--- Day changed Fri Jan 01 2010
00:37 < pekster> You shouldn't need any as modules should be dynamically loaded
00:56 -!- Ceil [n=ceil@205.73.87.203.static.nsw.chariot.net.au] has quit []
01:21 < mithridates> why Iptables -L doesn't show rules?
02:15 < hyper_ch> !howto
02:15 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:15 < mithridates> hey guys I'm really in trouble
02:15 < mithridates> plz help me about iptables
02:15 < mithridates> I wrote rule for NAT
02:15 < mithridates> but when I run iptables -L it doesn't show anything
02:16 < mithridates> but I can see it in /etc/sysconfig/iptables
02:29 -!- grub_booter_ [n=charlie@d54C519D5.access.telenet.be] has quit [Read error: 60 (Operation timed out)]
02:44 < Bushmills> iptables -L -t nat
02:45 < Bushmills> iptables comes with a man page, btw, which tells about those things
02:45 < Bushmills> http://doc.verhau.de/cgi-bin/dwww/usr/share/man/man8/iptables.8.gz?type=man
02:46 < vpnHelper> Title: iptables(8) (at doc.verhau.de)
02:46 < mithridates> yes I found it thank you
02:47 -!- grub_booter [n=charlie@d54C519D5.access.telenet.be] has joined ##openvpn
03:06 -!- master_of_master [i=master_o@p57B54BFE.dip.t-dialin.net] has joined ##openvpn
03:18 < mithridates> hey guys
03:18 < mithridates> openvpn[5103]: Options error: Unrecognized option or missing parameter(s) in server.conf:25: 45.34.11.203 (2.1_rc15)
03:18 < mithridates> what's wrong with me?
03:19 < mithridates> not with me
03:19 < mithridates> with my configuration :D
03:19 < mithridates> line 25 : local 45.34.11.203
03:20 < Bushmills> your problem is "Unrecognized option"
03:20 < mithridates> what does it mean?
03:24 < Bushmills> http://scarydevilmonastery.net/dict.cgi?unrecognized,  http://scarydevilmonastery.net/dict.cgi?option
03:24 < mithridates> :(
03:26 -!- master_o1_master [n=master_o@p57B551DE.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
03:31 < Bushmills> make sure the interface with that ip address is actually up
03:32 < Bushmills> (on the vpn server)
03:32 < mithridates> I used --local <ip> and it worked
03:32 < mithridates> do I need to set any ip address for tun0?
03:33 < Bushmills> openvpn does, according your config
03:33 < hyper_ch> Bushmills: I did not neatly sum up the problem I have with all the necessary info (I think):  http://www.ovpnforum.com/viewtopic.php?f=6&t=2389&
03:33 < vpnHelper> Title: OpenVPN Forum View topic - Can't SSH into a open-vpned client anymore (at www.ovpnforum.com)
03:36 < Bushmills> hyper_ch: without reading all that, I think I understood your problem. My problem was that I had to repeat what I had repeated already, and found me in the situation that I had to repeat what I had repeatedly repeated already
03:36 < hyper_ch> and I think you did not understand the problem
03:36 < Bushmills> without doing so again now, I'm afraid I don't know how to help you
03:37 < Bushmills> well, you connect from ssh client to openvpn client, start openvpn there, then route on openvpn client is changed to redirect default through openvpn server, and your ssh connection drops dead
03:38 < Bushmills> and you don't understand how and why openvpn server could possibly be involved in your ssh traffic
03:39 < hyper_ch> that's right
03:39 < hyper_ch> why doesn't that happen on the lan then?
03:39 < Bushmills> what part do you think did i not understand?
03:39 < hyper_ch> you seem to understand now but you were not phrasing it in a such a way that it seemed you did undestand
03:40 < Bushmills> see? about why that doesn't happen on your lan, i also already speculated, and gave you a possible reason, twice already
03:40 < Bushmills> to which you said something along the line of that that doesn't make sense
03:41 < Bushmills> so i think you should read a bit about routing before attempting to understand or solve your problem
03:42 < Bushmills> as i can't read it on your behalf, my options to help are rather limited.
03:43 < hyper_ch> I don't even know where to start to read
03:46 < Bushmills> mithridates: make sure your editor didn't add any strange chars, like control chars, which don't show, into your ip address
03:47 < Bushmills> for example, delete the whole line, and retype it
03:55 -!- baz [n=baz@c-67-183-155-189.hsd1.wa.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
04:40 < krzee> [05:18]  <mithridates> openvpn[5103]: Options error: Unrecognized option or missing parameter(s) in server.conf:25: 45.34.11.203 (2.1_rc15)
04:40 < krzee> you must have:
04:40 < krzee> local
04:40 < krzee> 45.34.11.203
04:40 < krzee> with a line break or something to make the app think the line ended
05:40 < Hetman> Hello, can i set somehow default user, and default pass in my vpn.conf ? i don`t want to type it all time
05:59 < Bushmills> Hetman: use key authentication
06:00 < Bushmills> moiners krzee
06:09 < krzee> moinmoin
06:09 < Bushmills> indeed
06:09 < krzee> Hetman, do you run the server and client?
06:10 < krzee> (is the pass for the key file or the vpn)
06:10 < krzee> because keyfiles dont need passes (but do support them), servers dont need to ask for passwords (but it is supported)
06:10 < krzee> but if you dont control the server and it requires a pass, yes there is a way
06:11 < krzee> !pwfile
06:11 < vpnHelper> krzee: "pwfile" is (#1) OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h, or (#2) see --auth-user-pass in the manual (!man) for more info
06:36 -!- hyper_ch [n=hyper@adsl-84-227-58-130.adslplus.ch] has left ##openvpn ["Konversation terminated!"]
07:14 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
07:17 -!- lt83850 [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has joined ##openvpn
07:21 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)]
08:07 -!- lt83850 [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has quit [Read error: 113 (No route to host)]
08:13 -!- pa [n=pa@unaffiliated/pa] has quit ["Sto andando via"]
08:24 < ecrist> good morning.
08:25 < ecrist> Happy New Year
08:30 < Holistah> yippie
08:31 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
08:31 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
08:33 < Holistah> I can't believe I'm up....I went to sleep 5 hours ago....
08:33 < Holistah> should I make pancakes, or eggs? and don't say both.
08:33 < ecrist> both, with bacon
08:37 < Holistah> ugh...I wish there was something on tv....so bored
08:38 < ecrist> netflix + xbox FTW
08:39 < Holistah> not even
08:46 -!- Holister [n=ryan@static-151-204-189-39.pskn.east.verizon.net] has joined ##openvpn
08:49 -!- Holistah [n=holister@c-71-230-216-184.hsd1.nj.comcast.net] has quit [Remote closed the connection]
08:49 -!- Holistah [n=holister@c-71-230-216-184.hsd1.nj.comcast.net] has joined ##openvpn
08:50 -!- Pietjepuk [n=peter@89.200.78.148] has joined ##openvpn
08:50 -!- Holistah [n=holister@c-71-230-216-184.hsd1.nj.comcast.net] has quit [Remote closed the connection]
08:51 -!- Holistah [n=holister@c-71-230-216-184.hsd1.nj.comcast.net] has joined ##openvpn
08:51 < Holistah> ARGH! apparantly my irc client doesn't like high-ascii....
08:52 < Holistah> Bruno, or the hangover? right now neither really appeal to me very much....
09:13 < Pietjepuk> Happy newyear you all ... I've got an "assertion failed" error.. and really know idear what's wrong .. does someone care to take a look ?? http://pastebin.com/m634e9172
09:22 < Holistah> unfortunately, I suspect the problem is in your server config. it's not in /etc/openvpn?
09:24 < Pietjepuk> Holistah: .. Let me check..
09:26 < Pietjepuk> Holistah: You where right.. It's here -->> http://pastebin.com/m1c426abb
09:35 < Holistah> set "verb 9" in both configs....it's suppressing the message that would describe the actual problem...
09:41 < Pietjepuk>  .. ok.. .. I've posted the new .. ( huge ! ) logs here .. http://pastebin.com/m3f9e2b0c
09:41 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
09:42 -!- lt83850 [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has joined ##openvpn
09:42 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
09:53 < Holistah> It's not jumping out at me.... have you read this http://ubuntuforums.org/showthread.php?t=845021 by any chance?
09:53 < vpnHelper> Title: [ubuntu] OpenVPN: Assertion failed at crypto.c:168 - Ubuntu Forums (at ubuntuforums.org)
09:56 -!- Pietjepuk_ [n=peter@89.200.78.148] has joined ##openvpn
09:56 < Pietjepuk_> Holistah: I'm getting the same errors using a diffrent client from a different ip .. So the client is not the problem I guess.. .. and I got disconnected.. did I miss something ?
09:56 -!- Pietjepuk [n=peter@89.200.78.148] has quit [Read error: 54 (Connection reset by peer)]
09:56 -!- Pietjepuk_ is now known as Pietjepuk
09:59 < Holistah> have your read http://ubuntuforums.org/showthread.php?t=845021
09:59 < vpnHelper> Title: [ubuntu] OpenVPN: Assertion failed at crypto.c:168 - Ubuntu Forums (at ubuntuforums.org)
10:01 < Pietjepuk> Holistah:  I had allready found and tryed that.. but let me try again... (client says the cipher I am using is supported allso..)
10:04 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:07 < Holistah> ugh....I hate mathematicians.... http://www.cs.utk.edu/~plank/plank/papers/CS-96-332.html even when they're trying to explain something specifically so that someone can understand it without knowing a zillion other things, they still make it overly complicated
10:07 < vpnHelper> Title: ``A Tutorial on Reed-Solomon Coding for Fault-Tolerance in RAID-like Systems'' (at www.cs.utk.edu)
10:09 < Pietjepuk> Holistah: ... sorry .. doesn't work using AES-256 CBC-256 either... It gives the same error message .. I do notice all the time there is a difference between local options hash and expected remote options hash ... has that something to do with it maybe ?
10:14 < Holistah> nah...they'll always be different...
10:14 < Pietjepuk> ... I saw them the same in a lot of posts while googling for this error ...
10:15 < Holistah> Only thing that keeps staring me in the face is the redirect-gateway failing....everything else is unfamiliar to me
10:16 < Pietjepuk> Holistah:  .. Ill take it out.. and see..
10:23 < Pietjepuk> Holistah: ... That solved it... unbeleivably stupid that I didn't try it.... I thought it wouldn't couse a fail....  Thank a lot for your assistence !!!!!!
10:24 -!- slol [n=john@c-76-108-239-149.hsd1.fl.comcast.net] has joined ##openvpn
10:24 < slol> krzee, krzie : ping
10:28 -!- Pietjepuk [n=peter@89.200.78.148] has quit [Read error: 104 (Connection reset by peer)]
10:30 -!- Pietjepuk [n=peter@89.200.78.148] has joined ##openvpn
10:37 < krzee> ?
10:45 -!- Optic [n=Optic@miso.capybara.org] has left ##openvpn []
10:46 -!- Pietjepuk [n=peter@89.200.78.148] has left ##openvpn []
11:39 -!- corretico__ [n=laguilar@201.201.46.106] has joined ##openvpn
11:47 < Holistah> haha....ok... bruno was actually funny.... i'm pleasantly surprised
11:57 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Connection timed out]
12:38 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
12:44 -!- corretico__ [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)]
13:02 -!- zamba [i=marius@flage.org] has joined ##openvpn
13:02 < zamba> i have a openvpn server with several local networks behind it..
13:02 < zamba> the openvpn server is the only machine with a public ip
13:03 < zamba> now i want to forward one of the internal machines' ssh service to the outside world
13:03 < zamba> i've tried using iptables -t nat -A PREROUTING -p tcp --dport <somerandomport> -j DNAT --to-destination <internal ip>:22
13:03 < zamba> and then making sure that ip forwarding is activated by issuing echo 1 > /proc/sys/net/ipv4/ip_forward
13:03 < zamba> but i'm still not able to connect to the inside machine from the outside.. what am i missing?
13:04 < zamba> the openvpn server isn't a NAT router for any other networks.. could that be the problem here?
13:14 < zamba> anyone have any idea?
13:16 < Holister> zamba: I may be able to help....but your description is lacking
13:17 < zamba> Holister: what do you lack?
13:17 < zamba> i believe i have to do something with SNAT to make the connection go back the right way
13:17 < Holister> your openvpn involvement for one
13:17 < zamba> please let me know what else you need
13:17 < zamba> hm?
13:18 < zamba> what do you mean?
13:18 < Holister> what are the subnets and where are you trying to get to from where
13:18 < zamba> well.. i have one subnet 192.168.4.0/24
13:18 < zamba> i have a network that's located well behind NAT (not public ip addresses at all)..
13:18 < zamba> not = no
13:19 < zamba> and from my router inside there i have established a vpn tunnel to a server located on the public internet (with a routable ip address)
13:21 < zamba> wow, think i actually got it working
13:21 < zamba> i lacked the SNAT :)
13:21 < Holister> oooooook
13:22 < zamba> wow, perfect
13:22 < zamba> can't believe i remembered this stuff :)
13:22 < zamba> thanks anyway :)
13:23 < zamba> iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.4.223
13:23 < zamba> iptables -t nat -A POSTROUTING -p tcp --dport 8080 -d 192.168.4.223 -j SNAT --to-source 10.8.0.1
13:23 < zamba> that did the trick
13:24 < Holister> oh....right.... I never did a setup like that...whenever a box was forwarding a port it was always masq'ing also.....I should probably actually copy that down in case someone else asks later
13:25 -!- slol [n=john@c-76-108-239-149.hsd1.fl.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
13:26 < zamba> very neat
13:26 < zamba> i can now watch tv from outside the network.. dreambox rocks :)
14:22 -!- jhp [n=jhp@zeus.jhprins.org] has quit ["leaving"]
14:32 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has left ##openvpn []
15:04 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
15:33 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
15:33 < mithridates> !factoids  tls
15:33 < vpnHelper> mithridates: Error: The "Factoids" plugin is loaded, but there is no command named "tls" in it.  Try "list Factoids" to see the commands in the "Factoids" plugin.
15:33 < mithridates> !factoids search tls
15:33 < vpnHelper> mithridates: 'tls-verify', 'tls-cipher', and 'tls-auth'
15:33 < mithridates> !factoids search handshake
15:33 < vpnHelper> mithridates: No keys matched that query.
15:34 < mithridates> VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=...
15:34 < mithridates> what's the problem guys
15:34 < mithridates> ?
15:34 < mithridates> VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=
15:35 < mithridates> TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
15:37 < |Mike|> QUIT PASTING ERROR MESSAGES
15:38 < |Mike|> USE PASTEBIN !
15:38 < |Mike|> your CERT isn't valid mithridates
15:38 < |Mike|> read the friggin error!
15:39 < mithridates> how can I validate it?
15:40 < mithridates> how can I make it valid?
15:40 < mithridates> :(
15:48 < |Mike|> ask your system admin ?
15:48 < |Mike|> he has to sign a new cert. for you
15:56 < mithridates> I'm the admin
15:56 < mithridates> I signed the cert by openssl verify -CAfile ca.crt -purpose sslclient ca.crt
15:56 < mithridates> ca.crt: OK
15:57 < |Mike|> and what dates ? :)
15:58 < mithridates> I don't know
15:58 < mithridates> how can I set that?
16:00 < |Mike|> use the pki tools ? :p
16:00 < |Mike|> or ssl config...
16:01 < mithridates> :D ok |Mike|
16:01 < mithridates> thnx
16:05 < mithridates> |Mike|: plz tell me, I couldn't find it :(
16:05 < |Mike|> find . | grep build ?
16:06 < mithridates> nothing
16:06 < mithridates> w8
16:06 < |Mike|> or easy-rsa
16:06 < mithridates> http://pastebin.ca/1734436
16:07 < |Mike|> :-)
16:07 < |Mike|> !howto
16:07 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:08 < mithridates> I did it :(
16:08 < |Mike|> ./build-ca
16:08 < |Mike|> err
16:08 < |Mike|> ./build-key client
16:09 < mithridates> ok ok I saw it
16:12 < mithridates> TLS Error: Unroutable control packet received from
16:12 < |Mike|> heh
16:13 < mithridates> why?
16:15 < mithridates> I also disabled firewall in windows
16:15 < |Mike|> what error do you get (verb 6 ) (and paste it @ pastebin hehe)
16:16 < mithridates> http://pastebin.ca/1734444
16:20 < |Mike|> WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm
16:29 < mithridates> |Mike|: I have different build-key-server script
16:29 < mithridates> http://svn.openvpn.net/projects/openvpn/trunk/openvpn/easy-rsa/build-key-server
16:31 < mithridates> http://pastebin.ca/1734460
16:32 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
16:34 -!- _numbers [n=x@unaffiliated/numbers/x-253875] has joined ##openvpn
16:35 < _numbers> how is pptp related to openvpn?
16:36 < Bushmills> it has three p in its name, openvpn has two
16:38 < mithridates> =)))))))
16:38 < mithridates> heheee
16:38 < _numbers> that is incredibly insightful
16:39 < |Mike|> mithridates: no idea
16:40 < mithridates> I followed some crazy guideline for openssl config and now I should do all again
16:41 < |Mike|> Yes
17:00 -!- _numbers [n=x@unaffiliated/numbers/x-253875] has quit [Remote closed the connection]
17:08 -!- _numbers [n=x@unaffiliated/numbers/x-253875] has joined ##openvpn
17:31 -!- cityLights [n=cityLigh@bzq-84-111-46-151.red.bezeqint.net] has quit [Remote closed the connection]
17:32 < krzee> !notcompat
17:32 < vpnHelper> krzee: "notcompat" is (#1) ipsec and pptp are NOT compatibile with openvpn... openvpn is uses SSL, pptp and ipsec both use proprietary protocols, and therefor CAN NOT be compatible, or (#2) openvpn only connects to openvpn
17:32 < krzee> !pptp
17:32 < vpnHelper> krzee: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
17:32 < vpnHelper> krzee: read about why to not use pptp
17:38 -!- lt83850 [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
17:43 -!- lt83850 [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has joined ##openvpn
17:55 -!- lt83850 [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has quit [Read error: 60 (Operation timed out)]
17:55 -!- lt83850 [n=your@c-24-127-180-91.hsd1.pa.comcast.net] has joined ##openvpn
18:20 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 54 (Connection reset by peer)]
18:59 < crazygir> is it possible to setup a vpn via routing whereby the client doesn't send the server *all* of their traffic, but only what's relevant?
18:59 < krzee> crazygir, if you can define whats relevant based on subnets, sure
19:00 < crazygir> I would only want rdp and smtp traffic to pass
19:00 < krzee> there actually is a way
19:00 < crazygir> isn't that fantastic ;)
19:00 < krzee> lemme type it out
19:00 < crazygir> what should I go read?
19:01 < crazygir> hah, ok
19:02 < krzee> !learn routebyapp as if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
19:02 < vpnHelper> krzee: Joo got it.
19:02 < krzee> !sockd
19:02 < vpnHelper> krzee: Error: "sockd" is not a valid command.
19:03 < crazygir> !socks
19:03 < vpnHelper> crazygir: Error: "socks" is not a valid command.
19:04 < krzee> !learn sockd as if you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP!  otherwise you will be an open proxy.  that config has no security because its expected to run inside openvpn
19:04 < vpnHelper> krzee: Joo got it.
19:04 < krzee> (i personally use that method)
19:04 < crazygir> sounds risky
19:05 < krzee> so i can route only certain apps (then i exclude certain subnets from that)
19:05 < krzee> risky how?
19:05 < crazygir> like a slight mishap might really screw you
19:05 < krzee> mishap like that?
19:05 < crazygir> no, like on the fw/filtering rules on your vpn server working out the route
19:06 < krzee> that wont happen
19:06 < krzee> openvpn is only route based
19:06 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 110 (Connection timed out)]
19:06 < crazygir> I guess I could just send all of the client's traffic thru
19:06 < krzee> if you can define what you want in subnets you can do it without openvpn
19:06 < krzee> err
19:06 < krzee> if you can define what you want in subnets you can do it within openvpn
19:06 < crazygir> i just didn't like the idea at first
19:06 < krzee> otherwise you need what i do
19:06 < krzee> theres nothing "risky" about it
19:06 < krzee> just run it on the internal vpn subnet ip
19:07 < crazygir> what do you mean byt define what you want in subnets?
19:07 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn
19:07 < krzee> if thats risky dont go crossing any streets
19:07 < crazygir> heh
19:07 < krzee> you dunno what a subnet is?
19:07 < krzee> like ip netmask
19:08 < krzee> for example only a certain smtp server, not a problem
19:08 < krzee> but ALL port 25 traffic, not gunna happen without my method
19:08 < crazygir> I know what a subnet is, just didn't really understand what you were suggesting
19:09 < crazygir> are you referring to being able to filter traffic between the subnets?
19:13 < krzee> with openvpn you can push routes
19:13 < krzee> thats how it knows what to send over the vpn
19:13 < krzee> to send all you change the default route, but you can also do specific routes
19:13 < krzee> so if its only certain subnets you want over the vpn, no problem, just push a route to the client
19:13 < krzee> like:
19:13 < krzee> in server config: push "route <ip> <subnet>"
19:14 < krzee> however, you said: ALL rdp and ALL smtp
19:15 < krzee> which to me means either your mail and rdp apps, or the mail and rdp ports
19:15 < krzee> which i personally am able to do with my setup
19:16 < crazygir> yes, I guess I'm not sure which setup would be better at this point
19:17 < krzee> welp those are the options =]
19:17 < crazygir> simpler configuration is better, but right now I'd only really want to allow filtered access (based on port)
19:17 < krzee> both are simple
19:17 < krzee> depends on needs
19:18 < krzee> if you know the exact subnets and there arent too many, use the push route
19:18 < krzee> if you need ALL for an app or port, use the !routebyapp method
19:18 < krzee> you need to decide what you want, then you know what you need
19:20 < crazygir> I think our terms and definitions are slightly mismatched, but that is ok. I think I understand what you are saying. I don't want ALL rdp traffic, just rdp traffic to a specific IP/hostname
19:20 < crazygir> the hostname part I think will be an issue
19:20 < crazygir> as wins wants broadcast..
19:22 < krzee> ok than thats simple
19:24 < crazygir> supposedly bridging isn't scalable though
19:24 < krzee> wins does NOT want want broadcast
19:24 < krzee> it actually replaces it for NETBIOS translation
19:24 < krzee> !wins
19:24 < vpnHelper> krzee: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
19:27 < |Mike|> cows say moo ?
19:28 < krzee> plus you dont even need NETBIOS translation, anything you can do by netbios name you can do by the ip
19:29 < crazygir> my users know their hostname, not ip
19:30 < crazygir> krzee: ideally, a user should be able to initiate the vpn and then rdp to their workstation
19:30 < crazygir> windows to windows, via openvpn on openbsd, with a little help from the windows dc on the internalnetwork
19:30 < krzee> thats not a problem
19:30 < krzee> with wins they can do it by netbios name
19:31 < crazygir> can you point me in a configuration direction? I'm finding myself lost in all the possibilities
19:31 < krzee> without they can do it by ip
19:31 < krzee> !sample
19:31 < krzee> !man
19:31 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
19:31 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
19:31 < krzee> !route
19:31 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
19:31  * |Mike| stumbles something about donations :p
19:32 < krzee> if you only need the lan behind the server shared: you only push its route to clients, and skip to "ROUTES BEHIND OPENVPN"
19:33 < crazygir> k
19:33  * crazygir reading
19:33 < krzee> cool im outta here
19:33 < krzee> time to shower eat and party
19:34 < crazygir> ty
19:35 -!- caimlas [n=caimlas@DHCP-26.64-179-155.iw.net] has left ##openvpn ["Leaving"]
19:53 < krzee> np
20:36 < _numbers> which is more secure--RSA, DSA, or DH?
20:37 < crazygir> which points are you considering?
20:37 < _numbers> longest time to decrypt using brute force :)
20:40 < crazygir> which length/ they all have different bitrates
20:41 < _numbers> highest
20:46 -!- corretico__ [n=laguilar@201.201.46.106] has joined ##openvpn
20:47 < crazygir> what about performance?
20:47 < crazygir> do you have crypto hardware?
20:49 < _numbers> lol good q but no lets assume i dont care about performance
20:50 < _numbers> also, which is most secure out of: base64  blowfish  cast  des  idea  rc5
20:50 < _numbers> actually just:  blowfish  cast5 des3  idea  rc5
20:58 < _numbers> idea 1991, blowfish 1993, rc5 1994, cast-128 1996, triple des 1998
21:00 -!- corretico__ [n=laguilar@201.201.46.106] has quit ["Leaving"]
21:00 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
21:01 < _numbers>  simulation results showed that Blowfish has a better performance than other common encryption algorithms use. AES showed poor performance results compared to other algorithms since it requires more processing power.
21:03 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)]
21:04 < _numbers> in order of speed: rc4-256,  blowfish-256, aes-128, aes-256, DES, with Triple DES the slowest by far. http://www.javamex.com/tutorials/cryptography/ciphers.shtml
21:04 < vpnHelper> Title: Comparison of encryption ciphers in Java (at www.javamex.com)
21:06 < _numbers> DES is labeled insecure and an RFC actually says not to use it. wonder why it is even an option. even Triple DES is only considered moderately secure
21:07 < _numbers> AES is the most secure, then blowfish but recently superseded by twofish
21:07 < _numbers> In cryptography, the Advanced Encryption Standard (AES) is an encryption standard adopted by the U.S. government. originally published as Rijndael.
21:08 < _numbers> so DSA + AES-256 it is
21:08 < _numbers> now to figure out message authentication codes (MAC)
21:10 < crazygir> AES is proprietary
21:10 < crazygir> twofish is the open equivalent.. I believe
21:11 -!- HotMama [n=Rachu@cpe-24-95-54-134.columbus.res.rr.com] has quit ["Goodbye"]
21:23 < _numbers> ah crap AES not an option in openssl then eh
21:23 < _numbers> i wonder how php mcrypt can do it
21:23 < _numbers> twofish not supported either -- too new?
21:23 < _numbers> so i guess that means blowfish for openssl
21:28 < _numbers> bf bf-cbc bf-cfb bf-ecb bf-ofb -- which is best?
21:28 < _numbers> cbc?
21:33 < _numbers> definitely not ecb
21:33 < _numbers> http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
21:33 < vpnHelper> Title: Block cipher modes of operation - Wikipedia, the free encyclopedia (at en.wikipedia.org)
21:34 < krzee> the certs cant be AES
21:34 < krzee> but the cipher can
21:34 < krzee> and dh is entirely different
21:34 < krzee> !dh
21:34 < vpnHelper> krzee: "dh" is build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN
21:34 < _numbers> !cbc
21:35 < vpnHelper> _numbers: Error: "cbc" is not a valid command.
21:38 < _numbers> "CBC has been the most commonly used mode of operation."
21:40 < _numbers> why is it necessary to gendsa dif. than genrsa (e.g. with a dsaparam-file) ?
22:13 < mithridates> how can I disable CA for security in client section?
22:24 < krzee> mithridates, huh?
22:29 < mithridates> oh sorry I was not
22:30 < mithridates> I wanted to test vpn whitout authorization
22:37 < krzee> !noauth
22:37 < vpnHelper> krzee: Error: "noauth" is not a valid command.
22:37 < krzee> !authpass
22:37 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
22:37 < krzee> client-cert-not-required is 1 way
22:37 < krzee> or just dont use --ca and friends
22:38 < krzee> read about those in the manual
22:45 < mithridates> tnx
22:55 -!- robert_ [n=hellspaw@objectx/robert] has left ##openvpn ["Leaving"]
23:54 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has left ##openvpn []
--- Day changed Sat Jan 02 2010
00:25 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
00:25 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
00:50 -!- alan` [n=alan@rrcs-67-52-47-64.west.biz.rr.com] has joined ##openvpn
00:51 < alan`> hey you guys quick question about installing openvpn on a debian server
00:51 < alan`> after apt-get installing the packages i already had the keys and such set out, can i just deploy those keys or is there something more to do?
00:52 < _numbers> `openssl verify -CAfile ca.crt client.crt` says error 18 at 0 depth lookup:self signed certificate
00:52 < _numbers> wtf is that a problem for
00:53 < _numbers> Installing CA Certificates into the OpenSSL   framework
01:06 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
01:11 -!- Optic [n=Optic@miso.capybara.org] has joined ##openvpn
01:12 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
01:31 -!- Intensity [i=[9wZk4yy@unaffiliated/intensity] has quit [Excess Flood]
01:36 -!- Intensity [i=[lRD75M9@unaffiliated/intensity] has joined ##openvpn
01:49 < magic_1> well alan`, if its not your main server, than yes you should be able to use the keys
02:51 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
03:00 -!- teddymills [n=teddy@208.92.235.227] has quit [Read error: 54 (Connection reset by peer)]
03:00 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
03:03 -!- Ceil [n=ceil@205.73.87.203.static.nsw.chariot.net.au] has joined ##openvpn
03:04 < Ceil> !redirect
03:04 < vpnHelper> Ceil: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
03:05 -!- krzy [i=nobody@hemp.ircpimps.org] has joined ##openvpn
03:05 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
03:07 -!- master_o1_master [n=master_o@p57B565EE.dip.t-dialin.net] has joined ##openvpn
03:18 -!- master_of_master [i=master_o@p57B54BFE.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
03:24 -!- krzy [i=nobody@hemp.ircpimps.org] has quit [Client Quit]
03:24 -!- krzy [i=nobody@hemp.ircpimps.org] has joined ##openvpn
03:44 -!- kyrix [n=ashley@chello213047159139.33.11.univie.teleweb.at] has joined ##openvpn
03:46 < Ceil> So I've got two senarios where I am going to use my VPN:
03:46 < Ceil> [WIFI_MACHINE]----(WIFI)---->[WIRELESS_ACCESS_POINT]----(LAN)---->[VPN_SERVER]----->INTERNET
03:47 < Ceil> woops
03:47 < Ceil> should be
03:47 < Ceil> [LAPTOP]----(WIFI)---->[WIRELESS_ACCESS_POINT]----(LAN)---->[VPN_SERVER]----->INTERNET
03:47 < Ceil> and there is also
03:48 < Ceil> [LAPTOP]----(WIFI)---->[PUBLIC_WIRELESS_ACCESS_POINT]----(LAN)----->INTERNET----->[HOME_ROUTER]----(LAN)----->[VPN_SERVER]
03:48 < Ceil> I've been reading up
03:48 < Ceil> oh, and I want to tunnel all traffic through the vpn
03:49 < Ceil> aparently in the redirect-gatway directive you need to put "local" for the first senario but some people say you don't
03:49 < reiffert> proceed.
03:50 < Ceil> Also I'm having troubles wrapping my head around natting/routing/ip masquarading
03:50 < Ceil> I'm running the client
03:50 < Ceil> Windows Vista
03:50 < Ceil> and teh server is Ubuntu
03:51 < reiffert> And your question is?
03:51 < Ceil> I've printed out many guides but I still can't seem to write a config for my needs
03:51 < Ceil> basically I need some help starting from scratch
03:51 < Ceil> I've got openvpn installed
03:51 < reiffert> !howto
03:51 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:51 < Ceil> I've read that
03:51 < Bushmills> Ceil: http://scarydevilmonastery.net/masq
03:51 < reiffert> sample config inclusive.
03:52 < reiffert> moin MushBills
03:52 < Ceil> All the guides use PKI but I rather use a static key.
03:52 < Bushmills> moiners reiffert
03:53 < Ceil> and what is the difference between tun an tap
03:53 < Ceil> do I need tun if I want to tunnel all traffic through my vpn?
03:54 < Bushmills> !tunortap
03:54 < vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
03:54 < vpnHelper> Bushmills: against you over the vpn
03:55 < Ceil> ok, so let me get up sample.ovn and I'll try configure it
03:55 < Bushmills> ok, we let you do that
03:56 < Ceil> where are the default config files stored on linux?
03:57 < Ceil> vpn@securevpn:/etc/openvpn$ cd /usr/share/doc/packages/openvpn
03:57 < Ceil> -bash: cd: /usr/share/doc/packages/openvpn: No such file or directory
03:57 < Ceil> vpn@gsecurevpn:/etc/openvpn$ cd /usr/share/doc/openvpn-2.0
03:57 < Ceil> -bash: cd: /usr/share/doc/openvpn-2.0: No such file or directory
03:59 < Ceil> ok I found it on a windows system
04:00 < Ceil> http://pastebin.org/70465
04:00 < Ceil> is that ok for a server side
04:00 < Ceil> with a static key
04:00 < Ceil> given my requirments
04:02 < reiffert> vpn functionality independend from authentication method.
04:02 < Ceil> what?
04:02 < Ceil> it is using a static key?
04:02 < reiffert> i recommend to use PKI first, like the howto, change to static keya fterwards
04:03 < Ceil> but generating a key takes ages
04:04 < reiffert> something between 2 to 5 minutes != ages.
04:05 < reiffert> Ceil: default config files (linux)
04:05 < reiffert> cd /usr/share/doc
04:05 < reiffert> ls -ald *openvpn*
04:06 < Ceil> $ cd /usr/share/doc/packages/openvpn
04:06 < Ceil> -bash: cd: /usr/share/doc/packages/openvpn: No such file or directory
04:06 < reiffert> 11:05 < reiffert> cd /usr/share/doc
04:06 < reiffert> 11:05 < reiffert> ls -ald *openvpn*
04:07 < Ceil> cheers
04:07 < Ceil> where is easy rsa though
04:08 < reiffert> examples directory.
04:08 < Ceil> ah kk
04:09 < Ceil> I don't trust a 1024 bit key and 4096 takes way too long to generate
04:09 < Ceil> don't you know enough about static keys to help me?
04:15 < reiffert> you really should read that howto. It also covers static key stuff.
04:19 < Ceil> oh, http://www.openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
04:19 < vpnHelper> Title: Static Key Mini-HOWTO (at www.openvpn.net)
04:19 < Ceil> I found that
04:20 < Ceil> thanks for your help
04:20 < Ceil> night
04:21 -!- Ceil [n=ceil@205.73.87.203.static.nsw.chariot.net.au] has quit []
04:27 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
04:27 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 54 (Connection reset by peer)]
04:34 < reiffert> I'm afraid he will come back/
04:43 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
04:43 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 113 (No route to host)]
04:57 < Bushmills> ubuntu says it all
05:19 -!- lt83850 [n=your@c-24-127-180-91.hsd1.pa.comcast.net] has quit []
06:26 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:26 -!- lt83850 [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has joined ##openvpn
06:27 -!- Lt83850c [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has joined ##openvpn
06:27 -!- Lt83850c [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has quit [Client Quit]
06:49 -!- itguru [n=The@5ac461b7.bb.sky.com] has joined ##openvpn
06:53 -!- Danskmand [n=Danskman@dslb-088-069-209-082.pools.arcor-ip.net] has joined ##openvpn
06:56 < Danskmand> Howdy :-) - Does ovpn run on windows 7, 64bit ? (got a error when installing "TAP-Win32 has known incompabilities")
06:56 < Danskmand> Or is it just a stupid eror-message and everyting just runs fine ?
06:59 -!- itguru [n=The@5ac461b7.bb.sky.com] has quit ["Leaving"]
07:28 -!- Danskmand [n=Danskman@dslb-088-069-209-082.pools.arcor-ip.net] has quit ["Leaving."]
08:03 -!- lt83850 [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has quit [Read error: 54 (Connection reset by peer)]
08:47 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 104 (Connection reset by peer)]
08:51 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
09:17 -!- hyper_ch [n=hyper@adsl-84-227-58-130.adslplus.ch] has joined ##openvpn
09:18 < hyper_ch> hmmm, in order to make all traffic go through openvpn I can put this into the server.conf:  push "redirect-gateway def1"   --> however if I don't want to have that for all clients, how would I put that into the according ccd?
09:27 < _numbers> how do i install my self-signed cert
09:27 < _numbers> on ubuntu w/ openvpn
09:27 < _numbers> trying to connect as a client. i copied the ca to /etc/ssl. now the ca.crt -validates with openssl. but not the client.key.
09:29 < _numbers> http://pastebin.com/d6bab546
09:29 < _numbers> my openvpn client log
09:29 < hyper_ch> _numbers: http://openvpn.net/index.php/open-source/documentation/howto.html#pki
09:29 < vpnHelper> Title: HOWTO (at openvpn.net)
09:33 < _numbers> i am trying to do this without easy-rsa. i do not want its hand-holding. i want to learn the openssl commands. so i have done that but just need to get my client.key to -validate
09:35 < _numbers> i moved the ca.crt to /etc/ssl and now it will validate but not client.key. hmm..
09:39 < Bushmills> hyper_ch:
09:40 < Bushmills> !ccd
09:40 < vpnHelper> Bushmills: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
09:42 < Bushmills> oh, "how". you have the choice between typing it in, by pushing the keys on your keyboard, or, after having typed it once, copy it, then paste it for each client's config file
09:43 < _numbers> i already installed the ca.crt and configured the openvpn client
09:44 < _numbers> why would openvpn -validate client.crt fail when it has been self-signed by ca.crt and ca.crt is trusted in /etc/ssl/certs
09:44 < _numbers> on the client
09:45 < _numbers> i mean why would `openssl validate client.crt` fail when it has been self-signed by ca.crt and ca.crt is trusted in /etc/ssl/certs
10:00 < |Mike|> !linnat
10:00 < vpnHelper> |Mike|: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
10:12 < hyper_ch> hmmmm, why can I ping the openvpn server but none of the other openvpn clients with this client config:  http://www.pastebin.org/70517 ?
10:13 < Bushmills> !route
10:13 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:13 < Bushmills> !iroute
10:13 < vpnHelper> Bushmills: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
10:13 < Bushmills> !lan
10:13 < vpnHelper> Bushmills: Error: "lan" is not a valid command.
10:14 < hyper_ch> ah ok :)
10:15 < Bushmills> !client-to-client
10:15 < vpnHelper> Bushmills: "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
10:15 < vpnHelper> Bushmills: behind other clients
10:15 -!- Danskmand [n=Danskman@dslb-088-069-209-082.pools.arcor-ip.net] has joined ##openvpn
10:16 -!- lt83850 [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has joined ##openvpn
10:21 < hyper_ch> Bushmills: but if all clients are in the server subnet 10.8.0.x shouldn't it work automatically?
10:24 < _numbers> i was able to get the client.crt to be signed by the ca.crt which is now trusted so they both `openssl validate` with OK. however strangely enough I still receive an error trying to use the client.key to connect my openvpn client http://pastebin.com/d6d1c665c
10:28 < Bushmills> no
10:28 < Bushmills> "automatically" is between client and server
10:28 < Bushmills> that's the part which works on your side
10:30 -!- hid3nax [n=tst@lan-78-157-71-116.vln.skynet.lt] has joined ##openvpn
10:32 < hid3nax> !howto
10:32 < vpnHelper> hid3nax: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:34 < hyper_ch> Bushmills: ok, I fixed it
10:34 < hid3nax> Hello everyone. Is the server sample config in the openvpn.net a PPTP server type example or not?
10:34 < hyper_ch> Bushmills: adding push "route 10.8.0.0 255.255.255.0" to the according ccd
10:35 < hid3nax> Need to set up a PPTP server to allow Windows clients to conenct to it. Did some config but client is getting the 800 error. Not sure where to look further...
10:35 -!- lt83850 [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
10:36 < hid3nax> !configs
10:36 < vpnHelper> hid3nax: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
10:36 < hyper_ch> but there's still one important question left - but unrelated to openvpn: What to have for supper tonight
10:37 < hid3nax> My godness... I'm starting to think that OpenVPN is just working with itself's client only...
10:37 < |Mike|> don't think.
10:38 < |Mike|> assumption is the mother of all fuckups ;)
10:38 < hid3nax> F-u-c-ked up enought tonight.. (already) :D
10:39 < |Mike|> as i said.
10:45 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:53 < _numbers> ok got my errors down to just this http://pastebin.com/d1721b266
10:54 < _numbers> incoming plaintext read error?
11:02 -!- Danskmand [n=Danskman@dslb-088-069-209-082.pools.arcor-ip.net] has quit ["Leaving."]
11:06 < |Mike|> certificate verify failed
11:06 < |Mike|> can the openvpn daemon read the certs _numbers ?
11:10 < _numbers>  |Mike| using pfsense as the openvpn server. it just has a gui where you paste in the certs. i imagine it can
11:10 < _numbers> unless you mean the client?
11:10 < |Mike|> client yes.
11:11 < _numbers> |Mike|: i think so but how can i be sure?
11:11 < |Mike|> ssh to it and check?
11:11 < |Mike|> i've no clue what pfsense is imho :P
11:13 < _numbers> the client is my desktop machine so no need to ssh. it is saved in /etc/ssl with chmod 777
11:13 < _numbers> thats for the ca.crt
11:14 < |Mike|> don't use 777
11:14 < |Mike|> 644 is more than enough
11:15 < |Mike|> or 640 even.
11:15 < _numbers> thats what all the others are in /etc/ssl but the ones the openvpn client uses are under /etc/openvpn and they are chmod 600
11:15 < _numbers> i just tried 777 on them tho to be sure and same result
11:16 < |Mike|> you're a developer ? :P
11:16 < |Mike|> ok, but did you restart the client ?
11:21 -!- hid3nax [n=tst@lan-78-157-71-116.vln.skynet.lt] has quit [Read error: 54 (Connection reset by peer)]
11:21 -!- hid3nax [n=tst@lan-78-157-71-116.vln.skynet.lt] has joined ##openvpn
11:24 < _numbers> i think it may be that the common name CN is not matching the host name
11:24 < _numbers> i just put asdf for the CN lol
11:24 < _numbers> does it have to match the actual hostname to work?
11:26 < |Mike|> it must be FQDN yes.
11:26 < Bushmills> oh, just to make sure that if openvpn wants to execute the certs, that they're actually executable :)
11:26 < Bushmills> good thinking
11:26 < _numbers> |Mike|: does the client need a hostname then?
11:27 < |Mike|> Bushmills: lol :-P
11:27 < _numbers> the server is the pfsense box router app based on freebsd
11:27 < _numbers> i can get that a hostname
11:27 < _numbers> the client's hostname can change tho
11:27 < |Mike|> _numbers: hmz, you could try that. I'm not 100% sure if it needs to be a fqdn
11:34 < _numbers> i fixed it
11:34 < _numbers> removed this from client config: ns-cert-type server
11:34 < _numbers> what is that? "Require that peer certificate was signed with an explicit nsCertType designation of "client" or "server"."
11:34 < _numbers> i wonder how i sign with that type
11:39 < |Mike|> why don't you use the easy-rsa tools ? ;)
11:39 < _numbers> well i will once i understand what they are doing :)
11:40 < |Mike|> it's bash...
11:40 < _numbers> ya i'm looking for them now so i can read the bash scripting
11:40 < _numbers> to see how it builds keys with server as nsCertType
11:40 < _numbers> where do i find them
11:40 < _numbers> the easy-rsa tools
11:41 < _numbers> /usr/share/doc/openvpn/examples/easy-rsa/2.0
11:48 -!- hid3nax [n=tst@lan-78-157-71-116.vln.skynet.lt] has quit []
11:53 < _numbers> next q
11:53 < _numbers> is there a way to hook up openvpn to a socks5 proxy like tor
11:53 < _numbers> basically i am trying to tunnel all my traffic thru tor using a router
11:54 < _numbers> not just a few ports, but all
11:54 < _numbers> all traffic on the LAN must exit thru router (gateway) and i want router tunneling all traffic thru tor
12:23 -!- Holistah [n=holister@c-71-230-216-184.hsd1.nj.comcast.net] has quit [Remote closed the connection]
12:26 -!- Holistah [n=holister@c-71-230-216-184.hsd1.nj.comcast.net] has joined ##openvpn
12:32 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
12:39 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
12:41 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Client Quit]
12:51 < Bushmills> so what do you need openvpn for then?
13:13 < krzy> lol
13:16 -!- krzy [i=nobody@hemp.ircpimps.org] has quit [Client Quit]
13:27 < |Mike|> _numbers: search on (ctrl f) on http-proxy
13:28 < |Mike|> !howto
13:28 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:28 < |Mike|> @ howto ^
13:28 < _numbers> thats just one port. i want all tcp/udp traffic
13:28 < |Mike|> !tcp?
13:28 < vpnHelper> |Mike|: Error: "tcp?" is not a valid command.
13:28 < |Mike|> !tcp
13:28 < vpnHelper> |Mike|: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
13:37 -!- krzy [i=nobody@hemp.ircpimps.org] has joined ##openvpn
13:41 -!- krzy [i=nobody@hemp.ircpimps.org] has quit [Client Quit]
13:41 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:48 -!- Kaatje [n=Kaatje@unaffiliated/kaatje] has joined ##openvpn
14:01 -!- agagag [n=anton@158.37.56.5] has joined ##openvpn
14:47 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
14:59 -!- Danskmand [n=Danskman@dslb-088-069-209-082.pools.arcor-ip.net] has joined ##openvpn
15:08 -!- MJD [n=quassel@dhcp-0-18-e7-4-f8-c7.cpe.mountaincable.net] has joined ##openvpn
15:10 -!- SupertrunksS [n=Supertru@f055161029.adsl.alicedsl.de] has joined ##openvpn
15:11 -!- Kaatje [n=Kaatje@unaffiliated/kaatje] has quit [K-lined]
15:12 -!- Kaatje [n=Kaatje@unaffiliated/kaatje] has joined ##openvpn
15:12 -!- lt83850 [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has joined ##openvpn
15:13 -!- Kaatje [n=Kaatje@unaffiliated/kaatje] has quit [K-lined]
15:14 < SupertrunksS> Hi, I need to reach a subnet (non-private) at the server side through the tunnel. the tunnel is working proberly, i can ping both sides, but cant ping the subnet through the tunnel. the route at the client side is set correctly, set up a nat rule at the server side but still no success. may someone can help?
15:17 < krzie> ip forwarding is on at the server?
15:17 < SupertrunksS> yes
15:17 < krzie> what os?
15:18 < SupertrunksS> ubuntu 9.04 x64
15:18 < hyper_ch> that's old
15:18 < SupertrunksS> vserver :)
15:18 < krzie> lets see the routing table of client and nat rule on server (pastebin or similar site)
15:18 < SupertrunksS> ok
15:18 < krzie> should be like:
15:18 < krzie> !linnat
15:18 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
15:18 < krzie> !linipforward
15:18 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
15:19 < krzie> show me cat /proc/sys/net/ipv4/ip_forward as well
15:21 < SupertrunksS> http://pastebin.com/m4c90a7f0
15:22 < SupertrunksS> I need to reach 194.25.134.0/24
15:22 -!- _numbers [n=x@unaffiliated/numbers/x-253875] has left ##openvpn ["Leaving."]
15:23 < krzie> when you tcpdump tun you see that packets leave via the tun (on client)
15:23 < SupertrunksS> http://pastebin.com/m790c4edc
15:23 < krzie> same on server, you see the packets arrive?
15:23 < SupertrunksS> tcpduump crashes when I start pinging from the client
15:23 < krzie> lol
15:23 < krzie> how are you starting tcpdump
15:24 < SupertrunksS> tcpdump -n -i tun0
15:24 < SupertrunksS> as root
15:24 < |Mike|> use sudo ;)
15:24 < krzie> you can recreate the tcpdump crash every time?
15:24 < SupertrunksS> sure that this does matter sudo or root?
15:24 < SupertrunksS> yes
15:24 < krzie> why sudo if hes already root mike
15:25 < krzie> SupertrunksS well then you have bigger problems
15:25 < krzie> and your problem might have nothing to do with openvpn
15:25 < krzie> the tcpdump crash for sure has nothing to do with openvpn
15:26 < krzie> tried tracing it to see why it crashes?
15:26 < SupertrunksS> It crashes only if i ping the the subnet I want to reach, if i ping the vpn network, its working fine
15:27 < SupertrunksS> http://pastebin.com/m681f4ed0
15:27 < krzie> ohhh
15:27 < krzie> show me server routing table
15:28 < SupertrunksS> http://pastebin.com/m2c3127af
15:29 < SupertrunksS> vserver :(
15:29 < krzie> ya i dunno but its not an openvpn problem
15:29 < krzie> you can paste configs to verify if you like
15:29 < SupertrunksS> ok
15:33 < SupertrunksS> http://pastebin.com/m2f37bb31
15:34 < |Mike|> !config
15:34 < vpnHelper> |Mike|: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
15:34 < krzie> SupertrunksS
15:34 < krzie> !configs
15:34 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
15:34 < krzie> please strip the comments
15:34 < SupertrunksS> ok sorry
15:35 < krzie> np, i didnt actually say to strip them so how could you know ;]
15:37 -!- Danskmand [n=Danskman@dslb-088-069-209-082.pools.arcor-ip.net] has quit ["Leaving."]
15:37 < SupertrunksS> http://pastebin.com/m166fcfea
15:39 < krzie> you only need this once
15:39 < krzie> client-config-dir ccd
15:39 < krzie> tls-server can be dropped too, its part of --server
15:39 -!- Danskmand [n=Danskman@dslb-088-069-209-082.pools.arcor-ip.net] has joined ##openvpn
15:41 < SupertrunksS> hm ok, but the rest should be ok?
15:50 < krzie> whoawhoawhoa
15:50 < krzie> #
15:50 < krzie> push "route 194.25.134.0 255.255.255.0"
15:50 < krzie> #
15:50 < krzie> route 194.25.134.0 255.255.255.0
15:50 < krzie> both of those in your ccd?
15:50 < krzie> why?
15:50 < krzie> who do you actually want to route that over the vpn?
15:50 < krzie> the client, right?
15:51 < krzie> also, who is 192.168.100.240 255.255.255.240 behind?
15:51 < krzie> client or server?
15:52 < SupertrunksS> yes, I want to access my isps mail server, and the vserver should be able to access it, so i want the client to route the traffic to the subnet through the tunnel and the server
15:52 < krzie> i think i was wrong that this wasnt openvpn related, i think you managed to create some weird looping
15:53 < krzie> remove this:
15:53 < krzie> route 194.25.134.0 255.255.255.0
15:53 < krzie> you do NOT need the server to route it over the vpn, which is what the route command does when on the server
15:53 < krzie> you just wanna push it to the client
15:53 < SupertrunksS> ok
15:53 < krzie> now also
15:54 < krzie> 192.168.100.240 255.255.255.240
15:54 < krzie> thats client lan?
15:54 < SupertrunksS> yes
15:54 < krzie> do thisL
15:54 < krzie> this line from ccd:
15:54 < krzie> push "route 192.168.100.240 255.255.255.240"
15:54 < krzie> goes to server.conf
15:55 < krzie> also add this to server.conf
15:55 < krzie> route 192.168.100.240 255.255.255.240
15:55 < krzie> oh wait thats there
15:55 < krzie> just move the push over
15:55 < krzie> read this doc for more understanding of route / push route, etc
15:55 < krzie> !route
15:55 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:56 < krzie> after you do all that tcpdump should stop crashing on you
15:56 < krzie> now you only want this exact client to route 194.25.134.0 255.255.255.0 over the vpn, right?
15:56 < krzie> because you could move tyhat push route to server.conf to have it apply to all clients
15:57 < krzie> or leave it there for only that client
15:57 < krzie> but this one: push "route 192.168.100.240 255.255.255.240"  only makes sense in server.conf, it actually gets ignored for that client because of the matching iroute, as explained in my routing document linked to above
15:58 < SupertrunksS> ok, done, but tcp dump keep crashing
15:58 < krzie> !configs
15:58 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
15:58 < krzie> again
15:58 < krzie> =]]
15:58 < krzie> the new and improved ones
15:58 < krzie> i assume you restarted both the client and server as well..
15:58 < SupertrunksS> removed the route 194.25.134.0 255.255.255.0 from my client ccd and added the push route to my lan to the server.conf, restarted ovpn dameon
15:59 < krzie> ok so repaste
15:59 < SupertrunksS> ok
15:59 < krzie> lemme see them again and know i didnt miss anything
15:59 < krzie> (dont edit, repaste)
16:01 < SupertrunksS> http://pastebin.com/m1c8ba744
16:02 < krzie> #
16:02 < krzie> push "route 192.168.100.240 255.255.255.240"
16:02 < krzie> not in ccd, in server.conf
16:02 < krzie> its in both right now
16:02 < krzie> so just remove it from ccd
16:03 < krzie> and just so you know:
16:03 < krzie> !ipp
16:03 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
16:05 < SupertrunksS> ok, im not going to use ipp, theres no reason for me to use ipp, cause i dont need dnat or static ip related services
16:05 < krzie> and ipp wouldnt be the right choice for those anyways
16:06 < krzie> (which was the reason i wanted you to know it wasnt good for static assignment)
16:06 < SupertrunksS> removed the line from ccd, restarted daemon ut tcpdump still crashing
16:06 < krzie> #
16:06 < krzie> 17:22:40.1262467462 truncated-ip 0
16:06 < krzie> #
16:06 < krzie> tcpdump: pcap_loop: corrupted frame on kernel ring mac offset 80 + caplen 84 > frame len 160
16:06 < krzie> #
16:06 < krzie> 8 packets captured
16:06 < krzie> still getting that?
16:07 < SupertrunksS> yes 5 packets caputred, 6 packets received by filter... 0 dropped by kernel
16:07 < krzie> more talkin bout the first part of my paste
16:07 < krzie> first and second lines...
16:07 < SupertrunksS> yes the same error
16:09 < krzie> reboot the server and try again
16:10 < SupertrunksS> ok
16:13 < SupertrunksS> done, restarted and tunnel established
16:13 < SupertrunksS> same error
16:15 < SupertrunksS> os just installed few hours ago, should be clean
16:16 -!- Lt83850c [n=your@c-24-127-180-91.hsd1.pa.comcast.net] has joined ##openvpn
16:19 < krzie> well theres something wrong
16:19 < krzie> (in the OS)
16:19 < SupertrunksS> yes
16:19 < krzie> try disabling the NAT rule just for the hell of it, see if it continues to error on tcpdump
16:19 < SupertrunksS> i have some trouble with other network apps too, nmap for exmaple
16:20 -!- Lt83850c [n=your@c-24-127-180-91.hsd1.pa.comcast.net] has quit [Client Quit]
16:20 -!- mdiehl [n=mdiehl@173-10-242-193-Albuquerque.hfc.comcastbusiness.net] has joined ##openvpn
16:21 < mdiehl> Hi, does anyone know where dd-wrt puts the config file for openvpn?
16:22 < SupertrunksS> mdiehl: no, try t find it with find / -name *.conf
16:22 < mdiehl> Oh man, why didn't I just think a bit.  Thank you.
16:23 < SupertrunksS> krzie when i try to use nmap, this error appears, maybe ovpn is unable to find the right interface too?
16:23 < SupertrunksS> Failed to find device venet0 which was referenced in /proc/net/route
16:24 < mdiehl> TROL_V1)
16:24 < mdiehl> Sat Jan  2 23:23:40 2010 TLS Error: Unroutable control packet received from 10.0.1.1:1194 (si=3 op=P_CONTROL_V1)
16:24 -!- lt83850 [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has quit [Read error: 113 (No route to host)]
16:24 < mdiehl> Any idea why I'd get this error?  10.0.1.1 is directly connected to the other device.
16:25 < mdiehl> I'm confuring the vpn on my lan before I deploy remotely.
16:27 < SupertrunksS> i think theres something wrong with your certificates
16:27 < mdiehl> Sounds like I have a routing loop..... No?
16:28 < SupertrunksS> check your date on both machines
16:32 < krzie> mdiehl:
16:32 < krzie> !configs
16:32 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
16:32 < mdiehl> Off by a timezone or so...
16:32 < krzie> you're l;ikely doing something you can do with remote but not while local
16:32 -!- Nappy [n=nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
16:33 < krzie> like pushing a lan route or redirecting gateway without local flag
16:37 < mdiehl> Well, accounting for UTC v. MST timezones, the clocks are synced.
16:37 < mdiehl> I'm not pushing anything fancy, but I am running ripd, so maybe packets are sidestepping my vpn and causing grief.
16:38 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:41 -!- Danskmand [n=Danskman@dslb-088-069-209-082.pools.arcor-ip.net] has quit ["Leaving."]
16:56 < SupertrunksS> krzie: i think ovpn is unable to find my default gw
16:57 < SupertrunksS> ..from the server venet0:0
16:58 < |Mike|> let me guess, OpenVZ ?
17:01 < SupertrunksS> yes :)
17:02 < SupertrunksS> it should work using SNAT rule but no success
17:03 < SupertrunksS> maybe i should try another os.. same as hosts system centos..
17:05 < |Mike|> lol :p
17:05 < |Mike|> no, blame openvz
17:06 < krzie> agreed with mike
17:07 < krzie> !factoids search
17:07 < vpnHelper> krzie: (factoids search [<channel>] [--values] [--{regexp} <value>] [<glob> ...]) -- Searches the keyspace for keys matching <glob>. If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
17:07 < krzie> !factoids search --values dialup
17:07 < vpnHelper> krzie: No keys matched that query.
17:07 < krzie> !factoids search --values ppp
17:07 < vpnHelper> krzie: No keys matched that query.
17:07 < krzie> hrm, i know there was a thread about how linux finds default gateway, some dialups werent working with it
17:08 < |Mike|> !pptp
17:08 < vpnHelper> |Mike|: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml
17:08 < krzie> err about how openvpn finds default gateway in linux i mean
17:08 < vpnHelper> |Mike|: to read about why to not use pptp
17:08 < |Mike|> that one ?
17:08 < |Mike|> lol, drink another one mr krzie :p
17:08 < krzie> heh, pptp is another vpn solution, im talkin bout dialup (ppp)
17:08 < krzie> i must not have made a factoid bout it
17:09 < |Mike|> wtf, who uses that ?
17:12 < krzie> SupertrunksS
17:13 < krzie> here is the default gateway error:
17:13 < krzie> Sep 24 08:45:55 desktop ovpn-client.tun[6606]: NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
17:13 < krzie> so thats not it
17:34 < SupertrunksS> krzie ok
17:34 < SupertrunksS> same err in centos :(
17:35 < krzie> <|Mike|> no, blame openvz
17:35 < krzie> <krzie> agreed with mike
17:35 < SupertrunksS> hehe
17:36 < |Mike|> it's not the OS, it's the virtualisation layer.
17:36 < |Mike|> That's why i'm a xen / kvm fanboy
17:36 < krzie> i know it CAN work in openvz, but i know nothing about the poenvz config stuffs
17:36 < krzie> openvz*
17:38 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: deever, zykes-, mrnice1, zamba, |Mike|, ScriptFanix, ^scott^, Typone
17:42 -!- Netsplit over, joins: zamba, deever, ScriptFanix, |Mike|, zykes-, Typone, ^scott^, mrnice1
17:42 < SupertrunksS> ok, thanks for your support :)
17:43 < krzie> yw
17:44 < krzie> at least we did fix some stuff in your configs
17:44 < krzie> once the system can work right the configs will =]
18:00 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn
18:24 < SupertrunksS> krzie
18:24 < SupertrunksS> /sbin/iptables -A FORWARD -j ACCEPT -p all -s 0/0 -i tun0
18:24 < SupertrunksS> /sbin/iptables -A FORWARD -j ACCEPT -p all -s 0/0 -o tun0
18:24 < SupertrunksS> /sbin/iptables -t nat --flush
18:24 < SupertrunksS> /sbin/iptables -t nat -A POSTROUTING -s ! x.x.x.x -o venet0 -j SNAT --to-source x.x.x.x
18:25 < SupertrunksS> its working now :)
18:25 < SupertrunksS> tcpdump too
18:25 < SupertrunksS> x.x.x.x = ext. ip
18:26 < |Mike|> h00terz.
18:26 < |Mike|> why do you accept all ?
18:26  * |Mike| goes mitm supertrunk
18:27 < SupertrunksS> found this in forum, just applied this for testing, and its working :)
18:29 < SupertrunksS> maybe its the nat part who makes it working? will do some tests and fine tuning now
18:32 < SupertrunksS> hmm just flushed the forward table.. still working, seems that doing snat from all interfaces to ext ip does the trick?!
18:35 -!- Danskmand [n=Danskman@dslb-088-069-209-082.pools.arcor-ip.net] has joined ##openvpn
18:35 < krzie> didnt i ask you to disable nat and try tcpdump? :-p
18:37 < krzie> also, thanx for reporting back your fix =]
18:39 < SupertrunksS> i don't understand why all interfaces have to snat to the ext ip... snat from tun0 -> ext ip didn't work
18:43 < krzie> your rule says nothing bout "all interfaces"
18:44 < krzie> only thing it says re: an interface is to go out venet0
18:47 < SupertrunksS> youre right sorry
18:47 < krzie> no appology needed, im still glad you shared your fix ;]
18:48 < krzie> a lot of people just say "it works" /quit
18:49 < SupertrunksS> yes unfortunately
18:51 < |Mike|> We should write more documentation.
18:53 < krzie> feel free mike
18:53 < krzie> the wiki is waiting for you
18:54 < krzie> i think im gunna make a !redirect document one of these days, but its a bitch cause every non-openvpn step will be done differently for osx/bsd/win/lin
18:55 < krzie> i think ill handle that by having seperate writeups for NAT / ip forwarding with each OS's method seperated in each writeup
18:55 < |Mike|> I rather write on wiki's than manpages ;)
18:55 < krzie> and keep the !redirect stuff openvpn dependant only with links to the os specific stuffs
18:56 < |Mike|> you think modular krzie
19:05 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Remote closed the connection]
19:06 < krzie> well if its done like that we'll have a good one for !nat and !ipforward
19:17 -!- supertrunks [n=Supertru@g227118207.adsl.alicedsl.de] has joined ##openvpn
19:17 -!- supertrunks [n=Supertru@g227118207.adsl.alicedsl.de] has quit [Read error: 104 (Connection reset by peer)]
19:17 -!- supertrunks [n=Supertru@g227118207.adsl.alicedsl.de] has joined ##openvpn
19:19 < Danskmand> Howdy :-) - Someone still alive in here ?
19:22 < krzie> sure
19:23 -!- dagobertduck [n=Supertru@g230088250.adsl.alicedsl.de] has joined ##openvpn
19:25 < Danskmand> Cool :-) - you know, its 2:23 am here :-) - Well, if I dial into my server that runs openvpn (newest version), I get the message "createfile failed on TAPI-device: \\.\Global\(whatever).tap"
19:26 < krzie> dial?
19:26 < Danskmand> And a "all TAP-win32 adapters on this system are currently in use"...
19:27 -!- MJD [n=quassel@dhcp-0-18-e7-4-f8-c7.cpe.mountaincable.net] has quit [Operation timed out]
19:34 -!- SupertrunksS [n=Supertru@f055161029.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)]
19:36 < |Mike|> Danskmand: !all
19:36 < |Mike|> bite.
19:37 -!- supertrunks [n=Supertru@g227118207.adsl.alicedsl.de] has quit [Read error: 113 (No route to host)]
19:41 < Danskmand> Well, not really dial :-) - I have a desktop-pc and 2 firewall-pc's and a laptop and a DSL-router. The desktop is hidden behind the 2 firewalls. The laptop is in front of the 2 firewalls. There will be some times where I will be "somewhere else" in Germany - and I want to be able to connect to my local "network" - to do that I need to dial-in into my internal firewall (I forward port 1194 to the internal firewall), which work
19:41 < Danskmand> I have a dyndns account by the way....
19:44 < Danskmand> Sorry it took so long for me to "shape my words" :-)
19:46 -!- robert_ [n=hellspaw@objectx/robert] has quit [Remote closed the connection]
19:55 -!- Ceil [n=ceil@205.73.87.203.static.nsw.chariot.net.au] has joined ##openvpn
19:56 < Ceil> # /etc/init.d/openvpn restart
19:56 < Ceil>  * Stopping virtual private network daemon(s)...                                 *   No VPN is running.
19:56 < Ceil>  * Starting virtual private network daemon(s)...                                 *   Autostarting VPN 'openvpn'                                          [fail]
19:56 < Ceil> config (server):http://pastebin.com/m416bb14f
19:56 < Ceil> Platform: Ubuntu
19:57 < endre> so what
19:57 < Ceil> Well as you can see openvpn failed at starting
19:57 < Ceil> I am asking for help to find out why
19:58 < krzie> Ceil that means nothing, look at your logs, try starting it manually and see whats wrong
19:58 < Ceil> where are the logs?
19:58 < krzie> whereever you told them to be in your config
19:58 < krzie> try syslog files
19:58 < Ceil> I'm new at linux, where do i find those
19:59 < endre> you have like nothing in that config file
19:59 < endre> ah yup, sorry, you have ifconfig and key
19:59 < Ceil> what do you mean? it's similar to the default static key config file
19:59 < endre> ok, i've just never used statis key thing
20:00 < Ceil> ah, I'm using it because my only secure trasport between the server and client is text-only
20:00 < Ceil> so I can't transfer the PKI stuff
20:01 < Ceil> btw how do I view the syslog?
20:01 < Ceil> man syslog
20:01 < Ceil> No manual entry for syslog
20:01 < endre> it's in the /var/log/ dir
20:02 -!- Danskmand1 [n=Danskman@dslb-088-069-215-127.pools.arcor-ip.net] has joined ##openvpn
20:03 < Ceil> ah cheers I found the problem I think
20:04 < Ceil> hm.. nope failed I'll post syslog
20:05 -!- Danskmand [n=Danskman@dslb-088-069-209-082.pools.arcor-ip.net] has quit [Read error: 60 (Operation timed out)]
20:05 < krzie> also post both configs, but like this:
20:05 < Ceil> ah fixed it
20:05 < krzie> !configs
20:05 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
20:05 < krzie> ahh ok nm then =]
20:06 < Ceil> ok time to test to see if it works, I have a few more questions in a sec
20:10 -!- Danskmand1 [n=Danskman@dslb-088-069-215-127.pools.arcor-ip.net] has quit ["Leaving."]
20:12 < Ceil> Server: http://pastebin.com/m6216f3fa
20:12 < Ceil> Client: http://pastebin.com/m659fc0ec
20:12 < Ceil> Sorry I couldn't remove the comments without leaving big gaps
20:12 < Ceil> do they look ok to you?
20:13 < Ceil> my worrie is:
20:14 < Ceil> *worry
20:14 < Ceil> http://pastebin.com/m136ec69b <- this part
20:14 < Ceil> do I need that on the client as well?
20:21 < Ceil> I got this error: Sun Jan 03 13:18:18 2010 us=281000 WARNING: 'ifconfig' is used inconsistently, local='ifconfig 10.3.0.1 10.3.0.2', remote='ifconfig 10.3.0.2 10.3.0.1'
20:23 < Ceil> as you can see in the configs they are the same
20:23 < Ceil> but why does that error say they are not
20:23 < Ceil> ah found it
20:24 < Ceil> I swapped it on the remote machine
20:25 < Ceil> So now to my real problem which after reading the howto and many tutorials I can only see that there are 100 different ways of doing this
20:25 < Ceil> How do I route traffic through the vpn
20:25 < Ceil> I'll annote the parts of teh howto I'm having trouble with
20:28 < Ceil> http://pastebin.com/mac19399
20:28 < krzie> !redirect
20:28 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
20:28 < krzie> (that was answered in the topic of this channel)
20:29 < Ceil> can you please read my pastebin
20:29 < Ceil> I read the howto and annoated the parts I have trouble with
20:29 < Ceil> !def1
20:29 < vpnHelper> Ceil: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
20:29 < krzie> !local
20:29 < vpnHelper> krzie: "local" is a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
20:30 < krzie> you only use local not when on wireless, but on the same lan
20:30 < krzie> which happens to only have a purpose when securing your wireless
20:30 < Ceil> so when I'm at home I edit my config to have "local" in it
20:30 < krzie> the vpn server is at home?
20:30 < krzie> if so, why do you need to be on the vpn when at home?
20:30 < Ceil> yep
20:31 < Ceil> to secure wireless traffic
20:31 < krzie> then you need 2 configs
20:31 < krzie> 1 for when home 1 for when away
20:31 < Ceil> ah ok
20:31 < Ceil> but I still don't understand def1
20:32 < Ceil> so I just add: push "redirect-gateway def1"
20:32 < Ceil> I don't edit that line
20:32 < krzie> its explained in the manual, and in !def1
20:32 < Ceil> my vpn server is 192.168.22.2
20:32 < Ceil> and my gateway is 192.168.22.254
20:33 < Ceil> I've read the manual and !def1
20:33 < Ceil> I just don't understand what it is saying
20:34 < krzie> ok heres how it goes
20:34 < krzie> if you use def1 and then disconnect from the vpn, you still have a route to the internet
20:35 < krzie> if you dont use def1 and then disconnect, you have no route to the internet
20:35 < Ceil> ah, that helps :) cheers
20:35 < krzie> =]
20:37 < Ceil> ok probably the last question:
20:37 < Ceil> I just feel uncontable with linux atm, so I'm just asking
20:38 < Ceil> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
20:38 < Ceil> now "This command assumes that the VPN subnet is 10.8.0.0/24 (taken from the server directive in the OpenVPN "
20:38 < Ceil> but I don't have a server directive
20:38 < Ceil> I'm assuming I just need to use 10.3.0.0/24?
20:39 -!- kyrix [n=ashley@chello213047159139.33.11.univie.teleweb.at] has quit ["Leaving"]
20:40 < Ceil> seems to be working now all I need is some way to test if my net traffic is actually routed though the vpn
20:43 < Ceil> well it doesn't push out dns
20:43 < Ceil> So I'm assuming it isn't working :(
20:43 < Ceil> Client is Windows Vista
20:47 -!- Ceil-ME [n=ceil@205.73.87.203.static.nsw.chariot.net.au] has joined ##openvpn
20:47 < Ceil-ME> woops back
20:48 < Ceil-ME> wait a second
20:48 < Ceil-ME> is there a way to do the local flag on the client side?
20:48 < Ceil-ME> that way I can change configs easily
21:04 -!- Ceil [n=ceil@205.73.87.203.static.nsw.chariot.net.au] has quit [Read error: 110 (Connection timed out)]
21:06 < krzie> yes
21:07 < krzie> not just the local flag, the whole redirect-gateway command
21:07 < krzie> just dont push it ;]
21:11 < Ceil-ME> so I can just add in the config lines
21:11 < Ceil-ME> on the client
21:11 < Ceil-ME> redirect-gateway local def1
21:11 < Ceil-ME> and
21:12 < Ceil-ME> dhcp-option DNS 208.67.222.222
22:09 -!- a|3xx [i=18160ae5@gateway/web/freenode/x-mbtvernkitzntwdm] has joined ##openvpn
22:09 < a|3xx> hi
22:09 < a|3xx> i got openvpn access server question, anybody care to help?
22:18 < krzie> pls see topic and on-join message
22:20 < krzie> "NO SUPPORT FOR ACCESS SERVER"
22:20 < Ceil-ME> krzie: was my did I get it right when I said:
22:20 < Ceil-ME> <Ceil-ME> so I can just add in the config lines
22:20 < Ceil-ME> <Ceil-ME> on the client
22:20 < Ceil-ME> <Ceil-ME> redirect-gateway local def1
22:20 < Ceil-ME> <Ceil-ME> and
22:20 < Ceil-ME> <Ceil-ME> dhcp-option DNS 208.67.222.222
22:20 < krzie> if it had normal openvpn configs in the backend and normal logs i know i personally wouldnt mind helping, but it doesnt
22:20 < krzie> !pushdns
22:20 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit
22:21 < krzie> you dont have to push it tho
22:21 < krzie> but do read those threads on the mail list
22:22 < Ceil-ME> hm.. how about testing if the vpn is working
22:22 < Ceil-ME> I mean if I was doing it externally I could whatsmyip.org
22:22 < Ceil-ME> but I can't
22:22 < Ceil-ME> is there away to check
22:42 -!- a|3xx [i=18160ae5@gateway/web/freenode/x-mbtvernkitzntwdm] has quit [Ping timeout: 180 seconds]
23:01 -!- Nappy [n=nappy@123-247.97-97.tampabay.res.rr.com] has quit [Read error: 110 (Connection timed out)]
23:08 < krzee> tcpdump
23:09 < Ceil-ME> is that on Windows?
23:09 < Ceil-ME> and what does that command do
23:09 < krzee> google it
23:09 < krzee> wireshark on windows
23:09 < Ceil-ME> ah ok
23:10 -!- Nappy [n=nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
23:12 -!- Nappy [n=nappy@123-247.97-97.tampabay.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
23:22 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
23:22 < mithridates> !factoids pre-shared
23:22 < vpnHelper> mithridates: Error: The "Factoids" plugin is loaded, but there is no command named "pre-shared" in it.  Try "list Factoids" to see the commands in the "Factoids" plugin.
23:22 < mithridates> !factoids search pre-shared
23:22 < vpnHelper> mithridates: No keys matched that query.
23:22 < mithridates> !factoids search static
23:22 < vpnHelper> mithridates: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
23:24 < mithridates> hey guys
23:24 < mithridates> I wanna use static key instead of TLS
23:24 < mithridates> would u help me?
23:24 < mithridates> !howto
23:24 < vpnHelper> mithridates: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
23:25 < Ceil-ME> um... that's what I am trying to do
23:25 < Ceil-ME> so I'll give you what I have got so far
23:25 < Ceil-ME> use sample.ovpn
23:25 < Ceil-ME> that is it the windows distro
23:26 < Ceil-ME> it'll show you everything you need
23:26 < Ceil-ME> I'll pastebin mine for you
23:26 < Ceil-ME> can't say it is working fully yet
23:27 -!- rawDawg [n=raw@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
23:27 < Ceil-ME> http://pastebin.com/m35851d46
23:29 < Ceil-ME> and http://www.openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
23:29 < vpnHelper> Title: Static Key Mini-HOWTO (at www.openvpn.net)
23:29 < Ceil-ME> and https://help.ubuntu.com/community/VPNServer
23:29 < vpnHelper> Title: VPNServer - Community Ubuntu Documentation (at help.ubuntu.com)
23:29 < Ceil-ME> are they guides I've found
23:34 -!- Nappy [n=nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
23:34 < Ceil-ME> Aaron: traps are good watchin sometimes
23:34 < Ceil-ME> Steve: eewww.. the number of penises I like to see in my day besides my own is 9
23:34 < Ceil-ME> Steve: fuck
23:34 < Ceil-ME> Steve: ahahaha
23:34 < Ceil-ME> Steve: 0
23:42 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
23:44 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
23:44 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has left ##openvpn []
23:47 -!- dagobertduck [n=Supertru@g230088250.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)]
23:59 -!- Holistah [n=holister@c-71-230-216-184.hsd1.nj.comcast.net] has quit [Read error: 110 (Connection timed out)]
--- Day changed Sun Jan 03 2010
00:13 -!- SupertrunksS [n=Supertru@f055149056.adsl.alicedsl.de] has joined ##openvpn
00:13 < SupertrunksS> Is it possbile to use push routes with static keys?
00:14 < Ceil-ME> are you talking about OpenVPN?
00:14 < Ceil-ME> nevrmind
00:14 < SupertrunksS> yes
00:14 < Ceil-ME> I thought I was on a differnt channel
00:14 < Ceil-ME> Um.. I hope so
00:14 < Ceil-ME> although I'm not seeing it happen in my config
00:14 < Ceil-ME> I'm trying to do that too
00:15 < Ceil-ME> So far it doesn't seem to be redirect-gateway
00:15 < Ceil-ME> let me know if you find anythin
00:15 < Ceil-ME> g
00:16 < SupertrunksS> hm.. not tried it, I dont want to redirect all traffic through the tunnel, just a subnet
00:16 < SupertrunksS> actually trying to link my fritzbox with my dd-wrt
00:17 < Ceil-ME> ah ok
00:17 < SupertrunksS> but looks good
00:38 -!- dmarkey [n=dmarkey@dmarkey.xen.prgmr.com] has quit [Read error: 60 (Operation timed out)]
00:38 -!- SupertrunksS [n=Supertru@f055149056.adsl.alicedsl.de] has quit [Read error: 104 (Connection reset by peer)]
00:39 -!- SupertrunksS [n=Supertru@f055149056.adsl.alicedsl.de] has joined ##openvpn
00:59 -!- lt83850 [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has joined ##openvpn
01:07 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
01:31 -!- lt83850 [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has quit [Read error: 113 (No route to host)]
01:35 -!- lt83850 [n=your@c-24-127-180-91.hsd1.pa.comcast.net] has joined ##openvpn
01:42 -!- supertrunks [n=Supertru@f055152116.adsl.alicedsl.de] has joined ##openvpn
01:46 -!- SupertrunksS [n=Supertru@f055149056.adsl.alicedsl.de] has quit [Read error: 60 (Operation timed out)]
01:52 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
01:54 -!- SupertrunksS [n=Supertru@f055200160.adsl.alicedsl.de] has joined ##openvpn
02:00 < Ceil-ME> Ok, I think I'm part of the way there
02:01 < Ceil-ME> now if I try browse the net it won't work
02:01 < Ceil-ME> So if I try visit http://69.163.159.132 it doesn't load
02:01 < vpnHelper> Title: Achromatic Labs (at 69.163.159.132)
02:02 < Ceil-ME> So I think that means that the traffic isn't being directed out on teh vpn server
02:02 < Ceil-ME> I followed the guide
02:02 < Ceil-ME> however it didn't say exactly what I needed to do
02:02 < Ceil-ME> http://www.openvpn.net/index.php/open-source/documentation/howto.html#redirect
02:02 < vpnHelper> Title: HOWTO (at www.openvpn.net)
02:02 < Ceil-ME> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
02:03 -!- SupertrunksS [n=Supertru@f055200160.adsl.alicedsl.de] has quit [Read error: 104 (Connection reset by peer)]
02:03 < Ceil-ME> I'll post my config and can someone please tell me what I need to change 10.8.0.0 to?
02:03 -!- SupertrunksS [n=Supertru@f055200160.adsl.alicedsl.de] has joined ##openvpn
02:03 -!- SupertrunksS [n=Supertru@f055200160.adsl.alicedsl.de] has quit [Remote closed the connection]
02:03 < Ceil-ME> http://pastebin.com/m643c5e7f
02:03 < Ceil-ME> the vpn connects and I can ping 10.3.0.1
02:05 < Ceil-ME> http://pastebin.com/m40c19559 is my ifconfig
02:05 < Ceil-ME> I'm using tun not tap fiy
02:07 < Ceil-ME> http://pastebin.com/m63c2652f is client config
02:08 -!- supertrunks [n=Supertru@f055152116.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)]
02:13 -!- MJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
02:15 < krzee> (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`)
02:16 < krzee> oh lol
02:16 < krzee> nm
02:16 < krzee> [04:02]  <Ceil-ME> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
02:16 < Bushmills> Ceil-ME: enabled ip fowarding on server?
02:16 < krzee> -s 10.3.0.0
02:16 < Ceil-ME> so just iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
02:16 < Ceil-ME> hm.. I've done that already
02:17 < Ceil-ME> how do I check to make sure they are still there?
02:17 < Ceil-ME> woops
02:17 < krzee> dude
02:17 < Ceil-ME> with the 10.3.0.0
02:17 < krzee> change 10.8.0.0 to 10.3.0.0
02:17 < krzee> yup
02:17 < Ceil-ME> yeah I've done that
02:17 < Ceil-ME> but is there a way to check if that setting is "set"
02:17 < Bushmills> cat instead of echo
02:18 < Ceil-ME> ?
02:18 < krzee> !linipforward
02:18 < vpnHelper> krzee: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
02:18 < Bushmills> instead of echoing 1, use cat to display
02:18 < krzee> cat /proc/sys/net/ipv4/ip_forward
02:19 < krzee> grep -vE '^#|^;|^$' openvpn.conf
02:19 < Ceil-ME> echos 9
02:19 < Ceil-ME> 0
02:19 < krzee> then repost your configs
02:19 < Ceil-ME> I mean it says 0
02:19 < krzee> echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution
02:19 < krzee> heh
02:20 < Ceil-ME> ok I'm starting up my laptop to check if it works now
02:21 < Ceil-ME> So I need to: net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
02:21 < Ceil-ME> as well as  iptables -t nat -A POSTROUTING -s 10.3.0.0/24 -o eth0 -j MASQUERADE
02:21 < Bushmills> "I think i did that but i don't know exactly" is usually a sign that it hadn't been executed
02:23 < Ceil-ME> ^ what are you talking about
02:23 < Ceil-ME> and I think it works now
02:23 < Ceil-ME> the internet is working and I'm testing in wireshark in just asec
02:25 < Ceil-ME> it works thanks for your help
02:25 < Ceil-ME> So just to clarify the mistake
02:26 < Ceil-ME>  I need to: net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
02:26 < Ceil-ME> where is the sysct1.conf btw?
02:30 < Ceil-ME> and can http://www.openvpn.net/index.php/open-source/documentation/howto.html#security tls-auth work with TCP?
02:30 < vpnHelper> Title: HOWTO (at www.openvpn.net)
02:33 -!- rawDawg2 [n=raw@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
02:33 -!- rawDawg2 [n=raw@cpe-76-188-26-242.neo.res.rr.com] has quit [Client Quit]
02:50 < krzee> you dont want tcp
02:50 < krzee> !tcp
02:50 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
02:51 -!- rawDawg [n=raw@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 113 (No route to host)]
02:58 -!- dmarkey [n=dmarkey@dmarkey.xen.prgmr.com] has joined ##openvpn
03:00 -!- teddymills [n=teddy@208.92.235.227] has quit [Read error: 54 (Connection reset by peer)]
03:00 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
03:03 -!- master_o1_master [n=master_o@p57B565EE.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)]
03:03 < Ceil-ME> yeah I know why tcp is a bad idea because your making bigger packets
03:03 < Ceil-ME> so you need to spilt them etc
03:04 < Ceil-ME> but isn't HTTPS over TCP
03:06 -!- master_of_master [i=master_o@p57B57C1A.dip.t-dialin.net] has joined ##openvpn
03:07 < Bushmills> https relies on tcp for packet resending.   tcp over tcp introduces the risk of competing error correction
03:08 < Bushmills> not just a matter of different packet sizes
03:08 < krzee> clearly didnt read the link
03:08 < Ceil-ME> So is tcp impossible to use?
03:08 < Ceil-ME> I might change to udp then
03:08 < krzee> read the link and understand what you accept when you use tcp
03:08 < krzee> then make your choice
03:09 < Bushmills> krzee: indeed. but why should he. after all, he says that he know why.
03:09 < krzee> or just listen to the bot and make the uneducated right choice
03:09 < krzee> !tcp
03:09 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
03:09 < Bushmills> and moiners to you
03:09 < krzee> moinmoin bush
03:12 -!- mdiehl [n=mdiehl@173-10-242-193-Albuquerque.hfc.comcastbusiness.net] has left ##openvpn ["Konversation terminated!"]
03:13 < Bushmills> I just read in an article about 26C3 of a presentation which demonstrates how to compromise quantum key distribution
03:13 < Bushmills> (these systems were considered secure)
03:15 < Bushmills> the researchers report that the method has already been successfully tested on a real existing system
03:41 -!- Danskmand [n=Danskman@dslb-088-069-215-127.pools.arcor-ip.net] has joined ##openvpn
03:44 -!- Hetman [i=dnowak@gateway/shell/rootnode.net/x-xrzcbrwaovtvxvup] has quit ["leaving"]
04:11 -!- Ceil-ME [n=ceil@205.73.87.203.static.nsw.chariot.net.au] has quit []
04:14 -!- Danskmand [n=Danskman@dslb-088-069-215-127.pools.arcor-ip.net] has quit ["Leaving."]
06:01 -!- Danskmand [n=Danskman@dslb-088-069-215-127.pools.arcor-ip.net] has joined ##openvpn
06:31 -!- Robbin [n=Multi-X@mobile.web.surgery.at.fenihon.com] has joined ##openvpn
06:32 < Robbin> !route
06:32 < vpnHelper> Robbin: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
06:34 < Robbin> !redirect
06:34 < vpnHelper> Robbin: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
06:35 < Robbin> anyone knows if there is some help available against redirecting the gateway?
06:36 < Robbin> 0.o
06:37 -!- Robbin [n=Multi-X@mobile.web.surgery.at.fenihon.com] has left ##openvpn ["No matter how dark the night, somehow the Sun rises once again"]
06:37 -!- Robbin [n=Multi-X@mobile.web.surgery.at.fenihon.com] has joined ##openvpn
06:39 < Robbin> only idlers in the chan? :S
06:40 < Bushmills> help aginst redirecting? as in, removing from onfig?
06:40 < Bushmills> hm  .. against .. config
06:40 < Robbin> it's weird problem really
06:40 < Robbin> I don't have redirect-gateway enabled
06:40 < Bushmills> open config file, remove the line. reload config
06:40 < Robbin> however, the clients gateway is changed
06:41 < Robbin> I don't have redirect-gateway enabled
06:42 < Robbin> tried both using tap or tun, tried adding or removing redirect gateway - the result is all the same
06:42 < Robbin> clients connecting can see the local net (if I push the right routes to them) but their routing table gets changed and their traffic comes through the vpn server
06:42 < Robbin> and the weirdest thing is that the redirect-gateway option doesn't really get involved in the whole thing
06:43 < Robbin> as if it doesn't work or is constantly enabled
06:43 < Bushmills> i don't understand your problem. are you wondering why your traffic isn't routed through gateway without redirect-gateway option?
06:43 < Robbin> no, it's the reverse
06:43 < Robbin> it gets routed
06:43 < Robbin> WITHOUT the option
06:44 < Bushmills> what is "it" in "it gets routed"
06:44 < Robbin> all the trafic
06:44 < Robbin> web, dns
06:44 < Robbin> etc
06:45 < Bushmills> connecting replaces your default route?
06:45 < Robbin> yup
06:45 < Robbin> on both linux and windows clients
06:45 < Bushmills> where don't you have redirect-gateway? in client or in server config?
06:45 < Robbin> in server
06:45 < Bushmills> so you have it in client config?
06:46 < Robbin> windows clients doesn't need that for what I know, plus in the linux client I think it  uses just nm plugin
06:46 < Robbin> no no
06:46 < Robbin> both do not have it
06:46 < Bushmills> look into client logs
06:46 < Bushmills> if route is changed, you'll have log entries reporting that
06:47 < Robbin> well right now I am checking with the linux box only and the default route does get changed, but I wanna know why and how to stop it
06:47 < Robbin> I don't want all the traffic redirected through the server
06:48 < Robbin> and as I said - the weirdest thing is it does it without the option enabled
06:48 < Bushmills> you don''t give enough information to tell you why
06:48 < Robbin> OpenVPN 2.1_rc15 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Nov 30 2008
06:48 < Robbin> what you need? Confs?
06:48 < Bushmills> openvpn doesn't change default route without being asked to
06:48 < Bushmills> logs
06:48 < Robbin> client conf - can't provide it, as it uses nm-openvpn plugin
06:49 < Robbin> ah... well I will have to dig in the logs or get disconnected to show you current
06:49 < Robbin> hold on
06:49 < Bushmills> !factoids search network-manager
06:49 < vpnHelper> Bushmills: No keys matched that query.
06:49 < Bushmills> !factoids search nm
06:49 < vpnHelper> Bushmills: No keys matched that query.
06:49 < Bushmills> !factoids search networkmanager
06:49 < vpnHelper> Bushmills: No keys matched that query.
06:49 < Bushmills> grr
06:49 < Bushmills> !ubuntu
06:49 < vpnHelper> Bushmills: "ubuntu" is dont use network manager!
06:49 < Bushmills> !factoids search network manager
06:49 < vpnHelper> Bushmills: No keys matched that query.
06:49 < Bushmills> bleh
06:50 < Robbin> ;-)
06:50 < Robbin> here is how nm starts it
06:50 < Robbin> in my case
06:50 < Robbin> /usr/sbin/openvpn --remote fenihon.com --comp-lzo --nobind --dev tap --proto udp --port 1194 --cipher BF-CBC --auth SHA1 --auth-nocache --syslog nm-openvpn --script-security 2 --up /usr/libexec/nm-openvpn-service-openvpn-helper --up-restart --persist-key --persist-tun --management 127.0.0.1 1194 --management-query-passwords --route-noexec --client
06:50 < Robbin> followed by the declarations for the certificates
06:51 < Bushmills> stop network manager, start openvpn client, check whether default route still gets changed
06:51 < Bushmills> if it doesn't, !blame network manager
06:51 < Bushmills> !blame
06:51 < vpnHelper> Bushmills: Error: "blame" is not a valid command.
06:52 < Bushmills> vpnhelper, are we playing a bit stupid today?
06:52 < vpnHelper> Bushmills: Error: "are" is not a valid command.
06:52 < Robbin> lol
06:52 < Robbin> Bushmills, I guess you want to see this line in the logs
06:52 < Robbin> Jan  3 14:14:56 lonestar NetworkManager: <info>  Policy set 'Fenihon VPN' (tap0) as default for routing and DNS.
06:53 < Robbin> so - yeah, I guess network manager changes it
06:53 < Bushmills> so, !blame network manager
06:53 < Bushmills> configure it, or remove it.
06:53 < Robbin> hm
06:54 < Robbin> !blame
06:54 < vpnHelper> Robbin: Error: "blame" is not a valid command.
06:54 < Robbin> ;-)
06:54 < Robbin> well Bushmills, that doesn't answer however why it does the same in windows clients
06:55 < Bushmills> now that you know that it isn't openvpn changing default route, you probably know what to look at
06:56 < Robbin> can't bet on it
06:56 < Bushmills> probably some "try to make computer smarter than it should be" contraption
06:56 < Robbin> :D
06:57 < Robbin> is it possible two clients to fail in the same way with the same server?
06:57 < Robbin> while the server changes to either using tap or tun
06:57 < Bushmills> they don't fail. they just act according their configuration or programming
06:58 < Bushmills> the fact that you're not content with the result doesn't represent failure
06:58 < Robbin> sure, nothing unusual, but there is no additional software installed or routes pushed then the minimum which is needed
06:58 < Bushmills> then, !blame windows
06:59 < Robbin> well.... agreed, but for me it looks like it has redirect-gateway auto enabled
06:59 < Robbin> I blame windows long a go Bushmills
06:59 < Robbin> too bad it will last even if pull out all my hair
06:59 < Bushmills> solution could be to !remove windows
07:00 < Robbin> not an option, the one using the windows machine knows nothing but "pretty windows" :D
07:00 < Bushmills> matter of priorities. sanity, hair, or fancy screen
07:01 < Robbin> even after I showed what gnome + compiz + awn does :D
07:01 < Bushmills> i can't tell you anything about openvpn under windows. except parroting opinions of others
07:02 < Robbin> =/
07:03 < Robbin> will try to launch it without the --up /usr/libexec/nm-openvpn-service-openvpn-helper option
07:03 < Robbin> and see what happens
07:03 < Robbin> gotta change server push declarations first :S
07:03 < Robbin> if it drops me out - it doesn't work :D
07:03 < Bushmills> network manager fell in disgrace with me independently of openvpn issues
07:04 < Robbin> yeah, same
07:04 < Bushmills> so i actually don't know what the openvpn and network manager issues are
07:04 < Robbin> I was pissed when it started changing my network interfaces the way it likes
07:05 < Bushmills> my problem was switching between 3g and cable connection frequently
07:05 < Bushmills> it somehow interfered always in a way that i lost connection, and needed to get access active manually again
07:06 < Bushmills> removed it - solved.
07:06 < Robbin> yeah, that's why I started looking at the VPN problem too
07:06 < Robbin> because I had to add the route manually
07:06 < Robbin> to make my home lan visible
07:06 < Robbin> do you know if here is any replacement for it?
07:06 < Bushmills> yes. no network manager
07:06 < Robbin> I must say I preffer to see something like that on my laptop
07:06 < Robbin> 0.o
07:07 < Bushmills> with my current config, it wouldn't do much good anyway
07:08 < Bushmills> i run everything through vpn, including dns, regardless of the connection type
07:08 < Robbin> by the way - without that option for the network manager... it works just fine
07:08 < Robbin> heck, still doesn't show me why it happens on windows too
07:09 < Robbin> Bushmills, problem is - when I go out, I start torrents :D
07:09 < Robbin> can't really use my home net, heh
07:09 < Bushmills> i run those remotely
07:10 < Bushmills> not sensible to use local bandwidth. that's reserved for fetching completed stuff
07:10 < Robbin> :D
07:10 < Robbin> can't really download movies at the office
07:10 < _trine> you could run your torrents inside a router
07:10 < Bushmills> route is still locally
07:10 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has quit [Excess Flood]
07:10 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit [Excess Flood]
07:11 < Robbin> _trine, the vpn server for me is... everything
07:11 < Robbin> web server, lan router, vpn server, mysql server....
07:11 < Bushmills> (meaning: don't want to use asymmetric access provider bandwidth for torrents)
07:11 < _trine> I have a small touter at home which I vpn into and run rtorrent inside screen on the router
07:11 < Bushmills> and "remote" means, high and symmetric speed
07:11 < Robbin> Bushmills, that's the other downfall for me - we use ADSL lines in both home and office :S
07:11 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
07:12 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn
07:12 < Bushmills> Robbin: another reason to not jam the line with torrents
07:12 < Robbin> yeah _trine I do the same, but if my net gets routed throuh my home server.... would really piss me off while at work :)
07:13 < Robbin> yeah Bushmills, that's why I want to resolve this issue
07:13 < Robbin> because when that windows client downloads, it gets routed through my server again
07:13 < Bushmills> console clients run remotely nicely. many accept the torrent url instead of the torrent itself
07:14 < Robbin> nah, been using ktorrent long a go, recently Transmission is sufficient
07:14 < Robbin> lightweight is the key word here
07:15 < Robbin> ktorrent was a bit heavy :P
07:15 < Bushmills> bittornado mostly for me
07:15 < Bushmills> ncurses interface
07:16 < Robbin> lol, I would love that if I still had my old slack 7 router :D
07:16 < Robbin> lynx (or links) + centericq
07:16 < Robbin> haha
07:16 < Robbin> good old days
07:16 < Robbin> anyways
07:16 < Robbin> is there anyone which could help with the linux part of the problem?
07:16 < Robbin> krzee maybe. as the one which wrote some howtos on it :P
07:17 < Bushmills> i thought your problem was known already - network manager changes your default route
07:17 < Robbin> Bushmills, yeah, for the linux box
07:17 < Robbin> this does not apply to the windows box
07:18 < Bushmills> "anyone which could help with the linux part of the problem?"
07:18 < Robbin> hm, yeah, sorry, mystyped the OS in my above statemen, lol
07:21 < Robbin> krzee, could you?
07:24 < Robbin> =/
07:26 < Robbin> heh Bushmills NM is acting up, but something I tried and didn't work before, just worked
07:26 < Robbin> there is checkbox in network manager for the vpn connection
07:27 < Robbin> "use this connection only for resources on this network"
07:27 < Robbin> it didn't work before, it's fine now though
07:27 < Robbin> doesn't replace the default route
07:27 < Robbin> and that checkbox isn't checked by default, even though it should be :S
07:28 < Robbin> I guess I had something changed in the server conf last time I checked that
07:28 < Robbin> okay, so only windows problem left to solve
08:32 < ecrist> good morning
08:34 < Robbin> good morning
08:34 < Robbin> even if it's afternoon for me :P
08:34 -!- hyper_ch [n=hyper@adsl-84-227-58-130.adslplus.ch] has left ##openvpn ["Konversation terminated!"]
09:08 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
09:22 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:24 < krzee> good afternoon
09:24 < krzee> even if its still night for me
09:25 < Robbin> lol krzee
09:25 < Robbin> krzee, can you give me a hit about some windows issue with openvpn?
09:25 < Robbin> hint*
09:25 < krzee> only if you can give me a hint as to the problem you are having
09:26 < Robbin> openvpn in server mode, linux (fedora 10)
09:26 < Robbin> several clients
09:26 < Robbin> recently I realized that even though the server doesn't have the "redirect-gateway" enabled, the traffic from the clients gets routed
09:27 < Robbin> for the linux client (fedora 12) we came to the conclusion it's network manager's fault
09:27 < krzee> !configs
09:27 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
09:27 < Robbin> and I found a workaround
09:27 < krzee> network manager is crap
09:27 < Robbin> yeah, I know that.... =/
09:27 < Robbin> so the problem now is only in the windows client
09:28 < krzee> see above bot command
09:29 < Robbin> yeah yeah, working on it.....
09:30 < Robbin> krzee, http://pastebin.com/m6ee1c101
09:34 < Robbin> krzee, appended the client conf now
09:35 < Robbin> ah OS and version :S
09:36 < Robbin> OpenVPN 2.1_rc15 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Nov 30 2008
09:36 < Robbin> server is fedora 10
09:36 < Robbin> OS on server *
09:37 < Robbin> krzee, I am sure it's not the server config which is the problem
09:37 < Robbin> changed it, tried with tun instead of tap - the results were the same
09:38 < Robbin> as I said - on the linux box, the problem was network manager
09:38 < Robbin> which is now bypassed
09:38 < Robbin> and as you see - I don't use the redirect-gateway option
09:38 < Robbin> but still all trafic gets routed through the box
09:39 < Robbin> the server*
09:41 < krzee> why are you bridging?
09:42 < krzee> when when you appended the client config it gave you a new url
09:42 < Robbin> no particular reason, did it this way in the begining, didn't bothered changing it
09:42 < Robbin> as it was serving the purpuse
09:42 < krzee> !tunortap
09:42 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
09:42 < vpnHelper> krzee: against you over the vpn
09:42 < krzee> go back to tun
09:42 < Robbin> doh, sorry, thought it updaes the same
09:42 < Robbin> http://pastebin.com/m34104c59
09:43 < krzee> when you go to tun you'll need to change the client ip too .16 wont be valid
09:43 < krzee> .6 .10 .14 .18 etc
09:43 < Robbin> krzee, tap does good job for me, let's not dig into this.... I will eventually route the trafic of my daughter through the server, so I can block some sites she shouldn't watch
09:44 < krzee> you can do that without tap
09:44 < Robbin> krzee, not quite, if you use the "topology subnet" declaration
09:44 < krzee> that is true
09:44 < Robbin> as I said - I played around with it before comming here ;-)
09:44 < krzee> cool, go back to it and i bet your problem goes byebye
09:45 < Robbin> back to tun?
09:45 < krzee> yup
09:45 < Robbin> I only tried it today, lol
09:45 < krzee> prove it
09:45 < krzee> go back to tun and show me logs and routing tables that its changing your default gateway
09:45 < Robbin> when I switch to tun it gaves some errors in the server log by the way
09:45 < Robbin> don't have access to the windows machines right now =/
09:46 < krzee> cool, come back when you go
09:46 < krzee> when you do*
09:46 < krzee> we cant troubleshoot something you dont even have access to
09:46 < Robbin> Sun Jan  3 00:41:59 2010 XXXX:34819 MULTI: bad source address from client [XXXX], packet dropped
09:46 < krzee> you trying to route a lan over the tunnel?
09:47 < Robbin> krzee, I asked for hint....
09:47 < Robbin> yes!
09:47 < krzee> !route
09:47 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:47 < Robbin> ......
09:47 < krzee> thats only valid for tun setups
09:47 < Robbin> watched that thing dozen times, didn't really helped with my setup
09:47 < Robbin> but ok
09:47 < krzee> umm
09:47 < krzee> that error is explained
09:48 < krzee> lol
09:48 < Robbin> didn't watch there after I got that error really, lol
09:48 < Robbin> but thanks anyways
09:48 < Robbin> will check once the people are back in their homes..... :S
09:57 < krzee> cool
09:58 < Robbin> hm, just remembered why I moved along from tun
09:58 < Robbin> there was still some problem with the routing
09:58 < Robbin> which I think was because the subnet has the same addresses I've entered in the server.conf
10:03 -!- s0undt3ch [n=s0undt3c@80.69.34.147] has joined ##openvpn
10:04 < s0undt3ch> hello ppl
10:04 < s0undt3ch> I have an http proxy which requires authentication
10:04 < s0undt3ch> I've set openvpn(for now) to query username and passwd from stdin
10:05 < s0undt3ch> the issue seems to be that my username is in the form of WinsDomainName\MyUsername, I can login through the browser, but not with openvpn
10:19 < s0undt3ch> ok, openvpn adds another \ :\
10:22 -!- erpel [n=erpel@f050094225.adsl.alicedsl.de] has joined ##openvpn
10:22 < erpel> hello everyone
10:25 < |Mike|> hi.
10:26 < erpel> does anyone have some tips on troubleshooting bridge mode on freebsd?
10:30 < erpel> I just don't get why this was easier on XP than on a proper OS...
10:30 -!- Danskmand1 [n=Danskman@dslb-088-069-215-127.pools.arcor-ip.net] has joined ##openvpn
10:32 < Robbin> erpel, I was using bridge mode just till 10 minues a go
10:32 < Robbin> according to krzee, bridging is no good :D
10:32 -!- Zordrak [n=jaz@unaffiliated/zordrak] has joined ##openvpn
10:32 < erpel> in general?
10:32 < erpel> I think theres right uses for almost anything
10:32 < Robbin> well someone could get acces to your vpn... blah blah blah... could arp-poison your vpn
10:33 < Robbin> yup, agreed
10:33 < Robbin> what are you using the bridging for
10:33 < Robbin> ?
10:34 < erpel> I'm rebuilding a home vpn for travelling purposes on a freebsd machine and the previous system used bridging
10:35 < erpel> dont things like mdns work only with bridge mode
10:35 < erpel> does wireshark work on the tap device on windows? does anybody know
10:36 < Robbin> for what I've got, most of the people (which were) here uses linux based systems
10:37 < Robbin> and can't say about mdns and wireshark
10:37 < erpel> sounds reasonable
10:38 < erpel> I know i could switch to layer 3 and have this thing up right now, but it really bothered me that this didn't work
10:38 < Robbin> well okay, what doesn't work for you right now
10:39 < erpel> I'm not entirely sure, the vpn connection works so far, that the xp client gets an IP address assigned but i can not get anything from one end to the other
10:40 < Robbin> could you start from the beginning? What's the purpuse, what you wanna do? You said you are packing it for traveling? Use pastebin to show conf files?
10:40 < Robbin> what was it
10:40 < Robbin> !configs
10:40 < vpnHelper> Robbin: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
10:41 < erpel> no problem, just a second
10:41 < Robbin> can't say I can be of much help, but I've been digging around openvpn for quite some time
10:44 < erpel> this is the server config
10:44 < erpel> http://pastebin.com/d7638ae8f
10:44 -!- Danskmand [n=Danskman@dslb-088-069-215-127.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)]
10:45 -!- Zordrak_ [n=jaz@unaffiliated/zordrak] has quit [Read error: 110 (Connection timed out)]
10:45 < erpel> and the connection seems to be established without problems on the openvpn side
10:46 < erpel> 2.1.1 on the client (XP 32bit
10:46 < Robbin> erpel, probably will be good if you post them all in the same place
10:46 < erpel> 2.0.6 on the server (freebsd 8)
10:47 < Robbin> hm, so you are moving your server from the XP machine to the freebsd one?
10:48 < erpel> Its not really a move as I'm not reusing any files
10:48 < Robbin> but you want the same setup
10:48 < Robbin> well the conf isn't different really (for what I know)
10:48 < Robbin> can't say I have experience with XP server
10:50 < erpel> now we have everything in one place
10:50 < erpel> http://pastebin.com/d6bcfdddf
10:50 < erpel> but I also did not get better results from other clients
10:50 < erpel> My guess would be it's something with the bridge on the server side
10:53 < Robbin> ok, now with the files in one place, please, tell me the setup again, dunno if it's just me, I couldn't get it.... you are moving to the freebsd server, you have windows clients
10:54 < Robbin> so, clients connects
10:54 < Robbin> but....?
10:54 < erpel> okay from the start
10:55 < erpel> freebsd server. I'm currently testing this with a xp client
10:55 < erpel> client connect seems to work flawlessly (once you know the drill, openvpn is not to bad to set up i think)
10:55 < Robbin> yeah, indeed
10:55 < erpel> now I have something very weird
10:56 < Robbin> no "funny messages" in the logs I assume
10:56 < Robbin> yes?
10:56 < Robbin> hm, is it just me or you mistyped one line?
10:56 < Robbin> :local 192.168.99.51
10:57 < erpel> let me check
10:57 < Robbin> don't think it should have : in front
10:57 < |Mike|> Robbin: yep :p
10:57 < |Mike|> !tunortap
10:57 < erpel> I think thats fom the line above, where i commented the server details
10:57 < vpnHelper> |Mike|: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
10:57 < vpnHelper> |Mike|: against you over the vpn
10:57 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"]
10:57 < |Mike|> why are you using layer 2 erpel ? :)
10:57 < erpel> It is not in the file
10:58 < Robbin> erpel, ok, just checking
10:58 < |Mike|> erpel: grep local openvpn.conf ?
10:58 < Robbin> |Mike|, he said he wants some special services to run with it, for which he knows they run with tap
10:58 < |Mike|> (or whatever you named it)
10:58 < Robbin> (server.conf :P)
10:58 < erpel> for mdns (iTunes autodiscovery and stuff). I want to have a setup as close as possible as a cable to the network
10:59 < |Mike|> are you sure that that stuff does layer 2?
10:59 < Robbin> |Mike|, do you know if that can be done with tun as well?
10:59 < Robbin> because I have no idea about it :D
10:59 < erpel> How does stuff that does multicast announces behave with tun
10:59 < erpel> !wins
11:00 < vpnHelper> erpel: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
11:00 < erpel> now to the weirdness
11:00 < erpel> Im running wireshark on the clients tap interface and just saw windows announces from the target network
11:01 < |Mike|> ah okay. /me writes that down :)
11:03 < Robbin> :S
11:03 < Robbin> can't help in these matters
11:03 < erpel> damn
11:03 < erpel> now I'm confused
11:04 < erpel> I see the samba share from the server on the client
11:04 < erpel> but no ping...
11:04 < Robbin> windows firewall?
11:05 < erpel> phu, nope did not forget that one
11:05 < erpel> its inactive
11:06 < Robbin> :D
11:06 < Robbin> gotta be sure, hehe
11:07 < erpel> no absolutely
11:08 < Robbin> but yeah, it's weird
11:08 < erpel> okay so I can see stuff like router advertisements from the target network.
11:08 < erpel> on the client
11:10 < Robbin> hm
11:10 < Robbin> seems like firewall issue to me, really
11:11 < erpel> yes
11:12 < erpel> it looks like for once, the client does not get any arp responses
11:18 -!- Danskmand1 [n=Danskman@dslb-088-069-215-127.pools.arcor-ip.net] has quit ["Leaving."]
11:36 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
11:37 -!- erpel [n=erpel@f050094225.adsl.alicedsl.de] has quit ["This computer has gone to sleep"]
11:52 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
12:11 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
12:11 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Client Quit]
12:12 -!- maek [n=maek@ip70-189-163-157.lv.lv.cox.net] has joined ##openvpn
12:15 < maek> I have 1 public ip address and I will be routing udp 1194 to the static 192.168.2 address for my openvpn server. My vpn block will be 10.0.55.0/24. is it going to be complicated to make it so when someone connects to the open vpn they have access to the 192.168.2.0/24 range of servers?
12:21 < Bushmills> !client-to-client
12:21 < vpnHelper> Bushmills: "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
12:21 < vpnHelper> Bushmills: behind other clients
12:21 < Bushmills> !route
12:21 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:23 -!- Danskmand [n=Danskman@dslb-088-069-215-127.pools.arcor-ip.net] has joined ##openvpn
12:28 < maek> Bushmills: thanks
12:28 < maek> so the route is what I want
12:28 < maek> because I dont want all the hosts on the local network to have to run a vpn client
12:43 -!- stirnlappenbasil [n=sag@f055121225.adsl.alicedsl.de] has joined ##openvpn
12:47 < Diddi> when I'm connected to my vpn, my tap interface says the connection is 10Mb/s, is it 10Mb/s or is it just showing that?
12:47 < Diddi> if it is, is it possible to change to 100Mb/s ? the server and client are on the same lan
12:51 < Diddi> using wget I get about 2Mb/s within the vpn.. still on same physical lan
12:53 -!- romero [n=user@mail.nfq.ktc.lt] has joined ##openvpn
12:56 -!- stirnlappenbasil [n=sag@f055121225.adsl.alicedsl.de] has quit [Read error: 104 (Connection reset by peer)]
12:56 -!- stirnlappenbasil [n=sag@g225239082.adsl.alicedsl.de] has joined ##openvpn
13:00 -!- G-Script50 [n=sag@f055169100.adsl.alicedsl.de] has joined ##openvpn
13:00 -!- G-Script50 [n=sag@f055169100.adsl.alicedsl.de] has quit [Read error: 54 (Connection reset by peer)]
13:00 -!- G-Script50 [n=sag@f055169100.adsl.alicedsl.de] has joined ##openvpn
13:05 -!- G-Script50 [n=sag@f055169100.adsl.alicedsl.de] has quit [Read error: 104 (Connection reset by peer)]
13:05 -!- G-Script50 [n=sag@g226231050.adsl.alicedsl.de] has joined ##openvpn
13:18 -!- stirnlappenbasil [n=sag@g225239082.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)]
13:28 -!- MJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
13:29 -!- Danskmand [n=Danskman@dslb-088-069-215-127.pools.arcor-ip.net] has left ##openvpn []
13:39 -!- Robbin [n=Multi-X@mobile.web.surgery.at.fenihon.com] has quit ["KVIrc Insomnia 4.0.0, revision: 3462, sources date: 20090703, built on: 2009/09/10 21:45:11 UTC http://www.kvirc.net/"]
14:30 -!- G-Script50 [n=sag@g226231050.adsl.alicedsl.de] has quit ["Verdiene Dir in Deiner Freizeiht etwas dazu,erpreß Deinen Freund."]
14:45 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
14:45 < mithridates> hey guys
14:46 < mithridates> I'm following HOWTO
14:46 < mithridates> and I'm in the "Generate certificate & key for server "
14:46 < mithridates> I used ./build-key-server server
14:47 < mithridates> to make Cert & key for my server
14:47 < mithridates> but after asking email , it asks a Challenge password
14:47 < mithridates> what's that?
14:47 < mithridates> Please enter the following 'extra' attributes
14:48 < mithridates> can I leave it blank?
14:49 < ecrist> yes
14:51 < mithridates> hi ecrist
14:51 < mithridates> what does "1 out of 1 certificate requests certified, commit?" mean?
15:16 < mithridates> !IP
15:16 < vpnHelper> mithridates: Error: "IP" is not a valid command.
15:17 < mithridates> !factoids search local
15:17 < vpnHelper> mithridates: "local" is a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
15:17 < mithridates> who can tell me what ";local a.b.c.d" means?
15:20 -!- erpel [n=erpel@f050095173.adsl.alicedsl.de] has joined ##openvpn
15:24 -!- ardya [i=ardy@unaffiliated/ardya] has joined ##openvpn
15:24 < ardya> hi folks, is it not possible to set ifconfig-pool range?
15:26 < ardya> man page says for tun device, range starts at .4, can that not be manually set?
15:29 < ardya> Jan  3 16:29:32 rdb openvpn[20324]: Options error: --server already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly
15:43 < mithridates> what's the --server ?
15:43 < mithridates> when I want to connect to my server it happens
16:26 -!- Lt83850c [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has joined ##openvpn
16:34 < ardya> guess no ones around
16:41 -!- lt83850 [n=your@c-24-127-180-91.hsd1.pa.comcast.net] has quit [No route to host]
16:43 < ardya> !iporder
16:43 < vpnHelper> ardya: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
16:44 < ardya> !static
16:44 < vpnHelper> ardya: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
16:44 < ardya> !ccd
16:44 < vpnHelper> ardya: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
16:51 -!- lt83850 [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has joined ##openvpn
17:03 < ardya> hmmm I set .4 as a static IP, client says .5 is pTp, and .6 gets assigned
17:04 -!- Lt83850c [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has quit [Read error: 113 (No route to host)]
17:13 -!- lt83850 [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
17:26 -!- erpel [n=erpel@f050095173.adsl.alicedsl.de] has quit ["This computer has gone to sleep"]
17:28 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 54 (Connection reset by peer)]
17:37 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
17:37 -!- magic_1 [n=magic@41.121.14.23] has joined ##openvpn
17:44 < mithridates> !ifconfig-pool
17:44 < vpnHelper> mithridates: Error: "ifconfig-pool" is not a valid command.
17:45 < mithridates> !ipp
17:45 < vpnHelper> mithridates: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
17:47 < mithridates> !iporder.x
17:47 < vpnHelper> mithridates: Error: "iporder.x" is not a valid command.
17:47 < mithridates> iporder
17:47 < mithridates> !iporder
17:47 < vpnHelper> mithridates: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
17:48 < mithridates> !static
17:48 < vpnHelper> mithridates: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
17:49 < mithridates> !ccd
17:49 < vpnHelper> mithridates: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
17:49 < mithridates> !factoids list
17:49 < vpnHelper> mithridates: Error: The "Factoids" plugin is loaded, but there is no command named "list" in it.  Try "list Factoids" to see the commands in the "Factoids" plugin.
17:49 < mithridates> list Factoids
17:52 < ardya> this isnt helping. I can use a dynamic ip, but if I set a static, the client fails.
17:53 -!- ardya [i=ardy@unaffiliated/ardya] has left ##openvpn ["*sigh*"]
17:54 < mithridates> !def1
17:54 < vpnHelper> mithridates: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
17:55 < mithridates> !man
17:55 < vpnHelper> mithridates: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:29 < mithridates> hey guys
18:30 < mithridates> I confused by this ip address : 10.8.0.0
18:30 < mithridates> is it the ip of TUN device?
18:30 < mithridates> or the ip address of eth0 which clients will connect ?
18:32 < mithridates> helloooo , is there any body ?
18:36 < Bushmills> would 192.168.50.70 be the ip address of a wlan interface, or a tun interface, or eth0?
18:38 -!- Nappy [n=nappy@123-247.97-97.tampabay.res.rr.com] has quit [Read error: 113 (No route to host)]
18:39 < mithridates> I'm talking about http://openvpn.net/index.php/open-source/documentation/howto.html#redirect
18:39 < vpnHelper> Title: HOWTO (at openvpn.net)
18:39 -!- lt83850 [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has joined ##openvpn
18:39 < mithridates> Bushmills: I use a valid ip address for my eth0
18:40 < mithridates> Bushmills: should I change that vali ip address with 10.8.0.0 ?
18:40 < Bushmills> 192.168.50.70 is a valid ip address
18:40 < Bushmills> 10.8.0.0 look like a network address
18:41 < mithridates> yes
18:41 -!- Nappy [n=nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
18:41 < Bushmills> "is it the ip of TUN device?" - can be network address of wlan, of eth0, of tun, of ppp
18:41 < mithridates> so I should change the iptables command to this: "iptables -t nat -A POSTROUTING -s <my eth0 IP address>/24 -o eth0 -j MASQUERADE"
18:42 < mithridates> ok let me to explain it
18:42 < mithridates> I want to serve NAT to my clients by VPN
18:42 < mithridates> and I want to serve Internet to them
18:43 < mithridates> I have 2 NIC right now
18:43 < mithridates> 1- eth0
18:43 < mithridates> 2-TUN0
18:43 < mithridates> I configured server.conf by this flags push "redirect-gateway def1"
18:44 < mithridates> push "redirect-gateway def1"
18:44 < mithridates> now I want to configure NAT
18:44 < Bushmills> and you looked at iptables man page, which told you what the parameter behind -s means, right?
18:45 < Bushmills> do you know what the /24 means?
18:45 < mithridates> oh , :( ok I just copied.
18:45 < mithridates> yes that my subnet mask
18:45 < mithridates> ok I got it
18:45 < mithridates> -s is the source ip address
18:45 < Bushmills> how would "my ip address" go together with "subnet mask"?
18:46 < mithridates> ummm
18:46 < mithridates> so what?
18:46 < mithridates> is it the range of my network?
18:46 < mithridates> oh I got it
18:46 < mithridates> yes that's the range
18:47 < Bushmills> ip address, for single host, or network address, in conjunction with mask
18:47 < mithridates> 10.8.0.0/24 ---> 10.8.0.0 - 10.8.255.255
18:47 < mithridates> am I right?
18:47 < Bushmills> no
18:49 < mithridates> :(
18:49 < Bushmills> http://en.wikipedia.org/wiki/CIDR
18:49 < vpnHelper> Title: Classless Inter-Domain Routing - Wikipedia, the free encyclopedia (at en.wikipedia.org)
18:50 < mithridates> ok tnx a lot
18:50 < mithridates> :)
18:59 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has quit []
19:05 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
19:15 -!- MJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
19:21 -!- Nappy [n=nappy@123-247.97-97.tampabay.res.rr.com] has quit ["Leaving"]
19:26 < mithridates> Bushmills: are u still there?
19:28 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has left ##openvpn []
19:38 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
19:40 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
19:46 -!- ardya [i=ardy@unaffiliated/ardya] has joined ##openvpn
19:47 < ardya> !static
19:47 < vpnHelper> ardya: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
19:47 < ardya> !/30
19:47 < vpnHelper> ardya: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
19:47 < ardya> !topology
19:47 < vpnHelper> ardya: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
19:57 -!- corretico [n=laguilar@201.201.46.106] has quit [Success]
19:59 < ardya> ohh version 2.1
20:05 < reiffert> :)
20:08 < ardya> sweet, building 2.1.1
20:12 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
20:12 < krzie> i love when people come in, read the topic, and help themselves
20:13  * krzie gives ardya a ^5
20:13 < reiffert> yeah, me too.
20:15 < ardya> I wasn't grokking the /30 thing
20:17 < ardya> dynamic config worked, static want, until I found an example via google where the netmask was actually the next ip, not a netmask, so got static working, then I got to thinking why does each machine use 2 IPs, and remembered !/30
20:17 < ardya> s/want/wasnt
20:18 < krzie> you can use a netmask, just have to use .6 .10 .14 etc as the ip
20:18 < krzie> or of course 2.1 and topology subnet (which is cooler)
20:18 < ardya> I was trying 192.168.20.4 255.255.255.0
20:18 < ardya> which was fail
20:19 < krzie> right
20:19 < ardya> the man page isnt clear on "remote-netmask"
20:20 < krzie> he read the manpage too!
20:20 < krzie> you should train people how to get help in here
20:20 < krzie> lol
20:20 < krzie> ;]
20:20 < reiffert> :)
20:22 < theDoc> I'm so darn annoyed.
20:22 < theDoc> Major outtage from asia to US.
20:22  * theDoc screams.
20:22 < krzie> doh
20:22 < krzie> im excited, going to australia next month
20:23 < krzie> decided yesterday, got ticket today
20:23 < theDoc> krzee> Welcome to the land of the bandwidth caps.
20:23 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)]
20:26 < ardya> slackware ships 2.0.9
20:26 < ardya> so fixing the man pages isn't worth it
20:26 < krzie> 2.1 was very recently released
20:26 < krzie> !man
20:26 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
20:26 < ardya> thats what I'm building
20:26 < ardya> slack pkgs for 13.0 and 12.1
20:29 < theDoc> krzee> Holiday there?
20:29 < krzie> yup, 3 weeks
20:29 < krzie> been wanting to go for a long time, finally taking up a friends offer to visit
20:29 < ardya> sweeeeet
20:29 < ardya> all working
20:29 < ardya> thanks guys
20:30 < krzie> ild say yw but you did it all yourself =]
20:30 < theDoc> nice.
20:30 < theDoc> i'm looking to migrate pronto.
20:30 < krzie> migrate to 2.1?
20:32 < theDoc> no, migration of citizenship :P
20:32 < krzie> oh coo
20:32 < krzie> any target countries?
20:34 < theDoc> Looking at sweden at the moment.
20:34 < theDoc> :p
20:34 < theDoc> I'll be moving once my vpn business settles down and all
20:34 < theDoc> I'm not keen on staying here.
20:34 < krzie> nice
20:34 < krzie> ive been happy with my choice to leave usa
20:34 < theDoc> krzee> where have you moved to?
20:35 < ardya> whats ACCESS SERVER thats nor supported
20:35 < theDoc> ardya> I some-what support access-server.
20:35 < krzie> its the corporate attempt for a pay for license openvpn
20:35 < krzie> theDoc, caribbean
20:35 < theDoc> But ymmv, depending on my time.
20:35 < theDoc> krzee> nice, how old are you?
20:36 < ardya> ahh
20:36 < krzie> 28
20:36 < theDoc> krzee> That's young, i'm about there too.
20:36 < theDoc> :p
20:37 < theDoc> fuck this place, i'm moving out and away from all of you
20:37 < theDoc> :D
20:37 -!- maek [n=maek@ip70-189-163-157.lv.lv.cox.net] has quit []
20:38 < krzie> ardya if it was just like openvpn ild have no problem supporting it, but theres no independant config file, etc... they made it very different so we cant really troubleshoot it
20:38 < krzie> but thats not really an issue since its a licensed product, people can get support from whoever they license it from ;]
20:39 < ardya> I understand, just curious what it was
20:39 < krzie> understood ;]
20:39 < theDoc> krzee> but you'll have to admit that it's excellent for rapid deployment and minimal user intervention, however, it requires the people supporting it to actually have a clue :p
20:40 < krzie> theDoc actually i cant admit that, i know very little about it
20:40 < krzie> but i know you've used both so i trust what you said
20:41 < theDoc> krzee> my business stuff uses as, because all the user has to do is to put in a password.
20:41 < theDoc> granted, it's not as pretty or as "hacky" as openvpn (the opensourced one)
20:41 < theDoc> but it works good if you have to push it to dumb users.
20:41 < theDoc> like, ok see this icon here? yeah, click on it and put in your password and click connect
20:42 < theDoc> ahh, yes. that's all you need to do and you get all your porn
20:42 < theDoc> :p
20:42 < krzie> it should still have a standard config in the backend
20:42 < krzie> that the webserver uses
20:42 < krzie> imho
20:43 < krzie> then by knowing the OS one you would be prepard to use the license one
20:44 < krzie> if a company were paying me to setup a vpn solution, AS would have a chance if i could use standard config files in the backend, plus theyd be able to use the opensource community's support
20:44 < theDoc> krzee> True, but in this case, I don't think they'll be overhauling it anytime soon.
20:44 < theDoc> I've asked for a few feature requests, mainly to deal with the UI and all
20:45 < krzie> i dont think they will either, but think how easy it would have been if they did it that way
20:45 < krzie> then again i guess they would have had a hard time keeping it pay-for-use that way too
20:47 < theDoc> It's really a it may be for you product
20:47 < theDoc> :(
20:47 < krzie> well i do wish them well with it
20:49 < theDoc> i wish myself well with it, it'll be nice to manage to become asia-pac's largest consumer ip vpn carrier.
20:49 < theDoc> :P
20:49 < theDoc> or rather, i'll see if that's even feasible.
20:50  * theDoc forces everyone to encrypt their traffic.
20:51 -!- Ceil [n=ceil@205.73.87.203.static.nsw.chariot.net.au] has joined ##openvpn
20:51 < Ceil> !tcp
20:51 < vpnHelper> Ceil: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
20:51 < ardya> so whats bytecount all about in the management interface
20:52 < theDoc> ardya> total in/out?
20:52 -!- Ceil [n=ceil@205.73.87.203.static.nsw.chariot.net.au] has quit [Client Quit]
20:52 < ardya> shown where?
20:53 < theDoc> who knows, where are you finding that bytecount section at?
20:53 < ardya> I'm not finding it in any docs on teh website so far
20:53 < krzie> seriously, whered you see that?
20:53 < ardya> I see it in help in the management interface
20:53 < krzie> management interface isnt documented too well
20:53 < ardya> bytecount n            : Show bytes in/out, update every n secs (0=off).
20:54 < krzie> yup thats the best doc i know of for management interface
20:54 < krzie> oh well thats obvious then
20:54 < krzie> its total bytes in and out, lol
20:54 < krzie> but you also have:
20:54 < krzie> bytes_received
20:54 < krzie>     Total number of bytes received from client during VPN session. Set prior to execution of the --client-disconnect script.
20:54 < krzie> bytes_sent
20:54 < krzie>     Total number of bytes sent to client during VPN session. Set prior to execution of the --client-disconnect script.
20:54 < ardya> I set it to 1 sec, I see nothing heh
20:54 < krzie> env vars
20:55 < ardya> ah there we go
20:55 < ardya> generate some traffic :)
20:58 < krzie> management interface is mainly meant to be a socket for other apps to interact with openvpn with
20:59 < ardya> apps like what?
20:59 < krzie> whatever you script up i guess ;]
20:59 < ardya> oh ok
21:00 < krzie> im sure eventually someone will release something nice that interacts with it
21:00 < ardya> having its stats availa via snmp is an idea
21:01 < krzie> or even a nice web ui with ability to see stats, disconnect people with a click, and stuff like that
22:23 -!- _numbers [n=x@unaffiliated/numbers/x-253875] has joined ##openvpn
22:23 < _numbers> i have the id.dss but its a dropbearkey and dbclient is not on the server. openssh `ssh -i` does not understand dropbear's dss keys, or is there another way?
22:24 < _numbers> someone suggested converting it. i know id.dss is binary format and most private keys are stored by ssh-keygen in base64. i also know DSS and DSA are related (compatible?). i wonder if it is a matter of just converting binary to base64?
22:25 -!- ardya [i=ardy@unaffiliated/ardya] has left ##openvpn ["night folks"]
23:09 -!- magic_1 [n=magic@41.121.14.23] has quit [Read error: 104 (Connection reset by peer)]
23:09 -!- magic_1 [n=magic@41.121.14.23] has joined ##openvpn
23:27 -!- lt83850 [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has quit [Read error: 60 (Operation timed out)]
23:37 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
23:58 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
--- Day changed Mon Jan 04 2010
00:14 -!- _numbers [n=x@unaffiliated/numbers/x-253875] has left ##openvpn ["Leaving."]
00:23 -!- Ceil [n=ceil@205.73.87.203.static.nsw.chariot.net.au] has joined ##openvpn
00:23 < Ceil> !nat
00:23 < vpnHelper> Ceil: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
00:24 < Ceil> !forward
00:24 < vpnHelper> Ceil: Error: "forward" is not a valid command.
00:24 < Ceil> Hm.. what was the thing I needed to edit to make echo 1 > /proc/sys/net/ipv4/ip_forward
00:24 < Ceil> permant
00:25 < Ceil> net.ipv4.conf.default.forwarding=1 to your /etc/sysctl.conf
00:25 -!- Ceil [n=ceil@205.73.87.203.static.nsw.chariot.net.au] has quit [Client Quit]
00:38 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
00:46 -!- kaatje [n=paige@2001:470:d022:0:0:dead:beef:3] has joined ##openvpn
00:46 < kaatje> hi guys.
00:47 < kaatje> i am wondering, it is possible to emulate a cisco ipsec server with openvpm?
00:47 < kaatje> i am wondering, it is possible to emulate a cisco ipsec server with openvpn?
00:48 < kaatje> my devices only will support cisco ipsec supposedly
00:48 < kaatje> !howto
00:48 < vpnHelper> kaatje: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
00:52 < theDoc> kaatje> no, openvpn is an ssl vpn.
00:52 < theDoc> ipsec is ipsec
00:54 < kaatje> :(
00:54 < kaatje> someone told me it would do it
00:55 < kaatje> what about l2tp?
01:02 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
01:03 -!- kaatje [n=paige@2001:470:d022:0:0:dead:beef:3] has left ##openvpn ["Later gators!"]
01:16 -!- barefoot [n=magic@41.121.115.46] has joined ##openvpn
01:16 -!- magic_1 [n=magic@41.121.14.23] has quit [Read error: 104 (Connection reset by peer)]
01:32 -!- hyper_ch [n=hyper@177-117.78-83.cust.bluewin.ch] has joined ##openvpn
01:52 -!- mithridates [n=chatzill@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
01:52 < mithridates> hey guys
01:52 < mithridates> I've tried to NAT
01:53 < mithridates> but my client cannot reach to the internet
01:53 < mithridates> target     prot opt source               destination
01:53 < mithridates> MASQUERADE  all  --  10.8.0.0/24          anywhere
01:53 < mithridates> it's my config
01:57 < theDoc> mithridates> Have you done an echo "1" > /proc/sys/net/ipv4/ip_forward yet?
01:58 < mithridates> let me to check it
01:58 < mithridates> oh no
01:58 < theDoc> Do it.
01:58 < mithridates> should I reset my network service after doing it ?
01:59 < mithridates> yes?
01:59 < theDoc> no, there's no need to
01:59 < mithridates> oh :( I did it
01:59 < mithridates> when I reset it changes to 0 again
02:00 < mithridates> why?
02:00 < theDoc> mithridates> edit your /etc/sysctl.conf
02:00 < mithridates> ah ok
02:00 < theDoc> and change the 0 to 1 for ip forwarding or something
02:01 < mithridates> what about this one? # Do not accept source routing
02:01 < mithridates> net.ipv4.conf.default.accept_source_route = 0
02:02 < mithridates> it's working perfect now
02:02 < mithridates> thank you
02:02 < theDoc> Leave that alone.
02:02 < theDoc> :p
02:02 < mithridates> theDoc: the dns for my clients is not working
02:02 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:02 < mithridates> should I use bind?
02:03 < theDoc> no, edit your server.conf and add in a dns thing :P
02:03 < mithridates> !dns
02:03 < vpnHelper> mithridates: "dns" is Level3 open recursive DNS server at 4.2.2.1
02:04 < mithridates> !factoids search dns
02:04 < vpnHelper> mithridates: 'pushdns' and 'dns'
02:04 < mithridates> !pushdn
02:04 < vpnHelper> mithridates: Error: "pushdn" is not a valid command.
02:04 < mithridates> !pushdns
02:04 < vpnHelper> mithridates: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit
02:14 < mithridates> I didn't get
02:14 < mithridates> theDoc: do I need to implement a dns server?
02:14 < mithridates> how can I redirect all the dns traffic for my clients?
02:33 < theDoc> mithridates> what are you doing?
02:33 < Bushmills> mithridates: a way to route all dns traffic through vpn is to run a local dns,  which queries an upstream dns on vpn server. Alternatively, let your clients query a recursive dns on your vpn server.
02:33 < Bushmills> (second method results in slightly increased vpn traffic)
02:37 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit [Excess Flood]
02:38 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:38 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
02:39 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit [Excess Flood]
02:40 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
02:41 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit [Excess Flood]
02:42 -!- Sky[x] [n=mihaaaa@212.235.182.245] has joined ##openvpn
02:42 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
02:46 < mithridates> Bushmills: how can I set their dns server < 4.2.2.4 > or some other dns servers?
02:47 < Bushmills> locally run a dns which is used by clients, and uses <4.2.2.4  or some other dns server> as upstream dns
02:48 < Bushmills> or route 4.2.2.4 though vpn
02:54 -!- SkyX [n=mihaaaa@88.200.89.29] has joined ##openvpn
02:54 < mithridates> which one is better?
02:55 < mithridates> which one is the best solution regarding to the cpu usage of the server?
02:56 -!- barefoot is now known as magic_1
02:57 < mithridates> Bushmills: how can I route 4.2.2.4 through vpn for my clients dns requests?
03:01 < endre> push down the route for 4.2.2.4
03:03 < Bushmills> !howto
03:03 -!- barefoot [n=magic@41.121.115.46] has joined ##openvpn
03:03 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:03 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Nick collision from services.]
03:03 -!- barefoot is now known as magic_1
03:06 -!- master_o1_master [n=master_o@p57B53FD6.dip.t-dialin.net] has joined ##openvpn
03:08 -!- Sky[x] [n=mihaaaa@212.235.182.245] has quit [Connection timed out]
03:19 -!- master_of_master [i=master_o@p57B57C1A.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
03:38 -!- wedjat [n=wedjat@unaffiliated/wedjat] has joined ##openvpn
03:39 < wedjat> !route
03:39 < vpnHelper> wedjat: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
04:01 -!- SkyX [n=mihaaaa@88.200.89.29] has quit [Client Quit]
04:20 -!- mithridates1 [n=mithrida@76.76.15.203] has joined ##openvpn
04:21 < mithridates1> !ccd
04:21 < vpnHelper> mithridates1: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
04:21 -!- lt83850 [n=your@c-24-127-180-91.hsd1.pa.comcast.net] has joined ##openvpn
04:22 -!- mithridates [n=chatzill@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
04:26 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
04:43 -!- dazo_afk is now known as dazo
04:48 -!- mithridates1 [n=mithrida@76.76.15.203] has quit [Read error: 110 (Connection timed out)]
05:03 -!- Lt83850c [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has joined ##openvpn
05:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:09 -!- lt83850 [n=your@c-24-127-180-91.hsd1.pa.comcast.net] has quit [Read error: 60 (Operation timed out)]
05:20 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:25 -!- aland [n=aland@apple.rat.burntout.org] has left ##openvpn []
05:30 -!- LittleJ [n=linuz@82.78.185.26] has quit ["changing servers"]
05:30 -!- LittleJ [n=linuz@82.78.185.26] has joined ##openvpn
05:47 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
06:07 -!- MJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
06:12 -!- havoc [n=havoc@saturn.chaillet.net] has joined ##openvpn
06:12 < havoc> morning
06:13 < cpm> morn'n
06:18 < krzee> moin
06:19 < Optic> good morning
06:26 < havoc> route-gateway dhcp and port-share seem nifty
06:53 -!- deever [n=deever@78.46.68.172] has left ##openvpn []
06:54 < ecrist> good morning
06:54 < havoc> morning
07:31 -!- g0tcha [n=VaiO@41.252.40.105] has joined ##openvpn
07:32 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
07:33 -!- MJD [n=quassel@mc-125-114.IPReg.McMaster.CA] has joined ##openvpn
07:33 < g0tcha> !howto
07:33 < vpnHelper> g0tcha: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:40 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 101 (Network is unreachable)]
07:41 < g0tcha> hey guys, ive installed openvpn server on my ubuntu and created the keys, then installed openvpn on winxp, copied over the files and edited the config.ovpn file.. when i try to run openvpn from that config file it gives me this msg: Error: private key password verification failed
07:42 < theDoc> Your password is wrong. :(
07:42 < g0tcha> theDoc, which password? thats whats confusing me
07:43 < reiffert> Guess you gave the private a password.
07:43 < Bushmills> private key password  - that's what is called "passphrase" with ssh keys
07:43 < reiffert> MushBills!
07:43 < Bushmills> grin
07:43 < Bushmills> lard!
07:43 < Bushmills> :D
07:43 -!- Lt83850c is now known as lt83850c
07:43 < g0tcha> yeah, i did give it a priavet password, how do i make the client know the password?
07:43 < g0tcha> private*
07:43 < reiffert> g0tcha: the server.
07:44 < Bushmills> client
07:44 < reiffert> hrmn, however.
07:45 < reiffert> g0tcha: well, lets check the manpage
07:46 < reiffert> g0tcha: read --askpass
07:47 < Bushmills> train arriving at dest - gone agn
07:47 < reiffert> process with --auth-nocache
07:49 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 104 (Connection reset by peer)]
07:49 < g0tcha> so it has to be run through command prompt if i need to use the password and not the gui?
07:53 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
07:54 < reiffert> gui?
07:57 < g0tcha> yeah, im running the client on a windows xp machine
07:57 < g0tcha> openvpn has a gui
07:57 < reiffert> ah, well it pops up a password window for me.
07:57 < g0tcha> i managed to start it fine from the command prompt with what you suggested, it asked for the password and connected fine
07:57 < reiffert> running 2.1.1 with the gui that comes with the installer.
07:57 < g0tcha> it does? hmm wierd.. it doesnt
07:58 < g0tcha> let me check what version im running
07:58 < reiffert> 2.1.1?
07:58 < g0tcha> hmm says OpenVPN GUI 1.0.3 :/
08:00 < reiffert> yeah, thats correct.
08:00 < g0tcha> and openvpn is 2.1 it says
08:00 < reiffert> works like a charme for me.
08:00 < g0tcha> but it doesnt ask for the password when i right click the config.ovpn file and start it from there..
08:01 < g0tcha> a command prompt pops up giving me the error msgs and to press any key to continue and thats it
08:01 < reiffert> what happens when you start it with the gui?
08:01 < reiffert> choosing "connect"
08:06 < reiffert> what happens for me, when using "right mouse click" on the .ovpn file choosing "Open with openvpn": dosbox comes up asking me for the private key password.
08:09 < g0tcha> it gives me the same error msg in the openvpn gui window instead of a command prompt.. ill use pastebin to paste the whole msg from the log file
08:10 -!- tomjones40000 [n=magic@41.121.115.46] has joined ##openvpn
08:10 < g0tcha> http://pastebin.com/m3e7c2620
08:10 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Nick collision from services.]
08:10 -!- tomjones40000 is now known as magic_1
08:11 < reiffert> thats what I get:
08:11 < reiffert> http://pastebin.com/m4b62a43e
08:12 -!- kyrix [n=ashley@chello213047159139.33.11.univie.teleweb.at] has joined ##openvpn
08:12 < reiffert> does home.key work at all (with --ask-pass)?
08:12 < reiffert> does home.key got a filesize of 0 bytes?
08:12 < g0tcha> no, 1kb
08:13 < reiffert> open it with wordpad, does it start with:
08:13 < reiffert> http://pastebin.com/me2b3309
08:14 < reiffert> did you transfer the file using a ftp client?
08:14 < reiffert> breaking line breaks/carraige returns?
08:15 < g0tcha> good call.. its some gebbrish stuff inside
08:15 < g0tcha> might got screwed while transfering it
08:15 < g0tcha> yeah, it was through ftp
08:15 < reiffert> gebbrish?
08:16 < reiffert> check on the server side/PKI-server. does it look ok there?
08:16 < dazo> mattock:  why opening up a new openvpn irc channel?
08:16 < reiffert> Note: There is winscp if your remote site supports ssh.
08:16 < reiffert> dazo: Hi. btw there is #openvpn2009
08:17 < dazo> reiffert:  oh man ... that's so oldish ... already :-P
08:17 < g0tcha> yeah reiffert, i just ssh'd and the home,key looks fine on the server side
08:17 < g0tcha> home.key
08:18 -!- _LittleJ [n=linuz@82.78.185.26] has joined ##openvpn
08:18 -!- LittleJ [n=linuz@82.78.185.26] has quit [Read error: 104 (Connection reset by peer)]
08:18 < reiffert> dazo: blame the openvpn developers!
08:19 < dazo> :)
08:19 -!- _LittleJ is now known as LittleJ
08:19 < reiffert> g0tcha: great news, welcome!
08:19 < reiffert> g0tcha: btw, there is winscp on windows.
08:20 < reiffert> http://winscp.net/eng/index.php
08:20 < vpnHelper> Title: WinSCP :: Free SFTP and FTP client for Windows (at winscp.net)
08:20 < reiffert> (GUI Style)
08:20 < reiffert> Faster than that 10mbit putty pscp stuff.
08:20 < g0tcha> yeah, thats what i use with windows
08:20 < reiffert> Didnt find any limits on speed yet.
08:20 < g0tcha> i like it
08:20 < reiffert> g0tcha: but why did you choose ftp then?
08:21 < g0tcha> it was set by default and didnt bother changing it
08:22 < reiffert> ?!? winscp fails using sftp?
08:22 < reiffert> it works great at my place...
08:22 < g0tcha> didnt say it fails.. it works fine.. only with that home.key it got corrupted while transfering, never happened to me before
08:23 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: sno, noooon, openvpn2009, Rienzilla, sdh, Bushmills
08:23 -!- Rienzilha [i=rien@sinas.rename-it.nl] has joined ##openvpn
08:23 -!- sno_ [n=sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn
08:23 -!- Netsplit over, joins: openvpn2009
08:23 -!- Netsplit over, joins: noooon
08:23 -!- sdh [n=steve@188.40.36.167] has joined ##openvpn
08:23 -!- Bushmills [n=nnnBushm@verhau.de] has joined ##openvpn
08:24 -!- MJD [n=quassel@mc-125-114.IPReg.McMaster.CA] has quit [Read error: 110 (Connection timed out)]
08:25 -!- kyrix [n=ashley@chello213047159139.33.11.univie.teleweb.at] has quit [Read error: 104 (Connection reset by peer)]
08:31 < g0tcha> aah it worked.. didnt ask for the password, it times out heheh but atleast its not showing the same error..
08:31 < g0tcha> ill do some googling first
08:31 < g0tcha> thanks for the help reiffert
08:32 < reiffert> welcome
08:33 -!- Irssi: ##openvpn: Total of 94 nicks [0 ops, 0 halfops, 0 voices, 94 normal]
08:37 -!- rajin [n=_@port-10272.pppoe.wtnet.de] has joined ##openvpn
08:43 -!- kyrix [n=ashley@chello213047159139.33.11.univie.teleweb.at] has joined ##openvpn
08:56 < hobbsc> when i connect to my openvpn box, i receive the routes it's pushing out, but can't access any of the resources on those routes.  the openvpn box can see those networks and those vice-versa.  this wasn't an issue until i restarted the openvpn box.  could a routing statement be messed up?
08:56 < ecrist> firewall?
08:56 < hobbsc> off
08:56 < hobbsc> i'm connected, i have routes, etc.
08:57 < hobbsc> from those other networks, i can ping the servers' tun interface, but i can't ping any clients.  likewise for clientside.  i can ping the server that's handing out vpn, but nothing beyond it
08:57 < hobbsc> the router that has the other networks attached to it has a route for the vpn server as well
08:59 < ecrist> hobbsc: you're saying you have no firewall on your vpn server?
08:59 < hobbsc> right
08:59 < hobbsc> none
08:59 < ecrist> ip_forward set to on?
08:59 < ecrist> in the OS kernel
08:59 < hobbsc> not sure
08:59 < ecrist> what OS?
08:59 < hobbsc> wouldn't that be ipv4?
08:59 < hobbsc> opensuse
08:59 < ecrist> sysctl -a | grep ip_forward
09:00 < hobbsc> this vpn worked before i restarted the openvpn server
09:00 < ecrist> so?
09:00 < hobbsc> net.ipv4.ip_forward = 0
09:00 < hobbsc> so i don't know what changed
09:00 < ecrist> you need to set that to 1
09:00 < hobbsc> it's turned off
09:00 < ecrist> turn it on
09:00 < hobbsc> sure thing
09:00 < ecrist> I don't know where you put that in linux, but in freebsd it's in /boot/loader.conf
09:01 < ecrist> man sysctl and find out where to put sysctl overrides for reboot
09:01 < hobbsc> sysctl -w net.ipv4.ip_forward=1
09:01 < hobbsc> er
09:01 < hobbsc> yeah
09:01 < hobbsc> it's in /etc/sysctl.conf
09:01 < hobbsc> alright, it's on.  let me try again
09:02 < hobbsc> i can't imagine why a restart would cause everything to crap out
09:02 < hobbsc> that fixed it, though
09:02 < hobbsc> thank you
09:02 < hobbsc> i may not have added that to sysctl.conf
09:02 < ecrist> 'everything' didn't crap out, your sysctl setting wasn't set in /etc/sysctl.conf
09:02 < hobbsc> i'm aware, thanks
09:02 < ecrist> as such, the blame is completely on you. ;)
09:02 < hobbsc> i appreciate the assistance
09:03 < hobbsc> 90% of the time it's my fault anyway heheh
09:03 < hobbsc> thanks again
09:07 -!- Gilos [n=Gilos@kccsfw01.sec.sprint.net] has quit [Remote closed the connection]
09:12 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:15 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
09:28 < cybertron> hi, the bridge on my vppn server, which ip should it have? so any ip of my bridge range?
09:29  * |Mike| lols
09:29 < cybertron> o.O
09:29 < cybertron> my problem is that i cant reach my vpn net
09:29 < |Mike|> !howto
09:29 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:30 < cybertron> i read it often, so something i have to overread ;)
09:47 < reiffert> cybertron: the bridge got an ip of your lan range.
09:47 < cybertron> reiffert: the br0 oder br0:0 ?
09:47 < reiffert> cybertron: the bridge contains various interfaces. the local network interface and the one from openvpn (tap).
09:47 < reiffert> cybertron: there is no br0:0 in the howto.
09:48 < cybertron> hm no
09:48 < reiffert> ok, get rid of it then.
09:48 < reiffert> on top br0:0 alias interfaces are depreceated on linux.
09:48 < reiffert> x:0 is old style.
09:48 < cybertron> ok its is running on my wrt router
09:49 < reiffert> so?
09:50 < cybertron> reiffert: http://nopaste.info/f8661a4b60.html
09:50 < reiffert> just adding the tap if to your previous existing bridge will be enough.
09:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
09:50 -!- m1dnight [n=rfranzen@189.27.187.13.dynamic.adsl.gvt.net.br] has joined ##openvpn
09:50 < reiffert> which is brctl addif br0 tap0
09:51 < cybertron> my problem is I cant test vpn inside my lan? so i can connect to my openvopn with my internal ip but if i use the vpnip i can not ping
09:51 < reiffert> sentence does not parse.
09:51 < cybertron> lokalip: 192.168.1.23 vpnip 192.168.1.120 <--no ping to each other
09:51 < cybertron> -k+c
09:52 < reiffert> paste brctl show
09:52 < cybertron> http://nopaste.info/48c948185a.html
09:52 < reiffert> brctl show
09:52 < cybertron> erm sorry mom
09:52 < cybertron> http://nopaste.info/9ccc96794c.html
09:53 < reiffert> client local lan adapter ip is?
09:53 < cybertron> 192.1681.1.23 and .120 from the client gui
09:53 < reiffert> ping 1.100 works?
09:54 < cybertron> yes from 1.23
09:54 < cybertron> but ping 1.23 to 1.120 no
09:54 < reiffert>  ping 1.23 -> 1.100 works?
09:54 < cybertron> yes
09:54 < reiffert> does your client live in the server lan?
09:55 < cybertron> yes
09:55 < cybertron> mom
09:55 < reiffert> did you specify
09:55 < reiffert> !local
09:55 < vpnHelper> reiffert: "local" is a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
09:56 < reiffert> well, gotta go. be sure to test when your client is *not* in the server lan at the same time.
09:56 < reiffert> server side setup looks ok so far.
09:56 < reiffert> bbl
10:01 -!- MattJD [n=quassel@mc-193-93.IPReg.mcmaster.ca] has joined ##openvpn
10:03 -!- erpel [n=erpel@f050095173.adsl.alicedsl.de] has joined ##openvpn
10:05 -!- g0tcha [n=VaiO@41.252.40.105] has quit []
10:11 -!- MattJD [n=quassel@mc-193-93.IPReg.mcmaster.ca] has quit ["http://quassel-irc.org - Chat comfortably. Anywhere."]
10:15 -!- tomjones40000 [n=magic@41.121.115.46] has joined ##openvpn
10:15 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Nick collision from services.]
10:15 -!- tomjones40000 is now known as magic_1
10:17 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
10:21 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
10:43 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
10:47 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:47 < krzee> [11:51]  <cybertron> lokalip: 192.168.1.23 vpnip 192.168.1.120 <--no ping to each other
10:47 < krzee> !samesubnet
10:47 < vpnHelper> krzee: "samesubnet" is clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
10:48 -!- Kaspx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 104 (Connection reset by peer)]
10:49 < krzee> oh you're bridging
10:49 < krzee> nm
10:51 < cybertron> yes and now i got this problem krzee
10:51 < cybertron> http://nopaste.info/1845699838.html
10:52 < cybertron> i looked at the given link but thats not the problem
10:55 < cybertron> http://michaelellerbeck.com/2008/10/27/openvpn-client-hangs-on-dhcp-renewal-gets-apipa-address-instead/ i found this solution but cant belief that o.O
10:55 < vpnHelper> Title: OpenVPN Client hangs on DHCP renewal, recieves APIPA address instead. Resolved « Michael Ellerbeck (at michaelellerbeck.com)
10:57 < cybertron> so i got an ip for my client
10:58 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)]
11:01 -!- dazo is now known as dazo_afk
11:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:10 -!- hyper_ch [n=hyper@177-117.78-83.cust.bluewin.ch] has quit [Remote closed the connection]
11:25 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
11:28 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
12:11 -!- bytesaber_ [n=bytesabe@208-98-188-95.directcom.com] has joined ##openvpn
12:15 -!- erpel_ [n=erpel@g224213211.adsl.alicedsl.de] has joined ##openvpn
12:17 -!- kyrix [n=ashley@chello213047159139.33.11.univie.teleweb.at] has quit [Remote closed the connection]
12:18 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
12:24 -!- wedjat [n=wedjat@unaffiliated/wedjat] has left ##openvpn []
12:24 -!- erpel [n=erpel@f050095173.adsl.alicedsl.de] has quit [Read error: 113 (No route to host)]
12:29 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
12:30 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
12:51 -!- m1dnight [n=rfranzen@189.27.187.13.dynamic.adsl.gvt.net.br] has quit ["Saindo"]
12:53 -!- erpel_ [n=erpel@g224213211.adsl.alicedsl.de] has quit ["This computer has gone to sleep"]
12:58 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit ["Leaving."]
13:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
13:18 -!- Gilos [n=Gilos@kccsfw01.sec.sprint.net] has joined ##openvpn
13:48 -!- pm2 [i=47c2fcd3@gateway/web/freenode/x-guojjfhwnrndbhgf] has joined ##openvpn
13:52 < pm2> Hi - I have an OpenVPN server allowing users to connect to an office LAN.  Its a routed, tcp tunnel, that uses 192.168.8.0/24 addresses for clients.  The internal LAN uses 192.168.1.0/24.  If a user's home LAN is also using 192.168.1.0/24 addresses, will that cause some problem?
13:58 -!- rajin [n=_@port-10272.pppoe.wtnet.de] has quit [" I love my HydraIRC -> http://www.hydrairc.com <-"]
14:04 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
14:09 -!- phy [n=phy@l.monkey.org] has left ##openvpn []
14:09 < |Mike|> pm2: yeah that will clash..
14:10 < pm2> |Mike|: any good way around that other than changing our internal LAN IP scheme?
14:10 < ecrist> nope
14:10 < pm2> great...
14:10 < |Mike|> I would hike to 172.x :)
14:10 < pm2> OK, I guess I'll have to do that, thanks
14:11 < ecrist> good rule of thumb is to use 10/8 for corp networks
14:11 < |Mike|> most standard routers use those 192.168.1.0/24 ranges imho
14:11 < ecrist> 172.x for vpn
14:11 < ecrist> leave 192 alone
14:11 < |Mike|> Yep
14:11 < ecrist> or use IPv6 on it all
14:11 < pm2> This was all setup by my predecessor... Alright, I'll try to convince people that changing the IP scheme is a good idea
14:12 < ecrist> s/a good idea/required/
14:12 < |Mike|> Make a plan and stick to that!
14:12 < pm2> allright, thanks for the help all
14:12 -!- pm2 [i=47c2fcd3@gateway/web/freenode/x-guojjfhwnrndbhgf] has quit ["Page closed"]
14:13 < |Mike|> wow, that was easy.
14:14 < ecrist> we weren't even called any names that time
14:24 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:26 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
14:26 < mithridates> hey guys
14:26 < mithridates> I need a web-based software to monitor clients bandwidth and vpn account
14:27 < mithridates> is there any software for this purpose?
14:32 < ecrist> yes and no
14:32 < ecrist> all the software you need is available and free
14:32 < ecrist> you need to piece it all together yourself.
14:33 < ecrist> if I were you, I would assign static IPs and use SNMP with ipfw to monitor bandwidth utilization
14:34 < ecrist> or, give each user their own device and do that
14:34 < ecrist> I'd do with with snmp, myself.
14:34 < mithridates> umm
14:34 < mithridates> I will have more than 150 clients
14:35 < mithridates> which way is the best?
14:35 < ecrist> snmp + firewall monitoring
14:35 < ecrist> ipfw supports log
14:35 < mithridates> would tell me the name of services which I need?
14:35 < mithridates> because I should search for each of them
14:36 < mithridates> and it takes a long time
14:36 < ecrist> cacti
14:36 < ecrist> snmp
14:36 < ecrist> ipfw on freebsd
14:36 < ecrist> I can't do the work for you, though
14:36 < mithridates> I have centos
14:36 < mithridates> ah ok
14:36 < ecrist> don't know how to do it on centos
14:37 < ecrist> http://www.linux.com/archive/articles/50649
14:37 < vpnHelper> Title: Linux.com :: Bandwidth monitoring with iptables (at www.linux.com)
14:37 < mithridates> so first I should assign static ip to my clients
14:37 < mithridates> then I should monitor them by snmp or a web-based monitoring tools
14:37 < mithridates> ok , thank you man
14:38 < mithridates> what about billing system?
14:38 < mithridates> do u have any idea about billing system?
14:40 < ecrist> mithridates: I'm not here to build your business.
14:40 < ecrist> that's what you make money on.
14:40 < ecrist> :)
14:40 < mithridates> no I'm asking only to find a software
14:40 < ecrist> nope
14:40 < mithridates> I didn't ask you to configure my server
14:40 < ecrist> I'd try #billing_software
14:41 < mithridates> ah ok that's fine :D
14:41 < mithridates> thank you
14:41 < mithridates> :D
15:18 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
15:21 -!- OpenVPN [n=fn-javac@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
15:22 -!- OpenVPN [n=fn-javac@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Client Quit]
15:22 -!- OpenVPN_Guest [n=fn-javac@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
15:26 -!- OpenVPN_Guest [n=fn-javac@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Client Quit]
15:58 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.86 [Firefox 3.0.16/2009120208]"]
15:59 < reiffert> mithridates: I can sell you billing software...
16:02 < ecrist> OpenVPN is a registered nick name
16:02 < ecrist> tsk tsk
16:03 < reiffert> ecrist: and nother two devs.
16:03 < ecrist> two new devs?
16:03 < ecrist> reiffert: do you pay attention to the mailing list?
16:04 < |Mike|> Are you guys on LinkedIn btw? :)
16:04 < reiffert> -devel from time to time
16:04 -!- Irssi: ##openvpn: Total of 90 nicks [0 ops, 0 halfops, 0 voices, 90 normal]
16:04 < ecrist> the mattock guy created another channel, #openvpncommunity
16:04 < reiffert> ecrist: just kas and openvpn2009 and those OpenVPN and OpenVPN_Guest who join/parted.
16:05 < ecrist> looks like they're testing a java irc client
16:05 < reiffert> ecrist: someone should join that channel telling us whats going on there.
16:05 < mithridates> hi reiffert
16:05 < ecrist> I've been in that chan since it was created
16:05 < mithridates> plz come to pm
16:06 < reiffert> mithridates: please share your thoughts with all others, maybe they have ideas/improvement.
16:06 < Kas> I was just checking out a Java Client. No harm meant :-)
16:06 < ecrist> no harm at all, Kas. :)
16:06 < mithridates> ok
16:06 < reiffert> wacky, they really follow that channel!
16:06 < reiffert> :)
16:07 < mithridates> I'm gonna use cacti for monitoring the bandwidth but I'm not sure how can I manage users
16:07 < mithridates> aah
16:07 < mithridates> I got it
16:07 < ecrist> Kas: OpenVPN nick name is reserved for an upcoming channel bot
16:07 < mithridates> there is something to manage certificates of users
16:07 < mithridates> I can make them expired
16:07 < mithridates> am I right?
16:07 < |Mike|> yep
16:07 < Kas> No worries, I didn't mean to enter that name in the first place ;-)
16:08 < ecrist> mithridates: CRL will do that for you
16:08 < reiffert> mithridates: the logfile comes up with bytes transferred and so on. Keeping a history is a one line disconnect shell script.
16:08 < mithridates> !CRL
16:08 < vpnHelper> mithridates: "CRL" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with
16:08 < vpnHelper> mithridates: openvpn) that will create the CRL file for you. ssl-admin will also build a crl for you
16:09 < reiffert> btw, I really got impressed recently using Hamachi. I'm using it on 8 machines now. It's so much fun.
16:11 < mithridates> ok guys
16:11 < ecrist> I'm leery of a VPN that I don't control 100%
16:11 < ecrist> IMHO, it defeats the concept of VPN
16:11 < mithridates> I'm gonna do more research about billing and I will share what I get
16:12 < ecrist> I don't know what you're looking for as far as billing goes.
16:13 < ecrist> if you going to bill based on 95th percentile, cacti will tell you the value.  all you need to do is send the invoice...
16:13 < mithridates> ecrist: just I want a management system for openvpn
16:13 < mithridates> I don't even care about invoices right now
16:13 < ecrist> have you seen access server?
16:14 < mithridates> just I want to manage the bandwidth of each user , add, remove , suspend and some jobs like these
16:14 < mithridates> no
16:15 < ecrist> mithridates: have you seen openvpn status log?
16:15 < ecrist> Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
16:15 < mithridates> oh yes
16:16 < mithridates> I need to show it to my clients also
16:16 < reiffert> mithridates: check out the openvpn web gui
16:16 < mithridates> ok tnx
16:18 -!- joomie [n=joomie@adsl-67-127-55-75.dsl.pltn13.pacbell.net] has joined ##openvpn
16:20 -!- joomie [n=joomie@adsl-67-127-55-75.dsl.pltn13.pacbell.net] has quit [Client Quit]
17:31 < mithridates> !epoll
17:31 < vpnHelper> mithridates: Error: "epoll" is not a valid command.
17:31 < mithridates> !factoids search epoll
17:31 < vpnHelper> mithridates: No keys matched that query.
17:40 < reiffert> !factoids search --values epoll
17:40 < vpnHelper> reiffert: No keys matched that query.
17:41 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)]
17:43 -!- kala_ [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
17:45 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has quit []
17:46 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 104 (Connection reset by peer)]
17:52 < mithridates> reiffert: :D
17:52 < mithridates> is there anybody have installed openvpn-web-gui on linux like centos?
17:52 < mithridates> I couldn't do that :( it needs smarty, I installed smarty but the page still shows blank
17:54 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
18:24 < reiffert> mithridates: I remember that I was installing smarty manually and had some mess around with various permission problems etc.
18:41 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"]
18:52 < reiffert> the major problem is: reduce the security of your PKI down to a http password.
18:53 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 110 (Connection timed out)]
19:08 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: noooon, s0undt3ch, cybertron, krzie, dmarkey, oc80z, pekster, LittleJ, kc8pxy, dazo_afk,  (+63 more, use /NETSPLIT to show all of them)
19:10 -!- romero [n=user@mail.nfq.ktc.lt] has joined ##openvpn
19:11 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn
19:16 -!- SkyX [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
19:16 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
19:16 -!- Bushmills [n=nnnBushm@verhau.de] has joined ##openvpn
19:16 -!- krzie [n=krzee@unaffiliated/krzee] has joined ##openvpn
19:16 -!- MrJK [n=jezu@194.199.166.96] has joined ##openvpn
19:16 -!- julius [n=julius@217.20.127.15] has joined ##openvpn
19:16 -!- balboah [n=johnny@joonix.se] has joined ##openvpn
19:16 -!- endre [i=me2@urbnet.hu] has joined ##openvpn
19:16 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has quit [SendQ exceeded]
19:16 -!- MrJK [n=jezu@194.199.166.96] has quit [Killed by sagan.freenode.net (Nick collision)]
19:16 -!- julius [n=julius@217.20.127.15] has quit [Connection reset by peer]
19:16 -!- krzie [n=krzee@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
19:17 -!- balboah [n=johnny@joonix.se] has quit [Killed by sagan.freenode.net (Nick collision)]
19:17 -!- MrJK [n=jezu@194.199.166.96] has joined ##openvpn
19:17 -!- balboah [n=johnny@joonix.se] has joined ##openvpn
19:17 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
19:17 -!- Gilos [n=Gilos@kccsfw01.sec.sprint.net] has joined ##openvpn
19:17 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
19:17 -!- bytesaber_ [n=bytesabe@208-98-188-95.directcom.com] has joined ##openvpn
19:17 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
19:17 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
19:17 -!- sdh [n=steve@188.40.36.167] has joined ##openvpn
19:17 -!- noooon [n=var@vps-1005590-1468.united-hoster.de] has joined ##openvpn
19:17 -!- LittleJ [n=linuz@82.78.185.26] has joined ##openvpn
19:17 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
19:17 -!- lt83850c [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has joined ##openvpn
19:17 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
19:17 -!- Zordrak [n=jaz@unaffiliated/zordrak] has joined ##openvpn
19:17 -!- s0undt3ch [n=s0undt3c@80.69.34.147] has joined ##openvpn
19:17 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn
19:17 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
19:17 -!- dmarkey [n=dmarkey@dmarkey.xen.prgmr.com] has joined ##openvpn
19:17 -!- ^scott^ [n=scott@stthom.org] has joined ##openvpn
19:17 -!- Typone [n=nnnnitsm@195.197.184.87] has joined ##openvpn
19:17 -!- zykes- [i=zykes@zykes.themariachi.info] has joined ##openvpn
19:17 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn
19:17 -!- ScriptFanix [i=vincent@Tuluk.riquer.fr] has joined ##openvpn
19:17 -!- zamba [i=marius@flage.org] has joined ##openvpn
19:17 -!- agagag [n=anton@158.37.56.5] has joined ##openvpn
19:17 -!- Intensity [i=[lRD75M9@unaffiliated/intensity] has joined ##openvpn
19:17 -!- Optic [n=Optic@miso.capybara.org] has joined ##openvpn
19:17 -!- alan` [n=alan@rrcs-67-52-47-64.west.biz.rr.com] has joined ##openvpn
19:17 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn
19:17 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
19:17 -!- grub_booter [n=charlie@d54C519D5.access.telenet.be] has joined ##openvpn
19:17 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has joined ##openvpn
19:17 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
19:17 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
19:17 -!- plundra [i=404@article.se] has joined ##openvpn
19:17 -!- jmm [n=jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
19:17 -!- crazygir [n=jason@unaffiliated/crazygir] has joined ##openvpn
19:17 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn
19:17 -!- optiz0r [n=optiz0r@miranda.sihnon.net] has joined ##openvpn
19:17 -!- LowKey [i=rhel@unaffiliated/lowkey] has joined ##openvpn
19:17 -!- kc8pxy [n=gecko@75-145-57-201-utah.hfc.comcastbusiness.net] has joined ##openvpn
19:17 -!- cybertron [n=cybertro@84.200.248.176] has joined ##openvpn
19:17 -!- ewook [n=ewook@thales.fluffis.se] has joined ##openvpn
19:17 -!- phusion__ [i=phusion@88.80.16.38] has joined ##openvpn
19:17 -!- redfox [n=redfox2@91.121.78.62] has joined ##openvpn
19:17 -!- Rzewus [n=Rzewus@153.19.140.234] has joined ##openvpn
19:17 -!- int [n=quassel@wikia/int] has joined ##openvpn
19:17 -!- dmz [n=dmz@64.203.207.101.dyn-cm-pool-54.hargray.net] has joined ##openvpn
19:17 -!- Cap_J_L_Picard [n=ewanm89@unaffiliated/ewanm89] has joined ##openvpn
19:17 -!- dazo_afk [n=dazo@nat/redhat/x-clfzuciztghjjygs] has joined ##openvpn
19:17 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
19:17 -!- oc80z [n=oc80z@74.63.222.147] has joined ##openvpn
19:17 -!- eliasp [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
19:17 -!- disco- [i=disco@andromeda.h4xed.com] has joined ##openvpn
19:17 -!- zib [i=zib@slick.keff.org] has joined ##openvpn
19:17 -!- drue [n=drue@stiff.therub.org] has joined ##openvpn
19:17 -!- tarbo2_ [n=me@unaffiliated/tarbo] has joined ##openvpn
19:17 -!- Lyndon [n=late@62.142.98.18] has joined ##openvpn
19:17 -!- CaBa [n=caba@188.40.166.98] has joined ##openvpn
19:17 -!- hobbsc [n=zalgo@opensuse/member/hobbsc] has joined ##openvpn
19:17 -!- pekster [n=pekster@c-76-113-143-76.hsd1.mn.comcast.net] has joined ##openvpn
19:17 -!- stein0 [n=stein@mail.vgnett.no] has joined ##openvpn
19:17 -!- tompaw [n=tompaw@slave20.tesserakt.eu] has joined ##openvpn
19:17 -!- Diddi [i=diddi@zenit.bsnet.se] has joined ##openvpn
19:17 -!- _dren [i=dren@dereferenced.nullpointer.net] has joined ##openvpn
19:17 -!- krzie_ [n=krzee@butters.secure-computing.net] has joined ##openvpn
19:18 -!- julius [n=julius@217.20.127.15] has joined ##openvpn
19:19 -!- hyper_ch [n=hyper@84.226.234.60] has joined ##openvpn
19:31 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
19:45 -!- SkyX [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
20:12 -!- Dougy [n=douglas@64.18.144.2] has joined ##openvpn
20:12 < Dougy> hi kids
20:13 < mithridates> hi godfather
20:13 < Dougy> how are you
20:13 < mithridates> I'm not fine
20:13 < mithridates> I should implement a monitoring system for my openvpn server
20:14 < Dougy> You should buy a VPS from me and install nagios
20:14 < Dougy> (
20:14 < Dougy> (:
20:14 < mithridates> nagios?
20:14 < Dougy> or whatever it is that you uuse
20:14 < mithridates> I have a dedicated server
20:14 < Dougy> never heard of nagios?
20:14 < mithridates> and I installed everythings
20:14 < Dougy> ahh
20:14 < Dougy> where from?
20:15 < mithridates> I'm not famillar with monitoring tools
20:15 < mithridates> ca
20:15 < Dougy> !google nagios
20:15 < vpnHelper> Dougy: Nagios - The Industry Standard in IT Infrastructure Monitoring: <http://www.nagios.org/>; Nagios - Download: <http://www.nagios.org/download>; Nagios - Wikipedia, the free encyclopedia: <http://en.wikipedia.org/wiki/Nagios>
20:15 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
20:15 < mithridates> do u think it's possible to monitoring users' bandwidth ?
20:16 < mithridates> I need something like billing system
20:16 < Dougy> for VPN?
20:16 < Dougy> theDoc might be someone worth asking for that
20:16 < mithridates> when they use their bandwidth I need to make their certificates expired
20:16 < Dougy> i know he's into htat
20:16 < Dougy> that
20:16 < mithridates> I think I asked him
20:17 < mithridates> I donno why all IRC users are angry at me
20:17 < mithridates> they wanna kill me
20:18 < mithridates> theDoc: are u there man?
20:19 < mithridates> they answer my first question
20:19 < mithridates> then they kill me if I ask the second question
20:21 < Dougy> lol
20:22 -!- corretico__ [n=laguilar@201.201.46.106] has joined ##openvpn
20:23 < Dougy> mithridates: what provider is server from
20:24 < theDoc> Yeah, 'sup?
20:24 < theDoc> Sorry, was working on my stuff.
20:25 < Dougy> yeah yeah
20:25 < Dougy> thats what they all say
20:25  * Dougy punches theDoc 
20:25 < theDoc> Hey, I had to wiggle my junk
20:26 < theDoc> why are you guys running vpn companies when you guys don't know how to chart this stuff :P
20:26 < mithridates> oh sorry guys I wasn't
20:26 < theDoc> I'm just innately curious as to why people do it
20:26 < theDoc> lol
20:27 < theDoc> mithridates> So what are you doing, I'll tell you how it's done on my end at least.
20:27 < theDoc> Come to think of it, I actually have it working right, just that I need to fix the website.
20:27 < theDoc> Stupid graphic thingy.
20:28 < mithridates> I'm talking for some stuff to monitoring this stupid users' bandwidth
20:28 < theDoc> mithridates> AAA look at radius
20:28 < mithridates> radius?
20:28 < theDoc> yep, remote authentication dial in user service
20:29 < theDoc> radius with a sql backend for AAA
20:29 < mithridates> ok but how can I check my clients' bandwidth? and how can I suspend them if they use more than limitation of bandwidth
20:29 < mithridates> ?
20:30 < theDoc> mithridates> I've already told you. Look at radius and write some scripts to suspend them based on your data in the radius db
20:30 < mithridates> ah ok
20:30 < mithridates> thanks man
20:30 < mithridates> :D
20:31 < mithridates> I ask a lot instead of reading documents
20:31 < mithridates> sorry
20:31 < theDoc> it's not that really but i figured that you should be clear of what you want to do before embarking on anything.
20:33 < theDoc> now, if you'll excuse me, i need to get back to a meeting
20:33 < mithridates> :) thank you theDoc
20:33 < mithridates> you helped me
20:33 < mithridates> have a good time
20:33 < theDoc> i wish, i wish. :P more vpn customers and i would be
20:35 < Dougy> mithridates: i dont rtfm
20:35 < Dougy> i just harass ecrist and krzie_
20:35 < ecrist> naw, use ldap
20:36 < Dougy> see what im talking about
20:36 < Dougy> LOL
20:36 < Dougy> hey ecrist how are you
20:37 < theDoc> ecrist> ew, ldap?
20:37 < theDoc> That's annoying as fuck to use :P
20:37 < ecrist> theDoc: only if you don't know what you're doing
20:37 < Dougy> burn
20:38 < theDoc> ecrist> It's true, I don't know ldap.
20:38  * ecrist knows ldap
20:39  * Dougy is ignored
20:39 < ecrist> really, though, you could use anything as the authentication back end
20:40 < ecrist> Dougy: I'm fine.  How're you?
20:40 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)]
20:40 < Dougy> I am well
20:40 < Dougy> how was your new years / xmas
20:40 < ecrist> meh
20:40 < Dougy> me too
20:42 < theDoc> ecrist> is there a reason to prefer ldap over radius?
20:43 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Connection timed out]
20:43 < Dougy> hm ok
20:44 < Dougy> time to go find some other channels i know ops that will let me spam my product
20:44 < Dougy> :-D
20:46 < theDoc> Dougy> #freenode
20:46 < theDoc> rofl
20:46 < ecrist> theDoc: really you're comparing two different things
20:46 < ecrist> radius is a method, ldap is a storage backend
20:46  * Dougy hits theDoc with the idiot hammer
20:46 < ecrist> there just happen to be methods which can talk directly to ldap
20:47 -!- Dougy [n=douglas@64.18.144.2] has quit ["leaving"]
20:47 < ecrist> most common is pam_ldap, which uses the pam stack
20:47 -!- Douglas [n=douglas@64.18.144.2] has joined ##openvpn
20:47 < Douglas> 21:54 -!- Channel #freenode created Fri Feb  9 18:16:24 2001
20:47 < Douglas> 21:54 -!- Home page for #freenode: http://freenode.net/
20:47 < vpnHelper> Title: About the Network (at freenode.net)
20:47 < Douglas> 21:54 -!- Irssi: Join to #freenode was synced in 1 secs
20:47 < Douglas> 21:54 < Dougy> www.edgewire.sg
20:47 -!- Douglas is now known as Dougy
20:47  * Dougy gets akilled
20:47 < theDoc> That's not cool.
20:47 < Dougy> (:
20:47 < Dougy> theDoc: its ok
20:48 < theDoc> Not at all.
20:48 < Dougy> if your server gets attacked
20:48 < ecrist> akilled?
20:48 < Dougy> i have to pay the bandwidth bill
20:48 < Dougy> so chillax
20:48 < Dougy> lol
20:48 < theDoc> Dougy> That's annoying. I didn't ask you to spam my products.
20:48 < Dougy> Wahh
20:48 < theDoc> ecrist> Yeah. True.
20:49 < theDoc> Oh well.
20:50 < ecrist> Dougy: what's your deal?
20:50 < Dougy> who rang
20:50 < Dougy> oh
20:50 < Dougy> ecrist: i dunno
20:50 < Dougy> i think i'm going insane from cooping myself up inside so long
20:52 < ecrist> well, don't start spamming here...
20:52 < theDoc> lol
20:53 < theDoc> Such tough times.
20:53 < Dougy> ecrist: i know better
20:53 < Dougy> ofc
20:53 < ecrist> ofc?
20:53 < Dougy> of course
20:55 < theDoc> afk, skype meeting
20:55 < Dougy> fun
20:56 -!- corretico__ [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
20:56 < theDoc> Anything but fun, I'm about to be stationed in KL with no net connectivity
20:56 < theDoc> Don't remind me of it
20:56 < theDoc> :(
20:57 < Dougy> eew
20:57 < Dougy> pay me first
20:57 < ecrist> pay me first?
20:57 < ecrist> are you whoring again, dougy?
20:57 < Dougy> he understands
20:57 < Dougy> no sir
20:57 < Dougy> no no no
20:57 < Dougy> i assure you no
20:58 < theDoc> Dougy> Yeah, I will before I leave in the morning.
20:58 < theDoc> :P
20:58 < theDoc> After all, you were pretty rad last night
20:58 < Dougy> oh yes ;]
20:58 < Dougy> oh damnit ecrist you didnt see that
20:59 < theDoc> ecrist> You have no idea how flexible dougy is.
20:59 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
20:59 < Dougy> yo krzee
20:59 < Dougy> whats popn
20:59 < ecrist> theDoc: based on how sore my dog was the other day, I can only imagine.
20:59 < Dougy> :X
20:59 < krzee> just touched down in costa rica
20:59 < Dougy> i love you guys
20:59 < theDoc> Oh dear me.
21:00 -!- corretico__ [n=laguilar@201.201.46.106] has joined ##openvpn
21:00 < Dougy> i can tell you guys love me to
21:00 -!- corretico__ [n=laguilar@201.201.46.106] has quit [Client Quit]
21:00 < Dougy> its the love from behind kind of love
21:00 < theDoc> real rogues do it from behind.
21:01 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
21:06 < ecrist> dammit - forum is fubar
21:06 < ecrist> it appears someone did something nasty to the control panel
21:06 < ecrist> investigating
21:06 < Dougy> fubar where
21:06 < Dougy> i see nothing
21:08 < krzee> hrm, looks fine to me
21:09 < ecrist> click on 'Board Settings'
21:09 < krzee> hah im glad i can delete my own posts
21:09 < ecrist> some russians have been getting posts even though their accounts weren't active
21:10 < Dougy> woah
21:10 < Dougy> ecrist, security holes?
21:11 < ecrist> not sure, looking into it
21:11 < ecrist> krzee: why's that?
21:11 < krzee> i had responded to someones post in bragging rights asking what he wanted help with so i could move it to the right area
21:12 < krzee> not realizing, he posted in the right place and didnt need help
21:12 < krzee> lol
21:12 < Dougy> lol
21:12 < krzee> i just saw it and facepalmed
21:12 < Dougy> smooth moves, slick
21:12 < Dougy> i see more people coming to the forum slowly
21:12 < krzee> 1643
21:12 < krzee> i see you scripted up some cleaning ecrist
21:13 < krzee> 1643 total members
21:13 < Dougy> i bet you there are 5000 spambots
21:13 < Dougy> pending activation
21:13 < krzee> dude it was like 98% spambots before ecrist scripted something up to clean them out
21:13 < Dougy> Users Awaiting Email Confirmation 90
21:13 < Dougy> wtf
21:13 < Dougy> where the the 10k of them go
21:14 < theDoc> into my pocket :p
21:31 < krzee> To switch phones in the middle of an incoming call, just press * while you're talking, and your other phones will ring. Then, for example, you can pick up the call from your mobile phone (if you're about to head out), or from your desk. There are no passcodes or PINs to enter and, best of all, your caller won't even hear the switch.
21:31 < krzee> thats awesoe
21:31 < krzee> awesome
21:32 < ecrist> not sure what's up with the forum
21:33  * ecrist gives up and goes to bed
21:39 < Dougy> lol
21:41 < krzee> whoa
21:41 < krzee> goog voice does free outbound now too
21:41 < krzee> god i love the goog
21:41 < Dougy> :D
21:56 -!- Dougy [n=douglas@64.18.144.2] has quit ["Lost terminal"]
22:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
22:44 -!- kc8pxy [n=gecko@75-145-57-201-utah.hfc.comcastbusiness.net] has quit [Read error: 60 (Operation timed out)]
23:16 -!- tjz [n=tjz@bb121-7-11-34.singnet.com.sg] has joined ##openvpn
23:28 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
--- Day changed Tue Jan 05 2010
00:08 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
00:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:24 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"]
01:02 < reiffert> moin
01:14 -!- hyper_ch [n=hyper@84.226.234.60] has quit [Remote closed the connection]
01:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:19 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
02:08 -!- hyper_ch [n=hyper@73-44.3-85.cust.bluewin.ch] has joined ##openvpn
02:18 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:39 < jmm> hi
02:56 -!- dazo_afk is now known as dazo
03:00 -!- teddymills [n=teddy@208.92.235.227] has quit [Read error: 104 (Connection reset by peer)]
03:01 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
03:02 -!- master_o1_master [n=master_o@p57B53FD6.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)]
03:06 -!- master_of_master [i=master_o@p57B571BE.dip.t-dialin.net] has joined ##openvpn
03:12 -!- kyrix [n=ashley@chello213047159139.33.11.univie.teleweb.at] has joined ##openvpn
03:15 < mithridates> hi jmm
03:27 < Bushmills> krzee: free outbound is new. modes of operation aren't - still the same as from grandcentral times. only that voice-to-text was added.
03:28 < Bushmills> i suppose you'll have the option to receive incoming-call related advertising soon.
03:29 < Bushmills> and grand central have 5 $ credit, google just10 cents.
03:29 < Bushmills> gave3
03:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Excess Flood]
04:01 -!- wedjat [n=wedjat@unaffiliated/wedjat] has joined ##openvpn
04:26 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
04:26 < mithridates> do u know any client software fo MAC OS ?
04:26 < mithridates> !mac
04:26 < vpnHelper> mithridates: "mac" is Use Tunnelblick for the Mac. (http://code.google.com/p/tunnelblick/)
04:29 -!- romero [n=user@mail.nfq.ktc.lt] has quit ["leaving"]
04:56 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:01 -!- Artio [n=_@port-91015.pppoe.wtnet.de] has joined ##openvpn
05:03 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:04 < jmm> I setuped a small vpn with a server and client, I would like the client to be able to access the server's LAN. I followed the documentation on openvpn's website, but the client still have only access to the server.can somebody help please ? here is my config : http://pastebin.ca/1738633
05:05 < mithridates> jmm:  just wait I'm looking for what u want
05:05 < mithridates> I've seen an option
05:05 < jmm> hehe :)
05:06 < reiffert> jmm: read:
05:06 < reiffert> !route
05:06 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
05:06 < mithridates> ;client-to-client
05:06 < jmm> I check this.
05:07 < reiffert> mithridates: jmm wants to access the servers LAN.
05:07 < mithridates> aah ok :D sorry
05:07 < reiffert> mithridates: client-to-client allows openvpn clients to talk to openvpn clients.
05:07 < jmm> hehe.
05:08 < jmm> I found a documentation about it, but I'm pretty sure I misunderstood something.
05:08 < jmm> http://openvpn.net/index.php/open-source/documentation/howto.html#policy
05:08 < vpnHelper> Title: HOWTO (at openvpn.net)
05:09 < reiffert> jmm: see above.
05:09 < jmm> I'm not sure of where to see.
05:10 < jmm> !route
05:10 < vpnHelper> jmm: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
05:12 < jmm> it doesn't looks like what I'm lookin for... I want to share server's lan, not client's lan.
05:13 < mithridates> jmm: I think u can do it by netfilter
05:13 < mithridates> it's about routing
05:13 < mithridates> am I right?
05:13 < reiffert> mithridates: nonsense.
05:13 < reiffert> jmm: the !route does both, however.
05:14 < jmm> oh cool.
05:14 < jmm> I'll read more so !
05:15  * reiffert calls the vogons with their death rays.
05:15 < cpm> leave the vogons out of this please. can't take the shouting this early.
05:16 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
05:16 < reiffert> Maybe Wowbagger then?
05:18 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
05:19 < jmm> reiffert: I don't think it's the right doc, you must be wrong.
05:19 < jmm> it's all about client configuration.
05:20 < reiffert> jmm: and you want to make the client access the servers lan....
05:21 < reiffert> jmm: which is: make client1 talk to 192.168.2.0 in the howto.
05:21 < reiffert> (in the link given above)
05:21 < jmm> right , but client to client, I want to do client to server.
05:21 < jmm> the others computers are not part of the vpn.
05:22 < reiffert> allright, ignore me then.
05:23 < reiffert> u know, it's just that 5 people per day come in and happily live with that article, but you know it better, obviously.
05:23 < jmm> hehe, still thanks for the help, that doc has some interesting parts.
05:23 < jmm> pfft
05:24 < jmm> common you upset me.
05:24 < jmm> I bet you didn't even looked at the config I gave a link about.
05:25 < reiffert> why should I take a look at a working basic config you made from access the openvpn howto?
05:25 < jmm> it doesn't works.
05:25 < jmm> erm.
05:25 < jmm> maybe we don't understand well each other.
05:26 < reiffert> quote: "but the client still have only access to the server."
05:26 < jmm> yes.
05:26 -!- barefoot [n=magic@mail.virtuallogistics.co.za] has joined ##openvpn
05:26 < reiffert> basic working config.
05:26 < jmm> there is stuff to allow client to access server's lan.
05:26 < jmm> or at least what I trough I have to add.
05:27 < reiffert> yeah, the route reaches you client ...
05:27 < reiffert> your client can talk to your servers lan.
05:27 < jmm> I cannot ping any others computer on that lan.
05:27 < reiffert> you even have a route back on your firewall
05:28 < reiffert> then start some packet tracers, e.g tcpdump and follow that damn ping and ping-reply and see where it bails out
05:29 < jmm> let's try it. I'm not very good with those tool yet.
05:29 < reiffert> tcpdump -n -i interface proto ICMP
05:29 < reiffert> interface in eth0, tun0, eth1 etc
05:30 < jmm> roger.
05:32 < jmm> I can see the icmp echo request coming to the firewall, then to the openvpn computer.
05:32 < jmm> but I don't see any answer.
05:32 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 60 (Operation timed out)]
05:32 -!- magic_1 [n=magic@41.121.41.8] has joined ##openvpn
05:33 < reiffert> who is pinging who?
05:33 < jmm> the client is pinging a host( 192.168.1.121 ) on the server's lan.
05:33 < jmm> I tcpdumped from the firewall and openvpn server.
05:34 < reiffert> the request is 1st coming to the openvpn server
05:34 < reiffert> then to 1.121
05:34 < reiffert> from there a reply is sent to your lans gateway (firewall?)
05:34 < jmm> lemme check.
05:34 < reiffert> then back to openvpn server (1.123?), then back to client
05:34 < reiffert> sigh, thats what I meant by writing "follow".
05:35 < jmm> oh
05:35 < jmm> I got a reply on the 192.168.1.121 computer.
05:35 < jmm> but it doesn't reach the openvpn server.
05:35 < reiffert> so ...
05:35 < jmm> I guess I miss a route there.
05:36 < reiffert> whats inbetween, no a firewall.
05:36 < reiffert> 1.121 sends everything to its gateway
05:36 < reiffert> have a look on its gateway.
05:36 < jmm> oh yea it's 192.168.1.250 !
05:37 < reiffert> so tell 1.250 to send everything openvpn related to 1.123
05:37 < jmm> route add -net 10.11.12.0/24 gw 192.168.1.123
05:37 < reiffert> ...
05:37 < jmm> erm.
05:37 < reiffert> thats what your already got here:
05:37 < reiffert> http://pastebin.ca/1738633
05:37 < reiffert> #
05:37 < reiffert> 10.11.12.0      192.168.1.123   255.255.255.0   UG    0      0        0 eth1
05:37 < reiffert> line 41.
05:37 < jmm> oh it's not to be added on 192.168.1.121 ?
05:38 < reiffert> no, why should you do that?
05:38 < magic_1> hi guys
05:38 < jmm> because 192.168.1.121 send reply and 192.168.1.123 doesn't see those.
05:38 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:39 < reiffert> jmm: adding routes .. want to do that on 254 computers or just on one?
05:39 < jmm> hehe I'd better do it just on one.
05:40 < reiffert> however, all this is in !route.
05:40 < reiffert> but it must be wrong.
05:40 < jmm> heh you're helpfull, try to be cool too.
05:40 < jmm> :)
05:41 < reiffert> quote: "4) Because 192.168.2.20 has no route for 10.8.0.6, it sends the traffic to its default gateway which is 192.168.2.1 "
05:41 < magic_1> anyway i can help
05:42 < jmm> reiffert: I think I understand better now.
05:42 < jmm> Thanks for your help and patience, I'll be back after lunch to fix all that.
05:43 < reiffert> jmm: talk to magic_1, he can help anyway.
05:44 -!- theDoc [n=hex@69.10.59.166] has joined ##openvpn
05:45 < jmm> allright magic :)
05:45 < theDoc> hi all :)
05:45 < jmm> magic_1: I'm afk for lunch , but I'll try to be back quite soon.
05:45 < mithridates> hi theDoc :D
05:46 < mithridates> I was waiting to catch u :D
05:46 < theDoc> You were?
05:46 < mithridates> not really
05:46 < mithridates> but I want to ask something
05:46 < theDoc> I thought so.
05:46  * theDoc goes to fire up gns3.
05:46 < theDoc> Yeah, go ahead and ask
05:46 < mithridates> :D
05:47 < mithridates> everyone knows in #openvpn that I want to implement a monitoring system :P
05:47 < mithridates> I wanted to know the best solution
05:47 < theDoc> well, i don't. :P
05:48 < mithridates> yes, you were the exception
05:48 < mithridates> LD
05:48 < mithridates> let me to explain it for u
05:48 < reiffert> mithridates: use openvpn web gui, it already got everything.
05:48 < mithridates> but it doesn't work on centos
05:49 < mithridates> I installed smarty and other packages
05:49 < reiffert> track down why it doesnt work then.
05:49 < reiffert> - or - re-implement the wheels.
05:49 < mithridates> but the page is still blank
05:49 < reiffert> still blank after tracking down the problems? doubt that.
05:50 < theDoc> mithridates> what exactly do you want to monitor?
05:51 < mithridates> ok theDoc
05:51 < mithridates> good question :D
05:51 < mithridates> I want to monitor the amount of bandwidth which each user uses
05:51 < theDoc> mithridates> How many users do you have?
05:51 < mithridates> more than 100
05:51 < mithridates> just a perfect user management
05:52 < mithridates> users should be able to see their usage in the web
05:52 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
05:52 < mithridates> the program should block them if they use more than bandwidth limitation
05:53 < theDoc> mithridates> i have a custom setup here which does that for me.
05:53 < mithridates> I know that's not possible by using a program
05:53 < theDoc> mithridates> whcms and AAA.
05:53 < mithridates> ok
05:53 < mithridates> WHMCS?
05:54 < theDoc> mithridates> How are you handling your AAA at the moment?
05:54 < mithridates> I don't know what AAA?
05:54 < mithridates> what's that?
05:54 < mithridates> :(
05:54 < reiffert> mithridates: wanna have a screenshot?
05:55 < mithridates> what's AAA?
05:55 < theDoc> mithridates> How are you handling your user accounts at the moment.
05:55 < mithridates> nothing
05:55 -!- barefoot [n=magic@mail.virtuallogistics.co.za] has quit [Read error: 113 (No route to host)]
05:55 < mithridates> manually
05:55 < theDoc> via pam?
05:55 < mithridates> I will have 100 users
05:55 < mithridates> I don't have any user right now
05:55 < mithridates> just 4 users for test
05:56 < theDoc> mithridates> where are you pulling out this number of 100 anyway?
05:56 < theDoc> O_o
05:56 < mithridates> let me to say everything first
05:56 < mithridates> I have a dedicated server
05:57 < theDoc> Yeah, go ahead. I'm going to load up the configs for my boxes first
05:57 -!- Diffen [n=diffen@226.234.241.83.in-addr.dgcsystems.net] has joined ##openvpn
05:57 < reiffert> mithridates: I'm creating screenshots for you ...
05:57 < mithridates> I installed openvpn and it shares internet by SNAT for my clients which want to bypass filtering in IRAN
05:57 < mithridates> reiffert: would you give me the link of that plz?
05:58 < mithridates> no I want to use a monitoring system
05:58 < mithridates> to have an automation system
05:58 < theDoc> mithridates> Jesus christ. We know you want a monitoring system. I want to know what you have at the moment.
05:58 < mithridates> because they are growing
05:58 < mithridates> nothing
05:58 < mithridates> I have openvpn
05:59 < mithridates> and TLS/SSL
05:59 < mithridates> and also snmpd
05:59 < mithridates> these are all I have
06:00 < theDoc> mithridates> I suggest you look at AAA before running in head first. There's a fair bit of learning for you to do.
06:00 < mithridates> !AAA
06:00 < vpnHelper> mithridates: Error: "AAA" is not a valid command.
06:00 < theDoc> radius/ldap, sql, some-front-end.
06:00 < theDoc> iptables is also your friend.
06:01 < mithridates> and whmcs?
06:01 < reiffert> mithridates: http://snap.reifferscheid.org/owg/
06:01 < vpnHelper> Title: Index of /owg (at snap.reifferscheid.org)
06:01 < Diffen> hello. are there any guides that takes you through on how to setup openvpn on a single-nic machine that are connected directly to internet. i have done all the certificates and so on. im getting connected but no ip-address to my vpn client. im running out of ideas here :(
06:01 < theDoc> mithridates> I have a custom coded whmcs setup. Chances are, you aren't going to be going down that route.
06:02 < mithridates> woow reiffert
06:03 < mithridates> it what I need
06:03 < mithridates> and also I can make a report system by mail to my clients
06:03 < mithridates> its what I need
06:03 < reiffert> ...
06:03 < mithridates> have u installed it on bsd or linux?
06:03 < magic_1> apologies, i am back
06:04 < magic_1> had a business call that came up
06:04 < reiffert> What I was adding is the history stuff and downloading *config* and required certs as zipfile.
06:04 < magic_1> had to sort some stuff out quick
06:04 < magic_1> where do we seem to be
06:04 -!- ewook [n=ewook@thales.fluffis.se] has quit ["server goes home!"]
06:04 < mithridates> I started a topic in openvpn web gui forum but they didn't answer me | it was about installing on centos 5
06:05 < magic_1> yea i can understand why that didnt work
06:05 < mithridates> why ?
06:05 < magic_1> to be honest with you i see it being a 2 fold solution
06:07 < mithridates> what's ur mean?
06:07 < mithridates> reiffert: there is no guideline to install it on centos
06:07 < reiffert> mithridates: so?
06:07 < reiffert> mithridates: write one.
06:07 < mithridates> I tried by my self but it doesn't work
06:07 < reiffert> mithridates: make it work then.
06:08 < mithridates> yes I need to do that :)
06:08 < theDoc> mithridates> Look man, you really shouldn't come running in here and telling us it doesn't work. We all know it doesn't work that's why you are here. You need to actually have an idea what is broken. More often than not, the server logs generate some decent output.
06:09 < theDoc> and do read up on AAA because you're lacking in that department.
06:10 < mithridates> theDoc: sure , I want to follow what u said
06:10 < reiffert> mithridates: no, you dont.
06:10 < mithridates> =))
06:10 < reiffert> radius with sql backend for AAA?
06:10 < magic_1> there are guide lines, i use CentOS myself
06:11 < mithridates> reiffert: no I mean , I will read about AAA and radius and ldap, ok? :D
06:11 < magic_1> but i have used it for a while until now
06:11 < reiffert> let's see, wikipedia knows about 50 expandations for "AAA"
06:11 < magic_1> hahahahaha
06:11 < magic_1> that is true
06:11 < theDoc> reiffert> what's wrong with using radius with a sql backend for aaa?
06:12 < magic_1> well radius is going to be your best bet
06:12 < reiffert> theDoc: leaving the "keep it simple" rule.
06:12 < magic_1> but radius is not the easiest to setup
06:12 < theDoc> shrug
06:13 < magic_1> you have got a few options to be honest
06:13 < mithridates> uhum
06:13 < mithridates> I saved this chat,
06:13 < magic_1> the simplist could be the following
06:13 < reiffert> theDoc: what do we have here, a guy that is not running thousands of customers and on top he looks very overcharged with everything...
06:13 < buntfalke> Hi
06:14 < buntfalke> I get this message after I enabled IPv6
06:14 < buntfalke> http://paste.frubar.net/11675
06:14 < theDoc> i think radius is the simplest to manage in the long run but to be frank, it's probably a real pain to get it setup right if you don't have radius experience.
06:14 < buntfalke> Any hint's on how to fix it?
06:14 < theDoc> reiffert> Yeah true that I was kind of thinking of him being able to easily scale it up instead of running something like local pam and then migrating to radius.
06:14 < magic_1> use vyatta to setup openvpn as it has a gui interface to setup with
06:14 < reiffert> buntfalke: there has been some ipv6 discussion on the mailing lists. Never saw such a thing in here
06:14 < magic_1> raduis is best suited for this, but trust me its no walk in the park
06:15 < buntfalke> reiffert: Any idea what it actually means?
06:15 < magic_1> specially if you are going to be using freeradius
06:15 < mithridates> ah ok guys
06:15 < mithridates> thank u
06:15 < mithridates> I will come back with a monitoring solution
06:15 < mithridates> :D
06:15 < theDoc> freeradius almost killed me when i learnt it
06:15 < magic_1> but it depends you could use some other systems as well
06:15 < magic_1> can say that again
06:15 < buntfalke> reiffert: the server pushes the option "ifconfig-ipv6" to my, the client, but my version of openvpn doesnt understand such an option?
06:15 < reiffert> buntfalke: I could repeat the error message for you, but thats probably all I can do for you here.
06:16 < mithridates> theDoc: is it commercial? the radius?
06:16 < reiffert> buntfalke: which means something like: unrecognized option - or - missing parameter in your PUSH-OPTIONS
06:16 < reiffert> buntfalke: especially: route-ipv6 and ifconfig-ipv6.
06:16 < magic_1> mithridates, what you could use is a integrated solutions like the following
06:16 < buntfalke> yes, so what i described, right?
06:16 < buntfalke> Hmm
06:16 < theDoc> mithridates> opensource, freeradius but take heed, you'd probably want to run that on a -separate- server somewhere else and not locally on your openvpn servers
06:16 < magic_1> there are some easy to setup linux bandwidth montiring per IP solution
06:16 < reiffert> buntfalke: got openvpn 2.1.1?
06:17 < mithridates> theDoc: oh god, I don't have enough budget to do that :(
06:17 < buntfalke> reiffert: 2.1.0
06:17 < magic_1> what you could do then is , make sure that openvpn gives static IP per key, this way you will know
06:17 < magic_1> this is a crude solution, however it will work
06:17 < reiffert> buntfalke: dont think there has been much improvement between 2.1.0 and 2.1.1, just some bug fixing.
06:17 < theDoc> magic_1> That's a really crude solution to it.
06:18 < mithridates> magic_1: how can I set static ip per client? by ipp.txt?
06:18 < reiffert> magic_1: come on ... assing the traffic to the common name is *easy*
06:18 < magic_1> yea
06:18 < magic_1> it is
06:18 < theDoc> magic_1> the dhcp pool should be randomized based on a certain number of virtual ips to provide anonymity which are tied to the nics :P
06:18 < theDoc> or at least, to most people :P
06:18 < reiffert> it's a 2 line shell script talking to whatever database (starting by files)
06:18 < magic_1> look if you dont want bells and wistles etc... you could do a very straight forward solution
06:19 < theDoc> Yes, i know it's not exactly anonymous
06:19 < reiffert> theDoc: what?
06:19 < theDoc> reiffert> n/m.
06:19 < reiffert> theDoc: you want anonymity? unplug the cable.
06:20 < magic_1> yep, but the thought in his mind i am sure , it to offer a solution, i was mearly pointing out that yea look you can do it with minimal systems, however it would not be something i would recomend
06:20 < theDoc> reiffert> don't forget to hide in the bunker.
06:20 < theDoc> magic_1> There's no easy/cheap way to do this and still make it look nice.
06:20 < theDoc> at least not something i'm aware of at the moment.
06:21 < magic_1> i agree 100%
06:21 < reiffert> magic_1: all he really needs is a disconnect script on the server side, echo'ing the environmental variables to whatever he uses for storing values.
06:21 < mithridates> what do I use for my clients with windows vista?
06:21 < magic_1> openvpn
06:21 < reiffert> mithridates: openvpn client for windows vista.
06:21 < mithridates> is there something strange ?
06:21 < magic_1> will work on it as well
06:21 < reiffert> mithridates: polish is strange.
06:26 < reiffert> next.
06:38 < jmm> magic_1: I'm back .
06:42 < magic_1> how can i help jmm
06:43 < jmm> I've got a small vpn setup which is  working, there is one client, and one server.I'd like to allow the client to access server's lan.I followed some docs and with reiffert's help I nearly succed.
06:44 < jmm> my last problem is that answers packets coming from lan use lan's default route and not the vpn.
06:44 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
06:44 < jmm> http://pastebin.ca/1738633
06:44 < jmm> here is my configs.
06:45 < magic_1> let me check quick
06:46 < reiffert> jmm: before leaving for food you only had to add a simple route command which you already had ...
06:46 < reiffert> why starting all over?
06:46 < jmm> I'm not starting over, that missing route is my last problem.
06:47 < jmm> the route seems here, but for some reason it doesn't works.
06:47 < jmm> see :
06:47 < jmm> 10.11.12.0      192.168.1.123   255.255.255.0   UG    0      0        0 eth1
06:47 < reiffert> on 1.250
06:47 < reiffert> so tcpdump -n ..
06:48 < reiffert> reply reaches 1.250?
06:48 < reiffert> and ends there?
06:48 < magic_1> dont suppose you have some sort of diagram of your setup
06:48 < reiffert> then check your firewall on 1.250.
06:49 < jmm> I don't infortunatly. I works there for just a few weeks.
06:49 < magic_1> what is the IP on the server side, and what is the IP on the client side
06:51 < jmm> gimme a second, I locate where the reply ends.
06:52 < reiffert> magic_1: lan 192.168.1.0/24 lan-gw: 1.250, lan openvpn server: 1.123
06:52 < jmm> yes it ends on the firewall 192.168.1.250
06:52 < reiffert> magic_1: openvpn net: 10.11.12.0/24
06:52 < reiffert> jmm: fix your firewall on 1.250 then.
06:54 < jmm> 10.11.12.0      192.168.1.123   255.255.255.0   UG    0      0        0 eth1
06:55 < jmm> 192.168.1.123 is openvpn server. is that route ok on the gateway ?
06:55 < reiffert> it was and it still is...
06:56 < reiffert> check that damn firewall on that gateway.
06:56 < magic_1> i take it the 2 are not on the same subnet
06:56 < jmm>  I did, it seems ok.
06:56 < magic_1> as it seems so , apologies as i just need to tick my trouble shooting list here
06:57 -!- Alfafa [n=hhj@94.101.209.34] has joined ##openvpn
06:58 < reiffert> jmm: disable the firewall on that gateway.
06:58 < jmm> it's not possible, people are using it :(
06:58 < kyrix> jmm, not disable the gateway, the filtering, etc..
06:59 < reiffert> jmm: linux?
06:59 < kyrix> jmm, just drop the filtering
06:59 < jmm> reiffert: yes.
06:59 < reiffert> jmm: iptables -P INPUT ACCEPT
06:59 < reiffert> same for FORWARD and OUTPUT
06:59 < jmm> okay.
07:00 < jmm> oh woot it works !
07:01 < jmm> uhh now I'll have to dig that ipcop stuff trough :\
07:01 < jmm> thanks for your help guys.
07:01 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)]
07:01 < kyrix> !firewall
07:01 < vpnHelper> kyrix: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
07:02 < kyrix> :D
07:02 -!- Diffen [n=diffen@226.234.241.83.in-addr.dgcsystems.net] has quit ["This computer has gone to sleep"]
07:02 < reiffert> or have a look at the topic ..
07:02 < jmm> !topic
07:02 < vpnHelper> jmm: Error: "topic" is not a valid command.
07:02 < jmm> ops
07:02 < reiffert> kyrix: but all those links we have are all just wrong.
07:02 < kyrix> topic is the message you get when u login
07:02 < reiffert> type: /topic
07:02 < jmm> heh I did.
07:02 < kyrix> slash
07:03 < kyrix> i wish i had read the topic when i set up my first vpn
07:04 < reiffert> jmm: you get money for this?
07:04 -!- Alfafa [n=hhj@94.101.209.34] has quit ["leaving"]
07:04 < jmm> yes I'll do.
07:04 < jmm> I find you guys are hard with me.
07:04 < magic_1> everything is fine on your config, i would agree , it seems a FW issue
07:04 < reiffert> jmm: how about some donation then?
07:05 < jmm> it may not looks like but I'm not that bad. I've read docs before coming and that firewall stuff seemed ok at first.
07:05 < jmm> I earn 1150 euros a month. I don't give money to anyone.
07:05 < kyrix> hehe
07:05 < jmm> :)
07:05 < reiffert> Uh, you'll get more in slavery...
07:05 < kyrix> a donation can be $10
07:06 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:06 < kyrix> its good to donate to opensource projects
07:06 < kyrix> even if its very little
07:06 < jmm> I better contribute when I can.
07:06 < kyrix> well thats ok too
07:07 < kyrix> but most people, even myself, a software dev, consume a lot more than we produce
07:08 < kyrix> and i dont know how openvpn is doing, but some projects really could use cash :D
07:08 < reiffert> as in $$$.
07:09 < kyrix> work out time take care
07:10 -!- kyrix [n=ashley@chello213047159139.33.11.univie.teleweb.at] has quit ["Leaving"]
07:40 -!- FlaPer87 [n=FlaPer87@unaffiliated/flaper87] has joined ##openvpn
07:40 < FlaPer87> hey guys
07:40 < FlaPer87> what does "Authenticate/Decrypt packet error: cipher final failed" means?
07:40 -!- Winkie [n=urmom@ur.fa.gs] has joined ##openvpn
07:41 < Winkie> so hey, a quick question i've yet to be able to figure out. I'm running a server with server-bridge so that the local DHCP server (listening on tap0) can see requests and can update DNS with said requests
07:41 < Winkie> however, the client is proving to be a pain
07:41 < Winkie> if i bring it up, and then manually 'dhclient tap0' it works fine
07:41 < Winkie> but any combination of scripts i have tried to run dhclient on tap0 through the config fails, the packets just aren't transmitted
07:42 < Winkie> should i be using --up or --ipchange or similar?
07:42 < Winkie> i'm thinking it's probably the latter
07:42 < Winkie> hmm nope doesn't look like it
07:43 -!- Diffen [n=diffen@226.234.241.83.in-addr.dgcsystems.net] has joined ##openvpn
07:48 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn
07:50 < krzee> !c2c
07:50 < vpnHelper> krzee: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you want to use selective firewall rules on what clients can access things behind
07:50 < vpnHelper> krzee: other clients.
07:51 < krzee> damn i have part of that backwards
07:51 < krzee> !client-to-client
07:51 < vpnHelper> krzee: "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
07:51 < vpnHelper> krzee: other clients
07:51 < krzee> !forget c2c
07:51 < vpnHelper> krzee: Joo got it.
07:51 < krzee> !learn c2c as [client-to-client]
07:51 < vpnHelper> krzee: Joo got it.
07:51 < krzee> there we goes
07:58 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
08:04 < FlaPer87> hi guys, I've push "dhcp-option DNS 192.168.2.1"
08:04 < FlaPer87> in my config
08:05 < FlaPer87> but for some reason the dns doesn't change when I connect to VPN
08:05 < FlaPer87> any idea of what I should check?
08:06 < Rienzilha>  iirc the name of the dhcp option is different
08:06 < Rienzilha> nameserver or name-server iirc
08:09 < dazo> FlaPer87:  are you running Windows?
08:09 < dazo> on the client
08:09 < krzee> !pushdns
08:09 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit
08:10 -!- Diffen [n=diffen@226.234.241.83.in-addr.dgcsystems.net] has quit ["This computer has gone to sleep"]
08:10 < Rienzilha> sorry I was wrong
08:10 < FlaPer87> dazo: linux
08:11 < krzee> in linux you need a script for that
08:11 < krzee> i believe it comes in the tgz
08:11 < krzee> !download
08:11 < vpnHelper> krzee: "download" is www.openvpn.net/download to download openvpn
08:11 < FlaPer87> thanks
08:11 < krzee> its named something like update-resolv
08:12 < krzee> iirc
08:12 < dazo> FlaPer87:  Depending on your distro ... you might need a helper script as well .... but you need a resolvconf package for sure ... and the update script then tells a resolvconf updater about the new DNS, which updates /etc/resolv.conf properly
08:20 < dazo> FlaPer87:  I didn't find the original place I was looking for (/me curses Google for reordering the search results) ... but this is closer to something http://www.daniweb.com/forums/thread165269.html#
08:20 < vpnHelper> Title: openvpn, dns not pushed on linux client - *nix Software (at www.daniweb.com)
08:21  * FlaPer87 reads, thanks dazo
08:21 < ecrist> good morning
08:29 < havoc> morning
08:29 < krzee> moinmoin
08:39  * ecrist deletes 3230 users from ovpnforum.com
08:40 < havoc> idle/dead accounts?
08:41 < ecrist> spam
08:41 < ecrist> users with reg date more than 15 days ago with 0 post count
08:41 < havoc> ah
08:41 < ecrist> we get a *ton* of spam on the forum
08:41 < ecrist> none of it makes it to public view anymore due to hard work my mods 
08:42 < ecrist> all users who have less than 2 posts are required to be moderated 
08:42 < havoc> nice
08:45 < FlaPer87> If I have 2 nameserver in the resolv.conf shouldn't it try to resolv the domain I'm trying to acces with both nameservers? My resolv.conf is having a strange behavior, it tries with the first line and then fails
08:46 < ecrist> 1979 disapproved posts so far
08:46 < ecrist> no, FlaPer87 
08:46 < FlaPer87> hmm, too bad
08:46 < FlaPer87> ecrist: thanks
08:46 < ecrist> it only tries the second and subsequent servers if the first server is unreachable
08:46 < FlaPer87> ecrist: oh, I understand
08:46 < FlaPer87> didn't know that
08:47 < FlaPer87> thanks
08:48 < ecrist> a 'domain not found' message is considered an answer
08:48 < ecrist> DNS isn't like a child that asks dad, "can I go to the park" and when dad says no, asks mom the same question. :)
08:54 -!- Artio [n=_@port-91015.pppoe.wtnet.de] has quit [Connection timed out]
08:57 < wedjat> hello everybody
08:57 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
08:57 < wedjat> is it possible to route Roadwarriors through a site-to-site VPN ?
08:57 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
08:59 -!- tomjones4000 [n=magic@196.214.3.250] has joined ##openvpn
08:59 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 60 (Operation timed out)]
09:00 -!- lt83850 [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has joined ##openvpn
09:00 < ecrist> wedjat: not sure what you mean
09:03 < wedjat> ecrist: well, i have some roadwarriors who can access to a LAN behind a firewall.
09:04 < wedjat> ecrist: this firewall is connected to another firewall with a site-to-site OpenVPN. Then, it can access the other LAN behind the other firewall.
09:04 < havoc> you just need the correct routes
09:04 < wedjat> in fact, i want roadwarriors who access the first LAN, to access the second LAN
09:04 < havoc> I've done exactly that
09:05 < wedjat> havoc: yes. But i have some problems using the instructions "push route", "route" and "client-to-client"
09:05 -!- lt83850c [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has quit [Read error: 60 (Operation timed out)]
09:05 < havoc> "client-to-client" has nothing to do with accessing the lan(s)
09:05 < ecrist> !route
09:05 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:08 < havoc> routing is pretty simple once you understand it
09:08 < Winkie> going to repeat my question from before, cause someone here might have a clue
09:08 < Winkie> i'm bringing up a vpn with 'server-bridge' set, in order that dhcp requests go to a dhcp server listening on tap0
09:08 < havoc> I had 2 sites connected by VPN, and vpn servers at each site, clients could connect to either site or both and have access to both whichever way
09:09 < Winkie> however, using 'up', even with 'up-delay', calling dhclient results in none of the broadcast traffic getting to the other side of the domain
09:09 < Winkie> if i run dhclient post the interface coming up, it works fine
09:09 < Winkie> but i can't trigger that from openvpn's scripts
09:09 < havoc> Winkie: so this is a client issue on linux?
09:09 < Winkie> havoc: it is indeed
09:10 < havoc> Winkie: distro?
09:10 < Winkie> havoc: ubuntu 9.10
09:10 < Winkie> Version: 2.1~rc19-1ubuntu2
09:10 < havoc> Winkie: this might help: http://hans.fugal.net/blog/2009/01/06/putting-openvpn-in-its-place/
09:10 < Winkie> openvpn version
09:10 < vpnHelper> Title: Putting OpenVPN in its place | The Fugue (at hans.fugal.net)
09:10 < Winkie> havoc: i read that but didn't see anything relevant, let me have another check
09:10 < havoc> towards the end it has ubuntu/debian specific dhcp client stuff
09:11 < Winkie> havoc: ha interesting
09:11 < havoc> read it again :) there is specific mention of ovpn dhcp options being ignored or something, and there is a workaround
09:11 < Winkie> indeed, i will be working on that momentarily :D
09:12 < havoc> the key is making sure the tun/tap iface is up first no matter what
09:18 < wedjat> havoc: ok, i have already read the documentation about routing, but i will search once again. Do you think OpenVPN can conflict with IPSec ? The truth is that i have another connection between my two firewall, an IpSec tunnel, which connects the same networks.
09:19 < havoc> if it moves IP traffic it shouldn't matter
09:20 < havoc> ...assuming there is no firewall rule(s) impeding IP traffic, and both routers/gateways support IP forwarding
09:21 < havoc> i.e. you can't just push the proper routes to your VPN clients, both routers must have proper routes as well
09:21 < havoc> so if your vpn clients can reach the first lan then the problem is routes on either or both gateways/routers, and not openvpn
09:25 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"]
09:27 -!- magic_1 [n=magic@41.121.41.8] has joined ##openvpn
09:49 -!- tomjones4000 [n=magic@196.214.3.250] has quit [No route to host]
10:04 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
10:10 -!- lysip [n=lysip@208.85.2.66] has joined ##openvpn
10:11 < wedjat> havoc: in fact, when i try to ping the LAN2 from my Roadwarriors, i see the ICMP data coming to the tun1 interface of the first router (roadwarriors) but it doesn't go to the tun3 interface (site-to-site)
10:11 < wedjat> ip forwarding is enabled
10:13 -!- lysip [n=lysip@208.85.2.66] has quit [Client Quit]
10:13 < havoc> sounds like a missing route to lan2 on the lan1 gateway
10:14 < wedjat> but the lan1 firewall is able to ping lan2
10:19 < havoc> can it ping hosts on lan2?
10:20 < havoc> nto that that is conclusive anyway
10:22 < wedjat> <havoc> can it ping hosts on lan2? >> yes, the lan1 firewall can do that directly with the tun3 interface
10:22 < havoc> and lan1 hosts can ping lan2 hosts?
10:23 < havoc> if so then the problem likely *is* the routes ovpn pushes to vpn clients
10:25 < wedjat> <havoc> and lan1 hosts can ping lan2 hosts? >> well, difficult to say. Today, there is still an IPSec tunnel between LAN1 and LAN2. I don't really know if they can communicate each other through the OVPN tunnel
10:26 < havoc> vpn clients are also on lan1?
10:28 < wedjat> <havoc> the routes ovpn pushes to vpn clients >> i've added a "push route LAN2netaddress netmask" to the server side of the roadwarriors config. As a client, i then have routes to LAN1 and LAN2. They have the same "special" OVPN gateway
10:28 < wedjat> <havoc> vpn clients are also on lan1? >> vpn roadwarriors have access to lan1, yes
10:32 < havoc> are they in the same subnet, i.e. bridging?
10:32 < wedjat> no
10:32 < havoc> ok
10:34 < havoc> so you're pushing routes for every subnet, including the vpn subnet, with the vpn IP as gateway for each route?
10:35 -!- lt83850 [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has left ##openvpn []
10:36 < wedjat> i used "push route" for the roadwarriors. On the Lan2 firewall, i used "route roadwarriors_subnet netmask". that's all
10:36 < havoc> wedjat: http://pastebin.com/dab3325f
10:38 < wedjat> oh...i didn't know that the "push route" could take four arguments. is it the same for the "route" command ? Maybe it's indicated in the manual
10:38 < havoc> again, understanding "routing" helps :)
10:38 < havoc> anyway, you're probably missing the gateway, but since I haven't seen a config I can't know
10:39 < havoc> the metric is optional, but can come in handy
10:41 < havoc> e.g. I've pushed the same routes from both ends of a connected network, but with different metrics to prioritize access in case a client was connected to both ends at once
10:43 -!- Zarion [n=as@174.124.169.152] has joined ##openvpn
10:44 < Zarion> !route
10:44 < vpnHelper> Zarion: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:53 < wedjat> havoc: the "push route" doesn't work for site-to-site right ? only for roadwarriors pki configurations ?
10:53 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
10:53 -!- hyper_ch [n=hyper@73-44.3-85.cust.bluewin.ch] has quit [Read error: 104 (Connection reset by peer)]
10:53 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 54 (Connection reset by peer)]
10:54 < havoc> openvpn can only push routes to vpn clients
10:55 < havoc> otherwise I'm not sure that I understand the question
10:56 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
11:01 < Winkie> havoc: we eventually abandoned the plan thanks to OSX also being a pain in the ass :)
11:01 < Winkie> havoc: thanks anyway
11:02 < wedjat> havoc: yes, i wanted to be sure, thanks. In your example, what is exactly 10.185.169.1 ?
11:03 < Zarion> I have openvpn setup, but am trying to get the other machines on my LAN to use the VPN, any idea how to go about doing this?
11:04 -!- jmm [n=jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Read error: 113 (No route to host)]
11:05 < havoc> Winkie: ok, np :)
11:05 < havoc> wedjat: 10.185.169.1 is the IP of the vpn server
11:06 < havoc> ...the IP vpn clients see on the other side
11:09 < wedjat> virtual OpenVPN address ?
11:22 -!- FlaPer87_0_ [n=FlaPer87@95.237.114.36] has joined ##openvpn
11:23 < reiffert> anyone having a rapidshare account and could get me 150MB in 3 files?
11:27 < ecrist> reiffert: what do you need?
11:31 < havoc> wedjat: yes, in the server.conf
11:31 -!- dauergast [n=sag@g227130156.adsl.alicedsl.de] has joined ##openvpn
11:33 < wedjat> havoc: very weird. Now i have an icmp echo reply coming from LAN2 firewall, on tun0 interface of a Roadwarrior client, but it doesn't display the answer to ping in the command output.
11:34 -!- FlaPer87 [n=FlaPer87@unaffiliated/flaper87] has quit [Read error: 110 (Connection timed out)]
11:46 -!- jeremy9174 [i=d041afc5@gateway/web/freenode/x-jroclmeawbhyziek] has joined ##openvpn
11:49 < jeremy9174> Hello
11:49 < jeremy9174> !howto
11:49 < vpnHelper> jeremy9174: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:50 < jeremy9174> Can anyone tell me how to get openVPN working on my Pre? i installed it through preware, and i beleive i have to enter some commands now? not sure
11:53 -!- hyper_ch [n=hyper@84.226.234.60] has joined ##openvpn
11:54 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
11:54 < jeremy9174> Can anyone tell me how to get openVPN working on my Pre? i installed it through preware, and i beleive i have to enter some commands now? not sure what to do.
11:55 < reiffert> Pre what?
11:59  * dazo guesses Palm Pre
11:59 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)]
12:00 < reiffert> jeremy9174: are you familiar with openvpn?
12:04 -!- FlaPer87_0_ [n=FlaPer87@95.237.114.36] has quit [Read error: 113 (No route to host)]
12:05 < jeremy9174> hey sorry stepped away from my computer
12:05 < jeremy9174> not very familiar, no
12:05 < jeremy9174> does it only connect to open vpn or does it work with others, like cisco
12:07 < Zarion> anyone know how to get OpenVPN to let the whole lan on the vpn subnet?
12:09 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
12:10 < Bushmills> !route
12:10 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:11 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Client Quit]
12:14 < Zarion> Isn't a openvpn connect supposed to work for all computers on the lan?
12:15 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)]
12:16 < Bushmills> no
12:16 < Bushmills> it is supposed to work between client and server
12:17 < Zarion> I've been trying all day to get my other computer to get a IP from the vpn, but it just won't work
12:17 < Zarion> I guess run two copy's of open vpn would work
12:18 < Bushmills> if the other computers aren't vpn clients, you wouldn't want to give them ip addresses from the range of your openvpn net
12:19 < Zarion> That would let them in the vpn though
12:19 < Zarion> I tried routing, but the linux bpox won't re-route over to the vpn
12:20 < Bushmills> why not?
12:20 < Zarion> I don't know why.
12:21 < Zarion> route add 50.0.0.0 mask 255.255.255.0 192.168.1.250
12:21 < Bushmills> so how do you know that your linux box won't route it?
12:21 < Zarion> I tried that, but that won't work
12:21 < Zarion> I've tried pinging a vpn ip, from the windows box, and it won't go through, but on the linux box it'll work just fine
12:22 < Zarion> Must be some silly routing thing I'm missing
12:22 < ecrist> Zarion: do you own the 50/24 network?
12:22 < ecrist> seems an odd range to route
12:22 < Zarion> No I'm just a client on it
12:22 < ecrist> ah
12:22 < Bushmills> seems there are two possibilites:  a: you did something wrong, b: the operating systems are broken, by refusing otherwise correct routing statements.
12:23 < Zarion> Well on the linux side, the routing works fine, but it don't seem to want to reroute any of the 50.0.0.0
12:24 < reiffert> jeremy9174: openvpn is openvpn only.
12:24 -!- jeremy9174 [i=d041afc5@gateway/web/freenode/x-jroclmeawbhyziek] has quit ["Page closed"]
12:24 < reiffert> hehe.
12:29 < Zarion> interesting masks Freenode has
12:29 -!- dazo is now known as dazo_afk
12:30 < wedjat> thank you very much havoc for your time ! :D
12:30 < wedjat> thank you thank you !
12:30 -!- wedjat [n=wedjat@unaffiliated/wedjat] has left ##openvpn []
12:30 < reiffert> Zarion: pay and you get one IIRC.
12:30 < Zarion> Pay who?
12:30 < reiffert> freenode.
12:31 < Zarion> your kidding right?
12:36 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
12:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:38 -!- flo|va-nu-pied_ [i=c16d7718@gateway/web/freenode/x-xtiwmfajpowlkqho] has joined ##openvpn
12:38 < flo|va-nu-pied_> Hi all
12:39 -!- Zarion [n=as@174.124.169.152] has left ##openvpn []
12:39 < flo|va-nu-pied_> Looking for some assistance to set up my VPN clients using a local DHCP server instead of the one provided by openvpn
12:40 < flo|va-nu-pied_> i'm currently able to connect to VPN server using a client which IP is assigned by openvpn
12:40 < flo|va-nu-pied_> them from the client again a dhclient tap0 get an IP from my local DHCP server
12:41 < flo|va-nu-pied_> how can I ask the server to stop sending DHCP reply and how can I tell cclients to ask for a dynamic IP direct on logon ?
12:43 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
12:43 < Bushmills> specify server to query with dhclient
12:43 -!- hyper_ch [n=hyper@84.226.234.60] has left ##openvpn ["Konversation terminated!"]
12:44 < flo|va-nu-pied_> sorry but how can I do that Bushmills  ? which directive do I have to use
12:44 < Bushmills> man dhclient tells you about -s
12:44 < Bushmills> man man tells you about man
12:44 < flo|va-nu-pied_> hum ok  Bushmills i'll see it
12:45 < flo|va-nu-pied_> for the moment I can't really figure out how things are exactlly qworkin :)
12:45 < Bushmills> why don't you disable dhclient on vpn altogether and use vpn server assigned ip addresses instead?
12:46 < flo|va-nu-pied_> 'cause I wan't my DHCP server to dynamically update my DNS server
12:47 < Bushmills> can be solved with static ip addresses on vpn net
12:47 < flo|va-nu-pied_> using ccd directory you mean ?
12:47 < Bushmills> that's a method.
12:48 < flo|va-nu-pied_> can't use this one for a large range of cliens
12:49 < flo|va-nu-pied_> what i don't understand is how to disable DHCP server on openvpn ?
12:50 < Bushmills> by telling dhcp client to not query it
12:51 < flo|va-nu-pied_> ok using the dhclient -s as you mentionned previously
12:52 < flo|va-nu-pied_> but that mean that any clietn need to do a manual dhclient -s $DHCP_SERVER
12:53 < flo|va-nu-pied_> how can I automate the fact that when a client connect to my VPN it must ask a specifif server ?
12:53 < Bushmills> it is just a command line parameter - can be scripted, no need to do that manually
12:53 < flo|va-nu-pied_> hum i've seen a thing like that learned-smthg
12:55 -!- novelli [n=novelli@151.60.88.224] has joined ##openvpn
12:56 < flo|va-nu-pied_> learn-address in man openvpn seems to be what you're talkin about right ?
13:04 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [SendQ exceeded]
13:04 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
13:09 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
13:09 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
13:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
13:32 -!- Steve973 [n=Steve@169.130.18.10] has joined ##openvpn
13:33 < Steve973> !howto
13:33 < vpnHelper> Steve973: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:41 -!- Diffen [n=diffen@c-3672e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
13:41 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
13:59 -!- buntfalke_ is now known as buntfalke
14:08 -!- FlaPer87_0_ [n=FlaPer87@95.237.114.36] has joined ##openvpn
14:14 -!- novelli [n=novelli@151.60.88.224] has left ##openvpn []
14:18 < flo|va-nu-pied_> Bushmills: sorry but after reading I still can't figure out how it works ?
14:18 < flo|va-nu-pied_> do I have to fix client's configuration or server's configuration ?
14:21 < FlaPer87_0_> is it possible to add script-security to the configs instead of passing it to the command?
14:26 -!- dauergast [n=sag@g227130156.adsl.alicedsl.de] has quit ["alle, die glauben, dass telekinese wirklich funktioniert heben bitte meine hand!"]
14:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:48 -!- moonspa [n=moonspa@icm218137-orange.orange.sk] has joined ##openvpn
14:48 -!- Diffen [n=diffen@c-3672e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit ["This computer has gone to sleep"]
14:51 -!- moonspa [n=moonspa@icm218137-orange.orange.sk] has left ##openvpn []
14:51 -!- moonspa [n=moonspa@icm218137-orange.orange.sk] has joined ##openvpn
14:56 -!- Steve973 [n=Steve@169.130.18.10] has quit ["Leaving"]
15:10 -!- moonspa [n=moonspa@icm218137-orange.orange.sk] has quit [Read error: 60 (Operation timed out)]
15:29 -!- FlaPer87_0_ [n=FlaPer87@95.237.114.36] has quit [Client Quit]
15:29 -!- flo|va-nu-pied_ [i=c16d7718@gateway/web/freenode/x-xtiwmfajpowlkqho] has quit ["Page closed"]
15:40 < havoc> I think I'll be doing my first ever win32 server install of ovpn
15:41 < havoc> have new remote win2k8 web server
15:41 < havoc> gonna put ovpn on it for more secure RDP access
15:43 < reiffert> I preferr putting openvpn on the lans gateway..
15:44 < havoc> this is gonna be a standalone box in a colo
15:45 < havoc> so not really an option
15:45 < havoc> supposedly 2k8 rdp is more secure, but I'd rather rely on ovpn w/ tls
15:45 < reiffert> putting openvpn on the linux/bsd host where the windows maschine is a virtual guest then .. maybe? ;)
15:46 < havoc> nah, no virtualization
15:46 < havoc> I suppose we could MSDN it (hyper-v), but we're trying to stay legal here
15:46 < havoc> ...and within budget
15:47 < havoc> I'd imagine I just install it and use the same configs (w/ diff iface/dev lines) I'd use anywhere else
15:47 < havoc> even build the server and tls and dh keys on a linux box if I want
15:48 < havoc> not that it matters
15:48 < havoc> does the windows build include easyrsa, I never looked?
15:48 < reiffert> virtualization and linux/bsd is free.
15:49 < reiffert> windows installation comes with easy rsa
15:49 < havoc> duh, run window on linux
15:49 < havoc> yeah, not thinking
15:49 < havoc> ah, cool (easyrsa)
15:49 < reiffert> it's great .. live migration, snapshots and such?
15:50 < havoc> eh, since I am the IT dept, I don't think I'll be doing virt
15:51 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
15:52 < havoc> little time as it is
15:53 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
15:57 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has joined ##openvpn
16:06 < havoc> will also facilitate remote backups
16:06 < havoc> I could make it a client of our existing vpn infrastructure, but I think this is more secure, and more likely to be up
16:09 < reiffert> jup.
16:11 < havoc> this machine could actually handle virtualization though
16:11 < havoc> it's new :)
16:12 < havoc> 1U supermicro, dual 2.66GHz CPUs, 8GB RAM
16:13 < havoc> but I need it out the door to go to the colo most likely tomorrow
16:13 < havoc> and someone else is most likely to manage it, and would have fits just *hearing* that there's linux on it
16:14 < havoc> especially if there's no need
16:15 < havoc> I'm internal IT, my clients are morons ;)
16:19 -!- barefoot [n=magic@41.121.41.8] has joined ##openvpn
16:20 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Nick collision from services.]
16:20 -!- barefoot is now known as magic_1
16:21 -!- barefoot [n=magic@41.121.41.8] has joined ##openvpn
16:21 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Nick collision from services.]
16:22 -!- barefoot is now known as magic_1
16:23 < havoc> I wonder if it's worth it to allow multiple cert uses in this case?
16:26 < reiffert> there's just one client which is your company and the usual admin backdoor.
16:27 < havoc> yeah, but may be two of us connected at a time
16:27 < reiffert> o?
16:27 < havoc> and a few of us that may need access, although seldomly
16:27 < reiffert> so?
16:27 < havoc> so I'm thinking of just having one set of client keys we share
16:27 < havoc> and allowing multiple uses of those keys
16:28 < reiffert> I'd create a permanent link for running offsite backups.
16:29 < havoc> yeah, that'll be a seperate key
16:30 < havoc> what I do is add a client iface at the office gw/vpn box and MASQ it
16:30 < havoc> i.e. one way connections
16:31 < havoc> already a billion ifaces and shorewall zones there anyway, what's one more? :)
16:32 < reiffert> jup
16:41 < havoc> well, gonna find out how well 2.1.1 works on win2k8
16:41 < reiffert> it works on linux and OS X :)
16:43 -!- yrashk [n=yrashk@S010600179a2767ab.vc.shawcable.net] has joined ##openvpn
16:43 < yrashk> Hi! Is there any way to let client use connection to route all traffic to, without pushing this from the server?
16:44 < yrashk> !howto
16:44 < vpnHelper> yrashk: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:45 < reiffert> yrashk: yeah, put redirect-gateway def1 into your client conf.
16:45 < reiffert> !redirect
16:45 < vpnHelper> reiffert: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
16:47 < yrashk> !def1
16:47 < vpnHelper> yrashk: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
16:47 -!- kyrix [n=ashley@80-121-59-39.adsl.highway.telekom.at] has joined ##openvpn
16:54 -!- lt83850 [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has joined ##openvpn
17:04 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit [Read error: 60 (Operation timed out)]
17:04 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn
17:24 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has quit []
17:29 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 54 (Connection reset by peer)]
18:04 -!- kidem [n=jmartina@207-255-244-013-dhcp.wrn.pa.atlanticbb.net] has joined ##openvpn
18:06 < kidem> has openvpn been ported to work with windows 7 64 bit and Checkpoint r65 vpn?
18:08 -!- g-ram [n=gsaathof@cpe-74-74-156-140.rochester.res.rr.com] has joined ##openvpn
18:09 < g-ram> hey all
18:10 < g-ram> question for anyone who might be out there
18:10 < reiffert> kidem:
18:10 < reiffert> !notovpn
18:10 < vpnHelper> reiffert: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
18:10 < g-ram> i just added another network interface that I don't want to interact with openvpn at all, and now I can't connect to vpn
18:10 < reiffert> damn, wrong answer.
18:10 < reiffert> !factoids search --values cisco
18:10 < vpnHelper> reiffert: No keys matched that query.
18:10 < g-ram> server's giving me a log message showing a tls handshare error
18:10 < reiffert> damn, wheres that cisco stuff?
18:10 < reiffert> kidem: openvpn works with openvpn and does not with anything else.
18:11 < g-ram> might be a coincidence but openvpn's been very stable for the last couple years and it just happened to go down immediately after adding that additional interface (which also happens to be eth0)
18:11 < g-ram> any ideas?
18:15 -!- kidem [n=jmartina@207-255-244-013-dhcp.wrn.pa.atlanticbb.net] has quit [Read error: 104 (Connection reset by peer)]
18:15 < g-ram> I'm also getting the following 2 messages in syslog
18:15 < g-ram> Jan  5 19:16:41 sed-server ovpn-server[7084]: 74.74.156.140:41684 Local Options hash (VER=V4): 'a2e63101'
18:15 < g-ram> Jan  5 19:16:41 sed-server ovpn-server[7084]: 74.74.156.140:41684 Expected Remote Options hash (VER=V4): '272f1b58'
18:15 -!- kidem [n=jmartina@207-255-244-013-dhcp.wrn.pa.atlanticbb.net] has joined ##openvpn
18:18 -!- kidem [n=jmartina@207-255-244-013-dhcp.wrn.pa.atlanticbb.net] has quit [Read error: 54 (Connection reset by peer)]
18:21 -!- kyrix [n=ashley@80-121-59-39.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
18:33 < g-ram> ok, I think I figured out part of the problem
18:33 < g-ram> openvpn is binding to the wrong ip on the server
18:37 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
18:43 < g-ram> fixed
18:43 < g-ram> thanks guys :p
18:43 < g-ram> anybody awake in here?
18:46 < reiffert> no.
18:57 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
18:57 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit ["Leaving"]
18:57 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
18:58 < theDoc> hi all o/
18:59 < Kas> :-)
19:08 -!- lt83850 [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has quit []
19:37 -!- fixUp [n=fixUp@89.242.96.208] has joined ##openvpn
19:38 < fixUp> Has anyone had any trouble with openvpn and packet shaping ?
19:39 < fixUp> I'm running a samba link which until recently was working with no problems at all, config has not changed on either client or server
19:39 < g-ram> fixUp: what kind of trouble are you having?
19:39 < g-ram> oh ok
19:39 < g-ram> did you change anything in samba? on your firewall? on the server?
19:39 < fixUp> g-ram: The reason I suspect packet shaping is that for small transfers it works fine, if I try and upload large files it chokes
19:40 < g-ram> what are you using for packet shaping?
19:40 < g-ram> iptables / tc?
19:40 < fixUp> g-ram: no, I suspect my ISP has started
19:40 < g-ram> ooh
19:40 < g-ram> it could well be your ISP
19:40 < g-ram> which ISP?
19:41 < g-ram> US based?
19:41 < fixUp> g-ram: no, UK based TalkTalk
19:41 < g-ram> sorry, no experience with them
19:41 < g-ram> but I would contact your ISP and ask
19:41 < g-ram> if you have a business connection they have no excuse for shaping your traffic
19:41 < g-ram> if you're using a residential connection . . . well
19:42 < fixUp> g-ram: what about in the US do any providers there specificly target openvpn ports ?
19:42 < g-ram> they might have a decent argument
19:42 < g-ram> well
19:42 < g-ram> large amounts of encrypted udp traffic would send up red flags
19:42 < g-ram> might be mistaken for encrypted torrent traffic
19:43 < Rienzilha> can it be a MTU issue?
19:44 < Rienzilha> like, is 'small transfer' < 1.5kB per request\/
19:44 < Rienzilha> ?
19:45 < fixUp> Rienzilha: no, its more to do with sustained throughput
19:45 < Rienzilha> does throughput outside of the vpn work fine?
19:45 < fixUp> reiffert: can transfer a couple of megs or so and then it graduallys slows down and stalls
19:46 < Rienzilha> mmmh
19:46 < Rienzilha> some isp's throttle all connections
19:46 < fixUp> Rienzilha: you mean another service like ssh ?
19:46 < Rienzilha> no I mean transferring data from somewhere else (not over openvon)
19:46 < Rienzilha> openvpn*
19:47 < fixUp> I had an scp transfer do the same, but it was shortly after I tried the openvpn transfer
19:48 < Rienzilha> i'd recommend calling your isp, especially if it happens out of your vpn as well
19:50 < fixUp> Rienzilha: I think I will, the thing that seems strange is that it isnt just capped at 10 kb/s or whatever it just dies and comes up with a file copy error in windows, is there a setting I can change in openvpn perhaps to make it more robust ?
19:52 < Rienzilha> well if the transport under openvpn fails, openvpn will fail as well
19:54 < theDoc> Oh snap :)
20:01 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
20:04 -!- Yurik [n=yrashk@174-143-148-222.static.cloud-ips.com] has joined ##openvpn
20:07 -!- yrashk [n=yrashk@S010600179a2767ab.vc.shawcable.net] has quit [Read error: 110 (Connection timed out)]
20:12 -!- yrashk [n=yrashk@S010600179a2767ab.vc.shawcable.net] has joined ##openvpn
20:25 -!- fixUp [n=fixUp@89.242.96.208] has quit ["Lost terminal"]
20:30 -!- Yurik [n=yrashk@174-143-148-222.static.cloud-ips.com] has quit [Read error: 110 (Connection timed out)]
20:40 -!- tjz [n=tjz@unaffiliated/tjz] has joined ##openvpn
21:09 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
21:33 < ecrist> fuckers
21:48 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
21:49 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
22:02 < g-ram> ecrist: ?
22:31 -!- g-ram [n=gsaathof@cpe-74-74-156-140.rochester.res.rr.com] has quit [Client Quit]
22:31 -!- g-ram [n=gsaathof@cpe-74-74-156-140.rochester.res.rr.com] has joined ##openvpn
22:35 -!- g-ram [n=gsaathof@cpe-74-74-156-140.rochester.res.rr.com] has quit [Client Quit]
23:04 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 104 (Connection reset by peer)]
23:04 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
23:15 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
23:27 -!- Snypa [n=John@c-65-34-160-25.hsd1.fl.comcast.net] has joined ##openvpn
23:27 < Snypa> !howto
23:27 < vpnHelper> Snypa: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
23:29 < Snypa> hello
23:29 < Snypa> I'm in need of assistance can anyone help with my OpenVPN Issue?
23:30 < Snypa> !interface
23:30 < vpnHelper> Snypa: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
23:31 < Snypa> !route
23:31 < vpnHelper> Snypa: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
23:32 < Snypa> !configs
23:32 < vpnHelper> Snypa: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
23:42 -!- Snypa [n=John@c-65-34-160-25.hsd1.fl.comcast.net] has quit ["—I-n-v-i-s-i-o-n— 3.1.1 (June '09)"]
--- Day changed Wed Jan 06 2010
00:09 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
00:31 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
00:51 -!- kyrix [n=ashley@80-121-4-219.adsl.highway.telekom.at] has joined ##openvpn
00:52 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
00:53 -!- yrashk [n=yrashk@S010600179a2767ab.vc.shawcable.net] has quit [Remote closed the connection]
01:10 -!- hyper_ch [n=hyper@8-10.3-85.cust.bluewin.ch] has joined ##openvpn
01:17 -!- kyrix [n=ashley@80-121-4-219.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
01:32 -!- platoali [n=platoali@91.99.2.81] has joined ##openvpn
01:32 -!- platoali [n=platoali@91.99.2.81] has quit [Remote closed the connection]
01:33 -!- platoali [n=platoali@91.99.2.81] has joined ##openvpn
01:35 < platoali> Hi, I've an openvpn server and a few windows client. The problem is I can't install any software on them. Is there anyway to connect these PCs to server?
01:37 -!- Leila [i=d9dae562@gateway/web/freenode/x-gcnrmabgtwwjaxwd] has joined ##openvpn
01:41 -!- cpg [n=amahi@c-24-4-39-26.hsd1.ca.comcast.net] has joined ##openvpn
01:41 < hyper_ch> why should the server be able to install software on the clients?
01:45 < platoali> hyper_ch:  installing software is not possible for us. We have openvpn server but our clients cant install software on their system
01:45 < platoali> hyper_ch: I'm also looking for a solution that is more secure than pptp.
01:47 < platoali> hyper_ch: is there any way to make windows client connect to the openvpn server without any additional softwares?
01:50 < hyper_ch> you could slipstream openvpn into a windows isntaller cd then it would not require additional software anymore
01:51 < platoali> hyper_ch: acctually I don't have any control on my clients. they are located on different places
01:52 < platoali> hyper_ch: and we can tel them to install openvpn on their windows
01:52 < hyper_ch> well, if people want to use email, they'll have to install an email client
01:52 < hyper_ch> if people want to watch dvd they need to install the proper codecs
01:52 < hyper_ch> if people want to use vpn they also need according software
01:53 < platoali> I know. so the answere is No. another question, can openvpn work with pptp?
01:55 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
01:56 < platoali> hyper_ch: Thank you very much
01:57 < hyper_ch> no clue... don't even know what pptp is
02:02 < ecrist> platoali: OpenVPN, if not pre-installed, requires admin privs.
02:05 < platoali> ecrist: thank you. Is there any built in solution to connect windows clients to servers without any additional software? except pptp?
02:05 < ecrist> nope
02:05 < ecrist> none
02:06 < platoali> ecrist: thank you again
02:06 < ecrist> np
02:10 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [SendQ exceeded]
02:11 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
02:17 -!- jmm [n=jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
02:27 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
02:30 < theDoc> !routebyapp
02:30 < vpnHelper> theDoc: "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
02:38 < ecrist> g'night
02:42 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
03:00 -!- toehio2 [i=3e0a418a@gateway/web/freenode/x-ixyhkbapgefivedo] has joined ##openvpn
03:06 -!- master_o1_master [n=master_o@p57B53C44.dip.t-dialin.net] has joined ##openvpn
03:18 -!- master_of_master [i=master_o@p57B571BE.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
03:19 -!- platoali [n=platoali@91.99.2.81] has quit [Remote closed the connection]
03:21 -!- Diffen [n=diffen@c-3672e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
03:25 -!- wedjat [n=wedjat@unaffiliated/wedjat] has joined ##openvpn
03:42 -!- dazo_afk is now known as dazo
03:47 -!- toehio2 [i=3e0a418a@gateway/web/freenode/x-ixyhkbapgefivedo] has quit ["Page closed"]
03:51 < reiffert> anyone remember Samuli's Nickname?
03:52 < mattock> I do, he's me :)
03:52 < mattock> I added it to my email signature a few moments back
03:52 < mattock> shoot
03:53 < reiffert> Ah, there it is, the signature :)
03:53 < mattock> great!
03:54 < mattock> let's see how much twitter spam I start receiving...
03:54 < reiffert> mattock: your proposal sounds good to me, a wiki sounds great in the first place. My 2nd thought was: Why change the community site at all and the 3rd one is: What about getting a trac which solves so many things alltogether?
03:54 < jmm> twitter spam, ew. that innovation.
03:55 < mattock> reiffert, we don't yet have a community site (I guess? :) and the web pages are terribly hard to update
03:55 < mattock> and Trac or similar is definitely an option
03:56 < reiffert> mattock: for those who didnt find it yet, the community site is at: http://openvpn.net/index.php/open-source.html
03:56 < vpnHelper> Title: Community Software Overview (at openvpn.net)
03:56 < reiffert> :)
03:57 < mattock> personally I don't like the look of Trac sites, but that's just my opinion... they look too much alike
03:57 < reiffert> mattock: Well, this can be changes with the help of a CSS guy.
03:57 < mattock> although Trac itself is a really nice application, I've used it a lot
03:57 < reiffert> changed
03:57 < mattock> yes, that's one good option
03:58 < mattock> everything's still open for discussion
03:59 < mattock> we may have to vote unless there's a clear winner
03:59 < mattock> :)
04:00 < reiffert> Do you think if the devel team is ready to switch their work to trac (or similar)?
04:01 < mattock> I'm not sure, first we need to free up some resources from Access server development
04:01 < mattock> that's the key
04:01 < reiffert> Just like I thought.
04:01 < mattock> software such as trac does not solve anything by itself, unfortunately ;)
04:02 < mattock> it's work in progress... going strong so far
04:02 < reiffert> So in principle James et al. stick to payware and you are looking out for a sane way to hand openvpn to others/free developers.
04:04 < mattock> not exactly, but along those lines... first separate the goals of OpenVPN and OpenVPN Access Server clearly. This allows more open OpenVPN (OSS) development without hurting Access server. Simultaneously free some of James' time to the OpenVPN (OSS) project. And reorganize the development model around OpenVPN so that it's (much) more community-oriented. Delegation of responsibility and all that
04:06 < reiffert> How far did the first step grow allready?
04:07 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
04:09 < mattock> I created a very rough outline of the goals (or mission statement) of Access server, but I need to discuss it with others. I also also drafted a mission statement for OpenVPN. However, getting approval from James for the change of development model is the key.
04:10 < mattock> I think it's going to happen, but I need to emphasize that we need to get it right from the start (from community management perspective)
04:10 < mattock> to James I mean
04:12 -!- hyper_ch [n=hyper@8-10.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
04:12 -!- hyper_ch [n=hyper@8-10.3-85.cust.bluewin.ch] has joined ##openvpn
04:15 -!- yrashk [n=yrashk@S010600179a2767ab.vc.shawcable.net] has joined ##openvpn
04:16 < reiffert> mattock: Sounds good to me, let's do it :)
04:16 -!- Sky[x] [n=SkyB0x@88.200.89.23] has joined ##openvpn
04:17 < mattock> reiffert: I'm just writing an email to James (and Francis) about this issue. James has been very positive toward the changes to project organisation, but I have not received any definitive answers yet.
04:17 < mattock> pretty much everything is in order, we just need approval (and resources) from James
04:39 -!- yrashk [n=yrashk@S010600179a2767ab.vc.shawcable.net] has quit [Remote closed the connection]
04:39 -!- Yurik [n=yrashk@S010600179a2767ab.vc.shawcable.net] has joined ##openvpn
04:44 -!- keerthi [n=keerthi@nat2.maa.collab.net] has joined ##openvpn
04:44 < keerthi> Hi
04:46 -!- Yurik [n=yrashk@S010600179a2767ab.vc.shawcable.net] has quit [Read error: 104 (Connection reset by peer)]
04:46 -!- yrashk [n=yrashk@S010600179a2767ab.vc.shawcable.net] has joined ##openvpn
04:46 < keerthi> can anyone help me of my vpn issue
04:46 < keerthi> I could not able to ssh after I connect VPN and also ping
04:47 < dazo> keerthi:  surely someone here will respond .... if you ask the question .... we're not so good with jeopardy games here ;-)
04:47 < keerthi> have setup a vpn server (used 2.1.1 version) using tun
04:48 < keerthi> from the server I am able to ssh.. etc.. to the local network
04:48 < keerthi> but from the client.. I am not able to do ssh
04:48 < Leila> how can connect to vpn server in linux from windows without install app programs in windos??
04:49 < dazo> keerthi:  sounds like either the routing is not setup, that IP forwarding is not enabled or that you have a firewall blocking the traffic
04:49 < keerthi> is enabled
04:50 < keerthi> /proc/sys/net/ipv4/ip_forward is 1
04:50 < keerthi> I did not set any iptables
04:50 < dazo> Leila:  you need to install the openvpn client, together with configuration files and most probably some key files ... might be that OpenVPN AS got some tricks which does what you want, but we don't support that here
04:51 < keerthi> iptables was stopped
04:51 < dazo> keerthi:  have you tried to use tcpdump on the ovpn server?  To see where the traffic goes and if it goes back?
04:51 < keerthi> for which device
04:51 < dazo> that's usually the quickest way to pin-point where the trouble is
04:51 < Leila> dazo:  no. i don't have allow to install programs in my clients
04:51 < keerthi> tun0
04:51 < keerthi> or eth0
04:51 < Leila> i have to use pptp client on my server
04:51 < keerthi> yes it going
04:51 < dazo> keerthi:  both the eth for the internal network and the tun0
04:52 < keerthi> I tried before the setup was working
04:52 < dazo> Leila:  pptp is not openvpn
04:52 < keerthi> but box got rebooted its not working
04:52 < Leila> yes.
04:52 < dazo> Leila:  if you're enforced to use pptp ... you must use apps which supports that protocol .... openvpn uses it's own protocol
04:53 < Leila> how?
04:53 -!- yrashk [n=yrashk@S010600179a2767ab.vc.shawcable.net] has quit [Remote closed the connection]
04:54 < Leila> dazo:  how do it?
04:54 < dazo> Leila:  how?  you need to use openvpn on the client against an openvpn server .... and pptp against pptp based servers .... if you control the openvpn server, you can probably install and setup a pptp server .... but I have no idea how to do that ... google is your friend then
04:55 < Leila> but i don't have 2 server
04:55 < dazo> keerthi:  if it did work before the reboot .... something definitely changed .... probably some init scripts
04:55 < dazo> Leila:  then you're out of luck
04:55 < dazo> Leila:  anyhow ... openvpn and pptp server *software* may run on the same box
04:56 < Leila> dazo:  ok tnx a lot.
04:56 < keerthi> from that box I could able to access ssh all the box
04:57 < dazo> keerthi:  from the openvpn server?
04:57 < keerthi> I mean from vpn box I could able to access all the box
04:57 < dazo> keerthi:  lets start from scratch again .... you have   <vpn client>------<vpn server>-----<internal network>
04:58 < keerthi> If i set the push I cannot able to ping my LAN box
04:58 < keerthi> yes
04:58 < dazo> keerthi:  could you pastbin configs?
04:58 < dazo> !configs
04:58 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
04:58 < dazo> !pastebin
04:58 < vpnHelper> dazo: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
04:59 < keerthi> Redhat 5.3
04:59 < keerthi> kernel 2.6.18-164.9.1.el5
04:59 < keerthi> OpenVPN 2.1.1
05:01 < dazo> keerthi:  PASTEBIN!!!!
05:01 < dazo> man you choke my irc by what you're doing now!
05:04 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:05 < keerthi> oops so sorry
05:06 < dazo> I'm *still* receiving your conifg
05:07 < keerthi> ok
05:07 < dazo> keerthi:  it's too many comments in your config .... please read !config carefully .... esp. the "grep" command .... and pastebin it ... it's easier to understand what's happening ... client config will also be nice to have
05:08 < keerthi> ok I will paste what ever I enabled
05:10 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:11 < |Mike|> keerthi: you could use the grep -Ve ... command
05:11 < Leila> dazo:  no without install programs in windows
05:17 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
05:21 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 104 (Connection reset by peer)]
05:21 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:22 -!- magic_1 [n=magic@41.121.41.8] has joined ##openvpn
05:34 < Leila> dazo: ?
05:35 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
05:36 < havoc> morning
05:44 -!- Sky[x] [n=SkyB0x@88.200.89.23] has quit []
05:46 -!- Sky[x] [n=SkyB0x@88.200.89.23] has joined ##openvpn
05:57 -!- Sky[x] [n=SkyB0x@88.200.89.23] has quit []
05:57 -!- keerthi [n=keerthi@nat2.maa.collab.net] has quit ["leaving"]
06:00 -!- cpg [n=amahi@c-24-4-39-26.hsd1.ca.comcast.net] has quit []
06:04 -!- Leila [i=d9dae562@gateway/web/freenode/x-gcnrmabgtwwjaxwd] has quit [Ping timeout: 180 seconds]
06:05 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
06:05 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
06:05 -!- Leila_ [i=d9dae562@gateway/web/freenode/x-srlkciqqflmzefeu] has joined ##openvpn
06:19 < dazo> Leila_:  I don't follow you now .... if you cannot install any apps on your Windows box, you're forced to use PPTP which is native in Windows.  In this case, you'll need to install a pptp service on your Linux box .... if you can't do that either .... you're basically lost
06:20 < dazo> Leila_:  there are no way around this .... openvpn requires that software on server and on client .... PPTP requires PPTP software on server and client ... there's no other ways around this
06:22 -!- Leila [i=d9dae562@gateway/web/freenode/x-lszuoeqpwdlospyi] has joined ##openvpn
06:23 < Leila> dazo: ?
06:23 < dazo> Leila:  I don't follow you now .... if you cannot install any apps on your Windows box, you're forced to use PPTP which is native in Windows.  In this case, you'll need to install a pptp service on your Linux box .... if you can't do that either .... you're basically lost
06:23 < dazo> Leila:  there are no way around this .... openvpn requires that software on server and on client .... PPTP requires PPTP software on server and client ... there's no other ways around this
06:23 < Leila> how do it?
06:24 -!- Leila_ [i=d9dae562@gateway/web/freenode/x-srlkciqqflmzefeu] has quit [Ping timeout: 180 seconds]
06:24 < dazo> Leila:  how to do what?  Do you read what I'm writing here?
06:24 < Leila> ye
06:25 < Leila> i have to install pptp client on my server?
06:25 < Leila> or pptp server?
06:25 < dazo> pptp server
06:25 < reiffert> Leila: openvpn works with openvpn.
06:25 < reiffert> Leila: pptp will not work with openvpn.
06:25 < Leila> ye
06:25 < dazo> Leila:  I am by no means familiar with pptp .... here on this channel we only talk about openvpn .... openvpn is not pptp
06:25 < reiffert> Leila: openvpn will not work with pptp
06:26 < Leila> i installed openvpn client gui
06:26 < reiffert> Leila: good. Now follow the official oepnvpn howto.
06:26 < dazo> !howto
06:26 < vpnHelper> dazo: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:26 < Leila> and i onnected to openvpn server
06:26 < Leila> but my clients dont allow to install it
06:27 < reiffert> Leila: well, then you'll have to take something else.
06:27 < Leila> they have to connect to cpnserver in linux via win connections
06:28 < Leila> what do you i?
06:29 < dazo> Leila:  if you cannot install openvpn on both server AND client ... you can forget about OpenVPN
06:29 < Leila> no fg
06:30 -!- ribasushi_ [n=rabbit@dslb-084-063-042-037.pools.arcor-ip.net] has joined ##openvpn
06:31 -!- ribasushi [n=rabbit@dslb-084-063-048-214.pools.arcor-ip.net] has quit [Read error: 60 (Operation timed out)]
06:37 -!- ribasushi_ is now known as ribasushi
06:39 -!- Leila [i=d9dae562@gateway/web/freenode/x-lszuoeqpwdlospyi] has left ##openvpn []
06:39 < |Mike|> wtf is up with this:
06:39 < |Mike|> LANDEN="nederland duitsland belgie frankrijk" for land in $LANDEN; do echo "Ik ben nu in ${land}"; done
06:39 < |Mike|> o crap, its dutch lol
06:41 -!- Gilos [n=Gilos@kccsfw01.sec.sprint.net] has quit [Read error: 110 (Connection timed out)]
06:45 -!- flo|va-nu-pied [n=florent@85.69.202.243] has joined ##openvpn
06:46 < dazo> |Mike|:  you're missing a semicolon in that line
06:52 < mithridates> !mac
06:52 < vpnHelper> mithridates: "mac" is Use Tunnelblick for the Mac. (http://code.google.com/p/tunnelblick/)
06:53 < |Mike|> dazo: oh dear, tnx :)
07:02 < ecrist> good morning
07:04 < havoc> morning
07:06 -!- rob0 [n=rob0@tuxaloosa.org] has joined ##openvpn
07:42 -!- dunc [n=dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
07:48 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 60 (Operation timed out)]
07:52 -!- Rzewus [n=Rzewus@153.19.140.234] has quit [Read error: 60 (Operation timed out)]
08:01 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
08:25 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined ##openvpn
08:30 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:37 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has quit ["Leaving"]
08:40 -!- krphop [n=krphop@38.108.177.113] has joined ##openvpn
08:45 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"]
08:47 -!- krphop [n=krphop@38.108.177.113] has quit [Remote closed the connection]
08:50 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn
08:52 -!- Rzewus [n=Rzewus@153.19.140.234] has joined ##openvpn
08:54 -!- ecrist changed the topic of ##openvpn to: Forum with OpenVPN Technologies staff on Monday, Jan 11 at 1900UTC | OpenVPN 2.1.1 most current. | Type !welcome before asking your questions.
08:54 < ecrist> !welcome
08:54 < vpnHelper> ecrist: Error: "welcome" is not a valid command.
08:54 < ecrist> !learn welcome as We need !goal !logs and !configs and maybe !interface to help  you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30  !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:54 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
08:55 < ecrist> !learn welcome as We need !goal !logs and !configs and maybe !interface to help  you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30  !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:55 < vpnHelper> ecrist: Joo got it.
08:56 < havoc> damn bots ;)
08:57 -!- Irssi: ##openvpn: Total of 94 nicks [0 ops, 0 halfops, 0 voices, 94 normal]
08:57 < rob0> What about the Tuesday meeting for development? Same bat time, same bat channel.
08:58 < ecrist> it was unclear to me as to whether there were going to be two meetings or he was confused.
08:58 < ecrist> doh, I should read the email subject
08:58 < ecrist> now it's clear
08:59 < rob0> Looked like two to me. The Tuesday one was only posted to openvpn-devel.
08:59 -!- ecrist changed the topic of ##openvpn to: OpenVPN Community Forum Monday, Jan 11 at 1900UTC | OpenVPN Development Forum Tuesday, Jan 12 at 1900UTC | OpenVPN 2.1.1 most current. | Type !welcome before asking your questions.
09:02 -!- ecrist changed the topic of ##openvpn to: OpenVPN Community Forum Monday, Jan 11 at 1900UTC (moderated) | OpenVPN Development Forum Tuesday, Jan 12 at 1900UTC (moderated) | To apply for +v for forums, email openvpn@secure-computing.net with registered nickname | OpenVPN 2.1.1 most current. | Type !welcome before asking your questions.
09:04 < krzee> ive been moving around timezones too much
09:06 < krzee> ok cool ill be in -4 on mon/tues
09:07 -!- lt83850c [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has joined ##openvpn
09:07 < rob0> My shell with IRC is in UTC, so I am usually well aware of UTC time, sometimes I know that better than my local time. :)
09:07 < ecrist> I get annoyed with UTC.  I prefer GMT
09:07 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
09:08 < krzee> now im in -6, ill be in -8 late jan, then +10 til mid march
09:08 < theDoc> hey all, o/
09:08 -!- lt83850c [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has quit [Client Quit]
09:08 < ecrist> hey, theDoc 
09:08 < rob0> +10, wow, a globetrotter!
09:09 < dazo> krzee:  are you running away from someone?
09:09 < krzee> lol
09:09 < krzee> no
09:09 < theDoc> ergh, viscosity is crapping up again.
09:09 < theDoc> Seems like the latest version doesn't like or is able to import config files.
09:09 < krzee> i live in the caribbean, am visiting costa rica right now, headed back to cali to visit friends and family, then out to australia
09:10 < ecrist> I'm confused
09:10 < ecrist> nm
09:10  * ecrist shuts up
09:11 < rob0> Just so long as you keep your openvpn tunnel going from wherever you might be, all is well :)
09:11 < krzee> heheh howd ya know ;]
09:11 -!- Irssi: ##openvpn: Total of 95 nicks [0 ops, 0 halfops, 0 voices, 95 normal]
09:13 < theDoc> Any of you are on openvpn + mac?
09:14 < mithridates> theDoc: yes
09:14 < mithridates> theDoc: I have just installed a client on mac
09:14 < krzee> yup me too
09:14 < krzee> mac is my primary os
09:15 < mithridates> that's working fine
09:15 < theDoc> krzee> What do you use? Viscosity?
09:15 < krzee> a clickable shell script
09:15 < ecrist> theDoc: I use a mac as well
09:15 < krzee> which i leave in my stacks
09:15 < ecrist> Tunnelblick
09:15 < ecrist> !mac
09:15 < krzee> it starts all the openvpn's i want
09:15 < vpnHelper> ecrist: "mac" is Use Tunnelblick for the Mac. (http://code.google.com/p/tunnelblick/)
09:15 < mithridates> theDoc:  Tunnelblick
09:15 < theDoc> Hm, tunnelblick?
09:15 < mithridates> yes
09:15 < theDoc> For some reason, my viscosity client is broken
09:15 < theDoc> That or it doesn't like my config files from as.
09:15 < krzee> to make a shell script clickable in osx just name it with .command extention
09:16 < theDoc> I have to investigate this, I have a license for it ;p
09:16 < ecrist> theDoc: I don't know that viscosity can connect to AS
09:16 < krzee> back when i tried tunnelblick is just wanted to crash nonstop
09:17 < theDoc> ecrist> Yep, it can.
09:17 < theDoc> However, something has changed with 10.5
09:17 < ecrist> krzee: it's been stable for me for ~3 years
09:17 < theDoc> I used it with 10.6
09:17 < theDoc> I'm going to investigate and figure out exactly why the hell it refuses to import my connections now
09:17 < krzee> but honestly i dont get why a gui is needed for openvpn on osx, my shell script does just fine for me
09:17 < ecrist> I've run it on 10.4, 10.5 and 10.6
09:17 < krzee> hrm i believe i was trying on 10.4 and it had no love
09:17 < theDoc> krzee> Are you on 10.5 or 6?
09:18 < ecrist> krzee: it allows for easy selection of which vpn to start/stop in my case.  I have different vpns I connect to depending on what I'm doing.
09:18 < krzee> 10.5 on laptop, 10.6 on desktop
09:18 < krzee> my shell script does as well, but i guess the gui is more of a realistic solution for that
09:19 < reiffert> uh oh, krzee has made a shell script
09:19  * reiffert runs
09:19 < krzee> hahahah
09:19 < reiffert> :)
09:20 < krzee> hey man ive made a lot of useful shell scripts, some even accepted by communities (ie: google: krzee iodine dns )
09:20 < krzee> !google krzee iodine dns
09:20 < vpnHelper> krzee: TipsAndTricks – iodine: <http://dev.kryo.se/iodine/wiki/TipsAndTricks>; iodine: <http://dev.kryo.se/iodine/>; NStun.sh - DoesHosting.com - Nobody Does Hosting Better: <http://www.doeshosting.com/code/NStun.sh>
09:21 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit ["Leaving"]
09:21 < krzee> :-p
09:22 -!- yrashk [n=yrashk@S010600179a2767ab.vc.shawcable.net] has joined ##openvpn
09:22 < krzee> and that 3000+ line beast made me a hero at work ;]  they wanted something to do that for a long time but never saw it as possible
09:22 < ecrist> *cough* ssl-admin
09:22 < krzee> oh god i fubar'ed that one right up
09:22 < krzee> =[
09:22 < theDoc> krzee> Do you happen to own doeshosting? ;)
09:23 < krzee> that was totally not a job for bash
09:23 < krzee> yes theDoc but its not a company anymore, i closed it like 3 yrs ago
09:23 < theDoc> ah, slow business?
09:24 < krzee> nah i left america and didnt want responsibility to customers
09:24 < krzee> so i closed all my businesses
09:24 < theDoc> Bummer.
09:24 < krzee> *shrug* i enjoy it
09:24 -!- yrashk [n=yrashk@S010600179a2767ab.vc.shawcable.net] has left ##openvpn []
09:25 < theDoc> This is very odd.
09:25 < theDoc> I need to get a viscosity developer.
09:25 < theDoc> There's no real reason why their new software version breaks imports of AS config files on 10.5
09:25 < theDoc> I got it working on 10.6
09:26 < krzee> even when i still accept side work that comes my way (instead of passing it on) i let the people know that if their side lags and i cant do things on my timeline (usually i grind away and finish fast then disappear) then they may need to wait for me to resurface again
09:26 < krzee> if only they knew they could always find me here, lol
09:26 < ecrist> I know where to find you, sucka
09:27 < krzee> lol
09:27 < krzee> to an extent that is true
09:27 < krzee> but we're friends =]
09:27 < reiffert> ecrist: I dont think irc newbies will understand what it means to register at a nickserv.
09:27 < ecrist> indeed
09:28 < krzee> !google register freenode nickserv
09:28 < ecrist> reiffert: irc newbies won't need +v  :)
09:28 < vpnHelper> krzee: freenode: frequently-asked questions: <http://freenode.net/faq.shtml>; How to Register a User Name on Freenode: 12 steps - wikiHow: <http://www.wikihow.com/Register-a-User-Name-on-Freenode>; NickServ Is Your Friend « staffblog: <http://blog.freenode.net/2007/03/nickserv-is-your-friend/>
09:28 < reiffert> Have "/msg ecrist I want voice" at the topic
09:28 < ecrist> will set that during time of forum
09:28 < reiffert> ecrist: what about all those james and other irc dontusers?
09:28 -!- Rzewus [n=Rzewus@153.19.140.234] has quit ["leaving"]
09:29 < dazo> they have 5 days to discover it
09:29 < ecrist> info the openvpn folks I can get with a host mask
09:29 < ecrist> s/info //
09:29 < reiffert> ecrist: is your nick capable of receiving messages from non registered users?
09:30 < ecrist> reiffert: you don't need to send an email, we'll make sure you get +v
09:30 < ecrist> yes
09:30 < reiffert> 'k
09:30 < krzee> hey should the doc i write next be chaining vpns or a !redirect writeup?
09:30 < theDoc> krzee> Chaining, it'll be fun.
09:30 < ecrist> redirect
09:30 < ecrist> it's the most asked question in here
09:30 < reiffert> both
09:30 < dazo> krzee:  chaining would be fun ... but redirect is more a relevant topic, both here and on ML
09:31 < krzee> hrm ya dazo and ecrist  i guess you're right
09:31 < dazo> \o/
09:31 < krzee> but chaining would be more fun theDoc ;]
09:31 < krzee> oki its time for me to go be useful, be back in like 15 hrs, lol
09:31 < reiffert> what is chaining at all?
09:32 < reiffert> route deployment, like routing protocols?
09:32 < reiffert> multiple nat, what are we talking abou?
09:32 < krzee> hooking vpn's to eachother in a manner that you talk to the first and you can tunnel from 1 to another to another to another as many as you want, choosing which machine to pop out of on the fly
09:32 < theDoc> krzee> Chains are utterly fun ;)
09:32 < krzee> its actually how i learned enough to write the !route doc
09:33 < theDoc> !route
09:33 < vpnHelper> theDoc: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:33 -!- dauergast [n=sag@g227138123.adsl.alicedsl.de] has joined ##openvpn
09:33 < reiffert> krzee: so client->server1->server2->server3?
09:33 < krzee> after teaching myself how to chain them (which had nothing written about it) i decided a decent routing doc for ovpn needed to be written
09:33 < krzee> client - server - client - server - client - server
09:33 < reiffert> krzee: what if server2 pops out?
09:33 < krzee> each client machine connects to 2 servers
09:33 < reiffert> ah
09:34 < reiffert> let's have a routing protocol?
09:34 < krzee> *shrug* machines i use rarely go down
09:34 < krzee> and i wanted it routed like that
09:34 < reiffert> krzee: vpnHelper goes down quite often.
09:34 < krzee> ironic isnt it? ;)
09:34 < ecrist> LOL
09:34 < reiffert> :)
09:35 < reiffert> afk
09:35 < krzee> anyways i need to go prove i was the right dude to bring to costa rica
09:35 < havoc> mmm, routing
09:35 < krzee> bbl
09:35 < havoc> I learned most of what I know about routing from the Shorewall author, not all, but most
09:35 < havoc> the guy's a networking genius
09:36 < rob0> Drink all the likka down in Costa Rica
09:37 < rob0> ain't nobody's business but yo' own ...
09:46 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
09:52 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
09:54 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit [Read error: 60 (Operation timed out)]
10:01 -!- Steve973 [n=Steve@169.130.18.10] has joined ##openvpn
10:02 < Steve973> hello.  If I want to give vpn clients access to another network accessible to the server, is it necessary to have a POSTROUTING MASQUERADE rule in iptables?
10:03 < Steve973> I have a push route in the server config
10:05 -!- jmm [n=jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Read error: 60 (Operation timed out)]
10:05 < ecrist> likely
10:06 < ecrist> either the other network needs to know how to route the packets, or they need to be natted
10:07 < Steve973> ok, thanks
10:07 < Steve973> that is the piece I'm likely missing
10:07 < rob0> NAT is ugly and can/should be avoided in most if not all RFC 1918 networks. Just learn how to route it.
10:08 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
10:08  * ecrist agrees
10:08 < Steve973> i haven't done that before.  do you have any documentation to which you might point me, please?
10:09 < havoc> !route
10:09 < vpnHelper> havoc: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:18 < Steve973> ok, I don't have lans behind clients, so shouldn't the push "route 192.168.1.0 255.255.255.0" be sufficient?  The 192.168.1.0/24 lan is behind the openvpn server.
10:19 < dazo> Steve973:  sounds correct
10:20 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
10:20 < Steve973> i'll post what I assume is the relevant sections of my openvpn config and my iptables config.  Maybe I'm missing something obvious...
10:22 < Steve973> http://pastebin.com/m2a2c6c30
10:22 < Steve973> let me know if i can provide any more config info
10:23 < Steve973> openvpn is working (can ping the ovpn server) but i just can't get to machines on the lan behind ovpn
10:23 < Steve973> by the way, I also tried -I instead of -A and the result was the same for me
10:24 < Steve973> pinging something on the 192.168.1.x network yielded a response from the openvpn server that the destination is unreachable
10:25 < Steve973> ip forwarding is set to 1, also
10:31 < rob0> The LAN machines are using the openvpn server as their gateway?
10:34 < Steve973> nah, don't need them to be a gateway.  just need them to be able to access them...  SSH for example
10:35 < Steve973> i think i misread your quesiton
10:37 < Steve973> yes, the 192.168.1.x lan is sitting behind the openvpn server, which is their gateway
10:39 -!- hyper_ch [n=hyper@8-10.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
10:40 -!- nneul [n=nneul@infinity.srv.mst.edu] has joined ##openvpn
10:44 < rob0> Okay, I just looked at the paste; if you only want related/established connections from VPN hosts, that is what you should expect. VPN clients [probably] can't initiate connections to LAN hosts, according to the snippet you pasted. Neither can they connect to the VPN server. Why did you want a VPN? So the server and LAN hosts could reach the clients?
10:46 -!- nneul [n=nneul@infinity.srv.mst.edu] has quit ["Leaving"]
10:46 < Steve973> we want a vpn so that we can access the lan machines directly after authenticating.  The machines on this lan cannot face the internet directly
10:46 -!- erpel_ [n=erpel@f050092131.adsl.alicedsl.de] has joined ##openvpn
10:47 < Steve973> the clients need to be able to reach the lan machines directly.
10:48 < ecrist> sounds simple enough
10:48 < rob0> You didn't allow that in the rules you pasted, so I'm guessing that a later rule or policy blocks that.
10:48 < Steve973> any idea what I'm doing wrong?  I'm following the docs, and I'm definitely reading them as opposed to skimming them
10:48 < Steve973> the iptables INPUT commands that the faq mentions won't work either
10:49 < Steve973> yeah, rob0, or that
10:50 -!- nneul [n=nneul@infinity.srv.mst.edu] has joined ##openvpn
10:50 < nneul> !welcome
10:50 < vpnHelper> nneul: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:50 -!- Gilos [n=Gilos@kccsfw01.sec.sprint.net] has joined ##openvpn
10:53 < ecrist> nneul: you get a gold star for reading /topic
10:54  * rob0 was thinking the same thing :)
10:54 < dunc> :)
10:55 < rob0> Does the bot have a web page listing all factoids?
10:55 < rob0> if not, I think it would be a good idea
10:55 < nneul> unfortunately, I have a mtg I have to run to, I do have a question about stability/keepalives problem I've seen (and sent a note to devel list about). will ask once i get back from mtg.
10:55 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 60 (Operation timed out)]
11:09 < ecrist> rob0: not at this time
11:09 < ecrist> at some point, if I'm not too busy, I"m in process of writing a new bot
11:09 < ecrist> such interfaces will be possible with the new bot
11:10 < ecrist> although, the current bot does keep all those factoids in sqlite db, so I could just write an interface...
11:10 < ecrist> I'll consider it after I'm done writing the  nagios plugin
11:21 < rob0> There's a similar bot in #postfix, nick is knoba, owner is Signum, if you're interested in how he did it.
11:23 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
11:28 < ecrist> did it with supybot, which is what vpnHelper is
11:30 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
11:33 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
11:39 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit ["I am off"]
11:39 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
11:47 -!- hyper_ch [n=hyper@84.226.234.60] has joined ##openvpn
11:55 < ecrist> reiffert: folks on the mailing list don't like the idea of moderated forum
11:56 -!- Irssi: ##openvpn: Total of 98 nicks [0 ops, 0 halfops, 0 voices, 98 normal]
11:58 < havoc> they can deal
11:59 < havoc> they don't have to babysit or fight spam
12:03 -!- magic_1 [n=magic@41.121.41.8] has quit [Remote closed the connection]
12:04 -!- magic_1 [n=magic@41.121.41.8] has joined ##openvpn
12:06 < ecrist> http://sourceforge.net/mailarchive/forum.php?thread_name=1262799221.18178.2%40mofo&forum_name=openvpn-devel
12:06 < vpnHelper> Title: SourceForge.net: OpenVPN: openvpn-devel (at sourceforge.net)
12:10 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
12:10 < Kas> ecrist: I agree with these guys. What is your opinion on that?
12:11 < ecrist> I'm formulating a response now.
12:12 -!- dunc [n=dunc@fenchurch.ipv6.braddon.org.uk] has quit ["Leaving"]
12:12 < rob0> I'd suggest play it by ear. Give out +v's in advance, but only silence the channel if it seems too hectic.
12:14 < ecrist> I'm open to ideas.
12:14 < ecrist> I just know that this channel has, in the past, gotten pretty nasty. :)
12:14 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [SendQ exceeded]
12:15 < ecrist> +v in advance and +m if needed works for me.
12:15 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
12:15 < ecrist> we've waited a considerable time to get openvpn devs involved with the community and I'd like it to go smooth.
12:16 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)]
12:16 < havoc> this channel hasn't seemed all that bad, but I'm sure I've just missed the nastiness
12:16 -!- wedjat [n=wedjat@unaffiliated/wedjat] has left ##openvpn []
12:19 -!- Steve973 [n=Steve@169.130.18.10] has quit [Read error: 110 (Connection timed out)]
12:22 -!- ecrist changed the topic of ##openvpn to: OpenVPN Community Forum Monday, Jan 11 1900UTC | OpenVPNn Development Forum Tuesday, Jan 12 1900UTC | OpenVPN 2.1.1 most current. | Type !welcome before asking your questions.
12:22 < ecrist> we'll roll with preemptive +v and play it by ear.
12:22 < ecrist> Kas: does that suit you folks?
12:23 < Kas> Looks good to me :-)
12:24 < ecrist> whoever was asking for it, I'll look at making factoids DB available on a web page
12:24 < ecrist> link will be on http://secure-computing.net/openvpn.php
12:24 < vpnHelper> Title: SCN: ##openvpn Policy (at secure-computing.net)
12:32 < dazo> ecrist:  I'n on the way out ... even though I do see your worries, I'd say we should probably try to keep it really open this time and see how that goes. I'm sure you know some quick ways to gain control if something really goes bad, and then introduce your initial idea
12:32 < nneul> question I had on openvpn stability/keepalives - ran into an issue recently with UDP based bridging setup - openvpn currently has no way to detect unidirectional link
12:32 -!- dwalluck [n=david@adsl-75-27-144-92.dsl.wlfrct.sbcglobal.net] has joined ##openvpn
12:33 < nneul> I had thrown a note together to devel list about a ping+response patch I put together, but ran into implementation issues with how outbound packet gets queued
12:33 < dwalluck> Trying to use openvpn from windows, I get an OpenSSL error about AES-256-CBC cipher missing. I am not sure if I have the right build of openssl, maybe missing strong crypto?
12:33 < nneul> Never heard anything back on devel list, was hoping to get some feedback/thoughts on the best way to address it.
12:34 < havoc> ecrist: put the link in vpnHelper's /whois info?
12:36 < ecrist> havoc: will look into it
12:36 < ecrist>  /msg chanserv info ##openvpn has some links, though
12:36  * dauergast ist jetzt AWAY |grund: auto-AWAY nach 180 min idle-zeit|
12:36 -!- dauergast is now known as dauergast|wech
12:38 -!- dazo is now known as dazo_afk
12:49 < nneul> dwalluck: have you tried issuing "openvpn --show-ciphers" on command line to see the list of available ciphers - that will tell you if you have a limited openssl.
12:49 -!- hyper__ch [n=hyper@adsl-89-217-25-187.adslplus.ch] has joined ##openvpn
12:49 -!- hyper_ch [n=hyper@84.226.234.60] has quit [Nick collision from services.]
12:49 -!- hyper__ch is now known as hyper_ch
12:56 < dwalluck> nneul: actually that cipher is listed there :/
12:57 < nneul> well, that's just odd...
12:57 < nneul> what happens if you issue "openssl ciphers" - is it in that list as well?
12:57 -!- corretico__ [n=laguilar@201.201.46.106] has joined ##openvpn
12:58 < ecrist> dwalluck: logs? 
12:58 < ecrist> !logs
12:58 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
12:58 -!- Irssi: ##openvpn: Total of 97 nicks [0 ops, 0 halfops, 0 voices, 97 normal]
13:00 < nneul> ecrist: any suggestion as to who might be able to help with some internal openvpn code questions?
13:03 < ecrist> nneul: as of this time, we aren't directly associated with OpenVPN staff.  there are some staff members here, and we're working on getting some developers in here, though.
13:03 < ecrist> I would suggest the devel mailing list
13:03 < nneul> yeah, unfortunately, got no reply there at all...
13:04 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
13:04 < ecrist> I would suggest just asking your questions here, and see if you get a response.
13:05 < nneul> Well, the basic problem I'm seeing is that openvpn can't detect a unidirectional link - I tried adding code to do a request/reply ping keepalive, which mostly works,
13:05 < nneul> however, there is an issue with how packets are generated/output in the main event loop in the openvpn code.
13:05 < nneul> It "looks" like it's queuing a packet for output, but the problem is that the code appears to be written to allow queueing only ONE packet.
13:06 < nneul> Any other attempt just stomps over the first one. With a timing driven packet generation (ping/pong), this occurs pretty frequently.
13:07 < nneul> I thought of a few approaches to possibly address it, but wanted to see if I'm just interpreting things wrong, or if this really is a flaw in how the main event loop/packet send/recv is implemented.
13:12 < ribasushi> is there some sort of bug-tracker or something?
13:12 < ribasushi> I have sent messages to openvpn-user and openvpn-devel
13:12 < ribasushi> filed a debian bug
13:12 < ribasushi> not a single response so far
13:13 < ribasushi> (I know it's the holidays but still)
13:14 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Connection timed out]
13:17 -!- corretico__ [n=laguilar@201.201.46.106] has quit [Connection timed out]
13:22 < ecrist> those are some of the issues that are to be discussed on monday and tuesday
13:28 -!- dauergast|wech [n=sag@g227138123.adsl.alicedsl.de] has quit ["Die häufigsten Männerlügen:- Aber natürlich liebe ich Dich!- Klar, die Alimente habe ich gestern überwiesen!- Nein, blas ruhi]
13:31 < ecrist> 218 factoids in the database.  I'm writing a php script to display it now.  not sure it'll get done today, though.
14:05 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
14:08 -!- pa [n=pa@unaffiliated/pa] has quit ["Sto andando via"]
14:09 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)]
14:23 -!- eliasp_ [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
14:33 -!- JackW [n=jack@95.16.21.75] has joined ##openvpn
14:34 < ecrist> havoc: was it you looking for factoids dump?
14:34 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Success]
14:36 < havoc> ecrist: nope
14:36  * ecrist scrolls up
14:37 < ecrist> rob0: I have the factoids dump available
14:37 < ecrist> http://www.secure-computing.net/factoids.php
14:37 < vpnHelper> Title: SCN: vpnHelper Factoids (at www.secure-computing.net)
14:37 < rob0> nice
14:37 < ecrist> I need to clean it up, but it gets the data out
14:39 < ecrist> there, now it wraps correctly
14:39 < ecrist> I will get rid of the nasty borders at some point and colorize the output
14:39 < ecrist> do we care 'who' added a given factoid?
14:40 < rob0> as admin you might, as user, ??
14:40 < ecrist> as admin, I'll just use sqlite from command line.
14:41 < rob0> It's not rendering right in links :(
14:42 < rob0> keys do not seem to be associated with the values
14:42 < rob0> but hey, it's a start
14:46 < ecrist> cleaned up coloring
14:46 < ecrist> will check it in lynx
14:47 < ecrist> rob0: not sure why output is so ugly in lynx.  keys *are* associated with facts, but the first factoid has no key
14:47 < ecrist> don't know how that happened.
14:47 -!- nneul [n=nneul@infinity.srv.mst.edu] has quit ["Leaving"]
14:47 -!- hyper_ch [n=hyper@adsl-89-217-25-187.adslplus.ch] has left ##openvpn ["Konversation terminated!"]
14:50 < ecrist> !factoids
14:50 < vpnHelper> ecrist: Error: "factoids" is not a valid command.
14:51 < ecrist> !learn factoids as A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
14:51 < vpnHelper> ecrist: Joo got it.
14:55 -!- eliasp [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has quit [Connection timed out]
14:56 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
14:56 < ecrist> rob0: unless you find a major bug, that web page isn't going to change any time soon. ;)
14:58 < rob0> I'll look it over when I get time, thanks
14:58 < rob0> got to get real world work done this afternoon
15:04 < bytesaber_> when i make or sign keys, it asks you quetsions like their company name, hostname, email addy, etc.
15:04 < bytesaber_> am I supposebly answer quetsions of their company or mine?
15:05 < ecrist> yours, really, for a vpn
15:05 < bytesaber_> ok
15:06 < bytesaber_> not sure what the questions intent is
15:06 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
15:06 < bytesaber_> if i'm making a key for another company, in order to invite them into my lan, sign everything with my companies info, and make up a common name to represent "them" ?
15:08 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
15:10 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:16 < ecrist> rob0: you're right, the keys/data don't seem to be matched up
15:16 < ecrist> will need to look into it
15:21 -!- magic_1 [n=magic@41.121.41.8] has quit []
15:22 < ecrist> silly SQL typo, got it fixed
15:27 -!- dauergast [n=sag@g227138123.adsl.alicedsl.de] has joined ##openvpn
15:27 -!- dauergast [n=sag@g227138123.adsl.alicedsl.de] has quit [Remote closed the connection]
15:28 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
15:28 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
15:35 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has joined ##openvpn
15:37 < pfo> is there an active openvpn server web interface project out there anyone cares sharing info about?
15:37 < pfo> doesn't have to be anything fancy
15:50 < cybertron> hm think only in combination wither wrt oder firewall projects
15:50 < cybertron> wither=with
15:50 < cybertron> oder=or ^^
16:05 -!- JackW [n=jack@95.16.21.75] has quit [Read error: 60 (Operation timed out)]
16:30 -!- JackW [n=jack@95.16.21.75] has joined ##openvpn
16:30 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has left ##openvpn []
16:32 -!- yrashk [n=yrashk@S010600179a2767ab.vc.shawcable.net] has joined ##openvpn
16:35 < yrashk> Hi, I have a somewhat strange problem with OpenVPN. I am running it on a (rackspace cloud's) Ubuntu 9.10 VPS to connect VPN clients to external IPs attached to that VPS. It works fine, however if I disconnect a client, then wait for up to 3 hours, connect this client, it is not reachable from the outside network (for example, ping does not work and no icmp requests received on tunX). However, if I stop OpenVPN, bring eth0:X up, ping th
16:35 < yrashk> again and connect VPN client, everything works fine — i.e. cient becomes reachable
16:35 < yrashk> I got it repeated this way 4 times in a row
16:36 < yrashk> Rackspace's support is blaming OpenVPN configuration I use. Is there any possible way to figure out why this above scenario is happening in my setup?
16:37 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
16:40 -!- ruied [n=ruied@bl8-61-251.dsl.telepac.pt] has joined ##openvpn
16:55 -!- JackW [n=jack@95.16.21.75] has quit [Read error: 113 (No route to host)]
17:00 -!- erpel_ [n=erpel@f050092131.adsl.alicedsl.de] has quit ["This computer has gone to sleep"]
17:07 -!- Nappy [n=nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
17:28 -!- eliasp_ [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
17:31 -!- hyper_ch [n=hyper@adsl-89-217-25-187.adslplus.ch] has joined ##openvpn
18:07 -!- Diffen [n=diffen@c-3672e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit ["This computer has gone to sleep"]
18:55 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
18:55 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
19:00 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)]
19:30 < krzie_> (these are for me)
19:30 < krzie_> !hmadc
19:30 < vpnHelper> krzie_: Error: "hmadc" is not a valid command.
19:30 < krzie_> !hmac
19:30 < vpnHelper> krzie_: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
19:30 < vpnHelper> krzie_: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
19:30 < krzie_> !mitm
19:30 < vpnHelper> krzie_: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
19:30 < krzie_> !route
19:30 < vpnHelper> krzie_: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
19:30 < krzie_> !tcp
19:30 < vpnHelper> krzie_: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
19:33 < krzie_> !sample
19:33 < vpnHelper> krzie_: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
19:34 -!- corretico__ [n=laguilar@201.201.46.106] has joined ##openvpn
19:35 < reiffert> ?
19:47 -!- ruied [n=ruied@bl8-61-251.dsl.telepac.pt] has left ##openvpn []
19:52 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)]
19:59 -!- tazdevil [n=tazmania@224.46.50.60.kmr04-home.tm.net.my] has joined ##openvpn
20:00 < tazdevil> Can I use openvpn to configure ipsec, pptp, and l2tp connection?
20:00 < tazdevil> I wanted to use openswan but came across openvpn
20:01 < tazdevil> are openswan and openvpn the same
20:03 -!- Kasx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
20:09 < theDoc> tazdevil> No.
20:10 < tazdevil> reading through the wikipedia.  also found strongswan but don't know which is the best to go with in implementing ipsec client within the router
20:21 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 110 (Connection timed out)]
20:21 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["This computer has gone to sleep"]
20:22 -!- theDoc [n=hex@119.73.165.162] has joined ##openvpn
20:36 < Kasx> tazdevil: What kind of router are you trying to setup ipsec on?
20:37 < tazdevil> Kasx: 3G or PPPoE wireless router
20:37 < Kasx> Linksys?
20:37 < tazdevil> no
20:37 < tazdevil> it's based on an old powerpc >10 years old
20:37 < Kasx> Ahh, I see.
20:38 < Kasx> What is your main purpose for setting up a VPN?
20:38 < tazdevil> corporate use over multi clients
20:38 < tazdevil> customer's request
20:38 < Kasx> How many users?
20:38 < tazdevil> nationwide
20:38 < tazdevil> across UK
20:39 < Kasx> What is the general OS platform that they will be using to connect to the VPN?
20:39 < tazdevil> did not have get much detail from them
20:39 < Kasx> What os are you running on the powerpc? Linux?
20:39 < tazdevil> for the time being, they just want to know if we can support vpn client, mainly ipsec, within the router
20:40 < tazdevil> yes, Linux 2.6
20:40 < Kasx> Well OpenVPN is different than ipsec (better IMO)
20:40 < Kasx> It should serve the same purpose as Ipsec though.
20:40 < tazdevil> is it compatible with ipsec?
20:41 < Kasx> Do they alreayd have an existing ipsec system?
20:41 < tazdevil> AFAIK, the customer has already had the systems (servers) setup somewhere in UK
20:41 < tazdevil> and it does only IPSec
20:41 < Kasx> Gotcha, than Openswan is probably your best bet.
20:42 < Kasx> Don;t have much experience with it though.
20:42 < tazdevil> i see.  I am also reading Strongswan
20:42 < tazdevil> What is OpenVPN mainly for, in general?
20:43 < tazdevil> I have installed OpenVPN, OpenSwan, pptp, xl2tp, ipsec on my fedora machine
20:43 < Kasx> It is just another VPN Platform. With excellent support :-)
20:44 < Kasx> OpenVPN is a true SSL VPN
20:46 < tazdevil> I tried to setup a node using OpenVPN on fedora and during the setup, I was asked for so many things.  Certificates and some questions that I do not have a clue
20:46 < tazdevil> OK, so in your opinion, I should stay away from OpenVPN
20:46 < tazdevil> and use OpenSwan or StrongSwan instead
20:48 < tazdevil> based on wikipedia, OpenVPN is not compatible with IPsec or any other VPN package
20:49 -!- lt83850c [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has joined ##openvpn
20:49 < Kasx> You are correct it isn't. You could get it to work with them if you needed. It does ask you a low of question initially, but it is very stable. I would reccomend giving it another shot actually.
20:49 < Kasx> *alot
20:50 < tazdevil> but the customer insists on using IPSec
20:50 < Kasx> You could run an ipsec server and an openvpn server. Just make sure the machine you have the openvpn server running on has a client connection to the ipsec server and push the routes from the ipsec server to the openvpn clients
20:50 < Kasx> Are they aware of the other solutions?
20:51 < tazdevil> I am not sure.  The IT guy from the company doesn't want to tell us much on their current system
20:52 < tazdevil> don't think they want to run another openvpn server, that's my observation
20:52 -!- lt83850c [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has quit [Client Quit]
20:54 < Kasx> Gotcha, well than go with ipsec if that what they want. It doesn;t sound like you have much of a choice :-)
20:55 < tazdevil> true... after all, I am only an engineer and customers are always right :)
20:55 < tazdevil> and the bosses are only interested to know if the whole thing can be done in less than 24 hours
20:55 < Kasx> lol, yep, sounds about right!
20:57 < tazdevil> Kasx: Thanks.  but during my free time, I will try OpenVPN at home.
20:57 < Kasx> Please do. Once you get it working, you will be hooked!!!
20:58 < tazdevil> haha
20:58 < Kasx> Ask the other 92 people in this channel. They will most likley agree. :-)
20:59 < tazdevil> I will ask in openswan and strongswan to see what they say about openvpn :-)
21:00 < theDoc> ovpn? Pretty darn awesome.
21:05 -!- Gnewt [n=hackerle@li57-94.members.linode.com] has joined ##openvpn
21:06 < Gnewt> I currently have a server-client config with a CA... in my configs is a directive "ifconfig 10.8.0.1 10.8.0.2"
21:06 < Gnewt> I'd like to add another client to the OpenVPN network
21:06 < Gnewt> with some different configuration to push
21:06 < Gnewt> What's the way to do this?
21:09 < tazdevil> hmm... why does openvpn channel has 2 x ## instead of a single #?
21:37 < krzie_> because its not official, thats how freenode denotes official channels vs non-official
21:37 -!- krzie_ is now known as krzie
21:38 < krzie> Gnewt:
21:38 < krzie> !ccd
21:38 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
21:38 < Gnewt> That's perfect.
21:38 < Gnewt> Thank you!
21:38 < krzie> np
21:40 < krzie> randomness, a guy i met IRL today asked if i knew anything about openvpn, his problem was related to getting lans behind openvpn to route
21:40 < krzie> LOL
21:40 < krzie> i couldnt stop from laughing out loud before helping him
21:41 < havoc> nice
21:41 < havoc> krzie: what is your connection to openvpn?
21:41 < krzie> i help people with it
21:41 < havoc> are you an author?
21:41 < krzie> hehe
21:41 < havoc> ah
21:41 < Gnewt> What about custom DNS names inside the VPN? Is there a config for that too?
21:41 < krzie> !pushdns
21:41 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit
21:42 < krzie> if in unix you need a script to deal with the pushed dns entry
21:42 < Gnewt> So I'd basically need to push DNS to my server and then make custom entries?
21:42 < krzie> in windows many report issues, those links can help if you have the issues
21:42 < krzie> well ya, lol
21:43 < Gnewt> So if I wanted serenity.vpn to resolve to one of my VPN clients would I just put that in the hosts file?
21:43 < Gnewt> er, no, I'd have to put that in my BIND wouldn't I?
21:43 < krzie> either would work
21:44 < krzie> its not a vpn question really
21:44 < Gnewt> Ah ok
21:44 < krzie> its a standard resolution question
21:44 < Gnewt> Thanks :)
21:44 < krzie> np
21:44 < Gnewt> I'll do some Googling
21:44 < havoc>  /etc/hosts works fine on the vpn/dns server depending on /etc/resolv.conf
21:45 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has quit []
21:45 -!- Matir [n=david@c-98-251-88-239.hsd1.ga.comcast.net] has joined ##openvpn
21:45 < Gnewt> But if my clients are querying 10.8.0.1 for DNS, it'd go straight to BIND right?
21:45 < havoc> Gnewt: not necessarily
21:46 < havoc> Gnewt: if 10.8.0.1 is the dns server, its hosts file can override bind, even locally installed bind, if resolv.conf says to
21:47 < Gnewt> Cool
21:48 < Gnewt> I'm sorry for continuing on a non-OpenVPN related topic, but where would I put hosts file precedence in resolv.conf?
21:48 < havoc> first/top?
21:48 < Gnewt> Sorry I shoulda phrased that better
21:49 < Gnewt> _how_ do I get my resolv.conf to choose my host file? Syntax wise.
21:49 < havoc> man resolv.conf ?
21:49 < havoc> I'd have to too, likely
21:50 < havoc> I'd just give you the answer if I had it, I just know where to look to find the info
21:51 < Gnewt> No problem, it's just that the resolv.conf manpage is unclear. I'll look around.
21:51 < Gnewt> It may just work :P
21:58 < havoc> ok, google now that you know what you're looking for?
22:00 < Gnewt> Yep
22:10 < rob0> um, that's /etc/nsswitch.conf that controls the precedence of hosts(5) over DNS.
22:11 -!- tjz [n=tjz@bb121-7-11-34.singnet.com.sg] has joined ##openvpn
22:12 < rob0> and named(8) itself never consults hosts, so it will only answer with real DNS data.
22:27 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
22:53 -!- Leila [i=d9dae562@gateway/web/freenode/x-unbarfnwtzfgxdtt] has joined ##openvpn
22:59 < ecrist> krzie: you around?
23:04 < krzee> yupyup
23:04 < krzee> just got back to the hotel
23:04 < krzee> thinking the hot tub sounds reeeeal nice
23:10 < krzee> whats up bro?
23:11 < ecrist> !factoids
23:11 < vpnHelper> ecrist: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
23:11 < ecrist> that's what's up
23:12 < ecrist> also, if you hadn't, note the channel topic
23:13 < krzee> OH HELL YES @ !factoids
23:13 < krzee> some arent complete
23:13 < krzee> !wintaphide
23:13 < vpnHelper> krzee: "wintaphide" is (#1) in regedit find HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318} then Look through each sub-key for one with a DriverDesc = TAP-Win32Adapter V8 . Set Characteristics = 0x89, or (#2) To show again, set it to 0x81
23:13 < ecrist> hope you don't mind, I've got a cron that pulls the db to my web server every 3 hours
23:13 < krzee> it only shows #2
23:13 < ecrist> yeah, there are bugs, but i'll work them out
23:13 < krzee> no i actually totally love it
23:14 < ecrist> also, http://secure-computing.net/openvpn.php
23:14 < vpnHelper> Title: SCN: ##openvpn Policy (at secure-computing.net)
23:14 < ecrist> I will work on smoothing out the layout, was just using some templates I had laying around
23:15 < ecrist> but, I'm off to bed.  see you tomorrow
23:15 < krzee> very nice stuff dude
23:15 < krzee> very very
23:15 < krzee> loving that dump, tried a shot at it myself awhile ago
23:15 < krzee> didnt work and i got lazy
23:17 < krzee> gnite
23:36 < theDoc> Bad bad bad headache.
23:36 < theDoc> Maybe it wasn't a wise idea to stay up all night last night playing with dynagen
23:38 -!- jaek_ [n=jaek@c-71-202-163-230.hsd1.ca.comcast.net] has joined ##openvpn
23:38 < jaek_> once logged in, i can ping the nsserver (192.168.1.1) but the nslookups are timing out
23:39 < jaek_> anyone know what i must have wrong?
23:44 < theDoc> !welcome
23:44 < vpnHelper> theDoc: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:46 < jaek_> !route
23:46 < vpnHelper> jaek_: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
23:54 < jaek_> not the right one... i'm not bridging networks
23:54 < jaek_> !howto
23:54 < vpnHelper> jaek_: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
23:58 < jaek_> the dns server gets pushed to the client, but the client cant do any lookups
23:59 < jaek_> even tho it can ping the dns server
--- Day changed Thu Jan 07 2010
00:01 < jaek_> will dns traffic not travel over vpn unless using redirect-gateway?
00:02 -!- Matir [n=david@c-98-251-88-239.hsd1.ga.comcast.net] has quit [Connection timed out]
00:02 -!- tazdevil [n=tazmania@224.46.50.60.kmr04-home.tm.net.my] has left ##openvpn ["Leaving"]
00:04 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
00:04 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["This computer has gone to sleep"]
00:27 -!- hyper_ch [n=hyper@adsl-89-217-25-187.adslplus.ch] has quit [Remote closed the connection]
00:50 -!- theDoc [n=hex@119.73.165.162] has joined ##openvpn
00:52 -!- Matir [n=david@c-98-251-88-239.hsd1.ga.comcast.net] has joined ##openvpn
01:07 -!- hyper_ch [n=hyper@54-59.1-85.cust.bluewin.ch] has joined ##openvpn
01:11 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["This computer has gone to sleep"]
01:15 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
01:31 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:45 -!- jaek_ [n=jaek@c-71-202-163-230.hsd1.ca.comcast.net] has quit [Read error: 110 (Connection timed out)]
01:45 -!- jaek_ [n=jaek@c-71-202-163-230.hsd1.ca.comcast.net] has joined ##openvpn
01:54 -!- kyrix [n=ashley@80-121-4-195.adsl.highway.telekom.at] has joined ##openvpn
02:01 -!- MrJK [n=jezu@194.199.166.96] has quit [Read error: 104 (Connection reset by peer)]
02:10 -!- dazo_afk is now known as dazo
02:15 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
02:26 < krzee> !dns
02:26 < vpnHelper> krzee: "dns" is Level3 open recursive DNS server at 4.2.2.1
02:27 < krzee> !learn dns as Google open recursive DNS server at 8.8.8.8
02:27 < vpnHelper> krzee: Joo got it.
02:27 < reiffert> :)
02:27 < krzee> sup reif
02:27 < krzee> you see !factoids ?
02:27 < reiffert> !factoids
02:27 < vpnHelper> reiffert: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
02:27 < krzee> ecrist made it
02:27 < krzee> it rocks
02:27 < reiffert> oh, thats nice!
02:28 < reiffert> is it uptodate all the time?
02:28 < reiffert> no, it's not.
02:28 < krzee> its not showing multiple entries per factoid yet, but hes still playing with it
02:28 < krzee> nah its updated by a cronjob
02:28 < reiffert> ah
02:30 < krzee> !learn rules as http://secure-computing.net/openvpn.php for the channel rules!
02:30 < vpnHelper> krzee: Joo got it.
02:31 < krzee> that page isnt done yet either
02:42 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
02:50 < krzee> from ircstats
02:50 < krzee> 3 Apr 2009 11:43	<mjt> oh well.
02:50 < krzee> 11:43	<mjt> ecrist: you called me a troll a while back. But now YOU are behaving like troll.
02:50 < krzee> 11:43	*** mjt was kicked by ecrist (ecrist)
02:50 < krzee> LOL
02:50 < krzee> thats classic
02:50 < reiffert> :)
02:51 < reiffert> !irclogs
02:51 < vpnHelper> reiffert: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days.
02:53 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:54 < krzee> The evil guard of ##openvpn was ecrist who got this reputation after kicking out 21 people.
02:54 < krzee> Example: 	23:55 < krzee> muncher or the anal?
02:54 < krzee> 00:00 -!- krzee was kicked from ##openvpn by ecrist [ecrist]
02:54 < krzee> hahahahah another classic
02:59 < reiffert> krzie DIDN'T REALISE HOW ANNOYING THIS WAS - 12 lines in CAPS!
02:59 < reiffert> Example: 22:20 < krzie> "NO SUPPORT FOR ACCESS SERVER"
02:59 < reiffert> :)
03:00 < krzee> weird it shows to me like this:
03:01 < krzee> krzie forgot to turn off the CAPS-lock, writing 112 lines in CAPS.
03:01 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Remote closed the connection]
03:01 < reiffert> THE BOTS ARE RIGHT ALL THE TIME!
03:02 < krzee> huh?
03:02 -!- master_o1_master [n=master_o@p57B53C44.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)]
03:03 < reiffert> if the bot says you didnt turn off CAPS, well then it's supposed to be right :)
03:03 < krzee> what bot?
03:03 < reiffert> the irclogs bot
03:04 < krzee> a crontabbed log analyzer counts as a bot?
03:05 < reiffert> cron calls itself a daemon..
03:06 -!- master_of_master [i=master_o@p57B55916.dip.t-dialin.net] has joined ##openvpn
03:07 < krzee> yes, it does =]
03:07 < jaek_> does compression help thruput?
03:08 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
03:08 < krzee> jaek_, depending on what os being transfered over the tunnel it can
03:08 < krzee> what is being*
03:08 < reiffert> jaek_: depends on what you pipe through.
03:08 < jaek_> i'm mostly transferring already compressed data (rar files mostly)
03:08 < krzee> then no
03:08 < jaek_> ah cool... wont bother with it then
03:09 < jaek_> man openvpn is totally changing my workflow
03:09 < reiffert> ?
03:09 < jaek_> all my machines now are clients... so i can client-to-client communicate with all of them
03:10 < jaek_> i used to use reverse ssh tunnels
03:10 < krzee> oh ya you're lovin ovpn
03:11 < krzee> heheh
03:11 < jaek_> server runs on my router
03:12 < reiffert> jaek_: so compromising one of your maschines grants access to your local network too?
03:13 < jaek_> yup... it kinda does
03:14 < jaek_> even running a client on my phone
03:14 < krzee> please tell me you arent using tap too
03:14 < jaek_> no, tun
03:14 < reiffert> using tap is so much fun...
03:14 < jaek_> is that what will let me route dns requests?
03:15 < jaek_> cus right now i couldnt get dns lookups to work
03:15 < krzee> nope
03:15 < reiffert> jaek_: tap is layer 3.
03:15 < krzee> umm
03:15 < krzee> no
03:15 < reiffert> I should get coffeee.
03:15 < krzee> heheh
03:15 < reiffert> it's layer 2.
03:15 < jaek_> how low level is dns?
03:16 < krzee> dns is layer 4 i guess
03:16 < reiffert> 5 i'd say
03:16 < jaek_> it just uses udp?
03:16 < krzee> maybe 5 dunno
03:16 < krzee> havnt paid attention to stuff besides 2 and 3 for awhile now as far as whats what
03:16 < krzee> standard dns queries just use udp, zone xfers use tcp
03:17 < krzee> maybe you want this:
03:17 < krzee> !pushdns
03:17 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit
03:17 < krzee> its time for me to crash out, gotta be at an office in like 5 hrs
03:17 < krzee> gnite
03:18 < jaek_> yeah i had that working, but the actual lookups from the client was timing out
03:18 < jaek_> even tho i could ping the DNS server
03:18 < krzee> !dns
03:18 < vpnHelper> krzee: "dns" is (#1) Level3 open recursive DNS server at 4.2.2.1, or (#2) Google open recursive DNS server at 8.8.8.8
03:18 < krzee> try one of those
03:19 < jaek_> well, the point was to use my router's dns server... it has all my hosts
03:19 -!- Diffen [n=diffen@226.234.241.83.in-addr.dgcsystems.net] has joined ##openvpn
03:20 < reiffert> start tcpdump and watch the dns queries getting to you and back.
03:20 < jaek_> question about scp performance from within the vpn
03:20 < jaek_> is it going to double encrypt the data?
03:20 < jaek_> and cause a substantial performance overhead?
03:21 < jaek_> i'll try the tcpdump in a few
03:34 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has joined ##openvpn
03:54 -!- buntfalke_ is now known as buntfalke
03:54 < buntfalke> Hi
03:55 < buntfalke> Does anyone know of a .deb-repository where the packages are built with the v6-patches?
03:56 < dazo> jaek_:  DNS uses UDP or TCP ... it's pure application layer
03:56 < dazo> DNS uses TCP for bigger transfers, like zone dumps
03:57 < dazo> or ... can use ... is the proper wording
03:58 < dazo> buntfalke:  I believe it's in the testing repo .... I know the maintainer sent some updates there around when 2.1.0 was released
03:58 < dazo> or was it called unstable .... I don't recall now
03:59 < buntfalke> dazo: Which "testing repo"?
03:59  * dazo digs up some old mails
03:59 < buntfalke> Are you referring to Debian Testing (aka Squeeze)?
04:00 < dazo> most probably ... I'm not a debian user .... but he added one of my patches into Debian as well, that's why I know a little bit
04:01 < buntfalke> dazo: is this the patch? http://patch-tracker.debian.org/patch/series/view/openvpn/2.1.0-1/jjo-ipv6-support.patch
04:01 < vpnHelper> Title: Patch information for openvpn (2.1.0-1) jjo-ipv6-support.patch (at patch-tracker.debian.org)
04:01 < dazo> "Debian Developers upload to unstable (Sid), ten days after that (if no
04:01 < dazo> serious bugs appear) the package migrates to testing (squeeze, right
04:01 < dazo> now) and from time to time (~2 years) testing becomes stable."
04:02 < dazo> ^^ that's the explanation I got
04:02 < dazo> buntfalke:  yeah, that looks like it
04:02 < buntfalke> Then it doesn't quite do the trick for me. Are we talking about the same thing? I am lookig for IPv6-over-the-Tun, not IPv6-to-the-server
04:03 < buntfalke> I'm still getting Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:1: {ifconfig,route}-ipv6 even though this patch is in debian
04:03 < dazo> buntfalke:  aha ... I'm not sure I've ever seen any IPv6-over-tun .... but you can use tap device managing that now
04:04 < buntfalke> Well, if it was my server, yes ;-) University only provides v6-over-tun
04:04 < buntfalke> Well, I'll digg some more.
04:05 < dazo> buntfalke:  If you'll find the patches for ipv6-over-tun ... I'm interested in having a look at them .... as your university obviously must have managed something, doing that
04:07 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has quit []
04:09 -!- Leila [i=d9dae562@gateway/web/freenode/x-unbarfnwtzfgxdtt] has quit [Ping timeout: 180 seconds]
04:09 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [SendQ exceeded]
04:10 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
04:12 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)]
04:13 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
04:14 < buntfalke> dazo: They should be on the ML, as they are meant to become part of (one of the next) the next release(s)
04:14 < buntfalke> Seems like someone keeps pulling the plug... :-)
04:15 < dazo> buntfalke:  hmmm .... I can't say I recall that ... but my memory can be selective of what it wants to remember from time to time ;-)
04:17 < buntfalke> I didn't check that by myself either, the guy from our edpc said they're trying to get it up into mainline
04:27 < dazo> aha
04:31 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
04:39 -!- JackW [n=jack@95.16.21.75] has joined ##openvpn
04:44 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
04:50 -!- savenger [n=savenger@p5792E4CD.dip.t-dialin.net] has joined ##openvpn
04:52 < savenger> Hi everyone... I want to give specific clients a static ip address. The openvpn documentations says e.g. to give Thelonius an ip addr of 10.9.0.1 I have to put the line "ifconfig-push 10.9.0.1 10.9.0.2" into the file Thelonius inside the ccd-dir. What does the second paramater of ifconfig-push mean? (10.9.0.2)
04:53 < hyper_ch> I don't know
04:53 < hyper_ch> I just accepted that and it works :)
04:57 < kyrix> savenger, i dont remember quite well, but wasnt it the mask?
04:58 < savenger> kyrix: yes, that would make sense....
04:58 < savenger> hyper_ch: lol
04:59 < rob0> !ifconfig
04:59 < vpnHelper> rob0: "ifconfig" is usage: ifconfig l rn | Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices, rn is the IP address of the remote VPN endpoint. For TAP devices, rn is the subnet mask of the virtual ethernet segment which is being created or connected to.
04:59 < rob0> ifconfig-push is similar
05:00 < savenger> rob0: thanks...
05:02 < savenger> rob0: So, if my server had tun and ip 10.9.0.1 and I had Thelonius, that should have 10.8.0.128, I would write "ifconfig-push 10.8.0.128 10.8.0.1", right?
05:03 < buntfalke> dazo: I've asked for the specific patches, URLs and so on. let's see what the reply will look like.
05:06 -!- Briareos1 [n=B@13-98-136-94.static.net4you.net] has joined ##openvpn
05:06 < Briareos1> is there a reason to not use the road-warrior "server" also for site-to-site connection?
05:15 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 54 (Connection reset by peer)]
05:16 < rob0> 10.8.0.1 ?
05:18 < rob0> Briareos1, I just figure if I'm already running a server at at least one of the sites, might as well use it. But a static key (peer mode) is simpler to set up and maintain.
05:19 -!- Briareos1_ [n=B@13-98-136-94.static.net4you.net] has joined ##openvpn
05:20 < rob0> Also, with TLS, the keys expire, so there's not the theoretical brute force vulnerability, nor the potential that an attacker could have cached all your traffic in the hopes of eventually getting the key.
05:20 -!- Briareos1 [n=B@13-98-136-94.static.net4you.net] has quit [Read error: 104 (Connection reset by peer)]
05:20 < savenger> rob0: I mean 10.8.0.1 if my server had also 10.8.0.1
05:21 < rob0> (Neither of those are real world concerns.)
05:24 < dazo> rob0:  even with a static key, I believe temporary session keys are being generated exchanged as well ... but of course, if you capture the handshake process (which mostly happens in clear text), with a brute forced key (or stolen static key) you'll be able to retrieve the temporary session keys, and then decrypt the core traffic as well
05:27 -!- Diffen [n=diffen@226.234.241.83.in-addr.dgcsystems.net] has quit ["This computer has gone to sleep"]
05:28 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit []
05:34 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
05:45 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
05:49 -!- Leila [i=d9dae562@gateway/web/freenode/x-yrmakuviqwdiqtrs] has joined ##openvpn
05:50 -!- openvpnhater [n=sonupunn@82.109.74.162] has joined ##openvpn
05:50 < Leila> is it possible connect to openvpn server in linux from clients in windows without install openvpn client gui???/
05:51 < reiffert> yep.
05:52 < Leila> how?
05:55 < reiffert> run the openvpn binary from the command line
05:55 < reiffert> or right click on the .ovpn file and choose "connect" or similar
05:55 < reiffert> Think it's "Open this file with openvpn" or something
05:56 -!- Briareos1_ [n=B@13-98-136-94.static.net4you.net] has quit [Read error: 110 (Connection timed out)]
05:58 -!- Leila [i=d9dae562@gateway/web/freenode/x-yrmakuviqwdiqtrs] has quit [Ping timeout: 180 seconds]
05:58 < openvpnhater> hello all..could i ask if anyone knows what the status=1 messages mean in the logs after the initial connection is established
05:58 -!- Leila_ [i=d9dae562@gateway/web/freenode/x-jmavkbigfuseheyi] has joined ##openvpn
05:58 < openvpnhater> the log files show me  zobbo/90.210.88.136:55092 SENT CONTROL [zobbo]: 'PUSH_REPLY,route-gateway 192.168.112.254,ifconfig 192.168.112.230 255.255.255.0' (status=1)
06:00 < openvpnhater> i could connect and ping before but now have cannot ping machines on network once vpn in
06:00 -!- openvpnhater is now known as sppadicus
06:00 -!- flo|va-nu-pied [n=florent@85.69.202.243] has quit [Remote closed the connection]
06:00 < sppadicus> sorry-just been a crazy day so far trying to debug the messages in the logs
06:00 -!- flo|va-nu-pied [n=florent@85.69.202.243] has joined ##openvpn
06:01 < mithridates> hey guys
06:02 < mithridates> how can I set an account to be assigned just for a specific computer
06:02 < mithridates> ?
06:02 < mithridates> for example how can I set MAC access list for openvpn clients?
06:02 < Leila_> i want connect openvpn server in linux from client in windows without install openvpn gui
06:02 < Leila_> how?
06:03 < sppadicus> mithridates: i believe there is an  --lladdr address
06:03 < sppadicus>               Specify the link layer address, more commonly known as the MAC address.  Only applied to TAP devices.
06:03 < mithridates> !lladdr
06:03 < vpnHelper> mithridates: Error: "lladdr" is not a valid command.
06:04 < mithridates> sppadicus: but I don't use TAP , I use TUN device in my server
06:04 < sppadicus> ahhh mithridates oops
06:06 < sppadicus> vpnHelper: could i ask if u have come across PUSH_REPLY (status=1) messages in the logs before?
06:06 < vpnHelper> sppadicus: Error: "could" is not a valid command.
06:07 < mithridates> I don't wanna let users access to connect by other computers or devices to my server via same certificates
06:08 < sppadicus> vpnHelper: sorry just been stressed trying to debug the openvpn logs
06:08 < vpnHelper> sppadicus: Error: "sorry" is not a valid command.
06:09 < sppadicus> i have hit a bot
06:10 < sppadicus> mithridates: u shud take out duplicate-cn in ur config file
06:10 < sppadicus> to prevent multiple clients connecting with same cert
06:10 < mithridates> !duplicate-cn
06:10 < vpnHelper> mithridates: Error: "duplicate-cn" is not a valid command.
06:10 < mithridates> !duplicate
06:10 < vpnHelper> mithridates: Error: "duplicate" is not a valid command.
06:17 -!- Diffen [n=diffen@226.234.241.83.in-addr.dgcsystems.net] has joined ##openvpn
06:24 < mithridates> !factoids search duplicate
06:24 < vpnHelper> mithridates: No keys matched that query.
06:25 < mithridates> !factoids search duplicate_cn
06:25 < vpnHelper> mithridates: No keys matched that query.
06:25 -!- sppadicus [n=sonupunn@82.109.74.162] has left ##openvpn []
06:26 -!- Leila_ is now known as Leila
06:27 -!- sppadicus [n=sonupunn@82.109.74.162] has joined ##openvpn
06:29 < dazo> Leila:  you asked this question yesterday .... you will not get any different answers from anyone here, even today
06:31 < dazo> Leila:  and I told you that OpenVPN Access Server _might_ have such a feature ... but nobody have confirmed this ... and OpenVPN AS is not supported here
06:31 < dazo> mithridates:  what exactly are you trying to do?
06:32 < mithridates> I have more than 100 clients ( I will have)
06:32 < Leila> dazo:  ok tnx a lot.
06:33 < mithridates> I want to stop them to connect by other computers to openvpn server
06:33 < dazo> mithridates:  so you want the openvpn clients to be hard limited to a physical device?
06:33 < mithridates> yes
06:33 < mithridates> exactly
06:34 < dazo> mithridates:  aha ... that's a very tricky one ... OpenVPN do not have any such limitations ... the tun devices do not have MAC addresses, and the MAC address on tap devices are easy to modify
06:36 < dazo> mithridates:  you most probably would need to develop some extra software which needs to be run on the clients, which could be run via --up in the client configs
06:36 < mithridates> wait
06:36 < dazo> mithridates:  this software would then collect the needed information which you would like to use to identify the client hardware ... and send this information to the server via the tunnel
06:37 < dazo> mithridates:  and then the server could allow traffic to pass via the firewall ... or it could disconnect the client from the server
06:38 < mithridates> just a minute
06:38 < dazo> sure
06:39 < sppadicus> anyone got any ideas about status=1 messages in logs after connection is initiated
06:42 < sppadicus> also keep getting messsages in the logs saying that multiple connections even though its just me disconnectinga nd connecting back again
06:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:47 < Diffen> Hello. Im running openvpn on a single-nic server. The server is connected straight to internet. Im using tun, my problem is that i dont get any ip on the vpn-client. Anyone that have any nice ideas on what i have missed out in the config file?
06:50 < ecrist> good morning.
07:01 < dazo> !configs
07:01 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
07:01 < dazo> Diffen:  ^^^
07:01 < dazo> !pastebin
07:01 < vpnHelper> dazo: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
07:02 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
07:03 < Diffen> dazo will do
07:04 < Diffen> http://pastebin.com/m3bc21bcc
07:05 < dazo> Diffen:  I'm not too responsive this afternoon (CET) ... but please paste it here ... several skilled people are following the channel and will give input of they see something
07:05 < Diffen> dazo no problems :D im trying around to see if i can manage to get it working
07:05 < dazo> Diffen:  trust me ... you'll manage that ;-)
07:06 < dazo> you might also to share some logs as well
07:06 < dazo> !logs
07:06 < vpnHelper> dazo: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
07:06 < dazo> diffen ^^
07:06 < Diffen> hmm sorry but how to i set verb to 6?
07:07 < dazo> in server and client configs .... add verb 6 ;-)
07:07 < Diffen> will do
07:07 < dazo> even though verb 4 might be enough, usually
07:07 < dazo> Diffen:  btw ... you have verb 3 in your server config ...
07:08 < Diffen> yes saw that now
07:11 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit []
07:11 -!- Leila [i=d9dae562@gateway/web/freenode/x-jmavkbigfuseheyi] has left ##openvpn []
07:15 < Diffen> http://pastebin.com/m16df804 updated one now dazo.
07:16 < Diffen> im a worthless on tunnelblick so i cant get it connected to my openvpn. earlier i used another vpn client but im to cheap to buy it :D
07:17 < dazo> Diffen:  I'd like to see server log .... not status log ;-) .... have a look at --log in the man page
07:17 < Diffen> ahh
07:17 < Diffen> sorry my bad
07:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:24 < mithridates> dazo: which software can do that job?
07:24 < mithridates> openvpn?
07:25 < dazo> mithridates:  you'll probably need to write it yourself
07:25 < dazo> mithridates:  openvpn do not .... but openvpn can trigger such software to be run
07:26 < mithridates> what about duplicate_cn which a user in this channel said
07:26 -!- sppadicus [n=sonupunn@82.109.74.162] has left ##openvpn []
07:27 < Diffen> http://pastebin.com/m7d12d12 new information dazo :D
07:27 < Diffen> at the bottom
07:28 < dazo> Diffen:  and do you also have the client log as well?
07:28 < dazo> Diffen:  at first sight, it looks pretty good at the server side
07:29 < Diffen> the only thing i get from tunnelblick is the thing that says tunnelblick log. im pretty sure i messed up the config on the tunnelblick
07:29 < rob0> mithridates, these are (will be) remote clients? You won't see their MAC if you're not on a common, directly-connected segment.
07:30 < Diffen> dazo thats good to hear :D
07:31 < ecrist> looks like I need a little more complicated algorithm to parse the factoids database
07:33 < mithridates> rob0: yes these are remote clients
07:33 < dazo> mithridates:  duplicate-cn will only allow multiple users connecting from several clients using the same certificate .... if you want to bind the connection allowance to the physical hardware, you'll need authenticate the hardware somehow ... this is not possible to manage with the current openvpn versions at all ... you'll need to establish a connection, send over some extra auth-data to your own hw-auth service and then let this piece decid
07:33 < dazo> e what to do - disconnect the client or accept it by opening up in the firewall on-the-fly
07:34 < mithridates> oh I understood what you said
07:34 < rob0> Frankly, I am doubtful that it will be easy (or useful) to come up with a way to validate the hardware.
07:34 -!- Irssi: ##openvpn: Total of 100 nicks [0 ops, 0 halfops, 0 voices, 100 normal]
07:35 < ecrist> wow, 100 people in here
07:35 < mithridates> so if I use certificate in the current way , two users are not able to connect by same certificate in a same  time
07:35 < mithridates> am I right?
07:35 < mithridates> ecrist: :d yes
07:37 -!- Guest32140 [n=sec@dslb-092-073-151-028.pools.arcor-ip.net] has joined ##openvpn
07:37 < Guest32140> hi there
07:38 -!- Guest32140 is now known as thordon
07:40 < mithridates> are clients able to use same certificate in the same time?
07:54 -!- sporedi [n=chatzill@121.247.65.116] has joined ##openvpn
07:55 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
07:55 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
07:55 < sporedi> what could be reson when i run ip xfrm monitor i get blank /zero output ,sorry i am new to vpn
07:56 < sporedi> !welcome
07:56 < vpnHelper> sporedi: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:56 < dazo> mithridates:  without duplicate-cn ... only one user with the given certificate can connect simultaneously
07:57 < ecrist> !ccd
07:57 < vpnHelper> ecrist: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
07:58 < ecrist> krzee: I've corrected the factoids dump page
07:58 -!- Diffen [n=diffen@226.234.241.83.in-addr.dgcsystems.net] has quit [Read error: 60 (Operation timed out)]
07:59 < mithridates> dazo: thank you man, :D that's the enough limitation that I have needed
08:00 < ecrist> dazo: !factoids
08:00 < dazo> ecrist:  I know ... and I forget .... more often, I forget ;_)
08:00 < dazo> ;-)
08:00 < ecrist> no, I mean:
08:00 < ecrist> !factoids
08:00 < vpnHelper> ecrist: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
08:01 < ecrist> new as of yesterday, just worked out some bugs
08:01 < dazo> ecrist:  nice!  yeah, I saw it this (my) morning .... but nice with the new improvement :)
08:01 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has left ##openvpn []
08:02 < thordon> !welcome
08:02 < vpnHelper> thordon: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:02 < ecrist> it wasn't printing more than the last fact (for those with multiple facts)
08:02 < dazo> yeah ... this feature, I've been missing :)
08:02 -!- Diffen [n=diffen@226.234.241.83.in-addr.dgcsystems.net] has joined ##openvpn
08:03 < ecrist> nobody asked for it until yesterday.  took me about an hour to code, 30 minutes this morning to refactor my query and result processing.
08:03 < thordon> !forum
08:03 < vpnHelper> thordon: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
08:03 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
08:06 -!- sporedi [n=chatzill@121.247.65.116] has quit ["ChatZilla 0.9.86 [Firefox 3.5.6/20091201220228]"]
08:12 < ecrist> krzee: do you mind if I install some plugins for vpnHelper?
08:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
08:46 < krzee> ecrist, nah knock yourself out
08:46 < krzee> after seeing that dump page im looking forward to seeing what else you do with him
08:47 < krzee> lol
08:47 < krzee> makes me wish i moved him to your lan long ago
08:47 < krzee> i need to get to the job site tho, bbl
08:50 -!- nneul [n=nneul@mo-76-3-37-166.dhcp.embarqhsd.net] has joined ##openvpn
08:53 < ecrist> !rss.info
08:53 < vpnHelper> ecrist: Error: "rss.info" is not a valid command.
08:53 < ecrist> !info
08:53 < vpnHelper> ecrist: Error: The command "info" is available in the Factoids and RSS plugins.  Please specify the plugin whose command you wish to call by using its name as a command before "info".
08:53 < ecrist> !rss info
08:53 < vpnHelper> ecrist: (rss info <url|feed>) -- Returns information from the given RSS feed, namely the title, URL, description, and last update date, if available.
08:54 < ecrist> !rss add "OpenVPN Forum" "feed://www.ovpnforum.com/smartfeed.php?feed_type=RSS2.0&limit=1_DAY&sort_by=standard&feed_style=HTML&"
08:54 < vpnHelper> ecrist: Error: 'OpenVPN Forum' is not a valid feed name.  Feed names must not include spaces.
08:55 < ecrist> !rss add OpenVPN_Forum "feed://www.ovpnforum.com/smartfeed.php?feed_type=RSS2.0&limit=1_DAY&sort_by=standard&feed_style=HTML&"
08:55 < vpnHelper> ecrist: Joo got it.
08:55 < ecrist> !rss announce ##openvpn OpenVPN_Forum
08:55 < vpnHelper> ecrist: Error: 'announce' is not a valid url.
08:55 < ecrist> !announce ##openvpn OpenVPN_Forum
08:55 < vpnHelper> ecrist: Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
08:59 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)]
08:59 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
09:05 -!- hyper__ch [n=hyper@143-200.2-85.cust.bluewin.ch] has joined ##openvpn
09:05 -!- hyper_ch [n=hyper@54-59.1-85.cust.bluewin.ch] has quit [Nick collision from services.]
09:05 -!- hyper__ch is now known as hyper_ch
09:07 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
09:09 < Diffen> Hello again. im struggleing with my route on my openvpn server. http://pastebin.com/d368ca082 the config and so on. my problem is that i think that the P-t-P on tun0 on the server are wrong configured. am i correct?
09:10 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection]
09:10 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
09:10 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection]
09:10 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
09:11 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
09:14 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
09:17 < dazo> Diffen:  line 34-35 looks utterly wrong
09:17 < ecrist> !announce ##openvpn OpenVPN_Forum
09:17 < vpnHelper> ecrist: Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
09:17 < ecrist> sigh
09:17 < ecrist> !announce ##openvpn OpenVPN_Forum
09:17 < vpnHelper> ecrist: Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
09:17 < Diffen> dazo thanks chief. ill take a look
09:17 < ecrist> sigh again
09:18 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Client Quit]
09:19 < Diffen> dazo hmm ok should i remove the delete part?
09:19 < dazo> Diffen:  those routes should come up automatically ... you should never ever need to manipulate the tun device currently being configured by openvpn
09:20 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
09:20 < vpnHelper> Announcement from my owner (ecrist): ##openvpn OpenVPN_Forum
09:23 < Diffen> ok
09:23 < Diffen> im gonna give it a try. brb
09:24 < dazo> Diffen:  !route might give you more info which can help you to understand the routing concept
09:26 < Diffen> !route
09:26 < vpnHelper> Diffen: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:28 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
09:28 < Diffen> dazo ok hmm the problem here is that i dont have a lan connected to my openvpn server. the server is connected directly to internet.
09:29 < dazo> Diffen:  that's not a problem ... but the routing concepts are similar ... but you'll need to use redirect-gateway on the client (can be pushed from server)
09:30 < Diffen> sweet
09:34 -!- kyrixpower [n=ashley@80-121-67-95.adsl.highway.telekom.at] has joined ##openvpn
09:36 -!- kyrix [n=ashley@80-121-4-195.adsl.highway.telekom.at] has quit [Read error: 60 (Operation timed out)]
09:43 -!- LittleJ [n=linuz@82.78.185.26] has quit [Read error: 110 (Connection timed out)]
09:46 -!- corretico__ [n=laguilar@201.201.46.106] has quit [Connection timed out]
09:46 < Diffen> dazo thanks for all you help today
09:46 < dazo> Diffen:  you're welcome!
09:47 < Diffen> im not getting it working :) but i will go home and fry me some meatballs and get right back on the horse :D
09:47 < dazo> Diffen:  have fun! :)
09:48 < Diffen> i will try :D thanks and talk to you later :D
09:48 -!- Diffen [n=diffen@226.234.241.83.in-addr.dgcsystems.net] has quit ["This computer has gone to sleep"]
09:48 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
09:51 -!- nneul [n=nneul@mo-76-3-37-166.dhcp.embarqhsd.net] has quit ["Leaving"]
09:52 -!- Irssi: ##openvpn: Total of 98 nicks [0 ops, 0 halfops, 0 voices, 98 normal]
10:00 < vpnHelper> New forum entry openvpnforum: Installation Help :: Re: Include username and psswd in the config file :: Reply by ecrist <http://www.ovpnforum.com/viewtopic.php?f=5&t=2424&p=2799#p2799>
10:00 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit ["Leaving."]
10:03 -!- Kasx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 110 (Connection timed out)]
10:16 -!- hyper_ch [n=hyper@143-200.2-85.cust.bluewin.ch] has quit [Read error: 104 (Connection reset by peer)]
10:27 -!- stephenh [i=stephenh@69.30.200.88] has quit ["boom boom"]
10:33 < dwalluck> ok, I have my connection log and I'm getting: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
10:33 < dwalluck> do I have to add the certificate as trusted for openssl (this is on Windows, so I'm not sure which store it uses)
10:35 < dwalluck> I don't have any option about the type in my ovpn config
10:36 < ecrist> !verify
10:36 < vpnHelper> ecrist: Error: "verify" is not a valid command.
10:36 < crazygir> trying to setup windows clients makes me want to slaughter MS
10:36 < crazygir> *openvpn on windows clietns
10:36 < ecrist> !certinfo
10:36 < vpnHelper> ecrist: "certinfo" is please run `openssl x509 -in <file> -noout -text` for ca,server,client certs and pastebin the results
10:37 < ecrist> !certverify
10:37 < vpnHelper> ecrist: "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
10:37 < ecrist> dwalluck: those commands are for you
10:40 < crazygir> I'm a little lost in the documentation at this point.. what is the best way to setup a windows openvpn client to connect to a remote tun vpn (routed)
10:40 < crazygir> simplicity of use is key.. I'm deploying this to no-IT endusers
10:40 < ecrist> crazygir: windows uses the same config linux clients use
10:40 < dwalluck> ecrist: I am not sure, the certificate is the CA?
10:41 < dwalluck> ecrist: oh, I have to get the server cert off of the server?
10:41 < ecrist> yes
10:41 < dwalluck> ecrist: at least, how could I make sure that the cert marked as "ca" is actually trusted?
10:41 < ecrist> !configs
10:41 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
10:42 < crazygir> ecrist: from what I was reading, it sounds like TUN is a pita to setup in windows?
10:42 < dwalluck> I assume that if the CA is not trusted the verify would automatically fail?
10:42 < crazygir> via the virtualTAP device
10:42 < ecrist> nope
10:42 < ecrist> it uses the same config as linux
10:42 < crazygir> hrm.. wonder what I'm doing wrong then
10:42 < dwalluck> But then, why does it say VERIFY OK and the error is about the nsCertType instead
10:43 < ecrist> dwalluck: you're not giving my your whole log, I can only offer advice based on the one line you displayed
10:43 < ecrist> !logs
10:43 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
10:43 < dwalluck> In Windows, if I double click on the crt I can add it to the Trusted Root Store. I am wondering if anything like that is needed here?
10:43 < ecrist> NO
10:43 -!- thordon_ [n=sec@dslb-088-078-082-148.pools.arcor-ip.net] has joined ##openvpn
10:43 < ecrist> dwalluck: post your configs and your logs, please
10:45 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:47 < dwalluck> ecrist: no problem, I just need to know what to obfuscate first
10:47 < thordon_> !welcome
10:47 < vpnHelper> thordon_: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:47 < thordon_> !mitm
10:48 < vpnHelper> thordon_: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
10:48 < crazygir> how should windows paths (for keys) be speficied in the config?
10:48 < thordon_> !iporder
10:48 < vpnHelper> thordon_: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
10:48 < ecrist> crazygir: your safest best is to use full paths when possible
10:49 < ecrist> relative paths are acceptable, as well
10:49 < crazygir> right.. that was my attempt
10:49 < thordon_> !ipp
10:49 < vpnHelper> thordon_: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
10:49 < crazygir> I'll try relative in another way
10:50 < ecrist> iirc, you need to use forward slashes in the path, even though windows uses backslashes
10:51 < dwalluck> ecrist: config: http://www.pastebin.ca/1741558
10:52 < crazygir> oh fun
10:53 < ecrist> what's up with line 09?
10:53 < ecrist> dwalluck: where are your client certificate and keys?
10:53 -!- dazo is now known as dazo_afk
10:54 < crazygir> ecrist: I have the keys in the same directory as the config so my key/cert lines are: key client.key and cert client.crt
10:54 < ecrist> crazygir: I've never had a problem with windows clients.  my configs only list the certificate/keys with no path, and all files go in the config directory
10:54 < dwalluck> ah well originally when I wasn't on windows it had another path, but I put '.' for the current directory: now the cert newca.crt is in the 'config' directory
10:54 < ecrist> always works for me
10:54 < crazygir> this is what I started with, then started testing with other path options
10:54 < ecrist> that should work.
10:54 < crazygir> I'm getting an fopen error
10:54 < dwalluck> There's no separate key file
10:54 < crazygir> trying to paste the error isn'
10:54 < crazygir> isn't working
10:54 < crazygir> hrm
10:55 < dwalluck> I should say the same config (line 9 has a different path) works on Linux
10:55 < ecrist> dwalluck: how are you authenticating your clients, then?
10:55 < crazygir> ecrist: what is weird, is that the ca line is first, and there's no error there
10:55 < ecrist> dwalluck: the cd command doesn't do anything
10:55 < ecrist> !configs please, crazygir
10:55 < vpnHelper> ecrist: Error: "configs" is not a valid command.
10:56 < dwalluck> the cd command makes it find the certficate I think is what it was for
10:56 < ecrist> dwalluck: no, it doesn't
10:57 < ecrist> it's a worthless command
10:57 < dwalluck> well i can remove it
10:57 < ecrist> I would start there.
10:57 < ecrist> then, where are your client certificate/key?
10:57 < dwalluck> the clients dont have certificates, only the server does and that's the one that's failing to verify, not newca.crt
10:57 < crazygir> yea, windows isn't finding the key/cert file
10:58 < ecrist> can you post your logs?
10:58 < ecrist> if not, I cannot help you
10:58 -!- thordon [n=sec@dslb-092-073-151-028.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)]
10:58 < ecrist> (either of you)
10:58 < dwalluck> sure, but I guess I can take out the IP address
10:59 < ecrist> whatever you want to do, but I won't help without logs
11:02 < dwalluck> ecrist: http://www.pastebin.ca/1741580
11:03 < dwalluck> ecrist: took out some stuff let me know if it was important
11:03 < dwalluck> ecrist: I guess it's like 28--32
11:03 < dwalluck> ecrist: lines
11:03 < ecrist> what did you take out, and why?
11:04 -!- dyzdyz [n=dyzdyz@ch49172.petrus.pl] has joined ##openvpn
11:04 < dyzdyz> !welcome
11:04 < vpnHelper> dyzdyz: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:04 < dwalluck> ecrist: the IP address
11:04 < ecrist> that's all?
11:05 < ecrist> did you sent nsCertType on your server certificate?
11:05 < dyzdyz> hi all
11:05 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
11:05 < ecrist> hello, dyzdyz
11:05 < crazygir> ecrist: Cannot load certificate file client.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines: FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
11:05 < dyzdyz> !topology
11:05 < vpnHelper> dyzdyz: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
11:05 < ecrist> crazygir: can you post your configs, please
11:06 < ecrist> last time I'm willing to ask
11:06 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
11:06 -!- kyrixpower [n=ashley@80-121-67-95.adsl.highway.telekom.at] has quit ["Leaving"]
11:07 < dyzdyz> i need to set a VPN connection between my laptop and my office network, i'v got a Fedora 12 server behind dummy-router in the office
11:07 -!- phusion__ [i=phusion@88.80.16.38] has quit [Read error: 54 (Connection reset by peer)]
11:07 < dyzdyz> server has eth1 connected to LAN, with 192.168.1.X address
11:08 -!- phusion__ [i=phusion@88.80.16.38] has joined ##openvpn
11:08 < crazygir> ecrist: http://pastebin.ca/1741592
11:08 < crazygir> sorry, took me a few
11:09 < dyzdyz> i can farward a port to server from router, but i'm not sure how to edit server.conf, to use only one interface
11:09 < dyzdyz> only eth1
11:10 -!- JackW [n=jack@95.16.21.75] has left ##openvpn ["Konversation terminated!"]
11:11 < ecrist> doesn't sound like a problem, dyzdyz
11:11 < dyzdyz> can you show me the right way?
11:12 < ecrist> not sure what you want showed to you
11:12 < ecrist> start here
11:12 < ecrist> !howto
11:12 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:12 -!- hyper_ch [n=hyper@adsl-89-217-25-187.adslplus.ch] has joined ##openvpn
11:13 < dyzdyz> i'll try
11:13 < ecrist> crazygir: are you using openvpn gui on windows?
11:13 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)]
11:13 < ecrist> and are the ca.crt, client.key, and client.crt files in the same directory as the config file?
11:14 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:15 < dwalluck> ecrist: I don't run the server so I don't know, I removed the ns-cert-type line from the ovpn config, but apparently it still checks it? So what if there is none
11:16 < ecrist> dwalluck: you don't run the server?
11:16 < crazygir> ecrist: yes, all files (config/key/crts) are in the default openvpn config directory. and yes, I am using the openvpn windows gui, but I've been running openvpn.exe from the command line
11:16 < ecrist> I would suggest talking to your server admin, not a lot we can do for you
11:16 < ecrist> crazygir: use the gui, don't use command line
11:16 < ecrist> it should 'just work'
11:17 < crazygir> it doesn't that's why I have tried the cmd
11:17 < crazygir> I've got the red icon :|
11:23 < ecrist> hrm
11:23 < ecrist> my test box is not accessible.  my personal vpn is down for some reason
11:25 < crazygir> :|
11:25 < thordon_> Hello, please does anyone 've an Idea for my not working openvpn under windows7? ping works fine, but games doesn't find partner in tap-mode over game broadcast.
11:26 < thordon_> I've tried nearby anything and google does not help
11:26 < thordon_> maybee a tricky option in win7 ?
11:26 < ecrist> thordon_: firewall issues, probably?
11:27 < thordon_> mmh, i guess i've disabled firewall on all sides
11:27 < thordon_> i 've also removed all blocking rules
11:27 < ecrist> I would check.
11:27 < ecrist> if you can ping over the vpn to the other hosts, your problem is not with openvpn
11:28 < thordon_> ok, that my guess, too. cause under xp everything worked fine.
11:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:35 < ecrist> my vpn is back up
11:35 < crazygir> W00T
11:35 < ecrist> looking, crazygir 
11:35 < crazygir> :P
11:35 < crazygir> still trying over here, I was going to attempt from another windows box
11:37 < ecrist> running 2.1_rc22 works fine, crazygir 
11:40 < ecrist> http://pastebin.com/m4a9ddec0
11:40 < ecrist> that config works without a problem
11:40 < ecrist> all files are in c:\Program Files\OpenVPN\config
11:45 < thordon_> is it necessary to run openvpn-gui in vista compatibility mode to work under win7 ?
11:49 -!- yoshx [n=yoshx@93.9.150.199] has joined ##openvpn
11:52  * crazygir double checking versions
11:55 < dyzdyz> !topology
11:55 < vpnHelper> dyzdyz: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
12:02 -!- erpel_ [n=erpel@g224213073.adsl.alicedsl.de] has joined ##openvpn
12:03 -!- erpel_ [n=erpel@g224213073.adsl.alicedsl.de] has quit [Client Quit]
12:10 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
12:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
12:21 < ecrist> thordon_: no
12:23 -!- yoshx [n=yoshx@93.9.150.199] has quit [Read error: 110 (Connection timed out)]
12:24 -!- yoshx [n=yoshx@93.9.150.199] has joined ##openvpn
12:26 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
12:28 -!- thordon_ [n=sec@dslb-088-078-082-148.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)]
12:36 -!- dauergast [n=sag@g226224106.adsl.alicedsl.de] has joined ##openvpn
12:37 -!- dauergast [n=sag@g226224106.adsl.alicedsl.de] has quit [Client Quit]
12:51 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
13:10 -!- dauergast [n=sag@g226224106.adsl.alicedsl.de] has joined ##openvpn
13:17 -!- dwalluck is now known as dwalluck_lunch
13:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:41 -!- MrJK [n=jezu@194.199.166.96] has joined ##openvpn
13:41 < MrJK> hi
13:42 -!- G-Script50 [n=sag@g226224106.adsl.alicedsl.de] has joined ##openvpn
13:42 -!- G-Script50 [n=sag@g226224106.adsl.alicedsl.de] has quit [Remote closed the connection]
13:42 < MrJK> I've a question: how to change routes in Windows XP ( as client) to put all the web traffic trough my gateway ( the openVPN server in fact )
13:43 < endre> use route cmd
13:43 < MrJK> I try to play with the route command, without success
13:43 < ecrist> !def1
13:43 < vpnHelper> ecrist: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
13:43 < endre> make a /32 route to the vpn server
13:43 < endre> and the make your default gw via the vpn peer linkaddr
13:43 < ecrist> endre: a /32 route will only route a single IP
13:43 < endre> ecrist: oh shit, no. rly?
13:44 < endre> you must have a host route or you will (wanna) route the vpn itself over the tunnel
13:45 -!- dauergast [n=sag@g226224106.adsl.alicedsl.de] has quit [Read error: 54 (Connection reset by peer)]
13:45 < MrJK> whaoo, huu, I'm little bit lost... I should have a look one the def1 flag ?
13:45 < ecrist> MrJK: the server end will need to support it, yes
13:45 < endre> not really
13:45 < endre> it's pure ip routing
13:45 < ecrist> yes, it will
13:46 < ecrist> he won't get internet access unless nat or public ips are use for vpn clients
13:46 < rob0> The server side would typically need to SNAT the outbound packets
13:46 < endre> the server must forward (and nat) your packets.. if that's what you cann support, then yes.
13:46 < endre> but it's out of openvpn's configuration at any kind.
13:46 < ecrist> indeed
13:46 < ecrist> as a 'client' he can't just decide, necessarily, to route all traffic over the vpn
13:46 < rob0> Right, and the original question is a Windows support one.
13:46 < endre> yup
13:47 < endre> MrJK: do a
13:47 < endre> route add <ur vpn public enpoint> mask 255.255.255.255 <ur defgw>
13:47 < endre> route del 0.0.0.0
13:47 < endre> route add 0.0.0.0 mask 0.0.0.0 <ur vpn server ip over the tunnel>
13:49 < ecrist> I still posit it would be easier for him to ask the server admin to do this with a proper 'push'
13:50 < endre> indeed.
13:50 < endre> i totally agree
13:50 < endre> but he can define it on the client side openvpn config as well
13:51 < rob0> But then, the stated goal was to put only Web traffic through the tunnel, not all traffic.
13:51 < ecrist> without policy-routing, you cannot route specific ports over the vpn
13:59 -!- Steve973 [n=Steve@169.130.18.10] has joined ##openvpn
14:00 < Steve973> hello.  since using a common subnet ip address scheme can result in ambiguity, are there any suggested guidelines for address ranges for subnets?
14:00 < MrJK> OMG, it works so much better
14:00 < MrJK> thanks a loooooot !!!
14:00 < MrJK> thx endre and ecrist =)
14:07 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has joined ##openvpn
14:11 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has quit [Client Quit]
14:15 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
14:15 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
14:15 < ecrist> Steve973: the 'norm' seems to be 192.168.[01]/24 are used for most home networks, 172.16/12 is used for VPNs, and 10/8 is used for corp lans
14:15 < crazygir> I have the openvpn windows gui (same version) installed on two systems. The right-click menu on the tray icon is much more complete on one, and minimal on the other.. am I missing somehting?
14:15 < ecrist> configs?
14:15 < Steve973> thanks
14:15 < ecrist> can you post screen shots, crazygir ?
14:16 < ecrist> Steve973: that's not a hard-and-fast rule, but my observations
14:16 < Steve973> that can help
14:16 < crazygir> so that isn't a known problem
14:16 < crazygir> I was hoping it was something simple
14:16 < crazygir> let me see what I can do :)
14:17 < ecrist> !1918
14:18 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
14:18 < rob0> I avoid 192.168.0.0/22, generally make all my LAN/VPN netblocks in 192.168.4.x and above.
14:20 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has joined ##openvpn
14:22 -!- dyzdyz [n=dyzdyz@ch49172.petrus.pl] has quit [Read error: 110 (Connection timed out)]
14:26 -!- buntfalke_ is now known as buntfalke
14:26 -!- k5ehx [i=oh9r51bH@unaffiliated/k5ehx] has joined ##openvpn
14:34 -!- mark__ [n=mark@74-132-123-85.dhcp.insightbb.com] has joined ##openvpn
14:35 < mark__> General question....I've got a working VPN connection, can ping ip addresses on the other side, but can't resolve hostnames on the other side.  Double checked /etc/resolv.conf and it's right.  Anybody know what I'm missing?
14:36 < mark__> routes seem correct too
14:36 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:38 -!- mark__ is now known as shaggystyle
14:40 < shaggystyle> !welcome
14:40 < vpnHelper> shaggystyle: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:40 < shaggystyle> !redirect
14:40 < vpnHelper> shaggystyle: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:41 -!- Sky[x] [n=SkyB0x@BSN-176-142-83.dial-up.dsl.siol.net] has joined ##openvpn
14:46 < shaggystyle> !def1
14:46 < vpnHelper> shaggystyle: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
14:50 < shaggystyle> !howto
14:50 < vpnHelper> shaggystyle: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:52 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has quit []
14:55  * crazygir got side tracked.. making screenshots now
15:05 -!- shaggystyle [n=mark@74-132-123-85.dhcp.insightbb.com] has quit ["Leaving"]
15:06 -!- Holister [n=ryan@static-151-204-189-39.pskn.east.verizon.net] has quit [Read error: 54 (Connection reset by peer)]
15:06 -!- Steve973 [n=Steve@169.130.18.10] has quit ["Leaving"]
15:07 < crazygir> ok, made the screenshots.. but found the issue as part of making them
15:07 < crazygir> the conf was config.opvn
15:09 < ecrist> and you called it something else?
15:10 < crazygir> so the gui wasn't picking up the conf
15:10 < crazygir> nope.. the extension should be .ovpn for the gui to extend the menu
15:12 < crazygir> ok, now on to more fun problems ;)
15:15 < crazygir> all tap devices are in use. thanks windows
15:23 -!- thordon [n=sec@188.109.25.178] has joined ##openvpn
15:25 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has quit [Read error: 110 (Connection timed out)]
15:25 -!- Holister [n=ryan@static-151-204-189-39.pskn.east.verizon.net] has joined ##openvpn
15:25 -!- Sky[x] [n=SkyB0x@BSN-176-142-83.dial-up.dsl.siol.net] has quit [Connection timed out]
15:31 -!- Patric3 [n=Patric3@it040352.massey.ac.nz] has joined ##openvpn
15:41 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.86 [Firefox 3.0.17/2009122116]"]
15:42 < thordon> hi, please could someone give a hint why my windows7 clients doesn't connect to broadcast games each other in tap-mode. under winxp everything worked fine. ping going through. firewalls are disabled. i'm desponded.
15:42 < thordon> *snief*
15:43 < thordon> is it necessary to use compatibility mode vista ?
15:43 < reiffert> does it work for you with hamachi?
15:43  * crazygir still uses XP when windows is required
15:44 < thordon> i don't like hamachi. have not tested under win7
15:44 < thordon> argh.. working and search for day
15:44 < thordon> s
15:45 < thordon> maybee a pecial option in win7
15:45 < thordon> reiffert: should i try hamchi first ?
15:45 < reiffert> Hamachi just works like openvpn ...
15:46 < thordon> ping is working
15:46 < thordon> my colleges have tried hamachi, without success
15:46 < reiffert> Give it a try, it works for every game I tested.
15:47 < thordon> but openvpn give me a ping about 14ms and hamchi..^^ to slow
15:48 < thordon> adapter order ist set to openvpn first
15:48 < thordon> and why is ping working ?
15:48 < thordon> server is a freebsd
15:48 < reiffert> cause basically it's working.
15:49 < reiffert> adapter order? hahaha.
15:49 < reiffert> a myth coming up here and there but bullshit.
15:50 < thordon> mmmh, ok.
15:50 < reiffert> all your clients are in the same subnet, what should an adapter order do here?
15:50 < thordon> whats about compatibility mode ? a myth too ?
15:50 < reiffert> packets apply to routing ..
15:50 < reiffert> openvpn compatibility mode?
15:51 < thordon> reiffert: thats a good question ^^
15:52 < thordon> reiffert: no i mean. windows7 compatiblity mode
15:52 < reiffert> Ah, thought you meant freebsd compatibility mode.
15:52 < reiffert> whats a compat mode and what does it do?
15:53 < thordon> no, openvpn-gui.exe in compat mode vista
15:53 < reiffert> doing what?
15:53 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
15:53 < thordon> don't know how it works or what it does exactly. i'm not a great windows expert
15:54 -!- Patric3 [n=Patric3@it040352.massey.ac.nz] has left ##openvpn []
15:56 < thordon> mmh. i've found a guy , over google, who had exactly the same problem. but no answers
15:56 -!- yoshx [n=yoshx@93.9.150.199] has quit [Read error: 60 (Operation timed out)]
15:56 < thordon> 2 win7 and 2 winxp. winxp is working. win7 don't. only for games with broadcast search
15:59 < thordon> ok, maybee a wireshark on the server could show me the way, but i'm not so familiar with it
16:00 < thordon> thought that you experts have heard about this problem, already.
16:03 < thordon> reiffert: thanX, are U _the_ reiffert who was on #chillout - werderstrasse ?
16:05 < reiffert> yes.
16:05 -!- thordon is now known as sec
16:05 -!- dwalluck_lunch is now known as dwalluck
16:05 < reiffert> ah, moin sec
16:06 -!- sec is now known as Guest83708
16:06 < Guest83708> :) gg - cool.
16:06 -!- Guest83708 is now known as thordon
16:07 < thordon> my nick is already registerd on ircnet :/
16:07 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Remote closed the connection]
16:07 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
16:07 < reiffert> to be honest, you are on freenode and not on ircnet.
16:11 < thordon> ups, of course
16:18 < thordon> reiffert: do U have a hint for me to bring me on the right way, please. any suggestions ?
16:19 < thordon> other than downgrade to winxp
16:20 < reiffert> Like I said, I run hamachi for playing games.
16:20 < reiffert> I never found out why some games work when using broadcast/multicast search and why some of them dont run. I also used wireshark etc.
16:22 < reiffert> They all do on hamachi for me.
16:24 < thordon> hamachi ist toooo slow. and i've dated me with friends to play at friday evening and we could not connect to hamachi !
16:25 < thordon> that was the point where i switched to openvpn and it working glorious. pretty nice pings. that was a time ago under winxp
16:26 < thordon> i dont want to put up with a non working openvpn under win7.
16:26 < reiffert> well .. wireshark then?
16:27 < thordon> my ambition is awakedned
16:28 < thordon> mmmh. i will give it a try, but how i said i'm not an expert in analyzing ethernet streams ^^
16:28 < thordon> ok, another thing to learn :)
16:29 < thordon> reiffert: thank U very much for your efforts and nice to meet u again. maybee U will revisit us at #chillout.
16:30 < reiffert> you are welcome
16:30 < thordon> have a nice evening
16:30 < reiffert> thx, same goes out for you
16:34 -!- k5ehx [i=oh9r51bH@unaffiliated/k5ehx] has left ##openvpn []
16:43 -!- Sky[x] [n=SkyB0x@BSN-176-142-83.dial-up.dsl.siol.net] has joined ##openvpn
16:53 -!- kyrix [n=ashley@chello213047159139.33.11.univie.teleweb.at] has joined ##openvpn
17:03 -!- kyrix [n=ashley@chello213047159139.33.11.univie.teleweb.at] has quit ["Leaving"]
17:05 -!- kyrix [n=ashley@chello213047159139.33.11.univie.teleweb.at] has joined ##openvpn
17:08 -!- Sky[x] [n=SkyB0x@BSN-176-142-83.dial-up.dsl.siol.net] has quit []
17:17 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 60 (Operation timed out)]
17:18 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
17:52 -!- Diffen [n=diffen@c-3672e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
18:21 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has joined ##openvpn
18:22 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has left ##openvpn ["Leaving"]
18:46 < Diffen> evning: is this a correct route setup on the openvpn server? http://pastebin.com/d7fe983a1
18:54 -!- Diffen [n=diffen@c-3672e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit ["This computer has gone to sleep"]
18:59 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
19:01 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has joined ##openvpn
19:13 -!- savenger_ [n=savenger@p5792EF11.dip.t-dialin.net] has joined ##openvpn
19:18 -!- kyrix [n=ashley@chello213047159139.33.11.univie.teleweb.at] has quit ["Leaving"]
19:28 -!- optiz0r [n=optiz0r@miranda.sihnon.net] has quit [Read error: 110 (Connection timed out)]
19:29 -!- savenger [n=savenger@p5792E4CD.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
19:44 -!- optiz0r [n=optiz0r@miranda.sihnon.net] has joined ##openvpn
20:19 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
20:37 -!- Gnewt [n=hackerle@li57-94.members.linode.com] has quit [Remote closed the connection]
21:08 -!- salax [n=ubuntu@219.95.96.90] has joined ##openvpn
21:10 < salax> hi all, i've setup the openvpn server and client in my ubuntu
21:10 < salax> but i got error when i want to initiate the connection
21:10 < salax> http://salawank.pastebin.com/f3969233b .. any idea? is it because of my key/certs?
21:15 < krzee> you changed the email in log yourself?
21:16 < krzee> or its really [at] ?
21:16 < krzee> yes, it has something to do with the certs
22:05 < salax> i changed it.. google crawl :)
22:05 < salax> krzee, i'll look into it, thnaks
22:05 < salax> thanks*
22:11 < salax> regarding certs/ keys for client, i have to issue it at the openvpn server right? and put it in the client side?
22:11 < krzee> also make sure both sides clocks are set to the right time / timezone
22:14 < salax> krzee, can this setting work? ---- i Installed openvpn server on ubuntu, put it in dmz, use the dynamic public ip for the openvpn server
22:14 < krzee> sure with dyndns
22:15 < salax> -- i installed openvpn client in another box, using ubuntu also, i connect to openvpn server.. both box is in my home
22:15 < krzee> oh both at home
22:15 < krzee> do they communicate through the same router?
22:15 < salax> yes, so basically, both have the same public IP, just the openvpn server is in the dmz
22:16 < salax> if i put let say 60.110.1.133, this will direct to the openvpn server
22:16 < salax> as my posted output, it seems they dont have trouble communicating with each other, just the certs/keys issue
22:17 < krzee> well you did cut the logs short too
22:17 < krzee> cant tell if something hat mattered was above or not
22:18 < salax> so, theoretical and technically, my settings for openvpn server and openvpn client is correct? if both in my home connecting thru same router?
22:20 < krzee> how could i know so far?
22:20 < krzee> !configs
22:20 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
--- Day changed Fri Jan 08 2010
00:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:22 -!- hyper_ch [n=hyper@adsl-89-217-25-187.adslplus.ch] has quit [Remote closed the connection]
00:25 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
00:53 -!- kerx [n=kerx@38.118.193.18] has joined ##openvpn
00:54 < kerx> hi everyone, i'm pushing a route of 192.168.1.0/24 to client's however i'm not able to ping ip's in the 192.168.1.0/24 range... it used to do it before, but it just all of a sudden stopped
00:54 < kerx> any ideas, please help?
01:02 -!- kerx_ [n=kerx@38.118.193.18] has joined ##openvpn
01:02 < kerx_> wups, lost internet
01:02 < endre> forwarding maybe off on the server/client?
01:02 < kerx_> endre, no forwarding is enabled since it's a NAT gateway as well
01:03 < endre> then a firewall rule?
01:03 < kerx_> which rule?
01:03 < endre> tcpdump all the participating interface
01:03 < endre> lol which rule
01:03 < endre> where should i know from
01:03 < kerx_> i just lost the server
01:03 < kerx_> because of doing: route 192.168.1.0 255.255.255.0
01:03 < endre> weird
01:04 < endre> remove that route from the kernel then
01:04 < kerx_> i use 192.168.1.0/24 on that server
01:04 < kerx_> it's my local network
01:05 < kerx_> $ipt -A INPUT -i tun0 -j ACCEPT
01:05 < kerx_> i have this rule setup
01:06 < kerx_> endre, you still around?  i would like to explain to you further the network
01:06 < kerx_> OPENVPN Server has  eth0 (external IP) and eth1 (internal range 192.168.1.0/24)
01:06 < endre> that's input not forward
01:06 < kerx_> tun0, has 10.20.01, and I push route 192.168.1.0/24 to the openvpn client's
01:06 < kerx_> however, the client once connected it has ip 10.20.0.x and can't access anything on 192.168.0.x
01:07 < kerx_> you mean setup forwarding for tun0 ?
01:07 < kerx_> $ipt -A FORWARD -i tun0 -j ACCEPT ?
01:07 < endre> yeah, like that
01:07 < kerx_> that doesn't work still
01:07 < kerx_> the client can't ping 192.168.1.0/24
01:07 < endre> that's a whole subnet of course it cannot ping that
01:08 < kerx_> well, i try pinging an IP on that subnet that is pingable, such as 192.168.1.210 or even the gw 192.168.1.1
01:08 < kerx_> i see in the openvpn log that it's pushing the route to the client of 192.168.1.0 255.255.255.0
01:08 < kerx_> it was working before, not sure what just happened
01:09 -!- hyper_ch [n=hyper@143-200.2-85.cust.bluewin.ch] has joined ##openvpn
01:09 < kerx_> does the windows machine need to have a route setup manually?
01:13 < kerx_> wow, weird, i can't even ping the tun0 IP address of the server from the client
01:14 < kerx_> any help is appreciated
01:15 -!- kerx [n=kerx@38.118.193.18] has quit [Read error: 110 (Connection timed out)]
01:15 < endre> dump and dump and dump to see what's goin where
01:17 < kerx_> I see!
01:17 < kerx_> From the client in the log's I see the following:
01:17 < kerx_> TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
01:17 < kerx_> route ADD 192.168.1.0 MASK 255.255.255.0 10.20.0.9
01:18 < endre> 0.9??
01:18 < kerx_> ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct.  [if_index=29]
01:18 < endre> you told me your server is at 0.1
01:18 < kerx_> tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
01:18 < kerx_>           inet addr:10.20.0.1  P-t-P:10.20.0.2  Mask:255.255.255.255
01:18 < kerx_> that's on the openvpn server
01:18 < endre> ah i see, windows..... that explains
01:18 < kerx_> 10.20.0.10 is the ipv4 address on the windows box
01:18 < endre> it can handle /30's only properly
01:18 < endre> ok, nvm
01:19 < endre> that sould world btw
01:19 < endre> s/world/work/
01:19 < kerx_> hrm, why is that failing?
01:19 < endre> apply that command by hand
01:19 < endre> on a cmdline
01:20 < kerx_> it says OK!
01:20 < kerx_> but i still can't ping 192.168.1.1
01:20 < kerx_> it says
01:20 < kerx_> Reply from 10.20.0.10: Destination host unreachable.
01:20 < kerx_> This used to work :-(
01:20 < kerx_> Not sure what's going on
01:22 < kerx_> OMG
01:22 < kerx_> it works on Windows XP machine
01:22 < endre> can you ping the 10.20.0.9 now?
01:22 < endre> lol wtf
01:22 < kerx_> This machine not working is Windows Vista
01:22 < kerx_> how can this be?
01:22 < endre> i dont have experience with vista at all
01:22 < kerx_> The OpenVPN Gui doesn't work w/ Vista?
01:22 < endre> try some recent versions
01:25 < kerx_> k, i just saw something online about it
01:25 < kerx_> Thank goodness I noticed on XP it works
01:25 < kerx_> otherwise my brain will go crazy :P
01:32 -!- kerx_ [n=kerx@38.118.193.18] has quit ["Leaving"]
02:06 -!- aia [n=aia@64-135-203-23.FoxValley.net] has joined ##openvpn
02:17 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
02:18 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:20 -!- LittleJ [n=linuz@82.78.185.26] has joined ##openvpn
02:26 -!- jmm [n=jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
02:26 < jmm> hello.
02:37 -!- Diffen [n=diffen@c-3672e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
02:40 -!- savenger_ [n=savenger@p5792EF11.dip.t-dialin.net] has quit ["leaving"]
02:49 -!- Diffen [n=diffen@c-3672e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit ["This computer has gone to sleep"]
02:56 -!- pa [n=pa@unaffiliated/pa] has quit ["Sto andando via"]
03:01 -!- Sky[x] [n=SkyB0x@212.235.186.230] has joined ##openvpn
03:03 -!- salax_ [n=salax@219.95.96.90] has joined ##openvpn
03:03 -!- salax_ [n=salax@219.95.96.90] has quit [Client Quit]
03:07 -!- master_o1_master [n=master_o@p57B570A3.dip.t-dialin.net] has joined ##openvpn
03:18 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote closed the connection]
03:18 -!- master_of_master [i=master_o@p57B55916.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
03:35 -!- lolipop [n=soontak@209.247.95.219.cbj02-home.tm.net.my] has joined ##openvpn
03:41 -!- Diffen [n=diffen@226.234.241.83.in-addr.dgcsystems.net] has joined ##openvpn
03:44 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
03:52 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has quit []
04:02 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
04:10 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Excess Flood]
04:10 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
04:11 -!- d12fk [n=heiko@vpn.astaro.de] has joined ##openvpn
04:15 -!- kyrix [n=ashley@chello213047159139.33.11.univie.teleweb.at] has joined ##openvpn
04:37 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
04:44 -!- yoshx [n=yoshx@93.9.150.199] has joined ##openvpn
04:50 -!- Diffen [n=diffen@226.234.241.83.in-addr.dgcsystems.net] has quit ["This computer has gone to sleep"]
04:50 -!- Diffen [n=diffen@226.234.241.83.in-addr.dgcsystems.net] has joined ##openvpn
04:52 -!- salax [n=ubuntu@219.95.96.90] has quit ["Leaving"]
04:55 -!- lolipop [n=soontak@209.247.95.219.cbj02-home.tm.net.my] has quit ["Leaving"]
05:06 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
05:14 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
05:21 -!- zib [i=zib@slick.keff.org] has quit [Read error: 110 (Connection timed out)]
05:22 -!- dazo_afk is now known as dazo
05:27 -!- pfo_ [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
05:27 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit [Read error: 54 (Connection reset by peer)]
05:28 -!- pfo_ is now known as pfo
05:41 -!- Sky[x] [n=SkyB0x@212.235.186.230] has quit []
06:00 -!- kyrix [n=ashley@chello213047159139.33.11.univie.teleweb.at] has quit ["Leaving"]
06:16 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)]
06:25 -!- hyper_ch [n=hyper@143-200.2-85.cust.bluewin.ch] has quit [Read error: 60 (Operation timed out)]
06:27 -!- hyper_ch [n=hyper@81.62.30.120] has joined ##openvpn
06:28 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:56 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
06:56 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:59 -!- pfo_ [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
06:59 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit [Read error: 54 (Connection reset by peer)]
06:59 -!- pfo_ is now known as pfo
07:23 -!- pfo_ [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
07:23 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit [Read error: 54 (Connection reset by peer)]
07:23 -!- pfo_ is now known as pfo
07:43 -!- yoshx [n=yoshx@93.9.150.199] has quit [Remote closed the connection]
07:44 -!- yoshx [n=yoshx@93.9.150.199] has joined ##openvpn
07:45 -!- pfo_ [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
07:45 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit [Read error: 54 (Connection reset by peer)]
07:45 -!- pfo_ is now known as pfo
07:47 < ecrist> good morning
07:47 -!- Irssi: ##openvpn: Total of 95 nicks [0 ops, 0 halfops, 0 voices, 95 normal]
07:48 < havoc> morning
07:51 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit [Read error: 54 (Connection reset by peer)]
07:52 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
07:53 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:55 -!- pfo_ [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
07:56 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit [Read error: 54 (Connection reset by peer)]
07:56 -!- pfo_ is now known as pfo
08:08 < havoc> maybe I'll get around to putting ovpn on win2k8 tiday
08:08 < havoc> today
08:08 < havoc> may have to disable the sign-driver protection though, not sure yet
08:42 -!- pfo_ [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
08:42 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit [Read error: 104 (Connection reset by peer)]
08:42 -!- pfo_ is now known as pfo
08:49 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit [Read error: 104 (Connection reset by peer)]
08:49 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
08:54 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit []
09:06 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:15 -!- Diffen [n=diffen@226.234.241.83.in-addr.dgcsystems.net] has quit ["This computer has gone to sleep"]
09:24 -!- Diddi [i=diddi@zenit.bsnet.se] has quit [Remote closed the connection]
09:26 -!- rajin [n=_@port-94030.pppoe.wtnet.de] has joined ##openvpn
09:52 -!- Kasx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
09:52 -!- cityLights [n=cityLigh@bzq-84-111-46-151.red.bezeqint.net] has joined ##openvpn
09:52 < cityLights> hi can I get some help with bridging
09:52 < cityLights> ?
09:54 < ecrist> sure can.  don't know what kind of help you want, though, you haven't asked anything
09:55 < cityLights> ok
09:55 < cityLights> I got two LANs in two sites
09:56 < cityLights> the gateway of the first LAN (subnet) also runs a openvpn server
09:56 < cityLights> the second LAN has a gateway to the internet which runs a openvpn client
09:57 < cityLights> so the second pc connects to the first server
09:57 < ecrist> sounds reasonable
09:57 < cityLights> now, I had it all working in layer3 dev tun
09:58 < cityLights> I want to connect them using layer 2 to allow avahi (zero-config)
09:58 < cityLights> so I changed the config to "dev tap"
09:59 < cityLights> they connect but I dont understand how to do that bridging magic
09:59 < havoc> what OS?
09:59 < cityLights> gentoo linux
09:59 < havoc> as bridging involves some OS-dependent steps
09:59 < cityLights> in both pcs, I installed the relevent tools and kernel modules
10:00 < havoc> so you have br0 on both ends?
10:00 < cityLights> and indeed I setup br0 and tap0
10:00 < havoc> and the local taps are bridged?
10:00 < cityLights> yes I do have br0 on both ends
10:00 < havoc> so say tap0 + eth0 = br0?
10:00 < ecrist> is tap0 'up' on both boxes?
10:00 < cityLights> brctl show
10:00 < cityLights> bridge name	bridge id		STP enabled	interfaces
10:00 < cityLights> br0		8000.00d0b79ef738	no		eth1
10:00 < cityLights> 							tap0
10:01 < ecrist> ifconfig br0
10:01 < ecrist> ifconfig tap0
10:01 < ecrist> from both hosts, please
10:02 < ecrist> I only care about line 1
10:03 < cityLights> server:br0       Link encap:Ethernet  HWaddr 00:d0:b7:9e:f7:38     tap0      Link encap:Ethernet  HWaddr 42:02:94:ba:31:c7
10:03 < ecrist> is linux output that different?
10:04 < ecrist> can you pastebin the entire output from both?
10:04 < cityLights> min
10:05 < cityLights> my question is: should I add the line server-bridge 192.168.14.1 255.255.255.0 192.168.14.82 192.168.14.94 ?
10:05 < ecrist> if you want openvpn to hand the ips to the vpn server, yes
10:06 < cityLights> when I do that the tap0 devices get an IP address, but I understand that if I bridge them to the LAN ethernet card and give them a static IP - they should get an IP right?
10:07 < ecrist> that line doesn't make sense to me
10:08 -!- martexx [n=martexx@92.69.4.167] has joined ##openvpn
10:08 < cityLights> ok let me show you then
10:08 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 110 (Connection timed out)]
10:08 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
10:09 < martexx> HI there, i have a question about routing. I have a voip server in working order and it also servers as a openvpn server
10:10 < martexx> everything is working ok, but i need to know if it is possible that i put some rules in my home router so that a desktop ip phone can register to this server. local phone --> local pc ---> openvpn
10:11 < martexx> local pc is 172.19.3.2 phone is 172.19.3.3 and server is 10.8.0.1
10:12 < martexx> i dont mind to keep the pc on power
10:12 < ecrist> yes, but it involves connection sharing on your desktop/client PC and running a DHCP server available via the VPN
10:12 < cityLights> ecrist: min pls
10:13 < martexx> mmm i tried connection sharing and i lost internet but thats proberply dns then
10:13 < martexx> but i dont want other machines to connect to the internet via the vpn, only the phone
10:14 < ecrist> not sure what that has to do with this.
10:14 < ecrist> the phone should plug directly into your PC
10:14 < martexx> no it plugs in my router
10:14 < ecrist> PC should have internet connection sharing enabled
10:14 < ecrist> martexx: then no, it's going to be more difficult than that
10:15 < martexx> this i understand .. to create a route to the vpn
10:15 < ecrist> assign a static VPN ip to your phone, and set it's default route to your PC's VPN address
10:15 < martexx> is it not possible to create routing rules or something in the router telling that traffic to 10.8.0.1 goes tru the pc\
10:15 < martexx> aha
10:16 < martexx> and my pc will know what to do?
10:16 < martexx> or will the vpn just be available
10:16 < ecrist> you'll need a bridged vpn, and bridge tap with your lan address
10:16 < martexx> mmm i using routing now :(
10:17 < ecrist> this is really beyond teh scope of this channel
10:17 < martexx> actualy im not shure if i do, i have a tun device. oh ok i did not know what the scope was, but thanks for your advice
10:18 < havoc> FYI, bridging on windows: http://www.pavelec.net/adam/openvpn/bridge/
10:18 < vpnHelper> Title: OpenVPN Bridging with Windows HOWTO (at www.pavelec.net)
10:18 < martexx> hey im gonna take a look at that, thanks
10:19 -!- pfo_ [n=pfo@pseudoterminal.org] has joined ##openvpn
10:21 < martexx> to havoc: so i tried this before and lost my internet connection, do i need to give my pc and phone a static ip on my router or on openvpn server? I only want to conect to the server secure, other traffic can go via my home wan
10:23 < martexx> as i see it openvpn will do dns in this setup and its proberply setup so that all traffic goed to openvpn server :(
10:23 < martexx> dns is dhcp
10:23 < havoc> openvpn does not do dns
10:23 < havoc> it can push ips of dns servers though
10:24 < martexx> i will give this a trie when im home, working remote now so it wont wordk :) Thank you!!
10:25 < havoc> hmm, ok
10:25 < martexx> Too bad i cant tell my router that traffic for 10.8.0.1 needs to go to my pc
10:25 < havoc> I was reading back trying to figure out want the goal was
10:25 < martexx> Im soorry but if i try now i lose the connection, tried this before
10:26 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit [Read error: 110 (Connection timed out)]
10:26 -!- pfo_ is now known as pfo
10:26 < havoc> what kind of router is it?
10:26 < martexx> i want my desktop ip phone wich is connected to my router at home to register on the openvpn server
10:26 < martexx> its a allied data p2p1212
10:27 < martexx> or something like that, it has the option to add routes
10:27 < martexx> and i can use an different one if needed like a linksys bef or fritzbox
10:27 < havoc> then yes, you should be able to add either a host, or subnet route to it that uses your pc as the gateway
10:27 < havoc> but then the phone also need to use the router as the default gatewat
10:28 < havoc> and the routers needs an interface to the foreign subnet
10:28 < havoc> router
10:28 < martexx> it does now as its connected to the router and get an ip from it. TThe sip account registers to 10.8.1.0
10:28 < martexx> an interface?
10:29 < havoc> but the router needs a path to 10.8.1.0
10:29 < martexx> i can add an interface to the router, i saw this option
10:29 < martexx> yes thats was the question
10:30 < cityLights> ecrist: http://dpaste.com/142571/
10:30 < havoc> see, the router can't "tell" the phone where to send packets, the phone is just sending them to the router
10:31 < martexx> so i ned to add a virtual interface on the same subnet on this router
10:31 < havoc> so once the router would have them it would be completely up to the router to get them to the right spot
10:31 < havoc> this means the router would need an interface on the 10.8.1.0 subnet
10:31 < martexx> and then make a route to the local pc wich will act as gateway
10:31 < havoc> correct
10:31 < ecrist> cityLights: ok, all the interfaces are UP, which is a good place to be. where is br0 on client?
10:31 < martexx> this last thing.. will the pc accept these kind of connections automaticly?
10:32 < cityLights> ecrist: I am afraid I killed sshd on the client now, and can no longer access it
10:32 < havoc> martexx: not necessarily
10:32 < martexx> i was thi nking to set up a small server at home for this but the problem will persist
10:32 < martexx> thats too bad :)
10:32 < havoc> martexx: the pc needs the interface esposed externally, and not firewalled
10:33 < havoc> martexx: and the pc must have a route to direct the packets once it recieves them the same as the routers
10:33 < havoc> router
10:33 < cityLights> ecrist: my question is: in a bridging senerio should the tap0 device on the client get an IP address from openvpn?
10:33 < martexx> maybe i will buy a phone wich supports openvpn, they already exist!!!!!!!well its a local network so i dont think that will be a problem
10:33 < ecrist> cityLights: it doesn't really need to
10:33 < ecrist> ethernet (bridging) is layer 2, IP is layer 3
10:34 < cityLights> haha so I can avoid the server-bridge line in the config
10:34 < havoc> martexx: routing is failry simple, once you understand what it does, and more importantly what it does NOT do
10:34 < ecrist> you *could* have an entire ethernet bridged vpn without a single IP assigned and be functional for compat protocols
10:34 < martexx> too bad i cant try it right now
10:34 < havoc> martexx: basically, at any point/hop along the way, there must be a route on that router to the intermediate/final destination
10:35 < martexx> Thank soo much for your thoughts on this, it has given me some insight and i will try it as soon as i am home next wek or so
10:35 < martexx> yes i see that now, thank you man (or woman)
10:35 < havoc> usually you have a net/host route to a foreign subnet through a specified gateway of which the router is a memeber of the same subnet
10:35 < cityLights> ecrist : when I have the server-bridge line , and the client tap0 gets an IP , I can ping it from the server using the client's br0 IP address
10:36 < havoc> martexx: good luck later :)
10:36 < cityLights> when I drop the server-bridge line I can;t
10:36 < martexx> setup virtual interface on router and then add route to pc, on pc add route to 10.8.0.0 or 10.8.0.1
10:37 < martexx> hey i can try this as it wont concern bridging the adapters
10:37 -!- hyper_ch [n=hyper@81.62.30.120] has quit [Remote closed the connection]
10:37 < martexx> coolc
10:38 < havoc> martexx: if 10.8.0.0 is the vpn network, then the router must have an iface in the same subnet as the PC
10:38 < martexx> so i ca do it remote
10:38 < havoc> it might not need to be in the 10.8.0.0 subnet
10:38 < ecrist> cityLights: I forget the option, but there's another option separate from server-bridge
10:39 < martexx> ? the router server the ihome network so has it not already a iface in this subnet off pc?
10:39 < havoc> martexx: add a host route on the router to 10.8.0.0 255.255.255.0 using 172.19.3.2 as gateway (assuming 172.19.3.2 is the PC, and that the router also has an iface in the 172.19.3.0 subnet)
10:39 < martexx> sorry for my english
10:40 < havoc> martexx: then you need a route on the PC to get to 10.8.0.0 from 172.19.3.0
10:40 < havoc> but that should be there already
10:40 < havoc> martexx: the PC also muct do IP forwarding
10:40 < martexx> ok ill try it, yes it should be there as i can acces the vpn server from this pc
10:40 < martexx> good tip, ill try it
10:41 < havoc> martexx: the IP forwarding thing is key
10:41 < havoc> martexx: nothing can "route" incoming traffic without it
10:41 < havoc> I believe there's an openvpn faq about it somewhere
10:42 < havoc> martexx: and your english is good enough to get the job done :)
10:43 < havoc> martexx: just remember that for routing to work you always need IP forwarding, and a rule that tells you 2 things: 1) where to go [subnet|host], and 2) how to get there [gateway]
10:46 -!- martexx480 [n=martexx@92.69.4.167] has joined ##openvpn
10:47 < martexx480> havoc: that was rude from me, got disconnected
10:47 < martexx480> now ill  give it a try but as this is a java app (irc) i cant stay connected as my laptop sucks
10:48 < martexx> thank you again and perhaps catch u later
10:49 -!- martexx [n=martexx@92.69.4.167] has quit ["http://irc2go.com/"]
10:49 < martexx480> seems i was not diconnected haha
10:50 < martexx480> just did not see the window, now im gone
10:50 -!- martexx480 [n=martexx@92.69.4.167] has quit [Client Quit]
10:50 < havoc> ok, good luck :)
10:50 < havoc> doh
10:50 -!- pfo [n=pfo@pseudoterminal.org] has quit []
10:52 -!- yoshx [n=yoshx@93.9.150.199] has quit [Read error: 110 (Connection timed out)]
11:04 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
11:04 -!- jmm [n=jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Read error: 113 (No route to host)]
11:04 -!- APTX|_ [n=APTX@chello089076052083.chello.pl] has joined ##openvpn
11:08 -!- aia [n=aia@64-135-203-23.FoxValley.net] has quit ["Bye"]
11:15 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit []
11:25 < cityLights> ecrist: what does that option do?  "but there's another option separate from server-bridge"
11:28 < krzee> !factoids
11:28 < vpnHelper> krzee: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
11:28 < krzee> !bridge-dhcp
11:28 < vpnHelper> krzee: "bridge-dhcp" is http://openvpn.net/faq.html#bridge-addressing for making clients grab dhcp ip over the bridge but not over-riding dhcp ip from local dhcp server
11:29 < cityLights> krzee: but then the tap0 in the client will get an IP address
11:30 < krzee> thats all i got for ya, i dont support bridge setups
11:30 < krzee> theres RARELY a real reason to use bridge
11:31 < cityLights> but the whole point of a bridge mode is to avoid giving the tap device an address, right?
11:31 < krzee> nope
11:31 < havoc> cityLights: krzee is *not* the guy you want to be talking to about briding/TAP ;)
11:31 < krzee> the whole point of bridge mode is to tunnel layer2 traffic
11:31 < krzee> and be in the same broadcast domain without a bcast relay
11:31 < cityLights> zero-config for example
11:31 < havoc> and you should have a damn good, and well understood, reason for bridging/using TAP
11:32 < krzee> havoc is right on both of those
11:32 < cityLights> issue is I am searching to learn about bridging
11:32 < havoc> *but*, if you have a good reason, and understand the implications, then sure, bridging and/or tap is ok
11:32 < cityLights> and I dont see a good source
11:33 < havoc> krzee: is ipsec layer2 or 3?
11:33 < havoc> as I understand it the main difference is that ipsec runs in kernel space, ssl (ovpn) runs in user space?
11:33 < cityLights> 2
11:33 < krzee> its its own layer3 protocol
11:34 < krzee> thats a huge difference
11:34 < cityLights> right
11:34 < krzee> and it tunnels layer3
11:34 < krzee> ip traffic
11:36 < krzee> cityLights, whats zeroconfig do for you?
11:36 < cityLights> ssh , samba,cups and pulse-audio
11:37 < krzee> why do you need zeroconfig for any of those?
11:38 < cityLights> so I can use these services regardless of where my portable is
11:38 < krzee> !wins
11:38 < vpnHelper> krzee: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
11:38 < krzee> !pushdns
11:38 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit
11:38 < krzee> can push wins option too
11:39 < krzee> ssh, i dont see how zeroconfig has ANYTHING to do with
11:39 < krzee> cups is an ip protocol
11:39 < havoc> personal choice should be enough of a reason
11:39 < krzee> (samba is too, but wins will get you netbios resolution)
11:39 < havoc> ...if the implications are understood, and accepted
11:39 < krzee> *shrug* i guess so, you think he understands the implications tho? most dont
11:39 < cityLights> well, I got started on this from pidgin bonjur implimintation
11:40 < havoc> krzee: not necessarily, but you're the one to tell him :)
11:40 < krzee> security and performance are the implications
11:40 -!- TheDavidFactor-H [n=chatzill@nc-71-0-16-133.dhcp.embarqhsd.net] has joined ##openvpn
11:40 < krzee> !tunortap
11:40 < havoc> !mitm
11:40 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
11:40 < vpnHelper> krzee: against you over the vpn
11:40 < vpnHelper> havoc: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
11:40 < cityLights> so I can "see" the other parties on the lan , without the need to connect to msn or google
11:40 < krzee> nah !mitm is for servercert
11:41 < havoc> cityLights: before going down this road, and possibly accepting the potential risks, you should understand the possible exploitations of layer2
11:41 < havoc> krzee: also layer2
11:41 < havoc> ...as opposed to layer3/TUN
11:41 < krzee> no, the factoid !mitm has nothing to do with layer2
11:41 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
11:41 < havoc> ah, I wasn't sure about the contents of the factoid
11:41 < havoc> doh
11:42 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
11:43 < havoc> krzee: wrong button?
11:43 < havoc> and I wasn't sure about the contents of the factoid
11:43 < krzee> forgot battery was low
11:43 < havoc> aCk!
11:43 < krzee> check out what ecrist did with the factoids
11:43 < krzee> !factoid
11:43 < vpnHelper> krzee: Error: "factoid" is not a valid command.
11:43 < krzee> !factoids
11:43 < vpnHelper> krzee: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
11:43 < havoc> yeah, I've seen him testing the past few days
11:44 < krzee> i had forgotten about so many of those
11:44 -!- Gilos [n=Gilos@kccsfw01.sec.sprint.net] has quit [Remote closed the connection]
11:44 < krzee> whoa i dont know if i ever saw this one
11:44 < krzee> !bonjour
11:44 < vpnHelper> krzee: "bonjour" is http://www.dslreports.com/forum/r18525512-Routing-Bonjour-How-to
11:45 -!- hyper_ch [n=hyper@adsl-89-217-25-187.adslplus.ch] has joined ##openvpn
11:45 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:46 < TheDavidFactor-H> Hey all, I'm trying to setup an openvpn client on Fedora Core 10, the server is pushing down "dhcp-option DNS x.x.x.x"; it works on windows machines, but I can't get it to work on my FC machine. Can anyone point me to the documentation that would address this?
11:49 < krzee> openvpn comes with a script for it
11:49 < krzee> to update the resolv.conf
11:50 < krzee> google also has quite a few of them
11:51 < TheDavidFactor-H> ok, thanks!
11:51 < krzee> update-resolv-conf
11:51 < krzee> np
11:51 < krzee> !learn pushdns as in unix you'll use the update-resolv-conf script
11:51 < vpnHelper> krzee: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
11:51 < krzee> do too
11:52 < krzee> !learn pushdns as in unix you'll use the update-resolv-conf script
11:52 < vpnHelper> krzee: Joo got it.
11:57 < krzee> !learn menu or type !factoids to see a complete list
11:57 < vpnHelper> krzee: (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
11:57 < krzee> !learn menu as or type !factoids to see a complete list
11:57 < vpnHelper> krzee: Joo got it.
12:02 -!- TheDavidFactor-H [n=chatzill@nc-71-0-16-133.dhcp.embarqhsd.net] has quit [Remote closed the connection]
12:07 -!- teddymills [n=teddy@208.92.235.227] has quit ["Ex-Chat"]
12:10 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has joined ##openvpn
12:12 -!- aia [n=aia@64-135-203-23.FoxValley.net] has joined ##openvpn
12:12 -!- aia [n=aia@64-135-203-23.FoxValley.net] has quit [Remote closed the connection]
12:12 -!- aia [n=aia@64-135-203-23.FoxValley.net] has joined ##openvpn
12:19 -!- aia [n=aia@64-135-203-23.FoxValley.net] has quit ["Bye"]
12:19 -!- theoretical [n=theoreti@64-135-203-23.FoxValley.net] has joined ##openvpn
12:25 -!- pfo_ [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
12:33 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has quit [Read error: 110 (Connection timed out)]
12:33 -!- pfo_ is now known as pfo
12:43 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
12:58 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
13:05 < vpnHelper> New forum entry openvpnforum: Wishlist :: Re: Statistics Offloading :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=10&t=2413&p=2803#p2803>
13:06 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:12 -!- Gnewt [n=hackerle@li57-94.members.linode.com] has joined ##openvpn
13:13 < Gnewt> Hey, I'm running Tunnelblick on a Mac, connecting to a server that pushes "dhcp-option DNS 10.8.0.1"
13:13 < Gnewt> er, along with some other dns servers after that
13:13 < Gnewt> queries for public domains resolve fine
13:13 < Gnewt> but things like fidelity.vpn are resolved with dig but ping and Finder don't recognize them
13:13 < Gnewt> help?
13:14 < krzee> !pushdns
13:14 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
13:14 < krzee> see #4
13:14 < krzee> actually i saw one that specificly supports osx
13:14 < krzee> 1sec
13:15 < Gnewt> resolvconf is being updated as far as I can tell. cat /etc/resolv.conf shows 10.8.0.1 as first on the nameserver list.
13:16 < krzee> hrm and if you do this it works?
13:16 < krzee> host fidelity.vpn 10.8.0.1
13:16 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
13:16 -!- flo|va-nu-pied [n=florent@unaffiliated/flovanupied/x-758957] has quit [Read error: 113 (No route to host)]
13:17 < Gnewt> yep that works
13:17 < Gnewt> it seems like the OS isn't recognizing the change in resolv.conf
13:18 < krzee> interesting
13:18 < krzee> ive never tried in osx but i know it does use resolv.conf
13:18 < krzee> checked in tcpip settings to see if its visable in there too?
13:19 < reiffert> OS X is special, got a changed resolverlib in libc.
13:19 < reiffert> nameservice per domain is possible
13:20 < reiffert> adding nameserves without touching resolv.conf is possible as well
13:20 < Gnewt> I can have them all go through 10.8.0.1, is that what I should do?
13:20 < Gnewt> DNS servers are listed in the system config
13:21 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:22 < Gnewt> haha, this is such a weird bug XD
13:22 < Gnewt> if I put 10.8.0.1 in the DNS server
13:22 < Gnewt> only 10.8.0.1
13:22 < Gnewt> resolving works EXCEPT when pinging somebody inside the VPN
13:22 < Gnewt> it resolves and then the VPN dies
13:25 < Gnewt> lunchtime, back in a bit
13:35 < vpnHelper> New forum entry openvpnforum: Wishlist :: Re: Statistics Offloading :: Reply by ecrist <http://www.ovpnforum.com/viewtopic.php?f=10&t=2413&p=2804#p2804>
13:43 -!- dazo is now known as dazo_afk
13:43 -!- cityLights [n=cityLigh@bzq-84-111-46-151.red.bezeqint.net] has quit [Remote closed the connection]
13:47 -!- Diffen [n=diffen@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
13:51 -!- Intensity [i=[lRD75M9@unaffiliated/intensity] has quit [Remote closed the connection]
13:58 -!- pfo_ [n=pfo@chello084114049188.14.vie.surfer.at] has joined ##openvpn
14:06 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Remote closed the connection]
14:15 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit [Read error: 110 (Connection timed out)]
14:15 -!- pfo_ is now known as pfo
14:17 -!- rajin [n=_@port-94030.pppoe.wtnet.de] has quit [" Want to be different? Try HydraIRC -> http://www.hydrairc.com <-"]
14:23 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has quit []
14:25 -!- andyjrobbins [n=ajrobbin@h70.251.190.173.static.ip.windstream.net] has joined ##openvpn
14:25 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has joined ##openvpn
14:33 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
14:38 -!- Diffen [n=diffen@78-82-118-208.tn.glocalnet.net] has quit ["This computer has gone to sleep"]
14:39 < andyjrobbins> Greetings. I'm setting up openvpn on CentOS 5 and I am running into an error when I ./build-ca
14:40 < andyjrobbins> It says: 8930:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 88
14:40 < andyjrobbins> But I'm not sure what the STR_COPY variable should be set to and Googling has not yet produced the answer to my problem - any ideas?
14:48 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit [Read error: 60 (Operation timed out)]
14:56 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has quit []
15:07 < andyjrobbins> Ok, line 88 of openssl.cnf had: default_bits = $ENV::KEY_SIZE
15:07 < andyjrobbins> I changed this to default_bits            = 1024 - and then it ran fine
15:23 < Matir> andyjrobbins, had you sourced the "vars" file into your environment?
15:43 -!- dwalluck [n=david@adsl-75-27-144-92.dsl.wlfrct.sbcglobal.net] has left ##openvpn []
16:10 < ecrist> easyrsa sucks
16:11 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit ["I am off"]
16:11 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
16:15 < reiffert> what for?
16:31 -!- Diffen [n=diffen@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
16:38 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
16:45 -!- g0tcha [n=VaiO@41.252.62.179] has joined ##openvpn
16:51 -!- andyjrobbins [n=ajrobbin@h70.251.190.173.static.ip.windstream.net] has quit []
17:47 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
17:47 -!- corretico__ [n=laguilar@201.201.46.106] has joined ##openvpn
17:47 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
17:48 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
17:48 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
17:48 -!- corretico__ [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
17:52 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)]
18:22 -!- Diffen [n=diffen@78-82-118-208.tn.glocalnet.net] has quit ["This computer has gone to sleep"]
18:22 -!- Diffen [n=diffen@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
18:30 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
18:36 < g0tcha> do i have to restart openvpn server everytime i create a new client certifacte?
18:37 < reiffert> no.
18:37 < g0tcha> thank you
18:53 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has joined ##openvpn
19:06 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has quit []
19:19 -!- Intensity [i=[iKhVexW@unaffiliated/intensity] has joined ##openvpn
19:27 -!- Diffen [n=diffen@78-82-118-208.tn.glocalnet.net] has quit ["This computer has gone to sleep"]
19:33 < Bushmills> http://eprint.iacr.org/2010/006  - 768 bit RSA keys to be considered crackable now
19:33 < vpnHelper> Title: Cryptology ePrint Archive: Report 2010/006 (at eprint.iacr.org)
19:36 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
19:39 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
19:39 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has left ##openvpn []
19:39 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
19:52 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit [Client Quit]
20:38 -!- jmm [n=jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
20:45 -!- nneul [n=nneul@mo-76-3-37-166.dhcp.embarqhsd.net] has joined ##openvpn
20:45 -!- nneul [n=nneul@mo-76-3-37-166.dhcp.embarqhsd.net] has quit [Client Quit]
21:17 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
21:30 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
21:34 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)]
22:08 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has quit ["Ctrl-C at console."]
22:08 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
22:09 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Client Quit]
22:10 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
22:21 -!- lclarkjr [n=wIRCer@173-132-88-153.pools.spcsdns.net] has joined ##openvpn
22:22 -!- lclarkjr [n=wIRCer@173-132-88-153.pools.spcsdns.net] has left ##openvpn []
22:25 -!- Kasx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 104 (Connection reset by peer)]
22:25 -!- Kasx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
22:25 -!- mode/##openvpn [+v Kasx] by ChanServ
22:33 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
22:34 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
22:38 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
22:38 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
23:04 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Read error: 104 (Connection reset by peer)]
23:05 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
23:19 -!- broerd [n=broerd@S0106001f3a41bc6a.gv.shawcable.net] has joined ##openvpn
23:38 -!- broerd [n=broerd@S0106001f3a41bc6a.gv.shawcable.net] has quit ["http://irc2go.com/"]
--- Day changed Sat Jan 09 2010
00:14 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
00:31 -!- Leila [i=d9dae562@gateway/web/freenode/x-iucockirqpvioumd] has joined ##openvpn
00:36 -!- Leila [i=d9dae562@gateway/web/freenode/x-iucockirqpvioumd] has left ##openvpn []
01:03 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
01:18 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
01:19 -!- mode/##openvpn [+o mattock] by ChanServ
02:57 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
03:07 -!- master_of_master [i=master_o@p57B54290.dip.t-dialin.net] has joined ##openvpn
03:16 -!- Intensity [i=[iKhVexW@unaffiliated/intensity] has quit [Excess Flood]
03:18 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Excess Flood]
03:18 -!- master_o1_master [n=master_o@p57B570A3.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
03:19 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
03:20 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:23 < krzee> ecrist, here?
03:24 < krzee> any interest of being CTO of a company in costa rica?
03:24 < krzee> personally im good where im at but i know you were looking to get outta the job you're at and i think youd do a good job out here
03:25 -!- Intensity [i=[bcjlWLN@unaffiliated/intensity] has joined ##openvpn
03:25 < krzee> let me know either way, i have people in mind if you say you arent interested
03:29 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
03:29 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
03:32 < reiffert> CTO in Costa Rica sounds interesting, what about working hours, vacation and salery?
03:33 < reiffert> How many slaves, how many employes in the company?
03:35 < krzee> reiffert, you actually interested or just curious?
03:36 < krzee> ild have no issue with recommending you if you are actually interested
03:36 < krzee> as to the questions, i cant answer them
03:37 < krzee> you wouldnt be working for or with me
03:37 < krzee> someone said something along the lines of 'damn too bad this guy is spoken for, we need a new cto'
03:37 < krzee> to which i responded that we should talk shop some
03:38 < krzee> found out what it is they require from one, and said i had some people i knew that fit their needs
03:38 < krzee> anything beyond that is none of my business since im just connecting 2 people
03:40 < krzee> company is large, not sure of the tech team's size
03:41 < krzee> and they know who i am, and respect my recommendation (they dont just know me from now)
03:48 < reiffert> More curious than interested, cant stop things here..
03:50 < reiffert> Maybe Bushmills .. said something that it's too cold outside atm
03:50 < krzee> gotchya
03:56 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit [Read error: 60 (Operation timed out)]
04:31 -!- Zordrak [n=jaz@87-194-141-163.bethere.co.uk] has quit [Read error: 60 (Operation timed out)]
04:33 -!- Zordrak [n=jaz@87-194-141-163.bethere.co.uk] has joined ##openvpn
04:42 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has joined ##openvpn
04:42 -!- Intensity [i=[bcjlWLN@unaffiliated/intensity] has quit [Excess Flood]
04:44 -!- Zordrak_ [n=jaz@87-194-141-163.bethere.co.uk] has joined ##openvpn
04:47 -!- Intensity [i=[1pUJy44@unaffiliated/intensity] has joined ##openvpn
04:50 -!- Zordrak__ [n=jaz@87-194-141-163.bethere.co.uk] has joined ##openvpn
04:50 -!- Zordrak_ [n=jaz@87-194-141-163.bethere.co.uk] has quit [Read error: 60 (Operation timed out)]
04:55 -!- pfo_ [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
04:56 -!- Zordrak [n=jaz@87-194-141-163.bethere.co.uk] has quit [Read error: 110 (Connection timed out)]
05:03 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has quit [Read error: 110 (Connection timed out)]
05:03 -!- pfo_ is now known as pfo
05:09 -!- pfo_ [n=pfo@chello084114049188.14.vie.surfer.at] has joined ##openvpn
05:29 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit [Read error: 110 (Connection timed out)]
05:34 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
05:39 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit [Client Quit]
05:44 -!- pfo_ [n=pfo@chello084114049188.14.vie.surfer.at] has quit [Read error: 110 (Connection timed out)]
05:59 -!- Diffen [n=diffen@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
06:03 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
06:07 -!- Diffen [n=diffen@78-82-118-208.tn.glocalnet.net] has quit ["This computer has gone to sleep"]
06:09 -!- Irssi: ##openvpn: Total of 91 nicks [0 ops, 0 halfops, 1 voices, 90 normal]
06:32 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit []
06:33 -!- int [n=quassel@wikia/int] has quit [Read error: 60 (Operation timed out)]
06:35 -!- int [n=quassel@int.matrixtelecom.net] has joined ##openvpn
06:55 -!- Diffen [n=diffen@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
07:11 -!- APTX|_ [n=APTX@chello089076052083.chello.pl] has quit [Read error: 104 (Connection reset by peer)]
07:23 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
07:45 -!- Diffen [n=diffen@78-82-118-208.tn.glocalnet.net] has quit ["This computer has gone to sleep"]
07:47 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
07:47 -!- mode/##openvpn [+o mattock] by ChanServ
07:48 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:50 -!- Student_of_AI_ [n=chatzill@195-241-32-69.ip.telfort.nl] has joined ##openvpn
07:51 < Student_of_AI_> hello, does open vpn work on windows?
07:52 < havoc> yes
07:52 < havoc> as both a server and client
07:55 < Student_of_AI_> is the client free?
07:57 < Student_of_AI_> I guess so, I registered freely.
07:58 < Student_of_AI_> I'm trying openvpn to acces my university vpn on my windows XP64 machine. My university is telling me to use Cisco VPN. But Cisco VPN does not support x64. I'm hoping that openvpn can replace Cisco VPN.
08:02 < ScriptFanix> nope
08:03 < ScriptFanix> it's not the same protocol
08:20 -!- g0tcha [n=VaiO@41.252.62.179] has quit []
08:33 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit []
08:49 -!- Student_of_AI_ [n=chatzill@195-241-32-69.ip.telfort.nl] has left ##openvpn []
09:31 -!- Intensity [i=[1pUJy44@unaffiliated/intensity] has quit [Excess Flood]
09:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:35 -!- Intensity [i=[n4t3vNi@unaffiliated/intensity] has joined ##openvpn
09:44 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:45 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
09:48 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
09:58 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
10:16 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"]
10:20 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
10:23 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit []
10:28 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
10:29 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit [Client Quit]
10:31 -!- t10000 [n=t10000@p54BD5709.dip.t-dialin.net] has joined ##openvpn
10:32 < t10000> Hi, I want to build an rpm without pkcs-helper support, how can I do this?
10:45 < reiffert> pkcs-helper support?
10:46 < reiffert> run the configure script.
10:46 < reiffert> thomas@mail:~/openvpn-2.1~rc11$ ./configure --help | grep pkcs --disable-pkcs11        Disable pkcs11 support
10:56 < t10000> reiffert: thanks
11:07 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit ["Leaving"]
11:18 -!- qvc [n=pexaa@zurich.perfect-privacy.com] has joined ##openvpn
11:18 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
11:19 < qvc> is the version included in the ubuntu repositories the latest version?
11:20 < reiffert> qvc: ask on #ubuntu.
11:20 < qvc> they wont know that
11:21 < rob0> Read /topic hee and compare?
11:21 < rob0> *here
11:22 < qvc> well I dont know what the crap their version means because it says "2.1~rc19-1ubuntu2"
11:22 < reiffert> 2.1 release candidate 19. 2nd build.
11:22 < rob0> rc19 is ... ys
11:23 < qvc> I dont know if that's the latest?
11:23 < rob0> We do. It is not.
11:24 < qvc> do you have to must register to download openvpn?
11:25 < qvc> !help
11:25 < vpnHelper> qvc: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
11:25 < rob0> huh? Register where? No.
11:25 -!- s0undt3ch [n=s0undt3c@80.69.34.147] has left ##openvpn []
11:27 < qvc> i cant find where to download the client, only the sever
11:27 < qvc> server
11:28 < rob0> the client IS the server, there is only one package, one binary.
11:28 < qvc> http://openvpn.net/index.php/access-server/download-openvpn-as.html <<<<<<<<watch what happens when you click on one
11:28 < vpnHelper> Title: Access Server Downloads (at openvpn.net)
11:29 < rob0> !access
11:29 < vpnHelper> rob0: Error: "access" is not a valid command.
11:30 -!- Briareos1 [n=B@13-98-136-94.static.net4you.net] has joined ##openvpn
11:30 < Briareos1> which group does a user have to belong to for initiating an openvpn tunnel?
11:30 < Briareos1> Cannot allocate TUN/TAP dev dynamically
11:31 < qvc> rob0: ?
11:31 < rob0> OpenVPN-AS is a commercial product which uses the open source openvpn project.
11:32 < rob0> This channel is about the open source project.
11:33 < qvc> rob0: could you direct me to the open source download please?
11:33 < qvc> I can't' find it
11:33 < rob0> !download
11:33 < vpnHelper> rob0: "download" is www.openvpn.net/download to download openvpn
11:34 < rob0> If that's wrong, I don't know.
11:36 < Briareos1> direct: http://www.openvpn.net/index.php/open-source/downloads.html
11:36 < vpnHelper> Title: Downloads (at www.openvpn.net)
11:37 < Briareos1> anyone knows how to set up networkmanager (ubuntu) to allow a non-root user for a openvpn connection?
11:38 < hyper_ch> what about a sudo user?
11:38 < hyper_ch> I think openvpn needs root right
11:39 < rob0> yes, routing table changes require root privilege
11:40 < hyper_ch> an option would be a cron root that runs like every minute
11:40 < hyper_ch> and check for a given file if new instructions are in there
11:40 < hyper_ch> that file could be set by any user then
11:40 < hyper_ch> but that sounds dangerous to do
11:40 < rob0> and ugly
11:40 < hyper_ch> but it might work
11:41 < rob0> Maybe the Debian/Ubuntu package maintainers have documented how they work.
11:52 -!- t10000_ [n=t10000@84.189.44.175] has joined ##openvpn
11:55 < Briareos1> haven't found something yet, rob0
11:55 < Briareos1> it's kinda strange that there's a gui for openvpn that's apparently not working (without root-privs)
11:56 < krzee> [11:33]  <vpnHelper> rob0: "download" is www.openvpn.net/download to download openvpn
11:56 < krzee> [11:34]  <rob0> If that's wrong, I don't know.
11:56 < krzee> [11:36]  <Briareos1> direct: http://www.openvpn.net/index.php/open-source/downloads.html
11:56 < vpnHelper> Title: Downloads (at www.openvpn.net)
11:56 < krzee> both are right
11:56 < krzee> first link forwards to second
11:56 < Briareos1> yep
11:58 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit ["I am off"]
12:07 < qvc> rob0, Briareos1 : how do you upgrade if you have an older version of openvpn already on your box?
12:08 -!- t10000 [n=t10000@p54BD5709.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
12:11 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 54 (Connection reset by peer)]
12:21 < Briareos1> restarting networkmanager solved the problem
12:22 < krzee> !netman
12:22 < vpnHelper> krzee: "netman" is if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from an openvpn expert on the mail list
12:27 -!- Tattooman919 [n=Tattooma@89.100.125.48] has joined ##openvpn
12:28 -!- Tattooman919 [n=Tattooma@89.100.125.48] has quit [Client Quit]
12:28 < qvc> is it important to check the gnupg signature?
12:28 -!- Tattooman189 [n=Tattooma@89.100.125.48] has joined ##openvpn
12:28 < Tattooman189> hello people
12:28 < Tattooman189> anyone here?
12:29 < qvc> just my cat paul
12:29 < krzee> qvc, personal decision, you know why it exists right?
12:29 < qvc> krzee: not entirely
12:29 < Tattooman189> anyone able help me regarding open vpn routes to sbs 2003 via ipcop
12:29 < krzee> Tattooman189, huh?
12:30 < krzee> qvc, verify integrity of the package
12:30 < Tattooman189> i have weird setup router and sbs 2003 wit 2 nics
12:30 < qvc> i thought it was to make sure someone on a router along the way didn't slip a backdoor into it
12:30 < Tattooman189> so i seted up ipcop on the middle
12:30 < krzee> whats sbs 2003
12:30 < Tattooman189> small business server
12:31 < krzee> windows?
12:31 < Tattooman189> yes
12:31 < qvc> or didnt swap the package for one with a back door in it
12:31 < qvc> or a virus
12:31 < krzee> ok[12:30]  <qvc> i thought it was to make sure someone on a router along the way didn't slip a backdoor into it
12:31 < krzee> wouldnt that be ruining the integrity of the package...?
12:31 < krzee> heh
12:31 < krzee> you thought correct
12:32 < Tattooman189> i can see dmz ip range but cannot see local range after dmz
12:32 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
12:33 < krzee> but the machine you are connecting to can see the local range?
12:33 < Tattooman189> yes
12:33 < Tattooman189> example 192.168.0
12:34 < krzee> !route
12:34 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:34 < krzee> read that already?
12:34 < Tattooman189> is dmz range and 192.168.16 is second range
12:34 -!- Tattooman189 [n=Tattooma@89.100.125.48] has quit ["Leaving"]
12:34 < krzee> the machine in the dmz is client or server?
12:34 < krzee> lol ok
12:35 -!- Tattooman189931 [n=Tattooma@89.100.125.48] has joined ##openvpn
12:35 -!- Tattooman189931 [n=Tattooma@89.100.125.48] has quit [Client Quit]
12:35 -!- Tattooman189 [n=Tattooma@89.100.125.48] has joined ##openvpn
12:36 < Tattooman189> sorry popup bloker kicked in
12:36 < Tattooman189> ! route
12:36 < vpnHelper> Tattooman189: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:36 -!- Tattooman189 [n=Tattooma@89.100.125.48] has quit [Client Quit]
12:37 -!- Tattooman189 [n=Tattooma@89.100.125.48] has joined ##openvpn
12:37 < Tattooman189> ! route
12:37 < vpnHelper> Tattooman189: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:41 -!- t10000_ [n=t10000@84.189.44.175] has quit [Read error: 110 (Connection timed out)]
12:45 < qvc> what if you skim milk it
12:48 < qvc> krzee: could you help me learn how to check gnupg signatures?
12:48 < krzee> wow that was the worst oun i may have ever learned
12:49 < krzee> !google check gnupg
12:49 < vpnHelper> krzee: Integrity Check - GnuPG.org: <http://www.gnupg.org/download/integrity_check.en.html>; [Announce] GnuPG 2.0.14 released: <http://lists.gnupg.org/pipermail/gnupg-announce/2009q4/000296.html>; Issue 1176: 'make check' fails for gnupg-2.0.14 - g10 Code's BTS: <https://bugs.g10code.com/gnupg/issue1176>
12:49 < rob0> Then you'd have less than 1/2% milkfat. Some folks like skim milk, others don't. 2% or whole definitely has the creamy "feel" and taste, but sometimes I like skim better.
12:49 < rob0> "man gpg" would be a good start on that.
12:53 < qvc> man gpg is too hard :(
12:54 < hyper_ch> qvc: not running a desktop?
12:54 < qvc> hyper_ch: what?
12:55 < hyper_ch> qvc: why do you try to check gpg signatures from the cli?
12:55 < qvc> cli=terminal?
12:56 < qvc> hyper_ch: cli = terminal?
12:56 < hyper_ch> yes
12:56 < rob0> It might be as simple as "gpg filename.sig"
12:56 < rob0> In Ubuntu, I bet it is that simple
12:57 < qvc> hyper_ch: well what should I do?
12:57 < rob0> assuming the sig and the signed file are in the current directory.
12:57 < hyper_ch> qvc: I don't even know what you try to do
12:58 < qvc> rob0: what's a signed file?
12:58 < Tattooman189> anyone herw willing to help me ?
12:58 < qvc> hyper_ch: im trying to check the integrity of a openvpn tarball
12:58 < Tattooman189> i have strange setup i need som information
12:59 < rob0> yikes. Why are you bothering if you don't even know that much about it?
13:01 -!- hyper_ch [n=hyper@adsl-89-217-25-187.adslplus.ch] has quit [Read error: 104 (Connection reset by peer)]
13:03 < qvc> rob0: why cant you just answer my question then I will know much about it
13:04 < rob0> I did. I'm not going to try to explain every little bit of it.
13:05 -!- Tattooman189 [n=Tattooma@89.100.125.48] has quit ["Leaving"]
13:17 -!- hyper_ch [n=hyper@84.226.239.178] has joined ##openvpn
13:19 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
13:21 < qvc> rob0: no you didn't. show me you did?
13:42 -!- correcaminos [n=laguilar@201.201.46.106] has joined ##openvpn
13:42 -!- Briareos1 [n=B@13-98-136-94.static.net4you.net] has quit [Read error: 113 (No route to host)]
13:58 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"]
14:12 -!- eyeoh [i=eyeoh@just.download.some.addons.org.ru] has joined ##openvpn
14:12 < eyeoh> !welcome
14:12 < vpnHelper> eyeoh: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:13 < eyeoh> !wiki
14:13 < vpnHelper> eyeoh: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
14:14 < eyeoh> !interface
14:14 < vpnHelper> eyeoh: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
14:14 < eyeoh> !howto
14:14 < vpnHelper> eyeoh: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:17 < eyeoh> hmm
14:17 < qvc> is not having the latest version a security concern?
14:22 < eyeoh> hehe, im scared to ask questions :p
14:22 < eyeoh> i want to use tap, but the server is set to tun
14:22 < eyeoh> reading up on the howto's im not sure if it can work still
14:23 < eyeoh> and my attempts to make it work have failed :(
14:35 < rob0> Why do you want tap?
14:35 < rob0> qvc, not likely.
14:38 < eyeoh> i was told to use it
14:38 < eyeoh> but its possible to use tun and only route traffic to/from certain ports?
14:39 < eyeoh> and all traffic goes through to the internet as normal
14:39 < rob0> !tap
14:40 < vpnHelper> rob0: "tap" is "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything
14:40 < vpnHelper> rob0: where the protocol uses MAC addresses instead of IP addresses.
14:40 < rob0> see #3
14:40 < eyeoh> so tun can work if i get my routing right
14:40 < eyeoh> thats probably why i was told to use it
14:40 < rob0> Because the person who told you doesn't understand routing? :)
14:41 < eyeoh> !routing
14:41 < vpnHelper> eyeoh: Error: "routing" is not a valid command.
14:41 < eyeoh> hehe, probably :D
14:41 < eyeoh> can you recomned a good article on ip routing?
14:41 < rob0> !route
14:41 < eyeoh> i think i tried a bit
14:41 < vpnHelper> rob0: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:42 < eyeoh> hehe, I like this bot :)
14:42  * eyeoh skims
14:42 < rob0> :)
14:43 < eyeoh> hmm, I might run in to trouble though; I don't have access to the server config
14:43 < rob0> I learned about routing not so much by reading as by doing, and openvpn is a wonderful toy to teach you this stuff.
14:43 < rob0> ah
14:44 < eyeoh> i like learning curves
14:49 < eyeoh> hmm
14:49 < eyeoh> by the looks of that, that is server side
14:50 < eyeoh> i think i need to split the traffic based on rules defined on the client?
14:53 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
15:11 -!- hyper_ch [n=hyper@84.226.239.178] has quit [Remote closed the connection]
15:23 < qvc> rob0: define "not likely" please
15:26 < rob0> The only exploitable issues in openvpn that I am aware of would be addressed by fixing openssl. If you're using a distro like Ubuntu, they are taking good care of you. Just stay with their packages and their recommended updates, and you will be fine.
15:27 < rob0> BTW I also saw this which might be of interest to you:
15:27 < rob0> !tell qvc ubuntu
15:27 < rob0> !ubuntu
15:27 < vpnHelper> rob0: "ubuntu" is dont use network manager!
15:28 < rob0> I have no idea if that is accurate or not, or what it is supposed to mean in real terms.
15:29 < qvc> um, don't use network manager?
15:29 < qvc> why not?
15:30 < qvc> !why
15:30 < vpnHelper> qvc: Error: "why" is not a valid command.
15:32 < qvc> !why dont use network manager
15:32 < vpnHelper> qvc: Error: "why" is not a valid command.
15:35 < krzee> !netman
15:35 < vpnHelper> krzee: "netman" is if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from an openvpn expert on the mail list
15:35 < krzee> see that post for your answer
15:37 -!- hyper_ch [n=hyper@84.226.239.178] has joined ##openvpn
15:37 < |Mike|> oi.
15:41 < qvc> oh im not
15:41 < qvc> i just use it to manage my connection
15:41 < qvc> not my vpn
15:49 < ecrist> qvc: network manager is broken
15:50 < qvc> ecrist: what do you mean/
15:51 < ecrist> did you read the mailing list entry?
15:57 < qvc> ecrist: no, im not subscribed
15:57 < ecrist> http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html
15:57 < vpnHelper> Title: Re: [Openvpn-users] Importing an OpenVPN configuration file in Network Manager (at openvpn.net)
15:58 < |Mike|> you don't need t obe subcribed lol
16:01 -!- correcaminos [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)]
16:03 < rob0> 403 You Must Be Subscribed Sucka.
16:04 < rob0> Anyway, that didn't say anything specific, Just that Jan doesn't like it.
16:04 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [SendQ exceeded]
16:05 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
16:06 -!- spiekey [n=mario@projekte.imos.net] has joined ##openvpn
16:06 < krzee> and Jan doesnt like it for the same reason we dont
16:06 < spiekey> Hello!
16:07 < spiekey> what are the files 01.pem, 02.pem, etc... good for?
16:07 < krzee> feal free to use it, but dont ask for help regarding it or we'll be saying "dont use it"
16:07 < krzee> spiekey, making a CRL
16:07 < krzee> (iirc)
16:07 < spiekey> CRL?
16:07 < krzee> !crl
16:07 < vpnHelper> krzee: "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn)
16:07 < vpnHelper> krzee: that will create the CRL file for you. ssl-admin will also build a crl for you
16:08 < spiekey> thanks
16:08 < krzee> yw
16:10 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:12 < rob0> krzee, I have no interest in such a thing, it was qvc who mentioned it earlier. I just happened to come across the !ubuntu factoid.
16:12 < krzee> =]
16:12  * rob0 uses ip(8) and iwconfig(8) and the like
16:13 < krzee> oh !ubuntu is just regarding openvpn
16:13 < krzee> same with !netman
16:24 -!- Diffen [n=diffen@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
16:26 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
16:28 -!- eyeoh [i=eyeoh@just.download.some.addons.org.ru] has quit ["Lost terminal"]
16:44 < Diffen> evning
16:46 < Diffen> i cant get this right regarding the damn route. i guess i might have done something that im not supposed to do. the openvpn server works fine. here are the routing table and so on if someone wants to take a quick look :)  http://pastebin.com/d492a4452
16:48 < krzee> you're trying to default route over the vpn?
16:49 < Diffen> krzee i guess so :) i just want to send all traffic through the tunnel
16:49 < krzee> !redirect
16:49 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
16:49 < krzee> server is what OS?
16:49 < Diffen> ubuntu server, latest version
16:49 < Diffen> hmmm
16:50 < krzee> !linnat
16:50 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
16:50 < krzee> !linipforward
16:50 < vpnHelper> krzee: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
16:50 < krzee> !def1
16:50 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
16:50 < krzee> =]
16:50 < Diffen> push "redirect-gateway def1"
16:50 < Diffen> i have that in my server.conf
16:50 < krzee> and you are NAT'ing the vpn subnet in the server?
16:50 < krzee> and ip forwarding is enabled on the server?
16:51 < Diffen> krzee how do i know if its on?
16:51 < Diffen> sorry but im not a linux expert :(
16:51 -!- eyeoh [n=io@lotsofinfo.mine.nu] has joined ##openvpn
16:51 < eyeoh> sorry, i timed out :(
16:51 < eyeoh> did anyone reply to what i said :D
16:52 < krzee> bbl
16:52 < krzee> Diffen, if you read everything my bot told you you should be able to find the rest on google
16:52 < krzee> my bot gave you exact commands, hehe
16:52 < Diffen> krzee im on it. thanks for the tip :D
16:53 < eyeoh> is it possible to only route specific traffic through tun0/vpn based on the port?
16:54 < |Mike|> sure eyeoh
16:55 < eyeoh> because at the moment it takes over the entire connection, which is nay good :(
16:55 < eyeoh> could i be pushed in the right direction please :D
16:55 < eyeoh> im thinking its routing
16:56 -!- elexis39 [n=elexis39@173-30-169-170.client.mchsi.com] has joined ##openvpn
16:59 < elexis39> Hi.
17:00 < Diffen> !!linnat
17:00 < vpnHelper> Diffen: Error: "!linnat" is not a valid command.
17:00 < Diffen> !linnat
17:00 < vpnHelper> Diffen: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
17:00 < elexis39> wow
17:01 < elexis39> that was actually my question
17:02 < Diffen> :)
17:02 < Diffen> mine too
17:02 < krzee> lol
17:02 < Diffen> now lets try the damn openvpn server :) brb
17:04 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
17:09 < krzee> !sample
17:09 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
17:09 -!- diffen_ [n=diffen@c-d372e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
17:09 < diffen_> :)
17:10 < diffen_> dont know if you got my last message but it works :) thanks krzee :)
17:10 < krzee> =]
17:10 < krzee> yw
17:10 < diffen_> :)
17:10 < diffen_> i have worked on this for 1,5 week :D
17:10 < diffen_> im really happy now
17:10 < diffen_> i feel like dancing :D
17:10 < krzee> ya the first setup often can take awhile if you dont enter it with a lot of network background
17:11 < krzee> im out for awhile, bbl =]
17:11 < diffen_> take car e:D
17:11 < diffen_> care
17:22 -!- Diffen [n=diffen@78-82-118-208.tn.glocalnet.net] has quit [Read error: 110 (Connection timed out)]
17:26 < eyeoh> brain melt :D
17:27 < rob0> Mmmm, with cheese, and it comes in a convenient microwave-safe bowl!
17:28 < rob0> I'm hungry now.
17:28  * rob0 nibbles on some finger sandwiches
17:29 -!- spiekey [n=mario@projekte.imos.net] has quit ["Ex-Chat"]
17:29 -!- dauergast [n=sag@f055002107.adsl.alicedsl.de] has joined ##openvpn
17:30 < eyeoh> i just had lovely cheese cake
17:30 -!- rajin [n=_@port-9202.pppoe.wtnet.de] has joined ##openvpn
17:30 -!- rajin [n=_@port-9202.pppoe.wtnet.de] has quit [Remote closed the connection]
17:34 < eyeoh> hmm, so i need to use iptables and prerouting
17:35 -!- Diffen [n=diffen@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
17:35 < |Mike|> cupcakes ftw.
17:37 < eyeoh> hehe, space ones? :D
17:40 -!- diffen_ [n=diffen@c-d372e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Read error: 54 (Connection reset by peer)]
17:42 < eyeoh> -A PREROUTING -t nat -p udp --sport 1234 -j DNAT --to <vpn ip>:port
17:43 < eyeoh> if I wanted to route all traffic to/from that port (1234) its something like that?
17:43 < eyeoh> sorry to be a pest :(
17:43 -!- dazo_afk [n=dazo@nat/redhat/x-clfzuciztghjjygs] has quit [Read error: 60 (Operation timed out)]
17:46 < eyeoh> ah
17:46 < elexis39> eyeoh, I just spent a few hours setting up the default easy-rsa config and forwarding stuff from tun0 to eth0
17:46 < elexis39> I ended up using these rules to get it working in the end: http://blog.baldiyo.com/posts/openvpn-roadwarrior-routing-internet-traffic-through-vpn.html
17:46 < vpnHelper> Title: Baldo's web log - Road-Warrior - Routing all client's internet traffic through the VPN (at blog.baldiyo.com)
17:46 -!- Diffen [n=diffen@78-82-118-208.tn.glocalnet.net] has quit [Read error: 60 (Operation timed out)]
17:46 -!- Diffen [n=diffen@c-d372e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
17:49 < eyeoh> ooo
17:49 < eyeoh> im slowly piecing together what I want/need to do
17:49 < eyeoh> thankyou for the link
17:49 < Diffen> hmm stupid question but if i remove push "redirect-gateway def1"
17:49 < Diffen>  from the server.conf file. do i need to add the route at the client then?
17:50 < eyeoh> but I want to limit traffic going through the vpn to a port range
17:50 < eyeoh> and all the rest to reach the internet normally
17:52 < qvc> what does it mean to "Import an OpenVPN configuration file in Network Manager"
17:52 -!- dazo_afk [n=dazo@nat/redhat/x-jifqzmzsnwsidnni] has joined ##openvpn
17:52 -!- dazo_afk is now known as Guest8170
17:52 -!- Guest8170 is now known as dazo
17:53 -!- dazo is now known as Guest43774
18:02 -!- Guest43774 [n=dazo@nat/redhat/x-jifqzmzsnwsidnni] has quit [Read error: 60 (Operation timed out)]
18:06 -!- elexis39 [n=elexis39@173-30-169-170.client.mchsi.com] has quit ["Java user signed off"]
18:09 < |Mike|> qvc: rotflol, are you f*cking kidding me ? :s
18:11 < qvc> i knew coming here on a sat night was a mistake lol
18:12 -!- dazo_afk [n=dazo@nat/redhat/x-zfwjbkjozujgogmm] has joined ##openvpn
18:12 -!- dazo_afk is now known as Guest549
18:12 -!- Guest549 is now known as dazo
18:13 -!- dazo is now known as Guest82625
18:13 < qvc> |Mike|: are you angry you didn't have any plans tonight
18:13 < qvc> lol
18:14 < |Mike|> something with timezones.
18:15 < eyeoh> theres a flipside to that qvc :)
18:16 < eyeoh> hmm, iptables dosnt like *nat
18:17 -!- Diffen [n=diffen@c-d372e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit ["Leaving"]
18:18 < |Mike|> 2.4.x kernels don't *DOH*
18:18 < qvc> |Mike|: admit it, I can catch you here every weekend
18:18 < |Mike|> Doubt that.
18:19 < |Mike|> But then again, why don't you monitor it for me.
18:19 < |Mike|> Hmz, I should write yet another h0no article.
18:20 < qvc> because I don't have as much time on my hands as you
18:20 < eyeoh> qvc, is it not saturday where you are to?
18:20 < |Mike|> epic fail.
18:20 < eyeoh> maybe its sunday now :p
18:20 < |Mike|> We need more trolls in ##openvpn
18:21 < qvc> its wednesday i think
18:21 < eyeoh> 2.6 kernel here btw
18:21 < |Mike|> Don't think, it's Sunday morning!
18:22 < qvc> no I was wrong. its friday on my planet
18:22 < eyeoh> bah, im so close. I can feel it :D
18:23 < |Mike|> qvc is ret. No doubt about that.
18:23 < eyeoh> ./ignore :)
18:24 < qvc> what does it mean to "Import an OpenVPN configuration file in Network Manager"
18:25 < eyeoh> i assume that you need to import your .ovpn file in your network manager
18:25 < qvc> nope
18:25 < |Mike|> network managers suck.
18:25 < |Mike|> !ubuntu
18:25 < vpnHelper> |Mike|: "ubuntu" is dont use network manager!
18:25 < eyeoh> maybe you need to build a building and call it dave
18:27 < qvc> :D
18:28 < qvc> dave huh?
18:28 -!- Diffen2 [n=diffen2@c-d372e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
18:31 < qvc> |Mike|: weren't you the moron that told me earlier that I had to subscribe to the mailing list to read it
18:31 < qvc> lol
18:32 < |Mike|> qvc: Mister, I only warn once. You're the moron in question. And no, it wasn't me.
18:33 < qvc> only warn once about what
18:33 < |Mike|> Abusive language.
18:33 < qvc> its just jesting
18:33 < qvc> :)
18:33 < |Mike|> ignoring all from qvc
18:33 < |Mike|> cya.
18:33 < qvc> oh no
18:34 < qvc> thats what I didn't want
18:34 < qvc> lol
18:35 < |Mike|> ecrist: You might want to help qvc a bit towards the right point (exit )
18:37 < eyeoh> |Mike|: can i request some guidance please :)
18:37 < qvc> ecrist: I was trying to ask you what you were trying to explain to me when Mike started cursing and insulting me. He's been inappropriate to more than me. Please kick him.
18:38 < eyeoh> have i got ecrist on ignore?
18:38 < eyeoh> i cant see him speak :s
18:38 < qvc> eyeoh: thought you were going to ignore me, mr carpenter
18:39 < |Mike|> heh eyeoh ?
18:39 < eyeoh> both you and qvc talking to ecrist ^^
18:39  * eyeoh is confused
18:39 < |Mike|> ever heard about hilighting ?
18:39 < eyeoh> of course
18:39 < qvc> eyeoh: put me on ignore. now. I command you.
18:40 < eyeoh> i dont need a command to do that qvc
18:40 < qvc> eyeoh: joke! :P
18:41 < eyeoh> mike, can you help me with my iptables por favor?
18:42 < |Mike|> Nope. I'm not an iptables guru.
18:42 < eyeoh> ah
18:42 < |Mike|> !nat
18:42 < vpnHelper> |Mike|: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
18:42 < |Mike|> !lin-nat
18:42 < vpnHelper> |Mike|: Error: "lin-nat" is not a valid command.
18:42 < |Mike|> !linnat
18:42 < vpnHelper> |Mike|: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
18:42 < eyeoh> i had a read through !linnat
18:42 < eyeoh> it has helped me
18:43 < qvc> eyeoh: looks like all your brown-nosing got you nowhere
18:43 < eyeoh> ooooo
18:43 < eyeoh> <insert retaliation here>
18:43 < qvc> :p
18:44 < eyeoh> ;p
18:46 -!- diffen3 [n=diffen2@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
18:49 < diffen3> !route
18:49 < vpnHelper> diffen3: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:51 -!- dazo_afk [n=dazo@nat/redhat/x-vrciuwwbqqqarvwf] has joined ##openvpn
18:52 -!- dazo_afk is now known as Guest95156
18:52 -!- Guest82625 [n=dazo@nat/redhat/x-zfwjbkjozujgogmm] has quit [Read error: 54 (Connection reset by peer)]
18:55 -!- dazo_afk [n=dazo@nat/redhat/x-ybtxoeoesmarrssg] has joined ##openvpn
18:55 -!- dazo_afk is now known as Guest66910
18:55 -!- Guest66910 is now known as dazo
18:56 -!- dazo is now known as Guest51222
18:56 -!- Diffen2 [n=diffen2@c-d372e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Read error: 110 (Connection timed out)]
18:57 < eyeoh> ahah
18:57 -!- diffen3 is now known as Diffen2
18:57 < eyeoh> http://www.taiter.com/blog/2009/10/iptables-route-traffic-from-sp.html
18:57 < vpnHelper> Title: IPTABLES - Route Traffic from Specific Interface to a Specific Gateway - taiter.com - Tech Blog (at www.taiter.com)
18:57 < eyeoh> this is a big help
18:58 < eyeoh> but i still need to prevent tun0 taking over everything
18:59 < eyeoh> maybe if i was to bind tun0 to a local port?
19:06 < rob0> "Bind tun0 to a local port"?
19:10 -!- Guest95156 [n=dazo@nat/redhat/x-vrciuwwbqqqarvwf] has quit [Read error: 110 (Connection timed out)]
19:12 < eyeoh> well as soon as i initiate it it routes all traffic through it
19:12 < eyeoh> its just my iptables im sure
19:16 < rob0> I missed the real world goal.
19:17 -!- Diffen2 [n=diffen2@78-82-118-208.tn.glocalnet.net] has quit [Read error: 60 (Operation timed out)]
19:17 < eyeoh> i want to only route traffic on port 80 through the vpn, all other traffic is to go through the internet as normal
19:17 -!- Diffen2 [n=diffen2@c-d372e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
19:18 < rob0> and the client(?) OS is ...?
19:18 < eyeoh> client OS is linux, debian
19:19 < rob0> LARTC, a fairly simple recipe
19:20 < rob0> ip route add default via vpn.peer.ip.addr table VPN # add VPN to your /etc/iproute2/rt_tables
19:20 < eyeoh> http://lartc.org/howto/lartc.rpdb.multiple-links.html ?
19:20 < vpnHelper> Title: Routing for multiple uplinks/providers (at lartc.org)
19:20 < eyeoh> sorry to interrupt :)
19:21 < rob0> ip rule ... with a fwmark
19:23 < rob0> iptables -vt mangle -A OUTPUT -p tcp --dport 80 -j MARK ...
19:23 < rob0> the mark you set is the mark that puts it in the VPN table
19:23 < eyeoh> yeah the mark bit i understand (from reading http://www.taiter.com/blog/2009/10/iptables-route-traffic-from-sp.html)
19:23 < vpnHelper> Title: IPTABLES - Route Traffic from Specific Interface to a Specific Gateway - taiter.com - Tech Blog (at www.taiter.com)
19:24 < rob0> In LARTC terms it's fairly simple, but it is complex really
19:24 < Diffen2> hmm is it possible to push a route from openvpn server to client that the client only should send the traffic from client to 130.239.8.25 to tun0. the rest to eth0? i have looked at push route and tested but no good result
19:24 < eyeoh> hehe yeah
19:24 < eyeoh> i feel like i understand it, but its still not graspable
19:24 < rob0> "policy routing" I think it is called
19:24 < Diffen2> thanks rob0
19:25 < rob0> huh?
19:25 < rob0> What am I being thanked for, I had not even read your question yet?
19:26 < rob0> And now I have, and my only answer would have been, "huh?"
19:30 < eyeoh> so when i start openvpn with the client config, it changes the default gw to use the vpn, dosnt it?
19:30 -!- Diffen [n=diffen2@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
19:30 < eyeoh> looking at it starting with verbose 4 i see it doing it
19:31 < eyeoh> how can i prevent that
19:31 < rob0> Hmmm, not ever having seen your config makes that a bit difficult to answer. I would say, definitely maybe, unless not.
19:31 < eyeoh> one second, i will pastebin it
19:31 < eyeoh> if you dont mind?
19:31 < rob0> just don't redirect-gateway
19:32 < eyeoh> http://pastebin.ca/1744840
19:32 < eyeoh> i dont
19:35 < eyeoh> ah
19:35 < eyeoh> but i get a push reply that makes it redirect
19:35 < eyeoh> anyway to prevent that?
19:35 < eyeoh> (i dont have access to the server)
19:36 -!- Diffen2 [n=diffen2@c-d372e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Read error: 104 (Connection reset by peer)]
19:38 < rob0> I don't know, actually, but you can manually delete the routes that the server pushes. Maybe an --up script?
19:41 < eyeoh> ah, so as soon as it initalizes, I just remove the changes?
19:41 < eyeoh> then just build my own?
19:43 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has joined ##openvpn
19:57 -!- Guest51222 [n=dazo@nat/redhat/x-ybtxoeoesmarrssg] has quit [Read error: 60 (Operation timed out)]
19:58 -!- dazo_afk [n=dazo@nat/redhat/x-xocjmklootjmplgk] has joined ##openvpn
19:58 -!- dazo_afk is now known as Guest25297
19:59 -!- Guest25297 is now known as dazo
19:59 -!- dazo is now known as Guest52139
20:00 -!- Diffen [n=diffen2@78-82-118-208.tn.glocalnet.net] has quit ["This computer has gone to sleep"]
20:09 -!- dazo_afk [n=dazo@nat/redhat/x-mjlepsllwgxeosxc] has joined ##openvpn
20:09 -!- dazo_afk is now known as Guest84987
20:09 -!- Guest84987 is now known as dazo
20:10 -!- dazo is now known as Guest33650
20:14 -!- Guest52139 [n=dazo@nat/redhat/x-xocjmklootjmplgk] has quit [Read error: 104 (Connection reset by peer)]
20:15 -!- Guest76610 [n=dazo@nat/redhat/x-fpwztfiswrszdmvx] has joined ##openvpn
20:15 -!- Guest33650 [n=dazo@nat/redhat/x-mjlepsllwgxeosxc] has quit [Read error: 60 (Operation timed out)]
20:16 -!- Guest76610 is now known as dazo
20:16 -!- dazo is now known as Guest92669
20:25 -!- dazo_afk [n=dazo@nat/redhat/x-rlydlhulyongjdde] has joined ##openvpn
20:25 -!- dazo_afk is now known as Guest4532
20:25 -!- Guest4532 is now known as dazo
20:26 -!- Guest92669 [n=dazo@nat/redhat/x-fpwztfiswrszdmvx] has quit [Read error: 60 (Operation timed out)]
20:26 -!- dazo is now known as Guest11014
20:31 -!- theoretical [n=theoreti@64-135-203-23.FoxValley.net] has quit [Read error: 60 (Operation timed out)]
20:34  * dauergast ist jetzt AWAY |grund: auto-AWAY nach 180 min idle-zeit|
20:34 -!- dauergast is now known as dauergast|wech
20:35 -!- dauergast|wech [n=sag@f055002107.adsl.alicedsl.de] has quit ["ich nutze das [G]Script... ©daGroove neuste versionen: www.orbitirc.net"]
20:44 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit [Read error: 60 (Operation timed out)]
20:45 -!- theoretical [n=theoreti@64-135-203-23.FoxValley.net] has joined ##openvpn
20:48 < eyeoh> woo
20:48 < eyeoh> step 1 complete :D
20:59 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
20:59 < mithridates> hey guys, this is mithri who installed openvpn + openvpn-gui-web based finally :D
21:00 < mithridates> who has installed openvpn-gui-webbased ? he gave me some screenshots of openvpn-gui-webbased
21:00 < mithridates> I wanna ask some questions about that
21:04 -!- theoretical [n=theoreti@64-135-203-23.FoxValley.net] has quit [Read error: 60 (Operation timed out)]
21:10 < eyeoh> hmm, I have it working that the vpn works outwords (ping -I tun0 google.com / traceroute -i tun0 google.com work as expected) but when i ping the ip address of the vpn it dosnt respond :(
21:31 -!- qvc [n=pexaa@zurich.perfect-privacy.com] has quit [Remote closed the connection]
23:02 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has left ##openvpn []
23:17 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has quit []
23:43 -!- lepine2 [n=leprecha@modemcable140.128-20-96.mc.videotron.ca] has joined ##openvpn
23:43 < lepine2> can anyone remind what i'm forgetting here? just got a tunnel up and running, but can't get past the openvpn server.
23:44 < lepine2> I have push redirect-gateway, /proc/sys/net/ipv4/ip_forward = 1, iptables -P FORWARD ACCEPT
23:45 < lepine2> the routes on my client are good
23:45 < lepine2> the routes on the server are good
--- Day changed Sun Jan 10 2010
00:04 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
00:12 -!- lepine3 [n=leprecha@modemcable140.128-20-96.mc.videotron.ca] has joined ##openvpn
00:13 -!- lepine2 [n=leprecha@modemcable140.128-20-96.mc.videotron.ca] has quit [Read error: 110 (Connection timed out)]
00:24 -!- lepine2 [n=leprecha@69-165-136-248.dsl.teksavvy.com] has joined ##openvpn
00:30 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)]
00:37 -!- lepine3 [n=leprecha@modemcable140.128-20-96.mc.videotron.ca] has quit [Read error: 110 (Connection timed out)]
00:40 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
00:41 -!- lepine2 [n=leprecha@69-165-136-248.dsl.teksavvy.com] has quit ["Leaving."]
01:07 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
01:40 < jaek_> is there any reason why i shouldnt use bridged tap mode? seems like the most straight forward solution...
01:49 -!- LittleJ [n=linuz@82.78.185.26] has quit [Read error: 60 (Operation timed out)]
02:42 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 54 (Connection reset by peer)]
02:43 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
02:45 -!- corretico [n=laguilar@201.201.46.106] has quit [Connection reset by peer]
02:46 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
02:49 < hyper_ch> !route
02:49 < vpnHelper> hyper_ch: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:57 < krzee> too bad fot lepine he left
02:58 < hyper_ch> hi krzee
02:58 < krzee> hyper_ch, when you're done reading that if you still have ?'s fire away
02:58 < krzee> but read it well firat
02:58 < krzee> first
02:58 < hyper_ch> krzee: well, can you explain how to route? ^^
02:58 < hyper_ch> I don't think I'll ever get that concept... but currently I don't have problems
02:58 < krzee> yes, i did it at !route
02:59 < krzee> oh you dont understand routing at all?
02:59 < hyper_ch> krzee: not really... but I don't have an issue
02:59 < krzee> seen a routing table before?
02:59 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
02:59 < hyper_ch> jaek_ asked before what makes tap better than bridging and I thought the !route entry gives that short explanation
03:00 < hyper_ch> krzee: well, I finally managed to set everything up the way I want :) well, sort of... I still had to circumvent a few things
03:00 < krzee> well when your machine has ip forwarding enabled packets may travel in, hit your kernel (routing table) and go out through your machine
03:00 < reiffert> !tunortap
03:00 < vpnHelper> reiffert: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
03:00 < vpnHelper> reiffert: against you over the vpn
03:00 < krzee> your kernel looks at its source address (src) and destination address (dst)
03:01 < reiffert> erm, src?
03:01 < krzee> the most specific route wins
03:01 < krzee> to understand that learn about subnets via google
03:02 < hyper_ch> well, I understand the theoretical principle sort of but not the practical application :)
03:02 < hyper_ch> but don't worry about me... I'm fine with the way I finally set it all up
03:02 < krzee> reiffert, ?
03:03 < krzee> im hammered
03:03 < reiffert>  the kernel pays attention to the dst address.
03:03 < krzee> firewall runs in kernel
03:03 < krzee> routing pays attention to dst
03:04 < krzee> kernel sees all of it
03:04 < krzee> besides im way drunk ;]
03:04 < reiffert> I'm trying to get sober ...#
03:04 < hyper_ch> drunk coding is not advised :)
03:04 < krzee> they make a don julio better than 1942!
03:04 < krzee> don julio real
03:05 < krzee> badass bottle too
03:05 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)]
03:05 < hyper_ch> I wonder, why does routing not also involve ports? wouldn't it make a lot of things easier?
03:05 < krzee> !routebyapp
03:05 < vpnHelper> krzee: "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
03:06 < reiffert> ah, golden tequila?
03:06 < krzee> smoothest thing i ever seen
03:06 < krzee> the bottle was like $500 usd
03:06 < krzee> i wanted to buy the bottle at first til i heard the price, did shots instead
03:06 < krzee> lol
03:07 < reiffert> hyper_ch: thats called policy routing and varies from OS to OS#
03:07 < hyper_ch> there are other OSes besides Linux? :)
03:07 -!- master_o1_master [n=master_o@p57B54B98.dip.t-dialin.net] has joined ##openvpn
03:07 < krzee> <-- bsd/osx user
03:07 < hyper_ch> right :) there are Unices
03:10 -!- grub_booter [n=charlie@d54C519D5.access.telenet.be] has quit ["Ex-Chat"]
03:11 < hyper_ch> so, what is required to actually master routing?
03:11 < reiffert> iproute2.
03:12 < hyper_ch> I mean what do I need to really undestand routing :)
03:12 < reiffert> google for "static routing"
03:13 < hyper_ch> google hates me
03:13 < hyper_ch> since google knows way too much things about me
03:18 -!- master_of_master [i=master_o@p57B54290.dip.t-dialin.net] has quit [Connection timed out]
03:43 < mithridates> hi reiffert
03:43 < mithridates> reiffert: are you there?
03:47 < mithridates> I'll come back later
04:17 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
05:23 -!- LobbyZ [n=default@main.lobbyzffs.com] has quit ["Free FTW"]
05:24 -!- flo|va-nu-pied [n=florent@unaffiliated/flovanupied/x-758957] has joined ##openvpn
05:24 < flo|va-nu-pied> I all
05:25 < flo|va-nu-pied> My VPN configuration is almost working
05:26 < flo|va-nu-pied> I'm trying to use an external DHCP server with openvpn to be able to dynamically update DNS zones
05:27 -!- Tattooman [n=Tattooma@89.100.125.48] has joined ##openvpn
05:27 < flo|va-nu-pied> all is workin fine except that I have to manually do the dhcp request on the client side
05:27 < Tattooman> hello people
05:28 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has joined ##openvpn
05:28 < flo|va-nu-pied> Hi Tattooman
05:28 < Tattooman> anyone here maybe can help me about ipcop openvpn and windows sbs 2003 server wit 2 nics
05:28 < flo|va-nu-pied> just to finish, is there a way to force vpn client requesting a DHCP lease on connection ?
05:35 < hyper_ch> flo|va-nu-pied: not sure what you mean
05:36 < flo|va-nu-pied> i've installed both openvpn and a dhcp server
05:37 < hyper_ch> well, int he openvpn server config you can set that the server should hand out same ip as before
05:37 < hyper_ch> it will then noted down in a text file
05:37 < hyper_ch> or you can created for each client a static ip for the vpn network
05:38 < hyper_ch> I guess if you neitehr say in the config to try and hand out the same ip and not configuring static ip that you'll get then your dynamic vpn ips
05:38 -!- pfo_ [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
05:38 < flo|va-nu-pied> hyper_ch: unfortunatly not
05:38 < hyper_ch> flo|va-nu-pied: so I don't quite understand what you try to achieve
05:39 < flo|va-nu-pied> I just want my VPN client using the DHCP server and not the one provided by openvpn
05:39 < |Mike|> heh a flo|va-nu-pied
05:39 < flo|va-nu-pied> hey |Mike| ;)
05:40 < flo|va-nu-pied> hyper_ch: I fact i think that the "DHCP Server" from open vpn is only launched on server side IMO
05:40 < |Mike|> even I don't understand what you're trying to accheive :p
05:41 < flo|va-nu-pied> i mean when a client connect the VPN no network request is done by the client
05:41 < hyper_ch> openvpn creates a seperate network... I fail to see how some external dhcp server has any influence there
05:41 < flo|va-nu-pied> the openvpn pick a free IP from a range of provided IP and assign it statically to the client
05:42 < |Mike|> jup
05:42 < flo|va-nu-pied> you can configure any service to listen on a tap interface
05:42 < |Mike|> !tunortap
05:42 < vpnHelper> |Mike|: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
05:42 < vpnHelper> |Mike|: against you over the vpn
05:43 < |Mike|> You're aware of the OSI layers ? :P
05:43 < flo|va-nu-pied> totally :)
05:43 < flo|va-nu-pied> a bridge braodcast :P
05:43 < |Mike|> you can't bind services to mac addresses ;)
05:43 < flo|va-nu-pied> but it works
05:44 < flo|va-nu-pied> i mean for the moment i'm able to create then crypted VPN
05:44 < flo|va-nu-pied> and then i do a dhclient on the client side
05:44 < flo|va-nu-pied> and the external DHCP server (installed on the same workstation as the openvpn server) answer correctly
05:45 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has quit [Read error: 110 (Connection timed out)]
05:45 -!- pfo_ is now known as pfo
05:45 < flo|va-nu-pied> I just can't succes in automating the client DHCP request on connection
05:45 < flo|va-nu-pied> is it more comprehensive now ? :)
05:48 < flo|va-nu-pied> |Mike|: on the server side my tap0 interface is staticaly addressed that's why i'm able to listen on
05:48 < flo|va-nu-pied> using the ifconfig directive from openvpn
05:50 < |Mike|> hmz
05:50 < |Mike|> !ifconfig
05:51 < vpnHelper> |Mike|: "ifconfig" is usage: ifconfig l rn | Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices, rn is the IP address of the remote VPN endpoint. For TAP devices, rn is the subnet mask of the virtual ethernet segment which is being created or connected to.
05:51 < flo|va-nu-pied> that's what i've done :)
05:52 < flo|va-nu-pied> I think there is a missunderstoud regarding my problem
05:54 < flo|va-nu-pied> http://pastebin.ca/1745372
05:55 < flo|va-nu-pied> here is my config file (server/client)
05:56 < flo|va-nu-pied> tap configuration allow me to forward Layer2 packets over the VPN
05:57 < flo|va-nu-pied> after starting openvpn on the client side tap0 interface is created and stay unaddressed waiting for an IP address
05:57 < flo|va-nu-pied> than i do a dhclient tap0 again on the client
05:57 < flo|va-nu-pied> on the server side I can see the DHCP request from the client
05:57 < flo|va-nu-pied> Jan 10 12:45:09 localhost dhcpd: DHCPREQUEST for 11.0.0.57 from aa:bb:cc:dd:ee:ff via tap0
05:58 < flo|va-nu-pied> afster that tap0 from my client has IP 11.0.0.57
05:58 < flo|va-nu-pied> so it work :)
05:59 < flo|va-nu-pied> the only thing I can't solve is to automate the dhcp request from client on openvpn connexion
06:00 < flo|va-nu-pied> I got it working on linux/unix client using a up.sh launched on vpn connexion but I can't use the same thing on windows workstation
06:01 < flo|va-nu-pied> That why i think that there is probably a way to do it into openvpn configuration.
06:01 < flo|va-nu-pied> but I don't know how
06:01 < flo|va-nu-pied> |Mike|: do you understand what I ask for now ?
06:01 < flo|va-nu-pied> :)
06:07 < flo|va-nu-pied> hum I think i've found something in  manpage regarding dhcp-renew option which work for tap-Win32 only :)
06:07 < flo|va-nu-pied> i've got to test it
06:16 -!- Tattooman [n=Tattooma@89.100.125.48] has quit ["http://irc2go.com/"]
06:19 -!- LobbyZ [n=default@main.lobbyzffs.com] has joined ##openvpn
07:12 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
07:26 < theDoc> Anyone here has done work on optimizing openvpn for online gaming? I'd like a word on how that is done.
07:29 < hyper_ch> theDoc: define "optimizing for online gaming"
07:31 < theDoc> hyper_ch> That's what I'm looking at, at the moment. I'm seeing something like 2x jump in latency when I fire up openvpn and attempt to play WoW over it.
07:31 < theDoc> hyper_ch> I'm wondering if there's something about the mtu which I can tweak to try to reduce the latency or something along those lines. I'm not exactly sure what's going on.
07:32 < hyper_ch> no clue
07:32 < hyper_ch> but an increase in latency is expected over a vpn
07:32 < theDoc> hyper_ch> But twice?
07:32 < hyper_ch> why not?
07:32 < hyper_ch> it depends on many factors
07:32 < theDoc> Yeah, I know that I should be expecting latency but I'm just surprised it's 2x.
07:33 < hyper_ch> I don't know what your vpn is setup like
07:33 < hyper_ch> if you run like a lan vpn then it shouldn't increase 2x I tend to think
07:33 < theDoc> hyper_ch> Single server here, all traffic gets tunneled through it. Over the WAN.
07:33 < hyper_ch> but creating a vpn with a server somewhere else located in the world
07:33 < hyper_ch> I expect latency to jump
07:33 < hyper_ch> where is that server and where are you?
07:34 < theDoc> hyper_ch> Yeah, we all do. I wasn't quite expecting a 2x jump. I'm going to take another look at it.
07:34 < theDoc> hyper_ch> Singapore > US > US
07:34 < hyper_ch> well, I'm surprised it's only 2x
07:34 < theDoc> That's the rough geographical route. US > US hops are showing good latency. SG to US is about 200ms.
07:35 < hyper_ch> trans-continental connections
07:35 < theDoc> I suppose this is a case of ymmv eh?
07:35 < hyper_ch> I have no clue what you mean by ymmv
07:35 < theDoc> your mileage may vary? ;p
07:35 < hyper_ch> I notice the same here
07:35 < hyper_ch> connecting within europe is usally quite fast
07:36 < theDoc> hyper_ch> Where are you connecting from and where to?
07:36 < hyper_ch> but as soon as I connect to the US it gets slow
07:36 < hyper_ch> transcontinental connections are not so good....
07:36 < hyper_ch> well, for normal browsing it hardly doesn't matter but for gaming it does
07:37 < theDoc> hyper_ch> Yeah, sounds like a ymmv situation to me, unless I find a magical config file somewhere.
07:37 < theDoc> Browsing works just fine. Latency sensitive things are usable, just not as smooth as I'd like it to be.
07:38 < hyper_ch> well, get a vpn server in SG :)
07:39 < theDoc> hyper_ch> $400/mbit? I'm sure ;)
07:39 < hyper_ch> that sounds expensive
07:39 < hyper_ch> no cheap hosting?
07:39 < theDoc> It's ridiculously expensive.
07:39 < theDoc> No, none at all.
07:40 < hyper_ch> I pay for my server now about $ 100/month and it has a 100mbit connection, 2x 1500 gb disks and 5tb traffic included... if I use more than 2tb it'll throttled to 10mbit
07:40 < theDoc> That's not too bad.
07:41 < theDoc> hyper_ch> I have 8tb's of traffic a month and frankly, my customers aren't blowing it out of the water yet ;p
07:41 < theDoc> Need more torrents!
07:41 < hyper_ch> there are many good torrents :)
07:41 < hyper_ch> well, it's unlimited the traffic... just after 2 tb the connection gets slowed down to 10mbit
07:42 < theDoc> hyper_ch> I can't control what my customers torrent and I'm just here to make it go faster for them ;)
07:42 < hyper_ch> use private trackers :)
07:43 < theDoc> hyper_ch> I don't torrent, my customers do and as a vpn provider, I can't tell them how and where to get their torrents, lest I get hounded by the RIAA for "helping" people torrent.
07:43 < hyper_ch> stupid MAFIAA
07:44 < theDoc> hyper_ch> The MAFIAA is a huge problem and it needs to die.
07:44 < ecrist> good morning
07:44 < theDoc> Well, maybe not. Since that allows us to try to force people to use encryption ;)
07:44 < hyper_ch> people should just stop buying records to set an example
07:44 < theDoc> hello ecrist.
07:44 < hyper_ch> I've been using pgp/gpg since '96 but most people don't care about it
07:44 < theDoc> hyper_ch> Yeah, I usually get my customers to use pandora.com for their music feed.
07:45 < ecrist> I wish PGP was more widely used.
07:45 < theDoc> hyper_ch> I once upon a time used a rule where if you don't sign your messages, I don't read them.
07:45 < ecrist> I'd still use it if apple mail had an easy way to integrate it.
07:46 < ecrist> theDoc: I'm guessing you abandoned that rule because a 'let's go to the bar friday' doens't really need verification via pgp?
07:46 < hyper_ch> theDoc: that meant you read no emails anymore :)
07:46 < hyper_ch> ecrist: why not TB for Mac with Enigmail?
07:46 < theDoc> ecrist> I used it for work, not personal emails about going to strip clubs
07:46 < theDoc> hyper_ch> That meant, that customers got annoyed and my boss was mad at me
07:46 < theDoc> lol
07:46 < ecrist> because I can't stand thunderbird
07:47 < hyper_ch> kmail?
07:47 < hyper_ch> Eudora?
07:47 < hyper_ch> mutts?
07:47 < theDoc> I realized that the excuse of, but they don't encrypt their mails doesn't fly well.
07:47 < ecrist> kmail is the best mail client ever
07:47 < ecrist> imho
07:47 < hyper_ch> I love kontact :)
07:47 < hyper_ch> kmail/korganizer/akregator
07:48 < hyper_ch> becdause it can really handle IMAP and especially disconnected IMAP
07:48 < hyper_ch> contrary to Outlook
07:48 < hyper_ch> running a little Horde setup on my server
07:48 < hyper_ch> so I can even sync it easily with my cell phone :)
07:49 < theDoc> Horde is good, for a mail client.
07:49 < theDoc> However, I'm a stickler for default things, so Mail.app works about right for me.
07:49 < hyper_ch> well, I have to test horde 4 some time.... :) it's quite mature meanwhile
07:49 < ecrist> does kde still have mac support?
07:49 < hyper_ch> syncing tasks, events etc. between your PIM and cell phone is great
07:50 < hyper_ch> ecrist: I think so... there's a windows port
07:50 < hyper_ch> and OSX is based on a unix
07:50 < hyper_ch> so I think kde can be run on a mac
07:50 < ecrist> http://mac.kde.org
07:50 < vpnHelper> Title: .: KDE 4 Mac :. (at mac.kde.org)
07:53 < hyper_ch> are there actually any cell phones that can be completely encrypted
07:54 < ecrist> I think blackberry devices can be
07:54 < ecrist> but for full support, they need to integrate with BES
07:54 < hyper_ch> what's BES?
07:54 < ecrist> blackberry enterprise server
07:54 < hyper_ch> ah
07:55 < hyper_ch> well, the N900 looks somewhat promising as it basically runs a stripped down debian
07:55 < hyper_ch> at least encrypting the memory card should work fine
07:55 < ecrist> if you, as an individual get a blackberry, it generally only comes with BIS (blackberry internet service) which gets your your email and web browsing.  full support requires BES, which can be had from hosted services and some wireless carriers will provide for it, as well
07:56 < theDoc> Any of you run 2048bit encryption? :o
07:56 < ecrist> theDoc: my vpn ruls 2048bit ssl certificates
07:56 < ecrist> when I used pgp (even 10 years ago) I was using 4096
07:56 < hyper_ch> well, it would be nice to encrypt caller list, phone book, text messages also...
07:57 < theDoc> ecrist> How much sensitive data do you transmit that the government spooks are interested in? :?
07:57 < ecrist> as if I would answer that in an open IRC channel
07:58 < theDoc> lol
07:58 < ecrist> I'm not a tin-hat wearer, but I don't desire to make decryption of data I want encrypted easily crackable
07:58 < hyper_ch> ecrist: so you deny to even transmit any sensitive data that government spooks could be interested in?
07:59 < hyper_ch> :)
07:59 < ecrist> using adium and our company jabber server, I PGP encrypt (on the fly) one-to-one chats between users.
07:59 < theDoc> ecrist> Was there an exploit/weakness found for RSA?
07:59 < ecrist> I am neither confirming nor denying anything.
07:59 < ecrist> 768bit keys are now considered crackable
07:59 < theDoc> ecrist> Ah, ok.
07:59 < ecrist> within 2 to 3 years, 1024bit keys are crackable
08:00 < ecrist> by crackable, I'm talking within 5-30 minutes
08:00 < hyper_ch> ecrist: but how does your chat partner decrypt the stuff?
08:00 < ecrist> they also use adium for that particular support
08:00 < hyper_ch> oh ok :)
08:00 -!- Guest11014 is now known as dazo
08:02 < theDoc> It'll be interesting to see how people are going to crack the 2048 ones, since the numbers are ridiculously insane.
08:02 < hyper_ch> I still don't get that bit part of encyrption...
08:02 < hyper_ch> as they vary very much between symmetric and asymmetric encryption
08:04  * dazo read the scroll back
08:05 < dazo> hyper_ch:  you've been using Horde for syncing between mobile devices and/or computers?
08:05 < dazo> or did I just misunderstand
08:05 < dazo> ?
08:05 < hyper_ch> dazo:
08:05 < hyper_ch> dazo: yes
08:05 < hyper_ch> dazo: I sync Konact with Horde
08:05 < hyper_ch> dazo: and I sync my cell phone with horde
08:06 < dazo> hyper_ch:  nice!  does it also do calender now?  group/shared calendars?
08:06 < hyper_ch> horde has calendars
08:07  * dazo has been asked to setup something which is syncable with mobile phones and computers (Windoze unfortunately)
08:07 < dazo> hmmm
08:07 < hyper_ch> but not sure what you mean with group/shared calendars
08:07 < dazo> That several users can access the same calendar
08:07 < hyper_ch> it can do that
08:07 < hyper_ch> but the limitation of cellphones usually is, that you can setup only one profile
08:08 < dazo> yeah, that's more than fine enough
08:08 < hyper_ch> so if you setup multiple calendar profiles one overwrites the other
08:08 < hyper_ch> and if the windows application supports webdav/caldav it works fine in windows
08:08 < dazo> they mostly want their own calendar on the mobile ... and to see their colleagues calendars on the PC
08:08  * dazo goes to dig up Horde info
08:08 < hyper_ch> yeah, that's what I use for our small company
08:09 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit []
08:09 < hyper_ch> and I was able to sync with horde from my old SonyEricsson K800i, the new C905 and a nokia N97
08:10 < dazo> I've been considering Zimbra .... but ... it's a monster to install .... and I'm using it at work, and I'm far from convinced I want to help someone install and maintain Zimbra in my spare time
08:10 < dazo> and I've been looking at Funambol, which looks promising in a lot of aspects .... but again .... not convinced
08:10 < ecrist> dazo: what do you use for spam filtering?
08:11 < hyper_ch> it took me a while to install horde 3 from svn
08:11 < hyper_ch> but it's been working fine for a year now
08:11 < hyper_ch> and horde 4 should be declared stable soon
08:11 < hyper_ch> one of the main improvments I'm looking forward there is that different calendards can be coloured differently
08:11 < hyper_ch> that's missing in h3
08:12 < dazo> ecrist:  right now, email handling is done by a third party which I don't know what uses .... those domains I've migrated to a new provider uses spamassassin + 2-3 anti-virus engines, that works very well
08:16 < ecrist> I used only spamassassin for about a decade, which worked extremely well with rules du jour
08:16 < dazo> I'm considering a setup where a third party receives the emails and my own server fetches mails via POP3 or IMAP to a local server which all employees uses ... to avoid being a hackable target ..... I'm just helping out an non-profit organisation who do not have any dedicated IT personnel, so I'm trying to make it work as best as possible with pure open source software, and as little maintenance as possible
08:16 < ecrist> now I'm using dspam, which works just as well, and has a slick user interface along iwth it (users can handle their own queues)
08:17 < ecrist> for the office I'm considering Postini or purchasing a barracuda appliance
08:17 < ecrist> would still run dspam on the mail server in the even either failed.
08:17 < eyeoh> hey :)
08:17 < ecrist> dazo: why not set them up on google apps?
08:18 < ecrist> iirc, non profits get their services for free
08:18 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
08:18 < eyeoh> I managed to set up my tun0 device so that I can route traffic out through the vpn
08:19 < dazo> ecrist:  Google is getting too big for me ... I don't trust them as much anymore .... and some persons in the organisation handles sensitive information about persons, which I don't want to give to Google
08:19 < eyeoh> but I can't seem to get it to listen on the device
08:19 < eyeoh> i dont have access to the server or its config
08:19 < eyeoh> how can i troubleshoot if its me or the server preventing this?
08:19 < dazo> eyeoh:  what should be listening to that interface?
08:19 < ecrist> dazo: same reasons I don't host services there
08:20 < eyeoh> ircd
08:20 < dazo> eyeoh:  and you start ircd after you've started openvpn?
08:20 < hyper_ch> dazo: well, have a look at horde :) I really like it
08:20 < eyeoh> yeah
08:20 < ecrist> horde suck, imho
08:20 < dazo> hyper_ch:  I'm looking here http://www.horde.org/groupware/ .... it looks promising
08:20 < vpnHelper> Title: Horde Groupware (at www.horde.org)
08:21 < dazo> ecrist:  why?
08:21 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:21 < hyper_ch> dazo: and of course there's also #horde :)
08:22 < dazo> eyeoh:  if you can ping the server's tun interface .... and from the server side can ping the client's tun0 interface .... then you'll need to dig into ircd log files
08:22 < dazo> hyper_ch:  hmmmmmm ;-)
08:22 < eyeoh> i dont have access to the server/server config
08:22 < hyper_ch> dazo: the devs are really helpful there :)
08:23 < dazo> hyper_ch:  you're using SyncML?
08:23 < hyper_ch> dazo: so I am
08:23 < eyeoh> ping -I tun0 google.com
08:23 < eyeoh> that works though
08:24 < ecrist> dazo: it's just too much.  the amount of effort to install and maintain is not worth the benefit
08:24 < hyper_ch> ecrist: maintain?
08:24 < ecrist> yes
08:25 < hyper_ch> what's to maintain there?
08:25 < dazo> ecrist:  sounds like the same issues I have with Zimbra and opengroupware.org
08:25 < ecrist> yeah
08:25 < ecrist> I looked at all three at one point, and the benefit didn't seem worth it for 8 people (or a couple, on my personal stuff)
08:25 < hyper_ch> copy horde folder as backup; update throught git/svn :)
08:25 < hyper_ch> if it doesn't work out, copy back the backup folder
08:26 < ecrist> postfix + postfixadmin + dspam + dovecot works well, and has been rock solid for me for 3 years now
08:26 < hyper_ch> but no calendar on there
08:27 < ecrist> iCal + Apache/DAV
08:27 < hyper_ch> and syncing with phone?
08:27 < ecrist> my ical syncs fine with my blackberry
08:28 < hyper_ch> :)
08:28 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has joined ##openvpn
08:29 < eyeoh> should the ircd be listning on the subnet, or the end ip?
08:30 < dazo> eyeoh:  dunno ... but that's not really an openvpn related question though ....
08:31 < eyeoh> oh, sorry
08:31 < ecrist> dazo, pm?
08:31 < dazo> ecrist:  sure
08:31 < hyper_ch> well, we are 7 in the company and we use horde and it was worth to get it up and running
08:36 -!- Diffen2 [n=diffen2@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
08:40 -!- pfo_ [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
08:43 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
08:46 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has quit [Read error: 110 (Connection timed out)]
08:46 -!- pfo_ is now known as pfo
08:50 < dazo> hyper_ch:  did you follow any guide/howto to get started?
08:50 < dazo> hyper_ch:  and do you know any deadlines for v4 to get stable?
08:50 < hyper_ch> dazo: I found multiple howtos to get started and wanted to write my own
08:50 < hyper_ch> it was planned to make v4 stable at the end of 2009
08:50 < hyper_ch> I guess they didn't make the deadline
08:51 < hyper_ch> you wanna try h4?
08:51 < dazo> hyper_ch:  I'd be interested to try out Horde on an VM within a few months probably .... so if I can skip the "search for howto-get-started blogs", I'd appreciate that
08:52 < dazo> hyper_ch:  As this will go into production, with about 50-60 users in the end (starting with 10-12 users) ... I'd like to have something which is defined as stable
08:52 < hyper_ch> well, as said, I wanted to write a h3 quick'n'dirty howto but never got to it
08:52 < hyper_ch> and now I think I'll make a h4 one
08:52 < hyper_ch> stable can mean a lot of things
08:53 < hyper_ch> the only thing I know is that the definition of stable varies from project to project and the differences are massiv
08:53  * dazo understands "stable" as when developers have defined it as stable ... no major new rewrites of the code, expected features present and working
08:54 < hyper_ch> :)
08:54 < dazo> that's the definition I've met most of the time
08:54 < dazo> the worst any project gets, is a major code rewrite ... that always breaks things
08:56 < hyper_ch> h4 is a total rewrite from h3 :)
08:56 < dazo> hyper_ch:  you're running Horde Groupware Webmail?   Is Groupware Webmail the same as Groupware + a web gui on top of that?
08:56 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit []
08:57  * dazo found the info now :)
08:57 < dazo> "Please see the <Horde Groupware> page for general features of the the Horde Groupware Webmail Edition and the calendar, contacts, tasks, and notes components."
08:57 < hyper_ch> dazo: I'm running H3 framework with various stuff (IMP, Kronolith, DIMP, MIMP, ......)
08:58 < dazo> aha
08:59 < dazo> "Horde Groupware Webmail Edition bundles the separately available applications IMP, Ingo, Kronolith, Turba, Nag and Mnemo. "
09:00 < hyper_ch> ah... ok
09:00 < hyper_ch> well, I installed them all manually
09:01 < dazo> hyper_ch:  thanks a lot for your info!  This was very enlightening ... and Horde has achieved a lot since last time I considered it
09:01 < hyper_ch> dazo:  :)
09:01 < hyper_ch> well, if you wanted to have a look at it I suggest to try H4
09:01  * dazo goes to #horde to gain more release info about H4
09:01 < hyper_ch> as said, it was planned to declare it as stable end of 2009... so I assume they are pretty close to it
09:04 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has joined ##openvpn
09:17 < havoc> horde looks pretty interesting
09:19 < hyper_ch> it is :)
09:25 < ecrist> IMP is an IMAP client?
09:25 < ecrist> so horde sits on top of a separate MTA/MDA?
09:27 < |Mike|> heh
09:27 < hyper_ch> nope, IMP is the webmail part of Horde Framework
09:28 < ecrist> so it's a client
09:28 < ecrist> not a server
09:29 < hyper_ch> yes, webmail client
09:29 < hyper_ch> it's not MTA
09:29 < hyper_ch> and it's no pop3/imap server
09:29 < ecrist> that would be MDA
09:31 < hyper_ch> what is then procmail?
09:31 < dazo> MDA, I'd say
09:31 < hyper_ch> I would procmail label as MDA
09:31 < ecrist> ditto
09:31 < ecrist> fetchmail would be a client
09:32 < hyper_ch> but then courier/dovecot does more than just put email into the right location
09:32 < hyper_ch> the enable actual access to those stored emails
09:32 < dazo> http://en.wikipedia.org/wiki/Mail_delivery_agent
09:32 < vpnHelper> Title: Mail delivery agent - Wikipedia, the free encyclopedia (at en.wikipedia.org)
09:32 < dazo> MTA's speak SMTP, to say it easy
09:32 < dazo> s/easy/simple
09:32 < ecrist> MDA's include methods to retrieve mail
09:33 < hyper_ch> nah
09:33 < hyper_ch> that would be a MRA according to that wikipage
09:33 < ecrist> MTA, transfer mail between servers.  MDA, handle organizing, storage, and client access
09:33 < ecrist> MRA is retarded
09:34 < ecrist> there is some grey area
09:34 < hyper_ch> A mail delivery agent or message delivery agent (MDA) is computer software that transfers the responsibility for the management of e-mail messages from the message transfer agent (MTA) within the message handling service (MHS) to a recipient's environment, commonly transferring them into a mailbox.
09:34 < ecrist> postfix can handle some parts of what the MDA does (which directory, etc) and it can handle authentication for sending client
09:35 < dazo> MUA->MTA->MTA->MDA
09:35 < hyper_ch> if it can do both then it is both :)
09:35 < ecrist> yes/now
09:35 < ecrist> no*
09:36 < ecrist> postfix doesn't handle the MUA connections, so it can't really be called a full MDA
09:36  * dazo heads out
09:36 < ecrist> wtf
09:37 -!- dazo is now known as dazo_afk
09:37 < ecrist> no kmail in mac port of kde
09:37 < hyper_ch> oh well, my great postfix / procmail / courier-imap / spamasssin / grey-listing setup works great :)$
09:37 < hyper_ch> ecrist: no Kontact / KDEPIM either?
09:46 -!- eyeoh [n=io@lotsofinfo.mine.nu] has quit ["leaving"]
09:46 < ecrist> the installer is hanging now.
09:46 < ecrist> hrm
09:47 < |Mike|> debian / ;)
09:47 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote closed the connection]
09:52 < hyper_ch> installer is hanging on Mac?
09:59 < ecrist> yeah
10:01 < mithridates> hey guys, who has worked with OpenVPN WEB GUI ?
10:02 < mithridates> brb
10:07 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
10:13 < mithridates> I'm here
10:13 -!- thordon [n=sec@188.109.25.178] has quit [Read error: 110 (Connection timed out)]
10:13 < mithridates> who has worked with OpenVPN WEB GUI ?
10:13 < flo|va-nu-pied> not me
10:14 -!- optiz0r [n=optiz0r@miranda.sihnon.net] has left ##openvpn []
10:14 < hyper_ch> there is a openvpn web gui?
10:14 < mithridates> yes here is an openvpn web gui
10:14 < mithridates> is there too?
10:14 < hyper_ch> what does it do?
10:15 < mithridates> it creates certificate , show bandwidth usage of clients who are connected ,....
10:16 < flo|va-nu-pied> this one openvpn web gui mithridates
10:16 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:16 < flo|va-nu-pied> http://sourceforge.net/project/screenshots.php?group_id=131667&ssid=7404
10:16 < vpnHelper> Title: SourceForge.net: OpenVPN Web GUI: Screenshots (at sourceforge.net)
10:19 < mithridates> I wanna add more features for user management to this project
10:26 < krzee> you gunana revive that project?
10:26 < krzee> that would be pretty cool
10:26 < mithridates> krzee: yes I wanna keep user's datas in a database
10:27 < krzee> well and allow disconnecting a connected client through the gui
10:27 < krzee> maybe see how much bw they've used...
10:27 < mithridates> krzee: yes, exactly
10:27 < krzee> etc
10:28 < mithridates> do you have any idea?
10:28 < krzee> i think a lot of people would use it if you made it nice
10:28 < krzee> idea of what?
10:28 < mithridates> because I'm not famillar with smarty
10:28 < krzee> nor am i
10:29 < mithridates> umm
10:29 -!- Diffen2 [n=diffen2@78-82-118-208.tn.glocalnet.net] has quit ["Leaving"]
10:30 < mithridates> I think Mikhail Levin is not there, the owner of project,
10:30 < krzee> 08-18-2005. Version 0.3.2
10:30 < krzee> hey you're the last forum post
10:30 < krzee> hehe
10:31 < mithridates> =)))
10:31 < mithridates> yes
10:31 -!- Diffen [n=diffen2@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
10:44 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"]
11:20 -!- d12fk [n=heiko@vpn.astaro.de] has quit ["No Ping reply in 180 seconds."]
11:32 -!- kyrix [n=ashley@91-114-141-43.adsl.highway.telekom.at] has joined ##openvpn
11:34  * ecrist starts strangling mother fuckers
11:34 < ecrist> don't ask me to build your port, then tell me I don't know what the hell I'm doing.
11:34 < ecrist> rawr
11:35 < reiffert> Mikhail answers to private emails.
11:36 < reiffert> ecrist fell in love with a neighbour?
11:36 < ecrist> o.O
11:37 < mithridates> reiffert: reiffert did you play with mikhail's codes in this project?
11:38 -!- kyrixpower [n=ashley@91-114-141-43.adsl.highway.telekom.at] has joined ##openvpn
11:40 -!- kyrixstuff [n=ashley@80-121-50-148.adsl.highway.telekom.at] has joined ##openvpn
11:41 < krzee> issues in voipland eric?
11:41 < reiffert> mithridates: I was extending it, so that a history of the connections gets available and I was adding code so that the administrator is able to download .zip files containing a working openvpn config file with those certs required.
11:42 < mithridates> reiffert: woow nice
11:42 < mithridates> reiffert: do u wanna share it?
11:43 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote closed the connection]
11:44 < reiffert> mithridates: sure, but I need time for reviewing my code and extracting it from the original code.
11:45 < mithridates> reiffert: tnx , it's ok . I want to add somethings to this code , maybe a client interface
11:45 < mithridates> but I need to learn smarty
11:46 < reiffert> There is plenty of smarty code available, you will get it, once playing around with existing code.
11:47 < mithridates> reiffert: ok nice, when do u have enough time to review your code man?
11:48 < reiffert> I'm busy the whole next week.
11:48 < mithridates> reiffert: may be , we can make the new generation of ovpn gui web
11:48 < reiffert> nah, it deserves a rewrite from scratch. smarty sucks.
11:48 < mithridates> reiffert: :( can u send it to me without review? because I'm free in this week
11:49 < mithridates> why did he use fucking smarty
11:49 < mithridates> brb
11:51 < reiffert> another real pain in the ass is, that you have to drop off security considerations at so many places .. apache running as apache-user, openvpn running as nobody, write permissions in the key directory and such.
11:52 < krzee> should just put them in common group and use the group for perms
11:52 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
11:54 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
11:54 -!- mode/##openvpn [+o mattock] by ChanServ
11:54 < mithridates> reiffert: I felt that pain when I wanted to install it
11:56 < reiffert> You might solves this pain by the help of some wrappers or named pipes, but it just sucks that the user apache can add certificates to openvpn.
11:56 < mithridates> reiffert: what do u recommend me , in this way but better than it?
11:57 < reiffert> pay a guy as system engineer for adding certificates manually.
11:57 < reiffert> or do it yourself.
11:58 -!- Irssi: ##openvpn: Total of 91 nicks [1 ops, 0 halfops, 1 voices, 89 normal]
11:58 < mithridates> reiffert: Ouchhhhhh , why this is happening to me ??? lool
11:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection reset by peer]
11:58 -!- dunc_ [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
11:58 -!- kyrix [n=ashley@91-114-141-43.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
11:59 < reiffert> mithridates: Thats why I stopped developing openvpn-web-gui.
11:59 < reiffert> It will suck no matter what you do.
11:59 < mithridates> reiffert: why there is not any web based stuff for openvpn :((((
12:00 < ecrist> there is
12:00 < reiffert> mithridates: did you ever see web based stuff for bind nameservice? dhcpd? apache configuration?
12:00 < ecrist> see access-server
12:00 < mithridates> reiffert: no
12:01 -!- kyrixpower [n=ashley@91-114-141-43.adsl.highway.telekom.at] has quit [Connection timed out]
12:01 < mithridates> ecrist: there is but I should pay 5$ for each client
12:01 < reiffert> ecrist: how do they solve the horrible permission scenario?
12:01 < krzee> i agree there reiffert
12:01 < krzee> no reason to have the webgui making certs
12:01 < krzee> nor changing configs
12:01 < krzee> i like the idea to have it just be a web interface for management interface stuffs
12:01 < rob0> $5 / client doesn't sound bad to me, if value is added
12:01 < reiffert> krzee: it's kind of nice, but get back to pain and ass.
12:02 < ecrist> reiffert: it's a trade-off
12:02 < ecrist> the webserver has rights to all that stuff.
12:02 < mithridates> no I don't wanna make certificate , just I want to have a management interface for users , I can write some bash scripts to make certificate for my clients
12:02 < krzee> mithridates, already a nice perl one
12:03 < ecrist> mithridates: the amount of time you've spent asking for such, you likely could have written one
12:03 < krzee> !ssl-admin
12:03 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
12:03 < reiffert> ecrist: anything special like named pipes? wrappers? cronjobs looking for newly created certs?
12:03 < ecrist> not sure, haven't bothered installing it .
12:03 < ecrist> easier for me to say, ask for support from the people you paid money to
12:03 < reiffert> ecrist: cant believe that this is all they want to earn money with.
12:04 < ecrist> now, if the corp were to provide funding and some licenses, I don't mind being their support for that
12:05 < reiffert> ecrist: pardon? They gave you free licenses?
12:08 < reiffert> or do you offer to get some?
12:16 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Read error: 111 (Connection refused)]
12:27 -!- corretico_ [n=laguilar@201.201.46.106] has quit ["Leaving"]
12:31 < ecrist> if they gave me some, and would fund me, I'd provide support for it
12:32 -!- kyrixstuff [n=ashley@80-121-50-148.adsl.highway.telekom.at] has quit ["Leaving"]
12:32 -!- Mujtaba [i=4f7f0148@gateway/web/freenode/x-tyipyczurvhhewfg] has joined ##openvpn
12:32 < Mujtaba> Hello,  I am having a problem with OpenVPN
12:33 < Mujtaba> I get an error with the routing
12:33 < Mujtaba> I'm on Ubuntu Karmic
12:34 < Mujtaba> The error is : SIOCADDRT: No such process
12:34 < Mujtaba> The same config works on Windows on the same computer (inside VM) also works on other computers
12:35 < Mujtaba> I was told you can add a line to the config that would make the client wait before attempting
12:36 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
12:36 < reiffert> !logs
12:37 < vpnHelper> reiffert: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
12:46 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has quit [Read error: 60 (Operation timed out)]
12:47 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
12:49 < mithridates> Mujtaba: are u iranian?
12:50 < Mujtaba> y
12:50 < mithridates> :d me 2
12:50 < Mujtaba> lol
12:51 < mithridates> let me to read your msgs
12:52 < mithridates> Mujtaba: did you check your logs in the server side?
12:52 < mithridates> Mujtaba: would you paste that in pastebin.com ?
12:55 < Mujtaba> Well, I cannot access the server side scripts
12:55 < Mujtaba> But it is very odd, the very same script on the very same network works
12:55 < Mujtaba> It's probably a problem from the network-manager or something like that...
12:56 < krzee> !netman
12:56 < vpnHelper> krzee: "netman" is if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from an openvpn expert on the mail list
12:56 < mithridates> Mujtaba:  plz come to the pm
13:28 -!- Mujtaba [i=4f7f0148@gateway/web/freenode/x-tyipyczurvhhewfg] has quit [Ping timeout: 180 seconds]
13:40 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
13:41 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
13:41 -!- kyrix [n=ashley@80-121-50-148.adsl.highway.telekom.at] has joined ##openvpn
13:57 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit [Read error: 60 (Operation timed out)]
14:05 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit []
14:06 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
14:21 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
14:29 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has joined ##openvpn
14:38 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
14:39 -!- pfo_ [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
14:49 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has quit [Read error: 110 (Connection timed out)]
14:49 -!- pfo_ is now known as pfo
14:49 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
14:50 -!- Diffen [n=diffen2@78-82-118-208.tn.glocalnet.net] has quit [Operation timed out]
14:51 -!- Diffen2 [n=diffen2@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
14:55 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Connection timed out]
15:03 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit []
15:05 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
15:09 -!- Diffen2 [n=diffen2@78-82-118-208.tn.glocalnet.net] has quit [Read error: 110 (Connection timed out)]
15:17 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 54 (Connection reset by peer)]
15:17 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
15:24 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)]
15:25 < mithridates> how can I disconnect someone ?
15:46 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
15:59 < hyper_ch> revoke his key?
16:03 < mithridates> !revoke
16:03 < vpnHelper> mithridates: Error: "revoke" is not a valid command.
16:03 < mithridates> for example a client is connected , I want to disconnect him just now
16:03 < mithridates> is it revoking?
16:06 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:11 < agagag> i think revoking  is a bit more permanent
16:11 < mithridates> yes exactly
16:11 < mithridates> I'm talking about suspending a client
16:12 < mithridates> temporary
16:15 < agagag> block his ip? if he can not change it ofcource
16:16 < rob0> The management interface lets you do that.
16:16 < rob0> of course, the client might try to reconnect immediately.
16:23 < mithridates> rob0: which management?
16:25 < reiffert> mithridates: openvpn management | google
16:25 < rob0> No, see --management in the man page for better results. :)
16:26 < mithridates> tnx
16:26 < rob0> If you're not already using it, you will have to restart the server, which disconnects everyone.
16:26 < mithridates> rob0:  =)))) I like your solution but other clients will kill me
16:27 < reiffert> rob0: the above gets you right into the ovpn manpage btw.
16:27 < reiffert> rob0: sorry, http://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html
16:27 < vpnHelper> Title: Management Interface (at openvpn.net)
16:44 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn
16:50 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
17:09 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
17:14 -!- Intensity [i=[n4t3vNi@unaffiliated/intensity] has quit [Remote closed the connection]
17:27 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has joined ##openvpn
17:28 -!- lepine [n=leprecha@69-165-136-248.dsl.teksavvy.com] has joined ##openvpn
17:33 -!- rycar_ [n=rycar@adsl-76-228-202-253.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
17:34 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has quit [Read error: 60 (Operation timed out)]
17:34 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
17:36 -!- rycar_ is now known as rycar
17:50 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit ["Leaving"]
17:54 -!- lepine [n=leprecha@69-165-136-248.dsl.teksavvy.com] has quit [Read error: 110 (Connection timed out)]
17:55 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has left ##openvpn []
18:21 -!- dash123 [n=Aly@ool-4579da57.dyn.optonline.net] has joined ##openvpn
18:21 < dash123> can you run the server as a client?
18:21 < dash123> or can you access the server via the vpn like you normally would a client?
18:23 < reiffert> yes.
18:24 < dash123> oh great
18:24 < dash123> thanks
18:25 < dash123> im also having another problem
18:27 -!- dash [n=Aly@ool-4579c671.dyn.optonline.net] has joined ##openvpn
18:27 < dash> but when i go to click connect
18:28 < dash> it tries to access the dh parameters on the c: drive but i have the program installed on G:
18:28 < reiffert> edit the config.
18:29 < dash> durp
18:29 < dash> :P
18:29 < dash> also what is the proper device name? i also have another tap driver installed for hamachi and i need to specify which network device it is
18:30 < dash> i tried TAP-WIN32 Adapter V8 that didnt work....
18:30 < dash> is it just called Local Connection 5?
18:31 < reiffert> rtfm
18:31 < dash> nitfmdb
18:32 < dash> thats what the device is called by windwos
18:32 < reiffert> and guess whats written in tfm
18:32 < reiffert> Oh, how could I, you are actually guessing.!
18:33 -!- dash123 [n=Aly@ool-4579da57.dyn.optonline.net] has quit [Read error: 60 (Operation timed out)]
18:35 < dash> that is what the network card name is
18:35 < dash> thats what im saying
18:35 < dash> whats going to help me in the manual if exactly what the manual says isnt working
18:35 < reiffert> crying.
18:37 < dash> what are you doing here if your not going to help, this is an irc channel by the way
18:38  * rob0 shudders at the now-distant memory of Windows
18:38 < reiffert> People greet when they join irc channels.
18:38 < dash> in it for the greets eh?
18:38 < reiffert> dash: when you stopped crying, go back to reading whats written down for that problem you have.
18:39 < dash> nah its cool i just commented it out, thanks for the help dick
18:39 -!- dash [n=Aly@ool-4579c671.dyn.optonline.net] has quit [Read error: 104 (Connection reset by peer)]
18:40  * reiffert is a dick.
18:40 < rob0> That's MISTER dick.
18:41 < reiffert> Of course.
18:41 < rob0> This is something I'd like to bring up at the meeting. I get tired of clueless Windows questions on the mailing list. I'
18:42 < rob0> d participate more if there was a segregated list, Unix only.
18:42 < reiffert> just unsubscribe from -users...
18:42 < reiffert> well, thats what I did before joining #openvpn
18:43 < rob0> well yeah, but I don't mind helping people in general, just not the leeches and dead-weights
18:44 < rob0> (description seems to fit the average Windows user unfortunately)
18:49 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit []
19:08 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
19:15 -!- kyrix [n=ashley@80-121-50-148.adsl.highway.telekom.at] has quit ["Leaving"]
20:12 -!- number2 [n=number@75-173-241-97.clsp.qwest.net] has joined ##openvpn
20:22 < tjz> i haven't tried port-share
20:22 < tjz> can two openvpn process used the same 443 port?
20:22 < tjz> processes
20:22 < theDoc> tjz> No, I don't believe so.
20:25 < ecrist> no
20:37 < tjz> roger that
20:37 < tjz> :)
20:52 < rob0> but, IIRC it can be shared with another process such as httpd
20:52 < rob0> oh but you knew that
20:52 < rob0> (that's what port-share is, huh?)
20:59 -!- number2 [n=number@75-173-241-97.clsp.qwest.net] has quit [Read error: 110 (Connection timed out)]
21:03 -!- Bushmills [n=nnnBushm@verhau.de] has left ##openvpn ["Leaving."]
21:03 -!- Bushmills [n=nnnBushm@verhau.de] has joined ##openvpn
21:06 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: krzie, Rundll, corretico, bytesaber_, mrnice1, plundra, vpnHelper
21:06 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: jaek_, krphop, Optic, LobbyZ
21:07 -!- Netsplit over, joins: LobbyZ, jaek_, krphop, Optic
21:08 -!- Netsplit over, joins: Rundll, corretico, vpnHelper, krzie, bytesaber_, mrnice1, plundra
21:13 -!- rycar [n=rycar@adsl-76-228-202-253.dsl.bkfd14.sbcglobal.net] has quit ["Leaving"]
21:20 < tjz> rob0, maximum is 1 vpn to 1 https (443), i guess
21:20 < tjz> look like a ba-nana^netsplit..
21:32 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)]
21:42 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
22:30 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
22:31 < rawDawg> !welcome
22:31 < vpnHelper> rawDawg: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
22:56 -!- Leila_ [i=d9dae562@gateway/web/freenode/x-iiwdpwsxzmeulbuq] has joined ##openvpn
23:04 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
23:06 -!- tjz [n=tjz@unaffiliated/tjz] has quit [Read error: 104 (Connection reset by peer)]
23:25 < Leila_> i want to configure pptp server on suse 11.2 but i can't do. plz help me.    this files are rewured:   * /etc/modules.conf     * /etc/pptpd.conf     * /etc/ppp/options.pptpd     * /etc/ppp/chap-secrets
23:26 < Leila_> but i don/t have them????????????????/
23:26 < Leila_> thos
23:26 < Leila_> e
23:26 < rob0> um, this is not a channel for pptpd
23:28 < Leila_> ok. i want my clients in windows connected to open vpn server in linux, so i need to pptp
23:29 < Leila_> clients not to allowed to install app programs
23:32 -!- Leila_ [i=d9dae562@gateway/web/freenode/x-iiwdpwsxzmeulbuq] has left ##openvpn []
23:33 < rob0> yikes
23:48 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
--- Day changed Mon Jan 11 2010
00:08 -!- hyper_ch [n=hyper@84.226.239.178] has quit [Remote closed the connection]
00:13 -!- maodun [n=stopgo@114.243.119.42] has joined ##openvpn
00:17 < maodun> I'm trying to figure out why my openvpn connection isn't working. I'm trying to forward my net connection over openvpn (to bypass the Chinese firewall, if anyone cares). I'm watching tshark on both ends. ARP requests and DNS requests seem to be happening properly on both sides over my tap connection, but when I try to talk to a website, something goes amiss.
00:17 < maodun> The gateway / server is 10.8.0.1 and my client is 10.8.0.12.
00:18 < maodun> When I talk to a website (@ 174.132.x.y), I see the following in tshark.
00:18 < maodun> On the client side:
00:18 < maodun> 10.8.0.12 -> 174.132.x.y HTTP GET / HTTP/1.1
00:19 < maodun> On the server side, I see the same, followed by:
00:20 < maodun> 174.132.x.y -> 10.8.0.12 TCP [TCP segment of a reassembled PDU]
00:20 < maodun> 174.132.x.y -> 10.8.0.12 TCP [TCP segment of a reassembled PDU]
00:20 < maodun> so it looks like everything is going well, except the client side never sees those packets
00:21 < maodun> so the client keeps trying to reconnect to 174.132.x.y because it never hears anything, apparently
00:21 < maodun> all in all, the forwarding doesn't work
00:22 -!- Leila_ [i=d9dae562@gateway/web/freenode/x-iiwdpwsxzmeulbuq] has joined ##openvpn
00:22 < maodun> I don't know enough about openvpn / tshark / networking to know where the packets are getting lost - on the openvpn server? Between the openvpn server and client? On the client?
00:23 < maodun> Anyone have any ideas?
00:24 < maodun> Incidentally, krzee, I found that I can avoid the Bad Source message by using a tap connection instead of a tun connection. I don't know why.
00:24 < krzee> !iroute
00:24 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
00:25 < maodun> Eh? Does the distinction between tun and tap have something to do with iroute?
00:26 < krzee> Without the iroute entry you will find the following in your logfiles:
00:26 < krzee> MULTI: bad source address from client [IP ADDRESS], packet dropped
00:26 < krzee> IP ADDRESS in that case would be the machine on client LAN which tried to talk through vpn, because openVPN has no clue what that address is. Once you give it the iroute statement, that changes.
00:26 < krzee> (im pasting from !route)
00:27 -!- Leila_ [i=d9dae562@gateway/web/freenode/x-iiwdpwsxzmeulbuq] has quit [Ping timeout: 180 seconds]
00:27 < maodun> Yeah, but openvpn should be able to function without iroute, no?
00:28 < krzee> function yes, route packets back to clients that arent the vpn address of the client, no
00:29 < maodun> But, I don't need to route packets back to clients that aren't the vpn address of the client, do I?
00:29 < krzee> [00:24]  <maodun> Incidentally, krzee, I found that I can avoid the Bad Source message by using a tap connection instead of a tun connection. I don't know why.
00:29 < krzee> you said bad src message error, right?
00:29 < krzee> like:
00:29 < krzee> [00:26]  <krzee> MULTI: bad source address from client [IP ADDRESS], packet dropped
00:29 < krzee> right?
00:29 < maodun> Sure, we had a conversation about this a while back
00:30 < krzee> i talk to a lot of people about their problems, yours doesnt stick out to me right now
00:30 < maodun> and I wanted a solution other than using iroute, because I don't always know my client's addresses
00:30 < maodun> s/client's/clients'
00:30 < krzee> well its working for you now?
00:30 < maodun> it works with a tap device - you asked me to give you more information if I ever found out workarounds to the bad src problem (aside from iroute)
00:31 < maodun> so I'm giving you more information
00:32 < maodun> Well, doesn't matter. Different issue now, I just remembered you helped me and wanted to tell you how I finally "solved" it.
00:40 < krzee> oh i gotchya
00:40 < krzee> thanx
00:40 < krzee> i was thinkin bout that, curious about this:
00:40 < krzee> is ip forwarding enabled on that client?
00:43 < maodun> krzee: no
00:44 < maodun> should it be?
00:44 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
00:44 -!- mode/##openvpn [+o mattock] by ChanServ
00:46 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
00:46 < krzee> nah i was thinking maybe thats what does it
00:47 < krzee> (still wanna know why some clients talk over tun with their lan ip
00:47 -!- pfo_ [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
00:47 < krzee> )
00:49 -!- jaek_ [n=jaek@c-71-202-163-230.hsd1.ca.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
00:50 -!- jaek_ [n=jaek@c-71-202-163-230.hsd1.ca.comcast.net] has joined ##openvpn
00:51 -!- pfo_ [n=pfo@srv.gmi.oeaw.ac.at] has quit [Client Quit]
01:04 -!- tjz [n=tjz@unaffiliated/tjz] has joined ##openvpn
01:06 -!- hyper_ch [n=hyper@83-161.78-83.cust.bluewin.ch] has joined ##openvpn
01:12 -!- Intensity [i=[exNgvKL@unaffiliated/intensity] has joined ##openvpn
01:14 -!- dunc_ [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit ["Leaving"]
01:19 < jaek_> i thought the tap mode should provide broadcast capabilities... upnp broadcasts dont seem to be making it
01:24 < jaek_> SSDP broadcasts
01:28 < krzee> bridging as well?
01:28 < krzee> you can also get bcast over tun with
01:28 < krzee> !bcast
01:28 < vpnHelper> krzee: "bcast" is pptp source tree has bcrelay in it, bcrelay can be used to relay broadcasts over a tun setup
01:28 < jaek_> yeah, i have it configured for bridging right now
01:29 < krzee> well ya i would expect it to work too
01:30 < jaek_> SSDP might have a very low TTL time or something... i was testing it over 3.5G
01:32 < jaek_> you know of something simple i could use to test bcasts?
01:35 < krzee> try pinging  the bcast address maybe?
01:52 < jaek_> TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
01:52 < jaek_> this is what i get from a particular host
01:52 < jaek_> have a few others that work with the same config file
01:53 < krzee> firewall
01:53 < jaek_> i pray not...
01:54 < jaek_> i know it allows ssh and pptp thru
01:54 -!- Zap-W [n=z@77.124.136.234] has joined ##openvpn
01:54 < Zap-W> Hi
01:54 < Zap-W> can openvpn distribute IP addresses based on the authenticated username ?
01:54 < Zap-W> or based on info from the certificate of the user
01:54 < jaek_> that would be sweet
01:55 < krzee> Zap-W, either one
01:55 < krzee> !ccd
01:55 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
01:55 < krzee> !static
01:55 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
01:55 < krzee> !authpass
01:55 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
01:57 < jaek_> very interesting... dunno how to use that with my dd-wrt router
01:57 < Zap-W> krzee: nice
01:58 < Zap-W> !iporder
01:58 < vpnHelper> Zap-W: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
01:59 < jaek_> !ipp
01:59 < vpnHelper> jaek_: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
01:59 < jaek_> man some open firmware needs to make a complete interface for this
02:00 -!- pfo_ [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
02:03 < jaek_> anyone hear of client virtualbox guestissues?
02:06 < hyper_ch> no
02:07 < jaek_> i'm just really hoping it isnt the firewall... really wanted to use openvpn for this
02:12 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:13 -!- aep [n=aep@libqxt/developer/aep] has joined ##openvpn
02:14 < aep> hi. i can't get the handshake working,  any idea what to set to get more usefull debug hints? I get nothing relevant in syslog
02:15 < aep> that's the server log.  repeating it http://codepad.org/JQZ5JlBu
02:15 < vpnHelper> Title: Plain Text code - 14 lines - codepad (at codepad.org)
02:15 < aep> almost identical on the client
02:15 < aep> can't really see anything useful in there
02:15 < krzee> firewall or nat
02:16 < aep> i have a nat inbetween, indeed
02:16 < aep> should i forward something?
02:17 < krzee> the answer to that is the same as running ANY service
02:17 < aep> i'm not running the server behind a nat
02:17 < aep> but the client is
02:17 < krzee> ok well somehow the server isnt receiving any traffic
02:18 < krzee> so if your client is trying to contact the server at the right place (ip:port) then something is not allowing that in
02:18 < aep> um well, but it does see the initial request from the client
02:18 < aep> thats the server log i posted
02:18 -!- LobbyZ [n=default@main.lobbyzffs.com] has quit [Read error: 104 (Connection reset by peer)]
02:18 < krzee> o tru
02:18 < krzee> !logs
02:18 < vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
02:19 < aep> verb 6.  will do
02:19 < jmm> hi.
02:22 < aep> server: http://codepad.org/HvxggJj0    client: http://codepad.org/GeBn2RCP
02:22 < vpnHelper> Title: Plain Text code - 236 lines - codepad (at codepad.org)
02:23 < aep> it writes stuff fine and all sudden decides to close oO
02:28 -!- Zap-W [n=z@77.124.136.234] has quit [Read error: 54 (Connection reset by peer)]
02:35 -!- LobbyZ [n=default@main.lobbyzffs.com] has joined ##openvpn
02:38 -!- pfo_ [n=pfo@srv.gmi.oeaw.ac.at] has quit []
02:40 < aep> krzee: well any idea on that one?
02:41 < aep> most google results i get have a more usefull entry in thr log
02:52 < aep> actually the log is larger.  at the top it verfies on both sides that the remotes cert is fine
02:57 < aep> huh. switched to udp and everything works just fine
03:01 -!- fulat2k [n=fulat2k@142.12.111.218.klj01-home.tm.net.my] has joined ##openvpn
03:01 < fulat2k> !welcome
03:01 < vpnHelper> fulat2k: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:01 < fulat2k> !forum
03:01 < vpnHelper> fulat2k: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
03:03 -!- master_o1_master [n=master_o@p57B54B98.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)]
03:04 < fulat2k> hi folks, i've configured openvpn to use freeradius+mysql to authenticate users.  using the same setup, is it possible to assign ips or other attributes from the radius server to openvpn?
03:05 < reiffert> Quite intresting question.
03:05 < reiffert> try asking the -devel mailinglist.
03:06 < fulat2k> reiffert: cool.  thx for the pointer
03:07 -!- master_of_master [i=master_o@p57B547AC.dip.t-dialin.net] has joined ##openvpn
03:10 < fulat2k> so even with radius/ldap authentication, post auth attributes are still controlled via the server config?
03:13 -!- LobbyZ [n=default@main.lobbyzffs.com] has quit ["Free FTW"]
03:14 -!- LobbyZ [n=default@main.lobbyzffs.com] has joined ##openvpn
03:26 < aep> can i give the server a fixed address? it seems to rotate and i have no clue how to set routes based on that
03:26 < aep> actually what the hell are those routes it adds by default. they make no sense
03:26 < fulat2k> darn, can't post to devel mailling list
03:38 -!- Zordrak__ is now known as Zordrak
03:41 -!- dazo_afk is now known as dazo
03:52 -!- mode/##openvpn [+o dazo] by ChanServ
03:52 -!- dazo changed the topic of ##openvpn to: OpenVPN Community Forum Monday, Jan 11 1900UTC  on #openvpn-discussion | OpenVPNn Development Forum Tuesday, Jan 12 1900UTC on #openvpn-discussion | OpenVPN 2.1.1 most current. | Type !welcome before asking your questions.
03:52 -!- mode/##openvpn [-o dazo] by ChanServ
03:54 -!- mode/##openvpn [+o dazo] by ChanServ
03:54 -!- dazo changed the topic of ##openvpn to: OpenVPN Community Forum Monday, Jan 11 1900UTC  on ##openvpn-discussion | OpenVPNn Development Forum Tuesday, Jan 12 1900UTC on ##openvpn-discussion | OpenVPN 2.1.1 most current. | Type !welcome before asking your questions.
03:54 -!- mode/##openvpn [-o dazo] by ChanServ
03:59 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
04:03 < fulat2k> reiffert: saw this: http://openvpn.net/archive/openvpn-devel/2007-04/msg00001.html.  any idea if that's been implemented?
04:11 < dazo> fulat2k:  I believe most installations which includes RADIUS does it via tha auth-pam plug-in ... I've not registered much "traffic" in regards to a native RADIUS plug-in
04:12 < dazo> fulat2k:  so, the features mentioned here is not implemented anywhere afaik
04:20 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
04:38 < fulat2k> dazo: does the native auth-pam plugin work?  i can't seem to find any documentation on it.  any pointers would be greatly appreciated
04:40 < dazo> fulat2k:  the auth-pam should work, I've never configured it myself, but there is a read me file in the source tree ... a lot of users use it, so I don't think that should be too difficult to configure  though .... but how to get RADIUS to do auth via PAM is another chapter, where I'm definitely not the guy to ask
04:40 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)]
04:46 -!- d12fk [n=heiko@vpn.astaro.de] has joined ##openvpn
04:58 -!- dyzdyz [n=dyzdyz@ch49172.petrus.pl] has joined ##openvpn
05:02 -!- theDoc [n=hex@69.10.59.166] has joined ##openvpn
05:04 < fulat2k> dazo: yeah, i'm strictly looking at radius to do pam for ovpn.  thing is backend need not be radius.  could be anything (even pam_mysql or ldap).  i just need to be able to push the user's attributes from the backend to openvpn.
05:04 < fulat2k> any ideas?
05:05 < dazo> fulat2k:  you mean to do ccd stuff via a back-end?
05:09 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:14 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
05:19 < fulat2k> dazo: i'm guessing ccd == auth/properties management :), if so, then yes :)
05:20 < dazo> fulat2k:  ccd == client-config-dir .... so if you mean configuration parameters for specific users, then this is not supported via other channels than --client-config-dir now
05:24 < fulat2k> dazo: ahh.....
05:24 < fulat2k> dazo: and darn :(  thanks for the pointer.  will read up on that
05:38 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit []
05:43 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
06:21 < fulat2k> has anyone here implemented bandwidth limiting for openvpn?
06:21 -!- alibaba [n=xerox@goliath.hantsch.co.at] has joined ##openvpn
06:22 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
06:22 -!- rwscott [n=rwscott@207.236.169.155] has joined ##openvpn
06:22 < alibaba> hello, I kindly please for your help. I had openvpn running since some months. Now, suddenly, it does not work any more, the client shows no tun0 interface.
06:22 < dazo> fulat2k:  not in openvpn .... that's usually managed best by the OS ... in Linux I believe 'tc' is the command to set the qdisc's profiles correct
06:23 < dazo> alibaba:  what did you change?
06:23 < alibaba> Really nothing.
06:23 < dazo> alibaba:  I don't believe you .... nothing stops working automatically .... something must have changed :)
06:24 < alibaba> I had to reboot it and now it doesn't work any more.
06:24 < alibaba> I have automated online updates activated, maybe they changed something?
06:24 < dazo> alibaba:  yeah, or that you did not enable something automatically in boot scripts
06:25 < alibaba> I entered "rcopenvpn start" and I see the daemon in 'ps auxw'
06:27 < alibaba> TLS Error: TLS key negotiation failed to occur within 60 seconds   This is what I get
06:28 < |Mike|> lol
06:28 < |Mike|> err, wrong window.
06:29 < dazo> heh
06:30 < fulat2k> dazo: hmm... so it's still tc... :)
06:30 -!- pfo_ [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
06:31 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit [Read error: 104 (Connection reset by peer)]
06:31 -!- pfo_ is now known as pfo
06:31 < alibaba> dazo: Can you help me, please?
06:32 < dazo> alibaba: first of all ... I'm at work, and can't always respond immediately .... secondly ... we need !logs and !configs on a !pastebin
06:32 < dazo> !logs
06:32 < vpnHelper> dazo: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
06:32 < dazo> !configs
06:32 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
06:32 < dazo> !pastebin
06:32 < vpnHelper> dazo: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
06:32 < fulat2k> !route
06:32 < vpnHelper> fulat2k: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
06:33 < dazo> alibaba:  and please .... do not paste configs or logs on irc .... or I'll strangle you immediately .... ;-)
06:33 < dazo> fulat2k:  yeah, still tc afaik
06:34 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit [Client Quit]
06:34 < fulat2k> dazo: was hoping ovpn can provide all the user/cert/bandwidth management in one nice package :)
06:34 < dazo> fulat2k:  it's a lot of things which could be put into openvpn ... but why do it when other parts can do it just as well, if not even better .... that's the unix philosophy, small modules which does a simple task and does it very well
06:35 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
06:38 < dazo> openvpn is supposed to do one thing .... create secure VPN connections between two computers .... and it does that very well, then openvpn just needs to be stacked with those modules which solves your needs
06:40 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
06:40 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:43 -!- dyzdyz [n=dyzdyz@ch49172.petrus.pl] has quit [Read error: 110 (Connection timed out)]
06:48 < ecrist> good morning
06:49 < dazo> morning!
06:49 < fulat2k> dazo: that's true. :)
06:49 < theDoc> Good evening to you all. o/
06:49 < ecrist> dazo, no need for +o to change topic
06:50 < dazo> ecrist:  ahh ... earlier I got my fingers smacked when I tried to do it :)
06:50 < ecrist> really?
06:50 < dazo> yeah, I had to do +o to be able to update it ... but its a while since I experienced the smacking, so I just do it automatically now
06:51 < ecrist> no worries
06:53 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit []
06:59 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
07:01 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 60 (Operation timed out)]
07:09 -!- fulat2k [n=fulat2k@142.12.111.218.klj01-home.tm.net.my] has quit ["Leaving."]
07:10 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:10 -!- bootlaces [n=bootlace@unaffiliated/bootlaces] has joined ##openvpn
07:21 < alibaba> dazo: I had a meeting, now I can start supplying you the infos you need.  Here the server side:  http://pastebin.com/dc57d3e9
07:23 < alibaba> dazo: This is the client side:   http://pastebin.com/dd7e41e9
07:25 < alibaba> dazo: Do you need further details?   The server has a device tun0 visible. The firewall is configured to let port 1194 come in  (UDP+TCP).  The client has no tun0 visible.
07:26 < dazo> alibaba:  I'll look asap on it ... in the middle of something right now
07:28 < Holister> is there a mac client?
07:28 < alibaba> I only use Linux.
07:28 < Holister> same here....someone asked at work....
07:29 < alibaba> Holister: How good is your knowledge with openvpn?
07:30 < alibaba> (server+client)
07:31 < Holister> so-so
07:31 < alibaba> My one is almost no-no ... ;)
07:32 -!- zxd [n=marceloa@95.211.21.34] has joined ##openvpn
07:32 < zxd> hi
07:32 < zxd> where do I write down the passphrase for my password protected pkcs12  certificate
07:42 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
07:49 -!- APTX|_ [n=APTX@chello089076052083.chello.pl] has joined ##openvpn
07:51 < ecrist> you don't.
07:51 -!- APTX|_ [n=APTX@chello089076052083.chello.pl] has quit [Remote closed the connection]
07:52 -!- APTX|_ [n=APTX@chello089076052083.chello.pl] has joined ##openvpn
07:52 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit [Read error: 104 (Connection reset by peer)]
07:53 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
07:54 < dazo> alibaba:  your server log and client log don't match too well ... there's no trace after the client trying to connect there ....
07:56 -!- ycy_ [n=mb@131.179.136.74] has joined ##openvpn
07:56 < ycy_> hi
07:56 < ycy_> I have a strange problem
07:56 < ycy_> i correctly setup openvpn server
07:57 < ycy_> on a client, I correctly configured openvpn and then I launch openvpn with openvpn --config client.conf
07:57 < ycy_> and then I keep receiving
07:57 < ycy_> TLS Error: Unroutable control packet received
07:57 < ycy_> what should I do?
07:57 < alibaba> dazo: what shall I change in the config?
07:59 < dazo> alibaba:  first of all .... have you shared the _complete_ log files?
07:59 < dazo> alibaba:  it looks like a lot is missing
07:59 < dazo> alibaba:  make sure verb is set to 4 in the configs (--verb 4)
08:00 < dazo> alibaba:  preferably from scratch empty log files .... by using --log
08:00 < dazo> alibaba:  and provide the complete output ... that gives a better indication
08:00 < krzee> ycy_,
08:00 < krzee> !configs
08:00 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
08:00 < alibaba> I made a marker into every log, then I restarted the openvpn service and sent you everything that came afterwards.
08:00 < krzee> !logs
08:00 < vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
08:01 < dazo> alibaba:  well, then verb 4 is needed for sure
08:01 < krzee> 4 at least
08:01 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
08:01 < krzee> i usually say 5 or 6
08:01 < alibaba> I have verb5 inside. Isn't that even more verbose?
08:01 < krzee> 6 helps find firewall issues
08:01 < krzee> ya 5 is more verbose
08:04 < dazo> krzee:  with 5 or 6, you get much more info which is more useful when needing to debug the core network traffic over the tunnel .... 4 gives rRwW with info of which side is writing or reading data
08:04 < dazo> alibaba:  yeah 5 is enough
08:04 < dazo> alibaba:  and remember to restart your openvpn services
08:05 < alibaba> Sure. Here is the entile log (level 5) after restarting the server side.
08:05 < alibaba> http://pastebin.com/d6adeb330
08:06 < alibaba> Is this ok or shall I increase the loglevel?
08:06 < dazo> 5 is more than enough
08:09 < alibaba> And here the log of the client: http://pastebin.com/d65b9293c    (It loops between the WWWWWWWWWWW sections...)
08:09 < krzee> 4 gies RWRW? i thought that was 5
08:11 < dazo> krzee:  4 too :)
08:11 < alibaba> I swear, I didn't touch the config files within last 2 months. Today the VPN suddenly was slow, so I restarted the client, and since then I have no tun0 any more.
08:12 < krzee> you shouldnt have tun unless you have openvpn running (unless you created a static device)
08:12 < dazo> alibaba:  the tun interface is created when openvpn starts .... and if it stops due to an error, it's usually gone again
08:13 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
08:13 < dazo> alibaba:  please make sure the client is connecting against the proper IP address .... looks like there is no traffic at all on the server
08:13 < reiffert> dazo: will it get created even when the directory /dev/net is missing?
08:14 < alibaba> Sure. I have entered the static IP of my server. I am also currently not at the client, I have a ssh to it. But I need vpn to access all files there.
08:15 < dazo> reiffert:  nope ... you do need /dev/net
08:15 < dazo> on Linux, that is
08:15 < dazo> alibaba:  do you have the tun module loaded?
08:16 < rob0> I do.
08:17 < reiffert> dazo: which might be worth adjusting in a upcoming release.
08:17 < krzee> moin moin reif
08:18 < reiffert> the krzee, moin!
08:18 < krzee> asjusting it how? dynamicly load the tun driver?
08:18 < alibaba> dazo:  This is openSuSE 11.1 (fyi). I cannot remember that I had to load something lik ethat in the past.
08:18 < reiffert> krzee: adjusting as in: get rid of /net/ in /dev/net
08:18 < krzee> ahh, thats os specific tho
08:18 < krzee> bsd and osx do it different than linux
08:19 < krzee> bigboy-2:~ Jeff$ ls -ls /dev/tun*
08:19 < krzee> 0 crw-rw----  1 root  wheel   19,   0 Jan 11 08:19 /dev/tun0
08:19 < krzee> 0 crw-rw----  1 root  wheel   19,   1 Jan 11 08:19 /dev/tun1
08:20 < reiffert> thats the way it should work with linux, without paying attention to what others say on google.
08:20 < krzee> i agree
08:21 < dazo> krzee:  in Linux the user space tools use /dev/net/tun to create/modify/remove tun/tap network devices .... there are no /dev/tunX devices in Linux
08:21 < krzee> but theres a few things that i like more about fbsd hier than linux
08:21 < krzee> dazo, yup i think i misunderstood what he meant in the very beginning (thought he meant future release of openvpn, vs something linux specific)
08:21 < reiffert> Another approach should be getting a sane error message from openvpn "Cant create tun0 special device, because /dev/net is not available". I can remember some releases where you get certification bio messages when there is no /dev/net.
08:22 < alibaba> Ok. From my point of view, the server side is fine (as it shows a tun0 device).  Can somebody help me with the client now, please?
08:22 < krzee> ya openvpn could use some better error messages
08:22 < krzee> alibaba, did you post !configs and !logs?
08:23 < alibaba> Meanwhile I losted them twice.
08:23 < alibaba> ... posted ...
08:23 < krzee> cool, i found client log, wheres server log?
08:23 < krzee> and wheres the configs?
08:23 < krzee> ahh found server log now
08:24 < Bushmills> alternatively, ls -ls /dev/net/tun*
08:24 < krzee> looks like firewall on server, client cant communicate with it at all
08:24 < krzee> firewall or nat i mean
08:25 < alibaba> Server side: http://pastebin.com/dc57d3e9     Client side: http://pastebin.com/dd7e41e9
08:25 < alibaba> Was at 14:23 today. ;)
08:26 < alibaba> On top you see the log, at the end the config file
08:26 < krzee> its only 8:25, you posted them in 6 hours
08:26 < zxd> do I need server 10.8.0.0 255.255.255.0  if I want to use fixed VPN ip addresses for clients ?
08:26 < alibaba> Ha, time difference!   I am GMT+1
08:26 < reiffert> krzee: so one hour ago...
08:26 < alibaba> yessss
08:27 < krzee> zxd, yes,
08:27 < krzee> !static
08:27 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
08:28 < krzee> alibaba, 10.0.0.0 is behind server and 10.1.0.0 behind client?
08:28 < alibaba> yes.
08:28 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit [Read error: 104 (Connection reset by peer)]
08:28 < krzee> 10.1.0.0 iroute entry in clients ccd file, right?
08:29 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
08:29 < alibaba> This is in the ccd file:    iroute 10.1.0.0 255.255.0.0
08:29 < krzee> ok
08:30 < krzee> server is on a LAN ip, correct?
08:30 < krzee> (as opposed to an external ip)
08:30 < alibaba> What do you mean?
08:30 < krzee> ifconfig shows an ip in 10.0.0.0/24 range
08:30 < krzee> on the server
08:30 < alibaba> The server is also firewall etc.  It has two NICs, one for LAN, one for WAN.
08:31 < krzee> ok, i dont believe the firewall has the openvpn ip:port/udp open
08:31 < krzee> you can see the client opens a connection, writes writes writes, server sees nothing
08:31 < krzee> its your firewall =]
08:31 < alibaba> On server side?
08:31 < krzee> yes
08:32 < krzee> unless its a firewall on the client blocking outbound...
08:32 < alibaba> Let me verify...
08:32 < krzee> (less common)
08:33 < alibaba> Does the open port appear to nmap?
08:33 < alibaba> I can run nmap from the client against my server?
08:34 < krzee> depends on something in configs, lemme check
08:34 < krzee> ya yours should
08:34 < krzee> with this it wouldnt:
08:34 < krzee> !hmac
08:34 < vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
08:34 < vpnHelper> krzee: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
08:34 < alibaba> Ok, then the port is closed.
08:35 < krzee> well ya
08:35 < krzee> didnt i say that?
08:35 < krzee> ;]
08:35 < alibaba> But nmap doesn't show  996 filtered ports.
08:36 < krzee> *shrug* fix your firewall for your ovpn setup
08:36 -!- dunc [n=dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
08:37 < Bushmills> did you scan udp (assuming that you server has been configured to use udp)?
08:37 < krzee> either way, its the firewall
08:37 < krzee> or wrong ip (im unable to verify that for you)
08:40 < alibaba> No.  I definitely have 1194 in the list of open UDP services in the firewall.  I'll switch to TCP, if this is better?
08:40 < Bushmills> no
08:40 < krzee> !tcp
08:40 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
08:40 < krzee> !firewall
08:40 < vpnHelper> krzee: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
08:40 < Bushmills> most likley not helping you with your problem, but instead introducing other ones
08:40 < krzee> see #1
08:42 < krzee> mattock, http://openvpn.net/man#lbBD doesnt rewrite the #lbBD marker
08:42 < dazo> alibaba:  you must have something blocking the traffic somewhere ... the server do not get any connection attempts
08:42 < krzee> alibaba, http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html#lbBD
08:42 < vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net)
08:43 < alibaba> Hmm. Could you try to test if my server has 1194 open?   212.186.160.15
08:44 < zxd> what's the difference between iroute and route
08:44 < krzee> !iroute
08:44 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
08:47 < Bushmills> alibaba: closed
08:48 < rob0> A UDP port scan can't really tell the difference between a dropped packet and an openvpn server.
08:49 < krzee> right, which is why i checed his config
08:49 < krzee> its not using hmac sigs, so not dropping packets
08:49 < rob0> alibaba did have tcp/1194 closed, though, while other ports around it were dropped.
08:50 < Bushmills> i used netcat -u  on it
08:51 < Bushmills> difference is that with port open, an Enter exits, close ports hang waiting
08:52 < rob0> s/dropped/filtered/ in nmap terms
08:53 < Bushmills> though that's also not a very reliable method
08:55 < zxd> is it possible to have multiplie clients on the same machine connecting to different servers?
08:56 < krzee> zxd, yes
08:56 < alibaba> I changed now - for testing - to tcp and nmap shows me that port 1194 is open.
08:57 < alibaba> So if I change now the client, too, should it work?
08:57 < zxd> krzee, I just put in multiple  remote entries on the same client.conf file? or do I need to load it with different .conf files?
08:57 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit []
08:57 < krzee> 2 different
08:57 < krzee> 2 remotes will have 1 client rotate which it tries
08:57 < krzee> randomly if you choose
08:58 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
09:04 < alibaba> Hmm - After changing to tcp, I tried a telnet <ip-of-server> 1194   and received some little packages of crap. So I guess it answers to my client. Though, I get no tun0 device after restarting the client. :(
09:07 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:09 -!- rwscott [n=rwscott@207.236.169.155] has quit [SendQ exceeded]
09:09 -!- rwscott [n=rwscott@207.236.169.155] has joined ##openvpn
09:11 < alibaba> Stupid questions:  Do the certificates of openvpn expire?
09:12 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
09:13 -!- yrashk [n=yrashk@S010600179a2767ab.vc.shawcable.net] has quit [Read error: 104 (Connection reset by peer)]
09:17 < rob0> A better approach than to switch to TCP might be to fix the firewall to allow UDP.
09:19 < alibaba> I have currently both open: UDP and TCP. And openvpn was configured to use UDP. This worked until today morning, then slowly, and after rebooting client it didn't work any longer.
09:19 < rob0> SSL certificates (which is what openvpn uses) do have expiration dates, yes.
09:19 < vpnHelper> New forum entry openvpnforum: Configuration :: Re: Reporting scripts :: Reply by george <http://www.ovpnforum.com/viewtopic.php?f=6&t=375&p=2813#p2813> || Configuration :: Re: openvpn and samba, can't browse shares :: Reply by george <http://www.ovpnforum.com/viewtopic.php?f=6&t=1234&p=2814#p2814>
09:20 < alibaba> How long are these dates? ~2-3 months?
09:21 < rob0> These dates are what you set them to be when you created the cert.
09:21 < alibaba> Have you read the logs I posted?
09:22 < alibaba> Do they look like an expired cert?
09:22 < krzee> paste your firewall rules
09:23 < alibaba> You are familiar with SuSEFirewall2 ?  There I only have to enter FW_External_UDP="1194" and restart it (through a script).
09:24 < alibaba> But this works, I know that.
09:24 < krzee> im sure it uses iptables, right?
09:24 < krzee> !iptables
09:24 < vpnHelper> krzee: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall
09:24 < alibaba> It is an uptodate distro.
09:25 < alibaba> Yes it does.
09:26 < Bushmills> here is its sucks/rules ratio graph:  http://stats.verhau.de/localdomain/localhost.localdomain-rulesuckratio-month.png
09:27 -!- yrashk [n=yrashk@S010600179a2767ab.vc.shawcable.net] has joined ##openvpn
09:27 < krzee> lol
09:27 < krzee> whats actually being graphed?
09:27 < alibaba> good question. :)
09:28 < zxd> how do I run a script once a tun interface goes up , like enabling proxy arp
09:28 < Bushmills> http://scarydevilmonastery.net/munin/rulesuckratio
09:28 < krzee> you want proxy arp?
09:28 < krzee> theres a few places to run scripts, you likely want --up
09:29 < Bushmills> in  rating() the calculation is done
09:29 < zxd> krzee, yes I want proxy arp
09:30 < krzee> hahah nice Bushmills
09:31 < zxd> krzee, does it pass tun interface name as argument to the script?
09:31 < krzee> check the manual
09:31 < krzee> !man
09:31 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
09:32 < krzee> theres a section for external scripts, a piece on --up, environment vars section, etc
09:32 < krzee> everything you could need =]
09:32 < Bushmills> krzee: albeit a very rough metric, the results appear to match user opinions
09:33 < krzee> toss in osx
09:33 < Bushmills> freebsd, gentoo, slackware and debian tops, windows bottom, sounds about right
09:34 < Bushmills> note how windows experienced a temporary boost when win7 came out
09:34 < Bushmills> though it's on the decline again
09:34 < Bushmills> oh sorry, needs year graph:  http://stats.verhau.de/localdomain/localhost.localdomain-rulesuckratio-year.png
09:35 < krzee> whoaa
09:35 < krzee> ya they definitely improved for a bit
09:36 -!- steelnwool [n=jeff@204-232-209-119.static.cloud-ips.com] has joined ##openvpn
09:36 < steelnwool> !welcome
09:36 < vpnHelper> steelnwool: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:37 < steelnwool> hello
09:37 < krzee> hey
09:37 < steelnwool> I've just setup openvpn ussing the how to. using viscosity as the client. my server is 10.8.0.1 via tun, my client received 10.8.0.6
09:38 < steelnwool> if my client is running ssh, should i expect the server to be able to ssh to it?
09:39 < krzee> if the ssh server on * ip, and no firewall, yes
09:39 < steelnwool> oddly enough the ssh server will ask me for a password but won't let me in. also, if i run a webserver on the client, i can't get to it with the server.. but can locally. [typing more]
09:40 < steelnwool> i can't ping the server from my client, but i can ping the client from my server...
09:40 < krzee> makes me think the client has a firewall
09:40 < steelnwool> so it would seem things are "mostly working"..
09:41 < reiffert> ah, viscosity seems to be another openvpn gui client for OS X.
09:41 < steelnwool> yeah.
09:41 < steelnwool> just checked client, no firewall.
09:41 < krzee> !osx
09:41 < vpnHelper> krzee: "osx" is (#1) http://www.viscosityvpn.com/ (PAY), or (#2) http://www.tunnelblick.net/ (FREE)
09:41 < steelnwool> likewise if i ssh or http to my client from within my own lan, everything works fine.
09:41 < steelnwool> i chekced to see what IP's apache and ssh bind to on the client and they bind to everything.
09:41 < krzee> you ssh'ing by vpn ip?
09:41 < steelnwool> yeah.
09:42 < krzee> ssh listening on * ip?
09:42 < robotti^> reiffert: viscosity is nice
09:42 < steelnwool> and like i said, ssh actually does ask for a password, so there is some sort of handshake going on there.
09:42 < krzee> ahh
09:42 < reiffert> oh, payware, why do we list it on !osx?
09:42 < steelnwool> krzee: yes.
09:42 < robotti^> It is good
09:42 < krzee> reiffert, up to the user
09:42 < robotti^> and it is quite cheap :)
09:42 < reiffert> krzee: advertisment for payware?
09:42 < steelnwool> also, i was told tunnelblick has "issues" so i just skpped it and dropped the 9 bucks.
09:43 < krzee> ad for 2 choices of apps people seem to like that take standard openvpn configs
09:43 < krzee> 1 is pay 1 is free
09:43 < krzee> personally i use niether
09:43 < zxd> I can't get any networks routed via the tun0 interface
09:43 < steelnwool> anyways krzee, all that ssh/apache cleint stuff, lets ignore that, i'll make my question alot more simple : I can ping form the server to client, but not client to server.
09:43 < zxd> tcpdump shows the traffic being routed to the tun0 interface
09:43 < zxd> but I dont see the traffic on the other side
09:44 < reiffert> krzee: I really dislike the idea of running ads for payware I dont own.
09:44 < krzee> and that sounds like firewall on server
09:44 < steelnwool> krzee: if i ping the server/ssh the server from elsewhere inside its own network, things work tho. I did not setup/configure a firewall.
09:44 < krzee> reiffert, is !osx having that link you running ads for payware you dont own?
09:45 < reiffert> krzee: jup.
09:45 < krzee> steelnwool, from the manual:
09:45 < krzee> iptables -A INPUT -i tun+ -j ACCEPT
09:46 < krzee> iptables -A FORWARD -i tun+ -j ACCEPT
09:46 < robotti^> what is problem? :)
09:47 -!- steelie [n=devel1@dns1.suite2101.com] has joined ##openvpn
09:48 < krzee> reiffert, but i dont see how, you have the choice to make it show up or not, you can just use !mac
09:48 < steelie> krzie: sorry, the machine steelnwool is on just died this is me.
09:48 < krzee> !mac
09:48 < vpnHelper> krzee: "mac" is Use Tunnelblick for the Mac. (http://code.google.com/p/tunnelblick/)
09:48 < steelie> can you repaste that iptables thing.
09:48 < krzee> =]
09:48 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
09:48 -!- mode/##openvpn [+v Kas] by ChanServ
09:48 < krzee> steelie,
09:48 < krzee> [09:45]  <krzee> steelnwool, from the manual:
09:48 < krzee> [09:45]  <krzee> iptables -A INPUT -i tun+ -j ACCEPT
09:48 < krzee> [09:46]  <krzee> iptables -A FORWARD -i tun+ -j ACCEPT
09:48 < steelie> thanks.
09:48 < steelie> can you URL me on w here oyu found that.
09:48 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
09:49 < krzee> !man
09:49 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
09:49 < krzee> in section named FIREWALLS
09:49 < reiffert> krzee: Allright, I can live with that.
09:49 -!- steelnwool [n=jeff@204-232-209-119.static.cloud-ips.com] has quit [Read error: 60 (Operation timed out)]
09:49 < steelie> krzee: thanks.
09:49 < krzee> np
09:50 < vpnHelper> New forum entry openvpnforum: Configuration :: Re: OpenSUSE 11.1 service command issues :: Reply by george <http://www.ovpnforum.com/viewtopic.php?f=6&t=391&p=2815#p2815>
09:50 < steelie> however i'm not running any firewalls ON this machine. there is a SSG5 in front of it, but i'm already past that part since the VPN did connect.
09:50 -!- alibaba [n=xerox@goliath.hantsch.co.at] has quit [Read error: 110 (Connection timed out)]
09:51 -!- alibaba [n=xerox@goliath.hantsch.co.at] has joined ##openvpn
09:51 < alibaba> Hi, I restarted now my server after doing an online update, therefore I was away for some time.
09:52 < steelie> krzee: ah ha... last line of troubleshooting from the HOWTO - its about one way connections. says my firewall is likly blocking outgoing UDP or something.
09:52 < steelie> loooking into that now.
09:52 < alibaba> This reboot solved nothing, but then I disabled the compression. Oh wonder, now it works again!
09:53 -!- steelnwool [n=jeff@204-232-209-119.static.cloud-ips.com] has joined ##openvpn
09:54 < steelnwool> huh, rackspace must have had an outage.
09:54 -!- steelie [n=devel1@dns1.suite2101.com] has quit ["leaving"]
09:56 < steelnwool> krzie: it says this in the how to : The firewall can either be (a) a personal software firewall running on the client, or (b) the NAT router gateway for the client. Modify the firewall to allow returning UDP packets from the server to reach the client.
09:57 < steelnwool> does that mean open udp 1194 in my firewall to the ip of my client? that seems like it would raise issues if i had multiple clietns wanting to use VPN's at my client site.
09:57 -!- dragoin [n=dragoin@81.19.35.122] has joined ##openvpn
09:58 < dragoin> Hi, I have a problem... with VPN
09:59 < le0> youre in the right place then
09:59 < Bushmills> dragoin: did you say "openvpn"?
09:59 < dragoin> I connect throuth vpn, and i get ip address. problem is in settings DNS servers for "transfer" ip
10:00 < dragoin> sry my eng is bad
10:00 < dragoin> jj openvpn
10:00 < dragoin> i have ubuntu 9.10
10:00 < Bushmills> !ubuntu
10:00 < vpnHelper> Bushmills: "ubuntu" is dont use network manager!
10:00 < dragoin> i know...
10:01 < le0> you need to get scripts to grab your DNS settings from the VPN host
10:01 < Bushmills> where is the dns you're using?
10:01 < le0> and execute them upon connecting / disconnecting
10:02 < dragoin> le0: and where i donwload it? i am laik.
10:02 < le0> i found some a while back
10:02 < le0> sec
10:03 < dragoin> bushmills: that is i dont know... or pls repeat qu
10:03 -!- Kasx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 110 (Connection timed out)]
10:04 < Bushmills> is your intention to use a different dns after connection, or are you unable to query to your usual dns after vpn connection?
10:04 < dragoin> then connect... i can ping destination...
10:05 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit []
10:07 < dragoin> or dont ping  ,google.com ,
10:07 < dragoin> etc.
10:08 < Bushmills> do you redirect your internet traffic through vpn server?
10:08 < dragoin> ok, again, after vpn connection, i need internet...
10:09 < dragoin> i connecting to my school, because school have a licence ip address to database
10:10 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
10:11 < dragoin> Bushmills:i dont know, where, or how i detect
10:11 < dragoin> maybe, this is a problem...
10:11 < dragoin> but i fail it do this...
10:12 < Bushmills> if you don't know, you better don't mess with the config
10:12 < Bushmills> little angry man may appear and chide you.
10:13 < dragoin> so sorry... but
10:14 < alibaba> Ha, it works again! :)   This crazy online updates overwrote my firewall settings! 8O
10:14 < Bushmills> alibaba <3 SuSE
10:14 < dragoin> i am agonized. that all
10:15 < dragoin> i use openvpn... and setings from school
10:15 < alibaba> Bushmills: Believe me: Everything is better than debian.
10:15 < Bushmills> SuSE policy:  "personal configuration detected ... must overwrite immediately"
10:16 < Bushmills> alibaba: i don't believe you, knowing both suse and debian.
10:17 < alibaba> I use suse since 20 yrs. I had a look on ubuntu (which is debian) and I must say, I stay with suse.
10:17 < Bushmills> well, anyway, have fun with your mentioned online update which overwrote your settings
10:17 < Bushmills> ubuntu is ubuntu, not debain
10:17 < Bushmills> debian
10:18 < alibaba> doesn't matter  it is at least totally different in administration.
10:18 < dragoin> Bushmills: i find, this...but i dont repair, http://www.isaserver.org/tutorials/work-around-VPN-clients-split-DNS.html
10:18 < vpnHelper> Title: How to work around an issue with VPN clients and split DNS (at www.isaserver.org)
10:19 < dragoin> I trust this channel:-)
10:19 < Bushmills> alibaba: "The first version of this distribution appeared in early 1994"  ... "I use suse since 20 yrs"
10:19 < Bushmills> time warp?
10:20 < dragoin> le0: do you know, how solve my problem?
10:20 < alibaba> I started with SuSE 5.0
10:20 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
10:21 < alibaba> This is - estimated - 20 years.
10:21 < rob0> Linux itself is not yet 20-y-o. 1991 wasn't it?
10:21 < Bushmills> ah, so suse5.0 was out before the first version of suse was available
10:21 < Bushmills> getting more interesting :)
10:21 < alibaba> How long is it then?
10:21 < le0> dragoin, if you are not SPLIT tunnelling, you need to update your local DNS to reflect settings pushed from your VPN endpoint
10:21 < alibaba> It is Very long ago.
10:21 < le0> i have scripts whcih work with openvpn in linux
10:22 < le0> they are shell scripts
10:22 < le0> i am not sure about windows as none of my users are windows users
10:22 < Bushmills> bit more than 15 years that first version came out. 5.x was around 1995
10:22 < Bushmills> maybe 96
10:22 < alibaba> Ok. Then it is 15 yrs. Still long time.
10:23 < rob0> SuSE was a fork of Slackware, which began in 1993. Slackware was a fork of SLS.
10:23  * Bushmills used SLS
10:23 < alibaba> I slightly remember this stack of floppy disks. Then I bought a SuSE 5.0 package.  :)
10:24 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
10:24 < dragoin> le0: yes, I use Ubuntu 9.10, and openvpn...
10:24 < alibaba> Anyway, thank you very, very much for your kindly help.
10:24 < dragoin> no wins
10:25  * rob0 statred with Zipslack 3.6, 1998ish
10:25 < le0> okay, i will post, sec
10:25 < rob0> <== a newbie
10:25 < dragoin> le0: thank you
10:25 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit [Client Quit]
10:26 -!- alibaba [n=xerox@goliath.hantsch.co.at] has left ##openvpn ["Konversation terminated!"]
10:28 < le0> dragoin, i accept NO resp for these scripts btw
10:28 < le0> http://paste.debian.net/56378/
10:28 < le0> thats the up script
10:28 <+Kas> :kasx blitzen1
10:29 <+Kas> tehe
10:29 < le0> down script is: cp /home/user/keys/pentest/nonsplit/resolv.conf /etc/resolv.conf
10:31 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has joined ##openvpn
10:31 < zxd> I don't think my ccd file is working ,  can the  Common Name have spaces in it
10:32 < zxd> per example :   VPS Gateway1
10:35 -!- pfo [n=pfo@srv.gmi.oeaw.ac.at] has quit [Client Quit]
10:35 < zxd> Ok I got it
10:35 < zxd> it converts the space to _
10:37 < dragoin> pls le0 what is folder. if i get it, i have to rewrite resolv.conf?? I testing, this file, and i take same ip address...
10:37 < le0> what is folder?
10:37 < le0> you will need to amend paths to suit your env
10:38 < dragoin> before, and after vpn connect ... folder ehm /home/user/keys,,
10:38 < le0> i have a base copy of my resolv.conf so i know its right
10:41 -!- bootlaces [n=bootlace@unaffiliated/bootlaces] has quit ["Hometime - joy!"]
10:43 < le0> any luck dragoin
10:43 < dragoin> le0: pls vpn_up.sh one sec...
10:43 < dragoin> what is
10:44 < dragoin> what is it... i not found
10:47 < le0> dragoin, check pm
10:49 -!- Briareos1 [n=B@13-98-136-94.static.net4you.net] has joined ##openvpn
10:49 < Briareos1> !download
10:49 < vpnHelper> Briareos1: "download" is www.openvpn.net/download to download openvpn
10:49 < Briareos1> !downloads
10:49 < vpnHelper> Briareos1: Error: "downloads" is not a valid command.
10:51 -!- dazo [n=dazo@nat/redhat/x-rlydlhulyongjdde] has quit [Read error: 54 (Connection reset by peer)]
10:53 < Briareos1> i am receiving "read UDPv4 [EMSGSIZE Path-MTU=1460]: Message too long (code=90)" on my client though I've set mssfix 1200 and the openvpn-server is responding to pings
10:53 < Briareos1> client is newest version (just downloaded)
10:53 -!- dazo_ [n=dazo@nat/redhat/x-lwskmcolscvullpx] has joined ##openvpn
10:53 < Briareos1> with version from ubuntu package repo it's the same
10:53 < Briareos1> couldn't find a solution
10:54 -!- dazo_afk [n=dazo@nat/redhat/x-hjlzmengnirgaqjc] has joined ##openvpn
10:54 -!- dazo_afk is now known as Guest39119
10:54 -!- Guest39119 is now known as dazo
10:54 -!- dazo is now known as Guest32313
10:55 < Briareos1> it seems to only happen with rdp
10:55 -!- Guest32313 is now known as dazo
10:57 -!- dazo_ [n=dazo@nat/redhat/x-lwskmcolscvullpx] has quit [Client Quit]
10:58 -!- hyper_ch [n=hyper@83-161.78-83.cust.bluewin.ch] has quit [Remote closed the connection]
11:06 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)]
11:11 -!- dragoin_ [n=dragoin@81.19.35.122] has joined ##openvpn
11:11 < le0> are your mtu settings the same on both local and remote systems?
11:11 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:13 < Briareos1> le0 haven't set them explicitly to anything
11:13 < Briareos1> now i set "fragment 1200" in addition to "mssfix 1200" (as stated in the faq) and it seems to work
11:14 < le0> cool
11:14 < Briareos1> i hope i'm not loosing too much performance or so :)
11:14 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
11:15 < Bushmills> it is good to loose performance. it is bad to lose it.
11:17 < Briareos1> thanks :)
11:17 < Briareos1> but don't tell my english teacher
11:18 < Briareos1> well see you later then
11:18 -!- Briareos1 [n=B@13-98-136-94.static.net4you.net] has quit [Remote closed the connection]
11:20 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
11:21 -!- dyzdyz [n=dyzdyz@ch49172.petrus.pl] has joined ##openvpn
11:21 -!- dragoin [n=dragoin@81.19.35.122] has quit [Read error: 110 (Connection timed out)]
11:21 -!- LobbyZ [n=default@main.lobbyzffs.com] has quit ["Free FTW"]
11:21 -!- dyzdyz [n=dyzdyz@ch49172.petrus.pl] has quit [Client Quit]
11:22 -!- LobbyZ [n=default@main.lobbyzffs.com] has joined ##openvpn
11:31 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
11:32 < steelnwool> I have my vpn setup, I can ping form the server to the client, but not the client to the server.. idea's ? [using tun]
11:32 < rob0> whois robotti^
11:32 < steelnwool> i'm not forwarding gateways, or publishing any routes. when i do a traceroute from my client, it dies on the first hop
11:33 < rob0> (Sorry, forgot the / -- just thought you might be someone I know)
11:38 -!- derRichard [n=derRicha@ununbium.nod.at] has joined ##openvpn
11:39 < steelnwool> why does client.conf have to exist on the server?
11:43 -!- APTX|1 [n=APTX@chello089076052083.chello.pl] has joined ##openvpn
11:43 -!- dunc [n=dunc@fenchurch.ipv6.braddon.org.uk] has quit ["Leaving"]
11:44 -!- APTX|_ [n=APTX@chello089076052083.chello.pl] has quit [Read error: 60 (Operation timed out)]
11:44 -!- dragoin_ [n=dragoin@81.19.35.122] has quit ["Lost terminal"]
11:46 < dazo> steelnwool:  you need some routes, they can be in the client config ... or being pushed to clients from the server config by using --push ... the client.conf don't need to exist on the server, unless they are a part of --client-config-dir (aka ccd)
11:46 < dazo> !ccd
11:46 < vpnHelper> dazo: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
11:48 < steelnwool> dazo: wouldn't the route from 10.8.0.6 to 10.8.0.1 be published automatically when the connection starts? i would only use --push for routes to other networks beyond the vpn host, right?
11:48 < dazo> steelnwool:  that's right
11:48 < steelnwool> okay, in taht case then i should already ahve the route.
11:49 < dazo> steelnwool:  that's just to double check the client routing table ... route -n (Linux) or route print (windows, iirc)
11:49 < Bushmills> i think for only trying to contact server from client, no additional routes need to be pushed. problem should be a different one
11:49 < steelnwool> also: i noticed if i remoted clietn.conf , that all pings completly failed, but if i put it back in place, and restart openvpn, i can at least ping from server to client again, but cannot ping from client to server.
11:49 < Bushmills> (i'd say, firewall)
11:49 < steelnwool> Bushmills: yeah exactly. and i'm stumped
11:50 < steelnwool> bushmills firewall on which side ? a friend of mine was at my house last week and was able to connecto to his vpn at his work [also using openvpn and his client is also a mac]
11:50 < Bushmills> but to make sure, check your client routing table. route to vpn net should be there
11:50 < steelnwool> on my side : os x has no firewall turned on, my timecapsule isn't blocking any vpn traffic.
11:50 < steelnwool> Bushmills:
11:50 < steelnwool> tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500 inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff  open (pid 10869)
11:50 < Bushmills> steelnwool: server firewall, most likely
11:51 < steelnwool> Bushmills: ok for server firewall i opened UDP 1194, are there other things i should have open?
11:51 < Bushmills> ehm .. you can connect to server, so it's not an issue with udp 1194
11:52 < steelnwool> yeah zactly.
11:52 < Bushmills> the services which you can't reach on server should be allowed. or the whole tun interface
11:52 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
11:52 < dazo> steelnwool:  also double check that IP forwarding is enabled as well
11:52 < dazo> steelnwool:  even though to ping the other side of a p-t-p tunnel, would not require that ... but no traffic will be routed if IP forwarding is disabled
11:53 < steelnwool> my server is ubuntu with linux se, so it could be app-armour or ufw getting in the way..
11:53 < steelnwool> let me look into those.
11:53 < Bushmills> again, no ip forwarding needed for simple client - server connection
11:54 < steelnwool> yeah zactly. i'll get to that part later. for now i'll be happy just to have the two talk to each other.
11:54  * Bushmills nods
11:54 < dazo> that depends on which IP address you ping on the server .... if it is the tun interface, Bushmills is right ... if you do the physical eth, it will fail
11:55 < Bushmills> if traffic not redirected, those requests would go the other route
11:55 < dazo> as long as IP fwd is enabled
11:55 < steelnwool> i'm pinging from 10.8.0.6 to 10.8.0.1 and i just get 100% packet loss.
11:56 < dazo> what is what here?  what is client and what is server?
11:56 < steelnwool> client is mac osx, server is ubuntu LTS. client is .6 server is .1
11:56 < dazo> the server on the client side will then be 10.8.0.7, iirc
11:56 < dazo> and the client on the server side will be 10.8.0.2
11:57 < Bushmills> 0.7 should be the p2p address. probably not pingable
11:57 < steelnwool> should .1 be pingable/
11:57 < Bushmills> 0.1 as server address sounds right
11:57 < dazo> sorry!  10.8.0.5, I meant
11:58 < steelnwool> dazo: yeah its 1 and 2 and 5 and 6
11:58 < dazo> 0.7 would be the broadcast of the 10.8.0.4/30 net
11:59 < dazo> steelnwool:  this can be a bit confusing, but with the p-t-p setup ... on the client side, you should be able to ping .0.5 and 0.6 ... and on the server side .0.1 and .0.2
12:00 < steelnwool> dazo: if i want to ssh from the client to the server. which ip should i ssh to?
12:01 < dazo> steelnwool:  if sshd is listening to the tun address on the server, that would be 10.0.8.5, if the client address is 10.8.0.6
12:02 < Bushmills> ip addr of tun interface on server would be fine
12:02 -!- hyper_ch [n=hyper@adsl-84-226-239-178.adslplus.ch] has joined ##openvpn
12:02 < dazo> seen from the client side, though
12:02 < steelnwool> yeah, doesn't work.
12:04 < dazo> tried tcpdump on the tun devices?
12:05 < steelnwool> not yet. trying TCP, then I'll try that.
12:05 < Bushmills> I'd try   watch -n 1 iptables -nvL  on server, then ping from client and look if anything changes (rule hit count, number if policy caught packets)
12:06 < steelnwool> k, will do that now. then tcp i guess. thanks
12:08 < steelnwool> Bushmills: that command seems to exist almost immediatly.
12:08 < steelnwool> root@vpn:/etc/openvpn# tcpdump  watch -n 1 iptables -nvL
12:08 < steelnwool> Data link types (use option -y to set): DOCSIS (DOCSIS) (not supported) EN10MB (Ethernet)
12:08 < reiffert> :)
12:09 < steelnwool> you can mock my tcp-fu, i don't mind.
12:09 < steelnwool> er tcpdump-fu
12:09 < Bushmills> i didn't mention tcpdump
12:09 < steelnwool> oh. heh.
12:10 < steelnwool> okay, "watching" now
12:10 < steelnwool> nay, my pings from the client get "Request timeout for icmp_seq 0" so i don't think they're even leaving my house...
12:10 < dazo> steelnwool:  the tcpdump would be ... tcpdump -n -i tun0    (if your tun device is tun0)
12:11 < steelnwool> yeah, nothing from tcpdump.
12:11 < dazo> including on the client?
12:11 < steelnwool> sec. will run there.
12:12 < steelnwool> 14:12:18.312509 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 18731, seq 0, length 64
12:12 < steelnwool> thats from the client.
12:13 < dazo> steelnwool:  please ... try to ping 10.8.0.4 .... 10.8.0.1 will in most cases never work in a p-t-p setup
12:13 < steelnwool> you mean .2 ?
12:13 < dazo> I mean 10.8.0.5
12:13 < dazo> sorry
12:13 < steelnwool> yeah, did that, failed too.
12:14 < dazo> then you have some issues on your client's firewall most probably
12:14 < steelnwool> my mac firewall is off, and my nat-router was used last week by a friend connecting to his own openvpn elsewhere tho...
12:14 < dazo> or that the tun0 device is not found in the route table
12:14 < steelnwool> the tun0 interface IS found in my route table.
12:15 < steelnwool> http://pastebin.com/m2fb53112
12:15 < dazo> well, the packets disappear somewhere ....
12:15 < steelnwool> yeah.
12:16  * steelnwool relooks at mac firewall.
12:16 -!- jamesyonan [n=jamesyon@c-76-120-71-74.hsd1.co.comcast.net] has joined ##openvpn
12:16 < steelnwool> yeah, tis off.
12:16 < dazo> gateway: 10.8.0.5 ..... you should almost always be able to ping your gateway ... if that's not doable .... something is blocking you
12:17 < steelnwool> indeed.
12:18 < steelnwool> i'm going to try running the openvpn client from a linux command line, it might have some more verbose debugging, or at least removes the 'os x variable'
12:18 -!- jamesyonan [n=jamesyon@c-76-120-71-74.hsd1.co.comcast.net] has left ##openvpn []
12:19 -!- jamesyonan [n=jamesyon@c-76-120-71-74.hsd1.co.comcast.net] has joined ##openvpn
12:21 < jamesyonan> test message
12:21 < dazo> jamesyonan:  roger that :)
12:21 < jamesyonan> cool
12:21 < dazo> jamesyonan:  you might want to join ##openvpn-discussion
12:24 < hyper_ch> dazo: what's that?
12:24 < dazo> what's what?
12:24 < dazo> hyper_ch:  have you seen the topic lately?
12:25 < openvpn2009> !welcome
12:25 < vpnHelper> openvpn2009: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:25 < hyper_ch> topics? isn't that like FAQs, READMEs, manuals etc. just there to be ignored?
12:26 < dazo> only if you like to be spanked in public
12:26 < openvpn2009> hyper_ch, in most of the channels, yes. Not in here
12:26 < dazo> heh
12:27 < hyper_ch> dazo: I have a hardened shell from #debian
12:28 < dazo> :)
12:34 < hyper_ch> well, I've heard horror stories that people always get told RTFM
12:34 < hyper_ch> in #debian
12:34 < hyper_ch> but my experience has been quite nice this far
12:34 < Bushmills> no. only those who don't
12:34 < steelnwool> well. just tried with CLI on linux, and same symptons... so i guess that only leaves my firewall on the client side..
12:34 < hyper_ch> tbh, I think just shouting RTFM at people is not the best way
12:35 < hyper_ch> sometimes people are willing to RTM but they don't know where to start
12:35 < Bushmills> oh, some say "that's written in the manual - do you want me to paste it, or rephrase it so you can understand it too?"
12:35 < steelnwool> hyper_ch: in my experience i've found it depends upon the question.
12:35 < hyper_ch> if you don't know what a "thing" is called then you can't really search info on it
12:36 < Bushmills> but essentially, that means about the same :)
12:37 -!- mintaka [n=kosmic@unaffiliated/spice] has joined ##openvpn
12:37 < mintaka> Jan 11 19:33:39 2010 us=426024 [server] Inactivity timeout (--ping-restart), restarting
12:37 < mintaka> i get that a LOT
12:37 < mintaka> don't know what is causing it
12:37 < hyper_ch> k y gk
12:37 < mintaka> but sometimes every few minutes my connection drops
12:37 < hyper_ch> inactivity is causing it :)
12:38 < mintaka> but im not inactive
12:38 < Bushmills> your VPN might be
12:39 < Bushmills> after all, it is the vpn timing out, and not you.
12:39 < mintaka> it happens mostly when im on wireless
12:42 < Bushmills> !keepalive
12:42 < vpnHelper> Bushmills: Error: "keepalive" is not a valid command.
12:43 < Bushmills> mintaka: http://scarydevilmonastery.net/snap/1263235399510542882.png
12:44 < mintaka> thats nice
12:44 < mintaka> that's a nice hostname
12:45 < mintaka> i set ping-restart 0 in the ovpn file
12:46 < Bushmills> To disable the 120 second default, set --ping-restart 0 on the client.
12:46 < mintaka> that man snip says it's for servers. i dont have server access
12:46 < mintaka> theres another issue im having
12:47 < mintaka> i run openvpn as root, (you have to) then when i do get disconnected
12:47 < mintaka> the reconnect will be attempted
12:47 < Bushmills> keepalive causes ping and pingrestart on both server and client.  if you can edit client config only, you can have ping and ping-restart there
12:48 < mintaka> but if i have set to downgrade to user nobody or
12:48 < mintaka> grouand group nobody
12:48 < mintaka> it will fail to create the tunnel
12:48 < mintaka> it basically always needs root
12:48 < mintaka> i dont know if i like that
12:48 < mintaka> someone could send a carefully crafted packet that exploits my system when it reaches me
12:49 < mintaka> gains root access!
12:50 < rob0> user/group downgrade works for me
12:50 < mintaka> and when you recoonnect?
12:51 < mintaka> kkk
12:51 < Bushmills> normally you can drop privileges.
12:51 < mintaka> nverming that
12:51 < mintaka> i can drop privs but i cant get it to remake the connection
12:53 < Bushmills> check your .crt file on client for permission problems
12:53 < Bushmills> i think client.crt and ca.crt should be non-root readable
12:53 < mintaka> i only have ca.crt
12:54 < Bushmills> client.conf not sure, but i don't think that's needed
12:54 < mintaka> and it's readable by all
12:54 < mintaka> hmm maybe
12:54 < mintaka> let me try that
12:54 < mintaka> i dont have a client.conf just a .ovpn
12:54 < Bushmills> what's the name of your .key file?
12:55 < mintaka> no key files
12:55 < mintaka> password only
12:55 < Bushmills> ah
12:57 -!- cron2 [n=gert@dhcp-174.greenie.muc.de] has joined ##openvpn
12:59 -!- cron2_ [n=gert@dhcp-174.greenie.muc.de] has joined ##openvpn
13:15 -!- Schlaubi [n=daniel@p5B0A1A24.dip0.t-ipconnect.de] has joined ##openvpn
13:18 -!- Thaxll [n=Thaxll@69.70.215.78] has joined ##openvpn
13:20 -!- Schlaubi [n=daniel@p5B0A1A24.dip0.t-ipconnect.de] has quit ["Verlassend"]
13:20 -!- hyper_ch [n=hyper@adsl-84-226-239-178.adslplus.ch] has quit [Remote closed the connection]
13:20 -!- hyper_ch [n=hyper@adsl-84-226-239-178.adslplus.ch] has joined ##openvpn
13:21 -!- Schlaubi [n=daniel@p5B0A1A24.dip0.t-ipconnect.de] has joined ##openvpn
13:26 < Schlaubi> ö
13:27 < reiffert> !!!
13:27 < vpnHelper> reiffert: Error: "!!" is not a valid command.
13:28 < steelnwool> okay so.. a friend of mine, also on a mac and time capsule, was just connected to his own vpn. he disconnected and tried to connect to mine and got same symptoms. i think that means i can rule out my client side and that my issues are wither with the firewall on my server side, my server config it self or something else on the server side of things.
13:33 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)]
13:34 -!- berniv6 [n=berni@2001:1b10:1000:0:0:0:26c3:1] has joined ##openvpn
13:37 -!- Winkie [n=urmom@ur.fa.gs] has left ##openvpn []
13:39 < mintaka> so i run openvpn with ping-restart 0
13:39 < mintaka> it seems to help with my problem
13:40 < mintaka> but the question now becomes since i can only run one vpn connection at a time
13:40 < mintaka> what happens if i disconnect abruptly
13:40 < mintaka> will the remote server think im connected for ever?
13:41 < Bushmills> if you terminate client, the client won't ping anymore. but with your config, it won't anyway.
13:41 < Bushmills> means, it has no reason to ping for keeping alive.
13:42 -!- rajin [n=_@port-10961.pppoe.wtnet.de] has joined ##openvpn
13:43 -!- Schlaubi [n=daniel@p5B0A1A24.dip0.t-ipconnect.de] has left ##openvpn ["Verlassend"]
13:58 -!- rwscott [n=rwscott@207.236.169.155] has quit [Remote closed the connection]
14:01 < Thaxll> Hello, i've a question about routing, I know it's a well known subject but i'm a bit lost. How do we push all internet traffic from client to VPN because my push " blabla" in conf file doesn't work :/
14:02 < reiffert> !def1
14:02 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
14:04 < Thaxll> Hmm ok, i'm going to check that thanks ;)
14:05 < steelnwool> are the ovpn forums usually pretty good?
14:09 < mintaka> bushmills, so what happens
14:09 < Bushmills> (19:46:06) Bushmills: To disable the 120 second default, set --ping-restart 0 on the client.
14:09 < mintaka> i cant reconnect anymore?
14:09 < mintaka> well,
14:09 < Bushmills> and you haven't added a ping
14:10 < steelnwool> woo, got it working.
14:12 < ecrist> If folks didn't know, community forum going on now in ##openvpn-discussion
14:13 < mintaka> that's lovely and all
14:15 < steelnwool> i'm embarrased to say how i got it working,b ut suffice to say i had a client running on the server :)
14:15 < steelnwool> which of course = "a wrench in the gears" and a facepalm.
14:17 -!- cron2 [n=gert@dhcp-174.greenie.muc.de] has left ##openvpn ["-server freenode2 #openvpn"]
14:23 -!- Section58 [n=steve@ipt0-2.core.bsd.uk.phib3r.net] has quit []
14:23 -!- a-zlex [n=as@null0.ipv6.bgp4.org] has joined ##openvpn
14:24 < steelnwool> can you use the push route comand for pushing routes to non-private ips ?>
14:25 < Bushmills> yes, you can
14:27 < steelnwool> holy crap. everything works.
14:27 < steelnwool> this is awesome.
14:27 < steelnwool> thanks for your patience everyone.
14:28 < mintaka> what do you think i should i do
14:28 < mintaka> to not get kicked off the vpn
14:29 -!- jamesyonan [n=jamesyon@c-76-120-71-74.hsd1.co.comcast.net] has left ##openvpn []
14:30 < Bushmills> it works? now that it does, you gotta change the configuration.
14:30 -!- a-zlex [n=as@null0.ipv6.bgp4.org] has left ##openvpn []
14:31 < mintaka> heh
14:31 < mintaka> to what!
14:31 < Bushmills> mintaka: try reading man page, concerning keepalive, ping, ping-restart
14:31 < mintaka> those are all badly named commands imo
14:31 < mintaka> yeah im diving into the man
14:32 < Bushmills> write a bug report, telling why you consider them inaptly named.
14:34 < mintaka> nah!
14:40 < mintaka> trying with keepalive 10 60 in .ovpn
14:40 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit ["Leaving."]
14:49 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:50 -!- cron2_ [n=gert@dhcp-174.greenie.muc.de] has left ##openvpn []
14:52 < mintaka>  Jan 11 21:49:54 2010 us=697583 [server] Inactivity timeout (--ping-restart), restarting
14:52 < mintaka> again i got that
14:52 < mintaka> what is it with this crap
14:53 -!- cron2 [n=gert@2001:608:4:0:222:68ff:fe7f:7420] has joined ##openvpn
14:53 -!- dabozz [n=benny@dslb-094-219-206-019.pools.arcor-ip.net] has joined ##openvpn
14:54 -!- rajin [n=_@port-10961.pppoe.wtnet.de] has quit [" HydraIRC -> http://www.hydrairc.com <- Po-ta-to, boil em, mash em, stick em in a stew."]
14:55 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has joined ##openvpn
14:55 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has quit [Client Quit]
14:56 < dabozz> hi, can someone help me with my openvpn problem
14:56 < dabozz> ?
14:56 < dabozz> my client says: http://paste.pocoo.org/show/164440/
14:58 < ecrist> that tells me exactly nothing
14:59 < dabozz> mm ok
14:59 < ecrist> !logs
14:59 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
15:06 -!- ycy_ [n=mb@131.179.136.74] has quit [Read error: 104 (Connection reset by peer)]
15:06 < mintaka> dabozz, i think ecrist is asking for better logs
15:07 < dabozz> ok im looking for it
15:09 < Bushmills> actually, a description what your problem actually is can also be useful
15:11 < cron2> indeed, as the log looks pretty non-problematic so far - it initialized fine, and is now waiting for activity (as far as I can see)
15:11 -!- ycy_ [n=mb@Noise.CS.UCLA.EDU] has joined ##openvpn
15:11 < Bushmills> maybe your disk is full?
15:15 < mintaka> this is rather interesting
15:15 < mintaka> you know what i did?  i ran a tun on one machine
15:15 < mintaka> killed the wireless without killinbg the tun first
15:15 < mintaka> then tried connecting to the vpn from a different machine
15:16 < mintaka> and it worked, even with ping-restart 0
15:16 -!- dabozz [n=benny@dslb-094-219-206-019.pools.arcor-ip.net] has quit ["Leaving."]
15:16 < mintaka> worked on the third try but still
15:19 < mintaka> that might be worth noting :)
15:24 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
15:29 -!- zz_hyper_ch [n=hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
15:32 -!- XATRIX [n=George@217-64-178-94.pool.ukrtel.net] has joined ##openvpn
15:32 < XATRIX> hi guys
15:33 < XATRIX> any idea of how openvpn connection can be unreachable
15:33 < XATRIX> look
15:33 < XATRIX> From 192.168.7.34 icmp_seq=1 Destination Port Unreachable
15:34 < XATRIX> http://pastebin.com/d43e039ec
15:34 < XATRIX> i'm trying to ping 192.168.3.74
15:35 < rob0> who/what is 7.34 then?
15:36 < ecrist> XATRIX: that host isn't reachable
15:36 < ecrist> either it's not on the LAN, or your routing tables are fubar
15:36 < XATRIX> rob0: as i understand it's my remote host openvpn interface
15:37 < XATRIX> and 192.168.3.0/24 is a remote office network
15:37 < XATRIX> ok, i'll describe the situation
15:37 < XATRIX> i have my laptop, and ADSL modem, so, my laptop is in 192.168.1.0/24 network
15:38 < XATRIX> 192.168.1.1 - is a laptop, and 192.168.1.254 - modem
15:38 < XATRIX> i have the remote network on our office , (192.168.3.0/24)
15:38 < XATRIX> i try to connect to it via openvpn
15:39 < XATRIX> some of the config files and certificates were given to me by our administrator
15:39 < rob0> Sounds like maybe the typical routing confusion. Each side has to know how to route to the other.
15:39 < rob0> !route
15:39 < vpnHelper> rob0: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:40 < XATRIX> http://pastebin.com/d5a6ab86e
15:40 < XATRIX> ok please , look at the config file
15:40 < XATRIX> i don't think i do something wrong
15:41 -!- Holister [n=ryan@static-151-204-189-39.pskn.east.verizon.net] has quit [Read error: 104 (Connection reset by peer)]
15:42 -!- Holister [n=ryan@static-151-204-189-39.pskn.east.verizon.net] has joined ##openvpn
15:43 -!- dauergast [n=sag@g227117037.adsl.alicedsl.de] has joined ##openvpn
15:46 < XATRIX> so ?
15:46 < XATRIX> i'm really need help
15:46 -!- dazo is now known as dazo_afk
15:46 < hyper_ch> dazo: you're using znc, right?
15:52 < XATRIX> guys please, help me to solve problem
15:58 < rob0> Did you read !route completely? I think it would help. I have my own jobs to do, unable to hold your hand through all of it.
16:00 -!- hyper_ch [n=hyper@adsl-84-226-239-178.adslplus.ch] has quit [Remote closed the connection]
16:00 -!- zz_hyper_ch is now known as hyper_ch
16:01 -!- hyper__ch [n=hyper@adsl-84-226-239-178.adslplus.ch] has joined ##openvpn
16:01 -!- hyper_ch [n=hyper_ch@ks357331.kimsufi.com] has quit [Nick collision from services.]
16:01 -!- hyper__ch is now known as hyper_ch
16:02 < XATRIX> rob0: look, it quite strange, i didn't change anything in config files after i migrate from gentoo
16:02 < XATRIX> on gentoo i connected with this configs sucessfully
16:02 -!- zz_hyper_ch [n=hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
16:03 -!- Thaxll [n=Thaxll@69.70.215.78] has quit ["Quitte"]
16:03 < XATRIX> can't understand what isn't right
16:03 < XATRIX> i have routes to 192.168.3.0/24 network... what can be wrong?
16:06 -!- zz_hyper_ch is now known as hyper_away
16:06 -!- hyper_away is now known as zz_hyper_ch
16:06 -!- hyper_ch [n=hyper@adsl-84-226-239-178.adslplus.ch] has quit [Remote closed the connection]
16:06 -!- zz_hyper_ch is now known as hyper_ch
16:07 -!- hyper_ch is now known as hyper_away
16:07 -!- hyper_away is now known as hyper_ch
16:08 -!- dauergast [n=sag@g227117037.adsl.alicedsl.de] has quit ["Windows error 000 : No errors found! [CLOSE]"]
16:20 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.86 [Firefox 3.0.17/2009122116]"]
16:29 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
16:46 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:53 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
17:09 -!- hyper_ch is now known as hyper_away
17:12 -!- hyper_away is now known as hyper_ch
17:14 -!- XATRIX [n=George@217-64-178-94.pool.ukrtel.net] has left ##openvpn ["Leaving"]
17:18 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit ["Leaving."]
17:19 -!- ribasushi [n=rabbit@dslb-084-063-042-037.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)]
17:24 -!- hyper_ch is now known as hyper_away
17:26 -!- ribasushi [n=rabbit@dslb-084-063-012-137.pools.arcor-ip.net] has joined ##openvpn
17:35 -!- ribasushi_ [n=rabbit@dslb-084-063-041-247.pools.arcor-ip.net] has joined ##openvpn
17:39 -!- ribasushi_ [n=rabbit@dslb-084-063-041-247.pools.arcor-ip.net] has quit [Read error: 60 (Operation timed out)]
17:42 -!- ribasushi [n=rabbit@dslb-084-063-012-137.pools.arcor-ip.net] has quit [Connection timed out]
17:52 -!- corretico [n=laguilar@201.201.46.106] has quit ["Leaving"]
18:00 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
18:00 -!- tjz2 [n=tjz@bb116-15-75-62.singnet.com.sg] has joined ##openvpn
18:06 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 54 (Connection reset by peer)]
18:06 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
18:07 -!- tjz [n=tjz@unaffiliated/tjz] has quit [Read error: 60 (Operation timed out)]
18:15 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
19:07 -!- theDoc [n=hex@69.10.59.166] has joined ##openvpn
19:11 < crazygir> I can connect to the VPN just fine, but then can't get thru to the 172.x subnet from 10.0.65/
19:11 < crazygir> any thoughts.. I'm a bit lost on this VPN/routing issue: http://pastebin.ca/1747678
19:18 < ecrist> !route
19:18 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
19:19 < ecrist> ip_forward enabled?
19:19 < mithridates> !factoids search group
19:19 < vpnHelper> mithridates: No keys matched that query.
19:20 < mithridates> !factoids search config
19:20 < vpnHelper> mithridates: 'ifconfig' and 'configs'
19:20 < mithridates> !configs
19:20 < vpnHelper> mithridates: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
19:21 < mithridates> ecrist: how can I have different configurations for different groups of clients ? by ccd?
19:23 < crazygir> ecrist: pretty sure ip forwarding is set, will double check though.. may have been lost with a reboot
19:28 < crazygir> ecrist: yep.. ip forwarding is enabled
19:30 < ecrist> mithridates: ccd is the right way to do it
19:30 < ecrist> you can also do more complicated things with client connect scripts
19:32 < mithridates> ecrist:  is there any other things for group clients management?
19:32 < ecrist> mithridates: depending on how complicated, I would probably do a shared certificate for everyone in a specific group, but use user/pass verification to auth each user
19:33 < mithridates> aah ok
19:33 < mithridates> ecrist: can I set one certificate only for 10 people?
19:33 < ecrist> you can auth user/pass based on cname, to prevent users from other groups from using a different group's certificate
19:34 < mithridates> I didn't get the last part
19:34 < ecrist> crazygir: !logs, please
19:35 < ecrist> in your auth script, set some logic to verify a user has access to a specific CN
19:35 < theDoc> crazygir> Is your routing table looking correct?
19:35 < mithridates> ecrist:  ahaa I think I got it
19:36 < ecrist> theDoc: it seems to
19:36  * ecrist guesses firewall, or lack of a route on the server
19:36 < theDoc> Does the destination have a route back to the source?
19:37 < mithridates> ecrist: for example, I can set 10 users for one certificate. thus only 10 people can be online with a same configuration by ccd
19:37 < mithridates> am I right?
19:37 < theDoc> ecrist> Funnily enough, I was in a minor network nightmare due to default g/w's and non-existant routes in the routing table. ;p
19:38 -!- ribasushi [n=rabbit@dslb-084-063-001-106.pools.arcor-ip.net] has joined ##openvpn
19:40 < ecrist> mithridates: only if you set that in the auth script
19:41 < mithridates> is there any sample-script?
19:41 < ecrist> nope
19:41 < ecrist> for a six pack, I could write one, though. ;)
19:42 < mithridates> I don't know how I can write script related to this case
19:43 < mithridates> I think it doesn't need script
19:43 < ecrist> how many users are you talking about?
19:43 < mithridates> between 50 - 100
19:44 < ecrist> in each group, or total?
19:44 < mithridates> total
19:44 < mithridates> 10 or 20 for each group
19:44 < ecrist> ok, you have a couple options.
19:44 < ecrist> 1) every user gets their own CCD entry and their own certificate
19:44 < mithridates> ok
19:45 < ecrist> 2) every group gets their own certificate.  each certificate get its own CCD entry
19:45 < ecrist> 3) same as #2, but you incorporate a user auth script in addition
19:45 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
19:46 < ecrist> 2 is insecure as if a user changes groups, you cannot, without great hassle, remove their access from the former group, or prevent users from sharing certificates.
19:47  * ecrist bitch-slaps dazo
19:47 < mithridates> ecrist: number 3) it means to use a same user for all people in a group?
19:47 < ecrist> no
19:48 < ecrist> just do #1 and be done with it. ;)
19:48 < mithridates> ecrist: number one is like a crowd job
19:48 < mithridates> I like the way of number 2
19:48 < mithridates> every group gets their own certificate.  each certificate get its own CCD entry
19:50 < mithridates> ecrist: would you tell me , can I use this certificate for a group of 10 people only?
19:50 < ecrist> nope
19:51 < ecrist> not with just openvpn
19:51 < ecrist> you need to do #3 otherwise
19:51 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
19:51 < mithridates> but , What do u mean by auth script
19:51 < mithridates> which auth script
19:52 < ecrist> one you write
19:52 < vpnHelper> New forum entry openvpnforum: Configuration :: Obtain user attributes from Radius server :: Author fulat2k <http://www.ovpnforum.com/viewtopic.php?f=6&t=2434&p=2811#p2811> || Configuration :: So far - I have a one way vpn and I'm scratching my head. :: Author bignose <http://www.ovpnforum.com/viewtopic.php?f=6&t=2436&p=2817#p2817> || Configuration :: client.conf - On the server ? :: Author bignose <http://www.ovpnforum.com/viewtopic.php?
19:52 < ecrist> if you can't write one, you cannot do it
19:53 < mithridates> ecrist: aah I got it now , tell me use radius or nagios
19:53 < mithridates> =)) u only say auth script
19:53 < ecrist> nagios is not an auth system
19:53 < ecrist> it's a system monitor
19:54 < ecrist> ping dazo
19:54 < theDoc> radius != nagios
19:56 < ecrist> not even close
19:56 < theDoc> That's like comparing an apple to a car
19:56 < theDoc> ;p
19:56 < mithridates> =)))
19:56 < mithridates> say more
19:57 < ecrist> your smiley face is broken
19:57 < mithridates> describe a mistake , it's an enjoyable job
19:57 < mithridates> :))
19:59 < theDoc> Oh shoot, my ftp is broken
19:59 < theDoc> I'll get around to it in a few hours
19:59 < crazygir> theDoc: I posting the routes
20:00 < crazygir> ecrist: openvpn's logs?
20:00 < theDoc> crazygir> Wha?
20:00 < crazygir> *posted
20:00 < theDoc> route -e and pastebin that, I'm sure it's something along those lines.
20:00 < crazygir> http://pastebin.ca/1747678
20:00 < crazygir> theDoc: on the server?
20:00 < crazygir> or client
20:00 < theDoc> crazygir> Taking a look.
20:00 < theDoc> Both
20:00 < crazygir> ^^
20:01 < theDoc> ^^
20:01 < crazygir> (the paste should be sufficient)
20:01 < theDoc> crazygir> Which network are you originating from and which network is your destination?
20:02 < crazygir> I want to connect to systems in the 172.x subnet, my client is connected to the vpn and is coming from the 10.0.x
20:04 < ecrist> crazygir: did you include server routes on that paste?
20:05 < theDoc> crazygir> What's the -exact- 172.16.x ip you are trying to hit?
20:05 < crazygir> theDoc: 172.20.10.0
20:05 < crazygir> ecrist: yes
20:05 < theDoc> crazygir> That's your subnet id or a host address?
20:06 < theDoc> Because it looks like there isn't a route like that in your routing table.
20:06 < theDoc> on the server, at least
20:06 < ecrist> you don't have a route
20:06 < crazygir> http://pastebin.ca/1747738
20:06 < crazygir> ecrist: ?
20:06 < ecrist> you only have a route to 172.20.10.10
20:06 < theDoc> Line 45 shows a route going to 172.20.10.10
20:06 -!- APTX|_ [n=APTX@chello089076052083.chello.pl] has joined ##openvpn
20:06 < crazygir> hrm.. let me check that
20:07 < theDoc> That's a /32 and seems to be pointing to a particular host, you need to have a route for the entire subnet
20:07 -!- APTX|_ [n=APTX@chello089076052083.chello.pl] has quit [Remote closed the connection]
20:08 < theDoc> and I believe, we have that solved ;p
20:08 < crazygir> yep, dunno why that is. adding the route now and testing
20:09 < crazygir> that would make sense, I was having difficulty pinpointing the goofed route
20:09 < theDoc> I think the 2 most common problems we see around here is not having ipv4_forward=1 and the routing table.
20:09 < ecrist> nope, most common is firewall problems
20:10 < theDoc> Talking about that, I'm feeling sleepy but I have to go lab this hsrp setup
20:10 < theDoc> ecrist> With iptables? :?
20:10 < crazygir> heh
20:10 < ecrist> theDoc: what any firewall
20:11 < theDoc> Oh, any firewall.
20:11 < ecrist> s/what/any
20:11 < crazygir> I can ping the vpn server ip (10.0.65.1) just fine, but no one inside 172.20.10.0
20:11 < ecrist> crazygir: did you read !route?
20:12 < crazygir> my route wasn't added :|
20:12 < ecrist> it really seems as though you did not
20:12 < crazygir> yes I did
20:13 < theDoc> !route
20:13 < vpnHelper> theDoc: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:15 < theDoc> crazygir> pastebin relevant push statements on your server.conf please.
20:15 -!- stephenh [n=stephenh@94-23-158-103.kimsufi.com] has joined ##openvpn
20:19  * ecrist goes to bed.
20:19 -!- APTX|1 [n=APTX@chello089076052083.chello.pl] has quit [Read error: 110 (Connection timed out)]
20:22 < vpnHelper> New forum entry openvpnforum: Wishlist :: Re: Statistics Offloading :: Reply by dazo <http://www.ovpnforum.com/viewtopic.php?f=10&t=2413&p=2812#p2812> || Wishlist :: Re: Statistics Offloading :: Reply by ecrist <http://www.ovpnforum.com/viewtopic.php?f=10&t=2413&p=2820#p2820>
20:23 < crazygir> theDoc: push "route 172.20.10.0 255.255.255.0" <--- this gets out to the client, I can see this in the client's logs/output. A traceroute to a system in the 172.x subnet shows that the client routes thru to the vpn (correct!) but then ends there. so the server's routes are correct. I'm looking into this now
20:25 < crazygir> theDoc: the client seems to reinitiate its connection, doesn't seem normal, is that?
20:26 < theDoc> crazygir> Your server doesn't have a route in the routing table, try adding one in like, route add -n 172.16.10.0 netmask 255.255.255.0 dev eth1_or_whatever
20:26 < crazygir> yep, I have. it isn't linux, but I'm working on figuring out why what I've tried isn't working
20:26 < theDoc> crazygir> Doesn't matter, you can push the routes via your server.conf but if your server's routing table doesn't have the network, it's pointless.
20:26 < theDoc> Which platform is this?
20:28 < crazygir> theDoc: right, I understand. and adding the route isn't erroring out, but it isn't being added either.. again, I'm debugging this now :)
20:28 < crazygir> theDoc: openbsd
20:29 < theDoc> crazygir> You see, I could pretend to have -any- subnet behind me in my server.conf but if my server's actual routing table doesn't have the routes, the traffic isn't going anywhere because the client is just told to send traffic to that network which is advertised via the server and nothing more.
20:30 < theDoc> lmao, d000::/8 prefix is still out there.
20:30 < theDoc> ;p
20:31 < crazygir> of course. it makes sense. again.. trying to figure out why the server's route isn't being added correctly
20:31 < theDoc> Now, that's not something I can help with, not familiar with bsd.
20:45 < mintaka> im strugglin real hardc with trying to add unpriviledged users to openvpn
20:46 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)]
20:48 < mintaka> its real hard
20:50 < mintaka> doesnt work like the manual shows
20:52 < vpnHelper> New forum entry openvpnforum: Configuration :: Re: OpenSUSE 11.1 service command issues :: Reply by Douglas <http://www.ovpnforum.com/viewtopic.php?f=6&t=391&p=2821#p2821>
21:09 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
21:10 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
21:16 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
21:19 -!- APTX|_ [n=APTX@chello089076052083.chello.pl] has joined ##openvpn
21:22 < vpnHelper> New forum entry openvpnforum: Configuration :: Re: So far - I have a one way vpn and I'm scratching my head. :: Reply by bignose <http://www.ovpnforum.com/viewtopic.php?f=6&t=2436&p=2822#p2822> || Configuration :: Re: client.conf - On the server ? :: Reply by bignose <http://www.ovpnforum.com/viewtopic.php?f=6&t=2437&p=2823#p2823>
21:25 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
21:38 -!- poningru [n=poningru@dsl093-236-026.hfd1.dsl.speakeasy.net] has joined ##openvpn
21:38 < poningru> question
21:39 < poningru> need help with understanding anyconnect
21:39 < poningru> \/openconnect
21:40 < poningru> ...
21:41 < poningru> I'm an idiot
21:41 < poningru> nvm
21:41 < poningru> http://www.infradead.org/openconnect/
21:41 < vpnHelper> Title: OpenConnect (at www.infradead.org)
21:41 < poningru> the bottom section provides all the info
21:41 < poningru> sorry
21:41 -!- poningru [n=poningru@dsl093-236-026.hfd1.dsl.speakeasy.net] has left ##openvpn ["Leaving"]
21:49 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
21:49 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
22:23 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
22:30 -!- tjz2 is now known as tjz
22:30 -!- tjz [n=tjz@bb116-15-75-62.singnet.com.sg] has quit ["bbl"]
22:30 -!- tjz [n=tjz@unaffiliated/tjz] has joined ##openvpn
22:33 -!- maodun [n=stopgo@114.243.119.42] has left ##openvpn []
22:36 -!- yrashk [n=yrashk@S010600179a2767ab.vc.shawcable.net] has left ##openvpn []
22:52 -!- xod [n=onats@112.201.158.40] has joined ##openvpn
23:03 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
23:30 -!- freaky[t] [i=alpha@member.team-box.net] has quit [Remote closed the connection]
23:35 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn
23:55 -!- hyper_away is now known as hyper_ch
--- Day changed Tue Jan 12 2010
00:01 -!- hyper_ch is now known as hyper_away
00:03 -!- hyper_away is now known as hyper_ch
00:03 -!- hyper_ch is now known as hyper_away
00:04 -!- hyper_away is now known as hyper_ch
01:20 -!- freaky[t] [i=alpha@member.team-box.net] has quit [Read error: 60 (Operation timed out)]
01:26 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn
01:45 -!- simplechat_ [n=simple@unaffiliated/simplechat] has joined ##openvpn
01:45 < simplechat_> Hi, I'm trying to set up bridged mode openvpn and it is failing oddly
01:46 < simplechat_> and i can't seem to find anything useful via google
01:46 < simplechat_> the interfaces have bridged properly (to br0)
01:46 < simplechat_> i have routes client side to the other network, with the gateway set, however no data is transfered through either tap
01:47 < simplechat_> 192.168.3.0     192.168.3.1     255.255.255.0   UG    0      0        0 tap0
01:47 < simplechat_> 192.168.3.0     *               255.255.255.0   U     0      0        0 tap0
01:47 < simplechat_>  is the output client side
01:47 < simplechat_> from route
01:50 < endre> you know how bridge works, don't you?
01:50 < simplechat_> i'm using bridge.sh
01:50 < endre> that was not the right answer.
01:50 < simplechat_> how would i conferm?
01:50 < simplechat_> http://pastebin.ca/1747981 is the output from ifconfig
01:50 -!- hyper_ch [n=hyper_ch@ks357331.kimsufi.com] has left ##openvpn []
01:51 < endre> can you see the mac addresses of the other side at the bridge?
01:51 < endre> you can dump the tap interface as welll
01:52 < simplechat_> more information?
01:52 -!- hyper_ch [n=hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
01:52 < endre> i won't do it for you
01:53 < simplechat_> endre, if you can tell me enough that i can google it, i'd be much grateful
01:54 < endre> google on tcpdump brctl first
01:54 < simplechat_> so i want to tcpdump the interface?
01:55 < cron2> you need to tcpdump the tap0 (to see whether packets from the LAN are properly bridged into tap0) - and also the tap0 on the server side, to see if packets arrive
01:56 < simplechat_> so run tcpdump on tap0
01:56 < simplechat_> and then attempt a tcp connection through?
01:56 < cron2> yes
01:56 < cron2> start with ping
01:56 < simplechat_> ok
01:56 < simplechat_> if it changes anything, this is a deb stable vm
01:57 < endre> is there any #openvpn-advanced?
01:57 < endre> or -dev?
01:57 < simplechat_> 07:57:56.617194 IP6 fe80::1440:5758:e2e5:47e2.52803 > ff02::c.1900: UDP, length 146
01:57 < simplechat_> does that mean anything?
01:57 < cron2> endre: well, there's the -dev mailing list
01:58 < simplechat_> its the only thing that i'm getting from tcpdump
01:58 < endre> not really except if the source lladdr is on the other network
01:58 < simplechat_> ping comes back Destination Host unreachable
01:58 < cron2> simplechat_: that's IPv6.  if that's all you get, your bridge config is not right
01:58 < simplechat_> yeah
01:58 < simplechat_> and 07:58:33.238361 arp who-has 192.168.3.201 tell BROADWAYROUTER
01:58 < endre> yup
01:59 < cron2> now that's better
01:59 < endre> at least arp is getting on the interface
01:59 < simplechat_> yeah
01:59 < simplechat_> but 201 is on the other side
01:59 < simplechat_> i've assigned openvpn .50 to .75
01:59 < cron2> well, that's the point: it's trying to figure out how to find .201
01:59 < endre> you not assigned anytinh
01:59 < endre> anything
01:59 < endre> using tap is above of ip addresses and all
01:59 < cron2> and since tap/bridge is ethernet it needs to do ARP for that - that ARP packet needs to arrive at the server side, be bridged to the server side LAN, and be answered by whoever has the .201
02:00 < endre> u are mixing tun and tap characteristics
02:00 < cron2> endre: I'd call it "below" :)
02:00 < endre> tap is like ethernet
02:00 < endre> cron2: i try to be like 'for dummies'. i know iso/osi model as well.
02:00 < cron2> endre: but still, with "server-bridge" you can have the OpenVPN server hand out IP addresses for the client's tap interfaces
02:00 < endre> fuck me, i use dhcp
02:00 < simplechat_> hmmmm
02:00 < simplechat_> :(
02:01 < simplechat_> damnit this stuff is painful
02:01 < cron2> endre: in that case, yes, openvpn tap is "just plain ethernet" :-)
02:01 < endre> :)
02:02 < simplechat_> hmmm
02:02 < simplechat_> would seeing my openvpn.conf help?
02:03 < cron2> I think it's more an issue of the bridge config on the server side
02:03 < cron2> since you see the ARP going out on the client side - that should be sufficient to make the client side work
02:03 < simplechat_> cron2, i was tcpdumping on the server
02:05 < cron2> simplechat: ah.  good: the OpenVPN part is transporting the packet to the server. Now the question is: does the packet travel from the server's tap0 to the server's eth0 (->bridge config on server side).  Run "tcpdump -n arp -i $physical_ethernet" on the server side, and try the ping again
02:05 < simplechat_> hmmmm
02:05 < simplechat_> so eth0?
02:06 < cron2> we can't know :-) - could be eth17.  but eth0 is quite likely :)
02:06 < simplechat_> 08:06:19.232696 arp who-has 192.168.3.1 tell 192.168.3.181
02:06 < simplechat_> 08:06:19.233150 arp reply 192.168.3.1 is-at 00:24:8c:8d:08:2e
02:06 < simplechat_> 3.1 is the gateway
02:06 < simplechat_> 181 is itsef
02:06 < simplechat_> i'm 3.50
02:07 < endre> seems like bridge is defunct
02:07 < endre> brctl show
02:07 < cron2> ok, I got confused about the arp packet above.  Let's do a step back
02:07 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:07 < cron2> if you do a "ping 192.168.3.1" from the client side, you need to see an ARP from 3.50->3.1 on the client tap0, on the server tap0, and on the server eth0
02:08 < cron2> there is no good tcpdumping the server side unless you see *this* ARP on the client tap0
02:09 < simplechat_> bridge name	bridge id		STP enabled	interfaces
02:09 < simplechat_> br0		8000.00163e8cd05e	no		eth0
02:09 < simplechat_> 							tap0
02:09 < cron2> problem could be client bridge/client ifconfig, openvpn, and server bridge config - and this needs to be analyzed systematically, starting with the client bridge (to make sure the packet is actually entering the client's openvpn interface)
02:09 < endre> this looks good
02:09 < cron2> simplechat_: is this client or server side?
02:09 < simplechat_> server side
02:10 < simplechat_> client has no bridge, that i can see
02:10 < cron2> ok.  less stuff to worry about
02:10 < simplechat_> ok
02:10 < cron2> so please run the "ping" command while watching "tcpdump -n -i tap0 arp" on the client side
02:10 < cron2> (or make that "tcpdump -n -i tap0 arp or icmp")
02:11 < simplechat_> client side?
02:11 < cron2> yes, client side.
02:11 < endre> yeah
02:12 < endre> you should start it on server side as well
02:12 < cron2> first, make sure that the client kernel is handing the packet *to* openvpn, in the first place
02:12 < simplechat_> 19:12:23.208741 arp who-has 192.168.3.1 tell 192.168.3.50
02:12 < simplechat_> 19:12:24.208747 arp who-has 192.168.3.1 tell 192.168.3.50
02:12 < simplechat_> 19:12:25.208746 arp who-has 192.168.3.1 tell 192.168.3.50
02:12 < simplechat_> 19:12:26.216736 arp who-has 192.168.3.1 tell 192.168.3.50
02:12 < simplechat_> on client
02:12 < simplechat_> on server nothing
02:13 < cron2> my interpretation: client side ifconfig is fine, but tap-in-openvpn is failing.  is there anythign in the server side openvpn log?
02:14 < jmm> hi.
02:14 < simplechat_> openvpn-status.log?
02:14 < simplechat_> jmm, hey
02:16 < simplechat_> cron2, what sort of things am i looking for?
02:16 < cron2> simplechat: I'm not sure "something that looks like an error or warning"
02:17 < simplechat_> nothing
02:18 < cron2> hmmm.  is there an openvpn-status.log on the server side?
02:18 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: krzie, Optic, ribasushi, jaek_, corretico, bytesaber_, mrnice1, krphop, plundra, vpnHelper
02:18 < simplechat_> yeah
02:18 < simplechat_> well
02:18 < simplechat_> i'm looking at the servers one
02:19 < simplechat_> i get Tue Jan 12 19:15:19 2010 PUSH: Received control message: 'PUSH_REPLY,route 192.168.3.0 255.255.255.0,route-gateway 192.168.3.1,ping 10,ping-restart 120,ifconfig 192.168.3.50 255.255.255.0'
02:19 < simplechat_> Tue Jan 12 19:15:19 2010 /sbin/ifconfig tap0 192.168.3.50 netmask 255.255.255.0 mtu 1500 broadcast 192.168.3.255
02:19 < simplechat_> Tue Jan 12 19:15:19 2010 /sbin/route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.3.1
02:19 < cron2> that's the client side
02:19 < simplechat_> Tue Jan 12 19:15:19 2010 ROUTE default_gateway=192.168.1.1
02:19 < simplechat_> thats odd
02:20 < cron2> the route 192.168.3.0/24 -> 192.168.3.1 looks confusing - it shouldn't be there if your LAN is 192.168.3.x
02:20 -!- Netsplit over, joins: ribasushi, vpnHelper, corretico, jaek_, plundra, mrnice1, bytesaber_, krzie, krphop, Optic
02:22 < simplechat_> my lan is 1.
02:22 < simplechat_> the lan on the servers side is 3.
02:22 < cron2> in that case, that's all fine (because that is your local default gateway)
02:23 < cron2> but still, the "push route 192.168.3.0..." part is wrong - the server should not push a route for the network connected to the tap interface
02:24 < simplechat_> so that shouldn't be in there?
02:24 < cron2> yes
02:24 < simplechat_> i added it to my servers openvpn.conf
02:24 < cron2> that is quite obvious :)
02:25 < simplechat_> still won't do it
02:25 < simplechat_> without the push
02:25 < cron2> I think we need to see client & server openvpn.conf now...
02:26 < reiffert> moin..
02:27 -!- simplechat [n=simple@unaffiliated/simplechat] has joined ##openvpn
02:27 < simplechat> that was odd
02:27 -!- simplechat [n=simple@unaffiliated/simplechat] has quit ["Leaving"]
02:28 < simplechat_> ok
02:29 < simplechat_> http://pastebin.ca/1748010
02:29 < simplechat_> wait
02:29 < simplechat_> ok
02:29 < simplechat_> right one
02:30 < cron2> ok, and the server side?
02:30 < reiffert> cron2: there are various commands with the vpnHelper bot in here. Like !logs !configs and !interfaces
02:32 < cron2> reiffert: yes, I've noticed people use that.  Nice tool.
02:36 < simplechat_> sorry
02:36 < simplechat_> server was kind of screwed up :(
02:36 < simplechat_> http://pastebin.ca/1748014
02:39 < cron2> mmmh.  this looks right.  What I'd do now is to increase "verb" to 5 or 6 on both sides, and see if there is something in the logs when you run ping - the client should tell you that it's sending to the server (or an error message), and the server should receive something
02:40 < reiffert> guess he was removing the push route just seconds before .. let him see if it works properly now
02:40 < cron2> the push route was wrong, but should not actually cause harm - we saw ARP packets going into the client tap, but coming out of the server tap.  That's independent of routing issues
02:41 < cron2> "... but not coming out of the server tap"
02:41 < simplechat_> getting reads/writes
02:41 < cron2> sorry
02:41 < simplechat_> cron2, what should the route be?
02:41 < simplechat_> never hurts to fix something
02:41 < cron2> simplechat_: no route.  this is ethernet
02:41 < simplechat_> cron2, but this is over tap?
02:41 < cron2> tap is ethernet
02:41 < cron2> tap is ethernet
02:41 < cron2> tap is ethernet
02:42 < simplechat_> k
02:42 < cron2> back to the read/write: you see something every 10 seconds, when the "ping" timeout fires.  Then you should see activity as soon as there is something happening in "tcpdump -i tap0" on the client
02:42 < reiffert> -n
02:43 < cron2> for this sort of debugging it can help to increase the "keepalive" settings to something very high (keepalive 300 900) or even turn it off
02:43 < simplechat_> when i run the ping command i get continuous reads/writes on both sides
02:43 < simplechat_> Tue Jan 12 08:41:53 2010 us=708886 alex-desktop/123.243.79.139:49128 TUN WRITE [42]
02:43 < simplechat_> Tue Jan 12 08:42:00 2010 us=48722 alex-desktop/123.243.79.139:49128 UDPv4 WRITE [53] to 123.243.79.139:49128: P_DATA_V1 kid=0 DATA len=52
02:43 < cron2> that's the ARP packet going out
02:43 < simplechat_> the key i'm connecting from is called alex-desktop
02:44 < cron2> mmmh.  if that was the server log, it's a packet going server->client, so you really should see something in the client's "tcpdump -n -i tap0"
02:45 < cron2> (and each WRITE on the server should bring a READ on the client, and vice versa)
02:45 < simplechat_> that was server log
02:45 < simplechat_> Tue Jan 12 19:41:33 2010 us=417768 TUN READ [42]
02:45 < simplechat_> Tue Jan 12 19:41:33 2010 us=417834 UDPv4 WRITE [77] to 110.174.4.223:1194: P_DATA_V1 kid=0 DATA len=76
02:45 < simplechat_> Tue Jan 12 19:41:39 2010 us=796555 UDPv4 READ [53] from 110.174.4.223:1194: P_DATA_V1 kid=0 DATA len=52
02:45 < simplechat_> on client
02:47 < cron2> well.  this could very well be the "ping" packets -> please turn off "keepalive" in the server config, restart the server, reconnect, and then re-test
02:47 < cron2> run ping, see what happens in the client "tcpdump -n -i tap0", in the client openvpn log, in the server openvpn log, in the server "tcpdump -n -i tap0" and figure out where the packet is lost
02:48 -!- Intensity [i=[exNgvKL@unaffiliated/intensity] has quit [Remote closed the connection]
02:48 < simplechat_> theres a fair amount of traffic
02:49 < cron2> you need to correlate what's going on in all 4 observation points to see why it is not working
02:49 < simplechat_> ok
02:50 -!- Schlaubi [n=daniel@p5B0A151B.dip0.t-ipconnect.de] has joined ##openvpn
02:50 < cron2> client arp -> visible in tcpdump on client -> WRITE on client openvpn -> READ on server openvpn -> visible in server TAP.  ARP reply -> other direction.
02:50 < simplechat_> ok
02:51 < cron2> well, that ws simplified a bit, it's actually "TUN READ, UDP WRITE on client", etc.
02:51 < simplechat_> the two openvpns are sending/recieving stuff every few seconds
02:51 < cron2> have you turned off keepalive?
02:51 < simplechat_> yep
02:51 < simplechat_> and it turns off when i turn off ping
02:51 < simplechat_> so its getting through openvpn
02:52 < cron2> good
02:52 < simplechat_> client side has continuous stream of arp packets
02:52 < simplechat_> server side has a stream of
02:52 < simplechat_> 08:51:53.535890 IP6 fe80::1440:5758:e2e5:47e2.52803 > ff02::c.1900: UDP, length 146
02:52 < simplechat_> for no apparent reason
02:52 < cron2> that's some host on IPv6 trying DHCPv6 (most likely).  Noisy, but should not harm
02:52 < simplechat_> ok
02:52 < simplechat_> yeah
02:53 < simplechat_> nothing on the servers end
02:53 < cron2> ok, which interface is the server using?  is it using tap0 or tap1?
02:53 < simplechat_> nothing
02:53 < simplechat_> so its a problem with the bridge?
02:53 < cron2> I just remembered: to make a bridge config work, you need to pre-create the tap interface and tell the openvpn server to connect to "dev tap0" not "dev tap" (which will use the first available(!) tap device)
02:54 < simplechat_> wow
02:54 < simplechat_> and now its working
02:54 < simplechat_> holy shit cron2
02:54 < simplechat_> thanks :D
02:55 < cron2> stupid me, could have remembered that earlier :-)
02:55 < cron2> glad that it's working now
02:56 -!- Schlaubi [n=daniel@p5B0A151B.dip0.t-ipconnect.de] has left ##openvpn ["Verlassend"]
02:56 < cron2> reiffert: is there a command in VPN-Helper that will point to the most likely "tap/bridge" mistakes?  I think this must be one of them :-)
02:56 < reiffert> cron2: I remember that openvpn has issues when running on vmware.. it really sounds like one of them.
02:57 < reiffert> cron2: unfourtunatly I dont remember any vpnHelper factoids
02:57 -!- int [n=quassel@wikia/int] has quit [Read error: 113 (No route to host)]
02:57 < reiffert> !factoids search --values bridge
02:57 < vpnHelper> reiffert: 'bridge', 'samba', 'tap', and 'bridge-dhcp'
02:57 < reiffert> !bridge
02:57 < vpnHelper> reiffert: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for anything where the protocol uses MAC addresses instead of IP
02:57 < vpnHelper> reiffert: addresses. (but not samba, see !wins)
02:57 < cron2> reiffert: no, that was really "dev tap" allocating "tap1" while the bridge is connected to "tap0"
02:57 < reiffert> !tap
02:57 < vpnHelper> reiffert: "tap" is "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming,
02:57 < vpnHelper> reiffert: anything where the protocol uses MAC addresses instead of IP addresses.
02:58 < reiffert> !factoids search --values tap0
02:58 < vpnHelper> reiffert: No keys matched that query.
02:58 < reiffert> simplechat_: is there vmware involved anywhere?
02:58 < cron2> oh well, the ethernet-bridging.html has "dev tap0" in there, quite explicitely so :-)
02:59 < reiffert> 08:56 < simplechat_> if it changes anything, this is a deb stable vm
03:00 < cron2> reiffert: we got it to work now :-)
03:00 < reiffert> ?
03:00 < cron2> it was really "dev tap" vs. "dev tap0".  I was just wondering whether there is a FAQ available that covers this - and yes, it is (!tap has the relevant lines)
03:00 < reiffert> 09:54 < simplechat_> and now its working
03:01 < reiffert> Ah well, you can have dev tap as well and use a shell script adding the next interface to the bridge
03:02 < simplechat_> reiffert, nope
03:02 < simplechat_> xen
03:02 < simplechat_> this is amd64 debian lenny running the latest version of xen from the stable repos
03:03 < reiffert> :) anyway, time to get some work done
03:06 < simplechat_> kk
03:07 -!- master_o1_master [n=master_o@p57B55E0F.dip.t-dialin.net] has joined ##openvpn
03:18 -!- master_of_master [i=master_o@p57B547AC.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
03:36 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)]
03:46 -!- dunc [n=dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
03:47 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:10 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
04:22 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
04:37 -!- dazo_afk is now known as dazo
04:42 -!- ribasushi [n=rabbit@dslb-084-063-001-106.pools.arcor-ip.net] has left ##openvpn ["Leaving"]
04:52 -!- Intensity [i=[3HRxiKb@unaffiliated/intensity] has joined ##openvpn
04:56 -!- trap [n=trap@host86-168-121-116.range86-168.btcentralplus.com] has joined ##openvpn
05:08 -!- Intensity [i=[3HRxiKb@unaffiliated/intensity] has quit [Remote closed the connection]
05:20 -!- trap is now known as lalaland
05:21 -!- lalaland is now known as blabland
05:29 < reiffert> !tcp
05:29 < vpnHelper> reiffert: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
05:29 < mithridates> !management
05:29 < vpnHelper> mithridates: Error: "management" is not a valid command.
05:29 < mithridates> reiffert: how can I use management interface? should I put management in the configuration file?
05:30 < reiffert> echo "openvpn management" | google
05:30 < reiffert> first link.
05:30 < mithridates> tnx
05:45 -!- dunc_ [n=dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
05:59 -!- dunc [n=dunc@fenchurch.ipv6.braddon.org.uk] has quit [Read error: 111 (Connection refused)]
06:08 < mithridates> !manage
06:08 < vpnHelper> mithridates: Error: "manage" is not a valid command.
06:09 < mithridates> !factoids search manage
06:09 < vpnHelper> mithridates: No keys matched that query.
06:13 < reiffert> !factoids search --values management
06:13 < vpnHelper> reiffert: 'mgmt' and 'mgmt'
06:13 < reiffert> !mgmt
06:13 < vpnHelper> reiffert: "mgmt" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/management-interface.html, or (#2) http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn/management/management-notes.txt
06:17 < mithridates> tnx reiffert
06:17 < mithridates> have you ever heard about ZERINA ?
06:18 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)]
06:19 < reiffert> no.
06:19 < mithridates> :D I found the gui interface for openvpn
06:20 < mithridates> check it http://www.openvpn.eu/index.php?id=35&L=1
06:20 < vpnHelper> Title: ZERINA for IPCop: OpenVPN e.V. (at www.openvpn.eu)
06:20 < reiffert> no.
06:20 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:23 < mithridates> !factoids search --values zerina
06:23 < vpnHelper> mithridates: No keys matched that query.
06:24 < mithridates> !factoids search --values gui
06:24 < vpnHelper> mithridates: 'winpass', 'pfsense', 'activedirectory', 'webgui', and 'tunnelblick'
06:24 < vpnHelper> New forum entry openvpnforum: Wishlist :: Re: Statistics Offloading :: Reply by dazo <http://www.ovpnforum.com/viewtopic.php?f=10&t=2413&p=2825#p2825>
06:24 < mithridates> !factoids search --values web
06:24 < vpnHelper> mithridates: 'pastebin', 'pfsense', 'webgui', 'paste', and 'nopaste'
06:38 < zxd> Hi
06:38 < mithridates> hi
06:38 < zxd> what's the proper way to add custom  ip route add , commands once Tun0 interface comes up?
06:39 -!- APTX| is now known as APTXderZweite
06:39 < mithridates> custom ip for different clients?
06:40 -!- APTX|_ is now known as APTX|
06:40 < mithridates> may be !ccd
06:40 < mithridates> !ccd
06:40 < vpnHelper> mithridates: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
06:40 < mithridates> then put your configuration for route in that config file
06:41 < mithridates> but wait more and ask other people
06:41 < mithridates> because I'm newbie in openvpn
06:42 < zxd> ip route add default via 10.8.0.6 dev tun0 table T1
06:42 < zxd> per example
06:43 < mithridates> I donno man , I'm sorry
06:54 -!- APTX| is now known as APTX
06:58 -!- corrideat [n=tor@CAcert/user/corrideat] has joined ##openvpn
06:59 < Bushmills> zxd: ccd and push "route..."  if server side, you can also  route ...   client side
07:00 < zxd> Bushmills, the push " route ...  is a raw command?
07:01 < Bushmills> no. accepts ip/net, netmask and gateway as args
07:01 < zxd> my command uses iproute2
07:01 < zxd> with table T1  as argument
07:02 -!- APTX is now known as APTX|
07:02 -!- APTX| is now known as APTX|_
07:02 -!- APTX|_ is now known as APTX
07:03 < Bushmills>  --iproute cmd
07:03 < Bushmills>  Set  alternate  command  to  execute instead of default iproute2 command.
07:05 < Bushmills>  --route-up cmd -  Execute shell command cmd after routes  are  added
07:11 -!- mode/##openvpn [-c] by ChanServ
07:25 < mithridates> !mgmt
07:25 < vpnHelper> mithridates: "mgmt" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/management-interface.html, or (#2) http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn/management/management-notes.txt
07:29 < zxd> should --tun-mtu be the same as the mtu of the physical interface to avoid fragmantation ?
07:35 < ecrist> no
07:35 < ecrist> !mtu
07:35 < vpnHelper> ecrist: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
07:35 < zxd> what?
07:36 < zxd> it shows an MTU higher than 1500
07:45 < havoc> yeah, found some issues w/ openvpn on windows, specifically easy-rsa, which I guess isn't really an openvpn issue
07:46 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
07:50 -!- dunc_ [n=dunc@fenchurch.ipv6.braddon.org.uk] has quit ["Leaving"]
07:50 < ecrist> easy-rsa sucks
07:52 < havoc> anyway, they just need to quote pathnames
07:53 < ecrist> easy-rsa is developed by OpenVPN
07:53 < havoc> ah
07:55 -!- kyrix [n=ashley@mail.ic-vienna.at] has joined ##openvpn
07:59 < zxd> L:1542
07:59 < zxd> why does it say 1542 for mtu
08:00 -!- Sonderblade [n=meh@h-52-159.A157.priv.bahnhof.se] has joined ##openvpn
08:00 -!- mithridates1 [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
08:00 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit ["Leaving."]
08:12 -!- Schlaubi [n=daniel@p5B0A151B.dip0.t-ipconnect.de] has joined ##openvpn
08:12 -!- Schlaubi [n=daniel@p5B0A151B.dip0.t-ipconnect.de] has left ##openvpn ["Verlassend"]
08:21 -!- Sonderblade [n=meh@h-52-159.A157.priv.bahnhof.se] has quit ["Lämnar"]
08:23 -!- mattock [n=samuli@sparkgw.utu.fi] has joined ##openvpn
08:23 -!- mode/##openvpn [+o mattock] by ChanServ
08:32 -!- kenrick86 [n=john@c-65-34-160-25.hsd1.fl.comcast.net] has joined ##Openvpn
08:32 < kenrick86> !welcome
08:32 < vpnHelper> kenrick86: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:33 < kenrick86> hello
08:33 -!- dazo changed the topic of ##openvpn to: OpenVPNn Development Forum Tuesday, Jan 12 1900UTC on ##openvpn-discussion | OpenVPN 2.1.1 most current. | Type !welcome before asking your questions.
08:33 < kenrick86> !howto
08:33 < vpnHelper> kenrick86: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:34 < kenrick86> !redirect 
08:34 < vpnHelper> kenrick86: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
08:34 < kenrick86> !def1
08:34 < vpnHelper> kenrick86: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
08:34 < kenrick86> !ipforward
08:34 < vpnHelper> kenrick86: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
08:35 < kenrick86> i have an issue and i can't seem to figure this out
08:35 < kenrick86> i have a CentOS Red Hat vps to Openvpn setup
08:36 < dazo> !configs
08:36 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
08:36 < dazo> !logs
08:36 < vpnHelper> dazo: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
08:36 < dazo> !pastebin
08:36 < vpnHelper> dazo: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
08:36 < dazo> !goal
08:36 < vpnHelper> dazo: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:36 < kenrick86> problem is: they connect but when i'm browsing with the VPN on client end it forwards my ISP of my regular ISP instead of the VPS IP
08:37 < dazo> kenrick86:  that's related to !redirect 
08:37 < dazo> !redirect
08:37 < vpnHelper> dazo: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
08:38 < dazo> !linipforward
08:38 < vpnHelper> dazo: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
08:38 < dazo> !linnat
08:38 < vpnHelper> dazo: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
08:38 < kenrick86> so its not an iptables issue?
08:38 < kenrick86> ok cool let me see
08:38 < kenrick86> thanks
08:39 < dazo> if your VPN client uses your local ISP address when surfing the net .... then it is clearly a local routing issue, as default gateway is not setup to use the VPN tunnel
08:40 < kenrick86> one more question I have....my IT set the VPS VPN config to send request to the 10.66.77.1 but the VPN connection on client end is 10.66.77.2
08:40 < kenrick86> i put the 10.66.77.1 in broswer settings with port and nothing loads
08:40 -!- cyberninja [n=user@CPE-58-170-30-196.lns9.cht.bigpond.net.au] has joined ##openvpn
08:41 < kenrick86> i put the 10.66.77.2 in browser like the client says when connected with port and it loads webpages
08:41  * dazo don't understand
08:41 < kenrick86> so am i supposed to be using the 10.66.77.1 or 10.66.77.2 in browser?
08:42 < dazo> you have a webserver on the VPS server you want to access over the VPN?
08:42 < kenrick86> yeah
08:42 < kenrick86> this is the setup I want that he's trying to succeed
08:43 < kenrick86> vps (IP) ---> Windows Openvpn Client---> external software on port 3128---->>browser
08:43 -!- cyberninja [n=user@CPE-58-170-30-196.lns9.cht.bigpond.net.au] has left ##openvpn []
08:44 < dazo> without !configs ... it's difficult to see the whole picture
08:46 -!- ecrist changed the topic of ##openvpn to: Developer Forum TODAY 1900UTC in ##openvpn-discussion || OpenVPN 2.1.1 Most Current | Type !welcome before asking your questions.
08:54 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:00 -!- mithridates1 [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has left ##openvpn []
09:01 < kenrick86> i have a CentOS Red Hat vps to Openvpn setup problem is: they connect but when i'm browsing with the VPN on client end it forwards my ISP of my regular ISP instead of the VPS IP here's the pastebin link to see config http://pastebin.ca/Z-8KATJf
09:03 < kenrick86> this is the setup im trying to have vps (IP) ---> Windows Openvpn Client---> external software on port 3128---->>browser
09:05 < Bushmills> tell browser to use proxy on vpn server
09:05 < kenrick86> sorry last past was bloocked here's the new link http://pastebin.ca/1748322
09:06 < kenrick86> i did the browser is using openvpn client ip with port 3128
09:06 < kenrick86> but when i use the external software with a basic anonymity ip that shows forward ip i see its forwarding my ISP ip instead of the VPS ip
09:07 < Bushmills> i suppose that software doesn't use the proxy
09:07 < kenrick86> please see my openvpn setup http://pastebin.ca/1748322 and help me forward the VPS IP to Openvpn
09:07 < Bushmills> your problem is not an openvpn problem. it is a matter of setting your client routing right.,
09:08 < kenrick86> oh
09:08 < kenrick86> i pasted my client config in that link also
09:09 < kenrick86> in the client config part under add route what do you suggest I put
09:11 < Bushmills> route the destination host or net which you want to go over vpn so that it uses vpn server as gateway.
09:12 < Bushmills> or that it simply gets there. in case of proxy,  vpn server isn't gateway. just destination. 
09:13 < kenrick86> so if I uncomment that line in Addroute
09:13 < kenrick86> it should work?
09:13 < Bushmills> configure your client so that the programs you want to use vpn such that they access one of the vpn-routed ip addresses as destination.
09:15 < kenrick86> im a newbie
09:15 < kenrick86> can you please be a bit more specific
09:15 < kenrick86> like what would i have to add to my client config exactly...example please
09:16 < kenrick86> my IT isn't online right now either for him to help me either
09:16 < Bushmills> set your  quote external software with a basic anonymity ip unquote to use your proxy on vpn server
09:16 < Bushmills> difficult to get more specific if you lack such
09:18 < Bushmills> if you run a tor proxy on server, set browser proxy to server:torproxyport. if you run squid on server, set browser proxy to server:squidport 
09:19 < kenrick86> i have apache
09:19 < Bushmills> on port 3128?
09:20 < kenrick86> the VPS ip is on port 8080
09:23 < kenrick86> ok i set browser on the server ip:port
09:25 < kenrick86> the external software on windows in preferences in network there's only internal where I can put the port for internal proxy settings
09:37 -!- mattock [n=samuli@sparkgw.utu.fi] has quit ["Leaving."]
09:57 < mintaka> i need to get this openvpn POS to connect as unpriviledged user
09:58 -!- Kasx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
09:58 -!- mode/##openvpn [+v Kasx] by ChanServ
10:02 < mintaka> is there a guide or something 
10:03 < mintaka> !manual
10:03 < vpnHelper> mintaka: Error: "manual" is not a valid command.
10:03 < mintaka> !guide
10:03 < vpnHelper> mintaka: Error: "guide" is not a valid command.
10:05 < dazo> !man
10:05 < vpnHelper> dazo: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
10:06 < dazo> mintaka:  ^^
10:06 < mintaka> is there something else
10:06 < mintaka> i tried that
10:07 < mintaka> i still didnt get it to work
10:07 < mintaka> i think it may be ubunts fault
10:07 < dazo> !ubuntu
10:07 < vpnHelper> dazo: "ubuntu" is dont use network manager!
10:07 < dazo> mintaka:  which version are you running of openvpn?
10:08 < mintaka> 2.1
10:09 < mintaka> i tried running the openvpn.net guide for 2.0 regarding the unpriv setup
10:09 < mintaka> it didnt work but ill have to try it again
10:09 < dazo> mintaka:  which 2.1 version?
10:09 < mintaka> 2.1 rc19
10:10 -!- kenrick1986 [n=john@c-65-34-160-25.hsd1.fl.comcast.net] has joined ##Openvpn
10:11 < dazo> oki ... rc19 is good enough
10:12 -!- Guest4252 [n=vamsi@121.245.60.203] has joined ##openvpn
10:14 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 110 (Connection timed out)]
10:22 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
10:23 -!- LobbyZ [n=default@main.lobbyzffs.com] has quit ["Free FTW"]
10:27 -!- kenrick86 [n=john@c-65-34-160-25.hsd1.fl.comcast.net] has quit [Read error: 113 (No route to host)]
10:30 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
10:32 -!- kenrick1986 [n=john@c-65-34-160-25.hsd1.fl.comcast.net] has quit [Read error: 113 (No route to host)]
10:33 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 60 (Operation timed out)]
10:37 < flo|va-nu-pied> hi all 
10:41 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
10:42 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
10:44 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
10:44 -!- mode/##openvpn [+o mattock] by ChanServ
10:45 -!- Guest4252 [n=vamsi@121.245.60.203] has quit ["Leaving"]
11:02 -!- simplechat_ [n=simple@unaffiliated/simplechat] has quit [Read error: 54 (Connection reset by peer)]
11:02 -!- LobbyZ [n=default@main.lobbyzffs.com] has joined ##openvpn
11:07 -!- Diffen [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
11:14 < Diffen> Evning. hmm have i missed out one something regarding the route? i just want to route 130.239.8.25 and nothing else. when i connect to openvpn everyting works fine except the 130.239.8.25 route. http://pastebin.com/d10c4acf2
11:25 < flo|va-nu-pied> you want this route to be knowned by your VPN clients ?
11:25 < flo|va-nu-pied> don't you need to use ccd directory and iroute directive ? (not sure about it)
11:26 < Diffen> yes i want the route to known by all clients
11:26 < flo|va-nu-pied> do you have anything regarding this directive in your logs ?
11:27 < flo|va-nu-pied> to check the action is correctly done on the clients side or not
11:27 < Diffen> i think its known, got this: 130.239.8.25	192.168.98.5	UGS	0	2	1500	 tun0
11:27 < Diffen> let me check the logs
11:29 < flo|va-nu-pied> this given route has been found on the client side ?
11:29 < Diffen> yes
11:29 < Diffen> http://pastebin.com/d735e42b6 from the server log
11:30 < flo|va-nu-pied> does 192.168.98.1 know the route to reach host ? 130.239.8.25
11:31 < Diffen> yes
11:31 < flo|va-nu-pied> I mean from the client when you try to ping ip 130.239.8.25 what does it answer ?
11:31 < blabland> anybody know of some wlel known trustworthy vpn providers ? 
11:32 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
11:32 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
11:32 < Diffen> flo ahh ok the server reaches the ip when i do a trace. the client does not
11:33 < flo|va-nu-pied> is ip_forwarding enabled on the server ?
11:34 < Diffen> i guess so. if i use #push "redirect-gateway def1" everything works fine
11:34 < Diffen> all traffic uses the openvpnserver from the client
11:34 < Diffen> but not if i remove it
11:35 < flo|va-nu-pied> so leave it on :)
11:35 < Diffen> hehe cant :) i dont want to route all traffic through the vpn tunnel :(
11:36 < flo|va-nu-pied> and you didn't answered about the output of ping from client side ?
11:36 < Diffen> sorry no the client cant ping the ip
11:36 < Diffen> and if i do a trace it get stucked at the vpnserver
11:37 < flo|va-nu-pied> ok so the config is ok IMO
11:37 < Diffen> yes
11:37 < flo|va-nu-pied> any firewall rule on the server ?
11:37 < Diffen> nope no firewall on the server
11:37 < Diffen> the server is a single-nic directly connect to internet
11:38 < flo|va-nu-pied> hum ...
11:38 < flo|va-nu-pied> no idea anymore for the moment :)
11:38 < flo|va-nu-pied> sorry :)
11:39 < Diffen> its ok. thanks for you time anyway :D
11:39 < flo|va-nu-pied> ;)
11:41 -!- Intensity [i=[4twWOV+@unaffiliated/intensity] has joined ##openvpn
11:56 -!- Kaspx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
11:56 -!- mode/##openvpn [+v Kaspx] by ChanServ
11:59 -!- notneb_ [n=email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
11:59 -!- mode/##openvpn [+v notneb_] by ChanServ
12:01 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
12:04 -!- openvpn2009 [n=email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 60 (Operation timed out)]
12:06 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)]
12:15 -!- Kasx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 110 (Connection timed out)]
12:23 -!- xamox [n=xamox@68-28-137-226.pools.spcsdns.net] has joined ##openvpn
12:23 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
12:23 < xamox> Quick question and probably stupid but can I use openVPN as a socks proxy like I can with SSH?
12:25 < rob0> uh, no ... what openvpn gives you is a tunneled IP address. What you can do with that IP address is limited only by bandwidth and your imagination.
12:27 < Bushmills> xamox: you can securely connect to a remote socks proxy with openvpn
12:31 < xamox> rob0, so for instance when I setup my VPN and connect to it. How would I tell firefox to route my internet traffic through it? Or is this not possible?  Say I am on my work machine and they lock down a lot of sites. As of now I can use SSH and proxy on my local machine via a tunnel, is there something similar for openVPN? Excuse my ignorance as I have never used openVPN before but looking to set it up and seeing if it can replace SSH for 
12:31 < xamox> this type of functionality.
12:36 < Bushmills> xamox: possible. as you discovered: by routing.   
12:36 -!- Diffen [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Read error: 60 (Operation timed out)]
12:36 < Bushmills> alternatively, run a proxy on vpn server, and configure web browser to use that proxy
12:36 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
12:37 < xamox> Bushmills, alrighty, thanks. I just didn't know if it could support it out of the box.
12:37 < Bushmills> for client sites with locked down services, you can easily route your whole traffic through openvpn
12:37 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)]
12:38 < crazygir> when a tun interface has inet 10.0.65.1 --> 10.0.65.2, which is the address available to clients?
12:38 < Bushmills> local is 10.0.65.1. peer address is .2 . peer address is only relevant to the openvpn machine
12:38 -!- Diffen [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
12:39  * crazygir nods
12:39  * Bushmills nods back
12:39 < crazygir> going thru my setup again, still having problems with the OS routes on the vpn server
12:40 < rob0> Okay, I should revise that. Limited by bandwidth, imagination, and what you know how to do. :)
12:40 < crazygir> !welcome
12:40 < vpnHelper> crazygir: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:41 < Bushmills> rob, also limited by conceptial bounds of what one can do with a tunnel
12:42 < Bushmills> you can't get an IP address to make your laundry, for example.
12:42 < Bushmills> even if imagination and bandwidth would allow that 
12:43 < ecrist> crazygir: did you correct the route on the server?
12:43 < crazygir> that's what I'm working to sort out
12:44 < crazygir> I got a bit turned around last night and had to start fresh
12:44 < crazygir> so that's where I'm at
12:44 < rob0> Bushmills, as a matter of fact I am at work on a RFC draft for laundry over IP.
12:45 < rob0> (It has a ways to go, I doubt I'll finish in time for 2010-04-01.)
12:45 < Bushmills> still needs some sort of device, handling your laundry. an IP address alone won't do.
12:47 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
12:48 < ecrist> crazygir: if you read and follow !route, you would have been done.
12:48 < crazygir> I have read and followed route
12:48 < crazygir> the issue isn't openvpn
12:49 < crazygir> it's me and the OS playing nice ;)
12:49 < rob0> You'd be surprised what can be done by hanging dirty clothes on an active Ethernet wire. Preliminary studies suggest that IPv6 packets are more effective at removing stains, whereas IPv4 is better for general cleaning.
12:49 < hyper_ch> rob0: lol
12:50 < Bushmills> sensitive fabric and wool should be limited to 100 mbit lines. 
12:51 < rob0> Yes, and silk on 10.
12:52 < Bushmills> for space limited environments, you can hang them on wifi links
12:55 < rob0> Beware, WEP leaves an oily residue. You need strong crypto like openvpn to get that out.
12:56 -!- Schlaubi [n=daniel@p5B0A151B.dip0.t-ipconnect.de] has joined ##openvpn
12:56 -!- Schlaubi [n=daniel@p5B0A151B.dip0.t-ipconnect.de] has left ##openvpn ["Verlassend"]
13:00 < ecrist> or WPA2
13:00 < havoc> bah
13:00 < havoc> getting TLS errors :(
13:03 < havoc> "Certificate does not have key usage extension"
13:03 < havoc> bah
13:04 < ecrist> are you asking for help?
13:04 < havoc> not yet..., still googling
13:04 -!- kyrix [n=ashley@mail.ic-vienna.at] has quit ["Leaving"]
13:11 < havoc> ok, *now* I'm asking for help ;)
13:13 < havoc> getting logs....
13:13 < havoc> log: http://pastebin.com/d23db46d2
13:15 < rob0> Looks like something was wrong in the way that the cert was generated, openssl problem.
13:15 < havoc> yeah, my guess too
13:16 < havoc> indentical setup and configs to many other working installations, but this is the first one on win2k8
13:17 < rob0> Unfortunately I don't know enough about openssl to offer a useful suggestion.
13:18 < havoc> and firewall is completely disabled
13:18 < havoc> I know that can cause TLS issues
13:18 < rob0> you got through the firewall, the cert itself was rejected
13:18 < havoc> rob0: ecrist probably knows right off the top of his head, I'm just being patient until he returns
13:18 < crazygir> Bushmills / rob0 you folks rock
13:19 < crazygir> we've been talking about an IT standup routine
13:19 < crazygir> that's possible content right there
13:19 -!- ecrist changed the topic of ##openvpn to: Developer Forum in ##openvpn-discussion going on NOW || OpenVPN 2.1.1 Most Current || type !welcome before asking your questions.
13:20 < ecrist> havoc: I need your configs,
13:21 < havoc> ecrist: http://pastebin.com/d175b20b4
13:24 < ecrist> how did you build your certificates?
13:24 < havoc> with easy-rsa, according to HOWTO
13:25 < havoc> and "openvpn --genkey --secret ta.key"
13:25 < havoc> build-ca, build-key-server, build-dh, build-key
13:26 < ecrist> the log you gave me, from server or client?
13:27 < havoc> client
13:27 < havoc> lemme get server side
13:28 -!- Olrick [n=Olrick@unaffiliated/olrick] has joined ##openvpn
13:28 < havoc> ecrist: http://pastebin.com/d1e419c5b
13:30 < havoc> oh geez
13:30 < havoc> might be client side fw
13:31 < ecrist> your config looks overly complex, but otherwise valid
13:31 < havoc> I never rebooted after installing ovpn on this client
13:31 < havoc> so no fw settings available, which on winxp usually means no access
13:32 < havoc> bbiab, rebooting
13:37 < rob0> But if there was a non-default openssl.cnf being used by easy-rsa, it could change the settings ...
13:38 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
13:42 < havoc> back
13:44 < havoc> bah, no go :(
13:46 -!- flo|va-n1-pied [n=florent@85.69.202.243] has joined ##openvpn
13:47 < havoc> rob0: yeah, it's possible
13:47 < havoc> "Certificate does not have key usage extension"
13:47 < havoc> that's what's confusing me
13:48 < rob0> I would spend some time in openssl documentation looking for "key usage extension".
13:50 < havoc> http://openvpn.net/archive/openvpn-devel/2006-11/msg00024.html
13:50 < vpnHelper> Title: [Openvpn-devel] bug in easy-rsa in windows (at openvpn.net)
13:50 < havoc> already found many flaws in the win32 easy-rsa, just unquoted pathnames madae everything fail
13:52 < havoc> and: http://osdir.com/ml/java.ejbca.devel/2005-11/msg00017.html
13:52 < vpnHelper> Title: Re: nsCertType=server - msg#00017 - java.ejbca.devel (at osdir.com)
13:55 < havoc> now we wait a while for build-dh :|
13:56 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
14:03 -!- flo|va-nu-pied [n=florent@unaffiliated/flovanupied/x-758957] has quit [Read error: 110 (Connection timed out)]
14:08 < havoc> w00t!
14:08 < havoc> yeah, was that ssl key usage thing
14:14 -!- notneb_ is now known as openvpn_2009
14:14 -!- openvpn_2009 is now known as openvpn2009
14:14 -!- mode/##openvpn [+o openvpn2009] by ChanServ
14:16 -!- Irssi: ##openvpn: Total of 101 nicks [2 ops, 0 halfops, 1 voices, 98 normal]
14:24 < rob0> got it working?
14:24 -!- xamox [n=xamox@68-28-137-226.pools.spcsdns.net] has quit [Remote closed the connection]
14:24 < havoc> yup
14:25 -!- Olrick [n=Olrick@unaffiliated/olrick] has left ##openvpn []
14:25 < vpnHelper> New forum entry openvpnforum: Wishlist :: Re: bind to multiple ports :: Reply by cron2 <http://www.ovpnforum.com/viewtopic.php?f=10&t=383&p=2827#p2827> || Wishlist :: Configs From Server :: Author ecrist <http://www.ovpnforum.com/viewtopic.php?f=10&t=2441&p=2828#p2828>
14:34 < crazygir> what docs/pages would you folks suggest reading for certificate revocation? 
14:36 < ecrist> !crl
14:36 < vpnHelper> ecrist: "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with
14:36 < vpnHelper> ecrist: openvpn) that will create the CRL file for you. ssl-admin will also build a crl for you
14:38 < crazygir> thanks!
14:38 < crazygir> ecrist: I got my route issue resolved, it was partly routes and partly nat
14:39 < crazygir> :)
14:39 < ecrist> glad to hear it!
14:42 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:49 -!- dazo is now known as dazo_afk
14:52 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit ["Leaving."]
15:09 < crazygir> me too :)
15:09 < crazygir> so begins the openvpn journey.. :P
15:18  * havoc continues to fight w/ win2k8 :(
15:19 < havoc> cannot for the life of me get ovpn to give out a default gateway along w/ and IP
15:19 < havoc> s/and/sn/
15:19 < havoc> I've tried --server, --ifconfig, --route-gateway, --route (w/ all args)
15:20 < havoc> gets IP, and can ping the vpn server, but no gatewat
15:20  * havoc googles
15:24  * havoc reads about --ip-win32
15:31 -!- ribasushi [n=rabbit@dslb-084-063-001-106.pools.arcor-ip.net] has joined ##openvpn
15:33 < crazygir> save your money and drop 2k8?
15:34 < havoc> *I* do, it's for work
15:34 < havoc> all my stuff is debian
15:34 < havoc> although if I had my choice I wouldn't have anything to do with computers
15:35 -!- Martexx [n=Martexx@90.145.45.11] has joined ##openvpn
15:39 < Martexx> Hi there, i was here a week ago asking for some advice about routing, anybody here who may be able to help me? I want a setup where a client pc has a openvpn client and a desktop ip phone in the same lan will register thru the pc. I thought i would add a static route in my home router to my pc and enable ipforwarding on the pc
15:39 < Martexx> any problems ahead?
15:40 < Martexx> Need some help on the static route as well
15:40 < havoc> Martexx: so you haven't tried anything yet?
15:41 < Martexx> pc is 192.168.10/255.255.255.255 ip phone is 192.168.1.11, router is 192.168.1.1 and openvpn is 10.8.0.1/255.255.255.252
15:41 < Martexx> i did but lost the remote connection and thus the chat history and acces to my network, i was working remote
15:42 < Martexx> Im home now with a beer in my hand and a cig (ouch) in my mouth
15:43 < Martexx> ( for listeners...) havoc explained me before but i could not try it succesfully
15:43 -!- HackOrDie [n=HackOrDi@41.249.62.68] has joined ##openvpn
15:44 < Martexx> But is it that simple?
15:45 < Martexx> i add a route to 10.8.0.0/255.255.255.252 gateway 192.168.1.10 in my router and ipforwarding turned on on the pc
15:45 < Martexx> should i not add a route on the pc?
15:45 -!- kenrick86 [n=john@c-65-34-160-25.hsd1.fl.comcast.net] has joined ##OpenVPN
15:45 < Martexx> and do i need te restart for ipforwarding on windows 7 wil wordk?
15:47 < Martexx> :S
15:47 < kenrick86> has anyone ever heard of Proxyswitcher?
15:48 < Martexx> Is thids not a webservice wich lets you connect to a remote server and wich switches you on a time basis to a different proxy?
15:48 < kenrick86> i have that software on my windows set up and i'm trying to get my VPS to connect to it but proxyswitcher in network options has only internal server port
15:49 < HackOrDie> proxyswitcher i've use it for a long time
15:49 < kenrick86> so how would i get my vps ip and port to talk to proxyswitcher on its internal port 3128
15:49 < Martexx> But why use a vpn over a proxy? Is your vpn endpoint not anom anough?
15:50 < kenrick86> well heres what i'm trying to accomplish
15:50 < HackOrDie> u click on file and u click on apport from text file and in this file u made ur own
15:50 < crazygir> here's a fun one.. how do I get dns (for a remote-vpn subnet) over the vpn to a client? (specifically for windows)
15:50 < crazygir> !windows
15:51 < vpnHelper> crazygir: Error: "windows" is not a valid command.
15:51 < crazygir> arg
15:51 < crazygir> !win
15:51 < HackOrDie> evenif he's his own proxy he can use it for encrypting his data
15:51 < vpnHelper> crazygir: Error: "win" is not a valid command.
15:51 < kenrick86> I have a VPS (red hat centos)--->>to vpn---->>proxyswitcher---->browser
15:51 < HackOrDie> agaisnt man in the midlle attack
15:51 < Martexx> man in the middle on a vpn?
15:51 < HackOrDie> if he use vpn is encrypted but if not 
15:51 < Martexx> I use a vps as openvpn server, there is no man in the middle
15:52 < HackOrDie> ya if u use vpn then u are protected
15:52 < HackOrDie> i mean if u don't use vpn
15:52 < crazygir> no mitm hah
15:52 < crazygir> ssl can be broken ;)
15:53 < HackOrDie> vps in ur own server or in special companie of storga
15:53 < kenrick86> the thing is i want my ip for my VPS to route to proxy switcher so i can use the ips in proxy switcher over the IP from VPS
15:53 < kenrick86> hope that wasn't confusing ;-)
15:53 < Martexx> For me it was  :)
15:53 < HackOrDie> essl can be broken of course
15:53 < HackOrDie> ssl*
15:53 < Martexx> so you want client>openvpn>proxy?
15:54 < kenrick86> vps>vpn>proxyswitcher>browser
15:54 < Martexx> yes offcourse it can, and the risk is how big? haha if you have info wich is worthy of hacking you would not be here :)
15:54 < kenrick86> i accomplished the vps>vpn part
15:54 < crazygir> do you have to include dns in your server push to clients?
15:54 < Martexx> Im sorry i dont get the wanted picture 
15:55 < kenrick86> lol sorry let me break what i have done here
15:55 < kenrick86> my browser is on my vpn server ip on port 8080
15:55 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.86 [Firefox 3.0.17/2009122116]"]
15:55 < kenrick86> that vpn server ip (my vps IP)
15:56 < kenrick86> now that speaks to the client which is on windows
15:56 < kenrick86> before the vpn server ip talks to client, I want proxy switcher to intercept and use an ip from proxyswitcher
15:56 < Martexx> your browser connect to vps on 8080?
15:56 < kenrick86> then send to client vpn
15:56 < kenrick86> yeah
15:56 < Martexx> or is your browser on your vps
15:57 < kenrick86> my browser is on windows
15:57 < kenrick86> network settings is vpn server (my vps IP) port 8080
15:57 < Martexx> so your problem is that you want your vps to use the proxyswitcher?
15:57 < kenrick86> exactly
15:58 < Martexx> aha :)
15:58 < kenrick86> :-)
15:58 < kenrick86> now in the proxyswitcher network settings it only has internal proxy port...I can't put the VPS IP & Port for it to communicate
15:58 < Martexx> you did check with the service provider?
15:59 < Martexx> is there a linux client for this software?
15:59 < kenrick86> no only windows
15:59 < kenrick86> i thought about that too if there was a linux version :-)
15:59 < kenrick86> so in order to get linux to talk to windows i used the vpn server to client
15:59 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:59 < kenrick86> so the proxyswitcher is on the computer which is the client
16:00 < kenrick86> so now i'm wondering if there's a way to intercept client vpn>proxyswitcher>browser
16:00 < Martexx> yes but this does not tell your vps to route all trafic to proxyblabla and tell proxyblabla to accept your connection
16:00 < Martexx> I have no insight on their software, but i guesss no
16:01 < Martexx> most provider like these use the client software to generate connection and so
16:01 < kenrick86> so the best bet is to find a software to put on linux that works like proxyswitcher?
16:01 < Martexx> you have everything right but you need a way to tell your vps to use proxyblabla for external traffic.
16:02 < kenrick86> exactly
16:02 < Martexx> I guess so, there are some openvpn proxy providers! So u could use one of those
16:02 < crazygir> http://support.microsoft.com/kb/311218 <-- am I understanding this correctly.. the caveat exists (no DNS across the VPN) when the VPN gateway is the default route?
16:02 < vpnHelper> Title: Cannot Change the Binding Order for Remote Access Connections (at support.microsoft.com)
16:03 < Martexx> Then you would use something wich is opensource and understand a bit better and you would not need a vps :(
16:03 < Martexx> :)
16:03 < Martexx> ?
16:03 < kenrick86> well i want a connection like VPS to proxy switch program to VPN to browser
16:03 < kenrick86> anonymity is excellent with that ;-)
16:04 < Martexx> well ok,, if that is your choice, talk to the creators of proxyblabla :) All openvpn stuff is ok as i see it. I dont believe that you need a solution like this to be anom, but hey.. i dont have big bucks secrets
16:05 < kenrick86> ? real quick your saying if I do vps to openvpn I should be ok?
16:05 < kenrick86> with anonymity
16:05 < crazygir> do you need separate push statements for routes, DNS, WINS, etc?
16:06 < Martexx> You couls however go a different route: proxy> openvpn proxy >other proxy> vps> other openvpn> proxy
16:06 < Martexx> Thats safer
16:06 < Martexx> crazygirl: yes you do, as it is not automated you need to manualy provide the info
16:06 < kenrick86> ahh but i do marketing
16:06 < Martexx> all the info you want the network to have needs to be pushed
16:07 < kenrick86> i have leads and these networks want to see numerous ips for these leads
16:07 < kenrick86> so thats why i wanted something like proxy switcher
16:07 < Martexx> Its always a criminal who needs this kind of stuff :)))
16:07 < kenrick86> in the config of my setup
16:07 < kenrick86> not a crime
16:07 < kenrick86> not at all
16:07 < Martexx> Yes its in the manual at openvpn
16:07 < crazygir> Martexx: there's no l :) so if the vpn is not the default gateway, theoretically all is well
16:08 < Martexx> Yes and no, i depends of what you want to achive
16:08 < kenrick86> technically instead of getting edu leads to my site i actually have employees getting the leads
16:08 < crazygir> Martexx: I just want my CEO to be happy and not call me :)
16:08 < kenrick86> so to submit all these leads i need them to look like those people did on their own
16:08 < Martexx> if you want to connect to this vpn and you provide all the info there should be no problem
16:08 < crazygir> when he's in poland or somewhere inaccessible :P
16:09 < Martexx> You dont need to explain :) I dont care actualy :)) As lonf as you make money and live im well
16:09 < kenrick86> lol cool
16:09 < crazygir> Martexx: thanks!
16:09 < kenrick86> so i guess i'll find a program like proxy switcher for linux
16:09 < kenrick86> thanks Martexx
16:09 < Martexx> Crazy: Just give it a try
16:09 < Martexx> I did not do anything
16:10 < crazygir> I have.. but can only 1/2 test atm, as I'm in the network I'm VPN'ing to
16:10 < Martexx> Too bad my problem still exist :(
16:10 < kenrick86> for your comments on helping me out
16:10 < Martexx> use a proxy like kendrick :))
16:10 < kenrick86> kenrick*
16:10 < kenrick86> no d
16:10 < kenrick86> lol
16:10 < Martexx> yes thats what i meant, well if you find a client like that you are all set to go!
16:11 < crazygir> what's your problem Martexx 
16:11 < Martexx> Now.. i have a question for a very smart routing guru, anyone?
16:12 < Martexx> I need to route traffic from a desktop ip phone in the internal lan to a pc in this lan wich has a openvpn client and it needs to work :)
16:13 < Martexx> I did turn on ipforwarding on the pc, added a route on my network router to the pc and am waiting for it to magicly go working
16:13 < crazygir> heh
16:13 < Martexx> but it takes lomng
16:13 < Martexx> long
16:13 < crazygir> filtering involved?
16:13 < Martexx> no its all internal
16:13 < Martexx> and the vpn is ok
16:13 < Martexx> as in working
16:13 -!- HackOrDie [n=HackOrDi@41.249.62.68] has quit [Read error: 110 (Connection timed out)]
16:14 < Martexx> so i told my router that: traffic for 10.8.0.0/255.255.255.252 has to go to gateway 192.168.1.10
16:17 < Martexx> aha well thank you for your thoughts anyway :) Im giving up, thanks so far all!! Im off to bed as it is late here
16:17 -!- Martexx [n=Martexx@90.145.45.11] has quit [Read error: 54 (Connection reset by peer)]
16:18 -!- Martexx [n=Martexx@90.145.45.11] has joined ##openvpn
16:19 -!- Martexx [n=Martexx@90.145.45.11] has quit [Client Quit]
16:25 -!- hyper_ch is now known as aavci
16:25 -!- aavci is now known as hyper_ch
16:29 -!- diffen2 [n=diffen2@c-6075e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
16:38 -!- Diffen [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Read error: 110 (Connection timed out)]
16:42 < kenrick86> does anyone know of a program thats like proxyswitcher but for Linux?
16:42 < kenrick86> i'm looking for one but its hard to find
16:42 < kenrick86> my linux is on a VPS by the way
16:43 < havoc> yeah, I wish I knew why my clients weren't getting a default gateway :(
16:57 < Bushmills> havoc, if there wasn't one to start with, redirect-gateway without def1 might not set a new one.
17:00 < kenrick86> hey bushmills
17:00 < Bushmills> kenrick86: foxyproxy for firefox
17:01 < havoc> Bushmills: I haven't been able to set one at all
17:01 < kenrick86> is that a windows or linux?
17:02 < Bushmills> either
17:02 < havoc> windows server
17:02 < kenrick86> so i can put that on my vps?
17:02 < Bushmills> you can run it as add-on in your firefox
17:02 < kenrick86> oh cool
17:02 < kenrick86> thank you sir
17:02 < havoc> Bushmills: it's win2k8r2
17:03 < Bushmills> https://addons.mozilla.org/en-US/firefox/addon/2464
17:03 < havoc> not sure that showing you a config would help any as I've tried a couple dozen different things, all allow for a connection, but still no gateway :(
17:03 < vpnHelper> Title: FoxyProxy Standard :: Add-ons for Firefox (at addons.mozilla.org)
17:04 < Bushmills> havoc: my windows exposure approaches zero
17:04 < havoc> Bushmills: consider yourself lucky :(
17:05 < Bushmills> on the contrary
17:06 < Bushmills> meaning, i consider myself not special in that respect, but i note that there are a few unlucky souls struggling with those systems
17:06 < Bushmills> i didn't understand though why they do
17:07 < havoc> I've been running into many issues :(
17:07 < Bushmills> I hear that frequently
17:08 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: berniv6, |Mike|, ScriptFanix, zykes-, dunc, master_o1_master, aep, Typone, xod, le0,  (+13 more, use /NETSPLIT to show all of them)
17:10 -!- Netsplit over, joins: cron2, dunc, blabland, master_o1_master, xod, steelnwool, aep, le0, Zordrak, MrJK (+1 more)
17:10 -!- Netsplit over, joins: berniv6, corrideat, freaky[t], tjz, Matir, balboah, ScriptFanix, |Mike|, zykes-, Typone (+1 more)
17:29 < havoc> so, schannel.dll is what's causing the problems here
17:29 < havoc> I just don't know why
17:29 < havoc> I can connect to vpn fine, no gateway, but still connected and ping works, but cannot RDP
17:34 -!- kenrick86 [n=john@c-65-34-160-25.hsd1.fl.comcast.net] has joined ##Openvpn
17:36 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit ["Leaving."]
17:36 < kenrick86> Bushmills thanks it works but one thing how do I get Proxyswitcher to speak with the browser (which has the FoxyProxy Add on)
17:38 < Bushmills> "to speak"?
17:38 < kenrick86> yeah
17:38 < Bushmills> put it on status bar, that way you can switch proxies easily
17:39 < kenrick86> wait what you mean in the status bar
17:39 < Bushmills> but that is, you "speaking" to proxy switcher, not procy switcher to browser
17:39 < kenrick86> foxy proxy is added to my firefox
17:40 < kenrick86> foxy proxy is i set to my server IP which is the Server VPN IP
17:40 < kenrick86> so the server vpn ip = vps server ip
17:41 < kenrick86> i want foxy proxy to go to proxy switcher (which has many ips) then go to browser
17:41 < Bushmills> so if proxy runs on vpn server, you can switch to it, to have web traffic go across vpn. switching proxy off lets web traffic use default route
17:41 < havoc> I don't think openvpn is compatible w/ win2k8r2 :(
17:42 < Bushmills> or is it that win2k8r2 isn't compatible with openvpn?
17:42 < havoc> that too, either way they still don't work together :(
17:43 < Bushmills> good opportunity to get rid of win2k8
17:43 < havoc> I wish
17:43 < Bushmills> did it help?
17:44 < havoc> did what help?
17:44 < kenrick86> no
17:44 < Bushmills> wishing
17:44 < havoc> no :(
17:45 < kenrick86> the reason i want proxyswitcher to intercept between foxyproxy & browser
17:45 < Bushmills> i'd give installing another OS better chances than wishing.
17:45 < Bushmills> foxyproxy *is* a proxy switcher
17:45 < kenrick86> my vpn 10.66.77.1 >>>Proxyswitcher>>>Browser
17:45 < Bushmills> limited to firefox, though
17:45 < kenrick86> but it doesn't have a rotate mode
17:46 < kenrick86> for list of ips
17:46 < Bushmills> no. you select proxy either manually, or by request pattern
17:46 < Bushmills> like "for this type of files, use that proxy"
17:47 < kenrick86> thats not what i want
17:48 < kenrick86> I have my VPS IP and i need that to work with proxyswitcher
17:48 < kenrick86> so when an IP is being used in proxyswitcher its over my vps IP and then I need the IP from proxyswitcher to be sent to my browser
17:48 < kenrick86> so VPS>Proxyswitcher>Browser
17:49 < kenrick86> but Proxyswitcher doesn't have an external port part where i can put VPS IP:Port
17:49 < kenrick86> only an internal port for whichever pc computer its on
17:56 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Read error: 113 (No route to host)]
17:57 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
18:02 -!- balboah [n=johnny@joonix.se] has quit [Read error: 104 (Connection reset by peer)]
18:03 -!- balboah [n=johnny@joonix.se] has joined ##openvpn
18:29 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)]
18:32 < havoc> ok, win2k8r2 doesn't even work as an openvpn client (entirely)
18:34 < havoc> so I guess openvpn still has a ways to go :(
18:40 < rob0> Or perhaps, Microsoft does?
18:40 < havoc> no, it's *because* of microsoft
18:40 < havoc> if they didn't want to support M$ there'd be a lot less reason to work as hard
18:41 < havoc> and openvpn *is* awesome
18:41 -!- cybertron [n=cybertro@84.200.248.176] has quit [Read error: 104 (Connection reset by peer)]
18:41 -!- cybertron [n=cybertro@84.200.248.176] has joined ##openvpn
18:43 < rob0> So you found confirmation of this issue somewhere? I've heard of lots of people using lots of Windows versions with openvpn. Fortunately I am not one of them. :)
18:44 < havoc> this is win2k8r2
18:45 < havoc> so still relatively new
18:45 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:45 < havoc> but I can't get it working as a client either
18:45 < havoc> and the FW is as disabled as can be
18:45 < havoc> schannel.dll is throwing the errors
18:45 < havoc> vpn is connected fine
18:45 < havoc> so I'm guessing the tap adapter is where it'd have to be fixed, if even possible
18:45 -!- dunc_ [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
18:46 < havoc> otherwise wait for a fix from M$
18:46 < havoc> and the win2k8 FW no longer accepts per iface rules
18:47 < havoc> very lame
18:49 -!- kenrick86 [n=john@c-65-34-160-25.hsd1.fl.comcast.net] has quit [Read error: 60 (Operation timed out)]
18:54 -!- Kitty- [n=nunyuh@hpavc/Kitty] has joined ##openvpn
18:54 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
18:55 -!- dunc_ [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote closed the connection]
18:57 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)]
18:57 -!- dunc_ [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
19:01 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Read error: 111 (Connection refused)]
19:02 -!- openvpn2009 [n=email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit ["ircN 8.00 for mIRC (20080809) - www.ircN.org"]
19:05 -!- kenrick86 [n=john@c-65-34-160-25.hsd1.fl.comcast.net] has joined ##Openvpn
19:14 -!- dunc_ [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote closed the connection]
19:17 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
19:20 -!- corrideat [n=tor@CAcert/user/corrideat] has quit [K-lined]
19:29 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
19:31 -!- cybertron [n=cybertro@84.200.248.176] has quit [Read error: 60 (Operation timed out)]
19:32 -!- dunc_ [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
19:33 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Read error: 104 (Connection reset by peer)]
19:39 -!- cybertron [n=cybertro@84.200.248.176] has joined ##openvpn
19:46 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
20:00 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
20:00 -!- NickWebHA [n=nick@pool-74-108-117-104.nycmny.fios.verizon.net] has joined ##openvpn
20:01 < NickWebHA> !welcome
20:01 < vpnHelper> NickWebHA: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:02 < NickWebHA> !route
20:02 < vpnHelper> NickWebHA: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:04 -!- Lyndon [n=late@62.142.98.18] has quit [Read error: 104 (Connection reset by peer)]
20:04 -!- Lyndon [n=late@savolaiset.fi] has joined ##openvpn
20:12 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
20:16 < NickWebHA> I am running an OpenVPN server (v2.1.1) on a Windows XP machine. After a day-- on and off-- of screwing with it I can not figure out what I am doing wrong regarding bridging. I have the TAP-Win32 adapter and physical adapter bridged with the local IP on the server side set. When I connect I get assigned an IP via the OpenVPN server (like I should) but I can not reach the rest of the network.
20:17 < NickWebHA> The local network is 10.0.0.0/25 while the OpenVPN pool is 10.0.0.128/25.
20:18 < NickWebHA> Please excuse me if I am leaving important information out or am not explaining myself very well; I think my eyes may start to bleed soon.
20:22 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 110 (Connection timed out)]
20:57 -!- NickWebHA [n=nick@pool-74-108-117-104.nycmny.fios.verizon.net] has left ##openvpn []
21:28 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has quit ["Ctrl-C at console."]
21:29 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
22:36 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit []
23:06 -!- bytesaber_ [n=bytesabe@208-98-188-95.directcom.com] has quit [Remote closed the connection]
23:30 -!- kenrick86 [n=john@c-65-34-160-25.hsd1.fl.comcast.net] has quit ["—I-n-v-i-s-i-o-n— 3.1.1 (June '09)"]
--- Day changed Wed Jan 13 2010
00:09 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
00:26 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
01:14 -!- Kitty- [n=nunyuh@hpavc/Kitty] has quit [Read error: 110 (Connection timed out)]
01:21 -!- Leila [i=d9dae562@gateway/web/freenode/x-jgwlydrtfugxqqbm] has joined ##openvpn
01:40 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
01:48 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
01:48 -!- mode/##openvpn [+o mattock] by ChanServ
02:07 -!- ribasushi [n=rabbit@dslb-084-063-001-106.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)]
02:07 -!- ribasushi [n=rabbit@dslb-084-063-050-203.pools.arcor-ip.net] has joined ##openvpn
02:11 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:29 -!- Leila [i=d9dae562@gateway/web/freenode/x-jgwlydrtfugxqqbm] has quit ["Page closed"]
02:30 -!- ribasushi_ [n=rabbit@dslb-084-063-038-130.pools.arcor-ip.net] has joined ##openvpn
02:45 -!- ribasushi [n=rabbit@dslb-084-063-050-203.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)]
03:06 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
03:07 -!- master_of_master [i=master_o@p57B57B1C.dip.t-dialin.net] has joined ##openvpn
03:18 -!- master_o1_master [n=master_o@p57B55E0F.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
03:40 -!- dazo_afk is now known as dazo
03:56 -!- phusion__ [i=phusion@88.80.16.38] has quit [Read error: 60 (Operation timed out)]
03:56 -!- phusion__ [i=phusion@88.80.16.38] has joined ##openvpn
04:07 -!- xod [n=onats@112.201.158.40] has quit [Read error: 104 (Connection reset by peer)]
04:07 -!- xod [n=onats@112.201.158.40] has joined ##openvpn
04:10 -!- xod [n=onats@112.201.158.40] has quit [Connection reset by peer]
04:10 -!- xod [n=onats@112.201.158.40] has joined ##openvpn
04:16 -!- mintaka is now known as pimpatine
04:21 -!- xod [n=onats@112.201.158.40] has quit ["Ex-Chat"]
04:24 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
04:34 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
04:41 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
04:45 < plundra> If I wanted to customize the win32-installer, by adding a config and a ca.crt, would I still need to build the package from scratch or can it be altered later?
04:45 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
04:46 < plundra> Also, is the win32-installer built on windows or crosscompiled?
04:56 < d12fk> plundra: the installer is built by nsis which is available for windows only afaik
04:58 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
05:00 < jmm> hi everyone.
05:00 < |Mike|> morning.
05:02 < jmm> I setuped a openvpn network, and I push DNS and DOMAIN to clients. on linux it works fine, but the window client doesn't have shorts names, and ipconfig /all show no dns suffixes.I'm a dick with window$ so I may have done something wrong. any suggestions ?
05:02 < dazo> plundra:  you can cross compile from Linux to Windows by using the mingw32 compiler, iirc
05:16 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:20 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
05:21 < havoc> bah
05:28 -!- ribasushi_ [n=rabbit@dslb-084-063-038-130.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)]
05:28 -!- ribasushi_ [n=rabbit@dslb-084-063-044-135.pools.arcor-ip.net] has joined ##openvpn
05:28 < aep> can i load balance a single encrypted route over two unencrypted?
05:29 < aep> preferable so that when one breaks, the other doesn't
05:31 < aep> well failover seems to be easy, but i want both lines to be connected at the same time in a way that makes it appear as one 
05:38 -!- eatnumber1 [n=eatnumbe@129.21.83.152] has joined ##openvpn
05:39 < eatnumber1> my openvpn setup seems to be dropping packets. I can ping the remote exit-point fine, but if I ping a host on the remote network, I only get about 3/4 of the packets back
05:41 -!- flo|va-n1-pied is now known as flo|va-nu-pied
05:43 -!- eatnumber1 [n=eatnumbe@129.21.83.152] has quit [Client Quit]
05:43 -!- eatnumber1 [n=eatnumbe@129.21.83.152] has joined ##openvpn
05:46 < plundra> d12fk: That was what I figured, but I grepped for the nsis-file which the docs for the gui mentioned (before merging it)
05:59 -!- eatnumber1 [n=eatnumbe@129.21.83.152] has quit ["Leaving."]
05:59 -!- eatnumber1 [n=eatnumbe@129.21.83.152] has joined ##openvpn
06:00 -!- eatnumber1 [n=eatnumbe@129.21.83.152] has quit [Client Quit]
06:02 -!- eatnumber1 [n=eatnumbe@129.21.83.152] has joined ##openvpn
06:27 -!- d12fk [n=heiko@vpn.astaro.de] has quit [Remote closed the connection]
06:34 -!- d12fk [n=heiko@vpn.astaro.de] has joined ##openvpn
06:37 -!- eatnumber1 [n=eatnumbe@129.21.83.152] has quit ["Leaving."]
06:39 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
06:40 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
06:43 -!- wulfgarpro [n=wulfgarp@CPE-58-168-232-79.lns6.win.bigpond.net.au] has joined ##openvpn
06:43 < wulfgarpro> hi, im getting error msg: Cannot load certificate file sample-keys/server.crt
06:43 < wulfgarpro> can someone point me in the right direction please ?
06:51 < havoc> hmm, yet more info on ovpn on win2k8r2, it's sending DHCPNACK's
06:54 < dazo> wulfgarpro:  try using full paths, check that the user running openvpn can read the files
06:54 < dazo> wulfgarpro:  make sure that server.crt contents looks like a certificate .... can be validated by doing 'openssl x509 -in server.crt', iirc
07:01 < vpnHelper> New forum entry openvpnforum: Configuration :: Re: Waiting for TUN/TAP interface to come up... :: Reply by iss42 <http://www.ovpnforum.com/viewtopic.php?f=6&t=2380&p=2830#p2830>
07:04 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
07:07 < wulfgarpro> dazo, got it thanks!
07:07 < dazo> np!
07:14 < jmm> I'm trying to push DNS and DOMAIN to my vpn's clients, it works for linux clients, but for some reasons on windows(not on linux ) only the dns server is setuped, the DOMAIN is not updated. can somebody help me please ?
07:25 -!- ribasushi_ is now known as ribasushi
07:34 -!- kyrix [n=ashley@mail.ic-vienna.at] has joined ##openvpn
07:44 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:46 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
07:51 < jmm> uh ho window$ problem, it's fixed now.
07:51 < jmm> thanks myself and not thanks to m$.
07:51 -!- marceloa_ [n=marceloa@80.179.214.25.cable.012.net.il] has joined ##openvpn
07:52 -!- zxd [n=marceloa@95.211.21.34] has quit [Read error: 60 (Operation timed out)]
07:56 -!- wulfgarpro [n=wulfgarp@CPE-58-168-232-79.lns6.win.bigpond.net.au] has quit [Read error: 110 (Connection timed out)]
07:56 -!- wulfgarpro [n=wulfgarp@mdiche1.lnk.telstra.net] has joined ##openvpn
07:57 < ribasushi> right, so is there anyone who actually has a dev status
07:57 < ribasushi> and can help me further diagnose/fix the --multihome issue?
07:57 < ribasushi> being frozen at rc19 is no fun
07:58 < ecrist> ribasushi: your question/bug information belongs on the -devel mailing list for now
07:59 < ecrist> we will be able to help you further with bugs in the coming months as openvpn reorganizes at the community level and some of us are given more official roles.
07:59 -!- marceloa_ [n=marceloa@80.179.214.25.cable.012.net.il] has quit [Read error: 104 (Connection reset by peer)]
08:00 < ribasushi> ecrist: I see... well I guess I'll just have to stick with rc19 then and wait for someone to do something
08:00 < rob0> I don't want an official roll, I want a donut!!
08:00 < ecrist> did you submit on -devel list?
08:00 < ecrist> s/donut/official donut/
08:00 < ecrist> ;)
08:00 < rob0> ys
08:04 -!- trap_ [n=trap@host86-168-126-222.range86-168.btcentralplus.com] has joined ##openvpn
08:04 < havoc> hmm, my win2k8r2 issue may be ™U related
08:04 < ribasushi> ecrist: http://sourceforge.net/mailarchive/message.php?msg_name=4B40CC5E.10709%40rabbit.us
08:04 < vpnHelper> Title: SourceForge.net: OpenVPN: (at sourceforge.net)
08:07 < havoc> ok, ping -l 1500 -f <ADDR> indicates an MTU problem
08:07 < ribasushi> ecrist: also the --nobind thread does not apply to me, as I always had this in the client config
08:07 < havoc> what is the recommended way to adjust MTU?
08:07 < ecrist> !mtu
08:07 < vpnHelper> ecrist: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
08:07 < havoc> i.e. what options should I be RTFMing?
08:07 < havoc> ok
08:07 < ecrist> !factoids
08:07 < vpnHelper> ecrist: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
08:08 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
08:08 < havoc> wow, --mtu-test takes 3min on startup?
08:08 < ecrist> you only use it once
08:08 < havoc> ah
08:09 < havoc> on client or server side?
08:09  * havoc guesses client
08:09 < ecrist> "Basically you just use --mtu-test in your normal client  config
08:09 < ecrist> so, yeah
08:09 < ecrist> it was spelled out there for you...
08:10 < havoc> ack, already scrolled off, sorry, was looking at openvpn man entry
08:11 -!- blabland [n=trap@host86-168-121-116.range86-168.btcentralplus.com] has quit [Read error: 110 (Connection timed out)]
08:11 < havoc> I guess I wait and something should show up in logs in a few minutes?
08:14 < havoc> ok, test completed
08:14 < havoc> NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1573,1573] remote->local=[1573,1573]
08:15 < havoc> but if 1573 works, the ping.exe shouldn't have had an issue with 1500
08:16 < havoc> "++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication"
08:16 < havoc> just noticed that
08:20 -!- wulfgarpro [n=wulfgarp@mdiche1.lnk.telstra.net] has quit [Read error: 110 (Connection timed out)]
08:22 -!- mort_gib [n=mjensen@177.209.244.195.dsl.static.gibconnect.com] has joined ##openvpn
08:28 < dazo> ribasushi:  have you tried to compile rc20 yourself?  or have you only tried .deb packages?
08:28 < ribasushi> only .deb
08:28 < ribasushi> no resources right now to try it with hand compile
08:28 < dazo> ribasushi:  I've skimmed through the diff between rc19 to rc20 .... and I honestly don't see that --multihome has been touched at all
08:28 < ribasushi> as I need to make sure I clean up after myself properly and things
08:29 < dazo> ribasushi:  it might be that a options->sockflag is reset, need to go more carefully through the diff to catch that ... but basically, --multihome only sets a flag ... and that flag is not changed anywhere in that diff
08:29 < dazo> ribasushi:  understood
08:30 < ribasushi> dazo: I only have one heavy-production multihome server :)
08:30 < dazo> ribasushi:  I just know that the .deb packages includes the IPv6 and eurephia patches as well .... maybe even some more, which then breaks things
08:30 < ribasushi> hm hm 
08:30 < dazo> ribasushi:  heh .... better be careful then ...
08:30 < ribasushi> I'll ask the maintainer for source diffs then
08:30 < ribasushi> maybe I'll spot it
08:30 < dazo> ribasushi:  on the other hand ... you can compile openvpn, and run it from the source dir without doing make install
08:31 < ribasushi> dazo: oh it will run? 
08:31 < ribasushi> cool I'll try tonight then
08:31 < dazo> ribasushi:  yeah ... it's a nice little binary :)
08:31 < ribasushi> should I try rc20 or latest?
08:31 < ribasushi> I guess both
08:31 < dazo> ribasushi:  I'd suggest rc20 ... as you know for sure this is the point where it fails
08:31 < ribasushi> right
08:31 < dazo> and if it works, then I'd try the latest one
08:32 < ribasushi> ok that's a way to do go forward
08:32 < ribasushi> dazo++ #even if a git fanboi :D
08:32 < dazo> ribasushi:  heh ;-)
08:33 < havoc> bah
08:39 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)]
08:44 -!- Kalculus [n=na@x40343ce2.ip.e-nt.net] has joined ##openvpn
08:53 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit []
08:54 -!- kyrix [n=ashley@mail.ic-vienna.at] has quit ["Leaving"]
09:04 -!- cybertron [n=cybertro@84.200.248.176] has left ##openvpn []
09:09 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
09:10 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit [Read error: 60 (Operation timed out)]
09:15 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
09:20 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Connection timed out]
09:27 < ribasushi> is there a stable mechanism to guarantee ipp assigments?
09:27  * ecrist converts his vpn to bridged.
09:27 < ribasushi> the docs mention that the assignment is "best effort" not guaranteed
09:27 < ecrist> !iporder
09:27 < vpnHelper> ecrist: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
09:28 < ribasushi> !ipp
09:28 < vpnHelper> ribasushi: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
09:28 < ribasushi> !static
09:28 < vpnHelper> ribasushi: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
09:29 < ribasushi> hm hm hm 
09:29 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:29 < ribasushi> so I could make a client-connect-script
09:29 < ribasushi> which would scan the ipp.txt 
09:30 < ribasushi> and use it as the persistence database
09:30 < ribasushi> ?
09:34 < ecrist> you could, I suppose
09:35 -!- dmz [n=dmz@64.203.207.101.dyn-cm-pool-54.hargray.net] has quit ["Ex-Chat"]
09:41 < hyper_ch> ribasushi: what are you trying to do?
09:41 < ribasushi> <ribasushi> is there a stable mechanism to guarantee ip assigments?
09:41 < hyper_ch> I tend to think if really care what ip which client gets then you'd assign static ips in the client config
09:42 < hyper_ch> otherwise use ipp.txt to sort of assign the same client the same ip - if possible
09:42 < ribasushi> hyper_ch: clients have access to the client config
09:42 < ribasushi> the whole point is to enforce ip assignments server side
09:42 < ribasushi> so you can punch appropriate firewall holes etc
09:43 < hyper_ch> ribasushi: http://www.pastebin.org/75553
09:43 < hyper_ch> then assign a static ip to each client
09:44 < hyper_ch> ipp.txt will not ensure that each client always has the same ip... but using ifconfig-push in the ccd dir will do so
09:44 < ribasushi> yeah
09:44 < ribasushi> and then you need a database that gets autopopulated
09:44 < ribasushi> for which I'll use ipp.txt for
09:44 < hyper_ch> http://www.pastebin.org/75554
09:44 < ribasushi> so if I find an ip in the ipp - I'll gnerate a ccd
09:44 < ribasushi> otherwise I'll fallback to the assignment
09:44 < ribasushi> which will populate ipp for next time
09:44 < ribasushi> so all is good
09:45 < hyper_ch> not sure if ipp still works when you enable client config dirs
09:45 < ribasushi> it does (I have ccd enabled for other reasons)
09:45 < hyper_ch> ok :)
09:45 < hyper_ch> well, I only have a handful clients :)
09:46 < hyper_ch> so I don't need more sophisticated means to handle them
09:46 < ribasushi> by the way what is the reason that every client gets a /30 ?
09:46 < ribasushi> is this mandated by windows or something?
09:47 < ribasushi> can I pack clients closer together?
09:47 < hyper_ch> it says in the howto to use like that
09:47 < hyper_ch> and that's how I use it :)
09:47 < hyper_ch> !howto
09:47 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:48 < ribasushi> hm hm hm 
09:48 < ribasushi> so ten I could /25 my range when I outgrow the /24 ?
09:48 < ribasushi> and still keep the spacing at /30 for individuals?
09:49 < hyper_ch> Each pair of ifconfig-push addresses represent the virtual client and server IP endpoints. They must be taken from successive /30 subnets in order to be compatible with Windows clients and the TAP-Win32 driver. Specifically, the last octet in the IP address of each endpoint pair must be taken from this set:
09:49 < hyper_ch> http://openvpn.net/index.php/open-source/documentation/howto.html#policy
09:49 < vpnHelper> Title: HOWTO (at openvpn.net)
09:49 < ribasushi> hyper_ch: I just read that
09:49 < ribasushi> it doesn't say if > /24 subnets are ok
09:50 < ribasushi> when you outgrow your pool
09:50 < hyper_ch> make a new subnet I think
09:50 < hyper_ch> and add according routes
09:51 < hyper_ch> but then, I'm a noob on subnets and routing and stuff
09:51 < ribasushi> then why do you try to give advice? :)
09:51 < hyper_ch> why shouldn't I try to?
09:51 < dunc_> can you not just make the pool larger than a /24 and have openvpn deal with it?
09:51 < ribasushi> dunc_: I am asking if openvpn does deal with it
09:52 < ribasushi> with all the tap32 weirdness an stuff
09:52 < hyper_ch> ribasushi: why not just give it a try
09:52 < hyper_ch> you'd find out pretty quickly
09:58 -!- Zahra [n=Zahra@unaffiliated/belendax] has joined ##openvpn
09:59 -!- Zahra [n=Zahra@unaffiliated/belendax] has left ##openvpn []
10:02 -!- huzaifas [n=huzaifas@115.240.219.83] has joined ##openvpn
10:02 < huzaifas> hi is there any relation between tls-remote and tls-auth
10:02 < huzaifas> is tls-remote used only when tls-auth is used
10:02 < huzaifas> !welcome
10:02 < vpnHelper> huzaifas: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:03 < huzaifas> !welcome configs
10:03 < vpnHelper> huzaifas: Error: "welcome" is not a valid command.
10:03 < huzaifas> :)
10:05 < dazo> huzaifas:  nope ... they just depend on tls-server or tls-client
10:06 < dazo> huzaifas:  tls-remote validates the hostname given against the CN given in the server's certificate, to avoid MITM
10:06 < dazo> attack
10:06 < huzaifas> yeah 
10:06 < huzaifas> so basically i am writing a patch for Networkmanager-openvpn 
10:06 < huzaifas> when has an option for tls-auth
10:07 < dazo> huzaifas:  tls-auth is just an extra layer of security, which is a static key .... if this key is wrong, openvpn in UDP mode will not even bother responding to the client
10:07 < huzaifas> just wanted to make sure tls-remote does not depends on tls-auth
10:07 < huzaifas> ok
10:08 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
10:08 -!- mode/##openvpn [+v Kas] by ChanServ
10:08 -!- huzaifas [n=huzaifas@115.240.219.83] has quit ["Leaving"]
10:08 < dazo> gah ... why logout when I want to say more! :-P
10:09  * dazo finds that rude!
10:09 < dazo> :-P
10:12 -!- Kaspx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 60 (Operation timed out)]
10:16 < dunc_> ribasushi, are you using the server keyword? e.g. "server 10.12.12.0 255.255.255.0"
10:16 < ribasushi> dunc_: yup
10:16 < dunc_> coz if so, openvpn will just chop out /30s from whatever size you make the network
10:16 < ribasushi> so 255.255.254.0 will just work?
10:16 < dunc_> so if you make it a /23 (255.255.254.0) then you'll be allowed to have twice as many clients before you run out
10:16 < dunc_> i reckon
10:17 < ribasushi> awesome
10:19 < dunc_> i'd better qualify it slightly, i've used it before with a /24 and a /26, and it just works, i can't imagine they'd make it so that the maximum is a /24 and not bother to mention it in the docs </hasty_disclaimer> :)
10:21 < dunc_> as hyper_ch says tho, you're only one character change in the config, and 65 clients away from finding out
10:21 < dunc_> bagsy not being number 65
10:22 < dunc_> gah, 64, there's a server
10:24 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
10:25 -!- Zahra [n=Zahra@unaffiliated/belendax] has joined ##openvpn
10:26 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 104 (Connection reset by peer)]
10:27 < Zahra> !welcome
10:27 < vpnHelper> Zahra: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:27 < Zahra> hi, can anybody help me about this error? http://pastebin.com/m4380a913
10:28 < Zahra> I've searched most forums but I can't find any right way
10:28 < ecrist> check your network?
10:28 < ecrist> !logs
10:28 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
10:29 < Zahra> my network doesn't have any problem, my ip & port are true 
10:29 < ecrist> we need to see server and client logs, then
10:30 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
10:31 < Zahra> it's for my client http://pastebin.com/m60d87404
10:31 < Zahra> and it's for server http://pastebin.com/ma94bbc5
10:32 < Zahra> repeat this log every 1 min
10:37 < dazo> Zahra:  this is UDP?
10:37 < ecrist> Zahra: full logs, please
10:37 < ecrist> as was stated in !logs, above
10:37 < dazo> Zahra:  you might want to try TCP in this case ... not as efficient, but sometimes UDP gets filtered by some ISPs
10:38 < dazo> Zahra:  if still failing .... do as ecrist says, easier to help out then
10:42 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
10:45 < Zahra> dazo: yes, but I opened udp for 1194 port
10:46 < dazo> Zahra:  if you're using UDP, then I'd recommend trying out TCP in your case ... I've had similar issues myself, from one network I believe this was exactly the same which happened to me ... switching to TCP solved it
10:47 < dazo> unfortunately, I don't think there are any other ways around that
10:48 < dazo> unless you can investigate the infrastructure between your server and client
10:48 -!- mort_gib [n=mjensen@177.209.244.195.dsl.static.gibconnect.com] has quit ["Leaving"]
10:48 < Zahra> dazo: ok dazo, I'll test it
10:48 < Zahra> tnx
10:48 < dazo> np!
10:55 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
11:01 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:06 < rob0> dazo, switch ISPs?
11:08 < Zahra> dazo: I did this! but same problem exist!
11:09 < dazo> Zahra:  then we need !configs and complete !logs with minimum verb 4 
11:09 < dazo> rob0:  yeah, if you can ;-)
11:13 -!- diffen2 [n=diffen2@c-6075e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Read error: 60 (Operation timed out)]
11:15 -!- Section58 [n=steve@ipt0-2.core.bsd.uk.phib3r.net] has joined ##openvpn
11:17 -!- diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
11:21 < Zahra> my server log: http://pastebin.com/m7f7c580b
11:21 < Zahra> myclient log: http://pastebin.com/m4369b911
11:21 < Zahra> my server.conf: http://pastebin.com/m4679c48e
11:22 < Zahra> my client.conf: http://pastebin.com/m59f0c326
11:28 < dazo> Zahra:  your server and client config don't match ... one says TCP (server) and the other one says UDP ...
11:28 < Zahra> ow! w8!
11:29 < dazo> and!  those logs is not verb 4 or higher
11:45 -!- sympho08 [n=casa@adsl196-42-228-217-196.adsl196-16.iam.net.ma] has joined ##openvpn
11:48 -!- sympho08 [n=casa@adsl196-42-228-217-196.adsl196-16.iam.net.ma] has quit ["Quitte"]
11:51 -!- diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Read error: 60 (Operation timed out)]
11:58 -!- diffen2 [n=diffen2@c-6075e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
12:00 -!- diffen2 [n=diffen2@c-6075e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Client Quit]
12:20 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"]
12:22 < Zahra> same problem!!!
12:22 < Zahra> server log : http://pastebin.com/m76a48887
12:23 < Zahra> client log: http://pastebin.com/m4d9ae2
12:23 < Zahra> server.conf: http://pastebin.com/m4679c48e
12:23 < Zahra> client.conf : http://pastebin.com/m39f2c31b
12:26 < dazo> Zahra:  where is the verb 4 with complete logs?
12:26 < dazo> that is not verb 4 logs
12:26 < dazo> at least not complete
12:28 < Zahra> dazo: but, as u see I used openvpn with --verb 4 & it was all of the output!
12:29 < dazo> Zahra:  please try to put --verb 4 behind the --config ..... if you have verb 2 or verb 3 in the config, that will override the verb 4 infront
12:29 < dazo> Zahra:  I just know that this log is not a verb 4 log ... from how it looks
12:35 < Zahra> server.conf:http://pastebin.com/m1ff987bb
12:35 < Zahra> client.conf:http://pastebin.com/m3383aa1d
12:35 < Zahra> is that true dazo?!
12:37 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:37 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
12:37 < dazo> Zahra:  this looks like verb 4
12:41 < ecrist> !logs
12:41 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
12:41 < ecrist> I think we ask for verb 6
12:41 < Zahra> do u want verb 15?!:D
12:42 < ecrist> Zahra: we're here to help you.  If you cannot do as we ask, we cannot help you.
12:43 < ecrist> the things we ask for are specific, and have been vetted from years of practice helping users such as yourself.
12:43 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Connection timed out]
12:43 < Zahra> ecrist: sorry, It was only a humer & I didn't want to upset u.
12:45 < Zahra> server: http://pastebin.com/m6d72f23b
12:45 < Zahra> client: http://pastebin.com/m699d38f2
12:48 -!- bytesaber_ [n=bytesabe@208-98-188-95.directcom.com] has joined ##openvpn
12:50 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
12:52 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
12:58 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has joined ##openvpn
13:06 -!- Zahra [n=Zahra@unaffiliated/belendax] has quit ["Leaving."]
13:22 -!- dazo is now known as dazo_afk
13:29 < steelnwool> hello
13:31 < ecrist> hi
13:35 < steelnwool> i have my vpn working now in so much as I can connect to 10.8.0.1. I want to push a route to 66.48.78.64/26 [255.255.255.192] however when i do that, and connect to my vpn both viscosity and openvpn processes go thru the roof. if i ping 10.8.0.1 i'm told "no buffer space available"
13:36 < ecrist> firewall
13:40 < steelnwool> sorry, one word answers don't help me much :)
13:42 < steelnwool> i'm not sure what firewall is in the way, i thought i've already gotten around the firewall by using open vpn. that was our point. Our servers do not have internal ips on reserved IP blocks, so we want to for example only allow ssh via the VPN and not poke holes in teh firewall.
13:45 < steelnwool> right ?
13:46 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
13:55 < ecrist> you need to make certain your firewalls are not blocking VPN traffic.
13:56 < ecrist> a VPN isn't a magic bullet.  you still need proper routing, and firwalling
13:56 < steelnwool> ah, i know my firewall isn't blocking vpn traffic. i thought that was clear when i said "as I can conect to 10.8.0.1"
13:56 < ecrist> if there is a firewall installed and running on the VPN server, it will block VPN traffic unless set to an open policy, or specifically instructed to allow VPN traffic.
13:57 < steelnwool> there isn't.
13:57 < ecrist> sigh
13:57 < steelnwool> i checked. 
13:57 < ecrist> no buffer space available usually means the firewall is blocking the packet
13:57 < ecrist> s/usually/almost always/
13:58 < steelnwool> i only get that tho if i push the route to the other subnet. if i don't push that route, ping works fine.
13:58 < ecrist> !configs
13:58 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
13:58 < steelnwool> sure , i'll put that up now.
13:58 < steelnwool> one sec.
14:00 < steelnwool> http://bignose.ca/openvpn/server.conf
14:00 < steelnwool> want me to remove comments?
14:00 < ecrist> are you the one who posted this to the forum recently?
14:00 < steelnwool> this is on ubunt LTS.
14:00 < steelnwool> ecrist: yup. that is me.
14:01 < ecrist> yes, please remove comments, per the instructions.
14:01 < steelnwool> k, one sec.
14:01 < steelnwool> http://bignose.ca/openvpn/nocomments.conf
14:02 < ecrist> client config/
14:02 < ecrist> and
14:02 < ecrist> !logs
14:02 < steelnwool> not sure how to show that... i'm using viscosity, there is no client.conf on the server.
14:02 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
14:03 < vpnHelper> New forum entry openvpnforum: Configuration :: pushing routes to public ip blocks :: Author bignose <http://www.ovpnforum.com/viewtopic.php?f=6&t=2443&p=2831#p2831>
14:03 < ecrist> just get me logs, first
14:03 < steelnwool> sure. will get server side logs. let me turn the verb up.
14:04 < steelnwool> do you want openvpn-status.log ipp.txt or something else?
14:04 < steelnwool> syslog?
14:04 < ecrist> no, main log
14:04 < steelnwool> k one sec.
14:05 < ecrist> if you run the command at the cli, everything that's output on stdout
14:06 < steelnwool> yeah its /var/log/daemon on ubuntu. one sec, i gotta kill viscosity/openvpn here...
14:07 < steelnwool> actually i have a linux box in m house that i can run openvpn right form command line too. i'll do that if you need client side logs.
14:10 < steelnwool> http://bignose.ca/openvpn/daemon.log
14:11 < steelnwool> the comments above the push route command suggest i may need to add a route back to tun 0 from eth0.. i thik, but i don't uquite understand that part.
14:13 < ecrist> the lines that state 'connection refused' demonstrate a firewall
14:13 < ecrist> with the push route in place, are you able to ping 10.8.0.1 from the client?
14:14 < ecrist> just not the newly pushed route?
14:14 < steelnwool> no :(
14:14 < steelnwool> i can't ping either route.
14:14 < steelnwool> i'll check iptables again on the vpn host...
14:14 < ecrist> !iptables
14:14 < vpnHelper> ecrist: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall
14:15 < steelnwool> okay did htose steps. re testing now. [but i did just confirm and those were the only rules there.
14:16 < ecrist> where is the clientn log?
14:16 < steelnwool> didn't get it yet. i'm going to do that in one sec.
14:21 < reiffert> we should add ;'s in #1
14:22 < steelnwool> okay, so i just setup the client on my linux machine. joined vpn and did some pings.i get 100% packet loss to both 10.8.0.1 and 66.48.78.91 , now I'm pasting the client logs.
14:23 < steelnwool> http://bignose.ca/openvpn/client.log
14:24 -!- caution [n=caution@unaffiliated/caution] has joined ##openvpn
14:24 < caution> !welcome
14:24 < vpnHelper> caution: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:25 < caution> !redirect
14:25 < vpnHelper> caution: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:25 < caution> !def1
14:25 < vpnHelper> caution: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
14:25 < reiffert> steelnwool: client log says: everybody is ok.
14:25 < steelnwool> rieffert its lying :)
14:26 < reiffert> steelnwool: right, the problem is:
14:26 < reiffert> Wed Jan 13 16:21:40 2010 UDPv4 link remote: 66.48.78.87:1194
14:26 < reiffert> Wed Jan 13 16:21:40 2010 UDPv4 link remote: 66.48.78.87:1194
14:26 < reiffert> Wed Jan 13 16:21:43 2010 /sbin/route add -net 66.48.78.64 netmask 255.255.255.192 gw 10.8.0.5
14:26 < steelnwool> i don't see it.. help?
14:27 < reiffert> 66.48.78.64/26 includes 66.48.78.87
14:28 < steelnwool> right... so how is that a problem?
14:28 < reiffert> guess.
14:28 < reiffert> 21:26 < reiffert> Wed Jan 13 16:21:43 2010 /sbin/route add -net 66.48.78.64 netmask 255.255.255.192 gw 10.8.0.5
14:28  * Bushmills thinks of throwing a letter box key into the letter box
14:28 < steelnwool> i can't. with my limited understanding it makes sense. .87 is in the blcok i want to access and ipushed a route to that block, it should work.
14:29 < reiffert> your vpn connection will die that way.
14:29 < caution> !ipforward
14:29 < vpnHelper> caution: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
14:29 < caution> !linipforward
14:29 < vpnHelper> caution: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
14:30 < steelnwool> reiffert: i know it will die that way. that is why i'm here :)
14:30 < caution> !nat
14:30 < vpnHelper> caution: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
14:30 < caution> !linnat
14:30 < vpnHelper> caution: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
14:30 < reiffert> steelnwool: look.
14:30 < Bushmills> steelnwool: think about the problem you'd have when you'd threw a letter box key into the letter box
14:31 < steelnwool> wtf is a letter box?
14:31 < Bushmills> then try to open the box
14:31 < steelnwool> okay, yes, i understand that.
14:31 < reiffert> steelnwool: you send packets from A to your gateway, to servers gateway, to server.
14:31 < steelnwool> but i can't link the analogy.
14:31 < steelnwool> okay..
14:31 < reiffert> steelnwool: now you tell the routing table, to send exactly those packets through the vpn link
14:31 < reiffert> steelnwool: but the vpn link can only exist, when you send packets from A to your gateway, to servers gateway, to server.
14:32 < steelnwool> so am i attacking the problem wrong?
14:32 < reiffert> no, you didnt understand it.
14:33 < caution> when I try the !linnat iptables command I get: iptables: No chain/target/match by that name
14:33 < steelnwool> i'm afraid i still don't.. i can't think of what other route i should be pushing...
14:33 < steelnwool> i understand what you are telling me, but i'm not connecting the dots as to what i should be doing.
14:34 < Bushmills> steelnwool: how is the client supposed to talk to the server, when you change that route to go through the vpn tunnel itself?
14:34 < steelnwool> well, i WANT it to go thru the VPN, because we have that server at .87 firewalled off.
14:35 < Bushmills> but there won't be a tunnel then
14:35  * ecrist thinks the firewall is the issue.
14:35 < Bushmills> because the client can't talk to the server anymore
14:35 < reiffert> caution: guess you are missing some modules or some iptables specific support in your kernel.
14:35 < caution> that's what I thought, what can I do about it?
14:35 < steelnwool> ecrist: when you say firewall, would you also mean the firewall outside of them achine ? liek the one besides ip tables ?
14:35 < reiffert> ecrist: what about the routing issue, is it so far off?
14:36 < ecrist> the routing looked fine to me.  I've been afk for about 10 mins
14:36 < reiffert> caution: adjust your kernel config - or - load the appropriate kernel modules.
14:36 < reiffert> ecrist: http://bignose.ca/openvpn/client.log
14:36 < steelnwool> are you saying that i need to open a port between my vpn and my juniper to .87 ?
14:37 < ecrist> yes
14:37 < reiffert> ecrist: pay attention to "link remote" and the routes.
14:37 < Bushmills> why does --redirect-gateway add a host route to server?
14:37 < steelnwool> i do not have --redirect-gateway turned on.
14:37 < ecrist> steelnwool: I don't see a route .87
14:37 < Bushmills> but you have the same problem
14:37 < reiffert> ecrist: did you tell him before?
14:38 < steelnwool> workshop@workshop-desktop:~$ netstat -nr|grep 78
14:38 < steelnwool> 66.48.78.64     10.8.0.5        255.255.255.192 UG        0 0          0 tun0
14:38 < steelnwool> thats from my client.
14:38 < reiffert> you broke routing.
14:38 < ecrist> ignore my comment.
14:38 < ecrist> durr
14:38 < reiffert> steelnwool: tell your client how to get to the openvpn server.
14:38 < ecrist> !durr
14:38 < vpnHelper> ecrist: Error: "durr" is not a valid command.
14:39 < ecrist> steelnwool: you have a conflicting route in your push
14:39 < reiffert> caution: zgrep /proc/config.gz MASQ
14:39 < ecrist> your client is connecting to .87, after connection, you're adding a static route
14:39 < ecrist> break it all up
14:39 < steelnwool> no idea how. :(
14:39 < caution> reiffert: gzip: MASQ.gz: No such file or directory
14:39 < reiffert> caution: sorry. zgrep MASQ /proc/config.gz
14:40 < steelnwool> i thought that routes were like firewall rules, ie : first one matched was the one that was taken... ?
14:40 < ecrist> steelnwool: give me 2 mins
14:40 < steelnwool> ecrist: tks
14:40 < caution> reiffert: gzip: /proc/config.gz: No such file or directory
14:40 < ecrist> steelnwool: it does, but you're providing a route with a lower metric through the vpn
14:40 < steelnwool> thanks for your patience guys btw. i help people in a freebsd channel, and i know the facepalms that go on.
14:40 < reiffert> caution: do you have an idea how to get to your kernel config?
14:40 < caution> no, sorry
14:40 < reiffert> caution: what distro are you running, kernel version?
14:41 < caution> ubuntu 2.6.18-128.2.1.el5.028stab064.7
14:41 < reiffert> self made kernel?
14:41 < caution> I didn't make it but my host may have
14:41 < reiffert> caution: pastebin.ca << lsmod
14:42 < caution> the -j SNAT command works, is that an alternative?
14:42 < caution> lsmod is blank
14:42 < reiffert> caution: like !linnat tells us.
14:42 < reiffert> caution: omg.
14:43 < reiffert> caution: ls /lib/modules
14:43 < caution> 2.6.18-028stab062.3  2.6.18-128.2.1.el5.028stab064.7
14:43 < reiffert> find /lib/modules/2.6.18-128.2.1.el5.028stab064.7 | grep -i masq
14:43 < caution> no output
14:44 < reiffert> your kernel is missing the masquerading feature. get a new one.
14:44 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:44 < reiffert> find /lib/modules/2.6.18-128.2.1.el5.028stab064.7 -name '*.ko' |wc -l
14:45 < caution> 0
14:45 < reiffert> caution: your kernel misses *any* module.
14:45 < reiffert> steelnwool: whats the ip of the clients gateway?
14:46 < reiffert> caution: whoever did this to you, make him fix it.
14:46 < steelnwool> 66.48.78.65 however there is a bridge between the gateway and the client.
14:46 < steelnwool> which might be a giant light over my head.....
14:46 < reiffert> whats the clients ip?
14:46 < steelnwool> sorry. rewind. when you siad client, did you mean the openvpn client as in my desktop here in my house?
14:47 < reiffert> yes.
14:47 < steelnwool> open 10.0.1.1
14:47 < steelnwool> er s/open/okay.
14:47 < reiffert> "open"?
14:47 < steelnwool> here is a diagram.
14:47 < ecrist> steelnwool: here: http://pastebin.com/m1a46339a
14:47 < ecrist> add those to the server, remove the push you have, and you should be good to go
14:47 < reiffert> push "route 66.48.78.87 255.255.255.255 10.0.1.1"
14:48 < reiffert> add this line and there you are.
14:48 < reiffert> even put this line to client conf to get a working setup:
14:48 < reiffert> route 66.48.78.87 255.255.255.255 10.0.1.1
14:48 < reiffert> ecrist: why the heck?
14:49 < steelnwool> reiffert: there are many hosts behind the network and they come and go, i don't want to have to tell my clients to update everytime i add them...
14:49 < ecrist> reiffert: my push routes are good for 'any' client, even if that client's gateway isn't 10.0.1.1
14:49 -!- napcae [n=napcae@i59F76047.versanet.de] has joined ##openvpn
14:49 < steelnwool> ecrist: trying yours now...
14:49 < ecrist> reiffert: I do that exact thing on my work vpn, as our VPN server resides in the middle of a subnet.
14:49 < caution> reiffert: apparently openvz doesn't support masquerading
14:50 < reiffert> caution: I have no idea about openvz, sorry
14:50 < reiffert> ecrist: how about running openvpn on your subnet's gateway?
14:50 < steelnwool> ecrist: okay, i added those lines. i can now ping 10.8.0.1 but not 66.48.78.91
14:51 < reiffert> same question goes out to steelnwool
14:51 < ecrist> reiffert: because we don't do it that way
14:51 < steelnwool> reiffert: my subnets gateway is a cisco thingy that i have no access to.
14:51 < ecrist> for good reasons (has to do with firewall layout, redundancy
14:51 < caution> thanks for the help
14:51 < ecrist> now, if openvpn supported something like pfsync, I could do that.
14:52 < ecrist> regardless, reiffert, that setup's been working for +3years
14:52 -!- ecrist changed the topic of ##openvpn to: OpenVPN 2.1.1 Most Current || type !welcome before asking  your questions.
14:53 -!- ecrist changed the topic of ##openvpn to: OpenVPN 2.1.1 Most Current || Your problem is your firewall, really. || Type !welcome before asking  your questions.
14:53 < havoc> heh
14:53 < steelnwool> ecrist: those lines you sent me in pastebin, does that mean i'd have to add a new one for every machine i add behind my vpn?
14:53 < ecrist> steelnwool: no
14:53 < ecrist> I broke up your subnets to exclude .87
14:54 < steelnwool> well, it didn't work :)
14:54 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
14:54 < steelnwool> and i want to be able to access the whole subnet.
14:54 < havoc> someone needs to put a public web UI on ipcalc
14:54 < ecrist> havoc: send me an email with a scope and I'll make it happen
14:55 < steelnwool> however like i said [you may have missed it] there IS a firewall between the gateway and the .87, its a bridge. so perhaps if i just made a ruile that .65 could connectoto anything behind the firewall i'd be working?
14:55 < havoc> ecrist: I meant so you could link it for other people
14:55 < havoc> ecrist: a nice CGI w/ args in GET
14:55 < ecrist> what's the IP?
14:55 < ecrist> hostname, rather
14:55 < steelnwool> of the bridge? bridges are ip-less.
14:55 < ecrist> steelnwool: was talking to havoc, not you
14:55 < steelnwool> werd. 
14:56 < steelnwool> well, now i'm just confused :)
14:56 < havoc> ecrist: oh, I have ipcalc, it would just be handy for providing support to have a web ui
14:56 < havoc> ecrist: something you could give them a URL w/ GET string for the args
14:56 < ecrist> steelnwool: did you put those route in place, and test?
14:56 < havoc> would be easy enough to write, would just need somewhere to put it
14:57 < ecrist> havoc: send me an email, and I"ll make it happen
14:57 < steelnwool> ecrist: yes, said that above. they don't work.
14:57 < havoc> I probably wouldn't waste time w/ making an interface to ipcalc even, just reimplement code in JS
14:57 < steelnwool> ecrist: there was a small chnage. with those routes i can ping 10.8.0.1 once again.
14:58 < havoc> ecrist: email you what, just a reminder to do it? :)
14:58 < ecrist> yes
14:58 < havoc> I should just write it, could do it all in JS in a single html file
14:58 < ecrist> and what, specifically, you want it to do
14:58 < ecrist> then do it
14:58 < ecrist> and I'll host it
14:58 < havoc> I'm thinking about it
14:59 < steelnwool> ecrist: would this understanding be correct: with my orriginal route statement, i was telling all traffic for the /26 to go thru the gateway. but since there is a bridge between gateway and machines using that gatewayu, the bridge is blcoking the traffic?
14:59 < ecrist> I already host the forum and wiki
14:59 < ecrist> steelnwool: no
14:59 < havoc> a CGI iface to ipcalc is easiest, reimplemented in JS is most portable, but more work
14:59 -!- Diffen [n=diffen2@c-ef75e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
14:59 < reiffert> steelnwool: paste you server config.
15:00 < steelnwool> reiffert: http://bignose.ca/openvpn/nocomments.conf
15:00 < havoc> although startiung w/ CGI to ipcalc gets 1st rev done faster and allows for UI design work/time
15:00 < ecrist> you were connectingn to the vpn which resides within the /26, after you connected to the vpn, it sent you a new route to get to the /26, which removed the default, since it couldn't get to the .87 IP (no route) the vpn was dropped
15:00 < ecrist> it was a nasty circle
15:00 < reiffert> steelnwool: the _current_ one, DOH!
15:00 < steelnwool> ecrist: ahhhhh that makes sense.
15:00 < steelnwool> reiffert: :) stupid me. updating it now.
15:01 < havoc> ecrist: nm: http://jodies.de/ipcalc
15:01 < vpnHelper> Title: IP Calculator / IP Subnetting (at jodies.de)
15:01 < steelnwool> reiffert: hit reload.
15:01 < reiffert> steelnwool: add the /26 route back.
15:01 < ecrist> havoc: that works, but I hate cluttered pages. ;)
15:02 < havoc> yeah
15:02 < reiffert> steelnwool: sorry, dont.
15:02 < steelnwool> done ! :)
15:02 < ecrist> reiffert: don't confuse the lad
15:02 < reiffert> ecrist: dont think that can be raised anymore.
15:02 < havoc> syntax highlighting for pastebin for routing tables would be cool too
15:05 < Bushmills> use a different ip address on vpn server, if you have several there.
15:05 < steelnwool> i have a pool of 64, but they'd all be in the same subnet.
15:05 < steelnwool> not sure how that would help tho.. would be the same issue.
15:06 < napcae> can someone help me?i have an ubuntu hardy heron server with openvpn and my macbook unibody 5,1 with "tunnelblick" as the client. i can connect to my server, from lan and also from everywhere else, but i don't get my "home ip", which means;@home i have over(whatsmyip.org) 89.xxx; from the external lan i have 85.xxx; normally i would get 89.xxx isn't like that!?
15:06 < Bushmills> no. then vpn server ip address would be outside the routed net 
15:06 < steelnwool> i don't have an IP that is outside the routed net..
15:06 < steelnwool> i only have things in .64/26
15:06 -!- caution [n=caution@unaffiliated/caution] has quit [Remote closed the connection]
15:06 < steelnwool> what i'm doing can't be that bizzare thos is it ?
15:06 < Bushmills> don't route /26, but /27
15:07 < ecrist> steelnwool: that's why i did all those funky push routes
15:07 < Bushmills> use for server one of the /27 addresses which isn't routed 
15:07 < ecrist> Bushmills: read up
15:07 < Bushmills> trying to simplify, rather than route cluttering
15:07 < steelnwool> yeah, i htink our IP usage is all over the place tho. [i inherited this system, in 2 months its all gonna be NAT with privagte ip's anyways]
15:08 < napcae> push?
15:08 < Bushmills> pop
15:08 < napcae> ..
15:09 < steelnwool> ecrist: so i should probably just play around with the route values you sent me. like perhaps removing all but one and try to connect to something in that block.
15:12 < ecrist> sure, but what I gave you will get you everything
15:12 < steelnwool> what you gave me, does not work.
15:12 -!- napcae [n=napcae@i59F76047.versanet.de] has quit ["Changing server"]
15:12 < ecrist> why not?
15:13 < steelnwool> i don't know yet..
15:13 < ecrist> what makes you think it doesn't work?
15:13 < steelnwool> um.. the lack of abilitty ping or connect to things.
15:13 < steelnwool> like 66.48.78.91 for example.
15:14 < ecrist> !logs
15:14 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
15:16 < steelnwool> while running a ping to .91 my server logs say something like this : Jan 13 16:13:40 vpn ovpn-server[10209]: jeffmacdonald/96.30.130.240:46157 UDPv4 READ [125] from 96.30.130.240:46157: P_DATA_V1 kid=0 DATA len=124
15:16 < steelnwool> Jan 13 16:13:40 vpn ovpn-server[10209]: jeffmacdonald/96.30.130.240:46157 TUN WRITE [84]
15:16 < steelnwool> turning up client logs now.
15:16 < steelnwool> Wed Jan 13 17:17:16 2010 us=384971 TUN READ [84]
15:16 < steelnwool> Wed Jan 13 17:17:16 2010 us=385127 UDPv4 WRITE [125] to 66.48.78.87:1194: P_DATA_V1 kid=0 DATA len=124
15:16 < steelnwool> from the client..
15:17 < krzie> use pastebin to paste
15:24 < steelnwool> is there a chance my issues have anything to do with this statement ? http://pastebin.com/m7b3f7beb - about routing back to the openvpn client pool?
15:26 < steelnwool> here's my logs.. http://pastebin.com/m20cf475f
15:26 < ecrist> yes, you'll need to either provide reverse routing, or nat VPN clients to the VPN server IP
15:26 < ecrist> also, ip_forward needs to be enabled.
15:26 < steelnwool> oh that part is just so things behind the vpn can talk back to MY private net then?
15:26 < steelnwool> i don't really need that.
15:28 < ecrist> no
15:28 < ecrist> the systems on the VPN lan need to be able to route to 10.8.0.1/24
15:29 < steelnwool> so i guess thats waht is missing here?
15:29 < ecrist> yes
15:29 < ecrist> like I said, you can do it two ways
15:29 < ecrist> 1) NAT VPN clients to the server IP address
15:29 < steelnwool> i missed that i guess.
15:29 < ecrist> 2) provide a reverse path to the 10.8/24 subnet
15:30 < steelnwool> so that is a config i have to perform on every server..  is there a reason we might not have talked about that an hour ago?
15:30 < ecrist> because it wasn't the problem an hour ago
15:32 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
15:32 < steelnwool> but the problem set didn't change :)
15:33 < ecrist> sure it did
15:33 < ecrist> this is a separate issue from  your other one
15:33 < steelnwool> how so? all i want to do is to be able to talk to .91
15:33 < ecrist> jesus man
15:34 < steelnwool> he definatly can't help me.
15:34 < ecrist> add in the reverse route and you'er all done
15:34 < krzie> lol
15:35 < steelnwool> via server.conf or the command line on the server?
15:37 < steelnwool> sorry i'm so dense. i don't know if you mean add the route on .91 to get to 10.8.0.1 or 10.8.0.2 or.. what in the hell...
15:37 < steelnwool> or i fyou mean add it on the vpn server... or.
15:37 < cron2> steelnwool: the *other* machines in the network need to know how to reach 10.8.0.x ("send it to the OpenVPN server")
15:38 < ecrist> on the network default gateway, type this at the CLO
15:38 < ecrist> I
15:38 < cron2> so, yes, if you want to talk to .91, the .91 needs to know how to reach 10.8.0.x
15:38 < ecrist> route add 10.8.0.0/24 ip.ip.ip.87
15:38 < steelnwool> ecrist: i have no access to the network gateway.
15:38 < ecrist> change ip.ip.ip to your ip range, i don't remember it
15:38 < krzie> sure, if .91 is all you care about make a persistent route on it to let it know that the vpn subnets are behind the local vpn machine
15:38 < krzie> !route
15:38 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:38 < ecrist> then type that on .91
15:38 < krzie> ROUTES TO ADD OUTSIDE OPENVPN
15:39 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
15:39 < steelnwool> okay i typed this on .91 : route add 10.8.0.0/24 66.48.78.87 
15:40 < steelnwool> pinging .91 still doesn't work.
15:41 < steelnwool> obviously this will be easy when the servers all get private ip's. 
15:42 < krzie> it will be easy when you read that section of my routing doc and understand it
15:43 < steelnwool> krzie: i'll read it, but it doesn't seem analogous to my issue, because i'm trying to route to a public subnet.. whre routes already exist.
15:43 < steelnwool> and its hard when your document says i need ip forwarding yet ecrist says i do not need ip forwarding. so i'm getting conflicting info.
15:43 < steelnwool> but yes, i will read it. 
15:43 < cron2> you need ip forwarding on the OpenVPN server machine
15:43 < ecrist> YOU DO NEED ip_forward
15:43 < steelnwool> oh.
15:44 < krzie> ohh
15:44 < steelnwool> one second then.
15:44 < havoc> if you have routes for packets coming from a non-local subnet you need ip forwarding
15:44 < krzie> i jumped in 1/2 way through, ill disapeer and let ecrist finish with ya
15:44 < ecrist> no, please don't
15:44 < krzie> lol
15:44 < ecrist> I've already checked out.
15:44 < ecrist>  ;)
15:44 < cron2> havoc: nothing to do with "non-local subnet" - any time a machine is supposed to forward a packet from A to B, and neither "A" nor "B" are local addresses, you need ip forwarding
15:45 < havoc> cron2: I was trying to find language to explain it to someone who doesn't know routing
15:45 -!- vampyr [n=vampyr@i198189.upc-i.chello.nl] has joined ##openvpn
15:45 < havoc> it's tricky
15:45 < steelnwool> it works now.
15:45 < steelnwool> works just fine.
15:46 < havoc> cron2: and I just forgot the non-local destination bit
15:46 < cron2> havoc: mmmh, indeed.  "If you receive packets from machine A and need to pass them on to machine B, you need ip_forward"
15:46 < havoc> cron2: and you're on neither machine A or B
15:46 < havoc> see, you forgot key bits too ;)
15:46 < cron2> if a packet is to travel A -> B -> C, B needs "ip_forward"
15:47 < havoc> cron2: this is your first mention of a 'C' ;)
15:47 < havoc> but yes, that's better
15:47 < cron2> redesign :)
15:47 -!- vampyr [n=vampyr@i198189.upc-i.chello.nl] has quit [Read error: 104 (Connection reset by peer)]
15:47 < havoc> see? explaing it is harder than doing it
15:47 < cron2> yes
15:47 < steelnwool> also, ssh on C knows nothing of the rsa keys on A, it is looking for them from B.. but thats trivial. my vpn works now. thanks guys.
15:48 < steelnwool> I know it was a struggle, but thank you.
15:48 < cron2> steelnwool: now *this* is a question on whether or not "B" does NAT (which will make the whole mess even more muddy)
15:48 < steelnwool> b doens't do nat in my case.
15:49 < cron2> in that case, C will see the SSH session coming from A, and will not know anything about B
15:49 -!- hagna [n=hagna@70.102.57.178] has joined ##openvpn
15:49 < cron2> (except that B is where IP packets to A need to be sent to, but that's not something sshd will know)
15:49 < steelnwool> in that case i'm not sure. i know i didn't setup nat. but there is a trnaslation between 10.8.0.1 and 66.48.78.91 so i guess that counts as nat.
15:51 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
15:53 < steelnwool> ecrist: if i was using a private subnet on the VPN lan, would i need to add routes on each machine still? part of me thinks yes.
15:55 < ecrist> yes
15:56 < steelnwool> okay. that struggle is out of the way then. now i just have to figure out how to "nat the vpn clients to the server address"
15:56 < steelnwool> which i guess you just mean nat 10.8.0.0/24 to say... 10.14.14.0/32 if 10.14.14.0/32 is my internal private block...
15:57 < steelnwool> or... just add a route on my gateway. once i have control of my gateway....
16:02 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.86 [Firefox 3.0.17/2009122116]"]
16:04 < hagna> where are the bsd openvpn ethernet bridging instructions?
16:04 < ecrist> not complete, but I can answer questions
16:05 < hagna> so it's possible?
16:05 < ecrist> yes
16:05 < ecrist> I run a bridged vpn on freebsd now
16:05 < hagna> do you have the start-bridge script handy?
16:06 < hagna> I'm on freebsd
16:06 < ecrist> no, I don't use that. ;)
16:06 < ecrist> let me grab my setup
16:06 < hagna> you don't use freebsd?
16:06 < ecrist> yes, I use freebsd
16:06 < ecrist> almost exclusively
16:06 < hagna> uh sleepy
16:06 < hagna> cool
16:07 < ecrist> in rc.conf, I have the following line: ifconfig_tap0="inet 172.30.20.1 netmask 255.255.255.0"
16:07 < ecrist> before that, cloned_interfaces="tap0"
16:07 < ecrist> bah, let me start over
16:07 < hagna> this is the client side?
16:08 < ecrist> no, server side
16:08 < hagna> ahh ok
16:08 -!- wulfgarpro [n=wulfgarp@mdiche1.lnk.telstra.net] has joined ##openvpn
16:08 < ecrist> this is what I have in /etc/rc.conf: http://pastebin.com/m1eabc4ed
16:10 < ecrist> this is my openvpn.conf config: http://pastebin.com/m5382f14e
16:10 < hagna> ok that's simple enough
16:10 < ecrist> I have one problem that I've been too lazy to fix, and that's where the tap0 interface isn't 'up' after a reboot
16:11 < hagna> huh I'm a newb to freebsd
16:11 < ecrist> in the config, change line 17 to: up  ifconfig tap0 up
16:11 < hagna> so you just fixed it?
16:11 < ecrist> may have.  let me test.
16:12 < hagna> line 17? mine only goes to 7
16:12 < ecrist> there were two pastebins
16:12 < krzie> heh, hes talking bout his line 17
16:12 < ecrist> the second is what I'm referring to
16:12 < hagna> ohh missed that
16:13 -!- caution [n=caution@unaffiliated/caution] has joined ##openvpn
16:14 < caution> !linnat
16:14 < vpnHelper> caution: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
16:15 < caution> ahh, I finally understand
16:15 < caution> --to is actually --to-source
16:16 < krzie> basically
16:16 < krzie> (its a SNAT)
16:17 < caution> basically? Isn't it identical?
16:17 < krzie> the --to does set the source
16:18 < caution> I thought iptables was expanding it to --to-source
16:18 < krzie> whether or not theres a --to-source i dunno
16:18 < krzie> im sure the man would tell ya that one tho
16:18 < caution> yes, I got that from the man
16:18 < krzie> ok then =]
16:18 < caution> I was confused why --to was used when it was actually --to-source
16:18 < ecrist> hagna: add 'up' to the end of the ifconfig_tap0 line
16:18 < ecrist> so: ifconfig_tap0="inet 172.30.20.1 netmask 255.255.255.0 up"
16:19 -!- caution [n=caution@unaffiliated/caution] has left ##openvpn []
16:20  * ecrist is leaving.  hagna if you have questions, please feel free to hit me up, but krzee is also a bsd guy
16:21 < krzie> yup and i am around, but im in and out (working)
16:22 < hagna> ecrist: thanks
16:23 < derRichard> !welcome
16:23 < vpnHelper> derRichard: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:29 < krzie> <aliby:#cryptohaze> Also... I keep getting a fscking CUDA initialization error
16:29 < krzie> oops
16:42 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:45 -!- mode/##openvpn [+s] by ChanServ
17:01 -!- wulfgarpro [n=wulfgarp@mdiche1.lnk.telstra.net] has quit [Client Quit]
17:12 -!- pimpatine is now known as mintaka
17:20 -!- chilicuil [n=sistemas@189.144.79.31] has joined ##openvpn
17:21 < hagna> I suppose the same server cannot connect client1 to tap0 and client2 to tap1
17:26 < mintaka> speaking of tap
17:31 < krzie> not the same server process
17:31 < krzie> but the same machine with 2 openvpn's running, sure
17:32 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)]
17:32 < hagna> krzie: ok makes sense
18:05 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has quit [Read error: 110 (Connection timed out)]
18:18 -!- Wired_Life [n=Chatzill@mgdb-4db8d038.pool.mediaWays.net] has joined ##openvpn
18:20 < Wired_Life> i have the problem openvpn @ windows 7 ultimate x64 the tap interface wont change ip and i cant ping anything
18:28 -!- hagna [n=hagna@70.102.57.178] has quit [Read error: 110 (Connection timed out)]
18:34 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
18:42 -!- Wired_Life [n=Chatzill@mgdb-4db8d038.pool.mediaWays.net] has left ##openvpn []
19:12 -!- le0 [n=itsle0@host86-157-228-21.range86-157.btcentralplus.com] has joined ##openvpn
19:13 -!- eZ [n=eZ@201-93-218-229.dsl.telesp.net.br] has joined ##openvpn
19:13 < eZ> hi dudes, how are you ?
19:13 < eZ> can anyone help me with a simple question ?
19:14 < eZ> !welcome
19:14 < vpnHelper> eZ: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:14 < krzie> hi =]
19:14 < krzie> start with:
19:14 < krzie> !goal
19:14 < vpnHelper> krzie: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:15 < eZ> there is a way to control old versions of the keys ? If a guy have a old version, with default password, he can access. I need to revoke only a specific version of keys. there is a way to control it ?
19:15 < krzie> version of keys?
19:17 < eZ> krzie: yes .. like .. the old sysadm and manager has a copy of all default keys... he got fired,so he can access via any key that he have a copy ...the users have the keys on their workstations, with newer password, but the guy has the old one. How can I assure that only the keys on the users can be used ? not the sysadm ?
19:18 < krzie> the old sysadmin has the ca.key i would suspect, is that correct?
19:19 < eZ> he has user1.key, user2.key, usern.key .. and maybe the ca.key too ...
19:21 < eZ> krzie: i think all the keys will need to be regenerated, right ?
19:21 < krzie> yes
19:21 < krzie> !crl
19:21 < vpnHelper> krzie: "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn)
19:21 < vpnHelper> krzie: that will create the CRL file for you. ssl-admin will also build a crl for you
19:21 < krzie> The only time when it would
19:21 < krzie>             be necessary to rebuild the entire PKI from scratch would be if
19:21 < krzie>             the root certificate key itself was compromised.
19:21 < krzie> thats your situation
19:22 < eZ> krzie: bad news for my customer ... lol ... i told him that ...  i was not wrong after all .. thank you ver much :)
19:34 -!- le0 [n=itsle0@host86-157-228-21.range86-157.btcentralplus.com] has quit ["Leaving"]
19:41 < krzie> np
20:26 < tjz> hmm..
20:26 < tjz> have a small problem with openvpn on dd-wrt router..
20:27 < tjz> anyone have experience with openvpn dd-wrt router?
20:37 -!- Matir [n=david@c-98-251-88-239.hsd1.ga.comcast.net] has quit [Read error: 113 (No route to host)]
20:48 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
20:48 < theDoc> lolwut?
20:49 < theDoc> Problem isn't my firewall ;p
20:49 < steelnwool> sure it is.
20:49 < theDoc> It sure isn't.
20:56 < rob0> is too! is not! is too!
20:57 < rob0> Rabbit season!
21:00 < krzie> Duck season!
21:00 < rob0> Rabbit season!
21:02 < theDoc> is never!
21:02 < theDoc> ;p
21:04  * rob0 points the shotgun at the duck ... BLAM
21:05 < rob0> s/the duck/theDoc/
21:05 < rob0> What's up Doc?
21:06 < theDoc> rob0> Too much work, too little sleep
21:57 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
22:05 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
23:03 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
23:27 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
--- Day changed Thu Jan 14 2010
00:41 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit []
00:57 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
01:29 -!- hyper_ch [n=hyper_ch@ks357331.kimsufi.com] has left ##openvpn []
01:30 -!- hyper_ch [n=hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
02:14 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:26 -!- chilicuil [n=sistemas@189.144.79.31] has quit [Read error: 60 (Operation timed out)]
02:26 -!- chilicuil [n=sistemas@189.191.135.225] has joined ##openvpn
03:07 -!- master_o1_master [n=master_o@p57B54C5B.dip.t-dialin.net] has joined ##openvpn
03:09 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
03:18 -!- master_of_master [i=master_o@p57B57B1C.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
03:21 -!- LobbyZ [n=default@main.lobbyzffs.com] has quit ["Free FTW"]
03:22 -!- LobbyZ [n=default@main.lobbyzffs.com] has joined ##openvpn
03:40 -!- trap_ [n=trap@host86-168-126-222.range86-168.btcentralplus.com] has quit [Read error: 60 (Operation timed out)]
03:47 -!- le0 [n=itsle0@host86-157-228-21.range86-157.btcentralplus.com] has joined ##openvpn
04:00 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
04:09 -!- Han [n=han@unaffiliated/han] has joined ##openvpn
04:10 < Han> Hi, I got push "route 1.2.3.4 255.255.255.255" on the server which sets up a route to my mailserver on the network. But now I need to figure out how to add a route from the server to that machine?
04:10 < Han> How should I do that?
04:19 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
04:19 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
04:20 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
04:21 -!- Han [n=han@unaffiliated/han] has left ##openvpn []
04:22 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
04:22 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
04:22 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
04:34 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:40 -!- huzaifas [n=huzaifas@115.240.191.139] has joined ##openvpn
04:58 -!- spiekey [n=mario@projekte.imos.net] has joined ##openvpn
04:58 < spiekey> Hello!
04:59 < spiekey> i have multipe OpenVPN Servers...and i want to manage the certs and keys on only one central server
04:59 < spiekey> any idea how i can do this?
05:02 < huzaifas> spiekey:  all of them listen on the same interface?
05:11 -!- huzaifas [n=huzaifas@115.240.191.139] has quit [Remote closed the connection]
05:12 -!- Schlaubi [n=daniel@p5B0A168B.dip0.t-ipconnect.de] has joined ##openvpn
05:12 < Bushmills> spiekey: rather than relying on the key/cert server to be online as single point of failure for logins to all your vpn servers, I'd probably distribute certs and keys by script over a secure channel to the servers.
05:12 -!- Schlaubi [n=daniel@p5B0A168B.dip0.t-ipconnect.de] has left ##openvpn ["Verlassend"]
05:15 -!- eZ [n=eZ@201-93-218-229.dsl.telesp.net.br] has quit ["Lost terminal"]
05:15 < spiekey> i am planing to set up about 100 Firewalls and i want to manag them on openldap basis
05:15 < spiekey> i already have my config files in my openldap structure including password authentitification
05:15 < spiekey> now i only need to be able to manage that ca, key stuff centrally :)
05:22 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit ["I am off"]
05:31 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
05:40 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:37 < _trine> when I use a public wifi access point my VPN gives me this message and stops further access to the net can anyone give me an answer to help solve it
06:37 < _trine> Replay-window backtrack occurred [1]
06:37 < _trine> on other wifi networks it works ok
06:42 -!- macsppadic [n=sonupunn@82.109.74.162] has joined ##openvpn
06:43 < macsppadic> wondering if anyone else has been seeing MULTI:status=1 messages when disconnecting and reconnecting the same client 
06:43 < macsppadic> obtaining the ip address from server fine but cant ping anything - routing seems to be gone to hell
06:48 < Bushmills> macsppadic: client may have received a different ip address. check.
06:52 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 104 (Connection reset by peer)]
06:53 < macsppadic> hello Bushmills - just checked -the ip receieved is within the ifconfig-pool range
06:53 < Bushmills> different than the one before disconnect
06:53 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
06:55 < macsppadic> nope same IP - jsut did a test connect n disconnect three times - same Ip is being received from the server - i dont have a client-config-dir just a standard server config 
06:55 < macsppadic> persist-key and persist-tun are set as well 
06:55 < macsppadic> as per the docs
06:58 < macsppadic> am pushing 5 routes through in the openvpn server conf but none of those work as cant get to the gateway 
06:59 < macsppadic> i can ping from the openvpn server to all the five routes ..so must be something in openvpn routing that i have fubared
06:59 < macsppadic> am using a bridged tap configuration 
07:07 < macsppadic> can see echo request going out but no replies coming back when doing a tcpdump on the tap interface Bushmills
07:07 < ecrist> good morning
07:07 < Bushmills> sounds serverish
07:09 < ecrist> !configs
07:09 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
07:09 < macsppadic> aye wondering if the firewall is doing anything funky ...
07:10 < ecrist>         macsppadic what vpnHelper said was for you
07:11 -!- dazo_afk is now known as dazo
07:16 < macsppadic> hello ecrist http://pastebin.com/d5c11a146
07:19 -!- aep [n=aep@libqxt/developer/aep] has left ##openvpn ["WeeChat 0.3.1-dev"]
07:35 < ecrist> macsppadic: why do yo have such an odd set of routes?
07:36 < jmm> hello.
07:36 < macsppadic> hello ecrist- one of the clients has different vlan segments so need the mobile vpn connected client to be able to reach each of them 
07:37 < macsppadic> they all go thru 131.254 gateway - which shud be pingable - but cant ping that once i connect in with openvpn 
07:37 < macsppadic> the ip i receive is 131.246 
07:37 < macsppadic> on connecting in with openvpn 
07:37 < jmm> I wish to route all traffic from one client by the vpn, I tried using 'push redirect-gateway def1" in my ccd, but it doesn't seems to works, routes on the clients remain the same.can somebody help please ?
07:39 < ecrist> macsppadic: why are you using bridged mode?
07:39 < ecrist> jmm, we need configs and some sort of evidence of what you're saying is/is not happening
07:40 < jmm> ecrist: allright.
07:40 < macsppadic> ecrist - u reckon routing setup will be easier?
07:40 < ecrist> macsppadic: yes, we generally recommend routing here.  
07:41 < macsppadic> just thought since bridging shud forward all traffic would make life easier - after tinkering the firewall that is ...
07:42 < ecrist> well, bridging is easier is some cases, but not the way you have your network subnetted.
07:46 < jmm> ecrist: http://pastebin.ca/1750956, tell me if you need something else.
07:50 < ecrist> jmm: logs, too, please:
07:50 < ecrist> !logs
07:50 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
07:51 < jmm> do you really want logs lvl to 6 ? it will make huge files.
07:51 < ecrist> yes, we really do
07:51 < jmm> okay, I'll add this.
07:57 < tjz> hey guys, do you have experience with openvpn on dd-wrt router?
07:57 < tjz> i have the openvpn connected successfully
07:57 < ecrist> limited.  we can handle basic questions, but they bastardize it quite a bit
07:57 < tjz> but incoming traffic seem to be 'block'
07:57 < tjz> :(
07:58 < ecrist> tjz: check your firewall settings
07:58 < tjz> hmm..
07:58 < tjz> i have this been run:
07:58 < tjz> iptables -t nat -F POSTROUTING
07:59 < ecrist> !iptables
07:59 < vpnHelper> ecrist: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall
07:59 < tjz> it should have clear off everything, i think..
07:59 < reiffert> ecrist: can you edit this stuff onthefly?
08:00 < reiffert> ecrist: we should add ;'s in #1
08:00 < ecrist> reiffert: I can edit only directly in db, otherwise it's a forget/relearn
08:01 < tjz> talking about briding..
08:01 < tjz> bridging
08:01 < tjz> i am with this situation
08:01 < tjz> lol
08:01 < tjz> this openvpn was setup on router #2
08:01 < tjz> wall - router #1 - router #2 and pc
08:02 < tjz> :D
08:02 < tjz> reiffert, care to tell me what you like to edit on the fly ...like via from web-based?
08:03 < ecrist> reiffert: tell me how #1 should be formatted and I'll update
08:03 < ecrist> pleas
08:03 < ecrist> e
08:03 < reiffert> tjz: I was talking to ecrist, thats why I put his name in front of my question.
08:04 < reiffert> to test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT;
08:04 < jmm> ecrist: here are the logs : http://pastebin.ca/1750968 and http://pastebin.ca/1750972 . 
08:04 -!- zobbo [n=icottee@82.109.74.162] has joined ##openvpn
08:04 -!- lettucefire [n=lettucef@82.109.74.162] has joined ##openvpn
08:04 < jmm> I had to shortend the server one a bit because it was too big.
08:05 < jmm> but I think all important informations are here.
08:05 < ecrist> !iptables
08:05 < vpnHelper> ecrist: '"iptables" is (#1) o test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT \nACCEPT; iptables -P FORWARD ACCEPT;, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-
08:05 < vpnHelper> ecrist: computing.net/wiki/index.php/OpenVPN/Firewall'
08:05 < ecrist> like that, reiffert?
08:06 < lettucefire> ping bloffers
08:07 < macsppadic> bloffers has left the building lettucefire 
08:07 < lettucefire> ah ok ta macsppadic .. 
08:07 < reiffert> ecrist: without that copy paste \n.
08:07 < ecrist> doh
08:07 -!- lettucefire [n=lettucef@82.109.74.162] has left ##openvpn []
08:07 < reiffert> :)
08:08 < ecrist> !iptables
08:08 < vpnHelper> ecrist: "iptables" is (#1) o test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT;, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-
08:08 < vpnHelper> ecrist: computing.net/wiki/index.php/OpenVPN/Firewall
08:10 < reiffert> great :)
08:10 < reiffert> thank you
08:10 < ecrist> np
08:13 -!- spiekey [n=mario@projekte.imos.net] has quit ["Ex-Chat"]
08:16 < tjz> reiffert, okay.. :D
08:23 -!- trap [n=trap@host86-168-126-222.range86-168.btcentralplus.com] has joined ##openvpn
08:23 < trap> will using an openvpn client with untangle on a nat'd network screw up things at all? 
08:24 < ecrist> what is untangle?
08:24 < trap> just bundles a load of opensoucce stuff together
08:24 < trap> like snort/openvpn client into one pacakage
08:24 < trap> basically will using an openvpn client on a nat'd network make things weird? 
08:24 < trap> ie.not working
08:25 < ecrist> nope
08:25 < ecrist> I'm connected to two different VPNs right now through a NAT
08:25 < jmm> I do too :)
08:25 < trap> nice
08:26 < trap> can snort sniff the unencrypted traffic? 
08:26 < trap> it will be on the same box as the vpn client 
08:26 < trap> i heard u can use snort to just sniff the plain packets ..?
08:26 < trap> after it gets decrypted in / beforei t gets encrypted on way out 
08:26 < ecrist> it depends on where you're doing your sniffing
08:27 < ecrist> then sure, why couldn't it?
08:27 < trap> where should i be doing my sniffing ? 
08:29 < tjz> ecrist, hmm...
08:29 < tjz> interesting..
08:32 < jmm> so guys nobody can't help with routing all client traffic trough the vpn ? 
08:32 < trap> im gonna be pyaing for shadowvpn 
08:32 < trap> i want all my traffic to be going through shadowvpn . ..will that be hard to setup client side? 
08:33 < ecrist> !def1
08:33 < vpnHelper> ecrist: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
08:34 -!- mattock1 [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
08:34 -!- mode/##openvpn [+o mattock1] by ChanServ
08:42 < jmm> ecrist: you didn't spotted something suspect in the logs ?
08:42 < ecrist> haven't looked yet
08:43 < tjz> i am planning to move away from gmail after seeing this one: http://www.youtube.com/watch?v=hrontojPWEE
08:43 < vpnHelper> Title: YouTube - The Google Toilet: SuperNews! (at www.youtube.com)
08:43 < tjz> :D
08:45 -!- zobbo [n=icottee@82.109.74.162] has left ##openvpn []
08:47 < ecrist> jmm: what isn't working?
08:47 < jmm> the client doesn't seems to route traffic trough the vpn.
08:48 < ecrist> can you post your configs again (or just give me the link)
08:48 < jmm> sure.
08:48 < jmm> http://pastebin.ca/1750956
08:49 < ecrist> jmm: you want all traffic to go through the vpn?
08:50 < ecrist> line 28 of your pastebin is missing a double quote
08:50 < ecrist> I don't see anything in the logs about it trying to push the route
08:50 < jmm> my final objective is to route all traffic but a class. the current config is made to route all .
08:50 -!- Zahra [n=Zahra@unaffiliated/belendax] has joined ##openvpn
08:50 < jmm> lemme check line 28.
08:51 < jmm> it just on the pastebin.
08:51 < jmm> I got : push "redirect-gateway def1"
08:51 < jmm> in the config.
08:52 < Zahra> I've configed openvpn for my client & server & everything is true but I have this error: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)                    
08:53 < jmm> ecrist: I do see the route pushed too, I don't understand why.
08:53 < ecrist> Zahra: logs
08:53 < ecrist> !logs
08:53 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
08:53 < Zahra> ecrist: server: http://pastebin.com/m5af35b18   client: http://pastebin.com/m7297d0f5
08:55 < ecrist> jmm: my guess is the ccd is names wrong, or something.
08:55 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
08:55 < jmm> let's double check it !
08:56 < ecrist> Zahra: you should update to 2.1.1
08:56 < jmm> ecrist: oh lol I think you are right.
08:56 < jmm> I'm banging my head on the wall for 2 hours.
08:57 < ecrist> the file needs to be named the same as what is in the client's CN
08:57 < jmm> thanks a lot man.
08:57 < Zahra> ecrist: r u share that it will be fixed after update?
08:57 < ecrist> no, that's a separate issue
08:57 < ecrist> I'm just telling you to update.
08:57 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:57 < ecrist> 2.0.9 is more than 4 years old
08:59 < ecrist> !configs
08:59 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
08:59 < ecrist> Zahra: ^^^
09:02 < Zahra> ecrist: server.conf http://pastebin.com/m129a518c  client.conf http://pastebin.com/m51a79873
09:03 < ecrist> please dispose of the comments
09:05 -!- Kalculus [n=na@x40343ce2.ip.e-nt.net] has quit [Read error: 60 (Operation timed out)]
09:08 < Zahra> server http://pastebin.com/m7ee39bea  client http://pastebin.com/m5bf0d523
09:10 < Zahra> ecrist: ^^
09:10 < ecrist> Zahra: it really looks like there's network connection issues
09:10 < ecrist> nothing specifically openvpn related.
09:11 < ecrist> your configs look fine,and your logs don't indicate a problem.
09:14 -!- LobbyZ [n=default@main.lobbyzffs.com] has quit [Read error: 60 (Operation timed out)]
09:14 -!- havoc [n=havoc@saturn.chaillet.net] has quit [Read error: 60 (Operation timed out)]
09:14 -!- sno_ [n=sno@static.153.209.46.78.clients.your-server.de] has quit [Read error: 60 (Operation timed out)]
09:14 < jmm> ecrist: does by any chance you know how to route everything exept the local class of the client ? I find no docs about it.
09:14 -!- sno [n=sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn
09:14 < ecrist> !def1
09:14 < vpnHelper> ecrist: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
09:15 -!- LobbyZ [n=default@main.lobbyzffs.com] has joined ##openvpn
09:15 -!- havoc [n=havoc@saturn.chaillet.net] has joined ##openvpn
09:18 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
09:18 -!- tjz2 [n=tjz@bb116-15-75-62.singnet.com.sg] has joined ##openvpn
09:22 -!- tjz2 [n=tjz@bb116-15-75-62.singnet.com.sg] has quit [Client Quit]
09:22 -!- tjz2 [n=tjz@bb116-15-75-62.singnet.com.sg] has joined ##openvpn
09:23 -!- tjz [n=tjz@unaffiliated/tjz] has quit [Nick collision from services.]
09:23 -!- tjz2 is now known as tjz
09:26 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
09:32 -!- flo|va-nu-pied [n=florent@unaffiliated/flovanupied/x-758957] has quit [Read error: 110 (Connection timed out)]
09:35 -!- chilicuil [n=sistemas@189.191.135.225] has quit [Read error: 60 (Operation timed out)]
09:37 -!- chilicuil [n=sistemas@189.191.135.225] has joined ##openvpn
09:45 -!- ez [n=ez@200.169.162.250] has joined ##openvpn
09:45 < ez> !goal
09:45 < vpnHelper> ez: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:46 -!- chilicuil [n=sistemas@189.191.135.225] has quit [Read error: 60 (Operation timed out)]
09:47 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)]
09:48 -!- chilicuil [n=sistemas@189.191.135.225] has joined ##openvpn
09:52 -!- Otacon22 [n=otacon22@93-36-88-88.ip59.fastwebnet.it] has joined ##openvpn
09:52 < Otacon22> How can i check the expire time of a CA certificate?
09:58 < ecrist> with openssl command
09:59 < Otacon22> ovviusly
09:59 < Otacon22> but how
09:59 < Otacon22> ?
09:59 < ecrist> !verifyca
09:59 < vpnHelper> ecrist: Error: "verifyca" is not a valid command.
09:59 < ecrist> !verify
09:59 < vpnHelper> ecrist: Error: "verify" is not a valid command.
09:59 < ecrist> !certverify
09:59 < vpnHelper> ecrist: "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
09:59 < Otacon22> ok
10:09 -!- teddymills [n=teddy@208.92.235.227] has quit ["Ex-Chat"]
10:10 < Otacon22> ecrist, the verify says me that is all ok, but it is not ok.
10:10 < Otacon22> i've created a ca.key and ca.cert with an expire time of 3650 days
10:10 < Otacon22> and i've signed a request of a client with the option --days 3650 with openssl
10:11 < Otacon22> then i've tried and all was working
10:11 < ecrist> OK, so what is your issue?
10:11 < Otacon22> then i've changed in the future the time on the server and on the client
10:11 < Otacon22> (1 year in the future)
10:11 < Otacon22> and nothing working
10:11 < Otacon22> Fri Jan 14 18:06:36 2011 us=969187 VERIFY ERROR: depth=0, error=certificate has expired: /C=AU/ST=Some-State/O=Internet_Widgits_Pty_Ltd/CN=Otacon22_VPN_main_Server
10:11 < Otacon22> where is the problem? I can't understand
10:12 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
10:15 < Otacon22> ecrist, any suggestions for me?
10:16 < reiffert> !masq
10:16 < vpnHelper> reiffert: Error: "masq" is not a valid command.
10:16 < reiffert> !factoids search masq
10:16 < vpnHelper> reiffert: No keys matched that query.
10:16 < reiffert> !factoids search --values masq
10:16 < vpnHelper> reiffert: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
10:16 -!- chilicuil [n=sistemas@189.191.135.225] has quit [Success]
10:16 < reiffert> !winnat
10:16 < vpnHelper> reiffert: "winnat" is http://support.microsoft.com/kb/306126 for windows nat (windows calls it internet connection sharing aka ICS)
10:17 < reiffert> !forward
10:17 < vpnHelper> reiffert: Error: "forward" is not a valid command.
10:17 < reiffert> !ipforward
10:17 < vpnHelper> reiffert: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
10:17 -!- chilicuil [n=sistemas@189.191.135.225] has joined ##openvpn
10:17 < reiffert> !winipforward
10:17 < vpnHelper> reiffert: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
10:19 < havoc> hmm, I always use netsh to enable IP forwarding in windows
10:19 < havoc> I *think* it sets the reg key
10:19 -!- chilicuil [n=sistemas@189.191.135.225] has quit [Read error: 54 (Connection reset by peer)]
10:20 -!- chilicuil1 [n=sistemas@189.191.135.225] has joined ##openvpn
10:26 < ecrist> working on a minor ssl-admin update
10:27 -!- napcae [n=napcae@i59F76F00.versanet.de] has joined ##openvpn
10:27 < napcae> hi
10:28 < napcae> i have a problem, i can connect to my vpn server, but i don't get a new ip on whatsmyip.org
10:30 -!- chilicuil1 [n=sistemas@189.191.135.225] has quit [Read error: 60 (Operation timed out)]
10:31 < napcae> anybody there?
10:36 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Read error: 60 (Operation timed out)]
10:44 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:44 < dazo> napcae:  (I'm in a meeting now) ... sounds --redirect-gateway is not correctly setup on your client
10:46 < napcae> should i post my client config?
10:48 < krzie> !configs
10:48 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
10:48 < krzie> also, heres a basic checklist
10:48 < krzie> !redirect
10:48 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
10:50 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
10:51 -!- chilicuil [n=sistemas@189.191.135.225] has joined ##openvpn
10:51 < napcae> client conf:
10:51 < napcae> client
10:51 < napcae> dev tun
10:51 < napcae> proto udp
10:51 < napcae> remote napcae.dyndns.org
10:51 < napcae> resolv-retry infinite
10:51 < napcae> nobind
10:52 < napcae> persist-key
10:52 < napcae> persist-tun
10:52 < napcae> ca ca.crt
10:52 < napcae> cert lindenhome-napcae.crt
10:52 -!- le0 [n=itsle0@host86-157-228-21.range86-157.btcentralplus.com] has quit [Read error: 110 (Connection timed out)]
10:52 < napcae> key lindenhome-napcae.key
10:52 < napcae> comp-lzo
10:52 < napcae> verb 3
10:52 < krzie> whoaaa
10:52 < krzie> !pastebin
10:52 < vpnHelper> krzie: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
10:53 < krzie> that was made clear in the welcome message when you joined
10:53 < krzie> 35mb cpp!?
10:53 < napcae> ahh okay, sry
10:54 < krzie> np
10:54 < napcae> i new to that
10:54 < krzie> !configs
10:54 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
10:54 < krzie> ~redirect
10:54 < krzie> !redirect
10:54 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
10:55 < napcae> I'm sry, but i don't understand what you mean :S
10:55 -!- chilicuil [n=sistemas@189.191.135.225] has quit [Read error: 54 (Connection reset by peer)]
10:55 < krzie> what part dont you understand
10:55 -!- chilicuil1 [n=sistemas@189.191.135.225] has joined ##openvpn
10:55 < napcae> what do you mean with !configs; !redirect
10:56 < napcae> where i have to type that in?
10:56 < krzie> read what my bot tells you
10:56 < krzie> im giving commands to my bot
10:56 < krzie> !bot
10:56 < vpnHelper> krzie: "bot" is I'm a bot.. just a bot. krzee is my maintainer, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
10:57 < napcae> okay, i'll check my server.conf
10:58 -!- chilicuil1 [n=sistemas@189.191.135.225] has quit [Read error: 54 (Connection reset by peer)]
10:59 -!- chilicuil [n=sistemas@189.191.135.225] has joined ##openvpn
10:59 < Otacon22> damn certificates!
11:00 < Otacon22> it's since 2 hours that i'm tring to create a certificate wich could work for more than 1 month
11:01 -!- napcae [n=napcae@i59F76F00.versanet.de] has quit ["Lost terminal"]
11:04 < ecrist> krzie: I've finally automated the freebsd portbuild of ssl-admin
11:04 -!- le0 [n=itsle0@host86-157-228-21.range86-157.btcentralplus.com] has joined ##openvpn
11:04 < ecrist> working on a batch update to get rid of some of the extra confirmations from openssl command line call
11:05 < ecrist> hoping to submit the patch today after testing
11:06 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
11:08 -!- napcae [n=napcae@i59F76F00.versanet.de] has joined ##openvpn
11:09 < napcae> sry, my keyboard didn't write anymore;had to restart
11:10 < napcae> http://pastebin.com/m28c5ebab
11:10 < Otacon22> ecrist, please could you check this commands wich i've used to create certificates? http://pastebin.com/f2fa66310
11:10 < napcae> i think i have to change "redirect gateway"
11:11 < Otacon22> if i can find the error i will finish to write my guide (in italian) about how to build up a openvpn network
11:11 < ecrist> what do you think is wrong with your certificates?
11:12 < Otacon22> ecrist, expire time
11:12 < ecrist> why do you think it is wrong?
11:12 < Otacon22> because every 1 month i must regenerate all client certificates
11:13 < Otacon22> and ca certificate
11:15 < ecrist> your commands look OK to me.
11:19 < ecrist> krzie: you around?
11:21 < Otacon22> ecrist, sure? uff, but it is not working ! 
11:21 < Otacon22> GH
11:22 -!- macsppadic [n=sonupunn@82.109.74.162] has left ##openvpn []
11:26 < krzie> hey just got back
11:27 < krzie> napcae, so your server has NAT and ip forwarding enabled?
11:27 -!- chilicuil1 [n=sistemas@189.191.135.225] has joined ##openvpn
11:27 -!- le0 [n=itsle0@host86-157-228-21.range86-157.btcentralplus.com] has quit ["Leaving"]
11:28 < ecrist> krzie: I have some changes to ssl-admin, if you could help test them
11:29 < napcae> ip forwarding 1
11:29 < napcae> and NAT, from the how to iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
11:30 < napcae> it should work now, but I can't test it yet
11:30 < krzie> ecrist sure
11:30 < krzie> ecrist are they in trunk?
11:30 < ecrist> let me put it somewhere for you
11:31 < krzie> ok
11:31 < ecrist> yes, the changes are
11:31 -!- chilicuil [n=sistemas@189.191.135.225] has quit [Read error: 104 (Connection reset by peer)]
11:31 < krzie> ahh ya if you could gimme the tgz it would be easier
11:31 < ecrist> if you just want the ports patch, I can make that avaialble
11:31 < krzie> my unix box here has no inet access
11:31 < ecrist> you want freebsd version?
11:31 < krzie> ya
11:31 < krzie> and ill just toss in the dir
11:32 < ecrist> ftp://ftp.secure-computing.net/pub/FreeBSD/ports/ssl-admin/ssl-admin-1.0.3.tar.gz
11:32 < ecrist> that for the ports build
11:33 < ecrist> here's the patch: http://pastebin.com/m221ea56e
11:33 < napcae> is there i way to test my configuration in the lan?
11:33 < ecrist> run that patch on /usr/ports/security/ssl-admin
11:34 < krzie> is part of the update a real makefile (bypassing my super ugly configure attempt) ?
11:50 < krzie> Patching file Makefile using Plan A...
11:50 < krzie> Hunk #1 failed at 1.
11:50 < krzie> 1 out of 1 hunks failed--saving rejects to Makefile.rej
11:52 < krzie> hrm nm\
11:52 < krzie> got it now
11:56 -!- chilicuil [n=sistemas@189.191.135.225] has joined ##openvpn
11:59 < ecrist> most of the changes in svn were related to my packaging up for the port
11:59 < ecrist> the real program change was the addtion of the -batch flag to openssl to not ask for vars that are set already
12:01 -!- dauergast [n=sag@g225217008.adsl.alicedsl.de] has joined ##openvpn
12:08 < krzie> any changes to the config gile?
12:08 < krzie> file
12:08 < krzie> or can i just install right over the old one
12:08 -!- chilicuil1 [n=sistemas@189.191.135.225] has quit [Connection timed out]
12:13 -!- chilicuil [n=sistemas@189.191.135.225] has quit [Success]
12:14 -!- openvpn2009 [n=email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
12:15 -!- mode/##openvpn [+o openvpn2009] by ChanServ
12:15 < napcae> i added push "redirect-gateway"
12:15 < napcae> to my server config
12:15 < napcae> but I'm stuck on my router configuration
12:28 < ecrist> !def1
12:28 < vpnHelper> ecrist: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
12:28 < ecrist> krzie: just install over the existing one
12:29 < krzie> your router config napcae ?
12:29 < trap> im paying for a commercial openvpn service called shadowvpn ...its a subset of xerobank ....using my openvpn client can i route ALL my internet traffic through the vpn ? 
12:29 < krzie> trap, we know nothing of that service
12:30 < krzie> but if they are setup for that, and use openvpn, sure
12:30 < ecrist> you need to contact their support
12:30 < krzie> yes, what ecrist said
12:30 < krzie> if you ran both sides we could help you
12:34 -!- chilicuil [n=sistemas@189.191.135.225] has joined ##openvpn
12:43 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
12:47 -!- hagna [n=hagna@173-10-30-5-BusName-utah.ut.hfc.comcastbusiness.net] has joined ##openvpn
12:49 < hagna> http://pastebin.com/m7ccddd8f shows a simple server and client config for p2p with certs, but it won't connect and the server says ECONREFUSED]: Connection refused (code=111)
12:53 < ecrist> firewall
12:53 < ecrist> we've been over this
12:54 -!- corretico_ [n=laguilar@201.201.46.106] has quit ["Leaving"]
12:54 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
13:00 < hagna> I'd agree if p2p with these config files didn't work http://pastebin.com/m1b5b96a1
13:01 < hagna> is the client trying to tcp in the former example?
13:01 < hagna> s/to tcp/to do tcp
13:02 < trap> does anybody know of some trustworthy vpn providers who dont keep logs, where you can choose between a load of different ips for you vpn in different countries
13:02 < trap> i dont want the same vpn ip all the time 
13:03 < trap> i want different us vpn ips every time i use the service..or atleast a big selection
13:04 < napcae> okay, i tried my config with a friend
13:04 < napcae> he said, that he can't ping any machines of mine in my networ
13:06 < hagna> ecrist: nm it's a cert verify failure I missed it
13:07 < napcae> btw, server.conf
13:07 < napcae> http://pastebin.com/d1118732e
13:12 < krzie> napcae 
13:13 < krzie> !goal
13:13 < vpnHelper> krzie: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:16 -!- caesar_ [n=napcae@i59F76F00.versanet.de] has joined ##openvpn
13:17 < caesar_> wth?
13:17 < caesar_> napcae=caesar
13:17 < caesar_> did you say something krzie ?
13:19 < hagna> he said !goal
13:20 < caesar_> ty, replied yet
13:22 -!- napcae [n=napcae@i59F76F00.versanet.de] has quit [Read error: 54 (Connection reset by peer)]
13:26 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:27 -!- napcae [n=napcae@i59F76F00.versanet.de] has joined ##openvpn
13:30 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
13:33 < napcae> ?
13:33 < napcae> seems to work
13:40 -!- caesar_ [n=napcae@i59F76F00.versanet.de] has quit [Read error: 110 (Connection timed out)]
13:42 -!- Holister [n=ryan@static-151-204-189-39.pskn.east.verizon.net] has quit [Read error: 104 (Connection reset by peer)]
13:42 -!- Holister [n=ryan@static-151-204-189-39.pskn.east.verizon.net] has joined ##openvpn
13:44 -!- Holister [n=ryan@static-151-204-189-39.pskn.east.verizon.net] has quit [Read error: 104 (Connection reset by peer)]
13:45 -!- Holister [n=ryan@static-151-204-189-39.pskn.east.verizon.net] has joined ##openvpn
13:47 -!- napcae [n=napcae@i59F76F00.versanet.de] has quit ["Lost terminal"]
13:53 -!- chilicuil [n=sistemas@189.191.135.225] has quit [Connection reset by peer]
14:25 -!- Zahra [n=Zahra@unaffiliated/belendax] has quit ["Leaving."]
14:29 -!- chilicuil [n=sistemas@189.191.135.225] has joined ##openvpn
14:36 < krzie> ecrist still here?
14:41 < ecrist> yep
14:42 -!- Section58 [n=steve@ipt0-2.core.bsd.uk.phib3r.net] has quit [Read error: 60 (Operation timed out)]
14:44 < ecrist> krzie: what you need?
14:44 < krzie> did you make the meetings on mon/tues?
14:44 < ecrist> yes
14:44 < krzie> traveling for work and whatnot kept me from making it
14:45 < ecrist> logs are available
14:45 < krzie> howd it go? anything cool?
14:45 < krzie> ahh nice
14:46 < ecrist> http://secure-computing.net/logs/openvpn-20090111.log
14:46 < ecrist> http://secure-computing.net/logs/openvpn-20090112.log
14:47 < ecrist> ah, 'fortune -o' is great
14:48 -!- hagna [n=hagna@173-10-30-5-BusName-utah.ut.hfc.comcastbusiness.net] has quit ["leaving"]
14:49  * rob0 <3 fortune(6)
14:50 < ecrist> directories I don't want indexed on my web server simply cat fortune -o
14:50 < ecrist> ;)
14:51 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:51 < rob0> oh haha nice
14:52 -!- mattock1 [n=samuli@dyn55-11.yok.fi] has quit ["Leaving."]
14:55 < krzie> lol
14:56 < dazo> Q: How does a Unix guru have sex?
14:56 < dazo> A: unzip;strip;touch;finger;mount;fsck;more;yes;umount;sleep
14:57 < krzie> who; last; talk; read; pause; grep; touch; finger; unzip; head; mount
14:57 < krzie>           /dev/girl -t wet; fsck; fsck; fsck; fsck; yes; yes; yes; umount
14:57 < krzie>           /dev/girl; zip; rm -rf wet.spot; sleep;
14:58 < dazo> heh
14:58 -!- chilicuil [n=sistemas@189.191.135.225] has quit [Connection reset by peer]
15:01 < ecrist> Q:	What do you call a truck load of vibrators?
15:01 < ecrist> A:	Toys for twats.
15:02 < hyper_ch> what's a twat?
15:03 < ecrist> The word twat has various functions, its primary meaning being a vulgar synonym for the human vulva, vagina, or clitoris. ..
15:03 < rob0> That's a slang term ...
15:04 < hyper_ch> ah :)
15:15 < havoc> geez, so I installed win2k8 web ed., NOT R2, did everything idential, even used same configs, and everything magically works now
15:15 < havoc> so definitely an R2 issue
15:28 -!- trap_ [n=trap@host86-162-65-161.range86-162.btcentralplus.com] has joined ##openvpn
15:28 -!- trap [n=trap@host86-168-126-222.range86-168.btcentralplus.com] has quit [Read error: 110 (Connection timed out)]
15:28 -!- dazo is now known as dazo_afk
15:30 -!- ez [n=ez@200.169.162.250] has quit ["leaving"]
15:38 < havoc> and win2k8 still has MTU issues, have to use mssfix to make it work
15:47 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
15:59 -!- dauergast [n=sag@g225217008.adsl.alicedsl.de] has quit ["Widersprich nie einer Frau! Warte einen Augenblick, dann tut sie es selbst"]
16:08 < vpnHelper> New forum entry openvpnforum: Server Administration :: MULTI: new incoming connection would exceed maximum number o :: Author ... <http://www.ovpnforum.com/viewtopic.php?f=4&t=2445&p=2833#p2833>
16:34 -!- trap_ [n=trap@host86-162-65-161.range86-162.btcentralplus.com] has quit [Read error: 110 (Connection timed out)]
16:35 -!- trap_ [n=trap@host86-162-65-239.range86-162.btcentralplus.com] has joined ##openvpn
16:37 -!- hyper_ch [n=hyper_ch@ks357331.kimsufi.com] has quit [Read error: 60 (Operation timed out)]
16:37 -!- hyper_ch [n=hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
16:46 -!- Lantizia [n=Lantizia@212.57.229.111] has joined ##openvpn
17:08 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
17:22 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)]
17:47 -!- dunc_ [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote closed the connection]
17:48 -!- invalidrecord [n=biodroid@client-80-3-173-31.cht-bng-011.adsl.virginmedia.net] has joined ##openvpn
17:49 < invalidrecord> !welcome
17:49 < vpnHelper> invalidrecord: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:49 < invalidrecord> !redirect
17:49 < vpnHelper> invalidrecord: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:49 < invalidrecord> !def1
17:49 < vpnHelper> invalidrecord: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
17:51 < invalidrecord> great bot guys all the silly bits out of the way we need one in ror
17:51 < invalidrecord> !nat
17:51 < vpnHelper> invalidrecord: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
17:51 < rob0> !factoids
17:51 < vpnHelper> rob0: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
17:51 < invalidrecord> ohh sweet
17:51 < rob0> ^^ that has the whole thing
17:51 < rob0> yw
17:51 < invalidrecord> cheers man
17:52 < invalidrecord> how does openvpn compare to freeswan etc?
17:52 < rob0> Anyone who reads the /topic when joining a channel can't be all bad. :)
17:53 < rob0> Well, openvpn is what's called a SSL VPN, whereas Freeswan is IPSec.
17:53 < invalidrecord> ahh so an ssl vpn is what like l2tp
17:53 < invalidrecord> or ptptp
17:54 < invalidrecord> bahh im being lazy i can google
17:54 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
17:54 < rob0> Depends on your needs. If you're going to push crap through the tunnel and push the limits all the time, maybe ipsec is better.
17:54 < invalidrecord> no i want my imap to work when im on the college wifi
17:55 < invalidrecord> ohh and hulu vids ;)
17:55 < rob0> SSL VPN means there's a single port which carries the connection, and it's secured by SSL, the same as HTTPS and so on.
17:55 < invalidrecord> ok and what it does some multiplexing sort of like socks\
17:55 < rob0> You'll be able to get through a nasty proxy server with openvpn. I don't know, with ipsec.
17:56 < invalidrecord> ipsec is a bitch 
17:56 < rob0> openvpn can actually share a port such as 443/tcp, share it with your httpd.
17:56 -!- byu [n=clastu@202.71.103.246] has joined ##openvpn
17:56 < invalidrecord> i was close to going the ssh route but i want something a bit less hacky\
17:56 < invalidrecord> ohh i can share it on my 8080
17:56 < rob0> (although ideally you would not want to run openvpn on TCP)
17:57 < rob0> try UDP first, see if you can get out
17:57 -!- byu [n=clastu@202.71.103.246] has quit [Client Quit]
17:57 < invalidrecord> yes the overhead + enc would be a bit heavy\
17:57 < rob0> right
17:58 < invalidrecord> well ill go check my nat etc before firing off questions, no doubt ill still come back to a 'have you plugged it in?' type of solution. Price of being blonde 
17:59 < rob0> :)
17:59 < invalidrecord> can you belive my college blocks /. that was the last straw
18:00 < invalidrecord> how will i know when textmate2 is out \
18:02 < rob0> well, I generally have a low opinion of "education", so stuff like that does not surprise me.
18:02 < invalidrecord> !linnat
18:02 < vpnHelper> invalidrecord: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
18:03 < invalidrecord> its just frustrating as their tech guys are well i would have them on my servers put it that way
18:03 < invalidrecord> the temptation to fuck with them is imense
18:03 < invalidrecord> integer based 4 digit password you cant change for example
18:15 -!- biodroid [n=biodroid@client-80-3-173-31.cht-bng-011.adsl.virginmedia.net] has joined ##openvpn
18:15 -!- invalidrecord [n=biodroid@client-80-3-173-31.cht-bng-011.adsl.virginmedia.net] has quit [Read error: 104 (Connection reset by peer)]
18:18 -!- biodroid is now known as invalidrecord
18:19 -!- invalidrecord is now known as invalidrecord_
18:19 -!- invalidrecord_ [n=biodroid@client-80-3-173-31.cht-bng-011.adsl.virginmedia.net] has quit [Remote closed the connection]
18:24 -!- Lantizia [n=Lantizia@212.57.229.111] has quit ["Leaving"]
18:28 -!- DarkAnt [n=DarkAnt@c-24-63-224-114.hsd1.ma.comcast.net] has joined ##openvpn
18:46 < DarkAnt> This is my first time trying to set up a vpn and I need a bit of help solving this problem.
18:46 < DarkAnt> I have a centos 5.3 box acting as the openvpn server
18:46 < DarkAnt> and a windows 7 box acting as the client
18:46 < DarkAnt> they're both on the same lan
18:47 < DarkAnt> now the client is sending to the server
18:47 < DarkAnt> and I've captured those packets on the server
18:47 < DarkAnt> but the client is not connecting, I keep getting P_CONTROL_HARD_RESET_CLIENT_V2
18:48 < DarkAnt> I'll post the configs and logs:
18:48 < DarkAnt> server conf: http://pastebin.im/1599
18:50 < DarkAnt> client conf: http://pastebin.im/1600
18:51 < DarkAnt> client log: http://pastebin.im/1601
18:52 < DarkAnt> server log: http://pastebin.im/1602
18:57 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
18:58 < reiffert> be sure that you are on openvpn-2.1.1 and dont do openvpn when on the same lan (for the beginning)
18:59 < reiffert> when those two maschines are on the same lan.
18:59 < havoc> it can work, you just have to make sure you have the right metrics for the routes
18:59 < havoc> but if he can't get it working initially it's probably best not to be on same enet segment
19:00 < DarkAnt> ok
19:00 < reiffert> try with a simple setup, get insane later.
19:00 < havoc> my laptop stays connected to work and home no matter where I am, even if/when on same lan, it's nice :)
19:00 < havoc> yeah, what reiffert said :)
19:01 < DarkAnt> so don't be on the same lan, anything else that could make it simpler?
19:01 < DarkAnt> and update my version of openvpn
19:01 < havoc> don't muck about with DHCP or anything
19:01 < havoc> get keys made and vpn connections working
19:01 < havoc> and make sure firewalls allow everything to start for initial setup and testing
19:02 < DarkAnt> yeah, I'm mostly using the stock config files
19:02 < havoc> and yes, use latest versions of everything
19:02 < DarkAnt> ok
19:02 < havoc> just get it *working* first, then tweak
19:02 < DarkAnt> oh, I was trying to just get it to work
19:02 < DarkAnt> tweaking was later :P
19:03 < DarkAnt> if my firewall was rejecting, would I still be able to capture the packets via tcpdump?
19:04 < havoc> that depends on where tcpdump was running
19:05 < havoc> if it's behind the FW, then No. ;)
19:05 < DarkAnt> yeah, I'm not sure where it is. I'd assume it would be behind the firewall
19:05 < havoc> ecrist: so anyway, I'm trying win2k8r2 again, I have some ideas
19:05 < DarkAnt> I guess I could go test
19:05 < havoc> it'll either not work, or be an OMFG moment
19:05 < DarkAnt> ok, thanks guys :)
19:06 < havoc> DarkAnt: good luck :)
19:13 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
19:13 < theDoc> Morn' all.
19:14 < havoc> morning
19:16 < theDoc> Oh lord, lol.
19:16 < theDoc> http://i.imgur.com/68eug.jpg
19:18 < tjz> lol
19:19 < havoc> jesus fucking allah
19:19 < tjz> lol
19:19 < havoc> there's a good reason why I make every effort to avoid Humanity
19:21 < theDoc> I just lost more faith in humanity
19:21 < theDoc> lol
19:21 < havoc> I sincerely hope that's in jest, but I fear it's not as I've seen too many real examples of similar beliefs
19:21 < theDoc> Considering that the above was the FIRST thing I saw when I got onto digg.com this morning.
19:26 < rob0> Aww, that's hard to believe. Bible thumpers don't condone rape; they want the state to kill all accused murderers and rapists and robbers and drug vendors and users (and speeders, and jaywalkers ...)
19:29  * havoc considers Poe's Law
19:30 < DarkAnt> he's trolling
19:45 -!- Wired_Life [n=Chatzill@mgdb-4db8c302.pool.mediaWays.net] has joined ##openvpn
19:46 < Wired_Life> hello is that possible to see any host in openvpn client network?
19:48 < Wired_Life> route add clientnetwork mask 255.255.255.0 serverip @ server dont work
20:09 < freaky[t]> why does the moon not fall down to earth ;D
20:34 < Wired_Life> is there anywhere a good net to net how to ?
20:41 < krzee> !route
20:41 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
21:04 -!- pekster [n=pekster@c-76-113-143-76.hsd1.mn.comcast.net] has left ##openvpn [""""]
21:05 -!- Wired_Life1 [n=Chatzill@mgdb-4db8d279.pool.mediaWays.net] has joined ##openvpn
21:10 -!- Wired_Life [n=Chatzill@mgdb-4db8c302.pool.mediaWays.net] has quit [Read error: 60 (Operation timed out)]
21:56 < Wired_Life1> krzee is that possible to change from tap to tun with this config? http://pastebin.com/d1c14adae
22:21 -!- Wired_Life1 [n=Chatzill@mgdb-4db8d279.pool.mediaWays.net] has quit ["Und tschüss!"]
23:49 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
--- Day changed Fri Jan 15 2010
00:22 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit []
00:34 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
00:54 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
01:40 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit ["Leaving"]
02:08 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:10 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: ycy_, havoc, Intensity, alan`, stein0, disco-, Nappy, phusion__, tarbo2_, hobbsc,  (+26 more, use /NETSPLIT to show all of them)
02:10 -!- Netsplit over, joins: d12fk
02:12 -!- Netsplit over, joins: +Kas, mintaka, dazo_afk, drue, krzee, Rolybrau, Otacon22, havoc, phusion__, Intensity (+25 more)
02:14 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: cron2
02:15 -!- cron2 [n=gert@blue.greenie.muc.de] has joined ##openvpn
02:17 -!- sdh [n=steve@188.40.36.167] has quit [Read error: 104 (Connection reset by peer)]
02:18 -!- sdh [n=steve@steve.st] has joined ##openvpn
02:25 < tjz> split split split.. :(
02:27 < hyper_ch> join, join, join :)
02:40 < jmm> hi.
02:40 < reiffert> moin
02:43 -!- LowKey [i=rhel@unaffiliated/lowkey] has quit [Read error: 104 (Connection reset by peer)]
02:43 < reiffert> nen live ticker hats da auch irgendwo
02:43 -!- LowKey [i=rhel@72.20.37.172] has joined ##openvpn
02:43 < reiffert> http://live.24hseries.com/
02:43 < vpnHelper> Title: 24H Series - endurance racing : 24H Dubai 2010 Live (at live.24hseries.com)
02:43 < reiffert> ww
02:49 < hyper_ch> anyone uses here voip/sip?
02:55 -!- APTXderZweite [n=APTX@ks32603.kimsufi.com] has quit [Remote closed the connection]
02:57 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
02:58 -!- Rolybrau [n=Rolybrau@122-78.78-83.cust.bluewin.ch] has joined ##openvpn
03:06 -!- dazo_afk is now known as dazo
03:07 -!- master_of_master [i=master_o@p57B55175.dip.t-dialin.net] has joined ##openvpn
03:12 < krzee> hyper_ch, sure why?
03:14 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
03:15 < hyper_ch> krzee: well, I started now working as partner in a SME and it seems the current ISDN PBX must be completely replace... so I'm currently looking for other options to keep up the service we have now but lower the costs and VOIP/SIP seems interesting. However I do not have any experience with it :)
03:18 < hyper_ch> I don't even know what on the technical side would be required... right now there are 10 numbers in use and one of them is a fax machine... :)
03:19 -!- master_o1_master [n=master_o@p57B54C5B.dip.t-dialin.net] has quit [Success]
03:23 < dazo> hyper_ch:  an organisation I know about switched from PBX to VoIP.  They had an ISDN based PBX, and they still use it .... they just got some "modems" which takes the ISP connector and provides an ISDN plug
03:23 < dazo> From what I've heard, they seem to be happy ... they've been to that solution for a couple of years already
03:23 < hyper_ch> dazo: how big are they? We are currently 3 partners and 4 employees :)
03:23 < dazo> but they have a dedicated Internet connection to the ISP/Phone service vendor
03:24 < dazo> They're about 20-25 people
03:24 < dazo> (that dedicated connection was a part of a pretty decent offer they got)
03:27 < hyper_ch> dazo: can you ask them how much bandwidth they have on their dedicated line?
03:28 < dazo> hyper_ch:  I believe they have a 1 or 2Mbit connection ... it's nothing "beefy" ... but it's enough for phone
03:52 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
04:07 -!- cybertron [n=cybertro@84.200.248.176] has joined ##openvpn
04:07 < cybertron> hello, is it realy nesseccary that i install samba on my router to connect windows share in my internal lan?
04:08 < reiffert> cybertron: this is #openvpn. It's about openvpn.
04:10 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: help with OpenVPN for Ubuntu :: Reply by mwandelaar <http://www.ovpnforum.com/viewtopic.php?f=4&t=2402&p=2837#p2837>
04:11 < cybertron> reiffert: yes i know ;) i mean if i realy need smb von my router where i have installed openvpn
04:11 < cybertron> i will connect from win to win per openvpn and using win shares
04:11 < cybertron> will?Want
04:11 < cybertron> will=want
04:13 < cybertron> i only know the bridging way
04:23 < reiffert> I cant follow you.
04:23 < reiffert> why do you think that you need smb on your router?
04:27 < dazo> cybertron:  no, you don't need samba on the router ... you need to setup WINS and push the WINS server to the clients, then browsing should begin to work
04:28 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
04:29 < cybertron> dazo: thx thats what i mean :) 
04:29 < dazo> cybertron:  http://support.microsoft.com/kb/117633  ... this is the kind of topics you probably need to look for
04:29 < vpnHelper> Title: How browsing browsing over a multi-subnet TCPIP network works in a domain and in a workgroup (at support.microsoft.com)
04:29 < dazo> cool spelling error by MS ..... maybe they use Word? :-P
04:29 < reiffert> dazo: you dont need browsing for accessing one maschine from the other.
04:29 < cybertron> lol
04:29 < dazo> not spelling, but typing error
04:30 < cybertron> i just wanna have access to the shares 
04:30 < dazo> cybertron:  then you just go in and type the IP or hostname in Explorer ... and it should show up
04:30 < reiffert> cybertron: type this into windows explorer \\ip       and hit return
04:31 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
04:31 < cybertron> ok ok i c its like without vpn :)
04:32 < cybertron> but then when i need bridge net?
04:32 < dazo> cybertron:  when you need bridge?
04:32 < cybertron> yes
04:32 < dazo> very seldom, I'd say
04:32 < dazo> that's more when you want to "extend" two remote networks via VPN .... to look as they are on exactly the same network
04:33 < dazo> and where routing is not an alternative .... f.ex. if you use non TCP/IP based protocols .... AppleTalk, IPX, etc
04:33 < cybertron> yeah ok, so i read it in the openvpn doku that i need brdiging for windows shares
04:34 < cybertron> but gread if not so i can also use win2k as client for the net
04:34 < cybertron> gread=great
04:34 < reiffert> dazo: AppleTalk is working across tun quite well btw.
04:35 < reiffert> dazo: all you need is a zeroconf proxy like avahi-daemon
04:35 < reiffert> relaying the name resolution
04:35 < dazo> cybertron:  well, that's probably written before sub-network browsing really began to work .... and that before you could use IP addresses and DNS hostnames directly in the Explorer
04:35 < dazo> reiffert:  ahh ... I lived in a world where I thought AppleTalk was something different than TCP/IP 
04:35  * dazo stands corrected
04:36 < cybertron> dazo: k so its out of date :)
04:36 < dazo> cybertron:  in the old days, you had to have browsing work to be able to use windows share .... so yeah, pretty outdated .... Microsoft understood around the time of WinXP that they needed cross-subnet to work :-P
04:37 < cybertron> hey that would say that MS learns somthing...wtf.... :>
04:39 < reiffert> dazo: well basically it's name resolution on multicast, and zeroconf announcing services on every maschine.
04:39 < dazo> reiffert:  are you sure you meant AppleTalk, and not the file-sharing service? (AppleShare, or some of the "sub" parts)  .... 
04:39 < reiffert> dazo: where as filetransfer etc is tcp/ip and ipv6 wherever it is possible.
04:40 < dazo> http://en.wikipedia.org/wiki/AppleTalk
04:40 < vpnHelper> Title: AppleTalk - Wikipedia, the free encyclopedia (at en.wikipedia.org)
04:40 < reiffert> dazo: I'm sure.
04:40 < dazo> reiffert:  AppleTalk can also use the DDP protocol, which is Layer-3 traffic
04:41 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 104 (Connection reset by peer)]
04:42 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
04:42 < dazo> reiffert:  Apple just made it confusing, by calling all elements from Layer-3 to Layer-7  "AppleTalk"-something ... 
04:42 < reiffert> Despite the default networking on the Mac being TCP/IP, AppleTalk support was provided in Apple operating systems before the release of Mac OS X v10.6 for backward compatibility with many products.
04:42 < reiffert> provided but turned off in 10.5 and 10.4 by default.
04:43 < reiffert> Starting with Mac OS X v10.2, Bonjour (originally named Rendezvous) provides similar discovery and configuration services for TCP/IP-based networks. Bonjour is Apple's implementation of ZeroConf, which was written specifically to bring NBP's ease-of-use to the TCP/IP world. Mac OS X v10.5 was the last version of Mac OS X to support AppleTalk[1].
04:43 < reiffert> well, anyway, nobody is still on AppleTalk.
04:44 < reiffert> but you are right, it's naming hell as we spoke from totally different things.
04:45 < dazo> reiffert:  yeah :)
04:48 < dazo> on the otherhand, I didn't know that the Layer-3/4 support (probably) of the AppleTalk stack was abandoned ... but in today's world, standardising on TCP/IP is also not a bad move
04:48 < reiffert> :)
04:48 < reiffert> coming back to bridge vs tunnel: bridge solution doesnt have to fight 3rd party windows firewalls.
04:49 < dazo> reiffert:  how is it with bridge support in Windows actually?   It's never ever crossed my mind to check out if that could work ....
04:51 < reiffert> dazo: It works, but you dont have a single chance getting it to work when sitting remotely.
04:51 < dazo> ugh
04:52 < reiffert> dazo: choose two adapters, right click -> bridge them
04:52 < reiffert> dazo: thats where you loose the remote connection. bridge no ip.
04:53 < dazo> reiffert:  I see ... well, technically speaking, it's the same issue in Linux, if you're moving from non-bridged to bridged setup .... but if you have defined a bridge with only ethX ... then you can modify it on the fly
04:53 < dazo> only one ethX, I meant
04:54 < reiffert> or run shell scripts with a scheduler, job system, etc.
04:54 < dazo> true
04:54 < dazo> reiffert:  bridging works on all Win (newer) boxes?
04:55 < reiffert> dazo: it worked for XP, no idea about later windows.
04:55 < dazo> good to know :)
04:55 < dazo> thx!
05:15 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
05:15 -!- mode/##openvpn [+o mattock] by ChanServ
05:20 < reiffert> Hi mattock
05:20 <@mattock> hi reiffert
05:20 < reiffert> Any unexpecting news on the progress? ;)
05:26 <@mattock> no, not really. I'm drawing process flow diagrams. Idea is to help communicate the possible future development processes. An enhanced version of the current process is already finished:  http://users.utu.fi/sjsepp/openvpn/process_contributing_to_openvpn.png
05:27 <@mattock> I'll do a few more so we can discuss which is best and what modifications are required
05:31 < dazo> mattock:  the "Developer" segment .... that's people doing patch reviews?
05:32 <@mattock> yep
05:32  * dazo asks ... because a contributor is also a developer
05:33 < dazo> "is" is probably too strong, but most often it is a developer
05:33 <@mattock> dazo: true, perhaps it should be "Contributor/Developer" -> "Developers (incl. James)" for clarity
05:34 < dazo> mattock:  I'd probably use the wording "Patch reviewer (incl. James)" in that segment ... and "Patch contributor" on the first one
05:34 <@mattock> patch author perhaps?
05:35 < dazo> patches is to say indirectly development ... but it can also include fixes to man pages, readme files, etc ... which is not "development"
05:35 < dazo> mattock:  yeah, patch author can work
05:36 <@mattock> ok, now it's updated
05:36 < trap_> i need a vpn provider which has the choice of thousands and thousands of dynamic ips in the us to choose from ...any ideas? i need to be able to route all my traffic through it 
05:37 <@mattock> dazo: I'll create a modified version where James is not the bottleneck
05:39 < dazo> mattock:  actually, this will not necessarily make James such a "bottleneck" .... because when it comes to deciding what hits the final releases, you need someone who decides ... but with such a model, it is possible to let the patch reviewers keep all dialogue with the contributor ... and when it's ready for inclusion, those patches can be queued up for James
05:40 <@mattock> in fact, one important step is missing from diagram I drew... signing the contributor agreement
05:40 < dazo> mattock:  http://whygitisbetterthanx.com/images/workflow-c.png  ... this is kind of the workflow, I do see beneficial now
05:40 <@mattock> unfortunately we need that
05:40 <@mattock> dazo: I'll take a look at that
05:40 < dazo> mattock:  why?
05:40 < dazo> mattock:  why do you need such an agreement?  It'
05:40 -!- mikkel [n=mikkel@84.238.113.66] has joined ##openvpn
05:40 < dazo> it's GPLv2, isn't it?
05:41 <@mattock> dazo: we sell "commercial" licenses under a proprietary license...
05:42 <@mattock> so we need the copyright to the whole codebase... fortunately the contributor agreement is the best I've seen so far. We guarantee that the contribution is released under an OSS license
05:42 < dazo> mattock:  well, but the source code to OpenVPN is GPLv2 ... whatever changes you put into there, needs to be made available, at minimum on request .... that's already covered by GPLv2
05:43 <@mattock> I'm not a fan of contributor agreements myself and would love to get rid of it
05:43 < dazo> mattock:  such an agreement will just kill interest for OpenVPN and encourage a fork
05:43 < dazo> interest for contributing to OpenVPN, that is
05:45 <@mattock> dazo: agreed, a contributor agreement is a bad idea. Do you know if earlier contributors have signed contributor agreements?
05:45 <@mattock> because if they didn't, I don't see much value in forcing people to sign them now
05:45 < dazo> mattock:  I know I have not .... and James have accepted two of my patches (bug fixes), which went into the v2.1.0 and v2.1.1
05:46 < dazo> mattock:  I don't know about others, tbh ... Alon Bar-Lev seem to have gotten more patches in
05:46 <@mattock> dazo: I need to check this out, too... I've discussed this issue with Francis and he wants contributor agreements. However, he has not told why, even though I've asked.
05:47 <@mattock> I understand the need for having the copyright to the whole codebase, but if it's already "contaminated" with code not from us, then... what's the point?
05:48 < dazo> mattock:  based on histories going here about Francis .... he seem to talk warmly about OSS ... but he wants to control it like it is proprietary ... he really do not have any high scores or trust in the community nowadays
05:48 <@mattock> dazo: that's my feeling, too... he comes from such a different background than, say, me or you
05:48 <@mattock> and different priorities
05:48 <@mattock> I guess I'm the balancing force, "the other public face of the company"
05:49 < dazo> mattock:  According to the GPL licenses ... the contributor keeps the copyright.  BUT!  The GPL license states that changes provided under GPL must be available in source code, and it cannot be withdrawn without a common consensus to all who have contributed to the source
05:50 < dazo> mattock:  the GPL license protects both the author, the one implementing code and the one using the source .... to be sure the code is free and available for anyone, without any restrictions (other than it must still be GPL)
05:51 <@mattock> dazo: true. So, if we've included patches without forcing the authors to waive their copyrights, then we don't have the right to publish the code under any other license than GPLv2
05:51 < dazo> mattock:  exactly
05:52 <@mattock> if we _do_ hold the copyright to the whole code then we can do whatever we want...
05:53 <@mattock> dazo: I think I got to take a deeper look at the previous contributors and inform Francis about this
05:53 <@mattock> personally I'd like to see that OpenVPN is full of stuff not under our copyright... that'd make the contributor agreement unnecessary 
05:53 < dazo> mattock:  Also read GPLv2 license .... it's not in a difficult language ... and it's quite a lot you can learn from it as well ....
05:53 <@mattock> and would not hurt the community
05:54 < dazo> http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
05:54 <@mattock> dazo: yep, I've read it several times :)
05:54 < dazo> :)
05:54 < dazo> mattock:  even better ... make Francis read it to
05:54 <@mattock> dazo: I'll provide him with a link, but give a brief overview of the problem
05:54 <@mattock> I need some real data to back up my claims, though
05:55 < dazo> mattock:  understood
05:55 <@mattock> meaning SVN logs, mailing list posts etc.
05:55 <@mattock> and I think I'll talk to James, too, he knows how many patches have been included
05:55 < dazo> mattock:  but if a contributor agreement comes .... I know, I'd rather support a fork of OpenVPN which is *really* open 
05:56 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
05:58 < hyper_ch> mattock: you can still publish it under gplv3
06:00 <@mattock> dazo: I'll make sure Francis knows this. I've spoken of the risk of a fork earlier with ihm
06:00 <@mattock> him
06:01 <@mattock> dazo: in fact, I think Francis is just misinformed about the status of copyright issues in OpenVPN 
06:01 <@mattock> I'll let him know the status and the problems involved in using "Contributor agreements"
06:03 -!- trap_ [n=trap@host86-162-65-239.range86-162.btcentralplus.com] has quit [Read error: 113 (No route to host)]
06:03 < hyper_ch> mattock: who is in charge of the openvpn website?
06:04 < hyper_ch> because of:  Copyright © 2002-2006 by Telethra, Inc.
06:04 <@mattock> hyper_ch: I'm not exactly sure. There's a guy who responsible for technical maintenance, but beyond that I'm not sure
06:05 -!- __trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
06:05 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 104 (Connection reset by peer)]
06:05 -!- __trine is now known as _trine
06:05 <@mattock> hyper_ch: telethra seems to be company in Pleasanton, CA... the same city as OpenVPN Technologies, Inc.
06:06 < hyper_ch> I was rather referring to the  before the copyright sign :)
06:06 <@mattock> hyper_ch: ok :)
06:08 <@mattock> another slightly modified (and more open) process here: http://users.utu.fi/sjsepp/openvpn/process_contributing_to_openvpn_2.png
06:09 <@mattock> I'll make one which includes a bug tracker
06:15 <@mattock> dazo: what do you think of a hybrid patch merge model, where bugfix patches are attached to a bug report (in a tracker), whereas others are sent to openvpn-devel?
06:16 <@mattock> or should all patches be sent to the list (e.g. with tracker item ID)
06:18 <@mattock> some sort of tracker<->email bridge would probably be needed in any case (as you suggested earlier?)
06:19 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
06:22 < havoc> bah
06:22  * havoc installs win2k8 yet again
06:29 < reiffert> mattock: are there any other developers supposed getting svn commit rights or will it stay at James?
06:30 < havoc> reiffert: morning
06:30 < reiffert> Hi
06:31 <@mattock> reiffert: At first it's probably best that only James commits. Later on I think it makes sense to grant write access to a few trusted core developers
06:32 <@mattock> when a good development team has formed
06:36 < reiffert> Are you going to create a time schedule for this?
06:47 <@mattock> reiffert: perhaps later on... I think we should first see how the modified development model works. If there are already competent developers who James trusts, then I see no point in delaying giving them write access. But that's ultimately up to James
06:58 < dazo> hyper_ch:  if I recall history right .... the copyrights went to Telethra Inc and then to OpenVPN Technology Inc ... most places in the code .... it happened between 2.1_rc12 and rc16, iirc ... And I believe it happened some organisational changes as well at that time
07:00 < dazo> mattock:  If using both openvpn-devel and a bug tracker to track patches .... if they are not synchronised, patches will be missed in the long run
07:01 < hyper_ch> dazo: I was asking becuase of:   ©
07:02 < dazo> mattock:  and then you'll have a case where some is reported only one place, or both places ... that's rather chaotic ... if they are synchronised somehow, then you'll find them both places, and the submitter can use what's convenient for the user
07:02 <@mattock> dazo: agreed
07:03 < dazo> hyper_ch:  yeah, but despite having (C) ... that is not in contrast to GPL .... GPL actually requires a contributor of or to a source file to keep his/hers copyrights
07:03 < ecrist> good morning
07:03 <@mattock> and we definitely need a bug tracker... 
07:03 <@mattock> good morning, ecrist
07:04 < dazo> g'afternoon!
07:06 < hyper_ch> dazo: I mean the "Â" before the copyright --> type error
07:07 < dazo> ahh ... I thought that was a buggy IRC client :-P
07:12 < hyper_ch> :)
07:13 -!- ribasushi [n=rabbit@dslb-084-063-044-135.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)]
07:14 -!- ribasushi [n=rabbit@dslb-084-063-002-197.pools.arcor-ip.net] has joined ##openvpn
07:26 <@mattock> hyper_ch: you can send mail to frank at openvpn about the typo
07:27 -!- phusion__ [i=phusion@88.80.16.38] has quit [Read error: 60 (Operation timed out)]
07:29 -!- phusion__ [i=phusion@88.80.16.38] has joined ##openvpn
07:29 -!- xeviox [n=NEBAP@p5497876D.dip0.t-ipconnect.de] has joined ##openvpn
07:30 < xeviox> !welcome
07:30 < vpnHelper> xeviox: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:31 < xeviox> is "don't use 192.168.1.0/24 ..." for the local addresses in a lan?
07:31 < xeviox> !route
07:31 < vpnHelper> xeviox: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:34 < xeviox> the problem is that our company ips are in this structure (192.168.0.x)
07:34 < xeviox> now I've tried to establish a connection from a client in the LAN to the server
07:35 < xeviox> connection works fine (no errors)
07:35 < xeviox> but I'm not able to ping anything (not the 10.8.0.1 and no part of the LAN)
07:35 < xeviox> there is no firewall involved ..
07:36 < xeviox> but maybe thats a logic error when trying to connect from the lan itself, but I'm not sure ..
07:36 < jmm> xeviox: show us your config files, and logs.
07:36 < xeviox> k, one second
07:36 < jmm> no hurry.
07:39 < xeviox> jmm: this is the server side: http://pastebin.com/d7458f02e
07:41 -!- dazo [n=dazo@nat/redhat/x-hjlzmengnirgaqjc] has quit [Read error: 54 (Connection reset by peer)]
07:41 < xeviox> jmm: this is the client side (there is no log  ?!?): http://pastebin.com/d174bc5bd
07:44 -!- dazo [n=dazo@nat/redhat/x-lshoztazovndqxix] has joined ##openvpn
07:44 -!- dazo is now known as Guest60666
07:45 < xeviox> any ideas?
07:45 < jmm> not yet, but I'm thinking about it !
07:45 < jmm> :)
07:45 < xeviox> kk thank you :)
07:45 -!- Guest60666 is now known as dazo
07:51 < xeviox> maybe the problem is caused by my lan internal test?
07:51 < jmm> maybe,what's that lan test ?
07:51 < xeviox> that the route breaks when the client trys to add another route 192.168.0.x?
07:52 < xeviox> I mean because I try to establish a connection from the lan itself
07:52 < ecrist> xeviox: you must change your IPs if there is a conflict
07:53 < xeviox> the lan in our company our like "192.168.0.x"
07:53 < xeviox> I tried to establish the connection from a workstation in the lan to the server in the lan
07:53 < jmm> xeviox: did you checked your firewall rules ? if openvpn port is allowed from client to server ?
07:53 -!- ycy_ [n=mb@Noise.CS.UCLA.EDU] has left ##openvpn []
07:53 < jmm> hi ecrist .
07:54 < xeviox> the firewall is disabled on client and server
07:55 < ecrist> xeviox: if you have clients connecting from the 192.168.0.0/24 network as their LAN, you will break their connections with your pushed route
07:55 < xeviox> k, so that seems to be the problem
07:55 < xeviox> ecrist: thanks :)
07:55 < ecrist> also, you cannot reliably connect to a vpn server on the same lan if it's pushing routes for that lan
07:55 < xeviox> so I have to try from an outside connection
07:55 < ecrist> yes
07:55 < xeviox> k
07:55 < ecrist> change your company IPs
07:56 < ecrist> I would suggest the 10.0/24 range
07:56 < xeviox> I think that's a problem :(
07:56 < xeviox> but maybe we can do that when we get some new workstations ..
07:56 < ecrist> why is it a problem?
07:56 < xeviox> for now the connection should work when the clients ip (at home) has a ip different from "192.168.0.x" right?
07:57 < ecrist> yes
07:57 < xeviox> ecrist: to much work for now (have to change both server, dhcp, router ..)
07:57 < ecrist> *shrug* your decision
07:57 < ecrist> I'm just telling you what will/won't work.
07:57 < jmm> I maybe wrong, but why not just changing the route to be pushed ?
07:58 < jmm> just stop pushin 192.168.0.0 route.
07:58 < ecrist> jmm: he would have to change that route and those of the LAN
07:58 < jmm> why changing lan routes ?
07:58 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit [Remote closed the connection]
08:05 < xeviox> when I stop pushing that route it may work for the local test?
08:05 < ecrist> jmm: do you understand routing?
08:05 < endre> use netmap guys if you have overlapping ip subnets
08:06 < xeviox> if it does, I will test it locally with disabled push and then enable the push for the remote test ..
08:06 < endre> not a perfect solution but will work
08:06 < ecrist> what is netmap?
08:07 < xeviox> ecrist: do you think the test will work if I disablet the route push?
08:07 < jmm> ecrist: I do.
08:07 < xeviox> *disable
08:08 < jmm> ecrist: I may have misunderstood something, but i thinked since his 2 computers are on same lan, just stop pushing lan route would be good.
08:08 < ecrist> xeviox: you will be able to ping 10.8 subnet, but not your office lan
08:08 < ecrist> jmm: he's only on the same lan for testing
08:08 < jmm> now I may not know something about routing, that force use of an unknown route to me.
08:08 < jmm> ecrist: ah.
08:09 < xeviox> ecrist: k, thats worth a try :), I think I will test that, and if it works it should work with a different net on the remote clients ..
08:11 < xeviox> so, I've commented the line with the "push .." let's see what happens :D
08:12 < xeviox> I've also encountered another problem, the gui client for windows does always throw an error "Could not open the server.log for writing ..." even when I open it as administrator ..
08:12 < xeviox> yeah baby
08:12 < xeviox> ping for 1.8.0.1 works :D
08:13 < xeviox> also the local adresses work (192.168.0.x) but maybe they are not send through the tunnel, anything how to check that?
08:14 < jmm> check with route -n
08:14 < ecrist> without the push route, they won't be sent through tunnel
08:15 < xeviox> yep seems not to be tunneled .. ^^
08:16 < xeviox> thank you guys :D
08:19 < xeviox> what do I have to install on the client? The network adapter and the -client....?
08:19 < xeviox> or do I need something extra?
08:19 < xeviox> like the rsa stuff?
08:19 < ecrist> nope
08:19 < ecrist> just openvpn and the config
08:20 < xeviox> cool
08:20 < xeviox> puh
08:20 < xeviox> I really hope that will work from home ;)
08:20 < xeviox> I try for month to enable a vpn connection to our company
08:20 < jmm> xeviox: the client need the keys too.
08:20 < xeviox> first solution with our symantec firewall didn't work because of the missing client (couldn' find any)
08:21 < jmm> vpnpabst.{crt,key}
08:21 < ecrist> yes, the client ssl certificate and key
08:21 < xeviox> k
08:21 < xeviox> thank you
08:21 < jmm> yw.
08:21 < xeviox> I put everything together on a stick :D
08:22 < xeviox> the second solution didn't work because the firewall wasn't able to forward the GRE protocolls vor ipsec or pptp
08:22 < xeviox> so I really hope this one will correctly work with our firewall / lan :D
08:22 -!- reiffert [n=thomas@mail.webersheim.de] has left ##openvpn []
08:22 < xeviox> at first I tried to setup it in bridge mode, but that messed up the hole lan (clients couldn't reach the internet)
08:23 < xeviox> so I hope the routing will be enough to get a connection to the servers :D
08:23 < ecrist> that's likely because of your conflicting address space
08:23 < xeviox> ?
08:23 < xeviox> in the lan?
08:23 < ecrist> between lan and clients
08:24 < xeviox> I've done everything like in the howto, I added a bridge over both networks on the win2k3 server
08:24 < xeviox> and then enabled a static ip
08:24 < xeviox> server worked fine after that (could reach each client and the internet)
08:24 < ecrist> you really need to change your office ips to get a fully working vpn
08:25 < xeviox> but the client couldn't reach the internet any more..
08:25 < xeviox> ecrist: why? When I establish from home where the local ips are like "178.168.0.x" will there be a problem now?
08:25 < ecrist> you have 178.168 addresses at home?
08:26 < xeviox> ah sorry, I messed up, i think "168.178.0.x"
08:26 < ecrist> you own that address space?
08:27 < ecrist> according to ARIN, that address space is owned by the State of Utah
08:27 < xeviox>  ?!? no, I think this is the default space in fritz!box config
08:27 < xeviox> ^^
08:27 < ecrist> that would be 192.168.0.0
08:27 < ecrist> which is the same as your office lan
08:27 < ecrist> nevermind, I give up.
08:28 < xeviox> then it's maybe 192.178...
08:28 < xeviox> there is a 178 somewhere ^^
08:28 < ecrist> if you want a problem-free vpn, you need to change your office lan
08:28 < xeviox> but why?
08:28 < ecrist> BECAUSE THEY CONFLICT
08:28 < ecrist> that's why your clients lose internet
08:28 < xeviox> I thought the problem is only caused by giving client and server the same space, right?
08:29 < ecrist> that's why I had you remove the push route
08:29 < xeviox> the clients in the lan (at work) just lost internet when I enabled the network bridge on the server
08:29 < xeviox> ah k
08:30 < xeviox> sorry, I think you missunderstand me, the broken internet was a problem IN the LAN at work
08:30 < xeviox> has nothing to do with the vpn
08:30 < ecrist> whatever
08:30 < xeviox> the problem was caused by the bridging of the network adapters
08:31 < xeviox> but you're right, I have to change the ips to avoid problems with some home networks (because of same network space)
08:35 < xeviox> and I really have to forward that single port through the firewall??
08:35 < xeviox> no GRE protocols or something else?
08:44 < xeviox> is it possible to avoid the route push manually on the client?
08:45 < jmm> I'm not sure about what you mean.
08:45 < jmm> it's the word manually that I don't get.
08:45 < xeviox> ah ok
08:46 < xeviox> if the push is enabled on the server
08:46 < xeviox> is it possible to let the client know to not use this push?
08:46 < jmm> oh I get it.
08:46 < jmm> I think it's possible, I saw some option I think.
08:47 < xeviox> because then I maybe can disable the route for clients that may have conflicts with the route and setup up some single routes to the servers (if that is possible)
08:48 < jmm> you can configure which route are pushed or not to client if you use ccd.
08:48 < Bushmills> xeviox: you can push selectively
08:48 < Bushmills> !ccd
08:48 < vpnHelper> Bushmills: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
08:48 < jmm> Bushmills: heh :)
08:49 < xeviox> Bushmills: does that enable the client to deny the server push?
08:50 < jmm> xeviox: no.
08:50 < Bushmills> no. it is an inclusive feature, not an exclusive one
08:50 < xeviox> hmm
08:50 < jmm> it allow to choose which route are pushed on which clients.
08:50 < jmm> ( not just routes btw ).
08:50 < ecrist> xeviox: just change your damn ips
08:50 < xeviox> I'm searching for an option to disable the server push on the client and add some other routes instead of the server push
08:51 < ecrist> the time you've spent in here could have change the ips.
08:51 < xeviox> ecrist: like I've set I couldn't simply change the office ips
08:53 < xeviox> so, like I understand the problem that is caused by the "wrong" ips, it can simply be knocked out by using just single routes to the servers if the clients ip range is in conflict with the one of the server
08:54 < xeviox> but that means
08:54 < xeviox> that I need a way to tell the client if it should use the server push (which adds the route for the hole net) or if it should use some single routes. But not depending on the client
08:55 < xeviox> depending on the network were the client is at the moment it wants to connect the server ..
08:56 < xeviox> would be no problem if there is an option like "disable server pushs" OR an option to setup the route in the client config
08:58 < xeviox> so maybe someone knows of a way to add the route in the client config?
09:00 < Bushmills> though you might be able to trick it. 
09:00 < Bushmills> you can change route command by parameter. possibly also to removing a route from ccd
09:01 < xeviox> hmmm
09:01 < xeviox> maybe I'll disable route push on the server and enter the routes on the client manually after successfull connection ..
09:02 < Bushmills> !ccd
09:02 < vpnHelper> Bushmills: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
09:02 < Bushmills> easier than doing it by hand
09:05 < xeviox> I've found a doc tellling me something about the "pull" option on the client
09:06 < xeviox> which seems to be needed when using the "push" on the server, right?
09:06 < Bushmills> there's a no-pull
09:07 < xeviox> aha :D
09:07 < xeviox> so using no-pull, the client will skip the server pushs?
09:08 < Bushmills> route-nopull might do that
09:09 < xeviox> route-nopull or route-no-pull?
09:09 < Bushmills> TMPIYF
09:09 < xeviox>  ???
09:10 < Bushmills> "the manual page is your friend"
09:10 < xeviox> kk thank you
09:10 < xeviox> maybe the german translation was from an older version (as it missed that)
09:15 < xeviox> k, just for info its "--route-no-pull" and the "--pull" option is still there ..
09:17 < xeviox> wow, so I can use parameters instead of config files to start openvpn ?!? cool, that opens the way for a nice and small gui to start the client :D
09:17 < xeviox> thank you all guys
09:18 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 60 (Operation timed out)]
09:18 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
09:19 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
09:23 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
09:24 -!- steelnwool [n=jeff@204-232-209-119.static.cloud-ips.com] has left ##openvpn []
09:30 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
09:31 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 54 (Connection reset by peer)]
09:31 -!- magic_1 [n=magic@41.123.156.25] has joined ##openvpn
09:35 < ecrist> krzee: any problems with the new changes to ssl-admin, or can I send them up to freebsd-ports?
09:43 -!- Zordrak_ [n=jaz@87-194-141-163.bethere.co.uk] has joined ##openvpn
09:47 -!- xeviox [n=NEBAP@p5497876D.dip0.t-ipconnect.de] has quit ["Nettalk6 - www.ntalk.de"]
09:49 -!- kit_ [n=chatzill@gw-65.bdo-it.com] has joined ##openvpn
09:50 -!- kit_ [n=chatzill@gw-65.bdo-it.com] has left ##openvpn []
09:50 -!- kit_ [n=chatzill@gw-65.bdo-it.com] has joined ##openvpn
09:52 < kit_> Hi, I just found how to run windows client as non-admin using patched openvpn (--win32-gui option added). I studied the path and it seem straight and easy to integrate the patch to me. Is there any reason to not include it in official relase?
09:57 < dazo> kit_:  you'll probably need to bring that discussion up on the mailing list .... it's no official openvpn developers here, thus difficult to answer you for us
09:57 -!- Zordrak [n=jaz@87-194-141-163.bethere.co.uk] has quit [Read error: 110 (Connection timed out)]
09:58 < kit_> dazo: thanks
09:59 -!- kit_ [n=chatzill@gw-65.bdo-it.com] has quit ["ChatZilla 0.9.85 [SeaMonkey 2.0.1/2009121000]"]
10:03 -!- Kasx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
10:03 -!- mode/##openvpn [+v Kasx] by ChanServ
10:04 -!- d12fk [n=heiko@vpn.astaro.de] has quit [Read error: 60 (Operation timed out)]
10:04 -!- d12fk [n=heiko@vpn.astaro.de] has joined ##openvpn
10:08 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 60 (Operation timed out)]
10:15 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 60 (Operation timed out)]
10:15 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
10:33 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
10:34 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
10:36 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
10:44 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
10:46 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
10:46 -!- mode/##openvpn [+o mattock] by ChanServ
11:06 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
11:07 -!- gazelle [n=luna@80-254-76-142.dynamic.swissvpn.net] has joined ##openvpn
11:09 -!- mikkel [n=mikkel@84.238.113.66] has quit ["Leaving"]
11:11 -!- hobbsc [n=zalgo@opensuse/member/hobbsc] has quit ["bad client, no donut"]
11:12 -!- dli [n=dli@dsl-69-172-118-139.acanac.net] has joined ##openvpn
11:12 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
11:13 < dli> is openvpn blocked in china?
11:14 < krzee> ecrist, its on my ca box at work, i got busy and couldnt test =[
11:14 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
11:14 < krzee> now today is my day off
11:15 -!- ius [n=thralas@2001:610:1908:8000:21f:c6ff:fe52:7e30] has joined ##openvpn
11:15 < ius> !welcome
11:15 < vpnHelper> ius: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:16 < ius> !topology
11:16 < vpnHelper> ius: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
11:17 -!- gazelle [n=luna@80-254-76-142.dynamic.swissvpn.net] has quit ["Lost terminal"]
11:19 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
11:29 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Remote closed the connection]
11:30 -!- MrRR [i=1856a0fc@gateway/web/freenode/x-rutsgnqoifynrumt] has joined ##openvpn
11:30 < MrRR> Am I on the wrong page here?  I'm trying to download OpenVPN but all I get are appliance downloads.  Is http://www.openvpn.net/ the correct web site?  Thanks in advance.
11:30 < vpnHelper> Title: Welcome to OpenVPN (at www.openvpn.net)
11:30 < krzee> !download
11:30 < vpnHelper> krzee: "download" is www.openvpn.net/download to download openvpn
11:31 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:31 < havoc> MrRR: you want the Community Software part of the site
11:31 < MrRR> There we go, it redirects here:  http://www.openvpn.net/index.php/open-source/downloads.html
11:31 < vpnHelper> Title: Downloads (at www.openvpn.net)
11:31 < MrRR> There doesn't seem to be a link to this page from the home page.
11:31 < MrRR> Thanks.
11:31 < MrRR> It's not obvious.
11:31 < havoc> MrRR: right at the top in the main nav bar
11:32 < MrRR> I'm having trouble getting users to try OpenVPN because they can't figure out how to download it either.  They end up asking me how to get the appliance server stuff to work in the way I've been telling them how good OpenVPN is.
11:32 < MrRR> There used to be a "Downloads" button that included OpenVPN.
11:32 < MrRR> I see the link now, but it's not obvious to people downloading.
11:33 < MrRR> havoc:  Are you in charge of the web site?  If so, I suggest adding a "Download OpenVPN" button somewhere on the page.  Calling it "Community Software" is really nice, but it's not intuitive.
11:34 < MrRR> I worry that a lot of people have looked elsewhere for other VPN solutions when they couldn't download OpenVPN and were presented with options that cost money.
11:34 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
11:34 < MrRR> I appreciate that the OpenVPN site owners are running a business, but I think this is a serious design problem with the web site.
11:35 < dazo> MrRR:  mattock, openvpn2009 and Kasx are working in OpenVPN Tech .... the rest is the community
11:35 -!- Section58 [n=steve@ipt0-2.core.bsd.uk.phib3r.net] has joined ##openvpn
11:41 <@openvpn2009> MrRR: your concern is noted.
11:41 < MrRR> Thanks!
11:41 < MrRR> I love this product, by the way.
11:41 -!- mode/##openvpn [+o Kasx] by openvpn2009
11:42 <@openvpn2009> We are glad you like it.
11:42 <@openvpn2009> :-)
11:42 < MrRR> I even link to it from here:  http://www.lumbercartel.ca/resources/security.pl#openvpn
11:42 < vpnHelper> Title: [LumberCartel.ca] Resources - Anti-Virus, Anti-SpyWare, and Security solutions (at www.lumbercartel.ca)
11:43 <@Kasx> Just a heads up, openvpn.net is the correct url ;-)
11:43 <@openvpn2009> Awesome!
11:44 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
11:45 < MrRR> Kasx:  Fixed.  Thanks for the pointer.
11:45 <@mattock> hi guys, do you know of anyone who has signed a "contributor agreement" for OpenVPN? Essentially giving away the copyright to their work when contributing to OpenVPN...
11:46 <@mattock> I'm trying to figure out the copyright owner status of OpenVPN
11:54 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:56 -!- MrRR [i=1856a0fc@gateway/web/freenode/x-rutsgnqoifynrumt] has left ##openvpn []
12:14 < havoc> I'm sorry, but if somone can't find the download link on openvpn.net then they probably aren't qualified to use openvpn
12:16 < dazo> havoc:  to put it another way .... to configure openvpn you need some basic knowledge, and if you can't find the software ................
12:25 < Section58> i wish i could say that to my clients
12:26 -!- kisom [n=kisom@c-9fdce155.648-1-64736c11.cust.bredbandsbolaget.se] has joined ##openvpn
12:26 < dazo> Section58:  you can always say that .... the question is more if it is clever :)
12:29 < havoc> anyway, I fought to keep my mouth shut while he was here ;)
12:31 -!- hagna [n=hagna@74-92-245-181-Utah.hfc.comcastbusiness.net] has joined ##openvpn
12:32 -!- hagna [n=hagna@74-92-245-181-Utah.hfc.comcastbusiness.net] has quit [Client Quit]
12:32 -!- hagna [n=hagna@74-92-245-181-Utah.hfc.comcastbusiness.net] has joined ##openvpn
12:36 < hagna> if kldload: can't load if_tap: No such file or directory how can I get a tap device?
12:37 < hagna> on freebsd
12:47 < ecrist> what version of freebsd?
12:51 -!- tommyd3mdi [n=tommyd@77-23-252-15-dynip.superkabel.de] has joined ##openvpn
12:52 < hyper_ch> I wonder, is it ok to post a new link about TSA security in here?
12:53 < tommyd3mdi> Hi guys! You guess it, I need your help! I'm getting an SSL handshake error when trying to setup an openvpn connection, similar to what has been reported here: http://openvpn.net/archive/openvpn-users/2004-12/msg00377.html
12:53 < vpnHelper> Title: [Openvpn-users] error=self signed certificate (at openvpn.net)
12:55 < tommyd3mdi> I roughly followed the installation instructions here http://dd-wrt.com/wiki/index.php/VPN_%28the_easy_way%29_v24+ and everything seems to be nice, but the connection drops server-side with this: http://pastebin.ca/1752660
12:55 < vpnHelper> Title: VPN (the easy way) v24+ - DD-WRT Wiki (at dd-wrt.com)
12:55 -!- dazo is now known as dazo_afk
12:56 < tommyd3mdi> and client-side with this: http://pastebin.ca/1752665
12:56 < hagna> ecrist 7.2
12:57 < tommyd3mdi> does this look like a firewall issue or rather a key issue?
12:58 < ecrist> unless you built a custom kernel, it's already there
12:58 < ecrist> ifconfig create tap0
12:58 < ecrist> or whatever
12:59 < hagna> I did ifconfig create tap0 and it says ifconfig: interface create does not exist
13:00 < ecrist> sorry, ifconfig tap0 create
13:00 < hagna> ooh
13:00 < hagna> yeah saw that
13:00 < hagna> ok that works
13:00 < ecrist> why were you trying to load the kernel module?
13:01 < hagna> it's what http://www.freebsddiary.org/openvpn.php said to do
13:01 < vpnHelper> Title: The FreeBSD Diary -- OpenVPN - getting it running (at www.freebsddiary.org)
13:03 -!- mithridates1 [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
13:03 < ecrist> lol
13:03 -!- Irssi: ##openvpn: Total of 93 nicks [3 ops, 0 halfops, 0 voices, 90 normal]
13:03 < mithridates1> hey guys
13:03 < mithridates1> I wanted to create more certificates
13:03 < mithridates1> but when I wanted to use them I got this error message :
13:03 < mithridates1> TLS Error: Unroutable control packet received from 76.76.15.203:1194 (si=3 op=P_CONTROL_V1)
13:04 < ecrist> hagna: he built that page sitting in here, talking to me and krzee. ;)
13:04 < hagna> haha that's funny
13:04 < ecrist> the link he says, 'For another view...' is my wiki page
13:05 -!- CrashSys [n=kumba@173.6.83.123] has joined ##openvpn
13:05 <@mattock> dazo_afk: are you there?
13:05 < ecrist> could be he built the article around freebsd 6, don't remember if if_tap was built in back then.
13:05 < CrashSys> Is there any benefit of 32 or 64 bit in terms of system load?
13:06 < hagna> freebsd is nice so far
13:06 < mithridates1> :O what the fuck is that? I searched the error and I found my ip address in pastebin http://pastebin.ca/raw/1734444
13:07 < ecrist> mithridates1: what are you talking about?
13:08 < mithridates1> I got an error , then I searched the line in google
13:08 < mithridates1> TLS Error: Unroutable control packet received from 76.76.15.203:1194 (si=3 op=P_CONTROL_V1)
13:08 < ecrist> you didn't know pastebin was indexed?
13:08 < mithridates1> I saw a log file in pastebin same as what I have in openvpn log file
13:09 < mithridates1> nevermind
13:09 < mithridates1> what do u think about the error message ecrist?
13:09 < ecrist> looks to me like it doesn't know how to route the packets
13:10 < ecrist> really can't do anything without full logs, though
13:10 < ius> Say I have a remote machine A with a /28 IP block assigned, and would like clients routed by machine B to be able to use these addresses. Is OpenVPN in bridging mode what I'm looking for?
13:10 < ecrist> !logs
13:10 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
13:10 < mithridates1> ok
13:11 < ecrist> mithridates1: start here: http://www.go2linux.org/troubleshooting-openvpn
13:11 < vpnHelper> Title: TLS Error: Unroutable control packet received and Connection refused (code=111) | Linux Operating System - Debian, Ubuntu, Fedora, Gentoo, Arch (at www.go2linux.org)
13:11 < mithridates1> ok tnx
13:11 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
13:12 < ecrist> mattock: dazo isn't usually around this time of day, as I recall
13:12 < ecrist> mattock: http://www.secure-computing.net/logs/openvpn_page_2.html  #5 is dazo
13:13 < vpnHelper> Title: ##openvpn stats from ecrist! - Detailed info (at www.secure-computing.net)
13:13 < ecrist> historicaly, he drops off about an hour ago and isn't heard from again.
13:13 <@mattock> ecrist: thank, I thought so... I think he's in Czech republic or something. I'm not usually around this time either
13:13 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
13:14 <@mattock> ecrist: wow, that's one cool-looking IRC statistics page :)
13:14 < ecrist> http://secure-computing.net/openvpn.php
13:14 < vpnHelper> Title: SCN: ##openvpn Policy (at secure-computing.net)
13:14 < ecrist> for information, other stats pages there.
13:14 < ecrist> you're looking at page 2 of 'all time' stats
13:16 < krzee> ya that stats page is cool
13:17 < krzee> you're full of cool stuff you've made eric
13:17  * krzee <3 !factoids page
13:17 < mithridates1> ecrist: http://pastebin.ca/1752690 I uploaded both logs, server side and client side
13:17 <@mattock> I'll add this to my bookmarks, it's not only cool, but also quite useful :)
13:17 < hyper_ch> krzee: you're from the US?
13:17 < krzee> hyper_ch, orig i am
13:17 < hyper_ch> krzee: new TSA security measure: http://www.youtube.com/watch?v=4ajNpR6bmes
13:17 < vpnHelper> Title: YouTube - TSA Training Video - Hug A Jew (at www.youtube.com)
13:18 < ecrist> mattock: the factoids page may be useful to you, as well
13:18 < ecrist> !factoids
13:18 < vpnHelper> ecrist: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
13:19 <@mattock> ecrist: thanks!
13:20 < krzee> lol hyper_ch 
13:20 < mithridates1> would you plz have a look on my log file ? http://pastebin.ca/1752690
13:20 < hyper_ch> krzee: what woman made you leave the US?
13:20 < ecrist> mithridates1: did you see the link I posted to you?
13:20 < mithridates1> yes
13:20 < mithridates1> but I don't think so that it is the problem
13:21 < ecrist> why not?
13:21 < krzee> mithridates1, the 'women' in washington dc
13:21 < mithridates1> because with the other certificate I can connect in the same system
13:21 < krzee> i dont agree with them, so i left
13:21 < krzee> i still vote tho
13:21 < hyper_ch> krzee: where are you located now? Canada? England? Down Under?
13:22 < krzee> tropical island
13:22 < krzee> =]
13:22 < havoc> bastard!
13:22 < havoc> nm, I like *cold*, not heat
13:23 < mithridates1> havoc: that's wrong command, you should type !bastard
13:23 < hyper_ch> working all day at the beach with a notebook?
13:23 < hyper_ch> having some nice drinks while working
13:23 < hyper_ch> get sometimes a bath to cool down$
13:23 < havoc> s/beach/bar/
13:23 < hyper_ch> :)
13:23 < havoc> dark bar
13:23 < havoc> w/ food
13:24 < krzee> mithridates1, what verb are you using? can you increase to 5
13:24 < mithridates1> aah
13:24 < mithridates1> ok
13:24 < mithridates1> sure
13:24 < mithridates1> I use 3
13:24  * havoc uses verb 3 as well, when not debugging
13:31 < mithridates1> ecrist: same error
13:32 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
13:32 < CrashSys> Anyone know of a java-based openvpn client that I can launch within a web page?
13:32 < ecrist> I do not know of one, CrashSys 
13:34 < CrashSys> Any difference between 32 or 64 bit for scaling/system-load?
13:34 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 60 (Operation timed out)]
13:35 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
13:42 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)]
13:43 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
13:47 -!- tommyd3mdi [n=tommyd@77-23-252-15-dynip.superkabel.de] has quit []
13:50 < CrashSys> ANyone got any links on how to seed an openvpn client download? I want to make a php webpage that a client put in their user/pass, and it seeds a client and lets them download it
13:51 < hyper_ch> CrashSys: what do you mean by seeding a client?
13:53 < CrashSys> they download openvpn-client-special.exe... then they just click it, it runs, they are connected
13:53 < CrashSys> no config files, etc, for the end user to mess with
13:54 < hyper_ch> and linux clients?
13:54 < CrashSys> These are all window clients
13:54 < hyper_ch> somehow I don't think you can establish a vpned connection as non-privileged user
13:54 < hyper_ch> but that's just me
13:55 < CrashSys> I'm trying to address the 95% of the end user base I will have. The other 5% will have to edit config files.
13:57 -!- chilicuil [n=sistemas@189.191.135.77] has joined ##openvpn
14:01 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
14:01 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)]
14:03 < hagna> so my goal is to setup in freebsd what I've setup in linux and that is a bridged tap interface where the tap is connected via p2p tunnel to a openvpn remote
14:04 < hagna> so I've got A -> FreeBSD --(openvpn tap)--> L
14:05  * hyper_ch heard that p2p is evil
14:05 < hagna> that's nice
14:05 < hagna> I'm only doing p2p because it's the most simple vpn config
14:06 < hagna> once this is working I could do some other configuration
14:06 < hyper_ch> I think I misunderstood :)
14:06 < hagna> oh p2p hehe
14:14 < hagna> on FreeBSD tcpdump -i tap0 shows ping requests from A, but none get answered 
14:14 < hagna> ping requests to L that is
14:14 < hyper_ch> firewall problems?
14:15 < hyper_ch> routing problems?
14:15 < hagna> problems
14:15 < hagna> for sure
14:15 < hyper_ch> at least I was half-rigth :)
14:15 < hagna> my guess is routing because firewall is off (pfctl -d)
14:16 < hyper_ch> but I was told for years that I can't go into the internet without firewall
14:16 < hyper_ch> otherwise evil people will hack my computer :)
14:17 < hagna> p2p users?
14:21 < hagna> BTW it was routing woot
14:21 < CrashSys> can I put the keys in the actual ovpn file or do I have to link to an external file?
14:22 < hagna> mithridates1, terrance this is stupid stuff ... is you nick from this http://www.bartleby.com/123/62.html ?
14:22 < vpnHelper> Title: LXII. Terence, this is stupid stuff. Housman, A. E. 1896. A Shropshire Lad (at www.bartleby.com)
14:23 < hagna> vpnHelper, thanks
14:23 < vpnHelper> hagna: Error: "thanks" is not a valid command.
14:24 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn
14:30 -!- chilicuil [n=sistemas@189.191.135.77] has quit [Connection reset by peer]
14:30 -!- CrashSys [n=kumba@173.6.83.123] has quit [Read error: 60 (Operation timed out)]
14:57 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
14:59 -!- chilicuil [n=sistemas@189.191.134.144] has joined ##openvpn
15:28 -!- chilicuil1 [n=sistemas@189.191.134.144] has joined ##openvpn
15:28 -!- chilicuil [n=sistemas@189.191.134.144] has quit [Read error: 104 (Connection reset by peer)]
15:29 -!- chilicuil [n=sistemas@189.191.134.144] has joined ##openvpn
15:29 -!- chilicuil [n=sistemas@189.191.134.144] has quit [Read error: 104 (Connection reset by peer)]
15:30 -!- chilicuil2 [n=sistemas@189.191.134.144] has joined ##openvpn
15:31 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit [Read error: 110 (Connection timed out)]
15:33 -!- mithridates1 [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit ["Leaving."]
15:45 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"]
15:45 -!- chilicuil1 [n=sistemas@189.191.134.144] has quit [Connection timed out]
15:49 < ius> Say I have an OpenVPN server with a /28 block of IPs. Should I use bridging mode with DHCP instead of routing in order to assign the /28 range to clients and forward traffic?
15:50 < rob0> not unless you need bridging
15:50 < rob0> !topology
15:50 < vpnHelper> rob0: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
15:51 < ius> Well, I'd like a set of virtualized clients to be assigned addresses from the /28 pool..
15:52 < ius> With as few configuration as possible on the client side. Transparent would be the ultimate solution, ie. assign IPs via DHCP to those clients (VMware allows me to bridge their network connectivity to a network interface)
15:53 < ius> As far as I understand the routing vs. bridging concept, I'd have to use bridging to achieve that?
15:53 < krzee> but you dont actually need dhcp
15:54 < krzee> rob0 pointed to !topology because with topology subnet and --server you can just assign ips from a pool
15:55 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit [Read error: 110 (Connection timed out)]
15:56 < rob0> A pool as small as /28 is tiny without   --topology subnet, limited to 3 clients
15:56 < ius> Hm I'm afraid I don't fully understand the topology concept, but I'm fairly certain it isn't exactly what I'm looking for.
15:59 -!- hagna [n=hagna@74-92-245-181-Utah.hfc.comcastbusiness.net] has quit [Read error: 110 (Connection timed out)]
15:59 -!- hagna [n=hagna@74-92-245-181-Utah.hfc.comcastbusiness.net] has joined ##openvpn
16:01 -!- hagna [n=hagna@74-92-245-181-Utah.hfc.comcastbusiness.net] has quit [Client Quit]
16:01 < ius> Or perhaps it is..
16:11 < ius> But if I do not want to run OpenVPN on the clients (they will be all on a 'local' bridge interface on server A) and still want to route traffic from each client via server B, I do need to use bridging mode in OpenVPN, right?
16:17 < Bushmills> a client which does not run openvpn is, in openvpn terms, not a client.
16:17 < Bushmills> it may have its traffic routed through another machine which is an openvpn client
16:17 < ius> I undertand, it's a little confusing indeed. Let's call A the (sole) client then
16:18 < Bushmills> but you need an openvpn client somewhere
16:19 < ius> That would be A in this case, B being the server.
16:20 < Bushmills> one client, one server
16:20 < ius> Correct
16:21 < Bushmills> that's a feasable configuration 
16:21 < Bushmills> :D
16:21 < ius> So rephrasing, if the OpenVPN server B has 16 IPs assigned which I'd like to be assigned to hosts 'behind' A, A being an OpenVPN client, would I need briging?
16:22 < ius> Hm the second assigned should read something like re-assigned, which still isn't entirely the right wording, but you get what I mean I guess
16:23 < Bushmills> if a host behind A pings one of the 16 server ip addresses, where should the packets go to?
16:24 < ius> Doesn't matter. They don't need to interact, all I want is for the 'outside world' to reach the 16 hosts behind A via the 16 IPs and vice versa
16:25 < Bushmills> an i try to look at an interfaces with a specific ip address from inside and outside look. after all that interface must be the same for both inside and outside, right? 
16:27 < Bushmills> oh well, don't worry. routing in internet is done by routers. what your server needs to be, essentially, is a router for those addresses.
16:27 < ius> Hm, not sure whether I entirely get what you're trying to say, but I do think so.
16:28 < ius> Given B has interfaces eth0:0 to eth0:15, I'd just like it to be as if those interfaces where on the hosts behind A. Just for IP, but if bridging is required that would add the network layer as well
16:29 < Bushmills> no. it won't have those
16:29 < Bushmills> because, in that case, the server has interfaces with the same addresses you want to assign to the clients
16:29 < ius> Yeah I get what you mean (and thats what I mean), B still has the interfaces assigned, but it needs to route the traffic
16:29 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit ["Leaving."]
16:30 < Bushmills> right, but it doesn't need to have an interface for each single address it want to route
16:30 < Bushmills> were you to do that, you'd rather look at SNAT on server
16:31 < Bushmills> that was, btw, what my ping question was relating to.
16:31 < ius> That's my current setup actually, each host behind A is an OpenVPN client to B, B SNAT'ing each client
16:32 < ius> But I'd like to eliminate the requirement of having to install OpenVPN on each and every client.
16:33 < ius> Whoops, I used client instead of host again
16:33 < Bushmills> you can hook up a patchkabel to the server, and a switch, and connect the clients to the switch
16:34 < Bushmills> no need for openvpn
16:34 < ius> The hosts are virtualized on A, so what VMware offers is a bridge interface which I can all connect them to
16:34 < ius> B is on WAN, not on LAN
16:35 < Bushmills> your packets are also routed by several routers to google.com without needing openvpn
16:36 < Bushmills> donc, it is a routing question. not an openvpn question
16:39 < ius> But, A and B being only connected via IP/LAN, I do need OpenVPN..
16:39 < ius> IP/WAN*
16:39 < ius> Perhaps I should draw a diagram
16:41 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: krzie, kisom, jaek_, balboah, bytesaber_, mrnice1, cybertron, plundra, Section58, magic_1,  (+1 more, use /NETSPLIT to show all of them)
16:42 -!- Netsplit over, joins: kisom
16:42 -!- Netsplit over, joins: cybertron
16:43 -!- Netsplit over, joins: phusion__
16:43 -!- Netsplit over, joins: plundra
16:43 -!- Netsplit over, joins: balboah
16:47 < ius> Bushmills: http://i45.tinypic.com/2vcdpas.png Does this clarify things?
16:47 < |Mike|> Afternoon :)
16:47 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: Optic, newmember, hyper_ch, krphop, Diffen
16:49 -!- hyper__ch [n=hyper_ch@91.121.147.34] has joined ##openvpn
16:53 -!- hyper__ch is now known as hyper_ch
16:53 -!- Netsplit over, joins: krphop
16:55 -!- magic_1 [n=magic@41.123.156.25] has joined ##openvpn
17:00 -!- jaek_ [n=jaek@c-71-202-163-230.hsd1.ca.comcast.net] has joined ##openvpn
17:07 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: buntfalke
17:09 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has quit ["Reconnecting"]
17:09 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn
17:12 -!- Netsplit over, joins: buntfalke
17:12 -!- _phusion__ [i=phusion@88.80.16.38] has joined ##openvpn
17:14 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: master_of_master, sno, DarkAnt, Holister, MrJK, tjz, zamba, le0
17:15 -!- sno_ [n=sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn
17:15 -!- DarkAnt_ [n=DarkAnt@24.63.224.114] has joined ##openvpn
17:15 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has quit ["Reconnecting"]
17:15 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: Intensity, stein0, jaek_, krphop, craver_, drue, Rolybrau, jfkw, hyper_ch, _dren,  (+8 more, use /NETSPLIT to show all of them)
17:18 -!- rob0 [n=rob0@tuxaloosa.org] has quit [Read error: 54 (Connection reset by peer)]
17:18 -!- sdh [n=steve@steve.st] has quit [Dead socket]
17:18 -!- phusion__ [i=phusion@88.80.16.38] has quit [Dead socket]
17:18 -!- bytesaber_ [n=bytesabe@208-98-188-95.directcom.com] has joined ##openvpn
17:18 -!- krzie [n=krzee@unaffiliated/krzee] has joined ##openvpn
17:18 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
17:19 -!- Netsplit over, joins: zamba
17:19 -!- zamba [i=marius@flage.org] has quit [Killed by ballard.freenode.net (Nick collision)]
17:19 -!- zamba [i=marius@flage.org] has joined ##openvpn
17:19 -!- tjz2 [n=tjz@bb116-15-75-62.singnet.com.sg] has joined ##openvpn
17:19 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn
17:19 -!- rob0_ [n=rob0@tuxaloosa.org] has joined ##openvpn
17:22 -!- DarkAnt_ is now known as DarkAnt
17:22 -!- sdh [n=steve@steve.st] has joined ##openvpn
17:22 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
17:22 -!- jaek_ [n=jaek@c-71-202-163-230.hsd1.ca.comcast.net] has joined ##openvpn
17:22 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn
17:22 -!- hyper_ch [n=hyper_ch@91.121.147.34] has joined ##openvpn
17:22 -!- plundra [i=404@article.se] has joined ##openvpn
17:22 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
17:22 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
17:22 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
17:22 -!- LowKey [i=rhel@unaffiliated/lowkey] has joined ##openvpn
17:22 -!- Intensity [i=[4twWOV+@unaffiliated/intensity] has joined ##openvpn
17:22 -!- stephenh [n=stephenh@94-23-158-103.kimsufi.com] has joined ##openvpn
17:22 -!- Gnewt [n=hackerle@li57-94.members.linode.com] has joined ##openvpn
17:22 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn
17:22 -!- crazygir [n=jason@unaffiliated/crazygir] has joined ##openvpn
17:22 -!- Cap_J_L_Picard [n=ewanm89@unaffiliated/ewanm89] has joined ##openvpn
17:22 -!- drue [n=drue@stiff.therub.org] has joined ##openvpn
17:22 -!- stein0 [n=stein@mail.vgnett.no] has joined ##openvpn
17:22 -!- tompaw [n=tompaw@slave20.tesserakt.eu] has joined ##openvpn
17:22 -!- _dren [i=dren@dereferenced.nullpointer.net] has joined ##openvpn
17:23 -!- Section58 [n=steve@ipt0-2.core.bsd.uk.phib3r.net] has joined ##openvpn
17:23 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
17:23 -!- Diffen [n=diffen2@c-ef75e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
17:23 -!- Optic [n=Optic@miso.capybara.org] has joined ##openvpn
17:23 -!- MrJK [n=jezu@194.199.166.96] has joined ##openvpn
17:23 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: Optic, newmember, MrJK, Section58, Diffen
17:24 -!- le0_ [n=itsle0@82.16.123.181] has joined ##openvpn
17:24 -!- |Mike|_ [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn
17:24 -!- dmarkey [n=dmarkey@dmarkey.xen.prgmr.com] has quit [Connection reset by peer]
17:24 -!- mintaka [n=kosmic@unaffiliated/spice] has quit [Connection reset by peer]
17:24 -!- master_o1_master [n=master_o@87.181.81.117] has joined ##openvpn
17:24 -!- |Mike|_ [i=mike@2001:1af8:2:444:0:0:0:2] has quit [Client Quit]
17:24 -!- mintaka [n=kosmic@thefuckin.net] has joined ##openvpn
17:24 -!- Holister [n=ryan@151.204.189.39] has joined ##openvpn
17:29 -!- zamba [i=marius@flage.org] has quit [Killed by ballard.freenode.net (ballard.freenode.net (zamba[i=marius@flage.org] Ghosted sagan.freenode.net))]
17:35 -!- zamba [i=marius@flage.org] has joined ##openvpn
17:35 -!- dmarkey [n=dmarkey@dmarkey.xen.prgmr.com] has joined ##openvpn
17:48 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: tjz2, krzie, bytesaber_, mrnice1
17:58 -!- Netsplit over, joins: tjz2, bytesaber_, krzie, mrnice1
18:01 -!- APTX [n=APTX@phpBB/developer/APTX] has quit [Read error: 110 (Connection timed out)]
18:06 -!- chilicuil2 [n=sistemas@189.191.134.144] has quit [Read error: 104 (Connection reset by peer)]
18:09 -!- MrJK [n=jezu@194.199.166.96] has joined ##openvpn
18:09 -!- Section58 [n=steve@ipt0-2.core.bsd.uk.phib3r.net] has joined ##openvpn
18:09 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
18:09 -!- Diffen [n=diffen2@c-ef75e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
18:09 -!- Optic [n=Optic@miso.capybara.org] has joined ##openvpn
18:10 -!- APTX [n=APTX@chello089076052083.chello.pl] has joined ##openvpn
18:12 -!- bytesaber_ [n=bytesabe@208-98-188-95.directcom.com] has quit ["Leaving"]
18:13 -!- rob0_ is now known as rob0
18:15 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: Section58, newmember, MrJK, Diffen, Optic
18:19 -!- Netsplit over, joins: MrJK, Section58, newmember, Diffen, Optic
18:20 -!- _phusion__ [i=phusion@88.80.16.38] has left ##openvpn []
18:25 -!- slonbg [n=chatzill@216.17.90.91] has joined ##openvpn
18:27 -!- Bushmills [n=nnnBushm@verhau.de] has left ##openvpn ["Leaving."]
18:28 -!- Bushmills [n=nnnBushm@verhau.de] has joined ##openvpn
18:30 -!- stephenh_ [n=stephenh@94-23-158-103.kimsufi.com] has joined ##openvpn
18:31 -!- sdh [n=steve@steve.st] has quit [Remote closed the connection]
18:31 -!- sdh [n=steve@steve.st] has joined ##openvpn
18:31 -!- stephenh [n=stephenh@94-23-158-103.kimsufi.com] has quit [Read error: 104 (Connection reset by peer)]
18:33 < slonbg> I have 2 environments, connected trough openvpn tunnel - OFFICE and PROD. everything works ok, when I try to access any machine on PROD from any machine in OFFICE. I also have on the same OFFICE machine an openvpn server, so remote users can connect to OFFICE. All is OK, when remote client tries to access OFFICE. A proper routing is pushed to the clients to PROD. Also, when I listen...
18:33 < slonbg> ...(tcpdump) to the 2 TUN devices on OFFICE, I see the packet (tcp 80 request) coming from remote client, so the routing works (maybe). But on the entry point in PROD I do not see it. So, something's wrong with the routing. How to investigate? Any ideas how to go after this?
18:42 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit ["ChatZilla 0.9.86 [Firefox 3.5.7/20091221164558]"]
18:52 -!- RandomizeR [n=randomiz@41.237.69.77] has joined ##openvpn
18:53 < RandomizeR> anyone around?
18:53 < RandomizeR> hello..?
18:55 < RandomizeR> :(
18:55  * RandomizeR 's sound echoes off in the empty channel...
18:56 -!- NickWebHA [n=nick@pool-74-108-117-104.nycmny.fios.verizon.net] has joined ##openvpn
18:57 < RandomizeR> hey Nick
18:57 < NickWebHA> Hey, hey. :-D
18:57 < NickWebHA> How are you?
18:57 < RandomizeR> I'm fine, you? :)
18:58 < RandomizeR> I was looking for a small bit of help, you think you might be able to help me?
18:58 < NickWebHA> I think my eye are going to start bleeding after I am done plugging my hair out.
18:58 < NickWebHA> I am also here for the same thing. I even wrote a blog post about it.
18:58 < RandomizeR> :-D
18:58 < RandomizeR> what's the problem?
18:59 < NickWebHA> I am going to plead my case now I guess with my pre-prepared speech. "I throw myself on the mercy of the channel. I just can not get OpenVPN working properly. Can anyone help me regain my sanity? http://blog.lifebloodnetworks.com/?p=163"
18:59 < NickWebHA> What is your issue?
19:00 < RandomizeR> well, my issue is much simpler, really, i just need to connect to a VPN but it's using the same address range as my own network
19:00 < RandomizeR> 10.0.0.0
19:00 < RandomizeR> i'm behind a router
19:01 < NickWebHA> So your VPN server has the same local network scheme as the network you are on now?
19:01 < RandomizeR> and although my router is on a different ip than the router of the network i'm connecting to, as soon as i get connected i lose connectivity completely
19:01 < RandomizeR> yep
19:01 < NickWebHA> Short answer: No can do.
19:01 < RandomizeR> not exact, though
19:02 < RandomizeR> yeah, but the client that installs on windows works around this issue by re-routing all the addresses
19:02 < RandomizeR> i was wondering if i can do the same on my linux
19:02 < RandomizeR> it works on windows but not linux, which is a shame really :(
19:02 < NickWebHA> Really? Not sure how that works... unless the IPs you are using are unused on the other network.
19:03 < NickWebHA> I have only been using Linux for about six months. I have learned a hell of a lot but some of it is still a black box to me.
19:03 < RandomizeR> but on windows when i do a dns lookup for a machine on the remote network by name, i get a fake "internet" address
19:03 < RandomizeR> yeah, same here really
19:04 < RandomizeR> and i can still access stuff using their real internal network IPs as long as there's no conflict
19:04 < RandomizeR> where there isn't really
19:05 < RandomizeR> my own network is very small, and currently i'm the only one on it beside the router, it's my home network
19:05 < NickWebHA> The default route is going to be sent to one not the other. I would assume you just got lucky that the network you wanted happened to be the default one at the time. I do not think Windows can work around that.
19:05 < RandomizeR> the other one is the work network, but i know for a fact i'm not conflicting with any of the work addresses, both the address for the router and my own machine are free on the work network
19:06 < RandomizeR> i think the windows client is the one that works around it
19:06 < NickWebHA> I am saying I do not see how.
19:06 < NickWebHA> Sounds fishy to me.
19:06 < RandomizeR> well, why does it work on windows and not linux?
19:06 < NickWebHA> No idea.
19:07 < NickWebHA> If I could answer that one way or another I would be sitting on the stairs in my apartment building stealing WiFi so I could play with my new VPN. :-P
19:07 < RandomizeR> hold on a minute, i'll try something, but i might lose connectivity for a while
19:07 < RandomizeR> :P
19:08 < RandomizeR> nop, still no luck
19:09 < RandomizeR> well, i was content with it only working on windows since i only needed to go in to check stuff occasionally so far
19:10 < RandomizeR> but now some code i wrote yesterday broke the cron job, and i wanted to go in and fix it but all my tools and stuff are linux based
19:10 < NickWebHA> According to the OpenVPN site the examples should work virtually unmodified. Does this thing require other ports to work or something?
19:10 < RandomizeR> and i really would hate to have to go to work tomorrow just to see what went wrong :(
19:11 < RandomizeR> i wouldn't know, really, i'm not the network admin, i'm just a developer ^_^
19:11 < NickWebHA> netstat does not show me anything...
19:11 < RandomizeR> i haven't had to deal with VPN until a couple of weeks ago
19:12 < NickWebHA> Need? I just want. :-P
19:14 < RandomizeR> :-P
19:14 < RandomizeR> so you're just doing this for fun? :-P
19:14 < NickWebHA> If you have a better idea of what is fun I would like to hear it!
19:14 < RandomizeR> i totally see where you're coming from, but i wouldn't have waited until i start pulling my hair out
19:15 < RandomizeR> actually, the first network i ever built was also for the same reason
19:15 < NickWebHA> I am convinced of a) I am an idiot or b) the site is wrong.
19:15 < RandomizeR> i had a single internet connection and a switch not a router (not that i knew the difference back then!), and i decided i wanna share that internet connection across the multiple PCs i had
19:16 < NickWebHA> I remember my first website a while back. I made a copy of each image for each time I wanted it on the page because it never occurred to me I could use the same image in two places.
19:16 < RandomizeR> well, it's usually c) Some other variable is different with you that the site doesn't mention
19:17 < RandomizeR> o_O
19:18 < RandomizeR> well, can't claim my first web experience was much better really, i started by reverse-engineering multiple web pages to try and learn what that "language" they were "programmed" in
19:18 < RandomizeR> using "View Source" :-P
19:18 < NickWebHA> English. Duh. :-P
19:18 < RandomizeR> only a while later that it occured to me i don't have to do that really, i could just read a book :-P
19:19 < RandomizeR> yeah, but i didn't really know anything about tags and html, i just started reading the html source of the pages and trying to figure out how it works
19:20 < RandomizeR> i actually got surprisingly far with that, too!
19:21 < RandomizeR> *sigh* the things we do for fun... :-P
19:21 < NickWebHA> I failed many a high school class that way.
19:21 < NickWebHA> ... also I never showed up. But that did not help.
19:21 < RandomizeR> Yeah, I'd imagine so.
19:23 < RandomizeR> it's funny how when you look back at things that you thought at the time were really complicated and see how simple they seem now
19:23 < NickWebHA> I want that day to come for OpenVPN.
19:23 -!- napcae [n=napcae@i59F7066D.versanet.de] has joined ##openvpn
19:23 < RandomizeR> and the good news is, this same thing is probably gonna happen with you and this whole VPN thing
19:24 < RandomizeR> yep, i hope so myself
19:24 < NickWebHA> Well, it is worse than that I think. I think I do understand it and it still does not work.
19:24 < NickWebHA> hahaha, that amuses me.
19:24 < RandomizeR> and you actually got me thinking about doing that VPN thing myself, actually!
19:24 < napcae> i've activated "redirect-gateway" but the clients have no internetconnection
19:24 < napcae> what can be the reasons for that?
19:25 < RandomizeR> napcae, i don't think either of us would be able to help you, we each have our own unsolved mysteries :-D
19:25 < napcae> :S
19:26 < RandomizeR> and we have all come here looking for answers, but i guess it's a low time for the channel right now
19:26 < napcae> hmm
19:26 < napcae> guess you're right
19:28 < napcae> WTF
19:28 < NickWebHA> What now?
19:28 < RandomizeR> ??
19:28 < RandomizeR> :-P
19:28 < napcae> I'm sitting for over 2 hours on this fuckin problem
19:28 < napcae> and now, i just uncommented dev tap for random in my server.conf
19:28 < napcae> and now it works!
19:28 < RandomizeR> careful with the language, i think there's an autobot
19:28 < napcae> oO
19:28 < napcae> sry^^
19:28 < NickWebHA> That is pretty awesome.
19:29 < RandomizeR> wouldn't wanna get kicked out now, that's a definite mood spoiler :-P
19:29 < RandomizeR> well, congrats ;-)
19:29 < NickWebHA> Seriously. All this hope is making me try harder. Cut that out!
19:29 < RandomizeR> :-[
19:30 < RandomizeR> you know, i'm thinking seriously of changing my local network settings to like 192.168.0.0 or something
19:31 < RandomizeR> i know that would probably solve the problem
19:31 < NickWebHA> Sounds like a plan to me.
19:31 < NickWebHA> I went with 10.0.0.0/25 (router would not let me choose /8).
19:31 < RandomizeR> it's just too much of a freakin hassle, and i've never done that with this router before
19:31 < RandomizeR> if i end up screwing something up i might find myself with no connectivity at all
19:32 < RandomizeR> or worse, having to hard-reset the router :-P
19:33 < RandomizeR> oh well, i think i'll give it a try anyway!
19:34 < RandomizeR> NickWebHA, i didn't get from your blog post what the exact problem is
19:35 < RandomizeR> your clients connect to the vpn but can't route properly?
19:35 < NickWebHA> I will re-read it. I might have left out the most important part due to the fact I can not think any more.
19:35 < RandomizeR> well, i'm not anywhere near knowing what anything means anyway, so it might be just fine and the problem is with me
19:36 < RandomizeR> i'm just trying to understand so maybe i can help after all
19:36 < RandomizeR> you know what they say, 2 heads is better than one
19:36 < NickWebHA> Reading it now I do see that I need to rewrite it. I am all over the place in that description.
19:37 < NickWebHA> I also have not slept more than a few hours a night in the last week. I think I am starting to fall asleep.
19:37 < napcae> ty..
19:37 < napcae> wow that was a lucky one..
19:37 < napcae> maybe u could post ur problems again
19:37 -!- napcae [n=napcae@i59F7066D.versanet.de] has quit ["leaving"]
19:38 < RandomizeR> i think you should go sleep
19:38 < RandomizeR> me too actually, that won't be such a bad idea
19:39 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
19:40 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
19:40 < NickWebHA> Have a good one.
19:41 < RandomizeR> you too
19:42 < RandomizeR> good night then :-), and good luck!
19:42 < RandomizeR> bye...
19:42 -!- RandomizeR [n=randomiz@41.237.69.77] has quit ["Leaving"]
19:43 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)]
19:56 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has quit ["Leaving."]
20:13 -!- JodaX [n=NOTOKAY@ks22848.kimsufi.com] has joined ##openvpn
20:14 < JodaX> i want to use my dedicated server to encrypt my connection to the internet (connection to it) so it can't be sniffed on open wlans and such, are there any setup guides that describe that scenario ?
20:25 < Bushmills> !redirect
20:25 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
20:25 < Bushmills> JodaX: ^^^^
20:27 < Bushmills> essentially just a client - server openvpn connection, with redirect-gateway in config, NAT enabled on server, and a name server which can be used by client.
20:29 < JodaX> redirect-gateway in the client config ?
20:29 < Bushmills> your choice,
20:29 < Bushmills> can be pushed by server, or written into client config
20:30 < JodaX> ok
20:30 < JodaX> but how exactly do i enable nat on the server and configure openvpns network settings ?
20:30 < Bushmills> by reading what the bot told you
20:31 < JodaX> !ipforward
20:31 < vpnHelper> JodaX: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
20:31 < JodaX> !nat
20:31 < vpnHelper> JodaX: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
20:31 < JodaX> !linipforward 
20:31 < vpnHelper> JodaX: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
20:31 < JodaX> !def1
20:31 < vpnHelper> JodaX: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
20:33 < JodaX> !linnat
20:33 < vpnHelper> JodaX: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
20:34 < JodaX> Bushmills, how do i set the vpn network ? what server.conf option is that ?
20:35 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
20:35 < mithridates> hey guys
20:36 < Bushmills> a macro which also sets the net, in server config, is server
20:36 < mithridates> is there any difference between certificates for openvpn by openssl and other certificates?
20:36 < mithridates> is it an specific type of certificates?
20:37 < mithridates> !certificate
20:37 < vpnHelper> mithridates: Error: "certificate" is not a valid command.
20:37 < mithridates> !ca
20:37 < vpnHelper> mithridates: Error: "ca" is not a valid command.
20:37 < Bushmills> !ssl
20:37 < vpnHelper> Bushmills: Error: "ssl" is not a valid command.
20:37 < mithridates> !openssl
20:37 < vpnHelper> mithridates: Error: "openssl" is not a valid command.
20:38 < mithridates> hey Bushmills
20:38 < Bushmills> 'morning
20:38 < mithridates> where are you from?
20:38 < Bushmills> try http://tldp.org/HOWTO/SSL-Certificates-HOWTO/
20:38 < vpnHelper> Title: SSL Certificates HOWTO (at tldp.org)
20:38 < mithridates> oh tnx
20:39 < mithridates> where are you from Bushmills?
20:39 < Bushmills> sol3, milky way
20:39 < mithridates> sol3?
20:39 < mithridates> =)))
20:39 < mithridates> milky way
20:39 < Bushmills> third planet around star named sol
20:39 < mithridates> K-PAX ?
20:40 < mithridates> have u seen this movie ?
20:40 < Bushmills> not that i remember
20:40 < mithridates> Kevin Spacey has a role in that
20:40 < Bushmills> http://www.imdb.com/title/tt0272152/
20:40 < vpnHelper> Title: K-PAX (2001) (at www.imdb.com)
20:40 < Bushmills> this one?
20:40 < mithridates> yes 
20:40 < mithridates> I like that
20:41 < JodaX> Bushmills, what route do i push to the client ?
20:41 < mithridates> when a person asked him where are you from he said something like you
20:41 < Bushmills> not seen. i'll keep it in mind
20:41 < Bushmills> JodaX: i don't know which ones you do. tell me.
20:42 < JodaX> which ones should i ?
20:42 < Bushmills> besides the vpn net itself?
20:43 < Bushmills> redirect-gateway updates your routes, and creates new default route through vpn
20:43 < JodaX> can you explain what the vpn net, and what the route is in normal networking terms
20:43 < Bushmills> none extra needed. it also adds a host route to vpn server through your old interface
20:44 < Bushmills> vpn net is the range of ip addresses within which the addresses of server and client tun devices fall
20:45 < JodaX> so when a client connects i will get a tun device that is a connection to that client, and the client will have an ip of the net i set with the "server" config option ?
20:45 < Bushmills> normally, packets to vpn net are routed through tun device
20:45 < Bushmills> yes, essentially. only, second client should be "server"
20:45 < mithridates> Bushmills: do u know some web based management system for certificates?
20:46 < ecrist> !ssl-admin
20:46 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
20:46 < Bushmills> mithridates: no. 
20:46 < ecrist> not web based, but it's menu driven
20:46 < JodaX> Bushmills, ah, ok, so the connection when shown using ipconfig will sport that ip, what ip will the client have ?
20:46 < mithridates> ecrist: tnx man
20:46 < Bushmills> JodaX: determined by server, as consequence of your server config
20:47 < JodaX> Bushmills, now you are confusing me
20:48 < JodaX> if i do
20:48 < JodaX> server 10.8.0.0 255.255.255.0
20:48 < Bushmills> the address is not hardcoded.
20:48 < JodaX> in the server config
20:48 < ecrist> mithridates: i wrote it, if you have questions, let know
20:48 < Bushmills> so you have control over it
20:48 < ecrist> ^me
20:48 < JodaX> that ip is the servers ip on the tun device ?
20:48 < mithridates> sure tnx
20:48 < Bushmills> that's the vpn net. server and client will fall into into.
20:48 < JodaX> ok
20:49 < JodaX> so what does push "route 192.168.1.0 255.255.255.0"
20:49 < JodaX> do then ?
20:49 < Bushmills> check out  --topology,  --ifconfig-push
20:49 < Bushmills> check out --push,  and  route
20:50 < JodaX> push pushes a setting to the client
20:50 < Bushmills> or, even better, try  !howto
20:51 < JodaX> where do i check those ?
20:51 < Bushmills> !howto
20:51 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
20:51 < Bushmills> !man
20:51 < vpnHelper> Bushmills: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
20:52 -!- NickWebHA [n=nick@pool-74-108-117-104.nycmny.fios.verizon.net] has left ##openvpn []
20:53 < JodaX> so for the client to access the internet over the server i'd push a internet route to it ? 0.0.0.0 0.0.0.0 ?
20:53 < Bushmills> !redirect
20:53 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
20:53 < Bushmills> !def1
20:53 < JodaX> so i don't need route ?
20:53 < vpnHelper> Bushmills: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
20:54 < Bushmills> (03:43:06) Bushmills: redirect-gateway updates your routes, and creates new default route through vpn
20:54 < JodaX> ok, so no routes, just redirect gateway
20:54 < JodaX> right ?
20:54 < Bushmills> bingo
21:03 < mithridates> ecrist: I'm looking for some web based stuff like the plugin which is in Webmin 
21:06 < JodaX> ehum, there any openvpn gui for windows 7 ?
21:06 < JodaX> or does openvpn even work on windows 7 ? (certified drivers and such... ?)
21:06 < mithridates> JodaX: yes I've tried
21:07 < JodaX> which gui ?
21:07 < mithridates> just use run as administrator 
21:07 < mithridates> and change compatibility mode to win vista
21:07 < JodaX> install what ?
21:07 < JodaX> and i don't want to disable driver signing...
21:08 < mithridates> driver signing?
21:08 < mithridates> !download
21:08 < vpnHelper> mithridates: "download" is www.openvpn.net/download to download openvpn
21:09 < mithridates> I donno about driver singing
21:10 < rob0> Musical drivers!
21:12 < JodaX> lol
21:12 < JodaX> nice gui it is
21:13 < JodaX> where is the config ?
21:24 < mithridates> JodaX: !config
21:25 < mithridates> !config
21:25 < vpnHelper> mithridates: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
21:25 < JodaX> nvm that
21:25 < mithridates> see the howto
21:25 < mithridates> no
21:25 < mithridates> look at the article section of openvpn.net community software
21:26 < mithridates> there is an article which talked about installing openvpn over different OSs
21:26 < mithridates> hey guys, what's the best way for managing certificates?
21:28 < JodaX> hmm, used redirect-gateway in the client, connects, but doesn't redirect traffic over the gateway
21:29 < Bushmills> look at routing table
21:30 < mithridates> JodaX: do u wanna use NAT?
21:30 < JodaX> yes
21:30 < mithridates> JodaX: have a look at ip_forward
21:30 < mithridates> put 1 instead of 0
21:30 < JodaX> well, i need to get clientside working
21:30 < JodaX> it should at least shutdown my internet on clientside if serverside wasn't working
21:31 < JodaX> but it seems to not redirect over the openvpn
21:31 < Bushmills> you can speculate, or you can obtain information from the system.
21:32 < JodaX> i can't read routing tables, never got into that
21:32 < mithridates> who knows a perfect certificate administration system?
21:32 < Bushmills> then pastebin the output
21:33 < JodaX> ipv4 route table enough ?
21:33 < Bushmills> yes
21:33 < mithridates> I removed all certificates files from my server but a client is still connected
21:34 < JodaX> Bushmills, http://piratepad.net/Zf2sDwrNAE
21:34 < vpnHelper> Title: PiratePad: Zf2sDwrNAE (at piratepad.net)
21:34 < mithridates> !openssl
21:34 < vpnHelper> mithridates: Error: "openssl" is not a valid command.
21:34 < mithridates> !factoids search --value ssl
21:34 < vpnHelper> mithridates: 'tls-auth', 'hmac', 'servercert', 'certs', 'crl', 'notcompat', 'quietopenssl', 'quietopenssl', 'dh', 'certinfo', 'certverify', and 'pptp'
21:34 < mithridates> !notcompat
21:34 < vpnHelper> mithridates: "notcompat" is (#1) ipsec and pptp are NOT compatibile with openvpn... openvpn is uses SSL, pptp and ipsec both use proprietary protocols, and therefor CAN NOT be compatible, or (#2) openvpn only connects to openvpn
21:35 < mithridates> !certinfo
21:35 < vpnHelper> mithridates: "certinfo" is please run `openssl x509 -in <file> -noout -text` for ca,server,client certs and pastebin the results
21:35 < JodaX> hmm, but i seen open implementations of ipsec...
21:35 < Bushmills> 10.196.129.0 is your vpn net?
21:36 < JodaX> server 10.8.0.0 255.255.255.0
21:36 < JodaX> client says i have the ip 10.8.0.6
21:37 < Bushmills> you aren't connect to server, according route table.
21:37 < Bushmills> connected
21:37 < JodaX> the openvpn gui tells me i am
21:37 < JodaX> icon is green
21:38 < Bushmills> what OS is that?
21:38 < Bushmills> what version of windows, i mean
21:38 < JodaX> win7 64bit
21:38 < JodaX> professional
21:39 -!- tjz2 [n=tjz@bb116-15-75-62.singnet.com.sg] has quit ["bbl"]
21:39 -!- tjz [n=tjz@bb116-15-75-62.singnet.com.sg] has joined ##openvpn
21:39 < Bushmills> do you have any route statement in server config?  such as route 10.8.0.0 255.255.255.0 ?
21:40 < JodaX> no
21:41 < JodaX> i pasted the server config below the other paste
21:41 < JodaX> and client config below that
21:44 < JodaX> that is strange tho
21:44 < JodaX> the ip on the tun interface is not 10.8.
21:44 < JodaX> its 10.196.129
21:45 < Bushmills> you have redirect-gateway in both client and pushed by server
21:45 < JodaX> so 
21:45 < Bushmills> once with, once without def1
21:46 < JodaX> removing the one from the client
21:46 < Bushmills> i'd remove the server one for now, and add def1 to client#
21:46 -!- HazardX [n=HazardX3@pool-96-252-45-198.bstnma.fios.verizon.net] has joined ##openvpn
21:47 < Bushmills> 10.196.129.0 as vpn net is more consistent with routing table. it also means that redirect-gateway is effective
21:48 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
21:49 < JodaX> but i do not have 10.196.129.0 set on server side
21:49 < Bushmills> have you reloaded server config after editing?
21:50 < Bushmills> !tcp
21:50 < vpnHelper> Bushmills: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
21:50 < JodaX> oh wait its erroring about that
21:50 < JodaX> Sat Jan 16 04:49:27 2010 Route: Waiting for TUN/TAP interface to come up...
21:50 < JodaX> Sat Jan 16 04:49:28 2010 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
21:50 < JodaX> Sat Jan 16 04:49:28 2010 NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
21:50 < JodaX> SYSTEM ROUTING TABLE
21:50 < JodaX> and i am using tcp already
21:50 < Bushmills> that's why i sent you that factoid
21:50 < Bushmills> just read it carefully again
21:51 < JodaX> i added redirect-gateway def1
21:51 < Bushmills> to client?
21:52 < JodaX> yes
21:52 < JodaX> and i removed the push on the server
21:53 -!- dli [n=dli@dsl-69-172-118-139.acanac.net] has quit [Remote closed the connection]
21:54 < Bushmills> client-to-client should make little sense if there is no   mode server  in server config 
21:54 < Bushmills> no sense, actually
21:55 < JodaX> do i make it mode server ?
21:56 < Bushmills> if planning for more than one client, yes
21:56 < JodaX> not
21:56 < JodaX> just needs to work now
21:56 < JodaX> do i need to ifconfig the ips on server and client ?
21:57 < Bushmills> so what will the other clients be you're enabling client-to-client comm with?
21:57 < JodaX> ?
21:57 < JodaX> i removed that
21:57 < Bushmills> your server config says  client-to-client
21:57 < JodaX> yeah
21:57 < Bushmills> funny with server configured to allow one client only
21:58 < JodaX> edited it when you said it was nonsensical
21:58 < JodaX> but that isn't the problem
21:58 < Bushmills> i haven't tested conflicting options well.
21:58 < Bushmills> and that was one
21:58 < JodaX> Sat Jan 16 04:56:08 2010 TEST ROUTES: 0/0 succeeded len=0 ret=0 a=0 u/d=down
21:58 < JodaX> Sat Jan 16 04:56:08 2010 Route: Waiting for TUN/TAP interface to come up...
21:58 < JodaX> still that
21:59 < Bushmills> i suppose routing table of your client is pretty messed up now
21:59 < Bushmills> after disconnect, not able to restore old default route
22:00 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
22:00 < Bushmills> did you reload server config?
22:00 < JodaX> i restarted the server
22:00 < JodaX> that not enough ?
22:01 < Bushmills> enough.
22:02 < Bushmills> why is there ifconfig 10.8.0.2 10.8.0.1 in client config?
22:02 < JodaX> tried it because it was mentionned somewhere
22:03 < ecrist> mithridates: aside from guis for DD-WRT, FreeNAS, and some others, that's all you get
22:03 < ecrist> pay me, and I'll write one in PHP for you
22:03 < Bushmills> remove it or use different addresses. higher
22:03 < JodaX> ok
22:03 < JodaX> but one general thing
22:03 < JodaX> shouldn't the tun interface have a 10.8 ip ?
22:03 < Bushmills> yes, it should
22:04 < JodaX> well, it does not
22:04 < JodaX> it gets a windows autoconfig ip
22:04 < JodaX> still the gui tells me i got 10.8.0.6
22:04 < Bushmills> that's why we eliminated some config glitches.
22:05 < Bushmills> you can check server ip address of tun device
22:05 < JodaX> tun0      Link encap:UNSPEC  Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
22:05 < JodaX>           inet Adresse:10.8.0.1  P-z-P:10.8.0.2  Maske:255.255.255.255
22:06 < Bushmills> see why i asked to change or remove client ifconfig
22:06 < Bushmills> try to reboot client, or restart networking so that your route is clean again
22:06 < JodaX> it didn't change anything tho
22:06 < Bushmills> before starting openvpn
22:06 < JodaX> route is clean as far as i can see
22:07 < rob0> A clean route is a happy route.
22:08 < JodaX> oi
22:08 < JodaX> no
22:08 < JodaX> ok
22:08 < Bushmills> you may want to ask somebody with windows 7 exposure whether any special requirements for openvpn apply.
22:08 < JodaX> i had
22:08 < JodaX> dev tap
22:08 < JodaX> in config
22:08 < Bushmills> ah
22:09 < Bushmills> true
22:09 < JodaX> whats the difference ?
22:09 < JodaX> between tun and tap ?
22:09 < Bushmills> !tunortap
22:09 < vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
22:09 < vpnHelper> Bushmills: against you over the vpn
22:10 < JodaX> yup all works
22:10 < rob0> tun is OSI layer 3, IP; tap is layer 2, link layer (virtual Ethernet.)
22:12 -!- Dougy [n=me@ool-435033e6.dyn.optonline.net] has joined ##openvpn
22:12 < Dougy> hai
22:15 < JodaX> would it work if i just changed both to tap ?
22:16 < Bushmills> !tunortap
22:16 < vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
22:16 < vpnHelper> Bushmills: against you over the vpn
22:18 < vpnHelper> New forum entry openvpnforum: Server Administration :: OpenVPN for QNX :: Author ob1 <http://www.ovpnforum.com/viewtopic.php?f=4&t=2449&p=2838#p2838>
22:25 < Dougy> oh snap
22:25 < Dougy> they got the forum bot working
22:25 < Dougy> fantastic
22:25 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit ["Leaving."]
23:31 -!- tjz2 [n=tjz@bb116-15-75-62.singnet.com.sg] has joined ##openvpn
23:31 -!- tjz [n=tjz@unaffiliated/tjz] has quit [Nick collision from services.]
23:31 -!- tjz2 is now known as tjz
23:36 < ecrist> Dougy: pm?
--- Day changed Sat Jan 16 2010
00:13 -!- EricInBNE [n=Eric@203-206-187-157.perm.iinet.net.au] has joined ##openvpn
00:24 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
00:27 -!- EricInBNE [n=Eric@203-206-187-157.perm.iinet.net.au] has left ##openvpn ["Leaving"]
00:33 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
00:41 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit []
00:49 -!- Leila [i=d9dae562@gateway/web/freenode/x-iecbqqawoljawtgd] has joined ##openvpn
00:49 -!- Leila [i=d9dae562@gateway/web/freenode/x-iecbqqawoljawtgd] has left ##openvpn []
01:36 < ecrist> dammit jim
01:52 -!- frone [n=sammy@rotterdam.perfect-privacy.com] has joined ##openvpn
01:53 < frone> i have openvpn running in the background but cannot find it in my system monitor. im running ubuntu 9.10. how do I stop the sucker?
02:08 < ecrist> ps auxwww | grep openvpn
02:19 < frone> ecrist: what does that command do?
02:21 < ecrist> it searches for all running commands for 'openvpn'
02:22 < ecrist> man ps and man grep
02:28 < frone> thanks ecrist 
02:28 -!- frone [n=sammy@rotterdam.perfect-privacy.com] has quit [Client Quit]
03:07 -!- master_of_master [i=master_o@p57B57DF5.dip.t-dialin.net] has joined ##openvpn
03:20 -!- master_o1_master [n=master_o@87.181.81.117] has quit [Read error: 110 (Connection timed out)]
03:44 -!- eightfold [n=eightfol@c213-89-114-50.bredband.comhem.se] has joined ##openvpn
04:14 < eightfold> howdy, i'm running debian and i have openvpn installed. i have the conf files provided here: http://ivacy.com/en/doc/user/setup/winxp_openvpn saved to example file names at that site (ie. Ivacy-client.ovpn etc) and i want to connect to that vpn using the terminal. what is the command?
04:14 < vpnHelper> Title: OpenVPN connection setup for Windows XP (at ivacy.com)
04:49 -!- ScriptFan [i=vincent@2a01:240:fe35:0:21a:70ff:fea3:44ab] has joined ##openvpn
04:49 -!- ScriptFanix [i=vincent@Tuluk.riquer.fr] has quit [Remote closed the connection]
05:00 -!- sdh [n=steve@steve.st] has quit [Remote closed the connection]
05:06 -!- ScriptFan [i=vincent@2a01:240:fe35:0:21a:70ff:fea3:44ab] has quit [Network is unreachable]
05:25 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
06:16 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:33 < DarkAnt> Sat Jan 16 07:31:28 2010 us=924411 UDPv4 WRITE [14] to 24.63.224.114:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
06:33 < DarkAnt> Sat Jan 16 07:31:29 2010 us=4078 read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
06:33 < DarkAnt> Sat Jan 16 07:31:29 2010 us=4529 UDPv4 READ [0] from [undef]: DATA UNDEF len=-1
06:33 < DarkAnt> oops
06:33 < DarkAnt> well, I meant to paste that in a pastebin, but I'm getting that error
06:37 < DarkAnt> I am receiving packets, so I think it isn't my firewall
06:37 < DarkAnt> why isn't my server responding then?
06:38 < JodaX> use tcp
06:39 < DarkAnt> ok
06:39 < DarkAnt> I'll try that
06:41 < DarkAnt> I'm still failing with no route to host
06:43 < JodaX> then there really is no route to the host
06:43 < JodaX> try pinging it
06:43 < JodaX> see if you can open a connection to it
06:46 < DarkAnt> k
06:47 < DarkAnt> well, that's odd
06:47 < DarkAnt> I can't ping it
06:48 < DarkAnt> but I can still ssh into it and whatnot
06:50 -!- tommyd3mdi [n=tommyd@f053097062.adsl.alicedsl.de] has joined ##openvpn
06:55 < DarkAnt> ugh, the router was set up to drop pings
06:57 < DarkAnt> ok, I can ping it
06:59 < DarkAnt> so if I can see it with tcpdump its getting through the server firewall
06:59 < DarkAnt> I can see the machine
07:00 < DarkAnt> why am I still getting no route to host...
07:03 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
07:03 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
07:08 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Connection timed out]
07:10 < DarkAnt> I'm using the example configs, I'm kinda stuck as to how to proceed debugging this
07:29 -!- tommyd3mdi [n=tommyd@f053097062.adsl.alicedsl.de] has quit []
07:29 -!- le0_ [n=itsle0@82.16.123.181] has quit [Read error: 110 (Connection timed out)]
07:31 -!- tommyd3mdi [n=tommyd@f053097062.adsl.alicedsl.de] has joined ##openvpn
07:40 -!- tommyd3mdi [n=tommyd@f053097062.adsl.alicedsl.de] has quit []
07:57 -!- Artio [n=_@port-12648.pppoe.wtnet.de] has joined ##openvpn
08:16 < HazardX> I know you can ssh into it, as if you couldn't it couldn't be connected to you so you couldn't be comendeering said test box....
08:17 < DarkAnt> yeah, but only you and I knew that
08:17 < HazardX> Full disclosure, when you've got no idea what's going on, fill in the blanks that aren't default knowns, then sometimes some other crazy person wanders by that's done it all before.
08:18 < HazardX> (I know I've been on both sides of that exact series of events)
08:18 < DarkAnt> fair enough
08:22  * DarkAnt flails about
08:22  * HazardX lols
08:24 -!- NickWebHA [n=nick@pool-74-108-117-104.nycmny.fios.verizon.net] has joined ##openvpn
08:28 < Dougy> http://www.newegg.com/Product/Product.aspx?Item=N82E16820227502
08:28 < Dougy> asdfgadfgsfaf
08:28 < vpnHelper> Title: Newegg.com - OCZ Colossus Series OCZSSD2-1CLS1T 3.5 1TB SATA II MLC Internal Solid State Drive SSD - Solid State Disks (at www.newegg.com)
08:28 < Dougy> woah
08:30 < DarkAnt> that's pretty impressive
08:30 < DarkAnt> but I am way too poor to afford that
08:31 < DarkAnt> I could have 4 brand new computers for that drive
08:31 < Dougy> me too
08:31 < Dougy> lol
08:31 < Dougy> i could ahve more
08:31 < Dougy> like 6 
08:32 < DarkAnt> still, its nice to know that in 4 years I'll have a 1TB solid state drive in my computer
08:39 < NickWebHA> I am very, very stuck. Can someone please help me? http://blog.lifebloodnetworks.com/?p=163 (Since it was a lot of information I posted it on my blog to make it easier for whoever is helping me.)
08:40 -!- ScriptFan [i=vincent@2a01:240:fe35:0:21a:70ff:fea3:44ab] has joined ##openvpn
08:41 < DarkAnt> NickWebHA: set a higher verb
08:41 < JodaX> DarkAnt, they will still be expensive in 4 years
08:41 < DarkAnt> but if it makes you feel any better, I'm still trying to get openvpn to work too :P
08:41 < DarkAnt> JodaX: yes, but they won't be 4K expensive
08:41 < NickWebHA> Alright.
08:42 < JodaX> hmm, propably still 500$
08:42 < JodaX> ratio will only get marginally better
08:43 < DarkAnt> why do you think the price will stay so high?
08:43 < JodaX> you will get a 10tb normal drive for 200$ at that time
08:43 < JodaX> DarkAnt, asume halfing the price every year, thats overly optimistic but will still leave you with 250$
08:43 < ecrist> NickWebHA: see here:
08:44 < ecrist> !logs
08:44 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
08:44 < ecrist> !goal
08:44 < vpnHelper> ecrist: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:44  * ecrist goes and makes breakfast
08:44 < NickWebHA> Will do.
08:46 < JodaX> DarkAnt, you don't believe they will be as cheap as normal disks in just 4 years, do you ?
08:47 < DarkAnt> no, but I'd expect them to be in the $500 or less range
08:47 < DarkAnt> or at least hope :D
08:47 < JodaX> 1tb for 500$ ?
08:47 < JodaX> sure
08:48 < JodaX> but at the same time you will get 10tb for well under 200
08:48 < JodaX> normal disk
08:48 < DarkAnt> yeah, but they don't have the read speed of solid state
08:49 < JodaX> aren't ssd's still about as fast as normal disks when it comes to read (no seek) speeds ?
08:49 < DarkAnt> I don't think so
08:49 < DarkAnt> wikipedia has a good article on them
08:49 < DarkAnt> let me check
08:50 < JodaX> everything under a order of magnitude is neglible
08:50 < DarkAnt> yeah, way faster read times
08:50 < DarkAnt> and by that I mean much faster seek times
08:50 -!- NickWebHA [n=nick@pool-74-108-117-104.nycmny.fios.verizon.net] has quit ["Leaving."]
08:51 < JodaX> seek times obviously
08:51 < JodaX> but read times compare
08:51 < JodaX> seek times aren't that important
08:51 < JodaX> since there is still a very huge factor to ram
08:52 < DarkAnt> 250 MB/s read/write
08:52 < JodaX> outnumbering the costs of ram to hd space still by much
08:52 < JodaX> thats about 2x what a slow normal hd does
08:52 < JodaX> my server disks here do 120
08:52 < JodaX> and thats real speed, not lab test results
08:52 < DarkAnt> in fact I know a professor who is trying to figure out how solid state drives can play a role in some sort of swap setup
08:52 < JodaX> ...
08:53 < JodaX> professor microsoft ?
08:53 < Dougy> good bye mzima
08:53 < JodaX> whats their tech called, readyboost ?
08:53 < JodaX> -_-
08:53 < DarkAnt> no, just at my school
08:53 < DarkAnt> he's doing work with...umm
08:53 < JodaX> http://de.wikipedia.org/wiki/ReadyBoost
08:53 < vpnHelper> Title: ReadyBoost – Wikipedia (at de.wikipedia.org)
08:53 < DarkAnt> its some supercomputing place
08:55 < DarkAnt> but anyway, openvpn and why it will not play nice
08:56 < DarkAnt> no route to host :/
08:57 < JodaX> if you got it on tcp
08:57 < JodaX> see if you can telnet that port
08:57 < DarkAnt> ok
08:57 < DarkAnt> well I can see the packets on both sides with tcpdump
08:57 < JodaX> forget tcpdump, see if you can telnet the port
08:57 < DarkAnt> ok
08:58 -!- tommyd3mdi [n=tommyd@f053097062.adsl.alicedsl.de] has joined ##openvpn
08:59 -!- tommyd3mdi [n=tommyd@f053097062.adsl.alicedsl.de] has quit [Client Quit]
09:00 -!- dauergast [n=sag@g226237107.adsl.alicedsl.de] has joined ##openvpn
09:00 < DarkAnt> hehe, my test machine didn't have telnet
09:04 < DarkAnt> no route to host
09:04 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:04 < DarkAnt> excellent
09:04 < DarkAnt> ok, I can work on this problem from here for a bit
09:04 < DarkAnt> thanks JodaX :)
09:05 < JodaX> flush iptables
09:05 < DarkAnt> that's going to kill my ssh session isn't it
09:05 < DarkAnt> well, here goes
09:06 < JodaX> well, not if you connectivity doesn't depend on iptables (nat, forwarding)
09:06 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)]
09:09 < DarkAnt> hehe
09:10 -!- NickWebHA [n=nick@pool-74-108-117-104.nycmny.fios.verizon.net] has joined ##openvpn
09:10 < DarkAnt> TY JodaX :)
09:10 < JodaX> problem solved ?
09:10 < DarkAnt> <.<
09:10 < DarkAnt> I don't want to talk about it :P
09:10 < JodaX> ...
09:10 < DarkAnt> but yeah, problem solved
09:10 < DarkAnt> haha
09:10 < DarkAnt> thanks again
09:10 < NickWebHA> After a nice long trek through my apartment building to steal WiFi for this test I have returned with the logs: http://blog.lifebloodnetworks.com/?p=163
09:11 < NickWebHA> Also I put on pants for this so you know I am serious.
09:12 -!- nixfreak [i=d872c45a@gateway/web/freenode/x-oetmdjucanzpbzgi] has joined ##openvpn
09:13 -!- tommyd3mdi [n=tommyd@f053097062.adsl.alicedsl.de] has joined ##openvpn
09:14 < nixfreak> Is there a way to script openVPN into a client that automatically connects to a server ? 
09:14 < krzee> huh?
09:14 < NickWebHA> You mean include an OpenVPN client in another script or program?
09:14 < krzee> you mean like have it auto-connect on boot?
09:14 < nixfreak> yes 
09:15 < NickWebHA> You could always do something like exec("open [configfile");
09:15 < DarkAnt> nixfreak: put it in your bashrc
09:15 < nixfreak> include an openvpn client into a program
09:15 < krzee> bashrc?
09:15 < DarkAnt> oh, windows
09:15 < krzee> heh
09:15 < nixfreak> most clients use windows 
09:15 < NickWebHA> Er, exec("openvpn [config]")
09:15 < krzee> just run it as a windows service
09:15 < krzee> it'll connect on boot
09:16 < NickWebHA> krzee: I think nix wants to write a program that will connect.
09:16 < nixfreak> its going to be a program that users download and just start 
09:16 < nixfreak> yes NickWebHA 
09:16 < krzee> just start, thats the windows gui app
09:16 < Dougy> hey jeff
09:16 < krzee> they just click it from the taskbar
09:16 < krzee> then it connects
09:16 < NickWebHA> nix: I remember reading something in the HOWTO about software that will package it for you. Check there.
09:17 < krzee> sup doug
09:17 < nixfreak> on the openvpn site ? 
09:17 < krzee> !download
09:17 < vpnHelper> krzee: "download" is www.openvpn.net/download to download openvpn
09:17 < krzee> there
09:17 < Dougy> not shit
09:17 < Dougy> you
09:17 < NickWebHA> Yes. If not in the HOWTO somewhere on the page.
09:17 < NickWebHA> ^ site
09:17 < nixfreak> k thanks 
09:17 < NickWebHA> My brain is going too many things right now.
09:17 < NickWebHA> ^ doing!
09:17 < krzee> doug, im drunk as shit, just woke up in someone elses bed with my girlfriend
09:17 < krzee> lol
09:18 -!- tommyd3mdi [n=tommyd@f053097062.adsl.alicedsl.de] has quit []
09:19 < NickWebHA> Can anyone look at my logs and tell me if they see anything strange? Nothing is jumping out at me: http://blog.lifebloodnetworks.com/?p=163
09:21 < Bushmills> dev tap  is strange
09:21 < NickWebHA> How so? The HOWTO says it should be tap and not tun.
09:21 < krzee> !tunortap
09:21 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
09:21 < vpnHelper> krzee: against you over the vpn
09:22 < Bushmills> moin krzee
09:22 < krzee> moin moin bro
09:22 < Bushmills> submarine time?
09:22 < krzee> it would be a good idea
09:22 < krzee> ...i dont go to work for 5 1/2 hours
09:22 < Bushmills> http://forthfreak.net/snap/submarine.png
09:22 < krzee> i should at least get a beer
09:23 < NickWebHA> I need it for boardcasts (games, mostly).
09:23 < Bushmills> autotranslated
09:23 < krzee> im thinking zintronensaft didnt translate
09:24 < Bushmills> lemon juice.
09:24 < Bushmills> spelling error in it
09:24 < krzee> ahh
09:24 < Bushmills> stockbesoffen approximates to dead drunk
09:25 < NickWebHA> Anything else stand out?
09:25 < krzee> !ipp
09:25 < vpnHelper> krzee: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
09:26 < NickWebHA> I do not care which IPs the clients grab. That is just in there because it was in the sample config which the HOWTO implied I should start with.
09:26 < Bushmills> i think you need  mode server   for multiple clients
09:27 < NickWebHA> I will try it. It was not in the sample config. Also right now I am just testing with a single client.
09:27 < krzee> nah server-bridge inclues mode server
09:27 < krzee> includes
09:27 < Bushmills> ah, ok
09:27 < krzee> it looks good to me if you bridged right and whatnot
09:28 < krzee> however, if all you need is bcasts
09:28 < krzee> !bcast
09:28 < vpnHelper> krzee: "bcast" is pptp source tree has bcrelay in it, bcrelay can be used to relay broadcasts over a tun setup
09:28 < NickWebHA> In Windows you just select the two adapters, bridge, and set the LAN IP on the bridged adapter that the LAN adapter had?
09:28 < krzee> dunno bout the ip part, but yes
09:29 < Bushmills> don't let your girlfriend read that, krzee. she might take offense at the giant tomcat
09:30 < NickWebHA> Right now I say broadcasts because I want to be able to give some friends the ability to share files and play games. I also like the idea of the bridge because it gives me the ability to do whatever crazy ideas I might get in the future. You know, instead of setting up specific cases now.
09:30 < Bushmills> some can be a bit touchy when seemingly referred to in conjunction with the word "giant"
09:33 < krzee> !wins
09:33 < vpnHelper> krzee: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
09:35 < JodaX> using openvpn to mitm people xD
09:35 < JodaX> funny idea
09:35 < krzee> done it
09:35 < krzee> so dont think it hasnt happened
09:35 < krzee> ;]
09:35 < JodaX> i could tell by what you said that you did
09:37 < NickWebHA> I am unclear about what my next step is. Why can I not get this working?
09:37 < JodaX> hmm, this
09:37 < JodaX> Sat Jan 16 16:36:47 2010 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
09:37 < JodaX> is taking about 5 seconds, is there any way i can have it skip the test ?
09:38 < krzee> the wait is likely agood thing
09:38 < krzee> without it the routes prolly wouldnt work
09:42 < NickWebHA> I just thought of something; It appears to me that once connected to the server the client is trying to route all traffic through it. How so I configure the server and client to not do that?
09:43 < JodaX> remove redirect-gateway
09:45 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
09:46 < nixfreak> NickWebHA is this what your talking about http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package.html
09:46 < vpnHelper> Title: HowTo Roll Your Own OpenVPN Windows Installation Package (at openvpn.se)
09:46 < reiffert> !welcome
09:46 < vpnHelper> reiffert: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:46 < reiffert> !goal
09:46 < vpnHelper> reiffert: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:46 < reiffert> I just wanna have world domination.
09:47 < nixfreak> !goal connect multiple vpn clients to a server to access an internal network 
09:47 < vpnHelper> nixfreak: Error: "goal" is not a valid command.
09:47 < NickWebHA> nix: It about about a week ago but I think that might have been it. I think the one I saw was more recent than 2005, however.
09:48 < krzee> !route
09:48 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:50 < nixfreak> http://darkness.codefu.org/wordpress/2007/06/14/279
09:50 < vpnHelper> Title: Disgusting way to roll your own OpenVPN 2.1rc4 Windows installer | darkness (at darkness.codefu.org)
09:50 -!- caution [n=caution@unaffiliated/caution] has joined ##openvpn
09:51 < krzee> http://torrentfreak.com/oink-admin-found-not-guilty-walks-free-100115/
09:51 < vpnHelper> Title: OiNK Admin Found Not Guilty, Walks Free | TorrentFreak (at torrentfreak.com)
09:51 < krzee> sweet
09:52 < krzee> openvpn2009, your irc handle is outdated ;]
09:52 < caution> heh
09:53  * krzee registers openvpn2010 with nickserv!
09:53 < krzee> hehe
09:54 < DarkAnt> sniped
09:55 < caution> on linux as the gateway, how do I forward a port from WAN to my openvpn LAN IP?
09:55  * reiffert registers openvpn-next-century with DNS registrar.
09:55 < reiffert> caution: using netfilter.
09:55 < krzee> caution, NAT
09:56 < krzee> err listen to reiffert over me
09:56 < krzee> hes likely less drunk
09:56 < reiffert> krzee: just guessing eh?
09:56 < krzee> yup
09:56 < krzee> i just woke up in someone else's bed with surprise...
09:56 < krzee> its an educated guess, lol
09:57 < reiffert> it was a boy?
09:57 < caution> will anyone help me out with the iptables syntax?
09:57 < krzee> yes, but he was on the floor and my girlfriend was in the bed with me
09:57 < reiffert> obvious surprise ;)
09:57 < krzee> (thank god)
09:58 < caution> I just need to know what roughly to look for on the man page
09:58 < reiffert> caution: !linnat
09:58 < caution> !linnat
09:58 < vpnHelper> caution: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
09:58 < reiffert> ah, stop, sorry, my fault.
09:58 < reiffert> you are looking for portforwarding, is it?
09:58 < caution> yeah
09:58 < caution> I'm already using linnat
09:58 < reiffert> manpage DNAT
09:59 < krzee> well the howto linked to at the end likely has it
09:59 < krzee> #3
09:59 < krzee> At the end of the two week trial the jury returned a unanimous verdict (12 to 0). Alan Ellis is not guilty of Conspiracy to Defraud the music industry. He walked out of Teesside Crown Court a free man today, his name cleared.
10:00 < krzee> oink, not guilty, i love it
10:00 < caution> expensive solicitors
10:01 < nixfreak> sweet he got off
10:01 < caution> he can afford them with his £20,000 month donations
10:02 < nixfreak> Torrent sites need to be more secure 
10:02 < nixfreak> like scene top sites
10:03 < reiffert> secure like everybody can get an account.
10:03 < NickWebHA> I am taking a break. I have no idea what I should be doing and perhaps a fresh pair of eyes later will help me see something I am missing.
10:03 < NickWebHA> Thanks for the help, guys. I bet you will be seeing me again in the future. :-P
10:04 < nixfreak> no need more private torrent sits
10:04 < nixfreak> sites 
10:04 -!- NickWebHA [n=nick@pool-74-108-117-104.nycmny.fios.verizon.net] has quit ["Leaving."]
10:14 -!- G-Script50 [n=sag@g230099182.adsl.alicedsl.de] has joined ##openvpn
10:15 -!- G-Script50 [n=sag@g230099182.adsl.alicedsl.de] has quit [Read error: 104 (Connection reset by peer)]
10:32 -!- dauergast [n=sag@g226237107.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)]
10:40 -!- Beira [n=_@port-12648.pppoe.wtnet.de] has joined ##openvpn
10:42 < DarkAnt> I'll assume the client isn't supposed to be restarting every 5 seconds
10:42 < reiffert> feature.
10:42 < DarkAnt> haha
10:47 -!- ScriptFan [i=vincent@2a01:240:fe35:0:21a:70ff:fea3:44ab] has quit [Remote closed the connection]
10:48 -!- Artio [n=_@port-12648.pppoe.wtnet.de] has quit [Connection timed out]
10:48 -!- Beira is now known as Artio
10:48 -!- ScriptFan [i=vincent@2a01:240:fe35:0:21a:70ff:fea3:44ab] has joined ##openvpn
10:53 -!- Artio [n=_@port-12648.pppoe.wtnet.de] has quit [" HydraIRC -> http://www.hydrairc.com <- \o/"]
10:59 -!- kyrix [n=ashley@chello213047159139.33.11.univie.teleweb.at] has joined ##openvpn
11:01 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
11:03 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
11:04 -!- napcae [n=napcae@i59F779EF.versanet.de] has joined ##openvpn
11:04 < napcae> hi
11:04 < napcae> can someone explain this?WARNING: potential route subnet conflict between local LAN
11:04 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Client Quit]
11:04 < napcae> clients can connect,but after disconnect they doens't have any connection anymore
11:08 < napcae> no one?
11:09 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
11:15 -!- xeviox [n=ben@dslb-088-064-006-039.pools.arcor-ip.net] has joined ##openvpn
11:15 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
11:16 < xeviox> hi guys, I've setup openvpn with routing on my server, but it seems that I have a routing error somewhere (no firewall problem, I've checked that)
11:16 < caution> maybe your lan and openvpn lan are using the same subnet and maybe that's not a good idea
11:16 < krzee> !route
11:16 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:17 < xeviox> someone told me that but my problem is little bit strange, let me explain
11:17 < krzee> if you have same subnets anywhere, its a problem
11:17 < xeviox> I have a remote subnet of 192.168.115.x at the client location
11:18 < xeviox> and the subnet at the servers location is 192.168.0.x (don't equals the clients one)
11:18 < krzee> then the vpn subnet cannot be that, nor can any subnet being shared over the vpn
11:18 < xeviox> krzee: why there can't be shared any subnet over the vpn?
11:18 < krzee> all that matters is the vpn subnet, and all subnets being routed over the vpn
11:18 < xeviox> vpn is left at default settings
11:18 < xeviox> the 10.8.0.x
11:18 < krzee> there ARE no default settings
11:19 < krzee> werd
11:19 < krzee> any subnet can be shared over the vpn, but then whatever subnet is shared over the vpn must not conflict with any others
11:19 -!- caution [n=caution@unaffiliated/caution] has quit []
11:19 < napcae> i don't geht why my local LAN is 10.8.0.0
11:19 < napcae> local LAN [10.8.0.0/255.255.255.0] and remote VPN [10.8.0.0/255.255.255.0]
11:19 -!- napcae [n=napcae@i59F779EF.versanet.de] has quit [Remote closed the connection]
11:19 < xeviox> in my case there are no conflicts, am I wrong?
11:19 -!- napcae [n=napcae@i59F779EF.versanet.de] has joined ##openvpn
11:19 < krzee> so if you share the 192.168.0.x subnet, no client in his own 192.168.0.x may use the vpn
11:20 < xeviox> thats clear
11:20 < xeviox> the client has a subnet of 192.168.115.x
11:20 < krzee> napcae, your lan at home is 10.8.0.0?
11:20 < xeviox> when I create the tunnel (works without any problem)
11:20 < xeviox> I can ping 10.8.0.1
11:20 < krzee> xeviox, cool
11:20 < krzee> so wheres the problem
11:20 < xeviox> and 10.8.0.6 (which was the clients ip)
11:21 < xeviox> also I can ping the servers local address (not lan address) from the client which is for example 192.168.0.50
11:21 < xeviox> but the problem is
11:21 < xeviox> that I can't ping any of the other computers in the servers lan
11:21 -!- kyrix [n=ashley@chello213047159139.33.11.univie.teleweb.at] has quit ["Leaving"]
11:21 < xeviox> like another server at 192.168.0.51
11:21 -!- napcae [n=napcae@i59F779EF.versanet.de] has quit [Read error: 54 (Connection reset by peer)]
11:22 < xeviox> the server pushes a route to 192.168.0.x 
11:22 < xeviox> but that seems to just work for the servers local address
11:22 < xeviox> not for any other computers
11:22 < xeviox> in that subnet
11:22 -!- napcae [n=napcae@i59F779EF.versanet.de] has joined ##openvpn
11:22 < napcae> !welcome
11:22 < vpnHelper> napcae: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:22 < xeviox> so there seems to be a routing error
11:22 < xeviox> somewhere ..
11:23 < krzee> [13:22]  <xeviox> the server pushes a route to 192.168.0.x 
11:23 < napcae> my home subnet is 192.168.0.1
11:23 < napcae> my home subnet is 192.168.0.0
11:23 < krzee> 'so you can have no clients from that subnet connect
11:23 < xeviox> krzee, yes it does
11:23 < napcae> and not 10.8.0.0
11:24 < xeviox> krzee, sure, like I've said, the client is at the subnet 192.168.115.x
11:24 < xeviox> but the client should get a connection to the servers subnet through the tunnel, right?
11:24 < krzee> no road warriors
11:25 < xeviox> the client is one
11:25 < krzee> then you should change your server subnet
11:25 < xeviox> server @ company (192.168.0.x) / client @ home (192.168.115.x)
11:25 < xeviox> why?
11:25 < xeviox> is there any conflict?
11:26 < krzee> you saidclient is road warrior
11:26 < xeviox> sorry I'm not that experienced with routing and networks ..
11:26 < krzee> he will find himself on a 192.168.0.0, its basically the most common subnet
11:26 < krzee> when he does, the vpn will break his routing
11:26 < xeviox> ok that's clear
11:26 < Bushmills> i wager a penny on 192.168.1.0 being the most common one
11:27 < xeviox> but the client has the subnet (192.168.115.x) which doesn't break the routing (afaik)
11:27 -!- napcae [n=napcae@i59F779EF.versanet.de] has quit [Remote closed the connection]
11:27 < xeviox> ^^
11:27 < krzee> Bushmills, i bet a beer when we meet one day
11:27 < krzee> xeviox, correct
11:27 < xeviox> ok
11:27 -!- napcae [n=napcae@i59F779EF.versanet.de] has joined ##openvpn
11:27 < xeviox> and the routing works for the servers local address
11:27 < Bushmills> beer agains penny - i'd be a fool not to take you on on that
11:27 < xeviox> but not for any other pc's
11:28 < xeviox> *computers
11:28 < krzee> beer against beer, i was raising the stakes ;]
11:28 < xeviox> so
11:28 < xeviox> any ideas what can couse such an error?
11:28 < xeviox> *cause
11:28 < krzee> xeviox, what error?
11:28 < xeviox> that the client couldn't reach other local addresses than the servers one
11:28 < napcae> any ideas why my tunnelblick client says that my localsubnet is 10.8.0.0?
11:29 < Bushmills> taken. penny is just dead weight. beer is active weight.
11:29 < krzee> did you read !route?
11:29 < xeviox> napcae, maybe that's the ip the vpn tunnel uses
11:29 < krzee> napcae, tunnelblick is reporting the vpn subnet
11:29 < xeviox> krzee: yes, which doesn't mean I've understand all ..
11:29 < krzee> which makes sense, its a vpn app...
11:29 < krzee> xeviox,
11:29 < xeviox> but like I said the server pushes a route to its local subnet
11:29 < napcae> so its my wrong server config?
11:29 < krzee> !ipforward
11:29 < vpnHelper> krzee: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
11:30 < xeviox> so this is what works / not works
11:30 < krzee> xeviox, did you read the section "ROUTES TO ADD OUTSIDE OPENVPN"
11:30 < xeviox> client (192.168.115.50) -> server (192.168.0.50) works
11:30 < krzee> sounds like thats the part you missed
11:30 < xeviox> k, I'll recheck :D
11:31 < krzee> basically, did you add a route to your router manually
11:31 < xeviox> !routing
11:31 < vpnHelper> xeviox: Error: "routing" is not a valid command.
11:31 < krzee> if not, thats the problem
11:31 < xeviox> !route
11:31 < krzee> !route
11:31 < vpnHelper> xeviox: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:31 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:31 < xeviox> a single route to the router at the server location or at my local location?
11:32 < krzee> Bushmills, and i actually think you're right, but i like beer and would happily buy you one when we find ourselves in the same location
11:32 < krzee> ;]
11:32 < napcae> i don't get it..
11:32 < napcae> i'll begin with a new server.conf, maybe thats help..
11:32 < xeviox> napcae: as openvpn uses a virtual network it has its own subnet which is 10.8.0.x by default (afaik)
11:32 < Bushmills> good beer available here and in some neighbouring countries
11:33 < xeviox> you'll find good beer here in germany :P
11:33 < krzee> napcae, you dont have a problem
11:33 < krzee> tunnelblick SHOULD be talking about your vpn subnet
11:33 < Bushmills> with the neighbouring countries being czech republic, belgium, and to some extent, poland too nowadays.
11:34 < napcae> i have a problem
11:34 < napcae> when i disconnect from vpn
11:34 < napcae> then i don't have any connection to internet
11:34 < krzee> xeviox, there is no default
11:35 < krzee> it just is the subnet commonly used in examples
11:35 < xeviox> k
11:35 < krzee> maybe germany is the next country i go to
11:35 < napcae> but why i get this warning message?
11:35 < Bushmills> napcae: i assume your default route was deleted
11:35 < krzee> when is summer Bushmills ?
11:35 < napcae> hmm
11:35 < krzee> napcae, what warning?
11:35 < Bushmills> so it couldn't be restored after disconnect
11:35 < Bushmills> !def1
11:35 < vpnHelper> Bushmills: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
11:35 < Bushmills> napcae:  ^^^^^
11:36 < xeviox> so if I get it right, I have to give the router add the server location a route to the vpn subnet (10.8.0.x for me)..
11:36 < krzee> correct
11:36 < napcae> already tried, that doesnt work either
11:36 < xeviox> think I've done that already, but I'm not sure if it works
11:36 < krzee> the router needs to know that 10.8.0.0 exists behind the gateway 192.168.0.50
11:36 < xeviox> is there a way to check if that's the problem?
11:37 < krzee> xeviox, a packet sniffer...
11:37 < xeviox> k sounds great :D
11:37 < xeviox> k, I'll use a packet sniffer on the server, if there is comming traffic back from another client, the route on the router should work, right?
11:37 < Bushmills> napcae: check your client route. if there's no default to your original/usual gateway, add it manually, or restart networking.
11:38 < Bushmills> then connect and disconnect openvpn again.
11:38 < xeviox> if there is no traffic coming back, it seems that the routing does not work ..
11:38 < Bushmills> test connectivity after that
11:38 < xeviox> k, thank you guys, will check that and maybe be back later
11:39 < xeviox> and check "Augustiner" beer if you are in Germany (Munich) ;)
11:39 < Bushmills> acceptable
11:39 < Bushmills> though i prefer andechser
11:39 < xeviox> ^^
11:40 < xeviox> ah ok, yes may be better but not that common as it's a smaller "company" (imho)
11:40 < Bushmills> i lived for a year close to the monastery :)
11:40 < xeviox> k, again: thank you, bbl
11:40 < napcae> the problem isn't dissapearing
11:40 < xeviox> ah cool
11:40 < Bushmills> was the locally available beer there
11:41 < napcae> after disconnect from vpn, no internetconnection
11:41 < xeviox> which city?
11:41 < Bushmills> bad kohlgrub
11:41 < napcae> netstat -nr does not show anything remakeble
11:41 < Bushmills> close to ogau
11:41 < Bushmills> (oberammergau)
11:41 < krzee> i still dont understand what the problem is napcae 
11:41 < xeviox> ^^
11:41 < krzee> as in, what is the symptom
11:41 < xeviox> k heard of it but never was there ^^
11:41 < xeviox> cu later ;)
11:41 < xeviox> bye
11:42 -!- xeviox [n=ben@dslb-088-064-006-039.pools.arcor-ip.net] has quit ["Ex-Chat"]
11:42 < napcae> problem: after disconnecting from vpn, no internet here
11:42 < krzee> ahh
11:42 < krzee> !def1
11:42 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
11:42 < napcae> already added!
11:42 < krzee> reboot, test
11:43 < napcae> sudo /etc/init.d/openvpn stop ; start
11:43 < krzee> negative
11:43 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
11:43 < krzee> you still dont have the route to default already
11:43 < napcae> reboot?
11:43 < krzee> from when you didnt have def1
11:43 < napcae> client or server
11:43 < krzee> well reboot or manually fix routing table first
11:43 < krzee> reboot is easier for me to know you did it right ;]
11:43 < krzee> the client, thats the only thing with an issue right?
11:44 < Bushmills> krzee: actually, reiffert intriduced me to a local brand of beer, which is quite good.
11:44 < krzee> and if you're pushing def1 be sure you restarted openvpn as you said above
11:44 < napcae> okay i reboot the client
11:44 < krzee> Bushmills, i believe all local beer (local to you) is good
11:44 < Bushmills> i think thar's his preferred beer here now, when he has the opportunity to get some of it
11:44 < napcae> cya
11:44 -!- napcae [n=napcae@i59F779EF.versanet.de] has quit ["Lost terminal"]
11:44 < krzee> the beer here is good, but they only have pilsner
11:45 < Bushmills> that's Volkerbräu, IIRC
11:45 < krzee> which does get old
11:45 < krzee> but better than costa rica... they only had pilsner and it sucked
11:45 < krzee> i could def go for some pale ale
11:45 < krzee> or some heffe
11:46 < Bushmills> hefe. the brand xeviox mentioned makes some good hefe
11:46 < krzee> mmm
11:46 < Bushmills> but actually, one of the cheapest mass-produced beer here is actually quite acceptable
11:47 < krzee> the mass produced stuff from usa is complete crap
11:47 < krzee> but the smaller places ave some good stuff
11:47 < Bushmills> they don't advertise for their brew
11:48 < Bushmills> oh well we can do a blind test on that brand with you
11:48 < krzee> yesyes!
11:48 < Bushmills> i reckon you'll be surprised to find out which one was the cheap brew
11:48 < krzee> dude come out here sometime and we'll rock the super blind rum taste test
11:48 < krzee> my rum collection is growing
11:49 < krzee> brought some back from costa rica dutyfree from guatemala and nicaragua
11:49 < Bushmills> hehe. i am just working on a bottle of rum
11:49 < krzee> and of course im stocked on caribbean rum
11:49 < Bushmills> actually, the cause why we weren't admitted to a local club
11:49 < Bushmills> had my flask full with it
11:49 < krzee> the keychain flask?
11:49 < krzee> or a real one
11:50 -!- napcae [n=napcae@i59F779EF.versanet.de] has joined ##openvpn
11:50 < napcae> okay still not working
11:50 < Bushmills> no, there was cognac in that one.  a larger one, 8 oz.
11:50 < krzee> napcae, logs?
11:50 < napcae> client?
11:50 < Bushmills> the one which has to come to rescue with poor coffee or tea
11:50 < krzee> both
11:51 < napcae> client http://pastebin.com/m713fc8fe
11:51 < napcae> where can i find the log for server?
11:51 < krzee> Bushmills, they search you when you enter?
11:51 < Bushmills> there they did
11:51 < napcae> because theres nothing in openvpn-status.log
11:51 < krzee> they dont even do that in usa
11:51 < krzee> openvpn-status isnt a log
11:51 < Bushmills> didn't find my ceramic blade knife, but the flask they did
11:51 < krzee> its a status file
11:52 < napcae> okay
11:52 < krzee> Bushmills, what makes me laugh is airports taking my water but leaving me my fully charged laptop battery
11:52 < Bushmills> ah, yes.  their metal detectors are also not 100%
11:52 < krzee> client is on 192.168.0.0 subnet?
11:52 < Bushmills> on a flight they missed my (forgotten to take it off) leatherman
11:53 < Bushmills> was just carrying it on my belt
11:53 < krzee> my laptop battery holds as much stored energy as a hand grenade
11:53 < krzee> just make the wrong connection and BOOM
11:53 < krzee> but i cant have my water
11:53 < krzee> must buy their $2 water, lol
11:53 < Bushmills> yeah. energy densitiy is higher than that of dynamite
11:54 < krzee> napcae, client is on 192.168.0.0 subnet?
11:54 < Bushmills> though the "boom" is more like a "woooosh"
11:54 < napcae> jep
11:54 < krzee> there the problem
11:54 < napcae> gateway(router) is 192.168.0.1
11:54 < krzee> 2010-01-16 18:47:30 /sbin/route add -net 192.168.0.0 10.8.0.5 255.255.255.0
11:54 < krzee> you're trying to route that subnet over the vpn
11:54 < napcae> okay
11:55 < krzee> which breaks your routing
11:55 < krzee> you either have route 192.168.0.0 in your client config, or you push it from server config
11:55 < krzee> is the server on a lan of 192.168.0.0?
11:55 < napcae> yes
11:55 < krzee> and you want to use that lan over the vpn?
11:55 < napcae> yes
11:56 < napcae> it worked yet
11:56 < krzee> you must change the server lan
11:56 < krzee> the subnet
11:56 < napcae> but why i have to do that now?it already worked before..
11:56 < krzee> to something uncommon
11:56 < napcae> thats so strange
11:56 < krzee> when it worked you werent on a conflicting subnet
11:56 < krzee> or you didnt push that subnet to the client
11:56 < krzee> 1 of the 2
11:59 < DarkAnt> VERIFY ERROR: depth=1, error=self signed certificate in certificate chain
11:59 < krzee> DarkAnt, you messed up when making your certs
11:59 < DarkAnt> yeah, I figured as much
11:59 < krzee> do it again using the howto as your guide, OR use ssl-admin
11:59 < krzee> !howto
11:59 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:59 < krzee> !ssl-admin
11:59 < DarkAnt> but I followed the howto
11:59 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
11:59 < krzee> hence the word 'again' ;]
12:00 < DarkAnt> haha
12:00 < DarkAnt> ok
12:00 < napcae> so i have to change my subnet now?
12:01 -!- DelphiWorld [n=Miranda@41.104.68.129] has joined ##openvpn
12:01 < DelphiWorld> hi dear all
12:01 < krzee> napcae, correct
12:01 < napcae> side note: my friend is sitting here; he#s got a netbook and he can join from the same network
12:01 < DelphiWorld> any web gui to build an VPN based on openvpn?
12:01 < napcae> he has also a connection
12:01 < napcae> and after disconnection vpn, he s still got a internet connection 
12:01 < krzee> DelphiWorld, openvpnAS uses a web gui, but we dont support it here
12:02 < krzee> napcae, his logs?
12:02 < napcae> jap
12:02 < krzee> napcae, and regardless of anything you say, YOU CAN NOT PUSH YOUR LOCAL LAN SUBNET OVER THE VPN WITHOUT UNWANTED SIDE-EFFECTS
12:02 < krzee> just to be extra clear ;]
12:02 < DelphiWorld> krphop: ok
12:03 < krzee> DelphiWorld, but you likely dont need a gui
12:03 < krzee> see this:
12:03 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
12:03 < krzee> !sample
12:03 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
12:03 < krzee> !howto
12:03 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:03 < krzee> howto for generating the keys
12:03 < DelphiWorld> krphop: ok thx
12:03 < krzee> sample is a good starting point, is a basic vpn connection  just to connect to the single machine
12:03 < DelphiWorld> my problem is only linux accessibility;)
12:03 < krzee> to build on that:
12:03 < krzee> !goal
12:03 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:03  * DelphiWorld is blind
12:04 < krzee> you dont need linux
12:04 < DelphiWorld> and i think krphop you know me allready;)
12:04 < krzee> it works on linux,bsd,windows,osx,solaris
12:04 < DelphiWorld> krphop: i have a VPS in linux
12:04 < krzee> im krzee ;]
12:04 < krzee> i know you?
12:04 < krzee> from here?
12:04 < napcae> http://pastebin.com/m75abea11
12:04 < DelphiWorld> krphop: algeria
12:04 < krzee> i mean this channel
12:04 < DelphiWorld> krphop: i see your nick allready before, and i think we talked allready
12:05 < napcae> since i changed my server.conf, he also don't have internetconnection while is connected to the vpn; but after disconnecting
12:05 < krzee> cool
12:05 < krzee> right
12:05 < krzee> napcae, exactly
12:06 < napcae> after disconnection, he has internetconnection again
12:06 < krzee> he doesnt ACTUALLY have a connection to the vpn
12:06 < krzee> he connects and loses his route to the internet
12:06 < krzee> which means he loses his connection to the vpn
12:06 < napcae> hmm
12:08  * krzee loves ssh'ing to his mac when his girlfriend is on it and using the say command
12:08 < krzee> freaks her out
12:08 < krzee> i need to remember to setup a vpn to home to do that to her when im not home
12:10 < napcae> ..
12:10 < napcae> okay the warning dissapears
12:11 < napcae> without changing the subnet
12:11 < krzee> sure, by not pushing the route
12:11 < DelphiWorld> krzee: thx
12:11 -!- DelphiWorld [n=Miranda@41.104.68.129] has left ##openvpn ["I'm a happy Miranda IM user! Get it here: http://miranda-im.org"]
12:11 < napcae> jep
12:13 < napcae> -.-' thats so strange..
12:13 < napcae> okay gotta go, thank u guys
12:13 < krzee> its only a problem when you push the route
12:13 < krzee> but if you need to access server lan, you need to change that subnet
12:13 < krzee> then push the route
12:13 < krzee> then add a route to that lans router
12:13 < napcae> hm
12:13 < krzee> (assuming the server isnt on the router)
12:14 < napcae> i don't get, becuase it really worked 100%gg
12:14 < napcae> with the same configuration..
12:16 < krzee> lol
12:16 < krzee> listen to me or dont
12:16 < krzee> but the only way to have it working right is by listening ;]
12:16 < DarkAnt> *shrugs* it works now
12:16 < krzee> (i assume thats why you're here)
12:16 < DarkAnt> oh
12:16 < DarkAnt> I know what I did
12:16 < DarkAnt> ok
12:16 < DarkAnt> I didn't delete the old certs and stuff
12:17 < DarkAnt> I just used clean-all
12:17 < napcae> jep, i'll
12:17 < napcae> thank u again
12:17 < napcae> gotta go!!
12:17 < napcae> bye
12:17 -!- napcae [n=napcae@i59F779EF.versanet.de] has quit ["leaving"]
12:17 < DarkAnt> things are working now
12:17 < DarkAnt> huzza!
12:17 < krzee> cool what did you change?
12:18 < DarkAnt> clean-all doesn't delete the stuff in /ect/openvpn
12:18 < DarkAnt> it just gets the stuff in /etc/openvpn/easy-rsa/keys
12:18 < krzee> right
12:19 < DarkAnt> well now we both know :P
12:23 -!- stony [n=ol@77-21-120-206-dynip.superkabel.de] has joined ##openvpn
12:23 < stony> hi
12:23 < stony> i know this is a weird question but can i create a connection without encryption ?
12:23 < reiffert> stony: hi. yes you can.
12:24 < stony> reiffert: only disallowing all encryption ciphers ?
12:24 < reiffert> stony: I'm not into it, but I've read that it will work. Guess it was when reading the manpage.
12:25 < stony> ok, i'll recheck the manpage
12:25 < stony> other question: can i use environmental variables inside the openvpn config file ?
12:25 < stony> eg $USER order %USERNAME% on winodow ?
12:26 < reiffert> You might wanna read the chapter about environmental variables.
12:27 < stony> reiffert: but this section only applies to vars exported by openvpn to the env the script is run in
12:27 < stony> i need vars inside the openvpn config file
12:27 < reiffert> Think about the time when you need the vars and have them in the scripts that run at this particular time.
12:29 < stony> reiffert: i would need cryptopapicert "SUBJ:%USERNAME%"
12:29 < stony> in the client config file
12:29 < reiffert> I can't find cryptopapicert in the manpage.
12:30 < stony> http://www.openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html
12:30 < vpnHelper> Title: OpenVPN 2.1 (at www.openvpn.net)
12:30 < reiffert> I cant find that word there neither
12:31 < stony> eer?
12:31 < reiffert> "cryptopapicert"
12:32 < stony> ah you found a typo
12:32 < stony> my hero ;)
12:32 < stony> try "cryptoapicert"
12:33 < reiffert> api vs papi ;)
12:40 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: krzie, Dougy, mrnice1
12:46 -!- krzie [n=krzee@unaffiliated/krzee] has joined ##openvpn
12:46 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
12:48 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: krzie, mrnice1
12:48 -!- krzie_ [n=krzee@butters.secure-computing.net] has joined ##openvpn
12:49 -!- Netsplit over, joins: mrnice1
12:51 -!- McManiaC [n=McManiaC@n-sch.de] has joined ##openvpn
12:51 < McManiaC> hey, is it possible to limit traffic of client xy with openvpn?
12:52 < stony> McManiaC: sure - use traffic shaping
12:52 < stony> qos/cos/tos are the magic words on linux :)
12:52 < McManiaC> okay
12:52 < McManiaC> and is it possible to split that traffic over several vpn servers?
12:53 < McManiaC> or use server a until traffic limit is reached, then change to server b?
12:53 < stony> McManiaC: do you mean channel bonding or load balancing ?
12:53 < stony> you can define more than one connection profile on the "client"-side
12:53 < stony> and if the traffic limit on server a is reached, deny the connection
12:53 < stony> then the client will automagically connect to server b
12:54 < McManiaC> can you tell the client which server to use?
12:54 < McManiaC> serverside
12:54 < stony> McManiaC: either by roundrobin or by sequential testing
12:54 < stony> McManiaC: you can use the <connection /> tags to do this
12:55 < stony> McManiaC: check it out at the top of the manual: http://www.openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html
12:55 < vpnHelper> Title: OpenVPN 2.1 (at www.openvpn.net)
12:55 < stony> no that's not possible
12:55 < stony> as you can't push options that execute scripts this won't work
12:57 < McManiaC> that qos stuff, is that part of vpn? or do you need iptables/whatever?
12:58 < krzee> --shaper is in the vpn
12:58 < stony> McManiaC: it's mostly done through the "tc" command
12:58 < krzee> iptables or whatever will get more done
12:58 < krzee> but --shaper does exist
12:58 < krzee> !man
12:58 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
12:58 < stony> krzee is right - there is a way to do this on the openvpn side :)
12:59 < McManiaC> ok
13:01 < McManiaC> what do you need to connect two servers?
13:01 < stony> ?
13:01 < McManiaC> so they share the same network, like for example irc servers work
13:01 < stony> I don't really get what you mean
13:01 < McManiaC> is it possible to setup one vpn using two servers?
13:02 < krzee> you can create another vpn connection between the servers
13:02 < McManiaC> so you can connect to either the one or the other server
13:02 < stony> sure
13:02 < stony> best way to do this would be to use a pki
13:02 < krzee> dont think of it as connecting 2 vpn servers
13:02 < krzee> think of it as connecting those 2 computers
13:02 < krzee> then its just another vpn connection ;]
13:02 < krzee> however, why would you need that?
13:02 < stony> krzee: i guess what he meant is to have two systems that provide access to the same subnet on the other side
13:03 < McManiaC> well thats not exactly what I'm looking for
13:03 < stony> for failover/loadbalancing :)
13:03 < McManiaC> yup
13:03 < nixfreak> is there a limit on how many client you can have connected to a openVPN server ? 
13:03 < krzee> wouldnt carp on server side be better?
13:03 < stony> McManiaC: problem can be routing/brouting to the vpn-access-machines 
13:03 < stony> McManiaC: but if you handle this, there shouldn't be any problem
13:04 < stony> McManiaC: the sky is the limit, or better your hardware and it's performance
13:04 < nixfreak> do accel cards help out a lot for that 
13:07 < McManiaC> well, my problem is that my servers all have limited traffic… and with vpn all the traffic between clients would cause the vpn servers traffic to go up a lot
13:09 < McManiaC> so I want to share that traffic over my servers to allow a greater total number of traffic
13:09 < stony> McManiaC: i would try to find a connection with better conditions
13:11 < McManiaC> hmm
13:12 < krzee> McManiaC, 
13:12 < krzee> is most your traffic gunna be between clients?
13:12 < McManiaC> yes
13:12 < krzee> you might want a different vpn solution
13:12 < krzee> hamachi and ipsec handle clients talking direct
13:12 < Bushmills> why would traffic between servers go up a lot with openvpn, unless it is additional traffic, instead of migrated from non-vpn to vpn traffic?
13:12 < krzee> (i basically NEVER say anything like that)
13:13 < krzee> however for your exact situation, much easier to use one of those and not have client to client traffic travel over the server
13:13 -!- ruied [n=ruied@bl7-213-7.dsl.telepac.pt] has joined ##openvpn
13:13 < McManiaC> hmkay
13:13 < stony> my "vpn bridgeheads" are dedicated servers...
13:14 -!- tommyd3mdi [n=tommyd@f053097062.adsl.alicedsl.de] has joined ##openvpn
13:16 < McManiaC> is hamachi available for linux? i thought it was a windows tool ^^
13:18 < krzee> no idea
13:18 < Bushmills> doesn't matter, there is openvpn for linux
13:19 -!- tommyd3mdi [n=tommyd@f053097062.adsl.alicedsl.de] has quit [Client Quit]
13:20 < krzee> Bushmills, his traffic is heavy on client to client, which will cause his server to run out of bandwidth
13:20 < krzee> his orig question is how to balance that over multiple servers
13:20 < krzee> however i told him that if he doesnt use openvpn he can get client to client traffic direct without it going over the server
13:20 < krzee> for him that sounds like the better solution
13:21 < McManiaC> yeah…
13:21 < krzee> better than hacking up some convoluted balancing act with ovpn
13:21 < Bushmills> giving up one traffic-limited server, and taking a (probably cheaper) unlimited one may be the easiest solution 
13:21 < Bushmills> McManiaC: how much do you pay for one?
13:21 < stony> yeah a dedicated one with unlimited bandwith :)
13:22 < McManiaC> I'm actually looking for a unlimited bandwith one
13:22 < Bushmills> less than 50 €?
13:22 < McManiaC> but most of them are either very expensiv or more like "yeh, we dont charge you but we'll cut down your general bandwith"
13:22 < stony> in germoney you get at least 10tb/month for 50€
13:23 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)]
13:23 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
13:24 < Bushmills> unlimited *traffic* or unlimited *bandwidth* ???
13:24 -!- DelphiWorld [n=Miranda@41.104.68.129] has joined ##openvpn
13:24 < DelphiWorld> hi
13:24 < DelphiWorld> krzee: do we support win32 here?
13:24 < stony> Bushmills: unlimited bandwith with 10tb traffic/month
13:24 < krzee> in regards to openvpn, yes
13:24 < DelphiWorld> krzee: i am connected now; good info krzee!
13:25 < krzee> =]
13:25 < DelphiWorld> krzee: but the trafic in win32 is not going troug openvpn tunnel... why?
13:25 < Bushmills> i think practical limits are at 10 gbit per second bandwidth right now.  unlimited may be out of reach.  
13:25 < stony> DelphiWorld: routing wrong
13:25 < krzee> !redirect
13:25 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:25 < stony> Bushmills: yeah - but i guess your cpu power won't stand 10gbit/s if it's encoded and routed through one or more vpn tunnels
13:26 < DelphiWorld> krzee: how to plz in an windows machine?
13:26 < krzee> !winipforward
13:26 < vpnHelper> krzee: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
13:26 < krzee> !winnat
13:26 < vpnHelper> krzee: "winnat" is http://support.microsoft.com/kb/306126 for windows nat (windows calls it internet connection sharing aka ICS)
13:26 < Bushmills> and many routers still work with 100 mbit/sec.  conflicting even more with unlimited bandwidth
13:26 < krzee> Bushmills, he means traffic limit
13:27 < Bushmills> that's why i asked
13:27 < Bushmills> but he insists on bandwidth
13:27 < krzee> he'ld prolly get it right in german ;]
13:27 < stony> are you talking about me ?
13:27 < Bushmills> no
13:27 < krzee> whoever insists on the word bandwidth
13:28 < Bushmills> about McManiaC 
13:28 < krzee> out of who is active right now im the only non german
13:28 < Bushmills> we can adopt you
13:28 < krzee> yay!
13:28 < krzee> whens summer there?
13:28 < krzee> august or feb?
13:28 < stony> krzee: we're in the mittle of winter now
13:28 < stony> -17°C a few days ago
13:28 < McManiaC> Bushmills: traffic
13:28 < stony> august
13:28 < Bushmills> or declare you honarary German
13:28 < stony> s/mittle/middle
13:29 < krzee> Bushmills, i need to prove myself with beer first dont i?
13:29 < stony> we could assimilate him - then he wouldn't care about summer/winter :D
13:29 < Bushmills> about july is when summer scorches 
13:29 < Bushmills> better that than with a sample devouring of nieuwe haring
13:30 < krzee> sweet
13:30 < stony> the german purity law is the oldest law we have :) so beer shouldn't be a problem ;)
13:30 < krzee> i get a vacation in august
13:30 < krzee> i will hafta try to make it out there if you and reif will be around
13:30 < Bushmills> very likely
13:32 < krzee> i know some girls out there too, will hafta see what part they're in
13:32 < krzee> they were in san diego
13:32 < krzee> fun chicks
13:33 < krzee> is english pretty common there?
13:33 < Bushmills> yes, lot of folks speak english
13:33 < Bushmills> though you don't hear it frequently. not much opportunity to use it
13:34 < Bushmills> some sound a bit like the TV crook of german origin
13:34 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
13:34 < Bushmills> menny problems wiz ze "th"
13:35 < Bushmills> reiffert likes the idea too he says
13:35 < Bushmills> i just drew his attention on your intention
13:36 < Bushmills> he's affirmatively not opposed against the notion of lifting some pints
13:37 < krzee> yesyes!
13:37 < reiffert> I enjoy it, whatever it takes :)
13:37 < reiffert> got to run, bbl
13:44 -!- kyrix [n=ashley@chello213047159139.33.11.univie.teleweb.at] has joined ##openvpn
13:50 -!- LobbyZ [n=default@main.lobbyzffs.com] has quit ["Free FTW"]
13:50 -!- LobbyZ [n=im@c83-251-23-194.bredband.comhem.se] has joined ##openvpn
13:51 -!- LobbyZ [n=im@c83-251-23-194.bredband.comhem.se] has quit [Read error: 104 (Connection reset by peer)]
13:51 -!- LobbyZ [n=im@c83-251-23-194.bredband.comhem.se] has joined ##openvpn
13:54 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
13:55 -!- DelphiWorld [n=Miranda@41.104.68.129] has quit [Read error: 110 (Connection timed out)]
13:55 -!- gallatin [n=gallatin@dslb-092-073-078-087.pools.arcor-ip.net] has joined ##OpenVPN
13:56 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
13:58 -!- LobbyZ [n=im@c83-251-23-194.bredband.comhem.se] has quit [Read error: 60 (Operation timed out)]
13:58 -!- LobbyZ [n=im@c83-251-23-194.bredband.comhem.se] has joined ##openvpn
14:06 -!- LobbyZ` [n=default@main.lobbyzffs.com] has joined ##openvpn
14:08 -!- LobbyZ [n=im@c83-251-23-194.bredband.comhem.se] has quit [Remote closed the connection]
14:08 -!- LobbyZ [n=im@c83-251-23-194.bredband.comhem.se] has joined ##openvpn
14:09 < DarkAnt> rock out! I totally have openvpn working. Thanks for all of the help everyone :)
14:09 < krzee> =]
14:11 < DarkAnt> now I just need to figure out how to get the firewall rules to play nice in centos
14:11 < DarkAnt> The iptables stuff seems to be handled by system-config-securitylevel
14:12 < DarkAnt> because when I thought I was punching holes through my firewall, I was not
14:12 < DarkAnt> that program controls the iptables stuff I guess :/
14:19 -!- LobbyZ [n=im@c83-251-23-194.bredband.comhem.se] has quit [Remote closed the connection]
14:19 -!- LobbyZ [n=im@c83-251-23-194.bredband.comhem.se] has joined ##openvpn
14:26 -!- LobbyZ [n=im@c83-251-23-194.bredband.comhem.se] has quit [Read error: 60 (Operation timed out)]
14:27 -!- LobbyZ [n=im@c83-251-23-194.bredband.comhem.se] has joined ##openvpn
14:37 -!- LobbyZ [n=im@c83-251-23-194.bredband.comhem.se] has quit [Remote closed the connection]
14:37 -!- LobbyZ [n=im@c83-251-23-194.bredband.comhem.se] has joined ##openvpn
14:47 -!- LobbyZ [n=im@c83-251-23-194.bredband.comhem.se] has quit [Remote closed the connection]
14:47 -!- LobbyZ [n=im@c83-251-23-194.bredband.comhem.se] has joined ##openvpn
14:55 -!- LobbyZ [n=im@c83-251-23-194.bredband.comhem.se] has quit [Read error: 60 (Operation timed out)]
14:55 -!- LobbyZ [n=im@c83-251-23-194.bredband.comhem.se] has joined ##openvpn
14:56 -!- LobbyZ [n=im@c83-251-23-194.bredband.comhem.se] has quit [Read error: 104 (Connection reset by peer)]
14:56 -!- LobbyZ [n=im@c83-251-23-194.bredband.comhem.se] has joined ##openvpn
15:06 -!- LobbyZ [n=im@c83-251-23-194.bredband.comhem.se] has quit [Remote closed the connection]
15:06 -!- LobbyZ [n=im@c83-251-23-194.bredband.comhem.se] has joined ##openvpn
15:06 -!- LobbyZ [n=im@c83-251-23-194.bredband.comhem.se] has quit [Read error: 104 (Connection reset by peer)]
15:07 -!- LobbyZ [n=im@c83-251-23-194.bredband.comhem.se] has joined ##openvpn
15:07 -!- LobbyZ [n=im@c83-251-23-194.bredband.comhem.se] has quit [Read error: 104 (Connection reset by peer)]
15:07 -!- LobbyZ [n=im@c83-251-23-194.bredband.comhem.se] has joined ##openvpn
15:20 -!- mithridates [n=chatzill@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
15:21 < mithridates> hey guys
15:21 < mithridates> what do you recommend me ? openbsd or centos for installing on my server
15:22 < stony> debian
15:22 < mithridates> no
15:22 < stony> then get bsd
15:22 < mithridates> I have two options 1-centos 2-openbsd
15:24 < mithridates> I have two options 1-centos 2-openbsd
15:26 -!- ruied [n=ruied@bl7-213-7.dsl.telepac.pt] has left ##openvpn []
15:43 < DarkAnt> are you going to do anything else with this server?
15:43 < DarkAnt> if you are, you might want centos, if not, use openbsd
15:43 -!- Optic [n=Optic@miso.capybara.org] has left ##openvpn []
15:45 < mithridates> DarkAnt: :( I told them to install centos
15:45 < mithridates> yest just I wanted to serve vpn
15:46 < DarkAnt> well if the server is just a toy it really doesn't matter
15:47 < mithridates> no it's not a toy
15:47 < DarkAnt> I would have gone with openbsd then
15:47 < mithridates> DarkAnt: I want to serve openvpn for more than 100 clients
15:48 < mithridates> I don't like rpm based distros but I don't know about bsd systems
15:48 < mithridates> DarkAnt: do you know any web based certificate management system?
15:48 < mithridates> I want to manage my certificates
15:49 < DarkAnt> to be honest I'm not sure centos has an rpm for openvpn. I got mine from DAG
15:49 < DarkAnt> mithridates: sorry, I just got my openvpn server going
15:49 < DarkAnt> I'm a newbie
15:49 < DarkAnt> its just a toy for me
15:49  * stony advises debian (sid)
15:49 < mithridates> DarkAnt: doesn't matter I know how to install openvpn
15:49 < mithridates> aha ok
15:49 < DarkAnt> well where were you when I was having all of that trouble?! :P
15:51 < mithridates> did you install it ?
15:51 < mithridates> you should enable epel and remi repositories on your centos
15:52 < mithridates> then you can install openvpn but that's not the official version for centos
15:52 < mithridates> but it works
15:53 < mithridates> !openssl
15:53 < vpnHelper> mithridates: Error: "openssl" is not a valid command.
15:53 < mithridates> !ssl
15:53 < vpnHelper> mithridates: Error: "ssl" is not a valid command.
16:04 -!- buntfalke_ is now known as buntfalke
16:16 -!- tommyd3mdi [n=tommyd@f053097062.adsl.alicedsl.de] has joined ##openvpn
16:23 -!- Dougy [n=me@ool-435033e6.dyn.optonline.net] has joined ##openvpn
16:26 -!- nixfreak [i=d872c45a@gateway/web/freenode/x-oetmdjucanzpbzgi] has quit ["Page closed"]
16:27 < krzie_> <mithridates> DarkAnt: do you know any web based certificate management system?
16:27 < krzie_> there is SOMETHING on sourceforge
16:27 < krzie_> but its way old and i havnt heard good things bout it
16:28 < krzie_> you might find you like ssl-admin tho
16:28 < krzie_> perl menu driven system for managing certs
16:31 < krzie_> but if you decide to go with a web system for that, be very careful
16:31 < krzie_> make sure that specific webserver has no inet access
16:31 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
16:31 < krzie_> your CA machine is the most important piece of your vpn's security
16:31 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
16:32 < krzie_> i suggest giving it no network access whatsoever
16:32 -!- krzie_ is now known as krzie
16:32 -!- krzie [n=krzee@unaffiliated/krzee] has left ##openvpn []
16:32 -!- krzie [n=krzee@unaffiliated/krzee] has joined ##openvpn
16:34 < Bushmills> i think you could connect to a vnc server with a java applet from  a web browser, and start a shell there. even though that's not exactly web based, it is at least usable through web browser.  there, in that shell, you can administrate certificates as you please.
16:35 < Bushmills> i just assume that "web based" means "usable through web browser"
16:36 < krzie> and if the problem is people dont know unix, you can either automate it in bash or give them an account which automaticly runs ssl-admin, copies the new zip of certs + config to usb, and exits
16:36 < krzie> youd just put the commands in their .profile
16:36 < krzie> i personally do that for the people in this office to use that 3000+ line shell script i wrote
16:36 < Bushmills> this approach has the advantage that it can be use without browser in identical way
16:37 < krzie> oops when i said automate in bash i meant in batch, like windows scripting
16:37 < mithridates> let me to read what you've written
16:39 -!- gallatin [n=gallatin@dslb-092-073-078-087.pools.arcor-ip.net] has quit [Read error: 113 (No route to host)]
16:40 < mithridates> krzie: thus, there is no web based app for this purpose . how can I know the structure of openssl and the relation with openvpn
16:40 < mithridates> I used to easy-rsa
16:40 < krzie> http://sourceforge.net/projects/openvpn-admin/
16:40 < vpnHelper> Title: Multiplatform Admin GUI for OpenVPN | Get Multiplatform Admin GUI for OpenVPN at SourceForge.net (at sourceforge.net)
16:40 < mithridates> I've seen that krzie 
16:40 < krzie> but ive heard bad things bout it
16:41 < krzie> mithridates i dont understand the question
16:41 < mithridates> krzie: it couldn't satisfy me
16:41 < mithridates> I wanna know the relation between openvpn and openssl
16:42 < krzie> openssl generates the certs and handles all encryption
16:42 < mithridates> what about easy-rsa
16:42 < krzie> openvpn doesnt do any of its own encryption, openssl does
16:42 < mithridates> easy-rsa is a script which make it easier?
16:42 < krzie> easy-rsa is a  suitce of scripts for using openssl to make certs
16:42 < krzie> suite
16:43 < krzie> ssl-admin is my favorite alternative to easy-rsa
16:43 < mithridates> do u recommend it?
16:43 < mithridates> !ssl-admin
16:43 < vpnHelper> mithridates: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
16:43 < krzie> which i think ive recommended to you a couple times ;]
16:43 < mithridates> yes
16:44 < mithridates> but it didn't have any documentation
16:44 < mithridates> does it have?
16:44 < krzie> it comes with a man page
16:44 < mithridates> I thought it is an app without good support
16:44 < mithridates> aah ok
16:44 < mithridates> what about installation document?
16:44 < krzie> well the author helps run this channel
16:44 < mithridates> because I wanna install it on centos
16:44 < krzie> and is very active here
16:44 < mithridates> I think you are the author
16:45 < krzie> (ecrist)
16:45 < mithridates> aah ecrist 
16:45 < krzie> nope, i just use it and love it
16:45 < mithridates> yes
16:45 < mithridates> :)
16:45 < mithridates> so I'm gonna use it too
16:45 < krzie> im not much of a coder, reiffert will back up that statement ;]
16:45 < mithridates> is it possible to install it on centos?
16:46 < krzie> i hope so
16:46 < krzie> i hacked up the linux install, never tested on centos
16:46 < krzie> grab it, then ./configure and then make
16:46 < mithridates> aah ok
16:46 < krzie> its really ugly but as i said im not a coder
16:47 < krzie> if i was i woulda made the Makefile right instead of using ./configure
16:47 < krzie> maybe we can convince bushmills to help with that part sometime ;]
16:48 < mithridates> :D
16:48 < mithridates> oh by the way
16:48 < Bushmills> nothing wring with autoconfig
16:48 < Bushmills> wrong
16:48 < mithridates> I saw a perl script over there
16:48 < krzie> check out what i did to ssl-admin sometime if you get a chance bushmills, it'll hurt to look at
16:49 < krzie> i made the ./configure and the Makefile to work with it
16:49 < Bushmills> generating a Makefile is often better than writing one yourself, when you need to take account of what is available on a system
16:49 -!- mintaka [n=kosmic@thefuckin.net] has quit [SendQ exceeded]
16:49 -!- Zordrak_ [n=jaz@87-194-141-163.bethere.co.uk] has quit [Read error: 60 (Operation timed out)]
16:49 < krzie> gotchya, but im still sure my way is notn only ugly but also wrong
16:49 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
16:49 < krzie> but it worked on all systems i tested it on!
16:49 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
16:50 < mithridates> krzie: do you recommend me to install it on my centos? 
16:50 < mithridates> I'm wondering about it
16:50 < krzie> yes, and pls lemme know how that goes
16:50 < krzie> and read the link in !ssl-admin
16:50 < krzie> !ssl-admin
16:50 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
16:50 < krzie> #1
16:51 < krzie> theres some dependancies
16:51 < krzie> like zip
16:51 -!- Zordrak [n=jaz@87-194-141-163.bethere.co.uk] has joined ##openvpn
16:51 < mithridates> aah ok
16:51 < krzie> oh that link doesnt list them
16:51 < mithridates> so help me plz if I get problem in installation
16:51 < krzie> im sure it'll complain about the deps tho
16:52 < krzie> sure, thats what we do here =]
16:52 < mithridates> there is no even a tar.gz package :)
16:52 < krzie> nope, subversion 
16:52 < Bushmills> mithridates: what are the companies which you are targetting doing in Iran?
16:52 < krzie> svn co
16:54 < mithridates> Bushmills: it's not a company, it's an illegal job for getting  internet access without filtering to some people 
16:59 < rob0> in other words, subversion! :)
17:01 -!- EwanMcLean [n=ewanmcle@89.241.235.97] has joined ##openvpn
17:03 < krzie> oooo who made the RIPRouting doc!??
17:04 -!- EwanMcLean [n=ewanmcle@89.241.235.97] has left ##openvpn []
17:04 < krzie> thats coolness of them to document it
17:04 < krzie> !learn rip as http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting for a writeup on using RIP in openvpn
17:04 < vpnHelper> krzie: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
17:05 < krzie> !learn rip as http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting for a writeup on using RIP in openvpn
17:05 < vpnHelper> krzie: Joo got it.
17:06 < krzie> !learn mesh as see !rip
17:06 < vpnHelper> krzie: Joo got it.
17:09 < mithridates> krzie: I did : ./configure then make install
17:09 < mithridates> krzie: is it installed?
17:10 < mithridates> krzie: :D yes I think it has installed
17:10 < krzie> well it should be
17:10 < krzie> try man ssl-admin
17:11 < mithridates> yes I saw that
17:11 < mithridates> :)
17:14 < mithridates> krzie: I got it "Did you copy the sample from /etc/ssl-admin/ssl-admin.conf.sample?" but there is just one file :/etc/ssl-admin/ssl-admin.conf.default
17:15 -!- Dougy [n=me@ool-435033e6.dyn.optonline.net] has quit []
17:15 < krzie> just copy that file to not have .sample and modify it to your needs
17:21 < vpnHelper> New forum entry openvpnforum: Wishlist :: adaptive tls-server / tls-client :: Author krzee <http://www.ovpnforum.com/viewtopic.php?f=10&t=2457&p=2849#p2849>
17:25 < krzie> i shoulkda moved that bot to ecrists network long ago!
17:30 < mithridates> krzie: # These values must match what's in your root CA certificate. what does it mean?
17:30 < mithridates> krzie: does it mean that the root CA will have same values which are in ssl-admin.conf ?
17:32 < krzie> always keep those values the same
17:32 < mithridates> krzie: so when I want to make certificate for my clients
17:33 < mithridates> should I do the same?
17:33 < krzie> set them in ssl-admin.conf and they'll be there
17:33 < stony> n8 guys
17:33 < krzie> all you do is set the clients common-name and if you want email
17:33 -!- stony [n=ol@77-21-120-206-dynip.superkabel.de] has quit ["n8"]
17:33 < krzie> then you make it
17:35 < mithridates> krzie: If I set password protect for clients then should they login by password when they want to connect by openvpn client?
17:35 < krzie> it will secure their key from local access
17:35 < krzie> they will need that password to have the real key, so they wont even try to make a connection to the server without that pass
17:35 < krzie> for a password to connect see !authpass
17:36 < mithridates> !authpass
17:36 < vpnHelper> mithridates: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
17:41 < mithridates> krzie: first bug : I wrote no for the password part which I asked you then I got this : string is too long, it needs to be less than  2 bytes long
17:43 < mithridates> does ssl-admin have a log file?
17:46 -!- tommyd3mdi [n=tommyd@f053097062.adsl.alicedsl.de] has left ##openvpn []
17:50 < krzie> hehe yup thats a bug, email it to ecrist
17:50 < krzie> writing no would set a pw of no btw
17:50 < krzie> leave it blank to not set one
17:51 < krzie> not sure if it logs, if it does the log would be in the same dir
17:51 < krzie> the ssl-admin dir
17:57 -!- bandini [n=bandini@host128-110-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn
18:15 -!- bandini [n=bandini@host128-110-dynamic.16-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
18:22 < mithridates> krzie: didn't work
18:23 < krzie> care to expand on that?
18:24 < mithridates> yes, but not now
18:24 < mithridates> I don't have enough time for my jobs :(
18:25 < krzie> !learn qnx as http://ovpnforum.com/viewtopic.php?f=4&t=2449 for the qnx6 port of openvpn
18:25 < vpnHelper> krzie: Joo got it.
18:33 < mithridates> I go back to easy-rsa
18:36 < mithridates> does the make uninstall work on ssl-admin?
18:36 < krzie> dunno
18:37 < krzie> if so theres a section in the Makefile for it
18:37 < krzie> if not, should be rather easy to see what to delete
18:37 < krzie> (in the Makefile)
18:37 < krzie> if you dont understand it, post the Makefile and ill tell ya what files
18:37 < mithridates> ok
18:37 < mithridates> tnx
18:37 < mithridates> krzie: no I can understand it
18:37 < mithridates> :D
18:38 < krzie> ok ;]
19:15 < DarkAnt> ok, so I have a little discrepancy between what's in my ipp.txt file and what my client think's his ip address is
19:15 < krzie> !ipp
19:15 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
19:15 < DarkAnt> thank you
19:15 < krzie> yw
19:16 < DarkAnt> but if I have two clients on a routed network they should be able to ping each other right?
19:16 < DarkAnt> because I can get the clients to ping the server
19:17 < DarkAnt> but the server can't ping the clients
19:17 < reiffert> 6cm snow in 4 hours rounded up by 30 mins rain, driving is lots of fun right now
19:17 < krzie> firewall
19:17 < krzie> 1 way pinging points to firewall
19:18 < DarkAnt> ok, I'll drop the firewall and check
19:18 < krzie> reiffert sounds sloshy
19:20 < reiffert> cars are driving between 20 to 40 mph, depending on the drivers drunkeness and their courage ;)
19:20 < DarkAnt> no, its not the firewall
19:22 < DarkAnt> ipp.txt is supposed to have past associations, but my clients never had those ip addresses
19:23 < krzie> erase ipp.txt and try again
19:23 < DarkAnt> ok
19:23 < krzie> or just dont use it, its rather pointless
19:23 < DarkAnt> right
19:23 < DarkAnt> but either way, I can't ping my clients
19:23 < krzie> if you want them to have static ips, give them static ips
19:23 < krzie> windows clients?
19:24 < DarkAnt> one is windows, the other is linux(debian)
19:24 < DarkAnt> I can't ping either of them
19:24 < DarkAnt> but both of them can ping the server
19:24 < krzie> on the windows one tell windows firewall to not firewall tap interface
19:25 < krzie> or turn it off all together and test again
19:25 < krzie> also, what ip are you trying to ping for the client?
19:25 < reiffert> or allow 0.0.0.0/0.0.0.0
19:25 < DarkAnt> well my windows box is reporting that it has 10.8.0.10
19:25 < krzie> yup
19:25 < krzie> .6 .10 .14 etc
19:25 < DarkAnt> and my linux box is reporting 10.8.0.5
19:25 < krzie> nah linux is .6
19:26 < DarkAnt> huh?
19:27 < krzie> !/30
19:27 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
19:28 < DarkAnt> niffty
19:30 < DarkAnt> ok, I turned off the windows firewall and I'm still not getting pings
19:30 < DarkAnt> pings from server-->client that is
19:31 < krzie> interesting
19:31 < krzie> but i do assure you, if you have 1 way ping you have a firewall issue somewhere
19:31 < krzie> its the only way that can happen
19:32 < DarkAnt> I'm certain I do
19:33 < DarkAnt> well, my server firewall is down
19:33 < DarkAnt> my windows firewall is down
19:33 < DarkAnt> maybe my router?
19:33 < DarkAnt> the windows box and the router are on the same lan
19:34 < krzie> nope not the router
19:34 < DarkAnt> doesn't look like it
19:34 < krzie> the router doesnt see a ping, just a vpn tunnel
19:34 < krzie> the server firewall might need to be up with rules set to allow stuff specificly
19:35 < krzie> no idea why that would be the case, but iive had people say it was down then when they enter the right rules it magicly works
19:35 < krzie> !firewall
19:35 < vpnHelper> krzie: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
19:35 < krzie> link #1
19:35 < DarkAnt> $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
19:36 < krzie>     iptables -A INPUT -i tun+ -j ACCEPT 
19:36 < krzie>     iptables -A FORWARD -i tun+ -j ACCEPT 
19:36 < DarkAnt> yeah, I have those
19:37 < krzie> hrm, that should be enough
19:38 < krzie> Kasx openvpn2009, can you get the web guys to fix rewrite on the manual?
19:38 < krzie> http://openvpn.net/man#lbBD loses the #lbBD after url rewrites
19:38 < DarkAnt> this is from the linux box(not on the lan):
19:38 < DarkAnt> traceroute to 10.8.0.1 (10.8.0.1), 30 hops max, 40 byte packets
19:38 < DarkAnt>  1  10.8.0.1 (10.8.0.1)  84.647 ms  88.276 ms *
19:39 < DarkAnt> this is when I try to ping the windows box
19:39 < DarkAnt> traceroute to 10.8.0.10 (10.8.0.10), 30 hops max, 40 byte packets
19:39 < DarkAnt>  1  172.16.1.1 (172.16.1.1)  0.992 ms  1.200 ms *
19:39 < DarkAnt>  2  * * *
19:39 < DarkAnt>  3  * * *
19:39 < krzie> well that looks right...
19:39 < krzie> ohh so you're saying they can ping the server, but not eachother
19:39 < DarkAnt> yeah, the route to the server is fine
19:39 < DarkAnt> yes
19:39 < DarkAnt> and the server can't ping them
19:39 < krzie> oh ok so i did understand you right
19:39 < krzie> are you using --client-to-client?
19:39 < DarkAnt> but they can ping the server
19:40 < krzie> if not you need ip forwarding enabled
19:40 < krzie> for them to ping eachother
19:40 < krzie> !c2c
19:40 < vpnHelper> krzie: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
19:40 < vpnHelper> krzie: behind other clients
19:40 < DarkAnt> is client to client in the server.conf?
19:40 < krzie> thats my question, yes
19:41 < DarkAnt> :)
19:44 < DarkAnt> hmm
19:44 < DarkAnt> It was off, I turned it on
19:44 < DarkAnt> and nothing still
19:44 < krzie> that only realtes to them pinging eachother
19:44 < krzie> the server not pinging them is totally seperate
19:44 < DarkAnt> yeah, they still can't ping each other
19:44 < krzie> well may be, but for sure cant be fixed by that option
19:45 < krzie> ok so now both causes are likely the same
19:45 < krzie> best thing i can suggest is pastebin all the firewall rules and maybe a linux guy in here can spot something
19:45 < DarkAnt> this is from linux box --> windows box
19:45 < DarkAnt> traceroute to 10.8.0.10 (10.8.0.10), 30 hops max, 40 byte packets
19:45 < DarkAnt>  1  * * *
19:46 < DarkAnt> ok
19:46 < Section58> stars are not always a bad thing
19:47 < krzie> Kasx openvpn2009, the funny thing bout that rewrite thing i mentioned is that in the web manual the links at the bottom go to the short version that i use, so none of them are working currently
19:48 < DarkAnt> iptables: http://pastebin.im/1635
19:48 < DarkAnt> stars are bad when you have 11 of them
19:49 < DarkAnt> 30 hops max reached
19:49 < krzie> #
19:49 < krzie> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
19:49 < krzie> UDP state?
19:50 < Section58>                  DarkAnt
19:50 < Section58> yey spaces
19:50 < Section58> erm
19:50 < Section58> the route to 10.8.0.1 from your windows box is mashed
19:50 < Section58> this is why you can't ping back
19:50 < krzie> wrong Section58
19:50 < Section58> *10.8.0.10
19:50 < krzie> he can ping 1 way
19:50 < krzie> proving routes are right
19:50 < krzie> its his firewall
19:50 < Section58> just cause you can ping in, doesn't mean your routes are all good
19:50 < Section58> it will use the connect it came in on
19:50 < Section58> from windows however
19:51 < krzie> umm no
19:51 < reiffert> krzie: state on udp?
19:51 < krzie> reiffert can you look at his firewall?
19:51 < Section58> it doesn't send it thu the tap
19:51 < reiffert> krzie: sure. where?
19:51 < krzie> <DarkAnt> iptables: http://pastebin.im/1635
19:51 < DarkAnt> that rule was made by system-config-securitylevel btw(the server is a centos box)
19:51 < reiffert> krzie: in short: omg.
19:52 < krzie> i guess maybe iptables attempts to keep state on a stateless protocol
19:52 < reiffert> DarkAnt: iptables -P INPUT ACCEPT
19:52 < reiffert> DarkAnt: iptables -P FORWARD ACCEPT
19:52 < reiffert> DarkAnt: iptables -P OUTPUT ACCEPT
19:52 < reiffert> iptables -I INPUT -p udp --dport 1194 -j ACCEPT
19:53 < reiffert> iptables -I FORWARD -i tun0 -j ACCEPT
19:53 < reiffert> iptables -I FORWARD -o tun0 -j ACCEPT
19:53 < DarkAnt> I assume you're calling out the ones I need to keep
19:53 < reiffert> iptables -I INPUT -i tun0 -j ACCEPT
19:54 < reiffert> just copy paste that stuff.
19:54 < krzie> well it looks like you have some NAT in there too for your LAN
19:54 < krzie> so just paste what hes giving you
19:54 < DarkAnt> ok
19:54 < reiffert> krzie: problem with his firewall:
19:54 < reiffert> krzie: first rule jumps to RH-Firewall-1-INPUT
19:54 < reiffert> krzie: last rule in there does:
19:54 < reiffert> krzie: reject
19:54 < krzie> ohhh
19:55 < krzie> so everything in between is ignored
19:55 < reiffert> krzie: -A means: adding
19:55 < reiffert> krzie: -I means: inserting
19:55 < rob0> oh my, tmi
19:56 < reiffert> -A (adding) means: put at the end of the rules in that particular chain
19:56 < krzie> that makes me so glad i chose the bsd world
19:56 < reiffert> -I inserting means: put it as rule no 1
19:56 < reiffert> krzie: come on, you can have bullshit firewalls on BSD as well.
19:56 < reiffert> krzie: do they have nat in kernel space nowadays or still natd?
19:56 < krzie> oh for sure, but the syntax is more humanlike to me
19:57  * rob0 runs in terror from the sight of RH-Firewall-1-INPUT
19:57 < DarkAnt> ok, so let me try this
19:57 < DarkAnt> yeah, me too
19:57 < krzie> kernel via pf
19:57 < krzie> ipfw still would use natd
19:58 < krzie> and ipf would still use ipnat or whatever it was
19:58 < reiffert> ah
19:58 < DarkAnt> still can't ping the clients
19:58 < reiffert> nice to know, I should try on pf soon.
19:58 < reiffert> DarkAnt: use the swiss army knife: tcpdump
19:59 < krzie> as should i, i havnt played with pf for a longtime
19:59 < reiffert> tcpdump -n -i INTERFACE proto ICMP
19:59 < reiffert> INTERACE in tun0, eth0, whatever
19:59 < DarkAnt> yeah, I've been using tcpdump all day :P
20:02 < DarkAnt> its what, tcpdump 'icmp[icmptype] = icmp-ping'?
20:02 < reiffert> no, cause you will be missing the those stuff here:
20:02 < reiffert> #
20:02 < reiffert> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
20:02 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
20:03 < DarkAnt> yes, I just noticed that sucker
20:03 < DarkAnt> could that be the problem?
20:03 < reiffert> tcpdump will tell you.
20:03 < reiffert> get rid of that firewall, it keeps you from progress.
20:03 < DarkAnt> ok
20:04 < DarkAnt> I'm sorry, what filter do I want on tcpdump?
20:05 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit [Excess Flood]
20:05 < reiffert> the read filter
20:05 < reiffert> 02:59 < reiffert> tcpdump -n -i INTERFACE proto ICMP
20:06 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
20:06 < reiffert> 02:59 < reiffert> INTERACE in tun0, eth0, whatever
20:06 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit [Excess Flood]
20:06 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Excess Flood]
20:07 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
20:07 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
20:07 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit [Excess Flood]
20:07 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Excess Flood]
20:08 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
20:09 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Excess Flood]
20:09 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
20:10 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Excess Flood]
20:10 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
20:10 < DarkAnt> yeah, I'm not seeing anything on either client
20:10 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
20:10 < mithridates> !ip
20:10 < vpnHelper> mithridates: Error: "ip" is not a valid command.
20:10 < DarkAnt> when I ping from the server
20:11 < mithridates> !factoids search ip
20:11 < vpnHelper> mithridates: 'tls-cipher', 'iporder', 'winipforward', '2.1-winpass-script', 'iptables', 'linipforward', 'ipv6', 'ipp', 'ipforward', 'fbsdipforward', 'win_ipfail', 'iphone', and 'rip'
20:11 < mithridates> !iporder
20:11 < vpnHelper> mithridates: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
20:11 < mithridates> !ipforward
20:11 < vpnHelper> mithridates: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
20:11 < mithridates> !linipforward
20:11 < vpnHelper> mithridates: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
20:12 < mithridates> !ipp.txt
20:12 < vpnHelper> mithridates: Error: "ipp.txt" is not a valid command.
20:12 < mithridates> !factoids search ipp
20:12 < vpnHelper> mithridates: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
20:13 < mithridates> !mgmt
20:13 < vpnHelper> mithridates: "mgmt" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/management-interface.html, or (#2) http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn/management/management-notes.txt
20:14 < mithridates> hey guys, how can I use management console? can I put management in config file?
20:14 < krzie> see --management in the manual
20:14 -!- McManiaC [n=McManiaC@n-sch.de] has left ##openvpn []
20:15 < mithridates> krzie: I saw that, but they didn't point out about openvpn configuration file
20:15 < mithridates> they said just use openvpn --management
20:15 < mithridates> I use service openvpn start
20:15 < krzie> in the start of the manual it says that all options can be put in the config after removing the leading --
20:15 < mithridates> do I need to add it to the init script?
20:15 < mithridates> aah ok
20:15 < mithridates> tnx krzie :)
20:16 < krzie> np
20:16 < mithridates> do u like this management console?
20:16 < mithridates> is it fine?
20:16 < reiffert> mithridates: how far have you gotten to webgui?
20:16 < krzie> never used it, but i do know it wasnt designed with humans in mind
20:16 < DarkAnt> heh
20:16 < krzie> its more for coding an app to use the management interface
20:17 < mithridates> reiffert: I'm in canada and webgui is in the moon 
20:17 < krzie> satelite relay?
20:17 < krzie> ;]
20:17 < mithridates> reiffert: I'm not really good in programming and I don't have time to make it :(
20:17 < reiffert> mithridates: so .. pay someone to do it?
20:18 < DarkAnt> 21:17:53.049474 IP 10.8.0.1 > 10.8.0.10: ICMP echo request, id 46097, seq 1, length 64
20:18 < DarkAnt> my server is sending out the pings to the correct ip
20:18 < reiffert> .1 and .10, wtf?
20:18 < krzie> reif, /30
20:18 < krzie> .10 is client2
20:18 < reiffert> krzie: 1-10 != /30
20:19 < DarkAnt> .10 is the windows box
20:19 < krzie> 1 is server
20:19 < reiffert> Ah, that makes more sense.
20:19 < DarkAnt> which should be client2
20:19 < reiffert> 1 - 6 works?
20:19 < mithridates> reiffert: no, I wanna just solve my problems by terminal for myself, then I like to start an opensource project for this purpose 
20:19 < DarkAnt> reiffert: no
20:19 < DarkAnt> the linux box is .5 and I can't send a ping to it
20:19 < DarkAnt> *linux client
20:19 < krzie> its not .5!
20:19 < reiffert> DarkAnt: got rid of that firewall drama yet?
20:20 < DarkAnt> yeah, the firewall has been down for some time now
20:20 < krzie> or if it actually thinks its .5 theres your problem, lol
20:20 < reiffert> DarkAnt: proof!
20:20 < krzie> (its .6)
20:20 < reiffert> doh, this word is getting me sick
20:20 < reiffert> to prove, the proof?
20:20 < krzie> yup
20:20 < DarkAnt> <.<
20:20 < DarkAnt> frack
20:20 < krzie> proof is a noun, prove is a verb
20:21 < mithridates> what's the best value for unstable networks in these fields : keepalive , verb
20:21 < mithridates> what's the best value for unstable networks in these fields : keepalive , verb?
20:21 < reiffert> DarkAnt: so prove!
20:21 < DarkAnt> I kept reading this:  P-t-P:10.8.0.5
20:21 < krzie> well proof can be a verb, but thats to check spelling and grammer, proof reading
20:21 < DarkAnt> instead of this:  addr:10.8.0.6
20:21 < reiffert> DarkAnt: paste ifconfig -a
20:21 < krzie> DarkAnt, yup ;]
20:21 < reiffert> DarkAnt: while at it, paste route -n
20:22 < reiffert> DarkAnt: just do like the following command tells you:
20:22 < reiffert> !interfaces
20:22 < vpnHelper> reiffert: Error: "interfaces" is not a valid command.
20:22 < reiffert> !interface
20:22 < vpnHelper> reiffert: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
20:22 < mithridates> what's the best value for unstable networks in these fields : keepalive , verb?
20:22 < reiffert> DarkAnt: you are running openvpn-2.1.1?
20:22 < DarkAnt> route -n: http://pastebin.im/1636
20:22 < mithridates> who knows about it?
20:23 < krzie> mithridates verb doesnt matter unless debugging
20:23 < reiffert> DarkAnt: http://pastebin.im/1636
20:23 < reiffert> DarkAnt: thats the server?
20:23 < krzie> mithridates and read about keepalive to figure out a good setting for you, its actually a couple commands rolled into 1
20:23 < krzie> (read in manual)
20:23 < mithridates> I found it in the man page
20:23 < mithridates> tnx
20:23 < DarkAnt> reiffert: yes
20:24 < DarkAnt> that's the server
20:24 < reiffert> krzie: check out the link, is it supposed to be like this? http://pastebin.im/1636
20:24 < DarkAnt> the ping to the linux box works when I actually type the right IP address
20:24 < DarkAnt> who knew...
20:24 < krzie> umm, weird
20:25 < krzie> #
20:25 < krzie> 10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
20:25 < krzie> just dont seem right to me
20:25 < reiffert> yeah
20:25 < krzie> did you play with routes by hand DarkAnt ?
20:25 < DarkAnt> hell no
20:25 < reiffert> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
20:25 < reiffert> 10.10.0.2       0.0.0.0         255.255.255.255 UH    0      0        0 tun2
20:25 < reiffert> got this at my place.
20:25 < reiffert> 10.9.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun1
20:25 < DarkAnt> I played with the firewall by hand and that's off now
20:25 < reiffert> 10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
20:25 < reiffert> 10.10.0.0       10.10.0.2       255.255.255.0   UG    0      0        0 tun2
20:25 < reiffert> 10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
20:25 < reiffert> 10.9.0.0        10.9.0.2        255.255.255.0   UG    0      0        0 tun1
20:25 < krzie> show us routing table and ifconfig -a when no vpn proc running
20:26 < reiffert> so it looks okay.
20:26 < DarkAnt> ok
20:26 < krzie> oh ok, mine dont have that
20:26 < krzie> but im bsd ;]
20:26 < reiffert> sup sup sup
20:27 < krzie> 10.8/24            10.8.1.2           UGS         0        0   tun0
20:27 < krzie> 10.8.1/24          10.8.1.2           UGS         0  2200116   tun0
20:27 < krzie> 10.8.1.2           10.8.1.1           UH          2        0   tun0
20:27 < DarkAnt> ifconfig -a with openvpn shut down: http://pastebin.im/1637
20:27 < reiffert> DarkAnt: route -n as well
20:28 < reiffert> DarkAnt: well, thsats only part of ifconfig -a
20:28 < DarkAnt> route -n with openvpn shut down: http://pastebin.im/1638
20:29 < reiffert> DarkAnt: iptables -L -v -n
20:29 < DarkAnt> oh woops
20:29 < DarkAnt> sorry, it got cut off
20:29 < krzie> ok so we know routing table is fine (which i deduced from 1 way pings working)
20:30 < krzie> im still hard core that its the firewall
20:30 < krzie> in fact with a 1 way ping i dont believe its possible to be something else
20:30 < reiffert> he's going to prove that.
20:30 < DarkAnt> ifconfig -a, not cut off this time: http://pastebin.im/1639
20:30 < reiffert> krzie: what is the opposite of "to prove", is it "to dis-aprove"?
20:31 < krzie> to prove wrong
20:31 < krzie> i guess disprove
20:31 < DarkAnt> its disprove
20:31 < mithridates> !factoids value persist-key
20:31 < vpnHelper> mithridates: Error: The "Factoids" plugin is loaded, but there is no command named "value" in it.  Try "list Factoids" to see the commands in the "Factoids" plugin.
20:31 < mithridates> !factoids --value persist-key
20:31 < krzie> but not disaprove, thats to say you dont agree with something someone said or did
20:31 < vpnHelper> mithridates: Error: The "Factoids" plugin is loaded, but there is no command named "--value" in it.  Try "list Factoids" to see the commands in the "Factoids" plugin.
20:31 < mithridates> !factoids search persist
20:31 < vpnHelper> mithridates: No keys matched that query.
20:31 < mithridates> :(
20:31 < reiffert> krzie: thanks
20:32 < reiffert> so he's going to prove us wrong ...
20:32 < krzie> hes gunna try, i wont believe its anything other than the firewall until he fixes it without needing to change his fw
20:32 < krzie> lol
20:33 < krzie> the big plus, hes not arguing that its not his firewall, i hate when people do that when we know it is
20:33 < reiffert> Well, he is argueing, well kind of:
20:33 < krzie> then hours later they go "oh hey it was my firewall"
20:33 < mithridates> can I assign port 80 to  openvpn server, then will clients have any problem with web ?
20:34 < reiffert> 03:25 < DarkAnt> I played with the firewall by hand and that's off now
20:34 < reiffert> DarkAnt: paste online: iptables -L -v -n
20:34 < DarkAnt> http://pastebin.im/1640
20:34 < krzie> mithridates as long as you dont run a web server on port 80 on that ip already thats fine, are you using TCP as your transport layer? if you are using UDP you might want port 53 instead
20:35 < krzie> if you're trying to bypass firewalls by using port 80
20:35 < reiffert> the fireall is off, wow.
20:35 < DarkAnt> yeah
20:35 < mithridates> krzie: I'm using udp, and I want to bypass firewall by using port 80
20:36 < krzie> you'll get better luck with 53
20:36 < krzie> port 80 is normally tcp
20:36 < krzie> port 53 is udp, its the DNS port
20:36 < mithridates> krzie: but if they block all port except of 80
20:36 < mithridates> ?
20:36 < krzie> it would be weird for them to allow 80 UDP
20:36 < DarkAnt> hey guys, I really need to crash
20:36 < DarkAnt> I've been up for way too long with no food
20:36 < krzie> g'nite and g'luck DarkAnt 
20:36 < mithridates> I got it
20:37 < mithridates> tnx :)
20:37 < DarkAnt> thanks for all of the help, I owe this channel some considerable troubleshooting time
20:37 < mithridates> will it cause any conflict for client side?
20:37 < krzie> mithridates no
20:37 < mithridates> :)
20:38 < krzie> also, if you do need a tcp port go for 443 instead of 80, thats the web port for ssl
20:38 < reiffert> DarkAnt: once you made it work, feel free to help others on this channel :)
20:38 < krzie> so the traffic is expected to be encrypted ;]
20:38 < DarkAnt> hehe, yes :)
20:40 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
20:42 -!- Dougy [n=me@ool-435033e6.dyn.optonline.net] has joined ##openvpn
20:44 < mithridates> # In how many days should certificates expire?
20:44 < mithridates> export KEY_EXPIRE=3650
20:44 < mithridates> is it for client's key?
20:45 < krzie> and servers, yes
20:46 < mithridates> how can I list certificates which I made for clients?
20:46 < Dougy> man
20:46 < Dougy> you are still asking questions?
20:46 < Dougy> jesus
20:46 < mithridates> Dougy: what's wrong with asking question? :D
20:46 < Dougy> nothing
20:46 < Dougy> but you are the epitome of the energizer bunny
20:47 < krzie> wow dougy
20:47 < Dougy> sup krazy
20:47 < Dougy> ?
20:47 < reiffert> hi Dougy 
20:47 < Dougy> howdy
20:47 < Dougy> :)
20:47 < reiffert> snow. plenty :)
20:47 < krzie> i couldnt believe i saw that come from #3 on the stats page who has never actually helped someone in here
20:47 < krzie> lol
20:47 < Dougy> ROFL
20:47  * Dougy shoots daggers at krzie
20:48 < Dougy> I just liven it up..  doesn't mean I'm good for anything
20:48 < krzie> lol
20:48 < Dougy> actually i lied
20:48 < Dougy> i'm good for getting people servers to put VPN's on
20:48 < Dougy> ehehe
20:48 < Dougy> you did get the info for your box, ta?
20:48 < reiffert> http://mzcam.kunden-mediamachine.de/markt/bild_popup.htm
20:48 < vpnHelper> Title: Mainz Online: Dom St. Martin und Mainzer Markt. (at mzcam.kunden-mediamachine.de)
20:49 < krzie> oh ya, i totally forgot bout it
20:49 < krzie> lol
20:49 < Dougy> LOL
20:49 < Dougy> its using $25/mo worth of my electri
20:49 < Dougy> you better put it to use, LOL
20:49 < reiffert> http://www.mainzerring.de/webcam/webcam_set.html
20:50 < Dougy> win
20:50 < Dougy> no snow here thankfully
20:50 < krzie> bro you can power it down if you wanna, i literally have nothing i need it for at the moment
20:50 < Dougy> haha
20:50 < mithridates> reiffert: hey it's like where I'm living , saint john has a rail like this , with snow :))
20:50 < Dougy> krzie: i got the spare power
20:50 < krzie> i will want it again tho ;]
20:51 < Dougy> but it makes me sad that its wasting away
20:51 < krzie> ok
20:51 < Dougy> well actually i dont have the spare power now, but its besides the point
20:51 < Dougy> if i need another amp ill shut it down
20:51 < krzie> dont worry ill try to find a use for it
20:51 < Dougy> irc box
20:51 < Dougy> lols
20:51 < krzie> already have a couple of those
20:51 < krzie> ;]
20:51 < Dougy> who doesnt
20:51  * Dougy raises his hand
20:52 < krzie> maybe ill throw it into the mix as a hop in a openvpn-chain
20:52 < krzie> i havnt done that for awhile
20:52 < krzie> maybe ill document it this time
20:52 < Dougy> this guy from indonesia ordered from me
20:52 < Dougy> i made a few calls..
20:52 < Dougy> he was going thru 6 VPN's 
20:52 < Dougy> when he ordered from me
20:52 < krzie> lol
20:52 < Dougy> with a domain that had 'vcc' in it
20:53 < Dougy> and was about virtual credit cards
20:53 < Dougy> i shut him off as soon as i saw it
20:53 < krzie> why? sounds legit!
20:53 < krzie> lol
20:53 < Dougy> yeaaaaa!
20:53 < Dougy> no.
20:53 < krzie> and you've never talked to me without me going through AT LEAST 1 vpn
20:53 < reiffert> n8, afk
20:53 < krzie> then again i still owe you $50 so maybe im not the best example
20:53 < krzie> later reif
20:54 < Dougy> later redfox
20:54 < Dougy> er
20:54 < Dougy> reiffert
20:54 < Dougy> tab </3
20:56 < mithridates> guys, how can I see certificates which I made by scripts in easy-rsa ? ( if Dougy is not mad at me for asking Q please answer me) 
20:56 < Dougy> of course not
20:56 < Dougy> ask all you want
20:56 < mithridates> :D
20:56 < Dougy> i am not mad either, i was just amazed you're still asking questions
20:56 < Dougy> lol
20:57 < mithridates> tnx question counter 
20:57 < Dougy> krzie: i've found a job for myself
20:57 < Dougy> question counter
20:57 < mithridates> lol
20:58 < krzie> lol
20:59 < krzie> mithridates asking questions is fine, assuming you've tried to answer them from the docs
20:59 < Dougy> dougy just asks, he doesnt try to figure them out himself
20:59 < Dougy> :X
20:59 < krzie> seeing certs you've made, you need to save the CSR
20:59 < krzie> so you can later make a crl if needed
20:59 < krzie> !crl
20:59 < vpnHelper> krzie: "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn)
20:59 < vpnHelper> krzie: that will create the CRL file for you. ssl-admin will also build a crl for you
21:01 < mithridates> ummm tnx
21:02 < mithridates> no I don't use anyone to solve my problem :( I need to have just the clue then I can find doc and read it . when I don't know that's related to CSR how can I read that doc?
21:03 < krzie> i wasnt saying anything about you, that was an 'in general' answer
21:04 < krzie> just dont delete anything on the CA box
21:04  * Dougy is writing a little perl thing
21:07 -!- LobbyZ [n=im@c83-251-23-194.bredband.comhem.se] has quit [Client Quit]
21:12 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit [Excess Flood]
21:13 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
21:16 -!- poningru [n=poningru@dsl093-236-026.hfd1.dsl.speakeasy.net] has joined ##openvpn
21:24 -!- HazardX [n=HazardX3@pool-96-252-45-198.bstnma.fios.verizon.net] has quit [Read error: 60 (Operation timed out)]
21:36 < mithridates> is there any document for everything about openssl and openvpn?
21:36 < krzie> openssl has a manpage
21:37 < krzie> but an overview, as i said earlier, EVERYTHING related to encryption is done by openssl
21:37 < krzie> openvpn doesnt handle its own encryption, openssl does
21:37 < krzie> which i think is great
21:37 < mithridates> man openssl?
21:37 < Dougy> krzie: i just had a 7 minute 600mbps burst
21:37 < Dougy> and my graphs didnt even show it
21:37 < Dougy> LOL
21:38 < krzie> hah
21:38 < krzie> well it wasnt me!
21:38 < Dougy> it was me
21:38 < Dougy> hmm it wasnt 600, yeah, more like 400
21:38 < Dougy> http://www.scottburns.org/temp/fingergraph.png <-- that was the box i spiked to
21:38 < krzie> mithridates that will give you the manual for the openssl application
21:38 < krzie> same as man 8 openssl
21:39 < mithridates> ok
21:39 < mithridates> I'm reading that
21:39 < krzie> mmm port Gi goodness
21:41 < rob0> openssl(1) ... section 1 here
21:42 < krzie> ahh ya i was wrong
22:14 -!- kyrix [n=ashley@chello213047159139.33.11.univie.teleweb.at] has quit ["Leaving"]
22:17 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has quit ["This computer has gone to sleep"]
23:05 -!- Dougy [n=me@ool-435033e6.dyn.optonline.net] has quit [Read error: 113 (No route to host)]
23:05 < mithridates> I've created a build-key client4 two times by a mistake
23:05 < mithridates> how can I remove one of them?
23:06 < mithridates> just by removing the line in index.txt?
23:07 < mithridates> how can I remove a certificate? by revoke-full script?
23:23 -!- buntfalke [n=nobody@openvpn-p1-ipv6-1033.triple-a.uni-kl.de] has joined ##openvpn
23:38 < ecrist> dazo_afk: interesting email
23:42 < ecrist> dammit Dougy
23:55 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
--- Day changed Sun Jan 17 2010
00:10 -!- Irssi: ##openvpn: Total of 88 nicks [2 ops, 0 halfops, 0 voices, 86 normal]
00:18 < mithridates> !factoids search tls
00:18 < vpnHelper> mithridates: 'tls-verify', 'tls-cipher', and 'tls-auth'
00:37 -!- StewartSmalls [n=StewartS@173-146-143-20.pools.spcsdns.net] has joined ##openvpn
00:37 < StewartSmalls> !welcome
00:37 < vpnHelper> StewartSmalls: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
00:38 < StewartSmalls> just to clarify.. before I begin reading.. my openvpn gui is always yellow..
00:38 < StewartSmalls> Im assuming it works on the stoplight system.. green is what im shooting for?
00:38 < StewartSmalls> !howto
00:38 < vpnHelper> StewartSmalls: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
00:40 < StewartSmalls> !route
00:40 < vpnHelper> StewartSmalls: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
00:41 < mithridates> us=129145 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C= 
00:41 < mithridates> why is this happening to me?
00:41 < mithridates> date?
00:42 < mithridates> !verify
00:42 < vpnHelper> mithridates: Error: "verify" is not a valid command.
00:42 < mithridates> !factoids search verify
00:42 < vpnHelper> mithridates: 'tls-verify' and 'certverify'
00:42 < mithridates> !certverify
00:42 < vpnHelper> mithridates: "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
00:42 < mithridates> I used easy-rsa
00:43 < mithridates> should I verify certificates after creating?
00:44 < StewartSmalls> If I goto a port check utility on the web.. should it show that port 1194 is open? or should it only be open to the 10.8.x.x subnet I laid out in my configs?
00:58 < mithridates> why easy-rsa-crazy creates certificate for 4 hours later
00:58 < mithridates> ?
00:58 < mithridates> how can I change it? :(
01:02 < mithridates> openssl x509 -in client1.crt -noout -startdate
01:02 < mithridates> notBefore=Jan 17 08:15:39 2010 GMT
01:03 < mithridates> # date
01:03 < mithridates> Sun Jan 17 05:03:20 EST 2010
01:03 < mithridates> why?
01:07 < krzee> EST vs GMT
01:08 < krzee> mithridates, you dont need to edit the easy-rsa scripts
01:08 < krzee> just use them as shown in the howto
01:08 < krzee> many people have used that guide exactly as is and had working vpns
01:16 < StewartSmalls> i followed the static-key mini-HOWTO and just cannot get a valid connection
01:16 < StewartSmalls> my openvpn gui stays yellow
01:20 < krzee> what page is that?
01:20 -!- StewartSmalls [n=StewartS@173-146-143-20.pools.spcsdns.net] has quit []
01:29 < mithridates> krzee: I couldn't find it in openssl.conf
01:31 < mithridates> krzee: how can I change it ?
01:34 < krzee> change what?
01:34 < krzee> check that the time is correct for the set timezone on each computer
01:34 < krzee> ntpdate time.nist.gov should work in any nix
01:35 < krzee> windows is easy to check both
02:02 < mithridates> krzee: I changed the timezone of both to GMT but it still doesn't work
02:04 < mithridates> I changed the timezone of both to GMT but it still doesn't work
02:07 < mithridates> it worked :P just 15 minutes =)))) loool
02:07 < mithridates> crazy world
02:08 < krzee> lol
02:19 -!- Centaur [n=Sorry@202-89-174-157.static.dsl.amnet.net.au] has joined ##openvpn
02:19 < Centaur> Hi Folks
02:19 < Centaur> I have been using the latest version of open vpn lately and I cannot connect a client externally.
02:20 < Centaur> I am more than familiar with port forwarding and it has certainly worked before.
02:20 < Centaur> I have tested between two internal subnet and it works great.
02:20 < Centaur> All other port forwarding or my dmz function are working fine.
02:21 < Centaur> But port 1194 UDP is just dead from the interent.
02:21 < Centaur> Is this me?
02:22 < Centaur> !Welcome
02:22 < vpnHelper> Centaur: "Welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:23 < Centaur> Using bridging, Not using that subnet at all and my configuration is the same as when I last had it running.
02:24 < Centaur> Currently testng between XP Pro system, the only major difference is the new version of OPEN VPN
02:24 < Centaur> I  guess my most direct question is
02:25 < Centaur> Are ISPs Blocking this port or others for that matter, if we are sure that they are not, then I guess I will have to lok deeper into my configuration
02:25 < mithridates> krzee: I feel some conflicts for name resolving in my client
02:26 < krzee> Centaur, netcat will show if its blocked, check the firewalls and any NAT the server is behind
02:27 < Centaur> I will try netcat now, but I have changed the routers again and again, I have culled the setup down to one router and a simple XP box.
02:27 < Centaur> Thanks krzee
02:28 < krzee> oh ya netcat is unix, dunno if theres a win version
02:28 < Centaur> Yeh there is should be cool but I have linux here as well.
02:28 < Centaur> Thanks mate
02:29 < krzee> np
02:29 < mithridates> !keep-alive
02:29 < vpnHelper> mithridates: Error: "keep-alive" is not a valid command.
02:30 < mithridates> krzee: do I need to set keep-alive option in my client configuration file?
02:30 < krzee> not if you have it in server
02:30 < krzee> if you read --keepalive you'll know why
02:31 < mithridates> ok tnx
02:36 < mithridates> krzee: it's strange that openvpn doesn't work as well as port 1194 when I set 53 UDP
02:37 < krzee> maybe your ISP rate limits your udp 53
02:37 < krzee> it is just for DNS, and there are DNS amplification attacks
02:37 < mithridates> may be
02:37 < krzee> using misconfigured DNS servers to amplify and hide an attack
02:37 < krzee> so rate limiting udp 53 could make sense to an ISP
02:38 < mithridates> what else do you recommend me krzee?
02:38 < krzee> trial and error
02:38 < krzee> find common udp ports and check it out
02:38 < mithridates> aah ok
03:00 -!- teddymills [n=teddy@208.92.235.227] has quit [Read error: 104 (Connection reset by peer)]
03:01 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
03:05 < Centaur> Thanks Fellas
03:05 < Centaur> Netcat helped me fixed the problem, a firewall at the other site.
03:05 < Centaur> Cheers
03:05 < Centaur> Filtered to the hilt it was
03:06 -!- Centaur [n=Sorry@202-89-174-157.static.dsl.amnet.net.au] has quit [Remote closed the connection]
03:07 -!- Dougy [n=me@ool-435033e6.dyn.optonline.net] has joined ##openvpn
03:07 -!- master_o1_master [n=master_o@p57B570F2.dip.t-dialin.net] has joined ##openvpn
03:19 -!- master_of_master [i=master_o@p57B57DF5.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
03:21 < krzee> !/30
03:21 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
03:21 < krzee> !topology
03:21 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
03:39 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
03:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:48 < mithridates> who knows Mathias Sundman ?
04:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
06:28 < DarkAnt> morning all
06:29 < DarkAnt> I got another linux box on my lan connected to my server. This means its entirely the windows box's fault(also on the lan)
06:29 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
06:34 < DarkAnt> and that magically works now
06:34 < DarkAnt> I'm really happy it works
06:34 < DarkAnt> I have no friggen clue why
06:34 < DarkAnt> which makes me much less happy
06:38 < DarkAnt> oh fuck you windows security model
06:38 < DarkAnt> you shouldn't let services silently fail because they didn't have privs
06:39 < DarkAnt> I wasn't running as admin
06:40 < DarkAnt> which apparently allows me to ping the server, but not have the server ping back
06:40 < DarkAnt> awesome
06:47 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit ["I am off"]
06:49 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
06:53 < DarkAnt> once again, thank you guys so much. You were exceptionally helpful
06:57 < theDoc> Hi all.
07:10 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
08:06 < eightfold> i want to connect to a vpn using openvpn via the debian command line. i have the following conf files: http://ivacy.com/en/doc/user/setup/winxp_openvpn
08:06 < vpnHelper> Title: OpenVPN connection setup for Windows XP (at ivacy.com)
08:07 < eightfold> i've been trying to come up with something read the man, but not really getting there
08:10  * Dougy opens link
08:10 < Dougy> did fyou modify the 'remote' line
08:10 < Dougy> oh hmm
08:10 < Dougy> what is ivacy?
08:11 < Dougy> !logs
08:11 < vpnHelper> Dougy: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
08:12 < Dougy> oh wow
08:13 < Dougy> dug up an old friend of mine
08:13 < Dougy> now in Koeln, DE
08:15 -!- Leila [i=d9dae562@gateway/web/freenode/x-yrlhvdcoegoluufq] has joined ##openvpn
08:15 < theDoc> heya doug, ;)
08:15 -!- Leila [i=d9dae562@gateway/web/freenode/x-yrlhvdcoegoluufq] has left ##openvpn []
08:17 < theDoc> Wow, generic certificate for ivacy? Is that even a good idea? :?
08:17 < eightfold> theDoc: better than nothing i guess :)
08:18 < eightfold> eightfold: but i think that's how most vpn providers do, i might be wrong though
08:18 < theDoc> eightfold> Not true, I have generated per-user certs.
08:18 < Dougy> theDoc: i thought the same
08:18 < eightfold> theDoc: whatdo you pay for the service? which provider do you use?
08:19 < theDoc> Sounds like some one doesn't know how to generate per-user certs and manage them.
08:19 < theDoc> eightfold> I run a provider ;p
08:19 < eightfold> theDoc: ha, ok, that explains it :)
08:19 < theDoc> eightfold> I'm just saying that generic certs are not the best way to handle this and I don't see a reason to use it.
08:20 < eightfold> theDoc: all in all i think it works pretty well though. speedwise (you can chose from servers in russian, uk and usa)
08:20 < eightfold> and it has got a nifty payment system, and easy port forwarding
08:21 < theDoc> eightfold> I've no comments for that, since I don't use their services.
08:22 < eightfold> theDoc: up until recently you could create an account and use 100 mb for free. i think they removed that feature though.
08:22 < theDoc> eightfold> Hm, ok ;p
08:23 < eightfold> theDoc: have you can any instruction for connecting to you via openvpn commandline on *nix?
08:24 < eightfold> theDoc: that might be used ivacy, that is
08:24 < eightfold> perhaps that would be different as you're not using generic certificates?
08:24 < theDoc> eightfold> openvpn /path/to/config/file
08:25 < theDoc> eightfold> That should start it.
08:27 < eightfold> theDoc: and the certificates from here [ http://ivacy.com/en/doc/user/setup/winxp_openvpn ] should just be saved in the same folder?
08:27 < vpnHelper> Title: OpenVPN connection setup for Windows XP (at ivacy.com)
08:27 < eightfold> as ca.crt, client.crt, client.key and tls.key etc?
08:31 < theDoc> eightfold> I'm not quite keen on providing support for this, mainly because it's a paid-for service and the respective helpdesk should do it but your config file should point to the correct directories where the certs are residing.
08:31 < theDoc> That's roughly what you need.
08:32 < eightfold> sorry, saw that the paths for the crt and key files where in the ovpn file.
08:34 -!- LobbyZ` is now known as LobbyZ
08:42 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:45 < eightfold> where would be proper place the ovpn config files? /etc/openvpn/config?
08:47 < Bushmills> if you like that, sure.  or /etc/openvpn.
08:50 -!- ecrist changed the topic of ##openvpn to: OpenVPN 2.1.1 Most Current || Your problem is your firewall, really. || Type !welcome before asking your questions. || We need forum moderators, email openvpn@secure-computing.net to volunteer.
08:52 < JodaX> ecrist, hmm, what about having openvpn clearly state that the problem is the firewall and how it is
08:54 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: working standard TUN config :: Reply by dustin.mann9 <http://www.ovpnforum.com/viewtopic.php?f=4&t=3&p=2847#p2847> || Server Administration :: Re: help with OpenVPN for Ubuntu :: Reply by dustin.mann9 <http://www.ovpnforum.com/viewtopic.php?f=4&t=2402&p=2846#p2846> || Server Administration :: Re: help with OpenVPN for Ubuntu :: Reply by dustin.mann9 <http://www.ovpnforum.co
08:55 < Dougy> hey eric
08:55 < Dougy> how are you
08:56 -!- mintaka [n=kosmic@thefuckin.net] has joined ##openvpn
08:57 < ecrist> good morning.
08:57 < ecrist> JodaX: I don't understand.
08:58 < JodaX> well, error messages are there for a reason
08:58 < JodaX> make them easyer to understand
08:58 < ecrist> OpenVPN has no definitive method to determine firewall problems.
08:59 < Bushmills> bo, they're meant to intimidate the user, so he calls professional help
08:59 < JodaX> can't connect => firewall problem
08:59 < ecrist> the vast majority of people who come here seeking help have firewall problems.
08:59 < ecrist> nope
08:59 < Dougy> !tun
08:59 < vpnHelper> Dougy: Error: "tun" is not a valid command.
08:59 < Dougy> !tunortap
08:59 < vpnHelper> Dougy: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
08:59 < vpnHelper> Dougy: against you over the vpn
08:59 < ecrist> the usual problem is the users opens 1194, but fails to pass VPN IPs through the firewall.  As such, the VPN connects, but users cannot access systems/services within the VPN.
09:00 < ecrist> OpenVPN would have no knowledge about this.
09:00 < Dougy> !wins
09:00 < vpnHelper> Dougy: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
09:00 < ecrist> Dougy: !factoids
09:00 < Dougy> !factoids
09:00 < vpnHelper> Dougy: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
09:00 < Dougy> ahha
09:01 < Dougy> ecrist: i'm actualyl being useful
09:01 < Dougy> being
09:01 < Dougy> I put some good stuff on the forum
09:01 < Dougy> LOL
09:01 < ecrist> excellent.
09:01 < Dougy> not very much
09:01 < Dougy> but some
09:03 < Dougy> win
09:03 < Dougy> congrats on moderator theDoc
09:06 < theDoc> <3
09:07 < Dougy> i think i am gonna troll Andrew from OpenVPN to link to the forum on the opensource page
09:13 -!- eightfold [n=eightfol@c213-89-114-50.bredband.comhem.se] has quit [Read error: 60 (Operation timed out)]
09:13 -!- eightfold [n=eightfol@85.249.223.23] has joined ##openvpn
09:25 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: help with OpenVPN for Ubuntu :: Reply by Douglas <http://www.ovpnforum.com/viewtopic.php?f=4&t=2402&p=2859#p2859> || Server Administration :: Re: help with OpenVPN for Ubuntu :: Reply by Douglas <http://www.ovpnforum.com/viewtopic.php?f=4&t=2402&p=2860#p2860> || Server Administration :: Re: working standard TUN config :: Reply by Douglas <http://www.ovpnforum.com/viewtopic.
09:50 -!- BoomSie [n=gideon@84-245-27-118.dsl.cambrium.nl] has joined ##openvpn
09:53 -!- eightfold [n=eightfol@85.249.223.23] has quit [Read error: 60 (Operation timed out)]
10:03 -!- eightfold [n=eightfol@c213-89-114-50.bredband.comhem.se] has joined ##openvpn
10:19 -!- BoomSie [n=gideon@84-245-27-118.dsl.cambrium.nl] has quit ["Ex-Chat"]
10:37 < mithridates> what's going on my favorite IRC channel ?
10:37 < Dougy> nothing
10:38 < mithridates> hi Dougy 
10:38 < Dougy> hi
10:43 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
10:46 -!- Otacon22 [n=otacon22@93-36-88-88.ip59.fastwebnet.it] has left ##openvpn ["Part"]
10:50 <@Kasx> Dougy: this is Andrew from openvpn, we will be linking to you, we will be doing a lot of work in the community area these next 1-2 months.
10:51 < Bushmills> how's trac progressing?
10:52 <@Kasx> Not sure, thats a question for Samuli/mattock
10:53 < Dougy> oh shit
10:53 < Dougy> hi Kasx
10:53 < Dougy> :)
10:53 <@Kasx> Hey Dougy!
10:53 < Dougy> How ya doin
10:53 <@Kasx> good man, and you?
10:53 < Dougy> decent
10:53 < Dougy> I guess I should get a different skin for the forum to liven it up eh
10:54 <@Kasx> Your choice :-)
10:54 < Dougy> I will hunt
10:54 < Dougy> it is kind of dull now
10:54 < Dougy> so hey whats up with the openvpn site now
10:54 < Dougy> it hides the open source 
10:54 <@Kasx> I will send an e-mail to Samuli and see if we could put your link at the link you sent me in that pm
10:55 < Dougy> k
10:55 < Dougy> also
10:55 <@Kasx> as far as open-source turning into Community?
10:55 < Dougy> why does the index page only have links to access server except for the one tab for community software
10:55 < Dougy> but theres tons of info about the AS
10:55 <@Kasx> PM?
10:56 < Dougy> you can always PM me
10:56 < Dougy> !tap
10:56 < vpnHelper> Dougy: "tap" is "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything
10:56 < vpnHelper> Dougy: where the protocol uses MAC addresses instead of IP addresses.
10:56 < Dougy> !tunortap
10:56 < vpnHelper> Dougy: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
10:56 < vpnHelper> Dougy: against you over the vpn
11:04 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
11:06 < Dougy> eyo krzee
11:06 < krzee> hey
11:08 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 110 (Connection timed out)]
11:14 -!- BoomSie [n=gideon@84-245-27-118.dsl.cambrium.nl] has joined ##openvpn
11:25 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: help with OpenVPN for Ubuntu :: Reply by dustin.mann9 <http://www.ovpnforum.com/viewtopic.php?f=4&t=2402&p=2863#p2863> || Server Administration :: Re: working standard TUN config :: Reply by Douglas <http://www.ovpnforum.com/viewtopic.php?f=4&t=3&p=2864#p2864>
11:41 -!- kyrix [n=ashley@91-114-134-188.adsl.highway.telekom.at] has joined ##openvpn
11:44 -!- ScriptFan is now known as ScriptFanix
11:51 < reiffert> how to say that in english when a person leaves a company?
11:51 < krzee> to quit
11:51 < krzee> or if forced to leave, to be fired
11:52 < reiffert> the man is planning to leave the company
11:52 < krzee> is planning to quit
11:52 < reiffert> I want to write smth like: I really regret your plan to quit the company
11:52 < krzee> that you plan to quit the company
11:52 < krzee> but ya
11:53 < krzee> yours is right, just not how ild say it
11:53 < reiffert> :)
11:53 < reiffert> thanks!
11:55 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: working standard TUN config :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=4&t=3&p=2865#p2865>
11:55 < Dougy> krphop
11:56 < Dougy> krzee
11:56 < Dougy> thats my other job
11:56 < Dougy> comic relief
11:56 < Dougy> :D
11:56 < Dougy> !wins
11:56 < vpnHelper> Dougy: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
12:00 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
12:02 < krzee> also, you can do windows shares by IP without needing WINS at all.
12:05 < Dougy> i just nuked those posts
12:05 < Dougy> lol
12:06 < krzee> lame
12:06 < krzee> that might have helped someone
12:06 < Dougy> i doubt it
12:06 < Dougy> http://www.ovpnforum.com/viewtopic.php?f=4&p=2863
12:06 < Dougy> ^
12:06 < vpnHelper> Title: OpenVPN Forum View topic - help with OpenVPN for Ubuntu (at www.ovpnforum.com)
12:06 < krzee> how so?
12:07 < Dougy> i dont know how to answer him
12:07 < krzee> you obviously didnt know the wins stuff, im sure you arent the only one
12:07 < Dougy> because krzee if they actually read the bot output (unlike me) they would understand
12:07 < Dougy> i didnt know cuz i didnt read the bot's clear explanation
12:07 < Dougy> lol
12:07 < krzee> you clearly had read it, just not understand
12:07 < Dougy> i skimmed it
12:07 < Dougy> no, i skimmed
12:07 < Dougy> saw tap somewhere in there and then replied about it
12:07 < Dougy> lol
12:07 < krzee> its 3.5 lines
12:08 < krzee> a skim would catch it
12:08 < krzee> :-p
12:08 < Dougy> i dont read read, i really skim
12:08 < Dougy> to the point i just said
12:09 -!- kyrix [n=ashley@91-114-134-188.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
12:10 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
12:10 < Dougy> Gaines Adams dies
12:10 < Dougy> Bears DE Gaines Adams, 26, died Sunday due to cardiac arrest caused by an enlarged heart, coroner says
12:10 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
12:16 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
12:17 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
12:17 < krzee> Dougy, 
12:17 < krzee> If you want the clients to interface with one another, you need to add 'client-to-client' to the server configuration.
12:17 < krzee> see !c2c
12:18 < krzee> thats only somewhat true
12:18 < Dougy> correct me
12:18 < Dougy> in the thread obv
12:18 < krzee> doesnt need to be done in that one
12:18 < krzee> !c2c
12:18 < vpnHelper> krzee: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
12:18 < vpnHelper> krzee: behind other clients
12:21 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Remote closed the connection]
12:21 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
12:25 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Remote closed the connection]
12:26 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
12:31 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Remote closed the connection]
12:31 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
12:47 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
12:48 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
12:48 -!- BoomSie [n=gideon@84-245-27-118.dsl.cambrium.nl] has quit [Read error: 110 (Connection timed out)]
12:55 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: help with OpenVPN for Ubuntu :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=4&t=2402&p=2867#p2867>
13:11 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Excess Flood]
13:11 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
13:19 -!- mithridates [n=chatzill@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit [Connection timed out]
13:24 -!- mithridates [n=chatzill@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
13:25 < vpnHelper> New forum entry openvpnforum: Off Topic, Related :: OpenVPN Technologies & OpenVPN Community Relationship :: Author ecrist <http://www.ovpnforum.com/viewtopic.php?f=1&t=2467&p=2868#p2868>
13:31 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Connection timed out]
13:32 < krzee> _________________
13:32 < krzee> "You cannot invade the mainland United States. There would be a rifle behind each blade of grass."
13:32 < krzee> "A brilliant man would find a way not to fight a war."
13:32 < krzee> -- Admiral Isoroku Yamamoto
13:32 < krzee> love that quote
13:32 < Dougy> me too
13:32 < krzee> lets just hope the republicrats dont take away all our guns
13:33 < krzee> well all your guns, i left ;]
13:33 < Dougy> pussy
13:33 < krzee> is that an "you are what you eat" type thing?
13:33 < Dougy> yeah
13:33 < Dougy> you've got 2 lips and inside is warm, so i guess so
13:34 < krzee> erm
13:34 < Dougy> ROFL
13:34 < krzee> o...k...
13:34 < Dougy> you started it
13:36 -!- bewst [n=bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has joined ##openvpn
13:37 < bewst> !welcome
13:37 < vpnHelper> bewst: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:37 < krzee> !goal
13:37 < bewst> !redirect
13:37 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:37 < vpnHelper> bewst: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:38 -!- Sord444 [n=Sord444@user-12l2jcd.cable.mindspring.com] has joined ##openvpn
13:40 < bewst> Goal: route /all/ client traffic through server.  Symptom: works fine if I set up manual IP/gateway on client.  Using DHCP I keep getting a gateway address of 10.8.0.5 when it should be 10.8.0.1
13:41 < Sord444> Heh I came in to ask for help, but I just realized my pf firewall wasn't passing in/out on tun0...
13:41 < krzee> .1 is for the server
13:41 < krzee> .6 of first client
13:41 < krzee> .5 is internal to openvpn, its the gateway for the client
13:41 < krzee> !/30
13:41 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
13:42 < Dougy> Sord444: lols
13:42 < krzee> Sord444, good job
13:42 < krzee> Sord444, did the topic help?
13:42 < bewst> kzree: .5 may be gateway for client, but I have to set the gateway to .1 if I want it to work
13:43 < krzee> bewst,
13:43 < krzee> !configs
13:43 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
13:44 < bewst> kzree: server: http://dpaste.com/146559/
13:45 < krzee> you shouldnt need to manually change anything
13:45 < krzee> lets see the client log at verb 5
13:46 < krzee> (2 lines up assumes nothing goofy in client config)
13:46 < bewst> kzree: client: http://dpaste.com/146560/
13:46 < bewst> kzree: coming up
13:47 < krzee> ok nothing goofy going on there, i want proof of what you say not working
13:47 < Sord444> krzee, lol no i didnt even see that.  just as i joined i was tweaking pf and thought oh i wonder if thats the problem
13:54 < bewst> krzee: http://dpaste.com/146563/   sorry it took so long
13:54 < bewst> kzree: the client can't browse when connected
13:54 < bewst> I have done the MASQUERADE dance
13:55 < krzee> bewst, that is setup correct
13:55 < krzee> !linnat
13:55 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
13:55 < krzee> !linipforward
13:55 < vpnHelper> krzee: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
13:56 < bewst> krzee: didn't know about that last thing
13:56 < rob0> That factoid assumes that sysctl.conf(5) is being used. Slackware by default does not.
13:57 < Dougy> oh hey
13:57 < Dougy> that was my contribution
13:57 < Dougy> i remember that
13:57 < Dougy> hehe
13:57 < krzee> rob0, then how in slack?
13:58 < bewst> krzee: whoo hoo!
13:58 < rob0> there is a /etc/rc.d/rc.ip_forward which can be made executable.
13:58 < krzee> =]
13:58 < Dougy> openvpn has always been a bit of a pain for me
13:58 < bewst> krzee: just to be double sure: how can I confirm that the windows client is going through the VPN and not using its other 'net connection directly?
13:58 < krzee> rob0, once you +x it ip forward is enabled on boot?
13:58 < Dougy> i need to find a good way to make it start on boot
13:58 < krzee> bewst, whatismyip.com
13:58 < rob0> Very Painful Networking :)
13:58 < krzee> or secure-computing.net
13:58 < bewst> krzee, excellent
13:59 < rob0> krzee, correct
13:59 < krzee> http://secure-computing.net/ip.php
13:59 < vpnHelper> Title: SCN: SCN (at secure-computing.net)
13:59 < Dougy> ecrist how do i get to awstats aain
13:59 < Dougy> again
13:59 < Dougy> oh
13:59 < Dougy> secure-computing.net has
13:59 < krzee> !learn linipforward as chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
13:59 < vpnHelper> krzee: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
14:00 < krzee> !learn linipforward as chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
14:00 < vpnHelper> krzee: Joo got it.
14:06 < Dougy> now to make openvpn start on boot
14:10 < Dougy> krzee: ever done that before
14:11 < krzee> of course, theres countless ways on each OS
14:29 -!- Sord444 [n=Sord444@user-12l2jcd.cable.mindspring.com] has quit ["Leaving"]
14:32 < Dougy> Mon Jan 18 07:34:21 2010 Note: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
14:32 < Dougy> Mon Jan 18 07:34:21 2010 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
14:32 < Dougy> Mon Jan 18 07:34:21 2010 Cannot allocate TUN/TAP dev dynamically
14:32 < Dougy> Mon Jan 18 07:34:21 2010 Exiting
14:32 < Dougy> [root@vpn openvpn]# ls -al /dev/net/tun
14:32 < Dougy> crw------- 1 root root 10, 200 Jan 18 07:33 /dev/net/tun
14:32 < Dougy> afdgklkdfja
14:32 < Dougy> really
14:32 < Dougy> openvz eat m
14:32 < Dougy> e
14:33 < Dougy> oh fixed
14:33 < krzee> isnt there openvz specific stuff you did?
14:34 < krzee> if so, go make a writeup for the wiki!
14:34 < Dougy> yeah my CP that does it didnt work right
14:34 < Dougy> so i modprobe'd tun
14:34 < Dougy> and it worked
14:34 < Dougy> hehe
14:34 < krzee> lol
14:34 < krzee> but i mean openvz specific
14:34 < Dougy> yes there is stuff
14:34 < krzee> that was just loading tun module
14:34 < Dougy> http://wiki.openvz.org/VPN_via_the_TUN/TAP_device
14:34 < vpnHelper> Title: VPN via the TUN/TAP device - OpenVZ Wiki (at wiki.openvz.org)
14:35 < krzee> !learn openvz as http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn bout openvz specific stuff with regards to openvpn
14:35 < vpnHelper> krzee: Joo got it.
14:36 < krzee> thx
14:41 < Dougy> !ipforward
14:41 < vpnHelper> Dougy: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
14:41 < Dougy> !linipforward
14:41 < vpnHelper> Dougy: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
14:56 < Dougy> gah wtf
14:56 < Dougy> openvz pissing me off
15:10 -!- bewst [n=bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has quit ["Leaving."]
15:12 -!- Dougy [n=me@ool-435033e6.dyn.optonline.net] has quit []
15:12 -!- Dougy [n=me@vpn.douglashaber.com] has joined ##openvpn
15:13 < Dougy> hooah vpn
15:15 -!- HazardX [n=HazardX3@pool-96-252-45-198.bstnma.fios.verizon.net] has joined ##openvpn
15:21 < poningru> I had a question
15:22 < poningru> ok more of a feature request
15:22 < poningru> can openvpn client have a cisco mode?
15:22 < poningru> for their new ssl vpn
15:23 < poningru> I mean all it is just a messed up ssl implementation
15:23 < rob0> probably not
15:23 < poningru> rob0, any reason why?
15:24 < rob0> totally different implementation of a SSL VPN? Maybe a proprietary specification? Lots of reasons why.
15:25 < rob0> If Cisco wanted it to be openvpn-compatible, they easily could have made it so.
15:25 < poningru> rob0, err they are just using openssl
15:26 < poningru> granted an older one but still
15:26 -!- kyrix [n=ashley@91-114-134-188.adsl.highway.telekom.at] has joined ##openvpn
15:26 < rob0> Did you ask the Cisco folks if their thing is openvpn-compatible?
15:26 < poningru> ...
15:26 < poningru> I know it isnt
15:27 < poningru> there are no 'cisco folk' to ask
15:27 < poningru> there is a client called openconnect that does the job
15:27 < rob0> Oh, if you are a paying customer, they surely have support?
15:28 < poningru> just for brevity's sake it would be awesome if openvpn's client had similar support
15:28 < rob0> Then what you are asking is for openvpn to implement openconnect all in the same binary?
15:28 < poningru> pretty much yeah
15:29 < poningru> it isnt a big deal at all... it is dead simple to have either or
15:30 < poningru> but... would be nice if openconnect or something similar came under the awesome community that is openvpn
15:30 < Dougy> hmm
15:30 < Dougy> time to open a new location for VPS sales
15:30 < rob0> I doubt that would be practical. You can ask James on the -devel mailing list, but I'm betting the answer would be no.
15:30  * Dougy sends email to announce NJ location
15:31 < poningru> rob0, fair enough
15:32 < poningru> Dougy, vps sales?
15:32 < Dougy> yes?
15:32 < poningru> Dougy, selling virtualization?
15:32 < Dougy> yes
15:33 < poningru> god I need to get into the business of taking stupid peoples money
15:33 < Dougy> poningru: ?
15:33 < poningru> 2 hours of research and you can setup virtualization at no cost to you (other than hardware)
15:34 < poningru> and yet... people spend money on consultants
15:34 < Dougy> ya, thats the whole point of renting some virtualized stuff
15:34 < Dougy> people are happy to pay me $20 to rent 512MB RAM and a chunk of a quadcore
15:34 < poningru> oh... I guess that is different
15:35 < poningru> I was thinking you were setting up virtualization for companies
15:35 < poningru> nvm
15:35 < Dougy> oh
15:35 < Dougy> i get paid a fortune for that
15:35 < poningru> ...
15:35 < Dougy> i have a guy paying me $7500/month for a dual quadcore esxi machine.. cost me $2500 to build it
15:35 < Dougy> and i manage it for him
15:35 < poningru> sigh...
15:35 < poningru> see my company does something similar
15:36 < poningru> I think they pay something like 100K per year to sugarcrm to manage/custom code our pos crm
15:36 < poningru> and it is HORRIBLE too
15:36 < Dougy> lol
15:36 < Dougy> fail.
15:36 < poningru> seriously
15:36 < poningru> I need to get into consultancy
15:37 < poningru> I should probably get a few certifications
15:37 < Dougy> that company is nice
15:37 < Dougy> they pay for me to have a full rack in the dc
15:37 < Dougy> and a full gige for myself
15:37 < Dougy> loo
15:37 < Dougy> l
15:37 < poningru> who's data center?
15:37 < Dougy> Switch&Data
15:38 < poningru> whose*
15:38 < Dougy> its not quite my rack though
15:38 < Dougy> i just got a few U brocolo
15:38 < Dougy> company got the rest
15:38 < Dougy> i have a rack in another datacenter.
15:38 < poningru> I was thinking about creating a datacenter actually
15:38 < Dougy> i hope you have DEEP pockets
15:39 < poningru> hehe
15:39 < Dougy> caps for emphasis on how incredibly deep you need
15:39 < Dougy> now a days 20+mil for a smalll one
15:39 < poningru> if you are talking about hvac and power then it isnt that bad actually
15:39 < poningru> just^
15:40 < Dougy> 20+ mil for a very small d
15:40 < Dougy> c
15:40 < poningru> if you are talking about with the boxen then yes that makes sense
15:40 < Dougy> everything 
15:40 < Dougy> but really a decent sized one is close to 3 digit millions
15:42 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 54 (Connection reset by peer)]
15:43 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
15:46 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
15:57 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
16:08 < Dougy> ecrist
16:09 < Dougy> how did you set up moderated posts for first 2 posts
16:18 < ecrist> let me lok
16:18 < Dougy> all new users i have set to go to group A
16:19 < Dougy> which can't post w/o approval it says
16:19 < Dougy> so maybe now i just need to set it to move them at X post count
16:20 < ecrist> under user registration settings
16:20 < ecrist> New member post limit
16:20 < Dougy> New member post limit:
16:20 < Dougy> New members are within the Newly Registered Users group until they reach this number of posts. You can use this group to keep them from using the PM system or to review their posts. A value of 0 disables this feature.
16:20 < Dougy> just set that, and after they hit 2
16:20 < Dougy> for example
16:20 < Dougy> they can post freely?
16:20 < ecrist> yep
16:21 < Dougy> win
16:21 < ecrist> you have to setup the groups properly
16:21 < Dougy> in what sense
16:21 < Dougy> permissions?
16:21 < ecrist> yes
16:22 < Dougy> can you clue me in on what exactly?
16:22  * Dougy seems to think it looks like it'll work fine
16:22 < ecrist> group settings, which forums the 'newly registered users' can post to
16:22 < Dougy> oh taht
16:22 < Dougy> ok
16:22 < ecrist> are you setting up another forum or something?
16:22 < Dougy> yeah
16:25 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
16:34 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
16:37 -!- newmember_ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
16:42 -!- newmember_ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Client Quit]
16:51 < ecrist> Dougy: data centers don't have to cost that much.
16:52 < ecrist> sans rent, I can build a superb data center for a few hundred thousand
16:52 < ecrist> it really all depends on the size of the DC you're talking
16:54 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Read error: 110 (Connection timed out)]
16:59 -!- kyrixpower [n=ashley@80-121-0-254.adsl.highway.telekom.at] has joined ##openvpn
17:16 -!- kyrix [n=ashley@91-114-134-188.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
17:26 < vpnHelper> New forum entry openvpnforum: Wishlist :: Re: Statistics Offloading :: Reply by ecrist <http://www.ovpnforum.com/viewtopic.php?f=10&t=2413&p=2873#p2873>
17:46 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Remote closed the connection]
18:02 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
18:07 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
18:11 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
18:13 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
18:14 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection]
18:18 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Connection timed out]
18:32 -!- kyrixpower [n=ashley@80-121-0-254.adsl.highway.telekom.at] has quit [Client Quit]
18:33 -!- kyrix [n=ashley@80-121-0-254.adsl.highway.telekom.at] has joined ##openvpn
18:43 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Read error: 104 (Connection reset by peer)]
18:49 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
19:02 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
19:08 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
19:17 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has quit ["This computer has gone to sleep"]
19:31 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: rawDawg, jfkw, master_o1_master, Dougy, mithridates, ScriptFanix, poningru, LobbyZ
19:32 -!- fnbrier [n=fbrier@adsl-190-181-181.asm.bellsouth.net] has joined ##openvpn
19:34 < fnbrier> !welcome
19:34 < vpnHelper> fnbrier: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:36 -!- kyrix [n=ashley@80-121-0-254.adsl.highway.telekom.at] has quit [Remote closed the connection]
19:38 < fnbrier> I am willing to post all my logs and configs, but I am not sure it is necessary...
19:39 < fnbrier> I do not believe my problem is OpenVPN related...
19:40 < fnbrier> I can connect to my OpenVPN server from Windows XP.  The Windows XP box can ping the OpenVPN server.
19:41 < fnbrier> I can ping the Windows XP client from another system on my network and see the network traffic on the Windows XP box.
19:42 < fnbrier> However, if I attempt to "ping -I tun0 10.27.1.20" (my DNS server on my server side LAN), from the OpenVPN server, it fails.
19:43 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
19:44 < fnbrier> So unless the tun0 interface handles ping weirdly, this seems to indicate OpenVPN is not the problem, correct?
19:44 < theDoc> !forum
19:44 < vpnHelper> theDoc: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
19:45 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
19:45 < fnbrier> What command or configuration do I need to have tun0 packets be forwarded to the eth0 interface?
19:46 < fnbrier> !route
19:46 < vpnHelper> fnbrier: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
19:53 -!- Netsplit over, joins: Dougy, mithridates, jfkw, master_o1_master, poningru, LobbyZ, rawDawg, ScriptFanix
19:55 < reiffert> fnbrier: 
19:55 < reiffert> !linnat
19:55 < vpnHelper> reiffert: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
20:08 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit [Excess Flood]
20:09 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
20:09 -!- ggamer [n=ggamer@steinsel.perfect-privacy.com] has joined ##openvpn
20:09 < ggamer> hi
20:10 < ggamer> could anyone help me with a technical question?
20:10 < krzee> !ask
20:10 < vpnHelper> krzee: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/, or (#3) http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help
20:10 < Dougy> fuck
20:10 < Dougy> krzee you beat me to it
20:10 < Dougy> i had !as typed
20:10 < krzee> quick on the draw ;]
20:10 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit [Excess Flood]
20:11 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
20:12 < ggamer> my VPN provider has a feature that routes *all* traffic through the VPN, even flash and java and anything else you could think of. what is this feature called and does anyone know of any other VPN providers that have it?
20:12 < krzee> !def1
20:12 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
20:12 < krzee> !redirect
20:12 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
20:13 < krzee> its not application based, its route based, so it in fact does like you said, routes EVERYTHING
20:13 < krzee> as far as a name, i guess default routing over the vpn *shrug*
20:13 < krzee> im not 1 for marketing buzzwords i guess
20:14 < krzee> theDoc runs a company that does it, but that would be a subject for private msg
20:14 < ggamer> krzee: so it isn't one single thing im describing but a collection of things?
20:14 < Dougy> its a single thing
20:14 < Dougy> one line
20:14 < krzee> well its a single thing
20:14 < Dougy> push 'redirect-gateway def1 bypass-dhcp'
20:14 < krzee> 3 things to do to impliment it, 1 of them are in openvpn
20:14 < ggamer> then what is it called please?
20:14 < Dougy> !redirect
20:14 < vpnHelper> Dougy: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
20:14 < Dougy> ^
20:14 < krzee> did you read what my bot told you?
20:15 < krzee> --redirect-gateway is the openvpn option
20:15 < rob0> I thought the bot was talking to me!
20:15 < ggamer> it's called "redirect-gateway def1 bypass-dhcp?"
20:15 < krzee> def1 bypass-dhcp are optional flags to send to the redirect-gateway command
20:15 -!- HazardX [n=HazardX3@pool-96-252-45-198.bstnma.fios.verizon.net] has quit [Read error: 110 (Connection timed out)]
20:17 < ggamer> i want a complete 100% "redirect" so nothing gets through my computer's connection except through the VPN
20:17 -!- jaek_ [n=jaek@c-71-202-163-230.hsd1.ca.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
20:17 < reiffert> why would anyone use bypass-dhcp on redirect-gateway?
20:17 < theDoc> 'sup?
20:17 < theDoc> I heard my name.
20:17 < Dougy> ayo
20:17 < Dougy> whats good 
20:17 < Dougy> tD
20:17 < krzee> reiffert, did you read that flag?
20:17 < reiffert> krzee: no.
20:18 < ggamer> is that possible?
20:18 < ggamer> what flags would i use?
20:18 < Dougy> ggamer
20:18 < krzee> ggamer, none, you dont run the server
20:18 < Dougy> we just told you twice ...
20:18 < ggamer> im asking so I can go vpn shopping
20:18 < Dougy> talk to theDoc
20:18 < krzee> all will do it
20:18 < Dougy> he'll sell it to you
20:19 < Dougy> yo krzee
20:19 < Dougy> you on OS X?
20:19 < Bushmills> ggamer: the openvpn connection itself goes through your normal connection ...
20:19 < ggamer> Bushmills: no way
20:19 < krzee> dougy, yes
20:19 < Dougy> http://zoomvps.com/forum/index.php
20:19 < vpnHelper> Title: ZoomVPS Forums Index page (at zoomvps.com)
20:19 < Dougy> how does that integration look
20:19 < Dougy> lines up ok?
20:20 < ggamer> Dougy: you told me all kinds of different flags
20:20 < Bushmills> ggamer: unless you tunnel openvpn over another openvpn
20:20 < krzee> yes
20:20 < Dougy> sweet
20:20 < ggamer> Bushmills: you mean you can chain openvpns?
20:20 < krzee> sure, but not how bush just said
20:20 < reiffert> krzee: been reading it, still no idea why anyone wants to use bypass-dhcp.
20:20 < Bushmills> wouldn't call it chaining, but nesting
20:21 < krzee> they can be chained as well, but thats different
20:21 < krzee> reiffert, ive never needed it either, but i guess it fixes some lamesauce where dhcp servers overwrite the ip
20:21 -!- HazardX [n=HazardX3@pool-96-237-60-245.bstnma.fios.verizon.net] has joined ##openvpn
20:22 -!- HazardX [n=HazardX3@pool-96-237-60-245.bstnma.fios.verizon.net] has quit [Remote closed the connection]
20:23 < krzee> oh no i have it backwards
20:24 < reiffert> ?sdrawkcab
20:24 < Bushmills> ecuasemal
20:24 < Dougy> liaf
20:26 < theDoc> ggamer> What do you need?
20:26 < theDoc> There was something about a vpn and all? ;p
20:27 < reiffert> better talk to openvpn2009 or Kasx.
20:27 < ggamer> i wonder why you cant do redirect with tor
20:28 < krzee> you can, by using tor
20:28 < krzee> lol
20:28 < krzee> along with an app like proxifier
20:28 < ggamer> you don't know very much about tor krzee 
20:28 < krzee> oh really?
20:28 < krzee> lol
20:28 < theDoc> Tor is horrible. 
20:28 < theDoc> ;p
20:28 < Dougy> lol who the hell does this joke think he is
20:28 < Dougy> krzee will shit in your cereal
20:28 < krzee> hes trolling
20:29 < fnbrier> May I ask for some help?
20:29 < Dougy> don't ask
20:29 < krzee> go ahead dougy
20:29 < Dougy> if you can ask
20:29 < Dougy> just ask
20:29 < ggamer> he's not asking
20:29 < ggamer> he's asking to ask
20:29 < fnbrier> I think I am missing a route command.
20:29 < ggamer> :)
20:29 < Dougy> ggamer: shut it
20:29 < reiffert> fnbrier: I already gave you:
20:29 < Dougy> smart ass
20:29 < reiffert> !linnat
20:29 < vpnHelper> reiffert: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
20:30 < fnbrier> Okay.  I went to that web page.  I guess I just did not get it.
20:31 < fnbrier> My configuration is not a NAT, is it?
20:31 < reiffert> fnbrier: just copy paste that first command, done.
20:31 < fnbrier> I am using OpenVPN with routing, not bridging.
20:31 < krzee> lulz
20:31 < krzee> ok im outtahere guys, enjoy :)
20:32 < ggamer> is that for my chinese food
20:32 < krzee> oh but before i go
20:33 -!- mode/##openvpn [+o krzee] by ChanServ
20:33 < Dougy> uh oh
20:33 -!- mode/##openvpn [+b *!*@steinsel.perfect-privacy.com] by krzee
20:33 -!- ggamer was kicked from ##openvpn by krzee [krzee]
20:33 < Dougy> hahahahahaa krzee <3
20:33 <@krzee> bibi
20:33 -!- mode/##openvpn [-o krzee] by krzee
20:33 < Dougy> bye
20:34 < rob0> Copy/paste of that command might not work. It assumes that eth0 is the external interface.
20:35 < theDoc> Wow, perfect privacy customer?
20:35 < reiffert> rob0: he was saying so.
20:35 < theDoc> Way to go, troll.
20:35 < rob0> oh
20:36 < fnbrier> So the -s (source) 10.8.0.0/24 refers to the tun0 interface?  So if my tun0 for the client was 10.27.8.0, I would type: "iptables -t nat -A POSTROUTING -s 10.27.8.0/24 -o eth0 -j MASQUERADE"
20:36 < fnbrier> ?
20:36 < Dougy> sounds right
20:41 < fnbrier> Hmm... Did not work...  I hate not understanding.  My test to see if this is working is to ping -I tun0 10.27.1.20 (my DNS server), which fails and just failed.  Is that a valid test?
20:41 < fnbrier> And the ping is being run on the OpenVPN server.
20:45 < reiffert> fnbrier: run tcpdump.
20:45 < rob0> How about you describe the goal a bit better?
20:45 < reiffert> while letting the ping run from client to dns server:
20:45 < reiffert> on the openvpn server:
20:45 < reiffert> tcpdump -n -i tun0 proto ICMP
20:45 < reiffert> see anything?
20:45 < reiffert> rob0: he already did.
20:45 < fnbrier> I am SO close.  I can ping the client from a machine on the OpenVPN LAN.  The client can ping both the OpenVPN server's tun0 IP and its eth0 IP.  But it cannot ping servers on the OpenVPN LAN.
20:46 < fnbrier> Will do reiffert.  And thank you SO much for the help.
20:46 < reiffert> fnbrier: ah, stop it.
20:47 < reiffert> fnbrier: 1. remove that iptables rule we gave you.
20:47 < reiffert> fnbrier: iptables -t nat -L POSTROUTING --line-numbers -v -n
20:47 < reiffert> fnbrier: iptables -t nat -D POSTROUTING 12345
20:47 < reiffert> where 12345 is the line-number.
20:48 < rob0> (or just change the -A to -D)
20:48 < rob0> (in the original rule you typed)
20:48 < reiffert> fnbrier: 2. add a static route to your OpenVPN LAN's gateway, routing packets with destination 10.27.1.0/24 back to your OpenVPN Server.
20:48 < reiffert> fnbrier: done.
20:49 < reiffert> fnbrier: means:
20:49 < reiffert> fnbrier: paket from client to server travels from client to openvpn server to server
20:50 < reiffert> but how about the way back:
20:50 < reiffert> from server to server's gateway and dropped there.
20:50 < fnbrier> Sorry.  Having a bit of trouble removing the iptables rule
20:50 < reiffert> adding a static route, hands those pakets back to the openvpn server
20:50 < reiffert> rob0: you get the idea?
20:51 < reiffert> fnbrier: what trouble is it?
20:52 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
20:52 < reiffert> fnbrier: just a question inbetween: OpenVPN LAN's gateway is running Linux or Cisco?
20:52 < fnbrier> When I try to list the POSTROUTING rules, nothing shows up.
20:52 < reiffert> iptables -t nat -L POSTROUTING
20:52 < reiffert> nothing shows up?
20:52 < reiffert> like e.g.
20:53 < reiffert> mail:/home/thomas# iptables -t nat -L POSTROUTING
20:53 < reiffert> Chain POSTROUTING (policy ACCEPT)
20:53 < reiffert> target     prot opt source               destination
20:53 < fnbrier> Nada.  Yup.
20:53 < reiffert> ok, so it's gone already, or never was active.
20:53 < fnbrier> Now when I ran the ping from the client I received:
20:53 < reiffert> back to the question of inbetween:
20:54 < reiffert> u first
20:54 < fnbrier> 21:54:32.672867 IP 10.27.8.5 > 10.27.1.20: ICMP echo request, id 1024, seq 13312, length 40
20:55 < fnbrier> 4 times, once for each ping (which shows as failing on the client).
20:55 < fnbrier> No I did not add the static route yet.
20:56 < reiffert> great, let the ping run, then stop the tcpdump and run another one:
20:56 < reiffert> on the openvpn server: tcpdump -n -i eth0 proto ICMP
20:56 < reiffert> what do you get here?
20:56 < reiffert> should be somth like
20:56 < reiffert> 10.27.8.5 > 10.27.1.20: ICMP echo request
20:56 < reiffert> stop the tcpdump and run another one:
20:56 < reiffert> on the openvpn server: tcpdump -n -i eth0 proto ICMP
20:56 < reiffert> should get you somth like
20:56 < reiffert> 10.27.8.5 > 10.27.1.20: ICMP echo request
20:56 < reiffert> is it?
20:58 < reiffert> just gimme a yes or no.
20:58 < fnbrier> Not sure what is different..
20:58 < fnbrier> Same result.
20:58 < reiffert> great.
20:58 < reiffert> openvpn server is member of a lan.
20:59 < fnbrier> Ran the same tcpdump and ping.
20:59 < reiffert> what is the gateway of that lan?
20:59 < fnbrier> I did not get your response.
20:59 < reiffert> no, the 2nd command was different:
20:59 < reiffert> 2nd command: tcpdump -n -i eth0 proto ICMP
20:59 < fnbrier> 21:57:02.758222 IP 10.27.8.5 > 10.27.1.20: ICMP echo request, id 1024, seq 14336, length 40
20:59 < reiffert> 1st command: tcpdump -n -i tun0 proto ICMP
21:00 < fnbrier> Yes.
21:00 < reiffert> ok. stop running tcpdump here.
21:00 < reiffert> 03:58 < reiffert> openvpn server is member of a lan.
21:00 < fnbrier> Sorry.  Typed what you said.  First tun0 and then eth0.
21:00 < reiffert> 03:59 < reiffert> what is the gateway of that lan?
21:00 < fnbrier> Got the same result.
21:00 < reiffert> great news (same result)
21:00 < fnbrier> 10.27.1.1
21:01 < reiffert> 10.27.1.1 is running linux?
21:01 < fnbrier> It is a Linksys router.
21:01 < reiffert> sigh.
21:01 < reiffert> Which one?
21:01 < fnbrier> I did buy a box to put OpenWRT on, but have not gotten around to it yet.
21:02 < fnbrier> Just a sec.  Put the model numbers on my twiki,.
21:02 < fnbrier> BEFSX41 
21:02 < fnbrier> Firmware 1.52.15 
21:03 < fnbrier> I tried creating a static routing on the Linksys.
21:04 < reiffert> "tried"?
21:04 < fnbrier> The routing table on the Linksys shows Dest IP 10.27.8.0, Mask 255.255.255.0 GW 10.27.8.1, HOP 0, Iface LAN.
21:05 < reiffert> http://downloads.linksysbycisco.com/downloads/BEFSX41_V21_UG_B-WEB,0.pdf
21:05 < reiffert> page 7
21:05 < reiffert> Setup > Advanced Routing
21:05 < reiffert> This screen is used to set up the Router.s advanced
21:05 < reiffert> functions. Dynamic Routing automatically adjusts how
21:05 < reiffert> packets travel on your network. Static Routing sets up a
21:05 < reiffert> fixed route to another network destination.
21:05 < reiffert> wrong.
21:05 < reiffert> it should show:
21:05 < reiffert>  Dest IP 10.27.8.0, Mask 255.255.255.0 GW 10.27.1.IP_OF_OPENVPN_SERVER
21:06 < reiffert> what is the IP OF YOUR OPENVPN SERVER?
21:06 < fnbrier> Okay.  I can change that.
21:06 < fnbrier> 10.27.1.19
21:06 < reiffert> put it there.
21:06 < fnbrier> What should the hop count be?  0 does not seem right.
21:07 < reiffert> all the linksys knows about is the 10.27.1.0/24 net, he doesnt know how to reach 10.27.8.1
21:07 < reiffert> let it blank, choose 0 or whatever
21:07 < reiffert> Hop Count Enter the maximum number of steps between
21:07 < reiffert> network nodes that data packets will travel. A node is any
21:07 < reiffert> device on the network, such as a computer, print server,
21:07 < reiffert> or router.
21:07 < reiffert> take '1'
21:08 < reiffert> or 0, or 30
21:08 < Bushmills> reiffert: do you remember HB-Männchen?
21:08 < reiffert> Bushmills: sure I do
21:08 < reiffert> http://www.dasauge.de/medien/aktuell/g1150449348.jpeg
21:09 < Bushmills> :D
21:09 < Dougy> damn germans
21:09 < Dougy> go to sleep
21:09 < Dougy> its late
21:09 < reiffert> Bushmills: I allready got one in my mouth, waiting for fnbrier's confirmation
21:09 < reiffert> Dougy: no. it's early.
21:09 < Bushmills> http://www.youtube.com/watch?v=78W7s4beAvI
21:09 < vpnHelper> Title: YouTube - HB Männchen - Der Flugpionier (at www.youtube.com)
21:11 < reiffert> :)))
21:11 < Bushmills> i was just picturing go going ballistic a similar way
21:11 < Bushmills> you going ...
21:11 < reiffert> fnbrier: come one 'saving changes' shouldnt take that long.
21:12 < reiffert> Bushmills: fnbrier is slow. I dont like being slow.
21:12 < reiffert> Bushmills: which doesnt mean that I dont like him, or dont want to help him.
21:12 < reiffert> well, guess he already made it.
21:12 < Bushmills> http://www.youtube.com/watch?v=Uh9dkHdQOAg&NR=1
21:12 < vpnHelper> Title: YouTube - HB Männchen Fliege (at www.youtube.com)
21:13 < reiffert> now watching pakets as they arrive and as they leave the interfaces ;)
21:21 < reiffert> fnbrier: does it work? yes/no/maybe/dontknow?
21:24 -!- fnbrier [n=fbrier@adsl-190-181-181.asm.bellsouth.net] has quit [Read error: 110 (Connection timed out)]
21:25 -!- fnbrier [n=fbrier@adsl-190-180-224.asm.bellsouth.net] has joined ##openvpn
21:25 < reiffert> fnbrier: success?
21:25 < fnbrier> reiffert?
21:26 < fnbrier> Not yet...  I added a tcpdump to the DNS server and the pings do not make it there.
21:26 < reiffert> you said that they leave the eth0 interface on you openvpn server, didnt you?
21:26 < fnbrier> I have read that some people have had problems with VMWare, which I am not using.
21:27 < fnbrier> They are all my servers...
21:27 < reiffert> let's prove again: on openvpn server do:
21:27 < reiffert> tcpdump -n -i eth0 proto ICMP
21:27 < fnbrier> The OpenVPN server is a KVM VM on Fedora 11.
21:27 < reiffert> do you see the packets?
21:28 < fnbrier> Yes.
21:29 < fnbrier> And I just saw them on the DNS server too.
21:29 < fnbrier> !!!
21:29 < vpnHelper> fnbrier: Error: "!!" is not a valid command.
21:29 < reiffert> allright.
21:29 < fnbrier> Ping still failed on the Windows XP client.
21:29 < reiffert> on the dns server do:
21:29 < reiffert> tcpdump -n -i eth0 proto ICMP
21:29 < reiffert> paste what you see
21:29 < reiffert> paste to http://pastebin.ca/
21:29 < fnbrier> I was just doing that.
21:29 < reiffert> use copy and paste
21:29 < fnbrier> 22:28:08.826597 IP 10.27.8.5 > 10.27.1.20: ICMP echo request, id 1024, seq 19968, length 40
21:30 < reiffert> allright, disable the firewall on your DNS Server.
21:31 < fnbrier> After the above line repeated 4 times, the following line appeared 6 times:
21:31 < fnbrier> 22:30:06.662667 IP 10.27.1.20 > 10.27.1.154: ICMP host 10.27.1.20 unreachable - admin prohibited, length 60
21:31 < reiffert> 04:30 < reiffert> allright, disable the firewall on your DNS Server.
21:32 < fnbrier> Well, 4 times the length was 60 and 2 it was 56.
21:32 < fnbrier> Will do.
21:32 < reiffert> fnbrier: what is 1.254 doing here instead of 1.1?
21:32 < reiffert> 04:00 < reiffert> 03:59 < reiffert> what is the gateway of that lan?
21:32 < reiffert> 04:00 < fnbrier> 10.27.1.1
21:33 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
21:34 < fnbrier> Sorry.
21:35 < fnbrier> I was wondering where those packets were coming from.
21:35 < reiffert> fnbrier: they are coming from your firewall. the question is where are they heading to.
21:36 < fnbrier> 154 is my wife's laptop.
21:37 < reiffert> 254
21:37 < reiffert> oh, 154, my fault, forget about that.
21:37 < reiffert> how far did you get for disabling the firewall on .20?
21:37 < rob0> "admin prohibited"
21:38 < fnbrier> It is disabled.
21:38 < fnbrier> That was relatively easy.
21:39 < reiffert> copy paste what tcpdump shows.
21:40 < fnbrier> [root@derecho ~]# tcpdump -n -i eth0 proto ICMP
21:40 < fnbrier> tcpdump: WARNING: eth0: no IPv4 address assigned
21:40 < fnbrier> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
21:40 < fnbrier> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
21:40 < fnbrier> 22:39:28.358989 IP 10.27.8.5 > 10.27.1.20: ICMP echo request, id 1024, seq 23040, length 40
21:40 < fnbrier> 22:39:33.761364 IP 10.27.8.5 > 10.27.1.20: ICMP echo request, id 1024, seq 23296, length 40
21:40 < fnbrier> 22:39:38.775541 IP 10.27.8.5 > 10.27.1.20: ICMP echo request, id 1024, seq 23552, length 40
21:40 < fnbrier> 22:39:43.775618 IP 10.27.8.5 > 10.27.1.20: ICMP echo request, id 1024, seq 23808, length 40
21:40 < reiffert> ping pakets get to your DNS Server, it does not answer them.
21:41 < fnbrier> I have never used pastebin.ca before...  Need to learn about it...
21:41 < fnbrier> So why might it not answer them?
21:42 < reiffert> firewall.
21:42 < reiffert> icmp disabled
21:42 < fnbrier> Hmmm....
21:42 < Bushmills> 10.27.8.x and 10.27.1.x same subnet? otherwise return route on server? 
21:43 < reiffert> Bushmills: tcpdump -n -i eth0 proto ICMP should show the echo replys.
21:43 < Bushmills> on eth0?
21:43 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
21:43 < Bushmills> shouldn't those go to tun?
21:44 < reiffert> Bushmills: dns server no tun0
21:44 < Bushmills> CMP echo request
21:44 < fnbrier> Maybe I did not turn off the firewall...  I used the system-config-firewall gui and disabled/applied.
21:44 < Bushmills> ICMP
21:44 < reiffert> fnbrier: paste: iptables -L -v -n
21:44 < reiffert> to pastebin.
21:44 < reiffert> a
21:44 < reiffert> c
21:44 < reiffert> http://pastebin.ca
21:44 < reiffert> Bushmills: "ICMP echo request" saying what?
21:45 < Bushmills> (04:43:04) reiffert: Bushmills: tcpdump -n -i eth0 proto ICMP should show the echo replys.
21:45 < Bushmills> why replies on eth0?
21:45 < reiffert> Bushmills: dns server only got eth0.
21:46 < Bushmills> ah. dns problem. not openvpn problem?
21:46 < fnbrier> http://pastebin.ca/1755576
21:46 < Bushmills> didn't read all the backlog
21:46 < reiffert> fnbrier: fine, firewall's been turned off.
21:46 < Bushmills> assumed 10.x.x.x is openvpn, and ping not returning 
21:46 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
21:46 < reiffert> Bushmills: client -> server -> dns
21:46 < reiffert> Bushmills: ping gets to dns
21:46 < reiffert> Bushmills: dns doesnt send reply
21:47 < fnbrier> http://pastebin.ca/1755577
21:47 < reiffert> Bushmills: firewall's off
21:47 < reiffert> fnbrier: route -n
21:47 < fnbrier> The DNS server does not seem to have a route to the 10.27.8.0
21:47 < reiffert> fnbrier: cat /proc/sys/net/ipv4/icmp_echo_ignore_all
21:48 < fnbrier> http://pastebin.ca/1755578
21:48 < reiffert> fnbrier: we will care about that later, once your dns send out an icmp paket.
21:48 < fnbrier> 0
21:49 < reiffert> fnbrier: let me logon to your dns as root.
21:49 < reiffert> fnbrier: paste: ifconfig -a
21:49 < fnbrier> Well, that would be difficult unless I port forward into it.
21:49 < reiffert> (from dns)
21:50 < fnbrier> It is behind the firewall.
21:50 < fnbrier> The router.
21:50 < reiffert> fnbrier: paste: ifconfig -a
21:51 < fnbrier> http://pastebin.ca/1755583
21:51 < reiffert> paste: brctl show
21:51 < reiffert> fnbrier: allright: run another tcpdump on the dns:
21:51 < reiffert> tcpdump -n -i br0 proto ICMP
21:51 < reiffert> paste what it shows please
21:52 < fnbrier> http://pastebin.ca/1755584
21:53 < fnbrier> http://pastebin.ca/1755585
21:53 < reiffert> welcome to virtual world problems.
21:53 < reiffert> your DNS doesnt reply to the icmp ping pakets.
21:53 < reiffert> it should reply.
21:54 < reiffert> can you ping 10.27.1.154 from the openvpn client?
21:54 < fnbrier> http://pastebin.ca/1755587
21:55 < reiffert> vortex is?
21:55 < fnbrier> It will respond from other servers on the network.
21:55 < fnbrier> vortex is the OpenVPN server.
21:55 < reiffert> but it does not reply to requests from servers outside your network.
21:55 < fnbrier> derecho is the DNS server.
21:56 < fnbrier> It won't respond if I ping it using the tun0 interface
21:56 < reiffert> it does not reply to requests from servers outside your network.
21:57 < reiffert> it is supposed to answer them.
21:57 < reiffert> but it does not.
21:57 < fnbrier> Okay...  Hmmm...
21:57 < reiffert> and I have no idea why it doesnt do it.
21:57 < reiffert> thats why I was asking:
21:57 < reiffert> 04:54 < reiffert> can you ping 10.27.1.154 from the openvpn client?
21:57 < fnbrier> You have been amazing...  I have learned a lot even if I haven't solved the problem.
21:58 < fnbrier> No.  It is not responding.
21:58 < reiffert> turn off the firewall on 10.27.1.154
21:58 < reiffert> which is the laptop of your girl.
21:58 < fnbrier> Yah.
21:59 < fnbrier> But the box is now not responding from internal boxes.
21:59 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
22:00 < reiffert> turn it on.
22:00 < fnbrier> I just figured out what you were asking and tried it with a different box than the DNS server.
22:00 < fnbrier> The HDHomeRun embedded box is responding to pings over the OpenVPN link from the client.
22:01 < reiffert> great. it's not a virtual box I guess?
22:01 < reiffert> so you made it work finally, enjoy!
22:01 < fnbrier> No.  It is an embedded video capture box.
22:02 < fnbrier> And I can ping cyclone which is another Fedora11 host box with the same bridged networking.
22:02 < reiffert> cyclone is the host rather than a vm guest?
22:02 < fnbrier> Yes.
22:03 < fnbrier> But snow is a VM on cyclone and I can ping it too!
22:03 < reiffert> damn, reboot the nameserver...
22:04 < reiffert> are they on the same vm host? snow and derecho
22:04 < fnbrier> I can ping ice which is a VM on the host derecho!
22:04 < fnbrier> Again from the client.
22:05 < fnbrier> derecho is the only d@mn thing I cannot ping.
22:05 < fnbrier> So reboot derecho.
22:05 < fnbrier> Okay.  I can do that.
22:05 < reiffert> the only and that of your girl
22:06 < fnbrier> Yeah, but it is a Vista box :).
22:06 < reiffert> Excusing what, the firewall?
22:07 < reiffert> cyclone: paste ifconfig -a         and         brctl show
22:08 < fnbrier> I am rebooting derecho which is a VM host and also the DNS server for the network.  It is running dnsmasq.  I switch from bind 6 months ago.
22:08 < reiffert> ah, found the problem on derecho
22:08 < reiffert> netmask is wrong
22:08 < reiffert> #
22:08 < reiffert> [root@derecho ~]# ifconfig -a
22:08 < reiffert> #
22:08 < reiffert> br0       Link encap:Ethernet  HWaddr 00:26:18:F1:89:02 
22:08 < reiffert> # inet addr:10.27.1.20  Bcast:10.27.15.255  Mask:255.255.240.0
22:10 < reiffert> let say it's too big.
22:11 < fnbrier> Yeah.  I did not realize it was 240...
22:12 < fnbrier> brb
22:12 < reiffert> Im to bed, bye
22:14 -!- jMyles [n=justin@user-160uq6b.cable.mindspring.com] has joined ##openvpn
22:14 < jMyles> Hello everyone.
22:15 < jMyles> I'm getting "read UDPv4 [ECONNREFUSED|ECONNREFUSED]: Connection refused (code=111)" on my server.  I have googled and applied iptables rules, but the problem persists.
22:17 < fnbrier> reiffert!  Thank you!!!
22:17 < reiffert> you are welcome
22:17 < fnbrier> It works!!!
22:17 < fnbrier> I can ping the DNS server.
22:17 < fnbrier> Man, I feel really sheepish.
22:18 < fnbrier> I cannot believe you spotted that.
22:18 < reiffert> feel free to send money to my paypal account.
22:18 < fnbrier> What is your paypal account?
22:18 < reiffert> I sent a privmsg
22:22 < rawDawg> are you really gonna pay him?
22:30 < jMyles> I am trying to use the same certificate which I use for apache, which is signed.  Is this a good idea?  I get the following message: unable to get local issuer certificate
22:32 -!- Dougy [n=me@vpn.douglashaber.com] has quit [Read error: 110 (Connection timed out)]
22:49 -!- linucks [n=linucks@loft4610.serverloft.com] has joined ##openvpn
22:51 < linucks> Hi I am trying to set up a VPN on a VPS, I simply want my traffic to be forwarded from my computer via the VPN through the VPS to it's default gateway. What's the best way to do this? I am getting a bit confused.
22:52 < linucks> !welcome
22:52 < vpnHelper> linucks: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
22:52 < linucks> !redirect
22:53 < vpnHelper> linucks: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
23:19 < jMyles> I'm very new to openvpn - when I connect, should my client show a new tun0 device in ifconfig?
23:36 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
23:43 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
--- Day changed Mon Jan 18 2010
00:00 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit []
00:15 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
00:18 -!- jMyles [n=justin@user-160uq6b.cable.mindspring.com] has quit [Remote closed the connection]
00:19 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Read error: 110 (Connection timed out)]
00:34 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
00:44 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit [Excess Flood]
00:45 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
00:46 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit [Excess Flood]
00:47 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
00:47 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit [Excess Flood]
00:49 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
00:53 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
01:15 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
01:19 < Bushmills> yes
01:21 < Bushmills> linucks: "want my traffic to be forwarded from my computer via the VPN through the VPS to it's default gateway."  how does that involve openvpn?
01:21 < Bushmills> i mean, where is server, where is client?
01:22 < Bushmills> and what traffic do you want to reroute where to?
01:27 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
01:27 -!- mode/##openvpn [+o mattock] by ChanServ
01:30 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Read error: 113 (No route to host)]
01:32 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 110 (Connection timed out)]
01:45 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 54 (Connection reset by peer)]
01:49 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
01:53 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
01:58 -!- arvind [n=arvind@114.143.216.131] has joined ##openvpn
02:06 < arvind> http://pastebin.com/d9c2e3a8
02:06 < arvind> !welcome
02:07 < vpnHelper> arvind: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:07 < arvind> !goal
02:07 < vpnHelper> arvind: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
02:08 < arvind> !howto
02:08 < vpnHelper> arvind: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:08 < arvind> !route
02:08 < vpnHelper> arvind: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:14 < arvind> Goal: My VPN Server is on the Internet. I need LAN1(remote) to be able to talk to LAN2(also remote) through the VPN server. 1 machine on either LAN should act as the gateway for the respective LAN's. All the other machines must communicate through these.
02:15 < arvind> The 2 gateways can both connect to OpenVPN server and ping each other.
02:16 < arvind> LAN1 however cannot even ping the VPN server which is on the Internet.
02:16 < arvind> details are here - http://pastebin.com/d9c2e3a8
02:29 < jmm> hi.
02:34 -!- d12fk [n=heiko@vpn.astaro.de] has quit [Remote closed the connection]
02:56 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
02:57 -!- cityLights [i=nobody@bzq-84-111-46-151.red.bezeqint.net] has joined ##openvpn
03:00 -!- teddymills [n=teddy@208.92.235.227] has quit [Read error: 104 (Connection reset by peer)]
03:00 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
03:03 -!- tjz2 [n=tjz@bb116-15-75-62.singnet.com.sg] has joined ##openvpn
03:04 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)]
03:04 < cityLights> hi all , where can I ask about bridging?
03:08 -!- master_of_master [i=master_o@p57B562BF.dip.t-dialin.net] has joined ##openvpn
03:12 < eightfold> i open a vpn connection using this openvpn config file [ http://paste.debian.net/56985 ]. i want the applications run under the user account "vpn" on my debian install to only have access to the internets via tun0 (openvpn), the "vpn" user should be able to access the eth0 connection. i want all the other users accounts to default to _not_ using the vpn connection, i want them to use eth0.
03:12 < eightfold> the tunnel works but per default it redirects all traffic via tun0. if i add these lines to iptables [ http://paste.debian.net/56940/ ] the applications not running via the user "vpn" can't access the intarwebs (like firefox). i suppose that is because they try to use the tun0 connection, but the iptables lines says they can not.
03:13 < eightfold> how do i get openvpn to not by default be "system wide"? i just want to redirect the user account on my computer with the name "vpn" to be forced to use the tunnel. i have been looking at "redirect-gateway" in the .ovpn file. def1 seems to force connection to be system wide. right now that is what seems to happen even though i don't have that setting. ideas?
03:18 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
03:18 -!- master_o1_master [n=master_o@p57B570F2.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
03:20 -!- tjz [n=tjz@unaffiliated/tjz] has quit [Read error: 110 (Connection timed out)]
03:24 < eightfold> sorry, the first of those above three lines should say "the "vpn" user should NOT be able to access the eth0 connetction"
03:25 -!- arvind [n=arvind@114.143.216.131] has quit ["Leaving"]
03:25 < JodaX> tl;dr, eightfold
03:26 < eightfold> hmm, sawry.
03:28 < eightfold> in short: i want to connect to a openvpn tunnel but i don't want it (tun0) to  become the default system wide network interface.
03:39 < JodaX> why would it become that ?
03:39 < JodaX> no other interfaces, using redirect-gateway or some push route somewhere ?
03:40 < eightfold> JodaX: my conf: http://paste.debian.net/56985
03:41 < eightfold> JodaX: could it be the redirect-gateway line?
03:41 < JodaX> thats client conf, server conf can also push stuff
03:41 < JodaX> but you gotz dat redirect-gateway in dere, remove dat
03:43 -!- cityLights [i=nobody@bzq-84-111-46-151.red.bezeqint.net] has quit [Remote closed the connection]
03:55 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 113 (No route to host)]
04:23 -!- cityLights [n=cityLigh@bzq-84-111-46-151.red.bezeqint.net] has joined ##openvpn
04:24 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
04:25 < eightfold> JodaX: can't try right now, but will test later. is there a way to override settings pushed by server?
04:30 < cityLights> hi, how can I block dhcp request from a client subnet reaching the servers subnet
04:30 -!- buntfalke [n=nobody@openvpn-p0-122.triple-a.uni-kl.de] has joined ##openvpn
04:31 -!- buntfalke is now known as Guest18307
04:33 -!- dazo_afk is now known as dazo
04:38 -!- Guest18307 [n=nobody@openvpn-p0-122.triple-a.uni-kl.de] has quit [Remote closed the connection]
04:38 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
04:42 -!- polaru [n=polaru@93.113.192.70] has quit [Excess Flood]
04:42 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
04:44 -!- polaru [n=polaru@93.113.192.70] has quit [Excess Flood]
04:44 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
04:45 -!- polaru [n=polaru@93.113.192.70] has quit [Excess Flood]
04:45 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
04:46 -!- polaru [n=polaru@93.113.192.70] has quit [Excess Flood]
04:47 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
04:48 -!- polaru [n=polaru@93.113.192.70] has quit [Excess Flood]
04:48 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
04:49 -!- polaru [n=polaru@93.113.192.70] has quit [Excess Flood]
04:50 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
04:51 -!- polaru [n=polaru@93.113.192.70] has quit [Excess Flood]
04:51 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
04:54 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [SendQ exceeded]
04:54 -!- buntfalke [n=nobody@openvpn-p0-122.triple-a.uni-kl.de] has joined ##openvpn
04:55 -!- buntfalke is now known as Guest21937
05:00 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Remote closed the connection]
05:02 -!- Guest21937 [n=nobody@openvpn-p0-122.triple-a.uni-kl.de] has quit [Client Quit]
05:02 -!- Guest21937 [n=nobody@openvpn-p0-122.triple-a.uni-kl.de] has joined ##openvpn
05:02 -!- Guest21937 [n=nobody@openvpn-p0-122.triple-a.uni-kl.de] has quit [Remote closed the connection]
05:02 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:04 -!- YaManicKill [n=ali@130.159.141.69] has joined ##openvpn
05:05 < YaManicKill> when trying to push dns options through openvpn, what should i use as the ip?
05:13 < reiffert> those of your nameservers.
05:17 < YaManicKill> and if i dont have an internal nameserver, can i put an external one? (such as 8.8.8.8)
05:19 -!- MrJK [n=jezu@194.199.166.96] has quit [Read error: 104 (Connection reset by peer)]
05:20 < kisom> YaManicKill: provided that the client will be able to access an external DNS server, yes you an put it there
05:21 < YaManicKill> hmmm ok, well for some reason it isnt working. and i know its dns, cause i can go to website when i enter the ip address
05:22 < kisom> YaManicKill: Do you redirect client traffic thru the VPN?
05:23 < YaManicKill> server conf - http://pastebin.com/f1f59c692
05:24 < YaManicKill> kisom: i'm pretty sure i do. push "redirect-gateway" does that, yeah?
05:24 < kisom> yes it does. make sure you enable masquerade mode in iptables and tell the kernel to forward packets
05:25 < kisom> im sorry, but i have to go, got a plane to catch
05:25 < kisom> good luck with your VPN
05:39 -!- JodaX [n=NOTOKAY@ks22848.kimsufi.com] has quit [Read error: 60 (Operation timed out)]
05:50 < le0> !nat
05:50 < vpnHelper> le0: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
06:09 < YaManicKill> ok, what would i need to do for this http://pastebin.com/d7c91675b to allow openvpn connections?
06:09 < YaManicKill> (thats my iptables)
06:14 < DarkAnt> YaManicKill: I'm just curious what linnat and fbsdnat are
06:14 < DarkAnt> !linnat
06:14 < vpnHelper> DarkAnt: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
06:15 < DarkAnt> !fbsdnat
06:15 < vpnHelper> DarkAnt: "fbsdnat" is see http://cavanantha.wordpress.com/2007/09/16/nat-on-freebsd-using-pf/ for a basic howto for NAT on FreeBSD
06:15 < DarkAnt> ok, I run a linux nat
06:16 < DarkAnt> !staicip
06:16 < vpnHelper> DarkAnt: Error: "staicip" is not a valid command.
06:16 < DarkAnt> !staic-ip
06:16 < vpnHelper> DarkAnt: Error: "staic-ip" is not a valid command.
06:17 < DarkAnt> !staticip
06:17 < vpnHelper> DarkAnt: Error: "staticip" is not a valid command.
06:17 < DarkAnt> !static-ip
06:17 < vpnHelper> DarkAnt: Error: "static-ip" is not a valid command.
06:17 < DarkAnt> bah
06:17 < YaManicKill> lol
06:17 < reiffert> !factoids search --values static
06:17 < vpnHelper> reiffert: 'static', 'iporder', 'hmac', 'ipp', 'ipp', and 'iporder'
06:17 < DarkAnt> ah, niffty
06:18 < DarkAnt> !static
06:18 < YaManicKill> !iptables
06:18 < vpnHelper> DarkAnt: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
06:18 < vpnHelper> YaManicKill: "iptables" is (#1) o test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT;, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-
06:18 < vpnHelper> YaManicKill: computing.net/wiki/index.php/OpenVPN/Firewall
06:18 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
06:20 < DarkAnt> !iporder
06:20 < vpnHelper> DarkAnt: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
06:29 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
06:32 < DarkAnt> what actually goes into a client connect script. I'm having trouble finding the documentation for it
06:36 < DarkAnt> oh, there's a lot going on with that script
06:39 < DarkAnt> and its all scattered about in the documentation as far as I can tell :/
06:43 < DarkAnt> !factoids search --values script
06:43 < vpnHelper> DarkAnt: 'iporder', 'mitm', 'crl', 'ipv6', and 'pushdns'
06:46 < dazo> DarkAnt:  what exactly are you looking for?
06:52 < DarkAnt> I'm trying to figure out how to hand out static ip addresses
06:53 < DarkAnt> actually, my end goal is to have some form of a dns
06:56 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
06:59 -!- cityLights [n=cityLigh@bzq-84-111-46-151.red.bezeqint.net] has quit ["Leaving"]
07:02 -!- tjz2 [n=tjz@bb116-15-75-62.singnet.com.sg] has quit ["bbl"]
07:02 -!- tjz [n=tjz@bb116-15-75-62.singnet.com.sg] has joined ##openvpn
07:13 < DarkAnt> so that I can type "ssh some_server" and I'll be able to log in
07:14 < DarkAnt> uh oh, I've to shovel snow. I'll be sure to read whatever anyone types when I get back
07:18 -!- mithridates [n=chatzill@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
07:34 < ecrist> good morning
07:34 < reiffert> rawDawg2: I wrote "feel free" which is what I meant.
07:35 < reiffert> rawDawg2: so if he's going to get me some bucks I'll feel happy. If he doesnt I'll feel happy as well.
07:36 < reiffert> hi ecrist 
07:39 < dazo> g'afternoon
07:39 < reiffert> hi dazo
07:39 < dazo> :)
07:40 < reiffert> ecrist: do we have graphviz (especially: dot plugin) on the wiki !route is living at?
07:40 < ecrist> not sure what you mean
07:41 < reiffert> !route
07:41 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:41 < ecrist> is graphiz a plugin for mediawiki?
07:41 < reiffert> it's a mediawiki, is it?
07:41 < ecrist> yes, the wiki is mediawiki
07:41 < reiffert> http://www.mediawiki.org/wiki/Extension:Graphviz
07:41 < vpnHelper> Title: Extension:Graphviz - MediaWiki (at www.mediawiki.org)
07:42 < ecrist> it's not installed yet, but I can do that for you, if you'd like.
07:42 < reiffert> graphviz example: http://www.graphviz.org/Gallery/directed/unix.html
07:42 < vpnHelper> Title: Graphviz Example: UNIX Family 'Tree' (at www.graphviz.org)
07:42 < reiffert> ecrist: I really like to have graphviz there. I like it for drawing network maps.
07:43 < ecrist> Since I've discontinued my personal wiki, there's no download at the moment. I might decide to put the code online again on my new page at a later time, but for the moment, I'm sorry.
07:44 < reiffert> "no download" of what in particular?
07:44 < ecrist> the extension
07:44 < ecrist> the php code to include graphviz in mediawiki
07:44 < reiffert> so the secure-computing.net wiki is running at what place?
07:45 < reiffert> (I still dont get it right I think)
07:46 < ecrist> it is running at my home, in my server room, on a freebsd 7.2p2 system
07:46 < reiffert> but you cannot download the graphviz extension because you have stopped your personal wiki?
07:47 < ecrist> no, I pasted what is under the 'Download' section of the mediawiki link you gave me
07:47 < ecrist> sorry, I wasn't clear with my paste. 
07:48 < ecrist> I need GraphvizExtension.php to include it in mediawiki, but there's no download link available
07:49 < ecrist> http://www.mediawiki.org/wiki/Extension:GraphViz
07:49 < vpnHelper> Title: Extension:GraphViz - MediaWiki (at www.mediawiki.org)
07:49 < ecrist> that might be a better page
07:49 < ecrist> it has a download link
07:50 < reiffert> "Of course the only requisite for this plugin to work is the graphviz program; you can download it from here"
07:50 < reiffert> pkg_add -r graphiv or similar
07:51 < reiffert> then click on 
07:51 < reiffert> Install instructions
07:51 < reiffert> 1. Download Graphviz.php.
07:51 < reiffert> getting you here: http://mwextensions.cvs.sourceforge.net/*checkout*/mwextensions/mediawikiextensions/Graphviz.php
07:51 < reiffert> or choose http://www.mediawiki.org/wiki/Extension_talk:GraphViz#Improvement
07:51 < vpnHelper> Title: Extension talk:GraphViz - MediaWiki (at www.mediawiki.org)
07:51 < reiffert> 2. Copy Graphviz.php to the $mediawiki/extensions directory.
07:52 < reiffert> add stuff to localsettings.php, check if it works, done, thanks
07:52 < reiffert> :)
07:53 < ecrist> working on getting it installed now, reiffert
08:01 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
08:03 < newmember> I can use <ca> and <key> and <cert> in the client config file, what is the syntax for using a "secret passphrase"? 
08:04 < ecrist> when asked, type it in
08:08 < dazo> newmember:  you can also use --auth-user-pass ... 
08:08 < dazo> ecrist:  a good feature to factoid would be to look up sections in the openvpn man page ..... !man --auth-user-pass ...
08:09 < dazo> newmember:  that argument takes a file name, where you have saved username and password .... but it won't help for certificates
08:10 < dazo> newmember:  for certificate ... --askpass is the argument, I believe
08:11 < ecrist> reiffert: graphviz is installed and working.
08:12 < ecrist> dazo: that sounds like a lot of work.
08:12 < ecrist> dazo: do you know python?
08:13 < dazo> ecrist:  yeah, but my available time is limited :-P
08:14 < ecrist> here are my two suggestions: write the plugin for supybot, and I'll install it for vpnHelper, or parse the man pages and send me the result, and I'll write a plugin for the upcoming OpenVPN bot
08:14 < ecrist> OpenVPN bot may replace, or augment vpnHelper, not sure at this point.
08:14 < dazo> ecrist:  I'd like to help out writing a parser ... no prob!  I just know I won't manage it the first 2 weeks 
08:15 < ecrist> no rush
08:15 < ecrist> if you can automate the parsing (i.e. pull from website, parse data), we can give it an auto-update feel by using cron to update the db as the web page is updated.
08:16 < ecrist> once I have that, I'll write the code for the bot
08:16 < dazo> ecrist:  even better ... and htmlised man page is easier to parse as well ... that's just to use libxml2 and XPath queries
08:17 < ecrist> if you did that, it would give me motivation to work on the other bot.
08:17 < ecrist> :)
08:17 < ecrist> dazo: did you see my post on ovpnforum about comp -> community relationship?
08:17 < dazo> No, I haven't been there for a few days
08:17  * dazo pokes
08:17 < newmember> Maybe to restate, I am trying to use "Shared key" and I would like to put the "Shared key" in the config.opvn file, I used <ca></ca> for a ca, what would go around a "Shared key"?
08:18 < ecrist> http://www.ovpnforum.com/viewtopic.php?f=1&t=2467
08:18 < vpnHelper> Title: OpenVPN Forum View topic - OpenVPN Technologies & OpenVPN Community Relationship (at www.ovpnforum.com)
08:18 < ecrist> I omitted contents of your email, as it was semi-private, but feel free to comment on the thread. ;)
08:18 < dazo> newmember:  --key can also contain a password string for a static password
08:19 < dazo> ecrist:  sure, thx!
08:22 < newmember> Hmmm, the client keeps asking for the ca
08:23 -!- steelnwool [n=jeff@204-232-209-119.static.cloud-ips.com] has joined ##openvpn
08:23 < steelnwool> on ubuntu, is the recommend way to increase the mtu, via /etc/defaults/openvpn ?
08:24 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 113 (No route to host)]
08:26 -!- tiav [n=tiav@mx.fr.smartjog.net] has joined ##openvpn
08:29 -!- LongInt [n=LongInt@41.219.248.160] has joined ##openvpn
08:29 -!- YaManicKill [n=ali@130.159.141.69] has left ##openvpn []
08:30 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:36 -!- slonbg [n=chatzill@216.17.90.91] has quit ["ChatZilla 0.9.86 [Firefox 3.6b5/2009120400]"]
08:38 < reiffert> steelnwool: go and ask ubuntu guys.
08:47 -!- LongInt [n=LongInt@41.219.248.160] has quit [" HydraIRC -> http://www.hydrairc.com <- The professional IRC Client :D"]
08:48 < le0> steelnwool, i have not had to alter MTU settings on an ubuntu based server....
08:48 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
08:50 < steelnwool> le0: i do. :) thanks tho.
08:50 < dazo> well, if you struggle with fragmentation issues ... playing with the MTU can improve the situation ... but it also depends on "which MTU" you're playing with as well ... is the t he MTU inside the tunnel, or the packets which openvpn corks up before encrypting them and sending them to the wire?
08:51 < steelnwool> my goal was just to see how to set them.. which i've now realized i can do with the config file, so i'm good. thanks.
08:51 < steelnwool> 1400 works much better for vmware vhspere client i find.
08:52 < ecrist> !mtu
08:52 < vpnHelper> ecrist: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
08:52 < steelnwool> aye.
08:59 < vpnHelper> New forum entry openvpnforum: Configuration :: Advice on troubleshooting possible network problem :: Author Simon B <http://www.ovpnforum.com/viewtopic.php?f=6&t=2476&p=2878#p2878>
09:00 < ecrist> we need new forum software
09:01 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
09:01 < ecrist> I think this month I'll scrounge up the dough to get a vbulletin license.
09:01 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Read error: 110 (Connection timed out)]
09:02 < steelnwool> phpbb not up to the task?
09:02 < steelnwool> or is that what yer using already?
09:02 < ecrist> it is, but take a look at that link.
09:02 < ecrist> that's what we're using now
09:02 < steelnwool> gotcha.
09:03 < ecrist> it has ugly links, phpbb3 insists on putting session id in the URL
09:03 < ecrist> phpbb isn't optimized for search engines, either
09:03 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
09:03 < reiffert> ecrist: thanks!
09:04 < steelnwool> evert seen phorum?
09:04 < ecrist> that link, on vbulletin, would be something like http://www.ovpnforum.com/server-administration/configuration/advice-on-troubleshooting-possible-network-problem
09:04 < steelnwool>  i could never quite get the allure of it.
09:04 < reiffert> ecrist: I'm currently creating a wiki account.
09:04 < reiffert> ecrist: it says: To help protect against automated account creation, please enter the words that appear below in the box (more info): 
09:05 < reiffert> ecrist: I cant see any "words"
09:05  * ecrist looks
09:05 < ecrist> crappy
09:05 < ecrist> must be a broken lib.  let me fix
09:07 < ecrist> I guess it's been pretty effective against spam accounts. :)
09:07 < reiffert> ecrist: 
09:07 < reiffert> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>Access Forbidden</title></head><body><h1>Access Forbidden</h1><p>Can't view captcha image a second time.</p></body></html>
09:07 < reiffert> doh. forget that.
09:09 < DarkAnt> heh
09:09 < reiffert> Now I have Interal Error, requesting a bogus image.
09:10 < ecrist> reiffert: I removed the captcha, create your account and I'll put it back in for now.
09:11 < reiffert> created, thanks
09:11 < reiffert> There is no user by the name "reiffert". Check your spelling, or create a new account. 
09:11 < reiffert> guess I need some email approval, let the greylisting timeout.
09:12 < reiffert>   Welcome, Reiffert! 
09:12 < reiffert> ah!
09:14 < reiffert> ecrist: http://www.secure-computing.net/wiki/index.php/Graph ...
09:14 < vpnHelper> Title: Graph - Secure Computing Wiki (at www.secure-computing.net)
09:15 < rob0> Damn spammers. A tiny group of nasty bastards, and they have in effect gotten away with mass murder (considering the time that each and every Internet user has lost to them.)
09:17 < Bushmills> no wonder if many mail server are configured with the equivalent of a sign, saying "stab here" 
09:17 < ecrist> reiffert: http://www.mediawiki.org/wiki/Extension:GraphViz
09:17 < vpnHelper> Title: Extension:GraphViz - MediaWiki (at www.mediawiki.org)
09:17 < ecrist> the examples at the bottom worked forme.
09:17 < ecrist> s/forme./for me./
09:17 < reiffert> ecrist: It _is_ the example from the bottom.
09:18 < ecrist> refresh your page
09:18 < ecrist> my example should show up, and it's working.
09:18 < reiffert> hrmn...
09:19 < ecrist> are you on the Graphviz page or GraphViz page?
09:19 < ecrist> two different, upper 'V' is correct.
09:19 -!- theDoc [n=hex@69.10.59.166] has joined ##openvpn
09:19 -!- steelnwool [n=jeff@204-232-209-119.static.cloud-ips.com] has left ##openvpn []
09:20 < theDoc> Morn' all.
09:21 < ecrist> reiffert: http://www.wikischool.de/wiki/WikiSchool:Graphviz
09:21 < vpnHelper> Title: WikiSchool:Graphviz – WikiSchool (at www.wikischool.de)
09:21 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has joined ##openvpn
09:21 < ecrist> those also seem to all work fine.
09:21 < reiffert> now it works, I just was following the example code too hard.
09:22 < reiffert> (copy paste)
09:31 < reiffert> http://www.secure-computing.net/wiki/index.php/Graph   will fill it up later, gtg
09:31 < vpnHelper> Title: Graph - Secure Computing Wiki (at www.secure-computing.net)
09:36 -!- hyper_ch [n=hyper_ch@91.121.147.34] has quit [Excess Flood]
09:37 -!- hyper_ch [n=hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
09:37 < buntfalke> berniv6: Greenie writes on his v6 page you host the patch in git - where?
09:37 < buntfalke> berniv6: please leave me a memo in case i'm offline
09:39 < ecrist> nice, reiffert 
09:44 < dazo> buntfalke:  which/what v6 patch?
09:46 < buntfalke> dazo: http://www.greenie.net/ipv6/openvpn.html
09:46 < vpnHelper> Title: Gert Döring - IPv6 Payload Patch for OpenVPN (at www.greenie.net)
09:46 < buntfalke> IPv6-within-tun
09:46 < buntfalke> in contrast to jjo's ipv6-to-server patch
09:47 < dazo> buntfalke:  yeah, that was what I was wondering about :)
09:48 < buntfalke> :-)
09:55 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has quit [Read error: 110 (Connection timed out)]
09:57 -!- hvnqke_work [n=per@90.184.203.29] has joined ##openvpn
09:58 < hvnqke_work> 10.0.30.2 (the vpn server) is accessible by the client, but others on the subnet (10.0.30.10 for example) is not. How come?
09:59 < dazo> hvnqke_work:  do you mean that other clients cannot access the server?  or that server cannot access clients?  Or that clients cannot access other clients?
10:00 < hvnqke_work> that I, from the client, can't access the other machine on the same network as the VPN-server.
10:01 < hvnqke_work> 10.0.30.2 and 10.0.30.10 are next to each other, but the client can only access 10.0.30.2
10:01 < Bushmills> that's right
10:02 < Bushmills> it comes because openvpn has no reason to talk to machines connected to another interface
10:02 < hvnqke_work> what good is vpn if I don't get a network?
10:03 < Bushmills> you need to give openvpn a reason
10:03 < hvnqke_work> and how would I do that?
10:03 < dazo> hvnqke_work:  it's not easy to understand what you try to achieve .... but it sounds like you haven't set up routing
10:03 < Bushmills> !route
10:03 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:03 -!- Kasx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 104 (Connection reset by peer)]
10:03 < Bushmills> also read about client-to-client
10:04 < hvnqke_work> dazo, I have a number of servers on the subnet 10.0.30.*. 10.0.30.2 is acting vpn-server. I want to be able to access each server from anywhere in the world through openvpn with ssh root@10.0.30.*.
10:05 < dazo> hvnqke_work:  good!  That's a pretty normal setup .... is 10.0.30.2 also a default gateway in your network?
10:05 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)]
10:06 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
10:06 < reiffert> do it by nat.
10:06 < hvnqke_work> dazo, they are virtual servers, so the gateway for the respective machines are the virtual interfaces. however, I have this line: up route add -net 10.9.0.0 netmask 255.255.255.0 gw 10.0.30.2 in my /etc/network/interfaces
10:07 < hvnqke_work> (openvpn is set to push to 10.9...)
10:07 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
10:07 -!- mode/##openvpn [+v Kas] by ChanServ
10:07 < dazo> hvnqke_work:  goodie .... then you also probably just need to    push "route 10.0.30.0 255.255.255.0"  in server config as well
10:08 < dazo> hvnqke_work:  another trap people fall in is also the firewall .... check that the openvpn don't have any rules which would block the VPN traffic to hit your network
10:09 < dazo> hvnqke_work:  but basically, !route gives a pretty good overview over how the routing works and can be setup ... you won't need all these features described here, but it's a good source to grab the functionality
10:10 < hvnqke_work> I've got the following lines in server.conf : http://pastebin.ca/1756139 -- I've set iptables on the "host" of the virtual machines to route all port 1194 traffic to 10.0.30.2
10:11 < dazo> hvnqke_work:  iptables must also allow "native" IP traffic to pass from the tun/tap device and to the network segments you allow VPN clients to reach
10:12 < dazo> hvnqke_work:  this is needed in the FORWARD chain
10:13 < dazo> hvnqke_work:  you'll usually find people testing out with   iptables -I FORWARD -i tun+ -j ACCEPT ; iptables -I FORWARD -o tun+ -j ACCEPT .... if you're using tun devices
10:14 < krzee> Kas, you here?
10:14 <+Kas> Yes sir, Whats up?
10:14 < hvnqke_work> dazo, http://pastebin.ca/1756148
10:14 < dazo> hvnqke_work:  for more debugging, you'll probably find tcpdump -n -i tun0 invaluable, running on the server ... then you see how the traffic flow
10:15 < dazo> hvnqke_work:  yeah, that'll disable the firewall for the tun+ devices
10:15 < hvnqke_work> hmm. It hits me - there's no tun-devices on the host-system, only the guest system holding the vpn-server
10:15 < krzee> Kas, some links for the web manual dont work
10:15 <+Kas> could you please point me to an example
10:15 < dazo> hvnqke_work:  also make sure sysctl net.ipv4.ip_forward is 1
10:15 < krzee> !firewall
10:15 < vpnHelper> krzee: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
10:16 < krzee> link #1
10:16 < krzee> then go to the bottom and try ANY of them
10:16 < krzee> the redirect loses the #location
10:16 < hvnqke_work> dazo, on which system?
10:16 < dazo> hvnqke_work:  on your openvpn server
10:17 < hvnqke_work> it's 1
10:17 < hvnqke_work> should the host-system have a tun device?
10:17 <+Kas> krzee, You are correct, I will talk with our web developer now.
10:17 < krzee> thanx
10:18 < dazo> hvnqke_work:  yes, it should .... either tun or tap ... depending on your config .... you might have renamed the device in the openvpn config?
10:19 -!- dunc [n=dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
10:19 < hvnqke_work> hvnqke_work, the openvpn-server has a tun device, but the host has not
10:19 < dazo> hvnqke_work:  ahh ... only the server needs it
10:20 < hvnqke_work> right. the iptables rules regarding tun, should the be duplicated in the vpn-server?
10:20 < hvnqke_work> *they be
10:20 < dazo> hvnqke_work:  those rules needs to be on the vpn-server yes
10:21 < dazo> hvnqke_work:  your vpn-server is in this case a router .... routing traffic between a virtual interface (tun+) and the "physical" local network
10:21 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
10:22 < dazo> hvnqke_work:  openvpn only reads and writes unencrypted data to/from the tun device .... and reads/write encrypted data on to the remote openvpn node
10:22 < hvnqke_work> right, thanks. I've opened for tun in the vpn-server too, still no dice though
10:23 < dazo> hvnqke_work:  please, can you share your complete config? ... without comments ..... grep -e "^#" <configfile>
10:23 < dazo> grep -v
10:23 < dazo> !configs
10:23 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
10:23 < dazo> !config
10:23 < vpnHelper> dazo: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
10:23 < dazo> grep -vE '^#|^;|^$' server.conf ... that's a nicer one :)
10:24 < hvnqke_work> dazo, http://pastebin.ca/1756158
10:24 < hvnqke_work> just for the record, clients can access the vpn-server through 10.0.30.2 easily
10:25 < dazo> hvnqke_work:  oki, shouldn't change anything ... have you tried to run tcpdump on the vpn-server? .... tcpdump -i tun0 -n
10:26 < dazo> and then try to ping one of the servers "behind" the VPN server?
10:26 < hvnqke_work> it spams a hell of a lot output
10:27 < dazo> okey?  Do you ssh to the vpn server via the VPN?
10:27 < dazo> can you grab me a few lines? .... normally, it should not spew out much on an idle link
10:28 < dazo> (2-3 lines is enough right now)
10:29 < hvnqke_work> http://pastebin.ca/1756164
10:30 < hvnqke_work> and it just goes on like that forever
10:30 < dazo> 10.9.0.6 ... that's a VPN client, I presume?
10:30 < dazo> 10.0.30.2 ... and that's the vpn-server behind the VPN, I believe
10:31 < dazo> you can do ... tcpdump -i tun0 -n port ! 22  .... that'll make it more quiet
10:31 < hvnqke_work> dazo, I logged out from ssh and went into it through xen instead
10:31 < hvnqke_work> now it's quiet
10:32 < hvnqke_work> when I ping 10.0.30.* it responds in tcpdump
10:32 < dazo> hvnqke_work:  do you get both icmp request and response?
10:33 < hvnqke_work> and yes, 10.9.0.6 appears to be me. 10.0.30.2 is the server. 
10:33 < hvnqke_work> there's a lot of requests, but II don't see any reply/response
10:33 < dazo> 11:33:45.315258 IP 192.168.99.40 > 192.168.99.1: ICMP echo request, id 27515, seq 1, length 64
10:33 < dazo> 11:33:45.315329 IP 192.168.99.1 > 192.168.99.40: ICMP echo reply, id 27515, seq 1, length 64
10:34 < dazo> hvnqke_work:  that's a typical ping sequence
10:34 < hvnqke_work> yeah, I see reply when I ping the server, and no reply when I ping the .10 machine
10:34 < dazo> hvnqke_work:  good ... which eth interface is the .10 machine available on?
10:35 < dazo> hvnqke_work:  on your vpn-server
10:35 < hvnqke_work> it's own interface is eth0, which is using vif17.0 as gateway, which gets traffic from the host system's eth2
10:35 < hvnqke_work> on the vpn-server? how that?
10:36 < dazo> hvnqke_work:  whohaa ... that I didn't catch .... when you ping the .10 machine on the vpn-server .... which interface will it use on the vpn-server to access that machine?
10:37 < hvnqke_work> oh, right, I think we've talked past each other. I'm tcpdumping on the vpn-server, while pinging from my client machine
10:37 < dazo> hvnqke_work:  yeah, and t that is right!
10:37 < hvnqke_work> right, then I'm lost. What do you mean?
10:37 < dazo> hvnqke_work:  okay ... can you give me the output of:  route -n   from vpn-server?
10:38 < hvnqke_work> http://pastebin.ca/1756179
10:39 < dazo> now, on the vpn-server .... try   tcpdump -i eth0 -n host 10.9.0.6  .... and then do the pinging like you did earlier
10:39 < dazo> against .10
10:40 < hvnqke_work> http://pastebin.ca/1756180
10:40 < dazo> hvnqke_work:  cool!  This means something very important!
10:40 < hvnqke_work> awesome!
10:41 < dazo> hvnqke_work:  the vpn-server does the correct routing ..... but!  the .10 machine does not route the traffic back via 10.30.0.2
10:41 < hvnqke_work> I see
10:41 < hvnqke_work> so safe to assume that it's one silly configuration somewhere that's wrong?
10:42 < dazo> hvnqke_work:  on the .10 box ... make sure you have a route which routes traffic to 10.9.0.0/24 via 10.30.0.2 ... I believe that's basically it
10:42 -!- Remowylliams [n=Mare@204.180.233.74] has joined ##openvpn
10:42 < Remowylliams> hello all. openvpn has gone commercial?
10:42 < dazo> hvnqke_work:  unless you need some extra firewall rules to allow traffic from the 10.9.0.0/24 network to be accepted
10:42 < dazo> Remowylliams:  no, not completely .... just parts of it .... the Access Server
10:43 < hvnqke_work> hmm. sounds like the right answer. I'm not completely sure how. Until last friday my experience with iptables was limited to that I'd heard of it before
10:44 -!- zykes- [i=zykes@zykes.themariachi.info] has quit [Read error: 110 (Connection timed out)]
10:44 < Remowylliams> Ah clearly you have to be aware of 'terminology' and look to the 'community' panel
10:45 < dazo> Remowylliams:  yeah .... people have commented that "a couple" of times before as well
10:45 < dazo> Kas:  openvpn2009 ^^^
10:45 < Remowylliams> I would think so. it's become very realplayer ish
10:45 <+Kas> Hello
10:46 < Remowylliams> even on the community download page there's this big sidebar that says '2 free licenses'
10:47 < hvnqke_work> dazo, how would you make that rule?
10:47 < dazo> Kas:  just pointing out another one commenting the same as you've heard some times recently .... confusion about where the F/OSS version of openvpn is
10:48 < dazo> hvnqke_work:  Can you do a complete iptables-dump on that .10 box for me? .... easier to see what you have and what you need then
10:48 <+Kas> Oh, gotcha, I plan on discussing this today with the team.
10:48 < dazo> Remowylliams:  yeah, that's the Access Server ..... which is commercial
10:48 < hvnqke_work> dazo, seems there are no iptables rules on the machine as of yet
10:49 < hvnqke_work> iptables-save v1.4.2: Unable to open /proc/net/ip_tables_names: No such file or directory
10:49 < dazo> hvnqke_work:  then you don't have much to worry about :)   Then you most probably miss a routing entry
10:49 < dazo> hvnqke_work:  that error usually means that you don't have iptables support enabled
10:50 -!- Diffen [n=diffen2@c-ef75e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit ["Leaving"]
10:50 -!- Diffen [n=diffen2@c-ef75e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
10:50 < hvnqke_work> dazo, I should have. I just haven't added any iptables entries to it
10:50 -!- Diffen [n=diffen2@c-ef75e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Client Quit]
10:50 < dazo> hvnqke_work:  if you get that error .... that's something really wrong then
10:50 -!- Diffen [n=diffen2@c-ef75e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
10:51 < dazo> hvnqke_work:  that really indicates that some iptables modules are missing ... really ...
10:51 < Remowylliams> so I'm guessing this will be sold to Cisco in a year or 2
10:52 < hvnqke_work> I tried adding a dummy rule: http://pastebin.ca/1756198
10:52 < Remowylliams> still thank you very much for the info.
10:52 < dazo> Remowylliams:  Cisco? ... nah .... Oracle, HP or Microsoft :-P
10:53 < Remowylliams> dazo: mysql was sold to Sun.. so maybe HP or Microsoft first then to Cisco. LOL
10:53 < dazo> Remowylliams:  no worries, the important piece for most openvpn users are free .... so whatever happens, it will always be a free version available
10:54 < hvnqke_work> dazo, I'll admit I don't know much about iptables, but after I added that dummy rule the error is gone
10:54 < dazo> hvnqke_work:  can you get more sensible results now with iptables-dump?
10:54 < hvnqke_work> yeah: http://pastebin.ca/1756198
10:55 < dazo> hvnqke_work:  yeah ... iptables was not loaded ... thus not blocking anything on that box
10:55 < dazo> hvnqke_work:  have a look at     route -n  on that box first
10:56 < hvnqke_work> dazo, http://pastebin.ca/1756209
10:56 < dazo> hvnqke_work:  try to add:  route add -net 10.9.0.0 255.255.255.0 gw 10.0.30.2
10:56 < dazo> hvnqke_work:  and then do the ping
10:57 < hvnqke_work> I get the "usage" message
10:58 < hvnqke_work> nevermind, got it working.
10:59 < hvnqke_work> or, that is, I get "SIOCADDRT: No such process" now
10:59 < dazo> hvnqke_work:  ahh ... sorry about the wrong syntax ... hmmmmm
10:59  * dazo thinks
10:59 < dazo> ahh
10:59 < dazo> ugh
11:00 < dazo> hvnqke_work:  this is on 10.30.0.10 ?
11:00 < hvnqke_work> yeah
11:00 < dazo> 10.0.30.10, I meant .... okay ... go to 10.0.30.9, as all packets are routed via that box
11:00 < dazo> and please share the route table here as well
11:01 < hvnqke_work> there is no 10.0.30.9 box. it's the virtual interface on the host system that the .10 machine is hooked up to
11:01 < dazo> hvnqke_work:  ahh ... cool ... nice
11:01 < dazo> hvnqke_work:  the you need to go to dom0 .... and have a look at the route table here
11:02 < hvnqke_work> going to dom0, stand by...
11:02 < hvnqke_work> http://pastebin.ca/1756227
11:03 < hvnqke_work> err
11:03 < hvnqke_work> that last one is eth2 too
11:04 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
11:04 < hvnqke_work> dazo, just highlighting here, pardon me if I'm too eager
11:04 < dazo> hvnqke_work:  now here .... you need to add the route ... 10.9.0.0 netmask 255.255.255.0 goes to 10.0.30.2 
11:06 -!- Remowylliams [n=Mare@204.180.233.74] has quit ["Leaving."]
11:06 < hvnqke_work> awesome, that did it
11:07 < hvnqke_work> thanks a lot man
11:07 < dazo> hvnqke_work:  sure no prob!
11:07 < hvnqke_work> to recap; what do I need to do to get, say, a new .12 machine on the vpn? anything at all
11:08 < hvnqke_work> ?
11:08 < dazo> hvnqke_work:  you need to make sure that the dom0 in your case routes the traffic to the 10.9.0.0/24 network via 10.0.30.2 ... that's the key point
11:09 < hvnqke_work> right. but I need to do this only once, right?
11:09 < dazo> hvnqke_work:  you're openvpn server is working .... you just had a routing issue .....
11:09 < dazo> hvnqke_work:  you should now have a consistent setup, so accessing other boxes should not change anything now
11:10 < dazo> hvnqke_work:  just make sure that this last route we added are enabled on reboots
11:10 < hvnqke_work> right, thanks again. I just got a whole lot more enlightened.
11:10 < hvnqke_work> dazo, how that? is there a standardized way or should I write a script?
11:11 < dazo> hvnqke_work:  without that last route .... vpn client -> vpn-server -> dom0 -> 10.0.30.10 -> dom0 -> internet (via default gateway) .......
11:11 < dazo> hvnqke_work:  but with that last route:  vpn client -> vpn-server -> dom0 -> 10.0.30.10 -> dom0 -> vpn-server -> vpn client
11:12 < dazo> hvnqke_work:  what kind of Linux distro are you running?
11:12 < hvnqke_work> Debian
11:13 < dazo> hvnqke_work:  Not sure how Debian does that .... but I'd ask some virtualisation guys in some debian channels
11:13 < dazo> hvnqke_work:  but I'm sure debian has a standard way how to add such static routes
11:13 < hvnqke_work> righto. I was just thinking about putting all the iptables and route stuff into a script and have it be run at boot
11:14 < dazo> hvnqke_work:  yeah, there is definitely standard ways how to do that .... and I recommend you to follow these paths, it helps others to pick up after you in the future as well
11:15 < hvnqke_work> right. it's just because there isn't really a standardized way of doing the iptables thing. most people do a iptables-save > /etc/somethingorother and then have it loaded at boot somehow
11:20 -!- tiav [n=tiav@mx.fr.smartjog.net] has quit [Remote closed the connection]
11:20 < Bushmills> hvnqke_work: there's a debian package which adds run level links and start/kill script for iptables into /etc/init.d 
11:21 < Bushmills> (not that one can't do that by hand, of course, of use up and down script
11:21 < hvnqke_work> nice
11:21 < Bushmills> )
11:22 < Bushmills> or use ...
11:27 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:28 < hvnqke_work> anyway, thanks for the help. It's great with some earnest advice that doesn't treat me like a moron ;)
11:29 < Bushmills>  /etc/network/interfaces is the place to add up or down scripts per interface
11:31 <+Kas> Krzee: We fixed the linking issue on that Manual (http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html)
11:31 < vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net)
11:31 < berniv6> buntfalke: git://git.birkenwald.de/openvpn.git
11:31 <+Kas> Thanks for letting me know about that :-)
11:32 < buntfalke> berniv6: thanks
11:33 < buntfalke> berniv6: you might want to tell greenie he forgot to link this; my next mail is not yet in sight, i barely had time to grab the latest patchset
11:33 < berniv6> buntfalke: branch gert-ipv6 comes from git://git.birkenwald.de/openvpn-gert.git (directly maintained by Gert Doering)
11:33 < krzee> and betaman?
11:33 < berniv6> I'll do an official announcement in -devel and -users in the next few days anyway
11:35 < krzee> !man
11:35 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
11:35 < reiffert> krzee: come on, after 3 years of 2.0 you cant expect people to accept 2.1 that soon.
11:35 < krzee> lol
11:36 < krzee> kas, http://openvpn.net/man-beta#lbBD
11:37 <+Kas> Oh, didn;t see that link earlier, will have him fix that now!
11:37 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
11:38 < krzee> i didnt mention it, thought it was obvious ;]
11:38 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Client Quit]
11:38 <+Kas> :/
11:42 -!- hvnqke_work [n=per@90.184.203.29] has quit ["Leaving"]
11:48 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)]
11:49 < DarkAnt> !ipp
11:49 < vpnHelper> DarkAnt: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
11:50 < DarkAnt> !iporder
11:50 < vpnHelper> DarkAnt: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
11:50 < DarkAnt> !static
11:50 < vpnHelper> DarkAnt: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
11:50 < DarkAnt> !ccd
11:50 < vpnHelper> DarkAnt: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
11:50 < krzee> kas, thank you
11:51 -!- jmm [n=jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Read error: 60 (Operation timed out)]
11:53 -!- Dougy [n=me@vpn.douglashaber.com] has joined ##openvpn
11:53 < Dougy> ecrist: for future moderators
11:53 < Dougy> you me and krzee can discuss
11:54 -!- jmm [n=jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
11:54 < dazo> !route
11:54 < vpnHelper> dazo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:54 < Dougy> hey dazo
11:54 < dazo> Dougy:  hi!
11:59 -!- Auz [n=Auz@ext00.education.com] has joined ##openvpn
12:00 < Auz> g'day
12:00 -!- dunc [n=dunc@fenchurch.ipv6.braddon.org.uk] has quit [Client Quit]
12:02 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
12:16 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
12:29 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:44 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
12:45 -!- LobbyZ [n=default@main.lobbyzffs.com] has quit [Read error: 110 (Connection timed out)]
12:47 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:48 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Client Quit]
12:49 -!- Dougy [n=me@vpn.douglashaber.com] has quit [Read error: 110 (Connection timed out)]
12:52 -!- anamorph [i=nicolas@paris.office.anamor.ph] has joined ##openvpn
12:52 < anamorph> hello
12:52 < anamorph> i seem to have an issue with openvpn
12:53 < anamorph> i have alot of WRWRWRRWWWWRWRWRWWRWRWRWRWRWRWRWRWRW in my server logs
12:54 < anamorph> anybody know where this could come from ?
12:55 < dazo> anamorph:  decrease your verb log level
12:56 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:56  * dazo gueses verb 4 is being used
12:56 < anamorph> dazo: to like 4
12:56 < anamorph> yeah, ok
12:56 < dazo> anamorph:  in production, go no higher than 3, even that's quite verbose
12:57 < krzee> hell on some boxes i dont use any
12:57 < krzee> unless of course theres something to debug
12:58 < anamorph> well to be honest
12:58 < anamorph> i have some speed issues
12:59 < anamorph> and i increased log level to debug some
12:59 < anamorph> basically, 3 clients on the vpn is apparently too much tohandle
13:00 < anamorph> on two different source lan
13:00 < anamorph> (server is on a dedicated box, running on unmetered 100mbps)
13:01 < reiffert> you can use slurm or iptraf for metering
13:02 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
13:02 < anamorph> reiffert: i don't really see how three clients on dsl lines can pump 100mbps over a vpn
13:03 < reiffert> anamorph: maybe a metering program can help you with this.
13:04 < reiffert> getting some numbers >> "speed issues"
13:04 < anamorph> i tweaked a little the keepalive directive though
13:04 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:05 < anamorph> the server is windows .. i think that doesn't help too
13:05 < anamorph> ^^
13:05 < reiffert> keep guessing issues then.
13:06 < anamorph> slurm/iptraf is for unixes; let me find something for win32
13:08 < anamorph> this looks good: http://lastbit.com/trafmeter/
13:08 < vpnHelper> Title: TrafMeter: IP network traffic meter and traffic monitor; network bandwidth viewer and packet filtering firewall for Windows (at lastbit.com)
13:08 < hyper_ch> good evening
13:08 -!- aar [n=yxc@85.249.223.22] has joined ##openvpn
13:12 < aar> how can i set a defaut route without redirect-gateway command? 
13:13 < hyper_ch> aar: create a ccd and push the route from there
13:15 < reiffert> aar: by reading the text that stands right next to "--redirect-gateway" here: http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html
13:15 < vpnHelper> Title: OpenVPN 2.1 (at openvpn.net)
13:24 < aar> hyper_ch: how ccd stand for? reiffert: without redirect-gateway any idea? theres only the flag options
13:24 < hyper_ch> custom client directory
13:25 < hyper_ch> you can setup different behaviour for different clients in there.. like assigning static ips and custom routes
13:25 < hyper_ch> (and probably a whole lot more things=
13:30 -!- aar [n=yxc@85.249.223.22] has quit [Remote closed the connection]
13:31 -!- dazo is now known as dazo_afk
14:04 -!- corretico__ [n=laguilar@201.201.46.106] has joined ##openvpn
14:06 -!- aar [n=yxc@85.249.223.22] has joined ##openvpn
14:09 < aar> ROUTE: default_gateway=UNDEF with push command default route does not set
14:10 -!- Gnewt [n=hackerle@li57-94.members.linode.com] has quit [Remote closed the connection]
14:13 < krzie> !ccd
14:13 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
14:15 -!- crazygir [n=jason@unaffiliated/crazygir] has quit [Read error: 104 (Connection reset by peer)]
14:15 -!- Gnewt [n=hackerle@li57-94.members.linode.com] has joined ##openvpn
14:17 -!- crazygir [n=jason@li14-82.members.linode.com] has joined ##openvpn
14:19 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)]
14:19 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
14:23 -!- corretico__ [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)]
14:25 < aar> anyone an idea what dows it mean?
14:25 < krzie> aar:
14:26 < krzie> !configs
14:26 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:30 < aar> ok so i will post this on another time
14:30 -!- eightfold [n=eightfol@c213-89-114-50.bredband.comhem.se] has quit ["I quit."]
14:31 -!- APTX| [n=APTX@chello089076052083.chello.pl] has joined ##openvpn
14:32 -!- aar [n=yxc@85.249.223.22] has left ##openvpn ["Konversation terminated!"]
14:37 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit ["Leaving."]
14:38 -!- APTX [n=APTX@phpBB/developer/APTX] has quit [Read error: 110 (Connection timed out)]
14:39 -!- APTX| [n=APTX@chello089076052083.chello.pl] has quit [Client Quit]
14:39 -!- APTX [n=APTX@chello089076052083.chello.pl] has joined ##openvpn
14:50 -!- LobbyZ [n=default@main.lobbyzffs.com] has joined ##openvpn
15:09 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
15:28 -!- fnbrier [n=fbrier@adsl-190-180-224.asm.bellsouth.net] has left ##openvpn ["Leaving"]
15:37 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has joined ##openvpn
15:43 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
15:50 -!- Dougy [n=me@vpn.douglashaber.com] has joined ##openvpn
16:06 < reiffert> krzie: 
16:06 < reiffert> Dougy: 
16:06 < reiffert> dazo_afk: 
16:06 < reiffert> ecrist: 
16:06 < reiffert> Bushmills: 
16:06 < reiffert> http://www.secure-computing.net/wiki/index.php/Graph
16:06 < vpnHelper> Title: Graph - Secure Computing Wiki (at www.secure-computing.net)
16:07 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:07 < krzie> nice
16:07 < reiffert> Feel free to improve, add it to !route once it is looking nice and is mentioning the static route on the gateway.
16:07 < reiffert> krzie: check out the wiki source!
16:07 < reiffert> you can have URL's behind everything etc.
16:07 < reiffert> http://www.graphviz.org/doc/info/attrs.html#d:labeljust
16:07 < krzie> that looks great, only thing that could be added is a note of what src and dst is
16:07 < vpnHelper> Title: Node, Edge and Graph Attributes (at www.graphviz.org)
16:08 < krzie> but that was a great idea for an image
16:08 < reiffert> krzie: feel free to add that: label="foo\nsrc: 343434\ndst:34234"
16:08 < krzie> it will be added to !route
16:09 < reiffert> it's not an image, it's a graph made with the help of graphviz, like I said, check that wiki source.
16:09 < reiffert> it's editable.
16:09 < krzie> its an image if i capture it ;]
16:10 < krzie> where would i put that label?
16:10 < reiffert> http://pastebin.ca/1756647
16:10 < krzie> ya i see the src in the wiki, coolstuff
16:10 < krzie> i had never heard of graphviz
16:11 < reiffert> there are lots of examples in the docs
16:14 < krzie> there
16:14 < krzie> http://www.secure-computing.net/wiki/index.php/Graph
16:14 < vpnHelper> Title: Graph - Secure Computing Wiki (at www.secure-computing.net)
16:15 < krzie> a lil note at the bottom now
16:17 < reiffert> I'm not sure if we should mention the icmp redirection paket and the following shortcut.
16:17 < krzie> ild go with no, it wouldnt help any and would serve to confuse people
16:18 < krzie> this is only for as things relate to openvpn
16:18 < krzie> (right?)
16:18 < reiffert> I see it that way as well, too much confusion
16:19 < krzie> im setting up ovpn in a jail now, glad ive been hangin around here for so long
16:19 < krzie> !fbsdjail
16:19 < vpnHelper> krzie: "fbsdjail" is <thei0s> krzie: if you are interested in the solution: I needed to add to hosts rc.conf the creation of tun0 device, create a special devfs ruleset with tun0 unhiden, configure that it is used in the devfs mount point inside chroot in my jail and specify openvpn --dev tun0 parameter and it seems that this is it... so, thank you for assistance and ideas
16:19 < krzie> =]
16:23 < krzie> maybe ill make a lil writeup on it after i finish
16:24 < reiffert> krzie: http://www.google.de/search?hl=de&client=firefox-a&rls=org.mozilla%3Ade%3Aofficial&hs=9X0&q=+jail+openvpn&btnG=Suche&meta=&aq=f&oq=
16:24 < vpnHelper> Title: jail openvpn - Google-Suche (at www.google.de)
16:26 < krzie> nothing overly useful there, but everything i need is in !fbsdjail
16:28 < krzie> well there and the fbsd handbook of course
16:48 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: ScriptFanix
16:49 -!- Netsplit over, joins: ScriptFanix
16:52 -!- eightfold [n=eightfol@c213-89-114-50.bredband.comhem.se] has joined ##openvpn
16:54 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
16:54 < eightfold> my vpn connection works fine when the line "redirect-gateway" is in the opvn conf file.
16:54 < eightfold> but, that line also makes the vpn connection the default interface (system wide).
16:57 < eightfold> when i remove "redirect-gateway" default is not the vpn connection. i try to make applications run under the user account "vpn" to use the open tun0 tunnel with these firewall settings: http://paste.debian.net/57056/ , but "sudo -u vpn lynx http://www.google.com/" wont work.
16:57 < eightfold> ideas?
16:58 < Dougy> hm
16:58 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
16:58 < Dougy> nope
16:58 < eightfold> darn
16:58 < Dougy> its ok
16:59 < Dougy> i've been here a ton and talked even more
16:59 < krzie> !routebyapp
16:59 < Dougy> i never hel panyone
16:59 < vpnHelper> krzie: "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
16:59 < Dougy> i am useless
16:59 < krzie> you cant have a seperate routing table based on user
16:59 < Dougy> krzie: you know i was tyhinking about that
16:59 < Dougy> but i did not want to say something wrong
17:00 < eightfold> krzie: you're saying those iptables lines are no workie?
17:00 < krzie> your firewall rule ALLOWS traffic to leave from that account on that interface
17:00 < krzie> but the routing table doesnt have the packets attempting to do it
17:01 < krzie> you can route based on subnet using ovpn, or based on application using my !routebyapp solution (i use it)
17:01 < eightfold> krzie: hmm, you're right about that
17:02 < eightfold> krzie: proxifier seems to be available for linux, but i guess there's some equivalent.
17:02 -!- corretico_ [n=laguilar@216.194.173.25] has joined ##openvpn
17:02 < eightfold> seems _not_
17:03 -!- corretico__ [n=laguilar@201.201.46.106] has joined ##openvpn
17:03 < krzie> socksify or something
17:04 < krzie> also a xen virtual machine would have its own routing table
17:04 < krzie> or a vmware machine
17:04 < krzie> (any vm or vps software really)
17:05 < krzie> !google socksify linux
17:05 < vpnHelper> krzie: TranSocks - Transparent SOCKSifying Proxy: <http://transocks.sourceforge.net/>; The Answer Guy 48: Linux Workstations Behind a Proxy/Firewall: <http://linuxgazette.net/issue48/tag/27.html>; [sldev] Socksifying linux client via LD_PRELOAD: <https://lists.secondlife.com/pipermail/sldev/2007-February/000445.html>
17:06 < eightfold> hmmm, was running a virtual machine on windows that went through vpn. but didn't want to have a virtual machine running all the time. so, no i have a debian server.
17:06 < eightfold> i want rtorrent to only connect via vpn.
17:07 < krzie> so just socksify rtorrent
17:08 < krzie> http://www.cis.upenn.edu/~maoy/faqs/socks.html
17:08 < vpnHelper> Title: Socksify applications (at www.cis.upenn.edu)
17:09 < krzie> for some reason that was #2 on my search and not on my bots
17:09 < krzie> i know you use debian so not rpm, but im sure you can figure that part out ;]
17:10 < eightfold> krzie: so, the idea is to start this transocks daemon, set rtorrent to use localhost and the transocks port as proxy?
17:10 < krzie> thats kinda funny, my !routebyapp solution was exact opposite, the only things i DONT want over my vpn is torrents
17:10 < krzie> nah i meant this link: http://www.cis.upenn.edu/~maoy/faqs/socks.html
17:10 < vpnHelper> Title: Socksify applications (at www.cis.upenn.edu)
17:10 < krzie> then you just runsocks rtorrent
17:12 < eightfold> krzie: sorry for stupidness, but how does runsocks know that it should be using tun0?
17:15 < reiffert> allright, who got some ipv6 test host for me, for trying that ipv6 patch from -devel?
17:17 < Dougy> i have a /64 of ipv6 but it's not configured at switch yet
17:17 < Dougy> ;]\
17:17 < Dougy> ;\
17:18 < eightfold> krzie: build date sep 25 year 2000. http://rpmfind.net//linux/RPM/falsehope/home/gomez/socks5/runsocks-1.0r11-3.i386.html  . wonder how much luck i will have with that :)
17:18 < vpnHelper> Title: runsocks-1.0r11-3.i386 RPM (at rpmfind.net)
17:19 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)]
17:20 < krzie> it prolly hasnt needed any mods
17:21 < krzie> but arent rpms for redhat derivitives only?
17:21 < krzie> didnt think debian used them
17:22 -!- corretico_ [n=laguilar@216.194.173.25] has quit [Read error: 113 (No route to host)]
17:22 < krzie> see if its in apt_cache
17:23 < krzie> or whatever the debian way for checking is, i dont use linux often
17:26 -!- corretico__ [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)]
17:26 < reiffert> cron2: I would like to see a ./configure'able flag like --enable-ipv6 or similar.
17:30 < eightfold> krzie: i found "tsocks". should do the same thing
17:30 < krzie> cool
17:31 < krzie> regardless, you got the idea
17:31 < reiffert> cron2: compiler error in mroute.c
17:31 < reiffert> mroute.c:115: error: 'const struct in6_addr' has no member named '__in6_u'
17:31 < krzie> reiffert what'd cron2 make?
17:31 < reiffert> he wrote that patch.
17:32 < krzie> for ovpn to run over an ipv6 connection?
17:32 < reiffert> no, vice versa.
17:33 < krzie> oh the patch that was implimented time ago?
17:33 < reiffert> That one already exists.
17:33 < krzie> tun-ipv6 or whatever it is
17:33 < reiffert> http://www.greenie.net/ipv6/openvpn.html
17:33 < vpnHelper> Title: Gert Döring - IPv6 Payload Patch for OpenVPN (at www.greenie.net)
17:33 < eightfold> krzie: i do "sudo -u vpn tsocks rtorrent" now. but somehow i need to get the socksifying "tsocks" app to use tun0 the vpn tunnel, right?
17:34 < krzie> if the socks is running inside ovpn, you reach it via vpn ip, it goes through tun0
17:34 < krzie> by inside ovpn i mean only needs to listen on vpn ip
17:35 < krzie> --tun-ipv6
17:35 < krzie>     Build a tun link capable of forwarding IPv6 traffic. Should be used in conjunction with --dev tun or --dev tunX. A warning will be displayed if no specific IPv6 TUN support for your OS has been compiled into OpenVPN. 
17:35 < krzie> hows that different reiffert, or did he write that?
17:35 < reiffert> cron2: my fault, I was choosing the wrong patch (31.12) instead of (14.01)
17:35 < krzie> (its in 2.0)
17:37 < reiffert> cron2: oh, send greetings to thomas glanzmann ;)
17:38 < eightfold> krzie: should i set socks to be running "inside openvpn" by specifying something in the client.ovpn config file?
17:38 < reiffert> krzie: have a look on "The Features"
17:47 < eightfold> !sockd
17:47 < vpnHelper> eightfold: "sockd" is if you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP! otherwise you will be an open proxy. that config has no security because its expected to run inside openvpn
17:51 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has quit [Read error: 60 (Operation timed out)]
17:51 -!- eightfold [n=eightfol@c213-89-114-50.bredband.comhem.se] has left ##openvpn ["irssi"]
17:54 -!- eightfold [n=eightfol@c213-89-114-50.bredband.comhem.se] has joined ##openvpn
18:02 < Auz> anyone familiar with tunnelblick?
18:04 < krzie> personally i havnt used it, but i believe its a osx gui that you just give a normal ovpn config and you can start/stop the vpn from that gui
18:05 < Auz> right, and it works fine, but the down script ends up running with different privileges as the up script... there is a work around, but its not documented, trying to figure it out
18:06 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
18:06 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:12 < reiffert> Auz: how did you prove that?
18:12 < Auz> heh, well my down script could not really do anything.... let me find the posts on it
18:13 < reiffert> paste what comes out here:
18:13 < reiffert> ls -al /Applications/Tunnelblick.app/Contents/Resources/*.sh ; ps auxwwww | grep -i [t]unne
18:15 < Auz> moment, got to fire up a mac
18:15 < krzie> actually thats to be expected if you drop permissions with --user / --group
18:15 < krzie> --up has root, --down does not
18:16 < Auz> they added a plugin, openvpn-down-root.so
18:16 < krzie> hrm, never hearda that
18:16 < reiffert> "they"?
18:17 < Auz> the tunnelblick devs
18:17 < reiffert> Auz: plural? Since when is that?
18:17 < reiffert> it's angelolaub who's accepting 5% of all bugs.
18:18 < reiffert> bugreports
18:18 < Auz> I was guessing more than one, but I havent looked
18:18 < reiffert> but who didnt manage to fix that crappy up script when you get other than one nameserver for years.
18:19 < reiffert> But now he gets a openvpn-down-root.so
18:19 < reiffert> sigh.
18:19 < Auz> http://groups.google.com/group/tunnelblick-discuss/browse_thread/thread/63b272f1e6253abe
18:19 < vpnHelper> Title: Tunnelblick 3.0b20 doesnt call client.down.osx.sh on OSX 10.6.1 - tunnelblick-discuss | Google Groups (at groups.google.com)
18:19 < reiffert> krzie: using shell directly or that payware gui?
18:20 < krzie> shell directly, open it via stacks shortcut
18:20 < krzie> i never understood why people want a gui for openvpn in osx
18:20 < krzie> shell scripts become clickable in osx when you save with .command
18:20 < krzie> toss it in stacks and you're done
18:21 < krzie> i toss a shortcut to it in stacks cause you cant change icons on .command in stacks but you can on shortcuts
18:21 < Dougy> meh.
18:21 < Dougy> bored out of my mind.
18:21 < Dougy> maybe i should do something cool like read a manua
18:21 < Dougy> l
18:25 < reiffert> krzie: will I get 'names' in the stacks as well?
18:25 < krzie> sure
18:25 < krzie> filenames
18:25 < reiffert> How to create a stack?
18:25 < krzie> they are standard on osx 10.5 and 10.6
18:25 < krzie> on the bottom right
18:25 < reiffert> removed mine
18:25 < krzie> ahh
18:25 < krzie> drag a dir to there
18:26 < reiffert> uhhhh, scary
18:26 < krzie> scary?
18:27 < reiffert> impressive.
18:27 -!- APTX [n=APTX@phpBB/developer/APTX] has quit [Read error: 60 (Operation timed out)]
18:27 < krzie> oh ;]
18:28 < reiffert> can I have stacks at the upper menu bar, e.g. where you get the WirelessLAN Icon, Time/Date and such?
18:28 -!- APTX [n=APTX@chello089076052083.chello.pl] has joined ##openvpn
18:28 < krzie> not without some hackery
18:28 < krzie> i mean, its not an option
18:29 < krzie> but by digging in and hacking some stuffs ild assume its POSSIBLE
18:29 < Auz> that openvpn-down-root.so works
18:30 < reiffert> Auz: anything special that your downscript has to do for you?
18:30 < Auz> not too much, the up script mounts a samba share, the down removes it
18:31 < krzie> you could always work around with a +s script
18:31 < reiffert> it will work with the help of sudo as well.
18:31 < krzie> owned by group of nvpn process
18:32 < vpnHelper> New forum entry openvpnforum: Configuration :: TUN connection up between Centos and ASUS 520gu (Tomato VPN) :: Author bobapoka <http://www.ovpnforum.com/viewtopic.php?f=6&t=2480&p=2882#p2882>
18:32 < reiffert> sudo is a bit more restrictive on who runs what.
18:32 < krzie> oh thats true, i always forget you can remove PW restriction with sudo
18:33 < krzie> reif's way is definitely better than what i said
18:35 < krzie> eightfold 
18:35 < krzie> eightfold if you look at that socks config, it only listens on the internal vpn ip
18:36 < krzie> therefor it cant be reached unless you are already in the vpn
18:36 < krzie> reif,
18:36 < krzie> The connection has timed out
18:36 < krzie>       
18:36 < krzie>       
18:36 < krzie>       
18:36 < krzie>       
18:36 < krzie>       
18:36 < krzie>         
18:36 < krzie>         
18:36 < krzie>           
18:36 < krzie> The server at www.greenie.net is taking too long to respond.
18:36 < krzie> bleh sorry bout that
18:36 < Auz> heh
18:37 -!- mode/##openvpn [+o krzie] by ChanServ
18:37 -!- krzie was kicked from ##openvpn by krzie [flooder!]
18:37 -!- krzie [n=krzee@unaffiliated/krzee] has joined ##openvpn
18:37 < reiffert> let's run some ascii art
18:37 < krzie> ;]
18:37 < reiffert> http://www.asciipr0n.com/pr0n/
18:37 < vpnHelper> Title: ascii pr0n archive (at www.asciipr0n.com)
18:37 < DarkAnt> hey, how do you guys handle tld hijacks (by comcast and the like)?
18:38 < reiffert> /exec -o echo "ASCII" | figlet
18:38 < Auz> dont use their name servers?
18:38 < krzie> DarkAnt i run my own NS's
18:39 < reiffert> My Lan Gateway sends all nameservice request over a openvpn tunnel to my personal bind running outside.
18:39 < DarkAnt> yeah, that's what I was trying to avoid
18:39 < krzie> http://www.glassgiant.com/ascii/ascii.php?sample=mona
18:41 < reiffert> :)
18:42 < krzie> new hobby, take all my facebook pics, ascii them, capture the ascii as jpg, reupload
18:42 < DarkAnt> haha
18:43 < DarkAnt> you've seen ascii star wars right?
18:48 < krzie> yup
18:50 < reiffert> telnet towel.blinkenlights.nl
18:58 -!- Heyraj [n=heyraj20@173.70.169.104] has joined ##openvpn
18:59 < Heyraj> Hi
18:59 < Heyraj> Does anyone know whom I should contact for windows GUI client customization
19:01 < Auz> what customization did you have in mind?
19:04 < Heyraj> Now the GUI client is not user friendly. The end user has to configure where he needs to be admin sought to do those functions
19:04 < Heyraj> I was mainly looking for something simple for a end user to use
19:07 < Auz> I usually recompile the openvpn-gui to have the config + certs, make a custom installer for them
19:09 < Heyraj> can u please explain more
19:09 -!- Optic [n=Optic@miso.capybara.org] has joined ##openvpn
19:10 < Auz> openvpn gui provides the NSIS installer source
19:11 < Heyraj> where can i find more info on this regards
19:11 < Auz> http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package.html
19:11 < vpnHelper> Title: HowTo Roll Your Own OpenVPN Windows Installation Package (at openvpn.se)
19:12 < Heyraj> thanks
19:12 < Heyraj> let me take a look
19:17 < mintaka> how can i supply the username and password in the conf file
19:17 < mintaka> i cant re enter both every hour, really. 
19:17 < mintaka> need an easier way to do it!
19:18 < mintaka> wait!
19:18 < mintaka> found out how to do it from the manual
19:20 < mintaka> nice. it worked. ;)
19:22 < Dougy> gah
19:22 < Dougy> everyne in here winks
19:22 < Dougy> krzee creeps me out with that
19:22 < DarkAnt> ;)
19:23 < krzie> ;]
19:23 < Dougy> asdffg;kjkdfgkahfjj
19:24 -!- Heyraj [n=heyraj20@173.70.169.104] has quit []
20:06 -!- Run32dll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
20:10 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Read error: 113 (No route to host)]
20:12 -!- Run32dll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
20:12 -!- Run32dll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
20:23 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)]
20:34 -!- NickWebHA [n=nick@pool-74-108-117-104.nycmny.fios.verizon.net] has joined ##openvpn
20:34 < NickWebHA> !welcome
20:34 < vpnHelper> NickWebHA: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:35 < NickWebHA> !route
20:35 < vpnHelper> NickWebHA: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:38 < NickWebHA> The more I read the more I am becoming very confused on a very important point. Pages (like http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing) say the tun interface is routed while the sample configs say the tap interface is routed.
20:38 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
20:38 < NickWebHA> Which is it?
20:39 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
20:43 < Bushmills> tun is for routed configs, tap for bridged
20:48 < Dougy> !tunortap
20:48 < vpnHelper> Dougy: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
20:48 < vpnHelper> Dougy: against you over the vpn
20:54 < NickWebHA> Aaahhh that is where I was confusing myself.
20:54 < NickWebHA> Thanks.
20:54 < Dougy> You got it
20:55 < NickWebHA> Is !route what I should be reading if the clients can see the server but not the LAN the server is on?
20:55 < Dougy> hm
20:55 < Dougy> I'm tired from studying 8 hours
20:55 < NickWebHA> This does not seem to be answering any of my questions so I think I may be reading the wrong thing.
20:55 < Dougy> but that sounds right
20:55 < Dougy> !route
20:55 < vpnHelper> Dougy: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:55 < Dougy> ^
20:55 < NickWebHA> That is what I am reading. Thanks.
20:55 -!- mode/##openvpn [+o ecrist] by ChanServ
20:55 -!- mode/##openvpn [+v ecrist] by ecrist
20:55 < Dougy> uh oh
20:55 < NickWebHA> I hear you. I woke up at 6:00AM after my girlfriend tossed and turned all night.
20:55 < Dougy> im getting banned
20:55 -!- mode/##openvpn [-o ecrist] by ecrist
20:55 -!- Diffen [n=diffen2@c-ef75e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit ["This computer has gone to sleep"]
20:56 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has quit ["This computer has gone to sleep"]
20:56 -!- mode/##openvpn [+o ecrist] by ChanServ
20:56 -!- mode/##openvpn [-o ecrist] by ecrist
20:56 < NickWebHA> Sure is taking a while...
20:56 < rob0> tap is virtual Ethernet, tun is IP only. tun=routed, tap=bridged
20:56 < Dougy> !factoids
20:56 < vpnHelper> Dougy: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
20:56 < Dougy> NickWebHA: skim that over
20:56 < Dougy> might be useful
20:57 -!- mode/##openvpn [+o ecrist] by ChanServ
20:57 < NickWebHA> Just for my own sanity, bridged allows me to use IPX, right?
20:57 -!- mode/##openvpn [-v ecrist] by ecrist
20:57 -!- mode/##openvpn [-o ecrist] by ecrist
20:57 < NickWebHA> Alright.
20:57 -!- Irssi: ##openvpn: Total of 84 nicks [1 ops, 0 halfops, 1 voices, 82 normal]
20:57 < rob0> IPX is doable on a bridge yes.
20:58 < rob0> not sure if there is any way to do IPX-over-IP
20:59 < NickWebHA> I just got my first client to see the server after a week. I am considering tonight a win even if my mother called with the sole purposing of telling me she hates me!
21:01 < Dougy> LOL
21:02 -!- Diffen [n=diffen2@c-ef75e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
21:04 < rob0> ouch
21:05 < rob0> Are you my brother or something? :)
21:16 -!- APTX [n=APTX@phpBB/developer/APTX] has quit [Read error: 60 (Operation timed out)]
21:19 -!- APTX [n=APTX@chello089076052083.chello.pl] has joined ##openvpn
21:20 < NickWebHA> This article only addresses using a tun interface while I am using a tap interface.
21:21 < mintaka> Tue Jan 19 05:15:10 2010 us=490637 Cannot allocate TUN/TAP dev dynamically
21:21 < mintaka> Tue Jan 19 05:15:10 2010 us=490693 Exiting
21:21 < mintaka> why does that happen
21:21 < mintaka> it should be reconnecting !!!!!
21:21 < NickWebHA> I just confirmed the packets are getting through the WAN, through OpenVPN and onto my local LAN but not able to get back to the "pinger."
21:21 < NickWebHA> mintaka: Try sudo.
21:21 < NickWebHA> Or su... whatever gives you root.
21:21 < mintaka> well it is root
21:21 < mintaka> but i do downgrade to nobody
21:22 < NickWebHA> It downgrades after it connects. Not sure that it ever brings its privileges back up.
21:22 < NickWebHA> Try without the down.
21:22 < mintaka> well that will work but people constantly say its not advised to run it as root
21:23 < mintaka> :/
21:23 < NickWebHA> Sorry, this well is dry.
21:23 < rob0> What OS is it?
21:24 < mintaka> linux
21:24 < rob0> try "modprobe -v tun"
21:24 < rob0> and then start the vpn
21:25 < NickWebHA> OK, so Wireshark shows me a "Who has 10.8.0.4?  Tell 10.8.0.51" when an OpenVPN client tried to ping an internal LAN address. How do I configure OpenVPN to set a route back to the client?
21:25 < mintaka> done.
21:26 < rob0> you don't set routes, you're bridging
21:26 < rob0> you bridged into your LAN?
21:26 < NickWebHA> Yes. I have a push "route 10.0.0.0 255.255.255.128" in there (which is my local LAN).
21:27 < NickWebHA> The traffic is getting to me but not back out via OpenVPN. That article does not deal with bridged as far as I can gather.
21:29 < NickWebHA> I am so close! I can taste it!
21:29 < rob0> you should have set an address for the bridge in 10.0.0.0/24
21:30 < NickWebHA> I am just using the sample configs. Once I get it working I will change the OpenVPN network to be 10.0.0.128/25.
21:30 < rob0> oh /25
21:31 < NickWebHA> My local is 10.0.0.0/25 while (when I am done) OpenVPN will be 10.0.0.128/25.
21:31 < rob0> well, bridged means the network is shared like a single segment ... you seem intent on splitting it
21:31 < NickWebHA> Really now?
21:31 < NickWebHA> One moment.
21:36 < mintaka> what if i were to have the vpn shut down on disconnect
21:36 < mintaka> end the program. but then rerun it automatically
21:36 < mintaka> through bash
21:46 < mintaka> yeah that should work
21:52 < NickWebHA> Alright. The server now has a 10.0.0.20 IP and the clients are pulling an IP on the same network (10.0.0.0/25).
21:53 < NickWebHA> They still can only ping the server and not the LAN.
21:57 < rob0> server is Linux?
21:57 < NickWebHA> Both my server and client are Windows.
21:58 < NickWebHA> Yet another thing to do when I get this working in an environment I know the most about. :-P
21:59 < rob0> ah, well, good luck then
21:59 < NickWebHA> While on a computer on the local LAN running WireShark I do see a "who has 10.0.0.100? tell 10.0.0.1" but 10.0.0.1 is my router while the client who did the ping was 10.0.0.50.
21:59 < mintaka> fixed it
22:00 < NickWebHA> Why would the packet source be the router while OpenVPN is running on a Windows box?
22:00 < mintaka> while :; do openvpn; done
22:00 < mintaka> it downgrades and restarts successfully
22:11 < NickWebHA> Thanks for everyones help. I need sleep.
22:12 < NickWebHA> Be back later. My mother has yet to call (scroll up).
22:12 -!- NickWebHA [n=nick@pool-74-108-117-104.nycmny.fios.verizon.net] has quit ["Leaving."]
22:25 -!- Dougy [n=me@vpn.douglashaber.com] has quit []
22:35 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
22:58 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
23:04 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:15 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
23:29 < mintaka> will connect-retry 0 simply not attempt reconnection 
23:29 < mintaka> or will 0 run it through infinity ;)
--- Day changed Tue Jan 19 2010
00:03 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
00:47 -!- Run32dll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
01:50 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
01:51 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:15 < jmm> hi.
02:35 -!- aditsu [n=aditsu@n11211876136.netvigator.com] has joined ##openvpn
02:36 < aditsu> hi, where can I get an openvpn client for mac os?
02:40 < jmm> I think you can use openvpn + tunnelblick.
02:42 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
02:43 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has quit ["This computer has gone to sleep"]
02:56 -!- dazo_afk is now known as dazo
02:59 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
03:01 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Client Quit]
03:04 < aditsu> jmm: thanks
03:08 -!- master_o1_master [n=master_o@p57B56789.dip.t-dialin.net] has joined ##openvpn
03:12 < jmm> yw.
03:17 -!- aditsu [n=aditsu@n11211876136.netvigator.com] has quit ["Chatzilla 0.9.75.1 [SeaMonkey 1.1.18/2009100623]"]
03:17 -!- ruied [n=ruied@bl9-254-142.dsl.telepac.pt] has joined ##openvpn
03:19 -!- master_of_master [i=master_o@p57B562BF.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
03:24 -!- linucks is now known as linucks[afk]
03:26 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
03:26 -!- mode/##openvpn [+o mattock] by ChanServ
03:31 -!- dunc [n=dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
03:34 -!- Diffen2 [n=diffen2@226.234.241.83.in-addr.dgcsystems.net] has joined ##openvpn
04:17 -!- kyrix [n=ashley@mail.ic-vienna.at] has joined ##openvpn
04:20 -!- teddymills [n=teddy@208.92.235.227] has quit ["Ex-Chat"]
04:24 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
04:52 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
04:54 -!- ruied [n=ruied@bl9-254-142.dsl.telepac.pt] has quit [Read error: 110 (Connection timed out)]
04:59 -!- anamorph [i=nicolas@paris.office.anamor.ph] has left ##openvpn []
05:10 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
05:26 -!- Diffen2 [n=diffen2@226.234.241.83.in-addr.dgcsystems.net] has quit ["This computer has gone to sleep"]
05:38 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:50 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 60 (Operation timed out)]
06:26 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
06:33 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:41 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
06:48 -!- BoomSie [n=gideon@dw77242112238.amsterdam-tc.dataweb.net] has joined ##openvpn
07:08 < ecrist> good morning
07:08 < jmm> hi.
07:19 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
07:20 -!- dunc [n=dunc@fenchurch.ipv6.braddon.org.uk] has quit [Client Quit]
07:21 < dazo> g'afternoon
07:22 < havoc> morning
07:22 -!- Diffen2 [n=diffen2@226.234.241.83.in-addr.dgcsystems.net] has joined ##openvpn
07:33 -!- saftsack [n=oliver@p4FF0D1AD.dip.t-dialin.net] has joined ##openvpn
07:34 < saftsack> hi, how can i set the start time for a certificate in easy-rsa? i want to create a certificate which connects on a system without ntpdate and easy-rsa
07:34 < saftsack> sorry not without easy-rsa i mean rtc
07:34 < vpnHelper> New forum entry openvpnforum: Configuration :: OpenVpn configuration :: Author m_ab_malik <http://www.ovpnforum.com/viewtopic.php?f=6&t=2481&p=2883#p2883>
07:35 < ecrist> saftsack: it is always a good idea to have a correct date/time on a given system
07:36 < dazo> especially when SSL and certificates are involved
07:36 < saftsack> ecrist, yes but directly after booting on a remote device first priority is it to get it reachable.
07:36 < ecrist> but, if you must, read the man page for openssl
07:36 < ecrist> saftsack: first priority should be to mount the drives and set date/time
07:37 < ecrist> otherwise your logs will be skewed
07:37 < dazo> saftsack:  why not just call ntpdate first?
07:37 < saftsack> i found something which is called KEY_EXPIRE
07:37 < ecrist> saftsack: man openssl
07:38 < dazo> and man x509
07:41 < saftsack> that is the only option there: -days arg
07:41 < saftsack> startdate is just as displayoption listed
07:42 < ecrist> there you go
07:43 < dazo> saftsack:  you might also want to look at    man ca   as well, but I presume you'll need to hack the easy-rsa script a bit
07:43 < saftsack> that's no problem if openssl is offering me an option to modify the startdate. the last time i set the clock of the easy-rsa computer to 1970 but i dont think that this is a good solution
07:44 < saftsack>        -startdate date that seems to be nice ;)
07:44  * dazo still considers it safer and more safe to do a ntpdate against a public NTP server before doing anything else ... but that's merely his opinion
07:45 < dazo> and more *sane*
07:46  * dazo goes back to study the usage of boolean variables in openvpn
07:47 < |Mike|> plz do :p
07:47 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit ["Leaving."]
07:49 < rob0> "ntpd -q" is supposed to take the place of ntpdate, but yeah, I agree, if your hardware clock sucks as bad as most of them seem to, you should set it before you let ntpd handle adjustments.
07:50 < |Mike|> xen? 
07:52 < rob0> If you're running virtualization, the host computer should maintain time with ntpdate+ntpd, then the guests should be fine.
07:53 < dazo> not necessarily .... it sounds logic, but it might not be that the clock ticks are synchronised with the host OS
07:53 < dazo> the hwclock is read upon boot, and  then the kernel does the rest
08:00 < saftsack> rob0, this computer has no battery ... so no rtc ;)
08:01 < rob0> btdt :)
08:11  * |Mike| j'adores ==> /bin/echo 'xen.independent_wallclock = 1' >> '/etc/sysctl.conf'
08:19 < ecrist> o.O
08:19 < ecrist> what does that do, mike?
08:19 < ecrist> the sysctl, I mean
08:19 < |Mike|> it unset hwclock on xen domU's, so you can run ntp without a problem :)
08:19 < ecrist> nm, I can read a man page
08:20 < |Mike|> (as far as i remember, i created that puppet module months ago)
08:27 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
08:27 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
08:28 -!- kyrix [n=ashley@mail.ic-vienna.at] has quit ["Leaving"]
08:30 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
08:34 < vpnHelper> New forum entry openvpnforum: Installation Help :: OpenVPN on Windows XP - Cant install TAP-Win32 device driver :: Author leo2308 <http://www.ovpnforum.com/viewtopic.php?f=5&t=2483&p=2885#p2885>
08:37 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
08:38 < ecrist> anyone have a vbulleting 4.0 forum license they want to donate?
08:41 < ecrist> vbulletin, even
08:55 -!- Diffen2 [n=diffen2@226.234.241.83.in-addr.dgcsystems.net] has quit ["This computer has gone to sleep"]
08:58 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"]
09:20 -!- trox [i=c345d00c@gateway/web/freenode/x-qancqbszwcwdgynp] has joined ##openvpn
09:21 < trox> possible to create a vpn while both server and client are behind NAT ?
09:21 < endre> sure
09:21 < trox> as in both of them dont have a remote ip
09:21 < trox> endre , how ?
09:21 < endre> they need a portforward a dyndns hostname
09:22 < endre> they need a portforward and a dyndns hostname
09:23 < trox> endre : cant do port forwarding. the router thats causing the NAT is at the isp's side, and they refuse to do port forwarding for anyone.
09:23 < ecrist> then that user must be a client
09:23 < trox> endre : still possible ?
09:23 < endre> then you need some tricking
09:23 < endre> cheat isp's conntrack table
09:23 < endre> pretend both nodes as talking to each other
09:26 < trox> endre : what do you mean by the user must be a client ?
09:27 < endre> trox: however, both of our nickname starts with 'e', i'm definitely not ecrist.
09:29 < ecrist> endre is MUCH better looking
09:29 < ecrist> ;)
09:29 < trox> :S
09:29 < trox> sorry about that migraine attack taking place atm
09:30 < trox> its good that i can at least read whats being said :)
09:30 < ecrist> trox: are both of the systems you want a VPN for behind the same NAT issue?
09:31 < endre> i also have a migraine attack right now
09:31 < trox> same issue, not the same router thats causing the NAT.
09:31 < endre>  that's bad
09:31 < ecrist> trox: use a third-party, then.
09:31 < ecrist> get a VPS, or Hamachi
09:31 < endre> find/make a node on the net taht you can connect both nodes to
09:31 < endre> yup
09:31 < ecrist> run a server off-net
09:34 < trox> does openvpn have to be installed system wide ?
09:35 < trox> could it be installed on some shell ?
09:36 < endre> you need to be root to configure ip
09:36 < endre> as well as open up tunnel interfaces
09:37 < trox> i dont have root access to any vps atm :(
09:37 < trox> this is starting to look bad :P
09:51 -!- Diffen [n=diffen2@c-ef75e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit ["This computer has gone to sleep"]
10:00 -!- Diffen [n=diffen2@c-ef75e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
10:14 < |Mike|> krzie: awake?
10:14 < |Mike|> !ubuntu
10:14 < vpnHelper> |Mike|: "ubuntu" is dont use network manager!
10:14 < |Mike|> Who has a good alternative for Network Manager ?
10:15 < dazo> |Mike|:  gopenvpn is pretty good for OpenVPN
10:15 < |Mike|> gnome openvpn that is? :)
10:15 < dazo> |Mike|:  GTK?  GNU?  Garage?  Garbage?   who knows ....
10:16 < |Mike|> God ! :D
10:16 < rob0> Gargantuan
10:16 < rob0> Gangrenous
10:16  * dazo is using a self patched gopenvpn for Fedora 11
10:16 < rob0> gorilla
10:16 < dazo> Gottafindadarnlongwordwhichbeatsall
10:16 < |Mike|> Argh, there is no Ubuntu package... :(
10:18 < rob0> GoshIGottaCompileItOrGiveUp
10:19  * |Mike| utters something about packages and databases
10:22 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
10:33 < ecrist> sup, krzee?
10:35 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
10:38 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
10:39 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:41 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: stein0, dmarkey, _dren, Holister, tompaw, LowKey, Intensity, krphop, plundra, drue,  (+2 more, use /NETSPLIT to show all of them)
10:41 -!- stein0_ [n=stein@mail.vgnett.no] has joined ##openvpn
10:41 -!- plndra [i=404@article.se] has joined ##openvpn
10:41 -!- dmarkey_ [n=dmarkey@dmarkey.xen.prgmr.com] has joined ##openvpn
10:41 -!- drue [n=drue@64.251.23.23] has joined ##openvpn
10:41 -!- Netsplit over, joins: Holister
10:41 -!- krphop [n=krphop@38.108.177.113] has joined ##openvpn
10:41 -!- Netsplit over, joins: Cap_J_L_Picard
10:41 -!- tompaw [n=tompaw@91.121.184.63] has joined ##openvpn
10:42 -!- Netsplit over, joins: LowKey
10:51 < krzee> wassup!
10:52 -!- codeswing [n=codeswin@unaffiliated/codeswing] has joined ##openvpn
10:52 < codeswing> Hi guys
10:53 < codeswing> guys
10:53 < codeswing> stuck at http://pastie.org/private/5t5e4qfjjrovf97or5jgq
10:54 < codeswing> help
10:54 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
10:54 < codeswing> Kas: you there
10:54 <+Kas> Yes sir, whats up?
10:55 < codeswing> Kas: http://pastie.org/private/5t5e4qfjjrovf97or5jgq
10:55 < codeswing> not able to connect to vpn 
10:55 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
10:56 < krzee> increase verbosity to 5 and paste both logs (server / client)
10:56 < codeswing> krzee: I can't send server logs
10:56 < krzee> and why is that
10:57 < codeswing> krzee: I am at hoem
10:57 < codeswing> home
10:57 < krzee> i guess it'll have to wait til you can access both sides =/
10:58 < krzee> that log tells nothing
10:58 < codeswing> krzee: http://pastie.org/private/5t5e4qfjjrovf97or5jgq
10:58 < codeswing> updated the pastie
10:58 < krzee> yup saw it
10:58 < krzee> but it doesnt help me
10:59 < krzee> there must be something after as well
10:59 < ecrist> krzee: you don't happen to have vbulletin license laying around, do you?
10:59 < ecrist> 4.0?
10:59 < krzee> it times out or what?
10:59 < krzee> negative ecrist 
10:59 < krzee> dougy might
10:59 -!- ecrist changed the topic of ##openvpn to: OpenVPN 2.1.1 Most Current || Your problem is your firewall, really. || Type !welcome before asking your questions. || Web Forum: http://ovpnforum.com
11:00 < codeswing> krzee: it's stopped at the point
11:00 < krzee> codeswing, so the next thing it does is timeout?
11:00 < krzee> no R's or W's?
11:00 < krzee> i KNOW it does SOMETHING after
11:01 < codeswing> hmm
11:01 < codeswing> it's stopped there :)
11:01 < krzee> maybe for a certain amount of time...
11:02 < krzee> !configs
11:02 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:03 < krzee> ecrist, did you see riproute on the wiki?  i just noticed it, way cool of the guy to make that writeup (its now !rip)
11:04 < ecrist> !rip
11:04 < vpnHelper> ecrist: "rip" is http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting for a writeup on using RIP in openvpn
11:04 < codeswing> krzee: what should I do?
11:04 < krzee> codeswing, paste both configs without comments and come back when you have access to the server
11:04 < codeswing> hmm
11:05 < ecrist> krzee: that's pretty cool
11:05 < krzee> ya man
11:06 < krzee> i remember explaining iroute to him and whatnot, but he figured the solution himself and was cool enough to document it
11:06 < krzee> i just realized he had documented it, lol
11:09 < ecrist> there have been a few people with interesting configurations that would have been nice to have them document stuff, and they never do.
11:10 < krzee> yup
11:10 < krzee> was cool to see an exception to that =]
11:10 < krzee> ill be making a writeup on chaining vpns soon
11:12 < krzee> a group of friends is all doing 1 writeup within these 2 weeks, i chose VPN chaining (which was my orig motivation for learning everything that led to writing !route)
11:12 < ecrist> I sent dougy an email about vbulletin.  if I have to, I'll just buy a license and run with it.  once I obtain that, I'm hoping to make a more uniform site, including the wiki
11:12 < krzee> i setup X servers, in a linear line with 1 client between each server in the chain, the client connects to both servers and routes between it
11:13 < ecrist> not sure if I want to move the wiki, giving openvpn it's own, or simply make the wiki seem part of ovpnforum.com
11:14 < codeswing> openvpn suck
11:16 < krzee> ecrist, i like idea 2 more
11:17 < ecrist> codeswing?
11:17 < codeswing> yeah
11:17 < ecrist> krzee: as in, move the wiki to ovpnforum.com?
11:17 < codeswing> it's not simple
11:17 < krzee> or have it accessible from the forum somehow
11:17 < krzee> so that people who find the forum from google can find the wiki easily
11:18 < ecrist> my only 'problem', krzee, is right now it's intermingled with my other articles.
11:18 < codeswing> what does it mean "2010-01-19 22:30:45   pkcs11_protected_authentication = DISABLED"
11:18 < ecrist> I suppose we could just have links directly in to the articles from the forum site
11:18 < krzee> *shrug* its all knowledge, but isnt there a openvpn specific link you could use?
11:18 < codeswing> krzee: 2010-01-19 22:30:45   pkcs11_protected_authentication = DISABLED
11:19 < krzee> http://www.secure-computing.net/wiki/index.php/OpenVPN
11:19 < vpnHelper> Title: OpenVPN - Secure Computing Wiki (at www.secure-computing.net)
11:19 < codeswing> what does the line mean
11:19 < krzee> codeswing, it means paste those configs or stop wasting time
11:19 < krzee> lol
11:19 < codeswing> hmm.. I can't access server logs ..
11:19 < codeswing> it's protected
11:19 < krzee> did i just say logs?
11:19 < codeswing> the server is secure
11:20 < codeswing> I can't send server configs too
11:20 < krzee> come back when you can
11:20 < krzee> if you dont have access to the server, get support from the company that runs it
11:20 < krzee> if you do but not at this moment, please return with the needed info
11:21 < rob0> "openvpn suck"?
11:22 -!- NickWebHA [n=nick@mail.webhse.com] has joined ##openvpn
11:22 < NickWebHA> Hello everyone and welcome back me!
11:22 < krzee> lol, sup NickWebHA 
11:22 < NickWebHA> I am in a pretty good mood and to top it all off food is on its way!
11:22 < NickWebHA> The only thing better is food being here.
11:23 < rob0> krzee, I'd suggest a "!sweet" factoid for visitors such as codeswing: http://sweet.nodns4.us/
11:23 < vpnHelper> Title: S.W.E.E.T.: Stop Wasting Everyone Else's Time (at sweet.nodns4.us)
11:23 -!- BoomSie [n=gideon@dw77242112238.amsterdam-tc.dataweb.net] has quit [Client Quit]
11:23 < codeswing> krzee: the same configs are connecting from my friends machine
11:23 < rob0> ah crap
11:23 < krzee> codeswing, then the server log should tell us your problem
11:23 < rob0> leave off the "http://" part :)
11:23 < codeswing> krzee: it's stuck
11:24 < krzee> codeswing, we dont often sit here and guess what we need, come back when you have the server logs at verb 5
11:24 < NickWebHA> So I made some major headway in my OpenVPN-related Struggle Time (tm). Everyone can connect to the server and they can ping it! They just can not see the local LAN behind the OpenVPN server. I read !route but that does not apply to bridged configurations.
11:24 < krzee> codeswing, im starting to think you might be trolling...
11:24 < codeswing> hmm
11:24 < codeswing> nope
11:25 < codeswing> krzee: the same config used to connect some while ago (1 month back)
11:25 < codeswing> now it is not connecting
11:25 < krzee> ahh bridged configs, someone besides myself will need to help with that NickWebHA, but may i ask why you need bridge?
11:25 < krzee> codeswing, THEN COME BACK WHEN YOU HAVE SERVER LOG
11:25 < krzee> if i say that again its in a kick message
11:25 < codeswing> krzee: my boss won't allow me to access our openvpn server
11:25 < rob0> Nick is using IPX
11:25 < krzee> rob0, ahh =]
11:25 < rob0> codeswing: http://sweet.nodns4.us/
11:25 < vpnHelper> Title: S.W.E.E.T.: Stop Wasting Everyone Else's Time (at sweet.nodns4.us)
11:26 < NickWebHA> Old video games. Really old video games.
11:27 < krzee> NickWebHA, valid reason... ild help if i used bridged mode
11:27 < krzee> but do stick around, others here know bridged mode better than i
11:27 < NickWebHA> I may not be an OpenVPN issue at all. While running Wireshark I see the packets hitting the machine on the local LAN but it can not find its way back.
11:27 < rob0> codeswing: when you say things such as "openvpn suck" in here, you defined yourself as someone who is not worth my time and effort. I would have no interest in helping you even if you did come back with information to make help possible. Just thought you might benefit from some feedback.
11:28 < codeswing> okay
11:28 < codeswing> sorry..
11:28 < NickWebHA> It also find it odd that a connected OpenVPN client does not have a gateway listed on the virtual adapter.
11:28 < NickWebHA> codeswing: Shame on you. These people are here because they want to be here. If they kick your ass out you have no one to blame but yourself.
11:28 < krzee> the bridge script does need a gateway added at the end, i do remember that
11:28 < codeswing> rob0: sorry ... could you tell me what might be the problem I am facing
11:29 < krzee> oh boy...
11:29 < rob0> I accept the apology, but as krzee said, it's pretty near impossible to guess.
11:29 < NickWebHA> Unless you guys are working off tech-related prison offenses. Than I suppose you will never do that again. :-P
11:29 < krzee> rob0, you just saved him from a /kb come back with server logs if we unban you
11:30 < NickWebHA> Given your limited bridge experience, would you say "server-bridge 10.0.0.20 255.255.255.128 10.0.0.50 10.0.0.99 10.0.0.20" looks right? 10.0.0.20 is the local IP of the server running OpenVPN.
11:30 < krzee> LOL NickWebHA thats a great idea
11:30 < codeswing> rob0: okay .. np
11:30 < krzee> instead of jail time for hacking they should be monitored while supporting software on IRC
11:30 < krzee> lol
11:31 < NickWebHA> I know this is way off topic but I was just reminded of http://www.youtube.com/watch?v=VfCYZ3pks48 .
11:31 < vpnHelper> Title: YouTube - Sex Offender Shuffle (at www.youtube.com)
11:31 < NickWebHA> Oh, neat. I remember my old IRC bot-making days.
11:32 < krzee> NickWebHA, and whats an address they cant ping on the lan?
11:32 < NickWebHA> Anything other that the IP of the server itself. For example, I have a NAS array at 10.0.0.2 which is pingable but from from a client.
11:32 < NickWebHA> They also can not ping other connected clients.
11:32 < NickWebHA> I do have the client-to-client directive in there.
11:33 < krzee> --server-bridge gateway netmask pool-start-IP pool-end-IP
11:33 < krzee> pls see --server-bridge in !man
11:33 < krzee> !man
11:33 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
11:34 < NickWebHA> I will check it out. I was going by what was in the sample (these configs are almost verbatim the samples just for testing purposes).
11:35 < vpnHelper> New forum entry openvpnforum: Installation Help :: Re: OpenVPN on Windows XP - Cant install TAP-Win32 device driver :: Reply ... <http://www.ovpnforum.com/viewtopic.php?f=5&t=2483&p=2886#p2886> || Installation Help :: Re: Connect to Cisco vpn concentrator :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=5&t=2295&p=2887#p2887>
11:35 < krzee> knowing how it expands may help you NickWebHA 
11:35 < krzee> its just a helper directive, its actually a couple commands in 1
11:36 < NickWebHA> I see. Hitting the books. I will cover myself in fire retardant for when I make it explode.
11:37 < krzee> its actually not much to read, i think it could help =]
11:38 < krzee> also, you want to give the clients a netmask that goes with what the LAN uses, but only a pool of IPs that the LAN knows to never use themselves
11:38 < krzee> so if ou have DHCP on that lan, the DHCP server needs to set aside those ips to not hand out
11:40 < krzee> !learn sweet as http://sweet.nodns4.us/ =[
11:40 < vpnHelper> krzee: Error: Missing "]".  You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
11:40 < NickWebHA> I have that part all done. 10.0.0.50 to 10.0.0.99 is all set aside for the VPN clients to use. There is not much equipment on my home network that requires a static IP by design so most of the range is for dynamic addresses.
11:40 < krzee> !learn sweet as http://sweet.nodns4.us/ =(
11:40 < vpnHelper> krzee: Joo got it.
11:42 < ecrist> may not be suitable for work: http://secure-computing.net/files/booty.gif
11:42 < NickWebHA> You know, I see no reason to have OpenVPN dishing out the IPs. Perhaps I should let my local DHCP do it... I am going to look into that.
11:42 < NickWebHA> You have no idea where I work.
11:42 < NickWebHA> I may get more money for that one. :-P
11:43 -!- Diffen2 [n=diffen2@202.138.241.83.in-addr.dgcsystems.net] has joined ##openvpn
11:43 -!- teddymills [n=teddy@208.92.235.227] has quit ["Ex-Chat"]
11:43 < NickWebHA> The gateway I am sending to the clients should be the local IP of the OpenVPN server, no?
11:45 < ecrist> NickWebHA: did you wait for it to download completely?
11:45 < ecrist> it's a 2MB gif
11:47 < krzee> ecrist, she just walks away, right
11:47 < krzee> ?
11:47 < ecrist> yeah
11:48 -!- Znuff [n=ibm86@89.165.131.103] has joined ##openvpn
11:48 < Znuff> Hi.
11:48 < Znuff> I'm having an issue configuring openvpn on a windows 2008 server
11:49 < Znuff> Basically it says it can't load the server.crt, even tough the path is correct :-/
11:50 < krzee> show me the line you used
11:50 < krzee> (@znuff)
11:51 < Znuff> sec, I'm trying to build the keys again
11:51 < krzee> you still have the line in your config...
11:53 < NickWebHA> We have company-sanctioned Boob Hour (tm) on Fridays. I let it download. :-P
11:53 < krzee> sounds like where i work
11:53 < Znuff> krzee, the slashes were escaped properly
11:54 < krzee> Znuff, and quoted?
11:54 < krzee> ""
11:54 < Znuff> yes
11:54 < Znuff> just that my .crt was empty
11:54 < Znuff> just recreated all the keys from scratch and it worked
11:54 < krzee> when someone has a nekkid girl on msn at my office people (including the boss) gather to watch
11:54 < krzee> lol
11:54 < krzee> Znuff, sounds good =]
12:05 < vpnHelper> New forum entry openvpnforum: Configuration :: Re: OpenVpn configuration :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=6&t=2481&p=2888#p2888>
12:10 -!- Znuff [n=ibm86@89.165.131.103] has left ##openvpn ["Leaving"]
12:14 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
12:14 -!- codeswing [n=codeswin@unaffiliated/codeswing] has left ##openvpn ["Leaving..."]
12:24 < NickWebHA> I have figured out my problem! Just one catch...
12:25 < NickWebHA> ... "server-bridge 10.0.0.20 255.255.255.128 10.0.0.50 10.0.0.99" does not push the proper gateway to the clients. When I set it manually everything works.
12:26 -!- cp7 [n=neo@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
12:26 -!- mode/##openvpn [+v cp7] by ChanServ
12:27 -!- cp7 [n=neo@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Client Quit]
12:30 -!- adam_ [i=5d3092bb@gateway/web/freenode/x-rznvjxistnkfemfl] has joined ##openvpn
12:31 < krzee> ahh nice NickWebHA 
12:31 < krzee> you can run the command to set it manually from bridge script or from --up <script>
12:31 < adam_> hi guys, i currently use hamachi to connect to my home server when i'm not at home... can i do the same using openvpn? my big problem is that i don't have any public ip, my home internet provider use a nat, so i cannot have direct access to the server
12:31 < krzee> !route
12:31 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:31 < krzee> dyndns can map your dynamic ip to a hostname
12:32 < krzee> but really your home can connect to the server, which i assume is on a static ip
12:33 < adam_> krzee: if that was for me... i haven't a dynamic ip... there is just the static one of the nat server, which blocks everything, and don't route to internal hosts
12:34 < krzee> but server is out on the net, like a colo?
12:35 < adam_> krzee: nope, it's at home.... (i use it for home stuff, like sharing file, etc...).. which is connected to internet under a nat.... so there is this scenario: notebook -> nat <- homeserver
12:35 < adam_> hamachi solve this, but the linux version is kinda old and unmaintaned, so i was looking for alternatives
12:35 -!- CaBa [n=caba@188.40.166.98] has quit [Remote closed the connection]
12:35 -!- CaBa [i=caba@unique-inter.net] has joined ##openvpn
12:37 < krzee> both machines are home?
12:37 < adam_> krzee: the server always, the notebook could be everywhere in the world
12:38 < krzee> if you cant forward a port, openvpn wont be the solution for you, UNLESS you have a server you can use on the inet and make both laptop and home into clients
12:38 < krzee> on the inet i mean with an open port
12:39 < NickWebHA> Would I have to use an external script? Can I not push something to the clients or something to set the gateway? server-bridge [gateway] [netmask] [start IP] [end IP] is simply not working.
12:39 < NickWebHA> I am trying push "route-gateway 10.0.0.20" but that does not work either.
12:40 < adam_> krzee: i can't forward ports (as it's managed by the internet provider)... mmm...but in that case i would need another public server to make it work.....so nothing, i'll stay with hamachi ;)
12:41 < krzee> NickWebHA, did you read on route-gateway? i believe that option only changes what gateway --route commands use
12:41 < krzee> adam_, sounds like your best bet for now
12:41 < krzee> i have something in the wishlist for that type of setup to work, but its not being worked on
12:42 < krzee> and i dont even know if its feasible, and doubt anyone wants to work on coding it
12:42 < krzee> !wishlist
12:42 < vpnHelper> krzee: "wishlist" is http://ovpnforum.com/viewforum.php?f=10 for the openvpn wishlist
12:42 < krzee> http://ovpnforum.com/viewtopic.php?f=10&t=141
12:42 < vpnHelper> Title: OpenVPN Forum View topic - Idea for direct connections (at ovpnforum.com)
12:43 < adam_> krzee: mmm..ok...thank you anyway :)
12:45 -!- adam_ [i=5d3092bb@gateway/web/freenode/x-rznvjxistnkfemfl] has quit ["Page closed"]
12:46 < NickWebHA> Here is where I am confused. Check out this line from the client right as it connects: "PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.0 255.255.255.128,route-gateway 10.0.0.20,ping 10,ping-restart 120,ifconfig 10.0.0.51 255.255.255.128'"
12:47 < NickWebHA> It has "route-gateway 10.0.0.20" in there.
12:47 < NickWebHA> Yet when I look on a Linux client or a Windows client it is not set.
12:47 < NickWebHA> When I set it manually it works.
12:48 < krzee> that gateway is for --route commands
12:48 < krzee> i remember yrs ago when i did a bridge i had to set the gateway
12:48 < krzee> in fact doesnt it mention something bout that in --server-bridge?
12:48 < NickWebHA> Ah. So what do I need to push to the clients (or put in their configuration less preferably) to set a gateway?
12:49 < NickWebHA> Yes. The server-bridge directive is where that route-gateway is coming from.
12:49 < krzee> i mean something about manually setting the gateway info
12:50 < NickWebHA> If I have to I have to but I can not imagine at v2.1.x we still have to manually set such a quintessential parameter.
12:50 < krzee> ecrist, how do you solve that?
12:50 -!- trox [i=c345d00c@gateway/web/freenode/x-qancqbszwcwdgynp] has quit [Ping timeout: 180 seconds]
12:51 < krzee> i remember adding it to my bridge.sh script
12:51 < NickWebHA> Well my server is running on Windows.
12:51 < krzee> that would be a .bat script ;]
12:51 < krzee> but maybe ecrist knows the way, i usually deal in routed configs
12:52 < NickWebHA> I suppose my point was I am unfamiliar with auto executing scripts however poorly my words were chosen. :-P
12:52 -!- dazo is now known as dazo_afk
12:52 < ecrist> no idea
12:53 < krzee> dont you bridge? you set it via script too?
12:53 -!- agagag [n=anton@158.37.56.5] has quit [Read error: 104 (Connection reset by peer)]
12:54 < krzee> NickWebHA, if you decide to do it via script it would be a route add command in a bat file run by --up command in openvpn
12:54 -!- agagag [n=anton@ataraxia.bek.no] has joined ##openvpn
12:54 < krzee> you can find the right command in cmd window
12:59 < NickWebHA> So if I was running this as a service I would not be able to do that?
13:00 < NickWebHA> I mean I can disable DHCP all together and statically assign everything per client I suppose but that is just a headache.
13:04 < krzee> read --up
13:05 < krzee> !man
13:05 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
13:15 -!- agagag [n=anton@ataraxia.bek.no] has quit [Remote closed the connection]
13:15 -!- agagag [n=anton@ataraxia.bek.no] has joined ##openvpn
13:16 < NickWebHA> Aye.
13:21 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:25 -!- _dren [i=dren@dereferenced.nullpointer.net] has joined ##openvpn
13:27 < NickWebHA> Using either up "route add gw 10.0.0.20" or up "route gw 10.0.0.20" both result in an error. Since the documentation does not use conventions like italics for arguments and so forth I am unclear as to the usage of up.
13:28 < krzee> up <script>
13:28 < krzee> script would be a .bat containing your command(s)
13:29 -!- Intensity [i=[6XRnEbE@unaffiliated/intensity] has joined ##openvpn
13:30 < NickWebHA> The docs say "shell command to run after successful TUN/TAP device open" and I only need one command so I figure I could just put the command there instead of using an external script. No?
13:30 < krzee> nope
13:30 < NickWebHA> ... which raises another point. I need to know the adapter's name if I am going to set its gateway from a script.
13:31 < krzee> ild think you could just add a route to the subnet you need to reach to point twords its endpoint which you can already ping
13:31 < krzee> no device needed if that works
13:31 < krzee> theres already a route for that ip to go over the device
13:32 < NickWebHA> Good point.
13:32 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
13:33 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
13:35 -!- saftsack [n=oliver@p4FF0D1AD.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
13:39 < NickWebHA> I just hit something strange.
13:39 < NickWebHA> When I wrote "route change 10.0.0.0 10.0.0.20" at the command line on the client after the OpenVPN client connects everything works but when I put it in a batch file I get an error and OpenVPN exits.
13:40 < NickWebHA> Running an experiment now...
13:41 -!- Bushmills [n=nnnBushm@verhau.de] has left ##openvpn ["Leaving."]
13:41 -!- Bushmills [n=nnnBushm@verhau.de] has joined ##openvpn
13:41 < hyper_ch> why don't you create a ccd and and put according routs to each client in there?
13:42 < NickWebHA> "Tue Jan 19 14:41:05 2010 us=343000 vm-winxpprodev.bat TAP-Win32 1500 1574 10.0.0.51 255.255.255.128 init 'route' is not recognized as an internal or external command, operable program or batch file."
13:42 < krzee> give full path to route command
13:42 < NickWebHA> When I instead put "echo Dance, dance, dance!" in the batch file it works fine and outputs "Dance, dance, dance!"
13:44 < NickWebHA> Says the route is not found. I will try up-delay...
13:44 < hyper_ch> !ccd
13:44 < vpnHelper> hyper_ch: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
13:44 < NickWebHA> hyper_ch: Thanks for the suggestion. I think it needs to be on client because the client is the one with the wrong gateway OpenVPN is having trouble setting.
13:45 < NickWebHA> I would love the have 100% of the configuration on the server and none of the clients if that were possible. :-P
13:45 < hyper_ch> it is possible
13:46 < NickWebHA> Nothing I have tried over the last week has worked. I see the directives being pushed to the clients but they do not take effect (IE: I do an ipconfig /all on my Windows client and no gateway is set although I see it in the OpenVPN logs).
13:47 < NickWebHA> I would love to get that working if you can offer a suggestion about what I should do. :-D
13:47 < hyper_ch> oh, you use windows?
13:47 < NickWebHA> This route business is a band-aid.
13:47 < NickWebHA> Most of my clients will be Windows boxes so I figured I would test in Windows.
13:48 < krzee> NickWebHA, 
13:48 < krzee> !push
13:48 < vpnHelper> krzee: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
13:48 < krzee> see --push in manual for what works in push option
13:48 < NickWebHA> I got that. I have the route-gateway command being pushed. It shows up like I expect it to. It just does not set the gateway like it is suppose to with no error.
13:48 < NickWebHA> Already did.
13:49 < krzee> dude
13:49 < krzee> i told you what route-gateway does 3 times
13:49 < krzee> it does NOT add a gateway, it sets the gateway which will be used with following --route commands
13:50 < NickWebHA> One minute. Checking into --route.
13:50 < NickWebHA> OK, I see.
13:51 < hyper_ch> I have that in one of my ccd configs:
13:51 < hyper_ch> ifconfig-push 10.8.0.4 10.8.0.5
13:51 < hyper_ch> push "route 10.8.0.0 255.255.255.0"
13:51 < hyper_ch> and works fine
13:53 < krzee> .4 .5?
13:53 < krzee> in net30?
13:53 < NickWebHA> Docs say that should be a remote netmask. 10.8.0.5 works?
13:53 < hyper_ch> krzee: what do I know about things... that works :)
13:54 < NickWebHA> If it works it works. Ain't broke, don't fix it.
13:58 < Bushmills> if it works, and you don't know why, break it, so you can learn by fixing it.
13:59 < Bushmills> that condition (working and not knowing why) is the worst of all. 
13:59 < krzee> as many hacked people would say, just because it works doesnt mean its not broken
14:00 < NickWebHA> Not a bad point at all.
14:00 < krzee> but in your case with the ifconfig-push, screw it, if you're happy who cares ;]
14:00 < krzee> but it shouldnt work in net30 topology
14:01 < krzee> (default for routed configs)
14:01 < NickWebHA> OK, here is where I am now. up "jfdhgjdfgfg.bat" executes just fine. If I just do up then it happens too soon (says the adapter is now ready yet) but if I do up-delay it happens without error but does not fix anything. If I type in the command in the batch file ("route change 10.0.0.0 10.0.0.20") manually after it connects everything works fine.
14:01 < NickWebHA> ^ adapter is not ready
14:02 < krzee> 2010-01-19 15:58:58 (50.7 KB/s) - `26c3-3555-en-sccp_hacking_attacking_the_ss7_amp_sigtran_applications_one_step_further_and_mapping_the_phone_system.mp4' saved [670895247/670895247]
14:02 < krzee> woohoo
14:02 < krzee> lil something for the ipod while i work =]
14:04 < krzee> NickWebHA, how bout if you double click the .bat after connecting?
14:05 < NickWebHA> Yip, that also fixes it.
14:05 < NickWebHA> The batch is working fine. It is OpenVPN that is calling it... perhaps too soon?
14:05 < NickWebHA> I wonder if I put a wait or something in the batch...
14:06 < NickWebHA> Of course Windows has no build-in way to do that... of course.
14:20 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
14:22 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
14:25 < ecrist> no built-in way to do what?
14:25 < NickWebHA> Have a batch file wait. Some versions of DOS shipped with executables called wait or choice but Windows no longer does.
14:26 < ecrist> the Windows 2003 Resource Kit provides a 'sleep' command requiring no extra tricks.
14:26 < ecrist> http://malektips.com/xp_dos_0002.html
14:26 < vpnHelper> Title: Batch file SLEEP Command - Windows XP and DOS (at malektips.com)
14:29 -!- saftsack [n=oliver@p4FD88B15.dip0.t-ipconnect.de] has joined ##openvpn
14:29 < ecrist> they also recommend using ping in place
14:29 < NickWebHA> A-HA! I GOT IT ALL WORKING!
14:29 < NickWebHA> No "up" required!
14:29 < ecrist> ping -n <seconds>
14:29 < NickWebHA> I am going to post everything on my blog!
14:29 < |Mike|> please don't :p
14:29 < NickWebHA> I did not think of ping. That is a good idea.
14:30 < NickWebHA> By "everything" I mean my configs and step-by-step instructions. Perhaps also that animated GIF that was here a few hours back.
14:31 -!- DelphiWorld [n=Miranda@41.104.5.83] has joined ##openvpn
14:31 < DelphiWorld> hi OpenVPN peoples
14:31 < DelphiWorld> if i create a config and one user is connected to my VPN
14:31  * NickWebHA is now an OpenVPN peoples.
14:31 < DelphiWorld> i must create another Config to let users connect?
14:31 < DelphiWorld> or same one?
14:31 < NickWebHA> DelphiWorld: Not sure what you mean. You need one config for the server and one for the client(s).
14:32 < DelphiWorld> for the clients
14:32 < DelphiWorld> for all client?
14:32 < DelphiWorld> or one by one?
14:35 < NickWebHA> You could distribute the same config for all and same certificate for all using "duplicate-cn" on the sever but that is highly recommended against.
14:35 < ecrist> hello DelphiWorld 
14:40 -!- Intensity [i=[6XRnEbE@unaffiliated/intensity] has quit [Read error: 104 (Connection reset by peer)]
14:42 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:45 < DelphiWorld> hi ecrist
14:45 < DelphiWorld> so OpenVPN use key... no user/pass
14:46 < ecrist> it *can* use user/pass, but it requires further scripting
14:46 < ecrist> and you still need certificates at some level if you want encryption between more than two peers
14:46 < DelphiWorld> ecrist: where are u from?
14:46 < ecrist> why?
14:53 -!- Diffen2 [n=diffen2@202.138.241.83.in-addr.dgcsystems.net] has quit ["This computer has gone to sleep"]
15:04 -!- saftsack [n=oliver@p4FD88B15.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
15:04 -!- dmarkey_ [n=dmarkey@dmarkey.xen.prgmr.com] has left ##openvpn []
15:09 -!- saftsack [n=oliver@p4FF0D9C3.dip.t-dialin.net] has joined ##openvpn
15:10 -!- Auz [n=Auz@ext00.education.com] has quit [Read error: 104 (Connection reset by peer)]
15:11 -!- Dougy [n=me@vpn.douglashaber.com] has joined ##openvpn
15:14 -!- Intensity [i=[IWxENo1@unaffiliated/intensity] has joined ##openvpn
15:14 -!- DelphiWorld [n=Miranda@41.104.5.83] has quit [Read error: 54 (Connection reset by peer)]
15:18 < Dougy> ecrist: around ?
15:18 < Dougy> ecrist: if not, will catch you later
15:21 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has joined ##openvpn
15:22 < Mtn_Bkng_Dave> !welcome
15:22 < vpnHelper> Mtn_Bkng_Dave: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:22 < Mtn_Bkng_Dave> !howto
15:22 < vpnHelper> Mtn_Bkng_Dave: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:22 < NickWebHA> Hellllllo party people! Would the kind helpers of #openvpn on freenode direct their browsers to the following: http://blog.lifebloodnetworks.com/?p=196
15:23 < NickWebHA> I am a bit burnt from all my OpenVPNing so I may have left one or two things out. If anyone sees anything missing please let me know.
15:23 < Mtn_Bkng_Dave> anybody here?
15:24 < Mtn_Bkng_Dave> need some help with a linksys bridging configuration on DD-WRT firmware
15:24 < Mtn_Bkng_Dave> I have been at it all day and cannot get a connect
15:24 < NickWebHA> I can not help you with the 3rd party router firmware but I may be able to help with some OpenVPN configuration stuff. What step are you at?
15:25 < krzie> Mtn_Bkng_Dave why bridging?
15:25 < krzie> !tunortap
15:25 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
15:25 < vpnHelper> krzie: against you over the vpn
15:25 < Mtn_Bkng_Dave> two remote networks
15:25 < krzie> !route
15:25 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:25 < krzie> routed setups can connected multiple networks
15:25 < krzie> more efficiently and securely in fact
15:25 < NickWebHA> Oh, I forgot the tap/tun argument. You might want to consider that first. :-D
15:25 < Mtn_Bkng_Dave> yeah LOL
15:25 < Mtn_Bkng_Dave> tried em both
15:25 < Mtn_Bkng_Dave> neither works
15:25 < Mtn_Bkng_Dave> LOL
15:26 < krzie> the only reason to use a bridge is if (like NickWebHA) you need a specific layer2 protocol
15:26 < NickWebHA> Dave is like a time machine. A younger me.
15:26 < Mtn_Bkng_Dave> LOL maybe not
15:26 < Mtn_Bkng_Dave> how old are you
15:26 < Mtn_Bkng_Dave> LOL
15:26 < krzie> Mtn_Bkng_Dave you have specific layer2 proto you need over the vpn or shall i try to help you get a routed config up?
15:26 < Mtn_Bkng_Dave> routed would work
15:26 < NickWebHA> How old am I before or after today? I aged a lot in the last week. :-P
15:27 < Mtn_Bkng_Dave> ive got a wins server 
15:27 < Mtn_Bkng_Dave> so routed will do for what i need
15:27 < Mtn_Bkng_Dave> just want access to windows shares
15:27 < krzie> !sample
15:27 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
15:27 < krzie> !route
15:27 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:27 < krzie> do you happen to use freebsd?
15:27 < Mtn_Bkng_Dave> no i dont
15:27 < krzie> !howto
15:27 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:28 < krzie> use that howto for making your certs
15:28 < Mtn_Bkng_Dave> got all that done
15:28 < krzie> then read the man pages for every option in my sample configs
15:28 < Mtn_Bkng_Dave> getting a code 146
15:28 < krzie> you can use them as a base config if you like
15:28 < krzie> then we'll get your lans routing over the vpn
15:28 < Mtn_Bkng_Dave> thats all done
15:28 < Mtn_Bkng_Dave> certs are up and installed
15:29 < krzie> ok well then
15:29 < krzie> !configs
15:29 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
15:29 < krzie> lets see where your routed configs are at
15:29 < Mtn_Bkng_Dave> connection is being refused on the server end
15:29 < Mtn_Bkng_Dave> ok
15:29 < Mtn_Bkng_Dave> lemme get them up and ill paste them in
15:29 < krzie> oh, is your server behind a firewall / nat? does your server log see a connection attempt?
15:30 < krzie> reiffert, these CCC talks from december are ELITE
15:30 < Mtn_Bkng_Dave> yes
15:30 < Mtn_Bkng_Dave> i see the attempt
15:30 < Mtn_Bkng_Dave> server and client are appliances
15:31 < krzie> ok thats good
15:31 < krzie> ahh that will make the klan routing easier, both sides are gateways for their lan?
15:31 < krzie> s/klan/lan/
15:31 < Mtn_Bkng_Dave> linksys wrt54gl with DD-wrt firmware with OpenVPN integrated
15:31 < Mtn_Bkng_Dave> yes
15:31 < Mtn_Bkng_Dave> both are gateways
15:31 < krzie> great, you dont have to add routes to the routers then, thats a nice step to skip
15:32 < krzie> your setup will be pretty easy
15:32 < Mtn_Bkng_Dave> ok let me dig up what I have so far
15:32 < Mtn_Bkng_Dave> just paste it in?
15:32 < krzie> !p[astebin
15:32 < vpnHelper> krzie: Error: Missing "]".  You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
15:32 < krzie> !pastebin
15:32 < vpnHelper> krzie: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
15:33 < Mtn_Bkng_Dave> ok ill do em small
15:33 < Mtn_Bkng_Dave> LOL
15:33 < krzie> and no comments
15:33 < Mtn_Bkng_Dave> i havent been on irc in 15 years LOL
15:33 < krzie> (with comments removed, you can use `grep -vE '^#|^;|^$'
15:33 < krzie>             server.conf`)
15:33 -!- bytesaber_ [n=bytesabe@208-98-188-95.directcom.com] has joined ##openvpn
15:35 < krzie> Mtn_Bkng_Dave just go to pastebin and its obvious
15:35 < krzie> try, THEN ask
15:35 < krzie> (re: msg)
15:37 < NickWebHA> OK, all. I need to go get a drink of water and pay attention to my woman. She has been very patient with me the last week. And that scares the shit out of me.
15:37 < NickWebHA> Thank you all for the help! I am going to start a Live Aid concert in your honor.
15:37 -!- NickWebHA [n=nick@mail.webhse.com] has left ##openvpn []
15:38 < Mtn_Bkng_Dave> http://pastebin.ca/1758045
15:39 < Mtn_Bkng_Dave> ok
15:39 < Mtn_Bkng_Dave> there is my server config
15:39 < krzie> you can lose #
15:39 < krzie> tls-server
15:39 < krzie> its part of --server
15:40 < krzie> 192.168.65.0 is the lan behind server, correct?
15:41 < Mtn_Bkng_Dave> yes
15:41 < krzie> and 192.168.64.0 does not exist anywhere else, only the VPN right
15:41 < Mtn_Bkng_Dave> yes
15:41 < Mtn_Bkng_Dave> im sorry
15:41 < Mtn_Bkng_Dave> 64 is behind server
15:41 < Mtn_Bkng_Dave> or local
15:41 < Mtn_Bkng_Dave> 65 is the client network
15:41 < krzie> 64 is the server LAN?
15:41 < Mtn_Bkng_Dave> yes
15:42 < krzie> you cant assign that to the VPN then
15:42 < krzie> you can use 10.8.0.0 or something instead
15:42 < Mtn_Bkng_Dave> ohhhhh it needs its own virtual network?
15:42 < krzie> correct
15:42 < krzie> and you need to push the server LAN, so 64
15:43 < krzie> will there be more than 1 client?
15:43 < Mtn_Bkng_Dave> for now only 1
15:43 < krzie> like road warrior maybe, that wants to access both lans?
15:43 < Mtn_Bkng_Dave> ok yes
15:43 < krzie> well shall we make it work for that setup for future?
15:43 < krzie> ok
15:43 < krzie> so you push BOTH routes
15:43 < krzie> and you make a ccd entry for client with lan behind him
15:43 < krzie> with an iroute for his lan subnet
15:43 < krzie> as shown in:
15:43 < krzie> !route
15:43 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:44 < krzie> a writeup i made for connecting multiple lans via ovpn
15:44 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Read error: 110 (Connection timed out)]
15:44 < krzie> had you looked at my samples and !route i think youd have it done ;]
15:45 < Mtn_Bkng_Dave> i thought you meant the samples in the HOWTO
15:45 < Mtn_Bkng_Dave> LOL
15:45 < Mtn_Bkng_Dave> my eyes are fried on those LOL
15:45 < krzie> !sample
15:45 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
15:46 < Mtn_Bkng_Dave> so would bridging also require a virtual subnet?
15:46 -!- plndra is now known as plundra
15:46 < krzie> you dont need bridging
15:46 < Mtn_Bkng_Dave> what about accessing windows shares?
15:46 < Mtn_Bkng_Dave> routing still work?
15:46 < krzie> !wins
15:46 < vpnHelper> krzie: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
15:47 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
15:47 < Mtn_Bkng_Dave> ive got a wins server running on a media server
15:47 < krzie> but you can access by IP without wins
15:47 < Mtn_Bkng_Dave> i have several blondes
15:47 < Mtn_Bkng_Dave> numbers scare them
15:47 < Mtn_Bkng_Dave> LOL
15:48 < krzie> automount .bat script?
15:48 <+Kas> hah
15:48 < krzie> then they dont have to map the network share manually at all
15:48 < krzie> (aka mount the share)
15:49 < krzie> however, you can push the wins server to clients
15:49 < Mtn_Bkng_Dave> same way?
15:49 < krzie> as seen in the manual
15:49 < krzie> !man
15:49 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
15:49 < krzie> search for wins
15:49 < Mtn_Bkng_Dave> ok thanks krzie
15:49 < Mtn_Bkng_Dave> ill prolly be back LOL
15:49 < krzie> yw
15:50 < krzie> --dhcp-option type [parm]
15:50 < Mtn_Bkng_Dave> do you know which version is in the dd-wrt firmware?
15:50 < krzie> read on that
15:50 < krzie> nope, i dont play with those
15:50 < krzie> but 2.1.1 is latest ovpn release
15:51 -!- linucks[afk] is now known as linucks
15:51 < Mtn_Bkng_Dave> ok thanks
15:52 < krzie> np
15:52 < Mtn_Bkng_Dave> gonna go read this manual........AGAIN LOL
15:52 < krzie> i STILL read it
15:52 < krzie> <3 this manual
15:52 < krzie> great doc
16:07 < Dougy> krzie
16:07 < Dougy> i think we gonna convert forum to vB again
16:07 < Dougy> .
16:08 < krzie> y?
16:08 < Dougy> eric wants to
16:09 < Dougy> Doug,
16:09 < Dougy> Do you still have a vBulletin 4.0 license?  I think it would be best to obtain that instead of using phpBB.  The RSS and URL schemes in phpBB are lacking. 
16:09 < Dougy> meh.
16:09 < Dougy> so he and i are gonna try and find fundz0rs to do it
16:09 < krzie> i never had one
16:10 < krzie> but is there really a reason to pay?
16:10 < krzie> what we have seems to be working
16:10 -!- tjz2 [n=tjz@bb116-15-75-62.singnet.com.sg] has joined ##openvpn
16:10 < Dougy> I donno.. it's not my idea, it's his
16:11 < Dougy> ask him his reason
16:11 < Dougy> damn wtf vB is $195 each
16:11 < Dougy> oh wait thats owend
16:11 < Dougy> i think
16:12 < krzie> doesnt make sense in my head to pay to do free support, lol
16:12 < Dougy> lol
16:12 < Dougy> i emailed a contact at vBulletin 
16:13 < Dougy> seeing if they do 'open source' licenses
16:13 < Dougy> ofc if people want to donate that'd be a big help too
16:13 < krzie> *shrug*
16:16 < Dougy> or god 
16:16 < Dougy> we could ugh
16:16 < Dougy> put up ads
16:16 < Dougy> ;/
16:19 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has quit [Read error: 60 (Operation timed out)]
16:20 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
16:21 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
16:21 < krzie> or we dcould just stick with whats already there *shrug*
16:29 -!- tjz [n=tjz@unaffiliated/tjz] has quit [Read error: 110 (Connection timed out)]
16:31 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:45 < Dougy> its up to ecrist he runs it more then me
16:45 < Dougy> im just a helper
16:45 < krzie> same
16:45 < krzie> just my 2c
16:50 < Dougy> meh
16:50 < Dougy> vB would be cool if forum was busier
17:09 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: Lyndon, ribasushi, ius, stephenh_, DarkAnt, berniv6, freaky[t], sno_, ScriptFanix, ^scott^,  (+1 more, use /NETSPLIT to show all of them)
17:11 -!- Netsplit over, joins: Lyndon
17:11 -!- sno [n=sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn
17:11 -!- stephenh [n=stephenh@94-23-158-103.kimsufi.com] has joined ##openvpn
17:12 -!- ius [n=thralas@ius.student.utwente.nl] has joined ##openvpn
17:13 -!- Netsplit over, joins: ^scott^
17:13 -!- Netsplit over, joins: ribasushi
17:13 -!- Netsplit over, joins: freaky[t]
17:13 -!- DarkAnt [n=DarkAnt@c-24-63-224-114.hsd1.ma.comcast.net] has joined ##openvpn
17:13 -!- ScriptFanix [i=vincent@Tuluk.riquer.fr] has joined ##openvpn
17:16 -!- berniv6 [n=berni@2001:1b10:1000:0:0:0:26c3:1] has joined ##openvpn
17:19 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
17:20 -!- Typone [n=nnnnnits@195.197.184.87] has joined ##openvpn
17:25 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)]
17:39 -!- alan` [n=alan@rrcs-67-52-47-64.west.biz.rr.com] has quit [Read error: 104 (Connection reset by peer)]
17:47 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
17:47 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
17:54 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has joined ##openvpn
17:54 < Mtn_Bkng_Dave> still here krzie?
17:55 < Mtn_Bkng_Dave> anybody live?
17:58 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
17:58 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:00 < Mtn_Bkng_Dave> hi holybrau
18:01 < Mtn_Bkng_Dave> wow whole room of bots and lurkers LOL
18:01 < Mtn_Bkng_Dave> !wins
18:01 < vpnHelper> Mtn_Bkng_Dave: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
18:02 < DarkAnt> I am not a bot
18:02 < DarkAnt> I am turing complete
18:03 < Mtn_Bkng_Dave> lol
18:03 < Mtn_Bkng_Dave> are you a user or a helper?
18:03 < Mtn_Bkng_Dave> i have a small problem
18:03 < DarkAnt> more of a loser actually :P
18:04 < DarkAnt> but I can try to help
18:04 < Mtn_Bkng_Dave> lol me too when it comes to this
18:04 < Mtn_Bkng_Dave> just got a client server router config talking
18:05 < Mtn_Bkng_Dave> ping shows my local server net, xxx.xxx.64.0 correctly with all systems
18:05 < Mtn_Bkng_Dave> ping of remote xxx.xxx.65.0 shows every ip returning at the same rate and not showing any of my systems
18:05 < Mtn_Bkng_Dave> remote = client
18:06 < Mtn_Bkng_Dave> ping from client shows all correctly
18:06 < Mtn_Bkng_Dave> any ideas?
18:07 < Mtn_Bkng_Dave> push "route 192.168.64.0 255.255.255.0"
18:07 < Mtn_Bkng_Dave> server 192.168.66.0 255.255.255.0
18:07 < Mtn_Bkng_Dave> should that point at the gateway?
18:07 < Mtn_Bkng_Dave> the push?
18:07 < Mtn_Bkng_Dave> i think its right tho
18:07 < Mtn_Bkng_Dave> cause it all looks right from the client
18:10 < DarkAnt> sorry, I'm not sure
18:10 < reiffert> ecrist: would you please remove +t on #openvpn-devel, thanks
18:11  * reiffert is a bot and a lurker and not going to help Mtn_Bkng_Dave.
18:11 < reiffert> (as a bot and lurker, I'm free of choice)
18:11 < DarkAnt> hehe
18:12 -!- Dougy changed the topic of ##openvpn to: OpenVPN 2.1.1 Most Current || Your problem is your firewall, really. || Type !welcome before asking your questions. || Web Forum: http://ovpnforum.com || Dougy encourages you to join the forum!
18:12 < Bushmills> reiffert: do the three (or four) laws of robotics apply to you? 
18:12 < Mtn_Bkng_Dave> LOL
18:13 < reiffert> lemme see, # A robot may not injure a human being or, through inaction, allow a human being to come to harm.
18:13 < Bushmills> right
18:13 < reiffert> # A robot must obey any orders given to it by human beings, except where such orders would conflict with the First Law.
18:13 < reiffert> # A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.
18:13 < Bushmills> because than all one needs to do is to present the problem such that it becomes evident that harm would result from not solving it, to compel you to rush to aid#
18:13 < reiffert> Bushmills: I step back from the robot thing.
18:14 < reiffert> # A robot must establish its identity as a robot in all cases.
18:14 < reiffert> - OR -
18:14 < reiffert> # A robot must reproduce. As long as such reproduction does not interfere with the First or Second or Third Law.
18:14 < reiffert> and there is a 5th law: A robot must know it is a robot.
18:15 < havoc> you all are strange
18:15  * havoc loves Asimov
18:15 < havoc> don't forget the Zeroth Law ;)
18:16 < Mtn_Bkng_Dave> !welcome
18:16 < vpnHelper> Mtn_Bkng_Dave: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:16 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has quit []
18:16 < Bushmills> A robot may not harm humanity?
18:17 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has joined ##openvpn
18:17 < Mtn_Bkng_Dave> !welcome
18:17 < vpnHelper> Mtn_Bkng_Dave: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:17 < Bushmills> !laws_of_robotics
18:17 < vpnHelper> Bushmills: Error: "laws_of_robotics" is not a valid command.
18:18 < Bushmills> !factoids search laws
18:18 < vpnHelper> Bushmills: No keys matched that query.
18:18 < krzie> lol
18:18 < krzie> Mtn_Bkng_Dave im guessing you didnt do the iroute in ccd entry
18:19 < Mtn_Bkng_Dave> hi krzie
18:19 < krzie> not yet, waiting til after work
18:19 < krzie> but ill be hi as shit when that happens
18:19 < krzie> ;]
18:19 < Mtn_Bkng_Dave> can ya pop that link
18:19 < krzie> !route
18:19 < Mtn_Bkng_Dave> for the posing site
18:19 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:19 < Dougy> krzie you work ?LOL
18:20 < Mtn_Bkng_Dave> that may be my problem
18:20 < Mtn_Bkng_Dave> hi is not working LOL
18:20 < krzie> yup, closed all my businesses when i moved out of USA
18:20 < krzie> now im just a normal workin dude
18:20 < krzie> well not normal, but yanno what i mean
18:20 < Dougy> lol
18:23 < havoc> Bushmills: yes, Humanity, from Robots and Empire
18:29 < reiffert> Dougy: why do you think that we should join the forum when we have IRC?
18:29 < Mtn_Bkng_Dave> sorry krzie.........
18:29 < Dougy> because a lot of people wont use irc
18:29 < Mtn_Bkng_Dave> the ccd entry...........
18:30 < Mtn_Bkng_Dave> can i toss that in my firewall........
18:30 < Mtn_Bkng_Dave> im on an appliance
18:30 < Mtn_Bkng_Dave> trying to figure out where to stick it in the gui
18:30 < krzie> !ccd
18:30 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
18:30 < krzie> i dunno bout the gui, ssh in
18:31 < Mtn_Bkng_Dave> ok another one i gotta figure out LOL
18:31 < reiffert> Dougy: why place the ads on IRC then?
18:31 < Mtn_Bkng_Dave> <<<<OLDNOOB LOL
18:35 < Dougy> wtf im downloading this file at 44 Bytes/sec
18:37 < Bushmills> effective throttling
18:37 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Remote closed the connection]
18:38 -!- crunge [n=Crunge@about/security/staff/crunge] has joined ##openvpn
18:43 < crunge> Is it possible to have per-client tunX devices without running a separate server for each client?
18:43 < krzie> no
18:43 < krzie> but you very very likely dont need that
18:43 < krzie> in fact i dont think theres a single reason why you would
18:44 < crunge> I don't strictly have to but it would slightly simplify the very weird thing I'm doing
18:45 < reiffert> and that is?
18:45 < crunge> Proprietary. I could tell you but I'd have to kill us both
18:45 < reiffert> right, then live on with that "no".
18:46 < crunge> Which is fine
18:46 < crunge> I just have to decide which complexity I prefer, the complexity in the openvpn configs vs the supporting routing and NATting and such
18:47 < crunge> thanks for the time
18:47 -!- crunge [n=Crunge@about/security/staff/crunge] has left ##openvpn []
18:48 -!- ius [n=thralas@ius.student.utwente.nl] has quit ["leaving"]
18:55 < krzie> had he told us what his goal was we coulda prolly told him a better way
18:55 < krzie> lol
18:55 < Bushmills> goal is classified
18:56 < Bushmills> and probably hell breaks loose for him now for hinting that openvpn might be used
19:15 -!- DarkAnt [n=DarkAnt@c-24-63-224-114.hsd1.ma.comcast.net] has quit [" HydraIRC -> http://www.hydrairc.com <- The professional IRC Client :D"]
19:25 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has quit ["This computer has gone to sleep"]
19:27 -!- Serideru [n=GTWebste@24-116-116-232.cpe.cableone.net] has joined ##openvpn
19:31 -!- Serideru [n=GTWebste@24-116-116-232.cpe.cableone.net] has quit [Client Quit]
19:41 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
19:45 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has joined ##openvpn
19:54 -!- ecrist changed the topic of ##openvpn to: OpenVPN 2.1.1 Most Current || Your problem is your firewall, really. || Type !welcome  before asking your questions. || Web Forum: http://ovpnforum.com
19:55 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
20:19 < Dougy> http://newjersey.craigslist.org/sys/1555247616.html
20:19 < vpnHelper> Title: Commodore 64 with floppy drive (at newjersey.craigslist.org)
20:29 < Section58> doesn't have network card does it
20:29 < Section58> :(
20:29 < Dougy> :(
20:29 < Section58> would have loved added that to my AD
20:30 < Section58> for the lulz
20:30 < Section58> 'my nas is an amiga'
20:30 < Section58> o, how cool would it be to save your info on a 5 1/4 floopy
20:31 < Dougy> lol
20:39 < Dougy> yo
20:39 < Dougy> anyone wanna help me split this dedi
20:39 < Dougy> dual 5520, 72gb ram, like 6tb space, 10GBps bandwidth, 20GBps uplink
20:39 < Dougy> $10k/mo
20:39 < Dougy> lol
20:46 < Mtn_Bkng_Dave> still here krzee
20:46 < Mtn_Bkng_Dave> i finally figured out the client file
20:46 < Mtn_Bkng_Dave> still got the same problem tho
20:55 -!- tjz2 [n=tjz@bb116-15-75-62.singnet.com.sg] has quit ["bbl"]
20:55 -!- tjz [n=tjz@unaffiliated/tjz] has joined ##openvpn
20:57 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has quit [Read error: 54 (Connection reset by peer)]
20:58 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has joined ##openvpn
21:04 < Mtn_Bkng_Dave> !welcome
21:04 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has quit []
21:04 < vpnHelper> Mtn_Bkng_Dave: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:04 -!- DarkAnt [n=DarkAnt@c-24-63-224-114.hsd1.ma.comcast.net] has joined ##openvpn
21:04 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has joined ##openvpn
21:12 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has quit []
21:24 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
21:52 < DarkAnt> silly question, can I get openvpn to work within cygwin?
22:13 < ecrist> DarkAnt: no
22:17 < Dougy> ecrist
22:17 < Dougy> i emailed vB to see if they could do a discount for us
22:17 < ecrist> ok, I doubt they will
22:17 < Dougy> never know
22:18 < Dougy> my friend who used to work billing over there quit
22:18 < Dougy> :-(
22:18 -!- Dougy [n=me@vpn.douglashaber.com] has quit []
22:21 < ecrist> !exec ping6 ipv6.google.com
22:21 < vpnHelper> ecrist: Error: "exec" is not a valid command.
22:21 < ecrist> doh
22:31 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
22:39 -!- saftsack_ [n=oliver@p579DCBAF.dip.t-dialin.net] has joined ##openvpn
22:52 -!- saftsack [n=oliver@p4FF0D9C3.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
23:13 -!- DarkAnt [n=DarkAnt@c-24-63-224-114.hsd1.ma.comcast.net] has quit [Read error: 110 (Connection timed out)]
23:28  * tjz study ipv6
23:37 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
--- Day changed Wed Jan 20 2010
01:29 -!- Nrg_ [i=pk@reaktio.net] has joined ##openvpn
01:48 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
01:48 -!- mode/##openvpn [+o mattock] by ChanServ
02:09 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:23 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
02:41 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has joined ##openvpn
02:41 < Mtn_Bkng_Dave> here krzee?
02:42 < krzee> yup
02:42 < krzee> watching a lecture
02:42 < krzee> sup
02:42 < Mtn_Bkng_Dave> this thing is kicking my butt
02:43 < krzee> !configs
02:43 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
02:43 < krzee> !logs
02:43 < vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
02:43 < krzee> read both those carefully pls
02:43 < Mtn_Bkng_Dave> k
02:43 < Mtn_Bkng_Dave> brb
02:43 < Mtn_Bkng_Dave> had a weird one with a switch
02:43 < jmm> hello !
02:43 < krzee> iirc you're running 2 ovpn endpoints on routers and want both lans shared and read !route
02:44 < Mtn_Bkng_Dave> !route
02:44 < vpnHelper> Mtn_Bkng_Dave: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:44 < Mtn_Bkng_Dave> yeah been at that one for hours
02:44 < krzee> cool ill wait for the pastebins
02:45 < Mtn_Bkng_Dave> lemme change verbose to 6 and catch some logs
02:45 < Mtn_Bkng_Dave> brb
02:45 < krzee> hey
02:45 < Mtn_Bkng_Dave> yes
02:45 < krzee> actually 4 will be fine for you
02:45 < Mtn_Bkng_Dave> im at 5 now
02:45 < krzee> thats fine
02:51 < Mtn_Bkng_Dave> http://pastebin.com/m5f057ece
02:51 < Mtn_Bkng_Dave> server config
02:51 < Mtn_Bkng_Dave> first line isnt really there
02:51 < Mtn_Bkng_Dave> didnt realize i had grabbed
02:53 < Mtn_Bkng_Dave> dang
02:53 < Mtn_Bkng_Dave> just realized it ate my ccd entry
02:53 < Mtn_Bkng_Dave> it must blow that dir away on reboot
02:55 < Mtn_Bkng_Dave> grrrrrrrrrrr im rusty at unix linux LOL
02:55 < Mtn_Bkng_Dave> been 20 years
02:55 < Mtn_Bkng_Dave> now i need my Merlin phone switch back LOL
03:08 -!- master_of_master [i=master_o@p57B53D0D.dip.t-dialin.net] has joined ##openvpn
03:15 < Mtn_Bkng_Dave> trying to figure out where the rest of the app is LOL
03:18 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
03:19 -!- master_o1_master [n=master_o@p57B56789.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
03:19 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote closed the connection]
03:20 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
03:38 -!- Dave1 [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has joined ##openvpn
03:38 -!- Dave1 is now known as dave1000
03:44 -!- Dave2000 [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has joined ##openvpn
03:45 -!- ribasushi [n=rabbit@dslb-084-063-002-197.pools.arcor-ip.net] has quit ["Leaving"]
03:46 -!- ribasushi [n=rabbit@dslb-084-063-002-197.pools.arcor-ip.net] has joined ##openvpn
03:47 < Dave2000> stupid box
03:48 < Dave2000> any work arounds for iroute krzee
03:48 < Dave2000> ?
03:48 < Dave2000> its mtn_bkng_dave
03:48 < Dave2000> lost my nick for a few
03:48 < Dave2000> LOL
03:48 < Dave2000> irc doesnt like to have the router rebooted 
03:48 < Dave2000> LOL
03:52 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has quit [Read error: 110 (Connection timed out)]
04:02 -!- dave1000 [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has quit [Read error: 110 (Connection timed out)]
04:03 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has joined ##openvpn
04:08 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has quit []
04:13 -!- Dave2000 [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has quit [Read error: 110 (Connection timed out)]
04:30 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
04:52 -!- xeviox [n=NEBAP@p54978924.dip0.t-ipconnect.de] has joined ##openvpn
04:52 < xeviox> hi guys I have a problem using windows server 2003
04:53 < xeviox> openVPN is installed and works correctly
04:53 < xeviox> but it seems I have a "routing" problem in the network
04:53 -!- kyrix [n=ashley@mail.ic-vienna.at] has joined ##openvpn
04:55 < xeviox> in the destination network are two servers (one is running the vpn server)
04:55 < xeviox> from the client I can reach the server that is running the vpn server
04:55 < xeviox> but not the other server
04:55 -!- d12fk [n=heiko@vpn.astaro.de] has joined ##openvpn
04:55 -!- CheBuzz_Home [n=CheBuzz_@88-202-45-98.ip.skylogicnet.com] has joined ##openvpn
04:55 < xeviox> from the server running the vpn server I can reach the connected client
04:55 < reiffert> http://www.secure-computing.net/wiki/index.php/Graph
04:55 < vpnHelper> Title: Graph - Secure Computing Wiki (at www.secure-computing.net)
04:56 < xeviox> reiffert: ok makes it a bit easier to explain: connection between client and server works (using vpn ips and local ones)
04:57 < xeviox> but the connection client - target doesn't work
04:57 < xeviox> so I've added a route on the target to the vpn network
04:57 < xeviox> no I see the ping requests on a network sniffer on the server
04:57 < xeviox> but they don't reach the client
04:57 < xeviox> so it seems the server doesn't deliver them correctly
04:58 < xeviox> any ideas what's wrong on the server?
04:58 < reiffert> !winipforward
04:58 < vpnHelper> reiffert: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
04:59 < CheBuzz_Home> Hello all.  I'm having a weird issue that I hope somebody can help me out with.  Openvpn is connected just fine, but I need to route all SIP through the tunnel.    I have added a static route for all traffic destined to 10.8.0.1 to go through my laptop 192.168.2.3.  I have added forward accept and masquerading rules on 2.3.  tcpdump on 2.3 shows the traffic being forwarded.  But tcpdump on the openvpn server shows no traffic arr
04:59 < CheBuzz_Home> iving.  Any ideas?
05:00 < xeviox> reiffert: thanks, but I already have set the value to one
05:00 < xeviox> reiffert: any idea how to check if ip forwarding is enabled correctly?
05:01 < reiffert> xeviox: running the network sniffer on the LAN interface of the openvpn server, do you see icmp packets as they leave?
05:02 < xeviox> reiffert: I've applied a filter with (ip.dst == 10.8.0.6 || ip.src == 10.8.06) which is the vpn clients ip. The only thing I see is the ping request from the target to the client
05:02 < reiffert> remove that filter and try with proto ICMP
05:03 -!- CheBuzz_Home [n=CheBuzz_@88-202-45-98.ip.skylogicnet.com] has quit [Read error: 54 (Connection reset by peer)]
05:03 < xeviox> kk
05:03 -!- CheBuzz_Home [n=CheBuzz_@88-202-45-98.ip.skylogicnet.com] has joined ##openvpn
05:05 < xeviox> reiffert: now I see the request from target -> client and then the response server -> target (unreachable)
05:05 < reiffert> please be precise with the response (unreachable). Try copy & paste.
05:06 < xeviox> kk
05:06 < xeviox> which entry do you need? Type / Code ...?
05:07 < reiffert> paste everything to http://pastebin.ca/
05:07 < xeviox> kk
05:10 < xeviox> reiffert: http://img705.imageshack.us/img706/6608/screentd.jpg
05:10 < xeviox> sorry text copy didn't work
05:10 < xeviox> ah sorry mistake in the link
05:11 < xeviox> reiffert: http://img705.imageshack.us/img705/6608/screentd.jpg
05:11 < xeviox> reiffer: .11 is the vpn server .12 the client
05:11 < xeviox> sry
05:11 < xeviox> .12 the target
05:12 < reiffert> I'm not sure about it, but what does netbios-ns port 137 got to do with that icmp type of message?
05:13 < reiffert> Disable the firewall on the openvpnserver, then run wireshark on the tun/tap interface with filter proto ICMP
05:13 < xeviox> k, firewall is disabled
05:15 < xeviox> doesn't show anything also with disabled filter
05:15 < reiffert> try pinging from client to target.
05:17 < xeviox> sh** I've a problem testing this scenario as the client is in the same net as the server for testing purposes
05:19 < xeviox> hmm pings to 10.8.0.1 does work but they don't show up in the network scanner
05:21 < xeviox> seems that the problem is the ipforwarding of the server right?
05:22 < xeviox> but it seems to be enabled correctly as a second article for windows server 2003 tells me to change the same registry key ..
05:23 < xeviox> any ideas for what I can look then?
05:26 < xeviox> k, now it seems to work
05:26 < xeviox> the target isn't reachable from the client
05:26 < xeviox> so we can test
05:26 < xeviox> network scanner shows the ICMP request from the client
05:26 < xeviox> but doesn't show no answer
05:27 < xeviox> ^^ sry doesn't show an answer of the target
05:28 -!- Intensity [i=[IWxENo1@unaffiliated/intensity] has quit [Remote closed the connection]
05:28 < xeviox> reiffert: but switching back to the lan network I see the answer from the target
05:29 < xeviox> "echo ping request" to the client
05:29 < xeviox> but the client doesn't receive the ping as its not send to the vpn lan
05:29 < xeviox> so, what's the problem?
05:29 < xeviox> do I have to add a route on the server?
05:31 < xeviox> any ideas?
05:31 < xeviox> or is it caused by the missing ip forwarding (which should be enabled)?
05:32 < CheBuzz_Home> Does the server know how to route back to your local net?  I would guess you need to add a route on the server
05:32 < reiffert> xeviox: Didnt follow your progress, sorry. Any news?
05:33 < xeviox> CheBuzz_Home: I don't have added a route, but pinging the servers local address works
05:33 < xeviox> reiffert: yes the client ping to the target reaches, but the answer from the target is only visible on the local net of the server, not the vpn adapter
05:34 < reiffert> xeviox: forwarding seems to work then?
05:35 < xeviox> reiffert: from the client to the target yes, but not the other way round
05:35 < xeviox> so client can reach target but target can't reach the client
05:36 < xeviox> sorry guys, have to leave for half an hour
05:36 < xeviox> be back in a few minutes
05:36 -!- xeviox [n=NEBAP@p54978924.dip0.t-ipconnect.de] has quit ["Nettalk6 - www.ntalk.de"]
05:42 < CheBuzz_Home> Anybody know how I can use the vpn tunnel on my laptop from another machine on the laptop's local network?
06:01 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
06:09 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:21 -!- DarkAnt [n=DarkAnt@c-24-63-224-114.hsd1.ma.comcast.net] has joined ##openvpn
06:23 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:26 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
06:28 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: Optic, rawDawg, CaBa, d12fk, jmm, hyper_ch, freaky[t], bytesaber_, sigius, Section58,  (+1 more, use /NETSPLIT to show all of them)
06:30 -!- Netsplit over, joins: reiffert, d12fk, rawDawg, freaky[t], bytesaber_, CaBa, Optic, jmm, sigius, Section58
06:30 -!- jmm [n=jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Read error: 104 (Connection reset by peer)]
06:31 -!- hyper_ch [n=hyper_ch@91.121.147.34] has joined ##openvpn
06:31 < ecrist> good morning
06:32 < havoc> morning
06:36 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: noooon, cybertron, krzie, oc80z, dazo_afk, tarbo2_, Lyndon, ^scott^, stein0_, julius,  (+52 more, use /NETSPLIT to show all of them)
06:44 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
06:44 -!- linucks [n=linucks@loft4610.serverloft.com] has joined ##openvpn
06:44 -!- crazygir [n=jason@unaffiliated/crazygir] has joined ##openvpn
06:44 -!- stein0_ [n=stein@mail.vgnett.no] has joined ##openvpn
06:44 -!- CheBuzz_Home [n=CheBuzz_@88-202-45-98.ip.skylogicnet.com] has joined ##openvpn
06:44 -!- endre [i=me2@urbnet.hu] has joined ##openvpn
06:44 -!- julius [n=julius@217.20.127.15] has joined ##openvpn
06:44 -!- Bushmills [n=nnnBushm@verhau.de] has joined ##openvpn
06:44 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
06:44 -!- ServerMode/##openvpn [+o mattock] by irc.freenode.net
06:45 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
06:45 -!- jmm [n=jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
06:45 -!- hyper_ch [n=hyper_ch@91.121.147.34] has joined ##openvpn
06:45 -!- d12fk [n=heiko@vpn.astaro.de] has joined ##openvpn
06:45 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
06:45 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn
06:45 -!- bytesaber_ [n=bytesabe@208-98-188-95.directcom.com] has joined ##openvpn
06:45 -!- CaBa [i=caba@unique-inter.net] has joined ##openvpn
06:45 -!- Optic [n=Optic@miso.capybara.org] has joined ##openvpn
06:45 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
06:45 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
06:45 -!- Section58 [n=steve@ipt0-2.core.bsd.uk.phib3r.net] has joined ##openvpn
06:46 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn
06:46 -!- DarkAnt [n=DarkAnt@c-24-63-224-114.hsd1.ma.comcast.net] has joined ##openvpn
06:46 -!- kyrix [n=ashley@mail.ic-vienna.at] has joined ##openvpn
06:46 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
06:46 -!- master_of_master [i=master_o@p57B53D0D.dip.t-dialin.net] has joined ##openvpn
06:46 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:46 -!- ScriptFanix [i=vincent@Tuluk.riquer.fr] has joined ##openvpn
06:46 -!- sno [n=sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn
06:46 -!- Holister [n=ryan@151.204.189.39] has joined ##openvpn
06:46 -!- poningru [n=poningru@dsl093-236-026.hfd1.dsl.speakeasy.net] has joined ##openvpn
06:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:46 -!- ribasushi [n=rabbit@dslb-084-063-002-197.pools.arcor-ip.net] has joined ##openvpn
06:46 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
06:46 -!- saftsack_ [n=oliver@p579DCBAF.dip.t-dialin.net] has joined ##openvpn
06:46 -!- tjz [n=tjz@unaffiliated/tjz] has joined ##openvpn
06:46 -!- berniv6 [n=berni@2001:1b10:1000:0:0:0:26c3:1] has joined ##openvpn
06:46 -!- ^scott^ [n=scott@stthom.org] has joined ##openvpn
06:46 -!- Lyndon [n=late@savolaiset.fi] has joined ##openvpn
06:46 -!- _dren [i=dren@dereferenced.nullpointer.net] has joined ##openvpn
06:46 -!- agagag [n=anton@ataraxia.bek.no] has joined ##openvpn
06:46 -!- tompaw [n=tompaw@91.121.184.63] has joined ##openvpn
06:46 -!- plundra [i=404@article.se] has joined ##openvpn
06:46 -!- krzie [n=krzee@unaffiliated/krzee] has joined ##openvpn
06:46 -!- LobbyZ [n=default@main.lobbyzffs.com] has joined ##openvpn
06:46 -!- Gnewt [n=hackerle@li57-94.members.linode.com] has joined ##openvpn
06:46 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
06:46 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
06:46 -!- mintaka [n=kosmic@thefuckin.net] has joined ##openvpn
06:46 -!- Zordrak [n=jaz@87-194-141-163.bethere.co.uk] has joined ##openvpn
06:46 -!- zamba [i=marius@flage.org] has joined ##openvpn
06:46 -!- rob0 [n=rob0@tuxaloosa.org] has joined ##openvpn
06:46 -!- cybertron [n=cybertro@84.200.248.176] has joined ##openvpn
06:46 -!- kisom [n=kisom@c-9fdce155.648-1-64736c11.cust.bredbandsbolaget.se] has joined ##openvpn
06:46 -!- dazo_afk [n=dazo@nat/redhat/x-lshoztazovndqxix] has joined ##openvpn
06:46 -!- cron2 [n=gert@blue.greenie.muc.de] has joined ##openvpn
06:46 -!- havoc [n=havoc@saturn.chaillet.net] has joined ##openvpn
06:46 -!- Nappy [n=nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
06:46 -!- noooon [n=var@vps-1005590-1468.united-hoster.de] has joined ##openvpn
06:46 -!- redfox [n=redfox2@91.121.78.62] has joined ##openvpn
06:46 -!- oc80z [n=oc80z@74.63.222.147] has joined ##openvpn
06:46 -!- disco- [i=disco@andromeda.h4xed.com] has joined ##openvpn
06:46 -!- tarbo2_ [n=me@unaffiliated/tarbo] has joined ##openvpn
06:46 -!- ServerMode/##openvpn [+v Kas] by irc.freenode.net
06:49 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: Optic, rawDawg, CaBa, d12fk, jmm, hyper_ch, bytesaber_, freaky[t], rawDawg2, sigius,  (+2 more, use /NETSPLIT to show all of them)
06:50 -!- Netsplit over, joins: reiffert, d12fk, rawDawg2, jmm, hyper_ch, freaky[t], bytesaber_, CaBa, Optic, sigius (+1 more)
06:52 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: @mattock, linucks, crazygir, CheBuzz_Home, stein0_
06:53 -!- Netsplit over, joins: CheBuzz_Home
06:53 -!- Netsplit over, joins: @mattock, stein0_, crazygir
06:54 -!- Netsplit over, joins: linucks
06:54 -!- crazygir [n=jason@unaffiliated/crazygir] has quit [SendQ exceeded]
06:55 -!- crazygir [n=jason@li14-82.members.linode.com] has joined ##openvpn
06:56 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: master_of_master, kyrix, sno, DarkAnt, Holister, Rolybrau, dunc, ScriptFanix, poningru
06:58 -!- Netsplit over, joins: Rolybrau, DarkAnt, kyrix, dunc, master_of_master, ScriptFanix, sno, Holister, poningru
06:58 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 104 (Connection reset by peer)]
06:58 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
06:58 -!- mode/##openvpn [+v Kas] by ChanServ
06:59 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:59 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
07:00 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 104 (Connection reset by peer)]
07:00 < CheBuzz_Home> Anybody know how I can use the vpn tunnel on my laptop from another machine on the laptop's local network?
07:00 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:05 < ecrist> routing
07:05 < ecrist> !route
07:05 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:08 -!- Kasx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
07:08 -!- mode/##openvpn [+v Kasx] by ChanServ
07:09 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
07:10 -!- xeviox [n=NEBAP@dslb-088-064-017-200.pools.arcor-ip.net] has joined ##openvpn
07:11 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: Optic, CaBa, linucks, d12fk, +Kas, jmm, hyper_ch, bytesaber_, freaky[t], rawDawg2,  (+3 more, use /NETSPLIT to show all of them)
07:11 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Client Quit]
07:12 -!- Netsplit over, joins: jmm
07:13 < xeviox> re
07:13 -!- Netsplit over, joins: CaBa
07:13 < xeviox> so back with still the same problem
07:14 < xeviox> but from the remote point now ..
07:14 -!- Netsplit over, joins: reiffert, d12fk, +Kas, linucks, rawDawg2, hyper_ch, freaky[t], bytesaber_, Optic, sigius (+1 more)
07:14 < xeviox> any ideas what the problem can be?
07:14 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Read error: 104 (Connection reset by peer)]
07:14 -!- hyper_ch [n=hyper_ch@91.121.147.34] has quit [Read error: 104 (Connection reset by peer)]
07:14 -!- d12fk [n=heiko@vpn.astaro.de] has quit [Read error: 104 (Connection reset by peer)]
07:14 -!- hyper_ch [n=hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
07:14 -!- d12fk [n=heiko@vpn.astaro.de] has joined ##openvpn
07:15 < xeviox> client -> server works (vpn and local ip)
07:15 < xeviox> client -> target (only works in this direction)
07:15 < xeviox> target responses to the client (I can see that on the server)
07:16 < xeviox> but the server doesn't deliver the package back to the client
07:16 -!- Intensity [i=[av++EeF@unaffiliated/intensity] has joined ##openvpn
07:16 < xeviox> any ideas?
07:16 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: @mattock, crazygir, stein0_
07:17 -!- Netsplit over, joins: @mattock, crazygir, stein0_
07:17 -!- CheBuzz_Home [n=CheBuzz_@88-202-45-98.ip.skylogicnet.com] has quit [Read error: 54 (Connection reset by peer)]
07:17 -!- crazygir [n=jason@li14-82.members.linode.com] has quit [SendQ exceeded]
07:17 -!- reiffert [n=thomas@88.198.83.82] has joined ##openvpn
07:17 < xeviox> reiffert: hey
07:17 -!- CheBuzz_Home [n=CheBuzz_@88-202-45-98.ip.skylogicnet.com] has joined ##openvpn
07:17 < xeviox> \o
07:18 < xeviox> reiffert: any idea what can cause the problem?
07:18 -!- crazygir [n=jason@li14-82.members.linode.com] has joined ##openvpn
07:20 -!- CheBuzz_Home [n=CheBuzz_@88-202-45-98.ip.skylogicnet.com] has quit [Read error: 54 (Connection reset by peer)]
07:20 -!- CheBuzz_Home [n=CheBuzz_@88-202-45-98.ip.skylogicnet.com] has joined ##openvpn
07:20 < xeviox> reiffert: client ---> server ---> target (works) but client <-X- server <--- target (breaks on the server)
07:21 < xeviox> is this a hint on ip forwarding, or does it work because of the working connection from client to target?
07:22 < jmm> !firewall
07:22 < vpnHelper> jmm: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
07:22 < xeviox> jmm: the firewall is disabled on all three peers
07:23 < reiffert> xeviox: I have no idea. Try again when your openvpn client is not part of your openvpn server LAN>
07:23 < jmm> can you use tcpdump on the 3 hosts, to see exactly what's going on ? you may need nat or something to get it to works.
07:23 < xeviox> running a network scanner I can see the packets arrive on the server and then go out to the target, but the other direction the packets arrive on the server but don't go out to the client ..
07:23 < reiffert> jmm: he's on windows. wireshark works though.
07:23 < xeviox> reiffert: now I'm on the same lan
07:24 < reiffert> jmm: he's about to use routing instead of nat.
07:24 < xeviox> this are the routes I've added:
07:24 < jmm> oh allright.
07:24 < reiffert> xeviox: change that please, e.g. use an UMTS Stick on your openvpn client.
07:24 < xeviox> reiffert: I did, the client isn't in the local lan anymore
07:25 < xeviox> 1 Route on the target to use the server as router for 10.8.0.x
07:25 < reiffert> xeviox: great. what about the firewall on your openvpn server?
07:25 < reiffert> xeviox: regarding the routes:
07:25 < reiffert> xeviox: paste the routes of openvpn client, server, target and LAN-gateway to pastebin.ca
07:26 < xeviox> reiffert: the openvpn servers firewall is disabled
07:26 < xeviox> k
07:26 < reiffert> xeviox: would you do me a favour and stop typing k or kk after every sentence, thank you.
07:26 < reiffert> 'kkk'
07:26 < xeviox> sorry, will stop that
07:27 < jmm> kk sound like shit in french. it's funny;
07:27 < reiffert> kk sounds like merde?
07:27 < jmm> kk sound like caca
07:27 < jmm> :)
07:27 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Connection timed out]
07:27 < reiffert> I read it as kay kay
07:28 < jmm> you're not a funny guy !
07:28 < reiffert> sniff
07:29 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 110 (Connection timed out)]
07:29 < xeviox> ^^
07:29 < xeviox> here are the routes: http://pastebin.ca/1758876
07:29 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: noooon, cybertron, krzie, oc80z, dazo_afk, tarbo2_, Lyndon, ^scott^, stein0_, julius,  (+52 more, use /NETSPLIT to show all of them)
07:29 < xeviox> I've added another route in the router but that seems not to be needed for now (as I've added the route directly on the target)
07:32 -!- xeviox [n=NEBAP@dslb-088-064-017-200.pools.arcor-ip.net] has quit ["Nettalk6 - www.ntalk.de"]
07:43 -!- Netsplit over, joins: mattock
07:43 -!- xeviox2 [n=NEBAP@dslb-088-064-017-200.pools.arcor-ip.net] has joined ##openvpn
07:43 -!- Netsplit over, joins: d12fk, Rolybrau, stein0_, Section58, sigius, Optic, bytesaber_, freaky[t], linucks, hyper_ch (+12 more)
07:43 -!- DarkAnt_ [n=DarkAnt@c-24-63-224-114.hsd1.ma.comcast.net] has joined ##openvpn
07:43 -!- Netsplit over, joins: berniv6, reiffert, cpm, CheBuzz_Home, crazygir, Intensity, CaBa, jmm, +Kasx, krphop (+13 more)
07:43 -!- ServerMode/##openvpn [+ov mattock Kasx] by irc.freenode.net
07:43 -!- Netsplit over, joins: cron2, dazo_afk, mintaka, mrnice1, Zordrak, zamba, rob0, cybertron, kisom, havoc (+6 more)
07:43 -!- xeviox2 is now known as xeviox
07:43 < reiffert> xeviox: while being there, ipconfig /all from all participants.
07:51 -!- DarkAnt [n=DarkAnt@c-24-63-224-114.hsd1.ma.comcast.net] has quit [Read error: 110 (Connection timed out)]
07:51 -!- DarkAnt_ is now known as DarkAnt
07:57 < xeviox> reiffert: puh, big act ^^: http://pastebin.ca/1758915
08:00 < xeviox> hope that it will help ^^, I had to use a remote over remote desktop connection to get to this data ^^
08:00 < xeviox> very slow ..
08:00 < reiffert> xeviox: just a tip: dont use the .local domain.
08:01 < xeviox> reiffert: why? (I didn't build up that network, but I'm able to change it to a better one now ;) )
08:02 < reiffert> xeviox: remove the 10.8.0.0 route on target and add a static route to your LAN's gateway for this.
08:03 < xeviox> I've done that, but because I wasn't sure if the LAN gateway will handle it correctly I added the route on the target for testing ..
08:06 < xeviox> do you think the ip forwarding is working properly?
08:11 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:11 < reiffert> think so, yes.
08:11 < reiffert> at least in one direction.
08:12 < reiffert> so what keeps it from working in the other direction might be a firewall.
08:12 < reiffert> xeviox: http://en.wikipedia.org/wiki/.local
08:12 < vpnHelper> Title: .local - Wikipedia, the free encyclopedia (at en.wikipedia.org)
08:13 < reiffert> http://technet.microsoft.com/en-us/library/cc708159%28WS.10%29.aspx
08:13 < vpnHelper> Title: Internal Domain Information (OEM) (at technet.microsoft.com)
08:13 < reiffert> "it is recommended that you do not use the .local l"
08:14 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
08:15 < xeviox> reiffert: the firewall is disabled on all 3 pcs (server, client and target)
08:18 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit ["Leaving."]
08:19 < xeviox> reiffert: if the LAN's gateway (which is a firewall) blocks the response, I should be able to see the response on the vpn adapter of the server, right?
08:21 < reiffert> no.
08:21 < xeviox> no? why not?
08:22 < reiffert> you already gave the answer in your question.
08:22 < xeviox> but the sniffer runs on the server
08:22 < xeviox> so let me visualize me thought:
08:24 < ecrist> pants on the ground.
08:27 < ecrist> reiffert: did you ever get graphviz working the way you wanted?
08:28 < reiffert> ecrist: It requires digging into the docs, but yeah.
08:29 < ecrist> great
08:30 -!- CheBuzz_Home [n=CheBuzz_@88-202-45-98.ip.skylogicnet.com] has left ##openvpn ["Leaving"]
08:41 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has joined ##openvpn
08:41 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has left ##openvpn []
08:42 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has joined ##openvpn
08:42 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has left ##openvpn []
08:42 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has joined ##openvpn
08:43 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has quit []
08:43 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has joined ##openvpn
08:44 < Mtn_Bkng_Dave> anybody here familiar with linksys wrt54gl?
08:44 < ecrist> sure, depends on what you're doing with it
08:44 -!- Intensity [i=[av++EeF@unaffiliated/intensity] has quit [Remote closed the connection]
08:44 -!- APTX [n=APTX@phpBB/developer/APTX] has quit [Read error: 60 (Operation timed out)]
08:44 -!- APTX [n=APTX@chello089076052083.chello.pl] has joined ##openvpn
08:45 < Mtn_Bkng_Dave> trying to write a client1 file for an iroute statement
08:45 < hyper_ch> the 54gls are nice :)
08:45 < hyper_ch> what firmware do you have on it?
08:45 < reiffert> the lurker got plenty of those 54gl's but in unwilling to help.
08:45 < Mtn_Bkng_Dave> dd-wrt
08:45 < Mtn_Bkng_Dave> lol
08:45 < Mtn_Bkng_Dave> thanks as usual reif
08:45 < reiffert> s,in,is,
08:45 < Mtn_Bkng_Dave> LOL
08:46 < Mtn_Bkng_Dave> cant get it to commit to nvram
08:46 < Mtn_Bkng_Dave> keep losing it on reboot
08:46 < hyper_ch> don't reboot :)
08:46 < Mtn_Bkng_Dave> hadnt thought of that one hyper LOL
08:46 < reiffert> Mtn_Bkng_Dave: using nvram is depreceated IIRC.
08:46 < ecrist> Mtn_Bkng_Dave: I would suggest a channel dedicated to that platform.
08:47 < Mtn_Bkng_Dave> they are all asleep
08:47 < hyper_ch> it's somewhat wasteful to sleep 1/3 of your life
08:47 < Mtn_Bkng_Dave> i agree
08:47 < Mtn_Bkng_Dave> my gf doesnt think so
08:48 < Mtn_Bkng_Dave> "ARE YOU COMING TO BED?" LOL
08:49 < Mtn_Bkng_Dave> can i pm you ecrist?
08:50 < Mtn_Bkng_Dave> or anybody that may point me the right direction
08:50 < hyper_ch> I doubt there is private tech support on freenode
08:51 < Mtn_Bkng_Dave> ok guess i will wait for somebody to wake up in #dd-wrt
08:51 < ecrist> Mtn_Bkng_Dave: I suggest the platform channel as I don't think anyone here can help you.
08:51  * hyper_ch prefers tomato over dd
08:51 < Mtn_Bkng_Dave> really?
08:51 < ecrist> also, while you're issue impacts your openvpn install, you problem isn't with openvpn, so it is off-topic.
08:51 < Mtn_Bkng_Dave> havent tried it hyper
08:53 -!- thrope [n=thrope@cpe-069-134-225-204.nc.res.rr.com] has joined ##openvpn
08:53 < thrope> hi - im trying to convert a connection i have in viscosity ( a mac front end) to a standard config file
08:54 < thrope> the only setting im not sure of is the send all traffic over vpn box which has default gateway specified (10.8.0.1) - the other end of the tunnel - how do I put that in the vpn file?
08:54 < thrope> *config
08:54 < thrope> !welcome
08:54 < vpnHelper> thrope: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:56 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has quit []
08:57 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has joined ##openvpn
09:00 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has quit [Client Quit]
09:02 -!- thrope [n=thrope@cpe-069-134-225-204.nc.res.rr.com] has quit [Remote closed the connection]
09:03 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has joined ##openvpn
09:10 < reiffert> !winipforward
09:10 < vpnHelper> reiffert: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
09:11 < reiffert> !factoids search forward
09:11 < vpnHelper> reiffert: 'winipforward', 'linipforward', 'ipforward', and 'fbsdipforward'
09:11 < reiffert> !ipforward
09:11 < vpnHelper> reiffert: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
09:12 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has quit []
09:13 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has joined ##openvpn
09:19 -!- thrope [n=thrope@cpe-069-134-225-204.nc.res.rr.com] has joined ##openvpn
09:19 < thrope> hi - how do i add a default route through the tunnel in the client config?
09:19 < thrope> ive been using viscosity but not sure what the config file setting is
09:20 < reiffert> thrope: read this:
09:20 < reiffert> !def1
09:20 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
09:21 < reiffert> redirect-gateway def1
09:21 < reiffert> put that in client.conf and you are done
09:21 < thrope> ok - i dont need to put the ip of the other end of the tunnel? (it is a setting in the gui which is why i was confused)
09:22 < reiffert> 16:21 < reiffert> put that in client.conf and you are done
09:25 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
09:25 < thrope> thing is on the viscosity client it doesnt work properly with just the box ticked (which corresponds to def1) - I also have to put in the ip ...
09:25 < thrope> maybe thats mac specific though
09:26 < thrope> !man
09:26 < vpnHelper> thrope: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
09:26 < reiffert> thrope: you are about to leave visco, arent you?
09:27 < thrope> well i use it on the mac where its working but trying to copy the setup to another platform now
09:35 -!- Intensity [i=[TwgZSVb@unaffiliated/intensity] has joined ##openvpn
09:39 -!- Dave1965 [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has joined ##openvpn
09:42 -!- xeviox [n=NEBAP@dslb-088-064-017-200.pools.arcor-ip.net] has quit ["Nettalk6 - www.ntalk.de"]
09:46 -!- Dave1965 [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
09:46 -!- Dave1965 [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has joined ##openvpn
09:47 -!- Dave1965 [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has quit [Client Quit]
09:54 -!- pa_ [n=pa@host201-21-dynamic.61-82-r.retail.telecomitalia.it] has joined ##openvpn
09:57 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has quit [Read error: 113 (No route to host)]
09:58 -!- pa_ [n=pa@host201-21-dynamic.61-82-r.retail.telecomitalia.it] has quit [Client Quit]
09:58 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
10:03 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
10:04 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
10:07 < thrope> I am having this problem with using secret http://openvpn.net/archive/openvpn-users/2004-09/msg00093.html
10:07 < vpnHelper> Title: Re: [Openvpn-users] Options error: specify only one of --tls-server, --tls-client, or --secret (at openvpn.net)
10:07 < thrope> how do i specify point-to-pont tunnel?
10:07 < thrope> (ie old server mode)
10:13 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
10:24 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:28 -!- kyrix [n=ashley@mail.ic-vienna.at] has quit ["Leaving"]
10:32 -!- APTX [n=APTX@phpBB/developer/APTX] has quit [Remote closed the connection]
10:35 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has quit ["This computer has gone to sleep"]
10:35 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
10:35 -!- thrope [n=thrope@cpe-069-134-225-204.nc.res.rr.com] has quit []
10:36 -!- APTX [n=APTX@chello089076052083.chello.pl] has joined ##openvpn
10:37 -!- Diffen [n=diffen2@c-ef75e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit ["This computer has gone to sleep"]
10:56 -!- hackeron [n=hackeron@cpc3-seve19-2-0-cust263.13-3.cable.virginmedia.com] has joined ##openvpn
10:57 < hackeron> hey, I have a few clients connected to my openvpn - how do I get a list of who's connected?
10:57 < rob0> did you enable the management interface?
10:58 < hackeron> hmm, yes? no? maybe?
10:58 < rob0> ah.
10:58 < hackeron> is there no openvpn --list-connected or something?
10:59 < havoc>  /etc/openvpn/openvpn-status.log ?
10:59 < rob0> How would you tell it to ask a specific running instance of openvpn? Did you find that in the man page?
10:59 < havoc> hackeron: the --status directive in your config
11:00 < hackeron> rob0: /var/spool/openvpn/0 or something?
11:00 < hackeron> havoc: I see, thanks
11:01 < havoc> np
11:01 < jmm> hackeron: with the management interface, you can use 'status' command to see clients connected too .
11:02 < jmm> oh rob0 said it already.
11:02  * jmm go back to home 
11:02 < havoc> isn't the mgmt iface via telnet?
11:02 < jmm> yea telnet works on it.
11:04 < hackeron> ok, thanks, I'll check out the management interface
11:04 -!- chilicuil [n=sistemas@189.144.244.131] has joined ##openvpn
11:19 -!- bytesaber_ [n=bytesabe@208-98-188-95.directcom.com] has quit [Client Quit]
11:20 -!- bytesaber_ [n=bytesabe@208-98-188-95.directcom.com] has joined ##openvpn
11:21 -!- bytesaber_ [n=bytesabe@208-98-188-95.directcom.com] has quit [Client Quit]
11:21 -!- kreg [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
11:23 -!- NickWebHA [n=nick@mail.webhse.com] has joined ##openvpn
11:28 -!- Diffen2 [n=diffen2@202.138.241.83.in-addr.dgcsystems.net] has joined ##openvpn
11:32 < NickWebHA> !man
11:32 < vpnHelper> NickWebHA: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
12:02 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has joined ##openvpn
12:14 -!- oliver__ [n=oliver@p579DDF0F.dip.t-dialin.net] has joined ##openvpn
12:27 -!- Mtn_Bkng_Dave [n=whome@c-24-98-78-68.hsd1.ga.comcast.net] has quit [Read error: 110 (Connection timed out)]
12:29 -!- saftsack_ [n=oliver@p579DCBAF.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
12:39 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:46 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
12:53 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)]
13:00 < reiffert> hackeron: you can enable status log and use cat/awk/grep on it for non-interactive stuff, e.g. for monitoring/
13:00 < hackeron> reiffert: yeah, that's what I ended up doing :)
13:00 < Bushmills> and sed
13:00 < Bushmills> :D
13:07 < NickWebHA> I run OpenVPN at home in a bridged configuration I have a laptop I bring from home to work. I obviously want it connecting at work but not while at home. Is there any way I can have the script not auto connect while at home while running as a service?
13:08 -!- buntfalke [n=nobody@openvpn-p1-ipv6-1033.triple-a.uni-kl.de] has joined ##openvpn
13:10 < krzee> not that i know of
13:10 < krzee> i guess if your firewall doesnt suck you could block yourself from reaching your inet ip from LAN interface
13:10 < krzee> if that doesnt break anything else you do
13:11 < Bushmills> under which circumstances is your connect script executes?
13:11 < Bushmills> executed
13:11 < krzee> moin bush/reif
13:11 < Bushmills> moiners, krzee
13:12 < Bushmills> i'm running out of rum :(
13:12 -!- Diffen [n=diffen2@c-ef75e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
13:12 < krzee> :(
13:12 < krzee> want me to see bout shipping some out?
13:12 < krzee> or can you get good island rum out there?
13:12 < Bushmills> oh thanks, not really. i use the "rotgut" brand, just or tea an toddies 
13:13 -!- bandini [n=bandini@host101-111-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn
13:13 < Bushmills> for
13:13 < krzee> i have like 7 bottles of different rum
13:13 < NickWebHA> Speaking of shipping things out a co-worker has a buddy who lives in Bermuda. The guy has to pay $1,200 for an iPhone after import taxes. 
13:13 < Bushmills> yours would be a waste on me
13:14 < krzee> ya import taxes are a bitch if you cant get around them
13:14 < krzee> lol
13:14 < krzee> some things i can some things not
13:14 < Bushmills> import it in pieces, as parts? 
13:15 < krzee> thats 1 good way
13:15 < Bushmills> or purportedly for material reclaiming
13:15 < krzee> another is have someone bring it on plane when someone i know is coming
13:16 < NickWebHA> That is a good one.
13:17 < NickWebHA> Last time I was in Bermuda all I did was sleep outside and scuba dive. I miss that water.
13:18 < krzee> man i havnt done any scuba in over a yr, i need to go do that
13:18 < krzee> tip: never scuba near hurricane season, it brings in all the jellyfish
13:18 < NickWebHA> Good to know.
13:19 < NickWebHA> I got my PADI certs back when they still had an open-water cert.
13:19 < krzee> ya, sucks to find out the hard way
13:19 < krzee> i got stung all over before i could even see them
13:19 < NickWebHA> I have been certified since I was 14 (I think). I got certified in the East River (New York).
13:20 < krzee> i got certified as a youngster too, then me and my gf broke up and we had never sent in the certificates
13:20 < NickWebHA> OK, now I miss diving. Who wants to put me up for a week?
13:20 < krzee> so ive been certified, but dont have a license
13:20 < krzee> luckily where i live nobody gives a shit as long as i have $ and seem to know what im doing, lol
13:20 < NickWebHA> In my experience any place outside of the US they do not care to see the certs as long as you hand over the money before hand.
13:21 < NickWebHA> Speaking of certs my new OpenVPN rocks. You see the poorly-written blog post?
13:21 < NickWebHA> ^ new OpenVPN server
13:21 < krzee> neg, link?
13:22 < NickWebHA> http://blog.lifebloodnetworks.com/?p=196
13:22 < NickWebHA> A mad thanks to you, y0. Fo shizzel.
13:22 < krzee> yw
13:23 < NickWebHA> Without you I would still be banging my head against my keyboard and everyone knows my head can not take much more abuse.
13:24 < Bushmills> and keyboards can break too
13:24 < NickWebHA> That would be awful if I did not have spare.
13:25 < Bushmills> zaphod beeblebrox has
13:25 < NickWebHA> I am almost done re-reading those.
13:25 < NickWebHA> Huge pile of books to get to... man, there is not enough time in the day.
13:27 < NickWebHA> Now I have to figure out why ALSA all of a sudden can not see my sound card.
13:28 < ecrist> NickWebHA: we accept donations in the form of money, party favors, or scantily (read: none) clad women
13:28 < NickWebHA> Such a thin may be in order.
13:28 < NickWebHA> thing
13:30 < NickWebHA> You guys should apply for tax exempt status in the US so I can write it off!
13:34 < ecrist> heh
13:34 < ecrist> that may happen at some point
13:35 < NickWebHA> !welcome
13:35 < vpnHelper> NickWebHA: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:36 < NickWebHA> I remember seeing a page with donation information on it. What was it again?
13:36 < NickWebHA> !/30
13:36 < vpnHelper> NickWebHA: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
13:41 < NickWebHA> !mitm
13:41 < vpnHelper> NickWebHA: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
13:42 < NickWebHA> !wiki
13:42 < vpnHelper> NickWebHA: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
13:46 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
13:47 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
13:53 < krzee> NickWebHA, you might like this too:
13:53 < krzee> !hmac
13:53 < vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
13:53 < vpnHelper> krzee: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
13:55 < krzee> and ya i know there was a donation button somewhere too, but cant find it, ecrist would know
13:55 < ecrist> !donate
13:55 < vpnHelper> ecrist: Error: "donate" is not a valid command.
13:55 < NickWebHA> So close.
13:56 < NickWebHA> Jesse is going to be so pissed. I keep regenerating his keys on him and sending him new configurations. Well if he wants free access to my crap he will have to put up with it. :-P
13:56 < ecrist> !learn donate as send monetary donations to openvpn@secure-computing.net via paypal.  All money donated goes to staff toward development of the community wiki, forum, and this IRC channel.
13:56 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
13:56 < ecrist> doh
13:57 < krzee> !learn donate as send monetary donations to openvpn@secure-computing.net via paypal.  All money donated goes to staff toward development of the community wiki, forum, and this IRC channel.
13:57 < vpnHelper> krzee: Joo got it.
13:58 < ecrist> #2 should be, send all scantily or non-clad women of a rating above 8 to 1234 ecrist's house, Minneapolis MN USA
13:58 < krzee> hey hey, you get the $ i take the women
13:58 < krzee> lol
13:59 < NickWebHA> I do have one or two ex's who still owe me favors...
13:59 < Bushmills> then hope that nobody makes a BIG contribution
13:59 < krzee> all i have is latin women out here
13:59 < ecrist> send one to PR for krzee then.
13:59 < NickWebHA> Oh, than Rebecca is out. :-P
13:59 < krzee> lol Bushmills 
13:59 < ecrist> lol
14:00 < ecrist> we have plenty of those from WI and IA
14:00 < NickWebHA> Who managed this PayPal account?
14:00 < ecrist> why I started my ldap directory with cn instead of uid for the distinguished name is beyond me.
14:00 < ecrist> o/
14:01 < krzee> NickWebHA, ecrist does, he also hosts the forum and wiki, and is top admin for irc on chanserv
14:01 < krzee> so it makes most sense for him to have the paypal account
14:01 < ecrist> I only spend part of it on booze. heh
14:02 < ecrist> !learn donate as Contributions to this address do *NOT* directly benefit OpenVPN Technologies, Inc.
14:02 < vpnHelper> ecrist: Joo got it.
14:03 < NickWebHA> Spend it all on booze. And latin women naked Rebecca. $100 is traveling through the tubes now. See it gets to the people who helped build my OpenVPN server. :-D
14:03 < NickWebHA> ^ named
14:03 < ecrist> sweet, your contribution is appreciated.
14:03 < ecrist> who helped you?
14:04 < NickWebHA> You had a hand, krzee did a lot for me.
14:04 < krzee> hey man thats very cool of you to send that
14:04 < NickWebHA> I appreciate the help. I was pulling my hair out.
14:05 < NickWebHA> I have to go through my older logs to see who else because I spend so many nights half-sleep on this project someone could have easily slipped my mind.
14:05 < ecrist> NickWebHA: can I give you a 'credit' on a donations page, or do you want to stay anon?
14:05 < NickWebHA> Credit away.
14:07 -!- freaky[t] [i=alpha@member.team-box.net] has quit [Connection timed out]
14:07 < NickWebHA> There is this one tiny indent on the server I have my mouse on and my pointer keeps getting stuck on the screen...
14:10 -!- NickWebHA [n=nick@mail.webhse.com] has quit ["Leaving."]
14:10 -!- NickWebHA [n=nick@mail.webhse.com] has joined ##openvpn
14:10 < NickWebHA> Oops.
14:11 -!- Mtn_Bkng_Dave [n=whome@c-24-99-232-29.hsd1.ga.comcast.net] has joined ##openvpn
14:12 < Mtn_Bkng_Dave> !welcome
14:12 < vpnHelper> Mtn_Bkng_Dave: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:16 < NickWebHA> !interface
14:16 < vpnHelper> NickWebHA: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
14:24 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn
14:25 -!- Dave1965 [n=whome@c-24-99-232-29.hsd1.ga.comcast.net] has joined ##openvpn
14:27 -!- NickWebHA [n=nick@mail.webhse.com] has left ##openvpn []
14:28 -!- AndChat| [n=AndChat@153.sub-97-32-111.myvzw.com] has joined ##openvpn
14:29 < AndChat|> Sweet. IRC client for my Droid. OK, I am done flooding the channel with useless crap now.
14:29 -!- saftsack_ [n=oliver@p579DD639.dip.t-dialin.net] has joined ##openvpn
14:29 -!- AndChat| [n=AndChat@153.sub-97-32-111.myvzw.com] has quit [Client Quit]
14:30 -!- Dougy [n=me@vpn.douglashaber.com] has joined ##openvpn
14:30 -!- NickWebHA [n=nick@mail.webhse.com] has joined ##openvpn
14:32 -!- Mtn_Bkng_Dave [n=whome@c-24-99-232-29.hsd1.ga.comcast.net] has quit [Read error: 60 (Operation timed out)]
14:33 -!- Mtn_Bkng_Dave [n=whome@c-24-99-232-29.hsd1.ga.comcast.net] has joined ##openvpn
14:40 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has joined ##openvpn
14:41 -!- oliver__ [n=oliver@p579DDF0F.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
14:43 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
14:43 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
14:45 -!- Dave1965 [n=whome@c-24-99-232-29.hsd1.ga.comcast.net] has quit [Read error: 113 (No route to host)]
14:46 < krzee> ecrist, you ready to talk to the guy about the CTO position in Costa Rica?
14:46 < ecrist> yeah
14:47 < krzee> ill msg
14:47 -!- Remowylliams [n=Mare@204.180.233.74] has joined ##openvpn
14:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:50 -!- NickWebHA [n=nick@mail.webhse.com] has left ##openvpn []
14:51 < Remowylliams> errf umm is there a easy way to get my openvpn routed out of the server?
14:52 < Mtn_Bkng_Dave> !route
14:52 < vpnHelper> Mtn_Bkng_Dave: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:52 < Bushmills> the magic phrase was "routing"
14:52 < Mtn_Bkng_Dave> LOL lemme try this now
14:53 < Remowylliams> Bushmills: thanks. i didn't know if ubuntu needed something special done to forward ip packets
14:53 < Mtn_Bkng_Dave> will ubuntu run from cd like kubuntu remo?
14:55 < Dougy> ecrist: vB said no we don't cut anyone a discount good day sir
14:55 < Dougy> more or less verbatim what they told me
14:55 < ecrist> yeah, I figured.
14:55 < Dougy> they were real pricks about it
14:55 < ecrist> heh
14:55 < Dougy> not 'We can't do that at this time' but 'No we do it for nobody'
14:55 < ecrist> yeah, I figured they would be.
14:55 < ecrist> would you rather they led you on?
14:55 < ecrist> lead*
14:56 < Dougy> No, i'd rather they weren't such jackassses about it.
14:56 < Dougy> So hey, while krzee is in the vicinity
14:56 < Dougy> why did you want vB?
14:57 < ecrist> I explained it to him.  We don't *need* it, it just has some features that would be nice, like better RSS feeds.
14:57 < Dougy> ah
14:57 < Dougy> It got way more expensive then when I bought it
14:57 < Dougy> 50% price increase
14:58 < Dougy> er, doubled rather
14:58 < Dougy> however it looks like they dont do 1yr only lifetime
14:58 < Dougy> now
15:18 < krzie> 2a's i fgot it
15:18 -!- trispace [n=surfer@chello212017114137.18.11.vie.surfer.at] has joined ##openvpn
15:25 -!- Mtn_Bkng_Dave [n=whome@c-24-99-232-29.hsd1.ga.comcast.net] has quit []
15:26 < krzie> <Dougy> 50% price increase
15:26 < krzie> <Dougy> er, doubled rather
15:26 < krzie> thats 100% increase ;]
15:30 < Dougy> yeah
15:30 < Dougy> i know
15:30 < Dougy> hence the 'er'
15:46 -!- bandini [n=bandini@host101-111-dynamic.44-79-r.retail.telecomitalia.it] has quit [Read error: 104 (Connection reset by peer)]
15:47 -!- trispace [n=surfer@chello212017114137.18.11.vie.surfer.at] has quit []
16:01 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.86 [Firefox 3.5.7/20091221164558]"]
16:46 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Excess Flood]
16:47 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
16:58 -!- Mtn_Bkng_Dave [n=whome@c-24-99-232-29.hsd1.ga.comcast.net] has joined ##openvpn
17:00 < Mtn_Bkng_Dave> here krzee
17:01 < reiffert> still no success
17:01 < reiffert> ?
17:03 -!- Remowylliams [n=Mare@204.180.233.74] has left ##openvpn []
17:10 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
17:12 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:19 -!- Mtn_Bkng_Dave [n=whome@c-24-99-232-29.hsd1.ga.comcast.net] has quit []
17:26 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has quit [Read error: 110 (Connection timed out)]
17:41 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: help with OpenVPN for Ubuntu :: Reply by dustin.mann9 <http://www.ovpnforum.com/viewtopic.php?f=4&t=2402&p=2894#p2894>
18:21 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has left ##openvpn ["gone"]
18:24 -!- STF [n=chatzill@20-130.stw.uni-duisburg.de] has joined ##openvpn
18:25 < STF> hi
18:25 -!- STF [n=chatzill@20-130.stw.uni-duisburg.de] has left ##openvpn []
18:27 -!- STF [n=chatzill@20-130.stw.uni-duisburg.de] has joined ##openvpn
18:31 < STF> hi i need help to configure my openvpn-server this way, that user who be connected to it, can use the internetconnection of it. But the problem is that the server is connected to the internet over a router.
18:32 < krzie> i dont understand
18:32 < STF> what do you not understand?
18:33 < krzie> what you just said
18:33 < DarkAnt> lol
18:33 < krzie> i understand that the server is behind a router
18:33 < STF> yes
18:33 < krzie> but if you can port forward you are ok there
18:34 < STF> you mean if i make portforwarding for the right 
18:34 < STF> stop
18:35 < STF> you mean, if i make the right port forwarding for the vpnserver it should be right?
18:35 < krzie> just like you would for ANY internet servioce you run on it
18:36 < rob0> Probably have to tell the router to use a route to the VPN subnet, and to do NAT for VPN clients. Typical !route stuff, probably the most F of all openvpn FAQ's.
18:37 < krzie> that depends on his goal, which i dont understand yet
18:37 < krzie> all i know so far is that his server is behind a router, so we know he needs a NAT entry on that router to reach openvpn whatsoever
18:37 < Bushmills> my guess is he want to route his internet traffic across vpn
18:38 < krzie> yay bush is here
18:38 < STF> the situation is much more complex
18:38 < Bushmills> it's fun guessing people's intentions :D
18:38 < krzie> i think we have some lang barrier, maybe you can help him in .de?
18:38 < STF> german that would be nice
18:38 < Bushmills> "...that user who be connected to it, can use the internetconnection of it. "
18:38 < STF> yes
18:38 < Bushmills> !redirect
18:38 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:39 < Bushmills> we are all very heavy on wire
18:40 < STF> why did i not grow up with linux, i would not feel like a stupid newbie everytime ;)?
18:41 < STF> okay
18:41 < Bushmills> can't say. masochist tendencies?
18:41 < STF> ?
18:41 < STF> me?
18:41 -!- xod [n=onats@112.201.158.40] has joined ##openvpn
18:41 < Bushmills> "why did i not..."
18:41 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: help with OpenVPN for Ubuntu :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=4&t=2402&p=2895#p2895>
18:41 < krzie> Bushmills talk to him in german maybe?
18:42 < STF> i grow up with windows, and my linux knowledges are only grounded
18:43 < Bushmills> that's not an excuse. other grow up in the usa, and also don't complain.
18:43 < STF> but windows is no option if you need a system with low hardware requiresmaent
18:43 -!- ribasushi [n=rabbit@dslb-084-063-002-197.pools.arcor-ip.net] has quit [Read error: 60 (Operation timed out)]
18:43 < Bushmills> there was a time where it was the other way around
18:44 < STF> :)
18:44 < STF> okay back to the problem
18:44 < STF> okay lets make the first stop.
18:45 -!- ribasushi [n=rabbit@dslb-084-063-002-197.pools.arcor-ip.net] has joined ##openvpn
18:46 -!- saftsack_ [n=oliver@p579DD639.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
18:48 < STF> 1. When i established the connection from the client to the server, i need to redirect the question to the www through the vpn, (i think i can managed it with the routtables)     2. I have to say the my Server(Debian) to redirect the questions to the vpnserver over nat and portforwarding to the router ---- have i get it right?
18:50 < Bushmills> do you redirect all you traffic, or specific traffic only?
18:50 < Bushmills> want to ...
18:50 < STF> i want to specific the traffic
18:50 < Bushmills> hm. not that easy.  only web traffic?
18:50 < STF> for example only http and ftp
18:51 < STF> http is important
18:51 < Bushmills> easiest may be to use a proxy
18:51 < STF> most important
18:51 < Bushmills> tell clients to use proxy on vpn server
18:53 < STF> you mean i am established a vpn connection between client and server, and on the client i enter the vpn server adress as a proxy adress in the browser, or do i need to establish a simple proxy server?
18:53 < Bushmills> almost right. still missing to install a web proxy on vpn server
18:53 -!- saftsack [n=oliver@p579DD639.dip.t-dialin.net] has joined ##openvpn
18:53 < STF> :D
18:54 < STF> oh man, i am happy to be and talk to you, have completly forgett to combine vpn an proxy
18:55 < Bushmills> easiest solution i could think of
18:56 < STF> ive i think longer about it, i am right with you
18:57 < STF> if i think ( my english is bad as well as my linux knowledge ;)
18:58 < Bushmills> squid  is a popular proxy
19:01 < STF> squid i know it, but i don't get it configured, because every example configuration didn't give me an answer me, how to configure it, when you are behind a router.
19:02 < Bushmills> you aren't - openvpn tunnels it
19:02 < krzie> or if you want certain programs, ports, addresses in combination:
19:02 < krzie> !routebyapp
19:02 < vpnHelper> krzie: "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
19:03 < Bushmills> for your client, it will loop as if your machine with squid server sits on the same network. router will be transparent.
19:03 < Bushmills> look
19:03 < Bushmills> and server, where you'll install squid, is probably directly connected to internet
19:05 < STF> no
19:05 < STF> that is the problem
19:05 < krzie> there is no special configuration for being behind a router
19:06 < krzie> you just forward the port
19:06 < krzie> like with ANY internet service you can run
19:08 < STF> how can i make a portforward? this something i am not sure that i will ever keep it in mind
19:09 < krzie> !google forward port router
19:09 < vpnHelper> krzie: PortForward.com - Port Forwarding Guides Listed by Manufacturer ...: <http://portforward.com/>; What is Port Forwarding - PortForward.com - Free Help Setting up ...: <http://portforward.com/help/portforwarding.htm>; WWW FAQs: How do I set up my router to forward ports from the ...: <http://www.boutell.com/newfaq/creating/forwardports.html>
19:12 < STF> !google stupid guide iptables
19:12 < vpnHelper> STF: [ubuntu] IPTables MAC Filtering for ICS - Ubuntu Forums: <http://ubuntuforums.org/showthread.php?t=1343597>; Debian User Forums • View topic - HOWTO: iptables (part one of three): <http://forums.debian.net/viewtopic.php?f=16&t=16166&start=15>; Bandwidth Limiting HOWTO: <http://www.faqs.org/docs/Linux-HOWTO/Bandwidth-Limiting-HOWTO.html>
19:12 < STF> i am shortly away
19:13 < Bushmills> !google iptables for dummies
19:13 < vpnHelper> Bushmills: Best book or tutorial for iptables: <http://linux.derkeiler.com/Mailing-Lists/Fedora/2007-09/msg01446.html>; iptables for dummies » Communications From Elsewhere » Blog Archive: <http://www.elsewhere.org/journal/archives/2005/01/09/iptables-for-dummies/>; Iptables: <http://lists.netfilter.org/pipermail/netfilter/2004-September/056288.html>
19:14 < krzie> hell if its iptables the openvpn manual has the port forward rule for openvpn
19:14 < krzie> small change for anything else
19:14 < krzie> oh actually that may not be for a rule on the router
19:15 < Bushmills> hehe... warranty on rechargables:  "We guarantee that we will repair or replace, at our option, any device damaged by these Soshine Ni-MH rechargeable batteries. Guarantee void if batteries are charged by user or device" 
19:17 < krzie> hahaha
19:17 < Bushmills> get some and throw them (uncharged of course) into your computer screen when you need a replacement :)
19:24 < STF> LOL
19:24 < STF> Back in action
19:28 < ecrist> you're missing a 'U' at the end of your name
19:28 < krzie> lol
19:28 < krzie> that would be a good name for a banhammer bot
19:29 < ecrist> vpnHelper changed nick to STFU.  krzee was subsequently kicked the F out.
19:29 < vpnHelper> ecrist: Error: "changed" is not a valid command.
19:29 < ecrist> lol
19:30  * ecrist goes back to hanging with JD
19:30 < krzie> jack daniels?
19:30 < ecrist> aye
19:35 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: julius, endre, stein0_, APTX, Bushmills
19:36 -!- Netsplit over, joins: APTX, stein0_, Bushmills, julius, endre
19:39 -!- ribasushi [n=rabbit@dslb-084-063-002-197.pools.arcor-ip.net] has quit [Read error: 60 (Operation timed out)]
19:39 -!- ribasushi [n=rabbit@dslb-084-063-002-197.pools.arcor-ip.net] has joined ##openvpn
19:42 -!- Kaspx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
19:42 -!- mode/##openvpn [+v Kaspx] by ChanServ
19:46 -!- openvpn2009 [n=email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 60 (Operation timed out)]
19:47 -!- blueshoes [n=blueshoe@pdpc/supporter/student/blueshoes] has joined ##openvpn
19:49 -!- openvpn2009 [n=email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
19:50 -!- mode/##openvpn [+v openvpn2009] by ChanServ
19:50 -!- openvpn2009 [n=email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has left ##openvpn []
19:50 -!- openvpn2009 [n=email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
19:50 -!- mode/##openvpn [+o openvpn2009] by ChanServ
19:50 -!- Dougy [n=me@vpn.douglashaber.com] has quit []
20:00 -!- xod is now known as onats
20:00 -!- Kasx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 110 (Connection timed out)]
20:13 -!- kisom [n=kisom@c-9fdce155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Read error: 60 (Operation timed out)]
20:36 -!- kisom [n=kisom@c-9fdce155.648-1-64736c11.cust.bredbandsbolaget.se] has joined ##openvpn
20:50 -!- Diffen2 [n=diffen2@202.138.241.83.in-addr.dgcsystems.net] has quit ["This computer has gone to sleep"]
21:04 < DarkAnt> ok, so I have openvpn running and I put a little http server on my little intranet
21:04 < DarkAnt> I'd like to have some form of dns
21:04 < DarkAnt> what are my options (assuming the server is a linux box and I have windows and linux clients)
21:05 < DarkAnt> I was going to set up a dns + dhcp server, but openvpn kinda does that stuff in some manner or another
21:05 < DarkAnt> but I'd just like a client to be able to type http://client2 and get a webpage
21:25 < DarkAnt> I dunno, I'm kinda lost
21:35 < krzie> depends on size of intranet
21:36 < krzie> ypou can use host files, a dns server, wins, whatever you want
21:36 < krzie> theres no openvpn way, its just standard networking
21:48 < STF> hi DarkAnt i think you need to use !BIND
21:48 < STF> !BIND
21:48 < vpnHelper> STF: Error: "BIND" is not a valid command.
21:48 < STF> !google BIND wikipedia
21:48 < vpnHelper> STF: BIND - Wikipedia, the free encyclopedia: <http://en.wikipedia.org/wiki/BIND>; The Ties that Bind - Wikipedia - The OC link - Fanpop: <http://www.fanpop.com/spots/the-oc/links/6340101/title/ties-bind-wikipedia>; Double bind - Wikipedia, the free encyclopedia on Flickr - Photo ...: <http://www.flickr.com/photos/caseorganic/3295620357/>
21:56 < STF> !iptables-saves
21:56 < vpnHelper> STF: Error: "iptables-saves" is not a valid command.
21:56 < STF> !iptables-save
21:56 < vpnHelper> STF: Error: "iptables-save" is not a valid command.
22:03 -!- blueshoes [n=blueshoe@pdpc/supporter/student/blueshoes] has quit ["brb"]
22:12 < vpnHelper> New forum entry openvpnforum: Installation Help :: Re: OpenVPN on Windows XP - Cant install TAP-Win32 device driver :: Reply ... <http://www.ovpnforum.com/viewtopic.php?f=5&t=2483&p=2893#p2893>
22:31 -!- ellick [i=Hello@cpe-24-58-22-141.twcny.res.rr.com] has joined ##openvpn
22:31 < ellick> !welcome
22:31 < vpnHelper> ellick: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
22:32 < ellick> can anyone tell me is there something special I need to do to get irc to connect while using the vpn?  vpn works fine but irc won't connect through it
22:36 -!- ellick [i=Hello@cpe-24-58-22-141.twcny.res.rr.com] has quit []
22:46 -!- Lilarcor [n=Lilarcor@ip70-187-168-252.oc.oc.cox.net] has joined ##openvpn
22:50 < STF> is the irc-server on the same server like the vpn-server`?
22:54 -!- Lilarcor [n=Lilarcor@ip70-187-168-252.oc.oc.cox.net] has quit ["The Lord of Murder Shall Perish."]
22:57 -!- aditsu [n=aditsu@n1164942225.netvigator.com] has joined ##openvpn
22:58 < aditsu> hi, I'm connected to a server with openvpn, and it works fine, except the server can't ping me; I can see the incoming ICMP requests with wireshark but there's no reply from my computer
22:58 < aditsu> what could be the problem?
23:01 < aditsu> oh, I also can't ping the server's vpn ip (but I can ping other ips it has)
23:04 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"]
23:09 < aditsu> anybody?
23:16 -!- aditsu [n=aditsu@n1164942225.netvigator.com] has quit ["ChatZilla 0.9.86 [SeaMonkey 2.0.2/20100104161941]"]
23:26 -!- tjz [n=tjz@bb116-15-75-62.singnet.com.sg] has joined ##openvpn
23:48 -!- STF_ [n=chatzill@dslb-084-061-151-073.pools.arcor-ip.net] has joined ##openvpn
23:50 -!- STF__ [n=chatzill@dslb-084-061-151-073.pools.arcor-ip.net] has joined ##openvpn
23:50 -!- STF_ [n=chatzill@dslb-084-061-151-073.pools.arcor-ip.net] has quit [Read error: 104 (Connection reset by peer)]
23:54 -!- STF is now known as Guest36745
23:56 -!- STF__ is now known as STF
--- Day changed Thu Jan 21 2010
00:06 -!- Guest36745 [n=chatzill@20-130.stw.uni-duisburg.de] has quit [Read error: 110 (Connection timed out)]
00:07 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
00:21 -!- Mtn_Bkng_Dave [i=whome@12.50.114.160] has joined ##openvpn
00:36 -!- poningru [n=poningru@dsl093-236-026.hfd1.dsl.speakeasy.net] has quit [Read error: 110 (Connection timed out)]
01:10 -!- linucks [n=linucks@loft4610.serverloft.com] has left ##openvpn ["Leaving"]
01:52 -!- STF [n=chatzill@dslb-084-061-151-073.pools.arcor-ip.net] has quit ["ChatZilla 0.9.86 [Firefox 3.5.7/20091221164558]"]
02:04 -!- Mtn_Bkng_Dave [i=whome@12.50.114.160] has quit [Read error: 110 (Connection timed out)]
02:07 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:19 < jmm> hello.
02:32 < tjz> hello jmm
02:32 < tjz> How may we help you?
02:37 -!- Diffen2 [n=diffen2@202.138.241.83.in-addr.dgcsystems.net] has joined ##openvpn
02:38 < jmm> I don't need help atm.
02:38 < jmm> but thanks still :)
02:42 < tjz> ok
02:42 < tjz> :)
02:44 < reiffert> how frustating.
02:48 < tjz> Hello reiffert
02:48 < tjz> what happen :(
02:59 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
03:02 < reiffert> tjz: jmm doesnt need our help, that is frustating me.
03:06 < jmm> in fact I'm working on nagios, if you guys really need to help someone.
03:06 < jmm> :)
03:07  * reiffert is playing with symfony
03:07 -!- master_o1_master [n=master_o@p57B53E99.dip.t-dialin.net] has joined ##openvpn
03:14 -!- le0 [n=itsle0@82.132.136.133] has joined ##openvpn
03:19 -!- master_of_master [i=master_o@p57B53D0D.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
03:20 -!- APTXderZweite [n=APTX@ks32603.kimsufi.com] has joined ##openvpn
03:24 < |Mike|> Morning.
03:24 < tjz> i am playing myself
03:24 < tjz> LOL
03:24 < tjz> just joking
03:24 < tjz> :P
03:26 < reiffert> tjz: http://www.asciipr0n.com/
03:26 < vpnHelper> Title: ascii pr0n . com (at www.asciipr0n.com)
03:37 < tjz> reiffert, you know me well
03:37 < tjz> lol
03:39 -!- Lyndon [n=late@savolaiset.fi] has quit [Remote closed the connection]
03:39 -!- Lyndon [n=late@savolaiset.fi] has joined ##openvpn
03:43 -!- le0 [n=itsle0@82.132.136.133] has quit [Read error: 110 (Connection timed out)]
03:51 -!- Diffen2 [n=diffen2@202.138.241.83.in-addr.dgcsystems.net] has quit [Read error: 110 (Connection timed out)]
03:53 -!- mintaka is now known as kosmic
03:53 -!- kosmic is now known as mintaka
04:45 -!- Diffen2 [n=diffen2@202.138.241.83.in-addr.dgcsystems.net] has joined ##openvpn
05:19 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:31 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:13 < ecrist> good morning
06:18 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
06:37 < havoc> morning
06:44 < vpnHelper> New forum entry openvpnforum: Installation Help :: Re: OpenVPN on Windows XP - Cant install TAP-Win32 device driver :: Reply ... <http://www.ovpnforum.com/viewtopic.php?f=5&t=2483&p=2899#p2899>
06:45 -!- meik [n=meik@78.157.114.78] has joined ##openvpn
06:45 < meik> Anyone here ?
06:45 < meik> I have a roblems with my openvpn... - tap win32 failed to install.. ( my operativsystem is windows xp )
06:46 < meik> !welcome
06:46 < vpnHelper> meik: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:46 < meik> I have a roblems with my openvpn... - tap win32 failed to install.. ( my operativsystem is windows xp )
06:47 < meik> !howto
06:47 < vpnHelper> meik: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:03 < ecrist> meik, people are here.
07:10 -!- ycy___ [n=mb@Noise.CS.UCLA.EDU] has joined ##openvpn
07:10 < ycy___> hi there
07:10 < ecrist> hello
07:11 < ycy___> i have a problem with openvpn: this is the server conf: http://pastebin.com/m16c2d621 and this is the client conf: http://pastebin.com/mfded7c8
07:12 < meik> I have a roblems with my openvpn... - tap win32 failed to install.. ( my operativsystem is windows xp )
07:12 < meik> "fil not found" when trying to add hardware in device manager
07:12 < ecrist> meik: you've said that three times now.
07:12 < ecrist> what installer are you using?
07:13 < meik> Yea so? No one responds me. 2.1.1
07:13 < ecrist> so, ask a question
07:13 < meik> http://openvpn.net/release/openvpn-2.1.1-install.exe
07:13 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
07:14 < meik> error http://peecee.dk/uploads/012010/openvpnfailed.png
07:14 < vpnHelper> New forum entry openvpnforum: Installation Help :: Re: OpenVPN on Windows XP - Cant install TAP-Win32 device driver :: Reply ... <http://www.ovpnforum.com/viewtopic.php?f=5&t=2483&p=2900#p2900>
07:14 < ecrist> you should just have to run the installer - it installed the device as part of the install
07:14 < ecrist> not sure what you're doing in device manager
07:14 < meik> I know, I've don it 500 times or so. Only have had this problem twice. 
07:15 < meik> In device manager, I can see the adapter, with yellow "!" sign over. When I'm trying to update the driver (from openvpn\drivers folder) it says failed. "The suggested file not found". All files are in the drivers folder.
07:15 < ecrist> not bad, a .02% failure rate
07:15 < ycy___> i have a problem with openvpn: this is the server conf: http://pastebin.com/m16c2d621 and this is the client conf: http://pastebin.com/mfded7c8 . This is the log for the server: http://pastebin.com/m1b541783 and this is the client's log: http://pastebin.com/m1418b9d6 . On the client, I cannot see the 'tun' interface. Where am I wrong?
07:15 < ecrist> why are you 'updating' the driver?
07:16 < meik> Because the yellow "!" mark is over it. When the installer has been set.
07:16 < meik> The problem is, that I can't start/activate the adapter.
07:16 < ecrist> I would suggest uninstalling openvpn, removing the device if it's still there, and reinstalling openvpn
07:16 < meik> I've done that 10 times :)
07:17 < ecrist> I would then suggest #windows
07:17 < meik> That's why I'm here now, hehe.
07:17 < meik> haha :D
07:17 < ecrist> seriously.  the problem is not really openvpn specific.  it sounds as if there's some other driver conflict or another related issue.
07:17 < meik> Try Google "tapinstall.exe failed" and you'll get many hits.
07:17 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
07:18 < meik> The problem started with the following: Had 1 adapter, worked. Wanted to add 2 more. Both failed.
07:18 < meik> Uninstalled everything, installed again with NEW isntaller. ALl failed with the adapters
07:18 < ecrist> did you verify the adapter had been removed from within device manager?
07:19 < meik> Yea
07:19 < ecrist> try #windows
07:19 < ecrist> see if they can offer more specific OS support.
07:20 < ecrist> if you really think it's a bug in openvpn, send it to the mailing list
07:21 -!- le0 [n=itsle0@82.132.248.2] has joined ##openvpn
07:21 < ycy___> i have a problem with openvpn: this is the server conf: http://pastebin.com/m16c2d621 and this is the client conf: http://pastebin.com/mfded7c8 . This is the log for the server: http://pastebin.com/m1b541783 and this is the client's log: http://pastebin.com/m1418b9d6 . On the client, I cannot see the 'tun' interface. Where am I wrong?
07:22 < meik> Did you see my screenshots, yes or no?
07:23 < meik> See http://www.google.dk/#hl=da&q=tapinstall.exe+failed&meta=&aq=&oq=tapinstall.exe+failed&fp=a0774f6e26d521f2 , I'm not the only one.
07:23 < vpnHelper> Title: Google (at www.google.dk)
07:25 -!- le0 [n=itsle0@82.132.248.2] has quit [Client Quit]
07:28 < ecrist> meik: I'm certain you're not the only one.
07:28 < ecrist> but, there are far more people who have it working just fine
07:30 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: redfox
07:30 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: havoc, berniv6, Intensity, krzie, Lyndon, cybertron, disco-, Nappy, ScriptFanix, tarbo2_,  (+49 more, use /NETSPLIT to show all of them)
07:30 -!- Netsplit over, joins: d12fk, buntfalke_, cpm, Lyndon, master_o1_master, ribasushi, saftsack, Rolybrau, freaky[t], krzee (+5 more)
07:30 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Success]
07:31 -!- Netsplit over, joins: @openvpn2009, Diffen, kreg, chilicuil, hyper_ch, Optic, sigius, Section58
07:32 -!- redfox [n=redfox2@91.121.78.62] has joined ##openvpn
07:32 -!- plundra [i=404@article.se] has joined ##openvpn
07:32 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:32 -!- Kaspx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
07:32 -!- Intensity [i=[TwgZSVb@unaffiliated/intensity] has joined ##openvpn
07:32 -!- _dren [i=dren@dereferenced.nullpointer.net] has joined ##openvpn
07:32 -!- ServerMode/##openvpn [+v Kaspx] by irc.freenode.net
07:33 -!- Nappy [n=nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
07:33 -!- hackeron [n=hackeron@gentoo/user/hackeron] has joined ##openvpn
07:33 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
07:33 -!- crazygir [n=jason@li14-82.members.linode.com] has joined ##openvpn
07:33 -!- reiffert [n=thomas@88.198.83.82] has joined ##openvpn
07:33 -!- CaBa [i=caba@unique-inter.net] has joined ##openvpn
07:33 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn
07:33 -!- tompaw [n=tompaw@91.121.184.63] has joined ##openvpn
07:33 -!- krzie [n=krzee@unaffiliated/krzee] has joined ##openvpn
07:33 -!- Gnewt [n=hackerle@li57-94.members.linode.com] has joined ##openvpn
07:33 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
07:33 -!- Zordrak [n=jaz@87-194-141-163.bethere.co.uk] has joined ##openvpn
07:33 -!- zamba [i=marius@flage.org] has joined ##openvpn
07:33 -!- rob0 [n=rob0@tuxaloosa.org] has joined ##openvpn
07:33 -!- cybertron [n=cybertro@84.200.248.176] has joined ##openvpn
07:33 -!- oc80z [n=oc80z@74.63.222.147] has joined ##openvpn
07:33 -!- tarbo2_ [n=me@unaffiliated/tarbo] has joined ##openvpn
07:33 -!- Nappy is now known as Guest41881
07:34 < ycy___> i have a problem with openvpn: this is the server conf: http://pastebin.com/m16c2d621 and this is the client conf: http://pastebin.com/mfded7c8 . This is the log for the server: http://pastebin.com/m1b541783 and this is the client's log: http://pastebin.com/m1418b9d6 . On the client, I cannot see the 'tun' interface. Where am I wrong?
07:34 -!- dazo_afk [n=dazo@nat/redhat/x-oqavtanzapelxkcm] has joined ##openvpn
07:34 -!- dazo_afk is now known as Guest88514
07:34 -!- ^scott^ [n=scott@stthom.org] has joined ##openvpn
07:34 -!- Guest88514 is now known as dazo
07:34 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
07:35 -!- dazo is now known as Guest41804
07:35 -!- Diffen2 [n=diffen2@202.138.241.83.in-addr.dgcsystems.net] has joined ##openvpn
07:35 -!- tjz [n=tjz@unaffiliated/tjz] has joined ##openvpn
07:35 -!- jmm [n=jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
07:35 -!- agagag [n=anton@ataraxia.bek.no] has joined ##openvpn
07:35 -!- havoc [n=havoc@saturn.chaillet.net] has joined ##openvpn
07:35 -!- noooon [n=var@vps-1005590-1468.united-hoster.de] has joined ##openvpn
07:35 -!- disco- [i=disco@andromeda.h4xed.com] has joined ##openvpn
07:35 -!- LobbyZ [n=default@main.lobbyzffs.com] has joined ##openvpn
07:35 -!- noooon [n=var@vps-1005590-1468.united-hoster.de] has quit [Read error: 60 (Operation timed out)]
07:35 -!- noooon [n=var@vps-1005590-1468.united-hoster.de] has joined ##openvpn
07:35 -!- mintaka [n=kosmic@109.74.194.171] has joined ##openvpn
07:36 -!- berniv6 [n=berni@2001:1b10:1000:0:0:0:26c3:1] has joined ##openvpn
07:36 -!- meik [n=meik@78.157.114.78] has quit ["Lost terminal"]
07:39 < ycy___> i have a problem with openvpn: this is the server conf: http://pastebin.com/m16c2d621 and this is the client conf: http://pastebin.com/mfded7c8 . This is the log for the server: http://pastebin.com/m1b541783 and this is the client's log: http://pastebin.com/m1418b9d6 . On the client, I cannot see the 'tun' interface. Where am I wrong?
07:40 -!- cron2 [n=gert@blue.greenie.muc.de] has joined ##openvpn
07:46 < jmm> lol stop reposting that message.
07:48 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
07:56 < ecrist> ycy___: you're logs aren't complete
07:56 < ecrist> !logs
07:57 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
08:00 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
08:00 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
08:21 < ecrist> whether on the mailing list, or here, ycy___ your logs are not complete
08:24 -!- Iskorptix_ [n=iskorpti@d205.csc.lt] has joined ##openvpn
08:24 < Iskorptix_> hello
08:24 < ecrist> hi!
08:24 < Iskorptix_> PUSH_REPLY,redirect-gateway,route10.20.30.1 255.255.255.0,route 10.20.30.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.20.30.6 10.20.30.5' (status=1
08:25 < Iskorptix_> basically, the default route is sent as 10.20.30.1
08:25 < Iskorptix_> but windows client, sets default route 10.20.30.5
08:25 < Iskorptix_> why ?
08:25 < ecrist> !/30
08:25 < vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
08:25 < Iskorptix_> !topology
08:25 < vpnHelper> Iskorptix_: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
08:25 < ecrist> therin lies your answer.
08:30 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: ycy___, Iskorptix_, Guest41804, stein0_
08:30 -!- Netsplit over, joins: Guest41804, Iskorptix_, ycy___, stein0_
08:31 < Iskorptix_> I'm not expert with networking (yet ;D) , maybe someone could provide fast workaround please ?
08:31 < Iskorptix_> I found it I think
08:31 -!- Guest41804 [n=dazo@nat/redhat/x-oqavtanzapelxkcm] has quit [Success]
08:32 < ecrist> Iskorptix_: your routing should work, what's your problem?
08:33 < Iskorptix_> it doesn't
08:33 < Iskorptix_> windows machine doesn't have internet connection
08:33 < Iskorptix_> I know why, but can't solve, cause I don't know how (lack of network knowledge)
08:34 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: havoc, berniv6, Intensity, krzie, cybertron, disco-, tarbo2_, pa, jmm, krphop,  (+31 more, use /NETSPLIT to show all of them)
08:34 < Iskorptix_> I'm experimenting now
08:34 < ecrist> !configs
08:34 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
08:34 < ecrist> i think you're setting thigs up wrong
08:34 < Bushmills> if your default route is set through vpn, then the problem may be somewhere else
08:34 -!- Guest23896 [n=dazo@nat/redhat/session] has joined ##openvpn
08:35 -!- Netsplit over, joins: cron2, berniv6, mintaka, LobbyZ, disco-, havoc, agagag, jmm, tjz, Diffen2 (+1 more)
08:35 -!- Netsplit over, joins: Guest41881, mikkel, +Kaspx, Intensity, _dren
08:35 < ecrist> any of you have the rockyou password list?
08:35 < ecrist> nobody's seeding the torrent
08:36 -!- Netsplit over, joins: @openvpn2009, noooon, Diffen, kreg, chilicuil, hyper_ch, Optic, sigius, Section58
08:37 < Iskorptix_> http://pastebin.com/m18363c96
08:37 < ecrist> change line 10 to this:
08:37 < ecrist> push "redirect-gateway def1"
08:38 < ecrist> that is your problem.
08:38 < Iskorptix_> now I can't connect from windows machine at all
08:39 < Iskorptix_> it says something about valid-subnets
08:39 < ecrist> that push should go in server config, too.
08:39 < Bushmills> maybe "lack of network knowledge"  and setting up a vpn isn't such a great combination
08:40 < ecrist> LOL
08:40 < ecrist> Bushmills: you should put that in /topic ;)
08:40 < Bushmills> hehe
08:41 < Iskorptix_> I have already know how make it done
08:41 < Iskorptix_> but I have to use static ip each time from windows machine
08:41 < Iskorptix_> which is unacceptable for me
08:41 < ecrist> follow our directions and we'll help
08:41 < ecrist> !all
08:41 < vpnHelper> ecrist: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
08:41 < Bushmills> my earnest suggestion would be to read yourself a bit into the subject
08:41 < Iskorptix_> and please don't be fucking morons who lough at noobs, thanks
08:42 < Bushmills> you haven't heard us laughing. actually we don't laugh at noobs
08:42 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [SendQ exceeded]
08:43 < Bushmills> so far to that part. what about the fucking morons part?
08:44 < Iskorptix_> fine then
08:44 -!- ycy___ [n=mb@Noise.CS.UCLA.EDU] has left ##openvpn []
08:44 -!- Diffen2 [n=diffen2@202.138.241.83.in-addr.dgcsystems.net] has quit [Read error: 60 (Operation timed out)]
08:44 -!- mode/##openvpn [+o ecrist] by ChanServ
08:44 -!- Iskorptix_ was kicked from ##openvpn by ecrist [we're not fucking morons]
08:44 <@ecrist> holy lag batman
08:44 <@ecrist> I ran that macro 2 mins ago
08:45 -!- Irssi: ##openvpn: Total of 65 nicks [2 ops, 0 halfops, 1 voices, 62 normal]
08:45 -!- mode/##openvpn [-o ecrist] by ecrist
08:48 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: chilicuil, hyper_ch, sigius, kreg
08:48 -!- Netsplit over, joins: kreg
08:48 -!- Netsplit over, joins: hyper_ch
08:49 -!- Netsplit over, joins: chilicuil
08:50 -!- hackeron [n=hackeron@gentoo/user/hackeron] has joined ##openvpn
08:50 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
08:50 -!- crazygir [n=jason@li14-82.members.linode.com] has joined ##openvpn
08:50 -!- reiffert [n=thomas@88.198.83.82] has joined ##openvpn
08:50 -!- CaBa [i=caba@unique-inter.net] has joined ##openvpn
08:50 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn
08:50 -!- tompaw [n=tompaw@91.121.184.63] has joined ##openvpn
08:50 -!- krzie [n=krzee@unaffiliated/krzee] has joined ##openvpn
08:50 -!- Gnewt [n=hackerle@li57-94.members.linode.com] has joined ##openvpn
08:50 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
08:50 -!- Zordrak [n=jaz@87-194-141-163.bethere.co.uk] has joined ##openvpn
08:50 -!- zamba [i=marius@flage.org] has joined ##openvpn
08:50 -!- rob0 [n=rob0@tuxaloosa.org] has joined ##openvpn
08:50 -!- cybertron [n=cybertro@84.200.248.176] has joined ##openvpn
08:50 -!- oc80z [n=oc80z@74.63.222.147] has joined ##openvpn
08:50 -!- tarbo2_ [n=me@unaffiliated/tarbo] has joined ##openvpn
08:51 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
08:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:54 -!- Irssi: ##openvpn: Total of 82 nicks [1 ops, 0 halfops, 1 voices, 80 normal]
08:59 -!- Raphael_Albrecht [n=chatzill@p4FC59D44.dip0.t-ipconnect.de] has joined ##openvpn
09:00 < cybertron> hi, I got the Problem that my 2 clients get the both ip address, so I have a router with vpn, 1client internal and 1 external both clietns get the vpn ip 192.168.1.6 
09:01 < Raphael_Albrecht> hi, my question is: has anybody experience with connection to a Check Point VPN Tunnel? i am searching for a linux pendant to Win VPN-Client Software "Check Point VPN-1 SecureClient"
09:02 < Raphael_Albrecht> is it possible to connect via openvpn?
09:04 -!- steelnwool [n=jeff@204-232-209-119.static.cloud-ips.com] has joined ##openvpn
09:05 -!- Iskorptix_ [n=iskorpti@d205.csc.lt] has joined ##openvpn
09:05 < steelnwool> i'm trying to use reovke-full, and ma getting an error with my openssl.cnf, i think maybe i'm just missing a env variable or something... ? 
09:05 < steelnwool> 15018:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 282
09:05 < Iskorptix_> hey guys, sorry if I made you upset, you get me wrong
09:06 < Iskorptix_> I did not meant that you should be like those I mentioned, I just new to this technology
09:06 < Iskorptix_> looking for a bit help
09:06 < Iskorptix_> i'll try to explain again...
09:06 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
09:06 < steelnwool> this is line 282 : MODULE_PATH = $ENV::PKCS11_MODULE_PATH
09:07 < steelnwool> so i guess ENV isn't right, or ENV::PKCS11_MODULE_PATH isn't set or something...
09:07 < Iskorptix_> the machine which runs openvpn server, has gets x.x.x.1 , but when I connect to vpn server from windows machine, in default gateway field I see, that default gateway is x.x.x.5 , not x.x.x.1 . Why ? Please help. Thanks
09:08 < steelnwool> Iskorptix_: to understand why, you need to read now the tun interface works.
09:08 < steelnwool> and the basics of how openvpn sets up its interfaces.
09:08 < Iskorptix_> can you please give a link or something, thanks.
09:09 < steelnwool> http://openvpn.net/index.php/open-source/documentation.html
09:09 < vpnHelper> Title: Documentation (at openvpn.net)
09:09 < ecrist> Iskorptix_: I already pointed you to docs on /30 subnetting
09:09 < ecrist> that explains why
09:10 < Iskorptix_> I can't understand what is written there hm
09:10 < steelnwool> hm ?
09:10 < ecrist> basically, don't worry about it, it works
09:10 < steelnwool> if you don't understand it, you should read some documents about how IP subnetting works.
09:11 < ecrist> steelnwool: he's trying to spell a gutteral verbalization common when one is confused.
09:11 < steelnwool> gotcha. i never know when internet people say things if its some hipster lingo, or a gutteral grunt.
09:11 < ecrist> aside from few execptions, lol, heh, hehe, etc, I'm not a fan of spelling sounds
09:12 < steelnwool> Iskorptix_: you need to build up some prerequesite skills to understand this stuff, versus just diving in. so go learn a bit about subnetting and ip addressing.
09:12 < ecrist> otherwise, half my conversations *fart* would have sounds intermixed. ;)
09:12 < steelnwool> ecrist: for revoke-full to work, do i have to change any of openssl.cnf that comes with openvpn ?
09:12 < steelnwool> i'm guessing some env variable isn't set or something.
09:12 < steelnwool> sec, i'll pastebin
09:13 < ecrist> steelnwool: I'm not a good person to ask about easy-rsa.  I wrote my own certifcate management scripts
09:13 < steelnwool> http://pastebin.com/me15f7ad 
09:13 < steelnwool> oh.. :)
09:13 < ecrist> I despise easy-rsa
09:13 < steelnwool> k. thanks.
09:13 < ecrist> I would look at line 282 of /etc/openvpn-pke/openssl.cnf, though
09:13 < steelnwool> :) i am.
09:14 < steelnwool> MODULE_PATH = $ENV::PKCS11_MODULE_PATH
09:14 < ecrist> ah, no idea
09:14 < ecrist> you're welcome to abandon easy-rsa and use ssl-admin, though. :)
09:14 < ecrist> my script is open-source and available to the public.
09:14  * havoc likes easy-rsa
09:14 < steelnwool> got a url for it?
09:14 < havoc> mostly
09:14 < ecrist> !ssl-admin
09:14 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
09:14 < steelnwool> havoc: lend me a hand ? :)
09:14 < steelnwool> ecrist: tks, will have a loook.
09:15 < havoc> steelnwool: my only use of easy-rsa is *exactly* what's in the howto
09:15 < steelnwool> hehe, you may want to update that link.
09:15 < steelnwool> or update the vpnhelper thign, to remove the , from the end of the url.
09:15 < havoc> if it's not in the howto, then I don't know about it
09:15 < steelnwool> havoc: k.
09:15 < ecrist> steelnwool: what's wrong with the link?
09:16 < havoc> he just doesn't like the comma at the end messing up clickability
09:16 < steelnwool> its more iterms problem than the link. if i comamnd-click on it, it includes the , 
09:16 < ecrist> works for me, but I'll adjust it
09:16 < ecrist> !forget ssl-admin 1
09:16 < vpnHelper> ecrist: Joo got it.
09:16 < ecrist> !learn ssl-admin 1 as http://www.secure-computing.net/wiki/index.php/FreeBSD_OpenVPN_Server/Routed
09:16 < vpnHelper> ecrist: Joo got it.
09:16 < ecrist> !ssl-admin
09:16 < vpnHelper> ecrist: "ssl-admin" is (#1) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#2) if you use freebsd, it is in ports
09:17 < ecrist> !learn ssl-admin as svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn
09:17 < vpnHelper> ecrist: Joo got it.
09:21 < steelnwool> did you just take ovpnforums down?
09:22 < ecrist> briefly
09:22 < ecrist> it's back up
09:22 < steelnwool> groove
09:22 < ecrist> you must have refreshed at the moment I did the HUP
09:23 < steelnwool> yeah
09:25 < steelnwool> who wrote/maintains easyrsa ?
09:25 < ecrist> openvpn developers
09:26 -!- Raphael_Albrecht [n=chatzill@p4FC59D44.dip0.t-ipconnect.de] has quit ["ChatZilla 0.9.86 [Firefox 3.5.7/20091221164558]"]
09:26 < steelnwool> ovpnforums isn't tied to their 'support center' is it ?
09:27 -!- screenn [n=screenn@77.222.135.254] has joined ##openvpn
09:28 < Iskorptix_> you are fucking morons
09:28 < Iskorptix_> sorry buts true
09:28 -!- Iskorptix_ [n=iskorpti@d205.csc.lt] has quit ["leaving"]
09:29 < steelnwool> wow, he showed us.
09:29 -!- macsppadic [n=sonupunn@82.109.74.162] has joined ##openvpn
09:32 < screenn> in crl-verify option need I use full path for the crl.pem file, or just crl.pem?
09:32 < steelnwool> full path. else how would it find it ?
09:33 < screenn> trying to revoke cert's, it isn't works
09:33 < screenn> did all by howto
09:33 < steelnwool> did you restart openvpn?
09:34 < steelnwool> remember, it won't automatically kick people out of the vpn, they have to disconnect, or you have to restart openvpn.
09:34 < screenn> yes once I restart, my crl.pem was changed and I use full way for that in server.conf
09:34 < macsppadic> screenn: hello u can also check the index.txt file 
09:34 < macsppadic> which shud show status of the certificate 
09:34 < macsppadic> V or R 
09:34 < screenn> R in line with this client
09:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:35 < screenn> V in lines with others
09:35 < macsppadic> ok that looks right then 
09:35 -!- mode/##openvpn [+o ecrist] by ChanServ
09:35 < screenn> need I remove key's for this client?
09:35 < macsppadic> u shudnt have to 
09:35 < macsppadic> u have restarted u said 
09:35 < steelnwool> hey ecrist in ssl-admin.conf - $ENV{'KEY_CRL_LOC'} = "URI:http://CRL_URI"; ... do i change that?
09:35 < screenn> yes
09:35 < macsppadic> where is crl.pem?
09:35 -!- mode/##openvpn [+b *!*@193.139.191.*] by ecrist
09:36 < screenn> I've copied in the /etc/openvpn/ directory
09:36 < macsppadic> ok
09:36 < macsppadic> could also try just linking the crl.pem from keys folder to /etc/openvpn
09:36 -!- mode/##openvpn [+b Iskorptix_!*@*] by ecrist
09:37 < macsppadic> anything in the logs?
09:37 -!- mode/##openvpn [-o ecrist] by ecrist
09:37 < steelnwool> ecrist: nevermind, i read the docs.
09:37 < ecrist> steelnwool: ovpnforums is run by the same folks who run this chan
09:37 < ecrist> ssl-admin has real man pages, fwiw
09:37 < steelnwool> cool. is there a reason why one would want to put a revocation list on the net?
09:37 < screenn> I'm reading log's it shows client connected successfully 
09:37 < steelnwool> i guess if you had a cluster of vpns?
09:38 < ecrist> if you had a cluster/share SSL topo
09:38 < ecrist> ssl-admin can be used for more than openvpn
09:38 < steelnwool> sure.
09:38 < macsppadic> just a double check screenn diff crl.pem with the one in keys folder
09:38 < ecrist> so, you *could* use ssl-admin if you wanted to operate a small CA
09:39 < steelnwool> i like how you chose to make it menu driven.
09:39 < macsppadic> u also have crl-verify crl.pem  as the line in ur config 
09:39 < macsppadic> no slashes 
09:39 < ecrist> if I ever get around to rewriting it, it will be either interactive or option driven
09:40 < screenn> macsppadic ok, I'll check my config again, maybe twice options?
09:40 -!- NoReflex [n=ionut@89.123.120.134] has joined ##openvpn
09:40 < steelnwool> if i password protect the CA key, does that basically mean i'll need this when ever i start openvpn, or when i create new keys for clients?
09:41 < ecrist> not for the CA key
09:41 < macsppadic> openvpn restart usually takes care of this once the config is pointed at the right file 
09:41 < ecrist> the password on CA key prevents signing new certs without the password
09:41 < screenn> I've used /usr/share/doc/openvpn* /easy-rsa for generating previous certs
09:41 < steelnwool> ecrist: k.
09:41 < macsppadic> ooo screenn did u do a . ./vars initially?
09:41 < screenn> but now I use other directory, maybe it has double crt files?
09:42 < macsppadic> hmm 
09:42 < screenn> yeah I did "source ./vars"
09:42 < macsppadic> ok 
09:42 < screenn> and "./revoke-full cleintname" after that
09:42 < macsppadic> aye that shud do it 
09:43 < NoReflex> Hey guys! Can I use OpenVPN to acccess another network? I have a computer which has two NICs - one connects to the Internet and another which connects to another network (through a gateway - 10.10.0.1). Would I be able to connect to that network (10.10.x.x)  through openVPN - installed on the computer?
09:43 < NoReflex> something like push networks / routes?
09:43 < macsppadic> shud be able to NoReflex 
09:46 < screenn> maybe I need to change permission?
09:46 < screenn> it runs from user openvpn?
09:46 < macsppadic> oh ok ...whats the perms on the crl.pem file 
09:47 < macsppadic> yeah go for it 
09:47 < steelnwool> needs to be world readable.
09:47 < screenn> root:openvpn, I've changed it, but how about certs it has root:root, cause I've generated that from root sure
09:47 < screenn> it's readable for all groups
09:47 < steelnwool> ecrist: why does ssl-admin need client.ovpn ?
09:48 < macsppadic> whos the user group setting in config file?
09:49 < ecrist> steelnwool: it doesn't *need* it, but ssl-admin will package all certs and the openvpn config into a single zip, if you chose
09:49 < screenn> root:root for the server.conf
09:49 < steelnwool> ahhh, gotcha. to make setup easier for the suits.
09:49 < ecrist> exactly
09:49 < steelnwool> so i can just ignore that error if id on't care. gotcha.
09:49 < steelnwool> we're all on mac anyways.
09:49 < steelnwool> course viscosity can use openvpn config files.
09:49 < ecrist> viscosity?
09:50 < steelnwool> yeah.
09:50 < ecrist> we use tunnelblick
09:50 < macsppadic> viscosity is quite good 
09:50 < screenn> is it important to restart service, I can't do that now, people working with that
09:50 < macsppadic> yes once u revoke a cert 
09:50 < ecrist> I tried it when it first came out, and I can't get a 30-day evaluation to run again (says mine's used up) and I don't know where it's storing that data
09:50 < macsppadic> usually unless client disconnects  u have to restart the openvpn service i believe to see hte changes
09:50 < ecrist> as such, I'm not going to but it to try it again.
09:51 < steelnwool> okay, just one more potentially dumb question: i was using easy-rsa, i'm going to try ssl-admin, can i jjust take my csrs from my easy-sssl, copy them in and sign them ?
09:51 < screenn> I'm checking with my own cert, I can disconnect, so I don't need to restart service in this case?
09:51 < steelnwool> screenn: right.
09:52 < screenn> ok
09:52 < steelnwool> however, you did have toe restart the first time you added verify to the config files
09:52 < steelnwool> so that openvpn knows to check the verify file.
09:52 < screenn> how about reload config without restarting the service?
09:52 < screenn> can I do that?
09:52 < steelnwool> probably.
09:53 < steelnwool> check the docs :)
09:53 -!- le0 [n=itsle0@82.132.136.134] has joined ##openvpn
09:53 < screenn> rtfm?
09:53 < screenn> :)
09:54 < screenn> did by howto, ok, will try little bit without restart
09:54 < steelnwool> ecrist: you could make (z) zip files for end users, also zip it with a password for even mroe secure distribution.
09:54 < steelnwool> if you were so inclined :)
09:54 -!- elliotdenk [n=elliotde@VPNPOOL04-0001.UNI-MUENSTER.DE] has joined ##openvpn
09:55 < ecrist> steelnwool: zip file passwords are cosmetic
09:55 < ecrist> very easily broken
09:55 -!- peepod [n=opt@216.18.20.66] has joined ##openvpn
09:55 < steelnwool> so just transfer the zip and hope for the best?
09:55 < ecrist> yep
09:55 < ecrist> I usually provide zip files through an SSL-enabled web download
09:56 < elliotdenk> does openvpn in bridged mode withe multiple clients require one tap-interface for each client or is one interface per openVPN process suffient?
09:56 < ecrist> password protect FTP client
09:56 < steelnwool> i skype them. its encrypted.
09:56 < ecrist> there you go
09:56 < steelnwool> ssl-admin ftw.
09:56 < steelnwool> thanks. very nicel
09:57 < ecrist> no problem
09:57 < peepod> elliotdenk: Why would the openvpn server need more than one interface?
09:57 < steelnwool> peepod: thats in the faq
09:58 < elliotdenk> i don't know - actually I'm trying to understand the basics of openVPN and figure out whether it's possible to run the openVPN server from within a freeBSD jail
09:58 < steelnwool> i would say it probably is.
09:59 < steelnwool> to understand the basics, read the howto and the documents surrounding it, they are pretty good.
09:59 < steelnwool> i've been using openvpn for less than 2 weeks and besides some routing issues echrist helped me wiht, the docs have been very clear.
10:00 -!- le0 [n=itsle0@82.132.136.134] has quit ["Leaving"]
10:01 -!- mintaka is now known as nagasadow
10:02 < macsppadic> chaps i have got a bridged setup and can connect in using viscosity as a test client - but cant ping anything behind - i just did a check of the tcpdump and can see request packets going to the machine but no reply  
10:03 < macsppadic> i can ping the ip from the openvpn server but not from client despite being on the same subnet 
10:04 < peepod> Firewall?
10:05 -!- hackeron [n=hackeron@gentoo/user/hackeron] has quit [Connection timed out]
10:05 < steelnwool> what ip are you pinging ?
10:05 < macsppadic> am assigned 192.168.131.242 
10:05 < macsppadic> server itself is on 192.168.131.252
10:05 < steelnwool> did you push routes to that subnet?
10:05 < macsppadic> am tyring to ping 192.168.131.254
10:06 < steelnwool> put your config file up somewhere
10:06 < macsppadic> sec let me pastebin it 
10:08 < macsppadic> http://pastebin.com/m7874d93c
10:08 < macsppadic> i have commented out some of the push routes i need to add on later 
10:10 < macsppadic> openvpn logs at level 5 - show a steady stream of RWWWWRWWW
10:10 -!- screenn [n=screenn@77.222.135.254] has quit ["Leaving"]
10:11 < steelnwool> well, you'll need some routes.
10:11 < steelnwool> add this
10:11 < steelnwool> pus route 192.168.131.254 255.255.255.255
10:11 < steelnwool> *push
10:12 < macsppadic> ok ..sec let me try that 
10:12 < ecrist> macsppadic: do those other machines know how to get to the vpn clients?
10:12 < steelnwool> and just try that. see if it works. then you can play with the rest of your routes.
10:12 < steelnwool> and yeah, you'll need reverse routes, either added to each machine, or set on the gateway.
10:12 < macsppadic> ecrist - the 192.168.131.354 is a switch that routes onto other subnets - i have specific static rotues setup on the server for those - 
10:13 < macsppadic> which work fine - ican get from server to those other subnets - just issue with the openvpn clients
10:13 < steelnwool> so you have 10.8.0.0/24 routing back thru .252 ?
10:13 -!- hackeron [n=hackeron@cpc3-seve19-2-0-cust263.13-3.cable.virginmedia.com] has joined ##openvpn
10:14 < macsppadic> aha!!
10:15 < macsppadic> nice one steelnwool  thats done the trick!
10:15 < steelnwool> macsppadic: okay there is a gotcha here. and i had the exact issue when i started.
10:15 < macsppadic> oh oh 
10:15 < steelnwool> make sure your push routes do not include a push route back to vpn server.
10:15 < steelnwool> ie setup your routes to be all the ips on either side of 252, but not 252, or it will mess up yer vpn with a circularish route
10:16 < macsppadic> dear god routing loops 
10:16 < macsppadic> aye thanks for the heads up steelnwool 
10:25 < steelnwool> hey ecrist i just tried to build the diffie helmean keys. it didn't save the file, but it did "go thru the motions"
10:25 < steelnwool> ah it did. it just didn't put them in active.
10:27 < ecrist> yeah, that's the oddity
10:27 < ecrist> the dh are put up a dir
10:28 < steelnwool> so your wiki docs conflict that. just a heads up.
10:28 < ecrist> can you point me?
10:28 < steelnwool> !ssladmin
10:28 < vpnHelper> steelnwool: Error: "ssladmin" is not a valid command.
10:28 < steelnwool> !ssl-admin
10:28 < vpnHelper> steelnwool: "ssl-admin" is (#1) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#2) if you use freebsd, it is in ports, or (#3) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn
10:29 < steelnwool> hrmm frig, one sec.
10:29 < steelnwool> http://www.secure-computing.net/wiki/index.php/FreeBSD_OpenVPN_Server/Routed about 3/4 way down.
10:29 < vpnHelper> Title: FreeBSD OpenVPN Server/Routed - Secure Computing Wiki (at www.secure-computing.net)
10:29 < steelnwool> dh      /usr/local/etc/ssl-admin/active/dh1024.pem
10:31 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
10:50 < krzie> ecrist here?
10:52 < krzie> your new ports version of ssl-admin has been tested and is good on my fbsd box
10:57 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
11:03 < krzie> and the other guy i was recommending for that CTO spot is out of the mix, he cant entertain the idea of moving anymore (his mom was diagnosed with cancer, hes going to stay with her and take care of her)
11:05 < ecrist> krzie: yes, here
11:06 < ecrist> excellent, then it's a matter of whether they can/want to afford me.
11:07 < ecrist> krzie: did you see anything about the rockyou password breach last year?
11:07 < ecrist> I just did some parsing of the file: http://secure-computing.net/pw/
11:07 < vpnHelper> Title: Index of /pw (at secure-computing.net)
11:07 < krzie> i also mentioned your involvement with ovpn/nagios/freeswitch, saying that it may not appear on your resume
11:07 < ecrist> yeah, none of that is really on my resume
11:07 < ecrist> thanks
11:07 < krzie> np
11:08 < krzie> but just so you know, these guys are hacker friendly types, so dont hesistate to mention things you wouldnt normally put on a resume
11:08 < krzie> things like what i mentioned to him go a long way with them
11:09 < ecrist> will do.  they may enjoy my stories from HS, then. ;)
11:09 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:10 < krzie> the other guy i was recommending is a hacker, the guy mentioned he likes the idea of that cause creative ideas could come of it
11:10 < ecrist> I wouldn't classify myself in that group any longer, really
11:11 < krzie> right, im just letting you know what kinda people you're talking to, they are open to creativity from their CTO
11:11 < krzie> not just a robot
11:11 < krzie> which would be a nice change from where you are now
11:11 < krzie> listening to morons that try to keep you from doing all you could
11:12 < ecrist> :)
11:12 < krzie> (ill never understand people with that mindset)
11:12 < havoc> corporate drones
11:12 < krzie> yup
11:13 < krzie> this would be a fun job tho, if i was free ild go down and do it myself
11:13 < havoc> what's the job?
11:13 < krzie> the place is a live high value target, and they're willing to give freedom and a team under you
11:13 < havoc> and where?
11:13 < krzie> CTO, costa rica
11:13 < havoc> bah
11:14 < krzie> its an international biz run by americans :-p
11:14  * havoc doesn't like travel
11:14 < havoc> at least not business travel, nor relocating
11:14 < krzie> good thing too, cause i didnt recommend you to him :-p
11:14 < havoc> plus I'd have to learn another language
11:15 < krzie> nah no spanish needed
11:15 < havoc> ah
11:17 < ecrist> my wife is down for a move anywhere
11:17 < ecrist> bascially, she told me a year ago, if I want to move, pick a place and we'll go
11:17 < krzie> from personal experience i have to say its nice being outside of USA
11:17 < ecrist> (I've re-confirmed this since the baby)
11:17 < krzie> i wouldnt move back
11:18 < krzie> i do visit, but wont be going back permanently
11:18 < krzie> not to say ill always be here, but i wont be in usa
11:20 < NoReflex> hey guys...connecting to openvpn disconnects my Vodafone 3G connection in windows 7 - I understand that Window$ considers the TAP connection as better and Vodafone disconects -any idea how to solve this?
11:22 < krzie> you must be giving it redirect-gateway to windows
11:22 < NoReflex> krzie: checking now
11:23 < krzie> if thats the case you can make a more specific route telling windows that the 3g network goes whereever it is supposed to
11:23 < krzie> to check simply goto whatismyip.com and see if you have the vpn ip
11:23 < krzie> or if you run both sides of the vpn check both configs, it can be given in client or pushed from server
11:25 -!- elliotdenk [n=elliotde@VPNPOOL04-0001.UNI-MUENSTER.DE] has quit []
11:26 < NoReflex> krzie: after connecting to the VPN I can't check whatismyip since the 3G connection was the way I connected to the internet - after connecting 3G disconects and VPN disconnects as well since it can't contact the vpn server
11:27 < krzie> !configs
11:27 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:28 -!- macsppadic [n=sonupunn@82.109.74.162] has left ##openvpn []
11:35 < NoReflex> krzie: http://pastebin.com/d72964a12
11:36 < krzie> take a look at my server config
11:36 < krzie> !sample
11:36 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
11:37 < krzie> lose mode server, ifconfig, ifconfig-pool, and your push route, just use --server
11:37 < krzie> oh and tls-server
11:38 < NoReflex> krzie: I'm trying to connect 10 clients to the same server...and I need to push a router from the server to the clients
11:38 < NoReflex> *push a route
11:38 -!- le0 [n=itsle0@82.132.136.130] has joined ##openvpn
11:39 < krzie> its all handled in --server
11:39 < krzie> !man
11:39 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
11:39 < krzie> see --server
11:40 < krzie> you're only pushing a route to the vpn, --server does it
11:41 < krzie> also, be sure you understand this:
11:41 < krzie> !/30
11:41 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
11:41 < krzie> because currently your pool is big enough for only 2 clients
11:41 < krzie> .6 and .10
11:41 < krzie> but if you use a --server command like in my sample config, you fix that
11:42 < krzie> ;]
11:44 < NoReflex> what does local do at the beginning?
11:45 < NoReflex> in the server config file?
11:48 -!- NickWebHA [n=nick@mail.webhse.com] has joined ##openvpn
11:52 -!- steelnwool [n=jeff@204-232-209-119.static.cloud-ips.com] has left ##openvpn []
11:53 -!- mick_laptop [n=mick@clamwin/admin/mickhome] has joined ##openvpn
11:54 < mick_laptop> hi everyone, how can i get openvpn to work on a vps? i think that i'll need to bridge the tun/tap w/ venet0:1
11:54 < mick_laptop> i get: Note: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13)
11:54 < mick_laptop> in /var/log/messages
11:55 < NoReflex> mick_laptop: you probably have to start it as root
11:57 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
11:58 < NoReflex> krzie: what does local in the server config file stand for?
11:58 < NoReflex> should I put there the IP address I want for the server in vpn - 10.8.0.1 for example?
11:59 < mick_laptop> NoReflex: i'm in as root
11:59 < NoReflex> or the external IP of my VPN server?
11:59 < mick_laptop> it uses OpenVZ
11:59 < mick_laptop> which i think is the problem
11:59 < mick_laptop> this info didn't help: http://wiki.vpslink.com/TUN/TAP_device_with_OpenVPN_or_Hamachi
11:59 < vpnHelper> Title: TUN/TAP device with OpenVPN or Hamachi - VPSLink Wiki (at wiki.vpslink.com)
11:59 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
12:00 < mick_laptop> mknod /dev/net/tun c 10 200 <-- it already exists
12:00 < mick_laptop> just this: cat /dev/net/tun <--- doesn't work
12:02 < krzie> NoReflex local is what ip to bind to, EVERY option is available to read up on in the manual
12:02 < krzie> !openvz
12:02 < vpnHelper> krzie: "openvz" is http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn bout openvz specific stuff with regards to openvpn
12:03 < krzie> also be sure you loaded tun module
12:03 < mick_laptop> krzie: modprobe tun
12:04 < mick_laptop> and: modprobe tap
12:04 < krzie> and read the link i just gave
12:04 < krzie> for the openvz side
12:04 < mick_laptop> ok
12:04 < mick_laptop> thanks
12:04 < krzie> yw
12:04 < krzie> if dougy can do it from that guide anyone can ;]
12:05 < mick_laptop> "Make sure the tun module has been already loaded on the hardware node" -- ok, i only have access to the vps, not the actual hw node
12:06 < krzie> so your provider needs to do stuff
12:06 < mick_laptop> that is what i figure
12:09 < NoReflex> krzie: why does the server give the address 10.8.0.6 to the client wiht a netmask of 255.255.255.252 and no gateway (route)??
12:09 < NoReflex> i've set server 10.8.0.0 255.255.255.0
12:10 < krzie> <krzie> also, be sure you understand this:
12:10 < krzie> <krzie> !/30
12:10 < krzie> <vpnHelper> krzie: "/30" is (#1)
12:10 < krzie>             http://openvpn.net/index.php/open-source/faq.html#slash30 explains
12:10 < krzie>             why routed clients each use 4 ips, or (#2) you can avoid this
12:10 < krzie>             behavior with by reading !topology
12:10 < krzie> <krzie> because currently your pool is big enough for only 2 clients
12:10 < vpnHelper> Title: FAQ (at openvpn.net)
12:10 < krzie> <krzie> .6 and .10
12:10 < krzie> <krzie> but if you use a --server command like in my sample config, you fix
12:10 < krzie>           that
12:10 < krzie> <krzie> ;]
12:13 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit ["leaving"]
12:14 -!- NickWebHA [n=nick@mail.webhse.com] has left ##openvpn []
12:14 < krzie> !topology
12:14 < vpnHelper> krzie: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
12:14 < NoReflex> well I used --server as you said but it's not fixed...http://pastebin.com/d63efca07
12:14 < krzie> its not supposed to stop the !/30 behavior
12:14 < krzie> what you fixed is that now 10 clients could actually connect
12:15 < krzie> your old options could only handle 2 clients
12:15 < krzie> go actually read the links i gave you\
12:15 < NoReflex> if I understand correctly if I add topology subnet will fix /30
12:16 < krzie> not *fix* cause its not broken, but yes it will get rid of the /30 behavior
12:16 < cybertron> hi, i got a problem with routing http://nopaste.info/084164b3f1.html client ip 10.1.1.23 if i connect to my openvpn router internal i cant reach the router openvpn net also not the local ip on my server but it works fine with external client 
12:16 < krzie> default topology is net30
12:16 < cybertron> http://nopaste.info/be6dbf581e.html server
12:16 < krzie> cybertron
12:16 < krzie> !local
12:16 < vpnHelper> krzie: "local" is a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
12:17 < cybertron> hm
12:17 < cybertron> but it worked some hours ago withou this 
12:17 < krzie> you should NOT use 192.168.1.0 as your VPN subnet
12:18 < krzie> it will break routing for any client in a lan of 192.168.1.0
12:18 < krzie> which could lead the issue you are having
12:18 < cybertron> yes but my net is 10.1
12:18 < krzie> either way, if you will have a road warrior change the vpn subnet
12:18 < krzie> !welcome
12:18 < vpnHelper> krzie: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:18 < NoReflex> I added topology subnet and it says it does not recognizwe the option
12:18 < cybertron> so local pc is 10.1.1.23 server ip 10.1.1.1.1
12:19 < krzie> see last part
12:19 < krzie> NoReflex then you are using a very very old version of openvpn
12:19 < cybertron> ok ok
12:19 < krzie> !topology
12:19 < vpnHelper> krzie: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
12:19 < krzie> see how it says in 2.1
12:19 -!- le0 [n=itsle0@82.132.136.130] has quit ["Leaving"]
12:19 < krzie> why dont people read what my bot tells them =[
12:19 < cybertron> i look :P
12:20 < krzie> ya that one wasnt you
12:20 < krzie> cybertron does client config have redirect-gateway?
12:20 < cybertron> atm no
12:20 < krzie> ohh i see
12:20 < krzie> heres the issue
12:20 < krzie> # push "route 10.1.1.0 255.255.255.0" #local 
12:20 < krzie> you are routing that lan over the vpn, but you are on that lan
12:20 < NoReflex> krzie: openvpn 2.0.9 on windows
12:21 < krzie> so you lose your route to your gateway, and thus the vpn
12:21 < krzie> NoReflex
12:21 < krzie> !download
12:21 < vpnHelper> krzie: "download" is www.openvpn.net/download to download openvpn
12:21 < cybertron> hm so correct would be?
12:21 < cybertron> so the redirect should help?
12:22 < krzie> cybertron remove that line from the server, and add it to remote clients without push, or add something to block the routes from being added on the local client
12:22 < krzie> no redirect is for something else
12:22 < cybertron> k i try
12:22 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
12:23 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
12:24 < NoReflex> krzie: I'm not looking to update my OpenVPN...I just want to connect 10 clients to one server and push a route from that server to the clients ... the clients should access another network to which the client is connected to through the VPN server. Is that possible?
12:24 < krzie> --route-nopull
12:24 < krzie>     When used with --client or --pull, accept options pushed by server EXCEPT for routes.
12:25 < krzie> When used on the client, this option effectively bars the server from adding routes to the client's routing table, however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface. 
12:25 < krzie> cybertron thats your second option
12:25 < krzie> NoReflex, sure it is, but you must live with /30 for each user
12:25 < krzie> you should currently be setup like that if you did what i said
12:25 < cybertron> doesnt works
12:25 < cybertron> -s
12:25 < krzie> cybertron show me what doesnt work
12:26 < krzie> server and client config
12:26 < NoReflex> krzie: so it should look like: client connect to vpn; client tries to connect to 10.10.x.x -> packets go through VPN server (192.168.1.2) -> through the gateway for the other NIC of the server (10.10.0.1) and arrives at destination
12:26 < cybertron> what im also wondering is that my internal client get another dhcp server as my external clietn
12:26 < krzie> NoReflex you need to change that vpn subnet
12:26 < cybertron> mom
12:27 < krzie> it will break routing for anyoene on 192.168.1.x
12:28 < cybertron> http://nopaste.info/0670acdc7b.html client
12:28 < krzie> cybertron you are using layer3 tunnel, there is no dhcp over the vpn (dhcp is layer2)
12:28 < NoReflex> krzie: 192.168.1.2 is the IP from the NIC which connects to the Internet; 10.10.0.101 with 10.10.0.1 as gateway on the NIC that connects to the other network (which isn't connected to the internet); is it possible to have a client connect to machines in the 10.10.x.x network through the vpn server? is yes which subnet should I change
12:28 < cybertron> http://nopaste.info/4d4d04c9b2.html
12:28 < NoReflex> ?
12:28 < krzie> cybertron and the new server config
12:28 < cybertron> server
12:28 < krzie> cool
12:28 -!- ruied [n=ruied@92.250.95.7] has joined ##openvpn
12:29 < krzie> NoReflex oh ok my bad i thought you were saying 192.168.1.x is the VPN subnet, my bad that should have been directed at cybertron 
12:29 < krzie> NoReflex, you wanna read this then
12:29 < cybertron> my dhcp is off the add dhcp comes from the openvpn 
12:29 < krzie> !route
12:29 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:30 < cybertron> *read*
12:30 < krzie> if the only lan to be routed over vpn is behind server it comes down to a single push route and a route added to your router
12:31 < krzie> cybertron so those new configs dont work how?
12:32 < krzie> oh nm i see
12:32 < krzie> you are breaking it the exact same way
12:32 < krzie> in client config: # route 10.1.1.0 255.255.255.0
12:32 < cybertron> args
12:32 < krzie> remove that for the exact same reason
12:32 < cybertron> you say i sold change to it
12:32 < krzie> only for REMOTE clients
12:32 < krzie> this is a local client
12:33 < cybertron> ah sorry
12:33 < krzie> you are still telling that client to route its own lan over the vpn, so it cant connect to its gateway anymore
12:34 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
12:34 < Bushmills> "you must tunnel openvpn through openvpn in order to do that"
12:34 < krzie> chicken vs egg
12:35 < cybertron> and the remote client
12:35 < Bushmills> egg was first
12:35 < cybertron> need then push 10.1.1.0?
12:35 < krzie> cybertron, you have 2 options... you can push to all clients and have route-nopull in local clients
12:36 < krzie> OR you can not push the route to anyone, and put the route in all clients that do not connect locally
12:36 < cybertron> hm think first one is easier for more clients
12:36 < Bushmills> an extra host route to vpn server could also help
12:37 < krzie> bushmills, assuming you dont need to communicate with any other machines in the lan
12:38 < rob0> What we have here ... is failure to communicate. </cool-hand-luke>
12:38 < krzie> good movie
12:38 < Bushmills> true. gets messy if you have to route them explicitely. but then those machines should be in a different, non-routed subnet
12:39 < krzie> but the easy ways are the 2 options i outlines
12:39 < krzie> outlined
12:39 < krzie> sure, you can get creative once you understand it all, which is a category you fit into ;]
12:40 < cybertron> hm doesnt work
12:41 < Bushmills> how about ... turning off openvpn whenever you need to talk to a local machine, and on again when finished?
12:41 < cybertron> no :)
12:41 < Bushmills> ok. just an idea :)
12:41 < krzie> ya, why are you connecting to the vpn locally? securing your wifi?
12:42 < cybertron> hm i downt need connected if the ext. connect to the lan?
12:42 < krzie> huh?
12:42 < cybertron> ext -> server ->int computer
12:43 < krzie> no, internal computers dont need to connect for that
12:43 < krzie> !route
12:43 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:43 < cybertron> so ext wants to connect to a windows share on the internal lan
12:43 < cybertron> kk
12:44 < krzie> you can connect as many lans as you want, 1 openvpn node per lan
12:48 -!- steelnwool [n=jeff@204-232-209-119.static.cloud-ips.com] has joined ##openvpn
12:49 < steelnwool> ecrist: if i revoke a cert, and then want to readd that person, do i have to HUP openvpn after making that persons new cert?
12:50 < krzie> no, you just need to give him a new common-name
12:50 -!- rajin [n=_@port-91406.pppoe.wtnet.de] has joined ##openvpn
12:50 < steelnwool> is it okay if the common name is the same, so long as serial is different?
12:50 < cybertron> krzie: mouch thx for your nervs :)
12:50 < cybertron> mouch=much
12:50 < krzie> np cybertron =]
12:51 < cybertron> but one thing
12:51 < krzie> steelnwool, no
12:51 < cybertron> ^
12:51 < steelnwool> nm. my crl.pem is worrong mode... 
12:51 < cybertron> how can i now reach my external client from the internal?
12:51 < steelnwool> cybertron: add routes to the internal clients, or to the gateway they use.
12:52 < krzie> cybertron see the section ROUTES TO ADD OUTSIDE OPENVPN in my routing doc
12:52 < cybertron> http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing <--in that?
12:52 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
12:52 < NoReflex> krzie: I think I got a little further - I managed to connect to the VPN from my Linux machine - I can ping 10.8.0.1 from 10.8.0.6 and 10.8.0.6 from 10.8.0.1... but I don't think I got the push router part right
12:52 < cybertron> ah yes
12:53 < NoReflex> I added push "route 10.10.0.0 255.255.0.0"and route 10.10.0.0 255.255.0.0 to server.ovpn
12:53 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has joined ##openvpn
12:54 < steelnwool> that is for the clients.
12:54 < steelnwool> if you want machiens on the server side of the network to talk back, they need to know how.
12:55 < krzie> you telling me its for the clients?
12:55 < NoReflex> steelnwool: how do I do that? my routes after connecting to the VPN are http://pastebin.com/d7d3cc0a6
12:55 < krzie> cause im telling you its not
12:56 < steelnwool> NoReflex: it depends upon the os. for example in solaris you can do "route add -p 10.8.0.0/24 192.168.1.14"
12:56 < krzie> that is DIRECTLY on the router
12:56 < krzie> NOT through openvpn
12:56 < NoReflex> steelnwool: the openvpn server runs on XP :(
12:56 < steelnwool> which would tell your machine, to route all traffic that is destined for the 10.8.0.0/24 thru 192.168.1.14, assuming .14 is the vpn server.
12:56 < steelnwool> NoReflex: i'm not saying type this on openvpn machine.
12:57 < krzie> yup, steelnwool has it right
12:57 < steelnwool> i'm sayig you need to either type this on the gateway of your lan, or on each individual machine you wish to connect to inside your lan.
12:57 < krzie> steelnwool, prior knowledge or from reading !route ?
12:57 < krzie> (out of curiosity)
12:57 < steelnwool> krzie: last week i learned/tuaght myself routing and openVPN.
12:57 < steelnwool> and echrist helped alot.
12:57 < krzie> steelnwool ahh cool
12:58 < cybertron> krzie: hm i tried route add 192.168.1.0 MASK 255.255.255.0 10.1.1.1
12:58 < steelnwool> i had to do a crash course, i have a new job and i replaced a guy who couldn't get anything done, so i had to make a good impression.
12:58 < steelnwool> cybertron: that route is backwards.
12:58 < krzie> cybertron what ip is the local openvpn node?
12:59 < cybertron> the vpn net?
12:59 < cybertron> 192.168.1.0 <--vpn net 10.1.1.1 vpn server local
12:59 < krzie> the lan ip of the openvpn node
13:00 < krzie> you wont have ANY road warriors, right?
13:00 < cybertron> ill get them
13:00 < cybertron> later 
13:00 < krzie> then CHANGE YOUR VPN SUBNET!
13:00 < cybertron> then i change my vpn net to 10.x i promise
13:00 < krzie> ive only said it like 5 times
13:00 < krzie> lol
13:00 < steelnwool> ah c'mon. 192.168.0.0/24 is awesome!
13:01 < krzie> well once you do that you'll have to change the route on your router
13:01 < krzie> cause you'll break it when yopu change vpn subnets
13:01 < rob0> I'll get them! When they least expect it!!
13:01 < krzie> if you listen to the people you ask for support your setup will go smoother
13:01 < cybertron> the vpn here is just for testing it will work at another place
13:02 < krzie> *shrug* im detaching my screen
13:02 < krzie> bbl
13:02 < cybertron> so again my vpn net is 192.168.1.0 internal net 10.1.1.0 which route need for my internal pc? :)
13:03 < steelnwool> read a basic tutorial on routing
13:03 < steelnwool> so you can invent your own logic, versus reluying on anonymous advice, that tho will work, will not help you.
13:03 < steelnwool> thing of it in terms of "all traffic from XYZ needs to get to ABC via DEF"
13:04 < steelnwool> "teach a man to fish" and all that.
13:05 < cybertron> so im wondering that i can ping 192.168.1.1 on my vpn net but nothing behind
13:06 < steelnwool> right, in order to ping something, data has to be able to travel both directions.
13:06 < steelnwool> so the ping is probably getting to the clients behind the vpn,b ut the clients do not know how to return it.
13:06 < Bushmills> !route
13:06 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:06 < Bushmills> cybertron: ^^^
13:06 < cybertron> i read it 2 times 
13:06 < steelnwool> so they need routes telling them, instead of replying to the ping via their default gateway, they need to be told to reply thru the vpn... so they need a static route added to the routing table.
13:06 < steelnwool> so you need to learn how to add static routes. now go read.
13:07 < cybertron> route add -p ^^ 
13:07 < Bushmills> cybertron: you didn't miss that bit about ip_forward?
13:07 < ecrist> steelnwool: openvpn doesn't really care about certs
13:08 < ecrist> revokations are managed in crl.pem and is read on demand
13:08 < steelnwool> ecrist: yup, i'm on board now. thanks much much for ssl-admin its nice.
13:08 < ecrist> bascially, if a cert if signed within the same chain, and isn't in crl, it's valid
13:08 < ecrist> if you don't mind my asking, which platform do you use it on
13:09 < steelnwool> i set it up on ubuntu 8.04 lts.
13:09 < NoReflex> this drives me insane...i can ping the vpn server from my machine and my machine from the VPN server...the vpn server has a network behind it that I want to access from my client. On my machine I have the route entry but it doesn't work...I tried traceroute but I only get stars *
13:09 < ecrist> did you hand-edit ssl-admin, or run configure?
13:10 < steelnwool> NoReflex: read the last 200 lines of this channel, i've describe the answer at least twice.
13:10 < steelnwool> ecrist: i ran configure.
13:10 < ecrist> excellent
13:10 < steelnwool> but i did change the make file
13:10 < ecrist> ah, what did you change?
13:11 < ecrist> if it's global, I'll update source
13:11 < ecrist> did you pull from svn?
13:11 < steelnwool> on ubuntu the group is called "nogroup" not nobody like freebsd.
13:11 < steelnwool> yeah i svn'd.
13:12 < ecrist> as you can tell, my non-freebsd packaging is pretty non-existent
13:13 < ecrist> I don't see nobody in the Makefile
13:13 < NoReflex> steelnwool: I don't undertand what to do...the route you posted there doesn't seem right to me "route add -p 10.8.0.0/24 192.168.1.14" - as I see it this tells the openvpn server it should connect to hosts in 10.8.0.0/24 (the VPN subnet) through its other NIC - the one who connects to the Internet
13:14 < steelnwool> NoReflex: as i said, that route is for MACHIENS THAT ARE NOT THE VPN MACHINE.
13:14 < steelnwool> that is for machiens that are on the same lan as the vpn.
13:14 < steelnwool> ecrist: it had to do with the chown line.
13:14 < steelnwool> ecrist: and perhaps i might make an ubuntu package for it some day :)
13:15 < steelnwool> i forget thedetails, been all over the place today.
13:19 < ecrist> that's OK, if you have time, can you give me specifics, or a patch?  also, the full URL from where you downloaded it
13:21 < rob0> http://localhost/
13:21 -!- jMyles [n=justin@rrcs-24-97-206-244.nys.biz.rr.com] has joined ##openvpn
13:23 < jMyles> With lots of help from this channel and some forums, I have my openvpn working.  :-)  However, it is quite slow.  While I get transfer rates of around 70-110Kbps using SSHD to my home machine, I get only 12-20 using openvpn.  What might be creating this bottleneck?
13:23 -!- saftsack_ [n=oliver@p579DDC9A.dip.t-dialin.net] has joined ##openvpn
13:35 -!- saftsack [n=oliver@p579DD639.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
13:37 -!- NoReflex [n=ionut@89.123.120.134] has quit ["Leaving"]
13:43 -!- ruied [n=ruied@92.250.95.7] has quit [Connection timed out]
14:26 -!- rajin [n=_@port-91406.pppoe.wtnet.de] has quit [Client Quit]
14:30 -!- ruied [n=ruied@bl7-217-61.dsl.telepac.pt] has joined ##openvpn
14:35 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
14:36 -!- ruied [n=ruied@bl7-217-61.dsl.telepac.pt] has quit []
14:57 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
14:58 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
15:05 -!- chilicuil [n=sistemas@unaffiliated/chilicuil] has quit [Read error: 104 (Connection reset by peer)]
15:14 -!- PeterFA [n=quassel@unaffiliated/peterfa] has joined ##openvpn
15:16 < PeterFA> I get an error in the TLS handshake stage. It  says, "TLS_ERROR: BIO read tls-read_plaintext error" and "VERIFY ERROR: depth=0, error=unabled to get local issuer certificate" and lists some details
15:17 < PeterFA> Should I redo all the certs and try again?
15:17 < PeterFA> Or is there a different, more appropriate solution?
15:22 < ecrist> !logs
15:22 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
15:22 -!- le0 [n=itsle0@82.132.136.129] has joined ##openvpn
15:24 < PeterFA> pastebin.com/m5a361db8
15:25 < PeterFA> That's the client.
15:27 -!- newmember_ [n=chatzill@static-66-11-81-77.ptr.terago.net] has joined ##openvpn
15:28 -!- newmember_ [n=chatzill@static-66-11-81-77.ptr.terago.net] has quit [Client Quit]
15:37 -!- STF [n=chatzill@dslb-084-061-151-073.pools.arcor-ip.net] has joined ##openvpn
15:37 < STF> hi someone of you help me with squid?
15:40 < reiffert> !notovpn
15:40 < vpnHelper> reiffert: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
15:40 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has quit [Read error: 110 (Connection timed out)]
15:41 -!- STF [n=chatzill@dslb-084-061-151-073.pools.arcor-ip.net] has left ##openvpn []
15:49 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
15:50 -!- EugeneKay [n=EugeneKa@unaffiliated/eugenekay] has joined ##openvpn
15:52 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
16:08 -!- le0 [n=itsle0@82.132.136.129] has quit [Read error: 110 (Connection timed out)]
16:16 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:18 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
16:23 < PeterFA> I was told in another channel that I probably need to disable cert verification since I made the certs myself.
16:24 < PeterFA> How do I do that? I'm currently hunting the web for that piece of info.
16:25 -!- ruied [n=ruied@bl7-217-61.dsl.telepac.pt] has joined ##openvpn
16:42 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
17:09 -!- chilicuil [n=sistemas@189.144.244.131] has joined ##openvpn
17:11 -!- poningru [n=poningru@dsl093-236-026.hfd1.dsl.speakeasy.net] has joined ##openvpn
17:32 -!- ruied [n=ruied@bl7-217-61.dsl.telepac.pt] has left ##openvpn []
17:33 -!- DarkAnt_ [n=DarkAnt@c-24-63-224-114.hsd1.ma.comcast.net] has joined ##openvpn
17:40 < rob0> OpenVPN relies on certificate verification. That's the authentication mechanism.
17:50 < Bushmills> Bis zu 5 SIM Karten für Familie und Freunde buchbar - das sind die flatrate mobilesims
17:51 < Bushmills> also das heißt glaub ich daß man damit gegen einmalige zahlung simkarten weitergeben kann 
17:51 < Bushmills> und da dann kostenlos hin anrufen kann.
17:51 -!- DarkAnt [n=DarkAnt@c-24-63-224-114.hsd1.ma.comcast.net] has quit [Read error: 110 (Connection timed out)]
17:51 -!- DarkAnt_ is now known as DarkAnt
17:51 < Bushmills> oops
17:51 < Bushmills> sry
17:54 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 54 (Connection reset by peer)]
18:16 -!- ruied [n=ruied@bl7-217-61.dsl.telepac.pt] has joined ##openvpn
18:17 -!- ruied [n=ruied@bl7-217-61.dsl.telepac.pt] has quit [Client Quit]
18:18 -!- ruied [n=ruied@bl7-217-61.dsl.telepac.pt] has joined ##openvpn
18:24 -!- Mtn_Bkng_Dave [i=whome@12.50.114.160] has joined ##openvpn
18:25 -!- saftsack_ [n=oliver@p579DDC9A.dip.t-dialin.net] has quit ["Verlassend"]
18:26 -!- ruied [n=ruied@bl7-217-61.dsl.telepac.pt] has quit []
18:34 -!- ruied [n=ruied@bl7-217-61.dsl.telepac.pt] has joined ##openvpn
18:41 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
18:42 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Operation timed out]
18:54 -!- ruied [n=ruied@bl7-217-61.dsl.telepac.pt] has quit [Read error: 54 (Connection reset by peer)]
18:54 -!- peerce [i=mudshark@hogranch.com] has joined ##openvpn
18:55 -!- ruied [n=ruied@bl7-217-61.dsl.telepac.pt] has joined ##openvpn
18:57 < peerce> in 2.1, there's support for pkcs#11 tokens.  anyone here familiar with this ?   does that go through openssl and http://www.opensc-project.org/engine_pkcs11/ ?
18:57 < vpnHelper> Title: Engine PKCS#11 (at www.opensc-project.org)
18:59 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
19:01 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
19:07 < peerce> !welcome
19:07 < vpnHelper> peerce: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:18 < peerce> mmm.  i bet Alon Bar-Lev is the only guy who knows how the pkcs code works.
19:30 < reiffert> :)
19:30 < reiffert> send him an email, he will answer.
19:35 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
19:58 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
20:07 -!- Dave1965 [i=whome@12.50.114.160] has joined ##openvpn
20:07 -!- Mtn_Bkng_Dave [i=whome@12.50.114.160] has quit [Read error: 54 (Connection reset by peer)]
20:07 -!- Dave1965 [i=whome@12.50.114.160] has quit [Remote closed the connection]
20:11 -!- Mtn_Bkng_Dave [i=whome@12.50.114.160] has joined ##openvpn
20:21 < peerce> having just spent an hour or so studying the source code, I think the answer is, no...  it has its own pkcs11 support
20:21 < peerce> i can see why...   the openssl in many popular distributions doesn't have the ENGINE_ support functions that engine_pkcs11 requires
20:22 < peerce> what a pain in the butt ... trying to find a piece of code I can understand that invokes engine_pkcs11 and thought openvpn was it :)
20:28  * EugeneKay does a little dance
20:29 < EugeneKay> I somehow managed to configure an OpenVPN Bridge without asking for help ONCE!
20:29  * EugeneKay is so proud
20:29  * EugeneKay gives everybody here a hug anyway
20:29 -!- peerce [i=mudshark@hogranch.com] has left ##openvpn []
20:30 < ecrist> good job, EugeneKay 
20:32 < EugeneKay> Of course, it'll all be broken once I change my remote network over to 10.x.0.0 subnet instead of the 192.168.x.0 it's using right now. But eh. I'll worry about that next week.
20:33 < rob0> Now, we poke a pin in your balloon and ask, "why did you need bridging?" :)
20:33 < ecrist>  GOLD STAR * 
20:33 < ecrist> wow /me is bored
20:33 < rob0> nice ANSI
20:33 < EugeneKay> Because I like the silly little icon in Windows Network Connections folder :-p
20:34  * ecrist goes to watch a movie with wife
20:41 < tjz> nice..
20:41 < tjz> :D
20:47 -!- athen4 [n=john@200.2.149.125] has joined ##openvpn
20:59 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
21:01 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has quit ["This computer has gone to sleep"]
21:20 -!- ruied [n=ruied@bl7-217-61.dsl.telepac.pt] has quit []
21:23 -!- EugeneKay [n=EugeneKa@unaffiliated/eugenekay] has quit [Read error: 54 (Connection reset by peer)]
21:24 -!- EugeneKay [n=EugeneKa@unaffiliated/eugenekay] has joined ##openvpn
21:36  * ecrist is back
21:36 < ecrist> wife fell aslseep
21:36 < ecrist> movie sucks
21:48 < EugeneKay> Sleeping GF/wife isn't a problem. It's an opportunity >_>
21:49 < ecrist> not until she's naked, in bed.
21:49 < ecrist> :)
21:49 < ecrist> couch + two cats + tightly wrapped blanket
21:49 < EugeneKay> She's  wearing *clothes* ? >_<
21:49 < ecrist> yeah, it's not the weekend, so I permit it
21:49 < ecrist> lol
21:50 < EugeneKay> I like this place xD
21:50 < ecrist> it's only fun after-hours.
21:50 < ecrist> I'm an ass most of the day.
21:50 < ecrist> or two drinks from now, depending. ;)
21:51  * EugeneKay points to his stack of empty beers
22:31 -!- athen4 [n=john@200.2.149.125] has quit [Read error: 104 (Connection reset by peer)]
22:31 -!- athen4 [n=john@200.2.149.125] has joined ##openvpn
22:50 -!- Mtn_Bkng_Dave [i=whome@12.50.114.160] has quit []
23:21 -!- Section58 [n=steve@ipt0-2.core.bsd.uk.phib3r.net] has quit [Read error: 113 (No route to host)]
23:21 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:24 -!- EugeneKay is now known as EugeneSleep
23:54 < krzee> anyone got a --client-connect script handy?
23:54 < tjz> ecrist, what movie did you watch?
23:54 < krzee> if not i guess ill start from scratch...
23:55 -!- ath3na [n=john@200.2.149.125] has joined ##openvpn
23:55 < tjz> krzee, is it server side script?
23:55 < krzee> yup it is
23:55 < krzee> !iporder
23:55 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
23:59 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit []
--- Day changed Fri Jan 22 2010
00:01 -!- athen4 [n=john@200.2.149.125] has quit [Read error: 60 (Operation timed out)]
00:24 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
00:36 -!- knish [n=rommel@187.133.76.6] has joined ##openvpn
00:39 < knish> hallo!  I've just install a linux box with 2.6.31 ( previously i've got 2.6.18 ) And all of the suddden the tun device have some changes. Is there any special guide to make openvpn up and running with linux 2.6.31?
00:39 < krzee> the openvpn side should be the same
01:00 -!- rob0 [n=rob0@tuxaloosa.org] has quit [Remote closed the connection]
01:00 -!- rob0 [n=rob0@tuxaloosa.org] has joined ##openvpn
01:36 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
01:37 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:48 -!- tarbo2_ [n=me@unaffiliated/tarbo] has quit [Read error: 110 (Connection timed out)]
01:51 -!- screenn [n=screenn@77.222.135.254] has joined ##openvpn
01:54 -!- hackeron_ [n=hackeron@cpc3-seve19-2-0-cust263.13-3.cable.virginmedia.com] has joined ##openvpn
01:56 -!- hackeron [n=hackeron@cpc3-seve19-2-0-cust263.13-3.cable.virginmedia.com] has quit [Read error: 104 (Connection reset by peer)]
02:04 -!- ath3na [n=john@200.2.149.125] has quit [Read error: 113 (No route to host)]
02:08 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
02:09 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:20 < jmm> hi.
02:30 < tjz> Hi jimm
02:30 < tjz> :)
02:30 < tjz> how may i help you?
02:34 < reiffert> :)
02:38 < tjz> lol
02:38 < tjz> :(
02:43 -!- mikey [n=mikey@88.80.28.153] has joined ##openvpn
02:44 < mikey> Anybody have any south american vpn provider recommendations?
02:47 -!- mattock [n=samuli@sparkgw.utu.fi] has joined ##openvpn
02:47 -!- mode/##openvpn [+o mattock] by ChanServ
02:58 < tjz> mikey, u need it to be in brazil?
03:06 -!- Diffen2 [n=diffen2@202.138.241.83.in-addr.dgcsystems.net] has joined ##openvpn
03:08 -!- master_of_master [i=master_o@p57B569CA.dip.t-dialin.net] has joined ##openvpn
03:11 -!- macsppadic [n=sonupunn@82.109.74.162] has joined ##openvpn
03:14 -!- EugeneSleep [n=EugeneKa@unaffiliated/eugenekay] has quit [Read error: 54 (Connection reset by peer)]
03:15 -!- EugeneKay [n=EugeneKa@unaffiliated/eugenekay] has joined ##openvpn
03:19 -!- master_o1_master [n=master_o@p57B53E99.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
03:22 < mikey> tjz: yeah
03:23 < jmm> hello guys :)
03:24 < macsppadic> hello jmm 
03:25 -!- mattock [n=samuli@sparkgw.utu.fi] has quit ["Leaving."]
03:25 -!- mattock1 [n=samuli@sparkgw.utu.fi] has joined ##openvpn
03:25 -!- mode/##openvpn [+o mattock1] by ChanServ
03:27 -!- knish [n=rommel@187.133.76.6] has left ##openvpn []
03:33 -!- ruied [n=ruied@89.180.249.125] has joined ##openvpn
03:47 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Client Quit]
03:48 < tjz> jmm, i am a patient guy
03:48 < tjz> don't worry
03:48 < tjz> mikey, ok.. i don't know any
03:48 < tjz> in brazil
03:48 < jmm> yea I got an important question for you guys.
03:50 < jmm> it's not directly openvpn related trough. some guy in debian keep tellin me to use fqdn in /etc/hostname .
03:51 < jmm> but every documentation I read say just to use the hostname.
03:51 -!- EugeneKay [n=EugeneKa@unaffiliated/eugenekay] has quit [Read error: 60 (Operation timed out)]
03:52 < reiffert> man hostname covers it all
03:52 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
03:53 < jmm> reiffert: I read it, it's not write to use fqdn in /etc/hostname .
03:54 < reiffert> it says: you cant change the fqdn with the 'hostname' command.
03:54 < jmm> what about /etc/hostname file ?
03:55 < jmm> I think just the computer name go there.
03:55 < jmm> fqdn part go in /etc/hosts, or on the dns.
03:58 -!- mattock1 [n=samuli@sparkgw.utu.fi] has quit ["Leaving."]
04:06 < mikey> jmm: i would use an actual hostname that resolves to an ip address.
04:18 < jmm> mikey: that exactly what I do.
04:18 < jmm> but someone in #debian bug me it's wrong, then he left !
04:18 < mikey> perhaps he was trolling you
04:19 < jmm> hehe it's possible, but he seemed to know well linux.
04:19 < jmm> it's a bit offtopic but thanks for the info.
04:25 -!- tjz2 [n=tjz@bb116-15-75-62.singnet.com.sg] has joined ##openvpn
04:25 < krzee> can anyone here get openvpn 2.1.1 working with a socks proxy?
04:26 < krzee> i think its broken in newer versions
04:29 < krzee> i know im doing it right, but 2.1.1 doesnt work
04:31 -!- tjz [n=tjz@unaffiliated/tjz] has quit [Read error: 60 (Operation timed out)]
04:32 < krzee> is anyone here running an old version of openvpn?
04:33 < hyper_ch> define "old" :)
04:33 < krzee> an rc, earlier would be cool
04:33 < krzee> 2.0.9
04:34 < krzee> whatever
04:34 < hyper_ch> openvpn --version
04:34 < hyper_ch> OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
04:34 < hyper_ch> :(
04:34 < krzee> try this pls
04:34 < krzee> socks-proxy 94.242.144.215
04:34 < krzee> socks-proxy-retry
04:34 < hyper_ch> what should that do?
04:34 < hyper_ch> what will that do to my current vpn?
04:34 < krzee> Jan 22 05:26:55 kief openvpn[78233]: TCP: connect to 94.242.144.215:1080 failed, will try again in 5 seconds: Operation timed out
04:35 < hyper_ch> does it need to be run on the server or on the client? as root?
04:35 < krzee> it will connect to your vpn over that socks proxy
04:35 < krzee> which i have tested in my browser to work
04:35 < krzee> on client
04:35 < krzee> in the ovpn config
04:35 -!- tjz2 is now known as tjz
04:35 < krzee> ovpn always gets started as root
04:35 < hyper_ch> now I'm totally confused what to do
04:35 < krzee> toss those 2 lines in client config
04:35 < krzee> then see if you can connect
04:36 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:36 < hyper_ch> tossed it in
04:36 < hyper_ch> restarted openvpnon the lcinet
04:36 < hyper_ch> what to do now?
04:36 < krzee> see log
04:37 < hyper_ch> log is deactivated :)
04:37 < krzee> Jan 22 05:29:28 kief openvpn[78233]: Expected Remote Options hash (VER=V4): '530fdded'
04:37 < krzee> Jan 22 05:29:28 kief openvpn[78233]: Attempting to establish TCP connection with 94.242.144.215:1080 [nonblock]
04:37 < krzee> Jan 22 05:29:38 kief openvpn[78233]: TCP: connect to 94.242.144.215:1080 failed, will try again in 5 seconds: Operation timed out
04:37 < krzee> well, do you connect to vpn?
04:37 < krzee> can you ping it?
04:37 < |Mike|> good monring krzee 
04:37 < krzee> mornin mike
04:38 < krzee> hey mike you got any old versions of ovpn handy?
04:38 < hyper_ch> Fri Jan 22 11:40:07 2010 us=537978 Attempting to establish TCP connection with 94.242.144.215:1080 [nonblock]
04:38 < hyper_ch> Fri Jan 22 11:40:08 2010 us=538115 TCP connection established with 94.242.144.215:1080
04:38 < hyper_ch> Fri Jan 22 11:40:09 2010 us=588688 recv_socks_reply: Socks proxy returned bad reply
04:38 < hyper_ch> Fri Jan 22 11:40:09 2010 us=588801 TCP/UDP: Closing socket
04:38 < hyper_ch> Fri Jan 22 11:40:09 2010 us=588842 SIGUSR1[soft,init_instance] received, process restarting
04:38 < hyper_ch> Fri Jan 22 11:40:09 2010 us=588857 Restart pause, 5 second(s)
04:38 < krzee> hrm ok so not workin in rc11
04:38 < krzee> thanx
04:38 < hyper_ch> I can take it out again and restart openvpn?
04:38 < krzee> yes
04:39 < hyper_ch> :
04:39 < hyper_ch> :)
04:39 < |Mike|> krzee: i'm running one of the old 2.x releaess yeah
04:39 < krzee> 2.0?
04:39 < |Mike|> let me check
04:39 < |Mike|> sec.
04:39 < krzee> on a client
04:41 < |Mike|> penVPN 2.1_rc20 amd64-portbld-freebsd7.2
04:41 < |Mike|> OpenVPN 2.1_rc11 arm-unknown-linux-gnueabi
04:42 < krzee> hyper tested rc11 and im using 2.1.1
04:42 < |Mike|> hmz, t
04:42 < krzee> i guess ill get 2.0 sources
04:42 < |Mike|> Yep, debian repos is already using 2.1_rc11 so i can't help you with 2.0 
04:47 < krzee> ahh nice fbsd has openvpn and openvpn20
04:52 -!- ruied [n=ruied@89.180.249.125] has quit [Read error: 113 (No route to host)]
04:55 < krzee> ok i take it back, its working again on my own socks server, nm =]
04:55 < |Mike|> hehe
05:22 -!- ruied [n=ruied@89.214.238.249] has joined ##openvpn
05:32 -!- le0_ [n=itsle0@82.132.139.243] has joined ##openvpn
05:33 < screenn> how can I know by log that client wasn't revoked by ./revoke-rull command? CRL CHECK OK, VERIFY OK, or anything else? 
05:34 < screenn> and what I'll have in log's after revoke client
05:36 < macsppadic> screenn: i believe client refused connection is what i saw in the logs when i did revoke 
05:38 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
05:45 -!- le0_ [n=itsle0@82.132.139.243] has quit ["Leaving"]
05:51 -!- ycy___ [n=mb@Noise.CS.UCLA.EDU] has joined ##openvpn
05:51 < ycy___> hi there
05:52 < ycy___> what can I use to diagnose if an udp port is correctly opened?
05:53 < hyper_ch> nmap?
05:53 < ycy___> well, it's not so reliable...
05:53 < ycy___> it says that a particular port is open
05:53 < ycy___> even if there isn't the nat on that port...
05:54 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
05:57 < _trine> my VPN works perfectly except for when I connect with wifi to a public BTFON spot; after connecting to the BTFON spot and then trying to surf the web it fails it wont let me connect to google however I can connect to my router at home over the vpn; has anyone any suggestions to correct this?
06:01 < _trine> The VPN tunnel up and working as shown by the fact that I can connect to my own LAN but I am not able to surf
06:02 < macsppadic> netstat -una ycy___ 
06:02 < macsppadic> shud should show all udp conenctions 
06:23 < _trine> http://dpaste.com/148941/
06:24 < _trine> I can use my xchat over vpn as I am doing now
06:24 < _trine> but thats because I have psybnc running inside my router I suspect
06:25 < _trine> clearly the tunnel is up and running but it wont allow surfing
06:25 < _trine> and I dont know where those ip are from in the paste I posted
06:26 < _trine> the IP address on my LAN is 192.168.123.254
06:27 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:27 < _trine> so just where 192.168.22.22 etc has come from I don't know unless that from the BTFON spot
06:36 -!- dauergast [n=sag@g226240225.adsl.alicedsl.de] has joined ##openvpn
06:43 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
06:49 < _trine> http://dpaste.com/148952/
06:49 -!- jackburke_ [n=jackburk@ip-78-137-144-70.lmk.metro.digiweb.ie] has joined ##openvpn
06:51 < jackburke_> i have setup an openvpn server and can connect successfully with a windows machine using the cert file, client cert file and key.. however trying to connect with linux and specifying the cert and ca it tells me: Parameter ca_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
06:52 < jackburke_> how do i actually put it in tls mode?
06:55 < |Mike|> !tls-auth
06:55 < vpnHelper> |Mike|: "tls-auth" is The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. see !secure for how
06:55 < |Mike|> read :)
06:55 < jackburke_> thanks
06:56 < jackburke_> !secure
06:56 < vpnHelper> jackburke_: "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
06:59 -!- athen4 [n=john@200.2.149.125] has joined ##openvpn
07:01 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
07:09 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
07:10 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
07:11 -!- Diffen [n=diffen2@c-ef75e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Read error: 110 (Connection timed out)]
07:15 -!- EugeneKay [n=EugeneKa@unaffiliated/eugenekay] has joined ##openvpn
07:20 < Bushmills> trine, test whether the name server you're using can still be reached
07:20 < Bushmills> i.e. whether your system can resolve host names
07:21  * Bushmills should re-enable display of part messages
07:21 -!- Heyraj [n=heyraj20@12.3.167.66] has joined ##openvpn
07:29 -!- screenn [n=screenn@77.222.135.254] has quit ["Leaving"]
07:34 -!- kyrix [n=ashley@mail.ic-vienna.at] has joined ##openvpn
07:37 -!- athen4 [n=john@200.2.149.125] has quit [Read error: 110 (Connection timed out)]
07:40 -!- steelnwool [n=jeff@204-232-209-119.static.cloud-ips.com] has left ##openvpn []
07:41 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:43 -!- chilicuil [n=sistemas@unaffiliated/chilicuil] has quit [Operation timed out]
07:49 -!- athen4 [n=john@200.2.149.125] has joined ##openvpn
07:54 < _trine> Bushmills: I think maybe that's my problem
07:54 < _trine> but I don't know how to overcome it
07:55 < macsppadic> shud be able to push dns server in ur config...if am not mistaken _trine sorry cant remember if u had that option in ur config 
07:55 < Bushmills> 1. use a public, free DNS.  2. run your own recursive DNS and use that one.  3. add a host route to your provider DNS
07:55 < macsppadic> or u cud just follow Bushmills statement..:-)
07:56 < Bushmills> 4. run a recursive DNS locally
07:56 < reiffert> 4 and 2 look equally to me
07:57 < _trine> Bushmills: thanks for your great suggestions but unfortunately I am a beginner in this can you help me understand how to implement your suggestions
07:57 < Bushmills> 2 was meant "on the vpn server"
07:57 < Bushmills> _trine: what operating system does your client run?
07:57 < _trine> ubuntu
07:57 -!- Heyraj [n=heyraj20@12.3.167.66] has left ##openvpn []
07:58 < _trine> the server in inside my router openwrt kamikaze
07:58 < _trine>    ^^^is
07:58 < Bushmills> that's make some things easier. what i would do is to run a small recursive dns locally.
07:58 < _trine> you mean inside openwrt
07:59 < _trine> or on my netbook
07:59 < Bushmills> should work there too, yes.   a small one would, easy to configure, would be   maradns.   check whether that's available under openwrt
07:59 < _trine> ok let me look
07:59 < _trine> thanks
08:00 < Bushmills> either.  netbook or router.
08:00 < Bushmills> (assuming your router is the vpn client)
08:00 < _trine> the router is running openvpn inside it
08:00 < _trine> so I can connect to my LAN when I am in other places
08:01 -!- screenn [n=screenn@77.222.135.254] has joined ##openvpn
08:01 < Bushmills> though adding a host route to provider DNS may be easier.  but from running a recursive DNS on your router (or netbook) you'll benefit by performance increase
08:02 < _trine> I have just installed on my router maradns - 1.3.07.09-1
08:03 < Bushmills> you need a small configuration, to tell it to run as recursive DNS.
08:03 < Bushmills> should be not more than ... 3 lines or such
08:03 < Bushmills> http://www.maradns.org/tutorial/recursive.html
08:03 < vpnHelper> Title: Recursive DNS serving (at www.maradns.org)
08:04 < _trine> this is the default config http://dpaste.com/148995/
08:04 < Bushmills> be aware that it should bind to an interface which can be connected from the network.
08:05 < Bushmills> default seems ok
08:05 < _trine> my lan is 192.168.123.254
08:05 < Bushmills> change recursive_acl="192.168.1.0/24"
08:05 < _trine> yes that's what I was thinking
08:05 < Bushmills> that tells who is allowed to query the DNS 
08:07 < _trine> are those root servers dns servers?
08:07 < Bushmills> yes. the topmost ones.
08:10 -!- ruied [n=ruied@89.214.238.249] has quit [Read error: 110 (Connection timed out)]
08:12 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
08:13 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
08:15 < _trine> do I have to change anything on my netbook to get the new maradns working that is now running inside my router
08:16 < Bushmills> yes, you want to let it know that your router is now your DNS
08:19 < vpnHelper> New forum entry openvpnforum: Introductions :: What's up? :: Author PeterJohnson <http://www.ovpnforum.com/viewtopic.php?f=11&t=2496&p=2906#p2906>
08:20 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 60 (Operation timed out)]
08:22 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
08:28 < screenn> what this ./revoke-rull script's output is means: "error 23 at 0 depth lookup:certificate revoked"
08:33 < _trine> Bushmills: you're a star it's working now thanks to your help and suggestions
08:33 < _trine> thank you
08:34 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
08:34 < Bushmills> you're welcome.  check your resolving speed now.
08:34 < _trine> how do I do that?
08:34 < Bushmills> i am sure you'll find that it beats previous speed by lengths.
08:34 < Bushmills> dig 
08:34 < _trine> yes it's quite fast now
08:35 -!- macsppadic [n=sonupunn@82.109.74.162] has left ##openvpn []
08:35 < KaiForce> Is OpenVPN GUI still the best way to install an OpenVPN client on Windows?
08:35 < KaiForce> seems dev has ceased on taht
08:39 < ecrist> KaiForce: GUI is included now
08:39 < ecrist> !download
08:39 < vpnHelper> ecrist: "download" is www.openvpn.net/download to download openvpn
08:39 < ecrist> !forget download
08:39 < vpnHelper> ecrist: Joo got it.
08:40 < KaiForce> ecrist:  cool thanks...  I wish I had checked on that a couple of years ago !
08:40 < ecrist> !learn download as http://www.openvpn.net/download to download OpenVPN
08:40 < vpnHelper> ecrist: Joo got it.
08:40 < ecrist> !gui
08:40 < vpnHelper> ecrist: Error: "gui" is not a valid command.
08:40 < ecrist> !learn gui as OpenVPN's Windows installer now includes OpenVPN GUI.  Don't bother with http://openvpn.se anymore.
08:40 < vpnHelper> ecrist: Joo got it.
08:41 < ecrist> !learn download as see !gui for more information for Windows clients.
08:41 < vpnHelper> ecrist: Joo got it.
08:48 < screenn> macsppadic: ping
08:48 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
08:49 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
08:49 < screenn> macsppadic: ./revoke-full works, just wrong way to crl.pem file in the old server.conf settings
08:50 < screenn> :)
08:50 < _trine> sorry about keep poping in and out I'm configuring my router
08:58 < screenn> after revoked client cert I have this output in log "TLS Error: TLS handshake failed" is it means client can't connect by revoked cert?
09:01 -!- ath3na [n=john@200.2.149.125] has joined ##openvpn
09:01 < ecrist> no, it means the handshake failed
09:01 < ecrist> that message usually is accompanies by other messages
09:02 < screenn> but it failed after revoked, before I hadn't nothing like that message
09:02 < screenn> and I can't connect after that sure
09:03 < ecrist> if your certificate is revoked and the server is looking to the CRL, you won't connect
09:08 -!- athen4 [n=john@200.2.149.125] has quit [Read error: 110 (Connection timed out)]
09:09 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.86 [Firefox 3.5.7/20091221164558]"]
09:12 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has left ##openvpn ["gone"]
09:18 < screenn> ecrist I know, but the question what I'll have in log, when the client is really revoked?
09:19 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
09:20 < ecrist> all I can say is try it
09:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit]
09:28 < screenn> ok, I revolved certs already yet, can I back it to previous working state again?
09:28 -!- elliotdenk [n=elliotde@VPNPOOL04-0227.UNI-MUENSTER.DE] has joined ##openvpn
09:29 < elliotdenk> what does openvpn during the initialization process before dropping priviledges (if configured to do so)?
09:31 < ecrist> elliotdenk: I don't quite understand.
09:32 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has joined ##openvpn
09:39 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has quit [Remote closed the connection]
09:41 -!- kyrix [n=ashley@mail.ic-vienna.at] has quit ["Leaving"]
09:44 -!- STF [n=chatzill@dslb-084-061-174-080.pools.arcor-ip.net] has joined ##openvpn
09:50 < ath3na> krzee, are  you there?
09:52 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has joined ##openvpn
09:57 < elliotdenk> which operations does openvpn with the root priviledges
10:05 -!- reiffert [n=thomas@88.198.83.82] has quit ["leaving"]
10:10 < rob0> Privileged operations, such as changing the route table and adding IP addresses to an interface, must be done as root. Opening the tun device and reading the SSL key file can also be done as root, but permissions can allow non-root users to do those.
10:11 < rob0> See the --persist-* options in the man page.
10:12 < elliotdenk> can I find somewhere details of the exactly done privileged operations?
10:12 < rob0> You can also start with sufficient verbosity (4-5 maybe should do it) and see what happens, when.
10:12 < elliotdenk> ok, nice idea, I'll try that
10:13 < rob0> Of course all the details are in the source, if you can't find them elsewhere.
10:16 < elliotdenk> of course...
10:16 < elliotdenk> but thx so far
10:17 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
10:21 -!- athen4 [n=john@200.2.149.125] has joined ##openvpn
10:23 -!- STF [n=chatzill@dslb-084-061-174-080.pools.arcor-ip.net] has quit ["ChatZilla 0.9.86 [Firefox 3.5.7/20091221164558]"]
10:25 -!- elliotdenk_ [n=elliotde@WL-POOL02-36.UNI-MUENSTER.DE] has joined ##openvpn
10:25 -!- ath3na [n=john@200.2.149.125] has quit [Read error: 60 (Operation timed out)]
10:26 -!- elliotdenk [n=elliotde@VPNPOOL04-0227.UNI-MUENSTER.DE] has quit [Read error: 60 (Operation timed out)]
10:26 -!- elliotdenk_ is now known as elliotdenk
10:31 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
10:34 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has quit ["ChatZilla 0.9.86 [Firefox 3.5.7/20091221164558]"]
10:39 -!- ath3na [n=john@200.2.149.125] has joined ##openvpn
10:43 -!- elliotdenk [n=elliotde@WL-POOL02-36.UNI-MUENSTER.DE] has quit []
10:47 -!- athen4 [n=john@200.2.149.125] has quit [Read error: 60 (Operation timed out)]
10:51 -!- chilicuil [n=sistemas@189.144.244.131] has joined ##openvpn
11:00 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:04 -!- G-Script50 [n=sag@f055019243.adsl.alicedsl.de] has joined ##openvpn
11:04 -!- G-Script50 [n=sag@f055019243.adsl.alicedsl.de] has quit [Remote closed the connection]
11:06 < screenn> how to assign crl.pem file way in config? 
11:08 < screenn> I copied to /etc/openvpn and have this log's output: "CRL: cannot read: /etc/openvpn/crl.pem: No such file or directory (errno=2)"
11:08 < screenn> what's wrong?
11:08 < screenn> maybe I need use tab instead space?
11:08 < screenn> or anything else :(
11:12 < screenn> ls shows /etc/openvpn/crl.pem an exists on this place! 
11:12 < screenn> readable for everybody
11:17 < ecrist> !crl
11:17 < vpnHelper> ecrist: "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with
11:17 < vpnHelper> ecrist: openvpn) that will create the CRL file for you. ssl-admin will also build a crl for you
11:18 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 60 (Operation timed out)]
11:18 -!- jMyles [n=justin@rrcs-24-97-206-244.nys.biz.rr.com] has quit [Read error: 113 (No route to host)]
11:21 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
11:22 -!- dauergast [n=sag@g226240225.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)]
11:27 -!- screenn [n=screenn@77.222.135.254] has quit ["Leaving"]
11:43 -!- kosmaty [n=mis@chello089075173119.chello.pl] has joined ##openvpn
11:46 -!- kyrix [n=ashley@chello062178167252.12.14.vie.surfer.at] has joined ##openvpn
11:48 -!- Lyndon [n=late@savolaiset.fi] has left ##openvpn []
11:57 -!- kyrix [n=ashley@chello062178167252.12.14.vie.surfer.at] has quit ["Leaving"]
12:49 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
12:56 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:31 < ath3na> hey krzee 
13:32 < ath3na> or krzie whichever's on
13:32 < krzee> hey
13:49 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
13:53 -!- teddymills [n=teddy@208.92.235.227] has quit ["Ex-Chat"]
14:08 -!- EugeneKay [n=EugeneKa@unaffiliated/eugenekay] has left ##openvpn ["Leaving"]
14:08 -!- tessier [n=treed@kernel-panic/copilotco] has joined ##openvpn
14:08 < tessier> Hello all!
14:09 < tessier> I am running the latest openvpn on Windows Vista and when it tries to add routes and do various other things it gets "access denied" in the openvpn log.
14:09 < tessier> We are logged in as administrator even. Anyone know what I might be missing?
14:20 < krzee> !logs
14:20 < vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
14:30 -!- chilicuil1 [n=sistemas@189.144.244.131] has joined ##openvpn
14:34 -!- chilicuil2 [n=sistemas@189.144.244.131] has joined ##openvpn
14:35 -!- chilicuil [n=sistemas@unaffiliated/chilicuil] has quit [Read error: 104 (Connection reset by peer)]
14:41 < tessier> Some googling suggests I need to add route-method exe and route-delay 2
14:42 < tessier> As well as turn off UAC and login as administrator.
14:42 < tessier> I hate windows.
14:46 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
14:51 -!- chilicuil1 [n=sistemas@189.144.244.131] has quit [Connection timed out]
15:03 < tessier> yeay, it works!
15:39 -!- nebula_ [i=nebula@75-54-230-125.lightspeed.sntcca.sbcglobal.net] has joined ##openvpn
15:39 < nebula_> am I using this directive correctly? (ifconfig_broadcast=192.168.210.0/24
15:40 < nebula_> ifconfig_broadcast
15:40 < nebula_> or should it be ifconfig_broadcast=192.168.210.255
15:41 -!- ath3na [n=john@200.2.149.125] has quit [Read error: 110 (Connection timed out)]
15:52 < nebula_> anyone?
16:08 -!- Zordrak_ [n=jaz@87-194-141-163.bethere.co.uk] has joined ##openvpn
16:23 -!- Zordrak [n=jaz@87-194-141-163.bethere.co.uk] has quit [Read error: 110 (Connection timed out)]
16:43 < krzee> !ptpp
16:43 < vpnHelper> krzee: Error: "ptpp" is not a valid command.
16:43 < krzee> !pptp
16:43 < vpnHelper> krzee: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
16:43 < vpnHelper> krzee: read about why to not use pptp
16:45 -!- athen4 [n=john@200.2.149.125] has joined ##openvpn
16:47 < krzee> !factoids search win
16:47 < vpnHelper> krzee: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', 'win7', 'winnat', 'win_ipfail', 'win2k8', and 'sudowin'
16:47 < krzee> !win_rollup
16:47 < vpnHelper> krzee: "win_rollup" is (#1) http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package-Rev1.1.html for a doc on HowTo Roll Your Own OpenVPN Windows Installation Package, or (#2) http://gentoo-wiki.com/HOWTO_OpenVPN_RoadWarrior#For_Installation_on_Windows_Client for a batch you can use to install certs in win client automagically
16:48 < krzee> !factoids search auth
16:48 < vpnHelper> krzee: 'tls-auth' and 'authpass'
16:48 < krzee> !authpass
16:48 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
16:58 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
17:14 -!- kisom [n=kisom@c-9fdce155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Remote closed the connection]
17:29 -!- jackburke_ [n=jackburk@ip-78-137-144-70.lmk.metro.digiweb.ie] has quit [Read error: 110 (Connection timed out)]
17:41 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Client Quit]
17:42 -!- tessier [n=treed@kernel-panic/copilotco] has left ##openvpn ["Leaving"]
17:46 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
17:48 -!- Diffen2 [n=diffen2@202.138.241.83.in-addr.dgcsystems.net] has quit ["This computer has gone to sleep"]
17:57 -!- derRichard [n=derRicha@ununbium.nod.at] has left ##openvpn []
18:00 < nebula_> no one home huh
18:00 < nebula_> its okay!
18:00 < nebula_> take care guys
18:00 < nebula_> OpenVPN is great!
18:00 -!- nebula_ [i=nebula@75-54-230-125.lightspeed.sntcca.sbcglobal.net] has quit ["nebula_ has no reason"]
18:11 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Connection reset by peer]
18:25 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
18:25 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Client Quit]
18:35 -!- Diffen [n=diffen2@c-3477e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
18:39 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
18:49 -!- Dougy [n=me@vpn.douglashaber.com] has joined ##openvpn
18:50 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
18:54 -!- zamba_ [i=marius@flage.org] has joined ##openvpn
18:58 -!- zamba [i=marius@flage.org] has quit [Read error: 110 (Connection timed out)]
18:59 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
19:01 -!- kosmaty [n=mis@chello089075173119.chello.pl] has left ##openvpn []
19:51 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
19:57 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
19:58 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
20:16 < Dougy> evenin
20:36 -!- athen4 [n=john@200.2.149.125] has quit ["Leaving"]
21:07 -!- DarkAnt [n=DarkAnt@c-24-63-224-114.hsd1.ma.comcast.net] has quit [" HydraIRC -> http://www.hydrairc.com <- The professional IRC Client :D"]
21:38 -!- TDJACR [n=TDJACR@unaffiliated/tdjacr] has joined ##openvpn
21:40 < TDJACR> I am looking for a solution to connect 192.168.10.0/24 to 192.168.15.0/24 in two different locations. I want it to be invisible to the client. In a client-server config, is the connection always open (what if I was the client, and needed to send to server)?
21:44 < TDJACR> Also, can I set up a routing scheme in which both subnets can access eachother without NAT?
21:54 < Bushmills> what is routed through any machine outside of openvpn, is not secured by openvpn
21:54 < Bushmills> and yes, you mentioned the magic word: "routing"
21:59 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
22:07 -!- TDJACR [n=TDJACR@unaffiliated/tdjacr] has left ##openvpn ["Part"]
22:17 -!- chilicuil2 [n=sistemas@189.144.244.131] has quit [Read error: 60 (Operation timed out)]
22:38 -!- darkdrgn2k3 [n=darkdrgn@bas2-toronto44-1242515082.dsl.bell.ca] has joined ##openvpn
22:44 < darkdrgn2k3> Ok i setup a TAP internface as follows: http://imagebin.org/81377
22:44 < vpnHelper> Title: Imagebin - A place to slap up your images. (at imagebin.org)
22:45 < darkdrgn2k3> im trying to get routing going getween the 31 and 41 networks..
22:45 < darkdrgn2k3> what am i missing?
22:56 < Dougy> FUCK
22:56 < Dougy> spamming assholes
22:59 < rob0> Imagebin? Strange place to post a link for text content.
23:03 < darkdrgn2k3> ?
23:03 < darkdrgn2k3> rob0: http://imagebin.org/81378 <- updated LOL
23:04 < vpnHelper> Title: Imagebin - A place to slap up your images. (at imagebin.org)
23:04 < rob0> Oh I'm reading this in console, I am not going to start a GUI to look at a picture.
23:05 < darkdrgn2k3> aaa i see
23:05 < darkdrgn2k3> fair enough
23:05 < darkdrgn2k3> ok i got a win2k3 server running OPENVPN client
23:05 < darkdrgn2k3> and a openwrt gateway running openvpn server (TAP)
23:06 < darkdrgn2k3> i added a route on the gateway on the 2k3 side to 192.168.41.0    192.168.31.66   (66 being the openwrt serveR)
23:06 < darkdrgn2k3> it alsmost seems i cant ping across the two networks on the win2k server
23:07 < darkdrgn2k3> only the win2k server cna ping both networks
23:08 < rob0> !route
23:08 < vpnHelper> rob0: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
23:08 < darkdrgn2k3> k.. thanx
23:09 < darkdrgn2k3> what teh diff between iroute and route
23:11 -!- lampliter [n=chatzill@c-76-19-126-1.hsd1.ma.comcast.net] has joined ##openvpn
23:12 < rob0> iroute simply tells openvpn how to handle an unknown network, internally
23:12 < rob0> route sets system routing table entries
23:13 < darkdrgn2k3> aaa i get it thanx
23:14 < rob0> !iroute
23:14 < vpnHelper> rob0: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
23:17 < lampliter> got a bit a problem:  need to run 1-3 links at once but not always the same N links. 
23:17 < lampliter> what is the best way to allocate tun's and handle dns
23:19 < krzee> lampliter, huh?
23:20 < lampliter> ok it is like this
23:20 < krzee> rob0, nice explanation, most concise explanation ive heard
23:21 < lampliter> I'm dealing with three networks. My own, client A, client B
23:22 < rob0> yeah, but the factoid fleshes it out as is probably needed more often
23:22 < lampliter> sometimes, I need to be connected all three of them (when I'm way out in left field :-)
23:22 < vpnHelper> New forum entry openvpnforum: Installation Help :: Re: OpenVPN on Windows XP - Cant install TAP-Win32 device driver :: Reply ... <http://www.ovpnforum.com/viewtopic.php?f=5&t=2483&p=2911#p2911>
23:22 < lampliter> and sometimes I'm only connected to two
23:23 < lampliter> in any case, as I start adding more networks, I get into an interesting problem with allocating the virtual ethernet device to different VPNs 
23:24 < lampliter> the second problem is dealing with DNS. Each network has its own internal DNS with private names. Open VPN already has a problem with local versus remote DNS. This makes it worse
23:24 < lampliter> so, any ideas?
23:24 < krzee> [01:23]  <lampliter> in any case, as I start adding more networks, I get into an interesting problem with allocating the virtual ethernet device to different VPNs 
23:25 < krzee> thought about static devices?
23:25 < lampliter> sure. I'm on Windows 7 and networking is royally screwed anyway. :-)
23:25 < krzee> oh windows
23:25 < lampliter> Yeah. Joys of being crippled and meeting speech recognition.
23:25 < krzee> bleh i havnt used windows since before vista came out
23:26 < lampliter> I'll stop complaining about as soon as I get enough money to make NaturallySpeaking work on linux
23:26 < lampliter> :-)
23:26 < krzee> get a mac =]
23:26 < lampliter> no good speech recognition there either
23:26 < lampliter> besides, I really don't think user interfaces should be videogames unless there are first-person shooter....
23:27 < krzee> how does windows handle having many diff vpns, does it give you an interface per vpn you connect to?
23:28 < krzee> ild think no
23:29 < krzee> what is this interesting problem you speak of?
23:29 < lampliter> you need to create a tun for each active VPN
23:30 < krzee> ok so its already static interfaces
23:31 < lampliter> it looks like a configuration file requires specification of what tun interfaces is used for that VPN
23:31 < Dougy> hm
23:31  * Dougy should learn some perl
23:31 < lampliter> try Python. I've used Perl and I will never go back
23:31 < Dougy> Python meh
23:31 < Dougy> i'm doing something simple..
23:31 < krzee> Dougy, i know a lot of people who say that
23:31 < Dougy> a menu
23:32 < Dougy> krzee: which
23:32 < Dougy> i just said a few things
23:32 < krzee> [01:31]  <lampliter> try Python. I've used Perl and I will never go back
23:32 < Dougy> i hear that a lot
23:32 < lampliter>  there's a reason why
23:32 < Dougy> i like sub {} in perl
23:32 < Dougy> its nice
23:32 < Dougy> makes my job easy
23:33 < krzee> theres just so few things i cant do in bash
23:33 < darkdrgn2k3> can openvpn TAP be routable/
23:33 < Dougy> krzee: i dont write scripts for much
23:33 < lampliter> yeah, the fact that it's space sensitive is little weird but the lack of EOL semicolons is really nice
23:33 < Dougy> i could probably do this in bash too
23:34 < krzee> darkdrgn2k3, yes but it will still tunnel layer2 traffic, unless you are using windows in which case you can say dev tun and tap interface does tun mode
23:34 < Dougy> its just something for first logi nto VPS. it prompts about if they want to install a CP, what one, and if they say yes, installs it.. if they say no.. exit.. and just seds itself out of a file
23:35 < darkdrgn2k3> krzee: my server is on linux, and added the tun interface to a vlan
23:35 < Dougy> my project for tomorrow..
23:35 < darkdrgn2k3> krzee: i cant seem to figure out how to setup routes
23:35 < Dougy> freenas.
23:35 < lampliter> so sounds like for the moment, she just statically allocate open VPN interfaces.
23:35 < darkdrgn2k3> "iroute only  works with tun-style tunnels"
23:35 < lampliter> Sir, speech recognition air
23:36 < Dougy> lampliter: what about speech recognition
23:36 < krzee> darkdrgn2k3, do you have a specific layer2 protocol you need over the vpn?
23:36 < lampliter> I use speech recognition, it makes mistakes, I correct some.
23:36 < Dougy> lampliter: are you blind or something
23:36 < Dougy> oh
23:36 < Dougy> speech recognition
23:36 < Dougy> nvm
23:36  * Dougy headdesk
23:36 < lampliter> np
23:36 < Dougy> good thing i caught that before i got trolled
23:38 < krzee> lampliter, you tried specifying the device per config?
23:39 < Dougy> python seems usable
23:39 < Dougy> lampliter: is there something like sub {} in python like there is in perl
23:39 < Dougy> Im sure there is
23:39 < Dougy> but what is it
23:39 < Dougy> I like being able to &initMenu instead of 20 lines
23:39 < lampliter> anyway, the next problem is handling DNS. How to I access names in the different zones? (I.e. their own name servers)
23:40 < lampliter> what is sub{} (it's been 15 years)
23:40 < darkdrgn2k3> krzee: not really, but i like the fact i can bridge it with a specific vlan
23:41 < krzee> lampliter, dunno bout the DNS one... you could make a NS that forwards to each of those remote ones and a recursive one, best i can think up
23:42 < lampliter> then I will need a name server on Windows
23:42 < krzee> i cant be much help with the bridge
23:43 < krzee> im gunna passout, nite all
23:44 < Dougy> lampliter: um
23:44 < lampliter> yes?
23:45 < Dougy> basically its like function() {} in PHP i think.. sub Name { echo ""; echo ""; } and so on..then just putting &Name; in the code
23:45 < Dougy> displays the whole 'sub'
23:45 < Dougy> albeit a bit different then php
23:45  * Dougy is not a coder obviousyl
23:45 < lampliter> ah
23:45 < lampliter> def xyzzy (a1, a2, a3.,):
23:46 < Dougy> how do you call def back later on
23:46 < lampliter> z= xyzzy(1,2,3)
23:46 < lampliter> method or function
23:46 < Dougy> as in, this is a series of prompts, ie press 1 and enter, then 2 and enter.. and then it pulls back main menu
23:47 < Dougy> subroutes i guess it would be called? 
23:47 < lampliter> methods if class, functions if not
23:48 < Dougy> meh, ill have to google
23:48 < Dougy> that is over my head
23:49 < lampliter> k
23:49 < Dougy> so if i did.. def menu():
23:49 < Dougy> it'd be just menu() later?
23:50 < lampliter> y
23:50  * Dougy googles python if statements
23:50 < lampliter> if predicate:
23:51 < Dougy> so if i am seeing this properly
23:51 < Dougy> python is anal about spacing?
23:53 < lampliter> yes
23:53 < lampliter> with a good IDE, it's really not a problem
23:54 < Dougy> hmm.. thats annoying
23:54 < lampliter> seriously, I have over 30 years experience with a variety of languages, Python is the best of seen so far
23:54 < lampliter> which also explains why my hands are broken and I use speech recognition
23:59 < lampliter> ah, foound a hint
23:59 < Dougy> this space formatting is confusing the f out of me
23:59 < Dougy> will have to sort tomorrow
23:59 < Dougy> night
23:59 < lampliter> 3 line paste ok?
--- Day changed Sat Jan 23 2010
00:00 -!- Dougy [n=me@vpn.douglashaber.com] has quit []
00:02 -!- zamba_ is now known as zamba
00:18 -!- Zordrak [n=jaz@87-194-141-163.bethere.co.uk] has joined ##openvpn
00:27 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
00:31 -!- Zordrak_ [n=jaz@87-194-141-163.bethere.co.uk] has quit [Read error: 110 (Connection timed out)]
01:02 -!- harlan [n=harlan@ntp/programmemanager/harlan] has joined ##openvpn
01:05 < harlan> I'm running openvpn on a (freebsd7) machine where I am also running named on an aliased IP.  Lately I find that VPN clients cannot do name resolution.  I think I removed all of the restrictions in named.conf, but there's a chance I missed something.  Any idaes?
01:05 < lampliter> I think this is a very common problem
01:06 < harlan> I'd surf the net but right now the VPN is up so I can't do name resolution (this window was up before I fired up openvpn)
01:06 < lampliter> typically shows up first as being able to resolve names on the far side but not the near side
01:08 < rob0> getting timeouts, or denied?
01:08 < harlan> dig @ip-of-named dom.ain
01:08 < harlan> ...
01:08 < harlan> ;; Got answer:
01:08 < harlan> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 40972
01:11 < harlan> and if I run that same query directly on the machine where I run named and openvpn, it resolves just fine.
01:15 < rob0> well just check your ACLs and allow-query settings
01:16 < harlan> will do - thanks.
01:16 < rob0> what I did, lame, I added 192.168.0.0/16 to a trusted acl :)
01:17 < rob0> allow-recursion too, you might need that
01:17 < harlan> I notice I can resolve machines on the internal LAN from openvpn-connected hots
01:17 < harlan> hosts
01:17 < harlan> yeah, that's where I was headed next
01:17 < rob0> yeah, it's allowing auth queries but not recursion
01:18 < harlan> but those work for machines on the LAN.
01:18 < harlan> Strange...
01:20 -!- darkdrgn2k3 [n=darkdrgn@bas2-toronto44-1242515082.dsl.bell.ca] has quit [Read error: 110 (Connection timed out)]
01:28 < lampliter> can I add a route on the client-side configuration?
01:30 < harlan> allow-recurison did it - thanks!
01:30 < rob0> yw
01:31 < harlan> lampliter: use: push "route a.b.c.d ne.tm.as.k"
01:31 < harlan> or do I misunderstand?
01:32 < lampliter> is that what I would use on the client side (i.e. my laptop). For example, I don't want to give everybody access to both subnets so I leave one off and set the client only for the few that get access to both subnets
01:33 < harlan> I have lines like that in my server config, and they get pushed to clients.
01:34 < harlan> Do you use dhcp?
01:35 < lampliter> yes I do
01:35 < lampliter> but like I said, I only want a couple of clients to have access to both networks
01:35 < harlan> You can probably have dhcp push extra routes to your client then.
01:36 < lampliter> I can probably fake something. Right now I'm having trouble getting multiple links up at the same time
01:36 < harlan> but it may be easier to put these routes on your laptop, unless you only want them when the vpn is up.
01:36 < lampliter> I only want them when the VPN is up
01:36 < harlan> 'k.  I haven't done that.
01:37 < harlan> the openvpn config file says there is a ccd/ subdirectory and the openvpn man page has client-specific info in it.
01:38 < lampliter> TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use (WSAEADDRINUSE)
01:38 < harlan> or a --client-connect script
01:39 < harlan> good luck - time for me to sleep.
01:41 -!- harlan [n=harlan@ntp/programmemanager/harlan] has left ##openvpn []
02:29 -!- hyper_ch [n=hyper_ch@ks357331.kimsufi.com] has left ##openvpn ["Konversation terminated!"]
02:44 -!- hyper_ch [n=hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
03:00 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
03:08 -!- master_o1_master [n=master_o@p57B55138.dip.t-dialin.net] has joined ##openvpn
03:19 -!- master_of_master [i=master_o@p57B569CA.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
03:22 -!- onats [n=onats@unaffiliated/onats] has quit [Remote closed the connection]
03:45 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:52 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
03:53 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
04:00 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has quit ["This computer has gone to sleep"]
04:08 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:18 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Read error: 101 (Network is unreachable)]
04:30 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
04:33 -!- Diffen2 [n=diffen2@202.138.241.83.in-addr.dgcsystems.net] has joined ##openvpn
05:05 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection]
05:21 -!- Diffen2 [n=diffen2@202.138.241.83.in-addr.dgcsystems.net] has quit [Read error: 110 (Connection timed out)]
05:22 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:29 -!- jackburke_ [n=jackburk@ip-78-137-144-70.lmk.metro.digiweb.ie] has joined ##openvpn
05:33 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
05:47 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
06:06 -!- dazo_h [n=dazo@212.71.72.138] has joined ##openvpn
06:06 -!- dazo_h is now known as dazo_wrk
06:19 -!- screenn [n=screenn@94-248-28-35.dynamic.peoplenet.ua] has joined ##openvpn
06:20 < screenn> is it possible to decrease internet traffic when openvpn client works?
06:24 < hyper_ch> screenn: what do you mean?
06:24 < screenn> it use a large traffic
06:25 < hyper_ch> what do you mean?
06:52 -!- Diffen2 [n=diffen2@202.138.241.83.in-addr.dgcsystems.net] has joined ##openvpn
06:58 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
07:02 -!- darkdrgn2k3 [n=darkdrgn@bas2-toronto44-1242515082.dsl.bell.ca] has joined ##openvpn
07:08 -!- Diffen2 [n=diffen2@202.138.241.83.in-addr.dgcsystems.net] has quit [Read error: 60 (Operation timed out)]
07:21 -!- darkdrgn2k3 [n=darkdrgn@bas2-toronto44-1242515082.dsl.bell.ca] has quit [Read error: 110 (Connection timed out)]
07:39 -!- screenn [n=screenn@94-248-28-35.dynamic.peoplenet.ua] has quit ["Leaving"]
07:41 < _trine> I just rebooted so I could have missed anything said to me in the last few minutes
07:55 -!- Diffen2 [n=diffen2@202.138.241.83.in-addr.dgcsystems.net] has joined ##openvpn
08:10 -!- dunc_ [n=dunc@2a01:348:1d2:1212:226:5aff:fe09:42e3] has joined ##openvpn
08:12 < hyper_ch> _trine: you could use a bnc service :)
08:15 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Read error: 113 (No route to host)]
08:21 -!- dunc [n=dunc@2a01:348:1d2:1212:226:5aff:fe09:42e3] has joined ##openvpn
08:21 -!- yoshx [n=yoshx@38.115.119-80.rev.gaoland.net] has joined ##openvpn
08:23 -!- diffen3 [n=diffen2@202.138.241.83.in-addr.dgcsystems.net] has joined ##openvpn
08:25 < _trine> hyper_ch, you're right ,, and infact I do do that but for some reason since I put psybnc inside my router I don't get those notifications anymore
08:26 < hyper_ch> znc :)
08:27 -!- Diffen2 [n=diffen2@202.138.241.83.in-addr.dgcsystems.net] has quit [Read error: 110 (Connection timed out)]
08:31 -!- dazo_wrk [n=dazo@212.71.72.138] has quit ["Leaving"]
08:33 -!- dunc_ [n=dunc@2a01:348:1d2:1212:226:5aff:fe09:42e3] has quit [Read error: 111 (Connection refused)]
08:39 -!- darkdrgn2k3 [n=darkdrgn@bas2-toronto44-1242515082.dsl.bell.ca] has joined ##openvpn
08:41 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Remote closed the connection]
08:42 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
08:43 < _trine> hyper_ch, I don't think that will work on my psybnc which I have installed in my router
08:43 < hyper_ch> well, znc is a bnc also... I run it on one of my servers :)
08:44 < _trine> yes i have just found it
08:45 -!- darkdrgn2k3 [n=darkdrgn@bas2-toronto44-1242515082.dsl.bell.ca] has quit [Client Quit]
08:45 < _trine> I may try that later
08:45 < _trine> thanks
08:52 -!- CaBa [i=caba@unique-inter.net] has left ##openvpn []
09:06 -!- jackburke_ [n=jackburk@ip-78-137-144-70.lmk.metro.digiweb.ie] has quit [Read error: 110 (Connection timed out)]
09:21 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
09:31 -!- diffen3 [n=diffen2@202.138.241.83.in-addr.dgcsystems.net] has quit [Client Quit]
09:31 -!- Diffen2 [n=diffen2@202.138.241.83.in-addr.dgcsystems.net] has joined ##openvpn
09:38 -!- Zordrak [n=jaz@87-194-141-163.bethere.co.uk] has quit [Read error: 60 (Operation timed out)]
09:39 -!- Zordrak [n=jaz@87-194-141-163.bethere.co.uk] has joined ##openvpn
09:57 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
09:57 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
10:13 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:29 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
11:48 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
12:00 -!- Diffen2 [n=diffen2@202.138.241.83.in-addr.dgcsystems.net] has quit ["This computer has gone to sleep"]
12:10 -!- reiffert [n=thomas@mail.webersheim.de] has quit ["leaving"]
13:06 -!- yoshx [n=yoshx@38.115.119-80.rev.gaoland.net] has quit [Remote closed the connection]
13:17 -!- PeterFA [n=quassel@unaffiliated/peterfa] has quit [Read error: 113 (No route to host)]
13:54 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
14:26 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
14:43 < cybertron> hi any idea how i can use the host names behind the vpn lan? so i tried to add the lan ip/hostname into the hosts file but doenst work :/ or is there away how i can use the internal dns server?
14:44 < |Mike|> internal dns :)
14:44 < cybertron> so i mean there is a win server width ad/dns
14:45 < cybertron> how can I tell the client the dns with .conf file?
14:47 < hyper_ch> adding to hosts file should work just fine
14:48 < cybertron> doesnt find anything
14:48 < hyper_ch> then you do something wrong
14:48 < hyper_ch> you're on windows?
14:48 < cybertron> yes
14:49 < cybertron> client win server linux
14:49 < hyper_ch> IIRC windows needs to be rebooted before changes in the hosts files come into effect
14:49 < cybertron> ah k I'll try
14:50 < cybertron> reboot the master commands
14:50 < cybertron> -s
14:50 < hyper_ch> only on windows
14:50 < hyper_ch> on linux reboots are non-necessary anymore :)
14:51 < cybertron> i meant at win hehe 
14:54 < cybertron> hm nothing hyper_ch 
14:54 < cybertron> ping host works fine but \\nexi no :/
14:54 < |Mike|> http://www.linkedin.com/groups?gid=2599481&trk=anetsrch_name&goback=%2Egdr_1264280042138_1
14:54 < vpnHelper> Title: OpenVPN group | LinkedIn (at www.linkedin.com)
14:54 < hyper_ch> if ping works fine then it's not a networking issue
14:54 < hyper_ch> rather sounds like an ad problem or something
14:55 < hyper_ch> no clue about all that windows stuff thingies
14:55 < cybertron> erm ok my fault, atm here is no AD just locals 
15:00 < |Mike|> hyper_ch / cybertron are you guys member of the OpenVPN linkedin group yet ? :)
15:00 < hyper_ch> |Mike|: no
15:01 < |Mike|> planning to join?
15:01 < hyper_ch> |Mike|: are you?
15:01 -!- Diffen2 [n=diffen2@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
15:01 < |Mike|> Yes, I did join it a few weeks ago.
15:01 < hyper_ch> |Mike|: I'm not on facebook either
15:01 < hyper_ch> |Mike|: I don't have an open id
15:01 < hyper_ch> I value my privacy ;)
15:01 < |Mike|> LinkedIn is more business to business imho
15:02 < |Mike|> hyper_ch: I see, i can understand that :)
15:03 < cybertron> no Im not in :)
15:04 < hyper_ch> |Mike|: I don't really see any benefits from those social networking sites even if they proclaim to be b2b
15:04 < cybertron> i'm only on xing and that cauz my boss want it :)
15:04 < |Mike|> I did get my current job trough LinkedIn, and it's good to do some social stuff tho
15:04 < hyper_ch> I'm a totally asocial guy :)
15:05 < |Mike|> And then again, we do marketing via twitter / linkedin aswell :p
15:05 < hyper_ch> |Mike|: good for you... marketing is restricted for my field of work
15:06 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 60 (Operation timed out)]
15:06 < |Mike|> what kind of work do you do hyper_ch ?:)
15:06 < hyper_ch> lawyer and notary public
15:07 < |Mike|> Okay, that sounds somewhat different than IT technician :P
15:07 < hyper_ch> :)
15:07 < cybertron> I think xing is the same way live linkedin :)
15:08 < hyper_ch> xing and linkedin have the same goal
15:09 < |Mike|> linkedin is probably more accepted. 
15:09 < |Mike|> ( i never heard about Xing)
15:09 < hyper_ch> depends
15:10 < hyper_ch> german speaking room you better use xing
15:10 < cybertron> right :)
15:13 < |Mike|> I see
15:13 < |Mike|> Who just joined openvpn @ linkedin ? :)
15:13 < hyper_ch> was not me
15:18 < krzie> you start that mike?
15:20 < krzie> oh nm i just saw you say you joined recentgly
15:20 < krzie> -g
15:21 < |Mike|> krzie: Arno Kruse started that, I know him IRL
15:21 < krzie> ahh cool
15:23 -!- linxisp [n=linxisp@195-23-27-78.static.net.novis.pt] has joined ##openvpn
15:25 < linxisp> hello, anyone could pls tell me how can i set openvpn server a specific gateway address to vpn clients?
15:25 < cybertron> hm any idea how i can openvpn log? so i found nothing in my log/messages
15:25 < krzie> see --log in manual
15:26 < krzie> but --daemon should send it to syslog as well
15:26 < cybertron> it is
15:26 < krzie> linxisp i dont know what you mean
15:26 < krzie> cybertron what is
15:26 < cybertron> but i use an wrt openvpn not the standard install i think
15:27 < krzie> <krzie> see --log in manual
15:27 < cybertron> ah moment
15:27 < cybertron> i had ;)
15:27 < cybertron> i did i mean
15:29 < krzie> so you see howto bypass syslogd and just write to a file you specify
15:29 < linxisp> lol i'm sorry, i also didnt understood what i said :p the problem is that the vpn clients dont get any gateway on the vpn connection, they only get ip and dns
15:29 < krzie> linxisp bridge?
15:29 < cybertron> krzie: problem is, that I use dd-wrt not an normal linux
15:29 < linxisp> yes
15:29 < krzie> cybertron nope, thats not a problem
15:29 < krzie> !router
15:29 < vpnHelper> krzie: "router" is if you are using one of those hacked up linksys linux routers, and you are not logging... dont expect help until you turn on logging so you can post them
15:30 < krzie> linxisp when i used bridging a couple yrs ago i had to put an add route for gateway in the bridge script
15:40 < cybertron> doenst work... 
15:41 < krzie> cybertron try starting syslog then
15:41 < |Mike|> debian?
15:41 < |Mike|> oh, dd-wrt
15:42  * hyper_ch prefers tomato over dd
15:49 < linxisp> krzie thank you :)
15:49 -!- linxisp [n=linxisp@195-23-27-78.static.net.novis.pt] has left ##openvpn []
15:50 < |Mike|> :-)
15:51 < cybertron> syslog is running
15:51 < cybertron> my problem is that openvpn after some hours/days...is killing it self and down know why
15:53 < |Mike|> we have the same problem at a company where we deployed openvpn
15:53  * |Mike| blames LDAP
15:55 < cybertron> bad hehe
15:56 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
15:56 < |Mike|> yes.
15:57 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
15:57 < cybertron> is there any way to read out the common name from the server cert?
15:57 < |Mike|> openssl from the command line imho.
15:59 < krzie> !factoids search cert
15:59 < vpnHelper> krzie: 'servercert', 'certs', 'nocert', 'certinfo', and 'certverify'
15:59 < krzie> !certinfo
15:59 < vpnHelper> krzie: "certinfo" is please run `openssl x509 -in <file> -noout -text` for ca,server,client certs and pastebin the results
15:59 < |Mike|> krzie: :-)
15:59 < krzie> you dont need to pastebin anything, thats the command
16:00 < cybertron> hehe thx
16:00 -!- Guest41881 [n=nappy@123-247.97-97.tampabay.res.rr.com] has quit [Client Quit]
16:01 -!- Nappy [n=nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
16:04 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 60 (Operation timed out)]
16:07 < cron2> Irssi 0.8.14 (20090728) - http://irssi.org/ ebd
16:07 < vpnHelper> Title: Irssi - The client of the future (at irssi.org)
16:08 < cron2> oops, sorry
16:14 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Read error: 110 (Connection timed out)]
16:16 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
16:44 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
16:45 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
16:56 < Bushmills> cybertron: run openvpn in a shell, not daemonized
16:58 < Bushmills> that may catch error messages which aren't logged
16:59 -!- meepmeep [i=meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
17:02 < meepmeep> Hi, i'm kinda of new on openvpn .. and I have 2 questions (I get part of the answer, but i need to validate here ..) . I have an ipv4/28, and I would like to use on of my public ip address for openvpn client (only 1, me). Is it the same things as bridging ethernet ?
17:02 -!- Dougy [n=me@ool-435033e6.dyn.optonline.net] has joined ##openvpn
17:04 -!- Optic [n=Optic@miso.capybara.org] has left ##openvpn []
17:43 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
17:44 < Dougy> http://exchange.nagios.org/directory/Plugins/Network-Connections%2C-Stats-and-Bandwidth/check_hetzner-%252D-checking-monthly-traffic-limit-of-your-servers/details
17:44 < vpnHelper> Title: Nagios Exchange - check_hetzner - checking monthly traffic limit of your servers (at exchange.nagios.org)
17:44 < Dougy> for you hetzner people
18:44 -!- lampliter_ [n=chatzill@c-76-19-126-1.hsd1.ma.comcast.net] has joined ##openvpn
18:45 -!- lampliter [n=chatzill@c-76-19-126-1.hsd1.ma.comcast.net] has quit [Read error: 60 (Operation timed out)]
18:45 -!- lampliter_ is now known as lampliter
18:46 -!- lampliter [n=chatzill@c-76-19-126-1.hsd1.ma.comcast.net] has quit [Client Quit]
18:46 -!- Diffen2 [n=diffen2@78-82-118-208.tn.glocalnet.net] has quit ["This computer has gone to sleep"]
19:12 -!- daemon [n=paul@cpc1-linc11-2-0-cust594.12-1.cable.virginmedia.com] has joined ##openvpn
19:12 < daemon> hey all
19:12 < daemon> I have a serer runnign in 'server' mode
19:12 < daemon> two clients one on 'xl0' the other on 'xl1'
19:13 < daemon> all can connect and authenticate
19:13 < daemon> but non can contact each other or the server
19:13 < daemon> the server is: ifconfig 172.31.1.1 255.255.255.252
19:13 < daemon> client1 is .2
19:13 < daemon> client2 is .3
19:13 < daemon> I have 'client-to-client' specified
19:13 < daemon> what could the problem be?
19:39 < krzie> client1 is .2... you sure?
19:40 < krzie> you using topology subnet?
19:45 -!- dunc [n=dunc@2a01:348:1d2:1212:226:5aff:fe09:42e3] has quit [Read error: 113 (No route to host)]
19:45 < krzie> !/30
19:45 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
19:47 < Bushmills> "I did what it says ... reading about topology ...  but nothing has changed"  :D
19:48 < daemon> krzie, Bushmills 
19:48 < daemon> ok all working :)
19:48 < daemon> but one of my remote clients is having trouble with TLS negotiation
19:49 < daemon> he is firewalled inbound for both udp and tcp
19:49 < daemon> how do I get around that
19:49 < Bushmills> use a port/protocol which isn't firewalled. PITA to do that for one single client
19:50 < daemon> Bushmills, he is totally firewalled inbound
19:50 < daemon> he only has outbound
19:50 < daemon> behind a dodgy nat
19:52 < Bushmills> totally firewalled inbound is just as good as not having any connection at all
19:52 < daemon> some other vpn software works 'habari' I think its called so I figured openvpn would
19:53 < daemon> hamachi
19:53 < daemon> sorry
19:53 < Bushmills> try tcp/443 or udp/53 or tcp/53
19:53 < daemon> how do I tell the clients to listen on that port
19:54 < Bushmills> client and server
19:54 < krzie> if he only has outbound whats the problem?
19:54 < krzie> hes connecting to the server
19:54 < krzie> outbound
19:54 < Bushmills> protocol, port config statements
19:54 < daemon> krzie, he keeps getting TCL negotiation errors (timeout after 60 seconds)
19:54 < daemon> no one else is, so I assumed it was his dodgy firewalls
19:54 < krzie> very well might be, try netcat for figuring that out
19:55 < daemon> anyway to disable tcl?
19:55 < krzie> tcl?
19:56 < krzie> <daemon> no one else is, so I assumed it was his dodgy firewalls
19:56 < krzie> <krzie> very well might be, try netcat for figuring that out
19:56 < krzie> if it IS his firewall, its not inbound its outbound thats firewalled
19:56 < krzie> (or both of course)
19:56 < daemon> ok dokey
20:07 -!- paul_ [n=paul@cpc1-linc11-2-0-cust594.12-1.cable.virginmedia.com] has joined ##openvpn
20:07 -!- daemon [n=paul@cpc1-linc11-2-0-cust594.12-1.cable.virginmedia.com] has quit [Read error: 104 (Connection reset by peer)]
20:29 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
20:46 -!- Mtn_Bkng_Dave [i=whome@12.50.114.160] has joined ##openvpn
20:50 -!- Beber` [n=Beber@otis.meleeweb.net] has joined ##openvpn
20:50 < Beber`> !welcome
20:50 < vpnHelper> Beber`: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:51 < Beber`> !goal
20:51 < vpnHelper> Beber`: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
20:51 < Beber`> !goal creatin a mesh network
20:51 < vpnHelper> Beber`: Error: "goal" is not a valid command.
20:51 < Dougy> lol
20:52 < Beber`> :)
20:52 < Dougy> you don't need to !goal <goal>
20:52 < Dougy> just tell us
20:52 < Beber`> !me speaking: I'm searching a way to create a mesh network over network
20:52 < vpnHelper> Beber`: Error: "me" is not a valid command.
20:53 < Beber`> !without a heaving configuration and scalable with many clients
20:53 < vpnHelper> Beber`: Error: "without" is not a valid command.
20:53 < Dougy> um.. Beber`?
20:53 < Beber`> !sed s/heaving/heavy
20:53 < vpnHelper> Beber`: Error: "sed" is not a valid command.
20:53 < Dougy> why are you prefixing everything with a !
20:53 < Dougy> stop it
20:53 < Beber`> :)
20:54 < Mtn_Bkng_Dave> lol
20:54 < Mtn_Bkng_Dave> he got a response anyway
20:54 < Mtn_Bkng_Dave> LOL
20:55 < Beber`> actually, i'm having enough bw, but for the beauty, i'd like to do real mesh
20:55 < Beber`> yeah, vpnHelper is funny :)
20:55 -!- EugeneKay [n=EugeneKa@unaffiliated/eugenekay] has joined ##openvpn
20:56 < Beber`> i seen on the ml a post about the goal after openvpn-2.0
20:56 < Bushmills> mesh benefits from open access. openvpn restricts access.
20:56 < Beber`> but i can't find the full list anywhere
20:56 < Beber`> CA restrict access
20:57 < Mtn_Bkng_Dave> !bridge
20:57 < vpnHelper> Mtn_Bkng_Dave: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for anything where the protocol uses MAC addresses instead of IP
20:57 < vpnHelper> Mtn_Bkng_Dave: addresses. (but not samba, see !wins)
20:57 < Beber`> it's not mesh
20:58 < Mtn_Bkng_Dave> ahhhhh so bridging is for dumb@sses like me LOL
20:58 < EugeneKay> Would somebody recommend a HowTo on making a LAN-to-LAN bridge? I have two physical networks that I want to put on the same subnet such that any box at site A can talk to any box at Site B, but I only need to configure 2 machines with OpenVPN(the host and a client).
20:58 < Beber`> proxy_arp is just easier
20:58 < Mtn_Bkng_Dave> same here EugeneKay
20:58 < Mtn_Bkng_Dave> LOL
20:58 < Beber`> and work with tun devices
20:59 < EugeneKay> I've found a coupla guides, but they're not terribly informative, just "here, do this"
20:59 < krzee> Beber`, 
20:59 < krzee> !riproute
20:59 < vpnHelper> krzee: Error: "riproute" is not a valid command.
20:59 < krzee> err
20:59 < krzee> !rip
20:59 < vpnHelper> krzee: "rip" is http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting for a writeup on using RIP in openvpn
21:00 < krzee> there you go
21:00 < krzee> mesh network =]
21:00 < krzee> but it wont be easy and it scales only as much as you want to put in effort
21:01 < krzee> openvpn wasnt made for it, but you CAN make it happen if you desire
21:01 < krzee> if you dont know what RIP is, you dont have the required knowledge yet to do a mesh network in openvpn
21:01 < krzee> err with openvpn
21:01 < Beber`> i have
21:02 < Beber`> i don't see the point
21:02 < krzee> i also dont see the point
21:03 < krzee> which is why i dont use openvpn to make a mesh
21:03 < Beber`> what do you use ?
21:03 < krzee> i dont :)
21:03 < Beber`> ahah :)
21:03 < krzee> if i want failover ild use CARP
21:03 < krzee> if i want a cluster ild use something for that
21:03 < krzee> etc etc
21:03 < krzee> but i havent had a need for a mesh
21:03 < Mtn_Bkng_Dave> hey krzee
21:04 < Bushmills> moiners, krzee
21:05 < Mtn_Bkng_Dave> krzee quick question
21:05 < krzee> moinmoin buddy
21:05 < krzee> sup Mtn_Bkng_Dave 
21:05 < Mtn_Bkng_Dave> do you have any idea how big the linux version required files are
21:05 < Mtn_Bkng_Dave> i have 16mb of ram on a device
21:05 < Mtn_Bkng_Dave> wonder if i can load it to that
21:06 < krzee> no idea
21:06 < krzee> give it a shot
21:06 < krzee> also see what you can cut out in the configure
21:06 < krzee> i have seen TINY builds from the mail list
21:06 < Mtn_Bkng_Dave> yeah i found out why i was having so much trouble
21:07 < krzee> ?
21:07 < Mtn_Bkng_Dave> i have no way to create the user files on my device
21:07 < Mtn_Bkng_Dave> other than scripting
21:07 < Mtn_Bkng_Dave> LOL
21:07 < Bushmills> mount an nfs export
21:07 < Mtn_Bkng_Dave> cant
21:08 < Bushmills> stick usb drive in?
21:08 < Mtn_Bkng_Dave> my device sacrificed cifs and jffs support for openvpn
21:08 < Mtn_Bkng_Dave> LOL
21:08 < Mtn_Bkng_Dave> the flash kernel is only 4mb
21:08 < Mtn_Bkng_Dave> so they had to give up cifs and jffs for openvpn
21:08 < Bushmills> there are routers with 4 mb of flash, for the whole file system
21:09 < Mtn_Bkng_Dave> yeah
21:09 < Mtn_Bkng_Dave> mine is one of those
21:09 < Mtn_Bkng_Dave> running dd-wrt on them
21:09 < Mtn_Bkng_Dave> its a hog
21:09 < krzee> i believe i saw an openvpn build under 1meg on the maillist
21:09 < Mtn_Bkng_Dave> LOL
21:09 < Mtn_Bkng_Dave> oh yeah?
21:09 < krzee> not sure how much it could still do tho
21:10 < Mtn_Bkng_Dave> i think i am back to bridging
21:10 < Mtn_Bkng_Dave> LOL
21:10 < Bushmills> try sshfs :)
21:11 < Mtn_Bkng_Dave> ??
21:11 < Mtn_Bkng_Dave> <<noob
21:11 < Mtn_Bkng_Dave> LOL
21:11 < Mtn_Bkng_Dave> whats that do for me Bushmills
21:12 < Bushmills> allows you to mount a remote directory. remote would be a ssh server
21:12 < Mtn_Bkng_Dave> hmmmmmmmmmm
21:12 < Mtn_Bkng_Dave> tried to mount via cifs
21:12 < Mtn_Bkng_Dave> alas no cifs support
21:13 < Mtn_Bkng_Dave> i have a nas with a cifs share
21:13 < Bushmills> cifs would be the last i'd try
21:13 < Mtn_Bkng_Dave> i would have to do the ssh on a linux box no?
21:13 < Beber`> mine is 339K 
21:13 < Mtn_Bkng_Dave> the NAS isnt very flexible LOL
21:13 < Bushmills> sshfs on router, sshd on xoid box
21:14 < Mtn_Bkng_Dave> cifs, ftp/s, and http/s
21:14 < Mtn_Bkng_Dave> only options i have
21:14 < Mtn_Bkng_Dave> i have an old unix box in the attic
21:14 < Mtn_Bkng_Dave> i may have to dig it out
21:14 < Mtn_Bkng_Dave> LOL
21:15 < Mtn_Bkng_Dave> blow the dust off the old sun
21:15 < Mtn_Bkng_Dave> LOL
21:15 < Bushmills> -rwxr-xr-x 1 root root 58312 Feb  4  2009 /usr/bin/sshfs
21:15 < Bushmills> not sure what support it needs. fuse or such
21:15 < krzee> cifs is windows right?
21:15 < Bushmills> yes
21:15 < Mtn_Bkng_Dave> yeah
21:15 < krzee> weaksauce
21:15 < Mtn_Bkng_Dave> cifs is windows
21:15 < Mtn_Bkng_Dave> or as we say in atlanta winders
21:15 < Mtn_Bkng_Dave> LOL
21:16 < Mtn_Bkng_Dave> ok sshfs is out
21:16 < Mtn_Bkng_Dave> no system in the kernel
21:16 < Mtn_Bkng_Dave> LOL
21:16 < Mtn_Bkng_Dave> geez
21:17 < Mtn_Bkng_Dave> i have ssh
21:17 < Mtn_Bkng_Dave> what is that/
21:17 < Mtn_Bkng_Dave> ??
21:18 < Mtn_Bkng_Dave> thats the shell right?
21:18 < Bushmills> remote login
21:18 < Mtn_Bkng_Dave> thought so
21:18 < Mtn_Bkng_Dave> grrrrrrr
21:18 < Mtn_Bkng_Dave> LOL
21:19 -!- paul_ [n=paul@cpc1-linc11-2-0-cust594.12-1.cable.virginmedia.com] has quit [Read error: 104 (Connection reset by peer)]
21:19 < Bushmills> also provides scp and sftp subsystems
21:20 < Mtn_Bkng_Dave> anything there that would transfer a file?
21:20 < Mtn_Bkng_Dave> LOL
21:20 < Bushmills> yes
21:20 < Bushmills> either
21:20 < Mtn_Bkng_Dave> what kind of server would they need?
21:20 < Bushmills> scp file host:
21:20 < Bushmills> remote ssh
21:21  * Mtn_Bkng_Dave looks warily at the old dusty sun in the corner LOL
21:21 < Mtn_Bkng_Dave> i havent looked at a green monitor in a long time
21:22 < Mtn_Bkng_Dave> LOL
21:22 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: noooon, @openvpn2009
21:22  * Bushmills prefers amber
21:22 < Mtn_Bkng_Dave> lol yeah that was an upgrade LOL
21:23 < Mtn_Bkng_Dave> nothing like the popping hum of the crt powering up
21:23 < Mtn_Bkng_Dave> LOL
21:23 < Mtn_Bkng_Dave> *KACHONGGGGGGGGGGGGGGGG*
21:23 -!- noooon [n=var@vps-1005590-1468.united-hoster.de] has joined ##openvpn
21:23 < Mtn_Bkng_Dave> i think i need to call the utility to up my tap before i turn this thing on LOL
21:24 < Mtn_Bkng_Dave> the lights dimmed
21:24 < Mtn_Bkng_Dave> LOL
21:24 < Mtn_Bkng_Dave> is there a remote ssh that runs under winders?
21:25 < Mtn_Bkng_Dave> ok now i need a bonghit
21:25 < Bushmills> sshd under windows? not that i know of.
21:25 < Bushmills> client, yes.
21:26 < Bushmills> server, no
21:26 < Bushmills> if you run sshd on router, you're good
21:27 < Dougy> yes it does Bushmills
21:27 < Dougy> there is win sshd
21:27 < Dougy> http://sshwindows.sourceforge.net/
21:27 < vpnHelper> Title: sshwindows.sf.net: OpenSSH for Windows (at sshwindows.sourceforge.net)
21:27 < Dougy> http://www.freesshd.com/
21:27 < vpnHelper> Title: freeSSHd and freeFTPd - open source SSH and SFTP servers for Windows (at www.freesshd.com)
21:27 < Dougy> !google Windows SSHd
21:27 < vpnHelper> Dougy: How to install OpenSSH sshd server and sftp server on a Windows ...: <http://chinese-watercolor.com/LRP/printsrv/cygwin-sshd.html>; sshwindows.sf.net: OpenSSH for Windows: <http://sshwindows.sourceforge.net/>; freeSSHd and freeFTPd - open source SSH and SFTP servers for Windows: <http://www.freesshd.com/>
21:28 < Mtn_Bkng_Dave> kewl
21:28 < Mtn_Bkng_Dave> thanks Dougy
21:28 < rob0> see also cygwin
21:28 < Bushmills> actually, sshd on router makes more sense .. otherwise you'd need to login to router first, before ssh'ing to win box
21:28 -!- openvpn2009 [n=email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
21:28 -!- mode/##openvpn [+v openvpn2009] by ChanServ
21:29 < rob0> With cygwin, you can have a nearly-comple nearly-Unix system.
21:29 < rob0> um, nearly-complete*
21:29 < Mtn_Bkng_Dave> i got it rob0
21:29 < Mtn_Bkng_Dave> LOL
21:29 < Mtn_Bkng_Dave> i have one windows desktop that stays online 
21:30 < Mtn_Bkng_Dave> still need windows for the gf to play on
21:30 < Mtn_Bkng_Dave> or i would just install ubuntu or something
21:31 < rob0> The kids here have an XP for Sims and a few other games, but otherwise we're all Linux.
21:31 < Mtn_Bkng_Dave> i wonder if my network would go into a death loop if i just opened 2 lchap vpn connections bi-directionally?
21:31 < rob0> and even that XP is set up to dual-boot
21:31 < Mtn_Bkng_Dave> yeah but shes blonde
21:31 < Mtn_Bkng_Dave> LOL
21:31 < Mtn_Bkng_Dave> to the bone
21:32 < Mtn_Bkng_Dave> shes still working on learning the tv remote
21:32 < Mtn_Bkng_Dave> LOL
21:33 < Mtn_Bkng_Dave> if i didnt have a shortcut to facebook she would be done
21:33 < Mtn_Bkng_Dave> :D
21:33 < Mtn_Bkng_Dave> i wonder if my network would go into a death loop if i just opened 2 lchap vpn connections bi-directionally?
21:34 < Mtn_Bkng_Dave> client > server, server > client
21:34 < Mtn_Bkng_Dave> or pptp 
21:36 < Mtn_Bkng_Dave> so which linux build are you running rob0?
21:37 < rob0> um, I have numerous, mostly Slackware, soon to be all Slackware (but various versions.)
21:37 < rob0> oh, and one openwrt too
21:38 < Mtn_Bkng_Dave> which one you like the best?
21:38 < Mtn_Bkng_Dave> ive been playing with ubuntu
21:38 < Mtn_Bkng_Dave> actually kubuntu
21:38 < Mtn_Bkng_Dave> so i can boot from cd
21:38 < Mtn_Bkng_Dave> office IT guys frown on software installs on the laptops
21:38 < Mtn_Bkng_Dave> LOL
21:40 < Mtn_Bkng_Dave> this thing is running something called Dropbear for ssh
21:42 -!- mithridates [n=chatzill@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
21:42 < mithridates> Finally I wrote an article for OpenVPN on Centos 
21:42 < mithridates> http://pazooki.info/2010/01/23/openvpn/
21:42 < vpnHelper> Title: OpenVPN on CentOS | Mehrdad Pazooki (at pazooki.info)
21:48 < Mtn_Bkng_Dave> http://www.pastebin.org/81343
21:49 < Mtn_Bkng_Dave> can somebody look at that and see if it looks like this shell will support file transfer
21:49 < Mtn_Bkng_Dave> this router is so crippled LOL
21:52 < Dougy> You can not imagine how difficult it is to hold a half gallon of moo juice 
21:52 < Dougy> and polish the one-eyed gopher when your doin' seventy-five 
21:52 < Dougy> in an eighteen-wheeler.
21:52 < Dougy> ahhh man
21:52 < Dougy> good song
21:57 < Mtn_Bkng_Dave> ROFT
21:59 < Mtn_Bkng_Dave> who is it Dougy
22:00 < Dougy> bloodhound gang
22:00 < Dougy> Well, faster than you can say, "shallow grave", 
22:00 < Dougy> this pretty little thing come up to me and starts kneadin' my balls 
22:00 < Dougy> like hard-boiled eggs in a tube sock.
22:06 < mithridates> hey Dougy 
22:06 < Dougy> ayo
22:08 -!- hackeron_ [n=hackeron@cpc3-seve19-2-0-cust263.13-3.cable.virginmedia.com] has quit [Read error: 104 (Connection reset by peer)]
22:40 < tjz> do you mind i post something meaningful here?
22:45 < Bushmills> Greetlings, earthings
22:47 < Mtn_Bkng_Dave> sup Bushmills
22:56 < vpnHelper> New forum entry openvpnforum: Off Topic, Related :: Anonyproz OpenVPN Service Provider :: Author maggot <http://www.ovpnforum.com/viewtopic.php?f=1&t=2502&p=2913#p2913> || Off Topic, Related :: Re: Anonyproz OpenVPN Service Provider :: Reply by Douglas <http://www.ovpnforum.com/viewtopic.php?f=1&t=2502&p=2925#p2925> || Introductions :: Introduction :: Author aspescarm <http://www.ovpnforum.com/viewtopic.php?f=11&t=2509&p=2920#p2920
23:30 -!- Dougy [n=me@ool-435033e6.dyn.optonline.net] has quit []
23:35 < mithridates> hey guys, would you tell me your opinion about this article? http://pazooki.info/2010/01/23/openvpn/
23:35 < vpnHelper> Title: OpenVPN on CentOS | Mehrdad Pazooki (at pazooki.info)
23:36 < tjz> ...
23:39 < mithridates> tjz: :( ... ?
--- Day changed Sun Jan 24 2010
00:42 < krzee> Kaspx, you here?
00:43 < krzee> mithridates, that rpm is 2.1.1?
00:44 < mithridates> krzee: I'm not sure , let me to check it
00:45 < krzee> # The below command set the Time Zone equal GMT and also you need to set your client?s time zone same time zone as your server?s time zone
00:45 < krzee> not true
00:45 < krzee> they can be any timezone you want, as long as they agree on what time it is in GMT
00:45 < mithridates> krzee:  Package openvpn-2.1-0.30.rc15.el5.i386
00:46 < krzee> in other words, as long as they are both set to right time
00:46 < krzee> rc15 is bad mmkay
00:46 < mithridates> krzee: yes but that was the easiest way
00:46 < mithridates> I will remove that part
00:46 < mithridates> mmkay?
00:47 < mithridates> it's working fine for me
00:47 < krzee> hehe, teacher from south park
00:47 < krzee> should still see bout getting 2.1.1 working for the guide
00:47 < krzee> what was the problem with source?
00:47 < krzee> should only require lzo and openssl to build
00:47 < krzee> ./configure
00:47 < krzee> make
00:48 < krzee> make install
00:51 < mithridates> krzee: I tried before , I couldn't install it by source
00:52 < krzee> give it a shot while im on with ya if you wanna  http://www.openvpn.net/release/openvpn-2.1.1.tar.gz
00:52 < krzee> wget http://www.openvpn.net/release/openvpn-2.1.1.tar.gz i mean
00:54 -!- peepod [n=opt@216.18.20.66] has quit [Remote closed the connection]
00:55 < mithridates> I will update the article
00:55 < mithridates> :( I'm tired
01:06 < krzee> werd =]
01:07 < mithridates> krzee: I'm editing the article
01:10 -!- Dave1965 [n=whome@c-24-99-232-29.hsd1.ga.comcast.net] has joined ##openvpn
01:11 -!- Dave1965 [n=whome@c-24-99-232-29.hsd1.ga.comcast.net] has quit [Client Quit]
01:12 < mithridates> krzee: I edited the article, please take a look at that
01:12 < mithridates> http://pazooki.info/
01:12 < vpnHelper> Title: Mehrdad Pazooki (at pazooki.info)
01:14 < krzee> if giving commands like that you gotta tar -zxf <ovpn tgz file> and cd top the dir
01:14 < krzee> to*
01:14 < krzee> hehe
01:14 < krzee> try to do it then document what you do
01:14 < krzee> if it doesnt work say something
01:15 < mithridates> =))))
01:15 < mithridates> ok
01:17 < krzee> source vars
01:17 < krzee> ./vars
01:17 < krzee> that doesnt source it
01:17 < krzee> you need:
01:17 < krzee> . ./vars
01:17 < mithridates> ./vars?
01:18 < krzee> # Generate the master certificate and key
01:18 < krzee> cd /etc/openvpn/easy-rsa/
01:18 < krzee> source vars
01:18 < krzee> ./vars
01:18 < mithridates> what should it be?
01:19 < mithridates> ./vars instead of source vars ?
01:19 < krzee> oh nm, i see source ./vars is same as . ./vars
01:19 < krzee> nah nm
01:19 < krzee> but what is the ./vars for?
01:19 < mithridates> I don't know hehehee =)))
01:19 < krzee> you can remove ./vars
01:19 < mithridates> ok
01:19 < krzee> cause its either . ./vars or source vars
01:20 < mithridates> updated
01:20 < mithridates> and have a look at the end part of article :D ;)
01:23 < krzee> heyyy
01:23 < mithridates> krzee: am I good in english?
01:24 < krzee> !learn management as see http://openvpn.net/management for doc on management interface
01:24 < vpnHelper> krzee: Joo got it.
01:24 < krzee> i had not seen that
01:25 -!- Mtn_Bkng_Dave [i=whome@12.50.114.160] has quit [Read error: 104 (Connection reset by peer)]
01:25 < mithridates> krzee: :O really?
01:26 < krzee> never played with management interface
01:26 < mithridates> I like that interface
01:27 < mithridates> how is my english krzee ?
01:27 < mithridates> do I have mistake?
01:28 < krzee> echo 1 > /proc/sys/net/ipv4/ip_forward
01:28 < krzee> thats only a temp solution until reboot
01:28 < krzee> !linipforward
01:28 < vpnHelper> krzee: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
01:29 < krzee> but ya its good
01:29 < mithridates> :)
01:30 < krzee> and im drunk
01:30 < krzee> just sampled 7 diff types of rum
01:30 < mithridates> krzee: =)))
01:34 < freaky[t]> ^^
01:43 < mithridates> krzee: are you still drunk?
01:43 < krzee> lol of course
01:43 < mithridates> drink lemon juice and then review my article =)))
01:43 < mithridates> hehe
01:43 < krzee> already looked at it
01:44 < mithridates> I edited again the part which is related to ip_forward
01:53 < mithridates> I am going to bed 
01:54 < mithridates> please take a look at this article and give me some f* feedback
01:54 < mithridates> http://pazooki.info/2010/01/23/openvpn/
01:54 < vpnHelper> Title: OpenVPN on CentOS | Mehrdad Pazooki (at pazooki.info)
01:56 < mithridates> babye
02:19 -!- bandini [n=bandini@host12-24-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
02:23 -!- mithridates [n=chatzill@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit ["ChatZilla 0.9.86 [Firefox 3.5.5/20091102141836]"]
02:31 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
02:31 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
03:08 -!- master_of_master [i=master_o@p57B57E2B.dip.t-dialin.net] has joined ##openvpn
03:10 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 60 (Operation timed out)]
03:19 -!- master_o1_master [n=master_o@p57B55138.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
03:20 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
03:32 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
03:32 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
03:38 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 60 (Operation timed out)]
03:46 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
04:01 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
04:06 -!- Diffen2 [n=diffen2@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
04:12 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
05:19 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
05:19 < reiffert> moin
05:26 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:31 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:33 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 60 (Operation timed out)]
05:37 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
05:41 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Nick collision from services.]
05:41 -!- buntfalke_ is now known as buntfalke
06:19 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:31 < hyper_ch> anyone here has a Mac?
06:56 -!- ycy___ [n=mb@Noise.CS.UCLA.EDU] has left ##openvpn []
07:19 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 60 (Operation timed out)]
07:19 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
07:26 -!- reiffert [n=thomas@mail.webersheim.de] has quit ["Lost terminal"]
08:28 < vpnHelper> New forum entry openvpnforum: Configuration :: How to block MAC request :: Author nuralamgir <http://www.ovpnforum.com/viewtopic.php?f=6&t=2514&p=2927#p2927> || Off Topic, Related :: Re: Anonyproz OpenVPN Service Provider :: Reply by maggot <http://www.ovpnforum.com/viewtopic.php?f=1&t=2502&p=2926#p2926>
08:32 -!- disappearedng [n=disappea@unaffiliated/disappearedng] has joined ##openvpn
08:32 < disappearedng> Hey I need help
08:32 < disappearedng> I keep getting an error msg
08:32 < disappearedng> about TSL handshake fail
08:53 < |Mike|> !tls-auth
08:53 < vpnHelper> |Mike|: "tls-auth" is The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. see !secure for how
08:53 -!- disappearedng [n=disappea@unaffiliated/disappearedng] has quit [Read error: 104 (Connection reset by peer)]
10:11 -!- Dougy [n=me@vpn.douglashaber.com] has joined ##openvpn
10:21 -!- APTX [n=APTX@phpBB/developer/APTX] has quit [Remote closed the connection]
10:21 -!- APTX [n=APTX@chello089076052083.chello.pl] has joined ##openvpn
10:22 -!- APTX [n=APTX@phpBB/developer/APTX] has quit [Client Quit]
10:23 -!- APTX [n=APTX@chello089076052083.chello.pl] has joined ##openvpn
10:23 -!- xod [n=onats@112.201.158.40] has joined ##openvpn
10:24 -!- xod is now known as onats
10:27 -!- bandini [n=bandini@host12-24-dynamic.20-79-r.retail.telecomitalia.it] has quit [Read error: 113 (No route to host)]
10:39 -!- bandini [n=bandini@host12-24-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
10:51 -!- Avalloc [n=_@port-6142.pppoe.wtnet.de] has joined ##openvpn
11:02 -!- smultring [n=Smultr1n@bus-driver.net] has joined ##openvpn
11:12 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
11:23 -!- mithridates [n=chatzill@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
11:37 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
11:58 -!- Avalloc [n=_@port-6142.pppoe.wtnet.de] has quit [Read error: 60 (Operation timed out)]
12:09 -!- NickWebHA [n=AndChat@71.sub-174-209-193.myvzw.com] has joined ##openvpn
12:22 -!- mithridates [n=chatzill@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit [Remote closed the connection]
12:25 -!- NickWebHA [n=AndChat@71.sub-174-209-193.myvzw.com] has quit ["Bye"]
12:44 -!- bandini [n=bandini@host12-24-dynamic.20-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
13:11 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
13:11 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
13:32 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)]
13:44 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
14:06 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
14:15 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
14:16 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
14:16 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:19 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Read error: 60 (Operation timed out)]
15:21 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
15:28 -!- newmember_ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
15:29 -!- newmember_ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Read error: 104 (Connection reset by peer)]
15:30 -!- newmember_ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
15:36 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Read error: 60 (Operation timed out)]
15:44 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
15:47 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
15:50 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
16:02 -!- newmember_ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Read error: 110 (Connection timed out)]
16:14 -!- mithridates [n=chatzill@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
16:15 < mithridates> !factoids search hint
16:15 < vpnHelper> mithridates: No keys matched that query.
16:15 < mithridates> !factoids search webmin
16:15 < vpnHelper> mithridates: No keys matched that query.
16:17 < Dougy> what are you looking for
16:23 -!- newmember_ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
16:40 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Read error: 110 (Connection timed out)]
16:41 < ecrist> !factoids
16:41 < vpnHelper> ecrist: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
16:57 < mithridates> nothing hehehe
16:59 < mithridates> hey guys
17:00 < mithridates> Dougy: 
17:00 < mithridates> I wrote an article for openvpn :D
17:00 < mithridates> do you like to take a look at the article?
17:01 < mithridates> http://pazooki.info/2010/01/23/openvpn/
17:01 < vpnHelper> Title: OpenVPN on CentOS | Mehrdad Pazooki (at pazooki.info)
17:01 < Dougy> i can look soo
17:01 < Dougy> n
17:06 -!- EugeNetBooK [n=EugeneKa@unaffiliated/eugenekay] has joined ##openvpn
17:08 -!- EugeneKay [n=EugeneKa@unaffiliated/eugenekay] has quit [Read error: 54 (Connection reset by peer)]
17:10 -!- Diffen2 [n=diffen2@78-82-118-208.tn.glocalnet.net] has quit ["This computer has gone to sleep"]
17:13 -!- mithridates [n=chatzill@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit ["ChatZilla 0.9.86 [Firefox 3.5.5/20091102141836]"]
17:37 -!- simplechat [n=simple@unaffiliated/simplechat] has joined ##openvpn
17:47 < simplechat> hi
17:47 < simplechat> i have a bridged openvpn server
17:47 < simplechat> it was working perfectly, and now for some odd reason its not. (openvpn server on debian, set up to bridge from vpn to local lan)
17:47 < simplechat> i haven't touched it (its a vps sitting on a random box), so i'm a little puzzled
17:49 < Dougy> !all
17:49 < vpnHelper> Dougy: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
17:50 < simplechat> this is debian lenny on the latest updates on the server end, ubuntu 9.04 on the client end
17:50 < simplechat> server http://pastebin.ca/1764570
17:51 < simplechat> client http://pastebin.ca/1764572
17:56 -!- EugeNetBooK [n=EugeneKa@unaffiliated/eugenekay] has quit [Read error: 104 (Connection reset by peer)]
17:56 -!- EugeneKay [n=EugeneKa@unaffiliated/eugenekay] has joined ##openvpn
18:02 -!- EugeneKay [n=EugeneKa@unaffiliated/eugenekay] has left ##openvpn ["Leaving"]
18:16 < simplechat> yeah
18:16 < simplechat> :(
18:21 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
18:27 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
18:40 -!- Nappy [n=nappy@123-247.97-97.tampabay.res.rr.com] has quit ["Leaving"]
18:47 -!- MatBoy [n=MatBoy@wiljewelwetenhe.xs4all.nl] has joined ##openvpn
18:47 < MatBoy> Hi guyas
18:48 < Dougy> hiya
18:48 < Dougy> wsup
18:48 < MatBoy> when my vpn-connection connects my default gateway on my lan dissapears... lan is DHCP
18:48 < Dougy> !all
18:48 < vpnHelper> Dougy: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
18:48 < MatBoy> yeah I can pastepin it
18:48 < MatBoy> *pastebin
18:49 < MatBoy> Dougy: I just use default settings
18:49 < MatBoy> so no redirects or so
18:49 < Dougy> pastebin
18:49 < MatBoy> ok
18:49 < MatBoy> just a sec
18:49 < krzie> no such thing as default settings
18:49 < Dougy> i am useless with openvpn
18:49 < Dougy> but if you pastebin it al
18:49 < krzie> always makes me laugh when people say that
18:49 < Dougy> l
18:49 < Dougy> someone can help
18:49 < Dougy> krzie: i seldom laugh at IRC, but it is amusing i guess
18:50 < MatBoy> lol.. I needed to pptp to the device to get my openvpn settings... ouch :P
18:51 < MatBoy> Dougy: here you go :http://pastebin.ca/1764651
18:51 < Dougy> you are lucky krzie is around
18:51 < Dougy> he's smart
18:51 < Dougy> any reason you are using tap?
18:52 < Dougy> !tunortap
18:52 < vpnHelper> Dougy: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
18:52 < vpnHelper> Dougy: against you over the vpn
18:52 < MatBoy> yap, tun doesn't work that well on windows
18:52 < Dougy> i have no issue
18:52 < Dougy> s
18:52 < krzie> umm, yes it does
18:52 < Dougy> what doesn't work well for you?
18:52 < MatBoy> I have, my gateway doesn't come throug and so on
18:52 < krzie> (woprks fine in windows)
18:52 < Dougy> krzie: exactly
18:52 < Dougy> lol
18:52 < MatBoy> *through
18:52 < MatBoy> I have seen some more issues with it
18:52 -!- disappearedng_ [n=disappea@unaffiliated/disappearedng] has joined ##openvpn
18:52 < Dougy> like
18:53 < MatBoy> like I had 
18:53 < MatBoy> with other people
18:53 < Dougy> like
18:53 < krzie> prove it or they dont exist :-p
18:53 < MatBoy> what I said... DHCP was not set on .1 ( but something higher)
18:53 < krzie> dhcp?
18:53 < MatBoy> no gateway
18:53 < MatBoy> yap
18:53 < krzie> screw dhcp, when you use tun there is no dhcp
18:53 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
18:53 < krzie> keep going..
18:53 < MatBoy> I need DHCP :) so
18:54 < MatBoy> tap is OK
18:54 < krzie> nope, you likelky just think you do
18:54 < disappearedng_> can someone tell me how do I use the update-resolve-conf on debian?
18:54 < krzie> likely*
18:54 < Dougy> krzie: !notopenvpn for disappearedng_?
18:54 < MatBoy> krzie: I don't want to set static IP's
18:54 < krzie> dougy, wreong
18:54 < krzie> wrong
18:54 < Dougy> krzie: that's why i asked
18:54 < krzie> MatBoy see --server
18:54 < Dougy> MatBoy:
18:54 < krzie> disappearedng_, in --up
18:54 < Dougy> !man
18:54 < vpnHelper> Dougy: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:55 < Dougy> disappearedng_: you too ^
18:55 < disappearedng_> what? 
18:55 < MatBoy> krzie:  ?
18:55 < disappearedng_> I actually have a specific DNS server that I have to use
18:55 < krzie> MatBoy you dont need static ips with tun, see --server
18:55 < MatBoy> ok
18:55 < Dougy> disappearedng_: you can push dns servers
18:55 < Dougy> with openvpn
18:55 < krzie> disappearedng_ read --up in the manual, thats where you use the script you mentioned
18:55 < MatBoy> I'm running it on ddwrt btw
18:55 < disappearedng_> do you mean man up? 
18:56 < Dougy> no, disappearedng_
18:56 < Dougy> !man
18:56 < vpnHelper> Dougy: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:56 < Dougy> find --up in the second link
18:56 < krzie> Dougy, he knows, that script he mentioned is how you recieved the pushed DNS server in linux/unix
18:56 < Dougy> if you are using 2.1
18:56 < Dougy> ah
18:56 < krzie> but ya read what dougy said
18:57 < Dougy> wait, i said something useful?
18:57 < krzie> well you repeated me :-p
18:57 < Dougy> well that's a proper start :D
18:57 < disappearedng_> Oh I get it now thx
18:58 < krzie> disappearedng_ np
18:58 < disappearedng_> actually can I put it in my script? Since it says: up /etc/openvpn/update-resolv-conf
19:01 < krzie> in your config
19:02 < disappearedng_> yeah but it takes only 1 argument 
19:02 < disappearedng_> so I don't really know how to pass in the ip of my dns server
19:04 < disappearedng_> hey 
19:08 < Dougy> i
19:08 < Dougy> hi
19:13 -!- Nappy [n=nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
19:23 -!- disappearedng_ [n=disappea@unaffiliated/disappearedng] has quit [Read error: 110 (Connection timed out)]
19:23 -!- disappearedng_ [n=disappea@213.254.213.43] has joined ##openvpn
19:53 -!- disappearedng_ [n=disappea@unaffiliated/disappearedng] has quit [Read error: 110 (Connection timed out)]
19:56 -!- disappearedng_ [n=disappea@unaffiliated/disappearedng] has joined ##openvpn
19:58 -!- Optic [n=Optic@miso.capybara.org] has joined ##openvpn
20:01 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
20:11 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
20:13 < robotti^> what does those persist options mean?
20:19 < rob0> When you drop privileges (--user/--group settings) it helps to keep privileged things open. Your key might be root:root 400, and of course the tun device might not belong to the openvpn user/group.
20:20 < robotti^> persist ip?
20:21 < robotti^> persist local ip?
20:23 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
20:26 -!- hacim [n=micah@debian/developer/micah] has joined ##openvpn
20:26 < hacim> I'm launching openvpn with --auth-user-pass and it starts up and asks me for a username, but it doesn't ask me for a password, why not?
20:26 < hacim> (it fails to authenticate because I dont provide a password)
20:27 < hacim> i'm using 2.1_rc15
20:34 < krzee> first of all, use 2.1.1
20:34 < hacim> yeah, i want to
20:34 < hacim> and will
20:35 < krzee> right, but we cant be sure there wasnt a bugfix for your problem, so troubleshooting it in rc15 is a waste
20:35 < hacim> i dont have access to change that, but have requested it
20:36 -!- lampliter [n=chatzill@c-76-19-126-1.hsd1.ma.comcast.net] has joined ##openvpn
20:37 < krzee> ahh
20:37 < lampliter> here's another helpful hint: don't turn off the VPN server in preparation to make changes before gaining access via some alternative path.
20:38 < lampliter> especially if it kills your access to your e-mail server.
20:38 < krzee> heh i learned that one when first playing with firewalls
20:39 < krzee> i think everyone learns that one the hard way
20:39 < lampliter>  Oh, I learned a long time ago but, sometimes the universe thinks you need reminding
20:40 < lampliter> and then I was going to write a problem statement to the mailing list and remembered I no longer have access to my e-mail 
20:40 < lampliter> it was the problem I was talking about yesterday regarding DNS and multiple simultaneous connections
20:41 < lampliter> Heck, I would like to get simultaneous connections on my Windows box but that's a whole different discussion
20:42 < krzee> but its not really an openvpn problem, its more of a "im connected to many networks, and each of which require using its dns server"
20:42 < krzee> problem
20:43 < krzee> but ya you'll likely get some ideas
20:43 < lampliter> yeah, been there before, don't buy it
20:43 < krzee> im interested to see if you get any different than the one i gave you
20:43 < lampliter> here's why
20:43 < lampliter> open VPN is wonderful. It does a lot of things right
20:43 < lampliter> but DNS is so easy to mess up because it's so fragile
20:44 < krzee> check this out actually
20:44 < lampliter> in this case, in order to do DNS right, open VPN would need to grant external application the ability to define the resolver address
20:44 < krzee> you use unix right?
20:44 < lampliter>  personally, 80% Windows, 20% Linux
20:45 < krzee> well at least in unix i can think of a way
20:45 < krzee> dunno how windows handles you getting multiple dns servers pushed at you from multiple places
20:45 < lampliter> disabled, broken hands, speech recognition, got I hate Microsoft and nuance together. .. Remember?
20:45 < krzee> but in linux you handle dns server pushing with a script
20:45 < lampliter> it doesn't. Part of the reason is that many DNS servers return nxdomain which kills off the resolver search sequence
20:46 < krzee> so that script can do anything you want
20:46 < lampliter> I've been part of the conversation on dnsmasq
20:46 < krzee> werd
20:46 < krzee> so you need my first idea
20:46 < krzee> 1 DNS server that forwards diff zones to whichever NS handles that zone
20:47 < krzee> and the rest of them it can either handle itself or forward to an open NS
20:47 < krzee> !dns
20:47 < vpnHelper> krzee: "dns" is (#1) Level3 open recursive DNS server at 4.2.2.1, or (#2) Google open recursive DNS server at 8.8.8.8
20:47 < krzee> from what you just said, thats your only way
20:47 < lampliter> yeah.I was thinking something like a DNS proxy that used string-based routing as well as the resolver redirection capability
20:48 < krzee> you just made that sound more complicated than it is ;)
20:48 < krzee> bind can do it
20:48 < krzee> hell windows NS can do it
20:49 < lampliter> yeah basically except in my context would be #1 customer A DNS, #2 customer B DNS, #3 my internal hosting DNS, #4 the rest of the world
20:49 < lampliter> and the selection was based on the domain name
20:49 < krzee> 1,2,3 all run VPN servers?
20:49 < krzee> and internal NS?
20:50 < lampliter> yes
20:50 < lampliter> it's called telecommuting :-)
20:50 < krzee> 1 machine has access to all 3, and runs a NS, that NS configured to forward requests for specific zones to NS over the VPN
20:51 < krzee> if you try to access a host where the VPN cant forward dns, you cant reach that host anyways cause you aint on the VPN ;]
20:51 < krzee> then you use your local NS
20:51 < krzee> im telling you, this is a DNs problem not an openvpn problem
20:51 < lampliter> okay it's on the fringes of an open VPN problem. :-)
20:51 < krzee> nope
20:51 < lampliter> Because open VPN reveals complexity that most people hadn't suspected
20:51 < krzee> openvpn is just how you access those networks
20:52 < lampliter> but let's look at the solution you're suggesting here
20:52 < krzee> you just wish the vpn would do the creative solutions part of being connected to 3 networks for you ;)
20:52 < lampliter> if it works, I will buy you lunch (admittedly cheap lunch, but lunch)
20:52 < krzee> but it wont
20:53 < krzee> ill go over it in theory, not setting up the DNS server with you
20:53 < lampliter> my frustration with DNS has been the lack of tool availability under Windows. Believe me, I can handle setting it up once I have a tool
20:54 < krzee> i dont use windows
20:54 < lampliter> I wish I had a choice
20:54 < krzee> i find unix much much more comfy for servers
20:54 < krzee> although back in the day i did make decent $ setting up AD networks and whatnot
20:54 < lampliter> it is. I'm doing all this on a laptop
20:54 < krzee> i have forgotten much of what i knew bout windows, and dont mind 1 bit
20:54 < krzee> anyways
20:54 < krzee> have 1 machine which can connect to all of those LANs
20:55 < krzee> setup a NS servicing localhost with DNS on that machine
20:55 < lampliter> that might have been a missed one. I'm running all simultaneous VPNs on a laptop so I can communicate with a variety of sites from anywhere
20:55 < krzee> get recursion working for normal hosts
20:55 < lampliter> how do you deal with DHCP overriding the resolver
20:56 < krzee> then setup NS forwarding for each of your LANs stating that each specific NS controls the zones you wish for them to resolve
20:56 < krzee> by telling it what NS to use manually
20:56 < krzee> overriding DHCP
20:56 < krzee> it will handle ALL dns for that machine
20:56 < krzee> so screw what dhcp says :)
20:57 < lampliter> that's right. I can tell the Windows ethernet configuration to use a static DNS server
20:58 < lampliter> hmmm windows server...
20:59 < krzee> so ya, best of luck with the setup
21:00 < lampliter> why do I feel like Wiley coyote about 50 feet past the cliff edge
21:00 < krzee> windows
21:00 < krzee> ;]
21:00 < lampliter> :-)
21:00 < lampliter> thanks
21:01 < krzee> yw
21:12 -!- WormFood [n=wormfood@113.87.194.89] has joined ##openvpn
21:21 < lampliter> what's the hook I need to turn on the DNS server based on which VPNs are active?
21:22 < krzee> dont need to worry bout that
21:22 < krzee> if you try to reach a VPN only address it'll just fail
21:22 < krzee> which is what you want anyways
21:22 < lampliter> oh?
21:23 < krzee> it wont be able to reach the forwarding NS due to lack of route
21:24 < lampliter> Actually, he won't even try because the name server will be referenced only if you're facing a domain
21:24 < lampliter> referencing a domain
21:25 < krzee> correct
21:25 < krzee> i was assuming you meant if you tried to access a hostname that is only accessible over the vpn
21:25 < lampliter> http://dhcp-dns-server.sourceforge.net/
21:25 < vpnHelper> Title: DHCP Server (at dhcp-dns-server.sourceforge.net)
21:26 < krzee> whatev
21:26 < krzee> you know what to do
21:26 < krzee> nothing left has to do with the vpn =]
21:26 < lampliter> it's a resource that may be useful to others.
21:26 < krzee> hint: ms DNS server can do it, bind can do it
21:27 < lampliter>  I try to stay away from Microsoft DNS servers just because they seem rather fat.
21:28 < lampliter> Bind it doesn't run on Windows as far as I know
21:28 -!- simplechat [n=simple@unaffiliated/simplechat] has quit [Remote closed the connection]
21:30 < krzee> right on, lemme know if you like that one for windows
21:34 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
21:40 < ecrist> fucking vikings.
21:40 < ecrist> :\
21:42 < krzee> won me $100
21:42 < krzee> heh
21:56 -!- PeterFA [n=Peter@unaffiliated/peterfa] has joined ##openvpn
22:32 -!- WormFood [n=wormfood@113.87.194.89] has quit [Read error: 60 (Operation timed out)]
22:33 -!- WormFood [n=wormfood@113.87.194.89] has joined ##openvpn
22:42 -!- Dougy [n=me@vpn.douglashaber.com] has quit []
23:02 < WormFood> I have moved a working openvpn server config from one server to another, and when I try to ping the other side of the tunnel, it is dropping the packet because it has a bad source address (and the logs do show the wrong address)....if 192.168.100.6 is my side of the tunnel, and 192.168.100.5 is the other end of the tunnel, then why does it have a source address of my local machine/network (192.168.0.2)? shouldn't it have the source address of 192.168
23:02 < WormFood> .100.6? (should I start posting my logs and such?)
23:03 < WormFood> er....not clear...when I ping 192.168.100.5 (remote end of the tunnel), shouldn't have my source address of 192.168.100.6 (my end of the tunnel)
23:03 < krzee> i still have no idea why some systems do that
23:04 < WormFood> I connect to my other  vpn, and it works fine (using static key)
23:04 < WormFood> and the servers I moved between are the same type of server (not that it should matter much)....and the routing table looks fine....I'm stumped
23:04 -!- lampliter [n=chatzill@c-76-19-126-1.hsd1.ma.comcast.net] has quit ["ChatZilla 0.9.86 [Firefox 3.5.7/20091221164558]"]
23:04 < WormFood> krzee, so this is a known problem?
23:06 < krzee> i see it very rarely, some systems use the ip of eth0 instead of whichever device the traffic is going out
23:06 < krzee> its never happened to me so i havnt been able to play with fixing
23:06 < krzee> i can tell you how to workaround if its not a road warrior
23:07 < WormFood> but it only happens when connecting to one server, and it was working fine with the same config on a different server....maybe I can try it on the other server and compare notes
23:07 < WormFood> not a road warrior, but not on a static ip
23:07 < krzee> doesnt need inet static, just lan static
23:07 < krzee> if the other server is the same that would be interesting
23:07 < krzee> you said it was ptp setup tho
23:08 < krzee> since its not road warrior:
23:08 < WormFood> or, maybe it is something odd going on with my kernel (maybe I misconfigured something), since I did change the kernel on my client....but then the other vpn server works ok
23:08 < krzee> make a ccd entry on the server giving the client an iroute
23:08 < krzee> !iroute
23:08 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
23:08 < krzee> !ccd
23:08 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
23:08 < krzee> ya its something on the client machine
23:08 < krzee> its sending its src as its lan ip even tho its going out vpn device
23:09 < krzee> thats not standard behavior for a box
23:09 < WormFood> yeah, that is rather confusing
23:09 < WormFood> yeah, I know it is totally wrong
23:09 < krzee> but my workaround will be fine for you if you use it
23:09 < WormFood> interesting, wasn't ware of the ccd bit
23:10 < WormFood> that is good to know
23:10 < krzee> server config:   client-config-dir /path/to/ccd-dir
23:10 < krzee> in ccd-dir/<common-name of client> :
23:10 < krzee> iroute 192.168.0.2 255.255.255.255
23:11 < krzee> common-name must be exact
23:11 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
23:11 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has left ##openvpn []
23:12 < WormFood> and the IP must match too
23:13 < WormFood> krzee...I need to go now...thanks a LOT for the help on this...I'll have to test it out later...i'll let you know how it goes
23:13 < krzee> yw
23:13 < krzee> you could also just expand the iroute
23:13 < krzee> like 255.255.255.0
23:14 < krzee> then ip doesnt HAVE TO match
23:17 < krzee> and please, if you find out why your system is doing that let me know
23:19 < WormFood> ok, will do
23:22 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
23:30 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:30 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
23:38 -!- krzee [i=nobody@hemp.ircpimps.org] has joined ##openvpn
23:41 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
23:48 -!- krzee [i=nobody@hemp.ircpimps.org] has joined ##openvpn
23:49 < krzee> !certinfo
23:50 < vpnHelper> krzee: "certinfo" is please run `openssl x509 -in <file> -noout -text` for ca,server,client certs and pastebin the results
23:50 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
23:56 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
--- Day changed Mon Jan 25 2010
00:16 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
02:01 < vpnHelper> New forum entry openvpnforum: Configuration :: Re: Waiting for TUN/TAP interface to come up... :: Reply by iss42 <http://www.ovpnforum.com/viewtopic.php?f=6&t=2380&p=2935#p2935>
02:03 -!- Diffen2 [n=diffen2@226.234.241.83.in-addr.dgcsystems.net] has joined ##openvpn
02:36 -!- smultring [n=Smultr1n@bus-driver.net] has quit [Remote closed the connection]
03:06 -!- macsppadic [n=sonupunn@82.109.74.162] has joined ##openvpn
03:08 -!- master_o1_master [n=master_o@p57B5749C.dip.t-dialin.net] has joined ##openvpn
03:14 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
03:14 -!- mode/##openvpn [+o mattock] by ChanServ
03:19 -!- master_of_master [i=master_o@p57B57E2B.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
03:57 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
04:01 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
04:16 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
04:17 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
04:27 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
04:27 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
04:28 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
04:28 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
04:41 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:43 -!- Guest23896 [n=dazo@nat/redhat/x-dqjruhfsdokmpvjs] has quit [Read error: 54 (Connection reset by peer)]
04:44 -!- dazol [n=dazo@nat/redhat/x-nrswfdwuhjzeaujj] has joined ##openvpn
04:50 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has quit [Read error: 60 (Operation timed out)]
04:50 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn
04:51 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 60 (Operation timed out)]
04:52 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
04:58 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
04:58 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
05:08 -!- screenn [n=screenn@77.222.135.254] has joined ##openvpn
05:17 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)]
05:49 -!- kyrix [n=ashley@mail.ic-vienna.at] has joined ##openvpn
06:05 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
06:06 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:09 < screenn> how can I know X509 client name of generated certs?
06:23 < macsppadic> u shud be able to see the Common Name after the issuer name line at the top of the crt file if thats what u r after
06:24 < krzee> !certinfo
06:24 < vpnHelper> krzee: "certinfo" is please run `openssl x509 -in <file> -noout -text` for ca,server,client certs and pastebin the results
06:24 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:27 < ecrist> in this case, you don't need to paste the results.
06:27 < krzee> !forget certinfo
06:27 < vpnHelper> krzee: Joo got it.
06:28 < krzee> !learn certinfo as run `openssl x509 -in <file> -noout -text` for info from your cert file
06:28 < vpnHelper> krzee: Joo got it.
06:28 < krzee> more common people wanna know, less common we need to :)
06:30 < screenn> macsppadic is it CN= ?
06:31 < macsppadic> yes 
06:31 < screenn> ok, thanks! 
06:31 < macsppadic> np
06:31 < screenn> macsppadic yeah, do you remember my problems with crl.pem file?
06:32 < macsppadic> refresh my memory screenn 
06:32 < macsppadic> was the crl.pem not being seen by the openvpn daemon process?
06:32 < screenn> I have in config crl-verify /etc/openvpn/crl.pem option, but it didn't works
06:33 < macsppadic> ahhh 
06:33 < screenn> cause I need to store it in /var/lib/openvpn/etc/openvpn/ directory
06:33 < macsppadic> ok
06:33 < macsppadic> from what i remember - the crl.pem shud be in a folder where the openvpn user can read it - usually 
06:34 < ecrist> it needs to be in a folder the user openvpn runs as can see. always
06:34 < screenn> but the way in config to /etc/openvpn and config must be in /var/lib/
06:36 < krzee> good tip ecrist, i just caught that on something im setting up, ccd dir wasnt o+x or set to openvpn user
06:37 < ecrist> screenn: you can put files anywhere you want, as long as you use the correct path in config
06:39 < krzee> which i prefer to do like so:
06:39 < krzee> cd /home/krzee/vpn/keys/
06:39 < krzee> ca ca.crt
06:39 < krzee> cert server.crt
06:39 < krzee> key server.key
06:39 < krzee> dh dh4096.pem
06:39 < krzee> tls-auth ta.key 0
06:39 < krzee> so if you move them, its easy to change
06:39 < havoc> that work on windows too?
06:39 < havoc> the 'cd'?
06:39 < krzee> yup
06:39 < havoc> cool
06:40 < havoc> does the ovpn config support vars of any type?
06:41 < havoc> I have never thought about it
06:41 < krzee> nope
06:41 < havoc> ok
06:41 < krzee> but the scripts do
06:41 < krzee> many places to hook in scripts
06:41 < havoc> I was just curious, I have no use in mind
06:42 < krzee> and many vars given to be used in creative ways
06:42 < krzee> some nice sections in the manual about it if you find yourself bored
06:43 < havoc> yeah, the only time I've needed up/down scripts was when I did bridging
06:44 -!- LobbyZ [n=default@main.lobbyzffs.com] has quit [Read error: 60 (Operation timed out)]
06:54 -!- LobbyZ [n=default@main.lobbyzffs.com] has joined ##openvpn
06:58 < ecrist> I use bridging, and don't need up/down scripts. ;)
07:02 -!- jfkw_ [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:03 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Read error: 104 (Connection reset by peer)]
07:03 -!- screenn [n=screenn@77.222.135.254] has quit [Read error: 110 (Connection timed out)]
07:05 -!- screenn [n=screenn@77.222.135.254] has joined ##openvpn
07:12 < havoc> ecrist: depends on how you set it up
07:12 < havoc> I wanted to be able to restart networking, openvpn, and shorewall all independently
07:17 < screenn> I mean when I have in config file an option: "push "route 192.168.88.0 255.255.255.0", but for --client-config-dir file this option - push "route 192.168.50.0 255.255.255.0", what route for this client I'll have both or one from them? 
07:22 < krzee> !goal
07:22 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:24 < krzee> and answer is both
07:25 < screenn> ok
07:29 -!- screenn [n=screenn@77.222.135.254] has quit ["Leaving"]
07:47 < disappearedng_> anyone familiar with dnsmasq?
07:47 < disappearedng_> is that what you guys use for updating your dns servers when you run openvpn
07:48 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
07:51 -!- macsppadic [n=sonupunn@82.109.74.162] has quit [Read error: 104 (Connection reset by peer)]
07:51 -!- macsppadic [n=sonupunn@82.109.74.162] has joined ##openvpn
08:00 < Bushmills> i run maradns
08:07 < ecrist> I don't update DNS when clients connect/disconnect
08:07 < ecrist> if your question is specific to dnsmasq, try their channel.
08:25 -!- W0rmF00d [n=wormfood@121.35.52.235] has joined ##openvpn
08:26 -!- disappearedng_ [n=disappea@unaffiliated/disappearedng] has quit [Read error: 110 (Connection timed out)]
08:27 -!- disappearedng [n=disappea@unaffiliated/disappearedng] has joined ##openvpn
08:27 < disappearedng> how do I change my dns when openvpn is in place?
08:27 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 104 (Connection reset by peer)]
08:35 -!- WormFood [n=wormfood@113.87.194.89] has quit [Read error: 60 (Operation timed out)]
09:03 -!- W0rmF00d is now known as WormFood
09:14 < Bushmills> disappearedng: locally running a recursive name server lets it use default route - when openvpn is up and traffic routed through it, dns queries will be too. 
09:15 < Bushmills> just tell your resolver to use your local dns, rather than provider dns.
09:15 -!- STF_ [n=chatzill@dslb-084-061-189-052.pools.arcor-ip.net] has joined ##openvpn
09:15 -!- STF_ is now known as STF
09:25 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
09:30 -!- Diffen2 [n=diffen2@226.234.241.83.in-addr.dgcsystems.net] has quit ["This computer has gone to sleep"]
09:30 -!- kyrix [n=ashley@mail.ic-vienna.at] has quit ["Leaving"]
09:43 -!- hyper_ch [n=hyper_ch@ks357331.kimsufi.com] has quit [Read error: 104 (Connection reset by peer)]
09:44 -!- hyper_ch [n=hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
09:51 -!- agagag [n=anton@ataraxia.bek.no] has quit [Read error: 60 (Operation timed out)]
09:55 -!- lampliter [n=chatzill@c-76-19-126-1.hsd1.ma.comcast.net] has joined ##openvpn
09:58 < lampliter> any hints n how to make windows openvpn client work for multiple connections?
10:03 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
10:03 -!- mode/##openvpn [+v Kas] by ChanServ
10:04 < ecrist> lampliter: what do you mean?
10:05 -!- WormFood [n=wormfood@121.35.52.235] has quit [Read error: 60 (Operation timed out)]
10:08 < lampliter> I need 3 links up at the same tiem
10:09 < lampliter> it complains about a (socket??) in use
10:10 -!- disappearedng [n=disappea@unaffiliated/disappearedng] has quit [Read error: 110 (Connection timed out)]
10:10 -!- disappearedng [n=disappea@213.254.213.41] has joined ##openvpn
10:11 < lampliter> TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use (WSAEADDRINUSE)
10:16 -!- newmember_ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Client Quit]
10:21 -!- Kaspx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 110 (Connection timed out)]
10:22 -!- WormFood [n=wormfood@121.35.53.253] has joined ##openvpn
10:28 -!- mick_laptop [n=mick@clamwin/admin/mickhome] has left ##openvpn []
10:44 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
10:58 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
11:07 -!- openvpn2009 [n=email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit ["ircN 8.00 for mIRC (20080809) - www.ircN.org"]
11:15 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:22 -!- openvpn2009 [n=email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
11:22 -!- mode/##openvpn [+o openvpn2009] by ChanServ
11:27 -!- macsppadic [n=sonupunn@82.109.74.162] has quit []
11:28 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
11:30 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Client Quit]
11:31 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
12:25 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: |Mike|, ScriptFanix, Holister, ribasushi, dunc, d12fk, @openvpn2009, le0, freaky[t], sno,  (+1 more, use /NETSPLIT to show all of them)
12:32 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn
12:32 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
12:32 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
12:32 -!- tjz [n=tjz@unaffiliated/tjz] has joined ##openvpn
12:32 -!- ribasushi [n=rabbit@dslb-084-063-002-197.pools.arcor-ip.net] has joined ##openvpn
12:32 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn
12:32 -!- d12fk [n=heiko@vpn.astaro.de] has joined ##openvpn
12:32 -!- ScriptFanix [i=vincent@Tuluk.riquer.fr] has joined ##openvpn
12:32 -!- sno [n=sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn
12:32 -!- Holister [n=ryan@151.204.189.39] has joined ##openvpn
12:33 -!- openvpn2009 [n=email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
12:33 -!- ServerMode/##openvpn [+o openvpn2009] by irc.freenode.net
12:58 -!- bandini [n=bandini@host246-106-dynamic.10-79-r.retail.telecomitalia.it] has joined ##openvpn
13:05 -!- STF is now known as Guest46005
13:05 -!- STF__ [n=chatzill@20-130.stw.uni-duisburg.de] has joined ##openvpn
13:06 -!- Guest46005 [n=chatzill@dslb-084-061-189-052.pools.arcor-ip.net] has quit [Read error: 104 (Connection reset by peer)]
13:06 -!- STF___ [n=chatzill@dslb-084-061-189-052.pools.arcor-ip.net] has joined ##openvpn
13:09 -!- STF___ [n=chatzill@dslb-084-061-189-052.pools.arcor-ip.net] has quit [Client Quit]
13:09 -!- STF [n=chatzill@dslb-084-061-189-052.pools.arcor-ip.net] has joined ##openvpn
13:16 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:22 < eightfold> is it possible to get openvpn to run a socks proxy so that i can connect to a running tunnel via a program that can handle proxies?
13:22 < ecrist> ping dazo
13:22 -!- Irssi: ##openvpn: Total of 91 nicks [2 ops, 0 halfops, 1 voices, 88 normal]
13:23 -!- STF__ [n=chatzill@20-130.stw.uni-duisburg.de] has quit [Read error: 110 (Connection timed out)]
13:31 < krzee> eightfold, 
13:31 < krzee> !routebyapp
13:31 < vpnHelper> krzee: "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
13:31 < krzee> you mean like that?
13:33 < eightfold> krzee: to be honest, i don't know! i tried to grasp and implement that solution a week ago, but practically i can't really see the process.
13:33 < eightfold> krzee: i want to run only rtorrent through a tunnel.
13:34 < eightfold> krzee: but it doesn't handle proxies, so i will use a *nix program called "tsocks" that works as a wrapper or whatever. 
13:35 < eightfold> krzee: you do: "tsocks rtorrent" and tsocks "proxifies" rtorrent
13:35 < krzee> heh
13:35 < eightfold> reading this now: http://www.exiledmind.net/vpn-tunnel
13:35 < vpnHelper> Title: VPN Tunnelling through HTTP Proxy | exiled mind (at www.exiledmind.net)
13:35 < krzee> i told you how to do it last time you asked
13:35 < krzee> !routebyapp
13:35 < vpnHelper> krzee: "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
13:35 < krzee> theres nothing difficult about it, i GAVE you the config
13:36 < eightfold> krzee: hmm, sorry i missed that part. or i'm becoming senile. have the logs though, i think.
13:37 < krzee> if you dont, here they are
13:37 < krzee> !irclogs
13:37 < vpnHelper> krzee: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days.
13:37 < krzee> and the config is here:
13:38 < krzee> !sockd
13:38 < vpnHelper> krzee: "sockd" is if you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP! otherwise you will be an open proxy. that config has no security because its expected to run inside openvpn
13:46 < eightfold> hey, thanks a bunch.
13:54 < eightfold> krzee: eh, hmm. how do i run the the config "on the internal vpn ip"?
13:58 < krzee> it should be obvious from the config file, but even if it isnt, try reading the manual
13:59 < krzee> theres 2 places in the config with an ip, its not that hard...
14:05 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn
14:05 -!- MadTBone [n=MadTBone@160.39.238.196] has quit ["Leaving"]
14:08 < eightfold> bah, i think the problem is that don't even know what it is doing. feeling quite stupid. dante is acting as a proxy. am i trying to use sockd to run as a proxy. specify where traffic is going (with sockd.conf) when i connect rtorrent with tsocks to sockd?
14:09 < hyper_ch> good evening :)
14:09 < eightfold> remove this part: "dante is acting as a  proxy. am i trying to use sockd to run as a proxy.
14:09 < eightfold> "
14:16 -!- koin [n=niko@niko-niko.co.uk] has joined ##openvpn
14:17 < koin> Hey there, I am getting this error when trying to connect via openvpn gui on windows: Error: private key password verification failed
14:17 < koin> However I have made new keys with no passwords, but cant figure out what this mean
14:17 < koin> as I have not had it with other keys I have made befor3e
14:18 < koin> Does anyone have ay idea as I have been searching for a while now
14:19 < ecrist> it looks like you're trying to feed a password for the certificate
14:19 < ecrist> and it's wrong
14:24 < koin> I wasn't actually too sure how to use the password at first
14:24 < koin> butI have deleted all the keys now and started again without one
14:25 < koin> andI am still getting the error
14:28 < koin> ls
14:28 < koin> sorry D:
14:31 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:48 < ecrist> !logs
14:48 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
14:48 < ecrist> !configs
14:48 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
15:05 -!- chilicuil [n=sistemas@189.191.122.139] has joined ##openvpn
15:25 -!- Holister [n=ryan@151.204.189.39] has quit [Read error: 104 (Connection reset by peer)]
15:25 -!- Holister [n=ryan@static-151-204-189-39.pskn.east.verizon.net] has joined ##openvpn
15:29 < krzie> <eightfold> remove this part: "dante is acting as a  proxy. am i trying to use
15:29 < krzie>             sockd to run as a proxy.
15:29 < krzie> <eightfold> "
15:29 < krzie> dante is a sockd
15:37 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit [Read error: 113 (No route to host)]
15:58 -!- bandini [n=bandini@host246-106-dynamic.10-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
16:24 -!- connectionVPN [n=hello_wo@lu-r1.connectionvpn.com] has joined ##openvpn
16:41 < eightfold> krzee: looking at "ifconfig" the tun0 get's different numberrs each time i connect (i guess this is the internal vpn ip?). inet addr:xxx  P-t-P:yyy  Mask:255.255.252.0
16:41 < eightfold> krzee: xxx and yyy changes every time i connect
16:42 < eightfold> krzee: does this make setting an ip in http://www.ircpimps.org/sockd.conf tricky?
16:44 < Bushmills> eightfold:  ifconfig-pool-persist  or  ifconfig-push
16:44 < Bushmills> (server side)
16:46 < eightfold> Bushmills: i can't control server side
16:48 < Bushmills> look at  ifconfig in client side config
16:49 < Bushmills> but that may fail, i think, if you were disconnected too long (and server reassigned the ip address which you want to use to another client)
16:52 < eightfold> Bushmills: hmm... all i'm trying to do is to only use openvpn for rtorrent. the rest of the system should default to eth0. right now the tunnel is running but i need direct the rtorrent traffic to the tunnel. using the proxifier "tsocks" (as rtorrent doesn't support proxies) i could send the traffic to a proxy (sockd). i need to configure sockd, but i'm not sure how.
16:52 < Bushmills> !routebyapp
16:52 < vpnHelper> Bushmills: "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
16:52 < eightfold> Bushmills: trying to use this: http://www.ircpimps.org/sockd.conf . but as my ip changes at each new connect, i dunno how.
16:54 < eightfold> Bushmills: yeah, that's what i'm doing. but is configuring sockd.conf properly possible if the ip changes?
16:54 < Bushmills> you can try  client side ifconfig+
16:55 < eightfold> Bushmills: in what way?
16:56 < Bushmills> in the way the documentation or man page suggests
16:58 < eightfold> Bushmills: so, what i'm trying to do, get the same ip every time or is there another solution?
16:58 < Bushmills> that's the first thing i'd try
17:01 < krzie> <eightfold> Bushmills: i can't control server side
17:02 < krzie> if you dont control the server you cant do what im saying with socks
17:03 < eightfold> krzie: hmm, ok
17:04 < eightfold> krzie: so the attempt on  routing only one application through a tunnel on debian will fail?
17:10 < Bushmills> moiners, krzie
17:17 -!- connectionVPN_ [n=hello_wo@lu-r1.connectionvpn.com] has joined ##openvpn
17:27 -!- connectionVPN [n=hello_wo@lu-r1.connectionvpn.com] has quit [Read error: 110 (Connection timed out)]
17:34 -!- connectionVPN_ is now known as connectionVPN
17:40 < eightfold> would it be possible to make a shell script that took the the current vpn ip from ifconfig output and put it in the sockd.conf at each connect?
17:44 < rob0> Um, I'm not wishing to read the whole scrollback, but ISTM that is rather silly. Why is your VPN IP dynamic? Even a client can have a static VPN IP.
17:44 < rob0> Do you not control the server end of it?
17:45 < rob0> oh I see that
17:45 < Bushmills> eightfold: http://scarydevilmonastery.net/snap/1264463101464138113.png
17:45 < rob0> Did you ask the server admin for a static IP?
17:45 < Bushmills> take note of the "ifconfig_local_ip" arg passed to it
17:50 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)]
18:02 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has quit ["This computer has gone to sleep"]
18:10 -!- chilicuil [n=sistemas@189.191.122.139] has quit [Client Quit]
18:16 < krzie> eightfold yes, if you dont control the server you have no way to do that
18:16 < krzie> Bushmills moinmoin
18:24 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: dazol, havoc, +Kas, berniv6, WormFood, jmm, hacim, _trine, cron2, disco-,  (+2 more, use /NETSPLIT to show all of them)
18:24 -!- hacim_ [n=micah@micah.riseup.net] has joined ##openvpn
18:24 -!- havoc_ [n=havoc@saturn.chaillet.net] has joined ##openvpn
18:24 -!- cron2_ [n=gert@blue.greenie.muc.de] has joined ##openvpn
18:24 -!- mode/##openvpn [+v Kas] by ChanServ
18:24 -!- Netsplit over, joins: Kas, _trine, disco-
18:24 -!- Netsplit over, joins: Diffen
18:28 -!- berniv6__ [n=berni@2001:1b10:1000:0:0:0:26c3:1] has joined ##openvpn
18:28 -!- berniv6__ [n=berni@2001:1b10:1000:0:0:0:26c3:1] has quit [Client Quit]
18:30 -!- dazo [n=dazo@nat/redhat/session] has joined ##openvpn
18:30 -!- WormFood [n=wormfood@121.35.53.253] has joined ##openvpn
18:30 -!- dazo is now known as Guest89799
18:32 -!- nagasadow [n=kosmic@thefuckin.net] has joined ##openvpn
18:44 < koin> ls
18:44 < koin> doh!
18:55 -!- connectionVPN_ [n=hello_wo@lu-r1.connectionvpn.com] has joined ##openvpn
18:56 -!- connectionVPN_ [n=hello_wo@lu-r1.connectionvpn.com] has left ##openvpn ["Leaving"]
18:58 < krzie> -rw-------   1 koin koin 512 Jan 25 15:07 kiddieporn
18:59 < krzie> doh, shoulda been drwx------
18:59 < krzie> :-p
19:04 -!- connectionVPN [n=hello_wo@lu-r1.connectionvpn.com] has quit [Read error: 110 (Connection timed out)]
19:07 < eightfold> gotta get some sleep
19:07 < eightfold> be back tomorrow. thanks for the help.
19:30 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit [Connection reset by peer]
19:31 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn
19:33 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit [Read error: 104 (Connection reset by peer)]
19:35 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn
19:47 < tjz> krzie, lol
19:49 -!- WormFood [n=wormfood@121.35.53.253] has quit [Read error: 60 (Operation timed out)]
19:53 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
19:54 < Bushmills> oh, sleep. right. end of the month approaching again.
20:04 < krzie> lol
20:07 -!- WormFood [n=wormfood@121.35.52.234] has joined ##openvpn
20:09 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Connection timed out]
20:24 -!- STF is now known as Guest4150
20:25 -!- STF_ [n=chatzill@dslb-084-061-176-150.pools.arcor-ip.net] has joined ##openvpn
20:25 -!- STF_ [n=chatzill@dslb-084-061-176-150.pools.arcor-ip.net] has quit [Remote closed the connection]
20:25 -!- STF_ [n=chatzill@dslb-084-061-176-150.pools.arcor-ip.net] has joined ##openvpn
20:26 -!- STF_ [n=chatzill@dslb-084-061-176-150.pools.arcor-ip.net] has quit [Client Quit]
20:26 -!- STF [n=chatzill@dslb-084-061-176-150.pools.arcor-ip.net] has joined ##openvpn
20:31 < tjz> lol
20:43 -!- Guest4150 [n=chatzill@dslb-084-061-189-052.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)]
21:24 -!- raj123 [n=raj99@pool-173-70-169-104.nwrknj.fios.verizon.net] has joined ##openvpn
21:24 < raj123> hi
21:24 < raj123> I am new to openvpn
21:25 < raj123> I was able to connect to the vpn server from the client
21:25 < raj123> further than that I am not able to access my other machines in the network
21:26 < raj123> I was looking at the website and I am not clear by this statement- how to achieve this
21:26 < raj123> # (The OpenVPN server machine may need to NAT# the TUN/TAP interface to the internet in# order for this to work properly).
21:26 < raj123> Can someone advise me how to do this
21:31 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 110 (Connection timed out)]
21:37 -!- raj123 [n=raj99@pool-173-70-169-104.nwrknj.fios.verizon.net] has quit []
21:38 -!- WormFood [n=wormfood@121.35.52.234] has quit [Read error: 60 (Operation timed out)]
21:50 -!- WormFood [n=wormfood@58.60.223.83] has joined ##openvpn
21:52 -!- W0rmF00d [n=wormfood@113.87.199.119] has joined ##openvpn
22:01 -!- WormFood [n=wormfood@58.60.223.83] has quit [Read error: 60 (Operation timed out)]
22:08 < Bushmills> !route
22:08 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
22:13 < krzee> what website
22:13 < krzee> oh hes gone
22:16 < Bushmills> doesn't matter - we both gave the wrong answer anyway
22:17 < krzee> yanno the name of that cli speedtesting app?
22:17 < Bushmills> speed of what?
22:17 < krzee> bandwidth
22:17 < Bushmills> wget
22:17 < krzee> i mean i remember someone talking about an app you run on both sides that tests the connection, as opposed to just wget or scp
22:18 < krzee> an app that was made only for that
22:18 < Bushmills> wget has a verbose mode.
22:18 < krzee> im automating the speedtest
22:18 < krzee> with control over both sides
22:19 < Bushmills> bing
22:19 < Bushmills>  Bing determines the real (raw, as opposed to available or average)
22:19 < Bushmills>  throughput on a link by measuring ICMP echo requests' round trip times
22:19 < Bushmills>  for different packet sizes at each end of the link.
22:19 < krzee> there it is, iperf
22:20 < krzee> Iperf was developed by NLANR/DAST as a modern alternative for measuring maximum TCP and UDP bandwidth performance. Iperf allows the tuning of various parameters and UDP characteristics. Iperf reports bandwidth, delay jitter, datagram loss.
22:21 < Bushmills>  Internet Protocol bandwidth measuring tool
22:21 < Bushmills>  Iperf is a modern alternative for measuring TCP and UDP bandwidth performance,
22:21 < Bushmills>  allowing the tuning of various parameters and characteristics.
22:21 < Bushmills> righ
22:21 < Bushmills> t
22:30 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
22:31 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
22:41 < tjz> Iperf ..
22:41 < tjz> anyone tried it?
22:51 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Read error: 104 (Connection reset by peer)]
22:52 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
23:03 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Read error: 104 (Connection reset by peer)]
23:07 -!- jfkw_ [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
23:19 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
23:23 -!- disappearedng [n=disappea@213.254.213.41] has quit [Read error: 110 (Connection timed out)]
23:25 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
23:26 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Client Quit]
23:30 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Read error: 104 (Connection reset by peer)]
23:32 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
--- Day changed Tue Jan 26 2010
00:45 < krzee> not yet tjz, ill play with it  soon tho
01:44 -!- nb [n=nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
01:44 < nb> is it possible to get my vpn server to route a public ip on that server to one of the vpn clients?
01:46 < krzee> sure, but requires wasting 2 ips
01:47 < nb> oh?
01:47 < krzee> so if you have a /24, 254 usable, if you have a single free ip, you have to use bidirectional NAT i think
01:47 < krzee> sure, nowhere does it say --server MUST take a rfc1918 ip
01:48 < krzee> you can give it inet routable ips
01:48 < krzee> its just much more normal to use 1918 ips =]
01:49 < krzee> Bushmillsor reiffert, ya here?
01:49 < nb> oh, so i could tell openvpn to give it a public ip, but id have to have another one too?
01:49 < krzee> whoa reif isnt even in the channel... Bushmills ya here?
01:49 < krzee> another 2
01:49 < krzee> gateway and broadcast
01:50 < krzee> and thats only if you use 2.1 with topology subnet
01:50 < krzee> otherwise its 4 ips per endpoint with default topology (net30)
01:50 < nb> oh
01:51 < krzee> you could prolly do it with a bridge without wasting an IP, but i cant help with that
01:54 < krzee> bleh i have interesting stuff to talk bout an reif isnt here, dazo isnt here, ecrist is sleeping and Bushmills is idle
01:57 -!- Leila_ [i=50bfc236@gateway/web/freenode/x-zxgfoyedacxkijbl] has joined ##openvpn
02:08 -!- Leila_ [i=50bfc236@gateway/web/freenode/x-zxgfoyedacxkijbl] has quit [Ping timeout: 180 seconds]
02:15 -!- jmm [n=jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
02:15 < jmm> hi.
02:15 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:39 < cron2_> krzee: so what's up?
02:44 < krzee> making a little writeup about it
02:45 -!- jmm is now known as jww
02:45 < krzee> heres an ugly preview
02:45 < krzee> https://www.secure-computing.net/wiki/index.php/OpenVPN/VpnChains
02:45 < vpnHelper> Title: OpenVPN/VpnChains - Secure Computing Wiki (at www.secure-computing.net)
02:47 < krzee> very ugly very rough
02:47 < krzee> but at least i got the info in there for now
02:48 < cron2_> mmmh, fun stuff :-)
02:52 -!- Diffen2 [n=diffen2@226.234.241.83.in-addr.dgcsystems.net] has joined ##openvpn
03:08 -!- master_of_master [i=master_o@p57B57414.dip.t-dialin.net] has joined ##openvpn
03:10 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
03:10 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
03:20 -!- master_o1_master [n=master_o@p57B5749C.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
03:27 -!- freaky[t] [i=alpha@member.team-box.net] has quit [Read error: 110 (Connection timed out)]
03:32 < krzee> there, lil prettier now
03:32 < krzee> https://www.secure-computing.net/wiki/index.php/OpenVPN/VpnChains
03:32 < vpnHelper> Title: OpenVPN/VpnChains - Secure Computing Wiki (at www.secure-computing.net)
03:39 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
03:41 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
03:42 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:44 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn
03:44 -!- yoshx [n=yoshx@38.115.119-80.rev.gaoland.net] has joined ##openvpn
04:21 -!- kyrix [n=ashley@mail.ic-vienna.at] has joined ##openvpn
04:53 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
05:24 -!- robotti^ [i=robotti@kapsi.fi] has quit ["leaving"]
05:27 -!- robotti^ [i=robotti@kapsi.fi] has joined ##openvpn
05:29 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
05:29 -!- mode/##openvpn [+o mattock] by ChanServ
05:38 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
05:42 -!- havoc_ [n=havoc@saturn.chaillet.net] has quit [Client Quit]
05:42 -!- havoc [n=havoc@saturn.chaillet.net] has joined ##openvpn
05:45 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:51 -!- newmember_ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
05:51 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Read error: 110 (Connection timed out)]
05:58 -!- newmember__ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
06:12 -!- newmember_ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Read error: 110 (Connection timed out)]
06:17 -!- mgolisch [n=michi@85.93.11.18] has joined ##openvpn
06:24 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
06:24 < mgolisch> the openvpnservice wrapper for windows does not provide any interfaces to interact with the openvpn process right?
06:25 < mgolisch> like passing in username/password for authentication
06:25 < mgolisch> so it can only be used with privatekey auth right?
06:26 -!- macsppadic [n=sonupunn@82.109.74.162] has joined ##openvpn
06:58 < ecrist> lol @ krzee 
07:00 -!- APTX [n=APTX@phpBB/developer/APTX] has quit [Read error: 110 (Connection timed out)]
07:16 -!- APTX [n=APTX@chello089076052083.chello.pl] has joined ##openvpn
07:35 -!- lampliter [n=chatzill@c-76-19-126-1.hsd1.ma.comcast.net] has quit [Remote closed the connection]
07:44 -!- APTX [n=APTX@phpBB/developer/APTX] has quit [Remote closed the connection]
07:44 -!- APTX [n=APTX@chello089076052083.chello.pl] has joined ##openvpn
07:57 -!- chilicuil [n=sistemas@189.191.122.139] has joined ##openvpn
07:58 -!- chilicuil [n=sistemas@189.191.122.139] has quit [Client Quit]
07:59 -!- bkohler [n=bkohler@91.209.82.15] has joined ##openvpn
08:07 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:11 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
08:25 -!- Diffen2 [n=diffen2@226.234.241.83.in-addr.dgcsystems.net] has quit ["This computer has gone to sleep"]
08:38 -!- bkohler [n=bkohler@91.209.82.15] has quit [Read error: 60 (Operation timed out)]
08:48 -!- newmember__ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Client Quit]
09:04 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
09:04 -!- le0_ [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
09:11 -!- chilicuil [n=sistemas@unaffiliated/chilicuil] has joined ##openvpn
09:16 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 110 (Connection timed out)]
09:27 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
09:31 < crazygir> are there still problems with running the tap32 driver on windows vista?
09:40 < crazygir> I'm finding info about previous issues, but nothing recent. I'm trying to install the openvpn gui (and tap driver) on a clients vista (32bit) system but vista is yelling at me over driver incompatibilities
09:40 < crazygir> won't let me install the driver :|
09:49 < mgolisch> why not?
09:51 < mgolisch> is there any plans to improve the service wrapper on windows?
09:51 < mgolisch> like implementing somekind of interface for a gui to interact with it?
09:51 < mgolisch> like starting dedicated instances of the openvpn client and pass input to them? like for username/password auth?
09:54 < ecrist> mgolisch: not sure.  better asking on -devel mailing list.
09:54 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 104 (Connection reset by peer)]
09:56 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
09:56 -!- mode/##openvpn [+v Kas] by ChanServ
09:56 < mgolisch> its kinda dumb atm
10:03 < crazygir> vista just complains about the driver having incompatibilities, and blocks its installation
10:05 -!- W0rmF00d [n=wormfood@113.87.199.119] has quit [Read error: 60 (Operation timed out)]
10:12 -!- incorrect [n=fwest@78.33.42.140] has joined ##openvpn
10:12 < incorrect> how do i find out what a number set for my openvpn server is?
10:14 < hyper_ch> incorrect: ?
10:15 < incorrect> hyper_ch, well i am using pfsense and they have a cute status page, however to get it to work it says add "management 127.0.0.1 <port>"
10:15 < incorrect> where <port> is the port number set for that server.
10:15 < incorrect> does it mean to put in the same port i am using for connections maybe
10:15 < hyper_ch> no clue what pfsense is
10:15 < hyper_ch> or how that is related to openvpn
10:16 < incorrect> its a freebsd with a pretty webui 
10:16 < incorrect> like monowall
10:16 < incorrect> they let you use openvpn
10:18 < hyper_ch> it still does not change anything about me having no clue what that is or how to use that or what to do with it or how that is related to openvpn
10:20 < incorrect> there is a openvpn status page, for it to work its asking me to add "management 127.0.0.1 <port>" to my config
10:25 -!- W0rmF00d [n=wormfood@121.35.52.116] has joined ##openvpn
10:28 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:32 -!- Mtn_Bkng_Dave [n=whome@206.17.147.84] has joined ##openvpn
10:33 < Mtn_Bkng_Dave> !welcome
10:33 < vpnHelper> Mtn_Bkng_Dave: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:33 < Mtn_Bkng_Dave> !route
10:33 < vpnHelper> Mtn_Bkng_Dave: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:08 -!- connectionVPN [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has joined ##openvpn
11:10 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:16 -!- stephenh [n=stephenh@94-23-158-103.kimsufi.com] has quit [Read error: 60 (Operation timed out)]
11:30 -!- macsppadic [n=sonupunn@82.109.74.162] has quit []
11:34 -!- incorrect [n=fwest@78.33.42.140] has quit [Remote closed the connection]
11:54 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
11:57 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
12:01 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit [Read error: 110 (Connection timed out)]
12:01 -!- smerz [n=daniel@smerz.demon.nl] has quit [Connection reset by peer]
12:01 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
12:04 -!- MadTBone_ [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
12:04 -!- STF [n=chatzill@dslb-084-061-176-150.pools.arcor-ip.net] has quit [Read error: 104 (Connection reset by peer)]
12:04 -!- STF [n=chatzill@dslb-084-061-176-150.pools.arcor-ip.net] has joined ##openvpn
12:11 -!- drue [n=drue@64.251.23.23] has quit [Client Quit]
12:30 < krzee> ecrist, ?
12:30 < ecrist> yo
12:30 < krzee> [08:58]  <ecrist> lol @ krzee 
12:30 < ecrist> 01:54 ##openvpn: < krzee> bleh i have interesting stuff to talk bout an reif isnt here, dazo isnt here, ecrist is sleeping and Bushmills is idle
12:30 < krzee> lol
12:31 < krzee> did you see my beginning of a vpnchains writeup?
12:32 < krzee> https://www.secure-computing.net/wiki/index.php/OpenVPN/VpnChains
12:33 < vpnHelper> Title: OpenVPN/VpnChains - Secure Computing Wiki (at www.secure-computing.net)
12:34 < ecrist> yes, I did.
12:34 < ecrist> I like my smiling 'M' diagram better. ;)
12:34 < krzee> lol
12:35 < krzee> i wasnt sure that it really belongs on the wiki, but i have nowhere else
12:35 < krzee> hehe
12:35 < ecrist> wiki is OK, forum would be good, as well.
12:35 < ecrist> did you know we've got graphviz on the wiki now?
12:36 < ecrist> http://www.secure-computing.net/wiki/index.php/Graph
12:36 < krzee> ya reiffert made an awesome diagram with it
12:36 < vpnHelper> Title: Graph - Secure Computing Wiki (at www.secure-computing.net)
12:36 < krzee> hey and thats it!
12:36 < krzee> i added the top 2 lines of text =]
12:36 < krzee> (a the bottom)
12:44 < krzee> any thoughts to why i would see that difference in bandwidth?
12:44 < krzee> btw CLIENT-B is at your house :)
12:55 -!- kyrix [n=ashley@mail.ic-vienna.at] has quit ["Leaving"]
13:17 -!- PeterFA [n=Peter@unaffiliated/peterfa] has quit [Read error: 60 (Operation timed out)]
13:20 -!- Serideru1 [n=GTWebste@63.91.180.212] has joined ##openvpn
13:24 -!- Zarathu [i=zarathu@srv01.whitepaperclip.com] has joined ##openvpn
13:25 < Zarathu> thought I'd ask here really quickly for potential alternatives. I have one central machine that needs to have its files in a particular directory available for constant read-write access to 15 other machines via windows file sharing. all of the machines are running windows
13:25 < Zarathu> my first attack at the issue is just to set up a VPN, but are there other possible alternatives?
13:27 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out]
13:39 -!- Serideru1 [n=GTWebste@63.91.180.212] has quit [Connection timed out]
13:39 -!- Zarathu [i=zarathu@srv01.whitepaperclip.com] has left ##openvpn []
13:50 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
13:54 < ecrist> krzee: I figured.  If bandwidth becomes a problem, I know where to look. ;)
13:55 < |Mike|> where is that
13:55 < ecrist> I'm guessing your test ran about 8:45 CST
13:55 < rob0> look that way --->
13:55 < |Mike|> <---
13:55 < rob0> Indians! We's under attack! Circle up the wagons!!
13:57  * ecrist has no problem with Indains so long as he gets a discount on Super Squishies (http://sharetv.org/watch/110414)
13:57 < vpnHelper> Title: Watch All Syrup Super Squishy Bender - The Simpsons TV Clip - ShareTV.org (at sharetv.org)
13:59 -!- hacim_ is now known as hacim
14:00  * reiffert shoots burning archery
14:08 -!- Dave1965 [n=whome@166.217.101.201] has joined ##openvpn
14:15 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
14:17 -!- Mtn_Bkng_Dave [n=whome@206.17.147.84] has quit [Read error: 110 (Connection timed out)]
14:21 -!- Dave1965 [n=whome@166.217.101.201] has quit []
14:22 -!- Mtn_Bkng_Dave [n=whome@206.17.147.84] has joined ##openvpn
14:23 < Mtn_Bkng_Dave> here krzee?
14:29 < reiffert> krzee is gone, he left us yesterday.
14:30 < Mtn_Bkng_Dave> huh?
14:30 < reiffert> believe it or not.
14:30 < Mtn_Bkng_Dave> as in permenantly?
14:31 < reiffert> did he respond to your question yet?
14:31 < Mtn_Bkng_Dave> no actually
14:31 < Mtn_Bkng_Dave> so is he gone for good?
14:32 < Mtn_Bkng_Dave> or just on vacation
14:32 < Mtn_Bkng_Dave> LOL
14:33 < reiffert> I'd ask Bushmills, he probably knows more.
14:39 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
14:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:58 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
15:11 -!- Mtn_Bkng_Dave [n=whome@206.17.147.84] has quit []
15:17 -!- connectionVPN [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has quit ["Leaving"]
15:34 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit [Read error: 113 (No route to host)]
15:53 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
16:02 -!- MadTBone_ [n=MadTBone@gw.msmnyc.edu] has quit [Remote closed the connection]
16:10 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:13 -!- yoshx [n=yoshx@38.115.119-80.rev.gaoland.net] has quit [Remote closed the connection]
16:17 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
16:26 -!- PeterFA [n=Peter@c-98-203-132-209.hsd1.wa.comcast.net] has joined ##openvpn
16:33 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out]
16:44 -!- W0rmF00d [n=wormfood@121.35.52.116] has quit [Read error: 60 (Operation timed out)]
16:44 -!- W0rmF00d [n=wormfood@121.35.52.116] has joined ##openvpn
16:52 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: Optic
16:52 -!- Optic_ [n=Optic@miso.capybara.org] has joined ##openvpn
17:02 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
17:19 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
17:57 -!- STF is now known as Guest7141
17:58 -!- STF__ [n=chatzill@20-130.stw.uni-duisburg.de] has joined ##openvpn
17:58 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has quit ["This computer has gone to sleep"]
17:58 -!- STF__ [n=chatzill@20-130.stw.uni-duisburg.de] has quit [Remote closed the connection]
17:59 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
17:59 -!- STF [n=chatzill@20-130.stw.uni-duisburg.de] has joined ##openvpn
18:04 -!- chilicuil [n=sistemas@unaffiliated/chilicuil] has quit ["Leaving."]
18:09 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: help with OpenVPN for Ubuntu :: Reply by dustin.mann9 <http://www.ovpnforum.com/viewtopic.php?f=4&t=2402&p=2947#p2947>
18:13 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)]
18:14 -!- Guest7141 [n=chatzill@dslb-084-061-176-150.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)]
18:23 -!- master_of_master [i=master_o@p57B57414.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
18:27 -!- MatBoy_ [n=MatBoy@wiljewelwetenhe.xs4all.nl] has joined ##openvpn
18:33 -!- master_of_master [i=master_o@p57B57414.dip.t-dialin.net] has joined ##openvpn
18:37 -!- MatBoy [n=MatBoy@wiljewelwetenhe.xs4all.nl] has quit [Read error: 110 (Connection timed out)]
18:49 -!- reiffert [n=thomas@mail.webersheim.de] has quit ["Lost terminal"]
18:53 -!- STF is now known as Guest64811
18:53 -!- STF__ [n=chatzill@dslb-084-061-176-150.pools.arcor-ip.net] has joined ##openvpn
19:00 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
19:01 < ecrist> evening, folks.
19:01 < krzie> folks? not bitches!?
19:01  * krzie checks ecrist's temp
19:02 < ecrist> SUP BITCHES
19:02 < ecrist> that better? ;)
19:02 < havoc> is it possible to install openvpn on windows unattended?
19:02 < ecrist> havoc: anything is possible.
19:02 < krzie> havoc, not standard
19:02 < havoc> heh, ok, how hard is it? ;)
19:03 -!- master_o1_master [n=master_o@p57B57414.dip.t-dialin.net] has joined ##openvpn
19:03 < havoc> does the installer take options?
19:03 < krzie> you could always roll your own
19:03 < krzie> !win_rollup
19:04 < vpnHelper> krzie: "win_rollup" is (#1) http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package-Rev1.1.html for a doc on HowTo Roll Your Own OpenVPN Windows Installation Package, or (#2) http://gentoo-wiki.com/HOWTO_OpenVPN_RoadWarrior#For_Installation_on_Windows_Client for a batch you can use to install certs in win client automagically
19:04 < havoc> thanks
19:04 < krzie> yw
19:07 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
19:07 < theDoc> !welcome
19:08 < vpnHelper> theDoc: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:09 -!- master_of_master [i=master_o@p57B57414.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
19:10 -!- Guest64811 [n=chatzill@20-130.stw.uni-duisburg.de] has quit [Read error: 110 (Connection timed out)]
19:30 -!- W0rmF00d is now known as WormFood
19:31 < ecrist> ping krzie, pm?
19:32 < krzie> sure
19:43 -!- Darkclaw66 [n=fortness@unaffiliated/darkclaw66] has joined ##openvpn
19:43 < Darkclaw66> is tcp mode significantly slower than udp mode?
19:44 < krzie> it can be
19:44 < krzie> read this:
19:44 < krzie> !tcp
19:44 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
19:44 < Darkclaw66> I had to switch from udp to tcp because I kept getting disconnected
19:45 < Darkclaw66> I have noticed a decrease in performance but some perfomance is better than ZERO performance
19:45 < Darkclaw66> I agree avoiding it is better but how can I fix it so I am not getting disconneced constantly
19:46 < krzie> by using udp
19:46 < Darkclaw66> I was getting disconnected constantly with UDP 
19:46 < Darkclaw66> I stopped getting disconnected with I switched to TCP
19:46 < krzie> had a keepalive?
19:46 < krzie> maybe something wrong with your firewall
19:46 < krzie> does it try to keep state on UDP?
19:46 < Darkclaw66> its at work, they have extensive firewalls
19:47 < krzie> (which i know is not stateful, but some lamesauce firewalls try to keep-state
19:47 < Darkclaw66> its not that they block it but they do some crap that is affecting it
19:47 < Darkclaw66> yes, they have stupid firewalls
19:47 < Darkclaw66> it is a big company with a big firewall
19:48 < Darkclaw66> I can give you the error message if you are interested
19:49 < krzie> theres an error message?
19:49 < Darkclaw66> something to do with a timeout
19:49 < krzie> right
19:50 < krzie> i blame your firewall
19:50 < Darkclaw66> then it would reconnect and two minutes it would do it again
19:50 < krzie> tried using commonly used ports to see if they are less restricted?
19:50 < krzie> like udp 53
19:50 < krzie> got a keep-alive?
19:50 < Darkclaw66> I don't, I removed everything to do with ping timeouts and keepalives
19:51 < Darkclaw66> the thing is, they arent blocking the port
19:51 < krzie> umm, keepalive is important
19:51 < Darkclaw66> i agree, i did have keep alive but it still was disconnecting me
19:52 < krzie> werd
19:53 < Darkclaw66> they have some firewall that knows I tried using MSN Messenger. when I send a message to a friend the firewall says you do not have permission
20:08 -!- STF__ [n=chatzill@dslb-084-061-176-150.pools.arcor-ip.net] has quit [Client Quit]
20:09 -!- STF [n=chatzill@dslb-084-061-176-150.pools.arcor-ip.net] has joined ##openvpn
20:09 < Darkclaw66> krzie do you know how I can make samba faster via OpenVPN?
20:10 < krzie> samba is a crap protocol, im not sure
20:10 < krzie> running a wins server should help a lil
20:11 < ecrist> what's your problem with smb over openvpn?
20:12 < krzie> many people have reported it doesnt perform like other proto's, but thats due to the fact it wasnt designed to be used over the inet
20:12 < krzie> at least my reading has pointed to that
20:13 < ecrist> fwiw, I just managed to saturate my inet pipe over openvpn and smb during a file copy
20:13 < ecrist> I call bullshit
20:13 < ecrist> justn ow,
20:13 < ecrist> just now*
20:13 < krzie> i dont use smb so i cant comment from personal experience
20:13 < ecrist> i use it, it's a decent protocol to help with file shares.
20:13 < ecrist> I'm a much bigger fan of AFP
20:14 < krzie> i stick to AFP / NFS
20:14 < krzie> might be due to a lack of windows on machines i control
20:14 < krzie> ;]
20:14 < Darkclaw66> it works but its extremely slow
20:14 < Darkclaw66> and it's even more slower with tcp
20:14 < ecrist> many of the desktop at the office are windows, so the file servers there run a combo of AFP, NFS, and SMB
20:14 < krzie> ecrist, hes also bound to TCP
20:14 < ecrist> more slower?
20:15 < Darkclaw66> switching from udp to tcp slowed down samba 
20:15 < ecrist> english is not strong with you
20:15 < ecrist> !tcp
20:15 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
20:15 < Darkclaw66> huh?
20:15 < krzie> he knows, he gets disconnected every 2min even with a keepalive when using UDP, company firewall issues
20:16 < krzie> my guess is the company firewall attempts to keep-state on UDP and something breaks
20:16 < Darkclaw66> not sure what my english has anything to do with this situation
20:16 < ecrist> quit browsing porn on company time. ;)
20:16 < krzie> ecrist, no porn!? what are we supposed to do at work?
20:17 < ecrist> *I* look at porn just fine, but being the sr admin, I know if/where things are logged. ;)
20:17 < ecrist> amirite?
20:19 < krzie> bleh i cant remember the name of that tool for viewing images an an arp poison'ed lan
20:19 < ecrist> Darkclaw66: your problem is TCP, not smb.
20:19 < krzie> but its fun, lol
20:19 < Darkclaw66> im not complaining though, basic things like browsing the web and stuff is relatively fast but dealing with files with samba is extremely slow
20:19 < krzie> i have a shortcut to running it on my stacks but im not home
20:21 < Darkclaw66> do I still need keepalive if I am using tcp?
20:21 < krzie> read --keepalive in the manual?
20:21 < ecrist> I don't think so.
20:21 < ecrist> !keepalive
20:21 < vpnHelper> ecrist: Error: "keepalive" is not a valid command.
20:21 < krzie> !man
20:21 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
20:21 < ecrist> dazo - did you ever write a parser for !man?
20:21 < krzie> ooo that would be cool
20:22 < ecrist> krzie: new bot is supposed to have the manual built in
20:22 < Darkclaw66> it doesnt say if I need to use it if I am using tcp or udp
20:22 -!- richardrowe [n=richard@124-169-20-69.dyn.iinet.net.au] has joined ##openvpn
20:22 < ecrist> dazo said he's write the parser (daily update from web) and we could just refernce !man <section>
20:22 < ecrist> I write the bot part, he write the parser
20:22 < krzie> thats cool
20:23 < krzie> Darkclaw66 ya jkeep it
20:23 < krzie> --ping n
20:23 < krzie>     Ping remote over the TCP/UDP control channel if no packets have been sent for at least n seconds
20:23 < Darkclaw66> do you recommend using ping and ping-exit over keepalive?
20:23 < krzie> nope, i dont
20:24 < krzie> but you can, depends on your needs
20:24 < krzie> youd rather have ping-exit than ping-restart?
20:24 -!- STF is now known as Guest23089
20:25 < richardrowe> Hi, I'm new to OpenVPN and looking to setup a VPN where I have a host machine that will send requests (through SSL) to client machines, the client machines are in different locations (not in a LAN). Can this be done with OpenVPN? If so, is a routed or bridged setup preferred (completely new to OpenVPN/VPNs)
20:25 < ecrist> I think it does
20:25 < krzie> richardrowe what do you mean by "requests"?
20:26 < ecrist> doh, I'm responding to mailing list messages in irc
20:26  * ecrist gives up
20:26 < krzie> lol
20:26 < krzie> you can tell when im answering messages on the maillist, i sit here pasting vpnhelper commands to my mail client
20:27 < krzie> haha
20:27 < Darkclaw66> keepalive is basically a combination of ping and ping restart
20:27 < krzie> Darkclaw66 correct
20:27 < krzie> you asked about ping-exit
20:27 < Darkclaw66> sorry I didnt mean it to sound like I was questioning you, I just realized what it means
20:28 < krzie> i didnt take it bad ;]
20:28 < richardrowe> krzie: This is probably unrelated to OpenVPN but my server machine will host a PHP interface, and the clients are voice servers. The PHP interface will interact/manage these voice servers. Really new to this, not even sure OpenVPN is what I should be looking at to do this securely.
20:29 < krzie> richardrowe could you do it if they were in the same lan?
20:29 < krzie> if so, openvpn is what you want
20:29 < krzie> if you only require layer2, you want a tun routed setup
20:29 < krzie> !sample
20:29 < richardrowe> krzie: The servers aren't in the same data center, they're in multiple different locations. Can this sitll work?
20:29 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
20:29 < krzie> richardrowe, and thats why you want openvpn =]
20:29 < krzie> !vpn
20:29 < vpnHelper> krzie: "vpn" is http://openvpn.net/index.php/documentation/faq.html#tunnel-principal
20:30 < krzie> read that
20:34 < richardrowe> krzie: Cheers. That seems (it's a little above me) like what I'm looking for
20:34 < krzie> lets put it this way
20:34 < krzie> <krzie> richardrowe could you do it if they were in the same lan?
20:34 < krzie> <krzie> if so, openvpn is what you want
20:36 < richardrowe> krzie: So if the servers are in different data centers, this is out of the question?
20:37 < krzie> umm dude
20:37 < krzie> read my question
20:37 < krzie> hypothetically, if they were NOT in different datacanters, could you accomplish your goal?
20:38 < krzie> (please answer)
20:38 < krzie> if they were in the same DC, could you accomplish your goal?
20:39 < richardrowe> krzie: I've got no experience in networks. I thought if they're in same data center, that's a LAN (if they're directly connected), else it would be considered a WAN? I really know nothing of networks.
20:39 < krzie> omfg
20:39 < krzie> you dont need to know networks to answer my question
20:40 < krzie> IF they were in the same lan, could you accomplish your goal?
20:40 < richardrowe> krzie: Ok, not without a VPN , SSH tunnel or something to secure the connection. It's still insecure locally
20:40 < krzie> holy shit
20:40 < krzie> IF THEY WERE IN THE SAME LAN
20:40 -!- STF__ [n=chatzill@20-130.stw.uni-duisburg.de] has joined ##openvpn
20:40 < krzie> i suggest hiring someone to setup your network, lol
20:40 -!- Guest59860 [n=STF@20-130.stw.uni-duisburg.de] has joined ##openvpn
20:41 < krzie> and yes, openvpn is likely what that person would need
20:41 -!- Guest23089 [n=chatzill@dslb-084-061-176-150.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)]
20:41 -!- STF__ [n=chatzill@20-130.stw.uni-duisburg.de] has quit [Client Quit]
20:41 -!- richardrowe [n=richard@124-169-20-69.dyn.iinet.net.au] has quit ["Lost terminal"]
20:41 < rob0> On the upside, openvpn is a great way to teach yourself networking.
20:41 < krzie> that was bad
20:42 < rob0> unless your IRC client loses its terminal.
20:42 < krzie> rob0, not if you cant answer simple non technical questions
20:44 < krzie> ahh he was .au, i prolly woulda been more patient in voice, i love .au accent
20:44 < krzie> lol
20:44 < rob0> No, really, staying out of IRC is best for people like that. When I was in that situation, I just played around with things and read documentation. Asking silly questions gets them nowhere.
20:44 < krzie> its almost impossible to get impatient with an aussie in voice
20:45 < krzie> "I just played around with things and read documentation."
20:45 < krzie> thats why you rock ;]
20:45 < rob0> haha, thanks
20:49 -!- Optic_ is now known as Optic
20:53 < WormFood> hahaha krzie, I just read your "conversation" with richardrowe....classic....he is too stupid to be on the internet.
20:53 < krzie> lol
20:54 < Darkclaw66> openvpn is seriously the best and easy solution
20:55 < theDoc> People are stupid ;(
20:55 < theDoc> !topic
20:55 < vpnHelper> theDoc: Error: "topic" is not a valid command.
21:27 -!- Mtn_Bkng_Dave [i=whome@12.50.124.47] has joined ##openvpn
21:28 < Mtn_Bkng_Dave> here Bushmills?
21:28 < Mtn_Bkng_Dave> or krzie
21:29 < Mtn_Bkng_Dave> or anybody else that can help
21:31 < theDoc> Maybe, what is it about?
21:31 < Mtn_Bkng_Dave> trying to setup a route between networks
21:31 < Mtn_Bkng_Dave> i can see from server to client
21:31 < Mtn_Bkng_Dave> but not from client to server
21:34 < Mtn_Bkng_Dave> can ya take a look?
21:34 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
21:34 < Mtn_Bkng_Dave> hey krzee
21:35 < krzee> [16:23]  <Mtn_Bkng_Dave> here krzee?
21:35 < krzee> [16:29]  <reiffert> krzee is gone, he left us yesterday.
21:35 < krzee> [16:30]  <Mtn_Bkng_Dave> huh?
21:35 < krzee> [16:30]  <reiffert> believe it or not.
21:36 < krzee> [16:30]  <Mtn_Bkng_Dave> as in permenantly?
21:36 < krzee> [16:31]  <reiffert> did he respond to your question yet?
21:36 < krzee> [16:31]  <Mtn_Bkng_Dave> no actually
21:36 < krzee> [16:31]  <Mtn_Bkng_Dave> so is he gone for good?
21:36 < krzee> [16:32]  <Mtn_Bkng_Dave> or just on vacation
21:36 < Mtn_Bkng_Dave> lol
21:36 < krzee> [16:32]  <Mtn_Bkng_Dave> LOL
21:36 < krzee> [16:33]  <reiffert> I'd ask Bushmills, he probably knows more.
21:36 < krzee> LOL
21:36 < krzee> i just saw that
21:36 < krzee> well played reif
21:36 < krzee> sup dave
21:36 < Mtn_Bkng_Dave> not much
21:36 < Mtn_Bkng_Dave> still fighting my network
21:36 < krzee> omg still?>
21:36 < Mtn_Bkng_Dave> yeah had issues with the appliance
21:36 < krzee> you must be trying for a record ;]
21:37 < Mtn_Bkng_Dave> nvram had no room for client1 file
21:37 < Mtn_Bkng_Dave> ive got the server client working
21:37 < Mtn_Bkng_Dave> can see the server
21:37 < Mtn_Bkng_Dave> but still not the client from server side
21:37 < Mtn_Bkng_Dave> thought i finally had it
21:37 < krzee> thats a good reason to not just ask for me but instead ask the question, reif knows much more than me about those hacked up linksys routers iirc
21:38 < krzee> and he was there at 16:30 when you were asking for me
21:38 < krzee> lol
21:38 < Mtn_Bkng_Dave> yeah i got busy at work
21:38 < Mtn_Bkng_Dave> didnt get a chance to talk to him
21:38 < krzee> unless of course you just wanted to say hi to me ;]
21:38 < Mtn_Bkng_Dave> well that too
21:38 < Mtn_Bkng_Dave> LOL
21:38 < Mtn_Bkng_Dave> grrrrrrrrrrr
21:38 < Mtn_Bkng_Dave> now my script isnt working
21:39 < Mtn_Bkng_Dave> this thing blows away stuff on startup
21:39 < Mtn_Bkng_Dave> and it does it after the startup script LOL
21:40 < Mtn_Bkng_Dave> i wonder if you can script stuff in server.conf
21:40 < krzee> negative
21:40 < krzee> but server.conf can call scripts
21:40 < Mtn_Bkng_Dave> yeah that would be great if i had some user ram to put it on
21:40 < Mtn_Bkng_Dave> LOL
21:40 < Mtn_Bkng_Dave> hence the issue
21:40 < krzee> *shrug*
21:41 < krzee> more of a question for people that make or support your router's firmware
21:41 < Mtn_Bkng_Dave> yeah they snooze alot
21:41 < krzee> #openwrt i believe
21:41 < Mtn_Bkng_Dave> #dd-wrt
21:41 < krzee> werd
21:41 < krzee> well thats where you get help with the non-openvpn side
21:41 < krzee> which is what you're talkin bout
21:42 < Mtn_Bkng_Dave> what are the drawbacks to no iroute?
21:42 < Mtn_Bkng_Dave> will that cause my problem?
21:42 < krzee> there is no openvpn solution for "my router is deleting stuff" or "theres no room for my files on my router"
21:42 < krzee> there are no drawbacks persay
21:42 < krzee> !iroute
21:42 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
21:43 < krzee> its just a route, internal to the openvpn process, not to be confused with ANYTHING to do with the routing table of your system
21:43 < Mtn_Bkng_Dave> so i should be able to see my client then without it?
21:43 < krzee> by vpn ip, sure
21:43 < krzee> just nothing to do with its LAN
21:44 < Mtn_Bkng_Dave> so how do i see its lan?
21:44 < krzee> as seen in my !route document, you know when you need it because of the MULTI error you get without it when a source ip of foreign network comes over the VPN
21:44 < krzee> by adding a route to the server, iroute to the ccd entry for that client, and route to the clients router to get back to vpn subnet
21:45 < krzee> all explained in this:
21:45 < krzee> !route
21:45 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
21:45 < Mtn_Bkng_Dave> i read it
21:45 < Mtn_Bkng_Dave> and havent seen the error
21:47 < Mtn_Bkng_Dave> whats that paste site again krzee?
21:49 < Mtn_Bkng_Dave> http://pastebin.com/d4b819e31
21:49 < Mtn_Bkng_Dave> thats my server.conf
21:49 < Mtn_Bkng_Dave> can ya take a look?
21:50 < Mtn_Bkng_Dave> .64.0 is server lan .65.0 is client lan .66.0 is openvpn lan
21:51 < krzee> first, go read my routing doc 3 times just for not being sure of your setup!
21:51 < krzee> and your config is fine, assuming no extra clients
21:52 < krzee> ild push both LANs (as seen in !route)
21:52 < Mtn_Bkng_Dave> i did
21:52 < Mtn_Bkng_Dave> oh wait
21:52 < Mtn_Bkng_Dave> that was earlier
21:53 < Mtn_Bkng_Dave> deleted it
21:53 < Mtn_Bkng_Dave> lemme try that......
21:53 < krzee> it wont change anythin
21:53 < krzee> but not everything is solved in server.conf
21:53 < krzee> go read my doc a couple times like i said
21:53 < krzee> understand whats going on
21:53 < krzee> THEN you can figure out whats not working
21:54 < Mtn_Bkng_Dave> well if you say i cant see the client side lan then its working
21:54 -!- |STF| [n=STF@dslb-084-061-153-053.pools.arcor-ip.net] has joined ##openvpn
21:54 < Mtn_Bkng_Dave> the client can see the server lan
21:54 < krzee> is the router vpn side on the client?
21:54 < krzee> the dd-wrt
21:54 < Mtn_Bkng_Dave> both ends
21:54 < Mtn_Bkng_Dave> client and server
21:55 < krzee> ok so then all thats left is the iroute
21:55 < krzee> !ccd
21:55 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
21:55 < krzee> !iroute
21:55 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
21:55 < Mtn_Bkng_Dave> thats what i was askin
21:55 < krzee> when you watch server log, and client logs in, you'll see the iroute used
21:55 < Mtn_Bkng_Dave> ok
21:55 < Mtn_Bkng_Dave> the log looked good
21:55 < krzee> well its answered in the doc i keep telling you to read
21:55 < Mtn_Bkng_Dave> everything seemed to be working
21:55 < krzee> it says its reading the IROUTE in the log?
21:55 < Mtn_Bkng_Dave> just never saw the error you were referring to
21:56 < krzee> it says its reading the IROUTE in the log?
21:56 < krzee> youd only see that error if a client lan machine tried to reach something on the server side of vpn
21:56 < Mtn_Bkng_Dave> no im still fighting to find a place to script it to that doesnt overwrite on boot
21:57 < Mtn_Bkng_Dave> i can only put it in a startup script
21:57 < krzee> whats the script do?
21:57 < krzee> start openvpn?
21:57 < Mtn_Bkng_Dave> creates the client1 file with the iroute statement
21:57 < krzee> oh and server side?
21:57 < krzee> err
21:57 < krzee> on server side?*
21:57 < Mtn_Bkng_Dave> yes
21:57 < krzee> gotchya
21:57 < Mtn_Bkng_Dave> im trying to put it on the server side dd-wrt
21:57 < krzee> you know you can put it ANYWHERE
21:58 < Mtn_Bkng_Dave> yeah but the nvram gets wiped and recreated
21:58 < krzee> as long as you set the ccd dir accordingly
21:58 < Mtn_Bkng_Dave> some of it after the startup script
21:58 < krzee> it must have somewhere solid state you can access?
21:58 < Mtn_Bkng_Dave> openvpn took up all the room on the nvram
21:58 < Mtn_Bkng_Dave> i cant mount or anything
21:58 < krzee> find something you can delete
21:59 < Mtn_Bkng_Dave> gonna try the jffs folder
21:59 < krzee> you wont be using pptp, see if thats there to delete, BACKUP ANYTHING  FIRST
21:59 < Mtn_Bkng_Dave> i may can stick it there
21:59 < Mtn_Bkng_Dave> its all in the way it boots
21:59 < Mtn_Bkng_Dave> i think it blows everything away 
22:00 < Mtn_Bkng_Dave> and recreates everything from scratch
22:00 < Mtn_Bkng_Dave> openvpn is in the /tmp directory
22:00 < Mtn_Bkng_Dave> i think /tmp is all volitale
22:00 < Mtn_Bkng_Dave> this thing is a PITA
22:00 < Mtn_Bkng_Dave> LOL
22:01 < Mtn_Bkng_Dave> i worked 2 days on trying to mount a cifs driveshare from my server
22:01 < Mtn_Bkng_Dave> they stripped cifs and jffs support in leiu of openvpn
22:01 < Mtn_Bkng_Dave> LOL
22:02 < Mtn_Bkng_Dave> that little tidbit was buried off in an obscure wiki on dd-wrt LOL
22:03 < krzee> (also the place to be looking for info re: current problem)
22:03 < krzee> here you'll find openvpn help
22:04 < Mtn_Bkng_Dave> you answered my question
22:04 < Mtn_Bkng_Dave> i was just chatting
22:04 < Mtn_Bkng_Dave> sorry
22:06 < krzee> oh my bad
22:06 < krzee> lol
22:06 < Mtn_Bkng_Dave> about to test it now
22:06 < Mtn_Bkng_Dave> just made the changes
22:12 -!- Guest59860 [n=STF@20-130.stw.uni-duisburg.de] has quit [Read error: 110 (Connection timed out)]
22:22 < Mtn_Bkng_Dave> ok finally krzee
22:22 < Mtn_Bkng_Dave> it says "read client specific options from /tmp/ccd/client1
22:23 < Mtn_Bkng_Dave> finally found a place to put it
22:23 < Mtn_Bkng_Dave> LOL
22:24 < Mtn_Bkng_Dave> sweeeeeeeet
22:24 < Mtn_Bkng_Dave> that fixed it
22:30 -!- |STF| [n=STF@dslb-084-061-153-053.pools.arcor-ip.net] has quit [Client Quit]
22:31 < Mtn_Bkng_Dave> ok this is cool
22:31 < Mtn_Bkng_Dave> its "learning" all the network computers as we connect to them
22:35 < Mtn_Bkng_Dave> now i just gotta make a hole in the firewall for it
22:40 < krzee> =]
22:45 < Mtn_Bkng_Dave> well that killed it
22:45 < Mtn_Bkng_Dave> LOL
22:47 < Mtn_Bkng_Dave> ok question krzee
22:48 < Mtn_Bkng_Dave> the client sees everthing as coming from the openvpn network correct?
22:53 < krzee> nope
22:53 < krzee> gets it over openvpn, sees src ip of whatever machine it talks to
22:55 < Mtn_Bkng_Dave> ok so i should open the firewall to the server lan on the client side and vice versa
22:56 < krzee> you can blindly allow the tun device if you trust both lans
22:56 < Mtn_Bkng_Dave> the server doesnt seem to have an issue with not having an entry for the client side
22:56 < krzee> otherwise firewall it as you like
22:56 < krzee> hey if its working its working
22:56 < Mtn_Bkng_Dave> well it works till i enable the client firewall LOL
22:57 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
22:57 < krzee> !linfw
22:57 < vpnHelper> krzee: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
22:57 < krzee> err
22:57 < krzee> for tun device
22:59 < Darkclaw66> you know whats silly? I am on the LAN that has openvpn and samba and when I open files locally through it, it's extremely slow, that's pretty pathetic
23:00 < Darkclaw66> I'd expect it to be slow through the WAN but im on the LAN
23:00 < krzee> still using tcp?
23:01 < Darkclaw66> yep
23:01 < krzee> if so try searching manual for the command to have no queue for tcp
23:01 < krzee> might be tcp-noqueue or something
23:01 < Darkclaw66> but its just with samba, everything else is fast
23:04 < Darkclaw66> I'll change it to UDP and see if it makes a difference
23:06 < Darkclaw66> yeah its TCP
23:06 < Darkclaw66> theres NO lag with udp
23:06 < Darkclaw66> krzee can I have openvpn use both tcp and udp?
23:07 < Darkclaw66> udp for speed and tcp for reliability
23:07 < krzee> 2 different openvpn processes with different configs
23:07 < Darkclaw66> not good
23:08 < Darkclaw66> man if they would make it to use both protocols that would be the best
23:08 < Darkclaw66> surprised they didnt do it
23:08 < krzee> try turning off the queueing for tcp
23:08 < krzee> its in the manual
23:08 < Darkclaw66> k i'll try
23:09 < krzee> and re: what you said
23:09 < krzee> !wishlist
23:09 < vpnHelper> krzee: "wishlist" is http://ovpnforum.com/viewforum.php?f=10 for the openvpn wishlist
23:09 < krzee> i already have it on there
23:09 < Darkclaw66> :)
23:09 < rob0> A pony. I want a pony!!
23:09 < krzee> http://ovpnforum.com/viewtopic.php?f=10&t=383&sid=4334f3bb1db5dbae4c439ee3692633ae
23:09 < vpnHelper> Title: OpenVPN Forum View topic - bind to multiple ports (at ovpnforum.com)
23:09 < Mtn_Bkng_Dave> i want an 8ball and a hooker
23:09 < Darkclaw66> are you referrng to tcp-queue?
23:10 < krzee> yes
23:10 < krzee> theres a way to turn it off
23:10 < Darkclaw66> are you recommending to put it at 0?
23:10 < krzee> give it a shot
23:12 < krzee> or maybe its --tcp-nodelay
23:13 < Darkclaw66> hmm im not seeing that in the manual
23:14 < Darkclaw66> I need to try to make this udp work but if the company's firewall is goofing it up, there really is no way around with keeping the connection from disconnecting right?
23:15 < Darkclaw66> like right now im connected using udp and its working quite perfectly
23:15 < Darkclaw66> but when I am connected using the company's connection, that's when I get disconnected every 2 mins
23:22 < Darkclaw66> I'll try using udp at work tomorrow and see if I still have problems. If I do, I'll copy the error messages and see if its something that can be addressed
23:23 -!- Mtn_Bkng_Dave [i=whome@12.50.124.47] has quit []
23:25 < Darkclaw66> good night
23:25 -!- Darkclaw66 [n=fortness@unaffiliated/darkclaw66] has quit []
23:27 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
23:28 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
23:30 -!- Mtn_Bkng_Dave [i=whome@12.50.124.47] has joined ##openvpn
23:31 -!- Mtn_Bkng_Dave [i=whome@12.50.124.47] has quit [Client Quit]
23:32 -!- Mtn_Bkng_Dave [i=whome@12.50.124.47] has joined ##openvpn
23:34 < Mtn_Bkng_Dave> ok krzee
23:34 < Mtn_Bkng_Dave> thanks for the help
23:35 < Mtn_Bkng_Dave> shes working beautifully now
23:36 < Mtn_Bkng_Dave> krzee any known conflicts with running ptpp with open vpn?
23:36 < Mtn_Bkng_Dave> the server?
23:37 < krzee> dunno anything bout pptp
23:37 < Mtn_Bkng_Dave> it seems to be working
23:37 < Mtn_Bkng_Dave> i run it as well
23:37 < Mtn_Bkng_Dave> so i can hit it from systems without openvpn
23:44 < krzee> !pptp
23:44 < vpnHelper> krzee: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
23:44 < vpnHelper> krzee: read about why to not use pptp
23:50 -!- Dave1965 [n=whome@c-24-99-232-29.hsd1.ga.comcast.net] has joined ##openvpn
23:51 -!- Dave1965 [n=whome@c-24-99-232-29.hsd1.ga.comcast.net] has quit [Client Quit]
23:51 -!- Mtn_Bkng_Dave [i=whome@12.50.124.47] has quit [Read error: 104 (Connection reset by peer)]
23:55 -!- Mtn_Bkng_Dave [i=whome@12.50.124.47] has joined ##openvpn
23:56 < Mtn_Bkng_Dave> !welcome
23:56 < vpnHelper> Mtn_Bkng_Dave: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:57 < Mtn_Bkng_Dave> !redirect
23:57 < vpnHelper> Mtn_Bkng_Dave: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
23:57 < Mtn_Bkng_Dave> !/30
23:57 < vpnHelper> Mtn_Bkng_Dave: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
23:58 < Mtn_Bkng_Dave> !topology
23:58 < vpnHelper> Mtn_Bkng_Dave: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
--- Day changed Wed Jan 27 2010
00:04 -!- WormFood [n=wormfood@121.35.52.116] has quit [Read error: 54 (Connection reset by peer)]
00:10 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
00:17 -!- Mtn_Bkng_Dave [i=whome@12.50.124.47] has quit []
00:28 -!- error404notfound [n=Eror404@119.153.58.9] has joined ##openvpn
00:29 < error404notfound> i gave someone access to my vpn(which is over ssl), and now that i want to block him. Unfortunately his certificates will still hold for the next 30 days. can i do this any other way around?
00:31 < rob0> CRL
00:31 < error404notfound> crl?
00:32 < rob0> --crl-verify (you revoke the cert) or --disable
00:33 -!- WormFood [n=wormfood@119.136.226.99] has joined ##openvpn
00:33 < error404notfound> hmmm, okay, lemme google on that for details...
00:33 < error404notfound> thanks :)
00:33 < rob0> um, they're both in the man page
00:33 < rob0> yw
00:34 < error404notfound> hmmm, thanks again :)
00:36 < error404notfound> so i all need is to find his .crt file and do force revocation, easy :)
00:42 < rob0> there are, of course, lots of other possibilities. I use a ccd and --ccd-exclusive, so all I'd have to do is delete the file in the ccd.
00:45 < error404notfound> rob0, ahan, that seems easier :P
00:46 < error404notfound> easy-rsa has list-crl and revoke-full scripts, seems nice to me because i initially used easy-rsa for all certificate generation
00:51 < error404notfound> btw if i enable tls-auth, do i need to add same to clients? have been thinking for sometime to enable it.
01:04 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Connection timed out]
01:05 -!- WormFood [n=wormfood@119.136.226.99] has quit [Read error: 60 (Operation timed out)]
01:12 -!- dunc [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit ["Leaving"]
01:19 < krzee> !tls-auth
01:19 < vpnHelper> krzee: "tls-auth" is The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. see !secure for how
01:19 < krzee> !secure
01:19 < vpnHelper> krzee: "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
01:19 < krzee> hrm
01:19 < krzee> !hmac
01:19 < vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
01:19 < vpnHelper> krzee: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
01:19 < krzee> !forget tls-auth
01:19 < vpnHelper> krzee: Joo got it.
01:20 < krzee> !learn tls-auth as [!hmac]
01:20 < vpnHelper> krzee: Error: "!hmac" is not a valid command.
01:20 < krzee> !learn tls-auth as [hmac]
01:20 < vpnHelper> krzee: Joo got it.
01:23 -!- error404notfound [n=Eror404@119.153.58.9] has quit ["User guilty of hitting the Big Red X"]
01:26 -!- WormFood [n=wormfood@58.60.223.122] has joined ##openvpn
02:01 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
02:01 -!- mode/##openvpn [+o mattock] by ChanServ
02:03 < krzee> sup mattock 
02:04 <@mattock> krzee: great!
02:04 <@mattock> and you?
02:05 < krzee> doing well
02:05 <@mattock> what do you think about a weekly, informal developer meeting on thursdays at 19:00 UTC?
02:06 <@mattock> I talked with James yesterday and he and I though that'd be best time
02:06 < krzee> im not much of a dev but ild be there as long as i dont have jiu jitsi
02:06 < krzee> throw this at him sometime if you get a chance tho
02:06 < krzee> !wishlist
02:06 < vpnHelper> krzee: "wishlist" is http://ovpnforum.com/viewforum.php?f=10 for the openvpn wishlist
02:07 <@mattock> will do. We'll starting to build the community site on thursday
02:08 <@mattock> we can include those in the feature requests in trac
02:08 < krzee> ahh cool
02:09 -!- mikey [n=mikey@unaffiliated/mikey] has left ##openvpn []
02:13 <@mattock> krzee: I think you should attend the developer meetings... I think they'll be more like "community meetings with james" - at first at least
02:13 < krzee> sounds good
02:14 < krzee> i should be there this week, then ill be traveling for around 5 weeks
02:18 <@mattock> ok, I'll send mail to the devel list today...
02:18 -!- Ozux [n=lacin@91.99.6.111] has joined ##openvpn
02:21 < Ozux> HI, I'm migrating from PPTP and IPSec to OpenVPN, Now I'm connected to VPN server, I added push "redirect-gateway  def1" to server, but there is no traffic going from VPN Tunnel any body can help me?
02:22 < Ozux> Also I had ppp interface for PPTP with IP address, but for OpenVPN there is no thing like it, is it true?
02:22 < Ozux> I use TU (Routing mode)
02:22 < krzee> i cant speak on anything in relation to pptp
02:22 < krzee> however,
02:22 < krzee> !goal
02:22 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
02:25 < Bushmills> Ozux: check client route, that it indeed as a default route to vpn device added
02:26 < krzee> im guessing that if that is his goal, he doesnt have nat or ip forwarding enabled
02:26 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:26 < Bushmills> the openvpn device for routing is tun, not ppp
02:26 < Bushmills> moiners, krzee. that's quite likely, actually
02:27 < krzee> moinmoin
02:27 < Bushmills> i sometimes take too literal what people say 
02:27 < Bushmills> "no traffic" i understand as "no traffic" - not even attempted traffic
02:27 < Bushmills> oh, had my flask filled with absinth yesterday :D
02:27 < krzee> if only everyone dove for the packet sniffers ;]
02:27 < krzee> mmmm
02:28 < krzee> howd ya like?
02:28 < Bushmills> nice drop i got me.
02:28 < Bushmills> better than the one i had before
02:28 < Bushmills> (previously it was bottled. this came from vat)
02:28 < krzee> ooo im jealous!
02:29 < Bushmills> you'll get your chance
02:30 < Bushmills> oh, did you read about that taiwanese whisky which was elected as #1 whisky bx a scottish tester panel during a blind degustation?
02:30 < krzee> lol no
02:31 < Bushmills> i actually tried to get some of that stuff, but the shop hasn't heard of that yet
02:31 < krzee> !google taiwanese whisky
02:31 < vpnHelper> krzee: Taiwan whisky beats Scotch in blind taste test - Telegraph: <http://www.telegraph.co.uk/expat/expatnews/7071737/Taiwan-whisky-beats-Scotch-in-blind-taste-test.html>; Taiwan whisky makes name for itself in Scotland - Taiwan News Online: <http://www.etaiwannews.com/etn/news_content.php?id=1164878&lang=eng_news&cate_img=logo_taiwan&cate_rss=TAIWAN_eng>; Taiwan whisky beats Scotch in blind
02:31 < vpnHelper> krzee: taste test, says report ...: <http://www.etaiwannews.com/etn/news_content.php?id=1164482&lang=eng_news&cate_img=49.jpg&cate_rss=news_Society>
02:31 < Bushmills> so i went for the absinth instead :)
02:36 < krzee> nice
02:41 < Ozux> Sorry guys, had to handle a phone ... OK .... vpnHelper  I would like to access the internet over my VPN, Actually we have OpenVPN server on HeadOffice and all Users have to connect that Server to access Internet 
02:41 < vpnHelper> New forum entry openvpnforum: Configuration :: Re: Reporting scripts :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=6&t=375&p=2951#p2951>
02:42 < Bushmills> Ozux: http://scarydevilmonastery.net/masq  server side done?
02:42 < Ozux> Bushmills: I think there is nothing wrong with taking literal ;)
02:42 < Bushmills> ah. ok then back to client route
02:42 < krzee> !redirect
02:42 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
02:43 < Ozux> Bushmills:  yes server side is done
02:44 < Ozux> Bushmills: Now there is a PPTP server (Linux poptopd) and internet shared!
02:44 < krzee> !pptp
02:44 < vpnHelper> krzee: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
02:44 < vpnHelper> krzee: read about why to not use pptp
02:45 < Bushmills> !notopenvpn
02:45 < vpnHelper> Bushmills: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
02:45 < Ozux> krzee: We know alrady, that's reason we are migrating 560 user to OpenVPN
02:45 < krzee> Bushmills, ?
02:46 < Ozux> krzee:  But I have to use pptp  for Devices (Network Appliances) that don't support OpenVPN 
02:46 < krzee> Ozux, does the server have NAT setup for the ovpn subnet?
02:46 < Bushmills> well, if you have to you have to
02:48 < Ozux> krzee:  NAT setup, may be I can't understand you,  Serever has 2 Public IP Address set on eth0/eth01  just this, To provide access to internet from old PPTP way I set MASQUERADE rule for IPTABLES, is it what you refer as NAT?
02:49 < krzee> !linnat
02:49 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
02:49 < krzee> you have a new subnet for openvpn
02:50 < krzee> NAT aka MASQUERADE that subnet
02:50 < krzee> also, you will need this:
02:50 < krzee> !topology
02:50 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
02:50 < krzee> you have too many users to be using a /30 for each user
02:53 -!- mgolisch [n=michi@85.93.11.18] has quit [Read error: 60 (Operation timed out)]
02:53 -!- Cap_J_L_Picard [n=ewanm89@unaffiliated/ewanm89] has quit [Read error: 60 (Operation timed out)]
02:53 -!- Rienzilha [i=rien@sinas.rename-it.nl] has quit [Read error: 60 (Operation timed out)]
02:53 -!- balboah [n=johnny@joonix.se] has quit [Read error: 60 (Operation timed out)]
02:54 < Ozux> krzee: Now it's just me, In fact I'm testing to find a best solution,  and some thing else, 560 users are devided to 10 branch office and a central office and 3 server rooms, so I don't have to dedicate IP to all of them, I mean I'll do it on routers etc..... 
02:54 < krzee> oh ok thats easy
02:54 < krzee> then you need this:
02:54 < Bushmills> will there be many users connected at the same time?
02:54 < krzee> !route
02:54 < Ozux> Yes
02:54 -!- Rienzilla [i=rien@sinas.rename-it.nl] has joined ##openvpn
02:54 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: havoc, @openvpn2009, jww
02:54  * krzee kicks vpnHelper 
02:54 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:54 < Bushmills> will traffic per user be considerable?
02:54 < Ozux> Bushmills: All af them connecting from 8:00 to 16:00 
02:54 -!- Netsplit over, joins: @openvpn2009, havoc, jww
02:54 -!- Cap_J_L_Picard [n=ewanm89@unaffiliated/ewanm89] has joined ##openvpn
02:54 -!- balboah [n=johnny@joonix.se] has joined ##openvpn
02:54 -!- mgolisch [n=michi@85.93.11.18] has joined ##openvpn
02:55 < krzee> just know that all servers flow through a central server with this setup
02:55 < krzee> err
02:55 < krzee> all lans flow through a central server
02:55 -!- macsppadic [n=sonupunn@82.109.74.162] has joined ##openvpn
02:55 < krzee> there is not direct connections between clients with openvpn
02:55 < Ozux> Yes, after that this server will decide based on lots of policies that traffic will go where any how ....
02:55 < Bushmills> will encryption be enabled for all users?
02:56 < krzee> Ozux, cool
02:56 < Ozux> Bushmills:  Yes, how? It will be overloading proccess?
02:56 < krzee> Bushmills, he means there will be a lot of users on the lan
02:56 < krzee> 10 lans
02:56 < krzee> so in reality 1 server and 9 clients
02:56 < Ozux> Bushmills:  We have IBM x3250 for PPTP with MPPE and it works .. works some how infact
02:57 < Bushmills> >500 encrypted users on one server, which is default gateway may stretch its performance a bit
02:57 < krzee> Ozux, you only need a single vpn client per network
02:57 < Ozux> kreg:  14 clients, 10 Branch+1Local+3ServerRoom
02:57 < krzee> oh good point, i forgot we're using redirect
02:58 < hyper_ch> krzee: if you have two clients in the same openvpn network and they want to exchange data.... then all the data goes through the server first?
02:58 < Bushmills> oh. 14 client should be fine
02:58 < krzee> hyper_ch, correct
02:58 < krzee> Bushmills, you're still right about BW, but i guess if they do it now they must have that under control
02:59 < krzee> Ozux, do you want lans communicating as well?
02:59 < hyper_ch> krzee: oh.... I thought the server is just needed for outgoing traffic and for establishing the network... but once the network is established the traffic goes directly between the openvpned clients 
02:59 < krzee> hyper_ch, nope
02:59 < Ozux> Bushmills: traffic will not be some thing like VOIP or Video even ISO files and that's just html,css, some thing like that I hope we will not face problem! but in fact I preapred a IBM HS20 server for feature 
03:00 < krzee> although i have a complicated suggestion in the wishlist about doing that
03:00 < hyper_ch> krzee: that's a little pity
03:00 < Ozux> krzee:  Yes they are communicating 
03:00 < krzee> Ozux, already are using openvpn?
03:00 < Ozux> hyper_ch: Yeah, that's a point... mmmm
03:01 < hyper_ch> well, for me it does not matter... but when there are more users and everything goes through the server it can put quite some pressure on it :)
03:01 < Ozux> Bushmills:  14Clients with almost 20Mbps for each I mean it's not a huge traffic amount
03:01 < Bushmills> hyper_ch: if clients are firewalled - how could one client reach another?
03:01 < krzee> Ozux, thats what i was telling you above, <krzee> all lans flow through a central server   <krzee> there is not direct connections between clients with openvpn
03:01 < krzee> Ozux, and the server has a big enough pipe for that?
03:01 < hyper_ch> Bushmills: by the use of magic :)
03:02 < krzee> 14 clients trying to use their 20mbit while server is on 20mbit will slow things down a bit
03:02 < Ozux> krzee:  No just PPTP and IPSec just for servers and server rooms (via Cisco )
03:02 < Bushmills> but by invoking magic, we don't need openvpn anymore
03:02 < krzee> Ozux, ok lets stick to the openvpn stuff
03:02 < hyper_ch> Bushmills: # Any sufficiently advanced technology is indistinguishable from magic.
03:02 < krzee> Ozux, im asking if you want your openvpn setup to have lans communicating over openvpn
03:03 < krzee> as well as the redirect stuff
03:03 < Ozux> krzee:  In fact no, 
03:03 < krzee> ok, so just redirect
03:03 < Ozux> krzee: but with our design they have!
03:03 < krzee> you need to MASQUERADE every source address
03:04 < krzee> so all client lans, and the vpn subnet
03:04 < Bushmills> hyper_ch: if there'S sufficiently advanced firewall piercing technology to allow openvpn clients to talk directly to each other even when firewalled, there'll be an update to firewall software within foreseeable time, aiming to prevent that.
03:04 < Ozux> krzee: I mean Our network designed ina way every thing going direct to VPN server
03:04 < krzee> if you are doing this on routers, thats all
03:05 < hyper_ch> Bushmills: oh well, I have no real clue about things and stuff :)
03:05 < krzee> otherwise, the lan must use the local vpn node as its default gateway, and the local vpn node needs ip forwarding turned on
03:05 < Ozux> dudes,  I have to cache incident, thanks for sharing ideas and will bother you very soon ;)  BRB, 
03:06 < krzee> ok well save what i just said
03:06 < krzee> cause its all you should need
03:08 -!- master_of_master [i=master_o@p57B5616D.dip.t-dialin.net] has joined ##openvpn
03:10 < Bushmills> krzee, you recently asked about general level of english spoken in germany. here's a sample of german representatives: 
03:11 < Bushmills> !google oettinger speaking english video
03:11 < vpnHelper> Bushmills: Günther Oettinger speaking English/Die deutsche Stimme in Brüssel ...: <http://transblawg.eu/index.php?/archives/3652-Guenther-Oettinger-speaking-EnglishDie-deutsche-Stimme-in-Bruessel.html>; Transblawg: <http://transblawg.eu/>; Viral Video Chart - Oettinger Talking English - Worse than Westerwave:
03:11 < vpnHelper> Bushmills: <http://viralvideochart.unrulymedia.com/youtube/oettinger_talking_english__worse_than_westerwave?id=OXPPu418C78>
03:20 -!- master_o1_master [n=master_o@p57B57414.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
03:23 < Bushmills> zenk yoo for your kind eddengion
03:24 < hyper_ch> Westerwave :)
03:29 -!- Ozux [n=lacin@91.99.6.111] has quit []
03:34 < krzee> hyper_ch, 
03:34 < krzee> i just saw your forum post
03:34 < krzee> still having the problem?
03:34 < krzee> oh actually nm, you have to be
03:35 < krzee> you cant be reachable over the inet from arbitrary hosts on the net
03:35 < krzee> you could add a route for certain hosts to bypass the vpn
03:35 < krzee> thats what redirect-gateway does
03:41 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: MULTI: new incoming connection would exceed maximum number o :: ... <http://www.ovpnforum.com/viewtopic.php?f=4&t=2445&p=2954#p2954> || Configuration :: Re: How to block MAC request :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=6&t=2514&p=2952#p2952> || Configuration :: Re: Advice on troubleshooting possible network problem :: Reply by krzee <http://www.ovpnfo
03:49 -!- APTX [n=APTX@phpBB/developer/APTX] has quit [Read error: 110 (Connection timed out)]
03:50 -!- APTX [n=APTX@chello089076052083.chello.pl] has joined ##openvpn
03:50 -!- dunc [n=dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
04:01 < krzee> !linnat
04:01 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
04:10 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:11 < vpnHelper> New forum entry openvpnforum: Configuration :: Re: Can't SSH into a open-vpned client anymore :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=6&t=2389&p=2955#p2955> || Configuration :: Re: OpenVPN on different IP address (eth0:1) :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=6&t=2394&p=2956#p2956>
04:26 < krzee> !man
04:26 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
04:42 < vpnHelper> New forum entry openvpnforum: Configuration :: Re: TUN connection up between Centos and ASUS 520gu (Tomato VPN) :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=6&t=2480&p=2957#p2957> || Configuration :: Re: Obtain user attributes from Radius server :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=6&t=2434&p=2959#p2959> || Configuration :: Re: pushing routes to public ip blocks :: Reply by krzee <http://www.ov
04:49 < hyper_ch> krzee: that was a quick answer to that forum post ;)
04:49 < hyper_ch> krzee: but I solved it meanwhile :9
04:49 < krzee> cool
04:49 < krzee> now its answered for the guy who finds it via google ;]
04:50 < hyper_ch> by adding my "work" computer also to the vpn but using ccd and not doing redirect teh gateway :)
04:50 < hyper_ch> I should add my solution to it
04:50 < hyper_ch> but generally, what do you think of that graphic that I made?
04:50 < krzee> confused me
04:50 < krzee> its why i hadnt answered way before
04:51 < krzee> i skimmed the post tonight and it made sense
04:51 < krzee> oh wait i helped you with this in here didnt i? lol
04:51 < hyper_ch> and I put hours and hours into the graphic :(
04:51 < hyper_ch> krzee: you partially helped IIRC
04:53 < krzee> cool
05:07 < krzee> !winipforward
05:07 < vpnHelper> krzee: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
05:12 < vpnHelper> New forum entry openvpnforum: Installation Help :: Re: Issues with Open VPN Setup :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=5&t=2071&p=2961#p2961>
05:16 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
05:18 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
05:23 < krzee> !authpass
05:23 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
05:32 -!- mkulke [n=mkulke@144.41.253.148] has joined ##openvpn
05:35 < mkulke> hello, i am currently testing openvpn. so far there are good results with linux server & osx, windows clients. however there are issues with linux clients, as i get "inactivity timeouts" regulary there :/ is this a common issue or does anyone know which config could cause this?
05:37 < Bushmills> !keepalive
05:37 < vpnHelper> Bushmills: Error: "keepalive" is not a valid command.
05:37 < Bushmills> bleh
05:37 < mkulke> i figured this one too
05:39 < mkulke> but this is a server sided setting i guess
05:40 < mkulke> and i wonder why this works on mac (tunnelblick) but not on linux, tho
05:41 < mkulke> the client configs are similar (safe the if/up scripts)
05:42 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: pb with openvpn client : entering a wrong password :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=4&t=2296&p=2962#p2962> || Configuration :: Re: OpenVPN connects / disconnects every 120 sec :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=6&t=1673&p=2963#p2963>
05:43 < Bushmills> keepalive is just a config macro,  setting ping timeout, and also pushing it.
05:43 < Bushmills> !ping
05:43 < vpnHelper> pong
05:43 < Bushmills> !ping-restart
05:43 < vpnHelper> Bushmills: Error: "ping-restart" is not a valid command.
05:43 < Bushmills> bleh^2
05:43 < Bushmills> so you can still use ping and ping-restart on client
05:44 -!- fluxdude [n=fluxdude@unaffiliated/fluxdude] has joined ##openvpn
05:44 < fluxdude> is it possible to push different routes to a single client depending on who they are authenticated as?
05:44 < Bushmills> yes
05:44 < Bushmills> !ccd
05:44 < vpnHelper> Bushmills: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
05:45 < fluxdude> thanks!
05:47 < Bushmills> alternatively, specify different client configs, with custom routes added per config.
05:48 < mkulke> Bushmills: thx, but why would openvpn claim, there is 'inactivity' anyway?
05:48 < mkulke> there is actually activity
05:48 < Bushmills> no idea. you're sure that activity involves openvpn traffic?
05:49 < mkulke> hmm... good point
05:49 < Bushmills> your lady neighbour doing aerobic doesn't count
05:52 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
05:54 < mkulke> pinging the client machine w/ its vpn ip would mean traffic, right?
05:54 < Bushmills> depends on where you're pinging from
05:55 < macsppadic> mkulke: u could always check traffic going thru the tun or tap device using tcpdump 
05:55 < mkulke> yup
05:58 < mkulke> tap0 shows the ICMP packages from where i am pinging
05:59 -!- dunc [n=dunc@fenchurch.ipv6.braddon.org.uk] has quit [Read error: 110 (Connection timed out)]
06:00 < mkulke> but after a while the ping receives no reply and openvpn restarts the connection :/
06:07 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has quit ["This computer has gone to sleep"]
06:12 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: @openvpn2009, havoc, jww
06:12 -!- Netsplit over, joins: @openvpn2009, havoc, jww
06:27 < macsppadic> mkulke: what have u got for keepalive on the server side?
06:27 < macsppadic> i believe Bushmills mentioned it earlier - 
06:39 -!- Ozux [n=lacin@li90-225.members.linode.com] has joined ##openvpn
06:41 < mkulke> keepalive 10 60
07:03 < ecrist> good morning
07:13 -!- Diffen2 [n=diffen2@226.234.241.83.in-addr.dgcsystems.net] has joined ##openvpn
07:32 -!- macsppadic [n=sonupunn@82.109.74.162] has quit [Read error: 113 (No route to host)]
07:32 -!- macsppadic_ [n=sonupunn@82.109.74.162] has joined ##openvpn
07:38 -!- macsppadic_ [n=sonupunn@82.109.74.162] has quit [Read error: 104 (Connection reset by peer)]
07:38 -!- macsppadic [n=sonupunn@82.109.74.162] has joined ##openvpn
07:38 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: _trine
--- Log closed Wed Jan 27 07:38:31 2010
--- Log opened Wed Jan 27 07:38:42 2010
07:38 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
07:38 -!- Irssi: ##openvpn: Total of 75 nicks [2 ops, 0 halfops, 1 voices, 72 normal]
07:38 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
07:39 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
07:39 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
07:39 -!- Irssi: Join to ##openvpn was synced in 34 secs
07:39 -!- LowKey [i=rhel@unaffiliated/lowkey] has joined ##openvpn
07:39 -!- meepmeep [i=meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
07:40 -!- Typone [n=nnnnnnit@195.197.184.87] has joined ##openvpn
07:42 < vpnHelper> New forum entry openvpnforum: Configuration :: Re: pushing routes to public ip blocks :: Reply by bignose <http://www.ovpnforum.com/viewtopic.php?f=6&t=2443&p=2964#p2964>
07:43 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
07:47 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
07:54 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit ["Leaving."]
07:56 -!- DarkAnt [n=DarkAnt@c-24-63-224-114.hsd1.ma.comcast.net] has joined ##openvpn
08:12 < vpnHelper> New forum entry openvpnforum: Configuration :: Re: Reporting scripts :: Reply by george <http://www.ovpnforum.com/viewtopic.php?f=6&t=375&p=2965#p2965>
08:17 -!- Ozux [n=lacin@li90-225.members.linode.com] has quit []
08:21 -!- MatBoy_ [n=MatBoy@wiljewelwetenhe.xs4all.nl] has quit [Client Quit]
08:25 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:31 -!- hacim [n=micah@debian/developer/micah] has left ##openvpn []
08:44 -!- Nrg__ [i=pk@reaktio.net] has quit [Client Quit]
08:44 -!- Nrg_ [i=pk@reaktio.net] has joined ##openvpn
08:53 -!- yoshx [n=yoshx@38.115.119-80.rev.gaoland.net] has joined ##openvpn
08:53 -!- yoshx [n=yoshx@38.115.119-80.rev.gaoland.net] has quit [Read error: 104 (Connection reset by peer)]
08:54 -!- yoshx [n=yoshx@38.115.119-80.rev.gaoland.net] has joined ##openvpn
09:12 -!- ScriptFanix [i=vincent@Tuluk.riquer.fr] has quit [Read error: 101 (Network is unreachable)]
09:23 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
09:24 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
09:30 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:31 -!- chilicuil [n=sistemas@unaffiliated/chilicuil] has joined ##openvpn
09:32 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
09:41 -!- chilicuil [n=sistemas@unaffiliated/chilicuil] has quit [Read error: 54 (Connection reset by peer)]
09:42 -!- chilicuil [n=sistemas@unaffiliated/chilicuil] has joined ##openvpn
09:45 -!- macsppadic [n=sonupunn@82.109.74.162] has left ##openvpn []
10:02 -!- WormFood [n=wormfood@58.60.223.122] has quit [Read error: 54 (Connection reset by peer)]
10:25 -!- Diffen2 [n=diffen2@226.234.241.83.in-addr.dgcsystems.net] has quit ["This computer has gone to sleep"]
10:28 -!- mkulke [n=mkulke@144.41.253.148] has quit ["Verlassend"]
10:29 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:34 -!- WormFood [n=wormfood@121.15.47.11] has joined ##openvpn
10:43 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: MULTI: new incoming connection would exceed maximum number o :: ... <http://www.ovpnforum.com/viewtopic.php?f=4&t=2445&p=2958#p2958> || Server Administration :: Re: MULTI: new incoming connection would exceed maximum number o :: ... <http://www.ovpnforum.com/viewtopic.php?f=4&t=2445&p=2969#p2969> || Configuration :: Re: Reporting scripts :: Reply by Douglas <http://www.ovpn
10:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
10:46 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit ["Leaving"]
11:11 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
11:12 -!- Darkclaw66 [n=andre@unaffiliated/darkclaw66] has joined ##openvpn
11:13 < Darkclaw66> hey krzee  you here?
11:13 < vpnHelper> New forum entry openvpnforum: Configuration :: Re: Waiting for TUN/TAP interface to come up... :: Reply by Douglas <http://www.ovpnforum.com/viewtopic.php?f=6&t=2380&p=2974#p2974>
11:14 < Darkclaw66> I am at work and using udp to connect to the openvpn and I am seeing the random disconnects happen again
11:15 < Darkclaw66> here is a link to the error message
11:15 < Darkclaw66> http://pastebin.com/m1ee0a6c3
11:27 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
11:31 -!- poningru [n=poningru@dsl093-236-026.hfd1.dsl.speakeasy.net] has quit [Remote closed the connection]
11:42 < Bushmills> I suppose that openvpn is resistent against attacks with oversized packet lengths. True?
11:45 < Darkclaw66> it does have protection against that
11:47 < fluxdude> what is the dh file needed for exactly?
11:47 < fluxdude> seems my openvpn needs it but why?
11:47 < fluxdude> for randomness?
12:04 < ecrist> !dh
12:04 < vpnHelper> ecrist: "dh" is build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN
12:07 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Connection timed out]
12:08 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
12:09 < ecrist> fluxdude: that was for you
12:10 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:11 < fluxdude> ecrist: thanks.. basically it's complicated maths stuff or it's just a seed for diffie hellman?
12:11 < ecrist> it's a seed
12:11 < ecrist> but it's also complicated math stuff
12:31 < Darkclaw66> ecrist,  the vpn server and vpn client need to have firewall rules to allow them ping each other right?
12:32 < fluxdude> ecrist: thanks, gotta run...
12:34 -!- fluxdude [n=fluxdude@unaffiliated/fluxdude] has quit ["When two people dream the same dream, it ceases to be an illusion"]
12:56 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
13:11 -!- myrradin [n=username@69.172.135.242] has joined ##openvpn
14:06 < Darkclaw66> yeah im getting random disconnects
14:06 < Darkclaw66> http://pastebin.com/m1ee0a6c3
14:06 < Darkclaw66> anyone know how to fix it?
14:07 < Darkclaw66> sometimes it happens back to back and sometimes it happens every 2 minutes and 10 minutes
14:08 < Darkclaw66> when I switched to TCP mode I didnt get disconnected once but the drawback was that everything slowed down
14:13 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: MULTI: new incoming connection would exceed maximum number o :: ... <http://www.ovpnforum.com/viewtopic.php?f=4&t=2445&p=2984#p2984>
14:20 -!- Mtn_Bkng_Dave [n=whome@206.17.147.84] has joined ##openvpn
14:26 < Darkclaw66> anyone know how to fix random disconnects without switching to TCP mode?
14:37 -!- C4colo [n=DJpyro@65.204.123.195] has joined ##openvpn
14:38 < C4colo> I have a vpn network that consists of multiple servers in a star topology.  They are all in various datacenters with 100mbps shared network except a few on consumer dsl/cable connections.  The problem is that if I ping client->server or client-client I get around 50% packet loss ... but from the server to any client I get 0% packet loss ... trying to figure out where to even start troubleshooting this 
14:39 < hyper_ch> sounds like a routing issue but then I have no real clue about things :)
14:39 < C4colo> loadaverage is ~0.50 on the server, not good but not bad
14:40 < C4colo> multiple 0.0.0.0 routes? 
14:40 < C4colo> brb checking 
14:41 < C4colo> only one default gateway 
14:41 < C4colo> let me see if it is just delay, I'll bump the timeout for pings up ro 10000
14:41 < C4colo> *up to
14:43 < Darkclaw66> anyone know how to fix random disconnects without switching to TCP mode?
14:45 < C4colo> 0% packet loss if I wait 10 seconds for the packet to return ... so it is not lost data, just horrible and intermittent delays ... this is my experience SSH'ing over the tunnels too, the screen updates are fast for a second then nothing for 1-3 seconds then updates again ... like it is cyclic 
14:46 < Bushmills> oh, i know that. my broken router sometimes acts up, that way. after resetting the router, i'm fine again for some time.
14:47 -!- chilicuil [n=sistemas@unaffiliated/chilicuil] has quit [Read error: 60 (Operation timed out)]
14:49 < Darkclaw66> see when I change to TCP mode, I dont get disconnected at all
14:54 < C4colo> nevermind ... seems the server at the middle of all this is a virtual system ... sharing too many resources with other virtual systems ... nothing to do with openvpn 
14:55 < Darkclaw66> umm am I being ignored
14:55 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:55 < C4colo> the virtual host was sleeping the system for up to 2 seconds at a time
14:55 < C4colo> Darkclaw66, UDP has no mechanism for maintaining state or retransmitting lost packets 
14:56 < Darkclaw66> how is everyone able to use UDP and not have it disconnect constantly
14:56 < C4colo> depends on the network.  All networks have some packet loss ... some more than others 
14:57 < C4colo> also with UDP if there is no traffic the state can be reset in the router's state table 
14:57 < C4colo> same can happen with TCP, but at least TCP has a longer default timeout 
14:57 < C4colo> try running a ping (linux) or ping -t (windows) between the two endpoints ... if it never drops then it is a state table issue in the firewall/router 
14:58 < C4colo> if that is the case get rid of your linksys router and put in something that you can upgrade the RAM in (like a vyatta router) 
14:58 < C4colo> if it still drops then it is probably lost packets somewhere between the two devices running openvpn 
14:59 < C4colo> running the ping is like a keepalive ... every 1 second it will send a packet across the VPN tunnel, keeping the state alive in the state table 
15:00 < C4colo> why do you need UDP instead of TCP?
15:00 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
15:03 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
15:04 < Darkclaw66> UDP is faster
15:05 < Darkclaw66> TCP is significantly slower
15:05 < Darkclaw66> I did some pings and there is some random packet loss between the two links
15:07 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
15:08 < Darkclaw66> because theres some packet loss its going to cause my connection to fry?
15:08 < Darkclaw66> even if its 2%?
15:10 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit [Client Quit]
15:10 -!- chilicuil [n=sistemas@unaffiliated/chilicuil] has joined ##openvpn
15:12 < Darkclaw66> in any case C4colo  you are right
15:12 < Darkclaw66> its just I have to sacrifice performance for reliability
15:17 < C4colo> in theory, and in some circumstances you will see better throughput from UDP 
15:18 < C4colo> for example, if most of your traffic is UDP (voip or streaming video for example) then udp for the vpn layer is a good idea
15:18 < C4colo> if most of your traffic is TCP (email, web traffic, etc) then TCP is probably better, since that will do the same retransmit request on the application layer that the tunnel layer could do for you 
15:19 < rob0> Can you replace the broken router with something less broken? You found the only openvpn fix to the problem.
15:19 < C4colo> do you want the application retransmitting tcp packets over a udp tunnel... or the tcp tunnel handling the retransmission of lost packets?  either way there is TCP overhead for TCP traffic ... 
15:19 < Darkclaw66> who me?
15:19 < C4colo> rob0, for my original solution? 
15:20 < C4colo> er problem 
15:20 -!- mgolisch [n=michi@85.93.11.18] has quit [Remote closed the connection]
15:20 -!- mgolisch [n=michi@85.93.11.18] has joined ##openvpn
15:21 < C4colo> my solution was "it's not losing packets, they are just being delayed ... so for now the VPN is working but slow ... eventually you'll have to move that virtual server onto a host with fewer other virtual servers or migrate it to a hardware box"
15:21 < C4colo> they are going to set up another host in the datacenter for it 
15:22 < Darkclaw66> C4colo, it sounds like you advocate TCP mode
15:22 < C4colo> for my situation TCP is better 
15:22 < C4colo> if I was linking VOIP servers or something I'd probably use UDP 
15:22 < Darkclaw66> for mine too 
15:23 < C4colo> it depends on the traffic going through the tunnel and the network conditions 
15:23 < Darkclaw66> I seriously can't stand it when OpenVPN disconnects but as soon as I siwtch to TCP its solid
15:23 < C4colo> then that sounds good 
15:23 < C4colo> you aren't doing video streaming or voip are you? 
15:23 < Darkclaw66> nope im using it for smtp, pop, vnc
15:24 < C4colo> pings are not a good indication of the "speed" or "health" of a network ... for a real glimpse you need something you can taylor to the traffic patterns, like iperf 
15:24 < Darkclaw66> I actually have iperf
15:24 < C4colo> running an iperf test between two systems over a vpn and tweaking the settings to emulate the type of traffic is a better test
15:25 < Darkclaw66> I'll do it now
15:25 < C4colo> for voip networks I drop the packet size to almost nothnig and run as many parallel sessions as possible 
15:25 < rob0> Hmmm, I doubt TCP is really "better" for anyone; more likely, it's a workaround for bad/silly firewalls.
15:25 < C4colo> and use udp
15:25 < C4colo> but for networks with "normal" traffic I use larger packets and use TCP 
15:25 < C4colo> for testing with iperf 
15:25 < C4colo> ping is just "did it get there and back fast enough?" 
15:26 < Darkclaw66> I know a lot of docs say TCP is not the ideal choice but its a matter of choosing the lesser of two evils...
15:26 < C4colo> TCP adds overhead 
15:26 < C4colo> it also adds reliability ... but can cause issues on the application layer if the application layer is realtime (such as streaming UDP traffic) 
15:28 < Darkclaw66> one hand you have reliability and the other hand you have performance
15:29 < Darkclaw66> maybe with some apps you wouldnt even notice the reconnects but with vnc, as soon as the connection disconnects, you lose the terminal
15:29 < C4colo> yea
15:30 < C4colo> vnc uses both tcp and udp, but most of the traffic is tcp 
15:31 < C4colo> using tcp for the vpn obfuscates the real issue because the vpn layer can retransmit the packets and the application layer never even knows about the lost packet ... it just sees it as an out of order packet and processes it as normal 
15:31 < C4colo> but with udp the application layer has to retransmit 
15:31 < C4colo> by the way, 2% is pretty high for lost packets 
15:31 < C4colo> 0.2% is more reasonable 
15:32 < C4colo> (for across the internet) 
15:32 < C4colo> I've got a deadline I need to hit today so I gotta get back on this other project ... but I hope than info was useful 
15:32 < Darkclaw66> I have to leave I will bbiab
15:32 < Darkclaw66> thanks for the info c4, it made sense
15:32 < C4colo> np
15:32 < C4colo> see ya
15:33 -!- C4colo [n=DJpyro@65.204.123.195] has left ##openvpn ["brb"]
15:36 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
15:36 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
15:36 -!- mode/##openvpn [+v Kas] by ChanServ
15:37 -!- mgolisch [n=michi@85.93.11.18] has quit [Remote closed the connection]
15:37 -!- mgolisch [n=michi@85.93.11.18] has joined ##openvpn
15:44 -!- jeffl_ [i=coz@teledojo.com] has joined ##openvpn
15:45 < jeffl_> I'm running openvpn on a pfsense firewall. If I set up another tunnel on the same port, will open vpn determine which tunnel to connect to based on the keys or do I need to change ports?
15:59 -!- mgolisch [n=michi@85.93.11.18] has quit [Remote closed the connection]
16:00 -!- mgolisch [n=michi@85.93.11.18] has joined ##openvpn
16:03 -!- Mtn_Bkng_Dave [n=whome@206.17.147.84] has quit []
16:09 < krzie> jeffl_ must change ports or protocols
16:10 < jeffl_> krzie: thanks I figured it out :) there was a tiny thing that explained it that I kept skimming over
16:24 -!- Irssi: ##openvpn: Total of 82 nicks [1 ops, 0 halfops, 1 voices, 80 normal]
16:26 -!- dazo_h [n=dazo@ip4-83-240-69-215.cust.nbox.cz] has joined ##openvpn
16:27 -!- dazo_h [n=dazo@ip4-83-240-69-215.cust.nbox.cz] has quit [Client Quit]
16:33 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
16:41 -!- kyrix [n=ashley@80-121-68-217.adsl.highway.telekom.at] has joined ##openvpn
17:17 -!- yoshx [n=yoshx@38.115.119-80.rev.gaoland.net] has quit [Remote closed the connection]
17:23 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
17:28 -!- poningru [n=poningru@dsl093-236-026.hfd1.dsl.speakeasy.net] has joined ##openvpn
17:33 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:49 -!- chilicuil [n=sistemas@unaffiliated/chilicuil] has quit ["Leaving."]
17:59 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
18:10 < jeffl_> I finally got openvpn working and connected, but I can't ping from the network it's connecting too
18:10 < jeffl_> is that normal?
18:10 < jeffl_> Also, I keep getting this error
18:11 < jeffl_>  WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 192.168.8.1 192.168.8.2'
18:11 < jeffl_> I get that on both sides
18:12 -!- APTX| [n=APTX@chello089076052083.chello.pl] has joined ##openvpn
18:14 < vpnHelper> New forum entry openvpnforum: Configuration :: Re: Waiting for TUN/TAP interface to come up... :: Reply by Douglas <http://www.ovpnforum.com/viewtopic.php?f=6&t=2380&p=2974#p2974>
18:15 -!- LobbyZ [n=default@main.lobbyzffs.com] has quit ["Free FTW"]
18:22 < krzie> jeffl_
18:22 < krzie> !configs
18:22 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
18:23 < jeffl_> what are ccd entries?
18:23 < jeffl_> !configs
18:23 < vpnHelper> jeffl_: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
18:23 < krzie> !ccd
18:23 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
18:24 < jeffl_> http://pastebin.com/m36c0516a --- config
18:25 < jeffl_> I'm running pfsense
18:25 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has quit ["This computer has gone to sleep"]
18:25 < jeffl_> krzie: I can't really paste my pfsense config
18:27 -!- APTX [n=APTX@phpBB/developer/APTX] has quit [Read error: 110 (Connection timed out)]
18:27 < krzie> doesnt it use a standard openvpn config on the inside when you ssh in?
18:27 < krzie> other people with pfsense have been able to in the past...
18:29 < jeffl_> oh
18:29 < jeffl_> duh
18:29 < jeffl_> one minute
18:30 < krzie> !learn win_tcplimit as see http://readlist.com/lists/lists.sourceforge.net/openvpn-users/0/2383.html to know why windows TCP servers can only handle 60 clients
18:30 < vpnHelper> krzie: Joo got it.
18:33 < jeffl_> krzie: working on it, not a normal shell
18:36 < krzie> its not just a csh shell? pfsense is a modified fbsd
18:37 -!- LobbyZ [n=default@main.lobbyzffs.com] has joined ##openvpn
18:42 < jeffl_> krzie: I was using the wrong shell
18:42 -!- Dougy [n=me@69.10.59.230] has joined ##openvpn
18:42 < jeffl_> I found the config but it's kinda weird with the xml they use
18:43 < Dougy> howdy ya'll
18:43  * Dougy pokes at Kas
18:43 < krzie> sup dougy
18:43 < Dougy> busy as FUCK
18:43 < Dougy> im home 0 nights a week now
18:43 < Dougy> im out doing stuff every day
18:43 <+Kas> hey all
18:43 < krzie> right on
18:43 < Dougy> howdy Kas
18:44 < Dougy> how are ya
18:44 < krzie> hey kas
18:44 < Dougy> krzie: EMS school 2 days a week, at DC 3, and onsite with clients other 2
18:44 < krzie> hey kas, you know anything re: this?
18:44 < krzie> !win_tcplimit
18:44 < vpnHelper> krzie: "win_tcplimit" is see http://readlist.com/lists/lists.sourceforge.net/openvpn-users/0/2383.html to know why windows TCP servers can only handle 60 clients
18:44 < Dougy> krzie: did you see my reply to the thread on the forum?
18:44 < Dougy> i was curious about that
18:44 < krzie> Dougy ya your replies always give me lulz
18:44 <+Kas> Dougy, which link?
18:44 < Dougy> krzie: someone gotta do it
18:44 < jeffl_> krzie: http://pastebin.com/m29377e49
18:45 < krzie> kas, the link i just gave you
18:45 <+Kas> ahh, gotcha, sec
18:45 < krzie> jeffl_ oh god i hate when interfaces wanna use their own custom configs
18:46 < Dougy> jeff i had an offer
18:46 < Dougy> im tempted to buy this ompany
18:46 < jeffl_> krzie: me too :( any single line <aaa /> just means it's blank
18:46 < Dougy> VPS company with like 110 VPS's.. $2500 for the whole shebang.. $1700/mo gross revenue
18:46 < jeffl_> Dougy: do it
18:46 < krzie> jeffl_ i cant tell, but it looks like from that address pool that pfsense is using --server
18:46 < krzie> if thats the case, removing the ifconfig from the client will make it work
18:46 < jeffl_> pfsense IS the server
18:46 < krzie> i said --server
18:46 < jeffl_> oh, what does that mean?
18:47 < krzie> like the option to openvpn
18:47  * jeffl_ googles
18:47 < Dougy> jeffl_
18:47 < krzie> using ifconfig as you did and using --server are different ways to do the same thing
18:47 < Dougy> stop
18:47 < Dougy> !man
18:47 < vpnHelper> Dougy: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:47 < Dougy> ^ second link
18:47 < krzie> see if commenting the ifconfig in client config helps
18:47 < krzie> jeffl_ dougy is right, forget google and use the manual for learning
18:47 < jeffl_> krzie: if I comment it out, it complains about routes and stuff from the client end
18:49 < krzie> well, i can tell you how to do it right in normal openvpn, but i dont understand the pfsense xml config
18:49 <+Kas> krzie: from James: However, I do believe this issue still exists when running the OpenVPN server on Windows (native).
18:49 < krzie> kas, ok cool thanx
18:49 < krzie> its a windows issue, ya?
18:49 < krzie> (like their problem, not openvpn's)
18:49 <+Kas> Yep: James: Because Windows has an internal limit on the maximum number of events that can be waited on by one process.
18:49 < jeffl_> krzie: it's a windows issue
18:50 < krzie> cool thanx
18:50 <+Kas> np
18:50 < jeffl_> krzie: which line is the equiv of --server?
18:51 < krzie> i dont know, thats the problem
18:51 < krzie> i dont understand the lame pfsense config
18:51 < krzie> i also dunno why pfsense and network manager insist on using their own style for configs
18:52 < jeffl_> krzie: everything is in a single config file
18:52 < krzie> and that config file is not openvpn format
18:53 < krzie> !sample
18:53 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
18:53 < jeffl_> krzie: http://pastebin.com/m66f0a2eb
18:54 < jeffl_> krzie: the xml is generated from a normal config, apparently.
18:54 < krzie> ahh there we go
18:54 < Dougy> whats lport
18:54 < krzie> remove both ifconfigs
18:54 < krzie> on server add this
18:55 < krzie> server 192.168.8.0 255.255.255.0
18:55 < krzie> if the server openvpn node is not the router for its lan, you must add another route to its router
18:55 < krzie> if its not the router feel free to tell me to expand on that
18:55 < jeffl_> the pfsense is the router
18:56 < krzie> cool
18:56 < krzie> also know, you cant connect this client if its ever on a LAN of 192.168.0.0
18:56 < krzie> which could be an issue if its a road warrior
18:56 < jeffl_> Yeah, I saw those lines.. I'm not really sure what they are doing there
18:56 < krzie> what lines?
18:56 < jeffl_> #
18:56 < jeffl_> ifconfig 192.168.8.1 192.168.8.2
18:56 < jeffl_> #
18:57 < krzie> ahh
18:57 < krzie> well thats ptp style config
18:57 < jeffl_> soo apparently I can't edit the config directly
18:58 < jeffl_> I HAVE to use the gui
19:00 < krzie> once you figure out the relation between gui and config settings, it would make a good wiki post!
19:00 < krzie> !wiki
19:00 < vpnHelper> krzie: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
19:02 < jeffl_> krzie: I'd be happy too, if this made any sense :D
19:02 < krzie> =]
19:03 < krzie> it may come down to just playing and checking the config repeatedly
19:03 < jeffl_> krzie: well there is one other thign
19:03 < jeffl_> from the pfsense, I can ping 192.168.8.2
19:03 < jeffl_> but I can't from the local network, any ideas?
19:04 < jeffl_> I added a static route for 192.168.8.0 to point to 192.168.0.1
19:04 < jeffl_> but it doesn't work :/
19:04 < krzie> prolly firewall related, lets do 1 thing at a time
19:04 < jeffl_> yeah
19:04 < jeffl_> Well the reason I haven't set the first issue as a priority, is BECAUSE I can ping from the firewall
19:06 < jeffl_> krzie: but you said the keyword, firewall and I think I just needed to add a rule to the lan 
19:06 < jeffl_> :D
19:09 < krzie> =]
19:17 -!- kyrix [n=ashley@80-121-68-217.adsl.highway.telekom.at] has quit ["Leaving"]
19:17 < jeffl_> krzie: huh, I can ping any ip from the client side
19:17 < jeffl_> and I get a response
19:17 < jeffl_> but I can't get a response pinging from the local network..
19:18 < jeffl_> Any ideas?
19:24 < krzie> firewall
19:25 < krzie> possibly on client side
19:25 < krzie> (remember that the packets from the lan show up with LAN ip and not vpn ip)
19:26 < krzie> Kas, so that problem we talked about exists with UDP as well?
19:28 < jeffl_> krzie: yeah, I added an allow all to and from rule for lan
19:28 < krzie> jeffl_, on the client as well?
19:29 < krzie> hey Dougy did you see the weird results of my testing in !vpnchains ?
19:29 < Dougy> no sir
19:29 < Dougy> !vpnchains
19:29 < vpnHelper> Dougy: Error: "vpnchains" is not a valid command.
19:30 < Dougy> apparently
19:30 < Dougy> neither did the bot
19:30 < krzie> oh lol i never made a bot command
19:30 < krzie> i guess with good reason, it wont help anyone with problems
19:30 < krzie> 1sec
19:30 < krzie> http://www.secure-computing.net/wiki/index.php/OpenVPN/VpnChains
19:30 < vpnHelper> Title: OpenVPN/VpnChains - Secure Computing Wiki (at www.secure-computing.net)
19:30 < jeffl_> krzie: you mean the local firewall?
19:31 < jeffl_> on the machine in the network?
19:32 < krzie> on the client machine
19:32 < krzie> you said the LAN cant ping the client
19:37 < krzie> dougy, so i actually got better speed double tunneled than i did single tunneled
19:38 < krzie> which is just crazy
19:38 < krzie> you understand what i mean from that wiki post?
19:43 < jeffl_> krzie: correct, but I can't see the computer blocking a net address like that..
19:44 < Dougy> krzie; no friggin idea
19:44 < Dougy> LOL
19:44 < Dougy> i guess it means
19:44 < Dougy> 1 vpn -> another -> another -> another
19:44 < Dougy> or something
19:47 < jeffl_> krzie: actually, that doesn't make any sense.. if I'm pinging from my local machine to the remote client, shouldn't I be okay?
19:54 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
20:00 < krzie> jeffl_ you have ping 1 way and not the other, its firewall
20:00 < krzie> dougy
20:01 < krzie> i chain together a couple vpns, and since there is no direct client communications, i force it to go through as many computers encrypted as i want
20:01 < krzie> then i make a vpn inside that vpn, between me and the far side
20:01 < krzie> somehow, that innermost vpn got better throughput than the original vpn
20:02 < krzie> was interesting to me
20:07 -!- Beber` [n=Beber@otis.meleeweb.net] has quit ["Kenavo les poteaux"]
20:14 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: MULTI: new incoming connection would exceed maximum number o :: ... <http://www.ovpnforum.com/viewtopic.php?f=4&t=2445&p=2997#p2997>
20:18 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
20:20 -!- onats [n=onats@unaffiliated/onats] has left ##openvpn ["Ex-Chat"]
20:29 -!- andre_ [n=andre@akprofessionalconsulting.com] has joined ##openvpn
20:29 < andre_> trying to resolve dns queries through openvpn and its saying query refused
20:29 -!- APTX| [n=APTX@chello089076052083.chello.pl] has quit [Client Quit]
20:29 -!- APTX [n=APTX@chello089076052083.chello.pl] has joined ##openvpn
20:30 -!- Darkclaw66 [n=andre@unaffiliated/darkclaw66] has quit [Nick collision from services.]
20:30 -!- andre_ is now known as Darkclaw66
20:30 < Darkclaw66> anyone know?
20:31 < krzie> whats saying query refused?
20:31 < Darkclaw66> i disabled client-to-client is that the reason?
20:31 < krzie> openvpn doesnt do DNS
20:31 < Darkclaw66> should be able to pass the queries
20:31 < krzie> !c2c
20:31 < vpnHelper> krzie: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
20:31 < vpnHelper> krzie: behind other clients
20:32 < Darkclaw66> krzee, openvpn cant pass dns queries?
20:32 < krzie> openvpn doesnt care if they are dns queries
20:32 < krzie> it blindly tunnels the traffic passed to it
20:32 < Darkclaw66> why would named not provide the answer?
20:33 < Dougy> bad config
20:33 < Darkclaw66> it only doesnt work with the vpn
20:33 < Dougy> bad config
20:34 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
20:34 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
20:34 < Darkclaw66> its really not...
20:34 < Dougy> then it would be working
20:34 < Darkclaw66> i have named listening on the vpn server
20:35 < Dougy> firewall
20:35 < Darkclaw66> the exact error is: Query refused
20:35 < Dougy> something
20:35 < Dougy> !notopenvpn
20:35 < vpnHelper> Dougy: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
20:37 < krzie> lol
20:37 < krzie> ya thats actually true
20:37 < Dougy> which
20:37 < Dougy> what i said?
20:37 < krzie> the NS cant refuse a query unless it gets the packets
20:37 < krzie> and you cant see it was refused unless the packets made it back
20:37 < Dougy> krzie im on a roll tonight
20:37 < Dougy> 2 useful things
20:37 < Dougy> win
20:37 < Darkclaw66> unless client-to-client is the problem
20:37 < krzie> yup, you are ;]
20:38 < krzie> Darkclaw66 both are clients?
20:38 < krzie> (NS is on client, other client is trying?)
20:38 < Darkclaw66> in openvpn's eyes maybe
20:38 < krzie> Darkclaw66 openvpn isnt responsible for how you configure other applications
20:38 < Darkclaw66> I know that
20:39 < krzie> oh i see what you mean
20:39 < krzie> well did you TRY seeing if it was client-to-client?
20:39 < Darkclaw66> I should try i
20:39 < krzie> (if it is, the problem when you dont have that is your firewall)
20:39 < krzie> you should try, you should also be using packet sniffers to see whats up
20:40 < krzie> but i dont think its firewall OR client-to-client, and i think it wont help
20:40 < krzie> cause if bind is refusing, its recieving and responding
20:40 < krzie> just not responding in the way you hoped ;]
20:42 < Darkclaw66> is it stupid to have dns queries go through the vpn?
20:42 < krzie> nope
20:42 < krzie> its a personal choice
20:43 < krzie> an example of why i could never say its stupid... if you are trying to hide by tunneling over the vpn, but dns wasnt tunneled (common with socks) DNS queries would give away your real ip
20:44 < Darkclaw66> yes
20:45 < Darkclaw66> well, I disable the firewall completely and it still says query refused
20:45 < Darkclaw66> its either named or openvpn and I agree with you and Dougy that its something to do with named
20:45 < krzie> <krzie> but i dont think its firewall OR client-to-client, and i think it wont
20:45 < krzie>           help
20:45 < krzie> <krzie> cause if bind is refusing, its recieving and responding
20:45 < krzie> <krzie> just not responding in the way you hoped ;]
20:46 < Darkclaw66> I totally agree but the name server is working perfectly I am able to resolve all queries locally/remotely
20:46 < Darkclaw66> sorry I dont mean to ramble, I'll keep hammering at it and let you guys know what the prob is
20:46 < krzie> that doesnt mean its enabled to allow your new subnet :-p
20:47 < Darkclaw66> it's listening on the vpn server ip address
20:47 < krzie> that doesnt mean its enabled to allow your new subnet :-p
20:47 < Darkclaw66> in the named document if I don't specify allowed hosts then it allows all
20:48 < krzie> why are you talking here instead of looking at bind in debug mode? :-p
20:48 < krzie> see why its refusing
20:48 < Darkclaw66> im on it :)
20:49 < krzie> but bind is actively refusing
20:49 < krzie> so it cant be an openvpn problem
20:49 < krzie> if it was timing out it could be
21:19 < Bushmills> "is it stupid to have dns queries go through the vpn?"  - I think that is a good thing
21:19 < Bushmills> thwarts nosy isp providers
21:21 < Bushmills> dns usually has an ACL in the config, telling it from who to accept recursive queries from - that's possibly the problem, it doesn't allow recursive queries from von net ip addresses
21:33 < Darkclaw66> I sadly haven't been able to work on it because other things came up but I am free again so let's see if I can see why named is bitching about it
21:52 < Darkclaw66> well, enalbing debugging in named didnt help
21:55 < Darkclaw66> okay well I think I found the problem
21:56 < Darkclaw66> it seems that its a RFC violation to do what I am saying
21:59 -!- Darkclaw66 [n=andre@unaffiliated/darkclaw66] has quit ["Leaving"]
22:00 -!- Dougy [n=me@69.10.59.230] has quit []
22:00 -!- Darkclaw66 [n=fortness@unaffiliated/darkclaw66] has joined ##openvpn
22:01 -!- LobbyZ [n=default@main.lobbyzffs.com] has quit [Remote closed the connection]
22:14 < krzee> umm no
22:15 < krzee> what makes you think its a violation of RFC to have a NS on a LAN?
22:15 < krzee> (vpn clients basically make up a layer3 LAN)
22:15 < krzee> or even to forget about that oversimplification, why would it be a violation of RFC to run a NS over a VPN...?
22:15 < krzee> many people do it
22:16 -!- LobbyZ [n=default@main.lobbyzffs.com] has joined ##openvpn
22:17 < Darkclaw66> found out the reason why named wasnt liking it is because the VPN client ips werent setup to be resolved
22:17 < Darkclaw66> the client ips reverse is configured now and named lets the vpn clients request queries
22:21 < krzee> weird
22:23 < Darkclaw66> its all good
22:23 < Darkclaw66> btw krzee, I tried doing udp again at work and it was very bad
22:24 < Darkclaw66> it was really good in the beginning but then it started to get worse and it seems like there is packet loss
22:24 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
22:24 < Darkclaw66> haha
22:25 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
22:25 < Darkclaw66> did you see my msg krzee
22:35  * Bushmills wonders if that was true that bind requires clients to be resolvable and even reverse dns, how public recursive dns handles that for all the potential (and anonymous) clients - corollary, there's a flaw in that conclusion. 
22:36 < Bushmills> well, anyway, i have no reverse dns set up for the clients which use dns over openvpn. 
22:48 < Darkclaw66> let me clarify, the vpn client server IP needs to be resolvabl
22:52 < Darkclaw66> so lets say the vpn server ip is 171.10.0.1 then that would need to be resolvable
22:58 < Darkclaw66> I am hoping I can chat more about my situation with using the protocol udp and having intermittent disconnects
23:01 < Darkclaw66> it seems that theres some packet loss
23:01 < Darkclaw66> if that happens theres no way to salvage the connection?
23:05 < krzee> nope
23:05 < Darkclaw66> I am very sad to hear that
23:06 < krzee> that was re: msg
23:06 < Darkclaw66> oh sorry
23:06 < krzee> packet loss, ive had no problems with my udp vpn with some packet loss
23:06 < Darkclaw66> I was able to copy and paste the error message
23:07 < krzee> im in a 3rd world country, i go places with packet loss
23:07 < Darkclaw66> basically when theres some major packet loss I start getting disconnected
23:07 -!- Intensity [i=[TwgZSVb@unaffiliated/intensity] has quit [Excess Flood]
23:07 < krzee> h major loss, sounds right
23:07 < krzee> oh*
23:07 < krzee> but also, when that same packet loss happens if you are transfering stuff over a tcp vpn, you'll get worse than a reconnect
23:07 < Darkclaw66> I am trying to find the error messages but I can't seem to find it but basically something to do with a no ping response
23:08 < Darkclaw66> the thing is, with TCP it is slower but it keeps the connection alive
23:11 < Darkclaw66> krzee do you know of a way where I can tell openvpn server or client not to give up if theres packet loss?
23:11 -!- Ozux [n=lacin@91.99.13.12] has joined ##openvpn
23:12 < Darkclaw66> like to basically hang in there until it clears up?
23:13 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
23:15 < Darkclaw66> see how shitty that is?
23:15 < Darkclaw66> UDP is faster but unreliable :(
23:18 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:19 < Darkclaw66> it looks like udp is pwned you :(
23:20 -!- Intensity [i=[jhWZBIm@unaffiliated/intensity] has joined ##openvpn
23:20 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
23:31 -!- Intensity [i=[jhWZBIm@unaffiliated/intensity] has quit [Excess Flood]
23:32 -!- freaky[t] [i=alpha@member.team-box.net] has quit [Excess Flood]
23:32 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn
23:35 -!- Intensity [i=[aYQOr4X@unaffiliated/intensity] has joined ##openvpn
23:35 -!- Darkclaw66 [n=fortness@unaffiliated/darkclaw66] has quit []
23:48 -!- Intensity [i=[aYQOr4X@unaffiliated/intensity] has quit [Excess Flood]
23:52 -!- Intensity [i=[d9wDC0b@unaffiliated/intensity] has joined ##openvpn
23:54 -!- Intensity [i=[d9wDC0b@unaffiliated/intensity] has quit [Excess Flood]
23:58 -!- Intensity [i=[yNmFq9E@unaffiliated/intensity] has joined ##openvpn
--- Day changed Thu Jan 28 2010
00:01 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit []
00:06 -!- Ozux [n=lacin@91.99.13.12] has quit [Excess Flood]
00:34 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
00:40 -!- freaky[t] [i=alpha@member.team-box.net] has quit [Excess Flood]
00:41 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn
01:40 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
01:52 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
02:00 -!- Guest89799 is now known as dazo
02:04 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:06 -!- PeterFA [n=Peter@unaffiliated/peterfa] has quit [Read error: 60 (Operation timed out)]
02:24 -!- le0_ [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Client Quit]
02:45 < vpnHelper> New forum entry openvpnforum: Configuration :: Re: Waiting for TUN/TAP interface to come up... :: Reply by Douglas <http://www.ovpnforum.com/viewtopic.php?f=6&t=2380&p=2974#p2974>
02:59 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
03:08 -!- master_o1_master [n=master_o@p57B54A03.dip.t-dialin.net] has joined ##openvpn
03:21 -!- master_of_master [i=master_o@p57B5616D.dip.t-dialin.net] has quit [Connection timed out]
03:30 -!- Kasx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
03:30 -!- mode/##openvpn [+v Kasx] by ChanServ
03:31 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit [Excess Flood]
03:32 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
03:44 -!- dunc [n=dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
03:45 < vpnHelper> New forum entry openvpnforum: Installation Help :: Re: Issues with Open VPN Setup :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=5&t=2071&p=2961#p2961>
03:48 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 110 (Connection timed out)]
03:51 -!- Scorpion [i=Scorpion@94.190.88.196] has joined ##openvpn
03:51 < Scorpion> hello
03:51 < Scorpion> ll Show how to create a vpn connection with username and password
03:52 < Scorpion> debian lenny 5.03
03:52 < Scorpion> key file is not found
03:58 < jww> ~hi Scorpion .
03:58 < jww> please show your configuration on pastebin.ca .
03:59 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
04:02 < Scorpion> vpn.kcjh.ru
04:03 < Scorpion> username gerald
04:03 < Scorpion> password *******
04:03 < Scorpion> without encryption
04:04 < jww> stop using crack gerald, it's bad for you.
04:05 < Scorpion> i'm install pptp-linux and network-manager-pptp
04:06 < Scorpion> what should I do next
04:06 < Scorpion> ?
04:07 < jww> http://openvpn.net/index.php/open-source/documentation/howto.html#quick
04:07 < vpnHelper> Title: HOWTO (at openvpn.net)
04:07 -!- fluxdude [n=fluxdude@unaffiliated/fluxdude] has joined ##openvpn
04:07 < jww> the best is to start by the beginning :)
04:07 < Scorpion> thank you
04:07 < fluxdude> what is the passphrase prompt for when you generate keys, is it for protecting the private key?
04:08 < fluxdude> when doing build-key-pass, this means you have to enter that passphrase every time you want to create a new key?
04:08 < fluxdude> ie for a client?
04:09 < fluxdude> and when done for a client it protects the client's private key, right?
04:09 < fluxdude> I want to make clients use both a private key (non protected) plus a  password on the server... have read this is possible, does anyone have any recommendations?
04:10 -!- macsppadic [n=sonupunn@82.109.74.162] has joined ##openvpn
04:10 < fluxdude> i want the password to be stored on the openvpn server to make it more resistant to just offline cracking attacks against the local key
04:10 < fluxdude> of course I don't want to have openvpn users with passwords on the local linux server
04:29 -!- Scorpion [i=Scorpion@94.190.88.196] has left ##openvpn ["Leaving"]
04:29 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined ##openvpn
05:05 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:15 -!- ruied [n=ruied@dial-b1-226-218.telepac.pt] has joined ##openvpn
05:35 < fluxdude> hmmm setting a passphrase when using build-key-server server doesn't seem to password protect that at all
05:35 < fluxdude> I can do ./build-pass for a client without needing that password at all
05:35 < fluxdude> what's the point, does this mean I need the password when starting the openvpn in order to use that then?
05:39 < fluxdude> no it seems it doesn't even need it for the openvpn server restart
05:39 < fluxdude> perhaps it's just there to protect the key?
05:39 < fluxdude> I don't know when one would use this
05:39 < fluxdude> hang on, shouldn't openvpn need the key in order to do the encryption?
05:39 < Bushmills> the private key needs unlocking with that passphrase when using it to connect
05:40 < fluxdude> Bushmills: no I'm talking about the server key not the client key
05:40 < fluxdude> build-key-server server prompts for a pw
05:40 < fluxdude> at the end
05:40 < fluxdude> but I can't find a good use for it
05:43 -!- dunc is now known as d|unker
05:55 -!- error404notfound [n=Eror404@203.99.176.17] has joined ##openvpn
05:56 < error404notfound> can i use openvpn server to change dns entries of it's clients? like say if i want my vpn clients to use openvpn server as primary dns server?
05:58 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
05:58 < fluxdude> is it possible to use a passphrase that is kept on the server in addition to using a certificate to authenticate?
05:58 < theDoc> Greetings, all.
05:58 < macsppadic> yes error404notfound u shud be able to push dns information 
05:58 < fluxdude> error404notfound: yes
05:58 < macsppadic> to each client 
05:58 < macsppadic> or rather to every client 
05:58 < macsppadic> hello theDoc 
05:58 < theDoc> o/
05:58 < error404notfound> macsppadic, can you give me a reference?
05:59 -!- ruied [n=ruied@dial-b1-226-218.telepac.pt] has quit [Read error: 60 (Operation timed out)]
05:59 < fluxdude> push "dhcp-option DNS x.x.x."
05:59 < fluxdude> in your server.conf file
05:59 < fluxdude> it's in the howto as well as the default conf for reference
05:59 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit ["Leaving"]
06:00 < macsppadic> aye thats pretty much what u would do - u will need to make sure that redirect-gateway is set 
06:00 < macsppadic> so that al the traffic is set to go thru the openvpn server
06:00 < fluxdude> macsppadic: why?
06:00 < fluxdude> that would just make web browsing and all the rest of your otherwise non-vpn traffic slow
06:00 < macsppadic> ahh yes sorry ur right fluxdude 
06:00 < macsppadic> u just want the DNS to be pushed on
06:00 < error404notfound> fluxdude, lemme check
06:00 < macsppadic> fluxdude: is right error404notfound 
06:01 < macsppadic> it would just slow down adding the redirect-gateway n u just want to set the DNS not force all traffic through the openvpn server in your case 
06:03 < fluxdude> can anyone give me any pointers for using multiple authentication with openvpn, ie certificate (with unprotected priv key) as well as a username/passphrase that is stored on the server so that you can't just get hold of the priv key and then offline attack it
06:06 < error404notfound> there are *.domain.com that i want to be redirect to openvpn's ip instead of public ip addresses for all machines that are in vpn.
06:06 < error404notfound> there are 20 *.domain.com 
06:11 -!- error404notfound [n=Eror404@203.99.176.17] has quit ["User guilty of hitting the Big Red X"]
06:12 -!- mkulke [n=mkulke@144.41.253.148] has joined ##openvpn
06:12 < macsppadic> fluxdude: the askpass option no go then?
06:14 < mkulke> hello, i have the problem that right now in my openvpn setup, when 2 clients connect with the same "common name" in their cert they get the same ip assigned. is it possible to change this?
06:16 < macsppadic> is there a client specific ifconfig-push mkulke ?am guessing not 
06:16 < mkulke> no
06:17 < mkulke> im using the "server-bridge" command
06:17 < macsppadic> best to pastebin the config - anything interesting in the logs ?
06:18 < mkulke> http://pastebin.com/m73f282fe
06:19 < mkulke> no, i don't think its an error
06:28 < Bushmills> mkulke: yes. use different CNs, or read about --duplicate-cn
06:29 < Bushmills> !duplicate-cn
06:29 < vpnHelper> Bushmills: Error: "duplicate-cn" is not a valid command.
06:29 < Bushmills> bleh
06:29 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:29 < fluxdude> macsppadic: I'm not sure yet, need to do more reading
06:33 < mkulke> Bushmills, thanks
06:33 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has joined ##openvpn
06:34 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has left ##openvpn []
06:37 < Bushmills> fluxdude: "so that you can't just get hold of the priv key and then offline attack it"  - if someone manages to steal private keys from servers, consider them compromised, and reinstall, regenerate, redo the whole machine.
06:38 < Bushmills> there's no way to make sure that extent of compromising stopped at only stealing private keys
06:41 < mkulke> is there a way to tell which users are currently logged in, or do i have to check the logs?
06:43 < fluxdude> Bushmills: no I mean the client key
06:43 < fluxdude> if you lose your laptop, you lose the client key
06:44 < fluxdude> so depending on just the client key, even if it's passphrase protected isn't that wise
06:44 < Bushmills> which is presumably passphrase protected?
06:44 < fluxdude> I want a username/pw on the server on top of the client cert which itself I won't bother passphrase protecting
06:44 < fluxdude> it gives extra resistance to offline attack and makes penetration much less feasible
06:45 < fluxdude> because attack would be limited by the speed of the connection attempts and can be detected
06:45 < fluxdude> difference of 1 per second vs thousands of attempts per second
06:45 < fluxdude> it's like 1000 times more secure
06:45 < Bushmills> an encrypted notebook partition for more sensible files can also help
06:46 < Bushmills> username + password on server is often a mediocre idea
06:46 < fluxdude> I cannot rely on the client's machine being encrypted, I have no control over that
06:46 < fluxdude> I have to give keys to contractors who already have laptops and we can't ask or force them to encrypt their disk
06:46 < Bushmills> how can you rely on strong password, rather than, say, user name?
06:47 < fluxdude> Bushmills: huh? I can set the password on the server to be a random generating secure pw and then give it out
06:47 < fluxdude> it will be the same strengh passphrase as would be on the key, only the attack on it would be 1000 times slower
06:47 < fluxdude> in even of laptop theft
06:47 < fluxdude> s/even/event/
06:48 < macsppadic> mkulke: openvpn-status.log file 
06:50 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
07:05 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:06 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [SendQ exceeded]
07:07 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
07:14 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
07:17 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
07:43 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
07:48 < mkulke> in my config files we got "tun-mtu 1500, fragment 1300 & mssfix" because i read windows clients do need this. however this option conflicts w/ ubuntu oob support :/
07:49 < mkulke> are those options really necessary?
07:49 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [SendQ exceeded]
07:50 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
07:51 < mkulke> hmm... just tried w/ windows. it seems it needs them 
07:54 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
07:54 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
08:02 -!- ruied [n=ruied@89.214.145.21] has joined ##openvpn
08:07 < ecrist> mkulke: it depends on a lot of things.  none of my windows clients here need thosesettings, though.
08:14 -!- Mtn_Bkng_Dave [n=whome@206.17.147.84] has joined ##openvpn
08:16 < vpnHelper> New forum entry openvpnforum: Scripting and Customizations :: How to setup a OpenVPN network where the client specified IP :: ... <http://www.ovpnforum.com/viewtopic.php?f=15&t=2560&p=3002#p3002>
08:17 < Mtn_Bkng_Dave> !welcome
08:17 < vpnHelper> Mtn_Bkng_Dave: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:17 < Mtn_Bkng_Dave> !goal
08:17 < vpnHelper> Mtn_Bkng_Dave: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:17 < Mtn_Bkng_Dave> !logs
08:17 < vpnHelper> Mtn_Bkng_Dave: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
08:17 < Mtn_Bkng_Dave> !configs
08:17 < vpnHelper> Mtn_Bkng_Dave: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
08:18 < Mtn_Bkng_Dave> !interface
08:18 < vpnHelper> Mtn_Bkng_Dave: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
08:19 < Mtn_Bkng_Dave> !slow
08:19 < vpnHelper> Mtn_Bkng_Dave: Error: "slow" is not a valid command.
08:19 < Mtn_Bkng_Dave> !slowconnection
08:19 < vpnHelper> Mtn_Bkng_Dave: Error: "slowconnection" is not a valid command.
08:19 < Mtn_Bkng_Dave> LOL
08:19 -!- fluxdude [n=fluxdude@unaffiliated/fluxdude] has quit ["When two people dream the same dream, it ceases to be an illusion"]
08:19 < Mtn_Bkng_Dave> any suggestions for speeding up a connection
08:19 < Mtn_Bkng_Dave> ??
08:20 -!- fluxdude [n=fluxdude@unaffiliated/fluxdude] has joined ##openvpn
08:21 < Mtn_Bkng_Dave> my vpn does not appear to be utilizing any bandwidth
08:21 < Mtn_Bkng_Dave> its el-pokey
08:25 < Bushmills> Mtn_Bkng_Dave: compress data, and have sufficiently fast CPU on the compressing side
08:26 < Mtn_Bkng_Dave> i have lzo enabled
08:26 < Mtn_Bkng_Dave> and its running on a dd-wrt firmware WRT54GL
08:26 < Bushmills> upgrade your link
08:26 < Mtn_Bkng_Dave> processor load is 25%
08:26 < Mtn_Bkng_Dave> upgrade?
08:26 < Mtn_Bkng_Dave> how so?
08:26 < Bushmills> from 6 mbit to 10 gigabit
08:27 < Bushmills> per sec
08:27 < Mtn_Bkng_Dave> im 50gigabit on the server
08:27 < Mtn_Bkng_Dave> 10 on the client
08:27 < Mtn_Bkng_Dave> transfer rate is like 200k
08:28 < Mtn_Bkng_Dave> i cant view my client config files
08:28 < Bushmills> 50 gigabit should be enough for the international exchange know of a small country
08:28 < Bushmills> knot
08:28 < Mtn_Bkng_Dave> yeah
08:28 < Mtn_Bkng_Dave> i know
08:28 < Mtn_Bkng_Dave> LOL
08:29 < Mtn_Bkng_Dave> its idling
08:29 < Mtn_Bkng_Dave> how does the mtu affect throughput
08:30 < Bushmills> the more packets need fragmented, the bigger the overhead
08:30 < Mtn_Bkng_Dave> i have MTU set at 1450
08:30 < Bushmills> but the faster error recovery is
08:30 < Mtn_Bkng_Dave> on the client side
08:30 < Mtn_Bkng_Dave> im sorry 1500 MTU
08:31 < Mtn_Bkng_Dave> there is something called a TUN MTU Extra set at 32
08:31 < Bushmills> shouldn't be an issue with bandwidth to spare
08:31 < Mtn_Bkng_Dave> and TCP MSS set to 1450
08:31 < Bushmills> what kind of transfers are you benchmarking?
08:31 -!- d|unker [n=dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote closed the connection]
08:31 < Mtn_Bkng_Dave> its backup files from quickbooks
08:32 < Mtn_Bkng_Dave> 32MB roughly
08:32 < Bushmills> using what transfer protocol?
08:32 < Mtn_Bkng_Dave> UDP
08:32 < Bushmills> what kind of network service
08:32 < hyper_ch> why don't I have a 50gbit connection :(
08:33 < Mtn_Bkng_Dave> comcast atlanta just came out with it
08:33 < Mtn_Bkng_Dave> :D
08:33 < Mtn_Bkng_Dave> you get a fancy new cisco modem too LOL
08:33 < Mtn_Bkng_Dave> the client side is something from Birch Telecom........supposedly 10mb down/2mb up
08:34 < Mtn_Bkng_Dave> i cant remember what Comcast calls the new connection........Mega something LOL
08:34 < Mtn_Bkng_Dave> they have a marketing ploy name for it
08:35 < Mtn_Bkng_Dave> 50mb down/10mb up
08:35 < Mtn_Bkng_Dave> depending on the IP pool i hit i get 45mb down/8.5mb up typically
08:36 < Mtn_Bkng_Dave> across 50 miles to speakeasy
08:36 < Mtn_Bkng_Dave> it puts all the little speedtest speedometers off the scale LOL
08:37 < Mtn_Bkng_Dave> so any ideas Bushmills?
08:37 < Mtn_Bkng_Dave> i would think TCP would be even slower
08:38 < Bushmills> are you sure that it is openvpn causing the slowdown?
08:39 < Mtn_Bkng_Dave> i can connect to my ftp server and dload and get some pretty decent transfers.........around 1-2gb/sec
08:39 < Mtn_Bkng_Dave> but the vpn is crawling
08:40 < ecrist> Mtn_Bkng_Dave: you get 1-2gb/sec?
08:40  * ecrist calls bullshit
08:41 < Mtn_Bkng_Dave> via ftp
08:41 < ecrist> you on 10GigE?
08:41 < Mtn_Bkng_Dave> 50gig
08:41 < Mtn_Bkng_Dave> on the server
08:41 < Mtn_Bkng_Dave> 10 on the client
08:42 < Mtn_Bkng_Dave> comcast just started marketing the 50gb stuff
08:43 < Mtn_Bkng_Dave> sorry
08:43 < Mtn_Bkng_Dave> mb
08:43 < Mtn_Bkng_Dave> im asleep
08:43 < Mtn_Bkng_Dave> LOL
08:43 < Mtn_Bkng_Dave> ive been at work since 2am
08:43 < Mtn_Bkng_Dave> LOL
08:43 -!- dunc_ [n=dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
08:44 < Mtn_Bkng_Dave> no wait
08:44 < Mtn_Bkng_Dave> is is gb
08:44 < Mtn_Bkng_Dave> transfer is 45,000 mb/sec
08:44 < Mtn_Bkng_Dave> LOL
08:44 < Mtn_Bkng_Dave> from speakeasy
08:44 < ecrist> Comcast isn't selling you 50gb internet
08:46 < ecrist> I live in Comcast's first DOCSIS 3 deploy.
08:46 < Mtn_Bkng_Dave> they have it in the atlanta metro now
08:46 < ecrist> sweet
08:46 < Mtn_Bkng_Dave> i just got it last month
08:46 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: MULTI: new incoming connection would exceed maximum number o :: ... <http://www.ovpnforum.com/viewtopic.php?f=4&t=2445&p=3003#p3003>
08:46 < Mtn_Bkng_Dave> i have had it for about a month now
08:47 < ecrist> they've had lots of bugs with the firmware on their business class modems, mostly fixed now, though
08:47 < Mtn_Bkng_Dave> ive got the cisco
08:47 < Mtn_Bkng_Dave> it seems to be ok
08:47 < ecrist> it's all SMC up here.
08:47 < Mtn_Bkng_Dave> havent really had any problems with it
08:47 < Mtn_Bkng_Dave> except when i first got it.........
08:48 < Mtn_Bkng_Dave> i accidentally turned on anchorfree on one of my modems and it was routing all my traffic via san jose, CA
08:48 < Mtn_Bkng_Dave> LOL
08:48 < fluxdude> how does chrooting work with relation to route commands on the server?
08:48 < Mtn_Bkng_Dave> that cut me down to 20mb/sec
08:48 < Mtn_Bkng_Dave> LOL
08:49 < fluxdude> I am seeing error messages such as /sbin/ip addr del dev tun0 local 10.8.0.1 peer 10.8.0.2
08:49 < fluxdude> Linux ip addr del failed: could not execute external program
08:49 < Mtn_Bkng_Dave> !route
08:49 < vpnHelper> Mtn_Bkng_Dave: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:49 < fluxdude> so I need to put ip in the chroot as well as mount proc there by the look of it?
08:49 < ecrist> fluxdude: depending on the type of chroot, you need to have access to the routing tables in order to add routes.
08:49 < fluxdude> which means /proc
08:50 < fluxdude> that makes chroot somewhat less effective does it not?
08:50 < fluxdude> //proc inside chroot cannot be a good thing, then what's the point of chrooting
08:51 < ecrist> fluxdude: it's complicated enough that I simply don't run openvpn chrooted
08:52 -!- error404notfound [n=Eror404@119.153.57.96] has joined ##openvpn
08:53 < Mtn_Bkng_Dave> ecrist im sorry........again i was asleep........its 50mb
08:53 < Mtn_Bkng_Dave> from comcast
08:53  * ecrist knows
08:54 < Mtn_Bkng_Dave> 2 hours sleep and 12 hours work LOL
08:54 < Mtn_Bkng_Dave> this has me puzzled tho
08:54 < Mtn_Bkng_Dave> my transfers are still less than 200k
08:55 < ecrist> up/down?
08:55 < Mtn_Bkng_Dave> know of any good peer to peer speedtest packages?
08:55 < Bushmills> (15:28:36) Bushmills: 50 gigabit should be enough for the international exchange know of a small country
08:55 < ecrist> comcast's usual tier is 50/10
08:55 < Bushmills> ^^^ hint not taken
08:55 < Bushmills> knot
08:55 < Mtn_Bkng_Dave> LOL
08:55 < Mtn_Bkng_Dave> i wasnt paying attention
08:55 < Mtn_Bkng_Dave> LOL
08:55  * Mtn_Bkng_Dave is asleep
08:55 < Mtn_Bkng_Dave> LOL
08:56 < ecrist> Mtn_Bkng_Dave: are you sure you're not seeing 200K instead of 'k'?
08:57 < Mtn_Bkng_Dave> lemme check my bandwidth graphs again
08:58 < Mtn_Bkng_Dave> it took like 4 hours to transfer a 32MB file
08:58 < Mtn_Bkng_Dave> 200 Kbps
08:59 < Mtn_Bkng_Dave> Not KB/sec
08:59 < Mtn_Bkng_Dave> be back later
09:00 < Mtn_Bkng_Dave> gotta vpn via crackberry to check on the file transfer
09:00 -!- Mtn_Bkng_Dave [n=whome@206.17.147.84] has quit []
09:02 < WormFood> krzee, you around? (if not, give me a shout back, just to follow up on our previous conversation)
09:04 -!- error404notfound [n=Eror404@119.153.57.96] has quit [Read error: 104 (Connection reset by peer)]
09:08 -!- error404notfound [n=Eror404@119.153.57.96] has joined ##openvpn
09:11 < fluxdude> is it possible to get username/pw authentication on top of client certs and if so can anyone give me a pointer how (I'm still wading through the man page and have already been through the howto)
09:12 < fluxdude> is pam the only way?
09:12 < fluxdude> I don't want users to have login usernames/pws on my servers
09:12 < fluxdude> in which case I'll need to go digging through pam modules for this capability
09:14 < ecrist> it's all scriptable
09:14 < ecrist> however you want to do it.
09:14 < ecrist> if you're reading the man page, you're looking in the right place
09:15 < fluxdude> I'm not sure where I should store the usernames/pws though
09:15 < fluxdude> I wonder if there is a htpasswd style pam module somewhere...
09:16 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: MULTI: new incoming connection would exceed maximum number o :: ... <http://www.ovpnforum.com/viewtopic.php?f=4&t=2445&p=3006#p3006> || Scripting and Customizations :: Re: How to setup a OpenVPN network where the client specified ... <http://www.ovpnforum.com/viewtopic.php?f=15&t=2560&p=3008#p3008>
09:18 -!- ruied [n=ruied@89.214.145.21] has quit [Read error: 60 (Operation timed out)]
09:19 -!- ruied [n=ruied@89.214.145.21] has joined ##openvpn
09:19 -!- ribx [n=lutz@p50991f65.dip0.t-ipconnect.de] has joined ##openvpn
09:20 < ribx> !welcome
09:20 < vpnHelper> ribx: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:21 < ribx> !wiki
09:21 < vpnHelper> ribx: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
09:27 -!- ribx_ [n=lutz@p50991f65.dip0.t-ipconnect.de] has joined ##openvpn
09:33 -!- chilicuil [n=sistemas@unaffiliated/chilicuil] has joined ##openvpn
09:36 -!- LobbyZ [n=default@main.lobbyzffs.com] has quit ["Free FTW"]
09:40 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [SendQ exceeded]
09:41 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
09:42 -!- ribx [n=lutz@p50991f65.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
09:45 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
09:57 < fluxdude> does anyone have any ideas what is the best way to add username/pw on top of certificates for standalone accounts without using valid unix accounts?
09:58 < ribx_> hi guys,
09:58 < krzie> fluxdude 
09:58 < ecrist> fluxdude: yes
09:58 < krzie> !authpass
09:58 < vpnHelper> krzie: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
09:58 < ecrist> it's covered in the man page
09:58 < fluxdude> ecrist: ok looking now
09:58 < fluxdude> thx
09:58 < ecrist> I told you that 45 minutes ago
09:59 < fluxdude> ecrist: oh wait you mean for an arbitrary script
09:59 < fluxdude> what I mean is which method do you think is the best if using something like an external arbitrary user store
09:59 < fluxdude> htpasswd ?
10:00 < ecrist> naw, just user:MD5(passwd) flat-file
10:00 < krzie> your script would need to speak htpasswd then sure
10:00 < krzie> anything a script can do (which is basically anything) you can auth against
10:01 < krzie> but for the love of god dont just use MD5
10:01 < krzie> ecrist i destroy MD5 hashes
10:01 < ecrist> salted?
10:01 < ecrist> how about SHA1?
10:01 < fluxdude> krzie: what do you suggest then?
10:01 < krzie> SHA-1 is better, still owned
10:02 < fluxdude> krzie: meh, that's not completely true
10:02 < fluxdude> it still takes a while
10:02 < fluxdude> it's just 2000 times easier since some chinese researchers "cracked" it
10:02 < fluxdude> but still not that quick
10:02 < krzie> rainbow tables + GPU brute
10:03 < fluxdude> krzie: ok that is a good combo
10:03 < fluxdude> which gpu?
10:03 < krzie> well if its between MD5 or SHA-1 keep it salted or SHA-1
10:03 < fluxdude> what platform?
10:03 < krzie> MD5 gets beat up
10:03 < krzie> osx, 273 GTX
10:03 < krzie> 275*
10:04 < fluxdude> but how do you make use of that gpu, which software?
10:04 -!- Sp4rKy [n=Sp4rKy@freenode/sponsor/sp4rky] has joined ##openvpn
10:04 < Sp4rKy> hi
10:05 < Sp4rKy> is it possible to load an openvpn config without restarting all configs ? 
10:05 < krzie> fluxdude, wrong channel :-p
10:05 < krzie> google it
10:05 < krzie> Sp4rKy, ?
10:05 < fluxdude> krzie: ok got it thx
10:05 < Sp4rKy> ie: I have 5 PtP configs running, I add another one. I want openvpn to load it without /etc/init.d/openvpn restart, because it will stop and restart *all* the connexions
10:06 < krzie> Sp4rKy i take it maybe you are only starting it using the OS method
10:06 < krzie> heh yup
10:06 -!- LobbyZ [n=default@main.lobbyzffs.com] has joined ##openvpn
10:06 < krzie> just start it manually
10:06 < Sp4rKy> like ? 
10:06 < krzie> openvpn <config>
10:06 < krzie> lol
10:06 < Sp4rKy> :}
10:07 < Sp4rKy> the command used by init.d script is a bit more complex
10:07 < Sp4rKy>  /usr/sbin/openvpn --writepid /var/run/openvpn.server-2-from-6.pid --daemo
10:07 < Sp4rKy> n ovpn-server-2-from-6 --status /var/run/openvpn.server-2-from-6.status 10 --cd /etc/openvpn --config /etc/openvpn/server-2-from-6.conf
10:08 < Sp4rKy> openvpn config does not seems to daemonize it
10:09 -!- WormFood [n=wormfood@121.15.47.11] has quit [Read error: 60 (Operation timed out)]
10:09 < Sp4rKy> ehhh my bad
10:09 < Sp4rKy> /etc/init.d/openvpn start seems to works
10:09 < Sp4rKy> and start all config not started yet
10:11 < Bushmills> http://lmgtfy.com/?q=how%20to%20google%20google
10:11 < vpnHelper> Title: Let me google that for you (at lmgtfy.com)
10:11 < Bushmills> just in case
10:11 < ecrist> lol Bushmills 
10:12 -!- Kasx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 54 (Connection reset by peer)]
10:13 < Bushmills> glad to help
10:17 < ribx_> soo.. hi again. my chef who has some half knowledge about computers wanna me to have the authentification in 2 ways: once the certificate and once from the mac address of the virtual divice that is connecting (as a kind of password)
10:17 -!- mkulke is now known as sikor_sxe
10:17 < ecrist> ribx_: that won't work very weel.
10:17 < ecrist> well.
10:17 < ribx_> now, we are useing tun devices and i dont think that its possible
10:17 < ribx_> sure.
10:17 < ribx_> i need another idea/solution
10:17 < krzie> certificates
10:18 < krzie> give your private key a passphrase
10:18 < ribx_> of course he doesnt wanna any authentification
10:18 < ribx_> this he doesnt wanna
10:18 < ribx_> he wanna this automated
10:18 < ecrist> then just use certificates.
10:18 < krzie> then no passphrase on the cert
10:18 < krzie> lol
10:18 < ribx_> is there any other information i get from a connecting client than certificate?
10:18 < ecrist> not really
10:19 < krzie> it doesnt matter cause it will add NOTHING
10:19 < ribx_> ok
10:19 < ribx_> so i tell him it does not work
10:19 < ecrist> the virtual device mac address is random, and changes for every new process.
10:19 < ribx_> without authentification
10:19 < ribx_> thanks :)
10:19 < krzie> you tell him he doesnt know what hes talking about, and give him a certificate
10:19 < ribx_> ok
10:19 < ribx_> we have certificates, but he wanna some second secirity (which is stupid)
10:21 < ecrist> no, secondary auth is smart, automating both primary and secondary is stupid
10:21 < ecrist> and pointless
10:21 < ribx_> i dont know
10:21 < ecrist> I'm telling you
10:21 < ecrist> now you do know
10:21 < ribx_> some kind of pseudo security.. noone should get a certificate...
10:21 < ribx_> when he has one
10:21 < ribx_> he is already inside anyway
10:22 < ribx_> _I_ know it
10:22 < ribx_> but this is not about me ;)
10:22 < ribx_> not yet at least ;)
10:22 < krzie> but you're the one here
10:22 < krzie> so we'll give you the answers ;]
10:22 < ribx_> i have the job to try to find a solution for him
10:22 < krzie> bring him in and we'll tell him
10:22 < ribx_> thats way i am here
10:23 < ribx_> :)
10:23 < krzie> if it makes him sleep better you can compile in password reading from a file and use a script to make a flat file
10:23 < krzie> it will add 0 security
10:25 < ribx_> :)
10:25 < ribx_> no
10:25 < ribx_> he is not stupid
10:25 < krzie> but he is
10:25 < ribx_> he just doesnt understand everything
10:25 < krzie> oh ok\
10:25 < ribx_> i dont understand what he is doing
10:25 < ribx_> but i accept it
10:26 < krzie> well your job is to help him understand
10:26 < ribx_> yes
10:26 < ribx_> but
10:26 < krzie> if he wants to add more protection, best thing to do is password protect his private key
10:26 < ribx_> i have to listen to things like: if its possible, do it.
10:26 < krzie> then even is his key is jacked, it cant be read
10:27 < ribx_> sure
10:27 < krzie> optherwise you're just jacking him off
10:27 -!- WormFood [n=wormfood@58.60.222.191] has joined ##openvpn
10:27 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
10:29 < krzie> heres a tip for you, dont let non-techs control technical solutions, let them control goals in the idea sense, your job is to teach them what it is they really want to achieve that goal
10:30 < krzie> and impliment it =]
10:30 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
10:30 < ribx_> AND he doesnt wanna typ in the passphrase... anyway, thanks for your help krzie, ecrist. have nice evening (or whatever, whereever you life ;) )
10:30 < ribx_> i try my best.
10:30 < ribx_> first he needs some more respect (i am only the student..)
10:31 < ribx_> ok
10:31 < ribx_> cu 
10:31 < ribx_> and thanks for all
10:32 -!- ribx_ [n=lutz@p50991f65.dip0.t-ipconnect.de] has quit ["leaving"]
10:36 -!- d12fk [n=heiko@vpn.astaro.de] has quit [Remote closed the connection]
10:54 -!- LobbyZ [n=default@main.lobbyzffs.com] has quit [Read error: 60 (Operation timed out)]
11:01 -!- yoshx [n=yoshx@84.7.169.144] has joined ##openvpn
11:05 -!- poningru [n=poningru@dsl093-236-026.hfd1.dsl.speakeasy.net] has quit [Remote closed the connection]
11:05 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
11:05 -!- mode/##openvpn [+v Kas] by ChanServ
11:08 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit [Excess Flood]
11:09 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
11:11 < nb> can openvpn handle ipv6?
11:13 < ecrist> in bridged mode, yes
11:13 < ecrist> there are some patches that allow it to use ipv6, but they're not really supported at this time
11:13 < ecrist> !ipv6
11:13 < vpnHelper> ecrist: "ipv6" is (#1) http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_OpenVPN_Tunnelbroker.php?lang=en to learn how to setup openvpn to be an ipv6 tunnel broker, or (#2) Here are some scripts from the mail list: http://article.gmane.org/gmane.network.openvpn.user/27514 or from a mirror: http://www.ircpimps.org/join-0.8.tar
11:15 -!- d12fk [n=heiko@vpn.astaro.de] has joined ##openvpn
11:16 -!- macsppadic [n=sonupunn@82.109.74.162] has left ##openvpn []
11:22 -!- master_o1_master is now known as master_of_master
11:24 < krzie> ecrist, what bout --tun-ipv6
11:26 < fluxdude> when having a username/password authentication openvpn, I know openvpn itself supports this but does openvpn-gui?
11:26 < fluxdude> for windows clients...
11:26 < fluxdude> if the only way is to put the creds in the ovpn file then that's a no go
11:28 < krzie> fluxdude dunno, try testing it
11:29 < fluxdude> i am, I am looking at openvpn gui and cannot see any way for it to take a username/pw
11:29 < krzie> maybe it pops a window when asked for it
11:30 < krzie> ild be shocked to find that it didnt accept pass auth
11:35 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
11:35 -!- mode/##openvpn [+o mattock] by ChanServ
11:35 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:49 -!- LobbyZ [n=default@main.lobbyzffs.com] has joined ##openvpn
12:13 < cron2_> ecrist: can you make vpn-helper learn http://www.greenie.net/ipv6/openvpn.html as an alternative for IPv6?
12:13 < vpnHelper> Title: Gert Döring - IPv6 Payload Patch for OpenVPN (at www.greenie.net)
12:14  * cron2_ pats vpnHelper
12:17 < krzie> cron2, nice link
12:17 < vpnHelper> New forum entry openvpnforum: Scripting and Customizations :: Re: How to setup a OpenVPN network where the client specified ... <http://www.ovpnforum.com/viewtopic.php?f=15&t=2560&p=3020#p3020>
12:18 < krzie> !learn ipv6 as http://www.greenie.net/ipv6/openvpn.html for ipv6 payload patch (adds some nice ipv6 options)
12:18 < vpnHelper> krzie: Joo got it.
12:18 < cron2_> krzie: while it's not useful for the average openvpn user (because you have to patch and rebuild from source), it's at least a start :-) - and as soon as "we" figure out a way how to get community work back into the main source, I'll try to get it in.
12:18 < cron2_> need to test this...
12:18 < cron2_> !ipv6
12:18 < vpnHelper> cron2_: "ipv6" is (#1) http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_OpenVPN_Tunnelbroker.php?lang=en to learn how to setup openvpn to be an ipv6 tunnel broker, or (#2) Here are some scripts from the mail list: http://article.gmane.org/gmane.network.openvpn.user/27514 or from a mirror: http://www.ircpimps.org/join-0.8.tar, or (#3) http://www.greenie.net/ipv6/openvpn.html for ipv6 payload
12:19 < vpnHelper> cron2_: patch (adds some nice ipv6 options)
12:19 < cron2_> cool
12:21 < ecrist> cron2_: !factoids if you want a list
12:23 < cron2_> !factoids
12:23 < krzie> cron2_ theres actually a dev meeting today on IRC
12:23 < vpnHelper> cron2_: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
12:23 < krzie> at 17:00 GMT
12:24 < krzie> you're welcome to show up
12:24 < cron2_> krzie: yes, I'm in that channel, but so far not much has happened
12:24 < krzie> ahh cool
12:24 < ecrist> 1900GMT, krze
12:24 < krzie> doh!
12:24 < cron2_> ah
12:25 < cron2_> now that's more likely, I was already wondering :-) - I'm in GMT+1, and 17:00 GMT is 1:25h past...
12:25 < cron2_> see you over there in 35 minutes, then :)
12:25 < krzie> ahh that quick... whats the channel name?
12:26 < cron2_> #openvpn-discussion
12:41 -!- dazo [n=dazo@nat/redhat/x-vjnkmifkciediwzb] has quit [Read error: 60 (Operation timed out)]
12:43 -!- dunc_ [n=dunc@fenchurch.ipv6.braddon.org.uk] has quit [Client Quit]
12:44 -!- sikor_sxe [n=mkulke@144.41.253.148] has quit [Remote closed the connection]
12:59 -!- error404notfound [n=Eror404@119.153.57.96] has quit [Read error: 104 (Connection reset by peer)]
13:02 < fluxdude> can someone explain to me what index.txt is for in the easy-rsa/keys directory?
13:02 < fluxdude> why do we need it?
13:02 < fluxdude> what happens if I lose it?
13:03  * krzie points at ecrist 
13:10 -!- ruied [n=ruied@89.214.145.21] has quit [Connection timed out]
13:10 < ecrist> if you lose it, you cannot create or revoke any ssl certificates
13:10 < ecrist> man openvpn
13:10 < ecrist> !index.txt
13:10 < vpnHelper> ecrist: Error: "index.txt" is not a valid command.
13:10 < ecrist> hrm, thought I'd gotten around to making that one.
13:12 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has quit ["Ctrl-C at console."]
13:12 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
13:13 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Client Quit]
13:15 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
13:22 -!- error404notfound [n=Eror404@119.153.57.96] has joined ##openvpn
13:30 < |Mike|> oi
13:30 < |Mike|> ecrist / krzie we should set +R in this channel aswell, #snort, #puppet and #openbsd are beeing spammed by ctcp flooders (with some link in their ctcp msg which opens up a IRC connection what helps spamming aswell)
13:31 < krzie> +s handles it
13:31 < krzie> which ecrist set back when spam started
13:31 < |Mike|> Okay
13:32 < |Mike|>  ufpodx [n=lhgqmmew@adsl-75-20-205-28.dsl.pltn13.sbcglobal.net] requested CTCP VERSION from #puppet: Learn more at http://someurl/
13:32 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:33 -!- sleeping`dragon [n=Eror404@119.153.51.14] has joined ##openvpn
13:34 < ecrist> +R caused problems from non-regular IRC users
13:34 -!- sleeping`dragon [n=Eror404@119.153.51.14] has quit [Read error: 104 (Connection reset by peer)]
13:34 < ecrist> I don't think a registered nickname should be required for casual users.
13:35 < |Mike|> true, but it keeps the most spammers out (if they find ##openvpn at a time)
13:36 < ecrist> sure, we can address that when it happens, though.
13:36 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has quit ["Ctrl-C at console."]
13:37 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
13:38 -!- error404notfound [n=Eror404@119.153.57.96] has quit [Read error: 60 (Operation timed out)]
13:43 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has quit ["Ctrl-C at console."]
13:45 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
13:57 -!- sleeping`dragon [n=Eror404@203.99.175.244] has joined ##openvpn
14:01 < cron2_> !factoids search qnx
14:01 < vpnHelper> cron2_: "qnx" is http://ovpnforum.com/viewtopic.php?f=4&t=2449 for the qnx6 port of openvpn
14:04 < krzie> !wishlist
14:04 < vpnHelper> krzie: "wishlist" is http://ovpnforum.com/viewforum.php?f=10 for the openvpn wishlist
14:28 -!- fluxdude [n=fluxdude@unaffiliated/fluxdude] has quit [Read error: 110 (Connection timed out)]
14:30 -!- |404NotFound| [n=Eror404@203.99.173.55] has joined ##openvpn
14:31 -!- |404NotFound| [n=Eror404@203.99.173.55] has quit [Read error: 54 (Connection reset by peer)]
14:32 -!- |404NotFound| [n=Eror404@203.99.175.52] has joined ##openvpn
14:37 -!- error404notfound [n=Eror404@203.99.182.164] has joined ##openvpn
14:40 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:52 -!- sleeping`dragon [n=Eror404@203.99.175.244] has quit [Read error: 110 (Connection timed out)]
14:57 -!- ruied [n=ruied@95.69.89.16] has joined ##openvpn
14:59 -!- |404NotFound| [n=Eror404@203.99.175.52] has quit [Connection timed out]
14:59 -!- jbartus [n=jbartus@smokey.stfudonny.com] has joined ##openvpn
14:59 < jbartus> !welcome
14:59 < vpnHelper> jbartus: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:00 < jbartus> !goal
15:00 < vpnHelper> jbartus: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:01 < jbartus> i have a openvpn server setup and working with these three custom lines in the server.conf: http://www.pastie.org/799418
15:01 < jbartus> that works nicely for road-warrior access
15:01 < jbartus> i want to also setup a server-to-server
15:02 < jbartus> is it possible to have a particular client cert skip the login plugin?
15:05 -!- error404notfound [n=Eror404@203.99.182.164] has quit [Read error: 110 (Connection timed out)]
15:18 < Bushmills> what is "login procedure"?
15:25 -!- fluxdude [n=fluxdude@unaffiliated/fluxdude] has joined ##openvpn
15:32 -!- aaa___ [i=nebula@75-54-230-125.lightspeed.sntcca.sbcglobal.net] has joined ##openvpn
15:33 < aaa___> is there a way to launch a .bat script on he client machine once the client is connected?
15:33 -!- Dougy [n=me@69.10.59.230] has joined ##openvpn
15:33 < Dougy> !tunortap
15:33 < vpnHelper> Dougy: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
15:33 < vpnHelper> Dougy: against you over the vpn
15:33 < aaa___> anyone?
15:34 < aaa___> I want a mount script as soon as the client is connected
15:34 < Bushmills> aaa___: --up
15:34 < aaa___> Bushmills, thaks so it will be --up test.bat
15:34 < aaa___> and it needs to sit in the config dir?
15:34 < Dougy> krzie: http://www.ovpnforum.com/viewtopic.php?f=4&t=2445&p=3029#p3029
15:34 < Dougy> am i right
15:34 < Bushmills> i wonder why you couldn't find that in the man page
15:34 < vpnHelper> Title: OpenVPN Forum View topic - MULTI: new incoming connection would exceed maximum number o (at www.ovpnforum.com)
15:36 < Bushmills> and i'd pass the full path
15:38 < aaa___> sorry dougy, tried the document way and it isn't working :-P
15:39 < aaa___> so --up C:\test.bat
15:39 < Dougy> aaa___: ??
15:39 < aaa___> would be a valid argument for the client config directive?
15:40 < Dougy> cd... i don't put --'s
15:40 < Dougy> just the
15:40 < Dougy> up C:\test.bat
15:40 < Bushmills> also on command line?
15:41 < Dougy> commandline no, im taking aobut in the ccd-dir
15:41 < Dougy> ccd dir
15:41 < Bushmills> ccd is server, not client
15:42 < Dougy> yes
15:42 < Dougy> Bushmills: <aaa___> would be a valid argument for the client config directive?
15:42 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
15:42 < Dougy> ccd ?
15:42 < Dougy> goin2slee
15:42 < Bushmills> (22:33:04) aaa___: is there a way to launch a .bat script on he client machine once the client is connected?
15:42 < Dougy> ah
15:42 < Dougy> well he asked me about ccd
15:42 < Dougy> afk
15:44 < aaa___> not working
15:45 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: MULTI: new incoming connection would exceed maximum number o :: ... <http://www.ovpnforum.com/viewtopic.php?f=4&t=2445&p=3029#p3029>
15:47 -!- chilicuil [n=sistemas@unaffiliated/chilicuil] has quit ["Leaving."]
15:47 -!- chilicuil [n=sistemas@unaffiliated/chilicuil] has joined ##openvpn
15:48 < Bushmills> aaa___: try reading a bit of manual
15:49 < Bushmills> hint: --script-security
15:52 -!- PeterFA [n=Peter@c-98-203-132-209.hsd1.wa.comcast.net] has joined ##openvpn
15:55 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.86 [Firefox 3.6/20100115144158]"]
16:01 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit [Read error: 113 (No route to host)]
16:05 < aaa___> tried it and nothing worked :(
16:05 < aaa___> maybe one day I will get it to work!
16:05 < aaa___> thank you
16:06 -!- aaa___ [i=nebula@75-54-230-125.lightspeed.sntcca.sbcglobal.net] has quit ["aaa___ has no reason"]
16:09 < Bushmills> time will tell
16:25 -!- yoshx [n=yoshx@84.7.169.144] has quit [Read error: 110 (Connection timed out)]
16:31 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
16:52 -!- Dougy [n=me@69.10.59.230] has quit []
16:52 < jeffl_> Wow this channel is actually quite busy
17:01 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
17:01 < reiffert> Hi guys!
17:03 < krzee> !static
17:03 < jeffl_> hai
17:03 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
17:03 < krzee> moinmoin reif
17:04 < krzee> !ccd
17:04 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
17:05 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:09 -!- chilicuil1 [n=sistemas@189.191.135.160] has joined ##openvpn
17:10 -!- chilicuil [n=sistemas@unaffiliated/chilicuil] has quit [Read error: 104 (Connection reset by peer)]
17:15 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: MULTI: new incoming connection would exceed maximum number o :: ... <http://www.ovpnforum.com/viewtopic.php?f=4&t=2445&p=3033#p3033> || Server Administration :: Re: MULTI: new incoming connection would exceed maximum number o :: ... <http://www.ovpnforum.com/viewtopic.php?f=4&t=2445&p=3034#p3034>
17:21 -!- poningru [n=poningru@dsl093-236-026.hfd1.dsl.speakeasy.net] has joined ##openvpn
17:32 -!- pukeko [n=pukeko@121.90.3.120] has joined ##openvpn
17:34 < pukeko> hi all - quick question.. if i elect "hide the TAP-Win32" when installing the Gui, what is this hidden adapted called by default, i.e for in my config file ?  
17:34 < pukeko> *adapter
17:36 < pukeko> can i rename it if its hidden ?
17:36 < pukeko> i want it hidden so it doesn't cause clutter for the user
17:40 < pukeko> ...ok then let me rephrase my question..
17:42 < pukeko> using OpenVpnGui , what it the default name for the adapter if the "hide" flag is elected during instalation ?
17:45 < pukeko> hmmm thanks for your time
17:45 -!- pukeko [n=pukeko@121.90.3.120] has left ##openvpn []
17:57 -!- Netsplit over, joins: APTXderZweite, endre, koin
17:57 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: julius, Bushmills, disco-, Sky[x], APTX
17:57 -!- APTX [n=APTX@chello089076052083.chello.pl] has joined ##openvpn
17:58 -!- Netsplit over, joins: disco-
17:58 -!- Bushmills [n=nnnnBush@verhau.de] has joined ##openvpn
17:58 -!- Netsplit over, joins: Sky[x]
18:06 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
18:06 -!- chilicuil1 [n=sistemas@189.191.135.160] has quit [Client Quit]
18:11 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
18:12 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:13 -!- LobbyZ [n=default@main.lobbyzffs.com] has quit ["Free FTW"]
18:24 -!- fluxdude [n=fluxdude@unaffiliated/fluxdude] has quit [Read error: 113 (No route to host)]
18:46 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Read error: 104 (Connection reset by peer)]
19:09 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
19:44 -!- openvpn2009 [n=email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit ["ircN 8.00 for mIRC (20080809) - www.ircN.org"]
19:50 -!- LobbyZ [n=default@main.lobbyzffs.com] has joined ##openvpn
21:11 < krzee> lol @pukeko
21:11 < krzee> was here for all of 13 minutes before deciding he couldnt get help
21:11 < krzee> if he was still here ild be able to tell him not to rename it and theres no worries about it being hidden
21:16 < vpnHelper> New forum entry openvpnforum: Scripting and Customizations :: Re: How to setup a OpenVPN network where the client specified ... <http://www.ovpnforum.com/viewtopic.php?f=15&t=2560&p=3044#p3044>
21:33 -!- sdlk [n=sdlk@CL-GSCE-GW087.herts.ac.uk] has joined ##openvpn
21:34 < sdlk> i use a wireless broadband modem, if the openvpn server is somewhere on my home network will my traffic be sent out encrypted? 
21:34 < theDoc> If you route it through, yes
21:35 < sdlk> but i dont understand if its encrpyted as its leaving my wirless modem how does the target understand what it is ? /
21:39 < krzee> it will be encrypted from client to server
21:39 < sdlk> thats what i thought was logical to me 
21:39 < sdlk> but that means it isn't encrypted as it leaves through my wirleess modem 
21:39 < sdlk> meaning people can packet inject?
21:40 < krzee> can they get between server and router?
21:40 < krzee> by get i mean layer2
21:43 < krzee> if so, yes
21:46 < vpnHelper> New forum entry openvpnforum: Introductions :: Hello, new here! :: Author GrantElla <http://www.ovpnforum.com/viewtopic.php?f=11&t=2588&p=3037#p3037>
21:49 < sdlk> i think im gonna be better off paying for a commercial vpn provider
21:50 < sdlk> i dont wanna risk not securing it properly 
21:50 < krzee> just get a server outside your lan
21:50 < krzee> or ya, commercial provider
21:50 < sdlk> yea i think i will do that now, but the only server i can get is a commercial one
21:50 < krzee> theDoc sells them, toss him a msg if you wanna check him out
21:50 < sdlk> is there a vpn provider which will definately not route my traffic anywhere malicious...i dont wanna deal with any shady companies
21:51 < sdlk> i definately dont want to use anybody that isn't hugely respected
21:51 < rob0> Shady VPN, Inc.
21:51 < krzee> only one i know of is theDoc's, he helps people around here
21:51 < theDoc> I heard my name ;p
21:52 < krzee> sdlk is looking for a vpn provider, i told him he could msg you to talk bout that
21:52 < krzee> if he wants
21:52 < theDoc> Sure thing, ;)
21:52 < theDoc> sdlk> Let me know if you need something. ;)
21:52 < theDoc> Thanks krz.
21:52 < krzee> np
21:52 < sdlk> i dont want to reely on n e 1 on irc 
21:53 < rob0> So, this is not a good place to ask.
21:53 < krzee> LOL
21:53 < sdlk> for the vpn provider that is
21:53 < sdlk> but id like the advice from you 
21:53 < krzee> you didnt like my advice :p
21:54 < theDoc> sigh, why do people always do this shit.
21:54 < theDoc> Lunch time, ;p see you guys later.
21:54 < krzee> really, as if youd be more qualified if you were not here helping people
21:54 < krzee> adios
21:54 < rob0> In any security analysis, the first step should be to describe the threat model.
21:55 < theDoc> krzee> It's exactly because I help people, I actually have an idea what goes on ;p
21:55 < sdlk> you gotta be able to suggest a really mainstream vpn provider that is trustwrothy though surely ?
21:56 < krzee> theDoc, yup
21:56 < krzee> sdlk, we dont really deal with those here, we run our own servers
21:56 < rob0> Gee, I just run my own VPN among my own endpoints.
21:56 < krzee> hence, we are the last people to ask about that
21:57 < krzee> other than the fact that someone who helps around here happens to run one ;]
21:57 < theDoc> sdlk> Yes, I'm sure the rest of the "mainstream" vpn providers that want you to buy pptp services have your best interest at heart.
21:57 < theDoc> Now, pptp is absolute shit.
21:57 < rob0> !pptp
21:57 < vpnHelper> rob0: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
21:57 < vpnHelper> rob0: read about why to not use pptp
21:57 < krzee> theDoc, dude giganews uses pptp, LOL
21:57 < krzee> i just found that out
21:57 < theDoc> krzee> FAIL!
21:57 < krzee> its serious lulz
21:58 < theDoc> Any provider that's "mainstream" or whatever that means, which uses pptp should never be taken seriously at all.
21:58 < krzee> they're a serious company, using such a non-serious vpn solution
21:58 < sdlk> openvpn known to be the most secre then? 
21:58 < theDoc> That's my taken on it, pptp should have been depreciated something like 10 years ago.
21:58 < krzee> sdlk, actually yes, since it uses openssl to handle every aspect of its encryption
21:59 < theDoc> sdlk> Yes
21:59 < rob0> "Most secure" is not a valid concept.
21:59 < theDoc> rob0> Most secure out of all the existing vpn solutions if deployed right, then yes ;p
21:59 < theDoc> ymmv, I'm out for lunch now. ;)
22:00 < rob0> well, it all comes down to that "if"
22:00 < krzee> oh of course thats true
22:00 < rob0> and, as I said, what the real concern is
22:01 < rob0> If you want to connect two endpoints that you control, and secure their traffic, openvpn is surely among the best choices available.
22:01 < theDoc> No one should or can sell a "most secured" vpn solution. It's absolute bull.
22:01 < theDoc> However, security is an every day issue.
22:01 < theDoc> and I'm hungry
22:01 < theDoc> >_>
22:01 < krzee> go eat!
22:02 < theDoc> Yessir.
22:02 < theDoc> ;p
22:02 < rob0> If you want to mask your Internet access through a VPN provider, you are implicitly trusting that provider.
22:03 -!- flaco [n=flaco@pc-166-153-83-200.cm.vtr.net] has joined ##openvpn
22:04 < flaco> hi all.. I'm following this guide https://help.ubuntu.com/community/OpenVPN
22:04 < vpnHelper> Title: OpenVPN - Community Ubuntu Documentation (at help.ubuntu.com)
22:04 < krzee> mmm my gf rules
22:04 < Bushmills> !ubuntu
22:04 < vpnHelper> Bushmills: "ubuntu" is dont use network manager!
22:04 < krzee> steak and mashed potatoes delivered to bed
22:04 < krzee> flaco,
22:04 < krzee> !goal
22:04 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
22:04 < krzee> step 1, put down the ubuntu guide!
22:04 < flaco> but the command chown -R root:admin say "chown: missing operand after `root:admin'
22:05 < Bushmills> you forgot something
22:05 < krzee> well of course, chown is chown <flags> user:group FILES!
22:05 < rob0> um, /j #chown ;)
22:05 < krzee> you are changing owners of a file or dir
22:05 < krzee> hehe
22:05 < Bushmills>  /j #ubuntu
22:05 < krzee> yup, thats basic linux question, not openvpn related
22:06 -!- PeterFA [n=Peter@unaffiliated/peterfa] has quit [Read error: 60 (Operation timed out)]
22:07 < krzee> a lil 'man chown' wouldnt hurt either
22:07 < rob0> If the wiki has an error, it should be corrected
22:08 < rob0> (but, maybe they have a talk page that you can mention it on)
22:08 < rob0> If you don't know how to use GNU Coreutils, you shouldn't be writing documentation.
22:10 < krzee> nah the docs are right
22:10 < krzee> the user just didnt understand the . matters
22:10 < krzee> cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
22:10 < krzee> sudo chown -R root:admin .  ## make this directory writable by the system administrators
22:10 < krzee> sudo chmod g+w . ## make this directory writable by the system administrators
22:13 -!- Darkclaw66 [n=fortness@unaffiliated/darkclaw66] has joined ##openvpn
22:13 < Darkclaw66> has anyone setup openvpn so it runs udp and tcp on freebsd?
22:13 < krzee> sure
22:13 < krzee> 1 process for udp, 1 for tcp
22:13 < krzee> different configs
22:14 < Darkclaw66> that is exactly what I need to do but if its in /usr/local/etc/rc.d do I create one that says openvpntcp and another one that says openvpnudp ?
22:15 < krzee> just start 1 the rc.d way and do the other in crontab or something
22:15 < krzee> @reboot <command>
22:15 < krzee> well, thats how i do it cause im lazy
22:15 < Darkclaw66> I remember you mentioned a feature request to have openvpn run in both tcp and udp mode, do you know if they are working on it?
22:15 < krzee> maybe its doable with fbsd's rc.d script, i never looked
22:16 < krzee> Darkclaw66, for all i know they may have seen it for the first time today
22:16 < krzee> i linked the wishlist to the dev meeting today
22:16 < Darkclaw66> it will be huge if they implement it
22:17 < Darkclaw66> it makes sense to do it
22:20 < Darkclaw66> I just opened openvpn in rc.d and it says the script supports multiple instances of openvpn
22:23 < Darkclaw66> its actually not that bad since they support that
22:28 < Darkclaw66> krzee do they both use the same tun?
22:30 -!- PeterFA [n=Peter@c-98-203-132-209.hsd1.wa.comcast.net] has joined ##openvpn
22:48 < krzee> no
22:54 < Darkclaw66> that might be a problem, I definitely don't want to have multiple tun interfaces
22:55 < Darkclaw66> you have tun1 and tun2?
22:55 < flaco> ok.. I installed openvpn on linux, a windows client can't connect.. but the linux box does not have internet access.. any ideas?
22:56 < flaco> wait... windows client CAN connect..
23:02 < rob0> "modprobe telepathy" and connect the Linux to a telepathic ISP.
23:05 -!- ranitha [n=ranitha@eth217.vic.adsl.internode.on.net] has joined ##openvpn
23:09 < Darkclaw66> that would be sweet
23:10 -!- sdlk [n=sdlk@CL-GSCE-GW087.herts.ac.uk] has quit []
23:19 < Darkclaw66> well, I switched back to UDP mode and I hope that I won't have packet loss at work
23:22 < Darkclaw66> sad thing is, I work for one of the biggest ISPs 
23:22 < Darkclaw66> but I use a different ISP at home
23:37 < Darkclaw66> everyone asleep already eh
23:53 -!- WormFood [n=wormfood@58.60.222.191] has quit [Read error: 60 (Operation timed out)]
23:54 -!- WormFood [n=wormfood@58.60.222.191] has joined ##openvpn
23:57 -!- Darkclaw66 [n=fortness@unaffiliated/darkclaw66] has quit []
--- Day changed Fri Jan 29 2010
00:01 -!- ranitha [n=ranitha@eth217.vic.adsl.internode.on.net] has quit ["Leaving"]
00:17 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
00:20 -!- error404notfound [n=Eror404@119.153.132.81] has joined ##openvpn
00:29 -!- flacom [n=flaco@pc-166-153-83-200.cm.vtr.net] has joined ##openvpn
00:29 -!- flaco [n=flaco@pc-166-153-83-200.cm.vtr.net] has quit [Read error: 104 (Connection reset by peer)]
00:32 -!- disappearedng_ [n=disappea@unaffiliated/disappearedng] has joined ##openvpn
00:32 < disappearedng_> possible to tell my applications to not use a certain ip interface, like tun0 which is my openvpn's tunnel when openvpn is on? 
00:40 -!- flaco [n=flaco@pc-166-153-83-200.cm.vtr.net] has joined ##openvpn
00:40 -!- flacom [n=flaco@pc-166-153-83-200.cm.vtr.net] has quit [Read error: 54 (Connection reset by peer)]
01:00 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
01:16 -!- error404notfound [n=Eror404@119.153.132.81] has quit [Read error: 110 (Connection timed out)]
01:18 -!- error404notfound [n=Eror404@119.153.71.135] has joined ##openvpn
01:22 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
01:41 -!- error404notfound [n=Eror404@119.153.71.135] has quit [Read error: 110 (Connection timed out)]
01:46 -!- error404notfound [n=Eror404@119.153.56.43] has joined ##openvpn
01:47 -!- error404notfound [n=Eror404@119.153.56.43] has quit [SendQ exceeded]
01:48 -!- error404notfound [n=Eror404@119.153.56.43] has joined ##openvpn
02:10 -!- sleeping`dragon [n=Eror404@119.153.63.242] has joined ##openvpn
02:16 -!- flaco [n=flaco@pc-166-153-83-200.cm.vtr.net] has quit [Read error: 104 (Connection reset by peer)]
02:19 -!- sleeping`dragon [n=Eror404@119.153.63.242] has quit [Read error: 104 (Connection reset by peer)]
02:25 -!- error404notfound [n=Eror404@119.153.56.43] has quit [Read error: 110 (Connection timed out)]
03:00 -!- teddymills [n=teddy@208.92.235.227] has quit [Read error: 104 (Connection reset by peer)]
03:00 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
03:07 -!- macsppadic [n=sonupunn@82.109.74.162] has joined ##openvpn
03:09 -!- master_o1_master [n=master_o@p57B55B7E.dip.t-dialin.net] has joined ##openvpn
03:15 -!- le0 [n=itsle0@87.112.250.227] has joined ##openvpn
03:15 -!- WormFood [n=wormfood@58.60.222.191] has quit [Read error: 60 (Operation timed out)]
03:16 -!- WormFood [n=wormfood@58.60.222.191] has joined ##openvpn
03:21 -!- master_of_master [n=master_o@p57B54A03.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
03:21 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Remote closed the connection]
03:23 -!- fluxdude [n=fluxdude@unaffiliated/fluxdude] has joined ##openvpn
03:40 -!- dazo_afk [n=dazo@nat/redhat/x-iyxxdnbqukoenzpg] has joined ##openvpn
03:40 -!- dazo_afk is now known as Guest24100
03:40 -!- Guest24100 is now known as dazo
03:43 < krzee> disappearedng_, what do you mean?
03:55 -!- WormFood [n=wormfood@58.60.222.191] has quit [Read error: 60 (Operation timed out)]
03:55 -!- WormFood [n=wormfood@58.60.222.191] has joined ##openvpn
03:56 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
03:58 < fluxdude> I have written a script and tested it worked with openvpn for auth-user-pass but it also seems that as long as you have any certificate and any one of the username/password combinations it will let you in
03:59 < fluxdude> is there a way to tie a username/password to a certificate to keep everything straight?
04:01 < krzee> if your script can do it, openvpn can
04:01 < krzee> it should be getting common-name passed to it as a variable
04:01 < krzee> so do as you want in your script =]
04:04 < fluxdude> ok, right, thanks I didn't know that, although I did read about a bunch variable yesterday and forgot so this makes sense, I think it's a whole tonne of them, right?
04:04 < fluxdude> from end of manual...
04:04 < fluxdude> iirc
04:04 < krzee> exactly
04:05 < |Mike|> :-)
04:05 < krzee> ENVIRONMENT VARIABLES section
04:05 < fluxdude> ok thx that's exactly the reminder I needed...
04:05 < krzee> each script may get different ones tho
04:05 < fluxdude> will rewrite script
04:05 < krzee> if you would, post that script in bragging rights section of the forum
04:06 < cron2_> fluxdue: just run "env >>/tmp/env.out" in your script and look at all the nice stuff there :)
04:06 < krzee> would be nice to start getting those custom scripts archived in the forum
04:06 < krzee> !forum
04:06 < vpnHelper> krzee: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
04:39 -!- WormFood [n=wormfood@58.60.222.191] has quit [Read error: 60 (Operation timed out)]
04:40 -!- WormFood [n=wormfood@one.look.at.your.mother.and.i.screamed.jesusfuckinchrist.com] has joined ##openvpn
04:44 -!- error404notfound [n=Eror404@119.153.64.38] has joined ##openvpn
04:59 -!- Diffen2 [n=diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has quit ["This computer has gone to sleep"]
05:15 -!- sleeping`dragon [n=Eror404@203.99.174.158] has joined ##openvpn
05:22 -!- error404notfound [n=Eror404@119.153.64.38] has quit [Read error: 60 (Operation timed out)]
05:34 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
05:34 -!- mode/##openvpn [+o mattock] by ChanServ
05:55 -!- Diffen2 [n=diffen2@226.234.241.83.in-addr.dgcsystems.net] has joined ##openvpn
06:00 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
06:23 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
06:23 -!- Diffen [n=diffen2@c-3477e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Read error: 110 (Connection timed out)]
06:38 -!- Diffen [n=diffen2@c-607fe555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
06:54 -!- flaco [n=flaco@pc-166-153-83-200.cm.vtr.net] has joined ##openvpn
06:56 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:00 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
07:05 -!- Nappy [n=nappy@123-247.97-97.tampabay.res.rr.com] has quit ["Leaving"]
07:09 < flaco> !welcome
07:09 < vpnHelper> flaco: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:13 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
07:15 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
07:19 -!- dazo is now known as dazo_afk
07:21 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
07:32 < flaco> hi all... I got a windows XP connected to the openvpn server (over LAN), but when I try connect a computer (linux) who is another network I can't, in the router I got the openvpn in DMZ and forward the 443 port to the openvpn server... any ideas?
07:32 < fluxdude> damn it, I finished writing / testing my simple auth and the found this: http://www.eurephia.net/
07:32 < |Mike|> you're using udp right ? :-)
07:32 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
07:32 < fluxdude> why didn't someone mention it when I asked yesterday...
07:33 < macsppadic> wow...didnt know of that 
07:33 < fluxdude> hmmm that thing has patches and all sorts of rubbish
07:34 < fluxdude> why isn't it just a script ...
07:34 < fluxdude> like mine
07:34 < fluxdude> not going to use that, it's too much trouble
07:34 < fluxdude> when openvpn includes a native way of doing this then I'll upgrade and use that.
07:38 < flaco> !howto
07:38 < vpnHelper> flaco: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:39 < flaco> !interface
07:39 < vpnHelper> flaco: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
07:44 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
07:44 -!- tiav [n=tiav@mx.fr.smartjog.net] has joined ##openvpn
07:45 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
07:45 -!- mnemoc [n=amery@188.40.102.234] has joined ##openvpn
07:47 < mnemoc> hi, when running openvpn is a given server in bridge mode, can it be setup to ask the dhcp server for an address for the client?
07:47 < mnemoc> s/is/in/
07:58 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 60 (Operation timed out)]
08:05 -!- chilicuil [n=sistemas@unaffiliated/chilicuil] has joined ##openvpn
08:08 < mnemoc> found it on the FAQ :) thanks!
08:08 -!- mnemoc [n=amery@188.40.102.234] has left ##openvpn []
08:22 < Optic> moo
08:22 < ecrist> BLAMMO
08:25 -!- disappearedng_ [n=disappea@unaffiliated/disappearedng] has quit [Read error: 110 (Connection timed out)]
08:26 -!- disappearedng_ [n=disappea@unaffiliated/disappearedng] has joined ##openvpn
08:29 -!- smultring [i=ros2468@bus-driver.net] has joined ##openvpn
08:38 -!- le0 [n=itsle0@87.112.250.227] has quit [Client Quit]
08:41 < disappearedng_> Hey while using openvpn, 
08:41 < disappearedng_> is it possible to have my other services, like apache and azureus to not use the tunnel? 
08:44 < ecrist> only if they're on other IPs, unless you use policy routing through your firewall
08:45 -!- Holister [n=ryan@static-151-204-189-39.pskn.east.verizon.net] has quit [Read error: 113 (No route to host)]
08:45 < disappearedng_> ok for example
08:45 < disappearedng_> I have apache
08:46 < fluxdude> is it possible to specify the username in the config file of openvpn client?
08:46 < disappearedng_> i still have eth0 as my network interfaces
08:46 < disappearedng_> so I guess no? 
08:47 < fluxdude> rather than being prompted for it
08:47 < ecrist> fluxdude: what do you mean?
08:47 < fluxdude> I want to only be prompted for the password not the username
08:47 < fluxdude> so I want to put the username in the config file
08:47 < ecrist> disappearedng_: not within openvpn, you  need a firewall to policy-route
08:47 < fluxdude> when using auth-user-pass-verify on the server
08:47 < ecrist> fluxdude: there is a CN as username option, search the man page for it
08:48 < disappearedng_> do you have any good firewall to recommend for this? 
08:48 < ecrist> pf, iptables, ipchains, any firewall, really
08:48 < fluxdude> ecrist: I've already looked at that
08:48 < fluxdude> it looks to do it the other way around when you are disabling cert usage
08:48 < ecrist> that's your options, fluxdude 
08:48 < fluxdude> ecrist: you meant that for disappearedng_ didn't you?
08:49 < ecrist> the firewall, yes
08:49 < disappearedng_> ecrist: you have any articles or how to on this subject matter ? 
08:50 < ecrist> !google how to do policy based routing
08:50 < vpnHelper> ecrist: How to use the Cisco IOS Policy-Based Routing Features: <http://www.petri.co.il/how-to-use-cisco-ios-policy-based-routing-features.htm>; PIX/ASA : Security Appliance FAQ - Cisco Systems: <http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml>; Policy-Based Routing [IP Routing] - Cisco Systems:
08:50 < vpnHelper> ecrist: <http://www.cisco.com/en/US/products/ps6599/products_white_paper09186a00800a4409.shtml>
08:50 < fluxdude> ecrist: I'm not clear, I have already looked at the username-as-common-name which uses the username as the cn, whereas I want to make sure the username sent matches the cn
08:51 -!- chilicuil [n=sistemas@unaffiliated/chilicuil] has quit ["Leaving."]
08:51 < fluxdude> there is no --username-as-cn option in the man page
08:51 < fluxdude> or similar
08:51 < fluxdude> have done a bunch of keyword searches on the man page in 2.1
08:51 -!- chilicuil [n=sistemas@unaffiliated/chilicuil] has joined ##openvpn
08:52 < disappearedng_> so I need a cisco router for this? 
08:52 < ecrist> fluxdude: there is an option, let me do your homework for you
08:52 < fluxdude> disappearedng_: no you can do policy based routing on linux
08:52 < ecrist> google it, disappearedng_ 
08:52 < fluxdude> ecrist: you're not doing my homework, I've already scoured the man page for openvpn several times
08:53 < fluxdude> and used /keyword searching on a tonne of things
08:53 < fluxdude> the --username-as-common-name is not going to set the username according to the certificates's cn
08:53 < fluxdude> it does the opposite for when you disable certs
08:53 -!- ruied [n=ruied@95.69.89.16] has quit [Read error: 60 (Operation timed out)]
08:54 < ecrist> fluxdude: --username-as-common-name
08:55 < ecrist> did you read the section on auth-user-pass-verify?
08:55 -!- Diffen2 [n=diffen2@226.234.241.83.in-addr.dgcsystems.net] has quit ["This computer has gone to sleep"]
08:55 < fluxdude> I'm talking about something to prevent the client for prompting for a username
08:55 < ecrist> and read the part about method?
08:55 < fluxdude> ecrist: several times since I've written a working plugin for it
08:58 < fluxdude> For --auth-user-pass-verify authentication, use the authenticated username as the common name, rather than the common name from the client cert.
08:58 < fluxdude> that's from the man page
08:58 < fluxdude> it does the Opposite to what I am talking about
08:58 < fluxdude> I'm talking about the client not being prompted for a username, openvpn just sending whatever the common-name is as the username
08:58 < fluxdude> can't find any option that does that
09:09 -!- tiav [n=tiav@mx.fr.smartjog.net] has quit [K-lined]
09:15 -!- dazo_afk is now known as dazo
09:18 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:21 -!- sleeping`dragon [n=Eror404@203.99.174.158] has quit [Read error: 104 (Connection reset by peer)]
09:23 -!- sleeping`dragon [n=Eror404@119.153.65.251] has joined ##openvpn
09:28 -!- sleeping`dragon [n=Eror404@119.153.65.251] has quit ["User guilty of hitting the Big Red X"]
09:43 -!- le0 [n=itsle0@87.112.250.227] has joined ##openvpn
09:46 -!- leleobhz [n=leleobhz@unaffiliated/leleobhz] has joined ##openvpn
09:46 < leleobhz> im configuring a vpn with cacert certificates
09:46 -!- BoomSie [n=gideon@dw77242112238.amsterdam-tc.dataweb.net] has joined ##openvpn
09:46 < leleobhz> i got a lot of issues, but almost solved. i cant resolve this:
09:47 < leleobhz> Fri Jan 29 13:44:57 2010 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
09:47 < leleobhz> Fri Jan 29 13:44:57 2010 TLS Error: TLS object -> incoming plaintext read error
09:47 < leleobhz> Fri Jan 29 13:44:57 2010 TLS Error: TLS handshake failed
09:47 < leleobhz> have no another error, just this.
09:47 < leleobhz> what can be wrong?
09:52 < leleobhz> VERIFY nsCertType ERROR: /CN=domain, require nsCertType=SERVER
09:52 < leleobhz> when domain is my host fqdn
09:53 < ecrist> !configs 
09:53 < ecrist> !logs
09:53 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
09:53 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
09:54 -!- endre [i=me2@urbnet.hu] has quit ["maintenance"]
09:56 < leleobhz> ecrist: i think i found the issue. cacert appear to dont turned the certificate nsCertType to server
09:59 < leleobhz> now the problem is the timeout of tls
10:15 -!- fluxdude [n=fluxdude@unaffiliated/fluxdude] has quit [Read error: 104 (Connection reset by peer)]
10:20 -!- fluxdude [n=fluxdude@unaffiliated/fluxdude] has joined ##openvpn
10:20 < fluxdude> I want to firewalling a couple of contractors on my openvpn setup, what is the best way of doing this, push a specific ip range to those contractors and restrict traffic to/from that ip range or using some kind of learn-address script?
10:22 < macsppadic> fluxdude: i did a specific range and control the traffic from there on 
10:22 < macsppadic> when i had a similar setup 
10:23 < macsppadic> u will have to make sure that client to client is disabled - i believe to get firewall controls to work - 
10:23 < fluxdude> macsppadic: can't the contractors just change their addresses on their tap devices to circumvent the firewall rule???
10:26 -!- nb [n=nb@fedora/pdpc.monthlygold.nb] has quit [SendQ exceeded]
10:26 < macsppadic> fluxdude: just wasnt keen on the circumventing firewall bit...fitted my needs at the time ...
10:26 < macsppadic> also the third party hired by the client - well suffice to say clients wanted us to lock it down..:-)
10:34 -!- nb [n=nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
10:36 -!- nb [n=nb@fedora/pdpc.monthlygold.nb] has quit [Excess Flood]
10:40 -!- disappearedng_ [n=disappea@unaffiliated/disappearedng] has quit [Read error: 110 (Connection timed out)]
10:42 -!- disappearedng_ [n=disappea@unaffiliated/disappearedng] has joined ##openvpn
10:43 -!- yoshx [n=yoshx@84.7.169.144] has joined ##openvpn
10:44 < fluxdude> macsppadic: what do you mean? You don't have faith in the security not being circumvented when doing this?
10:44 < fluxdude> or you couldn't be bothered locking it down and it was just at the client's insistance
10:47 < fluxdude> which do you think is better, learn-address or just having a subnet for these clients?
10:47 < fluxdude> and then pushing the ifconfig and having only that subnet firewall restricted...
10:47 < fluxdude> ?
10:47 < macsppadic> clients insistance fluxdude 
10:47 -!- pestilence [n=pestilen@unaffiliated/pestilence] has joined ##openvpn
10:48 < pestilence> isn't SIGHUP supposed to reload openvpn?  when i send that signal, openvpn dies
10:48 < pestilence> (on ubuntu, started with the system startup scripts)
10:50 < pestilence> version is OpenVPN 2.0.6 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 10 2006
10:51 < ecrist> no, only way to reload configs is through mgmt interface
10:51 < Bushmills> "to deliver a SIGHUP or SIGUSR1  signal  to  OpenVPN.   OpenVPN will  then  reestablish  a  connection  with  its  most recently authenticated peer"
10:52 < Bushmills> guess where this comes from
10:52  * ecrist guesses a magical irc fairy
10:53 < pestilence> Bushmills: is that directed at me?  here is what "man openvpn" under SIGNALS tells me
10:53 < ecrist> iow, Bushmills == Magical IRC Fairy
10:53 < pestilence>  SIGHUP Cause  OpenVPN to close all TUN/TAP and network connections, restart, re-read the configuration file (if any), and re‐open TUN/TAP and network connections.
10:54 < pestilence> so the man page says "SIGHUP--> restart and reread configuration files"
10:54 < pestilence> but when i send it SIGHUP, it exits
10:54 < pestilence> ecrist: what is the management interface
10:55 < ecrist> look for that on the man page
10:56 < Bushmills> pestilence:   http://scarydevilmonastery.net/snap/1264784103172880271.png  no mention of config reload without restarting connection
10:56 -!- Diffen2 [n=diffen2@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
10:57 -!- nb [n=nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
10:57 -!- ruied [n=ruied@89.180.121.75] has joined ##openvpn
11:00 < pestilence> Bushmills: that snapshot says exactly what i pasted, does it not?
11:02 -!- macsppadic [n=sonupunn@82.109.74.162] has left ##openvpn []
11:02 < Bushmills> so we could assume that a: we have similar man pages, and b: that at least part of the restart works.  why it doesn't complete, by managing to reestablish the connection, if probably the 1 million $ question.
11:03 < pestilence> haha, ok
11:03  * ecrist points to logs.
11:04 < Bushmills> in your original question, i thought to read from "why doesn't it reload config without restarting" as that's what often HUP response of programs is,
11:06 -!- nb [n=nb@fedora/pdpc.monthlygold.nb] has quit [SendQ exceeded]
11:06 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
11:07 -!- nb [n=nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
11:11  * pestilence is trying to figure out if there is anything in the lgos
11:11 < pestilence> *logs
11:12 < pestilence> two things i see:
11:12 < pestilence> ERROR: Linux route delete command failed: shell command exited with error status: 7
11:12 < pestilence> and also
11:12 < pestilence> Cannot open /etc/openvpn/keys/dh1024.pem for DH parameters: error:0200100D:system library:fopen:Permission denied: error:2006D002:BIO routines:BIO_new_file:system lib
11:13 < pestilence> is this because openvpn is running as "nobody"?
11:13 < pestilence> i guess it must be.
11:14 -!- nb [n=nb@fedora/pdpc.monthlygold.nb] has quit [SendQ exceeded]
11:18 -!- nb [n=nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
11:21 < Bushmills> probably. set them to 644
11:21 < Bushmills> (them: .pem files)
11:21 < pestilence> well, it also complains about being able to write the log files
11:22 < Bushmills> you have a   log ... entry in your config?
11:22 < Bushmills> because, "By default, log messages will go to the syslog"
11:23 < pestilence> Bushmills: it's the status log
11:23 < pestilence> shows current connections
11:23 < pestilence> i suppose i could do without it
11:24 < Bushmills> or put it in nogroup group, and set group write permissions  
11:24 < Bushmills> assuming your openvpn runs with group nogroup permissions
11:30 -!- BoomSie [n=gideon@dw77242112238.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"]
11:32 -!- steelnwool [n=jeff@204-232-209-119.static.cloud-ips.com] has joined ##openvpn
11:32 < steelnwool> hiya, question can i move a openvpn installation from one server to another , decommission the first, without regenerating any keys or diffie helmen or anything?
11:33 -!- le0 [n=itsle0@87.112.250.227] has quit [Client Quit]
11:33 < pestilence> Bushmills: i have to set server.key to group readable, and then openvpn gives a warning about that
11:33 < pestilence> is this a security problem
11:34 < ecrist> steelnwool: yes
11:35 < steelnwool> groovy. thanks.
11:38 < pestilence> ok, i give up
11:39 < steelnwool> note: giving up doesn't effect us, it only effects you.
11:40 < pestilence> steelnwool: yes, thanks :-D
11:40 < pestilence> it could affect whether or not Bushmills felt compelled to respond to my last question
11:41 < steelnwool> everyone in IRC is a volunteer. be patient.
11:43 < steelnwool> mind you, you should re-read the documentation as it mentions how you must protect that file.
11:43 < steelnwool> that file is a secret and should only be readable by root, or by root and openvpn user, if you are using chroot
11:49 -!- dazo is now known as dazo_afk
11:54 < pestilence> steelnwool: i wasn't complaining.  but thank you for the advice
11:56 -!- pestilence [n=pestilen@unaffiliated/pestilence] has quit ["leaving"]
12:04 < disappearedng_> ecrist: so i have been looking at iptables
12:04 < disappearedng_> I don't really know if they can handle routing to different interfaces though
12:16 < disappearedng_> I don't really know if they can handle routing to different interfaces though
12:16 < disappearedng_> ecrist: so i have been looking at iptables
12:16 -!- disappearedng_ [n=disappea@unaffiliated/disappearedng] has left ##openvpn ["Leaving"]
12:17 -!- disappearedng_ [n=disappea@unaffiliated/disappearedng] has joined ##openvpn
12:17 < disappearedng_> Hey anyone here can teach me about iptable and ip route with openvpn?
12:17 < steelnwool> google can.
12:17 < disappearedng_> I did look up, 
12:18 < disappearedng_> but NOTHING mentions about routing between interfaces
12:18 < steelnwool> from "man route" first line : 
12:18 < steelnwool>      route  [-v] [-A family] add [-net|-host] target [netmask Nm] [gw Gw] [metric N] [mss M] [window W] [irtt I] [reject] [mod]
12:18 < steelnwool>               [dyn] [reinstate] [[dev] If]
12:18 < steelnwool> see dev IF ? that is the interface.
12:18 < disappearedng_> ok why don't I describe the problem 
12:19 < disappearedng_> when I turn on openvpn, all my traffic goes to tun0
12:19 < disappearedng_> my desired goal is to only have my browser use openvpn
12:20 < disappearedng_> so when tun0 is started, does packets still come in through my original eth0? 
12:20 < steelnwool> yes. tun0 goes thru eth0.. look in the docs where it describes what tun0 is.
12:20 < steelnwool> its a virtual interface as it were, and piggy backs on eht0.
12:20 < steelnwool> or whichever..
12:22 < disappearedng_> ok so technically let say my original ip is 1.2.3.4, then I still have that ip right ? 
12:23 < disappearedng_> let me clarify: but "i still have that ip" meaning that that ip still points to my computer right?
12:27 < steelnwool> yes.
12:27 < steelnwool> use traceroute to determine which direction traffic is going.
12:28 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
12:28 < steelnwool> you can also use ifconfig to see what ip addresses your machine has.
12:35 -!- APTX| [n=APTX@chello089076052083.chello.pl] has joined ##openvpn
12:36 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:44 < ecrist> disappearedng_: I'm not a linux guy, I could help with pf, but pf isn't available on linux
12:44 -!- APTX [n=APTX@phpBB/developer/APTX] has quit [Read error: 110 (Connection timed out)]
12:48 -!- sistema [n=sistema@pc-166-153-83-200.cm.vtr.net] has joined ##openvpn
12:49 < sistema> Hi all... someone can help me plz... I got forward the port 1194 in my router to the machine with the openvpn installed, but I can't get access from the internet... any hint?
12:56 < krzee> !redirect
12:56 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:00 -!- jvv [n=jvv@averon.wojtysiak.org] has joined ##openvpn
13:03 < jvv> hi, i'm trynig to tunnel all my traffic through vpn and i've done like it's in docs but it doesn't work... can anybody help /
13:03 < jvv> ?
13:03 < krzee> !redirect
13:03 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:03 -!- ruied [n=ruied@89.180.121.75] has left ##openvpn []
13:04 < sistema> !nat
13:04 < vpnHelper> sistema: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
13:05 < krzee> hmm, thought i made a winnat too
13:05 < krzee> !winnat
13:05 < vpnHelper> krzee: "winnat" is http://support.microsoft.com/kb/306126 for windows nat (windows calls it internet connection sharing aka ICS)
13:05 < krzee> !forget nat 4
13:05 < vpnHelper> krzee: Error: You don't have the factoids.forget capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
13:06 < krzee> !forget nat 4
13:06 < vpnHelper> krzee: Joo got it.
13:06 < krzee> !learn nat as please choose between !linnat !winnat and !fbsdnat for specific howto
13:06 < vpnHelper> krzee: Joo got it.
13:13 < jvv> can I force exact default gateway that server will set on a client ?
13:26 -!- xeviox [n=NEBAP@p5497535C.dip.t-dialin.net] has joined ##openvpn
13:27 -!- APTX| [n=APTX@chello089076052083.chello.pl] has quit [Client Quit]
13:27 -!- APTX [n=APTX@chello089076052083.chello.pl] has joined ##openvpn
13:31 -!- heise2k [n=heise2k@65-78-40-52.c3-0.upd-ubr6.trpr-upd.pa.cable.rcn.com] has joined ##openvpn
13:33 -!- fluxdude [n=fluxdude@unaffiliated/fluxdude] has quit [Read error: 110 (Connection timed out)]
13:41 -!- bandini [n=bandini@host47-105-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn
13:41 -!- jvv [n=jvv@averon.wojtysiak.org] has quit [Read error: 113 (No route to host)]
13:50 -!- Holister [n=ryan@static-151-204-189-39.pskn.east.verizon.net] has joined ##openvpn
13:51 < Holister> I'm having issues with my vpn setup using a tunnelblick client. The same config works just fine in windows and linux, but in mac, it connects but won't route packets...
13:51 -!- makomi [n=makomi@port-87-234-130-196.dynamic.qsc.de] has joined ##openvpn
13:51 -!- epaphus [n=epaphus@190.10.68.228] has joined ##openvpn
13:51 < makomi> !welcome
13:51 < vpnHelper> makomi: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:53 < epaphus> Hello, i have a successful VPN setup as a default-gateway in a machine with NAT and a LAN behind it. Everything works as expected except that when the tunnel for any reason goes down then users can navigate through the "regular internet" and I dont want that. I have thought that limitting communication only to the IP that it connects the tunnel too would do it however when I put this policy on the firewall the communication is established except that I
13:53 < epaphus>  cannot navigate the internet.. or do anything. What could be wrong?
13:55 < makomi> hi, i need your help. I´ve got a server with a official IP this is my openvpn server. I´ve a dsl router with openvpn client - which has a network behind. And i´ve got a roadwarrior. the connection to vpn server is established and from rw, dsl router and a client in the network behind router i could ping server. from server i could also ping a client in the private network behind dsl router, but not from rw. Do you know 
13:55 < makomi> which option I should use to allow this?
13:56 -!- flacom [n=flaco@pc-166-153-83-200.cm.vtr.net] has joined ##openvpn
13:56 < makomi> I´ve enabled client-2-client
13:56 < makomi> !redirect
13:56 < vpnHelper> makomi: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:56 < Holister> !route
13:56 < vpnHelper> Holister: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:06 < epaphus> anybody?
14:07 < epaphus> How can I force openvpn in --redirect-gateway mode so that if the tunnel ever goes down users cannot use the "regular internet" to navigate? 
14:07 < epaphus> something in the firewall?=
14:09 < makomi> epaphus: push all users a default gateway which is the ip for the tunnel
14:10 < makomi> if this ip is not reachable they couldn´t use internet
14:10 < epaphus> makomi, right, you mean using the --redirect-gateway in openvpn?
14:10 < makomi> no, this is no option in openvpn
14:11 < makomi> i mean dhcp
14:11 < makomi> if the tunnel is down, you have no openvpn and also no openvpn redirect option
14:12 -!- sistema [n=sistema@pc-166-153-83-200.cm.vtr.net] has quit [Read error: 110 (Connection timed out)]
14:13 < makomi> you could also set your firewall that only ip address from server could connect to internet
14:13 < makomi> but this is not openvpn
14:13 -!- sistema [n=sistema@pc-166-153-83-200.cm.vtr.net] has joined ##openvpn
14:13 < makomi> and it depends on your OS
14:13 < epaphus> i just made my firewall with that option.. that the only IP it can connect to is the openvpn server... but then nothing works
14:13 < epaphus> i must be doing something wrong?
14:14 -!- flaco [n=flaco@pc-166-153-83-200.cm.vtr.net] has quit [Read error: 110 (Connection timed out)]
14:14 < makomi> is the openvpn server is also your default gateway for your clients?
14:14 < epaphus> yes.
14:14 < epaphus> via NAT
14:14 < makomi> do you have a proxy on your openvpn server?
14:14 < epaphus> no
14:15 < makomi> if your clients could ping internet you have to doing something wrong :)
14:16 < makomi> but, as i say, it depends on your firewall and your operating system
14:16 < makomi> so i think it better to ask another channel, like #windows or others
14:17 < epaphus> hmm ok thanks
14:17 < makomi> this problem is not a problem of openvpn
14:17 < epaphus> its never an openvpn problems, always a routing problem :P
14:18 < makomi> maybe, but sometimes it depends on a few optins in openvpn :)
14:32 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
14:41 < steelnwool> soooo, i just took my openvpn installation which was inside a virtual machine, shut it down move dit and broght it back up... now routes seem to be a bit screwy.
14:48 -!- flaco [n=flaco@pc-166-153-83-200.cm.vtr.net] has joined ##openvpn
14:51 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
14:52 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:00 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
15:03 -!- flacom [n=flaco@pc-166-153-83-200.cm.vtr.net] has quit [Read error: 110 (Connection timed out)]
15:05 -!- bandini [n=bandini@host47-105-dynamic.16-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
15:08 -!- flaco [n=flaco@pc-166-153-83-200.cm.vtr.net] has quit [Read error: 110 (Connection timed out)]
15:15 -!- ruied [n=ruied@92.250.24.120] has joined ##openvpn
15:33 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:37 -!- makomi [n=makomi@port-87-234-130-196.dynamic.qsc.de] has quit [Remote closed the connection]
15:40 -!- nixfreak [n=nixfreak@mn-10k-dhcp1-3174.dsl.hickorytech.net] has joined ##openvpn
15:41 -!- fluxdude [n=fluxdude@unaffiliated/fluxdude] has joined ##openvpn
15:42 < nixfreak> question about routing or bridging ,I want to be able to have multiple clients connect to server using a tunne.I want those clients to be able to send messages (feeds) to the outside 
15:43 < nixfreak> should I use routing or bridging ? 
15:51 -!- sistema [n=sistema@pc-166-153-83-200.cm.vtr.net] has quit [Read error: 110 (Connection timed out)]
16:00 -!- sq7obj [i=sq7obj@gateway/shell/rootnode.net/x-wpvgozwaomiygdip] has joined ##openvpn
16:00 < sq7obj> hi
16:03 < sq7obj> !welcome
16:03 < vpnHelper> sq7obj: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:06 < sq7obj> does anyone know if it is possible to set OpenVPN to connect automatically when I'm on Wifi, and do not connect if I'm using any other interface?
16:10 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
16:10 < Hypnoz> what is the command to run openvpn from command line, in debug mode, not as a daemon
16:10 -!- yoshx [n=yoshx@84.7.169.144] has quit [Read error: 104 (Connection reset by peer)]
16:10 < Hypnoz> is it just "openvpn server.conf" ?
16:17 -!- leleobhz [n=leleobhz@unaffiliated/leleobhz] has left ##openvpn []
16:20 < nixfreak> !route
16:20 < vpnHelper> nixfreak: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:29 < nixfreak> !help
16:29 < vpnHelper> nixfreak: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
16:30 < nixfreak> !how to
16:30 < vpnHelper> nixfreak: Error: "how" is not a valid command.
16:30 < nixfreak> !how to for beginners
16:30 < vpnHelper> nixfreak: Error: "how" is not a valid command.
16:31 < nixfreak> !howto
16:31 < vpnHelper> nixfreak: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:35 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
16:42 -!- Diffen2 [n=diffen2@78-82-118-208.tn.glocalnet.net] has quit ["This computer has gone to sleep"]
16:49 -!- xeviox [n=NEBAP@p5497535C.dip.t-dialin.net] has quit [Read error: 113 (No route to host)]
17:11 -!- mischief [n=mischief@unaffiliated/mischief] has joined ##openvpn
17:11 < mischief> is there a way to have openvpn not print the error 'write UDPv4: No buffer space available (code=55)' to syslog?
17:29 -!- epaphus [n=epaphus@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
18:00 -!- chilicuil [n=sistemas@unaffiliated/chilicuil] has quit ["Leaving."]
18:32 -!- myrradin [n=username@69.172.135.242] has quit [Read error: 60 (Operation timed out)]
18:33 -!- myrradin [n=username@69.172.135.242] has joined ##openvpn
18:40 -!- fluxdude [n=fluxdude@unaffiliated/fluxdude] has quit [Read error: 113 (No route to host)]
18:41 < nb> !route
18:41 < vpnHelper> nb: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
19:12 -!- nb [n=nb@fedora/pdpc.monthlygold.nb] has quit [Client Quit]
19:13 -!- nb [n=nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
19:25 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
19:30 -!- mischief [n=mischief@unaffiliated/mischief] has quit [Read error: 104 (Connection reset by peer)]
20:03 -!- xeviox [n=NEBAP@p5497535C.dip.t-dialin.net] has joined ##openvpn
20:03 -!- Kirill_TO [n=Kirill_T@67.204.24.72] has joined ##openvpn
20:04 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
20:06 < Kirill_TO> Hi guys, I need to setup my work network to be available on my local(home) network. I normally connect via VPN, but the problem is that I need to have more than one PC connected at the same time. I was wondering is I can somehow bridge VPN and have it locally available to the entire subnet ? Does anyone know how to do it, or where to read ?
20:07 < Kirill_TO> !welcome
20:07 < vpnHelper> Kirill_TO: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:09 < Kirill_TO> !howto
20:09 < vpnHelper> Kirill_TO: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
20:13 < Bushmills> Kirill_TO: what's on the other end of vpn? server side, that is?
20:15 < Kirill_TO> Windows Server 
20:19 < Bushmills> do your local clients need to reach anything else than that server over vpn?
20:22 < krzee> !route
20:22 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:22 < krzee> !tunortap
20:22 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
20:22 < vpnHelper> krzee: against you over the vpn
20:22 < Kirill_TO> yes, I need to have access to few MS_SQL servers and a NAS
20:23 -!- xeviox [n=NEBAP@p5497535C.dip.t-dialin.net] has quit [No route to host]
20:23 < Bushmills> (maybe not needed. setting a route with vpn client as gateway may be enough) 
20:24 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
20:24 < Kirill_TO> I am limited to one vpn connection only (gotta love MS licensing)
20:24 < Bushmills> what vpn?
20:25 < Bushmills> openvpn doesn't put any such restriction onto you
20:25 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
20:25 < Bushmills> where does that licensing matter come from?
20:27 < Kirill_TO> well Office network is over whatever standard comes with Windows Server, it is not implemented over opnVPN, I just figured concept would still apply.
20:27 < Bushmills> !notopenvpn
20:27 < vpnHelper> Bushmills: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
20:28 < Bushmills> the answers you obtain about configuration here don't apply to your vpn
20:30 < Kirill_TO> all I want to do is to establish VPN tunnel, and mascarade my lan, create some sort of VPN gateway. I cant see how open VPN or or any other  would differ once you have the tunnel.
20:38 -!- Dougy [n=me@69.10.59.230] has joined ##openvpn
20:41 < Bushmills> how would it help you if you receive information what to configure in openvpn for that purpose?
20:41 < Bushmills> let's start with its configuration file,. say, let the server push a route to client
20:41 < Bushmills> can you edit the configuration file, please?
20:42 < rob0> I have a friend who set up a bridged VPN with Windows servers at each site, and yes, they triggered some kind of license problem.
20:42 < rob0> but indeed, !notopenvpn
20:43 < disappearedng_> Anyone know how i can route traffic from tun0 to eth0?
20:43 < Bushmills> you route by packet destination
20:43 < disappearedng_> i need clarification on this
20:43 < disappearedng_> so when openvpn is on, tun0 is a virtual interface created right
20:44 < disappearedng_> let say my original ip is 1.2.3.4, then 1.2.3.4 still points to MY computer right?
20:44 < Bushmills> you tell what interface a packet goes to when it falls within an ip address range which you describe
20:44 < disappearedng_> but then I just need to direct my outgoing traffic to my eth0 interface is that it?
20:44 < disappearedng_> ok wait more fundamental than that
20:44 < disappearedng_> when I tun0 is built
20:45 < disappearedng_> can incoming traffic still go to 1.2.3.4?
20:45 < Bushmills> you also need to enable ip forwarding.
20:45 < Bushmills> otherwise your operating system will not just send anything what comes in on any interface to your outgoing interface
20:46 < Bushmills> (but only those packets originating from your own machine)
20:46 < disappearedng_> um
20:46 < disappearedng_> so is does 1.2.3.4 still reachable to my computer?
20:46 < disappearedng_> I don't understand how this tun0 interface works
20:47 < disappearedng_> let say I only have one network card. so everything has to go through eth0 to reach the outside world right
20:47 < Bushmills> just like eth0. only that the cable is software
20:47 < Bushmills> no
20:47 < disappearedng_> but the end of the cable is at eth0 right
20:48 < Bushmills> everything has to go through the interface which allows you to connect to outside world
20:48 < disappearedng_> yes I know that
20:48 < disappearedng_> but tun0 is virtual
20:48 < Bushmills> no. at the end of the "software cable" is another tun device
20:48 < disappearedng_> so it completely bypass eth0?
20:49 < Bushmills> it is a tunnel, in case of openvpn. hidden for the packets which are routed through tun they actually do leave the computer to the destination, through the interface determined by the routing table
20:49 < disappearedng_> ok 
20:49 < Bushmills> look at your route.
20:49 < Bushmills> that will probably tell you a lot about what goes where to
20:50 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: LowKey, plundra, mrnice1, Diffen
20:50 -!- plndra [i=404@article.se] has joined ##openvpn
20:50 < disappearedng_> I am going to be honest, I am not familiar with linux networking
20:50 -!- Netsplit over, joins: Diffen
20:51 < disappearedng_> http://pastebin.com/m4c6af0bf 
20:51 -!- Netsplit over, joins: LowKey
20:51 < Bushmills> route -n
20:51 < disappearedng_> done
20:51 -!- Netsplit over, joins: mrnice1
20:52 < Bushmills> so in your case, everything goes through eth2
20:52 < Bushmills> the "default" route is the key
20:52 < Bushmills> routes anything which hasn't been specified above
20:53 < disappearedng_> ok so let me tell you my situation
20:53 < disappearedng_> when I turn on openvpn, I want my webservices, bit torrent clients to continue working on eth0 instead of tun0
20:54 < disappearedng_> so how should I go about this routing
20:54 < Bushmills> that's the default. 
20:54 < disappearedng_> yes 
20:54 < disappearedng_> I do not want to flood the vpn network 
20:54 < Bushmills> without "redirect-gateway" only traffic to vpn addresses is routed through tun
20:54 < Bushmills> start vpn, look at route again
20:55 < disappearedng_> I might get disconected wait 
20:55 < Bushmills> if you do, your vpn setup routes other destinations over vpn
20:55 < disappearedng_> let me use my laptop for this
20:56 < Bushmills> in which case you probably want to comment out  route, push "route..." and redirect-gateway statements from configs on both client and server
20:57 < disappearedng_> ok my vpn is on my laptop now
20:57 < disappearedng_> and of course the route -n is changed
20:58 < disappearedng_> do you have a more simple solution
20:58 < disappearedng_> cause I am not familiar with those and I am sure I will break something 
20:58 < Bushmills> solution? what's the problem?
20:59 < Bushmills> (besides lack of complete understanding of routing)
20:59 < disappearedng_> like I have no idea what you are talking about lo
20:59 < Bushmills> what solution could you think of?
21:00 < disappearedng_> in which case you probably want to comment out  route <= where?
21:00 < Bushmills> in openvpn config
21:00 < disappearedng_> ip tables?
21:01 < Bushmills> not in your diary
21:01 < disappearedng_> but I only want port 80 to use tun0 though
21:01 < Bushmills> use a proxy on server
21:01 < disappearedng_> I actually don't understand the logic very well 
21:01 < Bushmills> tell web browser to use that proxy
21:02 < disappearedng_> so for all incoming traffic to eth0, let them go, for all outgoing traffic, if not port 80 redirect to eth0? 
21:02 < disappearedng_> oh ok 
21:02 < disappearedng_> that sounds more doable
21:02 < Bushmills> routing is done per destination
21:02 < disappearedng_> so I make openvpn more like a proxy kind of object
21:02 < disappearedng_> i can't control the server 
21:02 < disappearedng_> can I make a proxy object on the client side
21:02 < Bushmills> not quite. you make it a wire to your proxy which is on a different machine
21:03 < disappearedng_> I currently have one machine thar runs 24 /7
21:03 < Bushmills> proxy on client recreates the problem you're working around: how to get selected traffic, other than to specific destininations, routed through vpn
21:04 < Bushmills> by having proxy on vpn server, you can easily route that traffic to proxy through vpn, as you tell web browser what machine the proxy is on
21:06 < disappearedng_> I have no control on the server
21:06 < disappearedng_> I am using a vpn service provider
21:07 < disappearedng_> let say I want to route traffic using ip table is that easy? 
21:08 < Bushmills> then you may have to fiddle with firewall rules.
21:08 < disappearedng_> ok so what rules should I fiddle
21:08 < disappearedng_> I don't know where incoming and outgoing should be
21:08 < disappearedng_> so incoming * port 80 => localhost 80 tun0? 
21:09 < Bushmills> you need to add rules to redirect traffic to specific ports to another destination
21:09 < disappearedng_> but is my rule correct?
21:09 < disappearedng_> I read the ip tables man pages
21:09 < Bushmills> hm no. same destination, but through different interface
21:09 < disappearedng_> I just need to know the rules
21:10 < disappearedng_> so like localhost 80 eth0 => localhost 80 tun0
21:10 < Bushmills> get yourself acquainted with iptables. 
21:10 < Bushmills> and i'm sure the folks on #iptables can give you a hand
21:10 < disappearedng_> ok thx I didn't that exist
21:11 < Bushmills> what you need to know of openvpn to that end is that that your interface name is tun0 
21:11 < Bushmills> or tun1 or tun2, depending on how many you have
21:12 < Bushmills> or check whether your provider offers a http proxy
21:12 < Bushmills> use that one, that'd be much easier
21:15 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
21:23 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
21:23 -!- disappearedng_ [n=disappea@unaffiliated/disappearedng] has left ##openvpn ["Leaving"]
23:00 -!- Dougy [n=me@69.10.59.230] has quit []
23:08 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
--- Day changed Sat Jan 30 2010
00:01 -!- Kirill_TO [n=Kirill_T@67.204.24.72] has quit ["Leaving"]
00:18 < krzee> Bushmills, for what you were telling disappearedng:
00:18 < krzee> !routebyapp
00:18 < vpnHelper> krzee: "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
00:19 < Bushmills> yes, but he can't set up a socks server on vpn server
00:19 < Bushmills> ehm. no need to ...
00:19 < Bushmills> see what captain morgan does to a person ...
00:20 -!- error404notfound [n=Eror404@203.99.180.251] has joined ##openvpn
00:21 -!- tjz [n=tjz@unaffiliated/tjz] has quit [Connection timed out]
00:27 < error404notfound> how do i explicitly ask openvpn server for a new ip?
00:32 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
00:33 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
01:15 -!- nixfreak [n=nixfreak@mn-10k-dhcp1-3174.dsl.hickorytech.net] has quit ["Lost terminal"]
01:35 -!- error404notfound [n=Eror404@203.99.180.251] has quit [Read error: 104 (Connection reset by peer)]
01:37 -!- error404notfound [n=Eror404@203.99.180.251] has joined ##openvpn
01:40 < krzee> error404notfound, thats not how it works
01:40 < error404notfound> krzee, i am confused because ipp.txt says hat i should have .4 but i have .6 ip.
01:40 < error404notfound> e.g 10.0.0.4 and 10.0.0.6
01:40 < krzee> !ipp
01:41 < vpnHelper> krzee: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
01:41 < krzee> !/30
01:41 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
01:41 < krzee> .4 is the server internal side of .6 in a way when using net30 topology
01:41 < error404notfound> ahan, i see, thanks :)
02:19 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
02:19 < reiffert> moin
02:32 -!- error404notfound [n=Eror404@203.99.180.251] has quit ["User guilty of hitting the Big Red X"]
02:32 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: reiffert, hyper_ch, Zordrak, zamba, myrradin, stein0_
02:32 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: @mattock, DarkAnt, Rienzilla, master_o1_master, teddymills, LowKey, dazo_afk, ^scott^_, freaky[t], mrnice1,  (+3 more, use /NETSPLIT to show all of them)
02:33 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: krzee, corretico_, plndra, nb, redfox, Diffen
02:33 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: PeterFA, kala, d12fk, mgolisch, balboah, vpnHelper, Cap_J_L_Picard
02:33 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: |Mike|, Holister, ribasushi, sno, sq7obj, ruied, heise2k, cron2_
02:34 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: havoc, jww, APTXderZweite, Typone, Nrg_, rob0, smultring, meepmeep, +Kas, APTX,  (+2 more, use /NETSPLIT to show all of them)
02:35 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: tarbo2
02:36 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: krzie, cybertron, pa, krphop, koin, oc80z, tompaw, steelnwool, Gnewt, crazygir
02:38 -!- Netsplit over, joins: |Mike|
--- Log closed Sat Jan 30 02:38:57 2010
--- Log opened Sat Jan 30 02:39:06 2010
02:39 -!- Sp4rKy [~Sp4rKy@freenode/sponsor/sp4rky] has joined ##openvpn
02:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
02:39 -!- Irssi: Join to ##openvpn was synced in 23 secs
02:39 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
02:39 -!- Optic [~Optic@miso.capybara.org] has joined ##openvpn
02:40 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
02:41 -!- cybertron [~cybertron@84.200.248.176] has joined ##openvpn
02:41 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has left ##openvpn ["Konversation terminated!"]
02:41 -!- WormFood [~wormfood@121.15.46.255] has joined ##openvpn
02:44 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
02:46 < hyper_ch> yey, using SSL now :)
02:51 -!- plundra [404@article.se] has joined ##openvpn
02:54 -!- jeffl [coz@teledojo.com] has joined ##openvpn
02:56 -!- crazygir [~jason@li14-82.members.linode.com] has joined ##openvpn
03:00 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Quit: I am off]
03:01 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
03:03 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Quit: ZNC - http://znc.sourceforge.net]
03:03 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
03:06 -!- master_of_master [~master_of@p57B55B7E.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
03:09 -!- master_of_master [~master_of@p57B57237.dip.t-dialin.net] has joined ##openvpn
03:18 -!- reiffert [~thomas@mail.webersheim.de] has quit [Quit: leaving]
03:38 -!- mrnice1 [bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
03:42 -!- stephenh [~stephenh@94-23-158-103.kimsufi.com] has joined ##openvpn
03:43 -!- buntfalke [~nobody@openvpn-p1-ipv6-1033.triple-a.uni-kl.de] has joined ##openvpn
03:43 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Quit: ZNC - http://znc.sourceforge.net]
03:44 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
03:44 -!- buntfalke is now known as Guest2481
03:50 -!- Netsplit *.net <-> *.split quits: yoshx
03:51 -!- Netsplit over, joins: yoshx
03:53 -!- UdontKnow [~evaldo@evaldo.gardenali.biz] has joined ##openvpn
03:54 -!- disco- [disco@andromeda.h4xed.com] has joined ##openvpn
03:55 -!- xeviox [~NEBAP@p5497567D.dip.t-dialin.net] has joined ##openvpn
03:59 -!- Netsplit *.net <-> *.split quits: Guest2481
03:59 -!- Guest2481 [~nobody@openvpn-p1-051.triple-a.uni-kl.de] has joined ##openvpn
04:03 -!- xeviox [~NEBAP@p5497567D.dip.t-dialin.net] has quit [Quit: Nettalk6 - www.ntalk.de]
04:05 -!- tarbo2 [~me@unaffiliated/tarbo] has quit [Ping timeout: 240 seconds]
04:09 -!- tarbo2 [~me@unaffiliated/tarbo] has joined ##openvpn
04:17 -!- cron2 [~gert@blue.greenie.muc.de] has joined ##openvpn
04:20 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:28 -!- Guest2481 [~nobody@openvpn-p1-051.triple-a.uni-kl.de] has quit [Ping timeout: 260 seconds]
04:46 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
05:18 -!- Guest2481 [~nobody@openvpn-p1-ipv6-1033.triple-a.uni-kl.de] has joined ##openvpn
05:31 -!- reiffert [~thomas@mail.webersheim.de] has joined ##openvpn
05:40 -!- |Mike| [mike@2001:1af8:2:444::2] has joined ##openvpn
05:51 -!- smultring [ros2468@bus-driver.net] has joined ##openvpn
05:53 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has joined ##openvpn
05:59 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote host closed the connection]
06:03 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
06:06 < reiffert> http://www.youtube.com/watch?v=sunxX-_TBSQ
06:06 < vpnHelper> Title: YouTube - Günther Oettinger Talking English?!? (at www.youtube.com)
06:06 < reiffert> just follow a bit, it turns to english.
06:12 -!- error404notfound [~Eror404@203.99.180.251] has quit [Quit: User guilty of hitting the Big Red X]
06:17 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:28 -!- fluxdude2 [~fluxdude@5ace3f2e.bb.sky.com] has joined ##openvpn
06:30 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has quit [Ping timeout: 276 seconds]
06:40 -!- fluxdude2 [~fluxdude@5ace3f2e.bb.sky.com] has quit [Ping timeout: 276 seconds]
06:48 -!- reiffert [~thomas@mail.webersheim.de] has quit [Quit: Lost terminal]
06:57 < hyper_ch> anyone alive in here?
06:58 -!- fluxdude2 [~fluxdude@5ace3f2e.bb.sky.com] has joined ##openvpn
07:05 -!- fluxdude2 [~fluxdude@5ace3f2e.bb.sky.com] has quit [Quit: When two people dream the same dream, it ceases to be an illusion]
07:05 -!- fluxdude2 [~fluxdude@5ace3f2e.bb.sky.com] has joined ##openvpn
07:07 -!- fluxdude2 [~fluxdude@5ace3f2e.bb.sky.com] has quit [Changing host]
07:07 -!- fluxdude2 [~fluxdude@unaffiliated/fluxdude] has joined ##openvpn
07:20 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
07:28 -!- tarbo2 [~me@unaffiliated/tarbo] has quit [Ping timeout: 260 seconds]
07:29 -!- tarbo2 [~me@unaffiliated/tarbo] has joined ##openvpn
07:32 -!- le0 [~itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
07:53 -!- fluxdude2 [~fluxdude@unaffiliated/fluxdude] has quit [Ping timeout: 276 seconds]
07:56 < Bushmills> just 74 bots and one lurker
08:14 -!- reiffert [~thomas@mail.webersheim.de] has joined ##openvpn
08:16 -!- Guest2481 [~nobody@openvpn-p1-ipv6-1033.triple-a.uni-kl.de] has quit [Read error: Connection reset by peer]
08:17 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:27 -!- error404notfound [~Eror404@203.99.180.251] has joined ##openvpn
08:28 -!- fluxdude2 [~fluxdude@5ace3f2e.bb.sky.com] has joined ##openvpn
08:36 -!- tarbo2 [~me@unaffiliated/tarbo] has quit [Ping timeout: 248 seconds]
08:36 -!- reiffert [~thomas@mail.webersheim.de] has quit [Quit: leaving]
08:38 -!- fluxdude2 [~fluxdude@5ace3f2e.bb.sky.com] has quit [Ping timeout: 276 seconds]
08:38 -!- tarbo2 [~me@unaffiliated/tarbo] has joined ##openvpn
08:41 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
08:46 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote host closed the connection]
08:47 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 256 seconds]
09:06 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
09:14 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote host closed the connection]
09:16 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
09:50 -!- fluxdude2 [~fluxdude@5ace3f2e.bb.sky.com] has joined ##openvpn
10:05 -!- WormFood [~wormfood@121.15.46.255] has quit [Ping timeout: 256 seconds]
10:13 -!- ChanServ [ChanServ@services.] has quit [shutting down]
10:21 -!- WormFood [~wormfood@58.60.223.33] has joined ##openvpn
10:27 < fluxdude2> i'm using a learn-address script to control dynamic firewalling and I have found that openvpn is not calling delete when I disconnect which means that the iptables are filling up with rules that are not being removed
10:41 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
11:14 < fluxdude2> it looks like my learn-address script is called for the delete operation but it's not passed 3 args as with add/update, it's only passed 2 args, the address and the delete operation but it doesn't pass which client (common-name) this was for
11:14 < fluxdude2> wtf???
11:14 < fluxdude2> is there any way I can get it to pass this information or deduce it otherwise/
11:14 < fluxdude2> ?
11:16 < fluxdude2> reading the man page again this is intended behavior but WHY????
11:16 < fluxdude2> how am I supposed to determine the client and it's iptables chains just from the ip address?
11:18 -!- tarbo2 [~me@unaffiliated/tarbo] has quit [Ping timeout: 240 seconds]
11:22 -!- tarbo2 [~me@unaffiliated/tarbo] has joined ##openvpn
11:36 -!- sppadicus [~IceChat7@87.113.82.103.plusnet.pte-ag2.dyn.plus.net] has joined ##openvpn
11:36 -!- sppadicus [~IceChat7@87.113.82.103.plusnet.pte-ag2.dyn.plus.net] has left ##openvpn []
11:38 -!- krzee [nobody@hemp.ircpimps.org] has joined ##openvpn
11:38 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
11:38 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
11:41 -!- corretico__ [~laguilar@201.201.46.106] has joined ##openvpn
11:41 < hyper_ch> krzee: you value privacy?
11:42 -!- corretico_ [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
11:49 < Bushmills> fluxdude2: --down to execute a script in disconnect?
11:51 < fluxdude2> Bushmills: i take it that --down passes the environment variables and learn-address doesn't
11:51 < fluxdude2> why have learn-address at all if we have --up and --down
11:51 < fluxdude2> ?
11:51 < fluxdude2> I guess it doesn't have update
11:51 < Bushmills> i don't know about learn-address. but --down receives arguments, among those the ip address.
11:52 < Bushmills> (receives them from the disconnecting openvpn instance)
11:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
12:02 -!- tarbo2 [~me@unaffiliated/tarbo] has quit [Ping timeout: 256 seconds]
12:04 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
12:05 -!- tarbo2 [~me@unaffiliated/tarbo] has joined ##openvpn
12:11 -!- reiffert [~thomas@mail.webersheim.de] has joined ##openvpn
12:21 -!- tarbo2 [~me@unaffiliated/tarbo] has quit [Ping timeout: 240 seconds]
12:27 -!- tarbo2 [~me@unaffiliated/tarbo] has joined ##openvpn
12:35 -!- reiffert [~thomas@mail.webersheim.de] has quit [Quit: Lost terminal]
12:47 -!- tarbo2 [~me@unaffiliated/tarbo] has quit [Ping timeout: 264 seconds]
12:49 -!- tarbo2 [~me@unaffiliated/tarbo] has joined ##openvpn
12:53 < fluxdude2> i've got 3 subnets on my openvpn server as per the howto (1 for contractors, 1 for admin and 1 for users)
12:53 < fluxdude2> problem is from the contractors subnet I can't ping my gateway at the other end of the tun0
12:54 < fluxdude2> a packet trace shows the responses are coming from the wrong ip
12:54 < fluxdude2> so the openvpn server is sending the responses from a different ip to the one that I pinged over the tunnel
12:55 < fluxdude2> any ideas how to fix this?
13:05 -!- fluxdude2 [~fluxdude@5ace3f2e.bb.sky.com] has quit [Quit: When two people dream the same dream, it ceases to be an illusion]
13:07 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote host closed the connection]
13:08 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
13:09 -!- ruied [~ruied@92.250.24.120] has quit [Ping timeout: 256 seconds]
13:10 -!- UdontKnow [~evaldo@evaldo.gardenali.biz] has quit [Quit: leaving]
13:10 -!- myrradin [~username@69.172.135.242] has quit [Quit: leaving]
13:11 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote host closed the connection]
13:13 -!- UdontKnow [~evaldo@evaldo.gardenali.biz] has joined ##openvpn
13:30 < krzee> [13:41]  <hyper_ch> krzee: you value privacy?
13:30 < krzee> yes
13:49 -!- tarbo2 [~me@unaffiliated/tarbo] has quit [Ping timeout: 260 seconds]
13:52 -!- tarbo2 [~me@unaffiliated/tarbo] has joined ##openvpn
14:11 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 260 seconds]
14:13 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
14:13 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
14:13 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
14:36 < steelnwool> so here is the issue i have : [outside world - a] -> [ openvpn b ] <- [ behind vpn c].
14:37 < steelnwool> a can ping b, c can ping b, a can't talk to c and vice versa. however before a reboot it all worked. i setup  the vpn a few weeks ago, so i am guessing that B has a firewall running inside it, which is probably preventing the communication... sounds half reasonable?
14:37 < steelnwool> [reading some iptables man pages now]
14:38 < steelnwool> ah ah.. i bet ip forwarding is off...
14:39 < steelnwool> woo. badabing.
14:39 < steelnwool> I'll say thanks even tho i just talked to my self. sometimes typing it out helps solves problems.
14:42 -!- yoshx [~yoshx@84.7.169.144] has quit [Read error: Operation timed out]
14:50 -!- oc80z [oc80z@blea.ch] has joined ##openvpn
14:58 -!- krzie [~krzee@butters.secure-computing.net] has quit [Changing host]
14:58 -!- krzie [~krzee@unaffiliated/krzee] has joined ##openvpn
14:58 -!- mode/##openvpn [+o krzie] by ChanServ
14:59 -!- mode/##openvpn [-o krzie] by krzie
14:59 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
15:13 -!- smultring [ros2468@bus-driver.net] has quit [Remote host closed the connection]
15:17 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
15:23 -!- corretico__ [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
15:33 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
16:18 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
16:33 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
16:39 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Ping timeout: 240 seconds]
16:48 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
16:55 -!- Netsplit *.net <-> *.split quits: Optic, Guest65496, master_of_master, stein0, meepmeep, rob0, ribasushi, makomi, kala, heise2k,  (+49 more, use /NETSPLIT to show all of them)
16:56 -!- Netsplit over, joins: hyper_ch, cron2, buntfalke, stephenh, tompaw
16:56 -!- Netsplit over, joins: mrnice1, Rienzilla, Nrg_, WormFood, kreg, teddymills, d12fk, le0, heise2k, corretico (+3 more)
16:57 -!- nb [~nb@delta.bebout.net] has joined ##openvpn
16:57 -!- freaky[t] [alpha@88.198.215.139] has joined ##openvpn
16:57 -!- Netsplit over, joins: oc80z, Zordrak, stein0, makomi, magic_1, mikkel, APTXderZweite, kala, julius
16:57 -!- Rolybrau [~Rolybrau@180-153.3-85.cust.bluewin.ch] has joined ##openvpn
16:57 -!- redfox [~redfox2@ns351996.ovh.net] has joined ##openvpn
16:57 -!- Netsplit over, joins: APTX, tarbo2, |Mike|
16:59 -!- jeffl [coz@teledojo.com] has joined ##openvpn
16:59 -!- Guest65496 [~dazo@nat/redhat/x-tcsfeaxcoogruscu] has joined ##openvpn
16:59 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn
16:59 -!- steelnwool [~jeff@204.232.209.119] has joined ##openvpn
16:59 -!- koin [~niko@212.13.195.36] has joined ##openvpn
16:59 -!- havoc [~havoc@saturn.chaillet.net] has joined ##openvpn
16:59 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
16:59 -!- rob0 [~rob0@tuxaloosa.org] has joined ##openvpn
16:59 -!- ribasushi [~rabbit@dslb-084-063-002-197.pools.arcor-ip.net] has joined ##openvpn
16:59 -!- sno [~sno@78.46.209.153] has joined ##openvpn
16:59 -!- sq7obj [sq7obj@gateway/shell/rootnode.net/x-vfsivtpjusvrgbzd] has joined ##openvpn
16:59 -!- balboah [~johnny@joonix.se] has joined ##openvpn
16:59 -!- poningru [~poningru@dsl093-236-026.hfd1.dsl.speakeasy.net] has joined ##openvpn
16:59 -!- DarkAnt [~DarkAnt@c-24-63-224-114.hsd1.ma.comcast.net] has joined ##openvpn
17:00 -!- mgolisch [~michi@85.93.11.18] has joined ##openvpn
17:00 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote host closed the connection]
17:00 -!- master_of_master [~master_of@p57B57237.dip.t-dialin.net] has joined ##openvpn
17:00 -!- Sp4rKy [~Sp4rKy@rennes1.dunnewind.net] has joined ##openvpn
17:00 -!- UdontKnow [~evaldo@evaldo.gardenali.biz] has joined ##openvpn
17:00 -!- Bushmills [~nnnnnBush@verhau.de] has joined ##openvpn
17:00 -!- Optic [~Optic@miso.capybara.org] has joined ##openvpn
17:04 -!- tarbo2 [~me@unaffiliated/tarbo] has quit [Ping timeout: 258 seconds]
17:04 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
17:04 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
17:04 -!- plundra [404@article.se] has joined ##openvpn
17:04 -!- Gnewt [~hackerlet@li57-94.members.linode.com] has joined ##openvpn
17:05 -!- redfox is now known as Guest20273
17:05 -!- Rolybrau is now known as Guest92203
17:05 -!- nb is now known as Guest96821
17:06 -!- UdontKnow is now known as Guest69762
17:06 -!- Sp4rKy is now known as Guest89562
17:18 -!- tarbo2 [~me@unaffiliated/tarbo] has joined ##openvpn
17:36 < |Mike|> oi
17:48 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
17:49 -!- Guest69762 [~evaldo@evaldo.gardenali.biz] has quit [Quit: leaving]
17:50 -!- UdontKnow [~evaldo@evaldo.gardenali.biz] has joined ##openvpn
17:54 < krzie> sup mike
17:54 < |Mike|> Beerware licensed stuff :p
17:54 < krzie> haha
17:55 < |Mike|> How're you doing mister?
17:55 < |Mike|> UdontKnow: heh, quitted oper stuff ?
17:55 < krzie> im good, headed to usa tomorrow
17:56 < |Mike|> I see, holidays ?
17:56 < krzie> lil vacation
17:56 < krzie> gunna hit AU as well
17:56 < |Mike|> krzie: you planned to visit FOSDEM btw?
17:57 < krzie> dunno of it
18:04 -!- le0 [~itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Quit: Leaving]
18:04 -!- le0 [~itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
18:04 < |Mike|> krzie: okay
18:06 < UdontKnow> |Mike|: no
18:07 < |Mike|> okay, opers quitted to use "spoofs"?
18:09 -!- UdontKnow [~evaldo@evaldo.gardenali.biz] has quit [Quit: gone]
18:11 -!- tarbo2 [~me@unaffiliated/tarbo] has quit [Ping timeout: 258 seconds]
18:19 -!- goog1jh [googijh@my.barbie.wears.no-panties.org] has joined ##openvpn
18:22 -!- tarbo2 [~me@unaffiliated/tarbo] has joined ##openvpn
18:27 -!- tarbo2 [~me@unaffiliated/tarbo] has quit [Ping timeout: 248 seconds]
18:28 -!- Guest96821 [~nb@delta.bebout.net] has quit [Changing host]
18:28 -!- Guest96821 [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
18:31 -!- Guest96821 is now known as nb
18:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
18:43 -!- tarbo2 [~me@unaffiliated/tarbo] has joined ##openvpn
18:46 -!- simcop2387-lap [~simcop238@p3m/member/simcop2387] has joined ##openvpn
18:48 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
18:50 -!- le0 [~itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Ping timeout: 272 seconds]
18:53 < simcop2387-lap> ok i'm trying to switch from the tun setup i've had to a tap setup so i can do ipv6 over the vpn, the connection and everything appears to go fine but i can't send any pings or anything over the interface, anyone have ideas of where to start looking (it really isn't a firewall, at the moment there isn't one between the two machines)
18:55 -!- reiffert [~thomas@mail.webersheim.de] has joined ##openvpn
18:56 < reiffert> moin
19:00 < simcop2387-lap> hello
19:05 < krzie> moinmoin
19:05 < krzie> hows that socks workin out for ya bud?
19:06 < krzie> simcop2387-lap 
19:06 < krzie> !ipv6
19:06 < vpnHelper> krzie: "ipv6" is (#1) http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_OpenVPN_Tunnelbroker.php?lang=en to learn how to setup openvpn to be an ipv6 tunnel broker, or (#2) Here are some scripts from the mail list: http://article.gmane.org/gmane.network.openvpn.user/27514 or from a mirror: http://www.ircpimps.org/join-0.8.tar, or (#3) http://www.greenie.net/ipv6/openvpn.html for ipv6 payload patch
19:06 < vpnHelper> krzie: (adds some nice ipv6 options)
19:06 < krzie> see #3
19:06 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote host closed the connection]
19:06 < simcop2387-lap> hmm
19:07 < simcop2387-lap> ooo i am running 2.1 already
19:08 < simcop2387-lap> that makes this much easier then since i can use the working tun setup...
19:10 < reiffert> guys, is there any chance to get a live stream of 24h daytona going on right now?
19:11 < reiffert> any tv-to-livestream bridge around? speedtv.com is broadcasting afaik
19:12 < reiffert> ah, found it. http://de.justin.tv/crazyodaz#r=bYHJd1k
19:12 < vpnHelper> Title: crazyodaz on Justin.tv (at de.justin.tv)
19:20 < Optic> mooo
19:30 -!- tjz [~tjz@bb116-15-75-62.singnet.com.sg] has joined ##openvpn
19:30 -!- tjz [~tjz@bb116-15-75-62.singnet.com.sg] has quit [Changing host]
19:30 -!- tjz [~tjz@unaffiliated/tjz] has joined ##openvpn
19:36 -!- AlexC [~AlexC@unaffiliated/alexc] has joined ##openvpn
19:37 < AlexC> is there a way i can route all IP traffic though a VPN except for a list of IP addresses?
19:37 < AlexC> like everything but 192.168.1.0/24?
19:42 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
19:43 < simcop2387-lap> i don't know the correct way; but i just do soemthing like; route add -net 192.168.1.0 netmask 255.255.255.0 [gw 192.168.1.1] dev wlan0
19:43 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 256 seconds]
19:44 < simcop2387-lap> might be able to throw that in the interface up script somewhere
19:47 < AlexC> hmmm
19:47 < AlexC> why gateway .1?
19:48 < AlexC> do i need a gateway?
19:48 < simcop2387-lap> the [] was optional if you needed one
19:48 < AlexC> oh okay
19:48 < simcop2387-lap> that depends on the network
19:49 < simcop2387-lap> since i'm the only one that uses the vpn i've got setup (laptop to home network) i've just got a script i run that does that for me, but its not very portable to other setups (e.g. liable to blow up nearly constantly)
19:49 < simcop2387-lap> and its not automated either
20:13 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
20:18 -!- retro_neo [~hello_wor@cust-146-10.on4.ontelecoms.gr] has joined ##openvpn
20:21 -!- Guest20273 is now known as redfox
20:21 -!- redfox is now known as Guest63825
20:25 < retro_neo> hi! any ideas on why out of two servers with identical configs, one would work correctly but the other refuses to accept UDP connections? (TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
20:25 < retro_neo> if I switch it to TCP, I am able to connect though
20:48 -!- retro_neo [~hello_wor@cust-146-10.on4.ontelecoms.gr] has quit [Quit: Leaving]
21:14 -!- AlexC [~AlexC@unaffiliated/alexc] has quit [Quit: Leaving]
21:30 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
21:42 -!- tarbo2 [~me@unaffiliated/tarbo] has quit [Ping timeout: 248 seconds]
21:44 -!- tarbo2 [~me@unaffiliated/tarbo] has joined ##openvpn
22:37 < nb> firewall?
22:50 -!- simcop2387-lap [~simcop238@p3m/member/simcop2387] has left ##openvpn ["Leaving"]
23:05 -!- tarbo2 [~me@unaffiliated/tarbo] has quit [Ping timeout: 276 seconds]
23:07 -!- tarbo2 [~me@unaffiliated/tarbo] has joined ##openvpn
23:31 -!- MusashiX90 [~nano@unaffiliated/musashix90] has joined ##openvpn
23:38 -!- Chris_____ [~Chris@nc-71-50-143-196.dyn.embarqhsd.net] has joined ##openvpn
23:39 < Chris_____> Anyone around to help with a quick net-to-net config question. I have my the client network has a connection to my server and can ping/connect to all my LAN computers but I cannot do the same for the other network.
23:40 < Chris_____> this is my server config http://nunzzz.pastebin.com/m71e4ac7f
23:40 < Chris_____> And this is the client config. http://nunzzz.pastebin.com/m1d30afe5
23:44 < rob0> It's not quick, but it is pretty simple. Each side has to know how to route to the other (i.e., in this case, through the VPN peers.)
23:44 < rob0> !route
23:44 < vpnHelper> rob0: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
23:44 < MusashiX90> It was iptables' fault
23:58 -!- Chris_____ [~Chris@nc-71-50-143-196.dyn.embarqhsd.net] has left ##openvpn []
--- Day changed Sun Jan 31 2010
00:05 -!- MusashiX90 [~nano@unaffiliated/musashix90] has left ##openvpn []
00:06 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
00:08 -!- tarbo2 [~me@unaffiliated/tarbo] has quit [Ping timeout: 258 seconds]
00:10 -!- tarbo2 [~me@unaffiliated/tarbo] has joined ##openvpn
00:52 -!- tarbo2 [~me@unaffiliated/tarbo] has quit [Ping timeout: 246 seconds]
00:54 -!- tarbo2 [~me@unaffiliated/tarbo] has joined ##openvpn
01:51 -!- izro [~brian@hick.org] has joined ##openvpn
02:04 -!- error404notfound [~Eror404@119.153.51.207] has joined ##openvpn
02:22 -!- fluxdude2 [~fluxdude@5ace3f2e.bb.sky.com] has joined ##openvpn
02:22 -!- fluxdude2 [~fluxdude@5ace3f2e.bb.sky.com] has quit [Changing host]
02:22 -!- fluxdude2 [~fluxdude@unaffiliated/fluxdude] has joined ##openvpn
02:24 < fluxdude2> when logging in as a contractor (straight from the howto) on the 10.8.2.2 ip I get access to what I expect but for some reason I do not get any ping replies from my 10.8.2.1 gateway... any ideas why?
02:25 < fluxdude2> I would like to make that work...
02:25 -!- fluxdude2 is now known as fluxdude
02:32 < reiffert> Your problem is your firewall, really.
02:33 < fluxdude> which firewall though, the one on the openvpn box?
02:34 < fluxdude> see I've got a log iptables rules before a drop iptables rule and the packet didn't show up in the logs as denied
02:34 < fluxdude> in fact a packet trace showed a rely but from a different ip than the one I pinged, openvpn box replied from 10.8.0.1 instead of the 10.8.2.1 address that I pinged
02:35 < fluxdude> maybe a masquerading problem... I have a rule which masquerades on postrouting for all 10.8.0.0/16
02:37 -!- tarbo2 [~me@unaffiliated/tarbo] has quit [Ping timeout: 258 seconds]
02:38 < fluxdude> however, pinging 10.8.2.1 from 10.8.2.2 over the tap device shouldn't require any routing and therefore no masquerading, right
02:39 -!- tarbo2 [~me@unaffiliated/tarbo] has joined ##openvpn
02:45 < reiffert> ah, tap. layer2. all I can read from you is, that the layer2 is working.
02:45 < reiffert> And that your firewall may still be your problem. As 10.8.2.0/24 is inside 10.8.0.0/16
02:52 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:00 < fluxdude> sorry meant to say tun
03:00 < fluxdude> I've flushed all rules and replaced them with a single log rule on input, forward and output
03:00 < fluxdude> logs now show the packets are going in tun0 and out tun0 to the 10.8.2.1 address but nothing is coming back
03:01 < fluxdude> so the firewall isn't seeing any response from that address... I can't explain what is going on here
03:01 < fluxdude> the firewall should be letting everything through and logging it at the same time but the response never touches the firewall... like the interface 10.8.2.1 never responds for some reason...
03:07 -!- master_of_master [~master_of@p57B57237.dip.t-dialin.net] has quit [Ping timeout: 272 seconds]
03:08 -!- master_of_master [~master_of@p57B5715D.dip.t-dialin.net] has joined ##openvpn
03:33 < fluxdude> this is baffling, it's simply the other side of the tun0 device... why isn't a ping response sent from the 10.8.2.1 interface?
03:34 < fluxdude> I must be missing something... the firewall isn't getting in the way because the log rules aren't catching any responses, only the requests... so it looks like the tun0 interface 10.8.2.1 simply isn't sending any response...
03:35 -!- parito [~par@85-255-49-118.ip.kis.lt] has joined ##openvpn
03:42 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
03:42 -!- mode/##openvpn [+o mattock] by ChanServ
03:49 -!- Gnewt [~hackerlet@li57-94.members.linode.com] has left ##openvpn []
04:00 -!- error404notfound [~Eror404@119.153.51.207] has quit [Ping timeout: 272 seconds]
04:05 -!- error404notfound [~Eror404@119.153.51.207] has joined ##openvpn
04:13 -!- error404notfound [~Eror404@119.153.51.207] has quit [Quit: User guilty of hitting the Big Red X]
04:15 -!- Guest63825 is now known as redfox
04:15 -!- redfox is now known as Guest9259
04:16 -!- parito [~par@85-255-49-118.ip.kis.lt] has quit [Quit: .]
04:20 < fluxdude> ok I have done lots of testing and found that with all rules and masquerading flushed on the standard 10.8.0.x/24 network when I am assigned 10.8.0.6 I can ping that but not the 10.8.0.5 at the other end of the tun but I can ping 10.8.0.1 for some reason
04:20 < fluxdude> thing is most bizarre
04:20 < fluxdude> why can't I ping 10.8.0.5 since it's the tun0 gateway?
04:22 < fluxdude> routing tables show "10.8.0.5 dev tun0 kernel scope link src 10.8.0.6"
04:22 < fluxdude> and "10.8.0.1 via 10.8.0.5 dev tun0"
04:22 < fluxdude> and a traceroute 10.8.0.1 which works shows it as only 1 hop away
04:23 < fluxdude> 10.8.0.1 must be going through the 10.8.0.5 gateway in order to get out... I don't really understand how/why this is working the way it is...
04:23 < fluxdude> and I have read all of the docs and the routing wiki page as well
04:23 < fluxdude> I read the man page and the howto both at least twice
04:23 < fluxdude> can anyone explain?
04:41 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
04:45 < WormFood> fluxdude, you can ping 10.8.0.1
04:45 < fluxdude> yes
04:46 < fluxdude> but not 10.8.0.5 which is the /30 subnet gateway for the vpn client
04:46 < WormFood> yeah, I can't figure it out either...I could have sworn I was able to ping the remote end of the tunnel....maybe I'm thinking about my static key setup
04:46 < fluxdude> i am given 10.8.0.6 ip on my tun with 10.8.0.5 as the gateway
04:46 < WormFood> fluxdude, yeah dude, I know
04:46 < WormFood> I run the same system too :P
04:47 < fluxdude> I have another strange issues which is that bad source address log showing my laptop's eth0 ip has gone over the vpn and confused openvpn but I have no idea why that ip would reach openvpn, surely it should get the 10.8.0.6 ip address if I need to connect to anything over the vpn
04:48 < fluxdude> and in most cases it does, but I can't figure out how come openvpn also sees some traffic from my eth0...
04:50 < fluxdude> i would have thought that the pushed routing tables would make sure that all traffic over the vpn is sourced from my 10.8.0.6 ip and I should never see that message about bad source ip in the logs
04:50 < fluxdude> there is nothing on my laptop's lan that would route through the vpn anyway as the routing wiki suggest and  ip_forward is 0 on my linux laptop...
04:51 < fluxdude> how on earth is my eth0 ip leaking through my openvpn????
04:51 < fluxdude> traffic works normally though
04:51 < fluxdude> if it was using this for everything then nothing would return and I have tcpdump'd and can see that my traffic is using the right 10.8.0.6 src address....
05:06 -!- error404notfound [~Eror404@119.153.51.207] has joined ##openvpn
05:08 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
05:11 < error404notfound> even though i have push "dhcp-option DNS 192.168.50.1" bur still my ubuntu client doesn't add this DNS to resolv.conf
05:18 -!- tarbo2 [~me@unaffiliated/tarbo] has quit [Ping timeout: 265 seconds]
05:19 -!- Guest92203 [~Rolybrau@180-153.3-85.cust.bluewin.ch] has quit [Remote host closed the connection]
05:19 < error404notfound> i know its for windows clients, but isn't there an alternate for nix clients as well?
05:20 -!- tarbo2 [~me@unaffiliated/tarbo] has joined ##openvpn
05:21 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
05:24 < error404notfound> I have tried adding tun0 to /etc/network/interfaces as dhcp nic but no use...
05:33 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
05:41 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote host closed the connection]
05:46 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
05:46 < error404notfound> anyone?
05:56 -!- error404notfound [~Eror404@119.153.51.207] has quit [Quit: User guilty of hitting the Big Red X]
06:00 -!- error404notfound [~Eror404@119.153.51.207] has joined ##openvpn
06:09 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
06:18 -!- error404notfound [~Eror404@119.153.51.207] has quit [Read error: Connection reset by peer]
06:26 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
06:30 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Client Quit]
06:31 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
06:33 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Client Quit]
06:33 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
06:48 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:54 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
06:54 -!- dvrcoder [~asdf@84-75-113-215.dclient.hispeed.ch] has joined ##openvpn
06:55 < dvrcoder> hi, question: if i need the openvpn tap driver on a windows host, is it enough to install only the tap driver of openvpn and NOT the complete openvpn package?
06:56 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
07:13 -!- le0 [~itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
07:20 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:23 -!- dvrcoder [~asdf@84-75-113-215.dclient.hispeed.ch] has quit [Quit: SEMPRE E SOLO HC LUGANO!]
07:33 -!- Guest89562 [~Sp4rKy@rennes1.dunnewind.net] has quit [Quit: Reconnecting]
07:33 -!- Sp4rKy [~Sp4rKy@freenode/sponsor/sp4rky] has joined ##openvpn
07:58 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
07:58 -!- error404notfound [~Eror404@119.153.135.200] has joined ##openvpn
08:07 -!- Irssi: ##openvpn: Total of 80 nicks [1 ops, 0 halfops, 1 voices, 78 normal]
08:07  * ecrist restarts vpnHelper
08:07 < ecrist> nm, he's still here
08:27 -!- Dougy [~me@69.10.59.230] has joined ##openvpn
08:27 < Dougy> ecrist ding
08:27 < vpnHelper> New forum entry openvpnforum: Installation Help :: Re: TAP-win32 driver install problems on Vista x64 :: Reply by Douglas <http://www.ovpnforum.com/viewtopic.php?f=5&t=494&p=3126#p3126>
08:27 < ecrist> what's up, dougy?
08:28 < Dougy> y0
08:28 < Dougy> how are ya
08:33 -!- mithridates [~chatzilla@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
08:33 -!- WormFood [~wormfood@58.60.223.33] has quit [Remote host closed the connection]
08:33 < mithridates> hey guys
08:34 < mithridates> how can I have two openvpn daemons in a server with different ports?
08:36 < Bushmills> run openvpn twice, with 2 different configurations
08:37 < mithridates> service iptables start ? two times? how can I set the different configurations?
08:39 < Bushmills> eh? iptables can take many rules. 
08:39 < Bushmills> "set" configs? you edit them. two seperate files.
08:39 < mithridates> aah ok tnx
08:40 < mithridates> so first of all I should duplicate the /etc/init.d/openvpn to openvpn1 and openvpn2
08:41 < mithridates> and change the path of configuration in each of them
08:41 < Bushmills> first of all you should make your alternative config
08:42 < Bushmills>  changes to /etc/init.d/ you want to do after you confirmed your second instance of openvpn running and working
08:42 < ecrist> mithridates: I would update openvpn init.d script to provide additional functionality
08:42 < Dougy> fadsgdf
08:42 < Dougy> ok
08:42 < Dougy> ecrist: vB?
08:43 < ecrist> for example, scan a dir for configs, enumerate them, and list their status, similar to how jails work in freebsd
08:43 < ecrist> Dougy: holding off on it for the time being.
08:43 < Dougy> how come
08:43 < mithridates> Bushmills: which port is neccessary for all clients? I wanna choose a port because sometime some 1194 in clients is blocked
08:43 < ecrist> do you following the mailing list at all?
08:43 < Dougy> not one bit
08:43 < Bushmills> having two openvpn scripts in init.d makes sense - that way either instance can be started and stopped through init scripts
08:44 < ecrist> check out the archives, and look for topics about the community
08:44 < Dougy> gah
08:44 < Dougy> cant you just tell me in a nut shell lol
08:44 < ecrist> no
08:44 < Dougy> why ot
08:44 < ecrist> too much to indicate quickly
08:44 < ecrist> look at the last couple weeks on the openvpn-devel mailing list.
08:45 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote host closed the connection]
08:45 < mithridates> which port is necessary for us in the internet 80 and 53? I wanna choose a port because sometime 1194 in clients is blocked
08:45 < Bushmills> "which port ..."   -  how long is a piece of string?
08:45 < Dougy> i dont even ahve the patience to read the manual and you think i have patience to read a mailing list lol
08:45 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
08:45 < mithridates> I wanna choose a port for my server,
08:46 < ecrist> mithridates: that's very subjective.
08:46 < mithridates> 443?
08:46 < ecrist> Dougy: if you want your answer, I'm certain you will find the patience you require. :)
08:46 < Dougy> or, i can just go with 'no'
08:46 < Dougy> and be done
08:46 < Bushmills> take a port which is not blocked
08:46 < ecrist> 443 has a good chance of working, sure, but tcp over tcp is bad
08:47 < mithridates> I use udp
08:48 < rob0> If 1194/udp is blocked, probably all UDP is blocked. You could try 53/udp, but it's probably redirected to a local nameserver.
08:48 < mithridates> so what else?
08:48 < Dougy> ecrist: seems that its just people want mailing list unless i am missing it
08:49 < mithridates> does init.d file need to change pid file name?
08:53 < mithridates> I changed $piddir to /var/pid/openvpn1/
08:54 < mithridates> and I put 1 for /bin/ls *.conf now it's : /bin/ls *1.conf
08:54 < mithridates> for server1.conf
08:57 < Bushmills> given that my very reasonable suggestion of starting with the config, not with program startup scripts, remains completely unheard, i assume other replies will be useless too.
08:59 < ecrist> Dougy: OpenVPN may be setting up a forum, or mirroring ours, once we figure all that out, we can figure out if we want vB or phpBB
08:59 < Dougy> bastards.. they'll set up their own and cut this one off
08:59 -!- mithridates [~chatzilla@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit [Ping timeout: 276 seconds]
09:00 < ecrist> Dougy: No, we've been working with them on some things.
09:00 < Dougy> ah
09:00 < ecrist> there is talk I will have direct access to the web servers and we will be backing things up
09:00 < Dougy> cool
09:01 < Dougy> i dont needa be involved in the forum much im not helpful anyway
09:14 -!- mithridates [~chatzilla@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
09:34 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
09:43 < fluxdude> mithridates: redhat init script will start multiple instances of openvpn, just drop 2 or more *.conf files in /etc/openvpn
09:44 < mithridates> fluxdude: oh ok, tnx man
09:44 < fluxdude> mithridates: which distro are you using?
09:44 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
09:45 < mithridates> centos
09:45 < mithridates> 5.2
09:45 < fluxdude> good
09:45 < fluxdude> nothing need be done except put 2 *.conf files in /etc/openvpn then
09:45 < fluxdude> and service openvpn restart
09:46 < fluxdude> you should set the 2 configs to listen to different ports obviously...
09:46 < mithridates> yes , :)
09:48 -!- Rolybrau [~Rolybrau@243-76.3-85.cust.bluewin.ch] has joined ##openvpn
09:48 -!- Rolybrau [~Rolybrau@243-76.3-85.cust.bluewin.ch] has quit [Changing host]
09:48 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
09:50 < mithridates> fluxdude: how can I figure it out ?  MULTI: bad source address from client packet dropped ( I have lots of clients so ccd is a crazy id now for me) what else ? :)
09:51 < mithridates> do u have any idea?
09:57 < fluxdude> i also have this problem
09:57 < fluxdude> I am getting it from my laptop on my new test openvpn server which I've heavily refined, this is one of only 1/2 niggles left
09:58 < fluxdude> the problem for me is that I have ccd and it makes no difference
09:59 < fluxdude> my laptop's eth0 id is leaking through the vpn but I can't see how, I've packet traced and everything
09:59 < fluxdude> i am leaving iptables logging rules and this will hopefully catch something later that I can correlate
09:59 < fluxdude> and figure out wtf is going on.
09:59 < fluxdude> tried going verb 7 but I still couldn't see anything
10:00 < fluxdude> it's not happening all the time so it's harder to spot/reproduce/fix
10:06 -!- mithridates [~chatzilla@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit [Remote host closed the connection]
10:13 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 246 seconds]
10:17 -!- makomi_ [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
10:20 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Ping timeout: 272 seconds]
10:23 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 258 seconds]
10:34 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
10:37 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Remote host closed the connection]
10:37 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
10:38 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: Connection reset by peer]
10:38 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
10:43 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
10:48 -!- mithridates [~chatzilla@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
10:50 -!- error404notfound [~Eror404@119.153.135.200] has quit [Ping timeout: 256 seconds]
10:51 -!- error404notfound [~Eror404@119.153.51.227] has joined ##openvpn
10:57 < ecrist> anyone interested in a mailing list rss feed for -users mailing list announced in here?
11:01 < rob0> eww, not sure about that
11:02 < rob0> Problem being, I tend to ignore most threads on the list anyway.
11:03 < mithridates> guys
11:03 < rob0> Like if the subject contains "Windows" or other indications thereof.
11:03 < mithridates> would you take a loot at my logs http://pastebin.ca/1773223
11:03 < mithridates> I tested my client in an other computer and it worked
11:04 < rob0> You're trying to run one instance of TCP and another instance of UDP?
11:04 < mithridates> but when I some one tried to connect from iran with the same client and true date it couldn't
11:05 < mithridates> no
11:05 < mithridates> both of them are udp
11:05 < mithridates> TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
11:06 < mithridates> I checked date and everything but the client got this error
11:06 < rob0> why two UDP?
11:06 < mithridates> I can connect to the server with same config and same certificates
11:06 < mithridates> why not?
11:06 < rob0> I won't ask again.
11:06 < mithridates> but I don't what are you talking about?
11:06 < mithridates> do you mean that I should put tcp in client side?
11:07 < mithridates> is it your mean?
11:07 < mithridates> should I put tcp in client side?
11:07 < rob0> What problem were you trying to solve?
11:07 < mithridates> it's in the log file
11:07 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
11:07 < mithridates> TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
11:07 < rob0> That means CHECK YOUR NETWORK CONNECTIVITY
11:08 < mithridates> which type of checking?
11:09 < ecrist> rob0: you'd still be welcome to ignore them.  Seems the most on any given day in a month is 27 posts, 15 days with < 10, 9 with >10 but <20, and 6 > 20.
11:10 < mithridates> ecrist: in the last conversation you told me something about TCP TCP connection
11:10 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Remote host closed the connection]
11:10 < mithridates> is it possible to use udp for client side and tcp for server side
11:10 < mithridates> ?
11:10 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
11:10 < mithridates> but these are different
11:10 < rob0> Of course not
11:10 < mithridates> I confused
11:10 < mithridates> so what?
11:11 < mithridates> rob0>	why two UDP?
11:11 < mithridates> I didn't get your question :(
11:11 < rob0> Here's the thing: if openvpn can't make a network connection between peers, it cannot establish a VPN between them.
11:12 < mithridates> aah ok
11:12 -!- makomi_ is now known as makomi
11:12 < mithridates> they can connect server but they get this handshake error
11:12 < mithridates> TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 
11:13 < mithridates> and I don't understand how can I check the network connectivity
11:13 < mithridates> it's a very general sentence
11:13 < rob0> I would use nc(1) and nmap(1) and other such diagnostic tools.
11:13 < mithridates> checking firewall? routing? cable? maybe dsl modem? ping?
11:14 < mithridates> ok but for what purposes?
11:14 < mithridates> to find open ports?
11:15 < mithridates> ok now suppose that you have this problem and you got this error
11:15 < mithridates> how do you check your network with nmap or nc ?
11:15 < mithridates> I don't need commands
11:15 < mithridates> just what do you wanna know about your network?
11:19 < mithridates> I can read a simple log like you and say (check your network connectivity)
11:19 < mithridates> anyway thank you
11:19 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
11:19 < Dougy> hey jef
11:19 < Dougy> f
11:20 < mithridates> hey Dougy 
11:21 < mithridates> how can I escape from TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) ?
11:21 < Dougy> not sure
11:21 < Dougy> http://img651.imageshack.us/img651/8326/0131001152.jpg
11:21 < Dougy> YUM
11:22 < mithridates> umm
11:22 < mithridates> I'm gonno kitchen 
11:22 < mithridates> brb
11:22 < mithridates> :(
11:28 < vpnHelper> New forum entry openvpnforum: Installation Help :: Re: TAP-win32 driver install problems on Vista x64 :: Reply by neo314 <http://www.ovpnforum.com/viewtopic.php?f=5&t=494&p=3128#p3128>
11:28 -!- Dougy [~me@69.10.59.230] has quit []
11:44 -!- Artio [~a@port-93418.pppoe.wtnet.de] has joined ##openvpn
11:55 < mithridates> why my clients can connect via pre-shared key from iran but they can not connet to the server via certificate?
12:01 < mithridates> !ifconfig
12:01 < vpnHelper> mithridates: "ifconfig" is usage: ifconfig l rn | Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices, rn is the IP address of the remote VPN endpoint. For TAP devices, rn is the subnet mask of the virtual ethernet segment which is being created or connected to.
12:03 < mithridates> how can I use pre-shared key and prevent to get more than one connection from a key?
12:08 < fluxdude> mithridates: yo figured out after some more debugging why I was getting the bad source address
12:09 < mithridates> how I did that?
12:09 < fluxdude> I had existing connections that were retrying but didn't release the original source ip
12:09 < fluxdude> but in most cases you just want to add route x.x.x.x/y in server.conf and iroute x.x.x.x y.y.y.y in ccd for client
12:09 < fluxdude> if routing networks
12:10 < fluxdude> I'm not which was why it was so confusing, i didn't have forwarding/routing enabled on my laptop either
12:10 < mithridates> yes I know but when I have more than 50 clients
12:10 < fluxdude> it was easier to debug that I though
12:10 < mithridates> it's a crazy idea to do that
12:10 < fluxdude> thought with packet tracing the tun0
12:10 < fluxdude> mithridates: no no no
12:10 < fluxdude> you misunderstand
12:10 < fluxdude> you're stuck on ccd
12:11 < fluxdude> you should tcpdump to find out WHY those ips are coming
12:11 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
12:11 < fluxdude> are they machines behind the openvpn clients trying to come through the vpn?
12:11 < fluxdude> ie connected subnets?
12:11 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
12:11 < mithridates> oh I got it
12:11 < fluxdude> find out what the traffic is doing first and then consider solution
12:11 < mithridates> because I use virtualbox for testing my clients
12:12 < fluxdude> mithridates: me too, my laptop is running it, you're probably also seeing 10.0.2.0/24 ips in your bad source address logs?
12:12 < mithridates> I think it could be related to the virtual network and subnet which I have in my laptop between the linux and crazy winxp in the virtual machine
12:12 < mithridates> yes
12:13 < mithridates> that's not a big problem for me now :)) I got a huge problem today
12:13 < fluxdude> what's that?
12:13 < mithridates> my clients cannot connect via certificate from Iran
12:14 < mithridates> I'm gonna change config to pre-shared key
12:15 < mithridates> :(( OMG I have two assignment for university and I'm still working on this openvpn server
12:16 < fluxdude> unless there is some gateway-to-iran issue with ciphers sanction sort of thing I can't think way
12:16 < mithridates> I need three angel, the first one should prepare my assignments, the second one must solve my problem in this server, and the third one have to massage my body
12:16 < fluxdude> psk sucks
12:16 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has quit [Ping timeout: 256 seconds]
12:16 < fluxdude> uni is useles
12:16 < fluxdude> don't waste your time on it
12:16 < fluxdude> s/useles/useless/
12:16 < fluxdude> mithridates: it may well be a client config problem
12:16 < mithridates> :(
12:17 < fluxdude> you should log in to a machine over there and try it yourself with your own config to make sure
12:17 < mithridates> no, I tried it by my client
12:17 < fluxdude> and a cert/key pair you're successfully used already
12:17 < fluxdude> so from Iran what is the error?
12:17 < mithridates> it was ok, and I checked in three different computer in even 2 different city with different ISPs
12:17 < mithridates> TLS error
12:17 < mithridates> http://pastebin.ca/1773223
12:18 < fluxdude> have you packet traced on the server to see if you're getting the packets from where you expect?
12:18 < mithridates> yes I checked the client ip
12:18 < mithridates> and I compared with which is on my openvpn.log
12:18 < fluxdude> so you're seeing the connection on the client?
12:18 < mithridates> and is trying to connect me
12:19 < mithridates> yes
12:19 < fluxdude> so you're seeing the client's connection in the server logs?
12:19 < mithridates> yes
12:19 < fluxdude> try changing ciphers, downgrading until it works...
12:19 < mithridates> cipher?
12:19 < fluxdude> might be some sanction thing against iran
12:19 < fluxdude> anyway gotta run...
12:19 < fluxdude> you can set different ciphers
12:19 < fluxdude> not using hmac, are you?
12:19 < mithridates> I don't use cipher
12:20 < mithridates> I'm not sure
12:20 < mithridates> how can I know it
12:20 < mithridates> ?
12:20 < mithridates> I think, and it's same problem
12:20 < mithridates> with some other people in IRAN
12:21 < mithridates> http://holgr.com/blog/2009/06/23/setting-up-openvpn-on-amazons-ec2/    search Iran in this link and read the line plz
12:21 < fluxdude> you're not just looked at your pastebin
12:22 < mithridates> what's Hmac?
12:22 < mithridates> !hmac
12:22 < vpnHelper> mithridates: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make
12:22 < vpnHelper> mithridates: the tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
12:23 < fluxdude> mithridates: still waiting for that page to load for me... :-(
12:23 < mithridates> I think a firewall block the way of packets which are for authenticating
12:23 < fluxdude> ah, loaded, there is no iran on that page
12:24 < fluxdude> oh wait
12:24 < mithridates> yes there is
12:24 < mithridates> use ctrl+f :D
12:24 < fluxdude> browser betrayed me, now it does find the word
12:24 < mithridates> and type iran
12:24 < mithridates> ok
12:24 < fluxdude> i did, first ctrl-f was red and didn't find it
12:24 < fluxdude> now it got it let me see
12:25 < fluxdude> yeah that's exactly what I thought, sanction
12:26 < mithridates> is there any way to figure it out?
12:26 < fluxdude> there must be some gateways around iran filtering traffic
12:26 < mithridates> yes
12:26 < fluxdude> no you'll have to switch to use something non-restricted
12:26 < mithridates> like what?
12:26 < fluxdude> which is why I suggested downgrading your ciphers one by one to see if that would work around it
12:27 < fluxdude> set with cipher blah in server.conf and client.conf
12:27 < fluxdude> man openvpn
12:27 < mithridates> ah ok
12:27 < mithridates> I will try all kind of ciphers 
12:28 < fluxdude> it's possible non of them will be permitted in which case psk is your only option... it may be the certs themselves which get filtered... in which case you'd have to regen your certs
12:28 < fluxdude> and what a pain... psk would be simpler
12:29 < mithridates> :( I hate the government of iran
12:30 < mithridates> where are you from fluxdude?
12:52 -!- wwalker [~wwalker@mailbox.eclipsing.com] has joined ##openvpn
12:53 < wwalker> "Your problem is your firewall, really."  :)   
12:53 < wwalker> !welcome
12:53 < vpnHelper> wwalker: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:55 -!- PeterFA [~Peter@2002:62cb:84d1:1234:21a:73ff:fe3b:d510] has joined ##openvpn
12:55 -!- PeterFA [~Peter@2002:62cb:84d1:1234:21a:73ff:fe3b:d510] has quit [Changing host]
12:55 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
12:55 < wwalker> openvpn works for me, a lot!  Thanks to all who've made it possible!
12:56 < wwalker> My question is about management tools.  I need to set up a bunch of users with static IPs in the VPN addr space.  I see certs being touted but using DHCP and getting changing addresses.  I've generally done server to server stuff and just used simple keys.
12:57 < wwalker> anyone have a tool to recommend that an admin can easily use to make keys (or certs) and assign static IPs?
12:57 < wwalker> I can write it myself, but would prefer to not reinvent the wheel on this one.
12:58 < wwalker> "admin" above is the windows help desk guy, not someone who understands VPNs or /30 subnets
12:59 < Bushmills> wwalker: a script in conjuction with
12:59 < Bushmills> !ccd
12:59 < vpnHelper> Bushmills: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
12:59 < Bushmills> when certs are generated
13:05 -!- le0 [~itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Ping timeout: 272 seconds]
13:10 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote host closed the connection]
13:15 -!- Artio [~a@port-93418.pppoe.wtnet.de] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Like it?  Visit #hydrairc on EFNet]
13:17 -!- tarbo2 [~me@unaffiliated/tarbo] has quit [Ping timeout: 240 seconds]
13:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 248 seconds]
13:22 -!- tarbo2 [~me@unaffiliated/tarbo] has joined ##openvpn
13:23 -!- flaco [~flaco@pc-166-153-83-200.cm.vtr.net] has joined ##openvpn
13:25 -!- error404notfound [~Eror404@119.153.51.227] has quit [Ping timeout: 240 seconds]
13:42 -!- error404notfound [~Eror404@119.153.51.227] has joined ##openvpn
13:53 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
14:02 -!- flaco [~flaco@pc-166-153-83-200.cm.vtr.net] has quit []
14:02 -!- Holister [~ryan@static-151-204-189-39.pskn.east.verizon.net] has quit [Read error: Connection reset by peer]
14:03 -!- Holister [~ryan@static-151-204-189-39.pskn.east.verizon.net] has joined ##openvpn
14:07 -!- flaco [~sistema@pc-166-153-83-200.cm.vtr.net] has joined ##openvpn
14:37 -!- teddymills [~teddy@208.92.235.227] has quit [Quit: Ex-Chat]
14:48 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
15:05 -!- tarbo2 [~me@unaffiliated/tarbo] has quit [Ping timeout: 272 seconds]
15:15 -!- tarbo2 [~me@unaffiliated/tarbo] has joined ##openvpn
15:16 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Quit: No Ping reply in 180 seconds.]
15:16 -!- PeterFA [~Peter@c-98-203-132-209.hsd1.wa.comcast.net] has joined ##openvpn
15:16 -!- PeterFA [~Peter@c-98-203-132-209.hsd1.wa.comcast.net] has quit [Changing host]
15:16 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
15:34 < krzie> reiffert here?
15:36  * ecrist doubts it
15:36 < ecrist> krzie, what do you think about an rss fee for the -users mailing list?
15:37 < krzie> would be cool, but the idea i really liked was someone had suggested integration of a forum with maillist
15:37 < krzie> where people can communicate over whichever they prefer, and its on both
15:37 < ecrist> that would be pretty difficult.
15:37 < krzie> ya, didnt know of that existing prior
15:38 < ecrist> there was something back in 2005, don't know if it's been maintained.
15:38 < krzie> im not sure of the benefit to an RSS for maillist
15:38 < ecrist> mail2forum.com
15:40 < ecrist> blast, that's phpbb2 only.
15:41 < krzie> if it works it would RSS the maillist as well
15:41 < krzie> as a byproduct
15:41 < ecrist> right
15:42 < ecrist> if there's something available, I wouldn't be opposed to linking the two.
15:42 < ecrist> it wouldn't be impossible to write a procmail type thing to parse, either, I suppose.
15:42 < krzie> do we use phpbb2?
15:42 < ecrist> no, we use phpbb3 right now
15:42 < krzie> oh
15:43 < ecrist> vbulletin has an interface, though.
15:44 < ecrist> http://www.vbulletin.org/forum/showthread.php?t=151222
15:44 < vpnHelper> Title: Email Integration (New threads/replies by email) - vBulletin.org Forum (at www.vbulletin.org)
15:44  * ecrist goes and plays xbox
15:44 < krzie> wait pls
15:44 < krzie> can you view this video?
15:44 < krzie> http://mmablips.dailyradar.com/video/brightcove-cyborg-santos-vs-marloes-coenen-mma-fight/
15:44 < vpnHelper> Title: BrightCove: Cyborg Santos vs. Marloes Coenen MMA Fight (video) (at mmablips.dailyradar.com)
15:45 < krzie> not sure which countries are allowed to
15:47 < fluxdude> what is the point of the 01.pem, 02.pem in easy-rsa/keys?
15:47 < fluxdude> they are the same as the keys/username.crt
15:47 < fluxdude> in content
15:47 < krzie> they match the index
15:47 < fluxdude> and the revoke-all script doesn't seem to use it
15:47 < krzie> likely for CRL making
15:47 < fluxdude> yes I can see that they match the numbers 
15:47 < krzie> oh ok dunno then
15:47 < krzie> im not versed in CRL related stuff
15:47 < fluxdude> but the revoke script revokes them based on the username.crt in the keys dir having just read revoke-full
15:49 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
15:52 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote host closed the connection]
16:22 < ecrist> krzie: I seem to be able to view the video...
16:22 < krzie> ahh cool
16:22 < krzie> i guess usa works, ill see bout ssh tunneling to it
16:23 < krzie> (im not at home, no access to my normal methods)
16:23 -!- mithridates [~chatzilla@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.5/20091102141836]]
16:23 < ecrist> ssh -ND 9999 <host>
16:23 < ecrist> config firefox to use socks5 on 127.0.0.1:9999
16:23 < ecrist> :)
16:23 < krzie> actually today...
16:24 < krzie> http://oldsite.precedence.co.uk/nc/putty.html
16:24 < vpnHelper> Title: Using PuTTY to create an SSH tunnel (at oldsite.precedence.co.uk)
16:24 < krzie> =[
16:24 < ecrist> http://www.secure-computing.net/wiki/index.php/Secure_browsing
16:24 < vpnHelper> Title: Secure browsing - Secure Computing Wiki (at www.secure-computing.net)
16:24 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:25 < krzie> pasted mine to show i was on windows right now (using putty)
16:25 < krzie> but still easy
16:25 < ecrist> yeah, putty still does socks proxying though
16:25 < krzie> yup
16:45 < krzie> cool watching now!
16:45 < krzie> thanx
16:48 < reiffert> ecrist: did you get firefox to work with sock5 when authentication is required?
16:48 < krzie> it doesnt look like theres a way to do that
16:48 < krzie> in firefox
16:48 < krzie> i THINK opera does, can look when im home if you want
16:49 < reiffert> safari doesnt work as well..
16:49 < reiffert> proxifier does pretty well on both
16:51 < krzie> ohh if you have proxifier you love it!
16:52 < reiffert> jup
16:55 < reiffert> what I could need is a socks5 client running on mipsel
16:57 < krzie> i actually paid for proxifier
16:57 < krzie> i really like it and they werent asking much
16:57 < reiffert> I was taking the freeware version...
16:57 < krzie> freeware?
16:57 < krzie> you mean shareware
16:58 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
16:58 < reiffert> Ah, 31 days free trial, I see.
17:57 -!- tarbo2 [~me@unaffiliated/tarbo] has quit [Ping timeout: 258 seconds]
17:59 -!- tarbo2 [~me@unaffiliated/tarbo] has joined ##openvpn
18:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
18:15 -!- mithridates [~chatzilla@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
18:19 -!- Rolybrau [~Rolybrau@243-76.3-85.cust.bluewin.ch] has joined ##openvpn
18:19 -!- Rolybrau [~Rolybrau@243-76.3-85.cust.bluewin.ch] has quit [Changing host]
18:19 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:24 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
18:32 -!- Guest9259 is now known as redfox
18:33 -!- redfox is now known as Guest61129
18:36 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has quit [Ping timeout: 276 seconds]
18:46 -!- corretico_ [~laguilar@201.201.46.106] has joined ##openvpn
18:49 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 258 seconds]
18:49 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Operation timed out]
18:52 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
18:52 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
18:52 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
19:09 -!- flacom [~flaco@pc-166-153-83-200.cm.vtr.net] has joined ##openvpn
19:17 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has joined ##openvpn
19:19 -!- le0 [~itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
19:20 -!- karlgus [~karl@c-ea61e055.031-36-68626710.cust.bredbandsbolaget.se] has joined ##openvpn
19:23 < flacom> Hi all... anyone here?
19:29 < ecrist> yup
19:31 < ecrist> krzie and reiffert: on mac os x, you can go to System Preferences -> Network -> Advanced -> Proxies and setup a SOCKS Proxy.  that allows you to setup authentication.  In firefox, specify use system proxy.
19:34 -!- mithridates [~chatzilla@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.5/20091102141836]]
19:35 < flacom> hi, I got a problem... I'm running openvon server on fedora, I can connect a PC that is in other city.... but a PC in the same LAN of the vpn server can't... if I change the hostname to the LAN ip the local pc can connect...
19:35 -!- tarbo2 [~me@unaffiliated/tarbo] has quit [Ping timeout: 246 seconds]
19:37 < ecrist> then do that
19:38 < flacom> but if I change the hostname with a LAN ip, the connectivity test fails
19:39 < flacom> now I have as hostname matusvpn.dnsalias.net and clients outside my LAN can connect to the server... and the connectivity test is success
19:40 -!- tarbo2 [~me@pool-173-75-5-88.pitbpa.fios.verizon.net] has joined ##openvpn
19:40 -!- tarbo2 [~me@pool-173-75-5-88.pitbpa.fios.verizon.net] has quit [Changing host]
19:40 -!- tarbo2 [~me@unaffiliated/tarbo] has joined ##openvpn
19:41 -!- corretico_ [~laguilar@201.201.46.106] has quit [Quit: Leaving]
19:41 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
19:49 < Bushmills> your problem is one of host name resolution.
19:49 < Bushmills> resp. unability to reach the ip address to which host name is resolved
20:15 < flacom> Bushmills, how can I solve this?
20:16 < Bushmills> by setting your host name resolving, and being able to reach interfaces with ip addresses resolved to correctly
20:18 -!- Dougy [~me@69.10.59.230] has joined ##openvpn
20:18 < Dougy> ello ya'll
20:19 < Dougy> i have a question.. i probably would grasp it if i wasnt so burnt out and not have to ask
20:20 < Dougy> I have a switch, say it's X.X.X.X/30.. and I want to access it via VPN only (openvpn).. is there a way to set up openvpn to reach the switch ?
20:37 < flacom> Bushmills, thanks for your help, now works correctly :)
20:48 < Bushmills> yw. glad you didn't need step by step instructions :) 
20:52 -!- fsufitch [~fsufitch@sirius.poly.edu] has joined ##openvpn
20:53 < fsufitch> hey, could someone help me with my openvpn setup?
20:53 < fsufitch> i think i got everything right, but my server "Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13)"
20:54 < fsufitch> which is odd considering i'm root, so does anyone have an idea?
20:55 < Bushmills> ls -l /dev/net/tun   ?
20:56 < fsufitch> crw------- 1 root root 10, 200 2010-01-31 21:54 /dev/net/tun
20:56 < fsufitch> it's *there*, but i don't know why i can't access it...
20:57 < Dougy> fsufitch: uname -r
20:57 < fsufitch> 2.6.18-128.2.1.el5.028stab064.8ent
20:57 < Bushmills> mine is   crw-rw-rw- 1 root root 10, 200 Jan 26 22:42 /dev/net/tun
20:57 < Dougy> thats why
20:57 < Dougy> its openvz
20:57 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
20:58 < Dougy> actually it looks like its created properly
20:58 < fsufitch> well how can i make it work with openvz? do chmod a+rw like Bushmills's conf?
20:58 < Dougy> did you enable tun on hostnode properly
20:58 < fsufitch> i dont remember doing anything special to enable it, it has to be enabled?
20:59 < Dougy> yes
20:59 < Dougy> its a process
20:59 < Dougy> you mknod'd it in the VPS and set the tun parameters or no
20:59 < Dougy> on the hostnode
21:00 < fsufitch> er, i'm confused, i didn't use mknod
21:01 < Dougy> oh
21:01 < fsufitch> it was just... there
21:01 < Dougy> do you have access to hostnode
21:01 < fsufitch> yes
21:01 < Dougy> http://wiki.openvz.org/VPN_via_the_TUN/TAP_device
21:01 < vpnHelper> Title: VPN via the TUN/TAP device - OpenVZ Wiki (at wiki.openvz.org)
21:01 < fsufitch> i'm trying to set up a VPN between my VPS and a couple of other machines i own
21:01 < Dougy> !openvz
21:01 < vpnHelper> Dougy: "openvz" is http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn bout openvz specific stuff with regards to openvpn
21:02 < Dougy> ahh it is in the bot
21:02 < Dougy> win
21:02 < fsufitch> lol, okay i'll read that and try it out
21:02 < fsufitch> thanks
21:03 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
21:03 < fsufitch> oh snap
21:03 < fsufitch> Dougy: root@vps:/etc/openvpn# modprobe tun
21:03 < fsufitch> FATAL: Could not load /lib/modules/2.6.18-128.2.1.el5.028stab064.8ent/modules.dep: No such file or directory
21:03 < Dougy> ouch
21:04 < Dougy> not on the vps
21:04 < Dougy> on host node ..
21:04 < fsufitch> host node == server, right?
21:04 < Dougy> as in
21:04 < Dougy> the box the openvz kernel is installed on
21:04 < Dougy> not the openvz container
21:04 < fsufitch> (sorry, clueless...)
21:05 < fsufitch> oh, no i don't have access to the node itself, sorry
21:05 < Dougy> need to ask the person who does to do it
21:05 < fsufitch> ok
21:05 < Dougy> you're SOL until they do
21:05 < Dougy> you rent a VPS somewhere? :)
21:05 < fsufitch> yes
21:05 < Dougy> virtuozzo?
21:05 < fsufitch> quantact.com
21:05 < Dougy> why have i heard of them
21:06 < Dougy> LOL mcaffee blacklisted them
21:06 < fsufitch> wait what o_O
21:06 < fsufitch> seriously?
21:06 < Dougy> Mcafee siteadvisor flashed red
21:06 < Dougy> http://www.siteadvisor.com/sites/quantact.com?premium=false&client_uid=2503347204&client_ver=3.0.1.163&client_type=IEPlugin&suite=true&aff_id=755&locale=en_us&os_ver=6.1.0.0&pip=true
21:06 < vpnHelper> Title: quantact.com | McAfee SiteAdvisor Software – Website Safety Ratings and Secure Search (at www.siteadvisor.com)
21:06 < fsufitch> that makes me sad
21:06 < fsufitch> anyway it seems there's an option to add a TUN device on the management page
21:07 < Dougy> nice nice
21:09 < Dougy> https://www.thepaypalblog.com/2008/08/proposed-irs-reporting-requirements-become-law/
21:09 < Dougy> w
21:09 < Dougy> wow
21:09 < vpnHelper> Title: The PayPal Blog » Blog Archive » Proposed IRS Reporting Requirements Become Law (at www.thepaypalblog.com)
21:09 < Dougy> fuck the irs
21:10 < fsufitch> heh
21:11 < fsufitch> hey cool, the vpn started :)
21:11 < Dougy> yay
21:11 < Dougy> their prices arent bad
21:11 < Dougy> mine are about the same 
21:11  * Dougy is happy
21:11 < fsufitch> and i can ping my server address
21:11  * fsufitch cheers
21:15 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
21:16 < fsufitch> Dougy: are you familiar with the NetworkManager openvpn plugin? it's either it or me that's being stupid, and it's most likely the latter
21:16 < Dougy> !ubuntu
21:16 < vpnHelper> Dougy: "ubuntu" is dont use network manager!
21:16 < fsufitch> :|
21:17 < fsufitch> i figured, the way that works best is always the hard way
21:22 -!- le0 [~itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Ping timeout: 272 seconds]
21:25 < ecrist> ssssshhhh
21:26 < ecrist> fsufitch: don't use newtowrk manager.
21:26 < ecrist> it's broken.
21:28 < Dougy> yo ecrist
21:28 < Dougy> im on a rage of stupidity tonight
21:28 < Dougy> did you see my question
21:29 < fsufitch> ecrist, Dougy do you have a client setup guide or something, or do i have to learn by trial and error?
21:30 < Dougy> um
21:30 < Dougy> client set up guide ?
21:30 < Dougy> it's ery ismple
21:30 < Dougy> very
21:34 < fsufitch> oh hey, there's a client.conf in the sample files
21:34 < fsufitch> i'm blind
21:35  * Dougy head desk
21:41 -!- APTX| [~APTX@chello089076052083.chello.pl] has joined ##openvpn
21:41 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 248 seconds]
21:43 -!- Mtn_Bkng_Dave [~whome@c-24-99-232-29.hsd1.ga.comcast.net] has joined ##openvpn
21:44 -!- Mtn_Bkng_Dave [~whome@c-24-99-232-29.hsd1.ga.comcast.net] has quit [Client Quit]
21:45 < fsufitch> Dougy: what's the difference between "command" and ";command" in the config?
21:45 < Dougy> ; is commented out
21:45 < Dougy> wtf has gotten into me
21:45 < Dougy> this is the most helpful i've ever been
21:45 < Dougy> and im practically asleep
21:45 < fsufitch> wait then what's the difference between ; and #?
21:45 < Dougy> same thing
21:46 < fsufitch> and it's probably because i'm so clueless that by comparison you're a genius even when asleep
21:46 < Dougy> i never help anyone
21:46 < Dougy> ecrist and krzie always tell me im useless (not flat out, just subtle)
21:47 < Dougy> btw fsufitch if you have any questions
21:47 < Dougy> check this page
21:47 < Dougy> !factoids
21:47 < vpnHelper> Dougy: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
21:47 < Dougy> as in, use search feature of browser to see if your question is in there
21:47 < fsufitch> cool, thanks :)
21:49 < Dougy> !irclogs
21:49 < vpnHelper> Dougy: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days.
21:49 < Dougy> holy sh*t krzie talks a lot
21:49 < Dougy> lol
21:49 < Dougy> goddamn
21:53 -!- DarkAnt [~DarkAnt@c-24-63-224-114.hsd1.ma.comcast.net] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Now with extra fish!]
22:07 -!- Dougy [~me@69.10.59.230] has quit []
22:24 -!- error404notfound [~Eror404@119.153.51.227] has quit [Quit: User guilty of hitting the Big Red X]
22:43 < fsufitch> it works! \o/
22:47 < fsufitch> thanks to all who helped :)
22:47 -!- fsufitch [~fsufitch@sirius.poly.edu] has quit [Quit: leaving]
22:55 -!- huzaifas [~huzaifas@nat/redhat/x-ynqmlcvydnhqlahj] has joined ##openvpn
23:04 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: Leaving]
23:08 -!- tjz [~tjz@unaffiliated/tjz] has quit [Ping timeout: 248 seconds]
23:09 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:31 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit []
23:55 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
23:58 -!- error404notfound [~Eror404@203.99.185.240] has joined ##openvpn
--- Day changed Mon Feb 01 2010
00:12 -!- error404notfound [~Eror404@203.99.185.240] has quit [Ping timeout: 272 seconds]
00:13 -!- icecream [~job@unaffiliated/rapidmon] has joined ##openvpn
00:13 < icecream> !welcome
00:13 < vpnHelper> icecream: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
00:25 -!- tarbo2 [~me@unaffiliated/tarbo] has quit [Quit: leaving]
00:31 -!- icecream [~job@unaffiliated/rapidmon] has left ##openvpn []
00:32 -!- icecream [~job@unaffiliated/rapidmon] has joined ##openvpn
00:33 -!- icecream [~job@unaffiliated/rapidmon] has left ##openvpn []
00:43 -!- TecR0c [tecr0c@never.met.a.leet-hacker.net] has joined ##openvpn
00:43 < TecR0c> hi all
00:43 < TecR0c> everytime i do a test connection i get vpn.server.daemon.enable
00:51 -!- tarbo2 [~me@unaffiliated/tarbo] has joined ##openvpn
01:06 -!- tjz [~tjz@bb116-15-75-224.singnet.com.sg] has joined ##openvpn
01:06 -!- tjz [~tjz@bb116-15-75-224.singnet.com.sg] has quit [Changing host]
01:06 -!- tjz [~tjz@unaffiliated/tjz] has joined ##openvpn
01:26 -!- dovim [~n@unaffiliated/dovim] has joined ##openvpn
01:26 < dovim> !welcome
01:26 < vpnHelper> dovim: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:26 < dovim> !howto
01:26 < vpnHelper> dovim: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
01:27 < dovim> I am not sure of this is a silly question or not, but is it possible to use S/Key authentication with OpenVPN?
01:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:00 -!- polaru [~polaru@93.113.192.70] has joined ##openvpn
02:01 < dovim> !wiki s/key
02:01 < vpnHelper> dovim: Error: "wiki" is not a valid command.
02:06 < reiffert> !factoids search --values s/key
02:06 < vpnHelper> reiffert: No keys matched that query.
02:06 < dovim> Damnit.
02:07 < dovim> I would really like that to be an option
02:07 < reiffert> openvpn got a pam plugin, so whenever s/key works with pam, you are done.
02:07 < |Mike|> why ?
02:07 < dovim> Ah ok
02:07 < dovim> reiffert: Thank you
02:07 -!- error404notfound [~Eror404@mbl-99-57-238.dsl.net.pk] has joined ##openvpn
02:09 < reiffert> "S/KEY is supported in Linux (via Pluggable authentication modules), "
02:31 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:31 -!- mode/##openvpn [+o mattock] by ChanServ
02:45 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
02:46 -!- Jck_true [~jcktrue@unaffiliated/jcktrue/x-390518] has joined ##openvpn
02:47 < Jck_true> Sorry if I didn't understand the channel guidelines correctly...
02:48 < Jck_true> I'm trying to setup PPTPd on my server
02:48 < Jck_true> I've got connections and authentication working 
02:48 < Jck_true> And my clients are getting IP's but I seem unable to make any outbound connections
02:49 < rob0> So, you decided to give up and try openvpn? Good choice!
02:49 < rob0> !PPTP
02:49 < vpnHelper> rob0: "PPTP" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
02:49 < vpnHelper> rob0: read about why to not use pptp
02:49 < Jck_true> I know it's insecure... But it's supported by my iPod
02:50 < Jck_true> iPhone*
02:50 < rob0> Oh. But no, it's not supported here, sorry.
02:50 < Jck_true> :-(
02:50 < Jck_true> Thanks anyway 
02:51 < Jck_true> Is IPSec supported by Windows?
02:51 < rob0> Peruse the bot, sounds like you have a routing problem.
02:51 < rob0> !factoids
02:51 < vpnHelper> rob0: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
02:53 < Jck_true> I hope one day stupidity gets accepted as a valid condition and I can get fulltime goverment support instead of working on this :-s
03:07 -!- master_of_master [~master_of@p57B5715D.dip.t-dialin.net] has quit [Ping timeout: 272 seconds]
03:09 -!- master_of_master [~master_of@p57B54EA2.dip.t-dialin.net] has joined ##openvpn
03:09 -!- le0_ [~itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
03:12 -!- Jck_true [~jcktrue@unaffiliated/jcktrue/x-390518] has left ##openvpn []
03:14 -!- error404notfound [~Eror404@mbl-99-57-238.dsl.net.pk] has quit [Ping timeout: 248 seconds]
03:23 -!- |Mike| [mike@2001:1af8:2:444::2] has quit [Ping timeout: 258 seconds]
03:31 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has joined ##openvpn
03:34 -!- |Mike| [mike@2001:1af8:2:444::2] has joined ##openvpn
03:37 -!- Guest65496 is now known as dazo
03:44 -!- fluxdude2 [~fluxdude@212.240.75.195] has joined ##openvpn
03:45 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has quit [Ping timeout: 245 seconds]
03:47 < reiffert> keeping forum and mailinglists in sync? omg.
03:50 < fluxdude2> does anyone know about the performance differences between using the default blowfish vs aes 256 algorithm?
03:50 < fluxdude2> or diffie hellman 1024 vs 2048
03:53 -!- Nrg_ [pk@reaktio.net] has quit [Quit: leaving]
04:13 -!- error404notfound [~Eror404@119.153.32.235] has joined ##openvpn
04:22 -!- error404notfound [~Eror404@119.153.32.235] has quit [Ping timeout: 248 seconds]
04:31 < vpnHelper> New forum entry openvpnforum: Server Administration :: Problems Creating Extra Client Keys :: Author leo2308 <http://www.ovpnforum.com/viewtopic.php?f=4&t=2682&p=3135#p3135>
04:33 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Quit: Lost terminal]
04:34 < fluxdude2> I've got a weird error from openvpn, I've just created a new certificate and when I try using it the openvpn logs says the certificate is revoked
04:34 < fluxdude2> I probably made one of the same CN previously, and now I can't seem to make another one of the same CN?
04:36 < reiffert> certificates are CN based, so this may be true, though I have no idea about the revoking message.
04:36 < fluxdude2> but surely the new cert should be ok?
04:36 < fluxdude2> I don't need to enable duplicate cn just for this do I????
04:36 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
04:37 < reiffert> I dont know what happens when you revoke a cert for CN=foo, when you create another cert with CN=foo.
04:37 < fluxdude2> that means every time I want to issue a new cert to the same user, that user's name would have to be change?
04:37 < fluxdude2> surely not!
04:38 < reiffert> you seem to know more than I do, I'm out.
04:43 < macsppadic> fluxdude2: source the vars file first?
04:53 < fluxdude2> creating the cert worked fine... it's only now I come to use it that it does...
04:55 < fluxdude2> that it gets rejected by the server I mean
05:01 < macsppadic> am wondering if worthwhile checking the list-crl and index.txt 
05:01 < macsppadic> tho i must admit not had this issue myself 
05:14 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
05:22 -!- ScriptFanix [vincent@Tuluk.riquer.fr] has joined ##openvpn
05:22 < ScriptFanix> !welcome
05:22 < vpnHelper> ScriptFanix: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:23 < ScriptFanix> !iporder
05:23 < vpnHelper> ScriptFanix: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
05:24 < ScriptFanix> !ipp
05:24 < vpnHelper> ScriptFanix: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
05:25 < ScriptFanix> !static
05:25 < vpnHelper> ScriptFanix: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
05:25 < ScriptFanix> !ccd
05:26 < vpnHelper> ScriptFanix: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
05:26 < ScriptFanix> !wiki
05:26 < vpnHelper> ScriptFanix: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
05:27 < macsppadic> fluxdude2: any luck ?
05:28 < fluxdude2> macsppadic: yeah I revoked that newly created cert, and recreated it and now it works...
05:28 -!- huzaifas [~huzaifas@nat/redhat/x-ynqmlcvydnhqlahj] has quit [Quit: Leaving]
05:29 < macsppadic> nice
05:29 < fluxdude2> at least I know cert revocation works....
05:29 < fluxdude2> ;-)
05:30 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
05:30 < macsppadic> aye heheh that was bit odd tho 
05:40 -!- kyrix [~ashley@45.Red-80-25-61.staticIP.rima-tde.net] has joined ##openvpn
05:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 248 seconds]
06:19 -!- error404notfound [~Eror404@119.153.32.235] has joined ##openvpn
06:22 -!- kyrix [~ashley@45.Red-80-25-61.staticIP.rima-tde.net] has quit [Quit: Leaving]
06:30 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 248 seconds]
06:35 -!- error404notfound [~Eror404@119.153.32.235] has quit [Ping timeout: 240 seconds]
06:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:41 -!- APTX| [~APTX@chello089076052083.chello.pl] has quit [Quit: Farewell]
06:42 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
06:42 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
06:42 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
06:44 -!- EdwardIII [~chatzilla@unaffiliated/edward123] has joined ##openvpn
06:45 < EdwardIII> hey, you don't need to generate diffie hellman paramaters after every new client key you create, do you?
06:46 < macsppadic> nope EdwardIII not as far as i am aware 
06:46 < EdwardIII> i've just created a new key for a user, when it prompted for a password i just hit 'enter'
06:46 < EdwardIII> however user is getting TLS handshake failed, and something about a self-signed cert in the chain?
06:47 < EdwardIII> this is on windows, openvpn 2.0.9 on windows
06:47 < ecrist> good morning
06:48 < EdwardIII> the setup script prompted me, to sign, i chose 'y', it prompted me to commit to which i also said 'y'
06:48 < EdwardIII> the final output was "Write out database with 1 new entries \ Data Base Updated"
06:48 < havoc> morning
06:50 < EdwardIII> 'lo havoc 
06:57 -!- error404notfound [~Eror404@119.153.32.235] has joined ##openvpn
07:13 < reiffert> hm, 404 has found us.
07:13 < reiffert> Do we still exist?
07:14 -!- error404notfound [~Eror404@119.153.32.235] has quit [Ping timeout: 256 seconds]
07:14 < reiffert> :)
07:21 -!- yoshx [~yoshx@88-139-245-149.adslgp.cegetel.net] has joined ##openvpn
07:21 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Quit: I am off]
07:26 -!- krzee [nobody@hemp.ircpimps.org] has joined ##openvpn
07:26 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
07:26 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
07:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
07:30 -!- Sp4rKy [~Sp4rKy@freenode/sponsor/sp4rky] has quit [Ping timeout: 246 seconds]
07:40 -!- fluxdude2 [~fluxdude@212.240.75.195] has quit [Changing host]
07:40 -!- fluxdude2 [~fluxdude@unaffiliated/fluxdude] has joined ##openvpn
07:40 -!- fluxdude2 is now known as fluxdude
07:43 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
07:53 -!- Sp4rKy_ [~Sp4rKy@rennes1.dunnewind.net] has joined ##openvpn
07:53 -!- Sp4rKy_ [~Sp4rKy@rennes1.dunnewind.net] has quit [Client Quit]
07:54 -!- karlgus [~karl@c-ea61e055.031-36-68626710.cust.bredbandsbolaget.se] has quit [Quit: Leaving]
07:56 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
08:04 -!- incorrect [~fwest@78.33.42.140] has joined ##openvpn
08:05 -!- havoc [~havoc@saturn.chaillet.net] has left ##openvpn ["bbl"]
08:24 < dazo> EdwardIII:  the dhparam is just a pretty big prime number ... it's used for helping seeding the encryption layer ... if it's missing, it will do it on the fly, but generating DH params on the fly is a rather expensive operation ... you probably should change it from time to time (like minimum 2-3 times a year or so)
08:24 < EdwardIII> hmm OK dazo 
08:24 < EdwardIII> where can i start diagnosing why the openvpn servers seem to think the key is signed by an untrusted CA?
08:25 < EdwardIII> i created the key on the server, signed it using the quick key generation script that comes with openvpn and the ssl stuff on windows, then copied it back via SSL?
08:25 < EdwardIII> when i say 'copied it back' i mean back here to our network
08:26 < dazo> in the log files ;-) ... verb 4 on the server should be enough .... double chech that the CA file is being loaded ... and you can use openssl commands to validate the contents of these cert files
08:26 < EdwardIII> OK thanks dazo, i shall check out the 4th verb
08:27 < dazo> The server and clients needs the ca certificate which easy-rsa created when doing the ./build-ca step  (the --ca config argument)
08:28 < EdwardIII> ah....
08:28 < dazo> Then the server will need a key and a signed certificate .... which is done by the ./build-server (iirc) ... you will then need to copy out the server.key and server.crt to the server
08:28 < EdwardIII> i don't think i included the server's cert on the client
08:28 < dazo> you need to differentiate server.crt and ca.crt ... that is two different certs
08:29 < dazo> when the server have the ca.crt, server.crt and server.key .... you would create client certs with ./build-client (again, iirc) .... and this will produce client.key and client.crt .... these two files + ca.crt needs to go to the client
08:33 -!- flacom [~flaco@pc-166-153-83-200.cm.vtr.net] has quit [Read error: Connection reset by peer]
08:34 < EdwardIII> got it
08:35 < EdwardIII> i'd just been foolish and copied the client CSR instead of the server's CA certificate to the client, it's been a looong time since i created an openvpn client certificate
08:36 < dazo> ahh :)
08:37 -!- epaphus [~epaphus@190.10.68.228] has joined ##openvpn
08:37 < ScriptFanix> hello there
08:38 < EdwardIII> dazo: in your office do your users tend to have just 1 private/public key pair that they use for a range of different services e.g. encryption of e-mails, openvpn connection etc?
08:38 < EdwardIII> or is it a better idea to stick to 1 key per service?
08:38 < EdwardIII> well, 1 key-pair per service
08:38 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
08:39 < dazo> EdwardIII:  dunno .... we're only using openvpn which requires certificates .... I'd probably lean towards having one certificate per person ... easier to administer, especially when you need to revoke a certificate
08:40 < ScriptFanix> One of our teleshifters is running a personal FTP server on his windows box. When his tunnel is up, his ftp server becomes inaccessible. His computer has the address 192.168.1.2/24, VPN addresses are assigned from the 192.168.255.0/24 block (TAP devices)
08:41 < dazo> ScriptFanix:  sounds like routing or firewall issues
08:41 < EdwardIII> dazo: sure. on my to-do list is creating a portable openvpn setup so staff can have a usb stick with everything they need to connect up remotely 
08:41 -!- flacom [~flaco@pc-166-153-83-200.cm.vtr.net] has joined ##openvpn
08:41 < ScriptFanix> the VPN server pushes routes to 192.168.192.0/24 and 192.168.64.0/24
08:41 < EdwardIII> but of course, the TAP adapter is the main cause of problems so far
08:41  * EdwardIII has checked out the portable version which looks good in theory but has TAP issues
08:41 < dazo> ScriptFanix:  but it don't push 192.168.1.0/24
08:43 < dazo> EdwardIII:  in that setting, one key per usb stick is probably more sensible
08:43 < EdwardIII> yes
08:43 < EdwardIII> the loss of a usb stick is much higher probability than a machine getting compomised and someone pilffering the key
08:43 < ScriptFanix> dazo: no, it doesn't
08:43 < EdwardIII> imo anyway, heh maybe your users are more organised!
08:44 < dazo> dazo:  that might be the problem
08:44 < ScriptFanix> ipconfig and routing tables when the tunnel is up : http://paste.debian.net/hidden/3346c6a2/
08:46 < ScriptFanix> (sorry, his windows is in French)
08:46 < dazo> ScriptFanix:  is he connecting to the openvpn server?
08:46 < dazo> or is he running it?
08:47 < ScriptFanix> he is a client
08:48 < dazo>   192.168.1.0    255.255.255.0         On-link       192.168.1.2    266
08:48 < dazo> he is a client ... and you try to connect to his FTP server?
08:49 < dazo> !goal
08:49 < vpnHelper> dazo: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:50 < dazo>           0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.2     10
08:50 < dazo> this rule might be the issue
08:50 < ScriptFanix> the goal is for him to access resoucres on the 192.168.64/24 and 192.168.192/24 subnets, behind the VPN server, and this is achieved
08:51 < dazo> but he looses connection to his own network?
08:51 < dazo> or localhost?
08:52 < ScriptFanix> he still has access to his LAN and the Internet through his NAT box. His FTP server should be accessible from his LAN or from the internet with appropriate port forwarding rules on his NAT router
08:56 < ScriptFanix> I just asked, his server is still accessible from his computer, both on 127.0.0.1 and 192.168.1.2. Another computer on his LAN cannot
09:01 < ScriptFanix> OK, Microsoft Windows' firewall just sucks :)
09:01 < ScriptFanix> sorry
09:04 < dazo> no prob ... yeah, this doesn't sound like openvpn issue .... sounds more like firewall now
09:05 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:06 -!- n0ah [n0ah@edge.chi.arknet.n0ah.org] has joined ##openvpn
09:07 < n0ah> configure is giving me checking that OpenSSL Library is at least version 0.9.6... configure: error: OpenSSL crypto Library is too old.
09:07 < n0ah> even though i had a 0.7 installed i compiled the latest source and installed that, still the same message
09:07 < n0ah> both are in $PKG_CONFIG_PATH
09:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:09 < dazo> n0ah:  you have some library conflicts ... you can use --with-ssl-headers=<path> and --with-ssl-lib=<path> to give the proper directory path where to find the correct SSL
09:10 < n0ah> dazo i'll give that a shot
09:12 -!- yoshx [~yoshx@88-139-245-149.adslgp.cegetel.net] has quit [Quit: Nice Scotty, now beam my clothes up too!]
09:12 < n0ah> dazo yup it's good now. configure is going to the next step :P
09:13 < n0ah> now the scary part, attempting to compile on solaris/sparc64
09:14 < n0ah> hopefully not scarry, some code knows what it's doing when it comes to this stuff some doesn't
09:14 < n0ah> i trust openvpn :P
09:14 < dazo> n0ah:  I would probably recommend you to consider to upgrade all software using 0.9.6 and remove 0.9.6 completely .... that's not a safe version at all
09:15 < n0ah> dazo actually i just noticed the version i had installed is the same version i just compild and installed to a different directory, it just wasn't finding it for some reason right.. i dunno
09:16 < dazo> n0ah:  aha ... well, I belive it looks for openssl in the default system paths, not necessarily what pkg-config says
09:16 < n0ah> and just says they are too old even if it can't find them it seems
09:17 < dazo> yeah ... that could be improved ... but it might be it says that because it doesn't find an include file or a function which is present in newer versions
09:17 < dazo> and when it doesn't find it ... it just says, "too old version", even though it can't find it due to not finding the lib/include
09:17 < n0ah> hm well it errored :( unresolved symbols
09:17 < n0ah> http://pastebin.com/m366a1f54
09:18 < n0ah> might have something to do with the ssl library but i just compiled it from *scratch*
09:18 < dazo> n0ah:  you're missing a correct --with-ssl-lib path now, I'd guess
09:19 < dazo> dazo:  you should be able to run that last gcc line manually ... to try to add another -L argument with a path to where you have the openssl ilb
09:19  * dazo gotta run
09:19 < n0ah> nice -n 20 ./configure --disable-lzo --with-ssl-headers=/usr/local/ssl/include --with-ssl-lib=/usr/local/ssl/lib
09:20 < n0ah> that is what i did
09:20 < n0ah> also --disable-lzo works .. --disable-ssl doesn't seem to
09:20 < n0ah> it still required libssl in the config
09:20 < n0ah> configure script still looked for it
09:20 < dazo> you really don't want to disable ssl if you want a safe VPN
09:21 < n0ah> no.. because just like on any other connection if i want something encrypted i'll do it at the application layer (despite openvpn)
09:21 < n0ah> most stuff i'd rather get the performance tradeoff
09:21  * dazo runs
09:22 < n0ah> hah it only built a static libssl.a dazo
09:22 -!- dazo is now known as dazo_afk
09:22 < n0ah> guess i'll point it at the last one my pkg management tool had installed, same version but probably dynamic
09:22 < n0ah> later dazo_afk 
09:23 < n0ah> yea seems to be the case *reconfigures*
09:35 < flacom> hi all.. I got a question... if a client (linux) is connected to the vpn server, and the server is loose the internet connection or is rebooted, the client is connected automatic to the vpn server??
09:36 -!- zuez [~sf@catalyst.httpd.org] has joined ##openvpn
09:36 < zuez> Hmph, used to be a link in the topic for how to get disparate networks to speak to each other over VPN, anyone still have access to that? :-)
09:36 < zuez> !client
09:36 < vpnHelper> zuez: Error: "client" is not a valid command.
09:36 < zuez> dang. :-)
09:40 -!- error404notfound [~Eror404@119.153.73.226] has joined ##openvpn
09:45 < n0ah> flacom: if the server is started, but yes if the client is started before the server or is still running they will still negotiate
09:49 -!- KaiForce [~chatzilla@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
09:49 < Bushmills> zuez: 
09:49 < Bushmills> !route
09:49 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:52 -!- epaphus [~epaphus@190.10.68.228] has quit [Ping timeout: 260 seconds]
09:56 -!- stephenh [~stephenh@94-23-158-103.kimsufi.com] has quit [Read error: No route to host]
10:03 < zuez> Bushmills: Thanks! that's what I needed.
10:08 -!- epaphus [~epaphus@static.204.79.46.78.clients.your-server.de] has joined ##openvpn
10:10 -!- wwalker [~wwalker@mailbox.eclipsing.com] has left ##openvpn []
10:12 < flacom> n0ah, thanks :)
10:13 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
10:13 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Quit: Leaving]
10:23 -!- sparch [~daniel@pdpc/supporter/active/sparch] has joined ##openvpn
10:24 < sparch> hi
10:24 < sparch> is cold out there?
10:24 < sparch> here is so damn hot
10:24 < sparch> =\
10:25 < sparch> this heat is freakin me up
10:25 < sparch> btw, OpenVPN is fuckin awesome
10:25 < ecrist> 8*F here...
10:26 < sparch> in Celsius?
10:26 < flacom> 32° celcius here
10:26 < ecrist> no, F, that's why the F was there...
10:26 < incorrect> is it possible to force a client to enter their username and password, 
10:26 < sparch> yep, I know, but how much in C?
10:26 < ecrist> incorrect: by requireing one on the server side, sure.
10:27 < incorrect> i saw there is a patch for ldap
10:27 < |Mike|> OpenVPN works pretty good with ldap
10:27 < incorrect> now i am happy to get the username and password from pam
10:27 < ecrist> sparch: -13*C
10:27 < sparch> wowwww
10:27 < sparch> thats good!
10:27 < |Mike|> chilly there ecrist 
10:27 < incorrect> and pam can get it from the ldap server
10:27 < ecrist> actually, it's pretty nice
10:28 < sparch> 33*C here
10:29 < |Mike|> where is sparch coming from ?
10:29 < incorrect> can i use an username and password with a cert?
10:29 < |Mike|> why would you like to do that ?
10:30 < ecrist> lowest temp this year so far, -37*F, which is -38*C
10:32 < incorrect> well its quicker for me to remove someone from the ldap server than it is to revoke their cert
10:32 < sparch> ecrist: my God...
10:32 < sparch> ecrist: the lowest I've in was -2*C
10:33 < sparch> chaos
10:33 < ecrist> Minnesota record is -61*C (-79.3*F)
10:34 < ecrist> that's not counting windchill
10:35 < ecrist> coldest Minnesota temp with windchill was in 1936 at -100*F (-73.3*C)
10:36 < ecrist> the coldest I've dealt with was about -73*F (temp was -56*F) in Bemidji about 5 years ago
10:36  * rob0 <3 Dixieland
10:37 < ecrist> the coldest I ride my motorcycle is ~40*F (4*C)
10:37 < rob0> We got down to -5C or so last night, but the forecast high is 10C
10:39 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
10:40 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
10:40 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
10:40 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
10:47 < n0ah> dazo_afk: i figured why --disable-ssl and it was still looking for openssl, because it uses the crypto library portion of it still must --disable-crypto to get the openssl out of it completely
10:47 < n0ah> and it did compile just fine after that, (am sure it would have with correct ssl library too)
10:47 < n0ah> sparc64/solaris
10:48 -!- polaru [~polaru@93.113.192.70] has quit [Remote host closed the connection]
10:48 < incorrect> do i need to add anything to a client for it to know to send a username and password?
10:50 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
10:52 < sparch> incorrect: auth-user-pass
10:53 < gorkhaan> --auth-user-pass 
10:54 < sparch> gorkhaan: this parameter is from cli
10:54 < sparch> *for cli
10:54 < sparch> I mean, without the -- to go into config file.
10:55 < incorrect> thanks
10:55 -!- gorkhaan_ [~gorkhaan@87.229.108.75] has joined ##openvpn
10:55 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Read error: Connection reset by peer]
10:55 < incorrect> and on the server i need something like plugin /usr/lib/openvpn/openvpn-auth-pam.so "login login USERNAME password PASSWORD"
10:55 < rob0> It's in the man page with the leading "--", so that's a good way to tell someone.
10:56 < sparch> ok.
10:57 < gorkhaan_> incorrect,  u can authenticate with any kind of script, openvpn checks the exit code of the script,  for example if it's bash script,   exit 0 means openvpn will keep/create the connection exit 1 disconnects
10:57 < gorkhaan_> I'm using this method ( bash script + MySQL )
10:57 < incorrect> ah
10:57 < sparch> nice
10:57 < gorkhaan_> + wordpress :)
10:58 < sparch> the limit is our creativity ;)
10:58 < gorkhaan_> indeed.  :))
11:09 -!- al1irv [~sean@cpc1-hawk1-0-0-cust297.aztw.cable.virginmedia.com] has joined ##openvpn
11:10 < al1irv> are the sample-config-files supposed to be in gz format?
11:10 < al1irv> do you have to unpack them before using them?
11:11 < sparch> sure
11:11 < sparch> gunzip do the trick
11:13 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Quit: ZNC - http://znc.sourceforge.net]
11:13 < incorrect> ah great openvpn is great
11:13 < |Mike|> better than IPsec ? :p
11:14 < incorrect> well, let me see, i looked at openswan and strongswan
11:14 < incorrect> i tried to read the docs, they sucked
11:14 < incorrect> they were just weirdly random, 
11:15 < incorrect> i spent 2 days trying to figure out what i needed to do
11:15 < incorrect> i cried
11:15 < incorrect> this morning in an hour i had a working openvpn server going
11:15 < incorrect> i even have a mac working setting the DNS correctly
11:15 < |Mike|> and is it secure aswell ? :-)
11:16 < incorrect> well i used certs, so i hope so
11:16 < incorrect> then this afternoon, i thought it would be sweet if i could add username and password auth too
11:16 < sparch> I like OpenVPN
11:16 < sparch> fuckin awesome
11:17 < incorrect> i think i can here asking a poorly formed question, duh id like usernames and stuff
11:17 < incorrect> oh look there it is
11:17 < incorrect> 20 odd mins later its all working
11:17 < sparch> nice the hear
11:17 < Bushmills> madgick
11:17 < incorrect> just need to check tunnelblick thingy asks for a username
11:18 -!- gorkhaan_ [~gorkhaan@87.229.108.75] has quit [Read error: Connection reset by peer]
11:18 < sparch> incorrect: yeah, it asks ;)
11:18 < incorrect> ok let me test
11:18 < incorrect> as i've had a lot of people complaining how macs
11:19 < sparch> I use a Mac tih tunnelblick... no complain
11:19 < sparch> simply work.
11:19 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:19 < incorrect> hmm no dialog box 
11:19 < incorrect> ah i need auth-user-pass
11:19 < sparch> you have to put into config file auth-user-pass parameter
11:20 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
11:21 < sparch> I need a Coke
11:21 -!- macsppadic [~sonupunno@82.109.74.162] has left ##openvpn []
11:21 < sparch> and I need it now!
11:21 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
11:23 < n0ah> well too for me openvpn on solaris crashes the system just as often as not
11:23 < n0ah> too bad for me*
11:23 < n0ah> but it's not really openvpn
11:24 < n0ah> it's the tun1.1.tar.gz that comes from vtun sourceforge project or something like that
11:24 < n0ah> to create a /dev/tun device and interact with the tunnel driver
11:24 -!- corretico_ [~laguilar@201.201.46.106] has joined ##openvpn
11:25 < n0ah> it's a little driver
11:25 < n0ah> for systems that don't have /dev/tun
11:25 < n0ah> http://vtun.sourceforge.net/
11:25 < vpnHelper> Title: VTun - Virtual Tunnels over TCP/IP networks (at vtun.sourceforge.net)
11:26 < n0ah> that
11:26 < n0ah> 02.03.2001 Universal TUN/TAP driver 1.1 released
11:26 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
11:26 -!- mode/##openvpn [+o openvpn2009] by ChanServ
11:27 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 264 seconds]
11:27 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
11:29 < n0ah> http://unix.derkeiler.com/Mailing-Lists/SunManagers/2007-02/msg00065.html this guy had the same problem
11:29 < vpnHelper> Title: Solaris 10 + OpenVPN (tun/tap) (at unix.derkeiler.com)
11:29 -!- crazygir [~jason@li14-82.members.linode.com] has quit [Changing host]
11:29 -!- crazygir [~jason@unaffiliated/crazygir] has joined ##openvpn
11:29 < n0ah> i'm at a loss
11:33 -!- jeffl [coz@teledojo.com] has quit [Remote host closed the connection]
11:34 -!- gorkhaan_ [~gorkhaan@87.229.108.75] has joined ##openvpn
11:36 -!- incorrect [~fwest@78.33.42.140] has quit [Ping timeout: 246 seconds]
11:42 -!- Guest61129 is now known as redfox
11:42 -!- redfox is now known as Guest9842
11:47 -!- incorrect [~frith@cpc2-cmbg8-0-0-cust287.cmbg.cable.ntl.com] has joined ##openvpn
12:10 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has quit [Ping timeout: 245 seconds]
12:11 -!- Ghent [~ghent@unaffiliated/ghent] has joined ##openvpn
12:11 -!- flacom [~flaco@pc-166-153-83-200.cm.vtr.net] has quit [Ping timeout: 260 seconds]
12:12 -!- Ghent [~ghent@unaffiliated/ghent] has left ##openvpn []
12:23 -!- error404notfound [~Eror404@119.153.73.226] has quit [Ping timeout: 245 seconds]
12:25 -!- error404notfound [~Eror404@119.153.74.157] has joined ##openvpn
12:48 -!- tjz [~tjz@unaffiliated/tjz] has quit [Ping timeout: 248 seconds]
12:48 -!- tjz [~tjz@bb116-15-75-224.singnet.com.sg] has joined ##openvpn
12:48 -!- tjz [~tjz@bb116-15-75-224.singnet.com.sg] has quit [Changing host]
12:48 -!- tjz [~tjz@unaffiliated/tjz] has joined ##openvpn
13:09 -!- tjz [~tjz@unaffiliated/tjz] has quit [Ping timeout: 248 seconds]
13:09 -!- tjz [~tjz@unaffiliated/tjz] has joined ##openvpn
13:11 < sparch> openvpn[12111]: segfault at 0000000000000000 rip 00002acd093a76f0 rsp 00007fffad4fb358 error 4
13:11 < sparch> am I fucked up?
13:16 -!- Diffen2 [~diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
13:18 < sparch> strace give me nothing
13:18 < sparch> what are the causes for this kind of segfault?
13:18 < sparch> is there a way to debug?
13:18 < reiffert> gdb.
13:22 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
13:22 < Bushmills> so called null pointer.
13:22 < sparch> http://pastebin.com/m66a9a50c
13:22 < Bushmills> attempt to reference an illegal address
13:22 < sparch> strace output
13:24 < sparch> I'll post the output from valgrind, may say anything more usefull
13:25 < sparch> it can be a fault memory?
13:26 < Bushmills> not impossible but not too likely
13:31 < sparch> memory leak
13:31 < sparch> is there anything that can I do?
13:32 < Bushmills> not leak
13:32 < Bushmills> file a bug report. try to reproduce the problem, see whether a sequence of actions leads to that problem reliably
13:33 < sparch> http://pastebin.com/m3102f15b
13:33 < reiffert> sparch: i386? openvpn-2.1.1?
13:33 < sparch> Bushmills: if am I right, the one who is causing it is the openvpn-ldap-auth.so ?
13:33 < reiffert> openvpn-auth-ldap?
13:34 < sparch> fuck... sorry guys
13:34 < reiffert> 20:33 < reiffert> sparch: i386? openvpn-2.1.1?
13:35 < Bushmills> that's right
13:35 < reiffert> i recommend that you swap to auth-pam have pam auth against ldap.
13:35 < sparch> x86_64, 2.1.0
13:35 < reiffert> and get 2.1.1
13:36 < sparch> thank you guys for you attention
13:36 < sparch> I really apreciate it
13:36 < sparch> turning off ldap-auth openvpn started okie dokie.
13:38 -!- TecR0c [tecr0c@never.met.a.leet-hacker.net] has quit [Quit: changing servers]
13:42 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has joined ##openvpn
13:46 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has quit [Ping timeout: 245 seconds]
14:01 -!- fluxdude [~fluxdude@5ace3f2e.bb.sky.com] has joined ##openvpn
14:01 -!- fluxdude [~fluxdude@5ace3f2e.bb.sky.com] has quit [Changing host]
14:01 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has joined ##openvpn
14:13 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has quit [Ping timeout: 245 seconds]
14:17 < sparch> got segfault using openvpn-auth-pam.so
14:17 < sparch> =\
14:20 -!- Dougy [~me@69.10.59.230] has joined ##openvpn
14:20 < Dougy> hi
14:20 < Dougy> ecrist: around?
14:20 < ecrist> yep
14:20 < Dougy> ok, can i ask you something
14:20 < Dougy> i cant seem to grasp how i would do this
14:20 < Dougy> think asking you is bout best thing i can do
14:21 < Dougy> in other word
14:21 < Dougy> im asking if you got 10 mins for me
14:21 < ecrist> don't ask to ask, just ask. ;)
14:22 < Dougy> i'll ask if you have time hehe
14:22 < Dougy> ok sdo
14:22 < Dougy> so
14:22 < Dougy> I have a switch, IP is XX.XX.XX.XX (Cisco 2950)
14:22 < Dougy> I want to somehow set up a VPN so that the only way you can reach it via telnet is in the VPN (IE 10.50.50.0/24)
14:22 < Dougy> Is that possible?
14:22 < Dougy> meaning switch would be like ... 10.50.50.4
14:22 < Dougy> or even just telnetting to its public ip
14:22 < Dougy> but if i wasnt on vpn it'd fail
14:24 < sparch> guys
14:24 < sparch> look
14:24 < sparch> I've forgot to point where is the auth-ldap.conf
14:24 < sparch> plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap
14:24 < sparch> .conf
14:24 < sparch> plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap
14:24 < sparch> .conf
14:24 < sparch> sorry
14:26 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote host closed the connection]
14:28 < ecrist> sure
14:28 < ecrist> Dougy: that's easy.
14:29 < ecrist> just make sure the switch knows how to route for the VPN ips
14:33 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
14:36 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote host closed the connection]
14:45 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
14:46 -!- sparch [~daniel@pdpc/supporter/active/sparch] has quit [Quit: Anybody can win, unless there happens to be a second entry.]
14:51 -!- corretico_ [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
14:53 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has left ##openvpn ["It´s time to say goodbye"]
14:54 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has joined ##openvpn
14:59 -!- koin [~niko@212.13.195.36] has quit [Remote host closed the connection]
15:01 < Dougy> oh
15:01 < Dougy> ecrist sorry for not answering
15:01 < Dougy> how would i do that
15:01  * Dougy clueles to the max
15:01 < Dougy> clueless
15:30 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has quit [Ping timeout: 252 seconds]
15:52 -!- KaiForce [~chatzilla@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
15:53 -!- TecR0c [tecr0c@never.met.a.leet-hacker.net] has joined ##openvpn
15:54 -!- incorrect [~frith@cpc2-cmbg8-0-0-cust287.cmbg.cable.ntl.com] has quit [Remote host closed the connection]
16:09 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:21 -!- cybertron [~cybertron@84.200.248.176] has quit [Ping timeout: 256 seconds]
16:23 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
16:26 < al1irv> where do you pur server.conf after you've unpacked it?
16:26 < al1irv> put
16:26 < Dougy> anywhere you want
16:27 < al1irv> where do people normally put them - "The file should be copied to a directory where the OpenVPN server can access it"
16:29 < al1irv> why does the server.conf file come gzipped anyhow, what's the rational for that?
16:34 -!- epaphus [~epaphus@static.204.79.46.78.clients.your-server.de] has quit [Ping timeout: 246 seconds]
16:35 < ecrist> save bandwidth?
16:36 < Dougy> hmm
16:36 < Dougy> got time to answer him but not me ehhhh
16:36 -!- le0_ [~itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Ping timeout: 272 seconds]
16:37 < ecrist> Dougy: see !route
16:38 < Dougy> !route
16:38 < vpnHelper> Dougy: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:38 < ecrist> that will answer your question
16:38 < Dougy> lans behind openvpn uh
16:38  * Dougy will read
16:38 -!- gorkhaan_ [~gorkhaan@87.229.108.75] has quit [Remote host closed the connection]
16:38 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Remote host closed the connection]
16:41 < al1irv> ecrist, server.conf.gz doesn't seem like a very big file
16:41 < al1irv> oh well
16:42 < Dougy> ecrist: i realize i'd need to push routes
16:42 < rob0> al1irv: your distributor did that, not openvpn, ask them why.
16:42 < Dougy> but is it just on the VPN or something?
16:42 < Dougy> or do i need to add routes on switch
16:42 < al1irv> still can't see any pointers where to put it, howabout  /etc/openvpn/ ?
16:43 < ecrist> either you need to add routes to the switch for the vpn users, or you need to nat from the vpn to the switch
16:43 < Dougy> that's the part i cant seem to visualize
16:44 < rob0> Yes, /etc/openvpn/ is a common choice. You can put config files anywhere. If you're planning to use the distributor's init script, you should check the distributor's documentation.
16:49 -!- epaphus [~epaphus@static.204.79.46.78.clients.your-server.de] has joined ##openvpn
16:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
16:52 < al1irv> I don't think debian has an init script
16:54 < al1irv> sorry, ignore that
16:55 < reiffert> debian runs a very ancient openvpn version.
16:56 < reiffert> which is because of openvpn didnt release a stable version for over 3 years.
16:56 -!- zorzar [~zz@static.78.193.46.78.clients.your-server.de] has joined ##openvpn
16:57 < al1irv> 3 windows clients to samba server should be fairly easy though shouldn't it? I might just tell them to use winscp
16:57 < rob0> Well, I have an opinion about that. Different projects have different standards on what is considered a stable version. James is just way more cautious than most (and probably didn't give a lot of time to openvpn development during that period.)
16:58 < al1irv> I will return to this tomorrow, my head hurts
16:58 -!- al1irv [~sean@cpc1-hawk1-0-0-cust297.aztw.cable.virginmedia.com] has quit [Quit: Leaving]
16:59 < reiffert> rob0: well. No public beta testers (aka stable) might cause bugs to stay for years.
17:00 < rob0> It was funny, 2.1.0 lasted what, a day, before 2.1.1?
17:01 < reiffert> rob0: check on rc13 up to rc22. It's when James trys to combine everything on his own.
17:02 < reiffert> I have doubts, that the new development progress map will improve things, but lets give them a try at least.
17:14 -!- TecR0c [tecr0c@never.met.a.leet-hacker.net] has quit [Excess Flood]
17:14 -!- TecR0c [tecr0c@never.met.a.leet-hacker.net] has joined ##openvpn
17:14 -!- le0 [~itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
17:15 -!- TecR0c [tecr0c@never.met.a.leet-hacker.net] has quit [Excess Flood]
17:17 -!- TecR0c [tecr0c@never.met.a.leet-hacker.net] has joined ##openvpn
17:29 -!- Netsplit *.net <-> *.split quits: Dougy
17:33 -!- Dougy [~me@69.10.59.230] has joined ##openvpn
17:36 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
17:52 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:57 -!- KaiForce [~chatzilla@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
18:06 -!- epaphus [~epaphus@static.204.79.46.78.clients.your-server.de] has quit [Ping timeout: 256 seconds]
18:11 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.7/20091221164558]]
18:11 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
18:12 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
18:14 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
18:16 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
18:21 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
18:22 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
18:22 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
18:23 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
18:34 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
18:53 -!- jeffl [coz@teledojo.com] has joined ##openvpn
18:53 -!- jeffl [coz@teledojo.com] has left ##openvpn []
18:53 -!- jeffl [coz@teledojo.com] has joined ##openvpn
18:54 -!- KaiForce [~chatzilla@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
18:58 -!- Guest9842 is now known as redfox
18:58 -!- redfox is now known as Guest23438
19:02 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
19:11 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 252 seconds]
19:24 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
19:29 -!- TecR0c [tecr0c@never.met.a.leet-hacker.net] has quit [Excess Flood]
19:29 -!- TecR0c [tecr0c@never.met.a.leet-hacker.net] has joined ##openvpn
19:33 -!- krzee [nobody@hemp.ircpimps.org] has joined ##openvpn
19:33 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
19:33 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
19:39 < ecrist> Dougy: do you still have the download from vBulletin
19:39 < ecrist> ?
19:43 < Dougy> er
19:43 < Dougy> what do you mean
19:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
20:04 -!- heise2k [~heise2k@65-78-40-52.c3-0.upd-ubr6.trpr-upd.pa.cable.rcn.com] has quit [Read error: Connection reset by peer]
20:13 < jeffl> I have open vpn configured to connect the remote clients on the 192.168.8.0 network
20:13 < jeffl> the router's local ip is 192.168.8.1
20:13 < jeffl> and the remote machine's ip is 192.168.8.2
20:13 < jeffl> The remote machine can ping the local network but the local network cannot ping the remote machine
20:13 < jeffl> Do I need to add a static route that uses 192.168.8.1 as the gateway or 192.168.0.1?
20:18 < Bushmills> if your router (vpn client) knows how to reach vpn server, then your machines on local network would use your router as gateway
20:19 < krzee> what is 192.168.0.1?
20:21 < jeffl> 192.168.0.1 is the ip of my router
20:21 < jeffl> I'm running pfsense
20:22 < jeffl> let me clerify... sorry for my error
20:22 < jeffl> the router's openvpn ip is 192.168.8.1
20:22 < jeffl> the local network is 192.168.0.0
20:22 < jeffl> the remote is 192.168.8.0
20:23 < Bushmills> you'd usually use the route ip address which is in the subnet of the local network machines 
20:23 < Bushmills> router
20:23 < jeffl> Yeah, that's what I thought, but it isn't passing any traffic :/
20:23 < Bushmills> does it have a reason to?
20:24 < Bushmills> moin krzee
20:24 < krzee> moinmoin
20:25 < jeffl> yeah.. it should
20:26 < jeffl> I added the firewall rule
20:27 < Bushmills> has router been told to forwards packets between interfaces?
20:28 < Bushmills> forward ...
20:30 < jeffl> which interface should it be forwarding to?
20:32 < Bushmills> probably, any to any
20:32 < Bushmills> and your firewall to restrict unwanted traffic
20:33 < jeffl> well to make things a bit more complicated
20:33 < jeffl> I have a multi-wan router doing load balancing
20:33 < jeffl> I have it set to use the gateway that the remote clients connects to though
20:35 < Bushmills> well, evidently you know the details of your installation better than we do. 
20:35 < Bushmills> good luck.
20:35 < jeffl> Yeah, thanks.
20:35 < jeffl> Going to need it.. having issues even getting the remote client to connect now
20:39 < krzee> read this too for the ovpn side
20:39 < krzee> !route
20:39 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:48 -!- lkthomas [lkthomas@218.213.78.173] has joined ##openvpn
20:48 < lkthomas> hey guys
20:48 < lkthomas> I am using pop3s now
20:49 < lkthomas> and seems openvpn also use 995 port
20:49 < Bushmills> nope
20:49 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
20:49 < lkthomas> is there have any other way to change that openvpn port to something else ?
20:49 < Bushmills> openvpn uses the port you configure for it
20:49 < lkthomas> what about the SSL ?
20:50 < Bushmills> all openvpn traffic (the tunnel, that is) goes through on single port
20:50 < Bushmills> one
20:50 < lkthomas> hmm, ok thanks
21:20 -!- epaphus [~epaphus@201.199.62.74] has joined ##openvpn
21:34 -!- error404notfound [~Eror404@119.153.74.157] has quit [Ping timeout: 246 seconds]
21:50 -!- error404notfound [~Eror404@119.153.65.136] has joined ##openvpn
22:08 -!- error404notfound [~Eror404@119.153.65.136] has quit [Quit: User guilty of hitting the Big Red X]
22:10 -!- Dougy [~me@69.10.59.230] has quit []
22:29 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
22:43 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
23:05 -!- epaphus [~epaphus@201.199.62.74] has quit [Ping timeout: 245 seconds]
23:25 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:25 -!- error404notfound [~Eror404@119.153.21.232] has joined ##openvpn
23:41 -!- error404notfound [~Eror404@119.153.21.232] has quit [Ping timeout: 265 seconds]
23:52 -!- sq7obj [sq7obj@gateway/shell/rootnode.net/x-vfsivtpjusvrgbzd] has quit [Ping timeout: 260 seconds]
23:53 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit []
--- Day changed Tue Feb 02 2010
00:01 -!- sq7obj [sq7obj@gateway/shell/rootnode.net/x-nvjlbfgxxcfnvxzk] has joined ##openvpn
01:02 < zorzar> hey, i have trouble setting up a opnvpn server as gateway, if i don't push "redirect-gateway def1 bypass-dhcp" the client can ping the servers' vpn ip, if i push "redirect-gateway def1 bypass-dhcp" the client can't ping anything. here are my configs: http://gist.github.com/292456
01:02 < vpnHelper> Title: gist: 292456 - GitHub (at gist.github.com)
01:23 -!- Guest23438 is now known as redfox
01:24 -!- redfox is now known as Guest65072
01:47 -!- error404notfound [~Eror404@mbl-99-57-238.dsl.net.pk] has joined ##openvpn
01:52 -!- polaru [~polaru@93.113.192.70] has joined ##openvpn
01:57 < zorzar> !welcome
01:57 < vpnHelper> zorzar: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:57 < zorzar> !redirect
01:57 < vpnHelper> zorzar: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
01:57 < zorzar> !net
01:57 < vpnHelper> zorzar: Error: "net" is not a valid command.
01:57 < zorzar> !nat
01:57 < vpnHelper> zorzar: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
01:58 < zorzar> !ipforwarding
01:58 < vpnHelper> zorzar: Error: "ipforwarding" is not a valid command.
01:58 < zorzar> !ipforward
01:58 < vpnHelper> zorzar: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
01:58 < zorzar> !linipforward
01:58 < vpnHelper> zorzar: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
02:31 -!- TecR0c [tecr0c@never.met.a.leet-hacker.net] has quit [Excess Flood]
02:33 -!- TecR0c [tecr0c@never.met.a.leet-hacker.net] has joined ##openvpn
02:36 -!- TecR0c [tecr0c@never.met.a.leet-hacker.net] has quit [Excess Flood]
02:36 -!- TecR0c [tecr0c@never.met.a.leet-hacker.net] has joined ##openvpn
02:38 < jmm> hi.
02:39 -!- jmm is now known as jww
02:44 < reiffert> hi jmm^wjww
02:47 < zorzar> hey, i have trouble setting up a opnvpn server as gateway, if i don't push "redirect-gateway def1 bypass-dhcp" the client can ping the servers' vpn ip, if i push "redirect-gateway def1 bypass-dhcp" the client can't ping anything. here are my configs: http://gist.github.com/292456
02:47 < vpnHelper> Title: gist: 292456 - GitHub (at gist.github.com)
02:48 < reiffert> remove the bypass-dhcp.
02:49 < zorzar> reiffert: doesn't help :/
02:50 < reiffert> just do it. Then check if the client gets an IP address.
02:51 < reiffert> And please paste:
02:51 < reiffert> !interfaces
02:51 < vpnHelper> reiffert: Error: "interfaces" is not a valid command.
02:51 < reiffert> !interface
02:51 < vpnHelper> reiffert: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
02:51 < zorzar> should i leave def1 in?
02:51 < reiffert> do for now, yes.
02:53 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
02:58 < zorzar> reiffert: now the tunnel is up, but the client didn't set the default gw, i updated the gist with ifconfig and routingtables
03:06 -!- error404notfound [~Eror404@mbl-99-57-238.dsl.net.pk] has quit [Ping timeout: 260 seconds]
03:07 -!- master_of_master [~master_of@p57B54EA2.dip.t-dialin.net] has quit [Ping timeout: 272 seconds]
03:09 -!- master_of_master [~master_of@p57B56308.dip.t-dialin.net] has joined ##openvpn
03:11 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has joined ##openvpn
03:11 < fluxdude> I would like to change the email address on my CA certificate, is this something that is easy to do without rebuilding the CA and all clients?
03:15 < reiffert> zorzar: I was asking you to paste the interface config. As you didnt do it your problems seems already went to lunch.
03:15 < reiffert> fluxdude: thats a perfect question for the openssl guys.
03:16 < fluxdude> reiffert: ok will ask there
03:16 < zorzar> reiffert: my interface config is in the gist http://gist.github.com/292456
03:16 < vpnHelper> Title: gist: 292456 - GitHub (at gist.github.com)
03:21 < reiffert> and you cant ping 10.8.1.1?
03:23 < zorzar> yes
03:23 < zorzar> i can sorry
03:23 < zorzar> i can ping 10.8.1.1 but my traffic isn't routed through the vpn
03:23 < reiffert> and you have two openvpn clients running?
03:24 < zorzar> on the client there's a server, too
03:24 < reiffert> stop that server please, then push redir-gw def1 and repaste routing table.
03:25 < zorzar> reiffert: push redirect-gateway def1 already is in the server config
03:27 < reiffert>    you commented it out.
03:27 < reiffert> ;push "redirect-gateway def1 bypass-dhcp"
03:27 < reiffert> is what I read from your paste.
03:27 < fluxdude> openssl channel is has hardly anyone in it... will probably have to wait ages
03:27 < fluxdude> it anyone knows the answer to this question, send it my way
03:28 < fluxdude> (can I change the email address displayed on the ca certificate)
03:28 < fluxdude> without rebuilding ca and re-issuing all clients
03:29 < zorzar> reiffert: i disabled the server on the client machine, restarted openvpn and now i cant ping here's the clients' routing table http://pastie.org/805609
03:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
03:36 < zorzar> reiffert: this the current server config: http://pastie.org/805615
03:36 < reiffert> paste iptables -v -n -L
03:36 < zorzar> server or client?
03:36 < reiffert> both.
03:38 < zorzar> iptables server: http://pastie.org/805618
03:39 < zorzar> iptables client: http://pastie.org/805620
03:47 -!- incorrect [~fwest@78-33-42-140.static.enta.net] has joined ##openvpn
03:49 < reiffert> any virtual maschine involved, vmware or xen?
03:53 < zorzar> both are virtualbox vms
03:54 < incorrect> is it possible to setup static mappings for dhcp assigned clients?
03:54 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 246 seconds]
03:55 < reiffert> zorzar: so please paste interfaces from the host as well.
03:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:57 < zorzar> reiffert: master ifconfig http://pastie.org/805638
03:58 < reiffert> zorzar: intresting. we have such problems from time to time, but nobody dares sending them to the mailinglist. Would you mind putting everything in a big email?
03:59 < zorzar> reiffert: shure, i'll try to put things in a correct order, would you proof read it?
03:59 < reiffert> sure
04:00 < reiffert> ifconfig -a | grep -B1 encap   will shorten it a bit
04:00 < reiffert> -A1 instead of -B1
04:05 -!- snovak7 [~snovak7@BSN-61-74-13.static.dsl.siol.net] has joined ##openvpn
04:05 < snovak7> hello :~)
04:05 < snovak7> help needed here, anyone?
04:06 -!- Rolybrau [~Rolybrau@26-87.79-83.cust.bluewin.ch] has joined ##openvpn
04:06 -!- Rolybrau [~Rolybrau@26-87.79-83.cust.bluewin.ch] has quit [Changing host]
04:06 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
04:09 -!- sparch [~daniel@pdpc/supporter/active/sparch] has joined ##openvpn
04:09 < sparch> morning
04:09 < snovak7> hi
04:10 < sparch> night heat
04:10 < sparch> bad sleep
04:10 < sparch> but okie dokie
04:10 < snovak7> similar today :D
04:10 < snovak7> hot night
04:10 < zorzar> reiffert: http://pastie.org/805647
04:11 < reiffert> zorzar: 
04:11 < reiffert> ifconfig -a | grep -A1 encap
04:11 < zorzar> oh yeah didn't see that
04:12 < reiffert> and remove that tun0 from the Server, as it will confuse people
04:12 < reiffert> sorry, step back, forget that last sentence.
04:13 < zorzar> hehe ok i was pretty confused :)
04:13 < snovak7> uhm I have a vpn client which is connected to an external vpn server, but I want the same machine to be a vpn server to channel out to that vpn client's internet, I can't connect while vpn client is connected to the external vpn server. anyone?
04:14 < reiffert> zorzar: add some linebreaks to your "If I" sentence
04:14 < sparch> snovak7: for config that connect to openvpn server use tun0 as the device instead tun and the one as vpn server, use tun1 instead tun
04:15 < snovak7> sparch: I have that already
04:15 < sparch> no deal?
04:15 < snovak7> nope
04:16 < snovak7> server is connected to vpn, only that our IP isn't receiving opening any connections on standard IP in my case eth2
04:16 < snovak7> eth3 is lan
04:17 < snovak7> tun0 is server config, tun1 is client config
04:18 < snovak7> I'm of opinion that I'm missing some rules
04:18 < sparch> net.ipv4.ip_forward = 0
04:18 < sparch> ?
04:18 < snovak7> and I'm using ufw
04:18 < snovak7> it's enabled
04:19 < snovak7> because from lan I'm already using vpn's forwarding
04:19 < sparch> let's see if I got it. both yours vpns can connect?
04:19 < sparch> or just one at once?
04:20 < snovak7> vpn is connected to third-party vpn server, my vpn server is idle, because It can't receive connections
04:20 < snovak7> from eth2 - internet interface
04:21 < sparch> ok, both openvpn instances are up? thats right?
04:21 < snovak7> yes
04:21 < sparch> firewall
04:21 < sparch> =)
04:21 < reiffert> zorzar: please paste the firefall of the host as well
04:21 -!- Diffen2 [~diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
04:21 < snovak7> sparch: that's my opinion aswell :p
04:22 < sparch> have you tried droping all firewall rules?
04:23 < snovak7> working on it
04:25 < snovak7> the thing is that openvpn changes the routes, so I guess the interface is left out with nothing [almost, except routing traffic]
04:25 < snovak7> it's gateway
04:25 < zorzar> reiffert: http://pastie.org/805658
04:26 < zorzar> reiffert: should i send it to a special mailinglist?
04:27 < zorzar> reiffert: users or devel?
04:32 < sparch> zorzar: users
04:36 < snovak7> sparch: need that I draw you? :D
04:37 < zorzar> thx i sent a mail to the users mailinglist hope somebody has an idea
04:47 < snovak7> sparch: http://yfrog.com/i3vpnprobj
04:47 < vpnHelper> Title: Yfrog - vpnprob (at yfrog.com)
04:47 < snovak7> :D
04:50 < sparch> haha
04:50 < sparch> nice draw
04:50 < snovak7> hehe
04:50 < snovak7> anyway the green one is in interest
04:51 < snovak7> tun1 is gatewayed to eth2 ip
04:51 < snovak7> over*
04:54 < macsppadic> hello snovak7 - the problem is with eth2 interface ?
04:54 < snovak7> eth2 is internet, and I have internet over vpn, and I want somehow to connect to the eth2
04:59 < macsppadic> sorry if i have misunderstood here -so tun0 is the vpn server u have setup 
04:59 -!- dazo_afk is now known as dazo
04:59 < macsppadic> and u have internet thru eth2 over vpn on tun1 
05:00 < snovak7> yes
05:00 < macsppadic> so u want to get to eth2 from the lan?
05:00 < snovak7> no
05:01 < snovak7> from outside to eth2 to access eth3 and tun0, tun1
05:01 < snovak7> through tun0 :]
05:03 < macsppadic> hmm ok ..so u have redirect-gateway setup is it for tun1? to allow all network traffic to go thru that interface?
05:03 < snovak7> yes
05:05 < macsppadic> snovak7:  could u poste ur routes on the box ?
05:05 < snovak7> command? :p
05:05 < macsppadic> netstat -nr 
05:06 < macsppadic> or u could do a route -n 
05:06 < macsppadic> did u try disabling the firewall for a quick test?
05:06 < snovak7> I'm not sure, I could test it
05:07 < snovak7> I can try
05:07 < snovak7> nope
05:07 < snovak7> doesn't connect
05:08 < snovak7> where do I post?
05:09 < snovak7> routing table that is*
05:09 < sparch> pastebin.com
05:11 < snovak7> http://pastebin.com/d443f5b26
05:12 < reiffert> zorzar: -users, if no reply within 3 days, take -devel
05:12 < zorzar> reiffert: ok thx!
05:12 < zorzar> reiffert: posted to users
05:19 < macsppadic> snovak7: just thinking out loud here - u have forwarding enabled right ? 
05:19 < snovak7> ofcourse
05:19 < snovak7> for ipv4 and 6
05:19 < macsppadic> so packets get to tun0 alright 
05:19 < macsppadic> but cant get to eth3 ?
05:20 < snovak7> it's not the issue here yet
05:20 < snovak7> first I want to ssh to eth2
05:20 < snovak7> and I can't
05:21 < snovak7> to eth2's ip
05:21 < snovak7> from outside
05:22 -!- Robinet [~robinet@195.49.172.145] has joined ##openvpn
05:23 < Robinet> !welcome
05:23 < vpnHelper> Robinet: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:24 < sparch> !route
05:24 < vpnHelper> sparch: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
05:25 < Robinet> I'm having a broadcast problem which could be related to misunderstanding from my side, I'm using vpncubed for EC2, which uses openvpn setup as a tunnel interface. Is there any way I can squeeze regular UDP broadcasts through this?
05:28 < sparch> snovak7: looks like what are you trying to do http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
05:28 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
05:28 < sparch> snovak7: take a look
05:31 < snovak7> hmm
05:31 < snovak7> I don't know
05:31 < snovak7> I don't think it addresses my problem
05:32 -!- AntoineBk [~Antoine@188.165.75.17] has joined ##openvpn
05:32 < AntoineBk> Hello gentlemen, I have a little question
05:32 < AntoineBk> do I have to have a defined pool of IPs in order for ethernet bridging to work ?
05:33 < macsppadic> snovak7: anything in the logs on ur firewall as regards ssh attempt?
05:33 < macsppadic> also try a tcpdump on eth2 interface 
05:34 < macsppadic> !server-bridge
05:34 < vpnHelper> macsppadic: Error: "server-bridge" is not a valid command.
05:34 < macsppadic> oh crap
05:35 < snovak7> macsppadic: doesn't show up anything except udp traffic of openvpn
05:35 < snovak7> and some internet broadcasts
05:45 < macsppadic> ok that is weird 
05:46 < snovak7> yes it is
05:46 < macsppadic> as a quick check - can u do a telnet on the port 22 
05:46 < macsppadic> from outside on the eth2 ip 
05:47 < snovak7> trying...
05:48 < snovak7> there came something
05:49 < snovak7> 12:48:23.322299 IP BSN-61-74-13.static.dsl.siol.net.28194 > 85.10.14.254.ssh: Flags [S], seq 113112914, win 5840, options [mss 1352,sackOK,TS val 181628004 ecr 0,nop,wscale 7], length 0
05:50 < snovak7> that's all I get
06:03 < snovak7> :]
06:06 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:09 -!- theDoc [~hex@unaffiliated/thedoc] has joined ##openvpn
06:12 -!- theDoc [~hex@unaffiliated/thedoc] has quit [Client Quit]
06:12 -!- theDoc [~hex@unaffiliated/thedoc] has joined ##openvpn
06:25 -!- macsim [~macsim@LPuteaux-156-15-47-103.w82-127.abo.wanadoo.fr] has joined ##openvpn
06:28 < macsim> hi, I try to connect 2 lan (LAN1[192.168.1.0/24] LAN2[192.168.2.0/24]) through a vpn (192.168.0.0/24), connection is fine but I'm unable to ping any LAN1 hosts with vpn client , I add route and ip_forward =1, here is my config file for server and client : http://pastebin.org/85378 and http://pastebin.org/85379 thanks
06:28 < theDoc> macsim> Pastebin your routing table.
06:29 < theDoc> From your server.
06:29 < macsim> theDoc, from client or server ?
06:29 < macsim> ok from server give me a sec
06:29 < theDoc> Server.
06:30 < macsim> theDoc, http://pastebin.org/85383
06:30  * theDoc is getting buried alive by is-is and bgp
06:30 < theDoc> :(
06:31 < theDoc> macsim> What's this word? Passerelle
06:31 < macsim> theDoc, that means gateway
06:31 < theDoc> 1.0 belongs to your server?
06:31 < theDoc> Your routing table looks wrong.
06:31 < snovak7> macsppadic: anything? :p
06:31 < macsppadic> am lost snovak7 
06:31 < macsim> theDoc, 1.0 is the vpn network
06:31 < macsppadic> sorry dont get why u cant get to the external ip address 
06:32 < theDoc> Hang on, I'm not familiar with french or whatever that language is.
06:32 < snovak7> macsppadic: though nut eh? :D
06:32 < macsppadic> aye not straightforward
06:32 < macsim> theDoc, whant me to translate the pastebin ?
06:32 < theDoc> Could you please?
06:32 < macsppadic> stopping firewall n ssh attempt no luck u ssaid?
06:32 < macsppadic> or a ping even 
06:33 < macsim> theDoc, give me sec (sorry for that)
06:33 < snovak7> macsppadic: yup, I'm using ufw
06:33 < theDoc> np.
06:33 < macsim> theDoc, http://pastebin.org/85384
06:34 < reiffert> zorzar: still here?
06:35 < theDoc> macsim> Have you checked the firewalls?
06:35 < macsim> theDoc, no firewall for the moment I shoot it down
06:35 < macsim> theDoc, I just let the ip_forward to 1 (I'm on debian btw)
06:36 < theDoc> macsim> and when you do a trace, where does the trace fail at?
06:37 < macsim> theDoc, on the routeur, if 192.168.0.2 (192.168.2.2 in his lan) ping 192.168.1.1 (it's an host on lan1) the ping fail on 192.168.0.1 (192.168.1.5 in his lan)
06:37 -!- Diffen2 [~diffen2@226.234.241.83.in-addr.dgcsystems.net] has joined ##openvpn
06:38 < theDoc> macsim> You are trying to ping 1.1 and the ping fails at 192.168.1.5 or 192.168.0.1?
06:39 < macsim> 192.168.1.5 and 0.1 is the same host and traceroute fail on 192.168.0.1
06:40 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
06:40 < theDoc> Well, it seems to be a problem with the server, something on it at least.
06:41 < macsim> theDoc, are my conf seam right ?
06:42 < Robinet> Is it possible to route broadcasts over a tun interface or do I have to create a bridged setup instead?
06:42 < theDoc> macsim> Off the top of my head, it looks fine.
06:43 < macsim> theDoc, lol ok thanks for you're help
06:43 < theDoc> Sorry about it, I'm trying to read through some isis/bgp notes at the moment and I'm not really concentrating.
06:43 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:44 < macsim> theDoc, np ;)
06:45 -!- julius [~julius@217.20.127.15] has quit [Remote host closed the connection]
06:55 < sparch> Ping works but connection to services don't.
06:56 < sparch> traceroute do the right path...
06:56 < sparch> boths sides ping each other
06:56 < sparch> just services don't connect from VPN client
06:56 < sparch> do not look like a route problem
06:56 < macsppadic> sparch: firewall specific to the ports
06:57 < macsppadic> ?
06:57 < macsppadic> sorry firewall on the ports 
06:57 < sparch> no firewall on internal network
06:57 < sparch> OpenVPN pass trougth a Juniper
06:58 < Bushmills> do services bind to all interfaces? including tun?
06:58 < sparch> tun is just on OpenVPN server
06:59 < sparch> the client reach them over this tunnel
06:59 < Bushmills> if services not bound to all interfaces, that may be the problem
06:59 -!- julius [~julius@217.20.127.15] has joined ##openvpn
07:00 < sparch> LAN
07:00 < sparch> no Tun
07:01 < Bushmills> and no service answering on tun
07:01 < sparch> Bushmills: but I got what you mean, I'm pretty sure that isn't the cause.
07:01 < sparch> [CLIENT] --- tun0[OpenVPN] --- [LAN]
07:02 < sparch> ping and traceroute works perfect
07:02 < sparch> this is all symptom of firewall
07:02 -!- macsim [~macsim@LPuteaux-156-15-47-103.w82-127.abo.wanadoo.fr] has quit [Ping timeout: 245 seconds]
07:02 < Bushmills> services are running on machine on the LAN behind openvpn server?
07:02 < sparch> yeah
07:03 < Bushmills> ah. right
07:04 < sparch> hum, I have not used tcpdump to diagnosis... 
07:04 < sparch> let me see
07:04 -!- macsim [~macsim@LPuteaux-156-15-47-103.w82-127.abo.wanadoo.fr] has joined ##openvpn
07:04 < macsppadic> sparch just to confirm that u can get to the services port on the machine from the openvpn server
07:04 < sparch> macsppadic: I can confirm this one. It's working.
07:05 < sparch> forward is 1, as I can reach ICMP to the servers
07:07 < sparch> hum
07:07 < sparch> thats weird
07:07 < macsppadic> got anything in the tcpdump?
07:08 < sparch> running tcpdump, I can see the packets arriveing on port 80 coming from VPN
07:08 < sparch> *arriving
07:08 < macsppadic> oh ok 
07:08 < sparch> but, no return
07:09 < sparch> look, LAN net addr is 192.168.11.0/24, VPN clients 172.16.0.0/22
07:09 < sparch> I can ping, from this server, which runs Apache the VPN Client 172.16.0.6
07:10 -!- dazo is now known as dazo_afk
07:11 < macsppadic> that has to be a firewall ....
07:12 < sparch> indeed...
07:14 -!- dazo_afk is now known as dazo
07:20 < ecrist> good morning
07:20 < macsppadic> morning ecrist 
07:21 < ecrist> sparch: looks like the apache server doesn't know how to route back to the vpn
07:22 < sparch> it knows..
07:22 < sparch> for sure
07:22 < sparch> 64 bytes from 172.16.0.6: icmp_seq=37 ttl=127 time=182 ms
07:22 < sparch> From 192.168.11.37: icmp_seq=39 Redirect Host(New nexthop: 192.168.11.1)
07:22 < sparch> the last line, when I disconnect the Client.
07:23 < sparch> 192.168.11.1 is the router for the Lan
07:23 < sparch> I'm almost sure that is a Policy
07:24 < sparch> or something like that
07:29 -!- theDoc [~hex@unaffiliated/thedoc] has quit [Quit: Leaving]
07:32 < sparch> I am stuck.
07:32 < sparch> =\
07:32 < sparch> hate those scenarios
07:32 < ecrist> firewall?
07:38 -!- macsim [~macsim@LPuteaux-156-15-47-103.w82-127.abo.wanadoo.fr] has quit [Ping timeout: 245 seconds]
07:39 -!- epaphus [~epaphus@static.204.79.46.78.clients.your-server.de] has joined ##openvpn
07:41 < sparch> ecrist: IP 192.168.11.125.http > 172.16.0.6.4407
07:41 < sparch> ICMP traffic Ok...
07:42 < ecrist> yep, you said that.
07:42 < ecrist> ICMP != TCP
07:42 < sparch> I know.
07:42 < ecrist> ping works but connections on port 80 don't
07:42 < ecrist> that screams firewall
07:42 < sparch> I'm thinking... 
07:43 < sparch> OpenVPN server is on Trust interface of Firewall
07:43 < sparch> As I connect to the tunnel, once into that Tunnel, I belong to that Trust zone, am I right?
07:44 < ecrist> no idea, I'm not your admin
07:45 < sparch> oh
07:45 < sparch> sorry.
07:45 < sparch> wasn't my intention. just thinking
07:49 -!- Robinet [~robinet@195.49.172.145] has quit [Quit: Java user signed off]
07:50 < sparch> gonna lunch
07:50 < sparch> cya later.
07:52 -!- macsim [~macsim@LPuteaux-156-15-47-103.w82-127.abo.wanadoo.fr] has joined ##openvpn
07:57 -!- macsim_ [~macsim@LPuteaux-156-15-47-103.w82-127.abo.wanadoo.fr] has joined ##openvpn
07:57 < macsim_> hi again, I've got this error TCP/UDP: Socket bind failed on local adress 82.127.XX.XXX:1194: Cannot assign requested address but nothing on 1194 before I launch openvpn, anyidea ?
07:58 < ecrist> are you running as root?
07:58 < macsim_> ecrist, yes
07:58 < ecrist> !logs
07:58 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
07:59 < macsim_> ecrist, give me a sec I pastebin the log
08:00 < macsim_> ecrist, http://pastebin.org/85426
08:04 < ecrist> macsim_: is the address you're trying to bind to assigned on that box?
08:05 < macsim_> ecrist, no the box is connected to a modem-router
08:05 < ecrist> that's why it can't bind to that adress/port
08:05 < ecrist> you need to bind to an IP that's assigned on the box
08:06 < macsim_> ecrist, I can use the local IP ? or should I do a dmz ?
08:06 < ecrist> up to you
08:06 < ecrist> I would use a DMZ, your router should forward things for you.
08:07 < macsim_> ecrist, ok but it's not a problem if I use the box local ip ?
08:08 < ecrist> not if you forward the port
08:10 < macsim_> ecrist, I should not use local so ?
08:10 -!- chilicuil [~sistemas@189.144.16.23] has joined ##openvpn
08:10 -!- chilicuil [~sistemas@189.144.16.23] has quit [Changing host]
08:10 -!- chilicuil [~sistemas@unaffiliated/chilicuil] has joined ##openvpn
08:12 -!- chilicuil1 [~sistemas@189.144.16.23] has joined ##openvpn
08:14 -!- chilicuil [~sistemas@unaffiliated/chilicuil] has quit [Ping timeout: 245 seconds]
08:16 -!- chilicuil [~sistemas@189.191.132.42] has joined ##openvpn
08:16 -!- chilicuil [~sistemas@189.191.132.42] has quit [Changing host]
08:16 -!- chilicuil [~sistemas@unaffiliated/chilicuil] has joined ##openvpn
08:17 -!- KaiForce [~chatzilla@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
08:17 -!- chilicuil1 [~sistemas@189.144.16.23] has quit [Ping timeout: 265 seconds]
08:28 < sparch> macsim_: as ecrist said, forward the port from your router to local IP, and Yes, you *MUST* assing to local IP that's on the interface that reach your modem/router
08:29 < macsim_> sparch, oki thanks
08:39 < sparch> =)
08:45 < macsim_> he're is the problem how makes me crazy, http://pastebin.org/85449 I past config file + ping test and route output, I don't get what's wrong, works on a part of vpn and not in the other
08:55 < macsim_> nobody for my problem ? :/
08:56 -!- azrtuiop [~chatzilla@bgl93-7-88-189-218-150.fbx.proxad.net] has joined ##openvpn
08:57 < azrtuiop> hello
08:57 < macsppadic> hello azrtuiop macsim 
08:57 < macsim_> hello macsppadic 
08:57 < azrtuiop> hello macsppadic 
08:57 < azrtuiop> who use openvpn firmware ? 
08:57 < macsppadic> just had a quick look on ur config macsim_ 
08:58 < macsppadic> whats the issue again?
08:58 < macsim_> macsppadic, I've pastebin all info here http://pastebin.org/85449 in fact my vpn works on one way only :/
08:58 < azrtuiop> who use openvpn firmware ? 
08:59 < macsim_> macsppadic, can ping from LAN1 to LAN2 but not the other way 
09:00 < sparch> ecrist: nice topic
09:00 < sparch> ecrist: haha
09:01 < sparch> ecrist: sure is firewall, always
09:01 < macsppadic> !route
09:01 < vpnHelper> macsppadic: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:03 < macsim_> macsppadic, I take a look at you're link thanks 
09:03 < macsppadic> np macsim_ 
09:04 < azrtuiop> i want to install openvpn on my openwrt firmware
09:07 < sparch> !welcome
09:07 < vpnHelper> sparch: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:07 < sparch> !redirect
09:07 < vpnHelper> sparch: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
09:07 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:08 < sparch> !def1
09:08 < vpnHelper> sparch: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
09:17 < azrtuiop> i want to install openvpn server on my router 
09:17 < azrtuiop> is it working for yoU ? 
09:17 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
09:18 < macsim_> macsppadic, I read you're link, it was more or less what I did, the only things is client-to-client I'm not sure to understood what this command means
09:19 < macsim_> is it allow vpn network to see each other ? or is it allow extenal network to see vpn network ?
09:19 < macsppadic> !client-to-client
09:19 < vpnHelper> macsppadic: "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
09:19 < vpnHelper> macsppadic: behind other clients
09:20 < macsim_> so I don't need it in my case, I have the good route too, my route output seams good I really don't see where is my problem
09:21 < macsim_> iroute is not for bridge only ? I should use it for a tun0 vpn ?
09:22 < macsppadic> !iroute
09:22 < vpnHelper> macsppadic: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
09:23 < macsim_> macsppadic, ok so I should use it isn't it ? (excuse me but english is not my mother tonge and concept is sometime hard to get)
09:23 < macsim_> s/tonge/tongue
09:24 < macsppadic> yes macsim_ u can use iroute with dev tun0 
09:24 < macsppadic> but its client specific 
09:25 < macsim_> macsppadic, because I just have 2 computer for vpn it's not a problem ?
09:26 < macsppadic> shud be ok macsim_ 
09:26 < macsim_> macsppadic, ok I try with ccd conf so thanks a lot for your help macsppadic 
09:27 < macsppadic> no worries- give taht a go 
09:27 < azrtuiop> hello there 
09:27 < azrtuiop> openvpn on openwrt is it possible ? 
09:30 -!- nx5 [~nap@unaffiliated/nx5off/x-000000001] has joined ##openvpn
09:30 -!- nx5 [~nap@unaffiliated/nx5off/x-000000001] has left ##openvpn []
09:31 < sparch> azrtuiop: dunno
09:32 < azrtuiop> thx
09:32 < azrtuiop> do you know how to use openvpn ? 
09:32 < azrtuiop> i have done it one time i fogot everything since
09:33 < azrtuiop> i just want to put on listening mode 
09:33 < sparch> on www.openvpn.net have a relly nice Howto
09:33 < azrtuiop> on my server
09:33 < sparch> easy breeze
09:33 < azrtuiop> ???
09:33 < macsim_> how can I know the client's common-name  ? it's hostname ? it's ip ?
09:35 < macsim_> common-name from cert ?
09:37 < sparch> cat ipp.txt
09:38 -!- azrtuiop [~chatzilla@bgl93-7-88-189-218-150.fbx.proxad.net] has quit [Ping timeout: 260 seconds]
09:43 -!- epaphus [~epaphus@static.204.79.46.78.clients.your-server.de] has quit [Ping timeout: 245 seconds]
09:45 < sparch> ecrist: from LAN to client I'm able to connet to VNC, for example.
09:50 < sparch> I dont want to use MASQUERADE to work...
09:50 < sparch> =\
09:51 < macsim_> macsppadic, I change my conf to adapt it with ccd now I can't ping from anywhere http://pastebin.org/85465 here is my openvpn.conf changed
09:53 < macsppadic> oh dear macsim_ 
09:53 < macsim_> ;)
09:53 < macsim_> I did a wrong thing ?
09:55 < sparch> ecrist: worked like a charm doing the NAT, so it's clear that is a route problem, right?
09:58 -!- Diffen2 [~diffen2@226.234.241.83.in-addr.dgcsystems.net] has quit [Quit: This computer has gone to sleep]
10:02 -!- azrtuiop [~chatzilla@bgl93-7-88-189-218-150.fbx.proxad.net] has joined ##openvpn
10:02 < azrtuiop> hello 
10:02 < azrtuiop> really ur tutorial not helping me very well 
10:03 < azrtuiop> make me confusion by dividing in several part
10:03 < azrtuiop> it was better before 
10:04 < azrtuiop> me just want to install openvpn on put it on listening mode 
10:04 < azrtuiop> what i have to do ? 
10:04 < ecrist> sparch: yes, you're missing a route.
10:04 < ecrist> azrtuiop: what tutorial?
10:05 < azrtuiop> http://openvpn.net/index.php/open-source/documentation/howto.html
10:05 < vpnHelper> Title: HOWTO (at openvpn.net)
10:05 < azrtuiop> and i m trying to install on openwrt system 
10:06 < ecrist> you need to really work with the openwrt people
10:07 < azrtuiop> not got time 
10:07 < ecrist> then I don't, either.
10:07 < ecrist> have a nice day
10:07 < azrtuiop> ok 
10:07 < azrtuiop> if you want 
10:07 < azrtuiop> i can't my job
10:07 < azrtuiop> i can't put my job
10:07 < azrtuiop> here
10:08 < azrtuiop> about seting up openvpn on openwrt 
10:08 < azrtuiop> i can 
10:08 -!- error404notfound [~Eror404@119.153.65.136] has joined ##openvpn
10:09 -!- epaphus [~epaphus@190.10.68.228] has joined ##openvpn
10:10 < azrtuiop> ok tell me what to do ? 
10:10 -!- EdwardIII [~chatzilla@unaffiliated/edward123] has quit [Remote host closed the connection]
10:10 < ecrist> I don't care what you do.  I'm telling you you're best off talking to people in #openwrt
10:12 < azrtuiop> OK what to do to put the server on listening mode ?
10:12 < ecrist> talk to #openwrt
10:12 < azrtuiop> ok thx
10:13 -!- azrtuiop [~chatzilla@bgl93-7-88-189-218-150.fbx.proxad.net] has left ##openvpn []
10:21 -!- azrtuiop [~chatzilla@bgl93-7-88-189-218-150.fbx.proxad.net] has joined ##openvpn
10:22 < azrtuiop> azrtuiop: better to ask ##openvpn because there is no special in openwrt
10:23 -!- azrtuiop [~chatzilla@bgl93-7-88-189-218-150.fbx.proxad.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.0.17/2009122116]]
10:24 < |Mike|> ecrist: now he went boohoo :p
10:29 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
10:31 -!- flaco [~sistema@pc-166-153-83-200.cm.vtr.net] has quit [Quit: Leaving]
10:45 < sparch> ecrist++
10:49 < dazo> but the #openwrt guys got a point ... it's plain openvpn available .... but the trick is where/how to save the config and certificates and enable it during boot ... as the disk space for saving that on the flash is limited, and it can be saved in NVRAM instead
10:50  * dazo would be willing to write a howto if someone can manage to extend the hours of the days beyond 24 hours ...
10:51 < reiffert> dazo: if 24 hours is not enough, then use the night as well!
10:51 -!- duende [corey@cafejos.org] has joined ##openvpn
10:51 < dazo> reiffert:  I've already used all the 24 hours .... I need more ....
10:51 -!- KaiForce [~chatzilla@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
10:51 < duende> !welcome
10:51 < vpnHelper> duende: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:55 < macsim_> ok so after been crazy and made macsppadic crazy too anybody want to try to fix my on way vpn ? so odd
10:55 < macsim_> one way vpn
10:55 < macsim_> works on a way but not in the other with no vpn error and good route
11:02 < macsim_> :/
11:04 -!- macsppadic [~sonupunno@82.109.74.162] has left ##openvpn []
11:05 < ecrist> his questions was about how to start openvpn 
11:05 < ecrist> I don't know how to do that on openwrt
11:08 < dazo> macsim_:  have a look at !route ... sounds like you need to look at iroute 
11:08  * dazo calls this a a working day
11:08 < dazo> a complete working dat
11:08 < dazo> y
11:09 < macsim_> dazo, I try with iroute it worst I can't ping anything
11:09 -!- dazo is now known as dazo_afk
11:09 < macsim_> :/
11:10 -!- Diffen2 [~diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
11:12 -!- epaphus [~epaphus@190.10.68.228] has quit [Read error: Operation timed out]
11:12 -!- epaphus [~epaphus@190.10.68.228] has joined ##openvpn
11:13 -!- error404notfound [~Eror404@119.153.65.136] has quit [Ping timeout: 260 seconds]
11:19 < macsim_> I past my configuration on ccd doesn't change client network can't connect to server network, but server network can connect to client network
11:24 -!- Irssi: ##openvpn: Total of 85 nicks [1 ops, 0 halfops, 0 voices, 84 normal]
11:25 -!- macsim_ [~macsim@LPuteaux-156-15-47-103.w82-127.abo.wanadoo.fr] has quit [Ping timeout: 245 seconds]
11:25 -!- macsim [~macsim@LPuteaux-156-15-47-103.w82-127.abo.wanadoo.fr] has quit [Ping timeout: 245 seconds]
11:26 < sparch> ecrist: adding the route directly to host: route add -net 172.16.0.0/22 gw 192.168.11.137
11:26 < sparch> works... 
11:26 < ecrist> congrats
11:26 < sparch> as the topic says "Your problem is your firewall, really."
11:27 < sparch> I'll have to look deeply what to do in the router 
11:27 -!- s-taylo [~staylo@vm3999.vps.tagadab.com] has joined ##openvpn
11:27 < sparch> don't wanna change by hand 50 hosts
11:27 < sparch> and add manually that route
11:27 < s-taylo> !welcome
11:27 < vpnHelper> s-taylo: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:31 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined ##openvpn
11:31 -!- error404notfound [~Eror404@203.99.172.188] has joined ##openvpn
11:31 -!- chilicuil [~sistemas@unaffiliated/chilicuil] has quit [Ping timeout: 245 seconds]
11:32 -!- tarbo2 [~me@unaffiliated/tarbo] has quit [Read error: Connection reset by peer]
11:33 < s-taylo> Hi all, trying to set up a single-server multiple-client VPN with the clients being embedded linux devices without real-time clocks. I've had some difficulty finding information on just ho accurate the system clock has to be to avoid invalid certificate errors; can anyone tell me if it's a matter of weeks, days or hours?
11:35 < mort_gib> s-taylo: And you can't use ntp??
11:36 -!- epaphus [~epaphus@190.10.68.228] has quit [Read error: Operation timed out]
11:37 < Bushmills> +1-  accurate clock preferable than hoping to stay within margin of error
11:38 < s-taylo> usually, yes, and I'll be relying on it generally; but in some cases these devices will be installed behind other companies' firewalls and I want to avoid a failure if ntp is firewalled out at any point
11:38 < Bushmills> run ntpdate  once per hour
11:39 < Bushmills> per day, even
11:39 -!- epaphus [~epaphus@190.10.68.228] has joined ##openvpn
11:39 < sparch> server ntpserver iburst
11:39 < mort_gib> s-taylo: I think you will have problems....
11:40 < sparch> mort_gib: indeed
11:41 < s-taylo> I'm guessing you're right, I just want to minimise the potential disruption if the ntp client connection is unavailable for whatever reason. I was just wondering if anyone knows roughly how accurate the system clock has to be. (No problem though, I can always experiment)
11:45 -!- epaphus [~epaphus@190.10.68.228] has quit [Read error: Operation timed out]
11:46 < mort_gib> Is there ANY VPN solution that does not rely on precise timing??
11:49 < s-taylo> well, simple point-to-point links aren't a problem. Openvpn in a static-key configuration is not date-dependent. In my case I'm only trying to transport a few TCP links from embedded devices and industrial panel PCs rather than doing the kind of routing you'd expect from an office network, so OpenVPN is a little overkill; but it looks likely to be more efficient than my current solution of SSH tunnelling over TCP.
11:51 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit [Quit: Leaving]
11:51 -!- epaphus [~epaphus@190.10.68.228] has joined ##openvpn
11:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
11:59 -!- macsim [~macsim@ALille-551-1-56-25.w86-198.abo.wanadoo.fr] has joined ##openvpn
11:59 -!- macsim_ [~macsim@ALille-551-1-56-25.w86-198.abo.wanadoo.fr] has joined ##openvpn
12:17 -!- polaru [~polaru@93.113.192.70] has quit [Remote host closed the connection]
12:17 -!- incorrect [~fwest@78-33-42-140.static.enta.net] has quit [Remote host closed the connection]
12:30 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
12:50 < izro> howdy
13:02 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote host closed the connection]
13:35 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
13:41 < reiffert> http://didyouwatchporn.com/
13:41 < vpnHelper> Title: Did you watch porn? See what your friends watch.. (at didyouwatchporn.com)
13:41 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined ##openvpn
13:43 < ecrist> reiffert: ?
13:45 < reiffert> ecrist: it's about browser bugs.
13:58 < rob0> haha
14:00 < rob0> s-taylo, ntpd(8) is generally an easy and elegant thing, but indeed it fails without access to a good time source. Maybe you want to script something to keep checking for a time source before starting ntpd?
14:03 < ecrist>  Sure! It's here. Be careful though, or you end up like Matthias Schlitte. We are permanently adding new sites to it as people send us their tips. If you have suggestions,
14:03 < ecrist>    please mail them to us.
14:03 < ecrist> lol
14:05 -!- Guest65072 is now known as redfox
14:06 < s-taylo> rob0: Sounds sensible. The main problem I'm having is just that (as these are headless devices, and crucially they're firewalled to the extent that I can't SSH into them except within the VPN session) there's no way of amending a faulty time server. So you can see why I'm very keen to find a way to make the connection work even if ntp fails. :)
14:08 < Bushmills> if you can vpn in, you should be able to ssh in. even of sshd has to listen to a different port. 
14:08 < Bushmills> if
14:10 -!- snovak7 [~snovak7@BSN-61-74-13.static.dsl.siol.net] has quit [Read error: Connection reset by peer]
14:10 < ecrist> not necessarily.
14:11 < sparch> reiffert++
14:12 < s-taylo> Bushmills: The devices are the VPN clients, not the servers, so they're VPNing out. I've done the same thing using SSH tunnels so far (with the devices connecting into a server and then creating TCP tunnels back to the ports) but it's very inefficient with bandwidth and fairly slow.  (Back in half an hour or so)
14:12 -!- s-taylo is now known as s-taylo_away
14:12 -!- snovak7 [~snovak7@BSN-61-74-13.static.dsl.siol.net] has joined ##openvpn
14:19 -!- crazygir [~jason@unaffiliated/crazygir] has left ##openvpn []
14:21 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
14:22 < rob0> And with the time wrong, the VPN fails?
14:26 -!- snovak7 [~snovak7@BSN-61-74-13.static.dsl.siol.net] has quit [Ping timeout: 246 seconds]
14:31 < zoredache> rob0: I suspect if the time goes badly wrong the vpn would fail to connect because the certs are invalid
14:31 < rob0> right, depending on how wrong the time is, of course
14:32 < rob0> maybe that's the answer: extend the validity of the cert
14:33 < zoredache> rob0: I only got part of the conversation, so I wasn't sure.  But that seems like it may be a solution,
14:39 -!- epaphus [~epaphus@190.10.68.228] has quit [Ping timeout: 276 seconds]
14:40 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 252 seconds]
14:46 -!- epaphus [~epaphus@190.10.68.228] has joined ##openvpn
14:47 -!- bandini [~bandini@host47-105-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn
14:48 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 252 seconds]
14:48 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
14:50 < cron2> sometimes the time is way in the *past*, and the certs are not-yet-valid
14:51 < cron2> I'm not sure whether you can do SSL certs "backwards in time", as in "roll a cert today that is valid starting Jan 1 1970 and extends to 2020"
14:51  * cron2 has this very problem on some embedded phone-home-devices that boot with their clock set to 2004, and sometimes NTP syncing fails
14:52 < cron2> ... so the VPN fails as well...
14:52 < rob0> That was what I was thinking, push the beginning date back.
14:52 -!- s-taylo_away is now known as s-taylo
14:52 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
14:52 -!- mode/##openvpn [+v openvpn2009] by ChanServ
14:52 < cron2> can you do that (except with the obvious thing: keep your CA machine running in 1970's time)?
14:52 < rob0> If no other solution works, you could set the CA's system clock back a few years :)
14:53 < cron2> yes
14:53 < ecrist> regardless, it's stupid to not have a correct date set.
14:53 < cron2> ecrist: sometimes reality is somewhat impractical
14:53 < rob0> software written in ~2009 making certs which were valid before the SSL standard developed :)
14:54 < rob0> "Stupid" is not always the truth. We're talking about limited hardware with sometimes limited Internet access.
14:55 < rob0> Of course ... if no 'net, there's no VPN either.
14:55 < s-taylo> Yes, I ended up creating certificates with a backdated cert to 1/1/1970, doesn't seem to be causing problems but haven't tried logging in with a client whose time is set to 1970 yet :) I've decided the simplest workaround is to fall back to the more bandwidth-intensive SSH tunnel if the OpenVPN connection fails due to an invalid certificate; in my case that will allow me to SSH into the device via the tunnel and address whatever's caused ntp to fa
14:55 -!- sparch [~daniel@pdpc/supporter/active/sparch] has quit [Quit: A yawn is a silent shout.]
14:55 < cron2> my main problem is "no real-time clock", so after every reboot, the clock is wrong - and sometimes, NTP servers break (or get moved to new IP addresses by well-meaning network admins, and DNS servers get moved as well)
14:56 < rob0> so, the script to check for time source and keep thumping ntpd might be the best workaround.
14:56 < cron2> s-taylo: that is a good approach
14:56 < rob0> ah, yeah, that's good too
14:56 < cron2> fallback to something else if OpenVPN breaks, for whatever reason
14:59 < s-taylo> I guess it would make sense to create a cron job to periodically write the date to a file and then restore it on bootup too, obviously wouldn't give great accuracy but perhaps better than nothing!
15:02 < rob0> yes, still need to tweak ntpd, because it has low tolerance for time jumps
15:04 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 260 seconds]
15:08 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
15:08 -!- mode/##openvpn [+v openvpn2009] by ChanServ
15:08 -!- mode/##openvpn [+o openvpn2009] by ChanServ
15:14 < zoredache> rob0: what are you using for ntp servers?  are you not able to simply point at a couple servers in pool.ntp.org?  (0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org)
15:18 -!- epaphus [~epaphus@190.10.68.228] has quit [Read error: Operation timed out]
15:18 < rob0> I use pool severs.
15:19 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote host closed the connection]
15:21 -!- cbob27410 [~cbaldini@66.193.68.162] has joined ##openvpn
15:23 -!- epaphus [~epaphus@190.10.68.228] has joined ##openvpn
15:29 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
15:30 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Read error: No route to host]
15:55 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
15:57 -!- Dougy [~me@69.10.59.230] has joined ##openvpn
15:58 < Dougy> !openvz
15:58 < vpnHelper> Dougy: "openvz" is http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn bout openvz specific stuff with regards to openvpn
16:02 < cbob27410> So I've got the OpenVPN service set to auto, but when I'm in the office I have to stop it, otherwise I can't access any local resources (but I can access the internet).  Is there a way to configure the client so that I don't have to stop the service when I'm in the office?
16:05 < gorkhaan> cbob27410,  you may have add some local route rules. 
16:05 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 256 seconds]
16:05 < gorkhaan> *have to
16:06 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
16:07 < cbob27410> When I'm in the office I have two routes for my local LAN, which I think may be the issue.
16:11 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
16:11 -!- mode/##openvpn [+v openvpn2009] by ChanServ
16:14 -!- gazl [~luna@80-254-76-154.dynamic.swissvpn.net] has joined ##openvpn
16:14 < gazl> hi guys
16:14 < gorkhaan> hi :)
16:14 < gazl> ;)
16:14 < gazl> i come with issues
16:15 < gazl> have this router that runs ddwrt
16:15 < gazl> it has a vpn client!
16:15 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 240 seconds]
16:15 < gazl> i run the client on the command line like i usually run it
16:15 -!- cbob27410 [~cbaldini@66.193.68.162] has left ##openvpn []
16:15 < gazl> sure it connects and all but it is not really forwarding information back to the pc on the lan side
16:16 < gazl> seems to fail at the dns stage
16:17 < gazl> so i'm wondering if i can set a command or two in the config file for it to work properly
16:19 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
16:19 -!- mode/##openvpn [+v openvpn2009] by ChanServ
16:20 < gorkhaan> gazl,  maybe u should post your config files... :)
16:20 < gorkhaan> pastebin.com
16:22 < gazl> http://pastie.org/private/r881z601fuwln862aoasiw
16:24 < gazl> nothing special
16:26 < Bushmills> "not really forwarding information back to the pc -  fail at the dns stage"  
16:26 < Bushmills> conclusion is not evident
16:27 < gazl> hm
16:27 < Bushmills> "can set a command or two in the config" .. maybe. what's the problem?
16:28 < gorkhaan> "auth-user-pass" u have this twice...
16:28 < gorkhaan> what's this for? reneg-bytes 32000000000  
16:29 < gazl> the topology is this, the lan computers are meant to transparently get to the internet through the router which is running the vpn instance
16:29 < gazl> gorkhaan, ah i see
16:30 < gorkhaan> gazl,  can you try to connect with IP address?
16:31 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote host closed the connection]
16:31 < gazl> let me set it up so ican try
16:31 < gorkhaan> and be sure u can resolv this address: connect-openvpn.swissvpn.net   it seems strange to me.  ;) :)
16:33 < gorkhaan> gorkhaan@gorkhaan-pc:~$ ping connect-openvpn.swissvpn.net
16:33 < gorkhaan> PING connect-openvpn.swissvpn.net (80.254.79.87) 56(84) bytes of data.
16:33 < gazl> yeah, that works.
16:33 < gazl> it works when i do it from the pc ;)
16:34 < Bushmills> you still haven't explained what does *not* work
16:34 < gorkhaan> what's the server and the client version of openvpn?
16:34 < gorkhaan> dd-wrt's openvpn is quite old...
16:34 < gazl> let me check
16:34 < gorkhaan> * the buit in firmware I mean. ipkg-opt is afaik rc11 or so...
16:35  * Bushmills hides again
16:36 < gorkhaan> optware : #  openvpn - 2.1_rc15-1 - SSL based VPN server with Windows client support 
16:36 < gorkhaan> http://www.dd-wrt.com/wiki/index.php/Quick_list_of_Optware_packages
16:36 < vpnHelper> Title: Quick list of Optware packages - DD-WRT Wiki (at www.dd-wrt.com)
16:36 < gorkhaan> k now I shut up for a while. 
16:37 < gorkhaan> gazl,   openvpn --version
16:39 < gazl> it's 2.1
16:39 < gazl> rc2+ 
16:40 < gazl> rc20, gorkhaan 
16:40 < gorkhaan> that's good. Can we see a "connection log" too?  verb 5 is enough
16:40 < gorkhaan> or verb 3
16:41 < gazl> okay, i'll have to disconnect
16:46 -!- epaphus [~epaphus@190.10.68.228] has left ##openvpn ["Leaving"]
16:46 < jeffl> any ideas why an openvpn server would not respond when I try to connect
16:47 < jeffl> the client outputs to here
16:47 < jeffl> Tue Feb 02 13:46:40 2010 UDPv4 link remote:  myip:port
16:47 < jeffl> and then stops
16:47 < jeffl> I have to restart the openvpn server to get it to connect and then it'll freeze again
16:48 < gorkhaan> jeffl,  what about openvpn logs? 
16:48 < gorkhaan> *server
16:48 < Dougy> !man
16:48 < jeffl> 1 sec
16:48 < vpnHelper> Dougy: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
16:52 < Dougy> http://pastebin.com/m39e2eb43
16:52 < Dougy> is that correct for a static ip
16:55 < jeffl> write UDPv4: No buffer space available (code=55)
16:55 < jeffl> that doesn't look good..
17:00 < gorkhaan> jeffl,  are u using linux?
17:01 < jeffl> gorkhaan: pfsense :/
17:02 < jeffl> Been having issues for weeks
17:02 < jeffl> Thinking I have a bad build or something
17:02 < gorkhaan> build of what? :) kernel?
17:03 < jeffl> of pfsense
17:03 < jeffl> if I get disconnected, it won't let me reconnect
17:03 < jeffl> I have to reboot the entire firewall
17:04 < gorkhaan> oh I see, I've never heared about pfsense... ;)  maybe a memory leak?
17:05 < jeffl> I have no idea
17:05 < jeffl> I just tried to reconnect another client
17:05 < jeffl> and now getting this
17:05 < jeffl> openvpn[9992]: /etc/rc.filter_configure tun0 1500 1558 192.168.8.1 192.168.8.2 init
17:05 < jeffl> openvpn[9999]: UDPv4 link local (bound): [undef]:1195
17:05 < jeffl> openvpn[9999]: UDPv4 link remote: [undef]
17:05 < jeffl> openvpn[9999]: TLS Error: local/remote TLS keys are out of sync: 74.207.244.84:54022 [4]
17:06 < jeffl> (I purposely disconnected this tunnel just to see if I could reconnect and now I get that error)
17:06 < gorkhaan> yeah well, it must be some kind of pfsense error. :/
17:07 < jeffl> That's what I'm thinking. Like I said if I restart the box it'll connect again.
17:08 < gorkhaan> you can try to monitor  memory usage, maybe it will help to find the problem.
17:08 -!- Diffen2 [~diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
17:15 -!- bandini [~bandini@host47-105-dynamic.16-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
17:34 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:35 -!- snovak7 [~snovak7@BSN-61-74-13.static.dsl.siol.net] has joined ##openvpn
17:43 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Quit: Távozom]
17:48 -!- gazl [~luna@80-254-76-154.dynamic.swissvpn.net] has quit [Quit: Lost terminal]
17:57 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
18:04 -!- sparch [~daniel@pdpc/supporter/active/sparch] has joined ##openvpn
18:08 -!- snovak7 [~snovak7@BSN-61-74-13.static.dsl.siol.net] has quit [Read error: Connection reset by peer]
18:12 -!- snovak7 [~snovak7@BSN-61-74-13.static.dsl.siol.net] has joined ##openvpn
18:36 -!- sparch [~daniel@pdpc/supporter/active/sparch] has quit [Ping timeout: 252 seconds]
18:41 -!- teddymills [~teddy@208.92.235.227] has joined ##openvpn
18:46 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
18:46 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
18:55 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Quit: I am off]
19:01 -!- teddymills [~teddy@208.92.235.227] has quit [Remote host closed the connection]
19:06 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
19:23 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
19:23 -!- duende [corey@cafejos.org] has left ##openvpn []
19:30 -!- jamesd2 [~jamesd@adsl-68-254-161-68.dsl.milwwi.ameritech.net] has joined ##openvpn
19:37 < jamesd2> http://openvpn.net/index.php/access-server/quick-start-guide.html gives a 404 error  i guess since this isn't official it does no good reporting it here
19:38 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Ping timeout: 260 seconds]
19:39 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined ##openvpn
19:54 -!- theDoc [~hex@unaffiliated/thedoc] has joined ##openvpn
19:57 < theDoc> Morning all. o/
20:05 -!- theDoc [~hex@unaffiliated/thedoc] has quit [Quit: Leaving]
20:37 -!- krzy [nobody@hemp.ircpimps.org] has joined ##openvpn
20:37 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
20:48 -!- krzy [nobody@hemp.ircpimps.org] has quit [Ping timeout: 256 seconds]
20:49 < Dougy> hey
20:49 < Dougy> who's awake in hete
20:49 < Dougy> here
20:50 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
20:53 < Dougy> http://pastebin.com/m39e2eb43
20:53 < Dougy> is taht correct
21:58 -!- Dougy [~me@69.10.59.230] has quit []
22:02 -!- error404notfound [~Eror404@203.99.172.188] has quit [Ping timeout: 240 seconds]
23:30 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has quit [Ping timeout: 260 seconds]
23:30 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn
23:32 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 260 seconds]
23:33 -!- magic_1 [~magic@41.123.154.151] has joined ##openvpn
23:33 -!- magic_1 [~magic@41.123.154.151] has quit [Changing host]
23:33 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
23:39 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:50 -!- theDoc [~hex@unaffiliated/thedoc] has joined ##openvpn
23:51 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit []
23:55 -!- error404notfound [~Eror404@mbl-99-57-238.dsl.net.pk] has joined ##openvpn
--- Day changed Wed Feb 03 2010
00:56 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
00:56 -!- theDoc [~hex@unaffiliated/thedoc] has quit [Quit: Leaving]
01:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 246 seconds]
01:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
02:11 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
02:13 -!- macsim [~macsim@ALille-551-1-56-25.w86-198.abo.wanadoo.fr] has quit [Ping timeout: 276 seconds]
02:13 -!- macsim_ [~macsim@ALille-551-1-56-25.w86-198.abo.wanadoo.fr] has quit [Ping timeout: 252 seconds]
02:14 -!- polaru [~polaru@93.113.192.70] has joined ##openvpn
--- Log closed Wed Feb 03 02:29:48 2010
--- Log opened Wed Feb 03 08:43:06 2010
08:43 -!- macsim [~macsim@LPuteaux-156-15-47-103.w82-127.abo.wanadoo.fr] has quit [Ping timeout: 245 seconds]
08:51 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:03 -!- macsim [~macsim@LPuteaux-156-15-47-103.w82-127.abo.wanadoo.fr] has joined ##openvpn
09:14 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:44 -!- macsppadic [~sonupunno@82.109.74.162] has left ##openvpn []
09:44 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
09:47 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 252 seconds]
09:59 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
10:02 -!- macsim [~macsim@LPuteaux-156-15-47-103.w82-127.abo.wanadoo.fr] has quit [Ping timeout: 245 seconds]
10:03 -!- error404notfound [~Eror404@119.153.63.106] has joined ##openvpn
10:17 -!- calpat [ghgf@123.108.109.9] has joined ##openvpn
10:17 < calpat> hi , is there any method of using openvpn for networks like torrent etc ?
10:19 < ecrist> torrent is a network?
10:20 -!- Diffen2 [~diffen2@226.234.241.83.in-addr.dgcsystems.net] has quit [Quit: This computer has gone to sleep]
10:22 < calpat> i mean as a extra layer for p2p networking ( for privacy )
10:22 < ecrist> openvpn builds a point-to-point tunnel.
10:23 < calpat> can it support multilple peers same time ?
10:23 < ecrist> yes
10:23 < ecrist> you have a single server process and multiple clients connecting to that server
10:23 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 258 seconds]
10:23 < calpat> ah,
10:23 < calpat>  can it be like mesh network
10:24 < ecrist> no
10:24 < ecrist> not without setting up multiple servers, etc
10:24 < calpat> only hub and sppoke ?
10:24 < ecrist> yes
10:24 < calpat> does all  peers have to pass traffiv through server ? 
10:24 < ecrist> yes
10:25 < calpat> no direct connectivity ?
10:25 < ecrist> correct
10:25 < calpat> :(
10:26 < calpat> can you suggest any solution for direct multiple p2p encrypted connectivity ( i think open vpn is only server-c;ient )
10:26 < ecrist> nope, sorry
10:27 -!- polaru [~polaru@93.113.192.70] has quit [Remote host closed the connection]
10:27 -!- calpat [ghgf@123.108.109.9] has left ##openvpn []
11:02 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
11:03 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
11:05 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:08 < hyper_ch> ecrist: hmmm, to the question of calpat: several bittorrent clients have encryption options. If they all say to try first to establish an encrypted connection then it's all encrypted... wouldn't that be a solution for calpat's qustion?
11:09 < ecrist> possibly, I don't really deal in the realm of bittorrent, so I was unable to offer any suggestions.
11:11 < dazo> hyper_ch:  but you still reveal that you're doing some traffic which most probably can be related to bitorrent traffic
11:12 < hyper_ch> dazo: well, you would be able to tell that in just about everything that it's p2p traffic
11:12 < hyper_ch> however to determine what is actually being transferred will the not (easily) be possible
11:12 < dazo> hyper_ch:  some countries might put you into a "pay attention to this person"-lists based on that .... just like Sweden did quite recently, they had a razzia a few days ago, IIRC
11:13 < dazo> anyhow, that was DirectConnect and not bitorrent
11:13 < hyper_ch> dazo: for that reason I have everything encrypted except for my cell phone and run an open wifi :)
11:19 -!- incorrect [~fwest@78-33-42-140.static.enta.net] has quit [Remote host closed the connection]
11:19 < zoredache> if I run multiple openvpn servers (on linux, using tun) should each have a seperate tun device, and ip address space?  Or can 2 servers share a device/network?
11:20 -!- Netsplit *.net <-> *.split quits: poningru, zorzar, sno, lkthomas, dazo, APTX, meepmeep, rob0, ribasushi, balboah,  (+1 more, use /NETSPLIT to show all of them)
11:20 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
11:21 < ecrist> they need their own device, but can share a network, if you're careful with your scripts
11:21 -!- Netsplit over, joins: balboah
11:22 -!- zuez_ [~sf@catalyst.httpd.org] has joined ##openvpn
11:22 -!- zuez_ [~sf@catalyst.httpd.org] has quit [Excess Flood]
11:22 -!- zuez [~sf@catalyst.httpd.org] has quit [Excess Flood]
11:22 -!- Netsplit over, joins: dazo, lkthomas, zorzar, APTX, steelnwool, meepmeep, rob0, ribasushi, sno, poningru
11:22 -!- zuez_ [~sf@catalyst.httpd.org] has joined ##openvpn
11:22 -!- poningru [~poningru@dsl093-236-026.hfd1.dsl.speakeasy.net] has quit [Max SendQ exceeded]
11:22 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Quit: No Ping reply in 180 seconds.]
11:22 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
11:22 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
11:22 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
11:23 -!- dazo [~dazo@nat/redhat/x-tcsfeaxcoogruscu] has quit [Quit: ZNC - http://znc.sourceforge.net]
11:23 -!- poningru [~poningru@dsl093-236-026.hfd1.dsl.speakeasy.net] has joined ##openvpn
11:24 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
11:26 -!- dazo [~dazo@nat/redhat/x-brllznifwdqemddn] has joined ##openvpn
11:26 -!- zuez_ [~sf@catalyst.httpd.org] has quit [Client Quit]
11:26 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Remote host closed the connection]
11:36 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote host closed the connection]
11:36 -!- dazo is now known as dazo_afk
11:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
11:59 -!- macsim [~macsim@ALille-551-1-23-179.w90-34.abo.wanadoo.fr] has joined ##openvpn
12:03 -!- macsim [~macsim@ALille-551-1-23-179.w90-34.abo.wanadoo.fr] has quit [Ping timeout: 245 seconds]
12:17 -!- macsim [~macsim@ALille-551-1-104-49.w86-196.abo.wanadoo.fr] has joined ##openvpn
12:18 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 252 seconds]
12:27 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined ##openvpn
12:30 -!- gazelle [~luna@unaffiliated/gazelle] has joined ##openvpn
12:34 -!- krzee [nobody@hemp.ircpimps.org] has joined ##openvpn
12:34 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
12:34 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
12:39 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
12:48 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit [Quit: Leaving]
12:52 -!- macsim [~macsim@ALille-551-1-104-49.w86-196.abo.wanadoo.fr] has quit [Ping timeout: 245 seconds]
12:59 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Read error: Connection reset by peer]
12:59 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
13:03 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote host closed the connection]
13:05 -!- Diffen2 [~diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
13:34 -!- sleeping`dragon [~Eror404@119.153.56.12] has joined ##openvpn
13:35 -!- dovim [~n@unaffiliated/dovim] has quit [Quit: leaving]
13:36 -!- error404notfound [~Eror404@119.153.63.106] has quit [Ping timeout: 252 seconds]
13:38 -!- nameless` [~nameless`@lav35-1-82-236-136-20.fbx.proxad.net] has joined ##openvpn
13:38 < nameless`> hi
13:38 < nameless`> i'm in trouble "uping" a script, it doesn't find the ip command neither the route command (despite the script-security is set to 2)
13:39 < snovak7> perhaps command is not in the $PATH
13:39 < nameless`> i can use the script normally out of openvpn
13:39 < snovak7> interesting
13:39 < snovak7> custom commands?
13:40 < ecrist> PATH
13:40 < nameless`> http://de.pastebin.ca/1786197
13:40 < nameless`> nop only ip command
13:40 < nameless`> to add addr and route
13:41 < snovak7> why do you need ip command?
13:41 < snovak7> i'm not sure it exists
13:42 < snovak7> only under root
13:42 < nameless`> need ip to add addr and route
13:42 < nameless`> route doesn't work either
13:43 < snovak7> do you have maybe in config under which user/group is running?
13:43 < nameless`> no
13:43 < nameless`> my config doesn't set user neither group
13:45 < snovak7> what is this called #! in shell header
13:46 < nameless`> every bash file start with that
13:46 < snovak7> which os?
13:46 < nameless`> ArchLinux
13:47 < snovak7> :(
13:47 < snovak7> my friend uses arch :p
13:47 < snovak7> sorry
13:47 < nameless`> where did you find out that my script was starting with #! ?
13:48 < snovak7> it's common to shell scripts
13:48 < snovak7> if it doesn't start as #! it treats it as binary file (if applicable)
13:49 < snovak7> later
13:49 < nameless`> no it's ok my script start with #!/bin/sh
13:50 < nameless`> oh i found
13:50 < nameless`> the $PATH is not the same when i execute openvpn
13:50 < nameless`> and it does not include the /usr/sbin 
13:50 < nameless`> strange
13:57 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 265 seconds]
13:59 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
14:00 < ecrist> nameless`: that's common
14:01 < ecrist> that's why we recommend setting $PATH within your scripts, or at  least using the full path to your binaries.
14:05 -!- Dougy [~me@69.10.59.230] has joined ##openvpn
14:07 < ecrist> hi, Dougy
14:20 -!- sparch [~daniel@pdpc/supporter/active/sparch] has quit [Quit: Eat right, exercise regularly, die anyway.]
14:21 < nameless`> ecrist: i don't understand that behaviour, why is that happens ?
14:22 < rob0> why what, why sbin paths are not in your $PATH? or what the PATH is?
14:25 < ecrist> man path
14:25 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote host closed the connection]
14:25 < Dougy> hey ecrist
14:25 < Dougy> can you help me please, i feel retarded
14:25  * Dougy gets pastebin url
14:26 < Dougy> http://pastebin.com/m39e2eb43
14:26 < Dougy> is this correct
14:27 < rob0> um, that would be "man bash", but that's hard reading. I would suggest finding a shell tutorial instead.
14:29 < Dougy> :)
14:29  * Dougy has 10 more minutes before he has to leave and come back later to ask same question yet again
14:29 < Dougy> lol
14:30 < zoredache> are you sure you can't summarize all those routes you have? to a simple 'route 10.255.240.0 255.255.255.0'?
14:31 < Dougy> i dont know
14:31 < Dougy> i am trying to find a way to set a static ip and my googling produced what i showed
14:34 < zoredache> ah, and you are pointing to your ccd with client-config-dir?  I didn't think those had to be scripts
14:35 < zoredache> they are just configuration fragements that are included dending on the cn of the cert used to connect
14:35 < Dougy> the ccd entry is just ifconfig-push for each client
14:35 < Dougy> ecrist: can you guide me sir
14:35 < ecrist> busy, sorry
14:36 < Dougy> ah
14:36 < Dougy> i could probably get away with one giant route..
14:36 < Dougy> and just 'ifconfig-push 10.255.240.5 255.255.255.0'
14:36 < Dougy> ewtc
14:36 < Dougy> etc
14:36 < Dougy> asfdsuahjdf
14:39 < zoredache> also in your line 'ifconfig-push 10.255.240.5 10.255.240.6' the 3rd doesn't look like a netmask to me...
14:39 < Dougy> yeah
14:39 < Dougy> i thought something seemed off there
14:40 < Dougy> in my ifconfig push it'd need to be 'ifconfig-push 10.255.240.6 255.255.255.252' i believe
14:40 -!- KaiForce [~chatzilla@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
14:41 < zoredache> that looks more reasonable.  Out of curiosity, why did you need a static ip?
14:41 < Dougy> it is going to be for secure SSH communication and i want to add the machines to /etc/hosts
14:41 < Dougy> ie
14:41 < Dougy> sudo ssh vz01
14:41 < Dougy> sudo ssh vz05
14:41 < Dougy> etc
14:42 < Dougy> static ip will let me do such
14:43 < zoredache> ah.  On my system, I setup a dns zone that accepts dynamic dns, and then added a connect script that did the dns update based on the certificate cn
14:43 < zoredache> it is more complex to setup at the start, but once it is going everything is automagical
14:44 < rob0> sudo ssh? why ssh as root?
14:44 < Dougy> rob0: single ssh key for 20+ users
14:44 < Dougy> instead of 20 ssh keys
14:45 < rob0> Not relevant.
14:45 < Dougy> explain
14:45 < Dougy> in fact dont
14:45 < Dougy> bbl
14:45 -!- Dougy [~me@69.10.59.230] has quit []
14:45 < rob0> I disable root logins for ssh.
14:46 < rob0> Good, I wasn't much inclined to explain anyway.
14:46 < zoredache> just because he is sshing from a root account doesn't necessarily mean he is connectin to a root account..
14:47 < zoredache> he could have a shared ssh config file that goes to some common non-privileged account.
14:49 < rob0> sudo ssh : that runs ssh both AS root and TO root, bad ideas both.
14:50 < zoredache> rob0: it wouldn't conect to root if the system he is connecting from has a .ssh/config with liens like 'Host *\n  User nobody'. 
14:51 < zoredache> of course I doubt he is doing that given that he is sharing an ssh key with 20 people...
14:51 < rob0> well, possibly right, yes ... but I doubt he's that sophisticated, TBH.
14:51 < rob0> :)
14:52 < zoredache> I don't suppose you know what it takes to get a tun* device to report a useful link speed so that snmp tools (mrtg,etc) can generate useful graphs?
14:55 < rob0> not a clue
14:57 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
15:03  * ecrist goes home.
15:07 -!- Holister [~ryan@static-151-204-189-39.pskn.east.verizon.net] has quit [Ping timeout: 272 seconds]
15:17 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has joined ##openvpn
15:18 -!- Diffen [~diffen2@c-607fe555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: Leaving]
15:32 -!- sleeping`dragon [~Eror404@119.153.56.12] has quit [Read error: Connection reset by peer]
15:43 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote host closed the connection]
15:44 -!- makomi [~makomi@91-65-153-27-dynip.superkabel.de] has joined ##openvpn
15:48 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
15:48 -!- mode/##openvpn [+v Kas] by ChanServ
15:58 -!- makomi [~makomi@91-65-153-27-dynip.superkabel.de] has quit [Quit: It´s time to say goodbye]
16:01 -!- KaiForce [~chatzilla@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
16:05 -!- makomi [~makomi@91-65-153-27-dynip.superkabel.de] has joined ##openvpn
16:10 -!- gazelle [~luna@unaffiliated/gazelle] has quit [Ping timeout: 264 seconds]
16:16 -!- makomi [~makomi@91-65-153-27-dynip.superkabel.de] has quit [Quit: It´s time to say goodbye]
16:16 -!- makomi [~makomi@91-65-153-27-dynip.superkabel.de] has joined ##openvpn
16:17 -!- makomi [~makomi@91-65-153-27-dynip.superkabel.de] has quit [Remote host closed the connection]
16:19 -!- freaky[t] [alpha@88.198.215.139] has quit [Remote host closed the connection]
16:21 -!- freaky[t] [~alpha@freakyy.de] has joined ##openvpn
16:32 -!- Pete-J [~Pete@71-127.lerstenen.t3.se] has joined ##openvpn
16:33 < Pete-J> hey my OpenVPN server have been running very well until today now i am being told this in the logs Options error: You must define TUN/TAP device (--dev)
16:34 < Pete-J> shouldn't option dev tun in the config be enough?
16:34 < Pete-J> since it were before
16:51 < Pete-J> another issue i have is this
16:51 < Pete-J> ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
16:52 < Pete-J> hereäs my cfg http://pastebin.com/dd3a18e
16:55 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
17:00 < reiffert> Pete-J: scary
17:01 < Pete-J> reiffert, no kidding ;)
17:10 < reiffert> and of course you didnt change anything?
17:12 < Pete-J> Well i did an update 
17:13 < Pete-J> but i think i know what's the issue
17:13 < Pete-J> I am runing OpenVPN on my WRT160NL router running OpenWRT
17:13 < Pete-J> and i do beleive that i don't have the blowfish cypher installed
17:17 -!- nameless` [~nameless`@lav35-1-82-236-136-20.fbx.proxad.net] has left ##openvpn []
17:32 < Pete-J> reiffert, gotten it working now
17:32 < Pete-J> everything
17:33 < reiffert> blowfish missing?
17:40 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:40 < Pete-J> yeah missing OpenSSL package
17:45 < Bushmills>  Pete-J, look whether you have another tun device open
17:47 < Bushmills> openvpn should auto-enumerate tun interfaces as long as no other have been created. otherwise, you'd need to specify the tun interface explicitely, like   tun0  or  tun1
17:49 < Pete-J> Bushmills, i solved that aswell
17:49 < Pete-J> some kmod-tun issues in OpenWRT
17:50 < Pete-J> everything is runnunig OK now
18:01 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
18:01 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has quit [Ping timeout: 252 seconds]
18:07 -!- Diffen2 [~diffen2@c-737de555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: Leaving]
18:15 -!- teddymills [~teddy@208.92.235.227] has joined ##openvpn
18:16 -!- freaky[t] [~alpha@freakyy.de] has quit [Remote host closed the connection]
18:17 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
18:23 -!- freaky[t] [~alpha@freakyy.de] has joined ##openvpn
18:43 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
18:43 -!- mode/##openvpn [+v Kasx] by ChanServ
18:44 -!- mrnice1 [bouncer@ip077244250141.rev.nessus.at] has quit [Ping timeout: 240 seconds]
18:46 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 240 seconds]
18:47 -!- mrnice1 [bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
19:07 -!- Pete-J [~Pete@71-127.lerstenen.t3.se] has quit [Quit: Leaving]
21:36 -!- error404notfound [~Eror404@119.153.56.12] has joined ##openvpn
21:45 -!- error404notfound [~Eror404@119.153.56.12] has quit [Read error: Connection reset by peer]
21:46 -!- error404notfound [~Eror404@119.153.51.186] has joined ##openvpn
22:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
22:11 -!- error404notfound [~Eror404@119.153.51.186] has quit [Quit: User guilty of hitting the Big Red X]
22:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
22:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
22:59 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
23:02 -!- heise2k [~heise2k@65-78-40-52.c3-0.upd-ubr6.trpr-upd.pa.cable.rcn.com] has quit [Ping timeout: 256 seconds]
23:02 -!- heise2k [~heise2k@65-78-40-52.c3-0.upd-ubr6.trpr-upd.pa.cable.rcn.com] has joined ##openvpn
23:03 -!- PeterFA [~Peter@2002:62cb:84d1:1234:21a:73ff:fe3b:d510] has joined ##openvpn
23:03 -!- PeterFA [~Peter@2002:62cb:84d1:1234:21a:73ff:fe3b:d510] has quit [Changing host]
23:03 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
23:33 -!- error404notfound [~Eror404@203.99.190.217] has joined ##openvpn
23:40 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
--- Day changed Thu Feb 04 2010
00:03 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
00:34 -!- error404notfound [~Eror404@203.99.190.217] has quit [Quit: User guilty of hitting the Big Red X]
00:35 -!- error404notfound [~Eror404@203.99.190.217] has joined ##openvpn
00:55 -!- error404notfound [~Eror404@203.99.190.217] has quit [Quit: User guilty of hitting the Big Red X]
01:02 -!- ddaydj [ddaydj@cpe-98-150-206-201.hawaii.res.rr.com] has joined ##openvpn
01:03 < ddaydj> is there anyone around who could help me with setting up openvpn? i had it working but the subnets weren't setup the way that i wanted and things weren't working properly
01:05 < ddaydj> !welcome
01:05 < vpnHelper> ddaydj: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:06 < ddaydj> !route
01:06 < vpnHelper> ddaydj: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
01:19 < cron2> s
01:25 < tjz> hmm
01:29 -!- ddaydj_ [ddaydj@cpe-98-150-206-201.hawaii.res.rr.com] has joined ##openvpn
01:31 -!- ddaydj [ddaydj@cpe-98-150-206-201.hawaii.res.rr.com] has quit [Ping timeout: 240 seconds]
01:31 -!- ddaydj_ is now known as ddaydj
01:34 < ddaydj> hmm, so what i have is 3 physical seperated networks. i have two of them connecting to me and tap and bridged adapters. this lets all the computers see and talk to each other. the problem i ran in to is that they are all on the same network, and sometimes new computers are accessing other networks routers before the local one and getting the wrong dhcp info
01:35 < ddaydj> my guess is the way to fix it would be to do better subnetting, right now i'm using 172.16.1 for my network and 172.16.2 and .3 for the two remote networks, with a subnet mask of 255.255.0.0
01:35 < rob0> !bridge
01:35 < vpnHelper> rob0: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for anything where the protocol uses MAC addresses instead of IP addresses.
01:35 < vpnHelper> rob0: (but not samba, see !wins)
01:36 < rob0> You probably do not need and should not use bridging.
01:36 < ddaydj> yeah, it looks like tun is going to be the better way to set it up, bridging was just a lot easier
01:37 < rob0> The only way to fix it with bridged networks is to somehow block the transmission of DHCP over the VPN.
01:37 < ddaydj> i could probably figure that out, but that seems like patching it up and if i did it wrong i'm not too hestitant to redo it the right way
01:37 < rob0> (or, get each DHCP server to only answer for its own hosts)
01:38 < rob0> Fixing the bridge is not the ideal solution, as pr factoid, you really should do it right, with routing.
01:39 < ddaydj> alright, i'll get working on that then
01:39 < ddaydj> my subnetting is right if i change the subnet mask right? to 255.255.255.0 ?
01:39 < rob0> fortunately you're already using distinct netblocks, just need to ... rright
01:40 < ddaydj> ^^b
01:40 < rob0> change /16 to /24
01:52 -!- ddaydj_ [~ddaydj@cpe-98-150-206-201.hawaii.res.rr.com] has joined ##openvpn
01:57 -!- ddaydj [ddaydj@cpe-98-150-206-201.hawaii.res.rr.com] has quit [Ping timeout: 272 seconds]
01:57 -!- ddaydj_ [~ddaydj@cpe-98-150-206-201.hawaii.res.rr.com] has quit [Ping timeout: 264 seconds]
01:57 -!- ddaydj [ddaydj@cpe-98-150-206-201.hawaii.res.rr.com] has joined ##openvpn
02:07 -!- jww is now known as jmm
02:08 -!- polaru [~polaru@93.113.192.70] has joined ##openvpn
02:16 < jmm> hello.
02:17 -!- ddaydj [ddaydj@cpe-98-150-206-201.hawaii.res.rr.com] has quit []
02:17 -!- krzee [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
02:19 -!- ddaydj [ddaydj@cpe-98-150-206-201.hawaii.res.rr.com] has joined ##openvpn
02:21 -!- ddaydj_ [ddaydj@cpe-98-150-206-201.hawaii.res.rr.com] has joined ##openvpn
02:21 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
02:23 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:23 -!- mode/##openvpn [+o mattock] by ChanServ
02:24 -!- ddaydj [ddaydj@cpe-98-150-206-201.hawaii.res.rr.com] has quit [Ping timeout: 272 seconds]
02:36 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Quit: leaving]
03:07 -!- master_of_master [~master_of@p57B569D3.dip.t-dialin.net] has quit [Ping timeout: 272 seconds]
03:09 -!- master_of_master [~master_of@p57B552B4.dip.t-dialin.net] has joined ##openvpn
03:17 -!- ddaydj_ is now known as ddaydj
03:20 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
03:25 < |Mike|> gewd meurning :-)
03:27 -!- dazo_afk is now known as dazo
03:28 < macsppadic> morning |Mike| 
03:43 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
03:57 < ddaydj> ugh, so close. also i don't think homegroups work across subnets... so that's gonna suck
04:02 -!- jamesd2 is now known as london_dan
04:03 -!- london_dan is now known as jamesd_
04:13 < krzee> homegroups?
04:16 < ddaydj> yeah, simple file sharing on windows 7
04:16 -!- sparch [~daniel@pdpc/supporter/active/sparch] has joined ##openvpn
04:17 < sparch> morning
04:18 < krzee> ddaydj, 
04:18 < krzee> !wins
04:18 < vpnHelper> krzee: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
04:18 < sparch> !openvpn
04:18 < vpnHelper> sparch: Error: "openvpn" is not a valid command.
04:19 < krzee> sparch, 
04:19 < krzee> !goal
04:19 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
04:19 < sparch> FUCKIN AWESOME
04:19 < sparch> Love OpenVPN
04:20 < krzee> cool
04:20 < ddaydj> ugh ~.~ i'm gonna worry about homegroups and wins later
04:20 < krzee> ddaydj, wins is your solution
04:20 < krzee> netbios resolution over IP
04:20 < sparch> Wins man, Wins.
04:20 < ddaydj> so here's where i'm at right now
04:21 < ddaydj> the remote network can access the openvpn server, but nothing else over here. but i have a computer on this network that is able to access the client on the remote network
04:22 < krzee> firewall on the openvpn server
04:22 < sparch>  /topic
04:22 < ddaydj> all firewalls are off, i added routing tables to both routers
04:22 < sparch> which is your Firewall?
04:23 < ddaydj> the remote computer has kaspersky, the ones on this network are using windows firewall
04:23 < krzee> the computer on the server network can access cients, but that same client cant access the computer on the server lan?
04:23 < sparch> Juniper do no support ICMP Redirect, I can say for sure
04:23 < sparch> http://kb.juniper.net/KB6416
04:23 -!- mattock [~samuli@sparkgw.utu.fi] has joined ##openvpn
04:23 -!- mode/##openvpn [+o mattock] by ChanServ
04:24 < ddaydj> yeah, both my computers on this network can access the one on the remote network
04:24 < ddaydj> oh, there's a printer on the remote network, i can ping that from here too
04:24 < krzee> ddaydj, and same machine on remote network cant access those machines that can access them?
04:24 < ddaydj> oddly i can't ping the remote network's router...
04:25 -!- mattock [~samuli@sparkgw.utu.fi] has quit [Client Quit]
04:25 < ddaydj> the remote computer can access the server on this network, but not the other computer or the router
04:26 < ddaydj> tracerty show that it jumps to the server (using the vpn ip) and then doesn't seem to know where to go from there
04:26 < ddaydj> *tracert
04:26 < krzee> ok check this out
04:26 < krzee> [02:24]  <ddaydj> yeah, both my computers on this network can access the one on the remote network
04:26 < krzee> lets say thats A pinging B
04:26 < krzee> can B then ping A?
04:26 < krzee> if not, firewall problem
04:26 < ddaydj> yes, they can ping each other
04:27 < krzee> both directions?
04:27 < ddaydj> but then lets say C is the other computer on the same network as A
04:27 < ddaydj> C can ping B but B can't ping C
04:27 < ddaydj> yep, both ways for A and B
04:27 < krzee> are C and A both machines in the same LAN, niether one runs openvpn?
04:28 < ddaydj> openvpn is installed on A, C is just connected a basic router
04:30 < krzee> run wireshark filtering for ICMP on C
04:30 < krzee> see if it gets the ping, and replies
04:30 < krzee> then run wireshark on A filtering for ICMP on tap device
04:30 < krzee> if it gets the ping but never the reply, you likely messed up adding the route to the router in that LAN
04:31 < krzee> if C never gets the ping at all, you might not have ip forwarding on A
04:31 < krzee> or the firewall on A or C blocks it
04:31 < ddaydj> well, all firewalls are off so that shouldn't be it
04:31 < krzee> basically, i cant help until you sniff out the problem
04:31 < ddaydj> yeah, working on that now
04:35 < ddaydj> it seems that C is replying but B is never getting it
04:36 < krzee> route on router
04:36 < krzee> full explanation here:
04:36 < krzee> !route
04:36 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
04:36 < krzee> ROUTES TO ADD OUTSIDE OF OPENVPN
04:36 < krzee> http://secure-computing.net/wiki/index.php/Graph
04:36 < vpnHelper> Title: Graph - Secure Computing Wiki (at secure-computing.net)
04:36 < krzee> that helps too
04:36 < ddaydj> yeah, i added those...
04:37 < krzee> well you added it wrong
04:37 < ddaydj> Name  	Destination IP  	Netmask  	Gateway  	Metric  	Interface  	   	 
04:37 < ddaydj> 172.16.2.xxx 	172.16.2.0 	255.255.255.0 	172.16.1.101 	1 	LAN 	Edit 	Delete
04:37 < ddaydj> 172.16.3.xxx 	172.16.3.0 	255.255.255.0 	172.16.1.101 	1 	LAN 	Edit 	Delete 
04:37 < krzee> or your router is also a firewall
04:37 < krzee> 172.16.1.101 is A's LAN ip?
04:37 < ddaydj> yes
04:38 < ddaydj> 172.16.2.0 is the remote network
04:38 < ddaydj> .3 isn't up yet
04:38 < krzee> and whats the VPN network?
04:38 < ddaydj> 172.16.1.0
04:38 < krzee> umm no
04:38 < krzee> thats the LAN A is on
04:38 < ddaydj> uh, lol. 172.16.0.0
04:39 < krzee> ok then you need to add a route to that network
04:39 < krzee> via .101
04:39 < ddaydj> ah, okay
04:39 < ddaydj> on both network's routers?
04:39 < krzee> im guessing B is on the 0.x
04:40 < ddaydj> b's vpn address is 172.16.0.10, its dhcp address is 172.16.2.101
04:40 < krzee> yes, both routers need a route to VPN subnet assuming both vpn endpoints need to communicate with other side LANs
04:40 < krzee> yes B was using its VPN subnet ip as its source
04:40 < krzee> thats why you didnt have a route to reply
04:40 < krzee> so the reply was going out over internet, not vpn tunnel
04:40 < krzee> add that route and retest
04:42 < ddaydj> ^^ that did it. thanks
04:43 < krzee> np
04:43 < ddaydj> any idea why i can't access the router on the remote network?
04:43 < krzee> follow the routes
04:43 < ddaydj> remote network can't access my router either
04:46 < ddaydj> using tracert? it goes to 172.16.0.10, and then times out from there on
04:47 < ddaydj> oh, that's odd... remote network can access my router now
04:48 < krzee> screw tracert
04:48 < krzee> packet sniffers are the only way to figure out where it stops
04:48 < krzee> like you did when i told you to
04:51 < ddaydj> i monitored packets on B on both ports, it shows the requests coming in, but no reply
04:52 < ddaydj> *ports = adapters
04:53 < krzee> do the requests go past B?
04:53 < ddaydj> yes, they pass through B without any issues it seems
04:53 < krzee> it seems?
04:53 < ddaydj> i see the packet requests go through, i'm not sure if there's anything else i should look for
04:54 < krzee> so you have a machine behind B, we can call it D
04:54 < krzee> on D is a sniffer seeing pings, and replying
04:54 < krzee> correct?
04:54 < ddaydj> no, i only have one computer on the remote network, B
04:54 < krzee> get one up
04:54 < ddaydj> i have a printer on that network i can ping, but nothing else
04:54 < krzee> you need something that can sniff packets
04:55 < ddaydj> B can sniff packets
04:55 < krzee> you have no way of knowing if machines BEHIND B get the ping or not
04:55 < ddaydj> the printer doesn't count?
04:55 < krzee> so put a machine on that lan and sniff packets there
04:55 < krzee> does your printer have a packet sniffer?
04:55 < ddaydj> no, it just replies to pings
04:55 < krzee> if not, no it doesnt count
04:56 < ddaydj> alright, i'll have to wait til tomorrow then. everyone over there is asleep
05:07 < ddaydj> thanks for your help, i'm gonna get some sleep
05:08 < krzee> yw
05:20 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:32 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
06:12 -!- le0 [~itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Quit: Leaving]
06:13 -!- le0 [~itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
06:20 -!- le0 [~itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Quit: Leaving]
06:20 -!- le0 [~itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
06:23 -!- le0 [~itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Client Quit]
06:23 -!- le0 [~itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
06:29 -!- le0 [~itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Quit: Leaving]
06:29 -!- le0 [~itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
06:33 -!- gazelle [~luna@unaffiliated/gazelle] has joined ##openvpn
06:36 -!- le0 [~itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Changing host]
06:36 -!- le0 [~itsle0@unaffiliated/le0] has joined ##openvpn
06:37 -!- le0 [~itsle0@unaffiliated/le0] has quit [Quit: Leaving]
06:37 -!- le0 [~itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
06:37 -!- le0 [~itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Changing host]
06:37 -!- le0 [~itsle0@unaffiliated/le0] has joined ##openvpn
06:38 -!- le0 [~itsle0@unaffiliated/le0] has quit [Client Quit]
06:39 -!- le0 [~itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
06:39 -!- le0 [~itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Changing host]
06:39 -!- le0 [~itsle0@unaffiliated/le0] has joined ##openvpn
06:43 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
06:44 < krzee> ecrist, here?
06:44 < ecrist> aye
06:45 < krzee> any idea why my mail works great, im on the ovpn list, but see no mail to it since jan 16?
06:46 < ecrist> no idea, have you checked your spam quarantine?
06:46 < krzee> aye
06:46  * ecrist looks
06:46 < ecrist> there has been a lot of list traffic
06:47 < krzee> did you play with imap dir perms maybe? like o share it
06:47 < krzee> to*
06:47 < ecrist> nope
06:47 < krzee> weird
06:47 < ecrist> the amount of configuration that changes on that box is nil
06:47 < ecrist> it's been pretty static since Jan 2007
06:49 < krzee> even in dspam history i dont see openvpn stuff
06:49 < ecrist> that's what I'm looking at now.
06:49 < ecrist> let me check the mail server logs
07:04 -!- le0 [~itsle0@unaffiliated/le0] has quit [Ping timeout: 256 seconds]
07:09 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
07:09 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
07:09 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
07:10 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
07:11 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
07:11 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
07:11 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
07:12 -!- le0 [~itsle0@unaffiliated/le0] has joined ##openvpn
07:16 -!- CheBuzz_Home [~CheBuzz_H@88-202-45-98.ip.skylogicnet.com] has joined ##openvpn
07:17 -!- sparch [~daniel@pdpc/supporter/active/sparch] has quit [Quit: Apples  have  meant  trouble  since  eden.]
07:18 < CheBuzz_Home> I searched for this but couldn't find it.  Is there any way to change to rekey length (I believe the default is 3600 seconds) to something longer, say 1 day or 1 week?
07:20 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
07:22 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
07:22 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
07:22 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
07:29 < krzee> !man
07:29 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
07:31 < krzee> see the --reneg options
07:39 < CheBuzz_Home> krzee: Yep, that's what I was looking for.  Thanks for the help.
07:40 < krzee> np
07:46 -!- CheBuzz_Home [~CheBuzz_H@88-202-45-98.ip.skylogicnet.com] has left ##openvpn ["Leaving"]
08:16 -!- le0 [~itsle0@unaffiliated/le0] has quit [Quit: Leaving]
08:17 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
08:26 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined ##openvpn
08:26 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has left ##openvpn []
08:26 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 260 seconds]
08:32 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
08:32 -!- mode/##openvpn [+o mattock] by ChanServ
08:52 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
08:55 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Remote host closed the connection]
09:04 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 260 seconds]
09:36 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
09:47 -!- sikor_sxe [~mkulke@p5DE79863.dip.t-dialin.net] has joined ##openvpn
09:48 < sikor_sxe> hello, is there a way for an openvpn client to query the server for option like 'mssfix, fragment & tun-mtu'?
09:49 < krzee> dont think so
09:49 < dazo> NAFAIK
09:49 < krzee> could try pushing them, but i dont think they can be pushed
09:52 < sikor_sxe> ok, thx
09:53 < ecrist> sikor_sxe: no, but that's on the wishlist
09:53 < ecrist> !wishlist
09:53 < vpnHelper> ecrist: "wishlist" is http://ovpnforum.com/viewforum.php?f=10 for the openvpn wishlist
10:07 < krzee> !download
10:07 < vpnHelper> krzee: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) see !gui for more information for Windows clients.
10:11 < krzee> !certinfo
10:11 < vpnHelper> krzee: "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
10:15 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: Problems Creating Extra Client Keys :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=4&t=2682&p=3172#p3172>
10:26 -!- error404notfound [~Eror404@119.153.67.110] has joined ##openvpn
10:27 -!- sikor_sxe [~mkulke@p5DE79863.dip.t-dialin.net] has quit [Quit: sikor_sxe]
10:32 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
10:41 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
10:44 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined ##openvpn
10:46 -!- sparch [~daniel@pdpc/supporter/active/sparch] has joined ##openvpn
10:56 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
10:58 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
10:58 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
10:58 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
11:00 -!- krzee [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
11:01 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
11:07 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
11:19 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
11:29 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
11:30 -!- mode/##openvpn [+v Kas] by ChanServ
11:40 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Quit: Leaving]
11:48 -!- polaru [~polaru@93.113.192.70] has quit [Remote host closed the connection]
11:51 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit [Quit: Leaving]
12:02 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
12:04 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote host closed the connection]
12:09 -!- sleeping`dragon [~Eror404@119.153.53.109] has joined ##openvpn
12:11 -!- error404notfound [~Eror404@119.153.67.110] has quit [Ping timeout: 258 seconds]
12:14 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
12:27 -!- sparch [~daniel@pdpc/supporter/active/sparch] has quit [Quit: Eat right, exercise regularly, die anyway.]
12:40 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
12:53 -!- agi [~agi@manson.entorno-digital.com] has joined ##openvpn
12:54 -!- agi [~agi@manson.entorno-digital.com] has left ##openvpn ["[1]+  Killed                  cat /dev/urandom | irssi"]
13:25 -!- a-zlex [~as@null0.ipv6.bgp4.org] has joined ##openvpn
13:26 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
13:36 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote host closed the connection]
13:52 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
13:54 -!- mode/##openvpn [+o openvpn2009] by ChanServ
13:56 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote host closed the connection]
14:01 -!- dazo is now known as dazo_afk
14:05 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
14:05 -!- mode/##openvpn [+v Kasx] by ChanServ
14:05 -!- sleeping`dragon is now known as error404notfound
14:06 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 264 seconds]
14:06 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 248 seconds]
14:08 -!- error404notfound is now known as sleeping`dragon
14:09 -!- sleeping`dragon is now known as error404notfound
14:10 -!- Dougy [~me@vpn.douglashaber.com] has joined ##openvpn
14:10 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
14:10 -!- mode/##openvpn [+v openvpn2009] by ChanServ
14:10 < Dougy> hey guys
14:11 < ecrist> what's up, Dougy 
14:11 -!- Irssi: ##openvpn: Total of 82 nicks [1 ops, 0 halfops, 2 voices, 79 normal]
14:11 < Dougy> http://pastebin.com/m3972f950
14:11 < Dougy> i'm trying to get two /24's in there
14:11 < Dougy> 10.255.240.0/24 for clients
14:12 < Dougy> .241.0/24 for servers
14:12 < Dougy> is that set up properly
14:12 < krzee> you really gunna have over 254 connected machines?
14:12 < Dougy> krzee: no, im not using subnet topology so it makes a /30
14:12 < ecrist> krzee: I do the same thing on my company vppn
14:12 < Dougy> and for organizations sake
14:13 < Dougy> i want the servers on a different block
14:13 < krzee> why no topology subnet
14:13 < Dougy> krzee: i always do that, im trying something different
14:14 < krzee> 255.255.254.0 is 2 /24's
14:14 < ecrist> or /23
14:14 < krzee> ya thats a /23
14:15 < krzee> 11111111.11111111.11111110.00000000
14:15 -!- ddaydj [ddaydj@cpe-98-150-206-201.hawaii.res.rr.com] has quit []
14:16 < Dougy> yeah i know i routed a /20
14:16 < Dougy> i felt like having the buffer
14:16 < Dougy> but aside from trolling how big of a ip block i reserved
14:16 < Dougy> can you tell me if what i have is right
14:17 < Dougy> (ie. what do i need to do to make .240.0/24 be able to communicate with .241.0/24)
14:26 < Dougy> :)
14:32 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
14:34 -!- error404notfound [~Eror404@119.153.53.109] has quit [Changing host]
14:34 -!- error404notfound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
14:37 -!- error404notfound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
14:37 -!- error404notfound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
14:38 -!- error404notfound is now known as |404NotFound|
14:38 -!- |404NotFound| is now known as error404notfound
14:40 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote host closed the connection]
14:41 < Dougy> where did you two go
14:41  * Dougy nudges ecrist and punches krzee in the ribs
14:41 < Dougy> o.o
14:42 < ecrist> sorry, Dougy, there's a company here in Minneapolis that pays me a fair amount of money to pay attention to *their* issues.  
14:43 < Dougy> o.O
14:43 < Dougy> only a fair amount?
14:43 < Dougy> you can do better
14:43 -!- error404notfound is now known as |404NotFound|
14:44 -!- |404NotFound| is now known as error404notfound
14:47 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
14:53 < Bushmills> Dougy: one acceptable metric for "being right" is "it works" 
14:57 -!- krzee [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
15:09 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
15:13 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote host closed the connection]
15:14 -!- makomi [~makomi@91-65-101-204-dynip.superkabel.de] has joined ##openvpn
15:14 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
15:15 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:15 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
16:30 -!- makomi [~makomi@91-65-101-204-dynip.superkabel.de] has quit [Remote host closed the connection]
16:38 < Dougy> -.-
16:44 -!- error404notfound [~Eror404@unaffiliated/error404notfound] has quit [Read error: Connection reset by peer]
17:23 -!- n0ah [n0ah@edge.chi.arknet.n0ah.org] has quit [Ping timeout: 256 seconds]
18:05 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 265 seconds]
18:10 -!- gazelle is now known as gazl
18:12 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Quit: No Ping reply in 180 seconds.]
18:12 -!- PeterFA [~Peter@c-98-203-132-209.hsd1.wa.comcast.net] has joined ##openvpn
18:12 -!- PeterFA [~Peter@c-98-203-132-209.hsd1.wa.comcast.net] has quit [Changing host]
18:12 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
18:15 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
18:18 -!- gazl [~luna@unaffiliated/gazelle] has quit [Ping timeout: 240 seconds]
18:33 -!- APTX| [~APTX@chello089076052083.chello.pl] has joined ##openvpn
18:35 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
18:50 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
18:53 -!- APTX| [~APTX@chello089076052083.chello.pl] has quit [Quit: Farewell]
18:53 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
18:53 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
18:53 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
19:01 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
19:02 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
20:06 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
20:58 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
21:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
21:32 -!- teddymills [~teddy@208.92.235.227] has quit [Quit: Ex-Chat]
22:05 -!- Dougy [~me@vpn.douglashaber.com] has quit []
22:24 -!- PeterFA_ [~Peter@2002:62cb:84d1:1234:21a:73ff:fe3b:d510] has joined ##openvpn
22:25 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Read error: No route to host]
22:45 -!- teddymills [~teddy@208.92.235.227] has joined ##openvpn
23:06 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:33 -!- Optic [~Optic@miso.capybara.org] has quit [Ping timeout: 252 seconds]
23:35 -!- Optic [~Optic@miso.capybara.org] has joined ##openvpn
23:36 -!- corretico_ [~laguilar@201.201.46.106] has joined ##openvpn
23:38 -!- corretico__ [~laguilar@201.201.46.106] has joined ##openvpn
23:40 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 276 seconds]
23:40 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
23:41 -!- corretico__ [~laguilar@201.201.46.106] has quit [Client Quit]
23:42 -!- corretico_ [~laguilar@201.201.46.106] has quit [Ping timeout: 264 seconds]
23:55 -!- error404notfound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
--- Day changed Fri Feb 05 2010
00:07 -!- Zahra [~Zahra@unaffiliated/belendax] has joined ##openvpn
00:08 < Zahra> does anybody know how can I set my routing table to route all the traffics via vpn?
00:11 < hyper_ch> !def1
00:11 < vpnHelper> hyper_ch: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
00:17 < Zahra> does anybody work with n2n?
00:36 -!- error404notfound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
00:42 -!- error404notfound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
01:03 -!- bandini [~bandini@host225-107-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn
01:10 -!- sleeping`dragon [~Eror404@203.99.172.179] has joined ##openvpn
01:12 -!- error404notfound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 276 seconds]
02:17 -!- mattock [~samuli@sparkgw.utu.fi] has joined ##openvpn
02:17 -!- mode/##openvpn [+o mattock] by ChanServ
02:20 -!- polaru [~polaru@93.113.192.70] has joined ##openvpn
02:26 < jmm> hi.
02:29 -!- sleeping`dragon [~Eror404@203.99.172.179] has quit [Ping timeout: 240 seconds]
02:45 -!- sleeping`dragon [~Eror404@203.99.172.179] has joined ##openvpn
03:05 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
03:06 -!- mattock [~samuli@sparkgw.utu.fi] has quit [Ping timeout: 245 seconds]
03:07 -!- master_of_master [~master_of@p57B552B4.dip.t-dialin.net] has quit [Ping timeout: 272 seconds]
03:09 -!- master_of_master [~master_of@p57B550C8.dip.t-dialin.net] has joined ##openvpn
03:10 -!- mattock [~samuli@sparkgw.utu.fi] has joined ##openvpn
03:11 -!- mode/##openvpn [+o mattock] by ChanServ
03:16 -!- macsppadic_ [~sonupunno@82.109.74.162] has joined ##openvpn
03:16 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Read error: Connection reset by peer]
03:16 -!- macsppadic_ is now known as macsppadic
03:43 -!- Zahra [~Zahra@unaffiliated/belendax] has left ##openvpn []
04:05 -!- mattock [~samuli@sparkgw.utu.fi] has quit [Ping timeout: 245 seconds]
04:08 -!- sparch [~daniel@pdpc/supporter/active/sparch] has joined ##openvpn
04:13 -!- |404NotFound| [~Eror404@119.153.74.33] has joined ##openvpn
04:15 -!- sleeping`dragon [~Eror404@203.99.172.179] has quit [Ping timeout: 252 seconds]
04:21 < sparch> morning
04:22 < macsppadic> morning sparch 
04:23 < |Mike|> reprepro includedeb lenny-kumina /home/mike/listchanges_1.0.3_all.deb
04:24 < |Mike|> grmbl, i have to close some terminals
04:24 < reiffert> :)
04:24 < macsppadic> :-)
04:25 -!- dazo_afk is now known as dazo
04:25 < |Mike|> btw, any debian users here what would like to have PowerAdmin as a debian package? :-)
04:31 < sparch> macsppadic: how do you do?
04:31 < macsppadic> am good sparch how r u sir? enjoying the heat still was it ?
04:32 < sparch> wow
04:32 < sparch> today was the worst night to sleep
04:32 < sparch> no wind
04:32 < macsppadic> ouch
04:32 < macsppadic> air conditioner time 
04:33 < sparch> that's for sure
04:33 < sparch> but here, where I live, I should use the air a month a year
04:33 < sparch> no advantage
04:35 < sparch> but thats are time when i deeply think into buying one
04:37 < macsppadic> where u based sparch ?
04:39 < sparch> Brazil
04:39 < sparch> Curitiba
04:39 < sparch> and you?
04:39 < macsppadic> Liverpool Uk
04:39 < sparch> just a little far hehe
04:41 < macsppadic> aye just a small ocean 
04:41 < sparch> when I play fifa 2010 on xbox, a lot of people are from england
04:42 < macsppadic> good game that 
04:42 < sparch> choose Manchster United or Liverpool to play
04:43 < |Mike|> soccer--
04:44 < sparch> |Mike|: what do you like then?
04:44 < macsppadic> sparch:  dont got there - will start me off on a rant n am sure no one in this channel wants that 
04:45 < macsppadic> :-)
04:45 < sparch> I got it, just asking what kind of sport he likes...
04:45 < sparch> not my intention to troll
04:45 < sparch> sorry
04:45 < macsppadic> hahahaha
04:45 < macsppadic> no its ok 
04:46 < macsppadic> sorry just a vey disgruntled footie fan here....
04:46 < macsppadic> :-)
04:46 < sparch> hahaha
04:46 < sparch> I see
04:49 -!- freaky[t] [~alpha@freakyy.de] has quit [Remote host closed the connection]
04:50 < sparch> I've been sad about my firewall device
04:50 < macsppadic> whats happened?
04:50 < sparch> Juniper, do not support ICMP Redirect
04:50 < sparch> had to put a route to vpn net on each server, by hand
04:51 < sparch> that's not cool, but worked... 
04:52 < |Mike|> sparch: volleybal ;)
04:52 < |Mike|> jumping female volleyballers :D
04:53 < macsppadic> female beach volleyballers even better |Mike| 
04:53 < macsppadic> :-D
04:53 < |Mike|> i have to agree with that macsppadic :D
04:54 < sparch> macsppadic: indeed
04:54 < macsppadic> they are just the best 
04:54 < sparch> macsppadic++
04:54 < macsppadic> sparch: juniper hard to configure?
04:54 < macsppadic> always been interested in it ..just never had time to have a play around 
04:55 < sparch> no! its a great apliance
04:55 < sparch> easy brezzy
04:55 < |Mike|> macsppadic: you got mail :-)
04:56 < sparch> macsppadic: I am using SSG 320M
04:56 < macsppadic> niice
04:56 < sparch> recommend
04:57 < sparch> its solid, run JunOS, which is FreeBSD based
04:57 < sparch> nice webui
04:57 < sparch> easy console
04:57 < macsppadic> i see
04:57 < sparch> and the main thing: it works
05:05 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
05:06 -!- Zeeek [~Zeeek@pdpc/supporter/active/zeeek] has joined ##openvpn
05:08 < Zeeek> greetings (to no one in particular)
05:08 < Zeeek> anyone here familiar with Markus Feilner ?
05:09 < macsppadic> morning Zeeek 
05:09 < Zeeek> I ask because he is our guest on the VoIP Users Conference in about 6 hours from now
05:09 < Zeeek> macsppadic: hi
05:10 < Zeeek> We would like to get OpenVPN people on the call to ask intelligent questions
05:10 < macsppadic> oh VoiP - kewl stuff
05:10 < Zeeek> Markus wrote Beginning OpenVPN 2.0.9 and he's an interesting human
05:11 < Zeeek> so we wander away from VoIP for 30 minutes today to discuss OpenVPN
05:11 < macsppadic> wow
05:11 < Zeeek> You can join us via Skype or SIP
05:11 < macsppadic> cheers Zeeek sounds intersting..might definitely give that a go 
05:11 < Zeeek> See http://vuc.me or just phone in 
05:11 < vpnHelper> Title: VoIP Users Conference (at vuc.me)
05:11 < Zeeek> skype:vuc.me
05:12 < macsppadic> cheers
05:12 < Zeeek> sip:200901@login.zipdx.com
05:12 < Zeeek> IRC #vuc
05:12 < Zeeek> macsppadic: come on by, six hours from now :)
05:12 < macsppadic> i just might 
05:12 < macsppadic> :-)
05:12 < Zeeek> what time zone are you in?
05:12 < macsppadic> tho not sure about the intelligent question asking bit - :-)
05:13 < macsppadic> GMT
05:13 < Zeeek> Well if you're into OpenVPN, you can win a copy of Markus' book
05:13 < Zeeek> The call starts around 5PM GMT
05:13 < Bushmills> wow, closed source comms for open source conf
05:13 < Zeeek> which Skype? That's for people who aren't into the technical end
05:13 < macsppadic> ooo definitely in - am sold Zeeek 
05:14 < Bushmills> i see. the conf is for non-technical people.  end users?
05:14 < Zeeek> Personally I use whatever works
05:14 < Zeeek> Bushmills: the conf is for anyone interested. There are some very cool people who are regulars like Randal Schwartz
05:15 < Bushmills> well, i have to give it a pass. no skype installed here.
05:15 < Zeeek> Randal wrote the Perl book and is a big Open Source promoter as you probably know
05:15 < Zeeek> Bushmills: what about SIP?
05:15 < Bushmills> that i have
05:15 < Zeeek> sip:200901@login.zipdx.com
05:15 < Zeeek> as I said above
05:15 < Zeeek> $
05:15 < Bushmills> thanks.
05:15 < Zeeek> g722 if possible
05:15 < Zeeek> if not, whatever you have
05:15 < Bushmills> sorry, not seen what you wrote above
05:16 < Zeeek> np
05:16 < Zeeek> Do you know Markus or his work?
05:16 < Bushmills> linux for developing countries guy?
05:17 < Zeeek> Anyone who wants to connect via SIP is welcome to joijn today's discussion of OpenVPN
05:17 < Zeeek> Bushmills: yes, that's one of his facets
05:17 < Zeeek> I think
05:17 -!- oc80z [oc80z@blea.ch] has quit [Quit: ZNC - http://znc.sourceforge.net]
05:17 < Zeeek> I spoke to him briefly yesterday. on Skype :)
05:17 < Bushmills> he's with linux magazin iirc
05:17 < Zeeek> yup
05:17 < Zeeek> great guy 
05:18 < Zeeek> I'm looking forward to this call
05:18 -!- oc80z [oc80z@blea.ch] has joined ##openvpn
05:18 < Zeeek> but then we always have great calls, every Friday at 12 Noon EST (5PM GMT)
05:18 < Zeeek> primarily VoIP but sometimes other technologies, usually network-related
05:18 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
05:22 < sparch> good to know
05:22 < Zeeek> I can't help it, no matter how much new shit gets invented, nothing beats IRC!
05:23 < Zeeek> There's no easier way to immediately find the best focused interest group around a topic
05:23 < Zeeek> If only Captain Picard were here to weigh in :)
05:24 -!- |404NotFound| [~Eror404@119.153.74.33] has quit [Ping timeout: 240 seconds]
05:24 < macsppadic> o my god!
05:24 < macsppadic> not another Picard lover
05:24 < macsppadic> heheheh
05:24 < macsppadic> make it so!
05:24 < Bushmills> jabber conferences have the potential but not the user base
05:25 -!- |404NotFound| [~Eror404@119.153.79.68] has joined ##openvpn
05:25 < Zeeek> Bushmills: agreed
05:25 < Zeeek> macsppadic: have you seen the Frasier TV show where Picard was a guest?
05:25 < macsppadic> yes
05:26 < macsppadic> his name is Patrick stewart or rather sir patrick now 
05:26 < macsppadic> my boss is a huge huge fan of him as well 
05:26 < Zeeek> yeah couldn't remember right off
05:26 < Zeeek> stewart is brilliant. He was in "extras" with the "Office" comedian too
05:26 < Zeeek> can't recall his name either
05:26  * Bushmills wonders whether he should bridge #openvpn to an openvpn conference
05:27 < Zeeek> we will be chatting with markus on #vuc 
05:27 < Bushmills> on a jabber server
05:27 < Zeeek> temporarily we call it "VPN Users Conference"
05:27 < macsppadic> ricky gervais Zeeek 
05:27 < Zeeek> now if we could find a few virgins, we could call it...
05:28 < Zeeek> Gervais, yeah, thx
05:28 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
05:28 -!- mode/##openvpn [+o mattock] by ChanServ
05:30 < Bushmills> beer volcano too?
05:30 < Zeeek> full-blown Star Trek/The Office/Frasier discussion now in #vuc
05:31 < Zeeek> Virgin Users Conference in which case, VUC ME It's Friday would have deeper meaning
05:31 < Zeeek> [but I digress]
05:31 < macsppadic> rofl
05:35 < Zeeek> so OpenVPN guys, is it a date? Today in 5 1/2 hours on #vuc and http://vuc.me to talk about OpenVPN 2 ?
05:35 < vpnHelper> Title: VoIP Users Conference (at vuc.me)
05:35 < Zeeek> cute
05:36 < Zeeek> one msut make sure to not leave "Untitled Document" like so many idiots have in the past
05:36 < Zeeek> Front Page rocks! (ironic tone)
05:37 < Zeeek> The existing structure of IRC, like that of Usenet makes it easy to find centers of interest... like OpenVPN
05:42 < |Mike|> Zeeek: You might want to ask mattock to topic that :)
05:43 < Zeeek> I'd be really happy if that could happen
05:43 < Zeeek> thx for me,tioning it
05:43 < Zeeek> see my typing goes to hell when I get excited
05:44 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:53 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
05:57 < Zeeek> what does it mean, type !welcome ?
05:59 < |Mike|> !welcome
05:59 < vpnHelper> |Mike|: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:07 < Zeeek> aha
06:07 < Zeeek> !man
06:07 < vpnHelper> Zeeek: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
06:08 < Zeeek> nice
06:09 < Zeeek> vpnHelper: VUC is a conference today on OpenVPN at 5PM GMT
06:09 < vpnHelper> Zeeek: Error: "VUC" is not a valid command.
06:09 < Zeeek> different bots, different methods
06:13 < |Mike|> Zeeek: ecrist and krzie maintain vpnHelper 
06:15 < Zeeek> k
06:18 -!- oc80z [oc80z@blea.ch] has quit [Ping timeout: 252 seconds]
06:22 -!- oc80z [oc80z@blea.ch] has joined ##openvpn
06:23 -!- oc80z [oc80z@blea.ch] has quit [Client Quit]
06:23 -!- oc80z [oc80z@blea.ch] has joined ##openvpn
06:25 -!- sleeping`dragon [~Eror404@119.153.75.160] has joined ##openvpn
06:26 -!- sleeping`dragon is now known as error404notfound
06:26 -!- error404notfound [~Eror404@119.153.75.160] has quit [Changing host]
06:26 -!- error404notfound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
06:27 -!- oc80z [oc80z@blea.ch] has quit [Client Quit]
06:28 -!- |404NotFound| [~Eror404@119.153.79.68] has quit [Ping timeout: 252 seconds]
06:31 -!- error404notfound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 256 seconds]
06:32 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
06:34 -!- error404notfound [~Eror404No@unaffiliated/error404notfound] has joined ##openvpn
06:35 -!- error404notfound is now known as sleeping`dragon
06:36 -!- sleeping`dragon is now known as |404NotFound|
06:36 -!- |404NotFound| is now known as error404notfound
06:38 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
06:39 -!- sleeping`dragon [~Eror404No@unaffiliated/error404notfound] has joined ##openvpn
06:40 -!- sleeping`dragon is now known as |404NotFound|
06:41 -!- error404notfound [~Eror404No@unaffiliated/error404notfound] has quit [Disconnected by services]
06:41 -!- |404NotFound| is now known as error404notfound
06:43 -!- _Zeeek [~Zeeek@bdx.resmo.net] has joined ##openvpn
06:43 -!- Zeeek [~Zeeek@pdpc/supporter/active/zeeek] has quit [Read error: Connection reset by peer]
06:43 -!- _Zeeek [~Zeeek@bdx.resmo.net] has quit [Changing host]
06:43 -!- _Zeeek [~Zeeek@pdpc/supporter/active/zeeek] has joined ##openvpn
06:43 -!- _Zeeek is now known as Zeeek
06:51 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has quit [Ping timeout: 248 seconds]
06:55 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn
07:20 < ecrist> what's up folks?
07:22 -!- julius [~julius@217.20.127.15] has quit [Read error: Connection reset by peer]
07:35 <@mattock> not much, just got the meeting summaries linked to from this page: http://www.secure-computing.net/wiki/index.php/OpenVPN/IRC_meetings
07:35 < vpnHelper> Title: OpenVPN/IRC meetings - Secure Computing Wiki (at www.secure-computing.net)
07:35 < steelnwool> i predict the maker of Viscosity VPN is about to encounter some legal troubles.
07:35 < steelnwool> his company is called Spark Labs. THere is one that already exists with that name.
07:37 -!- reiffert [~thomas@mail.webersheim.de] has quit [Remote host closed the connection]
07:40 -!- julius [~julius@217.20.127.15] has joined ##openvpn
07:50 < Zeeek> any ops awake yet?
07:51 < macsppadic> Zeeek: u want ecrist and mattock 
07:51 < macsppadic> steelnwool: oh dear 
07:51 < Zeeek> Bushmills: could you maybe mention the OpenVPN conference that's happening at 5PM GMT (12 Noon EST) just before it starts
07:51 < Zeeek> macsppadic: hello again
07:52 < Zeeek> I'd like to see a few people from here come over there. Hop over to #vuc for more info or see http://vuc.me
07:52 < vpnHelper> Title: VoIP Users Conference (at vuc.me)
07:52 <@mattock> ecrist is the IRC man here, I'd probably destroy the channel by mistake if I did any op commands :)
07:52 < Zeeek> vpnHelper: thanks so much for reading the title of the web site
07:52 < Zeeek> $
07:52 < vpnHelper> Zeeek: Error: "thanks" is not a valid command.
07:52 < Zeeek> I know
07:53 <@mattock> zeeek: having fun with vpnHelper, eh :)
07:53 <@mattock> he's a nice guy
07:53 < Zeeek> mattock: well if anyone could remind the powers that be
07:53 < Zeeek> I think Markus is an interesting guy and the chat should be fun
07:54 < Zeeek> surely some of the regulars here know him  or know of him
07:57 < Zeeek> Here's the book link: http://tr.im/openvpn209
07:57 < Zeeek> if tr.im still works
08:15 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:17  * ecrist is here.
08:21 < hyper_ch> so, who is using SSL for freenode in here?
08:22 < ecrist> not I
08:22 < hyper_ch> why not?
08:22 < ecrist> why?
08:23 < hyper_ch> well, if your concious enough to run VPNs why not run SSLed irc?
08:23 < ecrist> because the endpoint is insecure.  why have a secure transport to an insecure endpoint?
08:24 < ecrist> not only that, many of (not all) the channels I am in are publicly logged.
08:24 < hyper_ch> there are many reasons :)
08:24 < ecrist> such as...
08:25 < hyper_ch> what about queries?
08:25 < ecrist> what about them?
08:25 < hyper_ch> why not use features that are offered
08:26 < hyper_ch> while anyone can put an irc logger into public chatrooms it's a bit more complicated to listen to a query that's ssled :)
08:26 < ecrist> hyper_ch: I treat IRC as an insecure service.  there is no benefit imho to using a secure transport for an insecure service.
08:26 < ecrist> sure, but I don't know that freenode isn't logging it
08:26 < hyper_ch> with that mindset it will remain insecure
08:26 < ecrist> if I was secure communication with someone, I will use a private SSL'd SIP call, or PGP/email
08:27 < ecrist> it will never be secure, as long as a third party controls the back end.
08:27 < hyper_ch> assuming the other party also has that :)
08:27 < hyper_ch> there is never 100% security :)
08:27 < hyper_ch> but why not aim for 99%?
08:28 < ecrist> this is such a thing as 100% security, so long as both parties can be trusted.
08:28 < ecrist> it's just difficult to do correctly
08:29 < ecrist> Zeeek: query
08:31 < hyper_ch> nah, nothing is 100% secure :)
08:31 < hyper_ch> except for death :9
08:35 -!- Zeeek [~Zeeek@pdpc/supporter/active/zeeek] has left ##openvpn []
08:35 -!- Zeeek [~Zeeek@pdpc/supporter/active/zeeek] has joined ##openvpn
08:35 -!- Zeeek [~Zeeek@pdpc/supporter/active/zeeek] has left ##openvpn []
08:36 -!- Zeeek [~Zeeek@pdpc/supporter/active/zeeek] has joined ##openvpn
08:39 -!- mode/##openvpn [+o ecrist] by ChanServ
08:39 -!- mode/##openvpn [-t] by ecrist
08:39 -!- mode/##openvpn [-o ecrist] by ecrist
08:45 -!- Zeeek changed the topic of ##openvpn to: Chat with author of 'Beginning OpenVPN 2.0.9' see #vuc for details.  - OpenVPN 2.1.1 Most Current || Your problem is your firewall, really. || Type !welcome  before asking your questions. || Web Forum: http://ovpnforum.com
08:45 < steelnwool> add to that "Learn some basic routing, for christs sake, tutorials are all over the web"
08:45 < Zeeek> now I have to go buy za lot more beer for our openvpn guests
08:46 < ecrist> lol @steelnwool
08:47 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
08:55 -!- flaco [~flaco@pc-166-153-83-200.cm.vtr.net] has joined ##openvpn
08:55 < flaco> hi all... I got this client config http://dpaste.com/154976/ , but the clients are not keet trying to connect to the vpn server... I'm missing something?
08:56 < ecrist> !logs
08:56 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
09:00 -!- zheng [~zheng@114.92.157.67] has joined ##openvpn
09:01 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
09:03 -!- steelnwool [~jeff@204.232.209.119] has left ##openvpn []
09:07 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:24 -!- MadTBone__ [~MadTBone@160.39.238.196] has joined ##openvpn
09:34 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
09:46 -!- zheng [~zheng@114.92.157.67] has quit [Quit: Leaving]
09:55 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
10:00 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Ping timeout: 240 seconds]
10:04 < Zeeek> The OpenVPN discussion starts in 45 minutes on #vuc and via SIP:200901@login.zipdx.com - check it out and I'll now stop flooding the channel about this :) Be well!
10:05 < Zeeek> see topic for an explanation
10:05 -!- Zeeek [~Zeeek@pdpc/supporter/active/zeeek] has left ##openvpn []
10:10 -!- MadTBone__ [~MadTBone@160.39.238.196] has quit [Remote host closed the connection]
10:14 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
10:16 -!- dauergast [~sag@f055013111.adsl.alicedsl.de] has joined ##openvpn
10:17 -!- dauergast [~sag@f055013111.adsl.alicedsl.de] has quit [Client Quit]
10:21 -!- makomi [~makomi@95-89-254-170-dynip.superkabel.de] has joined ##openvpn
10:33 -!- makomi [~makomi@95-89-254-170-dynip.superkabel.de] has quit [Remote host closed the connection]
10:34 -!- MadTBone__ [~MadTBone@160.39.238.196] has joined ##openvpn
10:45 -!- dazo [~dazo@nat/redhat/x-brllznifwdqemddn] has quit [Quit: ZNC - http://znc.sourceforge.net]
10:47 -!- dazo [~dazo@nat/redhat/x-trdcpaehnoxqbcwa] has joined ##openvpn
10:48 -!- dazo is now known as Guest86327
10:50 -!- flaco [~flaco@pc-166-153-83-200.cm.vtr.net] has quit []
10:50 -!- Guest86327 is now known as dazo_
11:01 -!- mode/##openvpn [+o openvpn2009] by ChanServ
11:02 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Read error: No route to host]
11:02 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
11:17 -!- macsppadic_ [~sonupunno@82.109.74.162] has joined ##openvpn
11:18 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Read error: Connection reset by peer]
11:18 -!- macsppadic_ is now known as macsppadic
11:23 -!- polaru [~polaru@93.113.192.70] has quit [Read error: Connection reset by peer]
11:24 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Ping timeout: 265 seconds]
11:31 < ecrist> !tcp
11:31 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
11:42 -!- ecrist changed the topic of ##openvpn to: OpenVPN 2.1.1 Most Current || Your problem is your firewall, really. || Type  !welcome  before asking your questions. || Web Forum: http://ovpnforum.com
11:46 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
11:48 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has quit [Ping timeout: 245 seconds]
11:54 -!- MadTBone__ [~MadTBone@160.39.238.196] has quit [Remote host closed the connection]
12:09 -!- dazo_ is now known as dazo
12:13 -!- teddymills [~teddy@208.92.235.227] has quit [Ping timeout: 256 seconds]
12:14 < rob0> Tea seepy. Teecy pea.
12:15 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Remote host closed the connection]
12:15 < Bushmills> i see.  am pee
12:35 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Read error: Connection reset by peer]
12:56 < ecrist> you deep E
12:58 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
13:15 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
13:32 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:33 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
13:39 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
13:40 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
13:47 -!- dazo is now known as dazo_afk
13:52 -!- reiffert [~thomas@mail.webersheim.de] has joined ##openvpn
13:52 < reiffert> foo
13:53 < ecrist> sup, reif?
13:53 < reiffert> to be honest, I have no idea what "sup" means.
13:53 -!- error404notfound [~Eror404No@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
13:53 < ecrist> it's slang for "What's up"
13:54 < reiffert> do you pronounce the 'u' like in 'but'?
13:54 < ecrist> yes
13:54 < reiffert> ah, so s from "what's" and up.. yeah, waiting for the train to get to the party
13:55 < reiffert> n u?
13:55 < ecrist> nm, playing with my new DB server.
13:55 < ecrist> it's *fast*
13:56 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
13:56 < ecrist> pgbench select-only at 37K transactions per second
13:56 < reiffert> How to compare DB speed in matters of fast and faster?
13:56 < ecrist> our old box gets about 10K tps
13:56 < reiffert> tps, thats block operations per second on the harddrive, aint it?
13:56 < ecrist> read/write to platter gets about 2000tps
13:57 < reiffert> oh no, transfers per second.
13:57 < ecrist> tps = queries
13:57 < reiffert> ah, I was referring tps to iostat manpage.
13:57 < reiffert> Well, queries are not comparable to queries, bit ones, subselects, unions, matter of columns, indeces..
13:57 < reiffert> s,bit,big,
13:58 < reiffert> allright, so 2Ktps is requirement and old box is about 10Ktps, what about the new one?
13:59 < ecrist> in terms of iostat, I'm getting 3200tps
14:00 < ecrist> new one does 37K
14:00 < reiffert> ah, sounds like fun. i7 Xeon, SAS Raid?
14:01 < ecrist> Nalehem quad-core x 2, 32GB RAM, 6x 15k SAS RAID10
14:01 < reiffert> Now that sounds like fun.
14:01 < reiffert> Just hand me the root account, I'll manage that box for ya ;)
14:01 -!- Morgan_Phoenix [~macbabe@CPE-24-166-141-95.new.res.rr.com] has joined ##openvpn
14:02 < Morgan_Phoenix> !welcom
14:02 < vpnHelper> Morgan_Phoenix: Error: "welcom" is not a valid command.
14:02 < Morgan_Phoenix> !welcome
14:02 < vpnHelper> Morgan_Phoenix: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:05 < Morgan_Phoenix> !configs
14:05 < vpnHelper> Morgan_Phoenix: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:05 < Morgan_Phoenix> !route
14:05 < vpnHelper> Morgan_Phoenix: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:07 < Morgan_Phoenix> hrm
14:08 < Morgan_Phoenix> !redirect
14:08 < vpnHelper> Morgan_Phoenix: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:08 < Morgan_Phoenix> wow
14:09  * reiffert likes people who know how to selfhelp, first off they are able to read ;)
14:09 < Morgan_Phoenix> lol
14:10 < Morgan_Phoenix> I've been trying to overcome the same problem for 2 days
14:10 < Morgan_Phoenix> >.<
14:10 < ecrist> it's a good start reading /topic
14:10 < Morgan_Phoenix> I did everything right, or so I thought
14:10 < Morgan_Phoenix> and I still get a TLS error
14:11 < Morgan_Phoenix> timeout handshake fail, etc.
14:11 < reiffert> did you recognize the example configs at the very end of the !howto?
14:11 < Morgan_Phoenix> I have my router forwarding port 1194 to the system on which I'm running OpenVPN
14:12 < ecrist> * for Morgan_Phoenix 
14:12 < Morgan_Phoenix> yeah, all I did was edit the samples a bit
14:12 < Morgan_Phoenix> changed the IP
14:12 < Morgan_Phoenix> listed full path of keys
14:12 < reiffert> well try with !configs then
14:12 < Morgan_Phoenix> !configs
14:12 < vpnHelper> Morgan_Phoenix: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:12 < Morgan_Phoenix> hrm
14:13 < reiffert> ecrist: !learn configs as use http://pastebin.com or http://pastebin.ca
14:13 < reiffert> or similar.
14:13 < ecrist> you have bot access, reiffert
14:14 < Morgan_Phoenix> yeah
14:14 < reiffert> ecrist: uh.
14:14 < reiffert> !learn configs as Please use http://pastebin.com or http://pastebin.ca
14:14 < vpnHelper> reiffert: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
14:14 < reiffert> !whoami
14:14 < vpnHelper> reiffert: I don't recognize you.
14:14 < reiffert> !identify KHJnjhg*h983d
14:14 < vpnHelper> reiffert: Error: That operation cannot be done in a channel.
14:15 < reiffert> ecrist: I dont have a password. How do I get one?
14:15 < ecrist> it looks like you have one, let me find out
14:15 < Morgan_Phoenix> http://pastebin.ca/1787370
14:15 < reiffert> ecrist: ow, not that I know about ... :)
14:16 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
14:18 < Morgan_Phoenix> just updated it with the openvpn.log
14:19 < reiffert> please add client.conf
14:19 < Morgan_Phoenix> k
14:19 < reiffert> the tls-auth stuff looks bad to me
14:20 < reiffert> thats mine: http://pastebin.ca/1787374
14:21 < reiffert> anyway, gotta run, reiffert->train(party)
14:22 < Morgan_Phoenix> updated
14:23 < ecrist> !learn configs as use http://pastebin.com or http://pastebin.ca
14:23 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
14:23 < ecrist> !learn configs as use http://pastebin.com or http://pastebin.ca
14:23 < vpnHelper> ecrist: Joo got it.
14:23 < Morgan_Phoenix> I've also been kind of curious about ethernet bridging
14:24 < Morgan_Phoenix> I'd like to, ultimately, make my laptop look like it's on the LAN.
14:24 < Morgan_Phoenix> and act like it's on my LAN
14:25 < Morgan_Phoenix> cuz I've found the BS with a lot of public WiFi and the network filtration/limitation on the network at my school to be rather lame.
14:26 < Morgan_Phoenix> plus, I'd rather keep it so none of the above can monitor what I'm doing on the internets with my laptop... only that I have this big encrypted stream going to some IP.
14:35 < Morgan_Phoenix> do I need to create a device before calling it in the config?
14:35 < Morgan_Phoenix> or does the config create the device?
14:35 < Morgan_Phoenix> err
14:35 < Morgan_Phoenix> interface
14:36 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
14:41 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
14:43 < Morgan_Phoenix> wait
14:43 < Morgan_Phoenix> I just got it
14:43 < Morgan_Phoenix> holy crap
14:43 < Morgan_Phoenix> I just didn't tell it to push the ip's
14:43 < Morgan_Phoenix> Tunnelblick is connected, and I can ping the VPN gateway IP
14:44 < Morgan_Phoenix> now I want to test this at a remote location
14:44 < Morgan_Phoenix> ^_^
14:45 < Morgan_Phoenix> now what I'm wondering is if this will get it to tunnel all traffic through it, or if there's more I have to do to do that.
14:46 -!- dollabill [~mike@97.66.26.10] has quit []
14:50 < Morgan_Phoenix> cuz I'm now unsure as to where the networking system sends its traffic.
14:53 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
14:56 < Morgan_Phoenix> I *think* it sends through tunnelblick, but that may just be DNS inquiries.
15:13 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
15:18 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
15:24 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
15:39 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
15:40 -!- makomi [~makomi@91-67-198-38-dynip.superkabel.de] has joined ##openvpn
15:46 -!- sparch [~daniel@pdpc/supporter/active/sparch] has quit [Quit: [hienoa] - your ass is glowing!]
15:52 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
16:01 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
16:12 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 246 seconds]
16:17 < Bushmills> Morgan_Phoenix:     printing out  routing table will tell.  
16:23 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has joined ##openvpn
16:23 -!- cybersyx [~CyberSyx_@151.95.175.27] has joined ##openvpn
16:23 < cybersyx> hi all
16:23 < cybersyx> !welcome
16:23 < vpnHelper> cybersyx: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:24 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined ##openvpn
16:24 < cybersyx> !routew
16:24 < vpnHelper> cybersyx: Error: "routew" is not a valid command.
16:24 < cybersyx> !route
16:24 < vpnHelper> cybersyx: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:24 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
16:26 < zoredache> is it legal to specify multiple --up scripts?
16:28 -!- cybersyx [~CyberSyx_@151.95.175.27] has quit [Ping timeout: 265 seconds]
16:32 -!- cybersyx [~CyberSyx_@host145-83-static.34-79-b.business.telecomitalia.it] has joined ##openvpn
16:43 < cybersyx> hi, i've a big problem with openvpn, the server is on windows pc,ip pool 10.1.0.0, now the client on linux (ip tun0 10.1.0.6) have a phisical eth0 interface (192.168.1.50) but from windows server i can't ping any host with subnet 192.168.1.0, on the server confing i've add route 192.168.1.0 255.255.255.0, any idea ? Thanks
16:52 -!- makomi [~makomi@91-67-198-38-dynip.superkabel.de] has quit [Remote host closed the connection]
17:00 -!- cybersyx [~CyberSyx_@host145-83-static.34-79-b.business.telecomitalia.it] has quit [Ping timeout: 256 seconds]
17:00 < Bushmills> cybersyx: ip_forward on linux client enabled?
17:02 -!- cybersyx [~CyberSyx_@151.95.174.179] has joined ##openvpn
17:02 < cybersyx> no idea ?
17:13 < Bushmills> then i presume that not
17:14 < Bushmills> du breadboardest doch ab und zu, gell?
17:17 < Bushmills> sry wrng channel
17:17 < |Mike|> gans geil ? lol
17:20 < cybersyx> ?
17:27 -!- cybersyx is now known as CyberSyx^
17:29 < Bushmills> gans = goose
17:30 < |Mike|> ganz = whole
17:30  * Bushmills wonders what |Mike| needs a goose for
17:30 < |Mike|> ganz geil is german
17:30 < Bushmills> gans geil is too. it means  "goose horny"
17:31 < Bushmills> :D
17:31 < |Mike|> translated on a hard way lol ya.
17:32 < Bushmills> http://www.megagadgets.nl/images/sheep.jpg  if the goose won't do ...
17:46 -!- CyberOuT^ [~CyberSyx_@151.95.174.179] has joined ##openvpn
17:46 -!- CyberOuT^ [~CyberSyx_@151.95.174.179] has quit [Client Quit]
17:49 -!- CyberSyx^ [~CyberSyx_@151.95.174.179] has quit [Ping timeout: 264 seconds]
18:28 -!- votetrev [~votetrev@li99-86.members.linode.com] has joined ##openvpn
18:28 < votetrev> anyone around who could help me with an issue?
18:29 < votetrev> i setup openvpn on my centos server....i can connect fine using viscosity on my macosx computer....everything routes through the server and works correctly....im now trying to get things working on my android phone.  I can get connected just fine, but i cant actually access any websites or anything when i try to access them.
18:37 -!- PeterFA_ [~Peter@2002:62cb:84d1:1234:21a:73ff:fe3b:d510] has quit [Ping timeout: 248 seconds]
18:44 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has quit [Ping timeout: 252 seconds]
18:57 -!- teddymills [~teddy@208.92.235.227] has joined ##openvpn
19:00 < Bushmills> can you ping server from the phone?
19:22 < votetrev> ill try
19:23 < votetrev> the servers internal ip?
19:24 < votetrev> i do get a reply when i ping the servers internal ip
19:26 < votetrev> actualy if i ping google.com it works to.....and if it traceroute google it follows the same route as if i do it from my laptop connected through vpn
19:30 < Bushmills> can your phone resolve host names other than google?
19:30 < votetrev> trying
19:31 < votetrev> yep
19:31 < votetrev> just tried yahoo and its working
19:31 < reiffert> howdy sup Bushmills 
19:31 < reiffert> ?
19:31 < Bushmills> you might also want to try to ping an external address. like  213.144.9.98
19:31 < votetrev> l
19:31 < Bushmills> moiners reiffert
19:31  * reiffert trys pinging external addresses.
19:31 < votetrev> yep i get that also
19:31 < votetrev> or i mean that works also
19:32 < reiffert> 64 bytes from 213.144.9.98: icmp_seq=0 ttl=54 time=30.149 ms
19:32 < Bushmills> so, what does *not* work, then?
19:32 < Bushmills> reiffert: back early
19:32 < Bushmills> run out of beer?
19:32 < votetrev> well maybe its a browser issue....i didnt try pinging anything frmot he terminal
19:32 < votetrev> but the browser doesnt work
19:32 < reiffert> Bushmills: does pinging mean we are loosing that last outpost Zaphod was selling to us?
19:32 < votetrev> it jsut sits at a white screen
19:32 < votetrev> i tried with pptp prviously to openvpn and it does the same thing
19:33 < votetrev> the browser eventually reports that it cant find the site
19:33 < reiffert> Bushmills: oh beer, I still got plenty of them, almost two IIRC..
19:33 < Bushmills> votetrev: if everything else works, just no web pages, it most likely is a browser issue. 
19:33 < Bushmills> disable proxy, for example
19:33 < votetrev> ok....dang...thats what i was hoping it wasnt :P
19:34 < reiffert> Bushmills: haha, you didnt read the sixt of three journey Arthur is telling, right?
19:34 < votetrev> bushmills thanks for the help
19:35 < Bushmills> right. didn't spend enough time in the bathroom
19:39 < Bushmills> reiffert: check these out http://cgi.ebay.de/10pcs-8x8-Dot-Matrix-3mm-dia-Bicolor-LED-Display_W0QQitemZ230432540100QQcmdZViewItemQQptZLH_DefaultDomain_0
19:39 < vpnHelper> Title: 10pcs 8x8 Dot-Matrix 3mm dia. Bicolor LED Display bei eBay.de: Electronic Components (endet 06.02.10 05:49:15 MEZ) (at cgi.ebay.de)
20:17 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Remote host closed the connection]
20:18 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has joined ##openvpn
20:20 < reiffert> Bushmills: you really miss how Arthur is experniencing bathrooms..
20:24 < Bushmills> hm. there's a problem with enough lights to put all my 18650s in - no more spare 18650 anymore ...
20:27 < Bushmills> need to get some more :(
20:27 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has quit [Ping timeout: 252 seconds]
21:05 -!- votetrev [~votetrev@li99-86.members.linode.com] has left ##openvpn []
21:06 -!- Dougy [~me@69.10.59.230] has joined ##openvpn
21:47 -!- Han [~han@unaffiliated/han] has joined ##openvpn
21:48 < Han> How do I set up the openvpn tunnel to route all traffic through the tunnel?
21:49 < Bushmills> !redirect
21:49 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
21:50 < Han>  hmmm
21:52 -!- k-train [~hyerk@75-174-33-21.bois.qwest.net] has joined ##openvpn
21:52 < k-train> Welcome all!
21:54 < k-train> Bummer... you don't support Access Server... i guess i'm out of luck.. LoL
21:55 < Dougy> hehe
21:58 < k-train> I realize you guys don't support Access server, but could i ask you a network question, not a configuration question?  I'm seeing something fun.
22:01 -!- k-train [~hyerk@75-174-33-21.bois.qwest.net] has quit [Quit: Leaving]
22:08 < rob0> Maybe it's just me, but I think you generally have to ASK a question if you hope to have it answered.
22:08 -!- PiousMinion [~clay@175-216.126-70.tampabay.res.rr.com] has joined ##openvpn
22:08 < zoredache> rob0: I don't think many people get irc protocol
22:09 < zoredache> everyone always seems to think you have to ask permission to ask
22:10 < PiousMinion> I've had openvpn running on my debian system for a while now and all of the sudden now it it sending the wrong default gateway to clients.  Ideas?
22:16 < Bushmills> "it" sends? as in "it replies to requests"? that must be your dhcpd configuration. maybe you updated, and overwrote your config the the package maintainer config.
22:18 < PiousMinion> I don't remember ever messing with a dhcp server.  hmm
22:19 < Bushmills> there is not much more which can send gateways to clients
22:19 < Bushmills> wrong ones
22:20 < PiousMinion> push "redirect-gateway def1"
22:20 < PiousMinion> I don't have a dhcpd installed, let along running.
22:21 -!- Han [~han@unaffiliated/han] has quit [Read error: Connection reset by peer]
22:21 < Bushmills> redirect can send *the* gateway (vpn server) but not others (wrong gateways)
22:22 < PiousMinion> Well, evidently it is. lol
22:22 < PiousMinion> There is only one dhcp server on the network and it knows nothing about 10.8.0.0 IPs.
22:23 < PiousMinion> clients either recieve no gateway, or a gateway of 10.8.0.x
22:23 < Bushmills> it still can provide the with information about the wrong gateway
22:23 < PiousMinion> Come again?
22:24 < Bushmills> even if dhcp server knows nothing of vpn, it has the capability to give them a wrong gateway
22:24 -!- Han [~han@unaffiliated/han] has joined ##openvpn
22:24 < PiousMinion> Yeas, but it would give a 192... gateway, not a 10.8.. gateway.
22:24 < Han> redirect-gateway doesn't work. I get the routes but packages still won't go anywhere after the tunnel.
22:25 < Bushmills> Han: then it works
22:25 < Han> note: all firewalls were disabled
22:25 < Bushmills> otherwise packages wouldn't go through the tunnel
22:26 < Bushmills> PiousMinion: i don't know what wrong gateway is resp. right gateway
22:26 < Han> Bushmills, I'm not happy though
22:26 < Bushmills> but openvpn server can push itself as gateway, or it doesn't
22:27 < PiousMinion> Bushmills: e.g.  right(what I want) = 10.8.0.1, wrong(what I'm getting) = 10.8.0.6
22:27 < Bushmills> setting other gateways as default needs some explicit fiddling in the config
22:28 < Bushmills> .6 is probably .5's p-t-p address
22:28 < PiousMinion> Bushmills: Well, if that's true and the dhcpd on the lan simply cannot give out a 10.8.0.0 address, then would you reccomend I file a bug report? 
22:28 < PiousMinion> yeah, I know .5 is p-t-p. :P
22:28 < Bushmills> read in man page about --topology
22:29 < Bushmills> han, achieving happyness lies in your own hands
22:30 < Bushmills> figuratively spoken
22:31 < PiousMinion> Bushmills: Read it. Using subnet and clients are windows based.
22:31 < PiousMinion> doesn't seem to be related to problem
22:34 < PiousMinion> hm, now getting .5 for gateway
22:35 < Bushmills> having windows clients moved the problem outside of the domain of my expertise
22:35  * Bushmills googles "what is windows?"
22:35 < PiousMinion> :P
22:36 < PiousMinion> what would make it push the p-t-p address instead of the other?
22:37 < PiousMinion> nvm, now p-t-p is .2.  I think my head hurts too much to mess with this any further tonight.
22:37 < PiousMinion> thanks for the help
22:55 -!- Han [~han@unaffiliated/han] has quit [Read error: Connection reset by peer]
22:55 -!- Han [~han@unaffiliated/han] has joined ##openvpn
23:09 < PiousMinion> Through some apparent crazy routing snafu, I now have access to all the cable modems in my neihborhood. lol
23:09 < Dougy> lol
23:19 < PiousMinion> well shit, "I'm" not running any other dhcp servers, but there seems to be a shit ton of them on the 10.8.0. range on my cable modem providers nework.  Maybe that's why I'm not getting the correct gateway.
23:30 -!- Han [~han@unaffiliated/han] has left ##openvpn []
23:32 < Dougy> http://eventful.com/newark/events/brick-city-boxing-series-tomasz-adamek-vs-jason-/E0-001-026923384-8
23:32 < vpnHelper> Title: Brick City Boxing Series: Tomasz Adamek vs. Jason Estrada in Newark at Prudential Center | Tickets & Event Info EventfulBrick City Boxing Series: Tomasz Adamek vs. Jason Estrada in New York City at Prudential Center - Eventful (at eventful.com)
23:32 < Dougy> krzie
23:32 < Dougy> there ?
23:40 -!- Dougy [~me@69.10.59.230] has quit []
--- Day changed Sat Feb 06 2010
00:05 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
00:39 -!- PeterFA [~Peter@2002:62cb:84d1:1234:21a:73ff:fe3b:d510] has joined ##openvpn
00:39 -!- PeterFA [~Peter@2002:62cb:84d1:1234:21a:73ff:fe3b:d510] has quit [Changing host]
00:39 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
01:07 -!- error404notfound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
01:22 -!- correcaminos_ [~laguilar@201.201.46.106] has joined ##openvpn
01:45 -!- correcaminos_ [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
02:11 -!- makomi [~makomi@91-67-198-38-dynip.superkabel.de] has joined ##openvpn
02:37 -!- sleeping`dragon [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
02:37 -!- error404notfound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 240 seconds]
03:00 -!- teddymills [~teddy@208.92.235.227] has quit [Read error: Connection reset by peer]
03:01 -!- teddymills [~teddy@208.92.235.227] has joined ##openvpn
03:07 -!- master_of_master [~master_of@p57B550C8.dip.t-dialin.net] has quit [Ping timeout: 256 seconds]
03:09 -!- master_of_master [~master_of@p57B57978.dip.t-dialin.net] has joined ##openvpn
03:15 < sleeping`dragon> i can't ping openvpn clients from server, get http://pastebin.com/m78c43aeb and strange thing is that icmp count is 1, doesn't increment
03:22 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
03:28 < sleeping`dragon> anyone?
03:29 -!- Zeeek [~Zeeek@pdpc/supporter/active/zeeek] has joined ##openvpn
03:29 < cron2> check routing table on the server, check "tcpdump -n -i tun0" on the server (to verify that packets are sent from the server kernel to the OpenVPN process)
03:29 < cron2> might be firewalling on the server as well
03:31 < Zeeek> The recorded version of yesterday's chat with Markus Feilner, author of "Beginning OpenVPN 2.0.9" is posted now : http://www.vuc.me/2010/book-beginning-openvpn-2-0-9 | you might enjoy listening to it if you weren't able to join us live
03:31 < vpnHelper> Title: Beginning OpenVPN 2.0.9 « VoIP Users Conference (at www.vuc.me)
03:32 < sleeping`dragon> cron2, damn right, a misspelling in fw config. damn... thanks a lot :)
03:34 < cron2> sleeping`dragon: *grin* - glad to hear that it was so simple :_)
03:34 < sleeping`dragon> :)
03:34 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
03:51 -!- makomi [~makomi@91-67-198-38-dynip.superkabel.de] has quit [Remote host closed the connection]
04:19 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has joined ##openvpn
04:33 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 264 seconds]
04:40 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
04:51 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
04:54 -!- Zeeek [~Zeeek@pdpc/supporter/active/zeeek] has quit [Quit: Time for Food and WIne]
04:54 -!- makomi_ [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
04:56 -!- makomi__ [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
04:56 -!- makomi_ [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Read error: Connection reset by peer]
04:56 -!- makomi__ is now known as makomi_
04:56 -!- makomi [~makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Ping timeout: 240 seconds]
04:56 -!- makomi_ is now known as makomi
04:57 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:00 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Read error: Connection reset by peer]
05:04 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
05:11 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Operation timed out]
05:17 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
05:18 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has quit [Ping timeout: 252 seconds]
05:21 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has joined ##openvpn
05:40 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
05:40 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
05:40 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
05:46 -!- will-s [~william@91.84.250.229] has joined ##openvpn
06:13 -!- will-s [~william@91.84.250.229] has quit [Ping timeout: 240 seconds]
06:14 -!- will-s [~william@91.84.250.229] has joined ##openvpn
06:30 < fluxdude> I've got a situation where my openvpn server is receiving the udp packets but it's not sending back and responses, tcpdump on the openvpn server shows udp packets being received but the server isn't even trying to send anything back
06:30 < fluxdude> it sometimes authentications, and then hangs on the push request stage
06:30 < fluxdude> sometimes it takes ages to authenticate
06:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:06 -!- will-s [~william@91.84.250.229] has quit [Ping timeout: 265 seconds]
07:07 -!- rajin [~a@port-91160.pppoe.wtnet.de] has joined ##openvpn
07:09 -!- will-s [~william@91.84.250.229] has joined ##openvpn
07:14 -!- will-s [~william@91.84.250.229] has quit [Read error: Operation timed out]
07:17 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 248 seconds]
07:18 -!- will-s [~william@91.84.250.229] has joined ##openvpn
07:19 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
07:19 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
07:19 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
07:21 < vpnHelper> New forum entry openvpnforum: Installation Help :: Re: TAP-win32 driver install problems on Vista x64 :: Reply by mcatchan <http://www.ovpnforum.com/viewtopic.php?f=5&t=494&p=3181#p3181>
07:23 -!- will-s [~william@91.84.250.229] has quit [Ping timeout: 264 seconds]
07:34 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
07:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
07:43 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
08:00 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:12 -!- rob0 [~rob0@tuxaloosa.org] has quit [Ping timeout: 260 seconds]
08:18 -!- rob0 [~rob0@tuxaloosa.org] has joined ##openvpn
08:52 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has quit [Ping timeout: 252 seconds]
09:06 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has joined ##openvpn
09:16 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has quit [Ping timeout: 252 seconds]
09:46 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
09:55 -!- |404NotFound| [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
09:56 -!- sleeping`dragon [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 264 seconds]
10:10 -!- Neit [~a@port-8702.pppoe.wtnet.de] has joined ##openvpn
10:12 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
10:13 -!- rajin [~a@port-91160.pppoe.wtnet.de] has quit [Ping timeout: 256 seconds]
10:21 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:23 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
10:26 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
10:30 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
10:37 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
10:42 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
10:46 -!- |404NotFound| is now known as err404notfound
10:48 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
10:50 -!- Neit [~a@port-8702.pppoe.wtnet.de] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Nine out of ten l33t h4x0rz prefer it]
10:52 -!- err404notfound is now known as err404
10:53 -!- err404 is now known as error404notfound
11:58 -!- julius [~julius@217.20.127.15] has quit [Remote host closed the connection]
12:00 -!- bandini [~bandini@host225-107-dynamic.44-79-r.retail.telecomitalia.it] has quit [Ping timeout: 260 seconds]
12:07 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:07 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
12:13 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
12:24 -!- flaco [~flaco@pc-166-153-83-200.cm.vtr.net] has joined ##openvpn
12:26 -!- bandini [~bandini@host208-22-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
12:40 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has joined ##openvpn
12:54 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
13:01 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
13:04 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
13:07 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
13:09 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
13:12 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
13:17 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 264 seconds]
13:26 -!- julius [~julius@217.20.127.15] has joined ##openvpn
13:28 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
13:29 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
13:31 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
13:34 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 252 seconds]
13:37 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
13:46 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
13:47 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
13:51 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
13:52 < vpnHelper> New forum entry openvpnforum: Installation Help :: Re: TAP-win32 driver install problems on Vista x64 :: Reply by neo314 <http://www.ovpnforum.com/viewtopic.php?f=5&t=494&p=3196#p3196>
13:52 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
13:54 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
13:56 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
13:57 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
14:01 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
14:05 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
14:14 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
14:17 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
14:38 -!- jamesd_laptop [~jamesd@adsl-68-254-161-68.dsl.milwwi.ameritech.net] has joined ##openvpn
14:42 -!- jamesd_ [~jamesd@adsl-68-254-161-68.dsl.milwwi.ameritech.net] has quit [Ping timeout: 265 seconds]
14:45 -!- jamesd_laptop [~jamesd@adsl-68-254-161-68.dsl.milwwi.ameritech.net] has quit [Ping timeout: 265 seconds]
15:02 -!- rajin [~a@port-8702.pppoe.wtnet.de] has joined ##openvpn
15:10 -!- oktay [~oktay@78.191.88.27] has joined ##openvpn
15:10 < oktay> hello. is there docs for automatically starting/stopping a CLIENT connection along with the network interfaces?
15:17 < Bushmills> !keys
15:18 < vpnHelper> Bushmills: "keys" is http://openvpn.net/howto#pki
15:18 < Bushmills> that's for promptless authentication
15:19 < oktay> i don't think i'm entering a password as is
15:19 < Bushmills>  /etc/init.d/openvpn start   and   stop    for scriptable (i.e. potentially automatic) starting and stopping 
15:19 < oktay> is that for the server or client?
15:19 < Bushmills> client or server makes no difference. same procedure. 
15:19 < oktay> ok. i will take a look. thanks.
15:19 < Bushmills> only the config determines what is server and what is client
15:29 -!- oktay [~oktay@78.191.88.27] has quit [Ping timeout: 240 seconds]
15:29 -!- oktay [~oktay@78.191.88.27] has joined ##openvpn
15:34 -!- oktay [~oktay@78.191.88.27] has quit [Ping timeout: 265 seconds]
15:36 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has quit [Ping timeout: 252 seconds]
15:43 -!- gionnico [~gionnico@unaffiliated/gionnico] has joined ##openvpn
15:43 < gionnico> hello
15:43 < gionnico> when I start openvpn client
15:43 < gionnico> network stops to work
15:43 < gionnico> and if i type route it hangs
15:44 < gionnico> openvpn client stop solves my problem
15:46 -!- gionnico [~gionnico@unaffiliated/gionnico] has quit [Client Quit]
15:47 -!- gionnico [~gionnico@unaffiliated/gionnico] has joined ##openvpn
15:47 < gionnico> so bad ...
16:04 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has joined ##openvpn
16:13 -!- rajin [~a@port-8702.pppoe.wtnet.de] has quit [Quit:  Want to be different? Try HydraIRC -> http://www.hydrairc.com <-]
16:40 -!- mtrg [~mtgr@unaffiliated/mtrg] has joined ##openvpn
16:48 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
16:49 -!- mtrg [~mtgr@unaffiliated/mtrg] has quit [Quit: leaving]
17:08 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 248 seconds]
17:08 -!- tompaw [~tompaw@slave20.tesserakt.eu] has quit [Ping timeout: 248 seconds]
17:08 < Bushmills> try route -n
17:08 -!- hyper_ch [~hyper_ch@91.121.147.34] has joined ##openvpn
17:09 -!- tompaw [~tompaw@slave20.tesserakt.eu] has joined ##openvpn
17:10 < Bushmills> then try to ping, with openvpn client running, an ip address. for example, ping 8.8.8.8
17:11 < Bushmills> if that works, set your  /etc/resolv.conf to a nameserver which resolves for you.  for example, 8.8.8.8
17:11 -!- stein0 [~stein@mail.vgnett.no] has quit [Ping timeout: 276 seconds]
17:11 -!- stein0 [~stein@mail.vgnett.no] has joined ##openvpn
17:12 < Bushmills> gionnico: ^^^^^
17:19 < gionnico> Bushmills: ok i'll try
17:20 < gionnico> Bushmills: ?
17:22 < gionnico> here's route -n log: http://pastebin.ca/1788500
17:22 < gionnico> but ping doesnt work
17:23 -!- oc80z [oc80z@blea.ch] has joined ##openvpn
17:24 < Bushmills> remove   redirect-gateway from client config,  or  push "redirect-gateway from server config, or setup server to function as gateway
17:24 < oc80z> http://wiki.openvz.org/VPN_via_the_TUN/TAP_device#Troubleshooting
17:24 < vpnHelper> Title: VPN via the TUN/TAP device - OpenVZ Wiki (at wiki.openvz.org)
17:24 < |Mike|> oc80z: lol
17:24 < oc80z> ..my hostnode is a RHE machine, and the vps being gentoo
17:25 < oc80z> "Note that the above steps do not solve the problem if a gentoo VE sits on a Centos HN; it's still an unsolved mystery. "
17:25 < oc80z> :(
17:27 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
17:27 < oc80z> solution: cliff, jump.
17:27 < gionnico> Bushmills: oh wow thank you
17:28 < gionnico> so redirect-gateway is if I want ALL client traffic pass ONLY through the tunnel
17:28 < Bushmills> !redirect
17:28 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:28 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 248 seconds]
17:28 < gionnico> if i don't redirect, openvpn server become JUST ANOTHER route
17:28 < Bushmills> you had the first part, but not the second and third part
17:28 < gionnico> ONLY for private net
17:29 < Bushmills> redirect merely adds a host route to vpn server, and replaces default route
17:29 < gionnico> !ipforward
17:29 < vpnHelper> gionnico: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
17:29 < gionnico> !linipforward
17:29 < vpnHelper> gionnico: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
17:29 < gionnico> !linnat
17:29 < vpnHelper> gionnico: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
17:29 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
17:29 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
17:29 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
17:30 < gionnico> Bushmills: what if i create masquerade
17:30 < gionnico> but not add redirect-gateway?
17:30 < gionnico> it will work, because the route is added
17:30 < gionnico> (though it's not default route..)
17:30 < gionnico> right?
17:31 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
17:31 < Bushmills> then your server will be able to masquerade, but it won't be used
17:31 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has quit [Ping timeout: 276 seconds]
17:31 < gionnico> hmm ok. I got it
17:40 -!- gionnico [~gionnico@unaffiliated/gionnico] has quit [Quit: Blue blue sky ...]
17:54 -!- theneb [~theneb@theneb.co.uk] has joined ##openvpn
17:54 < theneb> Hi all
17:54 < theneb> ]!welcome
17:54 < theneb> !welcome
17:54 < vpnHelper> theneb: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:55 < theneb> !route
17:55 < vpnHelper> theneb: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:57 < theneb> I'm wondering on performance of OpenVPN. I am running protected network internally, without VPN pings to the devices are sub 1ms. Through VPN the min ping time is 2ms, can this be improved upon or is this the best performance?
17:58 -!- k-train [~hyerk@75-174-33-21.bois.qwest.net] has joined ##openvpn
18:00 < Bushmills> if your server is slow and network fast, turn off compression
18:02 < theneb> Server is running using KVM (Virtual). I will try turning off LZO and see if it improves.
18:02 < theneb> The application requires quite a bit of speed, it is being used for CCTV network access. Video is freezing a lot compared to being on the network.
18:05 < oc80z> hmm
18:06 < oc80z> what are you using?
18:08 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
18:10 < oc80z> i have a 4x4 125fps here
18:14 < k-train> Hello everyone.
18:43 < oc80z> theneb
18:44 < oc80z> is the client station ota?
18:52 < Bushmills> you were looking at latency, not at speed
18:53 < Bushmills> with a frame per 30..40 ms, whether a frame arrives a ms earlier or later is hardly relevant 
18:54 -!- LobbyZ [~default@main.lobbyzffs.com] has quit [Read error: Connection reset by peer]
18:59 < oc80z> talking to me?
19:05 < theneb> oc80z: ota?
19:05 < theneb> Sorry, had msn minimised
19:05 < theneb> irc even
19:06 < theneb> Ah ota?
19:06 < theneb> Over the air?
19:06 < theneb> It's all ethernet, 100
19:10 -!- zheng [~zheng@114.92.136.45] has joined ##openvpn
19:44 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
19:59 -!- zheng [~zheng@114.92.136.45] has quit [Quit: Leaving]
20:11 -!- hyper_ch [~hyper_ch@91.121.147.34] has quit [Excess Flood]
20:11 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
20:22 -!- flaco [~flaco@pc-166-153-83-200.cm.vtr.net] has quit [Read error: Connection reset by peer]
20:22 -!- flaco [~flaco@pc-166-153-83-200.cm.vtr.net] has joined ##openvpn
20:35 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
20:40 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
20:58 -!- LobbyZ [znc@main.lobbyzffs.com] has joined ##openvpn
21:08 -!- ^scott^_ is now known as ^scott^
21:10 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
21:14 -!- le0 [~tehle0@unaffiliated/le0] has quit [Client Quit]
21:30 < Bushmills> oc80z: nope
21:59 -!- error404notfound is now known as Error404NotFound
22:17 -!- ^scott^ [~scott@stthom.org] has quit [Ping timeout: 256 seconds]
22:29 -!- PiousMinion [~clay@175-216.126-70.tampabay.res.rr.com] has quit [Ping timeout: 260 seconds]
22:29 -!- PiousMinion [~clay@175-216.126-70.tampabay.res.rr.com] has joined ##openvpn
22:40 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Ping timeout: 264 seconds]
22:58 -!- flaco [~flaco@pc-166-153-83-200.cm.vtr.net] has quit [Remote host closed the connection]
23:34 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Remote host closed the connection]
23:34 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
23:42 -!- mithridates [~chatzilla@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
23:42 < mithridates> hey guys
--- Day changed Sun Feb 07 2010
00:36 -!- mithridates [~chatzilla@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.5/20091102141836]]
01:46 -!- correcaminos [~laguilar@201.201.46.106] has joined ##openvpn
02:07 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
02:07 < fahadsadah> !welcome
02:07 < vpnHelper> fahadsadah: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:08 < fahadsadah> !/30
02:08 < vpnHelper> fahadsadah: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
02:31 -!- z3r0 [~z3r0@hongkong.perfect-privacy.com] has joined ##openvpn
02:32 < z3r0> Could anyone tell me if there is a way to setup my ethernet and wifi connection (both to the same network) to transfer over the connection if one is disconnected so that nothing streaming is interrupted and so I don't need to relogin to my VPN?
02:37 -!- z3r0 is now known as z3r0-0n3
03:00 -!- teddymills [~teddy@208.92.235.227] has quit [Read error: Connection reset by peer]
03:01 -!- teddymills [~teddy@208.92.235.227] has joined ##openvpn
03:04 -!- z3r0-0n3 [~z3r0@hongkong.perfect-privacy.com] has quit [Read error: No route to host]
03:05 -!- z3r0 [~z3r0@2607:f128:40:700:216:e6ff:fe60:4770] has joined ##openvpn
03:08 -!- master_of_master [~master_of@p57B57978.dip.t-dialin.net] has quit [Ping timeout: 256 seconds]
03:09 -!- z3r0 [~z3r0@2607:f128:40:700:216:e6ff:fe60:4770] has left ##openvpn []
03:09 -!- master_of_master [~master_of@p57B570FB.dip.t-dialin.net] has joined ##openvpn
03:32 -!- zheng [~zheng@114.92.136.45] has joined ##openvpn
04:04 -!- zheng [~zheng@114.92.136.45] has quit [Quit: Leaving]
04:05 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:39 -!- correcaminos [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
04:50 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 264 seconds]
05:15 -!- __trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
05:15 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
05:25 -!- __trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Operation timed out]
05:29 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
05:42 -!- tjz2 [~tjz@bb116-15-75-224.singnet.com.sg] has joined ##openvpn
05:45 -!- tjz [~tjz@unaffiliated/tjz] has quit [Ping timeout: 248 seconds]
05:48 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
06:04 -!- tjz [~tjz@bb116-15-75-224.singnet.com.sg] has joined ##openvpn
06:04 -!- tjz [~tjz@bb116-15-75-224.singnet.com.sg] has quit [Changing host]
06:04 -!- tjz [~tjz@unaffiliated/tjz] has joined ##openvpn
06:04 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:07 -!- tjz2 [~tjz@bb116-15-75-224.singnet.com.sg] has quit [Ping timeout: 264 seconds]
06:11 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Operation timed out]
06:12 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
06:15 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
06:17 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
06:17 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 240 seconds]
06:24 -!- nick [~nick@unaffiliated/nick] has joined ##openvpn
06:26 < nick> can i divide my clients in to to subnets in one openvpn server? for example if i want one of them have an IP in 10.8.0.0 and other one from 10.8.1.0? if so can i do that with ipp.txt? 
06:32 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:33 -!- derRichard [~derRichar@ununbium.nod.at] has joined ##openvpn
06:35 < hyper_ch> !cdd | nick
06:35 < vpnHelper> hyper_ch: Error: "cdd" is not a valid command.
06:35 < hyper_ch> !ccd | nick
06:35 < vpnHelper> hyper_ch: Error: "ccd" is not a valid command.
06:35 < hyper_ch> !ccd
06:35 < vpnHelper> hyper_ch: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
06:36 < derRichard> can somebody recommend a router device which is capable of openvpn?
06:36 < hyper_ch> derRichard: any that supports openwrt
06:36 < hyper_ch> I think
06:36 < hyper_ch> or setup a dedicated linux box with two network cards
06:36 < hyper_ch> and let it act as router
06:37 < derRichard> i don't want a hacky router with openwrt. i need a supported routing device
06:37 < hyper_ch> get a dedicated box
06:37 < hyper_ch> put two nics into it
06:37 < hyper_ch> setup a linux
06:38 < derRichard> no way
06:38 < hyper_ch> then you have a router with supporting openvpn :)
06:38 < derRichard> i need lots of these routers ;)
06:38 < hyper_ch> then get a lot of those boxes
06:38 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
06:39 < derRichard> again, no way. i would have to build and setup them for my own.
06:39 < derRichard> i want a complete solution
06:39 < hyper_ch> get a magic want and magically create complete solutions
06:39 < hyper_ch> or hire harry potter to do so :)
06:39 < derRichard> ...
06:41 < derRichard> hyper_ch: something like this one: http://www.insys-tec.de/fileadmin/insys/redaktion/Datenblaetter/Hutschiene_de/DBd_INSYS_MoRoSLAN.pdf
06:41 < derRichard> oh sorry. it's german
06:54 < PiousMinion> set one up, then close hard drives.  no need to set each one up.
06:56 < derRichard> then after 2 years the harddisk dies and i have a lot of fun ;)
06:57 < PiousMinion> ok, ssd.  should have same lifespan as the flash chip on any other router.
06:58 < derRichard> but i want a out-of-the-box soltion. (of course i could hack my own linux-box, but it is a lot more work)
06:58 < Bushmills> derRichard: what number of eth interfaces do you need?
06:59 < derRichard> only one
07:00 < derRichard> i need simple brach office boxes with openvpn support
07:00 < Bushmills> check out whether something like the sheevaplug would do
07:00 < Bushmills> http://www.globalscaletechnologies.com/p-22-sheevaplug-dev-kit-us.aspx
07:00 < vpnHelper> Title: SheevaPlug Dev Kit (at www.globalscaletechnologies.com)
07:01 < derRichard> Bushmills: thanks a lot.
07:01 < Bushmills> "Basic examples of such services include web, email, and virtual private network servers hosted in homes and small offices."
07:04 < derRichard> sounds good :)
07:05 < Bushmills> "We have plugs for U.S., U.K., and European wall sockets"
07:06 < Bushmills> i'm interested in such a device myself. though i liked it better had it powerline network support
07:17 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
07:25 < vpnHelper> New forum entry openvpnforum: Server Administration :: OpenVPN Issues :: Author Uiop <http://www.ovpnforum.com/viewtopic.php?f=4&t=2748&p=3204#p3204> || Installation Help :: Can't access Admin Panel :: Author tgo1117 <http://www.ovpnforum.com/viewtopic.php?f=5&t=2747&p=3203#p3203> || Installation Help :: Re: TAP-win32 driver install problems on Vista x64 :: Reply by Cantello <http://www.ovpnforum.com/viewtopic.php?f=5&t=494&p=3210#p
07:39  * PiousMinion kind of thought a pc + a thumb drive was an "out of the box" solution... well, out of 2 boxes maybe, but that's more of a logistics matter. :P
07:52 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 265 seconds]
07:54 -!- Nrg_ [pk@reaktio.net] has joined ##openvpn
07:54 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
08:40 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 256 seconds]
08:54 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
08:54 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
09:16 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
09:29 -!- TurkeR [~turker@unaffiliated/turker] has joined ##openvpn
09:29 -!- TurkeR [~turker@unaffiliated/turker] has left ##openvpn ["Leaving"]
09:33 -!- loca|host [~tux@41.227.202.204] has joined ##openvpn
09:33 < loca|host> hello all
09:34 < loca|host> i have an openvpn server wich was working normally for one year till yesterday
09:34 < loca|host> on the client side, it says: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
09:35 < loca|host> TLS Error: TLS handshake failed
09:35 < rob0> One year sounds quite likely to be an expired cert and/or CA.
09:35 < loca|host> on the server, i can see an established connection between server and client, so there's nothing about a network connectivity problem
09:36 < loca|host> rob0, yes am thinking about it ... is there any tool to check the expiry date of each cert ?
09:37 < rob0> openssl(1) and appropriate applets
09:39 < loca|host> :( i dont get it
09:40 < loca|host> i'll try to build-key-pass for a new user using the existent server certs
09:40 < loca|host> if any of them is expired i think openvpn is smart enough to tell me :)
09:41 < rob0> yes, I would think it should be logged at a fairly low verbose setting.
09:42 < loca|host> Certificate is to be certified until Feb  5 15:41:46 2020 GMT (3650 days)
09:42 < loca|host> am signing it, and will try with this
09:45 < rob0> I think a decade is rather decadent, in that I wouldn't consider it trustworthy that long, but it will certainly give you ten years to not worry about certificate expiration.
09:47 < rob0> I'd have about 2 years of not worrying, two years of having forgotten and sudden pangs of worry & doubt, followed by six years of wondering if my cert was still secure.
09:47 < rob0> but that's me
09:48 < loca|host> i agree with that .. 10years is a wide interval ..
09:48 < loca|host> i think 1 year or 2 is enough, depending on how much users and security level
09:49 < loca|host> TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
09:49 < loca|host> same thing
10:04 < ecrist> we write our vpn certificates with 10 year
10:05 < ecrist> if you're really paranoid, encrypt your private key, set 30 day expiration, and require secondary authentication use OPIE
10:07 < rob0> actually I think I was decadent too :) -- but I'll switch them out in another year or 2.
10:08 < ecrist> my new vpn setup will depend on user/pass rather than ssl certificates, I think.
10:27 < cron2> our corporate VPN uses SSL certs (yearly renewal) plus one-time-pards (hardware token)
10:27 < cron2> and this is good :-) users are just too careless with their passwords, laptops get stolen, ...
10:28 < ecrist> our vpn isn't considered trusted, it's just 'more' trusted than the raw inet
10:29 < ecrist> authentication is still required for all systems, so you can't really do anything even if you're on the vpn
10:29 -!- Irssi: ##openvpn: Total of 81 nicks [1 ops, 0 halfops, 1 voices, 79 normal]
10:29 < cron2> in our case, no single machine except the two VPN gateways is reachable via SSH from the world - and from within the VPN, all are reachable (and thus open to SSH password scanning etc)
10:30 < cron2> and customer data can be queried on the intranet, and such stuff
10:30 < cron2> so we want a good, tight security there :-)
10:30 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
10:32 < ecrist> I have two systems reachable, the vpn server and our office firewall, without being on the vpn, everything else is closed off
10:37 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 252 seconds]
10:48 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
10:49 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 265 seconds]
11:06 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
11:15 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
11:29 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
11:35 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
11:35 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
11:44 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
11:46 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 252 seconds]
11:49 -!- krzee [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
11:51 -!- plundra [404@article.se] has quit [Ping timeout: 265 seconds]
11:55 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 265 seconds]
11:57 -!- plundra [404@article.se] has joined ##openvpn
12:07 -!- disco- [disco@andromeda.h4xed.com] has quit [Ping timeout: 256 seconds]
12:10 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
12:31 -!- disco- [~disco@andromeda.h4xed.com] has joined ##openvpn
12:33 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Quit: It´s time to say goodbye]
12:33 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
12:35 -!- sgrover [~quassel@96.53.1.14] has joined ##openvpn
12:35 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
12:36 < sgrover> !welcome
12:36 < vpnHelper> sgrover: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:36 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
12:37 < sgrover> !howto
12:37 < vpnHelper> sgrover: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:39 < sgrover> Looking for tips.  I'm trying to connecto to a VPN on startup (kubuntu 9.10 workstation).  I have my ovpn/conf file in /etc/openvpn.  My cert requires a password entry.  Doing "/etc/init.d/openvpn start myvpn" does work, but only after I enter the password.
12:39 < sgrover> Do I need a passwordless cert?  Or is there another alternative?
12:54 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
12:58  * ecrist gets snippy in an email.
12:59 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has left ##openvpn []
12:59 < ecrist> I really am not a fan of people who ask for help, and respond in a similar manner to my 8 year-old when I recommend *he* do something.
12:59  * rob0 checks the mailing list
13:02 < rob0> Nope, that did not sound snippy to me.
13:03 < ecrist> I don't know what his real problem is.  I don't see the issues he's claiming he has.
13:03 < ecrist> unless he's got up/down scripts and he's trying to do something extremely abnormal.
13:04 < ecrist> what puzzles me about the openvpn user base is that most people I encounter try to do some outlandish configs, when they aren't really needed.
13:05 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
13:05 < ecrist> I've got extremely simply overall configs, with a list of about 30 routes (breaking up a /25 since the vpn server ip is in the middle) and our vpn does everything we need.
13:05 < ecrist> also, why do people use macports when openvpn compiles without issue direct from source?
13:08 < ecrist> last, the article he refers to is dated from Oct 15, 2004.  There have been a few corrections and updates by apple since then (including a 'true' Unix certification)
13:08 < ecrist> but, whatever, I'm going back to my xbox. :)
13:11 -!- loca|host [~tux@41.227.202.204] has left ##openvpn ["./configure pasta; make pranzo; make install sex"]
13:15 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
13:32 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
13:32 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:37 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 248 seconds]
13:39 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 265 seconds]
13:58 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
13:58 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
13:58 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
14:07 -!- rajin [~a@port-11409.pppoe.wtnet.de] has joined ##openvpn
14:21 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
14:44 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
14:49 -!- nick [~nick@unaffiliated/nick] has left ##openvpn []
14:53 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
14:56 -!- rajin [~a@port-11409.pppoe.wtnet.de] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- The alternative IRC client]
15:18 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Connection reset by peer]
15:23 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:27 -!- sgrover [~quassel@96.53.1.14] has quit [Remote host closed the connection]
15:32 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
15:33 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
15:43 -!- LobbyZ [znc@main.lobbyzffs.com] has quit [Quit: Free FTW]
15:45 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
15:46 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
15:52 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
16:02 -!- LobbyZ [znc@main.lobbyzffs.com] has joined ##openvpn
17:01 -!- bandini [~bandini@host208-22-dynamic.20-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
17:21 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
17:39 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Quit: Quitte]
17:47 -!- buntfalke_ is now known as buntfalke
18:03 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
18:59 -!- theDoc [~hex@unaffiliated/thedoc] has joined ##openvpn
19:37 -!- ataki [~dren@cpe-72-224-179-87.maine.res.rr.com] has joined ##openvpn
19:38 < ataki> !configs
19:38 < vpnHelper> ataki: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
19:39 < ataki> !fbsd nat
19:39 < vpnHelper> ataki: Error: "fbsd" is not a valid command.
19:39 < ataki> !fbsdnat
19:39 < vpnHelper> ataki: "fbsdnat" is see http://cavanantha.wordpress.com/2007/09/16/nat-on-freebsd-using-pf/ for a basic howto for NAT on FreeBSD
19:53 -!- correcaminos [~laguilar@201.201.46.106] has joined ##openvpn
20:17 -!- correcaminos [~laguilar@201.201.46.106] has quit [Quit: Leaving]
20:19 -!- correcaminos [~laguilar@201.201.46.106] has joined ##openvpn
20:28 < ataki> !welcome
20:28 < vpnHelper> ataki: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:28 < ataki> !howto
20:28 < vpnHelper> ataki: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
20:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
20:37 -!- ataki [~dren@cpe-72-224-179-87.maine.res.rr.com] has quit [Ping timeout: 258 seconds]
20:41 -!- theDoc [~hex@unaffiliated/thedoc] has quit [Quit: Leaving]
21:14 -!- Rajko [Rajko@wan.rajkonet.info] has joined ##openvpn
21:15 < Rajko> hello, once upon a time, i stumbled on the internet, a page that explains the openvpn header sizes and different encryption/mac overheads
21:15 < Rajko> i cannot find it now, could someone help me out
21:16 < Rajko> had a table with all the relevant values in it
21:34 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
21:57 < Rajko> rarrr
22:07 -!- Rajko [Rajko@wan.rajkonet.info] has quit [Ping timeout: 240 seconds]
22:08 -!- Rajko [Rajko@cable-94-189-170-15.dynamic.sbb.rs] has joined ##openvpn
22:17 -!- Rajko [Rajko@cable-94-189-170-15.dynamic.sbb.rs] has quit [Ping timeout: 276 seconds]
22:17 -!- Rajko [Rajko@wan.rajkonet.info] has joined ##openvpn
22:29 < ecrist> Rajko: could probably look in src, or get a dump with tcpdump
22:29 < Rajko> cant see anything with tcpdump when its encrypted
22:34 -!- Rajko [Rajko@wan.rajkonet.info] has quit [Read error: Connection reset by peer]
22:34 -!- Rajko [bitrot@wan.rajkonet.info] has joined ##openvpn
22:36 -!- Rajko [bitrot@wan.rajkonet.info] has quit [Read error: Connection reset by peer]
22:36 -!- Rajko [Rajko@wan.rajkonet.info] has joined ##openvpn
22:37 -!- Rajko [Rajko@wan.rajkonet.info] has quit [Read error: Connection reset by peer]
22:38 -!- Rajko [bitrot@wan.rajkonet.info] has joined ##openvpn
22:39 -!- Rajko [bitrot@wan.rajkonet.info] has quit [Read error: Connection reset by peer]
22:40 -!- Rajko [~Rajko@wan.rajkonet.info] has joined ##openvpn
22:43 -!- Rajko [~Rajko@wan.rajkonet.info] has quit [Client Quit]
22:43 -!- Rajko [bitrot@wan.rajkonet.info] has joined ##openvpn
22:44 < rob0> You can see it all if you do the tcpdump on the correct interface, i.e., the tun interface.
22:58 -!- k-train [~hyerk@75-174-33-21.bois.qwest.net] has quit [Quit: Leaving]
23:00 -!- tjz2 [~tjz@bb116-15-75-224.singnet.com.sg] has joined ##openvpn
23:03 -!- tjz [~tjz@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
23:07 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
23:09 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 248 seconds]
23:18 -!- tjz2 is now known as tjz
23:18 -!- tjz [~tjz@bb116-15-75-224.singnet.com.sg] has quit [Changing host]
23:18 -!- tjz [~tjz@unaffiliated/tjz] has joined ##openvpn
23:24 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
23:28 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Remote host closed the connection]
23:29 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
23:41 -!- Rajko [bitrot@wan.rajkonet.info] has quit [Quit: Leaving]
23:41 -!- Rajko [Rajko@wan.rajkonet.info] has joined ##openvpn
23:53 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 248 seconds]
23:56 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
--- Day changed Mon Feb 08 2010
00:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
00:06 -!- biatche [~biatche@unaffiliated/biatche] has joined ##openvpn
00:07 < biatche> im not sure where I should ask this, but I hope it's fine here.. I have 3 choices for a vpn server -- ipsec, openvpn, pptp and i'm not sure which exactly to use, i meant to access a workgroup of about 30 computers.. primarily for file sharing, nothing much more
00:08 < biatche> can anybody point me in the right direction?
00:17 < rob0> Obviously people here are openvpn users.
00:17 < rob0> !pptp
00:18 < vpnHelper> rob0: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
00:18 < vpnHelper> rob0: read about why to not use pptp
00:18 < rob0> Objectively I would say that both openvpn and ipsec can be good choices. I like the modular approach that openvpn has.
00:19 < rob0> PPTP is not a good choice, never was.
00:21 < Rajko> pptp has a larger overhead than openvpn anyway
00:21 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 265 seconds]
00:33 < biatche> ok, so i guess ill use openvpn heh.
00:43 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
01:04 -!- theDoc [~hex@unaffiliated/thedoc] has joined ##openvpn
01:05 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 240 seconds]
01:16 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
01:46 < Rajko> ipsec operates in kernel mode so its faster tho
01:52 -!- biatche [~biatche@unaffiliated/biatche] has left ##openvpn []
01:52 -!- correcaminos [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
02:07 -!- polaru [~polaru@93.113.192.70] has joined ##openvpn
02:21 < jmm> hi.
02:32 < theDoc> hai2u2
02:44 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:45 -!- mode/##openvpn [+o mattock] by ChanServ
02:49 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 252 seconds]
02:51 -!- theDoc [~hex@unaffiliated/thedoc] has quit [Quit: Leaving]
02:51 -!- dazo_afk is now known as dazo
02:53 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
02:56 -!- theDoc [~hex@unaffiliated/thedoc] has joined ##openvpn
03:04 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
03:08 -!- master_of_master [~master_of@p57B570FB.dip.t-dialin.net] has quit [Ping timeout: 272 seconds]
03:09 -!- master_of_master [~master_of@p57B5799E.dip.t-dialin.net] has joined ##openvpn
03:12 -!- sylock [~sylock@91.176.175.12] has joined ##openvpn
03:13 < sylock> hello
03:15 < sylock> On linux (with network-manager), on Mac OS (with TunnelBlick), it is possible to store the password of the certificates in the system. So even if the certificate is protected by a password, we don't need to type it each time.
03:15 < sylock> is it possible to do the same with Windows GUI?
03:16 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
03:16 < krzee> thats 100% against the reason to have pw protected certs
03:16 < krzee> just dont pw protect your cert if you dont want it pw protected
03:16 < krzee> you can store the auth password, but cert pw, no
03:17 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 240 seconds]
03:18 < sylock> yeah, you're right. But I was thinking that this is not absolutely the same : when a certificate is not protected by a password, stole the files is sufficient to have access to the VPN (when sending it by mail for example).
03:19 < krzee> false
03:19 < krzee> only the key gets protected by PW, key never needs to be sent anywhere
03:19 < krzee> cert isnt enough to get in, key is needed
03:21 < sylock> mhm. actually, I create everything on the server : create the private key of the client and sign it
03:21 < reiffert> so you have to steal the whole laptop, allright then.
03:22 < sylock> and the send it to the person
03:22 < sylock> so every files needed to connect are in the mail I send
03:22 < sylock> is there a wiser way to manage it?
03:23 < reiffert> use secure copy (scp).
03:23 < krzee> if you're looking for a way to protect your key during transit, try generating the key on the machine it'll be used from
03:23 < krzee> then send CSR to CA machine
03:23 < krzee> then sign it, send back CRT
03:23 < krzee> or send it encrypted like reiffert said
03:24 < sylock> ok
03:26 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
03:28 -!- joobie [~joobz@CPE-124-179-211-169.lns1.lon.bigpond.net.au] has joined ##openvpn
03:28 < joobie> guys i have 2 NIC's.. is it possible to make openvpn use the src ip of one of the nics? can i specify it with the config on the client?
03:29 < krzee> src ip SHOULD be whatever ip is on the nic which it sends packets our of
03:29 < Bushmills> joobie: then you'd have two interfaces with the same ip address - how should that work?
03:29 < joobie> i have two WAN ips
03:29 < krzee> i say SHOULD cause ive seen exceptions but have no idea what caused it
03:29 < Bushmills> ah.  src ip.  i read it as assigning same ip as existing interface to tun
03:30 < Bushmills> moiners krzee
03:30 < joobie> i have two WAN ips
03:30 < krzee> moinmoin Bushmills 
03:30 < joobie> i want to send it out of NIC#2's src ip
03:30 < joobie> NIC#1 is the default so it keeps taking NIC#1's ip
03:30 < Bushmills> route the packets through nic#2
03:34 < joobie> i am
03:34 < joobie> but that's my problem
03:34 < joobie> because its original SRC is nic#1's
03:34 < joobie> i use iptables -t mangle OUTPUT to fwmark the packet, then i use ip rule / route to route the packet over nic#2
03:34 < joobie> but then if i setup a rule in -t filter OUTPUT to match NIC#1, the packet is hitting that rule
03:35 < joobie> if i tcpdump NIC#1 the packet doesnt appear
03:35 < krzee> you run ovpn on ip2?
03:35 < joobie> if i tcpdump NIC#2, the packets appear.. it's just that iptables on -t filter OUTPUT seems to register the packet under nic#1, which i want to avoid - hence forcing openvpn to use NIC#2's src via its config
03:35 < joobie> krzee, yaa
03:35 < Bushmills> grin, some of those chinese traders are a bit confused about western holidays ... I just received a "Merry Christmas" :D
03:36 < krzee> tell him happy chinese new year next dec 31st
03:36 < Bushmills> kung fat pak choi or something
03:37 -!- albondi [~albondee@99-144-131-76.lightspeed.miamfl.sbcglobal.net] has joined ##openvpn
03:37 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 252 seconds]
03:37 < krzee> kung ho fat choi    iirc
03:37 < Bushmills> scaring the nian away
03:39 < joobie> hmm
03:39 < joobie> so is there a way to force openVPN to use a particular src
03:39 < joobie> via its config
03:39 < krzee> neg
03:39 < krzee> its not openvpn
03:39 < krzee> its your machine
03:39 < krzee> openvpn just lets your machine handle all that
03:40 < joobie> decent applications will let you specify the src
03:40 < joobie> i shouldnt have to use iptables / routing to make it use a secondary NIC, because the application doesnt support it
03:40 < krzee> feel free to add whatever code you like
03:40 < Bushmills> actually, NAT does something related, mangling the source address.  
03:40 < joobie> i wont add code - but don't say bs like it's not openvpn it's my machine
03:41 < krzee> it ISNT openvpn
03:41 < Bushmills> might be a way to patch up outgoing packets using iptables
03:41 < joobie> Bushmills, no shit - that's what im doing
03:41 < joobie> krzee, that's funny - because sendmail lets me specify the src
03:41 < krzee> just cause you want openvpn to handle that instead of letting your machine do it, doesnt mean it does
03:41 < joobie> i mean not EVERY machine has one WAN interface
03:41 < krzee> i guess sendmail doesnt just let your machine handle it then now does it
03:41 < krzee> lol
03:42 < joobie> how is my machine meant to know that one specific application wants to originate from one of the secondary NICS if the application doesnt tell it to?
03:42 < krzee> routing table
03:42 < joobie> routing table alone cant do it
03:42 < joobie> fail
03:42 < krzee> well thats how its happening
03:42 < krzee> failure
03:42 < joobie> you need routing table and iptables
03:43 < joobie> no you fail - iptables has to mark the packet so routing can do something different with it
03:43 < joobie> all cos shitty openvpn cant specify its own originating src in its own code
03:43  * krzee feels a /kick fail coming up
03:43 < joobie> it just grabs the default
03:43 < joobie> dont kick the only source of intelligence
03:43 < joobie> you will go back to lame code where you presume the originating interface
03:43 < joobie> and never move beyond it
03:43 < joobie> i bring a becon  of light
03:43 -!- mode/##openvpn [+o krzee] by ChanServ
03:43  * theDoc facepalms.
03:43 -!- joobie was kicked from ##openvpn by krzee [fail]
03:44 <@krzee> heh
03:44 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
03:44 -!- mode/##openvpn [-o krzee] by krzee
03:44 -!- joobie [~joobz@CPE-124-179-211-169.lns1.lon.bigpond.net.au] has joined ##openvpn
03:44 < joobie> meh
03:45 < krzee> i knew i felt it coming
03:45 < Bushmills> there is a flair of dunning kruger hanging around
03:45 < krzee> anyways, there is no code presuming anything about how to send traffic, it lets your system figure that out based on routing table
03:45 < krzee> the system figures out how to send traffic
03:46 < krzee> if you would like to add that to the wishlist, do feel free
03:46 < krzee> !wishlist
03:46 < vpnHelper> krzee: "wishlist" is http://ovpnforum.com/viewforum.php?f=10 for the openvpn wishlist
03:47 -!- sparch [~daniel@pdpc/supporter/active/sparch] has joined ##openvpn
03:47 < joobie> ill work around it
03:47 < joobie> just a good feature
03:47 < joobie> to have
03:47 < sparch> morning
03:47 < joobie> not everyone has one WAN interface...
03:47 < krzee> joobie, set your default route to the other and watch what happens
03:48 < sparch> !welcome
03:48 < vpnHelper> sparch: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:48 < krzee> openvpn doesnt care how many interfaces you have, your system will send packets where ever the routes say to
03:48 < krzee> its not openvpn related, you would like it to be (and it could if the code was there)
03:49 < theDoc> I still think that it's probably a better thing to have the system handle the routing table.
03:49 < joobie> krzee, that's funny - because i have a route - that matches, telling the packet to go out my secondary
03:49 < krzee> theDoc, and i agree
03:49 < sparch> theDoc: indeed
03:49 < krzee> joobie, 
03:49 < krzee> !interface
03:49 < joobie> the packet goes out the secondary, but the src is the primary
03:49 < vpnHelper> krzee: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
03:49 < krzee> only do it for the machine in question
03:50 < joobie> ergh
03:50 < joobie> ok
03:50 < krzee> it goes out secondary because you force it to with iptables stuff?
03:50 < joobie> ill send you the meaty stuff
03:50 < joobie> nod
03:50 < theDoc> No application should be screwing around with the routing table directly. More often than not, it breaks routing when apps do it directly to the routing table.
03:50 < krzee> thats not routing table!
03:50 < joobie> i use -t mangle OUTPUT to fwmark the packet
03:50 < krzee> heh
03:50 < krzee> you dont get it man =/
03:50 < joobie> then i use ip rule to match the packet and send it to a certain routing table
03:50 < joobie> and then ip route sends the packet out the 2nd NIC
03:50 < theDoc> iptables != routing table.
03:51 < joobie> dood, i know that
03:51 < joobie> iptables is used to MARK the packet
03:51 < joobie> so that when the routing tbale SEES the packet, it can route it differently
03:51 < theDoc> That's about right.
03:51 < krzee> but it was still destined for the first interface when the packet was generated
03:51 < joobie> how else can you route JUST openvpn out the 2ndary interface without making everything go out it as the default
03:51 < joobie> nod
03:51 < krzee> so SRC address was made at that point
03:51 < joobie> that's the problem
03:51 < joobie> EXACTLY
03:51 < joobie> that's my problem
03:51 < joobie> that's why im fuked.
03:51 < krzee> its not openvpn tho
03:51 < krzee> change default route and see what happens
03:52 < joobie> if openVPN was capable of specifying its src (such as how sendmail can), then it would be fine
03:52 < krzee> then add the code!
03:52 < joobie> it's because openvpn is grabbing the default nic
03:52 < krzee> its open source
03:52 < krzee> LOL
03:52 < krzee> YOUR SYSTEM CONTROLS THAT, NOT OPENVPN
03:52 < joobie> if i change the default route, im going to have the same problem for every other type of traffic that i want to go over NIC#1
03:53 < joobie> how the FUCK do you get NIC#1 and NIC#2 playing together? I can't just change the default route each time? I have applications i want to go over NIC#1 and some i want to go over NIC#2
03:53 < joobie> the ONLY solution i have for this is applications that can bind to a specified src address
03:53 < krzee> when the packet is made, it was headed out of interface 1, so your SYSTEM (read: not openvpn), then you mangle it up to go out interface 2, but it has int1 src ip
03:53 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
03:53 < krzee> which it has through no fault of openvpn, cause openvpn makes NO ATTEMPT to control that
03:53 < joobie> it should though
03:53 < theDoc> Can't you have a mangle rule and route it through NIC#2?
03:53 < krzee> lol
03:54 < theDoc> I haven't tested it but I -think- that should work, no?
03:54 < krzee> yes, that should work ild think
03:54 < joobie> theDoc, that's what i do - the packet goes out of NIC#2 .. everything looks fine and dandy.. i even use POSTROUTING and set the SRC to be NIC#2
03:54 < theDoc> Soooo... what's the problem?
03:54 < joobie> the only problem i have is if i setup a rule on -t filter OUTPUT to listen on NIC#1, i see the packet
03:54 < krzee> not openvpn related, but yes
03:54 < theDoc> I'm confused now :P
03:54 < krzee> umm dude
03:54 < krzee> you're saying the SRC is nic1
03:55 < krzee> then you say you mangle the src to nic2
03:55 < joobie> the problem is, if i want to setup iptables rules on -t filter OUTPUT, the packet appears to go through nic#1
03:55 < joobie> so all my rules, need to be applied to NIC#1
03:55 < joobie> even though -t mangle OUTPUT and ip rule / route has marked the packet to go out NIC#2 before -t filter OUTPUT, it still goes though -t filter OUTPUT as NIC#1
03:55 < joobie> that's my issue.. 
03:55 < joobie> here sec
03:55 < joobie> let me pastebin some stuff that will make it clear
03:56 < joobie> maybe im talken too much shit
03:56 < theDoc> joobie> That's not true. You can just mangle openvpn traffic on nic#1 and have the rest of the rules affecting the traffic on nic#2 once the traffic gets passed from nic#1 to #2.
03:56 < theDoc> I remember doing some shit like that years ago but I'll have to relook at it again or something to be sure.
03:56 < krzee> alright guys im on vacation so im going back to idle for a bit
03:56 < theDoc> It's 6pm, I'm about to leave office. ;)
03:57 < krzee> 2am here
03:57 < theDoc> :)
03:57 < krzee> but ill be in australia soon!!!
03:57 < krzee> <-- cant wait
03:57 < theDoc> Land of the internet bills:)
03:57 < theDoc> Contribute more to their economy, ;p
03:58 < krzee> hah
03:58 < theDoc> But I need to go home now, so good luck folks.
03:58 < theDoc> o/
03:58 -!- theDoc [~hex@unaffiliated/thedoc] has quit [Quit: Leaving]
03:58 < krzee> adios doc
03:58 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 252 seconds]
03:58 < joobie> http://pastebin.com/m5a90d263
03:59 < joobie> fuk
03:59 < joobie> theDoc left
03:59 < joobie> krzee, check that out
03:59 < krzee> joobie, sorry i cant tell you the solution, but i can tell you that openvpn makes no attempt to change or control src address in any way, it lets your system handle it
03:59 < joobie> basically if i tcpdump on NIC#2, i see the packet go out fine.. it has the correct SRC / DST
03:59 < Bushmills> http://scarydevilmonastery.net/wowbagger
03:59 < joobie> if i tcpdump on NIC#1, i dont see shit - which is good
03:59 < joobie> but just that iptables -nvL OUTPUT, i see the packet go out NIC#1
04:00 < joobie> according to http://jengelh.medozas.de/images/nf-packet-flow.png .. there's a rerouting decision made just before -t filter OUTPUT and after -t mangle OUTPUT, so im expecting it to go through -t filter OUTPUT on NIC#2 ??
04:00 < krzee> joobie, that would be better asked in a linux chan ild think, its really not openvpn related
04:00 < krzee> !notovpn
04:00 < vpnHelper> krzee: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
04:01 < joobie> yea
04:01 < joobie> im having to do all this shit because openvpn cant fuken allow u to specify a src
04:01 < krzee> then make a patch or add it to wishlist
04:01 < joobie> anyway where in AU are u going - im from Victoria
04:01 < joobie> i cbf
04:01 < joobie> no time
04:01 < joobie> u kno how it goes
04:01 < krzee> cause as you now know, openvpn doesnt do that
04:01 < krzee> melbourne
04:02 < reiffert>        --local host
04:02 < reiffert>               Local host name or IP address for bind.  If specified, OpenVPN will bind to this address only.  If unspecified, OpenVPN will bind to all interfaces.
04:02 < krzee> Bushmills, what was that
04:02 < krzee> reiffert, thats for listen, doesnt affect the path for leaving packets
04:02 < Bushmills> section from hitchhikers' guide
04:02 < joobie> what are you doing in melbourne?
04:03 < reiffert> krzee: he should mark packages and use iproute2 then.
04:03 < joobie> i am doing that reiffert 
04:03 < Bushmills> actually meant for another channel. for one where people come in, say "hi" and leave a few seconds later again
04:03 < krzee> joobie, fun
04:03 < Bushmills> that somehow reminded me of wowbagger
04:03 < joobie> reiffert, you had experience in doing this?
04:03 < joobie> krzee, first time in melbourne?
04:03 < joobie> when are u coming
04:03 < reiffert> Bushmills: he's doing whole planets nowadays.
04:04 < krzee> yup first time in AU, going a week from tues
04:04 < Bushmills> reappearance in 6?
04:04 < reiffert> yup
04:04 < Bushmills> ah
04:04 < joobie> ahh
04:04 < joobie> u might just miss our hot weather
04:04 < krzee> i hope not!
04:04 < joobie> it's been like 35-45 degrees lately
04:04 < joobie> celcius
04:04 < joobie> man u dont want that hot weather
04:05 < joobie> u cant take a crap without a bead of sweat rolling down ur ass
04:05 < joobie> it's that hot
04:05 < krzee> i can handle it, i live on a tropical island and used to spend too much time in vegas
04:05 < joobie> reiffert, can you give me any words of wisdom? http://pastebin.com/m5a90d263
04:05 < reiffert> joobie: "let it be"
04:05 < joobie> reiffert, basically if i tcpdump nic#2, i see the packet go out as expected (snat is also done on POSTROUTING) .. 
04:06 < joobie> reiffert, only problem i have is on -t filter OUTPUT, i see the packet going out of NIC#1.. not NIC#2
04:06 < krzee> vegas gets to 50 celsius on a regular bases
04:06 < krzee> basis
04:06 < joobie> fark
04:06 < joobie> fuk that
04:06 < joobie> it's too hot
04:06 < joobie> i prefer weather where you can sit down without the A/C or heater blasting
04:07 < krzee> the girls as good as i hear out there?
04:07 < joobie> krzee, what are your plans when u come to melb? got any sights ear marked to see?
04:07 < joobie> haah
04:07 < joobie> depends what ur taste is :P
04:07 < reiffert> joobie: as you can see, your marking fails.
04:07 < krzee> im gunna stay at a friends house, no idea of anything else from there, gunna do whatever sounds good
04:07 < joobie> reiffert, scuse the counters - it does hit that marketing
04:07 < joobie> -et
04:08 < krzee> but i have 3 weeks so im sure ill figure some things out
04:08 < joobie> reiffert, that iinetDrop table is a prohibit.. if i remove the iinet table, it prohibits.. so i know for sure as it makes it to the routing it's marked
04:08 < joobie> cool krzee 
04:08 < joobie> how old are u
04:08 < joobie> if u dont mind me asking
04:08 < krzee> re my tase, good looking and sexually outgoing
04:08 < krzee> 28
04:08 < joobie> ok
04:09 < krzee> s/tase/taste/
04:09 < joobie> make sure u check out the espy
04:09 < joobie> tell ur mate
04:09 < reiffert> joobie: heres how I do it:
04:09 < joobie> to take u there 
04:09 < reiffert>  post-up ip rule add fwmark 1 lookup 1
04:09 < reiffert>  post-up ip route add default via 192.168.2.1 table 1
04:09 < reiffert> s,post-up,g
04:09 < joobie> on a friday / saturday night
04:09 < joobie> there are some decent chicks there
04:09 < reiffert> s,post-up,,g
04:09 < joobie> around ur age
04:09 < joobie> ur my age;P
04:09 < reiffert> -t mangle -A OUTPUT -s 192.168.2.2 -o eth1 -p tcp -m tcp --dport 80 -j MARK --set-mark 0x1 
04:09 < krzee> right on
04:09 < joobie> "the espy in brighton"
04:09 < joobie> tell him to take u there
04:09 < joobie> it's on the beach
04:10 < joobie> good music
04:10 < joobie> good chicks
04:10 < krzee> nice, leaving him a msg now
04:11 < joobie> reiffert, that's the same as what i do, cept different rule priorities and marks
04:11 < joobie> krzee, http://www.espy.com.au/ i think that is their homepage if u are interest
04:11 < vpnHelper> Title: HOME (at www.espy.com.au)
04:12 < reiffert> joobie: not sure about your src and dst in mangle/OUTPUT. try -j LOG
04:12 < joobie> ive looked at log 
04:12 < joobie> it's ok
04:12 < reiffert> k
04:12 < joobie> in -t mangle i dont specify a src, i just match based on DST and out NIC
04:13 < joobie> .. and dst port
04:13 < joobie> in output i do the same
04:13 < joobie> trying to keep the rules as "open" as possible..
04:14 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
04:19 < joobie> reiffert, i just tried on -t nat OUTPUT, and the packet is registering on NIC#1
04:19 < joobie> yet if i do the tcpdump on NIC#2 i see the packet go out NIC#2
04:19 < reiffert> It should not hit nat...
04:19 < joobie> it's wak
04:19 < joobie> it should hit it
04:20 < joobie> im just not doing anything with it
04:20 < krzee> the espy looks cool, and anything "by the beach" is good with me (as a rule)
04:20 < joobie> just logging
04:20 < joobie> to see what NIC it goes out
04:20 < joobie> it's decent
04:20 < joobie> brb in about 15mins
04:20 < joobie> reiffert, any of ur help would be appreciated man - been stuck on this for days
04:20 < joobie> brb in 15ish
04:20 < reiffert>               nat:
04:20 < reiffert>                   This table is consulted when a packet  that  creates  a  new
04:20 < reiffert>                   connection  is encountered. 
04:21 < reiffert> So it sounds sane at least
04:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 256 seconds]
04:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
04:39 < joobie> back
04:39 < joobie> reiffert, ya.. it should traverse the NAT table
04:39 < joobie> but it shouldnt be going through on NIC#1
04:39 < joobie> afaik
04:40 < joobie> krzee, it's decent man.. i mean it's by the beach as in it's on the opposite road of the beach - it aint actually on the beach which would rock.. but u got beach views
04:48 < joobie> reiffert, still awake?
04:52 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
04:55 -!- albondi [~albondee@99-144-131-76.lightspeed.miamfl.sbcglobal.net] has quit [Ping timeout: 264 seconds]
04:58 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:00 -!- joobie [~joobz@CPE-124-179-211-169.lns1.lon.bigpond.net.au] has quit [Quit: This computer has gone to sleep]
05:24 -!- sylock [~sylock@91.176.175.12] has quit [Ping timeout: 248 seconds]
05:28 -!- theDoc [~hex@unaffiliated/thedoc] has joined ##openvpn
05:29 < theDoc> Anyone has a clever method of using tcpdump to identify port scanning traffic?
05:31 -!- theDoc [~hex@unaffiliated/thedoc] has quit [Client Quit]
05:37 -!- theDoc [~hex@unaffiliated/thedoc] has joined ##openvpn
05:40 < sparch> !google detecting portscan with tcpdump
05:40 < vpnHelper> sparch: SecurityFocus: <http://www.securityfocus.com/archive/101/507351/30/390/threaded>; Penetration Testing: Re: port scan to juniper fw: <http://seclists.org/pen-test/2009/Oct/153>; Penetration Testing: Re: port scan to juniper fw: <http://seclists.org/pen-test/2009/Nov/2>
05:40 < theDoc> It's either me or my web host is fucking stupid.
05:40 < theDoc> I'm not sure where they are seeing "port scans" from but I'm almost sure that they have a misconfigured rule somewhere.
05:44 < theDoc> nope, nothing at all even after tcpdumping my traffic logs.
05:44 < theDoc> >_>
05:54 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
06:00 -!- albondi [~albondee@99-144-131-76.lightspeed.miamfl.sbcglobal.net] has joined ##openvpn
06:00 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Read error: Connection reset by peer]
06:05 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
06:12 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
06:20 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
06:20 -!- Rajko [Rajko@wan.rajkonet.info] has quit [Read error: No route to host]
06:21 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:31 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 276 seconds]
06:34 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Quit: Quitte]
06:52 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
06:55 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
07:00 < ecrist> lol@list
07:01 < ecrist> theDoc: look for RST errors in your system kernel logs
07:01 < theDoc> ecrist> Under /var/log/messages or /var/log/secure?
07:01 < theDoc> Either way, both of them are clean.
07:01 < ecrist> lemme look, hang on
07:02 < theDoc> ecrist> No, the funny thing here is, the rule -only- gets triggered when I try to grab my webmail.
07:02 < theDoc> and I've tcpdumped the entire SMTP session +- 5 minutes, it's totally clean.
07:03 < ecrist> errors like this:
07:03 < ecrist> Feb  8 07:02:40 kenny kernel: Limiting closed port RST response from 277 to 200 packets/sec
07:03 < theDoc> ecrist> In /var/log/messages?
07:03 < ecrist> yes, though I get mine from /var/log/all.log
07:03 < ecrist> but it should be in messages, as well.
07:09 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
07:19 -!- tjz [~tjz@unaffiliated/tjz] has quit [Quit: bbl]
07:19 -!- tjz [~tjz@bb116-15-75-224.singnet.com.sg] has joined ##openvpn
07:19 -!- tjz [~tjz@bb116-15-75-224.singnet.com.sg] has quit [Changing host]
07:19 -!- tjz [~tjz@unaffiliated/tjz] has joined ##openvpn
07:21 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
07:25 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
07:41 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
07:53 -!- albondi [~albondee@99-144-131-76.lightspeed.miamfl.sbcglobal.net] has quit [Ping timeout: 264 seconds]
08:02 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
08:27 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
08:29 -!- henry-nicolas [~d940f005@gateway/web/freenode/x-zabpzxvculfjiwxy] has joined ##openvpn
08:32 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 272 seconds]
08:38 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
08:47 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 246 seconds]
08:49 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Operation timed out]
08:59 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: Problems Creating Extra Client Keys :: Reply by leo2308 <http://www.ovpnforum.com/viewtopic.php?f=4&t=2682&p=3224#p3224>
09:27 -!- theDoc [~hex@unaffiliated/thedoc] has quit [Quit: Leaving]
09:36 < henry-nicolas> Hello everybody, I'm trying to improve my openvpn performance (reducing delay). Bandwidth is good but delay is bad. Eg: If I connect to a protected (behind the vpn) application, the delay might go from 5ms to 150ms. Any idea about some options to improve that ? 
09:42 < snovak7> what is cpu performance now?
09:45 < |Mike|> what kind of encryption are you using?
09:46 < snovak7> henry-nicolas: :p
09:47 < henry-nicolas> snovak7: didn't know your question was for me :), cpu usage is low, cpu is quite powerfull (quad xeon)
09:48 < snovak7> I'm not sure how openvpn uses optimizations on multi-core processors
09:48 < henry-nicolas> snovak7: but I still observe large delay with one particular application, no delay if I bypass the vpn
09:48 < snovak7> or it's libraries for encryption
09:50 < snovak7> if there is no multicore features means you can only use one processor at a time, and this means that processors with higher frequencies are better than multicore
09:50 < snovak7> just a thought
09:51 < Rienzilla> is cpu performance really an issue?
09:51 < Rienzilla> I'd expect that only on large implementations
09:51 < Rienzilla> deployments*
09:51 < |Mike|> barely rien :)
09:52 < snovak7> also henry-nicolas how many users do you support
09:52 < henry-nicolas> snovak7: cpu clock speed is at 2.2Ghz and I'm supporting 6 concurrent user on that vpn
09:52 < Rienzilla> I mean, a quad xeon should be able to do a lot of concurrent connections without any problem (and also, if cpu is the bottleneck I'd also expect bandwitdth to decrease)
09:53 < |Mike|> Rienzilla: 1500 at least, w/o problems :)
09:53 < snovak7> how much latency is to the server?
09:53 < Rienzilla> can a xeon encrpyt a gigabit of traffic?
09:54 < snovak7> we are talking about optimization, any processor parallel processing increases performance :p
09:54 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
09:54 < snovak7> we are talking about nanoseconds :p
09:54 < henry-nicolas> snovak7: latency to the server (without vpn) is less than 5ms
09:55 < snovak7> and when you connect
09:55 < snovak7> how much latency is to the server?
09:55 < henry-nicolas> the same, less than 5 ms. It's only when I connect to a defined app that I got delay issue.
09:56 < snovak7> now calculate from app <-> server <-> you and sum it up :)
09:57 < |Mike|> what kind of encryption are you using on your clients/server?
09:59 < henry-nicolas> from app (windows virtual server / kvm but on the same switch) to the firewall/vpn it's less than one ms and from the vpn server to me it's generally less than 5ms but sometime 20ms
10:00 < henry-nicolas> I'm using DES-CBC + tls-auth
10:06 -!- polaru [~polaru@93.113.192.70] has quit [Read error: Connection reset by peer]
10:07 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
10:12 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 240 seconds]
10:16 -!- jbartus [~jbartus@smokey.stfudonny.com] has left ##openvpn []
10:28 -!- hvnqke_work [~per@90.184.203.29] has joined ##openvpn
10:29 < hvnqke_work> what can make an openvpn connection suddenly fail 1-2 times every minute? everything worked last week, and now it suddenly just breaks every minute or so. All other traffic is going out perfectly and consistently, but the openvpn-client connection dies
10:31 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
10:35 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
10:39 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
10:40 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
10:44 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 252 seconds]
11:00 -!- albondi [~albondee@99-144-131-76.lightspeed.miamfl.sbcglobal.net] has joined ##openvpn
11:03 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
11:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:08 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
11:14 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:16 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 264 seconds]
11:16 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
11:31 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 276 seconds]
11:33 -!- dazo is now known as dazo_afk
11:37 -!- buntfalke_ is now known as buntfalke
11:37 -!- albondi [~albondee@99-144-131-76.lightspeed.miamfl.sbcglobal.net] has quit [Ping timeout: 264 seconds]
11:37 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has left ##openvpn []
11:46 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
11:46 -!- irvken [~sean@cpc1-hawk1-0-0-cust297.aztw.cable.virginmedia.com] has joined ##openvpn
11:50 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
11:55 -!- hvnqke_work [~per@90.184.203.29] has quit [Quit: Leaving]
11:56 < irvken> !welcome
11:56 < vpnHelper> irvken: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:56 < irvken> !howto
11:56 < vpnHelper> irvken: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:59 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
12:04 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
12:07 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
12:22 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Remote host closed the connection]
12:28 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
12:41 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
12:49 -!- __trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
12:49 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
12:49 -!- __trine is now known as _trine
13:14 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
13:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
13:44 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
13:44 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
13:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:57 -!- sparch [~daniel@pdpc/supporter/active/sparch] has quit [Quit: Sphinx may be image of a failed attempt to cross humans with lions.]
14:04 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Ping timeout: 246 seconds]
14:05 -!- PeterFA [~Peter@c-98-203-132-209.hsd1.wa.comcast.net] has joined ##openvpn
14:05 -!- PeterFA [~Peter@c-98-203-132-209.hsd1.wa.comcast.net] has quit [Changing host]
14:05 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
14:14 -!- albondi [~albondee@99-144-131-76.lightspeed.miamfl.sbcglobal.net] has joined ##openvpn
14:15 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
14:15 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
14:45 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
14:46 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
15:24 -!- Kaspx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
15:24 -!- mode/##openvpn [+v Kaspx] by ChanServ
15:25 -!- openvpn_2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
15:25 -!- mode/##openvpn [+v openvpn_2009] by ChanServ
15:26 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 248 seconds]
15:28 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 272 seconds]
15:39 -!- flaco [~flaco@pc-166-153-83-200.cm.vtr.net] has joined ##openvpn
15:46 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
15:46 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
15:57 -!- flaco [~flaco@pc-166-153-83-200.cm.vtr.net] has quit []
16:01 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
16:01 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
16:04 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
16:05 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
16:29 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
16:34 -!- sparch [~daniel@pdpc/supporter/active/sparch] has joined ##openvpn
16:34 < sparch> night
16:35 < sparch> Ok, I know this can be my firewall
16:35 < sparch> read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
16:35 < sparch> but, TCP tunnel works fine
16:35 < sparch> I don't know where to look anymore
16:36 < sparch> because everything is open (in/out) for OpenVPN server.
16:37 < sparch> it happens in server side
16:38 -!- albondi [~albondee@99-144-131-76.lightspeed.miamfl.sbcglobal.net] has quit [Ping timeout: 264 seconds]
16:40 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
16:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
16:45 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
16:45 -!- mode/##openvpn [+v Kasx] by ChanServ
16:48 -!- openvpn_2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 240 seconds]
16:48 -!- Kaspx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 240 seconds]
16:53 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
16:53 -!- mode/##openvpn [+v openvpn2009] by ChanServ
16:55 -!- CamargoBP [~CamargoBP@orem.jiveip.net] has joined ##openvpn
16:59 < CamargoBP> !welcome
16:59 < vpnHelper> CamargoBP: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:01 < Bushmills> sparch: "No route to host" sounds more like routing issue
17:03 < CamargoBP> Hi there I'm getting an "Unable to get certificate CRL" Error: http://pastebin.com/m4bac88c9   I'll gather the configs.
17:03 < CamargoBP> !logs
17:03 < vpnHelper> CamargoBP: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
17:03 < sparch> Bushmills: but why work for TCP connections?
17:04 < sparch> thats weird
17:04 < CamargoBP> !configs
17:04 < vpnHelper> CamargoBP: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
17:04 < Bushmills> question is probably "where do packets go to that a route for a particular destination is missing" 
17:06 < Bushmills> but i can't help you much, the amount of details you gave is far too skinny. i don't even know whether you experience that problem on client or server 
17:06 < Bushmills> oh. wrong. you said "server side"
17:09 -!- irvken [~sean@cpc1-hawk1-0-0-cust297.aztw.cable.virginmedia.com] has quit [Remote host closed the connection]
17:09 < CamargoBP> !goal
17:09 < vpnHelper> CamargoBP: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:09 < CamargoBP> !howto
17:09 < vpnHelper> CamargoBP: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:11 < krzee> CamargoBP,
17:11 < krzee> !factoids
17:11 < vpnHelper> krzee: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
17:11 < krzee> you might like that one too =]
17:14 < CamargoBP> Goal: Connect to a subnet: 10.128.0.0/16 from anywhere. server.conf: http://pastebin.com/m7adae552 client.conf: http://pastebin.com/m69db333 error: http://pastebin.com/m4bac88c9
17:15 < krzee> !route
17:15 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:15 < krzee> is the subnet behind server or client?
17:16 < krzee> ohhh, the error is your certificate
17:16 < krzee> Feb  8 15:53:48 vpn1 openvpn[13040]: 166.70.12.225:1106 VERIFY ERROR: depth=0, error=unable to get certificate CRL: /C=US/ST=UT/L=Orem/O=The_Company/CN=bret/emailAddress=bret@company.com
17:17 < krzee> check this:
17:17 < krzee> crl-verify /etc/openvpn/keys/crl.pem
17:17 < krzee> seems to be something wrong with the file
17:22 < krzee> so not cert, i mean CRL
17:30 -!- goog1jh [googijh@my.barbie.wears.no-panties.org] has quit [Ping timeout: 248 seconds]
17:31 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Operation timed out]
17:33 -!- goog1jh [googijh@my.barbie.wears.no-panties.org] has joined ##openvpn
17:35 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
17:51 < CamargoBP> Wow, sorry for bailing. We had an impromto meeting.
17:51 < CamargoBP> krzee:  Yeah I touched the crl.pem
17:52 < CamargoBP> Do you know a way to generate one without actually revoking a cert?
17:58 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Operation timed out]
17:58 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
18:06 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 240 seconds]
18:06 -!- Kaspx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
18:06 -!- mode/##openvpn [+v Kaspx] by ChanServ
18:08 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 260 seconds]
18:10 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
18:10 -!- mode/##openvpn [+v openvpn2009] by ChanServ
18:21 < krzee> CamargoBP, just comment it out until you revoke a cert
18:22 < krzee> although there is a way, the command should be in the perl script ecrist wrote
18:22 < krzee> !ssl-admin
18:22 < vpnHelper> krzee: "ssl-admin" is (#1) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#2) if you use freebsd, it is in ports, or (#3) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn
18:27 < CamargoBP> krzee: Same error
18:36 < krzee> same error when you comment out the CRL?
18:37 < krzee> thats not possible, the error is about CRL, without CRL it cant give an error about the CRL...
18:37 < krzee> i believe there is AN error if you commented that out, but not that exact error
18:37 -!- sparch_ [~daniel@189.114.179.55.dynamic.adsl.gvt.net.br] has joined ##openvpn
18:38 -!- sparch [~daniel@pdpc/supporter/active/sparch] has quit [Ping timeout: 272 seconds]
18:47 -!- izro [~brian@hick.org] has quit [Ping timeout: 272 seconds]
18:48 -!- sparch_ [~daniel@189.114.179.55.dynamic.adsl.gvt.net.br] has quit [Quit: If you are going to walk on thin ice, you may as well dance.]
19:00 -!- henry-nicolas [~d940f005@gateway/web/freenode/x-zabpzxvculfjiwxy] has quit [Disconnected by services]
19:08 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Read error: Connection reset by peer]
19:21 -!- theDoc [~hex@unaffiliated/thedoc] has joined ##openvpn
19:21 < theDoc> Morn' all.
19:42 -!- flaco [~flaco@pc-166-153-83-200.cm.vtr.net] has joined ##openvpn
20:01 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
20:35 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
20:37 -!- theDoc [~hex@unaffiliated/thedoc] has quit [Quit: Leaving]
20:37 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:40 -!- flaco [~flaco@pc-166-153-83-200.cm.vtr.net] has quit [Ping timeout: 240 seconds]
21:37 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
22:04 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
22:06 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
22:10 -!- Demonous [~samuel@ip98-183-225-164.hr.hr.cox.net] has joined ##openvpn
22:10 < Demonous> Would anyone be aware of any VPNs that are public for any guest to use? 
22:11 < theDoc> That's cute.
22:12 < Demonous> It's not like I can host my own. I'm screwed as far as that front goes.
22:17 -!- Demonous [~samuel@ip98-183-225-164.hr.hr.cox.net] has left ##openvpn []
23:01 -!- heise2k [~heise2k@65-78-40-52.c3-0.upd-ubr6.trpr-upd.pa.cable.rcn.com] has quit [Read error: Connection reset by peer]
23:03 -!- freaky[t] [alpha@freakyy.de] has quit [Read error: Operation timed out]
23:03 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
23:08 -!- heise2k [~heise2k@65-78-40-52.c3-0.upd-ubr6.trpr-upd.pa.cable.rcn.com] has joined ##openvpn
23:15 -!- onats [~onats@unaffiliated/onats] has joined ##openvpn
23:20 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 260 seconds]
23:22 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:32 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
--- Day changed Tue Feb 09 2010
00:01 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 260 seconds]
00:43 -!- Sir-Rogers [~rweber89@188-221-70-159.zone12.bethere.co.uk] has joined ##openvpn
00:43 < Sir-Rogers> hi guys
00:43 < Sir-Rogers> !welcome
00:43 < vpnHelper> Sir-Rogers: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
00:44 < theDoc> Hello.
00:44 < Sir-Rogers> is this the right place
00:45 < Sir-Rogers> to ask questions about possible openvpn development?
00:45 < Sir-Rogers> or is it more a helpbase for endusers?
00:48 < Sir-Rogers> theDoc?
00:48 < theDoc> Both I guess.
00:48 < theDoc> I'll try to answer any queries you might have.
00:49 < rob0> I'll try to create confusion and dissent.
00:49 < Sir-Rogers> lol
00:49 < Sir-Rogers> ok well
00:50 < Sir-Rogers> I just started looking into openvpn
00:50 < Sir-Rogers> and I might possibly want to use it to play LAN games
00:51 < Sir-Rogers> now I'm not 100% sure how it works on the serverside
00:51 < Sir-Rogers> i know the server is used to authenticate connections, in order to establish a secure connection
00:51 < Sir-Rogers> is there a physical limit to how many users can connect to an openvpn at the same time?
00:51 < Sir-Rogers> what I really want to know
00:52 < Sir-Rogers> is for what process server ressources are used
00:52 < Sir-Rogers> like when user A wants to tunnel user B
00:52 < Sir-Rogers> that goes through the server right? and then after the tunnel has been established it's just between both users?
00:52 < rob0> You're more likely to be limited by your Internet bandwidth & latency than by openvpn.
00:53 < Sir-Rogers> well
00:53 < Sir-Rogers> that's why I'm asking
00:53 < rob0> yes, it's a "star topology" VPN
00:53 < Sir-Rogers> where there's work involved
00:53 < rob0> client-to-client goes through the server
00:53 < Sir-Rogers> but only when a tunnel is setup right?
00:54 < Sir-Rogers> after that it's client-to-client?
00:54 < rob0> huh?
00:54 < Sir-Rogers> the tunnel?
00:54 < Sir-Rogers> that's a client-to-client connection, doesn't involve the server?
00:55 < Sir-Rogers> or did I misunderstand something?
00:55 < rob0> If userA and userB are both clients connected to serverC, traffic from userA to userB goes through serverC.
00:56 < Sir-Rogers> ohhh
00:56 < rob0> I man, assuming you're using the VPN, which might not be a safe assumption.
00:56 < rob0> *mean
00:56 < Sir-Rogers> what do you mean?
00:56 < Sir-Rogers> might not be a safe assumption, why?
00:57 -!- onats [~onats@unaffiliated/onats] has quit [Quit: onats]
00:57 < rob0> I suggest you go read up and try some things, let us know when you have a specific question.
00:57 < Sir-Rogers> so there is no way
00:57 < Sir-Rogers> for a client-to-client connection?
00:57 < Sir-Rogers> because i thought that's what it does
00:58 < rob0> < rob0> client-to-client goes through the server
00:58 < Sir-Rogers> ok
00:58 < Sir-Rogers> so if
00:58 < Sir-Rogers> 10 clients
00:59 < Sir-Rogers> all tunnel each-other
00:59 < Sir-Rogers> so that their lan traffic is sent to others
00:59 < Sir-Rogers> that's a huge traffic load on the server
00:59 < Sir-Rogers> i'm guessing
00:59 < Sir-Rogers> so user A sends packet X
00:59 < Sir-Rogers> to the server
00:59 < Sir-Rogers> and the server sends it to the other 9
00:59 < Sir-Rogers> sorry if they're all newbie questions, there just wasn't technical documentation that I could find
01:00 < Sir-Rogers> there were articles on setting up the configs, how to solve use problems etc
01:02 < rob0> You could set up a full-mesh topology, using peer connections among each endpoint. That doesn't scale very well, but it can be done. So userA has individual tunnels to each of userB, userC, userD et c.
01:04 < theDoc> Sorry, at work here ;p
01:04 < theDoc> What did I miss?
01:04 < Sir-Rogers> is it possible to set that up using openvpn?
01:04 < rob0> Not any questions about development, that I have seen.
01:04 < Sir-Rogers> like if you have the vpn IPs of all 10 people
01:04 < Sir-Rogers> tell them to connect to eachother?
01:05 < Sir-Rogers> or atleast
01:05 < Sir-Rogers> 9 to 1
01:05 < Sir-Rogers> because only one person has to host the game
01:05 < Sir-Rogers> but they don't need to be connected to the other 100 users in the chat
01:05 < Sir-Rogers> if that makes sense
01:05 < rob0> 9 to 1 is simple, just a typical client/server setup.
01:06 < theDoc> However, the problem with LAN gaming is that your overhead with tunneling of traffic over the WAN increases significantly.
01:06 < theDoc> and so does your latency
01:06 < rob0> "Full mesh" would mean (1 to 9) * 10
01:07 < Sir-Rogers> well
01:07 < Sir-Rogers> they'd just need
01:07 < Sir-Rogers> an initial 9 to 1 over LAN
01:07 < Sir-Rogers> to be able to join the game
01:07 < Sir-Rogers> *see the game
01:07 < rob0> 90 individual tunnels, see? "Doesn't scale very well."
01:07 < Sir-Rogers> after they join the game, the game takes care of it
01:07 < Sir-Rogers> nono
01:07 < Sir-Rogers> just 9
01:07 < Sir-Rogers> 9 tunnels for the other players to the one host
01:08 < theDoc> Point to multipoint?
01:08 < Sir-Rogers> hmm
01:08 < Sir-Rogers> what is point to multipoint?
01:08 < Sir-Rogers> sorry my vocabulary and theoretical knowledge in the area is very limited
01:09 < Sir-Rogers> so I need 9 players to be able to see the LAN packets of one host
01:10 < theDoc> Sir-Rogers> How many users do you plan to have on that one box?
01:11 -!- albondi [~albondee@99-144-131-76.lightspeed.miamfl.sbcglobal.net] has joined ##openvpn
01:12 < Sir-Rogers> could be quite a bit
01:12 < Sir-Rogers> starting with 100
01:13 < Sir-Rogers> hopefully scalable up to 10'000/100'000
01:13 < rob0> Seems to me that full mesh should be doable with a slight extension of the protocol, such that each client would get an iroute table pushed from the server.
01:14 < Sir-Rogers> ok very basic question
01:14 < rob0> Then a client-to-client connection would be routed directly to the other client. Offer void with clients behind troublesome firewalls, of course.
01:14 < Sir-Rogers> yes well it doesn't have to be full-mesh
01:14 < Sir-Rogers> as I said it just has to be one way
01:14 < Sir-Rogers> 9->1
01:14 < Sir-Rogers> and the 1 player they all connect to
01:14 < Sir-Rogers> has to forward his ports
01:15 < Sir-Rogers> i'm guessing
01:15 < Sir-Rogers> unless you can connect to games over the vpn without the need to forward ports?
01:15 < Sir-Rogers> would that be the case?
01:15 < Sir-Rogers> I'm assuming they'd have to configure the firewalls and forward the correct ports for the specific game
01:17 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:17 -!- mode/##openvpn [+o mattock] by ChanServ
01:28 < Sir-Rogers> r0b?
01:28 < Sir-Rogers> rob0?
01:34 -!- corretico_ [~laguilar@201.201.46.106] has joined ##openvpn
01:36 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 256 seconds]
01:37 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
01:48 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
01:59 < Sir-Rogers> ok thanks for your help, bye
01:59 -!- Sir-Rogers [~rweber89@188-221-70-159.zone12.bethere.co.uk] has quit []
02:03 -!- polaru [~polaru@93.113.192.70] has joined ##openvpn
02:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:12 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 256 seconds]
02:22 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
02:28 -!- henry-nicolas [~d940f005@gateway/web/freenode/x-mqqxwlorballxixh] has joined ##openvpn
02:29 < henry-nicolas> Hello everybody, I got issue when trying to connect my openvpn windows clients. They tolds me : "Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:9: topology (2.0.9)" any idea why ?
02:29 < krzee> yes
02:29 < krzee> !topology
02:29 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
02:29 < krzee> you arent using 2.1
02:31 < |Mike|> good morning krzee :)
02:31 < krzee> mornin
02:33 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Operation timed out]
02:33 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
02:43 < henry-nicolas> krzee: Ok but I put topology subnet on the server, what should I do with the windows client ?
02:46 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 240 seconds]
02:55 -!- dazo_afk is now known as dazo
02:55 < cron2> upgrade to 2.1
03:08 -!- master_of_master [~master_of@p57B5799E.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
03:09 -!- master_of_master [~master_of@p57B542D7.dip.t-dialin.net] has joined ##openvpn
03:10 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
03:16 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
03:18 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
03:19 -!- corretico_ [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
03:20 -!- albondi [~albondee@99-144-131-76.lightspeed.miamfl.sbcglobal.net] has quit [Ping timeout: 264 seconds]
03:24 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
03:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 258 seconds]
03:47 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 256 seconds]
03:50 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
03:50 -!- henry-nicolas [~d940f005@gateway/web/freenode/x-mqqxwlorballxixh] has quit [Quit: Page closed]
03:58 -!- albondi [~albondee@99-144-131-76.lightspeed.miamfl.sbcglobal.net] has joined ##openvpn
04:14 -!- polaru [~polaru@93.113.192.70] has quit [Ping timeout: 276 seconds]
04:33 -!- krzee [nobody@hemp.ircpimps.org] has joined ##openvpn
04:33 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
04:33 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
04:34 -!- albondi [~albondee@99-144-131-76.lightspeed.miamfl.sbcglobal.net] has quit [Ping timeout: 264 seconds]
04:35 -!- polaru [~polaru@93.113.192.70] has joined ##openvpn
04:52 -!- polaru [~polaru@93.113.192.70] has quit [Ping timeout: 276 seconds]
05:08 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
05:10 -!- master_of_master [~master_of@p57B542D7.dip.t-dialin.net] has quit [Ping timeout: 272 seconds]
05:11 -!- master_of_master [~master_of@p57B542D7.dip.t-dialin.net] has joined ##openvpn
05:13 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:13 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:16 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
05:23 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
05:42 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
05:47 -!- sparch [~daniel@pdpc/supporter/active/sparch] has joined ##openvpn
05:49 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Remote host closed the connection]
05:50 -!- flaco [~flaco@pc-166-153-83-200.cm.vtr.net] has joined ##openvpn
05:51 < flaco> hi all.. I got openvpn server installed on fedora, all my clients have stable internet access, but they VPN connection are dropped at random times... I got this config in the clients http://dpaste.com/156504/ how can I make the client 'auto connect' when is disconnected from the vpn server??
05:52 < sparch> morning.
05:52 < macsppadic> morning flaco sparch 
05:53 < sparch> macsppadic: how do you do?
05:53 < macsppadic> hey sparch am good thanks urself?
05:53 < macsppadic> !ping-restart
05:53 < vpnHelper> macsppadic: Error: "ping-restart" is not a valid command.
05:53 < macsppadic> ahh crap 
05:53 < flaco> good morning!
05:54 < macsppadic> hey there flaco usually add persist-key as well in configs but dont know if that will solve ur issue 
05:55 < macsppadic> so u shud be to reconnect without having to renegotiate the keys as far as i understand it 
05:56 < flaco> I read that 'resolv-retry infinite' should reconnect when the connection is dropped
05:56 < krzee> really that option is for when you drop user privs, you dont need privileges to read the key file as the new user
05:56 < krzee> all persist options are for when you use --user --group
05:57 -!- sparch [~daniel@pdpc/supporter/active/sparch] has quit [Quit: Eat right, exercise regularly, die anyway.]
05:57 < flaco> the only way to get connected again is restarting the openvpn service (in the client)
05:58 < krzee> flaco, whered you get that config?
05:58 < flaco> krzee, the openvpn server admin
05:58 < flaco> webadmin
06:00 < theDoc> flaco> Is this on access-server?
06:00 < flaco> theDoc, sorry, I don't understand (english is not my language)
06:00 < krzee> theDoc, he pasted a config, AS doesnt have configs
06:01 < krzee> he just means the web guy in his office
06:01 < theDoc> krzee> ah.
06:01 < theDoc> Well, AS does have a config file, it's just buried somewhere ;p
06:01 < krzee> but it could very well be a mis-match of --reneg-sec
06:02 < krzee> but i cant tell cause no server config
06:02 < krzee> but what he described would be a symptom of that
06:02 < krzee> flaco, can you get the server config?
06:04 < flaco> I was looking that.... where is stored??? it was created by the webadmin (in /etc/openvpn) there is nothing
06:04 < krzee> ps auxw|grep openvpn
06:05 < krzee> you wouldnt find it in /etc/openvpn on any of my machines either
06:06 < flaco> weird, http://dpaste.com/156507/
06:07 < krzee> hah
06:07 < krzee> theDoc, you were right!
06:07 < theDoc> ^^
06:07 < theDoc> toldja :P
06:07 < krzee> i didnt know clients could use normal openvpn configs with AS
06:07 < theDoc> No, you can't mix and match that.
06:08 < theDoc> Well, in theory..
06:08 < theDoc> You can.
06:08 < theDoc> If the certs and all match.
06:08 < krzee> he seems to be, http://dpaste.com/156504/ is his client config
06:08 < theDoc> It's just outright annoying to do that and why the hell would you do that anyway?
06:08 < krzee> hrm, he doesnt have certs in his client config
06:08 < krzee> i didnt notice that til you mentioned it
06:08 < theDoc> Yeah.
06:09 < theDoc> krzee> Well, you can mix and match them but your certs/keys need to match and on top of that, user needs to exist in radius/pam/whatever-authentication
06:09 < krzee> flaco, hit your webguy upside his head and tell him its from krzee
06:09 < theDoc> I find it insanely annoying to do so, I just use AS and forget about the trouble
06:09 < theDoc> :P
06:09 < flaco> krzee, I still does not have certs in the clients, because I wanna solve the "stability" first
06:10 < theDoc> sigh
06:10 < krzee> flaco, and it connects?
06:10 < theDoc> If it does, you are doing something wrong.
06:10 < flaco> krzee, yes, but 1 client can get connected for 2 days and other for 10 minutes... its random
06:11 < theDoc> There's something wrong, you should not be able to connect if you don't specify certs.
06:11 < flaco> :S
06:12 < krzee> theDoc, isnt the cert stuff built in to AS and cant be removed?
06:12 < krzee> (ive never used it, dont plan on it either ;] )
06:12 < flaco> ok.. I create certs for the clients... and the server config? where should I save?
06:12 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
06:13 < krzee> flaco, theDoc is your only hope in here as far as i know, because he is the only one here who helps and uses AS
06:13 < flaco> :O
06:13 < krzee> (Access Server, the pay version of openvpn)
06:14 < flaco> I pay for 20 licenses!
06:14 < theDoc> krzee> Well, AS generates the certs automatically.
06:14 < krzee> exactly, and i only use the free version so im useless to you
06:14 < theDoc> flaco> What does your setup look like and what exactly is the problem?:)
06:16 -!- menace [~knorr@unaffiliated/menace] has joined ##openvpn
06:17 < flaco> theDoc, server behind a router, with ports configured, I got 50% linux clients and 50% windows client... I installed the openvpn_AS package as the "installation overview" say in the openvpn site
06:17 < flaco> the problem is.. I can't get stable client connection to the vpn server, even if the client's has 24/7 ethernet internet connection
06:18 < theDoc> flaco> Which platform?
06:18 < theDoc> Linux?
06:18 < krzee> def a unix from the ps output
06:18 < flaco> theDoc, the server Fedora 12, clients ubuntu 8.04 and windows XP
06:18 < krzee> or a *nix i guess
06:18 < theDoc> flaco> Pastebin your /var/log/openvpnas.log
06:19 -!- menace [~knorr@unaffiliated/menace] has left ##openvpn []
06:19 < theDoc> Hehe, true that.
06:19 < theDoc> ;p
06:19 < theDoc> krzee> I'm planning on issuing dongles to some of my customers that really need multi-layer authentication ;p
06:19 < krzee> nice
06:20 < theDoc> So I have cert > radius + dongle.
06:20 < krzee> lemme know how you go about it after you bust it
06:20 < krzee> going with kerberos?
06:20 < theDoc> krzee> Probably radius.
06:20 < theDoc> I have no experience with kerberos.
06:20 < krzee> werd
06:20 < theDoc> Unless someone can show me the ropes.
06:20 < theDoc> Well, I'm not sure if I can use radius to do that yet
06:20 < flaco> is too big to paste
06:20 < flaco> any particular section?
06:21 < theDoc> flaco> Yes, I want the part about client connecting and disconnecting.
06:23 < flaco> http://dpaste.com/156509/
06:23 < flaco> mmmm
06:23 < flaco> ['parque1', '02/06/10 . 09:50:59', '02:16', 'VPN', '200.124.37.62', '10.8.1.3', 'UDP', '1194', '63.00 KB', '65.43 KB', ''], ['parque1', '02/06/10 . 09:50:58', '00:00', 'VPN', '200.124.37.62', '10.8.1.3', 'UDP', '1194', '3.79 KB', '4.31 KB', 'disconnected because user-specific properties prevent concurrent VPN connections by this user']
06:23 < krzee> you connecting multiple clients with same certs?
06:24 < flaco> the clients does not have certs
06:24 < theDoc> This seems self-explainatory, disconnected because user-specific properties prevent concurrent VPN connections by this user'
06:25 < theDoc> No, openvpnAS does not permit multiple CN connections at the same time, iirc.
06:25 < krzee> login information then i guess
06:25 < krzee> theres something its being auth'ed by
06:25 < krzee> and you seem to be duplicating it on 2 client machines
06:25 < theDoc> That seems to be a problem and also, it does from the amount of traffic being sent, it does seem that the link is flakey.
06:25 < theDoc> Yep.
06:25 < flaco> should I create certs for client and that should fix the problem?
06:26 < theDoc> flaco> OpenvpnAS creates the entire package for you, how -exactly- are you configuring it?
06:26 < krzee> each client needs separate login info
06:26 < krzee> and if you use certs, each needs separate certs
06:26 < flaco> the server, with this command /usr/local/openvpn_as/bin/ovpn-init
06:27 < theDoc> flaco> That's to run the -installer- for the server.
06:27 < flaco> the clients... I create a user account in the openvpn server
06:27 < dazo> theDoc:  --duplicate-cn
06:27 < krzee> dazo, not recommended
06:27 < theDoc> dazo> I'm not a fan of --duplicate-cn and I feel each user needs to have their own certs
06:27 < krzee> (as mentioned in the manual)
06:28 < dazo> krzee:  agreed
06:28 < theDoc> It's a risk.
06:28 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
06:28 < dazo> agreed ... but it is possible to use the same cert on more clients in parallel, that's my point
06:28 < theDoc> flaco> Yep, use the generated files in the server and assign them to your clients.
06:28 < flaco> yes
06:28 < theDoc> dazo> Yep, it is and it should be depreciated ;p
06:28 < krzee> oh, not mentioned in the manual... but still
06:28 < krzee> lol
06:29 < theDoc> flaco> So why are you trying to create user certs?
06:29 < krzee> it exists for using a single cert for multiple clients, then using auth and --username-as-commonname
06:30 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
06:30 < dazo> but --duplicate-cn is only evil if you use it in connection with ccd ... and try to assign static ip addresses .... except for that, its not that bad - depending on the requested/expected security level ... and in conjunction with some username/password auth it might be acceptable
06:30 < krzee> at least thats why imho
06:31 < flaco> this is the full client conf created by the openvpn webadmin http://dpaste.com/156511/
06:31 < flaco> ah... I'm using static ip in the clients
06:32 < theDoc> That doesn't show any problems.
06:33 < dazo> flaco:  I'd recommend you to change your keys and certificates now :-P
06:33 < krzee> lol
06:33 < krzee> yup
06:34 < krzee> that was a bit too much info
06:34 < flaco> xD
06:34 < krzee> you just made your auth public
06:34 < krzee> -----BEGIN RSA PRIVATE KEY-----
06:39 < theDoc> Never .. paste your RSA keys out
06:41 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
06:43 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
06:43 < flaco> ok, I create new server certs
06:44 < flaco> but... what I do with my client's problem??
06:46 < theDoc> flaco> Are you sure it's not a link problem?
06:51 -!- _joe [~joseph@joseph.xen.prgmr.com] has joined ##openvpn
06:51 < flaco> you mean unstable internet connection by the client?
06:51 < _joe> hi folks, any reason why this wouldn't work: server 10.0.0.0 255.0.0.0 ? i get a "Options error: --server directive netmask allows for too many host addresses (subnet must be 255.255.0.0 (/16) or higher)" error
07:03 < theDoc> flaco> Yep.
07:04 < theDoc> Because you probably can't fit a couple of million addresses on a single server? ;p
07:05 < krzee> _joe, error seems pretty obvious
07:05 < _joe> heh
07:05 < flaco> theDoc, I'm sure... but if it was the case, the openvpn client is a service, so it should try to reconnect
07:05 < _joe> i'm asking for a friend
07:05 < _joe> he's not planning on using all the addresses (obviously)
07:05 < krzee> that doesnt make the error less obvious...
07:05 < _joe> agreed
07:05 < _joe> what i'm really asking is: is there any way around it?
07:06 < krzee> use a smaller netmask, lol
07:06 < _joe> let me rephrase: is there any way to force openvpn to allow it?
07:06 < krzee> why would you want to?
07:07 < _joe> my friend wants a /8 so he can spread stuff out on it to his liking
07:07 < krzee> he can do that with any size subnet
07:07 < krzee> doesnt need /8 to do that
07:07 < _joe> ok
07:07 < _joe> i guess i have what i needed to know
07:07 < _joe> thanks for your help :)
07:07 < krzee> np
07:09 < krzee> hell with a /16 you could give 255 clients their own /24's, which is un-necessary as well
07:10 < krzee> everything needed can be done within a /24, but he does have the option to go all the way to /16
07:11 < theDoc> flaco> Doesn't it try to reconnect?
07:13 < flaco> theDoc, nop
07:13 < flaco> theDoc, I have to restart the service
07:13 < krzee> i see the --reneg-sec is set to 1 day
07:13 < krzee> if server had different, that would do it
07:14 < flaco> theDoc, and why this "disconnected because user-specific properties prevent concurrent VPN connections by this user"
07:14 < flaco> I got different account, different IP for each client
07:14 < krzee> thats where i was headed before i saw he uses AS
07:23 < ecrist> good morning
07:35 < |Mike|> morning e crist :)
07:36 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:36 < macsppadic> morning ecrist 
07:44  * ecrist needs a new mac.
07:48 -!- Grapsus [~grapsus@LMontsouris-152-63-14-98.w217-128.abo.wanadoo.fr] has joined ##openvpn
07:49 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
08:04 < dazo> _joe:  it was discussed (even a patch was written, iirc) by someone else to make openvpn allow a bigger netmask ... but it was rejected, as the need really is limited for such big netmask ... you normally would spread such a big amount of clients on more openvpn processes which would use separate network segments
08:04 < _joe> dazo: gotcha
08:06 < dazo> _joe:  keep in mind that openvpn don't scale too well, there are reports about performance loss when you pass 150 clients .... and it only uses one CPU core, even though you might have many more cores available on the server .... so then you need multiple openvpn processes pinned to separate CPU cores
08:15 < theDoc> Anyone having problems getting to google?
08:19 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
08:20 -!- _joe [~joseph@joseph.xen.prgmr.com] has quit [Quit: leaving]
08:25 -!- Grapsus [~grapsus@LMontsouris-152-63-14-98.w217-128.abo.wanadoo.fr] has quit [Quit: Quitte]
08:29 < ecrist> !google anyone having problems getting to google
08:29 < vpnHelper> ecrist: Anyone having problems getting into Google Mail?: <http://askville.amazon.com/problems-Google-Mail/AnswerViewer.do?requestId=7269740>; Anyone having problems getting into Google Mail? Nope, no problems.: <http://askville.amazon.com/problems-Google-Mail-Nope/AnswerDetails.do?requestId=7269740&responseId=7269921>; Anyone having trouble accessing their google email account ...:
08:29 < vpnHelper> ecrist: <http://www.google.com/support/forum/p/gmail/thread?tid=3c87e8222a2320d7&hl=en>
08:29 < ecrist> nope
08:32 < theDoc> ecrist> I am.
08:32 < theDoc> Oh wat ;p
08:32 < theDoc> http://inetpro.org/pastebin/2418
08:33 < theDoc> Bad times.
08:42 -!- albondi [~albondee@99-144-131-76.lightspeed.miamfl.sbcglobal.net] has joined ##openvpn
09:04 -!- mattock [~samuli@sparkgw.utu.fi] has joined ##openvpn
09:04 -!- mode/##openvpn [+o mattock] by ChanServ
09:17 -!- albondi [~albondee@99-144-131-76.lightspeed.miamfl.sbcglobal.net] has quit [Ping timeout: 264 seconds]
09:31 < theDoc> Hmm.:)
09:32 < theDoc> Swapped dns servers to google and it's alot better.
09:32 < |Mike|> got 8.8.8.8 ? :p
09:32  * rob0 is not a fan of DNS forwarders in general
09:33 < theDoc> True that, ;p
09:33 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
09:33 < theDoc> 8.8.8.8 and 8.8.4.4
09:33 < theDoc> rob0> Referring to opendns? ;p
09:34 < rob0> AND Google, and ISP nameservers, yes. I just do my own recursion.
09:35 < |Mike|> authorative i hope
09:35 < theDoc> In all honesty, I'm not a dns monkey so ;p
09:36 < ecrist> I do my own recursion, as well.
09:36 < theDoc> on your own dns servers?
09:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
09:36 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
09:37 < ecrist> yes
09:38 < rob0> |Mike|, I don't get the question. Recursion is only done for non-authoritative names (names outside my own zones.)
09:40 < |Mike|> rob0: i was a bit sarcastic :D
09:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:02 -!- mattock [~samuli@sparkgw.utu.fi] has quit [Ping timeout: 245 seconds]
10:27 < reiffert> Anyone into HP Procurve? Paticularily into LACP.
10:28 < theDoc> reiffert> What help do you need with it?
10:31 < reiffert> privmsg ok?
10:31 < theDoc> Sure.
10:36 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
10:48 -!- Error404NotFound [~Eror404@119.153.70.121] has joined ##openvpn
10:48 -!- Error404NotFound [~Eror404@119.153.70.121] has quit [Changing host]
10:48 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
10:57 -!- dazo [~dazo@nat/redhat/x-trdcpaehnoxqbcwa] has quit [Read error: Connection reset by peer]
10:58 -!- dazo [~dazo@nat/redhat/x-tnjwdjqvamlntvrb] has joined ##openvpn
11:02 -!- albondi [~albondee@99-144-131-76.lightspeed.miamfl.sbcglobal.net] has joined ##openvpn
11:07 -!- dazo is now known as dazo_afk
11:15 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
11:21 -!- macsppadic [~sonupunno@82.109.74.162] has left ##openvpn []
11:22 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 256 seconds]
11:23 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
11:23 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
11:23 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
11:48 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined ##openvpn
11:54 -!- a-zlex [~as@null0.ipv6.bgp4.org] has quit [Read error: No route to host]
11:58 -!- albondi [~albondee@99-144-131-76.lightspeed.miamfl.sbcglobal.net] has quit [Ping timeout: 264 seconds]
12:12 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit [Quit: Leaving]
12:28 -!- bandini [~bandini@host190-105-dynamic.45-79-r.retail.telecomitalia.it] has joined ##openvpn
12:30 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
12:38 -!- a-zlex [~as@null0.ipv6.bgp4.org] has joined ##openvpn
12:46 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
12:47 < CamargoBP> Hey guys, I'm still working on that problem I had yesterday. I ran an strace on the openvpn process and it's looking for this file: 21332 stat("/etc/openvpn/keys/45644673.r0", 0x7fff7b4689c0) = -1 ENOENT (No such file or directory)
12:47 < CamargoBP> Here is a referesher
12:47 < CamargoBP> Goal: Connect to a subnet: 10.128.0.0/16 from anywhere. server.conf: http://pastebin.com/m7adae552 client.conf: http://pastebin.com/m69db333 error: http://pastebin.com/m4bac88c9
12:48 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
12:48 < CamargoBP> I've added/removed the server.conf option: crl-verify /etc/openvpn/keys/crl.pem
12:48 < CamargoBP> Same error both times.
12:49 < CamargoBP> it seems to always be looking for this file: /etc/openvpn/keys/45644673.r0
12:49 < CamargoBP> Any ideas to as why it would be looking for that file?
12:57 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
12:58 -!- tomtom2 [~tomtom@c-76-19-139-0.hsd1.ma.comcast.net] has joined ##openvpn
12:58 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
12:59 < tomtom2> anyone running openvpn on ubuntu?
12:59 < tomtom2> I am getting the following error
12:59 < tomtom2> (WSAECONNRESET) (code=10054)
12:59 < tomtom2> google shows that its a comman error ubuntu users get
12:59 < tomtom2> but no fix
12:59 < ecrist> !networkmanager
12:59 < vpnHelper> ecrist: Error: "networkmanager" is not a valid command.
12:59 < ecrist> !ubuntu
13:00 < vpnHelper> ecrist: "ubuntu" is dont use network manager!
13:00 < tomtom2> vpm?
13:01 < tomtom2> vpn what do u mean
13:01 < ecrist> tomtom2: network manager is broken.  if you're using it, dont'
13:02 < tomtom2> I edited the files manually
13:02 < ecrist> ok, logs, and configs, please
13:02 < ecrist> !logs
13:02 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
13:02 < ecrist> !configs
13:02 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
13:03 < tomtom2> ok hold
13:06 < tomtom2> http://pastebin.com/m6c3bde55
13:06 < tomtom2> both server and client conf
13:07 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 248 seconds]
13:10 < tomtom2> nything else
13:10 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
13:10 -!- __trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
13:16 < ecrist> yes, your logs
13:26 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
13:33 -!- PiousMinion [~clay@175-216.126-70.tampabay.res.rr.com] has left ##openvpn []
13:36 -!- __trine is now known as _trine
13:37 < CamargoBP> I'm thinking this is a bug in openvpn 2.1.1. Is anyone else getting the VERIFY ERROR: depth=0, error=unable to get certificate CRL error?
13:42 < ecrist> full logs, server and client, CamargoBP 
13:42 < ecrist> !logs
13:42 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
13:42 < CamargoBP> Goal: Connect to a subnet: 10.128.0.0/16 from anywhere. server.conf: http://pastebin.com/m7adae552 client.conf: http://pastebin.com/m69db333 error: http://pastebin.com/m4bac88c9
13:43 < CamargoBP> Logs in a sec
13:43 < rob0> Any reason you can't put all that into one pastebin? I don't feel like jumping all over the place. ONE pastebin please.
13:46 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Read error: Connection reset by peer]
13:46 < CamargoBP> Logs: http://pastebin.com/m63f864f8
13:46 < CamargoBP> Sure I can do that
13:46 < CamargoBP> One sec.
13:48 < CamargoBP> All in one file: http://pastebin.com/m7567715b
13:49 < ecrist> is the certificate installed on the client?
13:50 < CamargoBP> This one has the strace error at the bottom. So this is the true full logs: http://pastebin.com/m3bdd7641
13:50 < CamargoBP> Yes
13:50 < ecrist> is that client or server log?  we really need both
13:51 < ecrist> CamargoBP: have you thought about using tunnelblick or viscosity on your mac?
13:52 < ecrist> and, for some reason, it's trying to access /etc/openvpn/keys/45644673.r0 which doesn't exist.
13:53 < rob0> And that strace error was where it ended?
13:54 < rob0> "SSL3_GET_CLIENT_CERTIFICATE:no certificate returned" sounds like an openssl problem with the client cert.
14:05 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
14:06 < reiffert> anyone into OS X and iSCSI initiators?
14:06 < reiffert> (attotech xtend san maybe)
14:15 < ecrist> iSCSI sucks
14:15 < ecrist> stay away from it if you can.
14:15 < ecrist> you're better off with NFS
14:34 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
14:34 < CamargoBP> ecrist:  I use tunnleblick. (Sorry I had to step out for a bit) Here is the client side logs as well. (Full logs) http://pastebin.com/m401e3e9d
14:35 -!- flaco [~flaco@pc-166-153-83-200.cm.vtr.net] has quit [Ping timeout: 248 seconds]
14:36 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Read error: Connection reset by peer]
14:42 < reiffert> ecrist: how would nfs combine two 5TB shares to a single 10TB share?
14:42 < ecrist> I think you could do something like that with GELI
14:43 < ecrist> what are you trying to do?
14:43 < reiffert> combine two synology DS409 to have one big backup space
14:44 < reiffert> I already told $customer that this will be the most insane situation he can have.
14:45 < reiffert> but hey, it's not my time when he needs to resync a 12TB backup when one disk gets lost.
14:45 < ecrist> if it's freebsd, yes, pretty easy with geom, I think
14:45 < ecrist> http://en.wikipedia.org/wiki/GEOM
14:45 < vpnHelper> Title: GEOM - Wikipedia, the free encyclopedia (at en.wikipedia.org)
14:45 < reiffert> kind of, OS X.
14:47 < ecrist> geom isn't available on os x.
14:48 < ecrist> I would suggest some other schema, or other external enclosures, or maybe a freebsd head for those enclusures. :)
15:04 -!- albondi [~albondee@99-144-131-76.lightspeed.miamfl.sbcglobal.net] has joined ##openvpn
15:11 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Ping timeout: 264 seconds]
15:16 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
15:18 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
15:24 < tomtom2> where adoes openvpn store its server logs?
15:29 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
15:31 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
15:32 -!- albondi [~albondee@99-144-131-76.lightspeed.miamfl.sbcglobal.net] has quit [Ping timeout: 264 seconds]
15:59 -!- tomtom2 [~tomtom@c-76-19-139-0.hsd1.ma.comcast.net] has quit []
16:05 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
16:07 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:29 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
16:42 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
16:48 -!- tw [~silverfis@c-98-223-105-100.hsd1.in.comcast.net] has joined ##openvpn
16:48 < tw> !welcome
16:48 < vpnHelper> tw: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:48 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
16:49 < tw> !redirect
16:49 < vpnHelper> tw: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
16:50 < tw> Ookey, is this in a web document somewhere?
16:50 < tw> !def1
16:50 < vpnHelper> tw: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
16:54 < tw> !man
16:54 < vpnHelper> tw: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
17:02 < tw> Oh good, apparently all I needed was push "redirect-gateway def1" and everything else I had right.
17:02 < tw> thanks, vpnHelper!
17:22 -!- SparFux [~raoul@e182016187.adsl.alicedsl.de] has joined ##openvpn
17:23 < SparFux> Hi all. Just a quick question. When using dev tun and udp, I open firewall for port 11194 which I use. But what about the packets from the vpn network? will they be filtered, too?
17:52 < tw> They will get filtered when they get forwarded.
17:54 < tw> (I expect.  I haven't tested it explicitly.  Typically, when you've got data coming in/out of a ppp interface, it goes out over your main interface again after passing through -t filter FORWARD.)
17:55 < SparFux> tw: I tried, it filters even in INPUT and OUPUT chain.
17:55 < SparFux> first I have to open port 1194 for udp for main internet access of openvpn daemon, then I even have to open ports I want to open for the LAN address.
17:55 < SparFux> That's nice :-)
17:56 < tw> Are your rules limited by interface?  Have you tried just allowing anything not on your external interface coming from your vpn pool?
17:57 < tw> (also, that's weird in linux... it should just go along FORWARD, and not hit any of the others)
17:58 < tw> I'd need to know more specifics about what you're trying to do to explain it better.
17:58 < SparFux> but it's not forward, its packets goinog to my localhost.
17:58 < SparFux> I have set up and openvpn to a friend from my local machine only. That's right that it goes to INPUT and OUTPUT. FORWARD is for the LAN I might have one day :-)
17:59 < tw> Oh, then yes, it will be filtered by input/output.
17:59 < SparFux> And the big question is, how can I accomplish that my friend can be server, too. Like we both have dyndns names and we want to be able to initiate vpn from both sites. right now I am server and only he can bring up the lan.
18:01 < tw> I don't know how to do that in openvpn.
18:02 < SparFux> ok.
18:05 < SparFux> It seems, which is really ass kciking cool.
18:05 < SparFux> It seems really, that both sides only have to use remote line :-)
18:06 < SparFux> It seems it decides itself who would be client or server. Nice one.
18:08 < SparFux> The question is wether openvpn will be smart enough to survive a 24h disconnect of my dsl line :-\
18:18 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 258 seconds]
18:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
18:25 -!- albondi [~albondee@99-144-131-76.lightspeed.miamfl.sbcglobal.net] has joined ##openvpn
18:29 < SparFux> Can I specify a timeout where the ip address of the dns in "remote" line is re-queried when no connection possible?
18:29 < SparFux> in order to survive a temporary disconnect with change of ip address?
18:35 < rob0> If you want both sides to be listening AND initiating connections, you want peer mode, see the 1.x howto.
18:36 < rob0> If either peer changes IP address, the one who changed should still be able to connect to the non-changed one.
18:36 -!- SparFux [~raoul@e182016187.adsl.alicedsl.de] has quit [Ping timeout: 260 seconds]
18:36 < rob0> sigh
18:41  * reiffert is doing iscsi over openvpn
18:41 < reiffert> over a 2mbit/s line.
18:41 < reiffert> formating 12TB disk.
18:41 < reiffert> glad openvpn runs compression up to 2.6mbit/s
18:42 < reiffert> :)
18:42 -!- albondi [~albondee@99-144-131-76.lightspeed.miamfl.sbcglobal.net] has quit [Read error: Connection reset by peer]
18:42 -!- jadew [~jadew@188.27.94.151] has joined ##openvpn
18:42 -!- albondi [~albondee@99-144-131-76.lightspeed.miamfl.sbcglobal.net] has joined ##openvpn
18:43 < jadew> hi guys, is it possible to configure the openvpn client so once a connection is active, it will use that as the default route, basically access the internet trough the vpn?
18:44 < rob0> !redirect-gateway
18:44 < vpnHelper> rob0: Error: "redirect-gateway" is not a valid command.
18:44 < rob0> see --redirect-gateway in the man page
18:45 < jadew> thanks
18:47 < Bushmills> !redirect
18:47 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:48 < jadew> !def1
18:48 < vpnHelper> jadew: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
18:49 < rob0> NAT on the server is the typical way to do it, but it is by no means the only way.
18:49 < jadew> rob0, I'd need to use TAP for that, right?
18:49 < rob0> I've done it using proxy ARP and a regular routable IP.
18:49 < rob0> Huh, why tap?
18:50 < jadew> yeah, you're right, it doesn't make sense
18:50 -!- SparFux [~raoul@e182029220.adsl.alicedsl.de] has joined ##openvpn
18:50 < jadew> I'm about 30 minutes new to openvpn :)
18:50 < rob0> SparFux: If you want both sides to be listening AND initiating connections, you want peer mode, see the 1.x howto.
18:50 < jadew> just connected my phone to the vpn server and trying to get it to access the internet trough my home connection
18:51 < rob0> SparFux: If either peer changes IP address, the one who changed should still be able to connect to the non-changed one.
18:52 -!- albondi [~albondee@99-144-131-76.lightspeed.miamfl.sbcglobal.net] has quit [Remote host closed the connection]
18:52 < rob0> Peer mode by definition means there are only two peers, it's not a multi-client/single-server.
18:52 < SparFux> rob0: ok, if the one who didn't change ip address wants to connect, then it should look up the dns name in the "remote" line again :-)
18:53 < rob0> right
18:53 < rob0> and if both change, they both keep trying until one of them gets the right IP for the other.
18:54 < SparFux> nice. the dyndns name will be updated by both of them.
18:55 -!- theDoc [~jaki@69.10.59.162] has joined ##openvpn
18:55 -!- theDoc [~jaki@69.10.59.162] has quit [Changing host]
18:55 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
19:12 -!- SparFux [~raoul@e182029220.adsl.alicedsl.de] has left ##openvpn ["Leaving."]
19:16 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 256 seconds]
19:20 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
19:29 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
19:43 -!- krzee [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
20:54 < TecR0c> what port does openvpn listening on for incoming traffic over the net?
20:56 < Bushmills> the port which is specified in server config
21:00 < theDoc> By default, 1194.
21:14 < TecR0c> does that apply to openvpnas aswell ?
21:15 < theDoc> Yes.
21:15 < TecR0c> interesting if i nmap that port
21:15 < TecR0c> it says its closed
21:18 < TecR0c> Ports: 22/open/tcp//ssh///, 443/open/tcp//https///, 943/open/tcp//unknown///, 5480/open/tcp/////, 5488/open/tcp/////, 5489/open/tcp/////Ignored State: closed (65530)
21:19  * theDoc shrugs.
21:19 < theDoc> Turn on your openvpn service.
21:20 < TecR0c> the server is currently ON
21:20 < TecR0c> hrmm i just noticed it says port for VPN client connections: tcp/443
21:46 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
21:51 < MJD> TecR0c: by default its a udp port.  nmap scans tcp ports by default.  it wouldn't detect an open udp port on such a scan.  Also, scaning udp ports is not as easy as tcp.
21:51 -!- ribasushi [~rabbit@dslb-084-063-002-197.pools.arcor-ip.net] has quit [Ping timeout: 260 seconds]
21:52 < TecR0c> thanks for the tip
21:52 < MJD> np
21:55 -!- ribasushi [~rabbit@dslb-084-063-044-193.pools.arcor-ip.net] has joined ##openvpn
21:56 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 248 seconds]
21:58 -!- theDoc [~jaki@69.10.59.162] has joined ##openvpn
21:59 -!- fabrianchi [~hachepe@unaffiliated/fabrianchi] has joined ##openvpn
22:03 -!- theDoc [~jaki@69.10.59.162] has quit [Changing host]
22:03 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
23:31 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
--- Day changed Wed Feb 10 2010
00:00 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
00:04 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
00:16 -!- teratoma [~unknown@i.dont.get.mad.i.get.stabby.net] has joined ##openvpn
01:04 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
01:06 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:07 -!- mode/##openvpn [+o mattock] by ChanServ
01:13 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Quit: Leaving]
01:15 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
01:28 -!- polaru [~polaru@93.113.192.70] has joined ##openvpn
02:05 < jmm> hello.
02:22 -!- cron2 [~gert@blue.greenie.muc.de] has quit [Ping timeout: 248 seconds]
02:23 -!- cron2 [~gert@blue.greenie.muc.de] has joined ##openvpn
02:35 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
02:44 -!- fabrianchi [~hachepe@unaffiliated/fabrianchi] has quit [Read error: Connection reset by peer]
02:45 -!- fabrianchi [~hachepe@unaffiliated/fabrianchi] has joined ##openvpn
02:46 -!- Sweeper [~ppp@74.51.109.60] has joined ##openvpn
02:46 < Sweeper> hi folks
02:47 < Sweeper> got a bit of a problem here..my vpn connection is up and established, but I can't ping across it
02:47 < Sweeper> interestingly, on the tun0 device on the vpn server, it has lots of tx bytes but no rx bytes
02:48 < Sweeper> asdf vsat link down
02:48 < Sweeper> it WAS up anyways
02:49 < Sweeper> !welcome
02:49 < vpnHelper> Sweeper: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:49 < Sweeper> !interface
02:49 < vpnHelper> Sweeper: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
02:50 < Sweeper> !configs
02:50 < vpnHelper> Sweeper: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
02:51 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
02:52 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 260 seconds]
02:59 < Sweeper> you guys
02:59 < Sweeper> you guys' lack of answering is going to give me cancer
03:00 -!- teddymills [~teddy@208.92.235.227] has quit [Read error: Connection reset by peer]
03:01 < Sweeper> I don't even really know how to test/troubleshoot it...routes look good, connection is up, but no joy
03:01 -!- teddymills [~teddy@208.92.235.227] has joined ##openvpn
03:02 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
03:05 < rob0> It's middle of the night in my TZ, and my lack of sleep ranks higher with me than your cancer does, sorry.
03:08 -!- master_of_master [~master_of@p57B542D7.dip.t-dialin.net] has quit [Ping timeout: 256 seconds]
03:10 -!- master_of_master [~master_of@p57B565EB.dip.t-dialin.net] has joined ##openvpn
03:11 < cron2> !route
03:11 < vpnHelper> cron2: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
03:14 < Sweeper> rob0: well it's 4am here as well :P
03:32 < Sweeper> ok link back up. I guess I paste some configs now
03:35 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
03:46 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
03:49 < Sweeper> http://pastebin.ca/1792386 <-- here is the config
03:52 < Sweeper> http://pastebin.ca/1792388 <-- updated to include software versions
03:59 < Sweeper> problem I'm having is that despite the ovpn connection being up, authenticated, etc, and traffic going over the interface, I can't ping.
04:00 < Sweeper> what kind of routes should exist on my server machine?
04:00 < Sweeper> I see lots of routes to 10.0.0.2, but nobody can ping 10.0.0.2
04:00 < Bushmills> can't ping what?
04:01 < Bushmills> how about pinging 10.0.0.1?
04:05 < Sweeper> I can ping it from the server, because that's the address of the tun0 interface
04:05 < Sweeper> inet addr:10.0.0.1  P-t-P:10.0.0.2  Mask:255.255.255.255
04:05 < Sweeper> that's what I've got in ifconfig for tun0
04:05 < Sweeper> s/in/from/
04:05 < cron2> the 10.0.0.2 address is sort of virtual, you can't ping it
04:06 < Bushmills> ping same address from client
04:06 < cron2> it is only used to have something to point routes to, which is "on the other side of the tun0 interface"
04:06 < cron2> clients will have other addresses assigned, not 10.0.0.2
04:06 < Sweeper> right
04:06 < Sweeper> I just wanted to check all the steps along the way
04:06 < cron2> so there's your answer :-) - the p2p-address on the server will never be pingable
04:07 < Sweeper> well answer to THAT
04:07 < Sweeper> I still can't ping between client and server
04:07 < cron2> (on the client it depends on the topology setting, if /30s are assigned, same thing)
04:08 < cron2> what's the tun0 ifconfig on the client side, and what happens if the client pings 10.0.0.1?
04:08 < Sweeper> ok, so on client, I should have 10.0.0.3 for example be the 'real' address, and .4 the fake one, and routes point at the .4?
04:08 < cron2> dunno which way around it is, but yes - one is "ifconfig" and the other one is "where routes point to"
04:09 < Sweeper> ok that might have been a problem, let me rectify some things here
04:10 < cron2> start without ifconfig-push in the ccd
04:11 < cron2> and ".4" is not a valid address in a /30 anyway, it needs to be .5 and .6
04:11 < cron2> (in your config, ifconfig-push is overlapping with the server address pool, and I'm not sure whether this will cause surprises)
04:11 < Sweeper> oh, it needs to be all subnetty...
04:12 -!- dazo_afk is now known as dazo
04:12 < Sweeper> ok, vpn back up
04:12 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
04:12 < Sweeper> I don't have ifconfig-push, so it assigned me 10.0.0.10
04:13 < cron2> now you should be able to ping 10.0.0.10 from the server, and 10.0.0.1 from the client
04:13 < Sweeper> nada
04:13 < cron2> if that doesn't work, I'd suspect local firewall rules on client or server that interfere
04:15 < cron2> I'd try "tcpdump -n -i tun0" on the server and "tcpdump -n -i ovpn-out1" on the client to see whether packets are moving at all
04:16 < Sweeper> ok, tcpdump on server while pinging client show the packets
04:16 < cron2> outgoing and incoming, or only outgoing?
04:16 < Sweeper> outgoing only
04:17 < cron2> so next step is tcpdump on mikrotik - should show "incoming", at least
04:19 < Sweeper> all I see are packets for ip protocol 64 from 159.10.0.0 to 1.10.0.0
04:20 < Sweeper> net even the same length as the ping packets I'm sending
04:20 < cron2> that's no good
04:20 < cron2> either tcpdump is broken on mikrotik, or openvpn's handling of tun interfaces is
04:20 < Sweeper> well it's not real tcpdump, so it could be that
04:21 < Sweeper> it's their little built-in packet sniffer thing
04:21 < cron2> if you ping outgoing mikrotik->server, can you see anything in tcpdump on the server side?
04:21 < Bushmills> protocol 64?  i'd have expected packet size of 64 bytes
04:22 < Sweeper> yea!
04:22 < Sweeper> so weird
04:22 < cron2> Bushmills: yes, looks like packet is shifted by some offset of 16 bit or so
04:22 < Sweeper> ok, there must be some snow on the dish or something, this thing keeps kicking me off
04:22 < cron2> what OS is mikrotik OS?  Is that BSD based?
04:22 < Sweeper> iirc it's linux
04:22 < Bushmills> icmp is protocol 1
04:23 < Sweeper> ok, nothing when pinging from mikrotik to server
04:23 < cron2> mmmh, more "offset by one byte", weird
04:23 < cron2> does tcpdumping (sniffing) on mikrotik work for ping mikrotik->server?
04:23 < Sweeper> oh good try
04:24 < cron2> (figure out whether "sniffer" is broken or "openvpn tun handling")
04:24 < Sweeper> *idea
04:25 < Sweeper> man this is really frustrating. stupid satellite
04:26 < Sweeper> ok yea, I have a lot of packets from 10.0.0.10 to 10.0.0.1 on the mikrotik sniffer
04:26 < Sweeper> you know it DOES look offset
04:27 < cron2> in the server openvpn log files, I bet you can find log messages about "invalid source IP address from client" (or something like that)
04:27 < Sweeper> http://imagebin.ca/view/Pf_NMQ.html
04:27 < vpnHelper> Title: silly.png (at imagebin.ca)
04:27 < Sweeper> hmm, I'm getting 'bad lzo decompression header'
04:27  * Sweeper disables it on both sides
04:28 < Sweeper> vpn restarting....
04:29 < Sweeper> FUCK YEA
04:29 < cron2> so what?
04:29 < Sweeper> gee, look in the logs
04:29 < Sweeper> that was difficult
04:29 < Sweeper> disabled lzo
04:29 < Sweeper> I didn't see any options for it in the mikrotik
04:29 < Sweeper> so probably doesn't support it
04:30 < Sweeper> time for celebratory smoke break :D
04:30 < cron2> so it works now?
04:30 < Sweeper> yea
04:30 < cron2> cool :-)
04:30  * Sweeper adds to mikrotik wiki page
04:31 < cron2> indeed... "look at the logs" is most useful :-)
04:31 < Sweeper> yea. I was looking in the client logs and didn't see anything...
04:39 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
04:42 -!- awetawet [~aewtawet@110-174-4-223.tpgi.com.au] has joined ##openvpn
04:42 -!- awetawet [~aewtawet@110-174-4-223.tpgi.com.au] has quit [Remote host closed the connection]
04:45 < Sweeper> cron2: ok, so to ifconfig-push, each client has to be subnetted into a /30?
04:49 -!- julius [~julius@217.20.127.15] has quit [Ping timeout: 276 seconds]
04:54 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
04:57 -!- julius [~julius@217.20.127.15] has joined ##openvpn
05:00 < cron2> Sweeper: I'm not fully sure, this depends on the topology setting (which defaults to "one /30 per client").  You should be able to hand them single IP addresses if you do "topology subnet" on the server side.
05:01 < cron2> I'd also make sure that your ifconfig-push addresses do not overlap with the address range specified in the "server" statement (which defines the ifconfig-pool used)
05:01 < cron2> "server" is really a macro for "mode server" and "ifconfig-pool" and "route" :-)
05:07 -!- bandinia [~bandini@host115-111-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn
05:11 -!- bandini [~bandini@host190-105-dynamic.45-79-r.retail.telecomitalia.it] has quit [Ping timeout: 264 seconds]
05:27 -!- sparch [~daniel@pdpc/supporter/active/sparch] has joined ##openvpn
05:27 < sparch> morning
05:27 < sparch> I missed you all
05:55 -!- Kaspx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: Connection reset by peer]
05:55 -!- Kaspx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
05:55 -!- mode/##openvpn [+v Kaspx] by ChanServ
06:09 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 240 seconds]
06:12 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
06:25 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 252 seconds]
06:34 < ecrist> good morning
06:35 <@mattock> morning
06:35 <@mattock> or afternoon, rather
06:39 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:40 < sparch> I'm glad the coffee is awesome
06:40 < sparch> have somedays that it realy suck
06:40 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
07:19 < macsppadic> afternoon sparch 
07:21 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
07:23 < sparch> macsppadic: 11:23AM here.. hehe
07:23 < macsppadic> ahh 2 hours behind then .:-D
07:24 < sparch> I'm wondering what we'll get for lunch today
07:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:54 < sparch> now, time to lunch
08:10 -!- arturob [~bandini@host60-104-dynamic.45-79-r.retail.telecomitalia.it] has joined ##openvpn
08:11 -!- bandinia [~bandini@host115-111-dynamic.44-79-r.retail.telecomitalia.it] has quit [Ping timeout: 264 seconds]
08:16 -!- ribasushi [~rabbit@dslb-084-063-044-193.pools.arcor-ip.net] has quit [Read error: Connection reset by peer]
08:21 -!- fabrianchi [~hachepe@unaffiliated/fabrianchi] has quit [Remote host closed the connection]
08:43 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Read error: Operation timed out]
08:44 < sparch> man... the lunch was awesome
08:53 < tw> Is it possible to have separate configurations by client category?  For example, I'd like one client to do whole internet tunneling, and another to only tunnel requests to the private network.  Do I need to run 2 openvpn servers for that or can I do it with just one instance?
09:05 < rob0> !ccd
09:05 < vpnHelper> rob0: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
09:05 < tw> That's cool.
09:06 < tw> Ok, thanks.
09:09 < tw> I can't really do group based management with that, but I suppose I can use symlinks to group 'em up.
09:13 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Operation timed out]
09:17 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
09:23 -!- jmoncayo [~chatzilla@200.124.230.68] has joined ##openvpn
09:23 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined ##openvpn
09:23 < ivenkys> !welcome
09:24 < vpnHelper> ivenkys: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:24 < jmoncayo> hi guys, i am getting this error when trying to connect to my server from my windows client Cannot use private key: error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure: error:140AE043:SSL routines:SSL_CTX_use_PrivateKey:passed a null parameter
09:24 < jmoncayo> Wed Feb 10 10:23:15 2010 Exiting
09:26 -!- xeviox [~NEBAP@p54979406.dip0.t-ipconnect.de] has joined ##openvpn
09:26 -!- xeviox [~NEBAP@p54979406.dip0.t-ipconnect.de] has left ##openvpn []
09:28 < jmoncayo> anyone could help me configuring openvpn to work with pkcs12
09:43 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Read error: Connection reset by peer]
09:47 -!- |STF| [~STF@dslb-084-061-188-048.pools.arcor-ip.net] has joined ##openvpn
09:49 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Remote host closed the connection]
09:52 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
09:53 -!- Irssi: ##openvpn: Total of 83 nicks [1 ops, 0 halfops, 2 voices, 80 normal]
10:09 -!- polaru [~polaru@93.113.192.70] has quit [Remote host closed the connection]
10:20 -!- d12fk [~heiko@vpn.astaro.de] has quit [Read error: Connection reset by peer]
10:22 -!- d12fk [~heiko@vpn.astaro.de] has joined ##openvpn
10:25 < ivenkys> !howto
10:25 < vpnHelper> ivenkys: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:30 -!- _STF_ [~STF@20-130.stw.uni-duisburg.de] has joined ##openvpn
10:33 -!- _STF_ [~STF@20-130.stw.uni-duisburg.de] has quit [Client Quit]
10:33 -!- |STF| [~STF@dslb-084-061-188-048.pools.arcor-ip.net] has quit [Ping timeout: 258 seconds]
10:33 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
10:49 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:06 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined ##openvpn
11:07 < bashusr> hi, i'm having problems with routing in openvpn .. for some reason, push "route 172.20.0.0 255.255.255.0" is not being honored on the client side
11:08 < bashusr> i tried --verb 4 and 5 and i don't see the command ever get run
11:11 < bashusr> what can i do to diagnose this issue?
11:16 < cron2> !configs
11:16 < vpnHelper> cron2: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
11:16 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
11:17 -!- d12fk [~heiko@vpn.astaro.de] has quit [Read error: Operation timed out]
11:18 -!- d12fk [~heiko@vpn.astaro.de] has joined ##openvpn
11:21 < cron2> my guess would be that you're missing "pull" in the client config, or have "route-nopull" set in the client config
11:38 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
11:41 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:45 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
12:22 -!- dazo is now known as dazo_afk
12:37 -!- bashusr_ [~bashusr@pool-96-224-30-66.nycmny.east.verizon.net] has joined ##openvpn
12:39 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Ping timeout: 252 seconds]
12:44 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
12:45 < snovak7> bah!
12:46 < snovak7> impossible, impossible!
12:57 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Read error: Operation timed out]
12:57 -!- PeterFA [~Peter@2002:62cb:84d1:1234:21a:73ff:fe3b:d510] has joined ##openvpn
12:57 -!- PeterFA [~Peter@2002:62cb:84d1:1234:21a:73ff:fe3b:d510] has quit [Changing host]
12:57 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
13:00 -!- jmoncayo [~chatzilla@200.124.230.68] has quit [Ping timeout: 245 seconds]
13:06 < CamargoBP> Where do I find crl-verify? Example on the openvpn site: crl-verify crl.pem
13:06 < CamargoBP> http://openvpn.net/index.php/open-source/documentation/howto.html
13:06 < vpnHelper> Title: HOWTO (at openvpn.net)
13:06 < CamargoBP> Nevermind
13:06 < CamargoBP> It's a directive not a command
13:08 < CamargoBP> I sure am going crazy trying to figure out why openvpn keeps saying: VERIFY ERROR: depth=0, error=unable to get certificate CRL
13:12 -!- ScriptFanix [vincent@Tuluk.riquer.fr] has quit [Ping timeout: 248 seconds]
13:26 -!- X-Raimo [~alexmurav@ppp94-29-70-81.pppoe.spdop.ru] has joined ##openvpn
13:28 -!- X-Raimo [~alexmurav@ppp94-29-70-81.pppoe.spdop.ru] has left ##openvpn []
13:28 -!- X-Raimo [~alexmurav@ppp94-29-70-81.pppoe.spdop.ru] has joined ##openvpn
13:30 < ecrist> CamargoBP: do you have crl-verify in your config, and no crl.pem file?
13:30 < X-Raimo> hello, i have problem with openVPN. I took working config from another server and adapted it to my machine. But it doesn't work - the problem is: Client connects to VPN succesfully. He even has access to internet via our server, but cannot ping any host in LAN
13:32 < ecrist> does the LAN know how to route to the VPN?
13:32 < X-Raimo> ecrist: how to check this?
13:33 < ecrist> go to a LAN host, try to ping the vpn, or do a traceroute, the traceroute should show the vpn server in the path
13:35 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
13:35 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
13:36 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
13:37 < X-Raimo> ecrist: no it doesn't. How set these route?
13:37 < snovak7> push route?
13:37 < ecrist> X-Raimo: on your default gateway, add a route for the VPN subnet and point it to the VPN server.
13:38 -!- ScriptFanix [vincent@Tuluk.riquer.fr] has joined ##openvpn
13:39 < X-Raimo> ecrist: okay. But my gateway and vpn is the same machine
13:50 < ecrist> then it should all just work.
13:53 < X-Raimo> ecrist: after i added route. I could LAN from VPN/ But still I cannot ping VPN from LAN 
13:54 < X-Raimo> ecrist: My routing table: http://paste.org.ru/?y5olma
13:55 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
13:55 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
13:58 -!- ScriptFanix [vincent@Tuluk.riquer.fr] has quit [Ping timeout: 256 seconds]
13:59 < tw> X-Raimo: does your firewall allow forwarding from tun0 to eth1 and the reverse?
14:02 -!- ScriptFanix [vincent@Tuluk.riquer.fr] has joined ##openvpn
14:03 < X-Raimo> tw: yes
14:35 -!- sparch [~daniel@pdpc/supporter/active/sparch] has quit [Quit: The light at the end of the tunnel may be an oncoming dragon.]
14:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 256 seconds]
14:38 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:54 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
15:05 -!- X-Raimo [~alexmurav@ppp94-29-70-81.pppoe.spdop.ru] has left ##openvpn []
15:14 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has quit [Ping timeout: 265 seconds]
15:19 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
15:22 -!- goog1jh [googijh@my.barbie.wears.no-panties.org] has quit [Ping timeout: 260 seconds]
15:22 -!- goog1jh [googijh@my.barbie.wears.no-panties.org] has joined ##openvpn
15:44 < reiffert> where is thedoc when you need him?
15:49 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
15:53 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined ##openvpn
16:04 -!- bashusr_ is now known as bashusr
16:04 -!- bashusr [~bashusr@pool-96-224-30-66.nycmny.east.verizon.net] has quit [Changing host]
16:04 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined ##openvpn
16:05 < CamargoBP> ecrist:  I have tried both ways. With the crl-verify and without, yes with a crl.pem created. Same error both times
16:06 < CamargoBP> ecrist:  Here are the logs/configs/errors/client and server. http://pastebin.com/m401e3e9d
16:07 < CamargoBP> I am sifting through the openvpn source right now.
16:16 < reiffert> anyone playing with lacp trunking on OSX?
16:25 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:29 < bashusr> can i push routes without tls-server?
16:31 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
16:35 -!- jadew [~jadew@188.27.94.151] has quit [Ping timeout: 240 seconds]
16:43 < rob0> tls-server is not directly relevant to that.
16:43 < bashusr> rob0: my client is not applying the routes i am pushing
16:43 < bashusr> let me pastebin my server and client config
16:43 < rob0> Why are you using TLS at all?
16:43 < bashusr> i am not
16:43 < rob0> oh nm
16:43 < bashusr> i'm trying to use pull
16:44 < rob0> duh, I was thinking tcp-server
16:44 < bashusr> cuz for some reason my client is not applying my push
16:44 < bashusr> but 1 sec, i'll pastebin my client and server
16:44 < rob0> but not logs?
16:44 < bashusr> where?
16:45 < bashusr> i have openvpn running --verb 3
16:45 < bashusr> and nothing about applying routes
16:45 < bashusr> the server has a line about pushing the route
16:45 < bashusr> but hte client has nothing about applying the routes
16:49 < rob0> CamargoBP, *how* did you create the CRL? All I can see, looks like problems with the openssl files.
16:50 < CamargoBP> Step 5 on this URL. http://www.webhostingtalk.com/showthread.php?t=595436
16:50 < vpnHelper> Title: HOWTO OpenVPN setup guide for FC3, FC4, FC5, CentOS and others,connecting via Windows : Hosting Security and Technology Tutorials : Web Hosting Talk (at www.webhostingtalk.com)
16:50 < CamargoBP> I found the problem
16:51 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Quit: ZNC - http://znc.sourceforge.net]
16:53 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
16:55 < bashusr> http://pastebin.ca/1793175
16:55 < bashusr> any ideas why my push isn't working?
16:56 < CamargoBP> Where do I submit bugs to openvpn?
17:09 < rob0> bashusr, that DOES say tcp-server, not tls-server
17:10 < bashusr> rob0: yes
17:10 < bashusr> i know
17:10 < rob0> "push" is server ONLY
17:10 < bashusr> ah
17:10 < bashusr> i see
17:10 < rob0> you are not a server
17:10 < bashusr> dumb me
17:10 < bashusr> so i have to instead of push
17:10 < bashusr> put it in the client
17:10 < bashusr> seems so simple
17:10 < rob0> an up script
17:10 < rob0> there is no client per se
17:10 < rob0> except in TCP terms (and why TCP, anyway?)
17:10 < rob0> !tcp
17:10 < vpnHelper> rob0: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
17:15 < bashusr> rob0: if you don't notice
17:15 < bashusr> i'm going over 443
17:16 < bashusr> i have pretty bad firewalls to get around
17:16 < bashusr> i only have 3 ports open
17:16 < bashusr> ftp
17:16 < bashusr> http
17:16 < bashusr> and https
17:17 < bashusr> yay it works!
17:17 < bashusr> instead of push, i put just route on the "client" vpn computer
17:18 < bashusr> it is a client in the fact that the server listens and the client does the connecting
17:36 -!- CamargoBP [~CamargoBP@orem.jiveip.net] has quit [Remote host closed the connection]
17:36 -!- CamargoBP [~CamargoBP@orem.jiveip.net] has joined ##openvpn
17:36 -!- CamargoBP [~CamargoBP@orem.jiveip.net] has quit [Excess Flood]
17:38 -!- CamargoBP [~CamargoBP@orem.jiveip.net] has joined ##openvpn
17:38 -!- CamargoBP [~CamargoBP@orem.jiveip.net] has quit [Excess Flood]
17:41 -!- CamargoBP [~CamargoBP@orem.jiveip.net] has joined ##openvpn
17:41 -!- CamargoBP [~CamargoBP@orem.jiveip.net] has quit [Excess Flood]
17:46 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Read error: Connection reset by peer]
17:52 -!- Scuderia [~gshell@nr5-216-196-210-185.fuse.net] has joined ##openvpn
17:53 < Scuderia> Can any of you tell me if the OpenVPN community software solution can coexist with my exsiting SBS2003 PPTP based VPN?
17:54 < bashusr> Scuderia: what do you mean coexist?
17:55 < Scuderia> Can it run on my SBS2003 machine without affecting my existing users who are connecting via the "stock" PPTP based VPN?
17:56 < Scuderia> I have one user who is having firewall issues and wants to know if I can support a SSL based VPN.
17:56 < Scuderia> Doing that with SBS2003 is a PAIN.
17:56 < bashusr> Scuderia: short answer is yes
17:56 < bashusr> but whether you can access all the network assets is another question
17:56 < Scuderia> And the longer answer is... <big ol' grin>
17:56 < bashusr> you'll have to make sure all the routing is done properly and all
17:58 < Scuderia> Actually that one user only needs to access a single asset, i.e. a SQL server that is part of the domain behind the SBS2003.
18:00 < Scuderia> I have never played with OpenVPN, can you point me to any good "resources" to get me started?
18:02 < Scuderia> bashusr:  are you still there???
18:04 < bashusr> sorry
18:04 < bashusr> yes
18:04 < bashusr> the howto
18:04 < Scuderia> the howto?
18:04 < bashusr> if you follow that, you can do most everything
18:05 < bashusr> most client to server, and even site to site vpn configurations
18:05 < bashusr> Scuderia: http://openvpn.net/index.php/open-source/documentation/
18:05 < vpnHelper> Title: Documentation (at openvpn.net)
18:05 < Scuderia> OK.  I will image my server first, just in case and then give it a go.
18:06 < bashusr> if you do have a *nix machine, i recommend you use that over a windows server 
18:06 < bashusr> but openvpn will work on a windows server
18:07 < Scuderia> Thanks,  I just wanted to be sure it would not screw up my existing VPN connections as I have to maintin those as well.
18:07 < bashusr> Scuderia: it shouldn't
18:07 < bashusr> openvpn can use a different subnet
18:08 < Scuderia> "should"  being the operative word.   grin...
18:08 < Scuderia> I also see there is a forum that I can refer to as well.  The IRC welcome message here pointed that out. 
18:08 < Scuderia>  http://ovpnforum.com
18:09 < vpnHelper> Title: OpenVPN Forum Index page (at ovpnforum.com)
18:09 < Scuderia> So I'll poke around there a bit as well.  Thanks for you help bashusr... dinner is calling.
18:10 -!- Scuderia [~gshell@nr5-216-196-210-185.fuse.net] has quit []
18:28 -!- upb [cmpxchg@88.80.13.92] has joined ##openvpn
18:33 -!- bashusr_ [~bashusr@pool-71-183-181-156.nycmny.east.verizon.net] has joined ##openvpn
18:33 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Ping timeout: 252 seconds]
18:39 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
18:47 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined ##openvpn
18:47 -!- bashusr_ [~bashusr@pool-71-183-181-156.nycmny.east.verizon.net] has quit [Ping timeout: 252 seconds]
18:48 -!- bashusr [~bashusr@unaffiliated/bashusr] has left ##openvpn []
19:14 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
19:17 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
19:23 -!- theDoc_ [~jaki@unaffiliated/thedoc] has joined ##openvpn
19:25 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 265 seconds]
19:28 -!- theDoc_ is now known as theDoc
20:02 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined ##openvpn
20:03 < bashusr> hi, how do i get redirect-gateway working? i can't get the vpn client to use my LAN gateway
20:03 < bashusr> all it says is "No route to host"
20:03 < bashusr> apparently a routing issue
20:19 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
20:26 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Quit: leaving]
20:26 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined ##openvpn
20:28 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
20:35 < bashusr> redirect-gateway is a mystery to me
20:41 < theDoc> You are a mystery to me too
20:45 < bashusr> theDoc: =)
20:45 < theDoc> ;p
20:45 < bashusr> can you give me any assistance with redirect-gateway?
20:46 < bashusr> i can ping my internal LAN right now
20:46 < theDoc> Yes, that parameter redirects the traffic to another gateway
20:46 < theDoc> ;p
20:46 < theDoc> So what's the problem with it?
20:46 < bashusr> i can ping the internal LAN gateway
20:46 < bashusr> but when i try to ping google or anything outside of the network
20:46 < bashusr> i get no route to host
20:46 < bashusr> so something is lost between the VPN server, gateway, and the internet
20:47 < bashusr> i set up ipv4 forwarding on the VPN server
20:47 < bashusr> i set up routes to the VPN subnet (172.30.0.0/24)
20:48 < bashusr> from my gateway
20:48 < bashusr> i can ping back and forth the vpn client from different machines within my LAN
20:48 < upb> do you have NAT on your gateway ?:PP
20:48 < bashusr> i just can't get outside of my LAN
20:48 < bashusr> upb: yes? 
20:48 < theDoc> What upb said.
20:48 < upb> ok :)
20:49 < theDoc> bashusr> Pastebin configs from server/client and routing table
20:49 < bashusr> theDoc: who's routing tables?
20:49 < theDoc> server routing tables
20:49 < bashusr> ok
20:52 < bashusr> http://pastebin.ca/1793417
20:53 < bashusr> what do you guys think?
20:55 < theDoc> Line 12 is wrong.
20:55 < bashusr> theDoc: yay
20:55 < bashusr> ok why?
20:56 < theDoc> Hang on a second.
20:56 < bashusr> ok
20:56 < bashusr> sure, thanks
20:56 < theDoc> I need to double check it ;p
20:57 < bashusr> theDoc: lol, it's right
20:57 < bashusr> that works
20:57 < bashusr> i'm beyond the basic setup
20:57 < bashusr> right now, i just need to fine-tune routing
20:57 < theDoc> bashusr> Can you traceroute to google and let me know where the traffic drops?
20:59 < bashusr> nope
20:59 < bashusr> can't traceroute
20:59 < bashusr> it doesn't go through at all
20:59 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
20:59 < bashusr> traceroute: findsaddr: write: No such process
21:01 < theDoc> bashusr> No such process?
21:01 < theDoc> Where are you tracerouting from?
21:01 < bashusr> OS X =/
21:01 < theDoc> Are you connected via vpn yet?
21:01 < bashusr> yes i am
21:05 < bashusr> yay!
21:05 < bashusr> magic
21:06 < bashusr> it works =P
21:06 < bashusr> DNS has to be in caps
21:06 < bashusr> so does DOMAIN
21:06 < bashusr> so annoying
21:06 < theDoc> wtf.
21:07 < theDoc> I've never seen that happen before ;p
21:07 < bashusr> the openvpn client for mac is buggy
21:07 < bashusr> i had to look at the routing script
21:07 < bashusr> and when i was looking at it
21:07 < bashusr> it uses a grep DOMAIN
21:07 < bashusr> and grep DNS
21:08 < bashusr> and i was like.... wha?
21:08 < theDoc> Oh, you're using the client?
21:08 < theDoc> hm
21:09 < bashusr> why?
21:09 < bashusr> there is a native openvpn client for OS X?
21:09 < bashusr> yay
21:09 < bashusr> all routes connected
21:09 < bashusr> i'm done!
21:09 < bashusr> =D
21:09 < bashusr> thanks
21:11 < theDoc> I use viscosity ;p
22:07 < simplechat> hey, is there any nice reason why a bridged vpn would be insanely flaky?
22:08 < vpnHelper> New forum entry openvpnforum: Server Administration :: Stops working when I reboot Server 2008 :: Author moored99 <http://www.ovpnforum.com/viewtopic.php?f=4&t=2800&p=3258#p3258>
22:09 < simplechat> in short, i connect to a bridged vpn, connection works fine
22:09 < simplechat> server is up and has network connectivity
22:09 < simplechat> routes get added
22:09 < simplechat> however i can't actually get access
22:10 < theDoc> Have you checked NAT/FW/routes?
22:10 < simplechat> not sure exactly what to check tho
22:10 < simplechat> i have 192.168.3.0     192.168.3.1     255.255.255.0   UG    0      0        0 tap0
22:10 < simplechat> 192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 tap0
22:10 < simplechat> and tap0 is a device with the right ip
22:11 < simplechat> on my end
22:11 < theDoc> Which OS is your server running on?
22:11 < simplechat> server is running debian lenny
22:11 < simplechat> client is ubuntu karmic
22:11 < theDoc> and is there a real need to use bridged mode? ;p
22:11 < simplechat> yes, pretty much
22:11 < simplechat> i need to dial into work to access my servers
22:12 < simplechat> (vps server farm, so installing openvpn on each of them would just be a pain)
22:13 < theDoc> simplechat> Er, no. You can run routed mode. Are all your servers in the same facility?
22:13 < simplechat> they are all in the same subnet
22:14 < simplechat> if thats what you're asking
22:15 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Ping timeout: 246 seconds]
22:16 -!- flaco [~flaco@pc-166-153-83-200.cm.vtr.net] has joined ##openvpn
22:17 < theDoc> simplechat> Well, if it's all in the same subnet, you just do a push route and you should be fine.
22:18 < simplechat> yeah
22:18 < simplechat> it is pushing the route
22:18 < simplechat> its just plain not working
22:18 < flaco> hi all... I create a bunch of client certs, where I have to put the server certs??? I configure the server with the webadmin tool
22:19 < theDoc> simplechat> What does traceroute tell you?
22:20 < simplechat> no packets get through
22:20 < theDoc> simplechat> Where does it drop?
22:20 < simplechat> first and only hop is me
22:20 < simplechat> it can't find the server
22:21 < simplechat> ie. i get 1. [my ip on the other lan] .....
22:21 < simplechat> thats it
22:21 < theDoc> Can you pastebin your client routes?
22:21 < theDoc> along with which ip goes where ;p
22:21 < simplechat> ah, damnit
22:21 < simplechat> i just restarted it and it screwed up my routes
22:21 < simplechat> mmmm
22:22 < theDoc> O_o?
22:22 < simplechat> yeah
22:22 < simplechat> oddly enough
22:22 < simplechat> now i have half a thing for tap1
22:22 < simplechat> which failed
22:22 < simplechat> because tap 1 doesn't exist
22:22 < theDoc> You have tap1?
22:22 < theDoc> simplechat> Do you mind pastebinning your server config?
22:22 < simplechat> sure
22:22 < simplechat> and i might restart to get rid of the extra interface
22:23 < simplechat> cause i'm thinking that it caused some issues
22:23 < simplechat> would routed be a lot easier?
22:23 < simplechat> because atm this thing has failed three times without us actually touching it
22:23 < simplechat> like we bring the box up, and sometimes it just fails horribly and i'm back here trying to fix it :(
22:23 < theDoc> Yes, routed would be alot easier.
22:23 < simplechat> any good docs for it?
22:24 < theDoc> !welcome
22:24 < vpnHelper> theDoc: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
22:24 < theDoc> !handbook
22:24 < vpnHelper> theDoc: Error: "handbook" is not a valid command.
22:24 < theDoc> !howto
22:24 < vpnHelper> theDoc: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
22:24 < theDoc> Yes, that ;p
22:25 < simplechat> mmmm
22:25 < simplechat> kk
22:25 < simplechat> i've read this before oddly enough
22:25 < simplechat> it makes less sense every time :(
22:25 < theDoc> lmao
22:25 < theDoc> simplechat> Give me a few while I go grab lunch and I'll come back to give you a hand
22:26 < theDoc> Like 10 minutes or so, the food center is just next door
22:26 < simplechat> kk
22:26 < simplechat> thanks mate :)
22:26 < theDoc> Don't mention, I bill at 75$/hr; rounded up of course.
22:26 < simplechat> lol
22:26 < simplechat> ;)
22:27 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
22:29 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
22:36 < theDoc> right, ok.
22:36 < theDoc> So I'm back
22:36 < simplechat> as am i
22:36 < theDoc> simplechat> You might want to try using routed mode, it's much easier and there isn't a compelling reason for you to use bridged mode as far as I can tell
22:37 < simplechat> yeah
22:37 < simplechat> i'm unsure how to set it up tho
22:37 < simplechat> http://pastebin.ca/1793485 is the server config
22:38 < theDoc> Hang on, looking
22:38 < simplechat> http://pastebin.ca/1793486 is client config
22:38 < simplechat> kk
22:40 < theDoc> simplechat> Do you want me to try to help you with bridge mode or are we going to try routed?
22:40 < simplechat> would like to know what to o to mopve it to rputed
22:40 < theDoc> simplechat> What?
22:41 < simplechat> sorry, slight keyboard fail there
22:41 < simplechat> i'd like to know what i'd have to do in order to move from my current broken bridged config to a working routed config
22:41 < theDoc> Evidently ;p
22:42 < theDoc> Hang on, boss
22:42 < simplechat> lol
22:43 < simplechat> i think noob would be more appropriate
22:43 < simplechat> in this situation
22:43 < simplechat> lol
22:51 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 248 seconds]
22:54 < theDoc> simplechat> Yeah, sorry. ;p
22:54 < theDoc> So where was I? :?
22:54 < simplechat> routed configs?
22:55 < theDoc> right, hang on.
22:56 < theDoc> simplechat> http://www.openvpn.net/index.php/open-source/documentation/howto.html#server
22:56 < vpnHelper> Title: HOWTO (at www.openvpn.net)
22:56 < theDoc> That's a sample config.
22:57 < simplechat> mmmmm
22:57  * simplechat reads
22:59 < simplechat> hey theDoc would i need ethernet bridging?
22:59 < theDoc> Why do you need bridging?
22:59 < simplechat> i want to be able to dial in and access the entire network
22:59 < simplechat> if this doesn't need bridging then i don't
23:00 < theDoc> simplechat> define dial in
23:00 < simplechat> ie. i'm on the road
23:00 < simplechat> i connect in via the vpn
23:01 < simplechat> and i'm then on the same lan as all of my servers
23:01 < simplechat> and can access them all
23:01 < theDoc> simplechat> You can do that without bridging
23:02 < simplechat> ok
23:02 < theDoc> !welcome
23:02 < vpnHelper> theDoc: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:02 < theDoc> Hang on
23:02 < theDoc> !factoids
23:02 < vpnHelper> theDoc: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
23:02 < theDoc> Give me a sec, finding the relevant information for you
23:02 < simplechat> thanks mate :)
23:03 < theDoc> simplechat> http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
23:03 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
23:03 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
23:04 < simplechat> mmmm
23:04 < theDoc> simplechat> What I would recommend is that, you have a different rfc1918 ip pool for your vpn clients and do the above
23:04 < simplechat> well, the current lan is only 192.168.3.0/24, and my own lan is on 192.168.0.0/24
23:05 < simplechat> so they are already in different pools
23:06 < theDoc> So that's good, then just follow the routing document above ;)
23:06 < theDoc> and you're fine
23:06 < simplechat> yeah
23:06 < simplechat> i'm looking at it
23:06 < simplechat> i'm not sure if it would do what i want tho
23:07 < simplechat> i want to be able to see the companies lan, but i don't want there to be a route back
23:07 < theDoc> simplechat> No route back = 1 way traffic and what's the point of it?
23:07 < simplechat> i mean i don't want people on the company lan to be able to nmap my network :)
23:07 < simplechat> only my computer
23:07 < theDoc> simplechat> Look into ccd.
23:08 < rob0> If you're not forwarding, there is no way into the network behind the client.
23:09 < simplechat> cool
23:09 < rob0> Unless of course some meanie h4x0r pwns j00! :)
23:09 < simplechat> unlikely to happen
23:10 < theDoc> You'd have to forward if you even want to get to your LAN.
23:10 < theDoc> and on top of that, ccd will help because you can specify routes to push
23:11 < simplechat> yeah
23:11 < simplechat> He wanted machines on all 3 lans to be able to communicate using a tun (routed) setup.
23:11 < simplechat> ie. he wants to bridge the lans
23:11 < simplechat> which isn't what i want
23:11 < rob0> Right, the server side only needs the route to the client, not to the LAN behind it.
23:12 < rob0> he hoo?
23:12  * simplechat is confused :(
23:13 < theDoc> simplechat> I was under the impression that you wanted something like, client > vpn server > internal lan
23:14 < simplechat> sorry theDoc, i must have phrased it badly :(
23:14 < simplechat> thats almost what i wannt
23:14 < simplechat> *want
23:15 < simplechat> ie. if i'm at home, i want to be able to dial into work and access the intranet there
23:15 < simplechat> however allowing everybody to access my home network would be considered bad
23:15 < theDoc> simplechat> So use ccd to push routes only to you.
23:16 < theDoc> !ccd
23:16 < vpnHelper> theDoc: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
23:16 < rob0> None of their business, especially if the employer isn't [directly] paying for your LAN.
23:16 < simplechat> theDoc, that is going to be painful when there are more then a few people on the lan
23:17 < simplechat> this is why we were using bridge before, so that i could just connect up to the bridge and see the other lan
23:18 < theDoc> simplechat> How is it "difficult"?
23:18 < simplechat> ?
23:19 < theDoc> simplechat> How is it going to be difficult when there are a few more people on the LAN? Either I'm confused as to what you are trying to accomplish or you're missing my point ;p
23:25 < simplechat> theDoc, like if i have a ccd per user
23:25 < simplechat> and i have say 20 users
23:25 < simplechat> thats a lot of ccd's to modify/etc. as users come and go
23:27 < theDoc> simplechat> I believe empty ccd's just have the global configs pushed to them and nothing else.
23:27 < simplechat> yeah
23:27 < theDoc> I could be wrong on that but I think that is how the ccd part works.
23:27 < simplechat> i'd prefer the simplest possible solution
23:27 < simplechat> and i'd prefer not to be screwing with individual per user routes
23:27 < theDoc> simplechat> So, if it's just you that requires access to the other subnet, just make a ccd entry for yourself and presto! problem solved? ;p
23:28 < simplechat> theDoc, i'm setting it up for me atm, but its going to be pushed to everybody soon
23:28 < simplechat> and once that happens......
23:28 < simplechat> me ----> headdesk
--- Day changed Thu Feb 11 2010
00:06 -!- Overand [overand@crappy.domain.name] has joined ##openvpn
00:20 -!- crab [ams@disorder.primate.net] has joined ##openvpn
00:21 < crab> hi. if i have "server 10.8.0.0 255.255.255.0" in openvpn.conf, is it safe to ifconfig-push addresses from 10.8/24 from files in my client-config-dir?
00:22 < crab> i've done it, and it works, but i don't know if the server knows that it shouldn't hand out those hand-pushed addresses from the pool.
00:28 -!- crab [ams@disorder.primate.net] has left ##openvpn []
00:29 -!- d457k [~heiko@vpn.astaro.de] has joined ##openvpn
00:30 -!- d12fk [~heiko@vpn.astaro.de] has quit [Ping timeout: 260 seconds]
00:39 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
00:58 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
01:05 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
01:06 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
01:06 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
01:54 -!- dazo_afk is now known as dazo
01:55 -!- Netsplit *.net <-> *.split quits: ScriptFanix, le0, kreg, goog1jh, simplechat, mrnice1, mgolisch
01:58 -!- Netsplit over, joins: mgolisch
02:01 -!- goog1jh [googijh@my.barbie.wears.no-panties.org] has joined ##openvpn
02:04 < cron2> crab: I'm fairly sure that this could end up in problems.  What definitely will be problematic is if the server allocates address .x from the pool, and after that, a client connects that gets *that* address ifconfig-push'ed (because the server will not know about ccd/ configs before the corresponding client has connected)
02:04 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
02:04 -!- mrnice1 [bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
02:09 -!- le0 [~tehle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
02:09 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
02:09 -!- ScriptFanix [vincent@2a01:240:fe35:0:21a:70ff:fea3:44ab] has joined ##openvpn
02:17 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Ping timeout: 256 seconds]
02:29 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
02:34 -!- polaru [~polaru@93.113.192.70] has joined ##openvpn
02:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:07 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
03:08 -!- master_of_master [~master_of@p57B565EB.dip.t-dialin.net] has quit [Ping timeout: 248 seconds]
03:10 -!- master_of_master [~master_of@p57B55BC4.dip.t-dialin.net] has joined ##openvpn
03:14 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
03:24 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has joined ##openvpn
03:25 < makomi_work> hi all
03:26 < makomi_work> anybody know, how i could setup openvpn to get the following scenario i described at http://pastebin.com/d6298849e?
03:27 < makomi_work> I already configured openvpn-server (at server) and vpn-client at dsl-router
03:28 < makomi_work> and I get access from server to any client behind dsl-router
03:28 < makomi_work> and vice versa
03:28 < dazo> makomi_work:  use the same config file, preferably with separate keys for the roadwarrior ... should be practically the same setup
03:29 < makomi_work> but how I don´t know, how I should set the route to get access from roadwarrior to network behind router
03:29 < dazo> aha ... you want to access the network behind the DSL router?
03:29 < dazo> from the RW
03:29 < makomi_work> yes
03:30 < dazo> I see ... you then need to push the route of the dsl network from the openvpn server .... and you need on the openvpn server to have a route which can route traffic to the DSL network
03:31 < makomi_work> from server i could ping internal ips in dsl network
03:32 < makomi_work> but not from rw
03:32 < dazo> makomi_work:  then you're simply missing a route for the RW .... which routes the DSL network via the VPN IP address of the openvpn server
03:33 < dazo> if your openvpn server got 10.8.0.1 .... and your DSL network is 192.168.222.0/255.255.255.0 .... then you can add in the openvpn server config:  push "route 192.168.222.0 255.255.255.0 10.8.0.1"
03:34 < makomi_work> ok, i will try it
03:34 < dazo> makomi_work:  it might be you need to add client-to-client in the server config as well
03:34 < makomi_work> yes, this is already done
03:35 < dazo> oki, then it's probably just that route missing
03:35 < makomi_work> If I will use CCDs, it right to set "ifconfig push ..."?
03:35 < makomi_work> oh no, thats wrong
03:36 < dazo> "ifconfig push" sounds wrong .... but you can do push "route ..." in CCD
03:36 < plundra> Just a quick question, confirming I'm not stupid; nothing in this conf would push a default route to the client -- right? http://pastie.org/819706.txt?key=oh3vemfx4ulwu8k3kzt2a
03:36 < dazo> push "route 1.2.3.4 255.255.255.255"
03:36 < dazo> push "route 4.5.6.7 255.255.255.255"
03:37 < plundra> I end up with one on a linux-machine, with some NetworkManager-plugin etc.
03:37 < dazo> plundra:  ^^^ those lines will push those routes
03:37 < plundra> dazo: Yes, but no _default_ route (0.0.0.0)
03:37 < plundra> And since it works fine on two OSX machines (I haven't checked routes on them, but it works so, yeah, I figure they DON'T get one :-P)
03:37 < dazo> plundra:  not in this config ... but might be you have something in the client config some how ....
03:38 < dazo> plundra:  iirc ... the NM-plugin have a "don't route other network" option somewhere .... you might need to mark that one
03:39 < plundra> Hmm, "
03:40 < plundra> Use this connection only for resources on its network", but that doesn't sound right. And "Ignore automatically obtained routes" sure isn't.
03:40 < dazo> plundra:   The first options is  the one I was thinking about
03:41 < plundra> Ok, I'll try it.
03:41 -!- X-Raimo [~alexmurav@ppp94-29-70-81.pppoe.spdop.ru] has joined ##openvpn
03:41 < dazo> plundra:  the second one ignores "push" statements from server
03:41 < plundra> Yeah :)
03:41 < dazo> plundra:  but in general ... the nm-pluging for openvpn is rather crappy .... if you want something gui, gopenvpn might be a better choice 
03:41 < plundra> Oh, while on the subject, it really annoys me having to set a static username with the NM-plugin :-(
03:41 < X-Raimo> Hello please help me with routing. My Case is: http://paste.org.ru/?fdap26
03:41 < dazo> plundra:  gopenvpn avoids that
03:42 < plundra> Yes, agreed! :-P But it was so neatly integrated and easy for non-technicians to use.
03:42 < plundra> I'll check gopenvpn out, thanks.
03:42 < dazo> plundra:  true :) .... if I had more time .... I'd probably try to port gopenvpn into a new nm-plugin :-P
03:43 < dazo> X-Raimo:  !welcome ... !goals
03:43 < dazo> !welcome
03:43 < vpnHelper> dazo: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:43 < dazo> !goals
03:43 < vpnHelper> dazo: Error: "goals" is not a valid command.
03:44 < dazo> !goal
03:44 < vpnHelper> dazo: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
03:44 < dazo> (sorry about that one))
03:44 < plundra> Nope, that "Ignore automatically ..." gives me no routes I pushed, but still a default one.
03:44 < dazo> plundra:  and the default one is changing the default gw?
03:44 < X-Raimo> !route @ X-Raimo
03:44 < vpnHelper> X-Raimo: Error: "route" is not a valid command.
03:44 < plundra> dazo: The default one?
03:45 < dazo> plundra:  yeah
03:45 < dazo> !route
03:45 < vpnHelper> dazo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
03:45 < plundra> dazo: It does change the default route yes, after first adding the vpn-endpoint via my old default. (Of course :-P)
03:45 < X-Raimo> !redirect
03:45 < vpnHelper> X-Raimo: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
03:46 < X-Raimo> !ipforward
03:46 < vpnHelper> X-Raimo: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
03:46 < dazo> plundra:  I'd bet that's a pretty nasty NM-plugin issue .... that plug-in tries to be so insanely clever that it creates troubles for those knowing what they want
03:46 < X-Raimo> !linipforward
03:46 < vpnHelper> X-Raimo: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
03:46 < plundra> dazo: Yeah, I'll dump it :-) Man I hate things trying to out smart me :-D
03:46 < dazo> plundra:  :)
03:47 < plundra> In most cases, it ends up just being trouble.
03:47 < plundra> I'm very tempted at throwing in some nasty Windows on these laptops actually :-) (They're supposed to be for working home, for our not-so-technical customer service)
03:48 < plundra> But yeah, I'll check gopenvpn out. Thanks for the help!
03:48 < dazo> plundra:  that's why I like gopenvpn when GUI is wanted ... it uses the raw openvpn config files ... it only adds management parameters, as it uses the management interface to query for passwords when needed
03:48 < dazo> plundra:  no prob!
03:48 < dazo> plundra:  don't fall for the windows approach ... then you need a decent fw for sure in the tunnel interfaces on your server :-P
03:49 < dazo> *on the tunnel
03:51 < X-Raimo> dazo: there is routing between servers with their lans behing them. And need roadwarrior config
03:52 < plundra> dazo: I'm only pushing about 10 routes for the client to use, all our internal stuff. But the clients them self would probably be in need of something good yes...
03:52 < dazo> X-Raimo:  have you tried to use tcpdump or wireshark on your openvpn server? ... might help you to see if the routing really works
03:53 < X-Raimo> dazo: yes i did. Right now flushed all the routes connected to VPN Server. And dunno how to do a right route between my networks
03:57 < dazo> X-Raimo:  you'll need either in the server config: push "route 192.168.100.0 255.255.255.0"    or the client config:  route 192.168.100.0 255.255.255.0
03:58 < dazo> X-Raimo:  even thought !route is quite comprehensive and got some more aspects involved, its still the standard routing basics being used here as well
03:59 < X-Raimo> dazo: can I use  push "route 192.168.100.0 255.255.255.0" toghether with def1 ?
03:59 < dazo> X-Raimo:  yes
04:01 < dazo> X-Raimo:  your VPN server ... is it also acting as the default gateway in your network?  I mean for the LAN computers
04:01 < X-Raimo> dazo: yes
04:02 < dazo> X-Raimo:  then its either a firewall issue or a strange routing issue which I don't manage to see right now .... I'd probably redo a tcpdump test on the server .... to see if the traffic are routed correctly ..... and also on a the roadwarrior to see if the traffic comes back or not 
04:03 < makomi_work> thanks dazo. adding push "route 1.2.3.4 255.255.255.0" to ccd file works!
04:03 < dazo> makomi_work:  cool! :)  Happy to hear!
04:03 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 260 seconds]
04:04 -!- X-Raimo_nbook [~alexmurav@ppp94-29-70-81.pppoe.spdop.ru] has joined ##openvpn
04:07 < X-Raimo_nbook> dazo: after I uncommented push route 192.168.100.0 255.255.255.0. It still doesn't works. My client's routing table after he connects to VPN is: http://paste.org.ru/?nxhhpn
04:07 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
04:09 < dazo> X-Raimo_nbook:  if you ping a computer in the 192.168.100.0/24 segment (which responds to ping) .... how does the "tcpdump -n -i eth1" look like when run on the openvpn server?
04:11 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Read error: Operation timed out]
04:11 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
04:16 -!- X-Raimo_nbook [~alexmurav@ppp94-29-70-81.pppoe.spdop.ru] has quit [Ping timeout: 276 seconds]
04:16 < X-Raimo> X-Raimo: http://paste.org.ru/?jhi5az
04:16 < X-Raimo> dazo: http://paste.org.ru/?jhi5az
04:18 < dazo> X-Raimo:  the traffic is not routed back to the openvpn server ....
04:18 -!- tiav [~tiav@mx.fr.smartjog.net] has joined ##openvpn
04:18 -!- X-Raimo_nbook [~alexmurav@ppp94-29-70-81.pppoe.spdop.ru] has joined ##openvpn
04:20 < dazo> X-Raimo:  It's only ICMP echo requests in this direction  192.168.200.3 > 192.168.100.5 ...... and never ICMP echo reply 192.168.100.5 > 192.168.200.3 
04:20 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has quit [Ping timeout: 252 seconds]
04:20 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has joined ##openvpn
04:21 < X-Raimo> dazo: maybe the reason is LAN doesn't know where to send packages to VPN. I need to make route?
04:21 < dazo> X-Raimo:  try by turning of the firewall ... to check if it's routing or firewall
04:21 < dazo> X-Raimo:  could be ... but as this openvpn is the default gw .... it should not be needed
04:21 < dazo> this openvpn server, that is
04:22 < plundra> Darn it, no amd64-package of gopenvpn for Ubuntu.
04:24 < X-Raimo> dazo: when firewall is off and ip_forwarding is on the same situation: packages don't do between ifaces
04:24 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:24 < dazo> X-Raimo:  and you can ping 192.168.100.5 from the openvpn server and get a response?
04:25 < X-Raimo> dazo: yes i have responce
04:26 < dazo> X-Raimo:  then I'd probably check the routing table and firewall on .100.5 .... if possible even do a tcpdump on that box as well
04:27 < X-Raimo> dazo: http://paste.org.ru/?ic0zxv - ping result (from server to LAN)
04:27 < makomi_work> I´ve got another question: I´ll give one client (RoadWarrior) a special config. I will set for this client the openvpn server as gateway and give him a opendns server as dns server
04:28 < makomi_work> i try push "redirect-gateway"
04:28 < makomi_work> push "dhcp-option DNS 208.67.222.222"
04:28 < dazo> X-Raimo:  that looks good ... but can you do tcpdump on the .100.5 and ping from the VPN client?
04:28 < makomi_work> but it doesn´t work
04:28 < dazo> makomi_work:  which OS is the RW?
04:28 < makomi_work> windows
04:29 < X-Raimo> dazo: ok
04:29 < makomi_work> is there a difference between OS? this is only a test - later it would work with macos
04:30 < dazo> makomi_work:  it might be you need: push "redirect-gateway def1" .... and DNS can be tricky on Windows, it sometimes takes a little while before it gets active .... if you search the mailing list, I believe you'll find some answers there ... look for mails from Jan Just Keijser ... he have answered this question a couple of times for Windows users
04:31 < makomi_work> ok, thanks
04:31 < makomi_work> if i set push "redirect-gateway" my default gw is now 10.8.0.1
04:31 < makomi_work> this is right?
04:31 < dazo> makomi_work:  the DNS config is not changed immediately on Windows for unknown reasons (well, MS probably can explain why :-P) ... but JJK have provided some workarounds for it
04:32 < dazo> makomi_work:  that sounds right
04:32 < makomi_work> i´ll ask because you said push "redirect-gateway"
04:32 < makomi_work> you said push "redirect-gateway def1"
04:32 < makomi_work> and I don´t know what I insert in def1
04:33 < dazo> makomi_work:  yeah ... I'm not perfect :-P .... def1 is a valid argument to redirect-gateway
04:33 < dazo> it's usually the recommended way
04:33 < makomi_work> ah ok
04:33 < makomi_work> :)
04:34 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
04:38 -!- mattock [~samuli@sparkgw.utu.fi] has joined ##openvpn
04:38 -!- mode/##openvpn [+o mattock] by ChanServ
04:39 -!- sparch [~daniel@pdpc/supporter/active/sparch] has joined ##openvpn
04:39 < sparch> morning
04:40 < X-Raimo> dazo: http://paste.org.ru/?9qdezh - tcp dump from 192.162.100.5
04:41 < dazo> X-Raimo:  and the default gw on .100.5 is the openvpn server?
04:42 -!- mattock [~samuli@sparkgw.utu.fi] has quit [Ping timeout: 245 seconds]
04:42 < X-Raimo> dazo: yes
04:42 -!- rob0 [~rob0@tuxaloosa.org] has quit [Ping timeout: 265 seconds]
04:43 < X-Raimo> dazo: stop! I will check.
04:44 < dazo> X-Raimo:  you have something odd with something here ... as we see traffic going out of the openvpn server to .100.5 ... line 13+14 in the last pastebin shows that the box receives and responds .... but it never reaches the openvpn server again
04:44 < X-Raimo> dazo: my error! default gw wasn't 100.4
04:45 < X-Raimo> dazo: Someone already changed it
04:45 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.7/20091221164558]]
04:45 < dazo> X-Raimo:  there you most probably have it :)
04:45 < macsppadic> moring sparch 
04:57 < X-Raimo> dazo: how to route in following case: openVPN Server - 192.168.100.4 and gefault gw = 192.168.100.1. And where shall change routing?
04:58 -!- Sir-Rogers [~rweber89@188-221-70-159.zone12.bethere.co.uk] has joined ##openvpn
04:58 < Sir-Rogers> hi guys
04:59 < dazo> X-Raimo:  Often, it's enough to add a "route add -net 192.168.200.0 netmask 255.255.255.0 gw 192.168.100.4" on the default gw ... but some routers don't handle that, and then you need to have that on all computers in that network which VPN clients should access
05:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
05:11 -!- X-Raimo_nbook [~alexmurav@ppp94-29-70-81.pppoe.spdop.ru] has left ##openvpn []
05:12 -!- rob0 [~rob0@tuxaloosa.org] has joined ##openvpn
05:13 < X-Raimo> dazo: thanx a lot! everything is Okay
05:15 < upb> hmm
05:15 < upb> i wonder which router cant handle a route :p
05:15 < sparch> hahaha
05:17 -!- X-Raimo [~alexmurav@ppp94-29-70-81.pppoe.spdop.ru] has left ##openvpn []
05:24 -!- rsc [~robert@fedora/rsc] has joined ##openvpn
05:25 < rsc> How can I execute a script on client and server side once the connection is established? I only have a static key, no road warrior and no PKI.
05:25 < rsc> Important is: The tunX device needs to be up at that point already
05:31 -!- X-Raimo_nbook [~alexmurav@ppp94-29-70-81.pppoe.spdop.ru] has joined ##openvpn
05:32 -!- X-Raimo_nbook [~alexmurav@ppp94-29-70-81.pppoe.spdop.ru] has left ##openvpn []
05:36 -!- uriel_ [uriel@95.154.208.115] has joined ##openvpn
05:37 < uriel_> !welcom
05:37 < vpnHelper> uriel_: Error: "welcom" is not a valid command.
05:37 < uriel_> !welcome
05:37 < vpnHelper> uriel_: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:38 < uriel_> Hi, How can I make openvpn assign an IP for the tap device it creates on the server? (running debian)
05:42 < reiffert> you bind tap0 and eth0 to a virtual device called bridge
05:43 < reiffert> that bridge carries the IP address. normally that one that eth0 got before binding.
05:43 < reiffert> brctl and ifconfig is your friend.
05:45 < reiffert> you can do this even before starting openvpn, so create a bridge, make eth0 be part of it
05:45 < reiffert> when openvpn runs, assure that tap0 is part of it
05:53 < Sir-Rogers> just out of interest
05:53 < Sir-Rogers> what is the tap device needed for?
05:58 < uriel_> I got the bridge running, after running openvpn I get a new device called tap, it has no ip address and I want to assign it with an ip address, I can do it manually using ifconfig but my question is if can I use openvpn to assign it with an ip
05:58 < uriel_> tap is used for windows clients
06:04 < reiffert> Sir-Rogers: sending layer 2 frames
06:05 < reiffert> Sir-Rogers: on top of that, there is no tun device on windows. Which is quite confusing.
06:05 < reiffert> uriel_: are we talking from the server or from the client?
06:05 < uriel_> from the server
06:05 < reiffert> uriel_: OS?
06:05 < uriel_> debian
06:05 -!- d303k [~heiko@vpn.astaro.de] has joined ##openvpn
06:05 < reiffert> brctl br0 addif tap0
06:06 < reiffert> brctl addif br0 tap0    
06:06 -!- d457k [~heiko@vpn.astaro.de] has quit [Ping timeout: 246 seconds]
06:06 < reiffert> uriel_: you dont assign IP addresses to tap devices on the != windows side.
06:06 < reiffert> uriel_: you bind it to your bridge.
06:06 < uriel_> I want to assign an ip to the tpa device on the server side
06:07 < reiffert> 13:06 < reiffert> uriel_: you dont assign IP addresses to tap devices on the != windows side.
06:07 < reiffert> 13:06 < reiffert> uriel_: you bind it to your bridge.
06:07 < uriel_> oh I see, so I add another virtual ip to the bridge?
06:07 < reiffert> no.
06:08 < reiffert> the bridge already got an IP address.
06:09 < reiffert> (the one that eth0 was using before you was setting up the bridge)
06:09 < uriel_> I want to add an rfc1918 IP address to bind a service on it, that will be available only to my vpn clients
06:09 < reiffert> then bridging is the wrong solution.
06:09 < sparch> reiffert: indeed.
06:10 < uriel_> bridging is used for the vpn with windows clients
06:10 < uriel_> so what is the right solution?
06:10 < sparch> !route
06:10 < vpnHelper> sparch: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
06:10 < reiffert> uriel_: your last sentence is not quite right.
06:11 < reiffert> uriel_: the normal setup is routing. Even in Windows.
06:11 < reiffert> uriel_: but the interface on windows is called tap.
06:11 < reiffert> uriel_: it should be named tun to be correct, right.
06:11 < uriel_> oh, so i thgouth windows can only be used with bridge, which is incorrect? I can just use routing and thats all?
06:11 < uriel_> thought
06:12 < reiffert> yep.
06:12 < reiffert> It's covered in the official howto.
06:12 < reiffert> Do you know it?
06:13 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has joined ##openvpn
06:13 < makomi_work> hi again
06:13 < uriel_> i used an unofficial howto for my setup..
06:13 < reiffert> "an" 1= 'the'
06:13 < reiffert> !howto
06:13 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:14 < uriel_> thanks
06:14 < reiffert> afk, good luck
06:16 < makomi_work> !route
06:16 < vpnHelper> makomi_work: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
06:18 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:21 < s-taylo> Does anyone have (or could point me in the direction of) any tips for ensuring absolute minimum bandwidth use when the connection is idling? Oddly the transmission path (Vodafone 3G dongle => server) seems to sustain a pipe without keepalives indefinitely, so I don't even need keepalive packets, but any data traffic within each 15 minute window incurs a fee so I need to have absolute zero data transfer for hours on end if at all possible (I unders
06:23 < makomi_work> need help again :( - my roadwarrior should goes over my openvpn server to internet. the tunnel is astablished, the default gw is set. if i ping a client in internet my echo request goes outside, but i can´t get the answer. I think my server doesn´t know the route back to my roadwarrior :(.
06:29 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Disconnected by services]
06:29 -!- APTX| [~APTX@chello089076052083.chello.pl] has joined ##openvpn
06:44 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 240 seconds]
06:52 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has quit [Read error: Connection reset by peer]
06:53 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has joined ##openvpn
06:57 < uriel_> Hmm, getting ERROR: Linux route add command failed: external program exited with error status: 7
07:02 < ecrist> good morning
07:04 < uriel_> looks like it caused by /sbin/route add -net 192.168.200.0 netmask 255.255.255.0 gw 192.168.200.2
07:06 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Quit: Leaving]
07:10 < macsppadic> perhaps have to mention a specific device there uriel_ ? usually dont have to tho 
07:11 < rob0> How is it that your gateway is inside the network that you want to route to? There must be a preexisting route to the gateway.
07:16 < uriel_> I got server 192.168.200.0 255.255.255.0
07:16 < uriel_> push "route 192.168.200.0 255.255.255.0"
07:16 < uriel_> route 192.168.200.0 255.255.255.0
07:17 < uriel_> on the conf
07:18 < rob0> ^^ reread that
07:19 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
07:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:29 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Remote host closed the connection]
07:30 -!- sparch [~daniel@pdpc/supporter/active/sparch] has quit [Quit: Eat right, exercise regularly, die anyway.]
07:31 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:32 < uriel_> openvpn sets the gateway itself
07:32 < uriel_> its not in the conf
07:36 < rob0> I am talking about how /sbin/route works. It fails if there is no preexisting route to the gateway that you gave it.
07:38 < upb> ofc :P
07:38 < upb> how is the routing supposed to work otherwise
07:38 < ecrist> your next hop always has to be local, relatively
07:50 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
07:50 -!- bravia [~user1@87.240.220.218] has joined ##openvpn
07:50 < bravia> hi
07:52 < bravia> is it possible to use a /8 network on the server side for openvpn?
07:53 < ecrist> no, /16 is the biggest subnet you can use
07:53 < bravia> ok, thank you ecrist 
07:53 < bravia> so it is considered to route instead?
07:54  * rob0 does not understand how a /8 would prevent the need for routing
07:55 < ecrist> bravia: if you do bridged, you can do any size subnet you desire
07:56 < bravia> rob8 use netmap and route a range in your tunnel with just one IP instead of attributing vpn cloud IP to every host 
07:56 < bravia> I'll need to look at that ecrist, but it could be an option indeed
07:57 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
07:57 < bravia> But some internal ranges will be impossible to change I suppose
07:58 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
07:59 < bravia> I'll think I stick with netmapping a network within my  tunnel
08:00 < rob0> a bridged /8 -- yikes! That would be insane.
08:01 < bravia> pity it doens't support /8 in non-bridged
08:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:02 < ecrist> it was a decision by the devs.  You could update the code yourself.
08:02 < bravia> I'm not that good unfortunately
08:02 < ecrist> why you'd need a /8 is beyond me.
08:03 < ecrist> 16K vpn clients is insane
08:03 < bravia> because I've 400 /24 networks in a vpn cloud
08:04 < ecrist> just push the routes
08:04 < bravia> if I used openvpn either I use 2 vpn tunnels each serving 254 network
08:04 < ecrist> 2.1.1 has no limit on number of routes
08:04 < ecrist> I think your design is flawed
08:05 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
08:05 < bravia> I don't think it is flawed, we manage about  400 companies and each have about 100 hosts
08:05 < ecrist> that part is fine, your vpn setup seems wonky, though.
08:06 < bravia> each host has to be uniquely identified in the network
08:06 < bravia> no nat
08:07 < ecrist> sure, that's fine, but why you need to have an 8 bit subnet mask.  push the routes for the other subnets.  easy enough.
08:07 < bravia> well that is what I'll expect to do when I'll convert to openvpn
08:08 < bravia> i'll netmap every host to a unique IP and push the routes over the vpn tunnel
08:13 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
08:14 < bravia> thanks anyway for the help
08:14 -!- bravia [~user1@87.240.220.218] has quit [Quit: Leaving]
08:15 < dazo> !?!?!? .... quite some questions today ..... file size limits on file transfers via openvpn  .... and this ^^^ 
08:15 < vpnHelper> dazo: Error: "?!?!?" is not a valid command.
08:15 < dazo> hehehe
08:15 < ecrist> lol
08:15 < dazo> that should say: "?!?!?!?" is not a valid question!
09:05 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
09:13 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
09:16 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:21 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 256 seconds]
09:29 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.7/20091221164558]]
09:35 -!- Guest7702 [fahad@pyramid.cluenet.org] has joined ##openvpn
09:35 -!- Guest7702 is now known as fahadsadah
09:35 -!- fahadsadah [fahad@pyramid.cluenet.org] has quit [Changing host]
09:35 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
09:36 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:38 -!- APTX| [~APTX@chello089076052083.chello.pl] has quit [Quit: Farewell]
09:38 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
09:38 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
09:38 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
09:45 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:45 -!- uriel_ [uriel@95.154.208.115] has quit [Quit: leaving]
09:53 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Connection reset by peer]
09:53 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
09:53 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
09:53 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
09:54 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
09:54 -!- mode/##openvpn [+o mattock] by ChanServ
10:10 -!- polaru [~polaru@93.113.192.70] has quit [Remote host closed the connection]
10:11 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Quit: Leaving]
10:12 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:18 <@mattock> hi all, I have a theorical question... could I limit OpenVPN client's access only to specific intranet services/hosts (e.g. a mail server) by adding per-client (IP+port) iptables rules to the OpenVPN server computer? For example, only allow access from the client IP to mail.intranet.com:143?
10:21 <@mattock> and do all this so that the user can't circumvent the iptables restrictions (e.g. by changing his IP)
10:21 -!- Kaspx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: Connection reset by peer]
10:21 < Rienzilla> probably, yes
10:21 < rob0> um, not always IIUC
10:22 < Rienzilla> I think it should be possible, both with a routed and a bridged vpn. In the latter case it's a bit more of a hassle
10:22 < rob0> some VPN packets bypass Netfilter, and I am not sure of the details.
10:23 < Rienzilla> only if you enable client-to-client, as far as I know
10:23 < rob0> Of course in such a need, you would nail the client down to a specific IP anyway, right?
10:23 < rob0> oh, that makes sense, INPUT rules should still apply
10:23 < rob0> but, sounds like mattock is talking about FORWARD
10:23 <@mattock> ok, so it's possible to force a specific IP address to a client so that it can't get around it.
10:24 < rob0> sure.
10:24 < Rienzilla> rob0: if the packet is routed, it's going to pass the forward chain
10:24 < Rienzilla> mattock: yes
10:24 < Rienzilla> (if the packet is bridged, it can be filtered using bridge firewalling)
10:24 < rob0> ebtables(8) yes
10:25 <@mattock> I'm just thinking of enabling more fine-grained access control rather than just "access/no access"
10:25 <@mattock> to the private network I mean
10:26 <@mattock> thanks guys!
10:26 < Rienzilla> np
10:27 < ecrist> pf on *BSD can do what you want pretty easily.
10:31 -!- Sp4rKy [~Sp4rKy@freenode/sponsor/sp4rky] has joined ##openvpn
10:31 < Sp4rKy> hi
10:32 < Sp4rKy> anyone knows how I can monitor my openvpn server (in udp) with nagios ? 
10:35 < macsppadic> hey there Sp4rKy does nagios not use the pid status of a program?
10:40 < Rienzilla> ecrist: so can iptables
10:44 < Sp4rKy> macsppadic: mhhh, I thought of checking the connection from outside, not the process itself
10:45 < macsppadic> sorry not familiar with the nagios - in zabbix and bigsister - u can monitor the port 
10:48 -!- Sir-Rogers [~rweber89@188-221-70-159.zone12.bethere.co.uk] has quit []
10:53 -!- sdfs [~sdfsd@CL-GSW-GW001.herts.ac.uk] has joined ##openvpn
10:54 < sdfs> are there any trustworthy openvpn providers? not one that somebody in an irc sets up..a commercial big company
10:58 < ecrist> why do you discount 'somebody on irc?'
11:00 < sdfs> i dont know but for some reason i think that a commercial company that has thousands of reviews with no negative feedback about fraudulent traffic rerouting or whatever and has thousands and thousands of users might be more trustworthy than somebody on irc that offers me a openvpn
11:00 < sdfs> i might be wrong though
11:01 < rob0> The fact of asking such a question on IRC is ironic, to say the least.
11:01 < sdfs> why coz soembody can just refer me to dodgyvpn.com? 
11:01 < rob0> By definition you should not trust anything we say.
11:01 < ecrist> sdfs: I don't think you will find 'a commercial company that has thousands of reviews with no negative feedback about fraudulent traffic rerouting'
11:02 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
11:02 < ecrist> I think Secure Computing Networks can offer such a service.
11:02 < rob0> Here's a thought. A big commercial company with thousands of reviws would probably try to place themselves in Web search results!
11:04 < ecrist> *gasp*
11:04 -!- dazo is now known as dazo_afk
11:05 < ecrist> where would I go to search the web?
11:05 < ecrist> !google what is a web search engine
11:05 < vpnHelper> ecrist: Web search engine - Wikipedia, the free encyclopedia: <http://en.wikipedia.org/wiki/Web_search_engine>; WebCrawler Web Search: <http://www.webcrawler.com/>; Dogpile Web Search: <http://www.dogpile.com/>
11:10 < vpnHelper> New forum entry openvpnforum: Installation Help :: Re: TAP-win32 driver install problems on Vista x64 :: Reply by neo314 <http://www.ovpnforum.com/viewtopic.php?f=5&t=494&p=3261#p3261>
11:10 < rob0> But then again, we're just IRC folks, so maybe we're giving misleading answers.
11:15 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
11:15 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
11:17 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
11:17 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Remote host closed the connection]
11:17 < tw> I've got a windows vista client running 2.1.1 that can get connected, but his routes don't change when I push him the 'redirect-gateway def1'.  Has anyone else encountered this problem?
11:20 < tw> I think his UAC is still on, is that known to cause problems?
11:20 < ecrist> could be
11:21 -!- _Brandon_ [~Brandon@93-43-143-146.ip92.fastwebnet.it] has joined ##openvpn
11:27 < tw> UAC did it.  I had him turn that off and it auto-added correctly.  Works perfectly now, thanks.
11:28 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:31 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
11:31 -!- mode/##openvpn [+v Kas] by ChanServ
11:33 < _Brandon_> hi, is it possible to use openvpn to connect two lan in two different locations like they are in the same lan?
11:34 -!- rsc [~robert@fedora/rsc] has left ##openvpn ["Linux - The future has already started!"]
11:34 < ecrist> yes
11:34 < ecrist> that is called bridging
11:34 < _Brandon_> thanks
11:42 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
11:47 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Read error: Connection reset by peer]
12:32 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
12:34 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
12:35 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:56 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Read error: Operation timed out]
12:56 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
13:00 -!- master_of_master [~master_of@p57B55BC4.dip.t-dialin.net] has quit [Ping timeout: 256 seconds]
13:01 < ecrist> community forum beginning now in ##openvpn-discussion
13:04 -!- master_of_master [~master_of@p57B55BC4.dip.t-dialin.net] has joined ##openvpn
13:09 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
13:13 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
13:37 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Disconnected by services]
13:38 -!- APTX| [~APTX@chello089076052083.chello.pl] has joined ##openvpn
13:50 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
13:51 -!- l0wkey [~bsd@93-103-1-78.static.t-2.net] has joined ##openvpn
13:51 < l0wkey> does any1 know if it's possible to setup simple openvpn server (tun server - with multiple clients) that pushes clients IPv4 as well as IPv6 address and all defaults routes ?
13:51 < ecrist> no
13:52 < ecrist> the only thing you can currently do for IPv6 is setup bridging
13:52 < cron2> weellll
13:52 < cron2> there's an IPv6 patch, but that means "compile your openvpn from source, test it, expect the unexpected, and report back to me if it works for you"
13:53 -!- Gandalfar [~gandalf@93-103-37-225.dynamic.dsl.t-2.net] has joined ##openvpn
13:53 -!- Gandalfar [~gandalf@93-103-37-225.dynamic.dsl.t-2.net] has left ##openvpn ["Leaving"]
13:53 < cron2> l0wkey: if you feel like "compile it yourself and give it a good beating", ask the VpnHelper for "!ipv6"
13:54 < l0wkey> ecrist, and in bridging mode IPv6 address is given to cleint via DHCPv6 server or radvd or openvpn itself?
13:54 < ecrist> yep
13:54 < l0wkey> cron2, nja .. 10x
13:54 < l0wkey> ecrist, which one?
13:55 < cron2> l0wkey: in bridge mode: by whoever distributes the address on lan, not by openvpn server
13:55 < ecrist> whichever you setup
13:55 < cron2> ecrist: never by openvpn
13:55 < ecrist> lol, http://i.imgur.com/x0CNB.jpg
13:55 < ecrist> didn't mean to imply openvpn, just rtadv and DHCPv6
13:55 < cron2> yes
13:56 < l0wkey> ecrist, okies .. makes sense
13:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:58 -!- cron2 [~gert@blue.greenie.muc.de] has quit [Quit: Lost terminal]
14:06 -!- cron2 [~gert@kirk.greenie.muc.de] has joined ##openvpn
14:26 -!- MadTBone__ [~MadTBone@160.39.238.196] has joined ##openvpn
14:31 -!- sdfs [~sdfsd@CL-GSW-GW001.herts.ac.uk] has quit []
14:32 -!- APTX| [~APTX@chello089076052083.chello.pl] has quit [Quit: Farewell]
14:32 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
14:32 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
14:32 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
14:41 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
14:51 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
15:02 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
15:15 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 252 seconds]
15:17 -!- tiav [~tiav@mx.fr.smartjog.net] has quit [Remote host closed the connection]
15:30 -!- NickWebHA [~nick@mail.webhse.com] has joined ##openvpn
15:30 < NickWebHA> Good day kind people of #openvpn!
15:31 < NickWebHA> ... I forgot my question!
15:33 < Bushmills> avocados are said to be good for maintaining memory
15:37 < NickWebHA> When I was a kid I had a pretty bad head injury; My memory is not coming back. :-P
15:38 < NickWebHA> ... I also broke my spine in a separate incident... I should stay inside more.
15:38 < Bushmills> many accidents happen at home
15:39 < NickWebHA> Probably because avocados are slippery and people forget where they put them.
15:59 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
16:00 -!- NickWebHA [~nick@mail.webhse.com] has left ##openvpn []
16:26 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:38 -!- sjr [~sjr@office.superuholdings.com] has joined ##openvpn
16:38 < sjr> I have OpenVPN setup on a box, and for some reason that box cannot connect to the remote network, however everything else can connect via that box to the other network.
16:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
16:56 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
17:11 -!- MadTBone__ [~MadTBone@160.39.238.196] has quit [Remote host closed the connection]
17:22 -!- Netsplit *.net <-> *.split quits: ScriptFanix, cron2, fahadsadah, dunc, le0, APTX
17:26 -!- Netsplit over, joins: cron2, le0, dunc, APTX, fahadsadah, ScriptFanix
17:26 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Max SendQ exceeded]
17:28 -!- Guest8146 [fahad@pyramid.cluenet.org] has joined ##openvpn
17:51 -!- _Brandon__ [~Brandon@93-43-143-146.ip92.fastwebnet.it] has joined ##openvpn
17:55 -!- _Brandon_ [~Brandon@93-43-143-146.ip92.fastwebnet.it] has quit [Ping timeout: 240 seconds]
18:03 -!- _Brandon__ is now known as _Brandon_
18:04 -!- _Brandon_ is now known as _Brandon__
18:04 -!- _Brandon__ is now known as _Brandon___
18:04 -!- _Brandon___ is now known as _Brandon__
18:04 -!- _Brandon__ is now known as _Brandon_
18:07 -!- master_of_master [~master_of@p57B55BC4.dip.t-dialin.net] has quit [Ping timeout: 272 seconds]
18:08 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
18:09 -!- NickWebHA [~nick@2002:ad38:149d:0:221:85ff:feda:2615] has joined ##openvpn
18:09 < NickWebHA> !welcome
18:09 < vpnHelper> NickWebHA: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:09 < NickWebHA> !man
18:09 < vpnHelper> NickWebHA: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:16 -!- master_of_master [~master_of@p57B55BC4.dip.t-dialin.net] has joined ##openvpn
18:20 -!- NickWebHA [~nick@2002:ad38:149d:0:221:85ff:feda:2615] has quit [Quit: Leaving.]
19:01 -!- _Brandon_ [~Brandon@93-43-143-146.ip92.fastwebnet.it] has quit [Read error: Connection reset by peer]
19:04 -!- NickWebHA [~nick@2002:ad38:149d:0:221:85ff:feda:2615] has joined ##openvpn
19:04 < NickWebHA> What does passtos do? The manual is not helping me.
19:23 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Quit: Távozom]
19:33 -!- acidfoo [~nib@dsl-67-212-3-113.acanac.net] has joined ##openvpn
19:34 < acidfoo> hi guys, any openvpn developer here ? I'm curious what kind of openSSL BIO they are using to link with their socket, because they are clearly not using the socket implementation offered by openssl ... so Im curious how do they use the openssl functions on the buffer they get from a read on their own socket
19:38 -!- NickWebHA [~nick@2002:ad38:149d:0:221:85ff:feda:2615] has quit [Quit: Leaving.]
19:45 -!- flaco [~flaco@pc-166-153-83-200.cm.vtr.net] has quit [Ping timeout: 276 seconds]
20:05 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:05 < theDoc> Anyone has managed to use openvpn with a 6to4 tunnel?
20:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
20:40 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
21:11 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
21:13 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 264 seconds]
21:18 -!- d12fk [~heiko@vpn.astaro.de] has joined ##openvpn
21:18 -!- d303k [~heiko@vpn.astaro.de] has quit [Write error: Broken pipe]
21:19 -!- corretico [~laguilar@201.201.46.106] has quit [Quit: Leaving]
21:21 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
21:38 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
21:48 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
21:49 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
22:04 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
22:04 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
22:08 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
22:10 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
22:19 -!- xous [~xous@wnpgmb0517w-ad04-176-82.dynamic.mts.net] has joined ##openvpn
22:20 < xous> loop0 in a container seems to be running at 100% CPU
22:20 < xous> can't stop the container or kill the process.
22:24 < xous> err.
22:24 < xous> oops
22:24 < xous> I'm an idiot.
22:24 < xous> wrong channel.
22:24 -!- xous [~xous@wnpgmb0517w-ad04-176-82.dynamic.mts.net] has left ##openvpn []
23:01 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
23:18 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
23:19 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:32 -!- btm [~btm@serenity.ninjr.org] has joined ##openvpn
23:32 < btm> !welcome
23:32 < vpnHelper> btm: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:33 < btm> !/30
23:33 < vpnHelper> btm: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
23:33 < btm> !topology
23:33 < vpnHelper> btm: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
23:33 < btm> !goal
23:33 < vpnHelper> btm: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
23:33 < btm> !logs
23:33 < vpnHelper> btm: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
23:33 < btm> !configs
23:33 < vpnHelper> btm: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
23:52 < btm> I've been battling for some time getting openvpn running between an ubuntu 9.10 server and windows server 2008 datacenter 32-bit running in EC2. My configs and logs are here: https://gist.github.com/acde2d0595602e4b51e0
23:52 < vpnHelper> Title: gist: acde2d0595602e4b51e0 - GitHub (at gist.github.com)
23:54 < btm> I'll note in those logs there is the 'Initialization Sequence Completed With Errors' error. Initially I had it working via the GUI, but had to switch ip-win32 to manual to get the service to work. I can't get the GUI to work any longer. I've fully disabled the firewall, and ipv6 via the registry, as well as unchecking ipv6 in the adapter. I've also set the apdapter to always on, as you'll note I often see the IP address marked (Tentative) in the ...
23:54 < btm> ... ipconfig output.
23:57 < btm> this is basically the same problem as seen in http://www.pubbs.net/openvpn/201001/10903/, I also often see 'transmit failed, error code 1232' from ping.
--- Day changed Fri Feb 12 2010
00:16 < btm> upgrading from 2.1~rc19-1ubuntu2 to 2.1.0-1ubuntu1 on the server had no affect.
00:27 -!- chilicuil [~chilicuil@unaffiliated/chilicuil] has joined ##openvpn
00:28 < rob0> Fri Feb 12 05:48:59 2010 us=31000 Warning: route gateway is not reachable on any active network adapters: 10.88.26.190
00:28 < chilicuil> !welcome
00:28 < vpnHelper> chilicuil: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
00:28 < btm> rob0: yeah, because the DHCP never configures the interface.
00:28 < btm> rob0: as seen in the ipconfig output
00:29 < rob0> You're bridging? Why?
00:30 < btm> if I manually configure the interface, it says as (Tentative), interestingly it goes to (Preferred) if set to Always On in the adapter config up until I bring up the vpn. If I set the interface to DHCP, it never gets configured.
00:31 < rob0> Hmm, it says dev tun down here on page 21 of 41 in my lynx browser.
00:31 < rob0> Does the Windows DHCP client work for tun interfaces?
00:32 -!- chilicuil1 [~chilicuil@201.102.100.182] has joined ##openvpn
00:32 < rob0> I don't see how that would be possible, since DHCP requires broadcast.
00:32 < btm> added more dhcp output: https://gist.github.com/acde2d0595602e4b51e0#file_ipconfig.txt
00:32 < vpnHelper> Title: gist: acde2d0595602e4b51e0 - GitHub (at gist.github.com)
00:33 < btm> I'm not sure how the openvpn dhcp magic works. perhaps it just doesn't over tun.
00:34 < rob0> I know Windows does a lot of wacky non-standard stuff, but still, I don't know how a tun could be configured by DHCP, at all.
00:34 < btm> mostly I went with tun initally to not have to set up bridging on the server side.
00:36 -!- chilicuil [~chilicuil@unaffiliated/chilicuil] has quit [Ping timeout: 265 seconds]
00:40 < rob0> You want tun. Bridging is seldom a good idea. But you have to have the server assign the client IP addresses, rather than using DHCP.
00:40 < rob0> And again, I don't know about (nor do I care to know) if Windows does something strange.
00:43 < btm> well, when ip-win32 is dynamic the client sets the ip addresses using dhcp
00:43 -!- chilicuil1 [~chilicuil@201.102.100.182] has quit [Ping timeout: 240 seconds]
00:45 < btm> Fri Feb 12 05:48:23 2010 us=875000 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.88.26.189/255.255.255.252 on interface {9F8E9EBA-61EB-4B87-AF8A-008B9718D227} [DHCP-serv: 10.88.26.190, lease-time: 31536000]
00:52 < btm> I'm relatively sure this is a Windows Server 2008 networking issue, I'm just terrible at debugging windows programs.
00:53 < rob0> Too bad there's no such thing as Windows support! Anyway, bedtime here, bye.
00:53 < btm> s/windows support/useful windows support/
00:53 < rob0> (which amounts to the same thing, does it not?)
00:54 < btm> I know a lot of people that pay a lot of money for a lot of support that doesn't do a lot ;)
00:54 < rob0> of course, there's a lot of misinformation in the Linux/Unix world too, but there's usually decent documentation.
00:55 < rob0> OpenVPN is one project which is pretty well documented.
00:55 < rob0> anyway, here I go, for real, good luck.
01:03 -!- chilicuil [~chilicuil@unaffiliated/chilicuil] has joined ##openvpn
01:08 -!- chilicuil [~chilicuil@unaffiliated/chilicuil] has quit [Quit: Leaving.]
01:11 -!- chilicuil [~chilicuil@unaffiliated/chilicuil] has joined ##openvpn
01:13 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
01:14 -!- theDoc [~jaki@119.73.165.162] has joined ##openvpn
01:14 -!- theDoc [~jaki@119.73.165.162] has quit [Client Quit]
01:27 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 256 seconds]
01:28 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
01:28 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
01:28 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
01:45 -!- chilicuil [~chilicuil@unaffiliated/chilicuil] has quit [Quit: Leaving.]
01:57 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
02:03 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
02:15 -!- polaru [~polaru@93.113.192.70] has joined ##openvpn
02:23 < jmm> hi;
02:23 < jmm> hi even.
02:23 < |Mike|> ih :)
02:23 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
02:34 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
02:46 < btm> I seem to eventually have gotten it working a second time. I'm pretty sure that manually configuring the interface, setting ip-win32 manual, then rebooting, is part of the solution.
02:50 -!- Sp4rKy [~Sp4rKy@freenode/sponsor/sp4rky] has left ##openvpn []
03:03 < |Mike|> must be windows
03:05 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
03:06 -!- master_of_master [~master_of@p57B55BC4.dip.t-dialin.net] has quit [Read error: Operation timed out]
03:09 -!- master_of_master [~master_of@p57B55DC9.dip.t-dialin.net] has joined ##openvpn
03:29 -!- tiav [~tiav@mx.fr.smartjog.net] has joined ##openvpn
03:39 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
03:49 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:16 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
04:30 -!- sparch [~daniel@pdpc/supporter/active/sparch] has joined ##openvpn
04:30 < sparch> morning
04:33 < hyper_ch> noon
04:37 < sparch> noon?
04:37 < macsppadic> morning sparch 
04:37 < sparch> hyper_ch: are you in Australia?
04:38 < hyper_ch> no
04:38 < hyper_ch> why should I be in Australia?
04:38 < sparch> by the fuse
04:40 < sparch> but dont worry
04:41 < hyper_ch> are you maybe confusing noon and midnight?
04:43 < sparch> nope
04:43 < sparch> here is 8:43
04:44 < sparch> I presume you are 6+ ?
04:46 < hyper_ch> I have no clue what you are referring to
04:46 < sparch> ok :)
04:47 -!- chilicuil [~chilicuil@unaffiliated/chilicuil] has joined ##openvpn
04:59 < Bushmills> http://upload.wikimedia.org/wikipedia/commons/e/e7/Timezones2008.png
04:59 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
05:03 < chilicuil> Hi, I've just set up openvpn (for the very first time) with this scenario <Remote machine> ----  <Openvpn server> ----- <Lan>, it's intend to be a roadwarrior setup. the remote machine is in the range 10.0.1.0/24 , the Openvpn server uses the 192.168.3/24 subnet and the Lan uses the 192.168.1.0/24 ips. Currently I can access from the remote machine to the Lan and the Openvpn with no problems, and I also can access to the remote machine from t
05:15 < Bushmills> !route
05:15 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
05:16 < Bushmills> chilicuil: ^^^
05:18 < chilicuil> ups, thx Bushmills, I'm reading
05:28 -!- ufoman [ufoman@kolos.math.uni.lodz.pl] has joined ##openvpn
05:28 < ufoman> hello there
05:29 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
05:29 < ufoman> I am generating certificates using these instructions to create certs for aes256 cipher: http://www.procyonlabs.com/guides/openbsd/openvpn/index.php
05:29 < vpnHelper> Title: Procyon Labs | Guides | OpenBSD | OpenVPN (at www.procyonlabs.com)
05:30 < ufoman> after sending ca.crt, client.crt and client.key to client machine, I can't establish a connection
05:31 < ufoman> client says the certificate is self-signed, and it is, but I need aes256
05:31 < ufoman> or am I deluded and I don't need to do it that way?
05:41 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 264 seconds]
05:41 -!- chilicuil [~chilicuil@unaffiliated/chilicuil] has quit [Ping timeout: 264 seconds]
05:42 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
05:44 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
05:45 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
05:52 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
05:52 -!- mode/##openvpn [+o mattock] by ChanServ
05:53 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
06:00 < sparch> OpenVPN for the win!
06:04 -!- chilicuil [~chilicuil@unaffiliated/chilicuil] has joined ##openvpn
06:12 < zamba> definitely
06:37 -!- tjz [~tjz@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
06:48 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
07:12 < ecrist> ufoman: can you share your configs, please?
07:15 -!- tiav [~tiav@mx.fr.smartjog.net] has quit [Ping timeout: 246 seconds]
07:16 -!- chilicuil [~chilicuil@unaffiliated/chilicuil] has quit [Remote host closed the connection]
07:25 -!- Krikke [~ixevix@62.142.105.142] has joined ##openvpn
07:25 < Krikke> !welcome
07:25 < vpnHelper> Krikke: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:26 < Krikke> !route
07:26 < vpnHelper> Krikke: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:31 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: Connection reset by peer]
07:37 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
07:54 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 260 seconds]
07:57 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
07:58 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
08:04 < KaiForce> I have a Leaf Bering router with a functional client config (network to network) and a functional server config (for "road warriors") but when I try to run both at the same time, the server fails to start with " Socket bind failed on local address [undef]:1194: Address already in use."  What am I doing wrong?
08:10 < KaiForce> Ok, seems "nobind" directive on client solves this for me.  Thanks!
08:19 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has joined ##openvpn
08:35 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
08:36 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Remote host closed the connection]
08:37 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 248 seconds]
08:56 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Quit: Távozom]
09:06 < sparch> back
09:13 < vpnHelper> New forum entry openvpnforum: Off Topic, Related :: Just saying Hello :: Author JensenElla <http://www.ovpnforum.com/viewtopic.php?f=1&t=2806&p=3265#p3265>
09:17 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:55 -!- makomi [~makomi@p509966c5.dip0.t-ipconnect.de] has joined ##openvpn
10:24 -!- kyrix [~ashley@41.251.18.208] has joined ##openvpn
10:39 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
10:42 -!- Blues-Man [~bluesman@host75-80-dynamic.37-79-r.retail.telecomitalia.it] has joined ##openvpn
10:42 < Blues-Man> hi all
10:43 < Blues-Man> I got this TLS Error: local/remote TLS keys are out of sync: [AF_INET]192.168.1.167:1194 from the server log but i have configurated it to run in UDP way for the 5000 port
10:43 < Blues-Man> what's wrong?
10:45 < ecrist> sounds like the time is wrong on one of the systems
10:46 < Blues-Man> ma the strange thing is that 1194 port is shown
10:46 < Blues-Man> while i'm using 5000
10:46 < Blues-Man> the 192.... is my IP in the real lan that is connecting to the VPN
11:12 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
11:14 -!- macsppadic [~sonupunno@82.109.74.162] has left ##openvpn []
11:19 < Blues-Man> how to avoid lag? after min of inactivities i can't do traffic, i also put ping 10 in both (client/server) conf
11:21 < rob0> 5000 was the old default, 1194 is default since a few years back.
11:22 < rob0> So if you upgrade and use an old config which didn't specify the port ...
11:24 < Blues-Man> i specified it as lport 5000
11:24 < Blues-Man> in the server
11:28 < Blues-Man> rob0, so is better to move to 1194?
11:32 < rob0> "Better" is not relevant. It's just what the new default is.
11:43 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
11:45 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
11:51 -!- polaru [~polaru@93.113.192.70] has quit [Remote host closed the connection]
11:57 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
12:03 -!- Blues-Man [~bluesman@host75-80-dynamic.37-79-r.retail.telecomitalia.it] has quit [Quit: Sto andando via]
12:13 < tw> Can I make openvpn run a script on connect and disconnect of a client or will I need to use a logwatcher for that?
12:15 < ecrist> yes, you can make it do what you want
12:15 < ecrist> look for up and down in man page
12:16 < tw> Ok, thanks, I'll look for that.  I was going through the howto one more time and didn't see it.
12:28 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.7/20091221164558]]
12:31 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
12:32 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Operation timed out]
12:32 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 258 seconds]
12:37 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
12:37 -!- dazo_afk [~dazo@nat/redhat/x-tnjwdjqvamlntvrb] has quit [Quit: ZNC - http://znc.sourceforge.net]
13:16 -!- teratoma [~unknown@i.dont.get.mad.i.get.stabby.net] has quit [Quit: leaving]
13:31 -!- kyrix [~ashley@41.251.18.208] has quit [Quit: Leaving]
13:42 -!- sparch [~daniel@pdpc/supporter/active/sparch] has quit [Quit: [hienoa] - your ass is glowing!]
14:19 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
14:23 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 272 seconds]
14:24 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
14:29 < ecrist> cron2: are you a developer?
14:34 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
15:33 -!- unsinn [~unsinn@rzlx0901.hs-esslingen.de] has joined ##openvpn
15:33 < unsinn> hello
15:34 < unsinn> how much is the average speed-up of comp-lzo? are there some experiences or papers to read?
15:34 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 260 seconds]
15:35 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
15:42 < tw> unsinn: I'd imagine that is highly dependent on the content that is being compressed.  Oberhumer (the O in LZO) has some stats on his site though it doesn't really explain the test well enough to reproduce his metrics.
15:44 < cron2> ecrist: why are you asking?
15:57 -!- unsinn [~unsinn@rzlx0901.hs-esslingen.de] has quit [Quit: Lost terminal]
15:58 -!- upb [cmpxchg@88.80.13.92] has left ##openvpn []
16:00 < cron2> ecrist: but to answer the question - I'm somewhat of a network admin and unix geek, and occasionally I find time to work on open source.  Current project: IPv6 transport in OpenVPN.
16:01 < rob0> My own very unscientific experiments with LZO and compressible data (piped /dev/zero over the VPN) found very little difference at the lower layer.
16:06 -!- cervicek [~cervicek@rzlx0901.hs-esslingen.de] has joined ##openvpn
16:10 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
16:39 -!- drako [~luisjose@nelug/coreteam/luisjose] has joined ##openvpn
16:39 < drako> why when i connect thro the VPN my ping jump from 100 to 500 and 400ms
16:39 < drako> its kind a lot of diference
16:42 < ecrist> because you're adding hops to the route
16:42 < ecrist> cron2: pm?
16:42 < drako> ecrist: its a bridge vpn
16:43 < ecrist> so?
16:43 < ecrist> you're still adding hops
16:43 < drako> oh wait
16:43 < drako> im also downloading something on the vpn server...
16:44 < ecrist> so, when your connection is saturated, you add latency?!?!?!!!11!
16:44 < drako> but still on the server the ping is on 300ms and on my client is 500ms
16:44 < ecrist> what's the latency between your client and the server?
16:45 < drako> ecrist: yes that make sense
16:45 < drako> ecrist: 250 plus other 250 it makes ~500
16:45 < ecrist> :)
16:45 < drako> so when my downlaod is done it should be like ~150
16:46 < drako> i totally forgot about that download :P
16:46 < ecrist> I can't speak to that, but if you add client -> server latency to server -> dest latency, you'll get total latency
16:46 < drako> yes
16:46 < ecrist> simple math, really
16:46 < drako> i forgot the client-server latency
16:46 < ecrist> :)
16:47 < drako> dunno why i thought i was on the lan ...
16:47 < ecrist> my job here is to state the obvious, and absorb the dick-headedness for the rest of the helpers in here.
16:49 -!- tjz [~tjz@bb116-15-75-224.singnet.com.sg] has joined ##openvpn
16:49 -!- tjz [~tjz@bb116-15-75-224.singnet.com.sg] has quit [Changing host]
16:49 -!- tjz [~tjz@unaffiliated/tjz] has joined ##openvpn
17:02 -!- makomi [~makomi@p509966c5.dip0.t-ipconnect.de] has quit [Remote host closed the connection]
17:19 -!- drako [~luisjose@nelug/coreteam/luisjose] has quit [Ping timeout: 264 seconds]
17:53 -!- krzee [nobody@hemp.ircpimps.org] has joined ##openvpn
17:53 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
17:53 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
17:57 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 256 seconds]
18:05 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Operation timed out]
18:07 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
18:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:08 -!- freaky[t] [alpha@freakyy.de] has quit [Ping timeout: 260 seconds]
18:08 -!- zorzar [~zz@static.78.193.46.78.clients.your-server.de] has quit [Ping timeout: 260 seconds]
18:08 -!- sno [~sno@78.46.209.153] has quit [Ping timeout: 260 seconds]
18:09 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 272 seconds]
18:10 -!- Bushmills [~nnnnnBush@verhau.de] has quit [Ping timeout: 272 seconds]
18:10 -!- reiffert [~thomas@mail.webersheim.de] has quit [Ping timeout: 260 seconds]
18:11 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Operation timed out]
18:15 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
18:15 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
18:15 -!- Bushmills [~nnnnnBush@verhau.de] has joined ##openvpn
18:16 -!- zorzar [~zz@static.78.193.46.78.clients.your-server.de] has joined ##openvpn
18:16 -!- reiffert [~thomas@mail.webersheim.de] has joined ##openvpn
18:16 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
18:17 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
18:17 -!- sno [~sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn
18:20 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
18:21 -!- teddymills [~teddy@208.92.235.227] has quit [Quit: Ex-Chat]
18:22 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
18:30 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
18:35 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 245 seconds]
18:43 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Ping timeout: 245 seconds]
18:45 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
18:49 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Client Quit]
18:50 -!- teddymills [~teddy@208.92.235.227] has joined ##openvpn
18:52 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
19:03 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
19:12 -!- le0 [~tehle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Quit: Leaving]
19:16 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
19:22 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Quit: ZNC - http://znc.sourceforge.net]
19:26 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
19:49 -!- tjz [~tjz@unaffiliated/tjz] has quit [Quit: bbl]
20:21 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
21:31 -!- sip83 [sip83@69.196.159.201] has joined ##openvpn
21:31 -!- sip83 [sip83@69.196.159.201] has quit []
22:11 -!- Dougy [~me@ool-435033e6.dyn.optonline.net] has joined ##openvpn
22:11 < Dougy> anyone got carfax? :)
22:44 -!- drako [~luisjose@nelug/coreteam/luisjose] has joined ##openvpn
23:13 -!- Sleeping`Dragon [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
23:15 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 256 seconds]
23:29 -!- Dougy [~me@ool-435033e6.dyn.optonline.net] has quit []
--- Day changed Sat Feb 13 2010
00:06 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
00:14 -!- Sleeping`Dragon [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 276 seconds]
00:15 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
01:37 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
01:44 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
01:49 < reiffert> theDoc.
01:55 -!- Guest8146 [fahad@pyramid.cluenet.org] has quit [Quit: ZNC - http://znc.sourceforge.net]
01:59 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
02:17 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
02:47 -!- gallatin [~gallatin@dslb-092-073-078-156.pools.arcor-ip.net] has joined ##openvpn
02:52 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 258 seconds]
03:08 -!- master_of_master [~master_of@p57B55DC9.dip.t-dialin.net] has quit [Ping timeout: 256 seconds]
03:10 -!- master_of_master [~master_of@p57B54AC5.dip.t-dialin.net] has joined ##openvpn
03:12 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Excess Flood]
03:13 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
04:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:43 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
05:05 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
05:08 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
05:16 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 246 seconds]
05:44 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
05:53 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
05:54 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
06:43 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
06:58 -!- kyrix [~ashley@41.251.12.211] has joined ##openvpn
07:18 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
07:36 -!- kyrix [~ashley@41.251.12.211] has quit [Ping timeout: 272 seconds]
07:48 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
07:51 -!- Phurl [~mdupont@2001:0:53aa:64c:3031:1b4d:ae2d:1b81] has joined ##openvpn
07:51 < Phurl> hi
07:52 < ecrist> hello
07:56 -!- gallatin [~gallatin@dslb-092-073-078-156.pools.arcor-ip.net] has quit [Quit: Client exiting]
07:59 < Bushmills> is a client config file for windows in identical format as for a xoid openvpn client? means, can i pass on a working client.conf to a windows user after having renamed it to client.ovpn?
07:59 < ecrist> yep
07:59 < Bushmills> glad to hear that
07:59 < ecrist> better yet, just name ALL configs client.ovpn and you're goot to go
07:59 < ecrist> good*
08:00 < Phurl> can i run openvpn over ipv6 
08:00 < ecrist> the only difference is the path, if the keys and certificates aren't in the same directory as the config
08:00 < Phurl> we cannot open up any incoming ports at home
08:00 < ecrist> Phurl: not at this time, though there are patches for it.
08:00 < Phurl> because the isp is blocking it
08:01 < Phurl> ok
08:01 < Bushmills> ok, so to keep it simple, i ask to put keys and config into same dir
08:01 < ecrist> yes, Bushmills 
08:01 < ecrist> I have windows, mac, and linux clients at work, and we hand out the exact same config bundle to all users.
08:02 < Phurl> #flossk #gfk "OpenVPN over IPv6" - http://github.com/jjo/openvpn-ipv6/watchers
08:02 < vpnHelper> Title: People watching jjo/openvpn-ipv6 - GitHub (at github.com)
08:03 -!- Artio [~a@port-7417.pppoe.wtnet.de] has joined ##openvpn
08:10 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 252 seconds]
08:24 -!- drako [~luisjose@nelug/coreteam/luisjose] has quit [Ping timeout: 240 seconds]
08:31 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
08:44 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:29 -!- drako [~luisjose@nelug/coreteam/luisjose] has joined ##openvpn
10:01 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
10:02 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
10:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
10:45 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
10:46 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
10:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:59 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
11:00 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
11:28 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
11:29 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
11:29 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
11:29 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
11:48 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
13:06 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
13:52 -!- Bushmills1 [~Bushmills@78.46.19.202] has joined ##openvpn
13:52 -!- Bushmills [~nnnnnBush@verhau.de] has quit [Disconnected by services]
13:53 -!- Bushmills1 is now known as Bushmills
14:02 -!- ozux [~ozux@91.99.12.178] has joined ##openvpn
14:02 -!- ozux [~ozux@91.99.12.178] has quit [Quit: leaving]
14:37 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
14:49 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
14:49 -!- palmpreopenvpn [~1817b419@gateway/web/freenode/x-eqkypjixboqrrmjg] has joined ##openvpn
15:00 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
15:06 -!- palmpreopenvpn [~1817b419@gateway/web/freenode/x-eqkypjixboqrrmjg] has left ##openvpn []
15:06 -!- arturob [~bandini@host60-104-dynamic.45-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
15:19 -!- hacim [~micah@debian/developer/micah] has joined ##openvpn
15:20 < hacim> is there a way a client can override the ifconfig line that the server is sending?
15:20 < hacim> the one I'm getting doesn't work, but I *can* fix it if I drop to shell and tweak it
15:21 -!- kyrix [~ashley@41.92.44.127] has joined ##openvpn
15:45 -!- drako [~luisjose@nelug/coreteam/luisjose] has quit [Quit: Leaving...]
16:04 -!- Artio [~a@port-7417.pppoe.wtnet.de] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Now with extra fish!]
16:13 -!- kyrix [~ashley@41.92.44.127] has quit [Quit: Leaving]
16:20 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
16:23 < hacim> the problem is that the ifconfig line the server sends includes the broadcast option and that causes my interface to get fucked
16:24 < hacim> I also cannot hardcode the IP in there, because it changes
16:25 < cron2> hacim: you could configure the client without "pull" in its config, causing it to not pull any configuration from the server.  But I'm not sure whether you'll receive the lines at all, then, or not at all.  Test it :-)
16:26 < hacim> cron2: yeah, the problem with that is I wont get the dynamic IP
16:26 < cron2> hacim: you *could* also just read "man openvpn" and set "ifconfig-noexec" in the client config :-)
16:27 < cron2> (and run your script with the "up /path/to/my/script" command)
16:27 < hacim> cron2: ooh i missed that option
16:39 -!- cbob27410 [~cbaldini@cpe-174-098-211-065.triad.res.rr.com] has joined ##openvpn
16:45 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
16:54 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
16:55 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
17:06 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
17:15 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
17:34 -!- drako [~luisjose@nelug/coreteam/luisjose] has joined ##openvpn
17:34 -!- drako [~luisjose@nelug/coreteam/luisjose] has quit [Remote host closed the connection]
18:12 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
18:26 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
18:26 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
18:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
20:42 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
20:48 -!- theDoc [~jaki@bb121-6-159-65.singnet.com.sg] has joined ##openvpn
21:26 -!- Alex___ [~1817b419@gateway/web/freenode/x-lxfpcyyjveigozsd] has joined ##openvpn
21:28 -!- theDoc [~jaki@bb121-6-159-65.singnet.com.sg] has quit [Quit: Leaving]
21:30 < Alex___> Hi, I'm attempting to get openvpn working on my palm pre.  Anyone able to take a look at a log and tell me what's wrong? http://pastebin.com/m64f8d45b
21:30 < Alex___> !welcome
21:30 < vpnHelper> Alex___: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:31 < Alex___> !howto
21:31 < vpnHelper> Alex___: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
21:37 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
21:43 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
21:54 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
23:01 -!- Bushmills [~Bushmills@78.46.19.202] has quit [Quit: Terminated with extreme prejudice - dircproxy 1.0.5]
23:28 -!- Bushmills1 [~Bushmills@78.46.19.202] has joined ##openvpn
23:28 -!- Bushmills1 is now known as Bushmills
23:28 -!- Bushmills [~Bushmills@78.46.19.202] has quit [Disconnected by services]
23:29 -!- Bushmill- [~Bushmills@78.46.19.202] has joined ##openvpn
23:29 -!- Bushmill- is now known as Bushmills
23:30 -!- Bushmills [~Bushmills@78.46.19.202] has quit [Disconnected by services]
23:31 -!- Bushmills1 [~Bushmills@78.46.19.202] has joined ##openvpn
23:33 -!- Bushmills1 is now known as Bushmills
23:33 -!- Bushmills [~Bushmills@78.46.19.202] has quit [Disconnected by services]
23:33 -!- Bushmills1 [~Bushmills@scarydevilmonastery.net] has joined ##openvpn
23:34 -!- Bushmills1 is now known as Bushmills
23:34 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has quit [Disconnected by services]
23:34 -!- Bushmills1 [~Bushmills@scarydevilmonastery.net] has joined ##openvpn
23:35 -!- Bushmills1 is now known as Bushmills
23:35 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has quit [Disconnected by services]
23:36 -!- Bushmills [~Bushmills@78.46.19.202] has joined ##openvpn
--- Day changed Sun Feb 14 2010
00:31 -!- kyrix [~ashley@41.92.5.28] has joined ##openvpn
00:38 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
00:38 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
01:53 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:53 -!- mode/##openvpn [+o mattock] by ChanServ
01:56 < Alex___> anyone here?
02:04 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Ping timeout: 260 seconds]
02:10 -!- Alex___ [~1817b419@gateway/web/freenode/x-lxfpcyyjveigozsd] has quit [Ping timeout: 252 seconds]
02:17 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
02:21 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Read error: Operation timed out]
02:25 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
03:08 -!- master_of_master [~master_of@p57B54AC5.dip.t-dialin.net] has quit [Ping timeout: 272 seconds]
03:10 -!- master_of_master [~master_of@p57B55086.dip.t-dialin.net] has joined ##openvpn
03:35 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
03:58 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:07 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
04:58 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
05:45 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:30 -!- Mtn_Bkng_Dave [whome@68.186.32.29] has joined ##openvpn
06:31 < Mtn_Bkng_Dave> morning guys and girls
06:31 < Mtn_Bkng_Dave> i am having a script error when i try to log in a client
06:32 < Mtn_Bkng_Dave> NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
06:32 < Mtn_Bkng_Dave> any ideas?
06:33 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
06:33 < Mtn_Bkng_Dave> hi krzee
06:33 < Mtn_Bkng_Dave> NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
06:33 < krzee> hey
06:33 < Mtn_Bkng_Dave> getting that trying to log in a road warrior........typo in the config script for the client?
06:34 < krzee> every 2.1 prints that warning
06:34 < krzee> its not an error
06:34 < Mtn_Bkng_Dave> ok........
06:34 < Mtn_Bkng_Dave> it was the first in a line........
06:34 < Mtn_Bkng_Dave> of errors
06:35 < Mtn_Bkng_Dave> do you have time to take a look for me?
06:35 < rob0> I would suggest that you use '--script-security 2' or higher to call user-defined scripts or executables. ;)
06:36 < krzee> post it
06:36 < Mtn_Bkng_Dave> http://pastebin.com/d4dafd5df
06:36 < Mtn_Bkng_Dave> thats the log file
06:37 < Mtn_Bkng_Dave> from the client
06:37 < Mtn_Bkng_Dave> let me get the config
06:37 < krzee> new vpn or previously working?
06:38 < Mtn_Bkng_Dave> the server is working
06:38 < Mtn_Bkng_Dave> i have it up and running a routed network between two offices
06:38 < Mtn_Bkng_Dave> just adding a road warrior
06:39 < Mtn_Bkng_Dave> http://pastebin.com/d5b962b37
06:39 < Mtn_Bkng_Dave> thats the config file
06:40 < krzee> !configs
06:40 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
06:40 < krzee> filter the comments pls
06:40 < Mtn_Bkng_Dave> should i just get rid of them?
06:40 < Mtn_Bkng_Dave> thats from the sample
06:41 < krzee> try this 1 time:
06:41 < krzee> comment this line
06:41 < krzee> remote-cert-tls server
06:42 < Mtn_Bkng_Dave> ok
06:43 < Mtn_Bkng_Dave> ok it tried 1 time and failed
06:43 < Mtn_Bkng_Dave> lemme get the log
06:44 < Mtn_Bkng_Dave> got further tho
06:45 < Mtn_Bkng_Dave> http://pastebin.com/d27c5629c
06:46 < Mtn_Bkng_Dave> says its looking for a tap
06:46 < Mtn_Bkng_Dave> let me delete that tun0 back to tun
06:46 < Mtn_Bkng_Dave> and try that
06:48 < Mtn_Bkng_Dave> does it still require the tap device for tun use?
06:50 < Mtn_Bkng_Dave> ok that would be a yes
06:50 < Mtn_Bkng_Dave> LOL
06:50 < Mtn_Bkng_Dave> !configs
06:50 < vpnHelper> Mtn_Bkng_Dave: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
06:52 < krzee> lol ya windows tap driver does tun mode
06:53 < Mtn_Bkng_Dave> ok thanks
06:53 < Mtn_Bkng_Dave> so what did the line actually do that i commented out?
06:53 < krzee> !mitm
06:53 < vpnHelper> krzee: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
06:53 < krzee> your server cert isnt signed as a server cert, your client was checking that it was
06:54 < Mtn_Bkng_Dave> i used build-key-server server to build it
06:54 < Mtn_Bkng_Dave> did i miss something there?
06:55 < krzee> maybe its old style and you're checking for new style
06:55 < krzee> try 
06:55 < krzee> ns-cert-type server
06:56 < Mtn_Bkng_Dave> ok let me try that
06:56 < Mtn_Bkng_Dave> this is the free version btw
06:56 < Mtn_Bkng_Dave> on the routers anyway
06:56 < krzee> good thats all i know
06:57 < Mtn_Bkng_Dave> it seems to be happy with that line
06:58 < Mtn_Bkng_Dave> verified "OK"
06:59 < Mtn_Bkng_Dave> there is no need for iroute on a single client is there?
07:00 < krzee> if there is a lan behind it
07:00 < Mtn_Bkng_Dave> not that i want to see
07:00 < krzee> no reason for iroute unless theres a lan behind the client
07:00 < Mtn_Bkng_Dave> hotel lan
07:00 < Mtn_Bkng_Dave> ok thought that was correct
07:01 < Mtn_Bkng_Dave> i havent messed with it in a few weeks
07:01 < Mtn_Bkng_Dave> LOL
07:01 < Mtn_Bkng_Dave> been installing ip cameras
07:01 < Mtn_Bkng_Dave> and clogging my network with garbage
07:01 < Mtn_Bkng_Dave> LOL
07:02 < Mtn_Bkng_Dave> wonder if I should put them on another vlan
07:02 < Mtn_Bkng_Dave> or subnet altogether
07:04 < rob0> You surely don't want the cameras on a subnet that the guests can access. You would have to call them "insecurity cameras" in that case!
07:05 < Mtn_Bkng_Dave> they are passworded
07:05 < Mtn_Bkng_Dave> and its in my offices
07:05 < Mtn_Bkng_Dave> not a hotspot or anything
07:05 < Mtn_Bkng_Dave> and they use them for client photos and such
07:05 < rob0> guests don't have wireless access?
07:06 < Mtn_Bkng_Dave> not on that network
07:06 < Mtn_Bkng_Dave> its for hospital traffic
07:06 < rob0> that was what I was saying ... you don't want them on the same network as the cameras
07:07 < Mtn_Bkng_Dave> right now they use the cameras for client photos
07:07 < Mtn_Bkng_Dave> its an animal hospital
07:07  * rob0 has spent time in hotels trying to see what could be gotten from their networks :)
07:07 < Mtn_Bkng_Dave> yeah
07:07 < Mtn_Bkng_Dave> me too
07:07 < Mtn_Bkng_Dave> LOL
07:07 < Mtn_Bkng_Dave> im in a hotel 300 days a year
07:08 < Mtn_Bkng_Dave> boredom drives the need for hacking LOL
07:08 < rob0> oh oh I was thinking you were the hotel owner/manager/network guy.
07:08 < Mtn_Bkng_Dave> no no
07:08 < rob0> now I get it
07:08 < Mtn_Bkng_Dave> LOL
07:08 < rob0> you're a vet?
07:08 < Mtn_Bkng_Dave> my gf and I have 8 vet clinics in atlanta
07:08 < Mtn_Bkng_Dave> shes the vet
07:09 < rob0> gotcha
07:09 < Mtn_Bkng_Dave> i build commercial bakeries
07:10 < Mtn_Bkng_Dave> and do her IT
07:10 < Mtn_Bkng_Dave> from far away LOL
07:10 < rob0> "Bkng" means "baking"
07:10 < Mtn_Bkng_Dave> no actually thats biking
07:10 < Mtn_Bkng_Dave> LOL
07:10 < Mtn_Bkng_Dave> the baking came later
07:10 < rob0> haha okay
07:10 < Mtn_Bkng_Dave> i used to race some
07:11 < Mtn_Bkng_Dave> back when i could train everyday
07:11 < rob0> My son was into that too.
07:11 < Mtn_Bkng_Dave> now i have $10k worth of bikes collecting dust for the most part
07:12 < rob0> his are worth maybe 1/4th that, but also gathering dust :)
07:12 < Mtn_Bkng_Dave> i miss it
07:13 < Mtn_Bkng_Dave> i really enjoyed it
07:14 < Mtn_Bkng_Dave> ok another vpn question
07:14 < Mtn_Bkng_Dave> is there any way to point the vpn to my wins server?
07:14 < Mtn_Bkng_Dave> can i just configure it in the tap?
07:15 < krzee> you can send it as a dhcp-option
07:15 < Mtn_Bkng_Dave> is there a help file for that one?
07:16 < Mtn_Bkng_Dave> my regular DHCP server does
07:18 < Mtn_Bkng_Dave> !configs
07:18 < vpnHelper> Mtn_Bkng_Dave: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
07:18 < Mtn_Bkng_Dave> !route
07:18 < vpnHelper> Mtn_Bkng_Dave: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:19 < Mtn_Bkng_Dave> what would be the syntax on that krzee?
07:20 < krzee> !man
07:20 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
07:21 < Mtn_Bkng_Dave> ok thanks
07:21 < rob0> --dhcp-option is Windows only
07:22 < krzee> well in linux a script neeeds to grab them and do it
07:23 < Mtn_Bkng_Dave> so is that added on the server side or client?
07:24 < Mtn_Bkng_Dave> server is a dd-wrt linux box
07:24 < Mtn_Bkng_Dave> clients are winders
07:24 < Mtn_Bkng_Dave> LOL
07:24 < Mtn_Bkng_Dave> the road warrior clients are anyway
07:24 < krzee> client is win it'll get the dhcp options
07:25 < Mtn_Bkng_Dave> that will work.......
07:25 < Mtn_Bkng_Dave> the remote lans all have dhcp servers issuing the wins server anyway
07:39 < Mtn_Bkng_Dave> ok gotta get to work.........
07:39 < Mtn_Bkng_Dave> later guys
07:40 < Mtn_Bkng_Dave> thanks for the help
07:40 -!- Mtn_Bkng_Dave [whome@68.186.32.29] has quit []
07:54 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:56 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
08:05 -!- Phurl [~mdupont@2001:0:53aa:64c:3031:1b4d:ae2d:1b81] has left ##openvpn ["Ex-Chat"]
08:15 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
08:29 -!- sporedi [~chatzilla@121.247.65.116] has joined ##openvpn
08:30 < sporedi> hello friends i am new to ssl vpn ,after connected to ssl vpn how do i access my network resource ,my desktop remotely 
08:31 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
08:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:40 < Bushmills> your vpn will supply virtual interfaces, which have ip addresses. you route traffic through those
08:44 < rob0> Sounds like you lack a basic understanding of how IP routing works. The good news: openvpn is an excellent way to teach yourself. :)
09:29 -!- sporedi [~chatzilla@121.247.65.116] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.7/20091221164558]]
10:05 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
10:15 -!- warddr [~warddr@Wikipedia/Warddr] has joined ##openvpn
10:15 < warddr> !welcome
10:15 < vpnHelper> warddr: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:01 < warddr> Hello, does anyone know if openVPN can be used to "bypass" internet censorship? And is it really safe enough?
11:03 < tw> Hi, I use it for exactly that with a vpn server in the US and a client in saudi arabia and it bypasses the filters in place.
11:03 < rob0> No encryption technology is safe from certain brute force attacks; those being: application of brute force upon the user.
11:04 < rob0> If you're out of favor of the guys with guns, and they want to harass you ... they will.
11:04 < tw> I would agree.  a vpn is only one part of the security precautions you should take in that instance.
11:04 < acidfoo> !goal
11:04 < vpnHelper> acidfoo: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:04 < rob0> but, they're not going to trivially be able to see what you did
11:05 < rob0> (if it matters ... suspicion is enough in many cases)
11:08 < warddr> It's really for someone (not for me, I don't have to be afraid in the European Union), who really can't say what he likes to say on the internet because he is affraid for the guns
11:23 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
11:25 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 252 seconds]
11:36 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
11:41 -!- teddymills_ [~teddy@208.92.235.227] has joined ##openvpn
11:44 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
11:46 -!- hacim [~micah@debian/developer/micah] has left ##openvpn []
12:07 -!- cbob27410 [~cbaldini@cpe-174-098-211-065.triad.res.rr.com] has quit [Ping timeout: 256 seconds]
12:07 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
12:09 -!- cbob27410 [~cbaldini@cpe-174-098-211-065.triad.res.rr.com] has joined ##openvpn
12:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
12:21 -!- cbob27410 [~cbaldini@cpe-174-098-211-065.triad.res.rr.com] has left ##openvpn []
12:21 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:22 < dunc> !mitm
12:22 < vpnHelper> dunc: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
12:41 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 260 seconds]
12:52 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:54 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
12:54 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
12:54 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
13:16 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
13:58 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 260 seconds]
14:04 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: Leaving]
14:20 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
15:29 -!- warddr [~warddr@Wikipedia/Warddr] has quit [Ping timeout: 252 seconds]
15:31 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
15:42 -!- warddr [~warddr@Wikipedia/Warddr] has joined ##openvpn
16:01 -!- kyrix [~ashley@41.92.5.28] has quit [Ping timeout: 240 seconds]
16:18 -!- Nrg_ [pk@reaktio.net] has quit [Read error: Operation timed out]
16:23 -!- Nrg_ [pk@reaktio.net] has joined ##openvpn
16:25 -!- Nrg_ [pk@reaktio.net] has quit [Read error: Operation timed out]
16:27 -!- warddr [~warddr@Wikipedia/Warddr] has quit [Quit: Leaving]
16:33 -!- airmack [~airmack@slashem.de] has joined ##openvpn
16:33 < airmack> hoi hoi
16:33 < airmack> !welcome
16:33 < vpnHelper> airmack: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:34 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
16:37 < airmack> somehow openvpn has trouble parsing my config file. I compiled openvpn for the ARM architecture as static. Funny thing is i am using the same config files on x86 system and there it works.
16:38 < airmack> I am invoking openvpn with /usr/sbin/openvpn --config /etc/openvpn/openvpn.conf
16:38 < airmack> and i get Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/openvpn.conf:16: client (2.1.0)
16:38 < airmack> probably it is not so much of a problem with the config file
16:40 < airmack> is there any way to figure out what goes wrong?
16:40 < rob0> increase log verbosity?
16:42 < airmack> even when using --verb 5 or higher there is no other output
16:43 < airmack> just the Options error
16:44 < airmack> also when trying openvpn --client i get the same error message
16:45 < airmack> with s/:16: client/[CMD-LINE]:1: client (2.1.0)
16:49 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
16:50 -!- Nrg_ [pk@reaktio.net] has joined ##openvpn
17:36 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
17:53 -!- kyrix [~ashley@41.92.11.115] has joined ##openvpn
17:54 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
18:39 -!- teddymills_ [~teddy@208.92.235.227] has quit [Quit: Ex-Chat]
19:15 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
19:32 -!- flaco [~sistema@pc-166-153-83-200.cm.vtr.net] has joined ##openvpn
19:35 < flaco> hi all.. I got a big trouble here... my vpn server (the machine) die... so I took the hard drive and put in another computer... the problem is that the openvpn server does not run...
19:35 < flaco> I check the logs.. and the server is looking for eth0, but I got eth1.. and can't change it... any ideas how to solve this?
19:36 -!- flaco is now known as flacom
19:42 -!- flacom [~sistema@pc-166-153-83-200.cm.vtr.net] has quit [Remote host closed the connection]
19:44 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Quit: ZNC - http://znc.sourceforge.net]
19:44 -!- flacom [~sistema@pc-166-153-83-200.cm.vtr.net] has joined ##openvpn
19:53 -!- kyrix [~ashley@41.92.11.115] has quit [Quit: Leaving]
19:54 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
19:54 -!- flacom [~sistema@pc-166-153-83-200.cm.vtr.net] has quit [Ping timeout: 248 seconds]
20:10 -!- flacom [~sistema@pc-166-153-83-200.cm.vtr.net] has joined ##openvpn
20:56 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
20:57 -!- flacom [~sistema@pc-166-153-83-200.cm.vtr.net] has quit [Quit: Leaving]
21:22 < vpnHelper> New forum entry openvpnforum: Off Topic, Related :: Re: Hey guys :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=1&t=2756&p=3339#p3339>
21:24 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
21:44 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
21:46 -!- closer [~muffinman@southampton.perfect-privacy.com] has joined ##openvpn
21:46 < closer> hi
21:46 < closer> what is the command to open a ovpn file in linux
21:53 < Bushmills> closer: openvpn
21:55 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
22:54 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:04 -!- zheng [~zheng@114.92.140.81] has joined ##openvpn
23:06 -!- closer [~muffinman@southampton.perfect-privacy.com] has quit [Read error: Connection reset by peer]
23:13 -!- zheng [~zheng@114.92.140.81] has quit [Quit: Leaving]
23:49 -!- poningru [~poningru@dsl093-236-026.hfd1.dsl.speakeasy.net] has quit [Read error: Operation timed out]
23:51 -!- poningru [~poningru@dsl093-236-026.hfd1.dsl.speakeasy.net] has joined ##openvpn
--- Day changed Mon Feb 15 2010
00:17 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
00:50 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
01:38 -!- polaru [~polaru@93.113.192.70] has joined ##openvpn
01:52 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:52 -!- mode/##openvpn [+o mattock] by ChanServ
01:55 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
02:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:33 -!- Vakz [~Vakz@90-227-168-81-no123.tbcn.telia.com] has joined ##openvpn
02:35 < Vakz> I'm using OpenVPN-AS. Is it possible to reach the adminUI from within the virtual network? From the network i'm connecting, only port 80 and port 443 are avaliable, and i'm already using port 80 for lighttpd and port 80 for the VPN-tunnel. So basically, is it possible to connect to 172.16.0.1 through the tunnel? I can already connect to things like my FTP, which are on the same server as the VPN, but the adminUI seems unavaliable.
02:43 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
02:47 < krzee> [19:46]  <closer> what is the command to open a ovpn file in linux
02:47 < krzee> [19:53]  <Bushmills> closer: openvpn
02:47 < krzee> heh
02:49 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
02:55 -!- APTXderZweite [~APTX@ks32603.kimsufi.com] has quit [Quit: No Ping reply in 180 seconds.]
03:08 -!- master_of_master [~master_of@p57B55086.dip.t-dialin.net] has quit [Ping timeout: 256 seconds]
03:10 -!- master_of_master [~master_of@p57B563A4.dip.t-dialin.net] has joined ##openvpn
03:36 -!- maxagaz_ [~maxagaz@soho2.i-xanadu.com] has joined ##openvpn
03:36 < maxagaz_> hi
03:38 -!- maxagaz [~maxagaz@soho2.i-xanadu.com] has joined ##openvpn
03:39 -!- maxagaz_ [~maxagaz@soho2.i-xanadu.com] has quit [Quit: Ex-Chat]
03:43 < maxagaz> I have installed a new openvpn clients with keys and certificates, when I start it, it says OK, but when I type ifconfig, I get no tun0, and I can only see this in the logs: VERIFY ERROR: depth=1, error=certificate is not yet valid
03:51 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
04:17 -!- amol112 [~amol111@203.129.255.181] has joined ##openvpn
04:18 < amol112> hi all i am downloading / syncing android  but getting message as external/openvpn/: discarding 11 commits external/openvpn/: discarding 1 commits
04:30 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Ping timeout: 240 seconds]
04:33 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
04:33 -!- amol112 [~amol111@203.129.255.181] has quit [Remote host closed the connection]
04:37 -!- flacom [~flaco@pc-166-153-83-200.cm.vtr.net] has joined ##openvpn
04:38 < flacom> !wiki
04:38 < vpnHelper> flacom: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
04:51 -!- zorzar [~zz@static.78.193.46.78.clients.your-server.de] has quit [Ping timeout: 260 seconds]
05:07 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
05:19 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
05:22 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
05:35 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
05:38 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:42 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:45 < krzee> !winipforward
05:45 < vpnHelper> krzee: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
06:00 <@mattock> has anyone seen dazo lately?
06:01 < flacom> hi all.. my server (the machine) die, so I took the harddrive and put in another computer.. but the openvpn server is not running, is expecting eth0 but I got eth1, how cna I change the conf of the server.. it was made by the webadmin
06:04 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
06:17 < krzee> flacom, very unlikely, if not impossible that your problem is openvpn specific
06:20 -!- dazo|h [~dazo@ip4-83-240-69-215.cust.nbox.cz] has joined ##openvpn
06:29 -!- dazo|h [~dazo@ip4-83-240-69-215.cust.nbox.cz] has quit [Ping timeout: 264 seconds]
06:30 -!- dazo|h [~dazo@ip4-83-240-69-215.cust.nbox.cz] has joined ##openvpn
06:40 < Sweeper> flacom: yea, openvpn does not look at the hardware device names for listening, you'll have to configure your network interfaces first
06:48 < flacom> Sweeper, krzee : this is the server log http://dpaste.com/159019/
06:49 < krzee> [04:17]  <krzee> flacom, very unlikely, if not impossible that your problem is openvpn specific
06:50 < rob0> I won't even look at that paste, sorry. Learn how to manage your OS, ask your questions about that in a place for your OS.
06:50 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
06:50 < krzee> !notovpn
06:50 < vpnHelper> krzee: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
06:55 -!- dazo|h [~dazo@ip4-83-240-69-215.cust.nbox.cz] has quit [Ping timeout: 265 seconds]
07:04 -!- Sweeper [~ppp@74.51.109.60] has left ##openvpn []
07:05 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
07:05 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
07:08 -!- dazo|h [~dazo@ip4-83-240-69-215.cust.nbox.cz] has joined ##openvpn
07:23 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 252 seconds]
07:50 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:01 -!- dazo_afk [~dazo@nat/redhat/x-tdbhaajxdrkprlfl] has joined ##openvpn
08:01 -!- dazo_afk is now known as Guest44788
08:02 -!- Guest44788 is now known as dazo
08:02 -!- dazo|h [~dazo@ip4-83-240-69-215.cust.nbox.cz] has quit [Quit: Leaving]
08:12 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
08:12 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
08:13 -!- Zordrak is now known as H2SO4
08:13 -!- H2SO4 is now known as Zordrak
08:45 -!- dazo [~dazo@nat/redhat/x-tdbhaajxdrkprlfl] has quit [Read error: Connection reset by peer]
08:48 -!- dazo [~dazo@nat/redhat/x-bjkcerkabsnydzqk] has joined ##openvpn
08:49 -!- dazo is now known as Guest28846
09:17 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
09:22 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
09:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
09:31 < s-taylo> Hi all, I've attempted to disable keepalives by setting 'keepalive 86400 345600' in my config file (ping every 24 hours and disconnect after 96 hours - pointless really but keepalive 0 0 doesn't work), but I still see an exchange of TCP packets regularly every 5 minutes ( 300 seconds). Any idea what could be causing this?
09:32 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
09:32 -!- dKingston [~unsigned_@65-78-93-47.c3-0.tlg-ubr2.atw-tlg.pa.cable.rcn.com] has joined ##openvpn
09:32 < dKingston> question
09:33 < dKingston> oh
09:36 < jmm> answer.
09:36 < jmm> ah
09:37 < dKingston> you dont support what I need help with :p
09:37 < ecrist> :)
09:37  * ecrist guesses access server
09:37 < dKingston> indeed
09:45 -!- airmack [~airmack@slashem.de] has left ##openvpn ["= He comes. He who walks behind walls."]
09:57 < s-taylo> Hmm, appears to originate from the server, consists of two TCP packets and then a single packet response from the remote. Packet length is always 40 bytes. Sounds like a ping, but the configuration options on the server should be preventing any regular pings at that sort of interval
10:00 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 256 seconds]
10:01 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
10:01 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
10:01 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
10:02 < acidfoo> 40bytes might be an arp request
10:04 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:06 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
10:08 -!- kyrix [~ashley@41.92.41.90] has joined ##openvpn
10:13 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
10:22 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
10:34 < s-taylo> acidfoo: Thanks, I'll look into that. I'm using tun; would ARP requests be transferred?
10:35 < acidfoo> what is your OS
10:38 < s-taylo> Both linux devices; centos (red hat) on the server, openWRT on the remote
10:38 < acidfoo> ok
10:38 -!- goog1jh_ [googijh@my.barbie.wears.no-panties.org] has joined ##openvpn
10:39 -!- goog1jh [googijh@my.barbie.wears.no-panties.org] has quit [Read error: Operation timed out]
10:40 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
10:47 -!- kyrix [~ashley@41.92.41.90] has quit [Quit: Leaving]
10:52 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Quit: No Ping reply in 180 seconds.]
10:56 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
10:56 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
10:56 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
11:00 < ecrist> with tun, arp would not traverse the vpn
11:05 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
11:07 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Quit: ircN 8.00 for mIRC (20080809) - www.ircN.org]
11:07 < s-taylo> OK, thanks. Oddly I don't seem to be getting the traffic anymore, trying to determine at which point it stopped now (but just glad that it seems to be possible to have a completely idle connection!)
11:30 -!- tmwsiy2012 [~tmwsiy@152-20-244-42.rev.uncw.edu] has joined ##openvpn
11:30 < tmwsiy2012> !welcome
11:30 < vpnHelper> tmwsiy2012: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:31 < tmwsiy2012> !man
11:31 < vpnHelper> tmwsiy2012: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
11:34 < tmwsiy2012> so has anyone had any luck with getting the client to work in windows 7? I am using the 2.1.1 version and it connects and even tells me I have a 10.2.1.0 address but when I run ipconfig it shows the APIPA address for the interface
11:40 -!- tmwsiy2012 [~tmwsiy@152-20-244-42.rev.uncw.edu] has quit [Ping timeout: 264 seconds]
11:49 -!- Guest28846 is now known as dazo
11:50 -!- knarfly [~vlad@c-98-242-237-166.hsd1.fl.comcast.net] has joined ##openvpn
11:50 < knarfly> I need to setup Open VPN on my FreeBSD-7.2 server to connect to a Cisco router at my employer
11:51 < knarfly> can anyone offer some advice?
11:51 < knarfly> I followed the docs as best I can but I'm not sure that I'm on the right track
11:53 < ecrist> OpenVPN does not connect to Cisco SSL VPN
11:55 < knarfly> ecrist: thanks...I believe you're the same person who wrote the article I read a few hours ago
11:55 < knarfly> http://www.secure-computing.net/wiki/index.php/FreeBSD_OpenVPN_Server/Routed
11:55 < vpnHelper> Title: FreeBSD OpenVPN Server/Routed - Secure Computing Wiki (at www.secure-computing.net)
11:56 < knarfly> but if Open VPN does not connect with Cisco router I'm going to have to pursue other options
11:57 < ecrist> that is my wiki, yes
11:57 < knarfly> can anyone make recommendation for connecting my home LAN/WAN which uses FreeBSD to a Cisco Router?
11:57 < ecrist> OpenVPN and Cicso have different implementations of SSL VPN
11:58 < ecrist> http://www.infradead.org/openconnect.html
11:58 < vpnHelper> Title: OpenConnect (at www.infradead.org)
11:58 < ecrist> that may be a good place to start, knarfly 
11:59 < ecrist>  /usr/ports/security/openconnect
12:01 < knarfly> thanks...checking it out now
12:01 < ecrist> !cisco
12:01 < vpnHelper> ecrist: Error: "cisco" is not a valid command.
12:02 < ecrist> !learn cisco as An open-source client for Cisco SSL VPN is available from http://www.infradead.org/openconnect.html
12:02 < vpnHelper> ecrist: Joo got it.
12:03 < ecrist> !learn cisco as OpenConnect is availabe in FreeBSD ports in security/openconnect
12:03 < vpnHelper> ecrist: Joo got it.
12:03 < knarfly> so openconnect is aka !lean cisco???
12:04 < knarfly> so openconnect is aka !learn cisco???
12:05 < knarfly> yuk! /usr/ports/security/openconnect/pkg-message has a dire warning in it
12:08 < knarfly> it also warns that any version of FreeBSD older than 8.0 require several patches for OpenSSL....I was running 8.0 but it proved unstable and I went back to 7.2-STABLE
12:09 -!- Anthro [~kzjdfhfvd@c-68-50-227-86.hsd1.md.comcast.net] has joined ##openvpn
12:09 < knarfly> and of course there is no information on what patches are required or how to acquire them...
12:10 < Anthro> Can someone point me to a comparison, in terms of advantages and disadvantages, of using OpenVPN over TCP vs. UDP?
12:10 < ecrist> knarfly: what issues did you have with 8.0?
12:10 < ecrist> I'm running it in production on about 20 systems without issue
12:10 < ecrist> !tcp
12:11 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
12:11 < ecrist> Anthro: the above is for you
12:11 < ecrist> :)
12:16 < ecrist> knarfly: you must have an old copy of ports, my pkg-message for openconnect has no such dire warning
12:16 < ecrist> it mentions a patch, but indicates the connections will still function
12:23 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 272 seconds]
12:26 < Anthro> ecrist: Thanks
12:31 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
12:31 -!- mode/##openvpn [+o openvpn2009] by ChanServ
12:32 < Anthro> Is anyone familiar with the OpenVPN book by Markus Feilner? Is it as woefully out of date as a 2006 copyright might indicate?
12:37 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
12:38 < ecrist> not really, but yes
12:38 < ecrist> there is a lot that will still apply, but there are many features in 2.1 that could not be covered in the book
12:57 < knarfly> ecrist: I was running my 8.0 server as a wireless AP and it was very sporadic...sometimes it would connect, but most of the time it would not...connection speed was ridiculously slow as well
12:57 < knarfly> I reinstalled 7.2-STABLE and it got better but there were still problems with the wireless AP setup so I abandoned it for now
12:57 < knarfly> I just updated my ports collection a few hours ago
13:02 < ecrist> ok, well, that's your option, on freebsd.  good luck
13:16 < krzee> [10:57]  <knarfly> ecrist: I was running my 8.0 server as a wireless AP and it was very sporadic...sometimes it would connect, but most of the time it would not...connection speed was ridiculously slow as well
13:16 < krzee> that sounds like device support, as opposed to the os
13:17 < knarfly> krzee: I think you're right about that...some others I chatted with in #freebsd said it was less hassle with the ath0 cards...mine was ral0 but then again none of them were running 8.0
13:20 < knarfly> I have an old D-Link 624 wireless router here, its about 5 years old now. runs smooth and is very fast, routinely we get 134KB/s transfer to the laptops and it's reliable, only having to be rebooted a few times in it's life. I was really looking forward to replacing it with my new Dell server running FreeBSD-8.0 or even 7.2 but the speed slows down to 39 KB/s with 8.0 and 56 KB/s with 7.2....go figure but that's what I got with it
13:22 < Bushmills> "134KB/s transfer" that's more than twice the speed of an analog modem. very respectable. 
13:23 < Bushmills> ah. kilobyte. not kilobit.
13:23 < Bushmills> 20 times speed of analog modems :D
13:23  * ecrist stopped doing support in #freebsd a while ago
13:24 < knarfly> yes, I'm on Comcast cable modem..it's been fast but recently they built a new school just down the block. Comcast brought in some kind of circuit for the school and word was the Neighborhood Association cut a deal to bring the whole bunch of us in on it. A few weeks ago the speed went from fast to blazing....with my cabled ethernet connections I routinely get 1500KB/s downloads over the net
13:26 -!- macsimum [~macsimum@cpe-66-25-148-232.austin.res.rr.com] has joined ##openvpn
13:26 < knarfly> ecrist: why? FreeBSD is my favorite OS
13:30 < macsimum> anyone here can help with a quick "auth-user-pass" problem?
13:32 < macsimum> hehe well nevermind i think i just found the problem, figures right when i asked for help i'd get it right.
13:41 -!- Anthro [~kzjdfhfvd@c-68-50-227-86.hsd1.md.comcast.net] has left ##openvpn ["Client exiting"]
13:50 < ecrist> knarfly: I got tired of the same issues over and over in there, and on the -questions mailing list
13:50 < ecrist> I'm a freebsd guy, as well
14:00 < ecrist> macsimum: that's what usually happens to me.
14:00 < macsimum> yep got it working
14:00 < knarfly> I'm running 3 freebsd servers on my LAN, one as router, one as file server and one as desktop, but I require Windows for my work and I have two desktops with Vista and a laptop with Vista
14:01 < knarfly> I have a i7 machine with 12 GB ram coming on Wednesday. It will run Vista for my AutoCAD stuff, but I've got an extra drive and will load FreeBSD on it to test it out too.
14:14 -!- macsimum [~macsimum@cpe-66-25-148-232.austin.res.rr.com] has left ##openvpn []
14:18 -!- dKingston [~unsigned_@65-78-93-47.c3-0.tlg-ubr2.atw-tlg.pa.cable.rcn.com] has quit [Quit: Leaving]
14:23 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
14:28 -!- le0 [~tehle0@unaffiliated/le0] has quit [Read error: Connection reset by peer]
14:48 < ecrist> knarfly: I run a freebsd network for my day job, currently have 22 servers running FreeBSD with an additional 11 sitting in shipping crates either in the office or in a truck between here and there now.
14:49 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
14:50 < ecrist> Our newest DB server is a dual Nalehem quad core with 32GB DDR3 memory and 6x146GB SAS 15k drives.  New storage box is 2x Dell R610 1u heads 24GB ram each, quad core Xeon marries to an MD3000 15x450GB SAS 15K drive disk array with multipath SAS 
14:50 < ecrist> at home I have 5 FreeBSD systems hosting various servers, etc, and 3 macs for desktop use.
14:51 < |Mike|> and you got  gbit line to your house ? :P
14:51 < ecrist> no gbit for me.
14:51 < ecrist> I have 100mb to my colo'd box, though.
14:53 < krzee> after enabling ip forwarding on windows is reboot generally needed?
14:54 < ecrist> nope
14:54 < ecrist> not in my experience
14:54 < krzee> werd thx
14:55 -!- l0wkey [~bsd@93-103-1-78.static.t-2.net] has left ##openvpn ["Leaving"]
14:55 < krzee> i musta fubar'ed somewhere
14:55 < ecrist> though, last I checked, windows needs to reboot each time you exhale.
14:57 -!- atlantic [~atlantic@hok.duf.hu] has joined ##openvpn
14:58 < krzee> hrm, seems to be the ip forwarding, im gunna give the reboot a shot
14:58 < atlantic> hi. can somebody give me a hint what should I verify if a bridged ethernet mode openvpn setup is working fine, except that after 25-30 seconds, the ping fails (destination unreachable) and in the same time a 169.254.x.x route come up, and the Openvpn pushed one disappear? after additional 10 seconds, the good routes back again...and everything is stable from that time on like hell...
14:59 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
15:00 < ecrist> sounds like you have an IP conflict
15:02 < atlantic> ecrist: thanks, but I checked with wireshark and I see normal arp requests/responses
15:02 < ecrist> not sure why that matters
15:03 < ecrist> it sounds like the VPN is using IPs that exist on the local network, or you're pushing routes that conflict with the client's default gateway
15:03 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 272 seconds]
15:06 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
15:06 -!- dug_ [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
15:09 < krzee> weak, it did just need a reboot
15:11 -!- knarfly [~vlad@c-98-242-237-166.hsd1.fl.comcast.net] has quit [Quit: knarfly]
15:14 < atlantic> ecrist: thx, I will test it
15:24 -!- polaru [~polaru@93.113.192.70] has quit [Remote host closed the connection]
15:38 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
15:50 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
16:04 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
16:11 -!- havoc [~havoc@saturn.chaillet.net] has joined ##openvpn
16:12 < havoc> hola
16:17 < havoc> --port-share would be awesome if I could find any useful docs about it
16:45 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:52 < reiffert> When run in TCP server mode, share the OpenVPN port with another application, 
16:52 < reiffert> such as an HTTPS server. If OpenVPN senses a connection to its port which is 
16:52 < reiffert> using a non-OpenVPN protocol, it will proxy the connection to the server at 
16:52 < reiffert> host:port. Currently only designed to work with HTTP/HTTPS, though it would 
16:52 < reiffert> be theoretically possible to extend to other protocols such as ssh.
16:52 < reiffert> Not implemented on Windows. 
16:52 < reiffert> http://openvpn.net/archive/openvpn-users/2006-09/msg00115.html
16:52 < vpnHelper> Title: [Openvpn-users] port-share examples (at openvpn.net)
17:03 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
17:14 < havoc> reiffert: yeah, I've read that already, it's lacking
17:14 < havoc> and I've actually read that url already too
17:14 < havoc> I'm 8 pages deep in google
17:15 < havoc> oh, and it doesn't work
17:16 < havoc> but I'm guessing that "mode server" is not enough, the --server directive is probably necessary
17:16 < havoc> which the docs do not say a thing about
17:16 < reiffert> see what --server expands too.
17:17 < havoc> I already know, but I'm running an external DHCP
17:18 < reiffert> bypass-dhcp?
17:20 < havoc> isn't that a --redirect-gateway opt?
17:21 < havoc> but I think I have it figured out anyway
17:21 < havoc> the docs are just *poor*
17:22 < reiffert> please share to us.
17:22 < havoc> the port isn't the issue
17:22 < havoc> the IP is the issue, you can't have 2+ daemons trying to listen on the same IP:port
17:23 < havoc> e.g. if you want apache on 443 it has to be bound only to say localhost
17:24 < havoc> otherwise bind() just can't work
17:27 -!- dazo is now known as dazo_afk
17:28 -!- snovak7 [~snovak7@BSN-61-74-13.static.dsl.siol.net] has quit [Quit: leaving]
17:30 < krzee> actually apache 443 is the 1 exception
17:31 < havoc> krzee: yay, I was hoping you'd show up, I expect you know the answer already
17:32 < havoc> krzee: can I have both apache and openvpn listening on tcp:443?
17:33 < krzee> --port-share host port
17:33 < krzee> When run in TCP server mode, share the OpenVPN port with another application, such as an HTTPS server. If OpenVPN senses a connection to its port which is using a non-OpenVPN protocol, it will proxy the connection to the server at host:port. Currently only designed to work with HTTP/HTTPS, though it would be theoretically possible to extend to other protocols such as ssh.
17:33 < krzee> not usable in windows ;]
17:33 < havoc> this is deb amd64
17:33 < krzee> you're golden
17:34 < havoc> I wish :(
17:34 < krzee> welp, thats how its done
17:35 < krzee> 2.1 only
17:35 < havoc> apache is the problem here I think
17:35 < krzee> seems to be brain-child of this thread:  http://openvpn.net/archive/openvpn-users/2005-01/msg00374.html
17:35 < vpnHelper> Title: [Openvpn-users] how to share tcp port 443 between OpenVpn and Apache? (at openvpn.net)
17:35 < krzee> heh
17:36 < krzee> you may not have realized something
17:36 < havoc> it refuses to bind only to 127.0.0.1:443
17:36 < krzee> yup, i was right
17:36 < krzee> heheh
17:36  * havoc looks
17:36 < krzee> run it on a diff port
17:36 < krzee> have openvpn forward it to that port
17:36 < krzee> although ild think apache would be ok with localhost only
17:37 < havoc> you'd think :(
17:37 < krzee> is openvpn running on * or bound to a single ip?
17:37 < havoc> but that would solve the problem
17:37 < krzee> that could be the issue...
17:37 < havoc> default-ssl:2:<VirtualHost 127.0.0.1:443>
17:38 < havoc> but I recall something about the behaivor of lo being changed in newer kernels
17:38 < krzee> [15:37]  <krzee> is openvpn running on * or bound to a single ip?
17:38 < krzee> check your netstat -l
17:38 < havoc> oh, openvpn
17:38 < havoc> bound to everything
17:38 < havoc> wait
17:38 < krzee> thats your problem :-p
17:38 < havoc> gotta check again
17:39 < krzee> bind openvpn only to the inet ip, then apache can take lo0
17:39 < krzee> --local host
17:39 < krzee> Local host name or IP address for bind. If specified, OpenVPN will bind to this address only. If unspecified, OpenVPN will bind to all interfaces.
17:39 < havoc> ovpn is bound to 0.0.0.0
17:40 < havoc> which would also bind lo, right?
17:40 < krzee> right
17:42 < havoc> no go
17:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
17:49 < havoc> oh geez
17:50 < havoc> krzee: in case you come across anyone else w/ the same problem
17:51 < havoc> I had one global "Listen 443" in an apache conf for mod_ssl.c, it must be "Listen 127.0.0.1:443"
17:51 < havoc> missed that one
17:51 < krzee> heh
17:52 < krzee> right on
17:52 < havoc> still need the --local in ovpn though
17:52 < krzee> yup
17:52 < havoc> but that's where apache was choking
17:53 < havoc> just need to grep -Hnris "443" /etc/apache2/ ;)
17:54 < havoc> there was a "ports.conf" in the debian default that had it
18:04 < havoc> I've been setting up yet another monster "edge-case" ;)
18:05 < havoc> amd64 box at a colo, we only have 1 physical machine; can't get more
18:05 < havoc> deb/host runs proxmox/kvm, postfix/dovecot, openvpn, openfire
18:06 < havoc> 1 win2k8 VM for www, 1 win2k8 VM for AD DC
18:07 < havoc> 3 vpn ifaces, 2 incomming on udp:1194 and tcp:443, one client connecting to existing office vpn for the AD DC
18:07 < havoc> postfix/dovecot and openfire auth against the AD DC VM
18:08 < havoc> udp:1194 is for admin and direct access from office, tcp:443 is for --redirect-gateway, which is also setup at office, but this being at the colo has way more bandwidth
18:08 < havoc> need local AD DC as office connection is comparitively sucky
18:13 -!- julio [~julio@190.132.231.51] has joined ##openvpn
18:14 < julio> can anyone lend me a hand setting my first vpn?
18:16 < julio> i'm on ubuntu, trying to connect to a windows based vpn (i guess)
18:16 < julio> is pptp mandatory?
18:23 < krzee> not compat
18:23 < krzee> !notcompat
18:23 < vpnHelper> krzee: "notcompat" is (#1) ipsec and pptp are NOT compatibile with openvpn... openvpn is uses SSL, pptp and ipsec both use proprietary protocols, and therefor CAN NOT be compatible, or (#2) openvpn only connects to openvpn
18:23 < krzee> !pptp
18:23 < vpnHelper> krzee: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
18:23 < vpnHelper> krzee: read about why to not use pptp
18:34 < rob0> Looks like the first thing for you to do is to ask the admin of the VPN you want to connect to, how to do it.
18:38 < julio> dang
18:38 < julio> but his on vacations right now
18:38 < julio> does anyone know how?
18:39 < julio> there's no openvpn on the vpn i'm talking about
18:39 < havoc> yes, you google for pptp and ubuntu
18:39 < havoc> and if it's not openvpn you are in the wrong place
18:39 < havoc> but most of us here would have to google it anyway
18:39 < havoc> I'm also sure that ubuntu forums already have the answer for you
18:40 < havoc> which you find by googling, which is exactly what we would have to do to answer you
18:45 < krzee> !notovpn
18:45 < vpnHelper> krzee: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
18:45 < havoc> !sep
18:45 < vpnHelper> havoc: Error: "sep" is not a valid command.
18:45 < havoc> need to alias that one :)
18:46 < krzee> sep = ?
18:46 < havoc> Somebody Else's Problem
18:46 < havoc> from Douglas Adams :)
18:46 < krzee> oh lol
18:47 < krzee> !lmgtfy
18:47 < vpnHelper> krzee: Error: "lmgtfy" is not a valid command.
18:47 < havoc> yes, and that to :)
18:47 < havoc> too
18:47 < krzee> at least we have a working !google
18:47 < krzee> !google ubuntu pptpclient
18:47 < vpnHelper> krzee: ubuntu - PPTP Client: <http://pptpclient.sourceforge.net/howto-ubuntu.phtml>; PPTP Client: <http://pptpclient.sourceforge.net/>; [ubuntu] pptp client huge packets TX ??? - Ubuntu Forums: <http://ubuntuforums.org/showthread.php?t=912940>
18:47 < havoc> seriouslly, google ubuntu+pptp and the answer would likely be 1st
18:47 < krzee> heh
18:48 < krzee> i know pptpclient is the name from !pptp
18:48 < havoc> I find many soutions for my debian problems on the ubuntu forums
18:48 < krzee> makes sense, with ubuntu basically being debian
18:48 < havoc> yes
18:49 < havoc> but debian folks tend not to document the edge cases ;)
18:49 < havoc> also, don't stop at the 1st page of results
18:49 < havoc> lots can be learned by digging deeper
18:50 < havoc> google-fu is a definite skill
18:50 < krzee> for sure
18:50 < krzee> there should be a college major in google usage
18:50 < havoc> no kidding
18:50 < krzee> being a google ninja means you can learn anything yourself
18:50 < krzee> best skill i can think of to gain from college
18:50 < havoc> I understand non-native English speakers can have issues though
18:51 < havoc> but still, it's not really english, it's techno-babble and meaningless acronyms in any language :)
18:51 < havoc> i.e. "identifiers"
18:51 < krzee> s/less/full/
18:52 < havoc> I've found what I needed in kanji pages
18:52 < havoc> whole bunch of kanji, then some english "words"/identifiers that were what I was looking for :)
18:53 < havoc> and aside from Kompi! (sp?) I know no Japanese
18:54 < krzee> konichiwa!
18:55 < havoc> heh, and that too
18:55 < havoc> my roomie for many many years is from Japan
18:55 < havoc> he was also an ex biz partner
18:55 < krzee> oh and dont forget bukake!
18:56 < havoc> aCk!
18:59 -!- Vakz [~Vakz@90-227-168-81-no123.tbcn.telia.com] has quit [Read error: Connection reset by peer]
19:11 < julio> thanks yall, i'll spend some time with uncle G
19:11 -!- julio [~julio@190.132.231.51] has left ##openvpn ["Saliendo"]
19:58 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
20:12 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
20:51 -!- hackeron [~hackeron@gentoo/user/hackeron] has joined ##openvpn
20:51 -!- graffz [~graffz@222.127.189.190] has joined ##openvpn
20:52 < hackeron> hey, is there anyway to get openvpn to run a command everytime a client connects or disconnects? -- I want to update a postgres database with new IP details for a client for DNS - or is there some other standard way to handle DNS?
21:01 < hackeron> ah, looks like learn-address is what I need
21:03 < hackeron> except is there anyway to also get the external IP?
21:10 < Bushmills> hackeron:  --up
21:10 < Bushmills>  --down
21:10 < Bushmills> extip passed as argument to the invoked scripts
21:11 < Bushmills> oh, i recall, it is actually written in the man page
21:12 < hackeron> Bushmills: and I can specify up /path/to/script in my server.conf too?
21:16 < Bushmills> yes - but I think you would want   --client-connect  instead
21:17 < hackeron> Bushmills: what's the difference?
21:18 < Bushmills> difference between an interface coming up and a client connecting? 
21:18 < Bushmills> on server, interface comes up once after start
21:18 < hackeron> but I can just check if it's an init or a restart, no?
21:18 < Bushmills> but users can connect/disconnect all the time
21:18 < hackeron> so if a user disconnects --down won't be triggered?
21:19 < Bushmills> not on server
21:19 < Bushmills> that's what --client-disconnect  is for
21:19 < hackeron> but it says it's triggered on TUN/TAP close?
21:20 < Bushmills> when a client disconnects from server, server TUN doesn't close
21:20 < Bushmills> would be too bad for other connected users, wouldn't it? 
21:20 < hackeron> Bushmills: hmm, is there anything like --up that will also send all client details as arguments to the script?
21:21 < hackeron> Bushmills: seems --client-connect uses environmental variables and doesn't have the external ip?
21:21 -!- graffz [~graffz@222.127.189.190] has quit [Ping timeout: 240 seconds]
21:22 < Bushmills> afaik, those are passed as positional args to invoked script
21:22 < hackeron> Bushmills: hmm, not according to the man page?
21:22 < Bushmills> at least, for --up and --down they are, so I assume their passed for --client-connect as well
21:23 < hackeron> Bushmills: nope :(
21:23 < hackeron> Bushmills: for --up and --down, yes, for --client-connect, nope :(
21:24 < Bushmills> then you're at a point where your knowledge exceeds mine now
21:24 < hackeron> just looking at the man page
21:25 < Bushmills> I don't. I left that as exercise to you :D
21:26 < hackeron> heh, right, guess I'll have to access the environmental variables
21:32 -!- flacom [~flaco@pc-166-153-83-200.cm.vtr.net] has quit [Read error: Connection reset by peer]
21:33 -!- flacom [~flaco@pc-166-153-83-200.cm.vtr.net] has joined ##openvpn
22:02 < hackeron> hmm, I added: client-connect /var/www/Xanview/scripts/openvpn_control.py - which just does os.system("echo test | wall") -- but no message is being broadcast when clients connect - any ideas?
22:04 < hackeron> also tried this but no commands.log is being created: client-connect "python /var/www/Xanview/scripts/openvpn_control.py >> commands.log 2>&1"
22:14 < hackeron> and I tried to put openvpn_control.py into /etc/openvpn also - nothing appears to happen
22:14 < hackeron> how would I debug?
22:16 < hackeron> oh, I think I found it: openvpn_execve: external program may not be called due to setting of --script-security level
22:19 < hackeron> yeah, that was it
22:20 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
22:55 -!- flacom [~flaco@pc-166-153-83-200.cm.vtr.net] has quit [Ping timeout: 276 seconds]
23:20 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:53 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
--- Day changed Tue Feb 16 2010
00:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
00:05 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
00:33 -!- Error404NotFound [~Eror404@119.153.114.137] has joined ##openvpn
00:33 -!- Error404NotFound [~Eror404@119.153.114.137] has quit [Changing host]
00:33 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
00:44 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Read error: Operation timed out]
01:52 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
01:53 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
02:05 -!- polaru [~polaru@93.113.192.70] has joined ##openvpn
02:08 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
02:25 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:25 -!- mode/##openvpn [+o mattock] by ChanServ
02:30 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
02:39 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
02:51 -!- dazo_afk [~dazo@nat/redhat/x-bjkcerkabsnydzqk] has quit [Read error: Operation timed out]
02:59 -!- goog1jh_ [googijh@my.barbie.wears.no-panties.org] has quit [Read error: No route to host]
03:00 -!- goog1jh [googijh@my.barbie.wears.no-panties.org] has joined ##openvpn
03:06 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
03:08 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
03:08 -!- master_of_master [~master_of@p57B563A4.dip.t-dialin.net] has quit [Ping timeout: 256 seconds]
03:10 -!- master_of_master [~master_of@p57B5465E.dip.t-dialin.net] has joined ##openvpn
03:16 -!- le0_ [~tehle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
03:31 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
03:31 -!- maxagaz [~maxagaz@soho2.i-xanadu.com] has quit [Read error: Connection reset by peer]
03:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:41 < krzee> i read http://www.linuxjournal.com/article/9915 and am wondering why they built a routing tech instead of using something like RIP
03:41 < vpnHelper> Title: Building a Multisourced Infrastructure Using OpenVPN | Linux Journal (at www.linuxjournal.com)
03:50 -!- dazo_afk [~dazo@nat/redhat/x-eotqvidadipgeorz] has joined ##openvpn
03:50 -!- dazo_afk is now known as Guest97655
03:58 -!- style2_AFK [~a@nagios-dev.cbp.ens-lyon.fr] has joined ##openvpn
04:37 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Quit: Leaving]
04:45 -!- le0_ [~tehle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Quit: Leaving]
04:45 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
04:52 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 248 seconds]
04:56 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
04:56 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: OpenVPN Issues :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=4&t=2748&p=3357#p3357> || Server Administration :: Re: Stops working when I reboot Server 2008 :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=4&t=2800&p=3359#p3359> || Installation Help :: Re: Getting started with OpenVPN :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=5&t=283
04:57 < krzee> woot
04:57 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
04:59 -!- lupus78 [~lupus@193.188.47.38] has joined ##openvpn
05:03 < lupus78> When I connect 'openssl s_client -connect server:port' to my openvpn server the certificates the ssl certificates for 'port-share' configured https server are retrieved... any idea why?
05:04 < krzee> what do you mean: 'openssl s_client -connect server:port'
05:04 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
05:04 < krzee> is that an openssl command?
05:05 < krzee> if so, i would expect it to go to the port-share service instead of openvpn
05:06 < krzee> since it is designed to forward on everything except openvpn
05:13 < Guest97655> lupus78:  krzee: If I've understood that feature correctly ... if OpenVPN don't recognise the client side as an OpenVPN client, it will forward all the raw traffic directly to the port-share host
05:14 < krzee> thats my understanding of it
05:16 < krzee> im not sure if this is how they implemented it or not, but here is a good idea on how they might have done it: http://openvpn.net/archive/openvpn-users/2005-01/msg00377.html
05:16 < vpnHelper> Title: Re: [Openvpn-users] how to share tcp port 443 between OpenVpn and Apache? (at openvpn.net)
05:16 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
05:16 < krzee> (note, thats from before it existed, and was just an idea being kicked around)
05:21 < lupus78> hmmm, trying to figure out how openvpn knows it not an openvpn client BEFORE the ssl handshake
05:22 < lupus78> krzee: in fact i have openvpn running at port 443
05:22 < krzee> could sniff the interface and see the diff...
05:22 < lupus78> that enables all our clients to connect from anywhere (including firewalled sites)
05:23 < lupus78> krzee: yep i'm sniffing, but I'd rather find something documented
05:23 < krzee> right on
05:23 < krzee> im not aware of the nitty gritty
05:24 < lupus78> krzee: btw thanks for the link above
05:26 < vpnHelper> New forum entry openvpnforum: Off Topic, Related :: Re: OpenVPN Technologies & OpenVPN Community Relationship :: Reply by ... <http://www.ovpnforum.com/viewtopic.php?f=1&t=2467&p=3361#p3361>
05:29 < krzee> np
05:36 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:51 -!- style2_AFK [~a@nagios-dev.cbp.ens-lyon.fr] has quit [Quit: Quitte]
06:09 < havoc> morning
06:10 -!- Guest97655 is now known as dazo
06:18 -!- flacom [~flaco@pc-166-153-83-200.cm.vtr.net] has joined ##openvpn
06:31 < s-taylo> Hi all, I've attempted to disable keepalives by setting 'keepalive 86400 345600' in my config file (ping every 24 hours and disconnect after 96 hours - pointless really but keepalive 0 0 doesn't work), but I still see an exchange of 3 40-byte TCP packets regularly every 5 minutes ( 300 seconds). Any idea what could be causing this? (Repeat question from yesterday, sorry)
06:39 < Bushmills> s-taylo: have you tcpdumped, wiresharked or tsharked what kind of traffic it is? 
06:40 < s-taylo> I've got a tcpdump of the data and its content but haven't been able to determine what it is yet (knowledge gap!)
06:40 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
06:41 < Bushmills> try wireshark, that's quite informative on packet type and composition
06:41 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
06:41 < Bushmills> without knowing, your question is "i have sporadic traffic but i don't know what causes it"
06:42 < Bushmills> actually, that wasn't a question
06:43 < Bushmills> "I have sporadic traffic, what is causing it?"   That's one.
06:43 -!- s-taylo [~staylo@vm3999.vps.tagadab.com] has quit [Read error: Operation timed out]
06:44 -!- s-taylo [~staylo@vm3999.vps.tagadab.com] has joined ##openvpn
06:45 < s-taylo> Is there any way of feeding the output of tcpdump to wireshark on another machine? The remote client is an embedded device and I don't have much space available for additional packages
06:46 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Ping timeout: 256 seconds]
06:46 < s-taylo> Hmm, yes, google :)
06:53 < Bushmills> watch on server side
06:53 < Bushmills> what goes in client side comes out server side, after all
06:57 < krzee> if you are behind a NAT or using UDP disabling keepalives could lead to dead connections (fyi)
06:58 < krzee> and once it dies, it wont reconnect for 96 hours...
06:58 < krzee> sounds poorly thought out to me
07:04 < s-taylo> yep, unfortunately I'm connecting through a 3G connection that charges 0.01GBP if any activity whatsoever takes place within each 15 minute window; bizarre but I've got to live with it. So a manual reconnect if the server side drops out is an acceptable evil in the application I have in mind
07:05 < krzee> ok
07:05 < krzee> be sure you kill the old one when you start the new one
07:05 < ecrist> morning.
07:05 < reiffert> moin
07:06 < krzee> mornin
07:06 < s-taylo> OK, thanks krzee
07:07 < krzee> i have recently realized i should be selling girls on webcams
07:07 < ecrist> home shopping style?
07:07 < krzee> i have the girls, i just need the developer who wants to work for part of the company
07:07 < krzee> nah, like = to naked . com
07:08 < ecrist> I have a server with bandwidth
07:08 < krzee> they actually get like $5 / min, i figure i could pay girls more like $1/min
07:08 < krzee> ya i have a few too
07:08  * reiffert raises hands for alpha/beta tester
07:09 < ecrist> I'd like to try the talent in person, first.  make sure we're making a good business decision.
07:09 < krzee> lol
07:09 < krzee> of course of course
07:09 < ecrist> I have PHP skills, but no graphics skills.
07:10 < krzee> not sure how much graphics skills would be needed, pics of our girls fill that void well
07:10 < reiffert> I will administrate the server. Bushmills knows about streaming.
07:10 < Bushmills> who shouts?
07:10 < reiffert> Bushmills: krezze is raising a porn server.
07:11 < krzee> ild like to!
07:11 < krzee> i have the girls
07:11 < Bushmills> i have a  bank account
07:11 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
07:11 < reiffert> krzee: get some good cams and a fast line...
07:11 < krzee> where i live its 3rd world and SEXY girls who are down for it
07:11 < krzee> now thats 1 prob, the inet isnt so fast
07:12 < ecrist> I've always wanted to start an amateur site, ala watchers web or redclouds
07:12 < krzee> but camchat really only takes like 20kb/s bidirectional sustained
07:12 < reiffert> per client.
07:12 < Bushmills> could we think of 3d plotters, synthesising animated objects?
07:12 < krzee> ohh right
07:12 < krzee> ya bw isnt a problem
07:13 < krzee> its the whole "im not a dev" thing
07:13 < krzee> lol
07:13 < reiffert> great, get some cams.
07:13 < reiffert> once we have the pics here we can get a payment system
07:13 < Bushmills> we take a reprap, redesign it a bit.  
07:13  * ecrist is a dev
07:13  * rob0 is a devil
07:13 < krzee> nice
07:14 < krzee> reiffert, pics?
07:14 < reiffert> krzee: gimme all
07:14 < krzee> you mean like teaser pics for the girls?
07:14 < reiffert> 15 fps will do
07:14 < Bushmills> pics are so ... retro
07:15 < ecrist> we could build the first 3D streaming site...
07:15 < s-taylo> Hmm, interesting - it seems they are keepalive packets and responses every 5 minutes (but the config file on the server states no keepalives)
07:16 < krzee> ok when i get back to the island ill work on getting pics of some girls together (none are going to be naked)
07:16 < Bushmills> an immersive reality site?
07:16 < krzee> i leave usa for australia tomorrow (technically today)
07:16 < ecrist> I'm jealous
07:16 < krzee> so ill be home in like a month
07:17 < krzee> if you guys are serious, check out naked . com (its free until you want the girl to get naked)
07:17 < krzee> see how the latin girls have auto-translate, we'ld need something like that
07:18 < krzee> since all my starting women will speak spanish
07:18 < reiffert> ok, lets learn spanish and portugese, you can have me as a translator
07:18 < krzee> then ill see bout getting my old USA whores on it, i havnt seen them in awhile since i moved away
07:19 < krzee> but they're always in for the $ schemes
07:19 < krzee> but ya, basically i wanna be like naked.com, i think its an awesome business and makes enormous $
07:21 < s-taylo> From the doc the keepalive config option is a wrapper for ping and ping-restart; does it control all keepalives?
07:22 < krzee> ild answer if i knew, ive never seen someone want to do that
07:22 < Bushmills> there are no keepalives other than the  ping and push "ping...". that's what keepalive causes
07:23 < Bushmills> consider the possibility that the packets are caused by something else, and just routed through the vpn
07:24 < Bushmills> you have disabled  keepalive on both client and server, i suppose?
07:26 < s-taylo> Well, they're both set to very high values (24 hours ping), and the initial packet of each keepalive seems to originate from the server
07:26 < Bushmills> define "seems"
07:26 < s-taylo> In each recorded instance the source address of the initial packet is from the server's IP
07:26 < ecrist> why the hell would you set a 24 hour keepalive?
07:27 < krzee> [04:57]  <krzee> if you are behind a NAT or using UDP disabling keepalives could lead to dead connections (fyi)
07:27 < krzee> [04:58]  <krzee> and once it dies, it wont reconnect for 96 hours...
07:27 < krzee> [04:58]  <krzee> sounds poorly thought out to me
07:27 < krzee> [05:04]  <s-taylo> yep, unfortunately I'm connecting through a 3G connection that charges 0.01GBP if any activity whatsoever takes place within each 15 minute window; bizarre but I've got to live with it. So a manual reconnect if the server side drops out is an acceptable evil in the application I have in mind
07:28 < s-taylo> There doesn't appear to be a no-keepalive option or similar and keepalive 0 0 doesn't function, so an extremely high value seems to be the only option; but whether it's too high and it's defaulting to a 300s keepalive...
07:28 < Bushmills> 0 0
07:28 < ecrist> that's 0.96GBP per day
07:29 < ecrist> H O L Y  S H IT
07:29 < Bushmills> again, consider the possibility that those packets are not sent by openvpn server (the program, not the machine).  
07:30 < Bushmills> as neither 0 0  nor big big seem to have any effect, that's quite a strong clue
07:30 < ecrist> just set an inactivity timeout for the vpn
07:30 < Bushmills> maybe 0 0  *does* work
07:30 < s-taylo> Well, I've had a TCP connection between the server and remote client using netcat without data use, and the packets appear to originate on the openvpn port
07:30 < Bushmills> only there's another program, causing periodic traffic
07:30 < ecrist> of course it will seem like that, it's all going to come from the vpn port...
07:31 < ecrist> look at --inactive option
07:35 < s-taylo> Basically because all inbound ports on the 3G device are closed (provider limitation) I'm trying to leave an idle connection open as long as possible which I can activate from the server side; hence I'm trying to disable all timeouts and keepalives
07:37 < s-taylo> keepalive 0 0 gives 'Tue Feb 16 13:36:02 2010 WARNING: --keepalive option is missing from server config
07:41 -!- mrnice1 [bouncer@ip077244250141.rev.nessus.at] has quit [Ping timeout: 246 seconds]
07:41 < Bushmills> openvpn ping packets are not echoed like ICMP pings, therefor you'd ping from both ends 
07:44 -!- mrnice1 [bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
07:48 < s-taylo> OK, I'll try forcing TCP pings to occur every 200s and see if the pattern matches and whether the 300s interval TCP pings still occur
07:49 < s-taylo> (and get some lunch in the interim; brb. Thanks for the help!)
07:58 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
08:01 -!- mattock [~samuli@sparkgw.utu.fi] has joined ##openvpn
08:01 -!- mode/##openvpn [+o mattock] by ChanServ
08:03 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:08 -!- sparch [~daniel@pdpc/supporter/active/sparch] has joined ##openvpn
08:09 < sparch> noon.
08:09 -!- LobbyZ` [~default@188.72.230.20] has joined ##openvpn
08:14 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Quit: Leaving]
08:15 -!- LobbyZ` [~default@188.72.230.20] has quit [Quit: Free FTW]
08:19 < Bushmills> no. someon. manyon.
08:34 -!- flacom [~flaco@pc-166-153-83-200.cm.vtr.net] has quit [Read error: Connection reset by peer]
09:03 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
09:10 -!- BinaryKhaos [~matthew@p5791EDD8.dip.t-dialin.net] has joined ##openvpn
09:13 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:14 < BinaryKhaos> Hi. I am running an OpenVPN server (2.1.x) on a high latency (120-200ms) network. When I connect to it from linux and tunnel my traffic, I can achieve d/l rates up to 10 mbit/s. But if I connect via Win7, I can hardly cross the 2.5 mbit/s mark from the same server. I guess it is related to rwin scaling. Can someone please point me into the right direction?
09:15 < BinaryKhaos> By the way: I am running OpenVPN via udp.
09:24 < ecrist> doh, my mail server ssl cert expired, fyi krzee
09:42 < ecrist> it's been updated...
09:46 -!- uchimata [~uchimata@HSI-KBW-078-043-160-035.hsi4.kabel-badenwuerttemberg.de] has joined ##openvpn
09:47 < uchimata> hi, is it possible to not accept the dns-push on client-config side?
09:58 -!- sullivan [~sullivan@2001:610:110:4d1:280:5aff:fe69:e121] has joined ##openvpn
09:58 < sullivan> Hi 
09:58 < jmm> hi.
10:00 < sullivan> I'm trying to disable "source spoofing protection" (the check in multi.c) and I'm able to see the packet on tun0. Nonetheless, the same packet doesn't get routed on eth1 (outgoing iface to reach dest). The test has a spoofed src IP but a valid dst IP. I'm expecting NOT to see the reply, of course, but I was expecting to see the request to hit the end-host (and somehow to come back till the openvpn server).
10:00 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:00 < sullivan> well, I said source spoofing protection even if it hasn't been created for that reason, I believe.
10:01 < sullivan> my setup is the classic one. tun, one LAN behind the server, certs.
10:02 -!- latz [~latz@5546.virtual.yourshelter.net] has joined ##openvpn
10:03 < sullivan> it the following journey of a packet, correct? OpenVPN server reads from the socket (say UDP), does all the checks, decrypt and spits it out on the tun. What's next? I suppose it reads from the tun and route the pkt according the (dst-based) routing decision... but if that's true, what I just described should definitely work.
10:03 < sullivan> s/^it/is
10:03 -!- mattock [~samuli@sparkgw.utu.fi] has quit [Ping timeout: 245 seconds]
10:04 < latz> hi I have clients connecting to a openvpnserver and in the configs of the clients I have added a route allowing clients to connect to the local network of the server, but now I would need the server to connect to all client networks as well ... is it possible to do this? thx
10:09 < ecrist> !iroute
10:09 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
10:09 < ecrist> !route
10:09 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:10 < latz> o.key thx
10:12 -!- LobbyZ [znc@main.lobbyzffs.com] has quit [Quit: Free FTW]
10:17 < latz> what's the common name? the hostname or the name of the key ... or the name in openvpn-status.log?
10:19 -!- BinaryKhaos [~matthew@p5791EDD8.dip.t-dialin.net] has quit [Quit: Leaving]
10:32 < Bushmills> hostname would be a good choice
10:32 < Bushmills> free text. unique, preferably. chosen such that you can associate host with name easily
10:35 -!- LobbyZ [~default@main.lobbyzffs.com] has joined ##openvpn
10:37 < cron2> latz: the "inner" name of the key - not the filename, but that what's in the certificate ("CN=") - just open one of the "cert" files with an editor and look for the line "Subject:"
10:38 < cron2> latz: and that's what goes into the openvpn log
10:38 < cron2> could be hostname, or site name, or whatever is suitable to identify a particular client
10:38 < sullivan> what's the journey of a packet (in terms of read by ovpn from real iface, tun, etc)?
10:38 < sullivan> (suppose tun)
10:39 < latz> alright
10:40 < latz> in my server.conf I have client-to-client and this route 192.168.10.0 255.255.255.0
10:41 -!- APTX| [~APTX@chello089076052083.chello.pl] has joined ##openvpn
10:41 < latz> and in the clientconfig dir I have the commonname file with this iroute 192.168.10.0 255.255.255.0
10:41 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Connection reset by peer]
10:41 < latz> but I am not able to ping any of the hosts on the client network 192.168.10.0
10:42 < cron2> latz: do the hosts on the client network know that they should send packets back to the client OpenVPN instance?  Is ip_forwarding active on the OpenVPN client?
10:42 < cron2> !route
10:42 < vpnHelper> cron2: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:42 < cron2> my standard procedure is: run ping and traceroute from end-to-end, and verify with "tcpdump -n -i tun<x>" on the OpenVPN client and server that packets are moving in and out of the tunnel
10:43 < cron2> most of the time it's "other machines don't know that they should send packets to the openvpn node" (-> traceroute shows this) or "ip forwarding not active" (* * * in traceroute, instead of the expected machine)
10:43 -!- krion [~seb@unaffiliated/krion] has joined ##openvpn
10:44 < krion> hi guys
10:44  * cron2 goes checking whether !route has a step-by-step process how to find these
10:44 < krion> anybody ever see /etc/openvpn/keys becomed a... socket instead a directory 
10:44 < krion> ?
10:45 < cron2> no step-by-step, but *all* the instructions are there
10:52 -!- lupus78 [~lupus@193.188.47.38] has quit [Ping timeout: 256 seconds]
10:57 < sullivan> do you gusy know when ovpn (server) reads from/writes  to the tun iface?
10:57 < sullivan> er
10:57 < sullivan> guys
10:57 < sullivan> :)
11:00 -!- APTX| [~APTX@chello089076052083.chello.pl] has quit [Quit: Farewell]
11:00 < cron2> sullivan: it reads if there is something to read, and it writes when there is something to write
11:00 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
11:00 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
11:00 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
11:00 < cron2> which is quite straightforward :-) - but I'm afraid I'm misunderstanding your question
11:02 < sullivan> I'm trying to figure out what's the journey of a packet when it's received from a UDP socket, for instance.
11:02 < sullivan> the problem is that I'm disabling some checks to allow for spoofing src IPs on the client side (if you do this by default, the pkt gets dropped)
11:03 < sullivan> I can see the decrypted pkt on tun (ovpn server side)
11:03 < sullivan> so I was wondering what's next. Is it everything taken care of by routing and not ovpn anymore?
11:04 < sullivan> I know I won't see the answer to the spoofed (originally src) IP, and that's fine.
11:05 < sullivan> but I would like to see the request to hit the end-host 
11:05 < sullivan> routing seems to be fine on the ovpn server
11:05 < sullivan> IP forward as well
11:05 < cron2> sullivan: if you see the packet in "tcpdump -n -i tun", then it's already at the host
11:05 < sullivan> that was my believe so I was expecting it to be forwarded by the host to the LAN behind him
11:06 < sullivan> but it doesn't get on the eth1 (internal iface)
11:06 < cron2> the packet on the openvpn server is received by UDP, sanity checked for source address spoofing, then checked for destination address ("does this need to be sent to a different client"), and then sent to the tun
11:06 < sullivan> and that is weird
11:06 < sullivan> yep
11:06 < sullivan> that's exactly what I saw in multi.c
11:06 < sullivan> I disabled the sanity check for src spoofing
11:06 < sullivan> in fact I see it on the tun
11:07 < cron2> if you're on Linux, it might have its own anti-spoofing active
11:07 < cron2> (rd-filter, IIRC)
11:07 < sullivan> mmm
11:07 < sullivan> I doubt it as I checked
11:07 < sullivan> but I'll double check it
11:07 < sullivan> now :)
11:11 < sullivan> nothing
11:11 < sullivan> damn it, this is driving me crazy
11:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 258 seconds]
11:12 < sullivan> as, of course, it works with legal src IPs 
11:12 -!- krion [~seb@unaffiliated/krion] has left ##openvpn []
11:12 < sullivan> I see the pkt on tun then on the internal iface
11:12 < sullivan> and I was expecting to see just that
11:15 < cron2> something in the kernel is eating your packet
11:15 < cron2> echo 0 >/proc/sys/net/ipv4/conf/all/rp_filter
11:15 < cron2> ?
11:16 -!- polaru [~polaru@93.113.192.70] has quit [Read error: Connection reset by peer]
11:16 < cron2> (or at least on .../ipv4/conf/tun0/rp_filter)
11:16 < sullivan> yep already tried that
11:17 < sullivan> but the weird thing is that it works when legit src IPs are used
11:17 < sullivan> my question is, what happens when I see the pkt on tun? Is ovpn involved or it's just routing at that point?
11:17 < sullivan> if ovpn is not involved that this is *weird*
11:17 < cron2> if the packet is visible on the tun interface, it's already out of openvpn
11:17 < cron2> (if the direction is UDP->OpenVPN->tun)
11:18 < sullivan> yep, that is what I was thinking
11:18 < sullivan> but than it's weird
11:18 < cron2> any firewall rules on the host?
11:18 < sullivan> btw, how is the pkt routed once it's on tun?
11:18 < sullivan> I mean, ovpn writes the pkt on the tun
11:18 < cron2> tun semantics are "take the packet as-is, stuff it into /dev/tun, and the kernel will handle the rest"
11:18 < sullivan> then, does everything depend on the routing table?
11:19 < sullivan> ok
11:19 < cron2> write to /dev/tun == "packet received on ethernet interface" (semantically)
11:19 < cron2> routing table, ip rule table, firewall table
11:19 < sullivan> than it's weird. It works it legit pkts (those with the real client tun src IP)
11:19 < sullivan> yep already checked all of em
11:19 < sullivan> firewall is down
11:19 < sullivan> I mean, disabled
11:22 < cron2> anything in the kernel logs (dmesg or /var/log/*)?
11:22 -!- reeniginEesreveR [~reeniginE@203.175.76.194] has joined ##openvpn
11:23 < reeniginEesreveR> is it possible to connect openvpn with a juniper ssg firewall for VPN'ing?
11:24 < sullivan> cron2, I was just trying to see if there's something there...nothing so far
11:24 < sullivan> (btw, thx for the help)
11:25 < cron2> sullivan: mmmh.  in that case, I'm a bit out of ideas
11:25 < cron2> reeniginEesreveR: no.  Junipers do IPSEC, not OpenVPN
11:26 < sullivan> yeah, me too
11:26 -!- pestilence [~pestilenc@unaffiliated/pestilence] has joined ##openvpn
11:26 < pestilence> !welcome
11:26 < reeniginEesreveR> cron2, I'm a fairly newbie in this stuff ... as far as i understand Junipers also provide VPN. Do they use propreitery stuff?
11:26 < vpnHelper> pestilence: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:27 < pestilence> !goal
11:27 < vpnHelper> pestilence: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:27 < pestilence> !logs
11:27 < vpnHelper> pestilence: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
11:28 < sullivan> cron2, do you think it's normal I don't see the packet written on tun by ovpn by logging the INPUT chain?
11:28 < pestilence> is this why i have packet loss:   write UDPv4: No buffer space available (code=55)
11:29 < cron2> reeniginEesreveR: IPSEC VPN is "the IETF standard", which is an open, well-documented, and somewhat complex to do VPN.  OpenVPN does some sort of SSL VPN (but different from what Cisco or Juniper call "SSL VPN")
11:29 < cron2> both have advantages and disadvantaces, but mainly they are different and incompatible
11:30 < cron2> sullivan: if you run "tcpdump -n -s0 -v -i tun0", is there anything else "weird" about the packet?  broken checksum, funny destination address, ...?
11:30 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: Connection reset by peer]
11:30 < reeniginEesreveR> cron2, could there be any plugin of openvpn or is there any other software based vpn solution which would allow me to connect to juniper's ssl vpn?
11:31 < sullivan> cron2, nope. I
11:31 < sullivan> er sorry
11:31 < cron2> reeniginEesreveR: there is vpnc that connects to juniper's IPSEC vpn (and the SSG normally wouldn't do SSL VPN)
11:31 < cron2> reeniginEesreveR: no idea whether there is an open-source SSL VPN client
11:32 < reeniginEesreveR> cron2, could you please explain "and the SSG normally wouldn't do SSL VPN"; if it won't, wouldn't openvpn work with it?
11:32 < sullivan> cron2, nope. I'm using scapy to make the forging test now both for sending legit and not packets. However, I just noticed that with legit pkts I do see (FORWARD -j LOG) IN=tun0 OUT=eth1 and viceversa (for the reply) with legit pkts
11:32 < cron2> reeniginEesreveR: the SSG does IPSEC.  OpenVPN does NOT do IPSEC.
11:32 < sullivan> cron2, with those spoofed nothing hits that chain. But I *do* see the packet with tcpdump on tun, tho (only the req)
11:32 < cron2> reeniginEesreveR: there is something called SSL VPN offerend by specific Juniper products (and I think this is not available for the SSG) - but this is again different from OpeNVPN
11:33 < reeniginEesreveR> cron2, thanks. You've been a great source of help. I've been searching on net but cuoldn't understand my requirements at all
11:33 < cron2> reeniginEesreveR: ah
11:33 < pestilence> is there anything about opening a udp openvpn tunnel over a PPtP vpn connection that would cause packet loss?
11:33 < cron2> reeniginEesreveR: check out the "shrew soft" VPN client
11:34 < cron2> pestilence: saturated links
11:34 < pestilence> my openvpn works beautifully except for when I have to run it over a second vpn
11:34 < pestilence> cron2: is that an MTU issue, or is a problem with the PPtP?
11:35 < cron2> pestilence: have you packet loss, as in "9 out of 10 packets arrive fine" or are you having problems with large packets ("packets with full size never arrive")?
11:35 < cron2> reeniginEesreveR: http://www.shrew.net/ - commercial client, but available for free.  Works with Juniper SSG and others.
11:35 < vpnHelper> Title: Shrew Soft Inc : Home (at www.shrew.net)
11:36 < pestilence> cron2: if i just run ping to a server on the openvpn, i get 4% packet loss.  if i ping something not on the openvpn (but still on the PPtP vpn), i don't get any packet loss
11:37 < reeniginEesreveR> cron2, thanks a loottttt! 
11:37 < pestilence> and the packet loss probably does correspond to heavy usage by other users in the area
11:37 < cron2> pestilence: so there you got the answer.  link full, packets get lost.
11:37 < pestilence> when i don't get packet loss, i do still get some high pings (400ms+ when the norm is 8ms)
11:38 < pestilence> cron2: why does it not seem to affect connections not on the openvpn, but still on the PPtP?
11:38 < pestilence> although that is possibly my imagination.
11:38 < pestilence> as it is currently dropping packets over that link too.  so never mind!
11:38 < cron2> "something" might prioritize non-VPN icmp packets
11:39 < pestilence> ah
11:39 < cron2> or you just had a lucky timing in running the pings :-)
11:39 < pestilence> i also wonder if i'm getting interference from the espresso machine :)
11:45 < sullivan> cron2, man
11:45 < sullivan> cron2, I'm an idiot ;)
11:45 < sullivan> I thought that by disabling rp_filter for all
11:46 < sullivan> that would automatically disabled it for all the iface
11:46 < sullivan> by selectively disabling it for the ifaces I'm interested in, it works :)
11:46 < sullivan> although I'm still convinced that all meant all...
11:46 < sullivan> whatever :)
11:47 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
11:49 < pestilence> thanks, cron2 
11:49 -!- pestilence [~pestilenc@unaffiliated/pestilence] has quit [Quit: leaving]
11:49 < cron2> sullivan: ah, good.  Learnt something new :-)
11:49 < sullivan> eheh
11:49 < sullivan> :)
11:49 < sullivan> thx
11:49 < sullivan> bye
11:50 -!- sullivan [~sullivan@2001:610:110:4d1:280:5aff:fe69:e121] has quit [Quit: Leaving]
11:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:55 -!- le0_ [~leeee0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
11:56 -!- le0_ [~leeee0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Client Quit]
11:57 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
12:02 -!- reeniginEesreveR [~reeniginE@203.175.76.194] has quit [Quit: Leaving]
12:27 -!- sparch [~daniel@pdpc/supporter/active/sparch] has quit [Ping timeout: 256 seconds]
12:28 -!- sparch_ [~daniel@187.58.233.250] has joined ##openvpn
12:28 -!- sparch_ [~daniel@187.58.233.250] has quit [Changing host]
12:28 -!- sparch_ [~daniel@pdpc/supporter/active/sparch] has joined ##openvpn
12:33 -!- sparch_ [~daniel@pdpc/supporter/active/sparch] has quit [Quit: sparch_]
12:45 -!- kyrix [~ashley@41.92.45.148] has joined ##openvpn
12:54 -!- kyrix [~ashley@41.92.45.148] has quit [Read error: Connection reset by peer]
13:05 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
13:07 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 260 seconds]
13:12 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
13:12 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
13:12 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
13:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:15 -!- dazo is now known as dazo_afk
13:25 -!- CamargoBP [~CamargoBP@orem.jiveip.net] has joined ##openvpn
13:26 -!- CamargoBP [~CamargoBP@orem.jiveip.net] has left ##openvpn []
13:32 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
13:32 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:43 < uchimata> hi, is it possible to not accept the dns-push on client-config side?
13:43 < |Mike|> you can reconfigure that on the client side manyually
13:52 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
13:53 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 256 seconds]
13:54 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
13:54 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Client Quit]
13:55 < krzee> but its all or nothing, either you take pushed options or not
13:55 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
13:55 < krzee> and if not, you must manually set your routes and ip i believe
13:57 < ecrist> if you do no-pull, I thought the pushed options were set in env for access by scripts
13:57 < krzee> i think they are either way, and good call i didnt think bout that
13:58 < krzee> you could make a script act on all but what you decide
14:01 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
14:06 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
14:08 < uchimata> so how could I _re_configure the dns on client side on windows?
14:09 < uchimata> ignoring completely is not an option, unfortunateley
14:15 < krzee> a script in --up maybe
14:15 < krzee> a script somewhere for sure
14:19 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
14:19 < uchimata> krzee: hehe of course.... hoped someone would have an idea how to do this on windows ;) but i will find out
14:19 < krzee> windows has scripts, lol
14:32 -!- nathangl [~nathangl@CPE0016b64943b8-CM000a735d73d4.cpe.net.cable.rogers.com] has joined ##openvpn
14:32 < nathangl> hi
14:33 < nathangl> I have a couple questions, ethernet bridging mode... 
14:33 < nathangl> bridge-start removes all internet connectivity... i'm using my machines correct ethernet card, eth1  and specifying the address of it... but when it runs my ssh session to thes ystem ends and it goes totally offline
14:33 < nathangl> am I missing something?
14:36 < nathangl> . . .
14:37 < cron2> if you bridge eth1 to something (I assume "tap0"), you need to configure the IP address on the bridge interface (br0)
14:40 < nathangl> hmmm
14:40 < nathangl> I did that in the scripty
14:40 < cron2> pastebin the script, please
14:41 < nathangl> http://pastebin.com/d2651c934
14:42 < nathangl> so eth1 is the only nic in the server, and my machines Ip is 192.168.1.147
14:43 < cron2> ifconfig 0.0.0.0 doesn't look right to me
14:43 < nathangl> hmm
14:43 < cron2> but I think you're losing your default gateway in the process
14:44 < nathangl> hrmm I see
14:44 < nathangl> thats just the script I got from openvpn.net
14:45 < cron2> try adding "ip route default gw $yourdefaultrouter" at the end
14:46 < nathangl> ip route?
14:46 < nathangl> just route?
14:46 < nathangl> oh
14:46  * cron2 is confusing cisco syntax and linux syntax
14:46 < cron2> sorry
14:47 < nathangl> lol
14:47 < cron2> route add default ...
14:47 < cron2> or ip route add default
14:47 < cron2> depending on what config tool you use
14:47 < nathangl> well, lets see
14:47 < nathangl> I mean my bridge stuff is all installed right
14:48 < nathangl> I was using eth0 by mistake before (not my ethernet adapter) and it ran fine but obviusly didn't bridge to the network right
14:55 -!- nathangl [~nathangl@CPE0016b64943b8-CM000a735d73d4.cpe.net.cable.rogers.com] has quit [Ping timeout: 276 seconds]
14:57 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:59 -!- rajin [~a@port-1595.pppoe.wtnet.de] has joined ##openvpn
15:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
15:04 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 246 seconds]
15:11 -!- nathangl [~nathangl@CPE0016b64943b8-CM000a735d73d4.cpe.net.cable.rogers.com] has joined ##openvpn
15:11 < nathangl> aack okay
15:11 < nathangl> so it crashed again :p
15:11 < nathangl> after my brctl addif br0 eth1 line
15:15 -!- rajin [~a@port-1595.pppoe.wtnet.de] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- *I* use it, so it must be good!]
15:18 -!- nathangl [~nathangl@CPE0016b64943b8-CM000a735d73d4.cpe.net.cable.rogers.com] has quit [Ping timeout: 276 seconds]
15:32 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
15:55 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
16:09 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
16:44 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
16:46 -!- krotzzz [same@mm-167-154-84-93.dynamic.pppoe.mgts.by] has joined ##openvpn
16:51 < krotzzz> Hello. I have Debian VPS and Windows client. I installed openvpn both at windows and debian machines and used this tutorial http://tinyurl.com/yepf4my to set up them. Now VPN is working and all traffic from client is routed to the server, but client can't access any web-site. Ping says "request timed out". Any ideas what I have missed in configuration?
16:51 < vpnHelper> Title: Quick Linux and Windows OpenVPN HOWTO and tutorial, including VPN routing | Adam Palmer, Linux, PHP Programmer, MySQL Developer, Embedded Hardware, Security Consultant (at tinyurl.com)
16:58 -!- s-taylo [~staylo@vm3999.vps.tagadab.com] has quit [Quit: leaving]
17:38 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
17:42 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
17:54 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
17:55 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
18:20 < krzee> krotzzz, 
18:20 < krzee> !redirect
18:20 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:20 < krzee> soundslikely ip forwarding and/or nat
18:26 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: Leaving]
18:42 -!- nathangl [~nathangl@CPE0016b64943b8-CM000a735d73d4.cpe.net.cable.rogers.com] has joined ##openvpn
18:42 < nathangl> hi
18:43 < nathangl> cron2: I haven't been able to get it working yet... I try to bridge-start and it totally brings down my net
18:43 < nathangl> I dunno what it is...
18:46 < nathangl> anyone know why briding a tap adapter to my systems ethX adapter would cause networking to stop working
18:49 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
19:05 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
19:06 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
19:16 < nathangl> hibridge the system network goes down?
19:17 < nathangl> I can't access anything?
19:17 < nathangl> anyone have an idea why that would happen when trying to do bridge vpn...
19:55 -!- nathangl [~nathangl@CPE0016b64943b8-CM000a735d73d4.cpe.net.cable.rogers.com] has quit [Quit: leaving]
20:53 -!- Serideru [~GTWebster@206.82.218.140] has joined ##openvpn
21:22 -!- udk [~evaldo@freenode/staff/udontknow] has joined ##openvpn
21:22 -!- jeffl_ [coz@teledojo.com] has joined ##openvpn
21:22 -!- sq7obj_ [sq7obj@gateway/shell/rootnode.net/session] has joined ##openvpn
21:23 -!- sq7obj_ [sq7obj@gateway/shell/rootnode.net/session] has quit [Changing host]
21:23 -!- sq7obj_ [sq7obj@gateway/shell/rootnode.net/x-fyutfuponontjepp] has joined ##openvpn
21:23 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has quit [Remote host closed the connection]
21:23 -!- sq7obj [sq7obj@gateway/shell/rootnode.net/x-nvjlbfgxxcfnvxzk] has quit [Write error: Broken pipe]
21:28 -!- jeffl [coz@teledojo.com] has quit [Ping timeout: 265 seconds]
21:36 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
21:37 < krzee> damn tmobile for blocking NS tunneling and LAX for using them
22:01 < krzee> i felt t-mobile laugh at me when i paid them
22:58 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Operation timed out]
23:03 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
23:14 -!- zheng [~zheng@114.92.140.81] has joined ##openvpn
23:19 -!- jeffl_ is now known as jeffl
23:21 -!- zheng [~zheng@114.92.140.81] has quit [Quit: Leaving]
23:22 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:44 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 265 seconds]
--- Day changed Wed Feb 17 2010
00:15 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
01:00 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
01:07 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 248 seconds]
01:19 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
01:49 -!- Serideru [~GTWebster@206.82.218.140] has quit [Quit: Leaving.]
01:52 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:52 -!- mode/##openvpn [+o mattock] by ChanServ
01:57 -!- polaru [~polaru@93.113.192.70] has joined ##openvpn
02:21 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
03:08 -!- master_of_master [~master_of@p57B5465E.dip.t-dialin.net] has quit [Ping timeout: 272 seconds]
03:10 -!- master_of_master [~master_of@p57B56D80.dip.t-dialin.net] has joined ##openvpn
03:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:17 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has joined ##openvpn
03:40 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Quit: Leaving]
03:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
03:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:56 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has left ##openvpn []
04:08 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
04:13 -!- xro [~a062ef85@gateway/web/freenode/x-vtcqzyzmwdnyppyf] has joined ##openvpn
04:13 < xro> hi,
04:14 < xro> i would like to configure my openvpn server to authenticat user/pass througt ldap server... how should i do it? i saw that :   http://code.google.com/p/openvpn-auth-ldap/
04:14 < vpnHelper> Title: openvpn-auth-ldap - Project Hosting on Google Code (at code.google.com)
04:19 -!- dazo_afk is now known as dazo
04:20 -!- correcaminos [~laguilar@201.201.46.106] has joined ##openvpn
04:21 -!- correcaminos [~laguilar@201.201.46.106] has quit [Client Quit]
04:23 < xro> can i have some help to install auth-ldap?
04:26 -!- xro [~a062ef85@gateway/web/freenode/x-vtcqzyzmwdnyppyf] has quit [Quit: Page closed]
04:26 -!- APTX| [~APTX@chello089076052083.chello.pl] has joined ##openvpn
04:27 -!- meepmeep_ [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
04:27 -!- krphop_ [~krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn
04:28 -!- |Mike|_ [mike@2001:1af8:2:444::2] has joined ##openvpn
04:29 -!- jeffl_ [coz@teledojo.com] has joined ##openvpn
04:29 -!- tompaw_ [~tompaw@slave20.tesserakt.eu] has joined ##openvpn
04:29 -!- __trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
04:29 -!- balboah_ [~johnny@joonix.se] has joined ##openvpn
04:33 -!- Netsplit *.net <-> *.split quits: krzie, dunc, jeffl, tompaw, APTX, redfox, sjr, meepmeep, _trine, krphop,  (+2 more, use /NETSPLIT to show all of them)
04:59 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
05:17 -!- Netsplit over, joins: redfox
05:18 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
05:19 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:49 -!- diffen3 [~diffen2@c-3370e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
05:49 -!- Diffen2 [~diffen2@c-3370e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
05:49 -!- Diffen2 [~diffen2@c-3370e555.042-17-73746f11.cust.bredbandsbolaget.se] has left ##openvpn []
05:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
06:05 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
06:20 -!- APTX| [~APTX@chello089076052083.chello.pl] has quit [Quit: Farewell]
06:20 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
06:20 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
06:20 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
06:33 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Read error: Operation timed out]
07:19 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:33 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
08:03 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 245 seconds]
08:06 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
08:23 -!- diffen3 [~diffen2@c-3370e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: Leaving]
08:23 -!- Diffen2 [~diffen2@c-3370e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
08:27 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
08:30 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
08:32 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 245 seconds]
08:36 -!- Signum [~Signum@debian/developer/pdpc.active.haas] has joined ##openvpn
08:38 < Signum> Hi, everyone. We have a Debian gateway with Shorewall running. But the traffic shaping is a bit strange. It works for forwarded traffic. But we also run OpenVPN on the same gateway and I can't find a way to shape tun0 traffic there. Any hints?
08:39 < ecrist> why wouldn't you shape it the same way?
08:40 < Signum> I do. eth0 is the interface facing the internet. Traffic shaping there works. But limiting the maximal bandwidth on tun0 strangely does nothing.
08:41 < Signum> On my mind it's just forwarding as well. I come from the LAN (eth1 here) and forward into tun0. If tun0 is like any other interface then the usual ("tc" style) traffic shaping should do.
08:41 < Signum> I know OpenVPN has the "shaper" option but then I can't guarantee a minimum bandwidth so doing that with "tc" sounded more sane.
08:41 < ecrist> what is tc?
08:42 < havoc> traffic control
08:42 < Signum> It's what the linux kernel uses to allow traffic shaping.
08:42 < Signum> I hoped that one of you perhaps has a gateway with OpenVPN running and got traffic shaping working.
08:42 < havoc> Signum: you can only ever shape outgoing traffic, never invoming
08:42 < Signum> Didn't seem too far away.
08:42 < rob0> I'm not sure; tun is not "exactly" like any other interface.
08:43 < Signum> havoc: Well, I can, by throwing away packets thus making the remote peer send fewer packets. But it's harder. 
08:43 < havoc> it should work, but as alwayes w/ TC, only one way
08:43 < rob0> maybe tc works at layer 2, which does not exist in tun
08:43 < Signum> havoc: In this case it's the outgoing traffic that is killing me anyway.
08:43 < Signum> rob0: Possibly.
08:43 < havoc> Signum: I suggest asking on #shorewall, they are much more knowledgable about this particular issue
08:44 < Signum> havoc: ok
08:44 < ecrist> Signum: I do traffic shaping all the time, but it's on FreeBSD with pf.
08:44 -!- reeniginEesreveR [~reeniginE@203.175.76.194] has joined ##openvpn
08:44 < Signum> ecrist: Did you find any caveats?
08:44 < havoc> I use shorewall, and the builtin TC, but I've never tried to shape a TUN
08:44 < reeniginEesreveR> does openVPN support ESP protocol?
08:45 < ecrist> shaping can really on occur on outgoing packets, but by limitied your outgoing ACKs, the incoming ends up getting throttled to a degree.
08:45 < Signum> reeniginEesreveR: No, just it's own protocol.
08:45 < ecrist> but, that's in general, not specific to my setup
08:45 < reeniginEesreveR> Signum, thanks
09:01 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
09:06 < Signum> Ah, found it. We had a wrong netmask so the traffic shaping just wasn't applied. "tc" with "tun0" works perfectly. :)
09:10 < tw> I've always had problems with tc filter classifiers.  They never seem to work as expected.
09:11 < tw> Signum: For my reference, do you use filters based on IP/interface or connmark?
09:11 < tw> I'd like to do the same thing with my openvpn server but I haven't gotten around to it.
09:13 < Signum> tw: Currently I think it's connmark. I mark the packets in iptables and then shape them down.
09:13 < Signum> tw: Actually I got confused a year ago and started using Shorewall. But the underlying principle is the same I think. :)
09:14 < Signum> tw: "tc" gives me a headache.
09:14 < rob0> indeed
09:17 < tw> Signum: Ok, I didn't scroll up enough to see you were using shorewall.  Yes, I'm not a big fan of tc, though it does what I need it to do (if convoluted and seemingly more complex than necessary).  Thanks.
09:19 < Signum> tw: At home I was using "tcng" to simplify the creation of "tc" scripts. But shorewall does that way nicer. I know it's cowardy but at a certain complexity the mixture of iptables and tc was hard to handle.
09:22 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:24 -!- sporedi [~chatzilla@121.247.65.116] has joined ##openvpn
09:26 < sporedi> hello Friends ! i am new to vpn i am system admin ,i am new to vpn can u please tell me where i can get information on ssl and ipsec (differance )which application are support after site to site vpn are connected and how to acess internal network after connecting to my remote ssl vpn (remote acess)
09:26 -!- Serideru [~GTWebster@206.82.218.140] has joined ##openvpn
09:28 < Bushmills> !howto
09:28 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:28 < Bushmills> !ipsec
09:28 < vpnHelper> Bushmills: Error: "ipsec" is not a valid command.
09:29 < ecrist> sporedi: check out google.
09:29 < Bushmills> !factoids search ipsec
09:29 < vpnHelper> Bushmills: No keys matched that query.
09:29 < ecrist> ipsec and ssl are two very different types of vpns, though they serve a similar function
09:29 < ecrist> !goal
09:29 < vpnHelper> ecrist: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:31 < Bushmills> "application are support"  openvpn looks like a network interface, underlying OS routing. it is quite transparent for apps
09:31 < Bushmills> what apps you can run on a network with a gateway in between, should work directly with openvpn 
09:32 < Bushmills> those apps requiring clients to sit on the same hub/switch need some extra config.
09:32 < Bushmills> openvpn wise, or support program wise
09:34 < Bushmills> s/gateway/router/
09:39 -!- upb [cmpxchg@88.80.13.92] has joined ##openvpn
09:39 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
09:39 < upb> hi, is the route-up directive available in files read from ccd?
09:41 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
09:44 -!- Diffen2 [~diffen2@c-3370e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
09:54 < sporedi> !help
09:54 < vpnHelper> sporedi: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
09:55 -!- sporedi [~chatzilla@121.247.65.116] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.7/20091221164558]]
09:57 -!- reeniginEesreveR [~reeniginE@203.175.76.194] has quit [Quit: Leaving]
10:05 < ecrist> what a retard
10:07 < rob0> We prefer to call ourselves "special".
10:08 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
10:12 -!- |Mike|_ [mike@2001:1af8:2:444::2] has quit [Quit: Reconnecting]
10:12 -!- |Mike| [mike@2001:1af8:2:444::2] has joined ##openvpn
10:29 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:37 -!- tmwsiy2012 [~tmwsiy@152-20-244-42.rev.uncw.edu] has joined ##openvpn
10:37 < tmwsiy2012> !welcome
10:38 < vpnHelper> tmwsiy2012: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:39 < tmwsiy2012> Hi I am trying to setup a bridge and in going through the 76-ethernet-briding.html file I am wondering if the Local IP address that it is talking about should be the one already bound or will it bind another (the one specified?)
10:39 < ecrist> I don't grok your question
10:40 < tmwsiy2012> sorry hard to explain what I am thinking...
10:41 < tmwsiy2012> I guess does the ip that I setup in the bridge script need to already be an active address or will it bring it up as part of its setup?
10:42 < tmwsiy2012> or maybe even more simply does the bridge require a separate ip from the one that is already bound to the interface
10:42 < tmwsiy2012> lol
10:42 < tmwsiy2012> guess im not very experssive today
10:43 < tmwsiy2012> thanks anyways
10:43 < ecrist> heh
10:43 < ecrist> it shouldn't matter which interface has the IP
10:43 < ecrist> if all the interfaces are bridged
10:44 < ecrist> bridging is layer 2, IP is layer 3, you actually don't need an ip at all for briding.
10:45 < tmwsiy2012> that makes sense, I still need an ip to connect to for the ssl tunnel endpoint though right?
10:45 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
11:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 248 seconds]
11:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:23 -!- krotzzz [same@mm-167-154-84-93.dynamic.pppoe.mgts.by] has quit []
12:18 -!- mimecine [~Adium@user-0cdfsbf.cable.mindspring.com] has joined ##openvpn
12:18 < mimecine> !welcome
12:18 < vpnHelper> mimecine: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:19 -!- dazo is now known as dazo_afk
12:21 -!- sq7obj_ is now known as sq7obj
12:22 -!- Serideru [~GTWebster@206.82.218.140] has quit [Ping timeout: 264 seconds]
12:26 < mimecine> !goal
12:26 < vpnHelper> mimecine: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:27 < mimecine> !howto
12:27 < vpnHelper> mimecine: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:49 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
12:52 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
13:05 -!- polaru [~polaru@93.113.192.70] has quit [Read error: Connection reset by peer]
13:11 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
13:14 -!- cpm is now known as philtrum
13:17 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
13:21 -!- knarfly [~vlad@c-98-242-237-166.hsd1.fl.comcast.net] has joined ##openvpn
13:21 < knarfly> ecrist: hey guy are you on the channel
13:27 -!- philtrum is now known as cpm
13:28 -!- knarfly [~vlad@c-98-242-237-166.hsd1.fl.comcast.net] has quit [Ping timeout: 252 seconds]
13:45 -!- lampliter [~chatzilla@c-76-19-126-1.hsd1.ma.comcast.net] has joined ##openvpn
13:46 < lampliter> can I specify a route on the client side configuration file?
14:14 < Bushmills> client side config of what?
14:16 < Bushmills> you can set a route on client side. a host route to server, so that client request packets will go along that route 
14:26 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 246 seconds]
14:26 < ecrist> I am now...
14:32 < Bushmills> ah. openvpn. i thought this was on #dns channel
14:32 < Bushmills> yes, you can
14:33  * ecrist slaps Bushmills with a large trout.
14:34  * Bushmills caresses ecrist with a 15 ton steam roller
14:35  * ecrist smushes Bushmills with Bushmills' own mother.
14:36 < lampliter> Bushmills: thanks
14:36  * Bushmills googles ecrist and finds zero hits
14:36  * ecrist googles Bushmills and gets lots of hits about a zero.
14:38  * Bushmills turns his mind towards issues he cares more about
14:39 < lampliter> one more problem http://pastebin.com/d12c465b0.  wth is this all about?
14:43 < lampliter> do I need to specify specific tap interfaces when a client has multiple vpn's?
14:49 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:57 -!- Diffen2 [~diffen2@c-3370e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
15:22 < tmwsiy2012> I am trying to get a road warrior type setup so that I can tunnel to my contract job from my regular job :)  I have setup successfully setup a bridge between client and server. but I am not getting a gateway pushed down by openvpn... can this be done with one nic card? do I need two on the openvpn server to make this work... there is something very basic that I am overlooking or not understanding... It is a little bit of a complicated setup
15:22 < tmwsiy2012> lol
15:22 < tmwsiy2012> it kinda works :)
15:23 < tw> Are you using redirect-gateway?
15:24 < tmwsiy2012> ive tried it both ways
15:24 < tw> Is your server set up to forward traffic for you (both iptables and the sysctl)?
15:25 < tw> Err, I assumed you are using a linux server, you may not be.
15:26 < tmwsiy2012> yes its wierd. I can connect to a 172.16.100.0 addresses through it but for some reason I cant get the other (a 192.168.0) my home network is 192.168.5.0
15:26 < tmwsiy2012> and yes linux
15:27 < tmwsiy2012> just to confirm my thinking
15:27 < tmwsiy2012> my client, the vpn server, and my router all need to know about each subnet for it to work right?
15:28 < tmwsiy2012> but my client and server are on the same subnet
15:29 < tmwsiy2012> due to the bridge, obviously
15:29 < tmwsiy2012> anyways
15:29 -!- roe [~roe___@216-164-215-125.c3-0.eas-ubr15.atw-eas.pa.cable.rcn.com] has joined ##openvpn
15:29 < tmwsiy2012> I will keep plugging
15:29 < tmwsiy2012> thanks tw for the input :)
15:30 < tw> Check to make sure your vpn server can reach the 192.168.5.* addresses, then check the routing tables on the client machine to make sure it's got either a default gateway listed for those addresses or it knows to push that traffic through the vpn.
15:33 < tmwsiy2012> ok in looking at the client log, this looks peculiar and not sure what did it
15:33 < tmwsiy2012> there is the following entry
15:33 < tmwsiy2012> route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.5.12
15:33 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
15:34 < tmwsiy2012> the 192.168.5.12 is my vpn endpoint but should not be the gateway
15:37 < tmwsiy2012> its kindof a corner case I am dealing with here
15:39 < roe> !welcome
15:39 < vpnHelper> roe: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:39 < roe> !howto
15:39 < vpnHelper> roe: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:50 < Bushmills> !redirect
15:50 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
15:51 < Bushmills> !tunortap
15:51 < vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
15:51 < vpnHelper> Bushmills: against you over the vpn
15:51 < Bushmills> tmwsiy2012: ^^^^^
15:51 < Bushmills> !nat
15:51 < vpnHelper> Bushmills: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
15:51 < Bushmills> tmwsiy2012: ^^^^^
15:52 < roe> !wins
15:52 < vpnHelper> roe: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
15:54 -!- skymaaster [~skymaster@h142n2fls34o972.telia.com] has joined ##openvpn
15:56 < tmwsiy2012> Bushmills: thanks... the reason I went the bridge tap route was b/c I was having issues with windows 7 client taking the address offered. Which is weird because it takes the one offered when I have the bridge going
15:58 < skymaaster> Does anyone have a bridge setup and can push DNS's to Linux clients ?
15:59 < skymaaster> The client recievs this but doesnt add the resolvers to /etc/resolv.conf:
15:59 < skymaaster> skymaster
15:59 < skymaaster> Wed Feb 17 22:11:50 2010 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway,dhcp-option DNS 195.67.199.7,dhcp-option DNS 195.67.199.8
16:00 < skymaaster> Snipped the rest of that line.
16:01 < skymaaster> After manually adding DNS's to resolv.conf the tunnel works as expected (perfectly).
16:01 -!- tmwsiy2012 [~tmwsiy@152-20-244-42.rev.uncw.edu] has left ##openvpn []
16:02 -!- tiav [~tiav@ram94-3-82-225-11-215.fbx.proxad.net] has joined ##openvpn
16:03 -!- sjr [~sjr@office.superuholdings.com] has joined ##openvpn
16:03 < Bushmills> skymaaster: did you come across this bit in the man page:  http://scarydevilmonastery.net/snap/1266444169953755567.png ?
16:03 < skymaaster> Yes, but theres no such env variable
16:04 < skymaaster> Otherwise i could have modded /sbin/dhclient
16:04 < skymaaster> dhclient-script
16:04 < Bushmills> you do run an up script?
16:04 < skymaaster> No
16:05 < Bushmills> so what should read (and use) contents of that environment variable?
16:06 < skymaaster> network-manager
16:06 < skymaaster> Or the dhclient-script as dhclient is running.
16:07 < Bushmills> there were some reports of network manager with openvpn not working properly
16:07 < Bushmills> !network-manager
16:07 < vpnHelper> Bushmills: Error: "network-manager" is not a valid command.
16:07 < Bushmills> !ubuntu
16:07 < vpnHelper> Bushmills: "ubuntu" is dont use network manager!
16:07 < Bushmills> ah
16:08 < Bushmills> running dhclient queries a dhcp server. openvpn isn't a dhcp server.
16:08 < skymaaster> Its used by all ubuntu desktop clients by default and doesnt "turn off" :)
16:08 < Bushmills> tough luck
16:09 < skymaaster> dhclient is what pulls in the first network settings for the computer, then network-manager runs its own race.
16:10 < skymaaster> I dont believe in luck. I like to fix whats broken instead.
16:10 < Bushmills> run a network-local recursor. use that as dns
16:10 < skymaaster> re-who ?
16:12 < skymaaster> But what can cause the environment variable to not be set ?
16:13 < Bushmills> it probably is set
16:13 < Bushmills> only, you're not running anything reading it
16:13 < skymaaster> "env" "set", its not there
16:14 < Bushmills> setting an environment variable isn't some global thing
16:15 < Bushmills> the environment is visible to processes called within that environment only. not outside of it, as your "env" attempts to
16:15 < skymaaster> So how could an external process pick it up if its not exported globally ?
16:15 < Bushmills> run an up script, and it will see the variable
16:15 < Bushmills> let the up script do what is needed to use it
16:19 < skymaaster> So if i had a few thusand clients i should copy this script to them and set that up instead of the openvpn client checking for that "PUSH" and updating resolv.conf or possibly writes an addin file with the resolvers that external programs can use ?
16:19 < skymaaster> Administrating that doesnt seem to be optimal.
16:19 < Bushmills> running that script *is* openvpn clients' method to "check" for that push
16:20 < skymaaster> to "do"
16:20 < Bushmills> interface it to you resolv.conf,  or your resolver updater
16:21 < skymaaster> How can i define this script. Can i put a script-line in the client conf only ?
16:21 < Bushmills> well, if waiting for network-manager to do that for you is more optimal, then you have a better solution.
16:22 < skymaaster> I intend to evaluate all options.
16:22 < Bushmills> you use an interactive configuration frontent, usually called an "editor".
16:22 < Bushmills> frontend
16:23 < skymaaster> ?
16:23 < Bushmills> chose location, name. put in your required actions for updating client config from dhcp pushed settings.
16:23 < Bushmills> give that loation and name to client config.
16:24 < Bushmills> (oh, make it executable. don't forget about script-security)
16:24 < Bushmills> check out the sample configs. there may be a version ready to use
16:25 < skymaaster> Whats the option that triggers this command ? .. client config dir ?
16:25 < Bushmills> up
16:25 < Bushmills> that's why it's called an up script
16:26 < skymaaster> up /hmm/script.sh ? or is that ifconfig-up or something ?
16:26 < Bushmills> translates to "the script which is executed when interface comes up"
16:26 < Bushmills> i'd give it a more inventive nam, like "zarniwoop_was_here" 
16:27 < skymaaster> Thanks. Do you like Iron Maiden ?
16:27 < Bushmills> not specifically. but i can't say I dislike them
16:28 < skymaaster> Favourite tune ?
16:28 < Bushmills> there ain't single one, and they change all the time
16:29 < skymaaster> the trooper ?
16:29 < Bushmills> Mr Bungle?
16:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
16:30 < skymaaster> ?
16:30 < skymaaster> What group is that ?
16:30 < Bushmills> http://en.wikipedia.org/wiki/Mr_bungle
16:30 < vpnHelper> Title: Mr. Bungle - Wikipedia, the free encyclopedia (at en.wikipedia.org)
16:31 < skymaaster> http://en.wikipedia.org/wiki/Mr._Bungle
16:31 < skymaaster> Haha, found it
16:31 < vpnHelper> Title: Mr. Bungle - Wikipedia, the free encyclopedia (at en.wikipedia.org)
16:32 < Bushmills> Secret Chiefs?
16:32 < skymaaster> Thanks for the tip, ill see if its on youtube later.
16:32 < Bushmills> John Zorn?
16:32 < Bushmills> Fred Frith?
16:32 < skymaaster> Thin Lizzy ?
16:32 < Bushmills> not that much
16:32 < skymaaster> :)
16:33 < skymaaster> Metallica (The older records, before the dreaded black dung:)
16:33 < skymaaster> Didnt like it
16:34 < skymaaster> Hammerfall ?
16:34 < Bushmills> Captain Beefheart?
16:34 < skymaaster> Haha, wthmm :) .. googling
16:35 < skymaaster> The Loneliness Of The Long Distance Runner av Iron Maiden från Somewhere In Time
16:36 < skymaaster> Don Van Vliet
16:36 < skymaaster> Many calif bands ?
16:38 < skymaaster> I bought a cool thing from there a while ago. A bluetooth-box that can be plugged into a mobile phone and regular (oldstyle *)phones
16:38 < skymaaster> So, dial with the old phone via the mobile's.
16:42 < skymaaster> Thanks for the chat.
16:44 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
16:45 -!- Diffen2 [~diffen2@c-3370e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 252 seconds]
16:46 -!- bandini [~bandini@204.101.26.186] has joined ##openvpn
16:49 -!- Diffen2 [~diffen2@c-6874e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
16:50 < skymaaster> Bushmills: Do you have some script that sets DNSs i can take a look at ?
16:51 < Bushmills> nope. I run a recursive DNS locally. #
16:53 < skymaaster> Ah.
16:54 < skymaaster> Some isps hide their dns's from other isps clients so unless this works the tunnel-up wont be flawless.
16:55 < Bushmills> with a recursive dns, i don't depend on any provider's dns
16:56 < skymaaster> Itll just load what the master dns has, sooner or later youll want to have it updated. Or do you query to root-servers directly ?
16:57 < Bushmills> that is what "recursive dns" means
16:58 < skymaaster> So you run that in a public place where basically all internet computers can access a query ?
16:59 < Bushmills> no,i run it on my lan
16:59 < Bushmills> though i do have "public" dns. those are authoritative
17:00 < skymaaster> yep
17:02 < skymaaster> So, say your client is on an unknown network called foobar.org and its dns's are only available if querying via route a.b.c.d. Now it connects to your network. What script does it run to set your DNS's ?
17:03 < Bushmills> none. my client connects to the server, its traffic is redirected through server.
17:04 < skymaaster> So then the clients has ISP-DNS's that are reachable from your VPN-server net as well as on their own nets ?
17:05 < Bushmills> no isp dns involved. all name resolution is done through local recursive dns
17:07 < skymaaster> Does each client run its own DNS-server ? :)
17:07 < Bushmills> no. but when i take the client with recursive dns with me, the othzer clients have no need for resolving
17:08 < skymaaster> I have no ideea.
17:10 < Bushmills> there are: printers, VoIP boxes, a PDA, and a turned off desktop computer next to the mostly used notebook on my local network.
17:10 < Bushmills> dns goes with notebook, which is also vpn client.
17:11 < Bushmills> in the very rare cases that desktop comes up (unreliable machine), it uses notebook dns
17:13 < skymaaster> Aha, i have a bit bigger setups in mind that should suite as many connecting clients on as many odd/even nets as possible.
17:14 < Bushmills> run a local recursive dns
17:15 < Bushmills> no need to push dns over vpn
17:15 < skymaaster> To be fair you should not query the root resolvers directly.
17:15 < Bushmills> just running dhclient will set you client right
17:15 < Bushmills> heh? why not?
17:15 < skymaaster> If everyone did that the net would break
17:15 < Bushmills> that's bull
17:16 < skymaaster> how so ?
17:16 < Bushmills> heart of TTL? record cachin?
17:16 < Bushmills> it is not that they are queried all the time
17:16 < skymaaster> TTL 3D
17:17 < skymaaster> bigillions of peoples computers trying to update against 13 computers at once :P
17:17 < Bushmills> root server gets maybe queried once per top level domain for as long as (root server detemined) ercord lifetime is
17:17 < Bushmills> update? a single request. then nothing anymore for hours, days ..
17:18 < Bushmills> better read into dns structure before telling me what i should or should not do
17:19 < Bushmills> root server are not stratum 1 ntp servers, after all
17:20 < skymaaster> I havnt told you to do anything or nothing. Im ok at these computamaphone-things.
17:20 -!- bandini [~bandini@204.101.26.186] has quit [Remote host closed the connection]
17:20 < Bushmills> (00:15:26) skymaaster: To be fair you should not query the root resolvers directly.
17:20 < Bushmills> you told me what i should not do
17:20 < Bushmills> (00:18:23) Bushmills: better read into dns structure before telling me what i should or should not do
17:20 < Bushmills> which is what i was objecting to
17:20 < skymaaster> "Should" is a suggestion. "Shall" would have been telling you.
17:21 < Bushmills> "before telling me what i should or should not do" i used the same words you used to "suggest" 
17:22 < skymaaster> Awesome music :)
17:22 < Bushmills> however, each and every root server is capable to tell my recursive dns "don't ask me for this anymore for a month"
17:24 < Bushmills> top level domain dns are those under load. not root servers.
17:31 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:46 < skymaaster> Watching the OS thing ?
17:47 < skymaaster> Germany Sweden 3-3 in curling (Stone-tossing :P)
17:47 < Bushmills> no. just wathed sagan. "if you want to bake an apple pie from scratch, you first have to invent the universe"
17:49 < skymaaster> http://bubblare.se/movie/sagan_om_isfolket_trolldom
17:49 < vpnHelper> Title: Bubblare.se - Sagan om Isfolket - Trolldom (at bubblare.se)
17:50 < skymaaster> Bushmills: I took a shower and a beer.
17:54 -!- harovali [~harovali@r190-135-6-204.dialup.adsl.anteldata.net.uy] has joined ##openvpn
17:56 < harovali> hi , I'm building openvpn from sources ; it took me to build lzo and openssl , which succeeded ; now I ran openvpn's ./configure  and suceeded too ; but now I go to run make and it tells me that there is no Makefile ; what steps do I have to follow to make openvpn ?
17:57 < Bushmills> try ./configure
17:57 < skymaaster> cat INSTALL
18:00 < harovali> Bushmills: thanks
18:00 < harovali> skymaaster: thanks
18:00 < harovali> I'll be back
18:00 < Bushmills> any success?
18:01 < harovali> Bushmills: in fact ./configure succeded aparently , but it did no yield a Makefile ; dos that mean that it did not succeed ?
18:02 < skymaaster> np
18:02 < Bushmills> last line(s) of screen output should tell.  I'd have expected a Makefile
18:02 < harovali> ouch  , ./configure told me "configure: error: OpenSSL Crypto headers not found."
18:02 < Bushmills> there you are
18:02 < skymaaster> ill try to build it
18:03 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
18:03 < harovali> Bushmills: yes, I got that error before building and installing openssh , but now that I did that previous step , I'm lost at why the error persists
18:03 < Bushmills> missing ssl dev libs
18:03 < Bushmills> need to install
18:03 < harovali> Bushmills: yes , or at least it does not find them where they should
18:04 < Bushmills> libssl-dev
18:04 < harovali> Bushmills: is that a separate software as openssl ?
18:05 < Bushmills> same software, but not compiled.  headers included, needed for compilation of programs which use them
18:05 < Bushmills> "error: OpenSSL Crypto headers not found."   go figure
18:05 -!- __trine is now known as _trine
18:05 < skymaaster> openssl contains the ssl headers (binary packges calls those -dev or -devel)
18:05 < harovali> Bushmills: true , sorry for the confusion
18:05 < skymaaster> packages
18:06 < skymaaster> Compiles nicely here
18:06 < harovali> I have untarred the openssl tarball in my home directory , in order to build it. 
18:06 < harovali> Then I make installed'd it
18:06 < skymaaster> cd openvpn-*/ && ./configure --prefix=/usr && make
18:06 < Bushmills> tar probably contains sources + headers
18:06 < harovali> what should I perform in order to have the headers where openvpn's ./configure can find them ?
18:07 < Bushmills> consult the READMEs
18:07 < harovali> Bushmills: yes , I'll do
18:07 < Bushmills> INSTALLs are also helpful
18:08 < skymaaster> cd openssl-*/ && ./configure --prefix=/usr && make && make install
18:08 < harovali> skymaaster: I did that , but missed the --prefix=/usr
18:08 < skymaaster> ok, do it again
18:08 < skymaaster> run "make clean" first
18:09 < harovali> will I have to compile the whole thing again ? it took hours
18:09 < skymaaster> make PREFIX=/usr install
18:09 < skymaaster> could be ok, see that it uses "/usr/lib" and not /usr/local/lib
18:09 < harovali> right now ? over the already compiled thing ?
18:09 < skymaaster> yes
18:09 < harovali> thanks
18:10 < skymaaster> See if it works first :)
18:10 < skymaaster> but.. np
18:10 < harovali> "make PREFIX=/usr install" , right ?
18:10 < skymaaster> yes
18:10 < harovali> skymaaster: thanks
18:10 < skymaaster> np
18:11 < krzee> <--- in australia
18:11 < Bushmills> g'day mate
18:11 < krzee> aww damn, just found out they use different plugs here, 40min left of laptop juice
18:11 < krzee> lol
18:12 < skymaaster> Only The Good Die Young av Iron Maiden från Seventh Son Of A Seventh Son
18:12 < Bushmills> oh right, 2x45 degree rotated
18:12 < harovali> skymaaster: I'm afraid it started compiling again 
18:12 < krzee> yup, exactly
18:13 < skymaaster> harovali: 5-10 minutes on > 2 ghz 
18:13 < skymaaster> easy!
18:13 < krzee>  it should compile again, you didnt compile with the headers before
18:13 < harovali> skymaaster: yes, but why "make PREFIX=/usr install" would compile ? shouldn't it just install ?
18:14 < Bushmills> watch out for the Bunyip
18:14 < skymaaster> Nope, it needs to compile the source files that uses config.h so that their object files contain the proper settings for the resulting binaries.
18:16 < Bushmills> and don't get alarmed when somebody asks your whether you want any dead horse over your dish
18:16 < harovali> skymaaster: hmm, and should I expect it to compile properly as you point out and have the binaries installed ?  (I ask because I thought them to be separate steps , one with make , and the other with make install )
18:17 < skymaaster> Nope, that will make the required files and install the resulting binaries.
18:17 < harovali> skymaaster: thanks
18:17 < harovali> I have to go now, I'll be back later or tomorrow. Thanks
18:18 < skymaaster> check that "/usr/include" is used, and not "/usr/local/include"
18:18 < skymaaster> Np, have fun!
18:19 < harovali> skymaaster: how do I check that ? where do I have to look into ?
18:19 < krzee> Bushmills, where in germany are you?
18:19 < Bushmills> below 50 north, around 8 east
18:20 < skymaaster> West ?
18:20 < krzee> werd
18:21 < krzee> bbl before i run out of power
18:21 < skymaaster> :)
18:21 < Bushmills> east (of greenwich)
18:21 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: Leaving]
18:21 < harovali> bbl too
18:22 -!- harovali [~harovali@r190-135-6-204.dialup.adsl.anteldata.net.uy] has left ##openvpn []
18:27 -!- kwame [~kwame@159.153.4.51] has joined ##openvpn
18:46 -!- mimecine [~Adium@user-0cdfsbf.cable.mindspring.com] has quit [Ping timeout: 265 seconds]
18:50 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 260 seconds]
19:01 < kwame> Hi, can someone give me a hand with what I think it's a routing issue?
19:02 < kwame> This is my config for both server and openvpn client
19:02 < kwame> http://pastebin.com/d5e4e2a46
19:02 < kwame> my issue is that I CAN ping hosts of the 10.104.219.x network, but I cannot ssh into them
19:03 < kwame> I get a ssh: connect to host 10.104.219.22 port 22: No route to host
19:17 < kwame> anybody?
19:35 -!- kwame [~kwame@159.153.4.51] has quit [Quit: leaving]
20:25 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
21:05 -!- Diffen2 [~diffen2@c-6874e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
21:19 -!- meepmeep [meepmeep@212.24.104.229] has joined ##openvpn
21:22 -!- meepmeep_ [meepmeep@there-is-no.endoftheinternet.org] has quit [Quit: Yippee-kay-yay]
21:28 -!- |Mike| [mike@2001:1af8:2:444::2] has quit [Read error: Operation timed out]
21:46 -!- |Mike| [mike@2001:1af8:2:444::2] has joined ##openvpn
21:59 -!- harovali [~harovali@190.132.240.233] has joined ##openvpn
22:06 -!- Serideru [~GTWebster@206.82.218.140] has joined ##openvpn
23:06 -!- Serideru [~GTWebster@206.82.218.140] has quit [Ping timeout: 264 seconds]
23:06 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
23:12 -!- Serideru [~GTWebster@206.82.218.140] has joined ##openvpn
23:18 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
--- Log closed Wed Feb 17 23:34:01 2010
--- Log opened Thu Feb 18 01:41:31 2010
01:41 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
01:58 -!- |Mike|_ [mike@2001:1af8:2:444::2] has quit [Quit: Reconnecting]
02:04 -!- polaru [~polaru@93.113.192.70] has joined ##openvpn
02:38 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:39 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
03:08 -!- master_of_master [~master_of@p57B56D80.dip.t-dialin.net] has quit [Ping timeout: 256 seconds]
03:10 -!- master_of_master [~master_of@p57B566DD.dip.t-dialin.net] has joined ##openvpn
03:26 -!- |Mike| [mike@2001:1af8:2:444::2] has joined ##openvpn
03:36 -!- krzie [~krzee@butters.secure-computing.net] has joined ##openvpn
03:42 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
03:45 -!- enca [~mickey_mo@85-135-159-80.adsl.slovanet.sk] has joined ##openvpn
03:51 -!- Diffen2 [~diffen2@c-6874e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
03:55 -!- enca [~mickey_mo@85-135-159-80.adsl.slovanet.sk] has left ##openvpn []
03:55 -!- tom_ [~tom@ms803.montefiore.ulg.ac.be] has joined ##openvpn
03:56 -!- tom_ [~tom@ms803.montefiore.ulg.ac.be] has left ##openvpn ["Quitte"]
03:56 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
04:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
04:03 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
04:10 -!- sehh [~sehh@cust-224-67.on1.ontelecoms.gr] has joined ##openvpn
04:10 < sehh> hey people
04:23 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
04:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:29 -!- dazo_afk is now known as dazo
04:41 -!- APTX| [~APTX@chello089076052083.chello.pl] has joined ##openvpn
04:42 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 248 seconds]
05:07 -!- APTX| [~APTX@chello089076052083.chello.pl] has quit [Quit: Farewell]
05:08 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
05:08 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
05:08 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
05:45 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
05:50 -!- skymaaster [~skymaster@h142n2fls34o972.telia.com] has quit [Ping timeout: 252 seconds]
05:51 -!- skymaaster [~skymaster@h142n2fls34o972.telia.com] has joined ##openvpn
05:53 < sehh> q: I've got a Win2003 server running OpenVPN. My configuration works fine, but I've got the following problem: If I manually start the OpenVPN service, my VPN works. If I let the server start on its own during boot (OpenVPN service is set to Autostart), then it never works. So each time I reboot the server, I have to manually stop and start again the service. Please help.
05:55 < Krikke> I think it was mentioned in the faq
05:56 < dazo> sehh:  I'm not a Windows user ... but it sounds like either the certificates are in the wrong certificate register in Windows (discussed recently in the mailing list, IIRC) ... or that you have some passwords which it cannot retrieve
05:58 < Krikke> or the service starts before some bridge is up
05:58 -!- gazelle [~nkey@unaffiliated/gazelle] has joined ##openvpn
05:58 < Krikke> or route
05:59 < gazelle> hi guys !
06:03 -!- balboah [~johnny@joonix.se] has joined ##openvpn
06:04 -!- balboah_ [~johnny@joonix.se] has quit [Read error: Connection reset by peer]
06:07 < sehh> hmm
06:07 < sehh> damn
06:07 < sehh> what if I set the service to Delayed Autostart? maybe that will help?
06:08 < sehh> hmm
06:08 < sehh> nope, that won't work because win2003 doesn't have Delayed start, thats in Vista :P
06:24 < dazo> sehh:  have you tried --up-delay?  ... or using the management interface in conjunction with --management-hold ... where you have a script checking if it's ready for openvpn to start, and then it connects to the management interface and starts the connection?
06:27 < sehh> hmm --up-delay? no I wasn't aware of such parameter. But I'm not sure how that works, since I can't pass any parameters to the service itself...
--- Log closed Thu Feb 18 06:28:54 2010
--- Log opened Thu Feb 18 08:01:25 2010
08:01 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
08:05 -!- skymaaster [~skymaster@h142n2fls34o972.telia.com] has quit [Quit: Quit]
08:07 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
08:08 -!- stephenh [~stephenh@94-23-158-103.kimsufi.com] has joined ##openvpn
08:11 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
08:13 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
08:14 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
08:17 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
08:19 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
08:21 -!- mgolisch [~michi@85.93.11.18] has left ##openvpn []
08:29 -!- dug` [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
08:29 -!- dazo_afk is now known as dazo
08:31 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
08:32 -!- dug_ [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Ping timeout: 260 seconds]
08:33 -!- mah_cfsi [~mah@mail.cfsi.dk] has joined ##openvpn
09:00 -!- Mtn_Bkng_Dave [~whome@216.70.180.208] has joined ##openvpn
09:00 < Mtn_Bkng_Dave> !help
09:00 < vpnHelper> Mtn_Bkng_Dave: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
09:01 < Mtn_Bkng_Dave> morning gang
09:01 < Mtn_Bkng_Dave> whats the best approach for multiple configurations?
09:02 < Mtn_Bkng_Dave> ie: 2 networks that I would like to access via openvpn
09:02 < Mtn_Bkng_Dave> any way to quickly change from one config to the other?
09:05 < Mtn_Bkng_Dave> i am trying to avoid a double hop through openvpn
09:05 < Mtn_Bkng_Dave> !config
09:05 < vpnHelper> Mtn_Bkng_Dave: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
09:06 < Mtn_Bkng_Dave> !welcome
09:06 < vpnHelper> Mtn_Bkng_Dave: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:06 < Mtn_Bkng_Dave> !man
09:06 < vpnHelper> Mtn_Bkng_Dave: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
09:07 < rob0> There is nothing wrong with running multiple instances of openvpn. The problems might come if one of them gets you into a redirect-gateway, or if they try to set routes to the same netblock.
09:08 < Mtn_Bkng_Dave> hey rob0
09:08 < rob0> I've only used redirect-gateway for securing wireless.
09:08 < rob0> (I wouldn't try to do it over the Internet.)
09:08 < Mtn_Bkng_Dave> i have two networks routed with open
09:08 < Mtn_Bkng_Dave> local net and remote
09:08 < Mtn_Bkng_Dave> right now i can hit the same server as the remote
09:09 < Mtn_Bkng_Dave> would like to have a server on the other net to avoid having to route back through open
09:09 < tw> rob0: Is there something inherently vulnerable with doing so?
09:09 < Mtn_Bkng_Dave> just for road warrior clients
09:10 < Mtn_Bkng_Dave> kinda pointless to burn bandwidth and processor in the openvpn appliance for in and out traffic
09:10 < tw> But you get the assurance of knowing that by default, the client is not accidentally bleeding potentially sensitive information out of a split tunnel.
09:10 < rob0> tw, I am sure that some people have the need to redirect-gateway over the Internet. The problem is that you add in all the lag and latency along the way, and it can take much moer bandwidth.
09:10 < rob0> true
09:11 < rob0> Looking at it from that angle, it's a security featuer, which is why Cisco (among others) does it.
09:12 < rob0> But, if you hit a redirect-gateway connection, and then want to connect to another one ... you get a tunnelled tunnel.
09:16 < Mtn_Bkng_Dave> hey rob
09:17 < Mtn_Bkng_Dave> am i reading this right..........if you have multiple config files in the directory it will start them all?
09:19 < rob0> uh, that would depend on your startup script, and I don't use one of those.
09:20 < Mtn_Bkng_Dave> im just using the openvpn gui in windows for remotes
09:20 < Mtn_Bkng_Dave> maybe this is a plan
09:21 < Mtn_Bkng_Dave> do you have to have multiple taps for multiple instances?
09:21 < Mtn_Bkng_Dave> i could install 2 adapters and just enable the one I want to use at the time
09:21 < Mtn_Bkng_Dave> each config could have its own tap adapter
09:22 < rob0> I don't use Windows at all.
09:23 < Mtn_Bkng_Dave> i just went back and looked........it doesnt reference a particular tap
09:23 < Mtn_Bkng_Dave> device tun
09:24 < Mtn_Bkng_Dave> or dev tun
09:24 < Mtn_Bkng_Dave> !man
09:24 < vpnHelper> Mtn_Bkng_Dave: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
09:27 < Mtn_Bkng_Dave> !help nobind
09:27 < vpnHelper> Mtn_Bkng_Dave: Error: There is no command "nobind".
09:33 -!- badmicrophone [~User@c-71-235-48-135.hsd1.ct.comcast.net] has joined ##openvpn
09:33 < badmicrophone> greetings
09:34 < jmm> hi.
09:34 < badmicrophone> My openvpn keeps causing my wireless card to be disabled permanently until I restart the computer. Can anyone help me with this?
09:34 < badmicrophone> hi jmm
09:35 < badmicrophone> it also doesnt allow me to connect through ethernet when that happens
09:36 < jmm> do you use tcp or udp ?
09:36 < badmicrophone> both
09:37 < Mtn_Bkng_Dave> both lan and wireless are disabled?
09:37 < badmicrophone> yes
09:38 < Mtn_Bkng_Dave> server or client
09:38 < badmicrophone> client
09:38 -!- cpm_ [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm_]
09:38 < Mtn_Bkng_Dave> !welcome
09:38 < vpnHelper> Mtn_Bkng_Dave: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:39 < badmicrophone> !goal
09:39 < vpnHelper> badmicrophone: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:39 < jmm> I want to be fireman.
09:39 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined ##openvpn
09:39 < Mtn_Bkng_Dave> you just want chicks to admire your hose
09:39 < Mtn_Bkng_Dave> ROFL
09:40 < badmicrophone> 1) i would just like to access the internet over my VPN provider, using ovpn files
09:40 < badmicrophone> 2!logs
09:40 < badmicrophone> !logs *
09:40 < vpnHelper> badmicrophone: Error: "logs" is not a valid command.
09:40 < jmm> :)
09:40 < badmicrophone> !logs
09:40 < vpnHelper> badmicrophone: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
09:41 < Mtn_Bkng_Dave> is there any particular reason you want to access the internet via vpn?
09:41 < badmicrophone> :( i dont know how to do what vpnhelper just said. I just use the easy instructions from my vpn provider
09:41 < badmicrophone> security
09:42 < badmicrophone> encryption and hiding my ip from attacks
09:43 < badmicrophone> i use openvpn gui
09:43 < badmicrophone> does that little window with all the text, is that the log?
09:44 < Mtn_Bkng_Dave> and your provider uses openvpn as well?
09:44 < badmicrophone> its a separate company
09:44 < Mtn_Bkng_Dave> and your provider uses openvpn as well?
09:44 < upb> ah, so it cant possibly use openvpn because it is a separate company
09:44 < badmicrophone> what provider?
09:45 < Mtn_Bkng_Dave> the network you are trying to connect to
09:45 < badmicrophone> yes it does
09:46 < badmicrophone> i thought you meant my isp
09:47 < Mtn_Bkng_Dave> post your logs and configs
09:48 < Mtn_Bkng_Dave> !pastebin
09:48 < vpnHelper> Mtn_Bkng_Dave: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
09:48 < badmicrophone> is the log kept in that little text window ovpn starts in?
09:48 < Mtn_Bkng_Dave> yes
09:49 < Mtn_Bkng_Dave> click view log from the gui menu
09:53 -!- Error404NotFound [~Eror404@119.153.73.152] has joined ##openvpn
09:53 -!- Error404NotFound [~Eror404@119.153.73.152] has quit [Changing host]
09:53 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
09:55 -!- badmicrophone [~User@c-71-235-48-135.hsd1.ct.comcast.net] has quit [Quit: Leaving.]
09:57 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
10:07 < rob0> yikes, that was bad
10:07 < Mtn_Bkng_Dave> whats that
10:08 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:08 < rob0> the scrollback
10:39 < Mtn_Bkng_Dave> from badmic?
10:39 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
10:43 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
10:44 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Read error: Connection reset by peer]
10:45 < mah_cfsi> Hi,  am am looking for small hardware that willl run as VPN gateway, any knowledge of the requirements for the CPU size and type?
10:49 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
10:49 -!- mode/##openvpn [+v Kas] by ChanServ
10:49 < mah_cfsi> !welcome
10:49 < vpnHelper> mah_cfsi: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:51 < mah_cfsi> !wiki
10:51 < vpnHelper> mah_cfsi: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
10:52 < mah_cfsi> !mitm
10:52 < vpnHelper> mah_cfsi: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
10:57 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
11:05 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit [Quit: Leaving]
11:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:10 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:22 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
11:22 -!- mode/##openvpn [+o mattock] by ChanServ
11:26 -!- polaru [~polaru@93.113.192.70] has quit [Remote host closed the connection]
11:33 < dazo> mah_cfsi:  depends on how many users
11:33 < dazo> mah_cfsi:  personally, to access my equipment at home .... I'm running a Linksys WRT54GL with OpenWRT and OpenVPN without any problems at all
11:34 < dazo> mah_cfsi:  but if you're looking for a solution with more throughput and which can handle more users ... a little bit more beefy hw is probably not bad ... but you don't need a high end Xeon server, so to speak
11:34 < cron2> dazo: good point.  do you have a quick tip for me how to cross-compile openvpn for the WRT?
11:35 < cron2> mah_cfsi: if you feel like adventure, look at http://plugcomputer.org - nice and fast boxes, but very much "non-mainstream"
11:35 < vpnHelper> Title: PlugComputer Community (at plugcomputer.org)
11:36 < dazo> cron2:  nope :( ... would be fun though, to compile some stuff for it though :)
11:37 < dazo> cron2:  http://www.frontiernet.net/~beakmyn/CrossCompile.htm ... might give some clues though
11:37 < vpnHelper> Title: Cross Compiling for WRT Notes (at www.frontiernet.net)
11:38 < cron2> oh, cool.  *note*.
11:39 < dazo> cron2:  hmmm .... openwrt got their own SDK for porting apps to it ... http://wiki.openwrt.org/oldwiki/buildingpackageshowto
11:40 < cron2> thanks.  will give it a try.
11:43  * dazo heads home ... to be ready for the meeting today
11:44 -!- dazo is now known as dazo_afk
12:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
12:13 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
12:15 -!- dazo_afk is now known as dazo
12:25 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Quit: Leaving]
12:28 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
12:31 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 268 seconds]
12:49 -!- PwrSurge [~nrg@206-248-139-212.dsl.teksavvy.com] has joined ##openvpn
12:50 < PwrSurge> hello, is there any way to prevent openvpn from prompting for a private key at startup?
12:51 < Bushmills> place a key somewhere, and tell config where to find it.
12:53 < PwrSurge> what statement in the config file controls this?
12:53 < PwrSurge> I currently have ca, cert, dh and key files
12:53 < PwrSurge> defined
12:54 < Bushmills> ca, cert, key  should do
12:54 -!- Blues-Man [~bluesman@host163-117-dynamic.49-79-r.retail.telecomitalia.it] has joined ##openvpn
12:54 < Blues-Man> hi
12:54 < PwrSurge> that's what I have but openvpn is still prompting me to enter my private key when I start it
12:55 < Bushmills> how do you enter it?
12:55 < PwrSurge> when started, openvpn prompts this: "Enter Private Key Password:"
12:56 < Bushmills> that's the key passphrase.
12:56 < PwrSurge> ok
12:56 < Bushmills> recreate key, but without passphrase
12:56 < PwrSurge> oh
12:56 < PwrSurge> so I just press enter when asked for a passphrase
12:56 < PwrSurge> ?
12:56 < Bushmills> when there is none, it won't ask
12:56 < PwrSurge> ok
12:57 < Blues-Man> I have a problem: after certain time I lose connection to a remote OpenVPN server and I have to reconnect anytime. I wonder why, I put "ping 10" in my client.conf but how can I see why it happens?
12:57 < Bushmills> Blues-Man: look at  --keepalive
12:57 < Blues-Man> as openvpn-server option ?
12:58 < Bushmills> does ping, ping-erstart, and also pushes those to the other end
12:58 < Bushmills> restart
12:58 < Blues-Man> do you know how to escape '-' in google :-)
12:58 < Blues-Man> ?
12:59 < PwrSurge> enclose in quotes
12:59 < PwrSurge> i.e. "--keepalive"
12:59 < Blues-Man> ok thanks
13:00 < Bushmills> you could have looked at the man page instead
13:01 < Bushmills> !keepalive
13:01 < vpnHelper> Bushmills: Error: "keepalive" is not a valid command.
13:02 < Bushmills> vpnHelper: 'Error: "keepalive" is not a valid command.' is not a valid reply
13:02 < vpnHelper> Bushmills: Error: "'Error:" is not a valid command.
13:02 < Bushmills> vpnHelper: get smart
13:02 -!- Mtn_Bkng_Dave [~whome@216.70.180.208] has quit [Read error: Connection reset by peer]
13:02 < vpnHelper> Bushmills: Error: "get" is not a valid command.
13:03 < Bushmills> i know
13:03 < ecrist> community meeting in ##openvpn-discussion starting now
13:04 -!- Mtn_Bkng_Dave [~whome@216.70.180.208] has joined ##openvpn
13:18 -!- LobbyZ [~default@main.lobbyzffs.com] has quit [Quit: Free FTW]
13:20 -!- Blues-Man [~bluesman@host163-117-dynamic.49-79-r.retail.telecomitalia.it] has quit [Ping timeout: 248 seconds]
13:23 -!- le0_ [~tehle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
13:24 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 256 seconds]
13:24 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
13:34 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
13:36 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 256 seconds]
13:37 -!- montana [~montana@212.117.173.72] has joined ##openvpn
13:37 < montana> !welcome
13:37 < vpnHelper> montana: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:37 < montana> !goal
13:37 < vpnHelper> montana: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:42 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
13:42 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
13:42 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
13:43 < montana> The setup is working on other vista pcs and winxp and linux. about 6 clients. but on on one vista machine, openvpn doesn't start from the services
13:43 < montana> any typs?
13:43 < montana> any tips
13:44 < montana> the vpn tunnel is just to protect the communication between the clients and the server. nothing fancy
13:49 < montana> http://pastebin.com/m73b2ce8e 
13:49 < montana> confg
13:51 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
13:51 -!- mode/##openvpn [+v Kasx] by ChanServ
13:51 < ecrist> montana: do you see anything in the logs?
13:55 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 265 seconds]
13:55 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 265 seconds]
13:56 < montana> ecrist: will check :p sry
13:59 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
13:59 -!- mode/##openvpn [+v openvpn2009] by ChanServ
14:09 -!- mimecine [~Adium@cpe-67-250-35-166.nyc.res.rr.com] has joined ##openvpn
14:10 -!- Blues-Man [~bluesman@host163-117-dynamic.49-79-r.retail.telecomitalia.it] has joined ##openvpn
14:10 < Mtn_Bkng_Dave> !man
14:10 < vpnHelper> Mtn_Bkng_Dave: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
14:13 -!- tiav [~tiav@ram94-3-82-225-11-215.fbx.proxad.net] has quit [Quit: Parti]
14:21 -!- tmwsiy2012 [~tmwsiy@152-20-244-42.rev.uncw.edu] has joined ##openvpn
14:23 < Blues-Man> if I don't put any "max-clients" value, is allowed (unlimited) multi client connected to the OpenVPN server? Cause it happens that if I connect another one disconnect, I'm using fixed different IPs 
14:25 < tmwsiy2012> in the sample configuration there is two ips given in the server.conf.. why do we need two ips?
14:26 < ecrist> Blues-Man: I'm guessing you're using the same certificate for both clients
14:27 < Blues-Man> ecrist, no I have generated different certificates for the clients, generated on the same machine and then signed by the CA but I put different values
14:27 < ecrist> !logs
14:27 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
14:28 < Blues-Man> ok as I can try to connect both clients i'll pastebin
14:40 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:43 -!- PwrSurge [~nrg@206-248-139-212.dsl.teksavvy.com] has quit [Ping timeout: 260 seconds]
14:51 < Blues-Man> ecrist, I saw this http://pastebin.ca/1801958 in latest log lines, when the 87.xxx IP comes, I (79.xx) IP got TLS keys out of sync
14:56 -!- PwrSurge [~nrg@206-248-139-212.dsl.teksavvy.com] has joined ##openvpn
14:57 -!- dazo is now known as dazo_afk
14:58 -!- Bushmills [~Bushmills@78.46.19.202] has quit [Quit: Terminated with extreme prejudice - dircproxy 1.0.5]
14:59 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
15:19 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
15:22 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined ##openvpn
15:32 -!- Mtn_Bkng_Dave [~whome@216.70.180.208] has quit []
15:35 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
15:56 -!- leOn [~xxx@a213-22-84-186.cpe.netcabo.pt] has joined ##openvpn
15:57 < leOn> sorry about the OT question ... but does anyone know any way to connect a linux box to a checkpoint vpn-1 firewall ?
15:58 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has quit [Read error: Connection reset by peer]
16:00 -!- mimecine1 [~Adium@cpe-67-250-35-166.nyc.res.rr.com] has joined ##openvpn
16:00 -!- mimecine [~Adium@cpe-67-250-35-166.nyc.res.rr.com] has quit [Read error: Connection reset by peer]
16:01 -!- mimecine1 [~Adium@cpe-67-250-35-166.nyc.res.rr.com] has quit [Client Quit]
16:16 -!- cervicek [~cervicek@rzlx0901.hs-esslingen.de] has quit [Quit: leaving]
16:18 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
16:22 < upb> is there a public svn repo (read only) ?
16:22 < upb> i'd like to verify whether a patch i sent in a year ago was merged :P
16:23 < ecrist> just download the source
16:24 < ecrist> openvpn.net/release
16:24 < ecrist> upb: the development process is changing now
16:25 < ecrist> if you don't see it, re-submit it to the developers mailing list and someone will look at it.
16:27 < upb> but is there a svn repo ?
16:29 < ecrist> yes, on sourceforge
16:30 < ecrist> http://sourceforge.net/projects/openvpn/
16:30 < vpnHelper> Title: OpenVPN | Get OpenVPN at SourceForge.net (at sourceforge.net)
16:30 < ecrist> !svn
16:30 < vpnHelper> ecrist: Error: "svn" is not a valid command.
16:31 < ecrist> upb: there is also a git repo, which is where the 'real' devel takes place.  approved and tested code moves into SVN from there.
16:33 < upb> thx
16:38 < upb> yuck, its cvs not svn ÖD
16:38 < upb> :D
16:40 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
16:44 < ecrist> there is an svn repo, I just can't find it at the moment.
16:54 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined ##openvpn
16:56 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
16:58 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
17:07 -!- PwrSurge [~nrg@206-248-139-212.dsl.teksavvy.com] has quit [Ping timeout: 260 seconds]
17:12 -!- Blues-Man [~bluesman@host163-117-dynamic.49-79-r.retail.telecomitalia.it] has quit [Quit: Sto andando via]
17:19 -!- PwrSurge [~nrg@206-248-139-212.dsl.teksavvy.com] has joined ##openvpn
18:09 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
18:47 -!- Mtn_Bkng_Dave [~whome@216.70.180.208] has joined ##openvpn
18:48 < Mtn_Bkng_Dave> any wrtg4gl users here?
19:20 -!- leOn [~xxx@a213-22-84-186.cpe.netcabo.pt] has quit [Quit: leaving]
20:12 -!- Mtn_Bkng_Dave [~whome@216.70.180.208] has quit [Read error: Connection reset by peer]
20:19 -!- Mtn_Bkng_Dave [~whome@216.70.180.208] has joined ##openvpn
20:59 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 256 seconds]
21:10 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
21:13 -!- simplechat [~simplecha@123-243-79-139.tpgi.com.au] has joined ##openvpn
21:13 -!- simplechat [~simplecha@123-243-79-139.tpgi.com.au] has quit [Changing host]
21:13 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
21:14 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
21:21 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Write error: Broken pipe]
21:21 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
22:09 -!- donavan [~donavan@unaffiliated/donavan] has joined ##openvpn
22:17 < donavan> Hi, I'm running 2.1.1 on linux.  I have client to server config working.  I'm now trying to access the network behind the server from the client.  Previously in 2.0.9 I used the 'up' config file option.  However, with 2.1.1 I'm failing even with the 'script-security 3' option in my server.conf. 
22:17 < donavan> Is there a difference in behavior using --up on the command line and up in the config file?
22:35 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
23:02 -!- PwrSurge [~nrg@206-248-139-212.dsl.teksavvy.com] has quit [Ping timeout: 246 seconds]
23:27 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:27  * donavan stabs SELinux
23:37 < Mtn_Bkng_Dave> anybody played with a plugcomputer yet?
23:40 -!- PwrSurge [~nrg@206-248-139-212.dsl.teksavvy.com] has joined ##openvpn
--- Day changed Fri Feb 19 2010
00:25 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
00:26 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
01:12 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
01:46 < cron2> Mtn_Bkng_Dave: yes, I have a SheevaPlug and a OpenRD-Client here.  Debian on it, nice boxes.
01:54 -!- makomi [~makomi@p509966c5.dip0.t-ipconnect.de] has joined ##openvpn
01:58 -!- makomi [~makomi@p509966c5.dip0.t-ipconnect.de] has quit [Remote host closed the connection]
02:01 -!- makomi [~makomi@p509966c5.dip0.t-ipconnect.de] has joined ##openvpn
02:24 < jmm> hi.
02:24 < jmm> Mtn_Bkng_Dave: I'd like to try one .
02:29 -!- BinaryKhaos [~matthew@p5791E63A.dip.t-dialin.net] has joined ##openvpn
02:30 < BinaryKhaos> Hi. I am running an OpenVPN server (2.1.x) on a high latency (120-200ms) network. When I connect to it from linux and tunnel my traffic, I can achieve d/l rates up to 10 mbit/s. But if I connect via Win7, I can hardly cross the 2.5 mbit/s mark from the same server. I guess it is related to rwin scaling. Can someone please point me into the right direction?
02:30 < hyper_ch> ditch win7 and install linux :)
02:31 < jmm> hyper_ch++
02:31 < jmm> hi :)
02:31 < hyper_ch> hi :)
02:31 < BinaryKhaos> Nice one. ;-) Fortunately I have been using Linux for years as my main os and unfortunately I need Windows from time to time for some work related stuff. So... :-)
02:31 < jmm> :\
02:32 < hyper_ch> ever heard of virtualization :)
02:32 < jmm> if I'd have to run windows for some reason, I'd use a virtual computer.
02:32 < jmm> heh.
02:33 < BinaryKhaos> If it possible, I use kvm or virtualbox but some times you have to do some graphics intensive stuff (non-games) which require windows because of the demands of your customer.
02:33 < BinaryKhaos> Geez I should have proof read that last sentence...
02:35 < BinaryKhaos> I can only speculate that is has something to do w/ some problem in Win7's rwin scaling code. Changing the autotuning level unfortunately made no difference at all.
02:43 -!- BinaryKhaos [~matthew@p5791E63A.dip.t-dialin.net] has quit [Quit: Leaving]
02:57 -!- gazelle [~nkey@unaffiliated/gazelle] has quit [Ping timeout: 245 seconds]
02:58 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
03:08 -!- master_of_master [~master_of@p57B566DD.dip.t-dialin.net] has quit [Ping timeout: 272 seconds]
03:10 -!- master_of_master [~master_of@p57B54950.dip.t-dialin.net] has joined ##openvpn
03:28 -!- BinaryKhaos [~matthew@li103-84.members.linode.com] has joined ##openvpn
03:30 < BinaryKhaos> Hi. Again, it's me. I did some further testing and I made a terrible mistake earlier. OpenVPN speed from and to my host is perfect. Tunneling traffic through my host to the net is horrible on Linux and Win. While I get almost 3MB/s on the host from server a, I get only 400kb/s from server a if I access it from my client through the tunnel. This is all on a high latency network (150-250ms). Are there any knobs I can change to increase t
03:30 < BinaryKhaos> he performance?
03:31 < BinaryKhaos> Knobs on client/host Linux that is.
03:37 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:03 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
04:16 -!- BinaryKhaos [~matthew@li103-84.members.linode.com] has quit [Ping timeout: 268 seconds]
04:25 -!- makomi [~makomi@p509966c5.dip0.t-ipconnect.de] has quit [Remote host closed the connection]
04:32 -!- dazo_afk is now known as dazo
04:49 -!- Diffen2 [~diffen2@c-6874e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 264 seconds]
05:26 -!- insane^ [~jg@pizza.internetx.de] has joined ##openvpn
05:30 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
05:30 -!- mode/##openvpn [+o mattock] by ChanServ
05:39 -!- ParanoyaM [~kvirc@93-183-231-252-dynamic.retail.datagroup.ua] has joined ##openvpn
05:40 < ParanoyaM> Hi All, can anybody tell me how to recover keys, i did a mistake and removed openvpn folder with easy-rsa folder, so now i haven't keys and dh1024.pem. Is it possible to add clients now? or i should reinstall all keys everywhere?
05:42 < hyper_ch> ParanoyaM: get the keys back from your backups
05:43 < ParanoyaM> hyper_ch: i didn't do the backups, can i use keys from clients side?
05:43 < hyper_ch> no clue
05:43 < hyper_ch> but it's a very very bad idea to not make backups
05:43 < ParanoyaM> no clue? what do you mean, sorry i am not very good in english
05:44 < ParanoyaM> yes i know, next time i will do them for sure
05:44 < hyper_ch> no clue whether you can use those key
05:44 < hyper_ch> s
05:44 < ParanoyaM> you mean you don't know?
05:51 < ParanoyaM> maybe somebody can help me? 
06:08 -!- Diffen2 [~diffen2@c-6874e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
06:15 -!- jeffl_ [coz@teledojo.com] has quit [Read error: Operation timed out]
06:15 -!- jeffl [coz@teledojo.com] has joined ##openvpn
06:22 -!- ParanoyaM [~kvirc@93-183-231-252-dynamic.retail.datagroup.ua] has quit [Quit: When two people dream the same dream, it ceases to be an illusion. KVIrc 3.4.3 Shiny(svn-3438) http://www.kvirc.net]
06:26 -!- le0_ [~tehle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Ping timeout: 256 seconds]
06:37 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
06:39 -!- Mtn_Bkng_Dave [~whome@216.70.180.208] has quit []
06:43 -!- Diffen2 [~diffen2@c-6874e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
06:45 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 256 seconds]
06:46 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
06:48 -!- dug` [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Ping timeout: 240 seconds]
06:50 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
06:51 -!- tjz [~tjz@unaffiliated/tjz] has joined ##openvpn
06:56 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 256 seconds]
07:04 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Quit: Leaving]
07:18 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
07:24 < mah_cfsi> Sorry to ask onche more, but i was torn away yesterday by en urgent phone call, thanks dazo for the answer.
07:24 < mah_cfsi> Hi,  am am looking for small hardware that willl run as VPN gateway, any knowledge of the requirements for the CPU size and type?
07:24 < dazo> mah_cfsi:  sure ... np!
07:25 < mah_cfsi> dazo: no it wil only have one connection, it will be the gateway for a small network out into the wild
07:25 < dazo> mah_cfsi:  then you won't need much power at all :)
07:26 < mah_cfsi> I am considering a small computer with an ARM processor
07:27 < ecrist> mah_cfsi: lost of folks do it with linksys routers and DD-WRT or similar
07:28 < mah_cfsi> it need to be din rail mountet so linksys is not an option sorry
07:30 < ecrist> as in, rack-mounted?
07:32 < mah_cfsi> i only found a test saying that the encryption is the bottle neck (no surprise)
07:33 < mah_cfsi> ecrist: no, din rail is used (at least in europe) to mount things like fuseboxes and other elektrikal equipmwent
07:33 < ecrist> ok
07:34 < mah_cfsi> I would be happy if i could fine some testing on encryption performance on different CPU's types and sizez, but it does'nt seem to exist
07:35 < ecrist> mah_cfsi: google sheevaplug
07:35 -!- le0_ [~tehle0@cpc1-bele7-2-0-cust44.2-1.cable.virginmedia.com] has joined ##openvpn
07:35 < ecrist> http://www.cyrius.com/debian/kirkwood/sheevaplug/gallery.html
07:35 < vpnHelper> Title: SheevaPlug image gallery (at www.cyrius.com)
07:36 < havoc> bah!
07:37 < havoc> I have 3 server confs, all the same except for the proto:port, but only one dies on startup: "CRL: cannot read: crl.pem: No such file or directory (errno=2)"
07:37 < mah_cfsi> http://en.wikipedia.org/wiki/DIN_rail
07:37 < vpnHelper> Title: DIN rail - Wikipedia, the free encyclopedia (at en.wikipedia.org)
07:38 < ecrist> havoc: mah_cfsi see the sheevaplug link above
07:38 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 256 seconds]
07:38 < mah_cfsi> ecrist: sorry forgot to mention that must have 2 eth ports
07:39 < ecrist> why?
07:39 -!- _le0 [~tehle0@cpc1-bele7-2-0-cust44.2-1.cable.virginmedia.com] has joined ##openvpn
07:40 < cron2> mah_cfsi: wait for the GuruPlug (shipping in April) or get an OpenRD client
07:40 < mah_cfsi> It must work as a simple firewall at the same time, devices on the inner network may only have access to the outside world through the VPN gateway
07:41 -!- le0_ [~tehle0@cpc1-bele7-2-0-cust44.2-1.cable.virginmedia.com] has quit [Ping timeout: 272 seconds]
07:41 < havoc> ok, was a perms issue, nm
07:41 < cron2> GuruPlug is "SheevaPlug with black case, 2x USB and 1-2x GigE"
07:41 < ecrist> http://www.globalscaletechnologies.com/t-guruplugdetails.aspx#physical
07:41 < vpnHelper> Title: GuruPlug Server (at www.globalscaletechnologies.com)
07:41 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
07:41 < cron2> yes
07:41 < ecrist> see GuruPlug Server Plus
07:42 < ecrist> 1.2GHz ARM processor
07:43 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
07:43 -!- ScriptFanix [vincent@2a01:240:fe35:0:21a:70ff:fea3:44ab] has quit [Ping timeout: 256 seconds]
07:44 < tjz> anyone using mirc program like me here?
07:45 -!- Diffen2 [~diffen2@mail.feab.se] has joined ##openvpn
07:45 < ecrist> irssi+screen here.
07:46 < tjz> hmm
07:46 < tjz> i mean smell linux
07:46 < tjz> :D
07:46 < ecrist> what?
07:46 < cron2> irssi+screen here as well :) - no Leegnux here, NetBSD
07:47 < tjz> netbsd , is it netbook version of freebsd?
07:47 < ecrist> FreeBSD is right for me!
07:47 < cron2> NetBSD for teh rulz
07:47 < tjz> hmm
07:47 < tjz> i never used * BSD b4
07:47 < tjz> :(
07:48 < cron2> tjz: NetBSD is the "runs on every piece of hardware ever built" fork of *BSD (except that it doesn't :( - no NetBSD on the Sheevaplugs)
07:49 < tjz> cool
07:49 < tjz> i have been with redhat ..and then centos
07:49 < ecrist> cron2: I'm surprised.  I've gotten a coca-cola to run netbsd before. ;)
07:50 < tjz> now.. is more of ubuntu & debian
07:50 < ecrist> cron2: apparently FreeBSD/ARM will run on sheevaplug
07:50 < cron2> ecrist: NetBSD massively suffers by "lack of active developers" for most of the non-i386/amd64 platforms
07:50 < tjz> is it possible to get irssi to 'highlight' when someone mention my nick?
07:51 < ecrist> yes
07:51 < ecrist>  /hilight command
07:51 < ecrist> irssi is probably the *best* client out there
07:52 < ecrist> it could be considered the standard.
07:53 < mah_cfsi> ecrist: well it dosn't have din rail mount, but sure looks interesting to the price.
07:54 < mah_cfsi> cron2: well it dosn't have din rail mount, but sure looks interesting to the price.
07:54  * mah_cfsi adjusting spelling plate
07:54 < ecrist> mah_cfsi: odds are, you're not going to find *exactly* what you need - you may  need to modify it.
07:56 < mah_cfsi> I know, nut have to try, it will be for a comercial product in small numbers so, the less i have to modify the better (cheaper)
07:57 < ecrist> the computer I told you, and a blank din mounting plate.  simple enough.
07:57 < ecrist> regardless, this is OT
07:58 < ecrist> https://www.winford.com/products/dinm01.php
07:58 < vpnHelper> Title: DIN Rail Mounting Clips (DINM01) - Winford Engineering (at www.winford.com)
07:59 < mah_cfsi> meybe i find an deriviate of the shevaplug, it would be a "nice to have" if I could supply  with 12V
08:02 < cron2> mah_cfsi: well, the sheevaplug and guruplug are just "proof of concept" hardware to demonstrate the coolness of the Marvell Chip inside.  So you could build your own... :-)
08:02 < mah_cfsi> ecrist, cron2: i humble thanks for our time, you gave me needed inspiration. now the clock is 1500 (3pm) here, so I think I will call it a workday. And leave for the weekend
08:03 < cron2> mah_cfsi: well, it's 3pm here as well, but "weekend" starts at 7pm or so today...
08:03 < cron2> more work that needs to be done
08:03 < mah_cfsi> cron2: the exspected production  number can't pay a special design.
08:04  * mah_cfsi says bye
08:04 < ecrist> bye
08:04 -!- mah_cfsi is now known as mah_cfsi_AFK
08:06 -!- hyphenex [~Adium@115-64-56-198.static.tpgi.com.au] has joined ##openvpn
08:07 < hyphenex> G'Day, on a billion router, if I wanted to add a static route through to my VPN, what would the 'cost' be?
08:07 < ecrist> http://www.dpie.com/industrialpc/rd103.html
08:07 < vpnHelper> Title: RD103 - Rugged Intel ® Pentium ® M DIN Rail / Wall Mount PC (at www.dpie.com)
08:10 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: Stops working when I reboot Server 2008 :: Reply by moored99 <http://www.ovpnforum.com/viewtopic.php?f=4&t=2800&p=3416#p3416>
08:11 -!- Nrg_ [pk@reaktio.net] has quit [Ping timeout: 240 seconds]
08:12 < ecrist> http://www.advantech.com/products/UNO-1019/mod_1-2MLJ3W.aspx
08:12 < vpnHelper> Title: Marvell® Xscale Uno With 2 X Lan, 4 X Com, 4 X Di/O - UNO-1019 - Advantech (at www.advantech.com)
08:17 < dazo> mah_cfsi_AFK:  how would this one fit into your need?  http://www.soekris.com/net5501.htm
08:17 < vpnHelper> Title: Soekris Engineering > net5501 (at www.soekris.com)
08:18 < dazo> (if using FreeBSD, you can even get a VPN accelerator to it ... http://www.soekris.com/vpn1401.htm)
08:18 < vpnHelper> Title: Soekris Engineering > vpn14x1 (at www.soekris.com)
08:18 < ecrist> dazo: it's not din-mountable
08:19 < tjz> ecrist, why do you use irssi with screen..
08:19 < ecrist> tjz: because it's CLI, and it allows me to stay connected all the time, and I can reconnect to the session at will
08:20 < dazo> ecrist:  not as a standard ... but I thought it should be possible to find a casing which fits into a DIN rail which also got the proper size for that mainboard .... it's not that big
08:21 < ecrist> dazo: the user has lots of conditions, and couldn't be appeased.
08:22 < dazo> true ... just thinking out loud :)
08:22 < ecrist> *I* am more realistic, and would tend to agree with you.  S/He has little or no budget, no time to modify, and had a strict set of requirements, that increased/changed the more information I gave the person.
08:27 -!- PwrSurge [~nrg@206-248-139-212.dsl.teksavvy.com] has quit [Ping timeout: 260 seconds]
08:27 -!- PwrSurge [~nrg@206-248-139-212.dsl.teksavvy.com] has joined ##openvpn
08:29 < tjz> ecrist, ok
08:29 < tjz> :D
08:29 < ecrist> tjz: http://www.secure-computing.net/wiki/index.php/Quick_Notes#IRSSI
08:29 < vpnHelper> Title: Quick Notes - Secure Computing Wiki (at www.secure-computing.net)
08:32 -!- PwrSurge [~nrg@206-248-139-212.dsl.teksavvy.com] has quit [Ping timeout: 240 seconds]
08:32 < tjz> lol@ at the movie
08:32 < tjz> hehehehe
08:32 < hyphenex> hmm, I can seem to ping one way, but not the other
08:32 < hyphenex> across my bridge
08:44 -!- le0_ [~tehle0@cpc1-bele7-2-0-cust44.2-1.cable.virginmedia.com] has joined ##openvpn
08:44 -!- PwrSurge [~nrg@206-248-139-212.dsl.teksavvy.com] has joined ##openvpn
08:45 -!- _le0 [~tehle0@cpc1-bele7-2-0-cust44.2-1.cable.virginmedia.com] has quit [Ping timeout: 272 seconds]
08:49 -!- PwrSurge [~nrg@206-248-139-212.dsl.teksavvy.com] has quit [Ping timeout: 240 seconds]
08:51 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Remote host closed the connection]
08:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:04 -!- ScriptFanix [vincent@Tuluk.riquer.fr] has joined ##openvpn
09:05 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 240 seconds]
09:06 -!- hyphenex [~Adium@115-64-56-198.static.tpgi.com.au] has quit [Quit: Leaving.]
09:17 -!- tjz [~tjz@unaffiliated/tjz] has quit [Quit: bbl. See you guys later.]
09:22 < havoc> !redirect-gateway
09:22 < vpnHelper> havoc: Error: "redirect-gateway" is not a valid command.
09:22 < havoc> bah
09:23 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
09:23 < havoc> what would be a good way to test redir-gw functionality?
09:25 < rob0> um, I would just check my routing table :)
09:26 < rob0> but there's whatismyip.com IIRC
09:26 < havoc> duh, thanks :)
09:27 -!- kyrix [~ashley@41.251.67.204] has joined ##openvpn
09:29 < havoc> bah, not working
09:30 < havoc> *but*, I'm using a sprintpcs data card to test from, which forcibly uses a metric of 1
09:30 < havoc> I can't figure out how to change that
09:34 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
09:36 < cron2> havoc: redirect-gateway def1
09:37 < cron2> (it will just install two /1-Routes, overriding the default without actually changing it)
09:37 < havoc> cron2: see above
09:38 < havoc> it's not working because I'm using a winxp PPP adapter, which uses a metric of 1
09:38 < havoc> and I apparently cannot change that :(
09:39 < havoc> it sucks
09:39 -!- poningru [~poningru@dsl093-236-026.hfd1.dsl.speakeasy.net] has quit [Ping timeout: 276 seconds]
09:44 < rob0> I doubt that would matter, but oh well, it's a Windows problem anyway. :)
09:45 < cron2> havoc: the point is: you don't need to change the metric if you install a route with a different prefix - instead of 0.0.0.0/0, you install 0.0.0.0/1 and 128.0.0.0/1, which are two completely independent routes
09:45 < cron2> ... that just happen to cover the same address space...
09:46 -!- donavan [~donavan@unaffiliated/donavan] has left ##openvpn ["Leaving"]
09:47 < havoc> cron2: yeah well those aren't being added either for some reason
09:48 < havoc> and I'm using redirect-gateway def1
09:51 < havoc> ha
09:51 < havoc> NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
09:51 < rob0> Funny thing, how helpful those logs can be!
09:52 < havoc> yeah, it's not like I don't read them, I just hadn't gotten to this one yet
09:56 < havoc> of course now it doesn't work
09:56 < havoc> but now I suspecting routing/masq issues on server
09:56 < havoc> s/suspecting/suspect/
10:00 -!- Blues-Man [~bluesman@host73-117-dynamic.56-79-r.retail.telecomitalia.it] has joined ##openvpn
10:01 -!- le0_ [~tehle0@cpc1-bele7-2-0-cust44.2-1.cable.virginmedia.com] has quit [Ping timeout: 272 seconds]
10:01 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
10:02 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
10:02 < havoc> WOOHOO!
10:03 < Blues-Man> hi all
10:03 < havoc> yeah, forgot a masqurading rule for that vpn segment
10:03 < havoc> was not necessary for other vpn segment as those lcients used their own local net route
10:05 -!- ScriptFanix [vincent@Tuluk.riquer.fr] has quit [Ping timeout: 256 seconds]
10:09 -!- ScriptFanix [vincent@Tuluk.riquer.fr] has joined ##openvpn
10:09 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
10:12 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
10:12 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Quit: Leaving]
10:16 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
10:21 -!- kyrix [~ashley@41.251.67.204] has quit [Read error: Operation timed out]
10:32 -!- ScriptFanix [vincent@Tuluk.riquer.fr] has quit [Ping timeout: 256 seconds]
10:33 -!- graffz [~graffz@112.198.153.126] has joined ##openvpn
10:35 -!- ScriptFanix [vincent@Tuluk.riquer.fr] has joined ##openvpn
10:36 < havoc> now to figure out the startup options for multiple VPNs on windows
10:37 -!- kyrix [~ashley@41.251.23.198] has joined ##openvpn
10:42 -!- lkeijser [~leon@i231127.upc-i.chello.nl] has joined ##openvpn
10:43 < lkeijser> i'm having troubles with crl-verify ... i've created a CRL and checked with the openssl cmdline tools that the serial matches the client's serial. Yet the client is still able to connect.
10:44 < ecrist> !logs
10:44 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
10:44 < ecrist> !configs
10:44 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
10:45 < lkeijser> i take it that you want to see my logfiles? :)
10:51 < lkeijser> brb then
11:01 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
11:02 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:05 -!- Morgan_Phoenix [~macbabe@CPE-24-166-141-95.new.res.rr.com] has quit [Ping timeout: 246 seconds]
11:07 -!- Schiz0 [~Schiz0@unaffiliated/schiz0] has joined ##openvpn
11:08 < Schiz0> !welcome
11:08 < vpnHelper> Schiz0: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:16 < Schiz0> !goal
11:16 < vpnHelper> Schiz0: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:18 -!- le0_ [~tehle0@cpc4-bele7-2-0-cust381.know.cable.virginmedia.com] has joined ##openvpn
11:18 < havoc> lkeijser: look int the logs specifically for the crl file being unreadable for some reason
11:18 < havoc> lkeijser: that would allow a revoked client to still connect, if the server cannot read the crl.pem
11:22 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 272 seconds]
11:22 < havoc> aside from putting "C:\Program Files\OpenVPN\bin\openvpn.exe" --pause-exit --config "<path to config>" in a bat file, is there any way to start only 2 of 3 available configs?
11:22 < havoc> on Windows XP
11:23 < Schiz0> I'm trying to setup a secure connection between my server (unix) and a couple of clients (windows). I have openvpn configured and running on the server, with certificates/keys all generated and gievn to the clients. I'm trying to connect using the openvpn.se package on windows and it connects ok, but I can't access anything on the server. Here's the client log: http://pastebin.ca/1802820
11:23 < havoc> Schiz0: the main openvpn install .exe for windows includes OpenVPN-GUI now
11:23 < Schiz0> When I try to connect from the windows box to the web server running on the server on the VPN ip, it just times out.
11:23 < Schiz0> Oh, does it? Ok.
11:23 < Schiz0> I acn use that then
11:24 < havoc> yes
11:24 < lkeijser> havoc: i'm getting a  CRL CHECK OK msg in the logfile, so it looks like the crl file is being parsed
11:24 < havoc> also, are you trying to connect on TCP port 443?
11:24 < Schiz0> no, the httpd is on port 80
11:24 < havoc> lkeijser: ok, that was my one idea, sorry :(
11:24 < lkeijser> havoc: thanks anyway :)
11:25 < havoc> Schiz0: do you have ip_forwarding and appropriate routes setup on the server?
11:25 < havoc> lkeijser: I'd scrutinize logs on both ends, and pastebin them if you want further help here
11:25 < havoc> not much else can be done w/o the logs :(
11:25 < lkeijser> havoc: ok i'll do that right now then
11:26 < Schiz0> All I did on the server was configure openvpn, setup the httpd to listen on the 10.x.x.x IP, then open a hole in the firewall. I would imagine the rc.d scripts would setup the proper routes...how can I check?
11:26 < havoc> route -n on linux
11:26 < lkeijser> i'll do so first with verb 3, because other clients are connecting to it now and the log becomes too big to be any good. If more debug is reqiured, i'll do so with more verbosity
11:27 < havoc> Schiz0: also: cat /proc/sys/net/ipv4/ip_forward
11:27 < Schiz0> it's bsd
11:27 < havoc> that'll tell you if ip forwarding is enabled or not
11:27 < havoc> ah
11:27 < havoc> lkeijser: I use verb 3 too, I don't increase verbosity unless I can't figure it out at 3
11:31 < lkeijser> havoc: server config and log @  http://pastebin.com/d4734d594
11:32 < lkeijser> i'll also post the output of openssl crl -in crl.pem -noout -text  , and the equivalent for the client cert
11:33 < havoc> odd, tcp:1194
11:34 < havoc> but yeah, I see the CRL CHECK OK
11:35 < havoc> lkeijser: was there a specific reason for using TCP, or just random choice?
11:35 < havoc> I'm just curious
11:35 < havoc> I only use tcp for 443 w/ redirect-gateway
11:36 < lkeijser> havoc: random choice
11:36 < lkeijser> client crt and server crl output :   http://pastebin.com/d501a22da
11:37 < lkeijser> argh
11:37 < lkeijser> wrong client 
11:37 < havoc> heh
11:39 < lkeijser> lol ... i revoked the wrong serial
11:39 < lkeijser> 60 instead of 61
11:40 < lkeijser> yeah it's working now ... i'm an idiot :P
11:42 < lkeijser> havoc: the port is going to be changed later to 443, so clients behind a tricksy firewall/proxy can still connect
11:42 < havoc> heh, like I said, *scritinize* the logs ;)
11:42 < havoc> lkeijser: yeah, my servers all listen on both udp:1194 and tcp:443
11:42 < havoc> so the clients have the choice of which to use
11:43 < havoc> and I use --port-share on the tcp:443 ones so I can still have https sunning on the same machine
11:43 < havoc> it's pretty slick
11:44 < havoc> just config apache ssl to only listen on localhost:443, then port0share localhost 443
11:44 < havoc> port-share
11:44 < lkeijser> port-share, didn't know that
11:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
11:44 -!- Schiz0 [~Schiz0@unaffiliated/schiz0] has quit [Quit: :wq]
11:44 < havoc> it's nifty :)
11:45 < lkeijser> that's really nice, because the customer was kind of reluctant to give me a second public ip :)
11:45 < havoc> especially since tcp:443 is one of the few ports a locked down env will have open
11:45 < lkeijser> exactly
11:45 < havoc> lot of hotels only have tcp:80 and tcp:443 open
11:46 < havoc> and ssl vpn traffic would never be noticed on an ssl port anyway, even if someone was looking :)
11:46 < lkeijser> true :)
11:46 < lkeijser> well, thank's for the tip
11:47 < havoc> np
11:47 < lkeijser> s/thank's/thanks/
11:47 < havoc> but I always setup two
11:47 < havoc> I don't like redirecting everything unless absolutely necessary
11:47 < havoc> it breaks all kinds of stuff
11:48 < lkeijser> yeah, this machine only serves two purposes; https and openvpn, i don't mind that much that this is not a default setup 
11:48 < havoc> better to issue two configs to everyone
11:49 -!- agagag [~anton@royalrabbit.goto10.org] has joined ##openvpn
11:53 < lkeijser> well, one of the configs is going to be generated automatically, so i'll just give the 'dual' config to people who know what they're doing
11:54 < lkeijser> does this create some (noticable) overhead?
11:54 < havoc> does what?
11:55 < lkeijser> sorry, the port share
11:55 < havoc> not that I'm aware of
11:55 < havoc> I'm sure there's *some*, but I wouldn't worry about it
11:55 < rob0> Ha, I saw that name and thought you might be JJK :)
11:56 < havoc> redir-gw will be way more
11:57 < lkeijser> ok
12:01 < lkeijser> hm, the port-share doesn't seem to work. I guess it's because the server doesn't have a public ip. The firewall forwards traffic to it, so i can't have apache listen on localhost:443
12:03 < havoc> then how are you going to have openvpn listen on 443?
12:03 < havoc> are the vpn and www servers different machines?
12:03 < lkeijser> no both on the same
12:04 < havoc> it should still work then
12:04 < havoc> ...if ovpn is actively listening on 443
12:04 < lkeijser> ok let me then configure apache to listen on it's lan ip , port 443 only,  and port-share openvpn to that ip:port
12:05 < lkeijser> should i then still add the 'port 443' line to the vpn conf? (and does it matter which position?)
12:05 < havoc> e.g. ovpn will be accepting *all* connections to tcp:443, and proxy non-vpn ones to wherever is specified in port-share
12:05 < lkeijser> aah
12:05 < havoc> get it? :)
12:05 < lkeijser> okay now i get it
12:05 < lkeijser> lol
12:05 < havoc> :)
12:12 < lkeijser> i can't seem to get openvpn listen on port 443 if i configure port-share ..
12:15 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Operation timed out]
12:15 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
12:17 < havoc> lkeijser: read logs :)
12:17 -!- Blues-Man [~bluesman@host73-117-dynamic.56-79-r.retail.telecomitalia.it] has quit [Quit: Sto andando via]
12:18 < lkeijser> havoc: yeah, sorry ... too eager to get it working :)
12:23 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
12:26 -!- kyrix [~ashley@41.251.23.198] has quit [Quit: Leaving]
12:29 < lkeijser> havoc: cool, port-share is working now , thanks :)
12:31 < havoc> nice :)
12:32 < lkeijser> okay, enough stuff to play with for now 
12:32 < lkeijser> see you later
12:32 -!- lkeijser [~leon@i231127.upc-i.chello.nl] has quit [Quit: Leaving]
12:44 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
12:47 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
13:26 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
13:58 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Remote host closed the connection]
14:00 -!- sjr [~sjr@office.superuholdings.com] has quit [Ping timeout: 246 seconds]
14:05 -!- sjr [~sjr@office.superuholdings.com] has joined ##openvpn
14:08 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
14:11 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
14:13 -!- NickWebHA [~nick@2002:ad38:149d:0:a4c7:33ff:fee9:f688] has joined ##openvpn
14:20 -!- exterm223 [~dustin@c-76-18-161-10.hsd1.tn.comcast.net] has joined ##openvpn
14:20 < exterm223> !welcome
14:20 < vpnHelper> exterm223: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:20 < exterm223> exit
14:22 -!- exterm223 [~dustin@c-76-18-161-10.hsd1.tn.comcast.net] has left ##openvpn []
14:22 -!- exterm223 [~dustin@c-76-18-161-10.hsd1.tn.comcast.net] has joined ##openvpn
14:26 < exterm223> Anyone here familar with openvpn-auth-pam?  I am using it for radius authentication for about 470 clients and am starting to notice significant latency over tunnels when a client's authentication fails.  I'm unable to find any good information on a similar issue via google and mailing list archives.
14:33 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
14:33 -!- rossand [~aross@CPE000c413a19a3-CM00159a025ad4.cpe.net.cable.rogers.com] has joined ##openvpn
14:34 < tw> Typically, pam introduces a delay when authentication fails so you can't spam passwords.  Check out if you can turn off the auth delay in pam for openvpn specifically.
14:34 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
14:35 < exterm223> Thanks for the tip I'll try that
14:37 < dazo> exterm223:  beware that openvpn is single threaded ... so if one client causes a problem, that will affect all other clients ... all clients are going through a round-robin styled scheduling ... 
14:38 < dazo> exterm223:  if you have a multi-core box where openvpn is running, I'd recommend firing up more openvpn processes and doing some kind of simple load balancing in client configs (multiple --remote lines to same IP with differnt port f.ex ... and --remote-random)
14:38 < exterm223> Yeah, I was reading about the single threading since 2+ causes latency spikes etc with tls negotians sometimes
14:39 < exterm223> I imagine this is similar
14:39 < dazo> exterm223:  then I would try to pin each openvpn process to a separate CPU core ... that could also improve overall performance
14:39  * dazo heads out to pick up wife
14:40 -!- dazo is now known as dazo_afk
14:46 -!- NickWebHA [~nick@2002:ad38:149d:0:a4c7:33ff:fee9:f688] has quit [Quit: Leaving.]
14:53 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 252 seconds]
15:07 < rossand> Noob question. I am setting up openvpn following some examples online. I see the following error in syslog: http://www.pastebin.com/m2d547366  iptables is allowing port 1194. Looking for any suggestions about how to debug more thoroughly. Thank you kindly.
15:18 < cron2> "connection refused" typically means "on the specified port (TCP or UDP?) on the server, nothing is listening"
15:19 < rob0> If you're using UDP, allowing tcp/1194 is useless.
15:20 < rob0> (And you should be using UDP.)
15:21 < rossand> cron2: I see logs on client & server. The logs I posted were server side.
15:22 < rossand> rob0: I am allowing udp 1194. Double checked to be certain.
15:22 < cron2> rossand: which hints at "some device in the path is refusing the packets server->client"
15:22 < tw> Unrelated question, can you use UDP through NAT (client is behind NAT) with no ability to modify port forwards?
15:22 < cron2> tw: unless the NAT device is stupider than usual, you can
15:22 < rossand> cron2: yes, that's where I'm scratching my head. I can shut down iptables all together thus accepting everything and it behaves the same.
15:22 < cron2> (as long as there is activity)
15:23 < cron2> rossand: routers or firewalls on the way?
15:23 < cron2> rossand: iptables on the *client*?
15:23 < rossand> cron2: yes, a wrt54g, which is set to forward port 1194 tcp and udp
15:23 < rob0> There are some stupid routers that have problems with UDP, so I hear.
15:23 < rossand> cron2:  I've got so far as to shut down iptables on both client and server.
15:23 < rob0> ah, port forwarding, the thought plickents!
15:23 < cron2> rossand: the client side port will usually not be 1194
15:24 < rossand> cron2: yeah. some unregistered port I imagine. To control for that, I shut 'er down to let anything go.
15:24 < cron2> rossand: but will the WRT let that through?  If it does NAT, it *should*
15:25 < rossand> cron2: yes, it's doing NAT for all web traffic on my network. As well, forwarding ssh, web, etc. successfully.
15:25 < rossand> It's set to forward 1194 tcp and udp to the box running the openvpn server.
15:25 < cron2> ah, the server is behind the NAT device (*shudder*)
15:26 < cron2> try running tcpdump on the client and server to see which packets are sent and received and which packets "sent on side A" are not "received on side B" and vice versa
15:26 < cron2> (tcpdump -n 'udp port 1194')
15:26 < rossand> cron2: that's a great suggestion. thank you.
15:37 -!- exterm223 [~dustin@c-76-18-161-10.hsd1.tn.comcast.net] has left ##openvpn []
15:52 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
16:07 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
16:10 -!- freaky[t] [alpha@freakyy.de] has quit [Ping timeout: 272 seconds]
16:13 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
16:37 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
16:40 < upb> yes
16:41 < |Mike|> upb: 
16:41 < |Mike|> joo are a wankerrrrrrr
16:42 < upb> wut :P
16:43 < upb> d i know u ?:P
16:43 < |Mike|> Yes you do.
16:44 < |Mike|> preteam ftw ? lawl.
16:44 -!- BoomSie [~gideon@84-245-27-118.dsl.cambrium.nl] has joined ##openvpn
16:44 < upb> don't think so heh
16:44 < |Mike|> upb: attach your other client :)
16:50 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
17:24 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
17:24 -!- mode/##openvpn [+o openvpn2009] by ChanServ
17:24 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
17:24 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
17:25 -!- le0_ [~tehle0@cpc4-bele7-2-0-cust381.know.cable.virginmedia.com] has quit [Ping timeout: 272 seconds]
17:27 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
17:39 -!- Diffen2 [~diffen2@mail.feab.se] has quit [Quit: Leaving]
18:16 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
18:17 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
18:51 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 252 seconds]
18:57 -!- BoomSie [~gideon@84-245-27-118.dsl.cambrium.nl] has quit [Quit: Ex-Chat]
19:03 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
19:22 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
19:31 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
19:52 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
19:56 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
20:05 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
20:05 -!- Dougy [~me@ool-435033e6.dyn.optonline.net] has joined ##openvpn
20:05 < Dougy> anyone here drive a VW jetta?
20:06 -!- tjz [~pc@bb116-15-75-224.singnet.com.sg] has joined ##openvpn
20:06 -!- tjz [~pc@bb116-15-75-224.singnet.com.sg] has quit [Changing host]
20:06 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:11 < tjz> hmm
20:11 < tjz> anyone used powerDNS?
20:17 < rob0> I had a VW Golf, basically the same thing as a Jetta, a long time ago.
20:18 < rob0> (hatchback form factor)
20:48 -!- enyoet [~enyoet@188.72.203.23] has joined ##openvpn
20:55 -!- enyoet [~enyoet@188.72.203.23] has quit []
20:55 -!- enyoet [~enyoet@188.72.203.23] has joined ##openvpn
21:00 < Dougy> tjz
21:00 < Dougy> i love powerdns
21:00 < Dougy> rob0: i am noticing something weird with the jettas i been driving
21:00 < Dougy> older ones
21:00 < Dougy> read: http://www.vwforum.com/forums/f15/2000-02-jetta-questions-40627/
21:00 < vpnHelper> Title: 2000-02 Jetta questions - VW Forum :: Volkswagen Forum (at www.vwforum.com)
21:03 -!- enyoet [~enyoet@188.72.203.23] has quit [Ping timeout: 276 seconds]
21:25 < rob0> Interesting. Mine was an automatic (fast little bugger, tho!)
21:28 < Dougy> I want to learn to rdrive stick
21:28 < Dougy> goddamnit
21:28 < Dougy> soon as i go to bed
21:28 < Dougy> kayako goes off
21:30 < rob0> I'm old enough that I no longer give a hoot about that. :) I had sporty cars in my 20's. Now I like having one less thing to think about while driving.
21:31 < Dougy> I dont even really have the desire to go  fast
21:31 < Dougy> but i am tired of loud music especially while driving my parents mini vans
21:31 < Dougy> and i get bored while on a car ride
21:31 < Dougy> stick gives me something todo
21:48 -!- Dougy [~me@ool-435033e6.dyn.optonline.net] has quit []
21:52 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
21:53 -!- rossand [~aross@CPE000c413a19a3-CM00159a025ad4.cpe.net.cable.rogers.com] has left ##openvpn []
--- Day changed Sat Feb 20 2010
00:31 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
00:34 -!- c0mmunist [~c0mmunist@212.117.162.194] has joined ##openvpn
00:34 < c0mmunist> I would just like to know if I am downloading torrents through an OpenVPN VPN provider with its own IP address, is my router taking the abuse of multiple connections or is it theirs?
00:36 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
00:56 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:04 -!- graffz [~graffz@112.198.153.126] has quit [Ping timeout: 260 seconds]
01:46 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
02:11 -!- kiuma [~kiuma@85-18-55-37.ip.fastwebnet.it] has joined ##openvpn
02:11 < kiuma> hello
02:20 < kiuma> I've a problem with setting up openvpn, I've two eth : eth0 1s 192.168.100.1 qnd eth1 is a public ip, I've setup openvpn server with "server 192.168.100.0 255.255.255.0" but I can't then perform ssh from my intenal network and I cannot navigate on internet too. Could you help me please?
02:38 -!- c0mmunist [~c0mmunist@212.117.162.194] has quit [Quit: Leaving]
02:53 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
02:55 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
03:02 -!- kiuma [~kiuma@85-18-55-37.ip.fastwebnet.it] has quit [Quit: Leaving]
03:08 -!- master_of_master [~master_of@p57B54950.dip.t-dialin.net] has quit [Ping timeout: 256 seconds]
03:10 -!- master_of_master [~master_of@p57B57F79.dip.t-dialin.net] has joined ##openvpn
03:15 -!- c0mmunist [~c0mmunist@212.117.165.197] has joined ##openvpn
03:18 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
03:21 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
03:31 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
03:31 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
03:33 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
03:39 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
03:41 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
03:43 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
03:45 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
03:47 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
04:01 -!- correcaminos [~laguilar@201.201.46.106] has joined ##openvpn
04:04 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
04:09 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
04:10 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
04:19 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
04:21 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
04:24 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 272 seconds]
04:25 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
04:26 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
04:41 -!- correcaminos [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
04:42 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
04:51 -!- latz [~latz@5546.virtual.yourshelter.net] has quit [Remote host closed the connection]
05:06 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
05:15 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
05:18 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 272 seconds]
05:26 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
06:22 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:57 -!- julius [~julius@217.20.127.15] has quit [Disconnected by services]
07:24 -!- stony [~ol@p5B1569EA.dip.t-dialin.net] has joined ##openvpn
07:24 < stony> hi
07:24 < stony> i know this is an odd question: can i create a vpn tunnel without encryption ?
07:29 < _trine> stony: only if you could fly an airplane without air
07:29 < stony> _trine: that's possible (nasa, shuttle) ;)
07:30 < stony> i thought about a "null-cipher" or something
07:30 < stony> e.g. https without encryption but valid certs is also possible
07:33 < havoc> !goal
07:33 < vpnHelper> havoc: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:34 < stony> havoc: i would like to tunnel already encrypted vpn connections and only need the tun/tap devices as clear endpoints for brouting/firewalling
07:34 < havoc> eh, less work to just use weak encryption then
07:35 < havoc> use strong auth, but weak crypto
07:35 < stony> hmm i was hoping for strong auth/no crypto - but ok
07:35 < stony> thx :)
07:46 < havoc> there's a way to change ciphers in ovpn
07:46 < havoc> maybe one is a null?
07:50 < havoc> or weak enough to be close to null
07:58 -!- kiuma [~kiuma@93-36-8-254.ip57.fastwebnet.it] has joined ##openvpn
07:58 < kiuma> hello
08:00 < kiuma> on the server I've eth0 on 192.168.100.1 eth1 on public ip, and tun0 for vpn on ip 192.168.2.1 , why from client I cannot ssh on 192.168.100.1 but only on the tun0 one ?
08:07 < rob0> !route
08:07 < vpnHelper> rob0: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:12 < kiuma> rob0, I tried but without lick
08:12 < kiuma> lol * luck
08:12 < stony> kiuma: try to add a route to 192.168.100.1 on the tap device on the client
08:12 < stony> ip route add 192.168.100.1 via 192.168.2.1
08:13 < kiuma> ok I try
08:23 < stony> ah latest 2.6.32 on debian sid segfaults ... and i'm the lucky one who found out ...
08:24 -!- c0mmunist [~c0mmunist@212.117.165.197] has quit [Ping timeout: 245 seconds]
08:29 -!- daemon [~paul@2a01:348:1f9:feed:dddc:6125:d304:46f7] has joined ##openvpn
08:29 < daemon> hey all one of my clients keets getting the following error: Sat Feb 20 08:24:16 2010 TLS Error: Unroutable control packet received from [AF_INET]95.154.246.179:1194 (si=3 op=P_CONTROL_V1)
08:29 < daemon> on google it said to sychronize times which I have done
08:29 < daemon> neither server not client is out by over a second
08:30 < daemon> both these machines are however in different timezones (around 8 hours different)
08:30 < daemon> is there anything I can do to get around the problem
08:33 < stony> daemon: this mostly comes from wrong cert/key pairs
08:33 < stony> daemon: check if your cert and key match
08:34 < daemon> story, yeah I just spied that on a later result from google there is only three clients so im going to quickly read the docs and generate them all again
08:34 < stony> daemon: it's also possible you have compression enabled on one site and not on the other
08:34 < stony> daemon: you can check the certs and keys md5 sums
08:34 < daemon> stony, nah, there is one client that does work so I litrally copied that config as the 'default''
08:34 < stony> daemon: if they don't match, they're wrong
08:34 < daemon> got it
08:35 < stony> daemon: openssl x509 -in cert.crt -noout -modulus | md5
08:36 < stony> and openssl rsa -in key.pem -noout -modulus | md5
08:36 < stony> if they don't match, wrond cert/key pair
08:36 < daemon> stony, ah thank you :) now time to see what I got wrong
08:47 < stony>  
08:54 < kiuma> stony, sorry for late in response (doctor is visiting my daughter). I've tried adding  route add 192.168.100.1 via 192.168.2.1 to client conf but it doesn't change
08:54 < kiuma> stony, ps. I've tun instead of tap does it matter ?
08:54 < |Mike|> !tunortap
08:54 < vpnHelper> |Mike|: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
08:54 < vpnHelper> |Mike|: against you over the vpn
08:54 < stony> kiuma: go to your daughter and stop fiddling around with your computer
08:54 < |Mike|> kiuma: ^
08:54 < rob0> Indeed, hope she's okay!
08:54 < kiuma> :)
08:55 < kiuma> she's ok
08:55 < kiuma> only season desease :)
08:57 < stony> kiuma: ok then - you have to route to the subnet you want to connect to - it doesn't matter in this case if tun or tap you need to set the route to 192.168.100.1 via your router on the vpn tunnel (e.g. 192.168.2.1 if i got it correct)
09:01 < stony> !lartvc
09:01 < vpnHelper> stony: Error: "lartvc" is not a valid command.
09:01 < stony> !lartc
09:01 < vpnHelper> stony: Error: "lartc" is not a valid command.
09:01 < stony> hmm
09:01 < stony> http://lartc.org/
09:01 < vpnHelper> Title: Linux advanced Routing & Traffic Control HOWTO (at lartc.org)
09:03 < daemon> stony, you was right the auth/crypto files where out
09:04  * stony got the crystal ball ;)
09:04 < daemon> stony, out of interest though, I have client-to-client in the server config but non of my clients can ping one another
09:04 < daemon> they can reach the server fine though
09:04 < stony> daemon: as long as your certs are wrong nothing will work
09:04 < daemon> stony, oh no, I know there wrong because I fixed them now everyone can connect ;)
09:04 < stony> daemon: and you should add the option that clients can talk one to another
09:05 < daemon> yep 'client-to-client'
09:05 < daemon> I unhashed it
09:05 < stony> i can't remember it now
09:05 < stony> this option also works in server mode 
09:05 < stony> just a sec
09:05 < rob0> daemon, ping the VPN IP addresses, not some other IP address.
09:05 < daemon> rob0, of course ;)
09:05 < daemon> my vpn server sits as 10.0.2.2, myself I am 10.0.2.3 and my friend over in the states is 10.0.2.4
09:05 < daemon> 10.0.2.3[or 4] can ping 10.0.2.2 but not each other
09:06 < rob0> of course ... ? This is a FAQ, most people asking have no concept of routing.
09:06 < rob0> !route
09:06 < vpnHelper> rob0: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:06 < daemon> rob0, I also made sure 10.0.2.0/24 was being pushed ;)
09:06 < daemon> or in case of my lan...
09:07 < daemon> route add 10.0.0.0/24 10.0.2.3 (my internlan)
09:07 < rob0> ah, there it is
09:07 < stony> daemon: you're right - it's client-to-client
09:07 < daemon> route add 10.0.2.2/24 10.0.2.3 (on my server at home so it knows there are other clients on the remote vpn link)
09:07 < rob0> the VPN is the same netblock as the LAN
09:08 < stony> this can work if you set explicit routes
09:08 < rob0> ...2/24 is not a valid CIDR expression
09:08 < daemon> rob0, 10.0.0.0/24 is my physical lan, 10.0.1.0/24 my printers sit on
09:08 < daemon> 10.0.2.0/24 is the vpn clients
09:08 < daemon>  /24 is equal to 255.255.255.0
09:08 < rob0> oh
09:08 < rob0> still, ...2/24 is not a valid CIDR expression
09:08 < stony> daemon: layer2 or 3 vpn?
09:09 < stony> rob0: isn't cidr ignoring everything that is matched by the 0-mask in the subnet ?
09:09 < daemon> stony, ok that one threw me, im using tap 
09:09 < stony> rob0: couldn't it be written as 10.1.0/24 10.1.0.55/24 oder 10.1.0.0/24 ?
09:09 < stony> daemon: ok, layer 2
09:09 < daemon> I take it layer 2 would be a hardware vpn adapter and 3 is software emulated?
09:09 < daemon> ah ok
09:09 < stony> daemon: is the link for 10.0.2.0/24 on the tap device and nowhere else ? (on both clients) ?
09:10 < rob0> stony, varies by implementation, but strictly speaking, /24 is only valid as ...0/24.
09:10 < daemon> stony, indeed
09:10 < daemon> stony, both clients also have the route for 10.0.0.0/24 as well I set the following:
09:11 < stony> rob0: as cidr only uses the net-part of the address afaik it doesn't matter if you put a whole host or just a network in front of - btw. what if you have 10.0.1.0/23 ? is that wrong or right ? ;)
09:11 < daemon> push "route 10.0.0.0 255.255.255.0"
09:11 < daemon> push "route 10.0.2.0 255.255.255.0"
09:11 < daemon> as well as of course client-to-client
09:11 < stony> daemon: what is the 10.0.0.0 doing there ?
09:11 < rob0> 1.0/23 is wrong, X.0/23 where X is even
09:11 < daemon> stony, I assumed I would have to push that to my friend in the states so he knows my lan machines are on 10.0.0.0 via 10.0.2.2 (the vpn host)
09:12 < stony> daemon: what you're doing is to put the 10.0.0.0 route on the interface of your friend not on a gateway (!)
09:12 < daemon> the vpn host its self knows 10.0.0.0/24 is via 10.0.2.3 (my gateway/router) here
09:12 < stony> daemon: so he looks for 10.0.0.0/24 hosts on it's interface with arp requests
09:12 < daemon> ah
09:12 < daemon> I best remove that then :)
09:12 < stony> daemon: if you're running proxyarp on all machines in the chain from your friend to your subnet this can work
09:13 < daemon> ok proxyarp I dont recall seeing anything about that in my configuration I better quickly take a peak at the docs
09:13 < rob0> If the VPN server pushes the VPN subnet, client-to-client enabled, one client should be able to ping another using VPN IP addresses. We're just stumbling aound with wild guesses.
09:13 < stony> daemon: if you can do it by routing you better do it this way
09:13 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Operation timed out]
09:13 < daemon> my current config: http://www.pastebin.com/d3bfda031
09:14 < rob0> !ipforward
09:14 < vpnHelper> rob0: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
09:14 < daemon> you are talking about net.inet.ip.forwarding
09:14 < daemon> and net.inet6.ip6.forwarding
09:14 < daemon> inet4 is enabled
09:14 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
09:16 < |Mike|> openvpn isn't compatible with ipv6 yet
09:16 < stony> daemon: cat /proc/sys/net/ipv4/ip_forward
09:17 < cron2> |Mike| the openvpn-testing tree is
09:17 < daemon> stony, I can do but im quite sure it will gail (freebsd host)
09:17 < daemon> fail*
09:17 < daemon> in freebsd the equivlent is:
09:17 < daemon> # sysctl net.inet.ip.forwarding
09:17 < daemon> net.inet.ip.forwarding: 1
09:17 < rob0> !fbsdipforward
09:17 < vpnHelper> rob0: "fbsdipforward" is is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
09:18 < daemon> rob0, that simply enables an rc script in /etc/rc.d that sets the sysctl I just passed ;)
09:18 < rob0> But it falls upon you to figure out why it's not working.
09:19 < stony> daemon: do a ping from client1 to vpn-address client 2
09:19 < stony> daemon: and monitor the tap interface if packets are going round
09:19 < stony> daemon: if you're running layer 2 you should see arp requests
09:19 < daemon> stony, gotcha
09:19 < stony> and check if the mac of client 2 appears in your arp-cache
09:19 < rob0> it's tun
09:19 < daemon> ? (10.0.2.4) at 56:89:7a:fd:ec:61 on tap0 [ethernet]
09:19 < stony> then check for icmp packets
09:19 < stony> i thought it's tun !?
09:19 < rob0> on yikes no it's tap
09:20 < rob0> Why bridging?
09:20 < stony> so if the mac address appears it seems that there is an filter on the other site
09:20 < rob0> No wonder
09:20 < daemon> when I originally investigated openvpn and explained my network layout I was informed tap would be the correct interface to use
09:20 < rob0> !bridging
09:20 < vpnHelper> rob0: Error: "bridging" is not a valid command.
09:20 < daemon> was that incorrect?
09:20 < rob0> of course it was incorrect
09:21 < stony> daemon: only question for you is "is it the right tool for me"
09:21 < rob0> !bridge
09:21 < vpnHelper> rob0: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for anything where the protocol uses MAC addresses instead of IP addresses.
09:21 < vpnHelper> rob0: (but not samba, see !wins)
09:21 < daemon> thats probably why. Samba runs across these links also
09:21 < stony> i'm using brouting on layer2 networks and layer2 vpns and it's way better than layer 3 routing
09:21 < rob0> Samba can be routed, se !wins
09:22 < daemon> right
09:22 < daemon> hmm in theory I should be able to simply change device tap to device tun
09:22 < rob0> well, you'd have to take down whatever bridge you set up
09:23 < rob0> it does sound like you did a tun-type config but with "dev tap"
09:23 < daemon> rob0, only a few commands
09:23  * stony advises tap on layer 2
09:23 < |Mike|> cron2: kewl! any idea when it becomes the new stable?
09:24 < rob0> Okay stony: what is the benefit of all the extra transatlantic layer 2 traffic?
09:25 < daemon> rob0, stony, well that was easy, its up and working
09:25 < stony> rob0: you can do neat tricks on layer 2 without have to fiddling around with routing
09:25 < stony> rob0: what makes it even better for the people using the vpn 
09:26 < rob0> I can do neat tricks with routing, without pushing tons of useless chatter over the Internet.
09:26 < stony> rob0: e.g proxyarp a subnet of a subnet of clients from somewhere else that appear in the same subnet everywhere
09:26 < daemon> stony, this is an odd question could be an intermitent thing
09:26 < daemon> is tun slightly faster than tap
09:26 < rob0> I've even routed a proxy-ARP network.
09:26 < stony> rob0: the more-traffic-question is the same question like using tcp or udp or if vi is better than emacs ...
09:27 < stony> in the end you have to decide if it's the right tool nothing more
09:27 < daemon> ok I can ping 10.0.2.1 (vpn host) from my 10.0.0.0/24 machines
09:27 < daemon> lets see if I can reach my friend in the states
09:27 < stony> the end justifies the means.
09:27 < daemon> actually all the routing seems perfect now
09:27 < rob0> No. vi/emas is a preference, there is a better answer in the TCP/UDP choice, just as there is a better answer in the tun/tap choice.
09:28 < daemon> not always a preference
09:28 < daemon> in some os's vi is in the base/default install emacs is not
09:29 < daemon> so you get used to using it when logged in via kvm to some remote server with connectivity issues
09:29 < rob0> Then that was the distributor;s preference. Don't confuse matters.
09:29 < stony> rob0: in 99,9% of the time it's just a question of faith/belief and sometimes usefullness
09:29 < stony> rob0: and nothing else
09:29 < cron2> |Mike|: it will take some time - enough tests and feedback, then move from -testing to -beta, then eventually to -stable.  I'd expect "half a year".  But folks are making debian packages and freebsd ports available in the next few days
09:29 < rob0> I choose not to push all the useless layer 2 packets over the Internet.
09:30 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
09:30 < stony> if the user using openvpn can connect via tcp through a https proxy and udp 1194 is not working i won't tell him that i don't believe in vpn connections over tcp...
09:30 < stony> same thing in layer2/3
09:30 < |Mike|> cron2: for squeeze i hope :P
09:30 < rob0> I would choose differently if I had a need for a non-IP protocol.
09:30 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
09:31 < cron2> |Mike|: dunno what will be available in the end, I'm not doing the .deb packaging.  I'd expect lenny and squeeze.
09:36 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
09:37 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
09:41 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
09:42 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
09:42 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:44 < kiuma> my daughter is ok :)
09:44 < kiuma> my vpn no :(
09:44 < rob0> Did you ask the doctor to fix the VPN?
09:45 -!- ol_ [~ol@p5B1569EA.dip.t-dialin.net] has joined ##openvpn
09:45 -!- stony [~ol@p5B1569EA.dip.t-dialin.net] has quit [Read error: No route to host]
09:45 -!- ol_ is now known as stony
09:45 < stony> re
09:45 < kiuma> lol , no but she has spoken all the time about her journeys around the world
09:47 < kiuma> the problem is that I'm a java consultant and now I'm working in a place with heavy restriction , so strong that I can't even look at my email that is on google.
09:47 < kiuma> so my only option is to use a vpn
09:48 < kiuma> I don't know why (I'm not a systemist) but I can't set the default gateway to the tun gw because I top to navigate
09:49 < rob0> !def1
09:49 < vpnHelper> rob0: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
09:51 < kiuma> rob0, this would also let me use irc ? I use it in my daily job
09:56 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
09:56 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
09:58 < kiuma> nothing seems to change
09:59 < stony> rootis grub counting serial connections from 0 or from 1 ?
10:07 < kiuma> ?
10:07 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has left ##openvpn ["Leaving"]
10:08 -!- mimecine [~Adium@cpe-67-250-38-114.nyc.res.rr.com] has joined ##openvpn
10:09 < stony> kiuma: wrong winodow :)
10:09 < kiuma> :)
10:19 -!- kiuma [~kiuma@93-36-8-254.ip57.fastwebnet.it] has quit [Ping timeout: 248 seconds]
10:20 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:26 -!- kiuma [~kiuma@93-36-8-254.ip57.fastwebnet.it] has joined ##openvpn
10:35 -!- kiuma [~kiuma@93-36-8-254.ip57.fastwebnet.it] has quit [Ping timeout: 248 seconds]
10:41 -!- acidfoo [~nib@dsl-67-212-3-113.acanac.net] has quit [Ping timeout: 245 seconds]
10:46 -!- stony_ [~ol@p5B157173.dip.t-dialin.net] has joined ##openvpn
10:47 -!- stony [~ol@p5B1569EA.dip.t-dialin.net] has quit [Disconnected by services]
10:47 -!- stony_ is now known as stony
11:24 -!- sparch [~daniel@pdpc/supporter/active/sparch] has joined ##openvpn
11:24 -!- sparch [~daniel@pdpc/supporter/active/sparch] has left ##openvpn []
11:45 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
11:52 -!- mimecine [~Adium@cpe-67-250-38-114.nyc.res.rr.com] has quit [Quit: Leaving.]
12:06 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Ping timeout: 256 seconds]
12:07 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:33 -!- xulf [~j@71.189.126.150] has joined ##openvpn
12:33 < xulf> Hello
12:34 < xulf> isn't it true for lzo or other compression to work efficiently the packet size needs to be a minimum size?  
12:35 < xulf> is there any encapsulation option of multiple packets to make this more efficient
12:37 -!- kiuma [~kiuma@93-36-3-162.ip57.fastwebnet.it] has joined ##openvpn
12:39 < kiuma> hello, I've still a problem with openvpn, I've added "redirect-gateway def" and "dhcp-option DNS 192.168.2.1" and I've set named to listen on 192.168.2.0/24 . 
12:39 < Bushmills> i doubt that - compression buffer size and packet size do not need to be related
12:40 < Bushmills> kiuma: what client OS?
12:41 < kiuma> the dns dosn't work, if I use another dns and try to ping a host, the dns resolves the name but hangs
12:41 < kiuma> Bushmills, linux gentoo
12:41 < Bushmills> what do you do on client to set DNS, as pushed by server?
12:42 < kiuma> in /etc/openvpn.conf I've added "dhcp-option DNS 192.168.2.1"
12:42 < kiuma> or any dns I like 
12:42 < Bushmills> that's on server. i mean, on client
12:43 < Bushmills> ah, that is client. i assumed "push"
12:43 < Bushmills> just by setting that option, linux will not change your resolver
12:44 < kiuma> but it's not a real problem with the resolver
12:44 < Bushmills> according manual: " Set  extended  TAP-Win32  TCP/IP  properties,..."
12:44 < Bushmills> note the "Win"
12:44 < kiuma> (a push from the server shouuld be better)
12:44 < Bushmills> well, the DNS you usually use is probably not accessable from vpn server
12:45 < kiuma> it is
12:45 < Bushmills> no. push from server has same effect
12:45 < Bushmills> can you resolve hosts from your vpn server, using the DNS in your client  resolv.conf?
12:45 < kiuma> well now I'm using 213.140.2.12 that it's the fastweb one
12:46 < kiuma> Bushmills, it's not my actual need
12:46 < Bushmills> but that may be your problem
12:47 < Bushmills> if you can't, that's a reason for client to not resolve host names
12:47 < kiuma> Bushmills, the vpn server is the server I have in the office and I use its dns 
12:48 < Bushmills> check you client resolv,conf, when vpn is started, whether your vpn server DNS is actually in there 
12:48 < kiuma> so my dns works, I've also added the 192.168.2.0/24 to named that is the vpn
12:48 < Bushmills> if it isn't, your client won't use it
12:48 < kiuma> listen, I told I can resolve names
12:48 < kiuma> this is not the problem
12:48 < Bushmills> ok
12:49 < kiuma> hte problem is that when I try to ping a host
12:49 < Bushmills> "(19:41:02) kiuma: the dns dosn't work,"
12:49 < kiuma> I see only the first ping line
12:49 < kiuma> Bushmills, and the I specified :)
12:49 < Bushmills> "... if I use another dns and try to ping a host, the dns resolves the name but hangs"
12:49 < kiuma> infact
12:50 < Bushmills> so your dns doesn't work, but you can resolve names
12:50 < kiuma> but if I use another dns 
12:50 < kiuma> no :) 
12:50 < kiuma> it works
12:50 < kiuma> but I think I've something wrong with iptables
12:51 < kiuma> because even using an external dns 
12:51 < Bushmills> i think there's something wrong with describing your problem
12:51 < kiuma> when Pinging I see only the first result line then ping stales
12:51 < rob0> dhcp-option is Windows-only
12:51 < kiuma> Bushmills, I'm not a systemist :/
12:52 < kiuma> rob0, but it updates my resolv.conf
12:53 < kiuma> may I pastebin my iptables to let u check if I missed something ?
12:53 < rob0> There are numerous kludges to accomplish the same thing.
12:53 < rob0> !iptables
12:53 < vpnHelper> rob0: "iptables" is (#1) o test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT;, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-
12:53 < vpnHelper> rob0: computing.net/wiki/index.php/OpenVPN/Firewall
12:54 < kiuma> rob0, I cannot clean my office server iptables from here :)
12:54 < Bushmills> #iptables
12:55 < rob0> My approach would be a bit simpler than the factoid, "for chain in INPUT OUTPUT FORWARD ; do iptables -vI $chain ACCEPT ; done"
12:55 < Bushmills> as you have openvpn client server connection, and traffic routed to server, openvpn seem fine 
12:55 < kiuma> http://pastebin.com/d2802e87d
12:57 < kiuma> Bushmills, yes I think I'm near to the solution, now I can do a ssh over vpn, and I can use squid. I would like to be able to use irc now 
12:57 < Bushmills> Chain INPUT (policy ACCEPT)  , then having a lot of ACCEPT seems strange
12:57 < rob0> No, that's too complex for me to try to debug for free. :) You know how to test and see if the firewall is the problem. Did you?
12:57 < Bushmills> general idea is: policy DROP, and ACCEPT what you need
12:57 < kiuma> no :(
12:57 < kiuma> Bushmills, thx I'll do
12:58 < kiuma> but I've to be in the office :)
12:58 < Bushmills> no need to mix some REJECT and some ACCEPT then
12:58 < Bushmills> policy ACCEPT and selected REJECTs is also not a good idea
12:58 < Bushmills> you probably want 53 open, for reverse DNS
12:59 < rob0> Oh I don't agree. I like ACCEPT policies. I use blanket DROP or REJECT rules in place of policies.
12:59 < kiuma> so I only should ave default drop and then ACCEPT what I nned right ?
12:59 < rob0> Same idea, different implementation.
12:59 < Bushmills> rob0: ok.  but policy ACCEPT and then two handfuls of ACCEPT rules at the end of chain?
12:59 < kiuma> the key is not to mix right ?
13:00 < rob0> that would only be useful for counting packets & bytes, yes, not very useful.
13:00 < Bushmills> there are 15 rules which server no purpose at all with policy ACCEPT
13:01 < Bushmills> serve
13:01 < rob0> Also, domain/udp is being rejected.
13:02 < Bushmills> he says his DNS works.ö
13:02 < kiuma> removed the two reject lines, now I try 
13:02 < kiuma> Bushmills, from the office it works
13:02 < kiuma> and anyway I can use another dns
13:02 < rob0> Better to bind your nameserver to the IP addresses it needs, rather than bind to all and block in the firewall.
13:02 < Bushmills> it even works while blocked by firewall :)
13:03 < kiuma> no :(
13:05 < kiuma> do u see me now ?
13:05 < kiuma> ping
13:05 < kiuma> I'm always one way :(
13:09 < kiuma> I've removed the two REJECT lines as suggested by you, but it doesn't change
14:05 -!- kiuma [~kiuma@93-36-3-162.ip57.fastwebnet.it] has quit [Ping timeout: 248 seconds]
14:13 -!- stony [~ol@p5B157173.dip.t-dialin.net] has quit [Ping timeout: 272 seconds]
14:18 -!- kiuma [~kiuma@85-18-55-37.ip.fastwebnet.it] has joined ##openvpn
14:31 < kiuma> push
14:37 -!- kiuma [~kiuma@85-18-55-37.ip.fastwebnet.it] has quit [Quit: Bye bye ppl]
14:38 -!- xulf [~j@71.189.126.150] has left ##openvpn []
15:40 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
15:51 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
--- Log closed Sat Feb 20 17:00:21 2010
--- Log opened Sat Feb 20 21:44:20 2010
21:44 < tjz> hihi dougy :D
21:44 < tjz> -_-
21:44  * ecrist starts his nyquil nap/coma
21:45 < Dougy> ecrist
21:45 < Dougy> where have you been
21:45 < Dougy> tjz: hio
21:45 < Dougy> hi
21:45  * Dougy waves
21:45 < ecrist> Dougy: riding snowmobile today
21:45 < Dougy> ecrist: did your net go out?
21:45 < Dougy> i tried to load up da forum and it was a no go
21:45 < ecrist> yes, it did for a bit.  Comcast working in the area
21:45 < ecrist> how long was I down?
21:45 < Dougy> didnt check
21:45 < Dougy> i tried to load it once and said f it
21:46 < ecrist> looks like I was offline from about 16:50 to 17:20
21:47 < ecrist> my irc didn't rejoin until I forced it
21:47 < Dougy> ah
21:47 < Dougy> holy shit
21:47 < Dougy> 86 pending posts
21:47 < Dougy> yikes
21:53 < Dougy> i bought a car today
21:53 < Dougy> wo0t
21:53 < Dougy> !logs
21:53 < vpnHelper> Dougy: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
21:55  * ecrist goes to couch with nyquil
21:55 < Dougy> you ok ecrist?
21:57 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: Stops working when I reboot Server 2008 :: Reply by Douglas <http://www.ovpnforum.com/viewtopic.php?f=4&t=2800&p=3449#p3449>
22:01 -!- Dougy [~me@ool-435033e6.dyn.optonline.net] has quit []
22:02 -!- correcaminos [~luis.agui@201.201.46.106] has joined ##openvpn
22:02 -!- correcaminos [~luis.agui@201.201.46.106] has quit [Read error: Connection reset by peer]
22:03 -!- correcaminos [~laguilar@201.201.46.106] has joined ##openvpn
22:43 -!- udk [~evaldo@freenode/staff/udontknow] has quit [Ping timeout: 630 seconds]
22:49 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has joined ##openvpn
--- Day changed Sun Feb 21 2010
00:35 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
01:27 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: Stops working when I reboot Server 2008 :: Reply by moored99 <http://www.ovpnforum.com/viewtopic.php?f=4&t=2800&p=3453#p3453>
01:52 -!- stony [~ol@p5B157173.dip.t-dialin.net] has joined ##openvpn
01:53 -!- stony is now known as Guest10191
01:55 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
01:55 < theDoc> Anyone around? ;p
01:58 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Client Quit]
02:50 -!- tjz [~pc@bb116-15-75-224.singnet.com.sg] has joined ##openvpn
02:50 -!- tjz [~pc@bb116-15-75-224.singnet.com.sg] has quit [Changing host]
02:50 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
03:00 -!- teddymills [~teddy@208.92.235.227] has quit [Read error: Connection reset by peer]
03:00 -!- teddymills [~teddy@208.92.235.227] has joined ##openvpn
03:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:03 -!- Guest10191 [~ol@p5B157173.dip.t-dialin.net] has quit [Quit: leaving]
03:03 -!- stony [~ol@p5B157173.dip.t-dialin.net] has joined ##openvpn
03:03 < stony> hi
03:04 < tjz> Hello
03:04 < tjz> welcome
03:09 -!- master_of_master [~master_of@p57B57F79.dip.t-dialin.net] has quit [Ping timeout: 272 seconds]
03:10 -!- master_of_master [~master_of@p57B54C60.dip.t-dialin.net] has joined ##openvpn
03:45 -!- cron2 [~gert@kirk.greenie.muc.de] has quit [Ping timeout: 256 seconds]
03:46 -!- cron2 [~gert@kirk.greenie.muc.de] has joined ##openvpn
03:53 -!- cron2 [~gert@kirk.greenie.muc.de] has quit [Ping timeout: 268 seconds]
03:53 -!- cron2 [~gert@kirk.greenie.muc.de] has joined ##openvpn
04:14 -!- stony_ [~ol@p5B1554E7.dip.t-dialin.net] has joined ##openvpn
04:18 -!- stony [~ol@p5B157173.dip.t-dialin.net] has quit [Ping timeout: 248 seconds]
05:50 -!- Netsplit *.net <-> *.split quits: Krikke, pa, Overand, disco-, Rienzilla, APTX, tompaw_, mrnice1
05:52 -!- stony_ is now known as stony
05:52 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
05:52 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
05:52 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
05:54 -!- Rienzilla [rien@sinas.rename-it.nl] has joined ##openvpn
05:54 -!- Overand [overand@crappy.domain.name] has joined ##openvpn
05:54 -!- Krikke [~ixevix@62.142.105.142] has joined ##openvpn
05:54 -!- tompaw [~tompaw@slave20.tesserakt.eu] has joined ##openvpn
06:06 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
06:10 -!- mrnice1 [bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
06:19 -!- disco- [disco@andromeda.h4xed.com] has joined ##openvpn
07:23 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
07:26 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:28 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
07:52 -!- julius [~julius@217.20.127.15] has joined ##openvpn
07:57 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
08:37 -!- fremo__ [~fremo@noc.toile-libre.net] has joined ##openvpn
08:37 -!- zero-__ [~zero@noc.toile-libre.net] has joined ##openvpn
08:37 < zero-__> hi
08:39 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
08:39 -!- mode/##openvpn [+o mattock] by ChanServ
08:52 -!- stony [~ol@p5B1554E7.dip.t-dialin.net] has quit [Ping timeout: 248 seconds]
08:53 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
08:54 -!- stony [~ol@p5B1554E7.dip.t-dialin.net] has joined ##openvpn
08:54 -!- stony is now known as Guest21882
09:06 -!- Guest21882 is now known as stony_
09:22 -!- stony_ is now known as stonsy
09:22 -!- stonsy is now known as stony_
09:44 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
09:55 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:14 -!- stony_ is now known as stony
10:32 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
10:36 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
10:47 -!- stony_ [~ol@p5B154D3C.dip.t-dialin.net] has joined ##openvpn
10:47 -!- stony [~ol@p5B1554E7.dip.t-dialin.net] has quit [Disconnected by services]
10:47 -!- stony_ is now known as stony
10:53 -!- stony [~ol@p5B154D3C.dip.t-dialin.net] has quit [Read error: No route to host]
10:58 -!- stony [~ol@p5B154D3C.dip.t-dialin.net] has joined ##openvpn
10:58 -!- stony is now known as Guest93156
11:08 -!- lbt [~david@Maemo/community/contributor/lbt] has joined ##openvpn
11:09 < lbt> hi - I have openvpn working over a gprs connection to a linux client. The problem I'm having is sending the DOMAIN and DNS settings
11:09 < lbt> I use :  push "dhcp-option DOMAIN mydomain.com"
11:10 < lbt> but can't find out how to access this on the client
11:10 < ecrist> with a script
11:10 < ecrist> it'll be stored in the environment
11:10 < lbt> I've run a script that drops the env into a tmp file and can see route_netmask_1=255.255.255.0 etc
11:10 < lbt> nothing has the domain
11:11 < lbt> I saw in the docs that this is a windows thingy :)
11:11 < lbt> I'm pure linux though...
11:11 < ecrist> don't know if you can use it, then.
11:11 < rob0> Then you will find the workarounds :)
11:11 < lbt> heh
11:12 < lbt> any way to pass arbitary data in the env sent over the link?
11:12 < rob0> The Windows DHCP client is silly to be configuring a layer 3 interface.
11:12 -!- Guest93156 is now known as stony_
11:12 < rob0> arbitrary?
11:12 < lbt> essentially I want the client to use my internal LAN DNS server to resolv
11:13 < lbt> so simply to pass "dns_resolv_ip=10.0.0.7"
11:13 < lbt> (oh, I meant DNS aswell as DOMAIN)
11:14 < Bushmills> lbt, you can push dhcp option, and run client-side a script when interface comes up (--up ...), which reads pushed option from environment variable 
11:14 < Bushmills> then it needs to change resolver settings accordingly. maybe patch resolv.conf
11:15 < rob0> There is a "resolvconf" script (packaged by Debian I think) which might do what you want.
11:15 < lbt> Bushmills: so I am using :  push "dhcp-option DNS 10.0.0.7"
11:15 < lbt> and my client side script does : env > /tmp/pulled-env
11:15 < Bushmills> on windows clients, that should work without extra script
11:15 < rob0> We have already established that dhcp-option is Windows-only.
11:15 < rob0> < lbt> I saw in the docs that this is a windows thingy :)
11:15 < lbt> mmm - I wondered about setting --ip-win32 dynamic on the server
11:16 < rob0> Windows-only settings are not going to work on a Linux client.
11:16 < Bushmills> lbt: esentially, yes. but by having env in /tmp, nothing changes. 
11:17 < Bushmills> as you'd run some script then to use the /tmp saved dns in your resolver, that script could also be called as --up script
11:17 < lbt> yeah - debug aid to see what env was avialable
11:17 < lbt> and DNS wasn't sent (as rob0 points out)
11:18 < lbt> even though it'd be rather useful :)
11:19 < rob0> Relax, you have far more options than Windows could ever dream of.
11:19 < lbt> kinda seems odd as openvpn is setting the client IP and I'd expect a way to set domain/resolv - especially given a redirect-gateway
11:19 < lbt> rob0: of course :)
11:19 < rob0> Consider running your own dnsmasq on the client.
11:20 < lbt> well, I could just make the client script rewrite the resolver with a hardcoded value
11:20 < lbt> but I'd like to do this 'properly' and then fit it into our distro
11:20 < lbt> dnsmasq is running on the client
11:21 < rob0> oh! Then use a dnsmasq.d file and reload dnsmasq
11:21 < lbt> how do I tell it to use the IP from the internal lan?
11:22 < rob0> hmm, not sure offhand
11:22 < lbt> ie how do I push that IP from openvpn server
11:22 < lbt> yeah :)
11:22 < rob0> you looked at the various script options, --up and friends?
11:22 < lbt> yes
11:23 < lbt> didn't see any that seemed to get any more data than 'env'
11:23 < lbt> route-up is the last to be called
11:23 < lbt> so should have the richest env
11:25 < rob0> you could distribute the dnsmasq.d file with the signed client certificate
11:25 < lbt> heh
11:25 < rob0> are you talking about a general-purpose Linux distro?
11:25 < lbt> meego/maemo
11:26 < rob0> I've seen the name but not familiar with it.
11:26 < lbt> (was moblin too) so not general purpose - mobile focused
11:26 < lbt> I wonder if other scripts get other envs...
11:30 < rob0> Did you look at resolvconf?
11:30 < lbt> I did - it seems to look for env settings like : foreign_option_1='dhcp-option DNS 193.43.27.132'
11:31 < lbt> that's what I expected to see
11:34 < lbt> ah
11:34 < lbt> I may not have restarted openvpn on the server :)
11:34 < lbt> foreign_option_1=dhcp-option DNS 10.0.0.7           
11:43 < Bushmills> lbt: "how do I tell it to use the IP from the internal lan?" again through --up. it's one of the arguments passed to script
11:44 < lbt> Bushmills: thanks - I mean the DNS ip, not the vpn ip
11:44 < Bushmills> ah. that's what you found already, i take it..
11:44 < lbt> openvpn was working fine at the ip level
11:44 < lbt> yes
11:44 < lbt> it seems that you can send dhcp options via push
11:44 < Bushmills> yes
11:45 < Bushmills> (18:14:32) Bushmills: lbt, you can push dhcp option, and run client-side a script when interface comes up (--up ...), which reads pushed option from environment variable 
11:45 < lbt> even though the manpage says you can't
11:46 < Bushmills> odd
11:46 < Bushmills>   This is a partial list of options which can currently be pushed: --route, --route-gateway, --route-delay, --redirect-gateway,
11:46 < Bushmills>               --ip-win32, --dhcp-option, --inactive, --ping, --ping-exit, --ping-restart, --setenv, --persist-key,  --persist-tun,  --echo,
11:46 < Bushmills>               --comp-lzo, --socket-flags, --sndbuf, --rcvbuf
11:47 < Bushmills> says man page
11:47 < Bushmills> note the " --dhcp-option"
11:47 < lbt> yes and: "Set extended TAP-Win32 TCP/IP properties, must be used with --ip-win32 dynamic."
11:47 < lbt> it is contradicted elsewhere though
11:48 < Bushmills> "must be used with " doesn't say "can't be used"
11:48 < lbt> don't defend bad docs :)
11:48 < Bushmills> i only object incorrect claims.
11:49 < lbt> The meaning of the docs is incorrect. They have a bug. It's not a huge bug.
11:49 < lbt> I'm more interested in rephrasing them
11:50 < Bushmills> "Set  extended  TAP-Win32  TCP/IP properties,..." and then "Note that if --dhcp-option is pushed via --push to a non-windows client..." 
11:50 < lbt> yes indeed
11:50 < Bushmills> on non-windows client you don't set TAP-Win32  TCP/IP properties
11:50 < lbt> would you care to do a word-count between those sentences?
11:51 < lbt> IMHO that's not clear
11:51 < lbt> and would benefit from a change
11:51 < Bushmills> no, i think it suffices to say that one is written at the begin, the other at the end of description of  --dhcp-option 
11:51 < lbt> look, I'm quite happy to admit that I made a mistake doing the config
11:52 < lbt> but the docs could be better written
11:52 < lbt> are you a dev?
11:52 < Bushmills> nope
11:52 < lbt> ok then nm
11:52 < Bushmills> not an openvpn, that is
11:52 < lbt> yeah, if you were I'd send a doc-patch
11:53 < Bushmills> the fact that i'm not shouldn't keep you from doing so
11:53 < lbt> nope, but I won't worry about persuading you the docs need improving ;)
11:53 < Bushmills> man page author email address at the end of man page
11:54 < Bushmills> one problem with docs is that one size doesn't fit all
11:56 < lbt> agreed - but this is a reasonably common use-case and isn't terribly clear. Simply moving that caveat paragraph up so windows/non-windows are discussed together would help.
11:57 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 272 seconds]
12:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
12:14 -!- correcaminos [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
12:14 -!- correcaminos [~laguilar@201.201.46.106] has joined ##openvpn
12:14 -!- stony_ [~ol@p5B154D3C.dip.t-dialin.net] has quit [Quit: off we go]
12:21 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Connection timed out]
12:21 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
12:31 -!- tmwsiy2012 [~tmwsiy@152-20-244-42.rev.uncw.edu] has quit [Ping timeout: 264 seconds]
12:36 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
12:50 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
12:55 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
13:15 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
13:16 -!- bandini [~bandini@host125-6-dynamic.6-79-r.retail.telecomitalia.it] has joined ##openvpn
13:27 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 252 seconds]
13:29 -!- tmwsiy2012 [~tmwsiy@152-20-244-42.rev.uncw.edu] has joined ##openvpn
13:35 < tmwsiy2012> I am having some routing issues with a standard road warrior kind of setup. I have a pptpclient running also on the openvpn server that I wish to route 2 private subnets into from openvpn. I can access the private subnets fine from server but not from openvpn client. I have pastebin'ed my current config although it has changed a lot in messing around with this.
13:35 < tmwsiy2012> http://www.pastebin.com/m45f1f0a3
13:45 < cron2> routes pushed to clients?  ip forwarding enabled on openvpn server?
13:46 < cron2> from a brief look, I'd blaim the firewall rules
13:46 < cron2> there is nothing that permits FORWARD from tun
13:47 < Bushmills> "access the private subnets" ...
13:47 < Bushmills> !route
13:47 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:00 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
14:12 < tmwsiy2012> I still should be able to ping the gateway that the server is pushing to my client though right? I can connect to the server itself but not beyond, ip forwarding is enabled, but I am getting a gateway assigned that I have no idea where is is coming from 
14:12 < tmwsiy2012> my server line is 
14:12 < tmwsiy2012> server 10.8.111.0 255.255.255.0
14:12 < tmwsiy2012> and I get a 10.8.111.6 for my client and it pushes me a 10.8.111.5 gateway shows up in my client routing tables which has me totally baffled and I cant ping
14:13 < tmwsiy2012> from the docs and from what I see in the log on the client I should be getting a 10.8.111.1 gateway
14:14 < tmwsiy2012> and my example is a little different than the !route page but its fairly close
14:18 < Bushmills> that's normal 
14:19 < Bushmills> that's the P-t-P address
14:19 < Bushmills> ifconfig shows
14:20 < Bushmills> server won't respond with echo replies on that one because server can't bind anything to it - that's the client representation of the tunnel endpoint
14:20 < tmwsiy2012> ok that does make sense and something is obviously working b/c I can connect to local subnet interface of openvpn server
14:20 < tmwsiy2012> must be firewall rules :)
14:21 < tmwsiy2012> !forwarding
14:21 < vpnHelper> tmwsiy2012: Error: "forwarding" is not a valid command.
14:21 < Bushmills> ping the server ip address in the openvpn net instead
14:21 < tmwsiy2012> yes I can ping that
14:21 < tmwsiy2012> !welcome
14:21 < vpnHelper> tmwsiy2012: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:22 < Bushmills> fine then
14:22 < tmwsiy2012> is there a help for iptables?
14:22 < ecrist> !iptables
14:22 < vpnHelper> ecrist: "iptables" is (#1) o test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT;, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-
14:22 < Bushmills> iptables howto i suppose. or ...
14:22 < vpnHelper> ecrist: computing.net/wiki/index.php/OpenVPN/Firewall
14:22 < tmwsiy2012> :)
14:22 < Bushmills> !nat
14:22 < vpnHelper> Bushmills: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
14:23 < ecrist> !factoids
14:23 < vpnHelper> ecrist: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
14:23 < Bushmills> !linnat
14:23 < vpnHelper> Bushmills: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
14:23 < ecrist> tmwsiy2012: that link by 'factoids' will give you everything the bot has
14:23 < tmwsiy2012> thanks guys
14:23 < Bushmills> np
14:26 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
14:32 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
14:32 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Read error: No route to host]
14:33 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
14:55 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
14:56 -!- Crell [~lgarfiel@c-98-220-236-211.hsd1.il.comcast.net] has joined ##openvpn
14:59 < Crell> Hi all.  I'm trying to connect to a VPN using KNetworkManager (Kunbuntu 9.10).  I have the configuration all setup AFAIK, but when I select the connection in the popup nothing happens.  No connection, no error, nada.  When I check /var/log/daemon.log, the first useful mention is "No VPN secrets!"  What the heck does that mean, and what do I do about it?
15:00 < Crell> The VPN connection itself is set to use OpenVPN.
15:01 < Bushmills> !ubuntu
15:01 < vpnHelper> Bushmills: "ubuntu" is dont use network manager!
15:02 < Bushmills> sounds like you haven't set up certs+keys yet
15:02 < Bushmills> or networkmanager doesn't know how to find them
15:03 < Crell> I have set them up.  
15:04 < Crell> What should I be using in Kubuntu then besides network manager?
15:04 < Bushmills> i'd say, stop networkmanager, start (presumably started already) vpn server, then start vpn client, through /etc/init.d/openvpn start  
15:05 < agagag> 15
15:05 < Bushmills> when you can connect then, the problem seems to be networkmanager. if you can't, it is your setup
15:06 < Bushmills> also, you might add to client and server configs to use seperate config files for openvpn 
15:07 < Bushmills> makes it easier to read what might be wrong
15:07 < Bushmills> sry. seperate log files, i mean
15:08 < Crell> Well I have no control over the server.  It's in another city. :-)
15:08 < Bushmills> mine too. i can still ssh to it
15:09 < Crell> I'd like to be able to. :-)
15:09 < Crell> Hm.  One thing I googled suggested kvpnc instead.
15:09 < Bushmills> don't add problem potential.  reduce it.
15:10 < Crell> So how do I do this from the command line then?
15:10  * Crell has never done Linux client VPN before, so is in uncharted territory.
15:10 < Bushmills> or do you want to not know whether the problem is openvpn or kvpnc cause - instead of openvpn or networkmanager caused
15:11 < Bushmills> ... then start vpn client, through /etc/init.d/openvpn start  
15:11 < Bushmills> that's not rocket science to type in such a command
15:11 < Bushmills> there is also /etc/init.d/openvpn stop
15:11 < Crell> I have already typed said command, and it has given me no feedback to indicate that it did anything either.  Nor does syslog.
15:12 < Crell> (I am new to VPNs, but please do not assume I am entirely ignorant of the system.)
15:12 < Bushmills> "seperate log files...
15:12 < Bushmills> look at those
15:12 < Crell> Which log files?
15:12  * Bushmills facepalms
15:13 < Bushmills>  also, you might add to client and server configs to use seperate ...      wel, do that on client only without access to server
15:13 < Crell> I am looking at syslog and at daemon.log.  I do not know what other logs you mean, 
15:13 < Crell> There is no /var/log/openvpn log that I am aware of.
15:13 < Bushmills> "add to client and server configs"
15:14 < Bushmills> that means: "modify you client config"
15:14 < Crell> Which is where?  
15:14 < Bushmills> "specify the name of the log file you want openvpn to log to"
15:14 < Bushmills> !howto
15:14 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:14 < Crell> The only file in /etc/openvpn is a bash resolve conf update script.
15:16 < Bushmills> looks like you don't have a config file then
15:16 < Bushmills> why not?
15:16 < Crell> That is an excellent question.
15:16 < Crell> The only documentation I was given by my network admin pertained to using network-manager.
15:16 < Bushmills> answer would be "because I haven't set up openvpn client yet"
15:16 < Bushmills> or "because i haven't configured it yet"
15:16 < Crell> Is it possible that network-manager is simply not writing the correct files?
15:17 < Bushmills> answer would not be "because nobody did that for me"
15:17 < Bushmills> !ubuntu
15:17 < vpnHelper> Bushmills: "ubuntu" is dont use network manager!
15:17 < Bushmills> it is known to be buggy
15:17 < Crell> Joy.
15:19 < Bushmills> what certificate and key files did you put on client?
15:19 < Bushmills> (you said you had done that part of configuration)
15:21 < Crell> The CA file is the cacert.pem file I was provided, the certificate is the myusername_myhost_cert.pem file, and the key is the myusername_myhost_key.pem file.
15:22 -!- bandini [~bandini@host125-6-dynamic.6-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
15:22 < Bushmills> but those are not in your /etc/openvpn dir?
15:22 < Crell> No, they're in my home directory.
15:23 < Bushmills> well, they may reside anywhere, but your client config needs to tell openvpn where they are
15:23 < Crell> Hm.
15:23 < Crell> And so perhaps network-manager is not doing so, hence the issue.
15:24  * Crell tries copying those files.
15:24 < Bushmills> usual place would be in /etc/openvpn because that's the default place where openvpn would be looking.
15:24 < Bushmills> but it still needs their names, specified in the config
15:24 < Crell> Do they need to be in the root of that directory, or can they be in a subdirectory grouped by the remote network?  (I have no other remote network to connect to yet, but I'm planning ahead.)
15:25 < Bushmills> they may be in subdir, but you will have to tell where they are, in client config
15:26 < Bushmills> did you read
15:26 < Bushmills> !howto
15:26 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:27 < Crell> I started skimming past the parts about installing on Windows to find the parts relevant for me, but then we continued talking before I could find them.
15:27 < Bushmills> well, read it. it may answer a lot of your questions
15:29 < Bushmills> while skimming, you may have skimmed past the section "Creating configuration files for server and clients"
15:29 < Crell> brb
15:43 -!- dxtr [dexter@unaffiliated/dxtr] has joined ##openvpn
15:43 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
15:44 < dxtr> Hey, how would one do to get a vpn that looks like a LAN? With multicast and stuff so one can, for example, use the "Find computers" function in Windows and play games and stuff?
15:44 < dxtr> Kinda like Hamachi (yuck)
15:46 < Rienzilla> use dev-type tap and bridging
15:47 < Rienzilla> it can create a vpn on ethernet level, allowing you to use any protocol across it
15:47 < dxtr> I've tried to find information on the web but most (if not all of it) resources I found only handled network-to-network stuff
15:57 < Bushmills> !tap
15:57 < vpnHelper> Bushmills: "tap" is "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming,
15:57 < vpnHelper> Bushmills: anything where the protocol uses MAC addresses instead of IP addresses.
15:58 < Bushmills> dxtr: ^^^^
15:58 < Crell> Hm.  What does this mean: Bad LZO decompression header byte: 42
15:59 < Crell> And what do I do about it?
15:59 < Bushmills> it will still be client to server, and client to client through server
16:00 < Bushmills> Crell: you may want to look at manpage, under --comp-lzo. 
16:00 < Bushmills> most likely you need to change your client setting of that option
16:03 < Crell> Hm, still doing it after I disable that setting in the config file...
16:03 < Crell> I also don't seem to have dns forwarding.  Hm.
16:06 < Bushmills> read manpage about dhcp-option. provided that's how your resolver is supposed to be set
16:07 < dxtr> Bushmills: Oh yeah, now I remember why I stopped trying to get it work
16:07 < dxtr> My friggin' VPS provider :/
16:08 < Crell> I've no idea what the server is set to do.  Presumably it should be forwarding DNS to me, since it does for my coworkers, but I can't ping our intranet server by domain name.
16:08 < dxtr> http://pastebin.ca/1805107 :/
16:08 < Bushmills> Crell: is your VPN provider supposed to resolve the machines of your coworkers?
16:09 < rob0> there are two people here asking separate questions :)
16:09 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
16:09 < Bushmills> or, your intranet servers?
16:09 < Bushmills> dxtr: how is VPS related to VPN?
16:09 < Crell> Bushmills: I'm not trying to connect to their clients, just to our main development server.  I don't know it's IP address off hand, but it has a half-dozen intranet domains running on it.
16:10 < Bushmills> Crell: why should you VPN provider know name and ip address of your intranet server - as you seem to expect them to resolve them for you.
16:10 < Crell> I think we're talking past each other...
16:11 < Crell> If I'm connected to the office VPN, I want/need to get the office DNS server rather than my normal one.
16:11 < Bushmills> "it should be forwarding DNS to me" - "I can't ping our intranet server by domain name"
16:11 < rob0> Bushmills: < rob0> there are two people here asking separate questions :)
16:11 < Bushmills> rob0: i know
16:11 < Bushmills> did i mix them up anywhere?
16:12 < rob0> looked like it, maybe not
16:12 < Bushmills> wasn't my impression
16:13  * Crell could tell them apart.
16:15 < rob0> dxtr: is the tun driver loaded? "modprobe -v tun"
16:16 < rob0> And are you sure you can't do your games with routing?
16:17 < rob0> WINS "find computer" works with routing.
16:18 < rob0> (although I'm trying to figure out why you'd want Samba on a VPS)
16:18 < Crell> Bushmills: So the howto doesn't say what if anything I need to do on the client side to make sure that I pick up the DNS server from the VPN.
16:18 < Crell> But I know my VPN server is supposed to push that out, because it works for my coworkers.  (They're all on Macs.)
16:20 < Crell> I also don't get kicked off of IRC, which is surprising, so I am not 100% certain it is connecting. :-)  Although the messages would indicate it is.
16:27 < Crell> Hm.  No, traffic is not routing.
16:28 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:29 -!- correcaminos [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
16:30 < dxtr> rob0: It does work with routing?
16:36 < rob0> OpenVPN does not work in any way without a tun driver.
16:37 -!- valemon [~valemon@tuxhacker/valemon] has joined ##openvpn
16:38 < valemon> hello can anyone help setting up a vpn connection on gnome?
16:39 < valemon> or link me a guide or something?
16:44 < Crell> Eh, screw this, I'm just passing it back to my network admin.  See if he has any ideas.
16:48 -!- valemon [~valemon@tuxhacker/valemon] has left ##openvpn ["Leaving"]
17:28 -!- lbt [~david@Maemo/community/contributor/lbt] has quit [Ping timeout: 264 seconds]
18:04 -!- Crell [~lgarfiel@c-98-220-236-211.hsd1.il.comcast.net] has quit [Quit: I fell off the Internet.]
19:40 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
19:46 -!- lkthomas [lkthomas@218.213.78.173] has quit []
19:54 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
19:55 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
19:55 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
19:55 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
20:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
20:39 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Ping timeout: 272 seconds]
20:44 -!- tjz [~pc@bb116-15-75-224.singnet.com.sg] has joined ##openvpn
20:44 -!- tjz [~pc@bb116-15-75-224.singnet.com.sg] has quit [Changing host]
20:44 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
21:00 < tjz> hmm
21:00 < tjz> any good ipaddress - bandwidth monitoring software to recommend?
21:31 < ecrist> depends on what you'er doing
21:31 < ecrist> catci/mrtg is really all most people need.
21:32 < tjz> Hello ecrist :D
21:33 < tjz> hmm
21:33 < tjz> i will read up more on cacti
21:33 < tjz> thx for the suggestion
21:33 < tjz> :D
21:40 < Bushmills> tjz: munin is an alternative
21:40 < Bushmills> also has support plugin for openvpn. graphs the number of connections
21:42 < Bushmills> for more detailed view into connections, you may want to have a look at ntop
21:43 < ecrist> I use a combination of cacti and PNP for Nagios (both based on MRTG
21:44 < tjz> hmm
21:44 < tjz> munin seem to monitor the system resources..
21:44 < tjz> i don't see any thing related to monitor bandwidth usage 
21:44 < Bushmills> it monitors whatever the plugins collect 
21:45 < Bushmills> the network monitoring plugins monitor network bandwidth
21:45 < tjz> ok..
21:46 < tjz> i like to monitor each ip address :D
21:46 < Bushmills> can do
21:48 < tjz> is it need to install a plugin?
21:48 < Bushmills> symlink to plugin  ip_     from  ip_nnn.nnn.nnn.nnn   for each address where nnn.nnn.nnn.nnn is the ip address you want to monitor 
21:49 < Bushmills> symlinking *is* the "installing"
21:49 < Bushmills> the ip_ module comes with it already
21:51 < tjz> ok..
21:55 < Bushmills> depending on your distribution, it may create symlinks to your ip addresses during installation already
22:05 < tjz> hmm
22:06 < tjz> does it report monthly bandwidth use by each ipa ddress?
22:06 < Bushmills> daily, weekly, monthly and yearly graphs
22:06 < Bushmills> for each ip address
22:07 < tjz> wow
22:07 < tjz> nice
22:08 < tjz> ok
22:08 < Bushmills> all that stuff you're not interested in, you can remove the symlinks, of yourse
22:08 < tjz> i will try out
22:08 < tjz> :D
22:08 < Bushmills> course
22:09 < Bushmills> nobody cares about disk temperatures or fan speed or such anyway :P
22:09 < tjz> lol
22:09 < tjz> yea
22:09 < tjz> :D :D
22:10 < Bushmills> i run one plugin which shows OS rule/suck ratio  :D
22:11 < Bushmills> http://scarydevilmonastery.net/rule.png
22:13 < Bushmills> http://scarydevilmonastery.net/rulesuck.png
22:14 < Bushmills> just migrated that installation to another server, that's the reason for the discontinuity
22:17 < tjz> still trying to see your pic
22:17 < tjz> :D
22:17 < tjz> hehe
22:19 < tjz> i have munin install on my centos server..
22:20 < tjz> is it view munin via http://ipadd/munin/cgi/munin-cgi-graph ?
22:23 < Bushmills> ehm no.
22:24 < Bushmills> doesn't call a cgi for visualizing. generates static html with links to png graphics
22:25 < Bushmills> most simple case would be a symlink from your docroot to where munin builds its page.  /var/cache/munin/www  on debian
22:27 < Bushmills> or a virtualhost with docroot at var/cache/munin/www 
22:29 < ecrist> Bushmills: what is your rule/suck graph based on?
22:29 < Bushmills> google hit counts
22:30 < Bushmills> searches for <distrib> sux|sucks|stinks  vs  rules|rulez|rocks 
22:30 < ecrist> ah
22:30 < Bushmills> queries every 5 minutes, in a round robin manner. each period another distrib
22:31 < Bushmills> bash script :)
22:34 < Bushmills> http://scarydevilmonastery.net/rulesuckratio
22:35 -!- traceback0 [~traceback@adsl-99-186-40-132.dsl.pltn13.sbcglobal.net] has joined ##openvpn
22:35 < traceback0> hey guys, i am trying to setup my vpn gateway to access internal ips of other servers on my network--would appreciate help if anyone is on
22:35 < Bushmills> !route
22:35 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
22:36 < traceback0> Bushmills: thanks
22:37 < Bushmills> uw
22:37 < tjz> bushmills, hmm...know any tutorial how to setup the ip plugin thing?
22:37 < tjz> :D
22:37 < Bushmills> yes, the plugin itself
22:37 < Bushmills> docs in it
22:38 < tjz> is it found in /etc/munin ?
22:38 < Bushmills> yes. plugins dir in there
22:38 < Bushmills> there's the symlink to the actual file
22:38 < Bushmills> and where you'd add other symlinks if needed
22:38 < Bushmills> but that's not ip_ plugin specific
22:39 < Bushmills> that's the way munin knows what plugins to use
22:39 < tjz> i only have this in my  /etc/munin .
22:39 < tjz> munin.conf  templates
22:39 < Bushmills> yor distribution may have a different directory layout
22:40 < Bushmills> or you're missing a part
22:40 < Bushmills> there are two components of munin
22:40 < Bushmills> the aquisition part, with plugins, and the rendering part. generating html
22:41 < Bushmills> those may run on different machines, therefore the split into two
22:41 < ecrist> tjz: if you're just monitoring bandwidth, do it with SNMP and cacti
22:41 < ecrist> munin is similar to nagios, and not really what you need.
22:42 < ecrist> https://www.secure-computing.net/cacti/graph_view.php?action=tree&tree_id=2&select_first=true
22:43 < ecrist> guest/guest for user/pass if it asks
22:43 < ecrist> click on a graph to get more detailed data
22:48 < traceback0> Bushmills: I added: push "route 10.173.102.2 255.255.255.0" however not seeing tunnelblick add the route even after i restart openvpn
22:50 < traceback0> Also I don't understand why it uses 255.255.255.0
22:50 < Bushmills> "I added..."  that may be the reason
22:51 < traceback0> well the main reason is probably I still don't fully comprehend what I am doing =)
22:52 < traceback0> Bushmills: Why is that the problem, seemed like you're supposed to add that entry to your server.conf
22:53 < Bushmills> i don't know why that should be a problem.  a /24 network is not uncommon
22:54 < Bushmills> but 10.173.102.2 may be
22:54 < traceback0> Bushmills: you said "I added..." that may be the reason--what did you mean by that?
22:54 < Bushmills> I added: push "route 10.173.102.2 255.255.255.0" .... "I don't understand why it uses 255.255.255.0"
22:54 < traceback0> Bushmills: I am trying to connect to the server 10.173.102.2 which is on a lan with my server via my desktop
22:55 < Bushmills> then a host route should do - or are there more host in the 10.173.102.0/24 network which you want to access?
22:56 < traceback0> yeah i have more servers with different internal ips that i wnat to be able to connect to--I'd like this openvpn to be a gateway server to all of thier internal ips which i cannot connect to remotely
22:57 < Bushmills> !route
22:57 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
22:58 < traceback0> Bushmills: thanks I read that (and didn't skim it)
22:59 < ecrist> traceback0: just add a route for each subnet you want to route for.
22:59 < traceback0> ecrist: I thought that's what I did but I don't know what I did wrong
23:00 < traceback0> is that not right?
23:03 < tjz> ecrist, yea.. okay
23:04 < traceback0> ecrist: is route 10.173.102.2 255.255.255.0 a range?
23:05 < ecrist> it is, but the .2 isn't relavent
23:05 < traceback0> ok so this doesn't make sense
23:05 < ecrist> the 255.255.255.0 says 10.173.102.0 through 10.173.102.255
23:05 < traceback0> all i want to do is be able to connect to a server on the lan that my vpn server has access to but my client does not
23:05 < traceback0> ohhh
23:05 < traceback0> okay
23:05 < traceback0> ecrist: so then why can I not connect to that internal ip?
23:05 < traceback0> from my client
23:06 < traceback0> if I added that route line to my conf
23:06 < ecrist> traceback0: depending on the routing stack, the .2 may invalidate the route, since, technically, it doesn't make sense.
23:06 < traceback0> so i should make it 0?
23:06 < ecrist> traceback0: how would I know?  I've not seen configs or logs
23:08 < traceback0> ecrist: Sun 02/21/10 09:06 PM: /sbin/route add -net 10.173.102.0 10.8.1.5 255.255.255.0
23:08 < ecrist> !logs
23:08 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
23:08 < traceback0> ecrist: so that looks promising but i still can't connect to that ip
23:08 < ecrist> traceback0: do you have a firewall?
23:08 < traceback0> on the server? yes.
23:08 < ecrist> probably in there, or the system you're trying to route to doesn't know how to route back to the vpn
23:09 < traceback0> ecrist: I can connect to that ip on the server
23:09 < traceback0> so the system is probably fine?
23:09 < ecrist> ecrist: server isn't the vpn
23:09 < traceback0> i can connect to that ip via the vpn server
23:09 < ecrist> server might be a vpn endpoint, but it's different
23:09 < ecrist> do a traceroute from a client to the IP you're having a problem with
23:09 < ecrist> where does the route stop?
23:09 < traceback0> what should the firewall look like on the vpn server and the server on the lan?
23:10 < traceback0> okay
23:11 < traceback0> ecrist: don't think it goes anywhere, just gives me 1 * * * * 
23:12 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 276 seconds]
23:15 < ecrist> then you're missing routes
23:15 < ecrist> or the firewall is blocking it
23:15 < traceback0> I don't think I am missing routes since I can ssh to that box via logged into my vpn server
23:15 < traceback0> so must be a firewall thing?
23:16 < traceback0> do I need open up port 1194 on all my boxes on the same LAN as the vpn server?
23:16 < ecrist> for the last time, because you can do something from the vpn server, doesn't mean you're pushing the right thing to your clients
23:16 < traceback0> okay
23:16 < ecrist> on the client, is there a proper route in the routing table?
23:17 < traceback0> Probably not and I don't know what that is
23:18 < ecrist> I'm off to bed.  Read !route and you should be able to figure things out from there.
23:22 < traceback0> ecrist: I enabled ip forwarding and got something back from traceroute!
23:23 < traceback0> hits my vpn server, yay
23:31 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
23:32 < traceback0> so I can ping that internal ip but I don't think it pings that actual server it relates to
23:32 < traceback0> the traceroute stops at the vpn server's ip
23:32 < traceback0> any ideas?
23:33 < traceback0> http://dpaste.com/162832/
23:36 < traceback0> Bushmills: ping?
23:47 -!- fofware [~chatzilla@host147.190-229-137.telecom.net.ar] has joined ##openvpn
23:47 < fofware> hello every one
23:48 < fofware> how I connect client with openvpn V 2.1 to server openvpn 1.x with TLS
23:50 < fofware> I did read that I need use key-method 1 on the 2.0 side
23:51 < fofware> but I get this openvpn(custom_config)[2973]: Options error: --client requires --key-method 2
23:51 < traceback0> how do specify in the lan gateway where the destination servers behind the lan how to route back to the vpn client?
23:51 < traceback0> seems when i ping my destination server which is apart of the lan, they have no clue how to get back to the client
23:53 < fofware> traceback0: did you set your firewall on server?
23:53 < traceback0> fofware: what do you mean by did i set it?
23:54 < traceback0> isn't iptables the firewall?
23:54 < fofware> your firewall accept forward trafic from lan to vpn?
23:55 < traceback0> I am pretty sure I read some stuff online about ip forwarding
23:55 < traceback0> the moment I turned it on, I was able to traceroute the destination ip which stops on the vpn server
23:56 < fofware> and to route in linux box route add -net 172.16.0.0 netmask 255.255.255.0 gw 192.168.1.7 for example
23:56 < traceback0> I think have this issue: http://www.linuxquestions.org/questions/linux-networking-3/openvpn-client-cannot-route-to-lan-366279/
23:56 < vpnHelper> Title: OpenVPN client cannot route to LAN - LinuxQuestions.org (at www.linuxquestions.org)
23:56 < fofware> in windows box route -p add 172.16.0.0 mask 255.255.255.0 192.168.1.7
23:56 < traceback0> add that to my client? vpn server? or box I am trying to connect to behind lan?
23:57 < traceback0> (fofware)
23:58 < fofware> your client must be know others subnet in server so you must add it in client
23:59 < fofware> but your serve must permit trafic from vpn to lan and lan to vpn
23:59 < traceback0> my server does because of ip forwarding correct?
23:59 < fofware> if the same that you have 2 subnetwroks 
23:59 < traceback0> btw what is this last part: gw 192.168.1.7
--- Day changed Mon Feb 22 2010
00:00 < fofware> this ip is  vpn gatway ip
00:00 < traceback0> ah
00:01 < traceback0> fofware: should i use the public ip?
00:01 < traceback0> for that
00:02 < fofware> what you are using tun or tap
00:02 < traceback0> tun
00:02 < fofware> ok
00:02 < fofware> then type ifconfig
00:02 < traceback0> i also get route: bad address: netmask
00:03 < traceback0> ifconfig on client box?
00:03 < fofware> yes
00:03 < traceback0> ok done
00:03 < traceback0> fofware: use the inet ip for tun0?
00:03 < fofware> you see tun device with inet addr: xxxx...xx.xx and PtP addr
00:04 < fofware> P-t-P is your gateway
00:05 < traceback0> fofware: http://dpaste.com/162843/
00:06 < fofware> and to route in linux box route add -net <your_lan_subnet> netmask 255.255.255.0 gw 10.8.1.5
00:06 < fofware> route add -net <your_lan_subnet> netmask 255.255.255.0 gw 10.8.1.5
00:07 < traceback0> fofware: lan subnet can just be the ip of the box i want to connect to right?
00:08 < traceback0> fofware: http://dpaste.com/162844/
00:10 < fofware> yes if your lan have ips from 10.176.107.1 upto 10.176.107.254
00:10 < traceback0> fofware: yeah one of my boxes has an ip in that range
00:11 < fofware> but look like you don't have route command
00:12 < fofware> what command are you use to change route table?
00:12 < traceback0> I do have the route command
00:13 < fofware> traceback0: sorry
00:13 < fofware> yes but it do not work you get SIOCADDRT: No such process
00:14 < fofware> your vpn is connected?
00:14 < traceback0> fofware: http://dpaste.com/162845/
00:14 < traceback0> that's as far as i get
00:14 < traceback0> yeah it is
00:14 < traceback0> fofware: tracerouting to the other box on the lan as the vpnserver
00:14 < traceback0> it gets to the vpn server's ip
00:14 < traceback0> then stops
00:15 < fofware> yes, then all is working fine on cliente
00:15 < fofware> the issues it's on server side
00:15 < fofware> server do not route to that address
00:16 < traceback0> yea
00:16 < traceback0> fofware: so is that the route thing you wanted me to run?
00:19 < fofware> your client route fine this subnet to other side of opnevpn, but the server don't know this subnet or how route to it
00:19 < traceback0> gotcha
00:19 < traceback0> so how do I set that up
00:19 < fofware> jejejejejje
00:20 < fofware> huston we got a problem :)
00:20 < fofware> do you have access to server?
00:24 < traceback0> fofware: yes
00:24 < traceback0> fofware: btw it's like it routes to itself now: http://dpaste.com/162849/
00:25 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit []
00:25 < fofware> traceback0: this subnet is on vpn server side
00:25 < fofware> or is in vpn client side?
00:26 < traceback0> the server i want to connect to is on a LAN with the vpn server
00:29 < traceback0> fofware: 
00:31 < fofware> so, your vpn server have one ip of the same subnet?
00:31 < traceback0> vpn server has a different ip than my other box
00:31 < traceback0> so different subet
00:32 < fofware> then vpn serve don't see the other server because they are in different subnets
00:32 < traceback0> fofware: http://dpaste.com/162852/
00:32 < traceback0> fofware: yeah, so how do make it see the other server
00:35 < fofware> you need find the way to route from vpn server to your other server, if both are connected to the same switch you can add one ip of other subnet to your vpnserver, so it will know the other subnet
00:36 < traceback0> how do you "add an ip" though
00:36 < fofware> but if you have a route betwin both you must set route in your vpn server to router that handlle thoes address
00:38 < fofware> traceback0: what linux are you ussing?
00:38 < traceback0> fofware: no clue what rackspace.com uses
00:38 < traceback0> fofware: ubuntu
00:39 < fofware> so, read how set 2 ip address to same card on debian or ubuntu
00:40 < fofware> traceback0: can you paste ifconfig of your vpnserver?
00:40 < traceback0> fofware: http://dpaste.com/162854/
00:42 < fofware> ok, and the oter server it's fisically connect to same switch?
00:42 < traceback0> fofware: not sure how rackspace does it
00:43 < traceback0> could experiment i guess
00:43 < fofware> and if you connet to your vpn server with ssh, you can ping to other server?
00:44 < traceback0> fofware: think it's a router
00:44 < traceback0> fofware: yes i can
00:44 < fofware> ok
00:45 < fofware> so, please paste traceroute to it and route of your vpnserver
00:46 < traceback0> fofware: http://dpaste.com/162856/
00:47 < fofware> that is from vpnserver?
00:47 < traceback0> fofware: yea
00:49 < fofware> type route and paste it please
00:49 < traceback0> from the vpn server?
00:49 < fofware> yes, from vpn server
00:49 < traceback0> fofware: http://dpaste.com/162859/
00:52 < fofware> traceback0: give me some time I will read all 
00:55 < fofware> traceback0: route add -net 10.176.96.0 netmask 255.255.224.0 gw 10.8.1.2
00:56 < fofware> traceback0: but first del previus route setting
00:57 < traceback0> which one?
00:59 < fofware> route del -net 10.176.107.0 netmask 255.255.255.0 gw 10.8.1.5
00:59 < fofware> in your client
01:00 < fofware> that should work
01:00 < traceback0> fofware: http://dpaste.com/162861/
01:01 < traceback0> fofware: http://dpaste.com/162862/
01:01 < fofware> traceback0: sorry
01:02 < fofware> traceback0: route add -net 10.176.96.0 netmask 255.255.224.0 gw 10.8.1.5
01:02 < traceback0> wont let me do that
01:02 < fofware> in your client the gateway is 10.8.1.5 not 10.8.1.2
01:03 < fofware> you must change route in your client not in server vpn
01:06 < fofware> so, It's working now?
01:06 < traceback0> fofware: http://dpaste.com/162866/
01:09 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:09 -!- mode/##openvpn [+o mattock] by ChanServ
01:13 < fofware> traceback0: but it's correct http://dpaste.com/162869/
01:14 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
01:16 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:22 -!- fofware [~chatzilla@host147.190-229-137.telecom.net.ar] has quit [Read error: Connection reset by peer]
01:26 -!- lbt [~david@Maemo/community/contributor/lbt] has joined ##openvpn
01:28 -!- fofware [~chatzilla@190.7.25.160] has joined ##openvpn
01:40 -!- fofware [~chatzilla@190.7.25.160] has quit [Read error: Connection reset by peer]
01:41 -!- dazo_afk is now known as dazo
01:42 -!- fofware [~chatzilla@190.229.137.147] has joined ##openvpn
01:56 < cron2> !route
01:56 < vpnHelper> cron2: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
01:58 -!- xod [~onats@112.201.158.40] has joined ##openvpn
02:04 -!- xod [~onats@112.201.158.40] has quit [Quit: Ex-Chat]
02:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:24 -!- Kartagis [~c1ff8701@gateway/web/freenode/x-bzmoryzposjaxrdt] has joined ##openvpn
02:25 < Kartagis> hello
02:25 < jmm> hi.
02:25 < Kartagis> I am trying to install openvpn. I typed sudo /etc/init.d/openvpn start but it didn't start. where to look for errors?
02:26 -!- traceback0 [~traceback@adsl-99-186-40-132.dsl.pltn13.sbcglobal.net] has quit [Ping timeout: 246 seconds]
02:29 -!- traceback0 [~traceback@adsl-99-186-40-132.dsl.pltn13.sbcglobal.net] has joined ##openvpn
02:32 -!- steven__ [~chatzilla@124.14.22.231] has joined ##openvpn
02:33 -!- traceback0 [~traceback@adsl-99-186-40-132.dsl.pltn13.sbcglobal.net] has quit [Remote host closed the connection]
02:36 -!- traceback0 [~traceback@adsl-99-186-40-132.dsl.pltn13.sbcglobal.net] has joined ##openvpn
02:40 < steven__> hello all
02:40 -!- traceback0 [~traceback@adsl-99-186-40-132.dsl.pltn13.sbcglobal.net] has quit [Ping timeout: 272 seconds]
02:58 -!- mattock1 [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:58 -!- mode/##openvpn [+o mattock1] by ChanServ
02:59 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 252 seconds]
03:04 < insane^> Kartagis, propably in /var/log/messages ...
03:07 < Kartagis> insane^: no it's not there
03:08 < insane^> which distribution?
03:08 -!- master_of_master [~master_of@p57B54C60.dip.t-dialin.net] has quit [Ping timeout: 248 seconds]
03:08 < |Mike|> windows ? :p
03:09 < Kartagis> I'm ssh'ing
03:09 < Kartagis> insane^: ubuntu
03:10 < insane^> ./var/log/syslog ?
03:10 -!- master_of_master [~master_of@p57B57DFA.dip.t-dialin.net] has joined ##openvpn
03:11 < Kartagis> not there, not in /var/log/messages
03:12 < Kartagis> it used to give me errors about certificates, could it be that=
03:12  * Kartagis hides
03:12 < |Mike|> try /var/log/openvpn/
03:12 < |Mike|> Kartagis: *gosh* rtfm
03:12 < |Mike|> !howto
03:12 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:13 < |Mike|> openvpn doesn't come with signed certs :)
03:15 -!- mah_cfsi_AFK [~mah@mail.cfsi.dk] has quit [Quit: Ex-Chat]
03:21 -!- fofware [~chatzilla@190.229.137.147] has quit [Ping timeout: 272 seconds]
03:45 -!- Kartagis [~c1ff8701@gateway/web/freenode/x-bzmoryzposjaxrdt] has quit [Quit: Page closed]
03:49 -!- steven__ [~chatzilla@124.14.22.231] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
03:53 -!- traceback0 [~traceback@adsl-99-186-40-132.dsl.pltn13.sbcglobal.net] has joined ##openvpn
03:53 < traceback0> so does anyone here understand how route works
03:53 < traceback0> could use some hep
03:53 < traceback0> help
03:59 < traceback0> whenevr i traceroute my internal IP it just routes to the gateway instead of the actual server
03:59 < traceback0> so weird
04:04 -!- traceback0 [~traceback@adsl-99-186-40-132.dsl.pltn13.sbcglobal.net] has quit [Remote host closed the connection]
04:06 -!- traceback0 [~traceback@adsl-99-186-40-132.dsl.pltn13.sbcglobal.net] has joined ##openvpn
04:14 < upb> what is your 'internal ip' ?:P
04:15 < upb> from where are you tracerouting it ?
04:15 < upb> what's your network topology
04:17 < traceback0> upb: I am trying to openvpn to connect to a gateway which allows me access to a bunch of my boxes which I want to be able to ssh into via internal ips
04:17 < traceback0> I am tracerouting from my laptop (aka the client)
04:18 < traceback0> upb: client -> gateway -> <servers>
04:19 < upb> okay
04:19 < upb> check routings on each node to servers and to client
04:19 < upb> if routings are ok, check with tcpdump
04:20 < traceback0> upb: http://dpaste.com/162916/
04:20 < traceback0> this is what happens
04:20 < traceback0> when I am trying to traceroute from laptop to the server firewalled
04:20 < traceback0> it hits the gateway ip
04:20 < traceback0> and then just dies
04:21 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has joined ##openvpn
04:22 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has left ##openvpn []
04:36 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
04:36 -!- mode/##openvpn [+o mattock] by ChanServ
04:36 -!- mattock1 [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
04:48 -!- ScriptFanix [vincent@Tuluk.riquer.fr] has quit [Ping timeout: 256 seconds]
04:49 < upb> traceback0: tcpdump on the gateway
04:50 < cron2> traceback0: have you fully read !route?
04:50 < upb> does the server have 1) gateway as default route or 2) route to the client subnet through gateway
04:52 < traceback0> upb: when I do a traceroute on my client machine and tcpdump this is what I get: http://dpaste.com/162929/ and the client hangs
04:55 < upb> if you ran tcpdump on the gateway, the most probable cause is that the server doesn't have routing to the client
04:56 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 252 seconds]
04:58 < |Mike|> :)
04:58  * upb slaps |Mike| 
05:00 < traceback0> upb: interestingly, I can no longer ping my other server
05:00 < traceback0> I used to be able to
05:00 < traceback0> So now I have to figure out what happened because that's the main reason why I probably can't get to it
05:01 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Ping timeout: 264 seconds]
05:01 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
05:06 < |Mike|> Hey upb :)
05:18 -!- ScriptFanix [vincent@Tuluk.riquer.fr] has joined ##openvpn
05:35 < traceback0> upb: around?
05:38 -!- sparch [~daniel@pdpc/supporter/active/sparch] has joined ##openvpn
05:39 -!- dug` [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
05:39 < sparch> morning
05:39 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Read error: Connection reset by peer]
05:40 < upb> traceback0: yes _
05:40 < upb> ?
05:40 < traceback0> upb: so looking at tcpdump on the gateway: 11:40:07.030512 IP 10.8.0.6 > 10.176.107.1: ICMP echo request, id 37126, seq 54, length 64
05:40 < traceback0> upb: but nothing is hitting the server
05:52 < traceback0> upb: do you know the right forwarding and nat stuff ?
05:53 < traceback0> I assume since my other server isn't getting any requests that it's a forwarding/nat/something issue
05:53 < upb> nah, its a routing issue
05:53 < traceback0> heh
05:53 < upb> try pinging the server from gw
05:54 < traceback0> I did it works
05:54 < upb> wtf :P
05:54 < upb> then, maybe you have fw rules on the gw ?
05:54 < traceback0> fw?
05:54 < traceback0> forwarding?
05:54 < insane^> firewall 
05:54 < traceback0> upb: http://dpaste.com/162956/
05:54 < traceback0> take a look
05:55 < traceback0> traceroute just stops at the gateway ip
05:56 < traceback0> won't move on
05:56 < traceback0> other server gets no requests, only the gateway
05:57 < traceback0> since I can ping the server from gateway
05:57 < traceback0> must be a firewall issue
05:58 < traceback0> does the other server have to have 1194 open?
05:59 < traceback0> gah
05:59 < upb> lines 34 to 36 have no effect
05:59 < traceback0> openvpn is too hard =(
05:59 < upb> since you have a -j REJECT before them
05:59 < upb> line 31 should allow traffic from your laptop to server
05:59 < upb> but traffic isnt allowed back
06:00 < upb> if this is a test network, you can look at the counters on rules
06:00 < traceback0> i deleted -A FORWARD -j REJECT
06:00 < traceback0> on line 31
06:00 < traceback0> err 32
06:01 < traceback0> but still doesn't solve it
06:01 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
06:01 -!- mode/##openvpn [+o mattock] by ChanServ
06:01 < traceback0> whoa wait a min
06:01 < traceback0> upb: notice how it says eth0
06:02 < traceback0> shouldn't that be eth1?
06:02 < traceback0> maybe not
06:02 < traceback0> no i guess i am connecting openvpn through a pub ip
06:03 < traceback0> heh oh well
06:04 < traceback0> I just don't know anymore
06:04  * traceback0 throws in the towel
06:11 < reiffert> !route
06:11 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
06:13 < reiffert> I've got an openvpn problem.
06:13 < reiffert> Site A<-tun0------tun0->Site B
06:14 < reiffert> Site A is 192.168.0.0/24  Site B is 192.168.1.0/24, openvpn Net is 10.8.0.0/24
06:14 < reiffert> A client from Site A is pinging: 192.168.1.255
06:14 < reiffert> The ping can be tcpdumped on Site A/openvpn:
06:14 < reiffert> 13:14:45.138606 IP 192.168.0.19 > 192.168.1.255: ICMP echo request, id 2181, seq 268, length 64
06:14 < reiffert> The ping can be tcpdumped on Site B/openvpn:
06:15 < reiffert> 13:15:01.137423 IP 192.168.0.19 > 192.168.1.255: ICMP echo request, id 2181, seq 284, length 64
06:15 < reiffert> but the packet does not make it to Site B-Lan-Interface.
06:15 < reiffert> How to do this?
06:19 < reiffert> I need this for samba remote announce.
06:20 < reiffert> guys come on...
06:22 < |Mike|> must be a layer 2 network, isnt it ?
06:22 < reiffert> I wonder how those broadcast pings made it from site A to site B ...
06:23 < |Mike|> indeed, what if you use arpping some-ip ?
06:24 < reiffert> I got a layer 3 openvpn tunnel, what do you expect by arppinging?
06:27 < |Mike|> I'm not sure, I always tought that Samba used layer2 imho
06:43 < ecrist> samba is routable
06:43 < ecrist> host discovery is done via layer 2
06:43 < ecrist> but that can bridge routes when coupled with a WINS server
06:51 < reiffert> so any idea how to get those 1.255 packets across vpn?
06:51 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 252 seconds]
06:51 < cron2> reiffert: route them?
06:51 < reiffert> cron2: go ahead..
06:51 < cron2> what looks like a broadcast in one subnet is just an IP address from everywhere else
06:52 < reiffert> right.
06:52 < cron2> without knowing the netmask, you can't say whether (e.g.) 10.2.0.255 is a broadcast or not
06:52 < cron2> so if the client is 192.168.0.x/24 and routes 192.168.0.0/16 over...
06:52 < reiffert> everything is /24
06:52 < reiffert> want me to paste some routing tables?
06:53 < cron2> ah
06:53 < cron2> so your concern is actually that the packet arrives, but doesn't make it into a broadcast on the B network?
06:53 < reiffert> right.
06:54 < reiffert> It comes into Site A gateway, it leaves that gateway on tun0, it arrives on site b gateway and there it disappears.
06:54 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
06:54 -!- mode/##openvpn [+o mattock] by ChanServ
06:54 < cron2> reiffert: most likely gateway B will eat it, because this sort of "send packet to broadcast address from elsewhere" is frequently used for DoS attacks
06:55 < reiffert> want me to paste sysctl -a?
06:55 < ecrist> http://xkcd.com/705/
06:55 < vpnHelper> Title: xkcd: Devotion to Duty (at xkcd.com)
06:55 < cron2> (send pings from A to B.255, pretend to be C.  B's network will aplify A's pings and send 1000s of ping replies to C)
06:55 < cron2> ((smurf attack))
06:55 < reiffert> cron2: sysctl tell.me.whatever.the.thing.is = 0?
06:55 < cron2> I know how to configure this on cisco ("ip directed-broadcast") but need to do some googling for Linux
06:56 < cron2> http://www.linuxquestions.org/questions/linux-networking-3/enabling-subnet-directed-broadcast-on-linux-router-198955/
06:56 < vpnHelper> Title: Enabling subnet directed broadcast on Linux Router - LinuxQuestions.org (at www.linuxquestions.org)
06:57 < cron2> mmm.  same problem, but no solution yet
06:58 < cron2> http://darkness.codefu.org/wordpress/2006/02/22/226
06:58 < vpnHelper> Title: Linux and directed broadcasts | darkness (at darkness.codefu.org)
06:59 < reiffert> seen those two .. yeah
07:00 < cron2> found some more but all seem to say that Linux doesn't forward broadcasts the moment it notices that its a broadcast
07:01 < reiffert> I tried with bcrelay, no luck here.
07:02 < reiffert> I could use bridging those two different subnets for exchanging mcast,bcast and route ip additionally.
07:02 < reiffert> hm.
07:03 < cron2> reiffert: make "whatever it is" work without broadcasts?
07:03 < reiffert> samba remote announce
07:03 < cron2> the canonical response I always give to our windows folks is "use a WINS server"...
07:03 < reiffert> I successfuly managed to get around this for AFP, using bonjour proxies.
07:04 < reiffert> cron2: sure. two subnets, two wins servers. how are they supposed to talk to each other?
07:05 < cron2> reiffert: uh.  Now we're losing my field of windows experience.  Can you synchronize two WINS servers (via unicast packets, WINS<->WINS)?
07:05 < reiffert> using remote browse sync and remote announce ..
07:06 < reiffert> lemme try on unicast, right.
07:20 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:23 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
07:32 -!- XATRIX [~XATRIX@94.244.27.12] has joined ##openvpn
07:32 < XATRIX> hi guys
07:33 < XATRIX> i've got a problem, my openvpn can't handle stable connection to my work server
07:33 < XATRIX> i don't know why... i didn't change any settings for a long time
07:33 < XATRIX> i'll give you a log in a sec
07:34 < XATRIX> take a look please
07:34 < XATRIX> http://pastebin.com/d679fd7ef
07:35 < XATRIX> it actually establishes connection, but it resets after a few seconds
07:53 < |Mike|> cron2: openvpn-dev does ipv6, but can it also handle dual stack?
07:53 < |Mike|> XATRIX: sorry, can't help you with that. Maybe a firewall issue somewhere?
07:53 < |Mike|> or routation even.
08:10 < cron2> |Mike|: there's actually two feature branches in there - one is "do OpenVPN over IPv6 packets" (transport) and the other one is "do IPv6 inside an OpenVPN tun" (payload).
08:10 < cron2> Both are in -allmerged, and that's what the openvpn-devel packets will have
08:11 < cron2> and "payload" will of course handle v4+v6
08:20 -!- XATRIX [~XATRIX@94.244.27.12] has left ##openvpn []
08:29 -!- dazo is now known as dazo_afk
08:33 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
08:44 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
08:47 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
08:55 -!- steak__ [~alex@fire.perspectix.com] has joined ##openvpn
08:56 < steak__> !welcome
08:56 < vpnHelper> steak__: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:56 < steak__> !route
08:56 < vpnHelper> steak__: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:58 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
09:01 < steak__> ‬!iporder
09:02 < steak__> !topology
09:02 < vpnHelper> steak__: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
09:02 < steak__> !/30
09:02 < vpnHelper> steak__: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
09:02 < steak__> Hi all
09:03 < steak__> I have set up openvpn per the howto published on the website and everything is running fine, remote clients can connect to the VPN server and access the "office" network without issues.
09:03 < |Mike|> cron2: okay, thanks for the information.
09:04 < steak__> However, I would like to be able to access those remote clients from a workstation in the office, but I am not able to understand how can I access them - the vpn server is not on the gateway, but the gateway is forwarding all the requests for the VPN subnet to the vpn server 
09:05 < steak__> this seems to work, because in a traceroute I see that the last working hop is the openvpn server
09:05 < steak__> so I am assuming that my issue is in the internal routing of the openvpn server... I have enabled ip forwarding (it's a linux box), tried various ways with iptables but I am not able to get through it... any ideas?
09:06 < rob0> Your answer is in understanding !route
09:06 < rob0> Each side has to know how to route to the other.
09:07 < steak__>  I have advertised the office network to the vpn clients, so that they can effectively connect to its hosts
09:07 < steak__> and it works
09:07 < rob0> And indeed, it's easier when the gateway is the VPN endpoint, but static routes can fix that problem.
09:07 < steak__> so basically I would have to set up a static route on the vpn server, right_
09:07 < steak__> ?
09:08 < rob0> "Each side has to know how to route to the other."
09:08 < steak__> ... and by trying to understand this statement, I guess the client needs a static route as well :P
09:09 < rob0> bingo
09:10 < steak__> so for a practical example, to make sure that a host inside of the office network can (for instance) ssh to a remote workstation through the vpn, the office infrastructure needs to point to the VPN box for the VPN subnet and the remote client has to know how to get to the office network
09:10 < rob0> zackly
09:10 < steak__> zackly?
09:10 < steak__> I assume it stands for "exactly" :)
09:11 < rob0> (exactly)
09:11 < steak__> ok :)
09:11 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:11 < steak__> so the static route goes on the client as well... this is something I was not considering
09:11 < steak__> also because the VPN is a single subnet, I am not doing LAN-to-LAN
09:11 < rob0> well, it might work to set it on the gateways
09:11 < havoc> ah, lessons in routing
09:11 < steak__> hi havoc, yes :)
09:12 < rob0> but it WILL work if set on all hosts who need to use (or be used over) the VPN.
09:12 < steak__> well in my setup the remote workstation could be anywhere, so I can't say I will always be in control of the physical gateway.
09:13 < steak__> ok, so client in office lan needs to know who handles VPN subnet (openvpn server), remote workstation needs to know who handles office subnet (office gateway)
09:13 < steak__> let me try
09:15 < rob0> routes set on gateway: host sends VPN packets to gateway, gateway forwards and sends icmp-host-redirect packet to sending host. Ideally at that point the host knows to send further packets direct to the VPN peer.
09:16 < rob0> IME this does not always work, some IP implementations (cough Windows cough) are not so smart.
09:16  * steak__ is Linux server and OsX client
09:17 < rob0> Also, some crappy routers don't know how to send host-redirect messages.
09:31 < reiffert> Some windows machines dont know how to handle icmp redirection messages ...
09:32 < reiffert> mostly firewall related.
09:39 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
09:55 -!- steak__ [~alex@fire.perspectix.com] has quit [Quit: Leaving]
09:57 -!- acaso [~acaso@acaso.dsi.unive.it] has joined ##openvpn
09:58 -!- rob0 [~rob0@tuxaloosa.org] has quit [Ping timeout: 246 seconds]
09:58 -!- rob0 [~rob0@tuxaloosa.org] has joined ##openvpn
10:20 -!- acaso [~acaso@acaso.dsi.unive.it] has quit [Quit: ciao!]
10:23 < sparch> I love OpenVPN
10:31 -!- rob0 [~rob0@tuxaloosa.org] has quit [Ping timeout: 245 seconds]
10:37 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 252 seconds]
10:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
10:50 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
10:50 -!- rob0 [~rob0@tuxaloosa.org] has joined ##openvpn
10:59 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
11:12 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
11:32 < ecrist> \o
11:38 < fahadsadah> I have LDAP authentication
11:38 < fahadsadah> How do I make it so clients don't need their own certificates or keys, just a copy of my cert?
11:46 < fahadsadah> !tls
11:46 < vpnHelper> fahadsadah: Error: "tls" is not a valid command.
11:46 < fahadsadah> !noauth
11:46 < vpnHelper> fahadsadah: Error: "noauth" is not a valid command.
11:46 < fahadsadah> !auth
11:46 < vpnHelper> fahadsadah: Error: "auth" is not a valid command.
11:50 < ecrist> fahadsadah: there's information in the man page
11:50 < ecrist> !man
11:50 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
12:01 < upb> fahadsadah: copy of your cert ?:P
12:01 < upb> sounds like you're using PKI for the wrong purpose :D
12:18 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
12:27 -!- Blues-Man [~bluesman@host105-117-dynamic.27-79-r.retail.telecomitalia.it] has joined ##openvpn
12:31 -!- Kaspx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
12:31 -!- mode/##openvpn [+v Kaspx] by ChanServ
12:33 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 256 seconds]
12:34 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 252 seconds]
12:37 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
12:37 -!- mode/##openvpn [+v openvpn2009] by ChanServ
12:45 -!- traceback0 [~traceback@adsl-99-186-40-132.dsl.pltn13.sbcglobal.net] has quit [Read error: Connection reset by peer]
12:46 -!- traceback0 [~traceback@adsl-99-186-40-132.dsl.pltn13.sbcglobal.net] has joined ##openvpn
13:09 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
13:21 -!- philtar [~rashed202@67.205.245.208] has joined ##openvpn
13:21 < philtar> Does anyone know how resource intensive openvpn is?
13:22 < rob0> It can be used on small embedded devices. Not for a whole lot of traffic, but it is supported by projects like openwrt.
13:23 < rob0> If you're going to have a large userbase and a lot of traffic, you would want a real computer handling it.
13:24 < Bushmills> philtar: about 2...3 meg of RAM
13:24 < philtar> What do you mean by real computer?
13:24 < philtar> I'm thinking of a user base in the thousands with bridging.
13:24 < Bushmills> CPU depends.  compressing server will be loaded higher than decompressing client
13:25 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
13:25 < philtar> "Your problem is your firewall, really" lol
13:25 < rob0> "Real computer" as opposed to a "small embedded device" such as openwrt typically runs on.
13:26 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
13:26 < philtar> Ohh. Yeah that's not an issue.
13:26 < rob0> With thousands of users, surely there's revenue for a powerful machine or cluster.
13:26 < philtar> Well, that's my overly optimistic thinking.
13:27 < philtar> I'm just looking for a rough guideline somewhere. Something like "an x proc with y memory will handle x users."
13:27 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
13:28 < rob0> Thousands before you have asked the same question, in OpenVPN as in other projects. The thing is, no concrete answers to those questions have ever been possible.
13:29 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
13:29 < rob0> I'm using a Phenom quad, 4GB RAM, two, count-'em two, clients, easy peasy.
13:30 < rob0> I'm sure it could scale up to the point that my Internet connection would no longer be usable for anyone.
13:31 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:34 < rob0> Oh, and IIUC the quad core provides little if any benefit; the whole thing is running in a single thread on a single core.
13:35 < rob0> People who are interested in development of OpenVPN have been talking about multithreading support.
13:36 < tw> It doesn't sound like you'd benefit from MT support much over simply running 2 servers with very similar configs (ie, port number difference with an include for the common bits)
13:49 -!- Blues-Man [~bluesman@host105-117-dynamic.27-79-r.retail.telecomitalia.it] has quit [Quit: Sto andando via]
14:02 < rob0> Again, I'm sure my userbase could grow on the single-threaded server, far beyond what my Internet connection could handle. Point being: hardware is rarely the limiting factor.
14:13 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
14:25 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 256 seconds]
14:48 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:59 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
15:04 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
15:15 -!- sparch [~daniel@pdpc/supporter/active/sparch] has quit [Quit: I used to have a drinking problem.  Now I love the stuff.]
15:21 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
15:26 -!- traceback0 [~traceback@adsl-99-186-40-132.dsl.pltn13.sbcglobal.net] has quit [Quit: traceback0]
15:44 -!- traceback0 [~traceback@user-64-9-237-17.googlewifi.com] has joined ##openvpn
15:49 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
15:51 -!- BoomSie [~gideon@84-245-27-118.dsl.cambrium.nl] has joined ##openvpn
15:57 < jeffl> Hey guys
15:58 < jeffl> Is there anyone familiar with pushing a static ip to a client with th epfsense implementation of openvpn?
16:00 < Bushmills> !ccd
16:00 < vpnHelper> Bushmills: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
16:01 < Bushmills> no idea about epfsense, but options shouldn't be different, i guess
16:01 < jeffl> There isn't a ccd directory
16:01 < jeffl> but there is a client specific config page
16:01 < Bushmills> that may mean that you haven't created one
16:01 < jeffl> Most of the config is supposed to be done through the gui
16:02 < jeffl> the issue I have is that on the custom client config page, you have to give it an address pool in cidr notation..
16:02 < Bushmills> can't help you with that
16:02 < jeffl> and now it keeps assigning the client 8.1 with an 8.2 gw
16:02 < jeffl> which doesn't work because the server is 8.1
16:02 < Bushmills> that sounds right
16:02 < Bushmills> but that client gets 8.1 doesn't
16:03 < jeffl> doesn't what?
16:03 < Bushmills> the client+1 address should be right
16:03 < Bushmills> but client should be 8.5 or so
16:03 < jeffl> yeah, but if the servers Interface on that lan is 8.1 and the remote ip is 8.1 it isn't gonna work
16:04 < Bushmills> must be the joy of using configuration GUIs
16:04 < jeffl> yeah :/
16:04 < Bushmills> pretty but inefficient
16:05 < jeffl> You would think but most people who have configured a lot of servers prefer a config file
16:05 < jeffl> yeah..
16:05 < jeffl> Thing is, I only have one machine on this vpn connection
16:05 < jeffl> just need to make sure it's ip is static
16:06 < Bushmills> other problem with GUI is that not that many people can help you.
16:06 < Bushmills> makes it more difficult to tell what you actually set up
16:06 < jeffl> haha yeah
16:06 < Bushmills> "i clicked here and there and result is that it doesn't quite work" makes diagnosing somewhat tricky
16:07 < Bushmills> and most of the more experienced folks here are not GUI users. those are the ones you actually want an answer from.
16:14 < jeffl> Yeah.
16:14 < jeffl> Is there a way to define an 8.5/6 range in cidr?
16:16 < Bushmills> 4..7 
16:17 < rob0> Only one other endpoint, I wouldn't even bother with a server/client. Peer mode is easier.
16:18 < rob0> Server only makes sense with multiple clients.
16:19 < jeffl> rob0: I'm not entirely sure how to configure that 
16:19 < rob0> See the 1.x howto
16:20 < Bushmills> "... using the GUI" :P
16:20 < rob0> ah, well I bet not, then.
16:21 < jeffl> yeah :/
16:21 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has joined ##openvpn
16:21 < rob0> There's one configuration GUI that I respect: Samba's SWAT.
16:22 < jeffl> and you cna't edit instance.conf because it's overwritten.. it's generated from an xml file created by the gui
16:22 < Bushmills> in fact, many people use config GUIs, which are a bit less specific for one program. They are called "editors"
16:23 < rob0> Because SWAT is basically just a connection between the HTML man page and the admin. If you want to see how to configure any item, click the help, it takes you there.
16:23  * jeffl *sighs*
16:23 < jeffl> I changed the address pool of this server
16:23 < jeffl> and the client gets a diff ip now
16:23 < jeffl> but the gateway is still 8.1
16:23 < jeffl> err, 8.2
16:24 < jeffl> Is there a cache somewhere that would cause it to keep using 8.2?
16:49 -!- asand [~asand@pr-66-150-46-254.wgate.com] has joined ##openvpn
16:51 < asand> Can anyone help with a newbie question?
16:51 < hyper_ch> !welcome
16:52 < vpnHelper> hyper_ch: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:52 < asand> !howto
16:52 < vpnHelper> asand: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:56 < asand> is there a community server?  Or is the commercial-as release the only server available?
16:56 < hyper_ch> what do you mean by community server?
16:58 < asand> non-commercial - I'll build from source if need be.  It appears to me that the openvpn package available (for fedora in my case) is only the client side.   And it appears that the server side (-as) requires a commercial purchase of keys beyound the two free to get started.
16:59 < hyper_ch> asand: ???
16:59 < hyper_ch> did you have a look at the openvpn.net homepage and the downloads?
16:59 < asand> and the -as release stops at fedora 10.  It is not available for F11 or F12
16:59 -!- philtar [~rashed202@67.205.245.208] has left ##openvpn []
17:00 < asand> yes, i'm looking now but it is not clear to me whether the dnld's are client only or client & server
17:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
17:01 < hyper_ch> there is no client/server specific package
17:01 < hyper_ch> it all depends how you setup the config
17:01 < asand> ahh,...  OK then!
17:02 < Bushmills> keys/certs you can make yourself
17:02 < hyper_ch> the howto has a link to easy-rsa
17:02 < hyper_ch> or is included in the howto itself
17:03 < Bushmills> or i can sell you some :D
17:03 < asand> lol - OK thanks!
17:12 -!- BoomSie [~gideon@84-245-27-118.dsl.cambrium.nl] has quit [Ping timeout: 276 seconds]
17:17 < asand> Thanks guys - the howto does in-fact answer my questions.
17:19 < Bushmills> there it goes, the quick cash :(
17:19 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
17:23 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
17:27 -!- d_sun [~x@borg.medozas.de] has joined ##openvpn
17:34 -!- asand [~asand@pr-66-150-46-254.wgate.com] has quit [Quit: Leaving]
17:34 -!- BoomSie [~gideon@84-245-27-118.dsl.cambrium.nl] has joined ##openvpn
17:35 -!- BoomSie [~gideon@84-245-27-118.dsl.cambrium.nl] has quit [Client Quit]
17:40 -!- zero-__ [~zero@noc.toile-libre.net] has quit [Read error: Connection reset by peer]
17:40 -!- zero-_ [~zero@noc.toile-libre.net] has joined ##openvpn
17:49 -!- Overand [overand@crappy.domain.name] has left ##openvpn []
18:01 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
18:12 -!- le0 [~tehle0@unaffiliated/le0] has quit [Read error: Connection reset by peer]
18:29 -!- Netsplit *.net <-> *.split quits: traceback0, simplechat
18:30 -!- Netsplit over, joins: simplechat
18:43 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 256 seconds]
18:48 -!- lbt [~david@Maemo/community/contributor/lbt] has quit [Ping timeout: 252 seconds]
18:59 -!- Dougy [~me@ool-435033e6.dyn.optonline.net] has joined ##openvpn
19:01 < Dougy> voice recognition is cool
19:01 < Dougy> I wish it was easier to configure
19:01 < Dougy> But it will work well for this
19:01 < Dougy> It works great for chatting
19:01 < Dougy> Unfortunately for me it doesn't like outlook as much as it likes mIRC
19:09 < Bushmills> yes, very nice to wreck a nice beach
19:10 -!- Gnewt [~hackerlet@li57-94.members.linode.com] has joined ##openvpn
19:10 < Gnewt> How do I get one client to share one other host on the network with the VPN?
19:11 < Dougy> What do you mean
19:11 < Dougy> Please explain better
19:11 < Dougy> Thank you
19:11 < Bushmills> !route
19:11 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
19:11 < Gnewt> serenity is 10.8.0.3 and I want 10.8.0.4 to point to serenity's 192.168.1.1
19:11 < Gnewt> thanks Bushmills 
19:12 < Bushmills> uw
19:13 < Gnewt> hmm that page isn't clear on how to add an extra route to exactly one client
19:23 < Dougy> ccd can do that
19:29 -!- Morgan_Phoenix [~macbabe@CPE-24-166-141-95.new.res.rr.com] has joined ##openvpn
19:30 < Morgan_Phoenix> hrm
19:30 < Morgan_Phoenix> I forgot how to create a tun device
19:30 -!- tjz [~pc@bb219-74-104-21.singnet.com.sg] has joined ##openvpn
19:30 -!- tjz [~pc@bb219-74-104-21.singnet.com.sg] has quit [Changing host]
19:30 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
19:31 -!- pdt [~ptinsley@99-0-36-187.lightspeed.mrbotn.sbcglobal.net] has joined ##openvpn
19:32 < Morgan_Phoenix> http://pastebin.ca/1806268
19:35 -!- krphop_ is now known as krphop
19:35 < rob0> In Linux (I know you're not Linux) that would mean that the tun driver is not loaded. Maybe google "load tun driver mac" and variants, will help.
19:36 < Morgan_Phoenix> k thanks
19:37 < rob0> and hang around, there might be Mac folks around eventually. (Or, hop on over to a mac place and ask them.)
19:37 < pdt> I have a working openvpn setup going from us to france connection is around 150ms latency, latency through vpn is 2-3x native traffic.  For kicks I wanted to try udp vs tcp to see if that had any effect.  Converting server/client to udp vs tcp they won't connect I get tls negotiation failed to occur with in 60 seconds.  Both sides have lots of horsepower and are not loaded down, so that doesn't seem to be source of latency. The 
19:37 < pdt> side is behind a nat, server side is in a checkpoint dmz.  so a few questions, am I even heading down the right path for removing the latency?  Is that much latency to be expected with openvpn? any ideas on why udp would fail where tcp worked?
19:37 < pdt> by us i mean USA
19:38 < rob0> The tunnel *was* TCP and is now UDP?
19:38 < rob0> !tcp
19:38 -!- kyrix [~ashley@41.92.4.16] has joined ##openvpn
19:38 < vpnHelper> rob0: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
19:38 < pdt> yes, tried to go from tcp to udp
19:39 < pdt> got the negotiation message
19:39 < pdt> switch both sides back to tcp, works
19:39 < rob0> /topic, "Your problem is your firewall, really."
19:40 < pdt> I believe so as well, thats why I mentioned that it was checkpoint.  No rules on the CP side that would affect the traffic and we even completely turned off "smart defense"
19:40 < pdt> same result
19:40 < pdt> ever heard of any strangeness going through checkpoint?
19:42 < rob0> I don't even know what "checkpoint" is.
19:42 < rob0> You want to allow in 1194/udp, or whatever nonstandard port you have chosen.
19:50 -!- uchimata [~uchimata@HSI-KBW-078-043-160-035.hsi4.kabel-badenwuerttemberg.de] has quit [Ping timeout: 246 seconds]
19:52 < Morgan_Phoenix> yep, that did the trick.
19:53 < Morgan_Phoenix> I installed the tuntap package from sourceforge
19:53 < Morgan_Phoenix> thanks again
19:54 -!- uchimata [~uchimata@HSI-KBW-095-208-192-010.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
19:59 < rob0> yw
20:10 -!- kyrix [~ashley@41.92.4.16] has quit [Read error: Connection reset by peer]
20:49 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
20:55 -!- Dougy [~me@ool-435033e6.dyn.optonline.net] has quit []
21:27 < tjz> ecrist, r u there?
21:27 < tjz> want to ask about cacti..
21:27 < ecrist> yes, what's up?
21:27 < ecrist> PM me
21:28 < tjz> ok
21:34 -!- Mehdi [flang@64.85.172.128] has joined ##openvpn
21:34 < Mehdi> what version of OpenVPN can I use with cygwin?
21:35 < ecrist> any
21:36 < Mehdi> oic, because i see 4 specific platforms on their website
21:36 < ecrist> not sure what you mean, but this isn't #cygwin
21:39 < rob0> I doubt it would work under cygwin, and even if it did, what's the benefit over using the native openvpn.exe?
21:40 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Ping timeout: 256 seconds]
21:41 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
21:47  * ecrist goes to bed.
22:08 < Mehdi> any ideas as to what the default user/pass is for the webclient?
22:08 < Mehdi> I'm using the vmware copy of openvpn, and it never prompted at install
22:13 < Mehdi> found it: http://support.openvpn.net/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=91
22:13 < vpnHelper> Title: OpenVPN - Powered by Kayako SupportSuite Help Desk Software (at support.openvpn.net)
22:23 -!- Section58 [~steve@78-86-206-81.zone2.bethere.co.uk] has joined ##openvpn
22:37 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:33 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
23:56 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 246 seconds]
--- Day changed Tue Feb 23 2010
00:59 -!- balboah [~johnny@joonix.se] has quit [Read error: Connection reset by peer]
01:01 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has quit [Quit: Leaving]
01:05 -!- balboah [~johnny@joonix.se] has joined ##openvpn
01:12 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:12 -!- mode/##openvpn [+o mattock] by ChanServ
01:26 -!- lbt [~david@Maemo/community/contributor/lbt] has joined ##openvpn
01:31 -!- dazo_afk is now known as dazo
01:42 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Remote host closed the connection]
02:03 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
02:27 < jmm> hi.
02:49 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
02:51 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 256 seconds]
03:07 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
03:08 -!- master_of_master [~master_of@p57B57DFA.dip.t-dialin.net] has quit [Ping timeout: 248 seconds]
03:10 -!- master_of_master [~master_of@p57B55D0C.dip.t-dialin.net] has joined ##openvpn
03:16 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
03:24 -!- acaso [~acaso@acaso.dsi.unive.it] has joined ##openvpn
03:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:37 < acaso> hi, i've some problem with openvpn and bridging: i can connect to server, i can ping the server and other clients on the vpn, but i cannot ping other hosts on the bridged physical network. My config is here: http://pastebin.com/d3f738ae6
03:38 < acaso> there's no firewall, and from the server i can ping other hosts on the physical network
03:39 < acaso> it seems that bridging between eth1 and tap0 isn't working, but brctl says that it is
04:50 -!- i-pink [~i-pink@bzq-79-177-185-83.red.bezeqint.net] has joined ##openvpn
04:51 < i-pink> hii all
04:51 < i-pink> i try to config the openvpn on XP 
04:51 < i-pink> and i cant set a USER and PASS
04:53 < i-pink> i teke the samples file and i put it in the config directory.. 
04:54 < i-pink> someone here?
04:54 < jmm> hi pink.
04:54 < jmm> infortunatly I don't use windows, it give me gazes.
04:55 < i-pink> hehe..
04:55 < i-pink> but the server is Windows, and all the users work with linux..
04:56 < i-pink> jmm, to config it on Windows.. is not the same as linux?
04:56 < jmm> I think it should be quite the same.
04:57 < i-pink> if i want to set USER in the OPENVPN.. how i  do it?
04:58 < jmm> I make a key for it, and edit some routes that he will need.
04:59 < i-pink> what do you mean? edit some routes???
04:59 < jmm> openvpn can setup routes for the clients, so when I add a client I sometimes have to add routes to be pushed on the server.
04:59 -!- acaso [~acaso@acaso.dsi.unive.it] has left ##openvpn ["bye"]
05:00 < i-pink> you can gaide me step by step how to set the server in the openvpn
05:01 < jmm> documentation on openvpn's website is cool for starter.
05:01 < jmm> I can help, but I won't do it for you. or you'll to pay for that :)
05:02 < i-pink> hehe i am 3 days try to understend it..
05:02 < jmm> hehe.
05:02 < jmm> are you following a specific tutorial ?
05:03 < i-pink> i am in the HOW TO in th e openvpn site..
05:03 < jmm> it's a good one. where are you stuck ?
05:04 < i-pink> i'm install the openvpn and i try to make it server
05:04 < i-pink> how i set users?
05:05 < jmm> you sign their key.
05:05 < jmm> I think you can use passwords too, but I did not tried.
05:06 < jmm> can you show your openvpn config ? both on server and on client 
05:06 < i-pink> mmm what is the consept of openvpn?
05:06 < jmm> um ?
05:07 < i-pink> if i try to make SERVER is ask for getway.. 
05:07 < jmm> I don't undestand well.
05:08 < i-pink> i need to put the IP of the compeuter in the server settings
05:08 < i-pink> i back in 1 hour..
05:08 < i-pink> BRB :-)
05:08 < jmm> cya.
05:11 -!- kyrix [~ashley@41.92.12.114] has joined ##openvpn
05:19 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
05:21 -!- rgubler [rob@happybox.org] has joined ##openvpn
05:22 < rgubler> !welcome
05:22 < vpnHelper> rgubler: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:22 < insane^> !redirect
05:22 < vpnHelper> insane^: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
05:22 < insane^> !route
05:22 < vpnHelper> insane^: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
05:28 < rgubler> hello, i have a question based on curiosity.. my configuration is working. i have an openvpn server, and 2 clients. the server is configured to use a bridge and tap devices.  the bridge device is local, and is not bridged with any real ethernet devices.  when both clients connect i can ping between hosts over the ovpn assigned ips, and the latencies are twice as big as the latencies are when pinging the ovpn server ip.  however, when i look at the tx/rx packet 
05:30 < hyper_ch> rgubler: all traffic goes through the openvpn server
05:30 < hyper_ch> if you want to to connect from client1 to client2 it's:  client1 -> openvpn server -> client2
05:31 < rgubler> hyper_ch: ok, thanks for the clarification.. that is what i suspected.. do you know why i don't see the traffic hit the bridge device, or the tap devices for the cooresponding clients?
05:31 < hyper_ch> so, pinging client1 -> client2 would take double latency compared to client1 -> openvpn server I think
05:31 < hyper_ch> rgubler: no clue about that :)
05:31 < rgubler> hyper_ch: all devices are set in promiscuous mode
05:32 < rgubler> hyper_ch: ah, ok :)
05:35 < rgubler> i suppose its possible ovpn recognizes that the clients are talking to each other and not the server, and thus it bypasses the tap devices / bridge device for performance gain
05:36 < rgubler> although that doesn't seem very desirable
05:39 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 248 seconds]
05:52 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:03 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
06:03 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
06:03 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
06:06 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Connection reset by peer]
06:06 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
06:06 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
06:06 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
06:19 < i-pink> jmm, Back :-)
06:30 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:35 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
06:35 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
06:35 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
06:35 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
06:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
06:40 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 256 seconds]
06:51 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:57 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:58 -!- Section58 [~steve@78-86-206-81.zone2.bethere.co.uk] has quit [Ping timeout: 265 seconds]
07:06 -!- Tophat [~Tophat@unaffiliated/tophat] has joined ##openvpn
07:09 -!- i-pink_ [~i-pink@bzq-79-177-185-83.red.bezeqint.net] has joined ##openvpn
07:11 -!- i-pink [~i-pink@bzq-79-177-185-83.red.bezeqint.net] has quit [Ping timeout: 256 seconds]
07:12 -!- pdt [~ptinsley@99-0-36-187.lightspeed.mrbotn.sbcglobal.net] has quit [Quit: pdt]
07:16 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 256 seconds]
07:19 -!- i-pink__ [~i-pink@bzq-79-177-185-83.red.bezeqint.net] has joined ##openvpn
07:22 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
07:22 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
07:22 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
07:22 -!- i-pink_ [~i-pink@bzq-79-177-185-83.red.bezeqint.net] has quit [Ping timeout: 256 seconds]
07:27 < Tophat> when configuring the server i have to have the ./pkitool hostname
07:27 < Tophat>  command, but i have to know the clients hostname ?  is there a way to do a generic VPN setup and have the server create a vpn file that i can add to a windows client that will have the correct information to connect to the network without worrying about hostnames 
07:28 -!- i-pink__ [~i-pink@bzq-79-177-185-83.red.bezeqint.net] has quit [Ping timeout: 240 seconds]
07:31 -!- Signum [~Signum@debian/developer/pdpc.active.haas] has left ##openvpn []
07:37 -!- i-pink [~i-pink@bzq-79-177-185-83.red.bezeqint.net] has joined ##openvpn
07:40 < havoc> Tophat: don't use pki?
07:40 < havoc> I just use a key and tls
07:43 < Tophat> ><
07:43 < Tophat> just slicked my openvpn stuff anyways, starting from stratch -- but now i know i dont ahve to use a pki!  :] thanks havoc 
07:45 < havoc> just follow the howto
07:45 < havoc> then add the DH params and TLS auth
07:46 < havoc> you're using easy-rsa, right?
07:46 < Tophat> si
07:46 < havoc> is server windows or linux?
07:46 -!- i-pink [~i-pink@bzq-79-177-185-83.red.bezeqint.net] has quit [Ping timeout: 256 seconds]
07:47 < Tophat> havoc - server is ubuntu 9.10.  i followed their guide which pretty much broke down to using pki
07:47 < havoc> better: http://openvpn.net/index.php/open-source/documentation/howto.html
07:47 < vpnHelper> Title: HOWTO (at openvpn.net)
07:48 < havoc> Tophat: first thing is edit easy-rsa/2.0/vars
07:48 < havoc> and possibly easy-rsa/2.0/openssl.cnf
07:48 < havoc> then . vars
07:48 < havoc> ./build-ca
07:48 < havoc> ./build-key-server
07:49 < havoc> ./build-dh
07:49 < havoc> and "openvpn --genkey --secret ta.key" for TLS auth
07:50 < havoc> Tophat: start here: http://openvpn.net/index.php/open-source/documentation/howto.html#pki
07:50 < vpnHelper> Title: HOWTO (at openvpn.net)
07:50 < havoc> Tophat: and then skip to here for the TSL auth and CRL stuff: http://openvpn.net/index.php/open-source/documentation/howto.html#security
07:50 < Tophat> yeah ive got all that done, just not sure what to do after configuration of the server
07:50 < vpnHelper> Title: HOWTO (at openvpn.net)
07:51 < havoc> ah
07:51 < Tophat> i think the hostname bit just threw me off a bit
07:51 < havoc> just ./build-key <client name>
07:51 < Tophat> ah...
07:51 < Tophat> ><
07:51 < havoc> hostname is common-name
07:51 < havoc> I also use a ccd
07:51 < havoc> client-config-dir
07:52 < havoc> it's an easy way to control client access w/o a CRL
07:52 < havoc> I just touch a file in that dir w/ the client's key's name
07:52 < havoc> e.g. ./build-key host.domain.com
07:53 < havoc> and all the opts you pass during nuild-key can be set in vars
07:53 < havoc> in easy-rsa/vars that is
07:53 < Tophat> sounds like ive got a lot of reading to do
07:53 < Tophat> lol
07:53 < havoc> it's very cool once it clicks
07:54 < havoc> I use openvpn for a *lot* of stuff
07:54 < havoc> I have many tap/tun ifaces per install too
07:54 < Tophat> yeah ive gotta get the bridging setup as well.  just gonna have to sit down tonight and read over all this stuff
07:55 < havoc> 3 of my installs listen on at least 2 ports
07:55 < havoc> I used to run a few bridged setus, no more, all routed now
07:56 < Tophat> if i just need remote desktop or to run an application i need it to be bridged right ?
07:56 < havoc> no
07:57 < Tophat> so routed is the way to go ?
07:57 < havoc> usually
07:57 < havoc> it's definitely more flexible, and scalable
07:58 < Tophat> what about having multiple subnets say my vpn is 10.1.1.0/24 and my servers are one 10.2.2.0/24 .. they should be able to talk no issues eh ?
07:59 < Tophat> and the openvpn server maybe on 10.3.3.0/24
07:59 < havoc> if you have the routes setup right, yes :)
07:59 < havoc> just like routing anything else
07:59 < Tophat> whoohoo :]
08:00 < Tophat> thanks for all your help havoc -- been very informative
08:00 < havoc> I also use external dhcp on everything
08:00 < havoc> e.g. windows dhcp for the AD domain at the office
08:00 < havoc> and I use dhcp3-relay on the linux box running ovpn to relay the requests
08:01 < Tophat> so you can have the windows server dhcp be the dhcp for the vpn users as well ?  nice
08:02 < havoc> yes
08:02 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
08:02 < havoc> and even have it update the dns :)
08:02 < havoc> ...and wins
08:02 < havoc> but you probably already know that you need WINS for cross-subnet "browsing" w/ windows
08:03 < havoc> which I do on win2k3 at the office, and w/ samba at home
08:06 -!- incorrect [~fwest@78-33-42-140.static.enta.net] has joined ##openvpn
08:07 < Tophat> yeah, i tried to move away from wins, but had too many legacy apps requiring it.
08:07 < havoc> same.
08:09 -!- i-pink [~i-pink@109.67.184.68] has joined ##openvpn
08:09 < incorrect> can i allow someone to connect with the same cert more than once?
08:10 < Tophat> thats incorrect
08:10 < Tophat> ahh, i love usernames :]
08:13 < incorrect> duplicate-cn ?
08:14 < incorrect> that should do it
08:14 < havoc> incorrect: yup, that's it
08:15 < incorrect> that should do it
08:15 < incorrect> thanks
08:15 < rob0> uh, but it's a bad idea.
08:16 < havoc> yes, not recommended
08:18 < incorrect> why is that?
08:19 < havoc> it's like having all your users use the same username/password
08:19 < incorrect> i have users use their username and password from ldap
08:19 < rob0> Imagine having to revoke it, for one thing.
08:19 < havoc> rob0: right, same as if your one user account gets compromised
08:20 < rob0> Also, it causes confusion when the same actual client reconnects.
08:20 < havoc> you can't control or monitor/log each client
08:20 < rob0> openvpn doesn't know which one is real
08:20 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
08:21 < rob0> It costs nothing but time (and little of that) to generate more certs.
08:21 < rob0> I think all this is covered in the howto.
08:21 < havoc> the howto is a monster, but has almost everything you could need to know
08:34 -!- chilicuil [~sistemas@unaffiliated/chilicuil] has joined ##openvpn
08:40 -!- krphop [~krphop@74-82-160-100.take2hosting.com] has joined ##openvpn
08:40 < incorrect> rob0, its just that one users want to connect in twice at the same time
08:41 < incorrect> so i figure if i want to revoke him i revoke his cert and it kills both his clients
08:44 < havoc> is he connecting from different machines?
08:46 < rob0> If one is a more or less static connection, from home, and the other is a laptop which roams, I'd definitely want him to use two certs.
08:46 < rob0> shouldn't be difficult to configure LDAP to allow the same password.
08:47 < rob0> If he's connecting two machines from the same place to the same VPN, he just needs to GAFC about networking. :)
08:56 -!- i-pink_ [~i-pink@109.67.184.68] has joined ##openvpn
09:00 -!- i-pink [~i-pink@109.67.184.68] has quit [Ping timeout: 256 seconds]
09:06 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:07 < chilicuil> Hi, I've set up an openvpn server (using a tap device) and everything is working great, it's pretty good how I can access to any client and its services without needing extra routes, but still I'm having a little issue, when any client connects to the server it loses access to internet, I mean they're unable to connect to google.com or any other website, I've run traceroute to see what's going on, and this is what I get: http://pastebin.com/ya
09:07 < rob0> !bridge
09:07 < vpnHelper> rob0: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for anything where the protocol uses MAC addresses instead of IP addresses.
09:07 < vpnHelper> rob0: (but not samba, see !wins)
09:08 < rob0> looks like a cut-off pastebin URL
09:10 < chilicuil> ok, I'm gonna re-read the bridge section, rob0, thx
09:16 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
09:21 -!- Tophat [~Tophat@unaffiliated/tophat] has quit [Ping timeout: 256 seconds]
09:25 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:40 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
09:45 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 252 seconds]
09:54 -!- kyrix [~ashley@41.92.12.114] has quit [Ping timeout: 276 seconds]
10:01 -!- BoomSie [~gideon@dw77242112238.amsterdam-tc.dataweb.net] has joined ##openvpn
10:05 -!- paul [~paul@2a01:348:1f9:feed:74e0:d75a:2112:d3da] has joined ##openvpn
10:08 -!- daemon [~paul@2a01:348:1f9:feed:dddc:6125:d304:46f7] has quit [Ping timeout: 256 seconds]
10:52 < Mehdi> by default, what ports must I open to give access to a my OpenVPN client?
10:53 < Mehdi> oh, actually I see the problem now
10:54 < Mehdi> can i configure my VPN server IP to the same as my Interface IP?
10:55 < hyper_ch> Mehdi: what do you mean?
11:00 < Mehdi> nevermind
11:00 < Mehdi> actually, my main question is... what ports do I need open, on my OpenVPN to use it correctly
11:00 < Mehdi> I believe just one, which I specify, ie: 443?
11:07 < hyper_ch> what did you specify in the openvpn server conf?
11:07 -!- dazo is now known as dazo_afk
11:09 -!- i-pink__ [~i-pink@bzq-79-180-184-195.red.bezeqint.net] has joined ##openvpn
11:11 < rob0> The HOWTO assumes you're familiar with basic networking concepts. The default port/protocol is 1194/udp, and that port, on the server, should be open for any potential clients.
11:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
11:12 -!- i-pink_ [~i-pink@109.67.184.68] has quit [Ping timeout: 256 seconds]
11:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:26 -!- incorrect [~fwest@78-33-42-140.static.enta.net] has quit [Quit: Leaving]
11:29 -!- BoomSie [~gideon@dw77242112238.amsterdam-tc.dataweb.net] has quit [Quit: Ex-Chat]
11:31 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
11:43 -!- Tophat [~Tophat@unaffiliated/tophat] has joined ##openvpn
11:45 < fahadsadah> I'm using OpenVPN to create a bridge to a mesh VPN (home-grown software)
11:46 < fahadsadah> I have 10.156.210.0/26, and other clients on the mesh VPN know to route through me for that subnet
11:46 < fahadsadah> I have a test box connect, which has 10.156.210.10/30 (stupid ifconfig-pool thing)
11:46 < fahadsadah> *connected
11:46 < fahadsadah> I can't ping it
11:47 < fahadsadah> 10.156.210.2    *               255.255.255.255 UH    0      0        0 tun0
11:47 < fahadsadah> 10.156.210.0    10.156.210.2    255.255.255.192 UG    0      0        0 tun0
11:49 < ecrist> no pasting in here, please
11:50 < fahadsadah> Sorry.
11:50 < fahadsadah> Should there be a gateway set?
11:50 < Tophat> how can i get openvpn to use an windows server for dhcp instead of hading out addresses from the server
11:50 < fahadsadah> (10.156.210.2 is my PtP address)
11:51 < ecrist> Tophat: check the man page, it's covered there.
11:55 < fahadsadah> http://gist.github.com/312479
11:55 < vpnHelper> Title: gist: 312479 - GitHub (at gist.github.com)
11:58 < fahadsadah> !welcome
11:58 < vpnHelper> fahadsadah: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:58 < fahadsadah> !route
11:58 < vpnHelper> fahadsadah: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:59 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:59 < fahadsadah> I have to go
12:01 -!- orangey [~orangey@bas1-kingston08-1167877040.dsl.bell.ca] has joined ##openvpn
12:02 < orangey> love the topic : )
12:02 < orangey> i think my problem is firewall ; )
12:03 < orangey> I'm trying to do client -> server -> internet
12:03 < orangey> I turned on ip_forwarding
12:03 < orangey> but is there more?
12:04 < ecrist> NAT
12:04 < orangey> ?
12:07 < ecrist> the internet doesn't know how to get to client.
12:08 < orangey>  iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun0 -j MASQUERADE ?
12:08 < ecrist> no idea, I don't know iptables
12:09 < ecrist> !linnat
12:09 < vpnHelper> ecrist: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
12:09 < ecrist> looks right to me.
12:09 < orangey> thanks
12:19 < rob0> uh ... what? You want to NAT going through the VPN?
12:19 < orangey> rob0: I guess so
12:19 < rob0> -s source range
12:19 < rob0> -o outbound interface
12:19 < orangey> ?
12:19 < rob0> no.
12:19 < orangey> ah ok
12:20 < rob0> You are more likely to want -s to be the VPN IP range, and -o to be the interface of your default route.
12:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 252 seconds]
12:32 -!- orangey [~orangey@bas1-kingston08-1167877040.dsl.bell.ca] has quit [Ping timeout: 240 seconds]
12:34 -!- orangey [~orangey@bas1-kingston08-1167877040.dsl.bell.ca] has joined ##openvpn
12:34 -!- Blues-Man [~bluesman@host62-80-dynamic.37-79-r.retail.telecomitalia.it] has joined ##openvpn
12:35 -!- orangey [~orangey@bas1-kingston08-1167877040.dsl.bell.ca] has quit [Client Quit]
12:40 < Tophat> openvpn require two nics ?
12:42 < hyper_ch> Tophat: no
12:43 < hyper_ch> but you need to create a tap or tun device
12:43 < hyper_ch> or rather openvpn needs to create it
12:49 -!- d_sun [~x@borg.medozas.de] has left ##openvpn []
12:52 < ecrist> it can already exist, openvpn can create it, given permissions, however.
12:53 < Tophat> yeah, i wouldn't recommend trying to use gadmin-openvpn-server
12:58 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
12:58 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
13:02 -!- djscott_ [~djscott@SCHEHERAZADE.MIT.EDU] has joined ##openvpn
13:03 < djscott_> !factoids search *
13:03 < vpnHelper> djscott_: More than 100 keys matched that query; please narrow your query.
13:03 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 268 seconds]
13:04 < djscott_> !welcome
13:04 < vpnHelper> djscott_: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:05 < djscott_> !goal
13:05 < vpnHelper> djscott_: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:07 < djscott_> Hi, I'd like to know if it's possible to authenticate users using pure ticket-based Kerberos. i.e. I don't want to submit my username/password to OpenVPN, just my Kerberos ticket.
13:07 < djscott_> I read about the PAM and LDAP modules, but they require that I send my username/password over the wire.
13:15 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
13:18 < ecrist> yes, how else would they work?
13:18 < ecrist> !durr
13:18 < vpnHelper> ecrist: Error: "durr" is not a valid command.
13:20 -!- Blues-Man [~bluesman@host62-80-dynamic.37-79-r.retail.telecomitalia.it] has quit [Quit: Sto andando via]
13:20 -!- le0 [~tehle0@unaffiliated/le0] has quit [Client Quit]
13:24 -!- paul [~paul@2a01:348:1f9:feed:74e0:d75a:2112:d3da] has quit [Disconnected by services]
13:32 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Quit: Quitte]
13:33 < tw> Probably by taking the krb service ticket that comes over the wire and validating it against the issuing server.  I don't think openvpn supports that kind of authentication mechanism.
13:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:41 < ecrist> tw: you're talking about krb, which relates to, but is not, ldap or pam
13:42 < tw> djscott_ was talking about kerberos and how he had read the doc on those systems.
13:43 < ecrist> tw,  you're right, I was only reading his last line.
13:44  * ecrist puts on dunce cap.
13:44 < tw> Yah, I thought you were a little confused, so I chimed in.  I still don't think it's possible to kerberos auth for openvpn.
13:45 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
13:47 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
13:55 -!- daemon [~paul@2a01:348:1f9:feed:74e0:d75a:2112:d3da] has joined ##openvpn
13:57 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
14:16 < havoc> gah, Authenticate/Decrypt packet error: packet HMAC authentication faile
14:16  * havoc digs
14:23 < havoc> times are correct, keys are the same (even checked MD5sum), WTF?
14:24 < havoc> bah, smoke break
14:24 < |Mike|> weird.
14:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
14:30 -!- traceback0 [~traceback@adsl-99-186-40-132.dsl.pltn13.sbcglobal.net] has joined ##openvpn
14:31 < traceback0> can anyone help me with my vpn, I am trying to connect to servers connected on rackspace via their internal ips, I can traceroute to my gateway but it stops there. doing a tcpdump on "other server" shows no incoming request from the gateway so I can never ping my "other server"
14:32 -!- MadTBone [~MadTBone@160.39.238.196] has joined ##openvpn
14:42 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
14:45 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
14:55 < havoc> |Mike|: yeah, I'll find it eventually
14:57 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:59 -!- Argafal [argafal@users.tokkee.org] has joined ##openvpn
14:59 < Tophat> havoc - im gonna end up using you as a consultant and paying you to help me with whatever in the world im doing wrong lol
15:02 < havoc> heh
15:02 < havoc> I gotta solve my own issues here too :)
15:03 < Argafal> hello. i got a question, probably a dev might know the issue. I augmented a working openvpn.conf by a line socks-proxy and a valid socks5 proxy and port. the error i get is: http://nopaste.info/7af3c84a64.html
15:04 < Argafal> the openvpnconf is: http://nopaste.info/a069e224d8.html
15:09 < cron2> traceback0: I'm sure I've pointed you to !route yesterday already, didn't I?
15:10 < traceback0> yeah and I read that and need additional help, is that ok?
15:10 < havoc> ok, no problem, just a hung win32 process being mental
15:11 < cron2> traceback0: it's almost definitely firewalling filters, ip forwarding not turned on, or missing routes
15:11 < traceback0> cron2: yes and since I am not the most badass sysadmin in the world, I need help.
15:12 < cron2> trackeback0: have you checked these things?
15:12 < traceback0> Yes I have and I am lost
15:14 < cron2> ok, please show "ip route show" on the VPN client, on the VPN server, and on "the other server".  Add to that "iptables -L -n" on the VPN server and the "other server".  Finally, add "sysctl -a |grep forward" on the VPN server.  Put that in pastebin, not in the channel.
15:30 -!- tmwsiy2012 [~tmwsiy@152-20-244-42.rev.uncw.edu] has left ##openvpn []
15:31 -!- Netsplit *.net <-> *.split quits: Rolybrau, MadTBone
15:32 -!- Netsplit over, joins: MadTBone, Rolybrau
15:35 < traceback0> cron2: my client is a mac os x machine
15:36 < cron2> tracekback0: then send "netstat -r -n"
15:38 < traceback0> cron2: http://dpaste.com/163803/
15:38 < djscott_> OK, thanks guys - so not possible to use Kerberos tickets directly? I have to send the username/password to OpenVPN? If I do it this way, is that transmission encrypted?
15:39 < djscott_> The manual mentions that the OpenVPN-KDC connection is encrypted, but doesn't say anything about the client-OpenVPN connection.
15:42 < tw> traceback0: you didn't link the 'sysctl -a | grep forward'
15:42 < cron2> traceback0: so what's the "other server's" IP address that you want to reach?
15:43 < cron2> traceback0: I assume it's 10.176.107.1?
15:44 < traceback0> cron2: tw sorry http://dpaste.com/163808/
15:45 < traceback0> cron2: yes exactly
15:46 < cron2> mmmh.  routing tables are fine.
15:48 -!- Netsplit over, joins: jmm, Argafal
15:48 -!- Netsplit *.net <-> *.split quits: chilicuil, Nappy
15:48 < cron2> the iptables look funny (multiple identically-looking lines?) - but it should permit all
15:48 -!- Netsplit over, joins: Nappy
15:48 -!- chilicuil [~sistemas@189.191.125.112] has joined ##openvpn
15:49 < cron2> could you re-do the iptables with "iptables -L -n -v"?  without -v, the interface dependencies are missing
15:50 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 256 seconds]
15:51 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
15:51 < traceback0> cron2: http://dpaste.com/163817/
15:55 < cron2> ok, your iptables still look funny (you're permitting by-interface traffic between tun0 and eth0, and tun0<->tun0, and in addition to that, traffic from 10.8.0.0/24 to anywhere without interface dependency
15:55 < cron2> there's hits on the 10.8 rule, and no hits on the other rules, so that matches and the packet is forwarded
15:56 < traceback0> i think after a while I just started testing different rules i saw online
15:56 < cron2> on the "other server", the INPUT rules should permit at least ssh, http, https
15:56 < traceback0> cron2: http://dpaste.com/163819/ has the gateway ip rules
15:56 < traceback0> cron2: they do
15:56 < traceback0> i can ssh to it
15:57 < cron2> traceback0: from the VPN client?
15:57 < traceback0> yes
15:57 < cron2> so the whole issue is that *ping* does not work?
15:57 < traceback0> just did
15:57 < traceback0> or traceroute
15:57 < traceback0> or ssh
15:57 < traceback0> i cant ssh to my "other server" through the vpn
15:57 < traceback0> using the "other servers" internal ip
15:58 < cron2> didn't you just say that you *can*?
15:58 < traceback0> through the public ip yes
15:58 < traceback0> not through the internal one
15:58 < cron2> now that *could* be rp_filter
15:58 < traceback0> hence the vpn
15:58 < cron2> ah
15:58 < traceback0> i can't ping that internal ip either
15:58 < traceback0> nothing
15:59 < traceback0> routing or ip forwarding i've suspected is broken somewhere
15:59 < cron2> don't muddle the issue, don't explain that "something works" which has nothing to do with VPN.  Please.  It will confuse everything.
15:59 < traceback0> ok
15:59 < traceback0> sorry
15:59 < cron2> routing looks fine, ip forwarding is turned on, IP tables look reasonable
15:59 < traceback0> I think I actually thought you said "can you ssh from the gateway"
15:59 < cron2> 22:57 < cron2> traceback0: from the VPN client?
15:59 < traceback0> i know! =)
15:59 < traceback0> mistake 
16:00 < cron2> do you see anything in "the other server"'s log files (firewall logs)?
16:00 < cron2> just making sure that I'm not misreading things
16:00 < traceback0> where are those?
16:00 < cron2>  /var/log/<something>
16:00 < traceback0> when I did a tcp dump on eth1 for the "other server" I saw no incoming request from the gateway
16:01 < traceback0> cron2: on ubuntu not sure where the firewall log is
16:01 < cron2> mmmh, ok.  tcpdump should grab the packets before the firewall drops 'em
16:01 < traceback0> I did tcpdump -i eth1
16:01 < traceback0> nothing showed up
16:01 < traceback0> and I was doign a ping/traceroute/ssh to the internal "other server" ip
16:02 < cron2> can you do the "tcpdump -i eth1" on the gateway machine, please?  if routing/forwarding/filtering on the gatway works, you should see the packets going out there
16:03 < havoc> w00t!
16:03 < havoc> Miller Time :)
16:04 < havoc> Tophat: you make any headway?
16:05 -!- Grapsus [~grapsus@ADijon-554-1-210-27.w81-51.abo.wanadoo.fr] has joined ##openvpn
16:07 < traceback0> cron2: http://dpaste.com/163827/
16:07 < traceback0> cron2: yeah it hits but it's like the "other server" doesn't ge tit
16:07 < cron2> is there anything funny in between?
16:08 < traceback0> yea kinda...
16:08 < traceback0> cron2: http://dpaste.com/163828/
16:08 < cron2> ok, from that paste, I'm 99% sure that it's not the gateway
16:09 < traceback0> so then it's the "other server"
16:09 < tw> What's between your gateway and the other server?  Is it just a dumb switch or do you have some kind of packet filtering hardware in there?
16:09 < cron2> or something in between, like a layer2 firewall or such?
16:10 < cron2> the "other server" should also be fine
16:11 < traceback0> not sure
16:11 < traceback0> on the "cloud"
16:11 < traceback0> rackspace
16:11 < tw> I'm thinking, and this is going to sound stupid, you might need to SNAT your vpn'd traffic to the outgoing interface if you can't mess with the hardware in the middle.
16:11 < traceback0> i think they use routers not switches though
16:11 < traceback0> with some tiny research
16:13 < tw> You have multiple servers with them?  Call them and tell them what you've got and see what they suggest.
16:13 < cron2> traceback0: there could be "security filters" on the internal network, to avoid "customers doing funnies" - which is about what you're doing, if their view is "only 10.176 is allowed here!"
16:13 < traceback0> cron2: going to ask in their support live chat
16:13 < cron2> traceback0: I *think* your machines are fine, and I agree with tw
16:13 -!- BoomSie [~gideon@84-245-27-118.dsl.cambrium.nl] has joined ##openvpn
16:14 < cron2> so you might be forced to use source-NAT tun->eth1 (masquerading).
16:14 < traceback0> well that's good to know i can follow directions
16:14 < traceback0> I've been racking my brains with this for a while
16:14  * cron2 needs to go to bed now, anyway, 23:14 in my time zone and early wakeup call tomorrow
16:15 < traceback0> thanks cron2 
16:15 < cron2> let us know what the outcome is :-) - good night
16:15 < traceback0> will do
16:20 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Remote host closed the connection]
16:20 < traceback0> cron2: you there?
16:21 < traceback0> I got this awesome response!
16:21 < traceback0> tw: or are you on
16:21 < traceback0> tw: http://dpaste.com/163835/ from the "other server" when I try ssh
16:22 < traceback0> and ssh times out
16:24 < havoc> ok, --port-share really fills up the logs
16:30 -!- mode/##openvpn [+o openvpn2009] by ChanServ
16:30 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has joined ##openvpn
16:31 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
16:36 -!- Grapsus [~grapsus@ADijon-554-1-210-27.w81-51.abo.wanadoo.fr] has quit [Quit: Quitte]
16:36 < traceback0> gah
16:36 < traceback0> impossible
16:44 -!- traceback0 [~traceback@adsl-99-186-40-132.dsl.pltn13.sbcglobal.net] has quit [Quit: traceback0]
16:48 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 256 seconds]
17:07 -!- BoomSie [~gideon@84-245-27-118.dsl.cambrium.nl] has quit [Quit: Ex-Chat]
17:09 -!- traceback0 [~traceback@adsl-69-228-190-230.dsl.snfc21.pacbell.net] has joined ##openvpn
17:12 -!- traceback0 [~traceback@adsl-69-228-190-230.dsl.snfc21.pacbell.net] has quit [Read error: Connection reset by peer]
17:24 -!- traceback0 [~traceback@adsl-69-228-190-230.dsl.snfc21.pacbell.net] has joined ##openvpn
17:24 < havoc> ok, about to ask a silly question
17:24 < havoc> I have one client connect, and assigned a fixed/known IP, I need routes back to the client's lan
17:25 < havoc> where/how would be the recommened way to add these?
17:25 < havoc> can a client push routes?
17:26 < havoc> the server and client are both debian boxes, BTW
17:27 < havoc> I've added them manually now, but I need it automatic
17:28 < havoc> I am using ccd too, but just empty files right now
17:28 < havoc> basically I can get it done, I'm just looking for the "recommended" method
17:39 < hyper_ch> !route
17:39 < vpnHelper> hyper_ch: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:47 < havoc> ok
17:47 < havoc> although "put it on the server conf" was all I needed
17:47 < havoc> which shouldn't work
17:47 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:47 < havoc> you should be able to add routes until a gateway for that route exists
17:48 < havoc> would be better in a client connect conf
17:48 < havoc> but it's been tested both ways
17:48 < havoc> but I appreciate wasting an extra 10min
17:51 -!- lbt [~david@Maemo/community/contributor/lbt] has quit [Ping timeout: 276 seconds]
18:05 -!- chilicuil [~sistemas@189.191.125.112] has quit [Quit: Leaving.]
18:09 -!- kyrix [~ashley@41.92.19.189] has joined ##openvpn
18:49 -!- Argafal [argafal@users.tokkee.org] has quit [Ping timeout: 256 seconds]
18:49 -!- Argafal [argafal@users.tokkee.org] has joined ##openvpn
18:50 -!- traceback0 [~traceback@adsl-69-228-190-230.dsl.snfc21.pacbell.net] has quit [Quit: traceback0]
18:59 -!- traceback0 [~traceback@adsl-99-186-40-132.dsl.pltn13.sbcglobal.net] has joined ##openvpn
19:11 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has quit [Ping timeout: 245 seconds]
19:21 -!- kyrix [~ashley@41.92.19.189] has quit [Ping timeout: 245 seconds]
19:39 -!- pdt [~ptinsley@99-0-36-187.lightspeed.mrbotn.sbcglobal.net] has joined ##openvpn
19:39 -!- kyrix [~ashley@41.92.41.74] has joined ##openvpn
20:05 -!- pdt [~ptinsley@99-0-36-187.lightspeed.mrbotn.sbcglobal.net] has quit [Quit: pdt]
20:37 < ecrist> \o
20:39 < reiffert> \d
20:46 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:47 < theDoc> Morn' folks.
20:48 < reiffert> night ppl
20:49 < theDoc> reiffert> Have you managed to get your LACP thing fixed? I was travelling and thus, the lack of presence online ;)
20:52 -!- kyrix [~ashley@41.92.41.74] has quit [Ping timeout: 245 seconds]
21:01 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
21:15 -!- daemon [~paul@2a01:348:1f9:feed:74e0:d75a:2112:d3da] has quit [Read error: Connection reset by peer]
21:29 -!- pdt [~ptinsley@99-0-36-187.lightspeed.mrbotn.sbcglobal.net] has joined ##openvpn
21:37 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 245 seconds]
21:41 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
21:53 -!- kyrix [~ashley@41.92.4.44] has joined ##openvpn
21:54 -!- pdt [~ptinsley@99-0-36-187.lightspeed.mrbotn.sbcglobal.net] has quit [Quit: pdt]
22:32 -!- kyrix [~ashley@41.92.4.44] has quit [Ping timeout: 256 seconds]
23:04 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
23:04 -!- kyrix [~ashley@41.92.15.50] has joined ##openvpn
23:18 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:41 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
23:58 -!- kyrix [~ashley@41.92.15.50] has quit [Ping timeout: 265 seconds]
--- Day changed Wed Feb 24 2010
00:08 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
00:13 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
01:28 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:28 -!- mode/##openvpn [+o mattock] by ChanServ
01:28 -!- lbt [~david@Maemo/community/contributor/lbt] has joined ##openvpn
02:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:24 -!- __cipher__ [~njende@dialbs-092-079-140-220.static.arcor-ip.net] has joined ##openvpn
02:42 -!- pmjdebruijn [pascal@jester.pcode.nl] has joined ##openvpn
02:42 < pmjdebruijn> hi all
02:42 < pmjdebruijn> we're having a route adding failure when installing OpenVPN on Windows 7... I've seen several places recommeding to run OpenVPN as admin, which is not a real solution
02:51 < hyper_ch> well, not knowing windows all that well, I think that as unprivileged user on windows you can't add routes. Hence either you can run openvpn as system service or manually start it as admin or give according privileges to manipulate the routs to the restricted user
03:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
03:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:09 -!- master_of_master [~master_of@p57B55D0C.dip.t-dialin.net] has quit [Ping timeout: 256 seconds]
03:11 -!- master_of_master [~master_of@p57B56D1A.dip.t-dialin.net] has joined ##openvpn
03:23 < pmjdebruijn> http://msdn.microsoft.com/en-us/library/bb756929.aspx
03:23 < vpnHelper> Title: Step 6: Create and Embed an Application Manifest (UAC) (at msdn.microsoft.com)
03:25 -!- i-pink_ [~i-pink@bzq-109-67-184-92.red.bezeqint.net] has joined ##openvpn
03:28 -!- i-pink__ [~i-pink@bzq-79-180-184-195.red.bezeqint.net] has quit [Ping timeout: 248 seconds]
03:33 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has joined ##openvpn
03:34 < ||arifaX> Hi, I install openvpn (server) on a windows machine. what kind of certs (pem or pkcs12) shall I create for the client machines or what is the difference?
03:35 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
03:36 -!- i-pink_ [~i-pink@bzq-109-67-184-92.red.bezeqint.net] has quit [Read error: Connection reset by peer]
03:44 -!- dazo_afk is now known as dazo
03:47 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
03:48 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
05:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
05:18 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
05:19 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 245 seconds]
05:32 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
05:42 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:42 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
05:45 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
05:50 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
05:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
05:55 -!- __cipher__ [~njende@dialbs-092-079-140-220.static.arcor-ip.net] has quit [Read error: Connection reset by peer]
05:56 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:01 -!- __cipher__ [~njende@dialbs-092-079-140-220.static.arcor-ip.net] has joined ##openvpn
06:02 -!- __cipher__ [~njende@dialbs-092-079-140-220.static.arcor-ip.net] has quit [Read error: Connection reset by peer]
06:09 -!- __cipher__ [~njende@dialbs-092-079-140-220.static.arcor-ip.net] has joined ##openvpn
06:11 -!- __cipher__ [~njende@dialbs-092-079-140-220.static.arcor-ip.net] has quit [Read error: Connection reset by peer]
06:17 -!- __cipher__ [~njende@dialbs-092-079-140-220.static.arcor-ip.net] has joined ##openvpn
06:19 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 245 seconds]
06:24 -!- __cipher__ [~njende@dialbs-092-079-140-220.static.arcor-ip.net] has quit [Read error: Connection reset by peer]
06:30 -!- hid3 [~tst@lan-78-157-71-116.vln.skynet.lt] has joined ##openvpn
06:30 -!- __cipher__ [~njende@dialbs-092-079-140-220.static.arcor-ip.net] has joined ##openvpn
06:32 < hid3> Hello everyone. I've installed OpenVPN client on my Windows machine (laptop). It created a virtual adapter (as expected). However, when I lauch OpenVPN shortcut, it appears in taskbar but the icon doesn't dontain any options: just About, Exit and Proxy. How do I connecto to a OpenVPN server then?
06:32 -!- __cipher__ [~njende@dialbs-092-079-140-220.static.arcor-ip.net] has quit [Read error: Connection reset by peer]
06:35 < Tophat> hid3 whats the problem ?
06:35 < Tophat> !howto
06:35 < vpnHelper> Tophat: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:35 < hid3> Tophat, thanks, found it already too.
06:36 < hid3> I expected it to have a configurable GUI too, that's Windows anyway! :D
06:36 < Tophat> yeah lol
06:37 < hid3> Still need to configure my linux server a an OpenVPN server firstly...
06:38 < Tophat> yeah thats the hard part, where im stuck at as well
06:38 -!- __cipher__ [~njende@dialbs-092-079-140-220.static.arcor-ip.net] has joined ##openvpn
06:38 < hid3> I've configured some Cisco ASA's as VPN servers but never done anything similar with OpenVPN or other software, lol :D
06:39 < hid3> In fact I need a *minimal* VPN server: lowest encryption possible, authentication via the /etc/passwd file, that's all
06:44 -!- simplechat_ [~simplecha@unaffiliated/simplechat] has joined ##openvpn
06:46 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Ping timeout: 265 seconds]
07:08 < upb> i would then adivse you to use the DOUBLEXOR stream cipher
07:14 -!- dazo is now known as dazo_afk
07:14 -!- Leila [~50bfc236@gateway/web/freenode/x-yecfwethonkkzxbp] has joined ##openvpn
07:22 -!- Leila [~50bfc236@gateway/web/freenode/x-yecfwethonkkzxbp] has quit [Ping timeout: 252 seconds]
07:33 < pmjdebruijn> hid3: OpenVPN uses SSL certificates
07:34 < pmjdebruijn> hyper_ch: the problem is that this should be automatable for deployment
07:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:43 -!- dazo_afk is now known as dazo
07:49 < hid3> pmjdebruijn: Yes, I've manage to set up almost everyting. My Windows client connects successfully but it failes to add routes: says "Access denied" when executing c:\windows\system32\route.exe. What Might be wrong? The Laptop is running Windows 7 Pro.
07:49 < hid3> I guess this might be because of some stupid security/permission system in Win7
07:51 -!- pdt [~ptinsley@99-0-36-187.lightspeed.mrbotn.sbcglobal.net] has joined ##openvpn
07:52 < hyper_ch> pmjdebruijn: ?
07:53 < hyper_ch> usually administrative priviledges are required to alter the routing (on linux, no clue about windows)
07:55 -!- pdt [~ptinsley@99-0-36-187.lightspeed.mrbotn.sbcglobal.net] has quit [Client Quit]
07:59 < insane^> hyper_ch, on windows, too
08:12 < pmjdebruijn> the Windows client is pretty much broken as is now... it's not realistic to expect users to rightclick on the icon to run as admin
08:12 < pmjdebruijn> http://article.gmane.org/gmane.network.openvpn.user/24873
08:13 < pmjdebruijn> that works though
08:13 < vpnHelper> Title: Gmane -- Mail To News And Back Again (at article.gmane.org)
08:16 < hyper_ch> windows is weird :)
08:17 < pmjdebruijn> true
08:35 < djscott_> With PAM authentication, is the username/password submission encrypted?
08:37 < ecrist> \o
08:38 < ecrist> yes
08:38 < ecrist> provided you're encrypting your tunnel
08:39 < djscott_> So that would depend on the client software?
08:40 < ecrist> if you're using SSL certificates with openvpn, it will be encrypted
08:40 < djscott_> OK, thanks.
08:43 < djscott_> so I have to create an SSL certificate for each client?
08:43 < ecrist> yes
08:44 < djscott_> Ouch. That pretty much negates the reason to use PAM...
08:44 < ecrist> well, you can share an SSL certificate among all clients
08:45 < djscott_> Yes. But that's pretty bad for revoking access.
08:45 < ecrist> isn't that why you're using PA<?
08:45 < ecrist> PAM*
08:45 < djscott_> Good point.
08:45 < ecrist> you're complaining about both sides. ;)
08:46 < djscott_> :)
08:53 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
08:58 < pmjdebruijn> hmmm
08:58 < pmjdebruijn> are the install sources for 2.1.1 available anywhere, so I can fix the GUI binary myself?
08:59 < ecrist> I assume you're talking about windows GUI?
08:59 < pmjdebruijn> yeah
09:00 < pmjdebruijn> It would also be nice to customize the installer to include the certificates
09:00 < pmjdebruijn> up until openvpn_2.1rc they were available on openvpn.se
09:00 < ecrist> not sure where they are kept, perhaps ask on -devel mainling list
09:00 < ecrist> mailing*
09:00 < pmjdebruijn> huh? 
09:01 < pmjdebruijn> you mean published
09:01 < ecrist> sure, whatever
09:04 < pmjdebruijn> that would be a major bummer, since I'm not able to fix anything
09:05 -!- orzel [~orzel@berlioz.ethernet.freehackers.org] has joined ##openvpn
09:06 < orzel> !welcome
09:06 < vpnHelper> orzel: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:06 < orzel> !route
09:06 < vpnHelper> orzel: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:06 < orzel> weird,it wont answer as query, only on the channel.
09:09 < rob0> there is a Web page listing all the factoids
09:10 < rob0> !bot
09:10 < vpnHelper> rob0: "bot" is I'm a bot.. just a bot. krzee is my maintainer, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
09:10 < rob0> hmm, I can't remember the URL
09:13 < dazo> rob0:  which URL?
09:14 < dazo> rob0:  http://www.secure-computing.net/factoids.php ... this one?
09:14 < vpnHelper> Title: SCN: vpnHelper Factoids (at www.secure-computing.net)
09:15  * dazo is practising his telepathic talent ... but still far from perfect
09:15 < rob0> that one
09:15 < rob0> :)
09:15  * dazo is improving his skills
09:15 < dazo> :)
09:17 < ecrist> !factoids
09:17 < vpnHelper> ecrist: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
09:21 < rob0> yeah I should have tried that one :)
09:28 -!- jmm is now known as jww
09:31 -!- __cipher__ [~njende@dialbs-092-079-140-220.static.arcor-ip.net] has quit []
09:47 < hid3> OK. So I've set up the VPN server. It shows up as having IP address 192.168.4.1 on the tun0 interface. However, when I connect with a client (it gets IP 192.168.4.6) it sets the default gateway as 192.168.4.5, not 192.168.4.1. What's wrong? What am I missing here?
09:49 < Bushmills> nothing
09:50 < Bushmills> except, that client sees its P-t-P address as end point, and as gateway
09:51 < Bushmills> or, the man page text at --topology 
09:52 < hid3> The problem is that my default-gateway if the other side default gateway, NOT my VPN server (which I want to be)
09:53 < Bushmills> i don't understand.  tunnel end point from client view *is* the openvpn server
09:54 < hid3> Yeah, but let's say I do ping www.google.com and it ping the google NOT via VPN but from direct link
09:54 < Bushmills> that's a matter of client routing
09:54 < hid3> and yes, I have 'redirect-gateway' enabled...
09:55 < Bushmills> you route either through your upstream interface, or through vpn
09:55 < Bushmills> then remove redirect-gateway, if you want to ping google though upstream interface instead of through vpn
09:57 < hid3> No! I want to ping it via my vpn
09:58 < jww> the google, the internet
09:58 < jww> the jww.
09:58 < jww> <=
09:59 < hid3> jww, who the hell are you? Should I ping YOU?! :D
09:59 < jww> :)
10:01 < rob0> I'm sure by now you have seen the !route factoid?
10:02 < hid3> Of course
10:02 < hid3> Guess I should add 0.0.0.0 0.0.0.0 then
10:02 < hid3> :D
10:02 < hid3> I've added my local routes already
10:02 < hid3> (192.168.2.0, 192.168.3.0)
10:02 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
10:04 < rob0> The thing is: to do fancy routing tricks, you have to understand how routing works. 0.0.0.0/0 would break your tunnel.
10:04 < rob0> Think like a packet. Every host which handles a packet should know what to do with it.
10:04 < rob0> If any host along the way does it wrong, goodbye packet.
10:05 < hid3> Yeah.
10:06 < hid3> Slightly offtopic here: I see it uses 160 bit encryption. Is there any way/chance/need to reduce it to say 32 bit in order to save CPU power/bandwidth/etc?
10:11 < rob0> um, I think so, look in the man page at crypto options.
10:13 < hid3> Thanks!
10:13 < hid3> This is really a great thing. I wish I had set up it MUCH earlier!
10:14 < rob0> --show-ciphers
10:17 < Bushmills> if you default route to your client's P-t-P address, traffic *does* reach the vpn server. what's the problem? 
10:17 < hid3> Hm.. 
10:17 < hid3> that's strange
10:17 < hid3> the traffic was going through the vpn server
10:18 < hid3> (ping google in background)
10:18 < hid3> but suddenly it stopped
10:18 < hid3> not sure why
10:18 < Bushmills> is that your question?
10:18 < hid3> At the moment, yes
10:18 < Bushmills> check the logs
10:19 < hid3> I connected to the VPN and it worked (all the traffic router through VPN)
10:19 < hid3> But suddenly it stopped.
10:19 < hid3> 1 minute..
10:19 < Bushmills> check whether your client has a host route
10:19 < Bushmills> to vpn server
10:20 < hid3> Strange, logs say noting, neither on client nor server side
10:20 < Bushmills> (well, it probably has, or there wouldn't be a "one minute")
10:20 < hid3> I still can reach my internal subnets
10:21 < hid3> I reconnected to VPN and it works again
10:21 < Bushmills> well, I can't tell you why you traffic suddenly stops, from just the information that it does.
10:21 < hid3> I'm confused, dunno what causes that...
10:25 < hid3> Well, I'll need to do some more testing/investigation
10:26 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has quit [Remote host closed the connection]
10:26 < fahadsadah> http://gist.github.com/313577 is my OpenVPN server conf
10:26 < vpnHelper> Title: gist: 313577 - GitHub (at gist.github.com)
10:26 < hid3> Any ideas if I can push more than one DNS server with "dhcp-option DNS"?
10:27 < fahadsadah> You can
10:27 < fahadsadah> You can push up to two, I think
10:27 < hid3> Separated with a space, comma or comma + space?
10:27 < fahadsadah> Have two seperate push lines
10:27 < hid3> Oh. That way
10:28 < fahadsadah> http://gist.github.com/313577 now contains both my client and server configs
10:28 < vpnHelper> Title: gist: 313577 - GitHub (at gist.github.com)
10:28 < fahadsadah> From the server, I can't ping clients
10:29 < hid3> I can't either
10:29 < hid3> Not a big deal I guess
10:30 < fahadsadah> It is for me
10:30 < fahadsadah> I need a bidirectional VPN
10:32 < hid3> Successfully pushed 3 DNS servers...
10:32 < fahadsadah> Cool
10:32 < hyper_ch> pinging clients from server works
10:33 < fahadsadah> I wish I had three DNS servers to push
10:33 < fahadsadah> Actually, I do have three DNS servers
10:33 < fahadsadah> One has a VPN address
10:33 < fahadsadah> The other two are administrated by clueless people
10:33 < fahadsadah> Who keep leaving them dced
10:33 < hid3> hyper_ch: how?
10:33 < hyper_ch> ping 10..8.0.4
10:34 < fahadsadah> hyper_ch: I can ping the server from my clients
10:34 < fahadsadah> I can't ping my clients from the server
10:34 < fahadsadah> Which is annoying, as I have a LAN behind the server
10:34 < hid3> In my case it's 192.168.4.6, and I can't ping it
10:34 < fahadsadah> Who's occupants need to be able to ping the clients
10:34 < hyper_ch> then somethign's wrong with your config I guess
10:34 < fahadsadah> 504> ping 10.156.210.14
10:34 < fahadsadah> PING 10.156.210.14 (10.156.210.14) 56(84) bytes of data.
10:34 < fahadsadah> --- 10.156.210.14 ping statistics ---
10:34 < fahadsadah> 306 packets transmitted, 0 received, 100% packet loss, time 305395ms
10:34 < fahadsadah> hyper_ch: I pastebinned my config
10:35 < fahadsadah> Do I need ifconfig-pool?
10:35 -!- simplechat_ [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:37 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
10:39 < fahadsadah> !nat
10:39 < vpnHelper> fahadsadah: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
10:39 < fahadsadah> !linnat
10:39 < vpnHelper> fahadsadah: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
10:39 < hyper_ch> fahadsadah: my configs: http://www.pastebin.org/96560 --> server + ccd for client xxx + xxx config
10:39 < fahadsadah> !winnat
10:39 < vpnHelper> fahadsadah: "winnat" is http://support.microsoft.com/kb/306126 for windows nat (windows calls it internet connection sharing aka ICS)
10:40 < fahadsadah> No clue...
10:40 < hid3> When do I specify -j SNAT --to <ip> and when do I specify -j SNAT --to-source? Any ideas?
10:40 < fahadsadah> I know I've forgotten something that means I can't access clients
10:40 < fahadsadah> WHAT?
10:41 < hid3> :D
10:41 < hid3> Linux, babe 
10:42 < fahadsadah> I'm DDoSing one of my clients
10:43 < fahadsadah> And I have a tshark trace
10:43 < fahadsadah> I see nothing
10:43 < fahadsadah> No, I see tonnes of spam
10:43 < fahadsadah>  26.278959 97.107.142.96 -> 82.28.217.234 UDP Source port: openvpn  Destination port: 55235
10:43 < hyper_ch> fahadsadah: you don't use linux?
10:43 < fahadsadah> Linux server
10:43 < fahadsadah> Mixed clients
10:44 < fahadsadah> The client box 82.28.217.234 is Windows
10:44 < hyper_ch> windows is too complicated for me
10:45 -!- pmjdebruijn [pascal@jester.pcode.nl] has left ##openvpn []
10:45 < fahadsadah> OK
10:45 < fahadsadah> On 82.28.217.234, WireShark shows me tonnes of ping packets
10:46 < fahadsadah> 97.107.142.96:openvpn to 82.28.217.234:55235
10:51 < orzel> Hi... i read the route url.... but i still have a problem. I have a working configuration with a server and several client succesfully connecting to the server. From clients, i can ping and connect to the computers connected to the server lan.
10:52 < fahadsadah> orzel: But you can't ping the clients from the server?
10:52 < fahadsadah> Exact same problem here.
10:52 < orzel> I dont really need this. haven't tried
10:53 -!- dazo is now known as dazo_afk
10:53 < orzel> I've added a  new node on the lan today. And this one can't be ping from vpn clients, only from the local network. I think this is because packets reaching it with an ip (vpn client) different than the lan are kind of dimissed by this node.
10:54 < orzel> is it possible ? can it be solved ?
10:54 < orzel> using tcpdump on another (linux) node, i see incoming icmp packet have the 'from' IP of the vpn range, not from the lan range
10:55 < orzel> but this work nonetheless on all nodes.... but this latest one.
10:56 < orzel> i'm afraid the answer will contain something with 'nat' inside it that kind of frightens me.....right?
11:03 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has quit [Quit: It´s time to say goodbye]
11:03 -!- kyrix [~ashley@41.92.16.26] has joined ##openvpn
11:04 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has joined ##openvpn
11:04 -!- CheBuzz_Home [~CheBuzz_H@88-202-61-65.ip.skylogicnet.com] has joined ##openvpn
11:06 -!- kyrix [~ashley@41.92.16.26] has quit [Max SendQ exceeded]
11:06 -!- kyrix [~ashley@41.92.16.26] has joined ##openvpn
11:07 < CheBuzz_Home> Question for the openvpn experts out there:  I have an openvpn server that runs on a DSL connection in the States.  The client I run 7000 miles away over a satellite connection.  The latency can get upwards of 1000-1500 msecs.  I tunnel VoIP over this, but notice something odd.  The latency on the VoIP (or SSH/HTTP, whatever) can get upwards of 20 seconds during heavy traffic.  Why?  And is there anything I can do to help this?
11:08 < ecrist> CheBuzz_Home: satellite sucks, it sucks even more over VPN
11:09 < CheBuzz_Home> Agreed.  But why the discrepancy between non-encrypted of a max 2000 msecs to 20,000 msecs when using openvpn?
11:10 < ecrist> because vpn sucks over satellite
11:10 < CheBuzz_Home> Not exactly much of an explanation....
11:11 -!- makomi [~makomi@91-67-199-44-dynip.superkabel.de] has left ##openvpn ["It´s time to say goodbye"]
11:12 < ecrist> http://forum.ecoustics.com/bbs/messages/34579/127542.html
11:12 < vpnHelper> Title: VPN over Satellite: A comparison of approaches (at forum.ecoustics.com)
11:14 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:29 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Quit: Leaving]
11:30 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
11:33 < CheBuzz_Home> That was a little more helpful.  But still doesn't quite answer the question.  This was referring to TCP and it's tendency to slow down over latent connections.  That I know.  So I of course configured openvpn to use UDP.  And VoIP is a UDP service.  And they were referring to 25% slowdowns, where I am talking about 1000% slowdowns.  So, any other ideas?
11:36 -!- Tophat_ [~Tophat@fpal5-a01.peop.tds.net] has joined ##openvpn
11:39 -!- Tophat [~Tophat@unaffiliated/tophat] has quit [Ping timeout: 240 seconds]
11:43 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
11:49 -!- Tophat_ is now known as Tophat
11:49 -!- Tophat [~Tophat@fpal5-a01.peop.tds.net] has quit [Changing host]
11:49 -!- Tophat [~Tophat@unaffiliated/tophat] has joined ##openvpn
11:54 -!- Blues-Man [~bluesman@host169-112-dynamic.52-79-r.retail.telecomitalia.it] has joined ##openvpn
11:57 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
12:14 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 265 seconds]
12:18 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Quit: Leaving]
12:24 < Bushmills> fahadsadah: not being able to ping clients from *server* is not a nat issue.  it is probably a firewall issue
12:25 -!- kyrix [~ashley@41.92.16.26] has quit [Ping timeout: 256 seconds]
12:25 < Bushmills> it is also unlikely that it is a routing issue, or echo replies from server wouldn't return to clients when they ping server
12:29 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
12:34 -!- lbt [~david@Maemo/community/contributor/lbt] has left ##openvpn ["Konversation terminated!"]
12:35 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
12:36 -!- kyrix [~ashley@41.92.12.120] has joined ##openvpn
12:46 < hyper_ch> hi Bushmills
12:46 < Bushmills> moinmoin hyper_ch
12:47 < hyper_ch> Bushmills: thx for all the support you do in here :)
12:47 < Bushmills> me?
12:47 < hyper_ch> Bushmills: no, you :)
12:47 < Bushmills> i think you must be confusing me with somebody else :)
12:48 < hyper_ch> Bushmills: nope... there's only one registered Bushmills on freenode as far as I can remember
12:49 < Bushmills> well, it is not the impresson that I have that I do that much support in here
12:49 < Bushmills> maybe you just happen to check in when I happened to have said something 
12:50 < hyper_ch> Bushmills: you mean to say that I stalk you?
12:50 < hyper_ch> :)
12:50 < Bushmills> no. possibly a time zone cohesive thing
12:51 < hyper_ch> or maybe you think of stalking but are afraid to say it so hence you come up with that time zone thingy
12:51 < Bushmills> you just finished dinner and had a look here, right?
12:51 < hyper_ch> nah, not had dinner ydet
12:52 < Bushmills> hm. that's not it, then
12:52 < hyper_ch> but I'm about to shovel something into the oven
12:52 < Bushmills> france, well, same time zone it is
12:53 < hyper_ch> you're in france?
12:53 < Bushmills> no. i thought that you are
12:54 < hyper_ch> je parle français mais je ne suis pas français :)
12:54 < Bushmills> belgique then?
12:54 < hyper_ch> non-plus :)
12:54 < Bushmills> or just learned somewhere?
12:55 < hyper_ch> je vis dans un pays où français est une des langues officielles
12:55 < Bushmills> ah.  african?
12:55  * hyper_ch points to the "ch"
12:55 < Bushmills> northern afruique?
12:55 < Bushmills> ok
12:55 < hyper_ch> and I thought that was obvious :)
12:56 < Bushmills> francophone part. yes, should have been. it is now that you mention it
12:56 < hyper_ch> nah, german speaking part :)
12:56 < Bushmills> jo oida.
12:56 < Bushmills> grias di
12:56 < hyper_ch> that sounds bavarian
12:56 < Bushmills> hehe
12:57 < Bushmills> though i'm nit
12:57 < Bushmills> not
12:57 < hyper_ch> hmmm, ig froge mi immer no wieso schwyzerdüütsch so schwierig isch zum verschtoh
12:57 < Bushmills> nee hoor
12:57 < Bushmills> is like swabian
12:57 < hyper_ch> :)
12:58 < hyper_ch> immer die Schwobe
12:59 < Bushmills> i understand platt pretty well, and bavarian.  actually i also can speak what makes northerns think what i'm from northern germany myself :) 
12:59 < havoc> is there a way to quiet --port-share aside from lowering --verb?
12:59 < Bushmills> though i'm not
12:59 < Bushmills> having lived for a while in bavaria and swabia rounds up the language towards the other end of the country
13:00 < Bushmills> therefore, schwyzerdüütsch is not so much out of the line
13:03 < hyper_ch> well, one of my roommate at university (from the Rheingau) did have quite some trouble understanding it at first.... but then he got used to it :)
13:03 < Bushmills> the trick with platt is simply that i speak dutch :)
13:04 < hyper_ch> when I hear dutch I always have the feeling that I should understand it
13:05 < Bushmills> it sounds easy at first. until you notice that words which sound similar to words you know have sometimes a very different meaning.
13:05 < hyper_ch> Bushmills: I still wonder, when will Germany leave the EU?
13:06 < Bushmills> about the time when switzerland has its own navy
13:06 < hyper_ch> Bushmills: we have :)
13:06 < Bushmills> on the geneve sea?
13:06 < Krikke> geneve, I love that region
13:07 < hyper_ch> Landlocked Switzerland does not have a navy, but it does maintain a fleet of military lake patrol boats. The Aquarius-class Patrouillenboot 80 PBRs, operated by Motorboat Company 10, patrol Lake Geneva, Lake Lucerne, Lake Lugano, Lake Maggiore and Lake Constance.
13:07 < hyper_ch> ok, it says we have not
13:07  * Bushmills pictures an aircraft carrier on lake geneve
13:07 < hyper_ch> but as we have boats I consider that as navy
13:08 < hyper_ch> wait until we put an aircraft carrier into lake constance
13:08 < hyper_ch> ;)
13:08 < Bushmills> then germany might quit the EU
13:08 < hyper_ch> damn you were to quick
13:08 < hyper_ch> well, I just wonder what keeps Germany in the EU
13:08 < hyper_ch> you do nothing but pay and pay and pay and pay
13:09 < Bushmills> I suppose it is considered worth it. revenues also increase. 
13:09 < hyper_ch> and I still think the expansion from EU16 -> EU25 (and now 27?) was too early... but that's just my opinion
13:13 < Bushmills> also consider that EU predecessor is considered one reason why europe zone has been largely stable in the second half of last centurey
13:13 < Bushmills> century
13:13 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
13:14 < Bushmills> among other, it was an instrument to convert competitors to allies
13:14 < Bushmills> Europe was  very fragmented before. and a lot of tension among many states
13:14 < hyper_ch> I know but I still think the last two expansions were just too big in a too short of time... ti should have been slower
13:18 < Bushmills> we probably don't know the real reasoning behind the expansion burst. just what is told us.  there may be considerations which are beyond simply growing an economic union. 
13:19 < Bushmills> one possibility is that russia is still considered a potential thread, which may become even more one when it manages to capture the more or least orphaned eastern european states
13:19 < Bushmills> threat
13:19 < Bushmills> so by expanding europe, the borders are pushed eastwards
13:20 < Bushmills> that's where most new member states are located
13:21 < hyper_ch> are the new MS all NATO members?
13:21 < Bushmills> those countries are essentially a buffer. being considered "them" by russia, not as "ours" or "neutral"
13:21 < Bushmills> not automatically, no.
13:21 < hyper_ch> which ones of them are not? romania and bulgaria?
13:22 < Bushmills> would have to look it up myself to find out who isn't now.
13:22 < Bushmills> but bulgaria isn't EU yet
13:22 < Bushmills> i think ...
13:23 < hyper_ch> I think Bulgaria is
13:23 < hyper_ch> it was just a thought to have "all" NATO members also in the EU so it's one more "common" thing those countries have in common
13:23 < Bushmills> oh, indeed. 1 January 2007
13:24 < hyper_ch> :)
13:25 < Bushmills> relationship to the usa have improved a bit again since Bush - before some countries were voicing their support for a non-NATO military alliance.  
13:25 < hyper_ch> bush was horrible
13:26 < hyper_ch> obama just presents things better I think
13:26 < Bushmills> sort of "loose cooperation" with NATO
13:27 < hyper_ch> oh well, time will tell how things will go with the EU and stuff
13:28 < Bushmills> with a president Cheney, those plans may have had evolved further by now
13:28 -!- Blues-Man [~bluesman@host169-112-dynamic.52-79-r.retail.telecomitalia.it] has quit [Quit: Sto andando via]
13:42 < traceback0> cron2: ping
13:43 -!- orzel [~orzel@berlioz.ethernet.freehackers.org] has left ##openvpn ["Konversation terminated!"]
13:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
14:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
14:19 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
14:42 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:51 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
14:52 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 264 seconds]
14:57 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
15:05 < cron2> traceback0; ah, welcome back :)
15:06 < cron2> traceback0: I saw your message about the "arp" being visible - but that's to be expected, that's basically a gateway<->other server thing, independent of the client
15:06 < traceback0> ah
15:06 < traceback0> well then i have no idea stll
15:07 < cron2> so what did their support say?
15:08 < cron2> traceback0: and finally, you could really do nat - I found that vpnhelper knows about it :-)
15:08 < cron2> !linnat
15:08 < vpnHelper> cron2: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
15:08 < traceback0> cron2: they said they didnt know why it didn't work :P
15:09 < tw> That's certainly convenient of them.
15:09 < traceback0> isn't it :P
15:10 -!- sjr [~sjr@office.superuholdings.com] has left ##openvpn ["Leaving"]
15:15 -!- fremo__ [~fremo@noc.toile-libre.net] has quit [Ping timeout: 248 seconds]
15:15 -!- zero-_ [~zero@noc.toile-libre.net] has quit [Read error: No route to host]
15:20 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
15:26 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
15:27 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
15:28 -!- fremo__ [~fremo@noc.toile-libre.net] has joined ##openvpn
15:32 -!- zero-_ [~zero@noc.toile-libre.net] has joined ##openvpn
15:51 < havoc> oh yeah, still getting the HMAC errors
15:51 < havoc> yet everything is working
15:51 < havoc> very odd
16:00 < havoc> logs: http://pastebin.com/ZFTkvbnn
16:00 < havoc> the weird bit is that everything works
16:00 < havoc> but I'm sure I'm doing sometihng wrong
16:13 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
16:17 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
16:23 -!- ryan_ [~ryan@170.213.131.190] has joined ##openvpn
16:24 < ryan_> hello
16:24 < ryan_> does "redirect-gateway def1" work on linux without extra scripting if it works on a windows box?
16:25 < havoc> one way to find out, but I'd think it would be fine, it's just adding two routes
16:25 < ryan_> it never works for me on ubuntu but if i put the same config and certs on a usb, then goto windows xp, it works
16:26 < ryan_> thats frustrating
16:26 < havoc> huh, odd
16:26 < Bushmills> ryan_: works
16:26 < havoc> ryan_: what ver on ubuntu?
16:27 < ryan_> 9.10
16:27 < ryan_> but it didnt work on 9.04 either
16:27 < ryan_> ya ive been trying for about 6 months
16:27 < Bushmills> maybe something is interfering.
16:27 < Bushmills> do  you run network manager?
16:27 < ryan_> like network manager applet?
16:27 < ryan_> ya
16:27 < ryan_> i heard that
16:27 < Bushmills> !ubuntu
16:27 < vpnHelper> Bushmills: "ubuntu" is dont use network manager!
16:27 < Bushmills> possible
16:28 < ryan_> but i dont know how to manually configure my wifi
16:28 < havoc> ryan_: what version of *openvpn*
16:28 < ryan_> it would be a huge pain for me, as a laptop user, to manually configure wifi everywhere i go
16:28 < ryan_> newest version
16:28 < ryan_> released february
16:28 < ryan_> this year
16:28 < Bushmills> iwconfig, wpa_supplicant
16:28 < rob0> I think the factoid is telling you not to use Network Manager *for opevpn*
16:29 < ryan_> i don't use network manager for openvpn
16:29 < ryan_> i run it in terminal
16:29 < rob0> Then you're good.
16:29 < Bushmills> redirect-gateway doesn't do a lot more than adding routes
16:29 < ryan_> right, so what is it about ubuntu that doesn't click like on windows xp
16:30 < Bushmills> should be one host route and, with def1,  a 0.0.0.0 and a 128.0.0.0 route
16:30 < rob0> Extra scripting might be wanted for pushing VPN DNS hosts.
16:30 < ryan_> server side or client side?
16:30 < ryan_> ubuntu openvpn comes with a script for routing DNS
16:30 < Bushmills> if those routes are added, redirect-gateway worked
16:31 < ryan_> ya i read about that extra scripting in the howto
16:31 < ryan_> really woulda been great for elaboration
16:31 < Bushmills> run a local recursor.
16:31 < ryan_> a what?
16:31 < Bushmills> no need for scripting then
16:31 < rob0> You'd probably have to be more specific than "doesn't click". What is the problem?
16:31 < Bushmills> a local recursive dns
16:32 < ryan_> windows xp connects to openvpn, redirects gateway, i can browse to google
16:32 < ryan_> ubuntu connects to openvpn, redirects gateway, looking up google for hours
16:32 < rob0> oh, I have a theory
16:33 < rob0> using ISP nameservers, and the ISP blocks those from external queries
16:33 < rob0> the VPN server being external to that ISP
16:33 < ryan_> so that would cause it to work for windows and not work for linux
16:33 < ryan_> your saying?
16:34 < rob0> I'm saying why name resolution might not be working with the tunnel and redirect-gateway.
16:34 < ryan_> wtf
16:34 < ryan_> it does work
16:34 < ryan_> for windows
16:35 < ryan_> stop regressing
16:35 < rob0> Bushmills told you a good solution. A simpler, lame fix would be to use 8.8.8.8 in resolv.conf.
16:35 < ryan_> right
16:35 < ryan_> ya i will
16:35 < rob0> And what's this about regressing?
16:36 < ryan_> resolv.conf
16:36 < ryan_> k
16:36 < ryan_> imma do that right now
16:36 < ryan_> the regressing thing was because you tried to point at a solution that was already disproved by the fact that it works for windows and doesn't work for linux
16:38 < rob0> No, you're just not able to understand what I'm saying. Typing more than you think, and you have very little understanding of what's going on.
16:38 < ryan_> hmm
16:38 < rob0> Don't be rude when people try to help you.
16:38 < ryan_> wtf
16:38 < ryan_> your being rude
16:39 < ryan_> ur a idiot stop regressing
16:39 < ryan_> lol
16:39 < ryan_> l8ter douche
16:39 < ryan_> !exit
16:39 < ryan_> exit
16:39 < vpnHelper> ryan_: Error: "exit" is not a valid command.
16:39 -!- ryan_ [~ryan@170.213.131.190] has left ##openvpn ["Leaving"]
16:39 < rob0> one more for the /ignore list
16:40 < havoc> WTF?
16:42 < havoc> rob0: I'd ask you about my HMAC thing, but I think you've said in the past you don't know details of openssl
16:43 < rob0> probably so :)
16:43 < havoc> it's just odd because everything actually *works*
16:44 < rob0> I wouldn't worry, then. A lot of things could cause a bad packet.
16:45 < havoc> filling up logs
16:45 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
16:45 < havoc> and it's fairly regular, about ever 2sec
16:45 < rob0> verbose setting is what?
16:45 < havoc> 3
16:46 -!- sammmy [~sam@c-71-235-44-218.hsd1.ct.comcast.net] has joined ##openvpn
16:48 -!- le0 [~tehle0@82.132.139.245] has joined ##openvpn
16:48 -!- le0 [~tehle0@82.132.139.245] has quit [Changing host]
16:48 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
16:51 -!- Netsplit *.net <-> *.split quits: Tophat, master_of_master
16:53 -!- Netsplit over, joins: Tophat, master_of_master
16:59 < sammmy> hi guys
16:59 < sammmy> could anyone tell me how you verify openvpn with its gpg signature?
17:00 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
17:02 < hyper_ch> sammmy: ?
17:03 < sammmy> hyper_ch, i dont get this i've been reading documentation and trying to get this to work for the last 2 days
17:03 < sammmy> how do you use the gpg signature
17:03 < hyper_ch> what don't you get?
17:03 < hyper_ch> don't you install openvpn from the repositories?
17:03 < sammmy> to verify the openvpn installer
17:03 < sammmy> im using windows
17:03 < hyper_ch> oh... no clue
17:04 < hyper_ch> try #windows
17:04 < sammmy> ive been spending all my freetime on this
17:04 < sammmy> im really frustrated. they dont help much in #windows
17:05 < hyper_ch> use google
17:06 < hyper_ch> or better: switch to linux ;)
17:07 < hyper_ch> and why would you want to verify the installer with gpg if you downloaded it from the openvpn site?
17:08 < hyper_ch> if there's malware in it then it would be provided as binary package on the openvpn site and signed with it... I don't see much point of checking with a gpg key if you get the file from the openvpn site
17:08 < hyper_ch> but that's just my opinion
17:13 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
17:15 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 246 seconds]
17:32 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Ping timeout: 256 seconds]
17:34 -!- Guest26987 [fahad@pyramid.cluenet.org] has joined ##openvpn
17:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
17:36 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
17:49 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:50 -!- sammmy [~sam@c-71-235-44-218.hsd1.ct.comcast.net] has quit [Ping timeout: 276 seconds]
18:07 -!- kyrix [~ashley@41.92.12.120] has quit [Quit: Leaving]
18:07 -!- kyrix [~ashley@41.92.12.120] has joined ##openvpn
18:11 -!- kyrix [~ashley@41.92.12.120] has quit [Client Quit]
18:18 -!- kyrix [~ashley@41.92.12.120] has joined ##openvpn
18:35 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Ping timeout: 264 seconds]
19:01 -!- kyrix [~ashley@41.92.12.120] has quit [Ping timeout: 252 seconds]
19:42 -!- hid3 [~tst@lan-78-157-71-116.vln.skynet.lt] has quit [Read error: Connection reset by peer]
19:42 -!- hid3 [~tst@lan-78-157-71-116.vln.skynet.lt] has joined ##openvpn
19:42 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
20:25 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
21:16 -!- pdt [~ptinsley@99-0-36-187.lightspeed.mrbotn.sbcglobal.net] has joined ##openvpn
21:21 -!- tjz [~pc@bb116-15-71-68.singnet.com.sg] has joined ##openvpn
21:21 -!- tjz [~pc@bb116-15-71-68.singnet.com.sg] has quit [Changing host]
21:21 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
21:23 -!- Tophat [~Tophat@unaffiliated/tophat] has quit [Read error: Connection reset by peer]
21:28 < Bushmills> just checking though the public keys on keyservers related to openvpn, there's actually none which would be the obvious choice to verify against.
21:28 < Bushmills> through
22:14 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Read error: Connection reset by peer]
22:15 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
22:18 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Client Quit]
22:24 -!- CheBuzz_Home [~CheBuzz_H@88-202-61-65.ip.skylogicnet.com] has quit [Read error: Connection reset by peer]
22:27 -!- CheBuzz_Home [~CheBuzz_H@88-202-61-65.ip.skylogicnet.com] has joined ##openvpn
22:39 -!- clas33k [~graffz@120.28.142.54] has joined ##openvpn
22:55 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
22:55 -!- mode/##openvpn [+v Kasx] by ChanServ
22:55 -!- Kaspx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: Connection reset by peer]
23:01 -!- pdt [~ptinsley@99-0-36-187.lightspeed.mrbotn.sbcglobal.net] has quit [Quit: pdt]
23:11 -!- CheBuzz_Home [~CheBuzz_H@88-202-61-65.ip.skylogicnet.com] has quit [Read error: Connection reset by peer]
23:29 -!- CheBuzz_Home [~CheBuzz_H@88-202-61-65.ip.skylogicnet.com] has joined ##openvpn
23:47 < hid3> Good morning everyone
23:48 < hid3> Is there any way to lauch the VPN connection through a command line in Windows? Someting clike that: c:\openvpn\openvpn.exe --connect myprofile.ovpn
23:51 -!- krphop [~krphop@74-82-160-100.take2hosting.com] has quit [Ping timeout: 256 seconds]
--- Day changed Thu Feb 25 2010
00:46 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
00:47 -!- mode/##openvpn [+o mattock] by ChanServ
00:52 -!- clas33k is now known as graffz
01:46 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
02:02 -!- morphles [~useris@86.100.95.148] has joined ##openvpn
02:02 < morphles> !welcome
02:02 < vpnHelper> morphles: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:03 < morphles> !goal
02:03 < vpnHelper> morphles: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
02:03 < morphles> !log
02:03 < vpnHelper> morphles: Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
02:04 < morphles> !logs
02:04 < vpnHelper> morphles: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
02:04 < hid3> ^^
02:04 < morphles> !configs
02:04 < vpnHelper> morphles: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
02:04 < morphles> :)
02:07 < morphles> well actualy my problems is relly simple :) my vpnserver is in private adress sapce, BUT i forward all ports from my router (witch ins public address sapce) to my vpnserver, now if i start openvpn without any params it binds to private ip and vpn works(testing with machine from local net) but if i cant get client to connect to vpn server using public ip
02:15 -!- morphles_ [~useris@86.100.95.148] has joined ##openvpn
02:18 -!- morphles [~useris@86.100.95.148] has quit [Ping timeout: 245 seconds]
02:21 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
02:26 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
02:37 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
02:38 -!- mikeage [~mmiller@mikeage.net] has joined ##openvpn
02:41 < mikeage> hi. any suggestions for an easy way to integrate a small, lightweight, DNS server to handle the IPs given out by openvpn? I'm using ifconfig-pool-persist, so the IPs are known ahead of time.
02:46 < cron2> well, the ifconfig-pool-persist file is a simple text file, so you could read it in regular intervals and build BIND zone files or tinydns data files from it
02:47 < cron2> or you could do a powerdns backend that will automatically read this file...
02:47 < cron2> I think the most "lightweight" of these would be tinydns
02:50 < cron2> (one might even script some on-demand DNS update at connection time, running an external script from OpenVPN itself...)
03:09 -!- master_of_master [~master_of@p57B56D1A.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
03:11 -!- master_of_master [~master_of@p57B560E8.dip.t-dialin.net] has joined ##openvpn
03:24 < mikeage> it seems strange that no one has done this; how do most people manage DNS on a VPN?
03:25 < hyper_ch> know your network ;)
03:25 < hyper_ch> well, if you have static servers in the vpn you'll create according zone files
03:26 < hyper_ch> and for dynamic clients I don't really see a point in adding zone files for them
03:26 < mikeage> and if you allocate dynamically? do most people just not use client-to-client? 
03:26 < hyper_ch> but why would you want to connect a client to a domain?
03:26 < hyper_ch> it's a client not a server
03:27 < mikeage> I want my clients to be able to see each other
03:27 < hyper_ch> then give them static ips
03:27 < hyper_ch> and make zone files
03:27 < mikeage> still, seems strange; maintaining the same information in two separate files. I'm a little surprised that there doesn't seem to be anything more polished out there. 
03:28 < hyper_ch> go ahead and make something :)
03:28 < mikeage> :)
03:28 < hyper_ch> but it's not the same information
03:28 < hyper_ch> openvpn provides a network
03:28 < hyper_ch> dns is something different from that
03:28 < mikeage> true, but openvpn also issues IPs to clients, which are based on the hostname. DNS maps hostnames to IPs. 
03:29 < reiffert> mikeage: get bind, enable a dynamic zone
03:30 < reiffert> then have a shellscript update the zone
03:30 < hyper_ch> mikeage: well, openvpn does issue ips based on the according key :) at least here
03:30 < reiffert> use nsupdate for the update itself.
03:30 < hyper_ch> and the issuing of ips basing on hostname does not work all the time I think
03:30 < mikeage> thanks reiffert; I'll look into that. up to this point, my DNS (server) experience has been limited to my home router's GUI ;)
03:30 < reiffert> mikeage: have fun.
03:31 < hyper_ch> bind9 isn't that tough :)
03:31 < hyper_ch> just chroot it :)
03:32 -!- pmjdebruijn [pascal@jester.pcode.nl] has joined ##openvpn
03:33 < pmjdebruijn> mattock: thanks for your reply
03:33 < pmjdebruijn> but I'm looking for package sources like this http://www.openvpn.se/files/install_packages_source/ with the binaries prebuilt
03:33 < vpnHelper> Title: Index of /files/install_packages_source (at www.openvpn.se)
03:34 <@mattock> pmjdebruijn: no probs
03:34 < pmjdebruijn> my problem is, I'd like to build the nsis on Linux
03:34 <@mattock> ok, I see
03:34 < hyper_ch> package source with binaries prebuilt?
03:34 < pmjdebruijn> debian has a nice makensis package for that
03:34 < pmjdebruijn> hyper_ch: yes
03:34 < pmjdebruijn> like there was provided in the past
03:34 < hyper_ch> doesn't that contradict each other?
03:35 < pmjdebruijn> I ment prebuilt openvpn binaries... not package binaries
03:35 < hyper_ch> ah ok :)
03:35 <@mattock> so you don't need any modifications to the openvpn binary itself?
03:35 <@mattock> only the NSIS installer?
03:35 < pmjdebruijn> jep
03:36 < pmjdebruijn> wel, I do need minor modification to the binaries, I'd like to apply a manifest to the openvpn-gui so Windows 7 automatically elevates the privileges so openvpn can set a route
03:36 < pmjdebruijn> we might sign the binaries as well
03:36 < pmjdebruijn> but these are all post-compile modifications
03:37 <@mattock> is windows client exe an installer or the real OpenVPN client?
03:37 <@mattock> the official one I mean
03:37 < pmjdebruijn> huh?
03:37 < pmjdebruijn> we use the official openvpn.exe
03:37 < pmjdebruijn> we modifications we want, are just .exe metadata modifications
03:37 < pmjdebruijn> post-compile
03:37 < pmjdebruijn> http://article.gmane.org/gmane.network.openvpn.user/24873
03:38 < vpnHelper> Title: Gmane -- Mail To News And Back Again (at article.gmane.org)
03:38 < pmjdebruijn> the binaries are severely broken for Windows 7
03:38 < pmjdebruijn> it's not reasonable the require a user to rightclick "run as administrator"
03:38 < pmjdebruijn> anyway
03:38 < pmjdebruijn> the old install_packages_sources are perfect for my purposes
03:38 < pmjdebruijn> they just haven't been kept up to date
03:39 < reiffert> 2.1 beta7 is 5 years old.
03:39 < pmjdebruijn> is it?
03:39 < reiffert> sorry, 4.
03:39 < pmjdebruijn> ok
03:39 < pmjdebruijn> I'm not intending to use that
03:40 < pmjdebruijn> but the old distribution format (prebuilt binaries with nsis sources) is ideal for us, and I imagine for lots of other as well
03:40 -!- mikeage [~mmiller@mikeage.net] has quit [Ping timeout: 265 seconds]
03:40 < reiffert> so you are looking for the binaries just before they get packaged to an installer file?
03:40 < pmjdebruijn> yes, in a proper tree, so I can just run the nsis to get an installer
03:41 -!- mikeage [~mmiller@mikeage.net] has joined ##openvpn
03:42 < reiffert> pmjdebruijn: you like to modify security related stuff that gets into account during the installation?
03:42 -!- kyrix [~ashley@41.92.11.142] has joined ##openvpn
03:42 < reiffert> so all you need to modify are some nsis package control variables or smth?
03:43 < pmjdebruijn> reiffert: not into the accounts
03:43 < pmjdebruijn> reiffert: the manifest is in the exe, it tells Windows the openvpn-gui binary (and all binaries it starts) need elevated rights (to set the route)
03:43 < reiffert> to get into account = are important, let me check my dictonary
03:44 < pmjdebruijn> huh?
03:44 < pmjdebruijn> this has nothing to do with specific accounts
03:45 < pmjdebruijn> anyway
03:45 < pmjdebruijn> again, the old distribution format is exactly right for my uses
03:45 < pmjdebruijn> I'd very much like a tree of binaries, with a source nsis, which I can just makensis
03:50 < pmjdebruijn> I'm trying to recreate the try myself now
03:50 < pmjdebruijn> tree*
03:50 < pmjdebruijn> for example I'm having an issue with a missing defs.nsi... which I'm wondering if it's creating during compile/build scripts?
03:54 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
03:55 < reiffert> sorry, I'm not that far in windows world.
03:56 < pmjdebruijn> I'm neither, but I have to be at the moment
03:56 < pmjdebruijn> it seems asif the source build and installer build have been integrated into each other :'(
03:59 < pmjdebruijn> that's horrible
04:00 -!- sq7obj [sq7obj@gateway/shell/rootnode.net/x-fyutfuponontjepp] has left ##openvpn []
04:04 -!- morphles_ [~useris@86.100.95.148] has left ##openvpn []
04:10 -!- stony [~ol@187-140-088-212.ip-addr.teresto.net] has joined ##openvpn
04:10 < stony> hi
04:11 < stony> what happens if i use server 10.1.1.0 255.255.255.0 and using topology subnet
04:11 < stony> is this compatible ?
04:21 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Ping timeout: 246 seconds]
04:30 -!- CheBuzz_Home [~CheBuzz_H@88-202-61-65.ip.skylogicnet.com] has quit [Read error: Connection reset by peer]
04:31 -!- mikeage [~mmiller@mikeage.net] has quit [Remote host closed the connection]
04:31 -!- mikeage1 [~mmiller@mikeage.net] has joined ##openvpn
04:31 -!- mikeage1 is now known as mikeage
04:32 -!- CheBuzz_Home [~CheBuzz_H@88-202-61-65.ip.skylogicnet.com] has joined ##openvpn
04:32 -!- dazo_afk is now known as dazo
04:32 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 276 seconds]
04:45 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:46 -!- CheBuzz_Home [~CheBuzz_H@88-202-61-65.ip.skylogicnet.com] has quit [Read error: Connection reset by peer]
04:55 < pmjdebruijn> stony: what's a topology subnet?
05:00 < |Mike|> keizerflop!
05:00 < |Mike|> !topology
05:00 < vpnHelper> |Mike|: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
05:07 -!- fahmad [~linux@vpn.server4sale.com] has joined ##openvpn
05:08 < fahmad> hello
05:09 -!- mikeage [~mmiller@mikeage.net] has left ##openvpn ["Leaving."]
05:10 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
05:26 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
05:28 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:30 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
05:41 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has joined ##openvpn
05:46 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
06:07 < pmjdebruijn> ok
06:10 -!- Netsplit *.net <-> *.split quits: hyper_ch, fremo__, LobbyZ, btm, zamba, Krikke, sno, freaky[t], pmjdebruijn, Cap_J_L_Picard,  (+3 more, use /NETSPLIT to show all of them)
06:11 < fahmad> can some one tell me how can i fix this error openvpn[10244]: Libgcrypt warning: missing initialization - please fix the application
06:11 -!- dug_ [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
06:11 -!- Netsplit over, joins: fremo__
06:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
06:11 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 264 seconds]
06:13 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
06:14 -!- pmjdebruijn [pascal@jester.pcode.nl] has joined ##openvpn
06:15 -!- btm [~btm@serenity.ninjr.org] has joined ##openvpn
06:15 -!- zamba [marius@flage.org] has joined ##openvpn
06:15 < fahmad> any one ?
06:15 -!- sno [~sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn
06:15 -!- Krikke [~ixevix@62.142.105.142] has joined ##openvpn
06:15 < fahmad> can some one tell me how can i fix this error openvpn[10244]: Libgcrypt warning: missing initialization - please fix the application
06:15 -!- Cap_J_L_Picard [~ewanm89@unaffiliated/ewanm89] has joined ##openvpn
06:15 -!- atlantic [~atlantic@hok.duf.hu] has joined ##openvpn
06:16 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
06:18 < krzee> sounds like you had an error compiling
06:18 < fahmad> nope i do not get any error
06:19 < fahmad> its while i run openvpn it give me error when client trying to connect ...
06:20 < krzee> openvpn AS or open source?
06:22 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
06:22 < fahmad> opensource
06:22 -!- insane^ [~jg@pizza.internetx.de] has quit [Read error: Connection reset by peer]
06:28 -!- Typone [~nnnnnnnit@195.197.184.87] has joined ##openvpn
06:30 < krzee> never seen anything like that, check that libcrypt is installed right i guess
06:33 < Argafal> i'd like to repeat my question from a few days ago. i have a problem with using the socks-proxy parameter of openvpn, let me give you pastebin links:
06:33 < Argafal> http://nopaste.info/a069e224d8.html openvpn conf
06:34 < fahmad> krzee: its installed
06:34 < Argafal> terminal message: http://nopaste.info/7af3c84a64.html "recv_socks_reply: TCP port read failed on recv(): Operation now in progress (errno=115)"
06:34 < krzee> dev tcp-server  ?
06:35 < Argafal> i also know this issue exists for quite a while since i can find a few other people reporting it on the net, without any solutions to be found.
06:36 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
06:40 < krzee> Argafal, using 2.1.1?
06:41 < krzee> i have: socks-proxy 10.8.1.1
06:41 < krzee> socks-proxy-retry
06:41 < krzee> and it works for me
06:41 < krzee> but im wondering what dev tcp-server is
06:43 < krzee> --dev tunX | tapX | null 
06:43 < krzee> TUN/TAP virtual network device ( X can be omitted for a dynamic device.)
06:43 < fahmad> krzee: any idea about my issue :S
06:44 < |Mike|> fahmad: what distro / os are you using?
06:45 < fahmad> CentOS
06:45 < fahmad> 5.4
06:45 < |Mike|> and you've installed openvpn with yum?
06:45 < fahmad> nope
06:45 < fahmad> i compiled it using source
06:45 < |Mike|> if you want to make a mess of your system, go ahead :)
06:46 < fahmad> ?
06:46 < Argafal> krzee: using 2.1.0
06:46 < |Mike|> why do you think that centos uses a package system fahmad...
06:46 < fahmad> |Mike|: i used rpmbuilt -tb openvpn-2.1.1.tar.gz
06:47 < fahmad> and its created openvpn rpm
06:47 < fahmad> and i installed
06:47 < Argafal> krzee: i have no idea about dev tcp-server. :-/ it's a config i got from someone and which works as long as no socks-proxy is specified.
06:47 < |Mike|> okay, you just told me something else ;)
06:47 < Argafal> but i'd love to try other settings, if you have any suggestions.
06:47 < fahmad> |Mike|: sorry for that :)
06:48 < fahmad> |Mike|: it also means that its being compiled on my system
06:48 < Argafal> krzee: what port does your socks-proxy 10.8.1.1 assume?
06:48 < Argafal> cause i specify one explicitly.
06:49 < krzee> assumes port 1080
06:49 < krzee> standard socks port
06:50 < Argafal> but that shouldn't be my problem ...
06:50 < |Mike|> fahmad: did it fail or error about libcryupt?
06:50 < |Mike|> -u
06:50 < fahmad> yes
06:50 < |Mike|> while compiling i mean.
06:50 < fahmad> what you means by -u ?
06:50 < fahmad> nope
06:51 < |Mike|> libcryupt -u => libcrypt (fix typo)
06:51 < Argafal> that is a new disussion i haven't seen before, same error as mine. but i don't speak russian :-/ http://www.securitylab.ru/forum/forum21/topic48102/
06:51 < vpnHelper> Title: openvpn + proxy (at www.securitylab.ru)
06:51 < fahmad> hold
06:51 < |Mike|> what openvpn version is available in Centos btw?
06:51 < krzee> google translate
06:51 < Argafal> krzee: and they use other devs but report the same issue, so i'd think this shouldn't be the problem.
06:52 < fahmad> humm
06:52 < krzee> maybe an issue on the socks server
06:52 < krzee> try proto tcp, maybe your socks server doesnt do udp
06:52 < Argafal> krzee: the socks server is just a ssh -D localhost:5555
06:52 < Argafal> so it does not do udp.
06:52 < krzee> although, if that does work, note this:
06:52 < krzee> !tcp
06:52 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
06:53 < Argafal> and i know it is a bad idea :-( unfortunately there is no way around it (that i'd know of)
06:55 < krzee> well your config is for udp
06:55 < krzee> so that explains your error
06:55 < Argafal> http://nopaste.info/968510d7fd.html same with proto tcp. though it could be that the server doesn't support it.
06:55 < Argafal> krzee: yeah, i guess. thanks for pointing me towards it. 
06:55 < krzee> np
06:56 < Argafal> i guess now i need to explain the server admin why and how to enable tcp server-side.
06:56 < krzee> try dante as a decent socks server
06:56 < Argafal> krzee: dante?
06:56 < krzee> !socks
06:56 < vpnHelper> krzee: Error: "socks" is not a valid command.
06:56 < krzee> hrm
06:56 < Argafal> hrhr
06:56 < Argafal> http://www.inet.no/dante/ that one?
06:56 < vpnHelper> Title: Dante - A Free Socks Implementation (at www.inet.no)
06:56 < krzee> !factoids search sock
06:56 < vpnHelper> krzee: "sockd" is if you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP! otherwise you will be an open proxy. that config has no security because its expected to run inside openvpn
06:57 < krzee> ya
06:59 < Argafal> thanks once again. will be a bit bigger issue than i hoped, but at least i know where to start now.
06:59 < krzee> you can also have dante auth with same passes as ssh
07:00 < krzee> i have that setup as well with freebsd using pam
07:00 < krzee> although in linux the support is built into the app
07:11 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
07:19 -!- pdt [~ptinsley@99-0-36-187.lightspeed.mrbotn.sbcglobal.net] has joined ##openvpn
07:21 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
07:23 < Bushmills> ah
07:23 < Bushmills> krzee !eaten by saltwater crocodiles,  !stung by deadly jellyfish,  !bitten by hand palm sized spiders 
07:24 < Bushmills> do you have a pet taipan now?
07:26 < havoc> morning
07:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:43 -!- pdt [~ptinsley@99-0-36-187.lightspeed.mrbotn.sbcglobal.net] has quit [Quit: pdt]
07:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
08:06 -!- Liquido123 [~Liquidoz@213.197.141.162] has joined ##openvpn
08:06 < Liquido123> hello
08:06 < ecrist> hi
08:06 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
08:06 < havoc> hi
08:08 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
08:09 < Liquido123> I got a one long question regarding openvpn. I have 2 interfaces (ethX) where I have separate networks running (let say 192.168.0.12 on eth0 and 192.168.1.12 on eth1). Now what I want: is it possible to run OpenVPN with such configs: I want to make sure that my road warriors could access those external networks + they would have all of their connections passed through my vpn server (redirect-gateway) ?
08:10 < Liquido123> I tried to do push "192.... 255.." but this does not help
08:10 < Liquido123> they cannot access external networks
08:12 < Liquido123> any ideas ?
08:17 < ecrist> NAT?
08:22 < upb> why NAT when you could do it with routing ?:P
08:23 < ecrist> he said 'external' which means 'publicly routable' to me.
08:23 < Liquido123> look, let me explain again
08:23 < Liquido123> please forget what was written
08:23 < Liquido123> I will explain in correct english now
08:23  * ecrist forgets
08:23 < Liquido123> give me few moments please
08:24 -!- krphop [~krphop@74-82-160-100.take2hosting.com] has joined ##openvpn
08:24 -!- krphop [~krphop@74-82-160-100.take2hosting.com] has quit [Client Quit]
08:25 < upb> he also said 'those external' which i took was referring to 'networks running (let say 192.168.0.12 on eth0 and 192.168.1.12 on eth1)' :P
08:26 -!- krphop [~krphop@74-82-160-100.take2hosting.com] has joined ##openvpn
08:26 -!- krphop [~krphop@74-82-160-100.take2hosting.com] has left ##openvpn []
08:27 -!- krphop [~krphop@74-82-160-100.take2hosting.com] has joined ##openvpn
08:35 < Liquido123> theres 2 network cards (192.168.0.12 on eth0 and 192.168.1.12 eth1), I want to run openvpn server on that machine with following setup: is it possible that user who connects to this openvpn would have an opportunity to access 192.168.0.x or 192.168.1.x machines ? Also, is it possible have redirect-gateway feature enabled for this setup ?
08:36 < krzee> !route
08:36 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:36 < krzee> yes it is
08:36 < krzee> !redirect
08:36 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
08:36 < krzee> i suggest only worrying about 1 at a time
08:37 < Liquido123> !nat
08:37 < vpnHelper> Liquido123: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
08:37 < Liquido123> !ipforward
08:37 < vpnHelper> Liquido123: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
08:37 < Liquido123> !linipforward
08:37 < vpnHelper> Liquido123: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
08:37 < Liquido123> thanks krzee 
08:37 < krzee> np
08:39 < krzee> !linnat
08:39 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
08:41 -!- stony [~ol@187-140-088-212.ip-addr.teresto.net] has quit [Ping timeout: 245 seconds]
08:53 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:08 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Remote host closed the connection]
09:08 -!- MadTBone [~MadTBone@160.39.238.196] has joined ##openvpn
09:19 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
09:21 -!- goog1jh [googijh@my.barbie.wears.no-panties.org] has quit [Ping timeout: 240 seconds]
09:23 -!- goog1jh [googijh@my.barbie.wears.no-panties.org] has joined ##openvpn
09:29 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
09:31 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
09:34 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
09:38 -!- Guest26987 is now known as fahadsadah
09:39 -!- fahadsadah [fahad@pyramid.cluenet.org] has quit [Changing host]
09:39 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
09:43 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Quit: ZNC - http://znc.sourceforge.net]
09:44 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
09:45 < fahmad> hey
09:45 < fahmad> can some one tell me why i get this problem
09:45 < fahmad> Thu Feb 25 20:42:17 2010 WARNING: Since you are using --dev tun, the second argument to --ifconfig must be an IP address.  You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
09:45 < fahmad> Thu Feb 25 20:42:18 2010 There is a problem in your selection of --ifconfig endpoints [local=172.16.0.153, remote=255.255.255.0].  The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet.  This is a limitation of --dev tun when used with the TAP-WIN32 driver.  Try 'openvpn --show-valid-subnets' option for more info.
09:45 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has quit [Ping timeout: 248 seconds]
09:46 < ecrist> fahmad: have you read the warning?
09:46 < ecrist> it tells you EXACTLY why it's complaining
09:46 < fahmad> ecrist: i do not know what to do 
09:46 < fahmad> --ifconfig-nowarn
09:51 < havoc> ecrist: morning
09:51 < ecrist> fahmad: post your configs here, please
09:51 < ecrist> !configs
09:51 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
09:51 < ecrist> hello, havoc
09:51 < fahmad> ok
09:52 < fahmad> http://www.pastie.org/private/bxbokhiv1esvx5vk1lca
09:52 < fahmad> this is my server config
09:52 < fahmad> i am using Radius Autnetication :$
09:54 < fahmad> fixed
09:57 < havoc> ecrist: have some questions when you've got time
09:57 < ecrist> ask away, I'll answer as I have time. :)
09:57 < havoc> ecrist: http://pastebin.com/d3x7nWtm
09:58 < havoc> ecrist: getting those HMAC errors every 2sec or so, yet everything actually works as expected
09:59 < ecrist> are you coming in from 100.100.100.238, or is that someone else?
10:00 < havoc> me
10:00 < ecrist> do you have a second instance of openvpn running in the background (maybe left over from testing?)
10:02 < ecrist> do ta.key files match on both client and server?
10:02 < havoc> yes, md5sums are same
10:02 < havoc> and I thought about the leftover iface, rebooted everything
10:02 -!- Liquido123 [~Liquidoz@213.197.141.162] has quit [Quit: Lost terminal]
10:03 < havoc> hmm, everything rebooted but this 100.100.100.238, the router box
10:03 < havoc> debian
10:04 < havoc> I suppose that's the next step
10:04 < havoc> lemme get back to you, this'll be a pain :(
10:04 < ecrist> havoc: ok
10:05 < ecrist> it looks like your key files are mismatched, though.
10:05 < ecrist> or, try adding --float to your config
10:05 < havoc> hang on
10:06 < havoc> --float has/had no effect
10:07 < havoc> and which key files are mismatched?
10:08 -!- krphop [~krphop@74-82-160-100.take2hosting.com] has quit [Quit: Leaving]
10:11 < havoc> ok, I'll try rebooting the debian router machine, that seems to be the last option
10:19 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
10:23 < havoc> geez
10:23 < havoc> now that a billion things have been disconnected, it's fixed ;)
10:24 < havoc> I had hoped linux wouldn't require that, oh well :(
10:24 < havoc> ~50 ssh sessions and ~30 RDP sessions disconnected :(
10:25 < havoc> well, nto all disconnected, was apparently fast enough
10:25 < havoc> ecrist: thanks :)
10:26 < rob0> ah, I have a theory, maybe you had a second openvpn process running which was causing the log errors.
10:26 < rob0> obviously a reboot would have been one (brutal) way to clear that up.
10:33 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:34 < ecrist> I suggested that...
10:34 < ecrist> 10:00 < ecrist> do you have a second instance of openvpn running in the background (maybe left over from testing?)
10:34 -!- uchimata_ [~uchimata@HSI-KBW-095-208-192-010.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
10:37 < havoc> ecrist: I know, it was justa  last resort; I didn't *want* to do it, yet ;)
10:37 < havoc> rob0: I couldn't find any other processes when I comp[letely shutdown openvpn
10:37 < havoc> or I would have just killed the proc
10:38 -!- uchimata [~uchimata@HSI-KBW-095-208-192-010.hsi5.kabel-badenwuerttemberg.de] has quit [Ping timeout: 245 seconds]
10:38  * rob0 scrolls up, oops, I missed that :)
10:40 < havoc> I can only imagine that it was something the kernel networking subsys was doing
10:40 < havoc> but I don't know nearly enough about it to do more than speculate
10:40 -!- pegg [~pegg@208.73.74.77] has joined ##openvpn
10:40 < havoc> eh, it's fixed now
10:42 < pegg> I have openvpn with tap and ip given out with isc-dhcpd to the clients, I have it working on windows, but os x and linux are proving to be dificult.  I want all the traffic to traverse over the VPN, I can get OS X or linux to conect but every time the get the DHCP lease they get the no route to host (code=113) error
10:46 -!- mimecine [~Adium@cpe-67-250-38-114.nyc.res.rr.com] has joined ##openvpn
10:46 -!- rob0 [~rob0@tuxaloosa.org] has quit [Ping timeout: 260 seconds]
10:47 < pegg> http://pastebin.com/8MG5HTw4
11:00 -!- mimecine [~Adium@cpe-67-250-38-114.nyc.res.rr.com] has quit [Quit: Leaving.]
11:03 < krzee> !configs
11:03 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
11:14 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Quit: ircN 8.00 for mIRC (20080809) - www.ircN.org]
11:15 -!- rob0_ [~rob0@tuxaloosa.org] has joined ##openvpn
11:27 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
11:27 -!- mode/##openvpn [+o openvpn2009] by ChanServ
11:39 -!- Blues-Man [~bluesman@host252-80-dynamic.37-79-r.retail.telecomitalia.it] has joined ##openvpn
11:50 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
11:50 -!- mode/##openvpn [+o mattock] by ChanServ
11:59 <@mattock> the community meeting at #openvpn-discussion is just about to start - it was moved 1 hour earlier (18:00UTC) in last weeks meeting
12:10 -!- djscott_ [~djscott@SCHEHERAZADE.MIT.EDU] has quit [Ping timeout: 265 seconds]
12:11 -!- DJ_HaMsTa [~tocmo0nlo@c-69-136-240-76.hsd1.nj.comcast.net] has joined ##openvpn
12:11 < DJ_HaMsTa> hai guys
12:14 < |Mike|> pmjdebruijn: wist niet dat jij iets met ovpn + windows deed :)
12:14 < pmjdebruijn> heh
12:15  * |Mike| is mikeh van bbq
12:20 < DJ_HaMsTa> This server runs as this user: what should i put here? 
12:30 < krzee> a friend just gave me a couple safeword keychain dongles, now im going to do my research, wanna integrate them into a ovpn setup
12:31 -!- cobradevil [~chatzilla@93-125-200-5.dsl.alice.nl] has joined ##openvpn
12:31 < cobradevil> Hello all
12:31 < DJ_HaMsTa>  im trying to install OpenVPN and i am very noobish, i have GADMIN-openVPN server and i am trying to configure the server settings and the user accounts. What should i enter for "The server runs as this user: / The server runs as this group? "
12:32 < cobradevil> i have a question about the possibility for a gui application for openvpn client which supports smartcards
12:32 < Bushmills> DJ_HaMsTa: i suppose most users here don't use GUIs for openvpn configuration
12:33 < krzee> cobradevil, you looking to write code or hoping it gets made?
12:33 < cobradevil> no just wondering if there is something like that already
12:34 < cobradevil> i am creating an usb stick where people can make a connection to work and we have smartcards
12:34 < DJ_HaMsTa> i am sure the question would stand without a GUI
12:34 < cobradevil> now network-manager is simple for network / wireless setup
12:34 < krzee> DJ_HaMsTa, sounds like --user and --group from the manual
12:35 < cobradevil> it also has support for vpn connections but i have to make use of a smartcard
12:36 < cobradevil> the smartcard has a pin but i have not found any info about a client gui with support for smartcards asking a user for a pin
12:36 < cobradevil> I got this working on the cli but has someone any info about a gui for computer noobs?
12:36 < krzee> im wondering if it asks that like a normal password
12:37 < krzee> ild assume the gui's would have code for normal auth-password stuff
12:37 < cobradevil> at the cli i get enter password which is the pin
12:37 < cobradevil> for the smartcard i use
12:37 < Bushmills> DJ_HaMsTa: well, it does. usually, the config file contains appropriate user and group names, as result of installation, or because the config has defaults which go well with the OS or distribution.  
12:38 < DJ_HaMsTa> "nobody" is there
12:38 < Bushmills> that often eliminates the need for the user to look up for himself what user and groups he has make sense
12:38 < Bushmills> after all, what goes in there must be existing user and group
12:39 < Bushmills> so i can't suggest to you to use  user openvpn, because i have no idea whether that user exists on your system
12:39 < DJ_HaMsTa> how can i look up the groups in my system ?
12:40 < Bushmills> and whether that use owns the relevant files, or has proper permissions to dirs#
12:40 < Bushmills> you could look at your groups file
12:40 < roe> is there documentation somewhere I can read that discusses gaining access to a Directory service managed network through openVPN.  Once connected to the network, how are network user permissions correctly managed?
12:41 -!- pegg [~pegg@208.73.74.77] has quit [Quit: Leaving]
12:41 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
12:41 < Bushmills> what's a network user permission?
12:41 < krzee> that has nothing to do with openvpn
12:42 -!- pegg [~pegg@208.73.74.77] has joined ##openvpn
12:42 < krzee> he wants to access things in his remote AD setup
12:42 < roe> not directly, no.
12:42 < krzee> you would do it the same as a local one for the most part
12:42 < krzee> possibly needing wins if using a tun
12:42 < krzee> !wins
12:42 < vpnHelper> krzee: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
12:43 < pegg> I have openvpn with tap driver and ip public IP addresses serverd from ISC-DHCP working on windows but not os X or linux, some pointers/ help would be apperichated   full wirte is is here http://pastebin.com/vA9rAgMs
12:43 < roe> except don't you have to be logged in to the client in order to start the VPN, but once logged in you can't authenticate anymore to the LDAP server
12:44 < roe> not AD, not windows, WINS an't gonna be helpful
12:45 < Bushmills> pegg: does your linux client obtain dns name or up from dhcp server?
12:45 < krzee> oh ok
12:45 < Bushmills> .."or ip address" ...
12:45 -!- DJ_HaMsTa [~tocmo0nlo@c-69-136-240-76.hsd1.nj.comcast.net] has quit [Ping timeout: 245 seconds]
12:46 < krzee> and you arent looking to auth using ldap, correct?
12:48 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:51 < pegg> I want to to reterive  ip and dns  from the DHCP server 
12:52 < pegg> Bushmills like a good DHCP server and client should work
12:53 -!- Blues-Man [~bluesman@host252-80-dynamic.37-79-r.retail.telecomitalia.it] has quit [Quit: Sto andando via]
12:55 -!- buntfalke_ is now known as buntfalke
12:55 < Bushmills> did you read this section in the man page:  " Note that if --dhcp-option is pushed via --push to a non-windows client, the option will be saved in the client's environment before the up script is called, under the name "foreign_option_{n}".  ?
12:55 < Bushmills>               
12:55 -!- DJ_HaMsTa [~tocmo0nlo@c-69-136-240-76.hsd1.nj.comcast.net] has joined ##openvpn
12:56 < Bushmills> though i'm not sure whether that's relevant in your case of bridging
12:57 < pegg> Bushmills so what would be saved in the foreign_option_{n} varable?
12:58 < pegg> <Bushmills> sounds like it might be relevent
12:58 -!- Gnewt [~hackerlet@li57-94.members.linode.com] has left ##openvpn []
12:59 < Bushmills> i suppose it isn't.  your vpn connection is up, then your dhcp client executes, and broadcast the dhcp request, which reaches dhcp server on vpn server machine?
13:01 -!- rob0_ is now known as rob0
13:01 < pegg> <Bushmills> actully no, I am not pushing dhcp options I did use that when I was using the tun driver, but I wanto to switch to tap so I can use ISC-DHCPD to push public ip address to the clients
13:02 < Bushmills> why would you need a dhcpd, and tap, for that?
13:02 < pegg> <Bushmills> yes that is correct vpn client connects properly, I have some sonme of the testing by hand with the dhcp and, it gets a ip from the dhcp server, then it get the error  http://pastebin.com/vA9rAgMs
13:03 -!- cobradevil [~chatzilla@93-125-200-5.dsl.alice.nl] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.2pre/20100223061627]]
13:06 < Bushmills> sounds like you should check you client routing table
13:11 < krzee> [11:02]  <Bushmills> why would you need a dhcpd, and tap, for that?
13:11 < krzee> agreed
13:11 < krzee> pushing a public ip is as easy as setting aside a subnet for openvpn to use, and topology subnet
13:11 < krzee> and likely
13:12 < krzee> !static
13:12 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
13:13 < Bushmills> krzee !eaten by saltwater crocodiles,  !stung by deadly jellyfish,  !bitten by hand palm sized spiders.  do you have a pet taipan now?
13:13 < krzee> hehe
13:13 < |Mike|> lol
13:13 < krzee> i have some aussie girls now if that counts
13:13 < krzee> they like my pet taipan
13:14 -!- DJ_HaMsTa [~tocmo0nlo@c-69-136-240-76.hsd1.nj.comcast.net] has quit [Quit: Ex-Chat]
13:15 < havoc> heh aussies
13:17 -!- skymaaster [~skymaaste@h142n2fls34o972.telia.com] has joined ##openvpn
13:19 < skymaaster> After trying various solutions for how to make Fedora's NetworkManager accept Bridge setups without blocking all traffic for EXTIF (external internet-facing interface) ive come up with a solution as follows...
13:19 < skymaaster> http://mange.dynalias.org/linux/gadmin-openvpn/server/devel/broken-networkmanager.txt
13:19 < skymaaster> took alot of time to find out
13:19 < krzee> !netman
13:19 < vpnHelper> krzee: "netman" is if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from an openvpn expert on the mail list
13:20 < krzee> ;]
13:20 < skymaaster> krzee: Ubuntus networkmanager is fine, fedoras is a bit hosed
13:21 < krzee> the way it handles openvpn configs is junk
13:21 < krzee> regardless of distro
13:21 < skymaaster> Yeah, it blows
13:22 < skymaaster> I made 2 new guis -> http://mange.dynalias.org/linux.html (tried them ?)
13:22 < vpnHelper> Title: The GAdminTools Project (at mange.dynalias.org)
13:22 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 268 seconds]
13:23 < skymaaster> echo BackScatter |  < /dev/null http://gadmintools.flippedweb.com
13:23 < vpnHelper> Title: Gadmintools - Home (at gadmintools.flippedweb.com)
13:24 -!- dazo is now known as dazo_afk
13:24 < skymaaster> krzee: It took me 3 days to figure out the useless of networkmanager (Besides its ability to up/down interfaces at connection loss..)
13:25 < skymaaster> A simple script can do that much better
13:27 < skymaaster> while [ 1 ]; do \n if [ server_up == "yes" ]; then \n echo ok \n else restart_server \n sleep 3 \n fi 
13:27 < Bushmills> while : ; .... suffices, btw
13:28 < skymaaster> I emailed redhat but got no reply for some days
13:28 < skymaaster> Ok
13:28 < skymaaster> yeah... for( ;; )
13:28 < Bushmills> server_up  ... missing something here`
13:28 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Connection reset by peer]
13:28 < skymaaster> it calls server_up() i guess
13:29 < Bushmills> ah, ok
13:29 < skymaaster> :)
13:29 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
13:29 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
13:29 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
13:31 < skymaaster> Bushmills, Krikke: If you want to start another network app after "ip link set eth0 up" then another sleep is required. I use 7, but 3 could also be fine. What a pice of crap that networkmanager is atm
13:32 < skymaaster> Ehm, also... "ip" and ifconfig should only return success when the link is frikkin "up" :)
13:32 < Bushmills> appears to be overrated.
13:32 < skymaaster> hehe
13:33 < skymaaster> Ah, Its my birthday this weekend. My gf gave me a huge green plant (over a meter tall). Frikken cool.
13:33 < Bushmills> actually, when i had nm installed, shortly, it did the opposite of what it was supposed to do. rather then keeping me online, it was consistently the reason why connection failed.
13:33 < skymaaster> Read: http://mange.dynalias.org/linux/gadmin-openvpn/server/devel/broken-networkmanager.txt
13:34 < skymaaster> FC11 sucks as well, but on Debian/Ubuntu openvpn just works
13:34 < rob0> "ip link set eth8 up ; echo $?" I get Cannot find device "eth8" \n 255
13:34 < skymaaster> 8 ?
13:35 < skymaaster> Ah, its Robocop :=)
13:35 < rob0> ip does not return success in that case anyway.
13:35 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
13:37 < skymaaster> ip link show eth8 || echo it_does
13:37 < skymaaster> Device "eth8" does not exist.
13:37 < skymaaster> it_does
13:38 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
13:38 < rob0> Similarly, trying to add a bad route returns failure (exit 2).
13:39 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
13:40 < skymaaster> route add foo $? ; echo $?
13:40 < skymaaster> foo: Unknown host
13:40 < skymaaster> 1
13:40 < rob0> I don't know about ifconfig (other than that it is broken and unmaintained), but ip seems to be sane.
13:40 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
13:40 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
13:40 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
13:41 < skymaaster> ssh/scp can return 255, 127 or something on success as well as 0 :)
13:42 < skymaaster> I agree that some things arent very cool when you dig into the foo of it all.
13:43 < skymaaster> But if something gives options and declare its states then all things are doable.
13:43 < skymaaster> When was OpenVPN first started, beeing coded on ?
13:44 < skymaaster> 2003 or...
13:44 < skymaaster> Its an awesome thing. Cudos!
13:45 < rob0> DNS tools like dig(1) have a problem reporting various things that you might consider "failure". If the query was made successfully, regardless of what was found, it exits 0.
13:46 < skymaaster> But thats not as important as knowing wether the networking is up or not, because dig returns data if data is found and no data if not, whereas if ip or ifconfig didnt it would be a disaster
13:47 < skymaaster> You can check for a reply with MX etc
13:48 < skymaaster> dig foo | grep "^MX.*" || echo Nope
13:48 < skymaaster> Or somethings
13:49 < rob0> http://openvpn.net/index.php/about.html 2002
13:49 < vpnHelper> Title: About Us (at openvpn.net)
13:50 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 256 seconds]
13:50 < skymaaster> Cool
13:50 < skymaaster> I hope they like my guis ?
13:51 < Bushmills> dig +short foo MX    not good?
13:51 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 252 seconds]
13:51 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
13:51 -!- mode/##openvpn [+v Kas] by ChanServ
13:52 < skymaaster> There are many ways to check the dig.
13:52 < Bushmills> actually, for return value, it isn't good
13:52 < rob0> yes, but my point is, not just the exit code, in many cases.
13:52 < rob0> depending on what the goal is
13:52 < skymaaster> Yeah, but its usable... not like NetworkManager
13:54 < skymaaster> /etc/rc.d/init.d/Networkmanager restart && ping -c 1 www.google.se && ( echo ok || echo crap )
13:54 < skymaaster> /etc/rc.d/init.d/NetworkManager restart && ping -c 1 www.google.se && ( echo ok || echo crap )
13:54 < skymaaster> The paths are from "
13:54 < skymaaster> "my ram" :)
13:55 < skymaaster> google.com
13:55 < skymaaster> takes a while to start it up if on dynamic interfaces
13:55 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
13:55 -!- mode/##openvpn [+v openvpn2009] by ChanServ
13:57 < skymaaster> I wonder if the founders have worked on Sandvik in Sweden ?
13:58 < skymaaster> In any case, very solid vpn-program.
14:01 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
14:03 < skymaaster> I set OpenVPN up for my fathers brothers business. Works nicely.
14:05 < pegg> krzee why would I want to use ccd directory, I dont want to have to give each user their own ip
14:06 < skymaaster> I just wish someone would make a very good CAD program thats not so expensive as adobes (30000-5000) USD extortion upgrades
14:06 < skymaaster> pegg: Give it valid login times and so on... ?
14:07 < pegg> skymaster what you do you mean "vaild login times"  there is no log in limit
14:07 < skymaaster> case fetch_date_time() in time_is(7-9) && dont_pull_route
14:07 < skymaaster> Sky is the limit when using CCD
14:09 < skymaaster> pegg: its an awesome feature
14:10 < pegg> well I want all the users to be able to log in any time
14:13 < pegg> I want the users to have publc ip';s able to log in any time, but for the users to user the ip;s most effictently   ,    openvpn seams to be pretty liberal when it comes to ipi useage, but it does not really matter when you have a while public ip space to use
14:23 < skymaaster> Rock!!! :)
14:32 < Bushmills> login where? connect client to server? that demands a public ip on server
14:33 -!- s34n [~chatzilla@ip-208-76-93-125.mvdsl.com] has joined ##openvpn
14:35 < krzee> !topology
14:35 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
14:36 < krzee> with that its 1 ip per user
14:38 -!- kyrix [~ashley@41.92.11.142] has quit [Ping timeout: 248 seconds]
14:43 < skymaaster> pegg: Please define your question.
14:44 -!- pegg [~pegg@208.73.74.77] has quit [Ping timeout: 240 seconds]
14:45 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:46 < s34n> I have a generic question about a vpn that isn't openvpn
14:47 < skymaaster> Fork it over
14:47 < s34n> I have two networks (A and B) connected with VPN devices (a and b), but none of the hosts on either network know about a and b
14:48 < s34n> A and B have distinct address spaces
14:48 < skymaaster> The tunnel doesnt allow clients to see eachother ? /No broadcast
14:48 < s34n> strangely, the client do see each other
14:49 < skymaaster> What are the client OSES ?
14:49 < s34n> I can ping from A to B, for instance
14:49 < s34n> clients are mixed
14:49 < rob0> If the default gateways are the VPN peers, it should just work.
14:49 < skymaaster> Ok. I hate windows btw
14:49 < skymaaster> :)
14:50 < s34n> rob0: right
14:50 < s34n> I think that is my snag
14:50 < skymaaster> Well, if you can ping a box, in my oppinion its available to that client. Whats wrong ?
14:50 < s34n> the dg for A is a
14:50 < skymaaster> opinion
14:50 < s34n> the default gateway for B is b
14:51 < skymaaster> DG (DegoBah GyroGateway:)
14:51 < skymaaster> Sorry, its my birthday :)
14:51 < s34n> however, I have a host b' in the B network that also sits in C network
14:51 < skymaaster> Routing issues ?
14:51 < s34n> yep
14:52 < s34n> from A I can ping b'
14:52 < s34n> I don't understand how, but it works
14:52 < s34n> but I can't ssh b' from A
14:52 < skymaaster> Firewall in the way ?
14:52 < krzee> firewall
14:52 < s34n> that makes sense to me
14:53 < skymaaster> Tear it down and test
14:53 < s34n> even without a firewall, ssh doesn't work
14:53 < krzee> firewall
14:53 < krzee> it IS NOT routing if a ping can happen 1 way
14:53 < skymaaster> krzee: Correct!
14:54 < skymaaster> krzee: I had a nic that the RX (Reciever was hosed on) Not the tranciever (TX)
14:54 < skymaaster> Tricky shit
14:55 < krzee> damn
14:55 < skymaaster> ?
14:56 < rob0> happy birthday
14:56 < skymaaster> Thanks rob0!!!
15:00 < skymaaster> Heh, my Rhythmbox has labeled all my good music as "Unknown". Aces high etc :)
15:01 < reiffert> Aces Of Spades :)
15:01 < skymaaster> Rock and roll!!!
15:02 < reiffert> There will be a Movie about Lemmy out mid of march btw. Movie's gonna called "Lemmy".
15:03 < reiffert> Just enough time for reading his biography right before the movie gets out
15:03 < s34n> shouldn't the host rely on routing to know which interface to use when responding to a ping?
15:03 < reiffert> s34n: it should.
15:04 < skymaaster> http://powerlinead.files.wordpress.com/2008/05/noje-10s38-lemmy-567_3681.jpg
15:04 < skymaaster> Rock and frikkin roll!!! :)
15:04 < s34n> so when there is no route defined on b' to network A, it should just use the default gw, right?
15:04 < skymaaster> Looks like that "Witches of Eastwick" dood :=)
15:05 < reiffert> s34n: should use b's gateway in that case
15:05 < skymaaster> s34n: No, if theres no route it wont route at all
15:06 < reiffert> skymaaster: assuming that there is a default gw at least.
15:06 < skymaaster> Then client B/b is hosed
15:06 < s34n> there is a default gw
15:06 < skymaaster> Ok
15:06 < skymaaster> Yeahm then the default is used
15:06 -!- dazo_afk [~dazo@nat/redhat/x-eotqvidadipgeorz] has quit [Read error: Operation timed out]
15:06 < s34n> the default gw for b' is on the C network
15:06 < s34n> so the ping shouldn't work, it seems to me
15:07 < reiffert> s34n: know !route already?
15:07 < skymaaster> route / route print <- windomoblows.
15:07 < reiffert> !route
15:07 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:07 < skymaaster> Precedence of the routes are essential.
15:08 -!- dazo_afk [~dazo@nat/redhat/x-wbuewcupmncwnaaa] has joined ##openvpn
15:08 -!- dazo_afk is now known as Guest3546
15:08 -!- Guest3546 is now known as dazo
15:09 -!- dazo is now known as Guest38238
15:12 < reiffert> Check out that one as well http://www.secure-computing.net/wiki/index.php/Graph
15:12 < vpnHelper> Title: Graph - Secure Computing Wiki (at www.secure-computing.net)
15:13 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
15:15 < skymaaster> Hmm, i got an impression from the tv that Californian people dont want to pay the slightest bit to make people all over the US be more healty. A health that would benefit all as it would deminish crime and make people alot happier. Is anyone of you against this theory at present ?
15:15 < skymaaster> I saw a woman "Screaming --- No taxes" for instance
15:16 < s34n> reiffert: ok
15:17 < skymaaster> She seemed to be very confused according to me. Can any of you clarify her to me ?
15:17 < rob0> Oh that would be way off topic. I might have an opinion, but this is not the place to discuss that.
15:18 < skymaaster> Ok, but i assume we all like to have good peoples in our countries
15:18 < s34n> reiffert: b' has multiple interfaces: one on B and one on C
15:18 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 252 seconds]
15:19 < skymaaster> brctl them
15:19 < s34n> reiffert: the default gw on b' is the gateway for C
15:19 < skymaaster> Bridge the interfaces
15:19 < s34n> b' doesn't know about network A
15:19 < skymaaster> ENOPROBLEM :)
15:19 < s34n> somehow a ping from A to b' works
15:20 < s34n> that doesn't make sense to me
15:20 < skymaaster> Suck my pipe
15:22 < reiffert> skymaaster: would you please try pushing forward instead of giving insane ideas like bridging?
15:23 < reiffert> s34n: having multiple lans attached on multiple NICs is nothing special. Check that routing is working prior to playing with openvpn please.
15:23 < skymaaster> No answer.
15:23 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
15:24 < s34n> reiffert: I realize it is nothing novel
15:24 < skymaaster> There are atleast 2 solutions to any given problem.
15:24 < s34n> reiffert: b' isn't using openvpn
15:25 < reiffert> sorry, got to get my project finished.
15:25 < s34n> reiffert: right now, it doesn't know anything about a VPN or network A
15:25 < s34n> ah. ok
15:25 < reiffert> try not to listen to skymaaster's proposals, so far it's about motoerhear, arnold schwarzenegger and bridging.
15:25 < reiffert> motoerhead that is.
15:26 < skymaaster> Motoer head
15:26 < skymaaster> No, you mean Iron Maiden and Birtrhdays.
15:28 < skymaaster> Im overworked and have a bit of code rage (Fedora isnt good)
15:28 < skymaaster> But im cute as hell :)
15:28 < skymaaster> So my gf tells me
15:34 < skymaaster> Bushmills: Do you use Linux ?
15:35 < Bushmills> I do
15:35 < skymaaster> reiffert: I like the prospect of electricity fueling our cars instead of coal and arab oil. What do you think about that ?
15:36 < skymaaster> Yeah!
15:36 < Bushmills> Motörhead, actually
15:36 < skymaaster> ööö
15:36 < skymaaster> Yep
15:37 < skymaaster> Im going to have electric cars if im going to kill every one on this planet because its cool.
15:38  * Bushmills wonders how openvpn would be of use in that setup
15:38 < skymaaster> Brings jobs. I want to kick arse with anyone who disagrees.
15:38 < skymaaster> VPN from the car
15:38 < skymaaster> to the house
15:39 < skymaaster> ;)
15:42 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 252 seconds]
15:49 < skymaaster> Or to the whence "dedicated car-computer inter exchanges"
15:49 < skymaaster> Lets see, thatd mean 300.000 billion customers atleast
15:50 < skymaaster> Services to the cars
15:51 < skymaaster> Mind you a wireless connection becomes atleast 10 times as fast in responsiveness when connected to a more static line.
15:52 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:52 < skymaaster> Im tunneling into another computers stach because i get much faster responce times. 
15:53 < skymaaster> response
15:54 < skymaaster> Excuse my birthdayness :)
15:55 < skymaaster> Ill have to go tell Redhat/Fedora lamers that they use crappy NetworkManager code.
15:55 < skymaaster> Thanks for the chat. Love you!
16:08 -!- skymaaster [~skymaaste@h142n2fls34o972.telia.com] has quit [Ping timeout: 264 seconds]
16:11  * reiffert goes out for writing "Dont feed the animals" x 100
16:37 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 240 seconds]
16:38 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
16:38 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
16:38 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
16:52 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
16:54 -!- pa [~paolo@unaffiliated/pa] has joined ##openvpn
17:15 -!- portn0k [~portn0k@unaffiliated/portn0k] has joined ##openvpn
17:39 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 258 seconds]
17:43 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
17:43 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
17:43 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
17:43 -!- pa [~paolo@unaffiliated/pa] has quit [Remote host closed the connection]
17:56 < portn0k> http://pastie.org/843360 <-- here's my logs connecting client to server. which configuration (or both) do you guys need to see to help me fix this problem?
17:57 < portn0k> i'm really not sure whats wrong, i've forwarded the udp port in my pf.conf (freebsd router). i'm kinda lost.
18:03 < Bushmills> what problem?
18:11 -!- correcaminos [~luis.agui@201.201.46.106] has joined ##openvpn
18:12 < portn0k> well apparently its not seeing that my tap0 interface is up
18:12 < portn0k> but it is. ;/
18:12 < portn0k> or, at least, thats what ive gathered from the log.
18:13 < portn0k> tcpdump reveals no incoming traffic on the server either.
18:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
19:11 -!- pdt [~ptinsley@99-0-36-187.lightspeed.mrbotn.sbcglobal.net] has joined ##openvpn
19:36 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
20:08 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
20:23 -!- correcaminos [~luis.agui@201.201.46.106] has quit [Read error: Connection reset by peer]
20:31 -!- crazygir [~jason@unaffiliated/crazygir] has joined ##openvpn
20:32 < crazygir> hiya! is openvpn capable of taking a passphrase for an SSL cert?
20:41 < krzee> sure
20:42 < krzee> in fact the easyrsa scripts prompt you for an optional passphrase when you build the certs
20:42 < krzee> what happens is the private key gets encrypted on disk
20:45 -!- Dougy [~me@ool-435033e6.dyn.optonline.net] has joined ##openvpn
20:45 < Dougy> does anyone here use fdcservers by chance
20:46 < krzee> negative ghostrider
20:46 < krzee> wassup dougy
20:46 < crazygir> how do you pass in the passphrase to openvpn on start?
20:46 < Dougy> krzee: just got some photos of FDCservers's datacenter
20:46 < Dougy> let me put it this way
20:46 < Dougy> i'll NEVERRRRRRRR use them
20:46 < krzee> crazygir, it prompts you
20:47 < krzee> Thu Feb 25 18:47:13 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
20:47 < krzee> Enter Private Key Password:
20:47 < krzee> like that
20:47 < Dougy> krzee: http://ub3r.net/fdc/2009-10-03%2008.26.24.jpg
20:50 < crazygir> let me double check these logs..
20:53 < crazygir> there we go
20:53 < crazygir> I read the log too quickly (not far back enough actually)
21:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
21:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
21:55 -!- fahmad is now known as xen^
21:56 -!- xen^ [~linux@vpn.server4sale.com] has quit [Changing host]
21:56 -!- xen^ [~linux@unaffiliated/lnux/x-10290] has joined ##openvpn
21:57 -!- xen^ is now known as L|NUX
21:58 -!- L|NUX is now known as fahmad
21:58 -!- fahmad is now known as fahmed
21:58 -!- fahmed is now known as fahmad
22:00 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
22:05 -!- fahmad [~linux@unaffiliated/lnux/x-10290] has quit [Changing host]
22:05 -!- fahmad [~linux@unaffiliated/fahmad] has joined ##openvpn
22:11 -!- fahmad is now known as L|NUX
22:11 -!- L|NUX is now known as Xen^
22:27 -!- Dougy [~me@ool-435033e6.dyn.optonline.net] has quit []
22:34 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Ping timeout: 265 seconds]
22:35 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
22:37 -!- nb is now known as i
22:37 -!- i is now known as nb
23:01 -!- graffz [~graffz@120.28.142.54] has quit []
23:09 -!- tjz [~pc@bb116-15-74-197.singnet.com.sg] has joined ##openvpn
23:09 -!- tjz [~pc@bb116-15-74-197.singnet.com.sg] has quit [Changing host]
23:09 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
23:09 -!- pdt [~ptinsley@99-0-36-187.lightspeed.mrbotn.sbcglobal.net] has quit [Quit: pdt]
23:22 -!- hackeron [~hackeron@gentoo/user/hackeron] has quit [Ping timeout: 252 seconds]
23:22 -!- hackeron [~hackeron@cpc3-seve19-2-0-cust263.13-3.cable.virginmedia.com] has joined ##openvpn
23:22 -!- Argafal [argafal@users.tokkee.org] has quit [Remote host closed the connection]
23:22 -!- Argafal [argafal@users.tokkee.org] has joined ##openvpn
23:33 -!- havoc [~havoc@saturn.chaillet.net] has quit [Ping timeout: 260 seconds]
23:35 -!- havoc [~havoc@saturn.chaillet.net] has joined ##openvpn
23:44 -!- ||arifaX [~ContikiC6@inetpop1.witron.de] has joined ##openvpn
23:44 -!- ||arifaX [~ContikiC6@inetpop1.witron.de] has quit [Changing host]
23:44 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has joined ##openvpn
--- Day changed Fri Feb 26 2010
00:13 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
00:13 -!- mode/##openvpn [+o mattock] by ChanServ
01:00 -!- hid3 [~tst@lan-78-157-71-116.vln.skynet.lt] has quit [Read error: Connection reset by peer]
01:32 -!- Zordrak_ [~jaz@87-194-141-163.bethere.co.uk] has joined ##openvpn
01:35 -!- Zordrak [~jaz@87-194-141-163.bethere.co.uk] has quit [Ping timeout: 276 seconds]
01:50 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Ping timeout: 252 seconds]
02:07 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 252 seconds]
02:10 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
02:12 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Remote host closed the connection]
02:23 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
02:53 -!- traceback0 [~traceback@adsl-99-186-40-132.dsl.pltn13.sbcglobal.net] has quit [Remote host closed the connection]
03:00 -!- teddymills [~teddy@208.92.235.227] has quit [Read error: Connection reset by peer]
03:02 -!- stony_ [~ol@186-140-088-212.ip-addr.teresto.net] has joined ##openvpn
03:02 < stony_> hi
03:02 < stony_> is openvpn l2 supporting stp ?
03:03 < reiffert> the kernel on the host is.
03:04 < reiffert> bridge name	bridge id		STP enabled	interfaces
03:04 < reiffert> br0		8000.0050bac5ced3	yes		eth0 tap0
03:04 < reiffert> http://pastebin.ca/1811533
03:04 -!- smerz [~daniel@smerz.demon.nl] has quit [Quit: Ex-Chat]
03:10 -!- master_of_master [~master_of@p57B560E8.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
03:10 < stony_> enabled != working
03:11 -!- master_of_master [~master_of@p57B562A1.dip.t-dialin.net] has joined ##openvpn
03:20 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
03:32 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 268 seconds]
03:36 -!- ScriptFanix [vincent@Tuluk.riquer.fr] has quit [Remote host closed the connection]
03:37 -!- ScriptFanix [vincent@Tuluk.riquer.fr] has joined ##openvpn
03:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:45 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
03:45 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
03:46 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:57 -!- stony_ [~ol@186-140-088-212.ip-addr.teresto.net] has quit [Ping timeout: 252 seconds]
04:13 -!- beber [~beber@scabb.meleeweb.net] has joined ##openvpn
04:13 < beber> Hi
04:14 < beber> How could I can the difference between a https and openvpn stream ?
04:14 < beber> tcp/openvpn
04:30 -!- stony_ [~ol@p5B155769.dip.t-dialin.net] has joined ##openvpn
04:31 < upb> you cant, its TLS
04:31 < upb> you want to block overvpn ?:P
04:31 < beber> no
04:32 < Guest38238> !factiods
04:32 < vpnHelper> Guest38238: Error: "factiods" is not a valid command.
04:32 -!- Guest38238 is now known as dazo
04:32 < beber> I want to use a common frontend on haproxy, and I want haproxy to "forward" to openvpn, https ou openssh depending on the stream
04:32 < beber> openssh and https is not a problem actually
04:33 < upb> well, the only thing you can get is the client-hello message
04:33 < beber> yes
04:33 < upb> from that point on, you need to forward the connection already
04:34 < beber> isn't sufficient?
04:36 < upb> nop
04:36 < upb> only way to do it is to MITM the stream
04:36 < beber> how does work the port-share ?
04:37 < beber> I can MITM
04:37 < upb> like some l33t antivirus products ;P
04:37 < beber> with haproxy/stunnel
04:57 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:02 -!- Xen^ [~linux@unaffiliated/fahmad] has quit [Ping timeout: 265 seconds]
05:05 < dazo> !factoid
05:05 < vpnHelper> dazo: Error: "factoid" is not a valid command.
05:09 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
05:09 -!- mode/##openvpn [+o mattock] by ChanServ
05:10 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
05:35 -!- stony_ [~ol@p5B155769.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
05:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
05:50 -!- stony_ [~ol@p5B155769.dip.t-dialin.net] has joined ##openvpn
06:03 -!- stony_ [~ol@p5B155769.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
06:24 -!- Ramjar [~Ramjar@d226.broadband.quicknet.se] has joined ##openvpn
06:25 < Ramjar> !welcome
06:25 < vpnHelper> Ramjar: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:25 < Ramjar> !forum
06:25 < vpnHelper> Ramjar: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
06:26 < Ramjar> does anyone know how to change openvpn password for a user directly on a openvpn server? (not with the client gui)?
06:54 < ecrist> openvpn doesn't manage passwords
06:56 < reiffert> openssl does
07:50 < Ramjar> aha i see. What does it change password for? the private key, cert?
08:04 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
08:05 -!- dug_ [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Ping timeout: 245 seconds]
08:11 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 265 seconds]
08:13 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:27 < dazo> Ramjar:  openvpn gui's change password feature is to change the password of the SSL key or the .p12 certificate file
08:28 < dazo> (.p12/PKCS#12 files are certificates and SSL keys bundled into one single file)
08:29  * reiffert didnt know that. Intresting.
08:39 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Quit: Leaving]
08:40 -!- janjust [~janjust@ardeche.nikhef.nl] has joined ##openvpn
08:42 -!- ol [~ol@tmo-104-108.customers.d1-online.com] has joined ##openvpn
08:42 -!- ol is now known as stony
08:44 < janjust> testing testing 123 ;-)
08:45 < janjust> Samuli I got your email, just checking out this irc channel 
08:46 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
08:47 < janjust> but I am not seeing anything typed here?
08:48 < dazo> janjust:  welcome!  pleasure to see you here :)
08:48 < dazo> Samuli is mattock here
08:48 < janjust> I know 
08:48 < janjust> xchat told me :)
08:48 < dazo> :)
08:48 < janjust> I'm not sure (yet) if I'll join this channel regularly (or the discussion channel)
08:49 < janjust> 1800UTC is really bad for me, usually I'm on my bicycle at that time 
08:49 < janjust> but Samuli asked about clearing up existing bugs - sounds like a good plan
08:52 < dazo> janjust:  yeah, I discussed that with him earlier today ... it's a sf.net bug tracker with a lot of things, and questions I'm quite sure I've seen you help solving earlier as well - I just happen to not remember where and when :)
08:52 < dazo> https://sourceforge.net/tracker/?func=browse&group_id=48978&atid=454719
08:52 < vpnHelper> Title: SourceForge.net: OpenVPN: Bugs (at sourceforge.net)
08:53 < dazo> janjust:  if you have time and are willing, I'm sure we would appreciate your help to clean up this bug tracker .... and I'm sure Samuli will grant you the needed privileges as well
08:55 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
08:56 < dazo> btw ... I'm tempted to close all bugs without activity which are older than 2009-01-01 ... unless they seem to have relevance for the 2.1.1 release
08:56 -!- Blues-Man [~bluesman@host88-112-dynamic.56-79-r.retail.telecomitalia.it] has joined ##openvpn
09:01 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has quit [Remote host closed the connection]
09:01 < Bushmills> declare bugs nobody tackles as non-existing?
09:03 < janjust> there's a 190 bugs in total ... hmmm I've been supporting openvpn for nearly 5 yr now, lemme go through the list
09:03 < janjust> privs would be handy, if I am sure the bug is bogus/fixed then I can close em straight away
09:03 < dazo> janjust:  I'm pretty sure mattock will get you the needed privs asap :)
09:04 < dazo> appreciate your help here!
09:06 < janjust> no prob ... maybe I can then finally get something done about the pkcs11 support ;-)
09:06 < dazo> Bushmills:  in many cases, that looks like a sensible approach ... as many of those are really poorly documented ... but some of them is good to look out for, to make sure they either don't exists in 2.1.1 or they are not relevant at all any more
09:07 < dazo> janjust:  :) 
09:09 -!- uchimata_ is now known as uchimata
09:17 -!- f [~pegg@208.73.74.77] has joined ##openvpn
09:48 -!- Blues-Man [~bluesman@host88-112-dynamic.56-79-r.retail.telecomitalia.it] has quit [Ping timeout: 248 seconds]
09:56 -!- janjust [~janjust@ardeche.nikhef.nl] has quit [Quit: Leaving]
09:57 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
10:01 -!- beber [~beber@scabb.meleeweb.net] has quit [Quit: leaving]
10:02 -!- Blues-Man [~bluesman@host88-112-dynamic.56-79-r.retail.telecomitalia.it] has joined ##openvpn
10:03 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined ##openvpn
10:09 -!- havoc [~havoc@saturn.chaillet.net] has left ##openvpn ["bbl"]
10:12 < bashusr> hi
10:12 < bashusr> i'm using redirect-gateway def1
10:12 < bashusr> and it was working when i originally set it up
10:12 < bashusr> but my server was restarted
10:12 < bashusr> and now my clients can't reach the internet when connected
10:13 < bashusr> only the internal VPN network
10:13 < bashusr> any ideas where to start looking to fix this?
10:13 < bashusr> the routing tables look the same as before
10:16 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
10:18 < stony> on the clients too?
10:21 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
10:22 -!- Sevet [~steveayre@host90-152-2-170.ipv4.regusnet.com] has joined ##openvpn
10:24 < bashusr> stony: only on the clients
10:24 < Sevet> if i have a vpn server on a /26 and i want to push a route to vpn clients to that /26, is that possible without preventing the vpn packets reaching the vpn server (just pushing the route makes the vpn client try to send the openvpn packets via the vpn)?
10:24 < bashusr> let me check the tables
10:28 -!- stony [~ol@tmo-104-108.customers.d1-online.com] has quit [Quit: off]
10:32 < reiffert> Sevet: that sounds broken. Guess your are using routing with tun adapters and try to run the same net as vpn net?
10:33 < Sevet> yes it is :) currently i push /32 routes to ips in that range, there's just a lot in a /26 and wanted something shorter if possible
10:33 < Sevet> something like pushing that a /32 should still use the default gateway
10:34 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:39 -!- sparch [~daniel@pdpc/supporter/active/sparch] has joined ##openvpn
10:39 < sparch> noon
10:53 < bashusr> noon
10:54 -!- Sevet [~steveayre@host90-152-2-170.ipv4.regusnet.com] has left ##openvpn []
10:55 < sparch> is there a management system for OpenVPN?
10:55 < sparch> i don't mean the access server nor openvpn manager
10:57 < sparch> because I'll develop a system for this purpose
11:00 -!- rkantos_UK [~robin@195.3.136.135] has joined ##openvpn
11:01 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Quit: ircN 8.00 for mIRC (20080809) - www.ircN.org]
11:01 < rkantos_UK> who has the most skills with openvz+openvpn?
11:02 < cron2> what is a "management system for OpenVPN"?
11:06 < rkantos_UK> !welcome
11:06 < vpnHelper> rkantos_UK: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:07 < rkantos_UK> !redirect
11:07 < vpnHelper> rkantos_UK: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
11:08 < rkantos_UK> !def1
11:08 < vpnHelper> rkantos_UK: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
11:09 < f> cron2 it is a way to see who is connected, kill users, debug issues, have you ever set up a server?
11:09 < rkantos_UK> -!- #openvz Cannot send to channel
11:10 -!- Section58 [~steve@78-86-206-81.zone2.bethere.co.uk] has joined ##openvpn
11:11 < rkantos_UK> !ipforward
11:11 < vpnHelper> rkantos_UK: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
11:12 < rkantos_UK> !linipforward
11:12 < vpnHelper> rkantos_UK: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
11:14 -!- rkantos [robin@hp1.jaketus.net] has joined ##openvpn
11:15 < f> lets lay off the vpnhelper it is not helping
11:15 -!- f [~pegg@208.73.74.77] has quit [Remote host closed the connection]
11:15 -!- f [~pegg@208.73.74.77] has joined ##openvpn
11:16 < rkantos_UK> f: what you mean?
11:16 < f> rkantos_UK please use full setences
11:17 -!- f is now known as Pegger
11:18 -!- Blues-Man [~bluesman@host88-112-dynamic.56-79-r.retail.telecomitalia.it] has quit [Ping timeout: 248 seconds]
11:25 -!- Blues-Man [~bluesman@host88-112-dynamic.56-79-r.retail.telecomitalia.it] has joined ##openvpn
11:33 < dazo> Pegger:  what's wrong with vpnhelper?  which answers are you looking for?
11:33 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined ##openvpn
11:36 < Pegger> dazo just dont over uese it; I hope most people already read through the docs, and did not quite understand it so they need a more human response not a canned one
11:37 < dazo> Pegger:  really?  It really helps a lot of people here ... and off-loads answering the same question over and over and over again
11:39 < Pegger> dazo any idea what my issue is http://pastebin.com/vA9rAgMs  
11:39 < dazo> If you dislike it ... come with a question you have issues with rather than complaining on a service which works pretty well for us who have been here a while longer
11:39 < rob0> Pegger, are you a regular in any IRC channels?
11:40 < rob0> I think anyone who helps out in any IRC channels well understands the value of a bot.
11:40 < Pegger> rob0 I have trouble making time for IRC
11:41 < dazo> Pegger:  What do you put in the client-config-dir?
11:42 < Pegger> dazo there is nothing in the client-config-dir.
11:42 < rob0> Why bridging in the first place?
11:42 < Pegger> do that isc-dhcp can hand out the IP's
11:43 < Pegger> isc-dhcp hands out public ip's to the clients, I run a TCP and UDP VPN server so I want to be able to efficiently use the ip space between the two servers
11:43 < dazo> Pegger:  iirc ... on Linux/BSD (incl OSX) you need to start the dhcp client on the tap device then to make this work ... through a script started via openvpn .... 
11:44 < rob0> You're running a DHCP client on the clients after connection?
11:44  * dazo hands it over to rob0 ... he seems to be on the same track :)
11:45 < rob0> oh don't drop out of it, I am not a bridger, myself
11:45 < dazo> heh
11:45 < dazo> rob0: it's always a first time, isn't it? ;-)
11:46 < Pegger> I am trying to find the os x script that I tried before for up-down
11:46 -!- rkantos_UK [~robin@195.3.136.135] has quit [Quit: leaving]
11:47 < dazo> Pegger:  this is based on individual needs of cource ... but using tun, and proper routing ... you can have just a good setup using the built in "DHCP" service OpenVPN provides ... having the clients in a separate network segment ... and tun has better performance than tap, after all
11:48 < dazo> but it's your call, just my 2cents ... based on experience and others experiences
11:48 < Pegger> what about sharing the same ip pool between mulitipule VPN servers
11:49 < Pegger> I have a limited ip space and I need to use it as efficiently as possible, so I was hoping to share it between the vpn servers
11:49 < dazo> Pegger:  why do you need to share the IP pool?
11:49 < Pegger> because I will be using publc IP's which are limited
11:50 < dazo> Pegger:  why not have separate pools, inside the RFC1918 ... and then NAT the traffic going from the VPN and out on the Internet?
11:50 < rob0> Would be ugly, but one possibility w ^^ haha I was going to say that
11:51 < dazo> it's not ugly to take this approach, IMHO
11:51  * rob0 is not generally a fan of NAT, but neither is he a fan of bridging
11:51 < Pegger> rob0 excatly, I am trying to do that now, but as you say it is ugly
11:51 < dazo> it's ugly to use NAT if that's to hide that you're not able to do the routing properly ;-)
11:51 < Pegger> rob0 that sounds like a catch 22  dont like bridging or NAT
11:51 < rob0> client-config-dir could have scripts that set the NAT rules.
11:51 < rob0> s/have/call/
11:52 < Pegger> NAT is a hack in it's self
11:52 < Pegger> I dont see what is so bad about bridging except for the fact I am having troble getting it working with *Nix systems
11:52 < dazo> Pegger:  that's nonsense ... unless you mean private network ranges which wants Internet access are a hack 
11:53 < dazo> Pegger:  in VPN perspective, it gives you higher overhead ... as it will need to transport ethernet frames .... while with tun it will transfer IP packets only
11:53 < Pegger> dazo pretty much, there should be no need for private ip's, it just adds confsion and problems
11:54 < dazo> Pegger:  well, without NAT we might all have been running IPv6 a decade ago ... but with IPv4 it wouldn't be enough IP addresses available for everyone
11:55 < rob0> With the tunnel up, can you manually run your DHCP client on a client?
11:55 < Pegger> dazo true, very true
11:55 < Pegger> and then places like MIT have their own class A  ip space
11:56 < rob0> "dhcpcd -dt 10 tap0" or whatever client you use, probably also need to check its documentation for how it acts when a default route already exists.
11:56  * rkantos is real happy at the moment
11:57 < Pegger> I tried following this guide for OS X http://www.mccambridge.org/blog/2007/10/correct-way-to-set-up-openvpn-client-on-mac-os-x/  one of the probelems is some of the commands near the bottom dont even work for example "scutil ?dns" does nothing on my mac 
11:57 < vpnHelper> Title: The Spark Between » Correct Way to set up OpenVPN Client on Mac OS X (at www.mccambridge.org)
11:58 < rob0> or, just manually set the 0.0.0.0/1 and 128.0.0.0/1 routes on the client, if the DHCP client did work
11:59 < Pegger> I will try setting them by hand tonight when I can test with the machine, and not be on IRC
12:01 < sparch> cron2: I mean, a system to administrate OpenVPN, like, making certificates for the users, storing infos about them like IP, password for the Cert (if used), compiling and sending an installer together with the certs
12:02 < sparch> cron2: got it?
12:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
12:03 < rkantos> where's the problem if i can access internet, but can't ping other computers on the virtual NAT?
12:05 < Pegger> I was just reading about MIT's use of ip space "Just to make the routing simpler, each fraternity is assigned a Class B network"  awsome 65K ip for one house
12:06 -!- Blues-Man [~bluesman@host88-112-dynamic.56-79-r.retail.telecomitalia.it] has quit [Quit: Sto andando via]
12:10 -!- nowen [~nowen@adsl-176-34-198.asm.bellsouth.net] has joined ##openvpn
12:12 -!- rob0 [~rob0@tuxaloosa.org] has quit [Ping timeout: 240 seconds]
12:26 -!- Pegger [~pegg@208.73.74.77] has quit [Read error: Connection reset by peer]
12:36 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit [Quit: Leaving]
12:39 -!- nowen [~nowen@adsl-176-34-198.asm.bellsouth.net] has quit [Quit: Leaving.]
12:45 < cron2> sparch: yep, got it :-) - and no, I don't think such a thing exists yet
12:46 -!- bandini [~bandini@host16-23-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
12:48 -!- rob0_ [~rob0@tuxaloosa.org] has joined ##openvpn
12:52 -!- dazo is now known as dazo_afk
13:05 < rkantos> hmm.. My other computer seems to get connected, but other one won't
13:05 < rkantos> same config
13:05 < rkantos> different certs ofcourse
13:12 < sparch> nice... so I'm going toward this
13:13 -!- rob0_ is now known as rob0
13:14 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
13:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:43 < rkantos> can't ping other computers on the nat network. Where's the bug now?
13:51 < Bushmills> !route
13:51 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:03 -!- portn0k [~portn0k@unaffiliated/portn0k] has quit [Ping timeout: 268 seconds]
14:24 -!- linduxed [~linduxed@194-14-0-85.serioustubes.org] has joined ##openvpn
14:25 < linduxed> is it a known bug that i get my vpn up and running, but get kicked after about 10 seconds?
14:26 < linduxed> or is my configuration faulty in some way?
14:26 < smerz> i doubt that very much :)
14:26 < smerz> worked rock solid for me
14:27 < smerz> to the point that i didn't even realise that my vpn was connecting automatically on boot
14:27 < linduxed> what's strange is that it definately works as it should
14:27 < linduxed> it forwards everything correctly
14:27 < linduxed> shows the right IPs
14:28 < linduxed> but after 10-30 seconds, my nm-applet always reports that the tunnel has died
14:28 < Bushmills> smerz: do you have a host route to your vpn server in your client routing table?
14:28 < Bushmills> ehm ,, linduxed i mean
14:29 < Bushmills> chances that you push a route, and kill or override the route to your vpn server
14:29 < smerz> i set the vpn server as my default gateway if you mean that yes
14:29 < linduxed> checking my logs, ive noticed i get code=111
14:29 < Bushmills> that's not a known bug, but a know misconfiguration :)
14:29 < smerz> can look it up real quick if you want busmills
14:30 < Bushmills> known
14:30 < linduxed> so what do i do with a 111
14:30 < Bushmills> smerz: na, you should be fine. i just put the wrong name into reply
14:31 < linduxed> i think this is a keepalive thing
14:31 < Bushmills> doubtful.
14:31 < Bushmills> with traffic, there's no need to keep alive
14:32 < Bushmills> unless, you don't actually transfer over vpn
14:32 < Bushmills> in which case it's disconnect, without keepalive, after some time
14:34 < linduxed> what do you mean by transfer in this case?
14:35 < Bushmills> data sent through vpn
14:38 < linduxed> well there's not much going at times, but i would assume a byte here and a byte there
14:38 < linduxed> so it should be alive...
14:38 < linduxed> i just have to find where nm-applet logs the client stuff
14:38 < linduxed> that way i could post the client log
14:45 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Connection reset by peer]
14:51 -!- dauergast [~sag@g225200035.adsl.alicedsl.de] has joined ##openvpn
14:55 < linduxed> ok i found the following page:
14:55 < linduxed> http://readthefuckingmanual.net/error/383/
14:55 < vpnHelper> Title: [SOLVED] - read UDPv4 [ECONNREFUSED]: Connection refused (code=111) (at readthefuckingmanual.net)
14:55 < linduxed> the problem is that i have no idea how to open for UDP traffic
15:00 < ecrist> talk to your firewall admin
15:01 < linduxed> that's me...
15:01 < linduxed> the weird thing is that now it seems to work...
15:01 < ecrist> and you don't know how to open port 1194 in your firewall?
15:01 < linduxed> which is very odd
15:02 < linduxed> ecrist: im the admin by the virtue of ssh'ing into my server
15:02 < linduxed> ive got a server and a laptop and i follow howtos
15:02 < linduxed> im that much of an admin
15:02 < linduxed> :-P
15:02 < ecrist> what firewall do you use?
15:03 < linduxed> but as said, for some reason it seems to be working for a longer while, so i don't want to touch it anymore
15:03 < linduxed> ecrist: iptables
15:03 < ecrist> !iptables
15:03 < vpnHelper> ecrist: "iptables" is (#1) o test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT;, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-
15:03 < vpnHelper> ecrist: computing.net/wiki/index.php/OpenVPN/Firewall
15:04 < linduxed> well ill check with that if stuff breaks again
15:04 < linduxed> thx anyway
15:04 -!- linduxed [~linduxed@194-14-0-85.serioustubes.org] has left ##openvpn []
15:06 -!- dauergast [~sag@g225200035.adsl.alicedsl.de] has left ##openvpn []
15:12 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
15:24 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
15:24 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
15:29 -!- sparch [~daniel@pdpc/supporter/active/sparch] has quit [Quit: EPIC5-1.0[1581] - amnesiac : I really dispise you internet know-it-alls]
15:32 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
15:32 -!- mode/##openvpn [+o openvpn2009] by ChanServ
15:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:59 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 252 seconds]
16:23 -!- portn0k [~portn0k@unaffiliated/portn0k] has joined ##openvpn
16:35 -!- bandini [~bandini@host16-23-dynamic.20-79-r.retail.telecomitalia.it] has quit [Ping timeout: 268 seconds]
16:37 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
16:42 -!- kyrix [~ashley@62.166.18.95.dynamic.jazztel.es] has joined ##openvpn
16:48 < rkantos> !route
16:48 < vpnHelper> rkantos: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:48 < rkantos> i don't have lans behind openvpn
16:49 < rkantos> !welcome
16:49 < vpnHelper> rkantos: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:49 < rkantos> !/30
16:49 < vpnHelper> rkantos: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
16:55 -!- kyrix [~ashley@62.166.18.95.dynamic.jazztel.es] has quit [Quit: Leaving]
16:56 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
17:01 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
17:10 -!- abdx [~abdx@h142n2fls34o972.telia.com] has joined ##openvpn
17:17 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:23 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
17:28 < abdx> Who are these "blackducksoftware" peoples ?
17:29 < abdx> blackducksoftware.com
17:30 -!- bashusr [~bashusr@unaffiliated/bashusr] has left ##openvpn []
17:30 < abdx> They seem to have run a scan on one of my hosts as follows: http://mange.dynalias.org/linux/misc/scripts/sys_uptime/service-guardian.log.txt
17:32 < abdx> Cool software anyhow, the service-guardian
17:35 < abdx> So if anyone wants to test.. http://mange.dynalias.org/linux/service-guardian/devel/service-guardian-1.8.tar.gz
17:36 < abdx> Make sure you edit the configuration before starting it. Its kinda military that way.
17:37 < abdx> Awake Bushmills ?
17:37  * Bushmills pinches himself for finding out
17:38  * abdx what..
17:40 < abdx> Rock and roll.
17:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
17:45 < abdx> Bushmills: Let me know how that goes.
18:00 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
18:00 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
18:15 < abdx> Bushmills: Its a fairly neat attack-subvertor
18:15 < abdx> :=)
18:16 < abdx> Run a scan against that address and itll block you.
18:19 < abdx> Bushmills: Did you fall asheep ? :)
18:20 < Bushmills> eh, no. i just didn't want to test something i don't even know what i would be testing.
18:21 < Bushmills> or how
18:21 < abdx> read the readme or somethings
18:21 < Bushmills> had you asked "why can't i reach hosts on my LAN" i might have replied
18:22 < abdx> Why would i have asked that ?
18:23 < Bushmills> why haven't you?
18:24  * Bushmills checks what channel he is on
18:24 < rob0> Why can't I ping http://google.com/ from my client?
18:24 < vpnHelper> Title: Google (at google.com)
18:25 < Bushmills> rob0: because google is down :P
18:27 < abdx> Heh, right.
18:28 < abdx> Make me interrested, Bushmills - rob0 etc
18:38 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
18:54 -!- abdx [~abdx@h142n2fls34o972.telia.com] has quit [Quit: Quit]
18:55 < ecrist> \o
18:55 < ecrist> sup, bitches?
19:00 -!- tjz [~pc@bb121-7-23-87.singnet.com.sg] has joined ##openvpn
19:00 -!- tjz [~pc@bb121-7-23-87.singnet.com.sg] has quit [Changing host]
19:00 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
19:15 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
19:20 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
19:26 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
19:30 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Remote host closed the connection]
19:48 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
20:07 -!- smerz [~daniel@smerz.demon.nl] has quit [Quit: Ex-Chat]
20:22 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Ping timeout: 248 seconds]
20:43 -!- portn0k [~portn0k@unaffiliated/portn0k] has quit [Remote host closed the connection]
20:48 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
22:36 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
22:44 -!- pdt [~ptinsley@99-0-36-187.lightspeed.mrbotn.sbcglobal.net] has joined ##openvpn
23:09 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
23:25 -!- pdt [~ptinsley@99-0-36-187.lightspeed.mrbotn.sbcglobal.net] has quit [Quit: pdt]
--- Day changed Sat Feb 27 2010
00:03 -!- pdt [~ptinsley@99-0-36-187.lightspeed.mrbotn.sbcglobal.net] has joined ##openvpn
00:10 -!- pdt [~ptinsley@99-0-36-187.lightspeed.mrbotn.sbcglobal.net] has quit [Quit: pdt]
02:09 -!- Mehdi [flang@64.85.172.128] has quit [Read error: Connection reset by peer]
02:15 -!- gallatin [~gallatin@188.109.201.200] has joined ##openvpn
02:18 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
03:10 -!- master_of_master [~master_of@p57B562A1.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
03:11 -!- master_of_master [~master_of@p57B56ABD.dip.t-dialin.net] has joined ##openvpn
03:25 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
03:25 -!- mode/##openvpn [+o mattock] by ChanServ
04:06 -!- napsy [~luka@88.200.96.14] has joined ##openvpn
04:06 -!- napsy [~luka@88.200.96.14] has left ##openvpn []
04:07 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
04:08 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
04:23 -!- gallatin [~gallatin@188.109.201.200] has quit [Ping timeout: 246 seconds]
04:29 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
05:15 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
05:42 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:13 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
06:35 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:37 -!- disappearedng [~disappear@unaffiliated/disappearedng] has joined ##openvpn
06:37 < disappearedng> Hey when I turn on my openvpn, tun0 is formed, how come I can't ssh into my computer using the IP from before turning on openvpn? 
06:43 -!- disappearedng [~disappear@unaffiliated/disappearedng] has quit [Ping timeout: 252 seconds]
06:45 < rkantos> client-to-client ping just doesn't work
06:50 -!- disappearedng [~disappear@unaffiliated/disappearedng] has joined ##openvpn
06:50 < disappearedng> if someone can answer this that would help me out a lot. http://superuser.com/questions/114211/how-to-combine-with-openvpn-dynamic-ip 
06:50 < vpnHelper> Title: How to combine with openvpn, dynamic-ip? - Super User (at superuser.com)
07:07 -!- dvl [~nnnnnnnnn@pdpc/supporter/active/dvl] has joined ##openvpn
07:07 < dvl> Giday.  :)
07:22 < dvl> I'm having trouble with replay / TLS errors. http://pastebin.ca/1813403  
07:22 < dvl> Started recently after a long time of problem free activity.  Not aware of any other changes.
07:31 < rkantos> dvl: restarted the server? :D
07:31 < dvl> rkantos: Yes, tried that.  Now I'm upgrading to 2.1.1
07:32 < rkantos> dvl: do you have working ping from server to client?
07:33 < dvl> rkantos: Not ping specifically, but ssh works, if that helps?
07:33 < rkantos> what about client to client ping?
07:34 < dvl> rkantos: Will try.  BBS.
07:35 < rkantos> not that relates to your problem
07:35 < rkantos> but it relates to mine :P
07:38 < dvl> oh?
07:38 < dvl> comms between client and server are fine.  backups are run over that on a regular basis.
07:38 < rkantos> this just freaking bothers me
07:39 < rkantos> I can ping from client to server
07:39 < dvl> sounds like routing first.
07:39 < rkantos> but not from server to client
07:39 < dvl> but not the other way... routing, I'm sure.
07:39 < dvl> Or perhaps, firewall.
07:40 < dvl> Run tcpdump.  see if the pings are going out on the tun (or whatever device is used for the VPN).  Then do the same at the other end to see if they are being recieved.
07:41 < rkantos> mhmm
07:41 < rkantos> pings work when there's no firewall
07:41 < rkantos> atleast from server to client
07:42 < rkantos> and from client to client
07:42 < rkantos> :P
07:42 < rkantos> cheers
07:42 < rkantos> 200ms average jikes
07:43 < dvl> Ok, so, you know it's firewall for sure?  Good, then it's easy to fix?
07:43 < rkantos> the next question is: where do i have to make the hole on the windows machine
07:43 < rkantos> ?
07:43 < dvl> Dunno.
07:46 < rkantos> ohh man, it is the firewall
07:46 < rkantos> no question about it
07:46 < rkantos> I'm beginning to like this
07:50 < dvl> Good.  Glad I could help.  :)
07:50 < ecrist> dvl, long time no see.
07:50 < dvl> ecrist: yo!
07:50 < ecrist> I may make it to BSDCan this year. :)
07:50 < dvl> Tis, been a long time.  I see you're in Pittsburg?  Or just using that server.  I'm near Phillie.
07:51 < dvl> ecrist: that would be good. Speakers have been selected, but not announced.
07:51 < ecrist> naw, I'm in Minneapolis
07:51 < dvl> ecrist: been watching Olympic Hockey?  Big Final.
07:51 < dvl> Canada vs USA
07:52 < dvl> Sunday, 3pm
07:52 < ecrist> not watching, but paying attention.  Looking forward to that game. 
07:52 < ecrist> I'm hoping to see some Canadians cry. :D
07:52 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
07:52 < rkantos> UK tv from Finland with zattoo
07:52 < rkantos> awesome
07:52 < dvl> and me, vice versa.
07:53 < rkantos> next I need some fine tuning
07:53 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 256 seconds]
07:53 < rkantos> ip's to 11.11.1.x
07:54 < rkantos> would anyone have idea why windows says that the tap adapter has no internet connection
07:55 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Read error: Connection reset by peer]
07:57 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
08:00 < dvl> rkantos: Dunno Windows enough.
08:02 < ecrist> rkantos: because you're not connected to the VPN
08:16 < dvl> All the nodes have been upgraded to 2.1.1 (without problem AFAIK).
08:17 < dvl> We'll wait and see about this reply/TLS issue.
08:25 < dvl> Didn't take long.   Just got the message again.
08:25 < dvl> On the server.
08:25 < dvl> I'm having trouble with replay / TLS errors. http://pastebin.ca/1813403  
08:26 < dvl> I'm not sure about the replay-window option and how it can help.
08:34 < ecrist> dvl - is it causing problems other that taking up space in the logs?
08:38 < dvl> ecrist: none that I know of.
08:39 < dvl> Got gear? http://photos-f.ak.fbcdn.net/hphotos-ak-snc3/hs444.snc3/25499_106399866046321_100000289239443_160815_993531_n.jpg
08:40 < ecrist> what're you building with that?
08:45 < dvl> ecrist: FreeBSD 8.x, running ZFS.  To be a storage unit.  Backups, etc.
08:46 < dvl> http://dan.langille.org/ has the various configurations that I considered before settling on this.
08:46 < vpnHelper> Title: Dan Langilles Other Diary (at dan.langille.org)
08:47 < ecrist> price tag?
08:49 < dvl> ecrist: I think about $1700
08:49 < dvl> ecrist: I spent $250 on the case.
08:50 < dvl> prices are in the webpage for the components.
08:50 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
08:50 < ecrist> see that, looks neat
08:51 < ecrist> I'm going to be building a ZFS storage box this week.  our hardware was a tad more expensive.
08:51 < dvl> The case looks great.
08:51 < dvl> ecrist: If it wasn't my money, I'd have spent more.  :)
08:51 < dvl> And probably RAID rated HDD too.
08:52 < tjz> hee..i am also planning to build a storage  box too
08:52 < tjz> :D :D
08:52 < ecrist> 2 x Dell PowerEdge R610, 24GB DDR3 2x146GB SAS, dual-port external SAS HBA both married to an MD3000 with 15 x 450GB SAS with redundant controllers.
08:53 < tjz> wow
08:53 < ecrist> that case looks nice, dvl
08:53 < dvl> ecrist: wow, that's hardware.
08:53 < ecrist> not my money. ;)
08:53 < ecrist> total price was about $22,000
08:53 < tjz> lol!!
08:53 < tjz> -_-""
08:53 < dvl> ecrist: thanks.  I wanted a couple of weeks for it to be in stock.  A guy in #freebsd undernet pointed me at Lian Li.
08:53 < dvl> fark!
08:54 < tjz> LOL
08:54 < tjz> hmm
08:54 < tjz> is ZFS the way to go?
08:54 < tjz> i was planning to go with centos / redhat as the OS..
08:54 < tjz> and the normal filesystem..
08:54 < tjz> :(
08:54 < ecrist> the price is justified as we will be booting our entire production network via PXE and NFS from that appliance.
08:54 < dvl> tjz: I think ZFS has a lot going for it.
08:55 < dvl> ecrist: Well, agreed.
08:55 < ecrist> tjz: if you're going CentOS or RHEL, go XFS
08:55 < dvl> But, I'm only slightly biased in recommending FreeBSD + ZFS.
08:56 < ecrist> we are a 100% FreeBSD shop
08:56 < tjz> hee.. never use freebsd b4...
08:56 < tjz> :(
08:56 < dvl> Hawaii Braces For Possible Tsunami - CBS News
08:56 < ecrist> everything, including our phone system, runs freebsd
08:56 < tjz> cool
08:56 < dvl> http://www.cbsnews.com/stories/2010/02/27/national/main6249805.shtml
08:56 < vpnHelper> Title: Hawaii Braces For Possible Tsunami - CBS News (at www.cbsnews.com)
08:56 < tjz> but why freebsd isn't so common like centos?
08:56 < tjz> dvl, yea
08:56 < tjz> 8.8 mag quake at chile
08:56 < ecrist> tjz: because freebsd doesn't do desktop well.
08:56 < tjz> -_-
08:57 < tjz> centos is for server..for most cases..
08:57 < ecrist> there are a lot of big companies that sponsor/fund freebsd and use it at their core, but they don't advertise it heavily, or at all.
08:57 < ecrist> Qwest Communications, for example, uses FreeBSD on their entire core.
08:57 < dvl> tjz: I really like how straight forward it is to upgrade and maintain a FreeBSD box, both the OS and the apps.  Very solid.
08:58 < tjz> ok
08:58 < tjz> lot of reading :D :D
08:58 < ecrist> for postgres/mysql databases, freebsd leaves linux in the dust, as well.
08:59 < dvl> Oh yeah, and I use PostgreSQL too.
08:59 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
08:59 < tjz> i used mysql...
08:59 < tjz> :D :D
09:00 < ecrist> I'm out for the day - later.
09:00 < tjz> i am out for sleep :(
09:00 < tjz> :D :D
09:01 < tjz> good nite
09:01 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
09:01 < rkantos> how can i change the location of the user certificates?
09:15 -!- dauergast [~sag@p5B3EF8D7.dip.t-dialin.net] has joined ##openvpn
09:16 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
09:17 < dvl> ecrist: so, you're guessing, just ignore the message?
09:19 < rkantos> anyone?
09:24 -!- pdt [~ptinsley@99-0-36-187.lightspeed.mrbotn.sbcglobal.net] has joined ##openvpn
09:24 < dvl> rkantos: what's the problem?
09:24 < dvl> with changing...
09:26 < dvl> rkantos: this help http://pastebin.ca/1813556
09:27 < rkantos> i mean the client.key and client.crt
09:28 < rkantos> does the openvpn even have to know where they are?
09:31 < rkantos> apparently not
09:31 < rkantos> how can i restrict some users using the openvpn then?
09:39 < dvl> ecrist: amended total for system: $1800 to date.
09:42 -!- pdt [~ptinsley@99-0-36-187.lightspeed.mrbotn.sbcglobal.net] has quit [Quit: pdt]
09:43 -!- liquido [~liquido@lan-84-240-15-13.vln.skynet.lt] has joined ##openvpn
09:44 < liquido> hi
09:44 < liquido> how I could sign/revoke CA for my clients using easy-rsa ?
09:45 < rkantos> i'd like to know the same^^
09:46 < dvl> liquido: I've seen that in the docs.
09:46 -!- teddymills [~teddy@208.92.235.227] has joined ##openvpn
09:47 < liquido> can't find it anywhere
09:47 < liquido> not even in book
09:47 < liquido> see, the other man would like to know also
09:48 < liquido> I understand how it works, but can't find how to sign/revoke keys ;/
09:49 < dvl> http://openvpn.net/index.php/open-source/documentation/howto.html
09:49 < vpnHelper> Title: HOWTO (at openvpn.net)
09:49 < dvl> search for revoke there
09:51 < liquido> when I sign key
09:51 < liquido> lets say I run ./build-key-pass user15
09:51 < dvl> Sorry, I don't know more.  I'd have to read, and can't do that now.
09:51 < liquido> I proceeding with there, I see that ca.crt isn't updated in keys
09:52 < liquido> which file has records of sign'atures ?
09:52 < liquido> anyway, thanks for help dvl 
09:54 < disappearedng> if someone can answer this that would help me out a lot. http://superuser.com/questions/114211/how-to-combine-with-openvpn-dynamic-ip 
09:55 < vpnHelper> Title: How to combine with openvpn, dynamic-ip? - Super User (at superuser.com)
09:58 -!- smerz [~daniel@smerz.demon.nl] has quit [Quit: Ex-Chat]
10:07 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:07 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
10:18 < rkantos> '/win 16
10:29 -!- pdt [~ptinsley@64.241.37.140] has joined ##openvpn
10:31 < rkantos> can the revoke be removed?
10:32 < rkantos> eg. re-enable the cert
10:36 -!- dvl [~nnnnnnnnn@pdpc/supporter/active/dvl] has left ##openvpn ["Leaving"]
10:39 < rkantos> resign*
10:44 < liquido>  /topic
10:46 < rkantos> how can i resign the cert?
10:46 < rkantos> c'mon someone :D
10:48 -!- hacim [~micah@debian/developer/micah] has joined ##openvpn
10:49 < hacim> if i am connected to my VPN and my wireless link drops momentarily, but then comes back... the VPN gets wedged
10:49 < hacim> i have to restart openvpn to have it renegotiate
10:49 < hacim> is there a way I can get it to recover a little more gracefully?
10:49 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Read error: Connection reset by peer]
10:52 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
10:56 < rkantos> how can i make tap adater signed as home network in W7?
11:00 < liquido> how the server knows when new certs are added ?
11:06 -!- pegg [~pegg@pool-74-104-97-125.bstnma.east.verizon.net] has joined ##openvpn
11:06 < krzee> liquido, it doesnt, the CA signed it and that is all that matters
11:06 < krzee> each side checks the other was signed by the CA
11:06 < krzee> if told to, the client also checks the server was signed as a server, as in !mitm
11:07 < rkantos> krzee: can the client cert be resigned after being revoked?
11:08 < krzee> no, the client cert is not effected by the revocation, the CRL blocks the client cert
11:08 < krzee> you can issue a new cert with a new common name
11:09 < rkantos> i can always remove the crl
11:10 < rkantos> so i'll have to make a new cert and update the crl?
11:10 < krzee> old cert will work when you remove the crl
11:10 < rkantos> but if i hace a more complex system
11:11 < rkantos> many certs etc
11:11 < rkantos> and want to re-enable just one
11:11 -!- pegg [~pegg@pool-74-104-97-125.bstnma.east.verizon.net] has quit [Quit: Leaving]
11:12 < krzee> you can backup from previous CRL or use a completely new common-name
11:12 < krzee> but no using the same common-name otherwise
11:13 < rkantos> common name meaning that I can create a cert with the same name?
11:13 < krzee> you can not
11:13 < krzee> completely new!
11:14 < rkantos> damn
11:14 < rkantos> so you will have to send new certs?
11:15 < liquido> thanks krzee 
11:16 < krzee> rkantos, correct, or revert to CRL that you didnt block that cert on
11:17 < rkantos> so i'd have to backup crl everytime i make changes to revoked clients?
11:17 < krzee> !crl
11:17 < vpnHelper> krzee: "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn)
11:17 < vpnHelper> krzee: that will create the CRL file for you. ssl-admin will also build a crl for you
11:17 < krzee> rkantos, you should never make a change to a CRL really, because you only revoke a cert when its integrity may be compromised, in which case you dont use it anymore
11:18 < rkantos> but if i for example have a little paying group
11:18 < rkantos> for vpn
11:19 < krzee> if you revoke a cert, you must make a new one with different common-name
11:19 < rkantos> and then just want to revoke for sometime
11:19 < krzee> period
11:19 < krzee> for some time, you dont revoke
11:19 < krzee> see --disable
11:19 < rkantos> ok, thanks
11:20 < krzee> disable would go in a ccd entry
11:20 < krzee> !ccd
11:20 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
11:20 < krzee> read about it in !man
11:20 < krzee> !man
11:20 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
11:20 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
11:20 < liquido> krzee: is it possible to check which users are allowed connect to server ? I mean which certificates are valid ?
11:21 < krzee> every cert signed by the CA are valid, no way for the server to know
11:21 < liquido> ok, but it is possible to know which certs was signed by CA ?
11:22 < krzee> yes, by being the CA and knowing what you signed, lol
11:22 < liquido> ;DD
11:22 < liquido> so I need to keep a track somewhere
11:22 < liquido> np
11:32 -!- pdt [~ptinsley@64.241.37.140] has quit [Quit: pdt]
11:47 < rkantos> anyone has any idea how to see connected people?
11:48 < krzee> management interface
11:48 < krzee> --management
11:52 -!- heise2k [~heise2k@65-78-40-52.c3-0.upd-ubr6.trpr-upd.pa.cable.rcn.com] has quit [Remote host closed the connection]
12:06 < rkantos> krzee: where to put that?
12:23 < krzee> !man
12:23 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
12:25 < rkantos> search for what?
12:34 < rkantos> what would be the best option for using iptables routing like this:
12:34 < rkantos> iptables -t nat -A POSTROUTING -s 11.11.11.20 -j SNAT --to 195.3.xx.xx
12:34 < liquido> rkantos: search for openvpn managament interface, I have read abit about it
12:34 < rkantos> and the same for every other 11.11.11.*
12:34 < liquido> http://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html
12:34 < vpnHelper> Title: Management Interface (at openvpn.net)
12:35 < liquido> a roadwarrior wants to ping another roadwarrior, is that possible ?
12:46 < hacim> if i am connected to my VPN and my wireless link drops momentarily, but then comes back... the VPN gets wedged, i have to restart openvpn to have it renegotiate. is there a way I can get it to recover a little more gracefully?
12:55 < rkantos> anyone has any idea why I can't change W7 tap/tun adapters location
12:56 < rkantos> ?
13:48 < cron2> hacim: what do you mean by "wedged"?
13:48 < cron2> you could try setting "keepalive 10 60" in the configs, to make it auto-restart if the connectivity between client and server breaks
13:48 < hacim> cron2: wont pass traffic, interfaces are up, routes are there
13:49 < cron2> liquido: yes.  whether or not it works depends on firewall settings on the server, routes on the clients, and --client-to-client setting on the server
13:50 < cron2> hacim: try "--keepalive"
13:50 < hacim> ok, will do
13:50 -!- dauergast [~sag@p5B3EF8D7.dip.t-dialin.net] has quit [Quit: Nimm deine Hand aus meiner Hose! Ich zähle bis 1000]
13:57 < liquido> cron2: thanks
14:05 -!- bandini [~bandini@host31-22-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
14:27 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 276 seconds]
14:43 -!- bandini [~bandini@host31-22-dynamic.20-79-r.retail.telecomitalia.it] has quit [Ping timeout: 240 seconds]
14:44 -!- bandini [~bandini@host20-107-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn
14:53 < rkantos> when using tap
14:53 < rkantos> where's the problem
14:54 < rkantos> There is a problem in your selection of --ifconfig endpoints [local=10.0.0.2, remote=255.255.255.252].  The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet.  This is a limitation of --dev tun when used with the TAP-WIN32 driver.  
14:59 -!- bandini [~bandini@host20-107-dynamic.44-79-r.retail.telecomitalia.it] has quit [Ping timeout: 265 seconds]
15:36 -!- pdt [~ptinsley@99-0-36-187.lightspeed.mrbotn.sbcglobal.net] has joined ##openvpn
15:38 -!- bandini [~bandini@host7-105-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn
15:44 -!- pdt [~ptinsley@99-0-36-187.lightspeed.mrbotn.sbcglobal.net] has quit [Quit: pdt]
15:45 -!- pdt [~ptinsley@99-0-36-187.lightspeed.mrbotn.sbcglobal.net] has joined ##openvpn
15:45 -!- liquido [~liquido@lan-84-240-15-13.vln.skynet.lt] has quit [Quit: leaving]
15:48 -!- pdt [~ptinsley@99-0-36-187.lightspeed.mrbotn.sbcglobal.net] has quit [Client Quit]
15:53 -!- bandini [~bandini@host7-105-dynamic.16-79-r.retail.telecomitalia.it] has quit [Ping timeout: 256 seconds]
16:26 -!- rob0 [~rob0@tuxaloosa.org] has quit [Ping timeout: 265 seconds]
16:26 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
16:38 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
16:49 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
16:56 -!- rob0 [~rob0@tuxaloosa.org] has joined ##openvpn
17:07 -!- billub [~billub@c-69-181-249-62.hsd1.ca.comcast.net] has joined ##openvpn
17:08 < billub> i am trying to compile openvpn on windows and run into some issues, it complians that openssl dir and pcks11-helper dirs are not found. i did point it to openssl dir, but it didnt work
17:12 < billub> any suggestions ? 
17:13 -!- hackeron [~hackeron@cpc3-seve19-2-0-cust263.13-3.cable.virginmedia.com] has quit [Changing host]
17:13 -!- hackeron [~hackeron@gentoo/user/hackeron] has joined ##openvpn
17:38 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
18:12 -!- pdt [~ptinsley@99-0-36-187.lightspeed.mrbotn.sbcglobal.net] has joined ##openvpn
18:24 -!- billub [~billub@c-69-181-249-62.hsd1.ca.comcast.net] has quit [Ping timeout: 252 seconds]
18:49 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
18:50 < tjz> Morning, everyone~ :D
21:29 -!- joat [~joat@ip70-174-79-200.hr.hr.cox.net] has joined ##openvpn
21:30 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
23:28 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
23:43 -!- joat [~joat@ip70-174-79-200.hr.hr.cox.net] has quit [Quit: Leaving]
23:55 -!- billub [~billub@c-69-181-249-62.hsd1.ca.comcast.net] has joined ##openvpn
23:56 < billub> i am having trouble compiling openvpn for windows using mingw, i get error on crypt.c any suggestions ? 
23:59 < rob0> Not really, just that you're not likely to find any help for that here. I don't have Windows at all, and those here who do probably tend to use the binaries.
--- Day changed Sun Feb 28 2010
00:03 < billub> is there a different channel for devel ? 
00:06 < rob0> Yes, but same thing, not many of those folks are going to be compiling for Windows.
00:10 < billub> i guess this may not be specifc to windows, i have all the tools etc installed, just get error in crypt.c
00:10 < billub> actually i take that back, i get complain about not finding openssl directory although i point to it, and pcks11-helper
00:12 < rob0> Regardless, I have no idea about it, and I bet no one else will. Recently a similar issue came up on the mailing list, and no one knew.
00:14 < billub> ok
00:14 < billub> you using openvpn for what ?
00:17 -!- Leila [~50bfc236@gateway/web/freenode/x-jmuhzfltbcabktae] has joined ##openvpn
00:17 < rob0> 2-3 site-to-site tunnels and occasional remote laptop connections. Used to be to secure wifi, but I no longer need security (only 2 other houses within a kilometer.)
00:17 -!- Leila is now known as Guest40609
00:23 -!- smerz [~daniel@smerz.demon.nl] has quit [Quit: Ex-Chat]
00:35 < billub> sorry came back
00:35 < billub> rob0: are you a sysad ? 
00:39 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
00:40 < rob0> Unemployed ATM, but I do indeed consider myself a professional sysadmin, among other things. :)
00:57 < billub> (sorry, on and off) cool
00:57 < billub> i like chatting with prof sysadmin
00:58 < billub> i am non-prof sort of sysadmin :)
01:05 -!- pdt [~ptinsley@99-0-36-187.lightspeed.mrbotn.sbcglobal.net] has quit [Quit: pdt]
01:37 -!- billub [~billub@c-69-181-249-62.hsd1.ca.comcast.net] has left ##openvpn []
02:07 -!- disappearedng [~disappear@unaffiliated/disappearedng] has quit [Ping timeout: 248 seconds]
02:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
02:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:22 -!- disappearedng [~disappear@unaffiliated/disappearedng] has joined ##openvpn
02:36 -!- Guest40609 [~50bfc236@gateway/web/freenode/x-jmuhzfltbcabktae] has quit [Quit: Page closed]
02:45 < tjz> anyone like pizza?
02:48 -!- zerk [~sup3rfly@boxcars.triplecrowncasinos.com] has joined ##openvpn
03:09 -!- master_of_master [~master_of@p57B56ABD.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
03:11 -!- master_of_master [~master_of@p57B55CDC.dip.t-dialin.net] has joined ##openvpn
03:18 -!- TecR0c [tecr0c@never.met.a.leet-hacker.net] has left ##openvpn []
04:12 < hyper_ch> what's pizza?
04:17 < tjz> Hello
04:17 < tjz> hawaillian
04:17 < tjz> :D :D
04:19 -!- zerk [~sup3rfly@boxcars.triplecrowncasinos.com] has quit []
04:57 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Ping timeout: 260 seconds]
05:19 -!- ||arifaX [~ContikiC6@p4FE18535.dip0.t-ipconnect.de] has joined ##openvpn
05:19 -!- ||arifaX [~ContikiC6@p4FE18535.dip0.t-ipconnect.de] has quit [Changing host]
05:19 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has joined ##openvpn
05:23 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
05:24 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
06:17 -!- ivenkys_ [~ivenkys@unaffiliated/ivenkys] has joined ##openvpn
06:17 -!- ivenkys_ [~ivenkys@unaffiliated/ivenkys] has quit [Client Quit]
06:22 -!- Section58 [~steve@78-86-206-81.zone2.bethere.co.uk] has quit [Ping timeout: 260 seconds]
06:24 -!- Section58 [~steve@78-86-206-81.zone2.bethere.co.uk] has joined ##openvpn
06:48 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
06:49 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
06:49 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
06:49 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
06:50 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
07:11 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 240 seconds]
07:15 -!- LobbyZ [~default@188.72.255.194] has quit [Remote host closed the connection]
07:19 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
07:21 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Ping timeout: 245 seconds]
07:29 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
07:51 -!- dauergast [~sag@p5B3EF384.dip.t-dialin.net] has joined ##openvpn
08:00 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has quit [Read error: Operation timed out]
08:01 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
08:01 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
08:31 -!- Section58 [~steve@78-86-206-81.zone2.bethere.co.uk] has quit [Read error: Connection reset by peer]
08:32 -!- Section58 [~steve@78-86-206-81.zone2.bethere.co.uk] has joined ##openvpn
08:34 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
08:41 -!- rob0 [~rob0@tuxaloosa.org] has quit [Read error: Operation timed out]
08:42 -!- rob0 [~rob0@tuxaloosa.org] has joined ##openvpn
08:56 -!- dauergast [~sag@p5B3EF384.dip.t-dialin.net] has quit [Quit: Neurotiker bauen Luftschlösser, Psychopathen wohnen darin und Psychater kassieren die Miete]
09:13 -!- khaos [~khaos@p5791EB05.dip.t-dialin.net] has joined ##openvpn
09:14 < khaos> Hi. Iam trying to increase the receive/send buffer on an OpenVPN 2.1.1 windows client. Both options do nothing, both buffers stay at 8kb. Is there something else I need to do to make this work?
09:23 -!- khaos [~khaos@p5791EB05.dip.t-dialin.net] has quit [Quit: Verlassend]
09:42 -!- albech [~thomas@124.157.189.40] has joined ##openvpn
09:47 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
10:03 < albech> if no listen is specified will openvpn then listen on all available interfaces?
10:21 < albech> I keep getting 'Invalid argument (code=22)' on my server. What is causing this?
10:21 < ecrist> see topic, albech 
10:24 < albech> http://paste.debian.net/61840
10:25 < albech> i am using the configs from this howto: http://openvpn.net/index.php/open-source/documentation/howto.html#examples
10:25 < vpnHelper> Title: HOWTO (at openvpn.net)
10:34 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 265 seconds]
10:58 -!- derRichard [~derRichar@ununbium.nod.at] has left ##openvpn []
11:08 -!- master_of_master [~master_of@p57B55CDC.dip.t-dialin.net] has quit [Read error: Connection reset by peer]
11:13 -!- albech [~thomas@124.157.189.40] has quit [Quit: Leaving]
11:33 -!- disappearedng [~disappear@unaffiliated/disappearedng] has quit [Ping timeout: 268 seconds]
11:57 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 260 seconds]
12:17 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
12:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 258 seconds]
12:44 -!- rajin [~a@port-15531.pppoe.wtnet.de] has joined ##openvpn
12:47 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has joined ##openvpn
12:50 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
13:17 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Read error: Connection reset by peer]
13:25 -!- rajin [~a@port-15531.pppoe.wtnet.de] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- In tests, 0x09 out of 0x0A l33t h4x0rz prefer it :)]
13:31 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
14:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
14:27 -!- billub [~billub@c-69-181-249-62.hsd1.ca.comcast.net] has joined ##openvpn
14:28 < billub> i am trying to compile openvpn on windows using mingw and it complains about not finding the openssl dir and the pkcs11-helper dir. i am using the batch file for compilation that is in ms/mingw32.bat
14:28 < billub> any suggestions  
14:38 -!- rajin [~a@port-15531.pppoe.wtnet.de] has joined ##openvpn
15:19 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
15:52 -!- rajin [~a@port-15531.pppoe.wtnet.de] has quit [Quit:  Try HydraIRC -> http://www.hydrairc.com <-]
16:05 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
16:14 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Quit: ZNC - http://znc.sourceforge.net]
16:15 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
16:58 -!- berend [~user@d220-236-249-169.dsl.nsw.optusnet.com.au] has joined ##openvpn
16:59 < berend> I've a very weird problem right now: I'm attached to a wireless router and use openvpn to access my server infrastructure. Receiving data works. Uploading data (probably above X packets at once or close together) fails. 
16:59 < berend> Any clues?
16:59 < berend> openvpn server is freebsd, using dev tun
16:59 < berend> compression is enabled
16:59 < berend> client is Ubuntu 9.10
17:00 < berend> for example scp over openvpn fails
17:00 < berend> transmits first 192KB or so, and then stalls.
17:00 < berend> scp of same file straight to server's public ssh port is fine.
17:01 < berend> mtu both sides is 1500
17:01 < berend> and of course normally this setup works
17:02 < berend> So it's this wifi router? I can't change the router or change anythign there.
17:02 < berend> But perhaps people have suggestions.
17:04 < berend> ah I see in my client's config I have link-mtu 1542.
17:04 < reiffert> disable compression on both sides
17:04 < reiffert> then run:
17:04 < berend> why?
17:04 < reiffert> !mtu-test
17:04 < vpnHelper> reiffert: "mtu-test" is you can just use --mtu-test on the client to see what the best mtu for your connection is
17:04 < berend> ah yes
17:04 < reiffert> You are asking for suggestions, here are mine.
17:05 < berend> Like to understand what I'm doing :-)
17:06 < reiffert> the manpage will explain how to disable compression. comp-lzo 0 IIRC.
17:06 < berend> yes, I put it in the config file myself, just doing this
17:06 < reiffert> using udp btw?
17:06 < berend> yes
17:06 < reiffert> good.
17:07 < reiffert> using QoS somewhere inbetween?
17:07 < berend> If I did, it would be outside my control
17:07 < berend> The server is NZ, and I'm in an suburb quite outside Sydney, AU right now
17:07 < berend> disabled compression, scp still fails, now running mtu-test
17:08 < reiffert> 1200km is more than openpvn can handle?
17:08 < reiffert> using openvpn-2.1.1?
17:09 < ecrist> OpenVPN doesn't care what the distance is...
17:09 < berend> Desktop: 2.1_rc19
17:09 < berend> awecwe: 1.`.`
17:10 < berend> oops
17:10 < berend> server: 2.1.1
17:11 < reiffert> that combination should be fine.
17:11 < berend> it would be nice to have a progress display for --mtu-test :-)
17:11 < berend> yes, both latest for these 2 platforms
17:12 < reiffert> 21rc19 is latest for a platform? Which one is it?
17:12 < berend> that's Ubuntu 9.10 Karmic
17:12 < reiffert> 2.1.1 will compile fine on almost every platform. however 2.1rc19 should be ok.
17:17 < berend> hmmm, doing: openvpn --mtu-test --dev tun
17:17 < berend> hasn't yet returned, already 5 minutes
17:21 < reiffert> increase verbosity, like --verb 5
17:23 -!- smerz [~daniel@smerz.demon.nl] has quit [Quit: Ex-Chat]
17:27 < billub> would you guys know the ansewr to this : i am trying to compile openvpn on windows using mingw and it complains about not finding the openssl dir and the pkcs11-helper dir. i am using the batch file for compilation that is in ms/mingw32.bat
17:34 < berend> NOTE: failed to obtain options consistency info from peer -- this could occur if the remote peer is running a version of OpenVPN before 1.5-beta8 or if there is a network connectivity problem, and will not necessarily prevent OpenVPN from running (0 bytes received from peer, 0 bytes authenticated data channel traffic) -- you can disable the options consistency check with --disable-occ.
17:34 < berend>  
17:34 < berend> Not sure if that's important, doesn't perhaps seem so?
17:36 < berend> but also don't seem to get packet sizes
17:53 < berend> mtu-test doesn't seem to return
17:54 < berend> have been playing with fragment and mssfix
17:55 < berend> but enabling that gives weird warnings about link-mtu missing or mty-dunamic being rpesent
17:55 < berend> eh mtu-dynamic I mean
18:08 < berend> well, fixed the thing with mssfix and fragment 1400
18:13 < berend> the only annoying thing appears to be that mssfix and fragment need to be set on every client.
18:14 < berend> Very annoying.
18:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
18:29 < berend> interestingly find another setting that works, i.e. tun-mtu 1200
18:37 < berend> ok, I think I've found a solution that doesn't require me to fix all clients. Only do --mssfix 1300, no need for fragment, at least for now, so no server side changes necessary
18:51 -!- theDoc [~jaki@69.10.59.166] has joined ##openvpn
18:52 -!- theDoc [~jaki@69.10.59.166] has quit [Changing host]
18:52 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
19:00 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
19:07 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has quit [Disconnected by services]
19:07 -!- ||arifaX_ [~ContikiC6@unaffiliated/arifax/x-427475] has joined ##openvpn
19:16 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
19:18 < Sky[x]> hello
19:18 < Sky[x]> i need help :)
19:18 < Sky[x]> when i connect on openvpn i cant ping out just inside network any idea '
19:18 < Sky[x]> ?
19:20 < Bushmills> why do you think you should be able to ping out?
19:21 < Bushmills> (meaning:  "what have you done, set up, or configured to allow you to ping out?")
19:23 < Sky[x]> the problem was in the iptables :)
19:23 < Sky[x]> this rows missing :)
19:23 < Sky[x]> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
19:23 < Sky[x]> iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -o eth0 -j ACCEPT
19:23 < Sky[x]> iptables -A FORWARD -i eth0 -o tun0 -m state –state ESTABLISHED,RELATED -j ACCEPT
19:23 < Sky[x]> echo 1 > /proc/sys/net/ipv4/ip_forward
19:24 < Bushmills> alternatively /etc/sysctl.conf for ip_forward
19:24 < Bushmills> can set it permanently there
19:35 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
19:36 -!- elge [~elge@mx2.nethence.com] has joined ##openvpn
19:37 < elge> hi there, I'm finally connected with a win32 client to a linux server, but the tap network interface keep unlinked on the windows side
19:37 < elge> any hints ?
19:38 < elge> "Cable disconnected", like I didn't plug any cable into the virtual TAP win32 interface
19:38 < elge> I did setup an IP for it, 10.8.0.2
19:38 < theDoc> You're doing it wrong. What is your setup?
19:40 < elge> theDoc, linux side, openvpn 2.1.1 from source
19:40 < elge> win32 side, 2.0.9 vpn gui, connects fine
19:40 < theDoc> So what's broken?
19:40 < elge> I can't ping anything
19:41 < elge> the TAP interface is disconnected
19:41 < Bushmills> did you check you logs?
19:41 < theDoc> What does your server config and routing tables show you?
19:42 < elge> Bushmills, yes, nothing special on the client
19:42 < elge> server logs look fine too
19:42 < Bushmills> so, they say "connected" etc?
19:43 < elge> theDoc, I'm using the defaults for now, server has tun0/10.8.0.1
19:43 < elge> Bushmills, yes
19:43 < elge> and the icon is yellow
19:43 < elge> ehm, not "connected"
19:44 < elge> UDPv4 link remote IPADDRESS:443
19:44 < theDoc> Check your client logs.
19:44 < elge> that's the last line
19:44 < theDoc> Firewall filtering 443?
19:44 < elge> oh yeah !
19:44 < elge> of course
19:44 < elge> thanks
19:50 -!- tjz [~pc@bb116-15-166-82.singnet.com.sg] has joined ##openvpn
19:50 -!- tjz [~pc@bb116-15-166-82.singnet.com.sg] has quit [Changing host]
19:50 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
19:55 < elge> WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
19:55 < elge> WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1574', remote='link-mtu 1542'
19:55 < elge> WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
19:55 < elge> is it fine or do I have to fix the mtu ?
19:59 < reiffert> 02:55 < elge> WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
19:59 < reiffert> fix all.
20:01 < elge> reiffert, server is linux, with tun
20:01 < elge> client is windows, tap
20:01 -!- s34n [~chatzilla@ip-208-76-93-125.mvdsl.com] has quit [Ping timeout: 252 seconds]
20:02 < elge> i doubt there's a tun driver for windows, I guess this warning can be ignored.
20:02 < elge> not sure about the mtu tho
20:04 < theDoc> You might want to change the mtu to 1492 or something
20:04 < theDoc> reiffert> Got your lacp fixed?
20:07 -!- s34n [~chatzilla@ip-208-76-93-125.mvdsl.com] has joined ##openvpn
20:08 < elge> theDoc, dev-mtu work on 2.1.1 but no on the 2.0.9 win32 client
20:08 < elge> bad syntax probably
20:10 < elge> reiffert, you were right !
20:10 < elge> dev tun works on windows too although it's a tap device
20:10 < elge> I ping the networks
21:18 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has quit [Quit: Terminated with extreme prejudice - dircproxy 1.0.5]
21:24 < tjz> hmm
21:25 < tjz> anyone come across this?
21:25 < tjz> server side say:
21:25 < tjz> TLS Error: cannot locate HMAC in incoming packet
21:28 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined ##openvpn
22:10 -!- albech [~thomas@124.157.189.40] has joined ##openvpn
23:09 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
23:29 -!- ||arifaX_ [~ContikiC6@unaffiliated/arifax/x-427475] has quit [Ping timeout: 265 seconds]
23:33 -!- albech [~thomas@124.157.189.40] has quit [Ping timeout: 256 seconds]
23:35 -!- albech [~thomas@119.42.79.237] has joined ##openvpn
23:58 -!- albech_ [~thomas@124.157.189.40] has joined ##openvpn
--- Day changed Mon Mar 01 2010
00:02 -!- albech [~thomas@119.42.79.237] has quit [Ping timeout: 265 seconds]
00:08 -!- ||arifaX [~ContikiC6@inetpop1.witron.de] has joined ##openvpn
00:08 -!- ||arifaX [~ContikiC6@inetpop1.witron.de] has quit [Changing host]
00:08 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has joined ##openvpn
00:25 -!- billub [~billub@c-69-181-249-62.hsd1.ca.comcast.net] has quit [Quit: Leaving.]
01:30 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
01:32 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
01:58 -!- albech_ [~thomas@124.157.189.40] has quit [Ping timeout: 265 seconds]
01:59 -!- albech_ [~thomas@119.42.77.220] has joined ##openvpn
02:14 < jmm> hi.
02:18 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
02:58 -!- dazo_afk [~dazo@nat/redhat/x-wbuewcupmncwnaaa] has quit [Ping timeout: 258 seconds]
03:10 -!- dazo_afk [~dazo@nat/redhat/x-zskgdalwfqtwswag] has joined ##openvpn
03:10 -!- dazo_afk is now known as Guest10307
03:10 -!- Guest10307 is now known as dazo
03:11 -!- dazo is now known as Guest20744
03:12 -!- Guest20744 is now known as dazo_
03:23 -!- dazo_ [~dazo@nat/redhat/x-zskgdalwfqtwswag] has quit [Ping timeout: 240 seconds]
03:29 -!- dazo_ [~dazo@nat/redhat/x-uefaptlsnyfpfhgx] has joined ##openvpn
03:31 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
03:45 < dazo_> rob0:  Good answer in regards to the "ntp" feature request!
03:46 < krzee> someone wanted openvpn to handle ntp??
03:48 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
03:48 < theDoc> krzee> Any chance you can help me with a radius/sql question?
03:50 < krzee> not likely, havnt played with radius before, although i now have the need to
03:50 < krzee> unfortunately my need requires me to use windows radius server
03:51 < theDoc> lol
03:51 < krzee> ok not need, but i got some free OTP tokens and i wanna integrate them into an openvpn install
03:51 < theDoc> freeradius is frustrating the hell out of me right now with that stupid sql schemas which do not exist
03:51 < theDoc> in the redhat package.
03:51 < krzee> the app to use them requires windows
03:51 < theDoc> ew.
03:51 < krzee> agreed
03:52 < theDoc> I just realized, the redhat package does not have the freeradius schemas
03:52 < theDoc> What the fuck is up with that.
03:53 < krzee> redhat, also ew
03:53 < krzee> hehe
03:53 < theDoc> and the #freeradius is about as active as a dead snail
04:01 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
04:11 -!- dazo_ is now known as dazo
04:27 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
04:49 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
05:24 -!- berend [~user@d220-236-249-169.dsl.nsw.optusnet.com.au] has quit [Ping timeout: 265 seconds]
05:34 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:34 < albech_> anyone know if the bridgeutils in busybox are sufficient for openvpn bridge setup?
05:35 -!- maxagaz [~maxagaz@soho2.i-xanadu.com] has joined ##openvpn
05:35 < maxagaz> hi
05:37 < maxagaz> which files should be on the client, and which should be on the server ? => myuser.[crt,csr,key], ca.crt, ca.key and ta.key
05:38 < hyper_ch> !howto
05:38 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
05:41 < maxagaz> hyper_ch, the howto is not clear
05:43 < hyper_ch> what's not clear there?
05:44 < maxagaz> the table... it doesn't say about myuser.csr and ta.key
05:44 < hyper_ch> it does
05:46 < maxagaz> hyper_ch, it doesn't
05:47 < krzee> albech_, i wish, but no
05:48 < krzee> no tap device
05:48 < krzee> csr doesnt matter
05:48 < albech_> krzee, crap :(
05:48 < krzee> not needed
05:48 < krzee> its an unsigned crt
05:49 < krzee> ta.key refers to a static key, needs to be on every machine on the vpn including server
05:49 < krzee> !hmac
05:49 < vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
05:49 < vpnHelper> krzee: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
05:49 < albech_> krzee, it might be in BB v1.16, hopefully
05:56 < maxagaz> krzee, and the myuser.csr ?
05:56 < krzee> [03:48]  <krzee> csr doesnt matter
05:56 < krzee> [03:48]  <krzee> not needed
05:56 < krzee> [03:48]  <krzee> its an unsigned crt
05:56 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
05:57 < maxagaz> krzee, ok, sorry
06:07 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
06:23 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
06:27 -!- ambro718 [~ambro@BSN-77-101-149.dsl.siol.net] has joined ##openvpn
06:30 < ambro718> Hi, I have a question about using TAP-Win32 from a program. When writing a frame to the device with WriteFileEx in overlapped mode, can I assume the operation will always complete immediately, or is it possible that WriteFileEx returns ERROR_IO_PENDING?
06:31 < krzee> thats for dev
06:31 < krzee> !dev
06:31 < vpnHelper> krzee: "dev" is https://lists.sourceforge.net/lists/listinfo/openvpn-devel to sign up for devel mail list
06:34 < upb> maxagaz: think logically
06:34 < upb> maxagaz: ofcourse, the client needs to have ca.key
06:35 < upb> and also the server needs to have ca.key :P
06:36 < upb> oh and the server needs to have the private key of every client
06:37 < krzee> maxagaz, dont listen to him, listen to howto
06:37 < krzee> lol
06:38 < upb> i dont understand how could anyway even think what i wrote is true :P
06:38 < upb> s/anyway/anyone/
06:44 -!- maxagaz [~maxagaz@soho2.i-xanadu.com] has quit [Read error: Connection reset by peer]
06:48 -!- ambro718 [~ambro@BSN-77-101-149.dsl.siol.net] has left ##openvpn []
06:51 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
06:55 -!- Krikke [~ixevix@62.142.105.142] has quit [Ping timeout: 260 seconds]
06:55 -!- Krikke [~ixevix@62.142.105.142] has joined ##openvpn
07:15 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Quit: ZNC - http://znc.sourceforge.net]
07:17 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has quit [Remote host closed the connection]
07:19 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
07:26 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
07:26 -!- mode/##openvpn [+o mattock] by ChanServ
07:29 -!- jetole [~Joe@irc.fossl.net] has joined ##openvpn
07:30 < jetole> Hey guys. I am trying to make some changes to the office iptables rules however I am wondering, does openvpn always use tun0? I'm guessing no but funny topic to google for
07:32 -!- cybertron [~cybertron@84.200.248.176] has joined ##openvpn
07:32 < cybertron> hi
07:33 < cybertron> what could be the reason that my road warrior client cant finde windows shares? so from intern lan to extern works
07:34 < jetole> well one reason is typically that netbios shares do their name resolution via broadcasts on the lan and if you are using openvpn in tunnel vs. bridge mode then it is on a different lan and won't see data to the broadcast address
07:35 < jetole> a good test is try connecting via the ip address i.e. \\192.168.0.10\my_share$
07:35 < cybertron> i just use ip add :)
07:35 < jetole> what?
07:35 < cybertron> i use ip add 
07:35 < cybertron> so i can ping 192.168.1.202
07:35 < cybertron> routed vpn btw 
07:35 < cybertron> but cannot reach \\192.168.1.202
07:36 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Read error: Connection timed out]
07:36 < jetole> try connecting to an actual share instead of the ip address
07:36 < dazo> jetole:  openvpn can use tun0 always, if you configure it so .... by using tun0 in the .--dev config statement
07:36 < cybertron> jetole: u mean local?
07:36 < dazo> jetole:  if given just --dev tun ... it will use the first available tun device, starting at 0 and incrementing upwards
07:37 < jetole> If you can't connect to the share via IP but you can connect to other network services for example to ping the host then it seems like ovpn is doing it's job and I would look into you're windows config
07:37 < jetole> dazo: can I use --dev tun0 ?
07:37 < cybertron> hm
07:37 < dazo> jetole:  afaik, yes .... even vpn0 if you want ... but that requires --dev-type tun
07:38 < jetole> dazo, wait, I can create any dev name I like and tun will bind to it if I use --dev-type tun ?
07:39 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
07:39 < cybertron> ahhhhh ...*boooom* file sharing was disabled lol
07:39 < dazo> jetole:  openvpn will try to identify if it is a tun or tap device based on the name given to --dev ... if it can't it will complain ... but by using --dev-type {tun|tap} you can instruct what kind of device it is
07:39 < jetole> dazo, so that means I can give it any name though? Right?
07:40 < dazo> jetole:  yes, but you will need --dev-type in addition :)
07:40 < jetole> right
07:40 < jetole> Ok, thanks a ton, thats good to know for iptables rules
07:40 < jetole> really good to know
07:41 < dazo> jetole:  it's the same principles as with renaming ethernet devices as well :)
07:41 < jetole> agh, don't get me started. I just spent the morning creating new vlan devices for a new department
07:41 < jetole> brb
07:41  * dazo always renames eth devices to their purpose ... easier to read configurations .... esp. on firewalls
07:43  * jetole doesn't
07:44 < jetole> If I need to then I note it in the /etc/network/interfaces file (debian and ubuntu
07:44 < jetole> )
07:48 < dazo> jetole:  docs are always good .... but if you then do ifconfig or iptables dump .... and you see devices like "world", "office", "dmz", "wifi" ... you don't need to look into the docs to connect "eth0" to the office network, or "eth3" to the ISP interface, etc, etc ... it's indirect documentation
07:48 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Excess Flood]
07:48 < dazo> having that said ... I don't rename devices on boxes with only one interface which is in use
07:51 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
07:53 < jetole> dazo: on the other hand, eth0 is always isp, eth1 is always lan, eth2 is always dmz and wifi doesn't matter since it's never been eth* on any system I have
07:53 < jetole> anyways those aren't specs or anything. Their just my rules
07:54 < jetole> on another word, does anyone know what the word if for something that is about to be quarantined like a pre quarantine state?
07:54 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
07:54 < dazo> that's not my point ... my point is that with your scheme, you need to know these rules ... with mine, you just need to use your imagination 
07:56 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Client Quit]
07:56 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
08:04  * jetole shrugs
08:05 < jetole> it's documented, the devices are just not renamed 
08:10 < |Mike|> :D
08:18 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Ping timeout: 264 seconds]
08:28 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Quit: Távozom]
08:29 -!- MadTBone_ [~MadTBone@160.39.238.196] has joined ##openvpn
08:42 < dazo> hahaha .... Markus Feilner will give away 15 books on Cebit ... Beginning Openvpn 2.0.9" .... I hope the number 15 was due what they had on stock ...........
08:45 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
08:45 -!- MadTBone_ [~MadTBone@160.39.238.196] has quit [Quit: Leaving]
08:45 -!- MadTBone [~MadTBone@160.39.238.196] has joined ##openvpn
08:48 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
08:57 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
09:00 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
09:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:13 -!- tompaw [~tompaw@slave20.tesserakt.eu] has quit [Ping timeout: 256 seconds]
09:20 -!- tompaw [~tompaw@slave20.tesserakt.eu] has joined ##openvpn
09:22 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Ping timeout: 265 seconds]
09:23 -!- MadTBone [~MadTBone@160.39.238.196] has joined ##openvpn
09:23 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has joined ##openvpn
09:51 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:17 -!- Optic [~Optic@miso.capybara.org] has quit [Read error: Connection reset by peer]
10:19 -!- Optic [~Optic@miso.capybara.org] has joined ##openvpn
10:20 < rob0> dazo, re: the time synch feature request thread, it reminded me of the famous quote, "Those who don't understand Unix ..." :)
10:24 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
10:26 < dazo> rob0:  indeed :)
10:34 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
10:38 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Client Quit]
10:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
10:48 -!- Optic [~Optic@miso.capybara.org] has left ##openvpn ["Leaving"]
10:51 -!- stony [~ol@186-140-088-212.ip-addr.teresto.net] has joined ##openvpn
10:51 < stony> hi
10:51 < stony> i'm running n openvpn daemon in server mode (server 10.1.1.0 255.255.255.0)
10:52 < stony> now i'm trying to add additional routes to the tun0 device so that the "iroute" commands can handle the rest
10:52 < stony> but that's not allowed 
10:52 < stony> any hints ?
10:52 < upb> how is that not allowed ?:P
10:53 < stony> Options error: option 'route' cannot be used in this context
10:53 < upb> so, you're using it in the wrong place
10:54 < stony> if i add it to the config directly without any gateway (!) - i want to use the interface - it says that it needs a gateway
10:54 < stony> e.g. route 10.2.1.0 255.255.255.0
10:54 < upb> yep
10:54 < stony> what it should do would be: ip route add 10.2.1.0/24 dev tun0
10:55 < upb> i have such config for example:
10:55 < upb> ./static.conf:route 10.222.2.0 255.255.255.0
10:55 < upb> ./static.conf:push "route 10.222.2.0 255.255.255.0"
10:55 < stony> OpenVPN ROUTE: failed to parse/resolve route for host/network:
10:57 < upb> dno, works for me :)
10:57 < stony> but not for me ...
10:57 < stony> bug?
10:58 < ecrist> !logs
10:58 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
11:12 -!- pmjdebruijn [pascal@jester.pcode.nl] has left ##openvpn []
11:14 -!- mithridates [~chatzilla@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
11:15 -!- albech_ [~thomas@119.42.77.220] has quit [Ping timeout: 265 seconds]
11:17 -!- albech_ [~thomas@119.42.77.220] has joined ##openvpn
11:20 < cybertron> dow 
11:21 < cybertron> doh
11:28 -!- stony [~ol@186-140-088-212.ip-addr.teresto.net] has quit [Ping timeout: 276 seconds]
11:39 -!- rickross [~rickross@supporter/active/rickross] has joined ##openvpn
11:42 -!- albech_ [~thomas@119.42.77.220] has quit [Ping timeout: 246 seconds]
11:44 -!- albech_ [~thomas@124.157.189.40] has joined ##openvpn
11:53 -!- albech_ [~thomas@124.157.189.40] has quit [Ping timeout: 240 seconds]
11:53 -!- rickross [~rickross@supporter/active/rickross] has quit [Read error: Connection reset by peer]
11:58 -!- mithridates [~chatzilla@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit [Remote host closed the connection]
12:02 -!- rickross [~rickross@cpe-065-190-017-219.nc.res.rr.com] has joined ##openvpn
12:02 -!- rickross [~rickross@cpe-065-190-017-219.nc.res.rr.com] has quit [Changing host]
12:02 -!- rickross [~rickross@supporter/active/rickross] has joined ##openvpn
12:04 -!- albech [~thomas@124.157.189.40] has joined ##openvpn
12:07 -!- rickross [~rickross@supporter/active/rickross] has quit [Read error: Connection reset by peer]
12:16 -!- rickross [~rickross@cpe-065-190-017-219.nc.res.rr.com] has joined ##openvpn
12:16 -!- rickross [~rickross@cpe-065-190-017-219.nc.res.rr.com] has quit [Changing host]
12:16 -!- rickross [~rickross@supporter/active/rickross] has joined ##openvpn
12:24 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
12:26 -!- e-squizo [~fheinz@190.230.44.64] has joined ##openvpn
12:27 < e-squizo> !welcome
12:27 < vpnHelper> e-squizo: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:28 < e-squizo> !route
12:28 < vpnHelper> e-squizo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:33 < cybertron> hm any reason why I cant reach any lan clients? Just reach the vpn ip of my vpn server
12:34 < cybertron> !redirect
12:34 < vpnHelper> cybertron: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:35 < cybertron> i got an dsl router and openvpn router so first the dsl do the inet connection and forwards the vpn traffic to the vpn router
12:40 -!- albech_ [~thomas@124.157.189.40] has joined ##openvpn
12:41 -!- Typone [~nnnnnnnit@195.197.184.87] has quit [Ping timeout: 276 seconds]
12:42 -!- albech [~thomas@124.157.189.40] has quit [Ping timeout: 245 seconds]
12:43 -!- Typone [~nnnnnnnit@195.197.184.87] has joined ##openvpn
12:45 < tw> Hi cybertron, I probably can't help you, but if you post your routing tables for the vpn client, as well as the vpn server's routing tables and firewall rules in pastebin, someone might be able to figure it out.
12:45 < tw> (all routing tables with the vpn connected)
12:46 -!- albech_ [~thomas@124.157.189.40] has quit [Ping timeout: 245 seconds]
12:49 < cybertron> tw: thx then come back later again cant post the informations u need
12:52 < rob0> I don't need any information to say, this sounds like the most FA of all FAQs in openvpnland: failure to understand how IP routing works. Your answer really is in !route; read it, don't skim it.
12:53 < cybertron> !route
12:53 < vpnHelper> cybertron: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:05 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
13:18 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
13:19 -!- dazo is now known as dazo_afk
13:23 < e-squizo> folks, I'm trying to set up a bridged VPN, but I'm stuck. Routed works, bridged doesn't, so I guess the firewall isn't at fault this time.
13:23 < e-squizo> here are the goals and a detailed description of the problem: http://pastebin.com/ZVMD75vW
13:23 < e-squizo> here's the server-side setup: http://pastebin.com/YXr7a0ua
13:24 < e-squizo> and the client-side: http://pastebin.com/M5JEfPKF
13:24 < e-squizo> the strange thing is that everything seems to be working, IP addresses get assigned
13:24 < e-squizo> routes get added
13:24 < e-squizo> it all looks great
13:25 < e-squizo> but I can't get packets across the VPN link
13:25 < e-squizo> ping in either direction fails
13:25 < e-squizo> any ideas?
13:31 < rob0> Just curious, why was bridging desired?
13:33 < e-squizo> rob0: I want users to be able to browse certain resources that are advertised only to the LAN
13:34 < e-squizo> but I've hit a wall: everything seems to be working... only it doesn't. It's  a puzzle
13:35 < cron2> e-squizo: have you set up briding tap0 <-> eth0 on the server side?
13:35 < cron2> and are you using the right tap device ("dev tap0" not "dev tap") in the server config?
13:35 < e-squizo> cron2: I have set up the bridging
13:36 < e-squizo> now we're talking! It needs to be tap0, not tap? I didn't know that!
13:36 < cron2> !bridge
13:36 < vpnHelper> cron2: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for anything where the protocol uses MAC addresses instead of IP addresses.
13:36 < vpnHelper> cron2: (but not samba, see !wins)
13:36  * e-squizo re-checks the howto!
13:36 < cron2> if you don't use "tap0", OpenVPN will use the "next available" TAP device, which usually is tap1 - and not the one bound to the bridge
13:37 < e-squizo> howto says "dev tap"!
13:37 < rob0> If "browse certain resources that are advertised" means SMB/CIFS, why not use WINS?
13:37 < cron2> e-squizo: the link above (ethernet-briding.html) says "dev tap0"
13:38 < cron2> (on the client, it's - usually - "dev tap", because there is no client LAN to be bridged.  If you have a bridge configured, it's "tap0")
13:39  * e-squizo kicks self
13:39 < cron2> *g*
13:39 < e-squizo> I was reading the Windows section
13:39 < cron2> Windows is not good for mental health :-)
13:39 < cron2> ok, I'm going to watch TV now :))
13:40 < e-squizo> success!!!!!!!
13:41 < e-squizo> tks cron2, that was the ticket
13:44 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
13:48 -!- Liquid0 [~Iskorptix@lan-84-240-15-13.vln.skynet.lt] has joined ##openvpn
14:01 -!- pfo [~pfo@chello084114049188.14.vie.surfer.at] has joined ##openvpn
14:01 < pfo> is there a way to tell openvpn to use it's own PAM file (like /etc/pam/openvpn) -- sshd has this.
14:01 < pfo> (at least on debian)
14:03 < |Mike|> jup
14:03 < |Mike|> !howto
14:03 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:03 < |Mike|> read :)
14:10 -!- Liquid0 [~Iskorptix@lan-84-240-15-13.vln.skynet.lt] has quit [Quit: Leaving.]
14:11 -!- Ghostishell [~Ghostishe@h142n2fls34o972.telia.com] has joined ##openvpn
14:13 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
14:15 < Ghostishell> Hi Bushmills...  Does anyone know OpenVPNguis "Mathias Sundman" ? I sent him an email a year ago but he didnt reply. I would like to know how a windows openvpngui looks like with user/password auth and chrooted if possible.
14:17 < Ghostishell> Adding an adapted export in gadmin-openvpn-server for that program as well.
14:19 < Ghostishell> Unfortunately some people still uses windows on clients :(
14:22 -!- e-squizo [~fheinz@190.230.44.64] has left ##openvpn []
14:24 -!- pfo [~pfo@chello084114049188.14.vie.surfer.at] has quit [Ping timeout: 245 seconds]
14:28 -!- pfo [~pfo@chello084114049188.14.vie.surfer.at] has joined ##openvpn
14:30 -!- LobbyZ [~default@188.72.255.194] has quit [Remote host closed the connection]
14:34 -!- pfo [~pfo@chello084114049188.14.vie.surfer.at] has quit [Ping timeout: 240 seconds]
14:43 -!- Ghostishell [~Ghostishe@h142n2fls34o972.telia.com] has quit [Quit: Quit]
14:46 -!- btm [~btm@serenity.ninjr.org] has left ##openvpn []
14:56 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
15:00 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
15:06 -!- rickross [~rickross@supporter/active/rickross] has quit [Read error: Connection reset by peer]
15:15 -!- rickross [~rickross@supporter/active/rickross] has joined ##openvpn
15:27 -!- rickross [~rickross@supporter/active/rickross] has quit [Ping timeout: 246 seconds]
15:32 -!- alexf [~IceChat7@CPE000f3d516e67-CM001cea874bae.cpe.net.cable.rogers.com] has joined ##openvpn
15:33 -!- mmcgrath [~mmcgrath@mmcgrath.net] has joined ##openvpn
15:33 < mmcgrath> !welcome
15:33 < vpnHelper> mmcgrath: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:34 < mmcgrath> I'm seeing errors like this on my clients: event_wait : Interrupted system call (code=4)
15:34 < mmcgrath> followed by a restart
15:34 < mmcgrath> it can happen on several servers at once, usually within a few minutes of eachother.
15:34 < mmcgrath> I'm not sure what it means or where to look for a cause though
15:35 < hyper_ch> I'd try google :)
15:36 < mmcgrath> I did, nothing useful came up.  I saw lots of references to what I assume was ddwrt and things
15:36 < mmcgrath> but I'm not using any of that.
15:36 < hyper_ch> no clue
15:37 < rob0> "I'm seeing errors like this on my clients" ... "it can happen on several servers at once"?
15:37 < mmcgrath> rob0: sorry, s/servers/hosts/
15:38 < rob0> so, the error happens at different places at more or less the same time?
15:38 < rob0> (are you keeping clocks in synch with ntpd?)
15:38 < mmcgrath> they are ntpd synced, but the errors or happening over the span of like a 10 minute window
15:38 < mmcgrath> and then everything is fine again for quite some time.
15:39 < rob0> your verb setting is what? (You increase it when you want to know more.)
15:40 < mmcgrath> I'm not explicitly setting it so it must be at the default right now, I'll increase it and see if I get more info.  thanks
16:01 -!- rickross [~rickross@supporter/active/rickross] has joined ##openvpn
16:28 -!- LordDoskias [~nib9@unaffiliated/lorddoskias] has joined ##openvpn
16:29 -!- LordDoskias [~nib9@unaffiliated/lorddoskias] has left ##openvpn []
16:30 -!- LordDoskias [~nib9@unaffiliated/lorddoskias] has joined ##openvpn
16:30 < LordDoskias> hello people, is there are guide as to how to tune openvpn for performance
16:30 < LordDoskias> 'cause right now I can't get more than 2 mbps through the tunnel
16:32 < rickross> I'm reading the howto to figure out how to get some devices on our client lan to communite with devices on the remote end of a VPN tunnel. It appears I need to somehow get the gateway for the client lan to direct VPN subnets to the OpenVPN client machine
16:33 < rickross> we're having a tough time doing this on the Syswan SW88 that is the gateway device for the client lan
16:33 < rickross> anyone have any knowledge of this ?
16:33 < LordDoskias> rickross: you want the openvpn server to push default routes to clients?
16:33 < rob0> Lord, UDP is better than TCP, and routing (tun) beats bridging (tap).
16:33 < LordDoskias> rob0: that's what i'm doing, but still 
16:34 < LordDoskias> my windows client shows that the tun/tap device has capacity of 10mbps
16:34 < LordDoskias> while it is running on top of a 100mbps ethernet
16:34 < rickross> LordDoskias: I think the server is doing so, but the machines on the client lan don't know how to reach the OpenVPN server
16:34 < rickross> apparently they need a route, as well
16:35 < rob0> I don't/won't use Windows, but I wouldn't put a lot of faith in that "capacity".
16:35 < rob0> Rick, sounds like basic routing.
16:35 < rob0> !route
16:35 < vpnHelper> rob0: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:35 < LordDoskias> rickross:  paste your server config
16:36 < rickross> LordDoskias: I think I may not be using the right vocabulary
16:37 < rob0> You'll need to know how to use your router, of course.
16:37 < rickross> we have a local lan of client machines with NAT-routed DHCP addresses talking to a cable modem for public internet
16:38 < rickross> one of the lan machines is also the OpenVPN client, to manage a tunnel to a remote voip server
16:39 < rickross> that lan machine is NOT the lan gateway address
16:39 < rickross> and packets destined for the tunnel are not getting to it from the lan, but the OpenVPN client machine itself is pinging happily across the tunnel
16:40 < rickross> until an hour ago we had a dd-wrt router also acting as the OpenVPN client, so it bridged and routed automagically
16:41 < rickross> now we're trying to puzzle through what we need to do to get this silly Syswan SW88 to route vpn-destined traffic to the tunnel
16:41 < rickross> I hope I am describing this more reasonably
16:42 < rob0> Did you check the router documentation or ask the vendor?
16:42 < rickross> yes, we are in the docs - cannot reach the vendor yet
16:43 < rob0> I'm not sure what you're asking in an openvpn context.
16:43 < rickross> we also may not have done this correctly on the client (although it is communicating with the same server and is identically configured as the dd-wrt client was)
16:43 < rob0> You want a workaround? NAT sometimes is a workaround for bad routing.
16:44 < rickross> rob0: that might be what we need
16:44 < rob0> I'd say you need a router that you know how to work with, actually.
16:44 < rickross> would the gateway machine's route point the vpn-targeted traffic to the lan address of the OpenVPN client?
16:45 < rickross> presuming that somehow the tunnel and the lan traffic are bridged on that machine
16:49 < LordDoskias> rob0: what speeds are you typically doing with openvpn? have you ever topped atleast 1megabyte?
16:56 < rob0> I have no idea.
16:58 < vpnHelper> New forum entry openvpnforum: Scripting and Customizations :: OpenVPN and (Free)Radius :: Author Liquido <http://www.ovpnforum.com/viewtopic.php?f=15&t=3130&p=3602#p3602>
17:02 -!- LordDoskias [~nib9@unaffiliated/lorddoskias] has quit [Quit: Lost terminal]
17:07 < rickross> I think my problem is not a route, but rather that we do not have the tun0 and eth0 devices bridged on the client side. Is this something one would normally have to do?
17:08 < rickross> traffic destined for the tunnel is hitting the lan client IP o the OpenVPN client machine, but not forwarding across the tunnel
17:08 < krzee> !tunortap
17:08 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
17:08 < vpnHelper> krzee: against you over the vpn
17:23 -!- Optic [~Optic@miso.capybara.org] has joined ##openvpn
17:30 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 268 seconds]
17:42 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
17:43 < rickross> here's my openvpn server config - http://pastebin.com/bxxNp2JV
17:44 < rickross> here's my openvpn client.conf - http://pastebin.com/HE34Kt7R
17:45 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
17:48 < rickross> I think I am just missing a step. Something like "iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE"
18:02 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
18:16 < rickross> AWESOME - we finally got it - OpenVPN is so cool!
18:27 < krzee> ahh, 
18:27 < krzee> !linnat
18:27 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
18:27 < krzee> sorry so late ;]
18:30 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
18:35 < rickross> krzee - thanks
18:35 < rickross> I'll read that link to try to understand this better, but it seems to be working well now
18:36 < rickross> our route on the lan gateway had been working all along, but without the iptables rule we were getting nowhere quickly
18:41 < Bushmills> that means you didn't read the !route document, where that was explained, well enough.
18:42 < krzee> i think he was talking bout redirecting inet traffic
18:42 -!- billub [~billub@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
18:42 < billub> i am trying to compile openvpn on windows using mingw and it complains about not finding the openssl dir and the pkcs11-helper dir. i am using the batch file for compilation that is in ms/mingw32.bat. Any suggestions ? 
18:42 -!- billub [~billub@71-6-65-18.static-ip.telepacific.net] has left ##openvpn []
18:43 < krzee> lol
18:43 < Bushmills> hi krzee
18:43 < krzee> moin!
18:43 < Bushmills> not eroded by deadly bark fungus?
18:44 < krzee> not yet
18:45 < rickross> Bushmills: evidently I did not - it ain't my first mistake
18:45 < krzee> !route
18:45 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:45 < krzee> !redirect
18:45 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:46 < rickross> it all seems so obvious now <blush>
18:46 < krzee> !welcome
18:46 < vpnHelper> krzee: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:46  * krzee points at topic
18:46 < krzee> ;]
18:46 < Bushmills> not trampled over by myriads of myxomatosical rabbits? 
18:48 -!- naiad [~kmfdm@s66-183-5-108.bc.hsia.telus.net] has joined ##openvpn
18:49 < rickross> !welcome
18:49 < vpnHelper> rickross: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:49 < naiad> im sure this is a common question.  linux machine at home running openvpn, i can vpn in fine, i can ping the vpn subnet, 10.5.0.0 and i can ping the vpn server on 192.168.0.2 but i cannot ping anything else on 192.168.* 
18:49 -!- teddymills [~teddy@208.92.235.227] has quit [Quit: Ex-Chat]
18:49 < Bushmills> did you at least run into a kangaroo, which was attracted by the warm car lanes? 
18:51 < Bushmills> naiad: yes, it is
18:51 < rickross> is there a !command for getting info about which ciphers work the cpu the hardest?
18:52 < krzee> neg
18:52 < krzee> thats actually an openssl question tho, for your googling
18:52 < Bushmills> naiad: actually, it would be, had that been a quesstion
18:53 < rickross> now that we have a tun link working, would you guys recommend figuring out how to switch it to tap?
18:53 < Bushmills> rickross: no
18:54 < naiad> Bushmills, can you point me to some documentation on that issue?
18:54 < Bushmills> naiad: yes.  /topic
18:54 < krzee> !tunortap
18:54 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
18:54 < vpnHelper> krzee: against you over the vpn
18:54 < Bushmills> naiad: actually, better:
18:54 < Bushmills> !route
18:54 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:55 < rickross> krzee, thx - it sounds like tun will do the job nicely for hiding my voip traffic from the snooping ISP (who was apparently capping voip traffic for some reason)
18:56 < rickross> we just need phones to be able to communicate with an asterisk server on the other end of the tunnel - it appears to be working well
18:56 < Bushmills> rickross: it will. but hide your dns request too
18:57 < rickross> hmm, the lan's normal clip IP traffic is not going over the tunnel, just the voip stuff - I don't understand how dns fits in?
18:58 < rickross> we seem to be getting dns on the lan from our ordinary dns servers
18:58 < Bushmills> nosy providers often use customer dns queries for being nosy
18:58 < rickross> but the phones have registered with a sip server at the other side of the tunnel
18:58 < rickross> Bushmills, ahhh, I see
18:59 < Bushmills> well, if those ordinary dns servers are yours, and queried over vpn, you're clean
18:59 < rickross> we;;, it'll probably come to that, but at least now we can have more than 2 simultaneous sip calls happening
19:00 < rickross> we tested 10, and it was flawless, but before the OpenVPN tunnel, the third would bring our connection to its knees
19:00 < rickross> we have adequate upstream bandwidth (2 mbps) but we were crapping out at around 300 kbps of voip upstream
19:00 < rickross> now we can run it up to the max
19:01 < rickross> thank you, Time-Warner!
19:07 < rickross> anyway, thank you guys (sincerely) for the insights
19:07 < rickross> cya later
19:07 -!- rickross [~rickross@supporter/active/rickross] has quit [Quit: rickross]
19:22 -!- teddymills [~teddy@208.92.235.227] has joined ##openvpn
19:31 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
19:38 -!- ksnp [~ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
19:39 < ksnp> i am trying to compile openvpn on windows using mingw and it complains about not finding the openssl dir and the pkcs11-helper dir. i am using the batch file for compilation that is in ms/mingw32.bat. Any suggestions ?
19:39 -!- naiad [~kmfdm@s66-183-5-108.bc.hsia.telus.net] has quit [Quit: Leaving]
21:09 -!- teddymills [~teddy@208.92.235.227] has quit [Remote host closed the connection]
21:20 -!- ksnp [~ksnp@71-6-65-18.static-ip.telepacific.net] has quit [Ping timeout: 240 seconds]
21:39 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
21:41 -!- teddymills [~teddy@208.92.235.227] has joined ##openvpn
22:22 -!- ksnp [~ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
22:28 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
22:33 -!- dxtr [dexter@unaffiliated/dxtr] has quit [Ping timeout: 246 seconds]
22:36 -!- dxtr [dexter@dxtr.cc] has joined ##openvpn
22:36 -!- dxtr [dexter@dxtr.cc] has quit [Changing host]
22:36 -!- dxtr [dexter@unaffiliated/dxtr] has joined ##openvpn
23:21 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Ping timeout: 264 seconds]
23:54 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has quit [Remote host closed the connection]
--- Day changed Tue Mar 02 2010
00:06 -!- ksnp [~ksnp@71-6-65-18.static-ip.telepacific.net] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Nine out of ten l33t h4x0rz prefer it]
00:18 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
00:57 < jeffl> is it possible load balance incoming openvpn connections?
01:31 -!- DJ_HaMsTa [~tocmo0nlo@unaffiliated/dj-hamsta/x-2342346] has joined ##openvpn
01:32 < DJ_HaMsTa> is root an ok group to run openvpn in ?
01:49 < reiffert> user nobody
01:49 < reiffert> group nogroup
02:13 < |Mike|> DJ_HaMsTa: lol.
02:14 < DJ_HaMsTa> eh
02:54 -!- Liquido [~Liquidoz@213.197.141.162] has joined ##openvpn
02:54 < Liquido> hello
02:55 < Liquido> when I connect from linux, I see that DNS is not updated but with connecting from win32/64 everything is fine
02:56 < Liquido> when I add remote dns to resolv.conf , everything is fine
02:56 < Liquido> I bet its not a bug 
02:58 < reiffert> It's how distributors handle things. E.g. regarding debian there is /etc/openvpn/update-resolv-conf
02:59 < reiffert> and /usr/share/doc/openvpn/README.Debian.gz explaining how to use it.
03:00 < reiffert> Liquido: your SuSE might handle it in a different way.
03:02 < DJ_HaMsTa> https://help.ubuntu.com/community/VPNServer#Configuring OpenVPN i am following this tutorial, where it says /etc/openvpn/office.up should be executable and contain:
03:02 < vpnHelper> Title: VPNServer - Community Ubuntu Documentation (at help.ubuntu.com)
03:02 < DJ_HaMsTa> how do i make it executable ?
03:02 < DJ_HaMsTa> do i just paste the information into "/etc/openvpn/office.up" ?
03:04 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
03:04 -!- mode/##openvpn [+o mattock] by ChanServ
03:22 -!- dazo_afk is now known as dazo
03:33 -!- alexf [~IceChat7@CPE000f3d516e67-CM001cea874bae.cpe.net.cable.rogers.com] has quit [Quit: When the chips are down, well, the buffalo is empty]
03:36 -!- Liquido [~Liquidoz@213.197.141.162] has quit [Ping timeout: 260 seconds]
03:38 -!- Liquido [~Liquidoz@213.197.141.162] has joined ##openvpn
03:47 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
03:48 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 260 seconds]
04:04 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
04:04 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
04:04 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
04:05 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
04:12 -!- janjust [~janjust@ardeche.nikhef.nl] has joined ##openvpn
04:13 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
04:13 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
04:21 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
04:22 < Liquido> reiffert: i have /etc/resolv.conf
04:22 < Liquido> and I see my DNS servers there, but after I connect to my remote location with openvpn
04:22 < Liquido> I see same list, without other DNS servers
04:22 < Liquido> so I have to add them manually there each time
04:47 -!- Blues-Man [~bluesman@95.235.112.202] has joined ##openvpn
04:52 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 252 seconds]
04:53 < dazo> Liquido:  you need to have a relsov.conf updater script to make that work on Linux/OSX/*BSD
04:54 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
04:55 < dazo> Liquido:  and old article, possibly a bit outdated, but it grasps the context:  http://www.phocean.net/2006/12/07/openvpn-and-dns-on-a-linux-client.html 
04:55 < vpnHelper> Title: Phocean.net » OpenVPN and DNS on a linux client (at www.phocean.net)
05:01 < janjust> Liquido: also, remember that /etc/resolv.conf does not enable split level DNS, that is, you can add as many dns servers as you like, but if the first one return 'not found' it will not proceed to the next one
05:03 < jmm> janjust: you can change /etc/nsswitch.conf to try on the next one.
05:05 < janjust> ah right jmm, forgot about that one ... now if that would work on windows as well ;-)
05:05 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Read error: Operation timed out]
05:06 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
05:06 < jmm> hehe :)
05:19 < Liquido> janjust,dazo thanks
05:19 < dazo> np!
05:20 < dazo> janjust:  you know, you have two kinds of OSes .... those who are real OSes .... those who want to be a real OS .... only real OSes can do such things like that ;-)
05:21 < janjust> hehe dazo ;-)  it's just that I remembered a discussion on openvpn-users about split-level DNS ....
05:21 < dazo> yeah :)
05:22 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Read error: Connection reset by peer]
05:25 < dazo> janjust:  when you go through those bugs ... those which needs attention, please try to find a clever way to "tag" them as something we need to look at 
05:25  * dazo heads out for lunch
05:25 < janjust> ok dazo, enjoy
05:25 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
05:51 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
05:55 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:01 -!- Blues-Man [~bluesman@95.235.112.202] has quit [Quit: Sto andando via]
06:25 -!- zheng [~zheng@114.92.140.81] has joined ##openvpn
06:30 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Read error: Operation timed out]
06:33 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
06:38 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 245 seconds]
06:47 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
06:47 -!- mode/##openvpn [+o mattock] by ChanServ
06:51 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
07:04 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
07:04 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
07:23 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
07:26 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:26 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
07:39 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Read error: No route to host]
07:40 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
07:46 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
08:12 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
08:13 -!- zheng [~zheng@114.92.140.81] has quit [Quit: Leaving]
08:31 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
08:50 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
08:50 -!- mode/##openvpn [+o mattock] by ChanServ
08:55 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
08:59 < cybertron> perhaps anyone could help I got an dd-wrt router running and I ask myself why eth0/1 doesnt have any ip addresses? but br0 have my routers local ip
09:00 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
09:01 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
09:09 < ecrist> cybertron: that's a dd-wrt question
09:24 -!- Liquido_ [~Liquidoz@213.197.141.162] has joined ##openvpn
09:24 < cybertron> ecrist: got the answer i think :)
09:24 < cybertron> but another perhaps u can anser
09:25 < cybertron> i got 2 tun0 routings in my table 
09:25 < cybertron> 10.1.1.2 and 10.1.1.0 but why?
09:25 < cybertron> i set as vpn tunnel 10.1.1.0
09:25 < ecrist> !/30
09:25 < vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
09:26 -!- Liquido [~Liquidoz@213.197.141.162] has quit [Read error: Operation timed out]
09:26 < cybertron> ecrist: so one tun is the server tun and the secon ist the client network u mean?
09:27 < ecrist> it's just how point-to-point routing works.
09:27 < cybertron> o
09:27 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Quit: ZNC - http://znc.sourceforge.net]
09:28 < cybertron> k
09:28 < cybertron> ecrist: could u explain me what 10.1.1.2 exact mean in my content?
09:31 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
09:35 < cybertron> ecrist: http://pastebin.com/YyFqYCf7 
09:37 < cybertron> iam wondering why my openvpn server got 2 tun0 with 2 diffenrent ips?
09:38 -!- mmcgrath [~mmcgrath@mmcgrath.net] has left ##openvpn []
09:39 < theDoc> Hum, radius.
09:39 < theDoc> It's a tough one to learn.
09:40 -!- janjust [~janjust@ardeche.nikhef.nl] has quit [Quit: Leaving]
09:49 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 248 seconds]
09:53 -!- in^ [in^@unaffiliated/in/x-7550183] has joined ##openvpn
09:54 < in^> can OpenVPN GUI be used to access an OpenVPN Access Server?
09:55 < ecrist> we don't support Access Server here.
09:55 < in^> k
10:03 -!- in^ [in^@unaffiliated/in/x-7550183] has quit [Ping timeout: 265 seconds]
10:09 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
10:13 -!- Phina [~pkemmerli@209-234-189-154.static.twtelecom.net] has joined ##openvpn
10:19 -!- Liquido_ [~Liquidoz@213.197.141.162] has quit [Quit: Lost terminal]
11:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:31 -!- goog1jh [googijh@my.barbie.wears.no-panties.org] has quit [Read error: Operation timed out]
11:31 -!- goog1jh [googijh@my.barbie.wears.no-panties.org] has joined ##openvpn
11:36 < hacim> cron2: hey a couple days ago you suggested I set "keepalive 10 60" in my configs, to make openvpn restart if the connectivity between the client and server breaks. i tried setting that, but it doesn't seem to solve my problem
11:36 < hacim> cron2: i tink the issue is that from openvpn's point of view, it doesn't think that the connection has dropped
11:37 -!- vegarn [~chatzilla@172.213.251.212.customer.cdi.no] has joined ##openvpn
11:37 < vegarn> Hi, I have set up openvpn on two machines using the simple static mini howto
11:37 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
11:38 < vegarn> The problem is, the side which acts as the server can not ping the vpn IP of the side acting as the client 
11:39 < vegarn> however, the client can ping the server using both the vpn IP and the private IP of the server
11:39 < vegarn> so communication only works from client subnet to server subnet but not vice versa (although the responses apparently work fine)
11:42 < vegarn> this is my config: http://pastebin.com/qV8Y9Sa8
11:43 < vegarn> as you can see, the client is on a 10.0.0.x subnet, and the server is on a 192.68.0.x subnet...
11:44 -!- ahf [ahf@irssi/staff/ahf] has joined ##openvpn
11:44 < ahf> !welcome
11:45 < vpnHelper> ahf: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:46 < ahf> Hi. Perhaps I'm doing this incorrectly, but is it possibly to get the username in the connect-script? My current setup authenticates users via an auth script, but I would like to be able to see the username in the connect and disconnect script as well.
11:52 < vegarn> This is really puzzling. The two subnets seem to be joined correctly. The desktop machines can ping eachother and use eachothers services just fine.
11:52 < vegarn> Its just the vpn server which has problems reaching the client subnet
11:57 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
11:57 -!- dazo is now known as dazo_afk
12:01 -!- Argafal [argafal@users.tokkee.org] has quit [Ping timeout: 276 seconds]
12:01 < gorkhaan> Hi! May I ask futher informations about a parameter: "--port-share host port"  any experiences, any other stuff what I should configure? For example Apache2 HTTPS port sharing. thx
12:05 < gorkhaan> anyone? :)
12:17 -!- Argafal [~argafal@users.tokkee.org] has joined ##openvpn
12:29 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
12:31 -!- Argafal [~argafal@users.tokkee.org] has quit [Ping timeout: 276 seconds]
12:39 < cybertron> if i use 2 routers in my network first is for internet connection 2nd for vpn, is it better to change the 2nd into "router" or should it also work as "gateway" device?
12:41 -!- Argafal [argafal@users.tokkee.org] has joined ##openvpn
12:44 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
13:12 < Bushmills> gorkhaan: what it is meant to do is: openvpn passed those packets which it doesn't recognise as its own to the other program which was bound to the same port
13:13 < Bushmills> i have no first hand experience with it, so you might just as well simply try it out
13:20 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 246 seconds]
13:28 -!- SkyX [~SkyB0x@212.235.177.25] has joined ##openvpn
13:28 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
13:34 -!- vegarn [~chatzilla@172.213.251.212.customer.cdi.no] has quit [Read error: Connection reset by peer]
13:43 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
13:43 < cybertron> hm any Idea why I cant reach my vpn with local client? so I reach ext. with my vpn client the vpn server but dont reach the vpn server from the internal client 
13:47 -!- le0 [~tehle0@unaffiliated/le0] has quit [Client Quit]
13:50 < Bushmills> cybertron: because of your routing
13:54 < cybertron> Bushmills: yes but have no idea what is wrong :/
13:55 < Bushmills> cybertron: mtr/traceroute,  tshark/tcpdump are good diagnostics in those situatins
13:56 < cybertron> http://de.pastebin.ca/1819777 routing table of vpn router
13:57 < cybertron> http://i48.tinypic.com/x51bae.gif network
13:57 < Bushmills> what destination do you try to reach over vpn?
13:58 < cybertron> from ext. 192.168.1.0
13:58 < cybertron> so roadwarrior got 10.1.1.6 vpn ip and pings int. lan 192.168.1.101 for example
14:00 < cybertron> so the RW reach vpn server10.1.1.1 and the vpn server lan ip 192.168.1.3 
14:00 < cybertron> that works
14:00 < Bushmills> did you check out:
14:00 < Bushmills> !route
14:00 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:01 < cybertron> yes some days ago but i did
14:02 < cybertron> Bushmills: it all worked fine as i only use 2 clients 
14:02 < cybertron> one rw and one client directly connected via lan
14:03 < Bushmills> well, traceroute it. mtr it.
14:03 < cybertron> but as I add the complete lan to the vpn router it broke
14:03 < cybertron> tracert goes to the isp dns and failed then
14:04 < cybertron> so the ping goes out to the internet and dont stops at the router
14:04 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
14:05 < cybertron> damit
14:05 < cybertron> the old gateway was it lol
14:05 < cybertron> the old internet gw was set not the new to the vpn router now it works\p/
14:06 < cybertron> holy...
14:07 < cybertron> another question is there any chance to geht dns working? 
14:07 < cybertron> geht=get
14:08 < Bushmills> my fav solution is to run a local recursive dns
14:08 < Bushmills> the next in line is an uplink dns on vpn server
14:08 < cybertron> hm u mean the router to config with the internal dns?
14:09 < Bushmills> you can push dhpc-option dns to road warriors, and let an --up script take care of patching their resolv.conf (if xoid), or it should work directly with w*dows 
14:10 < Bushmills> no need to let any provider know what they're resolving.
14:10 < cybertron> no no i mean 
14:10 < cybertron> I have an win server with DC
14:11 < cybertron> and could it work if i relay it with the router?
14:12 < Bushmills> if you have a recursive dns, which can be reached, it should
14:12 < Bushmills> may need to permit recursion to vpn net
14:12 < cybertron> what u mean with recursive?
14:12 < Bushmills> recursive dns
14:13 < cybertron> is a Win DC an recursive dns? ;)
14:13 < Bushmills> http://en.wikipedia.org/wiki/Domain_Name_System#Recursive_and_caching_name_server
14:13 < vpnHelper> Title: Domain Name System - Wikipedia, the free encyclopedia (at en.wikipedia.org)
14:14 < cybertron> ah k 
14:50 -!- zagabar [~zagabar@109.225.68.246] has joined ##openvpn
14:50 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:51 < zagabar> When I downloaded openvpn and install it with ./configure, make and make install, where does the binary and stuff go? 
14:51 < zagabar> I can't start it by typing "openvpn"
14:55 < Bushmills> zagabar: you might want to configure server and clients first
14:56 < Bushmills> you *do* have both server and client(s), right?
15:09 -!- Blu3 [~David@BlueLabs/Blu3] has joined ##openvpn
15:10 < Blu3> does anyone have a sample setup of multiple masters for a vpn?
15:11 < Bushmills> multiple servers?  round robin?  just specify multiple  server lines  in client config
15:11 < Blu3> how do the two masters talk to each other?  (geographically and logically disparate)
15:11 < Blu3> do i need a backchannel vpn?
15:14 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
15:20 < Bushmills> you don't
15:20 < Bushmills> one can be client and server at  the same time
15:21 < Bushmills> client can talk to other servers
15:21 < Bushmills> and remote clients can talk to server on that machine
15:22 < Blu3> ok
15:23 < Bushmills> "at the same time" means, running openvpn twice. once as client, once as server
15:23 < Blu3> using the same tap dev?
15:23 < Bushmills> binding to different ports
15:23 < Blu3> right
15:23 < Bushmills> no
15:23 < Blu3> ok
15:24 < Bushmills> !tunortap
15:24 < vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
15:24 < vpnHelper> Bushmills: against you over the vpn
15:24 < Blu3> we do ipv6 and other so tap is appropriate
15:28 -!- Argafal [argafal@users.tokkee.org] has quit [Remote host closed the connection]
15:31 -!- Phina [~pkemmerli@209-234-189-154.static.twtelecom.net] has left ##openvpn []
15:43 -!- SkyX [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
15:46 < zagabar> Bushmills: I removed it and installed from the ubuntu repositories instead. ^^
15:47 < zagabar> I get another error though when trying to start it with my config file:
15:47 < zagabar> Options error: Unrecognized option or missing parameter(s) in openvpn.conf:243: comp-lzo (2.1.1)
15:47 < Bushmills> have you configured both client and server?
15:48 < Bushmills> " mode may be  "yes",  "no",  or  "adaptive""
15:48 < zagabar> Yes.
15:50 < zagabar> I have made my config file, I have built certificates for clients and the server. This problem arises when trying to boot up openvpn
15:50 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
15:59 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has quit [Ping timeout: 630 seconds]
16:05 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has joined ##openvpn
16:12 -!- ksnp [~ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
16:13 < ksnp> i am trying to compile openvpn on windows using mingw and it complains about not finding the openssl dir and the pkcs11-helper dir. i am using the batch file for compilation that is in ms/mingw32.bat. Any suggestions ?
16:16 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
16:28 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
16:42 -!- ksnp [~ksnp@71-6-65-18.static-ip.telepacific.net] has quit [Ping timeout: 240 seconds]
17:53 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
18:19 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
18:55 -!- coil [platypus@unaffiliated/coil] has joined ##openvpn
18:55 < coil> !welcome
18:55 < vpnHelper> coil: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:56 < coil> !howto
18:56 < vpnHelper> coil: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
19:10 < coil> !goal
19:10 < vpnHelper> coil: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:10 < coil> !logs
19:10 < vpnHelper> coil: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
19:13 < coil> http://ztecwiz.pastebin.com/6YkrU0z0
19:26 < coil> nm that
20:13 < ecrist> sup, bitches?
20:20 < coil> nat works, dns doesn't
20:24 < Bushmills> local recursive dns, doesn't care whether default route is through provider or vpn
20:25 -!- tjz [~pc@bb121-7-95-243.singnet.com.sg] has joined ##openvpn
20:25 -!- tjz [~pc@bb121-7-95-243.singnet.com.sg] has quit [Changing host]
20:25 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:44 -!- ksnp [~ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
20:51 < coil> ok i got it all working
20:51 < coil> but
20:51 < coil> im blocking irc on my firewall but i can still get on irc throug hthe vpn
20:54 < Bushmills> is firewall machine same as vpn server or client, or does firewall only see the encrypted vpn traffic?
20:55 < coil> the firewall is on the vpn server
20:55 < coil> pf
20:55 < Bushmills> in that case should you be able to block irc traffic
20:55 -!- teddymills [~teddy@208.92.235.227] has quit [Quit: Ex-Chat]
20:55 < coil> hmm ok
20:56 < coil> then i guess i misconfigured it
20:56 < Bushmills> correction.. "block irc traffic to those servers with ports known"
20:57 < coil> ya i have a list of irc ports most commonly used
20:58 < Bushmills> if some unknown (to you) irc server offers service on port 17392, there's little you can do, except active filtering, to prevent client from connecting 
21:00 < coil> ahh ok
21:09 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
22:38 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
22:39 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
22:58 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:03 < vpnHelper> New forum entry openvpnforum: Configuration :: Re: Preventing windows from connecting to internet without VPN :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=6&t=2920&p=3622#p3622>
23:16 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
23:18 -!- DJ_HaMsTa [~tocmo0nlo@unaffiliated/dj-hamsta/x-2342346] has quit [Quit: Ex-Chat]
23:37 -!- corretico [~laguilar@201.201.46.106] has quit [Quit: Leaving]
23:52 < ksnp> i am trying to compile openvpn on windows using mingw and it complains about not finding the openssl dir and the pkcs11-helper dir. i am using the batch file for compilation that is in ms/mingw32.bat. Any suggestions ?
--- Day changed Wed Mar 03 2010
00:04 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
00:04 -!- ksnp [~ksnp@71-6-65-18.static-ip.telepacific.net] has quit [Ping timeout: 245 seconds]
00:05 < krzee> none from me, never compiled it in windows
00:14 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
00:20 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
00:20 -!- mode/##openvpn [+o mattock] by ChanServ
00:42 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 245 seconds]
01:49 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
02:02 -!- hackeron [~hackeron@gentoo/user/hackeron] has quit [Read error: Connection reset by peer]
02:44 -!- dazo_afk is now known as dazo
03:03 -!- mattock1 [~samuli@sparknet-agw0.abo.fi] has joined ##openvpn
03:03 -!- mode/##openvpn [+o mattock1] by ChanServ
03:06 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
03:11 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
03:11 -!- mode/##openvpn [+o mattock] by ChanServ
03:13 -!- mattock1 [~samuli@sparknet-agw0.abo.fi] has quit [Ping timeout: 256 seconds]
03:17 -!- Zordrak_ is now known as Zordrak
03:27 -!- roam [~rk@reiko.vzsze.de] has joined ##openvpn
03:28 < roam> where's the best place to put the NAT-Firewall rule on a linux system. I don't like to install an extra firewall software.
03:55 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
03:58 < cron2> this very much depends on the linux distribution in question - every distribution puts firewall rule sets somewhere else, unfortunately
03:58 < gorkhaan> Hi! Yesterday I asked about "--port-share"  option. I added this to my configuration,  port-share <ip addr> 443    and now apache says the port is already taken. How will openvpn Proxy the traffic to Apache2? Any ideas would be appreciated.
03:58 < cron2> roam: and even on, say, debian, there is multiple possible ways
04:01 < gorkhaan> oh, I misunderstood the manual. a mom
04:04 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Read error: Connection reset by peer]
04:17 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
04:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
04:35 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
04:43 < cybertron> hi, I got a problem with my win shares from inside lan to the roadwarrior
04:44 < cybertron> I cant connect to my roadwarrior shares 
04:45 < cybertron> could it be the problem of the RW Lan network? VPN is 10.1.1.0 and lan 192.168.1.0 und the rw lan is also 192.168.1.0 and vpn 10.1.1.6
04:45 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
04:45 < krzee> are you trying to access the lan behind either of them?
04:46 < cybertron> no I only try to connect to rw's VPN IP 
04:46 < krzee> then that is no problem
04:46 < krzee> check that windows firewall is not active on tap adapter
04:47 < cybertron> win fw is completely deactivated
04:47 < krzee> maybe something like an av firewall or other?
04:48 < krzee> can you ping eachother?
04:48 < cybertron> yes and I can reach the internal lan share
04:49 < krzee> oh you are bridging?
04:49 < cybertron> no routing
04:49 < krzee> routing sharing lans with exact same subnets?
04:49 < krzee> cause that wont work
04:50 < cybertron> yes I think thats the problem 
04:50 < cybertron> so thats why I ask and the beginning
04:50 < krzee> [02:45]  <krzee> are you trying to access the lan behind either of them?
04:50 < cybertron> and=at
04:50 < krzee> [02:46]  <cybertron> no I only try to connect to rw's VPN IP 
04:50 < cybertron> yes 
04:50 < cybertron> but 
04:50 < cybertron> the other way
04:50 < krzee> thats why i asked that
04:50 < cybertron> I try to connect the internal lan 
04:51 < krzee> not you say you want to access ones lan over the vpn
04:51 < sno> hi, is it possible to redirect web traffic through a vpn that is setup to only accept traffic for the routes destined through the vpn? without changing server side :)
04:51 < krzee> sno, run a web proxy or socks
04:51 < cybertron> krzee: we start again ok? :) 
04:52 < sno> im off site and some sites require js = X based browser :(
04:52 < krzee> sno, if you require vpn, run the web proxy or socks inside the vpn ;]
04:52 < krzee> ok yes its possible
04:52 < krzee> only push routes for what you want to go over the vpn
04:52 < krzee> !push
04:52 < vpnHelper> krzee: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
04:53 < cybertron> rw lan 192.168.1.0 vpn ip 10.1.1.6 -> vpn server net 10.1.1.0 client on lan side of the vpn 192.168.1.101 and I try to reach BOTH shares on rw side with vpn ip on the other side with lan ip
04:53 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
04:53 < krzee> !!redirect
04:53 < vpnHelper> krzee: Error: "!redirect" is not a valid command.
04:53 < krzee> !redirect
04:53 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
04:53 < gorkhaan> re again.  --port-share works great. :)
04:53 < krzee> sno, follow that except no !def1, use push routes instead for what you want routed over the vpn
04:53 < krzee> !pushlimit
04:53 < vpnHelper> krzee: "pushlimit" is This is a limitation of OpenVPN: the push block cannot exceed a maximum of about 1 KB
04:53 < sno> yea i understand changing server side krzee , was wondering it client can somehow use trickery to get around server conf, will look at socks thanks :)
04:54 < krzee> dont need to push the route
04:54 < krzee> client config can do it too
04:54 < krzee> just put it in the client config
04:54 < sno> oh i see!
04:54 < krzee> however, your server must be NAT'ing
04:54 < sno> yes it is, great thanks :)
04:54 < krzee> otherwise packets go to the inet with your vpn ip as source and cant return
04:54 < cybertron> krzee: u understan dme?
04:55 < krzee> prolly get filtered
04:55 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Read error: Operation timed out]
04:55 < krzee> cybertron, can you ping by vpn ip?
04:55 < cybertron> krzee: yes
04:55 < krzee> both ways?
04:55 < cybertron> rw vpnip -> lan 192.168.1.101 and 192.168.1.101->10.1.1.6 works both
04:55 < krzee> ignore lan ips
04:56 < krzee> you arent talking about routing the entire lan over the vpn, they dont matter
04:56 < cybertron> krzee: but my internal Lan dont have vpn ip? It ends at the vpn router
04:56 < krzee> !configs
04:56 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
04:56 < cybertron> k i post moment
04:58 < cybertron> krzee: http://pastebin.com/tiBZ2ziA server
04:59 < cybertron> http://pastebin.com/8pdMLGmy client
05:00 < cybertron> I'll tried now 2 roadwarriors one with dsl connection and router and one without router only umts the umts client works fine also with shares on both sides 
05:00 < roam> cron2: I know, I would prefer a way that enables NAT, when openvpn is startet (and stops it, when openvpn is stopped). 
05:00 < krzee> !samesubnet
05:00 < vpnHelper> krzee: "samesubnet" is clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
05:00 < cybertron> only the other one not
05:01 < roam> cron2: and I'm using debian :)
05:01 < cybertron> krzee: so its realy same subnet problem?
05:01 < krzee> i dont know how your client even has network access right not
05:01 < krzee> now
05:01 < krzee> it shouldnt be able to access its lan
05:02 < cybertron> i can access with one the lan yes ping even win share
05:03 < krzee> roam: see --up and --down
05:03 < vpnHelper> New forum entry openvpnforum: Scripting and Customizations :: Re: OpenVPN and (Free)Radius :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=15&t=3130&p=3629#p3629>
05:05 < cybertron> krzee: so you dont have a real idea for my problem?
05:05 < krzee> i garuntee what i said is a problem
05:05 < krzee> fix it and see what happens
05:09 < cybertron> krzee: the samesubnet?
05:09 < krzee> lol
05:09 < cybertron> sorry :/
05:10 < cybertron> krzee: dont know what u mean else
05:10 < roam> krzee: that will do, tnx
05:12 < cybertron> krzee: please what is problem u think? I just find subnet problem
05:12 < krzee> mattock, openvpn.net/man-beta#lbAP and others still dont work
05:12 < krzee> cybertron, FIX IT!
05:13 < krzee> how many problems do you need before you go fix them? 1 should be enough
05:13 < krzee> hehe
05:13 < cybertron> krzee: args I dont understand WHAT I have to fix 
05:13 < cybertron> if I dont know what is wrong
05:13 < krzee> change a lan's subnet!
05:13 < cybertron> thats what i ask some minutes ago...ok I'll do
05:19 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:20 < cron2> roam: in that case, write your own script and put it into /etc/openvpn/, and then have openvpn call it via "up" and "down" scripts...
05:20 < cron2> krzee: regarding !pushlimit... I think this is no longer true with 2.1, $THEY have added an extention-block mechanism
05:21 < krzee> ooo cool
05:21 < krzee> !forget pushlimit
05:21 < vpnHelper> krzee: Error: You don't have the factoids.forget capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
05:22 < cybertron> krzee:  doenst workrks changed the Lan to 192.168.3.0 and 1.0 
05:22 < krzee> !forget pushlimit
05:22 < vpnHelper> krzee: Joo got it.
05:23 < cron2> krzee: ah, there it is, in the ChangeLog for 2.1_rc20
05:23 < cron2> * Eliminated the limitation on the number of options that can be pushed
05:23 < cron2>   to clients, including routes.  Previously, all pushed options needed
05:23 < cron2>   to fit within a 1024 byte options string.
05:23 < krzee> gorkhaan, awesome, glad to hear it and interested in hearing how it works for you, care to toss something on the forum bragging rights section?
05:23 < cron2> (I've discovered in the code when adding pushing of ifconfig-ipv6 :) )
05:24 < krzee> cool thanx for sharing!
05:25 < gorkhaan> krzee, okay. :)  It's great.  --port-share <ip> 3128   in the vpnserver config, then I had to change apache2 config to https --> 3128 port. 
05:25 < gorkhaan> that's it. 
05:25 < cybertron> :/
05:26 < gorkhaan> krzee, That forum section is about to share, how my networks are working? :)
05:29 < gorkhaan> yeah, I'll share it. :)
05:46 < cybertron> krzee: another idea?
05:47 -!- zero-_ [~zero@noc.toile-libre.net] has quit [Read error: Connection reset by peer]
05:47 -!- zero-_ [~zero@195.88.84.100] has joined ##openvpn
06:04 -!- vegarn [~chatzilla@172.213.251.212.customer.cdi.no] has joined ##openvpn
06:07 < vegarn> Hi, I have set up openvpn on two machines in different private subnets
06:08 < vegarn> the subnets are 192.168.x.0/24 and 10.0.z.0/24
06:08 < vegarn> the tunnel is set up successfully and the clients on the subnets are able to connect to eachother and everything seems to be working properly
06:09 < vegarn> however, the openvpn server on the 192 subnet is not able to ping any of the machines on the 10.0 subnet.. 
06:10 < vegarn> so the tunneling and routing is working just fine as viewed by any of the desktop machines.. but the 192.x.x.x openvpn server itself can not reach the 10.0.x.x subnet
06:10 < hyper_ch> sounds like a routing issue
06:11 < cybertron> krzee: now i took a third RW with umts same sharing problem like my xp rw client, only win7 rw client works how it should 
06:12 < vegarn> ya, but it only affects the server on the 192.x subnet.. while the clients on the 192.x subnet can connect to 10.x clients just fine
06:12 < vegarn> it's plain weird
06:12 < vegarn> I'll try to sum it up in a text file and paste to pastebin
06:12 < cybertron> krzee: so my both umts warriors got the same network config but only one works
06:13 < tjz> krzee, you are back! ^_^
06:13 < krzee> im in australia on vacation
06:14 < hyper_ch> krzee: nice, Australia is fun
06:14 < krzee> hell ya
06:14 < hyper_ch> those 50 weeks I spent there passed way too quickly
06:18 < tjz> niceeeeeee
06:18 < tjz> very nice~!~
06:33 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
06:34 < cybertron> damit -.-
06:38 < vegarn> I summed up my openvpn problem: http://pastebin.com/eQi44DjW
06:38 < vegarn> All clients in network B can reach all clients in network A and vice-versa through the OpenVPN route. However, OpenVPN A server machine can not reach any machines(even the server) in B network.
06:39 < krzee> the difference is his source ip is vpn subnet, the rest of his lan is not
06:40 < gorkhaan> krzee,  I posted my stuff to the forum, pls moderate it, I'd like to edit it futher.
06:47 < krzee> done
06:48 < vegarn> hyper_ch: I included the routing table.. does it seem correct?
06:49 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:49 < krzee> gorkhaan, a note, md5 is rather breakable
06:49 < krzee> gpu rainbow tables and the like
06:50 < gorkhaan> krzee,  I see, so what should I use insted of md5? :)
06:50 < krzee> blowfish is good
06:51 < krzee> sha-1 has slight shortcuts and some tables, but is stronger than md5
06:51 < krzee> aes is good
06:53 < gorkhaan> mysql   can use then? That was my original problem. 
06:53 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
06:54 < krzee> can you salt?
06:56 < krzee> hey it does support AES
06:56 < krzee> Since the exploits for MD5 and SHA1, especially in the form of dictionary attacks, are out there, using them may not provide us the level of encryption and protection we desire. Fortunately, MySQL offers 
06:56 < krzee> AES
06:57 < krzee> http://mysqldatabaseadministration.blogspot.com/2006/08/storing-passwords-in-mysql.html
06:57 < vpnHelper> Title: MySQL Blog:: Storing Passwords in MySQL (at mysqldatabaseadministration.blogspot.com)
06:58 < krzee> According to MySQL AES functions (AES_ENCRYPT() and AES_DECRYPT()) were added in MySQL 4.0.2 and are currently the most cryptographically secure encryption functions in MySQL.
07:00 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
07:00 -!- upb [cmpxchg@88.80.13.92] has left ##openvpn []
07:04 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
07:04 < vpnHelper> New forum entry openvpnforum: My VPN :: Gorkhaan's Setup ( Wordpress + OpenVPN fun ) :: Author Gorkhaan <http://www.ovpnforum.com/viewtopic.php?f=13&t=3158&p=3632#p3632>
07:04 < gorkhaan> Thanks krzee  I'll look into it. :)
07:04 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 245 seconds]
07:04 < krzee> np, thx for sharing info on the setup
07:08 < krzee> vegarn, 
07:08 < krzee> have you read all of:
07:08 < krzee> !route
07:08 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:08 < vegarn> yes krzee
07:09 < krzee> so the router for each lan being shared has routes for the other lan through local vpn endpoint
07:09 < krzee> but does it also have one for the vpn subnet?
07:11 < vegarn> yes it has a target route
07:11 < vegarn> it's all in the paste
07:11 < vegarn> routing tables of both machines are there
07:12 < vegarn> i'm suspecting that the routes are fine, but openvpn itself doesn't route it.. if you know what i mean.. so I looked up the iroute statement, but i don't think it applies in this scenario
07:12 < vegarn> since there is no common name in simple symmetric key
07:13 < vegarn> the thing that i'm really confused is.. it routes everything which originates from desktop machines correctly, but when it originates from itself.. it doesn't..
07:13 < vegarn> confused about*
07:15 < krzee> i mean on the routers
07:16 < krzee> you show client and server routing tables
07:18 < krzee> in !route i mean ROUTES TO ADD OUTSIDE OPENVPN
07:18 < roam> cron2: up and down works for my problem, thanks
07:18 < krzee> or possibly somewhere you allowed the other lan subnet in a firewall but did not allow the vpn subnet
07:22 < vegarn> krzee: I don't have a firewall
07:22 < krzee> and the other part?
07:28 < vegarn> I have routes for the vpn target, as well as the other subnet in both machines
07:29 < krzee> ROUTERS NOT MACHINES!
07:30 < vegarn> in both routers
07:31 < krzee> so each router has 2 routes in it for the vpn, you just double checked that?
07:54 < vegarn> I think I found the error..
07:54 < vegarn> if you notice on ROUTER B
07:55 < vegarn> in the routing table, there's an as0t0 interface
07:55 < vegarn> downing it makes everything dandy
07:55 < vegarn> it gets brought up when starting openvpn though... what is it for?
07:58 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Quit: Távozom]
08:00 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
08:01 -!- Rienzilla [rien@sinas.rename-it.nl] has left ##openvpn []
08:04 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
08:05 < vegarn> krzee: any thoughts?
08:12 -!- AdamDV [~adamdv@unaffiliated/tuxice] has joined ##openvpn
08:13 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
08:14 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
08:15 < AdamDV> Hello folks, I have a question. I have an OpenVPN server, and a client connected to that VPN. When I access the OpenVPN server, apache and ssh report my IP as being 99.232.197.182, which is my actual IP. I would like it to instead report that my IP is either 10.8.0.10 (The local IP of the machine accessing it), or report the server IP, (72.14.187.223). How can I accomplish this?
08:21 -!- kyrix [~ashley@77.117.145.15.wireless.dyn.drei.com] has joined ##openvpn
08:28 -!- LobbyZ [~default@188.72.255.194] has quit [Ping timeout: 248 seconds]
08:39 < AdamDV> Anybody alive?
08:39 < jmm> I am.
08:40 < jmm> so which url do you use to access that webserveR ? 72.14.187.223 or 10.8.0.x ?
08:41 < jmm> s/url/ip 
08:46 < AdamDV> To access the webserver, I want to use the domain
08:46 < AdamDV> go-techo.com
08:46 < AdamDV> Problem is, when I access the webserver from my client computer
08:46 < AdamDV> Instead of showing My IP as 72.14.187.223 or 10.8.0.x its showing my actual Rogers IP, 99.232.197.182
08:46 < AdamDV> But, only to that server.
08:46 < jmm> go-techo is 72.14.183.223,
08:47 < AdamDV> If I try with another server (which is not in the VPN), it shows 72.14.187.223
08:47 < jmm> so I guess when you type it, you just access it without the vpn.
08:47 < jmm> what does route -n show ?
08:47 < AdamDV> ON client?
08:47 < jmm> yea.
08:47 < AdamDV> http://pastebin.com/KBvSTx4i
08:48 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
08:48 < AdamDV> Heres the problem, for example.
08:48 < AdamDV> WHen I access go-techo.com, the apache log shows this: 99.232.197.182 - - [03/Mar/2010:14:44:52 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 
08:48 < jmm> I see.
08:48 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
08:48 < jmm> let's make a small test.
08:48 < AdamDV> Instead, I would like to accomplish it showing this: 72.14.183.223 - - [03/Mar/2010:14:44:52 +0000] "GET /phpmyadmin/ HTTP/1.1" 200  or 10.8.x - - [03/Mar/2010:14:44:52 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 
08:48 < AdamDV> Small test, no problem :)
08:49 < jmm> just access 10.8.0.x instead of the domain name
08:49 < jmm> and look your ip in the logs.
08:49 < jmm> ( dunno wich is your vpn ip for the webserver ).
08:49 < AdamDV> Yep, that works.
08:49 < jmm> allright.
08:50 < jmm> so now you gotta make a fix I guess.
08:50 < jmm> the easiest is to add the server to /etc/hosts, with the vpn ip.
08:50 < jmm> but it may not be the best solution.
08:50 < AdamDV> How can I make it do that for when people in the VPN access the webserver, but not when the server is accessed publicly.
08:51 < AdamDV> I'll brb.
08:51 < jmm> k.
08:53 -!- havoc [~havoc@saturn.chaillet.net] has joined ##openvpn
08:53 < havoc> morning
08:53 < AdamDV> jmm: Is there a directive I can add to server.conf which will forward go-techo.com requests to 10.8.0.1
08:53 < AdamDV> ?
08:54 < tw> I think the only way to do that easily is to run a caching nameserver on the network of the vpn server and push that nameserver to vpn clients... if you don't have access to the hosts file on each client, otherwise updating hosts is probably easier.
08:54 < tw> s/only way/one way/
08:56 < jmm> others solutions need you either to have a dns server for the vpn, or to add rules on the client's firewall.
08:56 < AdamDV> How can I have a dns server for the VPN?
08:57 < AdamDV> I run a powerdns nameserver.
08:57 -!- AdamDV-Palm [~63e8c5b6@gateway/web/freenode/x-suzkrjqhqzqksrtu] has joined ##openvpn
08:57 < jmm> just like a regular dns, you can push nameservers when a client connect to openvpn.
08:58 < AdamDV-Palm> Okay, that makes sense. How could I set that up?
08:58 < jmm> http://openvpn.net/index.php/open-source/documentation/howto.html#dhcp
08:58 < vpnHelper> Title: HOWTO (at openvpn.net)
08:59 < AdamDV> I have push "dhcp-option DNS 10.8.0.1" in there already.
08:59 < AdamDV> Now I guess I need to set up a bind install to act as a caching nameserver?
09:00 < jmm> yea, don't forget it need to answer 10.8.0.x for go-techo.com .
09:00 < AdamDV-Palm> Alright.
09:00 < jmm> hi havoc .
09:00 < AdamDV-Palm> I'll give it a try, thanks
09:00 < jmm> yw.
09:02 -!- dazo is now known as dazo_afk
09:07 -!- AdamDV-Palm [~63e8c5b6@gateway/web/freenode/x-suzkrjqhqzqksrtu] has quit [Ping timeout: 252 seconds]
09:09 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Quit: Leaving]
09:23 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
09:41 < cybertron> krzee: you wanna know that the real problem was of my share problem? ;)
09:41 -!- zuez [~sf@catalyst.httpd.org] has joined ##openvpn
09:42 < zuez> Had an OpenVPN instance running on a linux box, worked super well... moved it over, same configs to a new box... now all of my ssh connections over the tun* interfaces are super jittery, not blaming OpenVPN obviously, but curious if anyone has ever dealt with a similar issue?
09:46 < cybertron> tha=what
09:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:04 -!- nixfreak [~nixfreak@mn-10k-dhcp1-3174.dsl.hickorytech.net] has joined ##openvpn
10:06 -!- xod [~onats@112.201.158.40] has joined ##openvpn
10:10 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
10:15 -!- vegarn [~chatzilla@172.213.251.212.customer.cdi.no] has quit [Read error: Connection reset by peer]
10:34 -!- kyrix [~ashley@77.117.145.15.wireless.dyn.drei.com] has quit [Ping timeout: 265 seconds]
10:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
11:12 -!- cpm is now known as anti-cpm
11:17 -!- anti-cpm is now known as cpm
11:28 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
11:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:51 -!- dollabill [~mike@97.66.26.10] has quit []
11:51 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:52 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
11:53 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Client Quit]
11:58 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
11:58 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
12:00 -!- dollabill [~mike@97.66.26.10] has quit [Client Quit]
12:01 < jpalmer> I'm trying to assign static IP's to clients.  however, openVPN doesn't seem to like it.  I've uncommented the 'client-config-dir /etc/openvpn/ccd' line,  and in that folder have made a file that matches the CN of the cert.  in that file, I have 'ifconfig-push 10.16.0.11 10.16.0.1' (.11 is the IP I'm trying to set)  is there anything I'm missing?
12:09 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
12:13 -!- coil [platypus@unaffiliated/coil] has left ##openvpn []
12:16 < ecrist> hi, jpalmer 
12:17 < ecrist> are you using topology in your server config
12:20 -!- threexk [~threexk@173-21-231-141.client.mchsi.com] has joined ##openvpn
12:20 < threexk> Hello.  If I download "OpenVPN" is that the client?  Not the server, right?
12:21 < plundra> Both.
12:21 < plundra> You can configure it anyway you want.
12:22 < threexk> Is there a way to get just the client?  I'm not interested in running as a server, and don't want the extra baggage.
12:23 < plundra> No. But really, the binary isn't that big? :-)
12:23 < plundra> Other than that, what baggage are you talking about?
12:27 < threexk> clutter in my UI after installing. Desktop icons and start menu icons for things I don't need.  Files getting put all over my system, persisting after uninstall.  More complexity, more problems, you know
12:27 < threexk> seems strange you can't download just a client.  Suppose I'll back up my system before installing so I can safely try it out
12:28 < plundra> Ah, on Windows I hav no idea, surely you can skip install some parts?
12:28 < plundra> Like the shortcuts etc.
12:28 < threexk> yeah, true, maybe it will have a custom install
12:29 < plundra> You still need the tap-drivers and all.
12:41 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has joined ##openvpn
12:42 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has quit [Client Quit]
12:44 < jpalmer> ecrist: when you say topology, I'm not sure what you are referring to.
12:49 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Remote host closed the connection]
12:49 < ecrist> !configs
12:49 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
12:49 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:50 < ecrist> threexk: OpenVPN isn't that obtrusive
12:50 < ecrist> there is only one binary and a Tun/Tap driver
12:52 < threexk> ecrist: OK
12:54 -!- AdamDV [~adamdv@unaffiliated/tuxice] has quit [Read error: Connection reset by peer]
12:58 < jpalmer> ecrist: http://www.pastebin.ca/1821624   <-- based on those configs,  the client is still obtaining a random IP from the pool
13:01 < ecrist> jpalmer: your ifconfig line doesn't make sense
13:01 < ecrist> !/30
13:01 < vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
13:02 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Ping timeout: 245 seconds]
13:09 -!- jpalmer- [~jeffpalme@static-173-65-43-10.tampfl.fios.verizon.net] has joined ##openvpn
13:10 < jpalmer-> ecrist: As soon as I posted that link,  I lost conenction to my IRC client.  did you have any hints/ideas?
13:10 -!- AdamDV [~adamdv@CPE001cf0f6336b-CM0018c0d8b7e6.cpe.net.cable.rogers.com] has joined ##openvpn
13:11 -!- AdamDV is now known as Guest97303
13:11 < ecrist> !/30
13:11 < vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
13:11 < ecrist> jpalmer-: ^^^
13:11 < ecrist> your ifconfig line isn't correct for a /30
13:12 < jpalmer-> ecrist: ahh.  interesting.  you'd think it'd log that situation.  I'll check that link.  thanks.
13:12 < ecrist> no problem.
13:16 < jpalmer-> ecrist: ok,  from that FAQ, it looks like I need to use the linear pool option.  (I don't have any windows clients)  does that sound fair/reasonable?
13:20 < krzee> !topology
13:20 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
13:21 < krzee> also, for your benefit
13:21 < krzee> !tcp
13:21 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
13:21 < krzee> !ipp
13:21 < vpnHelper> krzee: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
13:26 < jpalmer-> krzee: thanks.  I'll try topology p2p, and remove the entry from the ipp persistent file.
13:27 < jpalmer-> !iporder
13:27 < vpnHelper> jpalmer-: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
13:28 < krzee> lol
13:28 < krzee> topology subnet
13:28 < krzee> p2p is only 2 machines
13:28 -!- BBHoss [~bbhoss@69.171.197.91] has joined ##openvpn
13:29 < BBHoss> would running pluto/openswan interfere with opevpn?
13:29 < krzee> no
13:29 < BBHoss> I am trying to connect to my new server, but it says connection refused
13:29 < BBHoss> and i've verified that the server is running on the correct port with netstat
13:29 < jpalmer-> doh,  I meant subnet.  sorry.  I was reading the article you linked,  and had just went back to look at the options.
13:30 < BBHoss> i was using udp, but switched to tcp so for debugging purposes
13:30 < krzee> firewall, nat, or hmac sigs if used
13:30 < BBHoss> when i nc -l 1194 on the server, it connects, but it wont do that for any other server i've tried
13:31 < BBHoss> the only thing sitting in front of this connection is a linksys router, could that cause issues krzee?
13:32 < jpalmer-> well,  adding topology subnet is getting me IP's lower in the range,  but still not the ones I'm trying to assign.
13:32 < krzee> in front of server or client?
13:32 < krzee> !static
13:32 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
13:32 < BBHoss> krzee: the client
13:33 < krzee> BBHoss, no
13:33 < BBHoss> the server is a linode with no iptables rules
13:33 < krzee> BBHoss, 
13:33 < krzee> !configs
13:33 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
13:33 < BBHoss> krzee: alright sec
13:35 < jpalmer-> http://pastebin.ca/1821624 <-- krzee,  my configs.  the only change is I've added a 'topology subnet' to the server config
13:36 < BBHoss> krzee: https://gist.github.com/7934260a9aea197ba277
13:36 < vpnHelper> Title: gist: 7934260a9aea197ba277 - GitHub (at gist.github.com)
13:36 < krzee> jpalmer-, have another look at !static
13:36 < krzee> remove ipp
13:36 < krzee> if you say "i did" i say !configs again
13:36 < BBHoss> krzee: https://gist.github.com/531cb398662d1ce71c2f is the client
13:36 < vpnHelper> Title: gist: 531cb398662d1ce71c2f - GitHub (at gist.github.com)
13:37 < jpalmer-> you can't have both a ccd entry and ipp?
13:37 < krzee> !ipp
13:37 < vpnHelper> krzee: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
13:40 < BBHoss> any ideas krzee?
13:40 < BBHoss> i can see it trying to hit the server with tcpdump
13:40 < BBHoss> its just not responding
13:42 < jpalmer-> krzee: I'm sorry.  I must be dense.  I have a ccd entry as per !static,  I've read through !ipp,  and don't see anything where the two can't co-exist. the only thing I see different, is in the !static example, the ccd has a subnet.  mine has the IP of the server (which I read in other docs is correct for a routed network. subnet mask is for a bridged network)
13:44 < jpalmer-> for clarification,  I removed that hosts ipp entry which is what I assume you are trying to tell me,  but I didn't remove the ipp option from the server config.
13:46 -!- thelongmile [~Mark@cpc3-ely14-0-0-cust875.cdif.cable.ntl.com] has joined ##openvpn
13:49 < thelongmile> hello, i've been having a few problems with openvpn, trying to install it so that i can use it when I'm at a wifi hotspot for more secure web browsing, however any time i run the install scripts, i can get as far as connecting to the server, I can ping it, and browse websites I host on that server, but as far as web access goes, nothing, can't even get sites, I'm installing on Debian 5.0 lenny via SSH, I have removed it for th
13:49 < thelongmile> being to try and go through an install to make sure it wasnt something i missed
13:50 < krzee> jpalmer-, comment the ipp and try the subnet in static ip
13:50 < krzee> trying to do what i suggest is step 3 in getting help from me ;]
13:51 < jpalmer-> krzee, ok.  I apologize.  it wasn't clear that ipp and ccd were mutually exclusive.  i thought you meant the single ipp entry for that client.
13:52 < krzee> they are not mutually exclusive
13:52 < krzee> but ipp can get in the way
13:52 < krzee> and is completely useless
13:55 < thelongmile> sorry for the long post btw
13:56 < jpalmer-> krzee, ok,  now none of the hosts have the expected (and hoped) IP's ;)
13:56 < jpalmer-> ipp is commented out in the server config
13:56 < krzee> and the server log shows it is reading the ccd entry when the client connects?
13:57 < jpalmer-> I see nothing in the log about a ccd entry
13:57 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Ping timeout: 256 seconds]
13:57 < krzee> you prolly didnt name the ccd file EXACTLY as the common-name of the client
13:57 < krzee> !ccd
13:57 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
13:57 < jpalmer-> yeah, I did.  
13:57 < krzee> [11:57]  <jpalmer-> I see nothing in the log about a ccd entry
13:57 < krzee> its either that or permission problems
13:58 < jpalmer-> hrm,  could be perms.  let me look into that.
13:58 < krzee> remember if you drop permissions using --user / --group, that user/group needs access to ccds
13:59 < thelongmile> the main idea is to connect to the server and go through it for web access
14:00 < BBHoss> krzee: apparently i do have a firewall, i feel stupid
14:00 < krzee> thelongmile, 
14:00 < krzee> !redirect
14:00 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:01 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
14:01 < thelongmile> krzee: thanks, I don't suppose you have a page on all of this? i can't seem to find anything but access server info
14:01 < thelongmile> !def1
14:02 < vpnHelper> thelongmile: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
14:02 < ecrist> ldap has chosen today to kick my behind.
14:02 < krzee> thelongmile, ive thought about writing one a couple times, but its a pita because most the config is OS specific
14:02 < |Mike|> ecrist: just restart is as much till it crashes :p
14:02 < krzee> so it would mean writing a doc on linux NAT/ BSD NAT/ windows NAT / osX NAT
14:03 < krzee> etc
14:03 < |Mike|> sup krzee 
14:03 < krzee> sup man
14:03 < thelongmile> krzee: ah, then I don't blame you, Sorry for asking what must seem like quite a silly question, but how exactly am I suppost to add the def1 flag? also, is the vpnHelper set up so I can do all the ! commands and not flood the channel in either a private room or PM?
14:04 < |Mike|> krzee: my boss starts to accept my ideas about why we should use tls-auth and csr (or was it clr)
14:05 < krzee> by msg, but different syntax, /msg vpnHelper factoids whatis ##openvpn def1
14:05 < krzee> or
14:05 < krzee> !factoids
14:05 < vpnHelper> krzee: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
14:05 < krzee> for info re: def1, please see --redirect-gateway in the man page ( !man ) to fully understand
14:06 < thelongmile> okay, thanks, it's --redirect-gateway after openvpn?
14:06 < krzee> grr
14:06 < thelongmile> sorry!
14:07 < thelongmile> I'm afraid I'm a sort of linux newb, not that new but just, might need things sometimes in black and white
14:07 < krzee> !learn -- as OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix can be removed when an option is placed in a configuration file.
14:07 < vpnHelper> krzee: Joo got it.
14:08 < krzee> its not a linux thing tho, its a manual thing
14:08 < krzee> !man
14:08 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
14:08 < thelongmile> krzee: sorry, i mean, what do I need to run --redirect-gateway in front of
14:09 < krzee> huh?
14:09 < |Mike|> haha
14:09 < krzee> heheh i need to chop up some weed dont i mike
14:09 < thelongmile> sorry
14:09 < krzee> go to my happyplace
14:10 < |Mike|> krzee: :D
14:10 < jpalmer-> krzee:  thanks for the help.  I think I see the problem.  my keys seem to have odd CN's.   CN=clientname/email=security@example.com   instead of just CN=clientname
14:10 < jpalmer-> I'll generate a new test key, and see if it works.
14:11 < krzee> !certinfo
14:11 < vpnHelper> krzee: "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
14:12 < jpalmer-> yeah,  I checked.   my CN is: CN=vsvoasrqvt01/emailAddress=security@foo.com  
14:13 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
14:14 < |Mike|> krzee: i still pitty that we haven't met up while you where in NL tho
14:14 < krzee> same man, but maybe ill be back in aug
14:15 < krzee> i wanna take a train around europe
14:15 < |Mike|> around or trought ? :P
14:15 < krzee> yes
14:15 < krzee> ;]
14:17 < |Mike|> would be fun indeed.
14:19 < krzee> did you ever look at those strange findings i had while playing with vpnchains?
14:33 -!- thelongmile [~Mark@cpc3-ely14-0-0-cust875.cdif.cable.ntl.com] has left ##openvpn []
14:43 < |Mike|> krzee: nope
14:45 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
14:45  * ecrist resolves his ldap problems.
14:46 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
14:50 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:52  * jpalmer- still can't get static IP's to work.  I'm creating the certs according to the docs,  but the CN seems to always append the emailAddress, unless I'm reading the info from the cert wrong.
14:53 < krzee> !certinfo
14:53 < vpnHelper> krzee: "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
14:54 < krzee> pastebin
14:54 < jpalmer-> Subject: C=US, ST=FL, L=Sarasota, O=Flipper, CN=vsvoasrqvt01/emailAddress=security@flipper.com   <- the way I'm reading it, the whole CN includes the emailAdress property, right?
14:54 < Guest97303> Alright, back from work.
14:54 -!- Guest97303 is now known as AdamDV
14:54 -!- AdamDV [~adamdv@CPE001cf0f6336b-CM0018c0d8b7e6.cpe.net.cable.rogers.com] has quit [Changing host]
14:54 -!- AdamDV [~adamdv@unaffiliated/tuxice] has joined ##openvpn
14:55 < jpalmer-> krzee:  sorry,  was pasting it before the pastebin suggestion. didn't realize you'd said it
14:55 < krzee> thats fine
14:55 < krzee> then CN is vsvoasrqvt01
14:55 < krzee> nah you pasted the single line that mattered
14:56 < krzee> i just didnt want the whole dump in here
14:56 < jpalmer-> damn. if thats the CN,  thats exactly what I've named the ccd file.
14:56 < krzee> then show me permissions for ls -la ccd/
14:56 < jpalmer-> I've got to be overlooking something insanely simple.
14:56 < krzee> that something simple could be -x on the ccd dir for example
14:58 < jpalmer-> http://www.pastebin.ca/1821815
14:58 < krzee> bleh getting tables next to eachother is annoying
14:58 < jpalmer-> and yes,  the server has a user nobody setting
14:59 < jpalmer-> normally, I have them chmod'd to 640,  but added 644 to test perms
14:59 -!- AdamDV [~adamdv@unaffiliated/tuxice] has quit [Ping timeout: 276 seconds]
14:59 < krzee> try giving the ../ a+x
14:59 < jpalmer-> so, the ccd dir itself?
15:00 < krzee> nope, the ../
15:00 < krzee> ccd was ./
15:02 < jpalmer-> do I need to restart openvpn if it's a perm issue?  or will it read that client ccd file when the client next connects?  (not sure when openvpn reads that file in)
15:03 -!- BBHoss [~bbhoss@69.171.197.91] has quit [Quit: Leaving...]
15:05 -!- AdamDV [~adamdv@CPE001cf0f6336b-CM0018c0d8b7e6.cpe.net.cable.rogers.com] has joined ##openvpn
15:05 < jpalmer-> that worked.
15:05 < jpalmer-> OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/huntington
15:05 -!- AdamDV is now known as Guest4848
15:06 -!- Guest4848 [~adamdv@CPE001cf0f6336b-CM0018c0d8b7e6.cpe.net.cable.rogers.com] has quit [Changing host]
15:06 -!- Guest4848 [~adamdv@unaffiliated/tuxice] has joined ##openvpn
15:06 -!- Guest4848 is now known as AdamDV-Desktop
15:06 < AdamDV-Desktop> Don't you love it when things work?
15:07 < jpalmer-> not when it's something simple, and I'm just overlooking it ;)
15:07 < jpalmer-> I mean, yes.  :P
15:07 < AdamDV-Desktop> Haha
15:07 < AdamDV-Desktop> I'm quite happy with my setup, atm.
15:07 < jpalmer-> krzee:  thanks muchly.  this was driving me up a wall
15:08 < AdamDV-Desktop> !welcome
15:08 < vpnHelper> AdamDV-Desktop: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:08 < jpalmer-> AdamDV-Desktop: me too,  but we're about to add over 1000 persistent VPN clients.  so, we really needed to go static rather than letting the pool assign.
15:08 < AdamDV-Desktop> Haha
15:09 < jpalmer-> now I just need to find an ingenious way for openvpn to update DNS records. lol
15:09 < Bushmills> nsupdate, via --up
15:10 < jpalmer-> hmm,  I was joking.  but thats actually not a bad idea
15:10 < Bushmills> or, server side, through --client-connect
15:13 -!- AdamDV-Desktop [~adamdv@unaffiliated/tuxice] has quit [Ping timeout: 276 seconds]
15:15 < krzee> np =]
15:29 -!- alpha_ [~alpha@41.230.216.117] has joined ##openvpn
15:42 < nixfreak> is it possible to setup openvpn in bridge mode via ssh ? 
15:42 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
15:42 < nixfreak> or do you need to be in front of the machine 
15:44 < alpha_> hello
15:48 < alpha_> I have installed openvpn with rpm but I dosnt see the TAP/TUN interface with the ifconfig command
15:48 < alpha_> what can be the pb, please help, thanks
15:54 < krzee> nixfreak, its possible as long as you dont make a mistake i guess, but really you should consider using tun if you can
15:55 < krzee> alpha_, you need tuntap module loaded
15:55 < krzee> or you arent yet running openvpn
15:55 < krzee> (it will dynamically make the tun device)
16:17 -!- jpalmer- [~jeffpalme@static-173-65-43-10.tampfl.fios.verizon.net] has quit [Quit: jpalmer-]
16:19 -!- alpha_ [~alpha@41.230.216.117] has quit [Quit: Quitte]
16:27 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Quit: ZNC - http://znc.sourceforge.net]
16:35 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
17:02 -!- roam [~rk@reiko.vzsze.de] has quit [Ping timeout: 256 seconds]
17:25 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
17:37 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
17:38 -!- ksnp [~ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
17:38 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
17:40 < ksnp> i am trying to compile openvpn on windows using mingw and it complains about not finding the openssl dir and the pkcs11-helper dir. i am using the batch file for compilation that is in ms/mingw32.bat. Any suggestions ?
17:42 -!- tompaw [~tompaw@slave20.tesserakt.eu] has quit [Ping timeout: 260 seconds]
17:42 -!- tompaw [~tompaw@slave20.tesserakt.eu] has joined ##openvpn
17:46 -!- [1]ksnp [~ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
17:48 -!- ksnp [~ksnp@71-6-65-18.static-ip.telepacific.net] has quit [Ping timeout: 246 seconds]
17:48 -!- [1]ksnp is now known as ksnp
18:02 -!- pegger [~pegg@208.73.74.67] has joined ##openvpn
18:03 < pegger> is anyone in here from Canada, I am asking because a client is telling me that they are getting VERY less then  KB/s when connecting to our VPN server in the US
18:04 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
18:14 < ksnp> would you know about compiling openvpn in windows ?
18:14 < ksnp> i am trying to avoid problems with nat traversal by using openvpn and am having a hard time building it in windows
18:15 < pegger> ksnp why do you have to build it from source?
18:33 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
18:35 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
18:37 < krzee> you will need openssl stuff to compile it, sounds like you dont have it there
18:39 < Optic> mooo
18:43 -!- tjz [~pc@bb116-15-64-54.singnet.com.sg] has joined ##openvpn
18:43 -!- tjz [~pc@bb116-15-64-54.singnet.com.sg] has quit [Changing host]
18:43 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
18:45 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
18:48 -!- ksnp [~ksnp@71-6-65-18.static-ip.telepacific.net] has quit [Ping timeout: 268 seconds]
18:57 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has quit [Quit: Terminated with extreme prejudice - dircproxy 1.0.5]
19:04 -!- tazdevil [~tazmania@60.53.7.73] has joined ##openvpn
19:04 < tazdevil> are ipsec, pptpd, and xl2tpd compatible with openvpn?
19:06 -!- xod [~onats@112.201.158.40] has quit [Remote host closed the connection]
19:42 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined ##openvpn
19:58 -!- aditsu [~aditsu@203.145.92.164] has joined ##openvpn
20:00 < aditsu> hi, I'm unable to connect between 2 vpn clients
20:00 < aditsu> I have "client-to-client" in the server config
20:00 < aditsu> what could be the problem?
20:02 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
20:30 -!- aditsu [~aditsu@203.145.92.164] has quit [Read error: Connection reset by peer]
20:32 -!- LobbyZ [~default@188.72.255.194] has quit [Quit: Free FTW]
20:34 -!- tazdevil [~tazmania@60.53.7.73] has left ##openvpn ["Leaving"]
20:44 < Bushmills> can you ping the other client?
20:45 -!- huzaifas [~huzaifas@115.240.176.189] has joined ##openvpn
20:45 < huzaifas> hey
20:45 < huzaifas> i want to know what --auth algorithirms does openvpn support?
20:54 -!- pegger [~pegg@208.73.74.67] has quit [Quit: This computer has gone to sleep]
20:55 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
20:56 < huzaifas> !welcome
20:56 < vpnHelper> huzaifas: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:56 < huzaifas> i want to know what --auth algorithirms does openvpn support?
20:57 < huzaifas> !logs
20:57 < vpnHelper> huzaifas: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
20:57 < huzaifas> !route
20:57 < vpnHelper> huzaifas: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
21:05 -!- twb [~twb@nat064.cyber.com.au] has joined ##openvpn
21:06 < twb> Thanks, I found the bug!
21:07 -!- zagabar [~zagabar@109.225.68.246] has left ##openvpn []
21:08 -!- [1]ksnp [~ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
21:10 -!- huzaifas [~huzaifas@115.240.176.189] has quit [Quit: Leaving]
21:11 -!- aditsu [~aditsu@254.9.246.220.static.netvigator.com] has joined ##openvpn
21:12 -!- aditsu [~aditsu@254.9.246.220.static.netvigator.com] has quit [Client Quit]
21:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
21:34 -!- caution [~caution@unaffiliated/caution] has joined ##openvpn
21:35 < caution> how do I stop windows from adusting the route metric after I set it?
21:38 -!- caution [~caution@unaffiliated/caution] has quit [Remote host closed the connection]
21:43 < twb> Architecturally, is OpenVPN peer-to-peer, or client(s)-to-server?
21:44 < twb> From what I can see, it seems to be the latter.
21:48 -!- pegg [~pegg@pool-71-174-39-30.bstnma.east.verizon.net] has joined ##openvpn
21:48 < pegg> is anyone in here from Canada, I am asking because a client is telling me that they are getting VERY less then  KB/s when connecting to our VPN server in the US
21:51 -!- Blu3 [~David@BlueLabs/Blu3] has quit [Read error: Operation timed out]
21:58 -!- FirefighterBlu3 [~David@BlueLabs/Blu3] has joined ##openvpn
22:02 -!- FirefighterBlu3 is now known as Blu3
22:03 < rob0> twb, either AND both. A tun interface is typically configured as peer-to-peer.
22:04 < rob0> Also see "peer mode", the 1.x howto.
22:20 < [1]ksnp> i am trying to compile openvpn on windows using mingw and it complains about not finding the openssl dir and the pkcs11-helper dir. i am using the batch file for compilation that is in ms/mingw32.bat. Any suggestions ?
22:21 < [1]ksnp> rob0 ?
22:24 -!- nixfreak [~nixfreak@mn-10k-dhcp1-3174.dsl.hickorytech.net] has quit [Quit: Lost terminal]
22:32 < rob0> Why are you flagging me about that?
22:37 < [1]ksnp> seems like youa re the only one here :)
22:40 < rob0> I answered that question (maybe from you?) several days ago, and my answer was, "I have no idea, and I bet no one else here will."
22:41 < rob0> In that amount of time I have not started using Windows.
22:45 < twb> ##windows knows about windows, fwiw
22:49 < rob0> ha, I actually doubt they do :)
22:52 -!- AntoineBk [~Antoine@188.165.75.17] has quit [Ping timeout: 245 seconds]
22:52 -!- AntoineBk [~Antoine@188.165.75.17] has joined ##openvpn
22:57 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:00 < twb> I followed http://wiki.debian.org/HowTo/openvpn and now I have a working point-to-point link on my test bench, between two hosts connected over a simple crossover cable.
23:00 < vpnHelper> Title: HowTo/openvpn - Debian Wiki (at wiki.debian.org)
23:01 < twb> My target deployment is a central server, with encrypted VPN connections to remote headless nodes around the internet.
23:01 < Bushmills> I'm sure nobody can eavesdrop on your crossover cable now :D
23:01 < twb> So AIUI I need to turn a point-to-point setup into a proper network
23:01 < twb> Bushmills: that's what they said about CRTs before project TEMPEST
23:02 < Bushmills> that was before video output was scrambled
23:03 < Bushmills> essentially, your single client server is the same you'd use for an installation with more clients
23:04 < twb> If I can give all the client nodes the same config files, and have them automatically pick an IP on the VPN, that would simplify matters immensely, because they're booting from what amounts to a live CD.
23:06 < Bushmills> yes. possible.  attention is needed with the DNS they'll use. I suppose you'll --redirect-gateway?
23:06 < twb> NFI.  The only VPN I've used before is ssh -w.
23:07 -!- FirefighterBlu3 [~David@BlueLabs/Blu3] has joined ##openvpn
23:07 < twb> I want most stuff to go out over the normal (non-openvpn) connection; the openvpn line is just there for stuff like syslog,ssh,vnc,nagios, etc.
23:07 < twb> FSVO normal = web browsing
23:12 -!- Blu3 [~David@BlueLabs/Blu3] has quit [Quit: Coyote finally caught me]
23:12 -!- FirefighterBlu3 is now known as Blu3
23:19 -!- ksnp [~ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
23:19 < ksnp> i am trying to compile openvpn on windows using mingw and it complains about not finding the openssl dir and the pkcs11-helper dir. i am using the batch file for compilation that is in ms/mingw32.bat. Any suggestions ?
23:19 < ksnp> anyone there ?
23:19 -!- ksnp [~ksnp@71-6-65-18.static-ip.telepacific.net] has quit [Client Quit]
23:20 -!- [1]ksnp [~ksnp@71-6-65-18.static-ip.telepacific.net] has quit [Ping timeout: 256 seconds]
23:20 < pegg> why do you need to compile it?
--- Day changed Thu Mar 04 2010
00:01 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 240 seconds]
00:10 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
00:30 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
01:21 < hyper_ch> I think I might switch back from Chromium to firefox
01:22 -!- pegg [~pegg@pool-71-174-39-30.bstnma.east.verizon.net] has quit [Quit: This computer has gone to sleep]
01:42 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
01:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
01:58 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:58 -!- mode/##openvpn [+o mattock] by ChanServ
01:59 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
02:29 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
03:29 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
03:33 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Read error: Operation timed out]
03:48 -!- Deepy [deepy@wrongplanet/deepa] has joined ##openvpn
03:48 < Deepy> !welcome
03:48 < vpnHelper> Deepy: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:48 < Deepy> !redirect
03:48 < vpnHelper> Deepy: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
03:49 < Deepy> !route
03:49 < vpnHelper> Deepy: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
03:52 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 264 seconds]
03:52 -!- dazo_afk is now known as dazo
03:53 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
03:53 < Deepy> I need to use a SOCKS proxy to connect to my OpenVPN server, but when I'm connected I want to run all traffic (except the connection to the socks proxy) through openvpn
04:03 < dxtr> !def1
04:03 < vpnHelper> dxtr: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
04:05 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
04:12 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
04:19 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Quit: Távozom]
04:55 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
04:55 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
05:00 < Deepy> Any idea on why the connection keeps on resetting?
05:00 < Deepy> http://pastebin.com/tLuTVAvU - that's part of my log
05:03 -!- twb [~twb@nat064.cyber.com.au] has quit [Read error: Connection reset by peer]
05:07 < Deepy> I guess it's because of the Thu Mar 04 11:55:21 2010 Fatal decryption error (process_incoming_link), restarting
05:15 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
05:19 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 240 seconds]
05:24 -!- dazo [~dazo@nat/redhat/x-uefaptlsnyfpfhgx] has quit [Read error: Connection reset by peer]
05:24 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
05:24 -!- dazo_ [~dazo@nat/redhat/x-mrgweesefhinbybk] has joined ##openvpn
05:25 -!- dazo_ is now known as Guest48249
05:38 -!- Diffen2 [~diffen2@c-6874e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
05:53 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:14 -!- Guest48249 is now known as dazo_
06:14 -!- dazo_ is now known as dazo
07:15 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
07:17 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
07:18 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
07:18 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
07:18 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
07:19 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Read error: Connection reset by peer]
07:19 -!- stony [~ol@187-140-088-212.ip-addr.teresto.net] has joined ##openvpn
07:19 < stony> hi
07:19 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
07:20 < stony> if i use client-connect script.sh then $1 is the name of a temp-file for openvpn options that are dynamically created
07:20 < stony> where has the file to be placed ? in the ccd or in /tmp ?
07:23 < stony> 'cause there is no path offered
07:29 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
07:29 < dazo> stony:  it's not in cwd?
07:29 < stony> dazo: that's not explained in the docs and that's why i'm asking
07:29  * dazo looks into the source
07:29 < stony> but laying it in the cwd of the script works
07:30 < dazo> stony:  look at --tmp-dir 
07:30 < stony> dazo: thx
07:31 < dazo> stony:  np!
07:32 < stony> btw is there a way to obtain the ip addresses from a radius server ?
07:32 < stony> i found the learn-address option but i don't think that's what i want
07:35 < dazo> stony:  no, I don't think that's possible
07:35 < dazo> stony:  --lean-address is called after authentication and everything is ready ... it's the last plug-in call before everything is ready for the client
07:36 < dazo> stony:  --learn-address call is where the server registers the IP address the client will use
07:36 < stony> ah ic
07:36 < stony> and by adding an ifconfig directive to the dynamic options of the client-connect script ?
07:36 < stony> e.g. push-ifconfig bleh blah ?
07:37 < stony> i'll get the ip address - e.g. out of radius, and put it there
07:37 < dazo> stony: you should be able to push it to the client ... by creating a ccd file on-the-fly .... but that's probably needed to be done during --tls-verify 
07:37 < dazo> stony:  why static IP?
07:38 < stony> dazo: it's not the static ip thing it's more the "running multiple openvpn daemons with same ip-pool"-thing
07:38 < stony> i want on openvpn daemon listening on 1194 udp and another one on 443 tcp
07:38 < stony> default should be 1194 udp but if that's not working clients should connect 443 tcp
07:38 < stony> and the ip-pool should be shared
07:39 < stony> also for failover with multiple systems sharing the same ip-pool
07:39 < dazo> stony:  ahh ... I c ... but .... that sounds like a disaster anyway, though .... same ip-pool among two openvpn processes, that will clash anyway - because openvpn processes will not communicate in between themselves
07:40 < dazo> dazo:  you're probably going to have bigger success with proper routing and separate network segments, though
07:40 < stony> that's what i thought about too, but i think it's the better way - in this case - to use radius address assigning
07:40 < stony> i also use a part of radius and/or ldap auth to auth users agains ad
07:41 < stony> s/ad/adds
07:42 < Deepy> I'm on Windows and I keep getting "Thu Mar 04 11:55:21 2010 Fatal decryption error (process_incoming_link), restarting" at the client
07:42 < stony> Deepy: key/cert missmatch in 99,9% of the time
07:43 < Deepy> Well I manage to get connected and then it drops
07:43 < dazo> yeah, you don't have much other chances than static assignment to avoid clashes then ... you'd probably then need to use --tls-verify and/or --auth-user-pass-verify to pick out the needed info from radius and create ccd on-the-fly
07:44 < Deepy> I've managed to reach a couple of host through the connection while it stays up
07:44 < dazo> Deepy:  UDP?
07:44 < Deepy> TCP
07:44 < Deepy> I need to go through a socks proxy
07:44 < dazo> can you try running this without the proxy?  to see if it's more stable then?
07:45 < Deepy> Nope, I need the proxy to reach outside
07:45 < dazo> it might be the proxy fooling you ... and would be good to see if the setup worked without the proxy
07:45 < Deepy> well the proxy is generaetd by a ssh tunnel :P
07:46 < stony> why don't you tunnel through ssh directly?
07:46 < Deepy> What do you mean?
07:46 < dazo> openssh also allows tap based "vpn" as well
07:46 < stony> e.g. you can do port-forwarding with ssh
07:46 < stony> and connect the openvpn to those ports
07:46 < stony> or you simply start pppd on top of the ssh connection
07:47 < stony> the tap-based version of ssh-vpn is new to me
07:47 < dazo> might be tun, on second thoughts ... anyway, it's creating a network device which can be used as a tunnel
07:47 < dazo>    -w local_tun[:remote_tun]
07:47 < dazo>              Requests tunnel device forwarding with the specified tun(4) devices between the client (local_tun) and
07:47 < dazo>              the server (remote_tun).
07:48 < dazo> p-t-p tunnel
07:48  * dazo has never tried it in real life
07:49 < stony> hm i guess i found a bug in the masquerade module of netfilter
07:49 < dazo> ?
07:49 < stony> it uses the wrong ip on the interface
07:49 < dazo> interesting
07:49 < stony> ip of ppp0 is used as ip on ppp1
07:50 < dazo> could be the ppp driver too maybe, confusing netfilter?
07:50 < stony> i can delete all connections on ppp1 with conntrack and then it starts working again until the link on ppp1 is rebuild from pppd
07:50 < stony> same again
07:51 < Deepy> It's not working better with local port forwarding
07:51 < Deepy> infact, I can keep connections even shorter now
07:51 < stony> dazo: not sure, 'cause it's not using an old ppp1-ip it's using the ppp0 ip
07:52 < stony> Deepy: there's a tool called httptunnel that tunnels everything through simple http-requests (if nothing else works in the end)
07:52 < dazo> http://prefetch.net/blog/index.php/2008/06/26/opensshs-vpn/ .... VPN via openssh
07:52 < stony> another tools tunnels everything through dns requests but i guess openvpn on port 53 will work too
07:52 < stony> s/tools/tool
07:54 < Deepy> the dns request one builds on a guess that you can't reach anything
07:54 < ecrist> good morning, kids
07:54 < Deepy> so you rely on the local dns server not having caching
07:54 < Deepy> I can socksify lots of stuff, but I really need a VPN
07:55 < havoc> and VPNs appear to be done
07:55 < havoc> massive overhaul yesterday
07:55 < Deepy> Can you use UDP through a socks proxy btw?
07:57 < dazo> Deepy:  if using SOCKS5, you can, afaik
07:58 < Deepy> o, sweet
07:58 < Deepy> gonna try that out then
07:59 < dazo> Deepy:  just so I got this right .... you ran openvpn in TCP over SOCKS (via ssh) to the outside?
08:00 < Deepy> outside not NAT'ed box is openvpn server
08:00 < Deepy> I ssh'ed to a machine of my own, ssh tunnel there and connected to other box through TCP over socks through this SSH link
08:01 < Deepy> Hmm nope. can't seem to connect with UDP set
08:01  * dazo got confused .... but it sounds like multiple tcp-over-tcp layers .....
08:02 < Deepy> me openvpn-client over ssh to anotherbox with openvpn server
08:05 < dazo> Deepy:  exactly ... openvpn using TCP .... which means, you get in reality 2 tcp-over-tcp layers .... I really think this won't work well
08:06 < ecrist> !tcp
08:06 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
08:07 < dazo> TCP traffic hitting you VPN tunnel .... will be transported as TCP packets (openvpn), which again goes over another TCP packet layer (ssh) .... I think this is simply too much for the TCP/IP stack to handle :)
08:07 < Deepy> Well, I can't avoid it :p
08:08 < dazo> well, I don't think you can really make it work without issues .... read the link above ... "Why TCP over TCP is a bad idea"
08:08 < dazo> Deepy:  you'll have a bigger chance of success looking at openssh's "VPN" solution .... that removes one of the TCP layers ... *that* might work better
08:10 < Deepy> Does that vpn thing work on Windows?
08:11 < dazo> not sure if putty has implemented that feature .... worst case, you always got cygwin which got openssh
08:11 < Deepy> Which most likely does not have it either :P
08:11 < dazo> if you have a tun device available thoguh
08:11 < dazo> if not .... you're most probably out of luck
08:11 < ecrist> yes, putty supports it
08:13 < dazo> ecrist:  the ssh -w feature?
08:13 < Deepy> I can't find any option in putty for it
08:15 < Deepy> ecrist: you sure it's supported?
08:15 < dazo> http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/tun-openssh.html  ... seems not
08:15 < vpnHelper> Title: PuTTY wish tun-openssh (at www.chiark.greenend.org.uk)
08:15 < ecrist> sorry, I misspoke
08:15  * ecrist flogs himself and dons the dunce cap for the day
08:16 < ecrist> or the cone of shame, whichever you prefer: http://3.bp.blogspot.com/_qJxb6aQx_Oo/SkqE2IMeDZI/AAAAAAAAAPg/Wh3Ejsu0JWM/s400/cone+of+shame.jpg
08:17 < dazo> :)
08:17 -!- joh [johannj@caracal.stud.ntnu.no] has joined ##openvpn
08:17 < joh> !welcome
08:17 < vpnHelper> joh: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:18 < joh> Hi, I've set up my openvpn server to authenticate against ldap using openvpn-auth-ldap.so. I'm wondering - is it possible to set up clients with static keys as well?
08:19 < dazo> Deepy:  seems cygwin + openssh + the tun driver from openvpn will be your last hope
08:20 < dazo> joh:  what do you mean with static keys?
08:21 < joh> dazo: i.e. certificates and keys as described in the howto: ./build-key client1
08:21 -!- LobbyZ [~default@188.72.255.194] has quit [Ping timeout: 258 seconds]
08:21 < Deepy> Or I'll get a UNIX VM and set it as gateway
08:22 < joh> dazo: I get "TLS Error: Auth Username/Password was not provided by peer"
08:23 < dazo> joh:  you're probably missing --auth-user-pass in client configs?
08:23 < joh> dazo: But I don't want to authenticate using user-pass for this particular client - I want to use the client certificate instead.
08:24 < dazo> joh:  you can also skip SSL certificates, if you want to ... you can use either --client-cert-not-required  or --static keys .... but using SSL certs is the safest
08:24 < dazo> joh:  it's all or nothing ... you cannot skip user/pass auth for selected clients 
08:24 < joh> dazo: Oh I see
08:24 < dazo> joh:  the only way to do this, is to have a separate openvpn daemon running with a different config
08:25 < joh> dazo: Is it possible to store the password in a file at the client side?
08:25 < joh> dazo: I.e. read it from that file
08:26 < dazo> joh:  don't recall right now ... but I belive --auth-user-pass can be given a filename with auth info .... *checking*
08:26 < dazo>        --auth-user-pass [up]
08:26 < dazo>               Authenticate with server using username/password.  up is a  file
08:26 < dazo>               containing username/password on 2 lines
08:27 < dazo> but it requires openvpn to be built with --enable-password-save
08:27 < dazo> joh:  ^^
08:27 < dazo> it's all in the man page ;-)
08:27 < joh> dazo: Ah great, thanks :)
08:28 < dazo> joh:  no prob!
08:34 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 248 seconds]
08:43 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:47 -!- jpalmer- [~jeffpalme@static-173-65-43-10.tampfl.fios.verizon.net] has joined ##openvpn
08:52 -!- Section58 [~steve@78-86-206-81.zone2.bethere.co.uk] has quit [Ping timeout: 240 seconds]
08:54 -!- stony [~ol@187-140-088-212.ip-addr.teresto.net] has quit [Quit: l8r]
08:58 -!- Section58 [~steve@78-86-206-81.zone2.bethere.co.uk] has joined ##openvpn
09:06 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
09:10 -!- dug` [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
09:12 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Ping timeout: 276 seconds]
09:18 < joh> What's required to get dhcp-options to work on linux machines? (debian stable)
09:28 < ecrist> a custom script
09:37 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
09:43 < joh> ecrist: thanks, I figured it out :)
09:44 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined ##openvpn
09:49 -!- teddymills [~teddy@208.92.235.227] has joined ##openvpn
09:50 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Read error: No route to host]
09:50 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
09:50 -!- cwillu_at_work [~cwillu@cwillu.com] has joined ##openvpn
09:52 < cwillu_at_work> Question:  I'd like to set up a vpn where remote machines log into purely for the purposes of being logged into.  i.e., a, b, c vpn into the server.  When I want to connect to b, I vpn into the server, and then log in to b over the vpn.  a, b, c shouldn't be able to see each other though.  My impression is that there's some internal routing that can be enabled; can this be used to enable this?
09:53 < cwillu_at_work> I don't really want to set up a dozen separate vpn's
09:54 < mort_gib> cwillu_at_work: Configure one VPN master, and make routing "files" for all subnets
09:55 < cwillu_at_work> are such routes mandatory?
09:55 < cwillu_at_work> to the clients, I mean?
09:59 < mort_gib> If the "server" is not announcing what networks it knows about, then the clients can't know
09:59 < mort_gib> So, the "server" will have to push routes to clients
09:59 < cwillu_at_work> s/can't know/have to guess/
10:00 < mort_gib> 'Puters guess lousy
10:00 < mort_gib> Gotta be told
10:01 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
10:01 < cwillu_at_work> by people... who guess better :p
10:01 < mort_gib> Well I still get surprised :-)
10:01 < mort_gib> Even with people you have to be rather blunt....
10:01 < mort_gib> :-)
10:02 < mort_gib> -Let me show you a snippet
10:08 < cwillu_at_work> I guess I just find it difficult to take seriously the proposition that a 32bit key (the network address) is secure when they rarely change, there are lots of valid keys, and multiple attempts are allowed
10:11 < cwillu_at_work> not that it's _likely_, but that's a long way from "it's not gonna happen"
10:12 -!- BBHoss [~bbhoss@69.171.197.91] has joined ##openvpn
10:16 < mort_gib> Did you see the private post
10:17 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 260 seconds]
10:18 < cwillu_at_work> oh, no, sorry
10:19  * cwillu_at_work reads
10:21  * cwillu_at_work gets off the phone and starts reading again
10:25 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
10:25 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
10:25 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
10:25 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
10:33 -!- BBHoss [~bbhoss@69.171.197.91] has left ##openvpn ["Leaving..."]
11:14 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
11:23 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 258 seconds]
11:29 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
11:35 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 265 seconds]
11:37 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit [Quit: Leaving]
11:46 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
12:20 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
12:27 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
12:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:49 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 258 seconds]
12:50 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
12:51 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
12:53 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 256 seconds]
12:57 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:58 -!- Rienzilla [rien@sinas.rename-it.nl] has joined ##openvpn
12:58 < Rienzilla> Hi
12:58 < Rienzilla> is it possible to connect to an openvpn server without having a valid cacert on the client side? (but with a valid cert and key?)
13:08 < joh> Rienzilla: I don't think so, no
13:09 < joh> Rienzilla: You can however configure your server to not require a client certificate.
13:11 < Rienzilla> hmm
13:11 < Rienzilla> no that's not what I need
13:11 < Rienzilla> since that would compromise security
13:12 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 248 seconds]
13:12 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
13:18 -!- Section58 [~steve@78-86-206-81.zone2.bethere.co.uk] has quit [Ping timeout: 276 seconds]
13:18 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 240 seconds]
13:21 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
13:23 -!- montana [~montana@212.117.173.72] has quit [Ping timeout: 246 seconds]
13:24 -!- Section58 [~steve@usa.minid.co.uk] has joined ##openvpn
13:34 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
13:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
13:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:52 -!- dazo is now known as dazo_afk
13:54 < cwillu_at_work> Rienzilla, you don't want the client to verify the server?
14:00 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Quit: Távozom]
14:00 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
14:09 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 252 seconds]
14:23 -!- LobbyZ [~default@188.72.255.194] has quit [Ping timeout: 260 seconds]
14:28 < Rienzilla> well
14:28 < Rienzilla> I have a practical problem
14:28 < Rienzilla> I have not enough space to store the certificates :)
14:31 < cwillu_at_work> geez, how many certificates do you have? :p
14:31 < cwillu_at_work> (you only need the root cacert on the client, not all of the server certs that are signed by it)
14:32 < Rienzilla> I know
14:32 < Rienzilla> but I have to squeeze it in like 8k nvram
14:32 < Rienzilla> and it doesn't fit :)
14:33 < cwillu_at_work> what processor are you using, where you can use openvpn, but you only have 8k of storage available :p
14:34 -!- Section58 [~steve@usa.minid.co.uk] has quit [Ping timeout: 276 seconds]
14:40 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
14:40 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
14:44 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:56 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
14:56 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 240 seconds]
14:56 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
15:04 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
15:05 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
15:07 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
15:09 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 256 seconds]
15:09 < vpnHelper> New forum entry openvpnforum: Configuration :: Re: windows xp, openvpn server problem :: Reply by Douglas <http://www.ovpnforum.com/viewtopic.php?f=6&t=2911&p=3650#p3650> || Scripting and Customizations :: Re: OpenVPN and (Free)Radius :: Reply by Douglas <http://www.ovpnforum.com/viewtopic.php?f=15&t=3130&p=3651#p3651> || My VPN :: Re: Gorkhaan's Setup ( Wordpress + OpenVPN fun ) :: Reply by Douglas <http://www.ovpnforum.com/viewtop
15:11 -!- zerk [~sup3rfly@boxcars.triplecrowncasinos.com] has joined ##openvpn
15:11 < zerk> gah
15:11 < zerk> i'm about to pull my hair out....routing issue with openvpn gw2gw
15:11 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
15:11 < zerk> the server can ping the remote subnet just fine, but the clients behind the server can't
15:18 -!- dotCOMmie [tox@glitchinthe.net] has joined ##openvpn
15:19 < dotCOMmie> i guess my problem is the firewall thanks topic d:
15:20 < rob0> If it's not firewall, it's basic routing.
15:21 < dotCOMmie> routing looks ok let me pastebin
15:21 < hyper_ch> well, in situations where I just don't get ahead anymore, I wish I had a magic wand :) it would make life much easier :)
15:22 < rob0> See --magic-wand in the man page.
15:22 < hyper_ch> you're kidding?
15:22 < hyper_ch> you are :)
15:35 < dotCOMmie> http://pastebin.com/Uy2SwzGs
15:35 < dotCOMmie> i can ping the vpn server by internal ip but not any machines on lan or outside of lan
15:36 < dotCOMmie> oops
15:36 < dotCOMmie> looks like route on client is wrong
15:36 < dotCOMmie> there is no default route to tun
15:38 < dotCOMmie> so Id guess there are 2 problems
15:38 < dotCOMmie> the internal lan should work
15:39 < dotCOMmie> any ideas?
15:54 < Hypnoz> did you set ip_forward to 1
15:55 < dotCOMmie> yeah
15:57 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 246 seconds]
15:58 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 268 seconds]
15:58 < dotCOMmie>             /proc/sys/net/ipv4/ip_nonlocal_bind        /proc/sys/net/ipv4/ipfrag_time
15:58 < dotCOMmie> root@OpenWrt54g:~# cat /proc/sys/net/ipv4/ip_forward 
15:58 < dotCOMmie> 1
15:58 < Hypnoz> so your vpn connects, and you can ping the vpn server, but you can't ping any hosts behind the router
15:59 < dotCOMmie> right
15:59 < rob0> hyper_ch: Made ya look! :)
15:59 < Hypnoz> you could try adding a static route on one of the hosts to see if that helps
15:59 < Hypnoz> linux or windows host behind the router?
15:59 < hyper_ch> rob0: no, made me grep :)
16:00 < Hypnoz> huh? can't grep a man file
16:00 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
16:00 < rob0> can too!
16:01 < Hypnoz> wow you're right
16:01 < Hypnoz> its works pretty crappy, but it works
16:02 < rob0> although, less(1) as PAGER searches similarly, and shows you context more easily
16:02 < hyper_ch> Hypnoz: man openvpn | grep magic
16:03 < hyper_ch> for that purpose it was enough :)
16:04 < Hypnoz> ./revoke-full fails for me. anyone else tried to revoke a cert?
16:04 < rob0> I'd do "man openvpn<enter>/magic<enter>"
16:06 < rob0> Do you have your CRL?
16:06 < rob0> --crl-verify
16:06 < Hypnoz> what is the full command?
16:07 < Hypnoz> i can't just type --crl-verify on the command line
16:08 < rob0> I'd do "man openvpn<enter>/--crl-verify<enter>" ;)
16:08 < Hypnoz> hehe
16:09 < Hypnoz> http://pastebin.com/W5y9ediL
16:09 < rob0> If you didn't specify your CRL, there is no validity checking, they're all assumed to be valid and unrevoked.
16:09 < Hypnoz> I think it's an ubuntu thing
16:11 < Hypnoz> are you saying i need to start the openvpn daemon with --crl-verify <path>/keys/crl.pem
16:13 < rob0> um, I put such things in a config file
16:14 < Hypnoz> oh I think i see what you're talking about
16:14 < Hypnoz> after revoke-full creates that crl.pem
16:14 < Hypnoz> I need to run "crl-verify crl.pem"
16:15 < Hypnoz> The revoke-full script will generate a CRL  (certificate revocation list) file called crl.pem in  the keys subdirectory. The file should be copied to a  directory where the OpenVPN server can access it, then CRL verification  should be enabled in the server configuration:  crl-verify crl.pem  Now all connecting clients will have their client certificates  verified against the CRL, and any positive match will result in the  co
16:15 < Hypnoz> I wonder if I just need to run that command once now that openvpn is running, or if I need to put it in server.conf or something
16:17 < Hypnoz> actually based on that wording it sounds like i need to put it in server.conf
16:17 < rob0> "crl-verify <path>/keys/crl.pem" needs to be in the config file
16:17 < Hypnoz> hmmm interesting
16:18 < Hypnoz> so i needed to revoke one cert before it was generated
16:18 < Hypnoz> now i need to put that in the conf, and restart openvpn
16:18 < Hypnoz> :(
16:18 < Hypnoz> that seems kinda convoluted
16:18 < rob0> but, it is checked any time you have a client connect, so new additions to the CRL are seen as they try to connect.
16:19 < Hypnoz> yeah, but that line wasn't in server.conf originally because crl.pem didn't exist until i did my first revoke
16:19 < Hypnoz> when they could have had that line in server.conf, and had an empty crl.pem already exist
16:19 < Hypnoz> so I wouldn't have to restart openvpn now
16:19 < Hypnoz> and drop all my connected users
16:20 < cwillu_at_work> Hypnoz, the default config file didn't have that?
16:20 < cwillu_at_work> and more specifically, which default config where you using?  I didn't think our package had a default config file
16:21 < rob0> The management interface has a "kill" command.
16:21 < rob0> There's also --disable, but there too, requires a restart
16:21 -!- thelongmile [~thelongmi@cpc3-ely14-0-0-cust875.cdif.cable.ntl.com] has joined ##openvpn
16:22 < cwillu_at_work> That's what round-robin failover is for :p
16:22 < rob0> if you have a CCD and --ccd-exclusive, you can simply delete that client's ccd file.
16:22 < Hypnoz> there is a server.conf.gz that comes with openvpn examples
16:22 < Hypnoz> extract that
16:22 < thelongmile> hello, trying to get openvpn working on my linux server (debian 5.0) i can get it up and running to the point I can connect to it with no problems, however if i add the push "redirect-gateway def1"
16:22 < thelongmile> option to the config file so that ALL of my web traffic is encrypted, i cannot get any web traffic at all, only pages or pings from the server, any ideas?
16:23 < thelongmile> i can pastebin the iptables rules i used if that helps
16:23 < Hypnoz> /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz
16:23 < thelongmile> and here it is
16:23 < thelongmile> http://pastebin.com/d5JWSBWf
16:24 < Hypnoz> http://openvpn.net/index.php/open-source/documentation/howto.html
16:24 < vpnHelper> Title: HOWTO (at openvpn.net)
16:24 < Hypnoz> did you look through the redirct gw section in there
16:24 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:24 < thelongmile> yes, 
16:25 < rob0> thelongmile: try http://66.226.201.55/ from the client, I suspect you can't reach your nameserver.
16:25 < vpnHelper> Title: No DNS for us (at 66.226.201.55)
16:25 < thelongmile> thats with the redirect title in the confign yes?
16:26 < thelongmile> i'll give it a try now
16:26 < rob0> would be rather pointless to do any testing if not connected.
16:26 < thelongmile> i got NONDNS4.US
16:27 < rob0> and you can ping that IP through the VPN?
16:27 < thelongmile> yes, i can ping that, let me run a quick traceroute to make sure
16:29 < thelongmile> yes, it's going through the vpn succesfully
16:29 < rob0> client is what OS?
16:29 < thelongmile> i have tried installing apt-get install dnsmaq and adding push "dhcp-option DNS 10.8.0.1"
16:29 < thelongmile> rob0:  Debian 5.0
16:29 < rob0> right, dnsmasq is what I would do
16:30 < cwillu_at_work> just set your dns to google's public dns :p
16:30 < thelongmile> ok, just to confirm, push "dhcp-option DNS 10.8.0.1" looks right to you?
16:30 < rob0> Debian/Ubuntu has some other hack called "resolvconf", which I am not sure what it does, but it is for this sort of thing
16:30 < cwillu_at_work> 8.8.8.8 or 8.8.4.4 will work as your dns server
16:31 < cwillu_at_work> they don't even do any redirection
16:31 < thelongmile> cwillu_at_work: where would i change that in the config?
16:31 < rob0> dhcp-option is Windows-only, but it can set environment variables for a script you can run.
16:31 < thelongmile> ah, i'm on a mac
16:31 < cwillu_at_work> thelongmile, "nameserver 8.8.8.8" in your /etc/resolv.conf would work I'd expect
16:32 < cwillu_at_work> basically you just need your default dns server to be accessible.  One way is to make an accessible dns server, another is to use one that's already accessible (which is my suggestion)
16:32 < rob0> or, just do an iptables REDIRECT for DNS traffic through the VPN
16:32 < cwillu_at_work> on a mac, you'd just check your network properties or whatever they call it;  it's not really openvpn specific (although it could be)
16:33 < thelongmile> hm, i have a dns server of 109.74.192.20 192 and 193 etc
16:33 < rob0> then it doesn't matter what IP the client thinks it's using
16:33 < thelongmile> rob0: i think i did an iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
16:33 < cwillu_at_work> well, depending on why he cares about encrypting his web traffic, using his default dns may be silly :p
16:34 < thelongmile> so i can secure my traffic when i use my mobile broadband card or in wifi hotspots
16:34 < cwillu_at_work> okay, but if you're not securing (quote unquote) your dns at the same time...
16:34 < thelongmile> ah, the server also acts as a webserver when i'm not connected, it's a linode
16:34 < cwillu_at_work> .. such a wifi hotspot could still have a poisoned dns server that would redirect you
16:35 < thelongmile> i thought that it would all go through the vpn connection, dns et all and get it from there?
16:35 < rob0> iptables -vt nat -I PREROUTING -p udp --dport 53 -i tun+ -j REDIRECT --to your.nameserver.IP.address
16:35 < cwillu_at_work> thelongmile, the suggestions they're giving you are to unredirect your dns queries to the local server
16:35 < rob0> (repeat for -p tcp, but that might not be used much)
16:35 < thelongmile> cwillu_at_work: i sww
16:36 < thelongmile> ok rob ill do this in three as i ahve the three nameserver already
16:36 < rob0> oh um
16:36 < rob0> s/REDIRECT/DNAT/
16:36 < thelongmile> thats correct yes?
16:36 < thelongmile> iptables -vt nat -I PREROUTING -p udp --dport 53 -i tun+ -j REDIRECT --109.74.194.20
16:36 < cwillu_at_work> thelongmile, if you just use 8.8.8.8 (and/or 8.8.4.4), you'll have no such issues, at the cost of not getting local resolution if you're on a company network (in which case you could just change your settings)
16:36 < thelongmile> s redirect nat?
16:37 < rob0> unless you're running your own dnsmasq on the server, and if so, leave off the last part, --to ...
16:37 < cwillu_at_work> if you _do_ use what rob0 suggests, please remember that nothing is stopping a poisoned local dns from sending you to naughty servers despite your vpn
16:37 < thelongmile> yes dnsmaq is installed on the server, so i should just do "iptables -vt nat -I PREROUTING -p udp --dport 53 -i tun+ -j REDIRECT" ?
16:38 < cwillu_at_work> oh, okay
16:38 < rob0> huh? You think your own nameserver is more likely to be poisoned than a huge public one?
16:38 < cwillu_at_work> no, I missed that the name server was on the serve
16:38 < cwillu_at_work> but yes, it's probably more likely :p
16:38 < rob0> wrong
16:38 < cwillu_at_work> a huge public one that has staff dedicated to its proper function?
16:39 < thelongmile> rob0:  thanks, can i just confirm that the correct iptables is correct as "iptables -vt nat -I PREROUTING -p udp --dport 53 -i tun+ -j REDIRECT"
16:39 < rob0> thelongmile: yes
16:39 < thelongmile> thanks, i'll run that and test it
16:40 < rob0> of course, dnsmasq is itself just a forwarder, so it can be vulnerable to cache poisoning upstream.
16:41 < thelongmile> ok, rob0, ran and tested that, i got an output on the server which i'll paste next, but this time instead of "everloading pages" etc, I actually got a 'cannot connect to server"
16:41 -!- zerk [~sup3rfly@boxcars.triplecrowncasinos.com] has quit []
16:41 < cwillu_at_work> either way, you weren't suggesting the thing I thought you were suggesting :)
16:41 -!- jpalmer- [~jeffpalme@static-173-65-43-10.tampfl.fios.verizon.net] has quit [Quit: jpalmer-]
16:41 < thelongmile> output was this "REDIRECT  udp opt -- in tun+ out *  0.0.0.0/0  -> 0.0.0.0/0  udp dpt:53 "
16:42 -!- temba [pommes@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
16:42 < thelongmile> not sure if that offers any hints about why it didn't work
16:42 < rob0> sigh ... I am sorry for having led you this far, I'm going to have to step out and leave you to the various man pages. You can use dig(1) to test DNS, and tools like traceroute/tracepath for routing (which seems to be okay.)
16:43 < thelongmile> rob0: you've gotten me further than I got in the last week, so thank you so much already!
16:43 < rob0> I'll check in later, have fun.
16:43 < thelongmile> i'll take a look and make sure it's not a fubar setting in my client, does anyone else here have any advice on viscosity for mac, maybe it's something in there thats causing this?
16:48 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 258 seconds]
16:50 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
17:04 -!- thelongmile [~thelongmi@cpc3-ely14-0-0-cust875.cdif.cable.ntl.com] has quit [Quit: thelongmile]
17:24 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
17:40 -!- temba [pommes@188-193-22-46-dynip.superkabel.de] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )]
17:59 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Quit: Távozom]
18:11 -!- threexk1 [~threexk@173-21-231-141.client.mchsi.com] has joined ##openvpn
18:11 -!- threexk [~threexk@173-21-231-141.client.mchsi.com] has quit [Disconnected by services]
18:11 -!- threexk1 is now known as threexk
18:17 -!- threexk [~threexk@173-21-231-141.client.mchsi.com] has quit [Ping timeout: 264 seconds]
18:21 -!- threexk [~threexk@173-21-231-141.client.mchsi.com] has joined ##openvpn
18:30 -!- threexk [~threexk@173-21-231-141.client.mchsi.com] has quit [Ping timeout: 265 seconds]
18:38 -!- jpalmer- [~jeffpalme@71.3.0.205] has joined ##openvpn
18:42 -!- jpalmer- [~jeffpalme@71.3.0.205] has quit [Client Quit]
18:45 -!- jpalmer- [~jeffpalme@71.3.0.205] has joined ##openvpn
18:47 -!- jpalmer- [~jeffpalme@71.3.0.205] has quit [Client Quit]
19:29 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Quit: Leaving.]
19:43 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
19:55 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
20:21 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
20:41 -!- korozion [korozion@linuxgeneration.org] has joined ##openvpn
20:42 < korozion> First, thank you for OpenVPN.  Second, I have a couple of windows machines that have OpenVPN on them and they're connecting and working perfectly.  However I have one that I need to connect to two seperate OpenVPN servers.  Is that doable?
20:58 < rob0> Of course, but it could get ugly if both servers are doing redirect-gateway.
21:12 < korozion> naw, neither is
21:26 < rob0> um, I should have said I don't use Windows, so I don't know what kind of wackiness it might have with multiple VPNs. Suffice to say, if your OS is fine with multiple routes, openvpn is fine too.
21:27 < korozion> ok
21:27 < korozion> any idea how to set that up in the gui client?
21:27 < korozion> also
21:27 < korozion> where do I know your nick from?
21:28 < rob0> nope, never used a gui client
21:28 < korozion> hrm, ok
21:28 < korozion> you in #lighttpd or something?
21:28 < korozion> postgresql, pfsense?
21:29 < rob0> none of those!
21:29 < korozion> hrm
21:29 < korozion> I swear I've talked with you before
21:29 < korozion> must be the face ;)
21:29 < rob0> I'm on a bunch of channels
21:30 < korozion> cool
21:31 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
22:05 -!- twb [~twb@nat064.cyber.com.au] has joined ##openvpn
22:05 < twb> !welcome
22:05 < vpnHelper> twb: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
22:06 < twb> !howto
22:06 < vpnHelper> twb: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
22:09 < twb> http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html says that using symmetric pre-shared keys only works "one client, one server".
22:09 < vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
22:09 < twb> Why can't I just put the same secret key on every client?
22:22 < twb> At the very least, I can't because the implementation disallows it:
22:22 < twb> Options error: --server and --secret cannot be used together (you must use SSL/TLS keys)
22:24 -!- korozion [korozion@linuxgeneration.org] has left ##openvpn []
22:40 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Ping timeout: 260 seconds]
22:44 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
22:58 -!- PeterFA [~Peter@2002:1871:8ebb:1234:21a:73ff:fe3b:d510] has joined ##openvpn
22:58 -!- PeterFA [~Peter@2002:1871:8ebb:1234:21a:73ff:fe3b:d510] has quit [Changing host]
22:58 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
23:07 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
23:33 -!- Blu3 [~David@BlueLabs/Blu3] has quit [Excess Flood]
23:33 -!- Blu3 [~David@FirefighterBlu3-2-pt.tunnel.tserv15.lax1.ipv6.he.net] has joined ##openvpn
23:33 -!- Blu3 [~David@FirefighterBlu3-2-pt.tunnel.tserv15.lax1.ipv6.he.net] has quit [Changing host]
23:33 -!- Blu3 [~David@BlueLabs/Blu3] has joined ##openvpn
--- Day changed Fri Mar 05 2010
00:06 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
00:08 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 240 seconds]
00:17 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 276 seconds]
00:19 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
00:59 -!- mape2k [~mape2k@2001:6f8:997:1000:21e:37ff:fe90:fbfd] has joined ##openvpn
01:19 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:19 -!- mode/##openvpn [+o mattock] by ChanServ
01:41 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
02:17 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
02:28 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
02:53 < plundra> Anyone had luck with the "Compatibility Administrator", to execute OpenVPN(-GUI) as Administrator, but without UAC-interaction, in Vista?
02:53 < plundra> I want this because it fails to add the routes I push otherwise.
02:56 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 240 seconds]
02:58 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
02:59 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
03:04 -!- d12fk [~heiko@vpn.astaro.de] has quit [Remote host closed the connection]
03:17 -!- d12fk [~heiko@vpn.astaro.de] has joined ##openvpn
03:19 -!- mgolisch [~michi@85.93.11.18] has joined ##openvpn
03:53 -!- Blu3 [~David@BlueLabs/Blu3] has quit [Excess Flood]
03:53 -!- Blu3 [~David@FirefighterBlu3-2-pt.tunnel.tserv15.lax1.ipv6.he.net] has joined ##openvpn
03:53 -!- Blu3 [~David@FirefighterBlu3-2-pt.tunnel.tserv15.lax1.ipv6.he.net] has quit [Changing host]
03:53 -!- Blu3 [~David@BlueLabs/Blu3] has joined ##openvpn
04:03 -!- le0 [~tehle0@cpc4-bele7-2-0-cust381.know.cable.virginmedia.com] has joined ##openvpn
04:03 -!- le0 [~tehle0@cpc4-bele7-2-0-cust381.know.cable.virginmedia.com] has quit [Changing host]
04:03 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
04:05 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 268 seconds]
04:08 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
04:13 -!- mape2k [~mape2k@2001:6f8:997:1000:21e:37ff:fe90:fbfd] has quit [Remote host closed the connection]
04:19 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 256 seconds]
04:19 -!- mape2k [~mape2k@2001:6f8:997:1000:21e:37ff:fe90:fbfd] has joined ##openvpn
04:22 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
04:41 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined ##openvpn
05:03 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit [Quit: Leaving]
05:14 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 258 seconds]
05:25 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
05:30 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 258 seconds]
05:31 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
05:44 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
06:13 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Quit: Távozom]
06:24 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
06:30 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Read error: Connection reset by peer]
06:31 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
06:32 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Client Quit]
06:42 -!- Netsplit *.net <-> *.split quits: Zordrak, jmm, cybertron
06:45 -!- ScriptFanix [vincent@Tuluk.riquer.fr] has quit [Ping timeout: 256 seconds]
06:46 -!- Deepy_ [deepy@magician.snakeporno.com] has joined ##openvpn
06:47 -!- Netsplit over, joins: jmm, cybertron, Zordrak
06:47 -!- zuez [~sf@catalyst.httpd.org] has quit [Excess Flood]
06:47 -!- zuez [~sf@catalyst.httpd.org] has joined ##openvpn
06:47 -!- zuez [~sf@catalyst.httpd.org] has quit [Excess Flood]
06:47 -!- zuez [~sf@catalyst.httpd.org] has joined ##openvpn
06:50 -!- Netsplit *.net <-> *.split quits: Deepy
06:57 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
07:01 -!- Deepy_ [deepy@magician.snakeporno.com] has quit [Changing host]
07:01 -!- Deepy_ [deepy@wrongplanet/deepa] has joined ##openvpn
07:01 -!- Deepy_ is now known as Deepy
07:08 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
07:09 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
07:11 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
07:51 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:53 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Ping timeout: 258 seconds]
07:53 -!- ease2 [~ease@180.171.160.128] has joined ##openvpn
07:53 -!- goog1jh_ [~goog1jh@my.barbie.wears.no-panties.org] has joined ##openvpn
07:55 -!- goog1jh [googijh@my.barbie.wears.no-panties.org] has quit [Ping timeout: 256 seconds]
08:00 -!- ease2 [~ease@180.171.160.128] has quit [Quit: Leaving]
08:08 -!- twb [~twb@nat064.cyber.com.au] has quit [Ping timeout: 245 seconds]
08:13 -!- ScriptFanix [vincent@Tuluk.riquer.fr] has joined ##openvpn
08:16 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
08:18 -!- Etherfast [~etherfast@86.105.68.231] has joined ##openvpn
08:18 < Etherfast> !welcome
08:18 < vpnHelper> Etherfast: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:19 < Etherfast> !howto
08:19 < vpnHelper> Etherfast: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:24 < krzee> =]
08:27 < Etherfast> Uhm, question. 
08:27 < Etherfast> (hi)
08:27 < krzee> hi, fire away
08:28 < Etherfast> I've been having issues with my openvpn connection. For some reason, it keeps disconnecting me at random intervals, due inactivity. Firewall off, it worked before under same network settings and XP SP2. Now it's Win 7.
08:28 < Etherfast> Is this a known issue?
08:29 < krzee> not that ive seen, also doesnt help that i dont use windows
08:29 < krzee> have a keepalive?
08:29 < ecrist> hi, krzee
08:29 < krzee> hey eric, hows it going?
08:30 < ecrist> TGIF
08:30 < ecrist> :D
08:31 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
08:31 < Etherfast> I'mma try keepalive 10 60. Brb
08:31 < Etherfast> TGIF, oh yeah.
08:32 < krzee> its saturday =]
08:32 < ecrist> krzee, setting freeswitch up on our freebsd box with a PRI
08:32 < ecrist> I found a supported T1 card on freebsd.
08:32 < ecrist> \o/
08:32 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Client Quit]
08:32 < krzee> <-- .au right now
08:32 < krzee> ahh nice
08:33 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
08:33 < ecrist> how do you like it?
08:33 < krzee> sangoma?
08:33 < ecrist> that's one place I've always wanted to visit
08:33 < krzee> i love it
08:33 < ecrist> no, OpenVox
08:33 < krzee> ahh werd
08:33 < ecrist> I wanted to move to au for a while, until I read more about their gun laws.
08:34 < ecrist> I no longer have a desire to live there.
08:34 < krzee> tru
08:35 < Etherfast> krzee, no use. This is what I'm getting: http://pastebin.ca/1823775 after a few moments
08:35 < Etherfast> It's weird, I've been tcpdumping the server and the client, and those keepalives are being sent back and forth, and at one point the server stops sending them.
08:36 < krzee> server log anything?
08:36 < Etherfast> No, server sees me connected
08:36 < Etherfast> Google doesn't really help, lots of simmilar problems but no definite suggestion/answer
08:37 < krzee> no help from me
08:37 < krzee> =/
08:37 < Etherfast> Yeah, unfortunately :/
08:38 < Etherfast> I'm going to try a different connection, see how that works out
08:38 < krzee> sounds like a firewall somewhere
08:38 < krzee> like a firewall maybe keeping state on udp traffic
08:38 < krzee> unless you're using tcp, in which case use udp
08:40 < Etherfast> Nah, I'm using UDP
08:40 < Etherfast> brb
08:40 < Etherfast> If there's a firewall, I should know about it.
08:41 -!- Etherfast [~etherfast@86.105.68.231] has quit []
08:42 -!- Etherfast [~etherfast@speedy-fe0.b.astralnet.ro] has joined ##openvpn
08:43 < Etherfast> Different vlan ^^
08:49 -!- Etherfast [~etherfast@speedy-fe0.b.astralnet.ro] has quit [Ping timeout: 258 seconds]
08:51 -!- Etherfast [eth@etherfast.noc.upc.ro] has joined ##openvpn
08:51 < Etherfast> Pointless
08:56 -!- rare1980_ [~rare1980@115.186.26.181] has joined ##openvpn
08:56 < rare1980_> hi every one
08:57 < rare1980_> i want install openvpn on ubuntu .. plz could any one refer me good installation guide?
08:58 < Etherfast> Hi. See this: https://help.ubuntu.com/community/OpenVPN
08:58 < vpnHelper> Title: OpenVPN - Community Ubuntu Documentation (at help.ubuntu.com)
08:58  * Etherfast pets vpnHelper
09:00 < rare1980_> vpnhelper.: have you installed openvpn?
09:00 -!- mimecine [~Adium@cpe-67-250-38-114.nyc.res.rr.com] has joined ##openvpn
09:00 < vpnHelper> rare1980_: Error: "have" is not a valid command.
09:01 < Etherfast> Ehm, vpnHelper is a bot.
09:02 < rare1980_> which vpn is good in prefomance ... openvpn or pptp vpn?
09:02 < krzee>             !pptp
09:02 -!- Netsplit *.net <-> *.split quits: Zordrak, dollabill, cybertron
09:02 -!- rare1980_ [~rare1980@115.186.26.181] has quit [Read error: Connection reset by peer]
09:02 < krzee> !pptp
09:02 < vpnHelper> krzee: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
09:02 < vpnHelper> krzee: read about why to not use pptp
09:02 -!- rare1980_ [~rare1980@115.186.26.181] has joined ##openvpn
09:03 < rare1980_> vpnhelper: which vpn is good in prefomance ... openvpn or pptp vpn?
09:03 < vpnHelper> rare1980_: Error: "which" is not a valid command.
09:03 < krzee> lol
09:03 < krzee> dude
09:03 < krzee> did you read !pptp
09:03  * ecrist <3 IRC logs.
09:03 < krzee> also
09:03 < krzee> !bot
09:03 < vpnHelper> krzee: "bot" is I'm a bot.. just a bot. krzee is my maintainer, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
09:04 < rare1980_> i installed poptop .. but i am having issues with it
09:04  * krzee gives up
09:04 < krzee> !notovpn
09:04 < vpnHelper> krzee: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
09:04 < krzee> lol
09:05 -!- ScriptFanix [vincent@Tuluk.riquer.fr] has quit [Ping timeout: 256 seconds]
09:07 < rare1980_> krezee: can you help in configration openvpn ?
09:07 -!- Netsplit over, joins: dollabill, cybertron, Zordrak
09:07 -!- zuez [~sf@catalyst.httpd.org] has quit [Excess Flood]
09:07 -!- zuez_ [~sf@catalyst.httpd.org] has joined ##openvpn
09:09 < Etherfast> Thanks, krzee, good bye :)
09:09 -!- Etherfast [eth@etherfast.noc.upc.ro] has quit []
09:13 < ecrist> so, it seems I can max out an SAS 15K disk at 903Mb/s
09:16 < ecrist> I'll be curious what I can do when I get my real disk array online.
09:23 < rare1980_> krzee: the link i using to install and configure open vpn is https://help.ubuntu.com/community/OpenVPN
09:23 < vpnHelper> Title: OpenVPN - Community Ubuntu Documentation (at help.ubuntu.com)
09:23 < rare1980_> i ma not able to understand bridge settings
09:24 < krzee> !tunortap
09:24 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
09:24 < vpnHelper> krzee: against you over the vpn
09:24 < krzee> wow thats good throughput eric
09:25 < krzee> rare1980_, 
09:25 < krzee> !bot
09:25 < vpnHelper> krzee: "bot" is I'm a bot.. just a bot. krzee is my maintainer, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
09:32 -!- ScriptFanix [vincent@Tuluk.riquer.fr] has joined ##openvpn
09:32 < rare1980_> helloooooo
09:34 < rare1980_> ??
09:58 -!- mape2k [~mape2k@2001:6f8:997:1000:21e:37ff:fe90:fbfd] has quit [Read error: Operation timed out]
10:05 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:14 < rare1980_> i am unable to install openvpn on my server plz\
10:14 < rare1980_> any one who can help me?
10:19 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
10:21 -!- rare1980_1 [~rare1980@12.25.228.67] has joined ##openvpn
10:23 -!- rare1980_ [~rare1980@115.186.26.181] has quit [Ping timeout: 256 seconds]
10:28 < rare1980_1> hello experts
10:32 -!- MadTBone [~MadTBone@160.39.238.196] has joined ##openvpn
10:32 < rare1980_1> any help on isntalling openvpn?
10:55 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
10:56 < Bushmills> !howto
10:56 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:02 -!- Baxxor [~Baxxor@h156n2fls32o256.telia.com] has joined ##openvpn
11:07 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
11:13 -!- mimecine [~Adium@cpe-67-250-38-114.nyc.res.rr.com] has quit [Quit: Leaving.]
11:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:47 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 260 seconds]
12:02 -!- smerz [~daniel@smerz.demon.nl] has quit [Remote host closed the connection]
12:19 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: Connection reset by peer]
12:20 -!- rare1980_1 [~rare1980@12.25.228.67] has quit [Ping timeout: 260 seconds]
12:30 -!- fastputty1 [~fastPutty@modemcable086.138-70-69.static.videotron.ca] has joined ##openvpn
12:30 < fastputty1> hello someone could help me with seting up openvpn in ubuntu
12:30 < fastputty1> and having windows vpn client connect to it thanks you
12:33 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
12:33 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
12:42 < rob0> I haven't bothered to read the channel /topic nor to look at any documentation. Can someone tell me everything I need to know to set this up? And please hurry, I have promised a VPN for my paying customer within an hour. They paid me a lot! Don't let them down!!
12:49 < fastputty1> rob0: lol
12:52 < Bushmills> !howto
12:52 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:53 < Bushmills> what of this have you tried already? what didn't work? how does your problem manifest?
12:53 < Bushmills> !logs
12:53 < vpnHelper> Bushmills: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
12:55 < fastputty1> hello, i try to configure the easy-rsa
12:55 < fastputty1> after ./vars no error appeared
12:56 < fastputty1> but i cannot use the ./build-ca
12:56 < Bushmills> why not?
12:56 < fastputty1> Please edit the vars script to reflect your configuration,  then source it with "source ./vars".  Next, to start with a fresh PKI configuration and to delete any previous certificates and keys, run "./clean-all". Finally, you can run this tool (pkitool) to build certificates/keys.
12:56 < fastputty1> this is what build-ca returned me
12:57 < Bushmills> did you "Please edit the vars script to reflect your configuration" ?
12:57 < fastputty1> yeah :o
12:57 < fastputty1> i change the export EASY_RSA=
12:58 < fastputty1> but i am not sure what other thing to change
12:58 < fastputty1> i point EASY_RSA var to the folder of the vars
12:59 < Bushmills> look at output of     echo $KEY_DIR  before executing  ./build-ca
12:59 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
13:01 < fastputty1> this i what $KEY_DIR show me: /etc/openvpn/easy-rsa/2.0/keys
13:01 < fastputty1> and it seem to be find
13:01 < fastputty1> fine*
13:01 < Bushmills> that dir exists?
13:01 < fastputty1> oh it works fine :o
13:02 < fastputty1> i need to create keys directely.. i thought it woulm ake it itself.. 
13:10 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
13:14 -!- max_atre1des [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has joined ##openvpn
13:14 < max_atre1des> !welcome
13:14 < vpnHelper> max_atre1des: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:14 < max_atre1des> !howto
13:14 < vpnHelper> max_atre1des: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:21 -!- corretico [~laguilar@201.201.46.106] has quit [Quit: Leaving]
13:22 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
13:24 -!- okaratas [~mueddib@fsf/member/okaratas] has joined ##openvpn
13:25 -!- fastputty1 [~fastPutty@modemcable086.138-70-69.static.videotron.ca] has quit [Read error: Connection reset by peer]
13:25 -!- correcaminos [~luis.agui@201.199.12.190] has joined ##openvpn
13:25 -!- fastputty1 [~fastPutty@modemcable086.138-70-69.static.videotron.ca] has joined ##openvpn
13:26 -!- okaratas is now known as mueddib
13:35 -!- fastputty1 [~fastPutty@modemcable086.138-70-69.static.videotron.ca] has quit [Ping timeout: 268 seconds]
13:36 -!- Amjad [~zjb@87.109.195.15] has joined ##openvpn
13:36 -!- plum [~chatzilla@151.112.5.182] has joined ##openvpn
13:37 -!- corretico [~laguilar@201.201.46.106] has quit [Quit: Leaving]
13:37 -!- fastputty1 [~fastPutty@modemcable086.138-70-69.static.videotron.ca] has joined ##openvpn
13:37 < fastputty1> hello after connected to my server vpn, i cannot browse internet anymore other than my vlan. someone could help me out ? :s
13:38 < fastputty1> is there a waya i can put in my conf to let only a X range of ip to go trouth tun0, the rest use normal internface? thanks
13:40 < Baxxor> Bushmills: I fear that "Ikoonia" might get hornswaggled on account that Operator reaks as much as "Nirik Ryan Scrythell Ryan0e"
13:40 -!- correcaminos_ [~luis.agui@201.199.12.190] has joined ##openvpn
13:42 < Bushmills> I must have missed part of the more recent past. There was a precedent?
13:42 -!- correcaminos [~luis.agui@201.199.12.190] has quit [Ping timeout: 245 seconds]
13:43 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
13:43 < Bushmills> fastputty1: yes. it is called "routing"
13:44 < Bushmills> http://doc.scarydevilmonastery.net/cgi-bin/dwww/usr/share/man/man8/route.8.gz?type=man
13:44 < fastputty1> i know
13:44 < fastputty1> the old route is overrite..
13:44 < vpnHelper> Title: route(8) - Man pages (at doc.scarydevilmonastery.net)
13:44 -!- Amjad [~zjb@87.109.195.15] has quit [Read error: Connection reset by peer]
13:44 < fastputty1> but is nt it posible to put something in the client configuration to not doing it?
13:44 < fastputty1> i know the old default routing is overwrite
13:45 < fastputty1> except by resetting manually the default route by urself
13:45 < Bushmills> then set it up to *not* replace it
13:45 < fastputty1> what is the configuration var for it?
13:45 < Bushmills> or, add the routes, using alternative interfaces/gateways 
13:46 < Bushmills> default is just the catch-all. everything what isn't routed otherwise
13:46 < fastputty1> the client are mosly in windows...
13:46 < fastputty1> i know i know..
13:46 < Bushmills> oh sorry, i thought you asked
13:46 < fastputty1> but isnt there a way to auto route only vlan range ip to the tun0
13:46 < fastputty1> and the rest stay tot he same old default rouge
13:46 < fastputty1> roue*
13:46 < fastputty1> route*
13:46 < Bushmills> that's the normal setup
13:46 -!- correcaminos__ [~luis.agui@201.199.12.190] has joined ##openvpn
13:46 < Bushmills> *unless* you configure it to route more or all
13:47 < fastputty1> hmm i didnt..
13:47 < Bushmills> then ask him who did to remove that
13:47 < fastputty1> wanna see my server.conf or client.conf^
13:47 < fastputty1> ?
13:47 < Bushmills> !redirect
13:47 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:47 < Bushmills> remove that
13:47 -!- plum [~chatzilla@151.112.5.182] has left ##openvpn []
13:47 < fastputty1> i dnt have the redirect enable..
13:47 < fastputty1> let me check..
13:48 < fastputty1> oh found it
13:48 < fastputty1> i gues this is the value: push "redirect-gateway def1"
13:48 < fastputty1> XD
13:49 < Bushmills> it helps to read what things do before adding them
13:50 -!- correcaminos_ [~luis.agui@201.199.12.190] has quit [Ping timeout: 245 seconds]
13:50 < Bushmills> it also helps to remember having them added
13:52 -!- mueddib [~mueddib@fsf/member/okaratas] has quit [Quit: Leaving]
13:52 -!- darkscrypt [~darkscryp@adsl-067-033-035-249.sip.asm.bellsouth.net] has joined ##openvpn
13:53 -!- Amjad [~zjb@87.109.195.15] has joined ##openvpn
13:53 < darkscrypt> I have setup a bridged vpn, following the instructions precisely, listed on http://help.ubuntu.com/community/OpenVPN
13:53 < vpnHelper> Title: OpenVPN - Community Ubuntu Documentation (at help.ubuntu.com)
13:53 < darkscrypt> I have gotten this setup to work before for my home network just fine.
13:54 < darkscrypt> I can connect to this vpn server just fine. tls handshake succeeds. 
13:54 < darkscrypt> I can ping the vpn host 
13:54 < darkscrypt> *server i can ping the server
13:54 < darkscrypt> but i cant access anything else on that subnet
13:54 < Bushmills> !route
13:54 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:54 < darkscrypt> Bushmills, its a bridged vpn though , not routed
13:55 < darkscrypt> client to client is enabled as well
13:55 < Baxxor> When i did the military mandatory part of my life a fucking idiot officer kicked me in the back. Years later he was terrorising me at my work. Ive hired a killer to make that guy dead (Villa Staden). 
13:55 -!- correcaminos_ [~luis.agui@201.199.12.190] has joined ##openvpn
13:56 -!- fastputty1 [~fastPutty@modemcable086.138-70-69.static.videotron.ca] has quit [Ping timeout: 268 seconds]
13:56 < Baxxor> Im gonna hook up that fucker to my car and see his flesh burn!!!
13:58 -!- fastputty1 [~fastPutty@modemcable086.138-70-69.static.videotron.ca] has joined ##openvpn
13:58 -!- correcaminos [~luis.agui@201.199.12.190] has joined ##openvpn
13:58 -!- correcaminos__ [~luis.agui@201.199.12.190] has quit [Ping timeout: 245 seconds]
14:00 -!- correcaminos_ [~luis.agui@201.199.12.190] has quit [Ping timeout: 258 seconds]
14:04 -!- fastputty1 [~fastPutty@modemcable086.138-70-69.static.videotron.ca] has quit [Read error: Connection reset by peer]
14:04 -!- fastputty1 [~fastPutty@modemcable086.138-70-69.static.videotron.ca] has joined ##openvpn
14:06 -!- correcaminos_ [~luis.agui@201.199.12.190] has joined ##openvpn
14:10 -!- correcaminos [~luis.agui@201.199.12.190] has quit [Ping timeout: 248 seconds]
14:15 < darkscrypt> afaik route isn't supposed to be used in a bridged vpn setting..as everything is layer 2 at that point.
14:21 -!- Amjad [~zjb@87.109.195.15] has quit [Read error: Connection reset by peer]
14:23 < Baxxor> darkscrypt: I have something that works
14:23  * darkscrypt listens to baxxors every word
14:23 < Baxxor> http://mange.dynalias.org/linux.html
14:23 < vpnHelper> Title: The GAdminTools Project (at mange.dynalias.org)
14:23 < max_atre1des> is it good idea to set your vpn server port to dns port? I hear a lot of wireless access points let dns traffic through before you register
14:23 < Baxxor> GUIS that will help you set things up
14:24 < darkscrypt> thanks baxxor
14:24 < |Mike|> max_atre1des: ip over dns you mean?
14:24 < Baxxor> Np, have fun!!!
14:24 < max_atre1des> |Mike|: yeah
14:26 < max_atre1des> |Mike|: http://www.adamsinfo.com/udp-tunneling-to-avoid-hotspot-or-firewall-restrictions/
14:26 < vpnHelper> Title: UDP Tunneling to avoid hotspot or firewall restrictions | Adam Palmer, Linux, PHP Programmer, MySQL Developer, Embedded Hardware, Security Consultant (at www.adamsinfo.com)
14:29 < Baxxor> Love you mate!
14:30 -!- Amjad [~zjb@87.109.195.15] has joined ##openvpn
14:31 < fastputty1> hello how can i push the dfault gateway for 192.168.1.0/24 trough my tun0 unstead of the eth0 in the server.conf thanks you
14:32 < fastputty1> is there a way?
14:41 < Baxxor> I rule
14:41 < Baxxor> !!!!!!!!!!!!!!!!!!!!
14:41 < vpnHelper> Baxxor: Error: "!!!!!!!!!!!!!!!!!!!" is not a valid command.
14:41 < Baxxor> Rock!!!
14:41 < Baxxor> Sod off toolize'
14:41 < Baxxor> We like the 'real'
14:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
14:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
14:44 -!- fastputty1 [~fastPutty@modemcable086.138-70-69.static.videotron.ca] has quit [Ping timeout: 240 seconds]
14:45 -!- fastputty1 [~fastPutty@modemcable086.138-70-69.static.videotron.ca] has joined ##openvpn
14:45 < fastputty1> hmm
14:46 < fastputty1> does the ca.crt is generate eveyrtime i uype build-dh?
14:46 -!- alpha_ [~alpha@41.230.225.181] has joined ##openvpn
14:50 -!- master_of_master [~master_of@p57B55A0C.dip.t-dialin.net] has joined ##openvpn
14:53 < alpha_> hello
14:53 < alpha_> how to load tuntap module under linux
14:53 < alpha_> ?
14:54 -!- bandini [~bandini@host124-108-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
15:00 < Bushmills> modprobe tun
15:01 < Bushmills> usually there's no need for explicit loading - it would normally get loaded automatically on demand 
15:03 < alpha_> thanks
15:04 < alpha_> When I launch openvpn it does not launch the tun module because when i lauch the ifconfig command I dont see the tun device
15:07 < Bushmills> should come up only when connected. your problem may be authentication, not tun module.
15:07 < rob0> tun does not autoload for me
15:07 < Bushmills> driver or device?
15:07 < Bushmills> module or device, i mean
15:08 < rob0> driver, I have my rc.local load it before starting the VPN
15:08 < Bushmills> what distribution?
15:09 < rob0> Slackware, something missing in my udevil worship maybe?
15:09 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
15:11 < Bushmills> module auto loading should be compiled into kernel, and i think, you could also compile that code as module which you could load, to enable module auto loading. 
15:11 < Bushmills> but udev shoud have nothing to do with that
15:12 < Bushmills> should
15:14 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 258 seconds]
15:14 < rob0> Oh I do have autoloading in the kernel, and everything else works fine.
15:15 < Bushmills> hm. can't find appropriate option in kernel config anymore. seems to be always present now. 
15:15 < rob0> CONFIG_KMOD IIRC
15:16 < rob0> maybe I need some alias in /etc/modprobe.d
15:16 < rob0> This never has worked for me, but I never thought of it as a problem.
15:17 < Bushmills> there's just no module autoloading kernel config option anymore, where it was before:  http://scarydevilmonastery.net/snap/1267823793167226502.png
15:18 < Bushmills> however, i don't explicitely load tun module from anywhere in my setup
15:19 < rob0> grep tun /etc/modprobe.d/* (may be elsewhere in your distro, whatever modprobe uses)
15:19 < Bushmills> well, that's what I call "explicit loading" when it's in there
15:20 < Bushmills> just the alias in it
15:20 < rob0> huh? modprobe aliases?
15:20 < rob0> what is the alias?
15:21 < Bushmills> got one not-quite-matching alias on tunl0
15:21 < Bushmills> alias tunl0 ipip
15:21 < rob0> oh that's not tun, that's ipip
15:22 -!- dauergast [~sag@p5B3EB381.dip.t-dialin.net] has joined ##openvpn
15:22 < rob0> maybe I'll try "alias tun0 tun"
15:22 < Bushmills> also no loading done from /etc/init.d scripts or anywhere else
15:24 < Bushmills> what's your kernel version?
15:28 -!- cjs [~AndChat@209.sub-97-63-245.myvzw.com] has joined ##openvpn
15:29 -!- cjs [~AndChat@209.sub-97-63-245.myvzw.com] has quit [Client Quit]
15:43 < Baxxor> Bushmills My old Freunde!!!
15:43 < Baxxor> Good morning
15:43 < rob0> various versions, it never did autoload, and I've been openvpn'ing a long time
15:43 < Baxxor> rob0: Be nice laRatta
15:43 < Bushmills> rob0: slackware, the pleasures of stick shift driving :D
15:44 < Baxxor> That rat sickens me <(
15:44 < rob0> Funny thing, I would never consider a manual transmission car, but I'll probably never leave Slackware. :)
15:45 < Bushmills> oh well, loading a module on boot is not such a big deal
15:46 < rob0> Right, like I said, I never thought of it as a problem. But if I am missing some alias or something, I'd fix it.
15:54 < Baxxor> rob0: Right, you have issues
15:54 < Baxxor> rob0: Are you always this evil _
15:54 < Baxxor> ?
15:55 < Baxxor> fuckin fagnipple. I hate evil peoples
15:55 < Baxxor> Bushmills: Its important to be nice.
15:57 < Baxxor> Bushmills, I want rob0 to change nick to Ladfy
15:58 < Baxxor> Bushmills, We will chat later on.
15:59 < Baxxor> Bushmills: BlueCollarComedyTour >P
16:01 < Baxxor> Kill a cop, atleast a cop from Sandviken < and live longer
16:10 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Remote host closed the connection]
16:11 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
16:16 -!- bandini [~bandini@host124-108-dynamic.25-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
16:23 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
16:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 256 seconds]
16:29 -!- dauergast [~sag@p5B3EB381.dip.t-dialin.net] has quit [Quit: Wer die Katze im Sack kauft, kann sie schneller ertränken!]
16:31 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
16:33 < krzee> lol @ fagnipple
16:33 < |Mike|> :P
16:33 < |Mike|> screw you krzee :p
16:34 < krzee> too many aussie chicks in line, you gotta get to the back
16:35 -!- fastputty1 [~fastPutty@modemcable086.138-70-69.static.videotron.ca] has quit [Ping timeout: 246 seconds]
16:35 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Quit: Leaving]
16:38 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 252 seconds]
16:39 < |Mike|> krzee: hahaha
16:39 -!- buntfalke_ is now known as buntfalke
16:40 -!- Baxxor [~Baxxor@h156n2fls32o256.telia.com] has quit [Quit: Quit]
16:42 -!- Baxxor [~Baxxor@h156n2fls32o256.telia.com] has joined ##openvpn
16:42 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
17:00 -!- max_atreides [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has joined ##openvpn
17:00 -!- max_atre1des [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has quit [Read error: Connection reset by peer]
17:02 -!- correcaminos_ [~luis.agui@201.199.12.190] has quit [Ping timeout: 245 seconds]
17:17 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
17:32 -!- correcaminos [~luis.agui@201.199.12.190] has joined ##openvpn
17:35 -!- Baxxor [~Baxxor@h156n2fls32o256.telia.com] has quit [Quit: Quit]
17:36 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has quit [Quit: Terminated with extreme prejudice - dircproxy 1.0.5]
17:37 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
17:46 -!- correcaminos_ [~luis.agui@201.199.12.190] has joined ##openvpn
17:48 -!- correcaminos [~luis.agui@201.199.12.190] has quit [Ping timeout: 240 seconds]
17:52 -!- correcaminos__ [~luis.agui@201.199.12.190] has joined ##openvpn
17:52 -!- correcaminos__ [~luis.agui@201.199.12.190] has quit [Client Quit]
17:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
17:54 -!- correcaminos_ [~luis.agui@201.199.12.190] has quit [Ping timeout: 246 seconds]
17:57 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
18:03 -!- LobbyZ [~default@188.72.255.194] has quit [Remote host closed the connection]
18:06 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined ##openvpn
18:18 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
19:13 < krzee> !winroute
19:13 < vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access
19:13 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: OpenVPN for QNX :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=4&t=2449&p=3669#p3669>
19:17 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
19:34 -!- cron2 [~gert@kirk.greenie.muc.de] has quit [Ping timeout: 260 seconds]
19:36 -!- cron2 [~gert@kirk.greenie.muc.de] has joined ##openvpn
19:43 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: Stops working when I reboot Server 2008 :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=4&t=2800&p=3670#p3670>
19:58 -!- tjz [~pc@bb116-15-64-54.singnet.com.sg] has joined ##openvpn
19:58 -!- tjz [~pc@bb116-15-64-54.singnet.com.sg] has quit [Changing host]
19:58 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:31 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
20:32 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
20:37 -!- max_atreides [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has quit [Read error: Connection reset by peer]
20:37 -!- max_atre1des [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has joined ##openvpn
21:42 -!- Blu3 [~David@BlueLabs/Blu3] has quit [Read error: Operation timed out]
21:43 -!- Blu3 [~David@FirefighterBlu3-2-pt.tunnel.tserv15.lax1.ipv6.he.net] has joined ##openvpn
21:43 -!- Blu3 [~David@FirefighterBlu3-2-pt.tunnel.tserv15.lax1.ipv6.he.net] has quit [Changing host]
21:43 -!- Blu3 [~David@BlueLabs/Blu3] has joined ##openvpn
22:25 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Read error: Operation timed out]
22:27 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
22:27 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Read error: Connection reset by peer]
22:27 -!- PeterFA [~Peter@2002:1871:8ebb:1234:21a:73ff:fe3b:d510] has joined ##openvpn
22:27 -!- PeterFA [~Peter@2002:1871:8ebb:1234:21a:73ff:fe3b:d510] has quit [Changing host]
22:27 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
22:29 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Read error: No route to host]
22:30 -!- PeterFA [~Peter@2002:1871:8ebb:1234:21a:73ff:fe3b:d510] has joined ##openvpn
22:30 -!- PeterFA [~Peter@2002:1871:8ebb:1234:21a:73ff:fe3b:d510] has quit [Changing host]
22:30 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
22:33 -!- alpha_ [~alpha@41.230.225.181] has quit [Ping timeout: 240 seconds]
22:42 -!- fastputty1 [~fastPutty@dsl-67-204-48-140.acanac.net] has joined ##openvpn
23:08 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
23:10 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 248 seconds]
23:20 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Remote host closed the connection]
23:39 -!- fastputty1 [~fastPutty@dsl-67-204-48-140.acanac.net] has quit [Read error: Operation timed out]
23:49 -!- krzee [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
23:52 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
--- Day changed Sat Mar 06 2010
00:04 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:02 -!- albech [~thomas@119.42.79.160] has joined ##openvpn
01:13 -!- mape2k [~mape2k@p5B287B5A.dip.t-dialin.net] has joined ##openvpn
01:18 -!- mape2k [~mape2k@p5B287B5A.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
01:20 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:20 -!- mode/##openvpn [+o mattock] by ChanServ
01:26 < krzee> Linux Magazine and co-founder of the Openvpn.e.V. (http://www.openvpn.eu) will give 
01:26 < krzee> away15 free and signed copies of Packt's new book "Beginning Openvpn 2.0.9" 
01:26 < krzee> (http://www.packtpub.com/learning-openvpn-2-0-9/book) to the first 15 interested
01:26 < krzee> readers. "
01:26 < krzee> LOL
01:26 < vpnHelper> Title: Home: OpenVPN e.V. (at www.openvpn.eu)
01:26 < krzee> what timing
01:26 < krzee> he only had a couple years with 2.0.9 being the latest release, and he releases it right after 2.1.1 is released
01:27 < rob0> such is an examplee of why dead trees can't keep up with computing
01:42 -!- mape2k [~mape2k@2001:6f8:997:1000:21e:37ff:fe90:fbfd] has joined ##openvpn
01:53 -!- max_atre1des [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has quit [Read error: Connection reset by peer]
01:57 -!- fastputty1 [~fastPutty@dsl-67-204-48-140.acanac.net] has joined ##openvpn
01:58 -!- max_atreides [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has joined ##openvpn
02:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:15 -!- albech [~thomas@119.42.79.160] has quit [Ping timeout: 240 seconds]
02:18 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
02:28 < reiffert> oin
02:28  * reiffert needs coffee. way too tired
02:29 < krzee> moinmoin
02:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
02:30 < reiffert> Hey krzee, how is australia?
02:31 < krzee> awesome
02:31 < krzee> love it here
02:31 < reiffert> where did you go so far in autralia?
02:31 < reiffert> let me take a photo from my place, it was snowing 10cm tonight (sigh)
02:31 < krzee> all around victoria
02:32 < krzee> kept melbourne as home base the whole time
02:32 < krzee> but stayed other areas
02:36 < reiffert> http://snap.reifferscheid.org/IMG_9005.JPG http://snap.reifferscheid.org/IMG_9006.JPG http://snap.reifferscheid.org/IMG_9007.JPG
02:38 < krzee> looks cold, glad im not there right now
02:44 < reiffert> Last two week spring came out, I left my jacket at home at day.. sigh
02:49 < reiffert> Are you going to Tasmania as well?
02:58 -!- fastputty1 [~fastPutty@dsl-67-204-48-140.acanac.net] has quit [Read error: Operation timed out]
02:58 < krzee> nope im outta here tues
03:04 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Ping timeout: 265 seconds]
03:10 -!- master_of_master [~master_of@p57B55A0C.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
03:12 -!- master_of_master [~master_of@p57B53BD0.dip.t-dialin.net] has joined ##openvpn
03:24 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
03:38 -!- balboah [~johnny@joonix.se] has quit [Read error: Connection reset by peer]
03:41 -!- balboah [~johnny@joonix.se] has joined ##openvpn
04:00 -!- rawDawg2 [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
04:02 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Ping timeout: 248 seconds]
04:02 -!- Morgan_Phoenix [~macbabe@CPE-24-166-141-95.new.res.rr.com] has quit [Ping timeout: 248 seconds]
04:03 -!- Morgan_Phoenix [~macbabe@CPE-24-166-141-95.new.res.rr.com] has joined ##openvpn
04:11 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Read error: Connection reset by peer]
04:16 -!- albech [~thomas@124.157.189.201] has joined ##openvpn
04:25 -!- kyrix [~ashley@77.116.248.125.wireless.dyn.drei.com] has joined ##openvpn
04:27 < reiffert> Hrmn, I was building my own OS X 10.5 i368 kernel, adding ethernet bridging support.
04:27 < reiffert> New kernel boots up fine, but no bridge support .. hrmn.
05:31 -!- BorisK [~name@p57B27CC7.dip.t-dialin.net] has joined ##openvpn
05:31 < BorisK> Hi
05:32 < BorisK> i need a german people to help me
05:32 < BorisK> :(
05:35 < mape2k> BorisK, what's your problem?
05:35 < BorisK> i habe a windows web server 2008, and i need a own VPN
05:35 < BorisK> http://openvpn.net/index.php/access-server/download-openvpn-as.html
05:36 < vpnHelper> Title: Access Server Downloads (at openvpn.net)
05:36 < BorisK> is this the right one?
05:37 < mape2k> der Access Server ist eine art Appliance
05:37 < mape2k> und soweit ich weiss kostet die auch was
05:38 < BorisK> und wie bekomme ich dann einen VPN auf meinen Server?
05:38 < BorisK> gibts da ne lösung mit openvpn ?
05:39 < mape2k> http://www.linux-magazin.de/Online-Artikel/OpenVPN-fuer-Windows-Rechner
05:39 < vpnHelper> Title: OpenVPN in vier Schritten einrichten Online Artikel Linux-Magazin Online (at www.linux-magazin.de)
05:39 < mape2k> Lesen ;)
05:39 < BorisK> ok
05:40 < mape2k> je nachdem was du mit deinem VPN vorhast sollte das ggf. das richtige sein
05:44 < BorisK> ich versuch es mal
05:48 < BorisK> An der Windows-Befehlszeile wechselt der User ins Verzeichnis easy-rsa und gibt nacheinander folgende Befehle ein: "vars", "init-config", "build-dh", "build-ca", "build-key-server server", "build-key client".
05:49 < BorisK> mape2k was soll bitte eine "Windows-Befehlszeile" sein und wie wechsel ich in ein Verzeichnis ?
05:56 < mape2k> Eingabeaufforderung?
05:57 < mape2k> Und Verzeichniswechsel mit cd?
05:58 < BorisK> chdir
05:58 < BorisK> ^^
05:59 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
06:08 < BorisK> mape2k nach der anleitung geht das leider nicht.
06:15 < mape2k> hmmm, dann hab ich keine ahnung
06:15 < mape2k> ich nutz das ausschlie?lich unter linux als server
06:15 < mape2k> bin jetzt erstmal weg
06:36 -!- albech [~thomas@124.157.189.201] has quit [Ping timeout: 256 seconds]
06:39 -!- BorisK_ [~name@p57B25A48.dip.t-dialin.net] has joined ##openvpn
06:43 -!- BorisK [~name@p57B27CC7.dip.t-dialin.net] has quit [Ping timeout: 268 seconds]
06:50 -!- albech [~thomas@119.42.79.66] has joined ##openvpn
06:59 -!- kyrix [~ashley@77.116.248.125.wireless.dyn.drei.com] has quit [Quit: Leaving]
07:04 -!- albech_ [~thomas@124.157.189.201] has joined ##openvpn
07:04 -!- Artio [~a@port-12577.pppoe.wtnet.de] has joined ##openvpn
07:06 -!- albech [~thomas@119.42.79.66] has quit [Ping timeout: 252 seconds]
07:11 -!- albech__ [~thomas@119.42.76.214] has joined ##openvpn
07:13 -!- albech_ [~thomas@124.157.189.201] has quit [Ping timeout: 245 seconds]
07:16 -!- albech_ [~thomas@124.157.186.95] has joined ##openvpn
07:18 -!- albech__ [~thomas@119.42.76.214] has quit [Ping timeout: 245 seconds]
07:31 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
07:44 -!- mape2k [~mape2k@2001:6f8:997:1000:21e:37ff:fe90:fbfd] has quit [Read error: Operation timed out]
07:54 -!- albech__ [~thomas@119.42.76.162] has joined ##openvpn
07:54 -!- albech_ [~thomas@124.157.186.95] has quit [Ping timeout: 268 seconds]
08:13 -!- BorisK_ [~name@p57B25A48.dip.t-dialin.net] has quit [Read error: Connection reset by peer]
08:19 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
08:42 -!- BorisK [~name@p57B25A48.dip.t-dialin.net] has joined ##openvpn
08:51 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
09:38 -!- fahadsadah [~fahad@unaffiliated/fahadsadah] has joined ##openvpn
10:52 -!- reeniginEesreveR [~reeniginE@203.175.76.194] has joined ##openvpn
10:52 < reeniginEesreveR> could somebody plz tell me what is "encryption domain" ?
10:53 -!- Artio [~a@port-12577.pppoe.wtnet.de] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Go on, try it!]
10:59 < rob0> Those terms do not appear together in my copy of the man page.
11:06 < hyper_ch> you can install openvpn server on windows?
11:11 < rob0> um, since the client and server are the same piece of software, sure. (That's not to say it's a good idea!)
11:18 < hyper_ch> hmmmm...
11:19 < hyper_ch> right... it's the same piece of software
11:19 < hyper_ch> then it must be Window's fault to make it so complicated
11:19 < hyper_ch> (on windows)
11:20 < rob0> Windows is probably a bit braindead about routing, and typically a VPN server is doing some routing.
11:22 < hyper_ch> you could have stopped after braindead :)
11:23 < rob0> true
11:23 < rob0> and left out "probably a bit"
11:24 -!- fastputty1 [fastPutty@dyn-159-184.wireless.concordia.ca] has joined ##openvpn
11:33 < hyper_ch> right :)
11:46 -!- reeniginEesreveR [~reeniginE@203.175.76.194] has quit [Quit: Leaving]
11:49 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
12:54 -!- albech__ [~thomas@119.42.76.162] has quit [Ping timeout: 245 seconds]
13:24 -!- max_atre1des [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has joined ##openvpn
13:24 -!- max_atreides [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has quit [Read error: Connection reset by peer]
13:25 < tw> I have a tunnel up but I cannot connect to the client computer from the vpn server.  I have -o tun1 -j ACCEPT, -i tun1 -j ACCEPT;  I can ping both ways.
13:26 < tw> ... windows firewall maybe?
13:26 < tw> No, that's off.
13:26 < |Mike|> logs!
13:27 -!- nassy [~nassy@207-172-163-225.s606.tnt4.nywnj.ny.dialup.rcn.com] has joined ##openvpn
13:28 < rob0> tun1, huh? There's more than one tun interface?
13:28 < tw> Yes, second instance of openvpn.
13:29  * rob0 smells a possible FUBAR routing table
13:30 < tw> Sec, building some logs and useful info...
13:30 < nassy> im new to openvpn. i am looking to use certificates with openvpn 2. for a fairly small operation that may grow. i was curious about certificate revocation. if i need to prevent a user from connecting to the vpn how do i go about preventing that one individual.
13:32 < rob0> see --crl-verify in the man page. Other choices include --ccd-exclusive and --disable.
13:33 < nassy> rob0: thanks.
13:38 < tw> http://pastebin.ca/1825637
13:38 < tw> Let me get a openvpn.conf up too.
13:40 < |Mike|> !configs
13:40 < vpnHelper> |Mike|: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
13:42 < tw> config+uname+version: http://pastebin.ca/1825641
13:45 < tw> I added the ifconfig to the bottom: http://pastebin.ca/1825645
13:47 < tw> The only thing I can think that would do exactly this is some kind of firewall on the windows client side, but I'm not running any.
13:49 -!- fastputty1 [fastPutty@dyn-159-184.wireless.concordia.ca] has quit [Ping timeout: 276 seconds]
13:50 < rob0> Pastebin.ca continues to block me.
13:51 < tw> connection info and tests: http://pastebin.com/8gxS4ieX
13:51 < tw> server conf & ifconfig: http://pastebin.com/kvLHppJd 
13:51 < |Mike|> use pastie.org then ? :)
13:51 < |Mike|> rob0: same here
13:52 < rob0> so it's not just me, I figured as much
13:52 < tw> I am somewhat scared to go to a site named pastie.org
13:54 < tw> http://pastie.org/857423 <- everything in one.
14:00 -!- kisom [~x@c-e7dde155.648-1-64736c11.cust.bredbandsbolaget.se] has joined ##openvpn
14:13 < tw> I take it that no response means everyone is just as confused as me who looked at it.  Thanks anyway.
14:18 < |Mike|> input and output in the firewall looks good tho.
14:19 < |Mike|> you might want to look to tls-auth aswell.
14:19 < |Mike|> !tls-auth
14:19 < vpnHelper> |Mike|: "tls-auth" is "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key
14:19 < vpnHelper> |Mike|: to make the tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
14:20 < hyper_ch> test
14:20 < |Mike|> 0
14:21 < tw> I have a tcpdump of a connection syn packet going out over tun1, but nothing coming back.  At this point, I'm fairly sure it isn't an openvpn issue.
14:28 < rob0> tw, not necessarily confused. In my case it meant I glanced over it and nothing jumped out.
14:29 < rob0> That's the thing about free help on IRC: they don't tend to work hard for you.
14:30 < rob0> I would suggest disabling the firewalls as a troubleshooting step; I'm not going to pick over your RH-Firewall1-INPUT mess and see what it's doing.
14:32 < tw> rob0: Yes, I was only looking for a once-over for obvious errors.  I flushed the firewall rules out on the server side and retried.  I'm very certain it is on the client side.
14:33 < rob0> um, you're pinging through the tunnel both ways
14:34 < rob0> so what was the question again?
14:34 < tw> I can't connect to the client over tcp.
14:36 < rob0> what service on the client? What did the logs for that service say?
14:37 < |Mike|> your server uses udp or tcp ? :)
14:38 < rob0> immaterial, since the tunnel is up and can be pinged through.
14:38 < tw> it's nc.exe -l 50000, no connection was received.
14:38 < tw> netcat for windows.
14:40 < rob0> Again I would suggest disabling the firewalls as a troubleshooting step.
14:40 < rob0> !firewall
14:40 < vpnHelper> rob0: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
15:01 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 256 seconds]
15:05 -!- max_atre1des is now known as max_atreides
15:08 < max_atreides> how can i make sure my client is communicating over the tun0 interface and not wlan interface on linux?
15:08 < |Mike|> ip?
15:08 < max_atreides> yes
15:08 < |Mike|> netstat should show that 
15:08 < max_atreides> i did netstat -r but i'm not clear what it is saying
15:24 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
16:27 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 252 seconds]
16:27 < havoc> $find /mnt/music/ | wc -l
16:28 < havoc> bah
16:28 -!- havoc [~havoc@saturn.chaillet.net] has left ##openvpn ["oh boy"]
16:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
17:35 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
17:47 -!- kornbluth [whodat@147.236.188.204.in-addr.arpa] has joined ##openvpn
17:53 -!- kornbluth [whodat@147.236.188.204.in-addr.arpa] has quit [Ping timeout: 265 seconds]
18:07 -!- dhansen7 [~dhansen7@76.8.206.177] has joined ##openvpn
18:08 < dhansen7> Does setting up an openvpn server with ethernet bridging require multiple physical ethernet interfaces?
18:09 < |Mike|> nope.
18:10 < dhansen7> in the documentation it says that the interface should be private, and then bridged with the tap0 interface
18:10 -!- BorisK [~name@p57B25A48.dip.t-dialin.net] has quit [Ping timeout: 252 seconds]
18:10 < dhansen7> but if that interface is the only physical interface, and it is private, then how do remote clients connect to the server?
18:11 < dhansen7> doesn't a remote-facing interface need to be involved here?
18:13 < |Mike|> as long as your switches support vlans you can build as many bridges/vlans (to a max of 2048 if i'm not mistaking) on 1 single cable :)
18:15 < dhansen7> yeah I understand that, but what if I just have a single computer, with a single ethernet interface, which is connected directly to the internet (public ip), what would be the easiest way to do ethernet bridging?
18:17 < |Mike|> bridging between public and prod ? :)
18:17 -!- kornbluth [whodat@147.236.188.204.in-addr.arpa] has joined ##openvpn
18:17 < rob0> First question to ask about bridging: why?
18:18 < dhansen7> I need to allow broadcasts
18:18 < dhansen7> over the vpn
18:18 < |Mike|> You need more than 1 server to make a network imho.
18:18 < |Mike|> ghe, have phun routing :p
18:22 -!- dhansen7 [~dhansen7@76.8.206.177] has quit [Quit: Leaving]
18:23 -!- fastputty1 [~fastPutty@dsl-67-55-14-8.acanac.net] has joined ##openvpn
18:30 -!- harovali [~atahualpa@r190-135-5-143.dialup.adsl.anteldata.net.uy] has joined ##openvpn
18:39 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
18:48 < harovali> !welcome
18:48 < vpnHelper> harovali: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:01 -!- harovali [~atahualpa@r190-135-5-143.dialup.adsl.anteldata.net.uy] has left ##openvpn []
19:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Quit: I am off]
19:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
19:51 -!- nassy [~nassy@207-172-163-225.s606.tnt4.nywnj.ny.dialup.rcn.com] has quit [Quit: nassy]
19:51 -!- nassy [~nassy@207-172-163-225.s606.tnt4.nywnj.ny.dialup.rcn.com] has joined ##openvpn
19:53 -!- max_atreides [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has quit [Read error: Connection reset by peer]
19:59 -!- max_atreides [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has joined ##openvpn
20:26 -!- rkantos [robin@hp1.jaketus.net] has quit [Ping timeout: 265 seconds]
21:35 -!- nassy [~nassy@207-172-163-225.s606.tnt4.nywnj.ny.dialup.rcn.com] has quit [Quit: nassy]
21:35 -!- nassy [~nassy@207-172-163-225.s606.tnt4.nywnj.ny.dialup.rcn.com] has joined ##openvpn
22:25 -!- fastputty1 [~fastPutty@dsl-67-55-14-8.acanac.net] has quit [Ping timeout: 264 seconds]
22:50 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 252 seconds]
23:01 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
--- Day changed Sun Mar 07 2010
00:29 -!- tjz [~pc@bb116-14-98-52.singnet.com.sg] has joined ##openvpn
00:29 -!- tjz [~pc@bb116-14-98-52.singnet.com.sg] has quit [Changing host]
00:29 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
01:10 -!- Warp4 [~robert.wo@cpe-69-204-101-172.buffalo.res.rr.com] has joined ##openvpn
01:10 < Warp4> hi all
01:11 < Warp4> is this the right place to go for openvpn sa?
01:40 < hyper_ch> what's openvpn sa?
01:46 < Warp4> rather OpenVPN AS I mean
01:46 < hyper_ch> what's the as one?
01:48 < Warp4> http://openvpn.net
01:48 < vpnHelper> Title: OpenVPN - Open Source VPN (at openvpn.net)
01:48 < hyper_ch> I know openvpn but what's openvpn as?
01:49 < Warp4> OpenVPN Access Server is a full featured SSL VPN software solution that accommodates a wide range of configurations, including secure and granular remote access to your internal network and/ or your private cloud network resources and applications with fine-grained access control
01:49 < Warp4> basically OpenVPN on steroids IMO
01:49 < Warp4> has web based mamagement and configuration
01:49 < hyper_ch> no clue... I just use openvpn as client and server
01:49 < Warp4> does custom client packaging...
01:49 < Warp4> basically the commercial version of OpenVPN
02:00 -!- Axsuul [~someone@97-93-99-133.static.mtpk.ca.charter.com] has joined ##openvpn
02:00 < Axsuul> is OpenVPN GUI compatible w/ Windows 7?
02:00 < Axsuul> it seems like it hasn't been updated sinec 2005
02:09 -!- rawDawg2 [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
02:11 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
02:19 -!- rawDawg2 [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
02:19 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
02:23 -!- rawDawg2 [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
02:25 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
03:10 -!- master_of_master [~master_of@p57B53BD0.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
03:12 -!- master_of_master [~master_of@p57B56D2E.dip.t-dialin.net] has joined ##openvpn
03:24 -!- julius [~julius@217.20.127.15] has quit [Disconnected by services]
03:30 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
03:42 -!- julius_ [~julius@217.20.127.15] has joined ##openvpn
04:32 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
04:58 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
05:17 -!- rkantos [robin@hp1.jaketus.net] has joined ##openvpn
05:46 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:51 -!- sdlfk [~lkjdfsg@212.183.140.33] has joined ##openvpn
05:51 < sdlfk> hi, im woried about people sniffing my phone line to do things like packet injection
05:51 < sdlfk> <sdlfk> if i route all my traffic through a vpn hosted outside of my network, can people still sniff my internet server ip? i would imagine so
05:51 < sdlfk> so if im trying to prevent people hacking my isp's ip (my computer), would routing everything through a vpn help in any way?
05:51 < sdlfk> it would for packet injection right? but not if the operating system has any exploits?
06:13 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
06:15 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 276 seconds]
06:31 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
06:41 < master_of_master> hi, if I run several openvpn daemons (several ports) can I still use the same network in the server option?
06:46 < |Mike|> that would clash imho.
06:46 < theDoc> Mainly due to the routing tables, I'm pretty sure
06:48 < |Mike|> sdlfk: well you have to connect with your IP to the remote server. So yes, that server will see your IP
06:49 < |Mike|> but you can route all your traffic over the VPN tunnel, if you visit a website, the remote IP (where the openvpn daemon runs) will pop up in apache/nginx/iis logs
06:50 < theDoc> |Mike|> or you could always delete those logs and no one would have an idea ;p
06:51 -!- stephenh [~stephenh@94-23-158-103.kimsufi.com] has quit [Ping timeout: 245 seconds]
06:52 < |Mike|> haha
06:52  * |Mike| routes all his traffic trough a colocated server aswell :p
06:52  * theDoc does that too.
06:52 < |Mike|> call me paranoid..
06:52 < theDoc> |Mike|> I'm extremely paranoid ;p
06:53 < |Mike|> I can't wait till openvpn-stable has v6 support !
06:53 < theDoc> |Mike|> That too!
06:54 < theDoc> I'm so tempted to try to make ovpn-as do some v6 stuff but it's a production box and I'm not about to tempt fate ;p
06:54 < |Mike|> same tought here
06:55 < theDoc> I was thinking of using a ipv6 tunnel broker to deal with the v6 tunnels to the ipv6 networks and v4 on my server ends.
06:56 < |Mike|> here in NL we have allmost everywhere native v6 in datacenters :p
06:56 < theDoc> NL = netherlands?
06:56 < |Mike|> yes.
06:56 < theDoc> |Mike|> Nice, I might look into colo for ipv4 vpn > 4-6 tunnel proxies for those v4 vpn servers
06:58 < theDoc> |Mike|> How do you handle ddos on your vpn servers?
07:00 < cron2> |mike|: regarding v6 support in -stable - let the mailing lists know that you're waiting for it.  OpenVPN-the-company is a bit reluctant to add potentially-dangerous features unless they see user demand
07:00 < cron2> (the development model right now is "openvpn-the-community does -testing, openvpn-the-company takes bits from there to -beta, then to -stable")
07:01 < theDoc> cron2> Do you have any idea what is going to be included in the next release of ovpn-as?
07:02 < cron2> theDoc: no idea at all.  I only use the open source openvpn, and hack on that
07:02 < theDoc> Mhm, ok. Thanks.
07:02 < theDoc> Been trying to find some sort of release notes or at least.
07:03 -!- stephenh [~stephenh@94-23-158-103.kimsufi.com] has joined ##openvpn
07:08 < |Mike|> theDoc: we never had to cope with DDOS on our VPN server(s), but then again, only ~15 people use it
07:08 < theDoc> ah.
07:09 < theDoc> |Mike|> I was wondering how much difference the HMAC packet signature makes.
07:12 -!- Diffen2 [~diffen2@c-6874e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 245 seconds]
07:15 < |Mike|> it's another security layer on top of the OpenSSL encryption imho
07:16 < theDoc> Correct me if I'm wrong but I was under the impression that if the HMAC signature does not match with what the server has, the server drops the packet without further processing.
07:16 < |Mike|> Yep
07:16 < theDoc> It does seem it a method to alleviate DDoS on the server.
07:17 < theDoc> However, of course, if the incoming amount of data is bigger than your pipe, you still have problems.
07:20 < |Mike|> Indeed, and you can't avoid that on a single box setup, but you can if you have a network :)
07:20 < theDoc> Oh, for sure.
07:21 < theDoc> That or if you have multiple servers in your setup.
07:21 < theDoc> Well, it somewhat gives me the impression that traffic scrubbing + HMAC would be a good way to counter DDoS.
07:21 < theDoc> If you have a network available for traffic scrubbing
07:25 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
07:25 -!- mode/##openvpn [+o mattock] by ChanServ
07:25 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Client Quit]
07:26 -!- stephenh [~stephenh@94-23-158-103.kimsufi.com] has quit [Ping timeout: 248 seconds]
07:27 -!- stephenh [~stephenh@94-23-158-103.kimsufi.com] has joined ##openvpn
07:39 < |Mike|> theDoc: hehe, you're over engineering ;)
07:46 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:47 < theDoc> |Mike|> Hardly, ;p
07:47 < theDoc> |Mike|> Is there an easier way to deal with it?
07:49 < |Mike|> nope :P
07:51 < theDoc> lol
07:54 -!- Diffen2 [~diffen2@c-6874e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
08:00 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
08:15 -!- kyrix [~ashley@77.117.153.191.wireless.dyn.drei.com] has joined ##openvpn
08:20 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
08:27 -!- LobbyZ [~default@188.72.255.194] has quit [Remote host closed the connection]
08:44 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
08:48 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:51 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
08:53 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
09:03 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
09:04 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 256 seconds]
09:09 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 264 seconds]
09:15 < nassy> is there anyway to get an iphone and or blackberry to use openvpn
09:15 < nassy> without any hacking
09:18 < |Mike|> my nokia e52 can do that :P
09:18 < |Mike|> so i think a blackberry / iphone can do that aswell.
09:19 < |Mike|> http://forums.crackberry.com/f35/any-way-use-openvpn-blackberry-bold-222811/
09:19 < nassy> i dont think there is an app for that (iphone), or is there? did you have to install software
09:20 < |Mike|> http://www.iphonealley.com/forums/showthread.php?t=1332
09:20 < |Mike|> lol, he is installing a openvpn server on his iphone
09:20 < |Mike|> on my e52, no
09:21 < nassy> no, i want to connect to an openvpn server using both iphone and blackberry
09:21 < |Mike|> http://osischool.livejournal.com/1258.html
09:21 < vpnHelper> Title: John - iPhone to openVPN server (at osischool.livejournal.com)
09:21 < |Mike|> there you go
09:22 < |Mike|> err, that url is way off.
09:22 < |Mike|> but you might want to google that yourself :)
09:25 < nassy> thanks. it looks like there is no client so the work around is to connect to a computer and then use that computers connection to openvpn. the salesmen will only have their blackberries or iphone so it will not work for them
09:25 < |Mike|> indeed.
09:31 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
09:33 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
09:46 -!- hacim [~micah@debian/developer/micah] has left ##openvpn []
10:17 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:20 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
10:31 < sdlfk> how hard is it to maintain an exploit free openvpn server? i dont need to use it for anything else 
10:37 -!- stephenh [~stephenh@94-23-158-103.kimsufi.com] has quit [Read error: Operation timed out]
10:43 -!- stephenh [~stephenh@94-23-158-103.kimsufi.com] has joined ##openvpn
11:01 -!- kyrix [~ashley@77.117.153.191.wireless.dyn.drei.com] has quit [Ping timeout: 246 seconds]
11:06 -!- Diffen2 [~diffen2@c-6874e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 240 seconds]
11:11 -!- Znuff [Znuff@89.45.83.253] has joined ##openvpn
11:11 < Znuff> Hi.
11:12 < Znuff> I'm having some issues with a vpn client connecting to a RouterOS that runs openvpn server. I can't get it to add a default route after connecting
11:14 < Znuff> This is my config file for the client: http://pastebin.com/QyMrNvaY
11:20 -!- Znuff [Znuff@89.45.83.253] has quit [Read error: Connection reset by peer]
11:20 -!- Znuff [Znuff@89.45.83.253] has joined ##openvpn
11:24 -!- Znuff [Znuff@89.45.83.253] has quit [Client Quit]
11:30 -!- kisom [~x@c-e7dde155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Read error: Connection reset by peer]
11:38 -!- kyrix [~ashley@77.117.128.136.wireless.dyn.drei.com] has joined ##openvpn
11:48 -!- y5 [~danh@i.dont.get.mad.i.get.stabby.net] has joined ##openvpn
11:48 < y5> how can i tell which key is associated with which .pem file in my keys/ directory?  ive been knocking people off of my vpn by deleting their crt csr key files, but of course that doesn't work
11:49 -!- Warp4 [~robert.wo@cpe-69-204-101-172.buffalo.res.rr.com] has quit []
11:53 -!- kyrix [~ashley@77.117.128.136.wireless.dyn.drei.com] has quit [Quit: Leaving]
12:07 < rob0> um, what? You keep client keys in a directory? The way SSL PKI is supposed to work, the user sends you (the CA) a CSR, and you never see the user's key.
12:07 < rob0> Anyway, sounds like you might want to read up on openssl(1) documentation.
12:08 < rob0> The openvpn side of it: see --crl-reject and --disable in the man page.
12:16 -!- plum [~chatzilla@cpe-75-83-110-215.socal.res.rr.com] has joined ##openvpn
12:18 < plum> hello, i'm wondering how to set up a vpn on my computer for my android phone to access it
12:18 -!- Axsuul [~someone@97-93-99-133.static.mtpk.ca.charter.com] has quit [Ping timeout: 276 seconds]
12:21 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 260 seconds]
12:21 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has joined ##openvpn
12:21 < chester> !welcome 
12:21 < vpnHelper> chester: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:26 < chester> !goal
12:26 < vpnHelper> chester: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:27 < chester> Hello, i just want to know if anyone is aware of any development of openvpn on symbian platforms ? thank you
12:28 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
12:30 < Bushmills> plum: configuring your computer as router/gateway, which is used by your phone, would be enough.
12:30 < hyper_ch> hi Bushmills
12:30 < Bushmills> (default route through vpn. suitable dns provided too, assumed)
12:30 < Bushmills> hi hyper_ch
12:30 < plum> so i basically set up say, hamachi? 
12:30 < hyper_ch> Bushmills: can I ask for your professional advice?
12:31 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
12:31 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
12:31 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
12:31 < Bushmills> if liability is yours
12:31 < Bushmills> plum: why would you think i'd suggest to set up hamachi on the openvpn channel?
12:31 < hyper_ch> Bushmills: does spying on my new pair of cats with a webcam - that are still a bit scared with their new surroundings and hang out mostly in my bedroom - make me a bad person?
12:32 < Bushmills> don't call it "spying", then you arenn't
12:33 < hyper_ch> Bushmills: ah, by re-labelling bad things to good things it makes them ok :) good to know :)
12:33 < Bushmills> yes, that's the way it usually works
12:33 < hyper_ch> thx :)
12:33 < plum> Bushmills: i'm not too sure what you mean by that? i was just reading that hamachi was one of the most recommended vpn - OH duh. x] openvpn = openvpn's channel. haha
12:33 < plum> openvpn was also one of the most recommended ones
12:34 < plum> i'll try that
12:34 < Bushmills> you only want to check how they blend in. there's no spying in that, on nothing bad about it.
12:34 < Bushmills> or
12:34 < hyper_ch> exactely :)
12:34 < plum> alright i'll go try that and come back with any progress :)  cya guys
12:34 -!- plum [~chatzilla@cpe-75-83-110-215.socal.res.rr.com] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
12:37 < nassy> plum, i was looking into hamachi also. i saw a few posts on the web where hamachi went down for a long time period and no one could use their vpns. there seemed to not be a lot f communication from the company as to when it would be back up also. so you are at the mercy of the company for vpn connections. only issue so far i have seen with openvpn is there are no clients for phones and though there seems to be some demand f
12:37 < nassy> damm
12:38 < chester> i may try to start a implementation of openvpn on symbian
12:39 < chester> i need to get used to the platform though
12:39 < nassy> cool
12:40 < chester> "cool" , but i need to find out what are the best sources i should start with
12:42 < nassy> i hope the interest in phone clients eventually spills over to iphones or blackberries. wish i could do a port myself
12:44 < hyper_ch> iphones are evil
12:44 < chester> i don't know others plantforms, but now Symbian is more or less opensource
12:44 < chester> so it should be ok
12:46 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 260 seconds]
12:49 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
12:49 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
12:49 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
12:49 -!- zuez_ [~sf@catalyst.httpd.org] has quit [Quit: .]
13:03 < nassy> hehe, hyper_ch but they and blackberries are popular in the company i work for
13:21 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has quit [Disconnected by services]
13:21 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has joined ##openvpn
13:22 < chester> :/
13:24 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has quit [Disconnected by services]
13:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Max SendQ exceeded]
13:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:44 < nassy> this may not be possible since openvpn runs in user space, but can the vpn remain active after someone logs out of the gui?
13:45 < Bushmills> yes, sure.
13:46 < Bushmills> normally, especially when connecting at boot time, openvpn is completely transparent to the user
13:53 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Read error: Connection reset by peer]
13:54 < nassy> reason i asked was i wanted it to be active when my parents log out of their computers. just means i will need to set up a server and network to network access 
13:55 < rob0> Um, that's a Windows question actually, and IIRC the answer is to run it as a service.
13:55 -!- Diffen2 [~diffen2@c-8370e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
14:02 -!- chester31 [~bla@did75-16-88-162-137-34.fbx.proxad.net] has joined ##openvpn
14:11 < nassy> ah ok, they have macs actually. but same principal i guess
14:14 -!- Axsuul [~someone@97-93-99-133.static.mtpk.ca.charter.com] has joined ##openvpn
14:37 -!- Robuster [~0px0@78.134.8.131] has joined ##openvpn
14:37 < Robuster> hi
14:38 < Robuster> i got some strange issue, i setup a openvpn server and using redirect-gateway, and when i visit for example www.whatsmyip.com it shows the ip of my vpn, but when i connected to IRC it wasn't tunneled through the vpn
14:38 < Robuster> is it some bad configuration or what's causing this?
14:45 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Remote host closed the connection]
14:48 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
14:51 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
14:55 < ecrist> Snom VoIP phones support OpenVPN: http://wiki.snom.com/Networking/Virtual_Private_Network_%28VPN%29
14:55 < vpnHelper> Title: Networking/Virtual Private Network (VPN) - Snom User Wiki (at wiki.snom.com)
15:00 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
15:10 -!- dug_ [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
15:12 -!- dug` [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Ping timeout: 246 seconds]
15:13 -!- nassy [~nassy@207-172-163-225.s606.tnt4.nywnj.ny.dialup.rcn.com] has quit [Ping timeout: 245 seconds]
15:14 -!- Robuster [~0px0@78.134.8.131] has quit [Ping timeout: 276 seconds]
15:21 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
15:52 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
16:10 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
16:12 -!- Axsuul [~someone@97-93-99-133.static.mtpk.ca.charter.com] has quit []
16:26 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:43 -!- nassy [~nassy@207-172-163-225.s606.tnt4.nywnj.ny.dialup.rcn.com] has joined ##openvpn
16:56 -!- chester31 [~bla@did75-16-88-162-137-34.fbx.proxad.net] has quit [Ping timeout: 240 seconds]
16:57 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
17:18 -!- kurt_ [~kurt@astound-69-42-7-19.ca.astound.net] has joined ##openvpn
17:22 < kurt_> Hi - looking for help with a problem with X11 sessions thru my openvpn tunnel running in pfsense.  X11 sessions "freeze", never fully initiating.
17:23 < kurt_> Logs from openvpn and X11 don't show anything obvious
17:23 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
17:24 -!- smerz [~daniel@smerz.demon.nl] has quit [Quit: Ex-Chat]
17:42 < kurt_> any takers?
17:50 < Bushmills> !configs
17:50 < vpnHelper> Bushmills: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
18:05 < kurt_> Has anyone seen freezes in X11 sessions over ssh over openvpn before?
18:12 < Bushmills> yes. you
18:15 < rob0> Captain Kirk, there are approximately 1.1174 million possible causes for that phenomenon. --Spock
18:15 < kurt_> understood, but how can I begin to diagnose?
18:15 < rob0> !debug
18:15 < vpnHelper> rob0: Error: "debug" is not a valid command.
18:16 < kurt_> in the same network, going over sonicwall, it works
18:16 < kurt_> ssh sessions work
18:16 < rob0> how about going over the Internet without openvpn?
18:17 < kurt_> ... trying to think of how I could try that.  this is a pfSense host
18:17 < rob0> ssh and openvpn both do encryption, so that's overkill
18:17 < kurt_> yeah, that's understood, but ssh is pretty much a replacement for telnet in most cases
18:18 < kurt_> X11 should just work
18:18 < rob0> It could be you have something silly in your as-yet-unposted configs, too. I'll stop guessing now.
18:18 < kurt_> and, as I said, going thru sonicwall, it works without issues
18:19 < kurt_> Ok, well, let me figure out how to grab those via pfSense
18:19 < kurt_> btw - it eventually comes back with "Read from remote host phenom: Operation timed out
18:19 < kurt_> Connection to phenom closed."
18:24 -!- Amjad is now known as PrinceAmjad
18:25 < dxtr> rob0: I have to tunnel openvpn over ssh when I'm at schol :D
18:25 < kurt_> and you can pull up x sessions (ie. xeyes, xclock) without problems, right?
18:26 < dxtr> Actually I don't even do that
18:26 < kurt_> btw - server config posted http://www.pastebin.org/104354
18:26 < dxtr> kurt_: Can one get an X client in Windows?
18:27 < dxtr> That'd be awesome
18:27 < kurt_> you mean start an x session like xceed?
18:27 < kurt_> I'm using mac osx
18:27 < dxtr> mkay
18:30  * rob0 not familiar with pfSense
18:32 < nassy> hehe funny you should be dicussing pfSense. i have a problem with my openvpn which i suspect is due to my firewall, and all my google.com search results are for pfSense (which isnt my firewall)
18:34 < kurt_> pfsense is an open source internet appliance package, which incorporates openvpn
18:35 < kurt_> uses a gui to do configuration of everything
18:35 < kurt_> its very slick
18:36 < nassy> it looks like it is supposed to be set up as your firewall behind your cable modem 
18:37 < nassy> for me my problem is i want to run openvpn behind my router firewall but for some reason i cant connect. maybe i am not forwarding the right ports or something
18:37 < kurt_> yes, that too - its a firewall, router, vpn
18:40 < Bushmills> dxtr: there's a low cost X server for windows, called pc-xware. 
18:40 < nassy> kurt_: try macosxhints.com to see if they can help with X windows setup 
18:40 < Bushmills> integrates in windows desktop for "seamless" X clients, but can also full screen X session
18:41 < kurt_> its not my x windows set up...remember I said this can be done without issues via sonicwall
18:41 < Bushmills> but most, if not all, Xservers running directly under windows seem to be payware
18:42 < kurt_> you can find really good deals on ebay for previous generation exceed
18:42 < kurt_> then you can upgrade
18:42 < kurt_> if you need to
18:43 < nassy> openvpn server is sitting behind my LAN firewall and i am trying to connect via the WAN (public internet). do i need to forward more than tcp port 443 if i set openvpn to listen on that port?
18:44 < nassy> im using tcp for testing purposes
18:45 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
18:46 < Bushmills> packets need to reach server
18:46 < Bushmills> the one port you use for openvpn is enough, though
18:49 < nassy> ok, thanks. i am forwarding that port and i can reach it from the net. but when i try to connect it fails. i know what i will do. i was testing my clinet > WAN > openvpn LAN. maybe i should just test from the WAN
18:54 -!- jwm [~jwm@dev.dist.us] has joined ##openvpn
18:54 < jwm> I have a samba + windows explorer question 
18:55 < jwm> I'd like to see the remote samba server in explorer (located at 10.8.0.1 on openvpn)
18:55 -!- MatToufoutu [mattoufout@unaffiliated/mattoufoutu] has joined ##openvpn
18:55 < jwm> but tis not happening
18:55 < jwm> heh
18:55 < jwm> I can directly access the shares and map stuff if I type it in
18:56 < jwm> but it never comes up in my explorer view under computer
18:56 < nassy> just aguess. maybe you need a wins server setup
18:56 < jwm> yeah I guess
18:56 < jwm> I figured this wasn't an openvpn question
18:56 < MatToufoutu> hi
18:57 < jwm> samba
18:57 < jwm> but they are dead in there :)
18:57  * rob0 wondered where the smell was coming from :(
18:57 < jwm> hah!
18:57 < MatToufoutu> i'm introducing myself to openvpn and was wondering, what are the pros/cons of using it in tcp or udp mode?
18:57 < jwm> not a samba liker eh
18:57 < rob0> !tcp
18:57 < vpnHelper> rob0: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
18:57 < MatToufoutu> i think udp is faster but doesn't provide packet integrity checking, i'm right?
18:58 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 246 seconds]
18:58 < MatToufoutu> ok, so if udp works, i'd better use it if i understand well
18:58 < rob0> There is no advantage to TCP, but it's easier to get through the really stupid firewalls you might encounter, by listening on port 443/tcp.
18:59 < rob0> If you don't have to work around stupid firewalls, stick with UDP.
18:59 < jwm> you can pretty much get the reliability of tcp over udp using your own protocol
18:59 < MatToufoutu> ok, thanks :)
18:59 < nassy> ive got this sill firewall i cant set up port 443 UDP 
18:59 < nassy> silly
19:00 < nassy> or figure out how to
19:00 < jwm> hehe
19:00 < jwm> throw it away
19:03 < nassy> hehe, it was expensive
19:08 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
19:08 < theDoc> !welcome
19:08 < vpnHelper> theDoc: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:08 < theDoc> !nat
19:08 < vpnHelper> theDoc: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
19:08 < theDoc> !linnat
19:08 < vpnHelper> theDoc: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
19:08 < theDoc> !ipforward
19:08 < vpnHelper> theDoc: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
19:08 < theDoc> !ipforwarding
19:08 < vpnHelper> theDoc: Error: "ipforwarding" is not a valid command.
19:08 < theDoc> !linipforward
19:08 < vpnHelper> theDoc: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
19:10 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
19:13 < nassy> thanks :-)
19:15 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 252 seconds]
19:16 < rob0> Wow, interesting post on the mailing lists today, sounds like openvpn might be getting a grant :)
19:37 -!- Netsplit *.net <-> *.split quits: atlantic, Rolybrau, simplechat, @openvpn2009
19:38 -!- Netsplit over, joins: Rolybrau, simplechat, @openvpn2009, atlantic
19:53 -!- tjz [~pc@bb116-15-76-215.singnet.com.sg] has joined ##openvpn
19:53 -!- tjz [~pc@bb116-15-76-215.singnet.com.sg] has quit [Changing host]
19:53 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:12 -!- jwm [~jwm@dev.dist.us] has left ##openvpn []
20:12 < MatToufoutu> i would like to use my vpn server as a kind of proxy too, i  read the doc and see something about telling the clients to use an alternative dns server (the push directive), but if i understant well, i need a dns server in my virtual network? can't i just forward the dns queries to an external one?
20:12 < MatToufoutu> (if this is a solution, maybe it could be achieved using iptables)
20:22 < MatToufoutu> nobody to tell me if i'm mistaking?
20:27 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
21:07 < Bushmills> you can
21:08 < Bushmills> problem people often face is that they try to continue the same DNS they used before traffic went over VPN
21:08 < Bushmills> when that's providers' DNS, they often don't allow to resolve from other ip addresses than their own
21:09 < Bushmills> so when you use an open external DNS, you're fine. through VPN or not, doesn't matter
21:10 < Bushmills> and you can run a proxy on your vpn server, and use it from your local clients too.
21:10 < MatToufoutu> yes, i thought about doing this: on the vpn server, redirect incoming dns requests to opendns servers
21:10 < MatToufoutu> would it be a good idea?
21:11 < Bushmills> i think a better idea is to tell clients to use an open DNS instead
21:11 < Bushmills> openvpn has support to instruct clients what dns to use.
21:12 < Bushmills> (which needs an extra step on non-windows machines)
21:12 < MatToufoutu> that's what i tryed, i put 'push "dhcp-option DNS 208.67.222.222"' in server.conf
21:13 < MatToufoutu> but it didn't seem to work :/
21:13 < Bushmills> looks good for windows clients.
21:13 < Bushmills> on what machines did that not work?
21:14 < MatToufoutu> clients are linux
21:14 < Bushmills> ah. no wonder.
21:14 < Bushmills> the mentioned "extra step"
21:15 < Bushmills> http://scarydevilmonastery.net/snap/1268018101179628359.png
21:15 < Bushmills> from the man page
21:16 < Bushmills> easier may be to just put that server into /etc/resolv.conf permanently.  
21:17 < Bushmills> uh ... opendns sucks - they return A record even for domains which don't exist
21:17 < MatToufoutu> oO
21:17 < MatToufoutu> really
21:17 < MatToufoutu> ?
21:17 < Bushmills> try 8.8.8.8 alternatively. 
21:18 < Bushmills> that's google opendns. at least, they return correct reply on non-existing hosts
21:18 < Bushmills> or run your own recursive DNS, on your OpenVPN server machine, maybe
21:18 < MatToufoutu> yes, that could be a nice idea
21:19 < MatToufoutu> would it be hard to setup?
21:19 < Bushmills> no.
21:20 < Bushmills> recursive is usually easier than authoritative
21:20 < Bushmills> simple case is a three-line config file
21:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
21:20 < Bushmills> check this out:  http://www.maradns.org/tutorial/recursive.html
21:20 < vpnHelper> Title: Recursive DNS serving (at www.maradns.org)
21:21 < MatToufoutu> thanks a lot
21:22 < MatToufoutu> yeah, seems simple to setup :)
21:42 < rob0> BIND named(8) likewise is pretty simple for recursion only.
21:44 < rob0> At home (and other sites I have set up) I use dnsmasq for authoritative & DHCP, with named (on an alternate port) for recursion.
21:45 < Bushmills> memory footprint of bind is about 10 times higher. for simple recursive dns bind is a bit overkill.
21:48 < Bushmills> actually, i have it the other way around: bind as authoritative + dynamic update by dhcp, and maradns as local recursive :D
21:49 < Bushmills> used maradns as authoritative too, but dynamic updates aren't possible with it.
21:50 < Bushmills> (hosting domains from people with not-quite-static ip address, and ugly CNAMEs to dyndns wouldn't do) 
21:50 < MatToufoutu> ok, so if one day i wish to create my own domain names within the vpn, bind would be better, but for now maradns is sufficient, right?
21:51 < Bushmills> maradns is quite ok for hosting your own domains too
21:51 < Bushmills> but where it fails is when your DNS should also do what dyndns does
21:51 < MatToufoutu> ok i see
21:51 < Bushmills> (allowing frequent updates of zone files from remote)
21:52 < MatToufoutu> let's go for maradns so ^^
21:53 < Bushmills> probably a good enabler to eventually grow through to bind
21:53 < Bushmills> it is a "full" dns. just everything much smaller than bind, and it lacking some not-frequently used features
21:54 < Bushmills> oh, it also lacks one more-frequently used feature:  no support for AXFR or IXFR notifications
21:54 < MatToufoutu> what is this?
21:55 < Bushmills> (that means, if you want you slave DNS update automatically from master DNS when a zone changes, there is no automatic in it)
21:55 < Bushmills> you'd need to so something hackish then.   it *does* support zone transfers, though
21:55 < Bushmills> but not the notification to slave, causing the slaves to pull the changed zones from master
21:56 < MatToufoutu> ok, i'll see while using it if it fits my needs, at least it will be instructive
21:56 < Bushmills> that may become an annoyance when you run several name servers
21:56 < Bushmills> (which you want to sync automatically)
21:57 < MatToufoutu> i don't plan to run more than one name server for now
21:57 < Bushmills> in that case you won't miss that
21:57 < MatToufoutu> that's fine so
21:58 < MatToufoutu> well, thanks for all your advices, now i need to sleep a bit, i learned enough things for today ^^
21:58 < Bushmills> with dynamic updates, that automatic instant sync is necessary 
21:59 < Bushmills> they must obtain the changed zones as soon as they're changed on master
22:00 < MatToufoutu> ok, i understand, that's good to know
22:00 < Bushmills> as recursor, i like maradns because it uses little memory
22:01 < Bushmills> (running it on a netbook with 512 mb RAM)
22:02 < MatToufoutu> i think it will be fine for what i plan to do
22:02 < MatToufoutu> gtg now, thanks again :)
22:15 -!- max_atreides [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has quit [Read error: Connection reset by peer]
22:15 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
22:16 -!- max_atreides [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has joined ##openvpn
23:05 -!- Sorcier_FXK [~Sorcier_F@unaffiliated/sorcierfxk] has joined ##openvpn
23:09 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 265 seconds]
23:16 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:31 -!- max_atreides [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has quit [Read error: Connection reset by peer]
23:32 -!- max_atreides [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has joined ##openvpn
--- Day changed Mon Mar 08 2010
00:06 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
00:07 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
00:11 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 252 seconds]
00:43 -!- max_atreides [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has quit [Read error: Connection reset by peer]
00:43 -!- max_atreides [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has joined ##openvpn
00:57 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has joined ##openvpn
01:04 -!- mape2k [~mape2k@p5B28703D.dip.t-dialin.net] has joined ##openvpn
01:18 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 240 seconds]
01:21 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
01:30 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has quit []
01:30 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has joined ##openvpn
01:31 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
01:31 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
01:56 -!- plum [~chatzilla@cpe-75-83-110-215.socal.res.rr.com] has joined ##openvpn
02:02 -!- BorisK [~name@p5B1260BD.dip.t-dialin.net] has joined ##openvpn
02:02 -!- plum [~chatzilla@cpe-75-83-110-215.socal.res.rr.com] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
02:06 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
02:09 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 240 seconds]
02:23 < jmm> hi.
02:37 -!- sdlfk [~lkjdfsg@212.183.140.33] has quit [Ping timeout: 246 seconds]
02:43 -!- sdlfk [~lkjdfsg@212.183.140.53] has joined ##openvpn
02:47 -!- Diffen2 [~diffen2@c-8370e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 276 seconds]
02:52 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
03:06 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 276 seconds]
03:09 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
03:10 -!- master_of_master [~master_of@p57B56D2E.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
03:11 -!- master_of_master [~master_of@p57B54084.dip.t-dialin.net] has joined ##openvpn
03:12 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 245 seconds]
03:16 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
03:21 -!- stefanlsd [~stefanlsd@ecstasy.lsd.co.za] has joined ##openvpn
03:22 < stefanlsd> Does anyone have an idea what the issue could be when making an udp connection from windows 7. I have linux clients connecting via udp fine, and windows client just say trying to connect to ip:1194 and nothing...
03:25 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
03:42 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined ##openvpn
03:46 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
03:53 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 256 seconds]
03:58 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
04:05 < hyper_ch> quick question: when I have a working openvpn network with 1 server, 3 clients
04:05 < hyper_ch> then I can access a specific client on a specific port like this:  10.8.0.4:1234 ?
04:10 -!- macsppadic_ [~sonupunno@82.109.74.162] has joined ##openvpn
04:11 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Read error: Connection reset by peer]
04:11 -!- macsppadic_ is now known as macsppadic
04:25 < nassy> stefanlsd: maybe firewall is blocking udp
04:34 < nassy> hyper_ch: i think to connect from one vpn client to another vpn client you may need to do some additional configuration (not sure what as i am new to open vpn, but may have to do with routing)
04:35 < hyper_ch> nassy: I can ping it fine it seems
04:36 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit [Quit: Leaving]
04:37 < nassy> are you going from one vpn client to a computer behind the vpn server? if so then check that the firewall on that host is ot blocking the port. maybe scan with nmap
04:39 < hyper_ch> nassy: the port is not blocked
04:40 < nassy> hyper_ch: whats the problemthen
04:40 < hyper_ch> it just doesn't seem to work for some reason
04:41 < nassy> does the program depend on broadcasts for some reason, or additional ports that are blocked by the firewall
04:42 < hyper_ch> there is no firewall
04:43 < nassy> does the program work with nat?
04:44 < hyper_ch> what program?
04:45 < hyper_ch> on one vpn client I try to run a vlc server that rcords my webcam
04:45 < hyper_ch> on my client here, I try to access it by it's port
04:45 < hyper_ch> but it's not working
04:46 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
04:49 < nassy> im not sure why streaming rtp or udp from vlc server to a vlc client over openvpn would not work if no firewalls are running
04:49 < theDoc> It should work.
04:53 < nassy> hyper_ch: then, are you sure you have the correct url for your vlc server
04:53 < theDoc> Are you even able to ping the vlc server for a start? ;p
04:54 < hyper_ch> nassy: yes, I am
04:54 < hyper_ch> theDoc: how to ping it?
04:54 < nassy> theDoc: hyper_ch
04:54 < nassy> :  nassy: I can ping it fine it seems
04:55 < theDoc> Hmm.
04:59 < hyper_ch> how do you ping on a specific port?
05:01 < nassy> hyper_ch: scan the port with nmap from insecure.org
05:02 < theDoc> vlc daemon listening for connections?
05:04 < hyper_ch> no matter what port I start vlc on, I always get a different message
05:04 < hyper_ch> with nmap
05:07 < nassy> hats the message and whats the tcp port you are scanning with nmap? vlc is using udp or rtp?
05:08 < hyper_ch> I run it like this: vlc v4l2:///dev/video0 --sout '#transcode{vcodec=h264,vb=800,fps=12,venc=x264{profile=baseline,keyint=20,subme=3}}:standard{access=http,mux=ts,dst=127.0.0.1:20000}'
05:09 < hyper_ch> nmap -p 20000 10.8.0.6
05:09 < hyper_ch> PORT      STATE  SERVICE
05:09 < hyper_ch> 20000/tcp closed unknown
05:11 < nassy> maybe vlc is only broadcasting on localhost and not on the network adapter you are connecting to: 10.8.0.6
05:13 < hyper_ch> might be
05:14 -!- newtech [~newtech@41.226.104.136] has joined ##openvpn
05:15 -!- LobbyZ [~default@188.72.255.194] has quit [Ping timeout: 248 seconds]
05:24 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
05:32 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
05:51 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:21 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
06:21 -!- mode/##openvpn [+o mattock] by ChanServ
06:33 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
06:36 -!- Sky[x] [~SkyB0x@193.2.72.254] has joined ##openvpn
06:39 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
06:41 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
06:48 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
06:48 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
07:11 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
07:11 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
07:12 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 246 seconds]
07:14 -!- Sky[x] [~SkyB0x@193.2.72.254] has quit [Remote host closed the connection]
07:17 -!- da1l6 [~da1l6@i528C3016.versanet.de] has joined ##openvpn
07:25 < da1l6> !welcome
07:25 < vpnHelper> da1l6: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:26 < da1l6> !/30
07:26 < vpnHelper> da1l6: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
07:30 < da1l6> !topology
07:30 < vpnHelper> da1l6: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
07:35 < newtech> hello, I am using openvpn with Centos 5.3, I have failed to run a tunnel between a linux and windows machines
07:37 < newtech> I have configured the tunnel with port 443 in both ends, but when I run try to connect, with wireshark I see that the port 443 is unreachable
07:37 < newtech> also, I don't see the tap device when I run the ifconfig command
07:37 < newtech> pls help
07:48 < newtech> I have took the same config from the linux machine and put it in another windows machine, it works
07:48 < newtech> I think the pb is dealing with linux os
07:49 < newtech> have you an idea?
07:49 < newtech> thks
07:58 -!- nassy [~nassy@207-172-163-225.s606.tnt4.nywnj.ny.dialup.rcn.com] has quit [Quit: nassy]
08:03 -!- da1l6 [~da1l6@i528C3016.versanet.de] has quit [Remote host closed the connection]
08:33 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:42 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
08:57 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
09:03 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:05 -!- MadTBone [~MadTBone@160.39.238.196] has joined ##openvpn
09:05 -!- Winkie [~urmom@87.194.109.4] has joined ##openvpn
09:06 < Winkie> hey sportsfans, i'm about to deploy openvpn onto my boss' windows machine by giving him the setup utility, th e options to select and a zipped up key, cert and config
09:06 < Winkie> now here's the question, the config is linux based, and has 'dev tun' and 'user nobody' etc in it
09:06 < Winkie> will these work fine on windows, or do i need to remove 'user nobody, group nogroup' etc?
09:18 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:27 -!- darkscrypt [~darkscryp@adsl-067-033-035-249.sip.asm.bellsouth.net] has quit [Remote host closed the connection]
09:28 -!- ycas [~yann@84.114.50.173] has joined ##openvpn
09:29 -!- LobbyZ [~default@188.72.255.194] has quit [Ping timeout: 264 seconds]
09:31 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
09:32 < ycas> hello. i installed openvpn and created the keys about 18months ago, now i want to create new keys. do i need to recreate vars?
09:32 < ecrist> no, but you need to import it
09:33 < ecrist> the howto for easy-rsa should still apply
09:33 < ycas> ok thx
09:44 -!- ycas [~yann@84.114.50.173] has quit [Quit: leaving]
09:44 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
10:01 -!- sdlfk [~lkjdfsg@212.183.140.53] has quit [Ping timeout: 268 seconds]
10:07 -!- mape2k [~mape2k@p5B28703D.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
10:13 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
10:43 -!- dollabill [~mike@97.66.26.10] has quit []
10:47 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
10:59 < y5> Winkie: i use the same conf file for linux windows mac
10:59 < y5> Winkie: are you really good with tcl
10:59 < y5> Winkie: name the file .ovpn for windows, .conf for linux and mac
11:02 -!- LobbyZ [~default@188.72.255.194] has quit [Ping timeout: 248 seconds]
11:04 -!- dug_ [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Quit: Quitte]
11:07 -!- julius_ [~julius@217.20.127.15] has quit [Ping timeout: 276 seconds]
11:15 -!- sdlfk [~lkjdfsg@212.183.140.53] has joined ##openvpn
11:24 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Quit: Leaving]
11:26 -!- kyrix [~ashley@77.116.254.45.wireless.dyn.drei.com] has joined ##openvpn
11:27 -!- QbY [~Kelvin@c-24-126-145-123.hsd1.ga.comcast.net] has joined ##openvpn
11:27 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
11:28 < Winkie> y5: no problem, i actually named it .conf but the guy will call me
11:28 < Winkie> also i know my way around tcl, that is an odd question :)
11:28 < QbY> I'm "moving" into a new linux desktop replacing my windows machine for work--in Windows I used putty and ssh tunneling to access work servers--would open vpn do the same?  Or is there a simple "tunnel management" program for linux?
11:28 < Winkie> i'm off to ride the 4 miles home, so if you leave any messages i will respond
11:29 < Winkie> QbY: openvpn replacing ssh tunneling will blow your mind
11:29 < Winkie> i suggest you try it
11:29 < QbY> ok.  is this going to be an all day configuration?  i'd love to have it on the work servers so that I could just hit one button and then i'm cnonected
11:31 -!- julius [~julius@217.20.127.15] has joined ##openvpn
11:36 < rob0> QbY, I'd advise you to learn how to manage your distribution the way it is meant to be used. Read the distro documentation.
11:37 < y5> Winkie: i know where you live
11:38 -!- stephenh [~stephenh@94-23-158-103.kimsufi.com] has quit [Ping timeout: 252 seconds]
11:49 -!- julius [~julius@217.20.127.15] has quit [Ping timeout: 276 seconds]
11:50 -!- stephenh [~stephenh@94-23-158-103.kimsufi.com] has joined ##openvpn
11:52 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Read error: Connection reset by peer]
11:54 < krzee> QbY, 
11:54 < krzee> !sample
11:54 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
11:54 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
11:54 < krzee> do you want to access a whole lan or just single machine?
11:54 < krzee> do you want to redirect all inet traffic over the vpn?
11:58 -!- alpha [~alpha@41.224.128.248] has joined ##openvpn
11:58 -!- le0 [~tehle0@unaffiliated/le0] has quit [Client Quit]
12:04 < Winkie> y5: that's cool i also know where i live
12:06 -!- kyrix [~ashley@77.116.254.45.wireless.dyn.drei.com] has quit [Quit: Leaving]
12:10 < alpha> Is openvpn suitable with kernel 2.6 systems?
12:11 < Winkie> yes
12:11 < Winkie> 2.6.31-20-generic-pae
12:11 -!- julius [~julius@217.20.127.15] has joined ##openvpn
12:17 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
12:21 < krzee> alpha, sure, just gotta be sure you build the tun / tap module or compile it into the kernel
12:22 < krzee> (like with any kernel)
12:22 < alpha> I have installed from rpm
12:22 < alpha> but does not work like it should
12:22 < alpha> it does not load the tuyn tap module
12:23 < krzee> hehe right
12:23 < cron2> alpha: so what happens if you run "modprobe tun" as root?
12:23 < alpha> when i enter the iifconfig interface i don't see it and the tunnel fail to become up
12:23 < krzee> rpm's dont modify your kernel
12:23 < krzee> do what cron2 said
12:24 < alpha> it works woithout any output
12:24 < cron2> the "tun0" interface will only be there when the tunnel is actually fully established, so the problem is somewhere else
12:24 < cron2> !logs
12:24 < vpnHelper> cron2: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
12:24 < krzee> after that can you run openvpn?
12:24 < krzee> (after you used modprobe)
12:24 < cron2> (client logs should be sufficient here, to see why it's failing - OpenVPN logs are gooood!)
12:25 < alpha> yes krzee
12:25 < alpha> it runs but the 2 ends does not connet
12:25 < krzee> ok so that problem is fixed
12:25 < alpha> HOW,
12:25 < krzee> do what cron2 said
12:26 < krzee> also
12:26 < krzee> !configs
12:26 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
12:27 < alpha> in  the other end wireshark shows that the vpn port is unreachable
12:28 < cron2> is this client-server or point-to-point VPN?  What exactly do you see in wireshark?  ICMP "port unreachable" messages?
12:29 -!- nachox [~imarambio@200.68.83.121] has joined ##openvpn
12:29 -!- julius [~julius@217.20.127.15] has quit [Ping timeout: 276 seconds]
12:30 < alpha> yes cron2
12:30 < nachox> guys, i'm having problems with openvpn, and its an odd problem
12:30 < krzee> nachox, 
12:30 < krzee> !welcome
12:30 < vpnHelper> krzee: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:31 < nachox> adding redirect-gateway def1 causes a segfault in openvpn-auth-pam.so
12:31 < krzee> 2.1.1?
12:31 < nachox> 2.1_rc11
12:31 < Bushmills> i heard that before
12:31 < krzee> upgrade
12:31 < krzee> !download
12:31 < vpnHelper> krzee: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) see !gui for more information for Windows clients.
12:32 < Bushmills> (problem with openvpn-auth-pam.so)
12:33 < cron2> alpha: answering "yes" to an "or" question is technically correct, but not *that* useful.  But anyway: if there are firewalls or NAT routers between your endpoints, make sure that they permit the packets that you use for VPN, in both directions
12:33 < nachox> so its a known problem?
12:34 < alpha> sorry cron2
12:35 < krzee> alpha, duplicate it in 2.1.1 before you can even call it a problem
12:35 < alpha> cron2, I have deactivated the firewalls in trhe 2 ends and they are in the same not, so I dont think it is a nat or firewall problem
12:35 < krzee> its simple to upgrade, its just the binaries
12:36 < cron2> alpha: show us the configs and the logs, based on that, we know what you are trying to achieve, and can then figure out what's failing
12:36 < alpha> ok cron2
12:38 -!- mrahab [~ahab@olsennetworking-1-pt.tunnel.tserv3.fmt2.ipv6.he.net] has joined ##openvpn
12:38 < mrahab> !welcome
12:38 < vpnHelper> mrahab: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:40 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
12:42 -!- julius [~julius@217.20.127.15] has joined ##openvpn
12:46 < mrahab> I am trying to use TLS authentication.  I have created a CA, as well as certs for the server and clients.  when connecting with openvpn, the clients correctly verify the certificates, but the server does not due to VERIFY ERROR: depth=2, error=self signed certificate in certificate chain.  I can pastebin further information if needed
12:47 < rob0> mattock: do you (or someone else here) have moderator authority on the mailing lists? I posted to openvpn-devel a bit ago, maybe was not a subscribed address.
12:47 < Winkie> mrahab: as a guess, you've signed the client's cert incorrectly, instead of signing it with the CA you've signed it with some other cert?
12:47 < krzee> !factoids search cert
12:47 < vpnHelper> krzee: 'servercert', 'certs', 'nocert', 'certverify', and 'certinfo'
12:47 < Winkie> mrahab: i am simply guessing though
12:47 < krzee> !certverify
12:47 < vpnHelper> krzee: "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
12:47 < krzee> (@ mrahab )
12:48 < mrahab> one sec, i believe i have already checked that though
12:49 < mrahab> I ran that on the server, it verified it correctly
12:49 < krzee> and the client...?
12:50 < mrahab> yes
12:50 < mrahab> that works as well
12:51 < mrahab> both using the same CA certificate that openvpn is configured to use
12:51 < krzee> md5's match on the ca.crt?
12:51 < mrahab> yes
12:52 < krzee> pastebin me both !certinfo and !certverify from both machines
12:52 < krzee> !cerinfo
12:52 < vpnHelper> krzee: Error: "cerinfo" is not a valid command.
12:52 < krzee> !certinfo
12:52 < vpnHelper> krzee: "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
12:52 -!- LobbyZ` [~default@188.72.255.194] has joined ##openvpn
12:53 < rob0> Ah, Finland, I bet mattock has gone home and forgotten/forsaken us.
12:54 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
12:54 -!- mode/##openvpn [+v Kas] by ChanServ
12:54 < krzee> theres always kas ;]
12:55 < rob0> aha yes
12:55 < mrahab> krzee: http://pastebin.org/105798
12:55 < mrahab> that's the server
12:55 < rob0> kas: do you (or someone else here) have moderator authority on the mailing lists? I posted to openvpn-devel a bit ago, maybe was not a subscribed address.
12:55 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
12:56 <+Kas> rob0: I do not personally but I will shoot an e-mail to James. What seems to be the issue?
12:57 < mrahab> http://pastebin.org/105813
12:57 < mrahab> client
12:58 -!- alpha [~alpha@41.224.128.248] has quit [Ping timeout: 276 seconds]
12:59 -!- alpha [~alpha@41.224.170.149] has joined ##openvpn
13:01 -!- LobbyZ` [~default@188.72.255.194] has quit [Ping timeout: 264 seconds]
13:01 < rob0> Kas, no big deal, he will probably approve it when he sees it.
13:01 -!- LobbyZ [~default@188.72.255.194] has quit [Ping timeout: 256 seconds]
13:02 < rob0> or it's gone into the void, in which case I might subscribe and repost.
13:03 < mrahab> krzee: any thoughts?  need any other info?
13:08 < mrahab> ls
13:10 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
13:20 < krzee> that error points to a problem with your certs
13:20 < krzee> rebuilt your certs from scratch following the howto
13:20 < krzee> !howto
13:20 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:21 < krzee> rebuild*
13:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
13:27 < mrahab> ok, i'll give that a try
13:28 -!- Gnewt [~hackerlet@li57-94.members.linode.com] has joined ##openvpn
13:29 < Gnewt> How can I limit my client's bandwidth to say 2GB/mo?
13:29 < krzee> firewall traffic accounting + static ip could do it
13:30 < Gnewt> cool, thanks
13:30  * Gnewt disappears. Lunchtime.
13:31 < krzee> basically, the same way youd accomplish the same thing if it werent a vpn
13:32 < krzee> then you can temporarily not allow the person to connect by using --disable in a ccd entry, or the firewall can simply not allow traffic from their vpn IP
13:32 < krzee> but you also must have your program disconnect them when they go over, that could be done through management interface
13:32 < krzee> enjoy lunch
13:43 < hyper_ch> lunchtime is one of my favourite times a day :)
13:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:43 < krzee> right up there with breakfast and dinner!
13:43 < krzee> =]
13:43 < hyper_ch> :)
13:52 -!- max_atreides [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has quit [Read error: Connection reset by peer]
13:52 -!- max_atreides [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has joined ##openvpn
14:06 -!- harovali [~harovali@r190-135-78-195.dialup.adsl.anteldata.net.uy] has joined ##openvpn
14:08 < harovali> hi , imagine I have a host that has 3 NICs , namely , lo , eth0 and tun0. Each has its IP. Another host acts as a server of telnetd. When I telnet to it from the former, the latter sees the IP of tun0. I'd like the latter to see the IP of eth0. How can that be achieved ?
14:13 < Gnewt> krzee: Okay, that makes enough sense. I see that Shorewall can shape traffic... but do you have any idea if it can also set caps?
14:13 < krzee> harovali, so you dont want traffic flowing over the vpn?
14:13 < krzee> i know nothing about shorewall
14:14 < krzee> but im sure a shorewall help channel would
14:16 < harovali> krzee: oh no, I wouldn't like that. I'd like traffic tunneled over the vpn, but I'd like tun0 interface not to be the primary source of tcp connections to the server
14:18 < harovali> I'd like the server to see the IP adresses of the eth intefaces in the local network of the client, if that is possible
14:18 < harovali> If I nat over the vpn , that won't happen , I'd imagine
14:22 < Bushmills> harovali: as you have a host route to server, traffic to server goes through your non-vpn interface
14:24 < Bushmills> (at least, traffic with destination of server NIC ip address)
14:26 < harovali> Bushmills: so I'd ensure that outgoing packets see the eth0 source interface to the vpn  before it would see the tun0 source interface route , is that approximately correct ?  
14:26 < harovali> Then , does the order of routes matter ?
14:26 < harovali> or simply there should be one right route ?
14:27 < Bushmills> destination matters. server NIC ip address differs from server VPN address
14:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
14:27 < krzee> order of routes doesnt matter, most specific route wins
14:27 < Bushmills> ping the one, packet goes through non-VPN. ping the other, traffic goes through VPN
14:27 < harovali> thanks
14:28 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
14:28 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
14:29 -!- LobbyZ` [~default@188.72.255.194] has joined ##openvpn
14:29 < harovali> But a doubt remains in my somwhat confused head : does the chosen route determine which originating IP does the server see ?
14:29 < krzee> which interface it leaves from does
14:29 < Bushmills> order should matter with overlapping destinations, but i believe you could call them "buggy routes"
14:30 < krzee> you can get routes in the table with overlapping destinations?
14:30 < harovali> krzee: and that is always determined by the winning route , right ?
14:30 < Bushmills> "chosen route determine which originating IP" - no guaranty. depends on OS
14:30 < krzee> harovali, correct
14:30 < krzee> which OS doesnt do like i said?
14:30 < harovali> Bushmills: what should I expect in linux ?
14:30 < krzee> ive seen linux sometimes not do it, couldnt figure out why tho
14:31 < harovali> krzee: routing nighmares are the worst of their kind
14:32 < krzee> never had it happen to me, so i couldnt know what they did prior to potentially cause it
14:33 < Bushmills> i think the problem occurs mostly when a service, which is bound to several interfaces, is used from one of those. 
14:33 -!- mrahab [~ahab@olsennetworking-1-pt.tunnel.tserv3.fmt2.ipv6.he.net] has left ##openvpn []
14:33 < Bushmills> reply packets may carry the wrong origin ip then 
14:34 < krzee> its the src packets that are wrong in those cases i speak of
14:34 < Bushmills> which is usally fine, as transaction has been completed already, by then
14:34 < krzee> the work-around is iroute (even tho no client lan over vpn)
14:34 < Bushmills> only some clients may complain about reply not seeming to come from the right server
14:35 < Bushmills> those may trigger some sort of spoof alert
14:35 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
14:35 < krzee> when its a client doing it, it triggers a MULTI error in server unless they iroute the clients lan ip
14:36 < krzee> which is ok unless they are a road warrior
14:37 -!- LobbyZ [~default@188.72.255.194] has quit [Quit: Free FTW]
14:37 -!- LobbyZ` is now known as LobbyZ
14:37 -!- LobbyZ [~default@188.72.255.194] has quit [Quit: Free FTW]
14:41 < harovali> oh wait : pings from an inner machine which routes its traffic over the vpn-connecting machine , will always have the correct originating IP. But the problem is very harsh when it comes to the pings coming from the very vpn-connecting machine , whose originating IP will never be the one that connects it to its inner network , but always the vpn one , is that right ? is this a known problem, with a known discussion ? 
14:42 < krzee> its not even a problem
14:42 < krzee> its how routing works
14:43 < krzee> you can nat it on the other side if it really matters, but im curious why you must be on the lan ip and cant show up on vpn up
14:43 < harovali> krzee: is there a way to fool that, tellin packets originating in the vpn-connecting host to have another interface's IP ?
14:43 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
14:43 < krzee> seems to be, because of a problem ive seen others have (basically, theirs did what you want)
14:44 < krzee> yet we never found the cause of their problem (your solution)
14:44 < harovali> krzee: if I imagine a solution you'll have you problem solved !
14:45 < krzee> exactly!
14:45 < krzee> but it would be a linux thing, not openvpn specific
14:45 < krzee> you want traffic to go out 1 interface but using SRC ip of other interface
14:45 < harovali> hmm true , but i'd be happy with a linux solution
14:45 < krzee> of course
14:46 < krzee> im just saying that so you know what type of channel / google to use
14:46 < harovali> yes , because I want the space of addresses of my lan to be seen by the server-over-the-vpn , including the routing machine
14:46 < Bushmills> sounds like something you'd do by routing
14:46 < harovali> is that crazy /wrong / bogus ?
14:47 < Bushmills> !route
14:47 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:47 < krzee> harovali, you're aware youd still have to reach the other side by VPN ip, right?
14:47 < krzee> Bushmills, he has the lan communicating already
14:47 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
14:48 < Bushmills> so what is missing then?
14:48 < harovali> krzee: oh yes, of course , but I'd like that to operate on a lower layer
14:48 < krzee> he wants his VPN client to use its LAN ip as its SRC when communicating over the VPN
14:48 < krzee> what lower layer?
14:48 < krzee> you will NEED to use the vpn ip of the server to access the server over the vpn from the client
14:48 < krzee> period
14:49 < harovali> krzee: in fact I'm accessing the server by the IP in its internal network , and it works 
14:49 < harovali> of course, pinging the ip on the other side of the vpn works too , but in this case , the server is an inner machine there
14:49 < krzee> oh right i forgot bout that, my bad... if you shared that lan as well that does work assuming ip forwarding enabled
14:50 < harovali> krzee: I think that is working with no nat
14:50 < krzee> ya it would
14:51 < krzee> only thing youd need to nat is the vpn ip of the client to the lan ip you want it to show up as
14:51 < harovali> I want both lans to see each other's members
14:51 < krzee> you can access the client by its lan ip as well
14:51 < harovali> yes , I want it
14:51 < krzee> but its source really should be the vpn ip
14:52 < harovali> well , it sould go through it, but after a route did its work , so that originating IP is eth0's
14:52 < krzee> huh?
14:54 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
15:02 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
15:10 -!- LobbyZ [~default@188.72.255.194] has quit [Quit: Free FTW]
15:16 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
15:17 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
15:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:33 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
15:38 -!- smerz [~daniel@smerz.demon.nl] has quit [Quit: Ex-Chat]
15:40 < Gnewt> How can I make my up.sh run as root?
15:41 < Bushmills> you don't. but you can let it execute  sudo command, and set command up to execute as root
15:42 < Bushmills> oh.- wrong. it *does* execute as root
15:46 -!- bandini [~bandini@host163-110-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn
15:47 < Bushmills> --down script doesn't
15:49 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
15:49 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
15:49 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
15:58 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
16:09 -!- bandini [~bandini@host163-110-dynamic.44-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
16:16 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 258 seconds]
16:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
16:40 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has joined ##openvpn
16:43 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
17:00 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has quit [Ping timeout: 268 seconds]
17:04 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
17:06 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 260 seconds]
17:08 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 258 seconds]
17:12 -!- ary [~quassel@200-122-74-15.cab.prima.net.ar] has joined ##openvpn
17:16 < ary> hi guys! I'm new in openvpn. I made an openvpn server inside of a virtual machine (with virtual box in bridge mode) Then I installed and configured an openvpn server. In my desktop I installed an openvpn client. In the side of the server all is ok. It started the TUN device with the default ip 10.8.0.1. But in the client side there is a problem when it try to conect: "read UDPv4 [EHOSTUNREACH]: No route to host (code=113)"
17:16 < ary> any idea?
17:27 -!- nachox [~imarambio@200.68.83.121] has quit [Ping timeout: 245 seconds]
17:28 < ary> I found my error. The problem is the initial firewall of centos. Iptables -F in the server side, solved my problem
17:28 < ary> ;)
17:31 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
17:31 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
17:31 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
17:36 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
17:38 < rob0> ary, /topic, "Your problem is your firewall, really." :)
17:39 < ecrist> lol
17:39 < ecrist> lots of people get bit by that one.
17:53 < ary> yes :)
17:53 -!- ary [~quassel@200-122-74-15.cab.prima.net.ar] has quit [Remote host closed the connection]
17:58 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
18:05 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
18:19 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has quit [Ping timeout: 256 seconds]
18:37 -!- tjz [~pc@bb121-6-13-102.singnet.com.sg] has joined ##openvpn
18:37 -!- tjz [~pc@bb121-6-13-102.singnet.com.sg] has quit [Changing host]
18:37 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
18:39 -!- harovali [~harovali@r190-135-78-195.dialup.adsl.anteldata.net.uy] has left ##openvpn []
19:15 -!- QbY [~Kelvin@c-24-126-145-123.hsd1.ga.comcast.net] has left ##openvpn ["Leaving"]
19:43 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
19:46 -!- GeekSquid [~hilaire@unaffiliated/fccf] has joined ##openvpn
19:47 -!- nassy [~nassy@207-172-163-225.s606.tnt4.nywnj.ny.dialup.rcn.com] has joined ##openvpn
19:47 -!- GeekSquid [~hilaire@unaffiliated/fccf] has left ##openvpn []
19:57 -!- nassy_ [~nassy@207-172-163-225.s606.tnt4.nywnj.ny.dialup.rcn.com] has joined ##openvpn
19:58 -!- nassy [~nassy@207-172-163-225.s606.tnt4.nywnj.ny.dialup.rcn.com] has quit [Read error: Connection reset by peer]
19:58 -!- nassy_ is now known as nassy
20:01 -!- nassy_ [~nassy@207-172-163-225.s606.tnt4.nywnj.ny.dialup.rcn.com] has joined ##openvpn
20:01 -!- nassy [~nassy@207-172-163-225.s606.tnt4.nywnj.ny.dialup.rcn.com] has quit [Read error: Connection reset by peer]
20:01 -!- nassy_ is now known as nassy
20:04 -!- BorisK_ [~name@p5B1269D2.dip.t-dialin.net] has joined ##openvpn
20:08 -!- BorisK [~name@p5B1260BD.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
20:51 -!- piju [~piju@120.140.28.214] has joined ##openvpn
20:51 -!- piju [~piju@120.140.28.214] has left ##openvpn []
21:09 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Remote host closed the connection]
21:32 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
22:29 -!- ojai [~ojai@c-67-166-58-214.hsd1.co.comcast.net] has joined ##openvpn
22:34 < ojai> Hi, sorry for the total n00b question but I think I'm running into a routing issue in my openvpn configuration.  I'm connecting just fine but can't ssh to any of the systems on my LAN.  My LAN's on 10.10.1.0/24 and my VPN's on 10.11.1.0/24.  I connect, get 10.11.1.6 (vpn server is 10.11.1.1) and doing a tcpdump on one of systems I'm trying to ssh into, I see the traffic and it's getting routed back to the VPN server's 10.10.1.0/24 IP but t
22:36 < ojai> here's my openvpn.conf: http://pastebin.com/73yuVaUz
22:37 < Bushmills> !route
22:37 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
22:38 < Bushmills> !firewall
22:38 < vpnHelper> Bushmills: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
22:40 < Bushmills> i suppose the server doesn't have a back route to the clients through vpn 
22:44 < ojai> actually, now that I look at it, I don't know what's going on.  the openvpn server has tun0 set to 10.11.1.1 but here is that system's routing table.  it has a couple entries for 10.11.1.2.  http://pastebin.com/5PC9Viab
22:45 < ojai> and the client's gw for 10.11.1.0/24 is set to 10.11.1.5
22:45 < ojai> I have no idea what 10.11.1.2 and 10.11.1.5 are (again, sorry, openvpn n00b)
22:48 < Bushmills> look at output of  ifconfig tun0
22:50 < Bushmills> 10.10.1.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0   is probably why packets don't go back to your clients
22:50 < Bushmills> oh well. the instructions in the Routing document tell you all about it, I suppose
22:52 < Bushmills> in short, routing is not stateful, as would be NAT, for example.  means, you have to take care of routing both ways 
22:53 < ojai> ah, OK, I see "P-t-P:10.11.1.2" on tun0...  
22:54 < Bushmills> that explains it?
22:55 -!- BorisK_ [~name@p5B1269D2.dip.t-dialin.net] has quit [Read error: Connection reset by peer]
22:55 -!- chester31 [~bla@did75-16-88-162-137-34.fbx.proxad.net] has joined ##openvpn
23:00 -!- chester31 [~bla@did75-16-88-162-137-34.fbx.proxad.net] has quit [Ping timeout: 265 seconds]
23:01 < ojai> no but at least that showed 10.11.1.2...
23:04 -!- PrinceAmjad [~zjb@87.109.195.15] has quit []
23:04 -!- PrinceAmjad [~zjb@87.109.195.15] has joined ##openvpn
23:07 -!- PrinceAmjad [~zjb@87.109.195.15] has quit [Client Quit]
23:08 -!- Amjad [~zjb@87.109.195.15] has joined ##openvpn
23:10 -!- Amjad is now known as PrinceAmjad
23:13 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
23:13 < ojai> OK, I realised that my openvpn server didn't have IP forwarding enabled and have fixed that
23:18 < ojai> I can ssh to 10.11.1.1 from the client and the client (10.11.1.6) from the openvpn server but can't do anything more than that
23:19 < ojai> and correct me if I'm wrong, but http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing isn't 100% applicable to having a single client trying to connect to a single LAN
23:20 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
23:23 < Bushmills> same principles apply
23:24 < Bushmills> trick is probably, not blindly following instructions, but develop an understanding what they are for
23:24 -!- newtech_ [~newtech@41.226.214.71] has joined ##openvpn
23:26 -!- newtech [~newtech@41.226.104.136] has quit [Ping timeout: 245 seconds]
23:27 < ojai> yeah, I get that but it's not making sense to me.  I'm not seeing any "bad source address from client" errs in my syslog.  I just don't know what else to look at
23:29 < Bushmills> how are packets routed back to your client?
23:31 < Bushmills> "no but at least that showed 10.11.1.2..."    vpn server (clients too) need a concept of "other end of tunnel"
23:31 < Bushmills> similar to the ip address of the machine on the other end, without actually being from that machine
23:32 < Bushmills> that's that P-t-P address
23:32 < Bushmills> by that, software knows that referring to that address means "not here"
23:32 < ojai> OK, so outbound traffic destined for clients should have the default gw of 10.11.1.2 then?
23:33 < Bushmills> sounds good
23:33 < ojai> OK, so then the current routing table is correct: 10.11.1.0       10.11.1.2       255.255.255.0   UG        0 0          0 tun0
23:34 < ojai> and I can ssh into the client from the openvpn server so we know that that works
23:35 < Bushmills> weren't your clients on 10.10.x.x?
23:35 < ojai> no, the LAN is 10.10.1.x.  clients are 10.11.1.x
23:36 < ojai> ah shit, I'm an idiot.  sorry for wasting your time.  fw misconfig
23:38 -!- ojai [~ojai@c-67-166-58-214.hsd1.co.comcast.net] has quit [Quit: ojai has no reason]
23:42 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
23:50 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Ping timeout: 264 seconds]
--- Day changed Tue Mar 09 2010
00:02 -!- PeterFA [~Peter@2002:1871:8ebb:1234:21a:73ff:fe3b:d510] has joined ##openvpn
00:02 -!- PeterFA [~Peter@2002:1871:8ebb:1234:21a:73ff:fe3b:d510] has quit [Changing host]
00:02 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
00:29 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Read error: Connection reset by peer]
00:30 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
00:37 -!- theDoc_ [~jaki@121.123.137.46] has joined ##openvpn
00:38 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Read error: Connection reset by peer]
00:42 -!- theDoc_ [~jaki@121.123.137.46] has quit [Ping timeout: 264 seconds]
00:55 -!- alpha [~alpha@41.224.170.149] has quit [Ping timeout: 260 seconds]
00:55 -!- alpha [~alpha@41.224.80.77] has joined ##openvpn
01:06 -!- mape2k [~mape2k@2001:6f8:997:1000:21e:37ff:fe90:fbfd] has joined ##openvpn
01:08 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:09 -!- mode/##openvpn [+o mattock] by ChanServ
01:09 -!- alpha [~alpha@41.224.80.77] has quit [Quit: Quitte]
01:40 -!- kurt_ [~kurt@astound-69-42-7-19.ca.astound.net] has quit [Quit: kurt_]
01:50 -!- ScriptFanix [vincent@Tuluk.riquer.fr] has quit [Ping timeout: 256 seconds]
01:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
01:55 -!- ScriptFanix [vincent@Tuluk.riquer.fr] has joined ##openvpn
02:41 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
02:44 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
02:49 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:56 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
03:02 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 240 seconds]
03:11 -!- master_of_master [~master_of@p57B54084.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
03:12 -!- master_of_master [~master_of@p57B57D0C.dip.t-dialin.net] has joined ##openvpn
03:15 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
03:17 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
03:22 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
03:24 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
03:32 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
03:47 -!- stefanlsd [~stefanlsd@ecstasy.lsd.co.za] has left ##openvpn ["WeeChat 0.2.6.3"]
04:24 -!- smerz [~daniel@smerz.demon.nl] has quit [Remote host closed the connection]
04:56 -!- wassup [wassup@czoko.eu] has joined ##openvpn
04:56 < wassup> hi
04:56 < wassup> !welcome
04:56 < vpnHelper> wassup: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:57 < macsppadic> hi wassup 
04:57 < wassup> hi macsppadic 
04:57 < wassup> I was thinking it was my firewall, really
04:58 < wassup> but it's not
04:58 < wassup> does anyone possibly know why on freebsd with openvpn started I can bind to the ports on the interface, but I cannot telnet to them from the localhost? 
04:58 < wassup> although I can telnet to them from other machines in the network
04:59 < wassup> my firewall rules are 'pass all'
05:03 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 265 seconds]
05:04 < newtech_> hello
05:05 -!- dazo_afk is now known as dazo
05:05 < newtech_> is it possible to use the same tcp server port to connect many clients in the same time? if yes, how? thks
05:07 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
05:15 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
05:18 < cron2> newtech_: uh, "just do it"?
05:18 < dazo> newtech_:  if using --mode server, that should work out of the box ... I hope you're aware of drawbacks with tcp, though
05:18 < dazo> !tcp
05:18 < vpnHelper> dazo: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
05:28 -!- wassup [wassup@czoko.eu] has left ##openvpn []
05:57 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:11 -!- nassy [~nassy@207-172-163-225.s606.tnt4.nywnj.ny.dialup.rcn.com] has quit [Quit: nassy]
06:19 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 258 seconds]
06:21 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
06:32 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
06:33 -!- nachox [~imarambio@200.68.83.121] has joined ##openvpn
06:38 < |Mike|> okay guys, who here as experience with rsyslogd over openvpn ?
06:40 -!- Deepy [deepy@wrongplanet/deepa] has quit [Ping timeout: 246 seconds]
06:41 < |Mike|> lol, while asking i found the solutions :P
06:42 -!- Deepy [~deepy@magician.snakeporno.com] has joined ##openvpn
06:43 -!- max_atre1des [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has joined ##openvpn
06:43 -!- max_atreides [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has quit [Read error: Connection reset by peer]
06:45 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
06:51 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
07:02 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Read error: Connection reset by peer]
07:03 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
07:13 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Remote host closed the connection]
07:18 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
07:21 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
07:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
07:37 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 245 seconds]
07:50 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
07:54 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
08:00 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
08:07 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
08:32 -!- temba [~temba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
08:32 < temba> hello, is it possible to say in the openvpn.config that logfile will be rotated / deleted when grown to 2 megabyte ?
08:34 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
08:39 < macsppadic> hello temba can u not setup a logrotate setup for that?
08:40 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
08:42 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 256 seconds]
08:46 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
08:58 -!- Deepy [~deepy@magician.snakeporno.com] has quit [Changing host]
08:58 -!- Deepy [~deepy@wrongplanet/deepa] has joined ##openvpn
09:10 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
09:12 -!- jfkw [~jtk@24.216.241.93] has joined ##openvpn
09:18 < dazo> temba:  nope ... you need logrotate ... or let syslog take care of logging
09:20 < temba> thanks
09:20 -!- temba [~temba@188-193-22-46-dynip.superkabel.de] has quit [Quit: Verlassend]
09:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:28 -!- jfkw [~jtk@24.216.241.93] has quit [Quit: leaving]
09:34 -!- Diffen2 [~diffen2@mail.feab.se] has joined ##openvpn
09:43 -!- nachox [~imarambio@200.68.83.121] has left ##openvpn ["Saliendo"]
09:48 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
09:50 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
10:03 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 260 seconds]
10:16 -!- nachox [~imarambio@200.68.83.121] has joined ##openvpn
10:18 < nachox> guys, does the redirect-gateway option work on windows? i have a windows client that is connecting to an openvpn with the push “redirect-gateway def1″ directive and my windows server is still going out through the regular gateway
10:20 < nachox> ok, i forgot to turn on the forwarding in the linux server. shame on me. Lets see if it works now
10:20 -!- nachox [~imarambio@200.68.83.121] has quit [Client Quit]
11:04 -!- jfkw [~jtk@24.216.241.93] has joined ##openvpn
11:10 -!- mape2k [~mape2k@2001:6f8:997:1000:21e:37ff:fe90:fbfd] has quit [Read error: Operation timed out]
11:12 -!- sdlfk [~lkjdfsg@212.183.140.53] has quit [Ping timeout: 265 seconds]
11:18 -!- sdlfk [~lkjdfsg@212.183.140.98] has joined ##openvpn
11:20 -!- PrinceAmjad [~zjb@87.109.195.15] has quit []
11:25 -!- max_atreides [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has joined ##openvpn
11:25 -!- max_atre1des [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has quit [Read error: Connection reset by peer]
11:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
11:34 -!- PrinceAmjad [~zjb@87.109.195.15] has joined ##openvpn
11:37 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
11:37 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
11:37 -!- NickWebHA [~nick@2002:ad38:149d:0:78b2:17ff:fe30:d1f6] has joined ##openvpn
11:39 < NickWebHA> I already have a working bridged server running. Is there any way to use the VPN as my default for only one or two clients instead of all of them?
11:40 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
11:42 -!- PrinceAmjad [~zjb@87.109.195.15] has quit []
11:42 -!- Amjad [~zjb@87.109.195.15] has joined ##openvpn
11:44 -!- Amjad is now known as PrinceAmjad
11:47 < hyper_ch> NickWebHA: use CCDs and push according directions to the individual clients
11:47 < hyper_ch> !ccd
11:47 < vpnHelper> hyper_ch: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
11:48 < NickWebHA> I thought of that but then I thought the configuration for gateway redirection was purely server side? No? Which directive would I push to the client?
11:48 < hyper_ch> don't do the def1 on clients you don't want to have completely routed through the vpn
11:49 < hyper_ch> and push the def1 on clients that you want to have completely routed
11:49 < hyper_ch> set also nameserver
11:49 < hyper_ch> and maybe other stuff
11:50 < hyper_ch> in one ccd entry I only have this:  
11:50 < hyper_ch> ifconfig-push 10.8.0.4 10.8.0.5
11:50 < hyper_ch> push "route 10.8.0.0 255.255.255.0"
11:50 < hyper_ch> that pushes an IP to my client
11:50 < hyper_ch> and pushes the route
11:50 < hyper_ch> so it can access the vpn network
11:50 < hyper_ch> but all stuff is generally not routed through the vpn
11:51 < hyper_ch> and this one here is routed completely through the vpn: http://www.pastebin.org/107581
11:53 < NickWebHA> Thank you. I will experiment with these.
11:54 < hyper_ch> of course use vpn settings that you have in use :) I use the 10.8.0.0 net for it :)
12:16 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
12:19 -!- NickWebHA [~nick@2002:ad38:149d:0:78b2:17ff:fe30:d1f6] has left ##openvpn []
12:20 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 265 seconds]
12:27 < Bushmills> hi, oath-cooperator  (or would what translate to  "oath companion"?
12:29 -!- s34n [~chatzilla@ip-208-76-93-125.mvdsl.com] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.8/20100216105410]]
12:31 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has joined ##openvpn
12:36 -!- max_atreides [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has quit [Ping timeout: 245 seconds]
12:38 -!- max_atreides [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has joined ##openvpn
12:41 -!- Gnewt [~hackerlet@li57-94.members.linode.com] has left ##openvpn []
12:46 -!- Diffen2 [~diffen2@mail.feab.se] has quit [Ping timeout: 264 seconds]
12:50 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
12:58 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
13:17 -!- max_atre1des [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has joined ##openvpn
13:20 -!- max_atreides [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has quit [Ping timeout: 245 seconds]
13:32 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
13:41 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
13:49 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
13:57 -!- dazo is now known as dazo_afk
14:06 -!- smerz [~daniel@smerz.demon.nl] has quit [Remote host closed the connection]
14:23 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:27 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Read error: Operation timed out]
14:29 -!- PeterFA [~Peter@24-113-142-187.wavecable.com] has joined ##openvpn
14:29 -!- PeterFA [~Peter@24-113-142-187.wavecable.com] has quit [Changing host]
14:29 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
14:42 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
14:46 -!- Beber` [~Beber@2a01:e35:1394:d920:34::11] has joined ##openvpn
14:46 < Beber`> Hi
14:46 < Beber`> is it possible to annonce route (or push route) at any time
14:46 < Beber`> not just at tunnel initialisation ?
14:47 < rob0> If the client is running as non-root, it can't change routes after dropping privilege.
14:48 < Beber`> you'r right
14:48 < Beber`> but else ?
14:49 < rob0> If the client is running as root, it can change routes anytime.
14:50 < Beber`> but how to push the route from the server ?
14:51 < krzee> well
14:54 < krzee> through the VPN, only when the client connects
14:54 < krzee> however, you can just add a route manually
14:54 < krzee> the only way thats not going to work is if you also need an iroute, which is only the case if the route is for a lan behind a client
14:55 < Beber`> the goal is to push bpg routes to clients dinamycally
14:55 < Beber`> dynamically
14:56 < krzee> ahh
14:56 < krzee> !riproute
14:56 < vpnHelper> krzee: Error: "riproute" is not a valid command.
14:56 < krzee> !rip
14:56 < vpnHelper> krzee: "rip" is http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting for a writeup on using RIP in openvpn
14:56 < krzee> thats not about bgp, but you may find it interesting
14:56 < Beber`> yes of course
14:57 < Beber`> this add clients ip to servers annonce
14:57 < Beber`> I'd like to do the oposite
14:59 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
15:02 < krzee> well it uses a routing daemon to add routes
15:03 < krzee> and in that setup there is no client/server
15:03 < krzee> he found that he had to use ptp mode to make it work
15:03 < krzee> i remember explaining the iroute stuff to him when he was working on it, but i hadnt realized that ptp would make it work
15:05 < Beber`> I want to add route on clients via a push route
15:05 < Beber`> I don't want to have rip/quagga on client side
15:08 < krzee> there is something you can do via management interface to have them reload I THINK
15:08 < krzee> iirc i read about it not too long ago
15:08 -!- Rolybrau [~Rolybrau@82-255.3-85.cust.bluewin.ch] has joined ##openvpn
15:08 -!- Rolybrau [~Rolybrau@82-255.3-85.cust.bluewin.ch] has quit [Changing host]
15:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:11 < krzee> omfg my eyes are on fire
15:16 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
15:23 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
15:28 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: Leaving]
15:30 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 248 seconds]
15:31 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
15:31 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
15:31 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
15:36 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: Connection reset by peer]
15:51 -!- max_atreides [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has joined ##openvpn
15:54 -!- max_atre1des [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has quit [Ping timeout: 256 seconds]
15:57 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: Leaving]
16:25 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
16:38 -!- accipter [~albert@dhcp-208-115.ce.utexas.edu] has joined ##openvpn
16:48 < accipter> is having ifconfig report "tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00" bad?
16:57 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has quit [Ping timeout: 252 seconds]
17:17 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:25 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
17:27 < Bushmills> no
17:31 < accipter> thanks
17:31 -!- accipter [~albert@dhcp-208-115.ce.utexas.edu] has left ##openvpn []
18:33 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 265 seconds]
18:53 -!- MatToufoutu [mattoufout@unaffiliated/mattoufoutu] has left ##openvpn ["Quitte"]
19:04 -!- max_atre1des [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has joined ##openvpn
19:07 -!- max_atreides [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has quit [Ping timeout: 264 seconds]
19:09 -!- tjz [~pc@bb116-15-47-200.singnet.com.sg] has joined ##openvpn
19:09 -!- tjz [~pc@bb116-15-47-200.singnet.com.sg] has quit [Changing host]
19:09 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
19:47 -!- nassy [~nassy@207-172-163-225.s606.tnt4.nywnj.ny.dialup.rcn.com] has joined ##openvpn
19:47 -!- seva [~seva@glivorem.com] has joined ##openvpn
19:49 < seva> i have a pretty basic openvpn setup, it seems to be working, but i am having trouble going further out over the vpn to the hosts on the lan
19:49 < seva> the config on one side is http://pastebin.com/nKFAhVCa
19:50 < seva> the other side is the same except the addition of "remote IP.AD.D.R"
19:50 < seva> this is on linux 2.6 i have set the net.ipv4.ip_forward to 1
19:50 < seva> i can ping each side from the other
19:50 < seva> but not through it
19:51 < seva> oh..
19:51 < seva> nm, i don't think i added routes to the other hosts
20:04 < seva> yep, sorry about the noise :)
20:04 -!- seva [~seva@glivorem.com] has left ##openvpn []
20:14 -!- corretico_ [~laguilar@201.201.46.106] has joined ##openvpn
20:16 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 240 seconds]
20:19 < oc80z> noise is good.
20:20 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
20:39 -!- max_atreides [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has joined ##openvpn
20:42 -!- max_atre1des [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has quit [Ping timeout: 245 seconds]
20:44 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
21:20 -!- joh_ [johannj@caracal.stud.ntnu.no] has joined ##openvpn
21:21 -!- uchimata_ [~uchimata@HSI-KBW-095-208-192-010.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
21:25 -!- Netsplit *.net <-> *.split quits: uchimata, joh, freaky[t]
21:28 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
21:28 -!- uchimata [~uchimata@HSI-KBW-095-208-192-010.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
21:28 -!- uchimata [~uchimata@HSI-KBW-095-208-192-010.hsi5.kabel-badenwuerttemberg.de] has quit [Ping timeout: 277 seconds]
21:56 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
21:58 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: Stops working when I reboot Server 2008 :: Reply by moored99 <http://www.ovpnforum.com/viewtopic.php?f=4&t=2800&p=3747#p3747> || Scripting and Customizations :: Re: OpenVPN and (Free)Radius :: Reply by Liquido <http://www.ovpnforum.com/viewtopic.php?f=15&t=3130&p=3744#p3744>
22:02 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
22:13 < krzee> http://www.engadget.com/2010/03/09/1024-bit-rsa-encryption-cracked-by-carefully-starving-cpu-of-ele/
22:13 < vpnHelper> Title: 1024-bit RSA encryption cracked by carefully starving CPU of electricity -- Engadget (at www.engadget.com)
22:14 -!- p3rror [~Ali@2001:5c0:1400:b::6485] has joined ##openvpn
22:14 < p3rror> hello
22:15 < krzee> hello
22:19 < p3rror> please i have a question
22:20 < p3rror> well i like openvpn
22:20 < p3rror> so i'm trygin to develop a monitoring solution
22:20 < krzee> you will likely want the management interface
22:21 < krzee> see --management in the manual
22:21 < p3rror> :)
22:21 < p3rror> krzee, thanks
22:21 < p3rror> krzee, but i dev a script that do the job
22:21 < p3rror> http://github.com/mezgani/ovpnview
22:21 < vpnHelper> Title: mezgani's ovpnview at master - GitHub (at github.com)
22:21 < krzee> you're welcome
22:22 < krzee> ahh cool
22:22 < krzee> --management is designed to be used by scripts
22:22 < p3rror> it's a python script based on socket
22:22 < p3rror> so the script connect using TCP to management console
22:22 < p3rror> and send raw command
22:22 < krzee> ohh
22:22 < p3rror> like what we did interactively 
22:22 < krzee> you already do you --management with your script then =]
22:23 < p3rror> =)
22:24 < p3rror> but my question is over
22:24 < p3rror> i need to monitor some LANS
22:24 < p3rror> so i have to install many monitoring tools on these LANs
22:24 < p3rror> every LAN has a DMZ of course
22:25 < p3rror> so is there any solution to do this with many instance of openvpn
22:25 < p3rror> so we can name it the openvpn cloud
22:26 < krzee> couldnt you just vpn the lans together and use nagios or opennms or something?
22:26 < p3rror> yep that is
22:26 < krzee> or zabbix or something...
22:26 < p3rror> i'll use nagios
22:26 < krzee> ok so i dont see what you're missing then
22:26 < p3rror> so the simple idea is too install client on each LANS
22:27 < krzee> right
22:27 < krzee> !route
22:27 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
22:27 < krzee> like that basically
22:27 < krzee> you could likely make a nagios plugin that uses your python script
22:28 < krzee> that would be pretty awesome
22:28 < vpnHelper> New forum entry openvpnforum: Server Administration :: Re: Stops working when I reboot Server 2008 :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=4&t=2800&p=3748#p3748> || Scripting and Customizations :: Re: OpenVPN and (Free)Radius :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=15&t=3130&p=3749#p3749> || Off Topic, Related :: Re: unable to connect to NW :: Reply by krzee <http://www.ovpnforum.com/viewtopic
22:28 < krzee> oh lol you already made one!
22:29 < krzee> http://securfox.wordpress.com/2009/04/24/openvpn-nagios-pluging/
22:29 < vpnHelper> Title: Openvpn nagios pluging « Mezgani blog (at securfox.wordpress.com)
22:29 < krzee> i see mezgani there as well as in your link to your script
22:29 < p3rror> =)
22:29 < p3rror> i like nagios too
22:29 < krzee> that link i just pasted was from you?
22:30 < p3rror> which one ?
22:30 < krzee> http://securfox.wordpress.com/2009/04/24/openvpn-nagios-pluging/
22:30 < vpnHelper> Title: Openvpn nagios pluging « Mezgani blog (at securfox.wordpress.com)
22:30 < p3rror> krzee, it's my blog
22:30 < krzee> haha thats awesome, it happened to be first hit for google: nagios openvpn plugin
22:31 < p3rror> yep =) i'm lucky 
22:33 -!- p3rror [~Ali@2001:5c0:1400:b::6485] has quit [Read error: Operation timed out]
22:33 < krzee> !learn nagios as http://securfox.wordpress.com/2009/04/24/openvpn-nagios-pluging/ for info on hooking openvpn into nagios
22:33 < vpnHelper> krzee: Joo got it.
22:43 -!- PrinceAmjad [~zjb@87.109.195.15] has quit [Ping timeout: 256 seconds]
22:47 -!- p3rror [~Ali@2001:5c0:1000:b::57ab] has joined ##openvpn
22:48 -!- PrinceAmjad [~zjb@87.109.252.36] has joined ##openvpn
22:49 -!- y5 [~danh@i.dont.get.mad.i.get.stabby.net] has quit [Quit: leaving]
22:50 -!- p3rror [~Ali@2001:5c0:1000:b::57ab] has quit [Read error: Operation timed out]
22:55 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has joined ##openvpn
22:58 -!- jfkw [~jtk@24.216.241.93] has quit [Quit: leaving]
22:59 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has quit [Ping timeout: 240 seconds]
23:05 -!- p3rror [~Ali@2001:5c0:1000:b::57ff] has joined ##openvpn
23:58 < vpnHelper> New forum entry openvpnforum: My VPN :: Re: openwrt openvpn simple server-to-server configuration :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=13&t=1338&p=3753#p3753>
--- Day changed Wed Mar 10 2010
00:00 -!- newtech__ [~newtech@41.230.149.150] has joined ##openvpn
00:01 < krzee> p3rror, i added this:
00:01 < krzee> !nagios
00:01 < vpnHelper> krzee: "nagios" is http://securfox.wordpress.com/2009/04/24/openvpn-nagios-pluging/ for info on hooking openvpn into nagios
00:01 < krzee> thanx for writing it =]
00:02 -!- newtech_ [~newtech@41.226.214.71] has quit [Ping timeout: 246 seconds]
00:10 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
00:10 < theDoc> Anyone has an idea what ipv6 support for openvpn is like at the moment?
00:11 < krzee> !ipv6
00:11 < vpnHelper> krzee: "ipv6" is (#1) http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_OpenVPN_Tunnelbroker.php?lang=en to learn how to setup openvpn to be an ipv6 tunnel broker, or (#2) Here are some scripts from the mail list: http://article.gmane.org/gmane.network.openvpn.user/27514 or from a mirror: http://www.ircpimps.org/join-0.8.tar, or (#3) http://www.greenie.net/ipv6/openvpn.html for ipv6 payload patch
00:12 < vpnHelper> krzee: (adds some nice ipv6 options)
00:12 < krzee> see #3
00:17 < theDoc> Cheers, thanks krz.
00:17 < krzee> np
00:19 < p3rror> krzee, yep good job :)
00:21 < theDoc> Might be looking into provisioning ipv6 connectivity to clients.
00:21  * theDoc grumbles.
00:22 < krzee> ahh cool
00:26 -!- p3rror [~Ali@2001:5c0:1000:b::57ff] has quit [Ping timeout: 268 seconds]
00:37 -!- p3rror [~Ali@2001:5c0:1000:b::56bb] has joined ##openvpn
00:41 < krzee> p3rror, your openview is different from https://sourceforge.net/projects/openvpn-status/ right?
00:41 < vpnHelper> Title: OpenVPN-Status | Get OpenVPN-Status at SourceForge.net (at sourceforge.net)
00:42 < krzee> i see your link to it...
00:42 < p3rror> it's the same
00:43 < p3rror> i make some change and i rename it ovpnview
00:43 < krzee> ahh
00:52 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has joined ##openvpn
01:01 -!- p3rror [~Ali@2001:5c0:1000:b::56bb] has quit [Read error: Operation timed out]
01:01 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
01:04 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 240 seconds]
01:09 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:09 -!- mode/##openvpn [+o mattock] by ChanServ
01:12 < theDoc> Yay, new verisign cert to sign my website and billing portal.
01:12 < theDoc> \o/
01:15 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
01:16 -!- p3rror [~Ali@2001:5c0:1000:b::5217] has joined ##openvpn
01:24 -!- stein0 [~stein@mail.vgnett.no] has quit [Ping timeout: 246 seconds]
01:25 -!- stein0 [~stein@mail.vgnett.no] has joined ##openvpn
01:27 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has quit [Ping timeout: 245 seconds]
01:34 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
01:35 -!- corretico_ [~laguilar@201.201.46.106] has quit [Ping timeout: 240 seconds]
01:43 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Remote host closed the connection]
01:48 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
02:14 -!- p3rror [~Ali@2001:5c0:1000:b::5217] has quit [Ping timeout: 268 seconds]
02:19 -!- mrnice1 [bouncer@ip077244250141.rev.nessus.at] has quit [Ping timeout: 256 seconds]
02:21 -!- jmm_ [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
02:21 -!- mrnice1 [bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
02:24 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Ping timeout: 256 seconds]
02:24 -!- ahf [ahf@irssi/staff/ahf] has quit [Ping timeout: 256 seconds]
02:25 -!- ahf [ahf@irssi/staff/ahf] has joined ##openvpn
02:28 -!- dazo_afk is now known as dazo
02:39 < cron2> theDoc: what operating system do you use?
02:42  * krzee would gamble its linux
02:43 < cron2> chances are high, but if Linux, which distribution?
02:44 < cron2> (Reason for me asking: there's a Gentoo ebuild and a Debian package available for OpenVPN-with-IPv6)
02:44 < cron2> and a FreeBSD port, of course :)
02:45 < krzee> oh, interesting
02:46 < krzee> hrm, i wonder if it uses that patch or not
02:47 < krzee> freebsd port...
02:48 < krzee> root@hemp:/usr/ports/security> ls|grep openvpn
02:48 < krzee> openvpn
02:48 < krzee> openvpn-admin
02:48 < krzee> openvpn-auth-ldap
02:48 < krzee> openvpn-devel
02:51 < dazo> krzee:  openvpn-devel is ecrist work :)
02:51 < cron2> krzee: what he said :)
02:52 < krzee> really?
02:52 < dazo> krzee:  yeah ... ecrist has become the openvpn-devel package maintainer for FreeBSD, and it's based on openvpn-testing.git
02:52 < cron2> krzee: yes.  It's dazo's openvpn-testing git, snapshotted and packed as a FreeBSD port by ecrist
02:52 < cron2> hrhr :)
02:52 < dazo> heh
02:53 < krzee> coolness
02:53 < dazo> yeah, might even call it progress :-P
02:53 < krzee> sure would
03:00 -!- teddymills [~teddy@208.92.235.227] has quit [Read error: Connection reset by peer]
03:01 -!- teddymills [~teddy@208.92.235.227] has joined ##openvpn
03:10 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
03:10 -!- master_of_master [~master_of@p57B57D0C.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
03:12 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 256 seconds]
03:12 -!- master_of_master [~master_of@p57B56902.dip.t-dialin.net] has joined ##openvpn
03:23 -!- max_atreides [~mooja@cpe-68-172-220-51.hvc.res.rr.com] has quit [Read error: Operation timed out]
03:45 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
04:08 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
04:37 -!- newtech__ [~newtech@41.230.149.150] has quit [Ping timeout: 268 seconds]
04:50 -!- newtech [~newtech@41.227.113.234] has joined ##openvpn
05:37 -!- nassy [~nassy@207-172-163-225.s606.tnt4.nywnj.ny.dialup.rcn.com] has quit [Quit: nassy]
05:50 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
06:22 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:26 < krzee> hey do we support openvpn-AS on the forum?  if so we should make a separate category for it, if not we should make a note of that
06:26 < krzee> ecrist, thoughts?
06:29 < vpnHelper> New forum entry openvpnforum: Installation Help :: Re: Can't access Admin Panel :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=5&t=2747&p=3762#p3762>
06:36 < dazo> krzee:  I'd says that the community shouldn't necessarily support commercial products ... that's kind why customers do pay for a product, isn't it?
06:37 < krzee> cool
06:37 < krzee> ild have no problem helping people with it, but it doesnt take standard configs nor does it output standard logs, so its a different app to me
06:38 < krzee> which i dont care to learn
06:45 -!- Pastoolio [~null@blowfish.x86.co.za] has joined ##openvpn
06:45 < Pastoolio> hey guys
06:45 < Pastoolio> is there a way to push routes a windows 7 machine?
06:46 < gorkhaan> yes there is.
06:46 < Pastoolio> i tried with options: float, route-method exe, and route-delay 2 
06:46 < Pastoolio> but it doesn't seem very happy
06:47 < Pastoolio> gorkhaan: can you point me to where there is info? :)
06:47 < gorkhaan> !route
06:47 < vpnHelper> gorkhaan: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
06:47 < krzee> erm
06:47 < krzee> thats for lans behind vpn endpoints
06:47 < Pastoolio> *click*
06:48 < Pastoolio> i have that already
06:48 < Pastoolio> it pushes routes fine to my XP machines
06:48 < krzee> you are saying you are pushing routes to a windows client and the route command errors in logs?
06:48 < Pastoolio> but not to windows 7
06:48 < Pastoolio> krzee: yes it does, only on my windows 7 laptop
06:48 < Pastoolio> the routes push to windows XP
06:48 < krzee> !configs
06:48 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
06:48 < krzee> !logs
06:48 < vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
06:49 < krzee> only need log from the client in question
06:49 < krzee> but both configs
06:49 < Pastoolio> ok, hold on
06:49 < gorkhaan> it have to work, maybe UAC hold the Route rules back
06:49 < gorkhaan> run openvpn as admin.
06:49 < gorkhaan> ( or openvpn gui )
06:49 < krzee> oh right that could definitely be it
06:49 < krzee> also the routing and remote access service has been known to screw stuff up
06:50 < krzee> !winroute
06:50 < vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access
06:50 < Pastoolio> i tried that
06:50 < Pastoolio> let me try to run it as admin
06:51 < krzee> ohh
06:51 < krzee> ya it most certainly needs to be ran as admin
06:51 < gorkhaan> yepp
06:51 < krzee> in all OS
06:51 < Pastoolio> omg it works :( sorry for bothering you guys with my idiocy
06:51 < gorkhaan> its okay, happy to help
06:52 < Pastoolio> thanks guys, laters.
06:52 -!- Pastoolio [~null@blowfish.x86.co.za] has left ##openvpn []
06:52 < krzee> yup, np
06:54 -!- dazo is now known as dazo|afk
06:56 < krzee> !learn winroute as make sure you are running openvpn as admin
06:56 < vpnHelper> krzee: Joo got it.
06:58 < gorkhaan> let's try it. 
06:58 < gorkhaan> !winroute
06:58 < vpnHelper> gorkhaan: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
06:59 < gorkhaan> I like this bot. :D
06:59 < krzee> me too =]
06:59 < krzee> what i love is what ecrist did:
06:59 < krzee> !factoids
06:59 < vpnHelper> krzee: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
06:59 < gorkhaan> let see
07:01 < ecrist> my php skillz are 1337
07:01 < ecrist> ;)
07:01 < gorkhaan> :D
07:02 < ecrist> krzee: did I tell you I have fs up and running on freebsd with a PRI?
07:02 < krzee> yup
07:02 < krzee> you went with a diff T1 card iirc
07:03 < ecrist> yeah, OpenVox and dahdi port came out in-tandem. :)
07:04 < krzee> =]
07:25 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has joined ##openvpn
07:30 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has quit [Ping timeout: 276 seconds]
07:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
07:34 -!- FinnTux [~smr@et456.netikka.fi] has joined ##openvpn
07:44 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
07:46 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
07:51 < atlantic> is it possible to set up that for a given OpenVPN user only a subset of push routes are coming up, and not all?
07:54 < krzee> you could push the routes only to the users who should get them by putting them in ccd entries
07:54 < krzee> !ccd
07:54 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
07:56 < atlantic> krzee: thanks, it is a good starting point, I read it
07:56 < FinnTux> I have site-to-site bridge working reat apart from one small problem. A laptop that used on bot sites works only from siteB -> siteA (siteA=server and siteB is connecting client). 
07:56 < FinnTux> both sites*
07:57 < FinnTux> manually changing MAC address while in siteA and renewing IP makes it work again until it is used in siteB again (or so I think)
07:58 < FinnTux> all dekstop machines are working ok all the time
07:58 < FinnTux> desktop*
07:59 < krzee> im of no help with tap devices
08:00 < krzee> havnt used bridge much, but stick around im sure someone who is good with bridges will come around
08:02 < FinnTux> yup, I'll wait. thx
08:02 -!- Blues-Man [~bluesman@host54-17-dynamic.43-79-r.retail.telecomitalia.it] has joined ##openvpn
08:03 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Remote host closed the connection]
08:03 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
08:07 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
08:08 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
08:09 < theDoc> blah, internet is shit here.
08:09 < krzee> where?
08:10 < theDoc> Malaysia.
08:10 < theDoc> I'm tunneled, so ;p
08:10 < krzee> ahh werd
08:10 < theDoc> What about?
08:10 < krzee> werd = cool
08:10 < theDoc> Oh.
08:11 < theDoc> You know how it's -really- annoying when the internet is so flaky that even MSN doesn't stay connected?
08:11 < krzee> hehe when i was in australia on the internet from a hostel i couldnt even connect to msn
08:11 < krzee> or my vpn
08:11 < theDoc> Yeah, some people filter vpn connections.
08:11 < theDoc> It's like, I just take to running it off 443.
08:12 < theDoc> For SSL.
08:12 < krzee> nah it wasnt a filter
08:12 < hyper_ch> MSN is evil
08:12 < krzee> it was too much latency
08:12 < krzee> like 5000ms to google
08:12 < theDoc> What the fuck ;p
08:13 < krzee> thats what i said
08:14 < theDoc> It's really funny, since the pings are ok but I'm guessing the problem here is the size of the pipe.
08:15 < krzee> i had fun showing some girl from england arp poisoning
08:15 < theDoc> krzee> Were you trying to hook her up? ;p
08:15 < krzee> driftnet tripped her out, lol
08:16 < krzee> i wanted to violate her, didnt happen tho
08:16 < theDoc> krzee> You lost me at driftnet.
08:16 < krzee> i ended up getting some other girls tho
08:16 < theDoc> Well, so you still got laid, that's fine ;)
08:17 < krzee> driftnet is an app for when you are arp poisoning someone, it will show all images going over the network
08:17 < theDoc> Oh, lol
08:17 < theDoc> Fun, what stuff did you get from her? ^^
08:18 < krzee> well she knew i was doing it
08:18 < krzee> so nothing interesting
08:18 < theDoc> snap:)
08:18 < krzee> i wasnt trying to be sneaky
08:18 < theDoc> Well, the internet's real shit here anyway so I can barely get any work done.
08:18 < theDoc> :\
08:19 < theDoc> It's taking like 15 minutes for me to just get connected to MSN
08:19 < krzee> ya it sucks where i live too, but i pay a ton to get decent speeds so its usable
08:19 < theDoc> Oh screw this, I'm going to bed.
08:20 < theDoc> The latencies are good, the pipe is probably to small to be shared among 200 rooms.
08:20 < theDoc> That or someone is torrenting.
08:20 < krzee> so arp poison it and kill the offending connections ;)
08:21 < theDoc> krzee> Well,.. ;p
08:21 < theDoc> Actually, I'd just go to bed. I don't really want to kill someone's connection and have to start working because the internet is working fine ;p
08:21 < ecrist> krzee: I prefer the Louisville method
08:23 < krzee> lol x2
08:25 < krzee> did you guys see RSA was broken?
08:25 < hyper_ch> it's now in two pieces? :(
08:27 < theDoc> Is it broken by design or is it broken because it was used in the wrong way?
08:27 < krzee> [20:13]  <krzee> http://www.engadget.com/2010/03/09/1024-bit-rsa-encryption-cracked-by-carefully-starving-cpu-of-ele/
08:27 < theDoc> I saw a thread on it, didn't quite follow it
08:27 < vpnHelper> Title: 1024-bit RSA encryption cracked by carefully starving CPU of electricity -- Engadget (at www.engadget.com)
08:28 < krzee> Now, three eggheads (or Wolverines, as it were) at the University of Michigan claim they can break it simply by tweaking a device's power supply. By fluctuating the voltage to the CPU such that it generated a single hardware error per clock cycle, they found that they could cause the server to flip single bits of the private key at a time, allowing them to slowly piece together the password. With a small cluster of 81 Pentium 4 chips and 104 hours of p
08:28 < krzee> rocessing time, they were able to successfully hack 1024-bit encryption in OpenSSL on a SPARC-based system, without damaging the computer, leaving a single trace or ending human life as we know it
08:30 < theDoc> Well, if someone has access to your device itself, it's no longer considered secure and that should be a "valid" vector of attack in a real world situation.
08:31 < krzee> still interesting
08:31 < krzee> pquite interesting
08:31 < krzee> -p
08:32 < theDoc> FUCK
08:32 < theDoc> I hate it when I'm writing a long email via the web client and the fucking session ID gets reassigned to someone else and I get some "unknown error" shit.
08:32 < theDoc> What the fuck kind of a web mail is this
08:34 < ecrist> wow, calm down chief.
08:35 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
08:37 < theDoc> It's really annoying because the internet here is shit and it takes forever to load.
08:38 < theDoc> fuck this, I'm off to bed.
08:38 < theDoc> G'night folks.
08:38 < krzee> gnite
08:39 -!- forke [~forke@vpn.astaro.de] has joined ##openvpn
08:40 < forke> hello guys, one customer from me, want to start a batch script with the net use command when the openvpn client is connect. But I can't start the batch file with the command "up" in the config file. Have somebody a idea?
08:41 < krzee> why cant you use it with up?
08:42 < forke> Wed Mar 10 15:34:29 2010 script failed: returned error code 1
08:43 < krzee> sounds like something in your script failed
08:43 < krzee> is this the same issue as is on the mail list recently?
08:44 < forke> the script works, when i start it dircetly it works
08:45 < krzee> then whys it passing a return code of non 0?
08:45 < theDoc> !google bank code 7339
08:45 < vpnHelper> theDoc: Offline Payment: <http://www.newlook.com.sg/offline.asp>; Payment by Funds Transfer: <http://www.newlook.com.sg/fundstransfer.asp>; Registration: <http://www.rp.sg/symposium/registration.htm>
08:45 < krzee> lol theDoc 
08:45 < forke> this is a good question ;)
08:46 < theDoc> krzee> Internet is slow as fuck.
08:46 < theDoc> ;p
08:46 < krzee> theDoc, google command is the same in msg
08:46 < theDoc> I have to resort to this.
08:46 < theDoc> Cheers mate
08:46 < krzee> =]
08:47 < theDoc> I'm annoyed as fuck as to why paypal keeps insisting that they have sent me some cash for verification when I didn't get jack shit.
08:47 < krzee> should be a couple cents
08:48 < theDoc> Yeah, bank insist that they didn't get jack shit.
08:48 < theDoc> Paypal insisted they sent it.
08:48 < theDoc> Account numbers are correct, so is the bank code
08:48 < theDoc> Whatever the fuck could go wrong here?:)
08:48 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:49 < krzee> forke, is this the same as a post to the mail list recently?
08:49 < krzee> as in, was that you as well?
08:50 < krzee> or forum or something...
08:51 < krzee> i could swear i saw this recently
08:53 < rob0> LOL, what went wrong is you trusting Paypal with actual money ;)
08:54 < rob0> They stole from me once, never again. Theft is a keystone of their business model.
08:57 < krzee> ahh you must have been a merchant
08:57 < krzee> ive heard that a lot
08:58 < ecrist> theDoc: can you tone down your language, please?
08:58 < krzee> i was thinking the same
08:58 < krzee> lol
08:59 < ecrist> you know when *I* say something it's bad. ;)
08:59 < gorkhaan> Paypal is strange, one they got kindda' verification money from me, but I didnt received a post mail about the verification..
08:59 < krzee> haha 
08:59 -!- sdlfk [~lkjdfsg@212.183.140.98] has quit [Ping timeout: 264 seconds]
09:02 < krzee> forke, when you run it manually, echo out %errorlevel%
09:02 < rob0> That's another thing: they don't have a clue about mail and DNS. They make the scammers' jobs easy.
09:03 < krzee> and to set return code 0 no matter what happened, exit 0
09:04 < krzee> but thats not likely what you want
09:04 < forke> ok, wait
09:04 < krzee> you might THINK it is, but it isnt ;]
09:04 < krzee> forke, can you answer my question?
09:04 -!- dazo|afk is now known as dazo
09:05 < forke> ok which ;) Sorry... but I have a customer call at the moment. And I see no last question, me window is to tiny ;)
09:05 < krzee> btw i know nothing bout windows scripting, i found all that by google: batch script return code
09:05 < krzee> [06:49]  <krzee> forke, is this the same as a post to the mail list recently?
09:05 < krzee> [06:49]  <krzee> as in, was that you as well?
09:05 < krzee> [06:50]  <krzee> or forum or something...
09:05 < krzee> [06:51]  <krzee> i could swear i saw this recently
09:07 < forke> not the same, but something near it. So my first step was, to insert he security level 2 and up command in the openvpn client conf. after this i create a bat file. with the netuse command. 
09:10 < krzee> so when you connect without it, then run it manually from commandline with echo %errorlevel%  at the end, what gets echo'ed out?
09:12 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
09:16 < forke> when I start the batch file with this command, I have a additional line with the entrie "0"
09:16 < krzee> hrmm
09:18 < krzee> 1. OpenVPN GUI has a feature that allows you to put a file named xxxx_up.bat in the OpenVPN config folder, where xxxx is the same name as your OpenVPN config file. This will be executed after the tunnel is established.
09:19 < krzee> remove the echo line, and try running it on connect that way
09:19 < krzee> that was a reply to a message that was hit #2 from google: openvpn batch net use
09:24 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 248 seconds]
09:25 < forke> wow, sorry... and it works. I think I  ignore this hit today. 
09:26 < krzee> =]
09:27 < krzee> glad that helped
09:27 < krzee> if only i could find that other message that was similar
09:29 -!- whirler [~whirler@cpe-098-026-232-086.triad.res.rr.com] has joined ##openvpn
09:29 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
09:30 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:30 < krzee> ahh there it is
09:31 < forke> thank you krzee
09:32 < krzee> np
09:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:36 -!- whirler [~whirler@cpe-098-026-232-086.triad.res.rr.com] has quit [Ping timeout: 265 seconds]
09:38 < krzee> ecrist, check this one out
09:38 < krzee> http://www.ovpnforum.com/viewtopic.php?f=1&t=3278
09:38 < vpnHelper> Title: OpenVPN Forum View topic - Greetings! from Mississippi (at www.ovpnforum.com)
09:39 < krzee> that guy signed up from .ro ip, but i dont see any evidence hes a spammer
09:39 < ecrist> of course not, he's waiting for us to approve his stuff and take advantage.
09:39 < ecrist> I don't approve any of those messages, especially since it's in the wrong section.
09:39 < krzee> ok
09:40 < krzee> should we even keep the greetings section?
09:40 < ecrist> no, it should go away, imho
09:40 < ecrist> I've just not done so.
09:40 < krzee> werd
09:41 < rob0> Mississippi, hmm.
09:46 < krzee> there, introductions section is gone
09:46 < krzee> before i removed it, i moved the one asking about other langs to off-topic/related
09:54 -!- toehio2 [~a4804a9d@gateway/web/freenode/x-clkihasjnbsqszhz] has joined ##openvpn
09:54 < toehio2> Can you use UDP programs through TCP OpenVPN networks?
09:58 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Remote host closed the connection]
09:59 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
10:02 -!- Blues-Man [~bluesman@host54-17-dynamic.43-79-r.retail.telecomitalia.it] has quit [Quit: Sto andando via]
10:05 < rob0> toehio2, a VPN is just another type of IP network. But:
10:05 < rob0> !tcp
10:05 < vpnHelper> rob0: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
10:06 < rob0> TCP as the transport layer for the VPN is bad.
10:06 < toehio2> rob0, I see
10:06 < toehio2> I think I have to use it though - my clients cannot connect with UDP
10:06 < toehio2> But would UDP programs work through it though?
10:08 < rob0> um ... *ANY* IP traffic can go through a tun interface.
10:08 < toehio2> rob0: Oh, OK. Thank you.
10:08 < toehio2> it's such a hassle with windows clients
10:09 < toehio2> One keeps getting "CreateFile failed on TAP device:"  (using a 64 bit system)
10:09 < rob0> If your UDP traffic is real-time audio, you might hear skips and other audio problems.
10:09 < rob0> Oh, indeed, Windows is no fun.
10:09 -!- takamichi [~pri@78.133.36.225] has joined ##openvpn
10:12 < takamichi> Good afternoon gents. I run an offshore privacy service and want to provide a vpn service to my clients to bypass local country restrictions. I intend to lease 3 dedicated servers in different locations and use openVPN technology. Does anyone have any experience with such a service?
10:13 < toehio2> rob0: well, thanks for the help. I'm off - bye!
10:13 -!- forke [~forke@vpn.astaro.de] has left ##openvpn ["leaving."]
10:13 -!- toehio2 [~a4804a9d@gateway/web/freenode/x-clkihasjnbsqszhz] has quit [Quit: Page closed]
10:15 < takamichi> My plans so far are to use Centos 5 running Xen and have openVPN running on 3 domU instances for high availability. I'll also lease a seperate server to run ldap autehtnication service. 
10:15 -!- uchimata_ is now known as uchimata
10:16 < takamichi> Before I start throwing cash and time into this, is there anything I need to be careful with regarding design. I plan to service about 800 clients but only a few dozen concurrently.
10:17 < takamichi> Perhaps I need to $$consult with an expert here? Can anyone recommend anyone?
10:21 < takamichi> is there another more appropriate channel where I could seek advice?
10:27 < dazo> takamichi:  you might not get immediate response ... I'm sure there are some people here which can answer (I'm not one), but they don't sit and wait for questions to pop up ... so patience is a virtue
10:27 < takamichi> np dazo, I understand, thanks.
10:27 < dazo> takamichi:  having that said ... similar topics have been mentioned both here and on the mailing lists from time to time
10:28 < dazo> takamichi:  but initially ... you specs sounds reasonable ... and yes, I believe it is doable
10:33 -!- LobbyZ [~default@188.72.255.194] has quit [Quit: Free FTW]
10:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
10:45 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Remote host closed the connection]
10:45 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
10:45 < krzee> takamichi, bandwidth is the limiting factor
10:46 < krzee> you wont gain anything by putting 3 virtual machines running openvpn on the same hardware
10:46 < krzee> at least nothing i know of
10:46 < takamichi> ok, from my research I should be doing about 6 terrabytes per month
10:46 < krzee> that helps for apps like asterisk which completely suck
10:46 < krzee> its less about per month and more about per second
10:47 < takamichi> I thought the virtualization would provide high availaiblity if one server went down
10:47 < krzee> 800 uses on at the same time could fill your pipe and give them slowness
10:47 < takamichi> ok, I understand
10:47 < krzee> if you are talking about windows, i understand
10:47 < takamichi> windows?
10:47 < krzee> if unix, it shouldnt go down unless its a hardware issue or you screw something up
10:47 < takamichi> No, I plan on using Centos 5
10:48 < takamichi> on a dedicated server. I expect up to about 30 concurrent users initially
10:48 < krzee> well 30 is tiny and a non-issue for anything really
10:48 < takamichi> and I need to scale up to about 200 within the next 6 months
10:48 < takamichi> How would you approach high availability
10:48 < krzee> multiple servers in multiple datacenters
10:49 < takamichi> I plan on leasing three servers and giving users the ability to choose which server they connect to
10:49 < krzee> you can also set their config to use all 3
10:49 < takamichi> yes I understand the client side 'load balancing' feature
10:50 < takamichi> If I only have one physical machine and want to provide some HA, how would you go about it?
10:50 < krzee> well in reality you cant
10:50 < takamichi> I though running XEN with openVPN on 3 seperate instances would allow me to failover service if one crashed
10:51 < rob0> hmmm, here's a thought for development: What about using MX records with priorities?
10:51 < krzee> have you run much unix?
10:51 < takamichi> no, but I understand dns
10:51 < krzee> a crash without a hardware reason is pretty uncommon
10:51 < krzee> unless you screw something up and cause it
10:51 < krzee> and on 3 identical systems, you would have screwed that same thing up on all 3
10:51 < takamichi> yes, I cant help a hardware crash with one physcial machine, so I was just refering to software crashses
10:51 < krzee> rob0, huh?
10:52 < takamichi> ok, so you see no reason to go the virtualization route
10:52 < krzee> not at all
10:52 < krzee> HA via virtual machines is NOT HA
10:52 < takamichi> this is great advice, you may have already saved me a few weeks work
10:53 < rob0> krzee, I'm thinking about a means of failover, just as DNS MX records work, with priorities and alternate hostnames.
10:53 < takamichi> ok gotcha, I thought it was
10:53 < krzee> rob0, oh like giving --remote priorities?
10:53 < krzee> by default it goes in order of --remote in the config, unless you command it to randomize
10:53 < rob0> right, something like --remote-mx my.mxname
10:53 < takamichi> yes dns could provide a round robin load balancing service, but again I would need seperate physical lmachines
10:54 < rob0> and my.mxname. is a MX
10:54 < krzee> takamichi, i think rob0 is talking about something on the dev side of things
10:54 < takamichi> why are you talking about mx records which are for mail not?
10:54 < takamichi> oh right sorry!
10:54 < krzee> rob0, ya im confused why you are talking bout MX as well
10:55 < krzee> where do mail servers come into play?
10:55 < rob0> my.mxname. MX 0 primary.servername ; my.mxname. MX 10 secondary.servername
10:55 < rob0> it's just a thought
10:55 < rob0> would be handy for failover
10:55 < krzee> mail servers?
10:55 < rob0> and why invent a new RR type, when MX exists and does this?
10:56 < takamichi> krzee: Would you employ Access server for this service?
10:56 < rob0> ewww Access?
10:56 < krzee> takamichi, personally no, but i personally wouldnt use AS for anything
10:56 < krzee> whereas for some it works nice
10:56 < takamichi> Could you summarize why not?
10:56 < rob0> I use it for looking down my nose at. :)
10:57 < takamichi> I intend on leasing a server to run ldap for authentication
10:57 < krzee> because i dont want a web interface for accessing my stuff (i also hate cpanel and all those other web admin UI's)
10:57 < takamichi> right.
10:57 < krzee> plus it doesnt use standard openvpn configs or have standard openvpn logs
10:57 < krzee> so its a whole new app to me
10:57 < takamichi> what about the client config stuff. Is that no valuable?
10:57 < rob0> And talking about HA and then mentioning any MS product ... oxymoron.
10:57 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
10:58 < takamichi> Whats an MS product?
10:58 < krzee> rob0, he plans on using centos5
10:58 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
10:58 < rob0> ohhhh sorry :) I thought you meant Access database :)
10:58 < krzee> i was saying if it WAS windows i could see the need for 3 VM's on 1 piece of hardware
10:58 < krzee> oh, lol
10:58 < rob0> haha
10:58 < krzee> access-server
10:58 < takamichi> no no lol
10:58 < takamichi> access-server
10:58 < rob0> yeah I forget about AS
10:59 < krzee> takamichi, i cant fully speak on the client config stuff, i have never used AS
10:59 < takamichi> ah right ok
10:59 < rob0> I guess if you don't personally have the expertise in openvpn, AS could be handy to have support from the company.
10:59 < krzee> theDoc uses it for his VPN company tho
11:00 < krzee> rob0, so it does come with support for customers?
11:00 < takamichi> does theDoc frequent this channel?
11:00 < krzee> (i didnt know if it does or not)
11:00 < rob0> oh I don't know
11:00 < takamichi> yes, AS provides support
11:00 < krzee> ya, and hes here now
11:00 < takamichi> $5 per license is pretty cheap as well.
11:00 < krzee> !seen thedoc
11:00 < vpnHelper> krzee: thedoc was last seen in ##openvpn 2 hours, 12 minutes, and 22 seconds ago: <theDoc> Whatever the fuck could go wrong here?:)
11:00 < rob0> haha
11:01 < takamichi> he he lol
11:01 < krzee> i think he went to sleep tho
11:01  * rob0 slaps vpnHelper for being a potty-ASCII-mouth
11:01 < takamichi> I'll bug him when he gets up.
11:01 < krzee> hey hey, he was innocently quoting theDoc
11:01 < krzee> lol
11:01 < takamichi> I also thought about using vyatta for this. Any comments?
11:01 < krzee> !google vyatta
11:02 < vpnHelper> krzee: Routing, Firewall, VPN for Physical Networks, Virtual Networking ...: <http://www.vyatta.com/>; Free Router, Firewall, VPN Download | Vyatta Community Edition ...: <http://www.vyatta.com/downloads/index.php>; Vyatta.org | The Open Source Networking Community: <http://www.vyatta.org/>
11:03 < krzee> hrm
11:03 < krzee> first i seen of it
11:03 < takamichi> oh really, ok dont worry. although it is an interesting piece of kit.
11:03 < krzee> but unless you want one of the rare things openvpn doesnt do, you're unlikely to be suggested to use anything but openvpn in here
11:03 < krzee> lol
11:04 < krzee> like if you require an insecure vpn, ill suggest pptp
11:04 < takamichi> lol sure
11:04 < krzee> if you require direct client to client communications, ill suggest ipsec
11:04 < takamichi> ok brilliant, thanks krzee I really appreciate the guidance.
11:05 < takamichi> I'll be considering ipsec/l2tp seperately
11:05 < krzee> the nice thing is you wont be needing clients to talk to eachother
11:05 < krzee> so when you have more than 1 server, they wont need to be linked
11:05 < krzee> that will make this very easy for you
11:05 < takamichi> exactly
11:05 < rob0> oh no! my CA expired
11:05 < krzee> you'll decide how many clients max each server should have at a time
11:06 < krzee> then you'll tell the server to not allow more consecutive clients than that
11:06 < takamichi> yes, it should be easy to scale like that
11:06 < krzee> then each client will have remote entries for all the vpns
11:06 < takamichi> The only common denominator will be the LDAP server
11:06 < krzee> (by dns in case you change IPs later)
11:06 < takamichi> yes for sure, I'll run my own dns
11:07 < krzee> so in all reality your setup wont be too difficult
11:07 < krzee> are you ready to start testing yet?
11:07 < rob0> damn, this sucks.
11:07 < takamichi> almost, in the next week or so I should provision my first server
11:07 < takamichi> whats up rob0?
11:07 < krzee> also, heres a suggestion
11:08 < krzee> instead of pushing --redirect-gateway to the client
11:08 < takamichi> ok
11:08 < krzee> you could put redirect-gateway in the client config
11:08 < takamichi> ok, I'll make note of that
11:08 < krzee> then you can run dante (a socks daemon) on the VPN ip
11:08 < krzee> like this
11:08 < krzee> !socks
11:08 < vpnHelper> krzee: Error: "socks" is not a valid command.
11:08 -!- BorisK [~name@p5B1252EA.dip.t-dialin.net] has joined ##openvpn
11:08 < krzee> !dante
11:08 < vpnHelper> krzee: Error: "dante" is not a valid command.
11:08 < krzee> hrmz
11:09 < krzee> !factoids search sock
11:09 < vpnHelper> krzee: "sockd" is if you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP! otherwise you will be an open proxy. that config has no security because its expected to run inside openvpn
11:09 < krzee> ya, that
11:09 < takamichi> ok
11:09 < krzee> that way if a user only wants some stuff going over the vpn, he can connect and use the internal socks daemon
11:09 < takamichi> yes, that makes sense
11:09 < krzee> if he wants EVERYTHING to go over it, he just leaves the redirect-gateway in his config
11:10 < takamichi> ok, thats cool
11:10 < krzee> i personally use that socks approach for my own traffic
11:10 < takamichi> did yo usay that theDoc was running his own vpn service?
11:10 < krzee> he sure is
11:10 < takamichi> alright, I need to take him out for a virtual beer
11:10 < krzee> make a note of this as well
11:10 < krzee> !redirect
11:10 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
11:11 < rob0> takamichi: I'm trying frantically to remember what to do to generate a new CA cert.
11:11 < krzee> you can just make note to type !redirect ;]
11:11 < takamichi> yes
11:11 < takamichi> all noted!
11:11 < rob0> I don't think I used easy-rsa
11:11 < krzee> rob0, ssl-admin maybe
11:11 < krzee> !ssl-admin
11:11 < vpnHelper> krzee: "ssl-admin" is (#1) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#2) if you use freebsd, it is in ports, or (#3) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn
11:11 < rob0> I used openssl ca commands
11:12 < krzee> oh, lol
11:12 < krzee> well easy-rsa could be a good reference for openssl commands i guess
11:12 < rob0> they're in .bash_history on my dead laptop
11:12 < krzee> why would you type them all manually?
11:12 < takamichi> openssl
11:13 < krzee> takamichi, yup, openvpn lets openssl handle all its encryption
11:13 < takamichi> yes I know, sorry I was answering rob0
11:13 < rob0> this was in 2008 March, valid for, you guessed it, two years.
11:13 < takamichi> shite
11:14 < krzee> im betting the new CA will be valid for longer
11:14 < rob0> haha yes
11:14 < rob0> that way, when it expires, I'll be TOTALLY lost
11:14 < takamichi> ok, I gotta get back to biz. thanks guys, its been very interesting. Cheers krzee
11:14 < krzee> it takes me minutes to generate the whole PKI from scratch
11:14 < krzee> cause i use ssl-admin
11:15 < krzee> (on single core cpu)
11:15 < krzee> cheers takamichi 
11:16 -!- treats [~treats@209-94-131-110.c3-0.abr-ubr2.sbo-abr.ma.cable.rcn.com] has joined ##openvpn
11:16 < treats> what is the best admin gui for windows?
11:16 < rob0> putty.exe :)
11:17 < rob0> SCNR
11:17 < treats> how would putty admin openvpn?
11:17 < treats> an openvpn windows server
11:17 < rob0> eww
11:17 < treats> yeah
11:17 < treats> its the only box i have available
11:17 < treats> small client
11:19 < krzee> admin gui?
11:19 < krzee> notepad.exe
11:20 < krzee> its just a tiny lil config file man
11:20 < krzee> a gui would be way bigger / harder to deal with than a lil config file
11:22 < rob0> hmmm, it's the server cert that's expired, I think, not sure how to check on the CA cert
11:22 < krzee> !certinfo
11:22 < vpnHelper> krzee: "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
11:23 < krzee> if its the server cert just renew it
11:23 < krzee> (which ssl-admin has an option for_)
11:25 < rob0> thanks, "Not After : Mar  9 08:20:00 2013 GMT"
11:25 < rob0> so I have 3 years on that
11:26 < rob0> I just need to generate a CSR for the server and sign it ... yikes, I hope I have that password
11:29 < rob0> req(1)
11:30 < rob0> I hate openssl :(
11:32 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
11:33 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Remote host closed the connection]
11:33 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
11:35 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has joined ##openvpn
11:38  * cpm doesn't trust rob0 with CSRs
11:38 -!- cpm is now known as openssl
11:38  * openssl hates rob0 
11:38 -!- openssl is now known as cpm
11:39 < krzee> lol
11:40 -!- macsppadic [~sonupunno@82.109.74.162] has left ##openvpn []
11:42 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
11:47 < rob0> Trying to figure out if the req(1) -new option is needed for a renewal?
11:48 < krzee> !ssl-admin
11:48 < vpnHelper> krzee: "ssl-admin" is (#1) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#2) if you use freebsd, it is in ports, or (#3) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn
11:48 < krzee> check his code
11:48 < krzee> he calls openssl directly
11:49 < rob0> good idea, thanks again
11:49 < krzee> www
11:49 < krzee> err
11:49 < krzee> https://www.secure-computing.net/svn/trunk/ssl-admin/ssl-admin
11:59 < ecrist> !ssl-admin
11:59 < vpnHelper> ecrist: "ssl-admin" is (#1) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#2) if you use freebsd, it is in ports, or (#3) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn
12:00 < ecrist> I desperately need to do a rewrite for ssl-admin
12:02 < ecrist> 41 downloads of the freebsd port since Feb 19, though
12:10 < krzee> none were me ;]
12:14 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Quit: Leaving]
12:16 < ecrist> I want to rewrite the whole thing in C or C++
12:16 < rob0> why?
12:17 < hyper_ch> rob0: for the same reason people climb on mountains :)
12:17 < hyper_ch> rob0: because they can ;)
12:17 < rob0> ISTM perl is a pretty good choice for a tool of that nature.
12:17 < krzee> well it requires the user install PERL
12:18 < krzee> and zip
12:19 < dazo> ecrist:  if you want to C-ify ssl-admin, I'll help you out as much as I can manage to squeeze in some time
12:20 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 260 seconds]
12:20  * dazo don't do C++ voluntarily, though 
12:20 < rob0> dazo, did you see my idea about --remote-mx?
12:20 < dazo> rob0:  remote-mx?
12:20  * cpm remotely mixes rob0 
12:21 < dazo> rob0:  nope .... when I hear mx ... I think about DNS, MX records and mail servers .... and wonder what that has to do with OpenVPN?   OpenVPN over SMTP?
12:21 < rob0> failover, priorities
12:21 < rob0> --remote hostname resolves "hostname" to an IP address
12:22 < dazo> rob0:  well .... first of all, OpenVPN do not have failover at all ... that's impossible as encryption keys cannot be synchronised across several OpenVPN servers now
12:22 < dazo> (that's a design feature of SSL ... to avoid MITM)
12:22 < rob0> --remote-mx hostname would resolve "hostname" to a MX, and then to prioritized IP address
12:23 < dazo> rob0:  to be honest ... that sounds like a hack .... and would require to include a DNS resolver into OpenVPN which does the DNS queries
12:24 < rob0> isn't there a means in C libraries to make DNS queries?
12:25 < rob0> well, I thought it sounded cool anyway, the fellow who was here was wanting to set up something where that might be useful.
12:25 < dazo> rob0:  I'd like to see someone rather implement OpenAIS or similar clustering stuff into OpenVPN, which could then share encryption keys between server processes ... and then a server process could then ask the other cluster members if someone has a lower load than itself, and decide if it should suggest the client to reconnect to another host ... using the same SSL keys, avoiding renegotiations of keys
12:26 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
12:26 < dazo> rob0:  that solution would be both a proper failover solution and a better load balancer
12:31 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
12:33 < ecrist> dazo: I'd be a complete newb to C/C++, so no preference, really, it would be my starter project
12:33 < ecrist> ESOC
12:33 < ecrist> Ecrist Summer of Code
12:33 < ecrist> :)
12:34 < dazo> ecrist:  :) ... I'd recommend starting with C then .... easier to learn C well and go further to C++, than the other way around ... C++ got a lot of tweaks, which is easier to understand with C knowledge
12:35 < dazo> ecrist:  but I gotta warn you .... the OpenSSL API is not easy to work with in C .... it's not impossible, but the documentation can be both good and bad - at the same time 
12:35 < ecrist> so, similar to setting up LDAP for the first time.
12:36 < ecrist> 'thar be dragons in those hills'
12:36 -!- dijital1 [~bob@unaffiliated/dijital1] has joined ##openvpn
12:36 < dazo> ecrist:  might be that gnutls is a better road, but I have no experience with gnutls ... and I'm learning OpenSSL myself :)
12:36 < dijital1> what is the directive that needs to put in the openvpn.conf file on a client machine so that it does NOT modify it's DNS entries?
12:36 < dazo> ecrist:  yeah ... something like that
12:36 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
12:36 < dijital1> I want the client to keep what it currently has for DNS
12:37 < dazo> dijital1:  which platform?
12:38 < dijital1> OS X
12:38 < dijital1> snow leopard
12:42 < dijital1> any ideas?
12:42 < ecrist> dazo: I'm looking to start the ssl-admin rewrite sometime this spring/early summer
12:42 < ecrist> my hope is to get openvpn core to drop easy-rsa
12:42 < dazo> ecrist:  sounds cool!  and needed :)
12:42 < ecrist> easy-rsa < my dog's pile of poo
12:43 < dazo> ecrist:  I'll always have plentiful of project ... but I can for sure help you out getting started and the more heavy SSL API stuff
12:43 < dazo> ecrist:  I probably need to adjust some priorities on project for a little while ... but that's doable :)
12:45 < ecrist> that'd be great.  
12:46 < ecrist> at the very least, some code review.
12:46 < ecrist> I do think I'm going to keep the code myself, and not roll it into the openvpn tree, though.
12:46 < dazo> ecrist:  give me a week warning ... so I can either hide or clean my schedule :-P
12:46 < ecrist> lol
12:46 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
12:47 < dazo> ecrist:  that's very fine ... it can fine live as a separate project ... and if it gets good and it gets time to drop easy-rsa, we can consider to do a merge - you'll anyway keep the copyrights on everything you write under GPL ... so nobody can take the credit away from you :)
12:47 < dazo> but it's not needed to merge
12:48 < ecrist> I don't write GPL
12:48 < ecrist> unless I have to due to openssl or something.
12:48 < ecrist> BSD license for me, baby.
12:49 < dazo> ahh .. .well, then you don't have that security ... as GPL forces any distributor to provide the source code, while BSD in general do not 
12:49 < ecrist> OpenSSL has a BSD-style license it seems.
12:49 < dazo> yeah, it does
12:49  * dazo is just very GPL oriented :)
12:50 < dijital1> trying to figure out a way to make this work.. for some reason dns is getting fubared
12:50 < ecrist> GPL is like religion, it's a great idea, but in practice, it causes many headaches.
12:50 < dazo> but ... I'm mainly doing my stuff as GPLv2 only
12:50 < dazo> Stallmanism is a danger yes .... I'm not that :)  I read the license, and like the concept there
12:50 < dazo> that's all .... and that's why I'm sceptic to GPLv3
12:51 < krzee> what do you like about GPL more than BSD license?
12:51 < dazo> That the source code *must* be provided on request ... you can't do binary only distributions
12:52 < krzee> dijital1, you dont control the server i take it
12:52 < dijital1> I do. but this issue only seems to happen under OS X
12:53 < krzee> if you dont push a NS, the NS doesnt change
12:53 < krzee> i run openvpn on leo and snow leo
12:53 < dijital1> the windows machines work fine. Any non-vpn traffic still goes through the local lan
12:53 < krzee> its no diff than any other unix
12:53 < krzee> (in regards to ovpn)
12:54 < dijital1> http://pastebin.com/Z9bDJMUg 
12:54 < dijital1> that lists the client openvpn.conf short of unimportant details
12:54  * dazo decides he's been working enough today :)
12:54 < krzee> "unimportant details" lol
12:54 < dijital1> :-)
12:55 < krzee> you can hide the ip, nothing else
12:55 < krzee> show me the following: configs for server, client with problem, client that works right, include in each a note about what the local subnet is
12:55 < dijital1> everything other than client, dev tun, and udp is there
12:55 < krzee> dev tun is far from unimportant
12:56 -!- dazo is now known as dazo_afk
12:56 < krzee> in fact all of that is important
12:56 < krzee> lol
12:56 < krzee> which is why you CAN NOT modify (except to hide ip) stuff before pasting
12:57 < dijital1> I guess I'm saying very well then... this is the complete openvpn.conf sans IP
12:57 < dijital1> http://pastebin.com/NJGwwx5R
12:57 < krzee> you make the connection, so IP is irrelevant
12:57 < krzee> [10:55]  <krzee> show me the following: configs for server, client with problem, client that works right, include in each a note about what the local subnet is
13:03 < krzee> and tell me, what sort of traffic do you want to go over the vpn, and what sort NOT over the vpn
13:03 < krzee> (paste first, talk after)
13:05 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Remote host closed the connection]
13:05 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
13:08 < rob0> LOL @ Stallmanism ... "Marx, Lenin, Stallman!"
13:10 < ecrist> you guys should have seen the spooge on the computer screens of LUGers here in Mpls when he was here last summer.
13:12 < ecrist> http://archives.mn-linux.org/pipermail/tclug-list/2008-October/thread.html
13:12 < vpnHelper> Title: The tclug-list October 2008 Archive by thread (at archives.mn-linux.org)
13:14 -!- BorisK [~name@p5B1252EA.dip.t-dialin.net] has quit [Read error: Connection reset by peer]
13:14 -!- BorisK [~name@p5B1252EA.dip.t-dialin.net] has joined ##openvpn
13:15 < ecrist> s/last summer/Oct 2008/
13:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
14:10 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Quit: No Ping reply in 180 seconds.]
14:11 -!- PeterFA [~Peter@2002:1871:8ebb:1234:21a:73ff:fe3b:d510] has joined ##openvpn
14:11 -!- PeterFA [~Peter@2002:1871:8ebb:1234:21a:73ff:fe3b:d510] has quit [Changing host]
14:11 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
14:15 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Remote host closed the connection]
14:18 < ecrist> this is my first time using it, but ssl-admin is much nice with the -batch option to openssl.
14:22 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
14:45 -!- dijital1 [~bob@unaffiliated/dijital1] has left ##openvpn []
14:45 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:49 -!- goog1jh_ [~goog1jh@my.barbie.wears.no-panties.org] has quit [Read error: Connection reset by peer]
14:49 -!- goog1jh [googijh@my.barbie.wears.no-panties.org] has joined ##openvpn
14:50 -!- d457k [~heiko@vpn.astaro.de] has joined ##openvpn
14:52 -!- Cap_J_L_Picard [~ewanm89@unaffiliated/ewanm89] has quit [Ping timeout: 256 seconds]
14:52 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
14:52 -!- Cap_J_L_Picard [~ewanm89@unaffiliated/ewanm89] has joined ##openvpn
14:54 -!- d12fk [~heiko@vpn.astaro.de] has quit [Ping timeout: 256 seconds]
14:55 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
15:02 -!- ufoman [ufoman@kolos.math.uni.lodz.pl] has quit [Ping timeout: 260 seconds]
15:04 < rob0> Turns out it wasn't very painful to make another CSR and sign it.
15:04 < rob0> I wish I could renew the original certs, but I've lost their CSRs.
15:10 -!- newtech [~newtech@41.227.113.234] has quit [Ping timeout: 276 seconds]
15:11 -!- ufoman [ufoman@kolos.math.uni.lodz.pl] has joined ##openvpn
15:20 -!- LeRrA [~lerra@c-83-233-243-2.cust.bredband2.com] has joined ##openvpn
15:21 -!- LeRrA_ [~lerra@c-83-233-243-2.cust.bredband2.com] has joined ##openvpn
15:21 -!- LeRrA_ [~lerra@c-83-233-243-2.cust.bredband2.com] has quit [Client Quit]
15:27 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
15:41 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
15:52 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Quit: Távozom]
16:14 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has quit [Ping timeout: 264 seconds]
16:19 < ecrist> http://undeadly.org/cgi?action=article&sid=20100309072751
16:19 < vpnHelper> Title: OpenSSH 5.4 released (at undeadly.org)
16:21 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:22 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: Connection reset by peer]
16:39 -!- takamichi [~pri@78.133.36.225] has quit []
17:00 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
17:10 -!- takamichi [~pri@78.133.36.225] has joined ##openvpn
17:57 < theDoc> takamichi> I just got up and I'm about to leave to head to a customer site, grab me in about an hour.
17:57 < theDoc> Good god, ;p this hotel room has some awesome pillows (almost like boobies). It's been a good sleep.
17:57 -!- p3rror [~Ali@anonymous-196-206-65-140.broker.freenet6.net] has joined ##openvpn
18:09 -!- p3rror [~Ali@anonymous-196-206-65-140.broker.freenet6.net] has quit [Read error: Operation timed out]
18:18 -!- PrinceAmjad [~zjb@87.109.252.36] has quit []
18:23 < krzee> pillows that are like real boobies would be very counter-productive for me sleeping
18:23 -!- kyrix [~ashley@77.116.252.70.wireless.dyn.drei.com] has joined ##openvpn
18:24 -!- p3rror [~Ali@2001:5c0:1400:b::63d7] has joined ##openvpn
18:27 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 268 seconds]
18:33 -!- newmember_ [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
18:34 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Ping timeout: 245 seconds]
18:34 -!- newmember_ is now known as newmember
18:38 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
18:44 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
18:52 -!- kyrix [~ashley@77.116.252.70.wireless.dyn.drei.com] has quit [Quit: Leaving]
18:52 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Read error: Connection reset by peer]
18:54 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
18:57 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Excess Flood]
19:01 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
19:04 -!- theDoc [~jaki@69.10.59.166] has joined ##openvpn
19:04 -!- theDoc [~jaki@69.10.59.166] has quit [Changing host]
19:04 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
19:05 < theDoc> o/
19:09 -!- Kha0sK1d [~NA@c-174-60-157-149.hsd1.pa.comcast.net] has joined ##openvpn
19:13 < Kha0sK1d> hi. I'm confused. It says openvpn is free, yet only a certain number of clients can connect before I must purchase to allow more? Is this correct, or am I misunderstanding?
19:14 < ecrist> Kha0sK1d: you're seeing the commercial version
19:14 < ecrist> click on 'community'
19:15 < Kha0sK1d> ecrist: does the community software include both server and client?
19:15 < ecrist> it's the same binary
19:15 < ecrist> the binary behaves as a client or server depending upon the configure options
19:16 < Kha0sK1d> ecrist: thank you. I get it now, I just wondered why it was saying it was free and then having to pay.
19:17 < Kha0sK1d> this makes me much happier :)
19:17 < ecrist> openvpn, in some form, will always be free.
19:18 < Kha0sK1d> thanks for the quick responses, take care
19:18 -!- Kha0sK1d [~NA@c-174-60-157-149.hsd1.pa.comcast.net] has quit [Quit: Leaving]
19:19 < krzee> i wish those spammers checked that their posts got through and trimmed their list based on it!
19:19 < krzee> (forum)
19:19 < ecrist> agreed.
19:19 < ecrist> it's not that bad, really
19:19 < ecrist> a dozen or so a day.
19:19 < theDoc> morn' all.
19:19 < krzee> evenin'
19:23 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
19:43 -!- caution [~caution@unaffiliated/caution] has joined ##openvpn
19:43 < caution> what settings are good for a connection with packet loss and frequent high latency?
19:44 < caution> can I make openvpn do rapid resends until confirmed?
19:44 < krzee> tun and UDP
19:44 < caution> already using that
19:44 < krzee> !mtu
19:44 < vpnHelper> krzee: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
19:47 < caution> I have to fragment the packets, will it still work with fragment set?
19:47 < krzee> (this one is for somewhere else)
19:47 < krzee> !configs
19:47 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
19:58 < krzee> caution, just do the mtutest
19:58 < caution> disable frament?
19:58 < caution> fragment
19:58 < krzee> did i say anything bout that?
19:59 < krzee> (these are for someone else)
19:59 < krzee> !routebyapp
19:59 < vpnHelper> krzee: "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
19:59 < krzee> !sockd
19:59 < vpnHelper> krzee: "sockd" is if you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP! otherwise you will be an open proxy. that config has no security because its expected to run inside openvpn
19:59 < theDoc> !seen thedoc
19:59 < vpnHelper> theDoc: thedoc was last seen in ##openvpn 40 minutes and 0 seconds ago: <theDoc> morn' all.
19:59 < theDoc> ehehehe
20:00 < krzee> !seen your_mom
20:00 < vpnHelper> krzee: I have not seen your_mom.
20:01 < krzee> !seen vpnHelper 
20:01 < vpnHelper> krzee: I have not seen vpnHelper.
20:01 < krzee> no mirrors in bot-world i guess
20:04 < theDoc> krzee> Can you see if you are able to reach this machine? 
20:11 -!- caution [~caution@unaffiliated/caution] has quit [Ping timeout: 245 seconds]
20:18 -!- caution [~caution@unaffiliated/caution] has joined ##openvpn
20:19 < caution> what should I do with the mtu-test results?
20:20 -!- rawDawg [~rawDawg@cpe-76-189-164-149.neo.res.rr.com] has joined ##openvpn
20:20 < krzee> tell me what they say
20:20 < krzee> theDoc, reach by ping?
20:20 < caution> [Tried,Actual] local->remote=[396,388] remote->local=[396,396]
20:20 < krzee> WHOA
20:20 < krzee> ok comment out all frag stuff first and try again
20:20 < krzee> lol
20:20 < krzee> ive never seen anything that low
20:20 < krzee> are you running openvpn over a DNS tunnel or something?
20:20 < caution> I tried that and it didn't start the test
20:21 < krzee> !configs
20:21 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
20:21 < krzee> (thats for you caution)
20:23 < theDoc> krzee> This ip 213.86.193.56
20:23 < krzee> a certain port, icmp, what?
20:24 < theDoc> Just reachability
20:24 < caution> Reply from 213.86.193.56: Destination host unreachable.
20:24 < krzee> ya, no ping
20:24 < krzee> reachability means nothing!
20:25 < krzee> unless you specify WHAT to reach
20:25 < krzee> could be a webserver, could be vpn, could be ping
20:25 < krzee> you cant ping some of my machines, but they are up and running just fine
20:26 < theDoc> krzee> telnet, ;)
20:26 < krzee> your telnet port is open!?!?!?
20:27 < theDoc> krzee> Supposedly. I wouldn't go to the extend of abusing it.
20:27 < krzee> umm
20:28 < krzee> dude, close that
20:28  * krzee smacks theDoc upside the head!
20:28 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Read error: Operation timed out]
20:29 < theDoc> krzee> I don't have access to that machine. It's a news wire machine.
20:29 < theDoc> I'm trying to reach it for a customer.
20:29 < krzee> ahh
20:29 < krzee> well ya, seems to be down
20:29 < theDoc> Hm, maybe they took it down or something.
20:30 -!- PeterFA [~Peter@24-113-142-187.wavecable.com] has joined ##openvpn
20:30 -!- PeterFA [~Peter@24-113-142-187.wavecable.com] has quit [Changing host]
20:30 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
20:30 < theDoc> krzee> I would know better than to use something like telnet on my boxes ;p
20:30 < theDoc> ssh + vpn or no connexion!
20:31 -!- BorisK_ [~name@p5B125D4B.dip.t-dialin.net] has joined ##openvpn
20:36 -!- BorisK [~name@p5B1252EA.dip.t-dialin.net] has quit [Ping timeout: 276 seconds]
20:38 -!- caution [~caution@unaffiliated/caution] has quit [Ping timeout: 245 seconds]
20:42 -!- LobbyZ [~default@188.72.255.194] has quit [Ping timeout: 260 seconds]
20:43 -!- rawDawg [~rawDawg@cpe-76-189-164-149.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
20:45 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
21:23 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
22:09 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 246 seconds]
22:09 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has joined ##openvpn
22:14 -!- kornbluth [whodat@147.236.188.204.in-addr.arpa] has quit [Ping timeout: 276 seconds]
22:14 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has quit [Ping timeout: 246 seconds]
22:14 -!- p3rror [~Ali@2001:5c0:1400:b::63d7] has quit [Ping timeout: 240 seconds]
22:25 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
22:26 -!- p3rror [~Ali@2001:5c0:1000:b::57b5] has joined ##openvpn
22:46 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
22:56 -!- BorisK_ [~name@p5B125D4B.dip.t-dialin.net] has quit [Quit: get satisfied! • :: www.unitedservers.de ««« (Gamers.IRC) »»» gamersirc.net ::]
23:50 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
--- Day changed Thu Mar 11 2010
00:29 -!- takamichi [~pri@78.133.36.225] has quit [Ping timeout: 264 seconds]
01:13 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has joined ##openvpn
01:25 -!- takamichi [~pri@78.133.36.225] has joined ##openvpn
01:38 -!- newtech [~newtech@41.230.74.200] has joined ##openvpn
01:56 -!- tjz [~pc@bb116-15-91-148.singnet.com.sg] has joined ##openvpn
01:56 -!- tjz [~pc@bb116-15-91-148.singnet.com.sg] has quit [Changing host]
01:56 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
02:01 -!- dazo_afk is now known as dazo
02:11 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:11 -!- mode/##openvpn [+o mattock] by ChanServ
02:20 -!- sonnie [~sonnie@202.141.162.106] has joined ##openvpn
02:24 < sonnie> hi there,I created a pair of crt/key/ovpn by using ./vars && ./build-key <client-name>, but windows client is unable to contact linux server with this <client-name>. while using an older one, it works, why?
02:27 < Bushmills> !logs
02:27 < vpnHelper> Bushmills: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
02:28 < Bushmills> better yet, look at the logs yourself
02:37 < sonnie> Thu Mar 11 16:35:13 2010 202.141.162.33:1973 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=CN/ST=AH/L=Hefei/O=USTC/CN=fgw/emailAddress=sh@lib.ustc.edu.cn
02:40 < hyper_ch> hi Bushmills
02:41 < Bushmills> good morning hyper_ch
02:41 < hyper_ch> Bushmills: you're hardware savy?
02:42 < Bushmills> sonnie: what files did you create and put on your windows machine?
02:43 < sonnie> <client-name>.crt / key / ovpn
02:43 < Bushmills> ca.crt?
02:43 < sonnie> yeah
02:44 < Bushmills> you need 4 files, including the ovpn config file
02:44 < sonnie> i put another crt/key/ovpn in windows directory, it works
02:44 < Bushmills> ah,ok. solved, that is.
02:45 < sonnie> i mean, in config/ directory, there are: client1.crt/key/ovpn, client2.crt/key/ovpn, ca.crt
02:46 < Bushmills> hyper_ch: i have once seen a screwdriver. that qualifies? 
02:46 < hyper_ch> Bushmills: well, I'm considering to get a Linksys WRT160NL router (currently have a Linksys WRT54GL with tomato wrt on it). Mainly because I can put dd-wrt on it. You think it's a good one?
02:47 < Bushmills> i was just interested in another router myself, and was more looking at the asus wl xxx  and some buffalo routers.  
02:47 < sonnie> Bushmills, i have forgot how the older client cert was created. but this one seems to mismatch the server cert
02:48 < hyper_ch> Bushmills: :) well, I like to put tomato wrt or dd-wrt on it... I read yesterday that buffalo ships now some routers with dd-wrt by default
02:48 < Bushmills> you have recreated server cert, i figure
02:48 < hyper_ch> but it'll be like forever until you get one here I suppose
02:48 < Bushmills> yes. especially some of their faster ones
02:49 < Bushmills> but both asus and buffalo have models which are good for dd-wrt, as they tend to have some more flash and ram as many competition models
02:50 < Bushmills> in fact, that was one of the reasons why i was looking specifically at those
02:50 < hyper_ch> that one has 8mb flash and 32mb ram
02:50 < sonnie> Bushmills, maybe because I did a "clean-all", that caused a new server cert, is it?
02:50 < hyper_ch> but don't know about the asus or buffalo ones
02:50 < Bushmills> sonnie: most likely, yes
02:51 < sonnie> can i create a new client with older server cert?
02:51 < Bushmills> also, usb ports i find quite useful on those routers
02:51 < Bushmills> sonnie: not if you've lost it
02:52 < Bushmills> but you can copy new ca.crt to client
02:52 < Bushmills> (along with new client keys and crt) 
02:52 < sonnie> got it
02:53 < hyper_ch> Bushmills: nah, I can't do much with usb ports on routers
02:53 < hyper_ch> because all my storage gets encrypted with dm-crypt :)
02:54 < Bushmills> alternative is to use a low cost pc board. something low power, like an atom board
02:54 < Bushmills> they are available for about 50 EUR, including CPU
02:55 < Bushmills> silent, lots of RAM compared to router, and with a flash adapter, no mechanical hard disk needed 
02:56 < hyper_ch> hmmm
02:56 < Bushmills> http://www.computeruniverse.net/products/90282715/intel-d945gclf-atom-230.asp  for example
02:56 < vpnHelper> Title: Intel D945GCLF Atom 230 - computeruniverse.net (at www.computeruniverse.net)
02:58 < hyper_ch> hmmm thx, I'll have a look
03:02 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
03:10 -!- master_of_master [~master_of@p57B56902.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
03:12 -!- master_of_master [~master_of@p57B576FC.dip.t-dialin.net] has joined ##openvpn
03:12 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 268 seconds]
03:45 -!- newtech_ [~newtech@41.227.72.122] has joined ##openvpn
03:48 -!- newtech [~newtech@41.230.74.200] has quit [Ping timeout: 265 seconds]
03:52 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
04:04 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
04:07 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
04:19 -!- ufoman [ufoman@kolos.math.uni.lodz.pl] has quit [Ping timeout: 252 seconds]
04:19 -!- ufoman [ufoman@kolos.math.uni.lodz.pl] has joined ##openvpn
04:47 -!- mgolisch [~michi@85.93.11.18] has left ##openvpn []
05:06 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:10 -!- LobbyZ [~default@188.72.255.194] has quit [Quit: Free FTW]
05:24 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
05:33 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
05:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
06:09 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
06:43 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:47 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:53 < ecrist> krzee: http://www.ovpnforum.com/viewtopic.php?f=10&t=3300
06:53 < vpnHelper> Title: OpenVPN Forum View topic - Multiple configs in one file (at www.ovpnforum.com)
06:53 < krzee> not a bad idea
06:54 < krzee> ild imagine that wouldnt be overly hard to code
06:54 < krzee> although logs could be ugly as hell
06:54 < krzee> then again i guess they would be now if you start 3 at once
06:54 < ecrist> unless you use different log files
06:55 < ecrist> the logs could preface the config descriptor before each line
06:55 < krzee> tru
06:55 < ecrist> [config My Company] would have ': My Company :' at the start (after date, and other syslogd goo)
06:55 < ecrist> make it easy to grep out what you're looking for.
06:56 < dazo> well, it breaks the idea of overriding config file parameters from the command line ... which is now possible ... except for that, it's not a bad idea
06:57 < ecrist> I would think it would be an expected side-effect
06:57 < dazo> anyhow, the whole config file needs a real re-implementation .... because now you also have some semi-xml tags available as well ....
06:58 < dazo> (<connection>)
06:58 < ecrist> I don't think there's a need for full xml
06:58 < dazo> no no ... I didn't say that :)
06:58 < ecrist> it wouldn't be bad, but the config example I posted is reasonable.
06:59 < dazo> I just said that there are something implemented that already, not solving your issue though ... but might break the command line override somehow already
06:59 < dazo> ini styled config would be reasonable to consider though
07:01 < dazo> ecrist:  but .... what do you gain from having information about multiple connections in one config file vs separate files?
07:01 < ecrist> really, the whole thing could be done in an if within the code that handles --config
07:01 < dazo> basically, that's what you're asking for
07:01 < ecrist> that's exactly what I'm after
07:01 < ecrist> for example, on freebsd, when i install openvpn, I get an init script which reads /etc/rc.conf, but that only allows me to run a single instance of openvpn
07:02 < ecrist> to run more, I have to do some hackery, which is a PITA
07:02 < dazo> but what's the difference ..... openvpn --config <config-file>      vs      openvpn --config <config.file> --config-section xyz
07:02 < ecrist> why have multiple files if I can put it all in one?
07:02 < dazo> simplicity of openvpn?
07:02 < ecrist> I don't think that's a good reason.
07:03 < vpnHelper> New forum entry openvpnforum: Wishlist :: Multiple configs in one file :: Author ecrist <http://www.ovpnforum.com/viewtopic.php?f=10&t=3300&p=3789#p3789>
07:03 < dazo> I'm sure it will not be considered for real, if the only reason is to collect multiple files into one single config file
07:03 < ecrist> why not?
07:03 < dazo> because openvpn will still not spawn out several connections
07:04 < dazo> openvpn will still only connect to one selected host in the config
07:04 < ecrist> my feature request is to add that capability
07:04 < dazo> openvpn will need even more rewrite to connect to all of the defined hosts in such a combined config
07:04 < dazo> which will require quite a rewrite of openvpn
07:05 < ecrist> no, the initial process just says, 'oh, there are multiple connections spawn(--option 1 --option2) etc
07:05 < ecrist> dazo: we have internal code at my office for our stuff that does exactly what i'm asking for, and it's all pretty simple.
07:05 < dazo> yes, and that spawning will not be trivial in the OpenVPN code as it is today .... that's a major rewrite 
07:06 < ecrist> openvpn does know what it is, and can't simply spawn another instance of itself?
07:06 < dazo> I have a bigger belief in a "openvpn-starter" which can parse one or more config files ... and spawn out openvpn instances separately, without modifying openvpn
07:07 < dazo> not in the current state, not without rewriting most of the config parser (options.c) and init.c
07:07 < dazo> openvpn's design is to be single threaded and single processed, from start to end
07:08 < ecrist> ok, I know I'm not the only one who has asked for such features
07:08 < ecrist> also, single-threaded is retarded with current hardware
07:08 < dazo> that's a major flaw in my opinion, esp. on the server side .... where it would be beneficial to have one thread/process per connected client .... but that's not how OpenVPN is designed
07:09 < ecrist> perhaps OpenVPN 3.0 needs to be a ground-up rewrite to support multiple threads, etc.
07:09 < dazo> oh yeah
07:09 < dazo> but really!
07:09 < dazo> this is why several people have reported performance drops when you hit 150+ clients
07:10 < dazo> if you have quad core server, one openvpn process will only make use of one of the cores
07:13 < ecrist> i would solve that with multiple instances, pinned to each core, and a script coupled with my firewall to determine active connections in the state table to direct those users to a specific process.
07:14 < dazo> yeah, but to quote you .... "to run more, I have to do some hackery, which is a PITA"
07:14 < dazo> ;-)
07:14 < ecrist> I didn't say I should have to do that
07:15 < dazo> :)
07:15 < ecrist> I said how I *would* solve that.
07:15 < Deepy> It's a beautiful solution
07:15 < Deepy> A beautiful snowflake in hell
07:15  * dazo wonder which solution Deepy refers to now
07:15 < ecrist> to quote you, 'I'm sure it will not be considered for real'
07:16 < Deepy> ecrist's solution
07:18 < dazo> but which other server product, even aimed at enterprise segments, do you have to make use of home brewed scripts to fork multiple instances and pin them to each CPU core, and make sure you have configs to each process to make sure they will work nicely together ... to make it work properly on a multicore box?
07:19 < ecrist> I don't grok that, dazo
07:20  * ecrist suggests English. ;)
07:28 -!- drecute [~pdrealg@41.155.74.245] has joined ##openvpn
07:35 < Deepy> I got that though
07:36 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:39 < drecute> hello, on OpenVpn, I was able to connect to the server from the client and vice-versa, but I can't browse the internet after connection
07:39 < drecute> any clues please
07:40 < Deepy> Is your server doing any routing?
07:40 < drecute> sure
07:41 < ecrist> !configs
07:41 < drecute> i am connecting to the internet through a dialup
07:41 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
07:42 < drecute> ok, just a second
07:43 < drecute> er...
07:43 < krzee> i wish the forum had "disapprove and delete user"
07:45 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
07:46 < ecrist> it does
07:46 < drecute> deepy: any ideas please
07:46 < ecrist> you have to do it from the user profile, not the moderator queue
07:50 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: Connection reset by peer]
07:58 -!- sonnie_ [~sonnie@202.141.162.106] has joined ##openvpn
07:58 < sonnie_> hi there
08:00 < sonnie_> i want to build-key for a client with existing ca.crt, but the "keys" directory has been removed. while I can still copy ca.crt from an old client. how?
08:08 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
08:16 -!- newtech__ [~newtech@74.115.0.29] has joined ##openvpn
08:16 < cwillu_at_work> sonnie, so you don't have the key for the ca.crt?
08:17 < krzee> ecrist, right, but thats a lot of clicks from the moderator queue
08:17 < krzee> i wish i could do it right from the queue, maybe even in mass
08:18 < krzee> cause its too much a PITA to delete each spam user as is, i just disapprove the posts... i think we all do that
08:19 -!- newtech_ [~newtech@41.227.72.122] has quit [Ping timeout: 258 seconds]
08:19 -!- drecute [~pdrealg@41.155.74.245] has quit [Ping timeout: 240 seconds]
08:25 < ecrist> yeah, just disapprove
08:25 < ecrist> every couple months I delete all users with 0 posts
08:25 < krzee> ahh tru, forgot bout that
08:25 < krzee> still i think they should put a delete user checkbox when modding
08:26 < ecrist> there's a side-effect of possible 'real' users without posts, but I'm not so worried.
08:27 < ecrist> my office vpn is now all sorts of crazy
08:28 < |Mike|> like the admin .... :P
08:28 < ecrist> indeed
08:29 < cron2> dazo: to get UDP servers multithreaded is hard
08:29 < dazo> cron2:  yeah, I see that one
08:29 < cron2> well, to get *anything* to work reliably with threads is hard, because 95% of all programmers cannot handle threaded environments (sad, but what I see in software all around me - not that I know how do threads properly)
08:29 < dazo> cron2:  but .... the current non-threaded state is unsustainable in the long run
08:31 < cron2> it might be interesting to try to generate a few worker threads for "here's a packet, crypt() it and stuff to socket" and "here's a packet from remote, decrypt(), and put to internal queue"
08:31 < dazo> cron2:  that's very true ... threading is not trivial itself ... but it's probably among one of the few options you got to improve performance these days on multi core boxes
08:32 < cron2> getting crypt and decrypt operations offloaded to multiple cores might actually increase scalability quite some - the rest of the code is fairly grivial
08:32 < cron2> trivial is the wrong word
08:32 < cron2> "un-demanding"
08:33 < cron2> not much parsing and thinking and computing going on in the main "move packet from $this client to $that client" code
08:34 < dazo> cron2: well, that's pretty much similar to the worker queues in the kernel scope, I presume ... that's the same issue there as well
08:34 < cron2> "someone" should try profiling OpenVPN server :-)  (not me, not now, need to get my other action items done first)
08:34 < dazo> :)
08:34 < cron2> dazo: I have not the slightest idea how kernel threading / kernel work queues work :-) - I understand "linear flow of control and data from user space to driver and back".  All the rest is magic.
08:36 < dazo> cron2:  the major problem is that when one client is "accepted" in openvpn, it blocks the other clients during the time slot it has available .... most probably it's doing enc/dec of data ... but just as well shuffling data from user-space to kernel-space a couple of times before next client is the next to go
08:36 < dazo> cron2:  so to have a thread which can only shuffle data from the socket into worker queues, and each worker queue can process data separately, much can be improved 
08:39 < cron2> ... and *this* sort of threading is actually fairly manageable from a programmer's perspective - threads don't touch data structures all over the place, just some well-defined things, and those can be rigorously tested
08:39 < dazo> yes
08:40 < dazo> and if the "shuffler" can then put data into different "queues", where one "queue" represent one client ... you have them pretty well confined as well
08:40 < cron2> don't tempt me with so interesting projects :-) - I need to do some paid-for work every now and then.  Especially *now*...
08:40 < dazo> :)
08:40  * dazo too!
08:45 < hyper_ch> I'd rather get paid without being required to do any work :)
09:00 < ecrist> my current VPN (sorry about my graphviz skills, or lack of) http://www.secure-computing.net/wiki/index.php/User_talk:Ecrist#Office_LAN
09:00 < vpnHelper> Title: User talk:Ecrist - Secure Computing Wiki (at www.secure-computing.net)
09:05 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
09:22 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
09:29 -!- newtech_ [~newtech@41.227.72.122] has joined ##openvpn
09:33 -!- newtech__ [~newtech@74.115.0.29] has quit [Ping timeout: 240 seconds]
09:33 < sonnie_> i want to build-key for a client with existing ca.crt, but the "keys" directory has been removed. while I can still copy ca.crt from an old client. how?
09:42 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
09:42 -!- mode/##openvpn [+o mattock] by ChanServ
09:44 -!- drecute [~pdrealg@41.155.6.250] has joined ##openvpn
09:46 < drecute> can't connect to the internet after setting up openvpn. i really need help for this
09:47 < drecute> deepy: you were saying something the other time!
09:51 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
09:55 -!- sonnie_ [~sonnie@202.141.162.106] has quit [Quit: leaving]
09:59 -!- newtech_ [~newtech@41.227.72.122] has quit [Quit: Quitte]
10:18 < rob0> My openssl debacle of yesterday is over, and I'm good until 2013-March-10, when the CA cert expires. (With some minor expirations occurring in 2011 & 2012 too.)
10:18 < rob0> I guess there's no way to "renew" a self-signed CA?
10:18 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:20 -!- cpm is now known as _rob0
10:21 < ecrist> rob0: nope
10:21 < ecrist> well, sort of
10:21 < ecrist> you can re-self-sign it
10:22 -!- _rob0 is now known as cpm
10:25 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
10:25 < rob0> I learned a few tricks, like saving the CSR for reuse, and how to generate a new cert with the old key, and that you can have multiple valid certs with the same CN.
10:26 -!- cpm is now known as _rob0
10:26 < ecrist> rob0: read through ssl-admin script, there's a lot of that I do already
10:26 -!- _rob0 is now known as cpm
10:27 < rob0> yes, it helped, thanks
10:32 < APTX> How do you generate a CSR on windows?
10:32 -!- corretico_ [~laguilar@201.201.46.106] has joined ##openvpn
10:34 <@mattock> Does anyone know what OpenVPN Admin GUI is shown here: http://lifehacker.com/5489252/best-vpn-tool-openvpn
10:34 < vpnHelper> Title: Best VPN Tool: OpenVPN - Vpn - Lifehacker (at lifehacker.com)
10:34 <@mattock> the name is a little generic... :)
10:36 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 248 seconds]
10:45 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 260 seconds]
10:46 <@mattock> ok, it's this one: http://sourceforge.net/projects/openvpn-admin/
10:46 < vpnHelper> Title: Multiplatform Admin GUI for OpenVPN | Get Multiplatform Admin GUI for OpenVPN at SourceForge.net (at sourceforge.net)
10:52 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 256 seconds]
10:53 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
11:02 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
11:04 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
11:04 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Quit: ZNC - http://znc.sourceforge.net]
11:05 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
11:06 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
11:15 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
11:22 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has quit [Ping timeout: 256 seconds]
11:24 -!- virtx [~spartak@host-78-13-208-82.cust-adsl.tiscali.it] has joined ##openvpn
11:24 < virtx> hi
11:25 < virtx> i've a vpn up, client is connected correctly. now how can i route all from client to vpn and exit to internet?
11:25 -!- AndChat| [~AndChat@241.sub-97-245-33.myvzw.com] has joined ##openvpn
11:25 -!- AndChat| [~AndChat@241.sub-97-245-33.myvzw.com] has quit [Client Quit]
11:28 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined ##openvpn
11:29 < Deepy> drecute: yes, routing/nat might be fun to setup
11:29 -!- macsppadic [~sonupunno@82.109.74.162] has left ##openvpn []
11:29 < Deepy> server-side
11:29 < drecute> yea
11:29 < virtx> yep, iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
11:29 < virtx> and echo 1 to forward in proc
11:29 < drecute> i setup some iptables
11:30 < drecute> sure i did exactly that
11:30 < drecute> still no luck
11:30 < drecute> i am connecting to the internet via dial-up
11:30 < drecute> could this be the problem
11:32 < drecute> the dial-ip uses dhcp
11:32 < drecute> so everytime i connect the ip changes
11:34 < ecrist> my vpn setup make me cry
11:40 -!- virtx [~spartak@host-78-13-208-82.cust-adsl.tiscali.it] has quit [Quit: machihadettochenonc'e']
11:43 -!- drecute [~pdrealg@41.155.6.250] has quit [Ping timeout: 248 seconds]
11:51 -!- drecute [~pdrealg@41.155.6.250] has joined ##openvpn
11:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:53 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
12:07 -!- max06 [~max06@freenode/sponsor/max06] has joined ##openvpn
12:09 -!- caution [~caution@unaffiliated/caution] has joined ##openvpn
12:09 < max06> Good evening... Just a short question. I managed to set up my vpn, I want to route all traffic through the server, but I need to enter "route add default gw 10.0.0.1" on my client everytime I connect. Is it possible to set this automatically?
12:09 < caution> yes, it's a config setting, openvpn --help
12:09 < max06> okay, I'll have a look again
12:10 < caution> might be 'route-up' that you want
12:12 < max06> mhm, that's in the client config, right?
12:16 -!- LobbyZ [~default@188.72.255.194] has quit [Read error: Operation timed out]
12:17 < caution> yeah
12:18 < rob0> !redirect-gateway
12:18 < vpnHelper> rob0: Error: "redirect-gateway" is not a valid command.
12:18 < rob0> !def1
12:18 < vpnHelper> rob0: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
12:25 -!- Gnewt [~hackerlet@li57-94.members.linode.com] has joined ##openvpn
12:25 < Gnewt> Is it possible to make an OpenVPN "single-click" executable for Windows?
12:25 < Gnewt> I want it to work like this
12:25 < Gnewt> 1) generate cert that is valid for 1 hr
12:25 < Gnewt> 2) pack executable so that an OpenVPN connection is started with that cert in one click
12:27 < rob0> A certificate is not valid unless/until signed by the CA, and when it's signed, it is given a specific lifetime, not "one hour of use whenever used".
12:27 < Gnewt> I know
12:28 < Gnewt> I am the CA and I want to give it one hour from generation
12:29 < max06> mhm... after connection, route shows: "default         *               0.0.0.0         U     0      0        0 tap0"
12:29 < max06> which should work
12:29 < drecute> hello folks, how can I allow my internet connection to use my vpn ip to connect to the internet
12:30 < max06> but I need the route "default         o202.local      0.0.0.0         UG    0      0        0 tap0"
12:31 < max06> redirect-gateway def1 isn't working
12:33 < drecute> yep
12:33 < drecute> it isn't
12:33 < rob0> Gnewt: think about this. You are the CA. Your Windows-client-wannabee is *not* the CA. How is your Windows executable going to sign that certificate?
12:33 < drecute> when i check my ip, it still using the one on my local computer
12:34 < Gnewt> rob0: Not what I mean. I want to generate everything serverside, and then make it into an exe to downloa.
12:34 < Gnewt> download.
12:35 < rob0> Oh, then that should be achievable, sure. What are you asking?
12:36 < rob0> !tap
12:36 < vpnHelper> rob0: "tap" is "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything
12:36 < vpnHelper> rob0: where the protocol uses MAC addresses instead of IP addresses.
12:36 < rob0> max06: ^^
12:37 < max06> rob0, what? ^^
12:37 < max06> should I use tun instead of tap?
12:38 -!- drecute [~pdrealg@41.155.6.250] has quit [Ping timeout: 260 seconds]
12:38 < max06> trying this... moment ... ^^
12:38 -!- drecute [~pdrealg@41.155.6.250] has joined ##openvpn
12:38 < rob0> tap is rarely a good idea. 
12:40 < max06> not working, server doesn't want to start any more ^^
12:41 < max06> I want the server to tell my clients to execute "route add default gw 10.0.0.1" after connecting... without changing the config files of the clients
12:56 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Ping timeout: 248 seconds]
12:59 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
13:01 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
13:16 < max06> I can't figure it out... -.-
13:20 -!- Blues-Man [~bluesman@host113-117-dynamic.27-79-r.retail.telecomitalia.it] has joined ##openvpn
13:27 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
13:28 -!- Blues-Man [~bluesman@host113-117-dynamic.27-79-r.retail.telecomitalia.it] has quit [Ping timeout: 248 seconds]
13:30 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Ping timeout: 245 seconds]
13:34 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has joined ##openvpn
13:45 < caution> clients need something like 'pull' in their configs
13:45 < caution> and server has push
13:47 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 260 seconds]
13:50 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
13:50 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
13:50 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
13:53 -!- dazo is now known as dazo_afk
13:54 -!- drecute is now known as coodu
13:55 -!- coodu is now known as drecute
14:07 -!- drecute [~pdrealg@41.155.6.250] has quit [Ping timeout: 264 seconds]
14:11 -!- le0_ [~tehle0@cpc4-bele7-2-0-cust381.know.cable.virginmedia.com] has joined ##openvpn
14:14 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
14:18 -!- HardDisk_WP [~Marco@wikipedia/harddisk] has joined ##openvpn
14:18 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
14:23 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has quit [Ping timeout: 245 seconds]
14:28 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
14:32 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has joined ##openvpn
14:43 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
15:14 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
15:58 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
16:09 < HardDisk_WP> hey
16:09 < HardDisk_WP> I run this ovpn config: http://pastebin.com/mMX7MUwk
16:09 < HardDisk_WP> clients can connect
16:09 < HardDisk_WP> but the DHCP part isnt working
16:09 < HardDisk_WP> Oh wait...
16:11 < HardDisk_WP> this one is correct http://pastebin.com/zNHwcggn
16:11 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:14 < HardDisk_WP> client is winxp sp3, dhcpclient enabled
16:15 < caution> maybe you should pastebin both configs
16:31 -!- Beber` [~Beber@2a01:e35:1394:d920:34::11] has quit [Read error: No route to host]
16:32 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has quit [Ping timeout: 258 seconds]
16:38 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: Connection reset by peer]
16:39 -!- le0_ [~tehle0@cpc4-bele7-2-0-cust381.know.cable.virginmedia.com] has quit [Ping timeout: 265 seconds]
16:45 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
16:46 -!- LobbyZ [~default@188.72.255.194] has quit [Remote host closed the connection]
16:47 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
16:48 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
17:08 < HardDisk_WP> caution, that issue is solved... i now have another problem ^^
17:09 < HardDisk_WP> tap0 is bridged to eth_wan => br0: http://pastebin.com/ezHsbRx6
17:09 < HardDisk_WP> and there's shorewall running
17:09 < HardDisk_WP> but shorewall should not affect the bridge?
17:10 -!- p3rror [~Ali@2001:5c0:1000:b::57b5] has quit [Read error: Operation timed out]
17:11 < HardDisk_WP> in any case, this here is iptables output:
17:11 < HardDisk_WP> http://pastebin.com/fUNfRPTM
17:13 -!- fremo__ [~fremo@noc.toile-libre.net] has quit [Ping timeout: 256 seconds]
17:15 < HardDisk_WP> caution, any idea what might possibly have gone nuts?
17:15 < caution> I'm just another person seeking help, no need to highlight me
17:17 -!- treats [~treats@209-94-131-110.c3-0.abr-ubr2.sbo-abr.ma.cable.rcn.com] has quit []
17:19 < HardDisk_WP> Ah okay^^
17:27 -!- p3rror [~Ali@anonymous-196-206-81-211.broker.freenet6.net] has joined ##openvpn
17:33 -!- fremo__ [~fremo@noc.toile-libre.net] has joined ##openvpn
17:37 -!- fremo__ [~fremo@noc.toile-libre.net] has quit [Ping timeout: 268 seconds]
17:40 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
17:40 -!- fremo__ [~fremo@noc.toile-libre.net] has joined ##openvpn
17:41 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
17:41 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
17:47 < sonnie> cwillu_at_work, Bushmills: are you there?
17:47 < sonnie> I have lost the key for older ca.crt, now what shall I do?
17:49 -!- saylar [~doe.john@213.163.64.43] has joined ##openvpn
17:50 < saylar> hey guys
17:50 < saylar> !welcome
17:50 < vpnHelper> saylar: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:51 < saylar> !goal
17:51 < vpnHelper> saylar: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:54 < saylar> i think i just need the right keywords. my goal is to connect to an VPN Server but still be able to access the local services on the machine, such as samba. could someone give me a hint on where to start looking? 
17:56 < rob0> I have no idea WHY you cannot access local services when using openvpn, so no, not really.
17:58 -!- Uriell [uriel@2001:470:1f09:2e9::13] has joined ##openvpn
17:59 < Uriell> How can I make openvpn tunnels be private per user in windows 7? so the tunnel won't be accessible by other users on the machine
18:00 < Uriell> I already have each user have his own static IP address
18:02 < Uriell> But all the users can access the tunnels
18:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
18:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
18:06 < rob0> openvpn has no such feature, to control which processes can access a tunnel. Therefore it would be a Windows question, if it is even possible.
18:18 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
18:18 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
18:23 -!- steve991 [~vpn@2002:ad03:acce:b:213:d3ff:fe63:e3fc] has joined ##openvpn
18:23 < steve991> hello
18:24 < steve991> I'm getting a "Could not execute web user account useradd. (32512, 'sh: useradd: command not found')"
18:25 < steve991> useradd is definitely a command, just tried it. it's in my PATH
18:25 < steve991> oh wait. no its not. wtf.
18:35 < saylar> rob0, maybe you could have a look at this thread where I described the problem a bit more detailed. I really appreciate the help 
18:35 < saylar> http://ubuntuforums.org/showthread.php?p=8941068#post8941068
18:35 < vpnHelper> Title: [ubuntu] Port Forwarding to VPN Client (kvpnc) - Ubuntu Forums (at ubuntuforums.org)
18:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
18:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
18:38 -!- steve991 [~vpn@2002:ad03:acce:b:213:d3ff:fe63:e3fc] has quit [Quit: using sirc version 2.211+KSIRC/1.3.12]
18:43 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
18:53 -!- saylar [~doe.john@213.163.64.43] has quit [Remote host closed the connection]
18:53 -!- saylar [~doe.john@213.163.65.50] has joined ##openvpn
18:54 -!- saylar [~doe.john@213.163.65.50] has quit [Remote host closed the connection]
18:54 -!- saylar [~doe.john@213.163.71.100] has joined ##openvpn
18:54 -!- saylar [~doe.john@213.163.71.100] has quit [Remote host closed the connection]
18:55 -!- saylar [~doe.john@213.163.72.149] has joined ##openvpn
19:04 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
19:05 -!- tjz [~pc@bb116-15-57-207.singnet.com.sg] has joined ##openvpn
19:05 -!- tjz [~pc@bb116-15-57-207.singnet.com.sg] has quit [Changing host]
19:05 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
19:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
19:15 -!- Uriell [uriel@2001:470:1f09:2e9::13] has quit [Quit: Lost terminal]
19:59 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
19:59 < theDoc> Hi all.
20:03 -!- caution [~caution@unaffiliated/caution] has quit [Ping timeout: 245 seconds]
20:03 < theDoc> Takamichi, you were looking for me?
21:04 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
21:41 -!- rgubler [rob@happybox.org] has quit [Remote host closed the connection]
21:41 -!- crazygir [~jason@unaffiliated/crazygir] has quit [Ping timeout: 276 seconds]
21:44 -!- Gnewt [~hackerlet@li57-94.members.linode.com] has quit [Ping timeout: 268 seconds]
21:45 -!- Gnewt [~hackerlet@2001:470:1f05:c28::deaf:1] has joined ##openvpn
21:45 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
21:46 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
21:53 -!- crazygir [~jason@li14-82.members.linode.com] has joined ##openvpn
21:53 -!- rgubler [rob@happybox.org] has joined ##openvpn
22:00 -!- saylar [~doe.john@213.163.72.149] has quit []
22:11 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
22:12 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 268 seconds]
22:22 < ecrist> evening, folks
22:28 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has joined ##openvpn
22:33 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has quit [Ping timeout: 265 seconds]
22:45 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
22:47 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
22:52 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
23:13 < sonnie> is it possible to rebuild ca.key with old ca.crt?
23:17 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
23:17 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
23:18 < ecrist> DUDES!
23:19 < ecrist> sonnie: no
23:19 < ecrist> if you have ca.csr, yes
23:19 < rob0> No, a key is not retrievable from the certificate. If you've lost your key or passphrase, you're going to have to start over with a new CA.
23:19 < ecrist> oh, wait, not even then.
23:19 < rob0> yeah, I think it was the CA key lost.
23:19 < ecrist> you need csr and key for any certificate to rebuilt
23:19 < ecrist> ~ssl-admin
23:19 < ecrist> they will save it
23:21 < ecrist> up for review: I've considered offering a free off-site backup solution via config for ssl-admin of all ca and client CSR and keys.
23:22 < ecrist> as well as hosting CRL
23:22 < rob0> In a perfectly-run CA, the CA would not have any client keys. Users generate their CSR, send it, receive the cert in return.
23:23 < rob0> (I know. I have almost all my client keys too.)
23:23 < ecrist> rob0: you're right, but that's not how most openvpn setups are executed.
23:23 < rob0> :)
23:24 < ecrist> BUT, if I built an infrastructure, I could setupt (not knowing/accepting/wanting) openvpn configs, I could be a site that managed those things for users.
23:24 < ecrist> i.e. joe.blow registers, builds all their certificates from my site.  I store CSR and key.  I don't have to know where they send them.
23:24 < ecrist> I would do that for free.
23:25 < rob0> The only theoretical problem with controlling the whole CSR/key generation at the CA is in getting the key securely to the client.
23:25 < ecrist> as a pay service, I could offer VPN providers access to my API, allowing clients in their list to submit the CSR to their system.
23:25 < rob0> Listen to me, talking about SSL like I know something about it! FAKER!!
23:27 < ecrist> lol
23:27 < ecrist> rob0: that easy to handle internally
23:28 < rob0> or gpg
23:28 < ecrist> in a perfect work the client generates it themselves, but that's not really realistic in a VPN scenario
23:31 < theDoc> More often than not, realism is the killer to most "perfect scenarios" ;p
23:31 < theDoc> Just like how I'm getting annoyed with web developers that fail to deliver.
23:34  * ecrist goes to bed.
23:51 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has quit [Read error: Connection reset by peer]
23:56 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined ##openvpn
--- Day changed Fri Mar 12 2010
00:23 -!- simplechat [~simplecha@123-243-79-139.tpgi.com.au] has joined ##openvpn
00:23 -!- simplechat [~simplecha@123-243-79-139.tpgi.com.au] has quit [Changing host]
00:23 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
00:37 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 246 seconds]
00:45 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
00:46 < cwillu_at_work> sonnie, if you don't have the key for a ca, you can no longer sign with that ca.  That's pretty much the whole point of certs :)
00:47 < cwillu_at_work> sonnie, start using a new ca, and make sure you don't lose the key this time :p
00:48 < cwillu_at_work> you should be able to continue to use keys signed by the old ca, although you're probably best of resigning such keys with the new ca
00:49 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
00:58 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has joined ##openvpn
02:00 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 246 seconds]
02:11 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Operation timed out]
02:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:55 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
03:10 -!- master_of_master [~master_of@p57B576FC.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
03:12 -!- master_of_master [~master_of@p57B56A7E.dip.t-dialin.net] has joined ##openvpn
03:14 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
03:19 -!- dazo_afk is now known as dazo
03:30 -!- BuGo_laptop [~anonymous@78-59-31-26.static.zebra.lt] has joined ##openvpn
03:30 < BuGo_laptop> !welcome
03:30 < vpnHelper> BuGo_laptop: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:30 < BuGo_laptop> !route
03:30 < vpnHelper> BuGo_laptop: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
03:35 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
03:39 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
03:43 < BuGo_laptop> THE F/
03:43 < BuGo_laptop> http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
03:43 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
03:44 < BuGo_laptop> In short, if your lan that you want to access using openvpn uses a common subnet such as 192.168.0.x or 192.168.1.x, CHANGE IT. 
03:44 < BuGo_laptop> what kind of solution is that?
03:46 -!- RayTracer [~Ray@HSI-KBW-078-042-233-220.hsi3.kabel-badenwuerttemberg.de] has joined ##openvpn
03:47 < RayTracer> !welcome
03:47 < vpnHelper> RayTracer: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:49 < BuGo_laptop> awesome...
03:49 < BuGo_laptop> i have 192.168.0.0/24 and i want to connect to 192.168.0.0./24
03:49 < RayTracer> how can I mute these "WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page)." warnings? I find them very annoying
03:49 < BuGo_laptop> just awesome.... 
03:55 < RayTracer> I have verb 0 already, but it keeps sending annoying "NOTE: the current --script-security setting may allow this configuration to call user-defined scripts" and "WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page)." logs
03:56 < RayTracer> isn't there a way to tell openvpn "I know what I'm doing, stop being a dork"
04:02 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Quit: Leaving]
04:09 < |Mike|> RayTracer: sudo halt.
04:09 < RayTracer> |Mike|: is that supposed to be funny?
04:19 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
04:22 < |Mike|> RayTracer: y
04:24 < RayTracer> you get kicked/banned on ##linux for such misadvising. it's not funny either.
04:27 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:28 -!- BuGo_laptop [~anonymous@78-59-31-26.static.zebra.lt] has quit [Ping timeout: 245 seconds]
04:32 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
04:48 < reiffert> "I know what I'm doing, stop being a dork": why?
04:50 < RayTracer> reiffert: these warnings/notes may be appropriate hints the first time, I now am looking for a way to acknowledge/suppress them
04:50 < RayTracer> after all, I put verb 0 so there shouldn't be logged anything but fatal errors, as described in the man page
04:53 < dazo> RayTracer:  I'll put that one up for discussion on the developers meeting next week, it's a fair request/wish
04:53 < RayTracer> thx
04:54 < dazo> RayTracer:  it's important notifications, but when you do things on purpose, and do know what you do ... being able to actively disable such notifications should be possible, IMO
04:56 < RayTracer> it's just a misclassification of the messages, it should just log to the appropriate verb levels
04:58 < RayTracer> the man page could mention them in more detail, 0 == FATAL, 2 == WARN, 3 == NOTE, or however you made the mapping
05:02 < RayTracer> although an option that causes log messages if used at all seems silly to me, this warning should probably just be dropped - the man page doesn't indicate issues with tls-remote, in contrary it mentions "tls-remote is a useful replacement". then you use it, an get warned about it
05:04 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
05:04 -!- mode/##openvpn [+o mattock] by ChanServ
05:10 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
05:23 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
05:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:38 -!- Debian911 [~79d7b293@gateway/web/freenode/x-suhwvjzqvdgfqfgs] has joined ##openvpn
05:39 < Debian911> Just installed openvpn on my fresh Ubuntu Server 9.10 and windows 7 64bit, using the script here to setup: http://vpsnoc.com/blog/how-to-install-openvpn-on-a-debianubuntu-vps-instantly/ and connecting fine - but no internet is being passed down/on
05:39 < vpnHelper> Title: How to install OpenVPN on a Debian/Ubuntu VPS instantly | VPS Network Operation Center (at vpsnoc.com)
05:39 < Debian911> Ideas would be greatly appreicated
05:41 < dazo> !def1
05:41 < vpnHelper> dazo: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
05:41 < dazo> Debian911:  ^^
05:42 < Debian911> as you can see from the script, it actually adds "redirect-gateway def1" to client and "push "redirect-gateway" to server
05:42 < Debian911> dazo: ^^
05:43 < dazo> Debian911:  it sounds wrong to use that on both places
05:43 < dazo> Debian911:  try without the push statement, that might override the client setting
05:44 < dazo> Debian911:  or remove the statement in the client config and modify the push to push "redirect-gateway def1"
05:44 < Debian911> dazo: for easier comparsion this is server: http://pastebin.com/EaKYf2dL and this is client configs: http://pastebin.com/LRrS9dAW
05:45 < Debian911> dazo: just wait til youve read the above to confirm, and ill go ahead and try those suggestions - id do it now, but ill dc when I do heh
05:46 < dazo> Debian911: windows is the client?
05:46 < dazo> !logs
05:46 < Debian911> yes
05:46 < vpnHelper> dazo: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
05:46 < Debian911> windows 7 64bit
05:46 < Debian911> u need me to redo logs?
05:46 < Debian911> or future ref
05:47 < dazo> Debian911:  I didn't see you posted logs ... but if not, for future ref
05:48 < Debian911> I did try disabling push on server at one point it still connected, had internet, but wasn't using servers IP
05:48 < Debian911> etc
05:48 < Debian911> dazo: sorry by logs I meant configs
05:49 < Debian911> dazo: I can try once again with # client redirect and making server push but I think it will have the same effect as when I tried both, connects, has internet, but not from Server
05:49 < dazo> configs are fine ... I need logs to see what really happens on your server and client .... filter out IP addresses only
05:49 < dazo> Debian911:  you start openvpn with admin privileges?
05:50 < dazo> Debian911:  openvpn needs to modify the routing table ... so if it's not able to do that, you might not succeed 
05:50 < Debian911> dazo: no, ill give that a try now - ill dc, ill get logs for u aswell - where are logs on my nix server for u?
05:50 < Debian911>  /var/log?
05:50 < dazo> Debian911:  most probably ... or you can use --logs <filename>
05:51 < Debian911> kk, brb
05:58 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
06:11 -!- Debian911_ [~79d7b293@gateway/web/freenode/x-pkrwrhgsncdmpsbr] has joined ##openvpn
06:12 < Debian911_> dazo: back :) - no luck tho mate
06:12 < Debian911_> dazo: client log - http://pastebin.com/ih9i22dc           server log - http://pastebin.com/jK9Pe7eK
06:13 -!- Debian911 [~79d7b293@gateway/web/freenode/x-suhwvjzqvdgfqfgs] has quit [Ping timeout: 252 seconds]
06:19 -!- Debian911_ [~79d7b293@gateway/web/freenode/x-pkrwrhgsncdmpsbr] has left ##openvpn []
06:19 -!- Debian911_ [~79d7b293@gateway/web/freenode/x-pkrwrhgsncdmpsbr] has joined ##openvpn
06:20 < Debian911_> dazo: think i dc'd mate
06:20 < Debian911_> sorry
06:20 < Debian911_> dazo: client log - http://pastebin.com/ih9i22dc           server log - http://pastebin.com/jK9Pe7eK
06:21 < Debian911_> dazo: Im running service as sudo, but isnt it meant to drop privs down after?
06:28 < Debian911_> if thats even the issue..
06:32 < macsppadic> hey there Debian911_ 
06:32 < macsppadic> so getting tunnel setup errors in the server log 
06:32 < Debian911_> macsppadic: Hi mate
06:32 < Debian911_> macsppadic: ideas on what one can do?
06:34 < macsppadic> apologies as am just catching up with issue 
06:34 < macsppadic> so no dev tun device then ?
06:34 < macsppadic> being listed when u do an ifconfig on the server
06:39 < Debian911_> yea its there mate
06:39 < Debian911_> only errors im seeing in server log is the permission denys
06:39 < Debian911_> macsppadic: the issue at hand is that I can connect perfectly fine to server, but there is no internet when connected
06:39 < Debian911_> aka can't ping/surf
06:40 < |Mike|> RayTracer: I don't care, this is ##openvpn  :)
06:42 -!- mape2k [~mape2k@150.200.116.85.dsl.manitu.net] has joined ##openvpn
06:42 < Debian911_> macsppadic: server config - http://pastebin.com/VEd00M2m         client config - http://pastebin.com/DRviqSac
06:43  * ecrist kicks |Mike| in the baby-maker
06:43 < macsppadic> Debian911_:  cud u try channing that to root user first as a test to see if anything changes?
06:43 < dazo> Debian911_:  have a close look at those error and warning messages .... you have issues there, especially on the client
06:43 < macsppadic> sorry the config i mea 
06:43 < macsppadic> n
06:44 < dazo> Debian911_:  line 15, 16 and 41-46
06:44  * dazo is not a windows expert, so can't help much in regards to 41-46
06:45 < dazo> Debian911_:  further ... on the server side, line 15, 18 and 19 indicates you are not starting the server with root privileges
06:45 < Debian911_> ill brb gotta run to car
06:45 < Debian911_> i am
06:45 < Debian911_> sudo
06:45 < dazo> #
06:45 < dazo> SIOCSIFADDR: Permission denied
06:45 < macsppadic> aye dazo was wondering that as well 
06:45 < Debian911_> im sudo
06:45 < Debian911_> tho
06:45 < dazo> you do not have enough privileges, it's that easy
06:45 < Debian911_> thats weird
06:46 < dazo> Debian911_:  Check this error up some ubuntu channels ... that looks more to be a Ubuntu issue
06:47 -!- mape2k [~mape2k@150.200.116.85.dsl.manitu.net] has quit [Ping timeout: 260 seconds]
06:49 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
06:57 -!- MacVirus [~VirusTB@ip-145-93-223-92.fontys.nl] has joined ##openvpn
06:58 < |Mike|> ecrist: harderrrrr :D
06:59 -!- mape2k [~mape2k@150.200.116.85.dsl.manitu.net] has joined ##openvpn
07:00 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
07:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:18 < Debian911_> dazo macsppadic: back sorry for that
07:19 < Debian911_> macsppadic: if i change those two nobody references to root and run
07:19 -!- RayTracer [~Ray@HSI-KBW-078-042-233-220.hsi3.kabel-badenwuerttemberg.de] has left ##openvpn []
07:19 < Debian911_> that will check if its related to permissions yes?
07:19 < macsppadic> yes wud bea start as dazo highlighted as well 
07:19 < dazo> Debian911_:  openvpn will not change to --user/--group privileges before it can drop root privileges, so that should not be the issue
07:20 < dazo> Debian911_:  I'm using --user, --group and --chroot in a strict setup on 3 different server setups ... and that has never been an issue
07:20 < Debian911_> dazo: so ur saying its an ubuntu issue?
07:20 < dazo> Debian911_:  it smells so for me
07:21 < Debian911_> just weird no ones found a bug in the x amount of months its been out
07:21 < Debian911_> which makes me thing config issue
07:21 < Debian911_> or perms
07:21 < dazo> Debian911_:  either Ubuntu or something strange on your side .... try starting it directly from the root account .... sudo su - ... and then call openvpn with --config ... and see what happens
07:22 < Debian911_> i normally start it will service openvpn start - how can i thrw --config in there?
07:22 < dazo> Debian911_:  my personal experiences with Ubuntu is not positive ... and it's not the first issue we've had here with Ubuntu even ... 
07:23 < dazo> Debian911_:  openvpn --config <full-path-to-config-file>
07:23 < Debian911_> kk
07:24 < Debian911_> ill dc, brb with logs
07:27 < Debian911_> dazo: openvpn --config /etc/openvpn/openvpn.conf isnt starting service
07:27 < dazo> Debian911_:  and you do that as root?
07:27 < Debian911_> yes
07:27 < Debian911_> no errors
07:28 < Debian911_> but jst doesnt start
07:28 < dazo> Debian911_:  log files?
07:28 < dazo> Debian911_:  sure it just didn't daemonise itself?
07:33 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
07:33 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
07:33 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
07:40 -!- Debian911_ [~79d7b293@gateway/web/freenode/x-pkrwrhgsncdmpsbr] has quit [Quit: Page closed]
07:40 -!- debian911 [~79d7b293@gateway/web/freenode/x-dbvmhydsouberqsk] has joined ##openvpn
07:41 < debian911> client: http://pastebin.com/5XhTM5Kc server: http://pastebin.com/jMasTLuc
07:41 < debian911> dazo macsppadic: changing it to root root makes permision errors go away
07:42 < debian911> however interestingly, runnin as root with nobody still in there still produces em
07:42 < debian911> but yea... wtf?
07:42 < macsppadic> thats odd...
07:42 < macsppadic> very odd 
07:44 -!- crazygir [~jason@li14-82.members.linode.com] has quit [Changing host]
07:44 -!- crazygir [~jason@unaffiliated/crazygir] has joined ##openvpn
07:44 < debian911> dazo: not sure what to go to ubuntu with if u still think its their prob
07:44 -!- le0 [~tehle0@unaffiliated/le0] has quit [Read error: Connection timed out]
07:45  * dazo is very busy right now ... need to go away for a while .... doing some work I'm paid to do :-P
07:45 < debian911> those logs
07:45 < debian911> show no errors
07:45 < debian911> so im completly lost
07:48 < debian911> macsppadic: cant be iptables shit wrong can it, or it wld show up yea?
07:49 < macsppadic> tcpdump is the bet command to check that - 
07:49 < macsppadic> if u cna try n ping the ip n watch the tun0 device 
07:49 < macsppadic> tcpdump -nei tun0 
07:49 < macsppadic> mite be a clue 
07:59 -!- MacVirus [~VirusTB@ip-145-93-223-92.fontys.nl] has quit [Quit: MacVirus]
08:00 < macsppadic> u there debian911 
08:00 < macsppadic> any luck?
08:01 < debian911> nope
08:01 < debian911> :(
08:01 < macsppadic> oh dear
08:01 < macsppadic> what verbosity are the logs at?
08:01 < macsppadic> try put it to 5 or 6 if not 
08:01 < macsppadic> u have no errors anymore in the server logs u were saying?
08:01 < debian911> thatll give more detail?
08:01 < macsppadic> aye
08:01 < debian911> kk 1 sec
08:01 < macsppadic> well if anything at all on the server side 
08:01 < debian911> verb on both client and server
08:01 < debian911> or only server command
08:02 < debian911> option*
08:02 < macsppadic> !verb 
08:02 < vpnHelper> macsppadic: Error: "verb" is not a valid command.
08:02 < macsppadic> doh
08:04 -!- APTX_ [~APTX@chello089076052083.chello.pl] has joined ##openvpn
08:04 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Connection reset by peer]
08:05 < macsppadic> at both ends pls 
08:08 -!- mape2k [~mape2k@150.200.116.85.dsl.manitu.net] has quit [Ping timeout: 260 seconds]
08:10 -!- SandGorgon [~OmNomNomO@122.160.41.129] has joined ##openvpn
08:11 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
08:12 < SandGorgon> hi guys.. i'm using openvpn 2.1 on ubuntu (server and client) - when I connect using Gnome's network-manager-vpn, I'm not able to reach the regular internet. I'm pretty sure I didnt ask for that in my server's configuration - is this default behavior? I only want traffic meant for the private subnet to go through VPN
08:19 < dazo> !ubuntu
08:19 < vpnHelper> dazo: "ubuntu" is dont use network manager!
08:20 -!- MacVirus [~VirusTB@ip-145-93-223-92.fontys.nl] has joined ##openvpn
08:22 < HardDisk_WP> hi
08:22 < HardDisk_WP> I try to use openvpn on a shorewall-based firewall with two nics
08:22 < HardDisk_WP> the ovpn tap0 is bridged with eth_lan to br0
08:23 < HardDisk_WP> well, the ovpn clients can ping the server (the br0 if) and vice versa
08:23 < HardDisk_WP> same for the LAN clients
08:23 < HardDisk_WP> but the LAN clients cant ping the ovpn clients and other way round
08:23 < HardDisk_WP> IPv4 forward is enabled
08:23 < macsppadic> client-to-client HardDisk_WP 
08:23 < macsppadic> is the client-to-client option enabled HardDisk_WP ?
08:23 < HardDisk_WP> Yes
08:24 < dazo> HardDisk_WP:  or you might even need to look at iroute
08:24 < dazo> !route
08:24 < vpnHelper> dazo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:24 < HardDisk_WP> it's bridged
08:24 < HardDisk_WP> no routed vpn
08:24 < HardDisk_WP> this is serverconf
08:24 < HardDisk_WP> http://pastebin.com/sNmgCSh7
08:25 < macsppadic> what do the logs show HardDisk_WP ? 
08:25 < macsppadic> anything in shorewal logs
08:25 < macsppadic> ?
08:26 < HardDisk_WP> http://pastebin.com/509VyGt4
08:26 < HardDisk_WP> this here is ovpn client log
08:27 < HardDisk_WP> Nope nothin in shorewall log
08:27 < debian911> gah
08:27 < debian911> that took fuckin long enuf
08:28 < debian911> dazo macsppadic: client - http://pastebin.com/Q5dMLYZu server - http://pastebin.com/J4Z21ABH
08:28 < debian911> verb6
08:28 < HardDisk_WP> macsppadic, is there maybe sth. in the iptables rules missing?
08:28 < HardDisk_WP> shorewall is just a interface for it
08:31 < macsppadic> aye HardDisk_WP shorewall is jsut netfilter anyways 
08:31 < HardDisk_WP> so whatever's wrong here is either the bridge or netfilter rules...
08:31 < macsppadic> aye 
08:31 < HardDisk_WP> I dont have a clue about netfilter
08:31 < HardDisk_WP> .oO( cmon, say "aye" :P)
08:31 < macsppadic> dont need - shorewall is based on that 
08:32 < macsppadic> rite HardDisk_WP when u connect to the server what IP r u getting it
08:32 < HardDisk_WP> I connect from the outside, I gots 172.16.0.50 for the client
08:32 < macsppadic> ok n what are u trying to reach 
08:32 < HardDisk_WP> 172.16.0.101, a machine on eth_wan
08:32 < HardDisk_WP> eh eth_lan
08:32 < HardDisk_WP> can be pinged from server
08:33 < macsppadic> ok
08:33 < debian911> dazo: I cant see any issues with ethier logs (bar permissions on server log)
08:33 < HardDisk_WP> and .101 can ping .1 (the IP of br0)
08:33 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
08:34 < macsppadic> HardDisk_WP: shorewall rules- got anything specifically blocking loc ping?
08:34 < HardDisk_WP> nope machines on lan can ping each other (sure, they're on a hub)
08:35 < HardDisk_WP> hold short I'll pastebin my shorewall conf files
08:35 < theDoc> God damn, fuck PPTP.
08:35 < macsppadic> okie dokie 
08:36 < HardDisk_WP> macsppadic, this are shorewall confs: http://pastebin.com/TvKV5vgM
08:36 < dazo> debian911:  can you ping the server VPN IP address from client ... and vice versa?
08:37 < debian911> i can go try now, will dc
08:37 < debian911> brb
08:38 -!- APTX_ [~APTX@chello089076052083.chello.pl] has quit [Quit: Farewell]
08:38 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
08:38 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
08:38 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
08:40 < SandGorgon> hi guys.. how can i ensure that only traffic meant for the VPN's private network (10.8.0.x) goes through VPN and everything else goes through the regular internet ? I would prefer doing it using some directive in the server, so it just works on windows and linux
08:41 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 265 seconds]
08:44 < HardDisk_WP> macsppadic, uh... is it possible that the routing doesnt work properly
08:44 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
08:44 < HardDisk_WP> because br0 has no default gateway set??
08:45 -!- debian911_ [~79d7b293@gateway/web/freenode/x-rgnmapoiwbnsuscp] has joined ##openvpn
08:45 < debian911_> dazo: can ping fine, both server client and visa versa
08:46 < debian911_> dazo: weird thing is, doing a ipconfig on windows box, i have ip, subnet but NO default gateway
08:46 < macsppadic> sorry HardDisk_WP was in a meeting 
08:47 < dazo> debian911_:  then you need to have a look at 1) is IP forwarding enabled?  2) Is your routing tables sensible after OpenVPN has started?
08:47 < HardDisk_WP> np
08:47 < debian911_> dazo: ipv4_foward returns 1
08:47 -!- debian911 [~79d7b293@gateway/web/freenode/x-dbvmhydsouberqsk] has quit [Ping timeout: 252 seconds]
08:47 < debian911_> i only issued: sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
08:48 < dazo> debian911_:  3) iptables ... do you allow traffic to pass via FORWARD table ....
08:48 < dazo> and the 4th you managed to confirm :)
08:48 < macsppadic> rite back with a bang 
08:48 < macsppadic> br0 has no default gateway ?
08:48 -!- cwillu_at_work [~cwillu@cwillu.com] has quit [Ping timeout: 252 seconds]
08:48 < debian911_> dazo: what do i need to pass for 3)
08:48 < HardDisk_WP> macsppadic, yeah... i mean, .1 (br0) is the gateway for the eth_lan machines
08:48 < dazo> pastbin results of iptables -nvxL FORWARD
08:49 < HardDisk_WP> all of them have set 172.16.0.1 as their gateway
08:49 < macsppadic> ok 
08:49 < dazo> debian911_:  and for 2) ... pastebin route -n  on both server and client when you're connected
08:49 < macsppadic> and u can ping the gateway fine after connecting in 
08:49 < HardDisk_WP> Yep
08:51 -!- APTX is now known as APTX_
08:51 < debian911_> dazo: for 2) on windows route -n errors out
08:51 < dazo> debian911_:  ahh .. .I forgot .... route pritn
08:51 < dazo> *print
08:51 < debian911_> kk dc;ing
08:51 -!- APTX_ [~APTX@phpBB/developer/APTX] has quit [Quit: Farewell]
08:51 < debian911_> brb
08:52 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
08:52 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
08:52 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
08:54 -!- cwillu_at_work [~cwillu@cwillu.com] has joined ##openvpn
08:56 -!- debian911 [~79d7b293@gateway/web/freenode/x-asqmgfyhbljbqfeu] has joined ##openvpn
08:57 < debian911> dazo: 3) http://pastebin.com/pxgUA1cM 2) Client: http://pastebin.com/eViTp4Li     Server: http://pastebin.com/jQSqSJEy
08:58 < debian911> dazo: lets hope that does somehting
08:58 -!- debian911_ [~79d7b293@gateway/web/freenode/x-rgnmapoiwbnsuscp] has quit [Ping timeout: 252 seconds]
08:58 -!- BuGo_laptop [~anonymous@78-59-31-26.static.zebra.lt] has joined ##openvpn
08:58 < BuGo_laptop> !welcome 
08:58 < vpnHelper> BuGo_laptop: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:59 < BuGo_laptop> !goal
08:59 < vpnHelper> BuGo_laptop: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:59 < dazo> gah ... how I dislike windows route print ....
08:59 < reiffert> :)
09:00 < dazo> debian911:            0.0.0.0          0.0.0.0      192.168.2.1     192.168.2.73     30 .... this route do not put anything via the tunnel
09:00 < dazo> debian911:  do you use redirect-gateway with def1 now?
09:00 < dazo> if so, try without ... and see if this route changes
09:01 < BuGo_laptop> i have network that is 192.168.0.0/24 and i want to connect to network that is 192.168.0.0/24 (yes i know this is shit but still). How do i take 192.168.0.27 address from the LAN behind VPN and the rest from my local LAN
09:01 -!- insane^ [~jg@pizza.internetx.de] has joined ##openvpn
09:03 < debian911> dazo: server config - http://pastebin.com/uJ9WXR7L          client config - http://pastebin.com/UP0sjLJ2
09:03 < debian911> dazo: u askin me to change client or server side
09:03 < dazo> that's fine .... that's a good change .... now, try to use redirect-gateway without any arguments
09:03 < dazo> in the client config
09:04 < dazo> debian911:  but!
09:04 < reiffert> dazo: 
09:04 < debian911> but?
09:04 < dazo> you did not remove push "redirect-gateway" from the server config .... or is it the old configs?
09:04 < reiffert> "i have network that is 192.168.0.0/24 and i want to connect to network that is 192.168.0.0/24 "
09:04 < debian911> dazo: thy are most recent configs
09:05 < debian911> dazo: to confirm i am removing def1 from client and 
09:05 -!- mape2k [~mape2k@l208.fem.tu-ilmenau.de] has joined ##openvpn
09:05 < dazo> push "redirect-gateway" (from server config) wil conflict with  redirect-gateway def1  in client config
09:05 < debian911> server side I am removing - push "redirect-gateway"
09:05 < dazo> yes, correct!
09:05 < debian911> dazo: ok
09:05 < reiffert> dazo: oh forget my comment, I mixed it up.
09:05 < debian911> once again brb
09:05 < debian911> sigh need another pc
09:08 -!- BuGo_laptop [~anonymous@78-59-31-26.static.zebra.lt] has quit [Ping timeout: 248 seconds]
09:09 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
09:12 -!- debian911 [~79d7b293@gateway/web/freenode/x-asqmgfyhbljbqfeu] has quit [Ping timeout: 252 seconds]
09:13 -!- debian911 [~79d7b293@gateway/web/freenode/x-uldhcaiksmkjnxjw] has joined ##openvpn
09:14 < debian911> dazo: Once again. 3) http://pastebin.com/f1iR2zyX          2) Client - http://pastebin.com/SPA11aQG         Server - http://pastebin.com/kXzBZF1g
09:14 < debian911> dazo: This is doin my head in lol
09:14 < debian911> dazo: I thght we had it that time, cause a Windows found new network thing came up - like add to Home/Work/Public
09:14 < debian911> dazo: so I guess thats progression?
09:15 < dazo>       0.0.0.0          0.0.0.0         10.8.0.5         10.8.0.6     31
09:15 < dazo> that looks better
09:15 < dazo> that looks correct even
09:15 < debian911> awesome
09:15 < debian911> but no internet
09:15 < debian911> still
09:15 < dazo> debian911:  now it is a windows issue .... could it be windows firewall blocking things now?
09:15 < debian911> dazo: should we be worried my 3) is blank?
09:16 < debian911> dazo: aka no iptables shizzle?
09:16 < macsppadic> hey ther SandGorgon 
09:16 < dazo> debian911:  default policy is ACCEPT ... so you don't block anything there
09:16 < debian911> dazo: rite, well i can turn windows firewall off and give it ago
09:16 < debian911> any last things
09:16 < debian911> before I dc again 
09:17 < dazo> debian911:  it's definitely something to do with Windows now
09:17 < debian911> dazo: like to try a couple things if u have anythin else up ur sleeze?
09:17 < SandGorgon> macsppadic, ??
09:17 < debian911> dazo: kk
09:17 < dazo> and I'm not a windows expert at all
09:17 < debian911> dazo: guess brb
09:18 < macsppadic> sorry SandGorgon hit tab complete n enter n wrong name 
09:18 < macsppadic> apologies
09:20 -!- nvme [~nvme@65.213.1.61] has joined ##openvpn
09:21 -!- nvme [~nvme@65.213.1.61] has quit [Remote host closed the connection]
09:22 -!- debian911 [~79d7b293@gateway/web/freenode/x-uldhcaiksmkjnxjw] has quit [Ping timeout: 252 seconds]
09:26 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
09:30 -!- SandGorgon [~OmNomNomO@122.160.41.129] has quit [Ping timeout: 276 seconds]
09:30 < HardDisk_WP> macsppadic, uh, in bridged mode what do I have to change to use one central DHCP server?
09:30 < HardDisk_WP> I mean, for now it is so that eth_lan runs a dhcpd, and openvpn gets served by its own dhcpd
09:32 -!- debian911 [~79d7b293@gateway/web/freenode/x-aeqdvxtrlupdgvpm] has joined ##openvpn
09:32 < debian911> dazo: right so, fws turned off - connecting to openvpn successful, getting gateway and shit now
09:32 < debian911> but its not taking on servers IP
09:33 < debian911> whn i do ipchicken and alike
09:33 < debian911> dazo macsppadic: dont know if we've gone backwards or forward
09:33 < dazo> dazo:  forward ... but you seem to have a windows issue .... you said you were running windows7?
09:34 < debian911> dazo: Windows 7 64bit yes
09:34 < debian911> dazo: but wouldnt it not takin on servers IP to do somethin with iptables?
09:34 < debian911> do you need logs/routes again (sigh haha0
09:35 < dazo> debian911: probably not right now ... because windows obviously don't route your stuff via the tunnel ... that's why this is no longer a openvpn issue, really ... you have the correct route ... you can ping VPN server and client from the other side ....
09:36 < dazo> and when you get the wrong IP when you do your tests .... that shows that Win7 don't respect the routing table .... for some odd reasons
09:36 < debian911> i wish i had an xp box here
09:36 < debian911> or something
09:36 < debian911> is there anyway to confirm this?
09:37 < dazo> I'm sorry, but *I* cannot help you further now .... maybe somebody else here on the channel have some Windows hints ... or try the openvpn-users mailing list
09:39 < debian911> dazo: well thanks for your time and effort mate
09:39 < debian911> much appreicated
09:39 < dazo> debian911:  sure, you're welcome :)
09:45 -!- theDoc [~jaki@unaffiliated/thedoc] has left ##openvpn ["Leaving"]
09:47 -!- MacVirus [~VirusTB@ip-145-93-223-92.fontys.nl] has quit [Quit: MacVirus]
09:54 < macsppadic> HardDisk_WP:  sorry not sure what u mean there 
09:54 < HardDisk_WP> normally in server-bridge you give a start and end range of ips for ovpn to give out to clients
09:54 < HardDisk_WP> so ovpn acts as a dhcpd to clients
09:55 < HardDisk_WP> what do I have to do to make ovpn simply pass through dhcp traffic?
09:55 -!- joh_ is now known as joh
09:58 < macsppadic> HardDisk_WP: When redirect-gateway is used, OpenVPN clients will route DNS queries through the VPN, and the VPN server will need handle them. This can be accomplished by pushing a DNS server address to connecting clients which will replace their normal DNS server settings during the time that the VPN is active.
09:58 < HardDisk_WP> i'm not after DNS
09:58 < HardDisk_WP> i'm after DHCP
09:58 < macsppadic> aargh!
09:58 < macsppadic> remember its friday 
09:58  * macsppadic has lost the plot 
10:00 -!- nvme [nvme@65.213.1.61] has joined ##openvpn
10:00 < nvme> can someone link me to a good guide for setting up a openvpn server on win2k3 server?
10:01 -!- powers [~bab@208.73.74.90] has joined ##openvpn
10:02 < powers> can someone pleas help me, why did I get this error  " Linux route add command failed: external program exited with error status: 7"     http://pastebin.com/BnGtAaK1
10:03 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
10:15 < HardDisk_WP> !dhcp-option
10:15 < vpnHelper> HardDisk_WP: Error: "dhcp-option" is not a valid command.
10:15 < HardDisk_WP> !dhcp-options
10:15 < vpnHelper> HardDisk_WP: Error: "dhcp-options" is not a valid command.
10:20 -!- takamichi [~pri@78.133.36.225] has quit [Ping timeout: 256 seconds]
10:20 -!- takamichi [~pri@78.133.36.225] has joined ##openvpn
10:23 < powers> <HardDisk_WP> where do you see dhcp-option
10:23 < HardDisk_WP> ah nothin, came from a /query
10:24 < macsppadic> powers: did u get that route issue sorted?
10:26 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
10:29 < powers> no i have no idea why I am getting "Linux route add command failed: external program exited with error status: 7"
10:30 < powers> The routes should be added because they are set up as push "redirect-gateway"  on the server, but they are getting a error when trying to run on the client
10:30 < powers> it gets even stranger, after everything finishes I can cut and pate the route info into a new shell and it runs properly and all my traffic routs as it should
10:32 -!- nvme [nvme@65.213.1.61] has quit [Quit: Leaving]
10:36 < macsppadic> odd
10:36 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
10:44 -!- mape2k [~mape2k@l208.fem.tu-ilmenau.de] has quit [Ping timeout: 258 seconds]
10:49 < powers> so I have everybody stumped ?
10:55 < rob0> With the bits you provided, of course. Configs and general information about what you were doing were omitted. You need magicians, not technicians, to do your troubleshooting.
10:55 < rob0> One thing I can suggest:
10:55 < rob0> !def1
10:55 < vpnHelper> rob0: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
10:59 -!- goog1jh [googijh@my.barbie.wears.no-panties.org] has quit [Read error: Operation timed out]
11:01 < powers> rob0 I did try def1 before, but as I remember it did not work when I tried it.  I will have to disconnect to try it
11:06 -!- powers [~bab@208.73.74.90] has quit [Ping timeout: 248 seconds]
11:12 -!- debian911 [~79d7b293@gateway/web/freenode/x-aeqdvxtrlupdgvpm] has quit [Ping timeout: 252 seconds]
11:20 -!- powers [~bab@CH-Boston.tch.harvard.edu] has joined ##openvpn
11:30 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Quit: I am off]
11:30 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
11:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
11:41 -!- Blues-Man [~bluesman@host198-119-dynamic.32-79-r.retail.telecomitalia.it] has joined ##openvpn
11:45 -!- gorkhaan [~gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
12:06 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 260 seconds]
12:08 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has joined ##openvpn
12:12 -!- powers [~bab@CH-Boston.tch.harvard.edu] has quit [Ping timeout: 248 seconds]
12:14 -!- powers [~bab@208.73.74.90] has joined ##openvpn
12:16 < powers> Ok I am back, when I connect with "push "redirect-gateway def1"" on the server traffic is not router over the vpn  when when I use "push "redirect-gateway"" it is routed over the vpn but the routes are not put in properly, but everything works when they are added by hand http://pastebin.com/BnGtAaK1 
12:17 -!- Blues-Man [~bluesman@host198-119-dynamic.32-79-r.retail.telecomitalia.it] has quit [Quit: Sto andando via]
12:23 -!- Error404NotFound [~Eror404@119.153.65.177] has joined ##openvpn
12:23 -!- Error404NotFound [~Eror404@119.153.65.177] has quit [Changing host]
12:23 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
12:25 < agagag> !route
12:25 < vpnHelper> agagag: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:27 < agagag> the vpn server is also vserver host, one of the clients is a vserver guest. I can ping it from other vpn clients but i cannot ping back 
12:27 -!- caution [~caution@unaffiliated/caution] has joined ##openvpn
12:27 < powers> <agagag> is that "!route for me?
12:28 < agagag> powers: no for me 
12:28 < agagag> :)
12:35 < powers> added in the client and server config's  http://pastebin.com/tM6pYnAk   I would also like to note that there is a isc-dhcp server handing out addresses to the clients, I just need to figure out why I am getting the route added error 
12:41 -!- dazo is now known as dazo_afk
12:52 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
12:57 -!- powers [~bab@208.73.74.90] has quit [Ping timeout: 260 seconds]
12:58 -!- powers [~bab@208.73.74.90] has joined ##openvpn
13:11 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
13:16 < powers> blaha
13:16 -!- powers [~bab@208.73.74.90] has quit [Quit: Leaving]
13:17 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
13:27 -!- SandGorgon [~OmNomNomO@122.162.122.87] has joined ##openvpn
13:35 -!- daguz [~leo@208-1-63-34.celito.net] has joined ##openvpn
13:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
13:40 -!- dug` [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
13:43 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Ping timeout: 276 seconds]
13:52 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:53 -!- rajin [~a@port-3073.pppoe.wtnet.de] has joined ##openvpn
14:01 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Quit: Leaving]
14:01 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
14:10 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 265 seconds]
14:12 -!- SandGorgon [~OmNomNomO@122.162.122.87] has quit [Ping timeout: 264 seconds]
14:17 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
14:26 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
14:38 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined ##openvpn
14:38 < grendal_prime> can i run multible ciphers on one box?
14:38 -!- caution [~caution@unaffiliated/caution] has quit [Ping timeout: 245 seconds]
14:40 -!- jmm_ [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Read error: Operation timed out]
14:40 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
14:43 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
15:02 < grendal_prime> ok im running multiple ciphers on my openvpn server...how can i see what cypher a client connected with?
15:10 -!- dollabill [~mike@97.66.26.10] has quit []
15:15 -!- dauergast [~sag@p5B3EC480.dip.t-dialin.net] has joined ##openvpn
15:15 -!- seph_ [~seph_@74-94-185-249-NewEngland.hfc.comcastbusiness.net] has joined ##openvpn
15:16 < seph_> !welcome
15:16 < vpnHelper> seph_: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:17 < dauergast> !redirect
15:17 < vpnHelper> dauergast: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
15:18 < seph_> Hi all, I'm trying to generate various iptables rules on a per client basis. It looks like one way I could do this is by using a learn-address. But that doesn't seem to get called on a client disconnect. It seems like it should, am I misreading the docs?
15:19 < seph_> I'm also not sure how disconnects should work. I'm using tunnelblick as a client, and when it disconnects the server doesn't seem to notice. It'll eventually notice when enough pings time out, but not before. Is there supposed to be another mechanism?
15:20 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
15:21 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
15:22 -!- dug` [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Ping timeout: 264 seconds]
15:23 -!- le0 [~tehle0@unaffiliated/le0] has quit [Read error: Connection timed out]
15:25 < grendal_prime> is it possible two run two ciphers?
15:32 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: Connection reset by peer]
15:32 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
15:32 -!- mode/##openvpn [+v Kas] by ChanServ
15:33 -!- rajin [~a@port-3073.pppoe.wtnet.de] has quit [Ping timeout: 256 seconds]
15:34 -!- patrick1 [~patrick@84-74-143-70.dclient.hispeed.ch] has joined ##openvpn
15:34 < patrick1> hello
15:35 < grendal_prime> hey
15:35 < grendal_prime> do you know if its possible to run two ciphers on the same instance of openvpn?
15:37 < patrick1> no, i have a question  ;)
15:42 < patrick1> !welcome
15:42 < vpnHelper> patrick1: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:43 < patrick1> anyone here?
16:00 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
16:02 -!- dauergast [~sag@p5B3EC480.dip.t-dialin.net] has quit [Ping timeout: 260 seconds]
16:06 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
16:10 -!- p3rror [~Ali@anonymous-196-206-81-211.broker.freenet6.net] has quit [Read error: Operation timed out]
16:14 < agagag> !iporder
16:15 < vpnHelper> agagag: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
16:15 < agagag> !redirect
16:15 < vpnHelper> agagag: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
16:25 -!- p3rror [~Ali@2001:5c0:1000:b::5701] has joined ##openvpn
16:30 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
16:54 -!- patrick1 [~patrick@84-74-143-70.dclient.hispeed.ch] has quit []
17:05 -!- seph_ [~seph_@74-94-185-249-NewEngland.hfc.comcastbusiness.net] has quit [Quit: seph_]
17:06 -!- AntoineBk [~Antoine@188.165.75.17] has quit [Read error: Operation timed out]
17:11 -!- Eric02 [Eric@93.157.173.228] has joined ##openvpn
17:11 < Eric02> !welcome
17:11 < vpnHelper> Eric02: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:12 < Eric02> hello
17:12 < Eric02> My question is
17:13 < Eric02> i have configured openvpn successfully and working perfectly.
17:13 < Eric02> my vpn service provider provided me 4 extra ips
17:13 < Eric02> how can i add them to openvpn as alias ?
17:13 < Eric02> never used alias before, i want to chain all my 4 addition ips to work like my 1st ip which i am using now.
17:14 < Eric02> i think it will be something like this: Ifconfig ethx:1 <ip> <mask>
17:14 < Eric02> but i am not sure if i should write " Ifconfig ethx:1 <ip> <mask> " in openvpn.conf
17:14 < Eric02> or somewhere else
17:15 < Eric02> please guide me :)
17:15 -!- AntoineBk [~Antoine@188.165.75.17] has joined ##openvpn
17:37 < Eric02> waste of time :)
17:37 -!- Eric02 [Eric@93.157.173.228] has quit []
18:04 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Quit: Ex-Chat]
18:13 -!- gorkhaan [~gorkhaan@adsl-101-16.globonet.hu] has quit [Quit: Távozom]
18:16 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
18:21 -!- leo__ [~leo@190.42.126.145] has joined ##openvpn
18:22 < leo__> Hi friends
18:23 < leo__> Someone tell me, why, internet is disconnected when the tunnel is open? 
18:26 < leo__> How I make that the tunnel is open and not lose the internet connection
18:34 < leo__> somebody can help me?
19:14 -!- leo__ [~leo@190.42.126.145] has quit [Ping timeout: 264 seconds]
19:17 -!- leo__ [~leo@190.42.126.145] has joined ##openvpn
19:18 -!- leo__ [~leo@190.42.126.145] has quit [Client Quit]
19:19 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
19:22 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
19:40 -!- corretico_ [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
19:50 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
20:31 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
20:37 -!- Gnewt [~hackerlet@2001:470:1f05:c28::deaf:1] has quit [Quit: leaving]
20:53 < Bushmills> with or without redirect-gateway in config?
21:27 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
21:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 248 seconds]
21:40 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
22:17 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 260 seconds]
22:26 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
22:38 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
23:38 < krzee> !static
23:38 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
23:41 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
23:53 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
23:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
23:59 < rob0> "static" is what you get when you rub a balloon on carpet. :)
--- Day changed Sat Mar 13 2010
01:07 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 276 seconds]
01:08 -!- Blu3 [~David@BlueLabs/Blu3] has quit [Excess Flood]
01:09 -!- Blu3 [~David@FirefighterBlu3-2-pt.tunnel.tserv15.lax1.ipv6.he.net] has joined ##openvpn
01:09 -!- Blu3 [~David@FirefighterBlu3-2-pt.tunnel.tserv15.lax1.ipv6.he.net] has quit [Changing host]
01:09 -!- Blu3 [~David@BlueLabs/Blu3] has joined ##openvpn
01:14 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
01:23 < Bushmills> why does my radio care about balloons?
01:58 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
02:09 -!- p3rror [~Ali@2001:5c0:1000:b::5701] has quit [Read error: Operation timed out]
02:23 -!- p3rror [~Ali@2001:c08:3700:ffff::5c6f] has joined ##openvpn
02:43 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
02:50 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
02:52 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
03:11 -!- master_of_master [~master_of@p57B56A7E.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
03:12 -!- master_of_master [~master_of@p57B54412.dip.t-dialin.net] has joined ##openvpn
03:22 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
03:57 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
04:39 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
04:55 -!- xod [~onats@112.201.158.40] has joined ##openvpn
05:40 -!- takamichi [~pri@78.133.36.225] has quit [Ping timeout: 268 seconds]
05:40 -!- takamichi [~pri@213.163.66.192] has joined ##openvpn
06:24 -!- xod [~onats@112.201.158.40] has quit [Remote host closed the connection]
07:02 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:09 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 260 seconds]
07:25 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
07:59 -!- Blu3 [~David@BlueLabs/Blu3] has quit [Excess Flood]
08:02 -!- Blu3 [~David@FirefighterBlu3-2-pt.tunnel.tserv15.lax1.ipv6.he.net] has joined ##openvpn
08:02 -!- Blu3 [~David@FirefighterBlu3-2-pt.tunnel.tserv15.lax1.ipv6.he.net] has quit [Changing host]
08:02 -!- Blu3 [~David@BlueLabs/Blu3] has joined ##openvpn
08:28 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
08:32 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Remote host closed the connection]
08:33 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
09:31 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
09:33 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 260 seconds]
09:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:41 -!- tompaw [~tompaw@slave20.tesserakt.eu] has left ##openvpn []
09:48 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
10:07 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
10:07 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:16 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
10:43 -!- Dougy [~me@ool-435033e6.dyn.optonline.net] has joined ##openvpn
10:43 < Dougy> krzee you around
10:50 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 268 seconds]
11:44 -!- SandGorgon [~OmNomNomO@122.162.128.223] has joined ##openvpn
11:57 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
12:05 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 265 seconds]
12:19 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
12:20 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
12:44 -!- robin__ [robin@hp1.jaketus.net] has joined ##openvpn
12:44 < robin__> meh
12:44 < robin__> I have to clients behind the same router
12:44 < robin__> on the other one speedtest.net says about 1/1M
12:44 < robin__> on the other it says 8/1
12:45 < robin__> which is the speed of my internet
12:45 -!- robin__ is now known as rkantos_UK
12:50 < rkantos_UK> how can I get a new ip for the same client?
13:12 -!- roe [~roe___@216-164-215-125.c3-0.eas-ubr15.atw-eas.pa.cable.rcn.com] has quit [Ping timeout: 276 seconds]
13:24 -!- roe [~roe___@207-172-35-242.c3-0.eas-ubr15.atw-eas.pa.cable.rcn.com] has joined ##openvpn
13:24 -!- roe is now known as Guest62928
13:45 -!- Guest62928 [~roe___@207-172-35-242.c3-0.eas-ubr15.atw-eas.pa.cable.rcn.com] has quit [Ping timeout: 245 seconds]
13:54 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
14:08 < krzee> Dougy, wassup
14:19 -!- dug` [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
14:21 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Ping timeout: 256 seconds]
14:25 < Dougy> hey krzee
14:25 < Dougy> how many legs does a black rooster have
14:27 < krzee> 2
14:28 < krzee> and 2 eyes
14:28 < krzee> 2 wings
14:29 < Dougy> hm
14:29 < Dougy> have you heard the joke?
14:30 < krzee> ya but the white cats i play with are bald
14:30 < Dougy> :(
14:30 < krzee> although this weekend the cat is iraqi
14:35 < Dougy> http://my.opera.com/d.i.z./blog/2009/04/22/watch-fullscreen-flash-while-working-on-another-screen
14:35 < vpnHelper> Title: Rafal - Watch fullscreen flash while working on another screen (at my.opera.com)
14:35 < Dougy> its about damn time i found that
14:48 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Ping timeout: 264 seconds]
15:12 -!- p3rror [~Ali@2001:c08:3700:ffff::5c6f] has quit [Read error: Operation timed out]
15:30 -!- MatBoy [~MatBoy@wiljewelwetenhe.xs4all.nl] has joined ##openvpn
15:30 < MatBoy> hi guys !
15:36 < krzee> heyhey
15:39 < MatBoy> hi !
15:40 < MatBoy> I'm thinking about a webbased openvpn manager where users can setup their own users
15:40 < krzee> where admins can manage users i hope you mean
15:41 < krzee> ;]
15:41 < MatBoy> yes, but an admin can have a superadmin
15:41 < MatBoy> I wonder if something like it already exist
15:41 < krzee> negative
15:42 < krzee> but maybe here is something to start with
15:42 < MatBoy> I already thought so
15:42 < krzee> !factoids search
15:42 < vpnHelper> krzee: (factoids search [<channel>] [--values] [--{regexp} <value>] [<glob> ...]) -- Searches the keyspace for keys matching <glob>. If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
15:42 < MatBoy> I need some secure shares people can manage their onw
15:42 < krzee> !factoids search --values web
15:42 < vpnHelper> krzee: 'pastebin', 'pfsense', 'webgui', 'paste', and 'nopaste'
15:42 < krzee> !webgui
15:42 < vpnHelper> krzee: "webgui" is http://openvpn-web-gui.sourceforge.net/ if you have tried this please give us feedback
15:42 < MatBoy> ah
15:42 < MatBoy> I was already googeling there
15:43 < MatBoy> `no, searching ;)
15:43 < krzee> hrmmz there was another
15:43 < krzee> i wonder what it was
15:43 < krzee> !factoids search --values sourceforge
15:43 < vpnHelper> krzee: 'mail', 'tls-cipher', 'mactuntap', 'webgui', 'dev', 'sudowin', 'pptp', and 'win_tcplimit'
15:44 < krzee> hrm i guess i didnt link it
15:44 < MatBoy> keej, maybe you find it some other time ?
15:44 < MatBoy> but this is good, PHP based :D
15:45 < krzee> http://sourceforge.net/projects/openvpn-status/
15:45 < vpnHelper> Title: OpenVPN-Status | Get OpenVPN-Status at SourceForge.net (at sourceforge.net)
15:45 < |Mike|> good and php based doesn't fit in 1 sentence imho.
15:45 < krzee> !factoids learn webgui as http://sourceforge.net/projects/openvpn-status/  also pls let us know if you use that
15:45 < vpnHelper> krzee: Joo got it.
15:45 < krzee> |Mike|, why not? theres plenty of good php stuff
15:46  * |Mike| did PCI stuff last weeks :$
15:46 < krzee> php by itself isnt bad, its just that coders often make insecure stuff when they use php
15:46 < MatBoy> |Mike|: BS, most large sites are based on PHP moslty
15:46 < MatBoy> *mostly
15:46 < MatBoy> indeed
15:46 < krzee> and admins often dont lock their php installs down well
15:46 < |Mike|> krzee: indeed!
15:46 < MatBoy> an ubuntu install with PHP is already damn secure
15:46 < |Mike|> lawl.
15:46 < krzee> but it isnt php's fault
15:47 < MatBoy> nope
15:47 < MatBoy> just everyone can use it
15:47 < MatBoy> that is the issue
15:48 < MatBoy> I just ad a client that let a portal develop... and they used "ajax" damn javascript and PHP and all paths are visible, bad user checks and so on
15:48 < |Mike|> and apache with ETago n ? ;)
15:49 < krzee> anyways, those are the web gui's i know it
15:49 < krzee> err
15:49 < krzee> know of
15:49  * |Mike| shuts krzee of ;)
15:50 < MatBoy> krzee: thanks !
15:50 < krzee> np
15:51 < MatBoy> I only hate smarty so I need to rip that out :)
15:55 < MatBoy> krzee: do you also know a decent way to make your own client ?
15:55 < MatBoy> I mean, a user doesn't want to have some too advanched client that he doesn't understand
15:55 < Dougy> ROFL
15:56 < Dougy> <@Steven> to this day
15:56 < Dougy> <@Steven> its been 5 months almost
15:56 < Dougy> <@Steven> i still pee
15:56 < Dougy> <@Steven> out the bottom of my dick
15:56 < Dougy> <@Steven> and the front
15:56 < Dougy> <@Steven> at the same time
15:56 < krzee> MatBoy, i see no reason for a webgui
15:57 < krzee> but you would interact with openvpn's management interface
15:57 < |Mike|> Dougy: you pervert!
15:59 < |Mike|> http://www.linkedin.com/pub/douglas-haber/10/777/3aa
15:59 < vpnHelper> Title: Douglas Haber - LinkedIn (at www.linkedin.com)
15:59 < |Mike|> Dougy: that you ? :p
15:59 < MatBoy> krzee: example, I can have a admin that can setup max 5 users and limit them in usage
15:59 < krzee> MatBoy, it doesnt exist, feel free to go for it, i cant help with that
16:00 < MatBoy> krzee: I'm going for it, using your examples :) thanks :)
16:00 < krzee> np
16:00 < MatBoy> wtf, my housemates are going crazy
16:00 < krzee> if you release something, pls let us know ;]
16:01 < MatBoy> yeah, build it into a existing panel I think... so need to see if I can make it seperate
16:02 < Dougy> |Mike| no
16:02 < krzee> nah hes younger than that mike
16:02 < Dougy> http://www.linkedin.com/in/dhaber
16:02 < vpnHelper> Title: Douglas Haber - LinkedIn (at www.linkedin.com)
16:02 < Dougy> thats me
16:03 < |Mike|> okay
16:04 < |Mike|> groups as webhostingtalk, cpanel.... make me puke :p
16:04 < Dougy> Lol
16:04 < Dougy> well
16:04 < Dougy> puke that way ---->
16:04 < Dougy> cuz im over here <---
16:04 < krzee> on my screen those almost line up to where you are pointing to the same place from other directions
16:04 < krzee> so he'll score a direct hit
16:04 < Dougy> sorry
16:04 < Dougy> puke that way ----------------------------------------------------------->
16:04 < |Mike|> :D
16:04 < Dougy> cuz im over here <---
16:05 < krzee> too late, direct hit!
16:05 < Dougy> ive been puked on so many times now
16:05 < Dougy> im used to it
16:05 < krzee> stop getting girls that drunk before you try to take them home
16:05 < Dougy> dude i wish that was it LOL
16:05 < |Mike|> to the smell or to the temp of it ? ;)
16:05 < Dougy> every time i've ever gone on a field trip from school
16:05 < Dougy> literally
16:05 < Dougy> every time
16:05 < Dougy> i get puked on
16:06 < Dougy> Wind: From ENE at 25mph gusting to 42mph
16:06 < Dougy> gah
16:06 < Dougy> i dont want to go drive
16:17 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
16:33 -!- testbuild [~rooot@ool-ad03acce.dyn.optonline.net] has joined ##openvpn
16:34 < testbuild> how can i test connectivity to my server locally?
16:34 < |Mike|> mtr
16:34 < testbuild> errr remotely, but locally.
16:41 -!- dug` [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Quit: Quitte]
16:49 < krzee> ping the vpn ip over the vpn...?
16:49 -!- Dougy [~me@ool-435033e6.dyn.optonline.net] has quit []
16:58 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
16:59 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
16:59 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
16:59 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
17:04 -!- duende [corey@142.162.167.25] has joined ##openvpn
17:04 < duende> !welcome
17:04 < vpnHelper> duende: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:05 < krzee> start with !goal
17:05 < duende> tmx
17:05 < duende> tnx
17:05 < duende> !goal
17:05 < vpnHelper> duende: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:05 < duende> !route
17:05 < vpnHelper> duende: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:07 < duende> goal:  I have an active OpenVPN connection, but, I want to bypass it when connecting to a speciifc IP address.  Running Windows 7.
17:11 < duende> !redirect
17:11 < vpnHelper> duende: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:11 < krzee> duende, make a route to access that ip over your normal INET route
17:11 < duende> that's what i'm trying to figure out how to do
17:12 < krzee> from within openvpn or using your normal windows route command?
17:12 < duende> i would assume i would have to do it through Windows route command
17:12 < krzee> ok
17:12 < krzee> !interface
17:12 < vpnHelper> krzee: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
17:13 < krzee> just give me ipconfig/all on that win box
17:13 < krzee> when connected to the vpn
17:13 < krzee> and then tell me the IP you wanna bypass
17:13 < duende> k, one sec.  pastebin i'm assuming?
17:13 < krzee> yes
17:14 < krzee> just to verify... you are redirecting all inet over the vpn, but youd like a specific address to NOT go over the vpn
17:14 < krzee> correct
17:14 < krzee> ?
17:14 < duende> that is correct
17:14 < krzee> cool
17:15 < krzee> also, is the computer a desktop or laptop (asked to know if you will be on random networks or not)
17:15 < duende> it is a laptop, but, its not moving anywhere.  Its acting as a media center connected to my tv
17:15 < rob0> Of, if the computer has Alzheimer's, every network it sees is random.
17:16 < krzee> well i can do it 2 ways...
17:16 < rob0> *or
17:16 < krzee> 1 is windows way, add a permanent route
17:16 < krzee> 2 is openvpn way, will figure out what to do as needed
17:16 < krzee> (when connecting)
17:16 < krzee> both will work
17:16 < duende> http://pastebin.com/ywfV5fpg
17:17 < duende> ip connecting to:  209.197.15.238
17:17 < krzee> there is no text in that pastebin
17:17 < duende> yeah, i just noticed that
17:18 < duende> weird
17:18 < rob0> I ate it.
17:18 < duende> http://pastebin.com/ADKGdAj3
17:18 < duende> try that one :)
17:19 < krzee> err
17:19 < duende> the ip is an ip on my local ISP that you can only connect to if you're coming from inside their network
17:19 < krzee> gimme netstat -rn
17:21 < duende> http://pastebin.com/8UkG3HCQ
17:21 < krzee> ok
17:21 < krzee> whats the ip you wanna bypass vpn for?
17:21 < duende> ip connecting to:  209.197.15.238
17:22 < krzee> route -p add 209.197.15.238 192.168.1.1
17:22 < krzee> according to this:
17:22 < krzee> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/route.mspx?mfr=true
17:22 < vpnHelper> Title: Microsoft Windows XP - Route (at www.microsoft.com)
17:22 < krzee> however
17:23 < krzee> in client config, this would work:   route 209.197.15.238 net_gateway
17:23 < duende> oh, nice
17:23 < krzee> assuming net_gateway is supported in windows
17:24 < krzee> the manual says its not supported by all of them
17:24 < duende> let me try it
17:24 < krzee> (all OSs)
17:24 < duende> how do i remove that last route?
17:24 < krzee> read it on the link above
17:24 < duende> Good point :)
17:24 < krzee> (i gave the link so you could learn what i typed) ;]
17:24 < duende> seriously though, I should know this stuff
17:24 < duende> hah
17:25 < krzee> just parroting it into the cmd is 1 thing, learning it is another =]
17:25 < krzee> aim for the second
17:25 < duende> I did mcse :(
17:25 < duende> but, its been 5 years since i used any of the stuff, and if you don't use it, you lose it
17:25 < krzee> almost every mcse i met didnt know much about networking
17:26 < duende> there you go
17:26 < krzee> or computers in general
17:26 < krzee> (not a shot at you whatsoever)
17:26 < krzee> just something i have observed over the years
17:26 < duende> No, i understand.  I'm good with computers, just some things I haven't messed with much
17:26 < duende> I'm not a booksmart person, I did it cause i love it
17:26 < krzee> werd, same with me, lots i cant do yet
17:27 < duende> A lot of people did mcse who never touched computers before, but thought there was money in it
17:33 < MatBoy> ok, my target is also to build my own client :)
17:34 < duende> krzee: doesn't appear the line for the openvpn config file works in my install, but, the command line route you gave me works perfect
17:40 < duende> krzee: Thank you very much for your help, it works like a charm.  Now i can leave my vpn on full time on my htnb
17:44 < krzee> np =]
17:49 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
18:02 -!- p3rror [~Ali@anonymous-196-206-73-95.broker.freenet6.net] has joined ##openvpn
18:04 -!- cwillu_at_work [~cwillu@cwillu.com] has quit [Ping timeout: 260 seconds]
18:08 -!- chester [~bla@did75-16-88-162-137-34.fbx.proxad.net] has quit []
18:27 -!- billub [~billub@c-24-6-49-149.hsd1.ca.comcast.net] has joined ##openvpn
18:27 < billub> hi anyone tried compiling openvpn with mingw32 ? 
18:28 < billub> on windows ? 
18:28 < reiffert> lots of people do. check the mailing lists for recent attempts.
18:28 < billub> reiffert: ok, i searched already, but will search again
18:29 < billub> basically i could compile openssl, lzo etc.
18:29 < reiffert> openvpn-devel IIRC.
18:29 < billub> and using the batch file included in the source, for compilation, i think the batch file is poorly written
18:30 < billub> i am on the openvpn-dev, not many people there
18:30 < billub> are u a system admin ? 
18:32 < reiffert> I could swear that there are recent posts on openvpn-devel from the last three months regarding building openvpn with mingw.
18:33 < billub> ok
18:33 < billub> you mean openvpn-dev correct ? 
18:33 < billub> wait i got it
18:33 < reiffert> openvpn-devel.
18:33 < billub> yeah i got it
18:34 < reiffert> like e.g. http://sourceforge.net/mailarchive/forum.php?thread_name=783B83D7F51B4A99AF36C4EBE8D8E754%40nw8000&forum_name=openvpn-devel
18:34 < vpnHelper> Title: SourceForge.net: OpenVPN: openvpn-devel (at sourceforge.net)
18:34 < rob0> Yes there were posts, and IIRC no answers, only questions. :)
18:35 < reiffert> rob0: Alon Bar-Lev gave some help.
18:35 < rob0> oh maybe so
18:36 -!- testbuild [~rooot@ool-ad03acce.dyn.optonline.net] has quit [Ping timeout: 264 seconds]
18:38 < krzee> !mail
18:38 < vpnHelper> krzee: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
18:38 < krzee> http://news.gmane.org/gmane.network.openvpn.devel
18:38 < vpnHelper> Title: Gmane Loom (at news.gmane.org)
18:38 < krzee> i like gmane better
18:45 < billub> i am looking for it, thanks guys
18:46 < reiffert> it works well with cygwin btw
18:50 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
18:52 < billub> you mean i need cygwin ? 
18:52 < billub> right now i am using mingw32 without cygwin
18:57 < billub> in case you are fluent with it and have a couple of minutes, can you please help me fix the issue with the batch file ? (it can't see the openssl and lzo files/dir although i manually set the path), - i have everything setup and you can login if its not too much trouble
19:04 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
19:14 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
19:20 -!- duende [corey@142.162.167.25] has left ##openvpn []
19:22 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
19:46 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
20:24 < billub> i couldn't find makefile.w32 which is referenced in windows compile instructions
20:54 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 252 seconds]
20:54 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
21:10 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 240 seconds]
21:51 -!- MacVirus [~VirusTB@thetouch.demon.nl] has joined ##openvpn
21:55 -!- MacVirus [~VirusTB@thetouch.demon.nl] has quit [Client Quit]
21:55 -!- VirusTB [~VirusTB@thetouch.demon.nl] has joined ##openvpn
22:25 -!- Gabe_G23 [~mac-mini@bzflag/player/GabrielG] has joined ##openvpn
22:57 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
23:09 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
23:56 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Ping timeout: 248 seconds]
--- Day changed Sun Mar 14 2010
00:20 -!- VirusTB [~VirusTB@thetouch.demon.nl] has quit [Quit: VirusTB]
00:21 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
00:41 -!- billub1 [~billub@c-24-6-49-149.hsd1.ca.comcast.net] has joined ##openvpn
00:42 -!- billub1 [~billub@c-24-6-49-149.hsd1.ca.comcast.net] has left ##openvpn []
00:44 -!- billub [~billub@c-24-6-49-149.hsd1.ca.comcast.net] has quit [Ping timeout: 248 seconds]
00:44 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
00:50 -!- VirusTB [~VirusTB@thetouch.demon.nl] has joined ##openvpn
00:52 -!- VirusTB [~VirusTB@thetouch.demon.nl] has quit [Client Quit]
00:57 -!- SandGorgon [~OmNomNomO@122.162.128.223] has quit [Ping timeout: 265 seconds]
01:05 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Read error: Connection reset by peer]
01:06 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
01:32 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 248 seconds]
01:40 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Remote host closed the connection]
01:42 -!- takamichi [~pri@213.163.66.192] has quit [Ping timeout: 276 seconds]
01:42 -!- takamichi [~pri@213.163.66.192] has joined ##openvpn
01:46 -!- SandGorgon [~OmNomNomO@122.162.128.223] has joined ##openvpn
03:13 -!- SandGorgon [~OmNomNomO@122.162.128.223] has quit [Ping timeout: 248 seconds]
03:35 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
04:11 -!- master_of_master [~master_of@p57B54412.dip.t-dialin.net] has quit [Ping timeout: 276 seconds]
04:12 -!- master_of_master [~master_of@p57B57EB6.dip.t-dialin.net] has joined ##openvpn
04:15 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
04:28 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
04:34 -!- stephenh [~stephenh@94-23-158-103.kimsufi.com] has quit [Ping timeout: 264 seconds]
04:35 -!- stephenh [~stephenh@94-23-158-103.kimsufi.com] has joined ##openvpn
04:44 -!- SandGorgon [~OmNomNomO@122.162.128.223] has joined ##openvpn
04:56 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
05:24 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 248 seconds]
05:27 -!- SandGorgon [~OmNomNomO@122.162.128.223] has quit [Ping timeout: 258 seconds]
06:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:57 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
07:06 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
07:10 -!- VirusTB [~VirusTB@thetouch.demon.nl] has joined ##openvpn
07:40 -!- VirusTB [~VirusTB@thetouch.demon.nl] has quit [Quit: VirusTB]
07:50 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:08 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
09:25 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 248 seconds]
09:26 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
09:26 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
09:26 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
10:18 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
10:21 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
11:33 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:59 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
12:00 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
12:08 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
12:16 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
12:18 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
13:56 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
13:57 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
13:57 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
13:57 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
14:26 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 268 seconds]
14:26 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
14:27 -!- pflanze [~chris__@69-196-152-229.dsl.teksavvy.com] has joined ##openvpn
14:31 < pflanze> !welcome
14:31 < vpnHelper> pflanze: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:32 < pflanze> !redirect
14:32 < vpnHelper> pflanze: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:32 < pflanze> !howto
14:32 < vpnHelper> pflanze: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:39 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Quit: Quitte]
14:42 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
14:49 < pflanze> Hello. I'd like to route traffic originating *from* a particular local ip (actually the ip of the tun interface) through the vpn (and let it go to the internet on the server through masquerading).
14:50 < pflanze> So the point being, not all traffic, only the traffic I want. 
14:50 < pflanze> Kind of a route only valid for my set of applications.
14:52 < pflanze> And I *think* the cleanest way would be to select the traffic by it's source ip; I can then configure those apps to use that ip for binding or as source ip (or the vserver chbind tool).
14:53 < pflanze> I can only find "Routing all client traffic (including web-traffic) through the VPN" in the howto, which is not selective.
14:55 < hyper_ch> pflanze: ?
14:56 < hyper_ch> but didn't you just say you could router all traffic originating from a given IP through the vpn?
14:57 < pflanze> My question is, how do you say "application X should route through the vpn, all other applications should just use the normal route".
14:57 < pflanze> Or let's be totally specific:
14:57 < pflanze> I've got Ekiga running on my laptop, which is a voip application.
14:58 < pflanze> I want all traffic from Ekiga go through the vpn to my server at home, and from there reach my sip provider unencrypted through my ISP's network.
14:58 < pflanze> But I don't want my http traffic etc take the same route (since my home network is DSL and thus slow).
14:59 < pflanze> How?
14:59 < hyper_ch> [20:52] <pflanze> And I *think* the cleanest way would be to select the traffic by it's source ip; I can then configure those apps to use that ip for binding or as source ip (or the vserver chbind tool). -> so you can route all the traffic for those desired apps through a given proxy or bind it to some other ip?
14:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
14:59 < pflanze> No, I can't so far.
15:00 < pflanze> That's my question.
15:00 < pflanze> What I *can* do is force an application to use a specific source ip for it's traffic.
15:00 < hyper_ch> I don't have a clue what you just mean with the above phrase
15:00 < hyper_ch> if you can force an application to use a specific source ip for its traffic
15:01 < pflanze> Has anyone done what I've asked about in my second attempt?
15:01 < hyper_ch> then you can make that all traffic from that specific source ip go through the vpn
15:01 < pflanze> how?
15:01 < hyper_ch> [21:00] <pflanze> What I *can* do is force an application to use a specific source ip for it's traffic.
15:02 < hyper_ch> I don't know how you force all that traffic of those selected programs to go through a specific source ip
15:02 < hyper_ch> I guess I just don't understand what you mean to say
15:02 < pflanze> Let's say I've got eth0 addr:192.168.1.179, and tun1 addr:192.168.200.5
15:03 < pflanze> Now if some program X opens a tcp connection to 1.2.3.4, the kernel will send a packet with source ip 192.168.1.179 and target ip 1.2.3.4
15:04 < pflanze> it will choose 192.168.1.179 because that's the default network interface.
15:04 < pflanze> Now what I can do is configure X to explicitely use source ip 192.168.200.5 instead,
15:04 < pflanze> so the packet will have source ip 192.168.200.5 and target ip 1.2.3.4
15:05 < pflanze> but that still won't make the packet be routed through the vpn, afaik.
15:05 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
15:05 < hyper_ch> can't you just bind that application to a specific interface?
15:06 < pflanze> (Hm, at least not if I've got masquerading configured at the same time; well maybe I should test that more.)
15:06 < pflanze> How do you mean "bind"?
15:06 < hyper_ch> bind
15:06 < pflanze> Usually if you say "bind" one means listening.
15:06 < hyper_ch> a couple of programs I use can be bound to a specific ip or interface
15:06 < hyper_ch> and then it uses solely that
15:06 < pflanze> Yes, that's for listening, incoming connections.
15:06 < hyper_ch> no, not just for listening
15:07 < pflanze> So, how do you do it?
15:07 < hyper_ch> depends on the programs
15:07 < pflanze> ok, we're talking the same thing I guess.
15:07 < pflanze> But as I said, afaik that won't make outgoing traffic go through the vpn yet.
15:07 < hyper_ch> simplest thing would be like proxy settings for webbrowsers
15:07 < hyper_ch> it will
15:08 < hyper_ch> if it's bound
15:08 < pflanze> Ok then I'm doing something stupid and have to do further testing.
15:08 < hyper_ch> well, it depends on the programs whether they offer such a thing
15:09 < pflanze> Luckily linux-vserver has a tool called chbind which automatically makes a program use a particular source ip.
15:09 < pflanze> I'm mostly using that.
15:12 -!- p3rror [~Ali@anonymous-196-206-73-95.broker.freenet6.net] has quit [Read error: Operation timed out]
15:21 -!- fremo__ [~fremo@noc.toile-libre.net] has quit [Ping timeout: 268 seconds]
15:24 < pflanze> Well. I'm testing like this (without involving anything vserver related):
15:24 < pflanze> echo hello world | netcat www.iro.umontreal.ca 80 -q1
15:24 < pflanze> will show up unencrypted in tcpdump, of course.
15:24 < pflanze> echo hello world | netcat  -s 192.168.200.5 www.iro.umontreal.ca 80 -q1
15:25 < pflanze> will just hang, if there's no masquerading enabled on the local machine.
15:25 < pflanze> If setting up masquerading with -A POSTROUTING -s 192.168.0.0/16 -d ! 192.168.0.0/16 -j MASQUERADE
15:25 < pflanze> then it will again show up unencrypted in tcpdump.
15:26 < pflanze> hyper_ch: so I don't know why you think just binding the source will make it go through the tunnel.
15:27 -!- p3rror [~Ali@2001:5c0:1400:b::650f] has joined ##openvpn
15:27 < pflanze> 192.168.200.5 is the ip of the local tun1 device, which goes through the vpn to the server
15:27 < pflanze> (the server has 192.168.200.1 on it's own tun1 device)
15:29 -!- fremo__ [~fremo@noc.toile-libre.net] has joined ##openvpn
15:29 -!- p3rror [~Ali@2001:5c0:1400:b::650f] has quit [Max SendQ exceeded]
15:30 -!- p3rror [~Ali@2001:5c0:1400:b::650f] has joined ##openvpn
15:38 < pflanze> Seems I need "advanced routing" / "policy based routing"
15:53 < reiffert> push "redirect-gateway def1"
15:53 < reiffert> "application X should route through the vpn, all other  applications should just use the normal route"
15:53 < reiffert> you dont on layer 3.
15:54 < reiffert> however, policy based routing
15:54 < reiffert> iptables -t mangle -A OUTPUT -s 192.168.2.2 -o eth1 -p tcp -m tcp --dport 80 -j MARK --set-mark 0x1
15:55 < reiffert> ip route add default via 192.168.2.1 table 1
15:55 < reiffert> ip rule add fwmark 1 lookup 1
15:56 < reiffert> mark whatever you need in mangle table.
15:56 < reiffert> see man iptables for the description of the chains in the mangle table.
15:57 < pflanze> aha, the ip route  table  thingie seems to be what I was missing.
15:57 < pflanze> Thanks. Still wondering whether there isn't a howto somewhere as I'd think that's a pretty often wanted setup?
15:58 < reiffert> another example:
15:59 < reiffert> iptables -t mangle -A PREROUTING ! -d 192.168.0.0/16 -i br0 -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x1
15:59 < reiffert> /sbin/ip rule add fwmark 1 lookup 1
16:00 -!- clyons [~clyons@unaffiliated/clyons] has joined ##openvpn
16:00 < reiffert> and that you gonna put into /sbin/dhclient-script:
16:00 < reiffert>                 /sbin/ip route del table 1
16:00 < reiffert>                 /sbin/ip route add default via $router table 1
16:00 < reiffert> /sbin/iptables -t nat -I POSTROUTING -j SNAT --to-source $new_ip_address
16:01 < reiffert> pflanze: routing based on application? howto? here you got what you want: http://lartc.org/  have fun!
16:01 < vpnHelper> Title: Linux advanced Routing & Traffic Control HOWTO (at lartc.org)
16:04 < pflanze> ahh, that was it. I've been looking around on netfilter.org to no avail.
16:04 < reiffert> I remember a routing module for netfilter.. guess it's depreceated by now.
16:07 < reiffert> Might check out l7-filter if it comes to applications.
16:11 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
16:15 -!- p3rror [~Ali@2001:5c0:1400:b::650f] has quit [Ping timeout: 248 seconds]
16:28 -!- p3rror [~Ali@2001:5c0:1400:b::67d5] has joined ##openvpn
16:34 -!- theoretical [~theoretic@64-135-203-23.FoxValley.net] has joined ##openvpn
16:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
16:58 -!- p3rror [~Ali@2001:5c0:1400:b::67d5] has quit [Ping timeout: 248 seconds]
17:03 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
17:04 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
17:12 -!- p3rror [~Ali@2001:5c0:1400:b::63cb] has joined ##openvpn
17:37 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
17:44 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has quit [Read error: Operation timed out]
17:47 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has joined ##openvpn
17:49 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
17:55 -!- clyons [~clyons@unaffiliated/clyons] has quit [Quit: Leaving]
17:58 -!- clyons [~clyons@unaffiliated/clyons] has joined ##openvpn
18:19 < MatBoy> he,I'm in openvpn :)
18:20 < MatBoy> I'm looking for a decent and simple n00b-way XP client, what would that be ?
18:21 < MatBoy> something I can build maybe with the right certs in it and the user only need to enter his username and password
18:32 < pflanze> Thanks for your help reiffert, got it working perfectly now.
18:35 -!- joh [johannj@caracal.stud.ntnu.no] has quit [Ping timeout: 245 seconds]
18:35 -!- joh [johannj@caracal.stud.ntnu.no] has joined ##openvpn
19:09 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
19:22 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
19:37 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Quit: Quitte]
19:41 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
19:47 -!- sonnie [~sonnie@202.141.162.106] has quit [Quit: leaving]
19:57 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
20:00 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
20:03 -!- Rolybrau [~Rolybrau@57-75.3-85.cust.bluewin.ch] has joined ##openvpn
20:03 -!- Rolybrau [~Rolybrau@57-75.3-85.cust.bluewin.ch] has quit [Changing host]
20:03 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
20:16 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
20:42 -!- dextro_ [~dex@vpn.m3th.org] has joined ##openvpn
20:49 -!- SerajewelKS [~me@wikipedia/Crazycomputers] has joined ##openvpn
20:50 < SerajewelKS> hey all, i'm having a problem setting up a bridged server/client.  the connection is established and appears to be working, but pinging through the vpn is fail.
20:50 < SerajewelKS> this is my networking setup on both sides: http://pastebin.ca/1840650
20:50 < SerajewelKS> given the configuration, i would expect the ping to be replied to
20:53 < SerajewelKS> wow ok i'm a moron, forgot to up the server bridged iface in promisc mode
20:58 < dextro_> so i have only ever used a paid vpn service like strongvpn but recently have got my own dedicated server and wish to setup something on it so i can use it as a vpn is openvpn what i am looking for? is it easy or is there something else probably better for first timers?
21:10 < pflanze> openvpn should be as easy as it gets.
21:10 < pflanze> (Easier than ipsec anyway)
21:11 < pflanze> dextro_: an exception may be the ssh tun feature, but I think that can only use TCP for forwarding, and probably not do everything you want either (but I've never tried)
21:12 < pflanze> Question: when setting up the server with --server-bridge, what option should I pass to the client?
21:12 < pflanze> Also --server-bridge ?
21:13 < SerajewelKS> pflanze: no
21:14 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Ping timeout: 256 seconds]
21:14 < pflanze> actually I'm on linux on both sides
21:14 < SerajewelKS> pflanze: "--client --dev tap" should be all you need (excepting the ca/cert/etc stuff)
21:14 < pflanze> ok, and then run a dhcp client on tap right?
21:14 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
21:14 < SerajewelKS> pflanze: if you are not using --ifconfig-pool on the server
21:15 < pflanze> I'm not (the server got it's ip from dhcp, too)
21:15 < SerajewelKS> pflanze: are you bridging the vpn to the lan?
21:15 < pflanze> yes
21:16 < SerajewelKS> pflanze: then that dhcp server will see requests coming in from the other side of the bridge too
21:16 < pflanze> I mean:  server has br0 consisting of eth1 (on the home lan),
21:16 < pflanze> and client is somewhere in the wild.
21:16 < pflanze> on my laptop.
21:16 < pflanze> I want some interface on my laptop to be bridged to the home lan.
21:16 < SerajewelKS> pflanze: if the iface that the server sees the dhcp server on is bridged with the openvpn tap device, then, well, you should see how it works
21:17 < SerajewelKS> pflanze: the server will be acting as a switch for those clients.  so whatever DHCP server is on your LAN will also see the openvpn clients, and will respond to them.
21:17 < pflanze> good
21:17 < SerajewelKS> pflanze: if that is what you want then you are already done :)
21:18 < SerajewelKS> pflanze: in my case that is not what i want because some of my friends join the VPN to play LAN games with me.  and i do not want them using my internet connection as their gateway.
21:18 < pflanze> :)
21:18 < SerajewelKS> pflanze: so i have the two networks segmented to separate the routing rules in use.  but if you trust everyone who will be on this VPN then it should not matter.  just know that all your internet traffic is going to be routed through the VPN.
21:19 < pflanze> Nah, I'm using two routes, and only one user's traffic will go through the VPN
21:19 < pflanze> (I managed to set that up without bridging before)
21:19 < SerajewelKS> pflanze: the routes pushed by the dhcp server will be merged with those in the config
21:19 < SerajewelKS> at least i believe that's how it operates
21:20 < pflanze> I'm passing options to pump to not set up gateway and resolv.conf
21:20 < SerajewelKS> pflanze: ah, then you should be good
21:29 < pflanze> Oh no. The gateway ip in the home lan happens to be the same as the gateway ip on the network where the client laptop is.
21:29 < pflanze> And I diverted traffic by giving that special user another gateway ip.
21:30 < pflanze> Now I have to find another way to force that user's packets through the vpn.
21:33 < pflanze> (Hm full disclosure: my laptop *is* currently actually in the home network. I hope I won't get nastier problems like loops?)
21:34 < krzee> !route
21:34 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
21:34 < krzee> (thats not for here)
22:06 -!- toddc [~chatzilla@ip24-251-94-159.ph.ph.cox.net] has joined ##openvpn
22:17 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Quit: Quitte]
22:43 -!- takamichi [~pri@213.163.66.192] has quit [Ping timeout: 245 seconds]
22:43 -!- takamichi [~pri@213.163.66.192] has joined ##openvpn
23:18 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Read error: Operation timed out]
23:20 -!- PeterFA [~Peter@24-113-142-187.wavecable.com] has joined ##openvpn
23:20 -!- PeterFA [~Peter@24-113-142-187.wavecable.com] has quit [Changing host]
23:20 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
--- Day changed Mon Mar 15 2010
00:19 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
00:53 -!- pflanze [~chris__@69-196-152-229.dsl.teksavvy.com] has quit [Ping timeout: 246 seconds]
00:57 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
01:06 -!- pflanze [~chris__@69-196-152-229.dsl.teksavvy.com] has joined ##openvpn
01:16 -!- LordDoskias [~nib9@unaffiliated/lorddoskias] has joined ##openvpn
01:17 < LordDoskias> what could be the reasons that i get 4mb thoroughput wihtout openvpn 
01:17 < LordDoskias> and with it i can't get more than 200kb 
01:17 < LordDoskias> i'm using udp 
01:29 -!- slb_ [~nada@ool-4354b092.dyn.optonline.net] has joined ##openvpn
01:36 < slb_> hi i set openvpn up but how do i limit the files and the user it logs on as? do i openvpn --user myuser and then just chroot that user?
01:37 < slb_> or do i just set my user and group in the config file?
01:45 -!- LordDoskias [~nib9@unaffiliated/lorddoskias] has quit [Quit: Lost terminal]
01:54 -!- clyons [~clyons@unaffiliated/clyons] has quit [Quit: Leaving]
02:00 -!- Morgan_Phoenix [~macbabe@CPE-24-166-141-95.new.res.rr.com] has quit [Remote host closed the connection]
02:02 < Bushmills> either way
02:02 < Bushmills> command line takes precedence over config file
02:03 < slb_> so it really doesnt matter
02:03 < slb_> thats simple enough
02:03 < slb_> thansk a lot
02:03 < slb_> and then after i do that ill be able to access everything the same as if i was that user?
02:03 < Bushmills> "you"?  it is the openvpn process which changes user id
02:04 < Bushmills> makes sense only when starting openvpn as root
02:04 < slb_> im sorry what you just said confused me
02:04 < Bushmills> dropping privileges, to not continue runnning as privileged user, when there is no need for
02:05 < Bushmills> it has nothing to do with the privileges of the user, running his traffic through openvpn
02:06 < slb_> so limiting the user in the conf has nothing to do with privileges?
02:06 < Bushmills> it does have.
02:06 < slb_> oh i thought you just said it doesnt im sorry
02:06 < Bushmills> it limits  the privileges of the openvpn process
02:06 < Bushmills> it does not limit the privileges of the user, using openvpn
02:07 < slb_> ok yea thats what i means
02:07 -!- Morgan_Phoenix [~macbabe@CPE-24-166-141-95.new.res.rr.com] has joined ##openvpn
02:07 < Bushmills> restricting user privileges is not openvpn's job
02:08 < slb_> so if i set some regular user as the user in my config file when i connect to the vpn ill only have the access of that user in the config right?
02:08 < Bushmills> just as much or little as it is the job of a network patch cable to restrict user permissions
02:08 -!- toddc [~chatzilla@ip24-251-94-159.ph.ph.cox.net] has quit [Remote host closed the connection]
02:08 < Bushmills> who is "I"?
02:08 < slb_> well im saying if i restrict the user in the config files access
02:09 < slb_> i think you are taking me too literally
02:09 < Bushmills> if you replace "I" against "openvpn process", that would be "yes"!
02:09 < slb_> ok
02:09 < slb_> thats what i was asking thanks
02:09 < slb_> have to reboot.  thanks!!
02:09 -!- slb_ [~nada@ool-4354b092.dyn.optonline.net] has quit []
02:10 < Bushmills> somehow I doubt that he understood
02:20 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
02:26 -!- mape2k [~mape2k@p5B287810.dip.t-dialin.net] has joined ##openvpn
02:37 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:37 -!- mode/##openvpn [+o mattock] by ChanServ
03:53 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
04:10 -!- master_of_master [~master_of@p57B57EB6.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
04:12 -!- master_of_master [~master_of@p57B55EDA.dip.t-dialin.net] has joined ##openvpn
04:47 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
05:13 -!- incorrect [~fwest@cpc2-cmbg8-0-0-cust286.cmbg.cable.ntl.com] has joined ##openvpn
05:14 < incorrect> can i do something like push "route 10.3.7.0 255.255.255.0 <gateway ip>" to avoid the redirect ?
05:15 -!- dazo_afk is now known as dazo
05:15 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
05:16 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
05:17 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:30 -!- dazo is now known as dazo_afk
05:58 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
06:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:43 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
06:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
06:51 -!- takamichi [~pri@213.163.66.192] has quit [Read error: Connection reset by peer]
06:51 -!- takamichi [~pri@213.163.66.192] has joined ##openvpn
06:52 -!- takamichi [~pri@213.163.66.192] has quit [Read error: Connection reset by peer]
06:52 -!- takamichi [~pri@213.163.66.192] has joined ##openvpn
06:55 -!- dazo_afk is now known as dazo
07:05 -!- autoditac [~autoditac@brln-4d0c392e.pool.mediaWays.net] has joined ##openvpn
07:06 < autoditac> !welcome
07:06 < vpnHelper> autoditac: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:09 < agagag> !goal
07:09 < vpnHelper> agagag: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:14 < autoditac> hi. i would like to access different lans behind clients from a single server using a pre-shared key setup. is this possible with 2.1 using a single server, i.e. without having to hardcode the port number in the clients config?
07:15 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
07:33 < MatBoy> anyone an idea to make the most simple n00b based client ?
07:35 < krzee> autoditac, pre-shared key setup is point-to-point, not client/server
07:35 < autoditac> krzee: sure?
07:35 < krzee> autoditac, use a standard tun server setup and follow this:
07:36 < krzee> !route
07:36 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:36 < krzee> !sample
07:36 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
07:42 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: Leaving]
07:45 < MatBoy> what kind of clients do you guys use for desktops ?
07:48 < rob0> Mat, the question makes no sense to me. I use openvpn(8) as client and server. And since my tunnels are connecting site-to-site at the router, a desktop needs no client.
07:50 < MatBoy> rob0: I use my VPNś for people that want to have some remote storage. I would like to make a package with their key in it and run the app or simple install it and when you want to connect ask for user password... 
07:52 < Bushmills> MatBoy: i use openvpn as openvpn client
07:53 < MatBoy> yes but a homeuser is not able to install it and config in a decent way, so I need to get around it
07:53 < Bushmills> it's a SEP
07:54 < MatBoy> SEP ?
07:54 < Bushmills> http://scarydevilmonastery.net/SEP
07:54 < rob0> so you're wanting to run a commercial VPN/remote storage system?
07:54 < MatBoy> rob0: no commercial in the first place
07:55 < MatBoy> want to tets how it runs with mutiple users and shares
07:55 < MatBoy> *test
07:55 < MatBoy> Bushmills: I don't like that way of thinking...
07:56 < Bushmills> well, it will be you to solve it :)
07:56 < MatBoy> Bushmills: so Iḿ looking for a decent solution :)
07:57 < Bushmills> if he can't *config* it ... that's a matter of providing a working config
07:57 < rob0> I'm betting folks have done it. Whether or not they shared their results, I am not sure.
07:58 < MatBoy> yes, but automated in a installer would be nicer, maybe I should us ethe source and make my own installer
08:00 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Remote host closed the connection]
08:00 < Bushmills> consider: if users are not capable of that level of administration - how do they keep attackers out of their system?  the same system you're providing a secure tunnel to another system to. 
08:01 < MatBoy> Bushmills: but that is with everything, remove backup, the whole gang.... I just want to provide them a share over a secure connection, nothing more :)
08:04 < rob0> A theoretically secure connection. :) A connection to an insecure machine cannot be secured.
08:04 < MatBoy> true, but in that matter we better can stop living :)
08:05 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
08:06 -!- le0 [~tehle0@unaffiliated/le0] has quit [Client Quit]
08:11 -!- autoditac [~autoditac@brln-4d0c392e.pool.mediaWays.net] has left ##openvpn []
08:15 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
08:27 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Read error: No route to host]
08:40 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
08:40 -!- mode/##openvpn [+o mattock] by ChanServ
08:53 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
08:53 -!- jmm is now known as jww
08:57 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Read error: Operation timed out]
08:59 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
08:59 -!- mode/##openvpn [+o mattock] by ChanServ
09:08 -!- buntfalke [~nobody@openvpn-p0-ipv6-1017.triple-a.uni-kl.de] has joined ##openvpn
09:08 -!- buntfalke [~nobody@openvpn-p0-ipv6-1017.triple-a.uni-kl.de] has quit [Changing host]
09:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:13 -!- cwillu_at_work [~cwillu@cwillu.com] has joined ##openvpn
09:13 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:24 -!- teddymills [~teddy@208.92.235.227] has quit [Quit: Ex-Chat]
09:33 -!- mikkel_ [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:37 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
09:39 -!- Sorcier_FXK [~Sorcier_F@unaffiliated/sorcierfxk] has quit [Remote host closed the connection]
09:39 -!- Sorcier_FXK [~Sorcier_F@rps2660.ovh.net] has joined ##openvpn
09:55 < ecrist> good morning, folks
10:00 -!- ecrist changed the topic of ##openvpn to: OpenVPN 2.1.1 Most Current || Your problem is your firewall, really. || Type  !welcome  before asking your questions. || Web Forum: http://ovpnforum.com || Developers: #openvpn-devel
10:14 < cpm> morn'n
10:14 < macsppadic> afternoon pm
10:14 < macsppadic> afternoon cpm 
10:15 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
10:17 -!- dazo is now known as dazo_afk
10:26 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
10:48 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
10:48 -!- mode/##openvpn [+v Kasx] by ChanServ
10:50 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 240 seconds]
10:52 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 252 seconds]
10:54 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
10:54 -!- mode/##openvpn [+v openvpn2009] by ChanServ
10:55 -!- toddc [~chatzilla@ip24-251-94-159.ph.ph.cox.net] has joined ##openvpn
10:59 -!- yeason [~jharris@c-67-166-133-227.hsd1.ca.comcast.net] has joined ##openvpn
11:00 -!- toddc [~chatzilla@ip24-251-94-159.ph.ph.cox.net] has quit [Ping timeout: 246 seconds]
11:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
11:01 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Quit: ircN 8.00 for mIRC (20080809) - www.ircN.org]
11:12 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
11:19 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
11:35 -!- yeason [~jharris@c-67-166-133-227.hsd1.ca.comcast.net] has quit [Remote host closed the connection]
11:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:38 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
12:12 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Ping timeout: 248 seconds]
12:12 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
12:14 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
12:15 -!- mape2k [~mape2k@p5B287810.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
12:24 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
12:32 -!- Kaapa [~Something@bl9-79-77.dsl.telepac.pt] has joined ##openvpn
12:33 -!- le0 [~tehle0@82.132.139.117] has joined ##openvpn
12:33 -!- le0 [~tehle0@82.132.139.117] has quit [Changing host]
12:33 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
12:33 < Kaapa> !welcome
12:33 < vpnHelper> Kaapa: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:34 < Kaapa> maybe someone can redirect me to the correct place to look
12:34 < Kaapa> I can't do scp's over my openvpn connection
12:35 < Kaapa> I don't know where to start looking (this has always worked)
12:35 -!- incorrect [~fwest@cpc2-cmbg8-0-0-cust286.cmbg.cable.ntl.com] has quit [Ping timeout: 245 seconds]
12:36 < ecrist> Kaapa: check your routing.
12:36 < ecrist> can you ping the server across the vpn?
12:36 < Kaapa> I can ssh to it
12:37 < Kaapa> scp stalls and on the other side there's a file with size 0
12:38 < ecrist> if you can ping and ssh in, you have a problem that's not related to openvpn
12:40 < Kaapa> if I use the public host, I can
12:41 < ecrist> openvpn doesn't filter or block anything
12:41 < ecrist> if the vpn is up, and you can do other things through the vpn, your issue is not with openvpn
12:41  * rob0 suspects VPN with TCP transport layer
12:42 < Kaapa> I don't know what to think, to be honest
12:42 < Kaapa> this used to work - I don't know if it stopped working with the new router, the new kernel or something else
12:43 < Kaapa> it's absolutely desperate
12:48 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
13:05 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
13:05 -!- Kaapa [~Something@bl9-79-77.dsl.telepac.pt] has quit [Ping timeout: 264 seconds]
13:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:29 -!- slb_ [~nada@ool-4354b092.dyn.optonline.net] has joined ##openvpn
13:30 < slb_> if i want to set up two differnet users for two different sets of vpn access is that just a matter of setting up another vpn server?
13:30 < slb_> is there a downside to that?
13:37 -!- takamichi [~pri@213.163.66.192] has quit [Ping timeout: 252 seconds]
13:38 -!- takamichi [~pri@78.133.36.225] has joined ##openvpn
13:43 -!- takamichi [~pri@78.133.36.225] has quit [Ping timeout: 248 seconds]
13:44 -!- takamichi [~pri@213.163.66.192] has joined ##openvpn
13:58 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined ##openvpn
13:58 < grendal_prime> ok guys...is there a way to support two cyphers?
13:59 < grendal_prime> like if i have two groups of clients and i want to change the cyphers without having to run another instance of openvpn on a different port.  
14:00 < grendal_prime> currently they are using des and i want to migrate them two AES.  I cant find any docs that show its possible. 
14:09 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 258 seconds]
14:10 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
14:11 < ecrist> isn't the cipher argument a list?
14:12 -!- p3rror [~Ali@2001:5c0:1400:b::63cb] has quit [Read error: Operation timed out]
14:12 < ecrist> no, it's not.
14:15 < slb_> do i need to use tap instead of tun to access my files? i want to be able to connect to my vpn and just access one folder and the files in it, how can i accomplish this?
14:16 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
14:26 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:43 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
14:54 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
15:10 -!- dextro_ [~dex@vpn.m3th.org] has quit []
15:15 < grendal_prime> so it looks pretty much like a nogo on the multiple cyphers
15:16 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Read error: Connection reset by peer]
15:19 -!- slb_ [~nada@ool-4354b092.dyn.optonline.net] has quit []
15:22 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
15:23 -!- fwest_ [~fwest@cpc2-cmbg8-0-0-cust286.cmbg.cable.ntl.com] has joined ##openvpn
15:25 -!- theoretical [~theoretic@64-135-203-23.FoxValley.net] has quit [Quit: Bye]
15:33 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Ping timeout: 260 seconds]
15:34 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
15:38 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
16:06 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
16:12 -!- fwest_ [~fwest@cpc2-cmbg8-0-0-cust286.cmbg.cable.ntl.com] has quit [Remote host closed the connection]
16:23 -!- Optic [~Optic@miso.capybara.org] has quit [Ping timeout: 252 seconds]
16:25 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 264 seconds]
16:26 -!- Optic [~Optic@miso.capybara.org] has joined ##openvpn
16:33 -!- slb_ [~nada@ool-4354b092.dyn.optonline.net] has joined ##openvpn
16:44 < slb_> i am following the ethernet bridging documentation on openvpn.net but i have a local dns set up and when i run bridge-start it messes up my local dns on windows i guess because bridging eliminates the ip of my linux box with the dns which is what windows is using as a dns server so how do i fix this?
16:46 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
16:49 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
16:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
17:06 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 245 seconds]
17:33 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
17:33 -!- mode/##openvpn [+o openvpn2009] by ChanServ
17:36 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Quit: Ex-Chat]
17:44 -!- ser [~ser@house.metalab.unc.edu] has joined ##openvpn
17:45 < ser> !welcome
17:45 < vpnHelper> ser: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:46 < ser> do you use any web-based CA to maintain keys for openvpn?
17:46  * Rienzilla uses tinyca2
17:57 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
18:13 -!- mikkel_ [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
18:21 -!- p3rror [~Ali@anonymous-196-206-105-71.broker.freenet6.net] has joined ##openvpn
18:42 < ser> Rienzilla: OK, to run a vpnd i need server cert and client cert? i am talking about tinyca2
18:43 < Rienzilla> yes (both signed by the same CA)
18:44 < ser> thanks, trying...
18:45 < ser> one question - tinyca2 requires passwords for certs, is really required to have a password?
18:59 -!- rkantos [robin@hp1.jaketus.net] has quit [Read error: Operation timed out]
19:02 -!- rkantos_UK [robin@hp1.jaketus.net] has quit [Ping timeout: 240 seconds]
19:36 -!- Gabe_G23 [~mac-mini@bzflag/player/GabrielG] has quit [Quit: leaving]
19:39 -!- Gabe_G23 [~gabe@bzflag/player/GabrielG] has joined ##openvpn
19:54 -!- slb_ [~nada@ool-4354b092.dyn.optonline.net] has quit []
20:01 -!- theDoc [~jaki@69.10.59.166] has joined ##openvpn
20:01 -!- theDoc [~jaki@69.10.59.166] has quit [Changing host]
20:01 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:14 < pflanze> "Options error: --server-bridge and --secret cannot be used together (you must use SSL/TLS keys)"
20:14 < pflanze> why is this?
20:15 < pflanze> I don't see how the kind of key and the kind of interface would have anything to do with each other.
20:17 -!- p3rror [~Ali@anonymous-196-206-105-71.broker.freenet6.net] has quit [Quit: أستودعكم الله]
20:17 < pflanze> Actually I don't even see why I have to tell openvpn that tap0 is part of a bridge.
20:19 < pflanze> (Sort of. I mean all that's relevant is that it should not create a new interface but use an existing userspace interface. Which would have to be a bridge if it's a tap device, admittedly.)
20:20 < pflanze> Can anyone enlighten me why I should go through the trouble to almost completely rewrite my scripts now just to create key pairs?
20:20 < rob0> --server-bridge is a server mode option. --secret is a peer mode option.
20:21 < pflanze> hm.
20:21 < rob0> If you're just doing a single point-to-point tunnel, you do not need server mode.
20:21 < pflanze> Ok, I just need it to use tap0. (How?)
20:21  * pflanze checking manpage
20:21 < rob0> see the 1.x howto
20:22 < rob0> why bridging/tap?
20:22 < pflanze> I need direct access to my home lan from the outside.
20:22 < rob0> so? Why not use tun and routing?
20:22 < pflanze> That's what I've done now, but my SIP clients then are behind double NAT and that seems to break some things.
20:22 < rob0> are you using non-IP protocols?
20:23 < pflanze> no
20:23 < rob0> SIP is IP, no need to nat a tun interface if you set up routing properly.
20:24 < SerajewelKS> pflanze: my understanding is that with --secret, if all the clients were to use the same key, the server would not be able to distinguish their traffic
20:24 < rob0> Um, not quite. There are no "clients" if there is --secret.
20:25 < SerajewelKS> rob0: logically speaking.  if there were a multi-client server mode that used a static key.
20:25 < rob0> oh, but openvpn never supported that. You might be right about the "why".
20:26 < SerajewelKS> ser: tinyca does not require passwords
20:26 < rob0> My CA key has no password. I got tired of forgetting it. :)
20:27 < rob0> I think it's my 3rd or 4th CA.
20:27 < SerajewelKS> ser: export pkcs12 without password
20:27 < SerajewelKS> rob0: yeah my understanding is that with --secret, the key is the only thing that identifies that packets are genuine
20:29 < SerajewelKS> my passwords are all the same :)
20:30 < SerajewelKS> if people can break my uber-random ssh password they can have my vpn keys
20:33 < pflanze> rob0: my setup would look like: (internet) -- [router] -- [server eth1 tun1] == [laptop tun1]
20:33 < pflanze> am I right assuming that I'd have to configure [router] to know where to route packets for [laptop]?
20:33 < pflanze> == is the vpn connection.
20:34 < rob0> um, maybe ... this laptop is where, on a remote hotspot or something?
20:34 < pflanze> let's say eth1 has ip 192.168.1.133
20:34 < pflanze> tun1 has ip 10.0.1.1
20:34 < pflanze> ^ server tun1, that is; laptop tun1 has ip 10.0.1.2
20:35 < pflanze> router has ip 192.168.1.1
20:35 < pflanze> so if a packet originates from 10.0.1.2 it should go to gateway 10.0.1.1, there to gateway 192.168.1.1
20:36 < pflanze> and in the other direction: a returning packet coming into router, will be NAT'ed back to target 10.0.1.2
20:36 < pflanze> but the only way router knows where it should be sent is by configuring routes in router, right?
20:36 < pflanze> (Which I honestly never did, but why not trying.)
20:37  * pflanze tris
20:37  * pflanze tries
20:52 < Bushmills> pflanze: you probably want to setup NAT on server, and don't care about router
20:52 < pflanze> That's what I did, but that's double NAT then.
20:52 < Bushmills> (assuming you want to reach internet from notebook)
20:52 < pflanze> Which works fine for HTTP, but only partially for SIP.
20:52 < Bushmills> why double?
20:53 < Bushmills> notebook to server is not natted
20:53 < pflanze> "router" is doing NAT
20:53 < pflanze> no, but notebook to router is.
20:53 < pflanze> and router to internet another time.
20:55 < Bushmills> well, then it depends. router may be configured to NAT other addresses then those of subnet where server is on
20:56 < Bushmills> i.e. may not let notebook packets with their original source ip through
20:56 < Bushmills> may be configured to *not* NAT ...
20:57 < Bushmills> i'd probably go for letting server NAT as well, to let router believe that packets origin from server
20:57 < pflanze> Well, I've got a standard DLS line, so router *has* to NAT if I am to use multiple ip's in my network.
20:58 < pflanze> And even if router does NAT for 10.0.*.* too:
20:58 < pflanze> it would still not know which of the machines on 192.168.1.* would have 10.0.1.2 behind it.
20:58 < Bushmills> having to change config of a system 2 hops away if your system changes (ip address) is not very maintenance friendly
20:59 < Bushmills> having those changes only effect the closest hop is probably preferable
20:59 < pflanze> Which means, bridging.. so there's the choice.
20:59 < Bushmills> i don't see why server wouldn't be able to NAT notebook packets
21:00 < pflanze> Being able to NAT notebook packets shouldn't be an issue.
21:00 < pflanze> Making "router" know where they originate from will be, I think.
21:00 < Bushmills> then for router, notebook traffic appears to originate from server
21:01 < pflanze> "router" will just know that a certain packet has to be rewritten back to target 10.0.1.2; iptables will store nothing about routing I think.
21:02 < pflanze> How would it "appear" so?
21:02 < Bushmills> but that meats the goal. packets go back to server
21:02 < Bushmills> meets
21:02 < pflanze> *how*?
21:02 < Bushmills> and server can return them to notebook
21:02 < pflanze> You consciously avoid the problem point.
21:02 < Bushmills> appears because server, doing NAT, replaces the origin address against its own
21:03 < pflanze> We said that only router does NAT?
21:03 < Bushmills> well, if i avoid it, it might be because i don't see it
21:03 < pflanze> I repeat:  (internet) -- [router] -- [server eth1 tun1] == [laptop tun1]
21:03 < Bushmills> "we"?  hm IIRC, I said "i'd probably go for letting server NAT as well"
21:04 < Bushmills> well, just my opinion
21:04 < pflanze> Well I think you're trying to say that it can work without double NAT.
21:04 < pflanze> That's what I *thought*.
21:05 < Bushmills> well, it most likely can, but it will be more messy
21:05 < pflanze> It will require setting a route on "router".
21:05 < ser> SerajewelKS: i do not know - how... it still prints "Error: private key password verification failed"
21:06 < Bushmills> in the case of not NATting on server ,yes
21:06 < Bushmills> part of the added messiness
21:07 < ser> SerajewelKS: export key file --> PKC#12 - should I include key PEM or not?
21:07 < pflanze> Bushmills: so I have the choice of either double NAT (which, I repeat, was what I've used and doesn't work for SIP), or single NAT and route on router, or bridging.
21:07 < pflanze> Now let me finish testing those two remaining choices.
21:07 < pflanze> :)
21:31 < ser> SerajewelKS: OK mate, it works, the interface is not very intuitive, but i managed it to work, thanks :)
21:38 < ecrist> sup, bitches?
22:10 < pflanze> So my testing has revealed that single nat with a route on the router works just fine for normal traffic, but still not for SIP. (Outgoing calls work, incoming don't).
22:11 < pflanze> Thus I'm back at trying to implement bridging.
22:11 < pflanze> rob0: I haven't found anything for "tap" in the 1.x howto that I see relevant for me; right now I'm getting these warnings:
22:12 < pflanze> WARNING: 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
22:12 < pflanze> and warnings about link-mtu and tun-mtu differences.
22:12 < pflanze> and pump (on the client) doesn't get an ip through the vpn.
22:13 < pflanze> I'm currently assuming that on the client I need a tun device (there's no bridging on the client to be done),
22:13 < Bushmills> pflanze: i do have SIP through NAT, incoming calls working
22:13 < pflanze> but tap on the server (bridged with eth1)
22:13 < Bushmills> though i don't run it through vpn. buit that shouldn't matter
22:13 < pflanze> Bushmills: I do have SIP working through NAT too. *But* it's single NAT and *directly* behind the nat.
22:14 < Bushmills> same here
22:14 < pflanze> The *directly* seems to make the difference.
22:14 < pflanze> Which is why I'm looking into bridging.
22:24 < pflanze> wow it works with tap0 on the client. (Still not understanding the difference between tap and tun then)
22:25  * pflanze maybe sees it though
22:27 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Read error: Connection reset by peer]
22:32 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
22:43 < pflanze> Hrm. Somehow my laptop's kernel will send arp replies for the tap0 interface ip through eth0 instead through the vpn.
22:43 < theDoc> Did you find that out via tcpdump?
22:44 < pflanze> tcpdump on tap0 on the server doesn't show any traffic, and the arp cache on the gateway shows the mac of my laptop's eth0
22:44 < pflanze> (m
22:45 < pflanze> (my laptop is on the lan twice: through eth0, and through tap0 to the server which is on the same lan)
22:47 < pflanze> Now I think the laptop kernel should receive the arp who-is twice, and probably first the one on eth0, and it seems to answer that on eth0, by saying that the ip is on eth0.
22:47 < pflanze> Not entirely incorrect, but it prevents me from testing my vpn.
22:48 < pflanze> (Since, on top of that, openwrt on the gateway doesn't have the arp tool to set a static arp entry.)
22:48 -!- slb_ [~nada@ool-4354b092.dyn.optonline.net] has joined ##openvpn
22:49 < slb_> i set up openvpn using tap and it seems to work on osx and it connects on windows but i cant access anything on my network from windows
22:49 < slb_> any idea why?
22:52 < pflanze> access what?
22:52 < pflanze> (I've read that some windows services are non-ip and need bridging)
22:52 < slb_> my file shares, local web server, etc
22:52 < slb_> osx it appears i can
22:54 < pflanze> You'll have to research the problem in more detail I guess.
23:01 < Bushmills> (04:57:14) slb_: i tried setting up an ethernet bridge on my box to work with tap and openvpn and i have dns setup and my windows box works wiht that dns ip and it all seemed fine but when i restarted my linux box i completely lost my interent connection
23:02 < Bushmills> already slightly more detailed :D
23:02 < slb_> lol
23:03 < slb_> i since took the bridge off and restarted and i can still connect with tap through osx
23:03 < slb_> so thats hwy i feel its a windows thing
23:03 < slb_> but maybe if i had the bridge proper it would work all around
23:03 < slb_> although i can still connect on windows like i said
23:04 < Bushmills> "when i restarted my linux box i completely lost my interent connection" seems to be a key 
23:04 < slb_> any idea why
23:04 < Bushmills> because ... something is misconfigured?
23:04 < slb_> i thought i configured everything ok
23:05 < slb_> apparantly not
23:05 < slb_> i tried using the bridge-start script on openvpn
23:08 -!- pflanze [~chris__@69-196-152-229.dsl.teksavvy.com] has quit [Ping timeout: 258 seconds]
23:13 -!- daya [~daya@202.63.242.211] has joined ##openvpn
23:17 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:22 -!- slb_ [~nada@ool-4354b092.dyn.optonline.net] has quit []
23:29 -!- slb_ [~nada@ool-4354b092.dyn.optonline.net] has joined ##openvpn
23:33 -!- daya [~daya@202.63.242.211] has quit [Ping timeout: 246 seconds]
23:36 < slb_> in the bridge-start script when it wants eth_ip is that my gateway or the ip of the computer thats running the server?
23:44 -!- rhernandez [~rhernande@201.110.109.26] has joined ##openvpn
23:44 < rhernandez> hi fellows
23:45 < rhernandez> helo
23:45 < rhernandez> ok
23:45 < rhernandez> i have my openvpn server and client running OK
23:47 < rhernandez> but when i try to put a static route in the client using the as gw the internal ip from the openvpn server 
23:47 < rhernandez> yep
23:47 < rhernandez> for sample 
23:47 < rhernandez> in my client machine
23:47 < rhernandez> route add -host 204.11.11.11 gw 192.168.200.5 
23:48 < rhernandez> my openvpn its with tun interfaces 
23:48 -!- slb_ [~nada@ool-4354b092.dyn.optonline.net] has quit []
23:48 < rhernandez> so when i try to ping 204.11.11.11... no reply 
23:48 < rhernandez> i saw in the tun interface with tcpdump 
23:49 < rhernandez> and all i see is 
23:49 < rhernandez> 192.168.200.6 , 204.11.11.11 echo request 
23:50 -!- daya [~daya@202.63.242.180] has joined ##openvpn
--- Day changed Tue Mar 16 2010
00:00 -!- pflanze [~chris__@69-196-152-229.dsl.teksavvy.com] has joined ##openvpn
00:20 -!- slb_ [~nada@ool-4354b092.dyn.optonline.net] has joined ##openvpn
00:22 -!- rhernandez [~rhernande@201.110.109.26] has quit [Quit: Leaving]
00:28 < Bushmills> does 192.168.200.5   know how to route replies from 204.11.11.11 back to your client?
00:28 < Bushmills> or 192.168.200.1, presumable.
00:29 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Remote host closed the connection]
00:30 -!- pflanze [~chris__@69-196-152-229.dsl.teksavvy.com] has quit [Read error: Connection reset by peer]
00:36 < slb_> im confused about openvpn docs it says for bridge-start the local ip address is 192.168.8.4 then on the server-bridge 192.168.8.4 255.255.255.0, etc hwoever on the faq it goes by the gateway ( server-bridge 192.168.1.1 255.255.0, etc) so when i edit bridge-start do i want local ip address to equal gateway or use my local ip address of the computer serving the vpn
01:34 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Read error: Operation timed out]
01:34 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
01:36 -!- crazygir [~jason@unaffiliated/crazygir] has quit [Ping timeout: 246 seconds]
01:36 -!- rgubler [rob@happybox.org] has quit [Ping timeout: 265 seconds]
01:37 -!- MegaHerz [~fantomas@pool-62-84-112-224.pppoe.dubna.ru] has joined ##openvpn
01:37 < MegaHerz> hi all
01:37 < MegaHerz> How to see the list of current connections on openvpn server?
01:37 < MegaHerz> on Ubuntu if this matters
01:38 -!- crazygir [~jason@li14-82.members.linode.com] has joined ##openvpn
01:38 -!- rgubler [rob@happybox.org] has joined ##openvpn
01:39 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
01:40 -!- slb_ [~nada@ool-4354b092.dyn.optonline.net] has quit [Ping timeout: 245 seconds]
01:44 -!- slb_ [~nada@ool-4354b092.dyn.optonline.net] has joined ##openvpn
01:44 -!- tjz [~pc@bb220-255-23-81.singnet.com.sg] has joined ##openvpn
01:44 -!- tjz [~pc@bb220-255-23-81.singnet.com.sg] has quit [Changing host]
01:44 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
01:49 -!- mape2k [~mape2k@2001:6f8:997:1000:21e:37ff:fe90:fbfd] has joined ##openvpn
01:49 -!- slb_ [~nada@ool-4354b092.dyn.optonline.net] has quit [Ping timeout: 252 seconds]
02:13 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
02:16 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Ping timeout: 246 seconds]
02:49 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Ping timeout: 252 seconds]
02:51 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
03:02 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
03:25 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
03:35 -!- MegaHerz [~fantomas@pool-62-84-112-224.pppoe.dubna.ru] has quit [Read error: Operation timed out]
03:39 -!- MegaHerz [~fantomas@pool-62-84-112-224.pppoe.dubna.ru] has joined ##openvpn
03:50 -!- daya [~daya@202.63.242.180] has quit [Ping timeout: 246 seconds]
03:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:57 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
04:03 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
04:10 -!- master_of_master [~master_of@p57B55EDA.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
04:12 -!- master_of_master [~master_of@p57B56D57.dip.t-dialin.net] has joined ##openvpn
04:16 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
04:21 -!- salax [~salax@219.95.96.90] has joined ##openvpn
04:21 < salax> hi, 1 quick question
04:21 < salax> can i install openvpn client on top of vmware esxi 4
04:36 < Rienzilla> euhm
04:36 < Rienzilla> not directly on the hypervisor
04:36 < Rienzilla> but you can install a virtual machine which in turn runs openvpn
04:38 < |Mike|> sure you can install a openvpn server on a dom0 and domU's :P
04:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:41 < salax> Rienzilla: that's my problem now.. because of the vmware esxi 4 itself running busybox, i can't do any installation/configuration. i know that my guest Os can join the private network, but i need the esxi itself to be connected with the private network.. anyway, thank you
04:42 < Rienzilla> you can probably do that as well
04:42 -!- ocornu [~olivier@AMarseille-158-1-143-26.w90-10.abo.wanadoo.fr] has joined ##openvpn
04:43 < ocornu> hi there
04:45 < ocornu> i just set up a (tun) openvpn server: everything works fine except that there seems to be some upload bandiwth limit (~200kB/s) that is inferior to my DSL line upload limit
04:45 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 246 seconds]
04:46 < ocornu> is there any such limitation as a default in openvpn?
04:51 -!- Steak__ [~alex@fire.perspectix.com] has joined ##openvpn
04:51 < Steak__> hello
04:51 < macsppadic> hello Steak__ 
04:51 < Steak__> hi macsppadic 
04:52 < Steak__> !welcome
04:52 < vpnHelper> Steak__: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:53 < |Mike|> ocornu: no
04:53 < |Mike|> ocornu: what kind of encryption cipher are you using?
04:54 < Steak__> is it possible to use for OpenVPN a certificate which is currently used by a web server?
04:55 < ocornu> |Mike|: default one
04:56 < ocornu> |Mike|: alright, i guess that must come from somewhere else, then
04:56 < ocornu> |Mike|: thanks for the tip
04:56 < |Mike|> ocornu: remove the encryption and test it over plain text :)
04:56 < |Mike|> and messure your max download.
04:56 < ocornu> |Mike|: will do
05:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
05:08 -!- salax [~salax@219.95.96.90] has quit [Read error: Connection reset by peer]
05:08 -!- salax [~salax@219.95.96.90] has joined ##openvpn
05:15 < ocornu> bye
05:16 < ocornu> have a good day/night
05:16 -!- ocornu [~olivier@AMarseille-158-1-143-26.w90-10.abo.wanadoo.fr] has quit [Quit: Ex-Chat]
05:20 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:26 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
05:32 -!- RichiH [~richih@freenode/staff/richih] has joined ##openvpn
05:33 < RichiH> http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html claims that in server mode, "keepalive" will automagically have double the timout on the server than on the client
05:33 < RichiH> is that true or not?
05:33 < vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net)
05:35 < rob0> If not, it's either a software bug or a man page bug.
05:37 -!- fanti [~fanti@p5DDF207B.dip.t-dialin.net] has joined ##openvpn
05:38 < fanti> hello! i like to use my default vpn config given by the openvpn server, but all connections to 192.168.0.0 should be routed via eth0 direct, instead of tun0. how is that possible?
05:38 < rob0> RichiH: Being a "helper directive", you can get more fine-grained control by setting the 4 settings individually.
05:43 < RichiH> rob0: that's fine. i just wanted to know if that's the case as it looked weird
05:43 < RichiH> if it's not the case, i would have written a quick patch
06:04 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:04 -!- cityOfLights [~user@62.0.1.62] has joined ##openvpn
06:05 < cityOfLights> !welcome
06:05 < vpnHelper> cityOfLights: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:08 < cityOfLights> can I just ask about dhcp over openvpn here?
06:08 < cityOfLights> !route
06:08 < vpnHelper> cityOfLights: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
06:09 < cityOfLights> I establish connectin , but get an IP address for the client
06:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:15 -!- cityOfLights [~user@62.0.1.62] has quit [Ping timeout: 245 seconds]
06:33 -!- MegaHerz [~fantomas@pool-62-84-112-224.pppoe.dubna.ru] has quit [Quit: leaving]
06:42 -!- crazygir [~jason@li14-82.members.linode.com] has quit [Changing host]
06:42 -!- crazygir [~jason@unaffiliated/crazygir] has joined ##openvpn
06:48 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
06:51 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
06:55 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Ping timeout: 276 seconds]
07:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
07:01 -!- amd64 [~kyle@1-1-8-10a.far.sth.bostream.se] has joined ##openvpn
07:01 < amd64> Hi, is there any reason to not run TCP if you are using tap?
07:09 < theDoc> Yes.
07:09 < theDoc> !tcp
07:09 < vpnHelper> theDoc: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
07:20 < amd64> okey
07:33 -!- amd64 [~kyle@1-1-8-10a.far.sth.bostream.se] has quit [Quit: leaving]
07:57 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:00 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
08:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
08:13 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:16 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
--- Log closed Tue Mar 16 08:26:59 2010
--- Log opened Tue Mar 16 08:38:05 2010
08:38 -!- Irssi: Join to ##openvpn was synced in 45 secs
08:48 < Munksgaard_> Hi there. I'm having a problem getting my openvpn configuration working. I followed some of the guides on openvpn.net and initially got the setup working with tun. Now, i want a bridged vpn, so i tried settings things up to use tap instead, and it won't work. I can connect, and both server and client reports no problem, but i can't ping the server or any of the other computers on the subnet. Configuration and ifconfig output: http://p
08:48 < Munksgaard_> Configuration and ifconfig output: http://pastebin.com/0wyp1nk6
08:49 < Munksgaard_> !welcome
08:49 < vpnHelper> Munksgaard_: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:49 < Munksgaard_> !route
08:49 < vpnHelper> Munksgaard_: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:50 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
08:50 < Munksgaard_> !goal
08:50 < vpnHelper> Munksgaard_: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:51 < Munksgaard_> !logs
08:51 < vpnHelper> Munksgaard_: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
09:04 -!- dazo_afk is now known as dazo
09:10 < Munksgaard_> Isn't the the whole purpose of tap that you dont have to set up routing like descriped in !route ?
09:11 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
09:13 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
09:20 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
09:21 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 260 seconds]
09:26 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
09:28 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
09:32 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
09:34 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
09:40 -!- takamichi [~pri@213.163.66.192] has quit [Read error: Connection reset by peer]
09:40 -!- takamichi [~pri@213.163.66.192] has joined ##openvpn
09:43 < theDoc> takamichi o/
09:48 -!- Munksgaard_ [~munksgaar@94.191.246.185.bredband.3.dk] has quit [Quit: Java user signed off]
09:54 -!- Munksgaard [~Munksgaar@94.191.246.185.bredband.3.dk] has quit [Ping timeout: 246 seconds]
09:59 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Read error: Connection reset by peer]
10:01 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
10:23 < hyper_ch> hmmm, the devices listed in /dev/disk/by-id/... --> are those files that can be probed if they exist with  if [ -d /dev/disk/by-id/...... ] ?
10:27 < hyper_ch> hmmm, ok, it's not recognized as file and neither as directory....
10:27 < hyper_ch> ups, wrong channel
10:29 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:35 -!- mape2k [~mape2k@2001:6f8:997:1000:21e:37ff:fe90:fbfd] has quit [Read error: Operation timed out]
10:36 < reiffert> hyper_ch: ls -ald /dev/disk/by-id/......
10:36 < reiffert> Most probably block devices, so if [ -b
10:36 < hyper_ch> if [ -e /dev/disk/by-id/..... ] ; then   else    fi
10:37 < hyper_ch> that works on my external usb devices :)
10:37 < reiffert> would please paste a single whatever it is you want to test?
10:37 < hyper_ch> a what?
10:37 < reiffert> /dev/disk/by-id/.....
10:37 < reiffert> ls -al /dev/disk/by-id/.....
10:38 < hyper_ch> reiffert: I already got it :)
10:38 < hyper_ch> I have to use the -e in bash
10:38 < reiffert> please do it, so that I can explain why -e is bad.
10:38 < hyper_ch>   lrwxrwxrwx 1 root root  10 2010-03-16 08:26 usb-WD_My_Book_1110_574D41565531313433393930-0:0-part1 -> ../../sdb1
10:39 < reiffert> it's a symbolic link. let's follow that link:
10:39 < reiffert> ls -al /dev/disk/by-id/../../sdb1
10:39 < hyper_ch> brw-rw---- 1 root disk 8, 17 2010-03-16 08:26 /dev/disk/by-id/../../sdb1
10:39 < reiffert> so when testing on a link, use if [ -h
10:39 < reiffert> when testing on a block device, use -b
10:39 < hyper_ch> why?
10:40 < hyper_ch> and why is -e bad?
10:40 < reiffert> touch /dev/disk/by-id/nowyourtestisbroken
10:41 -!- Optic [~Optic@miso.capybara.org] has quit [Ping timeout: 252 seconds]
10:41 < hyper_ch> I still don't get why it's bad
10:41 < reiffert> now your test will succeed but it's a file and not a symbolic link to a block device.
10:42 < hyper_ch> but why would I touch anything in there?
10:42 < reiffert> Maybe it's not you but something/someone else.
10:42 < hyper_ch> who would do that on my computer?
10:42 < reiffert> however, you want to check for a symlink and a block-device? Then do so.
10:43 < hyper_ch> :)
10:43 < hyper_ch> thx for the input :)
10:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:43 < reiffert> Not expecting that someone or something will or can do something does not mean that it will not happen.
10:45 -!- Optic [~Optic@miso.capybara.org] has joined ##openvpn
10:45 < hyper_ch> I just need to make my script anacron safe :)
10:45 < hyper_ch> when I'm at home I don't have the external usb drives plugged in
10:45 < hyper_ch> so I cannot make backups onto them :)
10:47 < reiffert> Do whatever you like, but when testing for something, use the proper special test and not the unspecial one (-e)
10:47 < hyper_ch> I asked in #bash and was told there to use -e
10:48 < hyper_ch> wanna have a look at that backup script?
10:48 < reiffert> sure.
10:51 < reiffert> here is mine: http://pastebin.ca/1842485
10:51 < hyper_ch> reiffert: I already use rsync at home to create backups onto another disk in the computer and use this to create an "off-site" backup at work: http://www.pastebin.ca/1842482
10:52 -!- fanti [~fanti@p5DDF207B.dip.t-dialin.net] has quit [Remote host closed the connection]
10:52 < reiffert> check -S and -H,
10:53 < hyper_ch> -s -h?
10:53 < reiffert> no, -S -H, man rsync
10:53 < reiffert> if target is offline = no backup?
10:53 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 264 seconds]
10:54 < hyper_ch> reiffert: yes
10:54 < reiffert> s,?,!,
10:54 < hyper_ch> if it's offline I can't access it :)
10:54 < reiffert> Then wait until it's online.
10:54 < hyper_ch> well, mostly it's offline when the dynIP changes and hasn't updated dns yet
10:54 < reiffert> or have the vice versa attempt: let it put the backup when its online.
10:55 < reiffert> also check out on incremental backups, see that pastebin link I gave
10:56 < hyper_ch> reiffert: that's the backupdir I use on the homeserver etc.  http://www.pastebin.ca/index.php
10:56 < hyper_ch> it's got incremental snapshot-style backups
10:57 < hyper_ch> using hardlinks :)
10:57 < reiffert> index.php? no.
10:57 < hyper_ch> http://pastebin.ca/1842492
10:58 < reiffert> mysql backups?
10:58 < hyper_ch> sure :)
10:58 < hyper_ch> mysql data also needs to be backed up
10:58 < hyper_ch> you can backup the binaries
10:58 < hyper_ch> but when changes occur in the binary database files while coyping them you can render them useless
10:58 < hyper_ch> hence I do a dump of them
10:59 < reiffert> --add-drop-database
10:59 < hyper_ch> could be added but I don't need it :) if a db is corrupt
11:00 < hyper_ch> then I don't need to drop it by script I'll do it manually
11:00 < reiffert> it helps when migrating.
11:00 < reiffert> so, understood -S and -H by now?
11:00 < hyper_ch> for what command?
11:01 < reiffert> rsync.
11:01 < hyper_ch> yes, I do
11:01 < reiffert> Especially /usr/bin and /bin uses a lot of hardlinks on Linux.
11:02 < hyper_ch> I use -H already (where I need to)
11:02 < hyper_ch> but not really sure what the sparse files are
11:02 -!- Guest56310 [robin@hp1.jaketus.net] has joined ##openvpn
11:02 -!- Guest56310 [robin@hp1.jaketus.net] has quit [Quit: leaving]
11:03 -!- rkantos [robin@hp1.jaketus.net] has joined ##openvpn
11:04 < hyper_ch> and I'm still trying to understand your script
11:05 < rkantos> Anyone have any idea on how to change TAP adapter's network location to home on W7?
11:06 < reiffert> Use a screwdriver?
11:06 < reiffert> Pull it out, put in your bag and reinstall at home?
11:06 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 256 seconds]
11:07 < hyper_ch> so, I have to figure out now how to run anacron :)
11:09 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
11:09 < reiffert> does you script use -z? It's an enormous advantage when using slow links.
11:09 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
11:10 < hyper_ch> -Havz --delete --delete-excluded 
11:10 < reiffert> still no S and X?
11:10 < hyper_ch> you said "H" above :)
11:11 < hyper_ch> and still, I don't get what a sparse file is or how I'd benefit from it
11:11 < reiffert> http://en.wikipedia.org/wiki/Sparse_file
11:11 < hyper_ch> and what are the extended attributes?
11:11 < vpnHelper> Title: Sparse file - Wikipedia, the free encyclopedia (at en.wikipedia.org)
11:11 -!- cityOfLights [~user@95.35.253.77] has joined ##openvpn
11:12 < cityOfLights> hi all
11:12 < reiffert> hyper_ch: extended attributs like Posix Access Controls.
11:12 < hyper_ch> I don't use ACL :)
11:12 < reiffert> hyper_ch: sorry, extended attributes is stuff OS X uses on almost every file.
11:12 < hyper_ch> iieeks :)
11:13 < cityOfLights> can anyone help me with pulling an IP address from dnsmasq?
11:13 < hyper_ch> good that I don't use OS X then :)
11:13 < reiffert> so it's a not a fault using it.
11:13 < rkantos> reiffert: no really, it is messing up the firewall settings
11:14 < rkantos> so then there's no ping or anything else
11:14 < rkantos> windows<3
11:14 < hyper_ch> reiffert: will that re-retrieve all files again?
11:14 < hyper_ch> reiffert: if I add -X?
11:14 < reiffert> rkantos: sorry man, no deeper windows understandings here.
11:14 < reiffert> hyper_ch: no, it wont. Be sure to add -S as well.
11:15 < reiffert> hyper_ch: Sparse files: use 10GB on disk, 1KB effective usage and 9.999GB empty file.
11:15 < reiffert> hyper_ch: without -S: transfer 10GB,  with -S: transfer 1KB
11:15 < cityOfLights> 1. if the server bridge the openvpn device tap0 must the client do the same - use tap0 and a bridge?
11:15 < hyper_ch> reiffert: :) ok
11:15 < hyper_ch> added them now
11:18 < hyper_ch> reiffert: how well do you know anacron?
11:18 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
11:18 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 252 seconds]
11:22 < reiffert> hyper_ch: is it the one made by paul vixie?
11:23 < hyper_ch> cron is the one made by paul vixie
11:23 < hyper_ch> but not sure if he also made anacron
11:23 < reiffert> no manpage for anacron, I'm sorry.
11:23 < reiffert> Guess it works 100% like cron does on the userlevel side?
11:23 < reiffert> or is it that file based stuff like /etc/cron.d/*?
11:23 < hyper_ch> well, cron assumes the computer is always running so it can run its jobs
11:24 < hyper_ch> anacron is based upon checking when a task was run last and if necessary run it at belated if for some reasons it couldn't be run on time
11:24 < reiffert> just never put your computer off then.
11:25 < hyper_ch> well, it's a notebook here that I carry with me
11:25 < hyper_ch> and not always have internet access
11:31 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Read error: Connection reset by peer]
11:32 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
11:40 -!- agagag [~anton@royalrabbit.goto10.org] has quit [Quit: leaving]
11:47 -!- cityOfLights [~user@95.35.253.77] has quit [Ping timeout: 245 seconds]
11:50 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
11:51 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
12:04 -!- Coldie [~twisted.s@gerli.vkhk.ee] has joined ##openvpn
12:05 < Coldie> helloworld. Is it possible to nat all traffic from vpn client to wan via ipfw+natd?
12:06 -!- macsppadic [~sonupunno@82.109.74.162] has left ##openvpn []
12:09 < Coldie> !welcome
12:09 < vpnHelper> Coldie: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:10 < Coldie> !redirect
12:10 < vpnHelper> Coldie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:10 -!- Blues-Man [~bluesman@host246-119-dynamic.246-95-r.retail.telecomitalia.it] has joined ##openvpn
12:11 < Coldie> !def1
12:11 < vpnHelper> Coldie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
12:12 < Coldie> !man
12:12 < vpnHelper> Coldie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
12:23 < |Mike|> Coldie: you found def1 ;)
12:29 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Quit: Leaving]
12:33 < Visual`> !routes
12:33 < vpnHelper> Visual`: Error: "routes" is not a valid command.
12:33 < Visual`> !route
12:33 < vpnHelper> Visual`: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:34 < Visual`> !ipforward
12:34 < vpnHelper> Visual`: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
12:34 < Visual`> !fbsdipforward
12:34 < vpnHelper> Visual`: "fbsdipforward" is is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
12:35 < Visual`> and open? :D
12:35 < ecrist> Visual`: !factoids
12:35 < Visual`> apologies
12:35 < Visual`> i'll use the vpnHelper in priv
12:36 < ecrist> no, I'm just saying, there's a webpage with all of them
12:36 < ecrist> !factoids
12:36 < vpnHelper> ecrist: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
12:36 < Visual`> ecrist: tks
12:40 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
12:44 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
12:45 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 256 seconds]
12:53 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
12:57 -!- kyrix [~ashley@77.117.221.103.wireless.dyn.drei.com] has joined ##openvpn
13:13 -!- Blues-Man [~bluesman@host246-119-dynamic.246-95-r.retail.telecomitalia.it] has quit [Ping timeout: 248 seconds]
13:18 -!- Blues-Man [~bluesman@host246-119-dynamic.246-95-r.retail.telecomitalia.it] has joined ##openvpn
13:31 -!- Blues-Man [~bluesman@host246-119-dynamic.246-95-r.retail.telecomitalia.it] has quit [Quit: Sto andando via]
14:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
14:21 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
14:34 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:36 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
14:59 -!- dazo is now known as dazo_afk
15:20 -!- slb_ [~nada@ool-4354b092.dyn.optonline.net] has joined ##openvpn
15:23 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
15:28 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
15:31 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
15:32 < DarthGandalf> !welcome
15:32 < vpnHelper> DarthGandalf: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:33 < DarthGandalf> !configs
15:33 < vpnHelper> DarthGandalf: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
15:33 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
15:33 < DarthGandalf> !howto
15:33 < vpnHelper> DarthGandalf: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:35 < DarthGandalf> Hi, how to set arbitrary name for new interface on linux instead of tun0/tun1 ?
15:35 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
15:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
15:52 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 276 seconds]
16:04 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
16:23 < slb_> i have followed the howto and faq to the letter but when i try to run bridge-start i completely lose my internet and i have no idea why
16:23 < slb_> as far as i know all my settings are correct
16:33 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
16:34 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 264 seconds]
16:34 < agagag> DarthGandalf: use dev and dev-type
16:38 < DarthGandalf> Thanks, agagag!
16:44 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
17:03 -!- LobbyZ [~default@188.72.255.194] has quit [Remote host closed the connection]
17:10 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:18 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
17:19 -!- kyrix [~ashley@77.117.221.103.wireless.dyn.drei.com] has quit [Ping timeout: 248 seconds]
17:24 -!- Coldie [~twisted.s@gerli.vkhk.ee] has quit [Ping timeout: 258 seconds]
17:25 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
17:33 -!- stephenh [~stephenh@94-23-158-103.kimsufi.com] has quit [Ping timeout: 260 seconds]
17:33 -!- stephenh [~stephenh@94-23-158-103.kimsufi.com] has joined ##openvpn
17:38 -!- sgn [~someone@48.81-167-171.customer.lyse.net] has joined ##openvpn
17:39 < sgn> Can anyone recommend a US-based vpn provider?
17:42 < reiffert> http://www.google.de/search?q=openvpn+provider+us
17:42 < vpnHelper> Title: openvpn provider us - Google-Suche (at www.google.de)
17:44 < sgn> Yeah, I know and I did. Just asking if anyone has had dealings with any of the providers and were able to recommend one :)
17:47 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Ping timeout: 256 seconds]
17:48 -!- Blu3 [~David@BlueLabs/Blu3] has quit [Ping timeout: 268 seconds]
17:48 -!- Blu3 [~David@FirefighterBlu3-2-pt.tunnel.tserv15.lax1.ipv6.he.net] has joined ##openvpn
17:48 -!- Blu3 [~David@FirefighterBlu3-2-pt.tunnel.tserv15.lax1.ipv6.he.net] has quit [Changing host]
17:48 -!- Blu3 [~David@BlueLabs/Blu3] has joined ##openvpn
17:50 -!- jeffl [coz@teledojo.com] has quit [Ping timeout: 256 seconds]
17:50 -!- jeffl [coz@teledojo.com] has joined ##openvpn
17:51 -!- slb_ [~nada@ool-4354b092.dyn.optonline.net] has quit []
17:52 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
17:53 -!- smerz [~daniel@smerz.demon.nl] has quit [Remote host closed the connection]
17:57 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Ping timeout: 256 seconds]
17:58 -!- rkantos [robin@hp1.jaketus.net] has quit [Ping timeout: 256 seconds]
17:59 -!- rkantos [robin@hp1.jaketus.net] has joined ##openvpn
17:59 -!- sgn [~someone@48.81-167-171.customer.lyse.net] has quit [Quit: ...]
18:00 -!- dxtr [dexter@unaffiliated/dxtr] has quit [Ping timeout: 256 seconds]
18:00 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
18:00 -!- dxtr [dexter@dxtr.cc] has joined ##openvpn
18:00 -!- dxtr [dexter@dxtr.cc] has quit [Changing host]
18:00 -!- dxtr [dexter@unaffiliated/dxtr] has joined ##openvpn
18:01 -!- slb_ [~nada@ool-4354b092.dyn.optonline.net] has joined ##openvpn
18:15 -!- kyrix [~ashley@77.118.182.140.wireless.dyn.drei.com] has joined ##openvpn
18:15 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 256 seconds]
18:19 < slb_> i have my bridge setup and everything and i can connect to openvpn from my laptop which is osx however i can not access my local web server by name as i have a local dns set up, what do i need to alter in order to do that?
18:19 < slb_> or have that work rather
18:20 -!- fremo__ [~fremo@noc.toile-libre.net] has quit [Read error: Connection reset by peer]
18:20 -!- fremo__ [~fremo@noc.toile-libre.net] has joined ##openvpn
18:23 -!- kyrix [~ashley@77.118.182.140.wireless.dyn.drei.com] has quit [Ping timeout: 246 seconds]
18:26 < slb_> i guess teh dhcp push works for osx also
18:27 < slb_> i thoguht it was only for win
18:52 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
19:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
19:40 < krzie> it works in osx / unix as well
19:40 < krzie> but for those you must use an up script to pull out those dhcp options
19:41 < krzie> and apply them as needed
19:44 -!- tjz [~pc@bb121-7-103-148.singnet.com.sg] has joined ##openvpn
19:44 -!- tjz [~pc@bb121-7-103-148.singnet.com.sg] has quit [Changing host]
19:44 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
19:58 < krzie> or you could just put that single host entry into your hosts file
19:58 < krzie> if thats the only reason you need the other NS
20:22 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
21:02 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Quit: Quitte]
21:35 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
22:08 -!- Bushmills1 [~Bushmills@scarydevilmonastery.net] has joined ##openvpn
22:08 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has quit [Disconnected by services]
22:08 -!- Bushmills1 is now known as Bushmills
22:23 -!- joh_ [johannj@caracal.stud.ntnu.no] has joined ##openvpn
22:23 -!- rkantos_ [robin@hp1.jaketus.net] has joined ##openvpn
22:27 -!- Sorcier_` [~Sorcier_F@rps2660.ovh.net] has joined ##openvpn
22:28 -!- Sorcier_FXK [~Sorcier_F@rps2660.ovh.net] has quit [Disconnected by services]
22:29 -!- Sorcier_` is now known as Sorcier_FXK
22:29 -!- Sorcier_FXK [~Sorcier_F@rps2660.ovh.net] has quit [Changing host]
22:29 -!- Sorcier_FXK [~Sorcier_F@unaffiliated/sorcierfxk] has joined ##openvpn
22:31 -!- Netsplit *.net <-> *.split quits: rkantos, kreg, joh
22:32 -!- Netsplit over, joins: kreg
22:59 -!- dextro_ [~dex@173.183.43.243] has joined ##openvpn
23:04 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 258 seconds]
23:09 -!- slb_ [~nada@ool-4354b092.dyn.optonline.net] has quit []
23:18 -!- salax [~salax@219.95.96.90] has quit [Quit: WeeChat 0.2.6]
23:30 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:48 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
--- Day changed Wed Mar 17 2010
01:06 -!- Coldie [~twisted.s@gerli.vkhk.ee] has joined ##openvpn
01:14 -!- AntoineBk [~Antoine@188.165.75.17] has quit [Ping timeout: 260 seconds]
01:14 -!- AntoineBk [~Antoine@188.165.75.17] has joined ##openvpn
01:33 -!- Coldie [~twisted.s@gerli.vkhk.ee] has quit []
02:06 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
02:09 -!- mape2k [~mape2k@2001:6f8:997:1000:21e:37ff:fe90:fbfd] has joined ##openvpn
02:12 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
02:14 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:14 -!- mode/##openvpn [+o mattock] by ChanServ
02:23 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
02:25 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
02:39 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
02:52 -!- Steak__ [~alex@fire.perspectix.com] has quit [Quit: Leaving]
02:52 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:52 -!- mode/##openvpn [+o mattock] by ChanServ
02:54 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
03:06 -!- marceloa__ [~marceloa@95.211.21.34] has joined ##openvpn
03:06 < marceloa__> how does openvpn handle fragmantation with UDP
03:08 -!- cityOfLights [~user@p11811120.orange.net.il] has joined ##openvpn
03:10 < cityOfLights> can anyone help me with giving a client an ip using my dnsmasq?
03:10 -!- marceloa__ is now known as zxd_
03:22 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.8/20100214235958]]
03:51 -!- Blu3 [~David@BlueLabs/Blu3] has quit [Excess Flood]
03:54 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
03:56 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
03:59 -!- Blu3 [~David@FirefighterBlu3-2-pt.tunnel.tserv15.lax1.ipv6.he.net] has joined ##openvpn
03:59 -!- Blu3 [~David@FirefighterBlu3-2-pt.tunnel.tserv15.lax1.ipv6.he.net] has quit [Changing host]
03:59 -!- Blu3 [~David@BlueLabs/Blu3] has joined ##openvpn
04:11 -!- master_of_master [~master_of@p57B56D57.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
04:13 -!- master_of_master [~master_of@p57B5672B.dip.t-dialin.net] has joined ##openvpn
04:15 < cityOfLights> hi all
04:16 < cityOfLights> can anyone assist me with serving out dhcp over the vpn?
04:16 < cityOfLights> I thought I could use my dnsmasq lan server
04:35 -!- mario__ [~mario@projekte.imos.net] has joined ##openvpn
04:35 < mario__> Hello!
04:35 < mario__> i have a network behind a client and i want to reach this network from my vpn server
04:36 < mario__> i read that i need ccd and in its client-file the "route xxx.xxx.xxx.xxx 255.255.255.0" option
04:36 < mario__> however, i get: Options error: option 'route' cannot be used in this context
04:43 < mario__> anyone?
04:59 < |Mike|> !iroute
04:59 < vpnHelper> |Mike|: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
05:03 < mario__> |Mike|, so i need iroute?!
05:04 < mario__> in the ccd client file
05:04 < mario__> this is mynetwork/setup: http://i41.tinypic.com/14k8cva.gif
05:05 < |Mike|> internal route <-- so yes :)
05:06 < mario__> and then i have to set my route manually ?
05:07 < mario__> i my case: route add -net 192.168.2.0/24 gw 10.8.0.2
05:13 < mario__> since i get: # route  add -net 192.168.2.0/24 gw 10.8.0.2
05:13 < mario__> SIOCADDRT: Network is unreachable
05:13 < mario__> but i can ping 10.8.0.2
05:14 < mario__> ah! I think i got it...
05:18 < mario__> |Mike|, where do i bet put the manual roud add command?
05:20 -!- mape2k [~mape2k@2001:6f8:997:1000:21e:37ff:fe90:fbfd] has quit [Ping timeout: 268 seconds]
05:26 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
05:29 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
05:35 < |Mike|> !route
05:35 < vpnHelper> |Mike|: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
05:36 -!- mape2k [~mape2k@p5B287C1D.dip.t-dialin.net] has joined ##openvpn
05:39 -!- tjz [~pc@bb116-14-94-13.singnet.com.sg] has joined ##openvpn
05:39 -!- tjz [~pc@bb116-14-94-13.singnet.com.sg] has quit [Changing host]
05:39 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
05:44 -!- takamichi [~pri@213.163.66.192] has quit [Ping timeout: 240 seconds]
05:45 -!- takamichi [~pri@213.163.66.192] has joined ##openvpn
05:48 -!- joh_ is now known as joh
05:49 -!- joh [johannj@caracal.stud.ntnu.no] has left ##openvpn []
05:52 -!- Thuuugs [~sdanaksn@ppp118-208-189-77.lns20.bne4.internode.on.net] has joined ##openvpn
05:53 -!- cityOfLights [~user@p11811120.orange.net.il] has quit [Quit: Leaving]
05:53 < Thuuugs> Was in here not to long ago, and someone was kindly helping me - we concluded it must of been an issue with Windows 7 - however found a XP Machine to test on and still no go
05:54 < Thuuugs> Client Conf: http://pastebin.com/7S7E4wZj   Server Conf: http://pastebin.com/ighib8J1     Client Log: http://pastie.org/private/z63sgjitsrmybhpx7xrtuw    Server Log: http://pastebin.com/DWhVjEqc
05:54 < Thuuugs> Any help would be greatly appreicated
05:57 -!- hoonches [~user@c-71-234-165-17.hsd1.ct.comcast.net] has joined ##openvpn
05:58 < hoonches> how do you save your username and password in ubuntu, so that it automatically enters it when the prompt comes up in a .OVPN file?
05:59 -!- cityLights [~cityLight@bzq-84-111-46-151.red.bezeqint.net] has joined ##openvpn
06:01 < cityLights> hi all, I am still trying to fix this: I want dnsmasq to give out DHCP to openvpn clents, I still dont see how to do it in google
06:01 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
06:01 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
06:02 < cityLights> allready read the openvpn faq . there it only say : The one complexity about this configuration is that you need to modify your DHCP server configuration to differentiate between local clients and VPN clients.
06:02 < cityLights> but I am missing how to actually do this
06:06 -!- hoonches [~user@c-71-234-165-17.hsd1.ct.comcast.net] has quit [Ping timeout: 245 seconds]
06:23 -!- hoonches [~user@212.117.162.194] has joined ##openvpn
06:26 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:38 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
06:49 -!- hoonches [~user@212.117.162.194] has quit [Ping timeout: 256 seconds]
06:55 -!- hoonches [~user@c-71-234-165-17.hsd1.ct.comcast.net] has joined ##openvpn
06:59 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
07:01 -!- hoonches [~user@c-71-234-165-17.hsd1.ct.comcast.net] has quit [Ping timeout: 245 seconds]
07:14 < ecrist> good morning kids
07:17 -!- hoonches [~user@212.117.165.197] has joined ##openvpn
07:17 < reiffert> Hi dad, gonna pay me the latest iphone for me, pleeeeaaasssee
07:22 < |Mike|> "NO!"
07:24 < reiffert> Look, it's snowing outside (grabbing the credit card)
07:26 < cityLights> ha?
07:27 < cityLights> ok, can anyone help me understand dhcp a bit?
07:27 < cityLights> I mean I tought I got it
07:28 < cityLights> on the server I am using bridging mode
07:28 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
07:28 < cityLights> same host also runs dnsmasq - so this dhcp should also supply address to the clients
07:32 < rob0> It's a major issue on the openvpn-devel mailing list the past couple of weeks.
07:32 < cityLights> rob0: me?
07:33 -!- dazo_afk is now known as dazo
07:34 < rob0> Either that or dads buying iphones.
07:35 < |Mike|> i guess it was dazo
07:37  * dazo runs and hides
07:37 < rob0> I thought I was taking an interest in that issue, until I remembered that I have no interest in bridging, therefore no need to help make it work for people who can't configure it. :)
07:38 < theDoc> brr, sure is cold in here.
07:38 < theDoc> Why the hell do people love to turn the aircons down till it feels like siberia.
07:38 < dazo> cityLights:  what kind of openvpn clients do you have?
07:38 < cityLights> thanks dazo
07:38 < |Mike|> theDoc: for the female which don't wear a bra :p
07:38 < cityLights> I am running a client from a nokia N900 - maemo
07:39 < dazo> nice! :)
07:39 < cityLights> I just dont get an IP address there
07:39 < theDoc> |Mike|> Do you get an intense urge to flick those nipples?
07:39 < cityLights> but the logs reflact that connection is established
07:39 < dazo> cityLights:  you need to run a DHCP client on the N900 when the openvpn connection is established .... should be doable via the --up script hook
07:40 < Thuuugs> Was in here not to long ago, and someone was kindly helping me - we concluded it must of been an issue with Windows 7 - however found a XP Machine to test on and still no go
07:40 < Thuuugs> Client Conf: http://pastebin.com/7S7E4wZj   Server Conf: http://pastebin.com/ighib8J1     Client Log: http://pastie.org/private/z63sgjitsrmybhpx7xrtuw    Server Log: http://pastebin.com/DWhVjEqc
07:40 < cityLights> does it have to do with me using bridgin mode on the server?
07:40 < dazo> cityLights:  OpenVPN does not do any DHCP client trickery at all nowadays .... it's been discussed on -devel mailing list if/how to do this .... and some of us there are leaning towards implementing a simple DHCP client into openvpn .... but the discussion is not completely closed yet
07:41 < cityLights> OH finnaly a good answer
07:41 < cityLights> thanks
07:41 < dazo> cityLights:  to use an external DHCP server, this is needed .... then you do bridging and have a DHCP server responding to DHCP clients over the VPN
07:41 < cityLights> o
07:42 < dazo> cityLights:  if you're letting the OpenVPN server provide the IP addresses, the OpenVPN client will be able to pick it up automatically and configure the IP address itself
07:42 < cityLights> dazo: I having searching and searching about this
07:42 < cityLights> dazo, let me ask you this
07:42 < dazo> cityLights:  yeah, it's not much info about it ... but I've noticed more often people do ask about it lately
07:43 < cityLights> in my home I got one LAN and another in my folks home
07:44 < cityLights> I connect them using openvpn, so I can remote control some pcs there
07:44 < cityLights> now in both sites the gateways serve dhcp to their lan.
07:45 < dazo> (which, initially, is a recommended way how to do it)
07:45 < cityLights> at the folks home I have a client connect to my home. when a laptop on the folks site powers on it , may get an IP address from my home dhcp
07:46 < cityLights> is this in order?
07:46 < cityLights> I mean I want hosts in the folks home to get dhcp from the folks gateway not my remote dhcp
07:47 < cityLights> must I use ebtables to block this?
07:47 < dazo> That is really recommended way.  You can just block UDP traffic on port 67 and 68 in both directions, to avoid "leaking" DHCP client requests across networks
07:48 < dazo> cityLights:  but why do you initially do bridging?  For me it sounds like a standard routed network is what you need
07:48 < dazo> !route
07:48 < vpnHelper> dazo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:48 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
07:48 < rob0> See what I mean? :)
07:48 -!- ||arifaX [~ContikiC6@inetpop1.witron.de] has joined ##openvpn
07:48 -!- ||arifaX [~ContikiC6@inetpop1.witron.de] has quit [Changing host]
07:48 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has joined ##openvpn
07:49 < dazo> (this article covers some other topics mainly, but it will provide some good info for you as well)
07:49 < cityLights> dazo: yes I allready used routing which was fine except it doesnt support upnp and avahi
07:49 < rob0> Perhaps this DHCP problem can be solved, but what good does the solution do?
07:49 < rob0> !tap
07:49 < vpnHelper> rob0: "tap" is "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything
07:49 < vpnHelper> rob0: where the protocol uses MAC addresses instead of IP addresses.
07:50 < cityLights> dazo: ok, let me ask this
07:50 < dazo> cityLights:  aha! well, I have little experience with upnp and avahi, in general (I always turn such things off ... I know what I want and how to do it myself, I don't need that help :-P)
07:51 < cityLights> assuming I block dhcp request between the two sites, can I still accept a road warrior laptop?
07:52 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
07:52 < dazo> cityLights:  yeah ... but then you need to block that traffic on the client side, not the server side ... or else, you'll block the roadwarrior as well
07:52 < cityLights> I mean , can I still use my home dhcp (dnsmasq) to give out IP to the N900 connection via 3G?
07:52 < cityLights> EXACTLY
07:52 < cityLights> wow , it is so good to finally meet some one how actually understand this
07:52 < cityLights> sorry
07:53 < dazo> cityLights:  wow!  I'm good at cheating today! :-P
07:53 < cityLights> ok so here is the ebtables I started with 
07:53 < cityLights> ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
07:54 < cityLights> so I cant be running it on the home openvpn server 
07:54 < dazo> iptables on the tap interface should be more than enough ... no need to bring ebtables into this, probably easier to follow
07:54 < cityLights> else it will never hand out DHCP
07:54 < reiffert> ebtables working for bridges.
07:54 < reiffert> iptables is not.
07:54 < cityLights> dazo: how?
07:55 < dazo> ebtables digs deeper down in the OSI stack, while iptables lays on the IP layer .... iptables should be sufficient 
07:55 < dazo> iptables -o tap0 -p udp --sport 67:68 --dport 67:68 -j DROP
07:56 < reiffert> blocking dhcp requests from one side of the net getting to the other side might be relevant.
07:56 < rob0> Actually I think a DHCP server uses raw sockets, which, due to an obscure netfilter bug, cannot be controlled by iptables.
07:56 < dazo> iptables -I OUTPUT -o tap0 -p udp --sport 67:68 --dport 67:68 -j DROP
07:56 < reiffert> dazo: forget about it.
07:56 < reiffert> dazo: ebtables or fail.
07:57 < dazo> reiffert:  if you say so ... I've not done bridging as much ... I just blocked a lot of other stuff directly on TAP devices in other setups
07:57 < cityLights> reiffert: pls explain why it wont work, I would also rather block it in IP level
07:57 < dazo> reiffert:  could it be a difference if you do the filtering on the DHCP client side vs server side?
07:57 < reiffert> I have had lots of fun not using ebtables.
07:58 < cityLights> ha?
07:58 < reiffert> do filtering on the bridge.
07:58 < cityLights> which one?
07:58 < reiffert> for what purpose?
07:58 < cityLights> server side or lan in folks home
07:58 < cityLights> I actually got a bridge in each site
07:58 < reiffert> server side, you cant really control whats going on at road warriors.
07:59 < rob0> With CONFIG_BRIDGE_NETFILTER=y you might make that work, or you might not. Try it and see. But there really is a problem with netfilter and DHCP.
07:59 < cityLights> so you want me to block dhcp requests coming from the folks home gateway?
07:59 < reiffert> rob0: it's by design. netfilter no ethernet frames.
07:59 < reiffert> cityLights: it really depends on what you are trying to achieve.
08:00 < reiffert> cityLights: hand an IP to the openvpn client? Yes. Hand an IP to other computers in the clients LAN? No.
08:00 < rob0> um, not exactly, no, are you not familiar with CONFIG_BRIDGE_NETFILTER? There are some things which iptables can do in layer 2.
08:00 < cityLights> I want my mobile host to connect using 3g and get an dhcp answer from my home server which runs the openvpn server
08:01 < reiffert> rob0: no, I always use ebtables when it comes to bridges. ebtables is made for this, eh?
08:01 < rob0> yes
08:01 < cityLights> I also want the client gateway from my folks site to have layer 2 connection to the home lan
08:02 < rob0> But this particular issue all comes down to the "why bridge?" question.
08:02 < dazo> cityLights:  actually ... you might trample into a trap now ... when you do bridging .... when I think once more about it
08:02 < cityLights> right - but how can ebtales distinguish from where the requests are coming?
08:02 < dazo> rob0:  to make avahi and upnp work easily
08:02 < rob0> yuck :)
08:03 < reiffert> cityLights: think about using hamachi, working stuff, GUI, bridging.
08:03 < cityLights> avahi is truly magic
08:03 < cityLights> google: what is hamachi ...
08:03 -!- thm [d1c812c22b@fedora/thm] has joined ##openvpn
08:03 < rob0> Zeroconf is fine in simple networks. VPNs are by definition not simple.
08:04 < cityLights> minute
08:04  * dazo is not convinced having boxes on a network screaming out "Here am I, my name is XXXX and I have service X, Y, Z available for YOU!!!!  Come and abuse me!!!" .....
08:04 < cityLights> I mean you already told me how to do this - right?
08:04 < cityLights> let me recap here
08:05 < thm> hi. I'm trying to operate openvpn over vpnc, which seemed to work at first, but is really instable (i.e. an ssh connection hangs very soon)
08:05 < thm> could this be an mtu issue?
08:05 < cityLights> if I use bridging on the server - must I use it also on the client ?(NO/yes)
08:05 < reiffert> dazo: the concept works for LANs quite well.
08:05 < reiffert> dazo: see those apple users, no idea what they are doing, but it just works. as it should for users, to my eyes.
08:05 < dazo> reiffert:  it's many concepts which works well .... but how clever is it in reality, if you also consider security ;-)
08:05 < dazo> reiffert:  exactly!
08:06 < cityLights> but openvpn takes care of security - right?
08:06 < reiffert> dazo: tell a user about ip addresses, URI like afp:// smb:// whatever:// and he will stop listening after "IP"
08:06  * dazo don't like users who don't understand what they are doing .... it's like entering a car and begin driving without having learned how to drive
08:06 < reiffert> dazo: no. thats wrong.
08:06 < reiffert> dazo: it's driving a car without knowing how to replace the engine.
08:07 < cityLights> guys
08:07 < cityLights> (girls?)
08:07 < reiffert> dazo: let's not dig into this any further.
08:07 < dazo> agreed!
08:07 < cityLights> can you pls answer my last questin
08:08 < cityLights> I just didnt find an answer for it - even though it seems obvius to me
08:08 < reiffert> cityLights: girls? maybe.
08:08 < cityLights> no 
08:08 < cityLights> I mean
08:08 < reiffert> no? I'm fine.
08:08 < dazo> cityLights:  openvpn do not take care of security other than to authenticate users connecting ... when begin connected, it does not care much what passes of the tun/tap devices ... that's the firewall's task
08:08 < cityLights> errrr
08:08 < reiffert> cityLights: openvpn: tun: layer 3, routing
08:08 < dazo> openvpn is kind of like a "network cable" between two networks
08:09 < reiffert> cityLights: openvpn: tap: layer 2, briding
08:09 < reiffert> dazo: when talking about a network cable you are referring to anything special like ethernet or routing concepts?
08:09 < cityLights> so I can use tun on the client while the server uses tap?
08:09 < reiffert> cityLights: no.
08:09 < cityLights> thanks
08:09 < cityLights> this is importent
08:09 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
08:09 < dazo> reiffert:  no, I was purely on the metaphoric concept level .... not going deep now
08:10 < reiffert> cityLights: on top of that: On windows the openvpn adapter is called tap. no matter if used in bridging or routing setup.
08:10 < cityLights> I dont care for windows
08:10 < reiffert> dazo: metaphoric concept levels are somewhat more complicated when they mix up thing. "Network Cable" is close to layer 2 for me.
08:10 < dazo> reiffert:  that's almost like Linux ... where the TAP device is available from the tun driver ;-)
08:10 < dazo> reiffert:  agreed!
08:11 < cityLights> ok, so this is my problem
08:11 < thm> anyone an idea, or a pointer for further reading on the openvpn-over-vpnc issue?
08:11 < cityLights> as dazo told me - I need to issue a dhcp request on the N900 to get an IP address
08:12 < cityLights> as it connects only on layer 2
08:12 < reiffert> thm: vpnc is what exactly?
08:12 < cityLights> so please explain why I see this message:
08:12 < dazo> thm:  I've managed to make vpnc-over-openvpn work, but never the other way around .... vpnc messes up the routing table and /etc/resolv.conf without caring about other VPNs .... at least that's my experience
08:12 < reiffert> thm: openvpn does not talk to cisco.
08:12 < dazo> vpnc is a open source cisco VPN client
08:13 < thm> dazo: it works at first
08:13 < reiffert> thm: but anyprotocol _over_ another it's just basic routing and briding. they dont interfere.
08:13 < dazo> thm:  yeah ... and then it breaks .... that's what I also found out ;-)
08:13 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
08:13 < reiffert> it breaks? why is that?
08:13 < thm> dazo: I suspect somethings odd with mtus
08:14 < cityLights> Wed Mar 17 15:13:55 2010 MULTI: no dynamic or static remote --ifconfig address is available for
08:14 < dazo> reiffert:  not the tunnelled stuff ... but the rest ... configuration of routes, resolvers, tun/tap devices etc ... that's the trouble
08:14 < thm> reiffert: I can make an ssh connection, but when I do ls in a full dir, connection stops in between
08:14 < reiffert> dazo: sounds like when vpnc in userland tries to enforce stuff?
08:14 < cityLights> reiffert: why do I see this message
08:15 < dazo> cityLights:  when doing bridging, and using a LAN DHCP server .... you need to start a dhcp client on your N900 .
08:15 < dazo> reiffert:  that's right
08:15 < reiffert> cityLights: guess most probably because you misconfigured something.
08:15 < dazo> and it's not too clever, even
08:17 < thm> dazo: point is, I cannot connect to the company's openvpn server without using vpnc, where I am currently :(
08:17 < cityLights> getting them config files in pastebin
08:17 -!- dunc_ [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
08:17 < dazo> cityLights:  on the N900 after having made OpenVPN start .... try running something like /sbin/udhcpc -i tap0 -s /etc/udhcpc/libicd_network_ipv4.script 
08:18 < cityLights> wow, THANKS mate
08:18 < dazo> cityLights:  I've not tried it ... but it's a pointer to the direction you might need to go 
08:18 < reiffert> dazo: you are typing two spaces after that ':' on irc
08:19 < cityLights> err...
08:19 < dazo> cityLights:  the reason DHCP over TAP devices + bridging with OpenVPN documentation is lacking ... is that not many really tries/does it .... so you're a little bit on your own ... so expect a lot of failures before you'll succeed 
08:19 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 256 seconds]
08:19 < |Mike|> Uch, nagios is a bitch to set up
08:20 -!- hoonches [~user@212.117.165.197] has quit [Ping timeout: 245 seconds]
08:20 < dazo> reiffert:  ??
08:20 < reiffert>  < dazo> reiffert:  ??
08:20 < reiffert> reiffert:  <-- two spaces
08:20 < dazo> ahh
08:20 < dazo> I haven't noticed
08:20  * dazo checks his irc client
08:21 < cityLights> dazo: I am willing to write this
08:21 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
08:21 < dazo> cityLights: please do!  if you're nice enough, you could put it up on our wiki as well
08:21 < dazo> !wiki
08:21 < vpnHelper> dazo: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
08:22 < dazo> (it'll move to an official openvpn wiki with time ... but it's not quite there yet :))
08:22 -!- LobbyZ [~default@188.72.255.194] has quit [Ping timeout: 252 seconds]
08:26 < thm> dazo: just for the record: setting a lower mtu for tun1 seems to help
08:26 < reiffert> even though vpnc uses GRE?
08:26 < thm> I have no clue what GRE is?
08:26 -!- Deepy [~deepy@wrongplanet/deepa] has quit [Read error: Connection reset by peer]
08:27 < reiffert> A protocol made to prevent conflicts when tunnling udp and/or tcp over a tun and/or tcp layer.
08:27 < cityLights> dazo: client config http://dpaste.com/172879/
08:27 < reiffert> so that you dont run into MTU problems.
08:27 < reiffert> http://en.wikipedia.org/wiki/Generic_Routing_Encapsulation
08:27 < vpnHelper> Title: Generic Routing Encapsulation - Wikipedia, the free encyclopedia (at en.wikipedia.org)
08:27 < thm> reiffert: hm. doesn't seem to work in my tunnel-in-tunnel scenario
08:27 < reiffert> Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocol packet types inside IP tunnels, creating a virtual point-to-point link to various brands of routers at remote points over an Internet Protocol (IP) internetwork.
08:28 < rob0> GRE is the transport layer used by PPTP
08:29 < reiffert> rob0: when not using ... lemme look that up.
08:29 < rob0> (Not that anyone here does, nor should, care.)
08:29 < reiffert> L2TP that is.
08:29 < cityLights> reiffert: server file: http://dpaste.com/172882/
08:30 < reiffert> "line"?
08:31 < cityLights> in line I mean I removed /path/to/file
08:31 < cityLights> sorry 
08:31 < cityLights> but communication is established
08:31 < reiffert> looks ok then.
08:31 < cityLights> I am sure
08:31 < reiffert> I'm not.
08:31 < cityLights> logs?
08:32 < reiffert> "logs?"?
08:32 < cityLights> I mean -- I dont want to post sensative info here
08:32 < reiffert> like the name of your certificate..
08:32 < cityLights> should I prove that I can establish connection but dont get an IP address
08:32 < cityLights> ?
08:32 < dazo> cityLights: This is wrong .... 
08:32 < dazo> log         /var/log/openvpn.log
08:32 < dazo> log-append  /var/log/openvpn.log
08:33 < dazo> cityLights: use just one of them
08:33 < cityLights> dazo: should they be named diffrent?
08:33 < reiffert> cityLights: server: brctl show; iptables -v -n -L; ebtables -v -n -L
08:33 < cityLights> o
08:33 < cityLights> sorry
08:34 < dazo> cityLights: "esolv-retry infinite" ..... try "resolv-retry infinite"
08:34 < cityLights> reiffert: II sir
08:34 < dazo> cityLights: ca line, cert line, key line .... I hope 'line' refers to different files ....
08:35 < cityLights> ovcourse
08:35 < dazo> good :)
08:36 < cityLights> min pls
08:38 < dazo> cityLights: generally ... it looks good .... on your N900 you can wrap little udhcpd line into a script, make it runnable and call this script via a 'up <script>' line in the client config
08:38 < reiffert> and route -n while beeing here.
08:38 < reiffert> let's see how many faults he implants by removing "secrets"
08:38 < cityLights>   brctl show>/tmp/txt; iptables -v -n -L>>/tmp/log; ebtables  -L >>/tmp/log     http://dpaste.com/172893/
08:38  * dazo hands things over to reifert :)
08:39 < cityLights> but
08:39 < cityLights> dazo you where very kind
08:39 < reiffert> rude /me raises the problem mirror and hands cityLights back to dazo ;)
08:39 < dazo> cityLights: no prob :)   I just gotta run doing some work I'm paid to do as well ;-)
08:40 < dazo> reiffert: heh
08:40 < dazo> reiffert: my deflection shield is still stronger :-P
08:40 < reiffert> brctl show is missing
08:40 < cityLights>  reiffert: sorry for this last remark
08:40 < cityLights> I didnt mean to be rude
08:40 < reiffert> cityLights: no problem here, I'm fine.
08:40 < cityLights> I am learning no so much
08:41 < reiffert> when seeing this firewall only one thought comes to mind? It does not work? It's your fault.
08:41 < cityLights> firewall?
08:41 < |Mike|> TOPIC ! :P
08:42 < reiffert> cityLights: firewall. this stuff that comes out when typing iptables -v -n -L
08:45 < cityLights> right - I think that after requesting dhcp on the N900 I will be ok
08:45 < |Mike|> reiffert: use ferm :)
08:45 < reiffert> brctl show
08:45 < cityLights> thanks for all your help
08:45 < reiffert> still missing.
08:46 < cityLights> oh right
08:46 < cityLights> sorry
08:46 -!- thm [d1c812c22b@fedora/thm] has left ##openvpn []
08:46 < reiffert> |Mike|: ferm?
08:46 < reiffert> a generic "I dont need no firefall"-firewall remover?
08:46 < |Mike|> ferm, pronounced "firm", stands for "For Easy Rule Making".
08:46 < cityLights> brctl show http://dpaste.com/172899/
08:47 < reiffert> cityLights: good. tap adapter lists up fine there.
08:47 < reiffert> cityLights: be sure to make dhcp-server listen on br0 interface. see dhcp request coming in with tcpdump -n -i br0 
08:47 < reiffert> or -i tap0
08:47 < cityLights> route -n : http://dpaste.com/172900/
08:48 < reiffert> route is fine.
08:48 < cityLights> right
08:48 < reiffert> I know your gateway now...
08:48 < cityLights> ok, I shell test and come back tommorow if I see more isuues
08:48 < cityLights> must go soon
08:49 < cityLights> thanks for your time and help
08:49 < reiffert> welcome and good luck
08:49 < cityLights> seems patience here does pay off
08:49 -!- sno [~sno@static.153.209.46.78.clients.your-server.de] has quit [Ping timeout: 246 seconds]
08:49 < |Mike|> reiffert: http://pastie.org/873755
08:49 < |Mike|> say no to idiotic iptables syntax, use ferm! :D
08:50 -!- sno [~sno@85-10-202-144.clients.your-server.de] has joined ##openvpn
08:56 -!- CaBa [caba@unique-inter.net] has joined ##openvpn
08:56 < CaBa> hi
08:57 < CaBa> is the --up command called before the ip connection to the openvpn server is made?
08:57 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
08:58 < reiffert> lets ask the manpage
08:59 < reiffert> CaBa: it says no.
09:00 < CaBa> reiffert: the manpage says after the tun/tap device is created. that does not happen before the server connection is made?
09:03 -!- cityLights [~cityLight@bzq-84-111-46-151.red.bezeqint.net] has quit [Quit: Leaving]
09:15 < reiffert> it says "device open
09:16 < reiffert> ", not created.
09:18 < reiffert> You can create them manually with mknod, or let openvpn do this by --mktun or similar.
09:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:25 < CaBa> reiffert: the --up script is called *before* the ip connection to the server is made, just tried
09:27 -!- kyrix [~ashley@77.118.140.96.wireless.dyn.drei.com] has joined ##openvpn
09:36 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:38 -!- dazo is now known as dazo_afk
09:39 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
09:40 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
09:41 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
09:43 -!- zxd_ [~marceloa@95.211.21.34] has quit [Ping timeout: 276 seconds]
09:48 -!- dextro_ [~dex@173.183.43.243] has quit [Remote host closed the connection]
09:51 -!- mario__ [~mario@projekte.imos.net] has quit [Quit: Ex-Chat]
09:53 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
09:55 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
10:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
10:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:07 -!- hphreak [~chatzilla@i114-185-173-131.s04.a012.ap.plala.or.jp] has joined ##openvpn
10:09 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
10:15 -!- zxd_ [~marceloa@95.211.21.34] has joined ##openvpn
10:22 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
10:22 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
10:22 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
10:25 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
10:33 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:34 -!- mape2k [~mape2k@p5B287C1D.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
10:50 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
11:10 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
11:10 -!- mode/##openvpn [+o mattock] by ChanServ
11:16 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
11:21 -!- burnbrighter [~kurt@astound-64-85-228-221.ca.astound.net] has joined ##openvpn
11:22 < burnbrighter> Hi all - looking for client mode only installation guide howto for linux, but more specifically CentOS 
11:23 < burnbrighter> most googling gives me server set up, not client
11:23 < burnbrighter> any URLs, guides are apprecitaed
11:24 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 252 seconds]
11:40 -!- Deepy [deepy@109-124-137-48.customer.t3.se] has joined ##openvpn
11:40 < burnbrighter> any takers?
11:49 < cron2> I seem to remember that there is a howto document on the openvpn web site that explains both client and server setup
11:50 < cron2> the difficult part is setting the server and the CA, and generating keys for the client - after that, it's just "copy the sample config, change the remote IP address and the name of the key files, and off you go"
12:04 -!- LobbyZ [~default@188.72.255.194] has quit [Ping timeout: 276 seconds]
12:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
12:17 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:19 < takamichi> Has anyone got openVPN working with freeRADIUS? If so, did you use the pam module or the radiusplugin?
12:26 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
12:31 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
12:33 -!- Rolybrau [~Rolybrau@133-96.78-83.cust.bluewin.ch] has joined ##openvpn
12:33 -!- Rolybrau [~Rolybrau@133-96.78-83.cust.bluewin.ch] has quit [Changing host]
12:33 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
12:35 -!- kyrix [~ashley@77.118.140.96.wireless.dyn.drei.com] has quit [Quit: Leaving]
12:37 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
12:38 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
12:44 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 264 seconds]
12:44 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 245 seconds]
12:51 -!- ^scott^ [~scott@stthom.org] has joined ##openvpn
12:57 < burnbrighter> cron2: do you have to do all the key set up and everything for a client set up too?
13:08 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
13:14 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
13:47 -!- DarthGandalf is now known as DarthGandalf|BNC
13:48 -!- DarthGandalf|BNC is now known as DarthGandalf
13:49 -!- Kas [~Kasx@213.155.4.68] has joined ##openvpn
13:51 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
13:51 -!- mode/##openvpn [+v Kasx] by ChanServ
13:55 -!- Kas [~Kasx@213.155.4.68] has quit [Ping timeout: 252 seconds]
14:01 -!- smerz [~daniel@smerz.demon.nl] has quit [Quit: Ex-Chat]
14:13 -!- Thuuugs [~sdanaksn@ppp118-208-189-77.lns20.bne4.internode.on.net] has quit [Ping timeout: 276 seconds]
14:16 -!- Thuuugs [~sdanaksn@ppp118-208-142-58.lns20.bne1.internode.on.net] has joined ##openvpn
14:21 -!- mkay [~mkay@gentoo/user/mkay] has joined ##openvpn
14:22 < mkay> hi
14:23 < mkay> how can i list all active clients-certificates from my server? i've googled a bit, but i can't find it and i don't have much time right now;/
14:25 < ^scott^> mkay Have you looked at the config option called status?
14:26 < mkay> ^scott^: hmm - i do not have any list in file it points to
14:27 < ^scott^> It's on the default config for OpenVPN server.conf config. Did you leave it out of your configuration file?
14:28 < mkay> i've got it set: status openvpn-status.log
14:28 < mkay> but there's nothing interesting in taht file
14:28 -!- Thuuugs [~sdanaksn@ppp118-208-142-58.lns20.bne1.internode.on.net] has quit [Ping timeout: 265 seconds]
14:29 < ^scott^> mkay Oh, the docs say otherwise. Hold on.
14:31 < ^scott^> mkay Do you know that someone is connected at all? That should have the certificate common names of the people connected.
14:32 < mkay> ^scott^: hmm - i've just connected myself and my cert didn't show there;/
14:33 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:33 < mkay> uh
14:33 < mkay> ok
14:33 < mkay> i'm there now
14:33 < mkay> (took some time)
14:33 < ^scott^> Doesn't surprise me, connections aren't quite immediate anyways.
14:33 < mkay> but it's not what i need. i'd like to have a list of all certificates, which where generated and not revoked
14:34 < ^scott^> Ohh! I thought you wanted those of the connected parties
14:34 < ^scott^> Did you use easy-rsa
14:34 < mkay> yes
14:34 -!- Thuuugs [~sdanaksn@ppp118-208-89-146.lns20.bne4.internode.on.net] has joined ##openvpn
14:34 < ^scott^> There is an index file in/near the keys directory
14:35 < ^scott^> It's going to have all the information about certificates it's created, and they're status. It's not quite designed for human consumption, it's actually prepared by openssl, but I think that'll do the trick for you.
14:36 < mkay> hmm - should it be named 'index' or something similar?
14:38 < ^scott^> yea, it's going to be in the directory where openssl program was called by easy-rsa I think. Are you using Linux?
14:39 < mkay> ok - i've found it
14:39 < mkay> am i right thinking that R in first column means revoked?
14:40 < ^scott^> yes, have a look at http://www.mail-archive.com/openssl-users@openssl.org/msg45982.html
14:40 < vpnHelper> Title: RE: ca format of index.txt. File - IT WORKS! (at www.mail-archive.com)
14:40 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined ##openvpn
14:41 < grendal_prime> hey guys im looking to see if its possible to run two ciphers on the same server.
14:41 < mkay> ^scott^: great;) thanks for help
14:41 < grendal_prime> im thinking now that it could be done with a client connect script..but...well im having a hard time finding info on this
14:43 < ^scott^> I'm sure you could run two daemons on separate portts, but I doubt that's your intent.
14:47 < grendal_prime> ^scott^: ya we are trying to avoid that if possible
14:47 < mkay> ^scott^: one more question... i've got one valid certificate, which i do not have on disk. can i somehow revoke it?
14:47 < grendal_prime> we want to keep everything on port 1194 if possible
14:48 < grendal_prime> it looks like you can specify anthing in the ccd file that was specified in the main config...soooo im gonna give it a try
14:48 < ^scott^> I think you need the certificate to revoke it. I guess you could recreate the certificate if you still have the CSR, but without that, I'm not sure.
14:49 < mkay> i do not have it either;/
14:50 < ^scott^> This feels like a bad idea, but why not try swapping the V out for an R, and then try to generate the CRL.
14:51 < ^scott^> I think the CRL just needs the information that's already in the index.txt.
14:51 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
14:53 < mkay> ^scott^: i've found an answer. http://readlist.com/lists/lists.sourceforge.net/openvpn-users/0/2032.html < if you're interested
14:53 < vpnHelper> Title: Is it possible to revoke without their crt? - ReadList.com (at readlist.com)
14:55 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
14:55 < ^scott^> Ah, those pem files, that's good to know, I forgot it stored those, thank you.
14:59 < grendal_prime> looks like cipher cannot be used in the client config dir
15:00 < grendal_prime> it just seems odd that you cant do this
15:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
15:10 < grendal_prime> grrrr
15:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
15:43 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
15:46 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:49 -!- bandini [~bandini@host174-107-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
15:57 -!- ^scott^ [~scott@stthom.org] has quit [Ping timeout: 246 seconds]
15:59 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
16:04 -!- ^scott^ [~scott@stthom.org] has joined ##openvpn
16:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
16:40 < grendal_prime> this is just amazing that this is not possible
16:44 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
16:45 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Read error: Connection reset by peer]
16:46 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
16:48 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
16:48 -!- bdheeman [~bdheeman@bdheeman-2-pt.tunnel.tserv20.hkg1.ipv6.he.net] has joined ##openvpn
16:58 -!- bandini [~bandini@host174-107-dynamic.21-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
17:16 -!- mrrcp [~cp@99.4.131.15] has joined ##openvpn
17:17 < mrrcp> How do i add more keys for more users or pc's?
17:17 < mrrcp> do i have to remake everyones?
17:18 -!- dazo_afk [~dazo@nat/redhat/x-mrgweesefhinbybk] has quit [Quit: ZNC - http://znc.sourceforge.net]
17:20 < mrrcp> anyone
17:22 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Read error: Connection reset by peer]
17:23 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
17:30 -!- dazo [~dazo@nat/redhat/x-jbrxnjkmyufaiuoq] has joined ##openvpn
17:31 -!- dazo is now known as dazo_afk
17:31 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
17:33 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
17:33 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
17:39 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
17:41 < n5> hello is it possible to make only one port to use open vpn, because my current config replaces my home ip with openvpn server ip, and i want to config, only apache to use tunnel
17:41 < bdheeman> mrrcp: though dated, but http://howto.landure.fr/gnu-linux/debian-4-0-etch-en/install-and-setup-openvpn-on-debian-4-0-etch has everything you need to know
17:41 < vpnHelper> Title: Install and setup OpenVPN on Debian 4.0 Etch Lone-Wolf Scripts (at howto.landure.fr)
17:41 < n5> i found forum, will look to it
17:43 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
17:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
17:56 < Thuuugs> Was in here not to long ago, and someone was kindly helping me - we concluded it must of been an issue with Windows 7 - however found a XP Machine to test on and still no go
17:56 < Thuuugs> Client Conf: http://pastebin.com/7S7E4wZj   Server Conf: http://pastebin.com/ighib8J1     Client Log: http://pastie.org/private/z63sgjitsrmybhpx7xrtuw    Server Log: http://pastebin.com/DWhVjEqc
17:58 -!- Baz_ [~baaaz@c-67-183-155-189.hsd1.wa.comcast.net] has joined ##openvpn
17:58 < Baz_> anyone know of a router that comes with openvpn and gui besides the hack-it-yourself wwrt type stuff?
18:05 -!- mustafa [~mustafa@41.235.82.27] has joined ##openvpn
18:06 < mustafa> I've installed openVPN on ubuntu and when I try to login from the admin UI page, it asks me for the root username and password while on ubuntu there is no account as root
18:06 < mustafa> and when I try to use my account, it refuses. any ideas?
18:08 < cwillu_at_work> mustafa, which admin ui page?
18:09 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
18:09 < mustafa> I mean the browser page http://ip:port/admin
18:10 < mustafa> cwillu_at_work: I mean that page https://ip:port/admin
18:10 < cwillu_at_work> sec
18:10 < Baz_> it seems like it would be a great business idea for openvpn to have a hardware solution ready to go with a simple web gui - i'd pay for it without question
18:12 -!- Baz_ [~baaaz@c-67-183-155-189.hsd1.wa.comcast.net] has quit [Remote host closed the connection]
18:12 < cwillu_at_work> mustafa, you mean --management and company?
18:12 -!- Baz_ [~baaaz@c-67-183-155-189.hsd1.wa.comcast.net] has joined ##openvpn
18:12 < mustafa> cwillu_at_work: https://192.168.2.100:943/admin I'm not able to login from here.
18:13 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
18:15 < cwillu_at_work> mustafa, are you using ubuntu's package?
18:17 < mustafa> cwillu_at_work: ya
18:17 < cwillu_at_work> and you're getting a web page?
18:19 < mustafa> cwillu_at_work: ya, after i finished the installation i went to the browser page which i should manage the software from
18:19 < cwillu_at_work> mustafa, ubuntu's openvpn package doesn't include a web admin page;  the only obvious thing I can think of that you might have is ebox-openvpn, which is a third party thing
18:20 < cwillu_at_work> do you know if that's what you're using, or is it something else?
18:20 < mustafa> I'm using the package I got from the site
18:20 < cwillu_at_work> so you're _not_ using ubuntu's package
18:21 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Quit: Ex-Chat]
18:21 < mustafa> cwillu_at_work: I'm using the debian package from the site
18:22 < cwillu_at_work> mustafa, okay, but that's not ubuntu's package
18:22 < cwillu_at_work> which is fine
18:22 < mustafa> cwillu_at_work: Ah! I'm sorry. Will Ubuntu's package be easeir to use?
18:22 < cwillu_at_work> you've run ovpn-init?
18:22 < cwillu_at_work> mustafa, ubuntu's package doesn't have a web interface :p
18:22 < cwillu_at_work> I find it easier, but that's me
18:23 < mustafa> cwillu_at_work: Ah, so do you have any ideas how can I login to the web interface?
18:23 < cwillu_at_work> mustafa, have you run ovpn-init?
18:24 < mustafa> ya
18:24 < cwillu_at_work> """Do you wish to login as 'root'?
18:24 < cwillu_at_work> > Press ENTER for default [yes] no"""
18:24 < cwillu_at_work> what did you answer for that question?
18:25 < mustafa> yes
18:25 < cwillu_at_work> you should probably think about that :p
18:25 < mustafa> ah!
18:25 < mustafa> ok, thanks :)
18:26 < cwillu_at_work> when in doubt, re-read the instructions :p
18:26 < Baz_> you'll surely have to do a ton of that to setup openvpn
18:27 < cwillu_at_work> well, the web admin is supposed to be point-and-clicky
18:27 < cwillu_at_work> not that such a thing is necessarily a good thing :p
18:27 < mustafa> i will, i have to go now my cat is making a mess all around the house
18:27 < Baz_> is that new? a couple of months back it was all config files
18:28 < cwillu_at_work> it still is;  the web thingie is an "added value" thing you pay for
18:28 < Baz_> i'd love to pay for that... where can i see it?
18:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
18:28 < cwillu_at_work> Baz_, um, on the homepage of openvpn :p
18:29 < cwillu_at_work> you have to click past it in order to find the community site :)
18:29 -!- mustafa [~mustafa@41.235.82.27] has quit [Quit: Lost terminal]
18:29 < cwillu_at_work> 5$ a client I believe
18:31 < Baz_> cwillu_at_work, "OpenVPN Access Server"?
18:31 < cwillu_at_work> yep
18:32 < Baz_> and thats a separate product from openvpn?
18:32 < Baz_> which is free..
18:32 < cwillu_at_work> kinda yes
18:33 < Baz_> haha, is it even possible to have a more ocnfusing name than "Access Server Downloads"
18:33 < Baz_> especially with only one download... call the section "Download"
18:35 -!- DrPepper [~DrPepper@ks32620.kimsufi.com] has joined ##openvpn
18:35 < DrPepper> hi there
18:36 < DrPepper> is there a way to route the traffic back to the OpenVPN Server and than to the client ?
18:37 < DrPepper> anyone there ?
18:38 < Baz_> yeah, but i dont know anything
18:39 < Baz_> DrPepper, did u pay for openvpn?
18:39 < Baz_> DrPepper, where did u get it
18:40 < DrPepper> apt-get install openvpn
18:41 < DrPepper> !welcome
18:41 < vpnHelper> DrPepper: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:43 < DrPepper> Baz_: why r u asking ?
18:44 < Baz_> i'm revisiting setting it up and their site requires an account and pushes pricing info without giving you a download or source... apt-get is good
18:45 < DrPepper> however, do you have any clue about the solution of my problem ?
18:46 < Baz_> Probably not, but I don't fully undertsand it either - what do u mean route traffic "back" to the openvpn server - is it going through it?
18:47 < Baz_> "is it" = "isn't it"
18:47 < DrPepper> i want people to access my pc for example
18:47 < Baz_> from where
18:47 < DrPepper> which is routed trhough a openvpn server with some IP
18:47 < DrPepper> my pc is conncected to an openvpn server
18:47 < DrPepper> now
18:48 < DrPepper> i want people to access the vpn server IP and through that access my pc
18:48 < DrPepper> without knowing my IP
18:48 < DrPepper> do you get what i mean ?
18:48 < Baz_> so similar to port forwarding on a router but through the openvpn server instead?
18:49 < DrPepper> yes
18:49 < Baz_> would it be port based, like all requests on port 80 would be forwarded to your pc?
18:49 < DrPepper> port based
18:49 < Baz_> and u want this locally or from the outside world
18:50 < DrPepper> like dyndns:1234 -> should come out on my pc
18:50 < DrPepper> outside
18:50 < DrPepper> ok
18:50 < DrPepper> i have an application running on my PC
18:50 < DrPepper> ip:1234 -> is the access
18:50 < DrPepper> now i want people to do
18:51 < Baz_> ok and finally when u say "outside" do u mean an outside pc vpn'ed into your network or a completely outside independent pc?
18:51 < DrPepper> dyndns:1234 -> VPN -> ip:1234
18:51 < DrPepper> outside independant pc
18:51 -!- mustafa [~mustafa@41.235.82.27] has joined ##openvpn
18:51 < DrPepper> not connected to vpn
18:51 < mustafa> cwillu_at_work: i figured out how to configure it, do u know any good free vpns?
18:52 < DrPepper> Baz_: i don't even know if it's feasible what i want to do , is it ?
18:52 < Baz_> DrPepper, I am sure it is... that outside request is going to come to your router first through your public ip
18:53 < DrPepper> yes
18:53 < Baz_> DrPepper, then your router has to do something with it, perhaps just forward it to your local (non-vpn) ip?
18:53 < DrPepper> yes
18:53 < Baz_> this kind'of doesn;t seem like a vpn thing?
18:53 < DrPepper> well yes
18:53 < DrPepper> ok
18:54 < DrPepper> let my try again
18:54 < DrPepper> my PC is connected through a router on the internet
18:54 < DrPepper> i than do a VPN connection
18:54 < DrPepper> to a hosted Server
18:54 < DrPepper> which is my Open VPN Server
18:55 < DrPepper> which i also use as gaetway to get out to the internet
18:55 < DrPepper> now
18:55 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:55 < DrPepper> i want the people
18:55 < DrPepper> to access my PC through Portforwarding through that OpenVPN Server
18:56 < DrPepper> do you know now what i mean ?
18:56 < Baz_> ok, i see, the openvpn server is not local... ok
18:56 < DrPepper> no
18:56 -!- mustafa [~mustafa@41.235.82.27] has quit [Quit: Lost terminal]
18:56 < DrPepper> it's not
18:56 < Baz_> DrPepper, well now that the question is nicely outlined, I hope someone who knows how any of this works helps you :)
18:57 < DrPepper> looooool
18:57 < DrPepper> thanks
18:58 < Baz_> for shits and giggles did you try simply forwarding the request oin the router to the vpn ip?
18:58 < DrPepper> there is no router
18:58 < DrPepper> it's directly exposed
18:59 < Baz_> Internet >> PC >> VpnServer?
18:59 < Baz_> no router, wow
18:59 < Baz_> hardcore
18:59 < DrPepper> it's a hosted server
18:59 < DrPepper> on a server farm
19:00 < Baz_> oh ok
19:04 -!- bdheeman [~bdheeman@bdheeman-2-pt.tunnel.tserv20.hkg1.ipv6.he.net] has left ##openvpn []
19:05 < Baz_> DrPepper, take a look at: http://www.no-x.org/?p=103
19:05 < vpnHelper> Title: No-x Linux » Port Forward With IPTABLES Through Openvpn (at www.no-x.org)
19:05 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
19:06 < DrPepper> nice
19:06 < DrPepper> thanks
19:13 -!- hphreak [~chatzilla@i114-185-173-131.s04.a012.ap.plala.or.jp] has quit [Ping timeout: 240 seconds]
19:21 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
19:43 < cwillu_at_work> did he just ask if I knew any good vpn's, or did I misunderstand that?
19:50 < Thuuugs> Was in here not to long ago, and someone was kindly helping me - we concluded it must of been an issue with Windows 7 - however found a XP Machine to test on and still no go
19:50 < Thuuugs> Client Conf: http://pastebin.com/7S7E4wZj   Server Conf: http://pastebin.com/ighib8J1     Client Log: http://pastie.org/private/z63sgjitsrmybhpx7xrtuw    Server Log: http://pastebin.com/DWhVjEqc
19:53 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Remote host closed the connection]
20:10 -!- tjz [~pc@bb116-15-47-117.singnet.com.sg] has joined ##openvpn
20:10 -!- tjz [~pc@bb116-15-47-117.singnet.com.sg] has quit [Changing host]
20:10 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:28 -!- dug` [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
20:28 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Ping timeout: 246 seconds]
20:35 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
21:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
21:23 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Ping timeout: 260 seconds]
21:28 < vpnHelper> New forum entry openvpnforum: Off Topic, Related :: Re: unable to connect to NW :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=1&t=2901&p=4106#p4106>
21:46 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
22:01 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 240 seconds]
22:05 -!- zxd_ [~marceloa@95.211.21.34] has quit [Ping timeout: 246 seconds]
22:25 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
22:33 -!- zxd_ [~marceloa@95.211.21.34] has joined ##openvpn
22:33 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
22:33 -!- burnbrighter [~kurt@astound-64-85-228-221.ca.astound.net] has quit [Ping timeout: 256 seconds]
22:40 -!- mrrcp [~cp@99.4.131.15] has quit []
23:07 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:42 -!- Winkie [~urmom@87.194.109.4] has quit [Remote host closed the connection]
--- Day changed Thu Mar 18 2010
00:05 -!- burnbrighter [~kurt@astound-64-85-228-221.ca.astound.net] has joined ##openvpn
00:08 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
00:14 -!- takamichi [~pri@213.163.66.192] has quit [Ping timeout: 248 seconds]
00:19 -!- SerajewelKS [~me@c-98-222-140-181.hsd1.in.comcast.net] has joined ##openvpn
00:19 -!- Netsplit *.net <-> *.split quits: master_of_master, Grapsus, meepmeep, a-zlex, Morgan_Phoenix, ufoman, Gabe_G23, redfox, cron2, RichiH,  (+6 more, use /NETSPLIT to show all of them)
00:20 < SerajewelKS> i know this is a longshot, but is there something openvpn might be doing that would be messing with multiplayer games that discover other servers on a LAN?  i had a friend over a while ago, plugged into my network and such games worked.  now, with a bridged vpn (he is in the same subnet) the game cannot find a server (i can't find his and he can't find mine).
00:20 < SerajewelKS> running tcpdump over the bridge shows lots of UDP traffic between our computers, which makes me think the network layer is behaving, but still no joy.
00:21 < SerajewelKS> i have not ruled out the possibility that the game just plain doesn't like the fact that there are two NICs on his end.
00:21 < SerajewelKS> but the fact that there is traffic between our computers on the VPN seems to indicate that it is aware of the VPN network on some level.
01:03 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:11 -!- burnbrighter [~kurt@astound-64-85-228-221.ca.astound.net] has quit [Quit: burnbrighter]
01:33 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 252 seconds]
01:39 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:45 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 252 seconds]
02:14 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
02:14 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
02:14 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
02:14 -!- master_of_master [~master_of@p57B5672B.dip.t-dialin.net] has joined ##openvpn
02:14 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined ##openvpn
02:14 -!- stephenh [~stephenh@94-23-158-103.kimsufi.com] has joined ##openvpn
02:14 -!- RichiH [~richih@freenode/staff/richih] has joined ##openvpn
02:14 -!- Gabe_G23 [~gabe@bzflag/player/GabrielG] has joined ##openvpn
02:14 -!- Morgan_Phoenix [~macbabe@CPE-24-166-141-95.new.res.rr.com] has joined ##openvpn
02:14 -!- MatBoy [~MatBoy@wiljewelwetenhe.xs4all.nl] has joined ##openvpn
02:14 -!- ufoman [ufoman@kolos.math.uni.lodz.pl] has joined ##openvpn
02:14 -!- ahf [ahf@irssi/staff/ahf] has joined ##openvpn
02:14 -!- fahadsadah [~fahad@unaffiliated/fahadsadah] has joined ##openvpn
02:14 -!- cron2 [~gert@kirk.greenie.muc.de] has joined ##openvpn
02:14 -!- meepmeep [meepmeep@212.24.104.229] has joined ##openvpn
02:14 -!- redfox [~redfox2@ns351996.ovh.net] has joined ##openvpn
02:14 -!- a-zlex [~as@null0.ipv6.bgp4.org] has joined ##openvpn
02:15 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
02:16 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
02:37 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
02:37 -!- DrPepper [~DrPepper@ks32620.kimsufi.com] has quit [Read error: Connection reset by peer]
02:38 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
02:44 -!- sonnie [~sonnie@202.141.162.106] has joined ##openvpn
02:46 < sonnie> hi there, I setup an openvpn server on a linux box, but I found that internal machines like 192.168.1.x can only connect as one single IP. any new client will overwrite the old ones. why?
02:48 < cron2> !config
02:48 < vpnHelper> cron2: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
02:48 < reiffert> !configs
02:48 < cron2> nah, that wasn't what I want
02:48 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
02:48 < cron2> \o/
02:51 -!- SerajewelKS [~me@c-98-222-140-181.hsd1.in.comcast.net] has quit [Changing host]
02:51 -!- SerajewelKS [~me@wikipedia/Crazycomputers] has joined ##openvpn
03:07 -!- DrPepper [~DrPepper@ks32620.kimsufi.com] has joined ##openvpn
03:21 -!- dazo_afk is now known as dazo
03:40 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
03:48 -!- mape2k [~mape2k@2001:6f8:997:1000:21e:37ff:fe90:fbfd] has joined ##openvpn
04:09 -!- SmokeyD [~dolf@93-125-157-31.dsl.alice.nl] has joined ##openvpn
04:10 < SmokeyD> hey everyone. Do you guys know a dsl broadband modem which comes with a builtin openvpn server? I'd hate to have to install a separate machine to create openvpn connectivity to my home network
04:10 -!- master_of_master [~master_of@p57B5672B.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
04:13 -!- master_of_master [~master_of@p57B540FD.dip.t-dialin.net] has joined ##openvpn
04:19 < dazo> SmokeyD: have a look at OpenWRT hardware support list
04:20 < dazo> http://oldwiki.openwrt.org/TableOfHardware.html
04:20 < vpnHelper> Title: TableOfHardware (at oldwiki.openwrt.org)
04:20 < SmokeyD> dazo: ok, thanks. Will check it out
04:21 < dazo> SmokeyD: sorry ... old link .... this is the new one: http://wiki.openwrt.org/oldwiki/tableofhardware
04:22 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 240 seconds]
04:23 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
04:35 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:45 -!- SmokeyD [~dolf@93-125-157-31.dsl.alice.nl] has left ##openvpn []
05:28 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
05:33 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
05:39 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:45 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
05:46 -!- mape2k [~mape2k@2001:6f8:997:1000:21e:37ff:fe90:fbfd] has quit [Read error: Operation timed out]
05:53 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
05:53 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
06:11 -!- SandGorgon [~OmNomNomO@122.160.41.129] has joined ##openvpn
06:12 -!- SandGorgon [~OmNomNomO@122.160.41.129] has left ##openvpn ["Leaving"]
06:31 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
06:31 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
06:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:45 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:46 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
06:49 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
07:13 < cron2> mmmmh.  Can I use "route" commands in ccd/ files?  That would be quite convenient right now... add new client networks without restarting the OpenVPN server and without interrupting other clients
07:17 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
07:23 -!- mmm2m [~moritz@dialbs-092-079-167-115.static.arcor-ip.net] has joined ##openvpn
07:23 < mmm2m> !welcome
07:23 < vpnHelper> mmm2m: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:24 < mmm2m> !howto
07:24 < vpnHelper> mmm2m: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:25 < ecrist> good morning
07:26 < mmm2m> !goal
07:26 < vpnHelper> mmm2m: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:27 < ecrist> cron2: yes, you can
07:27 < mmm2m> !goal I would like to access the clients of my vpn from each other.
07:27 < vpnHelper> mmm2m: Error: "goal" is not a valid command.
07:27 < mmm2m> I would like to access the clients of my vpn from each other.
07:27 < mmm2m> !logs
07:27 < vpnHelper> mmm2m: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
07:27 < ecrist> !client-to-client
07:27 < vpnHelper> ecrist: "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
07:27 < vpnHelper> ecrist: other clients
07:27 < MatBoy> guys, openvpn -- status does not work, any idea ?
07:28 < MatBoy> I get errors on openvpn -- shateveroption
07:29 < MatBoy> *whatever
07:29 < ecrist> logs and configs...
07:30 < mmm2m> !config
07:30 < vpnHelper> mmm2m: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
07:30 < ecrist> configs, mmm2m 
07:30 < mmm2m> ecrist: I'm on the way :-)
07:30 < mmm2m> Server config: http://openvpn.pastebin.com/wRByhspq
07:30 < MatBoy> any idea about the optins ?
07:31 < MatBoy> !commands
07:31 < vpnHelper> MatBoy: Error: "commands" is not a valid command.
07:31 < MatBoy> !status
07:31 < vpnHelper> MatBoy: Error: "status" is not a valid command.
07:31 < ecrist> MatBoy: configs and logs
07:31 < MatBoy> mhh
07:31 < MatBoy> ecrist: how do you mean ?
07:31 < ecrist> !configs
07:31 < ecrist> !logs
07:31 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
07:31 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
07:31 < MatBoy> ecrist: my vpns are working OK !
07:31 < ecrist> mmm2m: I told you the option you need, already
07:31 < MatBoy> I just need to kill a vpn using openvpn -- kill ip.ip.ip.ip:port
07:32 < ecrist> 07:27 < ecrist> !client-to-client
07:32 < mmm2m> ecrist: Yes. It's already in the server configuration
07:32 < ecrist> then it should work
07:32 < MatBoy> ecrist: sorry, but you are quite understandable
07:32 < mmm2m> line 26
07:32 < MatBoy> openvpn -- kill should work
07:32 < ecrist> if it isn't, you have firewall issues
07:33 < ecrist> MatBoy: you just want to kill the process?
07:33 < ecrist> there is no openvpn --kill option
07:33 < mmm2m> nope. I can ping both clients from the server and the server from both clients, but I can't ping the clients from each other
07:33 < ecrist> you just kill <pid>
07:33 < MatBoy> openvpn is stopped already but the VPN still exists
07:33 < MatBoy> true
07:33 < MatBoy> but I want to kill the vpn
07:33 < ecrist> if openvpn is stopped, then the vpn is down.
07:34 < MatBoy> mhh netstat tells me it's there
07:34 < ecrist> mmm2m: did you stop/restart the server process after adding the option?
07:34 < ecrist> MatBoy: then you have something else going on
07:34 < mmm2m> ecrist: several times
07:34 < MatBoy> ecrist: I thnik so
07:34 < mmm2m> The server and the clients
07:35 < ecrist> then it should work.
07:35 < ecrist> if it isn't working, you have firewall issues on the vpn server or on the clients.
07:37 < mmm2m> ecrist: Do I need any iptables or forwarding at the server?
07:38 < MatBoy> ecrist: weird, vpn was still open for a while
07:38 < MatBoy> server was down
07:39 < MatBoy> ok, solved... will investigate what happened and told the user to LOGOUT next time from home :D
07:39 < MatBoy> thanks
07:41 < ecrist> mmm2m: no
07:44 -!- Munksgaard [~Munksgaar@95.209.150.196.bredband.3.dk] has joined ##openvpn
07:45 < Munksgaard> !welcome
07:45 < vpnHelper> Munksgaard: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:45 < Munksgaard> !howto
07:45 < vpnHelper> Munksgaard: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:51 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
07:51 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
07:52 < cron2> ecrist: cool.  *go testing*
07:57 < mmm2m> ecrist: works now. But I don't know, what I changed. I just added a third client.
08:00 < mmm2m> Well... it works from and to that third client to and from the other clients and the server, but the first two clients can still not ping each other.
08:02 < ecrist> try restarting those other clients
08:03 < ecrist> honestly, it's not an openvpn issue at this point.
08:15 -!- hphreak [~chatzilla@i114-185-173-131.s04.a012.ap.plala.or.jp] has joined ##openvpn
08:21 -!- dbill [~mike@97.66.26.10] has joined ##openvpn
08:21 < dazo> cron2: I already do exactly what asked about in one of my setups ... using push route
08:23 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 264 seconds]
08:27 -!- dxtr [dexter@unaffiliated/dxtr] has quit [Quit: I'm outta here]
08:27 -!- takamichi [~pri@213.163.66.192] has joined ##openvpn
08:32 -!- Munksgaard [~Munksgaar@95.209.150.196.bredband.3.dk] has left ##openvpn []
08:33 -!- hphreak [~chatzilla@i114-185-173-131.s04.a012.ap.plala.or.jp] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.8/20100202165920]]
08:56 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
09:09 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:09 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
09:28 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
09:31 -!- Diffen2 [~diffen2@mail.feab.se] has joined ##openvpn
09:40 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
09:42 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
09:51 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has quit [Ping timeout: 245 seconds]
09:52 -!- freaky[t] [alpha@freakyy.de] has quit [Ping timeout: 265 seconds]
09:52 -!- sno [~sno@85-10-202-144.clients.your-server.de] has quit [Ping timeout: 276 seconds]
09:52 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 252 seconds]
09:52 -!- CaBa [caba@unique-inter.net] has quit [Ping timeout: 264 seconds]
09:52 -!- reiffert [~thomas@mail.webersheim.de] has quit [Ping timeout: 264 seconds]
09:54 -!- sno [~sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn
09:54 -!- CaBa [~caba@unique-inter.net] has joined ##openvpn
09:55 -!- mmm2m [~moritz@dialbs-092-079-167-115.static.arcor-ip.net] has quit [Quit: Leaving.]
09:56 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
09:56 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
09:58 -!- reiffert [~thomas@mail.webersheim.de] has joined ##openvpn
09:58 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined ##openvpn
10:08 -!- waldner [~c2c9d2d1@gateway/web/freenode/x-bldiyuurmyvcdmbu] has joined ##openvpn
10:08 -!- waldner [~c2c9d2d1@gateway/web/freenode/x-bldiyuurmyvcdmbu] has left ##openvpn []
10:09 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:23 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:32 -!- DrPepper [~DrPepper@ks32620.kimsufi.com] has quit [Ping timeout: 268 seconds]
10:33 -!- DarthGandalf is now known as DarthGandalf|BNC
10:35 -!- DarthGandalf|BNC is now known as DarthGandalf
10:40 -!- dazo is now known as dazo_afk
10:42 -!- FinnTux [~smr@et456.netikka.fi] has quit [Ping timeout: 252 seconds]
10:43 -!- FinnTux [~smr@et456.netikka.fi] has joined ##openvpn
10:56 -!- FinnTux [~smr@et456.netikka.fi] has quit [Ping timeout: 240 seconds]
10:57 -!- FinnTux [~smr@et456.netikka.fi] has joined ##openvpn
11:04 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
11:09 -!- kc0itq [~kc0itq@75-146-149-17-MInnesota.hfc.comcastbusiness.net] has joined ##openvpn
11:10 < kc0itq> !welcome
11:10 < vpnHelper> kc0itq: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:10 -!- kc0itq is now known as Igg-man
11:11 < Igg-man> !route
11:11 < vpnHelper> Igg-man: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:16 < Igg-man> Wow, that's quite helpful
11:18 < rob0> Congratulations on having read the /topic
11:20 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
11:21 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 246 seconds]
11:24 -!- FinnTux [~smr@et456.netikka.fi] has quit [Ping timeout: 246 seconds]
11:25 -!- FinnTux [~smr@et456.netikka.fi] has joined ##openvpn
11:29 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
11:29 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
11:33 < Igg-man> Am I the first one?
11:34 < Igg-man> !wiki
11:34 < vpnHelper> Igg-man: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
11:39 < rob0> No, it happens sometimes. And occasionally someone actually begins to figure out their answer! It's a beautiful thing when that happens. :)
11:40 < Igg-man> I started to, but I just am not making the connection
11:41 < Igg-man> that was probably a poor choice of words
11:42 < Igg-man> the connection works fine
11:42 -!- macsppadic_ [~sonupunno@82.109.74.162] has joined ##openvpn
11:42 < Igg-man> Is there a way to add a metric to the routes pushed to the clients?
11:44 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Ping timeout: 246 seconds]
11:46 -!- macsppadic_ [~sonupunno@82.109.74.162] has quit [Ping timeout: 256 seconds]
11:49 -!- buntfalke_ is now known as buntfalke
11:49 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
11:57 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Ping timeout: 246 seconds]
12:02 -!- cpm_ [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:04 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Disconnected by services]
12:05 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:08 -!- cpm_ [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm_]
12:09 < rob0> Igg-man, not sure, probably varies by client OS. What is the actual problem and goal?
12:09 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
12:09 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
12:10 -!- mode/##openvpn [+o openvpn2009] by ChanServ
12:12 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
12:12 -!- mode/##openvpn [+o mattock] by ChanServ
12:13 -!- green-freq [~tfpi@174.46.208.82] has joined ##openvpn
12:14 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has joined ##openvpn
12:15 < green-freq> !welcome
12:15 < vpnHelper> green-freq: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:16 < green-freq> Is it possible to integrate 'pgp' type pki keys into ovpn?  If so is it trivial?
12:32 < rob0> Possible with some coding, I'd think; no, not trivial.
12:36 < green-freq> rob0 -- ok thanks for that.
12:36 -!- green-freq [~tfpi@174.46.208.82] has left ##openvpn [""My question was answered""]
12:38 < rob0> (Answered, but maybe someone else would know more.)
12:43 < cron2> ecrist: just for completeness - "iroute" can go to ccd/, "route" can not.
12:44 < cron2> internal handling is different, there is no way to un-add a "route" that is configured, so it's basically incompatible with ccd/ (it would need to be removed upon client disconnect)
12:44 < cron2> "iroute" cannot go to main config, OTOH...
12:45 < cron2> dazo: "push route" is yet another thing :-) - I want the OpenVPN server to install a route "operating system -> server-tun" (-> "route"), but do not want to restart the openvpn server if a client-specific route needs to be added
12:46 < cron2> "push route" will install the route on the client's OS side -> client-tun -> server
12:46 -!- smerz [~daniel@smerz.demon.nl] has quit [Remote host closed the connection]
12:49 < reiffert> moin
13:00 -!- Diffen2 [~diffen2@mail.feab.se] has quit [Quit: This computer has gone to sleep]
13:18 -!- bandini [~bandini@host174-107-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
13:29 -!- Baz_ [~baaaz@c-67-183-155-189.hsd1.wa.comcast.net] has quit [Quit: Leaving]
13:43 -!- daguz [~leo@208-1-63-34.celito.net] has quit [Quit: Leaving.]
13:46 -!- clyons [~clyons@unaffiliated/clyons] has joined ##openvpn
14:01 < DrPepper> moin
14:04 < hyper_ch> abend
14:25 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
14:45 < ecrist> cron2: push "route ...." can
14:53 < DrPepper> hi there , is someone here who can help me with gatway issues ?
14:53 < reiffert> DrPepper: see topic.
14:54 < DrPepper> i did already yesterday
14:54 < DrPepper> i mean the welcome
14:54 < DrPepper> and firewall is not installed yet
14:54 < DrPepper> basically i manage to get out but not in
14:55 < DrPepper> i can do outgoing connections but not incoming
14:55 < DrPepper> and it seems that i have 2 gateways
14:56 < DrPepper> could someone take a look at this please ? http://pastebin.com/YdCtvaDt
14:57 < DrPepper> !redirect
14:57 < vpnHelper> DrPepper: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:58 < DrPepper> !def1
14:58 < vpnHelper> DrPepper: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
14:58 < DrPepper> !ipforward
14:58 < vpnHelper> DrPepper: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
14:58 < DrPepper> !linipforward
14:58 < vpnHelper> DrPepper: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
15:00 < DrPepper> !nat
15:00 < vpnHelper> DrPepper: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
15:00 < Igg-man> rob0: sometimes users are at the sites included in the route statements
15:00 < Igg-man> rob0: I was just trying to find an easy way to exclude the routes to the sites that the user is at, or change the metric so it's higher than the local routes
15:01 < cron2> ecrist: huh?
15:02 < cron2> ecrist: how do you get "push route" applied to the server side?
15:02 < DrPepper> !linnat
15:02 < vpnHelper> DrPepper: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
15:02 < ecrist> never mind
15:02  * ecrist gives up
15:04 < cron2> ecrist: I'm sure I'm overlooking something - this is why I'm so stubborn
15:05 < DrPepper> !iporder
15:05 < vpnHelper> DrPepper: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
15:05 < DrPepper> !ipp
15:05 < vpnHelper> DrPepper: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
15:05 < DrPepper> !static
15:05 < vpnHelper> DrPepper: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
15:07 -!- Otacon22 [~otacon22@93-36-88-88.ip59.fastwebnet.it] has joined ##openvpn
15:07 < Otacon22> hi
15:07 < rob0> !factoid
15:07 < vpnHelper> rob0: Error: "factoid" is not a valid command.
15:07 < rob0> !factoids
15:07 < vpnHelper> rob0: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
15:07 < rob0> DrPepper: ^^
15:07 < Otacon22> i have a openvpn server on a tcp port, can i open it also on another port but on UDP?
15:08 < cron2> Octacon22: not as of today, you need to run two servers
15:08 < rob0> Otacon22, any openvpn instance can only be TCP or UDP.
15:08 < rob0> !tcp
15:08 < vpnHelper> rob0: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
15:09 < DrPepper> yes rob0
15:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
15:34 -!- jmccree [~Jeff@z69-94-215-205.ips.direcpath.com] has joined ##openvpn
15:35 < jmccree> Is there any way in openvpn client (winxp) to block openvpn server from pushing routes to client?
15:46 -!- dbill [~mike@97.66.26.10] has quit [Ping timeout: 256 seconds]
15:51 -!- jmccree [~Jeff@z69-94-215-205.ips.direcpath.com] has quit [Quit: Leaving.]
16:01 < hyper_ch> why not just disable it on the server?
16:10 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
16:11 < cron2> --route-nopull (but jmccree has left anyway)
16:13 -!- bandini [~bandini@host174-107-dynamic.21-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
16:16 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
16:18 -!- takamichi [~pri@213.163.66.192] has quit [Ping timeout: 252 seconds]
16:18 -!- takamichi [~pri@78.133.36.225] has joined ##openvpn
16:33 -!- oc80z [oc80z@blea.ch] has quit [Ping timeout: 252 seconds]
16:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
16:40 -!- oc80z [oc80z@blea.ch] has joined ##openvpn
17:33 -!- Netsplit *.net <-> *.split quits: julius, tw, elge, dazo_afk, Thuuugs, kala, Sky[x], vpnHelper, Typone, Ramjar,  (+1 more, use /NETSPLIT to show all of them)
17:36 -!- atlantic [~atlantic@hok.duf.hu] has quit [Ping timeout: 240 seconds]
17:36 -!- Netsplit over, joins: dazo_afk, vpnHelper, FinnTux, Sky[x], Thuuugs, tw, julius, Typone, elge, Ramjar (+1 more)
17:40 -!- oc80z [oc80z@blea.ch] has quit [Ping timeout: 258 seconds]
17:41 -!- oc80z [oc80z@blea.ch] has joined ##openvpn
17:46 -!- Netsplit *.net <-> *.split quits: julius, tw, elge, dazo_afk, Thuuugs, kala, Sky[x], vpnHelper, Typone, Ramjar,  (+1 more, use /NETSPLIT to show all of them)
17:50 -!- Netsplit over, joins: dazo_afk, vpnHelper, FinnTux, Sky[x], Thuuugs, tw, julius, Typone, elge, Ramjar (+1 more)
17:53 -!- reiffert_ [~thomas@mail.webersheim.de] has joined ##openvpn
17:53 -!- Netsplit *.net <-> *.split quits: reiffert, krzie, zxd_, SerajewelKS, mikkel, Rolybrau
17:55 -!- Netsplit over, joins: SerajewelKS
17:56 -!- Netsplit *.net <-> *.split quits: julius, tw, elge, dazo_afk, Thuuugs, kala, Sky[x], vpnHelper, Typone, Ramjar,  (+1 more, use /NETSPLIT to show all of them)
17:59 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
17:59 -!- zxd_ [~marceloa@95.211.21.34] has joined ##openvpn
17:59 -!- krzie [~krzee@butters.secure-computing.net] has joined ##openvpn
17:59 -!- SkyX [~SkyB0x@212.235.177.25] has joined ##openvpn
17:59 -!- Netsplit over, joins: dazo_afk, vpnHelper, FinnTux, Thuuugs, tw, julius, Typone, elge, Ramjar, kala
18:03 -!- takamichi [~pri@78.133.36.225] has quit [Ping timeout: 264 seconds]
18:04 -!- takamichi [~pri@213.163.66.192] has joined ##openvpn
18:06 -!- jww_ [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
18:07 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Ping timeout: 264 seconds]
18:07 -!- plundra [404@article.se] has quit [Ping timeout: 264 seconds]
18:07 -!- plundra [404@article.se] has joined ##openvpn
18:11 -!- diffen3 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
18:11 -!- mkay_ [~mkay@sla.com.pl] has joined ##openvpn
18:12 -!- d303k [~heiko@vpn.astaro.de] has joined ##openvpn
18:14 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 240 seconds]
18:14 -!- mkay [~mkay@gentoo/user/mkay] has quit [Ping timeout: 240 seconds]
18:14 -!- clyons [~clyons@unaffiliated/clyons] has quit [Ping timeout: 240 seconds]
18:14 -!- d457k [~heiko@vpn.astaro.de] has quit [Ping timeout: 240 seconds]
18:14 -!- clyons [~clyons@unaffiliated/clyons] has joined ##openvpn
18:16 -!- mkay_ is now known as mkay
18:16 -!- diffen3 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
18:16 -!- mkay [~mkay@sla.com.pl] has quit [Changing host]
18:16 -!- mkay [~mkay@gentoo/user/mkay] has joined ##openvpn
18:22 -!- rkantos [robin@hp1.jaketus.net] has joined ##openvpn
18:25 -!- agagag_ [~anton@eudaimonia.goto10.org] has joined ##openvpn
18:25 -!- balboah_ [~johnny@joonix.se] has joined ##openvpn
18:27 -!- rkantos_ [robin@hp1.jaketus.net] has quit [Ping timeout: 264 seconds]
18:27 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Ping timeout: 264 seconds]
18:27 -!- balboah [~johnny@joonix.se] has quit [Ping timeout: 264 seconds]
18:39 -!- jetole [~Joe@irc.fossl.net] has quit [Ping timeout: 260 seconds]
18:39 -!- SerajewelKS [~me@wikipedia/Crazycomputers] has quit [Ping timeout: 260 seconds]
18:40 -!- jetole [~Joe@irc.fossl.net] has joined ##openvpn
18:40 -!- SerajewelKS [~me@wikipedia/Crazycomputers] has joined ##openvpn
18:57 -!- SkyX [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
19:01 -!- tjz [~pc@bb116-15-61-34.singnet.com.sg] has joined ##openvpn
19:01 -!- tjz [~pc@bb116-15-61-34.singnet.com.sg] has quit [Changing host]
19:01 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
19:23 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Connection reset by peer]
19:24 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
19:24 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
19:24 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
20:08 -!- jww_ [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Ping timeout: 246 seconds]
20:08 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
21:11 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has quit [Ping timeout: 252 seconds]
22:46 -!- takamichi [~pri@213.163.66.192] has quit [Ping timeout: 260 seconds]
22:58 -!- takamichi [~pri@213.163.66.192] has joined ##openvpn
23:27 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:29 -!- takamichi [~pri@213.163.66.192] has quit [Ping timeout: 264 seconds]
23:35 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
23:39 -!- takamichi [~pri@213.163.66.192] has joined ##openvpn
--- Day changed Fri Mar 19 2010
01:17 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
01:51 -!- atlantic [~atlantic@hok.duf.hu] has joined ##openvpn
01:52 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
02:03 -!- clyons [~clyons@unaffiliated/clyons] has quit [Quit: Leaving]
02:26 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:26 -!- mode/##openvpn [+o mattock] by ChanServ
02:27 -!- LobbyZ [~default@188.72.255.194] has quit [Quit: Free FTW]
02:39 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
02:47 -!- d303k [~heiko@vpn.astaro.de] has quit [Remote host closed the connection]
02:48 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
02:49 -!- d12fk [~heiko@vpn.astaro.de] has joined ##openvpn
02:52 -!- Thuuugs [~sdanaksn@ppp118-208-89-146.lns20.bne4.internode.on.net] has quit [Ping timeout: 276 seconds]
02:54 < Error404NotFound> I am asked to setup a shared-static-key openvpn client with key of "HelloVPN", what does it mean? does static.key (or whatever) has to contain this text exactly? wasn't there a command like openvpn --genkey or something?
03:24 < |Mike|> You might want to use openssl to generate your private key ;)
03:26 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
03:37 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
03:45 -!- Diffen2 [~diffen2@mail.feab.se] has joined ##openvpn
03:49 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
04:11 -!- master_of_master [~master_of@p57B540FD.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
04:12 -!- stephenh [~stephenh@94-23-158-103.kimsufi.com] has quit [Ping timeout: 245 seconds]
04:12 -!- master_of_master [~master_of@p57B57DAB.dip.t-dialin.net] has joined ##openvpn
04:17 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
04:18 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.8/20100214235958]]
04:25 -!- huzaifas [~huzaifas@nat/redhat/x-pkmpdlhkdcxpbajf] has joined ##openvpn
04:25 < huzaifas> hi
04:25 < huzaifas> i am trying to use nc to read the mangement interface
04:25 < huzaifas> but there is no response
04:25 < huzaifas> any tips on trouble shooting what could be wrong?
04:27 < |Mike|> "management interface" elaborate yourself :-)
04:29 < huzaifas> i am using --mangement 127.0.0.1 1194
04:44 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
04:45 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 240 seconds]
05:01 -!- Clumsy [~Clumsy@xbmc/staff/clumsy] has joined ##openvpn
05:01 < Clumsy> !welcome
05:01 < vpnHelper> Clumsy: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:15 -!- jhaar [~jhaar@2001:470:828b:0:21c:bfff:fea9:1197] has joined ##openvpn
05:20 -!- jhaar [~jhaar@2001:470:828b:0:21c:bfff:fea9:1197] has quit [Quit: Leaving.]
05:20 -!- jhaar [~jhaar@2001:470:828b:0:21c:bfff:fea9:1197] has joined ##openvpn
05:26 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 260 seconds]
05:43 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
05:46 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:11 -!- DarthGandalf is now known as DarthGandalf|BNC
06:20 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 246 seconds]
06:20 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
06:22 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
06:23 -!- DarthGandalf|BNC is now known as DarthGandalf
06:24 -!- ufoman_ [ufoman@kolos.math.uni.lodz.pl] has joined ##openvpn
06:25 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
06:25 -!- MatBoy_ [~MatBoy@wiljewelwetenhe.xs4all.nl] has joined ##openvpn
06:25 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
06:28 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has quit [Ping timeout: 268 seconds]
06:29 -!- Netsplit *.net <-> *.split quits: mkay, ufoman, MattJD, Grapsus, a-zlex, GBit, redfox, MatBoy
06:31 -!- huzaifas [~huzaifas@nat/redhat/x-pkmpdlhkdcxpbajf] has quit [Quit: Leaving]
06:34 -!- mkay [~mkay@sla.com.pl] has joined ##openvpn
06:34 -!- a-zlex [~as@null0.ipv6.bgp4.org] has joined ##openvpn
06:35 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
06:35 -!- mkay [~mkay@sla.com.pl] has quit [Changing host]
06:35 -!- mkay [~mkay@gentoo/user/mkay] has joined ##openvpn
06:36 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
06:38 -!- MatBoy_ [~MatBoy@wiljewelwetenhe.xs4all.nl] has quit [Quit: leaving]
06:41 -!- redfox [~redfox2@ns351996.ovh.net] has joined ##openvpn
06:41 -!- redfox is now known as Guest58385
06:45 -!- SandGorgon [~OmNomNomO@122.160.41.129] has joined ##openvpn
06:47 < SandGorgon> can I restrict certain client certificates to certain ip addresses - for example I want "client1" to be only be able to connect if they are connecting from a particular IP address. Other clients "admin-client1" to be able to connect from any IP address
06:47 < SandGorgon> !welcome
06:47 < vpnHelper> SandGorgon: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:48 < SandGorgon> !/30
06:48 < vpnHelper> SandGorgon: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
07:14 -!- Clumsy [~Clumsy@xbmc/staff/clumsy] has quit [Quit: Clumsy]
07:23 < rob0> !ccd
07:23 < vpnHelper> rob0: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
07:25 -!- DarthGandalf is now known as DarthGandalf|BNC
07:28 < |Mike|> what, am I connected to quakenet?!
07:29 < Krikke> O_o
07:29 < Krikke> this is freenode
07:30 < |Mike|> DarthGandalf is now known as DarthGandalf|BNC
07:30  * |Mike| did quit Quakenet for such *peeps*
07:30 < Krikke> ah :D
07:31 -!- DarthGandalf|BNC is now known as DarthGandalf
07:31 < |Mike|> DarthGandalf: could you please remove that afk nick, tnx.
07:31 < Krikke> that's how much I follow the backlog
07:31  * |Mike| has a big screen ;)
07:37 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
07:37 < Krikke> 80x24 in putty
07:38 < rob0> ewww.
07:40 < Krikke> yeah
07:51 < SandGorgon> can I restrict certain client certificates to certain ip addresses - for example I want "client1" to be only be able to connect if they are connecting from a particular IP address. Other clients "admin-client1" to be able to connect from any IP address
07:52 < Rienzilla> maybe with ccd directory?
07:52 < Rienzilla> I'm not sure
07:55 < macsppadic> SandGorgon: yes ccd is ur friend 
07:55 < macsppadic> u will have to make files with the same name within that folder as the client s connecting 
07:55 < macsppadic> client-config-dir option in openvpn 
07:55 < macsppadic> !client-config-dir
07:55 < vpnHelper> macsppadic: Error: "client-config-dir" is not a valid command.
07:56 < SandGorgon> macsppadic, I have ccd setup to assign static IPs to clients.
07:56 < macsppadic> baah
07:56 < macsppadic> if i remember right- the order in which the connection is looked for depends on the ccd specific file n then last it defaults to generic settins in the openvpn.conf 
07:56 < SandGorgon> macsppadic, however I want to restrict a particular client (which implies a particular cert file) to be only allowed to connect if it is coming from a particular IP address.
07:58 < SandGorgon> for example - I want regular employees to be able to connect from anywhere, however contractors can only use their certificates to connect iff they are in the office
08:07 < rob0> Did you ignore the bot factoid I showed you earlier?
08:07 < rob0> Does that not answer your question?
08:08 < macsppadic> !learn-address
08:08 < vpnHelper> macsppadic: Error: "learn-address" is not a valid command.
08:08 < rob0> SandGorgon, scroll up to 12:23 UTC
08:10 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 260 seconds]
08:10 < SandGorgon> rob0, do u mean ccd - sorry, but I was not able to restrict the IP address from which a client is able to connect from. I am able to configure ccd to restrict the client's assigned IP addresses though. could you help me a bit ?
08:11 < rob0> oh connect FROM
08:11 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:11 < rob0> hmmm
08:11 < macsppadic> rob0: doesnt learn-address script enable dynamic chnage of firewall access ?
08:11 < rob0> probably yes
08:12 < rob0> I've never messed with that
08:12 < macsppadic> me neithre
08:12 < SandGorgon> macsppadic, should I google on learn-address ?
08:12 < rob0> some sort of script is what's needed, offhand I don't know which one
08:12 < macsppadic> http://pwet.fr/man/linux/administration_systeme/openvpn
08:12 < vpnHelper> Title: man openvpn - secure IP tunnel daemon. / Outils d'administration système (at pwet.fr)
08:12 < macsppadic> there u go SandGorgon 
08:12 < macsppadic> have a look see in there
08:12 < rob0> um, "man openvpn"
08:13 < macsppadic> tho i would suggest man pages as rob0 says
08:16 < macsppadic> Since  OpenVPN  provides the association between virtual IP or MAC address and the client’s authenticated common name, it
08:16 < macsppadic>               allows a user-defined script to configure firewall access policies with regard to the client’s  high-level  common  name,  rather
08:16 < macsppadic>               than the low level client virtual addresses.
08:16 < macsppadic> aargh 
08:16 < macsppadic> damn it
08:18 < rob0> So what's the real goal here? Some clients can connect from anywhere, but one has to be restricted to connect from a specific IP address?
08:18 < macsppadic> i believe so rob0 
08:20 < SandGorgon> macsppadic, rob0 - I believe that I will have to write a "client-connect" script.. atleast that's what I learned from google
08:20 < ecrist> good morning
08:21 < macsppadic> http://www.mail-archive.com/slug@slug.org.au/msg63849.html perhaps of some use SandGorgon 
08:21 < vpnHelper> Title: Re: [SLUG] Restricting access to certain IP addresses with OpenVPN (at www.mail-archive.com)
08:21 < rob0> SandGorgon: ^ the question above was for you
08:21 < SandGorgon> rob0, yup exactly... 
08:23 -!- dazo_afk is now known as dazo
08:23 < SandGorgon> macsppadic, great link! I think I can google up ahead.. thanks!
08:23 < macsppadic> np SandGorgon 
08:28 < rob0> That would be a trivial script, a one-liner, in bash(1): if ! [ "$2" = "permit.IP.add.ress" ]; then exit 1 ; fi
08:43 -!- Diffen2 [~diffen2@mail.feab.se] has quit [Quit: This computer has gone to sleep]
09:16 -!- SandGorgon [~OmNomNomO@122.160.41.129] has quit [Ping timeout: 246 seconds]
09:16 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
09:36 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:58 < balboah_> anyone tried running openvpn on powerpc with limited hardware (dreambox)?
09:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:36 < takamichi> Can someone recommend a good openvpn gui for linux?
10:39 -!- SandGorgon [~OmNomNomO@122.162.124.26] has joined ##openvpn
10:56 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
10:58 -!- elventear [~elventear@2001:470:1f11:7d2:226:4aff:fe12:5092] has joined ##openvpn
10:58 -!- elventear [~elventear@2001:470:1f11:7d2:226:4aff:fe12:5092] has quit [Client Quit]
11:00 -!- Otacon22 [~otacon22@93-36-88-88.ip59.fastwebnet.it] has quit [Disconnected by services]
11:00 -!- Otacon22_ [~otacon22@93-36-88-88.ip59.fastwebnet.it] has joined ##openvpn
11:01 -!- Otacon22_ [~otacon22@93-36-88-88.ip59.fastwebnet.it] has quit [Remote host closed the connection]
11:05 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Quit: ircN 8.00 for mIRC (20080809) - www.ircN.org]
11:14 -!- Kaspx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
11:14 -!- mode/##openvpn [+v Kaspx] by ChanServ
11:17 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 258 seconds]
11:27 -!- Kaspx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Quit: Leaving]
11:34 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
11:34 -!- mode/##openvpn [+v Kas] by ChanServ
11:46 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
12:12 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
12:36 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
12:37 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
12:40 -!- topher [~topher@epiar/founder/topher] has joined ##openvpn
12:42 < topher> im interested in using openvpn but it seems to imply that it requires a client installed on a random box (say xp or os x). both xp and os x include built in vpn client software ala pptp or l2tp. does openvpn work with this or does it require an openvpn-specific client?
12:43 < topher> i would assume openvpn does not require openvpn-specific client software and the stuff that comes with xp or os x will work but i want to confirm before diving into this
12:44 < rob0> !pptp
12:44 < vpnHelper> rob0: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
12:44 < vpnHelper> rob0: read about why to not use pptp
12:44 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
12:45 < topher> oo, wikipedia apparently says my assumption is wrong. so i do need openvpn-specific client software?
12:45 < rob0> Assumption re: Windows is wrong. OpenVPN is not shipped by Microsoft. Apple probably does.
12:46 < rob0> But I suppose if Internet Exploder is good enough for you, so is PPTP. :)
12:50 < topher> ah i see
12:55 < topher> thanks for the help #openvpn!
13:04 < Hypnoz> Windows Client -- http://openvpn.net/index.php/open-source/downloads.html
13:04 < Hypnoz> Mac Client -- http://code.google.com/p/tunnelblick/
13:04 < vpnHelper> Title: Downloads (at openvpn.net)
13:04 < vpnHelper> Title: tunnelblick - Project Hosting on Google Code (at code.google.com)
13:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
13:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:10 -!- Sleeping`Dragon [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
13:12 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 276 seconds]
13:40 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
14:13 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
14:32 -!- toolman667 [~unknown@adsl-76-254-28-173.dsl.pltn13.sbcglobal.net] has joined ##openvpn
14:33 -!- toolman667 [~unknown@adsl-76-254-28-173.dsl.pltn13.sbcglobal.net] has left ##openvpn []
14:57 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
14:58 -!- bdheeman [~bdheeman@bdheeman-2-pt.tunnel.tserv20.hkg1.ipv6.he.net] has joined ##openvpn
14:59 < bdheeman> hi, friends :)
14:59 -!- topher [~topher@epiar/founder/topher] has left ##openvpn []
14:59 < bdheeman> here at http://cto.homelinux.net/pub/Linux/ports/distfiles/openvpn-config.tar.xz is partially developed package, try it if you want to have an early look at how it works
15:04 -!- dazo is now known as dazo_afk
15:09 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 240 seconds]
15:11 -!- Netsplit *.net <-> *.split quits: Optic, Visual`, fremo__, crazygir, DarthGandalf, zero-_, Krikke, Deepy, mrnice1, insane^,  (+3 more, use /NETSPLIT to show all of them)
15:12 -!- Netsplit over, joins: fremo__
15:13 -!- Netsplit over, joins: uchimata
15:14 -!- insane^ [~jg@pizza.internetx.de] has joined ##openvpn
15:14 -!- mrnice1 [bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
15:15 -!- AntoineBk [~Antoine@188.165.75.17] has joined ##openvpn
15:15 -!- Deepy [deepy@109-124-137-48.customer.t3.se] has joined ##openvpn
15:15 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
15:15 -!- Optic [~Optic@miso.capybara.org] has joined ##openvpn
15:15 -!- crazygir [~jason@unaffiliated/crazygir] has joined ##openvpn
15:15 -!- zero-_ [~zero@195.88.84.100] has joined ##openvpn
15:15 -!- plundra [404@article.se] has joined ##openvpn
15:15 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
15:15 -!- Krikke [~ixevix@62.142.105.142] has joined ##openvpn
15:29 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
15:29 -!- mode/##openvpn [+o openvpn2009] by ChanServ
15:47 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
16:02 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
16:03 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
16:12 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
16:18 -!- Igg-man [~kc0itq@75-146-149-17-MInnesota.hfc.comcastbusiness.net] has left ##openvpn []
16:23 -!- Without [Without@218.111.10.24] has joined ##openvpn
16:30 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
16:35 -!- bdheeman [~bdheeman@bdheeman-2-pt.tunnel.tserv20.hkg1.ipv6.he.net] has left ##openvpn []
16:35 -!- Without [Without@218.111.10.24] has quit []
16:39 -!- agagag_ is now known as agagag
16:49 -!- Without [Without@218.111.10.24] has joined ##openvpn
17:15 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Quit: I am off]
17:18 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
17:50 -!- lifechamp [~gary@201.39.174.228] has joined ##openvpn
17:51 < lifechamp> Hi, I need to make some online payments and hitting security blocks as I am outside US. Can I use a VPN to get an American IP to circumvent this (with, say, smallvpn.com), and, if so, what is better option, OpenVPN, or OpenSSH, just to make some payments online?
18:49 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
19:03 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
19:35 -!- lifechamp [~gary@201.39.174.228] has quit [Quit: lifechamp]
19:36 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
19:40 -!- takamichi [~pri@213.163.66.192] has quit [Ping timeout: 245 seconds]
19:40 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
19:40 -!- takamichi [~pri@213.163.66.192] has joined ##openvpn
19:51 -!- jhaar [~jhaar@2001:470:828b:0:21c:bfff:fea9:1197] has quit [Read error: Operation timed out]
20:00 -!- jhaar [~jhaar@2001:470:828b:0:21c:bfff:fea9:1197] has joined ##openvpn
20:05 -!- FinnTux [~smr@et456.netikka.fi] has quit [Ping timeout: 276 seconds]
20:11 -!- jhaar [~jhaar@2001:470:828b:0:21c:bfff:fea9:1197] has quit [Read error: Operation timed out]
20:15 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
20:15 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has joined ##openvpn
20:21 -!- Sleeping`Dragon [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 246 seconds]
20:36 -!- Sleeping`Dragon [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
20:43 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has quit [Quit: Leaving.]
20:44 -!- tjz [~pc@bb121-7-13-184.singnet.com.sg] has joined ##openvpn
20:44 -!- tjz [~pc@bb121-7-13-184.singnet.com.sg] has quit [Changing host]
20:44 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:52 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Quit: Távozom]
20:57 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Ping timeout: 268 seconds]
21:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
21:14 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
21:37 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has joined ##openvpn
21:40 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has quit [Client Quit]
21:41 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has joined ##openvpn
21:42 -!- Sleeping`Dragon [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 264 seconds]
21:58 < Bushmills> if you have access to an openvpn system outsite your defensive perimeter, then yes
22:04 -!- nb_ [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
22:07 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
22:27 -!- sonnie [~sonnie@202.141.162.106] has quit [Ping timeout: 246 seconds]
22:28 -!- sonnie [~sonnie@202.141.162.106] has joined ##openvpn
22:34 -!- fbe [~fbe@91.177.45.54] has joined ##openvpn
22:34 < fbe> hi.
22:35 < fbe> trying openvpn-as, is somoeone here having a clue about "Main Page: error communicating with server agent" ? (and yes, i've read the FAQ and my license is ok)
22:38 < rob0> Did the entrymsg mention AS?
22:38 < fbe> #openvpn-as ?
22:39 < fbe> the entrymsg *did* mention openvpn
22:39 < fbe> so at least, i can try
22:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
22:44 < fbe> AS seems to fuck quite well in fact
22:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
22:59 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Quit: ZNC - http://znc.sourceforge.net]
22:59 -!- nb_ is now known as nb
23:00 < rob0> :) Doesn't the company provide commercial support? Or is that something you pay extra for?
23:10 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
23:13 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
23:15 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 276 seconds]
23:32 -!- SandGorgon [~OmNomNomO@122.162.124.26] has quit [Read error: Operation timed out]
23:44 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Read error: Connection reset by peer]
23:55 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
--- Day changed Sat Mar 20 2010
00:10 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
00:31 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
00:58 -!- Without [Without@218.111.10.24] has quit []
01:10 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
01:11 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
01:21 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
01:24 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
01:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
01:37 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
01:38 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Read error: Connection reset by peer]
01:45 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
01:45 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has quit [Client Quit]
01:51 -!- sno [~sno@static.153.209.46.78.clients.your-server.de] has quit [Ping timeout: 256 seconds]
01:51 -!- sno [~sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn
01:55 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
02:12 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 240 seconds]
02:22 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Ping timeout: 276 seconds]
03:12 -!- ease2 [~ease@114.92.144.55] has joined ##openvpn
03:45 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.8/20100214235958]]
04:11 -!- master_of_master [~master_of@p57B57DAB.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
04:12 -!- master_of_master [~master_of@p57B53C31.dip.t-dialin.net] has joined ##openvpn
04:14 -!- Sleeping`Dragon [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
04:16 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 264 seconds]
04:22 -!- ease2 [~ease@114.92.144.55] has quit [Read error: Connection reset by peer]
04:47 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
04:52 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:15 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
05:16 -!- slav0nic [~o@bogelena.dp.ua] has joined ##openvpn
05:17 < slav0nic> hi, i have some trouble. Connected to VPN via NAT server, and client sended my local local network IP (not public ip), can i set it manual?
05:21 < agagag> slav0nic: maybe this will help?
05:21 < agagag> !nat
05:21 < vpnHelper> agagag: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
05:26 < slav0nic> no=\
05:27 < slav0nic> i have bad source address from client
05:47 -!- reiffert_ is now known as reiffert
05:51 -!- slav0nic [~o@bogelena.dp.ua] has quit [Ping timeout: 265 seconds]
05:54 -!- slav0nic [~o@icore.com.ua] has joined ##openvpn
05:55 -!- slav0nic [~o@icore.com.ua] has quit [Remote host closed the connection]
06:43 -!- Guest58385 is now known as redfox
06:44 -!- redfox is now known as Guest61344
07:08 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
07:48 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
08:00 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
08:04 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
08:06 -!- Sleeping`Dragon [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 240 seconds]
08:11 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
08:11 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
08:17 -!- Sleeping`Dragon [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
08:18 -!- Err404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 265 seconds]
09:02 -!- Sleeping`Dragon [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
09:23 -!- bdheeman [~bdheeman@122.173.23.154] has joined ##openvpn
09:46 < bdheeman> hi, friends!
09:46 < gorkhaan> hi
09:48 < bdheeman> The development and in house testing of 'openvpn-config' is complete, user and, or testers may fetch a fresh copy at http://anu.homelinux.net/pub/Linux/ports/distfiles/openvpn-config.tar.xz
09:50 < bdheeman> The 'openvpn-config' is wizard written in bash based of easy-rsa and a few other scripts
09:50 < bdheeman> s/based of/based on/
10:03 -!- bdheeman [~bdheeman@122.173.23.154] has left ##openvpn []
10:50 -!- dug_ [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
10:51 -!- dug` [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Ping timeout: 258 seconds]
11:30 -!- _Syamz [rhel@72.20.37.172] has joined ##openvpn
11:30 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
11:30 -!- _Syamz [rhel@72.20.37.172] has quit [Excess Flood]
11:31 -!- _Syamz [rhel@72.20.37.172] has joined ##openvpn
11:31 -!- _Syamz is now known as LowKey
11:31 -!- LowKey [rhel@72.20.37.172] has quit [Changing host]
11:31 -!- LowKey [rhel@unaffiliated/lowkey] has joined ##openvpn
11:32 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Client Quit]
11:32 -!- LowKey [rhel@unaffiliated/lowkey] has joined ##openvpn
12:19  * LowKey is away (Offline)
13:16 -!- havoc [~havoc@saturn.chaillet.net] has joined ##openvpn
13:16 < havoc> afternoon
13:17  * havoc is fighting w/ win7
13:17 < havoc> stupid thing connects (as client) fine, ping works, then starts failing
13:18 < havoc> ping works as soon as it connects, then starts failing
13:19 < havoc> ...until the vpn connection times out and it reconnects
13:19 < havoc> it only works for a few seconds
13:20 < havoc> I'm guessing a firewall issue, but I have yet to locate the specific rule
13:51 -!- Guest61344 is now known as redfox
13:52 -!- takamichi [~pri@213.163.66.192] has quit [Ping timeout: 246 seconds]
13:52 -!- redfox is now known as Guest31393
13:53 < havoc> yup, tracked down the offending FW rules
13:53 -!- havoc [~havoc@saturn.chaillet.net] has left ##openvpn ["god I hate win7"]
13:55 -!- Guest31393 is now known as redfox
15:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
15:41 -!- Sorcier_FXK [~Sorcier_F@unaffiliated/sorcierfxk] has quit [Remote host closed the connection]
15:41 -!- Sorcier_FXK [~Sorcier_F@rps2660.ovh.net] has joined ##openvpn
15:51 -!- Sorcier_FXK [~Sorcier_F@rps2660.ovh.net] has quit [Changing host]
15:51 -!- Sorcier_FXK [~Sorcier_F@unaffiliated/sorcierfxk] has joined ##openvpn
15:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
16:21 -!- fbe_ [~fbe@91.179.68.7] has joined ##openvpn
16:22 -!- fbe [~fbe@91.177.45.54] has quit [Ping timeout: 265 seconds]
17:25 -!- bdheeman [~bdheeman@122.173.23.154] has joined ##openvpn
17:54 < krzie> hello ladies, gentlemen, and ecrist 
17:54 < krzie> ;]
18:08 -!- Some-body_ [~Vetinari@pyramid.cluenet.org] has joined ##openvpn
18:09 -!- plndra [404@article.se] has joined ##openvpn
18:13 -!- Netsplit *.net <-> *.split quits: plundra, DarthGandalf
18:13 -!- Some-body_ is now known as DarthGandalf
18:13 -!- DarthGandalf [~Vetinari@pyramid.cluenet.org] has quit [Changing host]
18:14 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
18:32 -!- bdheeman [~bdheeman@122.173.23.154] has quit [Quit: ircII EPIC4-2.0 Plan9 4 -- Are we there yet?]
18:49 -!- plndra is now known as plundra
19:55 -!- ltgamer [~scotty@120.29.241.2] has joined ##openvpn
19:55 < ltgamer> !welcome
19:55 < vpnHelper> ltgamer: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:56 < ltgamer> !goal
19:56 < vpnHelper> ltgamer: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:56 < krzie> fire away
19:56 < ltgamer> !logs
19:56 < vpnHelper> ltgamer: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
19:56 < ltgamer> hi
19:57 < krzie> lets start with goal
19:57 -!- CaBa [~caba@unique-inter.net] has quit []
19:57 < ltgamer> I'm trying to install OpenVPN onto a CentOS v5.3 VM and I get a wierd error when I run the conf
19:58 < ltgamer> (just checking it now)
19:58 < ltgamer> error could not initialize sa
19:58 < ltgamer> Eventually the goal is to allow remote computers access to the LAN behind the server
19:59 < rob0> What is "sa"?
19:59 < ltgamer> no idea
19:59 < ltgamer> that is the error
20:00 < ltgamer> it occours during the inital config '/usr/local/openvpn_as/bin/ovpn-init'
20:00 < rob0> How do you "run the conf"?
20:00 < ltgamer> right after putting in the serial
20:00 < rob0> oh, AS
20:00 < ltgamer> it's lowercase for me
20:00 < ltgamer> but sure
20:01 < ltgamer> it's a plain centos v5.3 with only the stock server packages
20:01 < ltgamer> im just firing up a new one atm to play with
20:02 < rob0> I've never used the commercial Access Server product. This channel is for the GPL'ed openvpn project. AS is based on the GPL code, but I don't know anything more than that.
20:02 < ltgamer> oh, there are two?
20:02 < ltgamer> right
20:02 < ltgamer> that makes more sense now
20:02 < ltgamer> (ive only been looking at it for the past 30min)
20:03 < ltgamer> but I couldn't see anything on the error, so I came here ;)
20:03 < ltgamer> what's the site for the gpl version?
20:03 < ltgamer> (I had assumed it was just a similar product seperation to smoothwall)
20:04 < krzie> !as
20:04 < vpnHelper> krzie: Error: "as" is not a valid command.
20:04 < krzie> !factoids search access
20:04 < vpnHelper> krzie: "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations options
20:04 < vpnHelper> krzie: supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://beta.openvpn.net/index.php/access-server/download-openvpn-as.html
20:04 < krzie> hrm
20:04 < krzie> it does not mention that we dont really support access server here
20:04 < rob0> The entrymsg does, IIRC.
20:04 < krzie> for the open source version
20:05 < krzie> rob0 ahh prolly right
20:05 < krzie> for opensource:
20:05 < krzie> !download
20:05 < vpnHelper> krzie: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) see !gui for more information for Windows clients.
20:05 -!- krzie [~krzee@butters.secure-computing.net] has left ##openvpn []
20:05 -!- krzie [~krzee@butters.secure-computing.net] has joined ##openvpn
20:05 < krzie> yup, its there in CAPS
20:05 < ltgamer> ah same site, different section
20:05 < ltgamer> excellent
20:06 < krzie> =]
20:06 < rob0> It would be an ancient version, but I bet CentOS has it.
20:07 < ltgamer> probably
20:07 < ltgamer> might as well build and install the current
20:07  * ltgamer is just reading through the documentation page
20:10 < krzie> good call on current
20:10 < krzie> and the docs
20:10 < krzie> !man
20:10 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
20:10 < krzie> !howto
20:10 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
20:11 < krzie> also, you mentioned wanting to have access to your LAN(s)...
20:11 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
20:11 < krzie> !route
20:11 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:11 < ltgamer> thx
20:11 < krzie> that is a writeup i made which goes over setting up 3 lans being accessed over the vpn, 1 behind server and 1 behind each of 2 clients
20:12 < ltgamer> i need to get a vpn up as my sister is away on holiday (out of country). Her machine has decided that it has been away from the AD server for over a month and is going to lock her out of the AD account. So I need to get her to vpn back in and talking to the AD server so she can use her normal account again :S
20:12 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 265 seconds]
20:12 < ltgamer> cool
20:14 < ltgamer> well ill have a read, play and see how I go
20:14 < ltgamer> thanks a lot for the pointers
20:15 < krzie> np =]
20:17 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
20:19 -!- tjz [~pc@bb121-7-67-184.singnet.com.sg] has joined ##openvpn
20:19 -!- tjz [~pc@bb121-7-67-184.singnet.com.sg] has quit [Changing host]
20:19 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:20 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
20:20 < tjz> Good Morning, guys~
21:02 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
21:02 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
21:04 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
21:12 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
21:14 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
21:21 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.8/20100214235958]]
21:24 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Quit: Távozom]
21:33 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
21:51 -!- takamichi [~pri@213.163.66.192] has joined ##openvpn
22:08 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
22:20 -!- takamichi [~pri@213.163.66.192] has quit [Ping timeout: 258 seconds]
22:28 -!- takamichi [~pri@213.163.66.192] has joined ##openvpn
23:48 < tjz> If you have watch the documentary 'the cove' about jap killing dolphin.. check out the south park verion - hilarious http://www.southparkstudios.com/episodes/251888/
23:48 < vpnHelper> Title: South Park Episode Player - Whale Whores (at www.southparkstudios.com)
23:53 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
--- Day changed Sun Mar 21 2010
00:11 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
00:26 -!- takamichi [~pri@213.163.66.192] has quit [Ping timeout: 260 seconds]
01:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
02:14 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
02:19 -!- ltgamer [~scotty@120.29.241.2] has quit [Read error: Connection reset by peer]
02:29 -!- atlantic [~atlantic@hok.duf.hu] has quit [Ping timeout: 258 seconds]
02:33 -!- ltgamer [~scotty@120.29.241.2] has joined ##openvpn
03:46 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.8/20100214235958]]
04:02 -!- gimpy530 [~white@c-67-163-185-220.hsd1.pa.comcast.net] has joined ##openvpn
04:02 -!- gimpy530 [~white@c-67-163-185-220.hsd1.pa.comcast.net] has left ##openvpn []
04:02 -!- gimpy530 [~white@c-67-163-185-220.hsd1.pa.comcast.net] has joined ##openvpn
04:04 < gimpy530> !welcome
04:04 < vpnHelper> gimpy530: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:09 -!- dug` [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
04:11 -!- master_of_master [~master_of@p57B53C31.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
04:12 < gimpy530> OpenVPN in Tomato is not working and the only clue is that once connected the client shows: local (bound): [undef]:1195, why does it say undef?
04:12 -!- dug_ [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Ping timeout: 268 seconds]
04:12 -!- master_of_master [~master_of@p57B565EC.dip.t-dialin.net] has joined ##openvpn
04:25 < reiffert> "Tomato"?
04:26 < reiffert> [undef] should be the local ip address like e.g. [5.4.2.6]:1195
04:27 < reiffert> you should be able to change that by 'local 6.5.4.3' in your config file
04:27 < reiffert> !factoids search --values local
04:27 < vpnHelper> reiffert: 'ifconfig', 'bridge-dhcp', 'dhcp', 'nobind', 'wintaphide', 'local', and 'win2k8'
04:27 < reiffert> !local
04:27 < vpnHelper> reiffert: "local" is a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
04:27 < reiffert> forget about that, it's --local in the manpage, see
04:27 < reiffert> !man
04:27 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
04:28 < gimpy530> I tried setting that but let me play around with it
04:40 -!- barbie [~barbie@109.65.184.122] has joined ##openvpn
04:40 < barbie> hii all
04:41 < gimpy530> reiffert: Still fails: http://pastebin.com/tPuVLu6F
04:43 < reiffert> allright, remove the local 10.4.4.2, [undef] will be fine.
04:44 < barbie> i try to config the openvpn on win compeuter, 
04:44 < barbie> and connect to the linux machin
04:44 < gimpy530> How would undef be fine if it does not get an IP, when it says undef it simply gets an APIPA.
04:46 < barbie> gimpy530, do ypu want the ip address?
04:47 < reiffert> gimpy530: undef means "all" IIRC.
04:47 < reiffert> gimpy530: you can check this with netstat -an |grep 1195
04:48 < gimpy530> I'll explain this a bit more; This is on a Windows client; I have never used OpenVPN before now; When I connect and it says "undef", ipconfig shows an APIPA address on TUN0, which is the VPN NIC I told it to use.
04:51 < gimpy530> So my unqualified idea is that undef=bad
04:55 < reiffert> ah. so that message is coming from your client, right?
04:56 < gimpy530> Yes, the Windows box is the client.
04:56 < reiffert> At the beginning I was asking for "Tomato"? Please paste client and server config file and tell me which openvpn version you are using.
05:00 < gimpy530> server: http://pastebin.com/yH08T96Q   --  client: http://pastebin.com/UBzaQQZC  --  Tomato is a router firmware btw, and I assume there are stupid mistakes in my configs since I have no idea what I am doing, wel barely any idea at least
05:09 < reiffert> because when you came here, you said that openvpn on tomato/serverside is broken.
05:09 < reiffert> dev tun21 twenty-one??
05:10 < gimpy530> I'm not positive if the problem is server side or client.  No idea about the 21, that's what tomato made it.
05:10 < reiffert> on client conf, remove the port 1195 line and have the remote line like this:
05:11 < reiffert> remote host 1195
05:11 -!- cityOfLights [~user@p11811112.orange.net.il] has joined ##openvpn
05:11 < reiffert> you might want to change dev tun21 to "dev tun"
05:11 < cityOfLights> hi reiffert
05:12 < cityOfLights> I got openvpn in bridging working on my N900
05:12 < cityOfLights> but I still need help
05:13 < cityOfLights> how to have udhcpc issue after the openvpn device is ready
05:13 < cityOfLights> I tried --up-delay 
05:14 < cityOfLights> I tried adding sleep 15 before running udhcpc
05:14 < reiffert> --connect "some.shell.script.you.write.sh"
05:15 < cityOfLights> min pls seeking connect argument in man
05:15 < gimpy530> Still just gives the error "Socket bind failed on local address 10.4.4.2:1142: The requested address is not valid in its context."
05:16 < reiffert> gimpy530: would you please try that client config with a non windows client?
05:17 < gimpy530> That would be difficult as I'll need to build a Linux box outside my internal network.
05:17 < reiffert> allright, when it comes to windows you need to have that ifconfig line different than you do.
05:18 < reiffert> windows only works with /30 networks, read up here:
05:18 < reiffert> !topology
05:18 < vpnHelper> reiffert: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
05:18 < reiffert> !/30
05:18 < vpnHelper> reiffert: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
05:18 < reiffert> and you didnt tell me about your openvpn version I was asking for.
05:19 < barbie> how i can make open-vpn server on ubuntu 9.10??
05:19 < reiffert> barbie: 
05:19 < cityOfLights> reiffert: I only see a --connect-client argument
05:19 < reiffert> !howto
05:19 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
05:19 < gimpy530> reiffert: OpenVPN 2.1.1 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Feb 17 2010
05:19 < barbie> i read it
05:20 < barbie> it totaly not work
05:20 < barbie> i try it
05:20 < reiffert> cityOfLights: sorry for that, use --up "script.sh"
05:20 < reiffert> gimpy530: and your client?
05:20 < cityOfLights> I am using --up
05:21 < reiffert> barbie: in fact it's one of the best howtos out there. follow that of choose another vpn software.
05:21 < reiffert> s,of choose,or choose,
05:21 < gimpy530> client: OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009
05:21 < cityOfLights> if I run openvpn start then udhcpc start all works
05:21 < cityOfLights> if I use --up "openvpn start" it doesnt work
05:21 < barbie> reiffert, is very importent to me..
05:22 < reiffert> barbie: then follow the howto.
05:22 < reiffert> cityOfLights: up "script"
05:22 < barbie> but is very it not work
05:22 < reiffert> barbie: from where on?
05:23 < cityOfLights> reiffert: my script is a udhcpc deamon
05:23 < barbie> you can giude me to the exact "how to"
05:23 < cityOfLights> reiffert: as I need also --down "openvpn stop"
05:23 < cityOfLights> am I wrong?
05:23 < barbie> i need only a simple server
05:25 < barbie> reiffert ^
05:25 < cityOfLights> barbie: did u try the openvpn documantation ?
05:25 < barbie> yes
05:25 < cityOfLights> which setup?
05:25 < barbie> with the exsampels
05:26 < barbie> i try also with Gadmin
05:27 < cityOfLights> barbie: please marke sure you got a line in your config that starts with log /var
05:27 < cityOfLights> then tell us the last line of error there
05:27 < cityOfLights> in that log file
05:27 < barbie> how i see that?
05:28 < barbie> what log file??
05:28 < cityOfLights> less /var/log/file
05:28 < barbie> i have many files..
05:29 < cityOfLights> reiffert: should I add sleep in thre up script?
05:29 < barbie> cityOfLights less /var/log/WHAT FILE?
05:30 < cityOfLights> barbie: only the file that in the open vpn config
05:30 < barbie> i cant see that file
05:30 < cityOfLights> so if the config is /etc/openvpn/openvpn.conf
05:31 < cityOfLights> look in it for a line starting with log
05:31 < barbie> but i cant see a log file of open vpn...
05:33 -!- barbie-server [~inbar@109.65.184.122] has joined ##openvpn
05:34 < barbie-server> hii again
05:34 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
05:34 -!- mode/##openvpn [+o mattock] by ChanServ
05:35 < barbie-server> http://pastebin.com/LZMz2f2e
05:35 < cityOfLights> reiffert: http://pastebin.com/9xrkk68b
05:35 < barbie-server> inbar@inbar-desktop:/etc/openvpn$ ls
05:35 < barbie-server> 2.0  easy-rsa  examples  update-resolv-conf
05:36 < barbie-server> the update-resolv-conf, is the conf file?
05:37 < cityOfLights> no
05:37 < barbie-server> mm ok.. what to do?
05:37 < cityOfLights> you need openvpn.conf
05:37 < barbie-server> make it?
05:37 < barbie-server> ok i make it
05:37 < cityOfLights> but I need to go to Nokia now
05:37 < barbie-server> nokia?
05:40 < cityOfLights> fix my N900
05:40 -!- ik_5 [~ik@85.64.245.182.dynamic.barak-online.net] has joined ##openvpn
05:41 < barbie-server> ok
05:41 < barbie-server> cityOfLights, nice
05:43 < barbie-server> maybe someone can help me with the configuration?
05:43 -!- ltgamer [~scotty@120.29.241.2] has quit [Read error: Connection reset by peer]
05:44 -!- ltgamer [~scotty@120.29.241.2] has joined ##openvpn
05:44 < barbie-server> hii
05:53 < Bushmills> who wants to configure barbie?
05:54 < barbie> i want to make openvpn server on ubuntu 9.10
05:54 < barbie> Bushmills^
05:55 < Bushmills> yes?
05:55 < Bushmills> apart from intentions, how is it progressing?
05:55 < ik_5> barbie, what exactly are the things you are unable to configure, the more details you will provide, it will be easier to help you 
05:56 -!- Ramjar [~Ramjar@d226.broadband.quicknet.se] has quit [Ping timeout: 276 seconds]
05:58 < barbie> Bushmills, you can help me with that?
05:58 < Bushmills> shall i read the documentation to you?
05:59 < Bushmills> or do you need short instructions?
05:59 < Bushmills> "install, configure, run"
06:01 -!- ik_5 [~ik@85.64.245.182.dynamic.barak-online.net] has quit [Quit: Leaving]
06:03 -!- barbie-server [~inbar@109.65.184.122] has quit [Quit: Ex-Chat]
06:05 -!- cityOfLights [~user@p11811112.orange.net.il] has quit [Quit: Leaving]
07:14 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:20 -!- ease2 [~ease@114.92.144.55] has joined ##openvpn
07:31 -!- takamichi [~pri@213.163.66.192] has joined ##openvpn
07:31 -!- atlantic [~atlantic@hok.duf.hu] has joined ##openvpn
07:37 -!- ease2 [~ease@114.92.144.55] has quit [Quit: Leaving]
08:13 -!- citylights2 [~user@p11811120.orange.net.il] has joined ##openvpn
08:22 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:23 < citylights2> ok, I need help with openvpn --up 
08:24 < citylights2> seems the tap device doesnt exist for the up script
08:24 < citylights2> http://pastebin.com/wCz63sEp
08:26 < citylights2> I run this script with start http://pastebin.com/zcYGLjRH
08:46 < ecrist> it would appear it does
08:46 < ecrist> it says so right in the logs you posted.
08:50 < Bushmills> what does     file /sys/class/net/tap0/mtu     say? 
08:53 < citylights2> min
08:57 -!- zxd_ [~marceloa@95.211.21.34] has quit [Ping timeout: 260 seconds]
08:58 -!- zxd_ [~marceloa@95.211.21.34] has joined ##openvpn
09:00 < citylights2> ecrist: thanks for responding , I was on the phone
09:03 < citylights2> Bushmills: if I run it during the time "udhcpc start" reachs the sleep I get
09:05 < citylights2> ls /sys/class/net/tap0/mtu
09:05 < citylights2> /sys/class/net/tap0/mtu
09:05 < citylights2> so it seems the tap device exist
09:06 < Bushmills> that's not what i asked you
09:07 < citylights2> file /sys/class/net/tap0/mtu
09:07 < Bushmills> i can't see from what you pasted whether the file will be considered "a file", and not a symlink, for example
09:07 < citylights2> /sys/class/net/tap0/mtu: ASCII text
09:08 < citylights2> I just can't automate dhcp requests
09:08 < Bushmills> well, here is the reason for your error:  [ -f /sys/class/net/tap0/mtu ] && echo " tap0/mtu missing" &&exit 1
09:08 < Bushmills> script pukes because it doesn't see   /sys/class/net/tap0/mtu   when it runs
09:08 < citylights2> I kept seeing "waiting for dhcp server" messages
09:08 < Bushmills> try to insert a sleep 1
09:08 < citylights2> right
09:09 < Bushmills> oh. there is one already
09:09 < Bushmills> sleep 35
09:09 < citylights2> aha
09:09 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:10 < citylights2> now if I dont use the --up script. and run it manually
09:10 < Bushmills> maybe it hits timeout, and has disconnected by then already
09:10 < citylights2> udhcpc start - it gets th address after 5 sec
09:10 < citylights2> pls explain
09:12 < Bushmills> no. *you* explain. it is your script
09:20 < Bushmills> if script says "35 sec" and you say "but after 5 sec", i can alternatively only explain "you lie"
09:33 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has joined ##openvpn
09:44 < citylights2> Bushmills: you are correct. my fault
09:44 < citylights2> sorry about the delay
09:45 < citylights2> but I am keen in solving this
09:46 < citylights2> Bushmills: how can I prove tap0 exist before I run udhcpc in the script?
09:46 < ecrist> citylights2: it does exist
09:46 < ecrist> your openvpn log shows it
09:47 < ecrist> openvpn won't run your up command unless it is able to open the device
09:48 < citylights2> ecrist: so why is it thaat udhcpc doesnt fetch an address
09:48 < citylights2> hmm
09:48 < ecrist> not sure
09:48 < ecrist> I don't support udhcpc
09:48 < citylights2> lets try static ip
09:50 < Bushmills> it doesn't because script says that  /sys/class/net/tap0/mtu  is either no file, or not present
09:50 < ecrist> up script works for me...;
09:51 < Bushmills> you know the joke about looking for lost keys on the side of the road with the lights, instead of on the side where one lost the keys ...
09:52 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:52 < Bushmills> that's what the focussing on "tun0 present" reminds me of
09:52 < citylights2> Bushmills: ok so the question is why the tap device is missing?
09:52 < Bushmills> no
09:53 < Bushmills> the question is "why does the script determine that there is no /sys/class/net/tap0/mtu  file"
09:53 < Bushmills> s/tun/tap/
09:55 < citylights2> need I change the condition?
09:55 < citylights2> need I totally remove the line?
09:56 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
09:56 < Bushmills> you need to find out why it is not there, when the script tests for it
09:56 < citylights2> dman low disk space
09:56 < citylights2> brb
09:56 -!- citylights2 [~user@p11811120.orange.net.il] has quit [Quit: leaving]
09:57 -!- gorkhaan [~gorkhaan@87.229.108.75] has left ##openvpn []
09:57 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
10:00 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:01 -!- kyrix [~ashley@77.117.199.108.wireless.dyn.drei.com] has joined ##openvpn
10:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
10:41 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
11:12 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
11:24 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
11:43 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.8/20100214235958]]
11:45 -!- gorkhaan [~gorkhaan@87.229.108.75] has left ##openvpn []
11:57 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
12:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:50 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
13:27 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has quit [Quit: Leaving.]
14:02 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
14:25 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
14:31 -!- kyrix [~ashley@77.117.199.108.wireless.dyn.drei.com] has quit [Ping timeout: 248 seconds]
14:33 -!- havoc [~havoc@saturn.chaillet.net] has joined ##openvpn
14:33 < havoc> hole
14:33 < havoc> bah
14:33 < havoc> hola
14:33  * havoc has a brand-new problem
14:34 < havoc> trying to do proxy_arp over TUN
14:34 < havoc> and/or TAP; neither works
14:36 < havoc> FYI, neptune sees to have come up fine
14:39 < havoc> wrong window
14:42 -!- Deepy [deepy@109-124-137-48.customer.t3.se] has quit [Changing host]
14:42 -!- Deepy [deepy@wrongplanet/deepa] has joined ##openvpn
15:09 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
15:37 < krzie> why proxy arp?
15:37 < krzie> arp should go across tap normally i would think
15:38 < havoc> krzie: trying to set a machine up at a remote site
15:38 < havoc> but needs to have a static pub IP
15:38 < havoc> would like to use an IP from the subnet at the colo where the ovpn server is
15:39 < havoc> it's not working though :(
15:39 < havoc> basically: http://www.havoc.org/tmp/proxy_arp.vpn.thing.for.rob.png
15:40 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
15:47 < rob0> Who's Rob? I have done this before, BTW.
15:47 < rob0> pretty sure I used tun
15:49 < krzie> binat
15:50 < havoc> rob0: different rob :)
15:51 < havoc> rob0: I'm happy to do it w/ TUN, I just need it to work
15:57 < rob0> Results 1 - 10 of about 21 from openvpn.net for rob0 openvpn proxy arp. (0.32 seconds)
15:57 < rob0> browse through those
15:59 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
16:05 < krzie> you dont need arp for that dude
16:05 < krzie> a) you can hand out a routable ip with ovpn using tun
16:05 < krzie> b) binat
16:05 < havoc> I was doing it the same way I DMZ hosts elsewhere, just w/ a vpn tunnel
16:06 < havoc> but I'm happy to do it whatever way works
16:09 < havoc> it'd be nice if there was something to RTFM
16:09 < havoc> ...aside from mailing lists
16:11 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
16:23 < rob0> The proxy ARP was just the way to get the IP through the tunnel.
16:23 < rob0> I have a /29 and do not control the upstream router therefrom.
16:24 < havoc> this is a /24
16:24 < havoc> and proxy_arp is set in the kernel on the server
16:25 < havoc> but I'm using TAP, and I'm guessing it'll only work w/ TUN?
16:27 < rob0> If you use tap, ARP goes through the tunnel, no need to proxy it.
16:29 < havoc> ok, so if I have a connected TAP tunnel I don't need proxy_arp
16:33 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 252 seconds]
16:34 < havoc> bah, routes exist, vpn is connected, still can ping either side from the other
16:34 -!- alpha [~alpha@41.224.178.113] has joined ##openvpn
16:34 < havoc> routes exist
16:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
16:37 < havoc> oh crap, missing a hot route on server
16:37 < havoc> geez, retard (me)
16:38 < alpha> hello, have got no route to host message on the client machine
16:38 < alpha> pls help
16:39 < |Mike|> alpha: pls read topic ;)
16:39 < alpha> link?
16:40 < |Mike|> are you **** kidding me?
16:40 < alpha> no
16:40 < |Mike|> Topic for ##openvpn: OpenVPN 2.1.1 Most Current || Your problem is your firewall, really. || Type  !welcome  before asking your questions. 
16:40 < alpha> what is the link of the topic?
16:40 < |Mike|> there is no such thing as a link.
16:40 < havoc> jesus fuck
16:41 < |Mike|> havoc: shush.
16:42 < alpha> I have deactivated the firewall, and still hav the same problem
16:42 < |Mike|> !welcome
16:42 < vpnHelper> |Mike|: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:42 < |Mike|> alpha: ^
16:42 < alpha> havoc: you are not in a forest
16:47 < alpha> |Mike|: yesit was the firewall
16:48 < |Mike|> w o w
16:48 < havoc> hahaha
16:49 < alpha> |Mike|: but now it says: unable toconnect because your certificate is not yet valid check that your system time is correct
16:50 < |Mike|> alpha: then synchronize your time and regenerate certs :)
16:51 < alpha> ok
16:51 < alpha> thanks
16:52 < havoc> "read UDPv4 [EHOSTUNREACH|EHOSTUNREACH]: No route to host (code=113)"
16:52 < havoc> that's pretty much always a client side FW issue, right?
16:52 < alpha> havoc: please disble the dirty havoc
16:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
16:56 < fbe_> hi. is there someone who have successfully deployed openvpn-as on something ?
16:56 < fbe_> i'm stuck with a "Main Page: error communicating with server agent".
16:56 < krzie> theres a person or 2 here who have, and if they help thats great, but we dont support AS here
16:57 < krzie> (as the on-join message states in big capital letters)
16:57 < fbe_> ok
16:57 < fbe_> am i wrong if I think AS is not loved by openvpn community ?
16:58 < krzie> thats actually an advantage of AS, it has corporate support
16:58 < fbe_> and it has community download too ;-)
16:58 < krzie> i have no problem with AS, i hope it gets widespread use, but since it is not like opensource openvpn i cant support it
16:59 < |Mike|> i/we
16:59 < krzie> communities generally form around opejnsource software, not really the case with corporate software
17:00 < havoc> gah, getting that "read UDPv4 [EHOSTUNREACH|EHOSTUNREACH]: No route to host (code=113)" but there is no FW running at either end (that I'm aware of)
17:01 < havoc> it connects fine, then ping times out
17:02 < krzie> havoc check routing tables
17:02 < krzie> maybe you didnt run as root and couldnt add the route...?
17:03 < havoc> running as root
17:03 < havoc> and there is a route for the other subnet on tap0
17:04 < havoc> bah, there *may* be a FW in between, but I have no cotrol over it
17:04 < havoc> ok, guy's gonna put it right on th Net on a static
17:05 < krzie> oh its tap
17:05 < havoc> krzie: if the tunnel's up I should at least be able to ping the other side
17:05 < krzie> im kinda useless on that too, havnt used tap in yrs
17:05 < krzie> but it shouldnt have anything to do with routes iirc
17:05 < havoc> as I said, I don't care what it is, so long as it works
17:05 < krzie> since its layer2 its arp not routing
17:06 < krzie> routes are for layer3
17:06 < havoc> but I think this guy's router/fw is/was blocking stuff
17:06 < krzie> not if you are tunneled through it
17:06 < krzie> all his router sees is an encrypted connection
17:06 < havoc> well the tunnel would connect and then I'd start getting those "read UDPv4 [EHOSTUNREACH|EHOSTUNREACH]: No route to host (code=113)" logs immediately
17:07 < krzie> unless its running on that machine or you are trying to access something beyond that machine
17:07 < havoc> right now just trying to access the other side
17:07 < havoc> but I'll wait til this guy gets it back up, then there'll at least be one less dep
17:10 < havoc> I'm trying to get this setup for the colo I pay nothing to ;)
17:10 < havoc> anyway, I have many DMZ setups working elsewhere, but all via hware NIC, not via VPN tunnel
17:11 < havoc> I figured I'd just set this up the same way (if it were TAP)
17:13 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 248 seconds]
17:17 < havoc> bah, no diff
17:18 < krzie> tap is prolly the more elegant way, personally since i like tun ild use a BINAT or just assign the ip directly
17:19 < havoc> ok
17:19 < havoc> right now I'm just trying to eliminate any unknowns
17:19 < havoc> got it back up on a public static
17:19  * rob0 -- being unknown -- hides!
17:20 < havoc> ok, "read UDPv4 [ECONNREFUSED]: Connection refused (code=111)" on server side
17:20 < havoc> that's always indicated client side FW TLS issue to me
17:20 < havoc> that about right?
17:21 < krzie> *shrug*
17:21 < havoc> rest of the connection looks fine
17:24 -!- smerz [~daniel@smerz.demon.nl] has quit [Quit: Ex-Chat]
17:28 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
17:35 -!- kyrix [~ashley@77.117.8.231.wireless.dyn.drei.com] has joined ##openvpn
17:40 < ecrist> Connection refused means just that.  Firewall issues.
17:40 < havoc> ecrist: my thoughts exactly
17:40 < havoc> "refused", not "couldn't find"
17:42 < ecrist> yep
17:42 < havoc> ok, that problem is eliminated
17:43 < havoc> not to deal w/ the remaining issues
17:43 < havoc> Net access is severely degraded when the tunnel is brought up
17:43 < havoc> e.g. tripple ping times
17:43 < havoc> yet primary routes are unchanged
17:43 < havoc> and still can't ping far end of tunnel (from client right now)
17:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
17:44 < havoc> and I'm guessing that's where the "read UDPv4 [EHOSTUNREACH]: No route to host (code=113)" is coming from
17:45 < havoc> default route is unchanged
17:45 < havoc> and no --redirect-gateway in client vpn config
17:46 < havoc> server is showing client inactivity timeouts
17:46 < havoc> so I'm guessing it's a routing issue on the client side
17:46 < ecrist> sounds like conflicting routing
17:46 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
17:46 < havoc> ecrist: yeah, except there's only 4 routes ont he machine :)
17:46 < havoc> i.e. I can't see any conflicting routes
17:47 < havoc> eth0, eth1, tap0, and default is eth0 (as it should be)
17:47 < havoc> eth0 and tap0 are both public IPs, but different subnets
17:48 < havoc> note: both boxes are debian
17:48 < havoc> so no Windows
17:49  * havoc re-checks client config
17:49 < havoc> sonething in it is blocking routes
17:50 < ecrist> forwarding enabled on the vpn server?
17:50 < havoc> hmm, probably, lemme check
17:50 < havoc> no, it is not
17:51 < havoc> but it need not be
17:51 < havoc> at least not yet
17:51 < havoc> Net access on the client should still be out eth0
17:51 < havoc> nothing else setup yet
17:52 < ecrist> ok, if routes don't conflict, it's hard to blame openvpn
17:53 < havoc> "hard" != impossible ;)
17:54 < ecrist> you can blame all you'd like, doesn't make it true. :P
17:55 < havoc> ecrist: http://pastebin.com/Gr47cjG8
17:55 < havoc> routing table w/ vpn up
17:56 < ecrist> ok...
17:56 < havoc> there are no conflicting routes there
17:57 < ecrist> sure, then you cannot blame openvpn for crappy internet performance to non-openvpn routed subnets
17:57 < havoc> it's perfect as soon as I stop openvpn though
17:58 < havoc> tshark isn't helping either
17:58 < havoc> I feel I'm missing something simple/stupid here
18:05 < krzie> ecrist you happen to have ms sql server 2k5?
18:06 < krzie> all i can find is 2k8 =/
18:07 < ecrist> I think so.  
18:07  * ecrist looks
18:07 < ecrist> what do you need it for?
18:08 < krzie> backend for some app
18:08 < krzie> they told me to use 2k5, i figure maybe 2k8 would work, but may as well go with whatthey said
18:09 < ecrist> nope, I don't have it.
18:09 < ecrist> I used to, but I've never needed it, so I deleted it.
18:09 < krzie> ya it kinda hurts my pride to even ask for mssql
18:09 < krzie> heh
18:09 < ecrist> no doubt
18:10 < ecrist> mssql is pretty nice, though
18:10 < ecrist> we're deep into pgsql right now at work.  I wouldn't mind testing cassandra or something similar.
18:10 < ecrist> oh, if you care, we're hoping to submit freeswitch 1.0.5 to ports tomorrow
18:11 < krzie> ahh cool
18:11 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
18:11 < krzie> i dont actually even have a softpbx up right now, but i think if i did ild stick to svn anyways
18:11 < havoc> ok, got it
18:11 < ecrist> the freebsd port will pull a tar.gz from one of my servers, since 1.0.5 hasn't actually been released yet, they still do a 'nightly' -latest tarball, so it would break checksum
18:12 < krzie> its once of those rare apps that is so rapidly developed that the svn version is niceness
18:12 < ecrist> imho, pulling regularly from svn is unstable
18:12 < krzie> usually
18:12 < krzie> not so much with FS
18:12 < krzie> but in general, thats very very true
18:13 -!- kyrix [~ashley@77.117.8.231.wireless.dyn.drei.com] has quit [Ping timeout: 240 seconds]
18:13 < havoc> I'll explain in a bit, if anyone cares; gotta finish making dinner right now
18:13 < ecrist> we're doing some other things with the port though, such as putting things in the right place, according to hier
18:14 < krzie> oh cool
18:14 < krzie> havoc i wouldnt mind hearing
18:15 < krzie> (the cool was @ecrist)
18:16 < ecrist> krzie: you know of any USB FXS ata that's not overly expensive?
18:21 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has quit [Quit: Leaving...]
18:21 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 252 seconds]
18:22 < havoc> krzie: apparently the magic combo is proxy_arp + host route on server (w/ push "route-gateway"), and --redirect-gateway on client
18:22 < havoc> I thought I could get away w/o --redirect-gateway, and should have been able too
18:22 < havoc> but no such luck :(
18:24 < havoc> the goal w/o it was to add my own routes to control which iface client traffic used
18:24 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
18:24 < havoc> no such luck :(
18:25 < krzie> ecrist nope, hell i didnt even know you could get a usb FXS whatsoever
18:25 < havoc> but now I'll throw shorewall on both boxes and be done w/ it
18:27 < havoc> ack, gotta enable ip_forward on this client router/vpn box now too
18:28 < havoc> and of course the guy I'm doing this for is now MIA :(
18:29 < havoc> krzie: so anyway, I still don't know why the tunnel being up would break stuff w/o it adding any additional routes, yet it did
18:30 < havoc> and although I would have prefered to not redirect-gatewat, it'll be good enough for the purposes here
18:30 -!- alpha [~alpha@41.224.178.113] has quit [Quit: Quitte]
18:33 -!- kyrix [~ashley@77.116.142.211.wireless.dyn.drei.com] has joined ##openvpn
18:33 -!- sbx [~sbx@91-64-48-13-dynip.superkabel.de] has joined ##openvpn
18:35 < krzie> werd
18:37 < havoc> it's frustrating to deal with quicks when you *know* netowkring
18:37 < havoc> but I'f run into stranger stuff
18:37 < havoc> like ping setting tcpflags ;)
18:38 < havoc> these edge cases keep attacking me :(
18:38 < havoc> I think it's time for a *good* beer
18:38 < agagag> havoc: they attack you because of your nick :)
18:39 < havoc> bah :(
18:40 < havoc> that ping/tcpflags things was from a win2k8r2 KVM VM on a PVE kernel, very strange
18:40 < havoc> HTF does ICMP set IP proto flags?
18:40 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 246 seconds]
18:41 < havoc> and the pve kernel's netfilter allowed/enabled it
18:41 < havoc> there was much tshark'ing
18:42 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
18:52 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Ping timeout: 258 seconds]
18:52 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
19:00 -!- mithridates [~chatzilla@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
19:08 < havoc> ok, I now know why I *needed* --redirect-gateway
19:08 < havoc> <Omache> You needed --redirect-gateway if you wanted symmetric routing for proxy arp'd requests
19:08 < havoc> <Omache> Unless you can identify all of the networks that those might originate from
19:09 < havoc> makes sense now
19:25 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 240 seconds]
19:26 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
19:26 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
19:26 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
19:30 -!- sbx [~sbx@91-64-48-13-dynip.superkabel.de] has quit [Quit: sbx]
19:40 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.8/20100214235958]]
19:42 < ecrist> week 12, 2010 development snapshot is out, sent to freebsd ports tree.
19:45 < krzie> just scored another server
19:45 < krzie> they are starting to pile up, lol
19:46 < ecrist> that's how I feel
19:46 < ecrist> my miami colo double billed me a month ago, claimed I was going to be refunded, never was.
19:46 < ecrist> I'm pissed.
19:49 < havoc> aCk :(\
19:50 < havoc> but then I don't pay my colo
19:50 < havoc> I just have to fix their shit as payment :(
19:52 < krzie> whoa!
19:52 < krzie> double billed!?
19:52 < krzie> thats SO not ok
19:56 < mithridates> I'm learning ruby
19:56 < mithridates> is it fine if I write a web interface for openvpn by ruby?
19:57 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
19:58 < krzie> of course!
20:00 < mithridates> I think it's better than php to do that
20:00 < mithridates> because I saw the project that was with smarty
20:01 < mithridates> it had lots of bugs around permissions
20:04 < ecrist> ruby sucks, imho
20:04 < ecrist> I would write it in PHP, myself.
20:05 < krzie> using ruby to build one is a good way to learn some ruby, and currently there are no great web interfaces
20:06 < mithridates> is there any reason for it?
20:06 < mithridates> that ruby sucks?
20:06 < ecrist> mithridates: I hate frameworks, for one
20:06 < krzie> i know people who LOVE ruby
20:06 < ecrist> and, I'm a little old school.  PHP does things fine.  for things it doesn't do well, I have perl or shell.
20:06 < mithridates> I think it's only personal view of languages
20:07 < krzie> mithridates, correct
20:07 < ecrist> I didn't say I have any technical reason.
20:07 < mithridates> yup I know
20:07 < mithridates> ecrist: as krzie said some people really love ruby but some people hate it
20:11 < krzie> either way sounds like your primary motivation is to learn the lang, great reason to use it
20:11 < mithridates> yup, not only learning lang
20:12 < mithridates> because I was looking for a web interface around 2 weeks that do what an administrator needs
20:12 < mithridates> but I couldn't find that
20:12 < ecrist> ssl-admin was my first major perl project.  It kinda shows.
20:13 < mithridates> oh I saw that
20:13 < mithridates> that was a good job
20:15 < ecrist> thanks. This summer I'm hoping to rewrite it in C
20:32 -!- mithridates [~chatzilla@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit [Ping timeout: 260 seconds]
20:39 -!- alexc_school [~a1323002@gateway/web/freenode/x-pmanarvhglzhpvht] has joined ##openvpn
20:39 -!- kyrix [~ashley@77.116.142.211.wireless.dyn.drei.com] has quit [Quit: Leaving]
20:40 < alexc_school> Hello, i'm trying to connect to my vpn from a new ubuntu laptop and i keep getting an error message saying that it can't read my client.crt
20:44 < alexc_school> http://pastebin.fr/7290
21:01 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
21:17 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
21:17 -!- tjz [~pc@bb121-7-67-184.singnet.com.sg] has joined ##openvpn
21:17 -!- tjz [~pc@bb121-7-67-184.singnet.com.sg] has quit [Changing host]
21:17 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
21:26 -!- Sorcier_FXK [~Sorcier_F@unaffiliated/sorcierfxk] has quit [Remote host closed the connection]
21:26 -!- Sorcier_FXK [~Sorcier_F@rps2660.ovh.net] has joined ##openvpn
21:27 -!- Sorcier_FXK [~Sorcier_F@rps2660.ovh.net] has quit [Changing host]
21:27 -!- Sorcier_FXK [~Sorcier_F@unaffiliated/sorcierfxk] has joined ##openvpn
21:33 < krzie> alexc_school isnt that error pretty obvious?
21:34 < krzie> hint: you need to start openvpn as root
21:36 < alexc_school> okay
21:37 < alexc_school> still getting the same error
21:37 < krzie> use full paths for EVERYTHING in your configs
21:42 -!- alexc_school [~a1323002@gateway/web/freenode/x-pmanarvhglzhpvht] has quit [Quit: Page closed]
21:56 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
22:06 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 252 seconds]
22:08 -!- brah [~asdofp@190.183.62.68] has joined ##openvpn
22:09 -!- ltgamer [~scotty@120.29.241.2] has left ##openvpn []
22:21 -!- tjz [~pc@bb121-7-67-184.singnet.com.sg] has joined ##openvpn
22:21 -!- tjz [~pc@bb121-7-67-184.singnet.com.sg] has quit [Changing host]
22:21 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
22:24 -!- cwillu_at_work [~cwillu@cwillu.com] has quit [Ping timeout: 248 seconds]
22:37 -!- takamichi [~pri@213.163.66.192] has quit []
22:39 -!- madbob [~madbob@213.163.66.192] has joined ##openvpn
22:47 -!- brah [~asdofp@190.183.62.68] has quit [Remote host closed the connection]
22:56 -!- mithridates [~chatzilla@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
23:07 -!- mithridates [~chatzilla@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit [Remote host closed the connection]
23:19 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
23:20 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
23:32 -!- tjz [~pc@bb121-7-67-184.singnet.com.sg] has joined ##openvpn
23:32 -!- tjz [~pc@bb121-7-67-184.singnet.com.sg] has quit [Changing host]
23:32 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
23:58 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
--- Day changed Mon Mar 22 2010
00:06 -!- Err404NotFound [~Error404N@unaffiliated/error404notfound] has joined ##openvpn
00:08 -!- madbob [~madbob@213.163.66.192] has quit []
00:09 -!- takamichi [~madbob@213.163.66.192] has joined ##openvpn
00:16 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
00:16 -!- Err404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X Button]
00:16 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has joined ##openvpn
00:26 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X Button]
00:27 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has joined ##openvpn
01:53 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
02:14 -!- dunc_ [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Quit: Leaving]
02:22 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has joined ##openvpn
02:26 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 248 seconds]
02:32 -!- fbe_ [~fbe@91.179.68.7] has quit [Ping timeout: 256 seconds]
02:36 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Ping timeout: 268 seconds]
02:39 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:39 -!- mode/##openvpn [+o mattock] by ChanServ
02:56 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has joined ##openvpn
02:57 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
02:57 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
02:57 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
03:04 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has quit [Quit: Leaving...]
03:16 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
03:16 -!- mode/##openvpn [+v Kasx] by ChanServ
03:20 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
03:20 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 260 seconds]
03:20 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 276 seconds]
03:21 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Ping timeout: 276 seconds]
03:23 -!- Kaspx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
03:23 -!- mode/##openvpn [+v Kaspx] by ChanServ
03:23 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 256 seconds]
03:23 -!- Kaspx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: Connection reset by peer]
03:24 -!- Kaspx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
03:24 -!- mode/##openvpn [+v Kaspx] by ChanServ
03:24 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
03:24 -!- mode/##openvpn [+v openvpn2009] by ChanServ
03:24 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
03:24 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
03:29 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
03:29 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
03:31 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
03:31 -!- takamichi [~madbob@213.163.66.192] has quit [Ping timeout: 246 seconds]
03:31 -!- takamichi [~madbob@213.163.66.192] has joined ##openvpn
03:35 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has joined ##openvpn
03:36 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
03:36 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
03:38 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
03:38 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
03:42 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X Button]
03:48 -!- barbie [~barbie@109.65.184.122] has quit [Read error: Connection reset by peer]
03:50 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 252 seconds]
03:51 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
03:52 -!- fbe_ [~fbe@garfield.amster.com] has joined ##openvpn
03:54 -!- cityligh1s [~user@p11811120.orange.net.il] has joined ##openvpn
03:55 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
03:55 < cityligh1s> Bushmills: hi there
03:56 < cityligh1s> my problem was that the rootfs was full
03:56 < cityligh1s> yet even now that /sys/class/net/tap0/mtu exist , dhcp doesnt get an IP
03:57 < cityligh1s> that happens only when used in --up script
03:57 < cityligh1s> if I run it manuannly after openvpn start - it works fine
03:59 -!- Diffen2 [~diffen2@mail.feab.se] has joined ##openvpn
04:00 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has joined ##openvpn
04:00 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 246 seconds]
04:05 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
04:10 -!- zxd_ [~marceloa@95.211.21.34] has quit [Killed (idoru (Spam is off topic on freenode.))]
04:10 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
04:11 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
04:11 -!- master_of_master [~master_of@p57B565EC.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
04:11 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
04:13 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined ##openvpn
04:13 -!- master_of_master [~master_of@p57B559E6.dip.t-dialin.net] has joined ##openvpn
04:14 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has quit [Client Quit]
04:19 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 268 seconds]
04:19 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has quit [Ping timeout: 246 seconds]
04:20 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
04:30 -!- Diffen2 [~diffen2@mail.feab.se] has quit [Quit: This computer has gone to sleep]
04:32 -!- xro [~c3b00c02@gateway/web/freenode/x-rejnzooibfqzoetu] has joined ##openvpn
04:33 < xro> hi, what should i use to connect to my openvpn server with a seven client?
04:34 < theDoc> That didn't make sense, try it again
04:35 < xro> theDoc, wich client should i use! openvpn gui 2.09 isn't supported on win seven 64 bits... i tried shrew but didn't work!
04:35 -!- dazo_afk is now known as dazo
04:36 < theDoc> Get version 2.1, I believe.
04:39 < xro> theDoc, that's the lat one... openvpn-2.0.9-gui-1.0.3-install.exe
04:39 < xro> theDoc, or should i use the beta?
04:40 < theDoc> xro> I did try the beta copy a few months ago and I didn't have any problems working it on Win7.
04:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:40 < theDoc> However, that was on a 32bit system, so I'm not too sure what's different on the x64.
04:43 < xro> theDoc, the openvpn win gui doesn't work! is there another soft?
04:46 -!- xro [~c3b00c02@gateway/web/freenode/x-rejnzooibfqzoetu] has quit [Quit: Page closed]
04:50 -!- meme [~barbie@bzq-109-65-184-122.red.bezeqint.net] has joined ##openvpn
04:50 < meme> hii all
04:51 < meme> someone here?
04:51 < meme> ?
04:53 < theDoc> Sort of, what's going on?
04:55 < meme> i make openvpn server  on ubuntu 9.10
04:56 < meme> and i cant conect to him from win compeuter
04:58 < meme> Options warning: Bad backslash ('\') usage in client.ovpn:10: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as "c:\\openvpn\\static.key"
04:58 < meme> Use --help for more information.
05:01 -!- meme_ [~inbar@109.65.184.122] has joined ##openvpn
05:01 < meme_> hii form the server
05:02 < meme_> this is the server conf file
05:02 < meme_> http://pastebin.com/2HVz85VC
05:02 < meme> and.. this is the client conf file
05:03 < meme> this is the server conf file
05:04 < meme> and.. this is the client conf file
05:04 < meme> http://pastebin.com/CtkWb6D7
05:05 < meme> someone here??
05:06 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 276 seconds]
05:09 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
05:12 < meme> kyrix, ?
05:12 < meme> i try to make openvpn server  on ubuntu 9.10
05:12 < meme> this is the server conf file
05:12 < meme> http://pastebin.com/2HVz85VC
05:12 < meme> and.. this is the client conf file
05:12 < meme> http://pastebin.com/CtkWb6D7
05:13 < kyrix> its been a while since i havent configured a server
05:13 < kyrix> whats the problem?
05:13 < meme> Options warning: Bad backslash ('\') usage in client.ovpn:10: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as "c:\\openvpn\\static.key"
05:14 < meme> ^^ is the error from the client
05:14 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:14 < kyrix> post the client config
05:16 < meme> http://pastebin.com/CtkWb6D7
05:20 < meme> kyrix, you see somthing?
05:22 < meme> someone here?
05:22 < meme> someone here?
05:22 < kyrix> #me, hold on
05:22 < meme> ho.. ok..
05:22 < kyrix> i know its hard but you have to have patience. 
05:22 -!- comps [~comp@gw-gsosfm.gsosfm.cz] has joined ##openvpn
05:24 < comps> hi, I'd like to ask if it's possible to specify tap interface name for the tap device "to be created" (without the need of making it manually first)
05:24 < comps> so far no luck
05:25 < meme> ok kyrix.. a little tired.. i try to make this vpn almost a month 
05:25 < kyrix> meme: did you try quoting as in the example?
05:25 < kyrix> meme: can u connect from a linux client?
05:26 < meme> no.
05:26 < meme> the server is linux ubuntu
05:26 < meme> and the client is win
05:26 < kyrix> meme: try quoting the windows file path
05:26 < kyrix> meme: cant help you much as i dont use windows
05:26 < meme> this is the 
05:26 < meme> exemple
05:27 < meme> what is the "windows file path"
05:27 < kyrix> try quoting the paths: "C:\\..."   the " is important
05:27 < meme> ok..
05:27 < meme> i try to connect now..
05:28 < meme> not work :-(
05:28 < meme> i get error
05:28 < kyrix> comps: no idea, never used tap ;) which error
05:28 < kyrix> meme which error
05:28 < meme> Options warning: Bad backslash ('\') usage in client.ovpn:10: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as "c:\\openvpn\\static.key"
05:28 < meme> Use --help for more information.
05:28 < meme> what is tap?
05:29 < meme> i need only to make vpn server.. tap or not..
05:29 < kyrix> meme, btw on your server config you dont want to use dev tap0
05:29 < comps> kyrix: well it somehow work if I use "dev tapblahblah" (ie. the name begins with "tap", I guess strncmp gets used), but it's a little bit hacky
05:30 < meme> ok i delete th line dev tap in the server conf/
05:30 < meme> i back i 1 hour.. ok
05:30 < kyrix> ok
05:30 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has joined ##openvpn
05:31 < meme> pleas stay here..
05:43 -!- cybertron [~cybertron@84.200.248.176] has left ##openvpn []
05:44 -!- DarthGandalf is now known as DarthGandalf|BNC
05:49 < |Mike|> nohoho...
05:58 < cityligh1s> נ/quit
05:58 -!- cityligh1s [~user@p11811120.orange.net.il] has quit [Quit: leaving]
06:29 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
06:29 -!- mode/##openvpn [+v Kasx] by ChanServ
06:29 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 268 seconds]
06:30 -!- Kaspx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 268 seconds]
06:33 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
06:33 -!- mode/##openvpn [+v openvpn2009] by ChanServ
06:35 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has quit [Ping timeout: 246 seconds]
06:47 -!- HardDisk_WP [~Marco@wikipedia/harddisk] has quit [Read error: Operation timed out]
06:49 -!- HardDisk_WP [~Marco@velirat.de] has joined ##openvpn
06:49 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
06:59 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
07:14 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Ping timeout: 276 seconds]
07:14 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
07:26 -!- Diffen2 [~diffen2@mail.feab.se] has joined ##openvpn
07:29 < meme> hiiii 
07:29 < macsppadic> hello meepmeep 
07:29 < macsppadic> oops meme even
07:29 < macsppadic> apoloiges tab completion go the betterof me ther
07:31 < meme> macsppadic
07:36 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
07:37 < meme> macsppadic YoooHoooo
07:37 < meme> it work now!
07:38 -!- mah_cfsi [~mah@mail.cfsi.dk] has joined ##openvpn
07:38 < mah_cfsi> !welcome
07:38 < vpnHelper> mah_cfsi: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:39 < havoc> bah
07:40 < meme> but how i can get IP from my DHCP?
07:41 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
08:05 < |Mike|> !logs
08:05 < vpnHelper> |Mike|: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
08:08 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has joined ##openvpn
08:13 < meme> mmmm
08:14 < meme> i get all the time IP from the OPENVPN server, and i want to get IP from my DHCP server
08:27 -!- xok [~xok@host-62-168-165-53.adsl.caucasus.net] has joined ##openvpn
08:27 < xok> hello all..
08:28 < xok> I want to redirect all the traffic of client through the openvpn server..
08:28 < xok> how do I accomplish this?..
08:28 < xok> I've added "push redirect-gateway def1" but have no idea what does this "def1" do..
08:28 < xok> is it something I need to change it?..
08:28 < xok> thanks..
08:35 -!- Diffen2 [~diffen2@mail.feab.se] has quit [Quit: This computer has gone to sleep]
08:43 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
08:44 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:49 -!- meme_ [~inbar@109.65.184.122] has quit [Ping timeout: 265 seconds]
08:55 -!- xok [~xok@host-62-168-165-53.adsl.caucasus.net] has quit [Ping timeout: 260 seconds]
08:58 -!- xok [~xok@host-62-168-165-53.adsl.caucasus.net] has joined ##openvpn
08:58 -!- xok [~xok@host-62-168-165-53.adsl.caucasus.net] has quit [Client Quit]
08:59 -!- xok [~xok@host-62-168-165-53.adsl.caucasus.net] has joined ##openvpn
08:59 < xok> anyone please?..
09:00 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
09:02 < theDoc> !def1
09:02 < vpnHelper> theDoc: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
09:03 < xok> theDoc: thanks, can you please help me to accomplish my task?..
09:03 -!- Rienzilla [rien@sinas.rename-it.nl] has quit [Ping timeout: 256 seconds]
09:04 < xok> I've put that as said in the config file for server, but clients can't connect to any other side of internet..
09:04 < theDoc> !nat
09:04 < vpnHelper> theDoc: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
09:04 < theDoc> !linnat
09:04 < vpnHelper> theDoc: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
09:04 < theDoc> !winnat
09:04 < xok> I've done that too..
09:04 < vpnHelper> theDoc: "winnat" is http://support.microsoft.com/kb/306126 for windows nat (windows calls it internet connection sharing aka ICS)
09:04 -!- Rienzilla [rien@sinas.rename-it.nl] has joined ##openvpn
09:04 -!- meme_ [~inbar@109.65.184.122] has joined ##openvpn
09:04 < xok> I'm on the linux...
09:04 < theDoc> !ipforward
09:04 < vpnHelper> theDoc: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
09:04 < xok> want clients on the linux...
09:04 < theDoc> !linipforward
09:04 < vpnHelper> theDoc: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
09:06 < xok> theDoc: thanks, I will try with that..
09:06 < theDoc> No probs.
09:09 -!- xok [~xok@host-62-168-165-53.adsl.caucasus.net] has quit [Quit: I quit!...]
09:09 -!- xok1 [~xok@host-62-168-165-53.adsl.caucasus.net] has joined ##openvpn
09:09 < xok1> theDoc: doesn't work though.. ;-(
09:10 < theDoc> xok1> That's not a good enough reason.
09:10 < theDoc> !welcome
09:10 < theDoc> !logs
09:10 < vpnHelper> theDoc: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:10 < vpnHelper> theDoc: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
09:10 < theDoc> !goal
09:10 < vpnHelper> theDoc: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:10 < xok1> theDoc: yeah, I'm doing it..
09:10 < xok1> I will paste my confs in the pastebin...
09:10 < xok1> sec..
09:11 < xok1> http://pastebin.com/Nv23255X
09:11 < xok1> this is a server config file..
09:12 < xok1> http://pastebin.com/mueVtkuU
09:12 < xok1> so does look my client conf..
09:12 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
09:12 < xok1> theDoc: but, I can't find the logs neither on the server side nor on the client...
09:13 < comps> !/30
09:13 < vpnHelper> comps: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
09:15 < theDoc> xok1> Do you have a DNS server configured for your user to use?
09:15 -!- fremo___ [~fremo@noc.toile-libre.net] has joined ##openvpn
09:15 -!- balboah [~johnny@joonix.se] has joined ##openvpn
09:15 -!- uchimata_ [~uchimata@HSI-KBW-095-208-192-010.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
09:15 < xok1> theDoc: the server that runs the openvpn server has actully got DNS server as well..
09:15 -!- |Mike|_ [mike@2001:1af8:2:444::2] has joined ##openvpn
09:17 -!- APTX_ [~APTX@chello089076052083.chello.pl] has joined ##openvpn
09:17 -!- APTX_ [~APTX@chello089076052083.chello.pl] has quit [Changing host]
09:17 -!- APTX_ [~APTX@phpBB/developer/APTX] has joined ##openvpn
09:18 < xok1> theDoc: anything else?..
09:19 -!- Serajewe1KS [~me@wikipedia/Crazycomputers] has joined ##openvpn
09:19 -!- serek [~ser@house.metalab.unc.edu] has joined ##openvpn
09:20 -!- meme_ [~inbar@109.65.184.122] has quit [Ping timeout: 265 seconds]
09:21 -!- |Mike| [mike@2001:1af8:2:444::2] has quit [Disconnected by services]
09:21 -!- |Mike|_ [mike@2001:1af8:2:444::2] has quit [Quit: Reconnecting]
09:21 -!- |Mike| [mike@2001:1af8:2:444::2] has joined ##openvpn
09:24 -!- Netsplit *.net <-> *.split quits: ScriptFanix, fremo__, balboah_, uchimata, SerajewelKS, ser, APTX
09:24 < theDoc> Hm.
09:28 -!- xok1 [~xok@host-62-168-165-53.adsl.caucasus.net] has quit [Ping timeout: 246 seconds]
09:28 -!- xok [~xok@host-62-168-165-53.adsl.caucasus.net] has joined ##openvpn
09:28 < xok> theDoc: I have no idea why, but it now works with IPs only...
09:28 < xok> I mean, there is only DNS problem now..
09:33 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Ping timeout: 276 seconds]
09:34 -!- xok1 [~xok@host-62-168-165-53.adsl.caucasus.net] has joined ##openvpn
09:34 -!- xok [~xok@host-62-168-165-53.adsl.caucasus.net] has quit [Read error: Connection reset by peer]
09:34 < xok1> theDoc: I get: "Mon Mar 22 18:33:27 2010 xok/62.168.165.53:14866 MULTI: bad source address from client [192.168.1.4], packet dropped" this error when trying to connect to google.com for example...
09:34 < xok1> this is from the server log..
09:35 -!- xro [~c3b00c02@gateway/web/freenode/x-momqtyemxsqmjoed] has joined ##openvpn
09:36 < xro> hi, is there an alternative to openvpn gui? Can i use shrew to connect a openvpn server?
09:39 < xro> nobody?
09:40 <@mattock> there are: http://users.utu.fi/sjsepp/openvpn/openvpn_community_projects.ods
09:41 <@mattock> unfortunately I don't have it in any other format right now
09:42 -!- rw83 [robin@ipv6.unixload.de] has joined ##openvpn
09:43 -!- rw83 [robin@ipv6.unixload.de] has left ##openvpn ["*wupps*"]
09:44 < xok1> I get "14866 MULTI: bad source address from client [192.168.1.4], packet dropped"
09:44 < xok1> when I try to connect to any site from the client side..
09:44 < xok1> can anyone please help?..
09:44 < xok1> I think it's a DNS related problem...
09:44 < xok1> how can I fix it?..
09:47 < xro> is there a openvpn client that work better than openvpn GUI for windows? 
09:48 -!- xro [~c3b00c02@gateway/web/freenode/x-momqtyemxsqmjoed] has quit [Quit: Page closed]
09:56 -!- Serajewe1KS is now known as SerajewelKS
09:59 -!- macsppadic is now known as johnmcclane
10:00 -!- Sky[x] [~SkyB0x@193.2.72.254] has joined ##openvpn
10:01 -!- cwillu_at_work [~cwillu@cwillu.com] has joined ##openvpn
10:02 -!- xok1 [~xok@host-62-168-165-53.adsl.caucasus.net] has quit [Ping timeout: 264 seconds]
10:07 -!- xok [~xok@host-62-168-165-53.adsl.caucasus.net] has joined ##openvpn
10:07 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:11 < xok> after succesfully configuring the server I can connect to different hosts on their IPs but can't with their domains..
10:12 < xok> can anyone please help me figure out how to provide the DNS to my server so that it could translate names to addresses?..
10:12 -!- takamichi [~madbob@213.163.66.192] has quit [Ping timeout: 245 seconds]
10:12 < xok> so that clients could translate*
10:17 -!- APTX_ is now known as APTX
10:17 -!- drecute [~pdrealg@41.155.76.83] has joined ##openvpn
10:19 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
10:20 -!- xok [~xok@host-62-168-165-53.adsl.caucasus.net] has quit [Ping timeout: 258 seconds]
10:26 -!- fbe_ [~fbe@garfield.amster.com] has quit [Remote host closed the connection]
10:27 -!- jnss [janes@gateway/shell/sign.io/x-qybglzbgbirjifdl] has joined ##openvpn
10:27 < jnss> hi!
10:47 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:08 -!- Sky[x] [~SkyB0x@193.2.72.254] has quit []
11:15 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Read error: Operation timed out]
11:16 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
11:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Max SendQ exceeded]
11:21 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:21 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:22 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
11:22 -!- mode/##openvpn [+v Kas] by ChanServ
11:22 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
11:24 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 260 seconds]
11:25 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 276 seconds]
11:26 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
11:29 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
11:29 -!- mode/##openvpn [+v openvpn2009] by ChanServ
11:31 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
11:42 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:45 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
12:19 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
12:28 -!- barbie_ [~barbie@bzq-109-65-184-140.red.bezeqint.net] has joined ##openvpn
12:28 -!- johnmcclane [~sonupunno@82.109.74.162] has quit [Quit: johnmcclane]
12:31 -!- meme [~barbie@bzq-109-65-184-122.red.bezeqint.net] has quit [Ping timeout: 245 seconds]
12:33 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has joined ##openvpn
12:38 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
13:13 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
13:13 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
13:23 -!- Err404NotFound [~Error404N@unaffiliated/error404notfound] has joined ##openvpn
13:26 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Ping timeout: 264 seconds]
13:26 -!- Err404NotFound is now known as Error404NotFound
13:40 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Quit: Leaving]
13:44 -!- dazo is now known as dazo_afk
14:01 -!- drecute [~pdrealg@41.155.76.83] has left ##openvpn []
14:15 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 246 seconds]
14:17 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 240 seconds]
14:18 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
14:18 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
14:18 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
14:18 -!- a-zlex [~as@null0.ipv6.bgp4.org] has left ##openvpn []
14:28 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:43 -!- Err404NotFound [~Error404N@unaffiliated/error404notfound] has joined ##openvpn
14:43 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Ping timeout: 245 seconds]
14:44 -!- Err404NotFound is now known as Error404NotFound
14:46 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
14:54 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Operation timed out]
15:04 -!- rajin [~a@port-12943.pppoe.wtnet.de] has joined ##openvpn
15:10 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
15:10 < jpalmer> is it possible to have one openvpn instance listen on multiple ports?
15:11 < jpalmer> researching,  it seems as though you need multiple instances,  but I'm hoping those posts are wrong/old/outdated.
15:11 < hyper_ch> hmmm, depends on how narrow or wide you consider the "is it possible" part
15:12 < jpalmer> ok,  let me rephrase.  with the latest stable build of openvpn,  does it support binding to multiple ports at the same time using a single instance?  ;)
15:12 < hyper_ch> no clue
15:12 < jpalmer> so.. you were just busting balls, eh?
15:12 < reiffert> jpalmer: no.
15:13 < hyper_ch> but on a wide definition of "is it possible" I would reply that the source code is open and that it's under a free licence and hence you can add such a functionality if it's not there yet :)
15:13 < hyper_ch> hence it is possible .)
15:13 < jpalmer> hyper_ch: which is why I narrowed it down when you commented.  I've run into your type before ;)
15:13 < reiffert> jpalmer: oh, so we were shaking balls and if you want to improve things, there you go. welcome to #openvpn-devel.
15:14 < hyper_ch> hi reiffert :)
15:14 -!- dug` [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Read error: Connection reset by peer]
15:14 < jpalmer> reiffert: thanks.  
15:14 -!- DarthGandalf|BNC is now known as DarthGandalf
15:14 < jpalmer> reiffert: since it appears to be a fairly common request, I'm assuming someone would have already submitted patches if the development team were interested in them.
15:15 < hyper_ch> jpalmer: fairly common? what makes you think so?
15:15 < jpalmer> I haven't looked at the openvpn source specifically,  but it seems like it'd be trivial to just bind to multiple ports.
15:15 < reiffert> jpalmer: infact there is a new development team on the road for 4 weeks now, right now they are looking for all patches that came in the last couple of years.
15:15 < jpalmer> hyper_ch: the sheer number of requests for that ability in a single search
15:16 < reiffert> jpalmer: so multiple port binding is on the list to be done, feel free to help.
15:16 < jpalmer> reiffert: as I said,  thanks for the info.
15:16 < hyper_ch> jpalmer: I tend to think, as that functionality is not there yet that it is not a top priority and hence not really a common request :)
15:16 < reiffert> jpalmer: guess it will be done in the next six month.
15:16 < reiffert> jpalmer: join #openvpn-devel
15:16 < jpalmer> I have.
15:21 -!- alpha_ [~alpha@41.224.139.200] has joined ##openvpn
15:21 < alpha_> Hello
15:21 < hyper_ch> hello alpha_
15:23 < alpha_> in the client side we choose the port of the vpn server. In the server we choose the port used by it. is it possible to also force the port of the client by which it sends the request to the server (ie: the source port)
15:23 < hyper_ch> I don't quite understand
15:25 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
15:25 < alpha_> I mean Is it possible to fix the port of the client that receives the traffic from the server?
15:26 < hyper_ch> I still don't quite follow :) in the client config you set the port for the server and all the traffic routed through that tunnel uses that port - I think
15:26 < jpalmer> alpha_: I don't think there is a way to specify the source port.
15:26 < alpha_> ok
15:27 < alpha_> thks
15:27 < reiffert> jpalmer: there is. check manpage next time.
15:27 < alpha_> there is an option: nobind
15:28 < alpha_> is it useful for my case
15:28 < alpha_> ?
15:28 < reiffert> alpha_: no, it's not nobind. jpalmer will look it up for you.
15:28 < alpha_> ok thks
15:28 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Read error: Connection reset by peer]
15:28  * jpalmer is looking now, actually :P
15:30 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
15:31 < jpalmer> the only thing that I see that lookes remotely like it,  is --rport.  but the description isn't very helpful.
15:31 < reiffert> check again.
15:31 < reiffert> you are close.
15:32 < hyper_ch> reiffert: you're almost as mean as me :)
15:34  * jpalmer doesn't consider it mean.  I'm wrong about something, and the best way to learn is from your mistakes.
15:34 < jpalmer> you don't learn if someone hands it to you.
15:34 < reiffert> even close as in two line up.
15:34 < jpalmer> I only see port, lport, and rport.  and from the manpage,  none of those really appear to be it.
15:35 < reiffert> jpalmer: what about you try it out and report back?
15:35 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Read error: Connection reset by peer]
15:35 < jpalmer> I can't go that far,  I don't have a test environment available at the moment ;)
15:35 < reiffert> alpha should try it out for himself then.
15:35 < jpalmer> but from your reaction, I'm guessing one of those three is it.  so alpha can try it ;)
15:36 < jpalmer> --lport port TCP/UDP port number for bind.
15:36 < jpalmer> while that doesn't seem very clear,  I'm guessing it's the one.
15:43 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined ##openvpn
15:48 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has quit [Quit: leaving]
15:49 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined ##openvpn
15:53 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has quit [Client Quit]
15:55 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined ##openvpn
15:57 -!- rajin [~a@port-12943.pppoe.wtnet.de] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Chicks dig it]
15:58 -!- medum [kevin@d67-193-176-255.home3.cgocable.net] has joined ##openvpn
15:58 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 240 seconds]
16:00 -!- takamichi [~pri@213.163.66.192] has joined ##openvpn
16:01 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 252 seconds]
16:02 -!- takamichi [~pri@213.163.66.192] has quit [Client Quit]
16:02 < alpha_> Ok, will try it and give you the result of the test
16:02 < alpha_> thank you for help
16:02 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
16:03 -!- takamichi [~pri@213.163.66.192] has joined ##openvpn
16:04 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
16:20 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
17:14 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:26 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
17:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 258 seconds]
17:34 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
17:34 -!- mode/##openvpn [+v Kasx] by ChanServ
17:38 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 264 seconds]
17:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:00 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has quit [Quit: Leaving...]
18:09 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
18:09 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
18:09 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
18:11 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
18:21 -!- alpha_ [~alpha@41.224.139.200] has quit [Quit: Quitte]
18:30 -!- serek [~ser@house.metalab.unc.edu] has quit [Remote host closed the connection]
18:40 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Quit: Távozom]
18:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
18:58 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
19:03 -!- Rienzilla [rien@sinas.rename-it.nl] has quit [Ping timeout: 246 seconds]
19:03 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 246 seconds]
19:13 -!- Rienzilla [rien@sinas.rename-it.nl] has joined ##openvpn
19:13 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
19:44 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
19:57 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Quit: Leaving.]
19:59 -!- tjz [~pc@bb116-14-149-42.singnet.com.sg] has joined ##openvpn
19:59 -!- tjz [~pc@bb116-14-149-42.singnet.com.sg] has quit [Changing host]
19:59 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:04 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X Button]
20:18 -!- brah [~asdofp@190.183.62.68] has joined ##openvpn
20:24 -!- medum [kevin@d67-193-176-255.home3.cgocable.net] has quit [Quit: leaving]
21:36 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Read error: Connection reset by peer]
21:43 -!- brah [~asdofp@190.183.62.68] has quit [Remote host closed the connection]
21:45 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
22:33 -!- takamichi [~pri@213.163.66.192] has quit [Ping timeout: 246 seconds]
22:39 -!- takamichi [~pri@213.163.66.192] has joined ##openvpn
22:43 -!- bdheeman [~bdheeman@bdheeman-2-pt.tunnel.tserv20.hkg1.ipv6.he.net] has joined ##openvpn
22:44 < bdheeman> hi, friends :)
22:44 < bdheeman> openvpn-config goes public http://sourceforge.net/projects/openvpn-config/
22:44 < vpnHelper> Title: OpenVPN Configuration CLI Wizard | Get OpenVPN Configuration CLI Wizard at SourceForge.net (at sourceforge.net)
23:45 -!- Rienzilla [rien@sinas.rename-it.nl] has quit [Ping timeout: 260 seconds]
23:51 -!- Rienzilla [rien@sinas.rename-it.nl] has joined ##openvpn
23:57 -!- bdheeman [~bdheeman@bdheeman-2-pt.tunnel.tserv20.hkg1.ipv6.he.net] has left ##openvpn []
--- Day changed Tue Mar 23 2010
00:35 -!- Rienzilla [rien@sinas.rename-it.nl] has quit [Ping timeout: 264 seconds]
00:35 -!- Rienzilla [rien@sinas.rename-it.nl] has joined ##openvpn
01:09 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:16 -!- oc80z [oc80z@blea.ch] has quit [Quit: ZNC - http://znc.sourceforge.net]
01:18 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
01:45 -!- Rienzilla [rien@sinas.rename-it.nl] has quit [Remote host closed the connection]
02:06 -!- Rienzilla [rien@sinas.rename-it.nl] has joined ##openvpn
02:09 -!- cjae [~quassel@142-165-27-241.estv.hsdb.sasknet.sk.ca] has joined ##openvpn
02:12 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
02:14 < cjae> Hi, I am brand new to openvpn, to am using on ddwrt. From what I understand in need to install openvpn on a box on my lan, then run the key generator (this was done with the windows version), which makes me a key which starts with ---begin--then the key and ---end--
02:15 < cjae> I noticed that the ---begin part does not have a # sign in front of it so it is it safe to just take the contents of the key between --begin-- and --end-- 
02:16 < cjae> is that worded right?
02:17 < cjae> in the above example here ^^ I would be taking only the word 'and' not the --begin and end--- parts
02:18 < reiffert> why?
02:19 -!- Rienzilla [rien@sinas.rename-it.nl] has quit [Ping timeout: 240 seconds]
02:19 -!- Rienzilla [rien@sinas.rename-it.nl] has joined ##openvpn
02:19 < cjae> well in linux config files anything that is not parsed (i think is the right word) is taken in to account
02:21 < cjae> and the -----BEGIN OpenVPN Static key V1----- is not parsed (no root sign in front) so do I include it with the key?
02:22 < reiffert> The keygen does right. Dont touch the files.
02:23  * cjae thinks I should just use the key part and forget the -----BEGIN OpenVPN Static key V1----- part
02:23 < reiffert> dont try to think.
02:23 < cjae> oh ok
02:24 < cjae> well I can just use the generator for my keys since I dont not intend to use openvnc on windows
02:24 < |Mike|> Rienzilla: GOOD MORNING !
02:24 < cjae> there just happens to be win box on this lan
02:24 < reiffert> cjae: openssl on windows is the same like openssl on a nother platfrom.
02:25 < cjae> so I would not be just linking to the file so I need to know what to copy 
02:25 < rob0> It's a key file, not a "linux config file". But you do have to convert DOS to Unix text line ends.
02:26 < reiffert> cjae: it's all in here:
02:26 < reiffert> !howto
02:26 < cjae> I was using that as an example
02:26 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:26 < reiffert> and stop thinking, please.
02:26 < cjae> nice
02:27 < rob0> the HOWTO is for TLS certificates, not for static keys. The 1.x howto is for static keys.
02:30 < cjae> all I wanted to know if if I need just whats in between the lines or not http://pastebin.ca/1850079
02:30 < reiffert> cjae: answer already given, next.
02:39 < cjae> rob0: so static keys are for just making one tunnel between a server and a client?
02:40 < |Mike|> please sir, read the howto
02:43 < rob0> With static keys, there is in VPN terms no "server" and no "client". They are peers; it is called "peer mode".
02:44 < cjae> thank you
02:44 < rob0> and yes, just one tunnel per peer mode instance
02:46 < cjae> http://openvpn.net/index.php/open-source/documentation/miscellaneous/88-1xhowto.html  aahhh :)
02:46 < vpnHelper> Title: 1xHOWTO (at openvpn.net)
02:47 < cjae> thanks need a break
02:47 -!- cjae [~quassel@142-165-27-241.estv.hsdb.sasknet.sk.ca] has quit [Remote host closed the connection]
02:48 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
02:48  * rob0 used to run numerous 1.x tunnels
02:48 < |Mike|> lawl
02:48 < |Mike|> what a weirdo :x
02:51 < rob0> Um, it wasn't weird to run 1.x-style tunnels before 2.0 was released! And still, there are things that a peer mode is better at.
02:53 < rob0> Site-to-site with relatively static IP on both ends, a peer mode will do better with short outages on either end. Each side will be actively trying to contact the other.
03:03 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
03:08 -!- cjae [~quassel@142-165-27-241.estv.hsdb.sasknet.sk.ca] has joined ##openvpn
03:09 -!- cityLights2 [~cityLight@bzq-84-111-46-151.red.bezeqint.net] has joined ##openvpn
03:10 < cityLights2> hi all
03:10 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
03:10 < cityLights2> ok , here is my problem:
03:10 < cityLights2> I run openvpn to establish a tap0 device , I use the --up to run a script as soon as the connection is established
03:10 < cityLights2>  this is the script http://pastebin.com/uZ3mrqmP
03:10 < cityLights2> and this is the output: http://pastebin.com/jBE8LDBd
03:16 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 240 seconds]
03:18 -!- cjae [~quassel@142-165-27-241.estv.hsdb.sasknet.sk.ca] has quit [Remote host closed the connection]
03:20 -!- Rienzilha [rien@sinas.rename-it.nl] has joined ##openvpn
03:20 -!- Rienzilla [rien@sinas.rename-it.nl] has quit [Remote host closed the connection]
04:02 -!- ScriptFanix [vincent@Tuluk.riquer.fr] has joined ##openvpn
04:04 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has joined ##openvpn
04:11 -!- master_of_master [~master_of@p57B559E6.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
04:13 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
04:13 -!- master_of_master [~master_of@p57B57709.dip.t-dialin.net] has joined ##openvpn
04:20 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has quit [Remote host closed the connection]
04:22 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
04:31 -!- geri [~Gerald@143.205.215.28] has joined ##openvpn
04:31 < geri> hi
04:32 < geri> i am on a windows machine, is it possible to save the password to a text file for automatically connecting to the server?
04:33 < geri> text file may be unsecure;) but is there some other way around?
04:33 < geri> i am using openvpn gui
04:42 -!- spiekey [~mario@projekte.imos.net] has joined ##openvpn
04:42 < spiekey> Hello!
04:46 < macsppadic> hey there spiekey 
04:46 < macsppadic> morning geri
04:46 < geri> hey
04:47 < macsppadic> u want openvpn to read passie from a text file?
04:47 < macsppadic> there is a tcl based program called expect in unix for passing passwords along to programs ..though dont know if that iwll solve ur issue 
04:48 < geri> macsppadic, yeah
04:48 < geri> macsppadic, i am using the openvpn gui
04:48 < macsppadic> well that takes expect out then:-)
04:48 < geri> when i connect to the server it asks me for the password
04:49 -!- Rienzilha [rien@sinas.rename-it.nl] has quit [Ping timeout: 248 seconds]
04:51 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has joined ##openvpn
04:52 < macsppadic> geri: in ur .ovpn file could u not add auth-user-pass: path to file 
04:55 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
04:55 < macsppadic> geri: http://pwet.fr/man/linux/administration_systeme/openvpn there is a section in there - u will have to check config-win32.h 
04:56 < vpnHelper> Title: man openvpn - secure IP tunnel daemon. / Outils d'administration système (at pwet.fr)
04:56 < spiekey> i have this supder duper setup here: http://pastebin.com/Xkuisekp
04:56 -!- Rienzilla [rien@sinas.rename-it.nl] has joined ##openvpn
04:57 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 248 seconds]
04:57 < spiekey> the problem: an icmp ping from 192.168.99.5 to 192.168.101.5 does not work....
04:57 < Rienzilla> this morning is everything but good, |Mike| 
04:57 < spiekey> i used to get a error in my logs: "Bad source address" so i added the iroute/route stuff.
04:58 < spiekey> however, i can now see the icmp ping leaving my tun0 device on the openvpn client machine: PC-192.168.99.254/24-LinuxOpenVPNClientMachine - VPN: 10.8.1.201
04:59 < spiekey> but it never turns up on my tun0 device on the openvpn server
04:59 < geri> config-win32.h?
04:59 < geri> will i need to recombile?
04:59 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has joined ##openvpn
05:00 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has left ##openvpn []
05:00 < macsppadic> looks like it geri ...have a google 
05:00 < spiekey> you mean me?
05:07 < spiekey> here is the pastebin with some logs/routes: http://pastebin.com/0UqJA9Ww
05:10 < spiekey> anyone?
05:10 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:15 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
05:18 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has left ##openvpn []
05:23 < |Mike|> Rienzilla: o, how comes?
05:27 < spiekey> ah, with verb 9 i get: "TLS State Error: No TLS state for client"
05:30 < Rienzilla> major network disruption at the datacenter my company is hosted
05:31 < macsppadic> ouch...have had those Rienzilla 
05:31 < macsppadic> u just sit there - waiting for a message 
05:33 < |Mike|> Rienzilla: that sounds as PITA :x
05:33 < Rienzilla> yeah
05:33 < |Mike|> DC den bosch? (interconnect) ?
05:33 < Rienzilla> no not interconnect
05:33 < Rienzilla> equinix 
05:33 < Rienzilla> amsterdam, enschede, zwolle
05:33 < |Mike|> brr
05:34 < spiekey> does anyone know what "TLS State Error: No TLS state for client" and GET INST BY REAL: (..) [failed]" means?
05:34 < spiekey> the tunnel seems to work if i ping directly from the openvpn machines. 
05:37 < spiekey> hmm..now this msg seems to have disappared
05:39 < spiekey> anyone?
05:41 < |Mike|> spiekey: tried google ?
05:41 < spiekey> yes, but it seems that the "TLS State Error:" is not really related to my problem...maybe this was just after a restart
05:42 < spiekey> i am not getting this error anymore
05:42 < spiekey> this must be some config/setup  issue
05:42 < |Mike|> REAL < - realtech card maybe?
05:42 < |Mike|> http://www.google.nl/search?sourceid=chrome&ie=UTF-8&q=GET+INST+BY+REAL:+(..)+[failed]
05:42 < vpnHelper> Title: GET INST BY REAL: (.. - Google zoeken (at www.google.nl)
05:46 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Remote host closed the connection]
05:47 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
05:48 < spiekey> nope, i am not getting there errors anymore. I even restarted all the vpn connections
05:48 < spiekey> so why wont the ping from my PC2 LAN get to the tun0 device of my openvpn server?
05:51 < spiekey> so i guess i better write to the ML, he?
05:59 < |Mike|> Or wait for someone which has seen this erro before..
06:01 < spiekey> |Mike|, the error is obsolete ;)
06:01 < spiekey> forget the error ;)
06:10 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has quit [Ping timeout: 260 seconds]
06:13 -!- uchimata_ is now known as uchimata
06:43 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 276 seconds]
06:50 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
06:52 -!- geri [~Gerald@143.205.215.28] has quit [Ping timeout: 268 seconds]
06:55 < cityLights2> is the maintainer of maemo openvpn here?
06:55 -!- cityLights2 [~cityLight@bzq-84-111-46-151.red.bezeqint.net] has quit [Read error: Connection reset by peer]
06:55 -!- cityLights2 [~cityLight@bzq-84-111-46-151.red.bezeqint.net] has joined ##openvpn
06:57 < ecrist> not that I'm aware.
06:58 < cityLights2> hmm
07:00 < cityLights2> ecrist: well maybe you can help me
07:00 < cityLights2> how can I get this to work?
07:00 < ecrist> get what to work?
07:00 < cityLights2> here is my script http://pastebin.com/uZ3mrqmP
07:01 < cityLights2> I run it using --up
07:01 < ecrist> and what's the problem?
07:01 < cityLights2> this is the output of openvpn log
07:01 < cityLights2> http://pastebin.com/jBE8LDBd
07:02 < ecrist> what's the problem?
07:02 < cityLights2> as you see it doent get an IP and retry for ever
07:02 < cityLights2> problem: tap0 is established but dhcp request doesnt work from script
07:03 < ecrist> it sounds like a udhcp problem more than an openvpn problem.
07:03 < cityLights2> by the way I dont see the request in wireshark on the server side
07:03 < ecrist> try setting a delay on the up script
07:03 < ecrist> give it 2 seconds or something
07:03 < cityLights2> see in there I got a while loop with sleep 1
07:05 < ecrist> don't know what to tell you, sorry
07:05 < ecrist> I think it's a problem with udhcp, not openvpn
07:13 < cityLights2> hmm
07:13 < cityLights2> is there a udhcp channel here? 
07:13 < cityLights2> where can I ask
07:16 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:20 -!- geri [~Gerald@143.205.215.23] has joined ##openvpn
07:22 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
07:26 -!- cityLights2 [~cityLight@bzq-84-111-46-151.red.bezeqint.net] has quit [Quit: Leaving]
07:38 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
07:49 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Remote host closed the connection]
07:55 < zamba> i've set up a client-to-client network.. where i'm able to reach the subnets behind every router in the virtual network.. but i have one network where one of the hosts only is a member, but not set as the default gw for all hosts.. how can i reach this network from inside the vpn tunnel?
07:57 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
08:02 < agagag> !iroute
08:02 < vpnHelper> agagag: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
08:02 < agagag> zamba: thats for you i *think*
08:04 < zamba> i'm already using that
08:04 < zamba> and that only works for networks where the openvpn peer is the default gateway for all hosts in the subnet
08:04 < zamba> but then it works beautifully :)
08:04 < zamba> i now have the case where the openvpn peer isn't the default gw for the network
08:05 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
08:05 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
08:05 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
08:11 < havoc> bah
08:11 < havoc> morning
08:12 < zamba> morning
08:12 < havoc> ok, gotta convert this TAP setup to TUN
08:12 < havoc> just trying to figure out how to do it cleanest
08:13 < havoc> cd ..
08:13 < havoc> bah
08:16 -!- sikor_sxe__ [~mkulke@144.41.253.148] has joined ##openvpn
08:18 < sikor_sxe__> hello, i have a problem with a client machine having the same subnet as the local lan :/
08:19 < havoc> ok, looke like I only need to change the --dev and --ifconfig lines
08:19 < sikor_sxe__> cisco vpn clients have the functionality to somehow shut off the local networking
08:19 < sikor_sxe__> is it possible to have that behaviour for openvpn clients?
08:21 < SerajewelKS> sikor_sxe__: i don't believe it is possible, not without removing the route for the existing network
08:22 < sikor_sxe__> could that be factored into a config file?
08:22 < sikor_sxe__> a clients config file
08:22 < SerajewelKS> sikor_sxe__: there is no cross-platform way to do it, but you can create platform-specific config files using --up and --down
08:23 < SerajewelKS> sikor_sxe__: the problem is, on --down you have to know which interface the route was on to restore it properly
08:23 < sikor_sxe__> one could store it somewhere
08:23 < SerajewelKS> sikor_sxe__: this idea is perilous though.  i don't know what magic the cisco client uses, but removing that route will likely mean that the default gateway ceases to function, which means the VPN dies too...
08:24 < sikor_sxe__> true :/
08:24 < SerajewelKS> sikor_sxe__: better to change the network address of the client's lan
08:24 < sikor_sxe__> no chance
08:25 < SerajewelKS> eh, then it's their problem and not yours :)
08:25 < sikor_sxe__> i'd like to shut down the crappy cisco thing
08:25 < sikor_sxe__> but this is a showstopper
08:26 < SerajewelKS> whatever the cisco client does is a terrible hack
08:26 < SerajewelKS> sikor_sxe__: also note that the client script will not be able to deal with subsets of the network either
08:27 < SerajewelKS> sikor_sxe__: e.g. if you are serving 192.168.0.0/16 and a client is using 192.168.2.0/24, the latter network will still be unroutable over the VPN
08:27 < SerajewelKS> sikor_sxe__: i can't think of a route command on windows that would remove the smaller network when you are looking for the larger one
08:28 < sikor_sxe__> hmm
08:29 < sikor_sxe__> windows does not matter here, i think
08:31 < SerajewelKS> well same goes for linux :P
08:32 < havoc> ok, now I can't ping the ends of the tunnel from each other :(
08:32 < SerajewelKS> either way, there is no built-in support for this.  you'll have to roll it yourself.
08:32 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
08:32 -!- DarthGandalf is now known as DarthGandalf|BNC
08:32 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
08:33 < sikor_sxe__> yeah, but it seems there is no way
08:34 < sikor_sxe__> if the clients default route is 10.0.0.1
08:34 < zamba> when using client-to-client all openvpn peers routes directly between each other, instead of going through the openvpn server, right?
08:34 < havoc> where is krzie when I need him, now that I'm finally using TUN ;)
08:35 -!- DarthGandalf|BNC is now known as DarthGandalf
08:37 < SerajewelKS> zamba: no, it means that when a packet arrives at the server from one client, destined for another client, the routing happens in the openvpn process itself
08:37 < SerajewelKS> zamba: otherwise, openvpn will send the packet to the host OS network layer
08:37 < zamba> SerajewelKS: that's the only difference?
08:37 -!- sonnie [~sonnie@202.141.162.106] has quit [Quit: leaving]
08:37 < SerajewelKS> zamba: which means iptables (on Linux) etc rules will apply, which could alter the destination of the packet, or filter it out
08:37 < zamba> in the latter case i can use netfilter to filter traffic between networks, right?
08:38 < zamba> yeah, exactly.. cool
08:38 < zamba> what about performance?
08:38 < SerajewelKS> zamba: yes, if you are not using client-to-client, you can use iptables.  when/if the packet re-enters the tap interface, openvpn will transmit it to the appropriate client.
08:38 < zamba> so for the clients there's no implications when going from client-to-client?
08:39 < SerajewelKS> zamba: you will have to conduct your own performance tests.  in my tests it's not significant, but my vpn is not high-load either.
08:39 < zamba> the reason i ask is because i want to do exactly what you say here.. i want to be able to control access from a central point, the openvpn server, instead of relying on the different clients to do this
08:40 -!- steelnwool [~jeff@204-232-209-119.static.cloud-ips.com] has joined ##openvpn
08:40 < steelnwool> g'day eh.
08:40 < steelnwool> i've got a pretty simple vpn setup , with about 8 machines behind the VPN. i need to give someone access to just one of them. Is there a recommended way of doing this?
08:40 < SerajewelKS> zamba: --client-to-client is a server-side option only, using it on clients does nothing at all
08:40 -!- comps [~comp@gw-gsosfm.gsosfm.cz] has quit [Ping timeout: 260 seconds]
08:40 < zamba> SerajewelKS: ok, cool
08:41 < SerajewelKS> zamba: so if you are using tap, clients will not notice the difference.  if you are using tun, there are some routing table changes.
08:41 < zamba> SerajewelKS: i'm using tun
08:42 < SerajewelKS> zamba: i think the only difference is that when using client-to-client, the server will push the appropriate route automatically
08:42 < SerajewelKS> zamba: if using --server anyway
08:42 < SerajewelKS> zamba: you might run a test server with an identical config to test
08:43 < SerajewelKS> zamba: if you are pushing the appropriate route already, then you should be fine removing client-to-client
08:43 < zamba> i'm pushing it already, yeah
08:43 < SerajewelKS> zamba: it only does magical config changes when using the "server" option
08:43 < zamba> i have push "route ... in the server.conf
08:43 < macsppadic> hello steelnwool 
08:43 < SerajewelKS> zamba: otherwise it should only affect inter-client routing
08:43 < steelnwool> macsppadic: hello.
08:43 < SerajewelKS> zamba: nod, you should be ok then
08:43 < zamba> SerajewelKS: ok, cool
08:44 < zamba> SerajewelKS: do you btw have any idea about my earlier question?
08:44 < SerajewelKS> zamba: i didn't see it
08:44 < macsppadic> so u want to enable access ffor user to just one machine inside the network?
08:44 < zamba> SerajewelKS: i'll try to rephrase it here
08:45 -!- sikor_sxe__ is now known as sikor_sxe
08:45 < SerajewelKS> steelnwool: use iptables something like this:  iptables -A FORWARD -i the-vpn-interface \! --dest the-allowed-destination -j REJECT
08:45 < zamba> all my openvpn clients are already routers for their respective networks.. all apart from one (network, that is).. where the openvpn peer only is a member of the subnet.. but i still want to be able to reach the network "behind" the peer
08:45 < SerajewelKS> zamba: is it a linux box?
08:45 < steelnwool> SerajewelKS: taht doesn't really sound user specific..
08:45 < SerajewelKS> steelnwool: ah, that part wasn't clear
08:46 < steelnwool> word. if i wanted to allow access to just one machine, i'd only push that one route.
08:46 < zamba> SerajewelKS: yeah
08:46 < SerajewelKS> zamba: if it is, then it should be as simple as turning on forwarding and masquerading traffic coming from the main VPN box
08:46 < zamba> ah!
08:46 < zamba> of course
08:46 < steelnwool> hrmm this plan isn't going to work well anwyays, because even if he can ony ssh toone box, he can use that box as a bastion and ssh to any others.
08:46 < SerajewelKS> zamba: so on that one client you'd do something like  iptables -t nat -A POSTROUTING -o ethN -j MASQUERADE
08:47 < zamba> where ethN is the network i want to include?
08:47 < SerajewelKS> zamba: adding --source or --dest if you'd like to fine-tune the rule
08:47 < SerajewelKS> zamba: where ethN attaches to that network, yes
08:47 < zamba> let's try
08:47 < SerajewelKS> zamba: basically that's going to make connections going through that box get NATed
08:48 < SerajewelKS> zamba: and since that box is not a gateway for any of the machines on the subnet, that forces them to reply through that box
08:48 < SerajewelKS> zamba: the downside is that all the connections will appear to be coming from that box.  if you are ok with that then masquerading is what you want.
08:48 < SerajewelKS> zamba: (i did this on my home network before i switched to tap for my vpn server)
08:48 < zamba> SerajewelKS: i think i'm ok with that
08:49 < zamba> SerajewelKS: we'll see implications later
08:49 < SerajewelKS> zamba: nods.  like i said, make sure you turn on ip forwarding if it's not already on
08:49 < zamba> SerajewelKS: the router is already masquerading clients going out on the internet for some other networks, so it's already one
08:49 < zamba> on*
08:49 < SerajewelKS> zamba: your main vpn router or this one client?
08:50 < SerajewelKS> zamba: you need to apply these rules on the VPN client that is not a router
08:50 < SerajewelKS> zamba: or the peer rather.  the "peer [is] only a member of the subnet"
08:50 < zamba> SerajewelKS: this one client
08:50 < zamba> SerajewelKS: openvpn peer client, that is
08:50 < zamba> SerajewelKS: sure
08:50 < SerajewelKS> zamba: right.  that box is where the forwarding/masquerading needs to happen.
08:51 < zamba> yup
08:51 < zamba> trying it out now
08:51 < zamba> just waiting for the peer to reconnect :)
08:51 < SerajewelKS> why would it need to reconnect
08:51 < zamba> i could just add the route using 'route', of course
08:52 < SerajewelKS> on all the machines on that LAN, sure
08:52 < SerajewelKS> or push it with DHCP
08:52 < zamba> on the vpn server side
08:52 < SerajewelKS> yeah, that will do squat to help
08:52 < zamba> there
08:52 < zamba> it works :)
08:52 < SerajewelKS> woot
08:53 < SerajewelKS> the problem is not the route, the problem is that the other boxen on the LAN won't know who to reply to if you don't masquerade it
08:53 < zamba> thanks a bunch :)
08:53 < SerajewelKS> np
08:53  * havoc *hates* TUN :(
08:53 < SerajewelKS> TUN is nice for "i want a quick VPN and don't want to dick around with X509"
08:53 < zamba> i thought tun was preferred?
08:53 < SerajewelKS> even with TinyCA, CA management is a PITA
08:53 < havoc> it is, supposedly
08:54 < SerajewelKS> tun is nice, but it doesn't allow legacy games to work... you know, the games that find servers with broadcasts
08:54 < SerajewelKS> unless you hack up iptables to forward broadcasts.  but that would be just silly.
08:54 < SerajewelKS> anywho, gotta run, later all
08:55 < havoc> ah, I wonder if my TLS crap is messing it up
08:55 < havoc> I converted a working config from TAP to TUN
08:55 < havoc> and now I can connect, but that's it, and --redirect-gateway is fail
08:56 -!- sikor_sxe [~mkulke@144.41.253.148] has quit [Read error: No route to host]
08:56 < havoc> getting "MULTI: bad source address from client" on the server, but the IP it says is bad is the PtP client
08:56 < havoc> but I'm using TLS
08:57 < havoc> should I not be using TLS?
09:00 < steelnwool> is the guy that wrote ssl-admin around?
09:00 < steelnwool> or someone that uses it?
09:02 -!- jnss is now known as a
09:02 -!- a is now known as jnss
09:04 -!- geri [~Gerald@143.205.215.23] has quit [Ping timeout: 260 seconds]
09:07 < zamba> does 'iroute' do any more magic than DON'T including the route in the routing table?
09:07 < zamba> or is 'iroute' an indication that the spesific network is terminated at the point where you define iroute
09:07 < zamba> `?
09:11 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
09:12 -!- steelnwool [~jeff@204-232-209-119.static.cloud-ips.com] has left ##openvpn []
09:13 < havoc> yes, I hate tun :(
09:18 < zamba> hm..
09:18 < zamba> removing client-to-client was no success
09:18 < zamba> not able to communicate between the networks no longer, and i have no idea why
09:18 < zamba> the server is running ip forwarding
09:18 < zamba> and the FORWARD table is set to ACCEPT
09:18 < zamba> what else can i do?
09:19 < zamba> do i explicitly have to carry the traffic between the networks+
09:20 < zamba> the routes are pushed to the different routers, so that part should be ok
09:21 < macsppadic> hello zamba whats happened?
09:21 < zamba> macsppadic: i want to be able control the traffic by using the openvpn server..
09:21 < zamba> macsppadic: the traffic that goes between the different nat-ed subnets
09:22 < zamba> macsppadic: so by removing client-to-client, i thought i'd accomplish that
09:23 < macsppadic> no go there then 
09:24 < macsppadic> so u have got forwarding enabled and u want to control how packets go between different subnets
09:25 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
09:25 < macsppadic> zamba: client-to-client is required if u want the different clients to connect 
09:25 < macsppadic> sorry see each other 
09:27 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:35 -!- sno [~sno@static.153.209.46.78.clients.your-server.de] has quit [Remote host closed the connection]
09:40 -!- gorkhaan_ [~gorkhaan@87.229.108.75] has joined ##openvpn
09:49 -!- gorkhaan_ [~gorkhaan@87.229.108.75] has quit [Quit: Távozom]
09:55 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has joined ##openvpn
09:59 -!- spiekey [~mario@projekte.imos.net] has quit [Quit: Ex-Chat]
10:00 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has quit [Quit: Leaving...]
10:06 -!- pwiggi [~pwiggi@nat/redhat/x-euhmvnonzvvjmszk] has joined ##openvpn
10:09 < pwiggi> I have openvpn setup using server mode and tls over tcp.  Everything works, but with a quirk: when the client connects, the connection looks established, but ping/ssh/etc doesn't work. After exactly 4 minutes, connection times out, re-connects, and everything immediately works.
10:10 < pwiggi> Anyone know of a common misconfiguration that would do something like that?
10:12 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:20 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has joined ##openvpn
10:27 -!- dazo_afk is now known as dazo
10:27 -!- daveborg98 [~daveborg9@COX-66-210-91-34-static.coxinet.net] has joined ##openvpn
10:40 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
10:43 < SerajewelKS> pwiggi: paste configs?
10:44 < daveborg98> !welcome
10:44 < vpnHelper> daveborg98: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:45 < SerajewelKS> pwiggi: also, don't use tcp unless it's absolutely necessary
10:45 < pwiggi> SerajewelKS: Unfortunately, it is
10:45 < SerajewelKS> tcp in tcp is fail
10:46 < daveborg98> !howto
10:46 < vpnHelper> daveborg98: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:46 < pwiggi> SerajewelKS: Well, it works great except for this one problem...
10:46 < SerajewelKS> pwiggi: which side of the connection times out?
10:46 < SerajewelKS> pwiggi: and still waiting for configs
10:47 < pwiggi> SerajewelKS: Working on them, and I'm not entirely sure, but it looks like the client is timing out.
10:50 < SerajewelKS> macsppadic: that is not true
10:50 < pwiggi> http://pastebin.com/759hyX9p  (and yeah, I'm using 192.168.1.0/24 right now, which will change in the future.  At any rate, there is no conflict on the test client's network)
10:50 < SerajewelKS> macsppadic: client-to-client means that routing happens in the openvpn process instead of in the host OS network stack
10:50 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has quit [Quit: Leaving...]
10:50 < macsppadic> hello SerajewelKS sorry did i say otherwise...
10:50  * macsppadic cant remember 
10:51 < SerajewelKS> pwiggi: you are missing the keepalive stanza in the client config for one
10:51 < SerajewelKS> which explains the connection timing out
10:52 < pwiggi> Ahh, fair enough.  Odd that it doesn't time out after the initial one; after 1 reconnect, it works perfectly for hours.
10:52 -!- sno [~sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn
10:52 < SerajewelKS> also you can push the keepalive from the server
10:53 < SerajewelKS> pwiggi: you also do not push comp-lzo, which explains everything else
10:54 < SerajewelKS> pwiggi: the server is expecting compressed packets and the client is sending uncompressed packets
10:54 < SerajewelKS> pwiggi: also, it would help you to, you know, read the manpage... because this is all documented there... :P
10:54 < pwiggi> SerajewelKS: You mean comp-lzo cannot be pushed?
10:55 < SerajewelKS> pwiggi: ahaha i'm a tool, i missed the push
10:56 < pwiggi> And I did read the manpage, fwiw
10:57 < SerajewelKS> nods
10:57 < SerajewelKS> are you sure that the ping problems are not due to other things?  firewall rules, routing rules...
10:57 < pwiggi> I just failed to grok which parts were necessary, as it is long and assumes much prior knowledge (like most man pages)
10:58 < pwiggi> I suspected that, but everything seems to be basically functional; after all, it works *after* the timeout/reconnect, and the routing table looks identical before and after.
10:58 < SerajewelKS> pwiggi: oh, interesting
10:59 < SerajewelKS> pwiggi: does restarting the server cause the broken behavior to resume, and does rebooting the client machine do the same?
10:59 < pwiggi> Further manpage reading might have the answer, though... the client config needs a comp-lzo line, otherwise it ignores comp-lzo pushes, apparently?
10:59 < pwiggi> Yes and yes.  Restarting either side makes the 4-minute timeout happen again.
10:59 < SerajewelKS> pwiggi: no, pushing comp-lzo should work, i just missed that line
10:59 < SerajewelKS> pwiggi: but you do need to push timeout
10:59 < pwiggi> Indeed.
11:00 < SerajewelKS> pwiggi: do you observe the same behavior when pushing timeout?
11:00 < pwiggi> Nope, that fixed it.  Thanks for the help, you are awesome :)
11:00 < SerajewelKS> np
11:00 < SerajewelKS> i dunno why that would fix pings not responding, but hey
11:01 < pwiggi> Well, I added 'comp-lzo' to the client config too, and I'll admit I was less than granular with testing the changes.
11:01 < SerajewelKS> yeah, i don't think that would affect anything since you're pushing it to, but hey
11:01 < SerajewelKS> if you feel so inclined you could try one and the other and see which works
11:01 < SerajewelKS> my gut says the timeout
11:02 < pwiggi> Yeah, commented out the timeout push and it still works.
11:02 < SerajewelKS> oh really...
11:02 < pwiggi> Err, the lzo push rather.
11:02 < SerajewelKS> ah, that makes more sense :)
11:03 < pwiggi> Hmm, no, it definitely is related to the comp-lzo line being IN the client config... I removed that, and kept 'push "comp-lzo yes"' and the timeout push on the server. and it breaks again.
11:04 < SerajewelKS> huh
11:04 < pwiggi> But your RTFM comment led me back to the comp-lzo option in the man page, which explains why that's true.
11:04 < pwiggi> So, thanks again :)
11:05 < SerajewelKS> hey np :)
11:05 -!- pwiggi [~pwiggi@nat/redhat/x-euhmvnonzvvjmszk] has left ##openvpn []
11:05 < SerajewelKS> ah, i see.  interesting.
11:06 < SerajewelKS> and that explains why it magically worked when the client reconnects, i think... the push didn't have any effect for the first connection but openvpn must remember that option when it reconnects
11:06 < SerajewelKS> not sure if that can be considered a bug or not
11:29 < zamba> SerajewelKS: did you see my problem after turning off client-to-client?
11:31 < SerajewelKS> zamba: yes
11:31 < SerajewelKS> zamba: is ip forwarding turned on?  does iptables allow the two networks to talk?
11:32 < SerajewelKS> zamba: the routing table on the host machine is very important here, since it will be accessed to determine where to send packets
11:32 < zamba> SerajewelKS: yup to both question
11:32 < zamba> questions*
11:32 < zamba> # cat /proc/sys/net/ipv4/ip_forward
11:32 < zamba> 1
11:33 < SerajewelKS> zamba: if it doesn't contain correct routing information directing VPN-bound packets out the appropriate VPN interface, they will be sent to the default gateway
11:33 < zamba> Chain FORWARD (policy ACCEPT 200 packets, 16492 bytes)
11:33 < zamba> and no rules in
11:33 < zamba> i suspect the problem is in the openvpn configuration
11:33 < SerajewelKS> zamba: pastebin your vpn configs then, and your host routing table
11:34 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:34 < zamba> http://pastebin.com/i510nSQY
11:34 < zamba> that's the server.cfg
11:35 < zamba> i see i have some duplicity with ca|cert|key|dh but that shouldn't matter..
11:35 < zamba> SerajewelKS: does 'iroute' determine where the different networks are terminated?
11:35 < zamba> SerajewelKS: at what endpoint?
11:36 < zamba> SerajewelKS: that configuration is with client-to-client enabled, but i'll disable it now and give you the routing table for the openvpn server
11:36 < SerajewelKS> zamba: for openvpn internally, yes
11:36 < zamba> SerajewelKS: yeah
11:36 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 268 seconds]
11:37 < SerajewelKS> zamba: i would not expect client-to-client to work either without appropriate iroutes set up
11:37 < zamba> SerajewelKS: i have that set up
11:37 < zamba> SerajewelKS: under /etc/openvpn/ccd i have configuration files for the different peers
11:37 < SerajewelKS> ok
11:37 < zamba> SerajewelKS: basically just one iroute entry that corresponds to the local network local to that peer
11:37 < SerajewelKS> right
11:37 < zamba> SerajewelKS: one or several, that is
11:38 < zamba> SerajewelKS: a related question.. how can i say that one of the endpoint shouldn't get a certain route?
11:38 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
11:38 < SerajewelKS> zamba: put the push directives in each client config and omit the ones you don't want
11:39 < zamba> SerajewelKS: ah
11:39 < zamba> SerajewelKS: i suspected that :)
11:39 < zamba> but good thing i've understood that much :)
11:40 < zamba> SerajewelKS: routing table for the openvpn server
11:40 < zamba> http://pastebin.com/u2L4BHe3
11:40 < SerajewelKS> zamba: i'm curious what this box's IP is, and what its routing tables look like after openvpn is brought up
11:40 < SerajewelKS> 10.8.0.2?
11:40 < zamba> inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
11:40 < zamba> that's the tun0 interface
11:41 < SerajewelKS> ok so does each peer have its own subnet here?
11:41 < zamba> vpn subnet?
11:41 < SerajewelKS> does each "route" effectively correspond to one client?
11:41 < zamba> each route corresponds to a local subnet at one of the endpoints, yeah
11:41 < SerajewelKS> because the way i read the routing table, *all* routes point to *one* peer
11:42 < zamba> this is on the server
11:42 < SerajewelKS> yes
11:42 < SerajewelKS> 10.8.0.2 looks like a remote tunnel endpoint, no?
11:42 < zamba> http://pastebin.com/mPhkhkVT
11:42 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
11:42 < zamba> this is the routing table of one of the peers (the one with the most networks connected locally)
11:42 < SerajewelKS> right
11:42 < SerajewelKS> and 10.8.0.17 is the server's endpoint?
11:43 < SerajewelKS> (the "server" being the central vpn hub)
11:43 < zamba> think so, yeah
11:43 < zamba> though it doesn't answer to my ping requests
11:44 < zamba> 10.8.0.1 does
11:45 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
11:45 < SerajewelKS> on the server, can you ping addresses on the other side of the tunnels?  addresses from the "route" address spaces?
11:45 < zamba> yeah
11:45 < zamba> without problems
11:45 < SerajewelKS> does it work with each remote peer?
11:45 < zamba> yeah
11:45 < zamba> i can even ping hosts in the local subnets
11:45 < zamba> as long as i do it from the openvpn server
11:46 < zamba> so that works perfectly
11:46 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
11:46 < zamba> gotta run.. back in 45 minutes
11:46 < zamba> if you're still here
11:46 < SerajewelKS> you might throw in: iptables -A FORWARD -i tun0 -j LOG --log-prefix 'tun0: '
11:46 < SerajewelKS> see what happens when you ping one network from one of the peers
11:46 < SerajewelKS> (check dmesg)
11:47 < SerajewelKS> i don't have client-to-client, using a tap VPN and my clients can see each other just fine
11:47 < SerajewelKS> in a multi-subnet setting though i'm not too experienced, but this looks like something in the kernel's routing process that's not going quite right
11:57 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 246 seconds]
12:05 -!- notbrien|weshop [~notbrien|@208.82.13.214] has joined ##openvpn
12:09 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
12:13 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
12:16 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
12:19 -!- notbrien|weshop [~notbrien|@208.82.13.214] has left ##openvpn []
12:19 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
12:20 < notbrien> how can i have an internal ip such as 172.16.0.8 be seen as 10.8.0.8 from a vpn client? I want to map a vpn ip to an internal ip instead of exposing the internal network subnet to vpn clients.
12:28 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
12:28 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.2/20100316074819]]
12:36 < SerajewelKS> notbrien: by using iptables and DNAT
12:40 < notbrien> SerajewelKS: thanks
12:41 -!- daveborg98 [~daveborg9@COX-66-210-91-34-static.coxinet.net] has quit [Quit: Bersirc 2.2: Looks, feels and sounds (?!) different! [ http://www.bersirc.org/ - Open Source IRC ]]
12:42 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has joined ##openvpn
12:42 < SerajewelKS> notbrien: np
12:48 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has quit [Quit: Leaving...]
12:53 -!- kyrix [~ashley@77.116.132.147.wireless.dyn.drei.com] has joined ##openvpn
13:05 < zamba> SerajewelKS: where does the log output go?
13:05 < zamba> SerajewelKS: syslog?
13:06 < zamba> find nothing there
13:06 < zamba> SerajewelKS: it doesn't look like it even hits the FORWARD table
13:06 < zamba>    0     0 LOG        all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `tun0: ' 
13:14 < zamba> nevermind, it's working now :)
13:18 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
13:18 -!- ryanrhee90 [~Adium@wireless-128-62-157-151.public.utexas.edu] has joined ##openvpn
13:19 -!- ryanrhee90 [~Adium@wireless-128-62-157-151.public.utexas.edu] has left ##openvpn []
13:25 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
13:25 < zamba> SerajewelKS: i now got it working for all subnets except the peers themselves.. they are not able to contact hosts in other subnets than their own
13:25 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
13:29 < SerajewelKS> zamba: but hosts behind those peers can?
13:29 < SerajewelKS> zamba: what was the problem preventing that?
13:35 < zamba> SerajewelKS: stupidity :)
13:36 < SerajewelKS> haha
13:36 < zamba> basically me fucking a bit up :)
13:36 < zamba> i checked at the wrong host.. a host that already was behind a firewall blocking the replies
13:36 < SerajewelKS> my guess as to why you can't ping from the vpn peers is because the source ip is getting set to the ip on their tun interface, since that's the one it's going out
13:37 < zamba> SerajewelKS: yeah, looks that way to me as well
13:37 < SerajewelKS> zamba: try ping -I ethN
13:37 < zamba> SerajewelKS: i guess the ping request reaches the host, but the reply is sent the wrong way
13:37 < SerajewelKS> zamba: should force it to use the LAN IP as the source IP 
13:38 < zamba> yup, that worked
13:38 < SerajewelKS> tada :)
13:38 < SerajewelKS> so now you should see traffic through that LOG rule
13:38 < zamba> yup :)
13:38 < SerajewelKS> which implies that you can filter inter-peer traffic using the FORWARD chain
13:38 < SerajewelKS> cool, well glad to see it's working :)
13:38 < zamba> yeah, that works perfectly with the hosts behind the routers
13:38 < zamba> but.. :)
13:39 < zamba> i have this one windows peer that only should access the other networks
13:39 < zamba> and it's not a router in its own network at all
13:39 < zamba> basically someone that just needs to reach a certain network
13:39 < zamba> hwo can i get that working..?
13:40 < zamba> since the traffic originating from that peer will have the ip of the vpn interface visible
13:40 < SerajewelKS> mmm
13:40 < SerajewelKS> a separate openvpn instance? :S
13:40 < zamba> on the server, you mean?
13:40 < zamba> just for handling that traffic?
13:40 < SerajewelKS> i think the main problem is that a multi-peer tun setup uses /30 subnets, one IP for the interface and one IP for the openvpn process, AIUI
13:41 < zamba> yeah
13:41 < SerajewelKS> hmm, you should still be able to ping the VPN endpoints though
13:41 < SerajewelKS> just not the openvpn processes
13:41 < SerajewelKS> e.g. from a vpn peer, can you not ping 10.8.0.1?
13:42 < zamba> that works
13:42 < SerajewelKS> right
13:42 < SerajewelKS> so i don't see the problem :)
13:42 < zamba> if i have a windows peer that needs to reach a host on a remote subnet
13:42 < SerajewelKS> on the IP level it's working fine
13:43 < SerajewelKS> do the routers between the remote host in question know to direct 10.8.0.0/24 back to the vpn server?
13:43 < SerajewelKS> if they do, it should just work
13:43 < SerajewelKS> if you can get pinging from a vpn peer to work (without -I), then this should work too
13:44 < SerajewelKS> my guess is that some router doesn't know where 10.8.0.0/24 is supposed to go
13:44 < zamba> no routers know that
13:44 < SerajewelKS> and neither does its default gateway etc
13:44 < zamba> i have no route added for 10.8.0.0./24
13:44 < zamba> -.
13:44 < SerajewelKS> you do on the VPN server itself, by necessity
13:44 -!- mape2k [~mape2k@f053197117.adsl.alicedsl.de] has joined ##openvpn
13:44 < zamba> 10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
13:45 < zamba> yeah, but not on the peers
13:45 < SerajewelKS> right
13:45 < SerajewelKS> so you need to push that route
13:45 < SerajewelKS> are the non-central peers the default routers for their segments?
13:45 < SerajewelKS> openvpn pushes 10.8.0.0/24 implicitly when you use --client-to-client
13:46 < SerajewelKS> if you want inter-client chatter on that subnet and you are not using client-to-client, you have to push that route yourself
13:46 < zamba> aha
13:46 < zamba> cool
13:46 < SerajewelKS> ten bucks says if you start pushing that route, inter-client pings will begin working
13:46 < zamba> trying now :)
13:47 < SerajewelKS> the trick is, if this windows box can reach random network segments, you have to make sure that all the possible network segments it could be reaching can route 10.8.0.0/24 back to the VPN server
13:47 < SerajewelKS> if that is not the case then you need to masquerade traffic from that box.  or at a minimum, masquerade it to networks that cannot route 10.8.0.0/24 back to the VPN server.
13:48 < zamba> waiting for the peers to reconnect
13:48 < SerajewelKS> nods
13:48 < zamba> let's see what happens then
13:48 < SerajewelKS> hope this isn't critical infrastructure (yet)
13:48 < zamba> it's only critical for me :)
13:48 < zamba> i'm the only one using it
13:48 < SerajewelKS> good deal
13:48 < zamba> wor
13:48 < zamba> wow*
13:48 < zamba> works :)
13:49 < SerajewelKS> \o/
13:49 < SerajewelKS> yeah you were just missing that route the whole time :)
13:49 < zamba> you know your stuff
13:49 < SerajewelKS> which client-to-client provided for you
13:49 < SerajewelKS> oh pssh, dude i'm an openvpn noob
13:49 < zamba> i'm officially impressed
13:49 < zamba> well.. you've given the best help in #openvpn for ages
13:49 < SerajewelKS> but i do know something about networking :)
13:49 < SerajewelKS> well i'm honored
13:49 < SerajewelKS> IP just fascinates me, so i tinker... a lot
13:50 < zamba> to the point and informative
13:50 < SerajewelKS> my wife doesn't always appreciate it :)
13:50 < zamba> hehe
13:50 < zamba> so your wife doesn't speak ip? :)
13:50 < SerajewelKS> not yet.  i taught her binary though.
13:50 < zamba> you should hook her up ;)
13:51 < SerajewelKS> her eyes glazed when i began explaining subnetting
13:51 < zamba> haha
13:51 < SerajewelKS> one day
13:51 < zamba> does she have a sister? :)
13:51 < SerajewelKS> two brothers
13:52 < zamba> ok, i'm not that desperate - yet :)
13:52 < SerajewelKS> heh well they're married anyway :P
13:52 < zamba> hehe
13:52 < zamba> anyway.. openvpn related.. when using a PKI.. do you know how to disable/terminate a peer?
13:52 < SerajewelKS> use --disable if it's temporary
13:53 < SerajewelKS> if it's due to compromise, use a proper CRL
13:53 < zamba> let's say i want to give an external party access to my openvpn server for doing some work.. but then i need to disable/terminate the client/peer after the work's done
13:53 < zamba> --disable? where?
13:53 < SerajewelKS> in that case i would issue them a certificate with a short lifetime
13:53 < SerajewelKS> or, a long lifetime, but revoke it and use a CRL
13:54 < SerajewelKS> the CRL will tell the server "this certificate is permanently revoked"
13:54 < SerajewelKS> disable tells the server "don't accept the certificate with this CN"
13:54 < SerajewelKS> which you typically should only use for misbehaving peers, or for testing
13:54 < SerajewelKS> if you revoke the cert you will have to issue a new one if they need to do more work.  that's still probably preferable though.
13:55 < zamba> i'm using the easy-rsa stuff.. what command am i basically running here?
13:55 < SerajewelKS> because if you do this enough, you will have "disable" littered all through your config.  CRLs also have the benefit of being a proper registry of revoked certs.
13:55 < SerajewelKS> hmm, i dunno, i don't use easy-rsa
13:55 < SerajewelKS> at a glance, revoke-full is probably what you're after
13:55 < zamba> dang.. i guess i really should study and learn this stuff soon :)
13:56 < SerajewelKS> it will throw the CRL in crl.pem
13:56 < SerajewelKS> which you then copy to your server conf dir and reference it with crl-verify
13:57 < SerajewelKS> or symlink if you prefer
13:57 < SerajewelKS> basically, that generates a CA-signed "revokation certificate"
13:58 < SerajewelKS> it's the CA asserting that a certificate is no longer valid.  the CRL contains all such revokation certificates.
13:58 < zamba> and i can do this "on the run", without having to restart the vpn server?
13:58 < SerajewelKS> i believe so, yes
13:58 < SerajewelKS> i don't think any existing client will be disconnected
13:58 < SerajewelKS> but future connections should be rejected
13:59 < zamba> ok
14:00 < SerajewelKS> i do not know if you must send a signal to openvpn for it to reread the CRL
14:00 < SerajewelKS> my gut says that it probably reads the file on each connection, but i am not sure
14:00 < SerajewelKS> you could send SIGHUP to be sure, which will drop all connections and reload the config
14:01 < zamba> ok.. i'll look into this in more detail..
14:01 < SerajewelKS> which would require a reconnection, yes, but it would also ensure that no existing connections would be rejected by the CRL
14:01 < zamba> again - thanks a bunch :)
14:01 < SerajewelKS> np, good luck
14:01 < zamba> you'll hear from me ;)
14:03 < SerajewelKS> anytime :)
14:05 < SerajewelKS> also just because i'm online doesn't mean i'm at the keyboard (i'm connected to IRC 24/7) so if i don't reply in here, leave me a PM or something
14:06 < SerajewelKS> that's so i'll notice your message.  we'll of course discuss anything openvpn-related in here so people can chime in and/or listen.
14:33 -!- MadTBone [~MadTBone@160.39.238.196] has joined ##openvpn
14:36 -!- dazo is now known as dazo_afk
14:38 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:39 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has joined ##openvpn
14:46 -!- kyrix [~ashley@77.116.132.147.wireless.dyn.drei.com] has quit [Ping timeout: 276 seconds]
14:48 -!- kyrix [~ashley@77.116.132.147.wireless.dyn.drei.com] has joined ##openvpn
14:51 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has quit [Read error: Connection reset by peer]
14:59 -!- daveborg98 [~daveborg9@COX-66-210-91-34-static.coxinet.net] has joined ##openvpn
15:01 < daveborg98> !welcome
15:01 < vpnHelper> daveborg98: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:01 < zamba> you can 'push' routes, but is it possible to 'pull|delete' them as well?
15:01 < zamba> !push
15:01 < vpnHelper> zamba: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
15:01 < daveborg98> !configs
15:01 < vpnHelper> daveborg98: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
15:08 < zamba> is it possible to predefine what vpn ip a peer should get?
15:08 < daveborg98> !logs
15:08 < vpnHelper> daveborg98: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
15:09 < zamba> i'm using 'server 10.8.0.0 255.255.255.0'
15:09 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
15:14 -!- kyrix [~ashley@77.116.132.147.wireless.dyn.drei.com] has quit [Ping timeout: 260 seconds]
15:18 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
15:18 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
15:18 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
15:18 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
15:23 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has joined ##openvpn
15:29 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has quit [Quit: Leaving...]
15:33 -!- daveborg98 [~daveborg9@COX-66-210-91-34-static.coxinet.net] has quit [Ping timeout: 240 seconds]
15:36 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
15:46 -!- takamichi [~pri@213.163.66.192] has quit [Ping timeout: 264 seconds]
15:52 < zamba> is it possible to set up the vpn server so that the peers get the same ip address every time they connect?
15:54 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 246 seconds]
16:01 < zamba> push-reset, btw. :p
16:27 -!- mape2k [~mape2k@f053197117.adsl.alicedsl.de] has quit [Remote host closed the connection]
16:28 < notbrien> doing a scp test shows that openvpn is 1/3 (10MB/s versus 30MB/s) the speed of of a regular connection. Is there anything I can do to increase performance?
16:29 < SerajewelKS> zamba: perhaps ifconfig-pool-persist?
16:29 < SerajewelKS> zamba: keys off of the cert CN
16:30 < SerajewelKS> notbrien: there are configuration switches you can use that trade security for performance
16:30 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:30 < zamba> SerajewelKS: what do you mean keys off?
16:31 < SerajewelKS> zamba: it remembers what IPs it has assigned to clients by their cert CN
16:31 < SerajewelKS> zamba: so if your certs have duplicate CNs, this will not work
16:32 < SerajewelKS> zamba: you can preseed the list using the format in the manpage
16:32 < notbrien> SerajewelKS: where can i find a list of the switches?
16:33 < SerajewelKS> notbrien: man openvpn
16:33 < zamba> SerajewelKS: so i can define a file name and then openvpn will start writing the entries in there as the clients connect?
16:33 < zamba> SerajewelKS: or preseed it with the CN->ip i want
16:34 < SerajewelKS> zamba: both are true, yes
16:34 < SerajewelKS> zamba: if an entry is in the file, it uses it.  otherwise it will assign the next address in the pool to the CN of the connecting client, and write it back to the file (after at most 600 seconds if you don't specify the seconds option).
16:35 < zamba> SerajewelKS: lovely :)
16:35 < SerajewelKS> zamba: if you specify seconds of 0 it will never write new entries into the file, and only the ones you've put in the file are sure to be assigned to their respective client
16:36 < SerajewelKS> zamba: remember that you are assigning out of /30s though :)
16:36 < zamba> SerajewelKS: you calling yourself a openvpn noob is this year's understatement :)
16:36 < SerajewelKS> zamba: heh
16:36 < zamba> SerajewelKS: yeah, that's why i want openvpn to write the file itself :)
16:36 < SerajewelKS> zamba: so if the server is .1, the first client is .5, then .9, tc
16:36 < SerajewelKS> etc*
16:36 < SerajewelKS> nod
16:37 < zamba> i just want it to predictable in my firewall rules
16:37 < SerajewelKS> right
16:37 < SerajewelKS> it doesn't look like it ever expires addresses either, perhaps when the pool is full, i dunno about that
16:38 < SerajewelKS> i dunno if openvpn can do per-client tun interfaces, but that's another way to go
16:38 < SerajewelKS> tun-foobar, tun-baz
16:38 < SerajewelKS> then you can filter on -i instead
16:38 < rob0> Per-client tun means separate instance per client, in which case a server mode makes no sense, a peer mode would be better.
16:39 < SerajewelKS> right, i didn't know if server mode could dynamically allocate new tuns for incoming clients or if it's only capable of using one tun node
16:39 < rob0> one tun per instance, regardless of mode.
16:39 < SerajewelKS> would be cool though, that would mean you could use the same port for many clients on different tuns
16:40 < SerajewelKS> zamba: remember that nothing is preventing the peers from sending traffic as another peer.  not very dangerous for TCP, but UDP is easy to spoof this way.
16:41 < SerajewelKS> so multiple instances / tuns is the only truly secure way to do it, if you do not trust your clients :)
16:41 < SerajewelKS> because iptables cannot distinguish between the openvpn client, except by IP, which can be spoofed easily enough.  of course, replies won't be routed back to the spoofer, but you get the idea.
17:12 < cwillu_at_work> SerajewelKS, this is accounting for --learn-address?
17:13 < cwillu_at_work> my impression was that that option is intended for exactly that use
17:32 < SerajewelKS> cwillu_at_work: hmm, that's an idea... would not be fun to maintain, but would work
17:33 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has joined ##openvpn
17:35 -!- medum [kevin@d67-193-176-255.home3.cgocable.net] has joined ##openvpn
17:35 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has quit [Client Quit]
17:41 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
17:49 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Quit: I am off]
17:52 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
17:56 < jetole> Hey guys. I have a firewall in our office which also acts as VPN for the road warriors. I want to add a new VPN that is from our office to the data center. Can I do this without restarting the current VPN?
17:56 < jetole> basically without resetting all the connected employees?
17:58 < cwillu_at_work> run it on another port?
17:59 < jetole> well technically I'm making it a client to the data center so it's already a server and now I want to make it a client
17:59 < jetole> too
18:00 < jetole> typically when I have had to reload it in the past I just run /etc/init.d/openvpn restart but yeah, I know that kills everyone. This is on ubuntu 9.04
18:00 < cwillu_at_work> give me a sec and I can check what the default job is, but you could even just run it by hand to set up the new instance if you wanted to
18:00 < cwillu_at_work> you could make an upstart job in about 5 lines that would do it
18:01 < jetole> hmmm, so say I manually start the client but next time openvpn restarts it should start them both
18:01 < cwillu_at_work> jetole, it looks like you can just /etc/init.d/openvpn start (not restart) to kick in the new file;  there's ways to specify which ones you want to configure as well
18:02 < jetole> hmmm, ok
18:02 < cwillu_at_work> /etc/init.d/openvpn start <name> should work
18:02 < cwillu_at_work> according to line 121 of /etc/init.d/openvpn
18:02 < cwillu_at_work> er, around there
18:02  * jetole looks at the init.d
18:02 < jetole> ah neat
18:03 < cwillu_at_work> that whole mess would be about 20 lines in an upstart job, hopefully they update the job in 10.10 if they haven't already in 10.04
18:03 < jetole> yeah I see what you are saying. I should have looked there first
18:04 < jetole> also, if openvpn is configured through /etc/default to load all vpn, how does it know if a file in the vpn dir is for a vpn? Right now it just has server.conf
18:04 < cwillu_at_work> each .conf file is a vpn config
18:04 < jetole> sweet
18:04 < cwillu_at_work> there's a line somewhere to be more selective
18:04 < jetole> thanks for the help
18:04 < cwillu_at_work> /etc/default/openvpn can probably set it
18:05 < cwillu_at_work> yep, set AUTOSTART to the particular ones you want, or to all
18:05 < jetole> AUTOSTART="all"
18:05 < cwillu_at_work> basically exactly what the comments say :p
18:05 < jetole> thats from my /etc/default/openvpn
18:05 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Ping timeout: 260 seconds]
18:05 < jetole> ok, well I'm gonna read the install docs again anyways now because frankly I can't remember how to build the certs anyways but again, thanks for the help
18:06 < cwillu_at_work> easyrsa is in the /usr/share folders, not sure the exact path
18:06 < cwillu_at_work> I use tinyca myself
18:07 < jetole> with mine it's in /etc/openvpn and I use it all the time
18:07 < jetole> but I forget how to make the server cert, ca.crt and I think there was another one, three letter acronym that started with t
18:08  * jetole reads his server.conf
18:08 < cwillu_at_work> crl
18:08 < cwillu_at_work> standard stuff
18:08 < jetole> tls
18:08 < jetole> crl too
18:08 < jetole> I see both in there
18:08 < jetole> tls-auth ta.key 0
18:08 < cwillu_at_work> you understand how the chain works?
18:10 < jetole> Lets say I understand but I forget which is why I am reverting to the docs. I set up the vpn over a year ago, migrated it to the new OS when we changed computers but other then that it was configured and forgotten
18:11 < cwillu_at_work> the cert stuff is generic, applies to all sorts of stuff, not just vpn
18:11 < jetole> No I know, a lot of it is familiar from the work I have done with ssl
18:11 < cwillu_at_work> okay
18:12 < cwillu_at_work> you can do it the same way, except you have to act as your own ca
18:12 < jetole> I know and I do
18:12 < cwillu_at_work> so it's just the other million config item? :p
18:12 < jetole> no, it's just brushing up on the details
18:12 < jetole> like I said, it's been a while since I set this up
18:13 < jetole> crash course 
18:13 < jetole> I'll be fine 
18:13 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
18:13 < jetole> Actually I appreciate you're concern, you don't see it often enough on IRC but this is something that I'm not too worried about so don't worry about me 
18:14  * cwillu_at_work coddles jetole 
18:14 < jetole> awwww... muffin
18:14 < jetole> ;)
18:20 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
18:24 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has joined ##openvpn
18:27 -!- medum [kevin@d67-193-176-255.home3.cgocable.net] has quit [Ping timeout: 276 seconds]
18:27 < ecrist> !ssl-admin
18:27 < vpnHelper> ecrist: "ssl-admin" is (#1) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#2) if you use freebsd, it is in ports, or (#3) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn
18:30 -!- DrPepper [~DrPepper@vodsl-8803.vo.lu] has quit [Quit: Leaving...]
18:33 -!- PeterFA [~Peter@2002:1871:8ebb:1234:21a:73ff:fe3b:d510] has joined ##openvpn
18:33 -!- PeterFA [~Peter@2002:1871:8ebb:1234:21a:73ff:fe3b:d510] has quit [Changing host]
18:33 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
18:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
19:23 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
19:26 -!- krzie_ [~krzee@butters.secure-computing.net] has joined ##openvpn
19:29 -!- Visual`_ [~visualsta@ip-80-236-251-222.dsl.scarlet.be] has joined ##openvpn
19:29 -!- APTX_ [~APTX@chello089076052083.chello.pl] has joined ##openvpn
19:29 -!- APTX_ [~APTX@chello089076052083.chello.pl] has quit [Changing host]
19:29 -!- APTX_ [~APTX@phpBB/developer/APTX] has joined ##openvpn
19:29 -!- Serajewe1KS [~me@wikipedia/Crazycomputers] has joined ##openvpn
19:31 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 260 seconds]
19:31 -!- krzie [~krzee@butters.secure-computing.net] has quit [Ping timeout: 260 seconds]
19:31 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 260 seconds]
19:31 -!- SerajewelKS [~me@wikipedia/Crazycomputers] has quit [Ping timeout: 260 seconds]
19:31 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 260 seconds]
19:31 -!- diffen3 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
19:38 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:17 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
20:18 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
20:21 < havoc> is there a good way to tell when a tun ptp client has dropped off?
20:52 < jpalmer> havoc:  logfiles,  or the status file (though it's not updated realtime)
20:53 < havoc> so no openvpn options/triggers?
20:54 < jpalmer> on the client,  you have a down script that runs
20:54 < havoc> I need to know on the server
20:54 < jpalmer> hrm,  can't say I've ever looked for such an option.  no expertise there
20:59 < havoc> oh well
20:59 < havoc> can be scripted w/ ping anyway
20:59 < havoc> I was just wondering if ovpn had a builtin method
21:04 < jpalmer> if it's an always-on connection,  you could setup a network monitor such as nagios
21:23 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Disconnected by services]
22:02 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
22:08 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
23:05 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: Operation timed out]
23:27 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:31 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
--- Log closed Wed Mar 24 00:10:31 2010
--- Log opened Wed Mar 24 07:22:18 2010
07:22 < dazo> bogard: and as long as it's not documented in the kernel docs ... it's not official, and the kernel devels don't care too much about what users might expect or not - they would just say the (unofficial) docs are wrong
07:22 < bogard> the intent of most of these howto's is to figure out if a node on the network is directly connected or via virtual devices/tunnels
07:23 < dazo> bogard: what I see through the code (doing git log --follow -p) ... the hwaddr randomisation have been a ping-pong game ... switching from memcpy() to random_ether_addr()
07:23 < bogard> dazo, yep, you're right ... that's why i searched for docs stating the fact officially
07:23 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
07:25 < dazo> bogard: commit 36226a8ded46b8 and commit f271b2cc78f09c9 are the most interesting ones
07:25 < dazo> the latter one was commited Jul 14, 2008
07:26 < bogard> hehe, but since we're on ##openvpn, do you know a way for an external dhcp-server to figure out if a dhcp-request comes from a physical node or a vpn-client? :)
07:26 < bogard> uhm, dazo, can you point me to the webgit?
07:26 < dazo> bogard: you haven't a cloned git kernel repo? :-P .... sure, no prob!  Just a sec
07:27 < dazo> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=summary
07:27 < vpnHelper> Title: git.kernel.org - linux/kernel/git/torvalds/linux-2.6.git/summary (at git.kernel.org)
07:29 < dazo> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=36226a8ded46b8 .... http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=f271b2cc78f09c9
07:29 < vpnHelper> Title: git.kernel.org - linux/kernel/git/torvalds/linux-2.6.git/commitdiff (at git.kernel.org)
07:29 < dazo> bogard: direct links to the commits ^^
07:29 -!- steak__ [~alex@fire.perspectix.com] has joined ##openvpn
07:29 < steak__> hello
07:30 < bogard> dazo, thanks ... searching didnt work the way i expected
07:30 < dazo> bogard: yeah, I know ... I always search commits via the URL and not the web interface
--- Log closed Wed Mar 24 07:39:04 2010
--- Log opened Wed Mar 24 08:24:35 2010
08:24 -!- DarthGandalf is now known as DarthGandalf|BNC
08:28 -!- kajl [~kyle@80.67.10.198] has joined ##openvpn
08:29 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has joined ##openvpn
08:29 < Error404NotFound> i am trying to configure a preshared based openvpn and i get "Options error: Parameter dh_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified."
08:30 < Error404NotFound> i am trying to configure a preshared based openvpn and i get "Options error: Parameter dh_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified."
08:30 < rob0> Looks pretty clear to me, both times!
08:31 < Error404NotFound> damn, pasted wrong error message :P
08:34 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Remote host closed the connection]
08:36 < Error404NotFound> "Options error: specify only one of --tls-server, --tls-client, or --secret" is the error that i get..
08:37 < Error404NotFound> if i remove --tls-server i am back to previous error
08:37 < rob0> see the 1.x howto for setting up a peer mode (preshared key) tunnel.
08:42 < Error404NotFound> okay, remote peer guy has told me to use "HelloVPN" as pre-shared-secret key, if i generate it via commandline, it generates some other gibberish...
08:44 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
08:48 < meepmeep> does anyone knows why my ipp.txt isn't showing actual pool of ip ?
08:50 -!- disappearedng_ [~disappear@unaffiliated/disappearedng] has quit [Ping timeout: 264 seconds]
08:53 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X Button]
08:57 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 258 seconds]
08:58 -!- disappearedng_ [~disappear@unaffiliated/disappearedng] has joined ##openvpn
09:04 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
09:07 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
09:09 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
09:23 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 258 seconds]
09:23 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
09:23 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
09:23 -!- LobbyZ [~default@188.72.255.194] has quit [Quit: Free FTW]
09:24 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
09:31 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
09:32 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
09:36 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
09:39 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
09:40 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
09:47 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
09:52 -!- java [~java@41.230.116.241] has quit [Quit: Leaving]
09:54 -!- michal` [~michal@rsbac/developer/michal] has joined ##openvpn
09:54 < michal`> hello :)
09:54 < michal`> ^^ topic, well, my problem isn't a firewall, really
09:54 < michal`> but is AS
09:55 < michal`> and if you don't support it, cya :)
09:55 < michal`> .wc
09:55 -!- michal` [~michal@rsbac/developer/michal] has left ##openvpn [">/dev/yachill"]
10:01 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has left ##openvpn []
10:01 -!- tsaitgaist [~d4c96f42@gateway/web/freenode/x-gwqpxxwbcegksrho] has joined ##openvpn
10:02 < tsaitgaist> how to configure in the server so that it tells to use one of the client as default gateway ?
10:03 -!- jww is now known as jwwwoid
10:04 < tsaitgaist> the client can view each other. "redirect-gateway client_ip" does not work, adding a route by hand neither
10:07 -!- disappearedng_ [~disappear@unaffiliated/disappearedng] has quit [Ping timeout: 246 seconds]
10:10 < havoc> bah
10:11 -!- tsaitgaist [~d4c96f42@gateway/web/freenode/x-gwqpxxwbcegksrho] has quit [Ping timeout: 252 seconds]
10:13 -!- rob0 [~rob0@tuxaloosa.org] has quit [Read error: Connection reset by peer]
10:13 -!- rob0 [~rob0@38.104.216.66] has joined ##openvpn
10:16 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
10:23 -!- disappearedng_ [~disappear@unaffiliated/disappearedng] has joined ##openvpn
10:23 -!- Getterac7 [~wally@user-12l35v4.cable.mindspring.com] has joined ##openvpn
10:23 < Getterac7> !welcome
10:23 < vpnHelper> Getterac7: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:26 < Getterac7> i have a question about OpenVPN... if i have a server set up and two (A and B) clients are connected over the internet, would the OpenVPN server high bandwidth if A wanted to transfer files to B?  Does OpenVPN open peer-to-peer connections for file transfers and such?
10:27 < Getterac7> would the server need high bandwidth*
10:29 -!- jwwwoid is now known as jww
10:32 -!- rob0__ [~rob0@216.23.247.75] has joined ##openvpn
10:32 -!- rob0 [~rob0@38.104.216.66] has quit [Read error: Connection reset by peer]
10:36 -!- rob0__ [~rob0@216.23.247.75] has quit [Ping timeout: 246 seconds]
10:40 < |Mike|> Getterac7: define 'high' ?
10:41 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
10:42 < Getterac7> |Mike|: i just want to know if data would transfer through the server or if it would transfer directly peer to peer.
10:42 < |Mike|> client to client you refering to?
10:42 < Getterac7> |Mike|: yes, client to client.
10:44 < |Mike|> you can configure that :)
10:44 < Getterac7> |Mike|: any articles you could link me to that show that configuration?
10:45 < |Mike|> !client-to-client
10:45 < vpnHelper> |Mike|: "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
10:45 < vpnHelper> |Mike|: other clients
10:45 < |Mike|> there ya go
10:47 < Getterac7> ah, thanks!
10:48 -!- rob0_ [~rob0@216.23.247.75] has joined ##openvpn
10:52 -!- karamorf [~no@216.230.246.4] has joined ##openvpn
10:53 < |Mike|> np
10:55 -!- Getterac7 [~wally@user-12l35v4.cable.mindspring.com] has left ##openvpn []
10:55 < karamorf> Anyone have a good tutorial for setting up OpenVPN on a gateway? every tutorial seems to expect the host to be behind a router or its from 2004, I'd rather not bring down my internet again see as I'm trying to set this up remotely. I'm using shorewall for the firewall if that helps.
10:55 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined ##openvpn
10:55 < |Mike|> !def1
10:55 < vpnHelper> |Mike|: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
10:55 < |Mike|> karamorf: ^
10:55 < rob0_> um, why def1?
10:56 < |Mike|> !redirect-gateway
10:56 < vpnHelper> |Mike|: Error: "redirect-gateway" is not a valid command.
10:56 < |Mike|> (not sure if that works)
10:56 < rob0_> I don't see how it's relevant.
10:56 < |Mike|> oh, on a gateway, misread that.
10:57 < |Mike|> eeee!howto
10:57 < |Mike|> !howto
10:57 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:59 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
10:59 -!- java [~java@41.230.116.241] has joined ##openvpn
10:59 < java> hello
10:59 < rob0_> You'd have to ask a more specific question to indicate what you were having problems with. There's nothing special about running on a gateway, except that routing is easier.
11:00 < java> I am using openvpn with a voip switch
11:00 < java> which is asterisk
11:01 < |Mike|> and you have terrible lag ? :p
11:01 < java> The call is established, RTP is transmitted for a while and then stops
11:02 < java> Has anyone had this problem or can help me
11:02 < java> thank you
11:02 < rob0_> are you watching this in the management console when RTP stops?
11:03 < java> yes
11:04 < java> with wireshark
11:04 < java> also the CLI of asterisk shows the RTP stops
11:05 < rob0_> *openvpn* management console
11:06 < java> no
11:06 < java> I see only the log of openvpn
11:07 < java> how can I access the management console of openvpn?
11:09 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 246 seconds]
11:09 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined ##openvpn
11:11 -!- steak__ [~alex@fire.perspectix.com] has left ##openvpn ["Leaving"]
11:12 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit [Quit: Leaving]
11:15 < java> rob0_: I have set the management
11:15 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Read error: No route to host]
11:16 < java> rob0_: how can I see the problem?
11:18 < rob0_> I don't know! You might, or you might not. It was just a suggestion for possible troubleshooting assistance. You connect with a simple text TCP client like nc(1) or telnet(1), enable the real-time logs with appropriate verbosity, and watch.
11:19 < rob0_> If it doesn't help, I'll refund triple what you paid for the advice.
11:21 < java> rob0_: you mean paid assistance
11:21 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:23 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
11:55 -!- dazo is now known as dazo_afk
12:03 -!- dazo_afk is now known as dazo
12:10 -!- Serajewe1KS is now known as SerajewelKS
12:10 < SerajewelKS> zamba: pong
12:15 -!- dazo is now known as dazo_afk
12:16 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
12:17 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has quit [Ping timeout: 246 seconds]
12:20 -!- dazo_afk is now known as dazo
12:32 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
12:54 -!- bigpresh [~bigpresh@freenode/sponsor/bigpresh] has joined ##openvpn
12:55 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
12:56 < bigpresh> For Windows compatibility, must the server end of the VPN connection end up with a different IP each time? 
12:56 < bigpresh> I had a setup using the client-config-dir to give each client a static IP, and the same IP for the server (e.g. 10.1.20.1), and that worked fine with a few Linux machines
12:56 < bigpresh> However, when trying to connect from a Windows client, it couldn't do it, and I found out that each client needed a seperate /30
12:57 < bigpresh> (So the first client  could have 1. and .2 for client & server, the second could be .5 and .6, etc)
12:57 < bigpresh> However, I'd much rather each client know the server as 10.1.20.1...
13:00 < bigpresh> ... OK.  After commenting out the client-config-dir setting and allowing OpenVPN to assign an IP from the pool for me, it seems that, although the client got .6 and sees the server as .5, it can still talk to the server as .1
13:00 < bigpresh> Problem solved, then, I guess :)
13:02 < rob0_> !/30
13:02 < vpnHelper> rob0_: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
13:03 < rob0_> Right, the client's peer IP is purely makebelieve.
13:03 < rob0_> The real server IP is .1
13:04 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
13:08 -!- dazo is now known as dazo_afk
13:09 < bigpresh> rob0_: Ahhhh, right.  Thank you :)
13:18 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
13:27 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
13:30 -!- disappearedng_ [~disappear@unaffiliated/disappearedng] has quit [Ping timeout: 252 seconds]
13:39 -!- rob0_ is now known as anti-rob0
13:43 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
13:46 -!- disappearedng_ [~disappear@unaffiliated/disappearedng] has joined ##openvpn
13:55 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
13:58 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
14:01 -!- smerz [~daniel@smerz.demon.nl] has quit [Quit: Ex-Chat]
14:14 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
14:17 -!- disappearedng_ [~disappear@unaffiliated/disappearedng] has quit [Ping timeout: 258 seconds]
14:22 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
14:23 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
14:30 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Quit: Leaving]
14:35 -!- disappearedng_ [~disappear@unaffiliated/disappearedng] has joined ##openvpn
14:36 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:39 -!- anti-rob0 is now known as rob0
14:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
14:46 -!- rob0 [~rob0@216.23.247.75] has quit [Ping timeout: 245 seconds]
14:46 -!- rob0 [~rob0@tuxaloosa.org] has joined ##openvpn
14:54 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 258 seconds]
14:58 -!- Rolybrau [~Rolybrau@183-203.3-85.cust.bluewin.ch] has joined ##openvpn
14:58 -!- Rolybrau [~Rolybrau@183-203.3-85.cust.bluewin.ch] has quit [Changing host]
14:58 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:03 -!- alpha_ [~mosbah.ab@41.224.140.45] has joined ##openvpn
15:03 < alpha_> hello all
15:04 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
15:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:10 -!- DarthGandalf|BNC is now known as DarthGandalf
15:41 -!- alpha_ [~mosbah.ab@41.224.140.45] has quit [Ping timeout: 252 seconds]
15:41 -!- alpha_ [~mosbah.ab@74.115.1.52] has joined ##openvpn
15:44 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 258 seconds]
15:44 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has joined ##openvpn
15:45 -!- disappearedng__ [~disappear@125.34.48.61] has joined ##openvpn
15:48 -!- disappearedng_ [~disappear@unaffiliated/disappearedng] has quit [Ping timeout: 240 seconds]
15:51 -!- alpha_ [~mosbah.ab@74.115.1.52] has quit [Ping timeout: 268 seconds]
15:54 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
15:57 -!- alpha_ [~mosbah.ab@74.115.1.52] has joined ##openvpn
16:01 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.2/20100316074819]]
16:06 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
16:06 -!- alpha_ [~mosbah.ab@74.115.1.52] has quit [Ping timeout: 252 seconds]
16:07 -!- alpha_ [~mosbah.ab@41.224.140.45] has joined ##openvpn
16:10 -!- disappearedng_ [~disappear@unaffiliated/disappearedng] has joined ##openvpn
16:10 -!- DarthGandalf is now known as DarthGandalf|BNC
16:13 -!- disappearedng__ [~disappear@125.34.48.61] has quit [Ping timeout: 260 seconds]
16:20 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
16:21 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
16:21 -!- DarthGandalf|BNC is now known as DarthGandalf
16:22 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
16:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
16:46 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
16:51 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
16:52 < alpha_> Hello
16:53 < alpha_> I am using openvpn with asterisk ippbx
16:53 < alpha_> I have a problem with the rtp part of the calls
16:54 < krzie> but openvpn only sends stuff based on route, it can not distinguish between type of traffic
16:54 < alpha_> the RTP is not transported between two sip clients
16:54 < krzie> likely firewall issue
16:55 < krzie> or an issue with the RTP coming from VPN ip but expected from LAN ip in your setup
16:56 < alpha_> the rtp works only for 3 or 4 seconds between the asterisk server and the 2 clients and then stops
16:56 < krzie> and you can still ping?
16:56 < krzie> are you using TCP as your transport protocol and also sending TCP over the VPN?
16:57 < alpha_> yes the ping succeeds
16:57 < alpha_> i have tried with tcp and also udp still have the same problem
16:59 < krzie> udp prefered
16:59 < krzie> !tcp
16:59 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
17:00 < krzie> but if the ping succeeds, its either a matter of too much latency over the link for voip or your asterisk setup
17:00 < krzie> btw, unrelated... if you like asterisk you will LOVE freeswitch
17:00 < alpha_> rtp is over udp so it is not tcp over tcp
17:00 < krzie> i have not said that to anyone, had them listen and try it, and then disagree with me
17:01 < krzie> i understand, but there IS a reason voip uses udp
17:02 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
17:02 < alpha_> yes because real time
17:14 < krzie> mercutioviz i get to be tom hanks!
17:15 < krzie> oops wrong chan
17:15 < krzie> woohoo my new alfa wifi adapter came today!
17:15  * krzie does the aircrack dance
17:15 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has quit [Read error: Connection reset by peer]
17:33 < SerajewelKS> aircrack is teh shit
17:34 -!- alpha_ [~mosbah.ab@41.224.140.45] has quit []
17:34 < SerajewelKS> also, so is openvpn
17:34 < krzie> agreed, and agreed
17:35 -!- krzie [~krzee@butters.secure-computing.net] has quit [Changing host]
17:35 -!- krzie [~krzee@unaffiliated/krzee] has joined ##openvpn
17:35 -!- krzie [~krzee@unaffiliated/krzee] has left ##openvpn []
17:35 -!- krzie [~krzee@unaffiliated/krzee] has joined ##openvpn
17:36 < SerajewelKS> can anyone think of a reason why LAN-server-seeking games would not find game servers on the other side of a bridged openvpn setup?
17:37 < SerajewelKS> i have tried with several games, and the game fails to report anything, even though tcpdump on the bridge interface shows the traffic i would expect flowing both ways
17:37 < SerajewelKS> if connecting directly by IP, everything works
17:37 < SerajewelKS> my iptables rules log all denials, and during testing i did not see any denials during the server seek process
17:38 < SerajewelKS> if the same person on the same computer brings his box to my house and plugs into my switch, server seeking works
17:39 < SerajewelKS> i ask because a particular game does not allow connecting to a server by IP, it only supports using broadcasts to find servers.  and we'd like to play that at our own houses.  (that was half the motivation of the VPN in the first place.)
17:40 < krzie> hrm, thats weird to me
17:40 < krzie> if you see the relevant traffic just like you see on lan, it should work afaik
17:40 < SerajewelKS> it's very bizarre
17:40 < SerajewelKS> right, that's what i thought
17:41 < krzie> im no bridging expert my ANY means (i do tun setups) but lan games are a popular reason to use tap bridge, and it seems to work for everyone ive talked to
17:41 < SerajewelKS> the odd part is that after the broadcasts, i see UDP unicast between my box and his, and there is two-way exchange over the bridge (nothing is dropped by iptables)
17:41 < SerajewelKS> which tells me that his box sees my server
17:41 < SerajewelKS> but he reports no game servers in the list
17:41 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
17:41 < SerajewelKS> having him host did not work either, i could not find his server
17:42 < krzie> i wonder if there is a low timeout by the game
17:42 < SerajewelKS> our houses ping about 50ms
17:42 < krzie> but on lan like the game expects ping at like <1ms
17:42 < krzie> im not saying thats the reason of course
17:42 < SerajewelKS> perhaps, but that seems like a stretch
17:42 < krzie> its just all i think of
17:42 < krzie> i agree, sounds weird
17:43 < SerajewelKS> right.  i'm wondering if perhaps it only accepts responses from servers on the "primary" interface.
17:43 < SerajewelKS> even though i see banter between the two boxes
17:43 < SerajewelKS> the odd thing is we've tried two games already and neither work.  though i know why the other worked.
17:43 < krzie> if thats the case the programmers suck
17:43 < krzie> cause they should be concerned with what interface traffic goes out from
17:43 < krzie> thats not the job of the application layer
17:43 < SerajewelKS> (it was sending broadcasts on my LAN. 192.168.3.0/24 using a source IP of his primary interface 192.168.1.0/24)
17:44 < SerajewelKS> my iptables rules were dropping those, as they should
17:44 < SerajewelKS> so in that case it was a retard programmer.  (actually it was directplay, so... same reason.)
17:45 < krzie> does it only use broadcasts and UDP?
17:45 < krzie> not other layer2 traffic?
17:45 < krzie> if so, you could always give it a shot with tun and bcrelay
17:45 < krzie> !bcrelay
17:45 < vpnHelper> krzie: Error: "bcrelay" is not a valid command.
17:45 < krzie> grr
17:45 < krzie> !factoids search bcrelay
17:45 < vpnHelper> krzie: No keys matched that query.
17:45 < krzie> weird
17:46 < SerajewelKS> i know what bcrelay is :)
17:46 < krzie> reiffert what was the info on bcrelay? i coulda sworn i made a factoid for it
17:46 < krzie> cool, i still want !bcrelay there for future helping ;]
17:46 < krzie> its in the pptp source tree or something iirc
17:46 < SerajewelKS> honestly though, if it's not working with tap i don't see how bcrelay and tun is going to be any different.  sounds even more limited.
17:46 < SerajewelKS> the tap should be able to send other layer2 traffic anyway, i'm not filtering on anything but IP
17:47 < SerajewelKS> ebtables is ACCEPT all
17:47 < krzie> i agree, its just that if you are getting all right traffic over the vpn when you sniff, all i can think is to try other ways
17:47 < krzie> but ya, thats a weird problem
17:48 < SerajewelKS> the only thing i can really conclude is that the game is broken
17:48 < SerajewelKS> i'll have to try a bunch of other games, see which work
17:48 < SerajewelKS> other broadcast-type things like nmb work just fine -- the network view on 'doze shows the computers on the other side of the VPN
17:48 < krzie> if you find that its not just the game, ild be interested in hearing the solution
17:48 < SerajewelKS> (though i block smb connections on the bridge)
17:49 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Quit: No Ping reply in 180 seconds.]
17:49 -!- PeterFA [~Peter@2002:1871:8ebb:1234:21a:73ff:fe3b:d510] has joined ##openvpn
17:49 -!- PeterFA [~Peter@2002:1871:8ebb:1234:21a:73ff:fe3b:d510] has quit [Changing host]
17:49 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
17:49 < krzie> (or the problem that makes it not doable if thats the case)
17:49 < SerajewelKS> (and yes, client-to-client is off too, so even client-to-client smb gets filtered out)
17:49 < SerajewelKS> yeah i'll definitely let you guys know what i find
17:49 < SerajewelKS> i still can't believe that one game was sending broadcasts with the wrong source IP
17:49 < SerajewelKS> the dest wasn't even 255.255.255.255
17:50 < krzie> nice, not too many people come here already realizing that c2c is about filtering and not about allowing =]
17:50 < SerajewelKS> it was sending from 192.168.1.x to 192.168.3.255
17:50 < krzie> ohhh, lol
17:50 < SerajewelKS> you mean not using c2c is about filtering?
17:50 < krzie> well ya
17:50 < SerajewelKS> right
17:50 < krzie> using it bypasses filtering, not allows it
17:50 < krzie> !c2c
17:50 < vpnHelper> krzie: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
17:50 < vpnHelper> krzie: behind other clients
17:50 < SerajewelKS> i mean what else does pushing it up to the kernel do?  heh
17:51 < krzie> yup, you're 100% right ;]
17:51 < SerajewelKS> the kernel will just turn around and shove it back into openvpn
17:51 < SerajewelKS> if you'd like i can pastebin my iptables
17:51 < SerajewelKS> just for kicks
17:51 < krzie> im more a bsd guy, and you did the ground work (tcpdump/wireshark) to prove thats not your issue
17:52 < SerajewelKS> sure, but i'm just curious if there's anything else i could be doing with the tables
17:52 < krzie> might as well paste them, theres plenty of linux guys in here
17:52 < SerajewelKS> http://pastebin.ca/1851931
17:53 < SerajewelKS> nothing is censored, all the subnets are private blocks anyway
17:54 < SerajewelKS> the UPnP DROP is mainly to prevent those from getting logged, since my wife's vista laptop likes sending those out a lot
17:54 < SerajewelKS> the idea is that all traffic going into the bridge or coming out of the bridge (even traffic between clients) goes to over-vpn-bridge
17:55 < SerajewelKS> that's where i apply the blunt hammer to all traffic i don't want
17:55 < SerajewelKS> brb
18:00 < SerajewelKS> well i gotta run now, laters
18:08 < krzie> gl
18:08 -!- DrPepper [~DrPepper@78.141.146.227] has quit [Ping timeout: 260 seconds]
18:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
18:25 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Quit: No Ping reply in 180 seconds.]
18:25 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
18:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
18:29 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
18:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
18:46 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
18:48 -!- karamorf [~no@216.230.246.4] has quit []
19:09 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
19:24 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
--- Log closed Wed Mar 24 19:28:49 2010
--- Log opened Wed Mar 24 19:29:23 2010
19:29 -!- Irssi: Join to ##openvpn was synced in 33 secs
19:31 -!- ecrist [ecrist@pdpc/supporter/professional/ecrist] has quit [Ping timeout: 246 seconds]
19:31 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Ping timeout: 246 seconds]
19:31 -!- sno [~sno@static.153.209.46.78.clients.your-server.de] has quit [Ping timeout: 246 seconds]
19:31 -!- balboah [~johnny@joonix.se] has quit [Ping timeout: 246 seconds]
19:31 -!- diffen3 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 246 seconds]
19:31 -!- uchimata [~uchimata@HSI-KBW-095-208-192-010.hsi5.kabel-badenwuerttemberg.de] has quit [Ping timeout: 246 seconds]
19:31 -!- jetole [~Joe@irc.fossl.net] has quit [Ping timeout: 246 seconds]
19:31 -!- reiffert [~thomas@mail.webersheim.de] has quit [Ping timeout: 246 seconds]
19:31 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has quit [Ping timeout: 246 seconds]
19:31 -!- Gabe_G23 [~gabe@bzflag/player/GabrielG] has quit [Ping timeout: 246 seconds]
19:31 -!- meepmeep [meepmeep@212.24.104.229] has quit [Ping timeout: 246 seconds]
19:32 -!- Netsplit *.net <-> *.split quits: havoc, Morgan_Phoenix, AntoineBk, atlantic, takamichi, nb, MadTBone, krzie, stein0, julius,  (+77 more, use /NETSPLIT to show all of them)
19:32 -!- meepmeep_ [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
19:32 -!- Netsplit over, joins: dazo_afk, jpalmer, theneb, disco-, zamba, dotCOMmie, Zordrak, stein0, Cap_J_L_Picard, LeRrA (+57 more)
19:32 -!- sno [~sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn
19:32 -!- diffen3 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
19:32 -!- uchimata_ [~uchimata@HSI-KBW-095-208-192-010.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
19:32 -!- Netsplit over, joins: vpnHelper, cron2, krzie, le0, java, master_of_master, sigius, Visual`_, MadTBone, barbie_ (+10 more)
19:33 -!- reiffert [~thomas@mail.webersheim.de] has joined ##openvpn
19:33 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined ##openvpn
19:33 -!- jetole [~Joe@irc.fossl.net] has joined ##openvpn
19:33 -!- Gabe_G23 [~gabe@s66-76-118-56.eldocmta01.eldoar.lr.sta.suddenlink.net] has joined ##openvpn
19:33 -!- RichiH [~richih@freenode/staff/richih] has quit [Read error: Connection reset by peer]
19:33 -!- RichiH [~richih@freenode/staff/richih] has joined ##openvpn
19:36 -!- balboah [~johnny@joonix.se] has joined ##openvpn
19:41 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
19:56 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
20:03 -!- oc80z [oc80z@blea.ch] has joined ##openvpn
20:11 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:49 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Remote host closed the connection]
20:57 -!- takamichi [~pri@213.163.66.192] has quit [Read error: Connection reset by peer]
20:57 -!- takamichi [~pri@213.163.66.192] has joined ##openvpn
21:04 -!- Netsplit *.net <-> *.split quits: havoc, Morgan_Phoenix, AntoineBk, atlantic, takamichi, nb, MadTBone, krzie, stein0, julius,  (+85 more, use /NETSPLIT to show all of them)
21:06 -!- Netsplit over, joins: dazo_afk, jpalmer, vpnHelper, cron2, Gabe_G23, takamichi, tjz, oc80z, balboah, RichiH (+84 more)
22:07 -!- gimpy530 [~white@c-67-163-185-220.hsd1.pa.comcast.net] has left ##openvpn []
22:35 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
22:44 -!- disappearedng_ [~disappear@unaffiliated/disappearedng] has quit [Ping timeout: 268 seconds]
23:05 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Read error: Operation timed out]
23:11 -!- cjae [~quassel@142-165-27-241.estv.hsdb.sasknet.sk.ca] has joined ##openvpn
23:23 -!- ryanrhee90 [~Adium@rrcs-71-42-217-13.sw.biz.rr.com] has joined ##openvpn
23:23 -!- ryanrhee90 [~Adium@rrcs-71-42-217-13.sw.biz.rr.com] has left ##openvpn []
23:26 -!- ryanrhee90 [~Adium@rrcs-71-42-217-13.sw.biz.rr.com] has joined ##openvpn
23:26 < ryanrhee90> hi guys. i can't get strongswan//openswan to help me. fml. just want to say that openvpn rocks. as soon as I can jailbreak my iPhone i'm ditching this L2TP/IPsec shit. :)
23:31 -!- ryanrhee90 [~Adium@rrcs-71-42-217-13.sw.biz.rr.com] has left ##openvpn []
23:34 -!- cjae [~quassel@142-165-27-241.estv.hsdb.sasknet.sk.ca] has quit [Ping timeout: 276 seconds]
23:39 -!- ryanrhee90 [~Adium@rrcs-71-42-217-13.sw.biz.rr.com] has joined ##openvpn
23:40 < ryanrhee90> quick question: with a tunneled openvpn, layer 2 traffic and layer 3 multicast will both be passed, right?
23:57 -!- takamichi [~pri@213.163.66.192] has quit [Ping timeout: 264 seconds]
23:57 -!- takamichi [~pri@213.163.66.192] has joined ##openvpn
23:59 < tjz> this is not a openswarn channel
--- Day changed Thu Mar 25 2010
00:01 < ryanrhee90> quick question: with a tunneled openvpn, layer 2 traffic and layer 3 multicast will both be passed, right? <— it says openvpn
00:18 -!- java [~java@41.230.116.241] has quit [Ping timeout: 245 seconds]
00:24 -!- ryanrhee90 [~Adium@rrcs-71-42-217-13.sw.biz.rr.com] has quit [Ping timeout: 264 seconds]
00:38 < jnss> Are there situations where OpenVPN is prefferd to Ipsec type protocols
00:45 -!- Netsplit *.net <-> *.split quits: hyper_ch, Sorcier_FXK, ^scott^, freaky[t]
00:48 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
00:49 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 248 seconds]
00:52 -!- Netsplit over, joins: Sorcier_FXK, freaky[t], hyper_ch, ^scott^
01:33 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has joined ##openvpn
01:45 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 276 seconds]
01:45 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
01:53 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
02:15 -!- DrPepper [~DrPepper@88.207.142.4] has joined ##openvpn
02:20 -!- DrPepper [~DrPepper@88.207.142.4] has quit [Client Quit]
02:26 < krzee> jnss, to me, yes
02:26 < krzee> i trust openssl more than ipsec encryption
02:35 < |Mike|> orly
02:35 < krzee> orly
02:35 < |Mike|> damn i'm tired
02:36 < krzee> also, openvpn operates on udp or tcp, so it can be set to any port
02:36 < krzee> meaning you can run multiple configurations on a single server
02:36 < krzee> whereas ipsec is its own protocol
02:40 < krzee> also, you can only have 1 ipsec connection through your home router unless it supports NAT-T
02:41 < krzee> which would very very much not work for me
02:41 < krzee> at any given time i could be on many openvpn networks
02:42 < krzee> and i make a regular habit of being on more than 1
02:43 < |Mike|> same here
02:43 < |Mike|> but ehm, ubuntu's network manager sucks ass imho
02:44 < reiffert> !ubuntu
02:44 < vpnHelper> reiffert: "ubuntu" is dont use network manager!
02:53 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:53 -!- mode/##openvpn [+o mattock] by ChanServ
02:56 < jnss> krzee, meaning ipsec can be blocked on a router
02:56 < jnss> as it  is just one protocol
02:56 < jnss> ssl is a lot more
02:56 < jnss> shame it has to be such a pain to configure sometimes!
03:04 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
03:21 -!- DrPepper [~DrPepper@88.207.142.4] has joined ##openvpn
03:37 -!- sanderj [~sanderj@195.204.103.72] has joined ##openvpn
03:38 < sanderj> Hi. Do anyone know if it works to create a cert request in 2048 bit.. and get back a 256 bit encrypted cert from the CA?
03:39 < sanderj> ..Or does the request also have to be 2048 bit?
03:39 < sanderj> *256*
03:43 -!- DarthGandalf is now known as DarthGandalf|BNC
03:55 -!- dazo_afk is now known as dazo
03:56 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
04:07 -!- Err404NotFound [~Error404N@unaffiliated/error404notfound] has joined ##openvpn
04:08 -!- Err404NotFound is now known as Error404NotFound
04:10 -!- master_of_master [~master_of@p57B56A3A.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
04:13 -!- master_of_master [~master_of@p57B54334.dip.t-dialin.net] has joined ##openvpn
04:13 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has joined ##openvpn
04:14 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has left ##openvpn []
04:30 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
04:40 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
04:43 -!- diffen3 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
04:48 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Ping timeout: 265 seconds]
04:50 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has joined ##openvpn
04:54 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
05:02 -!- cron2 [~gert@kirk.greenie.muc.de] has quit [Ping timeout: 245 seconds]
05:02 -!- cron2 [~gert@kirk.greenie.muc.de] has joined ##openvpn
05:07 -!- sanderj is now known as Snadder
05:13 -!- DarthGandalf|BNC is now known as DarthGandalf
05:24 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:25 -!- mattock [~samuli@sparkgw.utu.fi] has joined ##openvpn
05:25 -!- mode/##openvpn [+o mattock] by ChanServ
05:29 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:31 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
06:04 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
06:07 -!- mattock [~samuli@sparkgw.utu.fi] has quit [Quit: Leaving.]
06:09 -!- takamichi [~pri@213.163.66.192] has quit [Read error: Connection reset by peer]
06:09 -!- takamichi [~pri@213.163.66.192] has joined ##openvpn
06:09 -!- ycas [~yann@84.114.50.173] has joined ##openvpn
06:09 < ycas> !welcome
06:09 < vpnHelper> ycas: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:10 < ycas> !route
06:10 < vpnHelper> ycas: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
06:15 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:42 -!- You're now known as ecrist
06:54 -!- barbie__ [~barbie@109.65.184.140] has joined ##openvpn
06:55 -!- barbie_ [~barbie@bzq-109-65-184-140.red.bezeqint.net] has quit [Read error: Connection reset by peer]
06:56 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X Button]
07:00 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
07:09 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
07:21 -!- jkd4 [debian-tor@gateway/tor-sasl/jkd4] has joined ##openvpn
07:22 < jkd4> what does "script security 2" do and do you have to put "--" in front of it to work? could anyone please tell me?
07:23 < Bushmills> on command line, you need --  , when put into config file, you don't
07:23 < jkd4> ok, thanks
07:23 < Bushmills> for what script security is required for, look at --up and --down  
07:23 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
07:24 < jkd4> Bushmills: how about this:
07:24 < jkd4> user nobody
07:24 < jkd4> group nobody
07:25 < jkd4> do you have to put "--" before that in the config file?
07:25 < jkd4> because it is giving me an error
07:25 < Bushmills> you never put the "--" into config files
07:25 -!- ycas [~yann@84.114.50.173] has quit [Ping timeout: 258 seconds]
07:25 < Bushmills> you alway put them when specifying options on command line
07:25 < jkd4> how do I get those commands to work
07:25 < jkd4> ok thanks
07:26 < jkd4> but how do I get those commands to work
07:26 -!- Snadder [~sanderj@195.204.103.72] has quit [Read error: Operation timed out]
07:26 < Bushmills> apart from configuring?
07:27 -!- sanderj [~sanderj@195.204.103.72] has joined ##openvpn
07:27 < jkd4> I don't know what you mean Bushmills. I was just told to put those commands in my .ovpn file to increase security.
07:28 < Bushmills> if you don't need them, don't specify them. you use them to reduce security, by giving additional privileges to openvpn regarding execution of external scripts 
07:29 < jkd4> Bushmills: when you said "config file" you did mean .ovpn, didn't you?
07:30 < Bushmills> mine isn't an .ovpn file, therefore i mean "config file", and not ".ovpn" exclusively.
07:30 -!- ycas [~yann@84.114.50.173] has joined ##openvpn
07:30 < Bushmills> mine ends in .conf 
07:32 < jkd4> Bushmills: but it /could/ be a .ovpn file, correct?
07:32 < jkd4> sorry I'm not good at this
07:33 < jkd4> Bushmills: I understand that but do the same rules apply when adding commands to ovpn files?
07:33 < Bushmills> yes, it could be one. that's a matter of how you name it
07:34 < Bushmills> you could name your car  "Pete" but I'd still continue to refer to cars as "car" instead of "Petes"
07:34 < jkd4> Bushmills: are there ever occasions when you would use "--" before a command in a .ovpn file?
07:36 < Bushmills> before an option?  the only situation i could think of when i'd use -- in a config file is when i wanted to confuse somebody by providing a non-working configuration file
07:37 < jkd4> lol
07:45 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
07:48 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
07:52 -!- balboah [~johnny@joonix.se] has quit [Remote host closed the connection]
07:59 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
08:09 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
08:11 -!- uchimata_ is now known as uchimata
08:17 -!- derjohn_mob [~aj@139.12.1.252] has joined ##openvpn
08:41 < ecrist> jkd4: .conf or .ovpn, it doesn't matter, really
08:42 < ecrist> I think the windows gui looks for .ovpn files, though
08:42 -!- cpm_ [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:54 < jkd4> thanks ecrist :)
08:55 < ecrist> no problem, jkd4 
08:56 < ecrist> if it helps, I disribute .ovpn files to my users.
08:56 < ecrist> 90% of them use windows, so it 'just works'
08:56 < ecrist> the other 10% use linux or mac and they know what to do to get it working
08:58 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
08:58 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
09:00 -!- jkd4 [debian-tor@gateway/tor-sasl/jkd4] has quit [Quit: Lost terminal]
09:05 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has quit [Ping timeout: 276 seconds]
09:07 -!- mischief [~mischief@unaffiliated/mischief] has joined ##openvpn
09:08 < mischief> i want to do bridging... to have VPN client use the DHCP server already on my network i just set 'server-bridge' correct?
09:09 < krzee> believe so
09:09 < mischief> clients* :|
09:09 < havoc> krzee: morning
09:09 < mischief> i guess there's one way to find out eh
09:09 < krzee> [08:36]  <Bushmills> before an option?  the only situation i could think of when i'd use -- in a config file is when i wanted to confuse somebody by providing a non-working configuration file
09:09 < krzee> hahahahah
09:10 < krzee> mornin havoc 
09:10 < krzee> !--
09:10 < vpnHelper> krzee: "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix can be removed when an option is placed in a configuration file.
09:10 < krzee> (just pointing out it is on the bot)
09:11 < havoc> krzee: I got that point to point stuff working
09:11 < havoc> but both TAP and TUN have advantages and disadvantages in that case
09:11 < krzee> ive had a crazy real life the last week, can i get more of a refresher?
09:12 < havoc> krzee: http://www.havoc.org/tmp/proxy_arp.vpn.thing.for.rob.png
09:12 < havoc> it's using TUN right now
09:12 < krzee> ahhhh righhhht
09:13 < havoc> TUN makes routing *easier* (but not perfect)
09:13 < krzee> handing over the public ips using ovpn
09:13 < havoc> TAP requires some ARP magic
09:13 < havoc> krzee: yup
09:13  * krzee smells a good wiki article
09:13 < havoc> also TUN doesn't notify server on client disconnect, have to do some ping script to restart ovpnd
09:14 < krzee> actually that smell might be me, brb shower
09:18  * ecrist switched to tap on his corporate vpn
09:19 < havoc> I usually use TAP
09:21  * krzee gives ecrist his tunortap lecture
09:21 < krzee> ;]
09:21  * ecrist feeds krzee his dick
09:22 < krzee> lol
09:27 < havoc> my TUN setup is probably a bib non-standard though
09:28 < krzee> like a lil appetizer 
09:28 < havoc> it's the same as my TAP, but w/ diff --dev, --ifocnfig, and --tls-auth commented out
09:29 < havoc> I suppose I could have some logic in there to key of --dev to decide what to enable or not and use the same config for everything
09:47 -!- DrPepper [~DrPepper@88.207.142.4] has quit [Quit: Leaving...]
09:55 -!- ycas [~yann@84.114.50.173] has quit [Quit: leaving]
10:03 -!- dug` [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
10:04 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:06 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Ping timeout: 276 seconds]
10:19 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:24 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
10:30 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:32 -!- DrPepper [~DrPepper@88.207.142.4] has joined ##openvpn
10:38 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
10:48 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
10:49 -!- cpm_ [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm_]
10:53 -!- barbie__ [~barbie@109.65.184.140] has quit [Read error: Connection reset by peer]
10:54 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
11:11 -!- Kas [~Kasx@173.192.223.187-static.reverse.softlayer.com] has joined ##openvpn
11:17 -!- kyrix [~ashley@178.114.4.29.wireless.dyn.drei.com] has joined ##openvpn
11:21 -!- SkyX [~SkyB0x@212.235.177.25] has joined ##openvpn
11:24 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
11:50 -!- dazo is now known as dazo_afk
11:51 -!- Blues-Man [~bluesman@host102-117-dynamic.27-79-r.retail.telecomitalia.it] has joined ##openvpn
11:53 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has joined ##openvpn
11:57 -!- jww is now known as Jww
12:00 -!- derjohn_mob [~aj@139.12.1.252] has quit [Ping timeout: 246 seconds]
12:08 -!- TSM [~the_softw@fw-lon1.wenn.com] has joined ##openvpn
12:09 < TSM> which room is for openvpn-als?
12:09 -!- DrPepper [~DrPepper@88.207.142.4] has quit [Quit: Leaving...]
12:14 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
12:14 -!- mode/##openvpn [+o mattock] by ChanServ
12:17 -!- ChUbB [~IceChat7@cpc2-aztw12-0-0-cust229.aztw.cable.virginmedia.com] has joined ##openvpn
12:19 < ChUbB> HI, I have a openvpn server running for gaming (TAP) we have to use IP address to connect broadcasts dont seem to be working.... anyone having this problems ? do I need to get all the clients to move the TAP device up in the network card list on windows 
12:20 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
12:21 < SerajewelKS> ChUbB: i mave similar issues with *some* games that don't properly broadcast on multiple interfaces
12:22 < SerajewelKS> ChUbB: run tcpdump over the bridge and ensure it's even seeing broadcast traffic
12:22 < SerajewelKS> ChUbB: also, i don't know how you could "move the TAP device up in the network card list on windows"
12:23 < SerajewelKS> ChUbB: if the windows network server list shows people on the other side of the bridge (and if they are not blocking nmb) then you know broadcasts are working
12:25 -!- TSM [~the_softw@fw-lon1.wenn.com] has left ##openvpn []
12:29 < ChUbB> erajewelKS: Cheers for the reply. So what u are saying is just use the windows networks thing to see if the other clients come on the there ? which would of course mean broadcasts are working 
12:32 -!- takamichi [~pri@213.163.66.192] has quit []
12:37 -!- derjohn_mob [~aj@f048244103.adsl.alicedsl.de] has joined ##openvpn
12:41 < SerajewelKS> ChUbB: right, that's a good first diagnostic step
12:42 < SerajewelKS> ChUbB: the only way windows file sharing servers find each other is by broadcast, unless you are on a domain
12:42 < SerajewelKS> ChUbB: the next step would be sniffing on the bridge interface on the vpn central peer
12:42 < SerajewelKS> ChUbB: see what traffic is flowing over the bridge when you attempt to find game servers
12:43 -!- ChUbB [~IceChat7@cpc2-aztw12-0-0-cust229.aztw.cable.virginmedia.com] has quit [Read error: Connection reset by peer]
12:43 -!- takamichi [~pri@213.163.66.192] has joined ##openvpn
12:47 < SerajewelKS> but yeah i experience roughly the same thing, for some reason, and i'm not sure why
12:47 < SerajewelKS> but only on some games, mostly games that use directplay
12:49 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
12:55 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has quit [Ping timeout: 265 seconds]
13:00 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
13:15 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
13:32 -!- Blues-Man [~bluesman@host102-117-dynamic.27-79-r.retail.telecomitalia.it] has quit [Ping timeout: 248 seconds]
13:56 -!- DrPepper [~DrPepper@88.207.142.4] has joined ##openvpn
14:02 < vpnHelper> New forum entry openvpnforum: Configuration :: Re: Obtain user attributes from Radius server :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=6&t=2434&p=4192#p4192>
14:12 -!- DrPepper [~DrPepper@88.207.142.4] has quit [Ping timeout: 260 seconds]
14:23 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
14:37 -!- DarthGandalf is now known as DarthGandalf|BNC
14:40 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:56 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has joined ##openvpn
15:06 -!- DrPepper [~DrPepper@88.207.142.4] has joined ##openvpn
15:12 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
15:13 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has joined ##openvpn
15:16 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 258 seconds]
15:22 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
15:29 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
15:29 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
15:30 -!- le0 [~tehle0@unaffiliated/le0] has quit [Client Quit]
15:31 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
15:31 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:37 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has left ##openvpn []
15:37 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined ##openvpn
15:42 -!- DrPepper [~DrPepper@88.207.142.4] has quit [Quit: Leaving...]
15:46 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.2/20100316074819]]
15:47 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has quit [Ping timeout: 265 seconds]
15:49 -!- SkyX [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
16:06 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 260 seconds]
16:08 -!- Irssi: ##openvpn: Total of 102 nicks [0 ops, 0 halfops, 1 voices, 101 normal]
16:13 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 264 seconds]
16:59 -!- ChrisandRon [~quassel@142-165-27-241.estv.hsdb.sasknet.sk.ca] has joined ##openvpn
17:10 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:10 -!- ChrisandRon [~quassel@142-165-27-241.estv.hsdb.sasknet.sk.ca] has quit [Ping timeout: 260 seconds]
17:11 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
17:17 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Read error: Connection reset by peer]
17:23 -!- ChrisandRon [~quassel@142-165-27-241.estv.hsdb.sasknet.sk.ca] has joined ##openvpn
17:29 -!- reiffert [~thomas@mail.webersheim.de] has quit [Quit: leaving]
17:33 -!- kyrix [~ashley@178.114.4.29.wireless.dyn.drei.com] has quit [Quit: Leaving]
17:34 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
17:58 -!- ChrisandRon [~quassel@142-165-27-241.estv.hsdb.sasknet.sk.ca] has quit [Remote host closed the connection]
18:22 -!- Gabe_G23 [~gabe@s66-76-118-56.eldocmta01.eldoar.lr.sta.suddenlink.net] has quit [Ping timeout: 252 seconds]
18:24 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Ping timeout: 248 seconds]
18:38 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
19:29 -!- vhann [~vhann@vl102-res-out.collegeahuntsic.qc.ca] has joined ##openvpn
19:38 -!- troy- [8c15d130cf@bgp4.us] has joined ##openvpn
19:39 < troy-> what would be some potential causes of poor throughput?
19:39 < troy-> both systems are on 100Mb/s internet connections
19:44 -!- Colloguy [~flx@64.134.19.223] has joined ##openvpn
19:56 < Bushmills> dry, ungreased cables?
20:01 < havoc> low blinker-fluid
20:07 < vhann> Alright, my 2 tun endpoints can ping both of their peer's VPN and local IP, client1 can ping VPN1's VPN IP but not VPN2's VPN IP, is this normal?!
20:07 < vhann> client1: http://pastebin.com/3nUB9KDf VPN1: http://pastebin.com/ULSg62qY VPN2: 
20:07 < vhann> http://pastebin.com/zdStWR0q
20:27 -!- Gabe_G23 [~gabe@bzflag/player/GabrielG] has joined ##openvpn
20:33 -!- tjz [~pc@bb116-14-145-84.singnet.com.sg] has joined ##openvpn
20:33 -!- tjz [~pc@bb116-14-145-84.singnet.com.sg] has quit [Changing host]
20:33 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:37 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Quit: Leaving.]
20:43 < krzee> [21:07]  <vhann> Alright, my 2 tun endpoints can ping both of their peer's VPN and local IP, client1 can ping VPN1's VPN IP but not VPN2's VPN IP, is this normal?!
20:43 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Operation timed out]
20:43 < krzee> you mean LAN IPs at the end part?
20:43 < krzee> cause you said each peer can ping eachothers VPN ip
20:44 < krzee> if so, you could be missing ip forwarding on VPN2, or the route on its default gateway
20:44 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
20:44 < krzee> assuming they are peers, if its client server and VPN2 is a client, you could be missing an iroute entry for the client in the servers ccd
20:44 < krzee> im not speaking very clearly, just got home from jui jitsu
20:45 < krzee> if you dont know what i mean by route on default router, see "ROUTES TO ADD OUTSIDE OPENVPN" here:
20:45 < krzee> !route
20:45 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:49 < ecrist> sup
20:51 -!- Colloguy [~flx@64.134.19.223] has quit [Ping timeout: 246 seconds]
20:51 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
20:52 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
21:08 < vhann> krzee: (sorry for the delay) I'm pretty sure my routing tables are ok
21:08 < vhann> I've posted the 'ifconfig' and 'route -n' outputs of the 3 machines
21:09 < vhann> (on pastebin)
21:11 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
21:14 < rob0> Personally, I prefer a single pastebin. Not that I'd pick the whole thing over carefully, but if something looks wrong, it's all there to be able to check easily.
21:15 < rob0> Furthermore, the reply did not answer krzee's questions. Which of the multiple pastes does?
21:19 < vhann> rob0: Well, VPN1 can ping the tun IP and the ethernet LAN IP of VPN2 and conversely
21:19 < vhann> That's what I meant
21:20 < vhann> rob0: Plus, I separated it all because I thought it would be easier to not mix things together, but if you prefer 1 pastebin, I don't have a problem with tha
21:20 < vhann> s/tha/that
21:43 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
21:45 -!- derjohn_foo [~aj@g228197206.adsl.alicedsl.de] has joined ##openvpn
21:48 -!- derjohn_mob [~aj@f048244103.adsl.alicedsl.de] has quit [Ping timeout: 252 seconds]
22:33 -!- karamorf [~no@216.127.52.126] has joined ##openvpn
22:34 < karamorf> I'm confused about setting up a windows client ... in the readme it says put the config/cert in \Program Files\OpenVPN\config, but that doesn't exist in win7 and there is no config folder under openvpn. Where are they suppose to go?
22:34 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
22:41 -!- karamorf [~no@216.127.52.126] has left ##openvpn []
22:43 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
23:02 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
23:48 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
23:52 -!- WormFood [~wormfood@121.34.202.114] has joined ##openvpn
23:53 < WormFood> I just learned about the openvpn management interface (forgot about it before), and I was wondering if there are tools that already exist for using this feature of openvpn? I tried google, but couldn't find anything.
--- Day changed Fri Mar 26 2010
01:11 < newmember> WormFood: what you need some steps to use openvpn?
01:12 < newmember> WormFood: I use these steps for laptops, http://forum.pfsense.org/index.php/topic,7840.0.html
01:12 < vpnHelper> Title: OpenVPN on pfSense - Installation guide for (Windows) Dummies :-) (road-warrior) (at forum.pfsense.org)
01:12 < WormFood> no, I'm asking about the "openvpn management interface"...to manage the server
01:13 < WormFood> I would expect someone would have made tools publicly available for that, instead of having to write my own tools
01:13 < newmember> oh right
01:13 < WormFood> but perhaps some of my users could use that url :P
01:14 < newmember> I just use webmin on my non-pfsense servers
01:15 < WormFood> I haven't used webmin in a long time 
01:16 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
01:16 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has joined ##openvpn
01:21 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.2/20100316074819]]
01:25 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
01:27 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
01:27 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
02:02 -!- derjohn_foo [~aj@g228197206.adsl.alicedsl.de] has quit [Ping timeout: 252 seconds]
02:23 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:23 -!- mode/##openvpn [+o mattock] by ChanServ
02:33 -!- derjohn_foo [~aj@139.12.1.252] has joined ##openvpn
02:46 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 276 seconds]
02:48 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
02:52 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
02:54 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
02:55 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
03:09 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has joined ##openvpn
03:15 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 240 seconds]
03:15 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
03:17 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
03:59 -!- takamichi [~pri@213.163.66.192] has quit [Ping timeout: 258 seconds]
03:59 -!- takamichi [~pri@74.81.170.4] has joined ##openvpn
03:59 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
04:04 -!- vhann [~vhann@vl102-res-out.collegeahuntsic.qc.ca] has quit [Ping timeout: 246 seconds]
04:12 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 264 seconds]
04:12 -!- master_of_master [~master_of@p57B54334.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
04:12 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Ping timeout: 265 seconds]
04:13 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
04:13 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has joined ##openvpn
04:14 -!- master_of_master [~master_of@p57B542D8.dip.t-dialin.net] has joined ##openvpn
04:20 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Ping timeout: 240 seconds]
04:20 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
04:28 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
04:31 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
04:58 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
05:00 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 264 seconds]
05:04 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
05:17 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
05:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
05:34 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
05:35 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
05:39 -!- kyrix [~ashley@chello084113224094.15.14.vie.surfer.at] has joined ##openvpn
05:41 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 276 seconds]
05:57 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
06:06 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
06:06 -!- mode/##openvpn [+o mattock] by ChanServ
06:16 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
06:17 -!- dazo_afk is now known as dazo
06:18 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
06:37 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
06:39 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
06:52 -!- Visual`_ [~visualsta@ip-80-236-251-222.dsl.scarlet.be] has quit [Ping timeout: 264 seconds]
06:53 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
07:16 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:18 < meepmeep_> hi
07:18 < meepmeep_> I just revoke a cert file ... restart openvpn, but the user could still connect to the vpn :/
07:30 -!- DarthGandalf|BNC is now known as DarthGandalf
07:36 < dazo> meepmeep_: have you configured openvpn server with the new CRL file?
07:38 < krzee> !crl
07:38 < vpnHelper> krzee: "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn)
07:38 < vpnHelper> krzee: that will create the CRL file for you. ssl-admin will also build a crl for you
07:45 < meepmeep_> ok
07:45 < meepmeep_> my bad
07:46 < meepmeep_> stupid crl file which wasn't copied to the correct directory :)
07:46 < meepmeep_> it works great:)
07:46 < meepmeep_> is there a way to "un-revoke" an revoke crt ? 
07:47 -!- mischief [~mischief@unaffiliated/mischief] has quit [Quit: Leaving]
07:51 -!- ease2 [~ease@114.92.151.203] has joined ##openvpn
07:52 < dazo> meepmeep_: nope ... revoked is revoked
07:52 < dazo> meepmeep_: revoke is like killing people ... there's no 'undo' to such actions ... so use it with care ;-)
07:53 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
07:55 < meepmeep_> ok :)
07:55 < meepmeep_> I saw that I could create a new crt with the same common name
07:55 < meepmeep_> so, it isn't a real probleme
07:55 < ecrist> !tcp
07:55 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
07:56 < ecrist> that was for me
07:56 < dazo> ecrist: answering -users ML posts?
07:56  * dazo just responded to two of them now
08:00 -!- DrPepper [~DrPepper@88.207.142.4] has joined ##openvpn
08:00 < ecrist> get off my lawn, dazo.
08:00 < dazo> ecrist: heh ... to late! ;-)
08:01 < insane^> anyone could give me a hint how i can configure the following scenario: i got a dedicated server with a /28 subnet and want to give some of those public static ip adresses to a adsl client with dynamic ips
08:01 < ecrist> insane^: bridged is the best for that
08:01 < insane^> just bridge tap0 and eth0
08:01 < insane^> ?
08:03 < ecrist> yeah, and hand out the ips
08:03 < insane^> sounds much more easier than i thought :)
08:03 < insane^> thanks :) i'll give it a try :)
08:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:10 -!- ease2 [~ease@114.92.151.203] has quit [Quit: Leaving]
08:19 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has quit [Remote host closed the connection]
08:21 -!- jkd4 [debian-tor@gateway/tor-sasl/jkd4] has joined ##openvpn
08:28 < jkd4> I have openvpn set to have ALL traffic routed through it. Why then, does only about 66% of my internet activity go through the tunnel?
08:28 < jkd4> could anyone please help?
08:31 < Jww> jkd4: did you checked your routes ?
08:31 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
08:32 < jkd4> what?
08:32 < jkd4> what does that mean Jww?
08:32 < Jww> umm
08:32 < Jww> which os are you running ?
08:33 < jkd4> Ubuntu
08:33 < Jww> can you run /sbin/route -n from a shell ?
08:33 < jkd4> by shell do you mean terminal?
08:33 < Jww> yes.
08:40 < Jww> meow.
08:41 < jkd4> ok there' don't seem to be any suspicious connections except one that appears to be on my lan. but tun0 is connecting to that :/
08:42 < Jww> what about putting the output on pastebin.ca ?
08:44 < jkd4> Jww: this is the only one that seems suspicious:
08:44 < jkd4> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
08:44 < jkd4> 10.0.32.9       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
08:45 < jkd4> can you read that ok?
08:46 < Jww> that seems ok. trough the full output would give much informations.
08:52 < jkd4> Jww: are you there
08:52 < Jww> I do. I'm looking the pastebin.
08:52 < jkd4> ok
08:52 < Jww> [ my vpn server ] is a public ip ?
08:52 < jkd4> yes
08:54 < Jww> it sound ok to me. how do you check 66% of your internet activity go trough the tunnel ?
08:55 < jkd4> my firewall
08:55 < Jww> oh I may notice something.
08:57 < Jww> umm no.
08:57 < jkd4> ok
08:57 < Jww> the first line seemed unusual because it doesn't have G flag, and have 0.0.0.0 gateway.
08:58 < jkd4> what could that mean?
08:58 < Jww> but but 0.0.0.0 have 10.0.32.9 as GW and G flag.
08:58 < Jww> G flag is 'use gateway'
08:59 < jkd4> 10.0.32.9 is on my lan
08:59 < jkd4> im didn't start any connection to it
08:59 < jkd4> I*
09:01 < jkd4> Jww: what do you think of it?
09:03 < Jww> I'm a bit confused.
09:03 < Jww> routes seems ok, but they should not be .
09:03 < Jww> otherwise you would not have this problem.
09:04 < Jww> we can make a few test, to check what's going on.
09:04 < jkd4> ok
09:04 < Jww> do you have an example of your traffic that doesn't go trough the vpn ?
09:06 < jkd4> no. the firewall shows all connections going through either Tor or my vpn
09:10 < Jww> I'm a bit short on ideas :\
09:11 < jkd4> that's ok. thanks for your help
09:11 < Jww> maybe your could delete all routes, exept one from your computer to the vpn server ip. and one that redirect all to 10.0.32.9  .
09:13 < jkd4> what does that mean?
09:13 < jkd4> what do you mean?
09:14 < jkd4> why would I do that
09:14 < Jww> if you just keep 2 routes, one saying that to reach your vpn server you use eth0, and another that say everything else go trough tun0 . 
09:15 < Jww> this should give you 100% output by the vpn, if not then the problem is not on your ovpn client.
09:16 < jkd4> how do you do that?
09:17 < Jww> route del -[host|net] x.x.x.x 
09:17 < jkd4> ok. how do you do that?
09:17 < Jww> look at genmask to see if it's 255.255.255.255 then it's host,
09:17 < Jww> otherwise it's net.
09:18 < Jww> be aware that it may cut your internet connection :)
09:23 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
09:24 -!- vhann [~vhann@vl102-res-out.collegeahuntsic.qc.ca] has joined ##openvpn
09:25 -!- Sleeper- [~quassel@ip-88-152-88-241.unitymediagroup.de] has joined ##openvpn
09:32 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:44 < vhann> What do I need to do in order for my VPN server (machine) to forward to its VPN peer(via tun0) traffic  coming from eth0 (and meant to reach the other end of the VPN)?
09:46 < vhann> Namely, I want to get the LAN peers of VPN1 to be able to ping the LAN peers of VPN2 (both VPN endpoints are servers i.e.: not the default gateway)?
09:47 < vhann> I've been messing with routing tables for a long while and it won't work though I'm pretty sure it's all ok
09:49 < Bushmills> have you enabled ip forwarding? 
09:50 < Bushmills> (allowing incoming packets to cross over to other interfaces)
09:50 < rob0> Each end of what you would like to route needs to know how to reach the other.
09:51 < rob0> !route
09:51 < vpnHelper> rob0: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:51 < vhann> Bushmills: Ahh, so it's called ip forwarding
09:51 < Bushmills> it still needs a proper route
09:51 < vhann> rob0: Yeah, I'm editing the routing table of the 3
09:52 < vhann> 2 VPN endpoints + 1 client
09:52 < Bushmills> it is just that the route alone won't be enough
09:52 < rob0> right, any intermediate router has to know how (and be willing) to handle the packets
09:52 < Bushmills> !ip_forward
09:52 < vpnHelper> Bushmills: Error: "ip_forward" is not a valid command.
09:52 < rob0> !ipforward
09:52 < vpnHelper> rob0: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
09:52 < Bushmills> !ipforward
09:52 < vpnHelper> Bushmills: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
09:53 < vhann> Bushmills: It's ok, I found it on openvpn.org
09:53 < vhann> *.net
10:01 -!- mah_cfsi [~mah@mail.cfsi.dk] has quit [Quit: Ex-Chat]
10:06 -!- kyrix [~ashley@chello084113224094.15.14.vie.surfer.at] has quit [Ping timeout: 265 seconds]
10:13 < vhann> Thanks a lot Bushmills, you can't believe how much time I tried to debug this (maybe it'll teach to read the manpage more carefully next time ^^)
10:19 -!- Blues-Man [~bluesman@host28-73-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
10:31 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:34 -!- Sleeper-_ [~quassel@ip-88-152-89-20.unitymediagroup.de] has joined ##openvpn
10:34 -!- Sleeper- [~quassel@ip-88-152-88-241.unitymediagroup.de] has quit [Ping timeout: 246 seconds]
10:37 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
10:42 -!- Sleeper-_ [~quassel@ip-88-152-89-20.unitymediagroup.de] has quit [Ping timeout: 260 seconds]
10:43 -!- vhann [~vhann@vl102-res-out.collegeahuntsic.qc.ca] has quit [Quit: leaving]
10:45 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
10:50 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Read error: Operation timed out]
10:58 -!- vhann [~vhann@vl102-res-out.collegeahuntsic.qc.ca] has joined ##openvpn
10:59 < vhann> Hi, I'm trying to automate the activation of ip forwarding, but I can't use the command with '--up' or put the command in a script (which would then be called by --up). Is there a way to do this via the openvpn config file or should I rather edit the "/etc/init.d/" (debian) script?
11:00 < dazo> vhann: you want to enable ip_forward on boot?
11:01 < rob0> You want forwarding activated only while the VPN is up? Is the VPN full-time?
11:01 < vhann> dazo: rob0 The best would be to only activate ip forwarding when the VPN is up
11:02 < vhann> But the VPN will probably be up as long as the 2 hosts are
11:03 < dazo> vhann: I would rather leave ip_forward on constantly ... that's not the security danger.  If somebody manage to crack your box, your network is anyway at risk
11:03 < dazo> vhann: and you can do that via modifying /etc/sysctl.conf
11:04 < vhann> Also, if ip_forward is set, does it mean (provided an empty iptables is in use) that local administration ports could be accessed from other machines?
11:04 < vhann> e.g. 127.0.0.1:431
11:04 < vhann> (or whatever the CUPS port is)
11:05 < dazo> vhann: the FORWARD rule takes care of traffic going in on one interface and out on another one ..... INPUT / OUTPUT chains takes care of what goes in and out to/from local process on that box
11:05 < rob0> 127.0.0.1 is not routable
11:06 < vhann> rob0: Yeah, but if someone was to access my WLAN, they would be on the same subnet
11:06 < dazo> vhann: 127.0.0/8 is only accessible from the local host ... no other places
11:06 < rob0> 127.0.0.1 is not reachable on the same subnet :) ... it ... yes
11:10 < dazo> vhann: the only way you can make 127.0.0.1 ports available on the network is by explicit setup some port natting from another network interface, which sends the traffic to f.ex 127.0.0.1:631 
11:10 < vhann> rob0: Anyway, I'm only asking this from a theorical POV
11:10 < rob0> If you're really worried about it, use firewall rules to take the place of disabled forwarding.
11:11 < vhann> dazo: As I said, couldn't it be possible, theorically, to empty your routing table and redirect 127.0.0.0/8 to some other host
11:12 < rob0> dazo, I'm not sure if that is possible (DNAT to 127.0.0.1). I've tried, don't know how to do it without binding to a different non-loopback IP.
11:13 < dazo> vhann: not a complete subnet ... you can manage per port, using the nat table and PRE/POSTROUTING chains ....
11:13 < dazo> it's an interesting thought, though!
11:16 -!- DrPepper [~DrPepper@88.207.142.4] has quit [Quit: Leaving...]
11:24 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
11:25 -!- Blues-Man [~bluesman@host28-73-dynamic.25-79-r.retail.telecomitalia.it] has quit [Ping timeout: 248 seconds]
11:25 -!- Blues-Man [~bluesman@host28-73-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
11:27 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:28 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:36 -!- jkd4 [debian-tor@gateway/tor-sasl/jkd4] has quit [Quit: Lost terminal]
11:46 -!- Blues-Man [~bluesman@host28-73-dynamic.25-79-r.retail.telecomitalia.it] has quit [Ping timeout: 248 seconds]
11:50 -!- derjohn_foo [~aj@139.12.1.252] has quit [Read error: Operation timed out]
11:54 -!- Blues-Man [~bluesman@host28-73-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
11:55 < SerajewelKS> vhann: it is possible to route 127.0.0.0/8 to other boxen, but then you will find that many services on your box will break
11:56 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
11:56 < SerajewelKS> ah, i see, you meant as an attack
11:58 < SerajewelKS> i would expect that the linux kernel is smart enough to drop all incoming traffic on non-lo interfaces with a dest of 127.0.0.0/8
11:58 < SerajewelKS> otherwise that would be a pretty glaring security hole
11:58 < SerajewelKS> ##networking would probably know
11:58 -!- karam [~no@216.230.246.4] has joined ##openvpn
12:00 < karam> so I'm trying to get an OpenVPN server set up. I think I finally got shorewall / bridge interface set up right (mostly because it at least initially connects) but I'm getting a TLS error. From the 10min or so I looked into that it means a problem communicating with the server properly. The only port I need to open is on the server and its 1194 right? don't need to open anything on the client side?
12:02 -!- Blues-Man [~bluesman@host28-73-dynamic.25-79-r.retail.telecomitalia.it] has quit [Ping timeout: 248 seconds]
12:03 < macsppadic> hello there karam 
12:03 < macsppadic> nope that is rite - udp port 1194 is all u would need 
12:03 < macsppadic> whats ur logs showing 
12:07 < karam> the server dumps stuff like this out: "Fri Mar 26 10:06:58 2010 Client_IP:46220 TLS Error: reading acknowledgement record from packet"
12:07 < karam> will it matter that the client is behind a nat as well?
12:09 < karam> where is the an actual log file normally at for openvpn? (Ubuntu)
12:09 < macsppadic> u shud be able to set that up in the openvpn.conf 
12:09 < macsppadic> usually goes into /var/log/openvpn.log
12:10 < macsppadic> paste ur configs on here karam
12:10 < macsppadic> rite gotta dash 
12:10 < macsppadic> !tls-auth
12:10 < vpnHelper> macsppadic: "tls-auth" is "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret
12:10 < vpnHelper> macsppadic: ta.key to make the tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
12:11 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
12:12 < SerajewelKS> karam: a client behind NAT is normal and expected
12:12 < karam> figured, just wanted to make sure ... thanks.
12:14 < karam> these are my configs: http://www.friendpaste.com/3RG8edwBucPtWm5Twtr74v
12:15 -!- d12fk is now known as d000k
12:15 -!- d000k is now known as d12fk
12:20 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
12:22 < karam> here is the server output from attempting to connect: http://www.friendpaste.com/3iunPVGuBdUQ0LLbfCLYIq
12:22 < karam> would the client output be helpful as well?
12:33 -!- d12fk is now known as d000k
12:33 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 246 seconds]
12:40 -!- ChUbB [~IceChat7@cpc2-aztw12-0-0-cust229.aztw.cable.virginmedia.com] has joined ##openvpn
12:49 -!- troy- [8c15d130cf@bgp4.us] has quit [Read error: Operation timed out]
12:52 -!- troy- [83976af57d@bgp4.us] has joined ##openvpn
12:54 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
12:55 -!- dxtr [dexter@unaffiliated/dxtr] has joined ##openvpn
12:55 < dxtr> Hey guys!
12:55 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
12:56 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
12:56 < dxtr> http://pastebin.ca/1853039 <- Are there any flaws in that config? The logs don't say much (Neither on the server or the client side) but I can't access 172.30.0.129
12:58 < dxtr> And I can connect and stuff
12:59 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
12:59 < dxtr> And I can't access my client from the server so to speak
13:00 < dxtr> And I'm guessing it's not my firewall because I'm not firewalling my tap or bridge interface :)
13:00 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
13:02 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
13:28 -!- jkd4 [debian-tor@gateway/tor-sasl/jkd4] has joined ##openvpn
13:28 < jkd4> Jww: are you there?
13:28 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Quit: Leaving.]
13:29 < jkd4> could anyone please tell me what MDNS is?
13:44 -!- ryanrhee90 [~Adium@rrcs-71-42-217-13.sw.biz.rr.com] has joined ##openvpn
13:44 < ryanrhee90> !welcome
13:44 < vpnHelper> ryanrhee90: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:45 < ryanrhee90> !howto
13:45 < vpnHelper> ryanrhee90: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:45 < SerajewelKS> jkd4: multicast dns
13:45 < jkd4> SerajewelKS: what does that mean?
13:46 < SerajewelKS> jkd4: it's a protocol that is primarily used by linux (avahi) and OS X (bonjour) for finding services/computers on a network
13:46 < SerajewelKS> jkd4: like nmb is on windows, only more powerful
13:46 < jkd4> but not the internet right?
13:46 < jkd4> just the LAN?
13:47 < SerajewelKS> jkd4: no, discovery is by broadcast, just like nmb, and broadcasts should be restricted to one segment
13:47 < SerajewelKS> jkd4: there is unicast mdns, but that's usually used for interrogation of a discovered computer, like smb is used to interrogate a windows host after nmb finds it
13:48 < jkd4> SerajewelKS: what does it mean to interrogatet a pc?
13:48 < jkd4> interrogate*
13:48 < SerajewelKS> jkd4: in the case of mdns/smb, to ask what services it is offering
13:48 -!- bandini [~bandini@host87-24-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
13:48 -!- ryanrhee90 [~Adium@rrcs-71-42-217-13.sw.biz.rr.com] has left ##openvpn []
13:49 < SerajewelKS> mdns broadcasts "who else on this lan supports mdns?"
13:49 < SerajewelKS> all the computers respond "i do!"  then your computer asks each one "ok, what services do you offer?"
13:49 < jkd4> ok
13:49 < SerajewelKS> mdns services can also broadcast services they offer, which other computers on the lan can then pick up and use without ever asking for services
13:49 < jkd4> thanks
13:50 < SerajewelKS> it's a hybrid push/pull protocol.  if you don't have a good reason to block it, don't block it.
13:50 < SerajewelKS> (i assume that's why you're asking)
13:50 < jkd4> well I thought I had all traffic routed through the vpn, but this is apparently LAN traffic
13:51 -!- medum [kevin@d67-193-176-255.home3.cgocable.net] has joined ##openvpn
13:51 < SerajewelKS> you mean all internet-bound traffic?
13:51 < jkd4> yes
13:51 < SerajewelKS> right, mdns should stay on the lan and not be routed
13:52 < SerajewelKS> 100% of mdns traffic should be switched/bridged
13:54 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
13:57 < Fiouz> !mitm
13:57 < vpnHelper> Fiouz: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
14:14 -!- dazo is now known as dazo_afk
14:28 -!- derjohn_foo [~aj@e180195201.adsl.alicedsl.de] has joined ##openvpn
14:32 < vhann> Ahah, ads displaying 'bandwidth exceeded' in place of the actual ads: http://www.comptechdoc.org/os/linux/usersguide/linux_ugipmasq.html
14:32 < vpnHelper> Title: IP Masquerading (at www.comptechdoc.org)
14:42 -!- DarthGandalf is now known as DarthGandalf|BNC
14:43 -!- DarthGandalf|BNC is now known as DarthGandalf
15:29 -!- dazo_h [~dazo@ip4-83-240-69-215.cust.nbox.cz] has joined ##openvpn
15:32 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 252 seconds]
15:33 -!- DarthGandalf is now known as DarthGandalf|BNC
15:40 -!- kusznir [~kusznir@jim-1.eecs.wsu.edu] has joined ##openvpn
15:40 -!- kusznir [~kusznir@jim-1.eecs.wsu.edu] has left ##openvpn ["Leaving"]
15:41 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
15:46 -!- ziarkaen [~ziarkaen@87.113.156.158] has joined ##openvpn
15:47 < ziarkaen> I'm running the default ArchLinux openvpn package, which has confid dir /etc/openvpn.  IS this where I should put certificates/auth files?
15:54 -!- ziarkaen [~ziarkaen@87.113.156.158] has quit [Ping timeout: 276 seconds]
16:00 -!- reiffert [~thomas@mail.webersheim.de] has joined ##openvpn
16:00 < reiffert> Hi
16:00 < ChUbB> hi
16:00 < reiffert> How is life?
16:02 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
16:02 -!- bandini [~bandini@host87-24-dynamic.20-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
16:04 -!- ziarkaen [~ziarkaen@87.113.156.158] has joined ##openvpn
16:04 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
16:08 -!- HardDisk_WP [~Marco@velirat.de] has quit [Changing host]
16:08 -!- HardDisk_WP [~Marco@wikipedia/harddisk] has joined ##openvpn
16:09 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.2/20100316074819]]
16:11 < karam> Finally got my OpenVPN client to connect successfully (yay) but I can't ping the other computers on the LAN. Is client-to-client the only setting I need to enable this on the server?
16:12 < Bushmills> !route
16:12 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:13 < karam> I thought that was for a routed VPN? I have a bridged VPN...
16:13 < dazo_h> karam:  in !route, you'll learn about iroute (yup, with an 'i' before 'route') ... that might be what you need
16:14 < karam> ok thanks. Just wanted to make sure before I delved into that doc.
16:16 < Bushmills> karam: I assume routed mode as that is what is recommended unless bridged is needed for a reason
16:16 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
16:16 < Bushmills> !tunortap
16:16 < vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
16:16 < vpnHelper> Bushmills: against you over the vpn
16:17 -!- ziarkaen [~ziarkaen@87.113.156.158] has quit [Ping timeout: 276 seconds]
16:18 -!- dazo_h [~dazo@ip4-83-240-69-215.cust.nbox.cz] has quit [Quit: Leaving]
16:23 -!- ziarkaen [~ziarkaen@87.113.156.158] has joined ##openvpn
16:28 -!- smerz [~daniel@smerz.demon.nl] has quit [Remote host closed the connection]
16:28 -!- ziarkaen [~ziarkaen@87.113.156.158] has quit [Ping timeout: 245 seconds]
16:30 < karam> hmm, I really just want it to play lan games. Don't I need it bridged for that?
16:30 < SerajewelKS> or bcrelay
16:30 -!- ziarkaen [~ziarkaen@87.113.156.158] has joined ##openvpn
16:30 < SerajewelKS> but honestly, bridged is much easier to set up and less error-prone (especially for older games that use IPX)
16:35 -!- mkay [~mkay@gentoo/user/mkay] has quit [Ping timeout: 242 seconds]
16:44 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
16:50 < ecrist> fwiw, ##openvpn-discussion is now defuct, and forwarding to #openvpn-devel
16:52 < cron2> yes, I noticed :)
16:54 < reiffert> how sad.
16:55 < reiffert> what about the forum<->openvpn-devel sync, any progress here?
16:55 < ecrist> what do you mean, reiffert?
16:56 < reiffert> ecrist: you were about to sync the openvpn forum with openvpn-devel mailinglist. Whats the status of that?
16:57 < ecrist> no progress until we get the new forum online
16:57 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
16:58 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
16:58 < reiffert> While asking stupid questions, did openvpn release their trac yet?
16:58 < ecrist> they're getting close
16:58 < ecrist> they've got ldap setup and a few other things
16:58 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
16:59 < ecrist> reiffert: http://www.secure-computing.net/wiki/index.php/OpenVPN/IRC_meetings
16:59 < vpnHelper> Title: OpenVPN/IRC meetings - Secure Computing Wiki (at www.secure-computing.net)
16:59 < reiffert> IIRC they have been close some weeks ago already, maybe 4?
17:02 < karam> hmm, I don't really see how routes are helpful. For one, having to know the client subnet seems to defeat the purpose. Second, this seems to be if you want to allow an entire remote subnet onto your network. I just want to enable the one client computer connecting to talk to everyone on the host subnet.
17:02 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
17:02 < karam> Anywise, I tried adding them anywise and I don't see a change in functionality
17:03 < reiffert> karam: without routers the world would be a single hell of a broadcast domain.
17:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
17:03 < reiffert>                                                               +single
17:03 < karam> yep, which is why routers exist and I want to use vpn to undo this...
17:03 < reiffert> karam: the host subnet = the openvpn server subnet
17:03 < reiffert> ?
17:04 < karam> ya
17:04 < reiffert> tell the openvpn server to
17:04 < reiffert> push "route thatsmysubnet/mask"
17:04 -!- ^scott^ [~scott@stthom.org] has left ##openvpn []
17:04 < karam> so, push "route 192.168.1.0 255.255.255.0"
17:04 < reiffert> the client will get it and will have a route to the subnet of the server.
17:05 < reiffert> karam: sounds ok. I asume the openvpn server is not the default gateway of 192.168.0.1/24?
17:05 < karam> yes, it is
17:05 < reiffert> oh, great, that simplifies things.
17:06 < karam> br0 bridges to eth1 for local and eth0 is my public IP if any of that info helps...
17:06 < reiffert> sure you are an advanced user and you dont mix up routing with bridging?
17:07 < reiffert> Please do as told:
17:07 < reiffert> !configs
17:07 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
17:07 < karam> well I know the difference between routing and switching ... as to if I actually configured it right ...
17:07 < karam> sure
17:07 < karam> want my bridge script as well/
17:08 < reiffert> na, bridge config in running mode is sufficient.
17:08 < reiffert> it's "will be sufficient", is it?
17:10 < karam> http://www.friendpaste.com/5obojQdZjy8QL67xQpp96r
17:14 < reiffert> 23:08 < reiffert> na, bridge config in running mode is sufficient.
17:14 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
17:16 < reiffert> that means, paste your bridge config.
17:16 < reiffert> while beeing there, paste firewall setting as well.
17:17 < reiffert> and routing tables from both, server and client, with and without beeing connected.
17:18 -!- vhann [~vhann@vl102-res-out.collegeahuntsic.qc.ca] has quit [Ping timeout: 245 seconds]
17:19 < karam> oh
17:20 < karam> bridge config: http://www.friendpaste.com/52X5w6pRQk2jQ5g2jOWoTY
17:24 -!- reiffert [~thomas@mail.webersheim.de] has quit [Quit: leaving]
17:24 < karam> shorewall config: http://www.friendpaste.com/88pQtXZsm7c6dbXzticky
17:25 -!- vhann [~vhann@vl102-res-out.collegeahuntsic.qc.ca] has joined ##openvpn
17:26 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
17:27 < karam> routing tables: http://www.friendpaste.com/vjC8jaG2VmnpA9gmxxlVa
17:28 -!- reiffert [~thomas@mail.webersheim.de] has joined ##openvpn
17:30 -!- vhann [~vhann@vl102-res-out.collegeahuntsic.qc.ca] has quit [Client Quit]
17:35 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 264 seconds]
17:37 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
18:02 < karam> got nothing for me reiffert?
18:10 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
18:22 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
18:36 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
18:37 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
18:37 < jkd4> !mirm
18:37 < vpnHelper> jkd4: Error: "mirm" is not a valid command.
18:55 -!- karam [~no@216.230.246.4] has quit []
18:58 -!- ziarkaen [~ziarkaen@87.113.156.158] has quit [Remote host closed the connection]
19:00 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Ping timeout: 258 seconds]
19:01 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
19:07 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Ping timeout: 264 seconds]
19:15 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
19:33 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
19:33 -!- reiffert [~thomas@mail.webersheim.de] has quit [Quit: Lost terminal]
19:35 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
19:38 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
19:45 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
19:56 < jkd4> hi?
19:58 < krzee> hi?
20:00 -!- jkd4 [debian-tor@gateway/tor-sasl/jkd4] has quit [Quit: leaving]
20:04 -!- karamorf [~no@216.127.52.126] has joined ##openvpn
20:08 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:11 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
20:12 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 260 seconds]
20:13 -!- Colloguy [~flx@64.134.19.223] has joined ##openvpn
20:14 < Colloguy> does openvpn on osx by default tunnel all ports ?
20:15 < krzee> it doesnt work based on ports, it tunnels based on routes
20:15 < krzee> and there is no default
20:15 < krzee> !goal
20:15 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
20:17 < Colloguy> my goal is to be able to run one instance of firefox through the vpn, alongside another instance that runs in the clear
20:18 < krzee> i have that
20:18 < krzee> but you'll need 2 diff browsers
20:18 < krzee> ie: 1 firefox 1 opera
20:18 < Colloguy> or 2 different profiles
20:18 < krzee> i do that with socks over openvpn
20:18 < krzee> !factoids search route
20:18 < vpnHelper> krzee: 'winroute', 'iroute', 'router', 'route', and 'routebyapp'
20:18 < krzee> !routebyapp
20:18 < vpnHelper> krzee: "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
20:20 < Colloguy> !route
20:20 < vpnHelper> Colloguy: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:22 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Remote host closed the connection]
20:23 < krzee> you wouldnt actually need proxifier
20:23 < krzee> i use it, but i select many apps to go over the vpn, and some not to
20:24 < krzee> you could just set the socks settings for the app
20:24 < Colloguy> oh okay
20:24 -!- daemon [~daemon@2a01:348:1f9:feed:582b:7ce4:e7b2:cf00] has joined ##openvpn
20:26 < daemon> good day all, I was wondering if anyone would spare a minute to reverse a config for me, I have been following a howto and its worked great so far. I have generated client and server certificates however the client part of the howto is 404, if I paste the server howto would someone be able to quickly alter it from what the client should use? I already generated the neccesary certificates etc
20:28 < krzee> lol
20:28 < krzee> why not just learn what you are doing
20:28 < krzee> !goal
20:28 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
20:28 < daemon> krzee, dont be silly its easier to moan on irc till someone hand holds me!
20:29 < krzee> not likely to happen tho, we help people we dont do their work for them
20:29 < daemon> krzee, how about if I bitch about some other vpn software and compare how easy that was
20:30 < daemon> incase you are wondering, yes im bored -_- 
20:30 < krzee> how bout if you go to their channel and see if they hold your hand cause you dont want help?
20:30 < daemon> hold on I need to think the right response to that one
20:30 < krzee> in case you are wondering too, yes im not in a good mood, lol
20:31 < krzee> anyways, if you want help, respond to !goal
20:31 < daemon> I already have the answer I got it 2 seconds after posting the question
20:31 < daemon> I run incremental backups so I dragged the conf out of one of those ;)
20:31 < daemon> server upgrade
20:31 < krzee> cool
20:31 < daemon> but im trying to be a troll for fun but I kind of suck at it
20:32 < krzee> gotchya
20:32 < daemon> I for the hell of me cant remember what they normally say to '<krzee> how bout if you go to their channel and see if they hold your hand cause you dont want help?'
20:32 < krzee> ya not very good, not even deserving of a /kick
20:32 < krzee> lol
20:32 < daemon> ;/
20:32 < daemon> I must strength up my trolling skill
20:32 < krzee> may i recommend efnet?
20:33 < daemon> hell no that place is way to high level, most of the channels there I want to hang my self; thats before even asking a question
20:33 < daemon> mind you undernet is just as bad
20:33 < daemon> apart from on undernet you get mystics/psychics and people who study magic which adds a touch of mystiscism(sp?) to the conversation
20:34 < krzee> mysticism
20:34 < daemon> ah ha, the one thing I miss about my freebsd box is that aspell is compiled inline with xchat to correct my crappy spelling
20:34 < krzee> if it will make you feel better i can kick you, make you feel like a real troll
20:34 < daemon> Ychat/silverx on win32/64 does not
20:35 < krzee> ya my osx xchat has spell check too
20:36 < daemon> krzee, be rather redundant now, kick me later ill try to start one of those flame wars like browser debates. The only problem is that IPSEC/openvpn/pptp are so different you can't really create a flame war between because they have very different feature sets
20:36 < daemon> mind you if im trolling will that even matter?
20:37 < daemon> OSX you say.. out of interest is that a real mac or a hackintosh box
20:37 < krzee> one of each
20:37 < krzee> laptop is real, desktop is osx86
20:38 < daemon> I have a friend on hackintosh can he emulate a DX10 game (its not very cpu or graffics demanding [primarily sprite based]) within bootcamp?
20:38 < daemon> say bootcamp/xp
20:38 < krzee> wrong chan
20:38 < krzee> but also he doesnt need bootcamp
20:39 < daemon> ok my apologies, but as its quiet... will he ever get a DX10 game to run without virtualization of his desktop
20:39 < krzee> ok troll time is over =]
20:39 -!- mode/##openvpn [+o krzee] by ChanServ
20:39 < daemon> did I do well?
20:40 -!- mode/##openvpn [+b *!*@2a01:348:1f9:feed:582b:7ce4:e7b2:cf00] by krzee
20:40 -!- daemon was kicked from ##openvpn by krzee [daemon]
20:40 -!- mode/##openvpn [-o krzee] by krzee
20:49 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
20:54 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
20:58 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
20:58 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
20:58 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
21:03 -!- Colloguy [~flx@64.134.19.223] has quit [Ping timeout: 276 seconds]
21:12 -!- DarthGandalf|BNC is now known as DarthGandalf
21:39 -!- ChUbB [~IceChat7@cpc2-aztw12-0-0-cust229.aztw.cable.virginmedia.com] has quit [Quit: On the other hand, you have different fingers.]
22:00 -!- aj__ [~aj@e180192095.adsl.alicedsl.de] has joined ##openvpn
22:03 -!- derjohn_foo [~aj@e180195201.adsl.alicedsl.de] has quit [Ping timeout: 258 seconds]
22:33 -!- aj__ [~aj@e180192095.adsl.alicedsl.de] has quit [Ping timeout: 246 seconds]
22:47 -!- aj__ [~aj@e180194125.adsl.alicedsl.de] has joined ##openvpn
23:01 -!- mode/##openvpn [+o krzee] by ChanServ
23:02 -!- mode/##openvpn [-b *!*@2a01:348:1f9:feed:582b:7ce4:e7b2:cf00] by krzee
23:02 -!- mode/##openvpn [-o krzee] by krzee
23:44 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:51 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Remote host closed the connection]
23:56 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 248 seconds]
--- Day changed Sat Mar 27 2010
00:01 -!- takamichi [~pri@74.81.170.4] has quit [Ping timeout: 264 seconds]
00:02 -!- takamichi [~pri@74.81.170.4] has joined ##openvpn
00:11 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
00:24 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
02:26 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has left ##openvpn []
02:26 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
02:39 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.2/20100316074819]]
02:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
02:46 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
02:47 -!- gallatin [~gallatin@188.109.201.71] has joined ##openvpn
02:54 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
02:59 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Remote host closed the connection]
03:14 -!- gorkhaan [~gorkhaan@195.228.21.253] has joined ##openvpn
03:33 -!- gorkhaan [~gorkhaan@195.228.21.253] has quit [Ping timeout: 245 seconds]
03:36 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
03:37 -!- gorkhaan [~gorkhaan@91.144.92.132] has joined ##openvpn
03:41 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
04:08 -!- gorkhaan [~gorkhaan@91.144.92.132] has quit [Ping timeout: 258 seconds]
04:12 -!- master_of_master [~master_of@p57B542D8.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
04:13 -!- master_of_master [~master_of@p57B56558.dip.t-dialin.net] has joined ##openvpn
04:43 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
05:07 -!- gallatin [~gallatin@188.109.201.71] has quit [Ping timeout: 258 seconds]
05:12 < jetole> Hey guys. I setup my openvpn and I can connect but I can't seem to connect to any hosts in the 10.10.0.128/26 network and the logs all look pretty clean. I posted my config and appreciate any help. http://pastebin.com/NRkN2F06
05:12 < jetole> Also the server is two nic's in bridge mode but planning on keeping the vpn in routing mode
05:42 -!- gorkhaan [~gorkhaan@91.144.92.132] has joined ##openvpn
05:48 -!- DrPepper [~DrPepper@88.207.142.4] has joined ##openvpn
06:21 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:23 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:26 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Client Quit]
06:28 -!- DrPepper [~DrPepper@88.207.142.4] has quit [Ping timeout: 245 seconds]
06:42 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
06:52 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:57 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
08:05 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 264 seconds]
08:10 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Quit: leaving]
08:15 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
08:35 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
08:46 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
08:50 -!- bazo [~Anonimo@95.234.92.36] has joined ##openvpn
08:50 -!- bazo [~Anonimo@95.234.92.36] has left ##openvpn []
08:59 -!- fabio_ [~fabio@249.229.18.95.dynamic.jazztel.es] has joined ##openvpn
08:59 < fabio_> hello, can i request some help with openvpn and resolv.conf
09:03 < hyper_ch> fabio_: as with most support channels you don't ask for help you just state what your problem is and maybe someone knows and answers
09:03 < fabio_> sorry hyper_ch , ill explain
09:04 < fabio_> im succesfully connected to a lan with openvpn
09:04 < fabio_> i make the routes in the .conf
09:04 < fabio_> but im using ubuntu
09:04 < fabio_> with network manager
09:04 < fabio_> and i have to run a script 
09:04 < fabio_> to get the nameserver right
09:05 < cron2> 01:34 <RichiH> http://freenode.net/group_registration.shtml
09:05 < cron2> 01:34 <RichiH> http://freenode.net/group_registration_form.php
09:05 < vpnHelper> Title: Group Registration (at freenode.net)
09:05 < vpnHelper> Title: freenode: Group Registration Form (at freenode.net)
09:05 < cron2> oops, wrong channel
09:06 < fabio_> echoing the nameserver clause in the resolv.conf
09:06 < fabio_> but the nameserver is of the other lan,
09:06 < fabio_> and then, i get slow resolves
09:06 < fabio_> beacuse im not using my router dns anymore
09:06 < kajl> have you installed resolvconf?
09:07 < fabio_> nope, just apt-geting now
09:07 < jetole> I found I had some issues with resolvconf on my ubuntu even after I installed it so I just wrote a up and down bash script
09:08 < fabio_> jetole, i use the same manner
09:08 < fabio_> but im tired to run a bash script every time
09:08 < jetole> fabio_: I was wondering if you can help me out with my problem (which I am about to repaste since you came in after)
09:08 < jetole> Hey guys. I setup my openvpn and I can connect but I can't seem to connect to any hosts in the 10.10.0.128/26 network and the logs all look pretty clean. I posted my config and appreciate any help. http://pastebin.com/NRkN2F06
09:08 < jetole> Also the server is two nic's in bridge mode but planning on keeping the vpn in routing mode
09:08 < fabio_> in fact 2, because i need to modify iptables in the other side
09:09 < jetole> fabio_: I used the up and down openvpn options in the client config to change resolv.conf
09:09 < jetole> all the other people who use that vpn connection are on windows so they get it through the dhcp push
09:09 < fabio_> up /etc/openvpn/update-resolv-conf?
09:10 < jetole> but yeah, talking about two different setups here, the question I just asked is about a second / new openvpn setup
09:10 < jetole> fabio_: yeah, again, I had issues doing it that way
09:10 < jetole> mine is custom
09:10 < fabio_> i dont understand the hole process, can you give a webpage with info to set up a vpn and make the dns to work fine?
09:11 < fabio_> ok, i think ill continue to work with custom scripts
09:11 < jetole> do you have a static DNS host when you are not connected to vpn?
09:11 < jetole> i.e. your dns host never changes?
09:11 < fabio_> yea, my router
09:11 < fabio_> 192.168.1.1
09:11 < fabio_> adsl home router
09:11 < jetole> http://pastebin.com/BkRe9fQb
09:11 < jetole> thats what I use
09:12 < jetole> edit the client config to run that bash script with up and down
09:12 < jetole> i.e. up /etc/openvpn/myresolv.sh
09:12 < jetole> will run it every time the vpn is up
09:12 < jetole> down /etc/openvpn/myresolv.sh
09:12 < jetole> that will run it every time the vpn is down
09:12 < fabio_> i dont understand
09:12 < jetole> change the DNS servers inside the bash script
09:13 < fabio_> i think i need more skills
09:13 < jetole> do you know how to make a bash script?
09:14 < jetole> if the answer is no then I doubt I can help you
09:14 < fabio_> yea, i know, i have mine
09:14 < fabio_> 4 scripts
09:14 < fabio_> 2 up on the both side
09:14 < fabio_> and 2 down on the both sides
09:14 < jetole> what?
09:15 < fabio_> i can paste the for you
09:15 < jetole> paste if you like but I'm hoping in the shower. Maybe someeone else can help
09:15 < jetole> I would really appreciate it if anyone in here could look at my own problem and recommend something
09:16 < jetole> oh and fabio_, ask before you PM someone 
09:16  * jetole goes to hop in the shower
09:37 < jetole> fabio_: do they speak english in the country you're from
09:37 < jetole> don't PM me
09:38 < fabio_> sorry jetole 
09:55 -!- gorkhaan_ [~gorkhaan@91.144.92.132] has joined ##openvpn
09:57 -!- gorkhaan [~gorkhaan@91.144.92.132] has quit [Read error: No route to host]
10:11 < RichiH> ecrist, cron2: fwiw, i am in here, as well
10:14 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
10:17 < rob0> RichiH is everywhere!
10:22 < cron2> RichiH: so why am I doing this the complicated way???
10:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:38 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
10:39 < RichiH> cron2: how should _i_ know?
10:39 < RichiH> ou are the one who can't use /names ;)
10:47 < jetole> not sure what client you guys are talking about but have you tried /n
10:48 -!- fabio_ [~fabio@249.229.18.95.dynamic.jazztel.es] has quit [Read error: No route to host]
10:49 -!- gorkhaan_ [~gorkhaan@91.144.92.132] has quit [Read error: Connection reset by peer]
11:05 -!- WormFood [~wormfood@121.34.202.114] has quit [Ping timeout: 260 seconds]
11:06 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
11:11 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
11:17 -!- WormFood [~wormfood@58.61.134.210] has joined ##openvpn
11:19 -!- graffz [~graffz@118.175.66.195] has joined ##openvpn
12:01 -!- graffz [~graffz@118.175.66.195] has quit [Ping timeout: 258 seconds]
12:40 -!- karamorf [~no@216.127.52.126] has quit [Ping timeout: 268 seconds]
12:45 -!- karamorf [~no@216.127.52.126] has joined ##openvpn
12:53 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Ping timeout: 276 seconds]
12:54 < cron2> RichiH: what is /names?
12:55 < cron2> ah, same thing as /who * elsewhere
13:00 -!- mirco [~mirco@p5B23E110.dip.t-dialin.net] has joined ##openvpn
13:14 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
13:15 < jetole> cron2: in irssi "Shows the names (nicks) in the specified channels."
13:18 < cron2> yep
13:43 -!- PrinceAmjad [~zjb@87.109.235.194] has joined ##openvpn
14:02 -!- dieselz [~dieselz@c-68-40-122-117.hsd1.mi.comcast.net] has joined ##openvpn
14:03 < dieselz> Hi all, I'm new to VPNs and I'm trying to figure out how to deal with authentication between the boxes
14:03 < krzee> !goal
14:03 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:04 < dieselz> I would like to centralize authentication, so that if a user exists in the system, they can access any of the clients
14:04 < krzee> please define "user exists in the system"
14:04 < krzee> existing system, or people you issue certs to?
14:05 < dieselz> um, if a user has an account in ldap on the server?
14:05 < krzee> ok, there is a script you can use to auth based on LDAP
14:05 < krzee> are you also able to issue certificates to people who should have access to the vpn?
14:06 < dieselz> well here is my idea: we have about 50 boxes that folks in the company need access to
14:06 < dieselz> when we add a box, we need to setup the authentication again
14:06 < dieselz> it would be nice if someone just logged into the openvpn server
14:07 < dieselz> then could ssh [without password] to any of the clients
14:07 < krzee> ahh i gotchya
14:07 < krzee> you are aware this means if any compromises the server, they own EVERY machine, right?
14:08 < dieselz> well, yes.
14:08 < dieselz> but honestly, the state of the security currently is pretty weak
14:08 < krzee> however, you said you have an LDAP server as well
14:09 < dieselz> well currently they are just 50 ubuntu boxes with no integration among them
14:09 < krzee> so maybe you can hook in LDAP auth into sshd using PAM over openvpn links
14:09 < krzee> or of course, with no openvpn needed, you could write a script to remotely login via sshd, setup all accounts and add the ssh keys
14:09 < krzee> which would be trivial
14:10 < dieselz> but they could easily get out of sync
14:10 < dieselz> for example, if someone got a new computer, then i would have to fix every server to allow the new RSA key
14:10 < krzee> from a script i made before:
14:10 < krzee> 		ssh -p ${sshport} ${username}@${sship} cat ".ssh/authorized_keys.temp >> .ssh/authorized_keys2"
14:11 < krzee> right, thats easy to fix but it would suck if a machine is down when running that
14:11 < dieselz> why is that?
14:11 < krzee> cause then its really out of sync
14:11 < dieselz> ah, gotcha
14:12 < krzee> although thats fixable as well
14:12 < krzee> i could shell script that fairly easily
14:12 < dieselz> with that plan, wouldn't you need to setup each user account on each box still?
14:13 < dieselz> then iterate over them and sync the authorized_keys file
14:13 < krzee> useradd
14:13 < dieselz> but thats annoying every time we add a box
14:14 < krzee> scripted to run remotely
14:14 < krzee> =]
14:14 < dieselz> i wonder if http://code.google.com/p/openvpn-auth-ldap/ would be helpful
14:14 < vpnHelper> Title: openvpn-auth-ldap - Project Hosting on Google Code (at code.google.com)
14:15 < dieselz> haha
14:15 < krzee> that is authenticating to the vpn using LDAP passwords
14:16 < krzee> thing is, if users can ssh to machines without sshkeys once on the vpn, so can anyone who gets access to the server some other way
14:17 < krzee> will the server at least be physically secure and not run ANY other open ports?
14:17 < dieselz> well, it will be in a rackspace datacenter, idk if you consider that secure :p
14:17 < dieselz> the server box could be kept very lean
14:17 < krzee> better than at someones house or office ild think
14:17 < dieselz> maybe just leave some random port open for ssh
14:18 < dieselz> or some craziness with the knock-knock ssh protocol
14:18 < krzee> if i were you i wouldnt even allow ssh without vpn if you are seriously going to setup ssh to not require passwords on the client machines
14:18 < krzee> ya the knocking is another decent way to do that
14:19 < jpalmer> bleh.   lock down ssh to only allow authorized keys.  then have you authorized_keys file restrict access to all but specific IP's.
14:19 < dieselz> the SSH on the clients would only listen to the vpn IP
14:19 < dieselz> jpalmer: difficult to limit to IP since we are all traveling a lot
14:20 < krzee> that problem goes away once you have a vpn
14:20 < krzee> their ip is the vpn ip
14:20 < jpalmer> dieselz: you have a VPN.   use client config directories to assign static VPN addresses.
14:20 < krzee> !static
14:20 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
14:20 < krzee> also, let me suggest this as well:
14:20 < krzee> 2 vpn servers on the server
14:20 < jpalmer> ie.  joes lapto is always 10.72.15.44,   that is the *only* IP that shoud be able to use that key.
14:20 < krzee> 1 for servers to connect to as clients
14:20 < krzee> 1 for users
14:20 < jpalmer> krzee: right.
14:21 < krzee> servers use certs, no passwords
14:21 < krzee> users use certs AND ldap password
14:21 < dieselz> hmmm i think I'm a little confused, let me recap:
14:22 < dieselz> Bob logs onto vpn server using public key then through ldap can access any of the clients on the vpn?
14:22 < krzee> dieselz, am i correct assuming you want all users to login to each server as the same login?
14:22 < krzee> (which is a nightmare for accountability)
14:22 < dieselz> no, each would have their own account
14:23 < jpalmer> smart move
14:23 < krzee> if each has their own account, whats the problem with ssh keys?
14:23 < krzee> is the vpn for centralized auth or for easier managing of what IP to login to?
14:23 < dieselz> well the idea would be that if we added a new box, we could theoretically run one script and everyone would be able to login to that machine
14:24 < dieselz> and if someone updated their public key, it would automatically get distributed to each box
14:24 < krzee> that script will remotely add users then, right?
14:24 < dieselz> the key to this whole thing is that 50 boxes are a bitch to maintain consistancy
14:24 < jpalmer> dieselz: sounds like you may want something like centralized user management (LDAP maybe?)  and something else like cfengine or parrot, or scripted ssh commands.
14:24 < krzee> sounds like the script could have sanity checking for each user to add / key to move over, compare, and add if needed, then it can be crontabbed
14:25 < krzee> or you could setup each server to auth SSH using LDAP, then have that LDAP session protected by openvpn if you choose
14:25 < dieselz> so using an ldap server, the clients would automatically create all the user accounts on the server?
14:25 < krzee> but users wouldnt need vpn
14:26 < dieselz> that sounds like a good idea
14:26 < jpalmer> brb,  need to run to store.
14:26 < krzee> or even if you do require them to vpn in, they STILL need their LDAP pass
14:26 < dieselz> pass or public key? or just pass
14:26 < krzee> depends
14:26 < krzee> public key requires no pass, but a script to keep consistent across the machines
14:27 < krzee> if LDAP, a pass i believe
14:27 < jpalmer> ready for the bomb?   This area (centralized management over mass deployments) is one area where the unix world is severly lacking, and the windows world handles quite gracefully.
14:27 < krzee> now i havnt played with LDAP, maybe it can have public keys as part of it
14:28 < dieselz> google says that you need a patch to handle that
14:28 < krzee> jpalmer, if he uses ldap does each machine also need the users manually added?
14:28 < jpalmer> krzee, depends on his LDAP schema.  properly implemented, no.  users just need to exist in LDAP.
14:29 < dieselz> http://dpw.threerings.net/projects/splat/manual/ch02s03.html
14:29 < vpnHelper> Title: OpenSSH Public Keys (at dpw.threerings.net)
14:29 < dieselz> looks promising
14:29 < jpalmer> the problem with LDAP,  is *everything* is a custom patch or hack.
14:29 < krzee> ahh cool, then that is a possible solution
14:29 < jpalmer> so what works here, may not work in your environment.  there is no standardization in the unix communities for LDAP
14:29 < dieselz> jpalmer: that doesn't sound good since clearly im no pro in this arena
14:30 < jpalmer> dieselz: it's a fact you're going to have to accept if you choose LDAP.
14:30 < jpalmer> also something to keep in mind.. if you hire a new admi, they will have a learning curve, even if the know LDAP..  they don't know *your implementation* of LDAP.
14:31 < dieselz> well all the employees are currently web devs [as am I]
14:31 < dieselz> im going to be the new admin hire [lol]
14:32 < krzee> hire me to write a script to keep all users in sync across all the machines :)
14:32 < jpalmer> I really wish the unix communities would get together,  and standardize on a common LDAP schema.   that is one of the things that makes microsofts Active Directory so versatile and powerful.  
14:33 < krzee> jpalmer, its my understanding that AD is actually just a standardized (by MS) LDAP schema, is that correct?
14:33 < jpalmer> in a MS environment,  a new admin comes in.. the learning curve is low, because if he understands AD,  it's the same implementation in all MS environments.
14:33 < jpalmer> krzee: it's LDAP on steroids,  but yes.
14:33 < krzee> werd
14:34 < jpalmer> krzee: comparing LDAP to AD is akin to comparing openvpn with pptp.  they are both vpns.  to that extent,  openvpn is "pptp on steroids" (from an analagous standpoint, not a technical one obviously)
14:34 < krzee> ahh, so very different from what i was thinking
14:35 < krzee> since pptp is a broken protocol and doesnt deserve to be mentioned next to openvpn
14:35 < jpalmer> probably ;)   the basis of AD is LDAP,  but it's got a lot of other components and such.
14:35 < krzee> !pptp
14:35 < vpnHelper> krzee: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
14:35 < vpnHelper> krzee: read about why to not use pptp
14:35 < krzee> ;]
14:36 < dieselz> pretty interesting stuff about openldap https://help.ubuntu.com/community/OpenLDAPServer#Web%20Based%20Administration%20Tools
14:36  * jpalmer would love a link to official MS docs that say not to use PPTP
14:36 < vpnHelper> Title: OpenLDAPServer - Community Ubuntu Documentation (at help.ubuntu.com)
14:36 < jpalmer> anyway, brb.  store time.
14:37 < jpalmer> MS's flagship security products (ISA server, and forefront TMG) both use PPTP/L2TP,  so I'd really like to see an official MS doc that says not to use it.
14:38 < dieselz> I'm gonna put my head in a book and see what i can figure out about openldap - thanks guys for the help!
14:39 < krzee> np, and in regard to the vpn
14:39 < krzee> !sample
14:39 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
14:39 < krzee> thats a decent place to start
14:39 < krzee> make sure to read the manual about every option in them as well tho, important to understand
14:39 < krzee> you'll also want
14:39 < krzee> !topology
14:39 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
14:40 < krzee> so that each client only needs 1 ip and not a whole /30
14:40 < dieselz> completely lost me :-\
14:41 < dieselz> when i setup the vpn, the server got 10.10.0.1 and client got 10.10.0.6
14:41 < krzee> first link is some basic configs
14:41 < krzee> with topology subnet config option on server, client will get .2
14:41 < krzee> .3
14:41 < krzee> etc
14:41 < krzee> instead of .6 .10 .14
14:41 < dieselz> ah, gotcha
14:42 < dieselz> thats weird that thats the default behavior - i was wondering where that came from
14:42 < krzee> the link talks about where it came from
14:42 < krzee> was a work-around around windows lamesauce
14:42 < krzee> til they found a better way and used it in topology subnet
14:43 < dieselz> :-\ microsoft
14:48 < krzee> jpalmer, i emailed pmueller asking if he could show me the ms doc where they state that
14:48 < krzee> he said it in 2005 so he may not still have any clue where to find it
14:48 < krzee> http://marc.info/?l=pptpclient-devel&m=112369658101913&w=2
14:48 < vpnHelper> Title: '[pptp-devel] RE: [Poptop-server] Why not use PPTP?' - MARC (at marc.info)
14:51 < dieselz> what do you think about having a nfs mount for /etc/ssh/public_keys/$USER and then on the client, link those files to the proper user account?
14:52 < krzee> <pmueller@sidestep.com>: host ASPMX.L.GOOGLE.com[209.85.223.84] said: 550-5.1.1
14:52 < krzee>     The email account that you tried to reach does not exist. Please try
14:52 < krzee> aww weakness
14:52 < dieselz> who is this pmueller
14:53 < krzee> jpalmer mentioned he'ld like to see the MS doc about not using pptp, i would also like to, so i found who said it and when, it was him on the pptp-devel mail list
14:53 < dieselz> ah gotcha
14:53 < krzee> NFS mount of the keys over ovpn could work
14:54 < krzee> then the only consistency issue is user accounts being added
14:54 < dieselz> so its just a question of getting the user accounts on the clients, which is looks like openldap would do
14:54 < krzee> well if you do that, might as well just put the keys in the LDAP too since you already found how
14:55 < krzee> but ya either way
14:55 < dieselz> i'd rather keep it as production stable as possible though - idk how stable that thing looked
14:56 < krzee> shit im bout to be late for work
14:56 < dieselz> hasnt been updated since march 08
14:56 < dieselz> run man, run
14:56 < krzee> hope i helped ya some
14:56 < krzee> bbl
14:56 < dieselz> thanks for the help
15:01  * jpalmer is back
15:01 < dieselz> yo.
15:02 < dieselz> so i think the plan will be to use ldap over vpn to handle the user accounts and nfs mount the authorized_keys files for each user
15:19 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
15:20 < jpalmer> you could NFS mount their entire home dir.
15:28 < dieselz> idk if i want to centralize all the files, might cause problems
15:39 -!- freaky[t] [alpha@freakyy.de] has quit [Ping timeout: 265 seconds]
15:44 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
15:45 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 248 seconds]
15:46 -!- jnss is now known as yoda
15:47 -!- yoda is now known as jnss
15:47 -!- Jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Ping timeout: 248 seconds]
15:48 -!- Jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
15:50 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
15:50 -!- mode/##openvpn [+v openvpn2009] by ChanServ
15:56 -!- alpha [~mosbah.ab@41.224.201.20] has joined ##openvpn
16:01 -!- PrinceAmjad [~zjb@87.109.235.194] has quit [Ping timeout: 245 seconds]
16:05 -!- PrinceAmjad [~zjb@87.109.192.202] has joined ##openvpn
16:08 -!- dieselz [~dieselz@c-68-40-122-117.hsd1.mi.comcast.net] has quit [Quit: dieselz]
16:22 -!- DarthGandalf is now known as DarthGandalf|BNC
16:23 -!- SerajewelKS [~me@wikipedia/Crazycomputers] has quit [Read error: Connection reset by peer]
16:25 -!- SerajewelKS [~me@wikipedia/Crazycomputers] has joined ##openvpn
16:27 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
16:33 -!- SerajewelKS [~me@wikipedia/Crazycomputers] has quit [Remote host closed the connection]
16:33 -!- SerajewelKS [~me@c-98-222-140-181.hsd1.in.comcast.net] has joined ##openvpn
16:33 -!- SerajewelKS [~me@c-98-222-140-181.hsd1.in.comcast.net] has quit [Changing host]
16:33 -!- SerajewelKS [~me@wikipedia/Crazycomputers] has joined ##openvpn
16:38 -!- _insane [~un@ppp-188-174-91-251.dynamic.mnet-online.de] has joined ##openvpn
16:38 < _insane> hello everyone, i am trying to setup a bridge with static keys but i want to use ips from the same /29 network on both sides. if i add a ifconfig ipfromsamenetwork on the client side i cant reach the vpn server anyone
16:46 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
16:46 -!- mode/##openvpn [+v Kasx] by ChanServ
16:48 -!- Kas [~Kasx@173.192.223.187-static.reverse.softlayer.com] has quit [Ping timeout: 252 seconds]
16:55 -!- LobbyZ [~default@188.72.255.194] has quit [Quit: Free FTW]
17:01 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 264 seconds]
17:02 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
17:20 -!- karamorf [~no@216.127.52.126] has quit [Ping timeout: 276 seconds]
17:21 -!- smerz [~daniel@smerz.demon.nl] has quit [Quit: Ex-Chat]
17:26 -!- karamorf [~no@216.127.52.126] has joined ##openvpn
17:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
17:27 -!- alpha_ [~mosbah.ab@41.228.184.18] has joined ##openvpn
17:28 -!- alpha [~mosbah.ab@41.224.201.20] has quit [Ping timeout: 240 seconds]
17:32 -!- PrinceAmjad [~zjb@87.109.192.202] has quit [Read error: Connection reset by peer]
17:32 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
17:40 -!- PrinceAmjad [~zjb@87.109.192.202] has joined ##openvpn
17:42 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
17:44 -!- alpha_ [~mosbah.ab@41.228.184.18] has quit [Ping timeout: 245 seconds]
17:54 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 245 seconds]
17:56 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
18:32 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 268 seconds]
18:35 < SerajewelKS> _insane: you need to pastebin your openvpn configs and network interface configuration
18:36 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
18:41 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 264 seconds]
18:56 < rawDawg> http://pastebin.com/76Ta5y14 is my server config
18:57 < rawDawg> ^ running on windows server
18:57 < rawDawg> i am going to be adding a monitoring server (nagios) onto the local subnet of the server 10.200.0.0/24
18:58 < rawDawg> how can i monitor the openVPN 192.168.10.0/24 subnet from the new monitoring subnet?
18:59 < rawDawg> well its not going to be a new subnet
18:59 < rawDawg> 10.200.0.21 will be the nagios box
19:00 < rawDawg> 10.200.0.20 is the openVPN server
19:01 < rawDawg> since nagios is on a diferent subnet than the openVPN clients, im wondering how i can monitor the openVPN clients
19:35 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Ping timeout: 260 seconds]
20:02 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
20:04 -!- takamichi [~pri@74.81.170.4] has quit [Ping timeout: 276 seconds]
20:04 -!- takamichi [~pri@74.81.170.4] has joined ##openvpn
20:18 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
20:32 -!- mirco [~mirco@p5B23E110.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
20:32 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
20:38 -!- Sorcier_FXK [~Sorcier_F@unaffiliated/sorcierfxk] has quit [Ping timeout: 265 seconds]
20:38 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 265 seconds]
20:39 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
20:39 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
20:40 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
20:40 -!- mirco [~mirco@p5B23E630.dip.t-dialin.net] has joined ##openvpn
20:43 -!- Sorcier_FXK [~Sorcier_F@rps2660.ovh.net] has joined ##openvpn
20:58 -!- tjz [~pc@bb116-14-146-178.singnet.com.sg] has joined ##openvpn
20:58 -!- tjz [~pc@bb116-14-146-178.singnet.com.sg] has quit [Changing host]
20:58 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
21:06 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
21:09 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
21:18 -!- redfox [~redfox2@ns351996.ovh.net] has quit [Ping timeout: 258 seconds]
21:26 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
21:41 -!- jnss is now known as visitor
21:56 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
22:03 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
22:04 -!- aj__ [~aj@e180194125.adsl.alicedsl.de] has quit [Ping timeout: 246 seconds]
22:09 -!- visitor is now known as jnss
22:16 -!- sno [~sno@static.153.209.46.78.clients.your-server.de] has quit [Ping timeout: 252 seconds]
22:16 -!- sno [~sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn
22:17 -!- aj__ [~aj@e180194045.adsl.alicedsl.de] has joined ##openvpn
22:18 -!- takamichi [~pri@74.81.170.4] has quit []
22:19 -!- redfox [~redfox2@ns351996.ovh.net] has joined ##openvpn
22:20 -!- redfox is now known as Guest23432
22:43 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 258 seconds]
22:54 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
22:59 -!- takamichi [~pri@74.81.170.5] has joined ##openvpn
23:08 -!- DarthGandalf|BNC is now known as DarthGandalf
23:19 -!- ptg [~ptg@coolstoryb.ro] has joined ##openvpn
23:20 < ptg> !welcome
23:20 < vpnHelper> ptg: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:20 < ptg> Fair enough
23:21 < ptg> !goal
23:21 < vpnHelper> ptg: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
23:24 < ptg> Greetings gents. I've got an issue that's not configuration related
23:24 < ptg> http://pastebin.ragingfist.net/?page=view&id=1269750190
23:24 < ptg> Any thoughts as to why openvpn works brilliantly post install - perform a reboot and it's no longer routable?
23:25 < ptg> Amazon EC2 instance - so it may be xen related
23:41 -!- tjz [~pc@bb116-14-146-178.singnet.com.sg] has joined ##openvpn
23:41 -!- tjz [~pc@bb116-14-146-178.singnet.com.sg] has quit [Changing host]
23:41 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
--- Day changed Sun Mar 28 2010
00:04 < ecrist> shh
00:04 < ecrist> ptg: never used EC2, so I can't comment on that.
00:05 < ecrist> I'm guessing it's a missing route, or something that doesn't come up right away.  are you trying to connect in to an EC2 instance, or connect out?
00:05 < ecrist> I'm guessing connecting out would be easier.
00:06 < ptg> ecrist: Connect out, and there's no problem in establishing the connection
00:06 < ecrist> not sure what your exact issue is, you're not very clear.
00:06 < ptg> If/when the node is rebooted - I have to un/reinstall openvpn
00:07 < ptg> Which is weird, to say the least
00:07 < ecrist> why do you think you have to reinstall?
00:07 < ecrist> there must be something specific.
00:08 < ptg> Pre-reboot the routes are listed with a legitimate interface name
00:08 < ptg> Post-reboot the routes are listed with "d" or "c" or some-such junk
00:09 < ptg> That is, until I uninstall openvpn, reboot, reinstall and dial
00:09 < ecrist> I would suggest contacting your rep at amazon.
00:10 < ecrist> sounds like an issue with the tun/tap adapter on their systems
00:10 < ptg> My experience with their support insofar is "lol we don't provide openvpn"
00:10 < ecrist> I'm guessing that's your answer, then.
00:10 < ptg> Ah well. Thanks ecrist
00:10 < ecrist> np
00:11 < ecrist> http://www.google.com/search?client=safari&rls=en&q=EC2+openvpn&ie=UTF-8&oe=UTF-8
00:11 < vpnHelper> Title: EC2 openvpn - Google Search (at www.google.com)
00:11 < ecrist> may give some insight.
00:11 < ptg> About to loose my mind on this one. I've been setting up openvpn because windows builtin pptp nukes the windows routing table on disconnect
00:11 < ptg> To which amazon responded "lol we didn't write windows
00:11 < ecrist> what 'feature' of EC2 are you dependent on?
00:12 < ptg> The vhost feature :P
00:12 < ptg> So - all of it
00:12 < ecrist> what is the vhost feature?
00:13 < ptg> I'm migrating our physical hardware to virtual hardware. Calls from higher up to get rid of our rack
00:13 < ecrist> stupid move, IMHO
00:14 < ecrist> we just bought two more racks and $50K worth of new hardware
00:14 < ptg> There's pros and cons, but I'm a cog in the machine here
00:14 < ecrist> once a cog, always a cog
00:14 < ptg> heh
00:15 < ptg> Guess I'll start looking at stunnel >:-/
00:15 < ptg> If anyone else has a thought, I'll be lurking all week o7
01:09 < rawDawg> !route
01:09 < vpnHelper> rawDawg: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
01:32 < rawDawg> i turned on routing and remote access on my windows 2003 server
01:32 < rawDawg> but it does not seem to be routing packets :\
01:41 < ptg> rawDawg: What does the routing table look like?
01:42 < rawDawg> i had to add a route to the LAN's default gw
01:42 < rawDawg> now it works :D
01:42 < rawDawg> ty for asking
01:42 < ptg> gw
01:43 < rawDawg> now i just have to setup nagios to monitor all my windows clients
02:05 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
02:21 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.2/20100316074819]]
02:26 -!- SkyX [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
02:29 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
02:49 < jetole> Hey guys. I am setting up my second openvpn connection and so far all seems to work from the logs. I mean I can connect and no errors in the logs but I can't seem to connect to 10.10.0.128/26 from the client and I can't figure out why. Can anyone please take a look at my config and tell me what I am missing? http://pastebin.com/NRkN2F06 Also, I don't know if it matters but the server I am connecting to has two nics which are part of a bridge but I still ...
02:49 < jetole> ... want the VPN routed
02:49 < jetole> just to clearify, I meant this is the second instance of openvpn I have setup. I setup another one on a another server involving different clients and it has run fine
02:54 < Fiouz> is IP forwarding enabled?
02:56 < jetole> um, it should be but let me look
02:57 < jetole> no
02:57 < jetole> no it is not
02:57 < jetole> thanks Fiouz 
02:58 < jetole> let me test this now
02:59 < jetole> Fiouz: that didn't actually fix anything, I enabled ip forwarding with sysctl -w net.ipv4.ip_forward=1
03:03 < Fiouz> try some tcpdump to see whether packets are received/forwarded on the server end
03:04 < jetole> I have done that and I don't see them on the server when I do a simple hping... well hold on, let me try from another angle 
03:04 < Fiouz> also, check that netfilter isn't actualy filtefing forwarded packets iptables -L FORWARD -v
03:05 < jetole> ah crap
03:06 < jetole> I'm not getting any packets outside the firewall i.e. udp to the udp port
03:06 < jetole> Well it shouldn't since I put an allow rule for packets coming in the vpn0 interface but it seems like they are not getting to openvpn in the first place
03:06 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
03:06 < jetole> let me look into why
03:08 < jetole> ok, now I am a little confused. It seems the client isn't even sending them
03:08 < jetole> brb, getting a glass of water
03:11 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
03:12 < jetole> ok, I stand corrected. The client is sending it's openvpn packets to the server from 10.101.0.6 which is the IP it is supposed to have once it is connected to the vpn which that IP comes from the server via ccd so
03:12 < jetole> wtf?
03:15 < jetole> perhaps it's worth noting that the client I am testing on, it will be connecting to 10.10.0.128/26 through two vpn connections although neither of them have been running at the same time yet however it needs to connect to another net which also connects to 10.10.0.128/26 not through vpn and I have been able to connect to the 10.10.0.128/26 through that other vpn fine for some time however this net is intended to also connect to 10.10.0.128/26 as well as ...
03:15 < jetole> ... 10.32.0.0/16
03:15 < jetole> and yeah
03:15 < jetole> my routing table looks rather messed up
03:17 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
03:18  * Fiouz is confused
03:25 < Fiouz> I understand that the vpn tunnel is actually connected. is the client sending packets to the correct gateway?
03:25 -!- _insane [~un@ppp-188-174-91-251.dynamic.mnet-online.de] has quit [Ping timeout: 276 seconds]
03:28 < jetole> I just rebooted and started only the new vpn. The routing table looked proper and through tcpdump I saw that there is two way communication occuring between the vpn server and my client 
03:28 < jetole> however I still don't seem to be able to communicate within my vpn
03:28 -!- _insane [~un@ppp-188-174-78-151.dynamic.mnet-online.de] has joined ##openvpn
03:29 < jetole> I'm also pretty confused at this point but after the restart I took all the overhead off
03:30 < jetole> so now I am just using one supposedly normal connection
03:30 < jetole> they are communicating with each other over the openvpn port
03:30 < jetole> I don't know what else to look at her
03:30 < jetole> 8here
03:30 < jetole> *here
03:32 < Fiouz> client can't ping vpn0 interface either?
03:32 < jetole> I just changed the policy on the forward table to be accept on the gateway 
03:33 < jetole> what do you mean?
03:34 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.8/20100214235958]]
03:34 < Fiouz> are you able to ping 10.101.0.1 from the client side?
03:34 < jetole> let me try
03:35 < jetole> I can't ping 10.101.0.1 or 10.101.0.5
03:42 < Fiouz> hum, I have no idea then, do the openvpn logs look good?
03:43 < jetole> yes they actually do, at least I think. One second and I will post them
03:45 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Remote host closed the connection]
03:46 < jetole> here is the log from the server from time the vpn starts up until I ping 10.101.0.1 => http://pastebin.com/uXxdGX23
03:47 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
03:47 -!- mode/##openvpn [+o mattock] by ChanServ
03:47 < jetole> same thing but from the client logs => http://pastebin.com/Pf55MNFi
03:48 < jetole> I will be back ~10. Need to hit the bathroom
03:48 < krzee> !route
03:48 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
03:48 < krzee> but ya, going to bed
04:08 < jetole> thanks
04:12 -!- master_of_master [~master_of@p57B56558.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
04:14 -!- master_of_master [~master_of@p57B544BB.dip.t-dialin.net] has joined ##openvpn
04:51 -!- hertzi [~4f7073e4@gateway/web/freenode/x-apsyiqwayetmakmx] has joined ##openvpn
04:54 < hertzi> hey
04:54 < hertzi> somebody here?
04:54 < hyper_ch> no
04:54 < hyper_ch> nobody is here
04:54 < |Mike|> echo $?
04:56 < hertzi> I just downloaded openVPN for webOS from http://ipkg.nslu2-linux.org/feeds/optware/cs08q1armel/cross/unstable/openvpn_2.1_rc15-1_arm.ipk
04:56 < hertzi> now I was wondering if some one can tell me where to get the source code from?
04:58 < hyper_ch> isn't it provided on that site?
04:58 < |Mike|> it actually is hyper_ch :P
04:58 < hyper_ch> mystery solved :)
04:58 < hertzi> nop
04:58 < |Mike|> http://openvpn.net/index.php/open-source/downloads.html
04:58 < vpnHelper> Title: Downloads (at openvpn.net)
04:59 < |Mike|> Source Tarball           openvpn-2.1.1.tar.gz
04:59 < hertzi> jo - but that doesn't tell me if for the binary were some changes made - no?
05:00 < |Mike|> i don't get your question?
05:02 < hyper_ch> hertzi: if they don't provide the source then you can ask them for it as openvpn commnity is under gpl
05:04 -!- mirco [~mirco@p5B23E630.dip.t-dialin.net] has quit [Quit: mirco]
05:06 < hertzi> hyer_ch: my problem is I don't know who put that file there - I hoped somebody here could help me 
05:06 < hertzi> will ask in the webOS channel then - thanks
05:08 < hertzi> Mike: I dont know how this binary got compiled - if the sources from openvpn.net need changes to run on the pre - that's why I was looking for somebody who knows 
05:09 < |Mike|> hmz, isn't there a way to see all configured options on your OS?
05:20 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
05:20 -!- hertzi [~4f7073e4@gateway/web/freenode/x-apsyiqwayetmakmx] has quit [Quit: Page closed]
05:22 -!- SkyX [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
05:31 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Ping timeout: 276 seconds]
05:52 -!- dug_ [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
05:54 -!- dug` [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Ping timeout: 246 seconds]
06:35 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Remote host closed the connection]
06:36 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
06:39 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Remote host closed the connection]
06:45 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
07:01 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Remote host closed the connection]
07:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:05 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
07:08 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:10 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Remote host closed the connection]
07:29 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 276 seconds]
07:37 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
07:52 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
08:05 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 276 seconds]
08:41 < vpnHelper> New forum entry openvpnforum: Server Administration :: OpenVPN Issues :: Reply by undunk <http://www.ovpnforum.com/viewtopic.php?f=4&t=2748&p=4221#p4221>
08:41 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
08:56 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
08:58 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
08:58 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
09:14 -!- aj__ [~aj@e180194045.adsl.alicedsl.de] has quit [Ping timeout: 276 seconds]
09:41 -!- gorkhaan_ [~gorkhaan@87.229.108.75] has joined ##openvpn
09:41 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Read error: Connection reset by peer]
09:49 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:52 -!- gorkhaan_ [~gorkhaan@87.229.108.75] has quit [Ping timeout: 264 seconds]
10:11 -!- aj__ [aj@80.187.212.13] has joined ##openvpn
10:18 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
10:21 -!- aj__ [aj@80.187.212.13] has quit [Ping timeout: 264 seconds]
10:23 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
10:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
10:37 -!- ScriptFanix [vincent@Tuluk.riquer.fr] has quit [Quit: I'll be back…]
10:44 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:46 -!- MrJK [~jezu@194.199.166.96] has joined ##openvpn
10:46 < MrJK> hello
10:47 < MrJK> I've 2 public static IP and one domaine name for my server
10:48 < MrJK> But, I don't understand why i'm not able to connect my server with my domain name nor the second IP
10:48 < MrJK> Do I need to use the local parameter, into the server side ? ?
10:48 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
10:49 < MrJK> in the case of routed OVPN server
11:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:05 -!- WormFood [~wormfood@58.61.134.210] has quit [Ping timeout: 246 seconds]
11:06 < Bushmills> sometimes it may be useful, usually you don't need it
11:09 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:13 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
11:17 -!- WormFood [~wormfood@121.15.46.90] has joined ##openvpn
11:41 -!- Netsplit *.net <-> *.split quits: kala, jeffl, jetole, julius, fremo__, bigpresh, d000k, takamichi, UdontKnow, krzee,  (+24 more, use /NETSPLIT to show all of them)
11:42 -!- HardDisk_WP [~Marco@velirat.de] has joined ##openvpn
11:45 -!- WormFood [~wormfood@121.15.46.90] has joined ##openvpn
11:45 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
11:45 -!- takamichi [~pri@74.81.170.5] has joined ##openvpn
11:45 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
11:45 -!- karamorf [~no@216.127.52.126] has joined ##openvpn
11:45 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
11:45 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
11:45 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
11:45 -!- Gabe_G23 [~gabe@bzflag/player/GabrielG] has joined ##openvpn
11:45 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined ##openvpn
11:45 -!- cron2 [~gert@kirk.greenie.muc.de] has joined ##openvpn
11:45 -!- jetole [~Joe@irc.fossl.net] has joined ##openvpn
11:45 -!- kajl [~kyle@80.67.10.198] has joined ##openvpn
11:45 -!- fremo__ [~fremo@noc.toile-libre.net] has joined ##openvpn
11:45 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
11:45 -!- jnss [janes@gateway/shell/sign.io/x-qybglzbgbirjifdl] has joined ##openvpn
11:45 -!- cwillu_at_work [~cwillu@cwillu.com] has joined ##openvpn
11:45 -!- |Mike| [mike@2001:1af8:2:444::2] has joined ##openvpn
11:45 -!- atlantic [~atlantic@hok.duf.hu] has joined ##openvpn
11:45 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
11:45 -!- LowKey [rhel@unaffiliated/lowkey] has joined ##openvpn
11:45 -!- d000k [~heiko@vpn.astaro.de] has joined ##openvpn
11:45 -!- kala [~kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
11:45 -!- elge [~elge@mx2.nethence.com] has joined ##openvpn
11:45 -!- Typone [~nnnnnnnit@195.197.184.87] has joined ##openvpn
11:45 -!- julius [~julius@217.20.127.15] has joined ##openvpn
11:45 -!- tw [~silverfis@c-98-223-105-100.hsd1.in.comcast.net] has joined ##openvpn
11:45 -!- dazo_afk [~dazo@nat/redhat/x-jbrxnjkmyufaiuoq] has joined ##openvpn
11:45 -!- jeffl [coz@teledojo.com] has joined ##openvpn
11:45 -!- rgubler [rob@happybox.org] has joined ##openvpn
11:45 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has joined ##openvpn
11:45 -!- dotCOMmie [tox@glitchinthe.net] has joined ##openvpn
11:45 -!- ServerMode/##openvpn [+v Kasx] by verne.freenode.net
11:53 -!- Netsplit *.net <-> *.split quits: havoc, Morgan_Phoenix, Guest23432, AntoineBk, sanderj, atlantic, nb, takamichi, krzie, stein0,  (+84 more, use /NETSPLIT to show all of them)
--- Log closed Sun Mar 28 11:58:05 2010
--- Log opened Sun Mar 28 11:58:42 2010
11:58 -!- Irssi: Join to ##openvpn was synced in 35 secs
11:59 -!- rkantos [robin@hp1.jaketus.net] has quit [Ping timeout: 260 seconds]
11:59 -!- theneb [~theneb@theneb.co.uk] has quit [Ping timeout: 260 seconds]
11:59 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has joined ##openvpn
11:59 -!- Sorcier_FXK [~Sorcier_F@rps2660.ovh.net] has joined ##openvpn
11:59 -!- dxtr [dexter@unaffiliated/dxtr] has joined ##openvpn
11:59 -!- meepmeep_ [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
11:59 -!- Sorcier_FXK [~Sorcier_F@rps2660.ovh.net] has quit [Ping timeout: 240 seconds]
11:59 -!- d12fk [~heiko@vpn.astaro.de] has joined ##openvpn
11:59 -!- jnss_ [janes@gateway/shell/sign.io/x-gdowoirjxqwyqwga] has joined ##openvpn
12:00 -!- Sorcier_FXK [~Sorcier_F@rps2660.ovh.net] has joined ##openvpn
12:00 -!- Some-body_ [~Vetinari@pyramid.cluenet.org] has joined ##openvpn
12:00 -!- Netsplit *.net <-> *.split quits: stein0, sno, dug_, Rienzilla, havoc, MrJK, mrnice1, LeRrA, sigius, rkantos_,  (+1 more, use /NETSPLIT to show all of them)
12:00 -!- jnss_ [janes@gateway/shell/sign.io/x-gdowoirjxqwyqwga] has left ##openvpn []
12:01 -!- jnss [janes@gateway/shell/sign.io/x-qybglzbgbirjifdl] has quit [Ping timeout: 264 seconds]
12:01 -!- d000k [~heiko@vpn.astaro.de] has quit [Ping timeout: 264 seconds]
12:01 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Ping timeout: 264 seconds]
12:01 -!- Some-body_ is now known as DarthGandalf
12:01 -!- DarthGandalf [~Vetinari@pyramid.cluenet.org] has quit [Changing host]
12:01 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
12:02 -!- Netsplit over, joins: dug_
12:04 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
12:08 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Write error: Connection reset by peer]
12:08 -!- oc80z [oc80z@blea.ch] has quit [Write error: Broken pipe]
12:09 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
12:09 -!- rkantos_ [robin@hp1.jaketus.net] has joined ##openvpn
12:09 -!- MrJK [~jezu@194.199.166.96] has joined ##openvpn
12:09 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
12:09 -!- sno [~sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn
12:09 -!- Rienzilla [rien@sinas.rename-it.nl] has joined ##openvpn
12:09 -!- havoc [~havoc@saturn.chaillet.net] has joined ##openvpn
12:09 -!- AntoineBk [~Antoine@188.165.75.17] has joined ##openvpn
12:09 -!- mrnice1 [bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
12:09 -!- LeRrA [~lerra@c-83-233-243-2.cust.bredband2.com] has joined ##openvpn
12:09 -!- stein0 [~stein@mail.vgnett.no] has joined ##openvpn
12:09 -!- HardDisk_WP [~Marco@velirat.de] has quit [Excess Flood]
12:09 -!- SerajewelKS [~me@wikipedia/Crazycomputers] has quit [Remote host closed the connection]
12:09 -!- oc80z [oc80z@blea.ch] has joined ##openvpn
12:09 -!- SerajewelKS [~me@wikipedia/Crazycomputers] has joined ##openvpn
12:15 -!- Netsplit *.net <-> *.split quits: Sorcier_FXK
12:16 -!- corretico_ [~laguilar@201.201.46.106] has joined ##openvpn
12:18 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 240 seconds]
12:19 -!- HardDisk_WP [~Marco@velirat.de] has joined ##openvpn
12:20 -!- Fiouz_ is now known as Fiouz
12:22 -!- Sorcier_FXK [~Sorcier_F@rps2660.ovh.net] has joined ##openvpn
12:25 -!- Visual`_ [~visualsta@ip-80-236-251-212.dsl.scarlet.be] has joined ##openvpn
12:25 -!- hyper__ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
12:25 -!- ahf_ [ahf@irssi/staff/ahf] has joined ##openvpn
12:25 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 245 seconds]
12:25 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 245 seconds]
12:25 -!- ahf [ahf@irssi/staff/ahf] has quit [Ping timeout: 245 seconds]
12:25 -!- hyper__ch is now known as hyper_ch
12:26 -!- ahf_ is now known as ahf
12:26 -!- Kaspx [~Kasx@173.192.223.187-static.reverse.softlayer.com] has joined ##openvpn
12:30 -!- dazol [~dazo@nat/redhat/x-mapwmqrcrxvxhtni] has joined ##openvpn
12:30 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: Connection reset by peer]
12:30 -!- dazo_afk [~dazo@nat/redhat/x-jbrxnjkmyufaiuoq] has quit [Write error: Broken pipe]
12:32 -!- cwillu_at_work [~cwillu@cwillu.com] has quit [Excess Flood]
12:32 -!- cwillu_at_work [~cwillu@cwillu.com] has joined ##openvpn
12:40 -!- takamichi [~pri@74.81.170.5] has quit [Ping timeout: 248 seconds]
12:42 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
12:42 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Write error: Connection reset by peer]
12:44 -!- Some-body_ [~Vetinari@pyramid.cluenet.org] has joined ##openvpn
12:45 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Ping timeout: 260 seconds]
12:45 -!- Some-body_ is now known as DarthGandalf
12:45 -!- DarthGandalf [~Vetinari@pyramid.cluenet.org] has quit [Changing host]
12:45 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
12:45 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
12:46 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 276 seconds]
12:48 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Write error: Connection reset by peer]
13:04 -!- aj__ [~aj@c152236.adsl.hansenet.de] has joined ##openvpn
13:17 -!- daemon [~daemon@2a01:348:1f9:feed:582b:7ce4:e7b2:cf00] has joined ##openvpn
13:18 < daemon> hey all is there a page somewhere which could clarify a little if I sohuld be using tun or tap 
13:18 < Bushmills> !tunortap
13:18 < vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
13:18 < vpnHelper> Bushmills: against you over the vpn
13:18 < daemon> !wins
13:18 < vpnHelper> daemon: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
13:19 < daemon> thank you Bushmills 
13:19 < Bushmills> np
13:26 -!- sanderj_ [~sanderj@195.204.103.72] has joined ##openvpn
13:27 -!- sanderj [~sanderj@195.204.103.72] has quit [Ping timeout: 268 seconds]
13:31 -!- wwalker [~wwalker@mailbox.eclipsing.com] has joined ##openvpn
13:32 < wwalker> ping and smb connections work.  how do I make the windows clients capable of seeing hosts on the routed openvpn connections via netbios name lookup?
13:35 < wwalker> the PCs are mostly in one office, but some will be in a separate office (different state) and some will be at home.  I'd like the ones in the office to see stuff in the office, so pointing them to a remote wins server doesn't make sense 
13:36 < wwalker> (this is a star topology with a server on the net acting as an openvpn server for all endpoints.  the openvpn server will also run samba on an openvpn available address.)
13:36 -!- Kaspx [~Kasx@173.192.223.187-static.reverse.softlayer.com] has quit [Read error: Connection reset by peer]
13:37 -!- Kas [~Kasx@173.192.223.187-static.reverse.softlayer.com] has joined ##openvpn
13:37 -!- WormFood [~wormfood@121.15.46.90] has quit [Read error: Connection reset by peer]
13:38 < rob0> Seems like it's more a Windows or Samba question than an openvpn one. Anyway, if it was me, I'd see if the WINS servers could talk to one another, so each server's own clients would only talk to it.
13:39 < rob0> That approach works well with DNS.
13:41 < wwalker> rob0: I was hesitant to ask in windows land as they often think the network is magic and things like "routed" and "/30" require that I give a training class...
13:42 < daemon> wwalker, no idea if thisd would help
13:42 < daemon> it works for me in a limited situation to get around samba's broken ness
13:42 < wwalker> I figured someone here had solved the problem
13:42 < rob0> oh I know you can't find a Windows expert ... not even in Redmond, I bet.
13:42 < daemon> well not samba, netbios
13:42 < daemon> I basically do all my shares via nfs
13:42 < daemon> then I have one single samba server
13:42 < wwalker> rob0: 2 points!
13:42 < daemon> where all the nfs shares are mounted and samba shares them
13:42 < daemon> no need for routing issues
13:43 < daemon> basically use nfs as thye transport layer from samba
13:43 < rob0> Samba can use DNS for WINS. So if you set up DNS as I suggested, Samba WINS would Just Work.
13:44 < wwalker> I'm a consultant to a consultant, not sure if I can have them depend on the openvpn 100% of the time, but if I can, then I just set wins pointing at their only official server (the on-the-internet-but-only-over-openvpn samba server)
13:44 < rob0> If you;re talking about non-Samba, you're out of luck.
13:46 < rob0> For DNS, in dnsmasq it's --server option. In BIND named(8) it would be "type forward" zones.
13:46 < wwalker> crap, I can't even find where to set WINS anymore... 
13:46 -!- derjohn_foo [~aj@c195148.adsl.hansenet.de] has joined ##openvpn
13:47 < wwalker> true, I can do bind stuff.  but have no "servers" on site, only across openvpn.  don't want to slow down DNS by running all their queries across openvpn.
13:48 < wwalker> thanks for the different viewpoints.  off to experiment.
13:49 < rob0> smb.conf.5.html#WINSSERVER
13:50 -!- aj__ [~aj@c152236.adsl.hansenet.de] has quit [Ping timeout: 264 seconds]
13:50 < rob0> The DNS queries across VPN would ONLY be queries for names.in.VPN.zones.
13:51 < wwalker> rob0: that would require that I had a DNS server at the offices that they all point to that I can forward zones on.  as they are in 10 locations (2 offices and 8 roving notebooks)....
13:52 < wwalker> so they all point to the DNS they get via DHCP from their provider of the moment
13:52 -!- WormFood [~wormfood@121.34.202.88] has joined ##openvpn
13:52 < rob0> DNS via dnsmasq is quick-and-easy, and IMO worth the trouble for a SOHO.
13:53 < rob0> but whatever ... if the feature you want is important, there's how you can make it happen
13:54 < _insane> i got a openvpn bridge working and want to use ip adresses from the same subnet than the vpn server is. but if i insert: server-bridge 85.236.42.252 255.255.255.248 85.236.42.253 85.236.42.254 at the server config the vpn connection comes up but shortly after the connect the vpn server isnt reachable anymore. seems like the reason for this is that i use ip adresses from the same /29 subnet
13:54 < _insane> any ideas how to deal with that?
13:54 < _insane> bridge is working, i see the mac addresses from both tap devices on each side
13:55 < rob0> You're trying to bridge the same interface that your outbound tunnel connection is going over?
13:55 < _insane> yes
13:56 < rob0> haha that is .... _insane :)
13:56 < _insane> i got a /29 subnet on a dedicated server. and want to push some of them home to my adsl connection
13:56 < _insane> why ?
13:57 < _insane> it seems to me that the reason is the usage of ips from the same subnet
13:57 < rob0> I suppose it tries to push the tunnel through the tunnel, doesn't sound very workable to me.
13:57 < _insane> tunnel through tunnel?
13:57 < _insane> no
13:57 < |Mike|> it's a chicken egg problem imho.
13:58 < _insane> for my understanding i bridge nic + tap interface on both sides
13:58 < _insane> then i should be able to use ips from the server side subnet
13:58 < _insane> on the clien
13:58 < _insane> t
13:58 < rob0> the dedicated server OS is what? The home machines' OS are what?
13:58 < _insane> bot linux
13:58 < daemon> hey all i swapped my tap config to tun, it all works auths etc but neither box can talk to one another i seen warnings baout my inconfigs, I have: ifconfig 10.0.2.1 255.255.255.0 and ifconfig 10.0.2.2 255.255.255.0
13:58 < _insane> +h
13:59 < daemon> did I get something wrong?
13:59 < rob0> you're in luck
13:59 < |Mike|> !tunortap
13:59 < vpnHelper> |Mike|: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
13:59 < vpnHelper> |Mike|: against you over the vpn
13:59 < _insane> rob0 i am?
14:00 < rob0> _insane, I would go back to tun for this, and then use ipip tunnels over tun. Proxy ARP on the dedicated server, and bingo, you're online!
14:00 < Bushmills> !client-to-client
14:00 < vpnHelper> Bushmills: "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
14:00 < vpnHelper> Bushmills: other clients
14:00 < rob0> for example, ...
14:00 < _insane> hmm i thought what i want to do is only possible with tap / bridge
14:00 -!- x-day_ [~x-day@216.23.247.78] has joined ##openvpn
14:01 < _insane> proxyarp is ugly isnt it?
14:01 < daemon> !ifconfig
14:01 < vpnHelper> daemon: "ifconfig" is usage: ifconfig l rn | Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices, rn is the IP address of the remote VPN endpoint. For TAP devices, rn is the subnet mask of the virtual ethernet segment which is being created or connected to.
14:01 < _insane> could it help if i get a 2nd different subnet from my hoster?
14:01 < x-day_> ... here I am on my netbook via an ipip tunnel.
14:01 < _insane> for the clients
14:01 < daemon> ah ha
14:01 < _insane> x-day_ setup like what i try to do?
14:01 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
14:02 < x-day_> It's amazingly easy.
14:02 < _insane> possible, seems i think way to difficult
14:03 < rob0> Your luck is such that I was even writing a HOWTO this very day.
14:03 < _insane> oh?
14:03 -!- x-day_ is now known as x-day
14:03 < _insane> you already got it online?
14:03 < x-day> compare my /whois ... rob0 is .75 and I'm .78
14:04 < _insane> hups :)
14:04 < x-day> I have a /29
14:04 < x-day> 72/29
14:05 < _insane> yep me too
14:06 < daemon> hey guys if I am using tun, and in inconfig I use: ifconfig 10.0.2.2 10.0.2.1
14:06 < daemon> , that is on the client. on the server I should have: ifconfig 10.0.2.1 255.255.255.0
14:06 < daemon>  ?
14:07 -!- x-day [~x-day@216.23.247.78] has left ##openvpn ["who needs two windows of one channel?"]
14:09 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
14:10 < _insane> rob0 you do some iptables stuff, too or?
14:10 < rob0> oh indeed
14:12 < vpnHelper> New forum entry openvpnforum: Off Topic, Related :: Re: Blocking OpenVPN :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=1&t=3738&p=4234#p4234>
14:34 -!- daemon [~daemon@2a01:348:1f9:feed:582b:7ce4:e7b2:cf00] has quit [Ping timeout: 276 seconds]
14:37 -!- daemon [~daemon@cpc1-linc11-2-0-cust594.12-1.cable.virginmedia.com] has joined ##openvpn
14:39 -!- daemon [~daemon@cpc1-linc11-2-0-cust594.12-1.cable.virginmedia.com] has quit [Client Quit]
14:43 -!- daemon [~daemon@2a01:348:1f9:feed:582b:7ce4:e7b2:cf00] has joined ##openvpn
14:43 < daemon> guys can someone give me a hand out after shifting from tap->tun non of my machines can talk to each other or the server, they do auth correctly though
14:44 < daemon> non show any errors what so ever its just nothing can ping anything else
14:45 < daemon> here is my client config
14:45 < daemon> http://pastebin.com/mJWcZfJL
14:46 < daemon> and my server: http://pastebin.com/XXdsMNA3
14:47 < daemon> ifconfig tun0 on the client looks like:  inet 10.0.2.2 --> 10.0.2.1 netmask 0xffffffff
14:47 < daemon> and the server:  inet 10.0.2.1 --> 255.255.255.0 netmask 0xffffffff
15:06 < _insane> rob0 one more question... the iptables stuff you do is SNAT & Masquerading
15:07 < _insane> correct?
15:14 < rob0> huh? MASQUERADE is a form of SNAT, and no, my ipip tunnel is not NAT'ed.
15:16 < _insane> hmz i´m still alone in the dark dark forest
15:22 < Bushmills> there is a maze of twisty passages
15:23 < rob0> And I'm still writing, off and on, but I expect to finish it today.
15:23 < Bushmills> you hear steps in the distance
15:24 < rob0> I do!!
15:24 < _insane> oh sorry rob :) 
15:24 < rob0> they're coming to take me away!!!
15:24 < _insane> only twinkles...
15:25 -!- PrinceAmjad [~zjb@87.109.192.202] has quit [Read error: Connection reset by peer]
15:36 -!- PrinceAmjad [~zjb@87.109.192.202] has joined ##openvpn
15:51 -!- wwalker [~wwalker@mailbox.eclipsing.com] has left ##openvpn []
15:51 -!- mirco [~mirco@p5B23E630.dip.t-dialin.net] has joined ##openvpn
16:01 < ecrist> hello, peeps
16:13 -!- mirco [~mirco@p5B23E630.dip.t-dialin.net] has quit [Quit: mirco]
16:21 < rob0> _insane: http://j.r.bobdobbs.info/Linux-ipip-tunnels , not really carefully proofread yet, I just wanted to bang it out while it was fresh in my mind.
16:24 < ecrist> !linnat
16:24 < vpnHelper> ecrist: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
16:26 < ecrist> rob0: you're welcome to put that writeup on the wiki.
16:27 -!- mirco [~mirco@p5B23E630.dip.t-dialin.net] has joined ##openvpn
16:27 < rob0> maybe a good idea ... it's not really openvpn applicable, because you could just bind those IP addresses in openvpn.
16:28 < rob0> but, I found when trying to do this from an openvpn server, it's more difficult. (I used to do it in peer mode long ago.)
16:28 -!- mirco [~mirco@p5B23E630.dip.t-dialin.net] has quit [Client Quit]
16:29 -!- mirco [~mirco@p5B23E630.dip.t-dialin.net] has joined ##openvpn
16:41 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:43 < _insane> rob0 thanks! :)
16:47 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
16:48 < _insane> hm rob0 you dont use openvpn there at all... ?
16:51 < rob0> sure I do, other.ip.add.ress goes through openvpn
17:02 -!- Diffen2 [~diffen2@78-82-118-208.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
17:19 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Read error: Connection reset by peer]
17:20 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
17:24 -!- PrinceAmjad [~zjb@87.109.192.202] has quit [Ping timeout: 264 seconds]
17:28 -!- PrinceAmjad [~zjb@87.109.192.202] has joined ##openvpn
17:29 -!- mirco [~mirco@p5B23E630.dip.t-dialin.net] has quit [Quit: mirco]
17:37 -!- PrinceAmjad [~zjb@87.109.192.202] has quit [Read error: Connection reset by peer]
17:42 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
17:42 -!- mode/##openvpn [+v Kasx] by ChanServ
17:45 -!- PrinceAmjad [~zjb@87.109.192.202] has joined ##openvpn
17:45 -!- Kas [~Kasx@173.192.223.187-static.reverse.softlayer.com] has quit [Ping timeout: 260 seconds]
18:34 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.2/20100316074819]]
18:56 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 246 seconds]
18:56 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
19:09 -!- Hydrant [~aj@unaffiliated/hydrant] has joined ##openvpn
19:10 < Hydrant> hello all... how do I disable a key entirely?  Can you give me a link?  I have a user that I want to remove... so I think I need to blacklist the key ?
19:47 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
20:04 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
20:11 -!- tjz [~pc@bb116-14-146-178.singnet.com.sg] has joined ##openvpn
20:11 -!- tjz [~pc@bb116-14-146-178.singnet.com.sg] has quit [Changing host]
20:11 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:15 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
20:19 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
20:19 -!- Manjula [~Manjula@h156n2fls32o256.telia.com] has joined ##openvpn
20:20 < Manjula> Read all about what is happening in these rotten times -> http://mange.dynalias.org/linux.html
20:20 < vpnHelper> Title: The GAdminTools Project (at mange.dynalias.org)
20:20 < Manjula> Thanks!
20:21 < Manjula> bot
20:22 < Manjula> I have 200+ people to play with those who are bad
20:23 < Manjula> I like honest peoples
20:26 < Manjula> Not: "Psi-Jack-" also notice the last '-' char. 'Fieldy' <- chem lab bitch, i dont like when ordinary peoples are DUPED into thinking they are gonna die if they dont TAKE PFIZER DRUGS! /Something i never did dude to the fatality rate.
20:27 < Manjula> I need to take a little charter :=)
20:27 < Manjula> To pound on that lying fuckers face!
20:28 < Manjula> He lied to all of Sweden, Germany, Ireland, England ........................
20:29 < Manjula> I can engage 1500 people atleast, at once. Im uncertain of the survival rate.
20:29 < Manjula> "Alexander The Great av Iron Maiden från Somewhere In Time"
20:30 < Manjula> May death be with those as it has coressed my soul
20:31 < Manjula> A killer is headed to Illinois as we speak.
20:32 < Manjula> My friend didnt like him so he put some thousand dollars to have him waxxored
20:32 < Manjula> Sorry.
20:35 -!- Manjula [~Manjula@h156n2fls32o256.telia.com] has quit [Quit: Quit]
20:55 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Quit: Távozom]
21:09 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
21:42 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
21:42 < rawDawg> im having a strange routing problem
21:43 < rawDawg> the local subnet of my openVPN server is 10.200.0.0/24
21:43 < rawDawg> the vpn subnet is 192.168.10.0/24
21:44 < rawDawg> the local ip of the openVPN server is 10.200.0.20
21:44 < rawDawg> i have another device 10.200.0.21
21:45 < rawDawg> i want to be able to communicate with devices on the vpn subnet from 10.200.0.21
21:45 < rawDawg> in the devices route table i have a route: 192.168.10.0 255.255.255.0 10.200.0.20
21:46 < rawDawg> strange thing is... i can ping 10.200.0.21 from the vpn clients (let say 192.168.10.3 is one of them)
21:46 < rawDawg> but i cannot ping 192.168.10.3 from 10.200.0.21
21:47 < rawDawg> the vpn server is running on windows 2003 (i have routing and remote access enabled as a router)
21:48 < rawDawg> i cant figure this out :X
21:50 < Hydrant> did you read the howto ?
21:50 < rawDawg> yes
21:51 < Hydrant> so you have vpn-client -> vpn-server working
21:51 < Hydrant> but not vpn-server->vpn-client ?
21:51 < rawDawg> no from the vpn server i can ping the clients
21:51 < rawDawg> but from a device on the local subnet of the vpn server i cannot ping the clients
21:52 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
21:52 < Hydrant> okay
21:52 < Hydrant> did you read the part of the howto that talked about that ?
21:52 < rawDawg> !route
21:52 < vpnHelper> rawDawg: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
21:52 < rawDawg> i've read that like 10 times
21:53 < rawDawg> !paste
21:53 < vpnHelper> rawDawg: "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
21:53 < Hydrant> okay
21:53 < Hydrant> so... did you enable verbose logging maybe?
21:53 < Hydrant> check the server logs for anything unusual?
21:53 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
21:56 -!- Total_Meltdown [~Edwards@sean-edwards.umeres.maine.edu] has joined ##openvpn
21:58 < rawDawg> ill check
22:03 < Total_Meltdown> Does anyone have any idea why setting VirtualBox to bridge over my TAC device would not work? (Windows host, Linux VM, Linux VPN server)
22:03 < Total_Meltdown> My question on ServerFault: http://serverfault.com/questions/127129/bridging-virtualbox-over-openvpn-tac-adapter-on-windows
22:03 < vpnHelper> Title: Bridging VirtualBox over OpenVPN TAC adapter on Windows - Server Fault (at serverfault.com)
22:07 < rawDawg> i dont see anything in the log
22:34 < troy-> how can i increase the windows vpn adapter from 10 to 100Mb/s?
22:38 < rob0> IIUC that's merely a display issue. If you have 100Mb/s on the VPN link, you can use it, but the TUN/TAP driver still shows 10. Answer: maybe hack the source. Better answer: don't worry about it.
22:38 < rob0> What is a TAC adapter?
22:39 < troy-> i am not sure :) 
22:41 < Total_Meltdown> Sorry, I meant TAP
23:13 -!- Hydrant [~aj@unaffiliated/hydrant] has left ##openvpn ["Konversation terminated!"]
23:33 -!- Total_Meltdown [~Edwards@sean-edwards.umeres.maine.edu] has quit [Ping timeout: 264 seconds]
23:38 -!- PrinceAmjad [~zjb@87.109.192.202] has quit [Read error: Connection reset by peer]
23:41 -!- jfkw_ [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:46 -!- PrinceAmjad [~zjb@87.109.192.202] has joined ##openvpn
23:58 -!- karamorf [~no@216.127.52.126] has quit [Ping timeout: 260 seconds]
--- Day changed Mon Mar 29 2010
00:05 -!- karamorf [~no@216.127.52.126] has joined ##openvpn
00:10 -!- WormFood [~wormfood@121.34.202.88] has quit [Ping timeout: 246 seconds]
00:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
00:24 -!- WormFood [~wormfood@119.123.240.143] has joined ##openvpn
00:26 -!- derjohn_foo [~aj@c195148.adsl.hansenet.de] has quit [Ping timeout: 260 seconds]
00:32 -!- Deepy [deepy@wrongplanet/deepa] has quit [Read error: Connection reset by peer]
00:50 -!- derjohn_foo [~aj@213.238.45.2] has joined ##openvpn
00:55 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
01:08 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
01:08 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
01:11 -!- Netsplit *.net <-> *.split quits: kala, jeffl, jetole, bigpresh, julius, fremo__, Nappy, d12fk, theneb_, UdontKnow,  (+19 more, use /NETSPLIT to show all of them)
01:18 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
01:19 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
01:30 -!- Netsplit over, joins: d12fk, cron2, Rolybrau, troy-, jpalmer, PrinceAmjad, hyper_ch, SerajewelKS, Nappy, theneb_ (+19 more)
01:39 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:39 -!- mode/##openvpn [+o mattock] by ChanServ
01:50 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
01:51 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
01:55 < rob0> http://j.r.bobdobbs.info/Linux-ipip-tunnels was revised, probably is done
01:55 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
02:20 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
02:37 -!- fabrizio [~Anonimo@94.138.190.74] has joined ##openvpn
02:38 -!- fabrizio [~Anonimo@94.138.190.74] has left ##openvpn []
02:44 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
03:07 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
03:07 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
03:07 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
03:07 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
03:14 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
03:16 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Excess Flood]
03:16 -!- LowKey [rhel@unaffiliated/lowkey] has joined ##openvpn
03:17 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
03:19 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
03:22 -!- sanderj_ [~sanderj@195.204.103.72] has quit [Read error: Connection reset by peer]
03:23 -!- sanderj_ [~sanderj@195.204.103.72] has joined ##openvpn
03:23 -!- Blu3 [~David@BlueLabs/Blu3] has quit [Read error: Operation timed out]
03:24 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has quit [Read error: Operation timed out]
03:24 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has joined ##openvpn
03:26 -!- Blu3 [~David@FirefighterBlu3-2-pt.tunnel.tserv15.lax1.ipv6.he.net] has joined ##openvpn
03:26 -!- Blu3 [~David@FirefighterBlu3-2-pt.tunnel.tserv15.lax1.ipv6.he.net] has quit [Changing host]
03:26 -!- Blu3 [~David@BlueLabs/Blu3] has joined ##openvpn
03:35 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
03:42 -!- takamichi [~pri@213.163.66.192] has joined ##openvpn
03:49 -!- AlHafoudh [~alhafoudh@77.93.192.244] has joined ##openvpn
03:49 < AlHafoudh> hi al
03:49 < AlHafoudh> is it possible to use only some Preshared key and username/password for authentication in openvpn ?
03:59 -!- Sorcier_FXK [~Sorcier_F@rps2660.ovh.net] has quit [Ping timeout: 265 seconds]
04:00 -!- Sorcier_FXK [~Sorcier_F@rps2660.ovh.net] has joined ##openvpn
04:01 < macsppadic> hello AlHafoudh - u shu be able to use a preshared key 
04:12 -!- master_of_master [~master_of@p57B544BB.dip.t-dialin.net] has quit [Ping timeout: 276 seconds]
04:14 -!- master_of_master [~master_of@p57B54C57.dip.t-dialin.net] has joined ##openvpn
04:24 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
04:32 < dazol> AlHafoudh: yes, that is possible.  You can use static key files on both sides.  Then you can use or write your own authentication module with OpenVPN, using either the script hook --auth-user-pass-verify ... or you can write a plug-in in f.ex. C/C++ and use the --plugin option .... There exists pure auth plug-ins for LDAP, PAM, MySQL ... I've been writing a auth plug-in which authenticates usernames and SSL certificates against an SQLite data
04:32 < dazol> base
04:40 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 258 seconds]
05:21 -!- d12fk is now known as d000k
05:26 -!- AlHafoudh [~alhafoudh@77.93.192.244] has quit [Remote host closed the connection]
05:26 -!- AlHafoudh [~alhafoudh@77.93.192.244] has joined ##openvpn
05:27 < AlHafoudh> dazol: nice
05:27 -!- dazol is now known as dazo
05:29 -!- AlHafoudh [~alhafoudh@77.93.192.244] has quit [Remote host closed the connection]
05:29 -!- AlHafoudh [~alhafoudh@77.93.192.244] has joined ##openvpn
05:40 < AlHafoudh> !welcome
05:40 < vpnHelper> AlHafoudh: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:40 < AlHafoudh> !interface
05:40 < vpnHelper> AlHafoudh: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
05:53 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has joined ##openvpn
06:07 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Read error: Connection reset by peer]
06:16 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Ping timeout: 260 seconds]
06:17 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
06:18 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
06:31 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has joined ##openvpn
06:34 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:51 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
06:59 -!- d000k is now known as d12fk
07:22 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:28 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
07:34 < SerajewelKS> AlHafoudh: note that using TLS is required for a multi-peer setup though
07:35 < SerajewelKS> AlHafoudh: if you're going to be serving more than one peer at a time, you need to set up a PKI anyway
07:38 -!- PrinceAmjad [~zjb@87.109.192.202] has quit [Read error: Connection reset by peer]
07:47 -!- PrinceAmjad [~zjb@87.109.192.202] has joined ##openvpn
07:53 -!- d12fk is now known as d000k
08:02 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Quit: Távozom]
08:07 -!- vpnguru [~mosbah.ab@41.230.16.230] has joined ##openvpn
08:07 < vpnguru> hello all
08:08 < macsppadic> hello vpnguru 
08:08 < vpnguru> Please, how to configure multiple openvpn instances to listen of different ports on the same server
08:08 < vpnguru> ?
08:11 < macsppadic> hello vpnguru  what os are u using?
08:14 < dazo> vpnguru: openvpn can only listen to one port ... you might be able to tweak this in f.ex. Linux with nat rules using -j REDIRECT ...
08:15 -!- Jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Ping timeout: 245 seconds]
08:15 -!- Jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
08:19 -!- X-Raimo [~alexmurav@opensuse/member/raimoschmidt] has joined ##openvpn
08:20 -!- X-Raimo [~alexmurav@opensuse/member/raimoschmidt] has quit [Client Quit]
08:25 < vpnguru> I am using openvpn 2.1.1 under centos 5.4
08:30 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
08:31 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X Button]
08:34 < dazo> vpnguru: in that case, if using multiple instances of openvpn, the start-up script (started via 'service openvpn start') will start one openvpn process for each file configured in /etc/openvpn/ with the filename extension .conf
08:34 -!- box [~box@static-71-245-229-44.bstnma.fios.verizon.net] has joined ##openvpn
08:34 < box> good morning vietnam
08:34 < box> i have a 10054 WSA disconect issue.
08:35 < box> i am able to bridge tcp over the network i am on..100%
08:35 < box> however, when i open a remote desktop session --- the access point chokes the packets and i subsequently am disconnected.
08:35 < box> from an admins guard, how is this done? 
08:36 < box> SSH  to the 10.x.x.x network is OK 
08:37 < box> however, SSH plus a dynamic port forward , eg, localhost:8080->10.x.x.1 for website.traffic.com:80 will disconnect too.
08:38 < box> so i can poke the hole, and SSH.. how are the admins reforming their access control lists 
08:38 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
08:39 < vpnguru> Thank you dazo
08:40 < box> Hi vpnguru 
08:40 < vpnguru> so it is not possible to use the same config for all the instances?
08:41 < dazo> vpnguru: no
08:41 < vpnguru> ok
08:41 < vpnguru> thank you
08:41 < dazo> you're welcome
08:41 < vpnguru> very good community, very good software, I hope a good future for openvpn
08:43 -!- d000k is now known as d12fk
08:44 < box> yeah vpn
08:49 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:09 -!- AlHafoudh [~alhafoudh@77.93.192.244] has quit [Ping timeout: 264 seconds]
09:13 -!- box [~box@static-71-245-229-44.bstnma.fios.verizon.net] has quit [Ping timeout: 265 seconds]
09:22 -!- dug_ [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Quit: Quitte]
09:25 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
09:30 -!- whirler [~whirler@cpe-098-026-232-086.triad.res.rr.com] has joined ##openvpn
09:31 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
09:33 < whirler> does anyone know of a good book for learning how to configure/use OpenVPN?
09:38 -!- whirler [~whirler@cpe-098-026-232-086.triad.res.rr.com] has quit [Ping timeout: 246 seconds]
09:46 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:49 -!- GreyFoxx [greg@out.of.phaze.org] has joined ##openvpn
10:09 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
10:11 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
10:22 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Read error: Connection reset by peer]
10:33 -!- d12fk is now known as d000k
10:34 -!- d000k is now known as d12fk
10:40 < MrJK> hey
10:41 < MrJK> there is somebody ? I would like to know how to change the listening interface of openvpn
10:42 < krzee> --local
10:42 < krzee> !man
10:42 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
10:44 < rob0> The man is always there for you!
10:44 < rob0> hmm, is man-beta.html still valid, and if so, why?
10:46 < krzee> yes, and i agree
10:46 < krzee> shoulda had better naming convention from the start
10:46 < krzee> like man211.html
10:47 < krzee> err
10:47 < krzee> man21.html rather
10:47 < |Mike|> woah, I just demolished a webserver with google's pentest tool
10:48 < MrJK> okay, thks, I'll have a look
10:51 < MrJK> Ok, but, if I read the text: If unspecified, OpenVPN will bind to all interfaces.
10:51 < MrJK> It's not specified, and it bind only the main interface
10:51 < krzee> not for me...
10:52 < krzee> for me it bins to *:port
10:52 < krzee> binds to
10:52 -!- macsppadic [~sonupunno@82.109.74.162] has left ##openvpn []
10:53 < MrJK> ok ... I make some others trys
10:53 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.8/20100214235958]]
11:02 < MrJK> krzee: '*:local' doesn't work in my conf file
11:02 < MrJK> oops, sorry
11:02 < krzee> lol
11:03 < MrJK> krzee: 'local *:1234' doesn't work in my conf file
11:03 < krzee> no kidding
11:03 < krzee> did you read --local in he man?
11:03 < MrJK> krzee: yes i do, it attenpts to have an IP or a host name
11:04 < krzee> does it mention putting :port anywhere in that option?
11:05 -!- WormFood [~wormfood@119.123.240.143] has quit [Ping timeout: 246 seconds]
11:05 < MrJK> krzee: no, so why you told me to do that ? I'm here to learn ...
11:05 < krzee> i didnt tell you to
11:05 < krzee> [11:51]  <krzee> not for me...
11:05 < krzee> [11:52]  <krzee> for me it bins to *:port
11:05 < krzee> [11:52]  <krzee> binds to
11:06 < krzee> when i dont specify local it binds to *:port
11:06 < MrJK> yes
11:06 < MrJK> ok, right ...
11:06 < krzee> i never said "hey go put *:port ito your config"
11:06 < MrJK> okok
11:07 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Quit: ircN 8.00 for mIRC (20080809) - www.ircN.org]
11:17 -!- Kaspx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
11:17 -!- mode/##openvpn [+v Kaspx] by ChanServ
11:17 -!- WormFood [~wormfood@121.34.165.212] has joined ##openvpn
11:20 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 264 seconds]
11:29 -!- vpnguru [~mosbah.ab@41.230.16.230] has quit []
11:42 < kajl> Hi, I have started 3 OpenVPN processes on diffrent ports for loadbalancing did only have one before. Since i started 3 processes i got allot of TLS errors?
11:42 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
11:43 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
11:43 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
11:44 -!- Guest112 [~bk@g224067053.adsl.alicedsl.de] has joined ##openvpn
11:45 < Guest112> hi folks
11:45 < Guest112> http://pastebin.com/RkBGGB6L
11:45 < Guest112> can someone please take a look at it? i have a vpn server so that users from outside can connect to the office
11:46 < Guest112> every user has his own key
11:46 < Guest112> now i had yesterday this
11:46 < Guest112> do i see it riht that the oriin user with the IP1 lost his private key?
11:47 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
11:49 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
11:49 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
11:52 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Quit: Leaving]
11:58 -!- d12fk is now known as d000k
12:18 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
12:18 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
12:21 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 252 seconds]
12:28 -!- daemon [~daemon@2a01:348:1f9:feed:582b:7ce4:e7b2:cf00] has quit [Read error: Connection reset by peer]
12:29 -!- daemon [~daemon@2a01:348:1f9:feed:582b:7ce4:e7b2:cf00] has joined ##openvpn
12:32 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
12:46 < SerajewelKS> Guest112: are the two ip addresses close?
12:46 < SerajewelKS> Guest112: does the user you gave the key to have two computers in different locations?
12:48 -!- dazo is now known as dazo_afk
12:50 < Guest112> no the both IPs are from different IPs however the same city
12:50 < Guest112> and the user installed the key only one that pc
12:51 < Guest112> err different ISPs i mean ;)
12:52 < Guest112> SerajewelKS: i just want to be sure, so it looks like the key is compromised or is there a other explanation?
12:53 < rob0> explanation for WHAT? The log snippet did not show a problem, and neither did your problem description.
12:54 < Guest112> well IP1 is the users IP who owns that key
12:55 < Guest112> IP2 is not known by any of us but it can establish a connection with the user key
12:55 < Guest112> or not?
13:01 -!- dollabill [~mike@213.sub-75-248-85.myvzw.com] has joined ##openvpn
13:07 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
13:11 -!- takamichi [~pri@213.163.66.192] has quit [Ping timeout: 276 seconds]
13:13 -!- Visual`_ [~visualsta@ip-80-236-251-212.dsl.scarlet.be] has quit [Quit: leaving]
13:14 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
13:18 -!- Guest112 [~bk@g224067053.adsl.alicedsl.de] has quit [Quit: leaving]
13:31 -!- dollabill [~mike@213.sub-75-248-85.myvzw.com] has quit [Ping timeout: 246 seconds]
13:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
13:47 -!- HardDisk_WP [~Marco@velirat.de] has quit [Changing host]
13:47 -!- HardDisk_WP [~Marco@wikipedia/harddisk] has joined ##openvpn
14:14 -!- GreyFoxx [greg@out.of.phaze.org] has left ##openvpn []
14:20 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
14:27 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:45 -!- mirco [~mirco@p5B23B04A.dip.t-dialin.net] has joined ##openvpn
15:06 -!- derjohn_foo [~aj@213.238.45.2] has quit [Ping timeout: 252 seconds]
15:26 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
15:26 -!- mode/##openvpn [+o openvpn2009] by ChanServ
15:42 -!- daemon [~daemon@2a01:348:1f9:feed:582b:7ce4:e7b2:cf00] has quit [Disconnected by services]
15:51 -!- DarthGandalf is now known as DarthGandalf|BNC
15:54 -!- Guest23432 is now known as redfox
15:55 -!- redfox is now known as Guest24519
16:22 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: Leaving]
16:25 -!- derjohn_foo [~aj@d045093.adsl.hansenet.de] has joined ##openvpn
16:30 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:44 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
16:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
17:31 -!- agagag_ is now known as agagag
17:38 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
17:51 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
17:53 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
17:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
17:56 -!- rkantos_ [robin@hp1.jaketus.net] has quit [Ping timeout: 276 seconds]
17:56 -!- rkantos [robin@hp1.jaketus.net] has joined ##openvpn
18:03 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:13 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
18:28 -!- HardDisk_WP [~Marco@wikipedia/harddisk] has quit [Ping timeout: 246 seconds]
18:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
18:29 -!- Blu3 [~David@BlueLabs/Blu3] has quit [Read error: Operation timed out]
18:37 -!- HardDisk_WP [~Marco@velirat.de] has joined ##openvpn
18:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:58 -!- EugeneKay [~EugeneKay@unaffiliated/eugenekay] has joined ##openvpn
19:14  * EugeneKay waves
19:21 -!- Sorcier_FXK [~Sorcier_F@rps2660.ovh.net] has quit [Changing host]
19:21 -!- Sorcier_FXK [~Sorcier_F@unaffiliated/sorcierfxk] has joined ##openvpn
19:31 < EugeneKay> I'm having trouble with tunneling. I believe it to be a problem with my routing, but I honestly don't know. Would anybody care to volunteer some time to help me out?
19:31 < EugeneKay> Configs - http://eugenekay.pastebin.com/T6XzL6cy
19:32 < EugeneKay> From the client, I can ping 10.8.0.1, but not 10.100.0.1, or any other IP address on that network
19:33 < oc80z> oh
19:34 < krzie> !goal
19:34 < vpnHelper> krzie: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:35 < krzie> looks like " I would like to access the lan behind the server "
19:35 < EugeneKay> Looking to let client access all address on 10.100.0.1
19:35 < krzie> is that right?
19:35 < EugeneKay> While not routing ALL traffic through the remote server(IE, my web browser stuff)
19:35 < EugeneKay> Yessir.
19:35 < krzie> is your server also the default gateway for its lan?
19:35 < EugeneKay> Yessir
19:36 < krzie> your server is the router for its lan
19:36 < EugeneKay> Yes. eth0 is on the public internet
19:36 < krzie> and eth1 goes to a switch, and is the default route on the LAN
19:36 < EugeneKay> Correct.
19:36 < krzie> ok
19:36 < EugeneKay> Pretty vanilla setup.
19:37 < krzie> sorry to ask that 3 diff ways, often people say yes but dont know what i meant
19:37 < EugeneKay> "The noob factor"
19:37 < krzie> none of the clients are on LAN ips of 10.100.0.* or 10.8.0.*, correct?
19:38 < EugeneKay> Correct. Client is on a 192.168.x.x
19:38 < krzie> are you routing VPN traffic to the inet at all?
19:38 < krzie> or the VPN is ONLY for reaching the lan
19:38 < EugeneKay> VPN is only to get to the LAN
19:38 < krzie> you dont want to NAT the VPN subnet then
19:39 < krzie> oh i see the typo
19:40 < krzie> #
19:40 < krzie> push "10.100.0.0 255.255.255.0"
19:40 < krzie> you forgot the word route ;]
19:40 < EugeneKay> Ahhh
19:40 < krzie> push "route ..."
19:41 < EugeneKay> Makes sense
19:41 < krzie> but also #
19:41 < krzie> -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth1 -j MASQUERADE
19:41 < krzie> shouldnt be needed
19:41 < EugeneKay> k.
19:41 < EugeneKay> I'll try it and let you know
19:41 < krzie> they will respond to the VPN ip that reached them, but their default gateway knows how to reach that over the vpn so all is well
19:42 < krzie> if your server wasnt default gateway youd need to add a route to the gateway
19:42 < krzie> but since it is, 1 less step
19:43 -!- corretico_ [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
19:44 < EugeneKay> Success!
19:44 < EugeneKay> Ok, now, for the bonus round. :-p
19:45 < krzie> 2nd pair of eyes helps every now and then, you already had the config right, just missiong 1 word
19:45 < krzie> =]
19:45 < EugeneKay> Yeah, looking at the logfile, I see where it was throwing a wibbly 
19:45 < EugeneKay> I'm planning on putting in a twin to the server, at 10.100.0.2 on the private LAN
19:45 < EugeneKay> The idea being full failoverability, etc
19:46 < EugeneKay> I'm guessing that the second box should use 10.9.0.0, and I need to add a route statement to each server for it's partner's subnet
19:47 < EugeneKay> (at a minimum)
19:49 < krzie> yup
19:50 < krzie> really only on 1
19:50 < EugeneKay> This is because each one will be setup as a gateway, and the 50/50 possibility that traffic heading "out" to the 10.8/9.x.x VPN clients will end up being routed out to the internet
19:50 < krzie> the spare wont be the default gateway, the main will (im assuming)
19:51 < krzie> so the spare doesnt need a new route, everything defaults to the main already unless a more specific route says otherwise
19:51 < EugeneKay> Ok
19:51 < krzie> however, the main one will need to know the new VPN subnet is behind the LAN ip of the spare
19:51 < EugeneKay> Unless I disable random, and force clients to only connect to the spare when the main is down
19:51 < EugeneKay> (which is a possbility)
19:52  * EugeneKay is new to OpenVPN still
19:52 < krzie> routed out to the internet?
19:52 < krzie> i dont get it
19:53 < EugeneKay> If a internal LAN machien is sending data to a 10.8.0.x and using the spare as it's gateway, the spare wouldn't know where 10.8.0.x is, so would send it out eth1, instead of passing it over to the main
19:54 < EugeneKay> (I think)
19:54 < krzie> why would an internal lan machine send data to 10.8.0.x machine?
19:54 < krzie> and why would it EVER use the spare as its gateway?
19:54 < EugeneKay> 1) Dunno, but I like to make sure to cover all my bases
19:54 < EugeneKay> 2) Load-balancing
19:55 < krzie> or are you saying you plan on having 2 default gateways?
19:55 < EugeneKay> Yes, 2 gateways as default.
19:55 < krzie> you gunna use CARP or something?
19:56 < EugeneKay> The LAN machines are configured manually, not DHCP
19:57 < EugeneKay> So if I set half of them to the main as primary, and the other half vice-versa
19:57 < EugeneKay> Though, if it's too much trouble, I can just skip it and treat the spare as a true spare
19:58 < EugeneKay> It's just nice to be able to point to load graphes and show how these expensive machines are doing something
19:58 < krzie> lol
19:58 < krzie> you're gunna make more problems than you solve
19:59  * EugeneKay nods
19:59 < krzie> unless you plan on doing it with CARP or something similar
19:59  * EugeneKay artifically inflates the numbers with BitTorrent instead
19:59 < krzie> nothing artificial about that
19:59 < krzie> just might not be what they were hoping your BW goes to
20:00 < EugeneKay> Well, Fedora .iso's don't pay the bills
20:00 < EugeneKay> They work great for meeting my monthly bandwidth quotas
20:00 < EugeneKay> I'm always within 10%
20:04 -!- tjz [~pc@bb116-15-200-153.singnet.com.sg] has joined ##openvpn
20:04 -!- tjz [~pc@bb116-15-200-153.singnet.com.sg] has quit [Changing host]
20:04 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:06 < EugeneKay> Thanks for your help, krzie. I have to pack all these machines up tomorrow and drive almost to Mexico >_<
20:07 < tjz> wow
20:07 < tjz> drive them over to mexico
20:07 < tjz> -_-"
20:07 < krzie> hrm
20:07 < krzie> you gunna colo near the san diego mexico border
20:07 < krzie> ?
20:08 < krzie> i prolly know people at the DC if so, lol
20:09 < ecrist> sup, krzie?
20:10 < krzie> waddup man!
20:11 < ecrist> not much - tipping a few back watching some family guy
20:12 < EugeneKay> McAllen, TX
20:12 < EugeneKay> In a cell phone tower
20:12 < krzie> ahh
20:12 < krzie> sweet
20:12 < krzie> i have 2 servers on the border as well
20:12 < krzie> but in california
20:13 < ecrist> why are you hosting a box in a cell tower?
20:13 < EugeneKay> Cheap bandwidth :-p
20:13 < ecrist> really?
20:13 < EugeneKay> Yeah. They're way over-capacitied
20:13 < krzie> o_O
20:13 < krzie> i figured sms gateway or something, lol
20:13 < EugeneKay> Hah!
20:14 < EugeneKay> When I went to install my rack the first time around the crew came prepped to go put my antenna up
20:14 < EugeneKay> "I'm uh.... webhost, not AT&T"
20:15 < krzie> shoulda gone with it!
20:15 < krzie> "you're going to X-connect to my other machines, right?"
20:15 < krzie> heheh
20:16  * EugeneKay shrugs
20:16 < ecrist> how much bandwidth?
20:16 < EugeneKay> $20/TB, 100mb pipe
20:16 < ecrist> neat
20:17 < ecrist> how did you find that?
20:17 < krzie> + base hosting cost?
20:17 < EugeneKay> Our marketing guy goes to church with the owner of the company
20:17 < krzie> damn who knew something good could come of going to church!
20:17 < EugeneKay> $250/mo for a full rack
20:18 < krzie> im talking to a girl on aim right now who has a full rack
20:18 < krzie> a very very full rack
20:18 < krzie> <g>
20:18 < EugeneKay> Don't say that, I'll pull out a picture of my Fiancee
20:19 < ecrist> Don't say that, I'll climb on top my wife who's not a picture and who's not talking to me over the internet
20:19 < ecrist> :P
20:19 < EugeneKay> Eh. Fiancee's in school in Maine.
20:19 < EugeneKay> Last semester woo!
20:20 < EugeneKay> Then she's mine again. All mine. Bwahahaha.
20:21 < krzie> ecrist, pics or it didnt happen!
20:21 < tjz> omg
20:21 < tjz> $250/mo for a full rack.. -_-"
20:21 < tjz> @_@
20:21 < ecrist> krzie: you think I don't have pics, and HD video?
20:21 < ecrist> we're paying $1500/mo for two full racks on a 15Mb connection
20:21 < krzie> my $ would say you do, but i dont!
20:21 < krzie> :-p
20:22 < krzie> wow
20:22 < krzie> you should colo in a cell tower!
20:22 < krzie> ;]
20:22 < EugeneKay> Yeesh.
20:22 < ecrist> no doubt
20:22 < EugeneKay> I try not to pay over $10/U/mo
20:22 < ecrist> I have a 1u box in Miami on a 100Mb connection for $32/mo
20:22 < EugeneKay> I think I know that place.
20:22 < EugeneKay> dedicatedserverstore.com?
20:22 < tjz> EugeneKay, i never see such a cheap colo b4
20:23 < tjz> :)
20:23 < tjz> hee
20:23 < ecrist> no, colopronto.com
20:23 < tjz> ecrist, how much bw included?
20:23 < ecrist> their customer service sucks balls, but it's hard to beat the price
20:23 < ecrist> tjz: I think 500GB
20:23 < ecrist> I never get close, so I'm not worried.
20:23 < tjz> ah..good enough
20:23 < tjz> lol
20:24 < ecrist> I use that for file serving right now.
20:24 < EugeneKay> My personal webserver is a rental out of.... Virginia, I do believe. 
20:24 < ecrist> I house all but that one box on a business connection with comcast out of my basement.
20:24 < EugeneKay> $113/mo gets me a Core 2 Duo, 2GB of memory, 500GB of HD, 3.3TB of bandwidth, a 100mb port, and 4 IPs
20:24 < tjz> hee..everyone have own remote personal server :D :D
20:24 < tjz> eurgenekay, wow! another insane deal
20:24 < tjz> -_-"
20:25 < ecrist> the colopronto box is new for me.
20:25 < EugeneKay> Their current special is actually for a Core 2 Quad
20:25 < ecrist> the server was gifted to me by a friend, he didn't want it any more.
20:25 < EugeneKay> Only 2.5TB a month
20:25 -!- Blu3 [~dford@BlueLabs/Blu3] has joined ##openvpn
20:25 < EugeneKay> http://www.serverbeach.com/servers/specialoffers_quad_core_dedicated_servers.php/
20:25 < vpnHelper> Title: ServerBeach Dedicated Servers Special Offers - Quad Core Power For Less (at www.serverbeach.com)
20:25 < EugeneKay> I don't even get a referral bonus at this joint :v
20:27 < tjz> serverbeach is pretty reliable
20:27 < tjz> they are under peer1
20:27 < tjz> :D
20:27 < EugeneKay> Yeah.
20:27 < EugeneKay> They have the occasional flub, like a double-breaker failure.
20:30 < tjz> wow
20:30 < tjz> -_-"
20:30 < tjz> can't be so unlucky
20:33 -!- mirco [~mirco@p5B23B04A.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
20:41 -!- mirco [~mirco@p5B23AC37.dip.t-dialin.net] has joined ##openvpn
21:12 -!- PrinceAmjad [~zjb@87.109.192.202] has quit [Ping timeout: 240 seconds]
21:18 -!- PrinceAmjad [~zjb@87.109.192.202] has joined ##openvpn
21:23 -!- DarthGandalf|BNC is now known as DarthGandalf
21:28 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
22:13 -!- eradiate [~eradiate@pool-96-255-191-252.washdc.fios.verizon.net] has joined ##openvpn
22:13 < eradiate> hi how can i track connection attempts to my openvpn server?
22:14 < EugeneKay> Use the log or log-append directive in openvpn.conf
22:22 < eradiate> thx
22:24 < ecrist> that was easy
22:25 < theDoc> Way too easy ;p
22:25 < theDoc> and hello all. o/
22:26  * EugeneKay shrugs
22:40 -!- DarthGandalf is now known as DarthGandalf|BNC
22:48 < theDoc> Out of curiosity, has anyone ever managed to open up a ssh tunnel between 2 remote hosts and do routing over it?
22:48 -!- DarthGandalf|BNC is now known as DarthGandalf
22:53 < theDoc> I'm interested to know exactly how you guys found the latency over the link?
22:54 < EugeneKay> A normal SSH tunnel, you mean?
22:55 < theDoc> EugeneKay> Yep, a ssh tunnel which carries other forms of encrypted traffic.
22:55 < EugeneKay> Connecting two LANs with one would be..... painful.
22:55 < theDoc> How painful would it be? ;p
22:55 < theDoc> I'm guessing that it's close to a nightmare.
22:56 < EugeneKay> To abuse an analogy, don't buy a donkey cart when there's a perfectly servicable pickup truck right there.
22:56 < theDoc> There's a particular reason why I'm wanting to try that out. I have a vpn server somewhere, I was wondering how complex it would be to forward it all to another proxy device via an SSH tunnel that was established, based on source/dst address.
22:57 < theDoc> Openvpn? :p
22:57 < EugeneKay> Well, it *is* ##openvpn
22:58 < EugeneKay> Im no expert, but common sense says it's a silly thing to do
22:58 < theDoc> EugeneKay> Not really, do you happen to have a better idea in mind how I can do some form of source/dst based routing otherwise?
22:58 < theDoc> I could be missing something here. :/
22:58 < EugeneKay> iptables perhaps?
22:59 < theDoc> Yes, well. I could do iptables but I would like to keep that connection stream from server1 to server2 tunneled. (although I'm getting a little worried about the overhead involved).
23:01 < EugeneKay> Well, there's the "why bother?" question first
23:02 < theDoc> That doesn't really answer my question ... ;p
23:03 < EugeneKay> I wouldnt have a clue how to do such a thing
23:16 < rob0> SSH tunnels, AFAIK, can only handle TCP traffic.
23:16 < rob0> It's not capable of being a complete IP address/interface.
23:38 < theDoc> rob0> Ah, tcp traffic only?
23:38 < theDoc> That's moot point then ;p
23:38 < theDoc> Thanks.
23:48 -!- Cap_J_L_Picard [~ewanm89@unaffiliated/ewanm89] has quit [Ping timeout: 246 seconds]
23:49 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has joined ##openvpn
23:50 -!- Cap_J_L_Picard [~ewanm89@unaffiliated/ewanm89] has joined ##openvpn
--- Day changed Tue Mar 30 2010
00:20 -!- insane^ [~jg@pizza.internetx.de] has quit [Ping timeout: 258 seconds]
00:29 -!- DarthGandalf is now known as DarthGandalf|BNC
00:31 -!- DarthGandalf|BNC is now known as DarthGandalf
00:38 -!- mirco [~mirco@p5B23AC37.dip.t-dialin.net] has quit [Quit: mirco]
01:05 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
01:09 -!- derjohn_foo [~aj@d045093.adsl.hansenet.de] has quit [Ping timeout: 246 seconds]
01:21 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:21 -!- mode/##openvpn [+o mattock] by ChanServ
01:24 -!- kala__ [~kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
01:27 -!- kala [~kala@83.151.191.90.dyn.estpak.ee] has quit [Ping timeout: 276 seconds]
01:30 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Ping timeout: 258 seconds]
01:31 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 276 seconds]
02:04 -!- Blu3` [~David@FirefighterBlu3-2-pt.tunnel.tserv15.lax1.ipv6.he.net] has joined ##openvpn
02:15 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.8/20100214235958]]
02:16 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
02:18 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Client Quit]
02:19 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
02:20 -!- d000k is now known as d12fk
02:45 -!- AlHafoudh [~alhafoudh@77.93.192.244] has joined ##openvpn
02:50 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
03:02 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
03:16 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
03:32 -!- AlHafoudh [~alhafoudh@77.93.192.244] has quit [Remote host closed the connection]
03:33 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
03:34 -!- AlHafoudh [~alhafoudh@77.93.192.244] has joined ##openvpn
03:39 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
03:41 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
03:56 -!- Blu3 [~dford@BlueLabs/Blu3] has quit [Quit: I ❤♥❤ Guys]
04:11 < krzee> theDoc, re: your ealier conversation, sockd
04:12 < theDoc> networkproxyserver?:)
04:12 < krzee> socks is same proto as ssh tunnel, but you can use udp if you set it up that way
04:12 < theDoc> Awesome.
04:12 < theDoc> krzee> Do you know how much overhead that adds?
04:12 -!- master_of_master [~master_of@p57B54C57.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
04:12 < krzee> of course theres the "what the hell is your real goal" factor
04:12 < krzee> but ya
04:12 < krzee> theDoc, same as your orig idea of ssh tunnel
04:12 < theDoc> Hm, ok.
04:13 < krzee> since ssh tunneling is really socks5
04:13 < krzee> :-p
04:13 -!- derjohn_foo [~aj@213.238.45.2] has joined ##openvpn
04:13 < theDoc> krzee> Well .. why do you say it's really socks5?
04:13 < krzee> i use dante daemon for my socks5
04:13 < krzee> have you read the man for ssh? im pretty sure it mentions what im saying
04:13 < krzee> lemme check
04:13 < theDoc> No, I haven't.
04:14 -!- master_of_master [~master_of@p57B576BD.dip.t-dialin.net] has joined ##openvpn
04:14 < krzee> Whenever a
04:14 < krzee>              connection is made to this port, the connection is forwarded over
04:14 < krzee>              the secure channel, and the application protocol is then used to
04:14 < krzee>              determine where to connect to from the remote machine.  Currently
04:14 < krzee>              the SOCKS4 and SOCKS5 protocols are supported, and ssh will act
04:14 < krzee>              as a SOCKS server.
04:14 < krzee> but ya
04:15 < krzee> im sure you realized you had to use your ssh tunnel as a socks proxy
04:16 < krzee> like to actually use the tunnel
04:18 < krzee> btw heres a weak ass dante config that you should only use over openvpn
04:18 < theDoc> Yes, I noticed/realized that.
04:18 < krzee> !sockd
04:18 < vpnHelper> krzee: "sockd" is if you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP! otherwise you will be an open proxy. that config has no security because its expected to run inside openvpn
04:18 < theDoc> ;p
04:19 < krzee> i also have a config that is set to use fbsd PAM
04:19 < krzee> if you care
04:19 < krzee> if you use linux it has  built in linux auth method
04:19 < theDoc> krzee> Mind if I talk to you about this in private? :p
04:20 < krzee> fine by me man, known you for quite awhile in here
04:20 < theDoc> Cheers.
04:20 < krzee> but im drinking, so warning has been given
04:22 < theDoc> Ok!
04:25 < krzee> !vpnchains
04:25 < vpnHelper> krzee: Error: "vpnchains" is not a valid command.
04:25 < krzee> bleh
04:25 < krzee> !wiki
04:25 < vpnHelper> krzee: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
04:25 < theDoc> !vpnchain
04:25 < vpnHelper> theDoc: Error: "vpnchain" is not a valid command.
04:25 < theDoc> feh.
04:29 < krzee> it was http://www.secure-computing.net/wiki/index.php/OpenVPN/VpnChains
04:29 < vpnHelper> Title: OpenVPN/VpnChains - Secure Computing Wiki (at www.secure-computing.net)
04:44 -!- reiffert [~thomas@mail.webersheim.de] has joined ##openvpn
04:44 < reiffert> moin
04:46 < krzee> moin moin
04:46 < krzee> !linnat
04:46 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
05:16 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 276 seconds]
05:24 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
05:37 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:47 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
06:08 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
06:17 -!- reiffert [~thomas@mail.webersheim.de] has quit [Quit: Lost terminal]
06:43 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
06:47 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
06:57 -!- DarthGandalf is now known as DarthGandalf|BNC
06:58 -!- DarthGandalf|BNC is now known as DarthGandalf
07:01 -!- SerajewelKS [~me@wikipedia/Crazycomputers] has quit [Ping timeout: 264 seconds]
07:01 -!- SerajewelKS [~me@wikipedia/Crazycomputers] has joined ##openvpn
07:07 -!- d12fk is now known as d000k
07:11 -!- d000k is now known as d12fk
07:14 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
07:41 -!- Blu3` [~David@FirefighterBlu3-2-pt.tunnel.tserv15.lax1.ipv6.he.net] has quit [Changing host]
07:41 -!- Blu3` [~David@BlueLabs/Blu3] has joined ##openvpn
07:41 -!- Blu3` is now known as Blu3
07:42 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Quit: Távozom]
07:44 -!- d12fk is now known as d000k
08:04 -!- dazo_afk is now known as dazo
08:15 -!- d000k is now known as d12fk
08:16 -!- d12fk is now known as d000k
08:38 -!- d000k is now known as d12fk
08:49 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
08:51 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
08:52 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
08:56 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
09:04 -!- Sorcier_FXK [~Sorcier_F@unaffiliated/sorcierfxk] has quit [Quit: Coyote finally caught me]
09:11 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Remote host closed the connection]
09:20 -!- d12fk is now known as d000k
09:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:31 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
09:31 -!- AlHafoudh [~alhafoudh@77.93.192.244] has quit [Ping timeout: 268 seconds]
09:33 -!- simplechat [~simplecha@123-243-79-139.tpgi.com.au] has joined ##openvpn
09:33 -!- simplechat [~simplecha@123-243-79-139.tpgi.com.au] has quit [Changing host]
09:33 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
09:41 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 276 seconds]
09:53 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
10:00 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Remote host closed the connection]
10:01 -!- d000k is now known as d12fk
10:01 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Read error: Operation timed out]
10:07 -!- theDoc [~jaki@69.10.59.166] has joined ##openvpn
10:07 -!- theDoc [~jaki@69.10.59.166] has quit [Changing host]
10:07 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
10:08 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
10:18 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
10:28 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has joined ##openvpn
10:31 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
10:39 -!- d12fk is now known as d000k
10:51 -!- d000k is now known as d12fk
10:58 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Read error: Connection reset by peer]
11:05 -!- PrinceAmjad [~zjb@87.109.192.202] has quit [Read error: Connection reset by peer]
11:06 -!- PrinceAmjad [~zjb@87.109.192.202] has joined ##openvpn
11:08 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Remote host closed the connection]
11:10 -!- PrinceAmjad [~zjb@87.109.192.202] has quit [Read error: Connection reset by peer]
11:23 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
11:27 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
11:35 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:50 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
12:04 -!- SkyX [~SkyB0x@212.235.177.25] has joined ##openvpn
12:05 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
12:06 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
12:15 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Ping timeout: 260 seconds]
12:21 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
12:22 -!- mirco [~mirco@p5B23AC37.dip.t-dialin.net] has joined ##openvpn
12:27 -!- dazo is now known as dazo_afk
12:33 -!- d12fk is now known as d000k
12:35 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
12:52 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
12:56 -!- bandini [~bandini@host241-27-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
13:25 -!- EugeneKay is now known as EugeneKaway
13:29 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Ping timeout: 252 seconds]
13:47 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has joined ##openvpn
13:57 -!- ed4 [~Rodyd4@atm91-3-88-166-199-153.fbx.proxad.net] has joined ##openvpn
14:03 -!- fahadsadah [~fahad@unaffiliated/fahadsadah] has quit [Ping timeout: 245 seconds]
14:04 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Ping timeout: 246 seconds]
14:05 < rob0> (Not that I'm expecting anyone to be able to figure it out, but ... maybe ...)
14:05 -!- jeffl [coz@teledojo.com] has quit [Ping timeout: 248 seconds]
14:05  * rob0 has a LARTC-type problem, not quite on topic here: http://pastebin.slackadelic.com/p/O82jub14.html
14:06 < rob0> I figured there might be some folks here who know routing.
14:09 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has quit [Read error: Connection reset by peer]
14:12 -!- Some-body_ [~Vetinari@97.107.142.96] has joined ##openvpn
14:13 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has joined ##openvpn
14:14 -!- fahadsadah [~fahad@unaffiliated/fahadsadah] has joined ##openvpn
14:16 -!- Some-body_ is now known as DarthGandalf
14:16 -!- DarthGandalf [~Vetinari@97.107.142.96] has quit [Changing host]
14:16 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
14:17 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 252 seconds]
14:26 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
14:26 < jpalmer> ecrist: I figured out what my (2) problems with dd-wrt as openvpn client were.  I solved one issue,  still have a forum post for the other.
14:27 < ecrist> which issue did you solve?
14:27 < jpalmer> remember I said I lost all connectivity when I set it as openvpn client?
14:28 < ecrist> yes
14:28 < jpalmer> I stupidly was using a private key that had a password.  so,  the router would sit there for a LONG time,  and then skip it.  so I thought I'd just lost connectivity..  when it hadn't even fully booted
14:29 < ecrist> ah
14:29 < ecrist> that makes sense.
14:29 < jpalmer> second issue (that I'm still working on) is: I can't figure out how to add a 'cipher' line to it.  I can do it as an openvpn server, but not client.
14:30 < jpalmer> if I ssh in, and manually add the cipher line and restart openvpn,  it works flawlessy.   but when I reboot,  that modification goes away.
14:30 < ecrist> hand-edit the config?
14:30 < ecrist> yeah, as I said, they sort of break openvpn is funny ways
14:31 < jpalmer> well,  I'm thinking they have a config stored in nvram that the webserver writes to.  then when you boot,  it's read from nvram and mounted in a ramdisk type deal.  I just need to know where the nvram version is stored.
14:31 < jpalmer> so,  I've posted on their forums.  no response yet though.  will let you know when I have an answer.
14:32 < ecrist> excellent.
14:35 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:36 < krzee> !linipforward
14:36 < vpnHelper> krzee: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
14:37 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.8/20100214235958]]
14:38 -!- ed4 [~Rodyd4@atm91-3-88-166-199-153.fbx.proxad.net] has quit [Quit: Quitte]
14:50 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 246 seconds]
14:50 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
14:50 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
14:54 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
14:58 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
15:06 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:12 -!- HardDisk_WP [~Marco@velirat.de] has quit [Changing host]
15:12 -!- HardDisk_WP [~Marco@wikipedia/harddisk] has joined ##openvpn
15:13 -!- derjohn_foo [~aj@213.238.45.2] has quit [Ping timeout: 248 seconds]
15:26 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
15:52 -!- DarthGandalf is now known as DarthGandalf|BNC
16:03 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.2/20100316074819]]
16:17 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
16:25 -!- derjohn_foo [~aj@c175154.adsl.hansenet.de] has joined ##openvpn
16:49 -!- Blu3 [~David@BlueLabs/Blu3] has quit [Excess Flood]
16:54 -!- Blu3 [~David@FirefighterBlu3-2-pt.tunnel.tserv15.lax1.ipv6.he.net] has joined ##openvpn
16:54 -!- Blu3 [~David@FirefighterBlu3-2-pt.tunnel.tserv15.lax1.ipv6.he.net] has quit [Changing host]
16:54 -!- Blu3 [~David@BlueLabs/Blu3] has joined ##openvpn
16:58 -!- Guest24519 is now known as redfox
16:59 -!- redfox is now known as Guest29381
17:09 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
17:09 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Read error: Connection reset by peer]
17:09 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
17:32 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Ping timeout: 265 seconds]
17:43 -!- mirco [~mirco@p5B23AC37.dip.t-dialin.net] has quit [Quit: mirco]
17:51 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has joined ##openvpn
18:02 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Quit: Leaving]
18:07 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
18:07 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
18:09 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
18:19 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
18:39 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Read error: Connection reset by peer]
18:59 -!- jnss [janes@gateway/shell/sign.io/x-ezqdeznfzlaqjrih] has joined ##openvpn
19:01 -!- jnss is now known as slave1
19:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
19:13 -!- bandini [~bandini@host241-27-dynamic.20-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
19:21 -!- slave1 is now known as jnss
19:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
19:51 -!- smerz [~daniel@smerz.demon.nl] has quit [Quit: Ex-Chat]
20:02 -!- tjz [~pc@bb116-14-146-235.singnet.com.sg] has joined ##openvpn
20:02 -!- tjz [~pc@bb116-14-146-235.singnet.com.sg] has quit [Changing host]
20:02 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:08 -!- rawDawg [~omglol@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
20:09 -!- SkyX [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
20:09 < rawDawg> i want to upgrade my openvpn server
20:10 < rawDawg> will my certs still be valid?
20:10 < jpalmer> as long as you keep ther server certs, and client certs..  yes.
20:10 < rob0> Until they expire, yes. Not after that.
20:14 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
20:23 -!- diogo_79 [~diogo_79@186.211.108.93.rev.vodafone.pt] has joined ##openvpn
20:23 < diogo_79> hi al
20:24 < diogo_79> can someone help me with zerina
20:24 < diogo_79> ?
20:24 < diogo_79> i cannot find the tutorial about zerina net2net (extension)
20:25 < diogo_79> the web site is down
20:26 < diogo_79> !welcome
20:26 < vpnHelper> diogo_79: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:26 < rawDawg> jpalmer so if i just save the easy-rsa folder? i should be able to just upgrade the server then copy it back?
20:27 < jpalmer> I can't say specifically yes or no,  as I don't know your environment.  look in your vars file, and see where the keys are stored.
20:27 < diogo_79> !howto
20:27 < vpnHelper> diogo_79: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
20:27 < rawDawg> ok
20:29 < rawDawg> KEY_DIR=keys
20:32 < diogo_79> someone
20:33 < ecrist> sup bitches?
20:34 < ecrist> diogo_79: what is zerina?
20:34 < diogo_79> zerina is addon for ipcop
20:35 < diogo_79> it is based on openvpn
20:35 < diogo_79> the site is openvpn.eu
20:36 < diogo_79> but some parts of the site are down like the how to net2net (extension)
20:36 < ecrist> I'm sorry, but we cannot offer support for that in here.
20:37 < ecrist> this channel is specific to raw openvpn - it's too difficult for us to know everyone's schema and implementation.
20:37 < diogo_79> ok sorry
20:38 < ecrist> no worries.
20:41 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
20:42 -!- jnss is now known as slave1
20:43 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Quit: Quitte]
20:43 < rawDawg> is there a recommended way to upgrade openvpn on windows?
20:43 < rawDawg> i want to make sure all my certs are still valid so my clients reconnect
20:47 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
20:50 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
20:52 < ecrist> rawDawg: uninstall - reinstall
20:52 < ecrist> not sure what you mean by "i want to make sure all my certs are still valid so my clients reconnect"
20:53 < rawDawg> when i install the new server, i want all my certs to still work
20:53 < rawDawg> so that clients will automatically reconnect
20:53 < ecrist> oh, just make sure you use the same certificate chain
20:54 < rawDawg> so if i just save the server.crt and server.key i should be ok?
20:55 < ecrist> you need the ca.crt, as well
20:55 < ecrist> if you want to generate new certificates, you need all the ca.crt, ca.key, index, crl, etc
20:59 < rawDawg> what are index.txt.start and serial.start for?
21:02 < ecrist> not sure
21:04 < rawDawg> will 2.1_rc19 clients work with 2.1.1 server?
21:04 < ecrist> they should, yes
21:05 < rawDawg> the reason i wasnt to upgrade is im having all sorts of problems on windows 2003 with openvpn server
21:05 < ecrist> everything after rc19 was windows-specific, so that's really the latest for linux/unix systems
21:05 < rawDawg> ip routing stops working unless i restart the openvpn service
21:05 < rawDawg> then if i reboot the server IAS stops working until i restart the openvpn service
21:06 < rawDawg> im not sure if its a config problem or maybe 2.1.1 will fix it
21:07 < ecrist> sounds like a config/routing issue
21:07 < rawDawg> routing works fine after i restart the service
21:07 < rawDawg> all the routing tables look good too
21:08 < rawDawg> ill post my configs
21:08 < ecrist> since I'm not your admin, I can only conjecture about your problems.
21:10 < rawDawg> http://www.pastebin.org/129053
21:11 < rawDawg> well take a took and see if you see anything
21:12 < rawDawg> i cant remember why i put float on the server
21:14 < ecrist> does IIS have a problem listening to an address that doesn't exist on the system?
21:15 < rawDawg> no IIS on that server
21:15 < rawDawg> i mentioned IAS, which i use for radius authentication
21:16 -!- diogo_79 [~diogo_79@186.211.108.93.rev.vodafone.pt] has quit [Ping timeout: 276 seconds]
21:16 -!- DarthGandalf|BNC is now known as DarthGandalf
21:17 < rawDawg> i might have put float in there because all the clients are dynamic ips
21:17 < rawDawg> but im not sure if im using it on the right side
21:18 < ecrist> I meant IAS
21:18 < rawDawg> since it is a server, im thinking --float is on by default, because you dont specify --remote
21:18 < rawDawg> IAS works fine if I restart openvpn after a reboot
21:23 -!- slave1 is now known as jnss
22:35 -!- jnss [janes@gateway/shell/sign.io/x-ezqdeznfzlaqjrih] has quit [Quit: leaving]
22:49 -!- EugeneKaway is now known as EugeneKay
22:49 -!- EugeneKay is now known as EugenePhone
22:55 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
23:18 -!- EugenePhone is now known as EugeneKay
23:20 -!- corretico_ [~laguilar@201.201.46.106] has joined ##openvpn
23:20 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
23:22 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 246 seconds]
23:35 -!- corretico_ [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
23:40 -!- datalock [ircap@189.35.137.219] has joined ##openvpn
23:41 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
23:43 -!- EugeneKay is now known as EugeneKaway
--- Day changed Wed Mar 31 2010
00:14 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
00:19 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
01:08 -!- derjohn_foo [~aj@c175154.adsl.hansenet.de] has quit [Ping timeout: 260 seconds]
01:12 -!- datalock [ircap@189.35.137.219] has quit []
01:17 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
01:17 -!- mode/##openvpn [+o mattock] by ChanServ
01:39 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:48 -!- d000k is now known as d12fk
01:54 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
02:11 -!- d12fk [~heiko@vpn.astaro.de] has quit [Remote host closed the connection]
02:13 -!- d12fk [~heiko@vpn.astaro.de] has joined ##openvpn
02:42 -!- AlHafoudh [~alhafoudh@77.93.192.244] has joined ##openvpn
02:44 -!- AlHafoudh [~alhafoudh@77.93.192.244] has quit [Remote host closed the connection]
02:45 -!- AlHafoudh [~alhafoudh@77.93.192.244] has joined ##openvpn
03:08 -!- diogo_79 [~diogo_79@62.28.141.90] has joined ##openvpn
03:15 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.8/20100214235958]]
03:17 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 260 seconds]
03:17 -!- atlantic [~atlantic@hok.duf.hu] has quit [Ping timeout: 264 seconds]
03:24 -!- atlantic [~atlantic@hok.duf.hu] has joined ##openvpn
03:26 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
03:29 -!- diogo_79 [~diogo_79@62.28.141.90] has quit [Quit: Leaving]
03:52 -!- d12fk is now known as d000k
03:54 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
03:57 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
04:02 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
04:11 -!- master_of_master [~master_of@p57B576BD.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
04:13 -!- AlHafoudh [~alhafoudh@77.93.192.244] has quit [Ping timeout: 246 seconds]
04:13 -!- AlHafoudh [~alhafoudh@77.93.192.244] has joined ##openvpn
04:13 -!- master_of_master [~master_of@p57B56334.dip.t-dialin.net] has joined ##openvpn
04:19 -!- d000k is now known as d12fk
04:29 -!- d12fk is now known as d000k
04:30 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
04:34 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
04:39 -!- Diffen2 [~diffen2@212.112.46.106] has joined ##openvpn
04:47 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
04:49 -!- dazo_afk is now known as dazo
05:03 -!- EugeneKaway is now known as EugeneKay
05:11 -!- EugeneKay is now known as EugeneKaway
05:15 -!- karamorf [~no@216.127.52.126] has quit []
05:19 -!- rawDawg2 [~omglol@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
05:22 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:22 -!- rawDawg [~omglol@cpe-76-188-26-242.neo.res.rr.com] has quit [Ping timeout: 276 seconds]
05:29 -!- Diffen2 [~diffen2@212.112.46.106] has quit [Ping timeout: 248 seconds]
05:30 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
05:44 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
06:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
06:33 -!- tommyd3mdi [~tommyd@178-25-69-92-dynip.superkabel.de] has joined ##openvpn
06:34 < tommyd3mdi> Hi all! I recently get many many "write UDPv4: No buffer space available (code=55)" on every connect from an OSX client to a ovpn server - I've read that this might be a problem with an errornous configuration, i.e. the IP of the ovpn server is pushed as route as well
06:35 < tommyd3mdi> the problem is that this once worked, and while I can comment out the route pushing, this is just a temporary solution
06:36 < tommyd3mdi> the ovpn is setup on a dd-wrt router btw... I could not check for netstat -m (this is not available on the machine), is there anything else I could investigate?
06:39 < rob0> My guess would be that you have exceeded the router's capability to act as a VPN server, out of memory probably.
06:46 -!- tommyd3mdi [~tommyd@178-25-69-92-dynip.superkabel.de] has quit [Read error: Connection reset by peer]
06:48 -!- tommyd3mdi [~tommyd@178-25-69-92-dynip.superkabel.de] has joined ##openvpn
06:56 -!- d000k is now known as d12fk
07:02 < cpm> tommyd3mdi, did you see this? <rob0> My guess would be that you have exceeded the router's capability to act as a VPN server, out of memory probably.
07:03 < rob0> Probably didn't see it, because the router crashed. ;)
07:05 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
07:08 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
07:10 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
07:18 -!- d12fk is now known as d000k
07:19 -!- d000k is now known as d12fk
07:23 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 265 seconds]
07:34 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
07:35 < tommyd3mdi> rob0: heh, I saw it, however I cannot fix it currently
07:41 < tommyd3mdi> maybe its also the issue that I'm testing this currently while I'm connected physically to the network - I check this with another guy who's currently external
07:48 -!- tommyd3mdi [~tommyd@178-25-69-92-dynip.superkabel.de] has quit [Read error: Connection reset by peer]
07:48 -!- tommyd3mdi [~tommyd@178-25-69-92-dynip.superkabel.de] has joined ##openvpn
07:52 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
07:54 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 264 seconds]
08:18 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
08:29 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
08:31 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 260 seconds]
08:36 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
08:36 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Quit: mirco]
08:48 -!- tommyd3mdi_ [~tommyd@178-25-69-92-dynip.superkabel.de] has joined ##openvpn
08:48 -!- tommyd3mdi [~tommyd@178-25-69-92-dynip.superkabel.de] has quit [Read error: Operation timed out]
08:48 -!- tommyd3mdi_ is now known as tommyd3mdi
08:49 -!- tommyd3mdi [~tommyd@178-25-69-92-dynip.superkabel.de] has left ##openvpn []
08:50 -!- gravyface [~chatzilla@CPE001d7e46ff91-CM0014e8b59110.cpe.net.cable.rogers.com] has joined ##openvpn
08:50 < gravyface> hello all
08:53 < gravyface> have my cert auth-based VPN client config working in Ubuntu from the terminal successfully, but not sure the best way to set the openvpn daemon to a) only load the client config (I dont' have a server config so I'm assuming it won't) b) run as a daemon for the client config.  The client config is the only .ovpn in /etc/openvpn but openvpn start complains about a missing config.
08:53 < gravyface> I'd like to have an "always on" vpn client setup for a thin client I'm building.
08:55 -!- AlHafoudh [~alhafoudh@77.93.192.244] has quit [Ping timeout: 252 seconds]
08:57 -!- d12fk is now known as d000k
08:58 -!- d000k is now known as d12fk
09:03 < Bushmills> rename it to client.conf
09:04 < Bushmills> .ovpn is a windowism. 
09:06 < rob0> requiring ANY particular file naming scheme is a windowsism too :)
09:06 < rob0> mine are all *.cpm files
09:06 -!- d12fk is now known as d000k
09:07 < cpm> yeah, you say that /now/. 
09:08 < rob0> /cpm/cpm/cpm.cpm
09:11 -!- badserii [debian-tor@gateway/tor-sasl/badserii] has joined ##openvpn
09:22 -!- d000k is now known as d12fk
09:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:47 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:48 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
10:11 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
10:14 -!- Mythmon [~cooperm@osuosl/staff/Mythmon] has joined ##openvpn
10:26 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
10:37 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:48 -!- star314 [~star314@xchg.fiss-oeaw.at] has joined ##openvpn
10:49 < star314> Hello! Any android users here? I'm tying to get openvpn running on my android phone. :-)
10:49 < star314> And I guess I'm just one step away from getting it working. :-)
11:04 -!- DarthGandalf is now known as DarthGandalf|BNC
11:04 -!- DarthGandalf|BNC is now known as DarthGandalf
11:06 < cpm> http://android.modaco.com/content/software/291919/openvpn-on-android/
11:06 < vpnHelper> Title: OpenVPN on android - Android @ MoDaCo (at android.modaco.com)
11:10 -!- WormFood [~wormfood@121.34.165.212] has quit [Ping timeout: 276 seconds]
11:12 < star314> cpm: I have seen that
11:12 < star314> and a couple of more links
11:17 -!- WormFood [~wormfood@58.61.134.94] has joined ##openvpn
11:28 -!- star314 [~star314@xchg.fiss-oeaw.at] has quit [Quit: Ex-Chat]
11:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
11:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
11:56 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
12:09 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
12:17 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 276 seconds]
12:17 -!- dazo is now known as dazo_afk
12:24 -!- badserii [debian-tor@gateway/tor-sasl/badserii] has quit [Remote host closed the connection]
12:29 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
12:33 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
12:40 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
12:40 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Excess Flood]
12:41 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
12:53 -!- d12fk is now known as d000k
13:00 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
13:11 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
13:28 -!- Guest29381 is now known as redfox
13:28 -!- redfox is now known as Guest92802
13:31 -!- derjohn_foo [~aj@213.238.45.2] has joined ##openvpn
13:57 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
13:58 -!- nebula_ [nebula@matrix.greyunknown.com] has joined ##openvpn
13:59 -!- star314 [~star314@starnet1.sinh.us] has joined ##openvpn
14:04 -!- DrPepper [~DrPepper@88.207.192.171] has joined ##openvpn
14:17 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit [Read error: Operation timed out]
14:25 -!- rawDawg2 [~omglol@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
14:25 -!- rawDawg2 [~omglol@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
14:30 < rawDawg> hey its me at home :D
14:31 < rawDawg> i am having a problem routing traffic between my local subnet and my vpn
14:32 < rawDawg> i was reading http://www.runpcrun.com/howtoopenvpn. Under the section "Setup VPN routing" there is a mentioned issue with Routing and Remote access
14:33 < rawDawg> does anyone know of a resource where problems like this are supposed to be reported?
14:33 < rawDawg> i'd like to search for any potential solutions
14:33 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
14:34 < rob0> reported? To whom and for what purpose?
14:34 < _insane> rob0 thx btw worked :)
14:35 < _insane> ipip howto
14:35 < rob0> oh great
14:35 < _insane> but i figured out my problem, too
14:35 < rob0> I'm presently having much fun with ipip tunnels as well.
14:35 < _insane> the reason was that i tried to use one ip of the same /29 subnet on my vpn clients
14:36 < _insane> using a ip from a 2nd /29 which i got, works too
14:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
14:36 < _insane> some kind of routing problem
14:36 < _insane> dunno
14:36 < _insane> but i stay with ipip
14:38 < rawDawg> rob0 reported to developers for the purpose of fixing
14:44 < rob0> Raw, is it truly a bug, or just that you don't understand how to set up routing?
14:45 -!- krzee [nobody@unaffiliated/krzee] has quit [Remote host closed the connection]
14:46 < Bushmills> rob0: have you ever looked at anytun?
14:47 < rob0> nope
14:47 < Bushmills> ok. has just installed it on local machine, to glimpse at docs, until i make up my mind whether i try it on the servers
14:48 < Bushmills> the load balancing capability sounds interesting 
14:48 -!- derjohn_foo [~aj@213.238.45.2] has quit [Ping timeout: 260 seconds]
14:56 < rawDawg> rob0 im pretty sure i have routing set up right
14:57 < rawDawg> i've tried two different methods of turning on ip routing on my windows 2003 server, and i have problems with both methods
15:02 < rawDawg> rob0 apparantly it is a bug, if i am not the only one having an issue
15:12 -!- derjohn_foo [~aj@c154136.adsl.hansenet.de] has joined ##openvpn
15:14 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 268 seconds]
15:47 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
16:00 -!- derjohn_foo [~aj@c154136.adsl.hansenet.de] has quit [Ping timeout: 265 seconds]
16:01 -!- derjohn_foo [~aj@c154136.adsl.hansenet.de] has joined ##openvpn
16:03 -!- DarthGandalf is now known as DarthGandalf|BNC
16:03 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Ping timeout: 260 seconds]
16:03 -!- star314 [~star314@starnet1.sinh.us] has quit [Quit: Leaving]
16:08 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
16:15 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
16:16 -!- EugeneKaway [~EugeneKay@unaffiliated/eugenekay] has quit [Ping timeout: 252 seconds]
16:19 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
16:19 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
16:26 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 246 seconds]
16:28 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
16:30 < SerajewelKS> it's sad that i have to do tcp-in-tcp-in-tcp for this configuration :(
16:31 < krzie> 3x!?
16:31 < SerajewelKS> openvpn tcp connection through an ssh tunnel
16:31 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: Connection reset by peer]
16:32 < SerajewelKS> so whatever tcp connections i open on my client are encapsulated in two layers of tcp
16:34 < SerajewelKS> it's all kinds of slow
16:36 -!- nebula_ [nebula@matrix.greyunknown.com] has quit [Quit: [BX] Who ate my nuggets?!]
16:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
16:45 -!- DrPepper [~DrPepper@88.207.192.171] has quit [Quit: Leaving...]
16:47 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
16:52 < rob0> Makes you want to get out and help push, huh?
16:54 -!- SkyX [~SkyB0x@212.235.177.25] has joined ##openvpn
16:54 -!- SkyX [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
16:54 < Bushmills> can't you run openvpn server on the same port as ssh server, and let them coexist?  i think port-sharing is the term
16:56 < rob0> yes, that should work, and reduce one level of pain.
16:57 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
16:58 -!- bakermd [~bakermd@38.104.0.102] has joined ##openvpn
16:58 < bakermd> Is there a way to configure multiple server addresses in the openvpn.conf file on a client so that it will try each of the servers until it is able to connect?
17:06 < Bushmills> yes, just repeat the "remote" statement for each server
17:06 < krzie> yup, just multiple remotes
17:07 < bakermd> Hmm... tried that, it just hits the first one and then says waiting for 5 seconds to retry...
17:34 < SerajewelKS> i'm trying instead to write a UDP-forwarding program
17:35 < krzie> like a real socks proxy instead of ssh tunnel
17:35 < krzie> lol
17:35 < krzie> ssh tunnel acts as a basic socks proxy, a real socks proxy would do udp
17:35 < SerajewelKS> which appears to work for DNS, but not for openvpn
17:35 < krzie> (i use dante)
17:35 < SerajewelKS> krzie: problem is, the relay/gateway is a windows box
17:36 < krzie> however, openvpn doesnt handle authenticating to a socks daemon when connecting over it
17:36 < SerajewelKS> so i'm just trying to relay the UDP packets.  i've successfully got dig to resolve through it, but no luck with openvpn.
17:36 < krzie> (which i find odd)\
17:36 < krzie> in fact, time for me to add that
17:36 < krzie> !wishlist
17:36 < vpnHelper> krzie: "wishlist" is http://ovpnforum.com/viewforum.php?f=10 for the openvpn wishlist
17:37 < SerajewelKS> tcpdump on the server end shows the relayed packets coming in, and it is sending replies... but the listening udp socket in my relay program never sees anything come back
17:38 < SerajewelKS> time to pop open wireshark on this end...
17:39 < SerajewelKS> mmm it's right, no replies are coming back
17:40 < krzie> sounds like a firewall or dead route somewhere
17:40 < SerajewelKS> i don't think the firewall here is that fascist
17:41 < SerajewelKS> well let's try running it on port 53 and see what's what...
17:42 < SerajewelKS> haha oh that's fucking awesome
17:43 < SerajewelKS> the firewall allows all outbound traffic but restricts the source ports of inbound traffic
17:44 < krzie> the SRC ports!?
17:44 < SerajewelKS> yes
17:44 < krzie> not DST ports!?
17:44 < krzie> hahaha
17:44 < SerajewelKS> if i connect to port 1194 (also tried 1196) then the traffic makes it out the firewall, but the replies are blocked
17:44 < SerajewelKS> if i connect to port 53, everything works great
17:44 < SerajewelKS> i really need to come up with another port though
17:45 < SerajewelKS> using 53 makes me feel dirty
17:45 < SerajewelKS> hmm, looks like high packet loss though
17:46 < SerajewelKS> if outgoing DNS is rate-limited then... wtf
17:47 < krzie> it should be
17:47 < krzie> assuming its openly recursive
17:47 < SerajewelKS> :/
17:47 < SerajewelKS> seems i need to find another port
17:47 < krzie> if you cannot stop from leaving your NS open recursive, you must ratelimit your outgoing traffic from it
17:48 < krzie> because there is a way to bounce DDOS through NS's with a ~60x amplification of BW
17:48 < SerajewelKS> maybe TFTP is open
17:49 < krzie> thats really odd tho
17:49 < krzie> usually outgoing packets open a hole in the NAT
17:49 < krzie> for responses
17:49 < SerajewelKS> it does seem to
17:49 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
17:49 < SerajewelKS> but it's also blocking some source ports apparently
17:50 < SerajewelKS> which is a retarded setup
17:50 < SerajewelKS> ooo what about 80...
17:50 -!- [mutex]_ [~portn0k@unaffiliated/mutex/x-1106097] has joined ##openvpn
17:51 < SerajewelKS> nope :(
17:51 < [mutex]_> http://pastie.org/private/tucv8jy2eztnp66mbrka <-- i have no idea whats wrong.  google isnt telling me anything.
17:51 < [mutex]_> !welcome
17:51 < vpnHelper> [mutex]_: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:51 < krzie> [mutex]_ bad certs
17:52 < krzie> actually, quite possibly bad permissions
17:52 < [mutex]_> krzie: bad in what sense?
17:52 < [mutex]_> on the server side, correct?
17:53 < krzie> is that a server log im looking at?
17:53 < [mutex]_> well, i dontt hink thats what it is, i chmodded to 777 just to see if that fixed it 5 minutes ago
17:53 < [mutex]_> krzie: no, client.  sec ill fetch the server log
17:53 < SerajewelKS> maybe 531, AIM uses that one
17:53 < krzie> [mutex]_ are you dropping permissions?
17:53 < [mutex]_> what do you mean
17:53 < krzie> --user / --group
17:54 < [mutex]_> when chmodding or starting the openvpn server?
17:54 < krzie> if so, the dir containing the certs needs +x for the user to read files in it, even if the user has access to read those files
17:55 < krzie> openvpn comes with user and group config options
17:55 < krzie> do you use them or not
17:55 < krzie> ok how bout this
17:55 < krzie> !configs
17:55 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
17:55 < krzie> !logs
17:55 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
17:55 < [mutex]_> aye.  sec
17:55 < krzie> !goal
17:55 < vpnHelper> krzie: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:56 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Quit: Leaving]
17:59 -!- rawDawg2 is now known as rawDawg
18:00 < rawDawg> krzie: i noticed you wrote the article in !route
18:00 < rawDawg> maybe you can help me out
18:01 < krzie> sure did
18:01 < krzie> ill try to =]
18:02 < rawDawg> well to start here is my configs: http://pastebin.com/f60aCnq0
18:03 < rawDawg> my local subnet is 10.200.0.0/24
18:03 < rawDawg> vpn is 192.168.10.0/24
18:03 < krzie> only sharing 1 lan?
18:03 < krzie> and that lan is behind the server?
18:03 < rawDawg> i dont care about the lans behind the clients
18:03 < rawDawg> only the local server lan
18:03 < krzie> ok you dont need any iroutes then
18:03 < rawDawg> right
18:03 < krzie> did you add a route to the router which the server LAN uses?
18:03 < [mutex]_> krzie: http://pastie.org/898017 <-- client config, http://pastie.org/898020 <-- server config, http://pastie.org/898027 <-- server logfile, http://pastie.org/898028 <-- client logfile.  
18:04 < [mutex]_> goal: connect to the lan in my office.
18:04 < krzie> [mutex]_ would you pls put them in 1 pastebin if you dont mind
18:04 < krzie> makes it easier to help multiple people =]
18:04 < rawDawg> i only have one client on the server lan that needs access to the vpn
18:04 < [mutex]_> expect 5 minute dealy, working on a super tiny laptop
18:04 < krzie> cool, thx [mutex]_ 
18:05 < rawDawg> so i added a route 192.168.10.0 255.255.255.0 10.200.0.20
18:05 < rawDawg> to that client
18:05 < krzie> rawDawg ok that works too
18:05 < rawDawg> all of the routing tables seem to check out
18:05 < krzie> but then change your push route
18:05 < krzie> to only push the single ip you need
18:05 -!- bakermd [~bakermd@38.104.0.102] has quit [Quit: bakermd]
18:05 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
18:06 < krzie> NONE of your clients are on 10.200.0.x or 192.168.10.x, right?
18:06 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
18:06 < rawDawg> right
18:07 -!- SerajewelKS [~me@wikipedia/Crazycomputers] has quit [Ping timeout: 246 seconds]
18:07 < krzie> what is the LAN ip of the machine on 10.200.0. which needs routing to the vpn?
18:07 < rawDawg> i see what you mean about pushing the route, they actually need access to two ips now that i think of it
18:07 < rawDawg> 10.200.0.21
18:07 < krzie> and the other?
18:07 < rawDawg> 10.200.0.20 is the server
18:07 < krzie> (you said 2)
18:08 -!- SerajewelKS [~me@wikipedia/Crazycomputers] has joined ##openvpn
18:08 < rawDawg> the server being one
18:08 < krzie> the server can be accessed by vpn ip
18:08 < krzie> but ya, you can access it by LAN ip as well if you have a route to it and you desire to
18:09 < krzie> did you enable ip forwarding on the server?
18:09 < krzie> !winipforward
18:09 < vpnHelper> krzie: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
18:09 < rawDawg> there is my problem
18:09 < rawDawg> ip routing on windows 2003 shits the bed
18:09 < krzie> nah ive done ip forwarding on win2k3 before
18:09 < rawDawg> ive tried enabling through the registry and also using routing and remote access
18:09 < krzie> worked fine
18:10 < rawDawg> i do a traceroute and pings get stuck at the server
18:10 < krzie> ive seen routing and remote access fubar stuff
18:10 < krzie> but the reg method worked for me before
18:11 < rawDawg> let me ask you this: does my config look good as far as topology subnet is concerned?
18:11 < krzie> disable routing and remote access if you can
18:11 < rawDawg> i did
18:11 < krzie> enable it via link i just gave
18:11 < krzie> then disable windows firewall for a test
18:11 < rawDawg> i will test this out again 1 sec
18:12 < krzie> if test doesnt work, try again after a reboot
18:12 < krzie> and once connected, test as follows:
18:12 < krzie> ping 192.168.10.1
18:12 < krzie> ping 10.200.0.20
18:12 < krzie> ping 10.200.0.21
18:12 < krzie> all 3
18:13 < krzie> each failing points to diff problem
18:13 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
18:13 < rawDawg> ok i disabled rras
18:13 < rawDawg> now ipconfig shows IP Routing Enabled. . . . . . . . : No
18:14 < rawDawg> so i think i have to reset the reg key
18:14 < krzie> that doesnt matter
18:14 < krzie> just make the reg key as i said
18:14 < krzie> you arent enabling routing you are enabling ip forwarding
18:14 < rawDawg> ok im going to reboot to make sure
18:15 < krzie> ya in windows thats good practice
18:15 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
18:15 < krzie> lol
18:15 < rawDawg> yeah windows bugs me sometimes
18:16 < krzie> for me, s/sometimes//
18:16 < rawDawg> so do my configs look good?
18:16 < rob0> Not me. I just stay away from it, never bothers me. Well ... except for all the spambots.
18:17  * rawDawg waits for server to reboot
18:17 < krzie> ild make the push route smaller, but that doesnt make a big diff, yes they look good
18:17 < krzie> rob0, i have no choice at work, we must use some apps only designed for windows
18:18 < krzie> although very soon ill build an osx86 box and run those apps in a VM
18:18 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Client Quit]
18:18 -!- MrBIOS [~aperez@38.104.194.62] has joined ##openvpn
18:18 < rawDawg> the other LAN ip 10.200.0.21 is a vm running ubuntu
18:18 < MrBIOS> anybody around? I just installed the OpenVPN VHD and can't get logged in via the web management console
18:19 < MrBIOS> I get the page on https port 5480
18:19 < rob0> aha, the thick plottens
18:19 < krzie> rawDawg that could have an issue, do the first 2 pings work and not the third?
18:19 < MrBIOS> but when I click to login, I get an uncaught exception, javascript error
18:19 < rob0> raw, can the VM route to the world?
18:19 < MrBIOS> and things do not progress from there
18:19 < MrBIOS> !welcome
18:19 < vpnHelper> MrBIOS: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:20 < MrBIOS> hm, I take it my previous question didn't go to channel?
18:20 < rawDawg> rob0: the vm can route to the world
18:20 < krzie> MrBIOS whats openvpn VHD?
18:20 < MrBIOS> it's the virtual appliance 
18:20 < rawDawg> i will send the ping results whenever this thing comes back up
18:21 < krzie> MrBIOS, you prolly need help from whoever makes that, openvpn does not come with a web interface or anything of the likes
18:21 < rob0> Why did you think you didn't go out to the channel? If you saw it, and you're seeing us, it did.
18:21 < MrBIOS> krzie: it's openVPN-AS
18:21 < MrBIOS> anyways, it wound up being a linux-firefox bug
18:21 < krzie> did you see the onjoin message when you entered this channel?
18:22 < krzie> in caps, "we dont support access server" ;]
18:22 < rob0> !as
18:22 < vpnHelper> rob0: Error: "as" is not a valid command.
18:22 < krzie> rob0, its not in that factoid
18:22 -!- krzie [~krzee@unaffiliated/krzee] has left ##openvpn []
18:22 -!- krzie [~krzee@unaffiliated/krzee] has joined ##openvpn
18:22 < Bushmills> !factoids search access
18:22 < vpnHelper> Bushmills: "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
18:22 < MrBIOS> krzie: my bad, it opened up in a separate tab
18:22 < vpnHelper> Bushmills: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://beta.openvpn.net/index.php/access-server/download-openvpn-as.html
18:22 < krzie> -ChanServ(ChanServ@services.)- [##openvpn] Welcome to ##openvpn.  WE DO NOT SUPPORT
18:22 < krzie>           ACCESS SERVER. 
18:23 < Bushmills> ah, right before it said "hidden in that text is a number which you need to enter to obtain voice on this channel"
18:24 < rob0> that would be cool
18:25 < Bushmills> or "read and memorize this text, as you will be asked three questions related to it"
18:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
18:33 < rawDawg> krzie: all 3 pings replied from a client
18:33 < rawDawg> but i cannot ping the same client from 10.200.0.21
18:33 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 246 seconds]
18:34 < [mutex]_> krzie: http://pastie.org/898028
18:34 < [mutex]_> sorry for the delay.
18:34 < [mutex]_> client/server configs and logs are there
18:34 < krzie> rawDawg, is the client windows?
18:35 < rawDawg> yes
18:35 < krzie> try turning off its firewall for the test
18:37 < rawDawg> !
18:38 < rawDawg> worked
18:38 < rob0> /topic
18:38 < rawDawg> i should have read the topic
18:38 < rawDawg> LOL
18:38 < [mutex]_> ;p
18:38 < krzie> [mutex]_ in client config use full paths to files
18:38 < [mutex]_> oh ok.  ill try real quick
18:38 < krzie> not ca ca.crt but /path/to/ca.crt
18:39 < rawDawg> symantec endpoint protection blocked it
18:39 < krzie> rawDawg =]
18:40 < rawDawg> krzie i feel stupid now
18:40 < krzie> second pair of eyes is known to help ;]
18:40 < rob0> At least not as stupid as if you had made a bug report!
18:40 < krzie> rob0++
18:40 < rawDawg> rob0 well routing and remote access is a windows bug
18:40  * rob0 is now known as rob1
18:40 < krzie> windows is a windows bug
18:40 < rawDawg> LOL
18:41 < krzie> lol rob
18:41 < rawDawg> well the good thing is... the firewall works
18:43 < [mutex]_> krzie: same thing. ;/
18:44 < krzie> mutex, show me ls -la in that dir
18:44 < [mutex]_> client or server
18:44 < krzie> client
18:44 < [mutex]_> its a windows machine, server is freebsd
18:45 < krzie> show me those 3 lines again
18:45 < krzie> you can paste that to here
18:45 < krzie> your new ca cert key lines
18:45 < [mutex]_> im sorry, which 3 lines?
18:45 < [mutex]_> oh
18:45 < krzie> with full paths
18:45 < [mutex]_> ca C:/Program Files (x86)/OpenVPN/config/ca.crt
18:45 < [mutex]_> cert C:/Program Files (x86)/OpenVPN/config/n8laptop.crt
18:45 < [mutex]_> key C:/Program Files (x86)/OpenVPN/config/n8laptop.key
18:45 < [mutex]_> tried with \\
18:45 < [mutex]_> but it still complained.
18:46 < krzie> rawDawg, wanna tell [mutex]_ what he did wrong there
18:46 < krzie> ?
18:46 < rawDawg> [mutex]_ check the firewall
18:46 < [mutex]_> firewall is disabled completely
18:46 < rawDawg> lol
18:46 < krzie> nope
18:46 < krzie> rawDawg paste me your configs again
18:46 < rawDawg> ok let me actually look
18:46 < [mutex]_> C:/ != C:\, C:\\ i thought would be right
18:46 < krzie> so i can be lazy
18:47 < rawDawg> http://pastebin.com/f60aCnq0
18:47 < krzie> #
18:47 < krzie> ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"  
18:47 < krzie> #
18:47 < krzie> cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.crt"
18:47 < krzie> #
18:47 < krzie> key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.key"
18:47 < [mutex]_> groovy, ill give it a try
18:47 < krzie> the  path doesnt matter, the quotes and \\ do
18:48 < krzie> thanx rawDawg =]
18:48 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
18:48 < rawDawg> hey no problem
18:48 < [mutex]_> krzie: , same thing.
18:48 < rawDawg> im glad i did something right :D
18:48 < [mutex]_> also, indeed thanks rawDawg .
18:50 < rawDawg> now i gotta try to get some work done on my network monitor :D
18:50 < krzie> mutex, update your paste, and strip all comments from your configs this time
18:50 < rawDawg> 10.200.0.21 is nagios. im going to monitor all my clients :D
18:50 < [mutex]_> http://pastie.org/898089 surely this has something to do with it
18:51 < krzie> yes, that is the problem
18:51 < [mutex]_> dude i cbf now, this tiny laptop is a pita to work with.  ill have to do it when i get back home.
18:51 < krzie> it can not access the CA.crt to verify the server cert is signed
18:52 < rawDawg> krzie im off to get some work done
18:52 < rawDawg> thanks a mil
18:52 < krzie> np =]
18:52 < rawDawg> rob0 too for your comic relief
18:52 < rawDawg> gl [mutex]_
18:52 < krzie> hes rob1 now
18:52 < [mutex]_> thats odd.  the path is correct in the config, and permissions are good.  ;/
18:52 < krzie> hehehe
18:53 < [mutex]_> in regards to your ca.crt line
18:53 < krzie> [mutex]_ well check the ca.crt is =
18:53 < krzie> the contents
18:53 < [mutex]_> im not trying to be difficult, but im not sure what you mean by that.
18:54 < [mutex]_> it certainly exists, -----BEGIN CERTIFICATE----- .....
18:55 < [mutex]_> shit
18:55 < [mutex]_> gotta go
18:55 < krzie> adios
18:55 -!- [mutex]_ [~portn0k@unaffiliated/mutex/x-1106097] has quit [Quit: Lost terminal]
19:05 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
19:05 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
19:08 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
19:26 -!- WormFood [~wormfood@58.61.134.94] has left ##openvpn ["Leaving"]
19:26 -!- rawDawg [~omglol@cpe-76-188-26-242.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
20:06 -!- _insane [~un@ppp-188-174-78-151.dynamic.mnet-online.de] has quit [Read error: Connection reset by peer]
20:07 -!- _insane [~un@ppp-188-174-78-151.dynamic.mnet-online.de] has joined ##openvpn
20:22 < vpnHelper> New forum entry openvpnforum: Wishlist :: authenticate to socks daemon :: Author krzee <http://www.ovpnforum.com/viewtopic.php?f=10&t=3790&p=4289#p4289>
20:22 -!- Guest92802 is now known as redfox
20:23 -!- redfox is now known as Guest25722
20:24 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
20:25 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
20:28 -!- Blu3 [~David@BlueLabs/Blu3] has quit [Ping timeout: 268 seconds]
20:33 -!- Blu3 [~David@FirefighterBlu3-2-pt.tunnel.tserv15.lax1.ipv6.he.net] has joined ##openvpn
20:33 -!- Blu3 [~David@FirefighterBlu3-2-pt.tunnel.tserv15.lax1.ipv6.he.net] has quit [Changing host]
20:33 -!- Blu3 [~David@BlueLabs/Blu3] has joined ##openvpn
20:33 -!- Blu3 [~David@BlueLabs/Blu3] has quit [Client Quit]
20:34 -!- FirefighterBlu3 [~David@BlueLabs/Blu3] has joined ##openvpn
21:16 -!- MrBIOS [~aperez@38.104.194.62] has quit [Quit: Leaving.]
21:45 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
21:45 -!- havoc [~havoc@saturn.chaillet.net] has quit [Ping timeout: 276 seconds]
21:46 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
21:48 < theDoc> !vpnchains
21:48 < vpnHelper> theDoc: Error: "vpnchains" is not a valid command.
21:48 < theDoc> !chains
21:48 < vpnHelper> theDoc: Error: "chains" is not a valid command.
21:48 < theDoc> Hrm.
21:52 -!- havoc [~havoc@saturn.chaillet.net] has joined ##openvpn
21:52 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 258 seconds]
22:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
22:08 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
22:08 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
22:19 -!- FirefighterBlu3 is now known as Blu3
22:20 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
22:24 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 260 seconds]
22:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
22:27 < krzie> its in the wiki
22:27 < krzie> !wiki
22:27 < vpnHelper> krzie: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
22:28 -!- oc80z [oc80z@blea.ch] has quit [Ping timeout: 252 seconds]
22:30 < krzie> theDoc there is no factoid for it because its nothing anyone has ever asked about, or will likely ever ask about
22:30 < krzie> but here is the link
22:30 < krzie> http://www.secure-computing.net/wiki/index.php/OpenVPN/VpnChains
22:30 < vpnHelper> Title: OpenVPN/VpnChains - Secure Computing Wiki (at www.secure-computing.net)
22:31 -!- oc80z [oc80z@blea.ch] has joined ##openvpn
22:32 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
22:37 < theDoc> krzie> Ahh, yeah. I got it.
22:37 < theDoc> Thanks.
22:38 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
22:38 < theDoc> I'm still waiting for the day openvpn brings in ipv6 support for AS.
22:38 < theDoc> :|
22:39 < theDoc> Like, native ipv6 support or something, well I'm sure I could build a 4to6 tunnel or something too.
23:00 -!- oc80z [oc80z@blea.ch] has quit [Read error: Connection reset by peer]
23:00 -!- oc80z [oc80z@blea.ch] has joined ##openvpn
23:06 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
23:06 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
23:07 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Ping timeout: 276 seconds]
23:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
23:17 -!- DarthGandalf|BNC is now known as DarthGandalf
23:21 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
23:46 -!- smerz [~daniel@smerz.demon.nl] has quit [Remote host closed the connection]
--- Day changed Thu Apr 01 2010
00:06 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
00:36 -!- greppy [~mharlow@lopsa/tech-team/grephead] has joined ##openvpn
00:36 < greppy> !welcome
00:36 < vpnHelper> greppy: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
00:38 < greppy> !howto
00:38 < vpnHelper> greppy: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
00:42 -!- d000k is now known as d12fk
00:52 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
00:52 -!- mode/##openvpn [+o mattock] by ChanServ
00:56 -!- chupacabra [~chupacabr@cpe-70-112-123-173.austin.res.rr.com] has joined ##openvpn
00:58 < chupacabra> ok, my tunnel is up and I can hit localhost on 10.8.0.1  in a browser.  How can I see files and directories on the vpn also?
01:00 < theDoc> chupacabra> Your question does not make sense.
01:01 < chupacabra> probably not.
01:02 < chupacabra> what I mean is I can browse the webserver on my vpn machine but how do I access my files in my home dir.
01:04 < greppy> is your webserver configured to serve your home directory?
01:04 < chupacabra> no
01:04 < chupacabra> only the site
01:05 < chupacabra> I thought vpn was like being there.  almost like vnc
01:05 -!- cwillu_at_work [~cwillu@cwillu.com] has quit [Read error: Operation timed out]
01:05 < greppy> it can be.
01:05 < greppy> how do you want to browse to your files?
01:05 < greppy> through a webbrowser or through a fileshare?
01:05 < chupacabra> Im on fedora on both ends
01:06 -!- cwillu_at_work [~cwillu@64.22.125.185] has joined ##openvpn
01:06 < chupacabra> generally I use ls
01:06 < greppy> vpn is like having two computers on the same network
01:06 < greppy> not having two computers be one.
01:06 < greppy> if you want to share files, I would suggest using something like samba
01:06 < chupacabra> I understand that I think.
01:07 < chupacabra> samba is running on the vpn machine
01:08 < chupacabra> and sharing some directories
01:16 < chupacabra> I need to know this for win users.  I can ssh in and do whatever myself but it would be good to know it better for user documentation
01:17 < chupacabra> Course win users will have a click and drool gui I imagine.
01:18 < chupacabra> guess I neet to set up windows virtual machine in here.  grrr
01:18 -!- derjohn_foo [~aj@c154136.adsl.hansenet.de] has quit [Ping timeout: 265 seconds]
01:24 < greppy> chupacabra: see if you can mount a shared directory
01:24 < theDoc> !lans
01:24 < vpnHelper> theDoc: "lans" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
01:24 -!- dazo_afk is now known as dazo
01:24 -!- DrPepper [~DrPepper@88.207.192.171] has joined ##openvpn
01:24 < greppy> chupacabra: smbmount or mount.cifs may help
01:26 < chupacabra> how would I call it?  10.8.0.1:/Music   ??
01:27 < chupacabra> yall see xkcd today?
01:27 < greppy> chupacabra: that may work, if you have a samba share named Music
01:28 < chupacabra> k   tks
01:34 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
01:40 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit [Ping timeout: 276 seconds]
01:47 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
01:53 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.8/20100214235958]]
02:02 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
02:06 -!- DrPepper [~DrPepper@88.207.192.171] has quit [Quit: Leaving...]
02:06 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 246 seconds]
02:10 -!- d12fk is now known as d000k
02:11 -!- guy8888888 [~g@sge78-1-82-228-21-90.fbx.proxad.net] has joined ##openvpn
02:11 < guy8888888> help !!!!
02:13 < guy8888888> someone can help me please ?
02:14 -!- d000k is now known as d12fk
02:14 < guy8888888> I try to run openvpn server without the daemon and I receive no output
02:14 < guy8888888> what's wrong ?
02:15 < guy8888888> I am running openvpn under ubuntu
02:20 -!- d12fk is now known as d000k
02:20 -!- d000k is now known as d12fk
02:20 -!- d12fk is now known as d000k
02:20 -!- d000k is now known as d12fk
02:20 -!- d12fk is now known as d000k
02:24 < guy8888888> hello ?
02:27 -!- LobbyZ [~default@188.72.255.194] has quit [Quit: Free FTW]
02:31 -!- AlHafoudh [~alhafoudh@77.93.192.244] has joined ##openvpn
02:33 < guy8888888> hello !!!!
02:40 -!- DrPepper [~DrPepper@88.207.192.171] has joined ##openvpn
02:45 < guy8888888> please
02:45 < guy8888888> help
02:45 < |Mike|> read the topic please.
02:46 < guy8888888> it seems that openvpn is not even running, how can we check that the configuration is working fine
02:46 < |Mike|> As I said before, read the topic 
02:46 < guy8888888> first my problem is not the firewall, second there is no such topic in the forum
02:47 < |Mike|> *sigh* 
02:47 < |Mike|> bye.
02:48 < |Mike|> Type  !welcome  before asking your questions.
02:48 < |Mike|> Maybe we should put quotes around !welcome krzee 
02:50 < guy8888888> !welcome
02:50 < vpnHelper> guy8888888: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:50 < guy8888888> !howto
02:50 < vpnHelper> guy8888888: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:51 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
02:56 < guy8888888> ok I read the how to before coming here, I still have a problem with openvpn
02:56 < guy8888888> !configs
02:56 < vpnHelper> guy8888888: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
02:56 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.2/20100316074819]]
02:56 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
03:05 < theDoc> !pastebin
03:05 < vpnHelper> theDoc: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
03:07 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
03:07 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
03:08 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
03:11 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 245 seconds]
03:25 < Bushmills> "seems that openvpn is not even running"  .. start it
03:27 < theDoc> service openvpn start
03:27 < theDoc> GO!
03:28 < |Mike|> Bushmills: :P
03:28 < |Mike|> I would have entered dd if=/dev/null of=/dev/hda for starting openvpn :$
03:29 < |Mike|> </april 1 joke>
03:29 < Bushmills> luckily, in a time of SATA drives being omnipresent, there's not that much harm coming from this anymore
03:30 < theDoc> You could just change it to sda and still cause the same amount of damage ;p
03:30 < Bushmills> "oh, i just backupped my nulldevice"  :)
03:30 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
03:31 < Bushmills> mine have names like "mmcblk..."  
03:33 < Bushmills> after starting, 
03:33 < Bushmills> !logs
03:33 < vpnHelper> Bushmills: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
03:34 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
03:34 < Bushmills> though look at them first, before pasting
03:34 < Bushmills> often, the cause of problems is clearly indicated in the logs
03:34 < Bushmills> it is rumoured that logs are created for actually that purpose 
03:44 < greppy> Bushmills: blasphemy!  to find out what is going wrong we need a live chicken! (to start with anyway)
03:44 < Bushmills> there were fish in the ocean before any chicken were around
03:45 < greppy> yes, but have you ever tried to do a reading using a fish?  it's not as easy as with a chicken.
03:45 < krzee> [03:48]  <|Mike|> Maybe we should put quotes around !welcome krzee 
03:46 < krzee> the bot actually supports multiple word factoids
03:46 < Bushmills> outlining letters with fish yields more legible results, as they tend less to run away
03:46 < krzee> !howto bleh
03:46 < vpnHelper> krzee: Error: "howto" is not a valid command.
03:46 < krzee> !howto
03:46 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:46 < krzee> !learn howto bleh as test
03:46 < vpnHelper> krzee: Joo got it.
03:46 < krzee> !howto bleh
03:46 < vpnHelper> krzee: "howto bleh" is test
03:46 < krzee> !forget howto bleh
03:46 < vpnHelper> krzee: Joo got it.
03:47 < krzee> Bushmills, with fish?  /me types /keyx #openvpn
03:47 < krzee> (xfish.so)
03:48 < Bushmills> that's because you don't have any logfish where you are
03:48 < krzee> nope, only blowfish
03:48 < krzee> and all those fish other people eat
03:48 < krzee> but i dont eat seafood
03:48 < krzee> only fish i deal with have to do with encryption =]
03:50 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined ##openvpn
03:50 < Bushmills> just no fish, or no animal proteines at all?
03:51 < zoredache> !welcome
03:51 < vpnHelper> zoredache: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:51 < krzee> i eat tons of animal
03:52 < krzee> just dont have a taste for seafood
03:52 < krzee> i eat cow, pork, chicken, turkey, goat, etc
03:52 < krzee> seafood is actually much more healthy, i just dont like it
03:53 < Bushmills> wel, depends a bit where it was caught, and what they eat
03:53 < Bushmills> some do accumulate considerable amounts of heavy metals
03:54 < krzee> kinda
03:54 < krzee> all the polutants end up in their fat
03:54 < krzee> fish are unique that way
03:54 < zoredache> *grumbles* why does the topic point to a forum where the search is broken...
03:54 < krzee> and their fat is darker than their meat
03:54 < krzee> search is broken at ovpnforum.com???
03:55  * krzee checks
03:55 < zoredache> krzee: Sorry but you are not permitted to use the search system.
03:55 < dazo> zoredache:  you're not worthy yet? :-P
03:55 < zoredache> I suspect they requie me to login, but I think that is very annoying and stupid
03:56 < dazo> you're not worthy yet! ;-)
03:56 < krzee> oh, but you have no idea the admin nightmare that is ovpnforum.com
03:56 < zoredache> and yes, I know I can search via google with site:blah....
03:56 < |Mike|> just hack it!
03:56 < krzee> trust me, i help admin it!
03:57 < krzee> hah mike
03:57 < krzee> mike, if you wanna hack so bad i have a 1k bounty on a server but no time to deal with it
03:57 < zoredache> well anyway.  So are there any options to allow a non-admin user to start/stop vpns on vista/7?
03:58 < |Mike|> krzee: my boss pays me enough to legit "hack" (read: pen-test) stuff :)
03:58 < krzee> !factoids search admin
03:58 < vpnHelper> krzee: 'ssl-admin', 'win_noadmin', and 'ssl-admin 1'
03:58 < krzee> dunno how well this works in vista, but here:
03:58 < krzee> !win_noadmin
03:58 < vpnHelper> krzee: "win_noadmin" is (#1) http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows, or (#2) and http://article.gmane.org/gmane.network.openvpn.user/24873 for vista
03:58 < krzee> that worked in some versions
03:59 < krzee> but basically, whatever user starts openvpn needs access to change adapter settings as well as routes
03:59 < krzee> which is pretty serious settings
03:59 < Bushmills> at least you don't need to reboot windows (anymore) for those :D
03:59 < zoredache> I am not finding anything and I am strongly consdering setting it up as a service, setting up managment-hold and and writing a gui that will connect to the managment port and send the release
04:00 < zoredache> just trying to decide if I will be reinventing a wheel
04:00 < Bushmills> reinventing the wheel is good
04:01 < zoredache> sometimes, sometimes not
04:01 < Bushmills> or we'd still have sliced tree logs on our cars
04:02 < zoredache> Yes, but I don't want to reinvent the exact same wheel
04:02 < krzee> setting it as a service should be enough
04:02 < zoredache> I see lots of suggestions to mess around with service permissions, but I don't think I have anyone suggesting the use of the managment-hold
04:02 < krzee> services start with advanced privs
04:03 < krzee> dont they?
04:03 < krzee> i been outside the win world for awhile now
04:03 < zoredache> right, but the point is that I don't want to deal with messging around with permissions to start/stop the service.  And there are multiple configurations and only one should be used at at ime
04:03 < zoredache> the service typically will start everything
04:04 < krzee> oh, the headaches of windows
04:05 < krzee> hey Bushmills, should i get another beer or try to sleep?
04:05 < greppy> beer!
04:05 < greppy> always beer
04:05 < |Mike|> https://www.twenty-five.nl/kies.html
04:05 < vpnHelper> Title: Twenty-Five | Kies VPS (at www.twenty-five.nl)
04:05 < |Mike|> wow, those guys are cheap
04:05 < greppy> unless of course something harder is available.
04:05 < krzee> i do need to work in like 5.5 hrs
04:05 < |Mike|> 2gb ram, 1cpu, 125gb hdd, 250gb traffic for 25 euro
04:05 < |Mike|> lawl
04:05 < krzee> plenty harder available, i have a full bar
04:06 < Bushmills> krzee: if you can't decide that anymore, i suppose sleep is needed
04:06 < krzee> Bushmills, ok good point, greppy was right =]
04:06  * krzee goes to the fridge
04:07 < Bushmills> |Mike|:  8 GiB RAM, quad-core CPU, 1.5 TiB disks, unlimited traffic (with first 2 TiB unthrottled) for twice that
04:08 < |Mike|> Bushmills: for 200 ? :)
04:08 < Bushmills> 50
04:08 < |Mike|> not bad hehe
04:09 < |Mike|> got an url? :)
04:09 < Bushmills> yes
04:09 < agagag> i think my isp (orange uk) is doing something to my vpn 
04:09 < agagag> very annoying 
04:10 < greppy> how so
04:10 < greppy> ?
04:10 < krzee> thanx greppy, got more beer
04:11 < Bushmills> |Mike|: i pm'ed you the url
04:11 < krzee> i only have 650ml, but ill have to deal with it =]
04:11 < agagag> i can not check my email using offlineimap with imaps thru the vpn althought it works from other locations 
04:12 -!- master_of_master [~master_of@p57B56334.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
04:12 < agagag> scp also hungs at; the end of the file 
04:13 < krzee> agagag, does it not work when VPN'ing to a location where it DOES work if you are there?
04:13 < |Mike|> Bushmills: thanks
04:13 -!- master_of_master [~master_of@p57B553DE.dip.t-dialin.net] has joined ##openvpn
04:13 < agagag> krzee: yes it also works with vpn from other location/isp 
04:13 < krzee> Bushmills, nice deal, if i was in the market to pay ild go for that
04:14 < krzee> agagag, i thought you said it doesnt work over vpn
04:14 < Bushmills> I have converted several servers to virtual servers on such a machine.
04:14 < Bushmills> saves money :)
04:14 < agagag> krzee: it doesnt work from this location/isp 
04:16 < krzee> ahh
04:16 < krzee> they must filter then
04:17 < agagag> krzee: i thought so but the tunnel is up and i can do most things i usually do 
04:17 < krzee> which further proves my point
04:18 < agagag> krzee: how is that?
04:18 < krzee> if you can reach other things, but not a specific host:port, they filter
04:18 < agagag> no i can vpn to my network
04:18 < agagag> but some stuff dont work 
04:19 < agagag> if i take my laptop to other location they do 
04:19 < krzee> well you seem to have it set to reach inet
04:19 < krzee> so if you can reach google but not that, they do
04:20 < agagag> i can also vpn to my server, just some things seems such as scp and imaps sem crippled 
04:21 < agagag> maybe throttled ?
04:21 < agagag> weird 
04:21 < greppy> as long as you are going across your tunnel, it shouldn't matter what they have filtered.
04:21 < krzee> maybe, or maybe mtu issues or something
04:21 < krzee> greppy, unless they are QOS'ing your connection to your server
04:22 < krzee> agagag, are you using udp or tcp as your transport layer?
04:22 < agagag> qos seems like whats up there. 
04:22 < greppy> krzee: true, but they still shouldn't be able to tell WHAT is going cross the tunnel, just that there is an encrypted tunnel setup
04:22 < agagag> udp 
04:22 < krzee> right, they cant tell what is inside the tunnel
04:23 < agagag> krzee: switching to tcp might fix this problem form what i read but is not very practical...
04:23 < krzee> !tcp
04:23 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
04:23 < krzee> stick with udp
04:23 < theDoc> Unless you have an exceptional reason to use tcp, no one should be using tcp.
04:24 < Bushmills> i'm using impa, imaps, scp through openvpn w/o problems 
04:24 < krzee> like i say bout tap!
04:24 < theDoc> I haven't seen anyone with a really compelling reason to run tcp yet though, so ymmv.
04:24 < agagag> well if the tunnel is crippled from my home is quite an exceptional reason but still not going to 
04:24 < Bushmills> udp tunnel now, was tcp tunnel not long ago
04:25 < theDoc> agagag> tcp is just going aggravate the problem, not solve it.
04:25 < theDoc> Bushmills> Why tcp?
04:25 < Bushmills> because on that cellular link, udp wouldn't connect
04:25 < theDoc> ahh.
04:25 < agagag> it seems that the bandwidth is very low with udp over the vpn link as seen with iperf 
04:26 < krzee> theDoc, ive seen reasons for tcp, nazi firewalls
04:26 < Bushmills> compelling enough?
04:27 < krzee> ie: what Bushmills said
04:27 < theDoc> krzee> Well yes, that's a specific enough situation. I was caught in one the other day but was out of there fast enough.
04:27 < Bushmills> i suppose i could have tried to port share udp/53
04:28 < krzee> Bushmills, assuming they even let you choose your own NS
04:28 < krzee> some dont
04:28 -!- ScriptFanix [vincent@2001:910:100b::1] has joined ##openvpn
04:28 < Bushmills> but as the name server on vpn server side is authoritative, i didn't feel to introduce the additional overhead
04:29 < theDoc> I'm sure it can be filtered over udp/53, although the logic eludes me right now.
04:29 -!- derjohn_foo [~aj@213.238.45.2] has joined ##openvpn
04:29 < krzee> i have many servers so that would be fine for me (most arent NS) but some nazi firewalls require you use their NS
04:30 < theDoc> I'm still a fan on pushing the traffic through 443, mainly because most sites I'm at can't/don't know how to filter it properly. It's SSL! OMG! Let it all through!
04:30 < krzee> theDoc, thats tcp!
04:31  * greppy is now tempted to setup openvpn to listen on 53...
04:31 < theDoc> krzee> I know, I run it over udp and since no one filters those ports, what ever for should I swap to tcp? :-)
04:31 < krzee> any firewall that filters outgoing but allows 443 should only do so for tcp 443
04:32 < krzee> otherwise they are complete dildos
04:32 < theDoc> They seem to be under the impression that if it's ssl, it has to be tcp, I'm not about to correct them.
04:32 < krzee> udp 443 has nothing to do with ssl
04:32 < greppy> too many notwork engineers don't understand the difference between tcp & udp, so when they open a port for one, they open it for both.
04:32 < theDoc> krzee> Doesn't matter to them, or maybe they just don't know.
04:33 < krzee> then they are gui using dildos, but its not common
04:33 < theDoc> greppy> Hah, yeah. I just spoke to one recently whom insisted that tcp/ip is a protocol.
04:34 < krzee> at least not among locations which filter outbound
04:34 < krzee> tcpdude
04:34 < krzee> tcp/ip IS a protocol
04:34 < krzee> LOL
04:35 < theDoc> krzee> tcp/ip in that sense is a group of protocols, not tcp as a protocol.
04:35 < krzee> well a suite of protocols
04:35 < ScriptFanix> theDoc: and you answered "stack"?
04:36 < theDoc> ScriptFanix> No, told him it was a suite of protocols.
04:36 < krzee> tcp is a protocol, ip is a protocol
04:36 < theDoc> krzee> Which is true.
04:36 < krzee> so to say the tcp/ip protocol, is not so far off
04:37 < theDoc> krzee> I don't know about you but it doesn't feel right to me calling tcp/ip a protocol.
04:38 < krzee> granted its slightly higher level, but ild let it slide
04:39 < theDoc> I guess it's a situation of ymmv.
04:39 < krzee> its a matter of semantics imo 
04:39 < krzee> Bushmills, opinion?
04:40 < theDoc> Although to be frank, I wonder if it's 2 different schools of thought on this subject.
04:41 < Bushmills> on tcp/ip being a protocol?
04:41 < Bushmills> well, otherwise those would be tcnp and inp for "non-protocol"
04:41 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
04:41 < krzee> that will require some google form me
04:42 < krzee> lol
04:42 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
04:42 < Bushmills> or tnp
04:42 < Bushmills> "tnp is not a protocol"
04:43 < krzee> ya no help from the good
04:43 < krzee> goog*
04:44 -!- ptg [~ptg@coolstoryb.ro] has quit [Disconnected by services]
04:55 < agagag> is it possible to make openvpn listen to two ports or it will require a second instance of it?
04:56 < hyper_ch> second instance IIRC
05:01 < Bushmills> you might be able to use your firewall to redirect incoming traffic from another port to your openvpn port, and have both that way 
05:02 < hyper_ch> :)
05:02 < hyper_ch> wouldn't that be way too simple :)
05:02 < Bushmills> well, i never tried that, but i don't see why it shouldn't work
05:03 < hyper_ch> why make things simple when you can make them complicated and hence ensure that you'll be continued  asked for help/services
05:04 < Bushmills> that may be a valid point for a business
05:04 < ScriptFanix> is it possible to force a fixed ethernet address on tap devices ? I'm planning to use openvpn to provide ipv6 addresses using tap + radvd
05:05  * hyper_ch is borrowing the principle from "How to write unmaintainable code"
05:05 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:05 < Bushmills> write it in APL :)
05:05 < hyper_ch> can't I get a sheevaplug at all in Switzerland :(
05:06 < Bushmills> seen those on ebay. but not for attractive prices
05:06 < Bushmills> maybe gumstix are an alternative?
05:07 < hyper_ch> well, I'd like to have one with the according power outlet/inlet sticks thingies to use here
05:07 < hyper_ch> Bushmills: http://www.plugpbx.org/ --> hence sheeva :)
05:07 < vpnHelper> Title: PlugPBX Project (at www.plugpbx.org)
05:08 < Bushmills> here is an example of a bit of a small APL program. taken from wikipedia:  http://upload.wikimedia.org/wikipedia/en/0/09/StripHtmlFromText.gif
05:09 < Bushmills> (~R∊R∘.×R)/R←1↓⍳R    or this one (looks actually quite allright, pasted here):   finds all prime numbers from 1 to R
05:09 < Bushmills> conway's game of life:   http://upload.wikimedia.org/wikipedia/en/f/ff/LifeInApl.gif
05:26 < agagag> it seems that there something fishy with my incoming vpn traffic. i can spc a large file to my server inside the vpn. scp back to my computer stalles. scp back without the vpn works fine 
05:26 < agagag> s/spc/scp/
05:35 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
05:40 -!- ZummiG777 [~ZummiG777@campfieldm-work.sworps.tennessee.edu] has joined ##openvpn
05:41 < ZummiG777> Question: Is there a way to write a push rule that says "Push this entire subnet to the client's routing table?"
05:48 -!- guy8888888 [~g@sge78-1-82-228-21-90.fbx.proxad.net] has left ##openvpn []
06:01 < agagag> ok i fixxed it, using tun-mtu 1500
06:01 < agagag> fragment 1300 and mssfix
06:01 < agagag> on the server
06:08 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 245 seconds]
06:09 -!- olli [olli@tmo-018-171.customers.d1-online.com] has joined ##openvpn
06:09 < olli> !welcome
06:09 < vpnHelper> olli: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:10 < olli> !route
06:10 < vpnHelper> olli: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
06:18 < cpm> have a good handle on routing first, if you hope for vpn success. 
06:21 -!- olli [olli@tmo-018-171.customers.d1-online.com] has quit []
06:22 -!- temba [~temba@188-193-35-229-dynip.superkabel.de] has joined ##openvpn
06:24 -!- olli [olli@tmo-018-171.customers.d1-online.com] has joined ##openvpn
06:28 < olli> hi, i'm unable to reach the mashines in the server subnet, push route is set in server.conf, ip-forwarding is enabled on the server, flushed all iptables rules, but still no success, i followed the howto
06:29 -!- greppy [~mharlow@lopsa/tech-team/grephead] has quit [Ping timeout: 264 seconds]
06:29 -!- AlHafoudh_ [~alhafoudh@77.93.192.244] has joined ##openvpn
06:33 -!- AlHafoudh [~alhafoudh@77.93.192.244] has quit [Ping timeout: 246 seconds]
06:33 < olli> I get this error on the client (win7) route addition failed using CreateIpForwardEntry: One or more arguments are not correct.
06:38 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has joined ##openvpn
06:38 < vpnguy> !welcome
06:38 < vpnHelper> vpnguy: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:39 < vpnguy> !goal
06:39 < vpnHelper> vpnguy: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:39 < vpnguy> I would like to access the lan behind the server
06:40 < vpnguy> what configuration type fits better ?
06:40 < vpnguy> ethernet bridging ?
06:41 < vpnguy> !route
06:41 < vpnHelper> vpnguy: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
06:41 < olli> ethe
06:43 < olli> ethernet is easier to set up because you don't have to set routes, but needs more traffic because broadcast traffic goes through the tunnel
06:46 < rob0> !tunortap
06:46 < vpnHelper> rob0: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against
06:46 < vpnHelper> rob0: you over the vpn
06:47 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
06:48 < olli> !wins
06:48 < vpnHelper> olli: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
06:53 < rob0> If the error says, "One or more arguments are not correct," you will have to determine which argument[s] [is]are wrong and make them right. No better answer is possible, even on April Fools' Day.
06:55 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has quit [Ping timeout: 264 seconds]
06:55  * cpm sends rob0 over tap
07:01 < olli> rob0:seems that this is a vista / win7 issue, i fixed it with adding route-method exe route-delay 2 in the client.conf, so im not getting any errors anymore in the client log, but i still can only ping the lan ip address of the server, not the computers behind
07:01 < rob0> !winipforward
07:01 < vpnHelper> rob0: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
07:03 < olli> rob0: my server is running linux (ubuntu server 8.04) /proc/sys/net/ip_v4/ip_forward is set to 1
07:05 < olli> because of ip-routing, i dont need to add the route back to the ovpn client on every single client right?
07:05 < rob0> Routing is bidirectional. Each end of an intended TCP/IP connection must know how to route to the other, and this includes any intermediate routers.
07:08 < olli> server subnet is 192.168.100.240 255.255.255.240, server ip is 100.250, i want to reach 100.254 ..enabling iproute on the vpn server should work, right?
07:10 -!- theDoc [~jaki@69.10.59.166] has joined ##openvpn
07:10 -!- theDoc [~jaki@69.10.59.166] has quit [Changing host]
07:10 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
07:13 < rob0> If a host doesn't have a route to tell it what to do with a packet, that packet is sent to the default gateway.
07:30 < Bushmills> a default route *is* a route, telling what to do with a packet
07:30 < Bushmills> if there is no route, host will complain that destination can't be reached
07:35 < olli> hmm but isn't there a difference between route and ip-route? It really cant be a solution to add the route back to every vpn client on every host on the servers subnet. 
07:37 < Bushmills> you can route per destination net and interface
07:37 < Bushmills> supposedly, all your clients are in the same subnet, with server vpn address on one single interface to route to
07:41 < olli> yes, they are directly connected to the ethernet interface of the vpn server, iptables disabled, route 192.168.100.240 255.255.255.0 pushed to the client. I see ping requests from the vpn client on the servers tun interface, but ovpn don't forward them to the lan interface
07:43 < Bushmills> are the echo replies visible on vpn server eth interface?
07:45 < olli> no
07:45 < Bushmills> you'd want to check out why not
07:45 < Bushmills> whether vpn server routes them back or not is irrelevant if they don't even get there
07:45 < olli> yes, but i don't know how, im currently double checking my server.conf
07:46 < olli> ip-forwarding is definately enabled on the server
07:46 < Bushmills> well, check whether the request arrive at clients. check what clients do with replies
07:47 < Bushmills> only worth trying to fix a problem in the config if you know what the problem actually is
07:49 < olli> ok
07:54 < agagag> is it possible to push fragment and mssfix?
07:54 < agagag> i get option 'fragment' cannot be used in this context
07:55 < agagag> i can fix the broken vpn because of my isp my adding them on both sides but it will break the other clients that dont have them
08:06 -!- gravyface [~chatzilla@CPE001d7e46ff91-CM0014e8b59110.cpe.net.cable.rogers.com] has left ##openvpn []
08:15 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:22 < olli> Bushmills: get a request on the mshines on the server subnet, but the reply goes to the default gw... why openvpn doesn't change the source address of the packet
08:29 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
08:29 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
08:33 -!- derjohn_foo [~aj@213.238.45.2] has quit [Ping timeout: 260 seconds]
08:40 -!- olli_ [olli@tmo-090-107.customers.d1-online.com] has joined ##openvpn
08:41 -!- olli [olli@tmo-018-171.customers.d1-online.com] has quit [Ping timeout: 265 seconds]
08:43 -!- AlHafoudh_ [~alhafoudh@77.93.192.244] has quit [Ping timeout: 276 seconds]
08:43 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
08:50 -!- ZummiG777 [~ZummiG777@campfieldm-work.sworps.tennessee.edu] has quit [Quit: Leaving]
08:54 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
08:56 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
09:08 < Bushmills> why should openvpn change any address?
09:09 < Bushmills> it is meant to make connection between two machines. what is beyond is task of your routing
09:10 < olli_> hmm
09:11 < dazo> olli_:  you need to consider OpenVPN more like a "virtual cable" between two networks .... (while this metaphor is discussable with OpenVPN in TUN mode, it is even more true and closer to reality when being in TAP mode)
09:12 < olli_> so the best option is to do nat on my tun interface, if i dont want to set up routes back on every host in the server subnet?
09:12 -!- atlantic [~atlantic@hok.duf.hu] has quit [Ping timeout: 276 seconds]
09:13 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 265 seconds]
09:13 -!- atlantic [~atlantic@hok.duf.hu] has joined ##openvpn
09:14 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
09:17 -!- drecute [~pdrealg@41.155.43.22] has joined ##openvpn
09:18 < drecute> heya, please what could be the problem if i can connect to the internet but i can browse webpages
09:19 < theDoc> How do you know you are connected to the internet?
09:20 < drecute> theDoc: i can connect to IRC for instance
09:20 < theDoc> Do you have a DNS set?
09:20 < drecute> theDoc: i really am not sure about the importance of that
09:21 < drecute> but i have it set on the server
09:21 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
09:21 < drecute> does it require any settings on the client as well
09:21 < theDoc> Is your server pushing the DNS to the client?
09:21 < theDoc> !howto
09:21 < vpnHelper> theDoc: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:21 < drecute> i have push "dhcp-option DNS 10.8.0.1" set on the server
09:22 < theDoc> 10.8.0.1? You have an internal DNS server somewhere?
09:22 < drecute> i have read that doc over and over again
09:22 < drecute> yes
09:22 < drecute> that's not the ip address
09:22 < drecute> just to let u know i have it set already
09:23 < theDoc> drecute> Can you pastebin your config?
09:23 < drecute> client or server?
09:24 < theDoc> server.
09:24 < drecute> ok
09:24 < drecute> just a sec
09:29 < Bushmills> " if i can connect to the internet but i can browse webpages"  .. no problem, then.
09:30 < Bushmills> what OS runs on your client?
09:35 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:51 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
09:51 -!- mode/##openvpn [+o mattock] by ChanServ
09:52 < drecute> theDoc: http://pastebin.com/YG5DMeZq
09:52 < drecute> Bushmills: windows server
09:52 < drecute> 2003
09:54 < theDoc> Are you sure this is a dhcp server? push "dhcp-option DNS 74.207.0.0"
09:54 < drecute> theDoc: positive
09:55 < drecute> theDoc: sorry not sure
09:55 < drecute> i'm not sure about its function
09:56 < theDoc> You're not sure about it's function and you're presuming it's a DNS server? Really?
09:56 < theDoc> and that's an entire subnet, http://ws.arin.net/whois/?queryinput=74.207.0.0
09:56 < vpnHelper> Title: ARIN: WHOIS Database Search (at ws.arin.net)
09:57 < theDoc> Try changing that to 8.8.8.8 (google's DNS) and see if that solves the problem for you, remember to restart the service.
09:57 < drecute> ok
09:58 < theDoc> drecute> www.lmgtfy.com/?q=what+is+a+dns+server
09:59 < drecute> theDoc: thanks
10:00 < drecute> theDoc: will add that to my knowledge
10:00 < theDoc> np.
10:17 < drecute> ok. I think i can now browse the net. but not with the vpn at the moment
10:22 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:24 -!- dazo is now known as dazo_afk
10:25 -!- coodu [~pdrealg@41.155.25.23] has joined ##openvpn
10:27 -!- drecute [~pdrealg@41.155.43.22] has quit [Ping timeout: 276 seconds]
10:29 -!- MrJK [~jezu@194.199.166.96] has quit [Ping timeout: 276 seconds]
10:32 -!- coodu is now known as drecute
10:39 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
10:41 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
10:47 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:48 -!- temba [~temba@188-193-35-229-dynip.superkabel.de] has quit [Quit: Verlassend]
10:58 < drecute> theDoc: pls can i do next
11:09 -!- LobbyZ [~default@188.72.255.194] has quit [Ping timeout: 258 seconds]
11:15 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
11:21 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
11:36 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:46 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has joined ##openvpn
11:47 -!- drecute [~pdrealg@41.155.25.23] has quit [Ping timeout: 260 seconds]
11:51 -!- flok420 [folkert@keetweej.vanheusden.com] has joined ##openvpn
11:52 -!- drecute [~pdrealg@li85-35.members.linode.com] has joined ##openvpn
12:02 -!- ScriptFanix [vincent@2001:910:100b::1] has quit [Quit: coin]
12:02 -!- ScriptFanix [vincent@2001:910:100b::1] has joined ##openvpn
12:09 -!- dotCOMmie [tox@glitchinthe.net] has quit [Read error: Connection reset by peer]
12:13 -!- MrBIOS [~aperez@38.104.194.62] has joined ##openvpn
12:21 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
12:56 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.8/20100214235958]]
12:57 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has joined ##openvpn
12:59 -!- drecute [~pdrealg@li85-35.members.linode.com] has quit []
12:59 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
12:59 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
13:01 -!- dazo_ [~dazo@89-24-6-84.i4g.tmcz.cz] has joined ##openvpn
13:03 -!- LobbyZ [~default@188.72.255.194] has quit [Ping timeout: 248 seconds]
13:03 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
13:08 < flok420> hi. i have the following server config: http://pastebin.org/130512 and client config http://pastebin.org/130514 now authentication works fine but no traffic goes though. what can be the cause?
13:13 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Ping timeout: 260 seconds]
13:13 -!- sparch [~sparch@pdpc/supporter/active/sparch] has joined ##openvpn
13:14 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has joined ##openvpn
13:16 < sparch> noon.
13:17 -!- dazo_ [~dazo@89-24-6-84.i4g.tmcz.cz] has quit [Ping timeout: 258 seconds]
13:26 -!- dazo_ [~dazo@89-24-6-33.i4g.tmcz.cz] has joined ##openvpn
13:33 -!- SkyX [~SkyB0x@212.235.177.25] has joined ##openvpn
13:35 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
13:36 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
13:38 -!- derjohn_mob [~aj@e180194145.adsl.alicedsl.de] has joined ##openvpn
13:40 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
13:42 -!- theoretical [~theoretic@64-135-203-23.FoxValley.net] has joined ##openvpn
13:44 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
13:49 -!- sparch [~sparch@pdpc/supporter/active/sparch] has left ##openvpn ["Leaving"]
14:07 < krzie> (this is for me)
14:07 < krzie> !configs
14:07 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
14:15 -!- star314 [~star314@starnet1.sinh.us] has joined ##openvpn
14:15 < star314> Hi!
14:16 -!- dazo_ [~dazo@89-24-6-33.i4g.tmcz.cz] has left ##openvpn ["Leaving"]
14:24 -!- SkyX [~SkyB0x@212.235.177.25] has quit [Read error: Connection reset by peer]
14:24 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
14:34 -!- greppy [~mharlow@lopsa/tech-team/grephead] has joined ##openvpn
14:35 -!- greppy [~mharlow@lopsa/tech-team/grephead] has quit [Client Quit]
14:40 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
14:41 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:48 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit [Ping timeout: 258 seconds]
15:11 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Read error: Connection reset by peer]
15:11 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
15:13 < flok420>  is it possible to do user/password authentication AND have a shared key?
15:14 < krzie> not sure about shared key, but definitely possible with certs and login/pass
15:14 < krzie> should be easy to test with shared key
15:14 < krzie> !authpass
15:14 < vpnHelper> krzie: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
15:14 < krzie> use your normal shared key setup, and auth-user-pass-verify
15:14 -!- star314 [~star314@starnet1.sinh.us] has left ##openvpn ["Leaving"]
15:17 -!- dazo_h [~dazo@mail.umc.cz] has joined ##openvpn
15:19 -!- dazo_h [~dazo@mail.umc.cz] has quit [Client Quit]
15:28 -!- DarthGandalf is now known as DarthGandalf|BNC
15:31 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 246 seconds]
15:36 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
15:41 -!- SkyX [~SkyB0x@212.235.177.25] has joined ##openvpn
15:42 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
15:48 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has quit [Read error: Connection reset by peer]
15:54 -!- SkyX [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
15:57 -!- olli_ [olli@tmo-090-107.customers.d1-online.com] has quit []
15:58 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.2/20100316074819]]
16:09 -!- AntoineBk [~Antoine@188.165.75.17] has quit [Ping timeout: 276 seconds]
16:10 -!- AntoineBk [~Antoine@188.165.75.17] has joined ##openvpn
16:15 -!- chupacabra [~chupacabr@cpe-70-112-123-173.austin.res.rr.com] has quit [Ping timeout: 252 seconds]
16:32 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
17:26 -!- _insane [~un@ppp-188-174-78-151.dynamic.mnet-online.de] has quit [Ping timeout: 258 seconds]
17:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
17:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
17:32 -!- _insane [~un@ppp-93-104-81-134.dynamic.mnet-online.de] has joined ##openvpn
17:34 -!- DrPepper [~DrPepper@88.207.192.171] has quit [Quit: Leaving...]
17:34 -!- Xanthaos [~sacreddel@66-191-193-093.dhcp.spbg.sc.charter.com] has joined ##openvpn
18:01 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Ping timeout: 248 seconds]
18:20 -!- HardDisk_WP [~Marco@wikipedia/harddisk] has quit [Ping timeout: 276 seconds]
18:40 -!- sunbug [sunbug@absolutlinux.no] has joined ##openvpn
18:40 < sunbug> !welcome
18:40 < vpnHelper> sunbug: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:53 < Xanthaos> Hi I've got some questions before I begin establishing openvpn server on fedora 12.  Anyone willing to entertain them for just a moment?
19:00 -!- HardDisk_WP [~Marco@velirat.de] has joined ##openvpn
19:12 < zoredache> Xanthaos: on irc the etiquette is to simply ask a question.  You really don't gain anything by asking permission to ask
19:27 -!- havoc [~havoc@saturn.chaillet.net] has quit [Quit: brb]
19:37 -!- theoretical [~theoretic@64-135-203-23.FoxValley.net] has quit [Quit: Bye]
19:38 -!- theoretical [~theoretic@64-135-203-23.FoxValley.net] has joined ##openvpn
19:47 -!- theoretical [~theoretic@64-135-203-23.FoxValley.net] has quit [Quit: Bye]
19:50 < Xanthaos> I have two routers in the network, router 2 wan comes off of router 1 lan port.  router 1 is network frontend with .22.1/24 subnet.  router 2 is behind 1 with .33.1/24 subnet.  My linux server connects to both routers and sees both subnets.  I want to place openvpn on the server as the vpn endpoint.
19:51 < Xanthaos> I have clients in the .22.1/24 subnet that I want to vpn into the server (again exists on both subnets physically) and be able to see .33.1/24 devices as though the client were in that subnet as well.  In essence use the vpn as a bridge into the other subnet, or a tunnel into the subnet, but a tunnel that will support all types of traffic.
19:51 < Xanthaos> Will openvpn on the server provide this functionality?
19:56 < zoredache> From what I understand, yes that should be possible. A diagram would make it easier.  does .33.1/24 have enough free address space so that clients connecting from the other network could get assigned an IP on that network?
19:56 < eradiate> !config
19:56 < vpnHelper> eradiate: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
19:58 < eradiate> anyone have a document for best practices on securing an openvpn server?
19:59 < Xanthaos> yes, there are still numerous addresses available
19:59 < eradiate> what is wrong with masquerading traffic via the nat tables in openvpn
19:59 < eradiate> i mean optables
19:59 < eradiate> *iptables
20:00 < eradiate> eh netfilter
20:00 < Xanthaos> lemme help out my wife, and I'll draw up a diagram and paste a url...
20:00 < Xanthaos> brb
20:01 < zoredache> eradiate: you can do that, but nat doesn't work well for all protocols.  If the requirements only include basic protocols like http, or ssh then nat would probably work fine
20:02 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
20:04 -!- astrophy [~astrophy@95.211.87.137] has joined ##openvpn
20:15 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
20:22 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 260 seconds]
20:27 -!- ScriptFanix [vincent@2001:910:100b::1] has quit [Ping timeout: 260 seconds]
20:28 < Xanthaos> The website will be available for only a few minutes.  You mentioned a diagram, here's a topo.  IP addresses are slightly altered but concept and relationships are accurate.  Take a look and let me know if openvpn endpoint on D3 server will allow what I need...
20:28 < Xanthaos> http://mtfedoranet.homelinux.org/networktopo.jpg
20:30 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Ping timeout: 240 seconds]
20:31 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
20:35 < Xanthaos> any ideas yet?
20:41 -!- smerz [~daniel@smerz.demon.nl] has quit [Quit: Ex-Chat]
20:42 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:43 -!- _______ [~astrophy@64-135-203-23.FoxValley.net] has joined ##openvpn
20:45 -!- astrophy [~astrophy@95.211.87.137] has quit [Ping timeout: 276 seconds]
20:46 < Xanthaos> yes? no?
20:48 -!- [mutex]_ [~portn0k@unaffiliated/mutex/x-1106097] has joined ##openvpn
20:48 -!- _______ [~astrophy@64-135-203-23.FoxValley.net] has quit [Ping timeout: 248 seconds]
20:59 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
21:00 -!- derjohn_foo [~aj@e180195100.adsl.alicedsl.de] has joined ##openvpn
21:01 -!- derjohn_mob [~aj@e180194145.adsl.alicedsl.de] has quit [Read error: Operation timed out]
21:05 -!- astrophy [~astrophy@95.211.87.136] has joined ##openvpn
21:17 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
21:17 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
21:17 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
21:17 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
21:19 -!- Xanthaos [~sacreddel@66-191-193-093.dhcp.spbg.sc.charter.com] has quit [Quit: ..::Elightenment In The Darkness::.. ¤ZoMBiE¤ Sc®ïþt 2.2 .ßý. xom[b] .::[http://otai.cjb.net/]::.]
21:29 < [mutex]_> "Cannot load private key file C:\Program files\OpenVPN\config\n8laptop.key error:0B080074:x509 certificate routines:X509A_check_private_key:key values mismatch"
21:29 < [mutex]_> ;/
21:29 < [mutex]_> x509 certificate routines:X509A_check_private_key:key values mismatch
21:29 < [mutex]_> oops
21:31 -!- aj__ [~aj@e180193038.adsl.alicedsl.de] has joined ##openvpn
21:32 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
21:33 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
21:34 -!- derjohn_foo [~aj@e180195100.adsl.alicedsl.de] has quit [Ping timeout: 264 seconds]
21:34 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
22:02 < rawDawg> what up
22:23 < theDoc> grr.
22:24 < theDoc> I hate Windows DNS servers.
22:34 -!- DarthGandalf|BNC is now known as DarthGandalf
22:49 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
--- Day changed Fri Apr 02 2010
00:13 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
00:29 < hyper_ch> there are windows dns servers?
01:07 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
01:08 < theDoc> hyper_ch> Yep, I'm annoyed with it at the moment.
01:08 < theDoc> Not my server though.
01:12 < Bushmills> there is maradns for windows
01:15 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
01:15 -!- mode/##openvpn [+o mattock] by ChanServ
01:27 -!- ScriptFanix [vincent@2001:910:100b::1] has joined ##openvpn
01:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
01:31 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 265 seconds]
01:38 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
01:42 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit [Ping timeout: 246 seconds]
02:01 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.8/20100214235958]]
02:03 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has joined ##openvpn
02:03 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
02:28 < krzee> hyper_ch, yes and they suck... you need to run them when you run AD
02:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:43 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
02:47 -!- diegoviola [~diego@adsl-144-146.click.com.py] has joined ##openvpn
02:47 < diegoviola> hello, i have a vpn connection and pinging to the vpn ip work, etc, but when i ping the vpn domain it should ping the vpn ip and it doesn't, any ideas?
02:47 < diegoviola> should i add a dns for the vpn?
03:05 -!- MrJK [~jezu@194.199.166.96] has joined ##openvpn
03:07 -!- diegoviola [~diego@adsl-144-146.click.com.py] has quit [Ping timeout: 265 seconds]
03:17 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Quit: No Ping reply in 180 seconds.]
03:18 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
03:41 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
03:41 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
03:47 -!- aj__ [~aj@e180193038.adsl.alicedsl.de] has quit [Ping timeout: 246 seconds]
04:06 -!- bigpresh [~bigpresh@freenode/sponsor/bigpresh] has quit [Remote host closed the connection]
04:07 -!- bigpresh [~bigpresh@freenode/sponsor/bigpresh] has joined ##openvpn
04:10 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Ping timeout: 260 seconds]
04:10 -!- MrJK [~jezu@194.199.166.96] has quit [Ping timeout: 258 seconds]
04:10 -!- MrJK [~jezu@194.199.166.96] has joined ##openvpn
04:12 -!- master_of_master [~master_of@p57B553DE.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
04:14 -!- master_of_master [~master_of@p57B56760.dip.t-dialin.net] has joined ##openvpn
04:34 -!- DarkM [~DarkM@acro.fr] has joined ##openvpn
04:34 < DarkM> Hey everybody
04:34 < DarkM> I'm having some troubles :
04:34 < DarkM> I got openvpn running on my server
04:34 < DarkM> Which is a debian
04:34 < DarkM> But when I do a netstat -lp it doesn't display as "LISTEN"
04:34 < DarkM> And when I scan my server it says that the connection is closed
04:34 < DarkM> But openvpn is running
04:35 < DarkM> Any idea ?
04:35 < DarkM> :(
04:35 < DarkM> (And it's not something about firewall, cause it says that the port is open but that there is no connection available on it)
04:36 < DarkM> Please help me with that x)
04:46 < DarkM> ..?
04:50 < theDoc> Try starting the service?
04:51 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
05:00 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Quit: No Ping reply in 180 seconds.]
05:02 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
05:15 -!- MrJK [~jezu@194.199.166.96] has quit [Ping timeout: 240 seconds]
05:15 -!- MrJK [~jezu@194.199.166.96] has joined ##openvpn
05:17 -!- DarkM [~DarkM@acro.fr] has quit [Remote host closed the connection]
05:20 -!- aj__ [~aj@48.42.69.80.in-addr.net-lab.net] has joined ##openvpn
05:41 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
05:57 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
06:09 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
06:11 -!- aj__ [~aj@48.42.69.80.in-addr.net-lab.net] has quit [Ping timeout: 276 seconds]
06:21 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
06:22 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
06:34 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:36 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
06:56 -!- havoc [~havoc@neptune.chaillet.net] has joined ##openvpn
07:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
07:32 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
07:40 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
07:45 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:50 -!- mape2k [~mape2k@2001:6f8:997:1000:21f:3bff:fe27:21a9] has joined ##openvpn
07:56 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 265 seconds]
07:59 -!- mape2k [~mape2k@2001:6f8:997:1000:21f:3bff:fe27:21a9] has quit [Quit: Leaving]
07:59 -!- mape2k [~mape2k@p5B2870A9.dip.t-dialin.net] has joined ##openvpn
08:14 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
08:28 -!- bigpresh [~bigpresh@freenode/sponsor/bigpresh] has quit [Excess Flood]
08:32 -!- bigpresh [~bigpresh@freenode/sponsor/bigpresh] has joined ##openvpn
08:39 -!- HardDisk_WP [~Marco@velirat.de] has quit [Changing host]
08:39 -!- HardDisk_WP [~Marco@wikipedia/harddisk] has joined ##openvpn
08:52 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
09:10 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
09:12 -!- DrPepper [~DrPepper@88.207.192.171] has joined ##openvpn
09:14 -!- vhann [~media@142-217-83-39.telebecinternet.net] has joined ##openvpn
09:17 -!- vhann [~media@142-217-83-39.telebecinternet.net] has quit [Client Quit]
09:25 -!- theDoc [~jaki@60.52.186.173] has joined ##openvpn
09:26 -!- theDoc_ [~jaki@unaffiliated/thedoc] has joined ##openvpn
09:29 -!- daltio12 [~daltio@nccpl.pk] has joined ##openvpn
09:30 -!- theDoc [~jaki@60.52.186.173] has quit [Ping timeout: 240 seconds]
09:30 < daltio12> guys i want installed openvpnn p-tp on 2 machine both are up and working now i want to add routes so that clinets pcs behind both machines can access email server
09:31 -!- theDoc_ is now known as theDoc
09:31 < daltio12> ip tunnel ip is 18.18.18.1 for 1 machine and 18.18.18.6 for another machine now i want to add route like route add -host 10.157.8.2/32 gw 18.18.18.1 on 2 machine is this ok
09:36 < rawDawg> you can push routes
09:37 < rawDawg> use the other side as the gateway for the destination lan
09:37 < rawDawg> !route
09:37 < vpnHelper> rawDawg: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:41 < daltio12> other side means 18.18.18.1
09:41 < daltio12> right
09:42 -!- daltio12 [~daltio@nccpl.pk] has quit [Quit: Leaving]
09:56 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
10:08 -!- mape2k [~mape2k@p5B2870A9.dip.t-dialin.net] has quit [Read error: Operation timed out]
10:13 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
10:18 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
10:24 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
10:29 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
10:40 -!- osama [~un@ppp-93-104-77-247.dynamic.mnet-online.de] has joined ##openvpn
10:41 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
10:41 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Quit: No Ping reply in 180 seconds.]
10:42 -!- PeterFA [~Peter@2002:1871:8ebb:1234:21a:73ff:fe3b:d510] has joined ##openvpn
10:42 -!- PeterFA [~Peter@2002:1871:8ebb:1234:21a:73ff:fe3b:d510] has quit [Changing host]
10:42 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
10:43 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
10:43 -!- _insane [~un@ppp-93-104-81-134.dynamic.mnet-online.de] has quit [Ping timeout: 245 seconds]
10:47 -!- pif [~ldm@zenon.apartia.fr] has joined ##openvpn
10:48 < pif> hi, I connect to an openvpn server to its external IP, but then can I also redirect traffic to this IP through the tunnel?
10:48 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:49 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
10:52 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Quit: No Ping reply in 180 seconds.]
10:52 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
11:12 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
11:17 < gorkhaan> !route
11:17 < vpnHelper> gorkhaan: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:27 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:47 < Bushmills> pif: no. openvpn client needs to be able to reach the server by a route which is not through its own tunnel 
11:49 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
12:03 -!- osama [~un@ppp-93-104-77-247.dynamic.mnet-online.de] has quit [Ping timeout: 260 seconds]
12:05 -!- _insane [~un@ppp-88-217-27-66.dynamic.mnet-online.de] has joined ##openvpn
12:30 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
12:30 -!- astrophy [~astrophy@95.211.87.136] has quit [Ping timeout: 240 seconds]
12:31 < Hypnoz> Does anyone if there is a way to have the windows client support multiple simultaneous vpn connections
12:34 -!- krzee [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
12:35 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Remote host closed the connection]
12:36 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
12:43 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Quit: No Ping reply in 180 seconds.]
12:44 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
13:16 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Quit: No Ping reply in 180 seconds.]
13:16 < Mythmon> Ramereth: mostly
13:16 -!- PeterFA [~Peter@2002:1871:8ebb:1234:21a:73ff:fe3b:d510] has joined ##openvpn
13:16 -!- PeterFA [~Peter@2002:1871:8ebb:1234:21a:73ff:fe3b:d510] has quit [Changing host]
13:16 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
13:16 < Mythmon> er. oops
13:41 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
13:41 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
13:46 -!- Kaspx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: Connection reset by peer]
13:46 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Read error: Connection reset by peer]
13:46 -!- dug` [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
13:46 -!- Kaspx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
13:46 -!- mode/##openvpn [+v Kaspx] by ChanServ
13:46 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
13:46 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
14:04 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
14:15 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: Leaving]
14:31 -!- DarthGandalf is now known as DarthGandalf|BNC
14:31 -!- kala_ [~kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
14:31 -!- kala__ [~kala@83.151.191.90.dyn.estpak.ee] has quit [Ping timeout: 240 seconds]
14:32 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
14:32 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
14:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
14:38 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
14:38 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
14:44 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
14:45 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
14:45 -!- dug` [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Quit: Quitte]
14:55 -!- MrBIOS [~aperez@38.104.194.62] has quit [Remote host closed the connection]
14:59 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 240 seconds]
15:01 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
15:01 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
15:03 -!- dazo_afk [~dazo@nat/redhat/x-mapwmqrcrxvxhtni] has quit [Ping timeout: 265 seconds]
15:05 -!- dazo_afk [~dazo@nat/redhat/x-atcocohtjlaaateb] has joined ##openvpn
15:05 -!- dazo_afk is now known as Guest27041
15:15 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 260 seconds]
15:20 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Remote host closed the connection]
15:20 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
15:22 -!- [mutex]__ [~portn0k@unaffiliated/mutex/x-1106097] has joined ##openvpn
15:30 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
15:33 < [mutex]__> http://pastie.org/900865 <-- client/server configs/logs.  i'm able to connect to my vpn, but 2 things are wrong.  first, i'd like to be able to obtain a DHCP leased IP on the 10.0.0.0/24 network other dhcp clients get ips from, second, im not getting a default gateway from the server.  can anyone spot anything wrong?
15:33 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
15:34 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
15:35 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
15:35 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
15:35 -!- _insane [~un@ppp-88-217-27-66.dynamic.mnet-online.de] has quit [Ping timeout: 246 seconds]
15:38 -!- _insane [~un@ppp-93-104-75-111.dynamic.mnet-online.de] has joined ##openvpn
15:41 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
15:41 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
15:44 -!- diegoviola [~diego@67.110.142.99.ptr.us.xo.net] has joined ##openvpn
15:44 < diegoviola> hello
15:44 < diegoviola> i have a vpn connection, i can ping the vpn ip adddress, etc, but whenever i ping vpn.dataxu.net that tries to ping the public ip, but it should ping the internal (vpn) ip
15:44 < diegoviola> any ideas?
15:44 < [mutex]__> are you using a public nameserver or a private one?
15:45 < diegoviola> public
15:45 < diegoviola> my isp nameserver
15:45 < diegoviola> sorry i'm a noob with networking
15:46 < [mutex]__> so youve set the vpn A record for your domain to your public ip.  
15:46 < diegoviola> i want the domain-based vpns go to the vpn and the "normal" domains go to my isp dns
15:46 < diegoviola> vpn-based domains*
15:47 < [mutex]__> youre using your isp as a registrar are you?
15:48 < [mutex]__> wait, ik think i misunderstood your question.  youre wanting the vpn A record to point to an IP in your LAN, right?
15:48 < [mutex]__> @_@
15:48 < [mutex]__> port forwarding is what youre looking for i believe?
15:48 < [mutex]__> im off to bed, sorry, been up too long
15:49 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 260 seconds]
15:50 < diegoviola> [mutex]__: no dude
15:50 < diegoviola> [mutex]__: let me try to explain again :)
15:50 < diegoviola> sorry
15:50 < diegoviola> i have a vpn.dataxu.net domain
15:50 < diegoviola> and
15:50 < diegoviola> svn.dataxu.net
15:50 < diegoviola> when i ping these
15:50 < diegoviola> it should ping 10.x.x.x
15:51 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
15:51 < diegoviola> when i ping google.com it should ping google's ip
15:51 < diegoviola> right now i'm using my ISP nameserver, so if i try to ping svn.dataxu.net (which is the vpn domain) it tries to ping a public ip
15:52 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
15:56 < [mutex]__> diegoviola: you wouldnt tyically use public nameservers for accessing yur LAN shit, i'd just pop those entriesyou mntioned in your /etc/hosts file personally, or setup BIND
15:57 < diegoviola> thanks
15:59 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
16:00 -!- tekk [~me@cpc3-shep11-2-0-cust599.8-3.cable.virginmedia.com] has joined ##openvpn
16:00 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
16:00 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
16:02 < tekk> hi guys, i just have a quick question, i travel around a lot and wherever i go i'm heavily firewalled, however I can always establish an outbound VPN connection. My openvpn server currently allocates me a 10.10.10.x ip address, however i'd like it to allocate me an externally reachable ip address and then forward all traffic to it, so basically, when i travel, no matter what network i'm on, i'll always have a static ip that is 
16:02 < tekk> reachable from the outside world to my machine.
16:02 < tekk> would this be possible using openvpn+iptables?
16:04 < [mutex]__> for only the single ip youre server is on, you could theoretically foward everything but your vpn port to whatever ip you wanted
16:04 < tekk> hmm
16:04 < tekk> the idea was, is that my server has several ip's
16:05 < tekk> and i wanted to route an unused one to my connecting laptop whenever i connected
16:05 < tekk> and then everything woudl be forwarded, so for example, i could run apache on my laptop on some NAT'd network, connect to the VPN and then the apache on laptop would be reachable fro manywhere using the ip i allocated
16:06 < [mutex]__> oh, i'd assign an unused ip to a new interface and bridge that and then forward.
16:06 < tekk> right ok
16:06 < tekk> is there a name for what i'm describing?
16:06 < [mutex]__> im a complete nub at openvpn though i wouldnt take my word for it, im not sure if openvpn can do that
16:06 < [mutex]__> ;p
16:06 < tekk> ah k heh
16:06 < [mutex]__> seems logical enough to me though
16:06 < [mutex]__> id be dissapontied if it couldnt
16:07 < tekk> my other idea was to make a PTP openvpn tunnel, make openvpn assign the ip 
16:07 < tekk> then on the server have an iptables rule
16:07 < tekk> forward all MYIP to some new interface i just created
16:07 < tekk> its single-client only, so doesn't need anything too fancy
16:08 < tekk> or it could be done in a similar configuration to "extending an existing LAN to vpn clients" style thing
16:10 < [mutex]__> while ive got you here though, mind looking at a question i have on just basic configuration? 0:)
16:10 < [mutex]__> http://pastie.org/900865 <-- client/server configs/logs.  i'm able to connect to my vpn, but 2 things are wrong.  first, i'd like to be able to obtain a DHCP leased IP on the 10.0.0.0/24 network other dhcp clients get ips from, second, im not getting a default gateway from the server.  can anyone spot anything wrong?
16:14 < tekk> k
16:15 < tekk> what do you want to acheive?
16:15 < tekk> a client getting an ip from the 10./24 network and that client having reachability to the 10./24 network also?
16:15 < [mutex]__> really just being able to reach machines in the LAN at my office from afar
16:15 < tekk> ah k
16:16 < tekk> in that case
16:16 < tekk> you'll need to push the route for 10.0.0.0
16:16 < [mutex]__> which is 10.0.0.1
16:16 < tekk> make sure ipv4 forwarding is enabled in your linux kernel (i assume linux)
16:16 < tekk> no
16:16 < [mutex]__> freebsd
16:16 < tekk> you push the route for the network
16:16 < tekk> freebsd too
16:16 < tekk> and also have an iptables rule in effect to forward
16:17 < [mutex]__> well, pf in this case.  but yeah thats all taken care of
16:17 < tekk> yeah
16:17 < tekk> sorry pf
16:18 < [mutex]__> sysctl net.inet.ip.forwarding=1
16:18 < [mutex]__> oops
16:18 < [mutex]__> wrong terminal
16:18 < tekk> -w
16:18 < tekk> :)
16:18 < [mutex]__> yeah those are set
16:19 < tekk> shit, i gtg man sorry :s, good luck, p.s. i have the exact same configuration at the moment as you require (reaching lan clients from outside)
16:19 < tekk> so if i'm around later pm me
16:19 < tekk> and i'll send you confs
16:19 < [mutex]__> word, thanks.
16:21 < [mutex]__> meh, changing the route related push lines in my server config to 10.0.0.0 didnt change anything ;/
16:33 -!- osama [~un@ppp-88-217-3-233.dynamic.mnet-online.de] has joined ##openvpn
16:34 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
16:35 < [mutex]__> i dont understand what im doing wrong.  
16:36 -!- _insane [~un@ppp-93-104-75-111.dynamic.mnet-online.de] has quit [Ping timeout: 240 seconds]
16:51 -!- Netsplit *.net <-> *.split quits: rob0, Zordrak, Krikke, Rolybrau, kala_, ufoman_, fahadsadah, jpalmer, LobbyZ
16:53 -!- Netsplit over, joins: kala_, Rolybrau, jpalmer, LobbyZ, rob0, Krikke, ufoman_, Zordrak
17:00 -!- fahadsadah [~fahad@unaffiliated/fahadsadah] has joined ##openvpn
17:10 -!- Netsplit *.net <-> *.split quits: rob0, Zordrak, Krikke, Rolybrau, kala_, ufoman_, jpalmer, LobbyZ
17:12 -!- Netsplit over, joins: jpalmer
17:12 -!- ufoman [ufoman@kolos.math.uni.lodz.pl] has joined ##openvpn
17:13 -!- Netsplit over, joins: Rolybrau, LobbyZ
17:13 -!- Netsplit over, joins: Zordrak
17:14 -!- Netsplit over, joins: rob0
17:16 -!- kala_ [~kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
17:16 -!- Krikke [~ixevix@62.142.105.142] has joined ##openvpn
17:20 -!- Netsplit *.net <-> *.split quits: Krikke, kala_
17:20 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Remote host closed the connection]
17:23 -!- Netsplit over, joins: Krikke, kala_
17:39 -!- Xanthaos [~sacreddel@66-191-193-093.dhcp.spbg.sc.charter.com] has joined ##openvpn
17:46 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
17:56 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Quit: Távozom]
18:28 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
18:43 < diegoviola> [mutex]__: adding these entries in /etc/hosts worked fine, thanks
18:49 < diegoviola> [mutex]__: but what about if i don't know the ip of the vpn for those domains?
18:54 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 264 seconds]
18:55 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
19:14 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
19:39 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:24 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 260 seconds]
20:30 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has joined ##openvpn
20:30 < vpnguy> !welcome
20:30 < vpnHelper> vpnguy: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:30 < vpnguy> !man
20:30 < vpnHelper> vpnguy: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
20:31 < vpnguy> !goal
20:31 < vpnHelper> vpnguy: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
20:31 < vpnguy> !howto
20:31 < vpnHelper> vpnguy: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
20:33 < vpnguy> hello
20:33 < vpnguy> Cannot open TUN/TAP dev /dev/tap0: No such file or directory (errno=2)
20:34 < vpnguy> do I need to create a tap device manually ?
20:37 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
20:37 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
20:44 -!- DarthGandalf|BNC is now known as DarthGandalf
20:52 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
20:58 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
21:04 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has quit [Ping timeout: 258 seconds]
21:23 < theDoc> Somewhat offtopic but has anyone ever had the experience of having an OD wipe out all the DNS settings on an AD when the DNS service isn't turned on on the OD?
21:37 -!- diegoviola [~diego@67.110.142.99.ptr.us.xo.net] has quit [Quit: Lost terminal]
21:52 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
21:54 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has joined ##openvpn
22:28 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
22:53 -!- rawDawg [~rawDawg@cpe-76-189-164-149.neo.res.rr.com] has joined ##openvpn
23:04 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
23:05 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
23:45 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
23:45 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
23:48 -!- smerz [~daniel@smerz.demon.nl] has quit [Quit: Ex-Chat]
--- Day changed Sat Apr 03 2010
00:02 -!- azizLIGHTS [deltron@silenceisdefeat.com] has joined ##openvpn
00:03 < azizLIGHTS> hi guys
00:03 < azizLIGHTS> !welcome
00:03 < vpnHelper> azizLIGHTS: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
00:03 < azizLIGHTS> hm, well
00:04 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
00:05 < azizLIGHTS> im using openvpn gui. i upgraded from windows xp to windows 7. a previously functioning openvpn service on openvpn gui worked perfect on winxp. now, however, on win7, connecting to the same service results in: 
00:05 < azizLIGHTS> Options error: unknown --redirect-gateway flag: bypass-dhcp
00:06 < azizLIGHTS> i basically copied everything from config/ and pasted
00:06 < azizLIGHTS> so not sure whats going on!
00:07 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has joined ##openvpn
00:07 < vpnguy> !welcome
00:07 < vpnHelper> vpnguy: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
00:08 < vpnguy> !forum
00:08 < vpnHelper> vpnguy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
00:09 < azizLIGHTS> alright, ill try posting in the forum
00:19 < azizLIGHTS> where exactly do i post in the forum... theres no 'problems' section
00:26 < vpnguy> I am not working for openvpn, like you I am wondering some questions
00:45 -!- azizLIGHTS [deltron@silenceisdefeat.com] has quit [Ping timeout: 248 seconds]
00:47 -!- azizLIGHTS [deltron@silenceisdefeat.com] has joined ##openvpn
00:47 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
00:47 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
01:29 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 276 seconds]
01:39 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
01:40 -!- mode/##openvpn [+o mattock] by ChanServ
01:58 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.8/20100214235958]]
02:11 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit [Ping timeout: 276 seconds]
02:40 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
02:42 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has quit [Ping timeout: 260 seconds]
02:53 -!- azizLIGHTS [deltron@silenceisdefeat.com] has left ##openvpn []
03:05 -!- mwheeler [~mwheeler@unaffiliated/theskorm] has joined ##openvpn
03:06 -!- Xanthaos [~sacreddel@66-191-193-093.dhcp.spbg.sc.charter.com] has quit [Quit: .::Dealings With Evil Spirits::. ¤ZoMBiE¤ Sc®ïþt 2.2 .ßý. xom[b] .::[http://otai.cjb.net/]::.]
03:07 < mwheeler> Hi Guys and Girls, I have a quick question that you can answer easily. Setting up point to point links with OpenVPN, and running RIP over the top for routing. Now being a point to point link, the netmask is set to 255.255.255.255, so that's what RIP (quagga) annoances, which isn't what I want. I want RIP to annoance /30's. manually setting the netmask to 255.255.255.252 after the VPN is setup works. How can I get openvpn to setup the netmask as 
03:09 -!- iateadonut [~dan@221.0.239.39] has joined ##openvpn
03:09 < iateadonut> i've connected but don't know why i can't open any webpages now.
03:10 < iateadonut> so, i've got an openvpn server running and i've got a connection from my local computer, but when i route my traffic through it, webpages don't come up, i can't use irc, etc.
03:11 < mwheeler> iateadonut: have you nat runing, and gateway enabled?
03:12 < iateadonut> gateway is enabled (not now, becuase i need to be able to access the internet) on the client.
03:12 < iateadonut> for nat, that should be on the client or server?
03:13 < mwheeler> server
03:13 < iateadonut> (for client, i enabled gateway with redirect-gateway; that's what you meant, right?
03:14 < mwheeler> hmmm no, I meant on the server you have to enable routign between interfaces, what OS is your server running?
03:14 < iateadonut> debian
03:14 < mwheeler> sudo sysctl net.ipv4.ip_forward=1
03:14 < iateadonut> i can route through my web browser with a socks proxy and ssh running, so i thought that should also mean that it was configured to let traffic through it.
03:15 < iateadonut> it responded by repeating "net.ipv4.ip_forward = 1"
03:15 < mwheeler> hehe it doesn't work like that
03:15 < iateadonut> i see.
03:15 < mwheeler> iateadonut: yup that's good
03:16 < iateadonut> so, i should try it again?
03:16 < iateadonut> with --redirect-gatway?
03:16 < mwheeler> a socks proxy is an applicatio nthing, it doesn't route traffic
03:16 < mwheeler> yeah why not, did you get nat running?
03:17 < mwheeler> Because you need to turn your local openvpn ip addresses, into external facing ones
03:17 < iateadonut> nope, i've only heard of nat.
03:18 < mwheeler> what's your internet interface ? eth0/ppp0 ?
03:18 < iateadonut> oh... you mean that the client/server can ping each other?
03:18 < mwheeler> and what's your tunnels interface
03:18 < iateadonut> tun0
03:18 < iateadonut> eth0
03:18 < mwheeler> http://pastebin.ca/1855621
03:19 < mwheeler> erm
03:19 < mwheeler> change tun00 to tun0
03:20 < mwheeler> if that dfoesn't work, do a traceroute to 4.2.2..1, so I can get an understanding of what's going on
03:22 < iateadonut> after i reconnect openVPN with --redirect-gatway, the way to turn it off again if it doesn't work is to 'service openvpn stop'?
03:22 < mwheeler> not sure, that should work
03:22 < mwheeler> or killall openvpn
03:23 < iateadonut> how would i stop it (last time i tryed to kill the openvpn process and that didn't work - had to reboot)
03:23 < mwheeler> try pinging across the tunnel toom using the local IP addresses
03:23 < iateadonut> that works (without redirect-gateway)
03:23 < iateadonut> anyway, this might hang up on me, i'm going to try now.
03:26 < iateadonut> hung up on me - pinging works with redirect traffic as well.
03:26 < iateadonut> hung up on me - pinging works with redirect traffic as well.
03:27 < iateadonut> ca you see that?
03:27 < mwheeler> yes
03:27 < iateadonut> so, you want me to do that again and then traceroute 4.2.2.1?
03:27 < mwheeler> yup
03:29 < iateadonut> sudo traceroute 4.2.2.1
03:29 < iateadonut> traceroute to 4.2.2.1 (4.2.2.1), 30 hops max, 60 byte packets
03:29 < iateadonut> send: Operation not permitted
03:29 < mwheeler> :S
03:29 < mwheeler> sudo ip route
03:29 < iateadonut> now, without openvpn - udo traceroute 4.2.2.1
03:29 < iateadonut> traceroute to 4.2.2.1 (4.2.2.1), 30 hops max, 60 byte packets
03:29 < iateadonut>  1  10.0.0.1 (10.0.0.1)  4.139 ms  4.369 ms  4.658 ms
03:30 < iateadonut> without openvpn:
03:30 < iateadonut> sudo ip route
03:30 < iateadonut> 10.0.0.0/24 dev wlan0  proto kernel  scope link  src 10.0.0.3  metric 35 
03:30 < iateadonut> 169.254.0.0/16 dev wlan0  scope link  metric 35 
03:30 < iateadonut> 127.0.0.0/8 dev lo  scope link 
03:30 < iateadonut> default via 10.0.0.1 dev wlan0
03:30 < mwheeler> You should prob be using the pastebin ;)
03:31 < iateadonut> with openvpn
03:31 < iateadonut> sudo ip route
03:31 < iateadonut> 10.9.8.1 dev tun0  proto kernel  scope link  src 10.9.8.2 
03:31 < iateadonut> 65.60.56.139 via 10.0.0.1 dev wlan0 
03:31 < iateadonut> 10.0.0.0/24 dev wlan0  proto kernel  scope link  src 10.0.0.3  metric 35 
03:31 < iateadonut> 169.254.0.0/16 dev wlan0  scope link  metric 35 
03:31 < iateadonut> 127.0.0.0/8 dev lo  scope link 
03:31 < iateadonut> default via 10.9.8.1 dev tun0
03:31 < iateadonut> ok, next time?  or want me to do it again in pastebin?
03:32 < mwheeler> next time
03:33 < mwheeler> could you ping 10.9.8.1 across the VPN, and was the openvpn proccess running after it started (ps ax | grep openvpn)
03:34 < iateadonut> yes, openvpn always runs after starting (i have to kill it to get out of it after turning off the service)
03:36 < iateadonut> From 10.9.8.2 icmp_seq=1 Destination Port Unreachable
03:36 < iateadonut> sorry, i thought that was ok (i had pinged 10.9.8.1) before.
03:37 < krzee> !riproute
03:37 < vpnHelper> krzee: Error: "riproute" is not a valid command.
03:37 < krzee> !factoids search rip
03:37 < vpnHelper> krzee: '2.1-winpass-script' and 'rip'
03:37 < krzee> !rip
03:37 < vpnHelper> krzee: "rip" is http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting for a writeup on using RIP in openvpn
03:38 < mwheeler> Thanks krzee 
03:38 < iateadonut> is that for me to read?
03:39 < mwheeler> iateadonut: for me 
03:39 < iateadonut> any advice on what a next step would be?
03:40 < krzee> iateadonut, 
03:40 < krzee> !redirect
03:40 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
03:40 < krzee> !def1
03:40 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
03:40 < krzee> !linipforward
03:40 < vpnHelper> krzee: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
03:40 < krzee> !linnat
03:40 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
03:41 < krzee> mwheeler, np =]
03:43 < iateadonut> !nat
03:43 < vpnHelper> iateadonut: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
03:48 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
03:49 < theDoc> wooooo!
03:49 < theDoc> It works.
03:49 < iateadonut> can you check this: http://pastebin.ca/1855635
03:49 < krzee> wassup doc?
03:50 < krzee> iateadonut, 
03:50 < krzee> !configs
03:50 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
03:50 < krzee> !goal
03:50 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
03:51 < iateadonut> i would like to access the internet over my vpn (use skype, etc)
03:51 < krzee> cool, i actually do the same
03:51 < krzee> although i selectively route certain apps over it using a socks daemon
03:52 < krzee> but for routing it all, i gave all factoids above
03:52 < krzee> !sample
03:52 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
03:52 < krzee> that + those = it works
03:52 < iateadonut> http://pastebin.ca/1855637
03:53 < krzee> holy small config
03:53 < krzee> make certs based on the cert making part of this:
03:53 < krzee> !howto
03:53 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:53 < krzee> use this as your base:
03:53 < krzee> !sample
03:53 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
03:53 < krzee> then check this out
03:53 < krzee> !def1
03:53 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
03:54 < krzee> your server needs these:
03:54 < krzee> !linipforward
03:54 < vpnHelper> krzee: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
03:54 < krzee> !linnat
03:54 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
03:58 < theDoc> krzee> Some DNS stuff on the xserve.
04:12 -!- master_of_master [~master_of@p57B56760.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
04:14 -!- master_of_master [~master_of@p57B57C6E.dip.t-dialin.net] has joined ##openvpn
04:14 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
04:21 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.2/20100316074819]]
04:25 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
04:54 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has quit [Remote host closed the connection]
04:56 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has joined ##openvpn
05:05 -!- julius [~julius@217.20.127.15] has quit [Ping timeout: 276 seconds]
05:06 -!- julius [~julius@217.20.127.15] has joined ##openvpn
05:26 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
05:30 -!- iateadonut [~dan@221.0.239.39] has quit [Ping timeout: 240 seconds]
05:42 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
05:44 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
05:45 -!- iateadonut [~dan@221.0.239.39] has joined ##openvpn
06:06 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
06:20 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
06:20 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
06:23 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
06:24 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
06:29 -!- drecute [~pdrealg@li85-35.members.linode.com] has joined ##openvpn
06:55 -!- drecute [~pdrealg@li85-35.members.linode.com] has quit [Ping timeout: 276 seconds]
06:58 -!- sp0tteh [~sdfhk@ppp118-210-195-22.lns20.adl6.internode.on.net] has joined ##openvpn
07:02 < sp0tteh> Hey, simple question: does openvpn (with freeradius) support sending Interim-Update with the accounting info? meaning updating the radacct table with user usage / session time at reglar intervals. cheers
07:03 -!- coodu [~pdrealg@li85-35.members.linode.com] has joined ##openvpn
07:04 -!- coodu is now known as drecute
07:56 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:00 < vpnHelper> New forum entry openvpnforum: Pay OpenVPN Service Provider Reviews/Comments :: Re: Anonyproz OpenVPN Service Provider :: ... <http://www.ovpnforum.com/viewtopic.php?f=21&t=2502&p=4335#p4335>
08:22 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
08:25 -!- sp0tteh [~sdfhk@ppp118-210-195-22.lns20.adl6.internode.on.net] has quit [Ping timeout: 258 seconds]
08:27 < iateadonut> tun0 inet addr:10.8.1.6  P-t-P:10.8.1.5 - what's that mean?  which one am i?
08:28 < drecute> hello
08:29 < theDoc> donuts.
08:29 < theDoc> mmm.
08:29 -!- sp0tteh [~sdfhk@ppp118-210-44-6.lns20.adl2.internode.on.net] has joined ##openvpn
08:29 < drecute> my openvpn client resets
08:29 < drecute> what could cause this
08:30 < theDoc> Who knows?
08:35 < iateadonut> i bought some $3 wine but it's not bad.
08:36 < iateadonut> how's a good way to start debugging this - can i put my connects in a pastebin (i can't ping each other) for someone to take a look at?
08:36 < iateadonut> does the hostname i write in my config file have to be the hostname of my computer?
08:36 < iateadonut> for example, if client1 is named 'localhost' do i have to write that when i make the client1 config files?
08:38 < theDoc> Yes, but that would be weird as hell.
08:40 < iateadonut> http://pastebin.com/pd4iVsn6
08:40 < iateadonut> you mean i should change the name of my computer and then do it?
08:41 < theDoc> You are confusing me but I'll take a look at it later, I'm somewhat busy trolling chatroulette ;p
08:43 < iateadonut> Common Name (eg, your name or your server's hostname) [client2]: - should i put my hostname on this, or leave the default?
08:43 < iateadonut> (thanks, the Doc)
08:44 -!- clyons [~clyons@unaffiliated/clyons] has joined ##openvpn
08:46 < theDoc> iateadonut> What was your question again?
08:46 < theDoc> Why do you want to use your hostname for the CN?
08:48 -!- iateadonut [~dan@221.0.239.39] has quit [Ping timeout: 240 seconds]
08:52 -!- sp0tteh [~sdfhk@ppp118-210-44-6.lns20.adl2.internode.on.net] has quit [Ping timeout: 245 seconds]
08:52 -!- thrope [~thrope@87.244.118.2] has joined ##openvpn
08:52 < thrope> hi - im having trouble with this configuration http://pastie.org/901648
08:52 -!- sp0tteh [~sdfhk@ppp118-210-44-6.lns20.adl2.internode.on.net] has joined ##openvpn
08:57 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
09:00 -!- drecute [~pdrealg@li85-35.members.linode.com] has quit [Ping timeout: 240 seconds]
09:02 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:03 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has left ##openvpn []
09:04 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has joined ##openvpn
09:05 -!- thrope [~thrope@87.244.118.2] has quit [Ping timeout: 240 seconds]
09:05 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has left ##openvpn []
09:09 -!- mithridates [~chatzilla@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
09:28 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
09:30 -!- theDoc [~jaki@69.10.59.166] has joined ##openvpn
09:30 -!- theDoc [~jaki@69.10.59.166] has quit [Changing host]
09:30 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
09:35 -!- _insane [~un@ppp-93-104-87-222.dynamic.mnet-online.de] has joined ##openvpn
09:36 -!- mithridates [~chatzilla@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit [Ping timeout: 260 seconds]
09:38 -!- daltio12 [~daltio@116.71.44.150] has joined ##openvpn
09:38 -!- osama [~un@ppp-88-217-3-233.dynamic.mnet-online.de] has quit [Ping timeout: 276 seconds]
09:38 < daltio12> hi
09:38 < daltio12> guys i want to run my debain as router how i do this, i have 2 debain boxes connected with vpn , my local network ins 10.157.41.0 and its has a seperate wan ip and another box as local network 192.168.3.0 with 1 wan ip, both machines are ok and access each other now 1 machine as a juniper router with ip 10.157.41.1 and thrugh this router i add a route add -host 10.1578.2/32 gw 10.157.41.1 1 machine can access 10.157.8.2  ,,i want second machine should a
09:38 < daltio12> ccess the mail server 10.157.8.2 what routes should i add,my vpn ip on 1 machine is 18.18.18.1 and on 2 machine is 18.18.18.5 , i add route on 2 machine route add -host 10.157.8.2 gw 18.18.18.1
09:39 < daltio12> route add -host 10.64.16.209/32 gw 18.18.18.1
09:39 < daltio12> SIOCADDRT: No such process
09:39 < daltio12> on 2 mchine any idea
09:42 < rob0> A gateway is a non-local IP to which you have an existing route (not the default route.)
09:43 < rob0> !route
09:43 < vpnHelper> rob0: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:51 -!- Blues-Man [~bluesman@95.239.113.182] has joined ##openvpn
09:55 -!- rawDawg [~rawDawg@cpe-76-189-164-149.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
09:57 -!- mithridates [~chatzilla@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
09:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:02 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
10:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
10:05 -!- daltio12 [~daltio@116.71.44.150] has quit [Ping timeout: 246 seconds]
10:06 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
10:08 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
10:16 -!- julius [~julius@217.20.127.15] has quit [Remote host closed the connection]
10:16 -!- julius [~julius@217.20.127.15] has joined ##openvpn
10:16 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:17 -!- graffz [~graffz@118.175.66.195] has joined ##openvpn
10:19 -!- graffz [~graffz@118.175.66.195] has quit [Read error: Connection reset by peer]
10:21 -!- DarthGandalf is now known as DarthGandalf|BNC
10:21 -!- DarthGandalf|BNC is now known as DarthGandalf
10:26 -!- iateadonut [~dan@65.60.56.139] has joined ##openvpn
10:27 < iateadonut> I'm on a VPN that i set up on a debian box. Everything is OK; when I check the website "whatismyip.com", it shows the ip of my debian server and not my home linux system.
10:27 < iateadonut> The thing is, I'm behind a firewall that blocks some sites (eg. facebook) and sends them to the wrong IP address. If all my traffic is going through the VPN, why are they still blocked? (I'm guess DNS lookup, but I can't get to facebook by the IP address either.)
10:27 < iateadonut> The second question is that I just started up skype and I want to know how I can see how my traffic is routed.
10:29 < Fiouz> which IP are you using for testing?
10:29 < rob0> No way to guess that what's going on without information. About skype, you probably would not want to route that through the VPN, because it will add latency and jitter in the calls.
10:33 -!- Xanthaos [~sacreddel@66-191-193-093.dhcp.spbg.sc.charter.com] has joined ##openvpn
10:33 < Xanthaos> I'm using this quickstart:
10:33 < Xanthaos> http://fedoraproject.org/wiki/Openvpn
10:33 < vpnHelper> Title: Openvpn - FedoraProject (at fedoraproject.org)
10:33 < Xanthaos> Which seems to infer openvpn installation on a network frontend box
10:34 < Xanthaos> Will this setup also work with a box not on the frontend my omitting the FORWARD iptables lines?
10:38 < rob0> The iptables filter table's FORWARD chain is only used for traffic passing through, neither source nor destination on the iptables machine itself. If IP forwarding is not enabled, no packets hit FORWARD.
10:49 -!- iateadonut [~dan@65.60.56.139] has quit [Ping timeout: 258 seconds]
11:10 < sp0tteh> Hey, simple question: does openvpn (with freeradius) support sending Interim-Update with the accounting info? meaning updating the radacct table with user usage / session time at reglar intervals. cheers
11:23 -!- Blues-Man [~bluesman@95.239.113.182] has quit [Quit: Sto andando via]
11:27 -!- mithridates [~chatzilla@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.5/20091102141836]]
11:31 < vpnHelper> New forum entry openvpnforum: Wishlist :: Idea for direct connections :: Reply by undunk <http://www.ovpnforum.com/viewtopic.php?f=10&t=141&p=4339#p4339>
11:33 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:42 < Xanthaos> okay
11:43 < Xanthaos> gotta server side issue, failed to start with service openvpn start.
11:43 < Xanthaos> one line in /var/log/messages, want it here or fpaste?
11:44 < Xanthaos> http://fpaste.org/N6Is/
11:44 < Xanthaos> That is the server.conf file
11:46 < Xanthaos> Apr  3 12:41:11 MTFedora openvpn[28257]: Options error: In [CMD-LINE]:1: Error opening configuration file: server.conf
11:46 < Xanthaos> that is the only error from the error logs
12:19 -!- daltio12 [~daltio@119.155.21.104] has joined ##openvpn
12:22 -!- aaronorosen1 [~arosen@riggs249dhcp138.ces.clemson.edu] has joined ##openvpn
12:23 < aaronorosen1> !welcome
12:23 < vpnHelper> aaronorosen1: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:23 < aaronorosen1> !howto
12:23 < vpnHelper> aaronorosen1: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:35 < daltio12> guys
12:36 < daltio12> guys i want to run my debain as router how i do this, i have 2 debain boxes connected with vpn , my local network ins 10.157.41.0 and its has a seperate wan ip and another box as local network 192.168.3.0 with 1 wan ip, both machines are ok and access each other now 1 machine as a juniper router with ip 10.157.41.1 and thrugh this router i add a route add -host 10.1578.2/32 gw 10.157.41.1 1 machine can access 10.157.8.2  ,,i want second machine should 
12:36 < daltio12> access the mail server 10.157.8.2 what routes should i add,my vpn ip on 1 machine is 18.18.18.1 and on 2 machine is 18.18.18.5 , i add route on 2 machine route add -host 10.157.8.2 gw 18.18.18.1
12:47 < daltio12> any idea 
12:47 < daltio12> ?
12:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:51 < daltio12> vpnHelper u there
12:51 < vpnHelper> daltio12: Error: "u" is not a valid command.
12:51 < daltio12> can u help me
12:51 < daltio12> sorry
12:51 < daltio12> you there
12:53 < daltio12> can we talk on my prb?
12:56 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 264 seconds]
13:01 -!- daltio [~daltio@119.155.16.30] has joined ##openvpn
13:01 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
13:03 -!- daltio12 [~daltio@119.155.21.104] has quit [Ping timeout: 276 seconds]
13:12 -!- billub [~billub@c-24-130-224-207.hsd1.ca.comcast.net] has joined ##openvpn
13:12 < billub> anyone successfully compiled openvpn for windows using mingw32 ? 
13:13 < daltio> guys 
13:13 < daltio> route add -host 10.157.8.2 gw 18.18.18.1
13:13 < daltio> SIOCADDRT: No such process
13:13 < daltio> any idea?
13:26 -!- daltio [~daltio@119.155.16.30] has quit [Quit: Leaving]
13:35 -!- billub [~billub@c-24-130-224-207.hsd1.ca.comcast.net] has quit [Ping timeout: 240 seconds]
13:36 -!- Hydrant [~aj@unaffiliated/hydrant] has joined ##openvpn
13:36 -!- billub [~billub@c-24-130-224-207.hsd1.ca.comcast.net] has joined ##openvpn
13:36 < Hydrant> hey all... how do I blacklist user keys?  I have a terminated user that I want to forbid from accessing the VPN
13:39 < Hydrant> ah ./revoke-full
13:41 < billub> find out the disgusting scumbags that were responsible for ruining your job, including people that try to harass others by tapping their ISP spit on their faces, and then use your head
13:42 < billub> there would be 2 scumbags responsible for it
13:42 < billub> not one
13:42 < billub> got it hydrant ? 
13:45 < billub> filthy disgusting scum that returns even when you spit on it
13:48 -!- daltio12 [~daltio@119.155.16.30] has joined ##openvpn
13:48 < daltio12> hows 
13:48 < daltio12> guys i want reall help i am stuck in routes things
13:48 < daltio12> guys i want to run my debain as router how i do this, i have 2 debain boxes connected with vpn , my local network ins 10.157.41.0 and its has a seperate wan ip and another box as local network 192.168.3.0 with 1 wan ip, both machines are ok and access each other now 1 machine as a juniper router with ip 10.157.41.1 and thrugh this router i add a route add -host 10.1578.2/32 gw 10.157.41.1 1 machine can access 10.157.8.2  ,,i want second machine should a
13:48 < daltio12> ccess the mail server 10.157.8.2 what routes should i add,my vpn ip on 1 machine is 18.18.18.1 and on 2 machine is 18.18.18.5 , i add route on 2 machine route add -host 10.157.8.2 gw 18.18.18.1
13:51 < billub> daltio : would you know how to compile windows openvpn ? 
13:53 < Hydrant> I tried ./revoke-full username... but the contents of crl.pem have only one key... shouldn't there be a key per revoked user?
13:55 < daltio12> openvpn have a windows client download that it works flwaless
13:56 < billub> daltio12 : i wanted to change it, but having tough time trying to compile (even without changes first)
13:56 < billub> Hydrant: try spitting on Erik Lindskogs face ... that would help you
14:01 -!- Hydrant [~aj@unaffiliated/hydrant] has left ##openvpn ["Konversation terminated!"]
14:05 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 248 seconds]
14:17 -!- billub [~billub@c-24-130-224-207.hsd1.ca.comcast.net] has left ##openvpn []
14:18 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
14:27 < krzee> dougy approved some spammers 3rd post, lol
14:27 < krzee> lemme delete the guy
14:27 < krzee> luckily the 3rd post was a reply to one of mine
14:29 < krzee> well i think its a spammer
14:29 < krzee> ecrist, check out undunk on the forum
14:30 < krzee> he has 1 post that mentions openvpn, so i hesitate to just remove... but im not so sure hes not a spammer either... 
14:31 < |Mike|> krzee: are it bots or human spammers?
14:32 < |Mike|> if 1; fix a captcha at the "become a member" page
14:32 < krzee> ya i have suggested that before
14:33 < |Mike|> but?
14:34 < krzee> but its not there
14:34 < krzee> :-p
14:35 < krzee> oh actually there is one there
14:49 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
15:27 -!- DrPepper [~DrPepper@88.207.192.171] has quit [Quit: Leaving...]
15:30 -!- daltio12 [~daltio@119.155.16.30] has quit [Ping timeout: 265 seconds]
16:00 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has joined ##openvpn
16:00 < vpnguy> !welcome
16:00 < vpnHelper> vpnguy: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:01 < vpnguy> !configs
16:01 < vpnHelper> vpnguy: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
16:01 < vpnguy> hello
16:03 < vpnguy> TLS Error: cannot locate HMAC in incoming packet from 192.168.68.70
16:03 < vpnguy> need help ...
16:04 < vpnguy> I can provide config files
16:05 < vpnguy> local 192.168.75.80
16:05 < vpnguy> port 1194
16:05 < vpnguy> proto tcp
16:05 < vpnguy> dev tap
16:05 < vpnguy> mode server
16:05 < vpnguy> tun-mtu 1500
16:05 < vpnguy> tls-server
16:05 < vpnguy> mssfix
16:05 < vpnguy> persist-key
16:05 < vpnguy> persist-tun
16:05 < vpnguy> ca /etc/openvpn/ca.crt
16:05 < vpnguy> cert /etc/openvpn/smartusers.fr.crt
16:05 < vpnguy> key /etc/openvpn/smartusers.fr.key  # This file should be kept secret
16:05 < vpnguy> dh /etc/openvpn/dh1024.pem
16:07 < |Mike|> dude
16:07 < vpnguy> yes
16:08 < |Mike|> don't paste configs on irc
16:08 < |Mike|> use pastie.org or pastebin
16:08 < vpnguy> ok
16:12 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
16:12 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
16:14 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
16:14 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
17:14 < Xanthaos> trying to establish openvpn server on fedora 12, /var/log/messages shows selinux denial, ausearch confirms.  Someone able to help me with this?
17:15 < Xanthaos> http://fpaste.org/H7N6/
17:15 < Xanthaos> is the sealert
17:52 -!- Gellert [~gellert@home.gellert.pro] has joined ##openvpn
17:54 < Gellert> !welcome
17:54 < vpnHelper> Gellert: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:55 < Gellert> !howto
17:55 < vpnHelper> Gellert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:56 < Gellert> !configs
17:56 < vpnHelper> Gellert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
17:57 -!- Gellert [~gellert@home.gellert.pro] has left ##openvpn []
18:02 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has quit [Ping timeout: 276 seconds]
18:10 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
18:12 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
18:55 < ecrist> krzee: did you delete the user and all topics?
19:16 -!- smerz [~daniel@smerz.demon.nl] has quit [Quit: Ex-Chat]
19:17 -!- clyons [~clyons@unaffiliated/clyons] has quit [Ping timeout: 240 seconds]
19:56 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:32 < sp0tteh> Hey, simple question: does openvpn (with freeradius) support sending Interim-Update with the accounting info? meaning updating the radacct table with user usage / session time at reglar intervals. cheers
21:03 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 268 seconds]
21:09 -!- billub [~billub@c-24-130-224-207.hsd1.ca.comcast.net] has joined ##openvpn
21:09 < billub> hi, what is the command to strip all lines starting with # ? 
21:11 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has joined ##openvpn
21:11 -!- billub [~billub@c-24-130-224-207.hsd1.ca.comcast.net] has left ##openvpn []
21:13 < ecrist> !configs
21:13 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
21:40 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
21:41 -!- Douglas [~me@ool-435033e6.dyn.optonline.net] has joined ##openvpn
21:49 -!- theDoc [~jaki@69.10.59.166] has joined ##openvpn
21:49 -!- theDoc [~jaki@69.10.59.166] has quit [Changing host]
21:49 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
21:52 -!- DarthGandalf is now known as DarthGandalf|BNC
23:19 -!- Douglas [~me@ool-435033e6.dyn.optonline.net] has quit []
23:23 < krzee> ecrist, yes
23:52 -!- skor [~skor@unaffiliated/skor] has joined ##openvpn
23:56 -!- skor [~skor@unaffiliated/skor] has quit [Quit: Leaving]
--- Day changed Sun Apr 04 2010
00:06 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has joined ##openvpn
00:06 < vpnguy> !welcome
00:06 < vpnHelper> vpnguy: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
00:09 < vpnguy> please help
00:09 < vpnguy> !goal
00:09 < vpnHelper> vpnguy: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
00:10 < vpnguy> I cannot connect from the client to the server
00:11 < vpnguy> SIGUSR1[soft,connection-reset] received, process restarting
00:11 < vpnguy> Sun Apr 04 07:10:51 2010 us=711060 Restart pause, 5 second(s)
00:11 < theDoc> !logs
00:11 < vpnHelper> theDoc: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
00:12 < vpnguy> to whom I send those files ?
00:14 < theDoc> Try pastebinning your logs and drop the link in the channel main
00:16 < vpnguy> ok
00:19 < vpnguy> http://pastebin.com/YMQhvdqc
00:19 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
00:21 -!- tjz [~pc@bb116-14-138-11.singnet.com.sg] has joined ##openvpn
00:21 -!- tjz [~pc@bb116-14-138-11.singnet.com.sg] has quit [Changing host]
00:21 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
00:21 < vpnguy> http://pastebin.com/6dFtymb2
00:24 < theDoc> vpnguy> Can you pastebin your client connection log?
00:24 < vpnguy> yes
00:25 < vpnguy> http://pastebin.com/B6Bz20Qb
00:25 -!- Colloguy [~flx@adsl-99-33-30-42.dsl.pltn13.sbcglobal.net] has joined ##openvpn
00:27 < theDoc> Sorry man, no clue at the moment.
00:27 < vpnguy> ok
00:27 < vpnguy> thanks anyway
00:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
00:50 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:25 < vpnguy> ok I found the problem
01:26 < vpnguy> I am getting an IP Adress but I cannot ping a client
01:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
01:27 < vpnguy> whereas client-to-client is setup on the server configuration file
01:38 < Bushmills> !ipforward
01:38 < vpnHelper> Bushmills: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
01:38 < Bushmills> !factoids search forward
01:38 < vpnHelper> Bushmills: 'winipforward', 'linipforward', 'ipforward', and 'fbsdipforward'
01:39 < Bushmills> !ipforward
01:39 < vpnHelper> Bushmills: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
01:47 < vpnguy> !ipforward
01:47 < vpnHelper> vpnguy: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
01:48 < vpnguy> !linipforward
01:48 < vpnHelper> vpnguy: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
01:50 < vpnguy> I just set net.ipv4.ip_forward = 1
01:50 < vpnguy> do I need to restart the interface ?
01:51 < vpnguy> because I still have the same problem
01:53 < Bushmills> no need
01:53 < Bushmills> ah. yes
01:53 < Bushmills> unless you set it in /proc
01:54 < Bushmills> echo 1 > /proc/sys/net/ipv4/ip_forwards  i think
01:54 < Bushmills> ip_forward
01:55 < vpnguy> I just setup echo 1 > /proc/sys/net/ipv4/ip_forwards
01:55 < vpnguy> nothing changed
01:55 < Bushmills> "ip_forwards" should be wrong
01:56 < vpnguy> echo 1 > /proc/sys/net/ipv4/ip_forward
01:56 < Bushmills> nf_conntrack module needs to be loaded
01:57 < vpnguy> what is nf_conntrack ?
01:57 < vpnguy> I mean how do I load it
01:57 < Bushmills> modprobe nf_conntrack
01:58 < Bushmills> that's what provides /proc/..../ip_forward
01:58 < vpnguy> done
01:58 < vpnguy> can I find something useful on my logs
01:58 < vpnguy> ?
01:59 < Bushmills> i haven't looked at your logs, so i can't tell you
01:59 < Bushmills> you might want to ask someone who has access to your machine
02:01 < vpnguy> nothing useful in my logs
02:01 < vpnguy> maybe it is my server network interfaces
02:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:01 < vpnguy> that are not correctly set
02:05 < vpnguy> it is 
02:05 < vpnguy> in fact I just solved the problem
02:06 < vpnguy> and it is working fine now
02:06 < vpnguy> thanks
02:06 < vpnguy> a lotr
02:11 -!- fahadsadah [~fahad@unaffiliated/fahadsadah] has quit [Killed (evilmquin (Please do not harass users or channels on freenode))]
02:11 -!- fahadsadah [~fahad@unaffiliated/fahadsadah] has joined ##openvpn
02:15 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
02:15 -!- mode/##openvpn [+o mattock] by ChanServ
02:40 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.8/20100214235958]]
03:25 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: This computer has gone to sleep]
03:41 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
03:48 -!- DrPepper [~DrPepper@88.207.192.171] has joined ##openvpn
04:00 -!- Colloguy [~flx@adsl-99-33-30-42.dsl.pltn13.sbcglobal.net] has quit [Quit: bye]
04:04 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has quit [Ping timeout: 268 seconds]
04:12 -!- master_of_master [~master_of@p57B57C6E.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
04:14 -!- master_of_master [~master_of@p57B53E58.dip.t-dialin.net] has joined ##openvpn
04:49 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit [Ping timeout: 246 seconds]
05:15 -!- cherva [~cherva@78.128.16.162] has joined ##openvpn
05:15 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
05:15 -!- pif [~ldm@zenon.apartia.fr] has left ##openvpn []
05:17 < cherva> can I make different groups of users that CAN see the PCs only in their group not all PCs on the server. Something like Hamachi ?
05:18 < cherva> I suppose I have to make this with IPTABLES...
05:23 < hyper_ch> run multiple instances of openvpn with different subnets
05:27 < cherva> hyper_ch, thx I saw how to do it :)
05:30 < Bushmills> see PC only is the default
05:30 < Bushmills> seeing other clients requires extra config
05:31 < Bushmills> oh. see other clients in the same group .. not seen that bit
05:33 -!- DrPepper [~DrPepper@88.207.192.171] has quit [Quit: Leaving...]
05:52 -!- DrPepper [~DrPepper@88.207.192.171] has joined ##openvpn
06:07 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
06:14 -!- cherva [~cherva@78.128.16.162] has quit [Quit: Leaving]
06:18 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
06:56 -!- mape2k [~mape2k@2a01:198:23f:10ff:f7:67ff:fe5c:d2c8] has joined ##openvpn
07:32 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
08:59 -!- DrPepper [~DrPepper@88.207.192.171] has quit [Quit: Leaving...]
09:02 -!- DrPepper [~DrPepper@88.207.192.171] has joined ##openvpn
09:31 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
09:33 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
09:33 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 276 seconds]
09:34 -!- mape2k [~mape2k@2a01:198:23f:10ff:f7:67ff:fe5c:d2c8] has quit [Ping timeout: 276 seconds]
09:40 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
09:42 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
09:45 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
09:48 -!- meepmeep_ is now known as meepmeep
09:48 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
10:15 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
10:18 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
10:43 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
10:51 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
11:00 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
11:04 -!- dvrcoder [~asdfasd@77-58-85-244.dclient.hispeed.ch] has joined ##openvpn
11:05 < dvrcoder> hi, question: is there any inbuilt mechanism to autostart the openvpn client only conditionally (i.e. if my IP is not in a certain range)?
11:05 < dvrcoder> (as a linux client)
11:16 -!- xinit [~wouter@mail.pruts.nl] has joined ##openvpn
11:16 < xinit> hi
11:19 < xinit> I have just setup an openvpn server and most works fine, but there is a thing with DNS.. I push a dns domain and nameserver.. that works, but after a while, my own network dhcp server gives me a new lease, so my /etc/resolv.conf changes back
11:19 < xinit> that either causes my openvpn (I use Tunnelblick) to reconnect, dropping all connections, or, when I turn of monitoring of the tunnel, I loose lookups on my VPN network
11:19 < xinit> is there any way to circumvent this?
11:21 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
11:21 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
12:03 < SerajewelKS> dvrcoder: you could just write a shell script to do that
12:04 < dvrcoder> SerajewelKS: yes obviously :D i was hoping there was a built-in thing which already works flawlessly
12:04 < SerajewelKS> dvrcoder: don't think so
12:04 < dvrcoder> ok
12:06 -!- dauergast [~sag@188-193-229-244-dynip.superkabel.de] has joined ##openvpn
12:08 -!- floh1111 [~floh1111@host-091-097-034-094.ewe-ip-backbone.de] has joined ##openvpn
12:08 -!- floh1111 [~floh1111@host-091-097-034-094.ewe-ip-backbone.de] has left ##openvpn ["Konversation terminated!"]
12:08 -!- floh1111 [~floh1111@host-091-097-034-094.ewe-ip-backbone.de] has joined ##openvpn
12:10 < floh1111> Hi I´m using openvpn in tap mode and dont want to get an ip adress (disable dhcp?) is this posible? I tried "ifconfig-push 0.0.0.0 0.0.0.0" in a ccd but this didnt worked
12:11 < |Mike|> !ccd
12:11 < vpnHelper> |Mike|: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
12:13 -!- DarthGandalf|BNC is now known as DarthGandalf
12:23 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
12:23 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
12:26 < dauergast> floh1111: use ebtables to block dhcp traffic going through the tunnel (my solution for this problem - dont know if there is an easier)
12:29 -!- DarthGandalf is now known as DarthGandalf|BNC
12:29 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
12:29 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
12:42 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
12:52 < SerajewelKS> dauergast: you can use iptables for that...
12:52 < SerajewelKS> dauergast: just block all UDP traffic on port 67
12:54 < dauergast> SerajewelKS: thanks, will add this to my knowledge :)
12:55 < floh1111> Isn´t there any option in openvpn directly? ip-/ebtables are no solution for me because i have clients that should get ips and clients that should not and everything should as dynamically as posible... this is for a freifunk network wich is using batman advanced
12:59 < dauergast> how many clients are on your network which need such dynamic settings?
12:59 -!- caution [~caution@unaffiliated/caution] has joined ##openvpn
13:01 < floh1111> 2-500... depends on in wich city you are...
13:01 < floh1111> on how big the local freifunk network is
13:01 < floh1111> *and
13:02 < floh1111> the best option for me would be to be able to set this in a ccd like "ifconfig-push 0.0.0.0" or "no-ip"
13:05 -!- caution [~caution@unaffiliated/caution] has quit [Ping timeout: 258 seconds]
13:06 -!- nb_ [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
13:07 < krzee> floh1111, in the client use no-pull
13:07 < krzee> !man
13:07 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
13:09 < krzee> --route-nopull i guess
13:09 < krzee> but really, what is your goal?
13:09 < krzee> !goal
13:09 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:11 < ecrist> happy easter to those who celebrate, I just enjoy chocolate bunnies. :)
13:12 < krzee> ahh forgot it was easter...
13:12 < krzee> happy easter
13:12  * ecrist goes to eat ham and other goodies.
13:13 < krzee> my easter bunnies got kicked out last night when i was done with them
13:15 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Ping timeout: 276 seconds]
13:19 -!- billub [~billub@c-24-130-224-207.hsd1.ca.comcast.net] has joined ##openvpn
13:19 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:21 < billub> anyone know how to avoid bad packet errors ?
13:25 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Ping timeout: 265 seconds]
13:28 -!- billub1 [~billub@c-24-130-224-207.hsd1.ca.comcast.net] has joined ##openvpn
13:28 < billub1> the error i get is 
13:28 < billub1> Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
13:30 -!- billub [~billub@c-24-130-224-207.hsd1.ca.comcast.net] has quit [Ping timeout: 246 seconds]
13:32 < billub1> itsnot just a warning message but it doesn't work, i rebuilt the openvpn.exe form the source without any modifications and tried to use that (and prebuilt openssl.exe)
13:32 < krzee> are you connecting over wifi?
13:36 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Remote host closed the connection]
13:36 -!- nb_ is now known as nb
13:43 -!- dauergast [~sag@188-193-229-244-dynip.superkabel.de] has quit [Ping timeout: 246 seconds]
13:45 < billub1> krzee: yes (just saw your msg)
13:46 < billub1> krzee: the usual openvpn works fine, its just the version that i created doesn't, tls negotation etc. all seem to work, but at the end i get the above error
13:46 < krzee> have you read the portions of the man page which mentions that
13:46 < krzee> then use the normal version!
13:46 < krzee> lol
13:46 < billub1> i did, but they seem to saw how to suppress the warnings
13:47 < billub1> thing is if i use the openvpn gui and the same openvpn.exe that gave above errors it works fine. the errors come if i simply call openvpn using command line : openpvn.exe configfile
13:47 < krzee> if you have made it work fine, why dont you do what worked fine?
13:48 < krzee> and use what you read to make it shutup about the warnings
13:48 < billub1> i don't want to use the openvpn gui with which it works
13:48 < billub1> i just wnated ot use command line
13:48 < billub1> i tried to shutup the warnings, but there is some problem on it - it doesn't connection
13:48 < billub1> connect
13:48 < krzee> when you install openvpn with gui it can be run from cli as well
13:48 < billub1> can you tell me if the command line call is correct ? 
13:48 < billub1> i installed openvpn portable version with the gui
13:48 < krzee> !download
13:48 < vpnHelper> krzee: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) see !gui for more information for Windows clients.
13:49 < krzee> install from there
13:49 < billub1> ok, i'll try that
13:50 < billub1> bbl
13:50 -!- billub1 [~billub@c-24-130-224-207.hsd1.ca.comcast.net] has left ##openvpn []
13:51 < oc80z> hi
14:00 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has joined ##openvpn
14:00 < vpnguy> !welcome
14:00 < vpnHelper> vpnguy: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:00 < vpnguy> !interface
14:00 < vpnHelper> vpnguy: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
14:01 < vpnguy> !mitm
14:01 < vpnHelper> vpnguy: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
14:02 < vpnguy> hello
14:07 < vpnguy> I would like to keep my firewall
14:07 < aaronorosen1> I have a question about the official howto it says. "Before you use the sample configuration file, you should first edit the ca, cert, key, and dh parameters to point to the files you generated in the PKI section above." What does that mean which files do i edit? server.conf ?
14:08 < vpnguy> yes
14:08 < aaronorosen1> vpnguy: are you talking to me? 
14:08 < vpnguy> server.conf
14:11 < aaronorosen1> vpnguy: I'm looking at server.conf and i don't see where it says anything like /path/to/keys/ am i missing something? Sorry
14:12 < vpnguy> I would like to keep my firewall settings but the problem is that I cannot access to other client services
14:12 < vpnguy> ok
14:12 < vpnguy> you should ca
14:12 < floh1111> krzee: with no-pull I don´t get a ip from openvpn? That would be nice.. where do I add this option? client.conf or ccd? I only need a connection on layer2 and no ip-adress
14:13 < vpnguy> ca /etc/openvpn/ca.crt
14:13 < vpnguy> cert /etc/openvpn/cert.fr.crt
14:13 < vpnguy> key /etc/openvpn/....fr.key  # This file should be kept secret
14:13 < vpnguy> dh /etc/openvpn/dh1024.pem
14:14 < aaronorosen1> vpnguy: Are you talking about this? http://pastebin.com/WnV2XksV
14:14 < aaronorosen1> kkk
14:14 < aaronorosen1> gotcha
14:14 < aaronorosen1> thanks
14:17 < vpnguy> what IPtables settings do I need to setup in order to allow each client to access other's client services ?
14:18 -!- cwillu_at_work [~cwillu@64.22.125.185] has quit [Excess Flood]
14:18 -!- cwillu_at_work [~cwillu@cwillu.com] has joined ##openvpn
14:21 -!- floh1111 [~floh1111@host-091-097-034-094.ewe-ip-backbone.de] has quit [Remote host closed the connection]
14:35 < Bushmills> !route
14:35 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:35 < Bushmills> vpnguy: ^^^
14:35 < Bushmills> !iroute
14:35 < vpnHelper> Bushmills: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
14:35 < Bushmills> !client-to-client
14:35 < vpnHelper> Bushmills: "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
14:35 < vpnHelper> Bushmills: other clients
14:36 < vpnguy> I am using ethernet bridging
14:37 < Bushmills> why?
14:37 < aaronorosen1> I'm trying to configure ethernet bridging and in start_bridge script it has eth_ip="192.168.8.4" Is that just the ipaddress of the interface that i'm using? 
14:37 < krzee> if floh1111 comes back, someone tell him to read everything --server-bridge expands to, and remake it to his needs
14:38 < Bushmills> krzee: freenode has a msgserv bot in operation
14:39 < Bushmills> memoserv
14:39 < aaronorosen1> Also when i run ./bridge_start is that supposed to exit by it self it seems like that script doesn't return? 
14:40 < krzee> assuming he was identified
14:40 -!- purifiedmadness [~jesus@c-67-177-231-60.hsd1.co.comcast.net] has joined ##openvpn
14:40 < aaronorosen1> shoot after i ran bridge_start my computer seems to be no longer accessable vi ssh? 
14:42 < vpnguy> it is normal
14:42 < krzee> the 1 time i did setup a bridge i remember i had to add a line at the bottom of that script to set gateway
14:42 < vpnguy> you are chnaging network interfaces
14:43 < krzee> bbl, work
14:43 < aaronorosen1> grr i'/m going to have to go to a different building to fix this bbl 
14:44 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
15:12 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Read error: Connection reset by peer]
15:15 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
15:33 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has joined ##openvpn
15:35 < aaronorosen2> Hello, I've just configure the bridge_start script and after doing so I can not access the internet on that computer. After runnning the script it has created a br0 interface and when running ifconfig everything on that br0 interface looks right. Any ideas what i've done wrong? 
15:35 < Bushmills> why bridge?
15:36 < aaronorosen2> Bushmills: I want to configure my Openvpn server such that it hands out public ip address from the network 
15:36 < aaronorosen2> Bushmills: I'm following this http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html
15:36 < vpnHelper> Title: Ethernet Bridging (at openvpn.net)
15:39 < Bushmills> why bridge? 
15:39 < rob0> What I do for that, kind of a kludge, is just use tap, but then have an ipip tunnel through the VPN with the IP for the other end.
15:39 < rob0> s/tap/tun/ sorry
15:39 < aaronorosen2> Bushmills: I guess i don't need the bridge? 
15:39 < rob0> If it's Linux-to-Linux on both ends, you are in luck, I wrote a howto.
15:40 < rob0> (howto for ipip on linux)
15:40 < Bushmills> you don't need bridge to hand out addresses of your choice to openvpn clients
15:41 < rob0> and you probably don't even need my kludge, just use the public IPs as the server address pool
15:41 < aaronorosen2> Bushmills: I want to set it up such that the ip address will be handed out from the dhcp server already on the network.
15:42 < Bushmills> are the dhcp clients also openvpn clients?
15:42 < aaronorosen2> Bushmills: I want the openvpn clients to be handed an ip address from the dhcp server on the lan so yes. 
15:43 < aaronorosen2> Bushmills: when would one want to use  bridging? 
15:43 < Bushmills> seems easier to tell your openvpn server to assign those addresses to clients
15:44 < Bushmills> !tunortap
15:44 < vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
15:44 < vpnHelper> Bushmills: against you over the vpn
15:45 < aaronorosen2> Bushmills: I want to pass layer2 traffic 
15:46 < Bushmills> for other than dhcp requests?
15:46 < aaronorosen2> Bushmills: yes. (I can explain why if you want)
15:46 < Bushmills> no need. suffices to have a reason
15:47 < Bushmills> usually people thiink they need bridging while they don't
15:47 < aaronorosen2> Bushmills: Could you point me in the right direction for setting this up ? 
15:48 < aaronorosen2> Bushmills: do i need bridging for layer2. To be honest i'm not quite sure what bridging does for me? Is the point of bridging to join the eth interface with a tap interface? 
15:49 < Bushmills> it is making network segments at openvpn server and client appear to be connected
15:49 < Bushmills> (instead of a router in between)
15:49 < aaronorosen2> Bushmills: So i need to configure a bridge for what i want correct? 
15:50 < Bushmills> i don't know. i suppose you do, as you say you want layer 2 traffic. 
15:51 < aaronorosen2> Bushmills: Any idea why when i run start_bridge why it breaks the internet connection on that computer? Here is the output if ifconfig and the bridge_start script. http://pastebin.com/0LuPTN0N
15:54 < Bushmills> you checked out http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html?
15:54 < vpnHelper> Title: Ethernet Bridging (at openvpn.net)
15:54 < aaronorosen2> When i run ./bridge_start it creates an br0 interface with everything that lookes exactly the same as what my eth2 was before
15:55 < aaronorosen2> Bushmills: yea thats the page i used to configure this. 
15:55 < aaronorosen2> Bushmills: After running bridge_start and a new interface is created do i have to do something to tell the OS to start using that interface or should it just work? 
15:57 < aaronorosen2> I've read that hole page but i'm not sure why internet no longer works after the br0 interface is created. 
15:58 -!- samyray [~samyray@218-123-132-95.pool.ukrtel.net] has joined ##openvpn
16:03 < vpnguy> !forward
16:03 < vpnHelper> vpnguy: Error: "forward" is not a valid command.
16:03 < vpnguy> !welcome
16:03 < |Mike|> !def1
16:03 < vpnHelper> vpnguy: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:03 < vpnHelper> |Mike|: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
16:03 < Bushmills> !ipforward
16:03 < vpnHelper> Bushmills: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
16:03 < aaronorosen2> vpnguy: do you have any idea about my problem i was chatting with you earlier 
16:04 < vpnguy> !linipforward
16:04 < vpnHelper> vpnguy: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
16:04 < aaronorosen2> vpnguy: is that for me? 
16:05 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
16:05 < samyray> Hi,can someone help me with openvpn configuration
16:05 < samyray> I have installed openvpn on the windows 2008 server where I have one network interface
16:05 < samyray> Also I have bought public IP,and I want that when my client computer connect to the server,it must get this IP,so that when he goes to the some services such as http://ip-lookup.net/ I will see my public IP and not the Ip of the server.
16:05 < vpnHelper> Title: IP Address Lookup (IPv4 & IPv6) (at ip-lookup.net)
16:05 < samyray> Is it real?
16:06 < vpnguy> sorry no
16:06 < aaronorosen2> vpnguy: are you talking to me? 
16:07 < |Mike|> samyray: see !def1
16:07 < samyray> vpnguy: Or you talking for me?)
16:07 < |Mike|> !def1
16:07 < vpnHelper> |Mike|: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
16:08 < aaronorosen2> When i run that bridge_start script I get the following error to stdout on the actual box. br0 Dropping NETIF_F_UFO since no NETIF_F_HW_CSUM feature
16:08 < samyray> |Mike|:yes,I tried this,but when I go to internet i have Ip from my serve and that IP what I have got from the openvpn
16:09 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
16:09 < samyray> *not that IP
16:09 < |Mike|> samyray: your client must use your openvpn server's gateway ? or just not ?
16:10 < samyray> |Mike|: I think my client must use this gateway to reach the internet
16:10 < samyray> Am I right?
16:11 < |Mike|> rule #1, assumption is the mother of all fuckups ;)
16:11 < samyray> What do you mean?)
16:12 < |Mike|> why needs it that specific gateway, and why shouldn't it ? :)
16:14 < aaronorosen2> is this ->> br0: dropping NETIF_F_UFO since no NETIF_F_HW_CSUM feature. Because i don't have a specific kernel mod loaded? 
16:14 < samyray> I think the sheme is like this :
16:14 < samyray> client -> openvpn server -> server interface -> server gateway -> internet
16:14 < samyray> So I think it must user server gateway
16:15 < |Mike|> samyray: sounds reasonable, but you can also configure your openvpn server as non-gateway and let your clients use their own gateway. Only specific data what needs the tunnel goes over the tunnel then :)
16:21 < aaronorosen2> Could anyone point me in the right direction with the following error message? Sorry br0 Dropping NETIF_F_UFO since no NETIF_F_HW_CSUM feature
16:21 < samyray> |Mike|:But what about public IP? My current problems after days of searching across the internet is how to make some change on server so that my client could be visible from the intenet,for example if I have this scheme:
16:21 < samyray> ftp server(openvpn clientl) -> openvpn server -> server interface -> server gateway ->internet  <- client 
16:21 < samyray> and client want to connect  threw the internet to my ftp server 
16:21 < samyray> Is it real to do?
16:22 < |Mike|> what do you mean by openvpn server => server interface ?
16:22 < rob0> There is no difference to the networking stack between a "public" IP and a "private" one.
16:22 < |Mike|> your openvpn server hangs behind a NAT box?
16:23 < samyray> I mean that openvpn server and gateway is the same computer
16:23 < rob0> What it requires, like many things, is understanding of what you're doing. :)
16:24 < |Mike|> you can forward ports from your clients with an ftpd on it to the outside interface of your openvpn server :)
16:24 < |Mike|> works like NAT tbh.
16:25 < samyray> |Mike|: So on windows server I must you RRAS for this task?
16:25 < |Mike|> what the * is RRAS ?
16:25 < |Mike|> Windows is an OS what i rather not touch, but networking is pretty non-OS related :)
16:26 < aaronorosen2> After a bridge is created is there something that has to be done so that the computer uses it? I've setup this bridge on a different box running Fedora 12 instead of debian and i don't get that  br0: dropping NETIF_F_UFO since no NETIF_F_HW_CSUM feature error messssage but my internet still doesn't work. 
16:26 < samyray> |Mike|: Routing  and Remote Access,it is Microsoft implementation of NAT
16:26 < |Mike|> i believe you if you say so :P
16:26 < samyray> |Mike|::-)
16:27 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
16:27 -!- mode/##openvpn [+o mattock] by ChanServ
16:28 < samyray> |Mike|:Ok,thanks,I am going to have more sex with this shit,hope it will work)
16:29 < |Mike|> I hope you work it out :P
16:33 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has quit [Quit: Leaving.]
16:33 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has joined ##openvpn
16:34 < aaronorosen2> After creating the bridging and giving it the correct iptable rules does one HAVE to have openvpn running inorder for the network to work? 
16:35 < |Mike|> first the network must be up before the openvpn client/server starts, yah.
16:35 < |Mike|> aaronorosen2: using debian lenny by accident? :)
16:35 < aaronorosen2> |Mike|: what do you mean by accident? 
16:36 < |Mike|> Debian's boot order is also fucked on default, it wants to start openvpn before the network is up aswell
16:37 -!- samyray [~samyray@218-123-132-95.pool.ukrtel.net] has left ##openvpn []
16:38 < aaronorosen2> |Mike|: Well i'm having the same problem with Fedora X.x 
16:38 < |Mike|> I see
16:38 < aaronorosen2> |Mike|:  would you have a sec to see if you know what i'm doing wrong? 
16:39 < aaronorosen2> I'm stuck on setting up the bridge X.x
16:39 < |Mike|> I had a few beers already, so hardcore networking isn't ON atm aaronorosen2, sorry.
16:41 < aaronorosen2> |Mike|: do you mind if i ask anyways i think i'm doing something silly this is my first time setting up openvpn. 
16:41 < |Mike|> sure :)
16:42 < aaronorosen2> Ok here is my bridge_start scripted with all the info filled in also with the output of my ifconfig http://pastebin.com/vzKsR3yR
16:43 < aaronorosen2> |Mike|: When i run that and then i setup the iptables rules my internet doesn't work 
16:44 < aaronorosen2> |Mike|: one sec let me try this again i may disconnect 
16:45 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has quit [Quit: Leaving.]
16:45 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has joined ##openvpn
16:45 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
16:46 < aaronorosen2> |Mike|: Here is also the output of my iptables though i'm not sure if they are right since they say nothing about br0 which i think may be my problem http://pastebin.com/WN5ucEPy
16:46 < aaronorosen2> Does that look right? 
16:46 < |Mike|> aaronorosen2: doesn't fedora use something like /etc/network/interfaces to set bridges up?
16:46 < |Mike|> instead of dot slashing that script manually..
16:47 < aaronorosen2> |Mike|: I really want to get this setup on debian but i was trying this on fedora because of that error message i was getting. 
16:47 < |Mike|> then install debian hehe
16:48 < |Mike|> but why would you like to bridge anyway?
16:48 < aaronorosen2> |Mike|: I have debian installed. Do i want to set this bridge up in /etc/network/interfaces for debian instead of this script?
16:48 < aaronorosen2> |Mike|: Ineed to beable to pass layer 2 traffic though this vpn
16:49 < rob0> Okay, I'm curious. Why do you need layer 2 traffic besides for DHCP?
16:50 < aaronorosen2> rob0: I'm working on this thing called openflow (http://www.openflowswitch.org/) and that uses layer2 traffic. I want to setup this vpn so that i can put people on this "Openflow" network with out being physically on it. 
16:50 < vpnHelper> Title: The OpenFlow Switch Consortium (at www.openflowswitch.org)
16:51 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Ping timeout: 240 seconds]
16:52 < aaronorosen2> |Mike|: Does my iptables output look right? 
16:52 < aaronorosen2> rob0: make sense? 
16:53 < rob0> Probably so.
16:54 < aaronorosen2> rob0: after i create that bridge my internet stops working though. Any idea why? 
16:54 < |Mike|> aaronorosen2: yeah, you accept all :p
16:55 < aaronorosen2> |Mike|: i pasted this in iptables -A INPUT -i tap0 -j ACCEPT
16:55 < aaronorosen2> iptables -A INPUT -i br0 -j ACCEPT
16:55 < aaronorosen2> iptables -A FORWARD -i br0 -j ACCEPT
16:55 < |Mike|> aaronorosen2: yep, you create a bridge which resets your eth0 interface due the br add command :)
16:55 < |Mike|> (chicken egg issue)
16:56 < aaronorosen2> |Mike|: Ok i'm going to run bridge_start and then re input these rules? 
16:56 < rob0> Bridging is tricky, sure, a lot of things can go wrong. Also iptables rules are evaluated in linear fashion, so if you DROP/REJECT a packet before your ACCEPT rules, it's gone.
16:56 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
16:56 < aaronorosen2> rob0: So i should run iptables -F first? 
16:57 < |Mike|> I'm to ..... beerish to answere that question hehe, rob0 is still sober i guess :)
16:57 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
16:57 < rob0> As /topic says ... "Your problem is your firewall, really."
16:58 < |Mike|> rob0: ++ :d
16:59 < aaronorosen2> rob0: after inputting those iptable rules its still saying source ALL and not br0 and tap0 i've already started the bridge and br0 and tap0 are interfaces that are up. 
17:02 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit [Ping timeout: 268 seconds]
17:03 < aaronorosen2> when i run iptables -L should it say something differently from what i have ? 
17:07 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
17:09 < aaronorosen2> Here is the output when i run iptables -L -n -v http://pastebin.com/utQkSnGc
17:11 < rob0> Okay, I don't see how that firewall could block anything.
17:12 < aaronorosen2> rob0: right now the internet is broken on that box after starting up the bridge. Thats pretty much where i am stuck 
17:13 < aaronorosen2> rob0: could this be a problem with my /etc/interface/network file? 
17:17 < aaronorosen2> Here is the output of that file http://pastebin.com/JEqFdBhZ
17:18 < aaronorosen2> idk i'm kinda stuck here i'm just guessing at this point. 
17:21 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Read error: Connection reset by peer]
17:27 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
17:29 < aaronorosen2> Here is the output of my ifconfig after running bridge_start http://pastebin.com/YA8ULE31
17:33 < aaronorosen2> Any one around >_< 
17:34 < aaronorosen2> ls
17:45 < aaronorosen2> Is the web interface to configure openvpn free? 
17:45 < aaronorosen2> Perhaps i'll give that a shot
17:45 -!- troy- [929a372812@bgp4.us] has quit [Ping timeout: 248 seconds]
17:51 < vpnguy> aaronorosen2 disable your firewall
17:51 < aaronorosen2> vpnguy: How do i do this sorry? 
17:51 < aaronorosen2> vpnguy: iptables -F ? 
17:52 < vpnguy> what is your OS ?
17:52 < aaronorosen2> Debian lenny
17:52 < aaronorosen2> vpnguy: here is the output of my iptables http://pastebin.com/AX7NwpjN
17:53 < aaronorosen2> For some reason running -L vs -L -v -n yeild different results. 
17:53 < vpnguy> are you using firestarter ?
17:54 < aaronorosen2> vpnguy: not that i know off. I just ran ps -eaf | grep fire and nothing was returned
17:54 < aaronorosen2> vpnguy: no i'm not
17:54 < vpnguy> sudo apt-get install firestarter
17:55 < |Mike|> what the hell is firewstarter ?
17:55 < aaronorosen2> vpnguy: you want me to install all that stuff? 
17:57 < aaronorosen2> |Mike|: I think its a firewall programming that has a gui thats is a wrapper for iptables but i'm not sure. 
17:57  * |Mike| adores 'ferm'
17:58 < aaronorosen2> vpnguy: ?
17:59 < vpnguy> yes it is
17:59 < aaronorosen2> vpnguy: you want me to install this? 
18:00 < rob0> "22:11 < rob0> Okay, I don't see how that firewall could block anything." This time the problem is NOT the firewall. Wild goose chases can be fun, but by definition, not productive.
18:01 < rob0> You *did* bring up the bridge before the VPN, right? And then add the tap interface thereto?
18:01 < aaronorosen2> rob0: I did
18:01 < aaronorosen2> rob0: I brought up the bridge then i inputed those iptables. I did not bring up the VPN. 
18:02 < aaronorosen2> rob0: I'm rebooting the box (just for the hell of it) and i'm going to try this again. 
18:02 < |Mike|> rebooting is not a solution.
18:03 < rob0> Does the bridge work with just the ethernet interface?
18:03 < aaronorosen2> rob0: What do you mean? Here is the output of ifconfig after i run the bridge_start script. http://pastebin.com/YA8ULE31
18:04 < rob0> and everything is fine with the bridge up?
18:04 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has left ##openvpn []
18:04 -!- aaronorosen3 [~arosen@130.127.255.224] has joined ##openvpn
18:05 < aaronorosen3> Opps sorry i got disconnected I didn't miss anything right? 
18:05 < rob0> 23:04 < rob0> and everything is fine with the bridge up?
18:05 < |Mike|> 2010/04/05 00:53:04 < aaronorosen2> rob0: What do you mean? Here is the output of ifconfig after i run the bridge_start script. http://pastebin.com/YA8ULE31
18:05 < |Mike|> 2010/04/05 00:53:30 < rob0> and everything is fine with the bridge up?
18:06 < rob0> Mike's system clock is ~11 minutes slow :)
18:06  * |Mike| knows about hat
18:06 < |Mike|> *that
18:06 < aaronorosen3> rob0: I just can't get out to the internet on my box so i can't continue with configuring the VPN
18:06 < |Mike|> I blame the secure level of this freebsd box :P
18:08 < aaronorosen3> I'm sorry i feel like i'm asking the same question over and over... 
18:08 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has quit [Ping timeout: 248 seconds]
18:09 < aaronorosen3> Should I try to configure this using the web gui or no? 
18:09 < |Mike|> I still don't get why you want to build a bridge imho.
18:10 < aaronorosen3> |Mike|: is there any way to do layer2 with out setting up a bridge? 
18:14 < rob0> Aaron does seem to need a bridge to do what he wants.
18:16 < rob0> Anyway, it's narrowed down now. You need to find out how to get your OS working and connecting to the network through the bridge before messing with adding the VPN in.
18:18 < aaronorosen3> rob0: I just rebooted and for some reason the bridge came up automatically any idea why? 
18:19 < aaronorosen3> rob0: i guess becuase openvpn started too 
18:19 < aaronorosen3> rob0: should my computer now be sending traffic out br0 ? Is there anything i need to change to make that happen? 
18:21 < |Mike|> 1; no, 2; see 1 3; test it out :)
18:21 < rob0> You're getting into Debian configuration territory, and I am not a Debian user. Maybe you will find some kind of documentation from Debian.
18:22 < aaronorosen3> rob0: debian documentation for creating bridges? 
18:22 < rob0> right
18:22 < aaronorosen3> rob0 kk i'll check into that what OS do you use? 
18:22 < rob0> Slackware.
18:23 < |Mike|> lol
18:23 < |Mike|> Debian bridges aren't that horrid tho.
18:23 < aaronorosen3> alright i'm going to call it quits for now and get some dinner. Thanks for your help guys. 
18:23 < rob0> good luck
18:27 < aaronorosen3> rob0: last quick question. So i have two eth cards in this box. I just hooked up the other one just incase i break the internet on this box so i can still get to it. I want to setup the bridge on eth2. Is there any way to test the connection on eth2? Since it seems like it goes though eth1 if eth2 goes down? 
18:31 < |Mike|> STP ?
18:32 -!- aaronorosen3 [~arosen@130.127.255.224] has quit [Ping timeout: 260 seconds]
18:32 < |Mike|> wireshark or tcpdump :p
18:34 < rob0> Just as with any VPN use, you have to understand IP routing.
19:07 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has quit [Ping timeout: 276 seconds]
19:07 -!- troy- [80d389ee64@bgp4.us] has joined ##openvpn
19:39 -!- sanderj_ [~sanderj@195.204.103.72] has quit [Ping timeout: 265 seconds]
19:45 -!- sanderj_ [~sanderj@195.204.103.72] has joined ##openvpn
19:46 -!- dvrcoder [~asdfasd@77-58-85-244.dclient.hispeed.ch] has left ##openvpn []
19:47 < sp0tteh> Hey, simple question: does openvpn (with freeradius) support sending Interim-Update with the accounting info? meaning updating the radacct table with user usage / session time at reglar intervals. cheers
20:02 -!- aaronorosen2 [~arosen@host-69-59-112-98.nctv.com] has joined ##openvpn
20:04 < aaronorosen2> Hello, I'm trying to setup a bridged ethernet. I've just run bridge-start (after configuing it) and I've inputted the following iptable rules iptables -A INPUT -i tap0 -j ACCEPT, iptables -A INPUT -i br0 -j ACCEPT, iptables -A FORWARD -i br0 -j ACCEPT but now after doing that my internet no longer works. (I'm running Fedora 12)
20:05 < aaronorosen2> Interestingly i can ssh into the box though but i can't ping out? 
20:15 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
20:17 < aaronorosen2> Ah i think i found the problem. The bridge-start doesn't set a gateway for the br0 device? 
20:22 -!- tjz [~pc@bb116-14-138-11.singnet.com.sg] has joined ##openvpn
20:22 -!- tjz [~pc@bb116-14-138-11.singnet.com.sg] has quit [Changing host]
20:22 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:48 -!- aaronorosen2 [~arosen@host-69-59-112-98.nctv.com] has quit [Quit: Leaving.]
20:49 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has joined ##openvpn
20:51 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has quit [Client Quit]
21:02 -!- caaok [caaok@85.17.200.211] has joined ##openvpn
21:03 < caaok> !welcome
21:03 < vpnHelper> caaok: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:04 < caaok> !redirect
21:04 < vpnHelper> caaok: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
21:06 < caaok> Hmm, well in any case I have a quick question guys. I have a bridged OpenVPN connection set up between a dedicated server and my home computer. The server starts successfully and the client is able to connect to the server. However, when I attempt to browse the internet, I can't access the web. I have push redirect-gateway and push DNS <my server's DNS nameserver> set in my server.conf file. Any thoughts?
21:06 < caaok> Sorry, push dhcp-option DNS <etc> I should say
21:08 -!- iateadonut [~dan@123.235.86.70] has joined ##openvpn
21:09 < iateadonut> how do i turn on openvpn on my server without it turning off once i kill the ssh connection between me and the server?
21:17 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has joined ##openvpn
21:19 -!- caaok [caaok@85.17.200.211] has quit [Remote host closed the connection]
21:20 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
21:21 -!- caaok [caaok@85.17.200.211] has joined ##openvpn
21:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
21:35 -!- aaronorosen [~arosen@host-69-59-112-98.nctv.com] has joined ##openvpn
21:38 < aaronorosen> I just configured a  vpn using openvpn and i have a client connected to the vpn with the ip address 130.127.60.118. I'm wondering why I can not ssh to that clients ip address that the vpn assigned it?  I can ssh to it via its other interface ip address. (Both of these computers are on the same lan)
21:42 -!- caaok [caaok@85.17.200.211] has quit [Quit: Leaving]
21:52 -!- DarthGandalf|BNC is now known as DarthGandalf
22:01 < iateadonut> aaron you might know this: how do i turn on openvpn on my server without it turning off once i kill the ssh connection between me and the server?
22:04 < mwheeler> iateadonut: run it as a daemon, background it, or run it inside screen
22:17 -!- iateadonut [~dan@123.235.86.70] has quit [Ping timeout: 258 seconds]
22:19 < aaronorosen> I've added the following line to my server.conf and restarted both server and clients.  push "redirect-gateway def1"  Though for some reason the clients are still not passing any traffic though the tun0 device
22:20 < aaronorosen> Also the output from ifconfig looks kind of funny. Is there a reason why for my tun0 device P-t-P is 255.255.255.224 ? and mask is 255.255.255.255 ?
22:21 < aaronorosen> The P-t-P seems like its may network mask on the other side of the network (I setup bridging since i need layer 2 as well)
22:41 -!- aaronorosen [~arosen@host-69-59-112-98.nctv.com] has quit [Ping timeout: 240 seconds]
22:42 -!- Zordrak [~jaz@87-194-141-163.bethere.co.uk] has quit [Ping timeout: 246 seconds]
22:42 -!- aaronorosen [~arosen@host-69-59-112-98.nctv.com] has joined ##openvpn
22:43 -!- Zordrak [~jaz@87-194-141-163.bethere.co.uk] has joined ##openvpn
23:01 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has joined ##openvpn
23:02 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
23:04 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Client Quit]
23:19 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
23:55 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
--- Day changed Mon Apr 05 2010
00:13 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
00:40 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has joined ##openvpn
00:48 -!- DrPepper [~DrPepper@88.207.192.171] has quit [Quit: Leaving...]
00:53 -!- eradiate [~eradiate@pool-96-255-191-252.washdc.fios.verizon.net] has quit [Ping timeout: 260 seconds]
00:55 -!- eradiate [~eradiate@pool-173-73-104-50.washdc.fios.verizon.net] has joined ##openvpn
01:06 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
01:13 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Read error: Operation timed out]
01:14 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
01:14 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has joined ##openvpn
01:29 -!- unimatrix [~unimatrix@93-103-14-47.static.t-2.net] has joined ##openvpn
01:30 < unimatrix> !welcome
01:30 < vpnHelper> unimatrix: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:31 < unimatrix> !route
01:31 < vpnHelper> unimatrix: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
01:32 < unimatrix> no that's not it
01:32 < unimatrix> !interface
01:32 < vpnHelper> unimatrix: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
01:32 < unimatrix> !iporder
01:32 < vpnHelper> unimatrix: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
01:33 < unimatrix> !howto
01:33 < vpnHelper> unimatrix: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
01:35 < unimatrix> Bridging advantages: "No route statements to configure."
01:35 < unimatrix> yeah right
01:38 < unimatrix> !bridging
01:38 < vpnHelper> unimatrix: Error: "bridging" is not a valid command.
01:38 < unimatrix> !bridge
01:38 < vpnHelper> unimatrix: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for anything where the protocol uses MAC addresses instead of IP
01:38 < vpnHelper> unimatrix: addresses. (but not samba, see !wins)
01:50 < unimatrix> what interface should i bridge to on my router
01:50 < unimatrix> internal or external
01:50 < unimatrix> (eth0/eth1)
01:58 -!- unimatrix [~unimatrix@93-103-14-47.static.t-2.net] has quit [Remote host closed the connection]
01:59 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
01:59 -!- DarthGandalf is now known as DarthGandalf|BNC
02:00 -!- DrPepper [~DrPepper@88.207.192.171] has joined ##openvpn
02:03 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Remote host closed the connection]
02:03 -!- unimatrix [~unimatrix@93-103-14-47.static.t-2.net] has joined ##openvpn
02:06 < unimatrix> why does bridging screw up my routes?
02:13 -!- oc80z [oc80z@blea.ch] has quit [Quit: ZNC - http://znc.sourceforge.net]
02:17 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X Button]
02:31 < vpnguy> hello
02:37 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
02:37 -!- mode/##openvpn [+o mattock] by ChanServ
02:48 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
02:49 < vpnguy> I cannot ping the VPN server
02:51 < vpnguy> but I can get an IP address from the server
02:52 < vpnguy> my firewall is disabled
02:52 < vpnguy> could it be my interfaces ?
02:52 < vpnguy> network interfaces ?
03:00 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has quit [Ping timeout: 245 seconds]
03:10 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
03:15 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
03:15 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined ##openvpn
03:47 -!- ScriptFanix [vincent@2001:910:100b::1] has quit [Quit: coin]
03:47 -!- ScriptFanix [vincent@2001:910:100b::1] has joined ##openvpn
03:56 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit [Ping timeout: 265 seconds]
04:12 -!- master_of_master [~master_of@p57B53E58.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
04:14 -!- master_of_master [~master_of@p57B55354.dip.t-dialin.net] has joined ##openvpn
04:29 -!- floh1111 [~floh1111@host-091-097-087-212.ewe-ip-backbone.de] has joined ##openvpn
04:40 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has joined ##openvpn
04:41 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has quit [Client Quit]
04:41 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has joined ##openvpn
04:41 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
04:52 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
04:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:01 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit [Quit: Leaving]
05:18 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 265 seconds]
05:20 -!- DarthGandalf|BNC is now known as DarthGandalf
05:23 -!- DrPepper [~DrPepper@88.207.192.171] has quit [Quit: Leaving...]
05:45 -!- dug` [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
05:45 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Read error: Connection reset by peer]
05:48 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:24 -!- Xanthaos [~sacreddel@66-191-193-093.dhcp.spbg.sc.charter.com] has quit [Quit: .::S e c r e t s - o f - W a r::. ¤ZoMBiE¤ Sc®ïþt 2.2 .ßý. xom[b] .::[http://otai.cjb.net/]::.]
06:28 -!- floh1111 [~floh1111@host-091-097-087-212.ewe-ip-backbone.de] has quit [Remote host closed the connection]
06:33 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
07:10 -!- DarthGandalf is now known as DarthGandalf|BNC
07:24 -!- sanderj_ [~sanderj@195.204.103.72] has quit [Ping timeout: 260 seconds]
07:31 -!- sparch [~sparch@pdpc/supporter/active/sparch] has joined ##openvpn
07:31 -!- sparch [~sparch@pdpc/supporter/active/sparch] has left ##openvpn []
07:33 -!- DrPepper [~DrPepper@vodsl-10428.vo.lu] has joined ##openvpn
07:41 -!- sanderj_ [~sanderj@195.204.103.72] has joined ##openvpn
07:43 -!- sanderj_ [~sanderj@195.204.103.72] has quit [Max SendQ exceeded]
07:49 -!- sanderj_ [~sanderj@195.204.103.72] has joined ##openvpn
08:03 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
08:04 -!- mode/##openvpn [+o mattock] by ChanServ
08:05 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Remote host closed the connection]
08:08 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:09 -!- sanderj_ [~sanderj@195.204.103.72] has quit [Ping timeout: 264 seconds]
08:18 -!- kira_sama [~chatzilla@16.104.181.58.dynamic.max.com.pk] has joined ##openvpn
08:19 < kira_sama> hey guys - if i have 2 separate openvpn servers running (but with same users), is it okay for me to copy crl.pem to the other server as needed? 
08:19 < theDoc> Sure, why not?
08:20 < kira_sama> for some reason, when i copy my crl.pem from one server of mine to the other, the target server then starts refusing connections from all certs (not just the ones revoked)
08:21 < ecrist> you need to be able to verify the crl, kira_sama 
08:21 < ecrist> that requires access to the same ca certificate
08:21 < kira_sama> ecrist: so bottom line is that i need to ensure that the ca cert is the same for both ?
08:22 < theDoc> Well, you can copy the certs over, it should work just fine.
08:22 < ecrist> kira_sama: yes
08:22 < kira_sama> theDoc, ecrist: cool, i'll see if that makes a difference - seems likely it'll fix the problem.
08:23 < kira_sama> thanks for the tip guys
08:23 < ecrist> np
08:29 -!- sanderj [~sanderj@195.204.103.72] has joined ##openvpn
08:32 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit [Ping timeout: 258 seconds]
08:33 -!- sanderj [~sanderj@195.204.103.72] has quit [Max SendQ exceeded]
08:36 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:43 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
08:50 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
08:50 -!- sanderj [~sanderj@195.204.103.72] has joined ##openvpn
08:55 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
08:57 -!- sanderj [~sanderj@195.204.103.72] has quit [Max SendQ exceeded]
09:00 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
09:00 -!- kira_sama [~chatzilla@16.104.181.58.dynamic.max.com.pk] has left ##openvpn []
09:12 -!- VirusTB [~VirusTB@thetouch.demon.nl] has joined ##openvpn
09:18 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
09:20 -!- sanderj [~sanderj@195.204.103.72] has joined ##openvpn
09:29 -!- sanderj [~sanderj@195.204.103.72] has quit [Max SendQ exceeded]
09:31 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
09:42 -!- sanderj [~sanderj@195.204.103.72] has joined ##openvpn
09:48 -!- sanderj [~sanderj@195.204.103.72] has quit [Max SendQ exceeded]
09:55 -!- AzaToth [~azatoth@wikipedia/AzaToth] has joined ##openvpn
09:57 < AzaToth> dunno if I should ask thois question here or at dnsmasq. It's so I have setup a tunnel to work, and enabled in dnsmasq to have specific domains both at work and at home; Most works except I can't access the vpn servers directly via server.work/home, which I can do with ll other boxen on the networks.  is this a commin issue among noobs like me?
09:57 < AzaToth> common*
10:02 < AzaToth> config is approx http://paste.debian.net/67551/
10:03 < AzaToth> i.e. from home to get to the local router I need to do "ssh client.localdomain", and the same on work to get to the work router
10:04 < AzaToth> on the reverse, I need to type out the IP for the work router from home, as I can't access it via host name at all :(
10:04 < AzaToth> and same from work to access home router
10:04 -!- sanderj [~sanderj@195.204.103.72] has joined ##openvpn
10:04 < AzaToth> the rest works fine
10:05 < AzaToth> wery well..
10:05 < AzaToth> !welcome
10:05 < vpnHelper> AzaToth: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:05 < AzaToth> !route
10:05 < vpnHelper> AzaToth: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:06 < AzaToth> been there ,done that ツ
10:06 < AzaToth> have an iroute to the client fyi
10:06 < AzaToth> the routing aint the problem, so perhaps it's not yuur issue
10:07 < AzaToth> you think I sohuld poke the dnsmasq folks instead?P
10:11 -!- sanderj [~sanderj@195.204.103.72] has quit [Max SendQ exceeded]
10:15 -!- cwillu_at_work [~cwillu@cwillu.com] has quit [Remote host closed the connection]
10:16 < rob0> Use dig(1) to test name resolution from each end. Pastebin that output if you don't get it.
10:19 < AzaToth> ok
10:25 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
10:28 -!- sanderj [~sanderj@195.204.103.72] has joined ##openvpn
10:31 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:38 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has joined ##openvpn
10:38 -!- AzaToth [~azatoth@wikipedia/AzaToth] has quit [Ping timeout: 276 seconds]
10:39 < aaronorosen2> Hello, i'm setting up openvpn to use a bridge and i'm trying to set it up such that, " configure the DHCP server on the LAN to also grant IP address leases to VPN clients."
10:39 < aaronorosen2> Does anyone know where this documentation lives? I only see documentation which lets OpenVPN manage its own client IP address pool using the server-bridge
10:42 -!- AzaToth [~azatoth@wikipedia/AzaToth] has joined ##openvpn
10:43 < aaronorosen2> I found it. http://openvpn.net/index.php/open-source/faq.html#bridge-addressing
10:43 < vpnHelper> Title: FAQ (at openvpn.net)
10:45 < AzaToth> rob0: http://paste.debian.net/67556/
10:45 < AzaToth> (had fogottenly mistyped an iroute before) *hides*
10:46 < AzaToth> "kangaroo" is ther work server, and "bubba" is the home server
10:47 < rob0> still not clear on what the desired result is, I suppose that the NXDOMAIN names should resolve ...
10:48 < rob0> azabox is authoritative for excito. ? And bubba-work for carl. ?
10:48 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has quit [Ping timeout: 260 seconds]
10:49 < aaronorosen2> rob0: you were helping me yesterday. I figured out the problem i was having was because I didn't have a route set to the gateway on my br0 interface after it was configured 
10:49 < rob0> simply use server=... directives on each end to refer to the remote's dnsmasq
10:49 -!- sanderj [~sanderj@195.204.103.72] has quit [Ping timeout: 258 seconds]
10:49 < rob0> Aaron, yes, I saw that.
10:50 < aaronorosen2> rob0: I want to configure the DHCP server on the LAN to also grant IP address leases to VPN clients. From reading the documentation it seems like i only need to add "mode server" http://openvpn.net/index.php/open-source/faq.html#bridge-addressing ?
10:50 < vpnHelper> Title: FAQ (at openvpn.net)
10:51 < rob0> I think you simply need to run the DHCP client with appropriate options in the client's --up script.
10:51 < rob0> taking care, of course, NOT to trash the existing default route
10:51 < SerajewelKS> aaronorosen2: openvpn doesn't need to know about the dhcp server, just don't use the ifconfig-pool or whatever directive, otherwise openvpn essentially runs its own dhcp server
10:52 < rob0> this sort of thing has been discussed quite a bit recently on the openvpn-devel list.
10:52 < rob0> (Feb-Mar 2010)
10:52 < AzaToth> hmm
10:52 < rob0> James/OpenVPN wants it to work out of the box for any OS.
10:53 < aaronorosen2> SerajewelKS: I want openvpn to use the DHCP server on my lan. I need to pass layer 2 traffic as well 
10:53 < SerajewelKS> aaronorosen2: right, then a pure bridged setup is all you need
10:53 < SerajewelKS> aaronorosen2: what platform are your clients?
10:54 < aaronorosen2> SerajewelKS: Ok i have a bridge setup. Here is the output of ifconfig http://pastebin.com/UTRC8Yv8
10:54 < aaronorosen2> SerajewelKS: Well mostly all linux but i guess there could be some windows. 
10:54 < AzaToth> rob0: I'm simply using the server directive on each ends
10:55 < AzaToth> or do you mean each client on each lan should have each ends dns server in it's resolve?
10:55 < SerajewelKS> aaronorosen2: what is the problem you are having?
10:55 < aaronorosen2> SerajewelKS: I used that bridge_start script to set this up after filing in the information. 
10:56 < rob0> AzaToth: maybe wrong IP. Looks like the VPN IPs are  10.8.x.x
10:56 < aaronorosen2> SerajewelKS: What do i have to change in the server.conf file so that it uses the dhcp server on the lan? I've changed it to use dev tap 
10:56 < rob0> try a directed dig query, "dig whatever @10.8.x.x"
10:56 < SerajewelKS> aaronorosen2: you don't have to change anything
10:57 < SerajewelKS> aaronorosen2: DHCP requests are broadcasts and will traverse the bridge as though it were a switch
10:57 < aaronorosen2> SerajewelKS: I do have to change tun to tap right? 
10:57 < SerajewelKS> aaronorosen2: yes, that does a lot more than "use the DHCP server on the lan"
10:58 < AzaToth> rob0: true
10:58 < SerajewelKS> aaronorosen2: you will likely have to change a lot more of your config.  but without knowing what your config is -- surprise! -- we can't help.
10:58 < AzaToth> but I don't want to care about the "vpn" ips
10:58 < AzaToth> I have 192.168.20.* at home and 192.168.37.* at work
10:59 < AzaToth> I've seen the VPN ip:s more of some openvpn internal affair
10:59 < aaronorosen2> SerajewelKS: Here is my server.conf http://pastebin.com/qbxWbQEv 
11:00 < aaronorosen2> SerajewelKS: right now my client got the ip address addr:10.8.0.2 which is not from the dhcp server on the vpn's side. 
11:01 < aaronorosen2> SerajewelKS: do i need to change "server 10.8.0.0 255.255.255.0" to be what my lan is?  "server 130.127.60.103 255.255.255.224" ?
11:01 < SerajewelKS> aaronorosen2: no
11:01 < SerajewelKS> aaronorosen2: you need to not use "server" at all, because this essentially sets up another dhcp server in the openvpn process
11:01 < aaronorosen2> SerajewelKS: my dhcp server hands out 130.127 addresses
11:01 < SerajewelKS> aaronorosen2: you need "mode server" and *NO* "server" line at all
11:02 < aaronorosen2> SerajewelKS: so just add "mode server" to the top of server.conf? 
11:02 < SerajewelKS> aaronorosen2: openvpn will be acting as a switch port.  switch ports don't care about ip addresses.  so your openvpn config doesn't need to know about them either.
11:02 < aaronorosen2> Should i comment out that "server 10.8.0.0. 255.255.255.0" line? 
11:02 < SerajewelKS> aaronorosen2: yes to both
11:02 < aaronorosen2> SerajewelKS: thanks let me try this out :D
11:03 < SerajewelKS> aaronorosen2: you don't need ifconfig-pool-persist either
11:03 < aaronorosen2> SerajewelKS: when i go to restart openvpn service i'm getting the following Starting virtual private network daemon: server failed!
11:03 < aaronorosen2> is there a log somewhere to tell me what is wrong? 
11:04 < SerajewelKS> aaronorosen2: which distro?
11:04 < aaronorosen2> debian
11:04 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
11:04 < SerajewelKS> aaronorosen2: i find it's easier to debug by cding to /etc/openvpn and running "openvpn --config server.conf"
11:04 < SerajewelKS> aaronorosen2: then you get messages right on the terminal you run it from
11:05 < aaronorosen2> Options error: --mode server requires --tls-server
11:05 < SerajewelKS> so add tls-server
11:05 < aaronorosen2> gotcah
11:05 < SerajewelKS> it looks like you are already using ca/etc directives
11:06 < SerajewelKS> so you are set up to run a tls server, it just doesn't know that's what you want
11:07 < aaronorosen2> SerajewelKS: here is the output of openvpn ./client.conf  but when i do ifconfig it doesn't seem to be creating a tap0 dev http://pastebin.com/M7X3Q8UM
11:08 -!- sanderj [~sanderj@195.204.103.72] has joined ##openvpn
11:10 < SerajewelKS> aaronorosen2: pastebin the output of "ip link"
11:10 < aaronorosen2> SerajewelKS:  this is from the client http://pastebin.com/0aueVeB0
11:12 -!- sanderj [~sanderj@195.204.103.72] has quit [Max SendQ exceeded]
11:12 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
11:12 < aaronorosen2> SerajewelKS: should i bring the tap0 interface up? 
11:14 < aaronorosen2> SerajewelKS: it looks like i may want to uncomment server-bridge in the server.conf as well? 
11:26 < aaronorosen2> SerajewelKS: you still there? 
11:33 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
11:34 -!- Lilarcor [~Lilarcor@ip70-187-168-252.oc.oc.cox.net] has joined ##openvpn
11:39 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has quit [Quit: Leaving.]
11:39 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has joined ##openvpn
11:42 -!- sanderj [~sanderj@195.204.103.72] has joined ##openvpn
11:42 -!- sparch [~sparch@pdpc/supporter/active/sparch] has joined ##openvpn
11:42 -!- sparch [~sparch@pdpc/supporter/active/sparch] has left ##openvpn []
11:44 < SerajewelKS> aaronorosen2: sorry, yes, i'm at work
11:44 < SerajewelKS> aaronorosen2: so i might not always reply right away
11:45 -!- Lilarcor [~Lilarcor@ip70-187-168-252.oc.oc.cox.net] has quit [Quit: The Lord of Murder Shall Perish.]
11:45 < SerajewelKS> aaronorosen2: no, you don't want to uncomment server-bridge
11:45 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has quit [Ping timeout: 248 seconds]
11:49 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has joined ##openvpn
11:51 < aaronorosen2> Hello, could someone help me with my server.conf file? I want have my vpn clients get their ipaddress from the dhcp server on the vpn side. I've already configured my network interface to be bridged on my vpn side. 
11:54 < SerajewelKS> aaronorosen2: i responded to you
11:55 < SerajewelKS> aaronorosen2: you will need to create a client "up" script that will bring up the interface and run a dhcp client
11:56 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has quit [Ping timeout: 245 seconds]
11:56 < SerajewelKS> -_-
11:57 -!- VirusTB_ [~VirusTB@thetouch.demon.nl] has joined ##openvpn
11:57 -!- VirusTB_ [~VirusTB@thetouch.demon.nl] has quit [Client Quit]
11:59 -!- VirusTB [~VirusTB@thetouch.demon.nl] has quit [Ping timeout: 276 seconds]
12:00 -!- aaronorosen2 [~arosen@130.127.255.224] has joined ##openvpn
12:01 < SerajewelKS> aaronorosen2: if you want our help you need to stick around for more than 5 seconds after asking your questions
12:03 < rob0> 15:51 < rob0> I think you simply need to run the DHCP client with appropriate options in the client's --up script. 15:51 < rob0> taking care, of course, NOT to trash the existing default route
12:04 < rob0> SerajewelKS gave basically the same answer an hour later
12:06 < rob0> Aaron, do note, I'm only going to give high level answers, and not try to do your work for you. Some might, but IMO that's not a good thing for you nor for the community.
12:16 -!- aaronorosen2 [~arosen@130.127.255.224] has quit [Quit: Leaving.]
12:16 -!- aaronorosen2 [~arosen@130.127.255.224] has joined ##openvpn
12:37 -!- aaronorosen2 [~arosen@130.127.255.224] has quit [Ping timeout: 264 seconds]
12:38 -!- sparch [~sparch@pdpc/supporter/active/sparch] has joined ##openvpn
12:39 -!- sparch [~sparch@pdpc/supporter/active/sparch] has left ##openvpn []
12:52 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has joined ##openvpn
13:02 -!- sparch [~sparch@pdpc/supporter/active/sparch] has joined ##openvpn
13:02 -!- sparch [~sparch@pdpc/supporter/active/sparch] has left ##openvpn []
13:05 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has joined ##openvpn
13:26 -!- meero [~google@41-123-207-85.morava.adsl-llu.static.bluetone.cz] has joined ##openvpn
13:31 < meero> how to create certificates, when i allready have CA file from previous creation?
13:34 -!- DrPepper [~DrPepper@vodsl-10428.vo.lu] has quit [Ping timeout: 245 seconds]
13:37 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
13:37 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
13:42 < hyper_ch> !howto
13:42 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:50 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
13:50 -!- mode/##openvpn [+o mattock] by ChanServ
13:52 -!- DrPepper [~DrPepper@88.207.192.171] has joined ##openvpn
14:06 < aaronorosen2> Would anyone mind looking at my server.conf http://pastebin.com/T7ijXRfJ for some reason my clients are not creating a tap0 interface
14:08 < aaronorosen2> Here is the output of both my client and server http://pastebin.com/BcEHUi9h
14:11 < meero> vpnHelper : in what section i can find that info?
14:11 < vpnHelper> meero: Error: ":" is not a valid command.
14:22 < ecrist> meero: search the document on how to create certificates.
14:28 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
14:28 < aaronorosen2> vpnHelper: I have my vpn up and running. I've set up my server-bridge 130.127.60.108 255.255.255.224 130.127.60.120 130.127.60.123 and when my client connects he gets 130.127.60.120. For some reason tough my clients are unable to ping the server 130.127.60.108? 
14:28 < vpnHelper> aaronorosen2: Error: "I" is not a valid command.
14:29 < aaronorosen2> lol vpnhelper is a box nvm
14:29 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:29 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit [Ping timeout: 246 seconds]
14:30 < aaronorosen2>  I have my vpn up and running. I've set up my server-bridge 130.127.60.108 255.255.255.224 130.127.60.120 130.127.60.123 and when my client connects he gets 130.127.60.120. For some reason tough my clients are unable to ping the server 130.127.60.108? 
14:31 < aaronorosen2> Could this be because its doing arp quries for 130.127.60.108 and doesn't know how to get there? 
14:40 -!- meero [~google@41-123-207-85.morava.adsl-llu.static.bluetone.cz] has quit [Read error: Connection reset by peer]
14:40 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
14:41 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
14:43 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
14:43 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
14:43 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
14:46 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
14:46 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
14:46 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
14:49 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
14:49 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
14:52 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
14:52 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
14:54 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has left ##openvpn []
15:04 -!- jfkw [~jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Ping timeout: 264 seconds]
15:09 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
15:09 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
15:17 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
15:19 < |Mike|> HARRRRRRRRRRRRRRRRR !
15:23 < aaronorosen2> |Mike|: would you have a sec to help me out with my openvpn configuration? 
15:24 < aaronorosen2> I have my bridge configured correctly but i'm not passing layer 2 traffic correctly. 
15:24 < aaronorosen2> I want to configure my vpn such that the ip addresses are handed out from the dhcp server on the lan but i'll setting for server-bridge. 
15:25 < aaronorosen2> I have server-bridge configured right now and that hands me an ipaddress but for some reason i can't ping anything on the network of the ipaddress that it gives me. 
15:26 < |Mike|> firewall?
15:29 < aaronorosen2> |Mike|: Here is the output from iptables -L -n -v http://pastebin.com/jd1Tbh9w i don't think the firewall is the problem
15:29 < aaronorosen2> |Mike|: would you mind looking at my server.conf? 
15:34 < |Mike|> aaronorosen2: sorry, im a bit in a rush at the moment.
15:37 < aaronorosen2> I'm getting this error on my server if anyone knows how to fix it. 
15:37 < aaronorosen2> Mon Apr  5 16:46:14 2010 client2/130.127.199.95:44726 MULTI: no dynamic or static remote --ifconfig address is available for client2/130.127.199.95:44726
15:46 < aaronorosen2> Does anyone know what that message means sorry ?
15:51 -!- Archeron [~wade@69.10.147.2] has joined ##openvpn
15:51 < Archeron> hello folks.
15:54 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
15:55 < aaronorosen2> SerajewelKS: before when you were helping me you told me to just put mode server in my server.conf but looking at the documentation mode server seems to be the same as server-bridge except you need to specify everything manually? 
15:57 -!- oc80z [oc80z@blea.ch] has joined ##openvpn
15:57 < aaronorosen2> Its seems like the problem i'm having is that there is never a dhcp request being sent from the client side? is that possible? 
15:59 < aaronorosen2> When using server-bridge do you have to specify anything about gateway in the configuration? 
16:01 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
16:01 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
16:07 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
16:07 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
16:08 < SerajewelKS> aaronorosen2: rob0 and i told you several times what the problem is
16:09 < SerajewelKS> aaronorosen2: linux boxen don't automatically start spamming DHCP requests when a network interface comes up -- you need to script that in your config
16:10 < aaronorosen2> SerajewelKS: When i use the server-bridge option to hand out ip addresses my client gets an ip address (130.127.60.120) but after getting that he can no longer ping 130.127.60.108. 
16:11 < aaronorosen2> SerajewelKS: So what your saying is after i use the configuration with just mode server i should call dhclient tap0 ? 
16:11 < SerajewelKS> aaronorosen2: that would be one way to do it... or pump, whatever dhcp client you like
16:13 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
16:13 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
16:13 < aaronorosen2> SerajewelKS: When i run the configuration with the mode server in it i get the following error from openvpn on the server side. MULTI: no dynamic or static remote --ifconfig address is available for client2/130.127.199.95:47422
16:13 < aaronorosen2>  
16:14 < aaronorosen2> Also tap0 is never created on the client side. 
16:14 < SerajewelKS> aaronorosen2: pastebin your client config
16:15 < SerajewelKS> aaronorosen2: that sounds like your server is still running in tun mode...
16:15 < aaronorosen2> SerajewelKS:  http://pastebin.com/VLXTJB4e
16:16 < aaronorosen2> Here is my server config http://pastebin.com/W8dS5NAK
16:22 < aaronorosen2> SerajewelKS:  Any idea? 
16:26 < SerajewelKS> aaronorosen2: reading...
16:28 < SerajewelKS> aaronorosen2: at a quick glance everything looks ok... did you restart the server since you've changed the config?
16:28 < aaronorosen2> SerajewelKS: I've been running everything with openvpn ./config_file
16:29 < aaronorosen2> SerajewelKS: When using those files i've sent you on the client side a tap interface is also never getting created. 
16:29 < aaronorosen2> If i use the bridged-server option with my ip, subnet, range. My tun0 is created but i can't access anything in that given ip range.
16:30 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
16:30 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
16:30 < aaronorosen2> For example if i use this
16:30 < aaronorosen2> server-bridge 130.127.60.108 255.255.255.224 130.127.60.118 130.127.60.120
16:30 < aaronorosen2> My tap0's ip adress will be 130.127.60.118 but then i will be unable to ping 130.127.60.108
16:33 < aaronorosen2> SerajewelKS: any idea what is going on there? (Sorry for asking so many questions i've just been stuck on this for the last 2 days)
16:36 < SerajewelKS> aaronorosen2: perhaps your interfaces are not properly bridged?
16:37 < aaronorosen2> SerajewelKS: Is there any way to test this? I used the bridge_start script to do it. 
16:37 < SerajewelKS> aaronorosen2: pastebin "ifconfig" and "brctl show" from the server
16:38 < aaronorosen2> SerajewelKS: http://pastebin.com/QLSDFYLc
16:38 < SerajewelKS> aaronorosen2: looks right
16:38 < SerajewelKS> aaronorosen2: i gotta run though, hopefully you can figure it out...
16:44 < aaronorosen2> Might i have to push a route? or a gateway? 
17:01 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
17:03 -!- ScriptFanix [vincent@2001:910:100b::1] has quit [Quit: coin]
17:03 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined ##openvpn
17:08 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has quit [Ping timeout: 246 seconds]
17:08 -!- aaronorosen3 [~arosen@eib199dhcp95.ces.clemson.edu] has joined ##openvpn
17:17 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
17:21 -!- Archeron [~wade@69.10.147.2] has left ##openvpn ["Leaving"]
17:37 -!- zambaboo [~zambaboo@adsl-99-75-177-241.dsl.sndg02.sbcglobal.net] has joined ##openvpn
17:37 < zambaboo> hi all
17:38 < zambaboo> i have a client on win7, trying to connect using openvpn gui - there is no 'connect' option when i right click the systray icon
17:38 < zambaboo> im not sure how to initialize the connection 
17:44 -!- fflush [~lrfurtado@unaffiliated/fflush] has joined ##openvpn
17:45 < fflush> !welcome
17:45 < vpnHelper> fflush: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:46 < fflush> !iporder
17:46 < vpnHelper> fflush: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
17:51 -!- aaronorosen3 [~arosen@eib199dhcp95.ces.clemson.edu] has quit [Remote host closed the connection]
18:06 -!- [mutex]_ [~portn0k@unaffiliated/mutex/x-1106097] has quit [Disconnected by services]
18:06 -!- [mutex]_ [~portn0k@unaffiliated/mutex/x-1106097] has joined ##openvpn
18:20 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has quit [Ping timeout: 258 seconds]
18:32 -!- smerz [~daniel@smerz.demon.nl] has quit [Remote host closed the connection]
18:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
19:09 -!- zambaboo [~zambaboo@adsl-99-75-177-241.dsl.sndg02.sbcglobal.net] has quit [Ping timeout: 260 seconds]
19:09 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has joined ##openvpn
19:10 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
19:17 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
19:17 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
19:21 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
19:28 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
19:28 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
19:32 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 245 seconds]
19:40 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
19:40 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
19:46 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
19:46 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
19:46 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has joined ##openvpn
19:46 < vpnguy> !welcome
19:46 < vpnHelper> vpnguy: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:47 < vpnguy> I can get an IP address but I cannot ping the server or a client in LAN, I am using ethernet bridge
19:48 < vpnguy> I activated ip_forward on the VPN Server
19:48 < vpnguy> but without any result
19:48 < vpnguy> hello
19:48 -!- tjz [~pc@bb116-14-141-53.singnet.com.sg] has joined ##openvpn
19:48 -!- tjz [~pc@bb116-14-141-53.singnet.com.sg] has quit [Changing host]
19:48 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
19:57 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
19:57 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
20:00 < vpnguy> help
20:09 -!- purifiedmadness [~jesus@c-67-177-231-60.hsd1.co.comcast.net] has quit [Quit: Leaving.]
20:13 < vpnguy> !interface
20:13 < vpnHelper> vpnguy: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
20:18 -!- zambaboo [~zambaboo@adsl-71-154-206-122.dsl.sndg02.sbcglobal.net] has joined ##openvpn
20:20 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
20:20 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
20:21 < vpnguy> please help
20:25 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
20:32 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Ping timeout: 276 seconds]
20:34 -!- AzaToth [~azatoth@wikipedia/AzaToth] has quit [Remote host closed the connection]
20:35 < vpnguy> nobody
20:53 < vpnguy> ok
21:25 < tjz> your question?
21:30 < vpnguy> I can get an IP adress but I cannot ping the server
21:32 < vpnguy> I am using ethernet bridging
21:32 < vpnguy> what 's wrong ?
21:38 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has quit [Ping timeout: 240 seconds]
21:39 < zambaboo> oh he's the vpn guy.
21:40 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
21:42 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has joined ##openvpn
21:42 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has quit [Client Quit]
21:45 -!- DarthGandalf|BNC is now known as DarthGandalf
21:53 -!- aaronorosen [~arosen@host-69-59-112-98.nctv.com] has quit [Ping timeout: 245 seconds]
22:22 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
22:48 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
23:11 -!- GBit [~nop@78-60-200-182.static.zebra.lt] has quit [Remote host closed the connection]
23:25 -!- LumberCartel [~LumberCar@24.86.160.252] has joined ##openvpn
23:26 < LumberCartel> Is there MacOS X support for OpenVPN?
23:26 < LumberCartel> ...as a client...
23:26 < rob0> !mac
23:26 < vpnHelper> rob0: "mac" is Use Tunnelblick for the Mac. (http://code.google.com/p/tunnelblick/)
23:27 < LumberCartel> Thanks rob0.
23:28 < rob0> of course the Unix source would compile there too
23:29 < rob0> and there is no client/server binary, the same one does either/both.
23:32 < LumberCartel> Yes, that's something I really like about OpenVPN.
23:39 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:39 -!- LumberCartel [~LumberCar@24.86.160.252] has left ##openvpn ["Sign the anti-spam petition: [ http://www.lumbercartel.ca/law/canada/s-220/ ]"]
--- Day changed Tue Apr 06 2010
00:18 -!- [mutex]_ [~portn0k@unaffiliated/mutex/x-1106097] has quit [Quit: Lost terminal]
01:35 -!- DrPepper [~DrPepper@88.207.192.171] has quit [Quit: Leaving...]
01:37 -!- DrPepper [~DrPepper@88.207.192.171] has joined ##openvpn
01:39 -!- DrPepper [~DrPepper@88.207.192.171] has quit [Client Quit]
01:43 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
01:54 -!- sanderj [~sanderj@195.204.103.72] has quit [Ping timeout: 252 seconds]
02:09 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.8/20100214235958]]
02:12 -!- DrPepper [~DrPepper@88.207.192.171] has joined ##openvpn
02:20 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
03:01 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has joined ##openvpn
03:01 < vpnguy> !welcome
03:01 < vpnHelper> vpnguy: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:01 < vpnguy> hello
03:02 < vpnguy> why my firewall is blocking all traffic trough the VPN
03:02 < vpnguy> whereas I setup the right rules to allow traffic
03:02 < Bushmills> because your admin has configured the firewall that way? 
03:04 < vpnguy> $IPT -A INPUT -i tun+ -j ACCEPT
03:04 < vpnguy> $IPT -A OUTPUT -o tun+ -j ACCEPT
03:04 < vpnguy> $IPT -A INPUT -i tap+ -j ACCEPT
03:04 < vpnguy> $IPT -A OUTPUT -o tap+ -j ACCEPT
03:05 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
03:05 < Bushmills> "my firewall is blocking all traffic"  " I setup the right rules to allow"   one of those must be wrong. choose which one.
03:07 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has joined ##openvpn
03:07 < vpnguy> I think I setup the right rules
03:08 < vpnguy> the thing is when I disable the software firewall "iptables" everything is working fine but I activate it 
03:09 < vpnguy> il is blocking whereas I allowed traffic on tap interface for incoming and outgoing traffic
03:09 < Bushmills> conclusion?
03:10 < vpnguy> there is something wrong with my rules
03:10 < vpnguy> but i do not know what
03:10 < vpnguy> could you please tell me what rules I need to apply
03:11 < Bushmills> no, because i don't know your setup
03:11 < Bushmills> iptables -P INPUT ACCEPT would probably do.
03:12 < Bushmills> but that't wouldn't leave a lot of firewall then
03:15 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has joined ##openvpn
03:15 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has left ##openvpn []
03:28 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has quit []
03:30 -!- sp0tteh [~sdfhk@ppp118-210-44-6.lns20.adl2.internode.on.net] has quit [Read error: Connection reset by peer]
03:30 -!- sp0tteh [~sdfhk@ppp118-210-44-6.lns20.adl2.internode.on.net] has joined ##openvpn
04:10 -!- MrJK [~jezu@194.199.166.96] has quit [Ping timeout: 252 seconds]
04:12 -!- dug` [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Read error: Connection reset by peer]
04:12 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
04:12 -!- master_of_master [~master_of@p57B55354.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
04:14 -!- master_of_master [~master_of@p57B53F04.dip.t-dialin.net] has joined ##openvpn
04:16 -!- d12fk [~heiko@vpn.astaro.de] has joined ##openvpn
04:16 -!- d000k [~heiko@vpn.astaro.de] has quit [Ping timeout: 248 seconds]
04:18 -!- MrJK [~jezu@194.199.166.96] has joined ##openvpn
04:24 < krzee> LOL
04:25 < krzee> I've tried to run openvpn (on a virtual server) like this:
04:25 < krzee> > openvpn --config server.ovpn --daemon myvpn --log myvpn.log &
04:25 < krzee> When I do this, the ssh connection I'm using (the one in which I typed the command above) stops working, together with any other ssh connections I have open, and I can't create new ones.  I can't reconnect until I reboot my virtual server.
04:25 < krzee> Has anyone else had this problem?  Any ideas?
04:25 < krzee> Jon
04:25 < krzee> from mail list...
04:25 < krzee> he wins the least information given award!
04:25 < krzee> im tempted to reply something like this:
04:26 < krzee> I am trying to help people on the mail list, but they do not include any details about their setup.  Has anyone else has this problem?  Any ideas?
04:29 < |Mike|> yeah, drink more beer!
04:31 < |Mike|> But no, they should provide more information about their setup krzee, otherwise its kinda hard to help them with their "problem(s)"
04:37 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
05:07 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
05:11 -!- TheGenius [~HyeVoltag@cpe-67-49-30-155.socal.res.rr.com] has joined ##openvpn
05:12 < TheGenius> Hey guys is openvpn free?
05:13 < mwheeler> yes
05:13 < mwheeler> free as in beer
05:14 < TheGenius> hmm
05:14 < TheGenius> why is there a purchase link on the site?
05:16 < mwheeler> there is community openvpn, and there is access server or something
05:16 < mwheeler> I dunno
05:17 < TheGenius> ah
05:17 < TheGenius> ok makes sense
05:18 < ScriptFanix> if you're lazy, you pay
05:20 < ScriptFanix> money vs. time :)
05:22 -!- zamba [marius@flage.org] has quit [Read error: Operation timed out]
05:22 -!- zamba [marius@flage.org] has joined ##openvpn
05:30 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:30 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
05:37 -!- HyeVoltage [~HyeVoltag@cpe-67-49-30-155.socal.res.rr.com] has joined ##openvpn
05:37 -!- HyeVoltage [~HyeVoltag@cpe-67-49-30-155.socal.res.rr.com] has quit [Client Quit]
05:38 -!- TheGenius [~HyeVoltag@cpe-67-49-30-155.socal.res.rr.com] has quit [Ping timeout: 260 seconds]
05:51 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Ping timeout: 264 seconds]
05:53 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has left ##openvpn []
05:58 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
06:02 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
06:05 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
06:07 -!- le0 [~tehle0@unaffiliated/le0] has quit [Client Quit]
06:07 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
06:08 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Ping timeout: 246 seconds]
06:09 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
06:10 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
06:29 -!- julius [~julius@217.20.127.15] has quit [Disconnected by services]
06:29 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
06:45 -!- sparch [~sparch@pdpc/supporter/active/sparch] has joined ##openvpn
06:48 -!- sparch [~sparch@pdpc/supporter/active/sparch] has left ##openvpn []
06:55 -!- Zordrak [~jaz@87-194-141-163.bethere.co.uk] has left ##openvpn []
06:57 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
07:04 -!- HardDisk_WP [~Marco@wikipedia/harddisk] has quit [Quit: Caught sigterm, terminating...]
07:14 -!- MrJK [~jezu@194.199.166.96] has quit [Ping timeout: 248 seconds]
07:15 -!- MrJK [~jezu@194.199.166.96] has joined ##openvpn
07:29 -!- kinlo [peter@panda.pfoe.be] has joined ##openvpn
07:38 < kinlo> is there a way to put key files/certificates etc inline in the config file?
07:41 -!- sparch [~sparch@pdpc/supporter/active/sparch] has joined ##openvpn
07:41 -!- sparch [~sparch@pdpc/supporter/active/sparch] has left ##openvpn []
07:42 -!- bezourox [~bezou_rox@130.171.64-86.rev.gaoland.net] has joined ##openvpn
07:42 < bezourox> !welcome
07:42 < vpnHelper> bezourox: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:44 < bezourox> hello. i surch many informations about openVPN because i have to developp a VPN multi points. A
07:49 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
07:51 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 276 seconds]
07:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:57 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
08:00 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:05 -!- sp0tteh [~sdfhk@ppp118-210-44-6.lns20.adl2.internode.on.net] has quit []
08:05 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
08:13 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
08:24 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Ping timeout: 264 seconds]
08:38 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 264 seconds]
08:40 -!- zambaboo [~zambaboo@adsl-71-154-206-122.dsl.sndg02.sbcglobal.net] has quit [Quit: zambaboo]
08:44 -!- zambaboo [~zambaboo@adsl-71-154-206-122.dsl.sndg02.sbcglobal.net] has joined ##openvpn
08:52 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
08:52 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
08:53 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
09:06 -!- zambaboo [~zambaboo@adsl-71-154-206-122.dsl.sndg02.sbcglobal.net] has quit [Quit: zambaboo]
09:06 -!- MrJK [~jezu@194.199.166.96] has quit [Ping timeout: 276 seconds]
09:06 -!- MrJK [~jezu@194.199.166.96] has joined ##openvpn
09:08 -!- smerz [~daniel@smerz.demon.nl] has quit [Quit: Ex-Chat]
10:07 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
10:09 -!- elge [~elge@mx2.nethence.com] has left ##openvpn []
10:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
10:27 -!- DarthGandalf is now known as DarthGandalf|BNC
10:29 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
10:29 -!- mode/##openvpn [+o mattock] by ChanServ
10:33 -!- DarthGandalf|BNC is now known as DarthGandalf
10:42 -!- Netsplit *.net <-> *.split quits: mwheeler, Fiouz, ufoman, dunc, tjz, KaiForce
10:42 -!- Netsplit over, joins: KaiForce, dunc, tjz, mwheeler, ufoman, Fiouz
10:53 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:30 -!- rawDawg2 [~rawDawg@68.177.41.242] has joined ##openvpn
11:31 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has joined ##openvpn
11:31 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has left ##openvpn []
11:31 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has joined ##openvpn
11:32 -!- cjs [~AndChat@9.sub-97-14-71.myvzw.com] has joined ##openvpn
11:33 -!- cjs [~AndChat@9.sub-97-14-71.myvzw.com] has quit [Client Quit]
11:39 < aaronorosen2> Hello, I've been chatting with people in this room for the past few days about my VPN setup and I think i figured out what the problem is
11:40 < aaronorosen2> My vpn server's ip address is 130.127.60.108. I configured my server-bridge in the server.conf to be 130.127.60.108 255.255.255.224 130.127.60.120 130.127.60.124
11:40 < aaronorosen2> Would that cause a conflict since my server's ipaddress is in the same vpn ip address pool?
11:47 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
12:00 -!- zambaboo [~zambaboo@adsl-99-75-177-241.dsl.sndg02.sbcglobal.net] has joined ##openvpn
12:00 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
12:01 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has quit [Quit: Leaving.]
12:01 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has joined ##openvpn
12:08 -!- aaronorosen3 [~arosen@130.127.255.224] has joined ##openvpn
12:09 -!- aaronorosen3 [~arosen@130.127.255.224] has quit [Client Quit]
12:10 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has quit [Ping timeout: 265 seconds]
12:30 -!- LobbyZ [~default@188.72.255.194] has quit [Ping timeout: 245 seconds]
12:43 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
12:43 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
12:44 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
12:48 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Client Quit]
12:57 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
13:01 -!- brenddie [~eddie@32.179.187.62] has joined ##openvpn
13:02 < brenddie> hi all, it seems is possible to change the certificate password by the user. Is this correct?
13:03 < brenddie> in openVPN gui thers a change password option that seems to let users change the password. can this be blocked in the server?
13:29 -!- Guest25722 is now known as redfox
13:30 -!- redfox is now known as Guest39845
14:02 < |Mike|> brenddie: certs != ldap
14:05 < brenddie> when i issue a cert it has a password
14:06 < brenddie> it seems it sposible to change the password from the openvpn gui option
14:07 < |Mike|> i doubt that ;)
14:07 < |Mike|> test it out :)
14:08 < brenddie> im using linux network manager openvpn plug in so cant test it for now
14:12 < ecrist> !ubuntu
14:12 < vpnHelper> ecrist: "ubuntu" is dont use network manager!
14:13 < |Mike|> network manager works just fine in Koala :p
14:13 < |Mike|> just not the default one :d
14:13 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
14:15 < hyper_ch> wicd ftw
14:37 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Remote host closed the connection]
14:40 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:12 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
15:20 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 265 seconds]
15:23 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:43 -!- BashLogic [~BashLogic@NS1.Kielletty.net] has joined ##openvpn
15:43 < BashLogic> hello
15:43 < BashLogic> i was wondering if someone could give a pointer, 
15:44 < BashLogic> for two days ive been going over why i am able to connect from my client to my server, obtain an ip and the routing yet i am unable to connect to the network behind the vpn
15:44 < BashLogic> any hints on where i could attempt to troubleshoot his?
15:45 < BashLogic> welcome
15:45 < BashLogic> !welcome
15:45 < vpnHelper> BashLogic: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:45 < BashLogic> !route
15:45 < vpnHelper> BashLogic: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:45 -!- rawDawg2 [~rawDawg@68.177.41.242] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
15:56 -!- f0g [~f0g@pool-173-48-164-86.bstnma.fios.verizon.net] has joined ##openvpn
15:57 < f0g> IS there a way to forward all traffic except http(s) through the vpn? Or is redirect-gateway all or nothing?
15:58 < Fiouz> you can use policy routing under linux
15:58 < Fiouz> so that packets to 80/443 use anoter routing table
16:00 < f0g> Does redirect-gateway simply instruct the clients to change the routing table?
16:01 < Fiouz> I guess it's a client option (you can push it), but yes
16:01 < f0g> Hrn.
16:02 < Fiouz> are you trying not to redirect http from a client or from the server?
16:02 < f0g> Perhaps I should simply say what the problem is in case my attempt at the solution is stupid.
16:03 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
16:03 < f0g> I have a friend in hospital who is using their guest internet connection which is highly restrictive - captive portal, tcp over 80 and 443 to the outside world only except for things internal to their network.
16:04 < f0g> And considering the length of his stay, it's beginning to drive him up the wall.
16:05 < f0g> So, we made a vpn run on 443 and we're trying to push everything through that vpn. Fine. redirect-gateway, done. Except, we hit a snag.  When we do that, it kills the connection (I assume because there is no longer some traffic that it periotically sends through http.)
16:06 < f0g> Hence the wish for 80 continuing to go through their connection.
16:06 < Fiouz> is the client OS Linux? If so, policy routing can do the trick
16:07 < f0g> Yes, it is.
16:08 < f0g> Alright. Time to go bury myself in quite frightening network documentation, then.
16:08 < Fiouz> then make sure kernel has CONFIG_IP_MULTIPLE_TABLES
16:08 < f0g> Hm...
16:08 < Fiouz> and use "ip" to configure additional routing rule
16:08 < f0g> It's not a custom kernel.
16:09 < Fiouz> check with "ip rule"
16:10 < f0g> Which should give an error if it's not, correct?
16:10 < Fiouz> yep
16:10 < f0g> Okie-dokie! :)
16:10 < Fiouz> then for port filtering, you need to use iptables as well (policy routing can't filter by port I think)
16:11 < f0g> So, iptables to somehow flag traffic for the different routing?
16:11 < Fiouz> yep, that's it
16:12 < f0g> By, what, MASQUERADE?
16:13 < Fiouz> table mangle, OUTPUT (I don't remember well), and -j MARK --set-mark XXX
16:13 < f0g> Dear god, I am not smart enough for this. D:
16:13  * f0g reads manpages
16:13 < BashLogic> oh boy... things are not working out for other people as well..
16:14 < BashLogic> cat eithe of you two confirm the following; do i need to create a ccd/iroute for every client that conencts to my openvpn server?
16:15 < Fiouz> BashLogic: only if you want computers behind client to communicate with VPN I think
16:16 < BashLogic> but if i want so that the vpn client can communicate with hosts behind the vpn server, do i require client-to-client ?
16:16 < f0g> So... ip route to make a static route in table n. ip rule to push marked packets to follow table n, and iptables to mangle the tables and mark the packets?
16:17 < Fiouz> f0g: yes that's the idea
16:17 < BashLogic> fog that sounds about what i have figured out so far from the manuals..
16:17 < f0g> Wheheeeeee, I know just enough to get myself into trouble.
16:17 < f0g> This should be /fun/
16:18 < BashLogic> join the club!
16:18 < Fiouz> BashLogic: there should be no need for client-to-client but you need ip forwarding enabled
16:18 < BashLogic> then what networks do i need to push?
16:19 < BashLogic> if my vpn is 172.16.1.0 and my lan is 192.168.0.0
16:19 < BashLogic> what push route should enable the vpn client to access 192.168.0.10
16:20 < Fiouz> for a single host behind VPN, you can push its sole IP address push "route 192.168.0.10 255.255.255.255" but it may be simpler to push /24
16:21 < BashLogic> do i do a push route 172.16.0.0 and push route 192.168.0.0 or is it enough to push only 192
16:21 < BashLogic> Fiouz: so i have no need to push the 172 ?
16:23 < Fiouz> are you able to ping the VPN server without it?
16:23 < Fiouz> (by its VPN IP address)
16:23 < BashLogic> about to try.. when i was pushing both 192 and 172, i was unable to ping over the vpn
16:24 < BashLogic> btw, im working on windows systems
16:24 < Fiouz> just make sure 192.168.0.0 doesn't clash with your possible current LANs, client side
16:32 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
16:38 -!- zambaboo [~zambaboo@adsl-99-75-177-241.dsl.sndg02.sbcglobal.net] has quit [Quit: zambaboo]
16:43 -!- mithridates [~chatzilla@142.166.49.197] has joined ##openvpn
--- Log closed Tue Apr 06 16:50:13 2010
--- Log opened Wed Apr 07 07:15:25 2010
07:15 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
07:15 -!- Irssi: ##openvpn: Total of 103 nicks [2 ops, 0 halfops, 1 voices, 100 normal]
07:15 -!- Irssi: Join to ##openvpn was synced in 8 secs
07:41 < aaronorosen1> Hello, I've setup a bridge because i need to pass layer 2 traffic. In my sever.conf i have the following 
07:41 < aaronorosen1> bridge-server 130.127.62.8 255.255.255.224 130.127.62.10 130.127.62.15
07:42 < aaronorosen1> When i got to ping 130.127.62.2 i see in wireshark it does an arp query for 130.127.62.2 and then i get an answer back for its mac address though i can still not ping it. 
07:42 < aaronorosen1> any idea why that is happening? 
07:43 < ecrist> aaronorosen1: do you have a firewall blocking traffic?
07:43 < aaronorosen1> ecrist: nope
07:45 < ecrist> does the .2 address ever see the ping packets?
07:45 < aaronorosen1> ecrist: maybe you can answer this for me. Would this cause a conflict. My vpn server  lives at 130.127.60.108 and if i set my server-bridge to be 130.127.60.108 255.255.255.224 130.127.60.111 130.127.60.122 I am unable to contract anything in the 130.127.60.* network. 
07:46 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
07:46 < aaronorosen1> ecrist: i'm guessing not. (I don't have root on that machine so i really can't see)
07:48 < aaronorosen1> ecrist: should that matter if the machines actual ip address is 130.127.60.108 and i'm handing out ip addressses in that range? Someone told me that causes a loop? That is why i am unable to get to anything in the .60 network
07:50 < ecrist> it shouldn't really cause a problem, though it's not a good practice
07:50 < aaronorosen1> ecrist: hmm it seems to. 
07:51 < aaronorosen1> ecrist: also if i get 130.127.62.10 from the vpn server pool is there a reason why i can't ssh to that ip address from the .62 network? (Even though i can ssh to the machines normal ip address)
07:58 -!- aaronorosen1 [~arosen@riggs249dhcp138.ces.clemson.edu] has quit [Ping timeout: 240 seconds]
07:59 -!- aaronorosen1 [~arosen@riggs249dhcp138.ces.clemson.edu] has joined ##openvpn
08:00 < ecrist> aaronorosen1: your problems realy appear to be firewall related.
08:00 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
08:03 < aaronorosen1> ecrist: I have no iptable rules on client and server except on the server i have ones that forward traffic to br0 and tap0
09:16 -!- brenddie [~eddie@mobile-166-214-046-016.mycingular.net] has joined ##openvpn
09:18 -!- aaronorosen2 [~arosen@130.127.120.235] has joined ##openvpn
09:19 < aaronorosen2> Does anyone know what the following error message means? MULTI: no dynamic or static remote --ifconfig address is available for client2/130.127.120.235:41576
09:19 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
09:40 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:44 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Quit: Bye]
09:45 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
09:48 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
09:54 -!- aaronorosen2 [~arosen@130.127.120.235] has quit [Quit: Leaving.]
09:54 -!- aaronorosen2 [~arosen@130.127.120.235] has joined ##openvpn
09:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:58 -!- aaronorosen2 [~arosen@130.127.120.235] has quit [Ping timeout: 246 seconds]
09:59 -!- smerz [~daniel@smerz.demon.nl] has quit [Quit: Ex-Chat]
09:59 -!- aaronorosen2 [~arosen@130.127.120.235] has joined ##openvpn
10:00 -!- aaronorosen2 [~arosen@130.127.120.235] has quit [Remote host closed the connection]
10:00 < dmz> yeah! i got one of my openvpn servers to auth to my 2FA radius server but verify that the users are in valid AD groups :) what a pita that was...i hate pam :)
10:20 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 260 seconds]
10:20 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
10:20 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
10:20 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
10:23 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 264 seconds]
10:37 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Ping timeout: 276 seconds]
10:38 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
10:51 -!- zambaboo [~zambaboo@adsl-71-154-206-122.dsl.sndg02.sbcglobal.net] has joined ##openvpn
10:51 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
11:06 -!- Blues-Man [~bluesman@host248-123-dynamic.23-79-r.retail.telecomitalia.it] has joined ##openvpn
11:14 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
11:17 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
11:28 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
11:34 -!- bezourox [~bezou_rox@130.171.64-86.rev.gaoland.net] has quit [Ping timeout: 260 seconds]
11:39 -!- bezourox [~bezou_rox@130.171.64-86.rev.gaoland.net] has joined ##openvpn
11:51 -!- romel_ [~romel@194.187.148.97] has joined ##openvpn
11:52 -!- DrPepper [~DrPepper@88.207.192.171] has quit [Ping timeout: 276 seconds]
11:54 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has joined ##openvpn
11:54 -!- romel [~romel@unaffiliated/romel] has quit [Ping timeout: 265 seconds]
11:54 < aaronorosen2> Hello, when i setup bridge-server and then i do dhcp tap0 i get an ip address from the dhcp server on the lan. But i am unable to ping anyone on the lan. It seems like my arp requests  are not getting passed though my tap0 interface. 
11:55 < aaronorosen2> Any idea what could be causing that? 
12:01 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has quit [Read error: Connection reset by peer]
12:02 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has joined ##openvpn
12:03 < ecrist> aaronorosen1: again, loot to your firewall
12:03 < ecrist> look*
12:04 < aaronorosen2> ecrist: I've shown you my iptables there is nothing blocking it? 
12:04 < ecrist> I wouldn't know, regardless of what you show me.
12:04 < ecrist> !iptables
12:04 < vpnHelper> ecrist: "iptables" is (#1) o test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT;, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-
12:04 < vpnHelper> ecrist: computing.net/wiki/index.php/OpenVPN/Firewall
12:07 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
12:07 -!- aaronorosen3 [~arosen@eib199dhcp95.ces.clemson.edu] has joined ##openvpn
12:07 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has quit [Read error: Connection reset by peer]
12:08 < aaronorosen3> ecrist: i just ran iptables -F; iptables -Z; on the client. On there server here is the output of iptables -L -n -v http://pastebin.com/ivGqvVW7
12:09 < ecrist> aaronorosen3: I don't know anything about iptables, nor do I want to.
12:09 < ecrist> using tcpdump, see what the traffic is really doing.
12:09 < ecrist> !configs
12:09 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
12:14 < aaronorosen3> ecrist: I have done that. If i run dhclient on tap0 my client will get an ip address from the dhcp server that resides on the VPN server side. After getting that when i run ping vpn server. It will do arp queries for who is VPN server and no one ever replies. 
12:14 < aaronorosen3> It seems like the arp queries are not getting forwarded though the tap0 interface on the client side. 
12:14 < aaronorosen3> Though i have no idea why the dhclient tap0 works and ping doesn't. 
12:18 -!- Artio [~a@port-14765.pppoe.wtnet.de] has joined ##openvpn
12:19 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
12:20 -!- aaronorosen3 [~arosen@eib199dhcp95.ces.clemson.edu] has quit [Quit: Leaving.]
12:21 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has joined ##openvpn
12:29 -!- Blues-Man [~bluesman@host248-123-dynamic.23-79-r.retail.telecomitalia.it] has quit [Quit: Sto andando via]
12:31 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has quit [Ping timeout: 276 seconds]
12:39 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
12:46 -!- brenddie [~eddie@mobile-166-214-046-016.mycingular.net] has quit [Ping timeout: 258 seconds]
12:46 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has joined ##openvpn
12:51 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has quit [Ping timeout: 276 seconds]
12:53 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has joined ##openvpn
12:56 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has quit [Client Quit]
12:57 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has joined ##openvpn
12:58 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has quit [Client Quit]
13:03 -!- romel_ [~romel@194.187.148.97] has quit [Ping timeout: 248 seconds]
13:07 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
13:15 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has joined ##openvpn
13:17 < aaronorosen2> I'm trying to pass layer2 traffic using bridging on a VPN sever but for some reason my ARP queries from my clients seem not to be getting passed though my tap0 interface. Any idea why this would be happening? 
13:17 < ecrist> aaronorosen2: quit asking, you've asked the same question over and over and over
13:17 < ecrist> I've told you what to look for.
13:18 < ecrist> you have failed to provide me your configs.
13:20 < aaronorosen2> ecrist: here is my server.conf http://pastebin.com/aCLGMRkv
13:20 < aaronorosen2> Here is my client.conf http://pastebin.com/SYMQ7CJB
13:21 < ecrist> ok, when a client connects, what address do they get?
13:22 < aaronorosen2> ecrist: when i connect i get 130.127.60.122 for my tap0
13:23 < ecrist> ok, and can you ping the .108 IP?
13:23 < aaronorosen2> ecrist: no i can not. in wireshark i see arp requests for who is 108
13:23 < aaronorosen2> on the tap0 interface on the client
13:25 < ecrist> does the tap0 interface have the 108 IP, or is that on one of your ethernet interfaces?
13:25 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
13:25 -!- dmz [~dmz@64.203.207.101.dyn-cm-pool-54.hargray.net] has left ##openvpn ["Ex-Chat"]
13:26 < aaronorosen2> ecrist: on the server? on the server my br0 interface has the .108
13:26 < aaronorosen2> i used the bridge_start script to do that. 
13:27 < ecrist> what what is the public IP  of the server, the client is using to connect on?
13:28 < aaronorosen2> ecrist: in my client.conf i have remote 130.127.60.108 1194
13:28 < ecrist> I think that may be your problem
13:28 < ecrist> you have a logical loop
13:28 < ecrist> create a tunnel to 108, then your trying to route traffic to the subnet 108 is on through the tunnel.
13:29 < aaronorosen2> ecrist: how is this problem fixed? 
13:30 < aaronorosen2> ecrist: when i set my server-bridge to server-bridge 130.127.62.8 255.255.255.224 130.127.62.10 130.127.62.14
13:30 < aaronorosen2> and then call dhclient tap0
13:30 < aaronorosen2> it gives me a 130.127.60.XXX from the dhcp server on the VPN server side
13:30 < ecrist> the problem is fixed by having your remote address outside your bridge space
13:30 < ecrist> the IP you connect to the VPN with cannot be inside the VPN
13:33 < aaronorosen2> ecrist: How am I able to put this computer outside of this subnet and then bridge it to the one that i want? 
13:33 < ecrist> that's for you to figure out
13:33 < aaronorosen2> I want to be able to connect to a vpn that puts me on this 130.127.60 subnet. 
13:33 < aaronorosen2> ecrist: i can do that with two ethernet cards having one outside of the subnet and one inside and that should work but is there no solution with just one card? 
13:34 < ecrist> sure, so get an IP that's outside that subnet, assign it to the vpn server, and have openvpn listen on that new ip
13:34 < ecrist> you can put more than one IP on an ethernet interface
13:34 < aaronorosen2> ecrist: is that using virtual interfaces? 
13:34 < ecrist> no
13:35 < ecrist> you can put more than one IP on an ethernet interface
13:35 < aaronorosen2> ecrist: using ifconfig? how? 
13:35 < ecrist> man ifconfig 
13:35 < ecrist> look for alias
13:38 < aaronorosen2> ecrist: according to http://openvpn.net/index.php/open-source/documentation/install.html?start=1 section Notes -- Ethernet bridging, Windows client, Linux Server, the bridging should just work configuring with one ethernet with out alias? Is this page not accurate or am i misunderstanding this? 
13:38 < vpnHelper> Title: Installation (Win32) - Page 2 (at openvpn.net)
13:39 < ecrist> you're misunderstanding how subnetting works.
13:40 < ecrist> you're trying to encrypt traffic for the entire /27 subnet, including the IP you're connecting to
13:40 < ecrist> you have a chicken/egg issue
13:40 < krzee> mmmm chicken and eggs
13:41 < krzee> ill take chicken in my omelet pls
13:42 < aaronorosen2> ecrist: I just want tap0 to be a layer2 tunnel to the 130.127.60 network. This way clients will get assigned an ip address via the dhcp server on the vpn server side? 
13:43 < aaronorosen2> all communication to and from 130.127.60 should go though tap0
13:44 < aaronorosen2> ecrist: so what you were saying is if i put another ethernet card in the box such that it has an ipaddress that is not in the same network that i'm try to bridge this will work? 
13:44 < ecrist> should, yep
13:45 < ecrist> but you don't need another ethernet card, you just need a proper config on your existing interface.
13:45 < ecrist> is this a university project?
13:46 < aaronorosen2> ecrist: yup i'm working on this openflowswitch.org stuff and i want people to beable to vpn onto the network and not have to be physically on the network 
13:47 < ecrist> well, the university has at least a class B network, so you should be able to get plenty of IPs outside your /27
13:48 < aaronorosen2> ecrist: if i want the dhcp server on the VPN server side to give me an ipaddress without using server bridge should this config file work ? http://pastebin.com/agSTdWUu
13:48 < aaronorosen2> Using this config does not bring my client's tap0 up but i can play with that more. 
13:48 < ecrist> I'd defer to the openvpn docs
13:48 < ecrist> there are, iirc, some specific config args to allow dhcp to pass through the tunnel
13:49 < aaronorosen2> http://openvpn.net/index.php/open-source/faq.html#bridge-addressing they just say to add this mode server
13:49 < aaronorosen2> dev tap0 # must be bridged with LAN ethernet interface
13:49 < aaronorosen2> [SSL/TLS parms]
13:49 < aaronorosen2> [keepalive parms]
13:49 < aaronorosen2>  
13:49 < vpnHelper> Title: FAQ (at openvpn.net)
13:49 < ecrist> ok, then do that
13:49 < ecrist> I'm not really any sort of expert.
13:50 < aaronorosen2> ecrist: No problem. I really appreciate your help with this. 
13:50 < aaronorosen2> ecrist: i'll go a head and try the alias thanks for your help. 
13:51 < ecrist> no
13:51 < aaronorosen2> no? 
13:52 < ecrist> wrong chan.
13:53 < aaronorosen2> ecrist: I'm getting this message when i try that setup.
13:53 < aaronorosen2> TCP/UDP: Incoming packet rejected from 130.127.60.108:1194[2], expected peer address: 130.127.198.212:1194 (allow this incoming source address/port by removing --remote or adding --float)
13:54 < aaronorosen2> in my client config i have remote 130.127.198.212 1194 
13:54 < aaronorosen2> and all the 130.127.60.108 stuff is commented out
13:54 < ecrist> and is openvpn listening on .212 address?
13:54 < aaronorosen2> I'm also getting this on the server side
13:54 < aaronorosen2> 7 15:04:14 2010 130.127.249.138:57183 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
13:54 < aaronorosen2> Wed Apr  7 15:04:14 2010 130.127.249.138:57183 TLS Error: TLS handshake failed
13:54 < ecrist> oh, you need to make the 'new' IP the first IP on the interface
13:55 < ecrist> and set your default route to the default route for the IP in that subnet
13:55 < ecrist> most specifically the default route
13:55 < aaronorosen2> ecrist: i do see here if my ifconfig http://pastebin.com/1y71m3R4
13:55 < ecrist> ifconfig doesn't show default route
13:56 < aaronorosen2> Here is my routing table on the server
13:56 < aaronorosen2> Kernel IP routing table
13:56 < aaronorosen2> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
13:56 < aaronorosen2> 130.127.60.96   *               255.255.255.224 U     0      0        0 br0
13:56 < aaronorosen2> 130.127.198.0   *               255.255.254.0   U     0      0        0 eth0
13:56 < aaronorosen2> default         130.127.198.2   0.0.0.0         UG    0      0        0 eth0
13:56 < aaronorosen2> default         130.127.60.97   0.0.0.0         UG    0      0        0 br0
13:56 < ecrist> remove the secondary default
13:56 < aaronorosen2> thats the 130.127.198.2? 
13:56 < ecrist> no
13:56 < aaronorosen2> the br0 is a bridge of eth2 and tap0
13:56 < ecrist> the other
13:56 < ecrist> aaronorosen2: I can't teach you routing 101
13:57 < ecrist> s/can't/don't want to/
13:58 < aaronorosen2> ecrist: that fixed the problem it seems to work now :D
13:59 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
14:05 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Ping timeout: 276 seconds]
14:08 < |Mike|> ifconfig should be deprecated imho
14:09 < ecrist> in favor of what, |Mike| ?
14:10 < |Mike|> well, if you add an ip with ip2route tools, they won't show up in ifconfig 
14:10 < ecrist> ip2route isn't on *bsd, or darwin
14:10 < |Mike|> and with ip you can configure a lot more than with ifconfig imho
14:10 < |Mike|> serious ?
14:10 < ecrist> yes, serious
14:10 < |Mike|> it's a linux only thing then? word.
14:11 < ecrist> ip2route sounds hackish
14:11 < |Mike|> it's actually 'ip'
14:11 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
14:11 < |Mike|> with 'ip route show' you can see all routes
14:12 < |Mike|> iproute2 even, word. I have configured a shitload of ipv6 addresses today
14:13 < |Mike|> puppet++
14:17 < ecrist> I've been happy with ifconfig
14:24 < rob0> ifconfig *is* deprecated in Linux, but indeed, iproute2 is Linux-specific.
14:24 < Krikke> deprecated in favor of what?
14:25 < rob0> iproute2 supports all kernel IP and routing features
14:33 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
15:08 -!- dangra [~dan@r190-135-5-131.dialup.adsl.anteldata.net.uy] has joined ##openvpn
15:09 < dangra> hi guys, is there a way to negate an option after sourcing another config file that enables it ?
15:10 < dangra> I have multiples openvpn servers running in the same host using a base common configuration, but happens that one of them require client-to-client disabled
15:10 < dangra> all servers configuration sources (using `config` option) a base conf that enables it
15:12 < dangra> removing client-to-client from base conf is not an option (at least not the one I am looking for :( )
15:15 < dangra> negating options doesn't works: no-client-to-client
15:15 < dangra> using negation values neither: client-to-client no|off|0|disabled
15:16 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:16 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
15:21 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
15:23 < dangra> !welcome 
15:23 < vpnHelper> dangra: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:27 -!- Artio [~a@port-14765.pppoe.wtnet.de] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Chicks dig it]
15:33 < flok420> !iporder
15:34 < vpnHelper> flok420: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
15:34 < flok420> !forum
15:34 < vpnHelper> flok420: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
15:34 < flok420> !wiki
15:34 < vpnHelper> flok420: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
15:36 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
16:04 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
16:25 -!- notbrien [~notbrien@208.82.13.214] has quit [Remote host closed the connection]
16:25 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
16:53 -!- dangra [~dan@r190-135-5-131.dialup.adsl.anteldata.net.uy] has quit [Quit: Leaving.]
17:04 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
17:04 -!- leev [lee@220.157.68.202] has joined ##openvpn
17:04 < leev> !welcome
17:04 < vpnHelper> leev: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:13 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
17:13 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
17:14 -!- rkantos [robin@hp1.jaketus.net] has quit [Ping timeout: 240 seconds]
17:14 -!- rkantos [robin@hp1.jaketus.net] has joined ##openvpn
17:20 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
17:25 < eradiate> !redirect
17:25 < vpnHelper> eradiate: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:26 < eradiate> !def1
17:26 < vpnHelper> eradiate: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
17:32 -!- brenddie [~eddie@32.179.123.194] has joined ##openvpn
17:35 -!- aaronorosen2 [~arosen@eib199dhcp95.ces.clemson.edu] has quit [Remote host closed the connection]
17:39 -!- aaronorosen1 [~arosen@riggs249dhcp138.ces.clemson.edu] has quit [Ping timeout: 264 seconds]
17:41 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has joined ##openvpn
17:45 -!- brenddie [~eddie@32.179.123.194] has quit [Ping timeout: 258 seconds]
17:50 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Quit: Leaving]
18:14 -!- torrancew [~torrancew@ip70-172-225-171.br.br.cox.net] has joined ##openvpn
18:14 < torrancew> hi all
18:14 < torrancew> i have a udp, bridged openvpn server, certs set up with easy-rsa tools, and was hoping to move the server to another box
18:15 < torrancew> (from an ubuntu server to a proxmox ve[debian] server)
18:15 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
18:15 < torrancew> i tarred up /etc/openvpn, moved it over, set up a bridge and what-not, but i get a message about local and remote keys being out of sync
18:16 < torrancew> is this directly related to a poor migration? or is there some other error?
18:16 < ecrist> make sure the time is correct on the new server
18:16 < torrancew> it is
18:16 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
18:16 < torrancew> that was the first thing i checked
18:16 < ecrist> that's all I can think of 
18:16 < ecrist> !logs
18:16 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
18:16 < ecrist> would help
18:16 < torrancew> heh
18:16 < torrancew> i can't access the server logs at the moment (i'm now off site)
18:17 < torrancew> but can post client logs
18:17 < ecrist> we can start with that
18:17 < torrancew> and nab server ones later tonight/tomorrow
18:20 < torrancew> http://pastebin.ca/1858269
18:23 < torrancew> oy
18:23 < torrancew> that wasn't verb 6 though
18:23 < torrancew> apologies
18:23 < torrancew> that was verb 3
18:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
18:24 < torrancew> http://pastebin.ca/1858271
18:24 < torrancew> that's updated with verb 6
18:29 < torrancew> ecrist: any of that look funky?
18:31 < torrancew> for reference, is that not the correct way to migrate?
19:00 < ecrist> torrancew: sounds right, will need the server logs to really help, though.
19:02 < torrancew> understandable
19:02 < torrancew> be around tomorrow?
19:02 < torrancew> i dont' know that i'm going to make it back to the office tonight
19:02 -!- zambaboo [~zambaboo@adsl-71-154-206-122.dsl.sndg02.sbcglobal.net] has quit [Quit: zambaboo]
19:02 < ecrist> I'm in here all the time - normally at a console 0700 to 1500 CDT
19:03 < torrancew> heh
19:03 < torrancew> familiar drill
19:03 -!- diogo_79 [diogo_79@186.211.108.93.rev.vodafone.pt] has joined ##openvpn
19:03 < diogo_79> hi all
19:03 < torrancew> alright, i'll hit you up tomorrow then
19:03 < torrancew> thanks
19:03 < ecrist> n
19:03 < ecrist> p
19:03 < diogo_79> any one uses openvpn on ipcop?
19:04 < ecrist> not i
19:04 < torrancew> nor i
19:04 < torrancew> ecrist: in the meantime, i have another proxmox server here at home, and will try migrating my personal openvpn and see how it all pans out
19:04 < torrancew> but first, dinner!
19:04 < torrancew> later all
19:21 -!- diogo_79 [diogo_79@186.211.108.93.rev.vodafone.pt] has quit [Quit: Leaving]
19:24 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Quit: Leaving...]
19:54 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:00 -!- rob0 [~rob0@tuxaloosa.org] has quit [Ping timeout: 246 seconds]
20:01 -!- rob0 [~rob0@tuxaloosa.org] has joined ##openvpn
20:18 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
20:36 -!- tjz [~pc@bb116-14-142-85.singnet.com.sg] has joined ##openvpn
20:36 -!- tjz [~pc@bb116-14-142-85.singnet.com.sg] has quit [Changing host]
20:36 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:54 -!- d1b [~db@d1b.org] has joined ##openvpn
20:55 < d1b> hi um is it possible to have a client config so i can be on more than one openvpn network at a time ? 
20:57 < Bushmills> you can have several client configs, one for each
20:57 < d1b> so i would need to run the openvpn client multiple times then
20:58 < d1b> for the different configs 
20:58 < Bushmills> run openvpn multiple times then, yes
20:58 < d1b> no other way ?
20:58 < Bushmills> the configs are what make openvpn a client
20:58 < d1b> sure
21:04 -!- zambaboo [~zambaboo@adsl-71-154-206-122.dsl.sndg02.sbcglobal.net] has joined ##openvpn
21:10 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has joined ##openvpn
21:13 -!- kala [~kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
21:14 -!- kala_ [~kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: Operation timed out]
21:19 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
21:44 -!- aaronorosen1 [~arosen@130-127-6-60.generic.clemson.edu] has joined ##openvpn
21:46 < aaronorosen1> Hello, i'm getting the error message read UDPv4 [EHOSTUNREACH]: No route to host (code=113) on the server when clients try to connect. 
21:46 < aaronorosen1> Any idea what is causing tihs? 
21:46 < theDoc> Evidently, no route to host
21:47 < aaronorosen1> theDoc: the server can ssh to that client though. 
21:48 < theDoc> How are your clients connecting?
21:49 < aaronorosen1> I'm trying to do a bridged. 
21:50 < aaronorosen1> theDoc: here is my client.conf http://pastebin.com/Ctj47hmR
21:50 < aaronorosen1> theDoc:  here is my server.conf http://pastebin.com/iyMDgfEa
21:51 < aaronorosen1> theDoc: here are my routes and ifconfig output http://pastebin.com/h5YVDz3v
21:53 < theDoc> aaronorosen1> You might want to do a packet dump and see why it's yelling about a no route to host.
21:53 < theDoc> Hang on, you're getting that on the server?
21:53 < theDoc> Which logs did you get that info from?
21:54 < aaronorosen1> theDoc: i got that message from the server
21:54 -!- rawDawg [~omglol@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
21:54 < theDoc> I wasn't aware that the server throws out such messages.
21:54 < aaronorosen1> theDoc: I'm running openvpn ./test.conf and thats what it spit out
21:54 < theDoc> test.conf is your client config file?
21:55 < aaronorosen1> theDoc: no that is my server.conf
21:57 < aaronorosen1> theDoc: in the client config i'm telling it to connect to 130.127.198.212 and then in the server config i say use dev tap0 which is bridged with eth2 which is 130.127.60.108
21:57 < theDoc> You're confusing me now.
21:57 < aaronorosen1> The reason for this is because it causes a logical loop (i've been told) if i connect to 130.127.60.108 and i'm trying to pass layer 2 traffic there. 
21:58 < aaronorosen1> theDoc: I want to have a layer2 connections to a 130.127.60 network which my eth2 is on
21:58 < aaronorosen1> br0 is a bridge between eth2 and tap0
21:59 < aaronorosen1> bridge name	bridge id		STP enabled	interfaces
21:59 < aaronorosen1> br0		8000.001b2143a1e4	no		eth2
21:59 < aaronorosen1> 							tap0
21:59 < theDoc> aaronorosen1> I'm not too familiar with bridging over openvpn.
21:59 < theDoc> You might want to try asking someone that has more experience than I do, ;p
22:02 < aaronorosen1> theDoc: any idea what this means? 
22:02 < aaronorosen1>  MULTI: no dynamic or static remote --ifconfig address is available for client2/130.127.6.60:36906
22:07 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has quit [Ping timeout: 264 seconds]
22:20 -!- rawDawg [~omglol@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
22:22 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Quit: Quitte]
22:30 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
22:32 -!- krzee [nobody@unaffiliated/krzee] has quit [Remote host closed the connection]
22:41 < theDoc> Anyone familiar with socat?
22:43 -!- zambaboo [~zambaboo@adsl-71-154-206-122.dsl.sndg02.sbcglobal.net] has quit [Quit: zambaboo]
23:05 -!- aaronorosen1 [~arosen@130-127-6-60.generic.clemson.edu] has quit [Ping timeout: 248 seconds]
23:16 -!- aaronorosen1 [~arosen@host-69-59-109-112.nctv.com] has joined ##openvpn
23:53 -!- aaronorosen1 [~arosen@host-69-59-109-112.nctv.com] has quit [Ping timeout: 245 seconds]
--- Day changed Thu Apr 08 2010
00:02 -!- djshotglass [~dex@173.183.62.32] has joined ##openvpn
00:08 -!- zambaboo [~zambaboo@adsl-71-154-206-122.dsl.sndg02.sbcglobal.net] has joined ##openvpn
00:09 < djshotglass> ugh this vpn stuff makes no sense! all i want to do is tunnel my lan though a remote machine these docs are for people who know what they are doing is there more noob docs?
00:12 -!- obsd123 [~obsd123@ip70-179-177-115.fv.ks.cox.net] has joined ##openvpn
00:20 < Bushmills> !redirect
00:20 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
00:21 < Bushmills> !route
00:21 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
00:21 < Bushmills> !howto
00:21 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
00:33 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
00:33 -!- mode/##openvpn [+o mattock] by ChanServ
00:34 < djshotglass> !def1
00:34 < vpnHelper> djshotglass: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
00:34 < djshotglass> !ipforward
00:34 < vpnHelper> djshotglass: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
00:34 < djshotglass> !nat
00:34 < vpnHelper> djshotglass: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
00:34 < djshotglass> !fbsdipforward
00:34 < vpnHelper> djshotglass: "fbsdipforward" is is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
00:35 < djshotglass> !fbsdnat
00:35 < vpnHelper> djshotglass: "fbsdnat" is see http://cavanantha.wordpress.com/2007/09/16/nat-on-freebsd-using-pf/ for a basic howto for NAT on FreeBSD
00:44 < obsd123> Where am I going wrong with my routing tables -- I'm trying to connect a client to another /24 (192.168.1.64) that's behind the openvpn server (192.168.1.0)
00:44 < obsd123> http://pastebin.com/dEthfb8U
00:45 < obsd123> oops, meant /26
00:46 < obsd123> the 192.168.1.5, 192.168.1.2, etc that openvpn is throwing into my routing tables as gateways are really throwing me off -- AFAIK these are not actual hosts, and the server itself is listening on 192.168.1.1, so what are these?
00:51 < djshotglass> all these docs are for joining to lans with multi machines on each side over the inet 
00:52 < djshotglass> i just want to forward my one lan though a dedicated server im renting from a datacenter
01:00 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 245 seconds]
01:02 -!- zambaboo [~zambaboo@adsl-71-154-206-122.dsl.sndg02.sbcglobal.net] has quit [Quit: zambaboo]
01:03 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
01:06 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
01:10 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
01:17 -!- obsd123 [~obsd123@ip70-179-177-115.fv.ks.cox.net] has quit [Quit: obsd123]
01:51 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
01:59 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
02:02 -!- djshotglass [~dex@173.183.62.32] has quit []
02:09 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.8/20100214235958]]
02:34 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
03:08 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
03:27 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
03:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:37 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 268 seconds]
03:45 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
03:54 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
04:05 -!- medum [kevin@d67-193-176-255.home3.cgocable.net] has quit [Ping timeout: 245 seconds]
04:13 -!- master_of_master [~master_of@p57B57085.dip.t-dialin.net] has quit [Ping timeout: 276 seconds]
04:15 -!- master_of_master [~master_of@p57B576C6.dip.t-dialin.net] has joined ##openvpn
04:23 < leev> i've setup openvpn in bridge mode. i have bridge0 with em1 and tap0 in it.  the client can ping the bridge, but nothing on the other side (em1).  and the server with the bridge can no longer ping anything on the em1 interface
04:23 < leev> if i drop the bridge and assign the ip back to em1, the server can ping other local servers again
04:24 < leev> any ideas?
04:24 < mwheeler> I smell BSD
04:25 < leev> yes
04:25 < leev> fbsd 8
04:25 < mwheeler> <3 FreeBSD, also, no idea
04:25 < leev> damn
04:26 < leev> might have to go back to tun instead of tap
04:26 < mwheeler> Routed networks are better anyway
04:27 < leev> why?
04:27 < mwheeler> saves sending broadcasts across the internet
04:27 < mwheeler> lowers your broadcast omain
04:28 < macsppadic> good nose there mwheeler 
04:28 < leev> i guess
04:28 < macsppadic> aye leev better to use routing as mentioned
04:28 < mwheeler> is it talk  like a pirate day macsppadic ?
04:28 < macsppadic> aaar
04:28 < macsppadic> :-)
04:29 < macsppadic> btw leev that sounds like cud be a firewall issue 
04:29 < mwheeler> Sep 19th is
04:29 < mwheeler> I thought I missed it for a second :P
04:29 < leev> mwheeler: no firewall running
04:30 < macsppadic> hmm 
04:30 -!- le0 [~tehle0@82.132.248.213] has joined ##openvpn
04:30 -!- le0 [~tehle0@82.132.248.213] has quit [Changing host]
04:30 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
04:31 < leev> oh well, i'll go back to routed
04:31 < macsppadic> oh leev have u got forwarding enabled?
04:32 -!- medum [kevin@d67-193-176-255.home3.cgocable.net] has joined ##openvpn
04:32 < leev> yeah
04:34 < macsppadic> hmm cant think of anything else off the top of my head sorry leev 
04:34 < leev> yeah no problem.  its something with the bridge.  cos oven the box with the bridge can't ping anything local to it when the bridge exists
04:35 < leev> tke the itnerface out of the bridge, assign the ip back to the interface and it can ping them again
04:35 < macsppadic> brctl options must be then 
04:35 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 264 seconds]
04:36 < leev> freebsd not linux :)
04:36 < macsppadic> doh..freebsd - am outta here
04:36 < macsppadic> :-)
04:37 < leev> c ya
04:38 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
04:39 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
04:41 -!- le0 [~tehle0@unaffiliated/le0] has quit [Client Quit]
04:52 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
04:59 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
05:05 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Ping timeout: 276 seconds]
05:12 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:17 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
05:23 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
05:33 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
05:57 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Ping timeout: 268 seconds]
05:59 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has joined ##openvpn
06:10 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
06:24 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 258 seconds]
06:25 < vpnguy> hello
06:50 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
07:09 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
07:26 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:52 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
07:55 -!- mape2k [~mape2k@2a01:198:23f:10ff:8819:e8ff:fefa:7699] has joined ##openvpn
08:04 -!- mape2k [~mape2k@2a01:198:23f:10ff:8819:e8ff:fefa:7699] has quit [Ping timeout: 276 seconds]
08:17 -!- le0 [~tehle0@82.132.139.245] has joined ##openvpn
08:17 -!- le0 [~tehle0@82.132.139.245] has quit [Changing host]
08:17 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
08:20 -!- bezourox [~bezou_rox@130.171.64-86.rev.gaoland.net] has quit []
08:26 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 264 seconds]
08:26 -!- leev [lee@220.157.68.202] has quit [Quit: leaving]
08:29 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
08:30 -!- torrancew [~torrancew@ip70-172-225-171.br.br.cox.net] has quit [Read error: Operation timed out]
08:33 -!- torrancew [~torrancew@ip70-172-225-171.br.br.cox.net] has joined ##openvpn
08:37 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
08:54 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
08:57 < flok420> while the '--mtu-test' runs (on a new connection?), will normal traffic flow through the connection? or must one wait for it to finish?
08:58 < macsppadic> flok420: i believe shud only take a few mts to run mtu-test
08:58 < flok420> macsppadic: the man-page says it takes 3 minutes
09:02 < ecrist> \o
09:07 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
09:16 -!- zambaboo [~zambaboo@adsl-71-154-206-122.dsl.sndg02.sbcglobal.net] has joined ##openvpn
09:17 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
09:18 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 248 seconds]
09:29 < krzee> even if you COULD send traffic over it, i wouldnt
09:29 < krzee> you want the test to be optimal :p
09:30 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
09:40 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
09:46 -!- obsd123 [~obsd123@ip70-179-177-115.fv.ks.cox.net] has joined ##openvpn
09:49 -!- fflush [~lrfurtado@unaffiliated/fflush] has quit [Quit: Leaving]
09:51 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
10:12 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
10:19 -!- takamichi [~pri@213.163.66.192] has joined ##openvpn
10:27 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
10:27 -!- mode/##openvpn [+o mattock] by ChanServ
10:42 -!- ZummiG777 [~ZummiG777@campfieldm-work.sworps.tennessee.edu] has joined ##openvpn
10:42 -!- Jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Quit: Lost terminal]
10:43 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
10:43 < ZummiG777> Question: Is it possible to use the 'push' rules to push an entire subnet?  For example pushing "... 192.168.0.0 255.255.0.0"
10:44 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Client Quit]
10:44 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
10:57 < ecrist> ZummiG777: sure
10:58 < ecrist> it's covered in the manual
11:03 < ZummiG777> ecrist: Thanks!
11:05 < ZummiG777> ecrist: Do you know a keyword that would be associated with this process so I can rapidly find it in the rules?
11:05 < ZummiG777> s/rules/packet
11:06 < ecrist> push route ...
11:07 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Ping timeout: 246 seconds]
11:09 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
11:18 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
11:19 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.8/20100214235958]]
11:27 -!- aaronorosen1 [~arosen@riggs249dhcp138.ces.clemson.edu] has joined ##openvpn
11:29 -!- aaronorosen1 [~arosen@riggs249dhcp138.ces.clemson.edu] has quit [Client Quit]
11:29 -!- aaronorosen2 [~arosen@riggs249dhcp138.ces.clemson.edu] has joined ##openvpn
11:29 -!- aaronorosen2 [~arosen@riggs249dhcp138.ces.clemson.edu] has quit [Read error: Connection reset by peer]
11:37 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:38 < agagag> ./wi15
11:38 < agagag> oups
12:00 -!- ZummiG777 [~ZummiG777@campfieldm-work.sworps.tennessee.edu] has quit [Quit: Leaving]
12:01 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
12:02 -!- _insane is now known as insane^
12:03 -!- aaronorosen2 [~arosen@riggs249dhcp138.ces.clemson.edu] has joined ##openvpn
12:10 -!- aaronorosen2 [~arosen@riggs249dhcp138.ces.clemson.edu] has quit [Ping timeout: 258 seconds]
12:12 -!- aaronorosen1 [~arosen@riggs249dhcp138.ces.clemson.edu] has joined ##openvpn
12:14 < aaronorosen1> (I'm sorry i'm not sure if my last posts came though since i was knocked of the internet so i'm going to repost)
12:14 < aaronorosen1> Does this routing table look correct for my clients? 
12:14 < aaronorosen1> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
12:14 < aaronorosen1> 130.127.60.96   *               255.255.255.224 U     0      0        0 tap0
12:15 < aaronorosen1> 130.127.249.0   *               255.255.255.0   U     1      0        0 eth0
12:15 < aaronorosen1> default         130.127.60.97   0.0.0.0         UG    0      0        0 tap0
12:16 < ecrist> no copy in here, please.
12:17 < aaronorosen1> ecrist: does that look like the right routing tables for a client? 
12:17 < ecrist> no
12:18 < aaronorosen1> ecrist: the default route should be 130.127.249.1 for eth0? 
12:18 < ecrist> sorry, no time to look at your issue right now
12:21 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Quit: Leaving]
12:26 < Bushmills> oh, just to note of encouragement: on latest openwrt backfire (10.03), openvpn installs and works neatly, no problems.
12:27 < Bushmills> (running the mips version here)
12:38 < cron2> bushmills: openvpn 2.1.1 or openvpn-testing?
12:39 < Bushmills> OpenVPN 2.1.1 mips-openwrt-linux [SSL] [LZO2] built on Mar 19 2010
12:49 -!- dazo [~dazo@ip4-83-240-69-215.cust.nbox.cz] has joined ##openvpn
12:53 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has quit [Ping timeout: 248 seconds]
13:02 -!- obsd123 [~obsd123@ip70-179-177-115.fv.ks.cox.net] has quit [Quit: obsd123]
13:08 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined ##openvpn
13:27 < zoredache> is their an equivalent to '--route-nopull' that would allow a client to ignore the dns settings?
13:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:28 < zoredache> or is the only option to do a 'push-reset' for that client on the server?
13:44 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has left ##openvpn []
13:46 -!- obsd123 [~obsd123@ip70-179-177-115.fv.ks.cox.net] has joined ##openvpn
14:17 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
14:21 -!- monttyle [~monttyle@71-17-245-34.yktn.hsdb.sasknet.sk.ca] has joined ##openvpn
14:37 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:39 -!- aaronorosen2 [~arosen@130.127.255.224] has joined ##openvpn
14:41 < aaronorosen2> When i connect my client to my vpn (using tap0). my clients tap0 does not automatically run dhclient tap0. After i do that manually i get an ip address from the dhcp servers from the network i want to be on. After this is done my default gateway is changed to go though tap0 instead of eth0. Am i doing something wrong? Is there a way so that clients don't have to do that? 
14:44 < ecrist> !configs
14:44 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
14:45 < ecrist> you don't really want your network DHCP server to assign the address - you want the openvpn server to do it
14:45 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Quit: Leaving...]
14:46 < aaronorosen2> ecrist: using server-bridge? Why is that? What if i have a dhcp server already on the lan, can't the openvpn server cause conflicts? 
14:47 < ecrist> no, the vpn server will only hand addresses to vpn clients
14:47 < ecrist> your lan dhcp server is overwriting the client's default router, which is bad.
14:48 < aaronorosen2> ecrist: The one complexity about this configuration is that you need to modify your DHCP server configuration to differentiate between local clients and VPN clients.
14:48 < aaronorosen2> How would the dhcp server be able to differentiate between local clients and vpn clients? 
14:48 < ecrist> yep
14:48 < ecrist> you tell me.
14:49 < aaronorosen2> ecrist: i think only by mac address but then that seems like a sloppy solution because its static.? 
14:49 < ecrist> yes.  personally, I'd do it as I said above
14:50 < aaronorosen2> ecrist: If i do it with server bridge i have to make sure that the VPN address pool does not overlap the dhcp server pool? 
14:51 < aaronorosen2> Otherwise a conflict could arrise.
14:51 < aaronorosen2> ecrist: am i incorrect in believing that? 
14:52 -!- Netwolf [~bdelbono@unaffiliated/netwolf] has joined ##openvpn
14:52 < Netwolf> !welcome
14:52 < vpnHelper> Netwolf: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:52 < ecrist> no, the dhcp server is going to make sure an address isn't in use before it issues it to a client in most cases.
14:52 < Netwolf> !route
14:52 < vpnHelper> Netwolf: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:53 < aaronorosen2> ecrist: would the vpn server check if an ip address is in use before handing it to a client? 
14:53 < ecrist> I don't think so
14:53 < ecrist> aaronorosen2: I'm sure you could do something with client grouping
14:55 < ecrist> if request was on interface eth0 group foobeans { defaultrouter = 10.0.0.1 }; pool blah blah
14:55 < ecrist> dhcp is extremely capable if you read the docs
14:55 < ecrist> however, this isn't a dhcp support channel
14:56 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
14:59 < aaronorosen2> ecrist: i just have one last question. I'm using 2 ethernet cards to do this right now to avoid the logical loop problem i had before. You were saying that i could use an alias (though ifconfig) such that i could do this with one ethernet card.  That means that my 1 ethernet card would be on two different subnets? 
15:00 < aaronorosen2> (I think that each subnet has a different VLAN ID. so that isn't going to work)
15:00 < monttyle> what OS?  on linux you can configure one ethernet adaptor to many subnets.  They act like and are configured as different cards.  ifconfig eth0 whatever, ifconfig eth0:1 whatever, etc, etc.
15:02 < monttyle> I've done this plenty of times.  Though I avoid configurations that put more than one on the SAME subnet.
15:02 < aaronorosen2> monttyle: i don't think my network would actually allow this to happen since each port has its own VLAN id? 
15:02 < ecrist> you can set a VLAN id for a given subnet
15:02 < ecrist> aaronorosen2: I think you need to spend some time reading docs
15:02 < monttyle> this a hardware thing?  your switch or what have you only lets certain ports talk to certain subnets?
15:02 < aaronorosen2> ecrist: the openvpn docs or just network docs in general? 
15:03 < ecrist> openvpn docs and networking docs for your OS, specifically
15:03 < aaronorosen2> ecrist: kk will do 
15:03 < ecrist> also, I think you would benefit from a better understanding of ethernet
15:03 < aaronorosen2> Thanks guys for your help
15:04 < monttyle> I think MOST folks would benefit from a better understanding of ethernet, me included.  ;)  That's easier said than done unfortunately
15:06 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
15:08 -!- retro_neo [~hello_wor@cust-146-10.on4.ontelecoms.gr] has joined ##openvpn
15:08 < retro_neo> Apple announced support for SSL VPN in iPhone OS 4 - any idea if openvpn will be compatible?
15:09 < monttyle> if they don't call it openvpn I highly doubt it.
15:10 < retro_neo> apparently it will be via apps providided by Cisco and Juniper
15:10 < retro_neo> maybe that means new APIs will be available, and we'll be able to make an openvpn client 
15:11 < monttyle> why would an openvpn client be made for a protocol that's not openvpn?
15:13 < retro_neo> no I'm saying if Cisco/Juniper are able to build a iPhone VPN clients for their protocols, it should be possible to build one for openvpn too
15:14 < rob0> Of course it's possible.
15:14 < monttyle> The difference is, *Apple* is contracting *Cisco* to make the VPN client.  Apple hasn't contacted anyone maintaining OpenVPN as far as I know.  Sure it's possible to make an openvpn client for iphone.  It's probably also possible to put better than a tinkertoy single-tasking OS on it.  But Apple is in full control.
15:14 < retro_neo> FYI there is already a build for the iphone : http://code.gerade.org/tunemu/ but of course only for jailbroken devices
15:14 < vpnHelper> Title: tunemu - Tun device emulation for Darwin (at code.gerade.org)
15:15 < retro_neo> monttyle: they annonced background services as well
15:17 < monttyle> wonderful.
15:20 -!- dazo [~dazo@ip4-83-240-69-215.cust.nbox.cz] has quit [Quit: Leaving]
15:25 -!- obsd123 [~obsd123@ip70-179-177-115.fv.ks.cox.net] has quit [Quit: obsd123]
15:29 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
15:33 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
15:37 -!- DarthGandalf is now known as DarthGandalf|BNC
15:39 -!- Netwolf [~bdelbono@unaffiliated/netwolf] has left ##openvpn []
15:40 -!- aaronorosen2 [~arosen@130.127.255.224] has quit [Remote host closed the connection]
15:42 -!- monttyle [~monttyle@71-17-245-34.yktn.hsdb.sasknet.sk.ca] has quit [Quit:  I love my HydraIRC -> http://www.hydrairc.com <-]
15:42 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:52 -!- retro_neo_ [~retro_neo@cust-146-10.on4.ontelecoms.gr] has joined ##openvpn
16:01 -!- retro_neo [~hello_wor@cust-146-10.on4.ontelecoms.gr] has left ##openvpn ["Leaving"]
16:07 -!- retro_neo_ [~retro_neo@cust-146-10.on4.ontelecoms.gr] has quit [Remote host closed the connection]
16:41 -!- kala [~kala@83.151.191.90.dyn.estpak.ee] has quit [Ping timeout: 276 seconds]
16:43 -!- kala [~kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
16:44 -!- zambaboo [~zambaboo@adsl-71-154-206-122.dsl.sndg02.sbcglobal.net] has quit [Quit: zambaboo]
16:49 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
16:54 -!- zambaboo [~zambaboo@adsl-75-11-174-251.dsl.sndg02.sbcglobal.net] has joined ##openvpn
17:39 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Quit: Leaving...]
17:59 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
18:00 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Quit: Leaving]
18:15 -!- zambaboo [~zambaboo@adsl-75-11-174-251.dsl.sndg02.sbcglobal.net] has quit [Quit: zambaboo]
18:15 -!- dxtr [dexter@unaffiliated/dxtr] has quit [Read error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number]
18:21 -!- zambaboo [~zambaboo@adsl-71-154-206-122.dsl.sndg02.sbcglobal.net] has joined ##openvpn
18:21 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
18:27 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Quit: leaving]
18:27 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
18:52 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
19:02 -!- aaronorosen2 [~arosen@130.127.57.43] has joined ##openvpn
19:03 < aaronorosen2> hello, after my clients are assigned an ip address from the vpn server. I am unable to ssh/ping to their ip address (tap0 interface) besides from within the vpn they are connected. 
19:03 < aaronorosen2> Any idea what could be blocking this? 
19:04 < ScriptFanix> did you enable ip forwarding ?
19:06 < aaronorosen2> ScriptFanix: are you talking about /proc/sys/net/ipv4/ip_forward? (Client or server)? 
19:10 < ScriptFanix> yes, on the server
19:15 -!- kithpom [~samuelell@adsl-66-126-220-27.dsl.sndg02.pacbell.net] has joined ##openvpn
19:31 -!- kithpom [~samuelell@adsl-66-126-220-27.dsl.sndg02.pacbell.net] has quit [Quit: kithpom]
19:35 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
19:52 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
19:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
19:59 -!- tjz [~pc@bb116-14-145-66.singnet.com.sg] has joined ##openvpn
19:59 -!- tjz [~pc@bb116-14-145-66.singnet.com.sg] has quit [Changing host]
19:59 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:37 -!- aaronorosen2 [~arosen@130.127.57.43] has quit [Remote host closed the connection]
20:43 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has joined ##openvpn
20:56 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
21:17 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
22:01 -!- DarthGandalf|BNC is now known as DarthGandalf
22:41 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has quit [Ping timeout: 268 seconds]
23:01 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:04 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
23:24 -!- DarthGandalf is now known as DarthGandalf|BNC
23:27 -!- DarthGandalf|BNC is now known as DarthGandalf
23:55 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Ping timeout: 264 seconds]
23:57 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
--- Day changed Fri Apr 09 2010
00:12 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.8/20100214235958]]
00:28 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Ping timeout: 265 seconds]
00:33 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has joined ##openvpn
00:49 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
00:50 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
01:52 -!- takamichi [~pri@213.163.66.192] has quit [Read error: Connection reset by peer]
01:52 -!- takamichi [~pri@213.163.66.192] has joined ##openvpn
01:57 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
02:06 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
02:26 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 260 seconds]
02:39 -!- jmm is now known as jww
02:46 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
02:46 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
02:46 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
02:59 -!- mape2k [~mape2k@p5B28736E.dip.t-dialin.net] has joined ##openvpn
03:09 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
03:18 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
03:29 -!- julius [~julius@217.20.127.15] has joined ##openvpn
03:33 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
03:33 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
03:50 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has left ##openvpn []
04:01 -!- gngkai [~marco@ip-45-99.sn3.eutelia.it] has joined ##openvpn
04:01 < gngkai> hi
04:04 < gngkai> does dns suffix push work on damned windows clients?
04:06 < gngkai> ipconfig /all show dns suffix specific for connection
04:06 < gngkai> still it does not seem to work when I try to resolve a name
04:13 -!- master_of_master [~master_of@p57B576C6.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
04:15 -!- master_of_master [~master_of@p57B56B5E.dip.t-dialin.net] has joined ##openvpn
04:18 -!- bodom [~quassel@2001:470:1f0a:ac0::1:2] has joined ##openvpn
04:18 < bodom> Hello, I got a trouble with openVPN with IP address space conflicts
04:19 < bodom> My private network is 192.168.1.0/24. Somethimes I have to use OpenVPN through another 192.168.1.0/24 network and IP address spaces collides.
04:19 < bodom> Whats' the best way to solve this?
04:25 < rob0> Seems like the question contains the answer, does it not?
04:25 < rob0> !welcome
04:25 < vpnHelper> rob0: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:26 < rob0> There's plenty of RFC 1918 netspace to go around.
04:28 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
04:30 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
04:31 -!- VirusTB [~VirusTB@ip-145-93-222-188.fontys.nl] has joined ##openvpn
04:33 < bodom> rob0: Even if I remap my whole LAN address space, maybe one day I still could find a LAN with same addressing. Let's suppose i remap my LAN to 192.168.52.0/24 ore 10.23.56.0/24: I can always find someone who uses 192.168.0.0/16 ore 10.0.0.0/8. This is not a definitive solution
04:33 < Bushmills> not if you hook up 17 million nanobots to vpn
04:34 < bodom> ???
04:35 < Bushmills> ah, yes. but you could remap your *vpn* to 10.random.random.0
04:35 < Bushmills> reduces chance of collision
04:35 -!- Guest27041 is now known as dazo
04:35 -!- gngkai [~marco@ip-45-99.sn3.eutelia.it] has quit [Quit: Leaving]
04:36 < rob0> It's obviously going to be better than some ugly, silly NAT kludge.
04:36 < bodom> Bushmills: yep, reducing chance of collision is an improvement, but making OpenVPN work even when a collision is present, would be a definitive solution. I'm just wondering if this is possible.
04:36 < Bushmills> that someone uses whole 10.0.0.0/8  is not very likely
04:36 < rob0> But no, you never know what the future might bring
04:37 < rob0> You DO know that the present AND the future has lots of sites using 192.168.0.0/23 blocks.
04:37 < Bushmills> i think we can wait this problem out. eventually, ipv6 will be in general use.
04:38 < bodom> Bushmills: mhhh... making an IPv6-only LAN looks like a good idea and definitive solution
04:39 < rob0> If you're a business looking to expand, you take control of all network assignments with your own company-level registry.
04:39 < rob0> so any future site gets a unique netblock
04:42 < rob0> Anyway, no, no solution within openvpn is possible, since system routing tables are not under openvpn's control.
04:52 < mwheeler> remap it to 172.16.0.0/12 most home users don't use it
04:56 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
04:56 -!- mode/##openvpn [+o mattock] by ChanServ
04:56 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Quit: Leaving]
04:57 < bodom> I've made some reading and I'm gonna remap it to IPv6
05:20 -!- VirusTB [~VirusTB@ip-145-93-222-188.fontys.nl] has quit [Quit: VirusTB]
05:21 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 258 seconds]
05:28 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:32 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
05:36 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 240 seconds]
05:40 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Operation timed out]
05:48 < flok420> when doing SSL/TLS (ca/cert/key), does it make sense to set the Diffie hellman parameters as well?
05:55 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
05:55 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
05:55 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
05:58 < dazo> flok420: yes, on the server side it makes sense .... openvpn will create needed dh params if not given anyway, but the dh param generation is CPU intensive ... so creating strong dh params and providing this to openvpn makes openvpn work lighter
05:59 < flok420> ok, thank you
05:59 < dazo> bodom: if you're thinking about IPv6 with OpenVPN ... consider testing out the openvpn-testing version ... it includes a more complete IPv6 stack ... both for transport (openvpn connections over IPv6) and payload (sending IPv6 traffic through the tunnel, also tun devices)
06:08 < flok420> dazo: can i later on generate a new DH prime? or do I then also need to recreate certificates etc?
06:08 < flok420> and keys etc
06:08 < dazo> flok420: you can create/replace dhparam independently of certificates
06:09 < dazo> flok420: the dhparam is basically just a big prime number used for generating temporary encryption keys for each session
06:10 < flok420> ok
06:16 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has quit [Remote host closed the connection]
06:21 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
06:29 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has joined ##openvpn
06:40 -!- dazo is now known as dazo_afk
07:02 -!- dug_ [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
07:05 -!- dug` [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Ping timeout: 260 seconds]
07:11 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
07:54 -!- LeRrA [~lerra@c-83-233-243-2.cust.bredband2.com] has quit [Ping timeout: 276 seconds]
07:55 -!- SkyX [~SkyB0x@212.235.177.25] has joined ##openvpn
07:57 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
08:21 -!- ufoman [ufoman@kolos.math.uni.lodz.pl] has quit [Ping timeout: 276 seconds]
08:32 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
08:35 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
08:35 -!- bodom [~quassel@2001:470:1f0a:ac0::1:2] has quit [Remote host closed the connection]
08:49 -!- dazo_afk is now known as dazo
09:21 -!- ufoman [ufoman@kolos.math.uni.lodz.pl] has joined ##openvpn
09:28 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:46 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
10:00 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:10 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Ping timeout: 258 seconds]
10:14 -!- eagle [eagle@systembolaget.us] has joined ##openvpn
10:14 < eagle> push "route 10.0.0.0 255.255.255.0" in the server config, is that all i need todo to be able to access the servers subnet from my client?
10:20 -!- SkyX [~SkyB0x@212.235.177.25] has quit []
10:32 < Bushmills> !route
10:32 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:48 -!- frootee [~frootee@rotterdam.perfect-privacy.com] has joined ##openvpn
10:48 < frootee> if you are running openvpn on your computer and not on a router, do you still need to have a lot of memory on your router?
10:51 < Bushmills> nope. 
10:52 < Bushmills> but if you can spare those 4 meg or what it is of RAM on the router, it makes it pretty comfortable
10:55 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
10:56 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
11:02 -!- kithpom [~samuelell@adsl-66-126-220-27.dsl.sndg02.pacbell.net] has joined ##openvpn
11:06 < frootee> Bushmills, those two statements kind of conflict. do you need the extra ram or not? :)
11:07 -!- LeRrA [~lerra@c-94-255-223-67.cust.bredband2.com] has joined ##openvpn
11:07 < Bushmills> router does not need to be openvpn aware if no openvpn runs on it. in that case, no extra memory is needed
11:07 < frootee> Bushmills, thanks :)
11:07 < Bushmills> if you run openvpn on router, it needs the ram for openvpn to run
11:08 < Bushmills> sort of evident, isn't it?
11:08 < frootee> do you mean "obvious"?
11:12 < zambaboo> morning guys
11:13 < zambaboo> i cannot get the tap adapter to install in windows seven, can anyone help please?
11:25 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
11:46 -!- zambaboo [~zambaboo@adsl-71-154-206-122.dsl.sndg02.sbcglobal.net] has quit [Quit: zambaboo]
11:52 -!- graffz [~graffz@118.175.66.195] has joined ##openvpn
11:53 -!- graffz [~graffz@118.175.66.195] has quit [Read error: Connection reset by peer]
11:53 -!- graffz [~graffz@118.175.66.195] has joined ##openvpn
11:54 -!- torrancew [~torrancew@ip70-172-225-171.br.br.cox.net] has left ##openvpn []
11:54 -!- graffz [~graffz@118.175.66.195] has quit [Read error: Connection reset by peer]
11:55 -!- graffz [~graffz@118.175.66.195] has joined ##openvpn
11:56 < eagle> Do i have to set any ipforwarding rules to be able to access for example 192.168.50.123 on the servers subnet? i can ping 192.168.50.1 (servers ip)
11:56 -!- graffz [~graffz@118.175.66.195] has quit [Read error: Connection reset by peer]
11:57 -!- graffz [~graffz@118.175.66.195] has joined ##openvpn
11:57 < rob0> I see you've already been given the !route factoid.
11:58 -!- graffz [~graffz@118.175.66.195] has quit [Read error: Connection reset by peer]
11:58 < dazo> eagle: yes, ip forwarding must be enabled when relying on network routing ... and in the firewall, you need to allow traffic to be forwarded as well
11:58 -!- graffz [~graffz@118.175.66.195] has joined ##openvpn
11:59 -!- graffz [~graffz@118.175.66.195] has quit [Read error: Connection reset by peer]
11:59 -!- graffz [~graffz@118.175.66.195] has joined ##openvpn
12:02 -!- graffz [~graffz@118.175.66.195] has quit [Read error: Connection reset by peer]
12:02 -!- graffz [~graffz@118.175.66.195] has joined ##openvpn
12:02 < eagle> rob0: yes but the !route didnt say anything about any iptables stuff
12:03 -!- graffz [~graffz@118.175.66.195] has quit [Read error: Connection reset by peer]
12:03 < rob0> !firewall
12:03 < vpnHelper> rob0: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
12:03 < eagle> dazo: okej hmm tnx will google for iptable rules
12:03 < eagle> rob0: tnx!
12:03 -!- graffz [~graffz@118.175.66.195] has joined ##openvpn
12:03 < rob0> I bet there is a more specific factoid too
12:03 < rob0> !help
12:03 < vpnHelper> rob0: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
12:04 < rob0> !search iptables
12:04 < dazo> !factoid
12:04 < vpnHelper> rob0: There were no matching configuration variables.
12:04 < vpnHelper> dazo: Error: "factoid" is not a valid command.
12:04 -!- graffz [~graffz@118.175.66.195] has quit [Read error: Connection reset by peer]
12:04 < dazo> !factoids
12:04 < vpnHelper> dazo: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
12:04 < rob0> yeah
12:04 -!- graffz [~graffz@118.175.66.195] has joined ##openvpn
12:04 < rob0> I thought there was a search feature, haven't learned this bot yet.
12:05 < dazo> I'd expect iptables to show up on your search, though ... as you have !iptables ....
12:09 -!- mape2k [~mape2k@p5B28736E.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
12:10 < rob0> !help search
12:10 < vpnHelper> rob0: (search <word>) -- Searches for <word> in the current configuration variables.
12:11 -!- zambaboo [~zambaboo@adsl-99-75-177-241.dsl.sndg02.sbcglobal.net] has joined ##openvpn
12:11 -!- graffz [~graffz@118.175.66.195] has quit [Read error: Connection reset by peer]
12:11 < rob0> !linfw
12:11 < vpnHelper> rob0: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
12:12 -!- graffz [~graffz@118.175.66.195] has joined ##openvpn
12:14 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has quit [Remote host closed the connection]
12:14 -!- graffz [~graffz@118.175.66.195] has quit [Read error: Connection reset by peer]
12:14 -!- graffz [~graffz@118.175.66.195] has joined ##openvpn
12:15 -!- graffz [~graffz@118.175.66.195] has quit [Read error: Connection reset by peer]
12:16 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has joined ##openvpn
12:19 -!- graffz [~graffz@118.175.66.195] has joined ##openvpn
12:21 -!- graffz [~graffz@118.175.66.195] has quit [Read error: Connection reset by peer]
12:22 -!- graffz [~graffz@118.175.66.195] has joined ##openvpn
12:22 -!- graffz [~graffz@118.175.66.195] has quit [Read error: Connection reset by peer]
12:23 -!- graffz [~graffz@118.175.66.195] has joined ##openvpn
12:23 -!- graffz [~graffz@118.175.66.195] has quit [Read error: Connection reset by peer]
12:25 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Read error: Operation timed out]
12:26 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
12:26 -!- zambaboo_ [~zambaboo@adsl-99-75-177-241.dsl.sndg02.sbcglobal.net] has joined ##openvpn
12:31 -!- zambaboo [~zambaboo@adsl-99-75-177-241.dsl.sndg02.sbcglobal.net] has quit [Ping timeout: 268 seconds]
12:31 -!- zambaboo_ is now known as zambaboo
12:32 < eagle> what i can understand this is the only two rules in iptalbes that are needed, am i correct:
12:32 < eagle> iptables -A INPUT -i tun+ -j ACCEPT
12:32 < eagle> iptables -A FORWARD -i tun+ -j ACCEPT
12:33 < zamba> well, not -only-, if policies are set to DROP
12:33 < rob0> not necessarily. You also want to -A FORWARD -o tun+ -j ACCEPT for return packets. And rule order matters, a DROP that matches first, it's dropped.
12:34 < zamba> yeah, or just a state match
12:35 < eagle> hmm
12:37 < rob0> Also ...
12:37  * rob0 rule of thumb: if you have to ask for help to make it work, there should be no OUTPUT filtering rules at all. Just Say No To DROP.
12:42 < eagle> hmm Ive cleared my firewall and just wrote thoose 3 rules to try
12:42 < eagle> but still doesnt work
12:43 < eagle> is there a sysctl command that i need to enable forwarding or something like that? 
12:46 < eagle> haha found it :D that was it! =)
12:46 < eagle> thank you guys for your help =)
12:50 -!- graffz [~graffz@118.175.66.195] has joined ##openvpn
12:50 -!- graffz [~graffz@118.175.66.195] has quit [Read error: Connection reset by peer]
12:52 -!- |Mike|_ [mike@2001:1af8:2:444::2] has joined ##openvpn
12:54 -!- |Mike| [mike@2001:1af8:2:444::2] has quit [Ping timeout: 248 seconds]
13:15 -!- [mutex]_1 [~portn0k@70-57-173-99.clsp.qwest.net] has joined ##openvpn
13:17 -!- kala [~kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: Operation timed out]
13:17 -!- kala [~kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
13:18 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:19 -!- [mutex]__ [~portn0k@unaffiliated/mutex/x-1106097] has quit [Ping timeout: 260 seconds]
13:30 -!- graffz [~graffz@118.175.66.195] has joined ##openvpn
13:32 -!- dazo is now known as dazo_afk
13:34 -!- DarthGandalf is now known as DarthGandalf|BNC
13:34 -!- graffz [~graffz@118.175.66.195] has quit [Read error: Connection reset by peer]
13:34 -!- graffz [~graffz@118.175.66.195] has joined ##openvpn
13:37 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
13:39 -!- dug_ [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Quit: Quitte]
13:41 -!- graffz` [~graffz@118.175.66.195] has joined ##openvpn
13:42 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
13:45 -!- graffz [~graffz@118.175.66.195] has quit [Ping timeout: 258 seconds]
13:47 -!- graffz` [~graffz@118.175.66.195] has quit [Ping timeout: 258 seconds]
13:48 -!- kithpom [~samuelell@adsl-66-126-220-27.dsl.sndg02.pacbell.net] has quit [Remote host closed the connection]
13:49 -!- kithpom [~samuelell@adsl-66-126-220-27.dsl.sndg02.pacbell.net] has joined ##openvpn
13:57 -!- kithpom [~samuelell@adsl-66-126-220-27.dsl.sndg02.pacbell.net] has quit [Ping timeout: 258 seconds]
14:05 -!- linux77__ [~linux77@c-69-246-11-169.hsd1.mi.comcast.net] has joined ##openvpn
14:13 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Quit: Leaving...]
14:31 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has joined ##openvpn
14:41 -!- zambaboo [~zambaboo@adsl-99-75-177-241.dsl.sndg02.sbcglobal.net] has quit [Quit: zambaboo]
14:42 -!- zambaboo [~zambaboo@adsl-99-75-177-241.dsl.sndg02.sbcglobal.net] has joined ##openvpn
14:49 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
14:49 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
14:55 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has quit [Ping timeout: 276 seconds]
14:57 -!- linux77__ [~linux77@c-69-246-11-169.hsd1.mi.comcast.net] has quit [Quit: Leaving]
15:12 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
15:19 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has joined ##openvpn
15:34 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
15:35 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
15:47 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
15:53 -!- troy- [80d389ee64@bgp4.us] has quit [Ping timeout: 240 seconds]
16:00 -!- troy- [8ce6135bb6@bgp4.us] has joined ##openvpn
16:35 -!- dopiwan [~soulrebel@pool-74-104-126-31.bstnma.fios.verizon.net] has joined ##openvpn
16:35 < dopiwan> !welcome
16:35 < vpnHelper> dopiwan: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:38 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
16:39 < dopiwan> Looking for some assistance with LDAP query to Active Directory.  I have an OU called "VPN User" contained inside OU "Security Groups" this is a security list with my User account as the only current member.  My User account is actually stored in another OU off the root called "Redirected" which holds most domain users.  I am trying to authenticate only users who have membership of the "VPN User" group but can't get the darn
16:41 < dopiwan> if I have Base DN set to:  DC=domain,DC=int I can connect and get a tunnel but it allows any domain user to connect.
16:41 < dopiwan> I've used LDP.exe to write the queries and it works in LDP but not in OpenVPN
16:42 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
16:44 < dopiwan> note to self, dont ask after 5PM on a friday.
16:53 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
16:53 -!- mode/##openvpn [+v Kasx] by ChanServ
16:54 -!- dopiwan is now known as dopigwan
16:56 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 248 seconds]
16:56 -!- Kaspx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 276 seconds]
17:00 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
17:00 -!- mode/##openvpn [+v openvpn2009] by ChanServ
17:07 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
17:16 -!- takamichi [~pri@213.163.66.192] has quit [Ping timeout: 260 seconds]
17:37 -!- FrankL [~bla@mar153.athome226.wau.nl] has joined ##openvpn
17:37 < FrankL> hi
17:38 < FrankL> I've got a question, and it's not my firewall :)
17:39 < FrankL> anyone alive?
17:39 -!- FrankL is now known as Frank_L
17:39 -!- Frank_L is now known as Frank__L
17:40 < Frank__L> anyhow, question is as follows: my server has only 1 ethernet interface, which I want to bridge to tap0, and run openvpn on the tap0
17:41 < Frank__L> I want this server to get its IP from the DHCP server
17:41 < Frank__L> that all works
17:42 < Frank__L> now what should I set the first argument of server_bridge to in openvpn's server.conf 
17:42 < Frank__L> as the gateway is the IP of the server itself, which is dependent on the DHCP lease
17:43 < Frank__L> do I need complicated scripting which generates a server.conf whenever my dhcp client obtains a different IP address, and restart openvpn daemon with this altered script?
17:45 -!- trumee [~nobody@cpc2-cmbg15-0-0-cust1000.5-4.cable.virginmedia.com] has joined ##openvpn
17:45 < trumee> !welcome
17:45 < vpnHelper> trumee: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:45 < trumee> !route
17:45 < vpnHelper> trumee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:46 < Frank__L> !config
17:46 < vpnHelper> Frank__L: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
17:46 < Frank__L> !configs
17:46 < vpnHelper> Frank__L: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
17:47 < trumee> guys, anybody has a Nokia N900 working with openvpn?
17:47 < Frank__L> I'll try it if you provide me with a N900 :)
17:48 < trumee> http://talk.maemo.org/showpost.php?p=603336&postcount=35
17:50 < Frank__L> does SIP work with tun?
17:50 < trumee> i am able to ping to the openvpn server, but if i try pinging to say www.google.com it doesnt get through. The dns resolution although works, ping report backs the ip address
17:50 < trumee> Frank__L: no idea
17:50 < Frank__L> try tap
17:50 < Frank__L> ah
17:50 < Frank__L> sounds like some routing issue or something
17:50 < Frank__L> or firewall
17:51 < trumee> i dont have any firewall
17:52 < Frank__L> hmm
17:52 < Frank__L> good luck anyway
17:52 -!- Frank__L [~bla@mar153.athome226.wau.nl] has quit []
17:57 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
17:58 < trumee> tap didnt help
17:58 < rob0> Of course SIP works with tun. Any IP protocol works with tun, if the routing is understood.
17:59 -!- trumee [~nobody@cpc2-cmbg15-0-0-cust1000.5-4.cable.virginmedia.com] has quit [Remote host closed the connection]
18:02 < krzee> right, tun doesnt even understand what its tunneling, it just blindly tunnels any ip traffic which is routed over it
18:12 -!- eagle [eagle@systembolaget.us] has left ##openvpn []
18:29 -!- notbrien [~notbrien@208.82.13.214] has quit [Ping timeout: 276 seconds]
18:35 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
18:35 -!- dug` [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
18:36 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
18:38 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Ping timeout: 260 seconds]
18:45 -!- mithridates [~chatzilla@142.166.45.165] has joined ##openvpn
19:03 -!- zroysch [~dongery@pool-96-254-64-78.tampfl.fios.verizon.net] has joined ##openvpn
19:03 < zroysch> what could i do to find out why i cant access LAN computers after connecting to the VPN server/firewall in front of them
19:06 -!- SkyX [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
19:09 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
19:14 -!- mithridates [~chatzilla@142.166.45.165] has quit [Ping timeout: 260 seconds]
19:21 -!- zambaboo [~zambaboo@adsl-99-75-177-241.dsl.sndg02.sbcglobal.net] has quit [Quit: zambaboo]
19:23 -!- zambaboo [~zambaboo@adsl-99-75-177-241.dsl.sndg02.sbcglobal.net] has joined ##openvpn
19:31 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has left ##openvpn []
19:31 -!- zambaboo [~zambaboo@adsl-99-75-177-241.dsl.sndg02.sbcglobal.net] has quit [Quit: zambaboo]
19:41 -!- rawDawg2 [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
20:00 -!- Bloodsong [~Nimbus@bas13-toronto12-1167984050.dsl.bell.ca] has joined ##openvpn
20:02 < Bloodsong> Good evening?
20:03 < ecrist> Hi!
20:07 < Bloodsong> Gasp people!
20:07 < Bloodsong> So, is the channel very active?
20:09 < ecrist> sure, but most of us are in the US/western hemi
20:09 < ecrist> so, it's 8pm my time here.
20:09 < ecrist> many of us are active during the normal work day
20:09 < Bloodsong> 9PM mine :P
20:09 < ecrist> what I can recommend is to ask your question and await an answer. ;)
20:10 < Bloodsong> I just thought I'm always on the mail list, I ought to check out the IRC for once.
20:10 < ecrist> ah, IRC is far more active than the mailing list.
20:10 < Bloodsong> Wow, must be extremely active then.
20:10 < ecrist> and, since ~January #openvpn-devel is especially active, mostly on Thursdays (meeting day)
20:11 < Bloodsong> Hmm, probably why the sourceforge bugzilla is being worked on.
20:17 < ecrist> yeah
20:18 < ecrist> a few of us (no names) were getting ready to fork back in January and at the same time, OpenVPN Technologies, Inc decided to embrace the community
20:18 < ecrist> since then, there has been a LOT of activity
20:18 < ecrist> we (the community) have tried to get more leverage/participation for the last three years, and it finally came to fruition.
20:18 < ecrist> :)
20:18  * ecrist does happy dance.
20:18  * ecrist drinks more rum.
20:26 < ecrist> jpalmer: ping
20:31 -!- mithridates [~chatzilla@142.166.45.152] has joined ##openvpn
20:32 -!- mithridates [~chatzilla@142.166.45.152] has quit [Client Quit]
20:33  * Bloodsong wishes he had some rum to join in.
20:34 < Bloodsong> ecrist... I see you on the list ever?
20:34 < ecrist> probably not - I'm a list lurker on openvpn.
20:34 < ecrist> but I'm more than active on IRC
20:34 < ecrist> !irclogs
20:34 < vpnHelper> ecrist: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days.
20:35 < ecrist> crap, I need to update that script
20:35 < ecrist> I moved my irc console
20:35 < Bloodsong> HEhe kk, thought I might have seen your name before.
20:35 < ecrist> Bloodsong: I've been active in the *nix community for about 13 years
20:35 < ecrist> particularly active in the freebsd community
20:36 < Bloodsong> ecrist: very cool, I wish I'd started on *nix that long ago. I remember having some Linux install discs back then, but never got around to using 'em... Parent's PC and all.
20:36 < rawDawg2> hey im looking for the openvpn gui for windows with the different icon
20:38 < rawDawg2> the system tray icon with the keyhole logo, anyone ever seen it?
20:40 < ecrist> nope
20:41 < ecrist> is that that one packaged with the new windows exec?
20:41 < rawDawg2> no i have the newest
20:41 < rawDawg2> i used to have it, not sure where i found it
20:42 < ecrist> is it better?
20:43 < rawDawg2> the icon looks nicer
20:43 < ecrist> ...
20:43 < ecrist> you can change the icon with some simple utils...
20:46 -!- DarthGandalf|BNC is now known as DarthGandalf
20:53  * Bloodsong pokes at his resource hacker.
20:58 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
21:00 -!- tjz [~pc@bb116-14-142-40.singnet.com.sg] has joined ##openvpn
21:00 -!- tjz [~pc@bb116-14-142-40.singnet.com.sg] has quit [Changing host]
21:00 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
21:03 < zroysch> what could i do to find out why i cant access LAN computers after connecting to the VPN server/firewall in front of them
21:03 < ecrist> tcpdump?
21:04 < zroysch> but its udp?
21:05 < ecrist> tcpdump does udp, as well
21:06 < zroysch> oh
21:06 < zroysch> i know i've used it before but could you explain where to use it
21:06 < ecrist> packetdump or ethernet dump must have been taken. ;)
21:06 < zroysch> im running a pfsense server
21:06 < zroysch> which is serving the openvpn
21:06 < ecrist> you *may* need to install a package on pfSense.
21:06 < ecrist> but, run it on the tap/tun interface
21:07 < ecrist> tcpdump -n -e -tttt -i <int>
21:07 < ecrist> would be a start
21:10 < zroysch> oh sweet i figured it out. had to run the openvpn gui as administrator in windows7
21:11 < zroysch> glad i didnt listen to you!
21:11 < zroysch> ha
21:12 < ecrist> why shouldn't you listen to me?
21:12 < ecrist> in your question, you indicated you connected, which means your computer and the remote VPN server had a successful connection.
21:13 < zroysch> yo dude chillout the ha indicated my joking
21:14  * rob0 chills out
21:14  * ecrist is a guy, but not a 'dude' in the sense that a 'dude' is defined as an in-grown hair on an elephant's ass.
21:15 < zroysch> language evolves. your turn 
21:15 -!- mode/##openvpn [+o ecrist] by ChanServ
21:15 <@ecrist> you're turn.
21:15 <@ecrist> your* even.
21:16 <@ecrist> muahaha
21:16 < zroysch> goin for the ban eh
21:16  * rob0 cowers in fear
21:16 <@ecrist> naw, just holding the banhammer over your head. :)
21:17 < zroysch> yea its weird cause the ovpn gui client was saying it connected but had all these errors in the log
21:17 <@ecrist> ah
21:17 -!- mode/##openvpn [-o ecrist] by ecrist
21:18 < zroysch> so now oi can connect to the file server
21:18 < zroysch> by IP
21:18 < ecrist> in /topic, we ask for logs and other fun stuff to help - I didn't get that from you, so I had to guess.
21:18  * ecrist goes to the clug
21:18 < ecrist> club*
21:18 < zroysch> what is the best way to make it see by computer name
21:19 < rob0> the connection itself uses a non-privileged port, but any OS requires more privilege to add IP addresses and routes.
21:19 < rob0> !wins
21:19 < vpnHelper> rob0: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
21:25 < Bloodsong> zroysch, but really if you're just doing a few names for yourself, just modify your hosts file.
21:25 < zroysch> Bloodsong: yea
21:25 < zroysch> probably the easiest
21:25  * Bloodsong nods
21:26 < Bloodsong> And keeps unnecessary traffic to a minimum
21:28 < Bloodsong> hmm
21:29 < Bloodsong> I should right an up script... echo blah blah blah >> %windir%/system32/drivers/etc/hosts
21:32 < jpalmer> ecrist: pong
21:42 -!- kala [~kala@83.151.191.90.dyn.estpak.ee] has quit [Ping timeout: 260 seconds]
21:44 -!- kala [~kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
21:44 < zroysch> Bloodsong: for wut
22:08 -!- troy- [8ce6135bb6@bgp4.us] has quit [Ping timeout: 260 seconds]
22:09 -!- troy- [1079c6126e@bgp4.us] has joined ##openvpn
22:21 -!- rawDawg2 [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
22:47 -!- rawDawg [~omglol@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
22:48 < rawDawg> ecrist: here is the link to the custom gui: http://www.linksysinfo.org/forums/showthread.php?t=61964
23:10 -!- notbrien [~notbrien@user-12lc0fe.cable.mindspring.com] has joined ##openvpn
23:17 -!- takamichi [~pri@95.211.4.12] has joined ##openvpn
23:24 -!- notbrien [~notbrien@user-12lc0fe.cable.mindspring.com] has quit [Quit: notbrien]
23:33 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
23:42 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
23:47 -!- takamichi [~pri@95.211.4.12] has quit [Ping timeout: 276 seconds]
23:48 -!- takamichi [~pri@95.211.4.12] has joined ##openvpn
--- Day changed Sat Apr 10 2010
00:37 -!- frootee [~frootee@rotterdam.perfect-privacy.com] has quit [Quit: Leaving]
01:13 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:57 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
02:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
02:17 -!- Lili1 [~Leila@80.191.194.54] has joined ##openvpn
02:17 -!- Lili1 [~Leila@80.191.194.54] has left ##openvpn []
02:37 -!- Frank__L [~bla@mar153.athome226.wau.nl] has joined ##openvpn
02:37 < Frank__L> hi
02:56 < mwheeler> hi Frank
02:58 < Frank__L> I've got a question about the server configuration of openvpn
02:58 < Frank__L> in particular the server_bridge parameters
03:00 < Frank__L> the server gets its IP address from my router which is running a DHCP server
03:00 < Frank__L> should I leave all parameters blank on the server_bridge statement in openvpn's config?
03:01 < Frank__L> as the static IP I need to set might change depending on what the DHCP server hands out
03:14 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 248 seconds]
03:14 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
03:14 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
03:14 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
03:35 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.9/20100402010516]]
03:38 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
03:45 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
03:45 -!- mode/##openvpn [+o mattock] by ChanServ
04:00 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
04:01 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
04:13 -!- master_of_master [~master_of@p57B56B5E.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
04:15 -!- master_of_master [~master_of@p57B57C2E.dip.t-dialin.net] has joined ##openvpn
04:25 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
04:28 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has joined ##openvpn
04:32 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
04:33 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
04:33 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
04:33 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
04:37 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has joined ##openvpn
04:37 < vpnguy> hola
04:49 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Quit: No Ping reply in 180 seconds.]
04:50 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
04:50 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
04:50 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
04:58 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Operation timed out]
04:58 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
04:58 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
04:58 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
05:01 -!- vpnguy [~g@sge78-1-82-228-21-90.fbx.proxad.net] has quit []
05:08 -!- Frank__L [~bla@mar153.athome226.wau.nl] has quit []
05:19 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:28 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has left ##openvpn []
05:29 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has joined ##openvpn
05:54 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 276 seconds]
06:57 -!- mithridates [~chatzilla@142.166.45.152] has joined ##openvpn
07:04 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
07:29 -!- Guest49458 is now known as redfox
07:30 -!- redfox is now known as Guest5953
07:31 -!- Guest5953 is now known as redfox
08:15  * ecrist is a hurtin' unit this AM
08:21 -!- zroysch [~dongery@pool-96-254-64-78.tampfl.fios.verizon.net] has quit [Ping timeout: 245 seconds]
08:38 -!- zroysch [~dongery@pool-96-254-64-78.tampfl.fios.verizon.net] has joined ##openvpn
08:53 -!- CorvetteZR1 [~CorvetteZ@CPE0014d11371a6-CM001ceab56a26.cpe.net.cable.rogers.com] has joined ##openvpn
08:58 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has quit [Remote host closed the connection]
08:59 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has joined ##openvpn
09:03 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has quit [Ping timeout: 240 seconds]
09:05 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has joined ##openvpn
09:09 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 276 seconds]
09:17 < CorvetteZR1> hi.  i'm using openvpn, it's working great.  except for some reason, i can not ping a host on the lan using a bridged interface
09:18 < CorvetteZR1> i mean the vpn client, can't hit a remote bridged if
09:18 < CorvetteZR1> i can ping it internally on the lan and directly from the openvpn server; but the vpn client can not, even though he can ping everything else on the network
09:21 -!- f1assistance1 [~Carl@cpe-071-065-252-227.nc.res.rr.com] has joined ##openvpn
09:21 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has quit [Ping timeout: 252 seconds]
09:26 < CorvetteZR1> ok, i few more details.  so it doesn't matter if the remote ip is bridged or not, i just assigned that ip to the nic
09:26 < Bloodsong> Interesting issue
09:26 < CorvetteZR1> this server has 2 nics, 2 different ips
09:27 < CorvetteZR1> i can ping one, but not the other
09:27 -!- f1assistance1 [~Carl@cpe-071-065-252-227.nc.res.rr.com] has quit [Ping timeout: 245 seconds]
09:27 < CorvetteZR1> but only on the vpn clients...on the actual lan, i can ping both with no issues
09:33 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:41 -!- f1assistance [~Carl@cpe-071-065-252-066.nc.res.rr.com] has joined ##openvpn
09:51 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
09:52 -!- d1b [~db@d1b.org] has quit [Ping timeout: 258 seconds]
09:59 -!- d1b [~db@d1b.org] has joined ##openvpn
10:13 -!- f1assistance [~Carl@cpe-071-065-252-066.nc.res.rr.com] has quit [Ping timeout: 245 seconds]
10:14 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
10:15 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 240 seconds]
10:24 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
10:36 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
11:10 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
11:13 -!- Mkools [~mukul@117.196.209.55] has joined ##openvpn
11:20 < Mkools> Hello their I have some problems in configuring open vpn in Ubuntu.
11:21 < krzee> !ubuntu
11:21 < vpnHelper> krzee: "ubuntu" is dont use network manager!
11:21 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Remote host closed the connection]
11:22 < Mkools> krezee: Relating this https://help.ubuntu.com/9.10/serverguide/C/openvpn.html
11:22 < vpnHelper> Title: OpenVPN (at help.ubuntu.com)
11:22 < krzee> !welcome
11:22 < vpnHelper> krzee: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:22 < krzee> start with !goal and !configs
11:24 < Mkools> krzee: In the manual above can I choose random IP addresses?
11:27 < rob0> huh? random??
11:30 < Mkools> rob0: Actually I wanted to ask that do I need to follow the same IP addresses given in https://help.ubuntu.com/9.10/serverguide/C/openvpn.html or I can choose my own appropriately.
11:30 < vpnHelper> Title: OpenVPN (at help.ubuntu.com)
11:31 < krzee> i tried to give you some direction, but you ignored me
11:31 < krzee> and that lame howto is about bridging, which you dont likely need
11:31 < krzee> !tunortap
11:31 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
11:31 < vpnHelper> krzee: against you over the vpn
11:32 < rob0> You choose your own, but you should use RFC 1918 addresses unless you own a "real" netblock. Agreed w/krzee about bridging.
11:32 < krzee> !howto
11:32 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:39 < Bloodsong> !wins
11:39 < vpnHelper> Bloodsong: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
11:43 < Mkools> vhHelper: Can you help.
11:43 < krzee> !bot
11:44 < vpnHelper> krzee: "bot" is I'm a bot.. just a bot. krzee is my maintainer, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
11:45 < Mkools> krzee: export KEY_COUNTRY
11:45 < Mkools> export KEY_PROVINCE
11:45 < Mkools> export KEY_CITY Why are this field for? Can set my own country, city etc.?
11:48 < Mkools> And what does dev tap0 mean?
11:48 < krzee> !man
11:48 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
11:58 < Mkools> krzee: Thanks a lot, but how to know which bridge, ip, network address I am using.
12:00 < Mkools> krzee: I am asking this because I want to setup VPN over Internet.
12:02 < krzee> !sample
12:02 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
12:02 < krzee> !howto
12:02 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:02 < krzee> !goal
12:02 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:03 < Mkools> Goal: I want setup a LAN over Internet. 
12:04 < Bushmills> !tunortap
12:04 < vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
12:04 < vpnHelper> Bushmills: against you over the vpn
12:04 < krzee> !route
12:04 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:07 -!- brainbox [~brainbox@CPE001d09638b69-CM00169242a0ee.cpe.net.cable.rogers.com] has joined ##openvpn
12:07 < Mkools> krzee: In my case there is no LAN behind the two users.
12:07 < Mkools> they directly connected to Internet.
12:07 < brainbox> hey guys i am trying to setup a vpn with a friend of mine, we got ourselves connected he gets a vpn ip however we can't ping each other nor can he see our webportal 
12:08 < krzee> [13:03]  <Mkools> Goal: I want setup a LAN over Internet. 
12:08 < brainbox> is there anything i need to add to the config of the server or the client config to allow them to be able to see our webportal ?
12:08 < krzee> Mkools, so you mean: "I just want a secure connection between 2 computers"
12:08 < Mkools> krzee: Yes
12:08 < krzee> !sample
12:08 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
12:09 < krzee> see !howto for generating certs
12:09 < krzee> brainbox, portal is on the vpn server?
12:09 < brainbox> yes
12:09 < krzee> if the httpd listens on vn ip, no
12:09 < krzee> vpn ip*
12:10 < brainbox> i added  client-to-client
12:10 < brainbox>  to server config 
12:10 < krzee> !c2c
12:10 < vpnHelper> krzee: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
12:10 < vpnHelper> krzee: behind other clients
12:10 < brainbox> they can not ping the server either 
12:10 < krzee> !configs
12:10 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
12:11 < brainbox> http://pastebin.com/btuD4dd7
12:11 < brainbox> thats the server config 
12:13 < brainbox> heres the client config http://pastebin.com/BrZ03j0p
12:13 < brainbox> server runs ubuntu, client is running windows7 
12:14 < krzee> read this again
12:14 < krzee> !configs
12:14 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
12:14 -!- Mkools [~mukul@117.196.209.55] has quit [Quit: Leaving]
12:15 < Bushmills> dev tap  on client  and  dev tun on server?
12:15 < krzee> i didnt notice, i see a bunch of comments and close the window
12:18 < brainbox> i found the prob 
12:18 < brainbox> i had blowfish and aes on the same 
12:18 < brainbox> two lines 
12:18 < brainbox> i had fixed the tap earlier i copied an old config 
12:18 < brainbox> restarting it now to see if it works :)
12:19 < brainbox> feel free to look these over with the corrections http://pastebin.com/phS1WwZq
12:20 < brainbox> im waiting on my commrad
12:23 < brainbox> he still can't view the portal 
12:28 < brainbox> any ideas as what is wrong with my config?
12:34  * Bushmills doesn't feel inclined anymore to look at old configs with relevant things changed already
12:35 < brainbox> from what I can tell everything looks ok... 
12:35 < brainbox> just cant ping each other or access portal 
12:35 < brainbox> so idk 
12:35 < brainbox> user has a valid vpn ip addy 
12:37 < brainbox> hmm few people in here from anonet
12:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
12:50 -!- brainbox [~brainbox@CPE001d09638b69-CM00169242a0ee.cpe.net.cable.rogers.com] has quit [Quit: Leaving]
12:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:55 < krzee> must be a full moon
12:55 -!- DarthGandalf is now known as DarthGandalf|BNC
13:21 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
14:11 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
14:11 -!- mithridates [~chatzilla@142.166.45.152] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.5/20091102141836]]
14:26 -!- rawDawg [~omglol@cpe-76-188-26-242.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
14:47 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
15:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
15:23 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
15:36 -!- max06 [~max06@freenode/sponsor/max06] has quit [Ping timeout: 260 seconds]
15:37 -!- max06 [~max06@freenode/sponsor/max06] has joined ##openvpn
15:37 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Quit: Leaving...]
15:41 -!- tvstebut [~tvstebut@80.125.173.121] has joined ##openvpn
15:42 < tvstebut> Hello
15:42 < tvstebut> my machine doesn't ping , that's the log : http://pastebin.fr/7498
15:42 < tvstebut> It's a network issue 
16:35 -!- tvstebut [~tvstebut@80.125.173.121] has quit [Ping timeout: 268 seconds]
16:38 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Read error: Operation timed out]
16:40 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
16:58 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
17:05 -!- aaronorosen2 [~arosen@130.127.255.224] has joined ##openvpn
17:09 < aaronorosen2> I am handing out ip addresses to clients via server-bridge. For some reason i am unable to ssh/ping to the ip address the the vpnserver hands out from outside of the vpn network. I have ipv4_forward =1 
17:09 < aaronorosen2> Any ideas what could be causing this? 
17:10 < aaronorosen2> Oh i see the ICMP requests coming to the client but he isn't sending back a reply 
17:11 < aaronorosen2> any idea why he would not reply? (I just ran iptables -F so there should be no firewall problem
17:28 -!- astrophy [~astrophy@95.211.0.162] has joined ##openvpn
17:34 -!- astrophy [~astrophy@95.211.0.162] has quit [Ping timeout: 268 seconds]
17:34 -!- Bloodsong [~Nimbus@bas13-toronto12-1167984050.dsl.bell.ca] has quit [Quit: Leaving]
17:35 -!- tvstebut [~tvstebut@80.125.173.121] has joined ##openvpn
17:39 -!- aaronorosen2 [~arosen@130.127.255.224] has quit [Read error: Operation timed out]
17:48 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Quit: Leaving...]
18:04 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
18:08 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Read error: Connection reset by peer]
18:09 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
18:12 -!- SkyX [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
18:55 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
19:13 -!- stealth- [~stealth@S0106002436a25c5e.ok.shawcable.net] has joined ##openvpn
19:19 -!- cjae [~quassel@142-165-27-241.estv.hsdb.sasknet.sk.ca] has joined ##openvpn
19:22 -!- tvstebut [~tvstebut@80.125.173.121] has quit [Ping timeout: 264 seconds]
19:28 -!- cjae [~quassel@142-165-27-241.estv.hsdb.sasknet.sk.ca] has quit [Read error: Connection reset by peer]
19:33 -!- cjae [~quassel@142-165-27-241.estv.hsdb.sasknet.sk.ca] has joined ##openvpn
19:49 -!- takamichi [~pri@95.211.4.12] has quit [Read error: Connection reset by peer]
19:50 -!- takamichi [~pri@95.211.4.12] has joined ##openvpn
20:03 -!- cjae [~quassel@142-165-27-241.estv.hsdb.sasknet.sk.ca] has quit [Ping timeout: 264 seconds]
20:13 -!- LobbyZ [~default@188.72.255.194] has quit [Ping timeout: 276 seconds]
20:17 -!- tjz [~pc@bb116-14-142-40.singnet.com.sg] has joined ##openvpn
20:17 -!- tjz [~pc@bb116-14-142-40.singnet.com.sg] has quit [Changing host]
20:17 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:29 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
20:43 -!- CorvetteZR1 [~CorvetteZ@CPE0014d11371a6-CM001ceab56a26.cpe.net.cable.rogers.com] has left ##openvpn ["Leaving"]
20:43 -!- cjae [~quassel@142-165-27-241.estv.hsdb.sasknet.sk.ca] has joined ##openvpn
20:43 -!- LobbyZ [~default@188.72.255.194] has quit [Ping timeout: 264 seconds]
21:25 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
21:35 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Ping timeout: 248 seconds]
21:38 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
21:55 -!- DarthGandalf|BNC is now known as DarthGandalf
21:56 -!- cjae [~quassel@142-165-27-241.estv.hsdb.sasknet.sk.ca] has quit [Remote host closed the connection]
22:02 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
22:14 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
23:10 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
23:23 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
23:57 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
--- Day changed Sun Apr 11 2010
00:18 < stealth-> openvpn is encrypted by default, right?
00:24 -!- stealth- [~stealth@S0106002436a25c5e.ok.shawcable.net] has quit [Remote host closed the connection]
00:52 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Remote host closed the connection]
00:58 -!- tvstebut [~tvstebut@78.251.67.42] has joined ##openvpn
01:35 < ecrist> he waited just about 6 minutes.
01:52 < mwheeler> indeed
02:23 -!- DarthGandalf is now known as DarthGandalf|BNC
02:41 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.9/20100402010516]]
02:58 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
03:05 -!- ease2 [~ease@114.92.147.40] has joined ##openvpn
03:06 -!- ease2 [~ease@114.92.147.40] has quit [Client Quit]
03:32 -!- DarthGandalf|BNC [~Vetinari@shellium/developer/darthgandalf] has quit [Ping timeout: 268 seconds]
03:36 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
03:36 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
03:43 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
03:59 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has joined ##openvpn
04:04 -!- zheng [~zheng@114.92.147.40] has joined ##openvpn
04:06 -!- xamanu_ [~xamanu@p54A67B07.dip.t-dialin.net] has joined ##openvpn
04:09 -!- xamanu_ [~xamanu@p54A67B07.dip.t-dialin.net] has quit [Quit: Leaving]
04:13 -!- master_of_master [~master_of@p57B57C2E.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
04:15 -!- master_of_master [~master_of@p57B561D3.dip.t-dialin.net] has joined ##openvpn
04:34 -!- xamanu [~xamanu@p54A67B07.dip.t-dialin.net] has joined ##openvpn
04:34 < xamanu> !welcome
04:35 < vpnHelper> xamanu: "welcome" is We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:21 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
05:22 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
05:22 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
05:22 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
05:29 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
05:44 < krzee> !learn welcome as is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:44 < vpnHelper> krzee: Joo got it.
05:44 < krzee> !forget welcome 1
05:44 < vpnHelper> krzee: Joo got it.
05:44 < krzee> !welcome
05:44 < vpnHelper> krzee: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:47 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 264 seconds]
05:48 < xamanu> Hello, I just want to gain some privacy through an anonymous registered domain, but this is going to point to a normally registered server/ip.
05:48 < xamanu> Is it possible to use this openvpn tunnel (http://prq.to/?p=tunnel&intl=1) to mask the end ip where the dns of the domain is redirecting to? Could anybody be so kind and help me with this doubt?
05:48 < vpnHelper> Title: PRQ - Colocation, Dedicated Servers, Web hosting, VPN Tunnels, Privacy services (at prq.to)
05:57 < insane^> xamanu get a vds or dedicated server in a country which doesnt care about
05:57 < insane^> eastern europe probably
05:57 < insane^> not germany ;)
05:57 < insane^> cz, pl, ru
06:02 < Bushmills> don't register a domain, then no information can be obtained thorugh it.
06:03 < Bushmills> and for privacy, it is better when the system can not be reached at all
06:04 < insane^> Bushmills i think he wants to prepare for europe "data collection"
06:05 < insane^> there are plans to record all connections 
06:05 -!- zheng [~zheng@114.92.147.40] has quit [Read error: Connection timed out]
06:05 < insane^> so ip is enaugh for this
06:05 -!- zheng [~zheng@114.92.147.40] has joined ##openvpn
06:07 < Bushmills> my understanding is that "smaller" providers have been excempted from the requirement to log all connection data. and those partain to access providers, giving internet access, not content providers, as in server hosting companies. 
06:07 < insane^> correct
06:08 < Bushmills> which would give a convinient way around: tunnel to server at server farm, use it as gateway
06:10 < Bushmills> actually, server hosting is infrastructure provision, not content.
06:15 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 276 seconds]
06:16 < xamanu> insane^ thanks, but the server i'm running is a pretty good offer (but it is in germany). and there are a lot of public services running. i don't want to pay an offshore server. actually i don't want to do anything illegal
06:18  * Bushmills can't understand that there are actually people who don't even *want* to do anything illegal 
06:18 < xamanu> Bushmills i know that a big player like NSA could just listening which ip is communicating with the openvpn-ip. but i'm not that paranoid. just a little bit paranoid
06:18 < Bushmills> xamanu: yes, it helps to have many .. clients? co-users?  using the same gateway
06:19 -!- bigpresh [~bigpresh@freenode/sponsor/bigpresh] has quit [Excess Flood]
06:20 < xamanu> haven't heard about the data collection. there is a european "data retention" law. but german supreme court kicked it. this was mainly aimed to email and messenger logs. this can be avoided easily by just running an own server. doesn't matter where, so could be in germany
06:20 < xamanu> my idea is to have an openid server on a domain that is not related to me
06:21 < xamanu> so getting a domain by an offshore registrant
06:21 < xamanu> using this openvpn tunnel by this Swedish company, pointing to my regular server
06:21 < xamanu> this would be pretty good privacy
06:21 < xamanu> i guess
06:22 < mwheeler> Just don't use a domain ?
06:22 < xamanu> i just wasn't sure if this vpn they offer to privatize "outgoing" traffic could be used to mask the ip of the server, by pointing the domain to the vpn
06:23 < Bushmills> like a proxy would do
06:23 < xamanu> mwheeler but a domain is nice for running a openid server
06:23 < xamanu> Bushmills yes, proxy would do it. but vpn is more versatile , isn't it?
06:24 < xamanu> i might extend the anonymous services running on this masked domain
06:24 < mwheeler> Sounds evil
06:24 < xamanu> haha
06:25 -!- X-Raimo [~alexmurav@opensuse/member/raimoschmidt] has joined ##openvpn
06:25 -!- bigpresh [~bigpresh@freenode/sponsor/bigpresh] has joined ##openvpn
06:27 < xamanu> thanks guys for answering. so you can't see why this service i posted should't work for my purposes? I'm just new to vpn, but i'm confident i can configure it. Just want to know if i'm missing anything in my thoughts
06:28 -!- X-Raimo [~alexmurav@opensuse/member/raimoschmidt] has left ##openvpn []
06:29 < Bushmills> you could offer the service you think of taking yourself, and then hide behind your customers. becoming your own customer, in a way.
06:29 < Bushmills> that way you know what is done to your client information
06:30 < mwheeler> I imagine that a few more Aussies will be coming here when their firewall goes up
06:33 < Bushmills> depends on how they implement that. the german "firewall" was merely an intended dns record bending.
06:33 < Bushmills> plans have been abandoned now
06:34 < xamanu> Bushmills but now you are talking about censorship, right?
06:35 < insane^> no vorratsdatenspeicherung
06:35 < insane^> i think
06:35 < Bushmills> indeed. i think so did mwheeler
06:35 < insane^> thats over, too
06:35 < xamanu> not really!
06:35 < insane^> but european govs have plans for that, too
06:35 < krzee> the au firewall will implement censorship from my understanding
06:35 < xamanu> supreme court said that it has to be controlled in a better way
06:36 < xamanu> so that not every policeman could access, only in tough cases, like terrorismo (what a joke)
06:36 < insane^> but its not over at all...
06:36 < krzee> i have a real good way to control it
06:36 < krzee> get laws out of it
06:36 < krzee> ie: dont control it
06:36 < insane^> NS/Stasi 2.0
06:36 < krzee> hehe
06:37 < krzee> yay my new work hackintosh is done
06:37 < krzee> i can finally stop using the lame winbox they make me use
06:37 < krzee> windows will just be another vm in it
06:37 < krzee> (for the win-only apps
06:40 < krzee> and <3 the unattended win install feature of vmware fusion
06:40 < krzee> so lazy
06:56 < Optic> i find that install usually gets SOMETHING wrong 
06:56 < Optic> I tend to do the manual install
06:56 < Optic> but vmware fusion is nice :)
06:56 < Optic> it even runs my rc helicopter sim
07:07 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:11 < Bushmills> does your helicopter onboard computer also run vmware?
07:13 < insane^> my refrigrator runs linux!
07:13 < insane^> refigerator
07:13 < insane^> :|
07:16 < krzee> it got everything right enough for me
07:16 < insane^> you hacked your fridge?
07:16 < krzee> just needed an install, ill handle the user/domain stuff when i get the computer in there
07:17 < insane^> noone will search for illegal internet gateways in fridges!
07:17 < insane^> sorry... drunk
07:17 < krzee> heh
07:17 < krzee> try the toaster, netbsd runs on it
07:17 < insane^> huum
07:17 < insane^> kitches are terrorist camps!
07:17 < insane^> kitchens
07:18 < krzee> http://www.netbsd.org/gallery/in-Action
07:18 < vpnHelper> Title: See NetBSD in Action (at www.netbsd.org)
07:19 < insane^> ok :)
07:39 -!- fahadsadah [~fahad@unaffiliated/fahadsadah] has quit [Quit: ZNC - http://znc.sourceforge.net]
07:51 -!- takamichi [~pri@95.211.4.12] has quit [Ping timeout: 246 seconds]
07:51 -!- takamichi [~pri@95.211.4.12] has joined ##openvpn
07:59 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:03 -!- Bulain [~bulain@114.92.165.144] has joined ##openvpn
08:05 < Bulain> !welcome
08:05 < vpnHelper> Bulain: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:07 -!- Bulain [~bulain@114.92.165.144] has left ##openvpn []
08:23 -!- zheng [~zheng@114.92.147.40] has quit [Quit: Leaving]
08:39 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
09:02 -!- trumee [~nobody@cpc2-cmbg15-0-0-cust1000.5-4.cable.virginmedia.com] has joined ##openvpn
09:04 < trumee> guys, this is making me crazy. My local network is 192.168.xx.xx and remote vpn server is 172.16.xx.xx. The client reports that WARNING: potential route subnet  conflict between LAN [192.168.1.0/255.255.255.0] and remote  VPN [192.168.1.0/255.255.255.0]
09:05 < trumee> why the hell is it saying remote VPN is 192.168.1.0, whereas i have spent the last half an hour converting to 172.16.xx.xx !!!!!!!
09:07 < trumee> The onlu everybody dead here?
09:07 < trumee> everybody dead here?
09:14 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:14 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
09:15 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:37 < ecrist> trumee: not dead, just idling.
09:37 < ecrist> I'm guessing you didn't change the push route statements in your server config and restart the vpn server
10:00 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
10:01 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:06 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 264 seconds]
10:08 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:49 -!- vronp_ [~4a8189d4@gateway/web/freenode/x-ogqjvgsxmxjyukzw] has joined ##openvpn
10:49 < vronp_> hi all
10:51 < vronp_> Can anyone tell me if under typical circumstances, does LZO compression "compensate" for the VPN overhead with port 443 traffic ?
10:57 -!- caution [~caution@unaffiliated/caution] has joined ##openvpn
10:59 < caution> not in server mode, can I start a new instance of openvpn configured to use IPs in the same LAN as the previous so all the VPNs are on the same LAN?
11:14 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
11:23 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
11:24 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
11:34 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Quit: Bye]
11:35 -!- xamanu [~xamanu@p54A67B07.dip.t-dialin.net] has left ##openvpn ["Leaving"]
11:35 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
11:49 -!- Bloodsong [~Nimbus@bas13-toronto12-1167984050.dsl.bell.ca] has joined ##openvpn
12:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
12:15 -!- caution [~caution@unaffiliated/caution] has quit [Read error: Connection reset by peer]
12:25 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.9/20100402010516]]
12:38 -!- caution [~caution@unaffiliated/caution] has joined ##openvpn
12:41 < caution> if I start a new instance of openvpn and use IPs in the same subnet as my first instance, will it work?
12:43 < Bushmills> assuming a packet needs to get routed to your vpn net - will the router have to route it to tun0, first instance, or tun1, second instance?
12:44 < caution> yes
12:44 < Bushmills> which one?
12:44 < rob0> That's just it with IP routing ... you can't distinguish between one IP address and the same IP address.
12:45 < rob0> So only one route can be used.
12:45 < caution> they won't have the same IP address, just in the same subnet
12:45 < caution> I'll try drawing a diagram since I can't explain very well
12:45 < Bushmills> no, you can have many routes
12:45  * rob0 hands caution a copy of RFC 1918
12:46 < rob0> Many routes to the same IP?
12:46 < Bushmills> but routes should be such that packets get to their intended destination
12:46 < rob0> Which one is chosen?
12:54 < caution> this is what I want to achieve: http://imgur.com/qV6T4.gif
12:57 < caution> Bushmills / rob0 
12:57 < ScriptFanix> caution: why not just set up 211.1.2.3 as a server with on subnet ?
12:58 < caution> I really don't want to restart the first instance
12:58 < Bushmills> where does the need come from to use addresses from the same subnet for both connections?
12:58 < Bushmills> seems to me you could use one for one machine, and the next for the other machine
12:59 < caution> just so they can all communicate over the vpn
12:59 < caution> use a different subnet and then netfilter rules?
12:59 < rob0> If you want "full mesh", openvpn doesn't currently support that, except by running direct tunnels among all peers.
12:59 < Bushmills> having ip addresses in the same subnet will not be of any help. more the contrary
13:00 < ScriptFanix> maybe you can circumvent that with some bridging on 211.1.2.3
13:00 < Bushmills> because then, machines don't know anymore how to route packets to the proper destinations
13:00 < rob0> For a 3-point configuration like that, it would be fine, but as the network grows, the complexity grows geometrically.
13:00 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
13:01 < Bushmills> you can use really small subnets. say, /28 or /29, for each machine, then it will look as they all sit in the same /24 subnet
13:02 < caution> I don't mind how it looks, I just want 10..2 to be able to establish TCP connections over the vpn to 10..4
13:02 < Bushmills> !route
13:02 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:02 < caution> and vice versa
13:03 < Bushmills> oh
13:03 < Bushmills> no need
13:03 < Bushmills> client-to-client
13:03 < Bushmills> make 211.1.2.3 server
13:03 < Bushmills> 69 and 81 are clients
13:03 < ScriptFanix> he doesn't want that
13:03 < Bushmills> he just said he does
13:03 < ScriptFanix> though that would be the best solution
13:04 < Bushmills> " I just want 10..2 to be able to establish TCP connections over the vpn to 10..4"
13:04 < ScriptFanix> he said he didn't want to restart the first tunnel
13:04 < Bushmills> then use a 4th machine as server
13:04 < Bushmills> make all three clients
13:16 -!- no_maam [~no_maam@gate.cdc.informatik.tu-darmstadt.de] has joined ##openvpn
13:16 -!- hapt1K [~jdr@188-221-43-87.zone12.bethere.co.uk] has joined ##openvpn
13:16 < hapt1K> hello
13:20 < hapt1K> i'm struggling to figure out where to put the configuration files on ubuntu
13:21 < hapt1K> could someone point me in the correct direction?
13:22 -!- Bloodsong [~Nimbus@bas13-toronto12-1167984050.dsl.bell.ca] has quit [Quit: Leaving]
13:23 < hyper_ch> hapt1K: where does ubuntu or rather where do debian-based distros put their config files?
13:23 < hyper_ch> well, probably, where do all distros usually put there system-wide configs
13:26 < rob0> That varies widely. For openvpn, most default to /etc/openvpn, but you have to look at your distro documentation to see what your distro init scripts do and expect.
13:27 < caution> I put the config files in whatever directory I felt like and then passed that path to openvpn
13:27 -!- tvstebut [~tvstebut@78.251.67.42] has quit [Read error: Connection reset by peer]
13:27 < rob0> and that works fine
13:27 -!- tvstebut [tvstebut@78.251.67.42] has joined ##openvpn
13:27 < rob0> in fact, that's what the distro init scripts do, they pass the path to openvpn
13:32 -!- |Mike|_ [mike@2001:1af8:2:444::2] has quit [Quit: Reconnecting]
13:32 -!- |Mike| [mike@2001:1af8:2:444::2] has joined ##openvpn
13:32 -!- tvstebut [tvstebut@78.251.67.42] has quit [Ping timeout: 246 seconds]
13:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:56 -!- caution [~caution@unaffiliated/caution] has quit [Ping timeout: 258 seconds]
14:01 -!- Sleeper- [~quassel@ip-88-152-80-169.unitymediagroup.de] has joined ##openvpn
14:09 < hapt1K> thank you i figured it out.
14:09 -!- hapt1K [~jdr@188-221-43-87.zone12.bethere.co.uk] has left ##openvpn ["Leaving"]
14:12 -!- vronp_ [~4a8189d4@gateway/web/freenode/x-ogqjvgsxmxjyukzw] has quit [Ping timeout: 248 seconds]
14:24 -!- DarthGandalf is now known as DarthGandalf|BNC
14:29 < |Mike|> ok
14:31 < trumee> I have an openvpn setup, all the web/email traffic go via tun0. But i can see sip registration on non-tunneled link (wlan0 here). is that normal?
14:33 -!- Sleeper-_ [~quassel@ip-88-152-88-20.unitymediagroup.de] has joined ##openvpn
14:33 -!- Sleeper- [~quassel@ip-88-152-80-169.unitymediagroup.de] has quit [Ping timeout: 246 seconds]
14:34 < |Mike|> trumee: is the client correctly configured (the sip one0
14:34 < trumee> you mean the sip client itself?
14:36 < |Mike|> yes
14:37 < trumee> |Mike|: i only need to specify the uri in the sip client. something like 10@xx.dyndns.org.  I dont specify any proxy address for it. One thing i am confused about is that whether i should specify the vpn/asterisk server address in the sip uri instead of public address.
14:38 < |Mike|> you might want to concider that :P
14:38 < trumee> hmm. i tried xx@10.8.0.1 and xx@172.16.1.132, both of them did work.
14:39 < trumee> 10.8.0.1 is tun0 ip for the server and 172.16.1.132 is the eth0  ip.
14:40 -!- Sleeper- [~quassel@ip-88-152-88-36.unitymediagroup.de] has joined ##openvpn
14:40 < trumee> i cant do a telnet 10.8.0.1 5060 just to check if asterisk is reachable, can i?
14:40 < |Mike|> yep
14:41 -!- Sleeper-_ [~quassel@ip-88-152-88-20.unitymediagroup.de] has quit [Ping timeout: 252 seconds]
14:45 < trumee> |Mike|: The route of the client has 86.9.87.233     192.168.1.254   255.255.255.255 UGH   0      0        0 wlan0
14:46 < trumee> |Mike|: and xx.dyndns.org points to 86.9.87.233, so if sip client registers to 50@xx.dyndns.org, the traffic goes via 192.168.1.254  rather than tun0 (10.8.0.5)
14:47 < trumee> |Mike|: 192.168.1.254  is the router at the client side.
14:47 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
14:48 < trumee> |Mike|: i dont understand how i can force xx.dyndns.org to resolve to 10.8.0.5 as it is also my openvpn server
14:51 -!- tvstebut [~tvstebut@vol75-6-82-227-149-222.fbx.proxad.net] has joined ##openvpn
14:51 < rob0> OpenVPN is merely the transport layer. DNS service would be done by other software, e.g., dnsmasq(8) or named(8).
14:58 -!- Sleeper- [~quassel@ip-88-152-88-36.unitymediagroup.de] has quit [Ping timeout: 240 seconds]
15:06 < trumee> can i have multiple up scripts defined in openvpn.conf?
15:07 < trumee> or do they need to be collated together and put in a single script?
15:07 < trumee> rob0: any idea?
15:08 < no_maam> Hi
15:08 < no_maam> iI need some tips
15:08 < no_maam> I am running openvpn on a gsm or 3g link
15:08 < no_maam> and the link breaks down very often
15:08 < rob0> IIRC the man page says it is one script only.
15:08 < rob0> !man
15:08 < vpnHelper> rob0: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
15:22 < no_maam> which parameters should I choose, so that openvpn doesn't need to reconnect so often
15:22 < no_maam> so that a session is still active, even if there is no communication for 5-10 minutes
15:27 < no_maam> the ip doesn't change 
15:31 < no_maam> so that athe openvpn client is just not able to send areceive packets for a while
15:46 -!- oreo [~anonymous@unaffiliated/oreo] has joined ##openvpn
15:47 < oreo> hey everyone! how can I, on a client, remove a route pushed by the server?
15:57 < SerajewelKS> oreo: by using the route command of your particular OS
15:58 < oreo> SerajewelKS: the problem is that my custom "up" script's route change is executed before openvpn's pushed routes
15:58 < SerajewelKS> oreo: so you actually mean "prevent the addition of a route" and not "remove a route"
15:59 < rob0> If you need different routes for specific clients, the best way to handle that is with --client-config-dir.
15:59 < rob0> !ccd
15:59 < vpnHelper> rob0: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
15:59 < oreo> i am not in control of the server
15:59 < oreo> SerajewelKS: basically
16:00 < SerajewelKS> oreo: does adding up-delay also not work?
16:00 < oreo> SerajewelKS: haven't tried it. should i try up-route too?
16:01 < SerajewelKS> oreo: dunno, that option isn't available in my version.  you might also try --route-nopull and specify all routes yourself.
16:01 < oreo> nvm up-route isn't an option
16:03 < oreo> SerajewelKS: there's no way to reject one of the routes, or to remove it afterwards?
16:03 < SerajewelKS> oreo: or you could use --route-up and --route-noexec
16:03 < SerajewelKS> oreo: those two options together will let you use a script to add routes instead of automatically adding them
16:03 < SerajewelKS> oreo: you can check if the route isn't the one you want to ignore and then add it
16:04 < SerajewelKS> oreo: there's no built-in mechanism to ignore a specific route, but --route-up and --route-noexec are probably the most sane way to accomplish this
16:07 -!- oreo [~anonymous@unaffiliated/oreo] has quit [Ping timeout: 246 seconds]
16:07 -!- Sleeper- [~quassel@ip-88-152-80-30.unitymediagroup.de] has joined ##openvpn
16:19 -!- trumee [~nobody@cpc2-cmbg15-0-0-cust1000.5-4.cable.virginmedia.com] has quit [Remote host closed the connection]
16:28 -!- oreo [~anonymous@unaffiliated/oreo] has joined ##openvpn
16:28 < oreo> hey
16:28 < oreo> sorry, my computer had a problem
16:28 < oreo> route-up works like a charm
16:28 < oreo> (except i have to provide an extra argument: --script-security 2, but that's no biggie)
16:28 < oreo> thanks for the help
16:33 -!- tvstebut [~tvstebut@vol75-6-82-227-149-222.fbx.proxad.net] has quit [Ping timeout: 245 seconds]
17:00 -!- vlt [~dm@suez.activ-job.com] has joined ##openvpn
17:01 -!- Sleeper- [~quassel@ip-88-152-80-30.unitymediagroup.de] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
17:06 < vlt> Hello. Or local network has one external IP address. When I connect to that IP address from the outside an use the 'push "redirect-gateway"' option, all my traffic is routed through VPN. How can I assure that HTTP connections to the VPN server's IP address will be encrypted too?
17:11 < Bushmills>  you can't (easily): openvpn client needs to talk to openvpn server through other route than through itself.
17:11 < Bushmills> your http requests to http server would go along the same route
17:12 < Bushmills> you can, however, bind your web server to openvpn tun interface
17:12 < Bushmills> and request on that address instead
17:13 < vlt> Bushmills: I can't touch the web server config. Is there any way to tell my client's kernel to use the former default gateway for OopenVPN traffic only?
17:14 < Bushmills> what operating system?
17:15 < vlt> 2.6.30
17:15 < vlt> erm, linux
17:16 < Bushmills> !routebyapp
17:16 < vpnHelper> Bushmills: "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
17:16 -!- jetole [~Joe@irc.fossl.net] has quit [Quit: Lost terminal]
17:17 < Bushmills> probably won't help
17:18 < Bushmills> but .. if web server isn't bound to tun interface ... how are you supposed to access it through vpn then?
17:18 < vlt> Maybe I could define an IP tables rule based on the VPN destination port, amrk the packet and then create an iproute2 rule ...
17:20 < Bushmills> put host name of web server into your hosts file with vpn ip address, and specify server ip address in openvpn client config by ip address, not by histname
17:20 < Bushmills> host name
17:21 < vlt> Bushmills: The weserver (behind the gateway) doesn't know. I need to create another forwarding rule then. But I don't know how to persuade the client to always use the internal VPN IP address instead of the external one for other traffic than VPN.
17:22 < Bushmills>  /etc/hosts
17:23 < vlt> Bushmills: If I put the hostname there and assign the internal address, will OpenVPN still be able to connect then?
17:23 < Bushmills> use ip address, not host name, in openvpn client config
17:25 < vlt> hmmm, there seems to be no absolutely safe way ... maybe I should order a second IP address to be used for VPN only ;-)
17:25 -!- oreo [~anonymous@unaffiliated/oreo] has quit []
17:57 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 276 seconds]
18:12 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Quit: Leaving...]
18:22 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
18:25 -!- dug` [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Ping timeout: 260 seconds]
18:40 -!- takamichi [~pri@95.211.4.12] has quit [Ping timeout: 240 seconds]
18:42 -!- takamichi [~pri@78.133.32.157] has joined ##openvpn
18:51 -!- takamichi [~pri@78.133.32.157] has quit [Ping timeout: 276 seconds]
18:51 -!- takamichi [~pri@95.211.4.12] has joined ##openvpn
19:14 -!- krzee [krzee@unaffiliated/krzee] has joined ##openvpn
19:22 < krzee>  <krzee> yay
19:22 < krzee>  <krzee> finally got an apple at work
19:22 < krzee>  <krzee> no more lamesauce windows for me
19:22 < krzee>  <krzee> i still need to run win in a VM, but thats fine
19:22 < krzee> =]
19:24 -!- krzee [krzee@unaffiliated/krzee] has quit [Remote host closed the connection]
19:31 -!- monkeytwin [~user_name@unaffiliated/monkeytwin] has joined ##openvpn
19:32 -!- krzee [krzee@unaffiliated/krzee] has joined ##openvpn
19:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
20:02 -!- monkeytwin [~user_name@unaffiliated/monkeytwin] has quit [Quit: leaving]
20:02 -!- monkeytwin [~user_name@unaffiliated/monkeytwin] has joined ##openvpn
20:02 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
20:02 -!- takamichi [~pri@95.211.4.12] has quit [Ping timeout: 252 seconds]
20:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
20:20 -!- tjz [~pc@bb116-14-145-147.singnet.com.sg] has joined ##openvpn
20:20 -!- tjz [~pc@bb116-14-145-147.singnet.com.sg] has quit [Changing host]
20:20 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
21:05 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 252 seconds]
21:17 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
21:17 -!- stealth- [~stealth@S0106002436a25c5e.ok.shawcable.net] has joined ##openvpn
21:17 < stealth-> All openvpn transmittions are encrypted by default, right?
21:33 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
21:34 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
21:49 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 260 seconds]
21:50 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
22:12 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
22:29 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
22:30 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
22:52 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Read error: Operation timed out]
22:55 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
23:17 < SerajewelKS> stealth-: as there is no default configuration file, that question doesn't really make much sense.  openvpn does what you tell it to.
23:36 < stealth-> SerajewelKS: well, let me rephrase: I havn't set any specific option to turn encryption on or off, so how do I know it's on?
23:37 < SerajewelKS> stealth-: are you using "secret" or the TLS options like ca/key or pkcs12?
23:39 < stealth-> SerajewelKS:  I have lines in my config for ca and key, yes
23:39 < SerajewelKS> stealth-: then encryption is enabled
23:39 < stealth-> Ah, okay. Thanks a bunch for answering, I didn't think i was going to get one :)
23:40 < stealth-> SerajewelKS: ^
23:40 < rob0> See "Data Channel Encryption Options" in the man page.
23:55 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
23:58 -!- stealth- [~stealth@S0106002436a25c5e.ok.shawcable.net] has quit [Remote host closed the connection]
--- Day changed Mon Apr 12 2010
00:04 < vpnHelper> New forum entry openvpnforum: Installation Help :: Re: Getting started with OpenVPN :: Reply by Kartik <http://www.ovpnforum.com/viewtopic.php?f=5&t=2831&p=4490#p4490>
00:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
00:46 -!- tvstebut [~tvstebut@vol75-6-82-227-149-222.fbx.proxad.net] has joined ##openvpn
00:47 -!- zroysch [~dongery@pool-96-254-64-78.tampfl.fios.verizon.net] has quit [Ping timeout: 245 seconds]
00:52 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.9/20100402010516]]
00:58 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
01:16 -!- Morgan_Phoenix [~macbabe@CPE-24-166-141-95.new.res.rr.com] has quit [Ping timeout: 245 seconds]
01:17 -!- Morgan_Phoenix [~macbabe@CPE-24-166-141-95.new.res.rr.com] has joined ##openvpn
01:32 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:34 -!- rawDawg2 [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
01:36 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
02:08 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
02:09 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
02:22 -!- krzy [nobody@hemp.ircpimps.org] has joined ##openvpn
02:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
02:45 -!- krzy [nobody@hemp.ircpimps.org] has quit [Quit: This computer has gone to sleep]
02:47 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:49 -!- krzy [nobody@hemp.ircpimps.org] has joined ##openvpn
02:52 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
03:05 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
03:05 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
03:05 -!- mode/##openvpn [+o mattock] by ChanServ
03:49 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
04:09 -!- DarthGandalf|BNC is now known as DarthGandalf
04:13 -!- master_of_master [~master_of@p57B561D3.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
04:15 -!- master_of_master [~master_of@p57B53CE2.dip.t-dialin.net] has joined ##openvpn
04:34 -!- dazo_afk is now known as dazo
04:40 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
04:53 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:15 -!- macsppadic is now known as bandanasppadic
05:24 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Ping timeout: 268 seconds]
05:27 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
06:01 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has quit []
06:02 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
06:32 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Quit: Quitte]
06:34 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has joined ##openvpn
06:39 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
06:58 -!- dug` [~dug@che91-1-88-176-66-114.fbx.proxad.net] has joined ##openvpn
07:01 -!- dug [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Ping timeout: 246 seconds]
07:09 -!- tvstebut [~tvstebut@vol75-6-82-227-149-222.fbx.proxad.net] has quit [Quit: Leaving]
07:14 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
07:18 < ScriptFanix> Hi
07:18 < ScriptFanix> how can i check openvpn's internal routing table ?
07:29 < |Mike|> ip route show
07:32 < ScriptFanix> this shows that the subnets behind both vpn clients are routed to tun0
07:33 < ScriptFanix> I have a VPN server with 2 clients, both with a subnet behind them (192.168.64 and 192.168.192)
07:33 < dazo> ScriptFanix: openvpn does little magic with the routing in reality, unless if you're using --iroute .... the rest of the routing it completely relies on the normal OS routing
07:33 < |Mike|> http://www.google.nl/search?sourceid=chrome&ie=UTF-8&q=openvpn+internal+routing
07:33 < vpnHelper> Title: openvpn internal routing - Google zoeken (at www.google.nl)
07:33 < ScriptFanix> from a machine behind the server, i can join 192.168.192 but not 192.168.64
07:34 < dazo> --iroute is also only used when the openvpn server side will route traffic to the client side network, behind the openvpn client
07:34 < ScriptFanix> on teh server, I have iroute directives in ccd/<client CommonName>
07:34 < rob0> "join"?
07:35 < ScriptFanix> from the server, i can ping any machine on any network
07:35 < ScriptFanix> but machines in 192.168.64 cannot communicate with machines behind teh server, while machines in 192.168.192 can
07:36 < ScriptFanix> machines behind the server cannot communicate with 192.168.64 but can reach 192.168.192
07:36 < rob0> 192.168.64.* hosts don't have a route to the subnet behind the server
07:36 < ScriptFanix> yes they do
07:37 < ScriptFanix> tcpdump shows trafic coming in on tun0, and nothing coming out on eth2, firewall is wide open between both interfaces
07:37 < rob0> traceroute/tracepath shows them hitting the VPN and it dies.
07:37 < ScriptFanix> here are some traces from the openvpn server : http://vincent.riquer.fr/routesmtp2.txt
07:39 < rob0> !ipforward
07:39 < vpnHelper> rob0: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
07:40 < ScriptFanix> forwarding between all other interface plus between eth2 and tun0/192.168.192 works perfectly
07:41 < ScriptFanix> and i disabled rp_filter on tun0, just in case
07:42 < ScriptFanix> wait while i pastebin relevant config files
07:42 < havoc> bah
07:46 < ScriptFanix> http://paste.debian.net/68556/
07:49 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Ping timeout: 268 seconds]
07:51 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
07:52 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:39 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
08:51 -!- dazo is now known as dazo_afk
08:52 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Ping timeout: 276 seconds]
08:55 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
08:57 -!- dazo_afk is now known as dazo
09:18 < theDoc> \o/
09:31 < ecrist> o//
09:32 < ecrist> \\o
09:32 < ecrist> \o/
09:33 < ScriptFanix> <Village people> \o/ |o| /o_ /o\ </Village people>
09:33 < theDoc> http://www.i-am-bored.com/bored_link.cfm?link_id=48364
09:33 < vpnHelper> Title: If You See Someone Drowning... [Pic] | I Am Bored (at www.i-am-bored.com)
09:33 < theDoc> ;p
09:35 < ScriptFanix> :)
09:35 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 276 seconds]
09:35 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
09:37 < theDoc> Of course, if someone is drowning, lol is the way to go.
09:39 -!- MrJK [~jezu@194.199.166.96] has quit [Ping timeout: 240 seconds]
09:43 -!- MrJK [~jezu@194.199.166.96] has joined ##openvpn
09:55 -!- bandanasppadic is now known as phphater
10:07 -!- rawDawg2 is now known as rawDawg
10:10 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
10:53 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
10:54 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
10:55 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Client Quit]
10:56 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
11:00 < rob0> ~~~|o|~~~ glug glug glug
11:01 < ScriptFanix> sorry, i cannot do anything for you : 911 doesn't work in france :)
11:06 < vpnHelper> New forum entry openvpnforum: Installation Help :: Re: Getting started with OpenVPN :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=5&t=2831&p=4498#p4498>
11:09 -!- openvpn2009 [~email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Quit: ircN 8.00 for mIRC (20080809) - www.ircN.org]
11:30 -!- bigpresh [~bigpresh@freenode/sponsor/bigpresh] has left ##openvpn ["Leaving"]
11:33 -!- phphater [~sonupunno@82.109.74.162] has quit [Quit: phphater]
11:43 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
11:44 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Quit: "BOf !"]
11:55 -!- dazo is now known as dazo_afk
12:17 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
12:29 < dopigwan> any gurus with LDAP -><- Active Directory ?
12:30 -!- dopigwan is now known as dopiwan
12:38 < dopiwan> Looking for some assistance with LDAP query to Active Directory.  I have an OU called "VPN User" contained inside OU "Security Groups" this is a security list with my User account as the only current member.  My User account is actually stored in another OU off the root called "Redirected" which holds most domain users.  I am trying to authenticate only users who have membership of the "VPN User" group but can't get the darn
12:41 -!- torrance1 [~torrancew@ip70-172-225-171.br.br.cox.net] has joined ##openvpn
12:42 < torrance1> how different is the set up of openvpn server (in bridged mode) in a linux-based virtualbox vm?
12:44 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
12:48 < |Mike|> torrance1: it's not that different :)
12:55 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
12:57 < Mythmon> is it possible do use cert based authentication OR username/password? (think ssh with passwords OR keys, but both aren't needed)
12:57 -!- nate [~nate@unaffiliated/nate] has joined ##openvpn
12:58 < nate> !welcome
12:58 < vpnHelper> nate: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:58 < nate> good lord.
12:58 < |Mike|> Mythmon: not sure, but i doubt it.
12:59 < nate> I think we'll start with lunch first
12:59 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
12:59 < Mythmon> |Mike|: i didn't think so, but i thought i would ask.
13:01 < |Mike|> Mythmon: You might want to read the '!howto', even I don't know all the functions :p
13:01 < |Mike|> !howto
13:01 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:02 < Mythmon> ya, i have been working from the howto, it was actually useful. it has idea for using certs only, or user/pass only, or certs and pass, but not certs or pass.
13:03 < magic_1> certs work pretty good most of the time
13:05 < |Mike|> Yep
13:13 < Mythmon> !wiki
13:13 < vpnHelper> Mythmon: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
13:25 -!- Sleeper- [~quassel@ip-88-152-88-32.unitymediagroup.de] has joined ##openvpn
13:29 -!- d1b [~db@d1b.org] has quit [Quit: "how many roads must a .... =42"]
13:36 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
13:38 < torrance1> |Mike|: am i right to assume that the majority of the changes needed to virtualize a server are mainly dealing with the networking of the guest OS?
13:45 < ecrist> torrance1: not at all
13:46 < ecrist> the majority of the changes have to do with deal with hardware, most specifically negotiating access to that hardware, including CPU.
13:46 < ecrist> and convincing the guest OS that it really _is_ in charge, even though it's not
13:54 -!- Sleeper- [~quassel@ip-88-152-88-32.unitymediagroup.de] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
13:54 < torrance1> ecrist: can you elaborate?
13:55 < torrance1> in this case, OS X is the host OS, Ubuntu 9.10 Server is the guest, and virtualbox is the vm platform
13:55 < torrance1> it's a buddy of mine's
13:56 < torrance1> which is only relevant in that, I am nowhere near the server
13:57 < torrance1> i've been testing for him
13:57 < torrance1> and my client is connecting
13:57 < torrance1> but not getting a route or dns, etc
14:00 < ecrist> sounds like a vpn issue, not a VM issue
14:02 < krzy> God helps those who help themselves. In other words, God wants to help you masturbate.
14:06 < nate> !route
14:06 < vpnHelper> nate: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:06 < nate> !/30
14:06 < vpnHelper> nate: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
14:06 < nate> !topology
14:06 < vpnHelper> nate: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
14:06 < nate> !iporder
14:06 < vpnHelper> nate: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
14:07 < nate> forgive the flood
14:07 < nate> !static
14:07 < vpnHelper> nate: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
14:08 < krzy> nate. you might like this
14:08 < krzy> !factoids
14:08 < vpnHelper> krzy: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
14:09 < nate> I have my tunnel working, but neither side can talk to the other
14:09 < nate> so I guess I have a lot of reading to do before I even try asking a question :-)
14:10  * ecrist points to the /topic
14:10 < nate> ecrist: uh yeah that's why I started with !welcome :-)
14:10 < krzy> firewall most likely
14:11 < nate> if it is the packets are magically vanishing and not being logged
14:11 < nate> cause I log every dropped packet
14:11 < krzy> OR you tried address stuff manually and fubared it
14:11 < krzy> !configs
14:11 < vpnHelper> krzy: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
14:11 < nate> for simplicity I stopped using ccd/ and am only using the pool
14:12 < krzy> cool, 1 less thing to pastebin
14:12 < nate> man this /30 thing is so messy :-) damn windows.
14:13 < nate> I'm trying to replace an existing vtund network (linux only)
14:15 < ecrist> nate: I was referencing the part abou t a firewall. ;)
14:17 < nate> yeah I'll try digging in there more
14:29 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:33 -!- Visual` [~visualsta@unaffiliated/visualstation] has left ##openvpn []
14:34 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
14:35 < krzy> lol @ no pasted configs
14:35 < krzy> bbiaf as krzee
14:35 -!- krzy [nobody@hemp.ircpimps.org] has quit [Quit: Leaving]
14:37 < nate> server config: http://pastebin.com/8ZS9PBYZ
14:37 < nate> client config: http://pastebin.com/SmKv9aeA
14:37 < nate> includes additional system info at the bottom
14:37 < nate> tunnel is up, can't ping either side.
14:41 < nate> you know I think the packets are hitting the server, verb 6 shows me the packets coming in from the client when I run ping
14:41 < nate> but the server just doesn't seem to know what to do with them
14:43 < nate> and I don't see how it could be the firewall because at the top of my rules I have a blanket allow for 192.168.0.0/16 across input,output,forward.
14:45 < nate> !interface
14:45 < vpnHelper> nate: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
14:46 < nate> yeah tcpdump shows the icmp coming in
14:46 < nate> the server just isn't responding
14:48 < nate> okay this is interesting
14:48 < nate> so it is working, I can nmap the server over the tunnel
14:48 < nate> and hit ports with telnet
14:48 < nate> just no icmp
14:49 < |Mike|> < krzy> God helps those who help themselves. In other words, God wants to help you masturbate. <== krzee of president
14:49 < |Mike|> nate: i blame you firewall
14:50 < nate> man this is weird. 
14:50 < |Mike|> I wouldn't blame your computer, I would blame the guy what configured it :)
14:51 < nate> so if I want a mixture of static and dynamic hosts (ccd/ and from the cidr pool), where do I assign the static IPs too? inside the CIDR pool or outside? if its outside, does the server need to be bound on another IP or how's this all work?
15:01 -!- mekula [~mekulc@h156n2fls32o256.telia.com] has joined ##openvpn
15:06 < mekula> Neat! http://qa.debian.org/popcon.php?package=gadmin-openvpn-server | http://qa.debian.org/popcon.php?package=gadmin-openvpn-client
15:06 < vpnHelper> Title: Popularity Contest Statistics -- Debian Quality Assurance (at qa.debian.org)
15:06 < mekula> Informative +1
15:11 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Read error: Operation timed out]
15:11 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Read error: Connection reset by peer]
15:11 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
15:12 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
15:14 < mekula> This is the first VPN-solution that is usable on windows as well as on all other systems ?
15:17 < mekula> Truely awesome!
15:19 < SerajewelKS> cisco has a vpn client for at least linux, i dunno about other platforms
15:20 < |Mike|> cisco != openvpn
15:20 < mekula> Ive seen that client. Not very good :P
15:21 < nate> it works... with quite a bit of pain
15:22 < nate> can you push routes on a per client basis? so instead of pushing a /16 from server.conf, can I do it just via the ccd/ files?
15:22 < |Mike|> Yep :)
15:22 < nate> will ccd/ override server.conf or do I have to remove server.conf's setting?
15:23 < krzee> what do you mean?
15:24 < SerajewelKS> |Mike|: i never said anything at all that would indicate that i was equating the two products
15:24 < mekula> nate: It should override.
15:25 < SerajewelKS> just indicating that i've used their client to connect to my old uni's vpn before and it seemed to work just fine
15:25 < nate> the problem is that I'm on a private darknet that spans 192.168.0.0/16, but at work we also use that same /16. for my work host I only want to have routes for 2 /24's on the /16. but at home and for all other clients I want the full /16 to be routed (eventually we'll do an subnet change to 172)
15:25 < SerajewelKS> of course i prefer openvpn, but to say that openvpn is the only cross-platform vpn solution would be erroneous
15:25 < |Mike|> SerajewelKS: as long as the end point a cisco router is, sure :)
15:25 -!- alpha_ [~mosbah.ab@41.228.173.196] has joined ##openvpn
15:25 < alpha_> hello all
15:26 < |Mike|> ohai alpha_ 
15:26 < nate> if I have push "route 192.168.0.0 255.255.0.0" in server.conf, can I override that some how in ccd/work_machine so that it only maps one or two networks
15:26 < mekula> SerajewelKS: To be fair i think it blows because or way hard to understand things such as "Peer .. blah, lost, could not connect, peer" ... Who is this Peer ? :)
15:26 < Fiouz> nate: use push-reset
15:26 < mekula> Peer guy /hehe
15:26 < alpha_> openvpn does not succeed to establish vpn connection on port 80 in the presence of arkoon firewall!!!!!
15:26 < SerajewelKS> mekula: are you speaking of openvpn or cisco vpn?
15:27 < |Mike|> cisco ;)
15:27 < mekula> ^^
15:27 < alpha_> openvpn of course
15:27 < nate> Fiouz: I can specify --push-reset in the command line arguments of the clients opvn client?
15:28 < |Mike|> alpha_: read the topic :D
15:28 < mekula> Im not sure why people pay that much for the ASAs.
15:28 < Fiouz> nate: you can use it in a ccd config file
15:28 < alpha_> on port 443 https the openvpn ok
15:28 < nate> oh excellent, thanks
15:28 < alpha_> is there any solution of that
15:28 < alpha_> ??
15:28 < Fiouz> nate: in a client config file, you can use route-nopull
15:28 < |Mike|> alpha_: yeah, use ports above 1024 :P
15:29 < dopiwan> in OpenVPN_AS where would i find the equivilent file to  /etc/openvpn/openvpn.conf
15:29 < alpha_> I want specifically port 80!!
15:31 < Fiouz> alpha_: since HTTP 80 isn't encrypted, firewall usually do some protocol parsing and discard invalid trafic
15:34 < alpha_> ok thanks
15:34 < alpha_> is there any workaround to use port 80
15:34 < alpha_> ?
15:37 < Fiouz> appart from disabling firewall HTTP filtering, I guess not but I've never really thought about it
15:40 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has joined ##openvpn
15:41 < mekula> alpha_: Redirect port 80 to 1194 could be a start
15:42 < rob0> HTTP is TCP; openvpn can be TCP but should be UDP.
15:42 < mekula> Beloney, TCP works just as nice. Program: "Redir" is easy to use
15:43 < mekula> As is port 80 cant handle tcp/udp
15:43 < mekula> As if
15:44 < alpha_> ok ythanks
15:44 < rob0> "Beloney, TCP works just as nice"? It's a proven fact that there are problems with VPNs on TCP.
15:44 < rob0> !tcp
15:44 < vpnHelper> rob0: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
15:44 < alpha_> and what about using a http proxy??
15:54 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Read error: Operation timed out]
15:55 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
15:57 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
16:03 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has quit [Ping timeout: 260 seconds]
16:03 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
16:07 < mekula> rob0: "It's a proven fact that there are problems with VPNs on TCP" <- On windows /Lol
16:08 -!- mekula [~mekulc@h156n2fls32o256.telia.com] has quit [Quit: Boorings]
16:16 -!- dug` [~dug@che91-1-88-176-66-114.fbx.proxad.net] has quit [Quit: Quitte]
16:42 -!- [mutex]__ [~portn0k@168-103-249-104.clsp.qwest.net] has joined ##openvpn
16:43 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
16:45 -!- [mutex]_1 [~portn0k@70-57-173-99.clsp.qwest.net] has quit [Ping timeout: 264 seconds]
16:47 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:49 -!- openvpn2009 [~admin@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
16:49 -!- mode/##openvpn [+o openvpn2009] by ChanServ
16:49 -!- alpha_ [~mosbah.ab@41.228.173.196] has quit []
17:00 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
17:02 -!- CZroe [~czroe@166.134.88.9] has joined ##openvpn
17:06 -!- corretico [~laguilar@201.201.46.106] has quit [Quit: Leaving]
17:06 < CZroe> I'd like to set up OpenVPN on a home PC or my Tomato router in a way where my Internet traffic from public WiFi and tethering will be routed through my home Internet connection and appear to originate there.
17:06 < CZroe> Is this possible?
17:08 < CZroe> My problem with other VPNs is that only traffic for that subnet goes through the VPN and everything else sees the higher-priority gateway from the WiFi or tethering connection.
17:16 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 258 seconds]
17:17 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Remote host closed the connection]
17:18 -!- openvpn0x02 [~admin@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
17:18 -!- mode/##openvpn [+v openvpn0x02] by ChanServ
17:22 -!- openvpn2009 [~admin@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 258 seconds]
17:22 -!- openvpn0x02 [~admin@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has left ##openvpn []
17:23 -!- openvpn2009 [~admin@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
17:23 -!- mode/##openvpn [+o openvpn2009] by ChanServ
17:24 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Quit: Leaving...]
17:24 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Quit: Leaving]
17:25 -!- Kaspx [~Kasx@lax.raidz.net] has joined ##openvpn
17:27 -!- CZroe [~czroe@166.134.88.9] has quit [Quit: Colloquy for iPhone - http://colloquy.mobi]
17:27 -!- openvpn [~openvpn@atlantis.openvpn.org] has joined ##openvpn
17:27 -!- openvpn2009 [~admin@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 268 seconds]
17:28 -!- openvpn2009 [~admin@adsl-71-140-186-185.dsl.pltn13.pacbell.net] has joined ##openvpn
17:28 -!- mode/##openvpn [+o openvpn2009] by ChanServ
17:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
17:28 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
17:28 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 264 seconds]
17:28 -!- openvpn [~openvpn@atlantis.openvpn.org] has quit [Client Quit]
17:29 -!- openvpn [~openvpn@atlantis.openvpn.org] has joined ##openvpn
17:30 < troy-> why does atlantis keep sinking?
17:31 < openvpn> ran out of resources
17:31 < openvpn> ;)
17:33 < openvpn> one more time, so I can fix the identd
17:33 -!- openvpn [~openvpn@atlantis.openvpn.org] has quit [Client Quit]
17:35 < Kaspx> Must have sank again...
17:36 -!- openvpn [openvpn@atlantis.openvpn.org] has joined ##openvpn
17:47 -!- mode/##openvpn [+o openvpn] by openvpn2009
17:52 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
17:52 -!- mode/##openvpn [+v Kasx] by ChanServ
17:56 -!- Kaspx [~Kasx@lax.raidz.net] has quit [Ping timeout: 248 seconds]
17:57 -!- openvpn2009 [~admin@adsl-71-140-186-185.dsl.pltn13.pacbell.net] has quit [Quit: ircN 8.00 for mIRC (20080809) - www.ircN.org]
17:59 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 264 seconds]
18:01 -!- nate [~nate@unaffiliated/nate] has left ##openvpn []
18:09 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
18:16 -!- troy- [1079c6126e@bgp4.us] has quit [Ping timeout: 260 seconds]
18:21 < krzee> ild kill for a openvpn.org A entry in DNS
18:21 < krzee> (or AAAA of course)
18:23 -!- nb is now known as i
18:27 < rob0> openvpn.org.            30      IN      A       174.36.59.154
18:27 < rob0> yikes, that's a crazy TTL
18:34 < krzee> ircpimps            IN   A     <ill tell whoever will add it, if they decide they will>
18:34 < krzee> lol
18:47 -!- i is now known as nb
19:01 -!- LobbyZ [~default@188.72.255.194] has quit [Ping timeout: 265 seconds]
19:05 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 246 seconds]
19:06 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
19:21 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
19:29 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
19:36 -!- theDoc [~jaki@119.73.165.162] has joined ##openvpn
19:41 -!- theDoc [~jaki@119.73.165.162] has quit [Ping timeout: 265 seconds]
19:45 -!- theDoc [~jaki@69.10.59.166] has joined ##openvpn
19:47 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
19:48 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
19:57 -!- tekk [~me@cpc3-shep11-2-0-cust599.8-3.cable.virginmedia.com] has quit [Ping timeout: 265 seconds]
20:06 -!- troy- [647ddeaf52@bgp4.us] has joined ##openvpn
20:07 -!- theDoc [~jaki@69.10.59.166] has quit [Changing host]
20:07 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:09 < theDoc> morin' all.
20:22 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
20:33 -!- tekk [~me@cpc3-shep11-2-0-cust599.8-3.cable.virginmedia.com] has joined ##openvpn
21:13 -!- timbul [~aryo@125.162.237.164] has joined ##openvpn
21:14 < timbul> hello, i have problem to configure openvpn, any body can help me
21:15 < timbul> ?
21:17 < theDoc> !welcome
21:17 < vpnHelper> theDoc: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:18 < timbul> ilyas@gto:/etc/openvpn/2.0$ sudo ./build-ca
21:18 < timbul>   Please edit the vars script to reflect your configuration,
21:18 < timbul>   then source it with "source ./vars".
21:18 < timbul>   Next, to start with a fresh PKI configuration and to delete any
21:18 < timbul>   previous certificates and keys, run "./clean-all".
21:18 < timbul>   Finally, you can run this tool (pkitool) to build certificates/keys.
21:19 < timbul> under keys directory is no file any more
21:19 < theDoc> Seems like you haven't edited things right
21:20 < timbul> its sars content 
21:20 < timbul> :
21:20 < timbul> # easy-rsa parameter settings
21:20 < timbul> # NOTE: If you installed from an RPM,
21:20 < timbul> # don't edit this file in place in
21:20 < timbul> # /usr/share/openvpn/easy-rsa --
21:20 < timbul> # instead, you should copy the whole
21:20 < timbul> # easy-rsa directory to another location
21:20 < timbul> # (such as /etc/openvpn) so that your
21:21 < timbul> # edits will not be wiped out by a future
21:21 < timbul> # OpenVPN package upgrade.
21:21 < timbul> # This variable should point to
21:21 < timbul> # the top level of the easy-rsa
21:21 < timbul> # tree.
21:21 < timbul> export EASY_RSA="`pwd`"
21:21 < timbul> #
21:21 < timbul> # This variable should point to
21:21 < timbul> # the requested executables
21:21 < timbul> #
21:21 < timbul> export OPENSSL="openssl"
21:21 < timbul> export PKCS11TOOL="pkcs11-tool"
21:21 < timbul> export GREP="grep"
21:21 < timbul> # This variable should point to
21:21 < timbul> # the openssl.cnf file included
21:21 < timbul> # with easy-rsa.
21:21 < timbul> export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
21:21 < timbul> # Edit this variable to point to
21:21 < timbul> # your soon-to-be-created key
21:21 < timbul> # directory.
21:21 < timbul> #
21:21 < timbul> # WARNING: clean-all will do
21:21 < timbul> # a rm -rf on this directory
21:21 < timbul> # so make sure you define
21:21 < timbul> # it correctly!
21:21 < timbul> export KEY_DIR="$EASY_RSA/keys"
21:21 < timbul> # Issue rm -rf warning
21:21 < timbul> echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
21:22 < timbul> # PKCS11 fixes
21:22 < timbul> export PKCS11_MODULE_PATH="dummy"
21:22 < timbul> export PKCS11_PIN="dummy"
21:22 < timbul> # Increase this to 2048 if you
21:22 < timbul> # are paranoid.  This will slow
21:22 < timbul> # down TLS negotiation performance
21:22 < timbul> # as well as the one-time DH parms
21:22 < timbul> # generation process.
21:22 < timbul> export KEY_SIZE=1024
21:22 < timbul> # In how many days should the root CA key expire?
21:22 < timbul> export CA_EXPIRE=3650
21:22 < timbul> # In how many days should certificates expire?
21:22 < timbul> export KEY_EXPIRE=3650
21:22 < timbul> # These are the default values for fields
21:22 < timbul> # which will be placed in the certificate.
21:22 < timbul> # Don't leave any of these fields blank.
21:22 < timbul> export KEY_COUNTRY="ID"
21:22 < timbul> export KEY_PROVINCE="GORONTALO"
21:22 < timbul> export KEY_CITY="Gorontalo"
21:22 < timbul> export KEY_ORG="bkpgorontalo"
21:22 < timbul> export KEY_EMAIL="bkpgorontalo@yahoo.com"
21:22 < timbul> i just change to this line: export KEY_COUNTRY="ID"
21:22 < timbul> export KEY_PROVINCE="GORONTALO"
21:22 < timbul> export KEY_CITY="Gorontalo"
21:22 < timbul> export KEY_ORG="bkpgorontalo"
21:22 < timbul> export KEY_EMAIL="bkpgorontalo@yahoo.com"
21:27 -!- mode/##openvpn [+o ecrist] by ChanServ
21:27 -!- mode/##openvpn [+b timbul!*@*] by ecrist
21:34 -!- mode/##openvpn [-b timbul!*@*] by ecrist
21:35 -!- mode/##openvpn [-o ecrist] by ecrist
21:48 < rob0> Ouch!!
21:49 < krzee> holy pastebin!
21:50 < timbul> hi..
21:57 < theDoc> I almost died at that.
21:58 < rob0> Good thing you didn't. You would be missed.
21:58 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
22:00 < theDoc> :?
22:26 < timbul> sorry, last time i send so much question
22:26 < timbul> i can not generate server..
22:27 < torrance1> ok, does anyone have a bridged (tap) server running inside of virtualbox?
22:28 < timbul> after this comand ./build-ca
22:28 < krzee> not i, but you'll need to be sure the vm software can handle promiscuous mode
22:30 < torrance1> krzee: where might i best find that out?
22:30 < torrance1> actually, to clarify, do you mean on the virtual adapter or the host adapter?
22:31 < krzee> the vm software itself
22:31 < krzee> i dont use virtualbox
22:34 < torrance1> does stp come into play at all?
22:35 < krzee> doubtful
22:38 < torrance1> kk
22:38 < torrance1> that's what i thought
22:38 < torrance1> just wanted to confirm
22:42 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
22:43 < timbul> really.., no body can help me..?
22:47 -!- DarthGandalf is now known as DarthGandalf|BNC
22:50 -!- DarthGandalf|BNC is now known as DarthGandalf
22:55 < torrance1> krzee: would the promisc problem keep me from having wan access on my guest OS when the bridge is up?
23:01 < torrance1> interesting
23:01 -!- monkeytwin [~user_name@unaffiliated/monkeytwin] has quit [Quit: leaving]
23:01 < torrance1> the routing table gets borked when the bridge is initiated
23:05 < torrance1> left with only 1 entry
23:05 < torrance1> <localnet> 0.0.0.0 255.255.255.0
23:31 -!- LobbyZ [~default@188.72.255.194] has quit [Ping timeout: 265 seconds]
23:34 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Read error: Connection reset by peer]
23:34 -!- theDoc [~jaki@69.10.59.166] has joined ##openvpn
23:49 -!- tjz [~pc@bb116-14-175-27.singnet.com.sg] has joined ##openvpn
23:49 -!- tjz [~pc@bb116-14-175-27.singnet.com.sg] has quit [Changing host]
23:49 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
--- Day changed Tue Apr 13 2010
00:23 -!- ||arifaX [~ContikiC6@inetpop1.witron.de] has joined ##openvpn
00:23 -!- ||arifaX [~ContikiC6@inetpop1.witron.de] has quit [Changing host]
00:23 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has joined ##openvpn
00:33 -!- Netsplit *.net <-> *.split quits: oc80z, MJD, troy-, Rolybrau, atlantic, plundra, rkantos, medum, master_of_master, agagag,  (+21 more, use /NETSPLIT to show all of them)
00:34 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
00:35 -!- Netsplit over, joins: uchimata, troy-, Rolybrau, ||arifaX, theDoc, MJD, [mutex]__, MrJK, jfkw, master_of_master (+21 more)
00:36 -!- Netsplit *.net <-> *.split quits: +Kasx, max06, Optic, disco-, ScriptFanix, rkantos, @openvpn, ahf, meepmeep, Blu3,  (+65 more, use /NETSPLIT to show all of them)
00:37 -!- Netsplit over, joins: +Kasx, @openvpn, vpnHelper, Rolybrau, troy-, krzie, jpalmer, uchimata, plundra, zero-_ (+65 more)
00:40 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
00:46 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
00:47 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.9/20100402010516]]
00:51 -!- LobbyZ [~default@188.72.255.194] has quit [Ping timeout: 276 seconds]
01:11 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Quit: Leaving]
01:19 -!- f1assistance [~Carl@cpe-071-065-252-227.nc.res.rr.com] has quit [Ping timeout: 265 seconds]
01:30 -!- LobbyZ [~default@188.72.255.194] has joined ##openvpn
02:20 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
02:23 -!- martrandala [~martranda@235.169.191.90.dyn.estpak.ee] has joined ##openvpn
02:31 < martrandala> !welcome
02:31 < vpnHelper> martrandala: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:31 < martrandala> !goal
02:31 < vpnHelper> martrandala: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
02:31 < martrandala> !howto
02:31 < vpnHelper> martrandala: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:31 < martrandala> !route
02:31 < vpnHelper> martrandala: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:32 < martrandala> !logs
02:32 < vpnHelper> martrandala: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
02:33 < martrandala> !interface
02:33 < vpnHelper> martrandala: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
02:33 -!- torrance1 [~torrancew@ip70-172-225-171.br.br.cox.net] has quit [Remote host closed the connection]
02:33 -!- torrance1 [~torrancew@ip70-172-225-171.br.br.cox.net] has joined ##openvpn
02:53 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
02:56 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
02:56 -!- macsppadic [~sonupunno@82.109.74.162] has left ##openvpn []
02:57 < martrandala> Hello. I would like to access a LAN with my laptop over OpenVPN. LAN is configured for 10 computers with several services (samba, dhcp, ftp, etc); I went through http://openvpn.net/index.php/open-source/documentation/howto.html but I ran into a rather peculiar problem; after creating an ethernet bridge I can access the LAN remotely, but all LAN clients lose their ability to access their samba shares. http://pastebin.com/eFGAR7RT I w
02:57 < martrandala> ould appreciate all hints towards the solution.
02:57 < vpnHelper> Title: HOWTO (at openvpn.net)
02:57 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
03:05 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
03:12 -!- krzy [nobody@hemp.ircpimps.org] has joined ##openvpn
03:24 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds]
03:30 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
03:42 -!- julius [~julius@217.20.127.15] has quit [Disconnected by services]
04:05 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
04:13 -!- master_of_master [~master_of@p57B53CE2.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
04:15 -!- master_of_master [~master_of@p57B56268.dip.t-dialin.net] has joined ##openvpn
04:34 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
04:36 < timbul> is there openvpn server for windows..?
04:39 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
04:47 < mwheeler> Yes timbul 
04:47 -!- timbul [~aryo@125.162.237.164] has quit [Ping timeout: 260 seconds]
04:49 -!- theDoc [~jaki@69.10.59.166] has quit [Ping timeout: 264 seconds]
05:40 -!- atmos4 [~sunset@ip-78-94-208-223.unitymediagroup.de] has joined ##openvpn
05:42 < atmos4> hi
05:45 < atmos4> I'm having trouble connecting to an openvpn server portforwarded through a router. If I connect to openvpn on the LAN it works, but the portforwarded connection doesn't and shows No route to host: http://pastebin.com/PReshiYQ
05:45 < atmos4> the connecting IP is reachable by theOpenVPN server through its default gateway and a traceroute works fine
05:46 < atmos4> the router has forwarded port 1194 udp to the openvpn server
05:48 < atmos4> I'm using a similar setup on another router/network without problems
05:54 < atmos4> I also can connect to the same server via portforwarded ssh
06:03 < atmos4> k, seems the router cannot do proper NAT for UDP
06:03 < atmos4> TCP works
06:04 < atmos4> netgear crap ...
06:06 -!- SerajewelKS [~me@wikipedia/Crazycomputers] has quit [Ping timeout: 260 seconds]
06:29 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
06:29 -!- mode/##openvpn [+o mattock] by ChanServ
06:34 -!- krzy [nobody@hemp.ircpimps.org] has quit [Quit: This computer has gone to sleep]
06:35 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
06:38 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Quit: mirco]
06:40 -!- dazo_afk is now known as dazo
07:24 -!- noganex [~noganex@p5DDE6D37.dip.t-dialin.net] has joined ##openvpn
07:25 < noganex> !welcome
07:25 < vpnHelper> noganex: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:25 < noganex> ah
07:25 < noganex> hi guys
07:26 < ecrist> hello
07:27 < noganex> i was wondering... my local network is 192.168.122.0/24 and the remote network is exactly the same. i was wondering if i could access the remote network somehow via 192.168.somethingnot122.0/24?
07:28 < ScriptFanix> noganex: you'll have to play with NAT
07:31 < noganex> sounds like i'd rather change my local net ;)
07:31 < noganex> thanks
07:31 -!- noganex [~noganex@p5DDE6D37.dip.t-dialin.net] has left ##openvpn []
07:52 -!- aryo [~aryo@202.152.172.4] has joined ##openvpn
07:53 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Ping timeout: 276 seconds]
07:58 -!- Error404NotFound [~Eror404@119.153.22.199] has joined ##openvpn
07:58 -!- Error404NotFound [~Eror404@119.153.22.199] has quit [Changing host]
07:58 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
08:04 -!- mekula [~mekulc@h156n2fls32o256.telia.com] has joined ##openvpn
08:10 < mekula> SnickettySnakk Jak Jak Jak :P
08:22 < aryo> hello..
08:22 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:36 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has joined ##openvpn
08:39 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
08:43 -!- toddc [~chatzilla@ip24-251-95-180.ph.ph.cox.net] has left ##openvpn []
09:01 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
09:03 < mekula> aryo: HiyaWatha!
09:04 < aryo> mekula : what is hiyawatha..?
09:07 < mekula> Its a cartoon thingy. You n3ver seen that one ?
09:07 < mekula> Here you go son: http://www.youtube.com/watch?v=4MUuDFeoyvM
09:07 < vpnHelper> Title: YouTube - Little Hiawatha (at www.youtube.com)
09:08 < mekula> You never seen it before ?
09:08 < mekula> Im speakaboo redneckish atm yo! :=)
09:08 < mekula> YeeHaaw!!
09:09 < aryo> little indian
09:09 < mekula> aryo: Cool, anit it ? :=)
09:09 < mekula> ;)
09:10 < aryo> so.., any corellation with openvpn..?
09:10 < mekula> aint, by a kite ? :=)
09:11 < mekula> Oh, yeah... i like to code OSS for kernels and all the surrounding shit for etc
09:11 < mekula> I began learning how to code back in 1996
09:12 < aryo> wow..
09:12 < mekula> Then i got really good at C and GTK+ back in 2000, mabe alot of programs and shit
09:13 < mekula> I just made my page look like a yellabelly phile a crap a week ago or so...
09:13 < mekula> mange.dynalias.org/linux.html
09:14 < mekula> Dont blaim me, id like nothing more then to work with this type of shit.
09:14 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:14 < mekula> I get many thanks from the US military and things. I thank them back but they arent allowed to pay even a dime ?
09:15 < mekula> aryo: where do you live ?
09:16 < aryo> my live, what its important..
09:16 < mekula> (checkout: Blue collar comedy tour but grapple some beers)
09:16 < ecrist> mekula: can we watch the language, please?
09:16 < mekula> No, but thanks for shutting up mrs ecrist
09:17 -!- mode/##openvpn [+o ecrist] by ChanServ
09:17 < |Mike|> behave or leave :)
09:17 -!- mode/##openvpn [+b *!*mekulc@*.telia.com] by ecrist
09:17 -!- mekula was kicked from ##openvpn by ecrist [mekula]
09:17 < |Mike|> that's one hell of an evil ban ecrist 
09:18 <@ecrist> it's what irssi does for /ban
09:18 -!- mode/##openvpn [-o ecrist] by ecrist
09:18 -!- tiav [~tiav@mx.fr.smartjog.net] has joined ##openvpn
09:21 -!- Irssi: ##openvpn: Total of 99 nicks [2 ops, 0 halfops, 1 voices, 96 normal]
09:21 < rob0> Thanks.
09:22 < rob0> That idiot was annoying yesterday, too.
09:22 < ecrist> oh, was he?
09:22 < ecrist> I'm sorry for not catching that.
09:22 < ecrist> I don't mind general conversation, but rudeness and flat-out disprespect doesn't sit well with me.
09:22 < rob0> oh he was trying to argue that VPN over TCP is fine
09:22 < ecrist> lol
09:23 < rob0> and I set him straight and he was an idiot about it
09:23  * ecrist reads the buffer
09:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
09:25 < ecrist> yeah, reading the buffer makes me feel better about the +b
09:25 < ecrist> the problem with a popular channel is that we've got to expect more of that crap.
09:25 < ecrist> :\
09:27 < |Mike|> ecrist: /set ban_type
09:27 -!- nate [~nate@unaffiliated/nate] has joined ##openvpn
09:27 < nate> !configs
09:28 < vpnHelper> nate: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
09:28 -!- nate [~nate@unaffiliated/nate] has left ##openvpn []
09:28 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Quit: Leaving...]
09:29 < ecrist> |Mike|: what don't you like about that ban?
09:35 -!- Futility [~Futility@h156n2fls32o256.telia.com] has joined ##openvpn
09:40 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:41 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
09:42 < rob0> ecrist, when he started off this time, I saw it and was expecting it to turn stupid. Then I went AFK, came back after the ban.
09:43 < rob0> Only thing I would suggest is to give them a chance to mend their ways, like Mike's warning ... occasionally they will back down. Not usually of course.
09:44 -!- nate [~nate@unaffiliated/nate] has joined ##openvpn
09:45 < rob0> All in all, I think it was a gain for the channel.
09:45 < nate> where can I find a sample windows client config
09:45 < ecrist> nate: windows/linux configs are the same
09:45 < ecrist> the only difference is the path slashes
09:45 < nate> exactly, that's the problem I'm having
09:45 < ecrist> c:\\foo\\beans\\bar
09:45 < rob0> (and a few windows-only/unix-only settings)
09:46 < nate> it's saying it can't find my key/cert and I can't figure out what the heck kind of path it wants
09:46 < ecrist> just double your slashes
09:46 < ecrist> if the config and keys are in the same dir, no need for a path
09:46 < nate> since it's apparently not realative to the config
09:46 < nate> they are
09:46 < nate> and it fails on fopen
09:46 < ecrist> are they readable by the process?
09:47 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:48 < nate> I'm an admin, so I don't see why not
09:50 < nate> Cannot load certificate file client.crt: error:0200107B:system library:fopen:Unknown error: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
09:50 < nate> is the error
09:50 < Futility> Mape!!!
09:51 < nate> thats with no path to the file, in the same dir as the config
09:51 < Futility> I have NEWSMURF! ... Who are you girls and gents !?
09:51 < nate> client config is a copy of my linux client config with tun change to tap and persist-tun removed
09:52 < ecrist> nate, are you using the windows gui?
09:52 < nate> yes
09:52 < Futility> nate: The Linnux GUI's are clearly better. Heck, i made some of em.
09:52 < nate> Futility: never used a gui in linux
09:53 < nate> so yeah, that error is a bit too cryptic for me to figure out
09:54 < Futility> Server GUI: http://mange.dynalias.org/linux/gadmintools-webpage/
09:54 < vpnHelper> Title: The GAdmintools Project (at mange.dynalias.org)
09:54 < |Mike|> ecrist: it's pretty easy to work around that ban, asin changing his ident :)
09:54 < Futility> Client GUI: http://mange.dynalias.org/linux/gadmintools-webpage
09:54 < vpnHelper> Title: The GAdmintools Project (at mange.dynalias.org)
09:54 < rob0> |Mike|: and he did ;)
09:54 < Futility> He* Yeehaw!
09:55 < nate> well it's not Linux that I'm having a problem with. that was the easy part.
09:55 < nate> my win7 install is the issue
09:55 < |Mike|> rob0: hehe, why am I not surprised :P
09:56 < rob0> nate, looks like a file format error to me, the certificate file client.crt is not what openssl needed it to be, for some reason only you can begin to guess.
09:56 < Futility> The multinational and global lovings and prices... Well!!!, You are allowed to ignore my encodings my friends.
09:56 -!- mode/##openvpn [+o ecrist] by ChanServ
09:57 < Futility> B
09:57 -!- mode/##openvpn [+b *!*@h156n2fls32o256.telia.com] by ecrist
09:57 -!- Futility was kicked from ##openvpn by ecrist [Futility]
09:57 < rob0> :)
09:58 -!- mode/##openvpn [-o ecrist] by ecrist
09:58 < rob0> I'm greatly amused by the fact that the first thing he saw when rejoining was me, talking about how stupid he was.
09:58 < ecrist> LOL
09:59 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
09:59 < ecrist> next we'll just do a domain ban
10:00 < rob0> telia is big, that would not be good
10:00 < ecrist> ban are only temp
10:00 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
10:00 < ecrist> nobody else from telia currently in the channel
10:01 < ecrist> a bridge to cross if the time comes.
10:01 < ecrist> for some, even an domain ban wouldn't suffice
10:01 < ecrist> depends on how bored he is, I suppose
10:02 < |Mike|> next time we're going to call his provider to disconnect him :P
10:04 < |Mike|> http://pastie.org/917546
10:05 < ecrist> not a lot of folks coming in from telia
10:06 < rob0> Wow, that is interesting.
10:08 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
10:09 < rob0> h[[:digit:]]+n[12]fls3[24]o[[:digit:]]+@telia\.com
10:10 < ecrist> I suspect it wouldn't be that difficult to figure out their host masking, given enough samples.
10:12 < rob0> some ISPs might even have a web page telling you, I know AOL does.
10:12 < ecrist> that mask if freenode, not telia
10:12 < ecrist> I think
10:12 < |Mike|> freenode doesn't handle host masking imho
10:12 < |Mike|> only those unaffiliated/username's
10:13 < ecrist> oh, that's right
10:13 -!- theDoc [~jaki@69.10.59.166] has joined ##openvpn
10:13 -!- theDoc [~jaki@69.10.59.166] has quit [Changing host]
10:13 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
10:13 < |Mike|> Like theDoc :)
10:13 < theDoc> Err?
10:13 < ecrist> we know your IP, sucka!
10:14 < theDoc> am I supposed to give you an award for that? ;p
10:15 < theDoc> I can't believe my sales guy misquoted an entire quotation.
10:15  * theDoc sighhhs ;p
10:15 < theDoc> More work, work work work.
10:16 < |Mike|> hehe, better than installing win2k8 on KVM :P
10:16 < theDoc> |Mike|> Ew, sounds crappy.
10:31 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:38 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:44 -!- Cope [~stephen@li145-168.members.linode.com] has joined ##openvpn
10:46 < aryo> crazy.............
10:47 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has quit [Ping timeout: 258 seconds]
10:51 -!- aryo [~aryo@202.152.172.4] has quit [Quit: Leaving]
11:31 -!- eKKiM [~ekkim@d5152FCBD.static.telenet.be] has joined ##openvpn
11:31 < eKKiM> !welcome
11:31 < vpnHelper> eKKiM: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:32 < eKKiM> !redirect
11:32 < vpnHelper> eKKiM: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
11:32 < eKKiM> !nat
11:32 < vpnHelper> eKKiM: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
11:33 -!- macsppadic [~sonupunno@82.109.74.162] has left ##openvpn []
11:50 -!- eKKiM [~ekkim@d5152FCBD.static.telenet.be] has quit [Ping timeout: 276 seconds]
11:51 -!- openvpn2009 [~admin@adsl-71-140-186-185.dsl.pltn13.pacbell.net] has joined ##openvpn
11:51 -!- mode/##openvpn [+o openvpn2009] by ChanServ
11:52 -!- nate [~nate@unaffiliated/nate] has left ##openvpn []
11:52 -!- eKKiM [~ekkim@d5152FCBD.static.telenet.be] has joined ##openvpn
11:55 < eKKiM> !def1
11:55 < vpnHelper> eKKiM: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
11:56 < eKKiM> !ipforward
11:56 < vpnHelper> eKKiM: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
11:56 < eKKiM> !linipforward
11:56 < vpnHelper> eKKiM: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
11:59 < eKKiM> !linnat
11:59 < vpnHelper> eKKiM: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
11:59 < eKKiM> Hmm
11:59 < eKKiM> i did all these steps
11:59 < eKKiM> and still doesn't work =/
11:59 < eKKiM> is it normall there is no Default Gateway set?
12:05 -!- eKKiM [~ekkim@d5152FCBD.static.telenet.be] has quit []
12:27 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
12:52 -!- dazo is now known as dazo_afk
13:20 -!- eKKiM [~ekkim@d5152FCBD.static.telenet.be] has joined ##openvpn
13:21 < eKKiM> Is there a way to force the OpenVPN Network Device on windows to a 100 Mbit or even gbit speed instead of 10 Mbit?
13:21 < ecrist> eKKiM: I think the interface speed is a misnomer
13:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
13:31 -!- martrandala [~martranda@235.169.191.90.dyn.estpak.ee] has quit [Quit: Leaving]
13:32 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 248 seconds]
13:38 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
13:46 -!- fellipe_brasil [~fellipe@201.17.33.165] has joined ##openvpn
13:46 < fellipe_brasil> hi everyone, do I have to make certificates or I just have to generate a key to copy to the vpn clients?
13:49 -!- smerz [~daniel@smerz.demon.nl] has quit [Quit: Ex-Chat]
13:56 -!- fellipe_brasil [~fellipe@201.17.33.165] has quit [Quit: Leaving]
14:15 -!- krzy [nobody@hemp.ircpimps.org] has joined ##openvpn
14:15 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
14:39 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:41 -!- krzy [nobody@hemp.ircpimps.org] has quit [Quit: This computer has gone to sleep]
14:41 -!- openvpn2009 [~admin@adsl-71-140-186-185.dsl.pltn13.pacbell.net] has quit [Quit: ircN 8.00 for mIRC (20080809) - www.ircN.org]
14:54 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
14:54 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Read error: Connection reset by peer]
15:13 -!- openvpn2009 [~admin@adsl-71-140-186-185.dsl.pltn13.pacbell.net] has joined ##openvpn
15:13 -!- mode/##openvpn [+o openvpn2009] by ChanServ
15:26 -!- max06 [~max06@freenode/sponsor/max06] has left ##openvpn ["Verlassend"]
15:28 -!- monkeytwin [~user_name@i.dont.get.mad.i.get.stabby.net] has joined ##openvpn
15:28 -!- monkeytwin [~user_name@i.dont.get.mad.i.get.stabby.net] has quit [Changing host]
15:28 -!- monkeytwin [~user_name@unaffiliated/monkeytwin] has joined ##openvpn
15:35 -!- monkeytwin [~user_name@unaffiliated/monkeytwin] has quit [Quit: leaving]
15:38 -!- monkeytwin [~user_name@i.dont.get.mad.i.get.stabby.net] has joined ##openvpn
15:38 -!- monkeytwin [~user_name@i.dont.get.mad.i.get.stabby.net] has quit [Client Quit]
15:39 -!- monkeytwin [~user_name@i.dont.get.mad.i.get.stabby.net] has joined ##openvpn
15:40 -!- monkeytwin [~user_name@i.dont.get.mad.i.get.stabby.net] has quit [Client Quit]
15:43 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
15:47 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
15:54 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
16:00 -!- krzie [~krzee@unaffiliated/krzee] has quit [Quit: User abortion with 5 coathooks]
16:00 -!- krzee [krzee@unaffiliated/krzee] has left ##openvpn ["Leaving"]
16:00 -!- krzee [krzee@unaffiliated/krzee] has joined ##openvpn
16:08 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
16:18 -!- tiav [~tiav@mx.fr.smartjog.net] has quit [Remote host closed the connection]
16:27 -!- monkeytwin [~user_name@i.dont.get.mad.i.get.stabby.net] has joined ##openvpn
16:29 -!- monkeytwin [~user_name@i.dont.get.mad.i.get.stabby.net] has quit [Client Quit]
17:13 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
17:20 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Quit: Leaving]
17:30 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
19:11 -!- eKKiM [~ekkim@d5152FCBD.static.telenet.be] has quit [Ping timeout: 246 seconds]
19:38 -!- atmos4 [~sunset@ip-78-94-208-223.unitymediagroup.de] has quit [Quit: atmos4]
20:00 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
20:02 -!- tjz [~pc@bb116-14-146-190.singnet.com.sg] has joined ##openvpn
20:02 -!- tjz [~pc@bb116-14-146-190.singnet.com.sg] has quit [Changing host]
20:02 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:45 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
20:59 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
21:06 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
21:08 -!- iateadonut [~dan@222.173.119.42] has joined ##openvpn
21:08 < iateadonut> potential route subnet conflict between local LAN [10.8.1.0/255.255.255.0] and remote VPN [10.8.1.0/255.255.255.0] - any clue?
21:09 < theDoc> Overlapping subnet.
21:11 < iateadonut> which is configured where?  i didn't know the client had a subnet configuration.
21:15 -!- iateadonut [~dan@222.173.119.42] has quit [Quit: Leaving.]
21:16 < krzee> its just a warning
21:16 < krzee> oh wait
21:16 < krzee> local lan is 10.8.1.x???
21:16 < krzee> thats weird
21:16 < krzee> and he was right, overlapping subnet :-p
21:17 < krzee> dont use the subnet for vpn same as LAN subnet
21:19 < theDoc> ;p
21:19 < theDoc> Stupid ass of a customer.
21:20 < theDoc> Refusing to buy a support contract and wanting to get a major network investigation done on latency ;p
21:20 < theDoc> Not happening for 250 bucks.
21:20 -!- iateadonut [~dan@222.173.119.42] has joined ##openvpn
21:20 < iateadonut> anyone say anything useful (to me) while i was gone?
21:21 < theDoc> Yes.
21:21 < theDoc> Overlapping subnet from your local lan and vpn subnet.
21:21 < theDoc> It's going to cause problems.
21:21 < iateadonut> where is that configured?
21:22 < theDoc> Just change the subnet that you use for your remote vpn.
21:22 < theDoc> Problem magically goes away.
21:22 < iateadonut> ok... config on the server.
21:22 < iateadonut> thanks.
21:23 < iateadonut> is there a good alternative to server 10.8.1.0, or is anything ok?
21:24 < theDoc> Try anything like, 10.23.32.0
21:24 < theDoc> or something
21:24 < theDoc> Who knows.
21:27 < iateadonut> we will soon.
21:31 -!- Disk1of5 [~disk1of5@linxufordummies/Disk1of5] has joined ##openvpn
21:32 -!- iateadonut [~dan@222.173.119.42] has quit [Ping timeout: 248 seconds]
21:34 < Disk1of5> hello, i have a interesting problem that i can use some help with, i have a openvpn set for dev tap and  server-bridge i can log in and see my internal network but i can't brows the internet .. i can resolve host names to ip's with a pings but im not getting any ICMP responses
21:34 -!- iateadonut [~dan@222.173.119.42] has joined ##openvpn
21:35 < Disk1of5> i don't think its a DNS issue.. but it seems like traffic isn't making it back properly..
21:36 < Disk1of5> can any one plz help me iv been over the documentation, and im stuck on where to start trouble shooting thing.. im hoping its something as simple as a routing statement
21:37 < theDoc> !goals
21:37 < vpnHelper> theDoc: Error: "goals" is not a valid command.
21:37 < theDoc> !goal
21:37 < vpnHelper> theDoc: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
21:37 < theDoc> !pastebin
21:37 < theDoc> !log
21:37 < vpnHelper> theDoc: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
21:37 < vpnHelper> theDoc: Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
21:37 < Disk1of5> !welcome
21:37 < vpnHelper> Disk1of5: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:38 < krzee> [19:11]  <iateadonut> potential route subnet conflict between local LAN [10.8.1.0/255.255.255.0] and remote VPN [10.8.1.0/255.255.255.0] - any clue?
21:38 < krzee> oh nm
21:38 < krzee> i misunderstood the next line i was gunna paste
21:38 < krzee> heheh
21:39 < krzee> Disk1of5, why are you bridging?
21:39 < krzee> because some howto said so or because you have a specific layer2 protocol you need over your vpn?
21:39 < krzee> !tunortap
21:39 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
21:39 < vpnHelper> krzee: against you over the vpn
21:41 < Disk1of5> krzee, my ip range is 192.168.1.x so im using the bridging on the vpn server to bridge ips 192.168.1.20 to 192.168.0.1.30.. and that part works.. im assigned an ip in that range and i can see all my pc's on 192.168.1.X but not able to brows the net
21:41 < iateadonut> oh nm?
21:41 < krzee> did you misunderstand my question?
21:41 < krzee> i didnt ask "what problem are you having while bridging"
21:41 < krzee> [19:41]  <krzee> Disk1of5, why are you bridging?
21:41 < krzee> [19:42]  <krzee> because some howto said so or because you have a specific layer2 protocol you need over your vpn?
21:42 < Disk1of5> krzee, because due to my research i was under the influence that bridge would meet my needs
21:43 < Disk1of5> krzee, perhaps i'm wrong?
21:43 < krzee> it only meets your needs if your needs are "i need a specific layer2 protocol to work over my vpn"
21:43 < krzee> as !tunortap said
21:43 < krzee> [19:42]  <krzee> !tunortap
21:43 < krzee> [19:42]  <vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
21:45 < Disk1of5> well then it looks like i should be using dev tun
21:46 < Disk1of5> thnx krzee for pointing that out to me
21:49 < iateadonut> still get that same message when using another subnet... i'm only configuring on the server though - i don't see any place to configure on the client.
21:49 < iateadonut> (and i'm about to try something, so i will likely lose my connection.)
21:49 < theDoc> I still say, tap should only be used in certain cases. Most people are only going to be using tun.
21:49 < theDoc> iateadonut> pastebin your config with your network setup
21:49 < krzee> np Disk1of5 
21:50 < krzee> iateadonut, client side is its LAN subnet
21:50 < krzee> not related to openvpn
21:50 < krzee> basically, your LAN subnet cant conflict with your VPN subnet
21:50 < krzee> what is your lan network and netmask?
21:50 < theDoc> I still say he's doing something wrong ;p 
21:50  * theDoc whistles.
21:50 < krzee> im guessing something like 10/8
21:51 < krzee> so that 10.* in VPN subnet would be a conflict
21:51 < iateadonut> inet addr:192.168.100.69  Bcast:192.168.100.255  Mask:255.255.255.0
21:51 < krzee> hrm, wtf
21:51 < krzee> !configs
21:51 < rob0> I am doing something wrong too.
21:51 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
21:51 < krzee> !interface
21:51 < vpnHelper> krzee: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
21:51 -!- Disk1of5 [~disk1of5@linxufordummies/Disk1of5] has quit [Quit: Ex-Chat]
21:51 < krzee> i only need interface info from client
21:51 < krzee> gimme both configs tho
21:51 < iateadonut> ok.  let me try one thing first.  (i really appreciate the help.)
21:52 < theDoc> Well, it's a 10.*/24 so he should be fine really ;p
21:53 < iateadonut> ifconfig on both server and client, right?
21:54 < theDoc> Yes.
21:57 < iateadonut> http://pastebin.com/P5ut0GQK
22:07 < krzee> the client in question is not client1, right?
22:11 < iateadonut> it is.
22:12 < theDoc> Did you restart the vpn service?
22:13 < iateadonut> the config i just put up is just having restarted on both client and server
22:14 < iateadonut> should i post the debugging thing from both?
22:15 < krzee> im gunna go with yes
22:15 < krzee> cause i dont see the problem
22:16 < iateadonut> neither do i, but i'm no expert.
22:16 < iateadonut> posting now...
22:16 < iateadonut> the first line of the client file doesn't have to say 'client1' or anything, right?
22:16 < krzee> nope
22:16 < iateadonut> if there's no problem, i must've made the configuration files incorrectly.
22:16 < krzee> but is that client client1?
22:17 < iateadonut> yes.
22:17 < krzee> cause i dont understand your iroute statement if so
22:17 < krzee> why would you iroute 10.0.0.0 when on lan 192.168.100.x
22:17 < krzee> !iroute
22:17 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
22:18 < iateadonut> that's a config file on the server, right?  my lan 192 is on my local network here where my client is.
22:18 < iateadonut> oh.
22:19 < iateadonut> ok.  let me change that.
22:19 < krzee> are you trying to share a lan behind the client?
22:19 < krzee> (over the vpn)
22:19 < iateadonut> no.
22:19 < krzee> then you dont need an iroute
22:19 < krzee> are you trying to share a lan the server is on to clients?
22:19 < iateadonut> yes.
22:20 < krzee> then you simply push a route to clients in the server config
22:20 < krzee> i dont see a server lan in its ifconfig
22:20 < krzee> it has an inet routable ip on eth0, not a lan
22:21 < iateadonut> oh my.  that eth0 has an old ip address.
22:21 < iateadonut> they just moved my server.
22:21 < krzee> hehe
22:21 < krzee> then howd you connect to it!?
22:22 < iateadonut> yeah.
22:22 < iateadonut> that's really wierd.
22:22 < krzee> lol
22:22 < iateadonut> you can try yourself if you wish.
22:22 < krzee> im working
22:22 < krzee> forget bout the lan for now
22:22 < krzee> lose the ccd entry
22:22 < krzee> see if it connects
22:22 < iateadonut> i mean, if you want to see how wierd it is, you can ssh into my box and then ifconfig.
22:22 < iateadonut> ok.
22:22 < krzee> when you are actually on a lan we can see bout routing the lan over ovpn ;)
22:23 < krzee> but it amounts to a push route and being sure ipforwarding is enabled (!ipforward)
22:23 -!- Uriell [uriel@hurricane.urts.info] has joined ##openvpn
22:23 < Uriell> !welcome
22:23 < vpnHelper> Uriell: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
22:24 < Uriell> What would be my best solution, routing or bridging? the scenario is openvpn server on debian and clients on windows 7 (fixed ip's for clients is a must)
22:24 < krzee> !tunortap
22:24 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
22:24 < vpnHelper> krzee: against you over the vpn
22:25 < krzee> so the counter-question is this:  do you need layer2 protocols over your VPN?
22:25 < Uriell> no
22:25 < krzee> you want routed vpn
22:25 < krzee> lets get more specific now
22:25 < krzee> !route
22:25 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
22:25 < krzee> errr
22:25 < krzee> i mean
22:25 < krzee> !goal
22:25 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
22:26 < Uriell> I would like to route some of my clients traffic (all web surfing) to my vpn that runs a proxy
22:27 < krzee> ahh ok
22:27 < krzee> !sample
22:27 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
22:27 < krzee> !routebyapp
22:27 < vpnHelper> krzee: "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
22:27 < Uriell> multiple clients get multiple proxy settings - thats why I must have each client its own IP, all clients on same computer having dif. accounts
22:27 < krzee> !static
22:27 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
22:27 < krzee> !ccd
22:27 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
22:28 < krzee> waitwait
22:28 < Uriell> ?
22:28 < krzee> all clients are on the same computer?
22:29 < Uriell> yes
22:29 < Uriell> windows 7 computer
22:29 < krzee> at the same time?
22:29 < Uriell> could be that they switch between them
22:29 < krzee> well
22:29 < krzee> first, you need admin to start a vpn
22:29 < Uriell> I have
22:29 < krzee> second, if they connect to the same server, things will get fubar
22:29 < krzee> openvpn works on routes
22:30 < Uriell> if each of them get dif. ip
22:30 < krzee> the route to the server will already exist after 1 is connected
22:30 < Uriell> so i'll have to run a server for each client?
22:30 < krzee> and the machine wont know what src ip to use based on user
22:30 < krzee> its not how routing works
22:30 < krzee> i guess you could do that, but any user could still use any other user's proxy
22:31 < Uriell> yeah
22:31 < krzee> hell you could accomplish that WAY easier
22:31 < krzee> 1 vpn connection for all
22:31 < krzee> each user uses a proxy on a diff port
22:32 < krzee> multiple sockd's on the same machine, 1 for each user
22:32 < Uriell> I use dansguardian on the vpn server
22:32 < Uriell> I want to have seperated configs per users
22:32 < krzee> i have no clue what that is
22:32 < Uriell> And I can do that if each of the users have its own ip
22:32 < krzee> well dude
22:32 < Uriell> thats the reason I need fixed ips per users
22:32 < krzee> if all users are on the same machine, they will all have the same ips
22:33 < krzee> lol thats not how addressing and routing work
22:33 < krzee> ESPECIALLY in windows
22:33 < Uriell> I can still seperate then disabling the option to change proxy in the web browser, each user will be able to surf only using his vpn
22:34 < Uriell> and firewall will allow only connection to localhost which will have tcpproxy to the vpn
22:34 < krzee> so then just setup multiple vpn configs and only allow each user to proxy through his proxy port
22:34 < Uriell> multiple vpn servers?
22:34 < krzee> not needed
22:34 < Uriell> i didn't get itthen
22:35 < krzee> you could have multiple vpn servers (serious pain in the ass) or just run the proxy multiple times on different listen ports on 1 server
22:35 < Uriell> will I have seperated ips per clients?
22:35 < krzee> YOU DONT NEED THEM AND WONT HAVE THEM
22:36 < krzee> nothing you do will give different windows users different ips while using the machine at the same time
22:36 < krzee> it just doesnt work that way
22:36 < Uriell> ok, if users log off?
22:36 < Uriell> only 1 user at the time
22:37 < krzee> does his processes live?
22:37 < Uriell> if user logout so no
22:37 < krzee> (i dont use windows)
22:37 < krzee> you seem to be caught up on something you think matters but does not
22:37 < krzee> they do NOT need to have a specific ip dude
22:38 < krzee> you want to config the user by his ip
22:38 < krzee> im telling you that you can have them all on the same ip
22:38 < Uriell> I only need fixed ips per users so dansguardian will be able to serv them with seperated configs
22:38 < krzee> because you will have each with their own proxy server dedicated only to them
22:38 < krzee> run dansgayprogram once for each client, listening on a port only for that client
22:39 < krzee> with a config for that client!
22:39 < Uriell> multiple dansguardians is a possibility, then I don't need vpn at all
22:39 < krzee> personally ild still require vpn
22:39 < Uriell> or i need only to have the traffic secured
22:39 < krzee> unless dan is a master in security
22:40 < rob0> Dan is a strange guy, I suspect. :)
22:40 < krzee> if its Dan Bernstein you might get away with it open to the world ;)
22:40 < rob0> I had to set it up one time, and was greatly amused by the expressions.
22:40  * krzee gets his qmail shield out to block the flames
22:41 < krzee> if its dan kaminsky please do yourself a favor and run it inside a vpn
22:41 < krzee> lol
22:42 < Uriell> ok, if running multiple dansguardians is not an option? I managed to have multiple users with multiple fixed ips on windows at the same time, seperating them from using each other's tunnels using firewall nad removing web browser proxy settings, however it did work for me only when the clients were connected using LAN, never worked if they were connected directly using ADSL
22:42 < Uriell> I got the DHCP error even I have it running
22:42 < Uriell> tried the ip-win32 options and they all didn't work
22:43 < iateadonut> anyone have a guess as to how my server ip could have been changed to y.y.y.y - this is what i can ssh into, but when i hit ifconfig, it shows x.x.x.x, my old ip address (before the vps hosting company moved the server)?
22:43 < Uriell> were using bridged networking
22:44 < krzee> iateadonut, im guessing you need to update some config files
22:44 < krzee> basic networking, very much not related to a vpn
22:45 < iateadonut> that's true.  i think that's the problem with my vpn, though.
22:45 < iateadonut> anyway, thanks for checking over all my stuff.
22:46 < krzee> yw
22:51 < iateadonut> here's with the debugging output if you wouldn't mind taking a look: http://pastebin.com/krqGJAs6
22:52 < krzee> its not complaining anymore
22:53 < krzee> :-p
22:53 < krzee> thats logs from a successful connection
22:54 < troy-> krzee!
22:54 < troy-> how are ya?
22:55 < krzee> im doing good, how you been?
22:55 < troy-> pretty good! living
22:55 < troy-> working
22:55 < troy-> sleeping :<
23:00 < krzee> right on
23:16 < Uriell> !wins
23:16 < vpnHelper> Uriell: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
23:24 -!- iateadonut [~dan@222.173.119.42] has left ##openvpn []
23:25 -!- krzee [krzee@unaffiliated/krzee] has quit [Quit: Leaving]
23:45 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
--- Day changed Wed Apr 14 2010
00:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
00:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
00:31 -!- ||arifaX [~ContikiC6@inetpop1.witron.de] has joined ##openvpn
00:31 -!- ||arifaX [~ContikiC6@inetpop1.witron.de] has quit [Changing host]
00:31 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has joined ##openvpn
00:34 < krzee> meep meep
00:44 -!- CraigSJD [~Craig@cpe-24-166-74-198.neo.res.rr.com] has joined ##openvpn
00:46 < CraigSJD> I know this isn't the main purpose of OpenVPN, but hoping it can help.  I can a server in a datacenter with a public IP, and the only 2 ports I currently have open to the public are 1194 for OpenVPN and SSH.  Is it possible to configure OpenVPN so that when I connect to it I can access the server through the tunnel so I can set pf to allow traffic to any port from people on the VPN?
00:46 < CraigSJD> *I have a server...
00:48 < CraigSJD> my tun0 shows 10.8.1.1 ---> 10.8.1.2 however from my computer that is VPNd in (10.8.1.6) I cannot access the server via 10.8.1.2, the only way to still access it is via the public IP
00:48 < CraigSJD> (I'll post any config or log file requested)
00:55 < krzee> i dont understand what you're saying
00:55 < krzee> tun will always show .2, but the client is .6
00:55 < krzee> .2 is something internal
00:55 < krzee> !/30
00:55 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
00:56 < krzee> you can avoid that now, it is default topology for backwards compatibility, but there is now a better way
00:56 < krzee> !topology
00:56 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
00:57 < krzee> if you are using 2.1 on all sides you can do that, and clients will get .2 .3 .4 instead of .6 .10 .14
00:59 < theDoc> Quote for truth ^
01:01 < krzee> and yes, just by creating a simple vpn you can access anything on the server which runs at 10.8.1.1:anyport
01:01 < krzee> they cant block that even if they wanted to
01:02 < krzee> because it is tunneled in over openvpn, all they see is the outter vpn stream
01:04 < CraigSJD> so what im trying to do is port 80 is closed to the outside world, and i want to be able to VPN in to access port 80.  i can VPN in just fine however if i try to go to http://10.8.1.1 i just get a could not connect error
01:05 < krzee> is your webserver running on port 80?
01:05 < krzee> err
01:05 < CraigSJD> yes
01:06 < krzee> 10.8.1.1:80
01:06 < krzee> does apache bind to it, and does apache serve pages on that ip?
01:06 < CraigSJD> hmm, good question
01:07 < krzee> if you can ping 10.8.1.1 its not a vpn issue
01:07 < krzee> from there its "is something listening" and "is something blocking"
01:08 < CraigSJD> no i cannot ping 10.8.1.1 (even with pf disabled)
01:10 < krzee> ok, then its a vpn problem =]
01:10 < krzee> !configs
01:10 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
01:10 < krzee> read that carefully pls
01:12 < CraigSJD> do you want all configs in 1 paste?  or multiple
01:15 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
01:17 < CraigSJD> http://pastebin.com/Ujw8rnKx
01:17 < CraigSJD> I believe thats everything
01:19 < CraigSJD> i'm honestly not sure what the push route 10.55.0.0 is for, it was just in all the examples i saw
01:21 < theDoc> Don't push random routes without knowing -exactly- what they do.
01:21 < CraigSJD> ok ill remove that one
01:21 < theDoc> They have a tendency to break things if you start pushing random routes around
01:21 < krzee> not only that
01:22 < krzee> read the manual on every option you use
01:22 < krzee> it'll help you a ton in knowing whats going on
01:22 < theDoc> Call me cynical or something but I'm really curious as to why people like to push random routes around and pray that it works.
01:22 < krzee> client is windows or unix?
01:22 < CraigSJD> yea this is actually based on a config that i was using where my server was at my house and with an internal IP.  with that setup i still couldnt hit 10.8.1.1 but i could hit the internal IP of the server and all was well
01:23 < CraigSJD> now im trying to adapt it to my new server
01:23 < CraigSJD> client is windows
01:23 < krzee> you need full path to files
01:23 < theDoc> Ah.
01:23 < CraigSJD> theDoc:  i was assuming that was something internal to openvpn?  it was in all of the examples i saw from people who aparantly shouldnt have been pushing it so i assumed it was supposed to be there
01:24 < CraigSJD> krzee, the VPN connects just fine, i just cant ping 10.8.1.1, but ill give it a try with absolute paths
01:24 < krzee> it connects just fine and you cant ping
01:24 < krzee> heh
01:24 < CraigSJD> lol let me reword, it doesnt error and i get an IP
01:24 < krzee> with all firewalls off
01:25 < CraigSJD> i get an IP regardless of firewall.  even with firewall off i cant ping or hit port 80
01:25 < krzee> you seen the log output and dont see errors?
01:25 < krzee> windows firewall is off?
01:25 < theDoc> brb, phone
01:26 < CraigSJD> i just tried again with absolute paths to the files with the same result.  i didnt try disabling the windows firewall, doing that now
01:27 < CraigSJD> same result with windows firewall off
01:27 < krzee> is there a lan behind the client?
01:27 < CraigSJD> client is behind a wireless router
01:27 < krzee> which you want access to from the server or other clients?
01:28 < CraigSJD> i want the client to access the server
01:28 < CraigSJD> i dont care about other clients in this case
01:28 < krzee> get rid of the iroute
01:28 < krzee> !iroute
01:28 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
01:29 < CraigSJD> !ccd
01:29 < vpnHelper> CraigSJD: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
01:30 < CraigSJD> removing the iroute produces the same result
01:31 < krzee> !logs
01:31 < vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
01:31 < CraigSJD> sure, one sec let me change verb to 6
01:32 < CraigSJD> hmm... where do the openvpn server logs go?
01:33 < krzee> whereever you tell them to
01:33 < krzee> !man
01:33 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
01:33 < krzee> see --log
01:33 < CraigSJD> lol i dont think i told them to go somewhere
01:33 < CraigSJD> thanks
01:33 < krzee> yw
01:39 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:39 -!- mode/##openvpn [+o mattock] by ChanServ
01:40 < |Mike|> morning.
01:42 < CraigSJD> client log: http://pastebin.com/u1C7Kgea
01:42 < CraigSJD> server log: http://pastebin.com/fAk58WZt
01:44 < CraigSJD> i started server, connected client to VPN, tried to ping 10.8.1.1, then disconnected and stopped server
01:47 < |Mike|> !config
01:47 < vpnHelper> |Mike|: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
01:48 < |Mike|> !configs
01:48 < vpnHelper> |Mike|: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
01:49 < krzee> you know what i see in those logs?
01:49 < CraigSJD> ?
01:49 < krzee> a working vpn
01:50 < krzee> tcpdump on the server
01:50 < CraigSJD> so... why cant i ping 10.8.1.1 if both my server and client have firewalls off?
01:50 < krzee> only on tun interface
01:50 < CraigSJD> is there a !tcpdump?
01:50 < CraigSJD> lol
01:50 -!- dazo_afk is now known as dazo
01:50 < krzee> yes
01:50 < CraigSJD> btw |Mike|, my configs are http://pastebin.com/Ujw8rnKx
01:50 < CraigSJD> !tcpdump
01:50 < vpnHelper> CraigSJD: Error: "tcpdump" is not a valid command.
01:50 < krzee> its man tcpdump
01:50 < krzee> ll
01:50 < krzee> lol
01:50 < CraigSJD> oh
01:51 < krzee> should basically be tcpdump -i tun0
01:51 < krzee> (as root)
01:52 < CraigSJD> 0 packets captured, received, and dropped
01:52 < krzee> were you pinging while dumping?
01:53 < CraigSJD> yes
01:53 < krzee> !interface
01:53 < vpnHelper> krzee: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
01:53 < krzee> is windows running other security software?
01:54 < krzee> such as norton, zonealarm, mcaffee
01:56 < CraigSJD> no
01:56 < CraigSJD> working on the interface request
01:58 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
01:59 < CraigSJD> http://pastebin.com/dWpEtJp9
02:00 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
02:02 < krzee> why so many tap adapters
02:02 < CraigSJD> dunno
02:03 < CraigSJD> its just Windows 7 with VMware and OpenVPN, plus some dev tools
02:03 < krzee> ahh vmware
02:04 < krzee> oh it is the host tho
02:05 < krzee> ok
02:05 < CraigSJD> the windows box is the client
02:06 < CraigSJD> ooh you mean vmware is the host
02:06 < CraigSJD> sorry
02:06 < krzee> i mean the windows machine runs vmware, but is not inside of it
02:06 < CraigSJD> right
02:06 < CraigSJD> sorry, tired
02:09 < krzee> !linfw
02:09 < vpnHelper> krzee: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
02:10 < CraigSJD> not running iptables, im using pf (im on FreeBSD not linux)
02:10 < krzee> oh right
02:10 < krzee> !fbsdfw
02:10 < vpnHelper> krzee: Error: "fbsdfw" is not a valid command.
02:10 < CraigSJD> and before everything i ran pfctl -d to disable it
02:10 < krzee> !bsdfw
02:10 < vpnHelper> krzee: Error: "bsdfw" is not a valid command.
02:11 < CraigSJD> (i just redisabled it, so you can hit apache at http://208.86.227.182/)
02:11 < CraigSJD> you can also ping it, but when i vpn in i cannot ping 10.8.1.1
02:12 < CraigSJD> another interesting thing is while VPNd in it appears i cannot hit 208.86.227.182 either
02:13 < krzee> can the server ping the client at 10.8.1.6?
02:13 < CraigSJD> nope
02:13 < krzee> are you still pushing routes in your server config?
02:14 < krzee> ohhhhhh
02:14 < krzee> 10.0.0.0/8         10.11.22.1         UGS         0        0    re1
02:14 < CraigSJD> i still have the route for 208.86.227.0 in there
02:14 < krzee> wtf is that
02:14 < CraigSJD> re1 is my host's backup network
02:14 < CraigSJD> or my provider's backup network i should say
02:15 < krzee> but dude
02:15 < krzee> its 10/8
02:15 < krzee> meh, then again more specific route is to the vpn, i guess that doesnt hurt anything
02:16 < krzee> comment out the push route
02:16 < CraigSJD> lol i just did and now everything works!
02:16 < CraigSJD> thank you!
02:16 < krzee> yw
02:16 < CraigSJD> <3
02:16 < CraigSJD> lol
02:16 < krzee> i thought you did that awhile ago
02:16 < CraigSJD> i removed the iroute and the route for that 10.55.0.0
02:17 < krzee> [02:21]  <theDoc> Don't push random routes without knowing -exactly- what they do.
02:17 < CraigSJD> i thought he was referring to the 10.55.0.0
02:17 < krzee> that push route was telling your server to route over your vpn a subnet which included your vpn server 
02:17 < theDoc> You would have thought that line would refer to routes that you have no idea what they do ;p
02:18 < CraigSJD> lol yea i guess that makes sense
02:18 < CraigSJD> theDoc, problem was i _thought_ i knew what it was doing
02:18 < krzee> damn theDoc you nailed it all in 1 line and i read all that stuff just to get back to what you orig said
02:18 < krzee> lol
02:18 < theDoc> krzee> ;p
02:18 < |Mike|> haha
02:19 < CraigSJD> easy way or hard way, you both accomplished fixing my problem so i am grateful!
02:19 < krzee> np
02:19 < krzee> repay me by suggesting a movie to watch
02:20 < krzee> lol
02:20 < CraigSJD> hmm
02:20 < CraigSJD> i recently saw 2012 but it was a bit over the top
02:20 < theDoc> No problem, I bill at 250/hr
02:20 < CraigSJD> lol
02:20 < CraigSJD> trying to think what ive seen recently
02:20 < krzee> hope you prorate! lol
02:21 < CraigSJD> theDoc, i dont think i can come up with 250 moves/h to recommend
02:21 < CraigSJD> sorry
02:21  * krzee points to the imdb top 250 list
02:21 < CraigSJD> lol
02:22 < CraigSJD> anyways i would stay, but i dont really have anything to contribute (plus i need to sleep or my daughters gonna be pissed when i dont wake up).  so thank you very much!  and good morning/day/night depending on where you are
02:22 < krzee> !google imdb top 250
02:22 < vpnHelper> krzee: IMDb Top 250: <http://www.imdb.com/chart/top>; IMDb Top 250: <http://www.imdb.com/chart/top?tt0468569>; IMDb top 250 mistakes: <http://www.moviemistakes.com/imdb250>
02:22 < CraigSJD> lol nice
02:22 < theDoc> CraigSJD> You understood it wrong, I bill at $250/hr
02:22 < theDoc> ;p
02:22 < krzee> nite
02:23 < CraigSJD> lol i understood it right, but i took advantage of you not clarifying your requirements for assistance
02:23 < CraigSJD> *for providing assistance
02:23  * theDoc taps his foot impatiently.
02:23 < theDoc> I think someone just fucked up my mac servers really badly.
02:23 < krzee> ooooo
02:23 < theDoc> Yep, someone did.
02:23 < krzee> owned or idiot tech?
02:23 < theDoc> Idiot SI.
02:23 < CraigSJD> well goodnight.  good luck with your mac issue
02:24 -!- CraigSJD [~Craig@cpe-24-166-74-198.neo.res.rr.com] has quit [Quit: Leaving]
02:24 < theDoc> krzee> SI from India.
02:24 < krzee> ouch
02:24 < theDoc> They really have no fucking clue as to what they are doing.
02:24 < krzee> so both, owned by indian tech
02:24 < theDoc> I'm about to burst a vein just trying to get them to send me the commands they used to configure the aggregated links on the Cisco 6500.
02:25 < krzee> just dump configs
02:37 < theDoc> krzee> Problem is, they refuse to.
02:37 < theDoc> I suspect it's either they have no fucking clue or they aren't sure what the fuck they are doing.
02:54 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
03:00 -!- atmos4 [~sunset@ip-78-94-208-223.unitymediagroup.de] has joined ##openvpn
03:04 -!- dazo is now known as dazo_afk
03:17 -!- julius [~julius@217.20.127.15] has joined ##openvpn
03:38 -!- takamichi [~pri@95.211.4.12] has joined ##openvpn
03:48 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
04:00 -!- kyrix [~ashley@81-223-16-245.c-wsechshaus.xdsl-line.inode.at] has joined ##openvpn
04:05 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has quit [Remote host closed the connection]
04:07 -!- kyrix [~ashley@81-223-16-245.c-wsechshaus.xdsl-line.inode.at] has quit [Remote host closed the connection]
04:08 -!- eKKiM [~ekkim@ks311098.kimsufi.com] has joined ##openvpn
04:09 -!- eKKiM [~ekkim@ks311098.kimsufi.com] has quit [Client Quit]
04:14 -!- master_of_master [~master_of@p57B56268.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
04:15 -!- master_of_master [~master_of@p57B55BA8.dip.t-dialin.net] has joined ##openvpn
04:17 < krzee> you dont have access to it?
04:22 < |Mike|> krzee: nope!
04:39 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 264 seconds]
04:41 -!- rebry [rebry-@dhcp-010027.wlan.ntnu.no] has joined ##openvpn
05:14 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
05:15 -!- dazo_afk is now known as dazo
05:17 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
05:37 < Uriell> Windows 7 question: inorder to connect to my openvpn server, Do I have to make the internet connection adapter a "home connection" instead of "public connection"?
05:41 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
06:01 < Fiouz> I don't think so, since it's  a mere outgoing connection
06:17 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
06:17 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
06:19 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
06:19 -!- mode/##openvpn [+o mattock] by ChanServ
06:25 < dazo> Uriell: but you might need to change such settings on your TUN/TAP adapter
06:25  * dazo is not a Windows user so he might be wrong
06:35 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:40 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Read error: No route to host]
06:45 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
06:52 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
06:55 -!- rebrymini [~nnscript@dhcp-105-193.idi.ntnu.no] has joined ##openvpn
06:56 -!- rebry [rebry-@dhcp-010027.wlan.ntnu.no] has quit [Ping timeout: 264 seconds]
07:18 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
07:18 -!- freaky[t] [alpha@freakyy.de] has quit [Ping timeout: 245 seconds]
07:23 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
07:23 -!- rebrymini [~nnscript@dhcp-105-193.idi.ntnu.no] has quit [Ping timeout: 258 seconds]
07:55 < flok420> how can I make sure that client-systems that connect to my vpn-server do not let other networks forward via their system? via some push command?
07:56 < dazo> flok420: sounds more like firewall rules on the server side
07:56 < dazo> but you can never really be sure that the client don't do some NATing
07:57 < flok420> ok. problem is that my boss now uses some kind of lucent/cisco vpn-system which automatically seems to disable tunneling/natting/etc on a client system. and he wants that with openvpn as well
07:59 -!- StewartW [~stewart@213.152.254.36] has joined ##openvpn
08:02 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
08:04 < dazo> flok420: that's not possible with openvpn afaik.  If the client adds NAT rules, it will still do the forwarding ... and I honestly can't imagine that cisco vpn would be anyhow different ... but I can try that out in the evening when I come home from work
08:05 < dazo> flok420: push rules can also be "disabled" by removing --pull from the client config, so you cannot be sure that pushed rules really are used on the client side (you might only confirm it by reading the log files on the server, on more verbose logging)
08:08 -!- penguinFunk [user@unaffiliated/penguinfunk] has joined ##openvpn
08:10 < penguinFunk> hi, how can I join the mailing list to report a bug ?
08:13 < dazo> penguinFunk: yes, please do that! ... https://lists.sourceforge.net/lists/listinfo/openvpn-users
08:14 < vpnHelper> Title: Openvpn-users Info Page (at lists.sourceforge.net)
08:56 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
09:06 -!- xinit [~wouter@mail.pruts.nl] has left ##openvpn []
09:11 < havoc> I don't think that's possible either
09:11 < havoc> doesn't the cisco/checkpoint crap run in kernel-space, and openvpn in user-space?
09:28 < dazo> havoc: not necessarily ... IPsec in general run parts in kernel space ... but f.ex. you have Cisco VPN which runs entirely in user space (f.ex. the open source vpnc Cisco client)
09:29  * dazo have access to a solution based on the latter one
09:29 < havoc> ah
09:30 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:31 < agagag> Hey, I have a client that needs --fragment set to work. I have to set the same on the server and this breaks the other clients. Is there an elegant solution to this? 
09:35 -!- mithridates [~chatzilla@142.166.45.152] has joined ##openvpn
09:45 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
09:47 < agagag> hm, am i asking a stupid question maybe?
09:47  * agagag occasionally does 
09:48 < theDoc> 'sup all.
09:51 -!- StewartW [~stewart@213.152.254.36] has quit [Read error: Operation timed out]
09:52 -!- StewartW [~stewart@213.152.254.36] has joined ##openvpn
09:54 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
10:05 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
10:05 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
10:07 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
10:14 -!- DrPepper [~DrPepper@94.252.35.132] has joined ##openvpn
10:18 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
10:24 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:24 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
10:24 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
10:25 < flok420> dazo: fyi: what my boss said me about the lucent vpn offering is not true; you can still reach other networks on the client system when the lucent vpn is up
10:25 < flok420> found that out with some experimenting
10:25  * dazo thought so
10:32 -!- dmz [~dmz@64.203.207.101.dyn-cm-pool-54.hargray.net] has joined ##openvpn
10:33 < dmz> TLS_ERROR: BIO read tls_read_plaintext error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number; anyone have any idea what this is?
10:34 < Mythmon> !howto
10:34 < vpnHelper> Mythmon: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:38 -!- MarMotte [~supernoob@v7v95-3-78-240-12-72.fbx.proxad.net] has joined ##openvpn
10:38 -!- MarMotte [~supernoob@v7v95-3-78-240-12-72.fbx.proxad.net] has left ##openvpn []
10:39 < dmz> was that for me?
10:40 < flok420> any big companies out there using openvpn?
10:41 < flok420> looking for arguments to persuade $boss to use openvpn instead of that lucent junk
10:41 < dmz> they have a commercial product; just compare prices
10:44 -!- DrPepper [~DrPepper@94.252.35.132] has quit [Read error: Connection reset by peer]
10:52 -!- smellynoser [~ashley@87-194-183-38.bethere.co.uk] has joined ##openvpn
10:53 < smellynoser> Hi
10:53 < smellynoser> If I take out comp-lzo from the servers config, will the clients with comp-lzo fail
10:53 < smellynoser> or will they realise comp-lzo isn't supported and be awesome?
10:56 < theDoc> I believe it will fail.
11:05 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
11:09 -!- DrPepper [~DrPepper@94.252.53.22] has joined ##openvpn
11:25 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
11:31 < flok420> on a virtual ethernetdevice called 'ipv6', ipv6 comes in. now i have a 2001:888:10:3b3-range and would like to let my openvpn-clients use native ipv6 as well. how can i accomplish this?
11:32 < theDoc> I do not think that native v6 support is available on openvpn just yet.
11:32 < theDoc> If you have information that is otherwise, please let me know.
11:33 < flok420> oh ok. thanks.
11:36 -!- scfe [~scfe@213.128.113.197] has joined ##openvpn
11:36 -!- scfe [~scfe@213.128.113.197] has left ##openvpn []
11:36 -!- scfe [~scfe@213.128.113.197] has joined ##openvpn
11:38 < scfe> Hi - I think I have a common problem but despite of this I can't find a solution: ICMP+tcp works great over my openvpn connection but UDP not at all.
11:38 < scfe> I don't have any firewall on my client (Fedora Linux)
11:38 < theDoc> That's hardly a question.
11:39 < scfe> so where should I look to find out what's wrong?
11:39 < scfe> OpenVPN emits no warnings
11:39 < scfe> others use the VPN server without problems
11:39 < theDoc> You haven't said what the problem is with icmp.
11:40 < scfe> theDoc: As I wrote ICMP+tcp are working
11:40 < scfe> only UDP doesn't
11:40 < scfe> I suspected an MTU issue (as I did not send big TCP packages yet)
11:41 < scfe> So I set 'mssfix 900' with 'tun-mtu 1500' - but the situation did not improve
11:41 < theDoc> scfe> When you say it's not working, what is not working. It's like I'm telling you, well mate, ferrari+shell oil works but ferrari+exxon mobil oil doesn't work.
11:41 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
11:41 < scfe> Sorry about that
11:41 < scfe> Actually I just get timeouts, when using dig
11:41 < theDoc> or rather, what do you expect and what are you seeing?
11:42 < scfe> so "dig @... google.com" just waits and then I get the timeout message
11:42 < scfe> as soon I say 'dig +tcp ...' it returns correct results instantly
11:42 < scfe> basically all DNS queries just time out
11:42 < theDoc> I don't think it's a mtu issue, is it just dig that is not working or is everything else also broken?
11:43 < scfe> all dns resolutions do not work
11:43 < scfe> even if I use 'good' servers like 8.8.8.8
11:43 < theDoc> Do you have a dns server set and that configuration pushed down to your connected clients?
11:43 < scfe> nope
11:44 < theDoc> and you said, other people are using the server without problems..
11:44 < scfe> but anyway 'dig @8.8.8.8 google.com' should not depend on any dns server
11:44 < theDoc> Chances are, it's not the server.
11:44 < scfe> yes, therefore I think the server itself is configured correctly
11:44 < theDoc> I wouldn't be tweaking random mtu settings on the client side if I were you.
11:44 -!- DrPepper [~DrPepper@94.252.53.22] has quit [Read error: Connection reset by peer]
11:45 < theDoc> scfe> Have you tried sniffing the packets to see what might be broken?
11:46 < scfe> not yet - anything special that I should look for? I suspect that packages will be sent but no answer packages will arrive. Should I confirm that guess with wireshark?
11:46 < theDoc> Please do.
11:46 -!- scfe [~scfe@213.128.113.197] has left ##openvpn []
11:49 < ScriptFanix> had something like this, and i realised i had a dnat rule forwarding all dns traffic back to my local server...
11:49 < dazo> theDoc: flok420: Native IPv6 is on the way into openvpn ... the code is ready for real testing in the openvpn-testing.git repository ... and ecrist got tar balls ready for "home brewed" compilations, in addition to FreeBSD ports of openvpn-devel based on the same code
11:50 < ScriptFanix> \o/
11:50 < theDoc> dazo> Nice.
11:51 < dazo> another feature people are working on is VLAN support as well, but those patches are not yet in ... in addition to better passtos support
11:52 < theDoc> I may at some point test out ipv6 for my current setup.
11:53 < theDoc> Not right now though, trying to get into proper production.
11:53 < theDoc> But v6 is high on the list of todo.
11:53 < dazo> theDoc: that would really be good!  We're missing a lot of real testers .... we have some who have raised their interest ... but we would benefit having a lot more testers
11:53 < ScriptFanix> i have v6 tunneling working quite well here
11:54 < ScriptFanix> (tap + radvd)
11:54 < theDoc> dazo> I intend to test it out as beta in conjunction with access-server.
11:54 < dazo> that goes even for testers who just want to use the openvpn-testing for general purpose as well
11:54 < theDoc> I'll let you know how that goes in due time, if the finances permit that.
11:54 < dazo> theDoc: sure!
11:54 < theDoc> Although I'm not holding my breath ;p
11:54 < ScriptFanix> dazo: i think i have to try it
11:55 < dazo> ScriptFanix: is that the openvpn-testing code?  or 2.1.1 with bridging TAP?
11:55 < ScriptFanix> 2.1.1
11:55 < theDoc> It's 1, I have to go to bed.
11:55 < theDoc> Good night folks. o/ and a good morning to those of you in the US/EU regions.
11:55 < dazo> theDoc: gnight!
11:56 < dazo> ScriptFanix: yeah, if you have the setup basically there ... if you could test out the IPv6 implementation in -testing, that would be really great!
11:56 < ScriptFanix> dazo: maybe this week-end i'll try to set up native v6
11:57 < dazo> ScriptFanix: on #openvpn-devel you'll find the developer of the IPv6 payload patches (IPv6 inside the tunnel), so if you need some help he might be able to help out!
11:58 < dazo> look for cron2 
11:58 < theDoc> dazo> I'll have to work with ecrist (possibly) and see how I can slip the v6 code into an access-server setup or something.
11:58 < ScriptFanix> dazo: thanks :)
11:59 < dazo> theDoc: I don't think ecrist can help too much there, though .... maybe some of the openvpn tech guys (openvpn, openvpn2009, Kasx or mattock) can provide some ideas
11:59 < dazo> ScriptFanix: you're welcome!
11:59 < theDoc> Are those guys working for openvpn directly?
11:59 < dazo> Yeah
12:00 <+Kasx> Hello guys, theDoc: yes we work driectly for OpenVPN :-)
12:02 <+Kasx> Feel free to PM me on here.
12:02 < theDoc> Kasx> It's 1am right now in Asia, I have to go to bed.
12:03 < theDoc> I'll drop you a message sometime later in the day when I'm slightly awake ;)
12:03 <+Kasx> Sounds good
12:11 -!- zroysch [~dongery@mailex.oncologyplus.com] has joined ##openvpn
12:12 < zroysch> could someone tell me what the proper procedure is when setting up a company vpn for employees trying to connect from their personal home PC's
12:13 < zroysch> i am concerned that the company network could be compromised since their home pc's are not managed by myself, if they were to get a trojan or virus or whatever
12:14 < dazo> zroysch: first of all, firewall the tun/tap adapters on the server - only allow services you want to allow
12:14 < dazo> zroysch: add extra authentication levels is the default SSL certificates, but username/passwords can be used in addition to establish connections
12:15 < zroysch> dazo: the vpn server is run by pfsense
12:15 < zroysch> so i assume it is firewalled by default
12:15 < dazo> zroysch: you can also use --tls-auth which adds another security feature which makes it more difficult to establish connections, especially when using UDP transport for OpenVPN
12:16 < dazo> zroysch: don't assume anything ... that's false security ;-)
12:16 < zroysch> true. i'm going to ask over at #pfsense because I remember it not being able to ask for a login/password
12:16 < dazo> zroysch: then some companies on top of this only allows shell or remote console access, like RDP to a Windows Terminal server or SSH to *nix hosts, where you need to use that connection to get further into the network
12:17 < dazo> zroysch: the keywords is layers of authentication and firewalling
12:18 < dazo> *are
12:18 < dazo> zroysch: to enable username/password for OpenVPN you'll need to add some extra scripts or authentication modules ... there are modules available for PAM, LDAP, MySQL and SQLite3
12:19 < dazo> (the latter one, I'm working on)
12:20 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
12:30 < havoc> hmm, can a non-admin restart the openvpn service on XP?
12:30  * havoc will be testing soon either way
12:31 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 245 seconds]
12:32 < dmz> havoc, no
12:32 < havoc> dmz: gah, ok
12:32 < havoc> so I have to either make this user a local admin, or have them reboot whenever something doesn't work
12:33 < havoc> oh wait, or psexec it
12:33 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
12:33 < havoc> yeah, that'll work
12:34 < zroysch> how would i go about setting up ovpn keys for a new user, using a different computer than i used before
12:34 < zroysch> or does it not matter if i use the same info 
12:50 < dazo> zroysch: not sure what you really ask about ... as that part is standard SSL key management
12:51 < zroysch> ok when i try to run build-key.bat (same computer as i setup the first user with) its giving me all the options for the command
12:51 < dazo> zroysch: ahh ... easy-rsa-2.0, I presume
12:51 < zroysch> in the easy-rsa directory yes
12:52 < zroysch> do i need the files that were created when setting up the server
12:52 < zroysch> because i moved them to 'config' 
12:52 < dazo> zroysch: I believe the syntax is:  build-key.bat {common name} .... so it needs an argument with the common name of the certificate to be created
12:52 < zroysch> like it told me to
12:52 < zroysch> yes im using that format
12:52 < zroysch> build-key.bat ovpn_username
12:53 < dazo> The OpenVPN server only needs a few files .... CA cert, server key, server certificate and preferably DH parameters
12:53 < zroysch> yes it has them. all i'm trying to do is create a new key for the next user
12:53 < dazo> and that's all the server needs
12:53 < dazo> then the next set of user key, user certificate and CA certificate goes to the client
12:53 < dazo> and that's it
12:54 < zroysch> right. i am trying to create them.
12:54 < dazo> what kind of information you feed the certificate with, is more or less irrelevant .... the relevant thing is that the client certificate is signed by the CA key
12:55 < zroysch> ok, i setup the server and client#1 with http://www.jpuddy.net/2008/11/25/setting-up-a-road-warrior-style-vpn-connection-with-pfsense-and-openvpn/
12:55 < vpnHelper> Title: Setting up a road warrior style VPN connection with pfsense and OpenVPN | J Puddy.net (at www.jpuddy.net)
12:55 < dazo> (a lot of people mix together CA key/cert pair with OpenVPN server key/cert pair ... which should not be mixed ... this is an important thing to know)
12:56 < zroysch> on step 11, i'm running like it says build-key.bat ovpn_username
12:56 < zroysch> and it gives me all the option sfor build-key.bat like im not doing it rihgt
12:57 < dazo> Have you closed the command line window before doing the second key set?  If so, you probably need to do only step 6 again
12:57 < dazo> before heading for 11
12:57 < zroysch> yes the computer was rebooted
12:58 < dazo> try to run vars.bat first, before running build-key.bat
12:58 < zroysch> thank you.
12:59 < dazo> you're welcome!
12:59 -!- zroysch [~dongery@mailex.oncologyplus.com] has quit [Read error: Connection reset by peer]
13:00 -!- dazo is now known as dazo_afk
13:35 -!- DrPepper [~DrPepper@94.252.39.57] has joined ##openvpn
13:44 -!- DrPepper [~DrPepper@94.252.39.57] has quit [Read error: Connection reset by peer]
14:00 -!- StewartW [~stewart@213.152.254.36] has quit [Quit: Ex-Chat]
14:16 < krzee> !winroute
14:16 < vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
14:30 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
14:34 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
14:45 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
14:58 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
15:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
15:01 -!- smerz [~daniel@smerz.demon.nl] has quit [Ping timeout: 264 seconds]
15:10 -!- mithridates [~chatzilla@142.166.45.152] has quit [Ping timeout: 252 seconds]
15:15 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
15:26 -!- mithridates [~chatzilla@142.166.49.229] has joined ##openvpn
15:27 -!- mithridates [~chatzilla@142.166.49.229] has quit [Client Quit]
15:43 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
15:59 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 260 seconds]
16:02 -!- ScriptFanix [~vincent@Hanaman.riquer.fr] has joined ##openvpn
16:07 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 268 seconds]
16:17 -!- ScriptFanix [~vincent@Hanaman.riquer.fr] has quit [Ping timeout: 260 seconds]
16:19 -!- ScriptFan [~vincent@Hanaman.riquer.fr] has joined ##openvpn
16:26 -!- ScriptFan [~vincent@Hanaman.riquer.fr] has quit [Quit: coin]
16:26 -!- atmos4 [~sunset@ip-78-94-208-223.unitymediagroup.de] has quit [Read error: Connection timed out]
16:26 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined ##openvpn
16:27 -!- atmos4 [~sunset@ip-78-94-208-223.unitymediagroup.de] has joined ##openvpn
16:49 -!- atmos4 [~sunset@ip-78-94-208-223.unitymediagroup.de] has quit [Read error: No route to host]
16:51 -!- atmos4 [~sunset@ip-78-94-208-223.unitymediagroup.de] has joined ##openvpn
16:51 < Uriell> When running openvpn clients as windows 7 service at startup, and the ADSL is not connected, even after I connect the ADSL, still the openvpn not auto connecting with the service. any idea how to make it try again and again even no internet until there is internet?
16:55 < mwheeler> What's your config
16:55 < mwheeler> You might to setup keepalive
16:56 < Uriell> keepalive will make it try again and again to bring up the vpn?
16:56 < mwheeler> yup
16:58 < Uriell> hmm, is there a keepalive option for clients?
16:58 < Uriell> I can see it on the server sample config file
16:58 < Uriell> not on the clients sample config file
16:58 < mwheeler> I beleive so
16:59 < Uriell> so its not helping me, I need the client's service to retry connecting even there is no internet, until there is internet
17:00 < mwheeler> that's what keepalive should AFAIK
17:00 < Uriell> but the keepalive is in the server's config not in client's config
17:01 < mwheeler> Put it in the clients config.....
17:01 < Uriell> oh
17:01 < Uriell> I'll try it
17:01 < Uriell> :) thanks
17:18 < krzee> or checkout the retry options in the manual
17:31 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
17:40 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
18:00 -!- atmos4 [~sunset@ip-78-94-208-223.unitymediagroup.de] has quit [Quit: atmos4]
18:02 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 260 seconds]
18:08 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined ##openvpn
18:12 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Remote host closed the connection]
18:12 -!- ScriptFan [vincent@Hanaman.riquer.fr] has joined ##openvpn
18:12 -!- ScriptFan [vincent@Hanaman.riquer.fr] has quit [Client Quit]
18:12 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined ##openvpn
19:02 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
19:08 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
19:17 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has quit [Ping timeout: 246 seconds]
19:22 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
19:51 -!- theDoc [~jaki@119.73.165.162] has joined ##openvpn
19:56 -!- theDoc [~jaki@119.73.165.162] has quit [Ping timeout: 264 seconds]
19:56 -!- theDoc [~jaki@69.10.59.166] has joined ##openvpn
20:00 -!- vronp [~4a8189d4@gateway/web/freenode/x-ivmxqivjilyytlzv] has joined ##openvpn
20:07 -!- tjz [~pc@bb116-14-138-136.singnet.com.sg] has joined ##openvpn
20:07 -!- tjz [~pc@bb116-14-138-136.singnet.com.sg] has quit [Changing host]
20:07 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:10 -!- theDoc [~jaki@69.10.59.166] has quit [Changing host]
20:10 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:15 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 260 seconds]
20:16 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined ##openvpn
21:19 -!- dopiwan [~soulrebel@pool-74-104-126-31.bstnma.fios.verizon.net] has quit []
21:38 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
22:44 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:03 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Remote host closed the connection]
23:31 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
23:41 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
23:42 -!- takamichi [~pri@95.211.4.12] has quit [Ping timeout: 276 seconds]
23:42 -!- takamichi [~pri@95.211.4.12] has joined ##openvpn
23:42 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
23:58 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
--- Day changed Thu Apr 15 2010
00:11 -!- APTX_ [~APTX@chello089076052083.chello.pl] has joined ##openvpn
00:11 -!- APTX_ [~APTX@chello089076052083.chello.pl] has quit [Changing host]
00:11 -!- APTX_ [~APTX@phpBB/developer/APTX] has joined ##openvpn
00:13 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
00:34 -!- Netsplit *.net <-> *.split quits: flok420, Rolybrau, insane^, jww
00:39 -!- Netsplit over, joins: Rolybrau, jww, insane^, flok420
00:46 -!- simplechat_ [~simplecha@unaffiliated/simplechat] has joined ##openvpn
00:49 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Ping timeout: 265 seconds]
00:58 -!- takamichi [~pri@95.211.4.12] has quit [Ping timeout: 240 seconds]
01:13 -!- penguinFunk [user@unaffiliated/penguinfunk] has left ##openvpn ["Leaving"]
01:30 -!- sunbug [sunbug@absolutlinux.no] has quit [Ping timeout: 240 seconds]
02:02 -!- straterra [~straterra@2001:470:8a81::4] has joined ##openvpn
02:03 < straterra> I have a pretty simple tls point to point openvpn tunnel..however, if one of the vpn servers dies, the other one dies too. I'm using TCP. Is there any way to have it continually listen/try to reconnect, instead of dying?
02:03 < julius> tehehe, same here
02:05 < straterra> The error I get when OVPN dies is.. TCP/UDP: Socket bind failed on local address x.x.x.x:443: Permission denied
02:05 < straterra> But where the x.x.x.x is, is the IP of the remote site
02:05 < julius> o.O    you could try udp and allow changing IPs
02:05 < straterra> I can't use udp
02:06 < straterra> Besides, I have other TCP tunnels that dont have this issue
02:07 < straterra> Actually..I think I know what it is
02:07 < straterra> OpenVPN starts as root and drops privs
02:07 < straterra> I'm using port 443..which needs root
02:11 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
02:11 < julius> and openvpn can't simply keep the listening socket open?
02:11 < julius> or is it the local one?
02:11 < julius> uh
02:12 < julius> I mean client one
02:12 < straterra> Eh?
02:13 < straterra> The conection drops, so the socket is closed
02:17 < julius> the endpoints still have server/client roles, don't they?
02:19 < straterra> Yes..but the socket closes
02:20 < straterra> Openvpn tries to reopen it..and fails because its already dropped the root privs
02:26 < krzie> is Olivier Sessink here?
02:39 -!- Gabe_G23 [~gabe@bzflag/player/GabrielG] has quit [Ping timeout: 260 seconds]
02:40 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
02:40 -!- DrPepper [~DrPepper@94.252.43.70] has joined ##openvpn
03:04 < krzie> !learn route_outside_openvpn as http://www.secure-computing.net/wiki/index.php/Graph
03:04 < vpnHelper> krzie: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
03:05 < krzie> !learn route_outside_openvpn as http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: "ROUTES TO ADD OUTSIDE OPENVPN" in !route
03:05 < vpnHelper> krzie: Joo got it.
03:09 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
03:14 -!- DrPepper [~DrPepper@94.252.43.70] has quit [Read error: Connection reset by peer]
03:17 -!- anebi [~anebi@91.207.191.17] has joined ##openvpn
03:39 < anebi> hi, we have an openvpns server on machine that has also a public ip address. we are using this server as web and voip server. we configured a linksys router to be an openvpn client. our point now is all devices located behind this router to be able to access the voip server this way: when we are behind the router, then voip traffic to go thru the tunnel, when we are outside of this network, then to be used server public ip address and voip traffic to go as us
03:40 < anebi> the point is i always to use mydomain.tld in my voip client configuration
03:41 < anebi> instead to have 2 profiles. one with mydomain.tld and the second with openvpn ip address
03:42 < straterra> Linksys routers support openvpn now?
03:43 < anebi> straterra: my boss told me that he uses dd-wrt firmware on linksys wrt610n and as i understood he has configured this router to connect to openvpn. so i suppose yes if i have not understood him wrong :)
03:46 -!- dazo_afk is now known as dazo
03:48 < dazo> ecrist: krzee: I just stumbled upon a presentation from James - and here is a lot of good info, especially a simpler explanation why TCP over TCP is bad ... http://www.openvpn.net/papers/BLUG-talk/14.html  .... maybe consider this presentation and direct slide links to the factoids db?
03:48 < vpnHelper> Title: Slide 14 (at www.openvpn.net)
04:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:13 -!- master_of_master [~master_of@p57B55BA8.dip.t-dialin.net] has quit [Ping timeout: 258 seconds]
04:15 -!- master_of_master [~master_of@p57B5652F.dip.t-dialin.net] has joined ##openvpn
04:16 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
04:17 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:27 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 268 seconds]
04:28 < krzie> awesome! reading now
04:56 < krzie> !tcp
04:56 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
04:57 < krzie> !forget tcp
04:57 < vpnHelper> krzie: Joo got it.
04:57 < krzie> !learn tcp as Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html  Why TCP Over TCP Is A Bad Idea.
04:57 < vpnHelper> krzie: Joo got it.
04:58 < krzie> !learn tcp as The author of openvpn explains it here:  http://www.openvpn.net/papers/BLUG-talk/14.html
04:58 < vpnHelper> krzie: Joo got it.
05:01 -!- atlas95 [~atlas95@serveur.levis-heb.net] has joined ##openvpn
05:02 -!- atlas95 [~atlas95@serveur.levis-heb.net] has quit [Changing host]
05:02 -!- atlas95 [~atlas95@unaffilated/atlas95] has joined ##openvpn
05:05 -!- anebi [~anebi@91.207.191.17] has quit [Ping timeout: 240 seconds]
05:06 -!- anebi [~anebi@91.207.191.17] has joined ##openvpn
05:10 < flok420> can openvpn do tinc-style routing? e.g. with multiple connections via other routes and such. like: http://keetweej.vanheusden.com/stats/tinc-fvh-network-graph.png
05:21 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
05:30 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:31 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:37 -!- straterra [~straterra@2001:470:8a81::4] has left ##openvpn []
05:38 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
05:40 < krzie> sure
05:40 < krzie> !rip
05:40 < vpnHelper> krzie: "rip" is http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting for a writeup on using RIP in openvpn
05:49 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
05:54 < krzie> flok420, your network diagram would be greatly simplified by 2way arrows
05:58 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
06:09 < anebi> in order to route the traffic to a specific IP address from VPN client to go through VPN and the rest from ISP, is this the right way?
06:09 < anebi> 1. Add a "push route" in server side where i set the ip of the host for that i want to route the traffic
06:09 < anebi> 2. Add a pull in client site with the same IP
06:09 < anebi> are these the right steps?
06:10 -!- APTX_ is now known as APTX
06:10 < plundra> You just need push route on the serverside, no pull.
06:11 < anebi> plundra:  thanks
06:11 < plundra> push "route 1.2.3.4 255.255.255.255" for example
06:12 < flok420> krzie: that diagram is automatically drawn by the tinc vpn daemon
06:12 < anebi> plundra: thanks.
06:17 -!- vronp [~4a8189d4@gateway/web/freenode/x-ivmxqivjilyytlzv] has quit [Quit: Page closed]
06:21 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
06:26 < krzie> you only dont need pull if you have client
06:27 < krzie> and pull would be by itself
06:27 < krzie> pull just lets the client know to accept options from the server, but is included in client
06:28 < anebi> krzie: i see. now is more clear :)
06:42 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
06:46 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
06:54 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:59 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
07:01 -!- jupiter15 [~jupiter@unaffiliated/jupiter15] has joined ##openvpn
07:02 < jupiter15> !welcome
07:02 < vpnHelper> jupiter15: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:05 -!- DrPepper [~DrPepper@94.252.40.5] has joined ##openvpn
07:08 < jupiter15> !howto
07:08 < vpnHelper> jupiter15: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:15 < jupiter15> !route
07:15 < vpnHelper> jupiter15: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:22 -!- StewartW [~stewart@213.152.254.36] has joined ##openvpn
07:33 -!- mugwort13 [~mugwort13@pool-151-196-183-156.balt.east.verizon.net] has joined ##openvpn
07:34 -!- DrPepper [~DrPepper@94.252.40.5] has quit [Quit: Leaving...]
07:36 < mugwort13> if I am setting up one windows client and one linux client to an openvpn server, do I use the same server.crt for both clients, or do I generate a separate one for each?
07:43 < ecrist> !tcp
07:43 < vpnHelper> ecrist: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) The author of openvpn explains it here: http://www.openvpn.net/papers/BLUG-talk/14.html
07:44 < ecrist> !learn tcp as http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
07:44 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
07:44 < ecrist> !learn tcp as http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
07:44 < vpnHelper> ecrist: Joo got it.
07:44 < ecrist> dazo ^^^
07:45 < dazo> !tcp
07:45 < vpnHelper> dazo: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) The author of openvpn explains it here: http://www.openvpn.net/papers/BLUG-talk/14.html, or (#3) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
07:45 < ecrist> blast
07:45 < dazo> ecrist: ^^ ... krzie was quicker than you ;-)
07:45 < ecrist> !forget tcp 3
07:45 < vpnHelper> ecrist: Joo got it.
07:52 -!- mape2k [~mape2k@2a01:198:23f:10ff:6441:92ff:fe8e:a968] has joined ##openvpn
07:59 -!- mape2k [~mape2k@2a01:198:23f:10ff:6441:92ff:fe8e:a968] has quit [Ping timeout: 276 seconds]
08:05 < krzie> !learn tcp as http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
08:05 < vpnHelper> krzie: Joo got it.
08:05 < krzie> !forget tcp 2
08:05 < vpnHelper> krzie: Joo got it.
08:05 < krzie> his was better ;]
08:06 < anebi> guys i added push "route 1.2.3.4 255.255.255.255" to server side and restarted openvpn, but now i see this error in logs:
08:06 < anebi> ERROR: Linux route delete command failed: shell command exited with error status: 2
08:06 < anebi> i see this also if i comment this configuration, any ideas?
08:09 < dazo> krzie: sure, it's easier to understand ... but the other one goes more in-depth
08:10 < dazo> anebi: I'm guessing you use --user and/or --group in your client configs ... then you'll see those ones, as OpenVPN tries to tare down the routes when shutting down but is then lacking privileges to do so
08:10 -!- mugwort13 [~mugwort13@pool-151-196-183-156.balt.east.verizon.net] has left ##openvpn []
08:11 -!- Gabe_G23 [~gabe@bzflag/player/GabrielG] has joined ##openvpn
08:12 < dazo> anebi: if this is the case, you don't need to worry much, as when the tun/tap device is removed it, the OS will remove the routes related to that interface automatically
08:13 < krzie> dazo, i mean how ecrist wrote it, i replaced #2 with his
08:13 < krzie> !tcp
08:13 < vpnHelper> krzie: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
08:13 < anebi> dazo: i see. thanks for the good explanation :)
08:13 < dazo> krzie: ahh :)
08:15 < dazo> anebi: I'll make a little note about that for developers discussions ... as it is an error, due to lacking privileges ... but not a critical error in reality
08:18 < Uriell> ok I am having very wired problem. got a linux openvpn server and windows client, when the windows client connected to the internet using my home lan, the client connect with no problems, but when I am connecting the windows client using direct dsl connection, I am getting an error - lots of "waiting for tun/tap to go up" and then error regarding dhcp (i have dhcp client service running). any ideas?
08:28 < Bushmills> your windows config seems to contain some dependecy on tun, i.e. on openvpn being up and running
08:29 -!- DarthGandalf is now known as DarthGandalf|BNC
08:31 -!- DarthGandalf|BNC is now known as DarthGandalf
08:32 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:36 < Uriell> how do i fix it?
08:39 < Uriell> http://pastebin.com/2M3nuqry
08:39 < Uriell> here is my client config
09:00 -!- StewartW [~stewart@213.152.254.36] has quit [Quit: Ex-Chat]
09:17 < DarthGandalf> !welcome
09:17 < vpnHelper> DarthGandalf: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:18 < DarthGandalf> !interface
09:18 < vpnHelper> DarthGandalf: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
09:18 < DarthGandalf> !howto
09:18 < vpnHelper> DarthGandalf: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:18 < DarthGandalf> Is it possible to listen on :: (ipv6) ?
09:20 < rob0> IPv6 support is under development.
09:21 < dazo> DarthGandalf: not with stock openvpn ... you might want to check out the openvpn-testing version
09:21 -!- StewartW [~stewart@213.152.254.36] has joined ##openvpn
09:21 < dazo> DarthGandalf: http://www.secure-computing.net/wiki/index.php/OpenVPN/Documentation_for_testers
09:21 < vpnHelper> Title: OpenVPN/Documentation for testers - Secure Computing Wiki (at www.secure-computing.net)
09:23 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
09:41 -!- DrPepper [~DrPepper@94.252.38.114] has joined ##openvpn
09:49 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
09:53 < anebi> when i use iroute and ccd to enable access to subnets behind clients side, do i need to see the route in routing table on client side or only in server side?
09:57 < anebi> i see your network in logs now
09:57 < anebi> 192.168.1.1, .1.2, .1.3, .1.10, 1.11 
09:58 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
10:01 -!- guy_ [~guy@bzq-79-181-45-203.red.bezeqint.net] has joined ##openvpn
10:09 -!- simplechat_ [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:16 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
10:17 < anebi> ops, wrong chat, sorry :)
10:23 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
10:24 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
10:41 -!- DrPepper [~DrPepper@94.252.38.114] has quit [Read error: Connection reset by peer]
10:41 -!- DrPepper [~DrPepper@94.252.49.18] has joined ##openvpn
10:41 -!- DrPepper [~DrPepper@94.252.49.18] has quit [Read error: Connection reset by peer]
10:45 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 268 seconds]
10:45 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
10:46 -!- mode/##openvpn [+v Kas] by ChanServ
10:51 < DarthGandalf> !config
10:51 < vpnHelper> DarthGandalf: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
10:52 < DarthGandalf> !configs
10:52 < vpnHelper> DarthGandalf: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
10:52 -!- DrPepper [~DrPepper@94.252.47.144] has joined ##openvpn
10:53 < DarthGandalf> !logs
10:53 < vpnHelper> DarthGandalf: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
10:56 -!- anebi [~anebi@91.207.191.17] has quit [Quit: Leaving.]
11:10 < guy_> anyone got a clue why am I getting an invalid arg here - http://pastebin.ca/1861984 ? 
11:10 < guy_> The full error message is in the pastebin
11:18 -!- guy_ [~guy@bzq-79-181-45-203.red.bezeqint.net] has quit [Remote host closed the connection]
11:22 -!- le0 [~tehle0@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
11:28 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Quit: Leaving]
11:33 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
11:33 -!- mode/##openvpn [+v Kas] by ChanServ
11:33 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
11:36 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
11:51 < Bushmills> server 10.0.0.0   - that specifies a network, not an ip address
11:54 -!- DrPepper [~DrPepper@94.252.47.144] has quit [Read error: Connection reset by peer]
12:00  * DarthGandalf made many logs to help you in helping me...
12:02 < DarthGandalf> Server: log http://sprunge.us/QQdF conf http://sprunge.us/ghcL http://sprunge.us/gUMQ ifconfig http://sprunge.us/aNgK http://sprunge.us/RbMe route http://sprunge.us/JaPY http://sprunge.us/jBei
12:02 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
12:02 -!- mode/##openvpn [+o mattock] by ChanServ
12:03 < DarthGandalf> Client: log http://pastebin.com/ZWXQzJEe conf http://pastebin.com/PSpH2ShN ifconfig http://sprunge.us/IWHD http://sprunge.us/CQPQ route http://sprunge.us/GZLb http://sprunge.us/Aehd
12:05 < DarthGandalf> Client has network behind it, and when I try to ping server from box-behind-client, packets go to server, but server doesn't understand that.
12:05 < krzee> !configs
12:05 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
12:05 < krzee> did you read my routing document?
12:05 < krzee> here:
12:06 < krzee> !route
12:06 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:06 < krzee> srry i see configs now
12:07 -!- dazo is now known as dazo_afk
12:09 < krzee> route 10.100.200.0 255.255.254.0 is the LAN behind the vpn client?
12:11 < krzee> !tcp
12:11 < vpnHelper> krzee: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
12:14 < DarthGandalf> Anyone sees what's wrong in my conf?
12:14 < krzee> not if you dont answer my questions
12:14 < krzee> [10:12]  <krzee> route 10.100.200.0 255.255.254.0 is the LAN behind the vpn client?
12:15 < DarthGandalf> You need route and iroute.
12:16 < krzee> if its behind the client you do
12:22 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
12:22 < Hypnoz> if i had two vpn servers in different datacenters, anyone know if there would be an issue with having one vpn server connected as a client to the other, so I'd only have to vpn to the primary to get routes to both datacenters
12:27 < ecrist> no issues
12:27 < ecrist> we're doing that now amonth three systems
12:27 < ecrist> !route
12:28 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:28 < ecrist> that page has an example
12:29  * cpm makes an example of ecrist 
12:30 < krzee> Hypnoz, not only is it not a problem, its a common use of ovpn
12:36 -!- dazo [~dazo@ip4-83-240-69-215.cust.nbox.cz] has joined ##openvpn
12:46 < Hypnoz> so i would do like "openvpn --config configfile.ovpn &" from primary vpn server to secondary vpn server? or set up the client-config-dir ccd stuff and have secondary server vpn into primary server?
12:55 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
13:19 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:30 < Bushmills> only client can connect to server. server can't connect to server 
13:31 < Bushmills> means, you need a client config
13:31 < Bushmills> but you can run openvpn twice. once as server, once as client
13:31 < Bushmills> you probably want to use "nobind" option for client
13:35 -!- DrPepper [~DrPepper@94.252.37.67] has joined ##openvpn
13:44 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
13:55 -!- mirco [~mirco@p5B23F14C.dip.t-dialin.net] has joined ##openvpn
13:56 -!- StewartW [~stewart@213.152.254.36] has quit [Quit: Ex-Chat]
13:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
13:58 < plundra> Hmm :-)
13:59 -!- mirco [~mirco@p5B23F14C.dip.t-dialin.net] has quit [Remote host closed the connection]
14:00 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Quit: Leaving]
14:00 < plundra> Oh yeah, I remembered what I wanted to ask :-P If there was an option to execute a script after the connection with the client was done, passing along which addresses from the pool was used etc.
14:00 -!- mirco [~mirco@p5B23F14C.dip.t-dialin.net] has joined ##openvpn
14:02 < Bushmills> client side? server side?
14:02 < plundra> Server side, I'm checking dox right now :)
14:02 < Bushmills> --client-disconnect
14:02 < Bushmills> !client-disconnect
14:02 < plundra> You mean client-connect? :-)
14:02 < vpnHelper> Bushmills: Error: "client-disconnect" is not a valid command.
14:03 < plundra> (Just found it :-P)
14:03 < Bushmills> ok. i read "after the connection with the client was done" as "disconnected"
14:03 < plundra> Ah, yes, I can see how that might be missread, sorry :-)
14:04 < plundra> Thanks anyway. Will try that tomorrow.
14:05 -!- DrPepper [~DrPepper@94.252.37.67] has quit [Ping timeout: 246 seconds]
14:20 < plundra> ovpn-py looks cool, anyone used it? :) The project even seems alive, having activity this year and all.
14:22 < plundra> Would be pretty cool doing most things in there, instead of executing all my python-code via the script-interfaces.
14:25 < krzee> never hearda it
14:25 < krzee> !google ovpn-py
14:25 < vpnHelper> krzee: ovpn-py - Project Hosting on Google Code: <http://code.google.com/p/ovpn-py/>; openvpn-plugin.h - ovpn-py - Project Hosting on Google Code: <http://code.google.com/p/ovpn-py/source/browse/openvpn-plugin.h>; 17 search results for: openvpn | freshmeat.net: <http://unix.freshmeat.net/search/?Go.x=1&Go.y=1&q=openvpn&section=projects>
14:26 < plundra> http://code.google.com/p/ovpn-py/source/browse/etc/ovpn-def.py <-- Better example then on the frontpage.
14:27 < vpnHelper> Title: ovpn-def.py - ovpn-py - Project Hosting on Google Code (at code.google.com)
14:29 < krzee> ahh kinda cool
14:29 < krzee> an all-in-1 script
14:30 < plundra> Yeah, well, more of a plugin I guess :) 
14:30 < plundra> But yes, it seems very cool. I've been meaning to rewrite some stuff anyway, and now I can try that out at the same time.
14:32 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:41 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
14:41 -!- dazo [~dazo@ip4-83-240-69-215.cust.nbox.cz] has quit [Quit: Leaving]
14:47 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Ping timeout: 276 seconds]
14:50 -!- atlas95 [~atlas95@unaffilated/atlas95] has quit [Quit: leaving]
14:53 < Uriell> Bushmills, Here is my client config, what is that dependency?  thanks http://pastebin.com/2M3nuqry
14:54 < Bushmills> i have no idea what your windows set up, but i don't expect that dependency in your openvpn config - it shows, after all, when openvpn is *not* running
14:55 < Bushmills> you should ask the one who has set up your windows for you
14:55 < Uriell> I set up my windows :)
14:56 < Bushmills> then you are the authority on setup of your windows system
14:56 < Uriell> Yes I am
14:56 < plundra> Is something not working for you?
14:56 < Uriell> I got a linux openvpn server and windows client, when the windows client connected to the internet using my home lan, the client connect with no problems, but when I am connecting the windows client using direct dsl connection, I am getting an error - lots of "waiting for tun/tap to go up" and then error regarding dhcp (i have dhcp client service running). any ideas?
14:57 < Bushmills> a problem may be that your vpn client config is incomplete.
14:57 < Uriell> windows 7
14:57 < Uriell> What do I miss?
14:57 < Bushmills> it contains things like "emote ip port # (replace with your server IP)"
14:57 < Bushmills> remote
14:57 < Uriell> I removed my ip port due to security
14:57 < Uriell> I have real ip and port
14:57 < Uriell> and it gets connected
14:59 < Uriell> It gets connected when I am using my home lan.. so the config is fine
15:00 < Bushmills> do you connect to internet, using pptp?
15:00 < Uriell> yes
15:00 < Uriell> no
15:00 < Uriell> pppoe
15:00 < Bushmills> doesn't pptp use tun(tap interface as well?
15:00 < Bushmills> ah
15:02 < rob0> No, pptp invokes pppd(8) which uses ppp interfaces.
15:04 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 240 seconds]
15:08 < Uriell> client running windows
15:08 < Uriell> server running linux
15:08 < Uriell> the error is on the windows side
15:09 < Uriell> no error when the windows connecting using home lan (windows box->linux router->adsl modem), error is only when connecting windows box -> adsl modem
15:11 -!- DrPepper [~DrPepper@94.252.53.11] has joined ##openvpn
15:14 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
15:14 < Bushmills> your openvpn server is remote, as in, route to it through internet?  and your windows box receives ip address, gateway and such, so it can talk to internet? 
15:15 -!- DrPepper [~DrPepper@94.252.53.11] has quit [Ping timeout: 240 seconds]
15:15 < Uriell> yes
15:15 < Uriell> and I have internet connection working fine
15:15 < Bushmills> what happens when you manually try to start openvpn?
15:15 < Uriell> same
15:16 < Uriell> tried both in service or manually
15:16 -!- DrPepper [~DrPepper@94.252.50.117] has joined ##openvpn
15:16 < Bushmills> can you ping openvpn server?
15:17 < Uriell> I get connected
15:17 < Uriell> its tcp based
15:18 < Uriell> do I need to open anything else than 1 tcp port on the server's firewall?
15:18 < Bushmills> no, ping is icmp
15:18 < Uriell> openvpn needs icmp? (if the server running tcp mode)
15:19 < Bushmills> "can you ping openvpn server?"   "its tcp based"  "no, ping is icmp"
15:20 < Uriell> I can ping if I will open the linux firewall for ping
15:20 < Uriell> I didn't open it for ping
15:20 < Uriell> does openvpn must be opened for ping to work properly?
15:20 < Bushmills> no. but blocking outgoing pings doesn't make a lot of sense
15:21 < Fiouz> Uriell: unless your adsl modem acts as a router, don't bridge but use routing (tun instead of tap)
15:21 < Uriell> outgoing on the windows is not firealled, incoming ping on the linux server is firewalled
15:22 < Uriell> Fiouz, I am using bridge as it was simple to set up on both sides and did just work.. any reason to change it?
15:24 < Fiouz> actually, bridging is needed for broadcast or non-routable protocols, it's less efficient as it works at the OSI layer 2 instead of layer 3 for routing
15:25 < Uriell> I saw that linux only support tap
15:26 < Uriell> windows support tun aswell?
15:27 < Fiouz> Linux supports both
15:28 < Uriell> i have windows clients
15:28 < Uriell> on a linux server
15:28 < Fiouz> as well as Windows iirc
15:28 < Uriell> what should i use then? bridge, right?
15:28 < Fiouz> depends on your requirements
15:29 < Uriell> I don't need broadcast or non routable protocols
15:29 < Uriell> just simple tcpip communication
15:29 < Fiouz> what do you use your VPN for? Windows/Samba shares?
15:29 < Uriell> I want web traffic to go using the vpn
15:29 < Uriell> web/mail etc
15:30 < Fiouz> your can use routing (tun) then
15:31 < Uriell> will it fix the current problem?
15:31 < Fiouz> actually, I didn't see your error logs, so can't be sure
15:32 < Uriell> Thu Apr 15 23:32:55 2010 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
15:32 < Uriell> Thu Apr 15 23:32:55 2010 Route: Waiting for TUN/TAP interface to come up...
15:33 < Fiouz> but I tend to think routing shouldn't give you such errors
15:33 < Uriell> Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )
15:33 < vpnHelper> Title: FAQ (at openvpn.net)
15:33 < Uriell> I do have dhcp working, and it works when connecting internet using home lan instead of direct dsl
15:34 -!- krzee [~k@unaffiliated/krzee] has quit [Quit: Leaving]
15:36 < Fiouz> is your server acting as a DHCP?
15:36 < Uriell> yes
15:37 < Uriell> the server assign ips to clients
15:37 < Uriell> does that need anything else in the server's firewall then the openvpn port?
15:38 -!- be [~be@217.117.190.9] has joined ##openvpn
15:38 < Fiouz> meaning you have a DHCP daemon running on tap0 (or is tap0 bridged to a DHCP-enabled interface) ?
15:39 < Uriell> no dhcp server running
15:39 < be> hi
15:40 < be> i can't make client-to-client configuration work
15:40 < be> can anyone help me?
15:41 < Uriell> Fiouz, the clients getting fixed ips using the dhcp conf ccd, again, its working when the clients are inside my home lan
15:42 < be> !welcome
15:42 < vpnHelper> be: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:42 < Fiouz> what I don't know is are you bridging the DSL interface with the TAP-Win32 interface ?
15:42 < Uriell> no
15:43 < Fiouz> be: how do you check?
15:44 < be> can ping server from client while connected, but not other clients, and can't ping clients from server while it sees clients mac addresses
15:45 < Fiouz> Uriell: then I have no idea, but give routing a try, it's less tricky
15:47 < Uriell> Fiouz, i will try, thanks!
15:50 < Fiouz> be: are client routing tables set accordingly ?
15:52 < be> i can see route to virtual network with local-end ip as gateway on client
15:54 < be> http://pastebin.org/152704
15:54 < be> here are configs
16:00 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:02 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
16:16 < be> hmm, it's probably a routing problem
16:16 < be> but i don't understand what is exactly the problem
16:17 < be> http://pastebin.org/152734
16:18 < be> it's a routing table on client 192.168.0.200
16:19 < be> i can see arp requests on server but not icmp packets
16:20 -!- DrPepper [~DrPepper@94.252.50.117] has quit [Ping timeout: 264 seconds]
16:22 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
16:26 -!- DrPepper [~DrPepper@94.252.46.130] has joined ##openvpn
16:26 -!- DrPepper [~DrPepper@94.252.46.130] has quit [Read error: Connection reset by peer]
16:28 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
16:44 -!- crazygir [~jason@unaffiliated/crazygir] has quit [Ping timeout: 252 seconds]
16:44 -!- crazygir [~jason@li14-82.members.linode.com] has joined ##openvpn
16:47 -!- crazygir [~jason@li14-82.members.linode.com] has quit [Changing host]
16:47 -!- crazygir [~jason@unaffiliated/crazygir] has joined ##openvpn
17:01 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
17:07 -!- le0 [~tehle0@unaffiliated/le0] has joined ##openvpn
17:08 -!- be [~be@217.117.190.9] has left ##openvpn []
17:10 < Bushmills> how come that so many people who use bridging instead of routing is so much easier end up having problems those who route don't have?
17:11 < Bushmills> instead of routing *because* it is (supposedly) so much easier ...
17:11 -!- be [~be@217.117.190.9] has joined ##openvpn
17:11 -!- be [~be@217.117.190.9] has left ##openvpn []
17:12 < Bushmills> it just strikes me as odd whenever i look at a config with problems, it is "tap" or "bridge" or such
17:13 < Bushmills> and when asked, reason for bridge often given is "because it was easier to set up"
17:13 < Bushmills> let's try ...
17:13 < Bushmills> be, does your use of openvpn require bridging?
17:14 < Bushmills> hm. seems i'm a bit late ..
17:18 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
17:33 -!- mirco [~mirco@p5B23F14C.dip.t-dialin.net] has quit [Quit: mirco]
17:35 < rob0> haha
17:35 < rob0> yeah, I don't go very far in trying to help the bridgers
17:58 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
18:01 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
18:07 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 276 seconds]
18:09 -!- LobbyZ [~default@188.72.255.194] has left ##openvpn []
18:12 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined ##openvpn
18:32 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
18:32 < Bushmills> i actually wouldn't know how to in most cases
18:32 < Bushmills> well, at least i have a bridged config now here
18:32 < Bushmills> not openvpn
18:32 < Bushmills> wlan router
18:33 < Bushmills> well, also openvpn, but its config on that machine is still routed
18:35 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Read error: Connection reset by peer]
18:43 < rob0> Right, likewise, my VPNs have always been tun. In fact playing with openvpn is how I learned routing. I remember being thrilled at my first multihop VPN. :)
19:07 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
19:07 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
19:07 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
19:13 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
19:25 -!- |Mike| [mike@2001:1af8:2:444::2] has quit [Read error: Connection reset by peer]
19:26 -!- |Mike| [mike@2001:1af8:2:444::2] has joined ##openvpn
19:28 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
19:37 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
19:43 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
19:44 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
20:11 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:25 -!- unimatrix [~unimatrix@93-103-14-47.static.t-2.net] has quit [Ping timeout: 260 seconds]
20:30 -!- unimatrix [~unimatrix@93-103-14-47.static.t-2.net] has joined ##openvpn
20:48 -!- tjz [~pc@bb116-14-141-167.singnet.com.sg] has joined ##openvpn
20:48 -!- tjz [~pc@bb116-14-141-167.singnet.com.sg] has quit [Changing host]
20:48 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:58 -!- medum [kevin@d67-193-176-255.home3.cgocable.net] has quit [Ping timeout: 252 seconds]
21:00 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
21:55 -!- Morgan_Phoenix [~macbabe@CPE-24-166-141-95.new.res.rr.com] has quit [Read error: Connection reset by peer]
23:37 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
--- Day changed Fri Apr 16 2010
02:13 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:31 -!- DrPepper [~DrPepper@94.252.51.32] has joined ##openvpn
02:39 -!- DrPepper [~DrPepper@94.252.51.32] has quit [Ping timeout: 260 seconds]
02:53 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
02:58 -!- dazo_afk is now known as dazo
03:05 -!- ayam_jago [~diKi@202.152.40.74] has joined ##openvpn
03:05 < ayam_jago> !welcome
03:05 < vpnHelper> ayam_jago: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:06 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: Connection reset by peer]
03:06 < ayam_jago> !goal
03:06 < vpnHelper> ayam_jago: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
03:06 < ayam_jago> !goal I would like to access the internet over my vpn
03:06 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
03:06 < vpnHelper> ayam_jago: Error: "goal" is not a valid command.
03:07 < ayam_jago> !howto
03:07 < vpnHelper> ayam_jago: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:07 < ayam_jago> !route
03:07 < vpnHelper> ayam_jago: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
03:09 -!- timbul [~aryo@125.162.237.164] has joined ##openvpn
03:09 < ayam_jago> !config
03:09 < vpnHelper> ayam_jago: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
03:10 -!- DrPepper [~DrPepper@94.252.53.98] has joined ##openvpn
03:12 < Fiouz> ayam_jago: use the redirect-gateway option
03:12 < ayam_jago> !redirect
03:13 < vpnHelper> ayam_jago: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
03:13 < ayam_jago> !redirect-gateway
03:13 < vpnHelper> ayam_jago: Error: "redirect-gateway" is not a valid command.
03:13 < ayam_jago> !def1
03:13 < vpnHelper> ayam_jago: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
03:14 < ayam_jago> !man
03:14 < vpnHelper> ayam_jago: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
03:17 < ayam_jago> private key server.key verification failed
03:31 -!- smellynoser [~ashley@87-194-183-38.bethere.co.uk] has quit [Quit: leaving]
03:46 -!- DrPepper [~DrPepper@94.252.53.98] has quit [Read error: Connection reset by peer]
03:50 -!- roam [~rk@reiko.vzsze.de] has joined ##openvpn
03:51 < roam> !welcome
03:51 < vpnHelper> roam: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:55 -!- timbul [~aryo@125.162.237.164] has quit [Ping timeout: 264 seconds]
04:02 < roam> I have a working vpn tunnel. DNS resolves fine, there is a nameserver running on the vpn-server host and it's at first place in /etc/resolv.conf. But sending mail with postfix fails when I'm connected via umts. IIRC it's working when I'm connected via wlan or ethernet. The Errormessage is(Host or domain name not found. Name service error for name=reiko.vzsze.de type=MX: Host not found, try again) reiko.vzsze.de is my smarthost. 
04:04 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
04:11 -!- ayam_jago [~diKi@202.152.40.74] has left ##openvpn ["Leaving"]
04:12 < mwheeler> roam: are you SURE it's working
04:14 -!- master_of_master [~master_of@p57B5652F.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
04:15 < roam> mwheeler: normal operation is working
04:15 -!- master_of_master [~master_of@p57B5419B.dip.t-dialin.net] has joined ##openvpn
04:16 < mwheeler> when the VPN is running do a dig reiko.vzsze.de mx @nameserver in resolv.conf
04:16 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
04:17 < mwheeler> if that works, it means your resolv.conf is misconigured, if it fails, try pinging the nameserver, if that passes, it means named is misconfigured
04:20 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
04:24 < roam> mwheeler: there is no mx for reiko.vzsze.de it should use A instead.
04:24 < roam> I just added one manually, but without vpn or with out pppd it works fine without one.
04:25 < mwheeler> It's not openvpn's problem
04:27 -!- DrPepper [~DrPepper@94.252.60.45] has joined ##openvpn
04:31 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
04:35 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:41 -!- DrPepper [~DrPepper@94.252.60.45] has quit [Read error: Connection reset by peer]
05:41 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
05:41 -!- le0 [~tehle0@unaffiliated/le0] has quit [Quit: Leaving]
05:41 -!- fin [~fin@cpc4-bele7-2-0-cust381.know.cable.virginmedia.com] has joined ##openvpn
05:42 -!- fin [~fin@cpc4-bele7-2-0-cust381.know.cable.virginmedia.com] has quit [Client Quit]
05:49 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
06:12 -!- j03 [~6de08059@gateway/web/freenode/x-lrwypasqnfghdozx] has joined ##openvpn
06:13 < j03> Hi
06:13 < j03> What's the easiest way to set up an OpenVPN Server on my Xen VPS?
06:21 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
06:22 < Krikke> <insert package manager here> openvpn ?
06:22 < Krikke> and follow the howto
06:35 < j03> I think I need to get a TUN/TAP Driver installed by my VPS Provider...
06:35 < j03> does that make sense? Since I only have loopback and an external IP address
06:50 < dazo> j03: you got root access to the box?
06:50 < j03> Yep
06:50 < dazo> modprobe tun .... if that works, you got all you need
06:51  * dazo would be very much surprised if that's missing ... but could be VPS provider don't like tunnelling services
06:51 < j03> It doesn't exist. 
06:51 < j03> Haha.
06:51  * dazo is surprised then ;-)
06:51 < j03> However, "find /lib/modules/ -name '*tun*' -print" show's a lot of tun.ko files
06:51 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
06:51 -!- mode/##openvpn [+o mattock] by ChanServ
06:51 < j03> But if I understand correctly, they are for different kernels?
06:52 < dazo> 'uname -r' gives the kernel version you're running ... then you should have the tun.ko file under /lib/modules/`uname -r`
06:53 < dazo> j03: anyway, with root access, you can compile that module easily manually if needed
06:53 < j03> http://pastebin.com/rXSTesjY
06:53 < dazo> which kernel are you running  (uname -r)
06:53 < j03> 2.6.18-128.1.10.el5xen 
06:54 < j03> My /lib/modules/ directory has got many folders...
06:54 < dazo> gah ... it shouted that in my face in the pastebin! :-P
06:54 < j03> :P
06:54 < ecrist> good morning
06:54 < havoc> morning
06:55 < dazo> yeah ... it should be this one /lib/modules/2.6.18-128.1.6.el5xen/kernel/drivers/net/tun.ko
06:55 < j03> Morning/afternoon
06:55 < j03> OK, So how can I make it load that?
06:55 < dazo> insmod /lib/modules/2.6.18-128.1.6.el5xen/kernel/drivers/net/tun.ko ...
06:55 < dazo> does that work?
06:55 < j03> "Operation not permitted"
06:55 < dazo> you might need to run depmod -ae, to update the module dependencies
06:55 < dazo> and you are root?
06:55 < j03> Yep
06:56 < dazo> you can't be
06:56 < dazo> what does dmesg | tail -n10 say?
06:56 < dazo> and what does this say:  id
06:57 < j03> http://pastebin.com/jN4LkxAn
06:57 < j03> (I have no swap, hence the "0kb free swap"
06:57 < dazo> "ksign: module signed with unknown public key" ... ahh that might be
06:57 < j03> )
06:57 < j03> Ah
06:57 < dazo> that's no prob
06:57 < j03> OK good
06:58 < j03> How can i fix it? Do I need to compile my own module?
06:58 < dazo> I've never really worked with signed kernel modules, so not quite sure how that really works
06:58 < j03> OK
06:58 < j03> Can't i tell it to ignore the public key..?
06:58 < dazo> what surprises me is that you're not running the latest kernel ... so I would probably first try to boot up the 2.6.18-164.el5xen kernel
06:59 < j03> OK. I'm sorry about this.. but how does one do that?
06:59 < dazo> (not sure why you're running xen kernels, as I presume you're running it inside a VM ... but that might be Xen related ... KVM VM's does not need that)
06:59 < j03> I'm using the Debian 5.0 image my VPS provider gave me
07:00 < dazo> j03: do you have a virtual console access to the VM, which is not based on SSH into the VM?
07:00 < j03> It just came like that :)
07:00 < dazo> j03: is this Debian? .... it looks like RHEL to me
07:00 < j03> It's debian
07:00 < dazo> the kernel versions matches very well with RHEL ... :-P
07:01 < j03> Well i've been using apt, and it's worked OK so far, so i'm fairly confident that it's Debian :P
07:01 < dazo> heh :)
07:01 < j03> RE Virtual Console - I'll check
07:02 < j03> on one of my two VPS's, it's not working.
07:03 < j03> OK, working
07:03 < j03> I've got console access now. 
07:03 < dazo> then it's just to reboot ... and pay attention when the Grub boot meny shows up ... and change to the latest version
07:03 < j03> Ah right! OK
07:04 < j03> That's simple! :)
07:04 < j03> oh dear
07:04 < j03> It booted me off when it said "now restarting system"
07:05 < j03> my 200 days of uptime! ruined! :P
07:05 < dazo> that might explain why you're running an old kernel too .....
07:05 < j03> It might!
07:05 < dazo> you do know it's clever to boot to newer kernels whenever available? ;-)
07:06 < j03> I do now! :P
07:06 < dazo> heh :-P
07:06 < j03> Hmm
07:06 < j03> it's booted to the same kernel
07:06 < j03> I might just re-install Debian
07:07 < j03> I was planning on doing so anyway
07:07 < dazo> gah ... reinstall upon boot? ... sounds less clever .... imagine a kernel panic ... and then an automatic reboot .... whoops, you start from scratch ....
07:08 < j03> That's what I mean, start from scratch
07:08 < j03> There isn't anything important on there :P
07:08 < dazo> I was more concerned if this happens normally, when being in "production mode" .... the server booting automatically while you're sleeping, and then scratching your installation
07:09 < j03> CentOS 5, Debian 5.0, or Ubuntu 5.0, or Fedora 9?
07:09 < j03> Wait
07:09 < j03> Not ubuntu 5.0 - Ubuntu 9.04 :P
07:09 < dazo> I'd recommend CentOS or Debian
07:09 < dazo> for production
07:09 < j03> Yeah. I think I might got for Debian
07:10  * dazo hopes Fedora 9 sounds way too old ...
07:10 < j03> I'm more used to it. (that's not saying much, though)
07:10 < j03> OK, The VPS is being "rebuilt".
07:15 < j03> oh great. SSH isn't working. 
07:15 < j03> Ah, there we go.
07:19 < j03> It's using the same kernel - I think it might be botched anyway. I'm getting errors about modules.dep not being found on bootup
07:41 < dazo> j03: that modules.dep issue is then the trouble .... depmod -ae as root should fix that
07:41 < j03> OK, Thanks. I will try that!
07:43 < j03> Uh-oh. That didn't work.
07:43 < j03> http://pastebin.com/Rt3aw7D3
07:45 < dazo> j03: I'd say this begins now to look like a support case with your VPS
07:47 -!- geaaru [~geaaru@host87-190-dynamic.211-62-r.retail.telecomitalia.it] has joined ##openvpn
07:48 < geaaru> hi, how can disable push on default gateway from vpn server
07:48 < geaaru> ?
07:48 < dazo> geaaru: remove --pull from the client config
07:49 < geaaru> k i try... thanks 
07:54 < Uriell> Fiouz,  You there?
07:56 < Uriell> Any idea why openvpn client on windows 7 will act like there is no dhcp service running while there is?
08:00 < j03> dazo: Uh-oh! 
08:00 < j03> dazo: Couldn't I edit the grub config files to make the latest kernel boot first?
08:03 < dazo> j03: well ... then you might be trapped if you can't change the kernel during boot in your VM console ... if the kernel doesn't boot up ...
08:03 < j03> I can edit files on the VPS through the control panel
08:04 < Uriell> Can anyone look at my confs? http://pastebin.com/ujywT6ji its wired why I can connect the clients to the vpn while the windows is inside a lan, but can't connect the windows clients if the windows box is connected directly to the internet using adsl... i switched from bridging to routing and it didn't fix this problem
08:09 < dazo> j03: also grub.conf?
08:10 < j03> I should be able to.
08:10 < dazo> j03: then you have a "backdoor" to fix issues ... then it shouldn't be a problem
08:10 < j03> I'm assuming that Xen uses grub?
08:11 < agagag> m/wi4
08:11 < j03> It would do, wouldn't it?
08:11 -!- macsppadic [~sonupunno@82.109.74.162] has left ##openvpn []
08:11 -!- roam [~rk@reiko.vzsze.de] has left ##openvpn []
08:12 < dazo> j03: ahh ... true ... you're on Xen ... well, I would normally think so, yes ... but it's about 3 years since I was using Xen last time, so I don't remember these details
08:12  * dazo is used to KVM now ... with even it's own "BIOS" screen during boot
08:13 < j03> Hmm
08:13 < j03> I dont think it does :\
08:21 < havoc> kvm is kinda neat
08:22 < j03> I'm going to ask at ##xen
08:23 < Fiouz> Uriell: does it show as "no internet connectivity" whereas it actually has an IP and works fine? I have it too and doesn't cause any functional  problem
08:27 < Uriell> Fiouz, no connectvity and it ends up getting wired 169.somethign address
08:28 < Uriell> sec I will bring up the log
08:28 -!- rkantos_ [robin@hp1.jaketus.net] has joined ##openvpn
08:28 -!- ufoman_ [ufoman@kolos.math.uni.lodz.pl] has joined ##openvpn
08:30 < Uriell> Fiouz, here is the error log from the client: http://pastebin.com/Q4NraFjW
08:31 -!- neb [~admin@adsl-71-140-186-185.dsl.pltn13.pacbell.net] has joined ##openvpn
08:32 -!- Netsplit *.net <-> *.split quits: rkantos, ufoman, @openvpn2009
08:34 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:40 < Fiouz> Uriell: is there some firewall running on the tap adapter?
08:42 < Uriell> both sides have firewalls
08:42 < Uriell> I disabled the windows firewall it didn't change anything, on the linux firewall I have the tcp port open
08:43 < Fiouz> you have 2 tap32 adapters, is it needed?
08:43 < Uriell> yes
08:44 < Uriell> should I open anything else on the linux server?
08:45 < Fiouz> no, I think it's more a client issue
08:45 < Uriell> you see its all connecting, dhcp client service is running
08:45 < Fiouz> try the "dev-node" option to specify the tap adapter name, since you have 2 adapters
08:46 < Uriell> I tried that yesterday, didn't help
08:46 < Uriell> don't forget that if I connect the vpn server using my home lan -> internet it works as it is, just when i connect windows box -> internet it doesn't
08:47 < Uriell> I can show you the log of the connection using the home lan>internet
08:47 < Uriell> sec
08:49 < Uriell> http://pastebin.com/XBUCBTRD
08:53 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
08:53 < Fiouz> Uriell: maybe a workaround http://openvpn.net/archive/openvpn-users/2006-05/msg00270.html
08:53 < vpnHelper> Title: Re: [Openvpn-users] Warning: route gateway is not reachable on any active network adapters (at openvpn.net)
08:54 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined ##openvpn
08:55 < Uriell> the ip should be the server ip?
08:55 < dazo> from the log: "Fri Apr 16 15:55:13 2010 CreateFile failed on TAP device: \\.\Global\{6C009DCE-3300-4FE6-B5EA-02C966A60B3E}.tap"
08:55 < Uriell> in my case 192.168.100.0 ?
08:56 < dazo> "Fri Apr 16 16:28:08 2010 Warning: route gateway is not reachable on any active network adapters: 192.168.100.6"
08:56 < Fiouz> .1
08:56 < Uriell> ok trying, brb
08:56 < Fiouz> and yeah, you should keep the dev-node option to prevent opening the wrong TAP device
08:57 < dazo> Uriell: looks like you got some basic issues you need to figure out first ... if TAP device is not available to openvpn ... you're already looking at the wrong place
08:58 < dazo> Uriell: try running with --verb 4 when debugging, that will give more info about which TAP device it tries to access
09:00  * dazo agrees with Fiouz ... dev-node seems to be needed
09:00 < dazo> not --dev-node .... --dev ... and then set --dev-type as well
09:01 < dazo> or maybe Windows is different
09:03 < Uriell> ok same error
09:04 < Uriell> :\
09:08 < Uriell> maybe should I change the server.conf from dev tun to dev tun0 ?
09:08 < dazo> Uriell: you're running the server on Windows?
09:09 < dazo> Uriell: check the man page ... look at --dev-node and --show-adapters, especially ... that might help you further
09:09 < Uriell> server running on linux
09:09 < Uriell> dazo, i tried sepecfiying dev nodes on the client, it didn't fix the problem
09:09 < dazo> Uriell: this is not a server issue then ... the log you pastbin'ed is client side troubles
09:10 < dazo> Uriell: it looks like OpenVPN struggles getting access to the TAP adapter, that seems to be the issue
09:10 < Uriell> http://openvpn.net/archive/openvpn-users/2004-08/msg00564.html
09:10 < vpnHelper> Title: Re: [Openvpn-users] 2.0_beta11 on XP unable to inizialize IP of tun interface (at openvpn.net)
09:11 < Uriell> could be the route-delay ?
09:12 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
09:12 < dazo> oh dear ... that article might mislead you, as it's in connection to 2.0_beta11 - about 6 years ago ... we're now on 2.1.1 ... a lot has happened here, also with Windows implementation .... but yeah, some Windows boxes need --route-delay ... but I don't think that will help
09:12 -!- j03 [~6de08059@gateway/web/freenode/x-lrwypasqnfghdozx] has quit [Quit: Page closed]
09:13 < dazo> the route is set up *after* the TUN/TAP device is ready ... if that device is unavailable, route will fail ... even with --route-delay
09:13 < Uriell> I can try the dev-node again, it didn't help yesterday
09:13 < Uriell> sec
09:17  * dazo need to run to a meeting now
09:27 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 246 seconds]
09:43 -!- guy_ [~guy@bzq-79-181-45-203.red.bezeqint.net] has joined ##openvpn
09:44 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
09:45 -!- guy_ [~guy@bzq-79-181-45-203.red.bezeqint.net] has quit [Client Quit]
09:45 -!- guy_ [~guy@bzq-79-181-45-203.red.bezeqint.net] has joined ##openvpn
09:47 < Uriell> dev-node didn't help
09:50 < Uriell> error:
09:50 < Uriell> http://pastebin.com/CBz747ZV
09:55 -!- DarthGandalf is now known as DarthGandalf|BNC
09:57 < Fiouz> it helped removing the "CreateFile failed on TAP device" error
10:01 < Fiouz> Uriell: what is 109.65.20.99 ?
10:02 -!- guy_ [~guy@bzq-79-181-45-203.red.bezeqint.net] has quit [Quit: Reconnecting]
10:02 -!- guy_ [~guy@bzq-79-181-45-203.red.bezeqint.net] has joined ##openvpn
10:04 -!- guy_ [~guy@bzq-79-181-45-203.red.bezeqint.net] has quit [Client Quit]
10:05 -!- guy_ [~guy@bzq-79-181-45-203.red.bezeqint.net] has joined ##openvpn
10:11 -!- guy_ [~guy@bzq-79-181-45-203.red.bezeqint.net] has quit [Quit: leaving]
10:13 < Uriell> thats the dynamic ip from my dsl
10:15 < Fiouz> try switching to subnet topology, on server: topology subnet / push "topology subnet"
10:16 < Fiouz> maybe Windows is confused as how to use its own DSL IP address as a gateway
10:24 < Uriell> to add this line to server.conf ?
10:24 < Uriell> topology subnet / push "topology subnet"
10:27 < Fiouz> 2 lines actually :
10:27 < Fiouz> topology subnet
10:27 < Fiouz> push "topology subnet"
10:27 < Fiouz> (OpenVPN >= 2.1 required)
10:28 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
10:28 < Fiouz> !topology
10:28 < vpnHelper> Fiouz: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
10:32 < dazo> Uriell: now it might be that --route-delay is closer to the needed stuff ... --dev-node did indeed help
10:33 < dazo> Fri Apr 16 17:45:16 2010 Warning: route gateway is not reachable on any active network adapters: 192.168.100.6
10:33 < dazo> ^^^ this is the core problem now ... routes are being set up before the TAP device got the IP address
10:34 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has quit [Ping timeout: 246 seconds]
10:34 < dazo> but I do see that it attempts to set the IP address on line 32 ... so this is not leaning towards a problem where Windows don't catch the DHCP IP address
10:34 < dazo> s/not/now/
10:36 < dazo> and also look at the error at the very end ... on line 146 ... I presume you've looked at the contents of that URL ....
10:37 -!- tekk [~me@cpc3-shep11-2-0-cust599.8-3.cable.virginmedia.com] has quit [Quit: tekk]
10:38 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
10:42 < Uriell> yeah
10:43 < Uriell> dhcp client service is running
10:43 < Uriell> trying the win32 ip didn't help
10:43 < dazo> What happened with --route-delay?
10:43 < Uriell> didn't try
10:44 < Uriell> !route-delay
10:44 < vpnHelper> Uriell: Error: "route-delay" is not a valid command.
10:44 < dazo> !man
10:44 < vpnHelper> dazo: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
10:44 < dazo> Uriell: try link #2 
10:45 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
10:45 < Uriell> defualts seems fine
10:45 < Uriell> in windows
10:46 < dazo> Uriell: defaults might not be fine .... try might need to also try --route-default 10 ... or a higher value .... the 'w=30' is fine, though
10:47 < Uriell> --route-default 30 ?
10:47 < Uriell> --route-default 10 30 ?
10:47 < dazo> --route-default [wait 1st] [windows extra wait]
10:48 < dazo> --route-default 10
10:48 < Uriell> ah ok sec
10:48 < dazo> that means .... --route-default 10 30 ...... only --route-default => --route-default 0 30
10:49 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
10:50 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
10:59 < Uriell> not working
10:59 < Uriell> http://pastebin.com/Bwd08r8r
11:00 < dazo> Uriell: yes, this is working ... you don't have that error message any more
11:00 < dazo> Uriell: that your goal is not working is actually less relevant than to get rid of all error messages you had to start with
11:01 < Uriell> :)
11:01 < Uriell> still the tunnel is not coming up
11:01 < dazo> Now, is the time to look at your !goals ... and then your !configs ...
11:02 < Uriell> !goals
11:02 < vpnHelper> Uriell: Error: "goals" is not a valid command.
11:02 < Uriell> !goal
11:02 < dazo> !goal
11:02 < vpnHelper> Uriell: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:02 < vpnHelper> dazo: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:02 < Uriell> I just want secure connection between 2 compuers, 1 - linux server running openvpn server, 2 - windows 7 running openvpn client
11:02 < Uriell> !configs
11:02 < vpnHelper> Uriell: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
11:04 < dazo> Uriell: what's the next step then ... that's to make sure you can ping the VPN server's VPN address .... when you have that established, you know you can transport data over the VPN tunnel
11:04 < dazo> then routing is the next thing ... so that you can route traffic from your Windows client to the IP addresses you want to access via the VPN
11:05 < Uriell> Here is my configs:
11:05 < Uriell> http://pastebin.com/wV63YBHE
11:05 < Uriell> vpn server allows all icmps to all ips
11:06 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
11:08 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
11:08 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 276 seconds]
11:09 < Uriell> bbl
11:09 < Uriell> thanks for all the help
11:14 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
11:19 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
11:19 -!- neb is now known as Guest12047
11:21 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
11:26 < dazo> Uriell: if you get responses to 'ping <VPN server IP address>' ... then you get the basics ready ... and your configs are lacking either [server config] push "route <network> <netmask>" or [client config] route <network> <netmask>
11:27  * dazo goes home
11:30 -!- dazo is now known as dazo_afk
11:34 -!- geaaru [~geaaru@host87-190-dynamic.211-62-r.retail.telecomitalia.it] has quit [Ping timeout: 260 seconds]
11:52 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
11:58 -!- Guest12047 is now known as openvpn2009
11:58 -!- mode/##openvpn [+o openvpn2009] by ChanServ
12:06 -!- geaaru [~geaaru@host87-190-dynamic.211-62-r.retail.telecomitalia.it] has joined ##openvpn
12:15 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
12:21 -!- geaaru [~geaaru@host87-190-dynamic.211-62-r.retail.telecomitalia.it] has quit [Quit: Leaving]
12:31 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
12:33 < Hypnoz> If anyone can help, I am connecting a client to the vpn with a subnet behind it I want other vpn clients to be able to access. The vpn client can ping the server, but none of the clients in the "behind" subnet can ping the server.
12:34 < Hypnoz> I'm testing setting up static routes on a machine in the behind subnet, to get it to ping the main vpn server.
12:40 < Hypnoz> so now a client in the "behind" subnet can ping the vpn server, but the vpn server can't ping that client
12:40 < Hypnoz> I'm not sure how that's even possible...
12:42 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
13:02 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
13:02 < krzee> Hypnoz, 
13:02 < krzee> first
13:02 < krzee> !route
13:02 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:02 < Hypnoz> I've seen that page
13:02 < krzee> and 1 way ping is always a firewall problem
13:02 < Hypnoz> I set up cdd, route, the iroute file and all that
13:02 < Hypnoz> hmm interesting...
13:03 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
13:03 < Hypnoz> thx for the tip
13:03 < krzee> np
13:03 < Hypnoz> makes sense now
13:03 < krzee> if routes allowed it to go 1 way, and return, they allow both the other way around
13:03 < krzee> firewall not the case ;]
13:04 < krzee> this is always valid when you remember what source ip and dst ip are being used
13:04 < Hypnoz> ya hard to keep track of what source IP and dest IP are with all the hops .... thought the source IP was being changed by the vpn client with the subnet behind it
13:05 < krzee> nope
13:05 < krzee> src ip doesnt change unless a NAT makes it
13:06 < krzee> tun interface just tunnels what is sent to it, does not do any NAT
13:06 < krzee> unless a firewall does it, but that is outside of openvpn
13:09 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
13:16 < Hypnoz> krzee: If I already have a VPN tunnel setup between the firewalls of the two datacenters, do you think openvpn could use that tunnel instead
13:17 -!- EugeneKay [~EugeneKay@unaffiliated/eugenekay] has joined ##openvpn
13:17  * EugeneKay waves
13:18 < EugeneKay> Just installed OpenVPN GUI 2.0.9, and Windows refuses to let me install the TAP adapter because of "invalid signature". The previous version(1.0.3) worked fine.
13:18 < EugeneKay> Any suggestions?
13:18 < EugeneKay> (other than revert to what was working, which I'm considering)
13:18 -!- buntfalke [~nobody@openvpn-p0-ipv6-100f.triple-a.uni-kl.de] has joined ##openvpn
13:18 -!- buntfalke [~nobody@openvpn-p0-ipv6-100f.triple-a.uni-kl.de] has quit [Changing host]
13:18 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:19 < krzee> Hypnoz, yes
13:20 < krzee> just as shown in !route
13:20 < Hypnoz> EugeneKay: newest version is 2.1.1  http://openvpn.net/index.php/open-source/downloads.html
13:20 < vpnHelper> Title: Downloads (at openvpn.net)
13:20 < krzee> you only need 1 vpn per lan
13:20  * EugeneKay tries
13:21 < EugeneKay> Is the openvpn.se client "unofficial build" or...? (it's the first Gewgle result)
13:22 < Hypnoz> EugeneKay: I'm not sure what openvpn.se is
13:22 < EugeneKay> http://openvpn.se/
13:22 < vpnHelper> Title: OpenVPN GUI for Windows (at openvpn.se)
13:22 < krzee> thats old and unneeded
13:22 < krzee> openvpn didnt always come with a win gui
13:23 < krzee> you see the dates on things there?
13:23 < krzee> Latest stable release: 1.0.3 with OpenVPN 2.0.9 (2006-10-17)
13:23 < EugeneKay> Herp derp.
13:23 < EugeneKay> So it is.
13:23  * EugeneKay kicks Google
13:24 < EugeneKay> For reference, my laptop's HD ate it, so I'm reinstalling everything piece by piece.
13:24 < EugeneKay> Upgrading things like 7-Zip, which I last installed a year ago.
13:25 < EugeneKay> Ha! And the *right* client just works. Thanks, Hypnoz.
13:25 < Hypnoz> EugeneKay: :)
13:26 < EugeneKay> A lot of stuff I just install and leave it be, once it "just works"
13:27 < EugeneKay> Which leads to "Uhhh how the hell did I do this, anyway?" when I reinstall/upgrade/etc
13:27 < Hypnoz> EugeneKay: haha ya I have text file howto's scattered all over my computer
13:27 < Hypnoz> I know i'm having a bad day when I have to go digging for one
13:28 < EugeneKay> I keep all the .exe's and .tar.gz's and such I download stored on my house-server, which does a nightly rsync to my webserver
13:28 < EugeneKay> So I can find out what i installed, but not how I did it
13:29 < EugeneKay> It wasn't too hard to get Filezilla using my PuTTY key again, though. Along with a hundred other tweaks.
13:29 < Hypnoz> EugeneKay: I tried setting up filezilla ftps a while ago, that sucked
13:29 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
13:30 < EugeneKay> SFTP works great
13:30 < EugeneKay> Client, that is.
13:30 < EugeneKay> Server, avoid at all costs.
13:30 < Hypnoz> SFTP != FTPS
13:30 < EugeneKay> Indeed.
13:30 < Hypnoz> ftps is annoying, dealing with implicit and explicit and shit
13:31 < EugeneKay> I avoid it. :-p
13:45 < Mythmon> so, is ./build-dh from easy-rsa supposed to take >30 minutes?
13:46 < krzee> basically, yes
13:46 < krzee> its random, roll of the dice
13:47 < krzee> and it takes a long time and lot of cpu power
13:47 < krzee> its finding a prime number the size of the key
13:48 < Mythmon> ah. i ran it before for testing and it took only about 2 minutes, so i was a bit worried
13:50 < krzee> smaller keysize im guessing
14:13 -!- DarthGandalf|BNC is now known as DarthGandalf
14:13 -!- LeRrA [~lerra@c-94-255-223-67.cust.bredband2.com] has quit [Ping timeout: 276 seconds]
14:17 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
14:20 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
14:55 -!- EugeneKay [~EugeneKay@unaffiliated/eugenekay] has left ##openvpn ["Leaving"]
15:00 -!- corretico [~laguilar@201.201.46.106] has quit [Quit: Leaving]
15:01 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
15:11 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has quit [Ping timeout: 260 seconds]
15:13 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:16 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
16:04 -!- mf-no [~mf-no@friend.mill.volia.net] has joined ##openvpn
16:13 -!- mf-no [~mf-no@friend.mill.volia.net] has quit []
16:46 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
16:48 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Ping timeout: 240 seconds]
16:49 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
17:00 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
17:02 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 248 seconds]
17:06 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
17:09 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has left ##openvpn []
17:25 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
17:30 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 276 seconds]
17:31 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Read error: Operation timed out]
17:34 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
17:46 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
17:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
17:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
17:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
19:52 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 258 seconds]
19:59 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Quit: Leaving.]
20:09 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
20:10 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 264 seconds]
20:24 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
20:35 -!- tjz [~pc@bb116-14-141-167.singnet.com.sg] has joined ##openvpn
20:35 -!- tjz [~pc@bb116-14-141-167.singnet.com.sg] has quit [Changing host]
20:35 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
21:14 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
21:18 -!- Bloodsong [~Nimbus@bas13-toronto12-1167984050.dsl.bell.ca] has joined ##openvpn
21:18 < Bloodsong> Hey guys
21:32 < ecrist> hi
21:39 -!- PeterFA [~Peter@2002:1871:8ebb:1234:21a:73ff:fe3b:d510] has joined ##openvpn
21:39 -!- PeterFA [~Peter@2002:1871:8ebb:1234:21a:73ff:fe3b:d510] has quit [Changing host]
21:39 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
21:40 < Bloodsong> You really are always in here ecrist.
21:40 < ecrist> I'm in and out. :)
21:52 -!- Bloodsong [~Nimbus@bas13-toronto12-1167984050.dsl.bell.ca] has quit [Ping timeout: 276 seconds]
22:01 -!- Bloodsong [~Nimbus@bas13-toronto12-1167984050.dsl.bell.ca] has joined ##openvpn
22:06 < rob0> ecrist: tmi ;)
22:08  * Bloodsong chuckles
22:16 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Read error: Operation timed out]
22:26 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 276 seconds]
22:37 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has joined ##openvpn
23:03 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has quit [Ping timeout: 245 seconds]
23:21 < ecrist> I suppose that's better than just being 'out,' like you, rob0 
23:44 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
--- Day changed Sat Apr 17 2010
00:21 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
00:45 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
00:46 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
00:50 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
01:02 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
01:27 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
01:39 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Connection reset by peer]
01:39 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
01:39 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
01:39 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
01:42 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
01:44 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
02:04 -!- Bloodsong [~Nimbus@bas13-toronto12-1167984050.dsl.bell.ca] has quit [Read error: Connection reset by peer]
02:18 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:18 -!- mode/##openvpn [+o mattock] by ChanServ
02:57 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
02:59 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
03:14 -!- iateadonut [~dan@221.0.151.147] has joined ##openvpn
03:14 < iateadonut> !welcome
03:14 < vpnHelper> iateadonut: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:15 < iateadonut> if i started openvpn on a client without redirect, should tun0 have an ip address?
03:21 < iateadonut> my tun0 on my server is working and showing an ip address.
03:26 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
03:28 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
03:29 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
03:45 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
04:14 -!- master_of_master [~master_of@p57B5419B.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
04:15 -!- master_of_master [~master_of@p57B56D48.dip.t-dialin.net] has joined ##openvpn
04:25 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
04:25 -!- iateadonut [~dan@221.0.151.147] has quit [Ping timeout: 240 seconds]
04:32 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:42 -!- iateadonut [~dan@221.0.151.147] has joined ##openvpn
04:42 -!- iateadonut [~dan@221.0.151.147] has left ##openvpn []
04:59 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
05:05 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:06 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
05:10 -!- Gabe_G23_ [~gabe@s66-76-118-56.eldocmta01.eldoar.lr.sta.suddenlink.net] has joined ##openvpn
05:12 -!- iateadonut [~dan@221.0.151.147] has joined ##openvpn
05:12 < iateadonut> http://www.linuxquestions.org/questions/linux-networking-3/please-check-my-openvpn-config-802519/
05:12 < vpnHelper> Title: please check my openvpn config (at www.linuxquestions.org)
05:13 -!- j03 [~6de08059@gateway/web/freenode/x-zuvcqjhkmcuvbqff] has joined ##openvpn
05:13 -!- Gabe_G23 [~gabe@bzflag/player/GabrielG] has quit [Ping timeout: 246 seconds]
05:18 -!- guy_ [~guy@bzq-79-181-45-203.red.bezeqint.net] has joined ##openvpn
05:21 < Fiouz> according to your logs, there should be a IP address "Sat Apr 17 16:13:10 2010 us=462912 /sbin/ifconfig tun0 10.8.1.6 pointopoint 10.8.1.5 mtu 1500" that's odd
05:25 < guy_> I'm getting "Options error: --server directive network/netmask combination is invalid" anyone got a clue why ? http://pastebin.ca/1864652
05:28 < Fiouz> use 172.16.0.0 instead of 172.16.0.1
05:30 < guy_> Fiouz: Is it possible to display the log to stdout and openvpn.log ?
05:31 < Fiouz> I don't really know, I use it as a daemon, which outputs to syslog. I running from console, you could use "tee"
05:33 < Bushmills> guy_: server netwerk netmask,   not server ipaddress netmask
05:34 < Bushmills> network ...
05:34 < Fiouz> s/I/If
05:35 < Bushmills> "If don't really know. I use..."  ??
05:36 < Fiouz> I meant "If running from console" ;-)
05:37 < guy_> Hmm, I see.
05:37 < Bushmills> s/I r/If r/
05:38 < iateadonut> fiouz, so it might be my client... something wrong with my client here?
05:38 < Bushmills> guy_: that took you three day to fail to discover?
05:38 < Bushmills> days
05:38 < guy_> Bushmills: I haven't touched it much, but yes
05:39 < iateadonut> openvpn is actually trying to make the ip address on the client, sending the command, but the command is not going through, is that right?
05:39 < j03> Hi. I'm trying to set up an OpenVPN Server. I think the server-side is OK, but I'm not too sure how to make my client config files. I copied the example config and changed the certificate names to match mine, and the hostname to match mine.... but it doesn't seem to want to connect
05:42 < Fiouz> iateadonut: that's my understanding. what happens when you issue that command as root?
05:42 < j03> Ah, I've fixed the connection problem now... ish. I'm guessing "Connection reset by peer" is a server-side issue?
05:43 < iateadonut> issuing it under sudo.
05:43 < iateadonut> let me check if loggin in as root would make a difference.
05:43 < Bushmills> j03: http://scarydevilmonastery.net/client.template is what i use for generating connection "packs".  what is between <> gets replaced against real data when the files is customised (by sed).
05:43 < j03> Bushmills: Thanks. I will try that!
05:43 < iateadonut> nevermind.  it was issued as root.
05:44 < Bushmills> rest is a script which generates keys, customises the template, and packs everything into one archive file
05:45 < j03> Cool
05:47 < j03> Urch. Well that was silly. I had deleted the VPN Server!
05:49 -!- bejo [~aryo@202.152.172.4] has joined ##openvpn
05:49 < bejo> help me..
05:49 < guy_> Fiouz: I have three devices in this machine, eth0, wlan0, and tun0 used for the vpn, I wish to setup an application that will listen on some port that only people using the vpn will be able to connect to it, is it possible ?
05:50 < bejo> i run su /etc/openvpn/server.conf
05:50 < bejo> but any error
05:50 < j03> Does anyone have any experience with running OpenVPN on an OpenVZ VPS?
05:50 < bejo> /etc/openvpn/server.conf: 1: port: not found
05:51 < bejo> /etc/openvpn/server.conf: 2: proto: not found
05:51 < bejo> /etc/openvpn/server.conf: 3: dev: not found
05:51 < bejo> /etc/openvpn/server.conf: 4: ca: not found
05:51 < bejo> and others
05:51 < bejo> ....
05:51 < Fiouz> guy_: most software allow specific IP/interface binding, check your application documentation. if not found, you still have netfilter/iptables
05:51 < guy_> bejo: you need to specify those variables. Follow /usr/share/doc/openvpn/examples/
05:51 < Bushmills> bejo: don't run the config file
05:52 < Bushmills> run openvpn instead
05:53 < bejo> if i run /etc/init.d/openvpn restart
05:53 < bejo> fail :
05:54 < bejo> any this report
05:54 < bejo> * Stopping virtual private network daemon(s)...                                 *   Stopping VPN 'openvpn'                                              [ OK ] 
05:54 < bejo>  * Starting virtual private network daemon(s)...                                 *   Autostarting VPN 'openvpn'                                          [ OK ] 
05:54 < bejo>  *   Autostarting VPN 'server'                                           [fail]
05:54 < Bushmills> fix your config
05:55 < bejo> for server.conf ..?
05:55 < Bushmills> look at log files
05:55 < Bushmills> they tell you more about what is wrong than you tell us
05:56 < bejo> where i can see log file..?
05:57 < bejo> Bushmaills : /etc/openvpn/openvpn-status.log is empty
05:57 < Bushmills> read man page of openvpn.  look how to specify where to write logs
05:57 < iateadonut> ok.  i just ran those two commands myself and now i can ping...
05:58 < iateadonut> any idea why openvpn is not executing them?
05:58 < Bushmills> because it is full moon soon?
05:59 < iateadonut> big brain on bushmills
05:59 < iateadonut> wow, man... how did you know that?
05:59 < Bushmills> did you read about script-security ?
06:00 < iateadonut> actually, april 24, that's not sos soon.
06:00 < iateadonut> no, i didn't - are you asking me?
06:00 < Bushmills> that's probably why
06:01 -!- guy_ [~guy@bzq-79-181-45-203.red.bezeqint.net] has quit [Remote host closed the connection]
06:01 < iateadonut> where do i read about script-security?
06:01 < Bushmills> i'd try the man page
06:02 < Bushmills> you could try the yellow pages
06:02 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has quit [Remote host closed the connection]
06:02 < Bushmills> but man page will be more likely to have something to say about it
06:02 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
06:03 < mwheeler> Win Bushmills 
06:05 < Bushmills> irc support is great. you can come close to abusing people, and some even thank you for it :D
06:06 < bejo> my server.conf :
06:06 < bejo> port 1194
06:06 < bejo> proto udp
06:06 < bejo> dev tun
06:06 < bejo> ca /etc/openvpn/2.0/keys/ca.crt
06:06 < bejo> cert /etc/openvpn/2.0/keys/server.crt
06:06 < bejo> key /etc/openvpn/2.0/keys/server.key    
06:06 < bejo> dh /etc/openvpn/2.0/keys/dh1024.pem
06:06 < bejo> client-to-client                    
06:06 < bejo> server 10.10.10.0 255.255.255.0      
06:06 < bejo> ifconfig-pool-persist ipp.txt
06:06 < bejo> keepalive 10 120
06:06 < bejo> cipher AES-128-CBC   # AES
06:06 < bejo> comp-lzo
06:06 < bejo> persist-key
06:06 < bejo> persist-tun
06:06 < Bushmills> !paste
06:06 < bejo> user nobody
06:06 < vpnHelper> Bushmills: "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
06:06 < mwheeler> lrn2pastebin
06:06 < bejo> group nobody
06:06 < bejo> status openvpn-status.log
06:06 -!- iateadonut [~dan@221.0.151.147] has quit [Ping timeout: 258 seconds]
06:06 < bejo> verb 3
06:06 < bejo> what its unough..?
06:06 < bejo> enough
06:07 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has quit [Ping timeout: 264 seconds]
06:07 < mwheeler> bejo: just do openvpn server.conf
06:08 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
06:16 -!- iateadonut [~dan@221.0.151.147] has joined ##openvpn
06:22 -!- iateadonut [~dan@221.0.151.147] has quit [Ping timeout: 240 seconds]
06:24 -!- iateadonut [~dan@221.0.151.147] has joined ##openvpn
06:26 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
06:30 -!- iateadonut [~dan@221.0.151.147] has quit [Ping timeout: 240 seconds]
06:32 -!- iateadonut [~dan@221.0.151.147] has joined ##openvpn
06:33 < iateadonut> when i  --redirect-gateway i can ping the ip address of the server (the internet ip) and the server's VPN IP, but i can't ping anything else.
06:34 < iateadonut> and setting security to 3 had no effect
06:35 < iateadonut> and i keep getting logged out of linuxquestions after like 5 seconds.
06:35 < iateadonut> this OS i'm running is totally screwed.
06:36 < Fiouz> make sure IP forwarding is enabled and SNAT/MASQUERADE is enabled for WAN access
06:37 < Bushmills> iateadonut: set up server to either route or masquerade
06:38 < Bushmills> !nat
06:38 < vpnHelper> Bushmills: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
06:38 < Bushmills> server has no reason to let you ping anything else, unless you configure server to do so
06:41 < bejo> mwheeler : i was doing openvpn server.conf
06:41 < iateadonut> echo 1 > /proc/sys/net/ipv4/ip_forward
06:41 < iateadonut> iptables -P FORWARD ACCEPT
06:41 < iateadonut> iptables --table nat -A POSTROUTING -o tun0 -j MASQUERADE -s 10.8.1.1/24 
06:41 < iateadonut> iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE -s 10.8.1.1/24
06:41 < iateadonut> like that, right?
06:41 < bejo> any much report
06:41 < Bushmills> http://scarydevilmonastery.net/masq as comparison
06:43 < bejo> report at http://www.pastebin.ca/1864730
06:43 < bejo> what its mean..?
06:46 < Bushmills> it means, your time zone differs from mine
06:46 < iateadonut> i had this working before.  i think my client OS blew up.  i'll try my other OS
06:46 -!- iateadonut [~dan@221.0.151.147] has quit [Quit: Leaving.]
06:49 < bejo> and then, is there line at server.conf must be changed..?
06:51 < Bushmills> have you checked whether you are connected to the VPN?
06:53 < bejo> what its mean there specialy IP for VPN, not public IP ?
06:56 < Bushmills> rfc 1918 addresses are fine
06:56 < Bushmills> p in "vpn" means "private".  p in "public" doesn't mean "private"
06:58 < bejo> but v is virtual (likes)
06:58 < bejo> so its just like PV (private network)
06:58 < Bushmills> http://tools.ietf.org/html/rfc1918
06:58 < vpnHelper> Title: RFC 1918 - Address Allocation for Private Internets (at tools.ietf.org)
07:03 < mwheeler> 192.168/16 172.16/12 10/8 are all you need to know
07:05 < Bushmills> #!/usr/bin/env bash ??
07:05 < Bushmills> oops, sry.
07:07 < bejo> and then, if i use 10.10.10.0, what its false?
07:09 -!- drecute [~pdrealg@li85-35.members.linode.com] has joined ##openvpn
07:10 < Bushmills> 10.10.10.0 net is fine
07:11 < bejo> i conect to internet with this IP 125.162.237.xxx (ip public), what i can u ise for VPN server..?
07:11 < bejo>  what i can u ise it for VPN server..?
07:12 < Bushmills> !redirect
07:12 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
07:12 < drecute> can someone point me to a manual on openvpn encryption
07:13 < Bushmills> " what i can u ise for VPN server"   ... *your* VPN server
07:13 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Ping timeout: 276 seconds]
07:13 < Bushmills> there are also some vendors of vpn accounts
07:14 < Bushmills> but those usually provide the configs
07:14 < bejo> sorry, wrong to write what i can use it for VPN server..?
07:14  * Bushmills scratches head
07:15 < drecute> some manual that has to do with Hashmapping and MD5ing of VPN
07:15 < drecute> OpenVPN in this regard
07:15 < bejo> but, can public IP used for VPN server too..?
07:16 < j03> Hi. I think my OpenVPN Server is configured correctly... but then I try and connect, it asks for the password, which it initially accepts
07:16 < j03> then it asks for it again
07:17 < j03> I'm getting "AUTH_FAILED" errors
07:18 < Bushmills> !readme
07:18 < vpnHelper> Bushmills: Error: "readme" is not a valid command.
07:18 < bejo> !man
07:18 < vpnHelper> bejo: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
07:19 < drecute> any ideas pls
07:20 -!- openforall [~openforal@202.152.172.4] has joined ##openvpn
07:22 < openforall> drecute : can you copy configuraton to www.pastebin.ca
07:22 < j03> hmm... I've fixed my previous error
07:23 < openforall> j03 ; can you copy configuraton to www.pastebin.ca
07:24 < j03> Sure.
07:24 < j03> However, I think I've found the source of the problem.
07:25 < openforall> good...
07:25 < drecute> openforall: why
07:26 < drecute> openforall: i'm just asking for some manual for MD5ing VPN under OpenVPN
07:26 < drecute> as seen with IPsec
07:26 < Bushmills> bejo: http://soho.hgs.name/media/shorewalll-4.2.8/images/TwoNets1.png
07:27 < Bushmills> bejo: maybe better this one:  http://www.linux-user.de/ausgabe/2002/10/030-tunnel/firewall.png
07:28 < bejo> 10.0.0.0/8 for server side..?
07:28 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
07:28 < bejo> 192.168.1.0/24 for client side..?
07:28 < bejo> what its true..?
07:28 < Bushmills> if you *really* need 16 million clients on server, sure
07:29 < Bushmills> if you're fine with fewer clients, say 100 or so, you can just use a /24 net 
07:29 < bejo> you are joke..
07:29 < bejo> i jus have 25 computers
07:30  * Bushmills is dead serious
07:31 < bejo> Bushmills : for better goal, i must use 10.0.0.0 or 10.10.10.0
07:32 < bejo> ..?
07:32 < Bushmills> i use 10.86.80.0.  a friend uses  10.122.22.0
07:32 < Bushmills> results are identical
07:34 < Bushmills> echo "10.$(($RANDOM%255)).$(($RANDOM%255)).0/24"  is best
07:36 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
07:36 < bejo> is it mean i can use 10.0~254.0~254.0~24, for example 10.211.45.7 ?
07:37 < Bushmills>  10.211.45.0/24  or   10.211.45.0/26  etc, yes sure.
07:38 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
07:41 < bejo> mr bushmills : after i run openvpn server.conf, openvpn-status always change
07:42 < bejo> openvpn-status.log
07:42 < bejo> but only for time
07:42 < j03> how can one tunnel an internet connection through OpenVPN? I've set up my Server, and I can connect.
07:45 < bejo> mr bushmills : openvpn-status.log at private mesage
07:46 < openforall> j03 : how with your port forwarding..?
07:47 < j03> Sorry?
07:51 < krzee> !redirect
07:51 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
07:52 < j03> OK, Thanks.
07:52 < krzee> np
07:52 < Bushmills> glad you take over, krzee
07:52 < bejo> Bushmills : what VPNserver must use 10.x.x.1
07:52 < j03> So do I need to bridge two networks - is that basically what i'm doing?
07:53 < krzee> you dont need to bridge unless its layer2 traffic
07:53 < Bushmills> krzee: i am about to get baldheaded from headscratching
07:53 < krzee> Bushmills, damn what did i just get myself into, ;]
07:53 < j03> OK.
07:53 < krzee> !sample
07:53 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
07:53 < krzee> !def1
07:53 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
07:53 < krzee> what OS is the server?
07:54 < j03> Debian x64
07:54 < krzee> !linipforward
07:54 < vpnHelper> krzee: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
07:54 < krzee> !linnat
07:54 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
07:54 < krzee> there you go
07:54 < j03> my head melted a bit then
07:54 < krzee> bejo, how bout you? still need help?
07:54 < j03> Thanks :D
07:54 < bejo> yes.., sure..
07:55 < krzee> use any /24 that is very uncommon
07:55 < krzee> no client can connect if he happens to be on a LAN with the same ip addressing scheme
07:55 < krzee> which is why Bushmills told you to make it random
07:55 < j03> krzee: Are there any guides/tutorials on how to do it?
07:55 < krzee> j03, kinda... its called the howto and the manual
07:55 < krzee> !howto
07:56 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:56 < krzee> !manual
07:56 < vpnHelper> krzee: Error: "manual" is not a valid command.
07:56 < j03> Mwahaha
07:56 < krzee> you arent supposed to just type in junk from some guide
07:56 < j03> OK, I'll have a look.
07:56 < krzee> you are supposed to understand what you're doing
07:56 < j03> OK
07:57  * Bushmills gone. 
07:57 < krzee> !samesubnet
07:57 < vpnHelper> krzee: "samesubnet" is clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
07:57 < Bushmills> watching a match, meeting up with reiff in a few min
07:57 < krzee> ooo nice
07:57 < krzee> tell him i said wassu
07:57 < krzee> +P
07:57 < Bushmills> cid
07:58 < krzee> oh my god
07:58 < krzee> i went through like 2 packs of smokes last night
07:58 < krzee> damn drunken chainsmoking
07:59 < Bushmills> placebo kind?
07:59 < krzee> nope
07:59 < krzee> newports
07:59 < Bushmills> placebos :)
07:59 < krzee> lol
07:59 < krzee> do you understand the meaning of the word placebo?
08:00 < Bushmills> a pretend-to 
08:00 < krzee> google wasnt very helpful
08:00 < krzee> says it translates to placebo
08:00 < krzee> lol
08:01 < krzee> http://en.wikipedia.org/wiki/Placebo
08:01 < vpnHelper> Title: Placebo - Wikipedia, the free encyclopedia (at en.wikipedia.org)
08:01 < Bushmills> a smoke with tobacco only = a placebo :) 
08:01 < krzee> example is giving a patient sugar pills and they think it heals their problem
08:01 < krzee> ohhh
08:02 < krzee> we dont say that, but i got ya now
08:02 < krzee> i def smoked other as well ;]
08:02 < bejo> !lol
08:02 < Bushmills> yes, because those pills don't contain a really effective substance 
08:02 < vpnHelper> bejo: Error: "lol" is not a valid command.
08:03 < bejo> i think more valid wkwkwkkkwwwkkkkwkwk
08:04 < krzee> !factoids
08:04 < vpnHelper> krzee: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
08:10 < Bushmills> vpnHelper: placebo is a dose of a compound having no pharmacological activity given to a subject.
08:10 < vpnHelper> Bushmills: Error: "placebo" is not a valid command.
08:11 < krzee> !learn noenc as but you would use cipher none
08:11 < vpnHelper> krzee: Joo got it.
08:12 < Bushmills> !learn placebo as a dose of a compound having no pharmacological activity given to a subject.
08:12 < vpnHelper> Bushmills: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
08:13 < krzee> oooo
08:13 < krzee> rejected
08:13 < krzee> ;]
08:51 -!- drecute [~pdrealg@li85-35.members.linode.com] has quit [Ping timeout: 246 seconds]
08:52 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
08:56 -!- j03 [~6de08059@gateway/web/freenode/x-zuvcqjhkmcuvbqff] has quit [Quit: Page closed]
09:18 < openforall> Bushmills... you still there
09:28 -!- LeRrA [~lerra@c-94-255-212-180.cust.bredband2.com] has joined ##openvpn
09:30 < krzee> just ask :-
09:30 < krzee> :-p
09:34 -!- openforall [~openforal@202.152.172.4] has quit [Quit: Leaving]
09:34 < krzee> or that
09:36 -!- iateadonut [~dan@66.219.29.99] has joined ##openvpn
09:36 < iateadonut> bushmills: oh man, my OS (on my clientn) was screwed beyond recognition. i'm using another OS on the same computer (dual boot two mandriva versions) and it worked fine.
09:37 < iateadonut> thanks for your help today.
10:18 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:25 -!- bejo [~aryo@202.152.172.4] has quit [Quit: Leaving]
10:31 -!- guy_ [~guy@bzq-79-181-23-21.red.bezeqint.net] has joined ##openvpn
10:34 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
11:44 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:44 < Bushmills> now that was a good match
11:54 < krzee> whod ya watch?
11:55 < Bushmills> hamburg - mainz
11:55 < Bushmills> actually, the match wasn't that great. but the result was.
12:08 -!- le0 [~fin@cpc4-bele7-2-0-cust381.know.cable.virginmedia.com] has joined ##openvpn
12:08 -!- le0 [~fin@cpc4-bele7-2-0-cust381.know.cable.virginmedia.com] has quit [Changing host]
12:08 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
12:19 -!- j03 [~6de08059@gateway/web/freenode/x-cmwunbizaaafjpcg] has joined ##openvpn
12:19 < j03> Hey all.
12:25 < j03> I've got a working OpenVPN Server/Client setup, but I want clients to share the servers internet connection. Do I need to use OpenVPN?
12:43 < krzee> i already gave you what to do
12:44 < krzee> !redirect
12:44 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:44 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
12:46 < krzee> !def1
12:46 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
12:46 < krzee> !linnat
12:46 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
12:46 < krzee> !linipforward
12:46 < vpnHelper> krzee: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
12:46 < krzee> everything you need is clearly spelt out there
13:01 -!- Getterac7 [~wally@user-12l35v4.cable.mindspring.com] has joined ##openvpn
13:04 < Getterac7> Could someone point me to a how-to on setting up OpenVPN for client-to-client?  I have some friends that want to do LANs over VPN (similar to Hamachi minus the restrictions), is there some specific configurations i should look for?
13:10 < krzee> !route
13:10 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:10 < krzee> !sample
13:10 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
13:11 < Bushmills> no, for sharing internet you don't need openvpn
13:11 < krzee> !learn sample as these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
13:11 < vpnHelper> krzee: Joo got it.
13:11 < Bushmills> but for connecting clients to server through openvpn, you need openvpn
13:12 < krzee> right, internet sharing can be done with a socks server, or even a normal GRE tunnel
13:12 < Bushmills> or even without any vpn at all
13:12 < krzee> but if you already have openvpn setup, and then want to share inet, may as well use ovpn
13:13 < krzee> its 1 more line on the server config, a single NAT entry, and 1 change to a sysctl
13:14 -!- iateadonut [~dan@66.219.29.99] has left ##openvpn []
13:15 < Bushmills> openvpn doesn't disallow using your server for internet sharing. 
13:15 < Bushmills> it actually can facilitate it
13:16 < Bushmills> but what needs to be done on server, is about the same, whether you use openvpn to connect to it, or not.
13:19 -!- j03 [~6de08059@gateway/web/freenode/x-cmwunbizaaafjpcg] has quit [Ping timeout: 248 seconds]
13:19 < Getterac7> we aren't trying to share internet... we just want a virtual LAN to play LAN games and such with each other.  I don't want my whole LAN connected to someone else's LAN... i just want client-to-client setup.
13:20 < krzee> we were talking bout jo3
13:20 < krzee> for you,
13:20 < Getterac7> oh lol
13:20 < krzee> !redirect
13:20 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:20 < krzee> however, client to client traffic will always flow through the server
13:21 < Getterac7> so server will need relatively high bandwidth?  I won't be able to run 30-person VPN setup on a cable connection most likely?
13:21 < krzee> depends what they are doing
13:22 < Getterac7> ...lan games
13:22 < krzee> lol no
13:22 < krzee> unless your cablemodem is like ecrists
13:22 < krzee> he has like 50mbit cable
13:22 < Getterac7> christ..
13:22 < krzee> +e,-h
13:22 < Getterac7> i thought OpenVPN could setup a direct connect between clients?
13:23 < krzee> negative
13:23 < krzee> client traffic goes through the server always
13:23 < krzee> the nature of SSL vpns
13:23 < Getterac7> fail
13:23 < krzee> although i have an idea of how it could POSSIBLY one day be done
13:23 < Getterac7> any other options for a VPN with direct client-to-client traffic?
13:23 < krzee> and its on the wishlist
13:23 < krzee> !wishlist
13:23 < vpnHelper> krzee: "wishlist" is http://ovpnforum.com/viewforum.php?f=10 for the openvpn wishlist
13:23 < krzee> ipsec and hamachi do it
13:24 < krzee> however i dont think either can tunnel layer2, which you need for lan gaming
13:24 < Getterac7> we can't use Hamachi... it is limited to 10-person groups or something.
13:24 < krzee> you prolly need a colo on a fast line to be your server
13:24 < krzee> (like anyone else hosting 30 user game servers ;)
13:25 < Getterac7> dang... lol
13:25 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
13:25 < Bushmills> client-to-client
13:25 < Bushmills> !client-to-client
13:25 < vpnHelper> Bushmills: "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
13:25 < vpnHelper> Bushmills: other clients
13:25 < Bushmills> ^^^^ Getterac7
13:25 < krzee> Bushmills, he wants it direct without hitting the server
13:25 < Bushmills> (though traffic goes through server)
13:26 < krzee> c2c config option just controls how the server handles those types of packets
13:26 < Getterac7> yeah, i was hoping to lower the bandwidth required by the server.
13:27 < Getterac7> i don't exactly have money to buy a large pipe.
13:27 < krzee> game server VPS shouldnt cost THAT much
13:28 < Bushmills> especially not if people throw together
13:29 < Getterac7> any comments on this software? http://www.poptop.org/
13:29 < vpnHelper> Title: Poptop - Open Source PPTP Server (at www.poptop.org)
13:29 < krzee> yes
13:29 < krzee> !pptp
13:29 < vpnHelper> krzee: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
13:29 < vpnHelper> krzee: read about why to not use pptp
13:30 < Getterac7> i have no care for security... i don't care that people can see my game traffic.
13:30 < Bushmills> half an hour ago, different channel:  http://scarydevilmonastery.net/snap/1271529000380332047.png
13:30 < Getterac7> i just really need point-to-point connections.
13:31 < Getterac7> oh fail, that dosn't sound good.
13:31 < Bushmills> and for a funny reason too
13:33 < Bushmills> you may want to check out anytun or vtun, whether they suit your purposes. i honestly don't know.
13:34 < Getterac7> hrm, i'll look into them.
13:34 < Bushmills> tinc might also be an option
13:37 -!- guy_ [~guy@bzq-79-181-23-21.red.bezeqint.net] has quit [Quit: Lost terminal]
13:40 < Getterac7> Well i thank you all for help and suggestions.  Time to do some more research!
13:40 -!- Getterac7 [~wally@user-12l35v4.cable.mindspring.com] has left ##openvpn []
13:59 -!- master_of_master [~master_of@p57B56D48.dip.t-dialin.net] has quit [Ping timeout: 246 seconds]
14:01 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
14:34 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
14:47 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
15:17 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
15:35 -!- krzee [~k@unaffiliated/krzee] has quit [Quit: Leaving]
15:46 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
15:56 -!- JRandolph [~Casper@207.126.40.193] has joined ##openvpn
15:56 -!- JRandolph [~Casper@207.126.40.193] has left ##openvpn []
16:05 -!- torrance1 [~torrancew@ip70-172-225-171.br.br.cox.net] has quit [Quit: leaving]
17:12 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Ping timeout: 264 seconds]
17:12 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
17:27 -!- blueboxthief [~None_of_y@86-46-78-41-dynamic.b-ras1.wtd.waterford.eircom.net] has joined ##openvpn
17:27 < blueboxthief> Hi there.
17:29 < blueboxthief> I am looking for some help on OpenVPN 2.1 running on Mac OS X 10.5 as server and client. I wonder if someone would be available to gimme a hand?
17:30 -!- Bloodsong [~Nimbus@bas13-toronto12-1167984050.dsl.bell.ca] has joined ##openvpn
17:38 -!- j03 [~cee110df@gateway/web/freenode/x-lctcnnsegjrdnqms] has joined ##openvpn
17:38 -!- j03 [~cee110df@gateway/web/freenode/x-lctcnnsegjrdnqms] has quit [Client Quit]
17:41 -!- j03 [~cee110df@gateway/web/freenode/x-khchglednatmfrqt] has joined ##openvpn
17:42 < j03> Could a slow-ish processor running the OpenVPN make download speed slow?
17:42 < Bloodsong> Define slow-ish...
17:42 < Bloodsong> I run oVPN off a Linksys WRT54G v3.0, and get decent speeds.
17:44 < krzee> blueboxthief, its no different on osx than any other OS
17:44 < j03> Well
17:44 < krzee> thats one beautiful thing about openvpn :)
17:44 < j03> My friend is getting a download speed of 120KB/s
17:44 < krzee> well except that you need tuntap kext
17:44 < j03> I am getting a download speed of 1200KB/s
17:44 < krzee> !factoids search tuntap
17:44 < vpnHelper> krzee: "mactuntap" is http://tuntaposx.sourceforge.net/ for osX tuntap drivers
17:45 < blueboxthief> krzee: hea there. yep I got that installed on both server & client.
17:46 < krzee> so whats the problem?
17:46 < blueboxthief> I followed this set of instructions: http://tinyapps.org/docs/openvpn/
17:46 < vpnHelper> Title: TinyApps.Org : Simple OpenVPN Server and Client Setup for OS X 10.5 Leopard (at tinyapps.org)
17:46 < blueboxthief> which seems ok. 
17:46 < krzee> what version installed?
17:47 < blueboxthief> I get as far as starting the tunnel from the "office" to the "home" side, and then start the home to office, but no traffic passes.
17:47 < blueboxthief> What version of OpenVPN?
17:47 < krzee> right
17:47 < krzee> i install from source on my apples
17:47 < blueboxthief> Herm..
17:47 < blueboxthief> This is the version I installed: OpenVPN 2.1.1 i386-apple-darwin9.8.0 [SSL] [LZO2] 
17:48 < krzee> ok thats cool
17:48 < krzee> whats your goal?
17:48 < blueboxthief> I go as far as step "V. Encrypted Tunnel Test"
17:49 < blueboxthief> My goal is to a) connect to my home network via OpenVPN, and b) pass all Internet traffic out thru whatever connection I have "locally"
17:49 < krzee> im really not a fan of those walkthroughs
17:49 < krzee> ok so you do NOT want to redirect internet traffic over the vpn
17:49 < blueboxthief> I only got the OpenVPN book after I installed it..
17:49 < blueboxthief> Nope
17:49 < krzee> but you want to connect to the lan on other side of the vpn
17:49 < blueboxthief> It would be too slow
17:50 < blueboxthief> Yep.
17:50 < krzee> would you like multiple vpn users?
17:50 < blueboxthief> Network shares, ssh servers
17:50 < blueboxthief> Nope, just me
17:50 < krzee> maybe 1 from home 1 from your laptop...
17:50 < blueboxthief> Nope. 
17:50 < blueboxthief> Only to be able to connect to "home" from "laptop".
17:50 < blueboxthief> and the hosts that are on that "home" LAN
17:51 < krzee> ok, ive never routed a lan in ptp mode but im sure you can
17:51 < krzee> and you dont mind that you are using a static key instead of certificates?
17:51 < blueboxthief> I can show you the startup log of the laptop and the "home-vpn server" f it helps.
17:51 < krzee> sure, show me these:
17:51 < krzee> !configs
17:51 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
17:51 < krzee> !logs
17:51 < vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
17:51 < krzee> verb 5 is fine
17:52 < blueboxthief> Well, not really. In that I understand it is slightly insecure if the key is found.
17:52 < blueboxthief> Ok one tic..
17:53 < Bloodsong> Yeah, for 1-to-1 I'd suggest static and just change it once in a while when you're board :P
17:54 < Bloodsong> bored even
17:54 < blueboxthief> Good idea.
17:54 < Bloodsong> Also for running into a network, I find there's nothing easier routing wise than having the router be your OpenVPN server... but you have to be willing to play with Tomatoe or DD-WRT or some such.
17:55 < blueboxthief> yeah, I will at some point get to that..
17:55 < blueboxthief> i use a dumb netopia  dsl router, and do NATing on it. I will eventually change that to something smarter..
17:56 < krzee> no biggie tho, you just add a route to the router if ovpn isnt on it
17:56 < krzee> as explained here
17:56 < krzee> !factoids search route
17:56 < vpnHelper> krzee: 'winroute', 'iroute', 'router', 'route', 'routebyapp', and 'route_outside_openvpn'
17:56 < blueboxthief> maybe just passthrough all traffic to a bsd machine running openvpn
17:56 < krzee> !route_outside_openvpn
17:56 < vpnHelper> krzee: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
17:56  * Bloodsong nods
17:56 < Bloodsong> Anyway I think people are gonna drag me out, I'll be back in a while.
17:56 -!- Bloodsong [~Nimbus@bas13-toronto12-1167984050.dsl.bell.ca] has quit [Quit: Leaving]
17:57 < blueboxthief> hmm, my find for server.conf isn't finding anything other than example configs...
17:58 < krzee> you should know your config files name
17:58 < krzee> you made it...
17:59 < krzee> oh i forgot you are using some walkthrough
17:59 < blueboxthief> yep ;)
17:59 < krzee> skip to the section where you make real configs
17:59 < krzee> lol
17:59 < krzee> i hate those walkthroughs
18:00 < blueboxthief> i was going to say i went as far as the ping test at the bottom of step v
18:00 < krzee> they are the source of almost all openvpn questions that actually have something to do with openvpn and not just basic networking
18:00 < blueboxthief> haha..
18:00 < krzee> right, but i dont want to have to read walkthrough #1000
18:00 < krzee> i dont read them, i value them as worthless and move on
18:00 < blueboxthief> yeah I know where the issue is...../me indicates to BIG general circle "over there"
18:03 < blueboxthief> ok, I'm just making the configs now
18:05 < krzee> cool
18:05 < krzee> no sense in troubleshooting some middle step in a walkthrough
18:05 < krzee> lets just get you up and running :-p
18:05 < blueboxthief> ta :)
18:07 < blueboxthief> ok, confs built, test started, starts up, but no traffic passes..
18:07 < blueboxthief> i'll copy the confs into pastebin now
18:09 < blueboxthief> ok, "remote end" config: http://pastebin.com/8mYGF770
18:10 < blueboxthief> laptop end config: http://pastebin.com/KZZnx7Kr
18:19 < blueboxthief> ok, remote end startup log: http://pastebin.com/Cp4Q4Fap
18:19 < krzee> laptop you want nobind
18:19 < krzee> and the logs...?
18:19 < krzee> you are starting this as root, right?
18:20 < blueboxthief> yep, starting both ends as root
18:21 < blueboxthief> and here is the client startup log: http://pastebin.com/c97cjF4T
18:23 < blueboxthief> nobind is if i want openvpn to use some other port than 1194, right?
18:26 < krzee> nobind on the client
18:26 < krzee> !man
18:26 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:26 < krzee> what LAN networks is the server and client on?
18:27 < krzee> (the ip ranges for each LAN)
18:27 < blueboxthief> This is I think where the issue might be.
18:28 < blueboxthief> The LAN range on the remote side is 192.168.1.0/24
18:28 < blueboxthief> And its the same on the client side: 192.168.1.0/24
18:28 < krzee> thats not gunna work
18:28 < krzee> its not the problem yet, but you cant share the lan like that
18:28 < krzee> !samesubnet
18:28 < blueboxthief> hehe, I didn't think so..
18:28 < vpnHelper> krzee: "samesubnet" is clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
18:29 < blueboxthief> ok...well thats easy. i can change the subnet of this LAN
18:29 < krzee> solution to that, change 1 of the lans
18:29 < krzee> yup
18:29 < krzee> and since you wont be connecting from laptop in the wild, that will work fine
18:30 < blueboxthief> huh?
18:30 < krzee> you will only be connecting from home
18:30 < krzee> from a network you control to not conflict
18:30 < krzee> otherwise its a bad idea to have a common subnet on the lan you use over the vpn
18:30 < krzee> because any time you go to a place with conflicting subnet, it wouldnt work
18:30 < blueboxthief> hmm..my intention is to use this vpn tunnel to connect to my home network from outside it...
18:31 < krzee> oh
18:31 < krzee> i thought it was to connect to work
18:31 < blueboxthief> ja...
18:31 < blueboxthief> no...
18:31 < krzee> are you testing this while home?
18:31 < blueboxthief> no, I am connected from a different network, that *just so happens* to have the same subnetting
18:32 < krzee> ok
18:32 < blueboxthief> ISP customer default setup #1 <-------------> ISP customer default setup #2
18:33 < blueboxthief> at the moment...but I will be using this OpenVPN setup when connecting from wifi hotspots, work, other offices, etc
18:33 < krzee> then be sure the lan you want shared is a very uncommon subnet
18:33 < blueboxthief> i can change the subnet of this network where I am now.
18:33 < krzee> if you're not afraid of using certs i can guide you the way i do it
18:33 < blueboxthief> Hmm. good point. I can change than when I get home tomorrow.
18:34 < krzee> also, that log wasnt complete
18:34 < blueboxthief> Yeah, I am ok with creating certs. I do it regularly for my work
18:34 < blueboxthief> Oh? What was missing? I just grabbed the output to the terminal
18:34 < krzee> it hadnt finished connecting
18:34 < blueboxthief> oh ok...
18:34 < blueboxthief> lemme rerun it
18:34 < krzee> and after it does, i want you to ping the other side
18:35 < krzee> and then ping FROM the other side
18:35 < blueboxthief> ok
18:37 < krzee> we'll keep like this, but if it doesnt work out we'll switch to what i do ;)
18:37 < krzee> i always use certs
18:37 < blueboxthief> sure ok.
18:37 < blueboxthief> it looks like its connected...
18:37 < blueboxthief> getting WrWrWr on server end, and rrrrr on client end
18:38 < krzee> ahh
18:38 < blueboxthief> I'll copy and paste if you want
18:38 < krzee> we have a firewall issue :)
18:38 < blueboxthief> ok
18:38 < krzee> on 1 of the machines
18:38 < blueboxthief> neither of those routers are open to pass port 1194, which was one thing i thought of
18:38 < krzee> who was pinging who?
18:38 < krzee> nah its not the router
18:38 < blueboxthief> both
18:39 < krzee> both at the same time?
18:39 < blueboxthief> remote end ---> client end and vice-versa
18:39 < blueboxthief> yep
18:39 < krzee> or when each pinged, same results in WRWRWR RRRRR
18:39 < blueboxthief> one sec i'll repeat
18:39 < krzee> well do the pings separate
18:39 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Quit: Leaving...]
18:40 < blueboxthief> ok, client --> remote:
18:40 < blueboxthief> on client side: rrrrrrrrrrrrrrrr
18:41 < blueboxthief> on server side: one W
18:41 < blueboxthief> server --> client:
18:41 < blueboxthief> on client side: nothing
18:41 < blueboxthief> on server side: WWWWWWWrWrWWrWrWrWrWrWrWrWrWr
18:42 < krzee> client pinging server all you got was RRRR ?
18:42 < krzee> on the client
18:42 < krzee> thats pretty odd, ild expect WWWWW
18:42 < blueboxthief> yep
18:42 < blueboxthief> doing it now again..rrrrrrrrrrrrrrrrrr
18:43 < krzee> well ya, its being blocked by firewalls on those machines
18:43 < blueboxthief> hmm, lemme look at that
18:43 < blueboxthief> my laptop should have it turned off
18:45 < blueboxthief> yep: laptop "allow all incoming connections"
18:45 < krzee> well the connection is made, so its not outter firewalls
18:46 < blueboxthief> ok, firewall should be off on the remote end too
18:46 < krzee> tcpdump the tun interfaces and do those pings again
18:46 < krzee> (1 at a time)
18:46 < blueboxthief> using this command from commandline: http://www.macosxhints.com/article.php?story=20080110103812947
18:46 < vpnHelper> Title: 10.5: Control the firewall from the command line - Mac OS X Hints (at www.macosxhints.com)
18:50 < blueboxthief> listening on tun0, link-type NULL (BSD loopback), capture size 96 bytes
18:50 < blueboxthief> 00:50:00.494426 IP 10.0.0.2 > 10.0.0.1: ICMP echo request, id 2822, seq 0, length 64
18:50 < blueboxthief> thats it/
18:50 < blueboxthief> -/
18:51 < krzee> only 1 time?
18:51 < krzee> you only sent 1 ping?
18:51 < krzee> are you sniffing both sides of the connection?
18:51 < blueboxthief> no they are continually sent
18:51 < blueboxthief> yet both side
18:52 < blueboxthief> sudo tcpdump -vv -i tun0
18:52 < krzee> does the other side receive the request?
18:52 < blueboxthief> nope
18:52 < blueboxthief> tcpdump: listening on tun0, link-type NULL (BSD loopback), capture size 65535 bytes
18:52 < krzee> ok now ping the other way around
18:54 < blueboxthief> nope, other side receives nothing
19:01 < krzee> so same deal both ways
19:02 < blueboxthief> yup
19:02 < blueboxthief> i was thinking that maybe due to both ends being connected via wireless
19:03 < krzee> nope
19:04 < krzee> you may see replay errors in logs cause of that, but thats all
19:04 < krzee> did you say earlier the server doesnt have the vpn port open?
19:04 < blueboxthief> the router on the side of the server doesnt..
19:05 < blueboxthief> i do NATing for SSH, and SFTP thats all thats open from the outside
19:05 < krzee> how the hell do they make a connection at all?
19:05 < krzee> hrm, maybe they arent
19:06 < blueboxthief> hehe..
19:06 < krzee> im used to reading client/server logs
19:06 < krzee> this is peer to peer
19:06 < blueboxthief> well I can open a port for them
19:06 < blueboxthief> eh..yeah I guess so..
19:06 < blueboxthief> well..
19:06 < krzee> go open the vpn port UDP for the server side only
19:06 < blueboxthief> ok, that'll take a bit..
19:06 < blueboxthief> using links for a browser...
19:07 < krzee> im in no rush
19:07 < krzee> just sitting here workin
19:08 < blueboxthief> heh, I should be in bed by now!
19:14 < krzee> thats when i get all my best work done
19:24 < blueboxthief> ok, so the only port required is 1149?
19:25 < krzee> correct
19:25 < blueboxthief> cool
19:26 < krzee> unless of course you choose to run it on a different port ;]
19:27 < blueboxthief> i'll go with vanilla for the moment, then i'll start changing it
19:30 < blueboxthief> hmm, ok it looks like the port it open
19:30 < blueboxthief> one tic
19:35 -!- j03 [~cee110df@gateway/web/freenode/x-khchglednatmfrqt] has quit [Ping timeout: 248 seconds]
19:42 -!- Gabe_G23_ is now known as Gabe_G23
19:42 -!- Gabe_G23 [~gabe@s66-76-118-56.eldocmta01.eldoar.lr.sta.suddenlink.net] has quit [Changing host]
19:42 -!- Gabe_G23 [~gabe@bzflag/player/GabrielG] has joined ##openvpn
19:47 -!- Bloodsong [~Nimbus@bas13-toronto12-1167984050.dsl.bell.ca] has joined ##openvpn
19:49 < blueboxthief> krzee: I have to wait until this server updates its IP to the dyn dns service
19:49 < blueboxthief> it could be a while...:(
19:49 < krzee> or you could plug in the IP to the config for testing :-p
19:50 < krzee> oh, of course that assumes you know it
19:50 < blueboxthief> nope
19:50 < blueboxthief> it doesnt work
19:50 < blueboxthief> yeah i know it
19:50 < krzee> umm yes it works by ip
19:50 < krzee> all DNS is is a method for humans to remember IPs
19:50 < blueboxthief> no i mean the IP has changed
19:51 < krzee> cause we take to words better than 4 octets of numbers
19:51 < Bloodsong> Yeah, krzee is suggesting you some how know what the new IP is.
19:51 < krzee> [17:53]  <blueboxthief> yeah i know it
19:52 < blueboxthief> No: the IP on the router has changed as I had to reboot it. 
19:52 < blueboxthief> I knew what the old one was
19:52 < blueboxthief> I had hope it would be the same but..no
19:52 < krzee> gotchya
19:52 < krzee> the dyndns isnt on the router i take it
19:53 < blueboxthief> Nope..
19:53 < blueboxthief> I must see if this netopia box has dyn support
19:54 -!- straterra [~straterra@2001:470:8a81::4] has joined ##openvpn
19:54 < straterra> !welcome
19:54 < vpnHelper> straterra: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:54 < straterra> !interface 
19:54 < vpnHelper> straterra: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
19:55 < straterra> Bah
19:55 < straterra> Is there a decent HTTP interface for managing OpenVPN? Something like easy-rsa, but over http
19:56 < krzee> depends
19:56 < krzee> with the opensource version, and the keyword being decent... no
19:56 < krzee> however
19:56 < krzee> !AS
19:56 < vpnHelper> krzee: Error: "AS" is not a valid command.
19:56 < krzee> !factoids search access
19:56 < vpnHelper> krzee: "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations options
19:56 < vpnHelper> krzee: supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://beta.openvpn.net/index.php/access-server/download-openvpn-as.html
19:56 < krzee> however, we do not support Access Server here
19:57 < krzee> and its not free or open source
19:57 < krzee> but it is a product from the openvpn company
19:58 < Bloodsong> Is AS compeletely closed?
20:00 < krzee> well its based on openvpn, but basically yes
20:02 < blueboxthief> krzee: ok, I am going to have to wait til til is updated. if you're around tomorrow night/afternoon I'd appreciate your help again
20:03 < blueboxthief> no sure where you are...EU?
20:03 < krzee> near usa
20:03 < krzee> in the caribbean
20:03 < blueboxthief> ah ok..
20:03 < krzee> but you can think of it as new york for time purposes ;]
20:03 < krzee> although my sleep schedule is far from normal... in that way im more like australia
20:03 < blueboxthief> so if you're around tomorrow night i'll be in again
20:03 < blueboxthief> haha
20:03 < blueboxthief> I hear ya
20:04 < krzee> anyways
20:04 < krzee> make a note of this
20:04 < krzee> if it does work pinging across
20:05 < krzee> you will need a route entry for the lan behind the server, in your client config
20:05 < krzee> and you will need a route added to your router on server side
20:05 < blueboxthief> yep, after I change my subnet here.
20:05 < krzee> as explained better (but with way more stuff also explained) here:
20:05 < krzee> !route
20:05 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:06 < krzee> !factoids search outside
20:06 < vpnHelper> krzee: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
20:06 < krzee> that should finish you off, but i should be around if you need help
20:06 < krzee> read that doc tho, i spent a lot of time on it and i think its a good read ;)
20:06 < blueboxthief> Great, I appreciate it.
20:06 < krzee> np
20:06 < blueboxthief> I will read it..thanks again. 
20:07 < blueboxthief> enjoy your evening/morning/afternoon/night
20:07 < blueboxthief> laters
20:07 -!- blueboxthief [~None_of_y@86-46-78-41-dynamic.b-ras1.wtd.waterford.eircom.net] has quit [Quit: It ain't BitchX that's for sure]
20:25 -!- tjz [~pc@bb116-14-141-167.singnet.com.sg] has joined ##openvpn
20:25 -!- tjz [~pc@bb116-14-141-167.singnet.com.sg] has quit [Changing host]
20:25 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
21:05 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
21:05 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 252 seconds]
21:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
21:12 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
21:17 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
22:40 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
22:57 -!- voleoso [~voleoso@212.117.160.22] has joined ##openvpn
22:57 < voleoso> does anyone here know anything about TomatoVPN?
22:59 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
23:12 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:54 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
--- Day changed Sun Apr 18 2010
00:03 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
00:23 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
01:24 -!- Bloodsong [~Nimbus@bas13-toronto12-1167984050.dsl.bell.ca] has quit [Quit: Leaving]
02:03 -!- rkantos_ [robin@hp1.jaketus.net] has quit [Remote host closed the connection]
02:20 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
02:21 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
02:32 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Quit: Leaving...]
02:33 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:34 -!- mode/##openvpn [+o mattock] by ChanServ
02:54 -!- ufoman [ufoman@kolos.math.uni.lodz.pl] has joined ##openvpn
02:55 -!- meepmeep_ [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
02:55 -!- atlantic_ [~atlantic@hok.duf.hu] has joined ##openvpn
02:56 -!- tjz_ [~pc@bb116-14-141-167.singnet.com.sg] has joined ##openvpn
02:56 -!- Netsplit *.net <-> *.split quits: meepmeep, atlantic, ufoman_, tjz
04:33 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:01 -!- seemant [~trinity@unaffiliated/seemant] has joined ##openvpn
05:09 -!- seemant [~trinity@unaffiliated/seemant] has left ##openvpn []
05:51 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
05:54 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
06:03 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
06:06 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
06:26 -!- straterra [~straterra@2001:470:8a81::4] has left ##openvpn []
06:42 -!- voleoso [~voleoso@212.117.160.22] has quit [Remote host closed the connection]
06:43 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
06:58 -!- redfox [~redfox2@ns351996.ovh.net] has quit [Remote host closed the connection]
07:10 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
07:10 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
07:22 -!- MatBoy [~MatBoy@wiljewelwetenhe.xs4all.nl] has joined ##openvpn
07:22 < MatBoy> guys, is there a decent way to route all traffic over your VPN when you are connected to the remote side ? 
07:27 -!- redfox [~redfox2@ns351996.ovh.net] has joined ##openvpn
07:28 -!- redfox is now known as Guest93590
07:43 -!- blueboxthief [~None_of_y@86-46-78-41-dynamic.b-ras1.wtd.waterford.eircom.net] has joined ##openvpn
07:43 < blueboxthief> ay Back later on
07:43 < blueboxthief> ay
07:45 < Bushmills> !redirect
07:45 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
07:45 < Bushmills> MatBoy: ^^^
07:47 < MatBoy> Bushmills: yes, but with all these default 192 and 10 ranges at home you have an issue.... I think you need to use 172 at the office than ?
07:47 < Bushmills> i don't see the issue,
07:47 < Bushmills> for all destination you have routes to, default route doesn't apply
07:48 < MatBoy> Bushmills: at the moment I'm in a 192.168.1.0 range and connect to a vpn with the same range...
07:49 < Bushmills> i was replying to your "route all traffic" question, and not to your "how to avoid network conflicts" question. in fact, the latter i haven't seen or looked at yet
07:49 < MatBoy> I'm thinking about using the 172 range @ companies form now on
07:49 < MatBoy> *from
07:50 < Bushmills> 10.x.x.0 gives you the widest selection, therefore the smallest potential of conflict
07:50 < Bushmills> that assumes your remote doesn't use 10.0.0.0/8 as lan
07:51 < MatBoy> true
07:51 < MatBoy> I have checked some corporate customers and most use the 10 range indeed
07:52 < Bushmills> but if they use /0, those 16 million address will probably not be enough, and they will claim whole 172.16.0.0/20 too 
07:53 < Bushmills>  (8
07:54 < Bushmills> well, assuming /24 nets, your chance of conflict is about 1:65000 vs 1:4000
07:57 < MatBoy> hehe
08:04 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
08:05 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
08:07 -!- insane^ [~un@ppp-93-104-87-222.dynamic.mnet-online.de] has quit [Ping timeout: 264 seconds]
08:17 -!- insane^ [~un@ppp-82-135-91-155.dynamic.mnet-online.de] has joined ##openvpn
08:39 -!- aryo [~aryo@202.152.172.5] has joined ##openvpn
08:41 < MatBoy> ok, it might be that I'm going to the the 172 range
08:49 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:12 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
09:17 -!- aryo [~aryo@202.152.172.5] has quit [Quit: Leaving]
09:35 -!- jforman [~jforman@unaffiliated/jforman] has joined ##openvpn
10:05 < julius> is there any option to make openvpn client directly connect to each other?
10:05 < julius> keeping the server from having to route all the traffic
10:06 < julius> now that I've written it - that'd increase complexity extremely, never mind :-/
10:06 < rob0> Not really. The only way to do "full mesh" is to run tunnels from each point to each other point.
10:07 < rob0> OTOH, I think it might be possible to use a server as a central authentication point such that clients could route traffic directly to other clients.
10:08 < rob0> but yes, it would probably be a feature for 3.0 or 4.0
10:08 < julius> sounds cool
10:32 -!- tjz_ [~pc@bb116-14-141-167.singnet.com.sg] has quit [Quit: bbl.]
10:52 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 265 seconds]
11:30 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
11:37 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
11:38 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:46 -!- guy_ [~guy@bzq-109-67-53-93.red.bezeqint.net] has joined ##openvpn
11:47 < guy_> I've managed to set up openvpn however whenever a client tries to connect I get the error "read UDPv4 [ECONNREFUSED]: Connection refused (code=111)" , anyone got a clue why ? (all the keys are correct, etc)
11:50 < |Mike|> is your openvpn daemon started ?
11:50 < guy_> Yes
11:50 < |Mike|> and openvpn-server ? 
11:50 < guy_> I just ran /etc/init.d/openvpn start, I think it's up
11:51 < guy_> That's a server log BTW ^, not the client log
11:51 < |Mike|> !logs
11:51 < vpnHelper> |Mike|: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
11:54 < guy_> client: pastebin.ca/1866499 server:1866500
11:58 < guy_> |Mike|: any luck ?
11:59 < |Mike|> pastebin.ca doesn't seem to work from here
12:00 < Fiouz> pastebin.ca doesn't work over IPv6
12:01 < guy_> Does pastebin.com work over ipv6?
12:01 < |Mike|> nope 
12:01 < guy_> :/ 
12:02 < guy_> Which server does then?
12:02 < |Mike|> hmz, can't even reach it over ipv4 :s
12:02 -!- guy_ [~guy@bzq-109-67-53-93.red.bezeqint.net] has quit [Quit: Reconnecting]
12:03 -!- guy_ [~guy@109.67.53.93] has joined ##openvpn
12:03 < guy_> Fiouz, |Mike| : ?:/
12:04 < Fiouz> I can access pastebin.com (it's a IPv4 only server)
12:05 < Fiouz> try zpaste.org
12:05 < guy_> kk
12:05 < guy_> server: http://zpaste.org/21799
12:06 < guy_> client: http://zpaste.org/21800
12:08 < |Mike|> maybe a firewall is in between ?
12:08 < |Mike|> !welcome
12:08 < vpnHelper> |Mike|: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:09  * Bushmills doesn't associate firewall with "welcome", but with "stay out"
12:09 < guy_> |Mike|: I'm running it from my own LAN,The box'es IP are 10.0.0.1/11 , is it possible ?
12:09 < |Mike|> Bushmills: :P
12:10 < guy_> I've also forwarded all 6969 to 172.16.0.1 :/
12:10 < |Mike|> and your openvpn server uses 172.x range, correct?
12:10 < guy_> yes
12:10 < |Mike|> ok, that shouldn't clash then.
12:10 < |Mike|> have you checked if port 6969 is open ? (netstat / telnet .... )
12:10 < guy_> nmap..
12:11 < guy_> http://zpaste.org/21805
12:12 < |Mike|> there ya go, must be a firewall then
12:12 < |Mike|> see topic :D
12:12 < guy_> lol?wtf?
12:13 < Fiouz> "Sun Apr 18 19:47:13 2010  us=421148 There are no TAP-Win32 adapters on this system"
12:13 < Fiouz> (client log)
12:13 < guy_> Fiouz: I've configured it, it says on win32 that the "LAN connection is d/c" 
12:13 < guy_> s/connection/cable
12:16 < guy_> Any idea?:/
12:16 < Fiouz> try specifying the dev-node option? openvpn doesn't seem to open any tap-win32 device
12:16 < guy_> I've set it to "MyTap", and also renamed the device, is there anything else I should do ?
12:17 < guy_> (and also defined it in my conf)
12:19 < Fiouz> that should be enough, but if it still doesn't work and you only have 1 tap device, try removing the option (it should use the only available device, regardless of its name)
12:21 < guy_> Same error
12:22 < Fiouz> try a newer version of openvpn
12:22 < Fiouz> 2.1.1 is the current version (you currently have 2.0.9)
12:23 < Fiouz> it has an updated tap driver
12:23 < guy_> Where can I fetch it ? (client,win32 version)
12:23 -!- krzee [~k@unaffiliated/krzee] has left ##openvpn ["Leaving"]
12:27 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
12:28 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
12:31 < Fiouz> http://openvpn.net/index.php/open-source/downloads.html
12:31 < vpnHelper> Title: Downloads (at openvpn.net)
12:32 < krzee> aka !download
12:36 < guy_> Weird, it worked.
12:37 -!- blueboxthief [~None_of_y@86-46-78-41-dynamic.b-ras1.wtd.waterford.eircom.net] has quit [Remote host closed the connection]
12:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
12:58 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
13:14 -!- olli [~sag@188-193-229-244-dynip.superkabel.de] has joined ##openvpn
13:47 -!- olli [~sag@188-193-229-244-dynip.superkabel.de] has quit [Quit: Sperma die Tür auf. ..]
13:49 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
13:57 -!- guy_ [~guy@109.67.53.93] has quit [Remote host closed the connection]
13:57 < krzee> hahah
13:57 < krzee> i just found a post from ecrist 
13:57 < krzee> while search for AFP in fbsd
13:57 < krzee> i found http://www.caboo.se/articles/2006/1/18/apple-file-sharing-via-freebsd
13:57 < vpnHelper> Title: caboose Apple File Sharing (AFP) via FreeBSD (at www.caboo.se)
13:57 < krzee> Eric Crist Says: 
13:57 < krzee> January 13th, 2009 at 12:23 PM 
13:57 < krzee> I've got a similar how-to, updated, with PAM information at the following URL:
13:57 < krzee> http://www.secure-computing.net/wiki/index.php/AppleFileSharing
13:59 -!- jforman [~jforman@unaffiliated/jforman] has left ##openvpn []
13:59 < krzee> but broken link :(
14:00 < krzee> hey ecrist, http://www.secure-computing.net/wiki/index.php/Transfer_Mail.app
14:00 < vpnHelper> Title: Transfer Mail.app - Secure Computing Wiki (at www.secure-computing.net)
14:00 < krzee> you say
14:00 < krzee> Note, the file name may be com.apple.mail on more recent versions of OS X. Unix systems are CaSe SeNsItIvE.
14:00 < krzee> but thats not true in osx
14:00 < krzee> its case insensitive
14:01 < krzee> jeffs-Mac-Pro:test jeff$ ls
14:01 < krzee> TeSt
14:01 < krzee> jeffs-Mac-Pro:test jeff$ cat test
14:01 < krzee> bleh
14:10 < krzee> oh and i found the right link, it was http://www.secure-computing.net/wiki/index.php/Apple_File_Sharing
14:10 < vpnHelper> Title: Apple File Sharing - Secure Computing Wiki (at www.secure-computing.net)
14:22 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
14:27 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
14:56 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 265 seconds]
15:38 -!- magic_1 [~magic@41.123.147.24] has joined ##openvpn
15:38 -!- magic_1 [~magic@41.123.147.24] has quit [Changing host]
15:38 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
15:56 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 260 seconds]
15:56 -!- magic_1 [~magic@mail.virtuallogistics.co.za] has joined ##openvpn
15:57 -!- magic_1 [~magic@mail.virtuallogistics.co.za] has quit [Changing host]
15:57 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
15:57 -!- jforman [~jforman@unaffiliated/jforman] has joined ##openvpn
15:58 < jforman> if i have the management interface set to a socket (on a linux host), is there anything i need to do on the host to create the socket file, or will openvpn do that upon startup?
16:05 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
16:17 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
16:25 -!- jforman [~jforman@unaffiliated/jforman] has left ##openvpn []
16:31 < krzee> !man
16:31 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
16:32 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:48 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 240 seconds]
17:04 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 246 seconds]
17:04 -!- jwm [~jwm@dev.dist.us] has joined ##openvpn
17:05 < jwm> hi guys, I'm trying to bridge on the client end
17:05 < jwm> and using tap0 both sides
17:05 < jwm> I'd like to bridge on one of my clients the network 192.168.1.x
17:05 < jwm> so my server can see it and can be seen on it
17:06 < jwm> not sure if that is logical
17:06 < jwm> right now I put the openvpn clients on the 192.168.2.x network
17:07 < jwm> was just going to bridge on a openvpn client machine on my lan at home
17:20 -!- jwm [~jwm@dev.dist.us] has left ##openvpn []
17:36 < krzee> is today "answer in under 20min or i leave" day?
17:37 < ScriptFanix> still better than "answer in 30 seconds or i highlight averyone"
17:40 < krzee> depends
17:40 < krzee> that WILL get a fast response
17:40 < krzee> but that response will be a ban
17:40 < krzee> lol
17:43 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Quit: Leaving...]
17:43 < ScriptFanix> :)
18:02 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 276 seconds]
18:44 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
18:47 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 248 seconds]
18:50 -!- Bloodsong [~Nimbus@bas13-toronto12-1167984050.dsl.bell.ca] has joined ##openvpn
18:59 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
19:28 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
19:29 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
19:48 < ecrist> krzee: http://www.secure-computing.net/wiki/index.php/Apple_File_Sharing
19:48 < vpnHelper> Title: Apple File Sharing - Secure Computing Wiki (at www.secure-computing.net)
20:09 < krzee> yup, found it
20:09 < krzee> via search feature
20:14 -!- ajbelayer [~aaron@c-24-9-123-167.hsd1.co.comcast.net] has joined ##openvpn
20:15 < ajbelayer> !welcome
20:15 < vpnHelper> ajbelayer: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:18 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
20:19 < ajbelayer> I would like to use extreme compression with openvpn between 2 sites  in order to effectively increase the bandwidth between them (allowing faster file transfers particularly).  One site has a 7mb DSL (main w/ ovpn server) connection and the other has a 1.5MB Sat (remote, ovpn client) connection.  I have a Quad core 2.8GHz IBM server available on each end to dedicate 100% to processing this compression so processing power is not an is
20:29 < krzee> see --comp-lzo
20:29 < krzee> !man
20:29 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
20:29 < krzee> by default with no args it is adaptive
20:30 < krzee> attempts to be efficient and increase compression levels when needed
20:30 < krzee> but you can set it to always compress more
21:03 -!- tjz [~pc@bb116-14-141-167.singnet.com.sg] has joined ##openvpn
21:03 -!- tjz [~pc@bb116-14-141-167.singnet.com.sg] has quit [Changing host]
21:03 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
21:29 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
21:41 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
21:52 -!- DennisNuel [~matthew@cpe-24-193-231-174.nyc.res.rr.com] has joined ##openvpn
22:04 -!- jwm [~jwm@dev.dist.us] has joined ##openvpn
22:04 < jwm> I've got my vpn network running finally
22:04 < jwm> I'd just like the settings to be automatic from the config heh
22:05 < jwm> !welcome
22:05 < vpnHelper> jwm: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
22:05 < jwm> !route
22:05 < vpnHelper> jwm: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
22:06 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
22:06 < jwm> heh
22:07 < jwm> I just want to do a simple server (no lan) <-> multiple clients with lans of their own
22:07 < jwm> which I accomplished but only by doing my own ifconfig after openvpn is running
22:07 < jwm> I'd like to stop openvpn from assigning ips to the tap adapter on the client machines
22:07 < jwm> since I have them bridged already and with the proper ip
22:59 < krzee> why bridging?
23:00 < krzee> and multiple clients with lans of their own is explained on !route
23:00 < krzee> just dont push the server route
23:01 < krzee> !route wasnt meant to give you something to blindly type in, it was meant to teach you based on a past users needs, so once you learn you can do whatever you need regarding LANs behind openvpn
23:01 < vpnHelper> krzee: Error: "route" is not a valid command.
23:01 < krzee> as far as bridging, unless you need a specific layer2 protocol, you should be using a routed tun
23:15 < jwm> well I've got it working
23:15 < jwm> I just would like to stop openvpn from setting client ips 
23:16 < jwm> I found out the rest
23:16 < jwm> ie I need to setup the bridge and tap interfaces myself manually
23:16 < jwm> which I did do I was just trying to figure out how to write it all down and make it auto hehe
23:17 < jwm> been reading all day on it
23:17 < jwm> I just have a dev server and some developers connecting to it
23:17 < jwm> and we wanted to all be on the same subnet that is all
23:18 < jwm> I also have a work laptop I want to connect
23:18 < jwm> that I'd like to access my home lan from too
23:19 < jwm> I'd like to use broadcasts on the lan also :)
23:19 -!- sage1 [~sage@dsl092-035-022.lax1.dsl.speakeasy.net] has joined ##openvpn
23:21 < sage1> anybody have any idea why i might get 'Authenticate/Decrypt packet error: packet HMAC authentication failed'?  the key files are definitely identical on both ends
23:23 < jwm> same versions of openvpn? :)
23:25 < sage1> not quite. 2.1.0 and 2.1_rc11.  will try upgrading
23:27 < sage1> same now, same problem.
23:30 < jwm> do you also have a server key
23:30 < jwm> tls file
23:31 < krzie> its definitely about the tls file
23:31 < krzie> !hmac
23:31 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
23:31 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
23:31 < krzie> that file is not = on both sides
23:31 < sage1> using a static key.  same md5sum on both ends.
23:31 < krzie> HMAC error is about the tls-auth file
23:31 < krzie> thats the only thing that does HMAC
23:32 < jwm> yeah do you have 0 on server, 1 on client sage1 
23:32 < krzie> he doesnt have a server and client
23:32 < krzie> hes using ptp if he has static keys
23:33 < sage1> yeah, it's ptp.  the line is just 'secret foo.key'
23:34 < krzie> jwm, 
23:34 < krzie> [00:17]  <jwm> and we wanted to all be on the same subnet that is all
23:34 < krzie> you would have been in the same subnet, the vpn subnet (with tun)
23:35 < krzie> the lans would have been their own subnets however
23:35 < krzie> sage1, pastebin your configs
23:35 < krzie> with no comments
23:35 < krzie> !configs
23:35 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
23:39 < sage1> krzie: http://pastebin.com/hqpY0rws
23:39 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:39 < sage1> krzie: it actually seems to be working fine now, but i still see the hmac errors in syslog... :/
23:40 -!- krzee [~k@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
23:57 < krzie> whoa, weird for that machine to go to sleep... its a desktop
23:58 < krzie> even weirder, that error with no tls-auth
23:59 < krzie> i wonder if it uses an HMAC in static key mode as well, since it does have a pre-shared key to sign with...
23:59 < krzie> !mail
23:59 < vpnHelper> krzie: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
23:59 < krzie> that would be a really good question for the mail list
--- Day changed Mon Apr 19 2010
00:00 < krzie> feel free to obfuscate your IP from your configs on the list when you send it if you wanna
00:04 < sage1> thanks!
00:07 -!- sage1 [~sage@dsl092-035-022.lax1.dsl.speakeasy.net] has left ##openvpn []
00:28 -!- krzie [nobody@unaffiliated/krzee] has quit [Ping timeout: 276 seconds]
00:32 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
00:56 -!- demonTormentor [~chatzilla@112.203.118.12] has joined ##openvpn
00:56 < demonTormentor> hi!
00:56 -!- ajbelayer [~aaron@c-24-9-123-167.hsd1.co.comcast.net] has quit [Quit: Leaving.]
00:57 < demonTormentor> how can I remedy this message from openvpn, OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
00:58 < demonTormentor> can i ignore that or i need to install that "--script-security 2'"? Where can i get that?
01:03 < demonTormentor> anyone here?
01:03 < demonTormentor> vpnHelper: can you help me?
01:03 < vpnHelper> demonTormentor: Error: "can" is not a valid command.
01:08 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
01:09 -!- demonTormentor_ [~chatzilla@112.203.118.12] has joined ##openvpn
01:11 -!- demonTormentor [~chatzilla@112.203.118.12] has quit [Ping timeout: 276 seconds]
01:11 -!- demonTormentor_ is now known as demonTormentor
01:17 -!- demonTormentor_ [~chatzilla@112.203.118.12] has joined ##openvpn
01:21 -!- demonTormentor [~chatzilla@112.203.118.12] has quit [Ping timeout: 258 seconds]
01:21 -!- demonTormentor_ is now known as demonTormentor
01:22 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
01:29 < krzee> demonTormentor, thats not an error, it is a warning
01:29 < krzee> if you are not calling external scripts ignore it
01:29 < krzee> if you are, see --script-security in the manual
01:29 < krzee> !man
01:29 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
01:30 < demonTormentor> krzee: tnx for the response. I guess not, I just need to connect to my vpn server
01:30 < krzee> !goal
01:30 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:30 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:30 -!- mode/##openvpn [+o mattock] by ChanServ
01:32 < demonTormentor> krzee: can i test accessing my openvpn server from within the same domain?
01:33 < Bushmills> indeed does that warning not make a lot of sense without --up/down/client-connect/disconnect etc  in the config
01:34 < Bushmills> why warn about a requirement which doesn't apply?
01:36 < demonTormentor> that's right
01:41 < demonTormentor> what can these logs mean? I still can't connect
01:42 < Bushmills> may eveb be counterproductive: i could imagine that users exist, who set script-security for no other reason than to get rid of the warning - thereby unnecessarily reducing system security
01:42 < demonTormentor> http://pastebin.com/xR6fq94m
01:51 -!- demonTormentor [~chatzilla@112.203.118.12] has quit [Read error: Connection reset by peer]
01:54 < krzee> Bushmills, agreed
02:12 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 260 seconds]
02:14 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
02:29 < krzee> !tcp
02:29 < vpnHelper> krzee: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
02:36 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
02:41 < insane^> should tcp be avoided?
02:41 < insane^> i trust tcp much more than "fireandforget" udp
02:41 < krzee> did you read the above links?
02:42 < insane^> i will, kk :)
02:42 < krzee> you had a free one there, the bot giving the links sparked your interest without you thinking of the question
02:42 < krzee> hehe
02:42 < insane^> ah i think ip ip tunneling... mtu related
02:42 < insane^> ... reading
02:43 < krzee> first link is more technical, second is for non-techs
02:51 -!- guy_ [~guy@bzq-79-177-42-16.red.bezeqint.net] has joined ##openvpn
02:53 < guy_> I've managed to setup openvpn local (behind a NAT/modem), however when trying to connect remotely to the machine I get the following error: (client): http://zpaste.org/22192  (server): http://zpaste.org/22193
02:54 < guy_> I've set port forwarding in my modem to be transfer everything on port 6969 (openvpn server port) to 10.0.0.1 (my eth0 address), should it be to my openvpn address ? (172.16.0.1)
03:00 < theDoc> Which ip are you listening on? 10.0.0.1 or 172.*?
03:00 < theDoc> Set it to what you are listening on.
03:07 < krzee> what verb is that?
03:08 < krzee> is it UDP you are forwarding in your NAT?
03:09 < krzee> Mon Apr 19 10:49:28 2010 us=596326 /sbin/ifconfig tun0 0.0.0.0
03:09 < guy_> krzee: I'm using prot udp and openvpn is listening on 172.16.0.1
03:10 < krzee> im just saying be sure your nat is for udp in the router ;]
03:10 < guy_> what do you mean ?
03:10 < krzee> [03:54]  <guy_> I've set port forwarding in my modem to be transfer everything on port 6969 (openvpn server port) 
03:11 < krzee> make sure its udp you are forwarding
03:11 < theDoc> or you can be real classy and forward all traffic/protocol to that ip ;p
03:11 < krzee> and use verb 5 instead of verb 9 pls
03:11 < krzee> hah
03:11 < guy_> theDoc: I've set all tcp/udp on port 6969 to get forwarded to 172.16.0.2
03:11 < krzee> or not
03:12 < krzee> guy_, what is the routers ip?
03:12 < guy_> 10.0.0.138
03:12 < krzee> then use the 10.0.0.x address to forward the port to
03:13 < krzee> !configs
03:13 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
03:13 < guy_> krzee: my eth0 IP is 10.0.0.1, my tun0 IP is 172.16.0.1, should I forward to 10.0.0.1 then?
03:13 < guy_> Ah, sure, 1s
03:13 < krzee> correct
03:14 < guy_> server: http://zpaste.org/22202
03:14 -!- dazo_afk is now known as dazo
03:14 < krzee> openvpn is running on 10.0.0.138 handing out 172.16.0.2
03:14 < guy_> krzee: no, openvpn is running on my box(10.0.0.1), the modem/router is 10.0.0.138
03:15 < krzee> ok
03:15 < krzee> openvpn is running on 10.0.0.1 handing out 172.16.0.x
03:15 < krzee> better =]
03:15 < guy_> Yes.
03:15 < krzee> why 255.255.0.0?
03:15 < guy_> Why not ?
03:16 < krzee> too big of a pool
03:16 < guy_> I'll set it to 255.255.255 afterwards, but I wonder now why it doesn't work :/
03:16 < krzee> also any client joining this lan from 172.16.0.x will have routing issues
03:17 < krzee> i cant read those errors well, too much debug
03:17 < krzee> but i THINK thats too big of a subnet
03:17 < krzee> i know there is a limit
03:17 < krzee> might not be tho
03:17 < krzee> it would say in logs
03:17 < krzee> but either way
03:17 < krzee> your port forward was bad
03:18 < krzee> fix it and retest
03:18 < guy_> I did:/
03:18 < krzee> verb 5, smaller pool
03:18 < guy_> kk
03:18 < krzee> you using 2.1.1?
03:18 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has joined ##openvpn
03:19 < guy_> I've set the subnet to 255.255.255.0
03:19 < guy_> Here's the server log http://zpaste.org/22207
03:20 < krzee> are you just HUP ing?
03:20 < guy_> What do you mean ?
03:20 < krzee> kill it all the way
03:20 < krzee> then start it
03:21 < krzee> what are you doing to restart it? kill -HUP?
03:21 < guy_>  Ah, no. /etc/init.d/openvpn restart
03:27 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
03:29 < guy_> krzee: any idea?
03:29 < krzee> still waiting on new log
03:30 < guy_> ?
03:30 < guy_> I gave you the log :\
03:30 < krzee> i told you to kill it, start it fresh
03:30 < krzee> now i need a new log ;]
03:30 < guy_> kill -9 `pidof openvpn` ?
03:30 < krzee> yup
03:31 < krzee> or im sure that same script would work
03:31 < krzee> with stop instead of restart
03:31 < guy_> http://zpaste.org/22212
03:32 < krzee> theres no problem
03:32 < krzee> client log now?
03:32 < guy_> sure, 1s.
03:33 < krzee> and tail server log
03:33 < krzee> see if when client connects server sees it
03:33 < krzee> if not its either port forwarding or firewall on server or router
03:34 < guy_> client: http://zpaste.org/22213
03:34 < guy_> It doesn't sees it
03:34 < krzee> firewall or port forward
03:34 < guy_> No change in the log whatsoever
03:34 < krzee> not openvn related
03:35 < krzee> vpn*
03:35 < guy_> Mmmm, how should I fix it then? I've set the port forwarding :/
03:35 < krzee> check the server for a firewall on the os
03:35 < krzee> windows?
03:35 < krzee> nope linux
03:35 < guy_> openvpn is running on my ubuntu :/
03:35 < krzee> !linfw
03:35 < vpnHelper> krzee: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
03:36 < guy_> krzee: It worked inside my LAN, I don't think I have any iptables configuration at all
03:37 < krzee> then its your port forward dude
03:37 < guy_> :\
03:37 < krzee> this is basic networking
03:38 < guy_> I know, I've set it to what you told me, how can this be then?:/
03:39 < krzee> maybe your ISP doesnt allow it
03:39 < krzee> the traffic on whatever port
03:39 < krzee> cause SOMETHING is blocking it or not port forwarding it
03:39 < krzee> ill be coding a shell script
03:39 < guy_> Yeah, figured :/
03:39 < guy_> ?
03:41 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
03:42 < krzee> lemme know when you get that part solved and can get data to the port
03:42 < krzee> its either being blocked or not forwarded
03:43 < krzee> check both sides for firewalls, check you are forwarding right, try other ports, try tcp if you have to
03:43 < krzee> if tcp works and udp not, try udp 53
03:45 -!- StewartW [~stewart@213.152.254.36] has joined ##openvpn
03:45 < guy_> kk, gotta leave for sometime, thanks anywho :)
03:46 -!- StewartW [~stewart@213.152.254.36] has quit [Remote host closed the connection]
03:52 -!- demonTormentor [~chatzilla@112.203.118.12] has joined ##openvpn
03:55 -!- guy-_ [~guy@bzq-79-180-33-200.red.bezeqint.net] has joined ##openvpn
03:58 -!- guy_ [~guy@bzq-79-177-42-16.red.bezeqint.net] has quit [Ping timeout: 276 seconds]
04:02 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
04:38 -!- DennisNuel [~matthew@cpe-24-193-231-174.nyc.res.rr.com] has quit [Read error: Connection reset by peer]
04:44 -!- DennisNuel [~matthew@cpe-24-193-231-174.nyc.res.rr.com] has joined ##openvpn
04:53 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
04:55 < demonTormentor> hi, can I try connecting to a VPN server if I'm already inside the servers' dmoain?
05:01 < mwheeler> domain, what type of domain?
05:03 < krzee> demonTormentor, depends on the setup
05:03 < krzee> assuming by domain you mean LAN
05:03 < demonTormentor> yes, i'm in the same network, ISP as the server
05:04 < demonTormentor> I'm trying to test the connection to my server (It won't connect) i'm just making sure being in one lan/isp is not the issue.
05:04 < krzee> see topic
05:04 < krzee> second part
05:05 < krzee> LAN is not same as ISP
05:05 < krzee> LAN is your house
05:05 < krzee> ISP is the internet
05:05 < krzee> they can block however they want, but much more likely that you are
05:07 < krzee> (this is for me)
05:07 < krzee> !winpath
05:07 < vpnHelper> krzee: Error: "winpath" is not a valid command.
05:07 < krzee> !factoids search path
05:07 < vpnHelper> krzee: "path" is always use full paths in your config file, it makes things easier
05:07 < krzee> !factoids search win
05:07 < vpnHelper> krzee: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', 'win7', 'winnat', 'win_ipfail', 'win2k8', 'sudowin', and 'win_tcplimit'
05:07 < krzee> bleh
05:07 < krzee> !howto
05:07 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
05:08 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:08 < demonTormentor> so if i'm in one LAN with the openvpn server, can this result for OpenVPN client failing to connect to the OpenVPN server?
05:11 < krzee> nope, but depending on config it would lose all connectivity after
05:12 < krzee> as i said
05:12 < krzee> look at the topic, section 2
05:12 < krzee> your problem is a firewall
05:12 < krzee> possibly on the computer itself
05:21 -!- demonTormentor [~chatzilla@112.203.118.12] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.9/20100315083431]]
05:25 -!- uchimata [~uchimata@HSI-KBW-095-208-192-010.hsi5.kabel-badenwuerttemberg.de] has quit [Ping timeout: 252 seconds]
05:29 -!- uchimata [~uchimata@HSI-KBW-095-208-192-010.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
05:29 < DennisNuel> I am connecting three LANs using tun and open vpn I can connect but The client cannot see the servers LAN but the server can see all of the Clients LANs
05:30 < krzee> !route
05:30 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
05:30 < krzee> that happens to be an example, with 3 lans
05:30 < krzee> sounds like you need: on the servers router
05:30 < krzee> !factoids search outside
05:30 < vpnHelper> krzee: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
05:31 < krzee> or maybe you didnt push the server lan
05:31 < krzee> either way, read !route
05:38 -!- uchimata [~uchimata@HSI-KBW-095-208-192-010.hsi5.kabel-badenwuerttemberg.de] has quit [Ping timeout: 248 seconds]
05:40 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Read error: Connection reset by peer]
05:41 < mwheeler> krzee: that graph could be improved with some subnet masks :>
05:41 < mwheeler> that said, I'm too lazy
05:41 < krzee> you ping subnet masks?
05:42 < krzee> its just following the path of a icmp packet
05:42 < krzee> along a route
05:42 < mwheeler> No, but that graph is a tad bit confusing. I first interepted it as /8 
05:42 < mwheeler> until I worked out what it was trying to illustrate 
05:43 < krzee> hrm, noted
05:43 < krzee> the ips match with !route
05:43 < mwheeler> ah :>
05:44 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
05:46 -!- uchimata [~uchimata@HSI-KBW-095-208-192-010.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
06:43 < ecrist> krzee: unix systems are case sensitive, HFS simply has an option to make the file system case insensitive
06:46 -!- Bloodsong [~Nimbus@bas13-toronto12-1167984050.dsl.bell.ca] has quit [Quit: Leaving]
06:49 < DennisNuel> this is killing me
06:50 < DennisNuel> all of the settings look correct and i still cannot see the servers lan
06:51 < DennisNuel> i am running openvpn from the router
06:52 < mwheeler> traceroute is your friend :>
06:54 < DennisNuel> hmm gets to 10.8.0.1 then nothing
06:54 < mwheeler> and from the other side?
06:58 < DennisNuel> goes through 10.8.0.6 to 192.168.12.100(computer i am using)
06:59 < mwheeler> Can you draw a diagram of what you are going to achieve. I don't understand your goal as of yet
07:00 < DennisNuel> it is exactly like the diagram http://www.secure-computing.net/wiki/index.php/Graph without the client to client
07:00 < vpnHelper> Title: Graph - Secure Computing Wiki (at www.secure-computing.net)
07:01 < DennisNuel> All of the clients and servers are running on the gateway routers.
07:01 < mwheeler> without the client to client?
07:02 < DennisNuel> only really need to see the servers LAN from each client
07:02 < mwheeler> so where were you pinging ?
07:02 < mwheeler> *tracing
07:03 < DennisNuel> I am pinging from the client 192.168.12.1 to a computer on the LAN 192.168.10.1
07:03 < DennisNuel> sorry 192.168.133
07:04 < DennisNuel> sorry 192.168.10.133
07:04 < DennisNuel> have been working on this for two days straight
07:04 < mwheeler> subnet /24 ?
07:04 < DennisNuel> yes
07:05 < mwheeler> Sorry, but I'm still not understanding your topolodgy, maybe I've been drinking....
07:09 < DennisNuel> I have two tomatovpn three tomato routers pointed at each other one is a server the other two are clients.
07:09 < DennisNuel> disregard the two i am running on 3 hours of sleep in 2 days
07:10 < mwheeler> Well, I would put it down to a routing issue
07:10 < DennisNuel> I would too
07:11 < DennisNuel> Nothing I have tried has worked and all of the documentation I have found has told me I my settings are correct.
07:11 < mwheeler> https://bubbl.us/beta/
07:11 < vpnHelper> Title: bubbl.us 2.0 beta - free web application for brainstorming online (at bubbl.us)
07:12 < mwheeler> Put exact interface names and ip addresses
07:12 < mwheeler> with subnet masks
07:13 < DennisNuel> great flash
07:13 < DennisNuel> 64 bit linux 
07:13 < DennisNuel> flash apps don't work well with it
07:14 < mwheeler> flash apps don't work well at all :P
07:14 < DennisNuel> this is true
07:15 < DennisNuel> ok now it works ?
07:15 < mwheeler> it does?
07:16 < mwheeler> DennisNuel: I'll have your openvpn anyday over my asterisks problem
07:19 < DennisNuel> asterisks can be a bitch but at least i know about 20 people who use it professionally
07:19 < DennisNuel> There is also better documentation.
07:23 < DennisNuel> Just be glad its not a Vodavi IP-PBX
07:24 < DennisNuel> I still want to go to Phoenix rotten fish in there offices.
07:25  * mwheeler used to admister an old NEAX 7400 PABX
07:25 < mwheeler> that thing was scary
07:26 < DennisNuel> I hate it when you have to work on a system and there are features in the manual that don't even work.
07:26 < mwheeler> The stuff I want to do is too hard for me to bother with, so I let freepbx do it. Bt freepbx will just not run on this machine -_-
07:26 < mwheeler> I knew features that weren't in the manual :P
07:27 < DennisNuel> its provably a better product
07:27 < mwheeler> wonderful beast
07:27 < mwheeler> state of the art for it's time
07:27 < DennisNuel> Vodavi makes out right defective product.
07:27 < mwheeler> considering it's age, and it's still running is amazing
07:28 < mwheeler> it's denisity for the time was amazing, and awesome software
07:29 < mwheeler> I <3 the developers work
07:29 < mwheeler> So advanced, it logged fuses blowing
07:30 < DennisNuel> That is pretty impressive.
07:30 < mwheeler> Deep down I miss admistering that babe
07:32 < mwheeler> NEC still has maintance contracts fro them
07:36 < mwheeler> fuck
07:36 < mwheeler> the cards are on ebay for $2000 each
07:36 < mwheeler> at my old work we were ready to through a whole heap
07:42 < guy-_> I solved the blocking problem :)
07:43 < mwheeler> meh, you guys should be watching the shuttle landing 
07:43 < guy-_> Which shuttle ?
07:43 < mwheeler> http://www.nasa.gov/55644main_NASATV_Windows.asx
07:43 < vpnHelper> Title: NASA TVNASA TV (at www.nasa.gov)
07:43 < mwheeler> discovery 
07:44 < guy-_> Doesn't seem to work on FF/vlc
07:44 < guy-_> Ah, wait, it does
07:44  * mwheeler is watching it using gstreamer
07:44 < mwheeler> I think
07:44 < guy-_> VLC ftw 
07:45 < guy-_> I don't see anything special ? Just some room w/ some maps and someother stuff I don't recognize ?
07:45 < mwheeler> hehe
07:45 < mwheeler> 32 minutes till de orbit burn
07:46 < guy-_> Their system seem to be old as a turtle
07:48 < guy-_> Woo, some sort of voice (:
07:51 < mwheeler> Do you really want NASA running on flash?
07:51 < guy-_> Not really (:
08:18 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
08:26 -!- wimpog [~wimpog@75.150.76.189] has joined ##openvpn
08:26 < wimpog> what's the difference between a regular VPN and L2TP?
08:27 < ecrist> !google what's the difference between a regular VPN and L2TP
08:27 < vpnHelper> ecrist: Internetworking Technology Handbook - Virtual Private Networks ...: <http://www.cisco.com/en/US/docs/internetworking/technology/handbook/VPN.html>; L2TP VPN issue in Vista SP1: <http://social.technet.microsoft.com/Forums/en/itprovistanetworking/thread/a825640e-9be2-4ce1-8776-ad2915d5bdbd>; What is the difference between VPN and VPN pass-through?:
08:27 < vpnHelper> ecrist: <http://searchnetworking.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid7_gci917257,00.html>
08:28 < ecrist> wimpog ^^^
08:28 < insane^> !route
08:28 < vpnHelper> insane^: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:30 < wimpog> when a VPN is not L2TP, what is it then?
08:34 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
08:35 -!- notbrien [~notbrien@208.82.13.214] has quit [Read error: Connection reset by peer]
08:35 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
08:37 < insane^> i got a vpn server which provides dynamic ips to the clients. how can i configure a linux client to route  traffic from the private network behind him through the vpn. server private network is 192.168.100.0/24 , private one is 192.168.1.0/24. the vpn server gives out ips from 192.168.66.0/24
08:37  * insane^ is confused
08:41 < Bushmills> insane^: your clients routes *to* server. that ip address is fixed
08:41 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Quit: Leaving...]
08:41 < Bushmills> for all traffic, read:
08:41 < Bushmills> !redirect
08:41 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
08:42 < insane^> i dont want to redirect the gate
08:42 < insane^> only to access the corporate lan from my private lan
08:42 < wimpog> when a VPN is not L2TP, what is it then?
08:42 < Bushmills> redirect-gateway sets a host router to server
08:42 < Bushmills> ah.
08:43 < Bushmills> !route
08:43 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:43 < Bushmills> !factoids search lan2lan
08:43 < vpnHelper> Bushmills: No keys matched that query.
08:43 < Bushmills> !factoids search lantolan
08:43 < vpnHelper> Bushmills: No keys matched that query.
08:44 < insane^> already googling :)
08:48 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
09:08 -!- blueboxthief [~None_of_y@86-43-219-42-dynamic.b-ras2.bbh.dublin.eircom.net] has joined ##openvpn
09:10 -!- rebry [~nnscript@ti0019a380-1265.bb.online.no] has joined ##openvpn
09:13 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:14 -!- wimpog [~wimpog@75.150.76.189] has quit [Quit: wimpog]
09:17 -!- Bloodsong [~Nimbus@bas2-barrie18-1242454821.dsl.bell.ca] has joined ##openvpn
09:20 -!- rebry [~nnscript@ti0019a380-1265.bb.online.no] has quit [Ping timeout: 258 seconds]
09:28 -!- DennisNuel [~matthew@cpe-24-193-231-174.nyc.res.rr.com] has quit [Quit: Leaving]
09:43 -!- bakermd [~bakermd@38.104.0.102] has joined ##openvpn
09:44 < bakermd> Anyone know how to get the Windows client to output a logfile?  i.e. the gui?
09:44 -!- Guest93590 is now known as redfox
09:45 -!- redfox is now known as Guest17687
09:45 -!- Guest17687 is now known as redfox
09:48 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:12 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
10:24 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
10:39 < Bloodsong> Hmm, while using the Gui...
10:40 < Bloodsong> I've never tried that.
10:45 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 246 seconds]
10:58 < bakermd> One of my users says that they put in their password and the client just goes back to Disconnected... 
10:59 < bakermd> I can log into the account just fine, and the password is mainly the user's last name, and is a password they use for another system, so I am pretty sure it is being entered correctly
11:05 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
11:06 < dazo> bakermd: you could always try to use 'log <filename>' in the config file 
11:07 < dazo> (but might be the GUI overriding with it's own --log entry via the command line when it starts openvpn, I dunno
11:07 < dazo> )
11:10 -!- WormFood [~wormfood@58.60.223.28] has joined ##openvpn
11:10 < WormFood> I've discovered that if I try to push more than 30 routes, things don't work...is this a client or server issue, and can I recompile with a different setting to work around that problem?
11:11 < WormFood> if I try to push 31 routes, I get "SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)", and no routes get added/pushed
11:15 -!- macsppadic [~sonupunno@82.109.74.162] has left ##openvpn []
11:15 < Bushmills> afaik, it is a matter of total number of chars, not of number of routes
11:17 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Ping timeout: 276 seconds]
11:19 < dazo> WormFood: iirc, you can push maximum 2048 bytes to the client
11:19 < WormFood> aaahhh
11:20 < dazo> WormFood: that was increased from 1024 in 2.1_rc17
11:20 < WormFood> so that is a server setting?
11:20 < WormFood> I really want to push about 800 routes
11:20 < dazo> 800 routes!?!?!?
11:21 < WormFood> hahaha
11:21 < WormFood> yeah
11:21 < WormFood> sounds totally insane, eh?
11:21 < dazo> no, it's not a server setting ... it's a compile time setting ... but I honestly doubt you'll manage to stretch the PUSH implementation to such amounts
11:21 < dazo> yeah, that *is* insane, if you ask me
11:22 < WormFood> yeah, I don't expect to be able to push that many routes
11:22 < WormFood> it isn't insane, when you understand why...
11:22 < WormFood> I'm in China...I want to route all non-chinese IPs over the VPN, and leave the chinese IPs over the local network
11:23 < WormFood> and there are 800 some odd chinese subnets allocated
11:24 < WormFood> 866
11:24 < WormFood> so, I'll probably route EVERYTHING over the vpn, except for a few select subnets (some sites here don't work well with foreign addresses, like QQ (or so I'm told))
11:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:25 -!- blueboxthief [~None_of_y@86-43-219-42-dynamic.b-ras2.bbh.dublin.eircom.net] has quit [Quit: Leaving.]
11:28 < dazo> WormFood: I'd probably try a completely different approach ... I'd let the OpenVPN handle the easy stuff ... then I'd write an own "configure routes client" ... which pulls down all subnets via another protocol (might even be DNS or HTTP, if that could work) ... and let this client do the heavy duty routing stuff ... this client could be started via a script-hook in openvpn ... f.ex --route-up
11:28 < WormFood> yeah, I have a script that will do this
11:29 < WormFood> but I will probably take the easiest route, and simple route everything over the vpn
11:29 < WormFood> maybe make that approach (of hooking a shell script) an option
11:29 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:30 < WormFood> in fact, I was thinking of running 2 instances of openvpn server...with one that pushes the default route, and one that pushes selected routes, but I don't want to do that either....i think your suggestion is the right way to do it (and I had already thought about that)...thanks for confirming
11:32 < Hypnoz> WormFood: I just joined the chan, what was the suggestion to your issue? I have had that same need occasionally as well.
11:33 < WormFood> Hypnoz, I want to push about 866 routes
11:33 < Hypnoz> :O
11:33 < WormFood> but using openvpn to push that many routes really isn't viable, so it was suggested to make a script to do that, then hook to that script from openvpn client
11:34 < WormFood> Hypnoz, surprised? you don't have that many networks you want to route?
11:35 < Hypnoz> 50 person startup with about 300 pieces of equip in our datacenter...  nah not yet but maybe one day :)
11:35 < dazo> WormFood: have actually tried to add 800 routes on a decent computer?  Just to see that it really will work out well?
11:36 < WormFood> it should work out ok
11:36 < dazo> Hypnoz: WormFood have counted that there are 866 Chinese ISP networks ... which should not be routed via VPN ... then you probably get the idea
11:36 < Hypnoz> WormFood: Are all the routes in the same range, like could you just push 10.0.0.0/8
11:36 < WormFood> I mean, it is not like we're running on 8088 CPUs anymore
11:37 < dazo> WormFood: well, routes to use kernel memory .... even though it's binary, kernel space is still limited ... another thing is if it goes into memory, what about the performance afterwards?
11:37 < WormFood> yeah, that is true. I hadn't thought about that
11:37 < WormFood> this will be mostly on winblows
11:38 < WormFood> I don't know how that will handle it
11:38 < dazo> (searching for the right gateway in such a big routing table do take CPU cycles, even though being efficiently parsed)
11:38 < WormFood> under Linux, I just want to route a handfull of route
11:38 < WormFood> you know, you can download a list of all the subnets and what country they go to?
11:39 < WormFood> http://ftp.apnic.net/apnic/dbase/data/country-ipv4.lst
11:40 < dazo> I didn't know that ... but I'm not surprised :)
11:41 < Bushmills> wgetting such a list when connection to VPN is done may be more effective+
11:41 < Bushmills> (wgetting for the aspect of central administration, what is probably intended to by pushing it)
11:41 -!- guy-_ [~guy@bzq-79-180-33-200.red.bezeqint.net] has quit [Ping timeout: 246 seconds]
11:42 < WormFood> I'm thinking maybe 866 routes will simply be too much
11:42 < WormFood> probably better to just reroute problem addresses, and let everything else go through the vpn
11:45 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
11:48 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
11:51 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
11:56 < Mythmon> trying to wrap my head around key revoking: if i have a crl.pem file that is empty, it should not drop any connections, correct?
12:10 < Mythmon> ah. nevermind. for some reason openvpn can't read the crl.pem files... even though its world readable... :(
12:23 -!- mgolisch [~michi@85.93.11.18] has joined ##openvpn
12:29 < mgolisch> is there any magic option is need to specify for openvpn to respect pushed dns settings?
12:30 < Mythmon> mgolisch: on windows? or something else?
12:30 < mgolisch> its linux
12:30 < Mythmon> you have to use an up and down script, because linux won't automatically do it
12:31 < Mythmon> most packages include one, and then you just have to add up <script> and down <script> to your client config files
12:33 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
12:34 < mgolisch> hm
12:34 < mgolisch> seems odd
12:34 < mgolisch> why doenst it do that on its own?
12:35 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 252 seconds]
12:39 < Mythmon> i don't know.
12:42 -!- magic_1 [~magic@41.123.149.33] has joined ##openvpn
12:44 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
12:44 < mgolisch> anyways works
12:44 < mgolisch> thx
12:47 -!- AgentKGB [~e18925@pool-96-244-150-106.bltmmd.fios.verizon.net] has joined ##openvpn
12:47 -!- pa_ [~pa@host179-1-dynamic.61-82-r.retail.telecomitalia.it] has joined ##openvpn
12:49 < mgolisch> is there a way to start openvpn as non admin?
12:49 < mgolisch> on vista/win7?
12:50 < mgolisch> for xp it was enough to make the users member of the network confoguration operators group
12:50 < mgolisch> but that doenst work no more on vista/win7
12:50 < mgolisch> any ideas on howto get openvpn working without the user beeing admin?
12:51 -!- blueboxthief [~None_of_y@83.71.0.204] has joined ##openvpn
12:53 -!- magic_1 [~magic@41.123.149.33] has quit [Changing host]
12:53 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
12:57 < dazo> mgolisch: the reason for DNS push working on Windows only without any extra scripts, is that the Windows implementation uses DHCP requests from the TUN/TAP adapter
12:58 < dazo> mgolisch: while on Linux/OSX/*BSD/*nix ... it configures only the TUN/TAP adapter directly, without use of DHCP .... thus no OS dependent modules are involved in preparing the network, except basic IP address, netmask and routes
12:59 < mgolisch> i see
13:00 < mgolisch> why doenst windows have sudo :(
13:00 < dazo> mgolisch: having that said ... there has been some development discussions about how to change that more easily .... but what makes it difficult, is that there's almost as many solutions as there are Linux distributions ... and not one united solution as in Windows
13:00 < dazo> mgolisch: it does .... it's called "runas" ;-)
13:00 < dazo> (even from command line, I belive
13:00 < dazo> )
13:00 < mgolisch> yeah but it requires the password of the account
13:01 < dazo> ahh ... true ... runas == su ...
13:01 < mgolisch> service wrapper wont work either as i need to use user authentication
13:01 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
13:02 < mgolisch> i wonder what my options are to get it working on vista/win7 without admin
13:03 < dazo> mgolisch: don't have too high expectations yet ... d12fk is doing some work on the windows GUI, iirc ... he might have some clues
13:05 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 268 seconds]
13:07 -!- magic_1 [~magic@41.123.149.33] has joined ##openvpn
13:07 -!- magic_1 [~magic@41.123.149.33] has quit [Changing host]
13:07 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
13:09 -!- dazo is now known as dazo_afk
13:10 -!- unimatrix [~unimatrix@93-103-14-47.static.t-2.net] has quit [Ping timeout: 260 seconds]
13:12 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 265 seconds]
13:12 -!- magic_1 [~magic@41.123.183.9] has joined ##openvpn
13:16 -!- magic_1 [~magic@41.123.183.9] has quit [Read error: Connection reset by peer]
13:16 -!- magic_1 [~magic@41.123.190.159] has joined ##openvpn
13:26 < Bushmills> mgolisch: question could be, more correctly, "why does mgolisch have windows"  :P
13:27 -!- unimatrix [~unimatrix@93-103-14-47.static.t-2.net] has joined ##openvpn
13:28 -!- DarthGandalf is now known as DarthGandalf|BNC
13:32 -!- Bloodsong [~Nimbus@bas2-barrie18-1242454821.dsl.bell.ca] has quit [Quit: Leaving]
13:33 < mgolisch> actualy i dont have windows at home, doenst change the fact i dont want to give our sales ppl admin account for vpn on their laptops
13:36 < Mythmon> mgolisch: clearly you just need to give your sales people linux :P (*shudder*)
13:38 < rob0> That's not really such a radical idea. It's just that FUD is very powerful, and capable administrators are needed but hard to find.
13:39 < mgolisch> will get ugly when it comes to software and stuff
13:39 -!- blueboxthief [~None_of_y@83.71.0.204] has quit [Ping timeout: 276 seconds]
13:44 -!- blueboxthief [~None_of_y@83-71-4-64-dynamic.b-ras1.dbn.dublin.eircom.net] has joined ##openvpn
13:45 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Quit: I am off]
13:45 -!- bakermd [~bakermd@38.104.0.102] has quit [Quit: bakermd]
13:46 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
13:48 -!- magic_1 [~magic@41.123.190.159] has quit [Ping timeout: 246 seconds]
13:49 -!- dmz [~dmz@64.203.207.101.dyn-cm-pool-54.hargray.net] has quit [Quit: Ex-Chat]
13:52 < Hypnoz> is anyone familiar with "ccd-exclusive"? I've heard you can create this folder, and put files with only the common names of clients allowed to connect, all other connecting clients will be denied
13:58 < rob0> s/folder/directory/ , and yes, I use that, and it is described in the man page.
14:00 < Hypnoz> can you show me the lines for how you implemented it in your server.conf?
14:03 < rob0> "client-config-dir clients" and "ccd-exclusive"
14:04 -!- magic_1 [~magic@41.123.189.229] has joined ##openvpn
14:04 < Hypnoz> rob0: then create an empty file for each common name that is allowed to connect?
14:05 < |Mike|> !ccd
14:05 < vpnHelper> |Mike|: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
14:05 < Hypnoz> |Mike|: thx but that didn't really answer my question, if the file could be empty and still be used to restrict access
14:05 < rob0> Empty would work, but most of mine are non-empty, containing client-specific stuff.
14:06 < Hypnoz> rob0: Interesting. What kind of info do you put in the file? I've only used iroute
14:06 < Hypnoz> rob0: can you restrict what subnet or IP's a client is able to connect to from their file?
14:09 -!- magic_1 [~magic@41.123.189.229] has quit [Ping timeout: 264 seconds]
14:09 < rob0> I put in routes I want to push, and in some cases push redirect-gateway
14:10 < Hypnoz> rob0: So you don't push any routes from server.conf, only from the individual CCD files? I wonder if I could push a few /32 routes to restrict a client to only see certain IP's
14:12 < rob0> If the person running the client knows networking, s/he could add whatever routes are desired and delete undesired routes you pushed.
14:13 < Hypnoz> rob0: hmm ya good point
14:14 < Hypnoz> rob0: thanks for the tips I have some new things to try out. Btw, do you use crl-verify to revoke certs or do you just remove the common name file from ccd and forget about revoking certs?
14:16 -!- cjm [~cjm@adsl-99-55-121-198.dsl.scrm01.sbcglobal.net] has joined ##openvpn
14:20 < cjm> !welcome
14:20 < vpnHelper> cjm: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:21 < cjm> !goal
14:21 < vpnHelper> cjm: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:24 -!- magic_1 [~magic@41.123.189.229] has joined ##openvpn
14:24 -!- magic_1 [~magic@41.123.189.229] has quit [Changing host]
14:24 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
14:26 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:26 < rob0> I have not needed to revoke a certificate yet, so I never bothered setting up --crl-verify. But indeed, ccd-exclusive makes a CRL less important, depending what else the cert might be used for, of course.
14:28 < Hypnoz> rob0: Say there was a request to revoke a clients rights to connect to the vpn right now. Do you think you would simply remove the file from your ccd directory and be done with it?
14:32 < cjm> My first goal is remote users able to connect to group LAN.  MOSTLY they will be simulating romaing profiles, but doing so with UNISON and on request, not on login. The reasoning is, of course, to mitigate lost/stolen remote computers.  For the time being, I only need to consider UNISON.
14:32 < cjm> I have some pretty basic questions that appear as I read http://openvpn.net/index.php/open-source/documentation/howto.html
14:32 < vpnHelper> Title: HOWTO (at openvpn.net)
14:33 < cjm> For example, does the "server" statement create a server with the specified IP or simply indicate that one is to be found there?
14:34 < cjm> And does the server dish out the IP addresses or do I rely on the DHCP server at the remote LAN to do so?
14:35 < cjm> Can I BOTH dev tun and dev tap?
14:40 < Bushmills> yes, just run openvpn twice
14:41 < Bushmills> it is openvpn, assigning ip addresses  
14:42 < Bushmills> server statement informs server what subnet to make use of.
14:43 < Bushmills> can't "create" a server with the specified ip address because you don't specify an ip address. instead, you specify a subnet
14:44 -!- [mutex]__ [~portn0k@168-103-249-104.clsp.qwest.net] has quit [Ping timeout: 246 seconds]
14:44 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 276 seconds]
14:45 -!- Hypnoz1 [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
14:46 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Quit: Leaving.]
14:46 -!- Hypnoz1 [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Client Quit]
14:46 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
14:47 -!- [mutex]__ [~portn0k@97-112-135-231.clsp.qwest.net] has joined ##openvpn
14:48 < Hypnoz> openvpn hates my laptop. Connecting with any persons cert files always produces "read UDPv4 [ECONNREFUSED]: Connection refused (code=111)" on my machine
14:49 < havoc> that's usually a FW issue on the client side
14:49 < cjm> Bushmills, Thanks very much.  This is very helpful as I continue to push through this stuff.
14:49 < Hypnoz> I have several other openvpn connections open already
14:49 < Hypnoz> its just this one connection...
14:49 < havoc> very odd then
14:49 < Hypnoz> yeah
14:49 < havoc> as I said, "usually"
14:52 < cjm> If I have dynamic ip on BOTH sides, and one side changes, does the changed side take the initiative to tell the other side of his new address?
14:52 < Bushmills> when server ip changes, client can't reconnect
14:52 < Bushmills> after all, you specify host name or server ip address in client config
14:54 < Bushmills> once TTL of server ns record hsa expired (assuming zone file has been updated with new ip address), can client connect again 
14:55 < cjm> Bushmills, Yes.  I see.  And the calls are one way in?  But doesn't the sesrver necessarily know the last known good IP for that client?  Is it theoretically possible for the server to re-establish connection, or is there something that I don't yet understand?  Obviously, there are practical considerations, like, "It isn't implemented."
14:56 < Bushmills> client calls in. server grants (or doesn't) permission to connect.
14:57 < Bushmills> i suppose the idea is that server sits on static ip address
14:59 -!- magic_1 [~magic@41.123.189.229] has joined ##openvpn
14:59 -!- magic_1 [~magic@41.123.189.229] has quit [Changing host]
14:59 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
15:08 < cjm> ... server 10.255.1.99 255.255.255.0 is logging that the network/netmask combination is not permitted.  I can't see it.  Can anybody advise me?
15:12 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
15:15 -!- hagna [~hagna@74-92-245-181-Utah.hfc.comcastbusiness.net] has joined ##openvpn
15:16 < hagna> should openvpn2.0 on freebsd -> openvpn2.1 on linux over the simple two line p2p example work?
15:19 < hagna> !welcome
15:19 < vpnHelper> hagna: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:19 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
15:22 < Bushmills> cjm: (21:43:35) Bushmills: can't "create" a server with the specified ip address because you don't specify an ip address. instead, you specify a subnet
15:23 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
15:34 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:35 -!- Hypnoz1 [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
15:37 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:39 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Ping timeout: 248 seconds]
15:39 -!- krzie [~k@unaffiliated/krzee] has joined ##openvpn
15:42 -!- barefoot [~magic@196.30.46.202] has joined ##openvpn
15:43 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 252 seconds]
15:43 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
15:52 < cjm> Bushmills, So, my server already exists and is already on subnet 10.255.1.*  Is the subnet I specify in the server directive supposed to be different from the server's existing LAN?
15:52 < cjm> Or can the VPN clients simply join into the existing LAN?
15:53 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Quit: Leaving...]
15:54 < Bushmills> cjm: yes (different) - that's the subnet from which server and client tun interfaces are recruited.
15:55 < Bushmills> no, can't join - in the sense of overlapping - , or the router wouldn't know what interface to send packets with destination lan/subnet to
15:56 < Bushmills> "router" as an server routing
15:57 < Bushmills> well, actually, server would know what interface to send them too, but often it will be the wrong one, not reaching the destinations on the other interface
15:58 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
16:03 < hagna> le0: you seem like a bsd guy?
16:29 < le0> nope, fraid not
16:38 -!- cjm [~cjm@adsl-99-55-121-198.dsl.scrm01.sbcglobal.net] has left ##openvpn ["Leaving"]
16:48 -!- Mythmon [~cooperm@osuosl/staff/Mythmon] has quit [Quit: leaving]
16:51 -!- mythmon [~mythmon@osuosl/staff/Mythmon] has joined ##openvpn
16:59 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
17:01 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
17:04 -!- pa_ [~pa@host179-1-dynamic.61-82-r.retail.telecomitalia.it] has quit [Quit: Sto andando via]
17:05 -!- blueboxthief [~None_of_y@83-71-4-64-dynamic.b-ras1.dbn.dublin.eircom.net] has quit [Ping timeout: 276 seconds]
17:05 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
17:05 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
17:10 -!- blueboxthief [~None_of_y@83-71-4-64-dynamic.b-ras1.dbn.dublin.eircom.net] has joined ##openvpn
17:14 < Hypnoz1> rob0: Hey you still there?
17:21 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
17:30 -!- Bloodsong [~Nimbus@bas13-toronto12-1167984050.dsl.bell.ca] has joined ##openvpn
17:39 -!- barefoot [~magic@196.30.46.202] has quit [Ping timeout: 240 seconds]
18:02 < vlt> Hello. I push a "dhcp-option DNS" to a client. There's this update-resolv-conf script in /etc/openvpn, but it is not executed. How to invoke it?
18:03 < krzie> !factoids search script
18:03 < vpnHelper> krzie: "2.1-winpass-script" is http://article.gmane.org/gmane.network.openvpn.user/24575
18:03 < krzie> thats not it
18:03 < krzie> !man
18:03 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:03 < krzie> see SCRIPT ORDER OF EXECUTION
18:03 < krzie> i forget which you use, i THINK its --up
18:06 < vlt> krzie: Where to put "--up"?
18:06 < vlt> To client.conf? Like a new line "--up update-resolv-conf"?
18:07 < vlt> Or rather "up update-resolv-conf"?
18:07  * Bushmills has his up in the freezer
18:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
18:13 < vlt> When I add "up update-resolv-conf" to client.conf I get a line containing update-resolv-conf in /var/log/syslog but /etc/resolv.conf isn't touched at all. Any idea what's missing here?
18:13 -!- ufoman [ufoman@kolos.math.uni.lodz.pl] has left ##openvpn []
18:13 < krzie> yes, but i recommend using full path unless you are also using --cd
18:14 < krzie> you can mod the script to echo out whatever you want
18:14 < krzie> also, the client needs permission to change that file, see if not dropping privs (no --user / --group) helps at all
18:15 < krzie> if it does help, you can then work out how you wish to fix that
18:15 < krzie> (like sudo privs, or +s executable)
18:15 < krzie> personally i have never used ovpn to update dns, but i have seen it come up a few times)
18:16 < vlt> krzie: The line is now "/etc/openvpn/update-resolv-conf tun0 1500 1544 10.168.0.18 10.168.0.17 init" (with full path) but still no change of /etc/resolv.conf.  I'll try w/o user/group. Thank you.
18:18 < vlt> krzie: hmmm, user/group option was already disabled in the example file I used from /usr/share/doc/..., so it is actually running as root.
18:20 -!- Cap_J_L_Picard [~ewanm89@unaffiliated/ewanm89] has quit [Remote host closed the connection]
18:20 < Bushmills> actually, just about an hour ago i finished a setup, involving updating dns through vpn
18:21 < Bushmills> but openvpn is merely the transport, in this case. just happens to sit between update and name server
18:21 < vlt> I just found out that the script calls /sbin/resolvconf which doesn't exist.
18:22 -!- krzie [~k@unaffiliated/krzee] has quit [Ping timeout: 260 seconds]
18:23 < vlt> What pkg do I need to install on Debian? (Seems to be a missing dependancy)
18:23 < Bushmills> to do what?
18:24 < vlt> Bushmills: To provide /sbin/resolvconf. I think it's called "resolvconf" ;-)
18:25 < Bushmills> ah. yes. a that was that obvious, i doubted that that was what you actually asked
18:26 < vlt> Bushmills: Yes, I'm sorry. It's just too late (here).
18:28 < vlt> Ok, it works now.
18:50 -!- krzie [~k@unaffiliated/krzee] has joined ##openvpn
18:50 -!- krzie [~k@unaffiliated/krzee] has quit [Client Quit]
19:18 -!- uchimata [~uchimata@HSI-KBW-095-208-192-010.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: No route to host]
19:18 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
19:22 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has quit [Remote host closed the connection]
19:25 -!- krzie [~k@unaffiliated/krzee] has joined ##openvpn
19:37 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
19:37 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
19:37 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
19:43 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Remote host closed the connection]
19:48 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 246 seconds]
20:02 -!- Hypnoz1 [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Quit: Leaving.]
20:11 -!- uchimata [~uchimata@HSI-KBW-095-208-192-010.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
20:34 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
20:41 -!- tjz [~pc@bb116-14-141-167.singnet.com.sg] has joined ##openvpn
20:41 -!- tjz [~pc@bb116-14-141-167.singnet.com.sg] has quit [Changing host]
20:41 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:43 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:45 < theDoc> Morn' all.
20:45 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
20:45 < krzie> mornin
20:46 < theDoc> So, udp/443 still hasn't been closed.
20:47 < theDoc> I wonder if I could sell my services to random users in here that would like to circumvent filters or something ;p
20:47 < krzie> shouldnt be too much demand for udp/443
20:47 < krzie> its only open when others arent if someone misconfigs
20:48 < theDoc> Shouldn't, but since it's not closed might as well exploit it.
20:58 < krzie> a) it might get closed at any time
20:58 < krzie> b) only clients with similar misconfigs on their firewalls would benefit
20:59 < krzie> and theyd only benefit until the random time when a) happens
20:59 < krzie> at which point theyd be paying for something they dont recieve
21:00 < theDoc> krzee> Remember, this is within a corporate lan, the tunnels itself should already be breaking the IT policies ;p
21:00 < theDoc> I was just kidding on that really, I'm involved in a project here at the moment and I have no intention of breaking it.
21:19 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
21:35 -!- jforman [~jforman@unaffiliated/jforman] has joined ##openvpn
21:36 < jforman> anyone using topology subnet in here? i'm trying to switch to it from net30, but it seems that when clients connect, they get the routes, but not the gateway. 
21:37 < krzie> are they using 2.1.1?
21:37 < krzie> are you using tun?
21:37 < jforman> krzie: yes, both sides are 2.1. client is 2.1_rc15, server is 2.1_rc19
21:38 < krzie> why still using version with known bugs?
21:38 < krzie> those wouldnt be RC if there werent bugs found ;]
21:38 < jforman> heh understood. both are included packages of the various OSes, openbsd 4.6 and ubuntu 9.10 respectively
21:43 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
21:45 < jforman> krzie: looks like there was an update in a later rev to the freebsd ifconfig for topo subnet.. :/ will start digging
21:46 < eradiate> .
21:46 < eradiate> ..
21:47 < krzie> why dig!?
21:47 < krzie> just upgrade dude
21:47 < krzie> source compiles fine
21:47 < krzie> if your OS's repo's dont update themselves that is
21:48 < krzie> i know fbsd and osx both use 2.1.1
21:48 < jforman> yeah, need to work on the port upgrade for obsd on this machin
21:49 < rob0> obie esdy
22:03 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
22:14 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
22:26 -!- DarthGandalf|BNC is now known as DarthGandalf
22:28 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
22:33 -!- scoil [platypus@unaffiliated/coil] has joined ##openvpn
22:33 < scoil> openvpn[90033]: Cannot open file key file 'ta.key': No such file or directory (errno=2)
22:33 < scoil> but its ovbously there in the right directory
22:33 < scoil> openvpn/keys
22:40 < Bushmills> why "obviously"?
22:42 < scoil> never mind
22:42 < scoil> i didn't have the tls-auth line in my config
22:43 < scoil> i got it working
22:43 < scoil> oh
22:43 < scoil> i mean i had that line
22:43 < scoil> but it wasn't pointed to the full path
22:43 < scoil> it was just tls-auth ta.key 0
22:44 < theDoc> So it obviously wasn't there in the config file :)
22:44 < scoil> ;p
22:51 < scoil> i guess ill regenerate my certs and keys to be 2048bit
22:51 < scoil> or is that necessary?
22:53 < krzie> damn i cant believe i did not put my openvpn config generator script on a server somewhere so i could work on it from work
22:53 < krzie> sitting here bored wanting to work on it
22:53 < krzie> hell i use 4096 :-p
22:53 < krzie> necessary, only you can judge
22:53 < krzie> ive heard nothing to make me think 1024 isnt ok
22:54 < krzie> and ive never seen any studies pointing to the fact that 4096 holds up and doesnt actually hurt the encryption methods
22:54 < krzie> but i feel use 4096 anyways *shrug*
22:54 < krzie> one thing is for sure, a 4096 ta.key is pointless
22:55 < krzie> since both sides only use a small part of it (less than 1024bits iirc)
22:55 < scoil> ahh...ok
22:55 < krzie> (its only used as an HMAC to sign packets)
22:55 < scoil> ill just let it be and see if i can get it working from school
22:55 < scoil> i need to remember to copy over the certs and keys though
22:56 < krzie> yup, that would help ;]
22:56 < scoil> i saw someone using just a l/p to login
22:56 < scoil> with their configuration
22:57 < krzie> sure
22:57 < krzie> !authpass
22:57 < vpnHelper> krzie: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
22:58 < scoil> cool, thanks
23:10 < krzie> np
23:10 < krzie> if you ever find yourself bored, dig through !factoids
23:10 < krzie> its got tons of goodies
23:10 < krzie> ;]
23:27 < krzee> yay im home again
23:27 < krzee> now i can smoke a blunt and work on that ovpn-confgen
23:29 -!- clee [clee@fruit.freedesktop.org] has joined ##openvpn
23:29 < clee> having an argument with a coworker about whether or not openvpn can handle this setup.
23:30 < clee> we use RSA SecurID tokens and ActiveDirectory for user auth
23:30 < clee> is there way to configure openvpn to talk to the SecurID server and also to the AD auth server?
23:31 < krzee> sure
23:32 < krzee> in 1 step
23:32 < krzee> a radius server =]
23:32 < clee> awesome. can you point me to docs on setting one up for this configuration?
23:32 < clee> he claims that the problem is that openvpn doesn't know how to prompt the user for two passwords
23:32 < clee> but my thinking was it must be possible to have the user enter token+password
23:33 < clee> then strip the first 6 characters from the string and use that as the token ID, and use the rest as the password
23:33 < krzee> hrm, actually that IS interesting
23:33 < krzee> well it wouldnt be openvpn really
23:33 < krzee> openvpn has nothing ITSELF which checks passwords
23:33 < krzee> rather, it hands that off the a script
23:33 < krzee> script returns 1, client has access
23:33 < krzee> script returns 0, client does not have access
23:33 < clee> so the script gets the unencrypted password?
23:34 < krzee> only if the script asks for a password ;]
23:34 < clee> again, please, docs
23:34 < krzee> you could have a script which just has the line:   true
23:34 < clee> if I have to write my own script/plugin, I will do it
23:34 < krzee> in which case it would simply execute true, and allow *
23:34 < clee> I just really want to prove him wrong. :)
23:34 < krzee> ok well if you can write the script, you can auth HOWEVER you wish
23:34 < krzee> !man
23:34 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
23:35 < krzee> SCRIPT ORDER OF EXECUTION
23:35 < krzee> and below it has ENV vars the script gets
23:36 < krzee> !authass
23:36 < vpnHelper> krzee: Error: "authass" is not a valid command.
23:36 < krzee> erm
23:36 < krzee> !authpass
23:36 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
23:36 < krzee> you would want the script used with:  --auth-user-pass-verify
23:36 < krzee> there are a few scripts which do SOME of what you asked about
23:36 < clee> I assume there's a way to set that as a config option in my server.ovpn, like 'auth-user-pass-verify foo.pl'
23:37 < krzee> exactly, although you should use a full path to foo.pl
23:37 < krzee> !--
23:37 < vpnHelper> krzee: "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix can be removed when an option is placed in a configuration file.
23:37 < clee> of course, of course
23:37 < krzee> damn
23:38 < krzee> !forget --
23:38 < vpnHelper> krzee: Joo got it.
23:38 < krzee> !learn -- as OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file.
23:38 < vpnHelper> krzee: Joo got it.
23:38 < clee> krzee: thank you very much.
23:38 < krzee> i s/can/must// there ;]
23:38 < krzee> np
23:38 < krzee> you also have the ability to build a plugin instead of a scrit if you so wish
23:39 < krzee> oh and heres something for your script
23:39 < krzee> !ad
23:39 < vpnHelper> krzee: Error: "ad" is not a valid command.
23:39 < krzee> !factoids search directory
23:39 < vpnHelper> krzee: "activedirectory" is http://amigo4life.googlepages.com/openvpn for the guide of how to auth against AD
23:39 < krzee> the OTP tokens should auth against a radius server
23:39 < krzee> your script could be a hybrid of both
23:39 < krzee> btw
23:39 < krzee> if you do this
23:40 < krzee> PLEASE come back and make a writeup on the wiki
23:40 < krzee> that would be a sweet setup to document
23:41 < krzee> also, i assume theres a possibility that the GUI wouldnt know about asking for the second pass (havnt looked at that code) but if thats true it would be good to know about, there are weekly dev meetings on IRC and it could be brought up there
23:41 < krzee> !wiki
23:41 < vpnHelper> krzee: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
23:41 < krzee> !wishlist
23:41 < vpnHelper> krzee: "wishlist" is http://ovpnforum.com/viewforum.php?f=10 for the openvpn wishlist
23:41 < krzee> if the gui doesnt support the dual passes and your script does, dump it on the wishlist and ill forward it along
23:43 < krzee> hope that helps =]
--- Day changed Tue Apr 20 2010
00:15 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Remote host closed the connection]
00:15 -!- agagag [~anton@83.167.185.34] has joined ##openvpn
00:42 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
00:43 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
00:51 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
01:01 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
01:06 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:06 -!- mode/##openvpn [+o mattock] by ChanServ
01:06 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has quit [Quit: Leaving]
01:29 -!- hagna [~hagna@74-92-245-181-Utah.hfc.comcastbusiness.net] has quit [Ping timeout: 276 seconds]
01:29 -!- hagna [~hagna@74-92-245-181-Utah.hfc.comcastbusiness.net] has joined ##openvpn
01:29 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Disconnected by services]
01:31 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
01:59 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
02:17 -!- StewartW [~stewart@213.152.254.36] has joined ##openvpn
02:20 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:26 < krzee> !learn static_key_details as http://svn.openvpn.net/projects/openvpn/web/trunk/faq-static-key-explanation.txt for an explanation of how static key files are used
02:26 < vpnHelper> krzee: Joo got it.
02:38 -!- mattock [~samuli@sparkgw.utu.fi] has joined ##openvpn
02:38 -!- mode/##openvpn [+o mattock] by ChanServ
02:39 -!- blueboxthief [~None_of_y@83-71-4-64-dynamic.b-ras1.dbn.dublin.eircom.net] has quit [Ping timeout: 276 seconds]
02:44 -!- blueboxthief [~None_of_y@83-71-4-64-dynamic.b-ras1.dbn.dublin.eircom.net] has joined ##openvpn
02:56 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
03:01 < krzee> !winnat
03:01 < vpnHelper> krzee: "winnat" is http://support.microsoft.com/kb/306126 for windows nat (windows calls it internet connection sharing aka ICS)
03:01 -!- anebi [~anebi@91.207.191.17] has joined ##openvpn
03:03 < anebi> hi. we have installed openvpn-2.1.1 on centos 5 and configured it as a server. we want to push a route to this machine public ip address in order to get a workaround related with voip and access to the server using its public ip address. after adding the push route on we get this error: "write UDPv4: No buffer space available (code=55)". what is the right way to go to get this working properly?
03:03 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
03:05 < krzee> routing loop
03:05 < krzee> you cant possibly route your vpn server over the vpn
03:05 < krzee> cause then you cant reach your vpn over the internet anymore
03:05 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
03:05 < krzee> the vpn itself and your gateway are the 2 things you can NEVER route over the vpn
03:06 < anebi> krzee: yes, this is what happens actually. when i push this route, then i cannot reach the server thru internet
03:06 < theDoc> Then maybe, stop pushing that route?
03:07 < krzee> hehe
03:07 < krzee> tell the voip app to expect the client from VPN_IP
03:07 < anebi> theDoc: i do thisof course. but i'm trying to find a way to make the voip working thru tunnel. the software is working only with the ublic ip address and listen only on this. so in order to get this working with tunneling, i need to push the traffic from openvpn to the public ip
03:08 < theDoc> krzee> Any chance I could get you to test my vpn services? :)
03:08 < krzee> then access the voip app using its VOIP_IP
03:08 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
03:08 < krzee> theDoc, im writing a script to generate vpn configs for people
03:08 < krzee> what do you need tested?
03:08 < theDoc> krzee> Ease of use, ;p
03:08 < theDoc> and the likes.
03:08 < theDoc> What ever people usually want to test.
03:09 < anebi> krzee: here comes the problem :) voip server is able to listen only on one ip address :( and is set to be the public ip
03:09 < krzee> well i know how use would be without connecting :-p
03:09 < krzee> by looking at your configs ill know that ;]
03:09 < krzee> umm
03:09 < theDoc> krzee> I could toss my config over to you after I have removed all the offending lines which include radius server ips/ports and stuff ;p
03:09 < krzee> what voip software would that be?
03:10 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
03:10 < theDoc> anebi> Which voip software is that?
03:10 < anebi> krzee: sipxecs with freeswicth
03:10 -!- graffz [~graffz@118.175.66.195] has joined ##openvpn
03:10 < theDoc> Have you tried looking at *?
03:10 < krzee> freeswitch can only listen on 1 ip?
03:10 < krzee> i highly doubt that
03:10 < krzee> theDoc, freeswitch > *
03:10 < theDoc> I don't know, not really a voip person but I've heard some good things about *
03:10 < anebi> krzee: yeah, the one that is used from sipxecs listen only on ip and cannot work with multiple NICs (IPs)
03:10 < krzee> theDoc, http://www.freeswitch.org/node/117
03:10 < vpnHelper> Title: How does FreeSWITCH compare to Asterisk? | FreeSWITCH (at www.freeswitch.org)
03:11 < krzee> it was started by people heavily involved with dev'ing for *
03:11 < krzee> (namely anthm)
03:11 < krzee> you dont need more nics for VPN ip
03:12 < krzee> [04:11]  <krzee> ie: vpn ip and inet IP
03:12 < krzee> [04:11]  <sekil> yes it can but per profile
03:12 < krzee> oops
03:12 < krzee> [04:11]  <krzee> can freeswitch listen on multiple IPs?
03:12 < krzee> [04:11]  <krzee> ie: vpn ip and inet IP
03:12 < krzee> [04:11]  <sekil> yes it can but per profile
03:13 < krzee> theDoc, freeswitch is actually the most impressively developed app i have ever seen
03:13 < anebi> krzee: yes yes, i know. but it cannot work with multiple ip addresses too. as i read, sipxecs will work very well only with one ip and bonding channels.
03:13 < theDoc> Hmm:)
03:13 < krzee> theDoc, i know a guy who has effectively dos'ed metaswitch with a single freeswitch box
03:13 < krzee> metaswitch units are used by CLECs, they start at 250,000 USD
03:14 < theDoc> Win.
03:14 < krzee> well anebi , you cant route your vpn over your vpn
03:14 < krzee> you can vpn to another machine on the LAN as the voip server
03:14 < krzee> then NAT
03:14 < krzee> in fact i guess you could NAT on the same machine as the voip server
03:14 < theDoc> krzee> Sounds really dirty.
03:15 < krzee> routing loops are dirtier ;]
03:15 < krzee> but yes, its filthy
03:15 < anebi> krzee: yes, i will think on such solution. thanks
03:15 < theDoc> I wouldn't go down that way unless there's no other option, it makes it look like an administrative nightmare.
03:16 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
03:16 < krzee> well not THAT bad, youd just make it look like the VPN client's static vpn ip is on the LAN
03:17 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
03:17 < krzee> but ya, not good
03:19 < krzee> Please take a number: http://conference.freeswitch.org/number.jpg
03:19  * theDoc has a house in mind
03:19 < theDoc> :)
03:21 -!- blueboxthief [~None_of_y@83-71-4-64-dynamic.b-ras1.dbn.dublin.eircom.net] has quit [Quit: Leaving.]
03:21 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 240 seconds]
03:24 -!- mattock [~samuli@sparkgw.utu.fi] has quit [Quit: Leaving.]
03:29 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 264 seconds]
03:29 -!- dekroning [~dekroning@cp434307-b.dbsch1.nb.home.nl] has joined ##openvpn
03:37 -!- graffz` [~graffz@118.175.66.195] has joined ##openvpn
03:39 < krzee> !forget winnat
03:39 < vpnHelper> krzee: Joo got it.
03:39 < krzee> !learn winnat as http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows
03:39 < vpnHelper> krzee: Joo got it.
03:40 -!- graffz [~graffz@118.175.66.195] has quit [Ping timeout: 258 seconds]
03:40 < krzee> !linnat
03:40 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
03:41 -!- anebi [~anebi@91.207.191.17] has quit [Quit: Leaving.]
03:41 -!- anebi [~anebi@91.207.191.17] has joined ##openvpn
03:42 < krzee> !winipforward
03:42 < vpnHelper> krzee: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
03:42 < krzee> !linipforward
03:42 < vpnHelper> krzee: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
03:42 < krzee> !bsdipforward
03:42 < vpnHelper> krzee: Error: "bsdipforward" is not a valid command.
03:42 < krzee> !fbsdipforward
03:43 < vpnHelper> krzee: "fbsdipforward" is is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
03:43 -!- anebi [~anebi@91.207.191.17] has left ##openvpn []
03:45 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
03:47 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
03:51 -!- graffz` [~graffz@118.175.66.195] has quit [Ping timeout: 258 seconds]
03:51 -!- graffz [~graffz@118.175.66.195] has joined ##openvpn
03:59 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 264 seconds]
04:01 < WormFood> is there a package for the latest 2.1.1 openvpn for windows (where the installer can be recompiled), or do I have to extract the files from the existing installer?
04:05 -!- Diffen2 [~diffen2@79.138.217.203.bredband.tre.se] has joined ##openvpn
04:05 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
04:10 < krzee> it should be in the source iirc
04:10 < krzee> if not maybe this will help you
04:10 < krzee> OpenVPN testing source tree: git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn-testing.git | Browse the git tree: http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git;a=summary
04:10 < vpnHelper> Title: SourceForge - openvpn/openvpn-testing.git/summary (at openvpn.git.sourceforge.net)
04:11 < WormFood> but not the compiled apps are in the source
04:11 < WormFood> I don't want to have to recompile everything, I just want to edit the installer
04:11 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 260 seconds]
04:12 < WormFood> customize some options, and add a default config file
04:12 < WormFood> nothing really special
04:12 -!- graffz` [~graffz@118.175.66.195] has joined ##openvpn
04:13 -!- Diffen2 [~diffen2@79.138.217.203.bredband.tre.se] has quit [Quit: This computer has gone to sleep]
04:16 -!- graffz [~graffz@118.175.66.195] has quit [Ping timeout: 258 seconds]
04:17 -!- Diffen2 [~diffen2@79.138.217.203.bredband.tre.se] has joined ##openvpn
04:24 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
04:28 -!- dazo_afk is now known as dazo
04:30 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
04:34 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
04:36 -!- Diffen2 [~diffen2@79.138.217.203.bredband.tre.se] has quit [Quit: This computer has gone to sleep]
04:37 -!- Diffen2 [~diffen2@79.138.217.203.bredband.tre.se] has joined ##openvpn
04:43 -!- graffz` is now known as graffz`420
04:52 -!- graffz`420 is now known as graffz
04:56 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Quit: Leaving]
04:56 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
04:56 -!- unimatrix [~unimatrix@93-103-14-47.static.t-2.net] has quit [Remote host closed the connection]
04:57 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:07 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
05:11 -!- graffz [~graffz@118.175.66.195] has quit [Ping timeout: 258 seconds]
05:16 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
05:25 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 246 seconds]
05:30 -!- graffz [~graffz@118.175.66.195] has joined ##openvpn
05:38 -!- graffz` [~graffz@118.175.66.195] has joined ##openvpn
05:38 -!- Diffen2 [~diffen2@79.138.217.203.bredband.tre.se] has quit [Ping timeout: 260 seconds]
05:41 -!- graffz [~graffz@118.175.66.195] has quit [Ping timeout: 258 seconds]
05:42 -!- graffz` [~graffz@118.175.66.195] has quit [Read error: Connection reset by peer]
05:43 -!- graffz` [~graffz@118.175.66.195] has joined ##openvpn
05:43 -!- Diffen2 [~diffen2@95.209.83.163.bredband.tre.se] has joined ##openvpn
05:48 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
05:48 -!- mode/##openvpn [+o mattock] by ChanServ
05:50 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Ping timeout: 258 seconds]
05:51 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
05:57 -!- Diffen2 [~diffen2@95.209.83.163.bredband.tre.se] has quit [Ping timeout: 240 seconds]
05:59 -!- unimatrix [~unimatrix@93-103-14-47.static.t-2.net] has joined ##openvpn
05:59 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
05:59  * theDoc sighs.
05:59 < theDoc> 61% packet drops?
06:00 < theDoc> fuck this shit.
06:01 < dazo> WormFood: to edit the installer, you'll have to recompile it ... but iirc, that's doable with the nsis compiler
06:01 < WormFood> yeah, I have to recompile the installer...I don't want to recompile the binaries
06:02 < WormFood> I've done it before, with 2.0.x, but now winblows 7 complains about compatibility problems with the 2.0.x tap32 driver, but works fine with the 2.1.1 installer
06:03 < theDoc> 1748 packets transmitted, 681 packets received, 61.0% packet loss
06:03 < theDoc> round-trip min/avg/max/stddev = 271.031/843.104/1996.468/599.947 ms
06:03 < theDoc> \o/
06:20 < mwheeler> not bad theDoc 
06:21 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 276 seconds]
06:25 -!- graffz`` [~graffz@118.175.66.195] has joined ##openvpn
06:26 < dazo> WormFood: 2.0.9 was released many years ago, even before Vista I believe ... don't ever expect 2.0.x to work on Vista or newer ... 2.1.1 do have the latest stuff needed to make it work on the latest Windows versions
06:27 -!- graffz` [~graffz@118.175.66.195] has quit [Ping timeout: 258 seconds]
06:27 < dazo> WormFood: rather upgrade to 2.1.1 rather than staying on 2.0.x ... that's just the same as shooting yourself in the foot ... ie. not clever
06:28 -!- Diffen2 [~diffen2@79.138.213.165.bredband.tre.se] has joined ##openvpn
06:32 < WormFood> if I remember correctly 2.0.1 worked on vista
06:33 < WormFood> but the files installed are just normal files...but I need to wrap them in a new installer....I just didn't want to have to compile openvpn from source is all (and I know I don't have to, as I can extract the binaries from the 2.1.1 installer, and use the install scripts to make a new installer)
06:37 < dazo> WormFood: 2.0.1!?!?!?  man, you really want to be in trouble ... 2.0.1 was probably released somewhere in late 2004 - early 2005 ... you do know that 2.1.1 do have a good doze of security fixes which 2.0.9 or earlier do not have?
06:37 < dazo> in addition to stability fixes as well
06:38 < dazo> and other bug fixes 
06:38 < WormFood> I'm talking about the gui, windows front end
06:38 < WormFood> and maybe I'm off on my versions too
06:38 < dazo> but 2.1.1 ships with gui installer and everything ... what kind of changes are you going to do?
06:39 < WormFood> yeah, I'm off...getting 2 different versions mixed up
06:39 < dazo> WormFood: the gui installer, with sources only are available here: http://sourceforge.net/projects/openvpn-gui/
06:39 < vpnHelper> Title: OpenVPN GUI | Get OpenVPN GUI at SourceForge.net (at sourceforge.net)
06:39 < WormFood> 2.1 beta 7 is what I was using before, with the 1.0.3 GUI
06:40 < WormFood> yeah, I have it already...I want the gui installer, with the binaries
06:40 < WormFood> so ignore everything I said about 2.0.1, and replace it with 2.1 beta 7 ;)
06:41 < WormFood> what do I need to compile it? visual studio?
06:41 < dazo> ahh ... that's quite a bit better :)
06:41 < WormFood> sorry about the confusion
06:41 < dazo> there's been some discussions on the openvpn-devel mailing list
06:41 < dazo> about windows building 
06:42 < dazo> I'm not building on windows at all, so I'm not much useful there at all when it comes to the gory details ... I only got the overview over the different parts
06:43 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
06:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:44 < WormFood> yeah, if it was on Linux, it'd be no problems for me
06:44 < WormFood> but I hate compiling stuff on windows
06:44 < WormFood> it just never seems to come out right, even when I follow instructions to the letter
06:45 < WormFood> On Linux, things seem to just work 98% of the time.
06:47 < WormFood> I should be able to extract all the files out of the installer package...since we have the nsis installer script...that should work best I think
06:48 < theDoc> Now, any of you guys can't stand customers that want a shitton of stuff but yet refuse to pay for it?
06:48 < dazo> WormFood: I know cron2 have done cross compilations in Linux for Windows binaries ... and I've done some NSIS compilation on Linux, creating good Windows installers .... that's how I like it to be :-P
06:49 < WormFood> yeah, actually I want to do that too, but some features of nsis do not work under Linux when compiling for winblows (and some of those features are what I need)
06:49 < WormFood> I did try to compile the nsis scrip under Linux...didn't work for me :(
06:50 < dazo> hmm ... pitty ...
06:50 < WormFood> theDoc, a lot of people are that way....those are the type of customers to avoid
06:50 < dazo> what kind of features?
06:50 < WormFood> I don't remember now
06:50 < WormFood> it was probably 6 months ago or more I was last playing with that stuff
06:50 < WormFood> real pain in the ass...I HATE their scripting language
06:51 < WormFood> why couldn't they make it more C-like, or BASIC-like
06:51 < WormFood> ?
06:51 < WormFood> or even bash script-like?
06:51 < theDoc> WormFood> I got just asked to quote 7 machines, 3 of them being high end graphic systems for autocad and a RAID5 server + SAS and another 3 fairly mid-range machines + network/systems deployment for less than 10k US.
06:51 < theDoc> I don't even know where to go about fixing thing :-)
06:51 < theDoc> s/thing/this thing.
06:53 < WormFood> so, clearly they don't want quality machines
06:53 < WormFood> fast, cheap, reliable....pick any two
06:54 < theDoc> Precisely, I'm probably going to knock the RAID stuff off the server and bill them with double the fee if it breaks and they need to recover that box.
06:54 < WormFood> if it is fast and cheap, it won't be reliable....if it is fast and reliable, it won't be cheap
06:54 < theDoc> I can just imagine the pain, Oh, we need to now migrate this RAID 1 mirror into a RAID 5 setup with no down time.
06:54 < WormFood> some customers want too much
06:55 < theDoc> I have half a mind not to do this project, because of their perceived "budget" constrains.
06:56 < WormFood> my dad repairs air conditioners....i've actually seen him go to people's houses and give them their money back, plus 10% extra, because they are bad customers.....nothing is ever right for them, always wants more...you gotta draw the line somewhere.
06:56 < theDoc> It would be really alot easier for myself AND them if they went with RAID5 for all their servers, so we get to -gasp- skip the whole painful process of restriping the RAID from 1 - 5.
06:56 -!- Diffen2 [~diffen2@79.138.213.165.bredband.tre.se] has quit [Quit: This computer has gone to sleep]
06:56 < theDoc> Yeah, I'm going to talk to accounts and decide by tonight as to what we're going to do with this project.
06:57 -!- Netsplit *.net <-> *.split quits: flok420
06:57 < theDoc> I mean really, quadro fx cards, raid 5, 15k RPM SAS drives and hardware RAID.
06:57 < theDoc> How does anyone expect that to be cheap?
06:57 < theDoc> :/
06:57 < WormFood> hahaha
06:58 -!- graffz`` [~graffz@118.175.66.195] has quit [Ping timeout: 258 seconds]
06:58 < WormFood> they are delusional
06:58 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 260 seconds]
06:58 < theDoc> Autocad LT, PhotoshopCS5 aren't exactly the cheapest thing around.
06:58 < WormFood> simply ask them what type of quality they expect
06:58 -!- Diffen2 [~diffen2@79.138.213.165.bredband.tre.se] has joined ##openvpn
06:58 < WormFood> and when they say the best quality, tell them that what they want isn't possible under the limitations they have asked for
06:59 < WormFood> they want the software in that price too?
06:59 < WormFood> wow...they are crazy
06:59 < WormFood> tell them you can't do what they ask for within their budget constraints
06:59 -!- Diffen2 [~diffen2@79.138.213.165.bredband.tre.se] has quit [Remote host closed the connection]
06:59 -!- graffz [~graffz@118.175.66.195] has joined ##openvpn
06:59 < theDoc> WormFood> I did, they wanted something like, hardware for 20k (SGD) and no more than that. The hardware works out to be something like, 24k before my man hours on site.
06:59 -!- Diffen2 [~diffen2@79.138.213.165.bredband.tre.se] has joined ##openvpn
07:00 < theDoc> WormFood> Yes, the autocad licenses are something like, 2.4k a pop.
07:00 < WormFood> or, if you want, you can simply say "肏你妈" hehehe :D
07:00 < theDoc> I'm not quite willing to do this for free, to be honest.
07:00 < WormFood> you can't do it for free
07:00 < theDoc> 3k, for quoting, arranging, setting up and support.
07:00 < WormFood> ask them how much they expect you to pay out of your pocket
07:00 < theDoc> I don't think that's overly expensive, to be honest.
07:00 < WormFood> because what they're asking for, at that price, requires you to pay for it
07:01 < theDoc> True that. I can't do this at el-cheapo freelance rates like for 250$
07:02 < theDoc> So we have all the brand-spanking new i7 intel processors and maybe we'll have to get them something cheaper :)
07:02 < theDoc> Maybe the i5's or something, then we'll just tell them, you get what you paid for. :)
07:02 < WormFood> ask them what kind of drugs they are on that makes them so delusional as to think they can get what they want at that price
07:03 < theDoc> WormFood> That's not going to help ;p
07:03 < theDoc> but it's advice too. At some point, we'll probably tell them that.
07:03 < WormFood> you should make a web site, where they can pick out what they want....so they can see they are asking for really costs
07:04 < WormFood> they've given you 2 things they want....computers/software and price....what they ask for does not fit within that price
07:04 < theDoc> WormFood> I would give it to them for cheaper, if not for them rushing me to push out a quotation within 2 days.
07:04 < WormFood> that is like going to the car dealer, and saying "I want a corvette and I want to pay $20,000 for it"....not gonna happen
07:04 < theDoc> This particular project, the markup was about 30% after all that jazz and stress that I got put through ;p
07:04 < theDoc> Too high? Maybe. Do I want to drop it? Probably not.
07:05 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
07:05 -!- graffz` [~graffz@118.175.66.195] has joined ##openvpn
07:06 -!- graffz [~graffz@118.175.66.195] has quit [Ping timeout: 258 seconds]
07:07 < WormFood> well, it sounds like you'll have a lot of other issues with these customers
07:07 < WormFood> they sound too demanding right off the bat
07:07 < theDoc> True. :/
07:09 < WormFood> I think I may have found a solution to my "problem"
07:09 < WormFood> find out in a few minutes
07:12 -!- DarthGandalf is now known as DarthGandalf|BNC
07:14 -!- DarthGandalf|BNC is now known as DarthGandalf
07:17 -!- Diffen2 [~diffen2@79.138.213.165.bredband.tre.se] has quit [Quit: This computer has gone to sleep]
07:28 -!- flok420 [folkert@keetweej.vanheusden.com] has joined ##openvpn
07:38 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
07:42 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Client Quit]
07:42 -!- MatBoy [~MatBoy@wiljewelwetenhe.xs4all.nl] has quit [Quit: Lost terminal]
07:50 -!- krzee [nobody@unaffiliated/krzee] has quit [Excess Flood]
07:54 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 264 seconds]
07:54 -!- theDoc [~jaki@69.10.59.166] has joined ##openvpn
07:55 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
07:55 -!- theDoc [~jaki@69.10.59.166] has quit [Changing host]
07:55 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
07:57 < krzee> !def1
07:57 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
08:04 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
08:28 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Quit: Bye]
08:28 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
08:32 -!- Bloodsong [~Nimbus@bas13-toronto12-1167984050.dsl.bell.ca] has quit [Quit: Leaving]
08:46 -!- macsppadic is now known as phphater
08:53 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 265 seconds]
08:58 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
09:02 -!- le0_ [~fin@cpc4-bele7-2-0-cust381.know.cable.virginmedia.com] has joined ##openvpn
09:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
09:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:05 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
09:13 -!- AgentKGB [~e18925@pool-96-244-150-106.bltmmd.fios.verizon.net] has quit [Ping timeout: 265 seconds]
09:13 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:16 -!- graffz` [~graffz@118.175.66.195] has quit [Ping timeout: 258 seconds]
09:25 < WormFood> oops...I got distracted....but I did find what I was looking for. this http://legroom.net/software/uniextract did the trick.
09:25 < vpnHelper> Title: Universal Extractor | LegRoom.net (at legroom.net)
09:26 -!- Stummi [stummi@doppeldenk.org] has joined ##openvpn
09:26 < Stummi> does openvpn not using enviroment-variables on windows?
09:28 < WormFood> probably not...what does the docs say?
09:28 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
09:29 < Stummi> i don't know. I just tried to run openvpn, but it fails because he could not find C:\Windows\System32\netsh.exe
09:29 < Stummi> my windows-directory is on F:\
09:29 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
09:29 < krzee> you using 2.1.1?
09:29 < Stummi> so i had to create C:\Windows\System32 and copy F:\Windows\System32\netsh.exe to there. Its very dirty, but it works now :)
09:29 < Stummi> yes, i am using 2.1.1
09:30 < krzee> thank you, forwarded it
09:30 < Stummi> np
09:31 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
09:47 < ecrist> Stummi: you're escaping the \ in the path in your config, right?
09:47 < ecrist> F:\\Windows\\System32\\netsh.exe
09:49 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
09:50 < Stummi> ecrist, which config do you mean? I didn't give any path in the config for vpn, so i thought it will use the enviroment-variables from the system.
09:52 < ecrist> interesting
09:53 -!- StewartW [~stewart@213.152.254.36] has quit [Quit: Ex-Chat]
10:13 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has joined ##openvpn
10:13 < McBoingbo> Heeeelp lol, trying to get Windows 7 and OpenVPN working for my users, without admin privileges, can anyone help please?
10:13 -!- Stummi [stummi@doppeldenk.org] has left ##openvpn ["Verlassend"]
10:17 < McBoingbo> I tried setting up the OpenVPN service but still can not run it as a non privileged user
10:19 < ecrist> McBoingbo: have you googled?  there are some pretty specific instructions on how to do that
10:21 < McBoingbo> I have googled my face off
10:21 < McBoingbo> most articles I came across were 6 years old, and nothing is working
10:21 < McBoingbo> I dont want to be spoonfed, I just am running out of options
10:21 < ecrist> windows xp or windows 7?
10:21 < ecrist> have you seen http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin.html
10:21 < vpnHelper> Title: HowTo Run OpenVPN as a non-admin user in Windows (at openvpn.se)
10:22 < McBoingbo> windows 7
10:22 < McBoingbo> sorry I think I may have seen this but thought it was pointless as its 5 years old
10:23 < ecrist> nope, still valid
10:23 < McBoingbo> I thought with windows 7 its route.exe thats causing the grief?
10:24 < McBoingbo> and "runas" shortcuts with our admin password is never a good idea
10:24 < havoc> my Limited users still have local admin passwd on their laptops, I just have them run as Limited to avoid stupid mistakes
10:25 < havoc> so I just psexec the GUI
10:25 < havoc> I'd use the service but they have several configs of which only one needs to be connected at a time
10:26 < McBoingbo> only 1 config here, my concern is I dont want them connected to the VPN when they are here at work
10:26 < havoc> but another option that could/should work would be to add actual perms for those specific users to all the required DLLs and EXEs
10:26 < havoc> McBoingbo: why not?
10:26 < havoc> McBoingbo: set your routing metrics right and it shouldn't matter
10:27 < havoc> I'm an admin on my laptop but I still have the service running so it's always connected whereever and whenever it has Net
10:27 < McBoingbo> yeah, that would work, but seems cumbersome
10:28 < havoc> it is
10:28 < havoc> but you can procmon.exe it to see exactly what needs to be changed
10:29 < havoc> but that or the service are your *only* two choices if they're not allowed to know the local admin passwd
10:29 -!- jforman [~jforman@unaffiliated/jforman] has left ##openvpn []
10:31 < McBoingbo> I may go the service route
10:31 < McBoingbo> always on, and there is a way to grant the users the ability to stop/start the service
10:31 < McBoingbo> that should suffice no?
10:38 < havoc> I don't think they can control the service at all as Limited users
10:38 < McBoingbo> really?
10:38 < havoc> correct
10:38 < McBoingbo> the article ecrist forwarded to me says you can
10:38 < havoc> but always on shouldn't be a problem
10:39 < havoc> my limited users could not
10:39 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:39 < McBoingbo> yeah, true
10:42 < McBoingbo> fuck it, your right, these are work laptops
10:42 < McBoingbo> VPN all the time baby
10:43 < havoc> just set your ping and retry times so that it'll reconnect reasonably
10:43 < McBoingbo> ah so there is some tweaking needed
10:44 < havoc> to the client configs, maybe
10:44 < McBoingbo> parameters are "ping" and "retry"
10:44 < McBoingbo> will look into it
10:44 < McBoingbo> what do you typically use?
10:44 < havoc> and resolv-retry-infinite
10:44 < havoc> not sure, something low I think
10:44 < McBoingbo> if these settings are not used, what occurs?
10:45 < McBoingbo> timeout disconnect and needs the service restart
10:45 < havoc> possibly
10:46 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
10:47 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
10:50 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
10:50 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
10:50 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
10:52 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Ping timeout: 276 seconds]
10:53 -!- phphater [~sonupunno@82.109.74.162] has left ##openvpn []
10:59 -!- brah [~asdofp@190.183.62.68] has joined ##openvpn
11:01 < aaronorosen1> If i want to have bridge_start run automatically when i boot my computer is there any Openvpn way to do that besides putting it in my /etc/rc3.d? 
11:02 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Quit: Leaving]
11:05 -!- WormFood [~wormfood@58.60.223.28] has quit [Ping timeout: 245 seconds]
11:05 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Quit: Bye]
11:07 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
11:07 < havoc> there should be up/down or start/stop commands you can put in the config, man openvpn
11:09 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 276 seconds]
11:14 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
11:17 -!- WormFood [~wormfood@121.15.110.61] has joined ##openvpn
11:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
11:33 < krzee> Bushmills, here?
11:37 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
11:39 < Bushmills> now i am
11:39 < Bushmills> krzee ^^^
11:40 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
11:41 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:43 < krzee> bleh
11:43 < krzee> had a question, now i broke syntax somewhere
11:43 < krzee> so i gotta fix that first =/
11:47 < krzee> ooo i MIGHT have it
11:47 -!- aaronorosen1 [~arosen@riggs249dhcp138.ces.clemson.edu] has quit [Read error: Connection reset by peer]
11:47 -!- aaronorosen2 [~arosen@riggs249dhcp138.ces.clemson.edu] has joined ##openvpn
11:47 < krzee> nope
11:48 < krzee> ok ill take it to msg
11:48 < Bushmills> you're fixing the syntax of your question?
11:48 < Bushmills> try gesticulating :)
11:48 -!- aaronorosen2 [~arosen@riggs249dhcp138.ces.clemson.edu] has quit [Remote host closed the connection]
11:59 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 240 seconds]
12:00 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
12:01 -!- aaronorosen1 [~arosen@riggs249dhcp138.ces.clemson.edu] has joined ##openvpn
12:03 < aaronorosen1> After starting the openvpn server i setup my tun0 interface has this information           inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255 and one of the clients gets this.           inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
12:03 < aaronorosen1>  
12:03 < aaronorosen1> I'm a little confused why? I thing its all working correctly because from the client i can ssh to 10.8.0.1 and that traffic is going though tun0 but why is the clients address pointing to 10.8.0.5 and the server to 10.8.0.2? 
12:06 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
12:06 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
12:06 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
12:07 < Hypnoz> aaronorosen1: all openvpn setups are like that. I'm not sure why, but thats how it works. You don't want to know how the meat is butchered just be happy it comes in a clean syrofoam container and is delicious.
12:09 < aaronorosen1> Hypnoz: I still figure there is a logical reason why the server points to 10.8.0.2 and the client is pointing to 10.8.0.5 (I figure the client would point a the server and the server would point at its self)
12:10 < aaronorosen1> Even though the clients ip address is 10.8.0.6 and the server is 10.8.0.1
12:11 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
12:13 < Bushmills> aaronorosen1: P-t-P address
12:13 < Bushmills> the local representation of "other side of the connection"
12:13 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 268 seconds]
12:14 < aaronorosen1> Bushmills: so for the client Its ip adress is 10.8.0.2 and its pointing at 10.8.0.5 server ip = 10.8.0.1 and that is pointing at 10.8.0.2. So you are saying for the client the 10.8.0.5 is really 10.8.0.5 (the server? )
12:15 < aaronorosen1> **Is really 10.8.0.1
12:15 < Bushmills> no, that's server.
12:15 < aaronorosen1> Bushmills: who is 10.8.0.5? and 10.8.0.2? (sorry)
12:16 < Bushmills> server is 10.8.0.1. its local idee of "remote" is 10.8.0.2
12:16 < aaronorosen1> idee = idea? 
12:17 < Bushmills> client is 10.8.0.6, and its P-t-P 10.8.0.5
12:17 < aaronorosen1> so its just assigns those addresses and thinks thats what it is pointing to but it really doesn't matter. Those are just randomly assigned. I guess thats how the implementation is done? 
12:17 < Bushmills> look at --topology to change that
12:17 < Bushmills> not quite, they're within the /30 net assigned to each interface
12:18 < aaronorosen1> the client sends its data to 10.8.0.5 and the vpn tun interface handles routing it correctly ?
12:19 < aaronorosen1> Just seems kinda odd that it wouldn't just P-t-P to the server ip address
12:20 < aaronorosen1> Bushmills: I'm trying to read about P-t-P and the interface man page says "This  keyword  enables  the point-to-point mode of an interface, 	      meaning that it is a  direct  link  between  two	machines  with 	      nobody else listening on it. "
12:20 < aaronorosen1> but the 10.8.0.5 is who sorry you said it was the remote side to 10.8.0.6? What does that mean?
12:25 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
12:29 < Bushmills> no. i said it is the local represention of "remote"
12:29 < Bushmills> remote does not know about that address
12:30 < Bushmills> only local knows about it
12:30 < Bushmills> but local pretends it is remote
12:30 < Bushmills> (and what is send there, is then actually routed to remote)
12:33 < Bushmills> but to the actual i address of remote, not to the "pretend" address
12:34 < aaronorosen1> Interesting. Any idea of why its done like that? 
12:35 < Bushmills> that's common for ppp kind of connections
12:35 < Bushmills> but openvpn knows alternatives to that
12:35 < Bushmills> !topology
12:35 < vpnHelper> Bushmills: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
12:37 < Bushmills> for now you could see the client P-t-P address as a sort of alias of servers real (visible) ip address
12:38 < Bushmills> it may be so that ppp clients don't need to be concerned with the ppp servers real ip address, as they have the "pretend" address, within their own subnet, to talk to
12:38 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Quit: Bye]
12:44 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
13:12 -!- brah [~asdofp@190.183.62.68] has quit [Remote host closed the connection]
13:19 -!- dazo is now known as dazo_afk
13:22 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
13:29 -!- jpalmer_ [~jpalmer@208.51.3.136] has joined ##openvpn
13:29 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Ping timeout: 265 seconds]
13:46 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Read error: Connection reset by peer]
13:50 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
14:06 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
14:29 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Connection reset by peer]
14:38 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
14:48 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:50 -!- bandini [~bandini@host40-108-dynamic.41-79-r.retail.telecomitalia.it] has joined ##openvpn
14:55 < McBoingbo> is the option to edit registry key "service_only" depracted at version 2.1.1?
14:56 < McBoingbo> I created the key, but openvpn-gui still behaves as it would normally, failing out with you dont have admin privileges, etc
14:56 < McBoingbo> err *deprecated
15:16 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
15:26 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Ping timeout: 245 seconds]
15:29 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
15:32 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:39 -!- PeterFA [~Peter@2002:1871:8ebb:1234:21a:73ff:fe3b:d510] has joined ##openvpn
15:39 -!- PeterFA [~Peter@2002:1871:8ebb:1234:21a:73ff:fe3b:d510] has quit [Changing host]
15:39 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
15:42 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Ping timeout: 252 seconds]
15:44 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
15:44 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
15:44 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has quit [Ping timeout: 264 seconds]
15:45 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
15:58 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Ping timeout: 245 seconds]
16:02 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
16:03 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
16:17 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Ping timeout: 240 seconds]
16:27 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
16:28 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
16:31 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Read error: Operation timed out]
16:32 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Ping timeout: 264 seconds]
16:38 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
16:57 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
16:57 < Hypnoz> anyone know why I might see "read UDPv4 [ECONNREFUSED]: Connection refused (code=111)" when i try to connect
17:04 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit []
17:09 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
17:17 -!- dekroning [~dekroning@cp434307-b.dbsch1.nb.home.nl] has left ##openvpn []
17:20 -!- Hypnoz1 [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
17:21 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Quit: Leaving.]
17:22 < Bushmills> because something in you setup doesn't allow connection?
17:23 < Bushmills> or, because you're looking at the error output?
17:24 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
17:26 < krzie> sup Bushmills 
17:26 < krzie> sorry i passed out last night
17:27 < krzie> then i was late to get into work so i havnt seen what i missed on that client
17:27 < Bushmills> grin, that's "earlier that evening" for me :D
17:27 < Bushmills> check the  -r  option of read. saves you some work
17:28 < Bushmills> read -rp "what is the difference between a crocodile? "  tellme
17:34 < krzie> ya come to think of it i never read man read
17:34 < krzie> i will do so today for sure
17:36 < krzie> ahh it takes me to builtin()
17:42 < Bushmills> man bash
17:42 < Bushmills> or read --help for terse options overview
17:43 -!- krzie is now known as krzee
17:43 < krzee> ya i saw -h
17:43 < Bushmills> -r turns of escape nature of \
17:43 < Bushmills> off
17:43 < krzee> -a seems cool
17:43 < krzee> ohhhh
17:44 < Bushmills> one of the sources of complexity in your script
17:44 < krzee> i have a fealing that googling manual read wont show up a manual on the command named read, lol
17:44 < krzee> did you catch what the script is for?
17:44 < Bushmills> more or less.
17:45 < Bushmills> as far that little fragment allowed to interpolate
17:45 < krzee> im pretty sure you caught it all ;)
17:45 < krzee> its gunna be a config generator for here
17:46 < krzee> will setup configs for !route !redirect type setups
17:46 -!- tptptptptp [~tptptptpt@212.117.160.22] has joined ##openvpn
17:47 < tptptptptp> ok I would like to block all traffic that doesn't go through openvpn. could someone please tell me how to do that??
17:47 < Bushmills> firewall
17:47 < Bushmills> just allow traffic to/from vpn server
17:48 < krzee> yupyup
17:48 < tptptptptp> so use the internal IP?
17:48 < Bushmills> if your openvpn server is internal too, probably
17:48 < tptptptptp> or the external IP of the vpn server?
17:48 < Bushmills> if your openvpn server is external, that too
17:49 < Bushmills> you see .. openvpn packets need to be able to get to the server
17:49 < Bushmills> if they don't, there'll be no vpn
17:50 < Bushmills> other than that, whether it's internal or external ip address, doesn't really matter
17:50 < Bushmills> as long as traffic can get there
17:50 < rob0> Real men can VPN without connectivity.
17:50 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:50 < krzee> chuck norris could
17:51 < rob0> you betcha
17:51 < Bushmills> one could tunnel openvpn through a vpn
17:51 < krzee> yupyup
17:51 < krzee> like my vpnchains writeup
17:51 < Bushmills> chuck norris probably couldn't :D
17:55 -!- tptptptptp [~tptptptpt@212.117.160.22] has quit [Remote host closed the connection]
18:02 -!- rawDawg2 [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
18:02 -!- tptptptptp [~tptptptpt@212.117.160.22] has joined ##openvpn
18:03 -!- rawDawg2 [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Client Quit]
18:04 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
18:06 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
18:06 < tptptptptp> if you install openvpn on your router, will a wireless connection to your router be encrypted with openvpn?
18:06 < krzee> if you tell it to be
18:06 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Client Quit]
18:06 < krzee> !local
18:06 < tptptptptp> what I mean is
18:06 < vpnHelper> krzee: "local" is a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
18:07 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
18:07 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Client Quit]
18:07 < tptptptptp> will the encryption between a computer and the router be encrypted?
18:07 < krzee> if you tell it to be!
18:07 < krzee> it CAN be
18:07 < Bushmills> tptptptptp: not if you don't install openvpn on the machine you are talking to the router with
18:07 < krzee> just because you have openvpn on the router doesnt magically encrypt everything
18:08 < krzee> but you CAN do it =]
18:08 < tptptptptp> Bushmills, I want it installed on the router
18:08 < Bushmills> and where else?
18:08 < tptptptptp> no where else
18:08 < Bushmills> no encryption then
18:08 < krzee> erm
18:08 < krzee> youd need a client as well as a server
18:08 < krzee> a server with nothing connected wont encrypt anything
18:09 < tptptptptp> because I connect to a VPN service that changes the ports i have to forward all the time
18:09 < tptptptptp> so i want a permanent connection via my router
18:09 < Bushmills> i have openvpn on my router
18:09 < tptptptptp> so when i restart my pc, i dont have to worry about anything
18:09 < Bushmills> but i also have it on a remote internet server
18:09 < Bushmills> router is client, remote server is server
18:10 < tptptptptp> Bushmills, openwrt?
18:10 < Bushmills> through that openvpn connection, all my traffic goes
18:10 < Bushmills> yes
18:10 < tptptptptp> was it difficult?
18:11 < Bushmills> so everything between my router and remote server is encrypted.  no, was a snap setting it up
18:11 < krzee> "difficult" depends on skill level
18:11 < tptptptptp> Bushmills, you have any good guides still?
18:11 < krzee> but if you understand networking its rather easy
18:11 < tptptptptp> skill level = barely able to use linux
18:11 < tptptptptp> im using ubuntu lol
18:11  * krzee doubts Bushmills used a guide
18:11 < Bushmills> most difficult part was getting openwrt to use the external usb stick for partial installation of stuff
18:12 < tptptptptp> Bushmills, what router?
18:12 < Bushmills> but openvpn and other essentials run from router internal flash.
18:12 < Bushmills> a tp-link wr1043nd
19:11 -!- Bloodsong [~Nimbus@bas13-toronto12-1167984050.dsl.bell.ca] has joined ##openvpn
19:12 < Bloodsong> Hey
19:59 < krzee> heyhey
20:19 -!- Hypnoz1 [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Quit: Leaving.]
20:25 -!- Lenhix [~lenho@190.25.39.135] has joined ##openvpn
20:26 < Lenhix> Hello. Does anyone here has experience with the OpenVPN included in Endian Firewall?
20:37 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:38 < krzee> neg, but if you can get to the shell it SHOULD be the same
20:40  * theDoc senses a political brewfest in office soon.
20:40 < krzee> brew!?
20:40 < krzee> its 4/20
20:41 < krzee> should be a smokefest
20:41 < theDoc> Oh, lol.
20:41 < theDoc> krzee> You can't even start to imagine how much political shit a single person can stir up in office ;p
20:43 -!- Lenhix [~lenho@190.25.39.135] has quit [Quit: Knowledge IS power | No se puede lo que no se quiere | Voices of fear can only be dispelled by trusting the voice that comes from the heart]
20:43 -!- tjz [~pc@bb116-14-141-167.singnet.com.sg] has joined ##openvpn
20:43 -!- tjz [~pc@bb116-14-141-167.singnet.com.sg] has quit [Changing host]
20:43 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:44 -!- Lenhix [~lenho@190.25.39.135] has joined ##openvpn
20:49 -!- Lenhix [~lenho@190.25.39.135] has quit [Ping timeout: 264 seconds]
20:55 -!- Lenhix [~lenho@186.29.109.141] has joined ##openvpn
21:01 -!- Lenhix [~lenho@186.29.109.141] has quit [Ping timeout: 260 seconds]
21:13 -!- cjm [~cjm@adsl-99-55-121-198.dsl.scrm01.sbcglobal.net] has joined ##openvpn
21:14 < cjm> Hi Folks, I have limited success.  the openvpn service is running on both client and server, but they arenot talking yet.
21:15 < theDoc> cjm> What's not right?
21:16 < cjm> theDoc, I have some obvious TLS problems with both sides making accusations. Should I start with server or client?
21:16 < cjm> I am reasonably confident of my PKI.
21:17 < cjm> But not so much of my openvpn config files.
21:17 < cjm> HMAC authentication failed seems to be a common complaint.
21:18 < krzee> welp
21:18 < krzee> is it ptp or server/client?
21:18 < cjm> Krikke, I believe I am server/client.
21:18 < krzee> lets check
21:19 < krzee> !configs
21:19 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
21:19 < cjm> I used the "road-warrior" pair 
21:19 < theDoc> !logs
21:19 < vpnHelper> theDoc: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
21:19 < krzee> start with config
21:19 < krzee> (s)
21:20 < cjm> krzee, Coming up.  Give me some time to get what you need and to filter away the noise...
21:20 < krzee> thanx for reading all of !configs
21:20 < krzee> i hate when people read that then post with full comments, lol
21:20 < theDoc> lewlz@krzee
21:21 < krzee> theDoc, in other news, openvpn-confgen.sh is coming along nicely
21:21 < krzee> finished the server config generating app
21:21 < theDoc> krzee> Awesome, at sometime, I'll have to try the v6 patch on one of my test servers.
21:21 < krzee> just about done with the CLI data collection interface
21:22 < krzee> just gotta bust out the client config generator
21:22 < krzee> which should be very similar to server config generator, but with some different options
21:22 < theDoc> That too.
21:22 < krzee> then go back to CLI interface and modify a lil to work with client generator
21:22  * theDoc is terribly annoyed by office politics.
21:23 < theDoc> All the more reason to come out and work on my own outfit.
21:23 -!- Lenhix [~lenho@190.25.39.135] has joined ##openvpn
21:24 < Lenhix> krzee, u still there?
21:24 < krzee> sure amn
21:24 < cjm> theDoc, Well, I just found one error.  tls-auth <> [01] is "0" on the server and "1" on the client.  Right?
21:24 < theDoc> cjm> What?
21:24 < krzee> correct
21:24 < krzee> !hmac
21:24 < vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
21:24 < vpnHelper> krzee: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
21:24 < theDoc> In your config or where?
21:25 < krzee> and your error was about HMACs you said
21:25 < krzee> so that definitely what i was going to find when you posted your configs
21:25 < krzee> that was first thing i was gunna look @
21:26 < cjm> theDoc, in my configs I had "0" in BOTH client and server.  krzee Good job!  Let me see if that fixes my problem.
21:27 < Lenhix> Ok. so I have the CA cert and I want to connect using PSK. I have "ca file.pem" and auth-user-pass on the .ovpn file. What else do I need?
21:28 < cjm> MUCH different.  Now I have unroutable control packet, so I'll just pack up these conf files and pastebin them to you.  Standby...
21:29 < theDoc> cjm> Before that, was it working?
21:34 < krzee> theDoc, no, he said he had HMAC error
21:35 < theDoc> Oh right, ok.
21:36 < krzee> we'll see what else is up shortly when he pastebins
21:52 < cjm> http://pastebin.com/80FRw7ri
21:53 < cjm> cli/srv conf  and cli/srv logs for a single run
21:53 < krzee> great
21:53 < krzee> love when its all in 1 pastebin
21:54 < krzee> remove these
21:54 < krzee> tls-server
21:54 < krzee> mode server
21:54 < krzee> ifconfig 10.255.255.1 10.255.255.2
21:54 < krzee> ifconfig-pool-persist ipp.txt
21:54 < krzee> put this:
21:54 < krzee> server 10.255.255.0 255.255.255.0
21:55 < krzee> remove this:
21:55 < krzee> push "route 10.255.255.1 255.255.255.255"
21:55 < krzee> route 10.255.255.0 255.255.255.0
21:55 < krzee> ifconfig-pool 10.255.255.4 10.255.255.255
21:56 < Lenhix> Uhm, my openvpn server is behind a router that doesn't do DNAT, so I tried to connect via a SSH tunnel but I get this: TLS Error: client->client or server->server connection attempted from 127.0.0.1:1194. Any ideas on how to ignore that?
21:56 < krzee> is 10.255.1.0 255.255.255.0 the lan behind the server?
21:56 < cjm> 10.255.1.0 is the LAN where the server currently lives.
21:56 < krzee> Lenhix, 
21:57 < krzee> !notovpn
21:57 < cjm> So, yes, it is behind the server.
21:57 < vpnHelper> krzee: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
21:57 < krzee> cjm
21:57 < krzee> make those changes and report just the server config
21:57 < krzee> so i can see it cleaned up some
21:57 < cjm> krzee, Got it.  Stand by...
21:59 < Lenhix> krzee, i read the topic :P, but I thought openvpn had an option for that, hehe
21:59 < cjm> krzee, I'm removing tls-server from server.conf.  Do I also remove tls-client from client.conf?
21:59 < krzee> yes
21:59 < krzee> i was JUST about to say that =]
21:59 < cjm> krzee, Thanks...
21:59 < krzee> but add this:
21:59 < krzee> client
21:59 < krzee> you can remove pull too
22:00 < krzee> see --server and --client in the manual for details ;)
22:00 < krzee> they are helper config options, they expand to a lot of options
22:10 < cjm> krzee, This is really stupid..  But as I'm making these changes, it occurs to me, how does "service openvpn start" know to use the client.conf or the server.conf?  Or will is simply use what ever he finds?
22:10 < krzee> thats specific to your OS
22:11 < krzee> openvpn doesnt come with a 'service' command
22:12 -!- Lenhix [~lenho@190.25.39.135] has quit [Ping timeout: 260 seconds]
22:16 -!- Lenhix [~lenho@201.244.169.159] has joined ##openvpn
22:17 < cjm> http://pastebin.com/np9H85rT
22:17 < cjm> No logs, just *.conf
22:17 < krzee> perfect, looking now
22:17 < cjm> If you think I have made all the changes correctly, then I will collect and report the logs.
22:21 < krzee> you dont need --inactive when you have keepalive
22:21 < krzee> other than that, looks good
22:22 < krzee> keepalive will restart the tunnel before inactive could possibly kick it
22:22 < krzee> kick in*
22:22 < krzee> For example, --keepalive 10 60 expands as follows: 
22:22 < krzee>  if mode server:
22:22 < krzee>    ping 10
22:22 < krzee>    ping-restart 120
22:22 < krzee>    push "ping 10"
22:22 < krzee>    push "ping-restart 60"
22:22 < krzee>  else
22:22 < krzee>    ping 10
22:22 < krzee>    ping-restart 60
22:25 < cjm> krzee, These comments look unfamiliar for my situation.  Are your comments directed at me or are you working on multiple issue at once?
22:25 < krzee> it was at you
22:26 < krzee> you have keepalive and inactive
22:26 < krzee> but inactive will never apply
22:26 < krzee> not a biggie, but thought ild point it out
22:26 < krzee> anyways, vpn looks good now
22:26 < cjm> Yeah!  So I do.  I inherited these from the skeleton.conf.
22:26 < krzee> heres a side note
22:26 < krzee> if the server is not the router for its lan, you have 1 more thing to do
22:26 < krzee> outside of openvpn
22:27 < krzee> is the server the router for its lan?
22:27 < cjm> The server is not the router.  I have an appliance that is the gateway to the ISP.
22:27 < krzee> !factoids search ourside
22:27 < vpnHelper> krzee: No keys matched that query.
22:27 < krzee> !factoids search outside
22:27 < vpnHelper> krzee: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
22:28 < krzee> go ahead and start up your vpn
22:28 < krzee> your client should be able to ping 10.255.255.1
22:28 < krzee> your server should be able to ping 10.255.255.6
22:28 < cjm> O.K.  Stand by...
22:29 < rob0> I can PING
22:32 < cjm> krzee, I see I have a problem with my PKI, and that is not going tobe described in the conf files.  this may take me some time to sort out, and I will have to do it tomorrow.  However, after I eliminate that error from /var/log/messages, I'll report back with what I discover.
22:33 < cjm> You have been very generous with your time and I appreciate the help you've given me.
22:33 < krzee> just rebuild the PKI from scratch
22:33 < krzee> you're welcome
22:33 < cjm> krzee, Ha!  You're a very funny guy!
22:33 < krzee> oh and when you rebuild, you dont need new dh or ta.key
22:33 < krzee> just the CA server and client
22:33 < krzee> !ssl-admin
22:33 < vpnHelper> krzee: "ssl-admin" is (#1) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#2) if you use freebsd, it is in ports, or (#3) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn
22:33 < krzee> you might like that
22:33 < cjm> Thanks, I'll be in touch.
22:34 < cjm> Later.
22:34 -!- cjm [~cjm@adsl-99-55-121-198.dsl.scrm01.sbcglobal.net] has left ##openvpn ["Leaving"]
23:15 -!- Lenhix [~lenho@201.244.169.159] has quit [Ping timeout: 276 seconds]
23:20 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
23:20 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:34 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
23:35 -!- krzee [~k@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
23:39 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 260 seconds]
23:39 -!- theDoc [~jaki@69.10.59.166] has joined ##openvpn
--- Day changed Wed Apr 21 2010
00:48 -!- tptptptptp [~tptptptpt@212.117.160.22] has quit [Quit: Leaving]
01:13 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:14 -!- mode/##openvpn [+o mattock] by ChanServ
01:17 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
01:54 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
02:30 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
02:32 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
02:46 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
02:50 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
02:53 -!- le0_ [~fin@cpc4-bele7-2-0-cust381.know.cable.virginmedia.com] has quit [Ping timeout: 265 seconds]
03:05 -!- MrJK [~jezu@194.199.166.96] has quit [Ping timeout: 245 seconds]
03:06 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
03:07 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Remote host closed the connection]
03:08 -!- Uriell [uriel@hurricane.urts.info] has quit [Quit: Leaving]
03:13 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
03:14 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
03:16 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
03:20 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
03:22 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
03:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:31 -!- Uriell [uriel@hurricane.urts.info] has joined ##openvpn
03:32 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
03:48 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
03:51 -!- theDoc [~jaki@69.10.59.166] has quit [Quit: Leaving]
03:53 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
04:00 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
04:10 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
04:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 246 seconds]
04:13 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
04:17 -!- dazo_afk is now known as dazo
04:24 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
04:26 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
04:36 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
05:03 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:11 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
05:22 -!- dazo is now known as dazo_afk
05:48 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
06:00 -!- blueboxthief [~None_of_y@83-71-7-68-dynamic.b-ras1.dbn.dublin.eircom.net] has joined ##openvpn
06:17 -!- blueboxthief1 [~None_of_y@83-71-7-68-dynamic.b-ras1.dbn.dublin.eircom.net] has joined ##openvpn
06:17 -!- blueboxthief [~None_of_y@83-71-7-68-dynamic.b-ras1.dbn.dublin.eircom.net] has quit [Read error: Connection reset by peer]
06:28 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
06:34 -!- Perun_ [~perun@2001:6f8:1316:1234:216:3eff:fe07:3160] has joined ##openvpn
06:34 < Perun_> hi all
06:35 < Perun_> I have 2 vserver with openvpn and own roadwarriors, need to connect them together... I want to use 1 subnet for all vpn connections, possible? 
06:36 < Perun_> AFAIK I can use only tun devices (provider limitation)
06:37 < krzie> 2 subnets                                                                                                                                                                                                                                                                                                                                                                                                                                                               
06:37 < krzie>                                                                                                                                                                                                                                                                                                                                                                                                                                                                         
06:37 < krzie>                                                                                                                                                                                                                                                                                                                                                                                                                                                                         
06:37 < krzie>                                                                                                                                                                                                                                                                                                                                                                                                                                                                         
06:37 < krzie>                                                                                                                                                                                                                                                                                                                                                                                                                                                                         
06:37 < Perun_> huh cant see what you write
06:37 < krzie>                                                                                                                                                                                                                                                                                                                                                                                                                                                                         
06:38 < krzie>                                                                                                                                                                                                                                                                                                                                                                                                                                                                         
06:38 < krzie>                                                                                                                                                                                                                                                                                                             
06:38 < krzie> oops
06:38 < krzie> 2 subnets, 1 for each
06:38 < krzie> that doesnt mean each needs to be a /24 tho
06:38 < krzie> you could make each a /25 if you like
06:38 < krzie> either way, they dont need to be in the same subnet
06:39 < Perun_> hmm ok
06:40 < krzie> if you fully understand this page, you'll be able to do it
06:40 < krzie> !route
06:40 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
06:41 < krzie> think of any foreign  network behind a node as a LAN
06:42 < Perun_> krzie: but shouldnt be 3 subnets? roadwarriors to first server (1 subnet) roadwarriors to second server (2 subnet) server to server (3 subnet)
06:43 < krzie> the 2 servers will link to eachother
06:43 < krzie> to server 1, server 2 has a "LAN" of VPN nodes
06:43 < krzie> to server 2, server 1 has a "LAN" of VPN nodes
06:44 < krzie> then each server pushes those routes to its clientd
06:44 < krzie> clients
06:44 < krzie> this means each server will run 2 openvpn instances
06:44 < krzie> also means both need ip forwarding enabled
06:45 < krzie> i guess technically you could have only 1 server with an extra openvpn process
06:45 < krzie> and it could connect to the other as a client
06:45 < krzie> and that client would have a "LAN" of vpn nodes
06:45 < krzie> whichever way you prefer
06:47 < krzie> time for sleep
06:50 -!- Bloodsong [~Nimbus@bas13-toronto12-1167984050.dsl.bell.ca] has quit [Quit: Leaving]
06:58 -!- HyperZid [~sanderj@195.204.103.72] has joined ##openvpn
06:58 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
06:59 < HyperZid> Hi. Does anyone know how to get a signed certificate working.. compeard to a self signed one?
07:09 < rob0> With openvpn, generally you want to control your own CA. There is no reason to use a purchased, commercially-signed certificate over a self-signed, private CA. In fact, there is reason NOT to.
07:09 < rob0> We're talking about access to your VPN, not a web browser.
07:10 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:10 < rob0> If you're using an external CA for your certificates, that CA is in control of VPN access.
07:15  * cpm puts rob0 in control of his vpn access
07:16 < rob0> Thank you.
07:17  * rob0 sends cpm a Bill
07:17  * cpm puts Bill in control of his VPN access
07:24 < ecrist> not really...
07:24 < ecrist> unless you're not using anything else for authentication
07:32 < kinlo> isn't there a way to skip CA's and use public keys for authentication?
07:33 < ecrist> one for a one to one vpn
07:34 < rob0> I use the certificate for auth. Sure, you can add more into that if you need. Still, there's no benefit to commercially-signed certificates over a self-signed, private CA.
07:34 < kinlo> rob0: actually, every belgian citizen has a certificate on his identity card, signed by the governement
07:35 < rob0> And you certainly would NOT want to use those certificates for VPN access.
07:35 -!- dazo_afk is now known as dazo
07:35 < kinlo> for me it would be an advantage to use that, but I would prefer to be able to select the users I allow vpn to
07:35 < kinlo> why not?
07:39 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
07:40 < ecrist> kinlo - just couple that with an ldap/pam backend and you're good to go
07:40 < ecrist> or even a flat text file
07:40 < ecrist> if $CN exists in 'list' exit 0 else exit 1
08:02 < mgolisch> is there any alternate mirrors for the openvpngui files?
08:02 < mgolisch> openvpn.se seems to be down
08:02 < mwheeler> Who needs guis
08:04 < Bushmills> those without access to shells, maybe?
08:05 < Bushmills> those suffering from unreasonable restrictions, imposed by their administrators
08:06 < Bushmills> and those who have been taught that entering commands on a command line is outdated, and the wave of the future are pretty icons you can click on.
08:08 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has joined ##openvpn
08:09 < ecrist> mgolisch: the gui is incorporated into the windows tarball on openvpn.net now
08:09 < Bushmills> point-and-grunt
08:09 < mgolisch> its more about that i dont want to give them admin, it seems like that developmentversion comes with a patched openvpn executable that allows to display a dialog to enter a passphrase or username/passwords even when run using the servicewrapper
08:10 < mgolisch> googled for the filename some university had the file on their servers too
08:10 < mgolisch> :)
08:21 -!- Bloodsong [~Nimbus@bas2-barrie18-1242454308.dsl.bell.ca] has joined ##openvpn
08:33 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
08:34 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
08:37 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
08:50 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has quit [Ping timeout: 246 seconds]
09:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
09:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
09:14 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has joined ##openvpn
09:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:32 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Remote host closed the connection]
09:50 -!- jww is now known as Jww
09:51 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
09:55 < dazo> mgolisch: the official site is now on http://www.sourceforge.net/projects/openvpn-gui .... d12fk is the maintainer of it
09:55 < vpnHelper> Title: OpenVPN GUI | Get OpenVPN GUI at SourceForge.net (at www.sourceforge.net)
10:09 -!- Lenhix [~lenho@proxy4.unal.edu.co] has joined ##openvpn
10:11 -!- Lenhix [~lenho@proxy4.unal.edu.co] has left ##openvpn []
10:16 -!- MrFluffy [~phil@lns-bzn-47f-62-147-135-174.adsl.proxad.net] has joined ##openvpn
10:16 < MrFluffy> !welcome
10:16 < vpnHelper> MrFluffy: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:16 < MrFluffy> !route
10:16 < vpnHelper> MrFluffy: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:21 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:21 < MrFluffy> having read !route earlier, question maybe someone could point me towards an answer. I have a openvpn client (I dont control the server), and it has no default route out to the internet, nor do I want it to have one. It has a static route defined that can route out the lan default route, and its own default route is set to its own interface on the local subnet. So it starts to establish the tunnel. Once its managed, it adds a st
10:21 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
10:23 < MrFluffy> I should add, that I had this configuration working with this server previously, but the drive failed and I have no backup of the config. Which is poor I know.
10:30 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
10:32 -!- MrFluffy [~phil@lns-bzn-47f-62-147-135-174.adsl.proxad.net] has quit [Quit: Leaving.]
10:42 -!- eradiate [~eradiate@pool-173-73-104-50.washdc.fios.verizon.net] has quit [Ping timeout: 240 seconds]
10:47 -!- symbenian [~AndChat@82.132.248.141] has joined ##openvpn
10:47 -!- symbenian [~AndChat@82.132.248.141] has left ##openvpn []
10:48 -!- symbenian [~AndChat@82.132.248.141] has joined ##openvpn
10:52 -!- symbenian [~AndChat@82.132.248.141] has quit [Quit: Bye]
11:05 -!- WormFood [~wormfood@121.15.110.61] has quit [Ping timeout: 260 seconds]
11:17 -!- WormFood [~wormfood@58.60.222.13] has joined ##openvpn
11:17 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
11:21 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has quit [Read error: Connection reset by peer]
11:32 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
11:33 -!- blueboxthief1 [~None_of_y@83-71-7-68-dynamic.b-ras1.dbn.dublin.eircom.net] has quit [Quit: Leaving.]
11:39 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
11:44 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
11:50 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
12:03 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has joined ##openvpn
12:10 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
12:11 < Hypnoz> Are there any decent webui's for managing openvpn yet?
12:26 < Bloodsong> Good question
12:26 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
12:27 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has left ##openvpn []
12:33 -!- blueboxthief [~None_of_y@83-71-14-203-dynamic.b-ras1.dbn.dublin.eircom.net] has joined ##openvpn
12:41 < Bushmills> yes. graphical interactive openvpn configuration frontends, called "editors"
12:47 -!- dazo is now known as dazo_afk
12:47 < Hypnoz> url?
12:59 -!- steelnwool [~jeff@204-232-209-119.static.cloud-ips.com] has joined ##openvpn
12:59 < steelnwool> Hi,
13:00 < steelnwool> I'm looking for the ssl-admin guy. The link from the GOSC site goes to a 500 error page.
13:00 < steelnwool> http://www.secure-computing.net/ssl-admin/
13:01 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
13:01 < steelnwool> i think it was ecrist
13:14 -!- clee [clee@fruit.freedesktop.org] has left ##openvpn []
13:15 < ecrist> it's me
13:16 < ecrist> GOSC link is *old*
13:16 < ecrist> I started using it, realized it sucks, and moved to my own servers
13:16 < ecrist> what's up?
13:17 < ecrist> http://code.google.com/p/ssl-admin/
13:17 < vpnHelper> Title: ssl-admin - Project Hosting on Google Code (at code.google.com)
13:17 < steelnwool> oh just setting up fresh.
13:17 < steelnwool> on redhat. so needed to find source. i just got the freebsd tarball from ftp site.
13:17 < ecrist> it does seem my trac is down.
13:18 < ecrist> or you can svn co, but 1.0.3 is current
13:18 < steelnwool> groove.
13:18 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Quit: Leaving...]
13:18 < ecrist> svn co https://www.secure-computing.net/svn/trunk/ssl-admin
13:18 < vpnHelper> Title: svn - Revision 220: /trunk/ssl-admin (at www.secure-computing.net)
13:21 < ecrist> where did you see the GOSC link, steelnwool ?
13:21 < steelnwool> ecrist: i googled for ssl-admin
13:27 < ecrist> I updated that page to point to my trac repo
13:27 < ecrist> thanks for the info
13:27 < steelnwool> np.
13:27 < steelnwool> is trac fixed now ? :)
13:27 < ecrist> yes
13:28 < ecrist> even though trac was down, /svn would have worked.
13:46 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
13:49 -!- eradiate [~eradiate@pool-173-73-104-50.washdc.fios.verizon.net] has joined ##openvpn
14:03 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
14:03 -!- mode/##openvpn [+v Kas] by ChanServ
14:07 -!- kasx [~Andrew@seance.openvpn.org] has joined ##openvpn
14:07 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
14:10 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
14:13 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has quit [Ping timeout: 252 seconds]
14:15 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Quit: Leaving]
14:15 < steelnwool> ecrist: what does ssl-admin look for, to know to ask you to package this file for openvpn or not?
14:15 < steelnwool> anything.ovpn in packages?
14:18 < steelnwool> hrm it must ask that anyways and i just missed it.
14:24 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has quit [Ping timeout: 276 seconds]
14:29 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has joined ##openvpn
14:35 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has joined ##openvpn
14:36 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:43 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
14:46 -!- agagag [~anton@83.167.185.34] has quit [Ping timeout: 258 seconds]
14:53 -!- geek_cl [~lletelier@190.54.47.162] has joined ##openvpn
14:55 < geek_cl> hi guys, i need some help, my openvpn daemon don't start , here is the debug, http://fpaste.org/SJ0t/ and here is the conf.   http://fpaste.org/N3qq/
14:56 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Quit: Leaving...]
14:57 < geek_cl> then i do some combination, with #script-security 3 system variables , and nothing work 
14:58 -!- kslen [~idkfa@static229-147.adsl.no] has joined ##openvpn
14:59 < kslen> hey there fellas. i'm having trouble getting dns through my bridged vpn. i can ping the dns server through the vpn, but all name lookups fails. any suggestions?
14:59 < geek_cl> tcp/udp 53 blocks ? 
14:59 < geek_cl> kslen:
15:00 < kslen> on the client?
15:00 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
15:00 < kslen> if i connect to the vpn from the same isp as my server is located on, i get dns
15:00 < kslen> other isp, no go
15:00 < geek_cl> with a 3g modem? 
15:01 < kslen> amongst other things
15:01 < kslen> yes in other words. sorry. :)
15:01 < geek_cl> then 3g have problems to get a real good connection
15:02 < geek_cl> anyone more can add something ? 
15:02 < kslen> the connection is good
15:02 < kslen> get no packetloss
15:02 < krzee> with 3g, try testing your mtu
15:02 < krzee> !mtu
15:02 < vpnHelper> krzee: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
15:02 < kslen> i can ping the entire network, the external dns, but it fails when i try to visit www.google.com
15:03 < krzee> why are you bridging?
15:03 < kslen> is that of importance?
15:03 -!- dazo_afk [~dazo@nat/redhat/x-atcocohtjlaaateb] has quit [Quit: ZNC - http://znc.sourceforge.net]
15:03 < krzee> well, unless you have a specific layer2 protocol you need over the vpn, you're doing it wrong
15:04 < geek_cl> vpnHelper:  my openvpn daemon don't start OK, but the daemon is LISTENING, here is the debug, http://fpaste.org/SJ0t/ and here is the conf.   http://fpaste.org/N3qq/
15:04 < vpnHelper> geek_cl: Error: "my" is not a valid command.
15:04 < geek_cl> my?
15:04 < krzee> !bot
15:04 < vpnHelper> krzee: "bot" is I'm a bot.. just a bot. krzee is my maintainer, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
15:05 < krzee> vpnHelper, bot
15:05 < vpnHelper> krzee: "bot" is I'm a bot.. just a bot. krzee is my maintainer, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
15:05 < kslen> geek_cl, mind elaborating on the wrong bit?
15:05 < krzee> ;]
15:05 < krzee> i assume you meant me
15:05 < geek_cl> yes
15:05 -!- dazo_afk [~dazo@nat/redhat/x-kzbwookxophpjiby] has joined ##openvpn
15:05 -!- dazo_afk is now known as Guest48299
15:05 < geek_cl> "my " english is bad, sorry buddy
15:05 < krzee> well, using a bridge exposes you to layer2 attacks over the vpn, as well as requiring additional overhead and more complex setup
15:06 < kslen> yea, but that doesn't make it wrong
15:06 < krzee> geek_cl, vpnHelper is not a human, it is a bot we use to help people in here, when you talk to him he thinks it is a command
15:06 < geek_cl> oh i see
15:06 < geek_cl> thanks 
15:07 < krzee> kslen, *shrug* good luck to you :-p
15:07 < geek_cl> then   the daemon FAILED when /etc/init.d/openvpn start ...but, the daemon is listening and the client can connect fine. 
15:07 < geek_cl> but i dont ' wanna see that FAILED error and NOTE in the log 
15:07 < kslen> krzee, thanks :>
15:07 < krzee> geek_cl, the init.d script is part of your OS, not part of openvpn
15:08 < krzee> is there a problem in OpenVPN?
15:08 < krzee> also, i see you are using tcp
15:08 < krzee> !tcp
15:08 < vpnHelper> krzee: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
15:08 < geek_cl> krzee: please check the line 220 http://fpaste.org/SJ0t/
15:09 < geek_cl> my topic more than a problem is a question dude
15:09 < krzee> geek_cl, that is just a warning
15:09 < krzee> oh wait
15:10 < geek_cl> m
15:10 < krzee> you're using script-security
15:10 < krzee> are you calling external scripts?
15:10 < geek_cl> in my conf. NONE
15:10 < krzee> then dont use script-security
15:10 < geek_cl> there is my conf , please see http://fpaste.org/N3qq/
15:10 < krzee> i assume the warning threw you off and got you to enter that there
15:11 < krzee> which i understand, in fact the next dev meeting will address that
15:11 < krzee> geek_cl, did you read the info i gave on TCP?
15:11 < krzee> you dont have script-security in that config, which means it must be getting passed over on commandline through your OS script
15:11 < krzee> ps auxww|grep openvpn
15:11 < krzee> show me the output
15:12 < geek_cl> ok
15:13 < geek_cl> boom!
15:13 < geek_cl> krzee: http://fpaste.org/f2F1/
15:13 < geek_cl> there is! 
15:14 < geek_cl> that is
15:14 < geek_cl> that's all!
15:14 < krzee> read the !tcp links too
15:14 < krzee> !tcp
15:14 < vpnHelper> krzee: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
15:15 < geek_cl> i read the #2
15:15 < geek_cl> i go for the #1
15:15 < krzee> you will get better performance over UDP if it is possible to use
15:15 < geek_cl> many thanks 
15:15 < krzee> no problem =]
15:15 < geek_cl> ohh good advice
15:15 < geek_cl> krzee: thanks man , greetings from chile
15:16 < krzee> ahh que bien, bienvenidos del caribe
15:16 < magic_1> quite keen to use RSA and openvpn together
15:16 < magic_1> or any other form of OTP
15:16 < krzee> yupyup
15:16 < krzee> do that via radius server =]
15:17 < krzee> i plan on doing it with some free mcafee OTP keychains i got from a friend and documenting it
15:17 < krzee> but im somewhat lazy plus im working on config file generation scripts
15:17 < krzee> the config generator will handle networks with lans behind server/clients, redirecting clients internet over the vpn, or just normal client/server stuff
15:18 < krzee> should be nice i hope
15:18 < krzee> then maybe ill remake easy-rsa into a shell script which looks and acts like ssl-admin, and package it all together as a 1-stop program for ovpn setup
15:26 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
15:33 < magic_1> wow that would be awesome
15:33 < magic_1> let me know when you get started would love to help test
15:36 < krzee> i already have the server config generation done
15:36 < krzee> and the interface for collecting data to build the server config with
15:37 < magic_1> nice
15:37 < krzee> if its slow at work i figure i can bust out the client stuff today
15:47 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has quit [Ping timeout: 276 seconds]
15:55 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Ping timeout: 260 seconds]
15:57 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
16:02 < Hypnoz> krzee: do you use ccd for connecting client validation and pushing routes and stuff?
16:07 < krzee> connecting client validation??
16:09 < krzee> personally i only use it for static ips and iroutes
16:09 < krzee> can use it for pushing routes, but i never needed to
16:09 < Hypnoz> do you use "ccd-exclusive" in server.conf?
16:09 < krzee> nope, never needed to
16:10 < krzee> mine is cert exclusive ;]
16:10 < krzee> no cert no connection
16:10 < Hypnoz> what does cert exclusive mean?
16:10 < krzee> it was a joke
16:10 < krzee> you can only join with a cert, so i have no need for ccd-exclusive
16:10 < krzee> it does have its uses, i just dont need it
16:12 -!- Bloodsong [~Nimbus@bas2-barrie18-1242454308.dsl.bell.ca] has quit [Quit: Leaving]
16:12 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
16:19 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
16:19 < Hypnoz> krzee: ah. Ya I think I might use ccd-exclusive instead of crl-verify, it seems like a more trustworthy solution
16:20 < Hypnoz> both accomplish the same task, but ccd-exclusive I can look at the list of allowed clients any time by just doing an ls on the ccd folder
16:24 < krzee> HELL NO
16:25 < krzee> thats a terrible idea
16:25 < krzee> and the devs are pretty clear about the fact that nothing should replace CRL as the right way to stop people from having access
16:26 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
16:39 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
16:58 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
17:05 -!- lletelier_ [~lletelier@190.54.47.162] has joined ##openvpn
17:05 -!- lletelier_ [~lletelier@190.54.47.162] has quit [Read error: Connection reset by peer]
17:06 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
17:07 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 276 seconds]
17:09 -!- geek_cl [~lletelier@190.54.47.162] has quit [Ping timeout: 245 seconds]
17:09 -!- kslen [~idkfa@static229-147.adsl.no] has quit [Ping timeout: 245 seconds]
17:22 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit []
17:34 -!- ralphte [~noway@cpe-065-191-175-222.nc.res.rr.com] has joined ##openvpn
17:35 < ralphte> Tue Apr 20 21:23:40 2010 TCP/UDP: Socket bind failed on local address [undef]:1999: Permission denied
17:35 < ralphte> ideas?
17:38 < ralphte> ran netstat -p -e nothing on that port
17:39 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
17:40 < ralphte> ps -aux openssh is not running
17:43 -!- kslen^^ [~idkfa@static229-147.adsl.no] has joined ##openvpn
17:52 < ralphte> selinux was the problem
17:57 -!- fremo__ [~fremo@noc.toile-libre.net] has quit [Ping timeout: 240 seconds]
17:58 -!- zero-_ [~zero@195.88.84.100] has quit [Ping timeout: 252 seconds]
18:00 < krzee> it wouldnt be openssh
18:00 < krzee> it would be sshd
18:01 < krzee> (not sure how openssh came up, but thought ild mention that)
18:01 -!- fremo__ [~fremo@noc.toile-libre.net] has joined ##openvpn
18:01 -!- zero-_ [~zero@noc.toile-libre.net] has joined ##openvpn
18:05 < ralphte> true
18:06 -!- kslen^^ is now known as kslen
18:06 < ralphte> dont really know much about selinux but that it make smy head hurt
18:11 < krzee> its never hurt my head, but i also know nothing about it
18:12 < krzee> (never used it ;])
18:13 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 260 seconds]
18:16 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has joined ##openvpn
18:20 -!- blueboxthief [~None_of_y@83-71-14-203-dynamic.b-ras1.dbn.dublin.eircom.net] has quit [Quit: Leaving.]
18:29 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has joined ##openvpn
18:48 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
18:48 -!- ralphte [~noway@cpe-065-191-175-222.nc.res.rr.com] has quit [Ping timeout: 245 seconds]
19:06 -!- ksnp [~ksnp@c-76-126-210-103.hsd1.ca.comcast.net] has joined ##openvpn
19:07 < ksnp> i have openvpn compiled on windows, and it works if i use it with the openvpn portable gui, however if i try to do the same using cli, it does the tls negotiation etc, but finally gives bad packet error
19:07 < ksnp> any suggestions ?
19:15 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
19:15 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
19:17 < krzee> openvpn portable is not made by the openvpn team, and ive never used it
19:17 < krzee> have you tried the real openvpn?
19:17 < krzee> !download
19:17 < vpnHelper> krzee: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) see !gui for more information for Windows clients.
19:18 < ksnp> yes
19:18 < ksnp> it uses the same openvpn.exe
19:18 < krzee> openvpn portable is 2.1.1?
19:18 < ksnp> i think it just modifies the gui
19:18 < krzee> you think!
19:19 < theDoc> Anyone has experience with sftp?
19:19 < ksnp> one online is 1.66
19:19 < ksnp> 1.6.6
19:19 < krzee> ksnp, USE THE REAL OPENVPN!
19:19 < krzee> i thought i said that above
19:19 < ksnp> no it really does, i used the real openvpn exe with portable and vice versa
19:19 < ksnp> on different machines and both work
19:19 < krzee> theDoc, really? hehe
19:20 < theDoc> krzee> Yeah, I need a web dev to fix something on my box.
19:20 < krzee> ksnp, just switch to the real openvpn and be done with it
19:20 < krzee> theDoc, whats the problem with sftp?
19:21 < ksnp> i already had that option :) if you can think of why the exe in command line (after driver installation) gives bad packet errors but not with the gui version, that would behelpful
19:21 < ksnp> i am checking if there a channel for the gui version
19:21 < ksnp> i mean just the gui part
19:21 < krzee> well i cant, cause you're using some 3rd party mod
19:21 < theDoc> krzee> I have a local user created, I'm just not sure how I should go about doing that and give writable access to /var/www
19:21 < krzee> if you get the same issues with the REAL openvpn, come talk to us :-p
19:22 < krzee> otherwise take it up with the openvpn-portable guys i guess
19:22 < krzee> theDoc, just give that user (or group) write access to the dir
19:22 < krzee> just like if he was logging in via ssh...
19:23 < theDoc> Yeah, I was thinking group is fine.
19:23 < krzee> (since he basically is, sftpd is just a subsystem of sshd)
19:23 < ksnp> ok
19:23 < theDoc> root is a member of the group wheel right?
19:23 < krzee> by default yes, but your group file will tell all
19:24 < theDoc> Yes, true that ;p
19:24 < krzee> grep wheel /etc/group
19:24 < theDoc> Sorry about the newb questions, it's way too ealry here and I have yet to brush my teeth
19:24 < krzee> you been around here long enough you get a few free ones ;]
19:25 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
19:26 < theDoc> Hm, this is dangerous.
19:26 < krzee> well dont add him to wheel
19:26 < krzee> lol
19:26 < theDoc> This is annoying as fuck.
19:27 < theDoc> I cannot for the love of god come up with a good idea on how to do this.
19:27 < krzee> its not hard dude
19:27 < krzee> make the dirs he needs access to owned by his group
19:27 < krzee> give g+w
19:27 < theDoc> It's not, ;p I'm buzzed as fuck and the hippie music isn't helping ;p
19:27 < krzee> if theres multiple people, add them to a common group and do the same
19:28 < krzee> its standard unix permission management
19:28 < krzee> (although in your defense, many admins get it wrong)
19:28 < theDoc> That too.
19:29 < theDoc> aha, ok I think I have got it.
19:31 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
19:36 < krzee> i wonder if he figured out that the group needs +w access to the files it needs to write to as well ;]
19:39 -!- ksnp [~ksnp@c-76-126-210-103.hsd1.ca.comcast.net] has left ##openvpn []
19:44 -!- tjz [~pc@bb116-14-141-167.singnet.com.sg] has joined ##openvpn
19:44 -!- tjz [~pc@bb116-14-141-167.singnet.com.sg] has quit [Changing host]
19:44 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:19 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
20:20 -!- APTX [~APTX@chello089076052083.chello.pl] has joined ##openvpn
20:20 -!- APTX [~APTX@chello089076052083.chello.pl] has quit [Changing host]
20:20 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
20:21 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Client Quit]
20:22 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
21:03 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
21:04 < theDoc> teehee, got it workin'.
21:31 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
21:33 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 276 seconds]
21:36 < theDoc> OH YES
21:36 < theDoc> HOTEL CHANGE!
21:40 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
21:42 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 276 seconds]
--- Log closed Wed Apr 21 22:23:11 2010
--- Log opened Wed Apr 21 22:28:43 2010
22:28 -!- ecrist [~ecrist@troy.mcclure.secure-computing.net] has joined ##openvpn
22:28 -!- Irssi: ##openvpn: Total of 93 nicks [2 ops, 0 halfops, 0 voices, 91 normal]
22:29 -!- Irssi: Join to ##openvpn was synced in 30 secs
22:32 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 240 seconds]
22:32 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
22:48 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
22:52 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
22:53 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
22:53 -!- jpalmer_ [~jpalmer@208.51.3.136] has quit [Quit: leaving]
22:54 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
22:54 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
22:58 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 252 seconds]
23:12 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:47 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
23:51 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
23:53 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
23:54 < theDoc> Any DNS monkeys here?
--- Day changed Thu Apr 22 2010
00:03 < rob0> oo ooo ooo AAA
00:04 < theDoc> Probably not!
00:07  * rob0 swings from the top of the cage
00:26 < krzie> ill help you with it later
00:26 < krzie> busy but i know dns
00:31 < theDoc> brb, relocating the laptop.
00:31 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
00:45 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
00:45 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
00:47 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
00:51 < krzie> hah sux for him im back for a min
00:53 < Bushmills> here's his q:  (04/22/10 06:48:52) theDoc: Hi all, question. I have a DNS server in a domain which serves only apple clients, I'd like that DNS server to hand off further requests to another Windows DNS server somewhere else on the same domain if it doesn't have an response for the DNS request. Is that possible? If yes, how is it done?
00:54 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
00:56 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
01:03 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 276 seconds]
01:05 < krzie> whoe whered you find that
01:06 < Bushmills> in his brain
01:06 < krzie> nice hack
01:07 < krzie> full 100% props on brain hacking
01:07 < krzie> i would have told him
01:07 < krzie> http://dnsmasq.darwinports.com/
01:07 < vpnHelper> Title: Dnsmasq version 2.51 - How to Download and Install on Mac OS X (at dnsmasq.darwinports.com)
01:08 < krzie> aka port install dnsmasq
01:09 < krzie> also ild be surprised if its not running bind on the backend
01:10 < krzie> likely could be configured manually to do anything you want
01:11 < Bushmills> like, iron my shirts?
01:14 < Bushmills> hehe, my router flashes "cq cq cq" at me - that means its dhcp client must have just renewed its ip adress lease 
01:18 < krzie> haha
01:18 < krzie> your router is sounding pretty dope lately
01:19 < krzie> is it a pc or embedded device?
01:20 < Bushmills> embedded
01:23 < Bushmills> thought first i teach it single letter morse status codes through its leds, but then i threw in radio amateur lingo :)
01:24 < krzie> haha nice
01:24 < krzie> love it
01:24 < Bushmills> when cpu load goes  up, it complains "QRL"
01:25 < krzie> Im saving a bunch of $ for a seriously expensive laptop
01:25 < Bushmills> will be outdated in 2 years
01:26 < krzie> 2.66 i7, 8gb ram, 80gig intel ssd for os, 7200rpm 500gig sata, 17" anti-glare display macbook pro, 9 hour battery
01:27 < krzie> yes will be outdated
01:27 < Bushmills> ok, you can upgrade te SSD next year
01:27 < krzie> but will still own
01:27 < krzie> true, i dont need the ssd immediately
01:27 < krzie> im getting the $50 7200rpm upgrade from apple
01:28 < Bushmills> try to get an accu pack with screws, not glued
01:28 < krzie> then getting a mod for the dvd drive area to be for a HD, comes with slick superdrive enclosure
01:28 < krzie> accu?
01:28 < Bushmills> battery
01:28 < krzie> ahh
01:29 < krzie> 4 screws to change
01:29 < Bushmills> for opening the case of the battery pack
01:29 < krzie> i cant believe they have batteries for laptops that last 9 hours now, thats sweet
01:29 < Bushmills> they usually contain 18650 type cells
01:30 < Bushmills> those can be obtained cheaply
01:30 < krzie> ahh nice
01:30 < Bushmills> well, much cheaper than complete packs
01:30 < krzie> thats with the new ones or the old?
01:30 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
01:31 < Bushmills> and LiIon will deteriorate
01:31 < Bushmills> they are in most battery packs
01:31 < Bushmills> including Apple's
01:31 < Bushmills> they're also in hybrid cars
01:32 < krzie> i gave my mom my hybrid when i left usa
01:32 < krzie> she used it for awhile, then didnt for long enough that she killed it
01:32 < krzie> because the main battery went bad
01:32 < Bushmills> so when the battery is down, it is much cheaper to replace the 18650 cells, instead of a new battery pack
01:33 < krzie> it was expensive enough that to get it fixed was more than the car was still worth
01:33 < krzie> aww damn
01:33 < Bushmills> but that's difficult to do with glued packs
01:33 < krzie> i wonder if she still has it
01:33 < krzie> would be a cool project when i visit
01:35 < Bushmills> single cells you can get from about 3$ and up. each one is (medium charged) 3.7 Volt, max charged 4.2 Volt, and about 2500 mAh
01:36 < Bushmills> so divide pack voltage by 3.7, and divide capacity by 2.5, multiply the two results, and that number cells you need
01:36 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
01:36 -!- disco- [disco@andromeda.h4xed.com] has quit [Ping timeout: 260 seconds]
01:38 < Bushmills> calculated differently, each cell has about 8..10Wh capacity. Thereore divide total capacity by 8...10, for number of cells needed
01:39 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
01:39 < Bushmills> 80 Wh 11 V would be most likely 9 cells.  3x3
01:39 -!- disco- [disco@andromeda.h4xed.com] has joined ##openvpn
01:41 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
01:42 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
01:45 < krzie> you just stack the cells?
01:50 < Bushmills> in series for adding voltages, and those stacks parallel for adding capacity. like, 2x4 or such.
01:57 -!- harlan [~harlan@ntp/programmemanager/harlan] has joined ##openvpn
01:58 < harlan> !welcome
01:58 < vpnHelper> harlan: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:01 < harlan> I generated a self-signed cert for openvpn at a site, and have been using it just fine for a year.  I just installed tunnelblick on my mac laptop, and it seems to hate the self-signed server certificate and will not bring up the connection.  Is this a red-herring, or do I need to re-generate a better server cert and make new keys for everybody?  I'm running openvpn-2.1.1...
02:01 < flok420> !/30
02:01 < vpnHelper> flok420: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
02:01 < theDoc> !logs
02:01 < vpnHelper> theDoc: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
02:02 < flok420> !topology
02:02 < vpnHelper> flok420: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
02:02 < flok420> !iporder
02:02 < vpnHelper> flok420: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
02:03 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has quit [Ping timeout: 264 seconds]
02:05 -!- disco- [disco@andromeda.h4xed.com] has quit [Ping timeout: 248 seconds]
02:06 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
02:09 -!- Netsplit *.net <-> *.split quits: krzee, atlantic_, Jww
02:09 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
02:11 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
02:13 -!- disco- [disco@andromeda.h4xed.com] has joined ##openvpn
02:13 -!- Netsplit over, joins: krzee, atlantic_, Jww
02:17 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Ping timeout: 276 seconds]
02:22 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
02:50 -!- disco-_ [disco@andromeda.h4xed.com] has joined ##openvpn
02:51 -!- disco- [disco@andromeda.h4xed.com] has quit [Ping timeout: 276 seconds]
03:02 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds]
03:05 -!- disco- [disco@andromeda.h4xed.com] has joined ##openvpn
03:07 -!- disco-_ [disco@andromeda.h4xed.com] has quit [Read error: Operation timed out]
03:08 -!- disco-_ [disco@andromeda.h4xed.com] has joined ##openvpn
03:09 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
03:11 -!- disco- [disco@andromeda.h4xed.com] has quit [Ping timeout: 248 seconds]
03:12 -!- disco- [disco@andromeda.h4xed.com] has joined ##openvpn
03:12 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
03:13 -!- disco-_ [disco@andromeda.h4xed.com] has quit [Ping timeout: 264 seconds]
03:14 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
03:14 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Ping timeout: 248 seconds]
03:18 -!- Guest48299 is now known as dazo
03:19 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:20 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
03:25 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
03:32 < mgolisch> would have been too easy
03:32 < mgolisch> :(
03:32 < mgolisch> tap driver version 8 doenst work in win7
03:32 < mgolisch> the patched openvpn with user/pass input dialog doesnt work work with tap v9
03:33 < mgolisch> :(
03:40 -!- ABL_ [~ABLomas@193.219.82.175] has joined ##openvpn
03:41 < ABL_> hi! Any quick hint about blocking users _only_ by their CN in cert?
03:41 < ABL_> i mean, each client has cert, but i want to block certificates with common name "foo" and "bar", without revoking them server side, it is possible?
03:41 -!- ABL_ is now known as ABLomas
03:44 < ABLomas> --tls-remote ?
03:51 -!- disco-_ [disco@andromeda.h4xed.com] has joined ##openvpn
03:52 -!- disco- [disco@andromeda.h4xed.com] has quit [Ping timeout: 258 seconds]
03:58 -!- disco- [disco@andromeda.h4xed.com] has joined ##openvpn
04:00 -!- disco-_ [disco@andromeda.h4xed.com] has quit [Ping timeout: 248 seconds]
04:03 -!- disco- [disco@andromeda.h4xed.com] has quit [Ping timeout: 248 seconds]
04:03 -!- disco-_ [disco@andromeda.h4xed.com] has joined ##openvpn
04:09 < dazo> mgolisch: have you checked the mailing list?  There are several people there who have received help with Win7 and OpenVPN
04:10 < dazo> ABLomas: have a look at --tls-verify .... there you can do such "extra" filtering
04:11 < dazo> make sure to also look at the "Environmental Variables" section in the man page as well, here which env variables available for you is described
04:12 < ABLomas> yeah, thanks
04:12 < ABLomas> i did that already, using ccd and "disable" directive
04:12 < ABLomas> works perfectly
04:12 < ABLomas> and simpler than writing separate script to verify certs
04:14 < dazo> well, that script could just look up in a "database" (e.g. do grep in a file) to consider if it should be disabled or not ... but ccd and disable is about the same principle
04:14 < ABLomas> yeah ;-)
04:15 < ABLomas> hm, wait, as i understood that tls-verify should use separate openssl process instance to "pull" out needed fields from cert
04:15 < ABLomas> and only then verify them against "database"
04:15 < ABLomas> still, maybe i got that wrong
04:15 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has joined ##openvpn
04:15 < ABLomas> but "disable" works atm ;-)
04:17 < dazo> ABLomas: not a separate openssl process ... you get common_name as a environment variable into the the script ... which you then can check against
04:17 < dazo> no extra openssl stuff, it's already parsed and ready for you
04:19 < ABLomas> hm, ok
04:19 < ABLomas> that's may be solution, as i misunderstood docs...
04:33 -!- rc55 [~rc55@exchange.switchsystems.co.uk] has joined ##openvpn
04:33 < rc55> Good morning everyone - does anyone know how I can monitor the data throughput on an OpenVPN interface from within Windows?
04:34 < rc55> SNMP would have been ideal, but I'm not sure that's possible.
04:34 < rc55> If anyone has any ideas, perhaps via WMI, that'd be awesome.
04:37 < ABLomas> maybe perfmon has counters, like on "normal" network interface?
04:37 < ABLomas> just check, if it has - just fetch them trough SNMP built-in service
04:38 < ABLomas> (or WMI)
04:38 < dazo> rc55: you can enable the management interface ... and telnet into it and grab live stats directly from there
04:39 < dazo> rc55: see --management in the man page
04:40 < rc55> ABLomas / dazo: thank you both, I will see what I can find out from there; should do the job :)
04:42 < mgolisch> dazo: hm the latest versions work fine on win7 but there is no binary which has that --win32-gui patch applied
04:42 < mgolisch> guess ill try building that myself
04:43 < mgolisch> or find out if i can use this older version with the new tap v9 driver somehow
04:43 < dazo> mgolisch: where does that --win32-gui patch come from? 
04:44 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
04:44 < mgolisch> found it on openvpn.se but its for 2.0.1 or so, probably wont apply without modifying anyways
04:45 < mgolisch> what it does is instead of asking username/password on stdin it spawns a win32 dialog so user-pass can be used even with the service wrapper
04:47 < dazo> mgolisch: I see ... I believe that there will be some enhanced work on OpenVPN-GUI so that it will use the management interface instead ... giving the same result, where the openvpn process can be started as a service, and will wait for the GUI to hook up and ask for the needed details
04:48 < dazo> d12fk: ^^ please correct me if I'm wrong
04:49 < dazo> mgolisch: but in general ... expect pain when trying to make older openvpn versions work with newer tap drivers ... there might be incompatibilities here, and that would be an unsupported setup
04:50 < mgolisch> so the servicewrapper in new versions provides some way to interact with it?
04:51 < dazo> mgolisch: I don't know how far the development process has come ... but it's been mentioned that the management interface is an important improvement, iirc
04:52 < dazo> mgolisch: the --win32-gui part has most probably been removed due to not being solid enough or too buggy and the management interface in 2.1 would provide a better ground for improved GUI implementations
04:52 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Quit: Leaving...]
04:56 < d12fk> mgolisch dazo: i feel the the --win32-gui is a rather crude hack, right way would be to use the mgmt itf and come up with a small protocol that can be spoken with the service to passthrough the mgmt itf communication for the processes
04:57 < d12fk> however it's currently the only way to do it, which makes it valueable =)
04:57 < dazo> d12fk: the --win32-gui is that a openvpn.exe argument ... or is it openvpn-gui stuff?
04:58  * dazo expect it to be the former
04:58 < mgolisch> yeah its a patch for openvpn
04:59 < dazo> that explains why it's not present in 2.1
04:59 < mgolisch> i guess ill either have to figure out howto get 2.0.1 working with tap v9 or somehow try to apply that patch to the current openvpn source
05:00 < dazo> mgolisch: which files does that patch touch?
05:00 < dazo> mgolisch: and why not rather spend some time helping d12fk getting a better fix into openvpn-gui?
05:02 -!- kaspx [~Andrew@seance.openvpn.org] has joined ##openvpn
05:02 -!- sanderj_ [~sanderj@195.204.103.72] has joined ##openvpn
05:04 -!- Netsplit *.net <-> *.split quits: kasx, BashLogic, APTX, buntfalke, kslen, mwheeler, HyperZid, kala
05:05 -!- Netsplit over, joins: APTX
05:06 -!- Netsplit over, joins: kasx, buntfalke, kslen, kala, BashLogic, mwheeler
05:06 -!- kasx [~Andrew@seance.openvpn.org] has quit [Ping timeout: 280 seconds]
05:06 -!- kala [~kala@83.151.191.90.dyn.estpak.ee] has quit [Ping timeout: 241 seconds]
05:06 -!- kala [~kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
05:26 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:38 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
05:55 -!- disco- [disco@andromeda.h4xed.com] has joined ##openvpn
05:56 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Ping timeout: 268 seconds]
05:57 -!- disco-_ [disco@andromeda.h4xed.com] has quit [Ping timeout: 240 seconds]
05:58 -!- disco-_ [disco@andromeda.h4xed.com] has joined ##openvpn
05:59 -!- disco- [disco@andromeda.h4xed.com] has quit [Ping timeout: 246 seconds]
06:00 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Quit: Quitte]
06:01 -!- disco- [disco@andromeda.h4xed.com] has joined ##openvpn
06:02 -!- disco-_ [disco@andromeda.h4xed.com] has quit [Ping timeout: 240 seconds]
06:16 -!- phrag [~phrag@about/slackware/phrag] has joined ##openvpn
06:17 < phrag> hi guys, anyone alive?
06:18 < phrag> we have openvpn server running, and others can connect np.. however my client is not assigning an IP to the tun device, and subsequently not adding routes.. others clients work just fine, any idea's ?
06:20 < macsppadic> what os is ur client running phrag ?
06:21 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: Leaving]
06:21 < mgolisch> dazo: ill look into that when iam back at home
06:22 < mgolisch> think ill just go with cpau or something like that for the time beeing, theyll rip my head off if i dont give them vpn soon :)
06:32 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Ping timeout: 276 seconds]
06:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
06:39 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
06:55 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
07:00 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Read error: No route to host]
07:00 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
07:02 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:08 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
07:42 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
07:45 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
07:56 -!- kslen [~idkfa@static229-147.adsl.no] has quit [Ping timeout: 276 seconds]
07:56 -!- blueboxthief [~None_of_y@86-43-218-179-dynamic.b-ras2.bbh.dublin.eircom.net] has joined ##openvpn
07:59 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
08:05 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Read error: Connection reset by peer]
08:05 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
08:07 < phrag> macsppadic: sorry for delay, using Slackware-current
08:07 < phrag> http://pastebin.slackadelic.com/p/2pEaZ310.html
08:08 < phrag> that's my config, server seems fine as others can connect np (mac clients)
08:08 < phrag> it connects, verifys and says complete, no errors... just no ip being assigned to tun device or any routes added
08:15 < macsppadic> phrag: whats the log on ur client achien showing?
08:16 < phrag> macsppadic: no errors, all looks good.. will have to edit it if want posting
08:16 -!- kslen [~idkfa@static229-147.adsl.no] has joined ##openvpn
08:16 < phrag> Peer Connection Initiated with...
08:17 < phrag> Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication .... Initialization Sequence Completed
08:18 < phrag> the device exists, just no IP or route
08:19 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
08:27 -!- kajl [~kyle@80.67.10.198] has quit [Ping timeout: 276 seconds]
08:31 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Quit: mirco]
08:38 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has joined ##openvpn
08:48 -!- ABLomas [~ABLomas@193.219.82.175] has left ##openvpn []
08:58 < steelnwool> can i get a bit of routing help
08:59 < steelnwool> i'll draw up a digram.
09:00 < macsppadic> sorry phrag was away in meeting 
09:00 < macsppadic> rite hmm can u do a tcpdump on the device 
09:01 < macsppadic> sorry no route or IP?
09:01 < steelnwool> my vpn works to the vpn host. but other machines on that LAN can't talk back. so my plan is to create a static route on the default gateway in that network , to tell the hosts to route traffic back thru the vpn.
09:04 -!- mwheeler [~mwheeler@unaffiliated/theskorm] has quit [Read error: Connection reset by peer]
09:05 < steelnwool> http://dl.dropbox.com/u/2335126/vpn.jpg basically this.
09:05 < steelnwool> pretty basic/standard setup.
09:06 < steelnwool> i'd like "Some other machine" to be able to learn the route 10.33.34/24 via gateway 10.33.33.13
09:06 < steelnwool> so i added a static route to teh SSG5, I think my understanding is correct.
09:14 < steelnwool> ah ha. i mis understand route propagation.
09:14 < steelnwool> disregard.
09:15 < krzee> !route
09:15 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:15 < krzee> !factoids search outside
09:15 < vpnHelper> krzee: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
09:16 < krzee> read the link in !route and i posted the diagram below in case thats what your situation is
09:16 < krzee> (and i think it is)
09:16 < steelnwool> my situation is simpler than that. I just had to make sure the clients iside the VPN, know how to talk back out, so just had to add a route to each of them.
09:16 < krzee> no you didnt
09:16 < steelnwool> i have a much more complex situation else wehre, that does indeed match those documents.
09:16 < krzee> you needed to add only 1 route
09:16 < steelnwool> oh. I'll read then.
09:16 < steelnwool> doesn't hurt :)
09:16 < krzee> but you needed to do it on their default router
09:16 < krzee> as shown in bottom diagram
09:17 < krzee> but what you did works, and is offered as a 2nd approach in !route section ROUTES TO ADD OUTSIDE OPENVPN
09:17 < krzee> its just more of a PITA
09:18 -!- mwheeler [~mwheeler@unaffiliated/theskorm] has joined ##openvpn
09:18 < steelnwool> reading now.
09:19 < steelnwool> ah, i know the actual issue.
09:19 < steelnwool> I don't have ip forwarding enabled.
09:19 < krzee> yup, thats a problem
09:20 < krzee> !ipforward
09:20 < vpnHelper> krzee: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
09:21 -!- crazeekennee [~crazeeken@static-72-87-91-10.prvdri.fios.verizon.net] has joined ##openvpn
09:21 < crazeekennee> !welcome
09:22 < vpnHelper> crazeekennee: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:22 < crazeekennee> !howto
09:22 < vpnHelper> crazeekennee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:24 < crazeekennee> hello all -- if mv vpn client can ping my vpn server (on both its virtual interface and its LAN interface) across the tunnel, but the client can't ping anything else behind the LAN then i should be looking at routing -- does that make sense ?
09:25 -!- steelnwool [~jeff@204-232-209-119.static.cloud-ips.com] has left ##openvpn []
09:41 < krzee> crazeekennee, have a look at this
09:41 < krzee> !route
09:41 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:41 < krzee> if your VPN stuff is configured correctly, you could be missing this:
09:41 < krzee> !factoids search outside
09:41 < vpnHelper> krzee: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
09:43 < krzee> you're welcome (pls talk here instead of msg)
09:44 < krzee> =]
09:44 < crazeekennee> gotcha -- I've got wireshark going on the Lan side and I'm ssh'd into my vpn client box
09:44 < crazeekennee> looks like my icmp packets aren't being routed to their lan destination
09:44 < crazeekennee> !route
09:44 < vpnHelper> crazeekennee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:44 < krzee> do you have ip forwarding enabled?
09:45 < krzee> (very beginning of !route mentioned that)
09:45 < crazeekennee> yes, would you like me to list my pertinent nat rules ?
09:45 < krzee> nope, just read !route
09:45 < crazeekennee> right -- on it now
10:02 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Ping timeout: 268 seconds]
10:19 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 258 seconds]
10:37 < krzee> howd reading that work for you?
10:37 < krzee> find anything helpful?
10:38 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has quit [Ping timeout: 246 seconds]
10:41 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
10:42 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Connection reset by peer]
10:59 < crazeekennee> the reading was nice, but not quite what I needed
11:00 < crazeekennee> I had to add a route line in my server config that took packets destined for the local LAN and route then to the server's LAN interface
11:00 < crazeekennee> something like "route 192.168.1.0 255.255.255.0 192.168.1.1"
11:01 < krzee> umm, you didnt already have a route for your lan?
11:01 < krzee> openvpn shouldnt have needed to be involved in that
11:01 < krzee> but glad you found your answer :)
11:01 < crazeekennee> It took me a while, but I noticed that the openvpn server was saying "destination unreachable" -- so I knew the packet was making it to the other side, but the vpn didn't  have a gateway to send it to
11:02 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has joined ##openvpn
11:02 < crazeekennee> the client was getting "10.8.0.1 says destination unreachable" as a response -- and 10.8.0.1 is the server
11:03 < crazeekennee> I setting it up so many road warriors can get on the vpn -- and openvpn is perfect, once I get the config right !
11:04 < crazeekennee> as usual, the problem was between the seat and the keyboard  :)
11:04 < crazeekennee> thank you for your help !
11:05 < krzee> no problem
11:05 < krzee> i agree, openvpn is great for that
11:05 -!- WormFood [~wormfood@58.60.222.13] has quit [Ping timeout: 265 seconds]
11:06 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
11:07 < krzee> i just noticed your hostname
11:07 < krzee> let me inform you how jealous i am
11:07 < krzee> =[
11:17 -!- WormFood [~wormfood@121.15.47.33] has joined ##openvpn
11:17 < crazeekennee> yours is more succinct -- but still cool
11:17 < crazeekennee> thanks again 
11:17 -!- crazeekennee [~crazeeken@static-72-87-91-10.prvdri.fios.verizon.net] has quit [Quit: Leaving]
11:17 -!- Lenhix [~lenho@mail.coltanques.com.co] has joined ##openvpn
11:19 < Lenhix> Hello. I've created certs for 4 clients. All of them are connecting via the same public IP as they are behind a router. 3 of them can use the vpn normally but when the 4th tries to connect it gets an error. the client log is at http://pastebin.com/qv4ugw8u
11:20 < Lenhix> (I cropped it) I think the important part is at the end, the connection seems to be being reset'd but dunno why
11:23 < krzee> happen to be using the same certs?
11:25 < Lenhix> Nope, I created 4 distinct ones... but let me check with the ppl at the other side if they are using each one the one i made for each one
11:27 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:28 < krzee> also,
11:28 < krzee> !tcp
11:28 < vpnHelper> krzee: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
11:28 < krzee> you MAY need
11:28 < krzee> !winroute
11:28 < vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
11:28 -!- dazo is now known as dazo_afk
11:29 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Quit: Leaving...]
11:31 -!- tums2004 [~zero_aphe@wsip-24-234-74-232.lv.lv.cox.net] has joined ##openvpn
11:31 < tums2004> hey all my openvpn is up and running, but I cant seem to find one option,. how do i make it run on only 1 IP address? not all of the 6 this server has?
11:32 < krzee> config option: local
11:33 -!- macsppadic [~sonupunno@82.109.74.162] has quit [Quit: macsppadic]
11:33 < Lenhix> krzee, thx for the tcp tunneling idea
11:34 < Lenhix> I'll change it to UDP and try
11:35 < tums2004> thank you krzee, I looked over it 3 times but mistook it for meaning only run localhost
11:35 < tums2004> thanks a bunch
11:35 < tums2004> bye all
11:35 -!- tums2004 [~zero_aphe@wsip-24-234-74-232.lv.lv.cox.net] has quit [Client Quit]
11:35 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
11:38 < Lenhix> krzee: thx for your help. I'm changing to UDP right now. Btw, they just told me that all of them can connect (the openvpn tray icon [yeah, windows] turns green), but some can't ping the server while others do (there are no FW rules which
11:38 < Lenhix> impede ICMP traffic or limit it
11:38 < krzee> ahh
11:39 < krzee> they need to disable windows firewall on the TAP adapter
11:39 < krzee> same for any security software
11:39 < krzee> (zone alarm, norton, whatever)
11:39 < krzee> and give them
11:39 < krzee> !winroute
11:39 < vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
11:39 < krzee> it may fix it, wont hurt it
11:39 < Lenhix> Uh, let me check my config here as I have another open connection
11:40 < Lenhix> Mmh, I have winFW active and the exception for openvpn is unchecked and I have no problems... but I'll keep that in mind to
11:40 < Lenhix> *too
11:40 -!- blueboxthief [~None_of_y@86-43-218-179-dynamic.b-ras2.bbh.dublin.eircom.net] has quit [Quit: Leaving.]
11:41 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Read error: Connection reset by peer]
11:41 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
11:48 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
11:49 -!- rc55 [~rc55@exchange.switchsystems.co.uk] has quit []
11:50 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has quit [Ping timeout: 245 seconds]
11:55 < krzee> ive seen tons of problems fixed by disabling win firewall for the tap adapter
11:55 < krzee> and most likely you have no reason to enable it on that adapter anyways
11:55  * krzee points to the 3nd part of the topic
11:56 < krzee> its so often the firewall we have it in the topic ;]
11:56 < krzee> 2nd*
11:59 -!- steelnwool [~jeff@204-232-209-119.static.cloud-ips.com] has joined ##openvpn
11:59 < steelnwool> any drawbacks to using the lzo compression?
11:59 < Lenhix> krzee, hehe
11:59 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has joined ##openvpn
12:00 < Lenhix> afaik, steelnwool, it's recommended
12:01 < steelnwool> okay thanks.
12:03 -!- Bloodsong [~Nimbus@bas2-barrie18-1178020770.dsl.bell.ca] has joined ##openvpn
12:04 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
12:04 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
12:08 -!- dazo_afk is now known as dazo
12:26 -!- kaspx [~Andrew@seance.openvpn.org] has quit [Quit: Leaving]
12:26 -!- kas [~Andrew@seance.openvpn.org] has joined ##openvpn
12:26 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
12:26 -!- mode/##openvpn [+v Kasx] by ChanServ
12:44 -!- hagna [~hagna@74-92-245-181-Utah.hfc.comcastbusiness.net] has quit [Ping timeout: 246 seconds]
12:46 -!- hagna [~hagna@74-92-245-181-Utah.hfc.comcastbusiness.net] has joined ##openvpn
12:48 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
12:48 -!- mode/##openvpn [+o mattock] by ChanServ
12:51 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
12:57 < krzee> !wishlist
12:57 < vpnHelper> krzee: "wishlist" is http://ovpnforum.com/viewforum.php?f=10 for the openvpn wishlist
13:02 < hyper_ch> lol:  Google won't allow the co-inventor of Unix and the C language to check-in code, because he won't take the mandatory language test.  -  http://www.theregister.co.uk/2010/04/21/ken_thompson_take_our_test/
13:03 -!- Netsplit *.net <-> *.split quits: +Kasx, jupiter15, zamba, LowKey, mrnice1, stein0, bandini, Rienzilla, vpnHelper, Diffen2,  (+6 more, use /NETSPLIT to show all of them)
13:04 -!- DarthGandalf|BNC [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
13:08 -!- Netsplit over, joins: +Kasx, vpnHelper, @openvpn, jfkw, Diffen2, cpm, bandini, LeRrA, jupiter15, zamba (+6 more)
13:22 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
13:54 -!- hagna [~hagna@74-92-245-181-Utah.hfc.comcastbusiness.net] has quit [Quit: leaving]
14:06 -!- steelnwool [~jeff@204-232-209-119.static.cloud-ips.com] has left ##openvpn []
14:10 -!- dazo is now known as dazo_afk
14:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
14:12 -!- dazo_afk is now known as dazo
14:14 -!- kslen [~idkfa@static229-147.adsl.no] has quit [Read error: Operation timed out]
14:15 -!- OpenUser [~57524f99@gateway/web/freenode/x-znzuvxyilzgjoepy] has joined ##openvpn
14:16 < OpenUser> Hi, I have a hopefully quick question about getting OpenVPN to work
14:17 < OpenUser> I can see my local network when connected to OpenVPN, but I have no Internet connectivity
14:17 < OpenUser> (No DNS either)
14:17 < OpenUser> The server is running XP Pro, and the client is Vista 64 bit
14:17 < krzee> !goal
14:17 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:17 < OpenUser> I want to access the net through my VPN =)
14:18 < OpenUser> I'll paste the config files now
14:18 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:19 < OpenUser> http://pastebin.com/Eve9kGwj - Server config
14:20 < krzee> !redirect
14:20 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:20 < OpenUser> Okay, thanks, I'll try that
14:20 < OpenUser> I did try the gateway one mind, but it didn't help
14:20 < OpenUser> !ipforward
14:20 < vpnHelper> OpenUser: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
14:20 < OpenUser> !winipforward
14:20 < vpnHelper> OpenUser: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
14:21 < OpenUser> !def1
14:21 < vpnHelper> OpenUser: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
14:21 < krzee> btw you have remote-gateway
14:21 < krzee> its redirect-gateway ;]
14:21 < OpenUser> Thanks, will switch it
14:22 < OpenUser> I tried redirect earlier but it didn't seem to do anything :(
14:22 < krzee> oh dude
14:22 < krzee> also
14:22 < krzee> push "route 10.0.0.0 255.0.0.0"
14:22 < krzee> NOOOOOOO
14:22 < krzee> that will make it so ANY client connecting from 10.x loses connectivity
14:22 < krzee> bad bad idea
14:22 < OpenUser> Ah
14:22 < krzee> what were you trying to accomplish?
14:23 < OpenUser> I thought I needed that to access the internal network (10.0.0.x, 255.0.0.0)
14:24 < krzee> is your internal network really a /8?
14:24 < krzee> cause if so, WHY!?
14:24 < krzee> heh
14:24 < OpenUser> I've changed a lot of settings today trying to get it to work ;P
14:25 < krzee> also
14:25 < krzee> when i said !goal
14:25 < krzee> you said nothing about a lan behind the server
14:25 < OpenUser> Ah, well
14:25 < OpenUser> I don't care about that really
14:25 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
14:25 < OpenUser> My goal is net access
14:25 < krzee> !winnat
14:26 < vpnHelper> krzee: "winnat" is http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows
14:26 < krzee> !winipforward
14:26 < vpnHelper> krzee: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
14:26 < OpenUser> I've done that already :)
14:26 < krzee> remove remote-gateway from your config
14:26 < OpenUser> Done
14:26 < krzee> add push "redirect-gateway def1"
14:26 < OpenUser> Done too
14:26 < krzee> connect and test
14:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 268 seconds]
14:27 < rob0> Net access is not enough for me. I want gross access.
14:27 < krzee> but also test by IP
14:27 < krzee> lol rob0 
14:27 < krzee> as in test pinging 66.249.81.104 (a google ip)
14:27 < krzee> that way we can separate DNS issues from other ones
14:28 -!- buntfalke_ is now known as buntfalke
14:28 < krzee> Openuser, you already setup Windows NAT?
14:28 < OpenUser> I've never heard about that, hm
14:28 < OpenUser> I'll explain
14:28 < krzee> LOL
14:28 < OpenUser> (In anything I've read today)
14:28 < krzee> your server MUST NAT for a !redirect setup
14:29 < krzee> check this out
14:29 < OpenUser> The server is connected to a router that handles that?
14:29 < OpenUser> :<
14:29 < krzee> ok
14:29 < krzee> but the router must NAT your VPN subnet
14:29 < krzee> which MUST NOT conflict with your normal subnet
14:29 < krzee> if its a linux box, thats not a problem
14:29 < OpenUser> It doesn't conflict
14:29 < krzee> if its a linksys, problem!
14:29 < OpenUser> Just to clarify
14:29 < OpenUser> The client doesn't go through the router
14:30 < krzee> since you cant NAT random subnets in those things
14:30 < OpenUser> It's connected to the server machine
14:30 < krzee> SOMETHING has to NAT the vpn traffic
14:30 < krzee> packets with vpn subnet wont have a way back to your home network, and wont likely even make it out at all due to egress filtering
14:30 < OpenUser> Well
14:31 < OpenUser> I added a static route
14:31 -!- kslen [~idkfa@static229-147.adsl.no] has joined ##openvpn
14:31 < krzee> routes dont make NAT
14:31 < krzee> check this out
14:31 < krzee> !redirect
14:31 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:31 < OpenUser> !nat
14:31 < krzee> that doesnt say optionally you can have NAT
14:31 < vpnHelper> OpenUser: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
14:31 < krzee> it says YOU NEED NAT
14:31 < krzee> ;]
14:31 < OpenUser> I'll do that now, thanks
14:31 < OpenUser> !winnat
14:31 < vpnHelper> OpenUser: "winnat" is http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows
14:32 < krzee> np
14:32 < krzee> however, if your router is a computer, or linux runnong on openWRT or something like that, it actually CAN do the NAT'ing
14:32 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
14:33 < krzee> which is actually preferable (tho less common), because then you're not behind a double-nat on the vpn
14:33 < bodom> hi there. I can't find out what's the MIB to check load average on OpenBSD's SNMP. May someone give me a link?
14:33 < krzee> this is ##OpenVPN
14:34 < krzee> you seem to have taken a wrong turn =]
14:34 < bodom> lol, sry guys, I've misclicked
14:35 < krzee> np
14:35  * krzee gets out the map and points out the way to #OpenBSD
14:38 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
14:50 -!- dmz [~dmz@64.203.207.101.dyn-cm-pool-54.hargray.net] has joined ##openvpn
14:51 -!- OpenUser [~57524f99@gateway/web/freenode/x-znzuvxyilzgjoepy] has quit [Ping timeout: 248 seconds]
14:52 < dmz> anyone ever run into capacity problems w/openvpn? i was doing a file transfer that hit 30M and it caused vpn to "die", btw we have > 1000M on each side
14:52 < krzee> you using TCP?
14:52 < dmz> tried tcp & udp
14:53 < krzee> ok, for the record
14:53 < krzee> !tcp
14:53 < vpnHelper> krzee: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
14:53 < dmz> yeah we primarily use udp
14:53 < krzee> !config
14:53 < vpnHelper> krzee: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
14:53 < krzee> err
14:53 < krzee> !configs
14:53 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
14:54 -!- gorkhaan_ [~gorkhaan@87.229.108.75] has joined ##openvpn
14:55 -!- OpenUser [~57524f99@gateway/web/freenode/x-goxxredajnhvtwbq] has joined ##openvpn
14:55 -!- gorkhaan_ [~gorkhaan@87.229.108.75] has quit [Client Quit]
14:55 < OpenUser> Oops :>
14:55 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
14:56 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Client Quit]
14:56 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
14:58 < OpenUser> Right, got RRAS fixed finally
14:58 < OpenUser> Stupid XP
14:58 < OpenUser> Now the problem of finding it...
14:59 < krzee> i believe XP cant do NAT
14:59 < OpenUser> Neither of my XP machines has a shortcut to it
14:59 < krzee> but i could be wrong
14:59 < OpenUser> Oh
15:00 < krzee> if i understand right, only their 'server' OS's can
15:00 < OpenUser> The service is there so I presumed it could
15:00 < krzee> however, i dont use windows so i could be wrongt
15:00 < krzee> RRAS does more than NAT from what i understand...
15:00 < OpenUser> !winnat
15:00 < vpnHelper> OpenUser: "winnat" is http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows
15:00 < OpenUser> So hm
15:00 < OpenUser> OpenVPN is a no go on XP?
15:01 < krzee> openvpn works great on XP
15:01 < krzee> its the NAT thing you are stuck at
15:01 < krzee> however, any machine on the LAN can do the NAT for you
15:02 < OpenUser> I've only got two XP machines :(
15:02 < OpenUser> Besides the Vista one which is the client
15:02 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has quit []
15:02 < krzee> (for the record, NAT is something in the OS, not part of openvpn)
15:02 < OpenUser> Yeah
15:02 < krzee> you could check if your router can NAT extra subnets
15:03 < krzee> if so, just NAT your VPN subnet and you're good to go
15:03 < Lenhix> Bye krzee, thx for the help... perhaps I'll come back if this doesn't get resolved.
15:03 -!- Lenhix [~lenho@mail.coltanques.com.co] has left ##openvpn []
15:03 < krzee> fyi, 192.168.0.0 is a poor choice of vpn subnet
15:03 < krzee> you want to choose something rarely used
15:04 < krzee> because any time a client is on that subnet, he wont be able to connect
15:04 < krzee> he'll connect but then lose access to the vpn and internet
15:04 < OpenUser> True
15:05 < OpenUser> I did go for a rarer one, but I couldn't get it to work at that point
15:05 < OpenUser> I've spent about 11 hours on this today :<
15:05 < krzee> my first setup took longer ;]
15:06 < krzee> thing is, the common issues people have (including yours) are not openvpn issues but rather general networking ones
15:09 < OpenUser> True :P
15:10 < OpenUser> Right, that's NAT working on XP
15:10 < OpenUser> Wish me luck!
15:10 < krzee> g'luck!
15:10 < krzee> if you make it happen ild love to know bout it
15:10 < krzee> since it really could be possible, i just know nothin bout it
15:10 < krzee> that link in !winnat was all i found
15:11 < OpenUser> Ah
15:11 < krzee> and that was for server OS
15:11 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
15:16 < OpenUser> Well, NAT seems to be set up
15:17 < OpenUser> Local Area Connection configuration - Address and Port Translation
15:17 < OpenUser> OpenVPN configuration - Private interface
15:18 < OpenUser> No luck with the net connectivity mind :/
15:20 < OpenUser> Infact, the VPN is broken now too, oops
15:20 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:26 < OpenUser> Alright, VPN works again
15:31 < OpenUser> !win
15:31 < vpnHelper> OpenUser: Error: "win" is not a valid command.
15:31 < OpenUser> !help
15:31 < vpnHelper> OpenUser: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
15:32 < OpenUser> !commands
15:32 < vpnHelper> OpenUser: Error: "commands" is not a valid command.
15:37 -!- dazo is now known as dazo_afk
15:40 < OpenUser> Thanks for the help anyway krzee 
15:41 < OpenUser> I'll let you know if I ever get it to work, although I doubt it =D
15:41 -!- Bloodsong [~Nimbus@bas2-barrie18-1178020770.dsl.bell.ca] has quit [Quit: Leaving]
15:42 < OpenUser> Oh, and one more thing
15:42 < OpenUser> In push "redirect-gateway def1", it's okay to leave it at def1, right?
15:42 < OpenUser> Some posts say it needs replaced :X
15:45 < OpenUser> 'Final' server config, presuming there's nothing wrong with it: http://pastebin.com/uC3NFnpk
15:45 -!- MadTBone [~MadTBone@160.39.238.196] has joined ##openvpn
15:46 < OpenUser> Apparently Internet Connection Sharing is sufficient for OpenVPN
15:46 < OpenUser> Which is what I was using already, hence the 192.168.0.0
15:47 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Read error: Connection reset by peer]
15:47 < OpenUser> As the connection that wants to use the shared connection has to be 192.168.0.1
15:47 < OpenUser> So I guess the problem lies elsewhere...
15:59 -!- PeterFA [~Peter@2002:1871:8ebb:1234:21a:73ff:fe3b:d510] has joined ##openvpn
15:59 -!- PeterFA [~Peter@2002:1871:8ebb:1234:21a:73ff:fe3b:d510] has quit [Changing host]
15:59 -!- PeterFA [~Peter@unaffiliated/peterfa] has joined ##openvpn
16:00 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
16:09 < mgolisch> scheiss irssi 
16:09 < mgolisch> ups
16:09 -!- mgolisch [~michi@85.93.11.18] has left ##openvpn []
16:18 -!- graffz [~graffz@118.175.66.195] has joined ##openvpn
16:19 -!- dazo_afk is now known as dazo
16:22 -!- graffz` [~graffz@118.175.66.195] has joined ##openvpn
16:24 -!- graffz [~graffz@118.175.66.195] has quit [Ping timeout: 258 seconds]
16:25 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
16:30 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Quit: Leaving]
16:39 -!- MadTBone [~MadTBone@160.39.238.196] has joined ##openvpn
16:39 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Client Quit]
16:43 -!- dazo is now known as dazo_afk
17:00 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Quit: Leaving...]
17:03 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
17:12 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:21 -!- MadTBone [~MadTBone@160.39.238.196] has joined ##openvpn
17:21 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Client Quit]
17:33 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Quit: Távozom]
17:55 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has joined ##openvpn
18:14 -!- graffz` [~graffz@118.175.66.195] has quit [Read error: Connection reset by peer]
18:15 -!- graffz` [~graffz@118.175.66.195] has joined ##openvpn
18:19 -!- brain0 [~brain0@archlinux/developer/brain0] has joined ##openvpn
18:19 < brain0> hello
18:20 < brain0> I am trying to set up a p2p openvpn with tls-server/tls-client mode
18:20 < brain0> I've done this a couple of times, but only in real server/client mode
18:20 < brain0> now I am getting "VERIFY ERROR: depth=0, error=unsupported certificate purpose: ..." on the tls-client
18:20 < brain0> I have never seen that before
18:20 < brain0> can someone elighten me?
18:22 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit []
18:29 < brain0> okay, the docs say nowhere you actually need a server type cert for tls-server mode
18:30 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
18:31 < krzie> brain0, 
18:31 < krzie> !certinfo
18:31 < vpnHelper> krzie: "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
18:31 < krzie> err wait a sec
18:31 < krzie> i dont think you use certs for ptp
18:31 < brain0> actually, latest easy-rsa will include that info in the .crt
18:32 < brain0> I just found out that I need to use build-key-server, even though I don't use the "ns-cert-type server" option
18:32 < krzie> iirc ptp (granted ive never used ptp) uses shared key and server/client uses certs
18:32 < brain0> actually, you're wrong about that
18:32 < krzie> ok
18:32 < brain0> p2p can use tls-server/client OR static keys
18:33 < brain0> server mode can only use tls-server/client
18:33 < krzie> gotchya
18:33 < brain0> but still, I think this is a glitch in the openvpn docs
18:33 < brain0> OR it is new in openssl 1.0
18:33 < brain0> because that message is emitted by openssl, not openvpn
18:34 < brain0> the docs state that openvpn only checks the usage type if you specify the "ns-cert-type server" option
18:35 < brain0> I used the "tls-remote $CN" options instead
18:35 < krzie> theres another newer usage type check
18:35 < brain0> can you elaborate?
18:35 < krzie> 1sec
18:35 < krzie> !man
18:35 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:35 < krzie> ill find it
18:38 -!- PeterFA [~Peter@unaffiliated/peterfa] has quit [Ping timeout: 260 seconds]
18:39 < brain0> I've read "man openvpn" from top to bottom at least 5 times
18:39 < brain0> if something is in there, I've read it already
18:43 < krzie> there is
18:43 < krzie> --tls-remote name
18:44 < krzie> !mitm
18:44 < vpnHelper> krzie: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
18:44 < krzie> and
18:44 < krzie> remote-cert-tls server
18:45 < brain0> I use tls-remote "name"
18:45 < brain0> but it still requires the "tls-server" end to have a server type certificate
18:47 < krzie> erm
18:47 < krzie> did you read --tls-remote?
18:47 < krzie> thats the point of it, to verify whatever "name" you pass to it, if no verify no connect
18:47 < brain0> well yes
18:47 < brain0> and that was all fine
18:48 < krzie> so comment it and see if you connect
18:48 < brain0> it does connect now as I said
18:48 < krzie> oh ok
18:48 < krzie> well ya thats why
18:48 < brain0> but as I also said, it required the "server type" certificate, although I nowhere specified that this should be verified
18:48 < krzie> if build-key-server script made it word, i bet you used --tls-remote server
18:49 < brain0> naw, I used: tls-remote $CN
18:49 < brain0> where $CN is the common name of the other endpoint
18:49 < krzie> o right
18:49 < krzie> ok well its all good now either way =]
18:49 < krzie> time for me to watch some UFC
18:51 < brain0> so, maybe that should be documented :)
18:54 < krzie> it doesnt normally require build-key-server
18:54 < krzie> something goofy bout the setup
18:54 < krzie> however, its working now so why change anything
18:59 < brain0> I am just curious
18:59 < brain0> it might actually be caused by recent changes in openssl
18:59 < brain0> sadly, I don't have any setup using an older openssl version than 1.0.0
19:00 < krzie> i see what you're saying
19:00 < krzie> i dont have 1 anywhere either
19:01 < brain0> this setup is cool anyway
19:01 < brain0> I just deleted all the CA data for this p2p setup, esp. the CA private key
19:01 < krzie> so maybe at some point i can setup your style setup, then upgrade openssl
19:01 < brain0> so nobody - not even me - can ever generate new certificates for this case
19:01 < krzie> nice
19:01 < brain0> you just have to love cryptography
19:01 < krzie> wanna pastebin your configs?
19:02 < brain0> sure
19:02 < krzie> ill use them for testing it later
19:02 < krzie> !configs
19:02 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
19:04 < brain0> server: http://pastebin.com/MDfKCbxY client http://pastebin.com/gzkKMaj9
19:06 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
19:08 -!- graffz`` [~graffz@118.175.66.195] has joined ##openvpn
19:08 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
19:10 -!- graffz` [~graffz@118.175.66.195] has quit [Ping timeout: 258 seconds]
19:11 -!- graffz1 [~graffz@118.175.66.195] has joined ##openvpn
19:12 -!- graffz` [~graffz@118.175.66.195] has joined ##openvpn
19:13 < brain0> well, thanks anyway
19:13 < brain0> good night
19:13 -!- brain0 [~brain0@archlinux/developer/brain0] has quit [Quit: leaving]
19:13 -!- OpenUser [~57524f99@gateway/web/freenode/x-goxxredajnhvtwbq] has quit [Ping timeout: 252 seconds]
19:14 -!- graffz`` [~graffz@118.175.66.195] has quit [Ping timeout: 258 seconds]
19:16 -!- graffz1 [~graffz@118.175.66.195] has quit [Ping timeout: 258 seconds]
19:21 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has quit [Remote host closed the connection]
19:33 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
19:37 -!- avdd [~avdd@203.39.34.236] has joined ##openvpn
19:38 -!- avdd [~avdd@203.39.34.236] has left ##openvpn []
19:38 -!- graffz` is now known as graffz
19:39 -!- avdd [~avdd@203.39.34.236] has joined ##openvpn
19:58 -!- avdd [~avdd@203.39.34.236] has quit [Quit: leaving]
20:24 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 264 seconds]
20:25 -!- graffz` [~graffz@118.175.66.195] has joined ##openvpn
20:29 -!- graffz [~graffz@118.175.66.195] has quit [Ping timeout: 258 seconds]
20:56 -!- graffz`` [~graffz@118.175.66.195] has joined ##openvpn
20:57 -!- graffz` [~graffz@118.175.66.195] has quit [Ping timeout: 258 seconds]
20:57 -!- tjz [~pc@bb116-14-141-167.singnet.com.sg] has joined ##openvpn
20:57 -!- tjz [~pc@bb116-14-141-167.singnet.com.sg] has quit [Changing host]
20:57 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:58 -!- graffz` [~graffz@118.175.66.195] has joined ##openvpn
21:02 -!- graffz`` [~graffz@118.175.66.195] has quit [Ping timeout: 258 seconds]
21:15 -!- theDoc [~jaki@69.10.59.166] has joined ##openvpn
21:15 -!- theDoc [~jaki@69.10.59.166] has quit [Changing host]
21:15 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
21:31 -!- graffz`` [~graffz@118.175.66.195] has joined ##openvpn
21:35 -!- graffz` [~graffz@118.175.66.195] has quit [Ping timeout: 258 seconds]
21:35 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
21:45 -!- graffz`` [~graffz@118.175.66.195] has quit [Ping timeout: 258 seconds]
21:53 -!- graffz [~graffz@118.175.66.195] has joined ##openvpn
21:57 -!- graffz` [~graffz@118.175.66.195] has joined ##openvpn
21:57 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
21:58 -!- graffz [~graffz@118.175.66.195] has quit [Ping timeout: 258 seconds]
22:05 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
22:06 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
22:09 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Remote host closed the connection]
22:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
22:14 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
22:26 -!- graffz` [~graffz@118.175.66.195] has quit [Ping timeout: 258 seconds]
22:35 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
22:49 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Disconnected by services]
22:49 -!- DarthGandalf|BNC is now known as DarthGandalf
22:50 -!- DarthGandalf|BNC [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
23:42 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Ping timeout: 252 seconds]
--- Day changed Fri Apr 23 2010
00:25 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
00:50 -!- pawz_ [~pawz@ppp118-208-89-178.lns20.bne4.internode.on.net] has joined ##openvpn
00:54 < pawz_> hi. when i edit easy-rsa/vars to specify my openssl.cnf file location and then source ./vars it looks like it's trying to run the stuff in openssl.cnf with bash because it just gives a heap of command not found errors. my output is http://pastebin.com/rh1fh2m4
00:59 < pawz_> nm, i think i fixed it. the default gentoo config had the wrong sort of quotes. it was trying parse it all through bash
01:19 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
01:21 -!- fink [~guest@1Cust7163.an3.dca17.da.uu.net] has joined ##openvpn
01:22 < fink> are there any known issued using dev tap to bridge to a cloned interface?
01:50 < krzie> fink, you sure you even need a bridge?
01:51 < krzie> !tunortap
01:51 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
01:51 < vpnHelper> krzie: against you over the vpn
01:51 < fink> krzie: well no, i'm not sure; i started out with tun, but tap seemed simpler
01:52 < fink> cool, thanks
01:52 < krzie> no problem
01:53 < krzie> so... lets go further
01:53 < krzie> !goal
01:53 < vpnHelper> krzie: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:56 < fink> krzee: goal = 1; with slight variation
01:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
01:56 < fink> i have a number of jails hosted on a private loopback interface (freebsd), with nat via pf
01:59 < fink> currently, the client can connect, is given an ip, but can't ping the server, and the server can't ping it
02:00 < fink> i suspect something is up with my routes, but it seems like they're all created automatically
02:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:05 < fink> krzie: i think you're right, i'm going to go back to tun and try again. thanks for your help
02:06 < krzie> sry was away
02:06 < krzie> yes, should go to tun
02:06 < krzie> !fbsdjail
02:06 < vpnHelper> krzie: "fbsdjail" is <thei0s> krzie: if you are interested in the solution: I needed to add to hosts rc.conf the creation of tun0 device, create a special devfs ruleset with tun0 unhiden, configure that it is used in the devfs mount point inside chroot in my jail and specify openvpn --dev tun0 parameter and it seems that this is it... so, thank you for assistance and ideas
02:07 < krzie> in case you need it inside a jail ;)
02:07 < fink> no, i'm just running it on the host
02:07 < fink> but thanks
02:07 < krzie> set it u as tun, say something when you have a problem
02:07 < krzie> up*
02:07 < krzie> ill be here
02:07 < fink> ok, thanks
02:07 < krzie> gunna work on a script
02:07 < krzie> but with this window visable
02:08 < fink> are you west coast or europe?
02:08 < krzie> west coast orig, live in caribbean now
02:08 < krzie> its 3am, im just nocturnal
02:08 < fink> 3am for me too
02:08 < fink> thanks, night
02:08 -!- fink [~guest@1Cust7163.an3.dca17.da.uu.net] has quit [Quit: fink]
02:09 < krzie> hah thought he was gunna work on his setu
02:09 < krzie> bleh my P key is dying
02:15 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
02:17 -!- zyant [~zyant@rotterdam.perfect-privacy.com] has joined ##openvpn
02:17 < zyant> ok i have a unique question
02:17 < hyper_ch> I don't think it's a unique question
02:17 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 264 seconds]
02:17 < krzie> nor do i
02:18 < hyper_ch> morning krzie
02:18 < zyant> if you run virtualbox with openvpn on the host but not on the guest, are there any privacy risks?
02:18 < krzie> 3am, good mornin =]
02:18 < hyper_ch> 9am good morning :)
02:19 < hyper_ch> you should be in bed sleeping
02:19 < hyper_ch> zyant: depends on what you mean by privacy risks
02:20 < krzie> zyant, ya i dont really understand the question
02:20 < zyant> would someone be able to obtain my IP, in any way, from the guest while I use the host for surfing or vise-versa 
02:20 < zyant> vice*
02:20 < krzie> im not 100% how virtual box works
02:20 < krzie> does it have a virtual network adapter and i ts own routing table?
02:21 < krzie> does it sit on a bridge or a NAT to the host?
02:21 < hyper_ch> vbox connection can be setup multiple ways... host-only, nat and bridged
02:21 < hyper_ch> and you can also select what interface to use
02:21 < krzie> ok, like my vmware
02:21 < krzie> gotchya
02:21 < krzie> so
02:21 < krzie> if you were to setup bridge on vbox, and bridge in openvpn, yes
02:21 < hyper_ch> the only think I miss in vbox is to make easy screenshots :)
02:21 < hyper_ch> vmware does it nicely
02:22 < krzie> however, if you were NAT vbox and tun in host, for sure no
02:22 < zyant> I forgot, which type uses the connection of the host?
02:24 < zyant> hello?
02:25 < krzie> umm
02:25 < krzie> depends what you mean
02:25 < krzie> the NAT way, vbox would be on its own subnet
02:25 < krzie> the bridge way, it would be on the same subnet as the host
02:26 < krzie> but the switch must be ok with 2 MACs coming from the same NIC
02:26 < krzie> some dont like it
02:27 < krzie> however, for openvpn its easier to decide...
02:27 < krzie> use tun
02:27 < krzie> unless you need something specifically in layer2 over the vpn
02:27 < krzie> in which case use tap bridge
02:28 < zyant> sorry this is a bit over my head :S
02:31 < pawz_> i've configured my server and client keys as described in the openvpn howto and used the client and server.conf files as a guide and i'm getting this error on my client side: http://pastebin.com/uaBvD1sr  Any idea what that means ?
02:42 < pawz_> ahh no matter i think i know what i did wrong
02:42 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
02:45 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
02:51 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
02:51 < krzie> !factoids search cert
02:51 < vpnHelper> krzie: 'servercert', 'certs', 'nocert', 'certverify', and 'certinfo'
02:51 < krzie> !certinfo
02:52 < vpnHelper> krzie: "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
02:52 < krzie> !certverify
02:52 < vpnHelper> krzie: "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
02:52 < krzie> are you using nscerttype server in your client config?
03:09 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
03:18 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
03:22 -!- dazo_afk is now known as dazo
03:55 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
04:30 -!- DarthGandalf|BNC [~Vetinari@shellium/developer/darthgandalf] has quit [Quit: Bye]
04:36 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
04:36 -!- mode/##openvpn [+o mattock] by ChanServ
05:16 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Quit: Leaving...]
05:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
05:41 -!- Sp4rKy [~Sp4rKy@freenode/sponsor/sp4rky] has joined ##openvpn
05:42 < Sp4rKy> hi, I'm trying to have a PtP with the server behind a NAT
05:42 < Sp4rKy> the configs http://paste.dunnewind.net/show/398/
05:43 < Sp4rKy> port 2003 is NAT to the server
05:43 < Sp4rKy> the connection seems to be established, but timeout (no answer to the ping)
05:46 < Sp4rKy> http://paste.dunnewind.net/show/399/ the logs on the client syslog
05:47 < krzie> why not give them ips in same subnet?
05:48 < Sp4rKy> it's a pretty complexe setup
05:48 < Sp4rKy> 10.x ips are in /32
05:49 < Sp4rKy> but it works perfectly well with 12 servers 
05:49 < theDoc> krzee> I still can't wrap my head around why anyone would want to tunnel pptp INSIDE openvpn, might as well just ditch pptp.
05:49 < krzie> ptp
05:49 < krzie> point to point
05:49 < krzie> ;]
05:49 < Sp4rKy> but the one which does not work is behind a NAT
05:50 < krzie> ahh interesting
05:50 < krzie> followed the tcpdump?
05:50 < theDoc> Sp4rKy> What kind of a device is doing the NAT'ing?
05:51 < Sp4rKy> a gateway with shorewall
05:51 < krzie> did you not only forward the port but also open it?
05:51 < Sp4rKy> sure
05:51 < Sp4rKy> in fact, if I telnet from the server to the public ip, port 2003
05:52 < Sp4rKy> and type some random string
05:52 < Sp4rKy> I have error messages in the server log
05:52 < Sp4rKy> Authenticate/Decrypt packet error: missing authentication info
05:52 < krzie> client have a fw?
05:52 < krzie> telnet? this is tcp?
05:53 < krzie> your client log shows udp
05:53 < theDoc> Sp4rKy> Check your client/server assigned protocol
05:53 < theDoc> Both udp?
05:53 < Sp4rKy> no it's udp
05:53 < Sp4rKy> I used nc -u
05:53 < krzie> you said telnet :-p
05:53 < Sp4rKy> yep
05:53 < Sp4rKy> I said wrong :)
05:54 < krzie> what verb is that log?
05:54 < Sp4rKy> verb 7 
05:54 < krzie> show me server log too
05:54 < Sp4rKy> ok
05:54 < krzie> in the remote
05:55 < krzie> you xxx'ed the ip:port
05:55 < krzie> however, that is relevant
05:55 < Sp4rKy> only the ip
05:55 < krzie> well you need to specify ort
05:55 < krzie> port
05:55 < Sp4rKy> where ? 
05:55 < krzie> ip port
05:56 < Sp4rKy> on which config  ?
05:56 < krzie> client
05:56 < Sp4rKy> there is 
05:56 < krzie> remove --port
05:56 < krzie> use remote ip port
05:56 < Sp4rKy> ok
05:56 < Sp4rKy> I try
05:56 < krzie> and show me logs after stopping starting from both on verb 5
05:57 < Sp4rKy> ehh ... it works
05:57 < krzie> cool =]
05:57 < Sp4rKy> with remote ip port
05:57 < krzie> --port  is for listening
05:57 < krzie> you can add nobind to your client
05:58 < Sp4rKy> but .. why does my setup works for the other nodes ? 
05:58 < krzie> *shrug* if they arent broke we dont need to fix them
05:58 < krzie> but default port is 1194
05:58 < krzie> if server doesnt have --port it will use that
05:59 < krzie> if remote doesnt have port, also uses that
06:01 < Sp4rKy> netstat -anup says they do not listen on port 1194
06:01 < Sp4rKy> but on the ones defined by "port" directive in the config file
06:02 < krzie> right, because they have --port
06:03 < krzie> btw you only need clients listening, can use nobind to do that
06:05 < Sp4rKy> k
06:05 < Sp4rKy> thanks 
06:05 < krzie> np
06:10 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
06:12 < Sp4rKy> krzie: does this behaviour changed in recent openvpn versions ? 
06:12 < Sp4rKy> the remote host port seems not to work on the other nodes
06:13 < Sp4rKy> arggg
06:14 < Sp4rKy> in fact, it does not work correctly on the previous case
06:14 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
06:14 < Sp4rKy> it uses port 1194
06:14 < Sp4rKy> instead of the defined port
06:14 < Sp4rKy> if I use the remote host port syntax
06:14 < krzie> maybe it did change
06:15 < krzie> ive been on 2.1 since the rc's started, has been ahwile
06:15 < krzie> lets see
06:15 < krzie> !man
06:15 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
06:15 < Sp4rKy> I'm using 2.1rc and 2.1.0 
06:15 < krzie> --remote host [port]
06:15 < krzie> even in 2.0
06:16 < krzie> use 2.1.1
06:16 < krzie> i forget what the error was on 2.1.0, and rc obviously had known bugs
06:16 < krzie> otherwise they would have been final ;]
06:27 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
07:51 -!- kslen [~idkfa@static229-147.adsl.no] has quit [Ping timeout: 245 seconds]
07:52 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:56 -!- kslen [~idkfa@static229-147.adsl.no] has joined ##openvpn
07:59 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
08:00 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
08:36 -!- gngkai [~marco@ip-45-99.sn3.eutelia.it] has joined ##openvpn
08:36 < gngkai> hi
08:36 < gngkai> anyone know is there is a openvpn client for iphone?
08:36 < krzie> !iphone
08:36 < vpnHelper> krzie: "iphone" is http://www.lqx.net/tuntap-iphone.source.tgz for first attempt at getting openvpn on iphone
08:37 < krzie> ild be interested in hearing how it goes
08:37 < krzie> its quite the ugly hack
08:37 < gngkai> 404 not found
08:37 < krzie> (to get around there not being tuntap drivers)
08:37 < krzie> aww damn!
08:38 < theDoc> http://www.youtube.com/watch?v=10soDkucSWU
08:38 < vpnHelper> Title: YouTube - Ring Ring (at www.youtube.com)
08:38 < theDoc> Trip on it.
08:38 < krzie> http://www.google.com/search?client=opera&rls=en&q=tuntap-iphone.source.tgz&sourceid=opera&ie=utf-8&oe=utf-8
08:38 < vpnHelper> Title: tuntap-iphone.source.tgz - Google Search (at www.google.com)
08:42 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Read error: Operation timed out]
08:43 < krzie> http://article.gmane.org/gmane.network.openvpn.user/28033/match=iphone
08:43 < vpnHelper> Title: Gmane -- Mail To News And Back Again (at article.gmane.org)
08:46 < gngkai> krzie:  in short, that's for jailbreak...
08:46 < gngkai> I presume
08:46 < krzie> umm dude
08:46 < krzie> you have to have it jailbroken to have ANY chance
08:46 < krzie> nobody made a pretty iphone app, its a total hack
08:47 < krzie> you gotta ssh
08:47 < krzie> or drop to a CLI
08:47 < gngkai> ah ok, sorry if I ask, but that's for a customer of mine.  I don't know iphone
08:47 < krzie> ok well theres no official suport for iphone, but people have made it work
08:48 < krzie> he will need it jailbroken, he will need to know normal unix CLI, and he can try that link
08:48 < gngkai> so in thousand of apps , no one wrote a openvpn client available in the appstore...
08:48 < krzie> correct
08:48 -!- meepmeep_ [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 260 seconds]
08:48 < theDoc> No, mainly because of the tun/tap adapter thing.
08:48 < gngkai> I'm surprised ;)
08:48 < krzie> its totally new that anyone got it working period
08:49 < krzie> i was wishing for it for yrs
08:49 < krzie> they didnt even get tuntap workin
08:49 < krzie> they found a crazy workaround
08:49 < krzie> which is ugly and hackish
08:49 < krzie> but hell, people reported success!
08:53 < gngkai> krzie:  but it need jailbreak...
08:53 < theDoc> Yes, that's right.
08:53 < theDoc> and even so, it was still as ugly as hell.
08:53 < gngkai> bad news
08:53 < gngkai> ok thanks
08:58 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
09:02 < krzie> np
09:11 -!- notbrien [~notbrien@208.82.13.214] has quit [Remote host closed the connection]
09:12 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
09:20 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
09:35 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
09:39 -!- gngkai [~marco@ip-45-99.sn3.eutelia.it] has quit [Quit: Leaving]
09:49 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Ping timeout: 260 seconds]
09:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:00 < krzie> http://github.com/jfx2006/OpenVPN_iphone/downloads
10:00 < vpnHelper> Title: Downloads for jfx2006's OpenVPN_iphone - GitHub (at github.com)
10:00 < krzie> doh he left too soon
10:00 < krzie> i found precompiled iphone binaries
10:00 < krzie> !learn iphone as http://github.com/jfx2006/OpenVPN_iphone/downloads for precompiled iphone binaries
10:00 < vpnHelper> krzie: Joo got it.
10:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
10:08 -!- Bloodsong [~Nimbus@bas2-barrie18-1178019924.dsl.bell.ca] has joined ##openvpn
10:13 -!- macsppadic [~sonupunno@82.109.74.162] has left ##openvpn []
10:14 < krzie> Bushmills, here?
10:22 < Bushmills> now i am
10:27 -!- Bloodsong [~Nimbus@bas2-barrie18-1178019924.dsl.bell.ca] has quit [Ping timeout: 240 seconds]
10:28 -!- fink [~guest@static-162-84-93-164.fred.east.verizon.net] has joined ##openvpn
10:28 < dazo> krzie: OpenVPN_iphone ... using .deb packages!?
10:31 < dazo> indeed ... the wiki explains how to do it 
10:38 -!- zyant [~zyant@rotterdam.perfect-privacy.com] has quit [Remote host closed the connection]
10:43 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
11:03 -!- WormFood [~wormfood@121.15.47.33] has quit [Read error: Operation timed out]
11:16 -!- WormFood [~wormfood@121.34.164.80] has joined ##openvpn
11:19 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
11:28 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:30 -!- fink [~guest@static-162-84-93-164.fred.east.verizon.net] has quit [Quit: fink]
11:30 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:40 -!- MTecknology [~MTeck@kalliki/admin/pdpc.supporter.mtecknology] has joined ##openvpn
11:42 -!- MTecknology [~MTeck@kalliki/admin/pdpc.supporter.mtecknology] has left ##openvpn ["I was in this channel. Then I left."]
11:57 -!- Bloodsong [~Nimbus@bas2-barrie18-1178019924.dsl.bell.ca] has joined ##openvpn
12:01 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:10 -!- DarthGandalf is now known as DarthGandalf|BNC
12:12 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
12:23 -!- Bloodsong [~Nimbus@bas2-barrie18-1178019924.dsl.bell.ca] has quit [Ping timeout: 265 seconds]
12:43 -!- Bloodsong [~Nimbus@bas2-barrie18-1178019924.dsl.bell.ca] has joined ##openvpn
12:45 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
12:45 -!- DarthGandalf|BNC is now known as DarthGandalf
13:01 -!- dunc [~dunc@2a01:348:1d2:1212:219:d2ff:febd:78f] has joined ##openvpn
13:03 -!- muh2000 [~muh2000@unaffiliated/muh2000] has joined ##openvpn
13:03 < muh2000> hi
13:06 < muh2000> is it possible to use 2 openvpn connection each on a seperate line(same site) to bundle the combinded bandwidth of the dsl/cable/whatever internetconnections. server side would be 100mbit root server in a data center...
13:30 < muh2000> would look something like that: http://imagebin.ca/view/2uOT07Id.html
13:30 < vpnHelper> Title: openvpn.png (at imagebin.ca)
13:38 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
13:42 -!- MadTBone [~MadTBone@160.39.238.196] has joined ##openvpn
13:42 < dazo> muh2000: I would say that should be possible, at least in Linux ... I don't recall how such "bundling" was done, but it's possible to do it on ordinary ethernet devices, so openvpn in TAP mode should be doable then
13:43 < muh2000> yeah trunking on normal eth devs
13:44 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Client Quit]
13:45 < muh2000> i think i have to bridge the vpns together and omit the ip settings of one tunnel.
13:46 < dazo> muh2000: tun/tap devices are almost the same as physical devices.  The only difference is that instead of putting traffic unto copper, it sends it to an application ... the difference between tun and tap are that tun goes on the IP level, while tap uses ethernet frames ... so tap is even closer to a real virtual ethernet device
13:47 < dazo> muh2000: on Linux, it's called bonding ... http://www.linuxfoundation.org/collaborate/workgroups/networking/bonding
13:47 < vpnHelper> Title: bonding | The Linux Foundation (at www.linuxfoundation.org)
13:48 < muh2000> i am going to read that, thnx dazo
13:49 < dazo> muh2000: you're welcome :)
13:49  * dazo starts the weekend ... late but good :)
13:50 -!- dazo is now known as dazo_afk
13:50 < muh2000> :D
13:54 -!- MadTBone [~MadTBone@160.39.238.196] has joined ##openvpn
13:56 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has joined ##openvpn
14:01 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
14:12 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
14:16 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
14:17 -!- Nokio [~gvachon@69.70.231.230] has joined ##openvpn
14:19 -!- graffz [~graffz@118.175.66.195] has joined ##openvpn
14:20 < Nokio> Hi all, I have a serveur with 2 WAN both work fine I can ssh from the WAN to either of those 2 ISP and it work. If i configure my vpn and use it using my first ISP it work. But when I use the second ISP it does not work. Packet enter via the second ISP but try to get out using the first ISP. What do you think ? Should i provide on the server the "local ip_addresse" in my server config file?
14:21 < Nokio> !welcome
14:21 < vpnHelper> Nokio: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:22 < Nokio> !iporder
14:22 < vpnHelper> Nokio: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
14:22 < Nokio> !static
14:22 < vpnHelper> Nokio: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
14:25 -!- Bloodsong [~Nimbus@bas2-barrie18-1178019924.dsl.bell.ca] has quit [Quit: Leaving]
14:34 -!- Nokio [~gvachon@69.70.231.230] has quit [Quit: Leaving]
14:40 -!- geek_cl [~geek@190.54.47.162] has joined ##openvpn
14:40 < geek_cl> alguien habla español / somebody speak spanish ?
14:41 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
14:43 < hyper_ch> !en
14:43 < vpnHelper> hyper_ch: Error: "en" is not a valid command.
14:44 < geek_cl> !es 
14:44 < vpnHelper> geek_cl: Error: "es" is not a valid command.
14:45 < Bushmills> yes. you do.
14:51 -!- [mutex]_ [~portn0k@unaffiliated/mutex/x-1106097] has joined ##openvpn
14:54 < geek_cl> i see many any iptables how to in the openvpn site, but i can't make a good conection: my openvpn.conf and iptables script http://fpaste.org/5O5c/
14:55 < geek_cl> somebody can see that paste please ? 
14:57 < [mutex]_> http://pastie.org/private/0qnvxjrmmyvzewm0ul15fw <-- server/client config/logs.  goal: all the machines on my office network are on 10.0.0.0/24.  i'm getting a 10.0.1.6 ip when i connect with the client machine from my home.  i cannot ping or connect to any machine on the 10.0.0.0/24 network at my office.  why not?
14:58 < geek_cl> !welcome
14:58 < vpnHelper> geek_cl: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:58 < geek_cl> !configs
14:58 < vpnHelper> geek_cl: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
14:58 < [mutex]_> !route
14:58 < vpnHelper> [mutex]_: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:03 < geek_cl> hyper_ch: please can you see this: http://fpaste.org/5O5c/
15:08 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has joined ##openvpn
15:09 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has quit []
15:09 < [mutex]_> i just read that, and tried the things it suggested without any luck.  i've found that `ipconfig` on the Windows client machine returns no "Default Gateway" for the vpn interface.  i've been working on this for about 2 weeks now with absolutely no luck.  i hate to just give up but i really cant afford to waste any more time on this.
15:10 < krzie> you using redirect-gateway?
15:11 < krzie> windows client on dialup?
15:11 < krzie> (asking you [mutex]_)
15:12 < newmember> [mutex]_ make sure you have logging on to 'verb 3'
15:12 < newmember> then look at the logs
15:13 < newmember> you want to see a "push" statement like this
15:13 < newmember> Fri Apr 23 14:12:00 2010 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 192.168.0.0 255.255.255.0,ifconfig 192.168.3.6 192.168.3.5'
15:13 < newmember> if there is no push, there is no route
15:14 < [mutex]_> sorry krzie / newmember was talking to a client
15:15 < [mutex]_> krzie: no the windows client is on a t1, likewise with the server.
15:15 -!- geek_cl [~geek@190.54.47.162] has quit [Read error: Connection reset by peer]
15:15 -!- BashLogic [~BashLogic@NS1.Kielletty.net] has quit [Ping timeout: 276 seconds]
15:16 -!- BashLogic [~BashLogic@NS1.Kielletty.net] has joined ##openvpn
15:16 < [mutex]_> also newmember, verb 3 is set.  and i do have that line in my config -> Fri Apr 23 14:07:01 2010 PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.0 255.255.555.0,dhcp-option DNS 10.0.0.1,route 10.0.1.0 255.255.255.0,ifconfig 10.0.1.6 10.0.1.5'
15:18 < krzie> !configs
15:18 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
15:18 < krzie> does the server have IP forwarding enabled?
15:18 < [mutex]_> http://pastie.org/private/0qnvxjrmmyv13:56 < [mutex]_> http://pastie.org/private/0qnvxjrmmyvzewm0ul15fw <-- server/client config/logs. 
15:18 < [mutex]_> oops
15:18 < [mutex]_> ;p
15:19 < [mutex]_> aye.  it does
15:19 < krzie> lose the ifconfig
15:19 < [mutex]_> in client?
15:19 < krzie> both
15:20 < [mutex]_> k. sec
15:20 < krzie> you can lose the tls-client/tls-server 
15:21 < krzie> they are included in 'server' and 'client'
15:21 < krzie> mode server can go byebye for same reason
15:21 < krzie> 10.0.0.0/24 should be the lan behind the server
15:21 < krzie> NO CLIENTS can connect from 10.0.0.0/24 without a problem
15:22 < krzie> (if they are road warriors, you should change your server LAN subnet)
15:22 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has joined ##openvpn
15:23 < [mutex]_> removed all that extra stuff.  
15:24 < [mutex]_> 10.0.0.0/24 is the lan behind the server
15:24 < [mutex]_> my network here at home is on 192.168.1.0/24 so no issue there
15:24 < [mutex]_> and im not sure what you mean by road warriors
15:25 < [mutex]_> nevertheless, restarted everything and i get teh same problem
15:26 < zoredache> if I am running a couple different openvpn server instances with different access policies should I have a different dh parameters for each?  Is there any danger in using the same dh parameters file for many vpns on a single server?
15:27 < krzie> people who are on the move changing subnets based (often) on whatever wireless they end up on
15:27 < [mutex]_> oh gotcha, yeah well thats not the case
15:27 < krzie> [mutex]_, did you add a route to the server's router?
15:27 < krzie> as shown in ROUTES TO ADD OUTSIDE OPENVPN in !route
15:28 < [mutex]_> yes 
15:28 < krzie> zoredache, no reason to not use different ones
15:28 < [mutex]_> ;/
15:28 < krzie> [mutex]_time to break out your tcpdump
15:29 < zoredache> krzie: You are probably right, I am just getting impatient at watching the computer generate them...
15:30 < zoredache> figured I would ask if I was wasting my time while I wait
15:30 -!- geek_cl [~geek@190.54.47.162] has joined ##openvpn
15:31 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
15:32 < [mutex]_> [root@n8colorado ~
15:32 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
15:33 -!- muh2000 [~muh2000@unaffiliated/muh2000] has quit [Remote host closed the connection]
15:37 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:42 < newmember> [mutex]_ the webmin openvpn module made my life really easy to manage our openvpn servers.  its a gui and helps make changes really fast.
15:42 < newmember> [mutex]_I like that I can have multiple openvpn server configs
15:43 < [mutex]_> interesting
15:43 < krzie> very interesting
15:43 < [mutex]_> ive never used webmin with freebsd
15:43 < newmember> http://www.webmin.com/cgi-bin/search_third.cgi?search=openvpn
15:43 < vpnHelper> Title: Webmin (at www.webmin.com)
15:43 < krzie> i never heard of a decent web ui
15:43 < [mutex]_> http://www.webmin.com/cgi-bin/search_third.cgi?search=openvpn
15:43 < [mutex]_> oops
15:43 < [mutex]_> stupid PuTTY
15:44 < newmember> it creates keys on demand, then you can assign the keys to a user and to a server
15:44 < newmember> it doesnt say, but you ahve to remember to create a CA key for a user first, then go to the server and then add the CA to that server
15:45 < newmember> it also exposes all the optional config spaces for users and servers
15:52 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Operation timed out]
15:53 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
15:56 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
15:58 -!- geek_cl [~geek@190.54.47.162] has quit [Read error: Connection reset by peer]
15:58 < krzie> so your vpn infrastructure is as secure as your webserver
15:59 < krzie> my CA doesnt even connect to a network
16:11 -!- graffz` [~graffz@118.175.66.195] has joined ##openvpn
16:14 -!- geek_cl [~geek@190.54.47.162] has joined ##openvpn
16:14 -!- graffz [~graffz@118.175.66.195] has quit [Ping timeout: 258 seconds]
16:30 -!- graffz` is now known as graffz
17:07 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
17:11 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
17:11 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
17:18 -!- geek_cl [~geek@190.54.47.162] has quit [Quit: Saliendo]
17:21 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
17:23 -!- notbrien [~notbrien@208.82.13.214] has quit [Read error: Operation timed out]
17:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
17:38 -!- graffz [~graffz@118.175.66.195] has quit [Quit: stfu & gtfo]
18:08 < krzie> whats the default windows config dir?
18:08 < krzie> i know the gui has a default dir for configs...
18:18 < zoredache> same place as the gui I believe
18:19 < zoredache> %profilefiles%\openvpn\config\
18:21 < krzie> thanx
18:21 < krzie> i dont use win
18:21 < krzie> does it come with a standard ccd dir?
18:22 < zoredache> not to my knowledge, but I only use windows as a client
18:22 < krzie> perfect answer tho
18:22 < krzie> if your client didnt come with a ccd dir pre-made, then its a nope
18:23 < zoredache> or rather I only have to configure windows as a client.  
18:23 < zoredache> I don't personally use it as a client.  
18:23 < krzie> gotchya
18:29 -!- upb [cmpxchg@preteam.org] has joined ##openvpn
18:29 < upb> hai
18:29 < upb> is it possible to make openvpn server bind to multiple ip's ?
18:29 < upb> in tcp mode
18:34 < zoredache> don't specify any ip address and it will bind to them all?
18:34 < upb> yes 
18:34 < upb> f***g braindead
18:34 < zoredache> just uncomment the 'local 1.1.1.1'
18:35 < upb> so there is no way to selectively bind to addresses ?
18:35 < zoredache> on my linux boxes I bind to one address and just setup NAT rules to forward to the right address
18:35 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
18:36 < zoredache> I don't know if it is or is not possible though.
18:36 < Bushmills> upb: there is
18:38 < Bushmills> oh, zoredache found it already
18:38 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has quit [Ping timeout: 265 seconds]
18:40 < upb> binding to 0.0.0.0 is not binding to multiple addresses
18:40 < rob0> I think it is all (0.0.0.0) or only one.
18:41 < Bushmills> binds to all interfaces. what more interfaces than all do you want to bind to?
18:41 < upb> some ip's on one interface and one ip on another
18:42 < upb> ok so its not possible, thx
18:43 < Bushmills> running from xinetd would be an option 
18:45 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
18:45 < upb> ...
18:46 -!- upb [cmpxchg@preteam.org] has left ##openvpn []
18:56 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
19:04 < krzie> lol
19:15 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
19:16 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
19:17 < rob0> There are tons of workarounds, but I don't think xinetd is one of them.
19:19 < Bushmills> well, there is one more, then.
19:32 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Ping timeout: 265 seconds]
19:32 < rob0> I don't think openvpn would run from inetd without patching.
19:43 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Quit: Leaving.]
20:00 < krzie> www.doeshosting.com/code/openvpn-confgen.tgz
20:00 < krzie> im just going to make the help functions, clean up some stuff and its done
20:12 < Bushmills> rob0: then it is sort of surprising that openvpn has command line option for being run from inetd
20:15 < krzie> heh
20:21 < Bushmills> yes! my wlan router works as net boot server :)
20:22 < krzie> haha you get your moneys worth out of that thing
20:23 < Bushmills> most sensible machine here to boot frim
20:23 < Bushmills> from
20:23 < rob0> Bushmills, wow, I never saw that one before.
20:24 < rob0> Looks like a 1.x remnant.
20:24 < Bushmills> never tried it, but noticed that it was there
20:24 < rob0> (Like me for that matter, I was big into 1.x)
20:32 < Bushmills> krzie: it indeed is adding up functionality as I go on loading more stuff into it. quite i like its nsupdate of remote dns through domain keys, that it runs openvpn of course, is node for drawing misc graphs with system parameters from, (is node for munin). soon it will become a music server.  
20:32 < Bushmills> zone keys
20:33 < Bushmills> oh, and it flashes morse at me
20:33 < Bushmills> when its dhcp client requests an ip address, it flashes "cq cq cq"
20:34 < Bushmills> usually it just flashes the number of connected hosts.
20:35 < krzie> haha thats dope
20:35 < krzie> how much was it?
20:36 -!- tjz [~pc@bb116-14-141-167.singnet.com.sg] has joined ##openvpn
20:36 -!- tjz [~pc@bb116-14-141-167.singnet.com.sg] has quit [Changing host]
20:36 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:36 < Bushmills> 53$
20:38 < Bushmills> about the pxe boot server i'm rather happy, because of the always-on character of the wifi-router.
20:39 < Bushmills> had boot servers running before, but not on a dedicated machine which remained on
20:40 < Bushmills> that's also the idea of the music server in the router - can use it even when the computer is off
20:41 < Bushmills> i might have to add some morse input through the qss button, the only means of giving it input, other than over the net
20:48 -!- itright [~itright@213.163.65.50] has joined ##openvpn
20:52 -!- scoil is now known as PuppyNuts
21:50 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
22:13 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
22:16 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
22:55 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:12 -!- corretico_ [~laguilar@201.201.46.106] has joined ##openvpn
23:16 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 276 seconds]
23:18 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has joined ##openvpn
23:20 < ralphte> I keep getting the error when i try to start openvpn "Cannot open keys/lucidnetwork/dh2048.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file" The file exist i check recheck and rechecked i even gave is chmod 777 premssions still nothing tryed eveything can not get openvpn to start
23:21 < ralphte> had openvpn working did a server reboot now i get this
23:22 < ralphte> checked the config and the file location is right
23:55 < Bushmills> try absolute path
23:59 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
--- Day changed Sat Apr 24 2010
00:00 < ralphte> did it no dice
00:10 < Bushmills> what's the error now?
00:13 < ralphte> same one
00:14 < ralphte> here is the full eroor
00:14 < ralphte> error
00:15 < Bushmills>  keys/lucidnetwork...  is not an absolute path
00:16 < Bushmills> where is dh2048.pem?
00:21 < ralphte> Fri Apr 23 04:11:13 2010 Warning: Error redirecting stdout/stderr to --log file: servers/VPN1/logs/openvpn.log: No such file or directory (errno=2)
00:21 < ralphte> Fri Apr 23 04:11:13 2010 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar  8 2007
00:21 < ralphte> Fri Apr 23 04:11:13 2010 Note: cannot open servers/VPN1/logs/openvpn-status.log for WRITE
00:21 < ralphte> Fri Apr 23 04:11:13 2010 Cannot load certificate file keys/lucidnetwork/server.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
00:21 < ralphte> Fri Apr 23 04:11:13 2010 Exit
00:21 < ralphte> i pluged in the absolute paths for all the keys and not it just hangs when i run the command
00:22 < ralphte> open vpn was working then i rebooted not it wont work
00:24 < ralphte> now 
00:25 < Bushmills> looks like a discrepancy between error message and supposed setup - error message spits out relative paths, while - as you say - you have configured absolute paths
00:26 < Bushmills> make sure you load the correct config file
00:28 < ralphte> ya i hear ya i am useing this command " openvpn --config /etc/openvpn/VPN1.conf
00:28 < Bushmills> pastebin the config
00:29 < ralphte> hold one
00:29 < ralphte> server restarting
00:32 < ralphte> ok found out something
00:32 < ralphte> if i put the absolute paths the command will not work at all
00:32 < ralphte> if i take them out it will start but say that it cant find the files
00:34 < ralphte> here is the config without absolute pathshttp://pastesite.com/14993
00:36 < ralphte> openvpn will not start with that config and absolute paths
00:37 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
00:45 -!- fink [~guest@1Cust2732.an2.dca17.da.uu.net] has joined ##openvpn
00:46 -!- fink [~guest@1Cust2732.an2.dca17.da.uu.net] has quit [Remote host closed the connection]
00:47 -!- fink [~guest@1Cust2732.an2.dca17.da.uu.net] has joined ##openvpn
00:47 < fink> hey krzee 
00:47 < fink> i mean krzie 
00:47 < fink> sorry
00:49 -!- openvpn [openvpn@atlantis.openvpn.org] has quit [Ping timeout: 276 seconds]
00:49 -!- openvpn [openvpn@atlantis.openvpn.org] has joined ##openvpn
01:07 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
01:43 -!- metaleks [~kev@66.208.128.131.reshall.uri.edu] has joined ##openvpn
01:43 < metaleks> who's around?
01:43 < metaleks> anybody?
01:43 < hyper_ch> nobody's around
01:44 < metaleks> hey
01:44 < hyper_ch> it's early morning
01:44 < metaleks> you're around
01:44 < hyper_ch> no
01:44 < hyper_ch> I just pretend to be
01:44 < metaleks> you're clever
01:44 < metaleks> anyways, i'm connected to my VPN right now
01:44 < metaleks> using OpenVPN
01:44 < metaleks> but no traffic is going through it
01:44 < metaleks> what's going on?
01:44 < hyper_ch> you did something wrong :)
01:44 < metaleks> again, clever
01:44 -!- itright [~itright@213.163.65.50] has quit [Quit: itright]
01:45 < metaleks> wonderful, one retard
01:45 < metaleks> and nobody else around
01:45  * metaleks sighs
01:45 < hyper_ch> so, if nobody's around but you
01:45 < hyper_ch> and you state one retard is around
01:46 < hyper_ch> that leds to certain assumptions :)
01:46 -!- metaleks [~kev@66.208.128.131.reshall.uri.edu] has left ##openvpn []
02:02 -!- metaleks [~kev@66.208.128.131.reshall.uri.edu] has joined ##openvpn
02:03 -!- metaleks [~kev@66.208.128.131.reshall.uri.edu] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
02:27 -!- krzie [nobody@unaffiliated/krzee] has quit [Remote host closed the connection]
02:32 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
02:40 -!- fink [~guest@1Cust2732.an2.dca17.da.uu.net] has quit [Quit: fink]
03:14 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
03:31 -!- krzie [nobody@unaffiliated/krzee] has quit [Ping timeout: 276 seconds]
03:46 -!- gallatin [~gallatin@188.109.205.173] has joined ##openvpn
03:57 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
04:10 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 276 seconds]
04:26 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
04:27 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 240 seconds]
04:29 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
04:53 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 276 seconds]
05:01 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
05:02 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
05:04 < krzie> !learn confgen as http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
05:04 < vpnHelper> krzie: Joo got it.
05:04 < hyper_ch> hmmmm, bash config generator
05:04 < hyper_ch> that sounds promising
05:05 < hyper_ch> will it also add a take-over-the-world button to openvpn?
05:06 < rob0> OpenVPN won't take over the world. It will just tunnel under it until the world collapses.
05:06 < hyper_ch> hmmmm, collapser of worlds... I wouldn't mind that title :)
05:19 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
05:19 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
05:24 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 276 seconds]
05:25 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
05:43 -!- vlt is now known as fbi
05:44 -!- fbi is now known as vlt
05:50 -!- mudassar [~quassel@h85-8-0-70.static.se.alltele.net] has joined ##openvpn
05:51 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
05:51 < mudassar> hello people I have a problem in setting up the openvpn 
05:59 -!- screenn [~screenn@77.222.135.254] has joined ##openvpn
06:00 < screenn> may I use config file to start several tunnels with  static-key  security
06:01 < screenn> ?
06:02 < screenn> web page openvpn.net has an error "DB function failed with error number 145"
06:18 -!- mudassar [~quassel@h85-8-0-70.static.se.alltele.net] has quit [Remote host closed the connection]
06:21 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
06:30 -!- gallatin [~gallatin@188.109.205.173] has quit [Quit: Client exiting]
07:23 -!- screenn [~screenn@77.222.135.254] has quit [Quit: Leaving]
07:34 -!- fjm [~user@p578b665c.dip0.t-ipconnect.de] has joined ##openvpn
07:34 < fjm> Hi guys.
07:35 < fjm> My computer is a client in an openvpn network. the server always pushes a default route onto my computer. how can i prevent this on the client side?
07:36 < fjm> i thought about something like a post-up script doing "ip route del" but it would be a better to use a configuration builtin if there is any
07:42 < hyper_ch> !ccd
07:42 < vpnHelper> hyper_ch: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
08:06 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:32 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Quit: Leaving...]
08:32 -!- fink [~guest@1Cust231.an3.dca17.da.uu.net] has joined ##openvpn
09:11 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
09:13 -!- fjm [~user@p578b665c.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds]
09:24 -!- fjm [~user@123.108.110.206] has joined ##openvpn
09:26 -!- Niklas- [~niklas@217.116.253.195] has joined ##openvpn
09:27 < Niklas-> Hey. Is it possible to prevent openvpn from creating arp entries for remote hosts, when it's using tap?
09:30 -!- fjm [~user@123.108.110.206] has quit [Ping timeout: 246 seconds]
09:32 -!- fjm [~user@p578b665c.dip0.t-ipconnect.de] has joined ##openvpn
09:41 < ralphte> for all note to self DISABLE selinux when setting up openvpn
09:41 < ralphte> it could make you pull your hair out
09:42 < ralphte> and make you wanna kill a small baby 
09:44 < fink> ;)
09:48 < ralphte> i do have a open question for all. What the best way to setup openvpn for this setup. I want a openvpn server and openvpn clients but each client will have there own network behind there tunnle i want all the network to be routable over the vpn?
09:50 < fink> ralphte: there's section in the manual on that
09:51 < ralphte> to easy i will check it out then reply when i get stuck lol
09:55 -!- fink [~guest@1Cust231.an3.dca17.da.uu.net] has quit [Quit: fink]
10:08 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:10 < krzie> hyper_ch, feel free to help me test =]
10:14 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has quit [Read error: Connection reset by peer]
10:20 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has joined ##openvpn
10:24 < ralphte> when ever i use puch route it messes up my routes because openvpn is sending me a route for the network i am alreayd part of
10:24 < ralphte> push
10:25 < ralphte> it also is sending a route for a network on the otherside of the VPN but i dont need the one that is local
10:34 -!- fink [~guest@1Cust231.an3.dca17.da.uu.net] has joined ##openvpn
10:36 < fink> when my freebsd box boots, openvpn starts after pf; my pf.conf refers to tun0, but pf can't find that interface, so it can't parse its config file, so i get this error: pfctl: Syntax error in config file: pf rules not loaded
10:36 < fink> which results in me being locked out after boot
10:37 < fink> should i just define tun0 in rc.conf?
10:38 < fink> !welcome
10:38 < vpnHelper> fink: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:38 < fink> hehe
10:44 < ralphte> how do you tell openvpn not a puch a route that the client already knows about??
10:45 < ralphte> "push"
10:46 < fink> ralphte: which route?
10:46 < ralphte> well in your guide you said i need to put in some puch routes to the clients
10:46 < ralphte> push
10:47 < ralphte> well lets say i have two networks
10:47 < fink> ok
10:47 < Fiouz> !iroute
10:47 < vpnHelper> Fiouz: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
10:47 < Fiouz> ralphte: that's for you
10:47 < ralphte> network a 127.21.1.0 and network 127.21.2.0
10:47 < ralphte> ya i have the irouts no help
10:48 < fink> ralphte: i don't know if it's just me or what, but i tried connecting openvpn networks based on loopback (127) and it did not work
10:48 < ralphte> when ever i start openvpn clients on 127.21.2.0 network i get a puch route to 127.21.1.0 and 127.21.2.0 But my router already knows the 127.21.2.0 network
10:49 < ralphte> but with the puch route it alters my routing table and then all my computer on he network loss contivity
10:51 < Fiouz> iroute works fine for me (provided my clients have fixed/well-known networks) and prevent server from sending specific routes
10:51 < Fiouz> do you use metric? I had issue where iroute ignores routes with metrics
10:52 < ralphte> well the client is a dd-wrt router
10:53 < ralphte> not sure if it uses metric
10:54 < Fiouz> then you don't
10:54 < Fiouz> you use the "iroute" option in a client-config-dir file on server, right?
10:54 < ralphte> yep 
10:55 < ralphte> "iroute 127.21.2.1 255.255.255.0"
10:56 < Fiouz> I have such log lines whenever iroute removes a route when a client is connecting: openvpn[4103]: ClientCname/a.b.c.d:XXX REMOVE PUSH ROUTE: 'route x.x.x.x y.y.y.y'
10:57 < Fiouz> right before PUSH: Received control message: 'PUSH_REQUEST'
10:57 < ralphte> let me see
10:58 < Fiouz> use the network addrese in iroute
10:59 < Fiouz> you should use "iroute 127.21.2.0 255.255.255.0"
10:59 < Fiouz> .0
10:59 < Fiouz> address*
11:02 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has quit [Read error: Connection reset by peer]
11:03 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has joined ##openvpn
11:03 < ralphte> that might be it
11:03 -!- fink [~guest@1Cust231.an3.dca17.da.uu.net] has quit [Quit: fink]
11:04 -!- fink [~guest@1Cust231.an3.dca17.da.uu.net] has joined ##openvpn
11:05 -!- WormFood [~wormfood@121.34.164.80] has quit [Ping timeout: 265 seconds]
11:05 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has quit [Read error: Connection reset by peer]
11:08 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has joined ##openvpn
11:08 < ralphte> ok this is wierd not it just hangs on the PUSH: Received control message: 'PUSH_REQUEST' and then i loss all network conectivity
11:10 < Fiouz> you fixed the iroute option by repacing 127.21.2.1 with 127.21.2.0 and it did that?
11:11 < ralphte> ya i dont think that is why it is doing that though i dont know why
11:11 < ralphte> but yes that was all i changed
11:12 -!- fink [~guest@1Cust231.an3.dca17.da.uu.net] has quit [Read error: Connection reset by peer]
11:13 < ralphte> ok i removed the all the puch routes and i can not get on the tunnle
11:13 < ralphte> push routes
11:13 < ralphte> so it has to be them
11:13 -!- fink [~guest@1Cust231.an3.dca17.da.uu.net] has joined ##openvpn
11:13 -!- fjm [~user@p578b665c.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
11:15 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has quit [Read error: Connection reset by peer]
11:15 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has joined ##openvpn
11:16 < ralphte> yep put them back in and then the router hangs 
11:16 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
11:17 < ralphte> check this out
11:17 -!- WormFood [~wormfood@58.60.222.42] has joined ##openvpn
11:17 < ralphte> if i take out the route  push "route 172.20.2.0 255.255.255.0" from the server it works
11:18 < ralphte> but if it's there it wont work
11:19 < Fiouz> add an iroute for that network 
11:19 < ralphte> ya that the one i have setup
11:20 < ralphte> i have the iroute 172.20.2.0 255.255.255.0
11:20 < ralphte> for that client name
11:23 < ralphte> I double checked in the file system and the iroute file is there and does contain iroute 172.20.2.0 255.255.255.0
11:23 < ralphte> is there another poption in the server config that i might need
11:24 < ralphte> or maybe the client config
11:24 < Fiouz> !logs
11:24 < vpnHelper> Fiouz: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
11:25 < ralphte> you want my logs
11:25 < Fiouz> yep, that'd help 
11:25 < ralphte> to easy let me get them for you
11:26 < Fiouz> use http://pastebin.com
11:30 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Ping timeout: 264 seconds]
11:30 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
11:31 < ralphte> http://pastebin.com/gQkeWwJM
11:31 < ralphte> there go. Thanks by the way for helping me out. 
11:41 < Fiouz> I think you meant "172.20.2.0" instead of "127.20.2.0" in you ccd config file
11:43 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has quit [Read error: Connection reset by peer]
11:44 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has joined ##openvpn
11:45 < ralphte> i think that was it
11:45 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:45 < ralphte> NICE
11:45 < ralphte> well thats what i get for not checking ip;s
11:49 < fink> ralphte: but i told you that at the beginning
11:54 < ralphte> ya i know and i check it but i was not looking close enough
11:55 < ralphte> what iptables do i need to open up to make sure i can route though the server?
11:57 < Fiouz> if using client-to-client option, I think there is no need for iptables
11:59 < Fiouz> (if you actually meant routing from a VPN client to another VPN client)
11:59 < Bushmills> for routing? non. for NAT you do
12:01 < ralphte> well VPN client in this case is a dd-wrt router
12:02 < ralphte> with networks attaced to each side
12:04 < Bushmills> routing doesn't suddenly magically require iptables only because there is "wifi router" printed on the box 
12:05 < ralphte> well iptables are running ether way on both client and server by default
12:06 < Bushmills> but as you have the internal interfaces, bridged, and the wan port, iptables will have to NAT there
12:06 < Bushmills> though that is to be done independently of openvpn
12:06 < ralphte> yep
12:06 < Bushmills> " what iptables do i need to open up to make sure i can route though the server?"  -> none
12:07 < ralphte> ok do i need to setup and forwards?
12:08 < Bushmills> for routing, you need to set up routes
12:08 < Bushmills> routing is not an iptables taks
12:08 < Bushmills> rask
12:08 < Bushmills> grr
12:08 < Bushmills> task
12:08 < ralphte> ok far enough
12:08 < fink> fair
12:08 < ralphte> but thats always my fall back if shit ait working iptables lol
12:08 < fink> sorry, that was impulsive
12:09 < ralphte> ya my typing skills suck need to slow down and look at what I am typing.
12:09 < Fiouz> actually, additional iptables configuration is needed when routing and not using client-to-client and default FORWARD policy isn't ACCEPT
12:10 < fink> ralphte: yea, i think you learned that with "127" vs "172" ;)
12:10 < ralphte> yes i did
12:11 < fink> btw if anybody is interested: i solved my problem with pf dying on boot because it can't find a tun interface by wrapping the 'tun' in pf.conf with parentheses : ( tun )
12:14 < ralphte> ok well here is my setup i have a server. I have two clients both running openvpn on dd-wrt routers. Each client router has a network behind it. client one has network 172.20.1.0 . Client 2 has the network 172.20.2.0 . both clients a are now connected to the server AND they both where sent puch routes with the other ones network. 
12:14 < ralphte> Now my 1st question is from client one i should be able to ping my tunnle ip's right local and server?
12:15 < fink> yes, there's a section in the docs about connecting the subnets of multiple clients
12:15 < fink> they use names like "contractor" or "employee" or something
12:16 < ralphte> which docs
12:16 < fink> opevpn docs, duh
12:16 < ralphte> just checking
12:16 < ralphte> i can ping my local openvpn tun interface but not my server tun interface
12:17 < fink> ralphte: sounds like you're not pushin the right routes
12:17 < fink> i had the same problem this morning
12:18 < ralphte> what you mean i am not even talking about the pinging the client networks. I am just talking about the tunnle network
12:19 < fink> yea i know
12:20 < ralphte> which routes do i need to push then?
12:21 < fink> ralphte: i have to go lunch
12:21 < fink> bbl
12:21 < Fiouz> check whether you see ping packets on server using "tcpdump -i tun0"
12:21 < ralphte> ok
12:22 < Fiouz> according to your logs, your client has 10.0.20.0/24 route
12:22 < ralphte> yep i do see ping packets
12:22 < ralphte> to my server tunnle end point why i not get replys back
12:23 < Fiouz> then check netfilter/iptables rules
12:23 < Fiouz> you only see incoming packets I guess?
12:23 < ralphte> yep echo req
12:24 < ralphte> what rule would i need to add
12:25 < Fiouz> something like: iptables -A INPUT -i tun0 -m comment --comment "Allow OpenVPN trafic" -j ACCEPT
12:28 < Fiouz> there may be another reason for you server not responding to packets, I think it's Linux route-path filter "rp_filter"
12:28 < Fiouz> !rp_filter
12:28 < vpnHelper> Fiouz: Error: "rp_filter" is not a valid command.
12:29 < Fiouz> try: sysctl -w net.ipv4.conf.tun0.rp_filter=0
12:30 < Fiouz> hum it's actually reverse-path filter
12:32 < ralphte> so sysctl -w net.ipv4.conf.tun0.rp_filter=0 should work?
12:33 < Fiouz> that should prevent Linux kernel from droping some packets
12:33 < ralphte> i tryed that and still same problem
12:34 < Fiouz> pastebin the result of: iptables -L -v -n
12:34 < Fiouz> !lans
12:34 < vpnHelper> Fiouz: "lans" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
12:35 < Fiouz> that might help too
12:36 < ralphte> http://pastebin.com/quUvdQgu
12:37 < ralphte> yep have already read all the way though  https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
12:37 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
12:39 < Fiouz> your last rule in RH-Firewall-1-INPUT is dropping your pings
12:39 < Fiouz> try this: iptables -I INPUT 1 -i tun0 -j ACCEPT
12:41 < ralphte> well the last rule is reject all
12:41 < ralphte> lol
12:51 < ralphte> mmm i dont think it;s a firwall rule
12:54 < Fiouz> what do you mean?
12:57 < ralphte> well I been messing with the firewall and no matter what rule i add or take away from the server does not hlep
12:58 < Bushmills> not allowing vpn traffic of specific hosts is easier done by simply revoking keys, instead of blocking with firewall 
12:58 < Fiouz> netfilter is obviously dropping your packets, see the counters
13:00 < ralphte> so what would you suggest?
13:00 < Fiouz> use the command I gave you: iptables -I INPUT 1 -i tun0 -j ACCEPT
13:00 < ralphte> i did still not working :(
13:01 < ralphte> i tryed it as soon as you told me
13:02 < Fiouz> can you pastebin again? iptables -L -v -n
13:02 < ralphte> sure
13:03 < Fiouz> putting that aside (pinging the server), iptables doesn't affect routing if using client-to-client option
13:04 < ralphte> http://pastebin.com/hXqgdM2E
13:04 < ralphte> this is true 
13:04 < ralphte> but would be nice to find out why
13:05 < ralphte> it's for trouble shooting
13:08 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
13:09 < Fiouz> is your server able to ping your dd-wrt router?
13:09 < ralphte> let me see
13:09 < ralphte> yep
13:12 < Fiouz> next step would be check whether router A can ping router B
13:33 < ralphte> ok so my server can not even ping 10.0.20.5
13:33 < ralphte> which is the defualt gatway for my VPN
13:33 < ralphte> dont get it
13:35 < ralphte> this confuses me Sat Apr 24 13:34:35 2010 us=373243 /sbin/ifconfig tun0 10.0.20.6 pointopoint 10.0.20.5 mtu 1500
13:35 < ralphte> Sat Apr 24 13:34:35 2010 us=412354 /sbin/route add -net 172.20.1.0 netmask 255.255.255.0 gw 10.0.20.5
13:35 < ralphte> Sat Apr 24 13:34:35 2010 us=449154 /sbin/route add -net 10.0.20.0 netmask 255.255.255.0 gw 10.0.20.5
13:35 < ralphte> Sat Apr 24 13:34:35 2010 us=483907 Initialization Sequence Completed
13:36 < ralphte> 10.0.20.5 is the server right?
13:36 < ralphte> i checked out ifconfig and tun0 ip is 10.0.20.1
13:41 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:42 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
13:50 < krzie> !/30
13:50 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
13:51 < krzie> !forget /30 #2
13:51 < vpnHelper> krzie: Error: There is no such factoid.
13:51 < krzie> !forget /30 2
13:51 < vpnHelper> krzie: Joo got it.
13:51 < ralphte> ya i know what a .30 cidr is lol
13:51 < krzie> !learn /30 you can avoid this behavior by reading !topology
13:51 < vpnHelper> krzie: (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
13:51 < krzie> !learn /30 as you can avoid this behavior by reading !topology
13:51 < vpnHelper> krzie: Joo got it.
13:51 < ralphte> though it might have something to do with that
13:51 < krzie> ralphte, /30 for each client is the default
13:52 < krzie> topology net30
13:52 < krzie> !topology
13:52 < vpnHelper> krzie: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
13:52 < krzie> i didnt scroll higher, whats the rest of the problem?
13:54 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
13:54 < ralphte> thats it
13:54 < ralphte> you naled it
13:54 < krzie> everything else is good?
13:54 < ralphte> As 192.168.1.5 is only a virtual IP address inside the OpenVPN server, used as an endpoint for routes, OpenVPN doesn't bother to answer pings on this address, while the 192.168.1.1 is a real IP address in the servers O/S, so it will reply to pings.
13:55 < krzie> correct
13:55 < ralphte> wow
13:55 < krzie> .6 for first client, .10 for second, .14
13:55 < krzie> etc
13:55 < ralphte> yep /30 cidr
13:55 < krzie> or topology subnet and it goes .2 .3 .4 hehe
13:55 < ralphte> to easy ccna pays off
13:55 -!- fink [~guest@1Cust231.an3.dca17.da.uu.net] has left ##openvpn []
13:55 < ralphte> to bad they dont psupport openvpn
13:56 < krzie> no other issues?
13:58 < ralphte> no i think i am good you guys rock.
13:58 < krzie> sweet
13:59 < ralphte> took me two full days of working on this but i know a TON more then i ever knew before about openvpn
13:59 < krzie> thats how its done!
14:00 < krzie> reminds me of my first time setting stuff up in ovpn
14:01 < krzie> if you get bored you wanna play with my config generator and gimme feedback?
14:01 < krzie> i just finished it
14:01 < ralphte> sure 
14:01 < krzie> !confgen
14:01 < vpnHelper> krzie: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
14:01 < ralphte> you always got to give back
14:03 < ralphte> goiong to put a full guide on how to do what i did on my site when ever i get my new deticated server all setup
14:03 < krzie> !wiki
14:03 < vpnHelper> krzie: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
14:03 < krzie> feel free to document stuff there too if you like
14:03 < ralphte> ok will do
14:04 < krzie> i saw someone linked you to the routing doc, did it help ya?
14:04 < ralphte> ya that was helpfull. But it was all one peace of the pie
14:05 < ralphte> but it was the finall peace that made the routing work
14:05 < krzie> iroute or routes outside openvpn?
14:06 < ralphte> routes outside your vpn tunnle. you have to use the iroutes or it will mess up the client
14:06 < krzie> ahh both!
14:06 < krzie> glad it helped =]
14:07 < ralphte> ya i am the type to go look up all the guides to do what i want before i ask questions. I did not find your till later
14:10 < ralphte> off topic what you think is the best way to have file shares over VPN? windows and linux computers
14:11 < krzie> if you want SMB, check out running a WINS server
14:11 < krzie> !wins
14:11 < vpnHelper> krzie: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
14:12 < krzie> i use BSD an osX so i  share with scp and NFS
14:12 < ralphte> smb support srsume
14:12 < ralphte> resume?
14:12 < krzie> smb is the windows filesharing i doubt they support resume
14:12 < ralphte> ya thats what i thought
14:12 < ralphte> scp ?
14:13 < ralphte> never mind i know scp
14:13 < krzie> secure copy, uses ssh basically
14:14 < ralphte> what about Network file system
14:14 < ralphte> resume support
14:14 < krzie> windows doesnt do NFS
14:14 < krzie> i dont believe so
14:14 < ralphte> windows can go to hell LOL
14:16 < ralphte> windows does support nfs
14:17 < ralphte> found a few guides just not out of the box
14:17 < krzie> for free?
14:17 < ralphte> http://sagehacks.wordpress.com/2009/01/21/howto-mount-nfs-shares-under-windows-7/
14:17 < vpnHelper> Title: HOWTO: Mount NFS shares under Windows 7 « Sage Hacks (at sagehacks.wordpress.com)
14:17 < krzie> if so pass the guide, will be helpful when i have visitors
14:18 < krzie> oh win7
14:18 < ralphte> win xp also
14:18 < ralphte> i got the guide for that
14:18 < ralphte> microsoft even states they support it 
14:18 < ralphte> with there unix support package
14:18 < krzie> all i saw required spending i could have sworn
14:19 < krzie> oh its a MS snapin, that must have came since i last cared
14:19 < krzie> thanx
14:19 < ralphte> install Microsoft Windows Services for UNIX 3.5
14:19 -!- mudassar [~quassel@h85-8-0-70.static.se.alltele.net] has joined ##openvpn
14:19 < ralphte> ya i can uderstand that
14:19 < mudassar> hello can any body solve my issue with openvpn ? 
14:20 < ralphte> you must ask 
14:20 < krzie> !ask
14:20 < vpnHelper> krzie: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/, or (#3) http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help
14:20 < krzie> ;]
14:20 < Bushmills> that *was* the question.
14:20 < ralphte> lol your little chat shortcuts
14:20 < mudassar> ralphte: Actualy I have configured the openvpn server but it is not reachable ........ where can I paste the configuration file of the server ? 
14:21 < Bushmills> i think there are three possible answers.  yes. no. maybe.
14:21 < krzie> !pastebin
14:21 < vpnHelper> krzie: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
14:21 < krzie> no comments in the configs tho
14:21 < krzie> configs
14:21 < krzie> !configs
14:21 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
14:21 < krzie> ralphte, ya i love that bot ;]
14:21 < Bushmills> what does "server is not reachable" mean?
14:21 < ralphte> it is usefull i will say
14:21 < krzie> Bushmills, evalbot in bash is awesomeness!
14:22 < Bushmills> if you can't reach server, there's little point in running openvpn on it
14:22 < Bushmills> krzie: on #bash channel?
14:22 < krzie> yes
14:22 < ralphte> so it not a openvpn problem
14:22 < Bushmills> ah
14:23 < ralphte> you have access to server cli
14:23 < Bushmills> good for testing whether something works on different versions of bash
14:23 < Bushmills> as one usually doesn't have all versions installed
14:24 < krzie> i wanna remember to join that chan from the office, will be cool reading when bored at work
14:25 < krzie> besides the couple things that could use cleaning (ie: incrementing inside the array counter like arg[c++]) how ya like the confgen Bushmills ?
14:25 < Bushmills> was just checking, not seeing you, wondering how useful a bot on a channel one hasn't joined is.
14:25 < krzie> lol i was there yesterday
14:26 < Bushmills> to be honest ... a user interface asking questions and letting me type in things makes me shudder
14:26 < ralphte> quick responds to common questions can make helping others much faster
14:27 < krzie> Bushmills, lol i understand that for sure, you happen to be FAR from the target audience
14:27 < krzie> ;]
14:27 < mudassar> I have configured the vpn server on a virtual machine (xen virtual guest), this virtual machine has public IP. The configuration file for openvpn server is given here http://pastebin.com/MAK8zcDD    I have generated keys and certificates for the clients, but clients cannot reach the vpnserver
14:27 < Bushmills> but i suppose that if the purpose is being able to point people with config problem to that script, it is useful
14:27 < krzie> they can not reach it at all?
14:28 < krzie> mudassar, please clarify "they can not reach it"
14:28 < Bushmills> mudassar: clarify "virtual machine"
14:28 < ralphte> what error do you get from the client !firewall
14:28 < Bushmills> xen guest?
14:28 < ralphte> well i tried
14:28 < krzie> virtual machine (xen virtual guest)
14:28 < krzie> yup xen guest
14:28 < Bushmills> does tun interface come up when starting server?
14:29 < krzie> ralphte, commands go by themselves
14:29 < krzie> !firewall
14:29 < ralphte> dam
14:29 < vpnHelper> krzie: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
14:29 < ralphte> i knew it
14:29 < mudassar> vpn clients cannot connect the vpn server ......... virtual machine means a guest os in a host os using virtualization
14:29 < krzie> mudassar, if you cant start the connection, your problem is not likely openvpn
14:29 < ralphte> ya got that you check port on iptables
14:29 < krzie> sounds like firewall
14:30 < ralphte> make sure it's open on tcp or udp and the port to are using for the openvpn
14:30 < krzie> the only way it could be openvpn is if protocol / port  dont match or if you are connecting to the wrong IP
14:30 < mudassar> I can paste the output of ifconfig as well for the server machine ... 
14:31 < mudassar> I am pasting the client's configuration file 
14:32 < krzie> im out, headed to work
14:32 < krzie> see ya as krzee
14:35 < mudassar> see the client's configuration here http://pastebin.com/Ysep3k8s
14:35 < mudassar> please tell me what is the problem 
14:36 < ralphte> oo this one is easy
14:36 < mudassar> pasting again OpenVPN configuration for server ==> http://pastebin.com/MAK8zcDD   client ==> http://pastebin.com/Ysep3k8s 
14:36 < ralphte> remote 10.1.0.1 1194   
14:37 < mudassar> what is problem in it ? 
14:37 < ralphte> should be remote ip address of the server 1194
14:37 < ralphte> not of the tunnle
14:37 < ralphte> so what ever the internet ip address of the server is
14:38 < mudassar> ok
14:38 < ralphte> unless this is all local in that case dont really know if you need openvpn
14:38 < mudassar> you are talking about client's configuration file ? 
14:39 < ralphte> yes
14:39 < ralphte> the clinet needs to know where the server is on the internet
14:40 < mudassar> ralphte: works like a charm......... thanks alot brother
14:40 < ralphte> yep made the same mistake before
14:40 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
14:42 < mudassar> but how can I ping the server machine now ? 
14:42 < mudassar> I mean on which IP ? 
14:42 < mudassar> that will use the vpn 
14:42 < ralphte> well you server is the 10.1
14:43 < ralphte> thats the tunnle address ip's
14:44 < mudassar> at client side there should be a new interface like tun0 ....... but I cannot see that 
14:44 < mudassar> let me past the logs of server and client now 
14:44 < ralphte> what os?
14:44  * krzie comes with the quick ubuntu guess
14:45 < ralphte> openvpn --mktun --dev tun0
14:46 < krzie> only if it needs to be static
14:46 < krzie> a dynamic dev is usually just fine
14:46 < mudassar> Please see the logs for server and client here ... there is still some problem
14:46 < mudassar> http://pastebin.com/QfY7WRwL
14:46 < ralphte> there always is
14:46 < mudassar> OS is centOS 
14:46 < ralphte> server or client
14:47 < mudassar> both
14:47 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
14:47 < ralphte> well i know cent os 1st had
14:47 < ralphte> hand*
14:48 < ralphte> what is not working>
14:48 < mudassar> what is the difference between vpn tunnel's ip and vpn server's ip ??
14:49 < ralphte>  a /30
14:49 < ralphte> lol
14:49 < mudassar> what ? 
14:50 < ralphte> http://openvpn.net/index.php/open-source/faq.html#slash30
14:50 < vpnHelper> Title: FAQ (at openvpn.net)
14:51 < ralphte> what network is on your server?
14:52 < ralphte> is the client have a network
14:52 < ralphte> does the client have a network?
14:53 < mudassar> client and server both have public IPs
14:53 < mudassar> I can show you the ifconfig for both 
14:53 < mudassar> I am not good in networking
14:54 < ralphte> well of course no nat on client
14:54 < mudassar> you can analyze 
14:54 < mudassar> let me give you
14:55 < mudassar> http://pastebin.com/9i3ULfDe
14:55 < mudassar> please see here 
14:56 < mudassar> you can understand the network for bth 
14:56 < mudassar> client and server
14:56 < ralphte> client with public ip not very commen now adays
14:57 < ralphte> are both client and server vertulized
14:58 < ralphte> dont see a tun interface on ether one
14:58 -!- kslen [~idkfa@static229-147.adsl.no] has quit [Ping timeout: 265 seconds]
15:00 < ralphte> openvpn --mktun --dev tun+ will make the tun dev
15:00 < mudassar> on client side ? 
15:00 < mudassar> both are virtualized 
15:00 < ralphte> both
15:00 < mudassar> oh sorry I gave you the ifconfig of the server after closing vpnserver ... let me paste the latest one
15:01 < mudassar> it has tun 
15:01 < ralphte> ok
15:01 < mudassar> http://pastebin.com/Mmqc35Te
15:01 < mudassar> see here 
15:04 < ralphte> change verb to 6 on the client config run the client and tell me what output you get
15:07 < mudassar> ok
15:08 < mudassar> no it didn't add any interface on client side 
15:09 < ralphte> ya add that
15:11 < mudassar> how to add that ?
15:11 < mudassar> openvpn --mktun --dev tun+
15:11 < mudassar> ??
15:12 < ralphte> ya
15:13 < mudassar> still no luck 
15:13 < mudassar> will it show some interface on client side for ifconfig ? 
15:14 < ralphte> should
15:14 < ralphte> what doe sit say when you enter the command?
15:15 < ralphte> should say somthing like this 
15:15 < ralphte> Sat Apr 24 15:14:30 2010 TUN/TAP device tun+ opened
15:15 < ralphte> Sat Apr 24 15:14:30 2010 Persist state set to: ON
15:16 < mudassar> yes it said like this on client side 
15:16 < ralphte> ok you see the tun in ifconfig
15:16 < mudassar> but after connecting with vpn server from client, using openvpn client.conf ... will it show the interface in ifconfig output ? 
15:17 < ralphte> what does openvpn say when you connect
15:18 < mudassar> it says like Peer connection Initiated with 65.110.21.132 ......... initialization sequence completed 
15:18 < mudassar> then like this
15:18 < mudassar> us=424934 TCPv4_CLIENT READ [53] from 65.110.21.132:1194: P_DATA_V1 kid=0 DATA len=52
15:18 < ralphte>  initialization sequence completed means that it is working
15:19 < mudassar> yes but how can I use this private network now ? 
15:19 < ralphte> next step what you trying to do
15:19 < ralphte> well how ever you want
15:19 < mudassar> I want to ping the server machine from client machine using VPN network
15:19 < ralphte> ping the tunnlle ips
15:20 < mudassar> you mean 10.1.0.1 ? 
15:20 < ralphte> yep
15:20 -!- kslen [~idkfa@static229-147.adsl.no] has joined ##openvpn
15:20 < mudassar> it says unreachable
15:20 < mudassar> :(
15:21 < ralphte> try .2
15:21 < mudassar> i guess it must show interface 
15:21 < mudassar> I have tried many 
15:21 < mudassar> .2 .3 .4 .5 .6
15:21 < ralphte> ok
15:21 < ralphte> to easy
15:21 < ralphte> send me a copy of the client log
15:21 < ralphte> !log
15:21 < vpnHelper> ralphte: Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
15:22 < mudassar> whoami says root
15:22 < ralphte> !logs
15:22 < vpnHelper> ralphte: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
15:25 < mudassar> see the client's log here http://pastebin.com/v0QtXit6
15:25 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
15:27 < ralphte> you client config should have "dev tun1" not "dev tun"
15:28 < mudassar> what should I do then 
15:28 < mudassar> openvpn --mktun --dev tun1 
15:28 < mudassar> ?
15:29 < ralphte> dont neeed to
15:29 < mudassar> then ? 
15:30 < ralphte> change the config and then try to connect agean
15:30 < mudassar> what change ? 
15:30 < ralphte> in the client config
15:30 < ralphte> open that up
15:31 < ralphte> you will see the line -- dev tun
15:31 < ralphte> change to -- dev tun1
15:31 < mudassar> ok
15:32 < mudassar> Cannot open TUN/TAP dev /dev/tun2: No such file or directory (errno=2)
15:32 < mudassar> i created tun1 and tun2
15:33 < mudassar> checked for both 
15:33 < mudassar> but both say the same
15:33 < ralphte>  openvpn --mktun --dev tun1 
15:33 < ralphte> what happends after you enter that
15:34 -!- Lantizia [~lantizia@93-97-23-110.zone5.bethere.co.uk] has joined ##openvpn
15:34 < mudassar> Note: Cannot ioctl TUNSETIFF tun1: Device or resource busy (errno=16)
15:34 < mudassar> Sat Apr 24 16:40:37 2010 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
15:34 < mudassar> Sat Apr 24 16:40:37 2010 Cannot open TUN/TAP dev /dev/tun1: No such file or directory (errno=2)
15:37 < ralphte> mkdir /dev/net; mknod /dev/net/tun c 10 200
15:37 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
15:37 < mudassar> it says it already exists 
15:38 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Client Quit]
15:38 < ralphte> try a reboot
15:38 < ralphte> hsould be real quick on a vm
15:39 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
15:39 < mudassar> ok I am booting both 
15:40 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Quit: Leaving...]
15:41 < krzee> maybe you have to do something xen specific to give the guest access to the dev
15:41 < mudassar> hmm
15:42 < krzee> !google xen tun device
15:42 < vpnHelper> krzee: [Xen-users] OpenVPN tun/tap in domU - Xen Source: <http://lists.xensource.com/archives/html/xen-users/2005-12/msg00863.html>; Re: [Xen-users] Re: XEN 3.1: critical bug: vif init failure afte ...: <http://lists.xensource.com/archives/html/xen-users/2007-07/msg00574.html>; TUN/TAP device with OpenVPN or Hamachi - VPSLink Wiki: <http://wiki.vpslink.com/TUN/TAP_device_with_OpenVPN_or_Hamachi>
15:43 < krzee> oh you likely just dont have tuntap compiled in
15:43 < krzee> Xen Platform 
15:43 < krzee> Please ensure you have installed the kernel modules which your software requires to use the TUN/TAP device.
15:46 < mudassar> client machine and server machine has exactly same configuration ......... at server side I can see the tun1 interface when I run the openvpn server and give the command ifconfig
15:46 -!- krzee [~k@unaffiliated/krzee] has left ##openvpn ["Leaving"]
15:46 < mudassar> this means tun1 works
15:47 -!- dmz [~dmz@64.203.207.101.dyn-cm-pool-54.hargray.net] has quit [Quit: Ex-Chat]
15:52 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
15:52 < mudassar> how to ensure this ==> Please ensure you have installed the kernel modules which your software requires to use the TUN/TAP device. 
15:52 < krzee> by configuring your kernel
15:53 < mudassar> krzee: I am not good at this.. :( I wish I can do that. 
15:57 -!- zertu [~58bdda96@gateway/web/freenode/x-mfizpquqdeeivupf] has joined ##openvpn
15:58 < krzee> try modprobe tun
16:01 < krzee> do that first in the host
16:01 < mudassar> which host ? 
16:01 < mudassar> that contains the client's virtual machine ? 
16:02 < krzee> the xen host
16:02 < krzee> http://serverfault.com/questions/91340/how-to-install-tun-tap-driver-for-openvpn-on-centos-linux
16:02 < mudassar> ok
16:02 < vpnHelper> Title: How to install tun/tap driver for openvpn on centos linux? - Server Fault (at serverfault.com)
16:02 < krzee> hit #6 from google: centos kernel tun
16:03 -!- fink [~guest@1Cust3895.an2.dca17.da.uu.net] has joined ##openvpn
16:04 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 246 seconds]
16:12 < mudassar> this is very difficult for me to follow this :(
16:15 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
16:24 -!- kas [~Andrew@seance.openvpn.org] has quit [Ping timeout: 240 seconds]
16:30 -!- kas [~Andrew@seance.openvpn.org] has joined ##openvpn
16:30 -!- kas [~Andrew@seance.openvpn.org] has quit [Client Quit]
16:31 < krzee> we help with openvpn, for help in your OS try a channel that deals with your OS
16:31 < krzee> first try:
16:31 < krzee> modprobe tun
16:31 < krzee> in the xen host
16:37 < mudassar> it did not show the tun interface :( 
16:37 < mudassar> even in the log of vpn client is says TUN/TAP device tun1 opened 
16:37 < mudassar> it says *
16:38 < krzee> didnt you paste it not being able to open?
16:53 < mudassar> the client's log shows that device tun1 is opened 
16:54 < mudassar> but when I do ifconfig it does not come in the list 
16:57 < krzee> pastebin the log
16:57 < krzee> !configs
16:57 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
17:00 -!- zertu [~58bdda96@gateway/web/freenode/x-mfizpquqdeeivupf] has quit [Quit: Page closed]
17:02 -!- fink [~guest@1Cust3895.an2.dca17.da.uu.net] has left ##openvpn []
17:06 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
17:15 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
17:43 -!- Lantizia [~lantizia@93-97-23-110.zone5.bethere.co.uk] has quit [Quit: Leaving]
17:45 < hyper_ch> krzee: test what?
17:55 -!- ribx [~ribx@p5B2D80CC.dip0.t-ipconnect.de] has joined ##openvpn
17:55 < ribx> !welcome
17:55 < vpnHelper> ribx: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:57 < ribx> ok, here we go: is there any posiblity to drop the dns option pushed by a server? i am on linux
18:02 < ralphte> ya remove the push command from the server
18:02 < ralphte> lol
18:04 < ribx> really? is that the only posibility?
18:06 < ribx> isnt there something like "--route-nopull" ?
18:08 < ralphte> not that i know of
18:12 < krzee> hyper_ch, the confgen
18:12 < krzee> ribx, 
18:12 < krzee> dns in linux is only applied by an --up script
18:12 < hyper_ch> krzee: it could mess up my con :)
18:13 < krzee> dont run the script and even tho your server pushes it, you wont apply it
18:13 < krzee> hyper_ch, just play with it :-p
18:14 < Bushmills> "route" and "dns" aren't exactly the same
18:14 < krzee> if the client was windows there would be more to it
18:14 < krzee> but since the client is linux, its SIMPLE to not accept the pushed dns
18:15 < krzee> since openvpn cant handle applying the DNS anyways, and requires a script to do it ;]
18:15 < Bushmills> there *is* a --route-nopull .. i think i got now what you meant ... a dns equivalent of that
18:16 < ribx> krzee: my distri (gentoo) even offers a switch for this in the openvpn config file (i was wondering how openvpn can do it when i invoke as user "nobody") thank you!
18:17 < Bushmills> --up is executed as root.  --down as user openvpn is running as
18:17 < ribx> ok
18:30 < mudassar> sorry krzee, I want interviewing someone 
18:34 < mudassar> was *
18:38 < troy-> mudassar: did they get the job?
18:38 < mudassar> I was interviewing someone ... for hiring him :)
18:38 < troy-> did he get the job?
18:41 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
18:47 < mudassar> yes
18:48 < troy-> can i have it instead?
18:48 < troy-> i'll even tell him there was a misunderstanding
18:49 < ralphte> 200k max speed with openvpn and dd-wrt router
18:51 -!- dauergast [~sag@188-193-231-147-dynip.superkabel.de] has joined ##openvpn
18:54 < ralphte> pretty disapointing
18:54 < troy-> dauergast: i get slow throughput too
18:55 < dauergast> ?
18:55 < troy-> err ralphte :P
18:55 < ralphte> ya kinda sucks might have to get a better router
18:56 < troy-> well i'm running it on a quad core and its not better
18:56 < ralphte> you mean your client is the desktop and it's still that slow?
18:56 < troy-> client and desktop are both quad cores 
18:56 < troy-> client and server rather
18:57 < ralphte> what kinda connection?
18:57 < troy-> both are on 100Mb/s fiber 33ms apart
18:57 < ralphte> WTF
18:57 < ralphte> still only 200kbps
18:57 < troy-> yeah
18:58 < troy-> gah i'm bleeding everywhere
18:59 < troy-> next time i'll make the woman move the fridge 
19:01 -!- dauergast [~sag@188-193-231-147-dynip.superkabel.de] has quit [Quit: Man gewöhnt sich an allem, selbst am Dativ.]
19:03 < krzee> for the record, openvpn only runs on 1 core
19:03 < flok420> does the windows version of openvpn also have some kind of "up.sh" (or "up.bat/cmd") mechanism?
19:03 < krzee> flok420, windows doesnt run .sh, but --up still exists
19:04 < flok420> ok, thanks
19:04 < krzee> and .sh has nothing to do with --up
19:04 < krzee> --up would happily run .sh, but will also run whatever app is passed to it
19:04 < krzee> compiled C app, perl, ruby, whatever
19:05 < flok420> ok
19:10 -!- ribx [~ribx@p5B2D80CC.dip0.t-ipconnect.de] has quit [Ping timeout: 246 seconds]
19:36 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
19:47 -!- mudassar [~quassel@h85-8-0-70.static.se.alltele.net] has quit [Remote host closed the connection]
19:55 -!- ribx [~ribx@p5B2D9020.dip0.t-ipconnect.de] has joined ##openvpn
19:59 < ralphte> is there any way to make openvpn faster
19:59 < ralphte> 3mbit is just too slow
19:59 < ralphte> my server is on a 10mbit
20:00 < krzee> you could try playing with MTU settings
20:00 < krzee> if you are using tap, use tun
20:00 < krzee> if you are using tcp, use udp
20:00 < ralphte> i am useing tun
20:01 < ralphte> what the best way to setup mtu
20:03 < krzee> trial and error?
20:03 < ralphte> lol ok
20:03 -!- ribx [~ribx@p5B2D9020.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
20:07 -!- pawz_ [~pawz@ppp118-208-89-178.lns20.bne4.internode.on.net] has quit [Ping timeout: 264 seconds]
20:21 -!- corretico_ [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
20:22 -!- ribx [~ribx@p5B2D86F3.dip0.t-ipconnect.de] has joined ##openvpn
20:30 -!- tjz [~pc@bb116-14-172-208.singnet.com.sg] has joined ##openvpn
20:30 -!- tjz [~pc@bb116-14-172-208.singnet.com.sg] has quit [Changing host]
20:30 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:46 -!- WormFood [~wormfood@58.60.222.42] has quit [Ping timeout: 268 seconds]
20:47 -!- WormFood [~wormfood@58.60.222.42] has joined ##openvpn
20:52 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has quit [Read error: Connection reset by peer]
21:00 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has joined ##openvpn
21:06 -!- ribx [~ribx@p5B2D86F3.dip0.t-ipconnect.de] has quit [Quit: Bereue im Leben immer nur was du getan hast, und niemals, was du nicht getan hast.]
21:11 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
22:02 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
22:13 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
22:13 < theDoc> \o/
22:27 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
22:48 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
23:01 -!- fink [~guest@1Cust3059.an4.dca17.da.uu.net] has joined ##openvpn
23:09 -!- fink [~guest@1Cust3059.an4.dca17.da.uu.net] has left ##openvpn []
23:40 -!- donavan [~donavan@unaffiliated/donavan] has joined ##openvpn
23:43 < donavan> Hello friends.  I have an openvpn server configured and working well when clients are connecting from public IP addresses.
23:44 < donavan> The open vpn server lives in the 192.168.77.x network and connections get natted in from a firewall on the network edge.
23:45 < donavan> sorry 192.168.88.x network for the open vpn server.
23:46 < theDoc> What's the problem?
23:46 < donavan> right now I'm trying to configure a vpn from a 192.168.25.x network.  I'm successfully establishing the VPN, tun0 is created, I'm assigned a /30 address.
23:47 < theDoc> !30
23:47 < vpnHelper> theDoc: Error: "30" is not a valid command.
23:47 < theDoc> !factoids
23:47 < vpnHelper> theDoc: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
23:47 < theDoc> Yes, so what's the issue?
23:47 < theDoc> !topology
23:47 < vpnHelper> theDoc: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
23:47 < theDoc> !/30
23:47 < donavan> however, I'm unable to ping the open VPN server
23:47 < vpnHelper> theDoc: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
23:48 < donavan> or connect to any of the servers on the backside of the VPN server.
23:48 < theDoc> !logs
23:48 < vpnHelper> theDoc: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
23:48 < donavan> I think it is a /30 ...
23:49 < theDoc> Well, paste the logs and we'll give it a go.
23:49 < donavan> Doesn't look like it after all.  inet addr:192.168.77.14  P-t-P:192.168.77.13  Mask:255.255.255.255
23:49 < donavan> Let me do some reading :)
23:51 < donavan> @tunnelblick
23:51 < donavan> !tunnelblick
23:51 < vpnHelper> donavan: "tunnelblick" is http://www.tunnelblick.net - Free OpenVPN GUI Client for Mac OS X
--- Day changed Sun Apr 25 2010
00:04 < donavan> theDoc: I think I know the issue, but how much of these logs do you want?
00:04 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
00:05 < theDoc> If you know the issue, solve it ;p
00:05 < theDoc> I don't really want to have your logs
00:05 < donavan> What I suspect is happening is that it is using the source address of my request (the 192.168.25.x) and trying to route it out the ethernet instead of the VPN.
00:14 < donavan> okay theDoc I fail.
00:23 < theDoc> one sec
00:24 < theDoc> i'm at work
00:43 -!- atlantic_ [~atlantic@hok.duf.hu] has quit [Ping timeout: 240 seconds]
00:49 < donavan> theDoc: I finally pulled my head out -- I can't establish the openVPN circuit to 192.168.88.x and try to route traffic for 192.168.88.x over the VPN at the same time.
00:57 < theDoc> 192.168.88.x is your local lan AND the vpn subnet?
00:58 < donavan> no, the vpn subnet is 77
00:59 < donavan> but I'm connecting from .25 to .88 to establish the VPN and pushing a route for .88 to the client
01:00 < donavan> I just setup a nat on the .25 firewall to push the traffic to VPN server and all is now well.
01:00 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:01 < donavan> basically all I'm after is isolating the .88 network from the rest of my private networks and only making it accessible via openVPN
01:22 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
01:25 < theDoc> Sorry, I'm buried up to my neck in work. Trying to fix this fucking pos from Taiwan
01:32 < donavan> no problem, I've accomplished my objectives.
01:32 < donavan> Thank you the helpers.
01:32 < troy-> i never get thanked :<
01:33 < donavan> troy-: Thank you for helping the thankless.
01:33 < troy-> any time!
01:59 -!- atlantic [~atlantic@hok.duf.hu] has joined ##openvpn
02:10 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: This computer has gone to sleep]
03:39 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has joined ##openvpn
04:22 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
05:37 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
06:03 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
06:09 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
06:45 -!- dauergast [~sag@188-193-231-147-dynip.superkabel.de] has joined ##openvpn
06:59 -!- dauergast [~sag@188-193-231-147-dynip.superkabel.de] has quit [Quit: Manche Leute sind selbst für Vorurteile zu blöd.]
07:06 < rob0> "--redirect-gateway local" does not CHECK that the client is directly connected, does it?
07:08 < rob0> If it did, that would be a nice feature for laptops; you'd have secured wifi while onsite, and VPN without redirection while away.
07:12 < Bushmills> well, i am on wifi sometimes, and on eth sometimes, on site, but want redirect-gateway to redirect traffic in identical way
07:12 < Bushmills> which it does
07:13 < Bushmills> was openvpn to check, that could only be with the intention to treat both interfaces differently
07:13 < Bushmills> (your local traffic will have an extra route anyway, not going through default)
07:14 < rob0> yeah, I don't have the bandwidth to support redirection while offsite
07:15 < rob0> It's not really a problem at this point. I don't need secure wifi, there is no one in range to try to use my wifi anyway.
07:15 < Bushmills> different runlevels for on-site and off-site can be useful
07:17 < Bushmills> also, wpa  or wpa2 wifi  encryption isn't that easy to break for casually using somebody elses wlan
07:18 < Bushmills> i think it is based on AES
07:18 < rob0> Yes, but when I did need secure wifi, I went for openvpn, which was simpler for me to set up because I already had the openvpn server running.
07:19 < rob0> even WEP can frustrate a passerby
07:19 < hyper_ch> wep can be hacked in a couple of minutes
07:20 < rob0> but the few people who pass by here are only in range for a few seconds at a time :)
07:20 < rob0> I just leave mine open.
07:20 < hyper_ch> my wifi is open anyway to protect me
07:21 < rob0> "plausible deniability" when confronted by the RIAA/MPAA or equivalent? :)
07:21 < hyper_ch> kind of
07:21 < Bushmills> wouldn't work in many cases here in germany
07:22 < havoc> rob0: right on ;)
07:22 < hyper_ch> luckily switzerland is still a country that follows the letter of the law :)
07:22 < Bushmills> owner is responsable if he didn't take adequate steps to protect the connection
07:22 < hyper_ch> and not the wishes of the media instutry
07:22  * havoc does the same; open/public hotspot + openvpn
07:22 < hyper_ch> Bushmills: which shouldn't be a case
07:22 < havoc> plus my wlan is it's own ethernet segment
07:22 < rob0> Ah, law could be a good thing it existed. Here in USA it is dead.
07:23 < Bushmills> i agree to thhat but don't have the power to change that
07:23 < hyper_ch> Bushmills: well, let's look at a car
07:23 < havoc> rob0: there is law in the US; Rule of the Dollar :(
07:23 < hyper_ch> Bushmills: you are not allowed to drive a car without driver licence, right?
07:23 < Bushmills> one without registration plates?
07:23 < Bushmills> no, you aren't
07:23 < hyper_ch> Bushmills: you know why you need a driver licence?
07:23 < Bushmills> well, depends what you call "wihtout"
07:24 < rob0> you can drive it on your own property
07:24 < mwheeler> I run various open access servers, eg TOR and have a VPN dedicated to purely randoms that want to make use of resoures and network of servers. However my Wireless is secured for the fact is I want to be able to have hosts running off it without data being sniffed, and I don't want someone leeching while I'm making a VoIP call
07:24 < mwheeler> I'm yet to setup my second AP for free internet
07:24 < Bushmills> not having the license, or not having the paper, showing that you have a license
07:24 < hyper_ch> rob0: driving on own property is a very specific case and in this matter not of any relevance
07:24 < Bushmills> both cases are treated differently
07:24 < hyper_ch> Bushmills: not having a driver licence
07:24 < Bushmills> graver case
07:25 < hyper_ch> Bushmills: it's not different... you are allowed to drive without having the licence with you... you just get a fine if you do that
07:25 < Bushmills> so when you drive without having one, they can't take it away from you
07:25 < hyper_ch> Bushmills: but the law does not allow to drive a car without having a licence
07:26 < Bushmills> no. you may drive a car
07:26 < hyper_ch> Bushmills: but why do you think you are required to have a valid driver licence in order to be legally allowed to drive a car?
07:26 < Bushmills> just not on public roads
07:26 < hyper_ch> Bushmills: ok, how many private roads do you have?
07:26 < hyper_ch> Bushmills: see, that is not of relevance for that discussion
07:26 < Bushmills> in the whole country?
07:26 < hyper_ch> yes
07:26 < rob0> haha I know some folks who have miles of private road
07:26 < Bushmills> more than i have personally
07:27 < hyper_ch> Bushmills: but why do you think you are required to have a valid driver licence in order to be legally allowed to drive a car?
07:28 < Bushmills> to demonstrate that you have received lessons for steering a car where it may affect wellbeing of others
07:29 < Bushmills> to demonstrate that you are deemed fit to do so
07:29 < hyper_ch> Bushmills: pretty close... a car is by law regarded as inherently dangerous thing to operate
07:29 < hyper_ch> for safe-guarding the other people you have to prove that you know the basic rules on how to operate it safely
07:29 < hyper_ch> hence you also have a Gefährdungshaftung while driving a car
07:30 < hyper_ch> applying this now for internet access
07:30 < Bushmills> that applies to internet, not to wifi
07:30 < hyper_ch> either you have  Kausalhaftung where you are only liable if you have given sufficient cause
07:31 < Bushmills> your are more describing  the requirement to lock your car
07:31 < hyper_ch> if operating a wifi would be considered as inherently dangerous it would also require that you get a wifi-licence to operate a wifi network
07:31 < hyper_ch> operating car != operating a wifi
07:32 < Bushmills> the equivalent of driver license would be administrator training before you are allowed to connect your computer to internet
07:32 < rob0> So back on topic briefly: does "--redirect-gateway local" only assume that the client is on a common physical subnet, or does it check to be sure that it is? The man page implies the former.
07:32 < hyper_ch> if courts stipulate that you are liable just for having an open wifi then the law should require you to get a licence for operating wifis first-place
07:33 < rob0> oooo, an "Internet driver's license"! :)
07:33 < Bushmills> it just routes traffic through openvpn. and adds a host route to vpn server
07:33 < Bushmills> no need for common subnet
07:33 < rob0> the local flag does NOT add the host route
07:34 < hyper_ch> yey, KDE 4.4.2 :)
07:34 < Bushmills> oh, not seen that local
07:34 < Bushmills> the -- grabbed all my attention
07:34 < rob0> "Add the local flag if both OpenVPN servers are directly connected via a common subnet, such as with wireless.  The local flag will cause step 1 above to be omitted." Step 1 being to add the host route to existing gateway.
07:35 < rob0> --
07:36 < Bushmills> yes, in that case there will exist a route to gateway already
07:36 < Bushmills> no need to add another one
07:36 < Bushmills> to openvpn server
07:37 < Bushmills> with common subnet, openvpn traffic will find openvpn server, even with default traffic going through openvpn interface
07:37 < Bushmills> without, traffic wouldn't know how to get to server
07:39 < rob0> Yes, i understand all that, just wondered if it was a conditional redirect.
07:39 < Bushmills> it is control of what routes are added and which ones aren't, the moment connection to vpn takes place
07:40 < Bushmills> later, client may not be able to change routes any longer
07:44 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:18 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
08:19 -!- mode/##openvpn [+o mattock] by ChanServ
08:28 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
08:31 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
08:32 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
08:32 -!- barefoot [~magic@41.123.167.224] has joined ##openvpn
08:33 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 245 seconds]
08:37 -!- barefoot [~magic@41.123.167.224] has quit [Client Quit]
08:37 -!- jnss_ [janes@gateway/shell/sign.io/x-vwlduembtdtjdmud] has joined ##openvpn
08:37 < jnss_> hi guys
08:38 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
08:38 < jnss_> i get this crap when i try running vpn
08:38 < jnss_> Sun Apr 25 11:37:55 2010 us=369409 Cannot load CA certificate file /etc/openvpn/ca.crt (SSL_CTX_load_verify_locations) (OpenSSL)
08:38 < theDoc> Check your filepaths
08:39 < jnss_> it's the same.
08:39 < jnss_> i have this same config file running smoothly on a fedora machine.
08:40 < jnss_> it doesn't want to work and results in said error message on a bsd box
08:40 < theDoc> Are you using a fullpath?
08:41 < jnss_> tried that 
08:42 < jnss_> i'll go back to googling some more
08:43 < theDoc> Sorry mate, no clue at the moment. Trying to figure out how to make use target="frame_name" in css.
08:45 < jnss_> bet there's a chan for css ;p
08:47 < theDoc> There is, I'm looking at it.
08:52 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 265 seconds]
09:56 < ralphte> for remote users the server doe snot need to have a network route doe sit
10:04 -!- AwayML [~AndyML@pool-173-49-144-213.phlapa.fios.verizon.net] has joined ##openvpn
10:04 < AwayML> is it possible to run openvpn without encryption at all?
10:09 < Bushmills> had you looked at the man page, you could have told
10:09 < AwayML> Bushmills: just saw that
10:09 < Bushmills> it even says *how* to do that
10:10 < AwayML> i googled it a couple different times and never came up with anything related. even looked through the sample configs for just such an option - didn't think to look at the man pages.
10:10 < AwayML> of course not everyone's installation is the same... alauppe-mbp-3:~ alauppe$ man openvpn
10:10 < AwayML> No manual entry for openvpn
10:11 < AwayML> either way, thanks.
10:11 < ralphte> the big question is why there are better tunnling protocol then openvpn when you take away the secruity
10:11 < Bushmills> http://doc.scarydevilmonastery.net/cgi-bin/dwww/usr/share/man/man8/openvpn.8.gz?type=man
10:11 < vpnHelper> Title: openvpn(8) - Man pages (at doc.scarydevilmonastery.net)
10:14 < AwayML> ralphte: i'm open to other tunnels, but i need something that can be easily run across the public internet to clients with dynamic ip's, being nat routers. 
10:15 < AwayML> since i was already somewhat familiar with openvpn, it seemed to me a decent solution. the protocols we're planning on using across the tunnels are already encrypted.
10:15 < AwayML> ralphte: i'm open to other tunnels, but i need something that can be easily run across the public internet to clients with dynamic ip's, being nat routers * that we don't have control over or access to.
10:26 < jnss_> i have this problem http://www.mail-archive.com/misc@openbsd.org/msg78074.html
10:26 < vpnHelper> Title: Re: how to debug 'starting network' hangs (at www.mail-archive.com)
10:26 < jnss_> the solution is: >> echo 'ERROR: cannot start openvpn; file /usr/local/sbin/openvpn is missing.'
10:26 < jnss_> >> fi
10:26 < jnss_> > 
10:27 < jnss_> > Don't start openvpn there. Stick it in your /etc/hostname.tunX file like so:
10:27 < jnss_> would anyone happen to know how to stick openvpn in /etc/hostname.tunX? 
10:29 < Bushmills> "file /usr/local/sbin/openvpn is missing"  .. where is your openvpn executable?
10:29 < Bushmills> if on /usr/sbin/openvpn, you may have to correct the path
10:30 < Bushmills> and why not start it from  /etc/init.d/openvpn?
10:32 < jnss_> no, this is my error message http://pastie.org/934118.txt
10:32 < jnss_> Sun Apr 25 13:31:37 2010 us=465815 Tried opening /dev/tap254 (failed): No such file or directory (errno=2)
10:32 < jnss_> Sun Apr 25 13:31:37 2010 us=465845 Tried opening /dev/tap255 (failed): No such file or directory (errno=2)
10:32 < jnss_> Sun Apr 25 13:31:37 2010 us=465861 Cannot allocate TUN/TAP dev dynamically
10:32 < jnss_> Sun Apr 25 13:31:37 2010 us=465885 Exiting
10:33 < jnss_> i don't know what that is about
10:34 < Bushmills> does your kernel have support for tun/tap?
10:38 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
10:52 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:56 -!- kslen [~idkfa@static229-147.adsl.no] has quit [Ping timeout: 245 seconds]
11:05 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
11:06 -!- WormFood [~wormfood@58.60.222.42] has quit [Ping timeout: 276 seconds]
11:18 -!- WormFood [~wormfood@121.35.147.137] has joined ##openvpn
11:19 -!- kslen [~idkfa@static229-147.adsl.no] has joined ##openvpn
11:20 -!- jnss_ is now known as jnss
11:37 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:46 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
11:53 -!- yesi [~yesi@bgl93-2-82-227-160-53.fbx.proxad.net] has joined ##openvpn
12:09 < jnss> Bushmills, yes.
12:09 < jnss> issue is the bsd jail i wanted vpn tunnel to run from
12:09 < jnss> apparently there is no way you can run the required openvpn ifconfig command inside a jail
12:34 -!- Kattalunikes [~Marco@p5B0CA619.dip0.t-ipconnect.de] has joined ##openvpn
12:35 < Kattalunikes> hi
12:35 < bandini> what's the gui client people use on windows nowadays? (securepoint's?)
12:36 < Kattalunikes> Is there a way to create a client-config, that let's the server access the clients network?
12:37 < Bushmills> yes. just the same as other way around
12:40 < Kattalunikes> :)
12:40 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
12:40 < rob0> jnss, it might work with a preconfigured tun or tap device, see --dev-node in the man page.
12:41 < Kattalunikes> openvpn is so complicated ...  ;)
12:46 < Bushmills> openvpn? or setting routes properly?
12:47 < Kattalunikes> setting up everything
12:47 < Bushmills> like, making client connect to server?
12:50 < Kattalunikes> yup .. and certificates and stuff
12:51 < Bushmills> ah. answer to that is probably: "because openvpn uses ssl"
12:52 < Bushmills> setting up, say, https with apache  is similar 
12:52 < Kattalunikes> ^^ .. mumble does, too , but it is made to create certificates itself
12:53 < Bushmills> that's maybe installation scripts, doing that?
12:55 < Kattalunikes> some kind of .. when you start it, it generates a certificate and stores it in an sqlite-db (with all the other stuff like users)
12:57 < Kattalunikes> i want to be able to connect with friends to play, but without hamachi
12:57 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:58 < rob0> If all you want is a simple point-to-point (or single site-to-site) tunnel, "peer" mode is easier and does not require SSL. See the 1.x HOWTO if so.
13:06 < Kattalunikes> the line "route 0.0.0.0 0.0.0.0" means that the client or server will route ?
13:13 < jnss> rob0, but it still will need to update the ip using ifconfig
13:13 < jnss> and as that is not doable from inside a jail
13:14 < jnss> well, i dont know what benefit --dev-node will have ;)
13:18 < Kattalunikes> hmm .. i don't know if i got everything right.. will i connect 2 networks if i'd use this configurations? http://pastebin.com/z688abK2
13:23 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
13:45 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has quit [Read error: Connection reset by peer]
13:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
13:59 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has joined ##openvpn
13:59 -!- eKKiM [~ekkim@d5152FCBD.static.telenet.be] has joined ##openvpn
13:59 < eKKiM> !welcome
13:59 < vpnHelper> eKKiM: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:59 < eKKiM> !redirect
13:59 < vpnHelper> eKKiM: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:59 < eKKiM> !ipforward
13:59 < vpnHelper> eKKiM: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
14:00 < eKKiM> !linipforward
14:00 < vpnHelper> eKKiM: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
14:01 -!- eKKiM [~ekkim@d5152FCBD.static.telenet.be] has quit [Client Quit]
14:05 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
14:10 -!- kslen [~idkfa@static229-147.adsl.no] has quit [Ping timeout: 276 seconds]
14:22 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has quit [Read error: Connection reset by peer]
14:23 -!- kslen [~idkfa@static229-147.adsl.no] has joined ##openvpn
14:25 < Kattalunikes> !route
14:25 < vpnHelper> Kattalunikes: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:30 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has joined ##openvpn
14:36 -!- Kattalunikes [~Marco@p5B0CA619.dip0.t-ipconnect.de] has left ##openvpn []
14:42 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has quit [Read error: Connection reset by peer]
14:42 -!- mudassar [~quassel@h85-8-0-70.static.se.alltele.net] has joined ##openvpn
14:45 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
14:50 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has joined ##openvpn
14:51 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has quit [Read error: Connection reset by peer]
14:59 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has joined ##openvpn
15:01 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
15:04 -!- mudassar [~quassel@h85-8-0-70.static.se.alltele.net] has quit [Remote host closed the connection]
15:06 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has quit [Read error: Connection reset by peer]
15:13 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has joined ##openvpn
15:13 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has quit [Read error: Connection reset by peer]
15:14 -!- barefoot [~magic@mail.pharmed.co.za] has joined ##openvpn
15:15 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 268 seconds]
15:22 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has joined ##openvpn
15:33 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has quit [Read error: Connection reset by peer]
15:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
15:35 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
15:38 < krzee> Bushmills, that bash FAQ in the topic in the other chan is awesome!
15:41 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has joined ##openvpn
15:42 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has quit [Read error: Connection reset by peer]
15:42 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
15:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
15:49 -!- magic_1 [~magic@41.123.167.224] has joined ##openvpn
15:50 -!- magic_1 [~magic@41.123.167.224] has quit [Changing host]
15:50 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
15:50 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has joined ##openvpn
15:53 -!- barefoot [~magic@mail.pharmed.co.za] has quit [Ping timeout: 240 seconds]
15:54 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has quit [Read error: Connection reset by peer]
15:55 -!- qfr [void@unaffiliated/yw] has joined ##openvpn
15:55 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has joined ##openvpn
15:56 < qfr> !welcome
15:56 < vpnHelper> qfr: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:59 < qfr> I want to have my entire outgoing traffic go through a remote server I have internet access to. I don't want my IP to be visible to the outside world for any TCP/UDP stuff I run through that server. Currently the server is only running SOCKS5 but I can put other stuff on it, too. The local operating system is Arch Linux (on a Windows 7 host). Is OpenVPN any good for this or should I be looking at other programs?
15:59 < qfr> The first I tried was dante socksify but the bind() fails with it hmm
16:00 -!- insane^ [~un@ppp-82-135-91-155.dynamic.mnet-online.de] has quit [Ping timeout: 248 seconds]
16:13 -!- kslen [~idkfa@static229-147.adsl.no] has quit [Ping timeout: 258 seconds]
16:18 -!- DarthGandalf is now known as DarthGandalf|BNC
16:24 -!- DarthGandalf|BNC is now known as DarthGandalf
16:26 -!- kslen [~idkfa@static229-147.adsl.no] has joined ##openvpn
16:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
16:36 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 240 seconds]
16:36 -!- magic_1 [~magic@mail.virtuallogistics.co.za] has joined ##openvpn
16:36 -!- magic_1 [~magic@mail.virtuallogistics.co.za] has quit [Remote host closed the connection]
16:40 < zoredache> qfr: why not just do a redirect-gateway and then setup nat on the tunnel?
16:41 < qfr> zoredache: Is there software to create such redirect-gateways for SOCKS5?
16:42 < zoredache> the suggestion would completely avoid the need for socks
16:43 < zoredache> establish the vpn change your routes so everything crosses the VPN. setup a nat on the VPN interface and your personal address is hidden
16:44 < zoredache> but perhaps you can tell us more about why you think you need a socks5 setup, perhaps I am missing something
16:48 < qfr> zoredache: Oh, I don't
16:48 < qfr> I just thought it was the technically most simple solution
16:48 < qfr> I'm currently just using danted SOCKS5 on the box to run most of my stuff through
16:49 < qfr> Unluckily I have yet to come across a BitTorrent client which supports full socksification natively
16:49 < qfr> Most of the ones which claim to have SOCKS support actually leak most of the data
16:49 < qfr> Totally insecure
16:50 < zoredache> Are you sure the same thing won't happen with openvpn?
16:50 < zoredache> wouldn't it be easier to just run your bt client from the that particular computer?
16:51 < qfr> No, because its local data storage is too small
16:51 < qfr> It has only a 250 GB HDD whereas the local box has around 7 TB now
16:52 < qfr> zoredache: Well if the entire TCP/UDP traffic of the OS was routed through a VPN or whatever it couldn't get leaked, right?
16:52 < zoredache> qfr: that is not true.  many applications include ip addresses withing the payload of a packet
16:52 < zoredache> there is nothing a nat,proxy, or vpn can do that will fix this
16:53 < qfr> Well, it wouldn't even have access to that information, would it?
16:53 -!- yesi [~yesi@bgl93-2-82-227-160-53.fbx.proxad.net] has quit [Ping timeout: 245 seconds]
16:53 < qfr> How would it even get the local ISP IP?
16:54 < zoredache> what is 'it'?
16:54 < zoredache> your local BT client would know your computers address
16:54 -!- yesi [~yesi@bgl93-2-82-227-160-53.fbx.proxad.net] has joined ##openvpn
16:55 < qfr> I'm behind a Linux router, the desktop is running Windows 7 and the VM (where the BT client would run) is running an Arch Linux host
16:55 < qfr> Err guest*
17:00 < qfr> It'd have to pull a trick like connecting to some external server which then tells it its IP in order to retrieve it?
17:00 < qfr> But yeah the easiest solution is just running the stuff on the server itself, I'd just have to come up with a nice interface and it would greatly limit me
17:01 < qfr> Oh I just had a fabulous idea!
17:02 < qfr> Using sshfs
17:02 < qfr> Hahaha
17:02 < qfr> The BT client on the server would simply read/write using sshfs
17:02 < Bushmills> qfr: stun server
17:02 < qfr> stun = ?
17:02 < qfr> Secure tunnel something?
17:04 < Bushmills> http://www.stunserver.org/
17:04 < vpnHelper> Title: stunserver.org (at www.stunserver.org)
17:05 < zoredache> you could also just not use bt to infringe copyright.  That way it won't matter what you download
17:06 < qfr> zoredache that is probably the most secure solution
17:06 < qfr> However, that would utterly depress me and greatly decrease the quality of my life
17:06 -!- qfr [void@unaffiliated/yw] has left ##openvpn []
17:07 -!- qfr [void@unaffiliated/yw] has joined ##openvpn
17:07 < qfr> Woops, left the wrong channel
17:10 < qfr> I had to look for quite some time on both IRC and Googl before anybody even bothered to reply :( it seems this is a surprisingly unpopular topic
17:11 < qfr> Google* even
17:11 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has quit [Read error: Connection reset by peer]
17:19 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has joined ##openvpn
17:48 -!- yesi [~yesi@bgl93-2-82-227-160-53.fbx.proxad.net] has quit [Ping timeout: 260 seconds]
18:01 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:11 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 240 seconds]
18:19 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
18:39 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has quit [Read error: Connection reset by peer]
18:47 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has joined ##openvpn
18:49 -!- [JFET] [~dome@catv-89-133-27-205.catv.broadband.hu] has joined ##openvpn
18:50 < [JFET]> hi all! How can I increase bridge speed using openvpn? I use tap0, and ethtool says it can produce only 10Mbit, which is really not enough for a server that's main purpose is to do openvpn
18:50 < [JFET]> can i somehow bond togethe more tap devices?
19:01 < ralphte> from what i have read tap can can faster then 10mbit
19:01 < ralphte> but i have never tested it
19:01 < ralphte> though it says 10mbit they say you can transfer faster then that
19:02 < ralphte> try a local test with 100mbit links 
19:03 < [JFET]> ethtool says this: # ethtool -s tap0 speed 100
19:03 < [JFET]> Cannot set new settings: Operation not supported
19:03 < [JFET]>   not setting speed
19:03 < [JFET]> and munin graph draws a pretty much flat graph at 10Mbit
19:03 < ralphte> so you do have a local test setup
19:04 < rob0> ethtool says that? Are you sure ethtool is right about that?
19:05 < rob0> No, it can't set the speed, but no, I doubt the 10Mbit limit is correct.
19:06 -!- qfr [void@unaffiliated/yw] has left ##openvpn []
19:10 < [JFET]> hmm. probably you are right, ethtool does not mean anything here
19:11 < [JFET]> I can copy to it from an other 100Base-T connected machine with 2.1MB/s according to scp
19:11 < rob0> What you have discovered is that ethtool is not able to control a tap device. A single tun/tap should be able to handle anything the physical NIC can throw at it, less a tiny bit of software latency.
19:11 < [JFET]> and iptraf also says 25000Kbit/s
19:11 < [JFET]> ok. thanks
19:11 < rob0> Of course tun is going to perform better than tap.
19:12 < rob0> But I suppose you knew that, otherwise you wouldn't have chosen bridging.
19:16 < [JFET]> i chose bridging because i have to serve samba
19:16 < [JFET]> and netbios magic needs the broadcast
19:18 < rob0> !wins
19:18 < vpnHelper> rob0: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
19:18 < rob0> You have a lot of pre-Win95 clients, huh?
19:19 < [JFET]> actually not, but I haven't really used windows in the last 5 years, so i am just starting to learn how is this working.
19:19 < rob0> then you don't need bridging.
19:20 < [JFET]> and is this wins working on any client? I mean we only have vpn, and if he/she writes in \\alpha\hisuser then it will work fine?
19:21 < [JFET]> i have XPs, win7, standalone and domain-enabled machines mixed as well
19:21 < rob0> Offer void where taxed or prohibited by law, or if you failed to set it up properly in smb.conf(5) and at the clients.
19:22 < [JFET]> so i have to modify clients as well?
19:23 < [JFET]> that won't work i'm afraid
19:23 < rob0> you have to tell them who is their WINS server
19:24 < ecrist> evening, folks
19:24 < rob0> not sure if they can discover that on their own, probably not, unless you tell the dhcpd
19:24 < ecrist> can someone setup my vpn for me?
19:24 < rob0> ecrist: sure.
19:24 < rob0> ecrist: done. YW.
19:24 < ecrist> w00t
19:24 < [JFET]> hmm. if dhcp is enough, then vpn can send WINS setting. I hope that they'll accept. (i still don't know too much about domain-enabled XPs)
19:41 < krzee> ecrist, openvpn-confgen.tgz and ssl-admin will set it up for you
19:41 < krzee> ;]
19:41 < krzee> !confgen
19:41 < vpnHelper> krzee: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
19:43 < krzee> i dont think i need to !ssl-admin since you happen to be its author :-p
19:45 < ecrist> ugh, bash scripting.
19:45 < ecrist> :\
19:45 < krzee> really?
19:46 < ecrist> change it to sh and i'll put it in freebsd ports tree.
19:46 < krzee> i was thinking about bash-afying ssl-admin
19:46 < ecrist> yeah, really.
19:46 < krzee> sh would be a PITA because of the arrays
19:46 < krzee> ahh but with ssl-admin it would be easy to keep it sh
19:46 < krzee> hrm, actually i could make this work in sh
19:46 < ecrist> while i agree that the lack of arrays sucks with sh, bash isn't included by default on many systems.
19:47 < krzee> instead of an array i could do it ugly
19:47 < ecrist> freebsd being one of those systems...
19:47 < ecrist> :)
19:47 < krzee> arg="$arg -Z"
19:47 < krzee> arg="$arg -C whatever"
19:47 < krzee> etc
19:52 < krzee> ill get around to making it work on sh =]
19:55 < ecrist> does it use ssl-admin?
19:55 < krzee> it doesnt do the certs
19:55 < krzee> it compliments ssl-admin well
19:56  * ecrist ponders openvpn metaport
19:56 < ecrist> *openvpn, *ssl-admin, *openvpn-confgen
19:56 < jnss> is ther ANY way
19:56 < krzee> but if i port ssl-admin to sh, i could build them together
19:56 < ecrist> jnss: any way for what?
19:56 < jnss> if someone is spying on every packet being sent over this insecure network
19:57 < ecrist> krzee: ssl-admin is going to be my vfirst c,c++ project
19:57 < jnss> is tehre a chance they can figure out that my ssl traffic to port 443 is not http traffic but vpn traffic
19:57 < jnss> 443 because it needs to be masked as https to get through corporate firewalls and stuff
19:57 < ecrist> jnss: only by the volume, really
19:57 < jnss> ecrist, heh. 
19:58 < jnss> that's cool ;)
19:58 < krzee> ecrist, ahh, thats awesome too
19:58 < krzee> jnss, by encryption as well
19:58 -!- tjz [~pc@bb116-14-172-208.singnet.com.sg] has joined ##openvpn
19:58 -!- tjz [~pc@bb116-14-172-208.singnet.com.sg] has quit [Changing host]
19:58 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
19:58 < jnss> by what, the rsa key? 
19:59 < krzee> LETS SEE IF I CAN FIND IT
19:59 < jnss> you mentioned freebsd
19:59 < krzee> oops c/l
19:59 < jnss> do you happen to know if it is possible to get openvpn clients working inside a bsd jail? 
19:59 < krzee> !fbsdjail
19:59 < vpnHelper> krzee: "fbsdjail" is <thei0s> krzie: if you are interested in the solution: I needed to add to hosts rc.conf the creation of tun0 device, create a special devfs ruleset with tun0 unhiden, configure that it is used in the devfs mount point inside chroot in my jail and specify openvpn --dev tun0 parameter and it seems that this is it... so, thank you for assistance and ideas
19:59 < jnss> nice
20:00 < jnss> that is pretty cool
20:00  * jnss figured out the devfs ruleset alread 
20:00 < jnss> heh
20:00 < jnss> i'll try this when i get home. thanks ;)
20:00 < krzee> ok so...
20:01 < krzee> it could be detected the same way openvpn detects it for port sharing
20:01 < krzee> im trying to find the details again
20:02  * ecrist wants his new laptop to ship already
20:03 < krzee> MBP?
20:04 < krzee> !factoids search port
20:04 < vpnHelper> krzee: No keys matched that query.
20:04 < krzee> bleh
20:04 < krzee> !factoids search share
20:04 < vpnHelper> krzee: No keys matched that query.
20:04  * krzee kicks vpnHelper 
20:04 < krzee> ok well
20:05 < krzee> when i read about how --port-share works, it made me think that openvpn could be detected in a very intelligent firewall
20:06 < ecrist> krzee: !factoids
20:06 < ecrist> :P
20:06 < ecrist> I find a cmd-F <text> is quicker than figuring out vpnHelper's syntax
20:07 -!- [JFET] [~dome@catv-89-133-27-205.catv.broadband.hu] has quit [Quit: Leaving]
20:09 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has quit [Read error: Connection reset by peer]
20:17 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has joined ##openvpn
20:17 < krzee> http://xkcd.com/715/
20:17 < krzee> lol
20:17 < vpnHelper> Title: xkcd: Numbers (at xkcd.com)
20:17 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has joined ##openvpn
20:23 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has quit [Read error: Connection reset by peer]
20:27 -!- jwm [~jwm@dev.dist.us] has left ##openvpn []
20:31 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has joined ##openvpn
20:33 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has quit [Read error: Connection reset by peer]
20:41 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has joined ##openvpn
22:29 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
22:38 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:35 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
23:36 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
--- Day changed Mon Apr 26 2010
00:16 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
00:46 < jnss> !fbsdjail
00:46 < vpnHelper> jnss: "fbsdjail" is <thei0s> krzie: if you are interested in the solution: I needed to add to hosts rc.conf the creation of tun0 device, create a special devfs ruleset with tun0 unhiden, configure that it is used in the devfs mount point inside chroot in my jail and specify openvpn --dev tun0 parameter and it seems that this is it... so, thank you for assistance and ideas
00:47 < jnss> yeah, i think i have tried that
00:47 < jnss> one sec. let me try it again
00:49 < jnss> having done that. trying it 
00:49 < jnss> i get this
00:49 < jnss> Mon Apr 26 03:48:14 2010 us=560138 WARNING: Since you are using --dev tun, the second argument to --ifconfig must be an IP address.  You are using something (255.255.255.128) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
00:49 < jnss> openvpn: writing to routing socket: No such process
00:49 < jnss> Mon Apr 26 03:48:14 2010 us=562583 Cannot allocate TUN/TAP dev dynamically
00:55 -!- [mutex]_ [~portn0k@unaffiliated/mutex/x-1106097] has quit [Disconnected by services]
01:02 < jnss> Hmmm screw it. this is never going to work
01:03 -!- sam_ [~sam@210.73.203.83] has joined ##openvpn
01:04 -!- sam_ is now known as Guest26343
01:04 -!- Guest26343 is now known as zheng
01:07 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
01:07 -!- krzie [nobody@unaffiliated/krzee] has quit [Remote host closed the connection]
01:08 -!- insane^ [~un@ppp-82-135-91-155.dynamic.mnet-online.de] has joined ##openvpn
01:09 < rob0> Wow. That is a helpful warning. You didn't understand what it said? "Since you are using --dev tun, the second argument to --ifconfig must be an IP address.  You are using something (255.255.255.128) that looks more like a netmask."
01:12 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
01:20 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
01:33 -!- jnss is now known as ANNA
01:36 -!- zheng [~sam@210.73.203.83] has quit [Quit: Leaving]
01:38 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:38 -!- mode/##openvpn [+o mattock] by ChanServ
03:00 < krzie> new confgen uploaded to web
03:01 < krzie> per ideas on mail list
03:06 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
03:20 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
03:25 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
03:30 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
03:32 < hyper_ch> hi krzie
03:38 < krzie> hey
03:41 < krzie> hows it goin
03:54 < hyper_ch> krzie: fine, and yourself?
03:54 < hyper_ch> just updated my repo generator :)
03:54 < krzie> repo generator?
03:54 -!- no_maam [~no_maam@gate.cdc.informatik.tu-darmstadt.de] has quit [Read error: Connection reset by peer]
03:55 < hyper_ch> krzie: http://repogen.simplylinux.ch :)
03:55 < vpnHelper> Title: Ubuntu Sources List Generator (at repogen.simplylinux.ch)
03:56 < krzie> ahh cool
03:56 < hyper_ch> you use *buntu?
03:57 < krzie> nah basically just freebsd/osx
03:57 < hyper_ch> :)
03:57 < krzie> i once ran ubuntu on my macbookpro, but i ended up not doing it again when i changed hard drives
03:57 < hyper_ch> hehehe :)
03:58 < krzie> i mainly did it to a) play with dual boot on MBP b) use aircrack with my internal adapter c) play with beryl (now compiz)
03:59 < krzie> however, as i look at your generator i cant help but to think we need to work together on my confgen!
03:59 < krzie> my scripts as the backend, your web code as the frontend!
03:59 < hyper_ch> how does your confgen work?
03:59 < krzie> !confgen
03:59 < vpnHelper> krzie: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
03:59 < hyper_ch> sources lists are simple :)
03:59 < krzie> it has a CLI frontend right now
04:00 < hyper_ch> bash is good :)
04:00 < krzie> but the CLI apps that do the work are made with a new frontend in mind
04:00 < krzie> i seperated them, and made the apps that actually generate configs non-interactive
04:00 < krzie> they take it all at the commandline
04:01 < hyper_ch> why not using... hmmm... zenity?
04:01 < krzie> whats zenity?
04:01 < hyper_ch> zenity is a simple way of making bash script interactive with gui
04:01 < krzie> interesting
04:01 < krzie> !google zenity
04:01 < vpnHelper> krzie: Zenity | freshmeat.net: <http://freshmeat.net/projects/zenity>; Zenity Manual: <http://library.gnome.org/users/zenity/stable/>; Zenity - GNOME Live!: <http://live.gnome.org/Zenity>
04:02 < hyper_ch> (however it requires to have zenity installed)
04:02 < krzie> oh
04:02 < krzie> well then thats why!
04:02 < krzie> ;]
04:03 < hyper_ch> I don't mind cli only
04:03 < krzie> hell, if nobody makes a web frontend ill likely be changing a couple things to remove the bash dependancy 
04:03 -!- no_maam [~no_maam@gate.cdc.informatik.tu-darmstadt.de] has joined ##openvpn
04:03 < hyper_ch> ok, one could also say that people who want to setup openvpn server should know their way around bash and cli
04:03 < krzie> even if they only use windows ;]
04:04 < krzie> but ya, while you are right, they should also read the manual and not follow random walkthroughs on the web
04:05 < Bushmills> wouldn't whiptail or dialog be a better choice for interactivity, due to those working on console as well?
04:06 < hyper_ch> krzie: typo: What user do you want to drop privledges to after startup? --> priviledges
04:06 < Bushmills> ledger?
04:07 < hyper_ch> isn't the source code documentation enough? ^^
04:07 < Bushmills> sorry, your correction contains a typo :D
04:07 < krzie> privileges 
04:08 < hyper_ch> Bushmills: what I say is always correct
04:08 < krzie> according to my xchat spellcheck ;]
04:08 < hyper_ch> you all type it wrong :)
04:08 < krzie> thanx, fixing now
04:08 < Bushmills> that must be right, then
04:09 < hyper_ch> geee, your confgenerator takes like forever
04:09 < Bushmills> there is no right or wrong. there is only hyper_ch-approved and lacking-hyper_ch-approval :D
04:10  * hyper_ch gives cookies and beer to Bushmills
04:10 < krzie> it takes a long time to run? its instantaneous for me
04:10 < krzie> or you mean it asks a lot of stuff
04:10 < hyper_ch> to answer all those questions
04:10 < krzie> haha ya
04:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
04:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
04:11 < Bushmills> mybe having each question followed by "Are you sure? (y/n)" would be helpful?
04:11 -!- dazo_afk is now known as dazo
04:12 < hyper_ch> and each question with a default answer already would be good
04:12 < hyper_ch> people like me have no clue what subnets etc. are :)
04:12 < krzie> ya the default answer thing was mentioned on the mail list, that is going to be done
04:13 < krzie> so if you hit enter the default is used
04:13 < krzie> currently it has an ie: for people like you ;]
04:14 < krzie> hyper_ch, you know you wanna make a frontend html for the openvpn-confgen!
04:14 < hyper_ch> I'm not very good at designing appealing webpages
04:14 < hyper_ch> mine need to be functional :) see my repo generator :)
04:14 < krzie> appealing??
04:15 < krzie> screw looks, i want something like your repo-gen
04:15 < krzie> your repogen is the reason i asked!
04:15 < hyper_ch> hehehe :)
04:15 < hyper_ch> shouldn't be too hard actually to create something like that
04:16 < hyper_ch> question is only how static / extendable do you want it to be :)
04:18 < krzie> ild be very happy to answer anything as they come up
04:19 < krzie> or of course you could make it to your tastes and edit based on feedback (thats what ive done with my CLI version)
04:21 < hyper_ch> :)
04:21 < krzie> haha zenity is gtk, i dont even have a box with gui except my apples
04:22 < hyper_ch> ok :)
04:23 < hyper_ch> I think with jquery and jquer ui there could be easily done something that supports 1 server config and multiple client configs
04:24 < hyper_ch> easily = not too complicated
04:25 < hyper_ch> the questionnaire remains all the same for the different client, right?
04:25 < krzie> basically yes
04:26 < krzie> in fact the only thing that changes between clients is the keydir
04:27 < hyper_ch> keydir changes?
04:27 < krzie> and if they have lans behind them, but thats actually part of server setup not client
04:27 < krzie> like /path/to/keys
04:27 < hyper_ch> ah ok :)
04:27 < krzie> maybe 1 client is windows, other linux, other linux but keys are ~/keys or something
04:27 < hyper_ch> and the name of the client
04:28 < krzie> right, but thats only for the filename
04:28 -!- ralphte [~noway@cpe-065-191-169-179.nc.res.rr.com] has quit []
04:29 < hyper_ch> :)
04:34 < krzie> i think just by running genclient and genserver without args you'll see everything needed
04:34 < hyper_ch> :)
04:34 < krzie> they should stand by themselves well enough to not need to see confgen.sh
04:36 -!- takamichi [~pri@78.133.92.164] has joined ##openvpn
04:37 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Ping timeout: 246 seconds]
04:37 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
04:52 < flok420> i'm having difficulties using a 'up'-script on windows: i always get "script returned 1" and the script is never executed. i tried entering the full path to the script but that didn't help. 
04:52 < flok420> anyone got a suggestion?
04:53 < Bushmills> flok420: did you read manual about  --script-security ?
04:54 < flok420> Bushmills: I set script-security to 3
04:54 < Bushmills> sounds fine
04:54 < Bushmills> wondering why script would return 1 when it's not executed
04:54 < flok420> i've got: script-security 3
04:54 < flok420> up "C:\\Program Files\\OpenVPN\\config\\connect-disks.bat"
04:55 < flok420> if I run the script manually, it runs fine
04:56 < Bushmills> how do you know that it's not executed?
04:56 -!- iladm [~tobias@port-83-236-198-134.static.qsc.de] has joined ##openvpn
04:56 < flok420> Bushmills: because it does a net use, and the drive it tries to map is not connected
04:57 < iladm> Is there a mechanism to rename the interface installed on windows while it is installing it?
04:57 < Bushmills> but that could also happen when the script is executed, but just fails, right?
04:57 < krzie> iladm, during install? no
04:57 < flok420> Bushmills: yes. but if i run it manually, the drive mapping succeeds
04:58 < krzie> flok420, http://www.robvanderwoude.com/errorlevel.php
04:58 < Bushmills> add a line like    echo foo > filewithpathandnameofyourchoice
04:58 < iladm> i want to have the virtual interface from windows not named "LAN Verbindung2" I want it to name it like '"opnvon" or so. Is there a howto or script?
04:58 -!- Cope [~stephen@li145-168.members.linode.com] has left ##openvpn []
04:59 < Bushmills> as one of the first actions the script executed ...
04:59 < krzie> or echo out the error code and see why it returns 1 while it can execute well
05:00 < flok420> Bushmills: it's in the first line, no file is created
05:00 < Bushmills> i'm out of ideas then
05:01 < krzie> if you actually set errorlevel, nothing will overwrite it
05:01 < krzie> so if you are sure it works, you can set errorlevel=0
05:02 < krzie> but if it DOES error, openvpn wont know
05:02 < flok420> krzie: yes, but the script is not executed at all
05:02 -!- iladm [~tobias@port-83-236-198-134.static.qsc.de] has left ##openvpn []
05:03 < krzie> you almost have me ready to setup a win VM
05:04 < krzie> maybe ill get bored at work tomorrow, i have a win VM there
05:07 < flok420> ok i fixed it
05:07 < krzie> how?
05:07 < flok420> i had the full path in the config, e.g.: up "c:\\program files\\etc" -> that doesn't work because of the space between program and files
05:07 < flok420> furthermore i renamed it from .cmd to .bat
05:07 < flok420> now it all works
05:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
05:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
05:08 < krzie> you sure full path doesnt work after the rename?
05:08 < krzie> cause that is important to know, surprised i hadnt heard of that before
05:08 < flok420> what do you mean?
05:08 < krzie> after .bat
05:08 < flok420> yes, i'm sure
05:09 < krzie> cool, thx
05:09 < flok420> if i run the commandline version of openvpn, it says "c:\program not found"
05:09 < flok420> also; the gui-version still doesn't work
05:09 < krzie> ahh
05:09 < krzie> whats in the log about it?
05:10 < flok420> only "script failed: returned error code 1"
05:11 < flok420> i moved the file to a location without spaces, but still the gui version gives this error code 1 problem
05:11 < krzie> and the CLI works now?
05:11 < flok420> yes
05:18 < flok420> ok back in half an hour, lunch
05:19 < krzie> bring me some
05:19 < krzie> im hungry but not willing to leave this girl sleeping in my bed at my house if im not here
05:29 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
05:30 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
05:33 < flok420> also up C:/Progra~1/OpenVPN/config/myscript.bat doesn't work from the gui
05:34 < krzie> of course it doesnt
05:34 < krzie> double slashes and quotes on windows dirs :-p
05:36 < krzie> oh and you are using 2.1.1 right?
05:36 < flok420> yes
05:36 < flok420> i found a workaround:
05:36 < flok420> my config file is bps.ovpn
05:36 < flok420> so i created a file bps_up.bat in the config-dir
05:36 < flok420> now when I connect, that script gets executed!
05:37 < flok420> so all is fine now \o/
05:37 < krzie> interesting!
05:51 -!- screenn [~screenn@77.222.135.254] has joined ##openvpn
05:51 < screenn> !welcome
05:51 < vpnHelper> screenn: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:56 < flok420> !mitm
05:56 < vpnHelper> flok420: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
06:00 < krzie> !factoids search win
06:00 < vpnHelper> krzie: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', 'win7', 'win_ipfail', 'win2k8', 'sudowin', 'win_tcplimit', and 'winnat'
06:02 < krzie> !learn winscript as a user reported that his --up script was not executed in windows gui. his config was bps.ovpn, he renamed the script to bps_up.bat and put it in the dir with his config... then it worked!
06:02 < vpnHelper> krzie: Joo got it.
06:04 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
06:05 < krzie> screenn, 
06:05 < krzie> !goal
06:05 < vpnHelper> krzie: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:20 < screenn> !goal I want to create a few tunnels by one server
06:20 < vpnHelper> screenn: Error: "goal" is not a valid command.
06:21 < screenn> !goal
06:21 < vpnHelper> screenn: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:21 -!- WormFood [~wormfood@121.35.147.137] has quit [Ping timeout: 265 seconds]
06:24 < krzie> you want a few computers to connect to a single server, nothing more?
06:28 < screenn> I have a server and a clients connected by tls keys, and have an old linux gre tunnels, and now I want to migrate from gre tunnels to vpn tls key based tunnels with my openvpn server  
06:28 < krzie> !sample
06:28 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
06:29 < krzie> remember to upgrade to openvpn 2.1.1 =]
06:29 -!- Diffen2 [~diffen2@mail.feab.se] has joined ##openvpn
06:29 < screenn> !sample A tunnels with full TLS-based security
06:29 < vpnHelper> screenn: Error: "sample" is not a valid command.
06:29 < krzie> !factoids
06:30 < vpnHelper> krzie: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
06:30 < screenn> !sample
06:30 < vpnHelper> screenn: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
06:30 < krzie> and the configs at !sample use TLS for hmac sigs, SSL for control channel and communications channel, and RSA for cert auth
06:31 < krzie> tls static key for hmac*
06:31 < krzie> blowfish cipher for communications chan*
06:32 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 252 seconds]
06:33 < screenn> can I use different rules for different tun ifaces in server.conf file?
06:33 < krzie> different rules?
06:33 -!- WormFood [~wormfood@wormfood.net] has joined ##openvpn
06:34 < screenn> for example to use tun0 for openvpn server, and tun1 for firest tunnel, tun2 for second, etc
06:34 < krzie> yes you can specify which static tun interface to use, see the manual --dev
06:34 < krzie> !man
06:34 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
06:34 < screenn> ok
06:34 < krzie> but the server only needs 1 interface for server process
06:34 < krzie> 1 interface per process
06:38 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
06:38 < screenn> how to configure each process? I ran it from scripts but when added both ifaces to server.conf it doesn't run
06:39 < krzie> each config is only for 1 process
06:39 < krzie> the server only uses 1 interface
06:39 < krzie> no matter how many clients connect to it
06:40 < screenn> so, can I create server1.conf and server2.conf for different server processes?
06:40 < krzie> why do you want multiple server processes?
06:41 < screenn> for example I want to have different tun ifaces for each tunnels
06:41 < krzie> why
06:41 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
06:42 < screenn> or I want to use a tunnel with  static-key  security for one tunnel, and with tls based for other
06:42 < krzie> w h y
06:43 -!- WormFood [~wormfood@wormfood.net] has quit [Ping timeout: 276 seconds]
06:43 < screenn> good question :)
06:44 < krzie> seems to be, it has yet to be answered
06:45 < screenn> ok, real reason what I have, I want to create tunnels separated from openvpn server to another network, and restrict access for this network by firewall rules
06:46 < krzie> then why didnt you ask how to do that!
06:46 < krzie> lol
06:46 < krzie> back when !goal
06:46 < krzie> !route
06:46 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
06:46 < krzie> !c2c
06:46 < vpnHelper> krzie: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
06:46 < vpnHelper> krzie: behind other clients
06:47 < krzie> you may find this handy:
06:47 < krzie> !confgen
06:47 < vpnHelper> krzie: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
06:48 < screenn> ok, thanks
06:48 < krzie> it does not do input validation yet, so be careful to understand the questions and look at the examples
06:50 < screenn> yet one question: "push "route"" isn't works, is it problem of iproute version?
06:51 < krzie> show me the line you have in your config
06:59 -!- WormFood [~wormfood@wormfood.net] has joined ##openvpn
06:59 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
07:14 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 276 seconds]
07:16 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has quit [Ping timeout: 264 seconds]
07:18 -!- WormFood [~wormfood@wormfood.net] has quit [Ping timeout: 246 seconds]
07:31 -!- WormFood [~wormfood@121.35.147.137] has joined ##openvpn
07:40 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
07:42 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
07:51 -!- Diffen2 [~diffen2@mail.feab.se] has quit [Ping timeout: 276 seconds]
07:51 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
07:55 -!- Diffen2 [~diffen2@mail.feab.se] has joined ##openvpn
08:25 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has joined ##openvpn
08:30 -!- Bloodsong [~Nimbus@bas2-barrie18-1178019924.dsl.bell.ca] has joined ##openvpn
08:35 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Quit: mirco]
08:38 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:40 -!- Diffen2 [~diffen2@mail.feab.se] has quit [Quit: This computer has gone to sleep]
08:50 -!- ANNA is now known as jnss
08:58 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Quit: Leaving]
09:15 -!- mithridates [~chatzilla@142.166.49.129] has joined ##openvpn
09:25 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
09:28 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 245 seconds]
09:29 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
09:34 -!- takamichi [~pri@78.133.92.164] has quit [Ping timeout: 264 seconds]
09:35 -!- takamichi [~pri@78.133.92.164] has joined ##openvpn
09:36 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
09:59 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
10:00 -!- sanderj [~sanderj@195.204.103.72] has joined ##openvpn
10:01 -!- sanderj_ [~sanderj@195.204.103.72] has quit [Ping timeout: 240 seconds]
10:03 -!- donavan [~donavan@unaffiliated/donavan] has left ##openvpn ["Leaving"]
10:12 -!- mithridates [~chatzilla@142.166.49.129] has quit [Ping timeout: 240 seconds]
10:17 -!- mudassar [~quassel@h85-8-0-70.static.se.alltele.net] has joined ##openvpn
10:17 -!- mudassar [~quassel@h85-8-0-70.static.se.alltele.net] has quit [Remote host closed the connection]
10:20 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
10:24 -!- DammitJim [~Elive_use@204.15.142.18] has joined ##openvpn
10:25 < DammitJim> what are the disadvantages of using the same client key on different machines?
10:26 < ScriptFanix> how is the server supposed to differentiaite each client then ?
10:26 < DammitJim> does it need to?
10:26 < ScriptFanix> yup, it needs to know where to send packets
10:29 < ecrist> wrong
10:30 < ecrist> DammitJim: if you've got a very simply VPN, you can share certificates amongst different clients.
10:30 < DammitJim> ecrist, yeah, it's a very simple configuration
10:30 < DammitJim> it's for 3 friends
10:30 < ecrist> if you need to do things on the server side, say setup firewall rules or send specific routes, you will need, or likely want separate certs for those users.
10:30 < DammitJim> I only generated 3 certificates
10:30 < ecrist> then you'll be fine.
10:30 < DammitJim> and now another friend wants in
10:31 < DammitJim> so, I didn't know what to do... I don't have the original files to re-generate the stuff
10:31 < ecrist> just add duplicate-cn to your config
10:31 < DammitJim> and it'll be a pain to update all other 3 clients
10:31 < DammitJim> ok, I added duplicate-cn from what I had been reading
10:31 < DammitJim> thank you
10:32 < ecrist> npn
10:35 < DammitJim> ecrist, do I add duplicate-cn to the client configs or the server configs?
10:35 < ecrist> server config
10:35 < DammitJim> thanks
10:41 -!- Netsplit *.net <-> *.split quits: simplechat, dunc, MattJD
10:42 -!- Netsplit over, joins: simplechat, MattJD, dunc
10:52 < mythmon> are there any useful links for setting up a vpn to route all traffic, but only for specific clients?
10:54 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Read error: Operation timed out]
10:55 < ecrist> mythmon: just add the default gateway directive to those clients.
10:58 < mythmon> and what would that look like?
10:59 -!- mithridates [~chatzilla@142.166.49.129] has joined ##openvpn
11:00 -!- openvpn2009 [~admin@adsl-71-140-186-185.dsl.pltn13.pacbell.net] has quit [Ping timeout: 248 seconds]
11:00 -!- DammitJim [~Elive_use@204.15.142.18] has left ##openvpn ["I ♥ Elive"]
11:04 -!- mithridates [~chatzilla@142.166.49.129] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.5/20091102141836]]
11:05 -!- WormFood [~wormfood@121.35.147.137] has quit [Ping timeout: 245 seconds]
11:06 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
11:07 -!- macsppadic [~sonupunno@82.109.74.162] has left ##openvpn []
11:08 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
11:09 -!- kslen [~idkfa@static229-147.adsl.no] has quit [Ping timeout: 276 seconds]
11:12 -!- openvpn2009 [~admin@adsl-71-140-186-185.dsl.pltn13.pacbell.net] has joined ##openvpn
11:12 -!- mode/##openvpn [+o openvpn2009] by ChanServ
11:18 -!- WormFood [~wormfood@121.34.202.131] has joined ##openvpn
11:19 < WormFood> WTF? I'm getting a boat load of "FRAG TTL expired" in my log files...what is going on?\
11:19 < WormFood> google is no help
11:19 < WormFood> and NOW I'm getting a boat load of " bad source address from client" on a different client...WTF?
11:21 -!- DarthGandalf is now known as DarthGandalf|BNC
11:21 < screenn> !routing
11:22 < vpnHelper> screenn: Error: "routing" is not a valid command.
11:22 < screenn> !route
11:22 < vpnHelper> screenn: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:22 -!- kslen [~idkfa@static229-147.adsl.no] has joined ##openvpn
11:23 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:24 < screenn> !iroute
11:24 -!- DarthGandalf|BNC is now known as DarthGandalf
11:24 < vpnHelper> screenn: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
11:25 < WormFood> which issues are those supposed to address?
11:25 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has quit []
11:36 -!- kslen [~idkfa@static229-147.adsl.no] has quit [Ping timeout: 240 seconds]
11:37 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
11:48 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
11:50 -!- dunc [~dunc@2a01:348:1d2:1212:219:d2ff:febd:78f] has quit [Ping timeout: 276 seconds]
12:02 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
12:19 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
12:26 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:28 < rob0> "bad source address from client" means a client is pushing traffic through the VPN that the server does not know how to handle.
12:29 < rob0> "Expired TTL" might mean a routing loop.
12:31 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
12:56 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
13:03 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 276 seconds]
13:04 -!- X-Raimo_nbook [~alexmurav@109.252.53.196] has joined ##openvpn
13:04 -!- X-Raimo_nbook [~alexmurav@109.252.53.196] has left ##openvpn []
13:25 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
13:28 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
13:57 -!- dazo is now known as dazo_afk
14:02 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
14:02 -!- mattock1 [~samuli@dyn55-11.yok.fi] has joined ##openvpn
14:02 -!- mode/##openvpn [+o mattock1] by ChanServ
14:04 -!- mattock2 [~samuli@dyn55-11.yok.fi] has joined ##openvpn
14:04 -!- mattock1 [~samuli@dyn55-11.yok.fi] has quit [Client Quit]
14:06 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
14:06 -!- mattock2 [~samuli@dyn55-11.yok.fi] has quit [Read error: Connection reset by peer]
14:06 -!- mattock1 [~samuli@dyn55-11.yok.fi] has joined ##openvpn
14:06 -!- mode/##openvpn [+o mattock1] by ChanServ
14:08 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
14:17 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
14:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
14:26 -!- KuArZo [~kuarzo@kuarzo.freebsd.cl] has joined ##openvpn
14:29 -!- bobly [~bobly@dyn-109-169-34-221.connexionplus.com] has joined ##openvpn
14:29 -!- KuArZo [~kuarzo@kuarzo.freebsd.cl] has left ##openvpn []
14:30 < bobly> !welcome
14:30 < vpnHelper> bobly: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:31 < bobly> !goal
14:31 < vpnHelper> bobly: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:32 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
14:33 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
14:34 -!- f1assistance1 [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
14:35 -!- f1assistance1 [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
14:38 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
14:38 < bobly> Well I don't think I fall under any of these categories so let's go for it :) I've got an established OpenVPN tunnel from a WRT54GL w/ DD-WRT (VPN) to a commercial VPN provider for which the primary use is to stream video. However I have found bandwidth to be considerably reduced to the point where streaming is barely feasible. No VPN = ~5000 kbps, L2TP = ~3500 kbps, OpenVPN = ~1000 kbps.     I would stick to L2TP but that crashes my 
14:38 < bobly> modem :P Is there any way I can somehow optimise bandwidth for video streaming? I'm currently examining bandwidth with MTU set to 1300 (not much better), next I'm going to try disabling comp-lzo (can I just remove that line or do I have to specify NO compression somehow?).
14:38 -!- krzee [~k@unaffiliated/krzee] has quit [Remote host closed the connection]
14:40 -!- Bloodsong [~Nimbus@bas2-barrie18-1178019924.dsl.bell.ca] has quit [Quit: Leaving]
14:41 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
14:42 < bobly> Diagram of home network: http://i42.tinypic.com/21mr9u8.png   /   Bandwidth graph with OpenVPN: http://i43.tinypic.com/xlxj6p.png
14:44 < krzee> i love it
14:48 -!- havoc [~havoc@neptune.chaillet.net] has quit [Ping timeout: 265 seconds]
14:59 < bobly> Oh well bbl, time to fiddle with more settings but connection is gonna drop :)
14:59 -!- bobly [~bobly@dyn-109-169-34-221.connexionplus.com] has quit [Quit: Leaving]
14:59 < krzee> did he have a question?
15:05 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
15:14 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
15:16 -!- mattock1 [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:17 -!- bobly [~bobly@dyn-109-169-34-221.connexionplus.com] has joined ##openvpn
15:22 -!- bobly [~bobly@dyn-109-169-34-221.connexionplus.com] has quit [Read error: Connection reset by peer]
15:27 -!- tiav [~tiav@ram94-3-82-225-11-215.fbx.proxad.net] has joined ##openvpn
15:33 <@openvpn2009> apparently not :-)
15:33 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit []
15:34 < hyper_ch> krzee: help :)
15:34 < krzee> openvpn or html confgen?
15:35 < hyper_ch> krzee: html confgen :) can you give me a list of the required and optional parameters that you want to ask for?
15:35 < krzee> yay!
15:35 < hyper_ch> and shall the output be in boxes or a tgz file or soemthing?
15:36 < krzee> output should be zip'ed so win users can access too
15:36 < hyper_ch> and can you give me your bank account number and pin code to your card? :)
15:36 < krzee> optional / required are given in -h for genclient and genserver
15:36 < krzee> dont have a card =]
15:36 < hyper_ch> ebanking access works also :)
15:37 < krzee> i live by cash
15:37 < hyper_ch> !confgen
15:37 < vpnHelper> hyper_ch: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
15:37 < krzee> although i do have some people that handle online transactions for me ;]
15:37 < hyper_ch> you have minions? cool
15:38 < krzee> i do stuff for them too of course ;]
15:38 < hyper_ch> "do stuff for them" like commanding them around for their - and especially your - benefit?
15:38 < krzee> negative
15:39 < krzee> like fixing computers or whatever i can do that they need
15:39 < krzee> everyone needs help with something at some point
15:39 < hyper_ch> :)
15:40 -!- bobly [~bobly@dyn-109-169-34-221.connexionplus.com] has joined ##openvpn
15:40 < krzee> bobly, i saw your diagrams, but not a question
15:41 < bobly> Oh you joined after :)
15:41 < krzee> yup
15:41 < hyper_ch> maybe he has no questions :)
15:41 < krzee> [13:02]  <bobly> Oh well bbl, time to fiddle with more settings but connection is gonna drop :)
15:41 < krzee> [13:02]  * bobly has quit (Quit: Leaving)
15:41 < krzee> [13:03]  <krzee> did he have a question?
15:41 < krzee> hehe
15:41 < bobly> Yup before lemme find log :P
15:41 < hyper_ch> try /var/log/
15:41 < hyper_ch> ^^
15:42 < krzee> if you see his network diagram, you'll know he knows how to find his logs
15:42 < krzee> hehehe
15:42 < bobly> lmao sarcasm? :P
15:42 < bobly> Coz that diagram was drawn with lovelycharts.com or something XD
15:43 -!- alex_vantWestend [~AvtW@58.37.210.51] has joined ##openvpn
15:43 < krzee> ;]
15:43 < alex_vantWestend> !welcome
15:43 < vpnHelper> alex_vantWestend: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:43 < hyper_ch> hi alex_vantWestend
15:43 < alex_vantWestend> !route
15:43 < alex_vantWestend> hi
15:43 < vpnHelper> alex_vantWestend: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:43 < hyper_ch> he's the first one to use the !welcome command that I've seen in here
15:44 < alex_vantWestend> arf
15:44 < bobly> I used it :(
15:44 < bobly> and !goal :P
15:44 < hyper_ch> since when did people start reading channel topics?
15:44 < bobly> Well I don't think I fall under any of these categories so let's go for it :) I've got an established OpenVPN tunnel from a WRT54GL w/ DD-WRT (VPN) to a commercial VPN provider for which the primary use is to stream video. However I have found bandwidth to be considerably reduced to the point where streaming is barely feasible. No VPN = ~5000 kbps, L2TP = ~3500 kbps, OpenVPN = ~1000 kbps.     I would stick to L2TP but that crashes my 
15:45 < bobly> modem :P Is there any way I can somehow optimise bandwidth for video streaming? I'm currently examining bandwidth with MTU set to 1300 (not much better), next I'm going to try disabling comp-lzo (can I just remove that line or do I have to specify NO compression somehow?).
15:45 < alex_vantWestend> your help system is neat.. (or at least, seems neat)
15:45  * bobly hangs out in support channels for other networks, I know the ordeal :P
15:45 < hyper_ch> bobly: what cpu do you have?
15:45 < bobly> I found out how to disable lzo btw (comp-lzo no) which helped (~1500kbps), wondering what else might help
15:46 < bobly> WTR54GL w/ DD-WRT: 200MHz
15:46 < krzee> bobly, removing compression you can do, but server has to as well
15:46 < krzee> bobly, did you test MTU?
15:46 < krzee> !mtu-test
15:46 < hyper_ch> you run openvpn client or server on the wrt?
15:46 < vpnHelper> krzee: "mtu-test" is you can just use --mtu-test on the client to see what the best mtu for your connection is
15:46 < krzee> you are using UDP, right?
15:46 < krzee> and TUN
15:46 < bobly> hyper_ch, You can run both
15:46 < hyper_ch> but do you?
15:47 < bobly> Oh, client ^^
15:47 < hyper_ch> the wrt router could be just too low powered to be used as server or client with that transfer
15:48 < krzee> be sure to use UDP, and tun, test your MTU
15:48 < hyper_ch> !mtu
15:48 < vpnHelper> hyper_ch: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
15:48 < bobly> Load doesn't go above 1.0, and L2TP was able to do considerably better, I'm using TCP as UDP connectinos weren't being established, about to test MTU
15:48 < bobly> Can I test MTU without dropping the currently running tunnel?
15:49 < bobly> actually lemme just go test it and I'll return :)
15:52 < alex_vantWestend> !howto
15:52 < vpnHelper> alex_vantWestend: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:52 < krzee> !tcp
15:52 < vpnHelper> krzee: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
15:53 -!- bobly [~bobly@dyn-109-169-34-221.connexionplus.com] has quit [Read error: Connection reset by peer]
15:55 -!- geek_cl [~geek@190.54.47.162] has joined ##openvpn
15:56 < alex_vantWestend> guys, I'm at this point where I have my openvpn server running, and my client on OSX running. But I don't know how to edit my routing table, I need all my outgoing traffic to use the VPN (I'm in China...) can anybody help me in pvt maybe?
15:56 -!- flok420 [folkert@keetweej.vanheusden.com] has quit [Excess Flood]
15:56 < krzee> !redirect
15:56 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
15:56 -!- flok420 [folkert@keetweej.vanheusden.com] has joined ##openvpn
15:56 < krzee> what OS is your server?
15:57 < krzee> alex_vantWestend, we help people right here in the channel
15:57 < krzee> what OS is your server?
15:57 -!- [mutex]__ [~portn0k@97-112-135-231.clsp.qwest.net] has quit [Remote host closed the connection]
15:57 < alex_vantWestend> ok my server is redhat 9
15:57 < krzee> !linnat
15:57 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
15:57 < krzee> !linipforward
15:57 < vpnHelper> krzee: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
15:57 < krzee> !def1
15:57 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
15:58 < krzee> use those 3 things, and you're done!
15:58 < alex_vantWestend> I don't have iptables
15:58 < alex_vantWestend> no fw
15:58 < krzee> yes you do, you use linux
15:58 < krzee> you need it
15:58 < krzee> you must NAT the vpn ip
15:59 < Bushmills> (on server)
15:59 < krzee> correct
15:59 < Bushmills> in fact, you don't need that to route all your traffic to server
15:59 < geek_cl> hi guys, i do this http://pastebin.com/HTZqmjA8 bash script for run iptables rules for openvpn , but in my private network can ping/ssh to the vpn_lan
16:00 < Bushmills> but you need that if server is meant to send them on, and return replies to you
16:00 < krzee> geek_cl, i dont understand the question
16:01 < alex_vantWestend> damned 
16:01 < krzee> alex_vantWestend, you use linux, you DO have iptables
16:01 < krzee> and you're going to need to use it :-p
16:02 < alex_vantWestend> so you mean it can NOT work without masquerading? (no I dont I didn't install.. it's a webserver)
16:02 < geek_cl> krzee: openvpn is work, the clients are connected to the vpn server, in that vpn server i put that iptables script http://pastebin.com/HTZqmjA8, but when from my desktop in 192.168.168.=/24 can't get access to ssh in some ip in 192.168.204.0/24 (vpn_network)
16:03 < krzee> theres 2 ways it can
16:03 < krzee> if you have enough inet routable IPs that you can give vpn clients their own inet routable subnet
16:03 < Bushmills> alex_vantWestend: without, the server has no reason to send your traffic out into the world, once it gets there.
16:03 < krzee> 2) if your router can NAT a network which it is not handing out
16:04 < krzee> (your router on server side)
16:04 < krzee> geek_cl, 
16:04 < krzee> !factoids search openvpn
16:04 < vpnHelper> krzee: 'notopenvpn' and 'route_outside_openvpn'
16:04 < krzee> errrr
16:04 < geek_cl> krzee: that is for me or to alex_vantWestend
16:04 < krzee> !route_outside_openvpn
16:04 < vpnHelper> krzee: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
16:04 < krzee> first was to alex_vantWestend, route_outside_openvpn was to you
16:05 < krzee> your router on LAN side must have a return route for VPN subnet
16:05 < krzee> as shown in the cool diagram that reiffert made
16:06 < geek_cl> krzee: very good graph
16:06 < krzee> thanx, i like it too
16:06 < geek_cl> :) 
16:06 < krzee> reiffert made a mockup to show me how it works, i adapted it to my needs for !route
16:07 < geek_cl> !route
16:07 < vpnHelper> geek_cl: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:07 < krzee> for what i suspect your issue is, skip to ROUTES TO ADD OUTSIDE OPENVPN
16:07 -!- bobly [~bobly@dyn-109-169-34-221.connexionplus.com] has joined ##openvpn
16:07 < krzee> bobly, you see my links on using tcp?
16:08 < bobly> Nope last I got was <krzee> be sure to use UDP, and tun, test your MTU
16:08 < krzee> !tcp
16:08 < vpnHelper> krzee: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
16:08 < bobly> I tried to test with --mtu-test but I got an error :/
16:08 < bobly> Changing proto to udp won't connect to the VPN server :/
16:08 < krzee> ya, mtu-test MAY require udp, im not sure
16:09 < krzee> that sucks, if you can find a way to use udp, do it
16:09 < krzee> ie: maybe port 53 udp is allowed
16:09 < bobly> hehe ok, lemme check IPTables
16:09 < bobly> For what it's worth this is already using port 443
16:09 < krzee> still tcp
16:09 < krzee> read those links for good description, 1st link is more technical
16:10 < krzee> 2nd link (by the lead ovpn dev) is less technical, seems the slideshow was aiming at non techs
16:11 < alex_vantWestend> ok I have iptable... As my server is a production server, is it somehow dangerous to follow !linnat !linipforward and !def1  ? like, can it break something? 
16:11 < krzee> make sure you have everything set to allow
16:11 < krzee> !linfw
16:11 < vpnHelper> krzee: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
16:12 < krzee> once everything is set to allow...
16:12 < krzee> then you can NAT the VPNsubnet by following !linnat
16:12 < krzee> make sure !linipforward is enabled (that poses no risk by enabling)
16:13 < alex_vantWestend> you mean !linfw will clear all the rules? can I use !linfw to quickly reset the rules if there is a problem?
16:13 < krzee> make sure everything is set to accept
16:14 < krzee> dont deny anything
16:14 < krzee> then NAT your vpn subnet
16:14 < alex_vantWestend> ok i'll see that
16:16 < bobly> I'll be back in a bit :) Going to try and connect via udp
16:19  * Bushmills wonders about this constellation: somebody allowed to change iptables rules on a production server, without actually knowing iptables
16:19 < alex_vantWestend> yeah I too think it's not a good idea
16:20 < alex_vantWestend> I'm one guy in the company though
16:20 < alex_vantWestend> never needed to configure a firewall before
16:20 < alex_vantWestend> I think I'd better pay for a commercial vpn rather than breaking everything
16:21 < Bushmills> "you mean !linfw will clear all the rules?" what rules, if you haven't set up any?
16:21 < alex_vantWestend> yes I just figured out iptables --list  ... they are no rules set
16:21 < Bushmills> by default there are none
16:22 < Bushmills> just policies.
16:22 -!- bobly_ [~bobly@ANice-754-1-2-186.w90-52.abo.wanadoo.fr] has joined ##openvpn
16:24 < Bushmills> the rules you're about to add don't affect traffic from outside to server.
16:24 < krzee> as i dont use iptables (or linux) i just felt i should say to be sure its all set to ACCEPT
16:25 < Bushmills> just avoid setting INPUT table policy to DROP or REJECT
16:25 -!- zer0 [~zer0@67.159.28.235] has joined ##openvpn
16:25 -!- zer0 is now known as Guest43757
16:25 -!- bobly [~bobly@dyn-109-169-34-221.connexionplus.com] has quit [Ping timeout: 264 seconds]
16:25 < bobly_> krzee, It really doesn't like --mtu-test, is it possible the dd-wrt version is compiled without it?
16:26 < krzee> and you're right to want to test your setup on a non production server
16:26 -!- Guest43757 is now known as yikes_
16:26 < krzee> bobly_, if its not 2.1, yes
16:26 < krzee> in which case, upgrade to 2.1.1
16:26 < bobly_> pr 26 23:24:51 DD-WRT daemon.err openvpn[4125]: Options error: Unrecognized option or missing parameter(s) in /tmp/myvpn/remote.ovpn:25: mtu-test (2.1_rc20)
16:27 < alex_vantWestend> hey, do I still need some NAT if all the computers using the VPN are behind the same LAN? (...)
16:27 < krzee> yes
16:27 < alex_vantWestend> okay..
16:27 < krzee> however, you only actually need 1 vpn node in the LAN
16:27 < alex_vantWestend> the router?
16:28 < krzee> sure, that is best
16:28 < bobly_> How much of a performance impact will setting mtu to 1300 instead of an optimal theoretical 1450 actually have?
16:28 < krzee> makes the rest easier
16:28 < krzee> bobly_, depends on your network
16:28 < Bushmills> do those computers using VPN intend to connect to internet? or just talk to each other?
16:28 < alex_vantWestend> it is not a computer though, apple stuff, not configurable afaik
16:28 < krzee> Bushmills, internet, he is in china
16:29 < Bushmills> i read that. still, he might want to talk to other computer on the LAN only
16:29 < alex_vantWestend> Bushmills: my 3 clients are at home, in China
16:29 < alex_vantWestend> the server is Paris
16:29 < alex_vantWestend> +in
16:30 < Bushmills> you only need NAT if any computer on openvpn want to talk to outside world. internet.
16:30 < krzee> if 1 client runs openvpn, the others can route through it (assuming you correctly configure routing AND the lan behind the client)
16:30 < Bushmills> if none needs internet, NAT is not necessary
16:30 < krzee> right, what Bushmills said
16:31 < alex_vantWestend> ok.. internet is the purpose here
16:31 < Bushmills> NAT needed
16:32 < alex_vantWestend> ok I'll read the commands again, but guess I'll have to read some FM
16:32 < Bushmills> essentially, enabling NAT is a two-liner
16:32 < bobly_> krzee, With UDP I get TLS Error: TLS key negotiation failed to occur within 60 seconds, does that sound like the server isn't set to accept udp?
16:33 < bobly_> (iptables is currently set to allow everything, tcp and udp, in, out and forward)
16:33 < bobly_> (on client, server is commercial, I don't have access to it's conf)
16:33 < krzee> try udp 53
16:33 < krzee> maybe your ISP doesnt allow it
16:33 < krzee> OH
16:33 < alex_vantWestend> Bushmills: when you have the experience it's always like this, but when you don't you need to make mistakes, and I can't make mistakes in this situation :O 
16:33 < krzee> well ya if server doesnt listen for it, you cant connect to it
16:34 -!- yikes_ [~zer0@67.159.28.235] has quit [Quit: yikes_]
16:34 < bobly_> I dunno if it does :) Gonna launch up their live chat and ask if they offer udp
16:34 < krzee> bobly_, you cant configure ANYTHING that we've been talking about without access to the server to change stuff
16:34 < bobly_> :(
16:34 < krzee> you cant change MTU, protocol, port, anything
16:34 < krzee> we kinda assume you control both sides in here :-p
16:34 < Bushmills> even without experience it is still a two-liner :)
16:34 < bobly_> I would but UK servers cost a bomb :P
16:35 < krzee> alex_vantWestend, use a test server :-p
16:35 < krzee> get it right on a test server, THEN do it on production
16:36 < krzee> (and get used to doing that)
16:36 < Bushmills> or put the "closed" sign up
16:36 -!- geek_cl [~geek@190.54.47.162] has quit [Quit: Saliendo]
16:37 < Bushmills> "due to server maintenance, business is temporarily suspended"
16:37 < krzee> "down until we learn how to run our firewall"
16:38 < alex_vantWestend> "due to webmaster craziness, business is seriously compromised"
16:38 < Bushmills> right. running without firewall, you should have had that sign up all the time
16:38 < krzee> LOL
16:39 < alex_vantWestend> really? well it's just a webserver
16:39 < alex_vantWestend> I don't want to slow down everything
16:39 < Bushmills> no sql server on it?
16:39 < alex_vantWestend> sql is on server 2
16:39 < alex_vantWestend> no FW either
16:40 < alex_vantWestend> but there is a password!! 
16:40 < bobly_> krzee, Will setting "mtu 1300" and "comp-lzo no" only on the client side have any effect if not also done on the server side?
16:40 < Bushmills> unless firewall rules get unreasonable complicated, there is no appreciateble slowdown
16:40 < alex_vantWestend> yes but what about configuration
16:41 < alex_vantWestend> it's been like this for years, I didn't spend a minute configuring the FW
16:41 < alex_vantWestend> (except now but I wonder whether I'm going to do it)
16:41 < krzee> bobly_, they must agree on both sides
16:41 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
16:42 < Bushmills> well, it is not my intention to advocate firewalls. it is also not my server.
16:43 < Bushmills> and internet is such a cuddly place that evolution has driven away the bad guys :D
16:44 < bobly_> Krikke, From VPN provider: "No, we changed it to TCP for accessibility reasons
16:44 < bobly_> UDP port 1194 is often blocked, tcp 443 is never blocked"
16:44 < bobly_> Guess I'm stuck on TCP :P
16:44 < alex_vantWestend> Bushmills: yes! that's right, the world is marvellous
16:45 < alex_vantWestend> ok seriously I'll make some reading then I can decide what to do 
16:45 < alex_vantWestend> thank you 
16:46 < bobly_> whoops tab complete >.< krzee :P
16:49 < bobly_> brb rebooting router
16:50 < krzee> let them know they can run 2 server instances
16:50 < krzee> 1 for UDP 1 for TCP
16:50 -!- bobly_ [~bobly@ANice-754-1-2-186.w90-52.abo.wanadoo.fr] has quit [Read error: Connection reset by peer]
16:50 < krzee> (like our resident vpn provider does (thedoc)
16:50 < krzee> )
16:52 -!- bobly_ [~bobly@dyn-109-169-34-221.connexionplus.com] has joined ##openvpn
16:52 < alex_vantWestend> to sum up, I just need those 3 lines?  
16:52 < alex_vantWestend> echo 1 > /proc/sys/net/ipv4/ip_forward
16:52 < alex_vantWestend> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
16:52 < alex_vantWestend> push "redirect-gateway def1"
16:53 < alex_vantWestend> (the last one is in server.conf)
16:53 < bobly_> Oh well I guess you're right, checked the log properly and it looks like lzo IS still enabled, I was running on the assumption that the client still has some say in how it connects :P
16:53 < krzee> yes, HOWEVER
16:53 < krzee> !linipforward
16:53 < vpnHelper> krzee: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
16:53 < krzee> the echo is only til next reboot
16:53 < alex_vantWestend> yep
16:53 < krzee> you want to make it permanent as well
16:53 < alex_vantWestend> I noticed
16:53 < krzee> cool
16:54 < krzee> oh btw
16:54 < krzee> your vpn subnet is 10.8.0.0/24?
16:54 < alex_vantWestend> yes
16:54 < krzee> ok
16:54 < alex_vantWestend> last question
16:54 < krzee> and eth0 is your inet interface?
16:54 < alex_vantWestend> do I need some special modules?
16:54 < alex_vantWestend> yes for eth0
16:54 < krzee> not sure, i dont use linux
16:55 < krzee> (as far as modules)
16:55  * krzee pokes Bushmills 
16:55 < alex_vantWestend> ok I'll first begin with the ip forwarding..
16:55 < alex_vantWestend> see if it can work
16:55 < Bushmills> modules should autoload
16:55 < Bushmills> usually no explicit loading needed
16:55 < krzee> does he need to build them?
16:55 < alex_vantWestend> provided they were compiled :P
16:56 < krzee> ie: is NAT automatically avail when you setup iptables
16:56 < alex_vantWestend> this distrib was installed ages ago
17:00 < alex_vantWestend> if iptables is on the server, does it necessarily imply the packets are running through it, even though I didn't touch a thing?
17:01 < alex_vantWestend> ie. is it running?
17:04 < Bushmills> no, not commonly. 
17:04 < Bushmills> what distribution on server?
17:04 < alex_vantWestend> redhat 9
17:04 < Bushmills> should be fine
17:04 < alex_vantWestend> and another question.. iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERA  -> is this permanent? 
17:04 < alex_vantWestend> or until next reboot
17:05 < Bushmills> not permanent
17:05 < Bushmills> for making it permanent, it needs to be loaded or executed during start
17:06 < alex_vantWestend> ok I'll do this
17:06 < Bushmills> cheapest (but not best) way is probably to stick it into a script which is executed during start.
17:06 < Bushmills> often, /etc/rc.local  is
17:07 < Bushmills> some like to execute it when interface comes up - there can be scripts associated with that event too,.
17:07 < Bushmills> again others run it from a runlevel script.
17:09 < alex_vantWestend> ok! time to test
17:09 < alex_vantWestend> the webserver is still up by the way
17:12 < Bushmills> magic!
17:13 < Bushmills> what do you do to resolve host names?
17:15 -!- alex_vantWestend [~AvtW@58.37.210.51] has quit [Ping timeout: 248 seconds]
17:15 -!- alex_vantWestend [~AvtW@58.37.210.51] has joined ##openvpn
17:16 < alex_vantWestend> to resolve host names.. I set my client to use nameserver from the server but I'm not sure if it's working
17:16 < bobly_> krzee, UDP 53, is that a port which is not normally blocked by firewalls similar to TCP 443?
17:17 < krzee> yes, its for DNS
17:17 -!- alex_vantWestern [~AvtW@sd1351.sivit.org] has joined ##openvpn
17:17 < bobly_> lmao yeah that prob shouldn't be blocked ^^
17:17 < alex_vantWestern> hi again
17:17 < bobly_> Sending an email to VPN sysop asking if he would consider setting up server to listen on UDP :)
17:18 < alex_vantWestern> test
17:18 < alex_vantWestern> ah yes now it's using the vpn for irc I can see 
17:18 < alex_vantWestern> cool
17:18 < alex_vantWestern> next test: facebook..
17:18 < krzee> also give him the links from !tcp
17:18 < bobly_> !tcp
17:18 < vpnHelper> bobly_: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
17:19 < krzee> link #1 is from the openvpn manual
17:19 < krzee> link #2 is from the lead openvpn dev
17:19 < bobly_> :) Cheers, that should add some weight to my argument. Would their be any downside to them running the servers on UDP 53?
17:19 < Bushmills> bobly_: some internet access provider do block that, but between internet servers, especially those provide name services, that's an essential service, not be be blocked
17:20 < krzee> bobly_, they cant do it if that machine runs a NS
17:20 < krzee> bobly_, and they can run 2 VPN servers on the same machine, 1 for tcp 1 for udp
17:20 < Bushmills> access providers usally provide a name server for clients as resolver
17:20 < krzee> as long as they dont use conflicting subnets
17:20 -!- alex_vantWestend [~AvtW@58.37.210.51] has quit [Ping timeout: 240 seconds]
17:21 < bobly_> Ah yeah they offer DNS names soo maybe 53 isnt an option
17:21 < bobly_> but they could just offer default UDP and TCP 443 for those who can't default UDP
17:21 < krzee> if its on the same ip... they MAY have multiple IPs
17:21 < krzee> yup, that is true
17:21 < krzee> either way, they really need to have a udp option
17:22 < krzee> since tcp is to be avoided when possible
17:23 < bobly_> Let's hope the sysop sees reason in my arguments :) Thanks for the info about tcp krzee 
17:24 < alex_vantWestern> it's almost working here
17:24 < krzee> point out where those links came from (not just irc, but the openvpn manual and the lead dev)
17:24 < krzee> if the guy who made openvpn says to avoid tcp, the people using it should listen ;]
17:24 < krzee> especially if they want to earn $ using it
17:26 < bobly_> Done and done :) Hopefully I'll hear back tomorrow
17:26 < bobly_> I hope they agree because so far they've been really good
17:26 < bobly_> Cheap, fast servers, live chat support until 2AM
17:27 < alex_vantWestern> have you got some information for stopping using my ISP dns servers?
17:27 < Bushmills> resolving through your name server on your server should be fine
17:28 < Bushmills> but i understood you run a web server only - then there is no name server :P
17:28 < krzee> !pushdns
17:28 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
17:28 < alex_vantWestern> .p
17:28 < krzee> OR
17:28 < krzee> !dns
17:28 < vpnHelper> krzee: "dns" is (#1) Level3 open recursive DNS server at 4.2.2.1, or (#2) Google open recursive DNS server at 8.8.8.8
17:28 < krzee> you could just use 1 of those
17:28 < alex_vantWestern> thank you krzee
17:29 < krzee> yw
17:30 < alex_vantWestern> 8
17:30 < krzee> 9
17:30 < Bushmills> i you *do* run a name server there, you most likely will have to set it to allow clients from vpn to recurse  
17:31 < krzee> if it setup correctly =]
17:32 < krzee> (since we know you arent rate limiting it in a firewall)
17:32 < alex_vantWestern> what do you mean recurse?
17:33 < alex_vantWestern> is it reverse resolution?
17:33 < alex_vantWestern> or do you mean something else
17:33 < Bushmills> reply to your requests to return ip addresses of host names which are not in its own database
17:33 < Bushmills> (i.e. by asking other name servers)
17:33 < zoredache> the DNS system is a tree.  To lookup an arbitrary record you need to be able to recurse through the tree
17:34 < krzee> !google dns recursion
17:34 < vpnHelper> krzee: Understanding DNS Recursion: <http://www.windowsnetworking.com/articles_tutorials/Understanding-DNS-Recursion.html>; DNS Recursion: <http://www.simpledns.com/help/v50/df_recursion.htm>; WikiAnswers - What does Disable Recursion in DNS mean: <http://wiki.answers.com/Q/What_does_Disable_Recursion_in_DNS_mean>
17:34 < zoredache> the wikipedia article probably states that a lot better
17:34 < alex_vantWestern> will it not be able to do that if I use 8.8.8.8?
17:35 < krzee> it will
17:35 < krzee> as !dns said, it is an open recursive nameserver
17:35 < alex_vantWestern> so I can push "dhcp-option DNS 8.8.8.8"
17:35 < krzee> but you will need a script on the client
17:35 < alex_vantWestern> ok..
17:35 < krzee> for now, just set DNS manually on the client to 8.8.8.8 and test
17:35 < Bushmills> or just edit it into your resolv.conf file
17:35 < krzee> THEN you can worry about making the VPN do it
17:36 < krzee> best to do 1 thing at a time
17:36 < krzee> then when it doesnt work you have less to troubleshoot
17:37 < alex_vantWestern> yeeeeeeeeees
17:37 < alex_vantWestern> it's working very well
17:37 < krzee> =]
17:37 < alex_vantWestern> now I can access everything
17:38 < krzee> congrats on breaking out of the great firewall of china
17:38 < krzee> welcome to the real internet
17:38 < alex_vantWestern> yeah thank you, I would have dropped before if you guys were not so helpful :)
17:38 < alex_vantWestern> so now..
17:38 < alex_vantWestern> I should push 8.8.8.8 ?
17:39 < krzee> depends
17:39 < krzee> if you can use that NS while off the vpn, it doesnt matter
17:39 < alex_vantWestern> yes..
17:39 < alex_vantWestern> guess I'll push it
17:40 < krzee> ok, but you will need a script to actually use what is pushed
17:40 < krzee> unless client is windows
17:40 < alex_vantWestern> less configuration 
17:40 < alex_vantWestern> ah
17:40 < alex_vantWestern> what script to use on OSX?
17:40 < krzee> likely same as linux
17:40 < krzee> update-resolv-conf
17:41 < krzee> !google update-resolv-conf osx openvpn
17:41 < vpnHelper> krzee: [Openvpn-users] Re: OpenVPN startup/DHCP scripts for OS X: <http://openvpn.net/archive/openvpn-users/2006-02/msg00358.html>; [Openvpn-users] Re: /etc/resolv.conf automation: <http://openvpn.net/archive/openvpn-users/2004-10/msg00415.html>; Configure DNS lookups from the terminal - Mac OS X Hints: <http://www.macosxhints.com/article.php?story=20050621051643993>
17:45 < alex_vantWestern> it seems difficult, maybe i'll stick with the google dns if it's working
17:45 < zoredache> if you are on osx, and using tunnelblick you don't need any thing other then what comes as part of tunnelblick
17:45 < alex_vantWestern> cool!
17:45 < zoredache> just make sure the 'use nameservers' box is checked
17:45 < alex_vantWestern> ok that's a good news cause i;m using it
17:45 < alex_vantWestern> okay!
17:45 < alex_vantWestern> great!!!
17:45 < alex_vantWestern> it's 6am45 but it working! youhouu
17:46  * alex_vantWestern pays a beer to everyone
17:47 < krzee> hrm, i wonder if chinese beer is good
17:47 < krzee> ill have to go there sometime and find out!
17:47 < alex_vantWestern> it's not very string
17:47 < alex_vantWestern> strong
17:48 < Bushmills> there are - supposedly - some good brands
17:48 < alex_vantWestern> tsingtao
17:48 < Bushmills> yes, i think that's one of them
17:49 < alex_vantWestern> it's decent, but I think the exported one tastes better (at least in my memories)
17:49 < bobly_> Prob have to abide to different regulations when they export it >.>
17:50 < alex_vantWestern> hopefully they are many imported brands from belgium and many places
17:50 < Bushmills> not french beer, i suppose
17:50 < alex_vantWestern> humm
17:50 < alex_vantWestern> not to my knowing
17:51 < alex_vantWestern> french beers are not so good anyway
17:52 < Bushmills> they are *awful*
17:52 < krzee> Bushmills knows his beer, he is german
17:52 < krzee> i MUST go to germany, if for no other reason, to try the beer!
17:53 < Bushmills> belgium isn't far, there the sampling can continue :D
17:54 < alex_vantWestern> I have to admit, but yes go belgium!
17:54 < Bushmills> i lived near andechs monastery for a while.,
17:54 < Bushmills> (that's southern germany, Bavaria)
17:55 < alex_vantWestern> near or do you mean inside the monastery
17:55 < Bushmills> they produce some quite decent beer. in most part of the country, is it considered a "speciality" item
17:55 < Bushmills> but there, it was the lowest cost beer available in the surrounding supermarkets
17:57 < alex_vantWestern> no wonder why babies drink beer in germany
17:58 < Bushmills> http://www.bov.ch/labels/Germany/ger-andechs-andechser-hell.jpg
17:59 < krzee> a monastery named their beer HELL!>?
17:59 -!- bobly_ [~bobly@dyn-109-169-34-221.connexionplus.com] has quit [Ping timeout: 276 seconds]
17:59 < alex_vantWestern> they probably were drunk
18:01 < alex_vantWestern> I'll see if I can find some at my local beer reseller tommorrow
18:01 < Bushmills> no, they started to brew http://www.bov.ch/labels/Germany/ger-andechs-andechser-spezial-hell.jpg  when they were drunk
18:01 < alex_vantWestern> ok guys time to sleep for me
18:01 < krzee> gnite
18:01 < alex_vantWestern> thanks for your help :)
18:01 < krzee> once again, welcome to the real internet ;)
18:02 < alex_vantWestern> yes it's a real relief man..
18:02 < alex_vantWestern> it's been too long..
18:02 < alex_vantWestern> anyway, good night/day: )
18:02 < alex_vantWestern> see you
18:03 -!- alex_vantWestern [~AvtW@sd1351.sivit.org] has quit [Quit: alex_vantWestern]
18:03 < krzee> i hope australia riots when their gov attempts to put in a china-like firewall
18:05 < zoredache> one can always hope.    
18:08 < krzee> it wouldnt even effect me (since i know how to use openvpn rather well) and ild still join in the riot
18:08 < krzee> (if i lived there)
18:09 < zoredache> if their firewall is good, why wouldn't they just block openvpn.   Or more specifically block any traffic which isn't well known and in the clear?
18:09 < krzee> game of cat and mouse, eventually ild win
18:09 < krzee> they can only aim against the majority
18:12 < Bushmills> zoredache: tunnel traffic through a well known channel
18:13 < Bushmills> like, encode ip packets into words on web pages
18:13 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has quit [Quit: Leaving.]
18:14 -!- Perun_ [~perun@2001:6f8:1316:1234:216:3eff:fe07:3160] has quit [Ping timeout: 260 seconds]
18:15 < zoredache> anyway.  Can the windows installer be automated/scripted?  
18:15 < krzee> you can already tunnel over DNS/ICMP
18:15 < krzee> although tunneling IP over DNS comes with serious MTU issues
18:16 < krzee> !factoids search rollup
18:16 < vpnHelper> krzee: "win_rollup" is (#1) http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package-Rev1.1.html for a doc on HowTo Roll Your Own OpenVPN Windows Installation Package, or (#2) http://gentoo-wiki.com/HOWTO_OpenVPN_RoadWarrior#For_Installation_on_Windows_Client for a batch you can use to install certs in win client automagically
18:16 < krzee> you can automate script just about anything if you have the required skills
18:17 -!- havoc [~havoc@neptune.chaillet.net] has joined ##openvpn
18:20 -!- mudassar [~quassel@h85-8-0-70.static.se.alltele.net] has joined ##openvpn
18:20 -!- mudassar [~quassel@h85-8-0-70.static.se.alltele.net] has quit [Remote host closed the connection]
18:23 -!- Perun_ [~perun@2001:6f8:1316:1234:216:3eff:fe07:3160] has joined ##openvpn
18:34 -!- Perun_ [~perun@2001:6f8:1316:1234:216:3eff:fe07:3160] has quit [Ping timeout: 248 seconds]
18:34 < zoredache> krzee: yeah I had seen that.  But is there anything updated for 2.1.x?
18:36 < krzee> they dont release new versions with no reason :-p
18:37 < zoredache> I could almost accept that, except that the 2.0 version doesn't support the multiple connections using <connections>
18:37 < zoredache> krzee: I assumed that since it hadn't been updated since 2005 it was dead
18:38 < krzee> it seems to be for awhile there ;]
18:38 < krzee> seemed*
18:43 -!- Perun_ [~perun@2001:6f8:1316:1234:216:3eff:fe07:3160] has joined ##openvpn
18:55 < zoredache> seemed?  are you saying you think it isn't dead?
18:56 < krzee> it certainly is not
18:56 < krzee> 2.1.1 is very new actually
18:56 < krzee> there is more activity on the dev list than ever before
18:56 < zoredache> no, I mean the instructions on openvpn.se
18:56 < krzee> the devs and the community work together now, weekly IRC meetings
18:56 < krzee> ohhh
18:56 < zoredache> the howtos and customizeable packages
18:56 < krzee> quite possibly, i dont know
18:56 < krzee> i dont use windows
18:57 < krzee> but im sure if you have skills with the type of stuff they did, you can figure out what to do for newer versions
18:57 < krzee> but thats the best info i can send at ya
19:00 < zoredache> what it appears like they did is give binaries for all the files and inlude a nullsoft installer script to build that anyone can use to rebuild the package.  For me to redo what they did I believe I would have to recompile openvpn 2.1.1 on windows...
19:01 < zoredache> I probably could rease the source and figure it out, but I was hoping someone else had already done all the hard work...
19:03 < krzee> yes
19:03 < krzee> you would have to rebuild it
19:03 < zoredache> personally I think the howto on openvpn.se is so out of date you should soncider removing it from your factoid.
19:03 < krzee> *shrug*
19:03 < krzee> show me a newer better one and i may do that
19:04 < krzee> til then, its the best you're getting
19:04 < zoredache> krzee: krzee I suppose you don't know where there are any docs telling you what tools need to be installed to actually do a build on win32?
19:04 < krzee> so someone with the required skills and desire can see that and realize what they must do
19:04 < rob0> I have a better one.
19:04 < krzee> rob0, cool, kick down!
19:07 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
19:09 < zoredache> I don't suppose you know if there is an updated 'prebuild' file for 2.1.1?  As I am reading through the source I see a link to http://openvpn.net/prebuilt/ which seems to have most of what I would need
19:09 < vpnHelper> Title: Index of /prebuilt (at openvpn.net)
19:11 < rob0> HEY! I just realized that I have something useful to say.
19:11  * rob0 checks for fever
19:12 < krzee> i dont see one there, but worst case scenario i could mention it in the dev meeting on thursday
19:12 < rob0> krzee: the confgen script ... what do you use for VPN network addresses?
19:12 < krzee> the network can be entered by the user, the netmask i have set to make it /24
19:13 < krzee> personally, i use 10.8.X.0/24
19:13 < rob0> is there a default if they Just Hit Enter?
19:13 < zoredache> maybe there doesn't need to be one.  When I look at the changelog between 2.1.rc22 and 2.1.1 the corrected issues seem to be completely about stuff on Linux/Unix.   
19:13 < rob0> anyway, my suggestion is that it should be something relatively rare
19:13 < krzee> nope, although i MAY do that... genserver will default to 10.8.1.0/24 if not specified
19:13 < zoredache> a fix from an rpm spec, a fix for an issue with aut-pam, ansome doc fixes...
19:14 < krzee> rob0, hyper_ch is going to work on a html interface for genclient and genserver
19:14 < krzee> rob0, 10.8.1.0/24 is relatively rare
19:14 < rob0> That way if someone asks a question, the VPN IP addresses will indicate that they used your script.
19:14 < krzee> 10.8.0.0/24 is in the openvpn docs
19:14 < krzee> MY docs always use 10.8.1.0/24
19:15 < krzee> so when i see 10.8.1.0/24 i figure they either used my routing doc, my sample configs, (or now my confgen)
19:15 < rob0> I'm a one-ninety-two one-sixty-ater, personally.
19:15 < krzee> and i see that subnet in use a lot more often now a days ;)
19:15 < krzee> not me, i like 10.
19:15 < krzee> =]
19:16 < krzee> and i stay within 10.8. with ovpn
19:16 < krzee> as well as within 10.7 for random tunneling apps like iodine (for tunneling over DNS)
19:16 < rob0> iodine sounds cool, I'll mess with that sometime
19:17 < krzee> if you do, check out my script for doing it right / easy
19:17 < krzee> !google krzee iodine
19:17 < vpnHelper> krzee: TipsAndTricks – iodine: <http://dev.kryo.se/iodine/wiki/TipsAndTricks>; iodine: <http://dev.kryo.se/iodine>; brool » DNS Tunneling (on Mac OS X): <http://www.brool.com/?p=94>
19:17 < krzee> first link
19:17 < rob0> ty
19:17 < krzee> np
19:19 < krzee> oh and if you care if that works on solaris, let me know and ill see bout adding solaris to supported by NStun.sh
19:19 < krzee> i didnt have opensolaris when i first made that script
19:19 < krzee> now its in a VM so i dont mind adding it if anyone ever cares
19:19 < krzee> although im not sure if iodine even compiles there or not ;]
19:20 < krzee> i believe they DO have tun drivers cause i think openvpn runs on it
19:46 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
20:06 -!- sanderj_ [~sanderj@195.204.103.72] has joined ##openvpn
20:06 -!- sanderj [~sanderj@195.204.103.72] has quit [Ping timeout: 246 seconds]
20:08 -!- tjz [~pc@bb116-14-172-208.singnet.com.sg] has joined ##openvpn
20:08 -!- tjz [~pc@bb116-14-172-208.singnet.com.sg] has quit [Changing host]
20:08 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:37 -!- takamichi [~pri@78.133.92.164] has quit [Ping timeout: 264 seconds]
20:47 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:50 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
20:51 -!- PuppyNuts is now known as thecoil
20:51 -!- thecoil is now known as thepuppynuts
22:01 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
22:29 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
22:31 < theDoc> ecrist/krzee, either of you around?
22:37 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
22:38 -!- sanderj [~sanderj@195.204.103.72] has joined ##openvpn
22:39 < krzee> yupyup
22:39 -!- sanderj_ [~sanderj@195.204.103.72] has quit [Ping timeout: 240 seconds]
22:43 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Ping timeout: 276 seconds]
22:48 < theDoc> krzee> Got a second for a private msg? :)
22:49 < krzee> sure
22:49 < theDoc> Thanks.
22:58 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
23:07 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 276 seconds]
23:26 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
23:36 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
23:38 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
--- Day changed Tue Apr 27 2010
00:20 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
00:49 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 260 seconds]
01:06 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
01:06 -!- Sp4rKy [~Sp4rKy@freenode/sponsor/sp4rky] has quit [Quit: leaving]
01:23 -!- takamichi [~pri@78.133.92.164] has joined ##openvpn
01:59 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
02:03 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:04 -!- mode/##openvpn [+o mattock] by ChanServ
02:05 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
02:09 -!- LeRrA [~lerra@c-94-255-212-180.cust.bredband2.com] has quit [Ping timeout: 276 seconds]
02:40 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: Connection reset by peer]
02:40 -!- Kasx [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
02:40 -!- mode/##openvpn [+v Kasx] by ChanServ
02:47 -!- Diffen2 [~diffen2@mail.feab.se] has joined ##openvpn
02:56 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
03:03 -!- andriijas [~andreas@h-163-104.A155.priv.bahnhof.se] has joined ##openvpn
03:04 < andriijas> So when Im at work I connect to my openvpn at home, and choose to use my dns server at home. But for some domains I need to use the office dns server. How would I solve that if i dont want to use /etc/hosts ?
03:18 -!- Blu3 [~David@BlueLabs/Blu3] has quit [Ping timeout: 245 seconds]
03:20 < krzie> something like dnsmasq
03:20 < andriijas> on my local laptop?
03:21 < krzie> on a nameserver
03:21 < krzie> if your laptop can run dnsmasq, that would work
03:21 < andriijas> yeah
03:22 < andriijas> then i could add entries that should override the upstream dns, right?
03:23 < krzie> go check it out
03:23 < krzie> !google dnsmasq
03:23 < krzie> !dnsmask
03:23 < vpnHelper> krzie: Dnsmasq - a DNS forwarder for NAT firewalls.: <http://www.thekelleys.org.uk/dnsmasq/doc.html>; Index of /dnsmasq: <http://www.thekelleys.org.uk/dnsmasq/>; Dnsmasq - Wikipedia, the free encyclopedia: <http://en.wikipedia.org/wiki/Dnsmasq>
03:23 < vpnHelper> krzie: Error: "dnsmask" is not a valid command.
03:25 < krzie> !learn splitdns as see http://www.thekelleys.org.uk/dnsmasq/doc.html for dnsmasq, which will let you do split-dns setups
03:25 < vpnHelper> krzie: Joo got it.
03:26 -!- andriijas [~andreas@h-163-104.A155.priv.bahnhof.se] has left ##openvpn []
03:59 -!- lifeforms [~walter@tau.lfms.nl] has joined ##openvpn
04:01 < lifeforms> when I say "I'm thinking of running OpenVPN over TCP", am I in for a world of headaches?
04:02 -!- LeRrA [~lerra@c-94-255-219-216.cust.bredband2.com] has joined ##openvpn
04:02 < lifeforms> a customer has changed their firewall and the IT people are too incompetent to set up a stateful rule to allow my box over there to do an UDP openvpn any more
04:03 < krzie> not necessarily
04:03 < meepmeep> i'm using ovpn over tcp, it works great
04:03 < krzie> but if you find yourself with a headache, you know why :-p
04:03 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
04:04 < lifeforms> ok :)
04:04 < lifeforms> a little bit of overhead is not a big problem I think.. I don't anticipate lots of packet loss, and we are just doing query type request/response traffic every now/then
04:05 < lifeforms> I guess I'll hop in my car and move it over to VPN before I go on a murderous rampage
04:05 < lifeforms> to TCP*
04:21 -!- dazo_afk is now known as dazo
04:25 < krzie> !ask
04:25 < vpnHelper> krzie: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/, or (#3) http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help
04:33 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Ping timeout: 268 seconds]
04:37 -!- networkn [networkn@121.98.152.39] has joined ##openvpn
04:37 < networkn> !welcome
04:37 < vpnHelper> networkn: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:37 < networkn> !howto
04:37 < vpnHelper> networkn: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
04:37 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
04:39 < networkn> I have inherited a site with lots of openvpn site to site and client to server vpn's, and I am trying to get a grip on it, though I don't really know what I am looking at..
04:42 < networkn> How can I easily tell whether I am using static key?
04:44 < networkn> on one workstation it seems to me that on windows xp, it's showing a connection 10mbps to the destination, but I can't ping 192.160.20.1 (request timed out), is there a log file I can check to see why?
04:44 < networkn> the strange thing is, no-one changed anything that we are aware of but it has stopped working
04:51 < dazo> networkn: you're using static keys if you're seeing --static <file> in the config files ... if you see --ca, --key, --cert or --pkcs12, you're using SSL certificates
04:52 < dazo> networkn: for logging, you can use --log or --log--append ... and --verb sets the verbosity .... --verb 5 gives pretty much of the traffic passed over itself, while --verb 4 gives an indication of read/writing operations on the tun/tap device and to/from the remote side
04:52 < networkn> ok
04:53 < dazo> (--{key,cert,pkcs12,ca,etc} are command line arguments, in the config files, you'll just remove the double dashes - and its the same usage)
04:55 < dazo> networkn: the man page is also pretty neat to figure out what those different arguments does ... it's a pretty comprehensive document in that regards
05:01 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 264 seconds]
05:03 -!- Syniq [~heifer@pdpc/supporter/monthlygold/syniq] has joined ##openvpn
05:07 < krzie> !--
05:07 < vpnHelper> krzie: "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file.
05:07 < Syniq> Hi. I know nothing about setting up OpenVPN and the network admin here has decided to go on holiday for the last two weeks of the project I'm working on.  I have this config: http://www.pastie.org/936986, and the p12 and ta.key files are both in /etc/openvpn/ along with the config file, which is called rock-client.conf. Why is it not working? :(
05:07 < Syniq> I have everything except tun0 listed in ip addr
05:07 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:08 < krzie> what isnt working first of all
05:08 < Syniq> 11:07 < Syniq> I have everything except tun0 listed in ip addr
05:09 < Syniq> openvpn process is running, but it's not actually creating the tunnel.
05:09 < krzie> ifconfig tun0
05:09 < Syniq> Unsurprisingly returns tun0: error fetching interface information: Device not found.
05:10 < krzie> load the tun module
05:10 < krzie> or compile it into your kernel
05:10 < krzie> and look at openvpn logs
05:10 < Syniq> root@portaldev ~ $ modprobe tun
05:10 < Syniq> FATAL: Module tun not found.
05:10 < krzie> compile the tun module then
05:10 < Syniq> Where are the openvpn logs?  I can't see them in /var/log/
05:11 < krzie> wherever you told them to be
05:11 < krzie> --log
05:11 < krzie> !man
05:11 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
05:12 < Syniq> Yes, I kind of assumed that it would have a default log file.  Silly me for assuming some semblance of standards is followed in Linux-based software.
05:13 < krzie> or if you use --daemon to send it to the background it goes to syslog
05:13 < krzie> because if you dont, it outputs to STDOUT
05:13 < krzie> :-p
05:15 < krzie> silly of me to think you checked the manpage
05:15 < dazo> lol ... touché!
05:16 < krzie> couldnt resist ;]
05:16 < Syniq> Yes, and it's hardly unreasonable to assume it also gets locked on the filesystem as well.
05:16 < Syniq> But it turns out /etc/init.d/openvpn start shoves it into syslog.
05:16 < Syniq> *logged, not locked
05:17 < krzie> if it goes to syslog it gets its own file if your syslog config says so
05:18 < krzie> this is all specific to the packaging you pick it up in
05:18 < krzie> for example, the freebsd port maintainer could choose to edit your syslog when you install (maybe optionally via make config) to have your own log file
05:19 < krzie> or for you, whatever linux package you used
05:20 < Syniq> apt-get install openvpn apparently doesn't include the tun module. :/
05:20 < krzie> networkn, check this out
05:20 < krzie> !route
05:20 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
05:20 < krzie> nah thats something you need to do in your kernel
05:20 < krzie> its not something from apt-get
05:21 < krzie> it comes with your OS, you just need to compile it in your OS's method
05:21 < Syniq> Debian doesn't have a compiling method. :p  It gets shirty if you even start typing apt-get install gcc
05:22 < krzie> !google debian tun install
05:22 < vpnHelper> krzie: QEMU - Debian - Linux - TUN/TAP - network bridge: <http://compsoc.dur.ac.uk/~djw/qemu.html>; VirtualBox - Debian Wiki: <http://wiki.debian.org/VirtualBox>; Installing Windows XP under Debian with QEMU - Debian Manual: <http://www.crazysquirrel.com/computing/debian/applications/xp-under-debian-with-qemu.jspx>
05:22 < krzie> !google debian tun kernel
05:22 < vpnHelper> krzie: QEMU - Debian - Linux - TUN/TAP - network bridge: <http://compsoc.dur.ac.uk/~djw/qemu.html>; Debian Lenny Tun/Tap Bridge Setup: <http://www.shakthimaan.com/installs/debian-tun-tap-setup.html>; #338549 - TUN/TAP networking not working in *this* basilisk2 ...: <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=338549>
05:23 < Syniq> Already done that.
05:23 < krzie> Basics
05:23 < krzie> First off you need to configure a network bridge. Which requires the bridge-utils package. For the TUN/TAP you need to check your kernel config file for CONFIG_TUN=m or CONFIG_TUN=y. 
05:23 < krzie> # grep CONFIG_TUN= /boot/config-`uname -r`
05:23 < krzie> Also you need to make sure /dev/net/tun exists. To make it: 
05:23 < krzie> # mknod /dev/net/tun c 10 200
05:23 < krzie> you did THAT?
05:23 < krzie> (from hit #1 on both googles)
05:24 < Syniq> Aha, second link has it.
05:24 < Syniq> I was searching debian openvpn tun module install
05:24 < Syniq> Argh, nope
05:25 < krzie> ok well thats a linux question
05:25 < krzie> when you figure out your kernel and get tun loaded, we'll be here
05:26 < Syniq> I installed bridge-utils, and it's not in there.
05:26 < krzie> bridge-utils!?
05:26 < krzie> did you try what i just pasted?
05:26 < Syniq> Shall I go away and come back and start again?
05:27 < krzie> grep CONFIG_TUN= /boot/config-`uname -r`
05:27 < krzie> whats the output
05:27 < krzie> honestly tho, you'll get better linux specific help in a linux channel
05:27 < krzie> tun doesnt come with openvpn, it comes with linux
05:27  * Syniq bangs his head against a wall.
05:27 < krzie> in osx you need it separate, in windows it comes with openvpn
05:27 < Syniq> root@portaldev ~ $ grep CONFIG_TUN= /boot/config-`uname -r`
05:27 < Syniq> grep: /boot/config-2.6.18.8-linode22: No such file or directory
05:27 < krzie> in freebsd it comes with the OS as well
05:28 < Syniq> I hate Xen.
05:28 < krzie> omg
05:28 < Syniq> Hate it dead with fire.
05:28 < krzie> dude
05:28 < krzie> why didnt you mention being inside xen
05:28 < Syniq> Why is it working on the other one?
05:28 < krzie> go load tun on the XEN controller
05:28 < Syniq> Because I klnew the reaction would be hissing rollowed by dousal with holy water. :p
05:28 < Syniq> I don't have access to it.
05:28 < krzie> well you're done then
05:29 < dazo> krzie: mknod should really not be needed if you're running a 2.6 kernel ... udev takes care of automatically creating device nodes automatically
05:30 < Syniq> Xen is one of those great ideas which, like Communism and eugenics, end up being fscking retarded in practice.
05:31 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
05:31 < krzie> but he has no tun module
05:31 < Syniq> krzie: I'm working on that.  If I have to go to London myself and budgeon the hosts to death, it'll get one. >:(
05:32 < krzie> http://lists.xensource.com/archives/html/xen-users/2007-02/msg00493.html
05:32 < krzie> KERNEL=="tun",                          NAME="net/%k",MODE=0666
05:32 < vpnHelper> Title: Re: [Xen-users] No /dev/net/tun in dom0 - Xen Source (at lists.xensource.com)
05:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
05:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:34 < krzie> but ya
05:34 < krzie> !notovpn
05:34 < vpnHelper> krzie: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
05:37 < Syniq> OK, dmesg | grep tun: tun: Universal TUN/TAP device driver, 1.6
05:37 < Syniq> So, apparently, it's already loaded.
05:37 < dazo> Syniq: you should really be careful with your characteristics and comparisons ... And even though I'm not a Xen fan (I'm using KVM mostly) ... I don't see how Xen and Communism can ever be compared ... I'm born and grown up in a democratic country, and moved a couple of years ago to a former communistic country .... And I struggle to see your point
05:38 < Syniq> dazo: Not really.  They're all great ideas in theory that ended up not being great ideas in practice. :p  Anyway, it was a throwaway comment.
05:39 < Syniq> Ah, I give up.
05:39 -!- newzen [~newzen@200.8.56.168] has joined ##openvpn
05:39 < Syniq> Can fix it tomorrow.
05:39 < dazo> Syniq: well, you might offend people ... IRC is a multi-cultural arena ... throwaway characteristics are still not always appropriate, unless there are some real points to it
05:41 < Syniq> o/
05:41 -!- Syniq [~heifer@pdpc/supporter/monthlygold/syniq] has left ##openvpn []
05:41 -!- newzen [~newzen@200.8.56.168] has left ##openvpn []
05:42 < krzie> that would have been answered hella fast in #debian
05:56 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
06:00 < networkn> krzie: was route actually intended for me>
06:00 < krzie> yup
06:00 < networkn> I found my way to some good things.
06:00 < krzie> you may find it helpful to understand what you may have on your hands
06:01 < networkn> I think in he first instance I will take all the config files and create a map of these 13 sites and what and where they are connecting to
06:01 < networkn> the vpn was broken because someone had removed the dns record for the destination server
06:02 < krzie> heh
06:03 < networkn> looks like they are using key systems not static
06:04 < networkn> wondering how I can test my own on a virtual network
06:12 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
06:36 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
06:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
07:09 -!- DarthGandalf is now known as DarthGandalf|BNC
07:11 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Read error: Operation timed out]
07:18 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
07:25 -!- qfr [void@unaffiliated/yw] has joined ##openvpn
07:26 < qfr> Trying to create a simple point to point tunnel with one remote server and one client: http://siyobik.info/index.php?module=pastebin&id=424
07:26 < qfr> Can't ping the remote 10.0.0.* on either of those boxes - only the local ones
07:27 < qfr> I just realised those masks on the tun are wrong, right?
07:27 < qfr> Should be 255.255.255.0, for example?
07:28 < qfr> ifconfig tun0 netmask 255.255.255.0 hmm
07:28 < qfr> Still doesn't work
07:30 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
07:33 < qfr> root@voidandfire:/etc/openvpn# lsmod | grep tun
07:33 < qfr> Opening /proc/modules: No such file or directory
07:33 < qfr> Uhhhh
07:34 < qfr> FATAL: Could not load /lib/modules/2.6.32.2-xxxx-std-ipv4-64/modules.dep: No such file or directory :(
07:34 < Bushmills> you try to use same subnet for both openvpn and your lan?
07:34 < qfr> Huh? No?
07:34 < qfr> They're totally different
07:35 < qfr> LAN is 192.168.*.*
07:35 < qfr> OpenVPN is 10.0.0.*
07:35 < qfr> LAN is 192.168.0.*, rather
07:35 < Bushmills> ah. "Can't ping the remote 10.0.0.* on either of those boxes - only the local ones" suggested that you did
07:35 < qfr> I mean, perelman can ping 10.0.0.2
07:35 < qfr> And voidandfire can ping 10.0.0.1
07:35 < qfr> Apparently the problem is that there's no tun kernel module on the Debian box :|
07:35 < qfr> Could it be... a part of the kernel config?
07:36 < Bushmills> kernel compiled yourself?
07:36 < qfr> I mean if there is a tun device it already has to be working, right?
07:36 < qfr> Nope, it's an OVH kernel
07:36 < qfr> netboot
07:36 < Bushmills> then there is tun support
07:36 < qfr> Nice
07:36 < qfr> I guess I might need to fix the netmask inside the openvpnf.conf's though
07:37 < qfr> dmesg doesn't provide anything pertaining to OpenVPN/tun on voidandfire hmm
07:37 < Bushmills> modprobe -l|grep tun.ko
07:37 < qfr> FATAL: Could not load /lib/modules/2.6.32.2-xxxx-std-ipv4-64/modules.dep: No such file or directory
07:38 < Bushmills> depmod -a
07:38 < Bushmills> you use a kernel for which you have no modules, it seems.
07:38 < qfr> WARNING: Couldn't open directory /lib/modules/2.6.32.2-xxxx-std-ipv4-64: No such file or directory
07:38 < qfr> FATAL: Could not open /lib/modules/2.6.32.2-xxxx-std-ipv4-64/modules.dep.temp for writing: No such file or directory
07:38 < qfr> Yes
07:38 < Bushmills> booted from alternative media?
07:38 < qfr> It's from netboot because the box previously failed to boot from its HD
07:38 < Bushmills> that's the reason
07:38 < qfr> Anyways does it matter? obviously it already works
07:38 < qfr> The device is up
07:38 < qfr> And I can ping the local tun IP
07:38 < Bushmills> well, you see. there are no modules for that kernel
07:39 < qfr> PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
07:39 < qfr> 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.080 ms
07:39 < qfr> What's the problem? You don't need a module if you already have it <*> instead of <m>
07:39 < Bushmills> (14:33:55) qfr: root@voidandfire:/etc/openvpn# lsmod | grep tun
07:39 < Bushmills> (14:33:56) qfr: Opening /proc/modules: No such file or directory
07:39 < qfr> In make menuconfig
07:39 < qfr> Or .config
07:40 < Bushmills> according the command you executed, tun is not loaded
07:40 < Bushmills> and according modprobe, there is no tun module
07:40 < qfr> Bushmills you do realise that you don't need a module, right?
07:40 < qfr> if it's part of the kernel
07:40 < qfr> You have two options
07:40 < qfr> 1. make it part of the kernel bzImage
07:40 < qfr> 2. compile and load it as a module
07:41 < qfr> In this case it appears to be part of the Linux bzImage
07:41 < qfr> No?
07:41 < Bushmills> if it is compiled into kernel, why you bother with lsmod command and set me on the wrong foot?
07:41 < qfr> Because I didn't know it was :O I was puzzled at first
07:42 < Bushmills> ifconfig tun0
07:42 < qfr> I already posted the ifconfig output
07:42 < qfr> See http://siyobik.info/index.php?module=pastebin&id=424
07:42 < qfr> On all boxes involved
07:42 < qfr> It still says 255.255.255.255 there though, which should be wrong, right?
07:42 < Bushmills> i wasn't here then. your tun0 is up.
07:43 < qfr> I changed that to 255.255.255.0
07:44 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
07:44 < qfr> The static.key is identical on both the server and the client
07:45 < qfr> root@voidandfire:/etc/openvpn# md5sum < static.key
07:45 < qfr> afbba9346c8c4032e5ebc0db4fea6256  -
07:46 < qfr> [root@perelman openvpn]# md5sum < static.key
07:46 < qfr> afbba9346c8c4032e5ebc0db4fea6256  -
07:46 < Bushmills> what are "remote boxes" when you talk about "one client"?
07:47 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
07:48 < qfr> Bushmills: voidandfire is in another country, I want to use its eth0 ipv4 addr as my outgoing IP for torrenting stuff I do at home
07:48 < qfr> perelman is an Arch Linux VM
07:48 < qfr> voidandfire is the OpenVPN server
07:48 < qfr> perelman is the OpenVPN client
07:48 < qfr> voidandfire is 10.0.0.1
07:48 < Bushmills> !redirect
07:48 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
07:48 < qfr> perelman is the 10.0.0.2
07:49 < qfr> !def1
07:49 < vpnHelper> qfr: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
07:49 < qfr> !ipforward
07:49 < vpnHelper> qfr: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
07:49 < qfr> !linipforward
07:49 < vpnHelper> qfr: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
07:50 < qfr> !nat
07:50 < vpnHelper> qfr: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
07:50 < qfr> !linnat
07:50 < vpnHelper> qfr: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
07:53 < qfr> Bushmills the pinging can't work until all these are configured?
07:53 < qfr> Because IIRC at least pinging worked for me before I had ever set up anything like this, in the past
07:54 < Bushmills> you can ping server, but not beyond that
07:54 < qfr> Well I can't even do that
07:54 < qfr> So anything beyond that won't work either
07:54 < Bushmills> then you need to fix that first
07:54 < qfr> Yeah, so what do I check? What logs/messages etc?
07:54 < Bushmills> !firewall
07:54 < vpnHelper> Bushmills: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
07:54 < qfr> The TCP port on the server is definitely open
07:55 < qfr> I can telnet to it and it spits out a garbled encrypted hello message
07:55 < Bushmills> you can telnet, but not ping?
07:55 < qfr> Yep
07:55 < qfr> Wait no
07:55 < Bushmills> not a vpn problem
07:55 < qfr> I mean telnet on the regular eth0
07:55 < Bushmills> !firewall
07:55 < vpnHelper> Bushmills: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
07:56 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
07:56 < qfr> perelman is behind a router but voidandfire isn't
07:56 < qfr> voidandfire is the server
07:57 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Ping timeout: 268 seconds]
07:57 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
07:58 < qfr> The Arch box has no pfctl
07:58 < qfr> iptables-save/restore are Debian specific stuff, no?
08:00 < qfr> Bushmills it doesn't even have iptables, haha
08:00 < Bushmills> then you'll be out of luck with NAT
08:01 < krzie> hey Bushmills 
08:01 < qfr> Didn't you say I should be able to ping 10.0.0.1 on perelman right now?
08:01 < krzie> !linnat
08:01 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
08:01 < krzie> with that, how can i specify netmask instead of CIDR
08:01 < krzie> for -s
08:01 < krzie> (if you know offhand)
08:01 < qfr> Do you have a non-CIDR compatible netmask? :O
08:02 < qfr> Like 255.255.0.255?
08:02 < krzie> nope
08:02 < krzie> but my user will enter a netmask, and ild like to not need to script converting it
08:02 < qfr> Ok
08:03 < krzie> qfr, your other option besides NAT is this
08:03 < Bushmills> morning krzie
08:03 < krzie> !factoids search app
08:03 < vpnHelper> krzie: "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
08:03 < qfr> Do I need NAT to ping...? I thought Bushmills previously said no
08:03 < krzie> not to ping across the VPN, just to ping the internet through the VPN
08:03 < Bushmills> for pinging server, not needed
08:03 < krzie> moin moin Bushmills 
08:04 < Bushmills> for pinging internet hosts, yes
08:04 < qfr> Well all the redirect/NAT stuff appears to be irrelevant right now because perelman can't ping 10.0.0.1
08:04 < Bushmills> for pinging a subnet of yours behind server, not needed
08:04 < krzie> qfr, 
08:04 < krzie> !configs
08:04 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
08:04 < Bushmills> (but extra action required)
08:04 < qfr> They're in the same OpenVPN subnet
08:04 < qfr> krzie I already did, sec
08:04 < krzie> o lemme scroll
08:04 < qfr> <qfr> Trying to create a simple point to point tunnel with one remote server and one client: http://siyobik.info/index.php?module=pastebin&id=424
08:04 < qfr> It was the first thing I said, of course :P
08:05 < qfr> static.key md5sums also match
08:05 < qfr> I think the netmask on the tun0s is wrong though
08:05 < qfr> 255.255.255.255 can't work, can it?
08:05 < qfr> I set it to 255.255.255.0 but still no go
08:06 < qfr> proto tcp-server <- uh
08:06 < krzie> does openvpn log show they are connected?
08:06 < qfr> Where is that log?
08:06 < krzie> !log
08:06 < vpnHelper> krzie: An error has occurred and has been logged. Please contact this bot's administrator for more information.
08:06 < Bushmills> why is client 10.0.0.2?
08:06 < krzie> its ptp
08:06 < krzie> netmask is right for that reason as well
08:07 < krzie> qfr, use --log
08:07 < qfr> I just used /etc/rc.d/openvpn start
08:07 < krzie> log /path/to/logfile
08:07 < krzie> then it may be in syslog
08:07 < qfr> Hmm /usr/sbin/openvpn --daemon --writepid "${STATEDIR}"/"$(basename "${cfg}" .conf)".pid --cd "${CFGDIR}" --config "${cfg}" || success=$?
08:08 < qfr> I could modify the script I guess
08:08 < Bushmills> ptp address of client is 10.0.0.1, but  tun0 address is 10.0.0.2
08:08 < qfr> To /var/log/openvpn.conf or whatever
08:08 < Bushmills> seems strange
08:08 < krzie> --daemon means it is in syslog
08:08 < Bushmills> what topology has been set in config?
08:08 < qfr> Bushmills: Huh? The paste says inet addr:10.0.0.2  P-t-P:10.0.0.1  Mask:255.255.255.255
08:09 < qfr> I posted the configs, see paste
08:09 < krzie> its right Bushmills 
08:09 < qfr> krzie: Is proto tcp-server even right?
08:09 < krzie> thats how ptp configs should look
08:09 < qfr> For the client, too?
08:09 < krzie> qfr, 
08:09 < krzie> !tcp
08:09 < vpnHelper> krzie: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
08:09 < krzie> and no
08:10 < qfr> "proto tcp" on the client and "proto tcp-server" on the server?
08:10 < krzie> if you WERE going to use tcp-server, the config with remote should have tcp-client
08:10 < qfr> Ahhhh
08:10 < Bushmills> krzie: depending on topology, 10.0.0.2 would be too low for client
08:10 < qfr> Now that is one major error
08:10 < krzie> or both with proto tcp
08:10 < krzie> Bushmills, topology ptp
08:10 < qfr> Bushmills have you read the config?
08:10 < qfr> http://siyobik.info/index.php?module=pastebin&id=424
08:10 < Bushmills> no
08:10 < krzie> its ifconfig 10.0.0.2 10.0.0.1 style
08:11 < qfr> That fixed it \o/ it works
08:11 < qfr> Cheers krzie
08:11 < qfr> 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=32.4 ms
08:11 < krzie> you still dont want tcp
08:11 < krzie> !
08:11 < qfr> krzie: My mate told me it's much faster for torrenting
08:11 < qfr> Hmmm
08:11 < krzie> hes wrong
08:11 < krzie> read this
08:11 < krzie> !tcp
08:11 < vpnHelper> krzie: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
08:12 < krzie> link #1 from openvpn manual under --proto
08:13 < qfr> <upb> don't use udp <upb> why would you use udp for TLS ?! <upb> iirc openvpn works over tls 
08:13 < krzie> [09:11]  <krzie> hes wrong
08:13 < krzie> [09:11]  <krzie> read this
08:13 < krzie> [09:11]  <krzie> !tcp
08:14 < krzie> you trust your friend or the openvpn manual and the guy who MADE openvpn
08:14 < Bushmills> "why would you want to tunnel tcp through a tcp tunnel?"
08:14 < qfr> krzie: I switched ot UDP
08:14 < krzie> right, Bushmills is asking that valid question
08:15 < krzie> qfr, understand why tho, read the first link
08:15 < krzie> so when your friend says that you can school him with your new-found knowledge!
08:15 < qfr> krzie I think I already get it
08:15 < qfr> Because you'd have the mechanisms of TCP on two layers instead of just one on top of UDP?
08:16 < Bushmills> good answer
08:16 < krzie> yes, and that has horrible side effects
08:16 < krzie> sometimes
08:17 < krzie> whereas with UDP as outter layer, you still have the benefits of TCP on the inside of the tunnel
08:17 < krzie> (assuming you use TCP inside it)
08:17 < qfr> Yeah I will
08:17 < krzie> i actually tunneled OpenVPN over OpenVPN with udp, and tested with iperf, and had surprisingly good results
08:19 < qfr> Haha
08:19 -!- dekroning [~dekroning@cp434307-b.dbsch1.nb.home.nl] has joined ##openvpn
08:19 < dekroning> hi
08:20 < dekroning> in my daemon.log i see that my connection is established, however i don't see a "tun" interface
08:20 < qfr> !man
08:20 < vpnHelper> qfr: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
08:20 < qfr> (that was not for you)
08:20 < dekroning> phew :-)
08:21 < qfr> I'm just looking up --redirect-gateway
08:23 < dekroning> really strange, because i tested my config, and it worked, the only thing i've changed now is, redirect the tunnel via a http proxy
08:27 < qfr> Bushmills: I presume --redirect-gateway corresponds to a simple "redirect-gateway" in the openvpn.conf?
08:27 < Bushmills> correct
08:27 < krzie> !def1
08:27 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
08:27 < qfr> krzie: Yeah I am reading that atm
08:27 < qfr> In the man page
08:27 < Bushmills> (in client config)
08:27 < krzie> you likely want def1
08:27 < qfr> Yeah
08:28 < qfr> krzie oh is that less work?
08:28 < krzie> if you disconnect you will still have access to the internet
08:28 < Bushmills> def1 is useful when you tun off vpn again
08:28 < Bushmills> turn
08:28 < krzie> without def1 you lose your orig default route
08:28 < qfr> It must never attempt to use the regular non-VPN access
08:28 < qfr> Nothing must be leaked
08:29 < krzie> ok
08:29 < qfr> Then I want redirect-gateway?
08:29 < Bushmills> matter of setting client firewall
08:29 < krzie> then go ahead and dont use def1
08:29 < krzie> then your only route to the internet will be the vpn once you have connected once
08:29 < krzie> even if openvpn somehow dies
08:29  * rob0 leaked, oops!
08:30 < Bushmills> consider that traffic to vpn server will be routed over a "leaky"  connection, unless you explicitely specify server openvpn address 
08:30 < krzie> true
08:30 < krzie> and that can not be changed
08:31  * rob0 goes to change
08:31 < Bushmills> i think it can, but haven't tried it.
08:31 < krzie> nah it cant, it needs that to have the vpn
08:31 < krzie> chicken v egg
08:31 -!- networkn [networkn@121.98.152.39] has quit [Ping timeout: 252 seconds]
08:31 < Bushmills> block all non-vpn traffic to server, and reroute other traffic to vpn
08:31 < rob0> mmmm breakfast
08:31 < Bushmills> by firewall
08:32 < krzie> but services may not be on vpn_ip
08:32 < krzie> in which case, they are now unreachable
08:32 < Bushmills> in which case you don't want them
08:32 < krzie> thats true tho
08:32 < Bushmills> (as they require "leaky router/server)
08:32 < krzie> you have a strong point =]
08:33 < Bushmills> i have been hiding my traffic from misc providers for a while :D
08:33 < Bushmills> includes blocking any non-vpn traffic 
08:33 < rob0> You can combine port 53 TCP/UDP redirection with --redirect-gateway, to force DNS through the VPN.
08:33 < krzie> i tunnel by using socks
08:33 < rob0> unless the pre-VPN DNS was on a physical link
08:34 < krzie> over the vpn
08:34 < krzie> so i can choose what to tunnel and what not to
08:34 < qfr> DNS leaking is actually no problem in this case
08:35 < Bushmills> both recursing local dns, using default route through vpn,  as well as   local upstream recursor, using recursive dns on vpn server, or outside, work 
08:35 < qfr> http://siyobik.info/index.php?module=pastebin&id=425 <- this is my current route, I'm a noob at this, I have no idea how to modify it according to the manual :[ what should it look like in the end? Everything is supposed to go through 10.0.0.1 ultimately, perelman's tun0 IP is 10.0.0.2 and the IP of the router perelman is behind is 192.168.0.1 (niflheim)
08:35 < Bushmills> my wlan router uses upstream name server thorugh dns on vpn server.
08:36 < Bushmills> through vpn on vpn server, i mean
08:36 < qfr> I am attempting the redirect-gateway one
08:36 < Bushmills> result is that network clients don't need to bother
08:36 < qfr> But niflheim still needs to appear in the route, right?
08:37 < qfr> perelman -> niflheim -> voidandfire
08:41 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
08:44 < Jww> hello guys.
08:46 -!- dekroning [~dekroning@cp434307-b.dbsch1.nb.home.nl] has left ##openvpn []
08:46 -!- eradiate_ [~eradiate@pool-173-73-104-50.washdc.fios.verizon.net] has joined ##openvpn
08:46 -!- eradiate [~eradiate@pool-173-73-104-50.washdc.fios.verizon.net] has quit [Ping timeout: 264 seconds]
08:53 < qfr> Urgh I have no idea how to set up the routing table for this
08:56 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
08:56 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Quit: Leaving]
08:57 < qfr> Oh, it's ush "redirect-gateway"
08:57 < qfr> push*
09:02 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:04 -!- annih [~chatzilla@dslb-188-103-238-021.pools.arcor-ip.net] has joined ##openvpn
09:05 < annih> hello - can anyone tell me, if there is a possibility to configure the windows interface metric property by ovpn config file?
09:05 < annih> (i'm not talking about the route metrics)
09:05 < annih> (which i do not understand, too)
09:07 < annih> cos i noticed that it works much better if i disable "automatic metric" in interface properties and set it to 1 or a higher value
09:09 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
09:19 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 258 seconds]
09:19 -!- magic_1 [~magic@41.123.170.189] has joined ##openvpn
09:19 -!- magic_1 [~magic@41.123.170.189] has quit [Changing host]
09:19 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
09:31 -!- Jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Read error: Connection reset by peer]
09:32 -!- Jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
09:37 < Fiouz> annih: not tested but you could do that in a --route-up script: http://gallery.technet.microsoft.com/ScriptCenter/en-us/73367c75-7a39-44dc-a8d7-eb2359030969
09:37 < vpnHelper> Title: Modify the IP Connection Metric for a Network Adapter (at gallery.technet.microsoft.com)
09:40 -!- zer0 [~zer0@ip26.208-100-1.static.steadfast.net] has joined ##openvpn
09:41 -!- zer0 is now known as Guest6591
09:41 < annih> nice idea, too bad it wont work with 7
09:42 -!- Jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Read error: Operation timed out]
09:45 -!- Jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
09:45 < qfr> http://siyobik.info/index.php?module=pastebin&id=426 <- does this routing table make any sense? 10.0.0.1 is the VPN address of the OpenVPN server, 91.* is its actual internet IP, 192.168.0.1 is my local router, 10.0.0.2 is the VPN address of the local Arch Linux installation. I want to forward everything through the OpenVPN
09:45 < qfr> Using push "redirect-gateway" in the local openvpn.conf
09:56 < Fiouz> "local" = client?
09:58 < qfr> Fiouz yes
09:59 < qfr> In the client openvpn.conf of the Arch box (perelman)
09:59 < qfr> IPv4 forwarding is sysctl'ed to 1 on the server, too
09:59 < qfr> Just no iptables rules set up yet
09:59 < qfr> Because I know even less about that than the proper routes
09:59 < Fiouz> just put redirect-gateway then, not push "redirect-gateway" in client configuration
09:59 < qfr> Oh, ok
10:00 < qfr> Fiouz: push means the server distributes the command to all clients?
10:00 < Fiouz> yep that's it
10:00 < qfr> The stuff is then received with "pull" in client configs? I see
10:00 < qfr> redirect-gateway def1 or redirect-gateway?
10:00 < qfr> Some site suggested redirect-gateway def1 hmm
10:01 < Fiouz> redirect-gateway def1 is safer as it doesn't overwrite existing default route
10:01 < qfr> But I don't think I wanted def1 according to what some said here
10:01 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
10:01 < qfr> It added a 128.0.0.0       10.0.0.1        128.0.0.0       UG    0      0        0 tun0 rule
10:01 < qfr> Curious
10:02 < Fiouz> actually it adds 2 "giant" network 0.0.0.0/1 and 128.0.0.0/1
10:03 < qfr> I don't see anything with /1
10:03 < qfr> In route -n
10:03 < Fiouz> making them the default rules, and "disabling" default route
10:03 < Fiouz> /1 is 128.0.0.0 netmask
10:03 < qfr> http://siyobik.info/index.php?module=pastebin&id=426
10:04 < qfr> Oh right
10:04 < qfr> Does that route make any sense now or do I need to get rid of some of those?
10:04 < qfr> The next step would be setting up iptables? But on which box? client? server? Both?
10:05 < qfr> !linnat
10:05 < vpnHelper> qfr: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
10:05 < qfr> That's... for the server?
10:05 < Fiouz> yes
10:06 < qfr> When I do stuff on the client it still simply uses its regular outgoing IP though ;[
10:06 < Fiouz> all client trafics should be forwarded to your vpn according to your routing table, unless the destination is 91.121.18.93
10:06 < qfr> So the route must be invalid
10:07 < Fiouz> how do you test?
10:07 < qfr> links whatismyip.com haha
10:08 < Fiouz> try a traceroute to make sure
10:09 < Bushmills> http://scarydevilmonastery.net/myip.cgi  should give you a clue too
10:10 < qfr> Fiouz: Tons of * * * 
10:10 < qfr> Bushmills trying to get my IP, eh!
10:10  * qfr does not fall for it
10:12 < Bushmills> as if i would be interested in your precious ip :P
10:12 < qfr> Argh, I gotta go now, everything that is said until I am on my notebook at my destination will not be repeated by znc ;[
10:14 < Bushmills> hope you proxied the misc URL from the bot, or somebody could look you address up there ...
10:20 -!- Guest6591 [~zer0@ip26.208-100-1.static.steadfast.net] has quit [Quit: Guest6591]
10:30 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 258 seconds]
10:33 < qfr> I have arrived
10:33 < qfr> Anyways, shouldn't the route be broken then?
10:34 < qfr> If it still uses the regular IP?
10:37 -!- magic_1 [~magic@196.30.46.202] has joined ##openvpn
10:42 -!- Diffen2 [~diffen2@mail.feab.se] has quit [Quit: This computer has gone to sleep]
10:45 -!- magic_1 [~magic@196.30.46.202] has quit [Changing host]
10:45 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
10:49 < qfr> When I go links blah.com - does it attempt to use eth0 first?
10:50 < qfr> So it would first use the following routing rule in the stuff I posted: 0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0 ?
10:51 < qfr> Or is the device irrelevant? I have no idea how this works
10:51 < qfr> I suspect only the address matters
10:53 < Fiouz> try removing def1, see if that helps
10:58 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 276 seconds]
11:00 -!- WormFood [~wormfood@121.34.202.131] has quit [Read error: Connection reset by peer]
11:01 < qfr> Fiouz I am not using that
11:01 < qfr> Also, I screwed up the ssh access somehow and I am not at home right now ;[
11:01 < qfr> Oh wait, I think my current local provider simply blocks ports 1 - 8 haha
11:02 < qfr> Having two 0.0.0.0 destinations makes no sense in route -n, does it?
11:02 < qfr> Only the first one will be used, the other one is irrelevant?
11:02 < Fiouz> are the netmask identical?
11:03 < qfr> Oh, nope
11:03 < qfr> 128.0.0.0 vs 0.0.0.0
11:04 < qfr> I am referring to http://siyobik.info/index.php?module=pastebin&id=426
11:04 < Fiouz> def1 option would do such routing
11:05 < Fiouz> !def1
11:05 < vpnHelper> Fiouz: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
11:05 < qfr> Oh yeah it's in there still, you're right
11:07 < qfr> http://siyobik.info/index.php?module=pastebin&id=427
11:07 < qfr> Ok I can no longer ping 8.8.8.8 etc on the box now
11:08 < qfr> So I guess it attempts to use the VPN box which has no iptables for this yet
11:08 < qfr> Time to set up the iptables
11:08 < qfr> On the OpenVPN server
11:08 < qfr> !linnat
11:08 < vpnHelper> qfr: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
11:12 < qfr> Hmm still doesn't work
11:12 < qfr> -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
11:12 < qfr> In *nat hmm
11:14 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
11:15 < qfr> http://siyobik.info/index.php?module=pastebin&id=428 this is the output
11:15 < qfr> And yes, I do have IPv4 forwarding activated on the OpenVPN server
11:16 < qfr> Wtf it says 0 when I cat cat /proc/sys/net/ipv4/ip_forward
11:16 < qfr> :(
11:16 < qfr> Oh that was the wrong box
11:17 < qfr> I have so many ssh prompts open I get confused myself sometimes
11:17 < qfr> I only need that on the server, not on the client, right?
11:18 -!- WormFood [~wormfood@58.61.134.222] has joined ##openvpn
11:18 < qfr> root@voidandfire:~# echo -n 1>/proc/sys/net/ipv4/ip_forward
11:18 < qfr> root@voidandfire:~# cat /proc/sys/net/ipv4/ip_forward
11:18 < qfr> 0
11:18 < qfr> Oh boy.
11:18 < qfr> Does that mean this kernel does not support it? :|
11:18 < qfr> I might just wipe that box and install Arch from scratch or something, I am rather dissatisfied with the outdated binaries on Debian
11:19 < rob0> why -n? Why not just echo 1 > ...
11:19 < qfr> rob0 invalid argument
11:19 < qfr> Due to trailing newline
11:19 < qfr> It does check for that
11:19 < qfr> How can I check if my kernel even supports IP forwarding? Hmm
11:19 < rob0> hmm,strange, I just do echo 1 > /proc/sys/net/ipv4/ip_forward
11:19 < qfr> :[
11:19 < rob0> if it's a stock distro kernel, it supports forwarding
11:19 < qfr> May have to wipe this whole thing then
11:19 < qfr> It's not
11:20 < qfr> It's an OVH netboot kernel, I might have to replace it
11:20 < qfr> No idea how to check its configuraton
11:20 < qfr> configuration*
11:20 < qfr> I have the binary only I think
11:23 < qfr> root@voidandfire:~# sysctl net.ipv4.ip_forward  
11:23 < qfr> net.ipv4.ip_forward = 1
11:23 < qfr> What's the difference between using the file system and sysctl>
11:23 < qfr> ?
11:23 < qfr> Yay it says 1 now when I cat it.
11:24 < qfr> Amazing! I can ping 4.2.21
11:24 < qfr> 4.2.2.1 even :D
11:24 < qfr> Holy shit, it works
11:24 < qfr> OPENVPN POINT TO POINT TUNNEL: SUCCESS
11:25 < qfr> So it was just that breaking it
11:26 < qfr> Alright, the next issue is enabling the OpenVPN client to bind certain ports now I guess
11:26 < qfr> This is not possible by default if I am not mistaken
11:26 < zoredache> wha do you mean bind to specific ports?
11:27 < qfr> zoredache: I want my OpenVPN client to be able to bind ports, such that they are bound on the OpenVPN server
11:27 < qfr> I was told this is problematic to set up
11:27 < qfr> Like, when port 80 on the OpenVPN server is accessed, I want it to go to my OpenVPN client
11:27 < zoredache> couldn't you just do NAT on the vpn server and re-write the destination to the address of the vpn client?
11:28 < qfr> Yeah I guess that's it
11:28 < qfr> Luckily I already know how to do that because I use it on my Linux router
11:28 < qfr> I did all of this just to run rtorrent through OpenVPN haha
11:28 < qfr> I bet the performance will blow anyways
11:28 < qfr> Due to TCP heuristics failing on me
11:29 < qfr> Single TCP transfers between endpoints all over the world generally appear to fail speedwise
11:30 < qfr> Like, a single transfer won't hit 12.3 MiB/s
11:30 < qfr> When I'm talking to my servr
11:30 < qfr> I always need to use 6-8 TCP connections to get the full speed
11:30 < qfr> This is the same with HTTP, SFTP, FTP, etc
11:30 < qfr> Single TCP connections usually hit the limit around 1-3 MiB/s
11:31 < qfr> And I do not think that it is apache2/opensshd/whatever throttling them
11:31 < qfr> I think it's just TCP heuristics failing on me
11:31 -!- guy_ [~guy@bzq-79-178-54-156.red.bezeqint.net] has joined ##openvpn
11:32 -!- bfallik [~bfallik@173-166-6-145-newengland.hfc.comcastbusiness.net] has joined ##openvpn
11:33 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:33 < bfallik> hi, i'm having trouble with the client-config-dir directive and was hoping for help.  everything looks okay on the server; logs suggest that it's reading the ccd file correctly for the client.  The client seems to ignore the ifconfig-push directive.  The client does not report any errors and the openvpn process stays up, but the tun device never gets its IP address.
11:36 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:56 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Quit: Leaving]
11:59 < bfallik> if i manually ifconfig the tun device on the client, everything works ok.  I'd expect the ifconfig-push to do this for me.
12:02 < dazo> bfallik: and you are absolutely sure OpenVPN does read the correct file inside the ccd/ directory?
12:03 < dazo> bfallik: that it's not that you have a wrong file name, or something like that?
12:03 < dazo> (the filename should match the CN of the certificate, with some renaming tweaks)
12:04 < dazo> look at the "String Types and Remapping" in the man page for more info about the character remapping in CN
12:05 -!- plaerzen [~carpe@vip1.tundraeng.com] has joined ##openvpn
12:05 < plaerzen> hey ecrist 
12:05 < plaerzen> and krzee too, I guess.
12:05 < plaerzen> :P
12:08 < ecrist> hey ther.
12:11 < bfallik> dazo:  yes.  i see this in hte server log:  OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/fox
12:11 < bfallik> where 'fox' is the name of the client
12:12 < bfallik> in all ways it appears like the server thinks everything is ok, but the client never executes ifconfig
12:12 < dazo> bfallik: can you please pastebin client logs?  ... with --verb 4?
12:12 < bfallik> the final msg i see on the client log is:  Initialization Sequence Completed
12:12 < bfallik> dazo:  sure, one sec.
12:15 < bfallik> http://pastebin.com/D2zSyNZJ   <--- does that work?
12:17 < Fiouz> you don't have "client" or "pull" option enabled
12:18 < bfallik> just add 'client' to the client file?
12:18 < Fiouz> I think they are needed to retrieve server-specified parameters such as the IP address
12:18 < Fiouz> give it a try
12:19 < bfallik> oooh
12:19 -!- annih_ [~chatzilla@dslb-188-103-255-128.pools.arcor-ip.net] has joined ##openvpn
12:19 < bfallik> Fiouz, Excellent.  That works.  Thanks, and nice catch.
12:22 -!- annih [~chatzilla@dslb-188-103-238-021.pools.arcor-ip.net] has quit [Ping timeout: 276 seconds]
12:23 -!- annih_ is now known as annih
12:24 -!- mario__ [~mario@projekte.imos.net] has joined ##openvpn
12:24 < mario__> Hello!
12:24 < mario__> on my openvpn client (windows 7) i get: read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
12:24 < mario__> any hint?
12:26 < mario__> is this client or server related?
12:29 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
12:31 < Fiouz> not much information, when do you gen that? at startup? sometime later? do you always get that error? that it prevent openvpn from working? (got more questions than you!)
12:34 -!- bfallik [~bfallik@173-166-6-145-newengland.hfc.comcastbusiness.net] has quit [Quit: Ex-Chat]
12:45 -!- JackCorleone [~Jack@187.11.184.68] has joined ##openvpn
12:57 < JackCorleone> !walcome
12:57 < vpnHelper> JackCorleone: Error: "walcome" is not a valid command.
12:57 < JackCorleone> !welcome
12:57 < vpnHelper> JackCorleone: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:00 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 252 seconds]
13:00 < JackCorleone> !goal
13:00 < vpnHelper> JackCorleone: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:03 < mario__> Fiouz, the vpn is successful if i connect via cable
13:03 < mario__> Fiouz, i get this error only if i use utms/mobile access
13:03 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
13:04 < JackCorleone> OpenVPN work with Proxy? because, i need the open vpn client conect to server, but host gateway don't have internet he is dead!, i have only proxy for this conection!  one help please?
13:06 -!- magic_1 [~magic@mail.virtuallogistics.co.za] has joined ##openvpn
13:09 < dazo> JackCorleone: yes, OpenVPN works with most proxies ... HTTP and SOCKS afaik
13:11 -!- magic_1 [~magic@mail.virtuallogistics.co.za] has quit [Ping timeout: 276 seconds]
13:12 < JackCorleone> dazo - how ?
13:12 < JackCorleone> !sample
13:12 < vpnHelper> JackCorleone: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
13:12 < dazo> !man
13:12 < vpnHelper> dazo: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
13:13 < dazo> JackCorleone: look at #2 .... search for  <connection>
13:14 < dazo> on that area both socks-proxy and http-proxy are described pretty well
13:14 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:16 < JackCorleone> dazo, yeah, thanks!!!
13:16 < dazo> you're welcome!
13:17 -!- guy_ [~guy@bzq-79-178-54-156.red.bezeqint.net] has quit [Quit: Lost terminal]
13:24 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
13:47 < JackCorleone> dazo, sucess, but you can see my pastbin log? i have a little problem
13:58 -!- TheDavidFactor [~chatzilla@c-68-34-116-180.hsd1.md.comcast.net] has joined ##openvpn
14:00 < JackCorleone> dazo: http://code.bulix.org/nk1qjb-74862
14:00 < vpnHelper> Title: bulix.org / pastebin (at code.bulix.org)
14:00 < dazo> JackCorleone: Tue Apr 27 15:36:50 2010 HTTP proxy returned: 'X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0'  ... this perhaps?
14:00 < TheDavidFactor> I'm trying to setup a many-clients <-> one-server config where 10.8.0.0/24 is for normal clients and I can put clients with static IPs in 10.8.1.0/24
14:01 < dazo> JackCorleone: this gives more hints as well .... Tue Apr 27 15:36:50 2010 HTTP proxy returned: 'HTTP/1.0 407 Proxy Authentication Required'
14:01 < TheDavidFactor> I'm not sure what I should put on the ifconfig-push line for the static clients
14:01 -!- krzie [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
14:02 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
14:02 < TheDavidFactor> if I follow the example I think I get this for a client with static ip 10.8.1.60: ifconfig-push 10.8.1.60 10.8.1.61 is that accurate?
14:03 < JackCorleone> dazo: If HTTP Proxy-Authenticate is required, authfile is a file containing a username and password on 2 lines, or "stdin" to prompt from console. 
14:03 < JackCorleone> dazo: my .txt thats ok! no is worng user/pass
14:03 < JackCorleone> dazo: wrong*
14:03 < TheDavidFactor> or should it be: ifconfig-push 10.8.1.60 10.8.0.1 (10.8.0.1 which what the server line uses)
14:03 < TheDavidFactor> any pointers?
14:03 < TheDavidFactor> thx
14:04 < dazo> JackCorleone: have you tried without file ... and used 'auto' instead?
14:05 < JackCorleone> dazo: not, because my proxy need auth!
14:06 < dazo> "The auto flag causes OpenVPN to automatically determine the auth-method and query stdin or the management interface for username/password credentials, if required. This flag exists on OpenVPN 2.1 or higher. "
14:06 < JackCorleone> Ok! testing..
14:06  * dazo need to run in 10 min
14:13 < JackCorleone> dazo: thanks a lot! sucess, i use basic auth and work!
14:13 < JackCorleone> dazo ++
14:13 < dazo> JackCorleone: cool! :)
14:22 -!- dazo is now known as dazo_afk
14:23 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
14:25 -!- networkn [networkn@121.98.152.39] has joined ##openvpn
14:29 -!- qfr [void@unaffiliated/yw] has left ##openvpn []
14:39 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Read error: Operation timed out]
14:40 -!- bobly [~bobly@ks358975.kimsufi.com] has joined ##openvpn
14:40 < bobly> !tcp
14:40 < vpnHelper> bobly: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
14:40  * bobly is spreading the no TCP over TCP luv ^^
14:43 -!- JackCorleone [~Jack@187.11.184.68] has quit [Quit: thanks mans, see u]
14:47 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
14:49 -!- DarthGandalf|BNC is now known as DarthGandalf
14:56 -!- aaronorosen1 [~arosen@riggs249dhcp138.ces.clemson.edu] has quit [Remote host closed the connection]
15:05 -!- TheDavidFactor [~chatzilla@c-68-34-116-180.hsd1.md.comcast.net] has quit [Read error: Connection reset by peer]
15:10 -!- TheDavidFactor [~chatzilla@c-68-34-116-180.hsd1.md.comcast.net] has joined ##openvpn
15:14 -!- oc80z [oc80z@blea.ch] has quit [Write error: Connection reset by peer]
15:14 -!- Optic [~Optic@miso.capybara.org] has quit [Ping timeout: 354 seconds]
15:14 -!- Optic [~Optic@miso.capybara.org] has joined ##openvpn
15:15 -!- oc80z [oc80z@blea.ch] has joined ##openvpn
15:18 -!- annih [~chatzilla@dslb-188-103-255-128.pools.arcor-ip.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
15:46 -!- mario__ [~mario@projekte.imos.net] has quit [Quit: Ex-Chat]
15:50 -!- sanderj [~sanderj@195.204.103.72] has quit [Read error: Connection reset by peer]
15:50 -!- sanderj [~sanderj@195.204.103.72] has joined ##openvpn
15:51 -!- insane^ [~un@ppp-82-135-91-155.dynamic.mnet-online.de] has quit [Remote host closed the connection]
16:23 -!- TheDavidFactor [~chatzilla@c-68-34-116-180.hsd1.md.comcast.net] has quit [Ping timeout: 260 seconds]
16:26 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
16:26 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:35 -!- TheDavidFactor [~chatzilla@c-68-34-116-180.hsd1.md.comcast.net] has joined ##openvpn
16:38 -!- TheDavidFactor [~chatzilla@c-68-34-116-180.hsd1.md.comcast.net] has quit [Client Quit]
16:44 -!- graffz` [~graffz@118.175.66.195] has joined ##openvpn
17:14 -!- graffz` is now known as digikult
17:14 -!- digikult is now known as graffz`
17:16 -!- graffz` is now known as digikult
17:16 -!- digikult is now known as graffz`
17:29 -!- zer0 [~zer0@95.211.0.237] has joined ##openvpn
17:29 -!- zer0 [~zer0@95.211.0.237] has quit [Client Quit]
17:30 -!- invis- [~invis@95.211.0.237] has joined ##openvpn
17:43 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:46 < ecrist> boats and hos
17:47 < krzee> im on a boat
17:47 < krzee> im on a boat
17:52 -!- takamichi [~pri@78.133.92.164] has quit [Ping timeout: 260 seconds]
17:58 < rob0> idaho idaho
18:15 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
18:32 < ecrist> !ircstats
18:32 < vpnHelper> ecrist: Error: "ircstats" is not a valid command.
18:32 < ecrist> !irclogs
18:32 < vpnHelper> ecrist: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days.
18:35 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
18:37 < krzee> hey ecrist is it easy to make me always krzee on stats?
18:37 < krzee> somehow krzie overtook krzee
18:42 < krzee> if not it dont matter
18:52 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Quit: No Ping reply in 180 seconds.]
18:52 < ecrist> yes, I think so, let me look
18:52 < ecrist> I'm playing with stats stuff anyhow
18:52 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
18:55 < ecrist> there, seems to have fixed it
18:57 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
18:58 < krzee> sweet =]
19:02 < ecrist> the box that is on has been down since 26 march
19:02 < ecrist> finally found the time to fix it
19:03 < ecrist> setting up logging for #openvpn-devel, as well
19:03 < krzee> ahh that explains why i was last active in march
19:03 < ecrist> refresh should fix is
19:03 < ecrist> it*
19:04 < krzee> wow, active 97%
19:04 < krzee> i might need more hobbies
19:04 < krzee> lol
19:05  * ecrist agrees
19:06 < krzee> ive started adding defaults and input validation to confgen
19:06 < krzee> and hyper_ch is working on a web interface
19:06 < ecrist> you should have just written it in perl
19:06 < ecrist> :P
19:06 < krzee> then ild be requiring people to have perl
19:08 < ecrist> so?
19:08 < ecrist> don't most system already have perl?
19:08 < krzee> i did fully go to bash tho
19:08 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
19:08 < ecrist> so, you're sticking with bash?
19:09 -!- Irssi: ##openvpn: Total of 95 nicks [1 ops, 0 halfops, 1 voices, 93 normal]
19:09 < krzee> yup
19:09  * ecrist will probably never fire it up, then
19:10 < krzee> ok
19:10 < krzee> and if you do that C version of ssl-admin ill prolly build it into the confgen
19:11 < ecrist> I'll probably start that in a couple weeks, tbh
19:12 < krzee> cool
19:13 < zoredache> I am reading through the source for the windows installer.  There is a mention of an XML Gui?  Is that something that is part of access-server?
19:41 -!- invis- [~invis@95.211.0.237] has quit [Quit: invis-]
19:57 -!- tiavv [~tiav@ram94-3-82-225-11-215.fbx.proxad.net] has joined ##openvpn
20:00 -!- tiav [~tiav@ram94-3-82-225-11-215.fbx.proxad.net] has quit [Ping timeout: 268 seconds]
20:05 -!- tiav [~tiav@ram94-3-82-225-11-215.fbx.proxad.net] has joined ##openvpn
20:06 -!- tiavv [~tiav@ram94-3-82-225-11-215.fbx.proxad.net] has quit [Read error: Connection reset by peer]
20:08 -!- graffz` [~graffz@118.175.66.195] has quit [Ping timeout: 246 seconds]
20:26 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
20:45 -!- darkdrgn2k [~darkdrgn2@bas2-toronto44-1242514693.dsl.bell.ca] has joined ##openvpn
20:45 < darkdrgn2k> Hey all i have 2 machiesn on either side of a vpn tunnel
20:45 < darkdrgn2k> they both can see each other
20:46 < darkdrgn2k> however i cannot access UNC paths
20:46 < darkdrgn2k> System error 67 has occurred.
20:46 < darkdrgn2k> any ideas
20:47 -!- tiavv [~tiav@ram94-3-82-225-11-215.fbx.proxad.net] has joined ##openvpn
20:48 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
20:49 < krzee> example of UNC path pls
20:50 -!- tiav [~tiav@ram94-3-82-225-11-215.fbx.proxad.net] has quit [Ping timeout: 240 seconds]
21:13 -!- Cvele [~cveks@93.86.228.73] has joined ##openvpn
21:13 < Cvele> hello guys
21:18 < Bushmills> \\server\volume\file   should be one
21:19 < Bushmills> though i have no idea how these relate to openvpn
21:19 < krzee> oh, then he needs WINS
21:19 < Bushmills> !wins
21:19 < vpnHelper> Bushmills: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
21:19 < krzee> !wins
21:19 < vpnHelper> krzee: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
21:19 < krzee> haha jinx!
21:19 < rob0> So in other words, the VPN works perfectly, but you don't understand how to use Windows and/or Samba?
21:20 < rob0> I know how to use Windows. Not.
21:21 < Bushmills> i know how to google "windows"
21:21 < rob0> This time of year it's nice to open windows for fresh air.
21:21 < krzee> not here
21:22 < krzee> i did that, got bit the hell up by mosquitos
21:22 < krzee> (last night)
21:22 < Bushmills> no pocket SDI, laser them right into the wing joints?
21:22 < rob0> yeah, screens are handy
21:23 < krzee> i woke up itching my body and went on a mosquito killing rampage
21:23 < krzee> i hate those lil fuqs
21:24 < Bushmills> last year i had erected my tent in the house. kept them outside :D
21:25 -!- darkdrgn2k [~darkdrgn2@bas2-toronto44-1242514693.dsl.bell.ca] has quit [Ping timeout: 260 seconds]
21:26 < Bushmills> http://forthfreak.net/tent/img_1373.jpg   <- urban camping
21:28 < rob0> You could use nails instead of tent stakes.
21:29 -!- tiav [~tiav@ram94-3-82-225-11-215.fbx.proxad.net] has joined ##openvpn
21:29 -!- tiavv [~tiav@ram94-3-82-225-11-215.fbx.proxad.net] has quit [Read error: Connection reset by peer]
21:29 < Bushmills> right, in case a storm runs through the house
21:29 < krzee> that doesnt look comfy
21:34 < Bushmills> space?
21:39 -!- invis- [~invis@67.159.28.235] has joined ##openvpn
21:39 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
22:13 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
22:20 -!- invis- [~invis@67.159.28.235] has quit [Quit: invis-]
22:21 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
22:46 -!- darkdrgn2k [~darkdrgn2@bas2-toronto44-1242514693.dsl.bell.ca] has joined ##openvpn
22:46 < darkdrgn2k> soryr guys im back
22:46 < darkdrgn2k> yeh any ideas why openvpn wong allo wme to access unc paths between a domained DC and a win2k3 server?
22:46 < darkdrgn2k>  System error 67 has occurred.
22:54 < Bushmills> !wins
22:54 < vpnHelper> Bushmills: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
22:56 < darkdrgn2k> Bushmills: i dont think its wins.. i dont have name resolutions problems..
22:56 < darkdrgn2k> Bushmills: ie i can ping hostnames and such without a problem
22:56 < Bushmills> therefore openvpn works
22:57 < darkdrgn2k> Bushmills: yes but i cant figure out why i  cant access shares...
22:57 < darkdrgn2k> windows ppl suggested it may be vpon
22:57 -!- plaerzen [~carpe@vip1.tundraeng.com] has quit [Disconnected by services]
22:58 -!- carpe_ [~carpe@vip1.tundraeng.com] has joined ##openvpn
22:58 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
22:59 < Bushmills> if it's not a resolving problem with those unc paths - what other problem is it?
23:00 < darkdrgn2k> Bushmills: i donno.. i know in the past (long time ago) there was some special paramaters i eneded to add to ovpn to get certain things to work
23:00 < Bushmills> how do you know that it is *not* a resolving problem?
23:01 < darkdrgn2k> Bushmills: because i can ping anythign and everythign by use of a hostname?
23:01 < darkdrgn2k> and even IP addys dont work
23:01 < darkdrgn2k> oh lol yeh and im not getting 67 The network name cannot be found.
23:02 < darkdrgn2k> sorry
23:02 < Bushmills> ) darkdrgn2k:  System error 67 has occurred.
23:02 < darkdrgn2k> how can this be casuing a resolution issue:
23:02 < darkdrgn2k> net use q: \\192.168.0.247\c$
23:02 < darkdrgn2k> (yeh i just noticed that
23:03 < darkdrgn2k> so yeh how can "net use q: \\192.168.0.247\c$" cause a resoltuion error
23:03 < darkdrgn2k> if i can ping 0.247 
23:06 < darkdrgn2k> even when i pointed the DNS to the dc same issue
23:09 < krzee> if you can ping, the vpn is not the issue
23:09 < krzee> ild suggest looking up error code 67
23:09 < theDoc> http://support.microsoft.com/kb/843156
23:09 < vpnHelper> Title: You receive a System error 67 has occurred. The network name cannot be found error message in Windows Server 2003 (at support.microsoft.com)
23:10 < krzee> or whatever error code you have
23:11 < krzee> !notopenvpn
23:11 < vpnHelper> krzee: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
23:11 < thepuppynuts> whats the trigger to find out more about how to require login/pass for openvpn
23:12 < krzee> !authpass
23:12 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
23:32 < darkdrgn2k> krzee: wierd part is i donthave a problem on the local lans!
23:33 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
23:42 < WormFood> what is the cause of "FRAG TTL expired"? I'm getting a TON of those in my log files
23:47 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
--- Day changed Wed Apr 28 2010
00:03 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
00:12 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
00:23 -!- aiother [~ramji@71.93.70.44] has joined ##openvpn
00:24 < aiother> hello there
00:27 < aiother> If you're using VPN to go from your laptop to an access point then to another network would it be possible for others to see where your traffic was coming from and where it was going to?
00:31 < julius> it shouldn't
00:31 < julius> unless they can intercept it after it has left the tunnel
00:32 < aiother> So they can't just see IP addresses, those are encrypted?
00:32 < WormFood> others can't see anything inside of the vpn tunnel, unless they happen to have your keys
00:33 < WormFood> they can see the source and destination of your laptop and the vpn server, but anything else would be encrypted
00:34 < aiother> I see, so the IP of the destination would be easy to see?
00:36 < WormFood> the destination being the vpn server...yes, easy to see
00:37 < aiother> Thank you.  Is it possible to send my vpn tunnel thru a proxy network like tor?
00:38 < WormFood> sure
00:38 < WormFood> if you want it to be super slow
00:38 < aiother> Would the destination then be hidden?
00:39 < WormFood> to all except the exit node on the tor network
00:40 < WormFood> not sure if tor would work with udp
00:40 < WormFood> it may only work with tcp
00:40 < WormFood> that is something you'd want to check out
00:41 < aiother> is it possible for someone to hack your vpn key?
00:41 < WormFood> sure
00:41 < WormFood> anything is possible
00:41 < WormFood> however, it is extremely unlikely
00:42 < WormFood> they may get lucky and guess your vpn key on the first try
00:42 < WormFood> but what are the odds of that happening? 35667867896795686745623452562366235123423463454574:1 ?
00:42 < aiother> harder to crack then WEP I hope :-)
00:42 < WormFood> wep is shit
00:42 < WormFood> wep has major design flaws
00:43 < aiother> So they would have to guess it manually, brute force wise?
00:43 < WormFood> yeah
00:44 < WormFood> it would be brute force for sure
00:44 < WormFood> in an infinite world of infinite possibilities, ANYTHING is possible
00:45 < WormFood> however, the chances of someone hacking your vpn key are extremely remote
00:47 < WormFood> and if your tinfoil hat is too tight, perhaps you want to use 4096 or 8192 bit vpn keys ;P
00:49 < aiother> what tinfoil isn't secure, I have a high grade platinum alloy hat. :-)
00:52 < WormFood> mine is made out of layers...aluminum, iron, copper, steel, silver, platinum, mercury....want to make sure nothing gets through.
00:56 < aiother> Can I setup OpenVPN to go from my laptop at a public hotspot to my home network?
00:57 < WormFood> of course
00:57 < WormFood> in fact, that is the best way to do that, even if it is "secured" with WEP, as we all know that shit is shit
00:57 < aiother> Do I put it on my router or one of the home computers?
01:04 < aiother> One of my routers has DD-WRT on it and I believe I can put OpenVPN right on the router, though it's the router that's wirelessly bridged to the other, not the one connected to the outside world, would that be a problem?
01:12 < theDoc> lolwep
01:15 < WormFood> aiother, you can run openvpn on your dd-wrt router, but it is a little tricky (I do it, but I don't find it it to be that reliable)
01:16 < WormFood> after you connect to the vpn server, all the encryption is stripped of, and it goes out of the vpn server like normal data...so you have to decide if it is safe/ok or not after the vpn server
01:17 < theDoc> Chances are, you aren't going to be able to estab a full tunnel from you to the remote end point if you're doing casual web surfing/chatting.
01:17 -!- takamichi [~pri@78.133.92.164] has joined ##openvpn
01:19 < aiother> I see, should swap positions of the routers, then it will work?
01:20 < aiother> I mean, I see, so I should swap the positions of the routers, then it will work?
01:25 -!- bobly [~bobly@ks358975.kimsufi.com] has quit [Quit: Leaving]
01:26 < aiother> How does OpenVPN compare to the VPN that comes with dd-wrt?
01:37 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
01:38 < theDoc> takamichi o/
01:49 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
01:50 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:50 -!- mode/##openvpn [+o mattock] by ChanServ
02:03 -!- krzie [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
02:04 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
02:15 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has quit [Remote host closed the connection]
02:31 -!- Netsplit *.net <-> *.split quits: hyper_ch, sanderj, fremo__, aiother, theDoc, unimatrix
02:36 -!- HyperZid [~sanderj@195.204.103.72] has joined ##openvpn
02:37 -!- Netsplit over, joins: aiother, fremo__, unimatrix, hyper_ch
02:37 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Remote host closed the connection]
02:41 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
02:43 -!- dazo_afk is now known as dazo
02:45 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
02:45 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Quit: Leaving...]
02:48 < theDoc> krzee> You around?
02:51 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Connection reset by peer]
02:51 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
03:07 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
03:10 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
03:13 -!- macsppadic [~sonupunno@82.109.74.162] has joined ##openvpn
03:17 -!- tiav [~tiav@ram94-3-82-225-11-215.fbx.proxad.net] has quit [Quit: Parti]
03:36 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Quit: Leaving...]
03:46 < WormFood> god damn it! this fuckin' shit is really pissing me off....and I can find NO information about it! why am I getting a TON of "FRAG TTL expired" errors from one client, but nobody else?
03:47 -!- Rene [~Rene@jumbo52.adsl.netsonic.fi] has joined ##openvpn
03:47 < WormFood> I can't even duplicate the god damn problem for testing and troubleshooting.
03:47 < Rene> Hi all!
03:48 < Rene> i have a question: Does the data that goes through the VPN-tunnle always go throught the VPN-server?
03:48 < Rene> or can it route packages that happen to be in the same local network?
03:49 < WormFood> Rene, do you know what a VPN is?
03:49 < Rene> well, yes..
03:49 < Rene> so it goes through the server..
03:49 < WormFood> then you should know the answer to your question :P
03:49 < WormFood> yes, it must go through the server
03:50 < WormFood> but you can configure routing so that some addresses don't go through the vpn, and others do
03:50 < Rene> that was actually to what i wanted to come to :-)
03:51 < Rene> to make things convinient, i have my mediaserver at home in my vpn-segment
03:51 < WormFood> I'm in China, and as you probably know, many web sites are blocked....I don't want to send ALL of my traffic through the VPN, only the problem sites....so that is what I do
03:51 < Rene> and at home it's a bit silly to route my mp3:s via my server at my isp ;-)
03:52 < Rene> ok, cool :-)
03:52 < WormFood> don't reroute your default gateway over hte vpn
03:52 < WormFood> tell your vpn server, and your local machine where to route packets to the remote network
03:52 -!- Diffen2 [~diffen2@mail.feab.se] has joined ##openvpn
03:53 < Rene> after al, i think that it wont work..
03:54 < Rene> my vpn-runs on 192.168.3.0 network, and i have mapped my home-server \\192.168.3.10\mp3 to r:
03:54 < Rene> so that is anyway going around through my server..
03:55 < WormFood> but your home server has a routable IP
03:55 < Rene> hmm.. got to figure out a better way how to manage my medialibrary..
03:55 < WormFood> 192.168.x.x is not routable over the internet
03:55 < WormFood> it is routable over the vpn tho
03:56 < WormFood> and your vpn server is on at least 2 different networks....one for the vpn, and one for the local network....and maybe one for your internet connection
03:56 < Rene> my server's physical address is 192.168.0.1, and yes, that goes directly out
03:56 < WormFood> how are you handling keys? static key? public/private key?
03:57 < Rene> static public/private keys
03:57 < WormFood> you're using one or the other, not both
03:58 < WormFood> that is like saying "I have a spherical cube"
03:58 < Rene> sorry, i misread. static keys
03:58 < WormFood> did you configure it to reroute your default gateway over the vpn?
03:59 < WormFood> I don't remember if you can push configurations to the client using the static key or not
03:59 < Rene> i'm running a setup based on this howto: http://brneurosci.org/linuxsetup71.html
03:59 < vpnHelper> Title: Installing a Virtual Private Network with OpenVPN (at brneurosci.org)
03:59 < krzie> Rene, 
03:59 < krzie> what exactly is your goal?
03:59 < krzie> to send all your internet through the vpn, but not LAN traffic?
04:00 < krzie> !goal
04:00 < vpnHelper> krzie: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
04:00 < Rene> i'll try to rephase myself ;-)
04:01 < krzie> ok, just start with the purpose of the vpn
04:01 < Rene> i have a working setup with the client-to-client setting set in my server
04:01 < krzie> !c2c
04:01 < vpnHelper> krzie: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
04:01 < vpnHelper> krzie: behind other clients
04:01 < Rene> this way i can access all my machines on my vpn-network: 192.168.3.0
04:02 < krzie> ok, you you use server 192.168.3.0 255.255.255.0 in your config?
04:02 < krzie> so you*
04:02 < Rene> one of my mediservers is in the vpn-segment at 192.168.3.10, and i can access it witn my laptop always witht the same addres
04:03 < krzie> ahh ok
04:03 < Rene> but, when i'm at home, it's a bit silly to route my media throught my server
04:03 < krzie> easy
04:03 < krzie> DNS
04:03 < Rene> cause i have mapped r:\ to 192.168.3.10\mp3
04:03 < krzie> first try to hit it by LAN ip
04:04 < krzie> then by VPN ip
04:04 < Rene> ok..
04:04 < krzie> know what i mean?
04:04 < Rene> so, what you say, i should fiddle with my hosts-file a bit..
04:04 < Rene> hold on..
04:04 < krzie> you might be able to do that in a hosts file, ive never tried
04:05 < krzie> but basically you want it to resolve to both IPs
04:05 < Rene> hmm... i wonder how to achieve that..
04:06 < Rene> i understand what you mean, it's just my brains that are currently stalled..
04:06 < Rene> ;-)
04:08 < Rene> darn..
04:08 -!- Diffen2 [~diffen2@mail.feab.se] has quit [Quit: This computer has gone to sleep]
04:09 < Rene> krzie, i'm btw not running a local dns-server, so this might be tricky..
04:09 < Rene> so i have to go for the hosts-file.. 
04:10 < Rene> cause this would be just for one machine, my laptop
04:10 < WormFood> you shouldn't need to use a name, an IP should be just as good
04:11 < Rene> um, but then if i use an ip (in this case 192.168.3.10), it would always go over my vpn
04:11 < Rene> and my local servers address is 192.168.0.1
04:11 < WormFood> if you add it to your hosts file, it will always resolve to the same ip, so same difference
04:11 < Rene> yep, exactly..
04:12 < krzie> just make 2 entries in hosts
04:12 < krzie> from what i just read it works fine
04:12 < WormFood> while I setup dns for my home network with only 2-5 hosts, it really is overkill
04:12 < krzie> make both ips the same hostname
04:12 < Rene> ok, so first my local ip, then the vpn..
04:12 < Rene> or viceversa?
04:12 < krzie> ild go with home first
04:13 < krzie> if it doesnt end up doing what you want, you could write a script to do it, and hook it into openvpn
04:14 < krzie> the script could try to mount via LAN (thus mounting it for you as well), and if that fails mount via VPN (which would also mount  it for you)
04:14 < Rene> i think that the double-entrys does not work..
04:14 < krzie> so in the end you would have it mounted upon starting your vpn, and transparently bypassing the vpn when home
04:15 < Rene> just tested it with the first entry as a bogus-ip, and the second as my vpn-ip
04:15 < krzie> and it didnt connect?
04:15 < Rene> no, ping did not go throug. it was just trying to go for the bogus-ip
04:15 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
04:15 < krzie> does it connect if you move the bogus entry?
04:15 < krzie> remove
04:15 < Rene> yes
04:15 < krzie> ok
04:15 < krzie> so the script method
04:15 < Rene> if i put it "after" the vpn-ip
04:16 -!- vernr [~vernr@212.117.165.197] has joined ##openvpn
04:16 < Rene> this would have bee an exxxxxelent solution, with this kind of fallback
04:16 < vernr> could anyone please tell me how to fix this? 
04:16 < vernr> ERROR: Linux route add command failed: external program exited with error status: 7
04:16 < krzie> which could just be <mount via lan> || <mount via vpn>
04:16 < WormFood> vernr, is "route" in your path? are you running openvpn as root?
04:17 < vernr> WormFood, im running openvpn as root. i dont know what "is route in your path" means
04:17 < krzie> error code 7 is from route command not openvpn
04:17 < krzie> !configs
04:17 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
04:17 < krzie> !logs
04:17 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
04:18 < vernr> what is route command
04:18 < Rene> vernr, i guess i'll just create a that maps a different ip to r:
04:18 < krzie> you dont know what a route is?
04:18 < krzie> Rene, just make a script that tries to mount over LAN ip, if that command fails it mounts over VPN
04:18 < vernr> im sorry krzee I don't think I can paste those things as that would betray my privacy
04:18 < WormFood> then we can't help you
04:19 < vernr> krzee, i dont know what a route is in openvpn
04:19 < vernr> im trying to help myself
04:19 < Rene> can btw the openvpngui do this for me?
04:19 -!- mode/##openvpn [+o krzee] by ChanServ
04:19 < Rene> run a script each time it refreshes the connection?
04:19 -!- mode/##openvpn [+o krzie] by ChanServ
04:19 -!- mode/##openvpn [+b *!*vernr@212.117.165.*] by krzie
04:19 -!- vernr was kicked from ##openvpn by krzie [sorry we cant help you, as that would betray your privacy]
04:19 -!- mode/##openvpn [-o krzee] by krzie
04:20 -!- mode/##openvpn [-o krzie] by krzie
04:20 < WormFood> we're not psychic enough to help him ;)
04:20 < krzie> Rene, see --up in the manual
04:20 < Rene> ahh, cool!
04:21 < krzie> !factoids search win
04:21 < vpnHelper> krzie: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', 'win7', 'win_ipfail', 'win2k8', 'sudowin', 'win_tcplimit', 'winnat', and 'winscript'
04:21 < krzie> !winscript
04:21 < vpnHelper> krzie: "winscript" is a user reported that his --up script was not executed in windows gui. his config was bps.ovpn, he renamed the script to bps_up.bat and put it in the dir with his config... then it worked!
04:21 < krzie> but still read --up
04:21 < krzie> you need to understand when it executes and stuff
04:22 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
04:23 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
04:24 < WormFood> krzie, do you have any ideas why I'm getting a ton of "FRAG TTL expired" errors? Linux server, windows 7 client. I can not duplicate the problem at home :(
04:24 < krzie> never heard of that error
04:25 < WormFood> google is no help
04:25 < krzie> you playing with your MTU settings?
04:25 < WormFood> I found one reference to it
04:25 < Rene> WormFood, did you "refresh" your connection?
04:25 < WormFood> the problem is, the computer that is generating this error isn't here....and I can't duplicate the problem
04:25 < WormFood> I wonder if it is their router that is causing this problem.
04:26 < Rene> krzie, now i have a script that runs net use r:/ delete /yes, and then re-maps the drive
04:26 < krzie> you playing with your MTU settings?
04:26 < WormFood> http://www.strongvpn.com/forum/viewtopic.php?id=399
04:26 < vpnHelper> Title: OpenVPN FRAG TTL Expired i=x (Page 1) - Setup Help - StrongVPN Forum (at www.strongvpn.com)
04:27 < krzie> WormFood, do you have fragment, mssfix, or any mtu settings in your server config?
04:27 < WormFood> yes
04:28 < krzie> make sure that client has the right settings to match
04:28 < WormFood> tun-mtu 1500 - mssfix 1300 - fragment 1300 <-- 3 lines in config, one line here as not to "flood"
04:28 < krzie> why those settings?
04:28 < WormFood> yeah, the client matches....but I will double check
04:28 < krzie> you read it worked for someone else or you tested and found you needed it?
04:29 < WormFood> because that is what fixed my other problems...don't remember the details now, as I set it up months ago
04:29 < WormFood> one of my friends suggested those values
04:29 < krzie> Rene, sounds good, you may find ways to improve the script, but that sounds like it got what you wanted going
04:29 < WormFood> I know I can probably go with 1450, but haven't tried
04:29 < krzie> didnt one of your friends suggest tcp?
04:29 < krzie> iirc
04:29 < WormFood> no
04:29 < krzie> oh that was someone else
04:29 < WormFood> maybe you're thinking of someone else :P
04:30 < krzie> well dont blindly listen to your friend
04:30 < krzie> !mtu-test
04:30 < vpnHelper> krzie: "mtu-test" is you can just use --mtu-test on the client to see what the best mtu for your connection is
04:30 < WormFood> in fact, I'm probably the one who suggested against tcp
04:30 < WormFood> really? I wasn't aware of mtu-test
04:30 < krzie> yupyup =]
04:30 < WormFood> is that a config setting?
04:30 < krzie> comment out the mtu settings (all 3)
04:30 < krzie> then use it
04:30 < krzie> (comment them out of server and client)
04:31 < WormFood> I've setup a 2nd vpn server to test, as not to disrupt my normal users....only 3 of them now, but hope to have lots more.
04:31 < krzie> and yes, config or CLI
04:31 < krzie> !--
04:31 < vpnHelper> krzie: "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file.
04:31 < Rene> krzie, yes it worls as it should
04:31 < Rene> i should just figure out how to do a ping-test in a batch-file ;-)
04:31 < krzie> better than ping
04:31 < WormFood> ok krzie, give me a few minutes and I'll test it out. I have both Linux and winblows clients to test
04:32 < krzie> get your route, if on that  subnet try lan
04:32 < krzie> if not, skip to vpn
04:32 < krzie> if you were on any other os it would be easy for me to say how
04:32 < krzie> i really know almost completely nothing about win batch scripting
04:33 < WormFood> oops...maybe I'm wrong....maybe I only have fragment 1300 in my client config
04:33 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
04:33  * WormFood checks other client configs
04:34 < krzie> you can test your side and your server now
04:34 < krzie> and test from the other client when you can
04:34 < krzie> ive setup vpn over sat links and not needed to play with mtu
04:36 < krzie> with that said, sometimes it is needed
04:36 < WormFood> well, when I originally tried getting everything setup, I was having problems
04:37 < krzie> i had tons of problems on my original vpn too ;] 
04:37 < WormFood> but it appears I only set "fragment" in my client config (to 1300)
04:38 < krzie> unset all in both and try openvpn --mtu-test --config /path/to/config
04:38 < krzie> in client
04:38 < WormFood> but I expect to have clients on dd-wrt, osx, linux winblows xp, vista and winblows 7
04:38 < WormFood> yes, thats what I'm doing now
04:38 < krzie> cool
04:38 < WormFood> where will it give me the answer?
04:38 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 246 seconds]
04:38 < krzie> to STDOUT
04:38 < krzie> your console
04:39 < WormFood> yeah, i know stdout :P
04:39 < krzie> if it has daemon in the config, comment it
04:39 < WormFood> still waiting
04:39 < WormFood> seems to take a bit
04:39 < WormFood> it is not in daemon mode....I always run on the command line, untill I'm 100% happy with everything
04:39 < WormFood> NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1541,1541] remote->local=[1541,1541]
04:40 < krzie> ya you dont need mtu settings from there
04:40 < WormFood> so it is the client that reports that....I get nothing from the server
04:40 < WormFood> what about different clients?
04:40 < krzie> the server is fine
04:40 < WormFood> is there a chance some other clients may need those settings?
04:40 < krzie> if some clients have issues, run a mtu-test on them
04:40 < WormFood> ok, let me try this
04:45 < WormFood> does verbosity of "6" tell me when data is coming/going?
04:46 < Rene> krzie, now think that i have a working script!
04:46 < Rene> http://www.paste.me.uk/1384.html
04:47 < Rene> if the home-gw is found, then it maps it one way, of not found then the other way :-)
04:48 < WormFood> sounds like a deal to me Rene ;)
04:48 < Rene> yeah. works at home
04:49 < krzie> !wiki
04:49 < vpnHelper> krzie: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
04:49 < krzie> would make a cool writeup if you feel like it
04:51 < Rene> yep.. but in what section?
05:02 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
05:03 < Rene> krzie, it does not seem to work as expected..
05:03 < Rene> darn
05:04 < Rene> as stanalone it works, but not else
05:12 < Rene> ok, i think i got it.. but not sure how it behaves at my office
05:12 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
05:12 < Rene> added vpnconfig_up.bat to my windows-config dir, and that is launched by openvpn-gui
05:12 < Rene> time to run!
05:13 < Rene> thanks for your help guys!
05:13 -!- Rene [~Rene@jumbo52.adsl.netsonic.fi] has left ##openvpn ["I would like to die in my sleep just like my grandfather, not screaming and yelling like his passengers."]
05:17 -!- openvpn2009 [~admin@adsl-71-140-186-185.dsl.pltn13.pacbell.net] has quit [Quit: ircN 8.00 for mIRC (20080809) - www.ircN.org]
05:19 -!- cron2_ [~gert@kirk.greenie.muc.de] has joined ##openvpn
05:19 -!- mythmon_ [~mythmon@ash.osuosl.org] has joined ##openvpn
05:22 -!- notworkn [networkn@121.98.152.39] has joined ##openvpn
05:22 -!- donavan` [~donavan@unaffiliated/donavan] has joined ##openvpn
05:24 -!- Netsplit *.net <-> *.split quits: cron2, Bushmills, Rolybrau, networkn, mythmon
05:27 -!- Netsplit over, joins: Rolybrau
05:29 -!- Netsplit over, joins: Bushmills
05:36 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
05:49 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:25 -!- HyperZid [~sanderj@195.204.103.72] has quit [Read error: Connection reset by peer]
06:25 -!- HyperZid [~sanderj@195.204.103.72] has joined ##openvpn
06:34 -!- takamichi [~pri@78.133.92.164] has quit []
06:34 -!- screenn [~screenn@77.222.135.254] has quit [Ping timeout: 245 seconds]
06:35 -!- screenn [~screenn@77.222.135.254] has joined ##openvpn
06:42 -!- Diffen2 [~diffen2@mail.feab.se] has joined ##openvpn
06:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:58 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
07:13 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 246 seconds]
07:20 -!- mithridates [~chatzilla@142.166.49.129] has joined ##openvpn
07:37 -!- kloeri [kloeri@freenode/staff/exherbo.kloeri] has joined ##openvpn
07:38 -!- mquin [~mquin@freenode/staff/mquin] has joined ##openvpn
07:38 -!- mquin [~mquin@freenode/staff/mquin] has left ##openvpn []
07:44 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Ping timeout: 245 seconds]
07:48 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has quit [Remote host closed the connection]
07:49 -!- Uriell is now known as Uriel
07:56 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
07:59 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has joined ##openvpn
08:09 -!- carpe_ is now known as plaerzen
08:10 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
08:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:21 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
08:23 -!- TheDavidFactor [~chatzilla@c-68-34-116-180.hsd1.md.comcast.net] has joined ##openvpn
08:23 -!- notworkn [networkn@121.98.152.39] has quit [Ping timeout: 258 seconds]
08:25 < TheDavidFactor> I know you can use the duplicate-cn option to allow multiple clients to use the same cert. is it possible to put this in a common name specific config file and only allow multiple connections from certain certs?
08:27 -!- aiother [~ramji@71.93.70.44] has quit [Ping timeout: 265 seconds]
08:29 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 276 seconds]
08:30 -!- Diffen2 [~diffen2@mail.feab.se] has quit [Quit: This computer has gone to sleep]
08:43 -!- donavan` [~donavan@unaffiliated/donavan] has left ##openvpn ["Leaving"]
08:58 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
09:11 < Bushmills> krzee, krzie: ping
09:23 < ecrist> TheDavidFactor: I don't think so.
09:24 < TheDavidFactor> ok, thx
09:40 < krzie> pong
09:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
09:46 -!- takamichi [~pri@95.211.4.12] has joined ##openvpn
09:56 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
09:59 -!- TheDavidFactor [~chatzilla@c-68-34-116-180.hsd1.md.comcast.net] has left ##openvpn []
09:59 -!- mythmon_ [~mythmon@ash.osuosl.org] has left ##openvpn []
09:59 < Bushmills> krzie: i have an update for you.
10:04 -!- Bloodsong [~Nimbus@bas2-barrie18-1279301444.dsl.bell.ca] has joined ##openvpn
10:16 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
10:22 -!- darkdrgn2k [~darkdrgn2@bas2-toronto44-1242514693.dsl.bell.ca] has quit [Ping timeout: 246 seconds]
10:38 -!- mithridates [~chatzilla@142.166.49.129] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.5/20091102141836]]
10:46 -!- macsppadic [~sonupunno@82.109.74.162] has left ##openvpn []
10:52 -!- darkdrgn2k [~darkdrgn2@CPE000c419e662f-CM0011aea0fa16.cpe.net.cable.rogers.com] has joined ##openvpn
10:56 -!- Uriel is now known as Guest34769
10:59 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:01 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has joined ##openvpn
11:06 -!- WormFood [~wormfood@58.61.134.222] has quit [Ping timeout: 276 seconds]
11:12 -!- darkdrgn2k3 [~darkdrgn2@40-024.tor.economux.com] has joined ##openvpn
11:14 -!- darkdrgn2k [~darkdrgn2@CPE000c419e662f-CM0011aea0fa16.cpe.net.cable.rogers.com] has quit [Ping timeout: 268 seconds]
11:18 -!- WormFood [~wormfood@58.60.223.152] has joined ##openvpn
11:23 -!- openvpn2009 [~admin@adsl-71-140-186-185.dsl.pltn13.pacbell.net] has joined ##openvpn
11:23 -!- mode/##openvpn [+o openvpn2009] by ChanServ
11:33 -!- eradiate_ [~eradiate@pool-173-73-104-50.washdc.fios.verizon.net] has quit [Quit: leaving]
11:35 -!- xargs [~xargs@69.73.167.236] has joined ##openvpn
11:48 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:51 -!- jnss [janes@gateway/shell/sign.io/x-vwlduembtdtjdmud] has quit [Remote host closed the connection]
11:58 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
12:08 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
12:12 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
12:12 -!- JackCorleone [~Jack@187.11.184.68] has joined ##openvpn
12:12 -!- darkdrgn2k3 [~darkdrgn2@40-024.tor.economux.com] has quit [Ping timeout: 276 seconds]
12:13 < JackCorleone> dazo: o/
12:13 < dazo> JackCorleone: hi!
12:32 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
12:34 -!- Jackkk [~Jack@187.11.184.68] has joined ##openvpn
12:38 -!- JackCorleone [~Jack@187.11.184.68] has quit [Ping timeout: 265 seconds]
12:38 -!- Jackkk [~Jack@187.11.184.68] has left ##openvpn []
12:41 -!- darkdrgn2k [~darkdrgn2@bas2-toronto44-1242514693.dsl.bell.ca] has joined ##openvpn
12:46 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
12:54 -!- Bloodsong [~Nimbus@bas2-barrie18-1279301444.dsl.bell.ca] has quit [Quit: Leaving]
13:13 -!- mithridates [~chatzilla@142.166.49.129] has joined ##openvpn
13:13 -!- mithridates [~chatzilla@142.166.49.129] has quit [Client Quit]
13:36 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
13:45 < krzie> !route
13:45 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:06 -!- dazo is now known as dazo_afk
14:07 -!- krzie [nobody@unaffiliated/krzee] has quit [Ping timeout: 276 seconds]
14:07 -!- GiZme [~GiZme@ip169.edshus2.riksnet.nu] has joined ##openvpn
14:10 -!- mithridates [~chatzilla@142.166.49.129] has joined ##openvpn
14:44 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
15:00 -!- mithridates [~chatzilla@142.166.49.129] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.5/20091102141836]]
15:05 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:09 -!- HyperZid [~sanderj@195.204.103.72] has quit [Ping timeout: 248 seconds]
15:31 < thepuppynuts> can i specify multiple ip's and ports to listen on?
15:31 < thepuppynuts> i tried to add two ports in the conf but it seems to only pick one of the ports
15:31 < thepuppynuts> so i was wondering if i can do local ip.ad.dr.es:3242 twice or something
15:34 < krzee> ips, you have 2 options
15:34 < krzee> ALL or 1
15:34 < krzee> for multiple ip:port, you need multiple instances of openvpn
15:34 < krzee> its on the wishlist tho
15:34 < krzee> !wishlist
15:34 < vpnHelper> krzee: "wishlist" is http://ovpnforum.com/viewforum.php?f=10 for the openvpn wishlist
15:35 < thepuppynuts> so how would i go about running multiple instances ?
15:35 < thepuppynuts> just copy the openvpn binary to something like openvpn1 or what
15:35 < krzee> no
15:36 < krzee> just need a second config
15:37 < thepuppynuts> oh
15:42 < thepuppynuts> so i have them both started
15:42 < thepuppynuts> one works
15:42 < thepuppynuts> the other doesnt
15:42 < thepuppynuts> i mean i guess i can connect to both (not at the same time) 
15:43 < thepuppynuts> but i can't get out on the internet on one
15:43 -!- gaet- [~doudou@2a01:e35:2431:71e0:225:ff:fef7:caa7] has joined ##openvpn
15:43 < krzee> they must use different subnets
15:43 < krzee> and you must nat both of them
15:43 < gaet-> hi !
15:44 < krzee> hai
15:44 < gaet-> I've a question about running openvpn (with the gui) in non admin mode on windows seven. I've done the work on XP with a modified openvpn-service but I wonder if there is a magic trick on seven.
15:44 < thepuppynuts> Wed Apr 28 16:44:27 2010 TCP/UDP: Incoming packet rejected from my.ip:4
15:44 < thepuppynuts> 43[2], expected peer address: 206.125.172.67:1194 (allow this incoming source ad
15:44 < thepuppynuts> dress/port by removing --remote or adding --float)
15:45 < thepuppynuts> oh
15:45 < krzee> lol
15:45 < gaet-> It's ok on Vista if the user is in the network administrator's group but it seems that it does not work on seven.
15:45 < krzee> gaet-, personally no idea but stick around im sure someone has a clue
15:45 < krzee> all i know bout that is:
15:45 < krzee> !factoids search noadmin
15:45 < vpnHelper> krzee: "win_noadmin" is (#1) http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows, or (#2) and http://article.gmane.org/gmane.network.openvpn.user/24873 for vista
15:47 < troy-> hey krzee 
15:47 < gaet-> krzee : thanks, the (#2) seems to be very interesting :-)
15:47 < krzee> hey
15:47 < krzee> np
15:49 -!- takamichi [~pri@95.211.4.12] has quit [Ping timeout: 276 seconds]
15:50 -!- takamichi [~pri@78.133.92.164] has joined ##openvpn
15:51 < thepuppynuts> sweet, thanks krzee i think i got it running
15:51 -!- fine [~lordnynex@otter.scoil.info] has joined ##openvpn
15:51 < fine> vpn2
15:51 -!- fine [~lordnynex@otter.scoil.info] has quit [Client Quit]
15:52 -!- fine [~lordnynex@ima.sleepingwolf.net] has joined ##openvpn
15:52 < fine> vpn1
15:52 < troy-> krzee: i'm using iptables masquerade but traceroute is broken
15:52 -!- blueboxthief [~None_of_y@83-71-8-221-dynamic.b-ras1.dbn.dublin.eircom.net] has joined ##openvpn
15:52 < thepuppynuts> but im still getting 
15:52 < thepuppynuts> Wed Apr 28 16:52:14 2010 TCP/UDP: Incoming packet rejected from 206.125.172.67:1
15:52 < thepuppynuts> 194[2], expected peer address: 206.125.172.66:443 (allow this incoming source ad
15:52 < thepuppynuts> dress/port by removing --remote or adding --float)
15:53 < gaet-> nice, i'm going to submit the trick to a windows guru and I will let you know... thanks again, bye !
15:53 -!- gaet- [~doudou@2a01:e35:2431:71e0:225:ff:fef7:caa7] has left ##openvpn []
15:54 < troy-> i keep getting TTL exceeded in tcpdump
15:54 -!- xemdetia [~exec-kula@adsl-99-135-37-190.dsl.wlfrct.sbcglobal.net] has joined ##openvpn
15:54 -!- coils [~lordnynex@ima.sleepingwolf.net] has joined ##openvpn
15:54 < coils> ping
15:54 < xemdetia> pong
15:54 -!- takamichi [~pri@78.133.92.164] has quit [Client Quit]
15:56 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
15:56 -!- fine [~lordnynex@ima.sleepingwolf.net] has quit [Ping timeout: 276 seconds]
15:57 -!- coils [~lordnynex@ima.sleepingwolf.net] has quit [Client Quit]
16:02 < krzee> troy-, can you ping the vpn ip?
16:03 < troy-> yep
16:03 < troy-> i can ping the internet over the vpn too
16:03 < troy-> when i traceroute i see the vpn ip and the destination but nothing inbetween
16:04 < Bushmills> that's good
16:04 < Bushmills> there *is* nothing in between
16:04 < troy-> yes there is 
16:04 < troy-> there is about 8 or so hops i'm missing
16:04 < Bushmills> not for the vpn tunnel
16:04 < troy-> correct.
16:04 < troy-> one second..
16:04 < Bushmills> meaning, "not for tunneled packets"
16:06 < krzee> right
16:06 < krzee> !vpn
16:06 < vpnHelper> krzee: "vpn" is http://openvpn.net/index.php/documentation/faq.html#tunnel-principal
16:06 < krzee> read that troy :)
16:06 < troy-> Bushmills: http://paste2.org/p/799336
16:07 < Bushmills> but that's not traffic through openvpn
16:07 < troy-> correct again
16:07 < Bushmills> vpn server and client are in the same subnet - what could there be between?
16:08 < troy-> i am saying after the tunnel i'm missing a bunch of hops
16:08 < krzee> troy-, thats unrelated to your vpn
16:08 < troy-> you are right
16:08 < troy-> but i still have the problem
16:08 < krzee> its someones firewall
16:08 < krzee> likely your ISPs
16:08 < krzee> i cant traceroute from 2 of my servers either
16:09 < krzee> by ISP i mean the one you tunnel through
16:19 < xemdetia> My question is, do you have to do any fancy routing to make a client-to-client connection? I can get a HTTP server serving client to client but another application I am working with isn't working.
16:20 < Bushmills> xemdetia: no
16:21 < Bushmills> (client to client as in openvpn client to openvpn client)
16:21 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 260 seconds]
16:22 < xemdetia> Bushmills: Thanks, but now I might have to get booze later.
16:22 < krzee> xemdetia, you just need the web server or whatever listening and serving on the VPN ip
16:22 < krzee> and:
16:22 < krzee> !c2c
16:22 < vpnHelper> krzee: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
16:22 < vpnHelper> krzee: behind other clients
16:23 < krzee> decide if you want that or not
16:23 < Bushmills> "postponed is not repealed" they say here
16:24 < xemdetia> krzee: My problem is that while I can ping, use a simple http server to get a connection client to client, I can't get this proprietary app to connect. I gave up on the routing rules for the moment but I just assume it's because it isn't listening on that port.
16:25 < krzee> are you sure your proprietary app operates on layer3?
16:25 < krzee> it might be layer2, thus requiring a bridge
16:25 < krzee> you should always use routed, UNLESS you need layer2 for a specific reason
16:25 < krzee> that app COULD be such a reason
16:26 < krzee> or maybe its not listening on the vpn ip
16:26 < krzee> netstat would show how it listens
16:26 < xemdetia> Nah it definitely is TCP, I've gotten it working over openvpn before, just in a different way.
16:26 < krzee> sniffing traffic would show how it communicates
16:29 < xemdetia> I mean am I just missing a step for routed VPN traffic? In the vpn conf I push the network and the specific host as separate routes, iptables accept input and forward... and then I should be cake right? I mean I can ping across the VPN and get the host's IP address to respond but nothing else on the foreign subnet.
16:30 < krzee> you shouldnt even need to push anything
16:30 < krzee> you didnt mention any LANs
16:31 < xemdetia> Yeah this is if I wanted to do it the proper way of a routed instead of patching it client-to-client. Client-to-client was the desparation attempt to just get something to work.
16:31 < krzee> !route
16:31 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:32 < krzee> client-to-client is something
16:32 < krzee> else
16:32 < krzee> !c2c
16:32 < vpnHelper> krzee: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
16:32 < vpnHelper> krzee: behind other clients
16:48 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined ##openvpn
17:00 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has joined ##openvpn
17:00 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
17:03 -!- brah [~asdofp@190.183.62.68] has joined ##openvpn
17:04 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
17:08 -!- darkdrgn2k [~darkdrgn2@bas2-toronto44-1242514693.dsl.bell.ca] has quit [Ping timeout: 264 seconds]
17:11 -!- openvpn [openvpn@atlantis.openvpn.org] has quit [Ping timeout: 276 seconds]
17:11 -!- openvpn [openvpn@atlantis.openvpn.org] has joined ##openvpn
17:12 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
17:17 -!- xemdetia [~exec-kula@adsl-99-135-37-190.dsl.wlfrct.sbcglobal.net] has quit [Quit: Lost terminal]
17:18 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 246 seconds]
17:22 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
18:03 -!- Saviq [~Saviq@sawicz.net] has joined ##openvpn
18:03 < Saviq> hi everyone, is it possible on one server to use either key/cert or user/pass auth?
18:04 < Saviq> or do I have to keep to one scheme?
18:05 < krzee> !authpass
18:05 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
18:40 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
18:41 -!- Jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Read error: Operation timed out]
19:01 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Read error: Connection reset by peer]
19:08 -!- zero-_ [~zero@noc.toile-libre.net] has quit [Read error: Connection reset by peer]
19:09 -!- Netsplit *.net <-> *.split quits: Rolybrau, atlantic, jpalmer
19:09 -!- zero-_ [~zero@noc.toile-libre.net] has joined ##openvpn
19:11 -!- Netsplit over, joins: jpalmer
19:18 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
19:18 -!- atlantic [~atlantic@hok.duf.hu] has joined ##openvpn
19:46 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
19:53 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
19:59 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:03 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Ping timeout: 265 seconds]
20:09 < theDoc> Anyone knows if iptables can be setup as an adaptive firewall?
20:10 < UdontKnow> well, however you can adapt it
20:10 < krzee> what do you mean
20:10 < UdontKnow> its a firewall, adaptiveness is up to you or something else
20:11 < UdontKnow> either get an opensource project for that, buy something or write your own -- to handle iptables
20:11 < krzee> theDoc, what are you trying to do?
20:14 < theDoc> krzee> Trying to port forward some stuff automatically upon client connection.
20:15 < krzee> openvpn client connecting?
20:15 < theDoc> Yep.
20:15 < krzee> --client-connect
20:15 < krzee> use a script to "adapt" iptables how you want it when clients connect :-p
20:17 < theDoc> I realized.
20:17 -!- Saviq [~Saviq@sawicz.net] has left ##openvpn []
20:20 -!- tjz [~pc@bb116-14-172-208.singnet.com.sg] has joined ##openvpn
20:20 -!- tjz [~pc@bb116-14-172-208.singnet.com.sg] has quit [Changing host]
20:20 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:24 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
21:00 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
21:01 -!- GiZme_ [~GiZme@ip169.edshus2.riksnet.nu] has joined ##openvpn
21:04 -!- GiZme [~GiZme@ip169.edshus2.riksnet.nu] has quit [Ping timeout: 258 seconds]
21:33 -!- Cvele [~cveks@93.86.228.73] has quit [Ping timeout: 246 seconds]
23:11 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has left ##openvpn ["Leaving"]
23:14 -!- plaerzen [~carpe@vip1.tundraeng.com] has quit [Disconnected by services]
23:14 -!- carpe_ [~carpe@vip1.tundraeng.com] has joined ##openvpn
23:26 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
23:38 -!- Sumdude [~fsff1@modemcable193.101-56-74.mc.videotron.ca] has joined ##openvpn
23:44 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 245 seconds]
--- Day changed Thu Apr 29 2010
00:22 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
00:41 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 258 seconds]
00:47 -!- Lilarcor [~Lilarcor@ip70-187-168-252.oc.oc.cox.net] has joined ##openvpn
01:06 -!- Lilarcor [~Lilarcor@ip70-187-168-252.oc.oc.cox.net] has left ##openvpn []
01:14 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
01:15 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:15 -!- mode/##openvpn [+o mattock] by ChanServ
01:21 -!- HyperZid [~sanderj@195.204.103.72] has joined ##openvpn
01:35 -!- dazo_h [~dazo@ip4-83-240-69-215.cust.nbox.cz] has joined ##openvpn
01:40 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
01:46 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
01:51 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
02:00 -!- AntoineBk [~Antoine@188.165.75.17] has quit [Remote host closed the connection]
02:05 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
02:26 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Quit: coin]
02:28 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined ##openvpn
02:39 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
02:45 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
03:04 -!- dazo_afk is now known as dazo
03:04 -!- dazo_h [~dazo@ip4-83-240-69-215.cust.nbox.cz] has quit [Quit: Leaving]
--- Log opened Thu Apr 29 12:31:08 2010
12:31 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
12:31 -!- Irssi: ##openvpn: Total of 98 nicks [2 ops, 0 halfops, 1 voices, 95 normal]
12:31 -!- Irssi: Join to ##openvpn was synced in 27 secs
12:31 < phantomcircuit> alright both client.crt and server.crt are pass the verification test
12:32 < krzee> Apr 29 02:09:26 covertinferno openvpn[3779]: 10.45.134.121:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:1408E098:SSL routines:SSL3_GET_MESSAGE:excessive message size
12:33 < phantomcircuit> yeah that's off
--- Log closed Thu Apr 29 12:34:20 2010
--- Log opened Thu Apr 29 12:34:30 2010
12:34 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
12:34 -!- Irssi: ##openvpn: Total of 98 nicks [2 ops, 0 halfops, 1 voices, 95 normal]
12:34 -!- ecrist_mac [~ecrist@pdpc/supporter/professional/ecrist] has left ##openvpn []
12:34 -!- Irssi: Join to ##openvpn was synced in 31 secs
12:35 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
--- Log closed Thu Apr 29 12:35:13 2010
--- Log opened Thu Apr 29 12:35:21 2010
12:35 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
12:35 -!- Irssi: ##openvpn: Total of 98 nicks [2 ops, 0 halfops, 1 voices, 95 normal]
12:35 -!- Irssi: Join to ##openvpn was synced in 34 secs
12:37 < krzee> how big is your keysize?
12:38 < phantomcircuit> what's the maximum size?
12:38 < krzee> and have you finished upgrading to 2.1.1?
12:38 < krzee> why ask a question with a question in a help channel?
12:38 < krzee> how big is your keysize?
12:39 < phantomcircuit> 8192
12:39 < krzee> there ya go
12:40 -!- caution [~caution@unaffiliated/caution] has joined ##openvpn
12:40 < phantomcircuit> so you know what the maximum size is?
12:40 < krzee> regen them, try 4096
12:40 < krzee> ive used 4096
12:40 < krzee> then again i also dont run RC code which has known bugs
12:40 < caution> I get "Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv" even though I'm using "ip-win32 manual". Everything works but I don't like that warning.
12:41 < vpnHelper> Title: FAQ (at openvpn.net)
12:41 < phantomcircuit> well this is the stable version gentoo runs, i believe that it's patched
12:41 < krzee> its not
12:41 < krzee> if it was patched to be 2.1.1 it would be 2.1.1
12:41 < krzee> lol
12:41 < krzee> just compile from source if your distro cant figure out how to be up to date
12:41 < krzee> !download
12:41 < vpnHelper> krzee: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) see !gui for more information for Windows clients.
12:42 < phantomcircuit> yes i can install a newer version from portage if i want
12:42 < krzee> then do it!
12:43 < phantomcircuit> ima check something first
12:44 < phantomcircuit> interesting 2.1.1 is not in portage at all, not even masked as unstable
12:44 < krzee> rc* is "unstable"
12:44 < krzee> as its a RC
12:44 < krzee> 2.1.1 is stable
12:44 < krzee> first real stable since 2.0.9 really
12:44 < krzee> (2.1 was too, but had a lil bug)
12:45 < krzee> but distros used rc, and rightly so, since 2.0.9 was so old
12:45 < phantomcircuit> yeah im aware that it's a release candidate
12:45 < krzee> of course now that a real stable exists, they should upgrade
12:46 < krzee> as should you ;]
12:46 < phantomcircuit> oh wow 2.1.1 is from december? jeez gentoo is behind the times on this one
12:47 -!- plaerzen [~carpe@vip1.tundraeng.com] has quit [Remote host closed the connection]
12:51 < phantomcircuit> well while that's compiling
12:51 < phantomcircuit> do you know what the actual maximum is?
12:52 < krzee> nope but i know ive used 4096
12:52  * ecrist finally has irssi setup to autoconnect and layout all his windows automatically
12:52 < phantomcircuit> well then that's the maximum since rsa keys in openssl only work as powers of 2
12:59 -!- caution [~caution@unaffiliated/caution] has quit [Read error: Connection reset by peer]
13:05 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
13:05 < WormFood> fuck me! What a stupid cunt! She does something wrong, to get my VPN blocked (I have no idea what), then blames ME for her problems. I call the company, and they say they can't help because she is not a paying customer. The web site gets horrible reviews as being a scam, but she does not care, she just wants it to work. Someone shoot me!
13:05 < n5> hello, I'm getting error on startin openvpn - http://pastebin.com/uXyQzedF
13:05 < n5> any help?
13:06  * krzee shoots WormFood 
13:06 < phantomcircuit> n5, you don't have permission to bind to ports < 1024 (only root does)
13:06 < n5> on another server works fine, on new install of centos nop
13:06 < phantomcircuit> n5, either change the port number or get root
13:06 < n5> its from root
13:06 < WormFood> ScentOS stinks....SentOS should be sent away....and CentOS isn't worth a cent.
13:07 < krzee> phantomcircuit, you must ALWAYS have root to use openvpn
13:07 < krzee> n5, 
13:07 < krzee> !configs
13:07 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
13:07 < phantomcircuit> possibly you already have something listening on that port
13:08 < n5> http://pastebin.com/k1m2YFJx
13:08 < n5> its with config
13:08 < phantomcircuit> krzee, openvpn needs root to create the tun/tap device right (and probably to read the tls files)
13:09 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
13:09 < krzee> and adding routes
13:10 < krzee> umm
13:10 < krzee> that config sucks
13:10 < krzee> that error was on a client?
13:11 < krzee> if so, add nobind
13:12 < n5> krzee to config file?
13:12 < phantomcircuit> krzee, well so then root isnt strictly necessary, you can use SElinux or the POSIX file capabilities stuff
13:13 < krzee> phantomcircuit, *shrug* ok
13:13 < n5> ok works fine with nobind
13:14 < n5> so what i'm loosing without bind?
13:14 < krzee> read the manual
13:14 < krzee> !man
13:14 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
13:14 < n5> right
13:23 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
13:26 < phantomcircuit> krzee, thanks for the help, it's odd that openssl supports 8192bit keys but openvpn does not, the crypto in openvpn is based on openssl right?
13:26 < krzee> yes openssl handles the encryption
13:26 < krzee> however, openvpn handles the messages back and forth
13:26 < krzee> seems thats where it runs into the problem based on the error
13:27 < phantomcircuit> weird the udp packets where all much smaller than the 65507 maximum (like 142 bytes)
13:27 < phantomcircuit> whatever
13:27 < phantomcircuit> 4096 should keep me safe longer than i'll live
13:28 < krzee> ya its safe to say you're using stronger encryption than many governments ;]
13:28 < krzee> consider using this too
13:28 < krzee> !mitm
13:28 < vpnHelper> krzee: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
13:31 < phantomcircuit> krzee, im using tls-auth
13:31 < phantomcircuit> and im the only user
13:31 < phantomcircuit> so for now that's not really relevant
13:31 < phantomcircuit> and i guess using tls is a bit much
13:31 < phantomcircuit> :P
13:31 < phantomcircuit> darn
13:31 < phantomcircuit> i screwed up the routing
13:34 < krzee> tls-auth is for HMAC sigs
13:34 < krzee> what i gave above is for stopping man in the middle attacks
13:35 < phantomcircuit> yes but how can you run a mitm if you cannot create an hmac?
13:37 < krzee> by using your hmac and your cert against you
13:37 < krzee> but its cool, do whatever you like
13:38 < krzee> im just suggesting it because you wanted 8192 keysize ;]
13:38 < krzee> which led me to think you wanna do anything you can to secure the vpn
13:39 < phantomcircuit> the secret key file is well secret
13:39 < krzee> cool
13:39  * krzee kills the subject
13:39 < phantomcircuit> at least for right now while i fix the routing :P
13:40 < phantomcircuit> oh and i did set the usage fields in server.crt correctly
13:42 < krzee> then its only a 1 line mod to your client config
13:42 < krzee> (i figured you did, since you mentioned using easy-rsa)
13:42 -!- phantomcircuit [~phantomci@adsl-99-37-226-248.dsl.pltn13.sbcglobal.net] has quit [Quit: Leaving]
13:54 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
13:54 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Quit: Távozom]
14:01 -!- krzee [~k@unaffiliated/krzee] has quit [Quit: Leaving]
14:10 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X]
14:18 < krzie> !wishlist
14:18 < vpnHelper> krzie: "wishlist" is http://ovpnforum.com/viewforum.php?f=10 for the openvpn wishlist
14:20 -!- plaerzen [~carpe@vip1.tundraeng.com] has joined ##openvpn
14:27 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
14:40 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Quit: leaving]
14:41 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
15:07 -!- zorzar_ [~zz@p5DC1FE50.dip.t-dialin.net] has joined ##openvpn
15:10 -!- zorzar [~zz@p5DC1F7EC.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
15:11 -!- zorzar_ is now known as zorzar
15:28 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Read error: Connection reset by peer]
15:28 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
15:37 -!- plaerzen [~carpe@vip1.tundraeng.com] has left ##openvpn ["Leaving"]
15:40 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Read error: Connection reset by peer]
15:45 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
15:50 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:51 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has quit [Remote host closed the connection]
16:08 < jpalmer> bleh.  can't get openvpn to start from init.d ona ubuntu machine.  works fine on the command line.   added a log line to the config, still no info.
16:09 < jpalmer> I assume it's an env variable,  but I don't see any logs that I can use to track it down.  oddly,  it's like it's ignoring the log directive (or, maybe not calling the .conf at all?)
16:11 < zoredache> so when you do a invoke-rc.d openvpn start you don't see a note about yoru vpn being started?
16:12 < zoredache> have you looked at /etc/default/openvpn?  Maybe you have it set to not start any vpns?
16:12 < jpalmer> yeah.  openvpn is mentioned.  but doesn't start.  as I mentioned - no logs.
16:13 < zoredache> not openvpn generally, I mean does it say that your configuration has been starte?
16:14 < jpalmer> # invoke-rc.d openvpn start
16:14 < jpalmer>  * Starting virtual private network daemon(s)...
16:14 < jpalmer> then back to a prompt
16:15 < zoredache> so if you have a /etc/openvpn/blah.conf it should say Stopping virtual private network daemon: blah.
16:15 < zoredache> Starting rather
16:15 < jpalmer> oh lord.  I named it .cnf 
16:15 < jpalmer> thanks.
16:17 -!- SkyLIVE [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
16:20 -!- dazo is now known as dazo_afk
16:51 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
16:56 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:19 -!- takamichi [~pri@95.211.4.12] has quit [Ping timeout: 276 seconds]
17:19 -!- takamichi [~pri@78.133.92.164] has joined ##openvpn
17:37 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Connection reset by peer]
17:37 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
17:42 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
17:51 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 240 seconds]
17:56 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
18:12 -!- blueboxthief [~None_of_y@83-71-8-221-dynamic.b-ras1.dbn.dublin.eircom.net] has quit [Quit: Leaving.]
18:46 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
18:49 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
19:15 -!- Someguy [~user@cpc2-dund12-2-0-cust171.sgyl.cable.virginmedia.com] has joined ##openvpn
19:15 < Someguy> !welcome
19:15 < vpnHelper> Someguy: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:16 < Someguy> !goal
19:16 < vpnHelper> Someguy: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:18 < Someguy> Hi, I have a working vpn through which I can access the lan behind my server, I'd like to enable auto-discovery of upnp services running on the lan over the vpn which I think requires broadcast traffic to work. Is that possible, and if sow, how would I set it up?
19:19 < Someguy> s/sow/so
19:29 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Quit: Leaving.]
19:34 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
20:04 -!- theDoc [~jaki@119.73.165.162] has joined ##openvpn
20:05 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 260 seconds]
20:08 -!- theDoc [~jaki@119.73.165.162] has quit [Ping timeout: 260 seconds]
20:08 -!- theDoc [~jaki@69.10.59.166] has joined ##openvpn
20:18 < Bushmills> !tap
20:18 < vpnHelper> Bushmills: "tap" is "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming,
20:18 < vpnHelper> Bushmills: anything where the protocol uses MAC addresses instead of IP addresses.
20:28 -!- Someguy [~user@cpc2-dund12-2-0-cust171.sgyl.cable.virginmedia.com] has quit [Remote host closed the connection]
20:33 -!- theDoc [~jaki@69.10.59.166] has quit [Changing host]
20:33 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
21:06 -!- tjz [~pc@bb116-14-172-208.singnet.com.sg] has joined ##openvpn
21:06 -!- tjz [~pc@bb116-14-172-208.singnet.com.sg] has quit [Changing host]
21:06 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
21:18 -!- invis- [~invis@67.159.28.235] has joined ##openvpn
21:18 -!- invis- [~invis@67.159.28.235] has quit [Client Quit]
21:19 -!- y0tta [~y0tta@67.159.28.235] has joined ##openvpn
21:34 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has quit [Ping timeout: 252 seconds]
21:51 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
21:51 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
21:52 -!- AndyML is now known as AwayML
22:18 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
22:54 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
23:07 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:14 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
23:25 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
--- Day changed Fri Apr 30 2010
00:13 -!- corretico_ [~laguilar@201.201.46.106] has joined ##openvpn
00:15 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 246 seconds]
00:16 -!- Omancho [~Omancho@ip70-187-168-252.oc.oc.cox.net] has joined ##openvpn
01:16 -!- y0tta [~y0tta@67.159.28.235] has quit [Ping timeout: 260 seconds]
01:19 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 276 seconds]
01:19 -!- tjz_ [~pc@bb116-14-172-208.singnet.com.sg] has joined ##openvpn
01:34 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
01:34 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
01:41 -!- screenn [~screenn@77.222.135.254] has quit [Ping timeout: 260 seconds]
01:51 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
02:07 -!- krzie [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
02:12 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:13 -!- mode/##openvpn [+o mattock] by ChanServ
02:17 -!- SkyLIVE [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
02:21 -!- micw [~micw@p50992bfa.dip0.t-ipconnect.de] has joined ##openvpn
02:21 < micw> hi
02:22 < micw> i have an openvpn server running on ubuntu where ip persist not work. i run for testing on command line with --ifconfig-pool-persist ip_pool.txt
02:22 < micw> (i also tried with --ifconfig-pool-persist ip_pool.txt 5 which should save the file every 5 seconds
02:22 < micw> but everytime i restart my client, it get a new ip
02:23 < micw> on all my other servers (gentoo) it works
02:24 < micw> the divverence is that on ubuntu is 2.1_rc7 while on gento rund rc15
02:35 -!- dazo_afk is now known as dazo
03:15 -!- Omancho [~Omancho@ip70-187-168-252.oc.oc.cox.net] has quit [Quit: The Lord of Murder Shall Perish.]
03:28 -!- screenn [~screenn@77.222.135.254] has joined ##openvpn
03:28 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
04:18 -!- micw [~micw@p50992bfa.dip0.t-ipconnect.de] has quit [Quit: Verlassend]
04:45 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
04:52 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Remote host closed the connection]
04:53 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
05:06 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 265 seconds]
05:11 < WormFood> ok, teamviewerQS (Quick Support) does not uninstall itself (well, it does not install itself per se, but it does not delete itself) when it is finished running....I saw reference to remote control software that does do that...does anyone know what that is?
05:11 < WormFood> d'oh, wrong channel
05:12 < WormFood> of course, if anyone knows what I'm talking about, feel free to answer ;)
05:12 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
05:35 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 268 seconds]
05:42 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
05:47 < meepmeep> the "push route X.X.X.X X.XX.X" is made to help the client to reach private subnet behind the server, or private subnet on the client ?
05:47 < meepmeep> (my client is connected to 2 private subnet 10.9.0.0 & 192.168.1.0)
05:47 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: Connection reset by peer]
06:03 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has quit [Remote host closed the connection]
06:05 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
06:07 -!- Young_Luck [~chatzilla@187.4.35.4] has joined ##openvpn
06:15 -!- reg9009 [~chatzilla@ip-94-79-162-2.unitymediagroup.de] has joined ##openvpn
06:16 -!- reg9009 [~chatzilla@ip-94-79-162-2.unitymediagroup.de] has left ##openvpn []
06:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:32 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
06:32 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:38 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:42 -!- screenn [~screenn@77.222.135.254] has quit [Ping timeout: 260 seconds]
06:44 -!- screenn [~screenn@77.222.135.254] has joined ##openvpn
06:55 -!- Young_Luck [~chatzilla@187.4.35.4] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100402184117]]
06:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
06:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:00 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
07:06 -!- screenn [~screenn@77.222.135.254] has quit [Ping timeout: 276 seconds]
07:18 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
07:29 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
07:34 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
07:36 -!- macsppadic [~sonupunno@88.211.55.77] has left ##openvpn []
07:53 -!- SkyLIVE [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
08:14 -!- edit_21 [~Who@unaffiliated/edit21/x-00000001] has joined ##openvpn
08:14 < edit_21> hi all
08:15 < edit_21> error 3 at 0 depth lookup:unable to get certificate CRL keep getting this when trying to revoke access
08:15 < edit_21> could anyone help ?
08:16 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
08:16 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
08:22 -!- y0tta [~y0tta@ip12.208-100-1.static.steadfast.net] has joined ##openvpn
08:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
08:29 -!- screenn [~screenn@77.222.135.254] has joined ##openvpn
08:32 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 246 seconds]
08:39 -!- corretico_ [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
09:04 < ecrist> edit_21: seems pretty straight-forward to me.
09:14 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
09:19 -!- squidly [~squidly@HoodLUG/member/squidly] has joined ##openvpn
09:19 -!- MadTBone [~MadTBone@160.39.238.196] has joined ##openvpn
09:19 -!- Blues-Man [~bluesman@host53-119-dynamic.246-95-r.retail.telecomitalia.it] has joined ##openvpn
09:19 < squidly> !welcome
09:19 < vpnHelper> squidly: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:20 < squidly> ~/30
09:20 < squidly> !/30
09:20 < vpnHelper> squidly: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
09:20 < squidly> !topology
09:20 < vpnHelper> squidly: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
09:24 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Ping timeout: 258 seconds]
09:35 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
09:36 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
09:37 -!- simNIX [~simNIX@156-60.bbned.dsl.internl.net] has joined ##openvpn
09:42 < simNIX> hello. I'm planing a setup with 3 routers each runnig a full openvpn server (in bridged mode). Then I would like each of the 3 routers to conect to all 3 vpn servers. This to have direct encrypted link from each router to each router over one backbone subnet/nic/switch. This is firstof to get a encrypted link between each router directly even if eather one of the 3 fails 
09:44 < simNIX> is this as simple as creating 3 bridge interfaces of each box and running 3 instances of openvpn; 2 to connect as clients to the other 2 routers and one to run the openvpn server for that box and then setup correct multipath routing ?
09:44 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
09:45 < simNIX> or is there a better way mabe or hurdles I don't see yet ?
09:46 < simNIX> *to all 3 vpn servers. should read; to all 2 other vpn server
09:58 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
10:12 -!- screenn [~screenn@77.222.135.254] has quit [Quit: Leaving]
10:14 < Bushmills> openvpn server can't connect to openvpn server
10:14 < Bushmills> openvpn client can connect to openvpn server
10:14 < theDoc> Someone has to be a client.
10:14 < theDoc> Then do a LAN behind LAN and some clever routing?
10:15 < Bushmills> but one router can be one server and two clients at the same time
10:16 < Bushmills> even better, a client can connect to one server in a list of servers
10:16 < Bushmills> if one server fails, it tries the next
10:19 < simNIX> I shall try to clarify; Im asking can I have 1 pc that runs openvpn in (server mode) on tap0 have at the same time a tap1 on which another openvpn instance/config controls/is running as a client to another openvpn server?
10:20 < Bushmills> yes
10:20 < simNIX> ty - ill also keep in mind you ; if one is down connect to 2
10:20 < simNIX> apreciated
10:20 < Bushmills> that would be this scenario: "but one router can be one server and two clients at the same time"
10:20 < Bushmills> just replace router against pc.  and drop one client.
10:21 < simNIX> cool piece of kit - )
10:21 < simNIX> (openvpn)
10:41 -!- tjz_ [~pc@bb116-14-172-208.singnet.com.sg] has quit [Quit: bbl.]
10:42 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
10:51 -!- dazo is now known as dazo_afk
10:51 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
11:05 -!- WormFood [~wormfood@121.34.202.45] has quit [Ping timeout: 245 seconds]
11:08 -!- AwayML is now known as AndyML
11:15 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 252 seconds]
11:17 -!- WormFood [~wormfood@121.34.164.224] has joined ##openvpn
11:35 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:55 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Read error: Operation timed out]
11:57 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined ##openvpn
12:34 -!- Blues-Man [~bluesman@host53-119-dynamic.246-95-r.retail.telecomitalia.it] has quit [Quit: Sto andando via]
12:46 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:52 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
12:52 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
12:58 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 240 seconds]
13:00 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
13:04 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
13:04 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
13:26 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
13:50 -!- brah [~asdofp@190.183.62.68] has quit [Remote host closed the connection]
13:53 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
13:53 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
13:55 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
13:55 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
14:01 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Ping timeout: 252 seconds]
14:14 -!- edit_21 [~Who@unaffiliated/edit21/x-00000001] has left ##openvpn ["Leaving"]
14:27 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has joined ##openvpn
14:38 -!- Error404NotFound [~Eror404@unaffiliated/error404notfound] has quit [Read error: Connection reset by peer]
14:41 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
14:58 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
15:07 -!- zorzar_ [~zz@p4FFD131A.dip.t-dialin.net] has joined ##openvpn
15:10 -!- zorzar [~zz@p5DC1FE50.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
15:18 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
15:32 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
15:48 -!- matthias2 [~hans@84.19.169.170] has joined ##openvpn
15:52 < matthias2> Hello. I'm using Cyberghost VPN Service, which is actually based on OpenVPN. I just have one question: When Cyberghost has successfully connected, Netlimiter shows, that for example XChat does also use bandwith, not only OpenVPN. Does this mean, that I'm not connecting "anonymous"?
15:53 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
15:54 < jpalmer> not sure what netlimiter is,  but there is no anonymous with openvpn.  by the nature of SSL, your key is identifiable.
15:55 < matthias2> netlimiter is a traffic monitoring tool
15:55 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Client Quit]
15:55 < matthias2> I just want to know if really 100% of my traffic is running through OpenVPN if running
15:56 < jpalmer> ok well..   heres the important part.
15:56 < jpalmer> the client can generally be configured to either use the remote VPN endpoint as it's default gateway,  or not.
15:57 < jpalmer> IF it's configured as the default gateway,  all traffic from your machine is tunneled over the VPN, encrypted (at least until the remote endpoint)   
15:57 < zoredache> use wireshark/tcpdump and watch
15:57 < jpalmer> If not,  then the only traffic that is encrypted, is that which is destined for the remote endpoint
15:58 < jpalmer> by the fact that you can see it in this monitoring tool,  I would assume (key word, assume) that you are not tunneling everything.
15:58 < zoredache> jpalmer: even if it is a default gateway some traffic may not cross the vpn.  For example if you have a proxy configured in your browser and the proxy lives on the local network
15:58 < matthias2> but why does netlimiter show connections and traffic of xchat if openvpn is running? http://checkip.dyndns.org shows the IP of my VPN
15:58 < vpnHelper> Title: Current IP Check (at checkip.dyndns.org)
15:59 < jpalmer> zoredache: remote proxies and such are a valid concern.  yes.
15:59 -!- zorzar_ is now known as zorzar
16:02 < Fiouz> matthias2: because you are running xchat
16:03 < Fiouz> what's the point of having a VPN if you don't want to actually run another program to benefit from the VPN?
16:03 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has joined ##openvpn
16:04 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:10 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 276 seconds]
16:11 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Quit: Leaving]
16:14 < matthias2> Fiouz, I mean this: http://img42.imageshack.us/img42/8369/vpn.png
16:15 < matthias2> Why does OpenVPN AND Xchat show traffic?
16:15 < Fiouz> what you don't get is that a VPN doesn't hide connections from the OS running the actual processes
16:15 < Bushmills> "IF it's configured as the default gateway,  all traffic from your machine is tunneled" with one exception:  traffic to the interface of machine which runs openvpn server is not tunneled. unless you direct that traffic to the server's vpn address. 
16:16 < Fiouz> a VPN operates at the network layer, not the process layer
16:16 < zoredache> matthias2: ti depends completely on how that application works
16:16 < matthias2> Ah now it's all clear
16:17 < zoredache> does netlimitr monitor a specific interface or all network traffic?
16:17 < matthias2> All
16:17 < zoredache> wireshark would give you a better view of exactly what is going on
16:17 < zoredache> you can pick a specific interface to monitor
16:19 < Bushmills> blocking all outgoing traffic on client which is not with destination, port and protocol of openvpn server is a simple way to make sure no traffic is sent around openvpn  
16:20 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
16:21 -!- matthias2 [~hans@84.19.169.170] has quit [Read error: Connection reset by peer]
16:35 < Bushmills> seems to have worked
17:13 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
17:26 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 248 seconds]
17:26 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
18:42 -!- tjz [~pc@bb116-14-172-208.singnet.com.sg] has joined ##openvpn
18:42 -!- tjz [~pc@bb116-14-172-208.singnet.com.sg] has quit [Changing host]
18:42 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
18:55 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has quit [Quit: Leaving.]
18:56 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
19:14 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
20:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
20:40 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
20:43 -!- rawDawg [~rawDawg@cpe-76-189-164-252.neo.res.rr.com] has joined ##openvpn
21:07 -!- simNIX [~simNIX@156-60.bbned.dsl.internl.net] has quit [Quit: Ik ga weg]
21:38 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
21:43 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
22:42 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Read error: Connection reset by peer]
22:48 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
23:07 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
23:36 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:37 -!- rawDawg [~rawDawg@cpe-76-189-164-252.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
--- Day changed Sat May 01 2010
00:16 -!- takamichi [~pri@78.133.92.164] has quit [Ping timeout: 264 seconds]
00:17 -!- takamichi [~pri@78.133.92.164] has joined ##openvpn
00:30 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
02:34 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Quit: Leaving]
03:13 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
03:13 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
03:17 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
03:17 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
03:29 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
03:29 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
03:40 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
03:40 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
03:40 -!- zheng [~zheng@114.92.136.154] has joined ##openvpn
03:42 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
03:42 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
03:45 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
03:46 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
03:50 -!- zheng [~zheng@114.92.136.154] has quit [Quit: Leaving]
05:03 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
05:31 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Remote host closed the connection]
05:31 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
05:36 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
05:36 -!- mode/##openvpn [+o mattock] by ChanServ
07:01 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
07:01 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
07:26 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 252 seconds]
07:27 -!- KaiForce [~chatzilla@adsl-70-228-91-140.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
09:32 -!- flok420 [folkert@keetweej.vanheusden.com] has quit [Excess Flood]
09:32 -!- flok420 [folkert@keetweej.vanheusden.com] has joined ##openvpn
09:49 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
09:49 -!- krzee [nobody@unaffiliated/krzee] has quit [Remote host closed the connection]
09:55 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
10:01 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:16 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Quit: Quitte]
10:17 -!- sryder [~sryder@113.81.70.115.static.exetel.com.au] has joined ##openvpn
10:20 < sryder> hi
10:21 < hyper_ch> hi krzee
10:25 < krzee> hey
10:26 < hyper_ch> should have some results tomorrow :)
10:26 < krzee> sweet!
10:26 < hyper_ch> :)
10:36 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
10:36 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
10:39 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
11:03 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
11:05 -!- WormFood [~wormfood@121.34.164.224] has quit [Ping timeout: 246 seconds]
11:16 < hyper_ch> yey, it's doctor who day :)
11:17 -!- WormFood [~wormfood@121.35.146.188] has joined ##openvpn
11:32 -!- sryder [~sryder@113.81.70.115.static.exetel.com.au] has quit [Ping timeout: 246 seconds]
11:35 -!- sryder [~sryder@113.81.70.115.static.exetel.com.au] has joined ##openvpn
11:48 -!- sryder [~sryder@113.81.70.115.static.exetel.com.au] has left ##openvpn ["WeeChat 0.2.6.3"]
11:49 -!- frankS2 [frank@188.113.119.245] has joined ##openvpn
11:49 < frankS2> !welcome
11:49 < vpnHelper> frankS2: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:49 < frankS2> !configs
11:49 < vpnHelper> frankS2: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
11:58 < frankS2> hello; id like that my openvpn clients should have access to my internal network 10.0.0.1/24 this is my confikg file http://pastie.org/941632
11:58 < frankS2> does nayone see anything thats wrong?
11:59 < krzee> is ip forwarding enabled?
11:59 < krzee> oh wow
11:59 < frankS2> yes krzee 
11:59 < frankS2> this is on my linux based router
12:00 < krzee> theres a lot wrong
12:00 < krzee> its basically better to start over than fix that
12:00 < krzee> !sample
12:00 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
12:00 < krzee> use my server config
12:00 < krzee> only add this to my server config
12:01 < krzee> push "route 10.0.0.0 255.255.255.0" #route to company network
12:01 < frankS2> aha
12:01 < krzee> of course change the path to certs
12:02 < krzee> you can add these too:
12:02 < krzee> push "dhcp-option DOMAIN cmtx.net"  #push the DNS domain suffix
12:02 < krzee> push "dhcp-option DNS 10.0.0.42"  #push DNS entries to client
12:06 < frankS2> great krzee :) thank you so much
12:06 < krzee> yw
12:07 < frankS2> and for creating another client key is it good enough to ./build-key client2 in my easy-rsa dir?
12:07 < krzee> yup, after sourceing your vars again
12:07 < krzee> as shown in the howto :)
12:07 < frankS2> okey, thanks
12:08 < krzee> of course if vars was already sourced in that terminal, dont hafta do it again
12:08 < krzee> but if its a new terminal, gotta source them
12:08 < krzee> thats what the extra . does
12:08 < krzee> in    . ./vars
12:09 < frankS2> yep
12:09 < krzee> cool =]
12:10 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
12:11 < n0sq> i've been trying to setup openvpn using the instructions at http://people.mandriva.com/~ybourhis/openvpn/index.html#Client_Configuration but the server fails to start and i don't see any error messages in dmesg or the logs
12:11 < vpnHelper> Title: Open-VPN HowTo (at people.mandriva.com)
12:12 < krzee> i dont care to read another lame howto
12:12 < krzee> lets do this instead...
12:12 < krzee> !goal
12:12 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:13 < frankS2> krzee: if id like to allow my vpn clients to access the internet too, how?
12:13 < krzee> !redirect
12:13 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:13 < frankS2> !def1
12:14 < vpnHelper> frankS2: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
12:14 < n0sq> krzee: i want to be able to have a vpn connection from my hotel to my network 
12:15 < krzee> n0sq, so:   "I would like to access the lan behind the server"
12:15 < krzee> right?
12:15 < n0sq> sounds right
12:15 < krzee> !sample
12:15 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
12:16 < krzee> and in server config, push "route 10.0.0.0 255.255.255.0"   (assuming your lan behind server is 10.0.0.0/24)
12:16 < krzee> then, if your server is not the router for its lan, see this:
12:16 < krzee> !route
12:16 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:16 < krzee> section: ROUTES TO ADD OUTSIDE OPENVPN
12:16 < krzee> also explained in this picture:
12:16 < krzee> !factoids search outside
12:16 < vpnHelper> krzee: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
12:17 < n0sq> i guess i'll just stick with ssh connections - i didn't want to spend hours researching how to do this
12:17 < krzee> i just handed it to you
12:17 < krzee> lol
12:17 < krzee> but go ahead and use ssh *shrug*
12:18 < krzee> you're lucky you werent trying to do this a couple yrs ago before this channel was active, lol
12:18 < krzee> i read docs for a couple days before my first setup worked
12:18 < krzee> now theres a ton of people in here helping people
12:19 < rob0> I'm not quite a ton yet, but I've got a cake out there in the kitchen.
12:20  * krzee mounts /dev/rob0
12:20 < krzee> lol
12:21 < krzee> mount: /dev/rob0: unknown special file or file system
12:21 < krzee> i guess freebsd doesnt support you
12:22 < n0sq> rob0: come on over for chocolate chocolate cupcakes
12:23 < rob0> Hmm, I thought there was a BSD rob0 driver.
12:24 < n0sq> ok, i'll put a little more effort in getting vpn going. i tried using the cli & webmin to configure it but i can't get the server to start and webmin won't save the configuration that i created with it
12:25 < n0sq> time to go eat my cupcake first
12:30 < krzee> rob0, maybe i need to compile you into my kernel
12:52 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
13:17 -!- shift- [~shift@bzq-79-178-54-156.red.bezeqint.net] has joined ##openvpn
13:45 < shift-> I'm having problems with openvpn server log shows : http://zpaste.org/27184 ( failed TLS authentication) and so does the client ( http://zpaste.org/27185 ) anyone got a clue why ?
14:23 -!- frankS2 [frank@188.113.119.245] has quit [Ping timeout: 264 seconds]
14:28 < krzee> !certverify
14:28 < vpnHelper> krzee: "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
14:29 < krzee> make sure you have full paths to all files referenced in your config
14:29 < krzee> or a cd /path/to/files before referencing them
14:44 -!- Omancho [~Omancho@ip70-187-168-252.oc.oc.cox.net] has joined ##openvpn
14:47 -!- Omancho [~Omancho@ip70-187-168-252.oc.oc.cox.net] has quit [Client Quit]
14:49 < shift-> krzee: the user created his own certs, and so did I. How can we both sign them together ? 
14:49 < shift-> (Should the server sign the client certs?)
14:49 < krzee> the CA signs both
14:50 < krzee> server and clients give their CSR to the CA
14:50 < krzee> CA signs both, gives them their CRT
14:50 < krzee> they never gave away their KEY
14:50 < krzee> your ca.key is the cornerstone of PKI
14:57 < shift-> Ah, I see.
14:58 < shift-> I'm the server in this maze, how can I sign my client's .csr ? 
15:00 < krzee> the CA signs it
15:00 < krzee> !pki
15:00 < vpnHelper> krzee: Error: "pki" is not a valid command.
15:00  * krzee kicks vpnHelper 
15:01 < krzee> !google pki
15:01 < vpnHelper> krzee: Public key infrastructure - Wikipedia, the free encyclopedia: <http://en.wikipedia.org/wiki/Public_key_infrastructure>; PKI - Wikipedia, the free encyclopedia: <http://en.wikipedia.org/wiki/PKI>; Kings Island Theme Park - The Fun And Only! | Mason, OH: <http://www.visitkingsisland.com/>
15:01 < shift-> I'm the ca (I've created the ca.crt), how can I sign it ? using openssl ?
15:01 < krzee> once you understand how PKI works it will make sense
15:01 < krzee> do you use freebsd?
15:01 < shift-> Ubuntu
15:01 < krzee> use easy-rsa
15:07 -!- zorzar_ [~zz@p4FFD0C1D.dip.t-dialin.net] has joined ##openvpn
15:08 -!- shift- [~shift@bzq-79-178-54-156.red.bezeqint.net] has quit [Quit: Lost terminal]
15:09 < krzee> !linnat
15:09 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
15:10 -!- zorzar [~zz@p4FFD131A.dip.t-dialin.net] has quit [Ping timeout: 260 seconds]
15:19 -!- SkyLIVE [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
15:23 -!- zorzar_ is now known as zorzar
15:41 -!- y0tta [~y0tta@ip12.208-100-1.static.steadfast.net] has quit [Ping timeout: 248 seconds]
15:53 -!- SkyLIVE [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
16:00 -!- bandini [~bandini@host40-108-dynamic.41-79-r.retail.telecomitalia.it] has quit [Quit: Ex-Chat]
16:08 -!- EugeneKay [~EugeneKay@unaffiliated/eugenekay] has joined ##openvpn
16:08  * EugeneKay waves
16:16 < EugeneKay> I have two LANs that I'm trying to connect together. The server is on a 10.100.x.x, and the client is on a 192.168.x.x. Both are the gateway for their respective LANs. I can reach from behind the client's network out to the server's network, but not vice-versa.
16:17 < EugeneKay> IE, 192.168.100.37 can ping 10.100.0.96, but not the other way around.
16:17 < EugeneKay> I *think* what I need is an iptables MASQUERADE on the client's side to tell it what to do with the incoming traffic(backwards through the VPN), but I'm not sure.
16:19 < Fiouz> there should be no need for NAT, you just need routing
16:19 < EugeneKay> Well, I'm missing something. :-p
16:20 < EugeneKay> FWIW, 10.100.0.96 can ping 192.168.100.1, but not 192.168.100.37
16:20 < EugeneKay> .1 being the Client's internal network IP
16:20 < EugeneKay> Pretty sure the client is just not sending packets back out eth1 like it should be.
16:21 < EugeneKay> And yes, thinking about it, Masquerading would be wrong.
16:21 < Fiouz> did you run tcpdump on the OpenVPN interface?
16:21 < EugeneKay> No. Which interface? tun0 on the client?
16:22 < Fiouz> yep, and the server tun0 too would help figuring out where packets are lost
16:23 < EugeneKay> http://eugenekay.pastebin.com/EXCYM6qp
16:24 < EugeneKay> blackbeard is the name of the Client, eektop is 192.168.100.37
16:25 < EugeneKay> It looks like the pings are getting to the client, and it's forwarding them on to the internal network, but nothing is going back.
16:26 < EugeneKay> ....which may have something to do with the fact that Windows Firewall is enabled, and this dropping the pings. >_<
16:27  * EugeneKay headdesks
16:27 < EugeneKay> Thanks for showing me where to look, Fiouz. I got it. :-D
16:27 < Fiouz> glad I could help ;-)
16:28 < EugeneKay> I pinged a different box on the client's internal network, which IS accepting pings, and it worked like a charm.
16:29 < EugeneKay> It amuses me that the topic was right on this one.
16:29 < Fiouz> hehe
16:30 < EugeneKay> I had all the proper holes poked in it and all, too. Just not the right one.
16:48 < krzee> EugeneKay, 
16:48 < krzee> !route
16:48 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:48 < krzee> oh you got it
16:48 < krzee> nevermind
16:48 < EugeneKay> Yeah. And I think I have that bot on /ignore to boot
16:48 < EugeneKay> I had my routing right the first time. It was Windows Firewall :-p
16:48 < krzee> ahh, ill put you on my ignore then
16:49 < EugeneKay> Hey!
16:49 < EugeneKay> You're the guy that helped me get this set up to begin with.
16:49 < EugeneKay> :-p
16:49 < krzee> (likely by using my bot)
16:49 < EugeneKay> It was a typo in server.conf :-p
16:49 < krzee> prolly got your conf with !configs
16:49 < EugeneKay> Nope. Good old pastebinning.
16:50  * EugeneKay has a damn thang of a memory
16:50 < krzee> pastebin is how !configs tells you to do it, it also gives you a command for stripping comments (if its full of comments like the sample configs i wont look at it)
16:51 < Bushmills> !beer
16:51 < vpnHelper> Bushmills: Error: "beer" is not a valid command.
16:51 < Bushmills> hm
16:51 < krzee> !seen vpnhelper
16:51 < vpnHelper> krzee: I have not seen vpnhelper.
16:51 < krzee> !seen krzee
16:51 < vpnHelper> krzee: krzee was last seen in ##openvpn 9 seconds ago: <krzee> !seen vpnhelper
16:51 < krzee> heh
16:52  * EugeneKay makes a note to put a few hours into his EugeneBot extension for ZNC this weekend
16:53 < EugeneKay> But first, I must go break a few RFCs with my DNS setup!
16:53 < krzee> dont do it!
16:53 < EugeneKay> Eh. It's all third-level domains under vpn.mydomain.com
16:54 < EugeneKay> They just all happen to point to RFC1918 addresses
16:54 < EugeneKay> Which OpenDNS hates.
16:54 < EugeneKay> Google DNS doesn't seem to mind, though.
16:55 < krzee> opendns has a problem with that!?
16:55 < EugeneKay> Yeah. It's a filter to prevent phishing or something.
16:55 < krzee> werd
16:55 < krzee> i just use bind
16:56 < EugeneKay> OpenDNS is for my forwarders
16:56 < EugeneKay> All of my gateway boxen resolve off of local named caches.
16:57 < EugeneKay> I sorta fixed the problem by specifying the first forwarder to be the same gateway's external IP(which has a MyDNS server glombed onto it), but occasionally it just "doesn't work"
16:58 < krzee> sounds ugly
16:58 < EugeneKay> It actually works rather well in practice.
16:59 < EugeneKay> With one UPDATE, I can change any one my domain's IPs, across 4 separate nameservers.
17:00 < krzee> umm my normal setup does that as well
17:00 < krzee> lol
17:00 < krzee> in fact everyone with slaves setup has that
17:00 < EugeneKay> I have a fancy webpage interface for it, though. :-p
17:00 < krzee> i prefer no web-ui
17:00 < krzee> i did script it tho ;]
17:01 < krzee> addbind and rmbind, built them back when i did webhosting
17:01 < EugeneKay> Nice.
17:01 < krzee> in fact if im adding an entire zone it emails my guys who do my secondary
17:01 < krzee> it gives them the entry to paste into their config, formatted how they each prefer
17:03 < EugeneKay> Another fun one is the use of ALIASes(Something mydns does, it's a CNAME that reports as an A but doesn't eat your MX records) across everything. I only have to change an IP in one place and all the references to it are done.
17:04 < EugeneKay> But, now that I have this multi-to-multi VPN setup going right, I don't need to setup a dozen differnt VPN keys for all the boxen in my house.
17:05 < EugeneKay> Should cut down on the "idle" traffic, too.
17:05  * EugeneKay considers his project list
17:28 -!- flok420 [folkert@keetweej.vanheusden.com] has quit [Excess Flood]
17:28 -!- flok420 [folkert@keetweej.vanheusden.com] has joined ##openvpn
17:49 -!- frankS2 [frank@188.113.119.245] has joined ##openvpn
17:50 < frankS2> krzee: I used your configfile
17:50 < frankS2> http://www.ircpimps.org/openvpn.configs
17:50 < frankS2> but my clients seem to get randomly disconnected
18:15 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
18:18 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
18:18 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
18:22 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
18:22 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
18:26 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:30 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
18:30 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
18:42 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
19:24 < krzee> i bet there is nothing random about it
19:25 < krzee> you prolly have some sort of firewall attempting to keep-state on UDP or something
19:25 < krzee> or just a crappy connection between the 2 machines
19:56 -!- sryder [~sryder@vpn.syd.cargowise.com] has joined ##openvpn
19:59 -!- astrophy [~astrophy@95.211.87.136] has joined ##openvpn
20:04 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:21 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
20:24 -!- takamichi [~pri@78.133.92.164] has quit [Read error: Connection reset by peer]
20:25 -!- takamichi [~pri@78.133.92.164] has joined ##openvpn
20:34 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 260 seconds]
20:52 -!- lstarnes [lucius@uncyclopedia/Starnestommy] has joined ##openvpn
20:52 -!- lstarnes [lucius@uncyclopedia/Starnestommy] has left ##openvpn []
20:54 -!- simoinfonet [simoinfone@41.214.145.248] has joined ##openvpn
20:55 < simoinfonet> Hello 
20:56 < simoinfonet> i want to set up a openvpn server in linux debain 
20:57 < simoinfonet> i use a bride mode but i have somme probleme to confiure my server 
20:57 < simoinfonet> some one can help me please 
20:59 < astrophy> what's the problem?
21:04 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
21:07 < simoinfonet> i want use my dhcp server 
21:07 < krzee> why do you want bridge?
21:08 < simoinfonet> because my server is in the lan wich have a @IP from a cisco router 
21:08 < krzee> aka, what layer2 protocol do you need to work over the vpn
21:08 < krzee> i dont see why that matters
21:08 < simoinfonet> TCP 
21:09 < krzee> TCP is layer3
21:09 < krzee> !tunortap
21:09 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
21:09 < vpnHelper> krzee: against you over the vpn
21:09 < simoinfonet> ok 
21:10 < simoinfonet> but if i use a Tun i can have access to my private LAN and ivry client can have a IP adress from my server DHCP
21:10 < simoinfonet> ??
21:12 -!- donavan [~donavan@unaffiliated/donavan] has joined ##openvpn
21:12 < krzee> no need for dhcp
21:12 < krzee> try this out
21:12 < krzee> !confgen
21:12 < vpnHelper> krzee: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
21:12 < krzee> i need to go
21:12 < krzee> see ya later
21:12 < krzee> also read on sharing lans here
21:12 < simoinfonet> thanks 
21:12 < krzee> !route
21:12 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
21:21 -!- simoinfonet [simoinfone@41.214.145.248] has quit [Ping timeout: 246 seconds]
21:22 -!- simoinfonet [simoinfone@41.214.139.253] has joined ##openvpn
21:27 -!- simoinfonet [simoinfone@41.214.139.253] has quit []
21:29 -!- simoinfonet [simoinfone@41.214.139.253] has joined ##openvpn
21:33 -!- sryder [~sryder@vpn.syd.cargowise.com] has left ##openvpn ["WeeChat 0.2.6.3"]
21:39 -!- simoinfonet [simoinfone@41.214.139.253] has quit [Ping timeout: 268 seconds]
21:42 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
22:46 < n0sq> i'm not having much success getting my vpn server to start. the openvpn.log says it can't open a file that does exist and has permissions 755. see http://pastebin.com/4tSgavYc
23:29 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
23:45 -!- DarthGandalf is now known as DarthGandalf|BNC
--- Day changed Sun May 02 2010
00:06 -!- rawDawg [~rawDawg@cpe-76-189-164-252.neo.res.rr.com] has joined ##openvpn
00:16 < harlan> n0sq: what are the permissions on the directories *above* the file?
00:16 < harlan> the file itself needs read permissions only, I think.  It should not need any eXecute perms.
00:45 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
00:49 -!- takamichi [~pri@78.133.92.164] has quit []
00:51 -!- takamichi [~pri@78.133.92.164] has joined ##openvpn
01:12 -!- astrophy [~astrophy@95.211.87.136] has quit [Ping timeout: 240 seconds]
01:31 -!- zorzar_ [~zz@p4FFD29ED.dip.t-dialin.net] has joined ##openvpn
01:34 -!- zorzar [~zz@p4FFD0C1D.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
01:37 -!- bandini [~bandini@host40-108-dynamic.41-79-r.retail.telecomitalia.it] has joined ##openvpn
01:41 -!- SkyLIVE [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
01:46 -!- riddla [~Riddla@cm27.epsilon103.maxonline.com.sg] has joined ##openvpn
01:46 < riddla> hi quick question: is it possible (on the server side) to have multiple ciphers?
01:46 < riddla> in perticluar, i would like to have cipher AES... (a 'real' cipher), as well as cipher none
01:47 < riddla> so that some clients can use cipher none, while others use an encrypted connection
01:47 < riddla> thanks in advance.
01:48 -!- DarthGandalf|BNC is now known as DarthGandalf
02:24 -!- SkyLIVE [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
02:43 -!- takamichi [~pri@78.133.92.164] has quit []
02:52 -!- takamichi [~pri@78.133.92.164] has joined ##openvpn
02:55 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
03:35 -!- Diffen2 [~diffen2@mail.feab.se] has joined ##openvpn
03:37 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:44 -!- DarthGandalf is now known as DarthGandalf|BNC
03:49 -!- rawDawg [~rawDawg@cpe-76-189-164-252.neo.res.rr.com] has quit [Ping timeout: 265 seconds]
03:52 -!- rawDawg [~rawDawg@cpe-76-189-164-252.neo.res.rr.com] has joined ##openvpn
03:52 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
03:57 -!- astrophy [~astrophy@64-135-203-23.FoxValley.net] has joined ##openvpn
04:04 -!- bandini [~bandini@host40-108-dynamic.41-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
04:49 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 276 seconds]
04:50 -!- rawDawg [~rawDawg@cpe-76-189-164-252.neo.res.rr.com] has quit [Ping timeout: 252 seconds]
05:00 -!- DarthGandalf|BNC is now known as DarthGandalf
05:01 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
05:26 -!- rawDawg [~rawDawg@cpe-76-189-164-252.neo.res.rr.com] has joined ##openvpn
05:31 -!- julius [~julius@217.20.127.15] has quit [Quit: Hackers of the world, unite!]
05:32 -!- julius [~julius@217.20.127.15] has joined ##openvpn
05:40 -!- propagandhi [~propagand@CPE-121-223-222-185.static.nsw.bigpond.net.au] has joined ##openvpn
05:40 < propagandhi> how can I set a client.cfg to aut reconnect on dropout
05:47 -!- rawDawg [~rawDawg@cpe-76-189-164-252.neo.res.rr.com] has quit [Read error: Connection reset by peer]
06:13 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
06:13 -!- mode/##openvpn [+o mattock] by ChanServ
06:27 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 264 seconds]
06:27 -!- riddla [~Riddla@cm27.epsilon103.maxonline.com.sg] has quit [Ping timeout: 240 seconds]
06:36 -!- hyatt [~kora-chan@110-174-77-158.static.tpgi.com.au] has joined ##openvpn
06:37 < hyatt> hi, i have a small question; if i have a openvpn setup with two clients connected, if those two clients talk to each other, will all the traffic be routed over the server, or do they have a direct channel?
06:42 < propagandhi> hyatt they have to pass through the tunnel, which is through the server
06:42 < Bushmills> traffic goes through server
06:43 < hyatt> thank you
06:43 < Bushmills> would be bad if one client could decipher the encrypted stream, meant for the server, wouldn't it?
06:43 -!- propagandhi [~propagand@CPE-121-223-222-185.static.nsw.bigpond.net.au] has quit [Remote host closed the connection]
06:44 < hyatt> that is definitely true ;)
06:45 -!- hyatt [~kora-chan@110-174-77-158.static.tpgi.com.au] has quit [Quit: hyatt]
06:56 < rob0> I think full mesh might be on the agenda for future enhancements of openvpn. In that case the server would merely provide the authentication service and peer lookup tables for client-to-client traffic.
06:56 -!- zorzar_ [~zz@p4FFD29ED.dip.t-dialin.net] has quit [Ping timeout: 276 seconds]
06:56 < rob0> sort of an ARP who-has thing
06:58 < rob0> Server would probably have to tell the clients that connections are coming from another client, get a port to connect to. Not sure how/if it could work behind NAT.
07:15 < EugeneKay> Assuming you don't midn a bunch of fiddling, you can do that as-is. Anything over a dozen clients / disjoint networks to be bound together and you will quickly go mad.
07:16 < EugeneKay> Each server/client is connected to every other client, and routes appropriately.
07:17 < EugeneKay> It depends on what you're trying to do, really.
07:20 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
07:20 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
07:28 < Bushmills> would be a mess of routers, with redirect-gateway in place, setting default router to vpn server
07:28 < Bushmills> routes
07:29 < Bushmills> after all, those direct routes are meant to *prevent* traffic from having to go to server first
07:29 < Bushmills> not much use for that if they're sent to server because it is the gateway of the default  rroute ..
07:31 < Bushmills> unless ... all those direct connect clients would be in an own subnet, which is then routed through the previously default gateway
07:32 -!- Diffen2 [~diffen2@mail.feab.se] has quit [Quit: This computer has gone to sleep]
07:55 -!- Diffen2 [~diffen2@mail.feab.se] has joined ##openvpn
08:21 < hyper_ch> can someone summon krzee in here?
08:21 -!- simoinfonet [simoinfone@41.214.223.197] has joined ##openvpn
08:21 < hyper_ch> or conjure
08:21  * theDoc waves his hands in the air.
08:21 < hyper_ch> theDoc: :)
08:21 < hyper_ch> isn't that the rain dance?
08:22 < theDoc> or possibly a pole dance.. ;p
08:22 < hyper_ch> :)
08:22 < hyper_ch> why does 160gb uploading at a 1mbyte connection take so long
08:23 < theDoc> Maybe because it's 160gb?
08:23 < hyper_ch> internet would be so much faster if I had a 1gb connection here
08:25 -!- simoinfonet [simoinfone@41.214.223.197] has quit [Ping timeout: 248 seconds]
08:26 -!- simoinfonet [simoinfone@41.214.234.230] has joined ##openvpn
08:32 -!- mithridates [~chatzilla@142.166.45.200] has joined ##openvpn
08:33 -!- mithridates [~chatzilla@142.166.45.200] has left ##openvpn []
08:34 < hyper_ch> why does one of my cats always want to sleep on the mouse....
08:36 < Bushmills> internet would be so much faster if everybody else had a 2400 bps connection
08:38 -!- zorzar [~zz@p4FFD29ED.dip.t-dialin.net] has joined ##openvpn
08:49 < simoinfonet> Hello for every body 
08:51 < simoinfonet> how can i configure my virtual client to use the DHCP server 
08:51 < simoinfonet> please some one have a good idea to help me 
09:05 < Bushmills> no idea what a virtual client is.  
09:05 < Bushmills> and of what
09:09 < simoinfonet> i set up a server open vpn in a debian eth 
09:10 < simoinfonet> i want to have acces to my private LAN from my house 
09:10 < simoinfonet> in the lan i have a dhcp server who dispath ip adress to all machines in the lan 192.168.1.1
09:11 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
09:11 < simoinfonet> is there a solution to give a ip adress to evry openvpn client from my dhcp server 
09:11 < simoinfonet> ???
09:12 < simoinfonet> you can look my server.conf here http://www.spiwit.net/2008/01/06/creation-dun-serveur-vpn/#comment-2046
09:13 < rob0> Most of us here ("us" meaning those who tend to answer most questions) do not use nor recommend the use of bridging.
09:14 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
09:14 < rob0> But indeed, you can have a DHCP server hand out addresses to bridged VPN clients.
09:15 < Bushmills> ip addresses for the openvpn interface? or for other interfaces on your system? 
09:15 < rob0> How to configure the client is pretty much off topic, it depends on the OS and the DHCP client it uses.
09:15 < simoinfonet> i use a XP client 
09:15 < rob0> I don't.
09:16  * Bushmills looks up this funny term "XP" on wikipedia
09:16 < simoinfonet> windows XP 
09:16 < theDoc> I use a mac.
09:17 < simoinfonet> ah ok 
09:17 < Bushmills> ah. "Extreme Programming", a software development methology
09:17 < krzee> simoinfonet, why do you think you need IP addresses handed out by your dhcp server?
09:17 < Bushmills> "there must be food" it states
09:17  * Bushmills likes that
09:18 < krzee> mmm, a programming methodology that involved food sounds ok to me
09:18 < krzee> does it say anything about weed or beer?
09:18 < rob0> Perhaps the OS vendor would support that OS? (I know, not in the real world, but I get tired of being asked to do the job that people paid Microsoft to do.)
09:18 < Bushmills> not as far. but they favour short meetings, without chairs
09:19 < ScriptFanix> without chairs! that clearly excludes the use of weed
09:19 < simoinfonet> to have acces for all machines in the LAN and any client must have a adress witch it not already  used 
09:19 < ScriptFanix> !route
09:19 < vpnHelper> ScriptFanix: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:20  * Bushmills looks whether there's a mention of "sofa" anywhere
09:20 < krzee> simoinfonet, i gave you !route and !tunortap yesterday when i was leaving work
09:20 < krzee> did you read them?
09:20 < Bushmills> simoinfonet: openvpn can assign ip addresses to clients. you'd choose an own subnet exclusively for openvpn clients
09:21 < Bushmills> that way, openvpn makes sure that all clients have unique addresses, and no collision occurs
09:22 -!- Diffen2 [~diffen2@mail.feab.se] has quit [Ping timeout: 246 seconds]
09:22 < Bushmills> if machines behind the vpn on either side collide with ip addresses, there is not a lot openvpn can do about it
09:22 < simoinfonet> yes but how can i do that for be able to access to my private LAN 
09:22 < krzee> and you can have lans behind the server, and as many clients as you want, as long as you dont use the same subnets
09:22 < krzee> by reading !route
09:23 < Bushmills> especially not requiring them to re-request new ip addresses because somewhere an openvpn connection from outside has been established 
09:23 < krzee> you've had it sent to you 2x that i have seen now
09:23 < Bushmills> you read:
09:23 < Bushmills> !route
09:23 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:23 < Bushmills> and then you send a beer to krzee
09:23 < rob0> Another advantage, openvpn knows not to mess with the route for the tunnel itself. If your DHCP server messes up your external route to the server, your connection breaks.
09:24 < simoinfonet> my openvpn server have you take a look to my server.conf please ??
09:24 < rob0> But all this falls under the "don't do bridging" advice.
09:24 < krzee> simoinfonet, 
09:24 < krzee> try this
09:24 < krzee> !confgen
09:24 < vpnHelper> krzee: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
09:24 < krzee> it will do all the work for you
09:24 < krzee> i just made it recently
09:24 < Bushmills> no. why? do you have a problem with your config?
09:24 < krzee> (you can only use that on a system with bash)
09:24  * Bushmills tends to look at configs only when he knows what a specific problem is
09:24 < simoinfonet> ok
09:25 < krzee> simoinfonet, but still read !route (which i have now seen given to you 3x)
09:25 < krzee> i wrote all that stuff for a reason, and it wasnt for entertaining myself
09:25 < Bushmills> !beer
09:25 < krzee> it was to make your life easier when trying to do what you are trying to do
09:25 < vpnHelper> Bushmills: Error: "beer" is not a valid command.
09:26 < simoinfonet> ok thanks men 
09:26 < krzee> !learn beer as after reading !route send krzee a beer
09:26 < vpnHelper> krzee: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
09:26 < ScriptFanix> :)
09:26 < krzee> !learn beer as after reading !route send krzee a beer
09:26 < vpnHelper> krzee: Joo got it.
09:26 < Bushmills> !weed
09:26 < vpnHelper> Bushmills: Error: "weed" is not a valid command.
09:26 < krzee> there you go Bushmills 
09:26 < krzee> lol
09:27 < krzee> !learn weed as pls see !beer, it goes for weed too
09:27 < vpnHelper> krzee: Joo got it.
09:27 -!- Diffen2 [~diffen2@mail.feab.se] has joined ##openvpn
09:27 < krzee> Bushmills, better?
09:27 < Bushmills> ok. you the beer and weed.
09:27 < Bushmills> !cash
09:27 < vpnHelper> Bushmills: Error: "cash" is not a valid command.
09:27 < krzee> !forget beer
09:27 < vpnHelper> krzee: Joo got it.
09:27 < Bushmills> want my paypal?
09:27 < krzee> !forget weed
09:27 < vpnHelper> krzee: Joo got it.
09:28 < Bushmills>  !forget weed    "sorry, i forgot how to forget weed"
09:28 < krzee> heh
09:34 < Bushmills> "“Researchers have discovered that chocolate produces some of the same reactions in the brain as marijuana. The researchers also discovered other similarities between the two but can't remember what they are.”"
09:37 < theDoc> Is that a subtle way of them saying, it's ok to smoke weed? ;p
09:37 < krzee> hehe
09:37 < krzee> theDoc, if its not, let me do it for them
09:37 < krzee> it is ok to smoke weed =]
09:37 < theDoc> lmao.
09:38 < ScriptFanix> in some countries it is not ok to say it is ok to smoke weed
09:39 < theDoc> I believe weed is an illegal substance here.
09:39 -!- mithridates [~chatzilla@142.166.45.200] has joined ##openvpn
09:39 < rob0> s/some/most/ if by "ok" you mean "not going to bring harassment by armed thugs"
09:39 -!- mithridates [~chatzilla@142.166.45.200] has left ##openvpn []
09:40 < rob0> Law is organized crime and deserves almost as much respect.
09:42 < krzee> i respect the first more than the second in many ways
09:43 < hyper_ch> hi krzee
09:45 < hyper_ch> he ignores me again :(
09:45 < rob0> I have a Nazi jackboot print on my front door, so I don't. Different personal experiences lead to different value judgments. But we should stop this offtopic discussion. :)
10:01 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
10:01 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
10:06 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:06 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:06 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:07 < krzee> hey hyper_ch 
10:07 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:07 < krzee> i went to drop off the girl who was in my bed, then i stopped at the store and hit the jackpot
10:07 < krzee> they had mountain dew and dr pepper
10:07 < krzee> super-rare to find here
10:07 < krzee> so i bought all they had
10:09 < hyper_ch> krzee: and then you woke up?
10:09 < hyper_ch> krzee: http://localhost/confgen
10:09 < hyper_ch> sorry
10:09 < krzee> lol
10:09 < krzee> thats not gunna work for me ;]
10:10 < krzee> funny you say that, 2 nights ago i really did have a dream about mountain dew
10:10 < krzee> i had a dream that i started a riot in prison to get a mountain dew
10:10 < hyper_ch> krzee: http://www.simplylinux.ch/confgen/
10:10 < vpnHelper> Title: OpenVPN Config Generator (at www.simplylinux.ch)
10:10 < hyper_ch> it's far from finished
10:10 < hyper_ch> just to give a little tase
10:10 < hyper_ch> taste
10:12 < krzee> that will be sweet
10:12 < krzee> with mouseovers to help people know what they are doing
10:12 < krzee> client-to-client should be a checkbox
10:12 < krzee> protocol should be radio button for tcp/udp
10:13 < krzee> with udp already selected
10:13 < hyper_ch> krzee: I know... there's a lot of things still to be done
10:13 < krzee> compression = checkbox
10:13 < krzee> cool
10:13 < hyper_ch> I first need basic functionality... meaning adding / removing tabs and passing them to the generator :)
10:13 < krzee> im not criticizing, just tossing ideas
10:13 < krzee> i love it tho!
10:14 < krzee> it will be way better than my confgen ;]
10:14 < hyper_ch> btw, what items on the client can be altered?
10:15 < krzee> honestly, nothing
10:15 < hyper_ch> so that in the "pop up" you can fill that already in and the rest of the fields will just be copied over
10:15 < krzee> some things should just match the server, like proto/port/etc
10:15 < hyper_ch> well, if you have two clients, are there no settings that are different between them?
10:15 < krzee> nope
10:15 < hyper_ch> so it would be sufficient to just have 1 client?
10:15 < krzee> just if 1 has a lan, server gets a ccd entry
10:16 < krzee> ok i lied, the cd line will be different
10:16 < krzee> cd /path/to/configs/
10:16 < krzee> err
10:16 < krzee> cd /path/to/keys/
10:16 < krzee> but thats all
10:16 < hyper_ch> :)
10:18 -!- astrophy [~astrophy@64-135-203-23.FoxValley.net] has quit [Quit: Bye]
10:18 < hyper_ch> so, I'll keep going on then :)
10:18 < krzee> hrm
10:18 < krzee> for client lan
10:19 < krzee> im thinking one of those drop down boxes like you had on your ubuntu sources generator
10:19 < krzee> then when selected, ccd apears
10:19 < krzee> and common name, and subnet
10:19 < krzee> then you can choose another, and another
10:20 < hyper_ch> ufff :)
10:20 < krzee> maybe not like that, but something like that
10:22 < hyper_ch> :) I'll continue then working on it :)
10:22 < krzee> sweet
10:22 < krzee> i love it
10:26 < hyper_ch> :)
10:34 < krzee> !iphone
10:34 < vpnHelper> krzee: "iphone" is (#1) http://www.lqx.net/tuntap-iphone.source.tgz for first attempt at getting openvpn on iphone, or (#2) http://github.com/jfx2006/OpenVPN_iphone/downloads for precompiled iphone binaries
10:39 < krzee> !vpn
10:39 < vpnHelper> krzee: "vpn" is http://openvpn.net/index.php/documentation/faq.html#tunnel-principal
10:39 < krzee> (im helping someone outside the chan)
10:40 < krzee> !pptp
10:40 < vpnHelper> krzee: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
10:40 < vpnHelper> krzee: read about why to not use pptp
10:44 -!- X-Raimo_nbook [~alexmurav@109.252.52.21] has joined ##openvpn
10:44 -!- X-Raimo_nbook [~alexmurav@109.252.52.21] has left ##openvpn []
10:56 -!- Webhostbudd [~Webhostbu@24.102.153.25.res-cmts.sm.ptd.net] has joined ##openvpn
10:58 < Webhostbudd> would anyone be willing to help me setup a full route through vpn for a road warrior? I've got my configs setup but I just can't figure out why my packets aren't being routed through the server. It can sucessfully reach the server but packets aren't forwarded from there. If I tracert an external ip every request out of the server is dropped. The server connection is perfectly fine and I believe iptables is setup correctly.
10:59 < krzee> !goal
10:59 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:59 < krzee> #2?
10:59 < hyper_ch> !krzee
10:59 < vpnHelper> hyper_ch: Error: "krzee" is not a valid command.
10:59 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
10:59 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
11:01 < hyper_ch> Webhostbudd: pastebin your configs
11:01 < hyper_ch> !help
11:01 < vpnHelper> hyper_ch: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
11:01 < hyper_ch> !welcome
11:01 < vpnHelper> hyper_ch: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:01 < krzee> heh
11:02 < krzee> i THINK he wants !redirect but he hasnt answered me
11:02 < Webhostbudd> Server: http://pastebin.com/az7RfcaN
11:03 < hyper_ch> krzee: you mean the def1 gateway thingy?
11:03 < krzee> well it also comes with:
11:03 < krzee> !linnat
11:03 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
11:03 < Webhostbudd> Client: http://pastebin.com/aRgRNZPP
11:03 < krzee> !linipforward
11:03 < vpnHelper> krzee: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
11:03 < Bushmills> Webhostbudd, does server have any reason to forward packets from openvpn interface to wan interface?
11:04 < Bushmills> ah. krzee took care of that one
11:04 < Webhostbudd> it has 1 set in /proc/sys/net/ipv4/ip_forward and iptables -t nat -A POSTROUTING -s 10.30.0.0/24 -j MASQUERADE
11:04 < simoinfonet> re
11:05 < simoinfonet> Hello 
11:05 -!- WormFood [~wormfood@121.35.146.188] has quit [Ping timeout: 240 seconds]
11:05 < Webhostbudd> Sorry, the command is iptables -t nat -A POSTROUTING -s 10.30.0.0/24 -o eth0 -j MASQUERADE
11:05 < Webhostbudd> eth0 is the WAN interface
11:06 < Bushmills> Webhostbudd: firefall rules is blocking traffic
11:06 < Webhostbudd> I doubt it but I will look into that
11:06 < krzee> # allow several users to connect with the same certificate
11:06 < krzee> duplicate-cn
11:06 < krzee> you should not use that
11:06 < Webhostbudd> yes, i know
11:06 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
11:06 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
11:07 < Bushmills> your client run windows, right?
11:07 < Webhostbudd> yes
11:07 < Webhostbudd> it does recieve the dns server and all of the required routes
11:07 < Bushmills> because of dns, that was my concern
11:08 < krzee> can it ping 10.30.0.1 ?
11:08 < krzee> (the client)
11:08 < Webhostbudd> yes it can
11:09 < krzee> im inclined to agree with Bushmills 
11:09 < krzee> part 2 of our topic
11:09 < krzee> ;]
11:10 < Bushmills> show output of server ifconfig
11:10 < simoinfonet> Hello some one can help me to resolve this warning please 
11:10 < simoinfonet> WARNING: potential route subnet conflict between local LAN 
11:10 < krzee> simoinfonet, 
11:10 < krzee> !samesubnet
11:10 < Webhostbudd> there, ifconfig: http://pastebin.com/M93RbpeR
11:10 < vpnHelper> krzee: "samesubnet" is clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
11:11 < krzee> aka, dont use conflicting subnets
11:11 < Bushmills> you took care to specify vpn-user interface, instead of tun, in you firewall rules?
11:11 < Webhostbudd> yes i did
11:12 < Webhostbudd> i actually have the firewall wide open right now, just to make sure it isn't interfering
11:12 < krzee> !iptables
11:12 < vpnHelper> krzee: "iptables" is (#1) o test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT;, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-
11:12 < vpnHelper> krzee: computing.net/wiki/index.php/OpenVPN/Firewall
11:12 < krzee> hha #4 url got chopped in 1/2
11:17 -!- WormFood [~wormfood@121.35.52.129] has joined ##openvpn
11:27 -!- Webhostbudd [~Webhostbu@24.102.153.25.res-cmts.sm.ptd.net] has quit [Quit: If you think nobody cares, try missing a few payments]
12:03 -!- rawDawg [~rawDawg@cpe-76-189-164-252.neo.res.rr.com] has joined ##openvpn
12:04 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
12:13 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
12:15 -!- cmo-0 [~user@92.96.14.113] has joined ##openvpn
12:23 < cmo-0> I have a problem with bridging. The setup goes like this: a linksys modem/router, a LAN with DHCP 10.0.1.30 to 10.0.1.50 range, a server has two NICs, one is configured to be 10.0.1.1 (and is connected to the LAN switch), the other one is configured to be 192.168.1.2 (and is connected to one of the 4 ports of the modem/router which by default is 192.168.1.1) finally the modem/router is connected to WAN (the ISP interent connection). the
12:23 < cmo-0> bridging is done due to the fact we have another PC that is connected to the modem/router (thus it will be in the 192.168.1.x subnet) and It should be able to bridge to the 10.0.1.x subnet. the bridging is done on the first NIC, and It works well, HOWEVER, other PC on the 10.0.1.x can not access the internet (still they can see each other within the LAN) and can not access the modem/router subnet. Any Ideas? Hints?
12:27 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
12:27 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
12:28 -!- rawDawg [~rawDawg@cpe-76-189-164-252.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
12:37 -!- EugeneKay is now known as EugeneKaway
12:39 -!- EugeneKaway is now known as EugeneKay
12:40 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
12:48 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:53 -!- simoinfonet [simoinfone@41.214.234.230] has quit [Read error: Connection reset by peer]
13:00 < krzee> cmo-0, why do you need a bridge?
13:01 < krzee> your setup is rather easy with routing assuming you dont need a specific layer2 protocol
13:01 < Bushmills> maybe because he can't walk across water?
13:01 < krzee> hahah
13:01 < krzee> good one ;]
13:03 < Bushmills> I was thinking of http://www.approximity.com/cgi-bin/blogtariAgile/index.rb/Forth
13:03 < vpnHelper> Title: smart stuff (at www.approximity.com)
13:03 < fahadsadah> !nat
13:03 < vpnHelper> fahadsadah: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
13:03 < fahadsadah> !linnat
13:03 < vpnHelper> fahadsadah: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
13:18 < cmo-0> krzee: the LAN uses samba and this last PC needs to see the sharing of other PCs in the LAN.
13:18 < krzee> !wins
13:18 < vpnHelper> krzee: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
13:18 < krzee> !tunortap
13:18 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
13:18 < vpnHelper> krzee: against you over the vpn
13:19 < krzee> #2 ;)
13:21 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
13:21 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
13:24 < cmo-0> krzee: I have samba running on the server box setup as wins server.
13:25 < krzee> then you dont need a bridge
13:25 < cmo-0> do you mean to connect that last PC point-to-point to the server and push to it the wins params and other routing info
13:26 < krzee> doesnt need to be ptp
13:26 < krzee> can be client/server
13:26 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: Leaving]
13:26 < cmo-0> ok!
13:26 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
13:27 < cmo-0> krzee: I'll try that. Thanks.
13:28 < krzee> np
13:28 < krzee> as for the lans
13:28 < krzee> !route
13:28 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:29 < cmo-0> another thing before I forget. there is also an HP 2600n printer on the 10.0.1.x, and I could'nt get that bridged PC connection to connect to the printer? Any thoughts?
13:29 < krzee> i dont do bridges
13:29 < cmo-0> only routing!?
13:30 < krzee> yupyup
13:30 < krzee> its rare people need bridges
13:30 < krzee> lan gaming being one of the few real reasons to use it
13:30 < cmo-0> can you give me a couple of examples?
13:30 < krzee> better than an example, ill give you the rule of thumb...
13:30 < cmo-0> sure!
13:31 < krzee> if you dont need a specific layer2 protocol, (and smb doesnt count) you dont need a bridge
13:31 < cmo-0> now I can go fishing ;)
13:31 < cmo-0> krzee: thanks Again!
13:31 < krzee> no problem!
13:32 < krzee> and as for both 192 and 10 subnets
13:32 < krzee> they are both lans behind that vpn node
13:32 < krzee> treat them as such in your setup and you will have access to both
13:35 -!- cmo-0 [~user@92.96.14.113] has quit [Remote host closed the connection]
13:46 -!- hrubi [~hrubi@2a01:5f0:1017:0:2::1] has joined ##openvpn
13:48 -!- hrubi [~hrubi@2a01:5f0:1017:0:2::1] has left ##openvpn []
14:11 < krzee> http://muhom.org/data/2007/brain.jpg
14:16 < |Mike|> hi krzee 
14:35 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
14:38 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
14:52 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
14:58 < n0sq_> harlan: the permissions are 755
14:59 < harlan> on the file or the directories, or all?
15:00 < n0sq_> all
15:00 < harlan> OK, and you checked the perms on each subdir in the chain, starting from / ?
15:02 < n0sq_> yes - from /etc/openvpn down to /etc/openvpn/easy-rsa/1.0/keys
15:02 < harlan> check /, /etc, and /etc/openvpn to be sure.
15:03 < harlan> If you got a permission error, it is caused by something, somewhere along that path.
15:03 -!- flok420 [folkert@keetweej.vanheusden.com] has quit [Excess Flood]
15:04 -!- flok420 [folkert@keetweej.vanheusden.com] has joined ##openvpn
15:04 < n0sq_> directory /etc is 755 also
15:05 < harlan> amazing.
15:05 < harlan> Then this makes no sense, as the dirs have rx perms all the way, and the file itself is readable by everybody.
15:05 < harlan> Any chance of a typo in the path or file name?
15:06 < n0sq_> the absolute path to the file is specified in server.conf
15:06 < n0sq_> i triple checked it
15:06 < harlan> and you can read the file as non-root?
15:08 < harlan> is any of this NFS or other remote filesystem?
15:10 < n0sq_> yes
15:10 < harlan> there could be a remote ACL problem then.
15:10 < n0sq_> no to NFS
15:10 < harlan> ah, wrong "yes"!
15:11 < n0sq_> yes to reading as non-root
15:11 < n0sq_> !welcome
15:11 < vpnHelper> n0sq_: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:12 < Bushmills> !config
15:12 < vpnHelper> Bushmills: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
15:13 < n0sq_> i guess i need to use a different subnet scheme also
15:13 < n0sq_> but that shouldn't prevent the server from running
15:20 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
15:23 -!- VPNer [JavaUser@i577ABC3A.versanet.de] has joined ##openvpn
15:23 < VPNer> !welcome
15:23 < vpnHelper> VPNer: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:23 < VPNer> !howto
15:23 < vpnHelper> VPNer: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:24 < VPNer> Okay, already know.
15:24 < VPNer> Hello @ anybody
15:26 < VPNer> I've a DAU-like question. I'm new with openVPN, because my old vServers didn't support tun-devices, but my new dedicatet linux-server does. My question is just: Whats the difference between the server-certs and the client-certs. I thought, that the certs are just for the encryption and the static key ist to auth. But then I fell about the different scripts of easy-rsa, namely "build-key" and "build-key-server". May somebody tell me up?
15:27 < hyper_ch> what's a DAU-like question?
15:28 < harlan> n0sq_: That's about all I can do for now - I will be back online in about 10 hours' time, give or take.
15:28 < VPNer> Ah, sry, DAU is a german joke =)
15:28 < n0sq_> ok
15:28 -!- dauergast [~sag@188-193-231-73-dynip.superkabel.de] has joined ##openvpn
15:29 < n0sq_> i did find some config errors and corrected them be i still get a FAILED when i start the server - interesting that nmap shows the port (1194) open so i assume that the server is running now but i guess there's still problems
15:30 < krzee> VPNer, there is no difference, the difference with that script is that it is specially signed as a server so you can have clients check if the server was signed right
15:30 < krzee> see this for more:
15:30 < krzee> !mitm
15:30 < vpnHelper> krzee: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
15:31 < VPNer> Ah, thx, krzee. Give me a while to read for myself ;-)
15:36 < krzee> =]
15:36 < VPNer> !servercert
15:36 < vpnHelper> VPNer: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mitm
15:39 < n0sq_> http://pastebin.com/vzFyp9Fu
15:52 < krzee> n0sq_, where are the errors when you start the server?
15:53 < krzee> the errors i see are deleting the routes when stopping it, which is normal when you drop privileges but unimportant because when the device goes away after the app dies, the routes disappear
15:53 < krzee> i do see a warning about common subnets, which only matters if you are pushing those subnets to clients
16:00 < frankS2> is it possible to make openvpn not to use client certs but rather a user/password auth
16:01 -!- dauergast [~sag@188-193-231-73-dynip.superkabel.de] has quit [Quit: Das Hirn ist so leer, der Gang so locker.Das ist der deutsche Einheitspopper]
16:02 < krzee> sure
16:02 < krzee> !authpass
16:02 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
16:02 < krzee> but then you go from having a super-secure vpn to having a vpn as secure as your passwords
16:04 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 252 seconds]
16:04 < krzee> im not saying dont do it, im just making sure you are aware of the consequences?
16:08 < n0sq_> krzee: they're in the openvpn log and in /var/log/messages - 
16:08 < n0sq_> May  2 14:27:18 server2 openvpn[9663]: Cannot load certificate file /etc/openvpn/easy-rsa/1.0/keys/ki7rw.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
16:10 -!- EugeneKay [~EugeneKay@unaffiliated/eugenekay] has left ##openvpn ["Leaving"]
16:13 < krzee> n0sq_, ahh
16:13 < krzee> either wrong path, bad cert, or bad permissions
16:40 < VPNer> Ehm, I have a secound question. It's about the openvpn-service with Windows: Which Config does the service loads? ans is there any possibility to load espacially one config while having a secound one in the config folder, e.g. for the intern network of the university, which is only used in the uni-networks and not at home?
16:43 < krzee> all configs in the config dir i believe
16:44 < krzee> i dont think you can do that with the service, but you could with the GUI i think, and you could certainly with a bat script
16:48 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
16:48 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
16:49 < VPNer> Yeah, I alreade thought about a batch-file, but I miss the intelligent Cron-params of Linux. Is there a possibility to run the .bat after each suspend and each stand-by? After (re)boot is no problem, but who does a complete shut-down each time?
16:50 < krzee> you could always start the vpn using your .bat :-p
16:50 < krzee> its not that hard to click
16:53 < VPNer> Should not be. But my girlfriend is not the fittest whith computers. And the VPN is not used for essentials but for sometimes used services like SMB. With my father it's the same. It would be nice, if there would be a possibility to start it without user-activity. I think, I have to google a litle bit. There must be a solution for this quiet polular problem...
16:54 < krzee> i have setup vpns for people who know NOTHING about computers
16:55 < krzee> i tell them "click this little icon to connect"
16:55 < krzee> that little icon is openvpn-gui
16:55 < krzee> thats all there is to it
16:55 < krzee> if they can turn it on, they can handle that
16:55 < krzee> if they cant handle that, take away their computer and their phone, because its too much for them
16:57 < krzee> in fact if they cant handle clicking the icon to connect, they should operate no more technology than a toaster
16:58 < VPNer> yeah, but the people, which shall use the vpn simply habe no desire always to remember to click on the button to serve a function, which is seldom used. Including me =)
16:58 < krzee> if its seldom used its seldom needed
16:58 < krzee> when needed, click it
16:59 < krzee> lol
17:00 < VPNer> but when it's needet, then it should be served without phoning the owner of the dialed PC ;-)
17:00 < krzee> whatever
17:00 < krzee> either let it always run or run it when needed
17:00 < krzee> openvpn wont read your mind, it can only do 1 of the 2
17:04 < VPNer> The computers normally run 12 hours a day and are used just 3 of them. So, when the service is needet, most nobody is there in front of the computer. But for always have to start the service manually, my girlfriend and my father (and me) are just too lazy. And a boot is very rarely, it just spends too much time. I'm now writing a daemon, which checks and writes a timestamp and sleeps 30 secounds. And if the timestamp
17:04 < VPNer>  is older than 30 secounds, it performs a start. But really fine is otherwise...
17:09 < VPNer> Hmm, or the way upside down: Is there a possibility to set the path to the .ovpn-files, which are used by the GUI-tool?
17:12 < krzee> not that i know of, i believe the config dir is hard coded
17:12 < krzee> like %programfiles%/openvpn/config or something
17:12 < krzee> i dont really use windows
17:13 < VPNer> yeah, I've looked at the folders and thinks so, too.
17:13 < VPNer> But I have found a soultion. Just have to try it =)
17:13 < krzee> right on
17:13 < krzee> if you like, you can make a writeup on whatever your solution ends up being on the wiki
17:16 < VPNer> "My solutions" sounds better than it is: I found a ready-made tool...
17:16 -!- EugeneKay [~EugeneKay@unaffiliated/eugenekay] has joined ##openvpn
17:17 < VPNer> But all download-links are down. I think, I have to code it for myself :-(
17:17 < krzee> whats the ready-made tool?
17:18 < VPNer> A already written tool by a third person ;-)
17:18 < VPNer> *An
17:18 < krzee> it doesnt have a name?
17:19 < VPNer> "hibernate runner".
17:21 -!- unimatrix [~unimatrix@93-103-14-47.static.t-2.net] has quit [Ping timeout: 265 seconds]
17:25 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
17:25 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
17:28 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
17:28 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
17:29 -!- unimatrix [~unimatrix@93-103-14-47.static.t-2.net] has joined ##openvpn
17:30 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
17:33 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 268 seconds]
17:34 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
17:34 < VPNer> Okay, I#m going to sleep. I have to wake up at 04:30 to got to the uni...
17:34 < VPNer> Have a nice night and thanks a lot for help!
17:34 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
17:36 -!- VPNer [JavaUser@i577ABC3A.versanet.de] has quit [Remote host closed the connection]
17:41 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
17:43 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
17:45 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
17:48 < krzee> !factoids
17:48 < vpnHelper> krzee: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
17:51 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
18:14 -!- Diffen2 [~diffen2@mail.feab.se] has quit [Quit: This computer has gone to sleep]
18:20 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
18:21 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
18:22 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
18:22 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
18:24 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Operation timed out]
18:27 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
18:29 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 276 seconds]
18:31 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: No route to host]
18:32 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
18:55 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
18:57 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
18:57 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
18:57 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
18:57 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
19:02 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
19:03 -!- rob0 [~rob0@tuxaloosa.org] has quit [Read error: Operation timed out]
19:03 -!- rob0 [~rob0@tuxaloosa.org] has joined ##openvpn
19:03 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
19:04 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
19:11 -!- y0tta [~y0tta@95.211.0.238] has joined ##openvpn
19:13 -!- unimatrix [~unimatrix@93-103-14-47.static.t-2.net] has quit [Ping timeout: 252 seconds]
19:16 -!- kasx [~Andrew@seance.openvpn.org] has quit [Read error: Connection reset by peer]
19:17 -!- kasx [~Andrew@seance.openvpn.org] has joined ##openvpn
19:17 -!- unimatrix [~unimatrix@93-103-14-47.static.t-2.net] has joined ##openvpn
19:17 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
19:19 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
19:21 -!- Omancho [~Omancho@ip70-187-168-252.oc.oc.cox.net] has joined ##openvpn
19:22 -!- Omancho [~Omancho@ip70-187-168-252.oc.oc.cox.net] has quit [Client Quit]
19:23 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
19:23 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
19:27 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
19:28 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
19:39 -!- Omancho [~Omancho@ip70-187-168-252.oc.oc.cox.net] has joined ##openvpn
19:47 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
19:49 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
19:54 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 246 seconds]
19:54 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
19:59 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
19:59 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
20:01 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Ping timeout: 276 seconds]
20:04 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
20:05 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 245 seconds]
20:05 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
20:08 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
20:09 < y0tta> hmm
20:11 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
20:12 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 276 seconds]
20:17 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
20:18 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 240 seconds]
20:21 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 240 seconds]
20:21 -!- LowKey [rhel@unaffiliated/lowkey] has joined ##openvpn
20:22 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
20:23 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Excess Flood]
20:28 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:30 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
20:30 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 248 seconds]
20:36 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
20:37 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 240 seconds]
20:41 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:42 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
20:42 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
21:24 -!- propagandhi [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has joined ##openvpn
21:31 -!- y0tta [~y0tta@95.211.0.238] has quit [Quit: y0tta]
21:32 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
21:35 -!- EugeneKay is now known as EugeneKaway
21:38 -!- thepuppynuts is now known as TheThePuppyNuts-
21:38 -!- TheThePuppyNuts- is now known as ThePuppyNuts-87
22:46 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Ping timeout: 240 seconds]
22:47 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
23:00 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
23:03 -!- EugeneKaway is now known as EugeneKay
23:36 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
23:38 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
23:39 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
23:49 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
23:49 -!- riddla [~Riddla@bb220-255-202-155.singnet.com.sg] has joined ##openvpn
23:50 < riddla> does anyone know if its poissible to run multiple ciphers (on the server side), in perticular: cipher AES.... (a 'real' cipher) and cipher none? So that some clients use an encrypted connection, while others use a non-encrypted one?
23:50 < riddla> thanks.
23:55 < theDoc> riddla> No.
23:56 < theDoc> and why would you want to do that anyway?
23:58 < krzie> did you try it in connection blocks?
23:58 < krzie> thats where it would be if it could be done
23:59 < theDoc> Yay, checkout.css is finally fixed.
23:59  * theDoc whistles.
--- Day changed Mon May 03 2010
00:01 < riddla> thdoc, some of my vpn is on the private (lan) side of my network. only so that i can do client -> client.
00:01 < riddla> and the clients on the lan side, do not need to be encrypted.
00:01 < riddla> but the clients connecting from the external side, do.
00:02 < theDoc> Within the LAN, why are you running a vpn inside it?
00:02 < riddla> so that i can run it all without needing iptables.
00:03 < riddla> and so that the vpn clients can communicate together.
00:03 < theDoc> riddla> I'm not sure what you are doing but openvpn doesn't do the job of iptables.
00:03 < theDoc> Neither does iptables do the job of openvpn.
00:03 < riddla> umm, it does some form of routing rite?
00:03 < riddla> via client-to-client
00:04 < theDoc> Openvpn doesn't do any routing. You can push routes to clients via openvpn
00:04 < riddla> so what does the client-to-client directive do?
00:04 < riddla> that would be a form of routing no?
00:04 < theDoc> client-to-client permits clients on the *SAME* vpn subnet to communicate with each other.
00:04 < rob0> Why can't LAN machines connect to one another directly?
00:04 < theDoc> That would be nit picking.
00:04 < theDoc> Not a form of routing.
00:05 < riddla> i may be wrong, but, client1 -> openvpn (client-to-client) -> client2
00:05 < riddla> that looks like a form of routing, no?
00:05 < rob0> LAN host -> openvon Host -> openvpn client
00:05 < riddla> rob0, yes, using iptables
00:05 < krzie> !wishlist
00:06 < vpnHelper> krzie: "wishlist" is http://ovpnforum.com/viewforum.php?f=10 for the openvpn wishlist
00:06 < rob0> openvpn client -> openvpn server -> LAN host
00:06 < krzie> its on there rob0
00:06 < rob0> huh?
00:06 < krzie> the reason is because of how ssl works
00:06 < theDoc> Once again, no. There is no routing involved on that. It is just a client-to-client directive which permits clients on the same network to talk to each other.
00:06 < krzie> and routing
00:06 < krzie> but i had an idea for it
00:06 < krzie> http://ovpnforum.com/viewforum.php?f=10
00:06 < vpnHelper> Title: OpenVPN Forum View forum - Wishlist (at ovpnforum.com)
00:07 < krzie> no
00:07 < theDoc> I don't exactly see how having 2 clients on the *SAME* subnet is routing.
00:07 < krzie> !c2c
00:07 < vpnHelper> krzie: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
00:07 < vpnHelper> krzie: behind other clients
00:07 < krzie> oh sorry
00:07 < rob0> The wishlist thing is full mesh. That's doable but a ways off, at the least.
00:08 < krzie> i thought someone was asking about client traffic not hitting the server
00:08 < riddla> *shrugs*, and i dont mean to be cheeky... maybe not on a technical level, but packets come into openvpn, openvpn then sends them to another client... that looks like a form of routing :/
00:08 < krzie> the mesh thing is doable with RIP and scripts to make all the configs if desired
00:08 < krzie> !riproute
00:08 < vpnHelper> krzie: Error: "riproute" is not a valid command.
00:08 < krzie> !factoids search rip
00:08 < vpnHelper> krzie: '2.1-winpass-script', 'rip', and 'winscript'
00:08 < krzie> !rip
00:08 < vpnHelper> krzie: "rip" is http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting for a writeup on using RIP in openvpn
00:09 < theDoc> riddla> What do you want to accomplish with openvpn?
00:09 < theDoc> Maybe that might give us more insight into helping you with the problem. ;)
00:09 < krzie> ya i totally misunderstood, but see the scroll now
00:09 < riddla> the doc, i want some clients to use cipher none, while others use (for example) use cipher AES-128-CBC
00:09 < riddla> nothing more.
00:09 < rob0> sigh
00:10 < theDoc> riddla> Those clients that are not using any cipers are within your own LAN right?
00:10 < riddla> yes.
00:10 < riddla> exactly.
00:10 < theDoc> and not a remote machine, right?
00:10 < riddla> yes.
00:10 -!- propagandhi [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has quit [Remote host closed the connection]
00:10 < theDoc> Why are you running a vpn within your own LAN?
00:10 < rob0> Asking again, why can't LAN machines connect to one another directly?
00:11 < riddla> because i dont want to run iptables on the host machine.
00:11 < riddla> the lan machines can
00:11 < riddla> but remote -> lan machines cannot
00:11 < riddla> without iptables
00:11 < rob0> what do you mean "run iptables"?
00:11 < riddla> iptables -F; rmmod all iptables modules;
00:11 < krzie> you could set openvpn to connect to lan ip first
00:11 < theDoc> riddla> Seems like you are looking for LAN behind Openvpn.
00:11 < EugeneKay> That's the worst idea I've ever heard.
00:11 < rob0> You need to learn basic IP networking concepts. iptables is not a necessary part of this, at all.
00:11 < krzie> then tell the firewall to not allow real ip to be reached from the lan
00:11 < EugeneKay> Well, today.
00:12 < theDoc> EugeneKay> We all learn from somewhere ;p
00:12 < krzie> or even block the vpn all the way when at home
00:12 < EugeneKay> theDoc - you don't learn to ahve babies by removing your nads with a pair of rusty scissors
00:12 < riddla> i see.
00:13 < krzie> omg, a vpn to not run a firewall?
00:13 < riddla> no
00:13 < theDoc> wtf? vpn != firewall
00:13 < theDoc> EugeneKay> I guess you could put it that way.
00:14 < riddla> i dont want to run iptables because the server is doing quite a bit of traffic
00:14 < rob0> I'd also question the reasoning of not wanting to have a firewall. Ah, there's the "why".
00:14 < krzie> just use layer2 for your lan without a vpn
00:14 < EugeneKay> Yes, because iptables is SUCH a huge load.
00:14 < krzie> tell your firewall to not let you connect when home
00:15 < rob0> Netfilter rules are not resource intensive, but your openvpn approach would be. Even with cipher none, far heavier than netfilter.
00:17 < krzie> is this at home or in a datacenter on a public switch?
00:18 < riddla> datacenter, the lan is on a private switch.
00:18 < riddla> the 'remote' machines, are at 'home'.
00:18 < krzie> public switch i suggest static arp, and maybe even a vpn if you are worried about someone hacking the switch
00:18 < krzie> ok
00:19 < krzie> use topology subnet on the server
00:19 < riddla> anyways, thank you kindly to everyone for the help. as it is now, openvpn works great! i just want to get rid of the encryption overhead, but see now its not possible.
00:19 < riddla> was kind of hoping for somthing like:
00:19 < krzie> see this
00:19 < krzie> !route
00:19 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
00:20 < krzie> you have a LAN behind the server
00:20 < krzie> you have a LAN at home
00:20 < krzie> i wrote this based on 3 lans, 2 clients and a server
00:20 < krzie> adapt it for your needs and you're done
00:20 < krzie> 1 oenvpn node on each side
00:28 -!- propagandhi [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has joined ##openvpn
01:27 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
01:32 -!- zorzar_ [~zz@p4FFD0CF5.dip.t-dialin.net] has joined ##openvpn
01:35 -!- zorzar [~zz@p4FFD29ED.dip.t-dialin.net] has quit [Ping timeout: 252 seconds]
01:36 -!- EugeneKay is now known as EugeneKaway
01:40 -!- EugeneKaway is now known as EugeneKay
02:13 -!- propagandhi [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has quit [Remote host closed the connection]
02:25 -!- propagandhi [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has joined ##openvpn
02:27 -!- graffz [~graffz@unaffiliated/graffz] has joined ##openvpn
02:33 -!- propagandhi [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has quit [Remote host closed the connection]
02:41 -!- Omancho [~Omancho@ip70-187-168-252.oc.oc.cox.net] has quit [Quit: The Lord of Murder Shall Perish.]
02:44 -!- EugeneKay [~EugeneKay@unaffiliated/eugenekay] has left ##openvpn ["Leaving"]
02:44 -!- EugeneKay [~EugeneKay@unaffiliated/eugenekay] has joined ##openvpn
02:44 < EugeneKay> !route
02:44 < vpnHelper> EugeneKay: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:50 < EugeneKay> Ah. iroute, not route.
02:50  * EugeneKay claps hands at his accomplishment - VMWare routes!
03:11 -!- zheng [~zheng@114.92.136.154] has joined ##openvpn
03:33 -!- dazo_afk is now known as dazo
03:36 < krzie> hey dazo
03:36 < dazo> krzie: hiya!
03:36 -!- Visual` [~visualsta@unaffiliated/visualstation] has left ##openvpn []
03:36 < krzie> whatchya upto
03:37 -!- flok420 [folkert@keetweej.vanheusden.com] has quit [Excess Flood]
03:37 < dazo> gah ... monday morning ... trying to wake up probably :-P
03:37 -!- flok420 [folkert@keetweej.vanheusden.com] has joined ##openvpn
03:37 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:39 < dazo> krzie: I see you've had great progress with your confgen ... haven't had time to test it out again lately ... but seems to progress very well :)
03:39 < krzie> thanx =]
03:40 < krzie> im actually working on it right now
03:43 < dazo> nice :)
03:45 -!- graffz [~graffz@unaffiliated/graffz] has quit [Ping timeout: 252 seconds]
03:51 < dazo> damn
03:53 < dazo> ecrist: your openvpn-devel script fails again ... packing down an outdated tree ... the one you have dates Thu 22 Apr 2010 23:29:34 CEST, while the latest change to allmerged were  Fri 30 Apr 2010 23:29:44 CEST.... 
03:54  * dazo thought ecrist update should be run on Sundays ....
03:58 -!- tjz [~pc@bb119-74-183-143.singnet.com.sg] has joined ##openvpn
03:58 -!- tjz [~pc@bb119-74-183-143.singnet.com.sg] has quit [Changing host]
03:58 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
04:17 -!- zheng [~zheng@114.92.136.154] has quit [Quit: Leaving]
04:51 -!- propagandhi [~propagand@CPE-121-223-222-185.static.nsw.bigpond.net.au] has joined ##openvpn
05:00 -!- SkyLIVE [~SkyB0x@212.235.177.25] has joined ##openvpn
05:02 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
05:08 -!- SkyLIVE [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
05:18 -!- graffz [~graffz@unaffiliated/graffz] has joined ##openvpn
05:29 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
05:31 -!- riddla [~Riddla@bb220-255-202-155.singnet.com.sg] has left ##openvpn []
05:40 -!- zorzar_ is now known as zorzar
05:41 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
05:42 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
05:42 -!- le0 [~fin@unaffiliated/le0] has quit [Client Quit]
06:17 -!- graffz [~graffz@unaffiliated/graffz] has quit [Ping timeout: 276 seconds]
06:20 < ecrist> dazo: I'll look at it this morning.
06:20 < ecrist> there's some environment issue with the cronjob.  when I run the script from a real shell, it works fine.  when cron runs it, it breaks.
06:21 < dazo> ecrist: ahh ... I see ... that makes sense though, why the last update was right
06:22  * ecrist looks into it now
06:22 < ecrist> what, specifically is wrong, just an old tree?
06:31 < ecrist> dazo?
06:31 < ecrist> at least the new tarball bootstrapped.
06:47 -!- takamichi [~pri@78.133.92.164] has quit [Ping timeout: 246 seconds]
06:47 -!- takamichi [~pri@94.75.217.250] has joined ##openvpn
06:47 < dazo> ecrist: yes, in general old tree
06:56 -!- hyatt [~kora-chan@110-174-77-158.static.tpgi.com.au] has joined ##openvpn
07:04 -!- propagandhi [~propagand@CPE-121-223-222-185.static.nsw.bigpond.net.au] has quit [Read error: Connection reset by peer]
07:05 -!- propagandhi [~propagand@CPE-121-223-222-185.static.nsw.bigpond.net.au] has joined ##openvpn
07:13 < Bushmills> krzee, krzie: ping
07:17 < krzie> ong
07:17 < krzie> pong
07:17 < krzie> fixing a bunch of that code
07:18 < krzie> realized how right you were about not needing to unset those vars
07:21 < Bushmills> you watch bashbot?
07:22 < krzie> <3 that thing
07:23 < Bushmills> then look
07:23 < Bushmills> that's your multiple awk lines :)
07:25 < Bushmills> that was your conditional substitute and print
07:26 < krzie> where/
07:26 < Bushmills> I just run it through the bot 
07:26 < krzie> i mean where in my orig script
07:26 < krzie> oh
07:26 < Bushmills> http://scarydevilmonastery.net/snap/1272889599494792338d.png 
07:27 < krzie> im in the other chan mentioned just now to you in there
07:30 < Bushmills> modified files are online under obby
07:30 < krzie> ahh cleaned up a bit of other stuff too
07:31 < krzie> ahh yes i can install obby here
07:31 < Bushmills> you'd want a client, such as gobby
07:33 < Bushmills> or even a server, then i could edit those files in a session on your machine, actually
07:33 < Bushmills> well, doesn't matter where the server is
07:35 < Bushmills> whether you open session, or files, here or there requires exactly the same steps, just a different host name
07:35 < Bushmills> same is true for saving files
07:35 < Bushmills> (no hostname needed)
07:40 -!- hyatt [~kora-chan@110-174-77-158.static.tpgi.com.au] has quit [Quit: hyatt]
07:54 < krzie> On Mac OS X 10.5, tiff 3.9.2 requires Xcode 3.1 or later but you have Xcode 3.0.
07:54 < krzie> lol
07:54 < krzie> ill get the new one
07:55 < atlantic> Hi. I have an OpenVPN 2.0 in bridge mode working flawlessy. on the my laptop client the required route is coming up with push with TAP interface. I want to connect to my laptop client a PCMCIA NIC and to that NIC I want to connect a wireless AP, and from the wireless client I want to access the network coming up with push OpenVPN route. How should I configure tha wireless AP? thanks in advance
07:55 < Bushmills> ouch
07:56 < Bushmills> atlantic: just pretend that there is no difference between PCMCIA NIC and your other NIC
07:57 < Bushmills> refer to them by ip address, and then for WLAN and OpenVPN everything remains identical
07:59 -!- propagandhi [~propagand@CPE-121-223-222-185.static.nsw.bigpond.net.au] has quit [Remote host closed the connection]
08:25 -!- SkyLIVE [~SkyB0x@212.235.177.25] has joined ##openvpn
08:34 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
08:36 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Remote host closed the connection]
08:41 -!- takamichi [~pri@94.75.217.250] has quit [Ping timeout: 248 seconds]
08:42 -!- takamichi [~pri@78.133.92.164] has joined ##openvpn
08:44 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
08:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
09:49 -!- takamichi [~pri@78.133.92.164] has quit [Ping timeout: 264 seconds]
09:50 -!- takamichi [~pri@94.75.217.247] has joined ##openvpn
09:55 -!- donavan [~donavan@unaffiliated/donavan] has quit [Ping timeout: 276 seconds]
09:58 -!- donavan [~donavan@4wx.net] has joined ##openvpn
09:59 -!- donavan [~donavan@4wx.net] has quit [Changing host]
09:59 -!- donavan [~donavan@unaffiliated/donavan] has joined ##openvpn
09:59 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:03 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
10:03 -!- mode/##openvpn [+o mattock] by ChanServ
10:20 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Quit: No Ping reply in 90 seconds.]
10:26 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Quit: Távozom]
10:27 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
10:31 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:38 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
11:01 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:05 -!- WormFood [~wormfood@121.35.52.129] has quit [Ping timeout: 252 seconds]
11:18 -!- WormFood [~wormfood@121.34.202.56] has joined ##openvpn
11:20 -!- SkyLIVE [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
11:22 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
11:24 -!- flok420 [folkert@keetweej.vanheusden.com] has quit [Excess Flood]
11:24 -!- flok420 [folkert@keetweej.vanheusden.com] has joined ##openvpn
11:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
11:37 -!- AndyML [~AndyML@pool-173-49-144-213.phlapa.fios.verizon.net] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
11:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
11:40 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:52 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:06 -!- zoredache [~zoredache@pdpc/supporter/professional/zoredache] has quit [Ping timeout: 252 seconds]
12:12 -!- mwheeler [~mwheeler@unaffiliated/theskorm] has quit [Ping timeout: 264 seconds]
12:20 -!- mwheeler [~mwheeler@unaffiliated/theskorm] has joined ##openvpn
12:27 -!- qfr [void@unaffiliated/yw] has joined ##openvpn
12:31 -!- dazo is now known as dazo_afk
12:39 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
12:39 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
13:01 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 240 seconds]
13:02 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
13:10 -!- flok420 [folkert@keetweej.vanheusden.com] has quit [Excess Flood]
13:11 -!- flok420 [folkert@keetweej.vanheusden.com] has joined ##openvpn
13:18 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Ping timeout: 246 seconds]
13:22 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
13:26 -!- dauergast [~sag@188-193-231-73-dynip.superkabel.de] has joined ##openvpn
13:51 -!- jnss [janes@gateway/shell/sign.io/x-wjlnwgeubumvkxzf] has joined ##openvpn
14:03 -!- dauergast [~sag@188-193-231-73-dynip.superkabel.de] has quit [Quit: ich nutze das [G]Script... ©daGroove neuste versionen: www.grooves-welt.de]
14:08 -!- MadTBone [~MadTBone@160.39.238.196] has joined ##openvpn
15:24 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
15:25 -!- PolywogWrk [~polywog@75-151-186-130-Philadelphia.hfc.comcastbusiness.net] has joined ##openvpn
15:29 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 252 seconds]
15:58 -!- dmz [~dmz@64.203.207.101.dyn-cm-pool-54.hargray.net] has joined ##openvpn
15:59 < dmz> VERIFY ERROR: depth=1, error=self signed certificate in certificate chain...i've never seen this before; this is my 8th openvpn box i'm building and they are all self signed certs; any suggestions???
16:00 -!- openvpn2009 [~admin@adsl-71-140-186-185.dsl.pltn13.pacbell.net] has quit [Ping timeout: 246 seconds]
16:01 < ecrist> dmz: you're missing the ca.crt in your openvpn config
16:03 < dmz> no, it's right there (i'm looking @ it; even copy/paste it to be sure there are no typos)
16:04 -!- Guest12047 [~admin@adsl-71-140-186-185.dsl.pltn13.pacbell.net] has joined ##openvpn
16:05 -!- Guest12047 is now known as openvpn2009
16:05 -!- mode/##openvpn [+o openvpn2009] by ChanServ
16:06 < dmz> naturally, i've done this many time and the one time i'm in a rush it "doesn't work"
16:06 < dmz> it's gotta be a typo but everything matches
16:09 < dmz> hmm it has the ca file but it isn't finding it; very weird
16:11 < krzee> !certverify
16:11 < vpnHelper> krzee: "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
16:11 < krzee> and md5 the ca.crt to be sure they are = on both sides
16:12 < ecrist> also, make sure in your config it's path is correct
16:13 -!- ThePuppyNuts-87 [platypus@unaffiliated/coil] has quit [Ping timeout: 260 seconds]
16:15 -!- donavan [~donavan@unaffiliated/donavan] has left ##openvpn ["Leaving"]
16:17 < dmz> thanks i'll check that
16:17 < dmz> my configs & stuff are all scripted to generate so i don't hav etypos :) something just isn't right on this new box
16:17 < dmz> sigh
16:17 < dmz> ok let me test
16:19 < dmz> verifies OK on the server & client
16:19 < krzee> if ca md5 on both sides is = it is the path in the configs
16:19 < krzee> make sure its full paths too
16:21 -!- coil_ [platypus@unaffiliated/coil] has joined ##openvpn
16:22 < dmz> doh, typo in config :) thanks y'all
16:24 < krzee> np
16:28 < ecrist> :)
16:28  * ecrist puts one on the board
17:12 < krzee> haha i considered adding a ++ to the bot
17:13 < krzee> so we could say ecrist++
17:13 < krzee> but i figured it was pointless and likely to be played with
17:13 < krzee> lol
17:14 < ecrist> indeed, it would be.
17:14 < rob0> And I can't be incremented. I want to stay as rob0.
17:14 < ecrist> now, if we rolled out a ticket system like #freeswitch, and the ++ had to go toward a ticket, that would allow for some normalization
17:15 < krzee> i remember incrementing you before rob0 
17:15 < krzee> cracked me up when you /nick rob1
17:15 < krzee> lol
17:17 < rob0> haha
17:18 < krzee> ecrist, good point
17:19 < krzee> i would fully support a ticketing system like in #freeswitch as well
17:19 < krzee> i think its a wonderful system
17:19 < krzee> the ++ thing wouldnt matter to me one way or the other, but that ticketing system is great
17:20  * ecrist wonders if c888 is open-source
17:27 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
17:42 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
17:53 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:59 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
18:05 -!- hyper__ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
18:05 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 265 seconds]
18:05 -!- hyper__ch is now known as hyper_ch
18:27 -!- propagandhi [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has joined ##openvpn
18:40 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
18:43 < propagandhi> excuse me people, I have a client.cfg in /etc/openvpn and openvpn reports when I issue a restart that it is
18:44 < propagandhi> Starting vpn tunnels, however it never starts
18:44 < ecrist> !logs
18:44 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
18:44 < propagandhi> if i manually run openvpn with the --config switch it all works
18:45 < propagandhi> where does openvpn log its output to by default?
18:45 < propagandhi> ubuntu by the way
18:46 -!- surfdue [~surfdue@unaffiliated/surfdue] has joined ##openvpn
18:46 < surfdue> hello
18:47 -!- qfr [void@unaffiliated/yw] has left ##openvpn []
18:50 < ecrist> propagandhi: it doesn't, be default
18:50 < ecrist> that's all configured in the config file
18:51 < ecrist> I'm guessing that the process either doesn't have the proper permissions, or it's looking in the wrong place for the config.
18:52 < propagandhi> ecrist: okay i will take a quick look and get some logging going
18:58 -!- coil_ is now known as sheath
18:59 -!- prakriti [~jeremy@24.100.137.18] has joined ##openvpn
19:00 < prakriti> I've got my tunnel working just fine,  but it insist on changing my default gateway.  Is there any way to tell it not to change my gateway?
19:00 < prakriti> Hm... maybe I'm going about the problem wrong.
19:01 < prakriti> I only want to put certain traffic through the vpn.
19:01 < ecrist> prakriti: are you the admin for the server?
19:02 < ecrist> you can set no-pull in your client config
19:02 < prakriti> I have no control over the server, only the client.
19:02 < ecrist> then add no-pull to your client config, and you'll have to manually setup routes
19:02 < ecrist> !man
19:03 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
19:03 < prakriti> ok, I see
19:03 < prakriti> thanks
19:03 < ecrist> no problem.
19:38 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Remote host closed the connection]
19:53 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
19:58 -!- tjz [~pc@bb119-74-183-143.singnet.com.sg] has joined ##openvpn
19:58 -!- tjz [~pc@bb119-74-183-143.singnet.com.sg] has quit [Changing host]
19:58 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:10 -!- propagandhi [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has quit [Ping timeout: 268 seconds]
20:22 -!- flok420 [folkert@keetweej.vanheusden.com] has quit [Ping timeout: 264 seconds]
20:34 -!- EugeneKay is now known as EugeneDrunK
20:34 < WormFood> has there been any issues with using the version of openvpn that ships with debian?
20:39 < tjz> if you have the problem
20:39 < tjz> use from the source.. better
20:39 < rob0> check the Debian bug database
20:43 -!- surfdue [~surfdue@unaffiliated/surfdue] has quit [Quit: Leaving]
20:47 -!- propagandhi [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has joined ##openvpn
20:49 -!- flok420 [folkert@keetweej.vanheusden.com] has joined ##openvpn
20:49 < WormFood> yeah, I was gonna compile from source, since the version shipping with stable is 2.1_rc11, and who knows what crazy shit they'll do to the source...maybe they'll break the crypto in it, so they can feel happy about eliminating some compiler warnings.
20:51 < rob0> sigh, indeed
20:52 < rob0> there were some major issues in later RCs
20:52 < rob0> but I don't remember specifics
20:54 < WormFood> I'm wondering if some of those revisions may be the source of my issues
20:58 < WormFood> damn it! there have been like 22+ revisions since the one shipped in stable....yeah, I'm just gonna compile from source
21:01 -!- propagandhi [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has quit [Ping timeout: 248 seconds]
21:20 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
21:22 < krzee> hah, they still use rc11? lol
21:59 -!- astrophy [~astrophy@ip12.208-100-1.static.steadfast.net] has joined ##openvpn
22:03 < astrophy> !help
22:03 < vpnHelper> astrophy: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
22:12 < frankS2> is there a place where each cert file is explained like the .ca .csr .crt .key 
22:12 < frankS2> what each of them do
22:12 -!- notworkn [networkn@smtp.sapphiresolutions.co.nz] has joined ##openvpn
22:12 < notworkn> Hi There!
22:15 < astrophy> !help command
22:15 < vpnHelper> astrophy: Error: There is no command "command".
22:15 < astrophy> !help plugin
22:15 < vpnHelper> astrophy: Error: There is no command "plugin".
22:15 < astrophy> !help howto
22:15 < vpnHelper> astrophy: Error: There is no command "howto".
22:15 < astrophy> !welcome
22:15 < vpnHelper> astrophy: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
22:16 < astrophy> !howto
22:16 < vpnHelper> astrophy: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
22:16 < notworkn> Ok so when I ran removealltap.bat and then added addtap.bat, I can see the connection, but it doesn't show up in ipconfig /all on windows xp
22:16 < notworkn> why would that be?
22:17 < astrophy> !redirect
22:17 < vpnHelper> astrophy: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
22:17 < astrophy> !nat
22:17 < vpnHelper> astrophy: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
22:20 < astrophy> I have no idea man
22:21 < astrophy> !configs
22:21 < vpnHelper> astrophy: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
22:21 < krzee> !goal
22:21 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
22:22 < astrophy> well my goal is to access teh internet over my vpn
22:22 < krzee> so ya, !redirect
22:23 < astrophy> !def1
22:23 < vpnHelper> astrophy: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
22:25 < astrophy> !ipforward
22:25 < vpnHelper> astrophy: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
22:25 < astrophy> !linipforward
22:25 < vpnHelper> astrophy: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
22:35 -!- EugeneDrunK is now known as dicknipples
22:35 -!- dicknipples is now known as EugeneKay
22:35 -!- EugeneKay is now known as EugeneDrunK
22:52 < notworkn> I run openvpn on windows xp, and I have a problem where the tap driver doesn't show up in ipconfig, and I believe it should
23:00 < krzee> well were you hiding it in the registry?
23:01 < notworkn> where would that setting be? I don't believe so
23:04 < krzee> !factoids search hide
23:04 < vpnHelper> krzee: "wintaphide" is (#1) in regedit find HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318} then Look through each sub-key for one with a DriverDesc = TAP-Win32Adapter V8 . Set Characteristics = 0x89, or (#2) To show again, set it to 0x81
23:04 < krzee> if you didnt play with that
23:04 < krzee> reboot, check
23:04 < krzee> if not there, uninstall all of it, reboot again
23:04 < krzee> then install and check again
23:05 < krzee> when i say all of it, i mean openvpn and the adapter
23:05 < krzee> i dont use windows, but i know rebooting often helps
23:05 < krzee> lol
23:06 -!- prakriti [~jeremy@24.100.137.18] has quit [Ping timeout: 252 seconds]
23:25 -!- Netsplit *.net <-> *.split quits: notworkn, BashLogic, Rolybrau
23:28 -!- Netsplit over, joins: Rolybrau, BashLogic
23:43 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Ping timeout: 276 seconds]
23:56 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Remote host closed the connection]
23:58 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
--- Day changed Tue May 04 2010
00:02 -!- HyperZid [~sanderj@195.204.103.72] has quit [Read error: Connection reset by peer]
00:02 -!- HyperZid [~sanderj@195.204.103.72] has joined ##openvpn
00:10 -!- Netsplit *.net <-> *.split quits: ScriptFanix, stein0, zamba, jupiter15, sno, Rienzilla, mrnice1
00:16 -!- Netsplit over, joins: ScriptFanix, jupiter15, zamba, sno, Rienzilla, mrnice1, stein0
00:46 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
00:53 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
00:53 -!- mode/##openvpn [+o mattock] by ChanServ
01:00 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
01:02 -!- prakriti [~jeremy@24.100.137.18] has joined ##openvpn
01:14 -!- angel-tsankov [~angel@109.160.108.246] has joined ##openvpn
01:15 -!- angel-tsankov [~angel@109.160.108.246] has left ##openvpn []
01:15 -!- angel-tsankov [~angel@109.160.108.246] has joined ##openvpn
01:16 < angel-tsankov> is it possible to configure openvpn client to read user/pass from file
01:25 < EugeneDrunK> It works on a per-key basis
01:26 < EugeneDrunK> You can set it up such that the keys are only readable by certain users, but that user is going to need sudo permissions to activate the routing, etc anyway
01:35 -!- zorzar [~zz@p4FFD0CF5.dip.t-dialin.net] has quit [Ping timeout: 246 seconds]
01:37 -!- zorzar [~zz@p4FFD1D8B.dip.t-dialin.net] has joined ##openvpn
01:44 < angel-tsankov> EugeneDrunK: what is per-key basis
01:44 < EugeneDrunK> You authenticate using a key combination, not a password
01:45 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
01:54 < angel-tsankov> well, the server I connect to, requires user/pass
02:00 < krzie> angel-tsankov, yes
02:00 < krzie> !pwfile
02:00 < vpnHelper> krzie: "pwfile" is (#1) OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h, or (#2) see --auth-user-pass in the manual (!man) for more info
02:00 < krzie> assuming you use user/pass
02:00 < krzie> which would be done via:
02:00 < krzie> !authpass
02:00 < vpnHelper> krzie: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
02:01 < krzie> =]
02:02 -!- EugeneDrunK is now known as EugeneKay
02:04 -!- dazo_afk is now known as dazo
02:17 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 265 seconds]
02:42 < angel-tsankov> krzie: thanks
02:43 < krzie> yw
02:43 < krzie> in the future if it takes too long, search !factoids
02:43 < krzie> !factoids
02:43 < vpnHelper> krzie: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
02:44 < krzie> i read over it myself every now and then, its full of goodness
02:49 -!- dazo is now known as dazo_afk
02:51 -!- dazo_afk is now known as dazo_afk_afk
02:53 < |Mike|> dazo_afk_afk: hi afk!
02:59 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
03:07 < krzie> hes super sfk
03:07 < krzie> hes way far from his keyboard
03:08 < krzie> based on amount of time ild guess teleportation
03:23 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
03:36 < vpnHelper> New forum entry openvpnforum: Configuration :: Configure client to read user/pass from file? :: Author angel.tsankov <http://www.ovpnforum.com/viewtopic.php?f=6&t=4374&p=4895#p4895> || Configuration :: Re: Configure client to read user/pass from file? :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=6&t=4374&p=4896#p4896>
03:37 -!- EugeneKay is now known as EugeneKaway
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:46 < krzie> !route
03:46 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
04:05 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
04:05 < tjz> already pre-order my sc2 CE @ amazon USD$99.99 :D
04:06 < vpnHelper> New forum entry openvpnforum: Configuration :: Re: Access lan behind OpenVPN client :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=6&t=4273&p=4899#p4899>
04:08 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has joined ##openvpn
04:21 -!- EugeneKaway is now known as EugeneKay
04:35 -!- frankS2 [frank@188.113.119.245] has quit [Changing host]
04:35 -!- frankS2 [frank@unaffiliated/franks2] has joined ##openvpn
04:55 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
05:02 -!- SkyLIVE [~SkyB0x@88.200.89.134] has joined ##openvpn
05:28 -!- SkyLIVE [~SkyB0x@88.200.89.134] has quit []
06:00 -!- GBiT` [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 268 seconds]
06:08 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has quit [Quit: Leaving.]
06:14 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
06:33 -!- EugeneKay [~EugeneKay@unaffiliated/eugenekay] has left ##openvpn ["Leaving"]
06:35 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Ping timeout: 245 seconds]
06:39 -!- teddy_ [~teddy@bas4-toronto02-1176313789.dsl.bell.ca] has joined ##openvpn
06:43 -!- dazo_afk_afk is now known as dazo
06:46 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
06:54 -!- takamichi [~pri@94.75.217.247] has quit [Ping timeout: 240 seconds]
06:54 -!- takamichi [~pri@ip-174-142-98-110.static.privatedns.com] has joined ##openvpn
07:18 -!- takamichi [~pri@ip-174-142-98-110.static.privatedns.com] has quit [Ping timeout: 252 seconds]
07:18 -!- takamichi [~pri@78.133.92.164] has joined ##openvpn
07:28 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
07:30 -!- UdontKnow is now known as KnightWhoSaysNi
07:46 -!- angel-tsankov [~angel@109.160.108.246] has quit [Quit: Leaving.]
08:15 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
08:24 -!- zheng [~zheng@114.92.136.154] has joined ##openvpn
08:46 -!- JoKoT3 [~JoKoT3@estlibre.org] has joined ##openvpn
08:46 < JoKoT3> !welcome
08:46 < vpnHelper> JoKoT3: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:47 < JoKoT3> !topology
08:47 < vpnHelper> JoKoT3: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
08:50 < JoKoT3> !howto
08:50 < vpnHelper> JoKoT3: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:52 < JoKoT3> hum
08:53 -!- SkyLIVE [~SkyB0x@212.235.177.25] has joined ##openvpn
09:00 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 252 seconds]
09:09 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
09:14 -!- SkyLIVE [~SkyB0x@212.235.177.25] has quit []
09:21 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
09:23 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Ping timeout: 264 seconds]
09:31 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
09:34 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Read error: Connection reset by peer]
09:34 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has joined ##openvpn
10:00 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
10:02 < ecrist> \o
10:05 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
10:08 < dazo> o/
10:09 < theDoc> \o
10:09 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
10:15 < rob0> /o\
10:15 < theDoc> \o/
10:18  * ScriptFanix putting some romantic music
10:21 < ecrist> \o
10:21 < ecrist> lol
10:22 < ecrist> ^^ doing the egyptian
10:24 < agagag> ls
10:24 < agagag> oups
10:35 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
10:36 -!- zheng [~zheng@114.92.136.154] has quit [Quit: Leaving]
10:39 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
10:39 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 248 seconds]
10:54 -!- JoKoT3 [~JoKoT3@estlibre.org] has quit [Quit: Quitte]
11:00 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
11:01 -!- WormFood [~wormfood@121.34.202.56] has quit [Quit: Leaving]
11:02 -!- WormFood [~wormfood@58.60.223.61] has joined ##openvpn
11:28 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:31 -!- SkyTIME [~SkyB0x@212.235.177.25] has joined ##openvpn
11:31 -!- SkyTIME [~SkyB0x@212.235.177.25] has quit [Excess Flood]
11:32 -!- SkyTIME [~SkyB0x@212.235.177.25] has joined ##openvpn
11:34 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:40 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:45 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
11:46 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Quit: Leaving]
12:06 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
12:47 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
12:47 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Remote host closed the connection]
12:48 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
12:55 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Remote host closed the connection]
12:56 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
13:09 < hyper_ch> wow, never knew that Marge Simpson is so tightly knotted to Europe:  http://images.sjau.ch/img/6b4d7c42.jpg
13:11 < krzie> hahahahahah
13:22 -!- dazo is now known as dazo_afk
13:27 < hyper_ch> this is so cute:  http://images.sjau.ch/img/fd09bc86.gif
13:27 < frankS2> should be a tiger
13:28 < hyper_ch> it's tigerish
13:56 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
13:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:59 < WormFood> this is an interesting problem I'm having tonight....it seems to be inconsistent...when I start the vpn, I get very good speed, but after a short time, 30-60 seconds, it gets very very slow...I restart the vpn, and the speed goes back to normal (fast)...then get slow again soon thereafter....restart and it is normal speed again.
14:00 < WormFood> sometimes It works great with no slowdowns, other times it is always slow....but tonight, it is fast then slow, over and over. I'm trying to watch youtube over it, so I can see the amount of video downloaded, and can visually see how fast it is....I'm also tailing my log file with a log level set highish, so I can see the "r" and "w" go across the screen as a crude gauge of speed
14:01 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
14:02 < WormFood> I know, I know, someone will say it is network issues, but that does not fit the patterns I'm seeing. And for what it is worth, I'm using udp (I understand tcp has slowdown problems like what I describe, but haven't tried it yet)....anyone have any comments or suggestions?
14:14 < krzie> WormFood, using TCP?
14:15 < WormFood> no, I just said I was using udp
14:15 < krzie> oh nm
14:15 -!- Local587 [~larryt@68-115-234-222.static.spbg.sc.charter.com] has joined ##openvpn
14:15 < krzie> dunno
14:15 < krzie> could test your MTU
14:15 < WormFood> I tried tcp, but it does not seem to make any difference....and then I tried changing port numbers, thinking maybe it is the GFWC screwing with me
14:16 < WormFood> the mut is set to default. I tested that before.
14:16 < WormFood> mtu I mean
14:17 < WormFood> seems to be very inconsistent...perhaps I should break out wireshark, and see if that shows me anything out of the ordinary
14:23 < WormFood> krzee, what was the option to test the mtu again? mtu-test, or test-mtu?
14:24 < WormFood> mtu-test
14:25 < WormFood> how long should that take generally?
14:26 < WormFood> damn! this stuff is driving me crazy!
14:29  * hyper_ch must have:  http://gizmodo.com/5530773/darth-vader-drives-you-through-the-dark-side-of-the-road
14:29 < vpnHelper> Title: Darth Vader Drives You Through the Dark Side of the Road - Darth Vader - Gizmodo (at gizmodo.com)
14:32 < WormFood> NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1541,1541] remote->local=[1541,1541]
14:35 -!- flok420 [folkert@keetweej.vanheusden.com] has quit [Excess Flood]
14:36 -!- flok420 [folkert@keetweej.vanheusden.com] has joined ##openvpn
14:36 < WormFood> The usual symptom of such a breakdown is an OpenVPN connection which successfully starts, but then stalls during active usage. (from the man page) <-- my connection does not seem to stall, it just goes horribly slow.
14:56 < WormFood> --tun-mtu 1500 --fragment 1300 --mssfix seems to do the trick....no slow-downs at all now...WTF?
14:56 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
15:10 -!- prakriti [~jeremy@24.100.137.18] has quit [Read error: Connection reset by peer]
15:17 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
15:24 < krzee> interesting
15:24 < krzee> but hey if it works for you im happy
15:31 < WormFood> me too
15:31 < WormFood> but I think I need to play around with it, and try to find the optimum values
15:31 < WormFood> but I'm really very curious to know the root of the problem
15:32 < krzee> me too
15:32 < krzee> ive never run into mtu issues before
15:32 < krzee> even over sat links
15:33 < krzee> so ive never been able to play with it
15:33 < WormFood> if you remember (you probably don't), you suggested I remove those options I had there before :P
15:33 < Bushmills> krzee: moinmoin
15:33 < WormFood> that was a few weeks ago
15:33 < WormFood> krzee, I'll give you a shell account, if you want to play with it on the client (sorry, can't give you shell on the server)
15:33 < krzee> WormFood, yes i did, because you didnt know why you had them there
15:33 < WormFood> you remember?
15:33 < krzee> yes
15:33 < krzee> Bushmills, moinmoin
15:33 < Bushmills> i have more or less completed the first round of script review. all changes untested, of course. mileage may vary.
15:33 < WormFood> cool
15:34 < WormFood> I expect with so many people you talk with, you would have forgotten that ;)
15:34 < krzee> normally youd be right, it could be the unique irc handle maybe
15:34 < WormFood> fuck! it is after 4:30 am here, and I want to get out in the morning and do things....I gotta go to bed, but very happy to at least know something more about this problem.
15:34 < WormFood> :D
15:35 < WormFood> I can give you a key to use for my server, if you want to try to play with it on your side as a client
15:35 < WormFood> I mean, vpn server, not the server itself
15:36 < WormFood> I actually had my ex-girlfriend get mad at me over this nick....she knew nothing about it, but decided to look it up in the dictionary, and announced she understood what it means (she hadn't a freakn' clue)
15:38 < vpnHelper> New forum entry openvpnforum: Configuration :: Re: Configure client to read user/pass from file? :: Reply by angel.tsankov <http://www.ovpnforum.com/viewtopic.php?f=6&t=4374&p=4897#p4897>
15:43 < krzee> WormFood, that wouldnt work, you need root to start openvpn
15:45 < WormFood> I can give you root on a box here at my home, but I don't know how much that'd help
15:45 < krzee> Bushmills, i have xcode here now =]
15:46 < Bushmills> you should be able to get right into the editor and save the files
15:46 < Bushmills> session open, files open, auth granted
15:47 < Bushmills> tmux or screen session would be an alternative, but saving a file doesn't write it to your local disk.
15:49 < Bushmills> obby is lazy mode... just leaving file open in editor, and being able to say "here they are, freshly edited, still open. go save them"
15:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
16:14 < krzee> --->  Computing dependencies for gobby
16:14 < krzee> finally installing
16:14 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Remote host closed the connection]
16:15 < krzee> i still (yrs after learning it) cant believe osX doesnt come with make... you shouldnt be able to get UNIX certification as an OS without make
16:19 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
16:20 < Bushmills> but make is a command line tool
16:20 < Bushmills> what should the common apple use do with those?
16:23 < krzee> build C files?
16:23 < krzee> ;)
16:23 < krzee> nah i see your/their point, but then why did they bother registering as a UNIX?
16:23 < krzee> i dont think freebsd is even registered as an official unix
16:32 -!- Local587 [~larryt@68-115-234-222.static.spbg.sc.charter.com] has quit [Quit: Ex-Chat]
17:06 -!- SkyTIME [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
17:08 -!- prakriti [~jeremy@24.100.137.18] has joined ##openvpn
17:11 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:21 -!- longword [~paul@eventhorizon.hosting365.ie] has joined ##openvpn
17:21 -!- longword [~paul@eventhorizon.hosting365.ie] has left ##openvpn ["Leaving"]
17:21 -!- takamichi [~pri@78.133.92.164] has quit [Ping timeout: 264 seconds]
17:22 -!- garymc [~chatzilla@host86-135-203-71.range86-135.btcentralplus.com] has joined ##openvpn
17:23 < garymc> HI Guys im new to linux etc and I need a VPN on my server so I can use SIP office phone from abroad
17:26 < krzee> if you dont know linux, why do it on linux?
17:26 < krzee> openvpn runs on all major OS's
17:28 < Bushmills> means maybe "because I gave a valid reason why I don't know what to do, you are therefore morally obliged to read the manual for me"
17:29 < garymc> krzee cos my Asterisk Server is setup on Centos
17:29 < garymc> yeah im just a little low on time and could do with a VPN that I access via my Iphone when im abroad and connected to a wifi channel
17:30 < Bushmills> and your question is?
17:30 < krzee> a) it can run on any machine in that lan, b) setting up openvpn is the same on ANY os basically
17:30 < Bushmills> maybe he wants to hire?
17:31 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
17:31 < krzee> iphone integration is REALLY weak and hackish
17:32 < garymc> Yeah I want to use a SIP phone from hotel that doesnt allow port 5060
17:33 < Bushmills> will you have any other device with you in the hotel?
17:33 < Bushmills> i mean, internet capable. not thinking of recreational gear 
17:33 < garymc> nope
17:34 < garymc> just my iphone
17:34 < garymc> I just thought maybe a VPN would be easy to setup and connect too
17:34 < garymc> maybe not :(
17:34 < rob0> !howto
17:34 < vpnHelper> rob0: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:35 < rob0> The SSL PKI bits are (for me) the most troublesome part, but there are enough "do this" examples and wrapper scripts that I managed it.
17:35 < Bushmills> a laptop could have been nice
17:35 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
17:38  * Bushmills makes mental note:  don't forget to pack a reflashed wlan router when staying in a hotel.
17:39 < garymc> Ok Iam unsure on what openVPN to install
17:39 < garymc> I just want to beable to connect to my asterisk box through a VPN with my Iphone when abroad
18:01 -!- garymc [~chatzilla@host86-135-203-71.range86-135.btcentralplus.com] has left ##openvpn []
18:03 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
18:09 < krzee> !iphone
18:09 < vpnHelper> krzee: "iphone" is (#1) http://www.lqx.net/tuntap-iphone.source.tgz for first attempt at getting openvpn on iphone, or (#2) http://github.com/jfx2006/OpenVPN_iphone/downloads for precompiled iphone binaries
18:09 < krzee> oops he left
18:10 < krzee> damn gobby is taking FOREVER to build, so many dependancies and such slow internet to get them with
18:10 < rob0> FWIW I doubt he would save any time by asking these questions here.
18:11 < krzee> methinks he'll never have that setup
18:11 < rob0> another thing bugs me ... international travel and hotels, an iphone ... there is some revenue involved. Why won't they spend a bit on technical expertise?!?
18:12 < Bushmills> 349484 bytes
18:12 < krzee> he'ld also do better to use something like pptp or ipsec just because its built into his iphone
18:12 < Bushmills> can't take *that+ long
18:12 < krzee> Bushmills, im building python currently
18:12 < krzee> its the dependancies that have taken 2 hours so far
18:12 < Bushmills> ah.  "if you want to create an apple pie from scratch, you must first invent the universe"
18:13 < Bushmills> carl sagan, IIRC
18:13 < Bushmills> or, "if you want the banana, you will get the whole gorilla"
18:14 < Bushmills> (from smalltalk + OO times)
18:14 < krzee> haha
18:14 < krzee> a girl online said something like "love can do anything"
18:14 < krzee> i responded "tell your love to buy me a laptop"
18:15 < Bushmills> know that i know where you buy your t-shirts, i can believe that
18:15 < krzee> s/^k//
18:16 < Bushmills> rye-t
18:18 -!- Omancho [~Omancho@ip70-187-168-252.oc.oc.cox.net] has joined ##openvpn
18:18 < Bushmills> but ... gobby doesn't have a python dependency
18:19 < Bushmills> http://scarydevilmonastery.net/snap/1273015162259770611d.png 
18:34 < ecrist> hello
18:34 < ecrist> !float
18:34 < vpnHelper> ecrist: Error: "float" is not a valid command.
18:42 -!- mode/##openvpn [+v krzee] by openvpn2009
18:45 < ecrist> why does HE get +v?
18:45 < ecrist> :(
18:45 < ecrist> lol
18:45 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
18:50 <@openvpn2009> lol
18:50 <@openvpn2009> because he's old schoo;
18:50 <@openvpn2009> :-)
18:51 <@openvpn2009> i know you are too but your /supporter/professional is a bit intimidating ;)
18:54 -!- kasx [~Andrew@seance.openvpn.org] has quit [Quit: Leaving]
18:55 -!- raidz [~Andrew@seance.openvpn.org] has joined ##openvpn
18:59 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Quit: Leaving]
19:08 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Ping timeout: 246 seconds]
19:09 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
19:18 <+krzee> lol
19:30 -!- Omancho [~Omancho@ip70-187-168-252.oc.oc.cox.net] has quit [Quit: The Lord of Murder Shall Perish.]
19:37 -!- slyboots [~slyboots@188-223-55-137.zone14.bethere.co.uk] has joined ##openvpn
19:37 < slyboots> Hi
19:42  * slyboots is haivng some trouble getting a OpenVPN connection between my server and a Android phone going
19:43 < slyboots> Have the server and client configured (using a briged) connection and in the logs I can see the client connect, it verfies the certificates, then pushes the new IP address out..
19:43 < slyboots> SENT CONTROL [localhost]: 'PUSH_REPLY,route-gateway 192.168.1.199,ping 10,ping-restart 120,ifconfig 192.168.1.10 255.255.255.0' (status=1)
19:44 < slyboots> But, almost straight after I get read UDPv4 [ECONNREFUSED]: Connection refused (code=111) several times then the client gives up and drops the connection
20:06 -!- slyboots [~slyboots@188-223-55-137.zone14.bethere.co.uk] has quit [Remote host closed the connection]
20:07 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:12 <+krzee> a) why bridge?
20:13 <+krzee> b) sounds like something is blocking the VPN addresses
20:13 <+krzee> (firewall on 1 side or the other)
20:21 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Remote host closed the connection]
20:24 <+krzee> Bushmills, still installing dependencies, lol
20:24 < Bushmills> i can't believe that
20:25 < Bushmills> it takes 3 days to install a program?
20:25 <+krzee> 4 hours of dependencies so far
20:25 <+krzee> lol
20:26 < Bushmills> but where do those deps come from? what needs them?
20:26 <+krzee> port install gobby
20:27 < Bushmills> (01:18:45) Bushmills: but ... gobby doesn't have a python dependency
20:27 < Bushmills> (01:19:42) Bushmills: http://scarydevilmonastery.net/snap/1273015162259770611d.png 
20:27 <+krzee> *shrug* port install gobby installed python
20:27 < Bushmills> that related to installation of dependency python
20:29 < Bushmills> are you encoding 8 movies at the same time?
20:32 <+krzee> bash-3.2# port deps gobby
20:32 <+krzee> Full Name: gobby @0.4.12
20:32 <+krzee> Build Dependencies:   pkgconfig
20:32 <+krzee> Library Dependencies: glib2, gtk2, glibmm, libxmlxx2, gtkmm, gtksourceview2, libgnomecups, net6, obby
20:32 <+krzee> nope, my very powerful system isnt doing much besides this
20:32 <+krzee> however, the internet maxes out around 30kn/s
20:33 <+krzee> kB/s
20:33 < Bushmills> now where do you see python there, in those deps?
20:33 < Bushmills> pkgconfig needs python?
20:34 <+krzee> something needed it
20:38 <+krzee> www.ircpimps.org/bush
20:39 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
20:39 < Bushmills> tcl 8|
20:40 < Bushmills> could it be that you also install optionals, suggestions?
20:41 < Bushmills> (rather than just the strictly required stuff)
20:47 < Bushmills> gcc-fortran :D
20:47 < Bushmills> math-atlas?
20:51 -!- raidz [~Andrew@seance.openvpn.org] has quit [Quit: Leaving]
20:55 <+krzee> ya dude no idea
20:55 <+krzee> just gunna let it run all week til i fill up the TB harddrive with every package in the world
20:55 <+krzee> ;)
21:25 <+krzee> --->  Cleaning gobby
21:25 <+krzee> bash-3.2# 
21:25 <+krzee> wow
21:31 < Bushmills> finished?
21:32 <+krzee> da
21:34 -!- raidz [~Andrew@seance.openvpn.org] has joined ##openvpn
21:34 < Bushmills> ok... let it spin
21:35 <+krzee> wow
21:35 <+krzee> shortest manpage in the history of applications
21:36 < Bushmills> -j server    
21:36 <+krzee> ya i remembered
21:36 <+krzee> but i have a habit of looking at the manpage
21:37 < Bushmills> for own sessions, with files immediately opened,  -j server file1 file2 file3    or   -j server files*
21:44 -!- EugeneKay [~EugeneKay@unaffiliated/eugenekay] has joined ##openvpn
21:47 -!- mode/##openvpn [+o raidz] by ChanServ
21:49 -!- Irssi: ##openvpn: Total of 94 nicks [2 ops, 0 halfops, 1 voices, 91 normal]
21:51 <+krzee> what is verhau
21:52 -!- mode/##openvpn [+o krzee] by ChanServ
21:52 -!- mode/##openvpn [-v krzee] by krzee
21:52 -!- mode/##openvpn [-o krzee] by krzee
21:52 < krzee> ;]
21:53 < Bushmills> entanglement
21:53 < krzee> line 41 on genserver says verhau, i think that was a typo ;)
21:53 < Bushmills> .de
21:53 < Bushmills> or scarydevilmonastery.net
22:02 -!- propagandhi [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has joined ##openvpn
22:03 < krzee> cool program
22:42 -!- openvpn [openvpn@atlantis.openvpn.org] has quit [Disconnected by services]
22:42 -!- openvpn [openvpn@atlantis.openvpn.org] has joined ##openvpn
22:42 -!- openvpn [openvpn@atlantis.openvpn.org] has quit [Disconnected by services]
22:42 -!- openvpn [openvpn@atlantis.openvpn.org] has joined ##openvpn
22:42 -!- openvpn [openvpn@atlantis.openvpn.org] has quit [Disconnected by services]
22:43 -!- openvpn [openvpn@atlantis.openvpn.org] has joined ##openvpn
22:43 -!- openvpn [openvpn@atlantis.openvpn.org] has quit [Disconnected by services]
22:43 -!- openvpn [openvpn@atlantis.openvpn.org] has joined ##openvpn
22:43 -!- openvpn [openvpn@atlantis.openvpn.org] has quit [Disconnected by services]
22:43 -!- openvpn [openvpn@atlantis.openvpn.org] has joined ##openvpn
22:44 -!- openvpn [openvpn@atlantis.openvpn.org] has quit [Disconnected by services]
22:44 -!- openvpn [openvpn@atlantis.openvpn.org] has joined ##openvpn
22:44 -!- openvpn [openvpn@atlantis.openvpn.org] has quit [Disconnected by services]
22:44 -!- openvpn [openvpn@atlantis.openvpn.org] has joined ##openvpn
22:44 -!- openvpn [openvpn@atlantis.openvpn.org] has quit [Disconnected by services]
22:44 -!- openvpn [openvpn@atlantis.openvpn.org] has joined ##openvpn
22:45 -!- openvpn [openvpn@atlantis.openvpn.org] has quit [Disconnected by services]
22:45 -!- openvpn_ [openvpn@atlantis.openvpn.org] has joined ##openvpn
22:47 -!- openvpn_ [openvpn@atlantis.openvpn.org] has quit [Remote host closed the connection]
22:51  * ecrist heads to bed.
22:54 < EugeneKay> krzee, before I spend too much more ridiculously long googling inepty, can you link me to a note on how to assign a static IP based on the key being used?
22:56 < ecrist> by key, do you mean certificate?
22:56 < ecrist> !ccd
22:56 < vpnHelper> ecrist: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
22:56 < EugeneKay> Yesh.
22:57 < ecrist> ^^^
22:57 < ecrist> :)
22:57  * ecrist really goes to bed now.
22:57 < EugeneKay> I figured that bit, it was he specific directive that had me scratching my head
23:03 < EugeneKay> Ah, I think I have it. Seems it's a different syntax depending on whether the client is Windows or Linux, though? 
23:03 < EugeneKay> That's.... odd
23:06 < EugeneKay> This explains why it didn't work when I was trying it before.
23:15 < krzee> !static
23:15 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
23:15 < krzee> when you have a feeling the bot knows, try !factoids
23:15 < krzee> !factoids
23:15 < vpnHelper> krzee: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
23:16 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:32 -!- raidz [~Andrew@seance.openvpn.org] has quit [Quit: Leaving]
23:32 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
23:49 -!- raidz [~Andrew@seance.openvpn.org] has joined ##openvpn
23:49 -!- mode/##openvpn [+o raidz] by ChanServ
--- Day changed Wed May 05 2010
00:22 -!- takamichi [~pri@78.133.92.164] has joined ##openvpn
00:22 -!- raidz [~Andrew@seance.openvpn.org] has quit [Quit: Leaving]
00:22 -!- raidz [~Andrew@seance.openvpn.org] has joined ##openvpn
00:23 -!- mode/##openvpn [+o raidz] by ChanServ
00:31 -!- angel-tsankov [~angel@212.73.151.246] has joined ##openvpn
00:32  * theDoc is freezing in g-damn server rooms
00:32 < theDoc> :(
00:33 < angel-tsankov> krzee: after some period of inactivity, openvpn closes VPN the connection; how can I avoid this
00:40 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Ping timeout: 246 seconds]
01:00 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
01:20 -!- takamichi [~pri@78.133.92.164] has quit [Ping timeout: 240 seconds]
01:20 -!- takamichi [~pri@94.75.217.248] has joined ##openvpn
01:22 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
01:26 -!- geri [~Gerald@143.205.215.28] has joined ##openvpn
01:26 < geri> hi
01:26 < geri> i use openvpn gui...is it possible to start openvpn gui via console?
01:27 < geri> command line
01:32 -!- zorzar_ [~zz@p4FFD1AA0.dip.t-dialin.net] has joined ##openvpn
01:36 -!- zorzar [~zz@p4FFD1D8B.dip.t-dialin.net] has quit [Ping timeout: 276 seconds]
01:39 -!- propagandhi [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has quit [Read error: Connection reset by peer]
01:39 -!- propagandhi [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has joined ##openvpn
01:40 -!- propagandhi [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has quit [Client Quit]
01:40 -!- geri2 [~Gerald@143.205.215.14] has joined ##openvpn
01:43 -!- propagandhi [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has joined ##openvpn
01:44 -!- geri [~Gerald@143.205.215.28] has quit [Ping timeout: 276 seconds]
01:45 -!- geri2 [~Gerald@143.205.215.14] has quit [Ping timeout: 276 seconds]
01:48 -!- geri [~Gerald@143.205.215.17] has joined ##openvpn
01:48 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Quit: Leaving...]
02:00 < angel-tsankov> hello
02:00 < angel-tsankov> is there anybody theer
02:06 < hyper_ch> no, nobody's here
02:10 -!- geri2 [~Gerald@143.205.215.21] has joined ##openvpn
02:11 < angel-tsankov> excellent
02:13 -!- geri [~Gerald@143.205.215.17] has quit [Ping timeout: 276 seconds]
02:14 -!- propagandhi [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has quit [Remote host closed the connection]
02:23 -!- astrophy [~astrophy@ip12.208-100-1.static.steadfast.net] has quit [Ping timeout: 260 seconds]
02:23 -!- dazo_afk is now known as dazo
02:25 < dazo> geri2: yes, you can run openvpn from console .... in fact openvpn-gui is just a GUI wrapper for openvpn
02:25 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has joined ##openvpn
02:26 < dazo> geri2: you'll need to locate the openvpn.exe on your computer and your configuration files ... go into the the directory of the config files ... and write <fullpath to openvpn>\openvpn.exe --config <your config file>
02:26 -!- angel-tsankov [~angel@212.73.151.246] has quit [Quit: Leaving.]
02:27 < geri2> ok
02:40 -!- prakriti [~jeremy@24.100.137.18] has quit [Read error: Connection reset by peer]
03:06 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
03:16 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 246 seconds]
03:17 -!- n5 [~nop@78-60-200-182.static.zebra.lt] has quit [Ping timeout: 240 seconds]
03:21 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:26 -!- Lantizia [~Lantizia@93-97-23-110.zone5.bethere.co.uk] has joined ##openvpn
03:26 < Lantizia> Has anyone in here managed to use the KDE Network-Manager interface to add an OpenVPN connection?
03:26 < Lantizia> I can make one, but theres no import function for the conf/ovpn file - so I'm kind of guessing what needs to be entered/ticked :(
03:33 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
03:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:44 -!- lifeforms_ [~walter@tau.lfms.nl] has joined ##openvpn
03:46 -!- Netsplit *.net <-> *.split quits: meepmeep, lifeforms, julius, vlt, kinlo, theneb_, zero-_, Krikke, dazo, tw,  (+3 more, use /NETSPLIT to show all of them)
03:46 < krzie> Lantizia, 
03:46 < krzie> !netman
03:46 < vpnHelper> krzie: "netman" is if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from an openvpn expert on the mail list
03:47 -!- Netsplit over, joins: dazo, jpalmer, sigius, julius, zero-_, lifeforms, meepmeep, vlt, kinlo, Krikke (+3 more)
03:47 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 246 seconds]
03:47 -!- lifeforms [~walter@tau.lfms.nl] has quit [Ping timeout: 285 seconds]
03:47 -!- theneb_ [~theneb@theneb.co.uk] has quit [Ping timeout: 246 seconds]
03:47 -!- theneb [~theneb@theneb.co.uk] has joined ##openvpn
03:48 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
03:48 < Lantizia> krzee, well it works just fine importing the file using the GNOME version of the nmapplet
03:48 < Lantizia> which in the end I've installed replacing the KDE one
03:48 < krzie> welp
03:48 < krzie> thats the answer here ;]
03:49 < krzie> this channel is for openvpn, not network manager
03:49 < krzie> if you want help with openvpn, im happy to help
03:50 -!- zorzar_ is now known as zorzar
04:00 -!- Lantizia [~Lantizia@93-97-23-110.zone5.bethere.co.uk] has left ##openvpn ["Leaving"]
04:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:10 -!- geri [~Gerald@143.205.215.24] has joined ##openvpn
04:13 -!- geri2 [~Gerald@143.205.215.21] has quit [Ping timeout: 260 seconds]
04:31 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
04:38 -!- prakriti [~jeremy@24.100.137.18] has joined ##openvpn
05:23 -!- pawz [~pawz@ppp118-208-58-60.lns20.bne1.internode.on.net] has joined ##openvpn
05:23 -!- geri [~Gerald@143.205.215.24] has quit [Ping timeout: 240 seconds]
05:25 < pawz> I've got two clients connected to a server with client-to-client enabled, iroutes setup in the ccd directory on the server, and routes to each subnet pushed to the clients. the problem is, the clients can reach SOME hosts on the opposite subnet, but not others. There seems to be no pattern to it, some hosts work, some hosts don't. What could cause this ?
05:26 < pawz> none of the systems have firewalls but the two clients are behind nat
05:26 < pawz> however, both clients are in the dmz on their respective networks
05:28 < krzie> its either routes or firewalls, tcpdump to see where packets get to
05:29 < krzie> you seen this?
05:29 < krzie> !route
05:29 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
05:30 < pawz> well, done that and the result is as expected. if i start a ping to a host on the opposite network, and run tcpdump on the destination network, i can see the pings hit the destination network just fine, but some hosts on the destination LAN respond.. some don't
05:30 < krzie> lol
05:30 < krzie> then you didnt trace far enough
05:30 < krzie> do those hosts that dont respond even see the ping?
05:31 < pawz> hrmm, haven't gone that far. i'll check
05:48 < krzie> it takes that long to run tcdump on another machine?
05:49 < pawz> no_maam, sorry. i realised the problem
05:49 < pawz> err, no. rather (nick completion)
05:49 < pawz> it hadn't occcur to me to add a route to the opposite network to each othe client machines on the LAN side
05:50 < pawz> the openvpn clients aren't on the default router for the LAN's
05:50 -!- geri [~Gerald@143.205.215.17] has joined ##openvpn
05:50 < pawz> the reason it was working on some machines is some machines apparently they were learning the route back, while others weren't
05:50 < pawz> the network printer on one lan happily "learns" the route, but the other machines on the lan don't
05:51 < pawz> so i'm wondering what i can do. if i could add a static route on the router for each network it would solve the problem, but they don't support adding static routes
05:52 < pawz> i'm thinking i need to replace the routers on both lans with ones that either support static routes, or else ones that support openvpn natively
05:52 < pawz> because i don't have access to all the other clients on the lan's to add static routes to them
05:56 < krzie> !factoids search outside
05:56 < vpnHelper> krzie: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
05:56 < krzie> all routers can add static routes
05:56 < krzie> thats part of what makes them routers
05:57 < pawz> well i'm using a belkin router and it doesn't have a terminal interface, only a web interface, and the web interface does NOT have an option for adding static routes
05:57 < pawz> by router i'm talking about a home adsl modem that performs NAT, not a true "router"
05:58 < krzie> well lets call it a nat box
05:59 < krzie> if you cant add routes to it, i refuse to hear it called a router
05:59 < pawz> i know, the terminology is retarded. they shouldn't call them routers, but they do
06:00 < pawz> i think i'll try and replace both modems with something can run openwrt, then i can just run the openvpn server on them
06:01 < pawz> can't think of any other alternative unfortunately
06:01 < krzie> well there is no other alternative
06:02 < krzie> either you route it on their default router or on each machine on the lan
06:02 < pawz> it's amusing that on both lans, it was the network printers that learned the correct route from the openvpn server
06:02 < krzie> well
06:02 < krzie> i guess you could hack something up with NAT, but i refuse to support it
06:02 < pawz> indeed. i'd rather not do that either
06:03 < pawz> how do you suppose the printers learned the route ? i'm not running rip or any protocol that should announce routes to my knowledge
06:10 < pawz> actually i've got one linux box behind the nat which happily responds to pings from the other LAN despite not having a static route to that network. why, i do not know
06:11 < krzie> its default router is set to the belkin...?
06:11 < pawz> yeah
06:11 < krzie> *shrug*
06:11 < krzie> dunno
06:11 < krzie> 1min, this isnt for you
06:11 < krzie> !servercert
06:11 < vpnHelper> krzie: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mitm
06:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
06:22 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:39 < geri> dazo, is it possible to pass the password using openvpn --config ... ?
06:42 < krzie> password for auth or for private key
06:44 < Bushmills> pawz: check out the TP-Link WR1043ND
06:44 < Bushmills> very affordable for its features
06:45 < Bushmills> (and runs openvpn nicely)
06:45 < Bushmills> 400 MHz MIPS, 32 MiB RAM
06:53 < pawz> i'll see if it's available locally. i was looking at a generic brand one that came with dd-wrt
06:54 < pawz> retail price for that tp-link is very high locally
06:55 < pawz> also i don't need the wireless, so an N router is unnecessary
06:55 < Bushmills> how much is "very high" for your locality?
06:55 < pawz> $98 AUD
06:55 < Bushmills> yes, seems high
06:56 < pawz> and that's the lowest price from a wide range. 
06:56 < Bushmills> starting at about 53$
06:56 < pawz> i can get an unbranded one for $45 including postage. i'll probably get two of them
06:56 < Bushmills> 60$ consistently.  us$, that is
06:58 -!- Slyboots [~Slyboots@188-223-55-137.zone14.bethere.co.uk] has joined ##openvpn
06:59 < Bushmills> guess your prices have the island surcharge already included
07:00 < Bushmills> funnel web tax
07:01 < pawz> heh something like that
07:02 < krzie> geri, gunna answer my question so i can answer yours?
07:02 < geri> i want to start openvpn using the config file and pass the passwort
07:02 < geri> via command line
07:02 < krzie> [07:39]  <geri> dazo, is it possible to pass the password using openvpn --config ... ?
07:02 < krzie> [07:42]  <krzie> password for auth or for private key
07:03 < geri> in the config file?
07:03 < krzie> lol
07:03 < |Mike|> ofc not!
07:03 < krzie> is it an auth password or a private key password?
07:04 < krzie> does openvpn talk to the server AT ALL before asking for the password?
07:04 < krzie> or is the first thing that happens that openvpn asks for a password
07:04 < krzie> before attempting a connection
07:08 < dazo> krzie: openvpn will ask for all passwords *before* doing any connection at all
07:08 < krzie> umm
07:08 < krzie> an auth-pass is initiated by the server
07:08 < dazo> if --user-auth-pass fails .... it will disconnect immediately
07:08 < krzie> client wont know til told
07:09 < krzie> so it must attempt a connection before asking for that
07:09 < dazo> nope
07:09 < krzie> ?
07:09 < dazo> openvpn collects user name password ... and then initiates the contact with the server ... if it's wrong, it disconnects
07:10 < dazo> but it will only ask for username/password if --auth-user-pass is given, of course
07:10 < krzie> oh ok
07:10  * Slyboots is having issues with connecting his N1 to his VPN as well.. Seems to connect and verfiy the Certs OK, but when it reaches the stage to push out the new IP address it throws up an error on the server
07:10 < krzie> anyways
07:10 < krzie> if it is an auth pass
07:10 < krzie> !pwfile
07:10 < vpnHelper> krzie: "pwfile" is (#1) OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h, or (#2) see --auth-user-pass in the manual (!man) for more info
07:10 < Slyboots> read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
07:11 < krzie> if not, just dont put a pass on your keyfile :-p
07:11 < dazo> geri: ^^^ 
07:11 < dazo> and it's possible (and easy) to remove a password from any SSL keys
07:12 < geri> dazo, ?
07:12 -!- takamichi [~pri@94.75.217.248] has quit [Ping timeout: 276 seconds]
07:13 -!- takamichi [~pri@67.159.55.234] has joined ##openvpn
07:13 < dazo> geri: ^^ == read up ;-)  krzie and I briefly discussed passwords and config files ... and the msg from vpnHelper is useful if you're having --auth-user-pass in your client config file
07:15 < geri> he asks me for the private key
07:18 < geri> is it possible to save the private key somewhere?
07:19 < ecrist> geri, see here:
07:19 < ecrist> !pwfile
07:19 < vpnHelper> ecrist: "pwfile" is (#1) OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h, or (#2) see --auth-user-pass in the manual (!man) for more info
07:20 < ecrist> or, try reading the man page.
07:20 < ecrist> :)
07:21 < geri> hm
07:21 < geri> maybe min version is too old
07:21 < geri> openvpn gui v1.0.3
07:22 < dazo> geri: do you use the latest openvpn-2.1.1?
07:22 < geri> OpenVPN 2.1_rc4 Win32-MinGW [SSL] [LZO2] built on Apr 25 2007
07:23 < dazo> geri: try updating to 2.1.1 ... your ones are almost 3 years old 
07:23 < dazo> in fact ... it is over 3 years old :-P
07:25 < krzie> wow, i didnt realize rcx was that out
07:25 < krzie> old*
07:26 -!- Draiden [~stefan@5354A5F0.cable.casema.nl] has joined ##openvpn
07:27 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
07:27 < dazo> the first beta came in 2005 (16 betas was released)... and the first rc in in late 2006 
07:28 < Slyboots> ow, I've been goggling the error messsage but I've not found anything that really matches the issue's I've been having (Cept one report about a firewall, but I've already forwarded the ports and disabled the firewall on the server.. so its not that)
07:29 < ecrist> what is your error, Slyboots ?
07:29 < Slyboots> read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
07:29 < dazo> ehh ...  Connection refused
07:29 < ecrist> that would be a firewall
07:29 < Slyboots> It *appears* to the connecting OK, verfies the Certs.. but its when it comes to push out the new IP address. I get that
07:29 < dazo> or in general ... the client cannot not reach the server ....
07:29 < Slyboots> I've disabled iptables
07:29 < ecrist> !logs
07:29 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
07:30 < Slyboots> If I disable ethernet bridging it connects.. but I cant do anything usful :P
07:30 < ecrist> !configs
07:30 < Slyboots> Mm okay hold on
07:30 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
07:30 < dazo> Slyboots: increase verb logging on server side and look carefully through server logs ... it'll be written pretty clearly in that log, I'm pretty sure of that
07:30 < ecrist> if you provide us with more information, we can try to help
07:30 < Slyboots> Okay, let me just stick em into pastebin
07:31 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
07:31 -!- mode/##openvpn [+o mattock] by ChanServ
07:34 < Slyboots> Okay
07:34 < Slyboots> This is the config file..
07:34 < Slyboots> http://pastebin.com/5LcRb6y1
07:35 < ecrist> um, you need to choose a better IP range to start
07:35 < ecrist> !1918
07:35 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
07:36 < Slyboots> Wont I have to reconfigure my entire network for that?
07:37 < ecrist> yes.
07:37 < ecrist> the issue you're going to run into is the network you're using is way too common.
07:37 < ecrist> nearly all home network routers use the 192.168.1.0/24 or 192.168.0.0/24 subnet
07:38 < ecrist> which means, anyone who connects to your VPN from one of those networks is going to run into problems.
07:39 < Slyboots> Im goign to be the only one :P
07:39 < Slyboots> Its a very private vpn haha
07:39 < ecrist> ok, but where are you going to connect to your vpn from?
07:39 < Slyboots> Work (which uses the 10.x net, ad my phone
07:39 < ecrist> ok
07:42 < ecrist> logs, too, please
07:43 < Slyboots> Heres the logs
07:43 < Slyboots> http://pastebin.com/ZXbr4d6a
07:43 < Slyboots> Sorry, kind of a lot of em
07:45 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
07:49 < krzie> !pptp
07:49 < vpnHelper> krzie: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
07:49 < vpnHelper> krzie: read about why to not use pptp
07:50 < dazo> Slyboots: this is client side?  try server side as well
07:50 < Slyboots> thats the server side logs
07:50 < dazo> uhh 
07:50  * dazo rereads the fine print
07:50 < Slyboots> My phone doesnt give logs in that way (that Ic an tell)
07:50 < theDoc> hello folks ;p
07:51 < dazo> Slyboots: it looks  then like it's the client who don't accept the server certificate
07:52 < dazo> Slyboots: but you have some WARNINGS in the log file you should dig into ... line 395-396 for example
07:52 < Slyboots> Hmm, misconfigration on the client?
07:53 < dazo> Slyboots: and it can be the routes you push ... conflicts with the clients default route ... thus chopping the Internet connection
07:53 < Slyboots> Crapy android os
07:53 < Slyboots> Perhaps it only supports tunneling
07:55 < dazo> Slyboots: no, that's not the issue ... get a hold of the client logs ... and you'll probably see that there better
07:55 < Slyboots> Once I figure ot how...
07:55 < dazo> Slyboots: but .... fix WARNINGS first ... they will solve some issues as well
07:55 < Slyboots> the client on the phone is *really* .. weak
07:56 < Slyboots> I cant really change anything
07:56 < EugeneKay> Android doesn't have a usable OpenVPN client AFAIK
07:56 < Slyboots> Using a 3rd party (Cyanogen) not sure how complete the cient is..
07:56 < dazo> huh?? ... how did they manage to do that?
07:57 < Slyboots> Heard peopel having good success with it
07:57 -!- johnf [~johnf@124-170-18-159.dyn.iinet.net.au] has joined ##openvpn
07:57 < johnf> !welcome
07:57 < vpnHelper> johnf: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:58 < theDoc> What the fuck. Why the hell are people so desperate for o:lines.
07:58  * theDoc screams.
07:58 < dazo> o:lines?
07:58  * Slyboots rubs whats left of his sanity
07:59 < krzie> dazo: to be an irc oper
07:59 < johnf> so this is probably a dumb question. But I'll ask anyway
07:59 < krzie> personally, i wouldnt accept an O:
07:59 < johnf> I've got multiple hosts in EC2 that act as open vpn clients. For simplicity I've given them all the same certificate
07:59 < theDoc> I wouldn't go near any O;o:lines. More trouble than they're worth.
07:59 < johnf> this means at each key exchange they seem to get a new IP address
08:00 < johnf> is there anyway around that?
08:00 < theDoc> johnf> ccd
08:00 < theDoc> !ccd
08:00 < vpnHelper> theDoc: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
08:01 < johnf> theDoc: Yeah my problem is every client is using the same cert so they all have the same common name
08:01 < theDoc> Get them new certs.
08:01 < johnf> theDoc: Yeah I knew that was going to be the answer :)
08:01 < theDoc> The vpn server has no way of knowing who they "actually" are, mainly because they all have the same CN.
08:01 < johnf> thought it was worth asking nayway
08:02 < Slyboots> I dont think it supports tunneling.. (I cant see any way of altering the configureation files)
08:02 < Slyboots> ... crap -.-
08:03 < dazo> Slyboots: you got root access to your Android?
08:03 < Slyboots> ya
08:03 < dazo> Slyboots: then it should be easy ... get a shell going ... and start openvpn --config <your own config file>
08:03 < dazo> as root
08:03 < dazo> that's it
08:05 < Slyboots> Hmmm okay
08:05 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:05 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
08:06 < dazo> well, it's not a fancy smancy gui ... but should work ... and if it does, then you can haunt and stalk the gui developers instead :-P
08:06 < Slyboots> hehe
08:10 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
08:10 < WormFood> does mssfix need a value? The man page does not specify it needing a value, but all the examples I see use one.
08:11 < ecrist> WormFood: it does specifiy an option
08:11 < ecrist> s/option/value/
08:12 < WormFood> oops, I have it backwards....it shows a value, but the example does not
08:12 < ecrist> which example?
08:13 < WormFood> in the man page
08:14 < WormFood>  Therefore, one could lower the maximum UDP packet size to 1300 (a good first try for solving MTU-related connection problems) with the following options:
08:14 < WormFood>               --tun-mtu 1500 --fragment 1300 --mssfix
08:15 < dazo> WormFood: it defaults to 1450 if not given, I believe
08:15 < ecrist> looks like an omission to me.
08:15 < WormFood> yeah, I agree ecrist 
08:15 < dazo> (could be mentioned in the docs, though)
08:15 < WormFood> i use it with no value, and nothing complains
08:16 < dazo>  * Default MSSFIX value, used for reducing TCP MTU size
08:16 < dazo>  */
08:16 < dazo> #define MSSFIX_DEFAULT     1450
08:16 < dazo> from mtu.h
08:16 < WormFood> ok, looks good to me
08:16 < dazo> WormFood: want to provide a patch for the man-page?
08:17 < WormFood> I don't believe the man page is in error, because it has a default value
08:17 < ecrist> but the man page should mention the default.
08:17 < dazo> the man page should state that the default value is 1450 if no value is given ;-)
08:17 < ecrist> and max should be surrounded in square brackets
08:17 < ecrist> --mssfix [max]
08:17 < dazo> agreed
08:23 -!- Local587 [~larryt@68-115-234-222.static.spbg.sc.charter.com] has joined ##openvpn
08:27 -!- xNice [~Benz@qss-193.qualitynet.net] has joined ##openvpn
08:27 < xNice> hello...
08:27 < xNice> hello...i need recommendations for a vpn service for about 100 clients pptpd/openvpn most of them below 2mb adsl connection...what cpu/ram/bandwidth i may need for that ?
08:27 < krzie> a)
08:27 < krzie> !pptp
08:27 < vpnHelper> krzie: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
08:27 < vpnHelper> krzie: read about why to not use pptp
08:29 < xNice> the security is not my issue it will be like a proxy service to unblock sites/torrents
08:29 < xNice> i am talking about the cpu/ram/bandwidth i may need to run this service for about 100 clients
08:30 < WormFood> yeah dazo and ecrist, I agree with you guys about that mssfix
08:30 < krzie> i have no idea about your needs since i dont know what pptp will need
08:30 < krzie> however, bandwidth should be easy to know
08:31 < krzie> however many concurrent clients connect * avg bw concurrently used by client
08:31 < xNice> lets say i will offer openvpn service for 100 clients who allowed to use torrents...
08:31 < |Mike|> xNice: there is some table on the openvpn site about specs / clients
08:31 < xNice> what cpu/ram i may need
08:32 < xNice> ooh i have to see that thanks mike
08:33 < WormFood> damn! I wished it wasn't so hit-and-miss with this fragment/mssfix shit....takes forever to find out if it works or not.
08:34  * Slyboots tosses the idea in the bin :P
08:34 < Slyboots> Think the openvpn client is pretty broken on this :P
08:34 < Slyboots> And time for work anyway :P
08:34 < Slyboots> Cheers for the advice and tips though
08:37 < dazo> Slyboots: don't blame the client if it is the system you're running it on which fails ...
08:37 < Slyboots> heh
08:37 < Slyboots> :D
09:03 -!- chandoo [~chandoo@ool-4353b978.dyn.optonline.net] has joined ##openvpn
09:03 < chandoo> hi
09:03 < ecrist> hello
09:03 < chandoo> i configured columbia university vpn, i am getting below error
09:04 < chandoo> "VPN Connection Failed...Invalid VPN secrets"
09:04 < chandoo> ecrist) hello
09:04 < |Mike|> see the topic :)
09:04 < ecrist> chandoo: that error seems pretty self-explainitory to me.
09:05 -!- Slyboots [~Slyboots@188-223-55-137.zone14.bethere.co.uk] has quit [Quit: The Cow goes.. "Wark!"]
09:05 < chandoo> ecrist) do i need to be in the columbia univeristy network for vpn to work?
09:06 < chandoo> ecrist) i followed this link in configuring the vpn
09:06 < chandoo> http://cumc.columbia.edu/it/getting_started/vpn_linux.html
09:06 < vpnHelper> Title: VPN for Linux - Columbia University Medical Center Information Technology (at cumc.columbia.edu)
09:06 < chandoo> i am unsucessful in compiling the cisco vpn they are providing
09:07 < chandoo> i used the information they provided and configured the vpn in linux
09:08 < chandoo> ecrist) i am not that good in vpn concepts, i understand the error i didn't get it clearly
09:08 < chandoo> i provided valid username and password
09:08 < chandoo> please advice
09:10 -!- Draiden [~stefan@5354A5F0.cable.casema.nl] has quit [Quit: Leaving]
09:11 < ecrist> chandoo: you'll need to talk to the administrators for columbia university
09:11 -!- geri2 [~Gerald@143.205.215.17] has joined ##openvpn
09:12 -!- johnf [~johnf@124-170-18-159.dyn.iinet.net.au] has left ##openvpn []
09:12 < ecrist> chandoo: columbia university uses Cisco VPN, not openvpn
09:13 < chandoo> ecrist) can't we use openvpn if we have the connection info, sorry for my ignorance
09:13 -!- geri [~Gerald@143.205.215.17] has quit [Ping timeout: 264 seconds]
09:13 < ecrist> no, you cannot
09:14 < ecrist> cisco vpn and openvpn are completely different animals
09:14 < chandoo> i think i am using "cisco Anyconnect Compatiable VPN(openconnect)" from network manager
09:15 < EugeneKay> http://en.wikipedia.org/wiki/An_Elephant_Makes_Love_to_a_Pig
09:15 < vpnHelper> Title: An Elephant Makes Love to a Pig - Wikipedia, the free encyclopedia (at en.wikipedia.org)
09:15 < ecrist> this is a support channel for openvpn
09:15 < |Mike|> no it's not, we serve ice cream :d
09:15 < EugeneKay> That's what you're trying to ask us to do.
09:15 < ecrist> EugeneKay: ?
09:15 < EugeneKay> Try #ciscovpn
09:16 < EugeneKay> Or something.
09:16 < chandoo> EugeneKay) thanks for pointing me in right direction
09:16 < ecrist> chandoo: contact your helpdesk.
09:16 < |Mike|> svn commit .
09:16 < |Mike|> err
09:16 < EugeneKay> Well, the direction is "not in here"
09:16 < chandoo> ecrist) okay sure
09:17 < chandoo> ?close
09:17 -!- chandoo [~chandoo@ool-4353b978.dyn.optonline.net] has left ##openvpn ["Leaving...Leaving...Left"]
09:23 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:23 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:41 -!- Netsplit *.net <-> *.split quits: Rolybrau
09:50 -!- Netsplit over, joins: Rolybrau
10:02 -!- flok420 [folkert@keetweej.vanheusden.com] has quit [Excess Flood]
10:03 -!- flok420 [folkert@keetweej.vanheusden.com] has joined ##openvpn
10:11 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
10:13 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
10:15 -!- fullstop [~me@63.88.93.79] has joined ##openvpn
10:18 < fullstop> What would be the best way to switch ciphers for an existing openvpn network?
10:23 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
10:42 -!- BashLogic [~BashLogic@NS1.Kielletty.net] has quit [Ping timeout: 264 seconds]
10:42 -!- BashLogic [~BashLogic@NS1.Kielletty.net] has joined ##openvpn
10:47 -!- dazo [~dazo@nat/redhat/x-kzbwookxophpjiby] has quit [Read error: Connection reset by peer]
10:47 < ecrist> fullstop: update client and server configs.  done.
10:47 -!- dazo [~dazo@nat/redhat/x-kenkicgjnnszajpo] has joined ##openvpn
10:59 < fullstop> ecrist: That's what I expected.  :D
10:59 < fullstop> ecrist: I was secretly hoping that there was a way to allow either the client or the server to attempt more than one cipher.
11:00 < ecrist> not that I know of, the man page would likely be a good place to start.  I'm not sure if openvpn allows for al ist or not.
11:05 -!- WormFood [~wormfood@58.60.223.61] has quit [Ping timeout: 245 seconds]
11:12 < dazo> afaik, it's not possible to provide a cipher list
11:13  * dazo would like to see the cipher settings only being needed on the server side, the client should auto-detect
11:13 -!- dazo is now known as dazo_afk
11:17 -!- WormFood [~wormfood@121.34.165.247] has joined ##openvpn
11:17 < WormFood> anyone know the solution to "FRAG TTL expired i=X" (where X is a number)? I can find no solution via google, but this page http://www.strongvpn.com/forum/viewtopic.php?id=399 suggests they know the solution or what to do to fix it.
11:17 < vpnHelper> Title: OpenVPN FRAG TTL Expired i=x (Page 1) - Setup Help - StrongVPN Forum (at www.strongvpn.com)
11:23 -!- openvpn2009 [~admin@adsl-71-140-186-185.dsl.pltn13.pacbell.net] has quit [Ping timeout: 276 seconds]
11:26 -!- Guest12047 [~admin@adsl-71-140-186-185.dsl.pltn13.pacbell.net] has joined ##openvpn
11:28 -!- Guest12047 is now known as openvpn2009
11:28 -!- mode/##openvpn [+o openvpn2009] by ChanServ
11:38 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
11:41 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:42 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 265 seconds]
12:13 -!- geri2 [~Gerald@143.205.215.17] has quit [Quit: Leaving]
12:15 -!- mgolisch [~michi@85.93.11.18] has joined ##openvpn
12:16 < mgolisch> had one guy that had problems for some time now, seems like his router/modem sometimes loses its connection, and openvpn doenst seem to reconnecz properly
12:16 < mgolisch> or just think its still connected
12:40 -!- SkyTIME [~SkyB0x@212.235.177.25] has joined ##openvpn
12:46 -!- SkyTIME [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
13:40 < EugeneKay> Happy Fake Mexican Holiday, all.
13:48 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Ping timeout: 248 seconds]
13:50 <@raidz> lol, one of my friends is from Mexico, he says this whole Cinco de Mayo think is a joke
13:50 -!- mudassar [~quassel@laptop-0-24-7e-e1-dd-56.ida.liu.se] has joined ##openvpn
13:51 < EugeneKay> It's a bit like Saint Patrick's Day
13:51 < EugeneKay> Drink Corona / XX / Whatever, scream something about mexico, eat burritos, pass out.
13:51 < EugeneKay> My kinda holiday
13:51 < |Mike|> bloat
13:52 < ecrist> I try to avoid all these types of holidays.
13:52 < ecrist> I want to get a beer with a couple friends tonight, but I cringe at the thought of the bar scene.
13:52 <@raidz> ugh, not the night for that ecrist!
13:52 < ecrist> indeed
14:03 < krzie> cinco de drinko
14:08 < ecrist> I can get drunk ANY day.
14:22 < EugeneKay> Yes, but this is an especially good holiday for getting drunk
14:23 -!- KaiForce [~chatzilla@adsl-70-228-114-90.dsl.akrnoh.ameritech.net] has joined ##openvpn
14:33 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
14:41 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
14:53 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 246 seconds]
14:59 -!- mudassar [~quassel@laptop-0-24-7e-e1-dd-56.ida.liu.se] has quit [Read error: Connection reset by peer]
15:00 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
15:17 -!- KaiForce [~chatzilla@adsl-70-228-114-90.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
15:25 -!- krzee [~k@unaffiliated/krzee] has left ##openvpn ["Leaving"]
15:29 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
15:34 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 248 seconds]
15:38 < fullstop> some of the new intel cpus have AES implemented in hardware.  It would be awesome if openvpn supported this some day.
15:50 < krzee> its openssl that would support it
15:51 < Bushmills> i don't think is something for openvpn to do
15:51 < krzee> openvpn doesnt do its own encryption, it uses openssl
15:51 -!- Hypnoz [~colin@75.98.0.98] has joined ##openvpn
15:51 < Bushmills> some OS do provide encryption support to be called from drivers/apps
15:53 < Bushmills> supposedly with the idea to form an interface to hardware encryption support
15:53 < Bushmills> openvpn would use those transparently
15:56 < Bushmills> compare it to the ability of some CPUs or chipsets to provide real noise through a diode or a resistor. demanding that every app in need of random should interface with that noise source, instead of pulling noise from a system function which interfaces instead, would be a flawed approach  
15:59 < EugeneKay> Why the hell would you ned a special driver
15:59 < EugeneKay> read from /dev/random and be done with it
16:00 < EugeneKay> I get annoyed whenever I have to "move my mouse randomly over the area to generator random data"
16:01 < hyper_ch> EugeneKay: computers can't really randomize things
16:01 < krzee> i figure a good source of random is the name of the last girl in my bed as a seed
16:01 < krzee> ;]
16:01 < EugeneKay> And I always move my mouse in a figure 8
16:02 < EugeneKay> IRQ interrupt timings are pretty random
16:02 < hyper_ch> krzee: isn't that a constant for you?
16:02 < krzee> negative
16:02 < krzee> its rather random
16:02 < EugeneKay> It is for me. :-D
16:02 < hyper_ch> negative = no girl in your bed?
16:02 < EugeneKay> Though, Cydnie is at school still.
16:02 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
16:03 < EugeneKay> Not sure when she's coming back down.
16:03 < hyper_ch> you live below the school?
16:03 < hyper_ch> in the school basement?
16:03 < EugeneKay>  She's in Maine. I'm in AR.
16:03 < krzee> negative as in no its not constant
16:04 < EugeneKay> 28 hour drive, plus sleep
16:04 < hyper_ch> negative as in "not defined"
16:04 -!- zorzar is now known as zorzarAway
16:04 < krzee> and on occasion it would be 2 names
16:04 < hyper_ch> you got cats?
16:04 < EugeneKay> I hate Java for that reason. -1 is not false
16:04 < EugeneKay> It's negative one
16:04 < krzee> hyper_ch, i feel bad for you if thats the first thing you think of
16:05 < hyper_ch> ^^
16:06 < Bushmills> EugeneKay: where does /dev/random obtain its random from?
16:06 < hyper_ch> it's not really random
16:06 < Bushmills> it isn't sitting there just magically in the device file
16:06 < EugeneKay> Depends on the kernel driver 
16:06 < Bushmills> random is - if enough entropy available.  urandom isn't 
16:07 < EugeneKay> It's not like it's going to sit there and put out 1111111111111 all day
16:07 < Bushmills> urandom is pseudo random. faster. sometimes pulling from random if available entropy permits.
16:08 < Bushmills> thus potentially lower quality to read from urandom than from random
16:08 < EugeneKay> Though that would be random, just unlikely
16:08 < hyper_ch> I thought urandom is more random than random
16:08 < Bushmills> EugeneKay: random pool needs replenishing all the time
16:09 < Bushmills> hyper_ch: hex dump either. you'll find that urandom will be consistently fast. random will slow down eventually
16:09 < Bushmills> that's then entropy pool is exhausted
16:10 < hyper_ch> you always use such big techy words :)
16:11 < Bushmills> random is the right candidate to feed from real noise source 
16:11 -!- blueboxthief [~None_of_y@83-71-8-221-dynamic.b-ras1.dbn.dublin.eircom.net] has joined ##openvpn
16:11 < EugeneKay> I fully support the use of a breast jiggle monitor to create entropy
16:11 < EugeneKay> My fiancee, for example, would produce oodles of needed infor for said generator. http://img97.imageshack.us/img97/4867/dscn0417small.jpg
16:11 < hyper_ch> EugeneKay: you jiggle your breasts in front of your computer?
16:11 < EugeneKay> Yes, actually. http://www.kashpureff.org/cam/eektop.html
16:11 < vpnHelper> Title: Eugene Kashpureff Home Live Camera ! (at www.kashpureff.org)
16:12 < Bushmills> how do you interface those to the entropy pool?
16:12 < hyper_ch> why aren't home live cameras banned yet under the patriot act?£
16:12 < EugeneKay> The same way that lava lamp RNG worked. Take a cap from the webcam
16:14 < Bushmills> i learned recently that a script which pauses once every so often (say, every 5 secs) in a loop, then runs a program, will drain the entropy pool 
16:15 < hyper_ch> entropy pool... that sounds somewhat drug related
16:17 < EugeneKay> o.O
16:17 < EugeneKay> What language?
16:18 < hyper_ch> well, entropy reminds me of chemistry and the only real world use of chemistry is for producing drugs
16:22 -!- Hypnoz is now known as EverythingsARout
16:24 < EugeneKay> Eh
16:24 < EugeneKay> Not much of a fan of hard stuff
16:25 -!- EverythingsARout is now known as UbuntuOwnzJoo
16:26 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Remote host closed the connection]
16:26 -!- Local587 [~larryt@68-115-234-222.static.spbg.sc.charter.com] has quit [Quit: Ex-Chat]
16:26 -!- blueboxthief [~None_of_y@83-71-8-221-dynamic.b-ras1.dbn.dublin.eircom.net] has quit [Quit: Leaving.]
16:27 < Bushmills> that's more a term from physics.  thermodynamics
16:29 -!- fullstop [~me@63.88.93.79] has left ##openvpn ["Leaving"]
16:30 -!- blueboxthief [~None_of_y@83-71-8-221-dynamic.b-ras1.dbn.dublin.eircom.net] has joined ##openvpn
16:39 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
16:47 -!- UbuntuOwnzJoo is now known as UbuntuRouter
16:56 < krzee> !factoids search tuntap
16:56 < vpnHelper> krzee: "mactuntap" is http://tuntaposx.sourceforge.net/ for osX tuntap drivers
17:01 -!- astrophy [~astrophy@ip12.208-100-1.static.steadfast.net] has joined ##openvpn
17:13 -!- krzee [~k@unaffiliated/krzee] has left ##openvpn ["Leaving"]
17:14 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
17:20 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
17:29 -!- UbuntuRouter is now known as Hypnoz
17:43 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:55 < ecrist> I hate that mac os x doesn't have good bridging support
17:57 -!- raidzx [~Andrew@seance.openvpn.org] has joined ##openvpn
18:01 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 268 seconds]
18:01 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 268 seconds]
18:01 -!- sheath is now known as coil
18:01 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
18:01 -!- raidz [~Andrew@seance.openvpn.org] has quit [Ping timeout: 268 seconds]
18:02 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
18:53 -!- takamichi [~pri@67.159.55.234] has quit [Ping timeout: 276 seconds]
19:09 -!- openvpn2009 [~admin@adsl-71-140-186-185.dsl.pltn13.pacbell.net] has quit [Ping timeout: 276 seconds]
19:13 -!- dmz [~dmz@64.203.207.101.dyn-cm-pool-54.hargray.net] has quit [Quit: Ex-Chat]
19:13 -!- Guest12047 [~admin@adsl-71-140-186-185.dsl.pltn13.pacbell.net] has joined ##openvpn
19:23 -!- Hypnoz [~colin@75.98.0.98] has quit [Ping timeout: 240 seconds]
20:06 -!- tjz [~pc@bb119-74-183-143.singnet.com.sg] has joined ##openvpn
20:06 -!- tjz [~pc@bb119-74-183-143.singnet.com.sg] has quit [Changing host]
20:06 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:41 -!- theDoc [~jaki@210.19.225.130] has joined ##openvpn
20:41 -!- theDoc [~jaki@210.19.225.130] has quit [Remote host closed the connection]
21:58 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
22:11 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
22:15 -!- EugeneKay is now known as EugenaKed
22:40 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Remote host closed the connection]
23:29 -!- theDoc- [~jaki@69.10.59.166] has joined ##openvpn
23:31 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 276 seconds]
23:48 -!- theDoc- is now known as theDoc
23:48 -!- theDoc [~jaki@69.10.59.166] has quit [Changing host]
23:48 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
23:51 -!- Visual` [~visualsta@unaffiliated/visualstation] has left ##openvpn []
--- Day changed Thu May 06 2010
00:20 -!- raidzx [~Andrew@seance.openvpn.org] has quit [Quit: Leaving]
00:21 -!- raidz [~Andrew@seance.openvpn.org] has joined ##openvpn
00:21 -!- mode/##openvpn [+o raidz] by ChanServ
00:43 -!- takamichi [~pri@78.133.92.164] has joined ##openvpn
00:44 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
01:04 -!- astrophy [~astrophy@ip12.208-100-1.static.steadfast.net] has quit [Ping timeout: 276 seconds]
01:17 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:31 -!- SkyTIME [~SkyB0x@212.235.177.25] has joined ##openvpn
01:32 -!- zorzarAw1y [~zz@p4FFD39E5.dip.t-dialin.net] has joined ##openvpn
01:35 -!- zorzarAway [~zz@p4FFD1AA0.dip.t-dialin.net] has quit [Ping timeout: 248 seconds]
01:38 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 260 seconds]
01:41 -!- SkyTIME [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
01:42 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
01:49 -!- EugenaKed is now known as EugeneKay
01:58 -!- dazo_afk is now known as dazo
02:10 -!- teddy_ [~teddy@bas4-toronto02-1176313789.dsl.bell.ca] has quit [Ping timeout: 245 seconds]
02:11 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: roentgen]
02:20 -!- zorzarAw1y is now known as zorzar
02:24 -!- Guest12047 [~admin@adsl-71-140-186-185.dsl.pltn13.pacbell.net] has quit [Ping timeout: 240 seconds]
02:29 -!- Guest12047 [~admin@adsl-71-140-186-185.dsl.pltn13.pacbell.net] has joined ##openvpn
02:47 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has joined ##openvpn
02:47 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has left ##openvpn []
02:48 -!- teddy [~teddy@bas4-toronto02-1176005859.dsl.bell.ca] has joined ##openvpn
02:53 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
02:53 < theDoc> o/
02:55 -!- teddy [~teddy@bas4-toronto02-1176005859.dsl.bell.ca] has quit [Read error: Connection reset by peer]
02:55 < EugeneKay> \o/
02:56 -!- teddy [~teddy@bas4-toronto02-1176005859.dsl.bell.ca] has joined ##openvpn
02:56 < krzie>  /o\
02:56 < krzie> (handstand)
02:56 < theDoc> \o
02:56 < EugeneKay> Oh snap
02:57  * theDoc just found someone that wanted to use traceroute to find the external ip of a device ;(
02:57 < krzie> err
02:57 < krzie> secure-computing.net/ip.php
02:57 < krzie> http://secure-computing.net/ip.php
02:57 < vpnHelper> Title: SCN: SCN (at secure-computing.net)
03:02 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:12 < theDoc> krzee> Tell that to the indian network engineer
03:12 < theDoc> :(
03:12 < theDoc> He makes me sad.
03:18 -!- blueboxthief [~None_of_y@83-71-8-221-dynamic.b-ras1.dbn.dublin.eircom.net] has quit [Quit: Leaving.]
03:19 -!- blueboxthief [~None_of_y@83-71-8-221-dynamic.b-ras1.dbn.dublin.eircom.net] has joined ##openvpn
03:20 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has joined ##openvpn
03:21 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
03:24 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
03:36 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:47 < macsppadic> hello chaps
03:47 < macsppadic> theDoc: the indian network engineer makes u sad?
03:53 < krzie> sup macsppadic 
03:57 -!- pawz [~pawz@ppp118-208-58-60.lns20.bne1.internode.on.net] has left ##openvpn ["Leaving"]
03:59 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 246 seconds]
03:59 < macsppadic> hey there chaps
04:11 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
04:11 < theDoc> macsppadic> Yeah, ;(
04:11  * macsppadic is indian 
04:12 < macsppadic> may i ask whats cause of sadness-  hope its not one of my countrymen 
04:13 < theDoc> macsppadic> He plugged a cisco switch in without making sure that vtp mode was in transparent and that wiped some configs
04:13 < theDoc> :(
04:14 < theDoc> then he tried to use traceroute to find the external ip address of a device.
04:14 < macsppadic> ouch 
04:14 < theDoc> He was making me a sad panda for a little while.
04:14 < macsppadic> not that i am any better 
04:14 < macsppadic> hopefully damage wasnt too bad 
04:15 < theDoc> macsppadic> No biggie, I'm not the network engineer here. I'm here doing some server work.
04:15 < theDoc> but taking it down isn't fun ;(
04:15 < macsppadic> ahh ...well i know feck all about switch progamming 
04:15 < macsppadic> heehe
04:16 < macsppadic> yeah i can imagine  have enough fun with server routes as is 
04:16 < macsppadic> switches a whole differnt level 
04:16 < theDoc> I mean really, vtp is somewhat taught in CCNA and there's no reason to get smacked by that.
04:17 < theDoc> But it's all cool now.
04:44 < krzie> well
04:44 < krzie> the vtp thing... people sometimes make mistakes
04:44 < krzie> but the traceroute thing... shows a lack of understanding
04:47 < theDoc> krzee> Well, yeah. I'm more worried about the traceroute thing because he was chasing down some flakey network stuff and he was looking at traceroutes and asking me if that was the external facing ip. ;(
04:47 < theDoc> but well, we all learn from somewhere and since the net connection works just fine, ;p
04:48 < krzie> everyone learns somewhere is right
04:48 < krzie> but i prefer my network engineers learn before they manage my stuff
04:48 < krzie> :-p
04:49 < theDoc> krzee> The network isn't under my charge, I'm not terribly impressed by him but it seems like he's really trying to chase it down.
04:49 < theDoc> So.. ;p 
04:50 < krzie> i can realy try to cure your sickness, but i bet youd prefer a doctor instead
04:50 -!- HyperZid [~sanderj@195.204.103.72] has quit [Ping timeout: 260 seconds]
04:50 < theDoc> What? :?
04:51 < krzie> it seems like he's really trying to chase it down.
04:51 < krzie> [05:49]  <theDoc> So.. ;p 
04:51 < krzie> if you're sick, i could really try to help you...
04:51 < krzie> but youd likely prefer a doctor instead
04:51 < theDoc> krzee> You have me confused there.
04:52 < krzie> just because someone wants to help does not qualify them to do it
04:52 < theDoc> krzee> I know, his team was supposed to be chasing that problem down
04:52 < theDoc> lol
04:52 < krzie> if he thinks he can use traceroute to find his external ip, he obviously isnt fit to be messing with networking equipment
04:53 < theDoc> krzee> Probably not but he's the only person on site and I'm not about to get involved in chasing it down with him and get into a mess if he does something that breaks everything.
04:53 < krzie> i hear ya
04:53 < krzie> oh its a noc monkey
04:53 < krzie> now i understand
04:54 < krzie> hes just some support clown
04:54 < krzie> answers the phone, files trouble tickets and whatnot
04:54 < theDoc> krzee> pfft, it's not a noc!
04:55 < krzie> what is it
04:55 < theDoc> Some broadcasting place.
05:14 -!- DrPepper [~DrPepper@ip-88-207-237-235.dyn.luxdsl.pt.lu] has quit [Ping timeout: 245 seconds]
06:06 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
06:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:47 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
06:47 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:55 -!- DrPepper [~DrPepper@88.207.188.176] has joined ##openvpn
07:04 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 265 seconds]
07:04 -!- kloeri_ [kloeri@freenode/staff/exherbo.kloeri] has joined ##openvpn
07:04 -!- freaky[t] [alpha@freakyy.de] has quit [Ping timeout: 246 seconds]
07:05 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has quit [Ping timeout: 265 seconds]
07:06 -!- kloeri [kloeri@freenode/staff/exherbo.kloeri] has quit [Ping timeout: 615 seconds]
07:07 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined ##openvpn
07:09 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
07:14 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 276 seconds]
07:14 -!- hyper__ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
07:15 -!- hyper__ch is now known as hyper_ch
07:28 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
07:38 -!- tlir [~tlir@bzq-84-110-103-229.red.bezeqint.net] has joined ##openvpn
07:43 -!- tlir [~tlir@bzq-84-110-103-229.red.bezeqint.net] has left ##openvpn []
07:56 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 246 seconds]
08:08 -!- g4tsu [~g4tsu@ks301270.kimsufi.com] has joined ##openvpn
08:08 < g4tsu> Hi
08:09 < g4tsu> I've got a problem with openvpn : I can ping my vpn server (10.8.0.1) but I can't ping the net (ex : google.fr)
08:09 < g4tsu> any idea ?
08:11 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
08:11 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
08:16 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
08:17 < hyper_ch> krzee: help :)
08:17 < hyper_ch> g4tsu: I guess it's a routing problem
08:19 < g4tsu> yep but I couldn't find what is the rules that make problem
08:19 < g4tsu> -s
08:19 < macsppadic> firewall g4tsu 
08:19 < g4tsu> no firewall
08:19 < g4tsu> I can join my vpn
08:19 < hyper_ch> without firewall you'll catch tons of malwar :)
08:19 < macsppadic> amen to that 
08:19 < hyper_ch> what's your routing table?
08:19 < g4tsu> I mean it is not a firewall problem
08:19 < g4tsu> hyper_ch> with or without vpn up ?
08:20 < hyper_ch> with vpn
08:20 < g4tsu> http://pastebin.com/Qe41LYrW
08:20 < g4tsu> I have two ADSL Line in failover with pfsense
08:21 < g4tsu> and I try to have net with my vpn
08:21 < macsppadic> pfsense
08:21 < g4tsu> and not just the vpn
08:21 < g4tsu> it's a routing problem I think
08:21 < g4tsu> not a firewall one
08:21 < hyper_ch> !howto
08:21 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:22 < g4tsu> ok
08:23 < hyper_ch> so, you want all your traffic go throught the vpn?
08:24 < g4tsu> what I want : ping 10.8.0.1 ok and ping google.fr ok
08:24 < g4tsu> so I think yes
08:24 < hyper_ch> !config
08:24 < hyper_ch> you want to ping google.fr throught 10.8.0.1?
08:24 < hyper_ch> -t
08:24 < vpnHelper> hyper_ch: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
08:25 < g4tsu> yep
08:25 < macsppadic> push dns-server setting perhaps unless i have misunderstood
08:25 < g4tsu> ok
08:25 < g4tsu> but a ping on an ip doesn't do anything
08:26 < hyper_ch> g4tsu: http://openvpn.net/index.php/open-source/documentation/howto.html#redirect
08:26 < vpnHelper> Title: HOWTO (at openvpn.net)
08:28 -!- takamichi [~pri@78.133.92.164] has quit [Ping timeout: 246 seconds]
08:28 -!- takamichi [~pri@94.75.217.248] has joined ##openvpn
08:29 < hyper_ch> no clue
08:29 < hyper_ch> I guess you just lack according firewall entries on the server
08:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
08:34 < g4tsu> firewall on the server is good...
08:37 < g4tsu> if I give you my vpn server + client conf + my iptables rules, could you tell me what is wrong ?
08:42 < g4tsu> ok find it
08:47 -!- daguz1 [~leo@208-1-63-34.celito.net] has joined ##openvpn
08:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:03 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:10 -!- SkyTIME [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:38 -!- kloeri_ is now known as kloeri
09:41 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:42 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 248 seconds]
09:47 < krzee> g4tsu, you got it working?
09:49 < hyper_ch> krzee: hi there
09:49 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
09:49 < krzee> wassup man!
09:50 < krzee> im insanely tired
09:50 < krzee> 3 hours of sleep last night
09:50 < krzee> up all night reading gnuplot manuals / examples
09:52 < hyper_ch> krzee: can openvpn handle ipv6?
09:53 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 276 seconds]
09:54 < krzee> yes and no
09:55 < krzee> the patches exist, are in the testing branch, are in queue to be merged
09:55 < krzee> but you can manually apply them
09:55 < krzee> !ipv6
09:55 < vpnHelper> krzee: "ipv6" is (#1) http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_OpenVPN_Tunnelbroker.php?lang=en to learn how to setup openvpn to be an ipv6 tunnel broker, or (#2) Here are some scripts from the mail list: http://article.gmane.org/gmane.network.openvpn.user/27514 or from a mirror: http://www.ircpimps.org/join-0.8.tar, or (#3) http://www.greenie.net/ipv6/openvpn.html for ipv6 payload patch
09:55 < vpnHelper> krzee: (adds some nice ipv6 options)
09:55 < krzee> see #3
10:00 -!- theDoc [~jaki@210.19.225.130] has joined ##openvpn
10:02 -!- theDoc_ [~jaki@unaffiliated/thedoc] has joined ##openvpn
10:04 < krzee> however
10:04 < krzee> OpenVPN testing source tree: git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn-testing.git | Browse the git tree: http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git;a=summary
10:04 < vpnHelper> Title: SourceForge - openvpn/openvpn-testing.git/summary (at openvpn.git.sourceforge.net)
10:04 < krzee> feel free to grab it from there
10:05 -!- theDoc [~jaki@210.19.225.130] has quit [Ping timeout: 240 seconds]
10:05 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
10:05 < krzee> and report how it works for you please =]
10:06 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
10:07 < krzee> dazo, your testing branch has ipv6 payload patch right?
10:08 < dazo> krzee: yes ... feat_ipv6_payload
10:08 < krzee> werd
10:08 < dazo> but those features are also found in the allmerged branch as well
10:08 < dazo> krzee: what's wrong?
10:08 < krzee> more sense to recommend testing allmerged then =]
10:09 < krzee> nothing, hyper_ch was asking if ipv6 is supported
10:09 < hyper_ch> krzee:  :)
10:09 < dazo> allmerged got all bugfixes and accepted feat_* branches
10:11 < krzee> Fetching 8967 new ports or files... 
10:11 < krzee> hah
10:11 < dazo> hyper_ch: you can also pull the openvpn snapshots ecrist prepares ... they should be fine as well, and are based on the allmerged branch
10:11 < hyper_ch> I'm just curious :)
10:11 < krzee> thats what happens when you have a box that you keep from having a route to the internet
10:11 < dazo> ftp://ftp2.secure-computing.net/pub/FreeBSD/ports/openvpn-devel/
10:11 < hyper_ch> as the last free IPv4 addresses are being splitted up and handed over
10:12 < rob0> Does JJK show up at meetings? "janjust", is he?
10:12 < krzee> hyper_ch, if you do use it, feedback is requested ;]
10:12 < dazo> hyper_ch: :) please, if you are willing to test it out ... that'd be nice
10:12 < dazo> rob0: sometimes, yes ... and JJK = janjust
10:12 < krzee> rob0, not that i have noticed yet, but i hope to see him
10:13 < hyper_ch> I don't have any IPv6 thingy yet :)
10:13 < rob0> I want to ask him a question. HOW can he keep on answering all those questions on the list? :) I get too frustrated.
10:13 < krzee> lol
10:13 < dazo> lol
10:13 < krzee> ya, its harder to answer ?'s on the mail list
10:13 < krzee> especially with my web based email ;)
10:14 < rob0> What frustrates me is the lack of effort that so many of them show.
10:14 < krzee> the forum and irc are so much easier to help people on
10:14 < krzee> ahh, that's universal ;)
10:14 < theDoc_> How do I turn on my openvpn service? I try it doesn't work and manual isn't inside.
10:15 < krzee> theDoc_, was that an example, or a real question?
10:15 < theDoc_> ;p
10:15 < theDoc_> krzee> I wouldn't be asking that question, lol
10:15 -!- theDoc_ is now known as theDoc
10:15 < krzee> good ;]
10:15 < theDoc> It almost reminds me of the fradius list.
10:21 -!- Bloodsong [~Nimbus@bas2-barrie18-1279301444.dsl.bell.ca] has joined ##openvpn
10:22 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:22 -!- barefoot [~magic@41.123.163.138] has joined ##openvpn
10:25 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 276 seconds]
10:26 -!- DrPepper2 [~DrPepper@88.207.188.176] has joined ##openvpn
10:26 -!- DrPepper [~DrPepper@88.207.188.176] has quit [Remote host closed the connection]
10:26 -!- barefoot [~magic@41.123.163.138] has quit [Ping timeout: 240 seconds]
10:26 -!- magic_1 [~magic@mail.virtuallogistics.co.za] has joined ##openvpn
10:29 -!- magic_1 [~magic@mail.virtuallogistics.co.za] has quit [Changing host]
10:29 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
10:35 -!- barefoot [~magic@41.123.163.138] has joined ##openvpn
10:35 -!- KaiForce [~chatzilla@adsl-70-228-114-90.dsl.akrnoh.ameritech.net] has joined ##openvpn
10:35 -!- barefoot [~magic@41.123.163.138] has quit [Client Quit]
10:36 -!- barefoot [~magic@41.123.163.138] has joined ##openvpn
10:38 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 252 seconds]
10:38 < daguz1> this may or may not be an openvpn question... I have shorewall too if that helps:  I cant seem to get my route to work between two networks.   192.168.0.x -  to 192.168.255.x   The firewalls/vpn routers between them are getting a little wonky.    When my openvpn on the 192.168.0.x side receives a ping packet for the local network (from the remote 192.168.255.x) the interface says ICMP unreachable.
10:39 < daguz1> I can tcpdump the tun2 interface and see that.
10:39 < daguz1> It never gets sent out on eth1 (my lan interface)
10:39 < daguz1> but the source IP address is the tun2 (local) interface.  
10:40 < daguz1> Not the remote IP address nor the remote(peer) tun2 ip address
10:40 < daguz1> what should I see here?
10:42 -!- barefoot [~magic@41.123.163.138] has quit []
10:42 -!- magic_1 [~magic@41.123.163.138] has joined ##openvpn
10:42 -!- magic_1 [~magic@41.123.163.138] has quit [Changing host]
10:42 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
10:55 -!- daguz1 [~leo@208-1-63-34.celito.net] has quit [Ping timeout: 246 seconds]
11:02 -!- WormFood [~wormfood@121.34.165.247] has quit [Remote host closed the connection]
11:02 -!- WormFood [~wormfood@121.15.46.195] has joined ##openvpn
11:07 -!- dazo is now known as dazo_afk
11:07 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
11:10 -!- daguz [~leo@208-1-63-34.celito.net] has joined ##openvpn
11:13 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
11:28 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:45 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:49 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Ping timeout: 245 seconds]
11:50 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:58 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
11:58 -!- krzie [nobody@unaffiliated/krzee] has quit [Remote host closed the connection]
12:10 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Ping timeout: 246 seconds]
12:11 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
12:33 -!- PolywogWrk [~polywog@75-151-186-130-Philadelphia.hfc.comcastbusiness.net] has left ##openvpn []
12:34 -!- Bloodsong [~Nimbus@bas2-barrie18-1279301444.dsl.bell.ca] has quit [Read error: Connection reset by peer]
12:46 -!- astrophy [~astrophy@ip12.208-100-1.static.steadfast.net] has joined ##openvpn
12:56 -!- Hypnoz [~colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
12:58 -!- Hypnoz` [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
13:00 -!- cron2_ is now known as cron2
13:03 -!- KaiForce [~chatzilla@adsl-70-228-114-90.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
13:20 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
13:23 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
13:44 -!- janjust [~janjust@5355E9DA.cable.casema.nl] has joined ##openvpn
13:46 -!- mode/##openvpn [+o janjust] by ChanServ
13:51 -!- vishku [~eth0@unaffiliated/houjin] has joined ##openvpn
13:51 -!- Hypnoz` [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Quit: Leaving]
13:51 -!- Hypnoz` [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
13:51 -!- Hypnoz` is now known as Hypnoz
13:53 < vishku> Can anyone guide me as to how to setup Mac ID based authentication for individuals accessing VPN while on road?
13:53 < vishku> right now the access is granted through IP whitelisting in shorewall
13:53 < hyper_ch> why mac id based?
13:53 < krzee> you auth based on IP???
13:53 < vishku> because the laptops will always be authenticated
13:54 < krzee> you auth based on cert or password...
13:54 < vishku> IP + cert
13:54 < vishku> thats how we do it now
13:55 < vishku> cert auth in VPN and IP auth in shorewall
13:55 < krzee> you made a special script that does that using auth-pass-verify?
13:55 < hyper_ch> and that's not good?
13:55 < krzee> hyper_ch, road warriors dont have predictable IP
13:55 < vishku> hyper_ch: the problem with that is IP check fails when the individual is travelling
13:55 < rob0> A MAC is only visible on a hardware segment. Anything coming from the Internet has the MAC of your upstream router.
13:56 < rob0> SSL authentication is pretty good.
13:56 < vishku> rob0: wont the information be still encoded in the packets?
13:56 < hyper_ch> can't you just use cert + pwd?
13:56 < rob0> no
13:56 < krzee> ya there is no way you can see MAC address while auth'ing, you CAN see the tap MAC address AFTER auth'ing if you use tap
13:56 <@janjust> I guess you could use an auth-pass-verify script that passes the eth0 mac address to the server for verification but that is far too easy to spoof
13:56 < krzee> good point, mac address is trivial to spoof
13:57 < krzee> you will be better off using certs AND passes instead
13:57 -!- DrPepper2 [~DrPepper@88.207.188.176] has quit [Quit: Leaving...]
13:57 < krzee> !authpass
13:57 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
13:57 < vishku> how about cert based auth for openVPN and once connected, leave shorewall to figure out if the right MAC is connecting?
13:57 <@janjust> which mac would that be, vishku ?
13:57 <@janjust> the mac of the tun adapter? the mac of the ethernet adapter is not seen on the shorewall side
13:57 < krzee> then a client-connect script could make firewall rules based on mac address (assuming you use tap)
13:57 < rob0> vishku: bridging? Not a good idea.
13:57 < krzee> tun doesnt have a MAC
13:58 <@janjust> pseudo-mac, krzee  ;-)
13:58 < rob0> Big Mac.
13:58 < krzee> tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
13:58 < krzee> 	inet 172.16.1.14 --> 172.16.1.13 netmask 0xffffffff 
13:58 < krzee> 	open (pid 4894)
13:58 < vishku> janjust: wont the mac be visible once the tunnel is established?
13:59 <@janjust> vishku: nope, the ethernet of wifi mac never goes beyond the local router
13:59 < rob0> No. The MAC is only visible on a hardware segment.
13:59 < krzee> vishku, you're doing it wrong, honestly, you dont want to do any sort of trusting based on mac address
13:59 < krzee> use certs and passwords, much better
14:00  * hyper_ch agrees with krzee
14:01 < vishku> ok.. aside from the fact that Mac based auth is not trustworthy, is it technically feasible to do a mac based auth as a second level filtering after a cert based connection is made?
14:01 <@janjust> in theory it is possible to send any kind of text to the remote server ; a script can then pick this up and do something with it
14:02 < hyper_ch> hi janjust
14:03 <@janjust> hi hyper_ch 
14:03 < krzee> janjust, hyper_ch is working on a web based version of the confgen =]
14:04 < krzee> (i have 0 webdev skills)
14:04 < hyper_ch> krzee: same for me, that's why it takes so long
14:04 < krzee> ;]
14:04 <@janjust> hehe krzee , hyper_ch 
14:04 < hyper_ch> I'll have a 5h flight on saturday... will code some more on it :)
14:05 -!- mgolisch [~michi@85.93.11.18] has left ##openvpn []
14:05 < krzee> hyper_ch, im almost done fixing the confgen, ill shoot ya a heads up when its final
14:05 < krzee> i need to go over it and check for completeness
14:05 < hyper_ch> good :)
14:06 < krzee> !rip
14:06 < vpnHelper> krzee: "rip" is http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting for a writeup on using RIP in openvpn
14:15 -!- DrPepper [~DrPepper@88.207.188.176] has joined ##openvpn
14:17 -!- maxime_ [~maxime@mut38-6-88-167-71-250.fbx.proxad.net] has joined ##openvpn
14:17 < maxime_> hi 
14:17 < krzee> hi
14:17 < maxime_> after an ubuntu update (to lucid) I'm having trouble with openvpn
14:18 < maxime_> I replace the pkcs11-slot-type id pkcs11-slot 0 pkcs11-id-type subject pkcs11-id in my config file
14:18 < maxime_> by pkcs11-id  with a serialize id
14:19 < maxime_> as I was told by openvpn :p
14:19 <@janjust> what was your old version of openvpn and what is your new version?
14:19 < maxime_> old was 2.1_rc19 and new is 2.1.0
14:19 < maxime_> I also tried the 2.1.1 with no success
14:20 <@janjust> hmmm the pkcs11 mechanisms did not change between rc19 and 2.1
14:20 < maxime_> the problem may be that I had to comment the line  pkcs11-sign-mode sign
14:20 < maxime_> maybe a dependency ?
14:21 < maxime_> and the error I now get is :
14:21 <@janjust> in the "regular" 2.1 code base there is no 'pkcs11-sign-mode' flag
14:22 < maxime_> hmm this is stange I have it in my config file and everything work until now ...
14:23 <@janjust> perhaps this was in the 2.1rc19 codebase and was removed later but I'd have to look that one up
14:24 < maxime_> I would say something like that. Do you know what might has replaced it ?
14:24 -!- dazo_afk [~dazo@nat/redhat/x-kenkicgjnnszajpo] has quit [Read error: Connection reset by peer]
14:25 <@janjust> I have no idea - I'll download the rc19 code tomorrow and take a peek but it could also be a debian/ubuntu only patch 
14:25 -!- janjust [~janjust@5355E9DA.cable.casema.nl] has quit [Quit: Leaving]
14:26 < maxime_> yep it might :(
14:26 -!- dazol [~dazo@nat/redhat/x-ptfackcljdhimteg] has joined ##openvpn
14:30 -!- janjust [~janjust@5355E9DA.cable.casema.nl] has joined ##openvpn
14:30 < janjust> maxime? I just downloaded the rc19 code and it also does not contain a pkcs11-sign option.... odd
14:30 < janjust> really signing off now
14:30 -!- janjust [~janjust@5355E9DA.cable.casema.nl] has quit [Client Quit]
14:31 -!- maxime_ [~maxime@mut38-6-88-167-71-250.fbx.proxad.net] has quit [Ping timeout: 264 seconds]
14:38 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 276 seconds]
14:40 -!- DrPepper [~DrPepper@88.207.188.176] has quit [Quit: Leaving...]
15:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
15:05 -!- teddy [~teddy@bas4-toronto02-1176005859.dsl.bell.ca] has quit [Read error: Connection reset by peer]
15:17 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 252 seconds]
15:25 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
15:40 -!- jnss [janes@gateway/shell/sign.io/x-wjlnwgeubumvkxzf] has quit [Ping timeout: 240 seconds]
15:41 -!- jnss [janes@gateway/shell/sign.io/x-ocdttpnlvtnzsfgg] has joined ##openvpn
15:49 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 276 seconds]
16:02 -!- jnss [janes@gateway/shell/sign.io/x-ocdttpnlvtnzsfgg] has quit [Ping timeout: 240 seconds]
16:02 -!- jnss [janes@gateway/shell/sign.io/x-krajqtccmzimepfh] has joined ##openvpn
16:11 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 248 seconds]
16:20 -!- SkyTIME [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
16:23 -!- vishku [~eth0@unaffiliated/houjin] has quit [Ping timeout: 245 seconds]
16:23 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
16:34 -!- Guest12047 is now known as openvpn2009
16:35 -!- mode/##openvpn [+o openvpn2009] by ChanServ
16:38 -!- openvpn2009 [~admin@adsl-71-140-186-185.dsl.pltn13.pacbell.net] has quit [Quit: ircN 8.00 for mIRC (20080809) - www.ircN.org]
16:48 -!- prakriti [~jeremy@24.100.137.18] has quit [Read error: Connection reset by peer]
17:03 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:25 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
17:34 -!- astrophy [~astrophy@ip12.208-100-1.static.steadfast.net] has quit [Ping timeout: 265 seconds]
17:39 -!- astrophy [~astrophy@ip26.208-100-1.static.steadfast.net] has joined ##openvpn
17:59 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
18:13 -!- krzie [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
18:24 -!- smerz [~daniel@smerz.demon.nl] has quit [Quit: Ex-Chat]
18:39 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
18:46 -!- prakriti [~jeremy@24.100.137.18] has joined ##openvpn
19:12 -!- hackeron_ [~hackeron@cpc3-seve19-2-0-cust263.13-3.cable.virginmedia.com] has joined ##openvpn
19:13 < hackeron_> hey, I have my openvpn set up so all clients connect to a server, the server can see all clients but the clients can't see eachother - can I add one special client to this that can see all the other clients?
19:19 < rob0> um, without bothering to ask what you mean by "see", I will just say no. Routing, for any meaningful protocol, has to be bidirectional. If A can get to B, but B can't get back to A, A & B won't have much of a conversation.
19:20 < hackeron_> rob0: on the server, I can do ping 10.8.0.54 - however if I ssh to 10.8.0.62 and try to ping 10.8.0.54 from there I can't - this is how I want it -- but I want one special client that will be able to ping all hosts on the VPN
19:24 < rob0> ping(1) sends ICMP echo request, which in order to be useful has to be able to receive the ICMP echo reply.
19:25 < hackeron_> rob0: erm, ok?
19:27 < hackeron_> rob0: you know the option client-to-client?
19:27 < hackeron_> rob0: that lets clients see eachother?
19:27 < hackeron_> rob0: I want to enable it for a single client, not all clients
19:32 < hackeron_> rob0: i.e. I will be happy if all clients see this extra client and this client will see all clients - but I don't want to see eachother like without the client-to-client option
19:32 < hackeron_> rob0: does that make sense?
19:33 < hackeron_> the "see" terminology is from the man page btw
19:52 -!- hackeron_ [~hackeron@cpc3-seve19-2-0-cust263.13-3.cable.virginmedia.com] has quit [Killed (idoru (Spam is off topic on freenode.))]
19:52 < krzie> !c2c
19:52 < vpnHelper> krzie: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
19:52 < vpnHelper> krzie: behind other clients
19:53 < krzie> you want to firewall
19:54 < krzie> and
19:54 < krzie> !ipforward
19:54 < vpnHelper> krzie: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
20:18 -!- Hypnoz [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Ping timeout: 260 seconds]
20:20 < rob0> I tried to explain why that's not possible. Oh well.
20:21 < rob0> oh, but the factoid says client-to-client can work without that setting? I've never tried that.
20:23 -!- zorzar [~zz@p4FFD39E5.dip.t-dialin.net] has quit [Ping timeout: 246 seconds]
20:24 < krzie> it is possible
20:30 -!- zorzar [~zz@p4FFD0C82.dip.t-dialin.net] has joined ##openvpn
21:13 -!- astrophy [~astrophy@ip26.208-100-1.static.steadfast.net] has quit [Quit: Bye]
21:14 -!- tjz [~pc@bb119-74-183-143.singnet.com.sg] has joined ##openvpn
21:14 -!- tjz [~pc@bb119-74-183-143.singnet.com.sg] has quit [Changing host]
21:14 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
21:53 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
21:54 -!- blueboxthief [~None_of_y@83-71-8-221-dynamic.b-ras1.dbn.dublin.eircom.net] has quit [Quit: Leaving.]
21:59 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
23:35 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
23:47 -!- KnightWhoSaysNi [~evaldo@freenode/staff/udontknow] has quit [Quit: restart fubared irssi]
23:47 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has joined ##openvpn
23:55 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 252 seconds]
--- Day changed Fri May 07 2010
00:00 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
00:05 -!- SkyTIME [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
00:07 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
00:47 <@raidz> krzee, ecrist: either of you around?
00:47 <@raidz> *krzie
01:24 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:24 -!- mode/##openvpn [+o mattock] by ChanServ
01:26 < krzie> werd
01:33 -!- krzie [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
01:37 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
01:38 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
01:44 -!- krzie [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
01:53 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
01:56 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
02:14 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
02:14 < krzie> raidz, hey
02:20 < |Mike|> morning
02:26 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 264 seconds]
02:34 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
02:47 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
02:57 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
02:58 -!- macsppadic is now known as embarasppadic
02:58 -!- embarasppadic [~sonupunno@88.211.55.77] has left ##openvpn []
03:00 -!- xNice [~Benz@qss-193.qualitynet.net] has quit [Ping timeout: 264 seconds]
03:04 -!- xNice [~Benz@qss-193.qualitynet.net] has joined ##openvpn
03:36 -!- xNice [~Benz@qss-193.qualitynet.net] has quit [Ping timeout: 248 seconds]
03:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:42 -!- Diffen2 [~diffen2@mail.feab.se] has joined ##openvpn
03:42 -!- xNice [~Benz@qss-193.qualitynet.net] has joined ##openvpn
03:42 -!- gorkhaan_ [~gorkhaan@87.229.108.75] has joined ##openvpn
03:44 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Read error: Connection reset by peer]
03:45 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
04:12 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
04:37 -!- dazol is now known as dazo
05:23 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
06:18 -!- gorkhaan_ [~gorkhaan@87.229.108.75] has quit [Quit: Távozom]
06:28 < xNice> hello...i did setup openvpn server on debian 5 and i can connect to it but there seems to be a dns problem i can ping internet ips but not domains
06:31 < xNice> can i install openvpn-as on xen solusvm server ?
06:33 < mwheeler> dns isn't openvpns problem :P
06:36 < xNice> whats may be the problem
06:36 < mwheeler> what's your DNS server set to?
06:38 < xNice> in the /etc/resolv.conf or where you mean exactly ?
06:38 < mwheeler> in /etc/resolv.conf
06:39 < xNice> #cat /etc/resolv.conf
06:39 < xNice> nameserver 208.69.231.254
06:39 < xNice> nameserver 208.69.228.30
06:39 < mwheeler> When the VPN is up, can you ping those addresses
06:40 < xNice> no
06:41 < xNice> i am connected to the vpn in my laptop near me but cant ping it
06:42 < mwheeler> Well there is your problem
06:42 < xNice> routing ?
06:42 < mwheeler> I'm guessing so
06:42 < mwheeler> traceroute to that
06:43 < mwheeler> can you ping that address without VPN?
06:43 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
06:43 < xNice> yes
06:44 < xNice> i can ping it without vpn
06:45 < xNice> i did install it by this page/script http://vpsnoc.com/blog/how-to-install-openvpn-on-a-debianubuntu-vps-instantly/
06:45 < vpnHelper> Title: How to install OpenVPN on a Debian/Ubuntu VPS instantly | VPS Network Operation Center (at vpsnoc.com)
06:46 < xNice> maybe the script it missing somethign
06:46 < xNice> yeah thats it
06:46 < xNice> i did follow that one
06:47 < xNice> push "route 10.8.0.0 255.255.255.0"
06:47 < xNice> push "redirect-gateway"
06:47 < xNice> is this something  i have to modify ?
06:57 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:08 < dazo> xNice: check that ip_forwarding is enabled on the server, routing and firewall ... in 99.99999% of all cases, the problem is in one of these three areas
07:12 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
07:12 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 252 seconds]
07:16 -!- theDoc [~jaki@69.10.59.166] has joined ##openvpn
07:24 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
07:25 -!- hackeron [~hackeron@gentoo/user/hackeron] has joined ##openvpn
07:31 < xNice> dazo i did enable ip_forward  what else ?
07:31 < dazo> xNice: routing and firewall?  are you sure none of these is not a problem?
07:32 < xNice> dazo may you point me to what i have to do for routing and firewall ? i didnt touch them
07:33 < dazo> xNice: first of all ... figure out how your firewall is setup ... and how NAT is configured ... if you want --redirect-gateway to access Internet via the VPN tunnel, you need to NAT the traffic going out from the tunnel
07:37 < xNice> i would love to find a tutorial about that :D
07:44 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
07:46 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
08:00 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
08:02 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 265 seconds]
08:06 < dazo> xNice: have a look at the mailing list ... http://thread.gmane.org/gmane.network.openvpn.user/ ... lately the OpenVPN routing discussion might lead you towards the right direction
08:06 < vpnHelper> Title: Gmane Loom (at thread.gmane.org)
08:28 -!- ribasushi [~rabbit@ip-109-91-187-9.unitymediagroup.de] has joined ##openvpn
08:28 < ribasushi> is the "run in compat mode" still necessary to install ovpn on win7?
08:29 < ribasushi> or will this always be the case due to the signature issues?
08:35 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
08:35 -!- theDoc [~jaki@69.10.59.166] has quit [Ping timeout: 260 seconds]
08:36 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
08:46 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
08:48 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
09:08 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 276 seconds]
09:11 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has joined ##openvpn
09:15 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
09:36 -!- Diffen2 [~diffen2@mail.feab.se] has quit [Quit: This computer has gone to sleep]
09:57 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
10:07 < xNice> is there easier way to deploy openvpn client to users who are totally newbie and dont know how to copy the keys to c:\programs files\openvpn\config ?
10:07 < xNice> something with 1 click and install  ?
10:13 -!- kloeri [kloeri@freenode/staff/exherbo.kloeri] has quit [Read error: Operation timed out]
10:14 -!- kloeri [kloeri@freenode/staff/exherbo.kloeri] has joined ##openvpn
10:23 < dazo> xNice: I've written my own installer for one site which needed that ... you start the installer, it will ask for a zip file (a small file which contains config file, certificate files) ... then it will download openvpn-installer, do a simple MD5 check of the download, and run the openvpn installer (unfortunately, I've not managed to make run in "unattended" mode) ... and it extracts the zip file at the end in the config dir 
10:24 < dazo> xNice: that approach do work very well, and gives you a pretty good control, without having to recompile this installer for each new release ... you just replace the download file on a webserver
10:33 < krzie> sounds way more sane
10:33 < krzie> that would be an awesome wiki entry
10:33 < krzie> or forum - bragging rights
10:35 < dazo> krzie: I can translate it into English and generalise away some extra tweaks for the particular site ... maybe I'll manage it this weekend
10:36 < krzie> awesome
10:38 < krzie> i know ill enjoy reading it
10:38 < krzie> and ill replace:
10:39 < krzie> !win_rollup
10:39 < vpnHelper> krzie: "win_rollup" is (#1) http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package-Rev1.1.html for a doc on HowTo Roll Your Own OpenVPN Windows Installation Package, or (#2) http://gentoo-wiki.com/HOWTO_OpenVPN_RoadWarrior#For_Installation_on_Windows_Client for a batch you can use to install certs in win client automagically
10:49 -!- dazo is now known as dazo_afk
10:49 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
10:57 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
10:59 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
11:01 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
11:06 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
11:06 -!- WormFood [~wormfood@121.15.46.195] has quit [Ping timeout: 246 seconds]
11:14 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
11:17 -!- WormFood [~wormfood@116.30.179.66] has joined ##openvpn
11:26 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Remote host closed the connection]
11:34 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 265 seconds]
11:36 -!- theDoc [~jaki@69.10.59.166] has joined ##openvpn
11:36 -!- DrPepper [~DrPepper@88.207.188.176] has joined ##openvpn
11:43 -!- blueboxthief [~None_of_y@86.43.5.9] has joined ##openvpn
11:44 -!- smerz [~daniel@smerz.demon.nl] has quit [Remote host closed the connection]
11:46 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
11:49 -!- xNice [~Benz@qss-193.qualitynet.net] has quit [Ping timeout: 240 seconds]
11:53 -!- xNice [~Benz@62.150.227.15] has joined ##openvpn
12:30 -!- blueboxthief [~None_of_y@86.43.5.9] has quit [Quit: Leaving.]
12:42 -!- jfkw_ [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
12:47 -!- Netsplit *.net <-> *.split quits: jfkw
12:48 -!- Irssi: ##openvpn: Total of 100 nicks [2 ops, 0 halfops, 0 voices, 98 normal]
12:55 < ecrist> krzie: ping
13:03 < krzie> pong
13:11 <@mattock> ni!
13:12 < krzie> debugging what i hoe are the final changes to confgen
13:12 < ecrist> neat
13:12 < ecrist> krzie: do you keep that in an svn repo somehwere?
13:12 < ecrist> if not, can I recommend one?
13:12 < ecrist> ;)
13:13 < krzie> nah i havnt been
13:13 < krzie> i guess thats not such a bad idea tho
13:13 < ecrist> re: ping, I leave for BSDCan in 2 days.
13:13 < ribasushi> krzee: the rollup stuff
13:13 < ribasushi> 2nd link is dead
13:13 < krzie> i did work on it using gobby with Bushmills
13:13 < ecrist> krzie: you already have read/write to https://www.secure-computing.net/svn/trunk
13:13 < vpnHelper> Title: svn - Revision 256: /trunk (at www.secure-computing.net)
13:14 < krzie> ribasushi, ya that stuff is old, dazo is going to make something better that wont be outdated
13:14 < krzie> hrm i wonder if i know my pass on it
13:14 < krzie> lol
13:14 < ribasushi> allrighty
13:14 < ribasushi> is the "run in compat mode" still necessary to install ovpn on win7?
13:14 < ecrist> if not, I can reset it
13:14 < ribasushi> or will this always be the case due to the signature issues?
13:14 < ecrist> I'm friends with the admin.
13:14 < ecrist> lol
13:14 < krzie> lol
13:15 < krzie> tell him i said wassup ;]
13:19 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
13:27 < krzie> yay, ready for testing
13:27 < krzie> like by others again
13:30 -!- openvpn2009 [~admin@adsl-71-140-186-185.dsl.pltn13.pacbell.net] has joined ##openvpn
13:30 -!- mode/##openvpn [+o openvpn2009] by ChanServ
13:32 -!- corretico_ [~laguilar@201.201.46.106] has joined ##openvpn
13:34 < krzie> heh spoke too soon
13:35 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 260 seconds]
13:44 -!- smerz [~daniel@smerz.demon.nl] has quit [Ping timeout: 245 seconds]
13:49 < krzie> !confgen
13:49 < vpnHelper> krzie: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
13:49 < krzie> (new)
14:10 < ecrist> krzie: can I put that in svn?
14:15 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 276 seconds]
14:17 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
14:20 -!- raidz [~Andrew@seance.openvpn.org] has quit [Quit: Leaving]
14:22  * ecrist does it anyway, and is willing to suffer the consequences later.
14:22 < Bushmills> ecrist, you can access the most recent versions from the edit server
14:23 < Bushmills> some minor modifications done on them
14:25 -!- raidz [~Andrew@seance.openvpn.org] has joined ##openvpn
14:28 -!- raidzx [~Andrew@seance.openvpn.org] has joined ##openvpn
14:28 -!- raidzx [~Andrew@seance.openvpn.org] has quit [Client Quit]
14:29 -!- mode/##openvpn [+o raidz] by ChanServ
14:35 < krzie> Bushmills, i cant tell what file is what now, theres like 3 of each
14:35 -!- raidz [~Andrew@seance.openvpn.org] has quit [Quit: Leaving]
14:36 < Bushmills> i was editing in your first session when you opened a second. those files i close here right away again
14:36 < krzie> that first session was from when?
14:36 < Bushmills> let me add a version number at the top of those i edited most recently
14:37 < krzie> cause i never tried to add files after i got yours
14:37 < krzie> until just now
14:37 -!- SkyTIME [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
14:38 < Bushmills> version and date on second line on my recent edits
14:38 < ecrist> https://www.secure-computing.net/trac/changeset/257/trunk/openvpn-confgen/
14:38 < vpnHelper> Title: Changeset 257 for trunk/openvpn-confgen – SCN Open Source – Trac (at www.secure-computing.net)
14:39 -!- 16SAAJSIU [~Andrew@seance.openvpn.org] has joined ##openvpn
14:39 -!- raidz [~Andrew@seance.openvpn.org] has joined ##openvpn
14:39 -!- raidz [~Andrew@seance.openvpn.org] has quit [Client Quit]
14:39 -!- 16SAAJSIU [~Andrew@seance.openvpn.org] has left ##openvpn []
14:39 -!- raidz [~Andrew@seance.openvpn.org] has joined ##openvpn
14:40 < Bushmills> krzie: when reconnecting to that session, you may not want to specify a set of files - as those will be opened (again) in addition to those already open in the session 
14:40 -!- mode/##openvpn [+o raidz] by ChanServ
14:40 < krzie> werd
14:40 < krzie> but the files are very edited since you last saw
14:41 < ecrist> krzie: depending on the amount of partying next week, I may start my C++ conversion of ssl-admin.
14:43 < krzie> cool!
14:43 -!- raidzx [~Andrew@seance.openvpn.org] has joined ##openvpn
14:43 < krzie> would be nice to package these together
14:44 < krzie> pls make c++ version take cli flags
14:44 < krzie> so confgen can call it
14:45 < ecrist> that's the plan
14:45 -!- theDoc [~jaki@69.10.59.166] has quit [Ping timeout: 260 seconds]
14:45 < ecrist> I'm hoping for ldap integration, batch manipulation, and CRL publishing via SSH, FTP, and HTTP Post
14:47 < krzie> we could even build in dazo's win_rollup
14:47 < krzie> for the clients / server when windows
14:48 < ecrist> yep
14:48 < ecrist> baby steps though.
14:48 < ecrist> it will be my first c++ program
14:48 < krzie> right
14:48 < krzie> then my confgen will do the rollup
14:48 < krzie> cause it already knows who is windows
14:48 < krzie> and it will call your c++ app with the needed vars
14:49 -!- theDoc [~jaki@69.10.59.166] has joined ##openvpn
14:49 < ecrist> I'm thinking, maybe, ssl-admin will not include specifics about openvpn, though.
14:50 < krzie> right
14:50 < krzie> but confgen will
14:50 -!- raidzx [~Andrew@seance.openvpn.org] has quit [Quit: Leaving]
14:50 < krzie> and will call ssl-admin with whats needed for openvpn setup
14:50 < ecrist> yeah
14:50 < krzie> it'll be a openvpn-specific interface for ssl-admin
14:51 < ecrist> good way to put it
14:51 < krzie> (as well as building the configs, and rolling up the windows nodes)
14:54 -!- Kas [~Kasx@216.59.17.27] has joined ##openvpn
14:54 -!- Kas [~Kasx@216.59.17.27] has quit [Client Quit]
14:55 < krzie> hyper_ch, see new confgen
15:03 -!- dazo [~dazo@ip4-83-240-69-215.cust.nbox.cz] has joined ##openvpn
15:06 < krzie> there
15:06 < krzie> !confgen
15:06 < vpnHelper> krzie: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
15:07 < krzie> updated with an improvement by Bushmills 
15:08 < krzie> put a notice on them as well
15:08 < krzie> # released by krzee as public domain
15:13 < dazo> krzie:  http://www.secure-computing.net/wiki/index.php/HowTo_for_Windows_2
15:13 < vpnHelper> Title: HowTo for Windows 2 - Secure Computing Wiki (at www.secure-computing.net)
15:13 < dazo> Just some stuff thrown together ... probably needs some tweaking and testing by others ... but the basic stuff is here and should give a pretty good starting point
15:20 -!- theDoc [~jaki@69.10.59.166] has quit [Ping timeout: 240 seconds]
15:20 < ribasushi> bah
15:20 < ribasushi> no one on my win7 question?
15:20 < ribasushi> I need to write an installation instruction and I don't have a win7 handy to test 
15:21 < dazo> :(  Sorry to say, but I dunno ... There are some Win7 users here from time to time ... but Fridays might not be the best time to catch them here
15:22 -!- theDoc [~jaki@69.10.59.166] has joined ##openvpn
15:41 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
16:02 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 252 seconds]
16:06 < ribasushi> hm hm hm 
16:06 < ribasushi> the openvpn-gui that comes with 2.1.something
16:06 < ribasushi> it doesn't seem to autostart anymore, and there is no installer option
16:06 < ribasushi> what did I miss?
16:07 < ribasushi> or I need to manually drag it into startup?
16:38 -!- dazo [~dazo@ip4-83-240-69-215.cust.nbox.cz] has quit [Quit: Leaving]
16:38 -!- takamichi [~pri@94.75.217.248] has quit [Ping timeout: 260 seconds]
17:05 -!- Netsplit *.net <-> *.split quits: g4tsu, dunc, freaky[t]
17:08 -!- Netsplit over, joins: dunc, freaky[t], g4tsu
17:32 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:41 -!- openvpn2009 [~admin@adsl-71-140-186-185.dsl.pltn13.pacbell.net] has quit [Quit: ircN 8.00 for mIRC (20080809) - www.ircN.org]
18:07 -!- Guest12047 [pandora@matrix.openvpn.org] has joined ##openvpn
18:07 -!- Guest12047 is now known as openvpn2009
18:07 -!- mode/##openvpn [+o openvpn2009] by ChanServ
18:31 -!- DrPepper [~DrPepper@88.207.188.176] has quit [Quit: Leaving...]
19:36 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
20:05 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
20:18 -!- Rolybrau [~Rolybrau@198-229.3-85.cust.bluewin.ch] has joined ##openvpn
20:18 -!- Rolybrau [~Rolybrau@198-229.3-85.cust.bluewin.ch] has quit [Changing host]
20:18 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
20:20 -!- xachen [~Justin@pdpc/supporter/student/xachen] has joined ##openvpn
20:21 -!- xachen [~Justin@pdpc/supporter/student/xachen] has quit [Client Quit]
20:21 -!- xachen [~Justin@pdpc/supporter/student/xachen] has joined ##openvpn
20:23 -!- xachen [~Justin@pdpc/supporter/student/xachen] has quit [Client Quit]
20:28 -!- zorzar_ [~zz@p4FFD1EE9.dip.t-dialin.net] has joined ##openvpn
20:30 -!- xNice [~Benz@62.150.227.15] has quit [Ping timeout: 276 seconds]
20:32 -!- zorzar [~zz@p4FFD0C82.dip.t-dialin.net] has quit [Ping timeout: 276 seconds]
20:35 -!- xNice [~Benz@62.150.228.225] has joined ##openvpn
20:36 -!- theDoc [~jaki@69.10.59.166] has quit [Ping timeout: 252 seconds]
20:38 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
20:40 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
20:52 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
20:55 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
21:16 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:16 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:17 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:17 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:17 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:17 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:17 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:17 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:17 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:17 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:18 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:18 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:18 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:18 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:18 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:18 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:18 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:18 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:19 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:19 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:19 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:19 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:19 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:19 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:19 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:19 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:19 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:19 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:19 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:19 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:20 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:20 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:20 -!- tjz [~pc@bb119-74-183-143.singnet.com.sg] has joined ##openvpn
21:20 -!- tjz [~pc@bb119-74-183-143.singnet.com.sg] has quit [Changing host]
21:20 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
21:20 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:20 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:20 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:20 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:20 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:20 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:20 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:20 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:20 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:20 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:21 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:21 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:21 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:21 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:21 < tjz> ?
21:21 < tjz> BAN this guy
21:21 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:21 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:21 -!- tjz [~pc@unaffiliated/tjz] has left ##openvpn []
21:21 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:21 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:21 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:21 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:21 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:21 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:22 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:22 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:22 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:22 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:22 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:22 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:22 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:22 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:22 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:22 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:22 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:22 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:23 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:23 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:23 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:23 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:23 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:23 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:23 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:23 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:23 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:23 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:23 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:23 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:24 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:24 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:24 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:24 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:24 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:24 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:24 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:24 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:24 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:24 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:24 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:24 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:25 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:25 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:25 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:25 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:25 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:25 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:25 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:25 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:25 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:25 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:25 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:25 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:26 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:26 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:26 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:26 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:26 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:26 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:26 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:26 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:26 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:26 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:26 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:26 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:27 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:27 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:27 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:27 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:27 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:27 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:27 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:27 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:27 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:27 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:27 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:27 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:29 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:29 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:29 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:29 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:29 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:29 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:29 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:29 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:29 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:29 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:29 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:29 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:30 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:30 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:30 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:30 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:30 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:30 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:30 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:30 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:30 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:30 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:30 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:30 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:31 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:31 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:31 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:31 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:31 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:31 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:31 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:31 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:31 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:31 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:31 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:31 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:32 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:32 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:32 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:32 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:32 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:32 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:32 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:32 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:32 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:32 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:32 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:32 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:33 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:33 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:33 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:33 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:33 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:33 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:33 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:33 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:33 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:33 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:33 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:33 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:34 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:34 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:34 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:34 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:34 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:34 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:34 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:34 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:34 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:34 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:34 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:34 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:35 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:35 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:35 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:35 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:35 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:35 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:35 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:35 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:35 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:35 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:35 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:35 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:36 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:36 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:36 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:36 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:36 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:36 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:36 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:36 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:36 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:36 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:36 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:36 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:37 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:37 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:37 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:37 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:37 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:37 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:37 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:37 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:37 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:37 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:37 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:37 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:38 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:38 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:38 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:38 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:38 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:38 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:38 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:38 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:38 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:38 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:38 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:38 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:39 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:39 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:39 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:39 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:39 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:39 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:39 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:39 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:39 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:39 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:39 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:39 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:40 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:40 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:40 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:40 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:40 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:40 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:40 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:40 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:40 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:40 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:40 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:40 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:41 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:41 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:41 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:41 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:41 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:41 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:41 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:41 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:41 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:41 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:41 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:41 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:42 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:42 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:42 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:42 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:42 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:42 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:42 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:42 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:42 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:42 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:42 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:42 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:43 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:43 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:43 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:43 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:43 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:43 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:43 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:43 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:43 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:43 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:43 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:43 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:44 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:44 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:44 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:44 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:44 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:44 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:44 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:44 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:44 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:44 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:44 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:44 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:45 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:45 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:45 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:45 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:45 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:45 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:45 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:45 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:45 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:45 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:45 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:45 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:46 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:46 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:46 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:46 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:46 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:46 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:46 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:46 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:46 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:46 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:46 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:46 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:47 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:47 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:47 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:47 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:47 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:47 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:47 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:47 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:47 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:47 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:47 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:47 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:48 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:48 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:48 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:48 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:48 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:48 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:48 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:48 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:48 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:48 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:48 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:48 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:49 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:49 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:49 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:49 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:49 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:49 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:49 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:49 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:49 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:49 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:49 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:49 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:50 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:50 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:50 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:50 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:50 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:50 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:50 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:50 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:50 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:50 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:50 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:50 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:51 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:51 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:51 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:51 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:51 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:51 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:51 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:51 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:51 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:51 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:51 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:51 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:52 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:52 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:52 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:52 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:52 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:52 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:52 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:52 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:52 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:52 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:52 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:52 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:53 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:53 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:53 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:53 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:53 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:53 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:53 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:53 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:53 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:53 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:53 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:53 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:54 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:54 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:54 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:54 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:54 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:54 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:54 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:54 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:54 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:54 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:54 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:54 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:55 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:55 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:55 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:55 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:55 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:55 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:55 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:55 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:55 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:55 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:55 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:55 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:56 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:56 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:56 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:56 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:56 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:56 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:56 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:56 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:56 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:56 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:56 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:56 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:57 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:57 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:57 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:57 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:57 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:57 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:57 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:57 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:57 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:57 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:57 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:57 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:58 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:58 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:58 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:58 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:58 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:58 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:58 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:58 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:58 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:58 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:58 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:58 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:59 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:59 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:59 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:59 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:59 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:59 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:59 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:59 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:59 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:59 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
21:59 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
21:59 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:00 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:00 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:00 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:00 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:00 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:00 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:00 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:00 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:00 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:00 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:00 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:00 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:01 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:01 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:01 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:01 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:01 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:01 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:01 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:01 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:01 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:01 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:01 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:01 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:02 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:02 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:02 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:02 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:02 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:02 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:02 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:02 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:02 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:02 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:02 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:02 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:03 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:03 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:03 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:03 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:03 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:03 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:03 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:03 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:03 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:03 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:03 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:03 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:04 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:04 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:04 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:04 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:04 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:04 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:04 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:04 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:04 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:04 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:04 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:04 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:05 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:05 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:05 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:05 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:05 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:05 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:05 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:05 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:05 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:05 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:05 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:05 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:06 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:06 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:06 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:06 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:06 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:06 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:06 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:06 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:06 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:06 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:06 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:06 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:07 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:07 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:07 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:07 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:07 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:07 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:07 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:07 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:07 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:07 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:07 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:07 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:08 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:08 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:08 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:08 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:08 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:08 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:08 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:08 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:08 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:08 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:08 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:08 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:09 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:09 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:09 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:09 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:09 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:09 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:09 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:09 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:09 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:09 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:09 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:09 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:10 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:10 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:10 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:10 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:10 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:10 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:10 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:10 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:10 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:10 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:10 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:10 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:11 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:11 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:11 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:11 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:11 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:11 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:11 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:11 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:11 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:11 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:11 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:11 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:12 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:12 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:12 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:12 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:12 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:12 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:12 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:12 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:12 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:12 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:12 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:12 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:13 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:13 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:13 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:13 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:13 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:13 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:13 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:13 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:13 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:13 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:13 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:13 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:14 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:14 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:14 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:14 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:14 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:14 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:14 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:14 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:14 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:14 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:14 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:14 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:15 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:15 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:15 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:15 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:15 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:15 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:15 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:15 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:15 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:15 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:15 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:15 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:16 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:16 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:16 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:16 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:16 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:16 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:16 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:16 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:16 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:16 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:16 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:16 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:17 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:17 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:17 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:17 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:17 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:17 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:17 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:17 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:17 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:17 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:17 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:17 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:18 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:18 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:18 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:18 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:18 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:18 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:18 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:18 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:18 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:18 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:18 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:18 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:19 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:19 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:19 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:19 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:19 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:19 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:19 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:19 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:19 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:19 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:19 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:19 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:20 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:20 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:20 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:20 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:20 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:20 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:20 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:20 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:20 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:20 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:20 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:20 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:21 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:21 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:21 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:21 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:21 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:21 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:21 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:21 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:21 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:21 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:21 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:21 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:22 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:22 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:22 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:22 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:22 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
22:22 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
22:37 < UdontKnow> heh
22:52 < frankS2> h3h
22:58 -!- corretico__ [~laguilar@201.201.46.106] has joined ##openvpn
22:59 -!- corretico_ [~laguilar@201.201.46.106] has quit [Ping timeout: 246 seconds]
23:21 < ecrist> someone's have join/part problems.
23:55 -!- jfkw_ [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
--- Day changed Sat May 08 2010
00:31 -!- DrPepper [~DrPepper@88.207.188.176] has joined ##openvpn
00:57 -!- SkyTIME [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
01:01 -!- takamichi [~pri@94.75.217.249] has joined ##openvpn
01:17 -!- kloeri [kloeri@freenode/staff/exherbo.kloeri] has quit [Read error: Operation timed out]
01:17 -!- kloeri [kloeri@freenode/staff/exherbo.kloeri] has joined ##openvpn
01:59 -!- DrPepper [~DrPepper@88.207.188.176] has quit [Ping timeout: 245 seconds]
02:08 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
02:15 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:15 -!- mode/##openvpn [+o mattock] by ChanServ
02:30 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
02:34 -!- tiger2wander [~tiger2wan@123.30.181.4] has joined ##openvpn
02:34 < tiger2wander> Hi there
02:34 < tiger2wander> Is there anyway to figure out OpenVPN using LDAP as authentication back-end?
02:35 < tiger2wander> someone please help me
02:36 < tiger2wander> I'm setting up OpenVPN server on a Ubuntu server to provide VPN connection for a lots of clients with almost is windows and some are Ubuntu/Linux
02:38 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
02:48 -!- DrPepper [~DrPepper@88.207.188.176] has joined ##openvpn
02:58 -!- shady [~shan@WimaxUser3756-49.wateen.net] has joined ##openvpn
03:02 < tiger2wander> exit
03:02 -!- tiger2wander [~tiger2wan@123.30.181.4] has left ##openvpn ["Ex-Chat"]
03:05 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
03:06 -!- shady [~shan@WimaxUser3756-49.wateen.net] has left ##openvpn []
03:10 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Client Quit]
03:11 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
03:21 -!- kyrix [~ashley@194.48.133.8] has joined ##openvpn
03:24 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:41 < xNice> is there openvpn-as for debian lenny ?
03:44 < xNice> hello
03:50 -!- gallatin [~gallatin@188.109.207.194] has joined ##openvpn
04:15 -!- xNice [~Benz@62.150.228.225] has quit [Ping timeout: 264 seconds]
04:20 -!- zorzar_ is now known as zorzar
04:23 -!- DrPepper [~DrPepper@88.207.188.176] has quit [Quit: Leaving...]
05:04 -!- SkyTIME [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
05:25 -!- Netsplit *.net <-> *.split quits: g4tsu, dunc, freaky[t]
05:25 -!- Netsplit over, joins: freaky[t]
05:27 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has joined ##openvpn
05:27 -!- g4tsu [~g4tsu@ks301270.kimsufi.com] has joined ##openvpn
05:58 -!- gallatin [~gallatin@188.109.207.194] has quit [Quit: Client exiting]
06:06 -!- kloeri [kloeri@freenode/staff/exherbo.kloeri] has quit [Quit: brb]
06:14 -!- Netsplit *.net <-> *.split quits: ScriptFanix, stein0, zorzar, zamba, jupiter15, sno, magic_1, Rienzilla, mrnice1
06:14 -!- squidly [~squidly@HoodLUG/member/squidly] has quit [Read error: Operation timed out]
06:14 -!- squidly [~squidly@HoodLUG/member/squidly] has joined ##openvpn
06:19 -!- Netsplit over, joins: ScriptFanix, zorzar, magic_1, zamba, sno, Rienzilla, mrnice1, stein0
06:22 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined ##openvpn
06:26 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Client Quit]
06:26 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined ##openvpn
06:28 -!- jupiter15 [~jupiter@unaffiliated/jupiter15] has joined ##openvpn
06:37 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:34 -!- kyrix [~ashley@194.48.133.8] has quit [Quit: Leaving]
07:47 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 276 seconds]
07:47 -!- magic_1 [~magic@mail.pharmed.co.za] has joined ##openvpn
07:54 -!- magic_1 [~magic@mail.pharmed.co.za] has quit [Changing host]
07:54 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
08:00 -!- Netsplit *.net <-> *.split quits: ScriptFanix, stein0, zorzar, zamba, sno, Rienzilla, mrnice1
08:06 -!- Netsplit over, joins: ScriptFanix, zorzar, zamba, sno, Rienzilla, mrnice1, stein0
08:19 -!- DrPepper [~DrPepper@88.207.188.176] has joined ##openvpn
08:51 -!- APTXderZweite [~APTX@xtreeme.org] has joined ##openvpn
08:51 -!- SkyTIME [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:15 -!- AlexJ[CS]1 [~AlexJ@nat-249.cs.pub.ro] has joined ##openvpn
09:16 < AlexJ[CS]1> hello
09:16 < AlexJ[CS]1> how can i set up my vpn sever so it adds a iptables rule when the tap0 interface comes online?
09:24 -!- AlexJ[CS] [~AlexJ@nat-254.cs.pub.ro] has joined ##openvpn
09:27 -!- AlexJ[CS]1 [~AlexJ@nat-249.cs.pub.ro] has quit [Ping timeout: 276 seconds]
09:30 -!- AlexJ[CS] [~AlexJ@nat-254.cs.pub.ro] has quit [Ping timeout: 264 seconds]
09:39 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
10:20 -!- barefoot [~magic@41.123.143.216] has joined ##openvpn
10:23 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Disconnected by services]
10:24 -!- barefoot [~magic@41.123.143.216] has quit [Client Quit]
10:24 -!- magic_1 [~magic@41.123.143.216] has joined ##openvpn
10:25 -!- magic_1 [~magic@41.123.143.216] has quit [Changing host]
10:25 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
10:32 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 264 seconds]
10:39 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
10:46 -!- APTXderZweite [~APTX@xtreeme.org] has quit [Remote host closed the connection]
10:59 -!- xargs [~xargs@69.73.167.236] has quit [Ping timeout: 240 seconds]
11:00 -!- xargs [~xargs@69.73.167.236] has joined ##openvpn
11:05 -!- WormFood [~wormfood@116.30.179.66] has quit [Ping timeout: 245 seconds]
11:13 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
11:16 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
11:17 -!- WormFood [~wormfood@121.34.164.254] has joined ##openvpn
11:35 -!- xNice [~Benz@adsl4-93.qualitynet.net] has joined ##openvpn
11:36 < xNice> hello...i deleted iptables rules which has openvpn access server rules in it...how to restore them ?
11:39 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:39 < xNice> i got it sorry
11:41 < krzie> ecrist, just realized i never responded re: svn, yes of course you can!
11:42 < krzie> in fact these are released as public domain, you may do anything with/to them that you like =]
11:44 -!- SkyX [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:47 -!- SkyTIME [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
11:50 < krzie> who here wants to play with my configuration file generator?
12:15 -!- elliotdenk [~Adium@mario.edlabs.de] has joined ##openvpn
12:16 < elliotdenk> Hi, is it possible to push a client specific hostname using ccd from the server to each openvpn client?
12:33 < krzie> you mean specific I
12:33 < krzie> IP
12:33 < krzie> right?
12:34 < krzie> openvpn isnt a nameserver...
12:34 < krzie> !static
12:34 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
12:57 -!- elliotdenk [~Adium@mario.edlabs.de] has left ##openvpn []
13:06 < Bushmills> you can push an ip address
13:09 < krzie> right, vpnHelper just said how above
13:16 -!- SkyTIME [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:18 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
13:19 -!- SkyX [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
13:50 < Bushmills> was too late anyway
13:56 -!- takamichi [~pri@94.75.217.249] has quit [Ping timeout: 264 seconds]
14:25 -!- krzie [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
14:33 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
15:25 -!- magic_1 [~magic@41.123.181.171] has joined ##openvpn
15:25 -!- magic_1 [~magic@41.123.181.171] has quit [Changing host]
15:25 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
15:46 -!- Bloodsong [~Nimbus@69-165-217-17.dsl.teksavvy.com] has joined ##openvpn
15:50 -!- DrPepper [~DrPepper@88.207.188.176] has quit [Quit: Leaving...]
16:44 -!- SkyTIME [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
16:56 -!- Bloodsong [~Nimbus@69-165-217-17.dsl.teksavvy.com] has quit [Quit: Leaving]
17:03 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 252 seconds]
17:11 < krzee> !forget win_rollup
17:11 < vpnHelper> krzee: Error: You don't have the factoids.forget capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
17:12 < krzee> !forget win_rollup
17:12 < vpnHelper> krzee: Error: 2 factoids have that key.  Please specify which one to remove, or use * to designate all of them.
17:12 < Bushmills> rollup?
17:12 < krzee> !forget win_rollup
17:12 < vpnHelper> krzee: Error: 2 factoids have that key.  Please specify which one to remove, or use * to designate all of them.
17:12 < krzee> !forget win_rollup *
17:12 < vpnHelper> krzee: Joo got it.
17:13 < krzee> !learn win_rollup as please see http://www.secure-computing.net/wiki/index.php/HowTo_for_Windows_2 for dazo
17:13 < vpnHelper> krzee: Joo got it.
17:13 < krzee> err
17:13 < krzee> !forget win_rollup *
17:13 < vpnHelper> krzee: Joo got it.
17:18 < krzee> !learn win_rollup as please see http://www.secure-computing.net/wiki/index.php/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
17:18 < vpnHelper> krzee: Joo got it.
17:21 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
17:32 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
17:49 -!- cron2_ [~gert@kirk.greenie.muc.de] has joined ##openvpn
17:54 -!- Netsplit *.net <-> *.split quits: krzie, cron2
17:56 -!- xNice [~Benz@adsl4-93.qualitynet.net] has quit [Ping timeout: 240 seconds]
17:59 -!- Netsplit *.net <-> *.split quits: ScriptFanix, stein0, zorzar, zamba, sno, Rienzilla, buntfalke, mrnice1
18:00 -!- Netsplit over, joins: ScriptFanix, buntfalke, zorzar, zamba, sno, Rienzilla, mrnice1, stein0
18:00 -!- Netsplit *.net <-> *.split quits: ScriptFanix, stein0, zorzar, zamba, sno, Rienzilla, buntfalke, mrnice1
18:01 -!- Netsplit over, joins: ScriptFanix, buntfalke, zorzar, zamba, sno, Rienzilla, mrnice1, stein0
18:01 -!- xNice [~Benz@62.150.124.86] has joined ##openvpn
18:18 -!- jupiter15 [~jupiter@unaffiliated/jupiter15] has quit [Ping timeout: 248 seconds]
18:18 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 248 seconds]
18:36 -!- dougy [~me@ool-435033e6.dyn.optonline.net] has joined ##openvpn
18:37 < dougy> -NickServ- 22 failed logins since last login.
18:37 < dougy> o.O
18:37 < krzee> hah
18:37 < dougy> hmm
18:37 < dougy> krzee are you on a pc w/a gui
18:37 < dougy> ii never know with you
18:38 < krzee> im on a pc running osX
18:39 < krzee> hows the datacenter going?
18:41  * krzee starts a portupgrade -a
18:42 < krzee> that should keep that server busy for a long long time
18:42 < dougy> lol
18:42 < dougy> that server is still off
18:42 < dougy> krzee: http://zoomvps.com/matt_nooooo/
18:42 < vpnHelper> Title: ZoomVPS.com (at zoomvps.com)
18:42 < dougy> critique pls
18:44 < krzee> ahh it is down
18:44 < krzee> i was gunna ask that, lol
18:44 < dougy> it is not down
18:44 < dougy> oh that server
18:44 < krzee> ya
18:44 < dougy> yea its been off for ages
18:45 < dougy> ever sine i moved it to nj really
18:45 < krzee> thought so
18:45 < dougy> since
18:45 < dougy> i did need the power
18:45 < krzee> ahh cool
18:45 < krzee> its not in your way tho, right?
18:45 < dougy> nah they reserved whole rack for me
18:46 < krzee> nice =]
18:46 < dougy> http://www.upload3r.com/serve/080510/1273362367.jpg
18:46 < dougy> at tehe bottom of the rack
18:46 < dougy> that pic rather
18:46 < dougy> where that shit is piled on top of
18:46 < dougy> thats you
18:46 < krzee> oh dude if you want a presence in germany Bushmills mentioned a BADASS rate on a rack
18:46 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Read error: Connection reset by peer]
18:46 < dougy> yea, i got hookups
18:47 < dougy> rack with gbit dedicated of real good bw for 500
18:47 < dougy> lol
18:49 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
18:50 < krzee> whao nice
18:50 < dougy> yea
18:50 < dougy> but imma pass
18:50 < dougy> dc is a shit shack.. just good bw
18:50 < krzee> cool my server is like a shelf :)
18:50 < dougy> its just got some cables
18:50 < dougy> that 3u server is nice
18:50 < krzee> hey, i dont care what you stack on it
18:50 < dougy> its only half full and uses 2-3amps
18:51 < krzee> you can put a hamster cage on it for all i care
18:51 < krzee> heheheh
18:51 < dougy> ill keep that in mind
18:51 < krzee> :-p
18:51 < dougy> hrmmm
18:51 < dougy> my ex has a house to herself for a week and she invited me to come ther etomorrow
18:51  * dougy scratches chin
18:51 < krzee> uhhhh ohhhh
18:52 < krzee> dougy is gunna lose his virginity!
18:52 < dougy> already have bud
18:52 < dougy> lol
18:52 < krzee> but with a girl this time!
18:52 < krzee> :-p
18:53 < krzee> oh common, im just playin
18:53 < krzee> on your page
18:53 < krzee> i think mach x should look different
18:54 < krzee> it seemed to me that mach 1 had 25GB ram
18:54 < krzee> i was thinking "wtf"
18:54 < krzee> maybe put the labels on the left of the numbers
18:54 < krzee> like ram 0.25 storage 25GB etc
18:55 < dougy> hmm
18:56 < dougy> the layout forces it like that
18:56 < krzee> not if you change the layout, lol
18:56 < dougy> i dont feel like getting that deep into it
18:56 < krzee> cant be hard to change the order of things which already exist
18:56 < dougy> im working on launching xen VM's soon
18:56 < dougy> freebsd and shit
18:56 < dougy> win
18:57 < dougy> i wanna get some jquery in that layout
19:24 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
19:26 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
19:30 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
19:32 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
19:34 -!- Chaot_s [~1@d54C0C5DB.access.telenet.be] has joined ##openvpn
19:37 < dougy> http://www.dailymotion.com/video/xbopd5_jasondarulowhatchasayparodyrussia-r_music
19:37 < dougy> lmfao
19:37 < vpnHelper> Title: Dailymotion - JasonDaRuloWhatchaSayPARODYRussia~RuckaRuckaAli - a Music video (at www.dailymotion.com)
19:37 < dougy> russians
19:37 < dougy> dont watch
19:37 < dougy> please
19:37  * dougy doesnt want to get DDoS'd
19:50 -!- Chaot_s [~1@d54C0C5DB.access.telenet.be] has quit []
20:04 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:05 < ecrist> \o
20:05 < dougy> hi eric
20:07 < ecrist> sup, dood?
20:07 < dougy> not shit
20:07 < dougy> you
20:08 < ecrist> krzee: I already put it into svn - you're welcome to keep it up to date. ;)
20:08 < ecrist> dougy: going to BSDCan next week
20:08 < ecrist> should be fun, but I'm going the week of the month I'm a broke-ass
20:08 < krzee> right on
20:08 < dougy> lol
20:08 < ecrist> if Bushmills needs/wants access, I'll give it to him.
20:09 < ecrist> not looking forward to going out of the country with $200 cash and $300 on plastic
20:10 < krzee> what country is it in?
20:10 < ecrist> Canada
20:10 < ecrist> that's why it's called BSDCan
20:10 < ecrist> ;)
20:10 < dougy> i read BSDCon
20:10 < ecrist> ah
20:11 < ecrist> I wouldn't be a broke-ass if I hadn't bought my new MBP
20:13 < dougy> MBP?
20:13 < dougy> oh
20:13 < dougy> macb ook pro
20:13 < ecrist> aye
20:13 < krzee> ya i read bsdcon too, lol
20:24 -!- xNice [~Benz@62.150.124.86] has quit [Ping timeout: 276 seconds]
20:28 -!- xNice [~Benz@62.150.55.63] has joined ##openvpn
20:28 -!- zorzar_ [~zz@p4FFD30B3.dip.t-dialin.net] has joined ##openvpn
20:32 -!- zorzar [~zz@p4FFD1EE9.dip.t-dialin.net] has quit [Ping timeout: 276 seconds]
20:48 -!- zorzar_ is now known as zorzar
21:13 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
21:28 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
21:39 -!- y0tta [~y0tta@ip26.208-100-1.static.steadfast.net] has joined ##openvpn
21:40 -!- timburke [tim@ip197.67-202-95.static.steadfast.net] has joined ##openvpn
21:55 -!- dougy [~me@ool-435033e6.dyn.optonline.net] has quit []
22:02 < theDoc> Anyone has had the opportunity to install freenibs on an existing freeradius install before?
22:27 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
22:39 -!- SkyTIME [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
23:02 -!- SkyTIME [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
23:04 -!- y0tta [~y0tta@ip26.208-100-1.static.steadfast.net] has quit [Quit: y0tta]
23:31 -!- SkyTIME [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
23:46 -!- takamichi [~pri@78.133.92.164] has joined ##openvpn
23:47 < takamichi> hey, does anyone know where I can get info on specing a server to handle x number of concurrent connections?
--- Day changed Sun May 09 2010
00:05 < theDoc> ;D
00:06 < julius> either the openvpn or the iptables manpage
00:06 < julius> or neither
00:07 < julius> maybe some forwarding daemon or something like that, dunno
00:15 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
00:45 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 260 seconds]
00:50 -!- theDoc [~jaki@bb121-7-120-126.singnet.com.sg] has joined ##openvpn
00:50 -!- theDoc [~jaki@bb121-7-120-126.singnet.com.sg] has quit [Client Quit]
01:00 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:46 -!- jnss [janes@gateway/shell/sign.io/x-krajqtccmzimepfh] has quit [Read error: Connection reset by peer]
01:46 -!- jnss [janes@gateway/shell/sign.io/x-ntearvtvepeegpyt] has joined ##openvpn
01:53 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:53 -!- mode/##openvpn [+o mattock] by ChanServ
03:06 -!- Gnewt [~hackerlet@li57-94.members.linode.com] has joined ##openvpn
03:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:50 < Gnewt> I have a box (192.168.1.1) in one of my VPN client's LANs. How do I get my client to route a VPN IP to 192.168.1.1?
04:09 < Bushmills> Gnewt: by putting openvpn on the client
04:22 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
04:28 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
04:56 -!- Perun_ [~perun@2001:6f8:1316:1234:216:3eff:fe07:3160] has quit [Ping timeout: 260 seconds]
05:37 -!- Perun_ [~perun@2001:6f8:1316:1234:216:3eff:fe07:3160] has joined ##openvpn
05:44 -!- Perun_ [~perun@2001:6f8:1316:1234:216:3eff:fe07:3160] has quit [Quit: Lost terminal]
07:07 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 260 seconds]
07:09 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
07:18 -!- SkyTIME [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
08:40 -!- xNice [~Benz@62.150.55.63] has quit []
08:45 -!- hillbicks [~foo@rotterdam.perfect-privacy.com] has joined ##openvpn
08:45 < hillbicks> !welcome
08:45 < vpnHelper> hillbicks: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:46 -!- hillbicks [~foo@rotterdam.perfect-privacy.com] has left ##openvpn []
09:32 -!- Steph_ [~Mikes@64.120.179.218] has joined ##openvpn
09:32 < Steph_> !welcome
09:32 < vpnHelper> Steph_: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:33 < Steph_> !goal
09:33 < vpnHelper> Steph_: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:34 < Steph_> I want to keep existing connections when i start openvpn. can anyone help?
09:43 -!- Steph_ [~Mikes@64.120.179.218] has quit [Quit: Leaving]
09:55 -!- y0tta [~y0tta@ip12.208-100-1.static.steadfast.net] has joined ##openvpn
10:07 -!- mutex [~mutex@67-23-13-54.static.slicehost.net] has joined ##openvpn
10:10 < mutex> When I try to run network traffic for networks on the opposite side of VPNs
10:10 < mutex> I get duplicate ping packets:
10:10 < mutex> 08:10:07.131720 IP 10.8.1.6 > 192.168.17.1: ICMP echo request, id 43038, seq 9, length 64
10:10 < mutex> 08:10:07.270038 IP 10.8.1.6 > 192.168.17.1: ICMP echo request, id 43038, seq 9, length 64
10:10 < mutex> Did I do something wrong ?
10:31 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
11:02 -!- Krikke [~ixevix@62.142.105.142] has quit [Ping timeout: 276 seconds]
11:03 -!- Krikke [~ixevix@62.142.105.142] has joined ##openvpn
11:05 -!- WormFood [~wormfood@121.34.164.254] has quit [Ping timeout: 246 seconds]
11:13 -!- VirusTB [~VirusTB@thetouch.demon.nl] has joined ##openvpn
11:17 -!- WormFood [~wormfood@121.15.47.188] has joined ##openvpn
11:35 -!- Hypnoz [~X@adsl-99-35-229-249.dsl.pltn13.sbcglobal.net] has joined ##openvpn
11:46 -!- VirusTB [~VirusTB@thetouch.demon.nl] has quit [Quit: VirusTB]
12:02 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
12:11 -!- vegar_ [~vegar@123.84-49-126.nextgentel.com] has joined ##openvpn
12:12 < vegar_> quick question: What role has as0t0 opposed to tun0? OpenVPN creates both interfaces but only on one end
12:12 < vegar_> the other end only creates tun0
12:22 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:29 -!- vegar_ [~vegar@123.84-49-126.nextgentel.com] has quit [Quit: leaving]
12:39 -!- ChrisandRon [~quassel@142-165-27-211.estv.hsdb.sasknet.sk.ca] has joined ##openvpn
12:43 -!- ChrisandRon [~quassel@142-165-27-211.estv.hsdb.sasknet.sk.ca] has quit [Remote host closed the connection]
12:44 -!- cjae_ [~quassel@142-165-27-211.estv.hsdb.sasknet.sk.ca] has joined ##openvpn
13:12 -!- cjae_ [~quassel@142-165-27-211.estv.hsdb.sasknet.sk.ca] has quit [Remote host closed the connection]
13:16 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:16 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 268 seconds]
13:16 -!- y0tta [~y0tta@ip12.208-100-1.static.steadfast.net] has quit [Quit: y0tta]
13:17 -!- dazo_h [~dazo@ip4-83-240-69-215.cust.nbox.cz] has joined ##openvpn
13:19 -!- thisguy [~quassel@142-165-27-211.estv.hsdb.sasknet.sk.ca] has joined ##openvpn
13:20 -!- thisguy [~quassel@142-165-27-211.estv.hsdb.sasknet.sk.ca] has quit [Remote host closed the connection]
13:21 -!- cjae [~quassel@142-165-27-211.estv.hsdb.sasknet.sk.ca] has joined ##openvpn
13:40 -!- dazo_h [~dazo@ip4-83-240-69-215.cust.nbox.cz] has quit [Quit: Leaving]
13:41 -!- Gnewt [~hackerlet@li57-94.members.linode.com] has left ##openvpn []
13:54 -!- SkyTIME [~SkyB0x@212.235.177.25] has joined ##openvpn
14:04 < krzie> lol
14:04 < krzie> i bet he only waited 17 minutes cause he realized as0t0 was not from openvpn
14:07 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
14:15 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
14:22 < krzie> oh maybe im wrong, i guess as0t0 is for AS
14:22 < krzie> (or maybe not, but that all i see for as0t0 in google)
14:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
14:44 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
14:46 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
14:47 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
14:49 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
14:50 -!- Hypnoz [~X@adsl-99-35-229-249.dsl.pltn13.sbcglobal.net] has quit [Ping timeout: 276 seconds]
14:56 -!- cjae [~quassel@142-165-27-211.estv.hsdb.sasknet.sk.ca] has quit [Remote host closed the connection]
15:19 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Read error: Connection reset by peer]
15:22 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
15:26 -!- SkyTIME [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
15:31 < zamba> if i want to tunnel ALL my traffic out through my vpn tunnel.. what's the best way of doing that?
15:31 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit []
15:32 < krzee> !redirect
15:32 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
15:34 < zamba> !def1
15:34 < vpnHelper> zamba: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
15:34 < zamba> and this is a server-side option?
15:35 < zamba> i can include that in a ccd to make it client-specific?
15:37 < krzee> you can put it in the client config
15:37 < krzee> however, you most certainly need ipforwarding enabled and NAT on the server
15:38 < zamba> yup
15:38 < zamba> thanks :)
15:38 < krzee> np
15:39 < krzee> for the record, if you were to put it in the server config, youd need to use push
15:39 < krzee> you can push many options from server to client
15:39 < krzee> !push
15:39 < vpnHelper> krzee: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
15:42 < zamba> what do you mean?
15:42 < zamba> so i can add it client-side?
15:42 < zamba> redirect-gateway def1
15:42 < krzee> yes its a client side option
15:43 < krzee> in order to use it in server config, if that was what you wanted, you would need to push it
15:43 < zamba> ah
15:43 < zamba> no, i want to define it on the client
15:43 < zamba> let's try
15:43 < krzee> just wanted to tell you for your own knowledge :)
15:45 < zamba> hehe, thanks again :)
15:46 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
15:47 < krzee> np
15:50 < zamba> getting lousy performance, though
15:50 < zamba> only getting 2 mbit
16:19 -!- Hypnoz [~X@adsl-99-35-229-249.dsl.pltn13.sbcglobal.net] has joined ##openvpn
16:20 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
16:21 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
16:21 -!- mode/##openvpn [+o mattock] by ChanServ
16:21 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Client Quit]
16:57 -!- Hypnoz [~X@adsl-99-35-229-249.dsl.pltn13.sbcglobal.net] has quit [Ping timeout: 252 seconds]
17:05 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
17:05 -!- krzee [~k@unaffiliated/krzee] has quit [Quit: Leaving]
17:09 -!- mutex [~mutex@67-23-13-54.static.slicehost.net] has left ##openvpn []
17:11 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
17:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
17:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
17:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
17:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
17:49 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has joined ##openvpn
17:49 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit []
18:23 -!- Tim-7967 [~Tim@opennic/Tim-7967] has joined ##openvpn
18:24 < Tim-7967> !wecome
18:24 < vpnHelper> Tim-7967: Error: "wecome" is not a valid command.
18:24 < Tim-7967> !welcome
18:24 < vpnHelper> Tim-7967: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:24 < krzee> !goal
18:24 < Tim-7967> err... :P
18:24 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
18:25 -!- Tim-7967 [~Tim@opennic/Tim-7967] has left ##openvpn ["Leaving"]
18:25 < Bushmills> that scared him
18:25 < krzee> lol
18:25 < Bushmills> existential questions, those
18:26 < Bushmills> "what's my goal? What's my purpose? Why am I here at all? Do I even exist?"
18:27 < krzee> solipsism
18:27 < krzee> hehe
18:29 < Bushmills> "Isn't it statistically of much higher probability that we're just emulated in a Matrix kind of environment?"
18:30 < Bushmills> after all, te sum of all humans ever considered to have lived is a tiny number compared to the number od potential simulacrons
18:31 < Bushmills> potentially emulated minds in simulacrons .. 
18:45 < ecrist> for the record, the triplehead2go doesn't work well with Dual DVI + automatic graphics switching on my new MBP
18:45 < ecrist> sorry, wrong chan.
18:48 -!- frankS2 [frank@unaffiliated/franks2] has quit [Ping timeout: 246 seconds]
18:59 -!- Gabe_G23 [~gabe@bzflag/player/GabrielG] has quit [Remote host closed the connection]
19:42 < krzee> ecrist, i was on xxx, forgot bout your ftp mirror, typed `last` and almost had a heart attack
19:42 < krzee> lol
19:43 < ecrist> lol
19:43 < krzee> then i promptly remembered, and returned to normality
19:43 < ecrist> as I look at 'last,' I can understand why!
19:44 < ecrist> I can turn off wtmp reporting in proftp, if you want.
19:44 < krzee> either way
19:44 < krzee> makes no biggie to me, i just thought youd get a chuckle from that
19:44 < ecrist> chuckle, I did.
19:44 < ecrist> :)
19:45 < ecrist> krzee: do you back that box up, or want it backed up/
19:45 < ecrist> ?
19:45 < krzee> nope
19:45 < krzee> theres nothing special on it
19:46 < krzee> all its used for is your backup ftpd and for me to bounce through to IRC smoetimes
19:46 < krzee> sometimes*
19:47 < ecrist> ok
20:07 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 265 seconds]
20:19 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has quit [Ping timeout: 240 seconds]
20:32 -!- zorzar [~zz@p4FFD30B3.dip.t-dialin.net] has quit [Ping timeout: 246 seconds]
20:33 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has joined ##openvpn
20:34 -!- zorzar [~zz@p4FFD191B.dip.t-dialin.net] has joined ##openvpn
20:43 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
20:46 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
20:55 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
21:27 < krzie> !win_rollup
21:27 < vpnHelper> krzie: "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
21:41 < krzie> !forget win_rollup
21:41 < vpnHelper> krzie: Joo got it.
21:42 < krzie> !learn win_rollup as please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
21:42 < vpnHelper> krzie: Joo got it.
22:18 -!- Scynix [~nburr@ip67-90-82-68.z82-90-67.customer.algx.net] has joined ##openvpn
22:21 < Scynix> Can someone advise me what I can do or where I can start troubleshooting, to determine why a system can connect, access the local network its connected to, but can't access the internet itself? The connecting machine, running windows, says the connection is local only.
22:22 -!- Omancho [~Omancho@ip70-187-165-232.oc.oc.cox.net] has joined ##openvpn
22:34 < krzie> we are talking about something using oenvpn, right?
22:34 < krzie> openvpn
22:35 < krzie> !redirect
22:35 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
22:35 < krzie> is this what you want?
22:37 < Scynix> Yeah. I followed the guide on openvpn's site for a tap adapter, bridged to the eth0, and set up redirect-gateway. I can connect just fine. On the client I can ipconfig and see the network addresses just fine. It just... doesn't go anywhere. I can only communicate with the vpn's network, not actually out to the net. I'm trying to figure out where I can start looking to figure out why.
22:41 < krzie> why are you bridging?
22:42 < krzie> try this
22:42 < krzie> tell me what you think
22:42 < krzie> !confgen
22:42 < vpnHelper> krzie: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
22:42 < krzie> unless you need a bridge for a specific layer2 protocol
22:47 < rob0> Seems to me a significant majority of the people who come in here asking questions are trying to do bridging. A minority (if ANY) of the people *answering* questions do bridging.
22:48 < krzie> ecrist does it
22:48 < rob0> and I'll bet I've already made that observation here before
22:48 < krzie> but ya, its rarely needed and often documented
22:48 < krzie> which leads to people using it by default instead of deciding which to use based on informed decision
22:49 < rob0> yeah, that's kind of what I'm thinking, but I don't know why/how tap is a default.
22:50 < krzie> google with basic terms
22:50 < krzie> so many random guides on bridging
22:50 < krzie> none advise which to do
22:51 < rob0> Sounds like draft beer, whereas tun sounds like what you weigh after drinking too much draft beer.
22:51 < krzie> hah
22:52 < krzie> the site does say bridging is easier to setup
22:52 < krzie> i dunno, ild have to disagree and say routing should be easy to setup
22:52 < rob0> yeah, I don't think bridging is necessarily easier either.
22:58 < Scynix> krzie, I just followed directions on bridging to allow an external system to pass all tis information through the openvpn server- not any particular reason. I don't believe the bridge is even the issue, though. 
23:00 < Scynix> My goal is to allow my windows laptop to connect to my debian box at home, and get access to the local network AND the internet through that connection. The only, recent, updated guide I could find used tap instead of tun.
23:00 < krzie> well here you go
23:00 < krzie> !confgen
23:00 < vpnHelper> krzie: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
23:01 < krzie> this will set that up for you with tun =]
23:01 < krzie> just follow what it says, working setup
23:01 < krzie> rather, answer its questions
23:01 < Scynix> Alright, I'll try it. I don't understand exactly why the implication would be that my configuration is incorrect, since I can connect just fine, and get a IP address for the VPN, and access the VPN's network
23:02 < krzie> supports lans behind openvpn nodes, and redirecting all traffic over server
23:02 < krzie> im not, i want someone to try my config generator!
23:02 < krzie> heheh
23:02 < krzie> people have tested it, not sure how many have used it
23:03 < krzie> :-p
23:03 < krzie> v.2 will make the certs  and package it all too
23:03 < krzie> with crl management and all
23:04 < krzie> (all cert stuff via ecrist's ssl-admin once he rewrites it out of perl)
23:08 < krzie> ild help you with the bridge if i knew anything about it, but i can help you accomplish it with routing which is better anyways if using IP traffic
23:16 -!- Omancho [~Omancho@ip70-187-165-232.oc.oc.cox.net] has left ##openvpn []
23:25 < Scynix> Well, I'll give it a try. Am I going to need to run this thing on both the server and the client?
23:34 < krzie> nope
23:34 < krzie> it will output files for both
23:34 < krzie> from 1 run
23:35 < krzie> as many clients as desired
23:41 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has quit [Ping timeout: 245 seconds]
23:42 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
23:45 < krzie> just run ./confgen
23:48 < Scynix> yeah figured that out.. saw three shell files and went with the generic one
23:48 < krzie> all 3 need +x
23:48 < Scynix> It didn't really explain anything about tun, or why the conf file is named differently than what the linux autostart script expects ;d
23:48 < krzie> the linux autostart scripts do *.conf
23:49 -!- rgubler [rob@happybox.org] has quit [Quit: leaving]
23:49 < Scynix> oh, never noticed that. Good point.
23:49 < krzie> windows does ovpn
23:52 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
23:52 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
23:56 < Scynix> openvpn failed to start using the conf flie
23:56 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
23:57 < Scynix> Don't see any reason in the logs x_X
--- Day changed Mon May 10 2010
00:06 < krzie> are the cert files named right?
00:07 < Scynix> Yep. Verified it myself.
00:07 < Scynix> thought maybe I mistyped. I can't find a log that even says why it's failing
00:07 < krzie> !logs
00:07 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
00:07 < Scynix> syslog shows it gets up to making the status_file then nothing
00:08 < krzie> !forget logs *
00:08 < vpnHelper> krzie: Joo got it.
00:08 < krzie> !learn logs as is please pastebin your logfiles from both client and server with verb set to 5
00:08 < vpnHelper> krzie: Joo got it.
00:09 < Scynix> You're confusing me with the crazy bot.
00:09 < krzie> !learn logs as In Tunnelblick, right-click and select copy to copy log text to clipboard.
00:09 < vpnHelper> krzie: Joo got it.
00:09 < krzie> sorry
00:09 < krzie> but ya
00:09 < krzie> pastebin your logs with verb 5
00:09 < Scynix> Is there a location openvpn would write to about why it failed to start?
00:09 < krzie> try log filename in your config
00:09 < krzie> then start it with verb set to 5 in the config
00:10 < krzie> pastebin the file
00:11 < Scynix> designated "log openvpn.log" in the conf, restarted, no file made.
00:12 < krzie> you did it below to cd line?
00:12 < krzie> below the cd line*
00:13 < Scynix> ah, thanks
00:13 < Scynix> thought I put it before the line
00:23 < Scynix> appparently its' defaulting to a tls key that I don't have in the openvpn setup, last conf file didn't need one
00:30 < krzie> !hmac
00:31 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
00:31 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
00:31 < krzie> see #2
00:31 < krzie> needs to be the same file on all sides
00:32 < krzie> soon it will make all the certs and everything so it wont matter
00:32 < Scynix> Well, I created the key before you did that, but it's still failing. 
00:33 < krzie> well, ive been waiting for your log for 23 minutes
00:33 < Scynix> wrong failing
00:33 < Scynix> I fixed the starting fali
00:33 < Scynix> Once you pinte dout the location I corrected that
00:33 < Scynix> crud I can't type at all apparently
00:33 < Scynix> anyways, I can start it just fine now
00:34 < Scynix> the client is getting "TLS Error: TLS key engotatin flied to occur within 60 seconds", so I looked that up, and the only solution recommendations I can find tell me to forward ports- but if the ports weren't forwarded I wouldnt' be able to connect to begin with.
00:34 < Scynix> IE, I already did.
00:34 < krzie> you using 2.1?
00:34 < krzie> openvpn --version
00:35 < Scynix> Yes.
00:35 < krzie> both sides?
00:35 < Scynix> Yes.
00:35 < krzie> pastebin
00:35 < krzie> lol
00:35 < krzie> im not even trying to keep guessing your roblems
00:36 < Scynix> what am I pastebinning? The log file doesn't even show the tls error
00:36 < krzie> !logs
00:36 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
00:36 < Scynix> yeah, ok, I get that, you want a log, I'm trying to tell you, the only logs I can post, don't mention the error at all.
00:37 < krzie> then you have the port/protocol firewalled off
00:37 < krzie> if it says nothing and the server doesnt see an attempt
00:37 < krzie> but with 1 line from 1 file, its hard to tell you whats going on
00:37 < Scynix> the server is seeing the attempt to connect, not the tls issue
00:38 < Scynix> And that line wasn't from a file, it's from the client status
00:38 < krzie> client status!?
00:38 < krzie> status files dont say anything useful
00:38 < krzie> you want the log
00:38 < Scynix> norly.
00:39 < Scynix> is the TLS auth going to be passed by tcp or udp? do you know?
00:40 < krzie> which protocol did you select?
00:40 < Scynix> The default. 
00:40 < krzie> udp
00:40 < krzie> im getting trolled here huh
00:41 < Scynix> No krzie, you aren't. I'm just not mentally handicapped. I understand you're trying to help, and I really appreciate it, genuinely
00:41 < Scynix> but once you reminded me I blanked out and put the log in the wrong location I was easily able to identify and correct the problem, which is why I didn't post the log
00:42 < Scynix> Unfortunately, now that the server is running, when I try to connect with the client, it finds the server, tries to connect, then idles for 60~ seconds and fails
00:42 < Scynix> Due to the TLS
00:42 < Scynix> I'm looking at the logs to find anything that would be relevant
00:42 < Scynix> unfortunately the server log says nothing about the tls negotation failure, just the connection/disconnectin
00:43 < krzie> whatever
00:43 < krzie> bye
00:43 < krzie> ill come back when they are up
00:44 < Scynix> the old conf file was using tcp and could connect fine- if I swapped from udp to tcp would that give any notification?
00:45 < Scynix> that worked, guess the udp port is blocked where I am
00:46 < Bushmills> (07:37:04) krzie: then you have the port/protocol firewalled off
00:47 < Scynix> Bushmills, on the client side, not the server. I'm working remotely.
00:47 < Scynix> Though, unfortunately, after all that, it's still the same issue I had with the tap setup
00:47 < Scynix> I can connect, I can ping the vpn server from within the vpn, but I can't access the internet itself
00:47 < krzie> server has NAT setup?
00:47 < Bushmills> !redirect
00:47 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
00:48 < Bushmills> !nat
00:48 < vpnHelper> Bushmills: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
00:48 < Scynix> krzie, would I need to re-do it if I'm not using the tap now?
00:48 < Bushmills> unrelated to your other problem.
00:48 < Bushmills> if you can ping vpn server through vpn, vpn works
00:48 < krzie> Scynix,
00:48 < krzie> !linnat
00:48 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
00:49 < Scynix> the default gateway is blank
00:49 < Bushmills> if you can't access internet, it is your setup problem 
00:49 < krzie> !def1
00:49 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
00:49 < Scynix> I didn't change your generation file
00:49 < krzie> oh right
00:49 < krzie> then its there
00:49 < krzie> oh and why am i back
00:49 < krzie> still no logs
00:50 < Scynix> will a log explain why I can't access the internet through the vpn? o_O
00:50 < krzie> it will explain what is being changed in the routing table
00:50 < Scynix> Which log do you need?
00:50 < krzie> i showed you the nat entry
00:50 < Scynix> the server log?
00:50 < krzie> and
00:50 < krzie> !inipforward
00:50 < vpnHelper> krzie: Error: "inipforward" is not a valid command.
00:50 < krzie> !linipforward
00:50 < vpnHelper> krzie: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
00:50 < krzie> those are the only 3 things needed
00:50 < Scynix> yeah ipforward is set already
00:51 < Scynix> the file contains "1"
00:51 < krzie> !iptables
00:51 < vpnHelper> krzie: "iptables" is (#1) o test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT;, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-
00:51 < vpnHelper> krzie: computing.net/wiki/index.php/OpenVPN/Firewall
00:51 < krzie> !linnat
00:51 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
00:51 < Scynix> If I may ask, should the vpn server's gateway be totally blank ?
00:51 < Bushmills> !nutshell
00:51 < vpnHelper> Bushmills: Error: "nutshell" is not a valid command.
00:51 < Scynix> er, not server
00:51 < Scynix> cliient
00:51 < Scynix> The clients gateway is totally blank.
00:51 < Scynix> despite the def1
00:51 < krzie> no log, no answers
00:51 < krzie> :-p
00:52 < Bushmills> "fix it"
00:52 < Scynix> I swear you better get magic cookies out of this log for how big of a deal you're making out of it
00:52 < krzie> its been 47 minutes since i first asked to see a log
00:52 < krzie> we've guessed everything so far
00:52 < krzie> hah
00:52 < Scynix> and I fixed the original issues already
00:52 < krzie> ok how bout you hel you then
00:52 < Scynix> and now I'm back to square 1
00:52 < krzie> help*
00:52 < krzie> bbl
00:52 < Scynix> Instead of on my conf, I'm on your conf
00:52 < Scynix> with the exact same issue.
00:53 < Bushmills> (07:37:04) krzie: then you have the port/protocol firewalled off
00:53 < krzie> which i would have answered about 15 minutes faster with a log
00:53 < Scynix> the port/protocol firewall is preventing me from accessing the internet through the vpn, despite the vpn itself being able to access the internet, and my client being able to connect to the vpn?
00:53 < krzie> no, your lack of posting logs is
00:53 < Bushmills> nope
00:54 < krzie> basically heres how it works
00:54 < krzie> you come here, ask questions
00:54 < krzie> people tell you what they need, in order to help you
00:54 < Bushmills> (07:48:39) Bushmills: if you can ping vpn server through vpn, vpn works
00:54 < Scynix> Ok
00:54 < Scynix> Stop already, I understand, I'm getting your log right now
00:54 < krzie> you provide those, they try to help for free
00:54 < krzie> lol
00:54 < krzie> welcome to irc
00:55 < Scynix> I've been on IRC for years, but I've never been to a channel that immediately assumed I couldn't read.
00:56 < krzie> ive been helping people for yrs, ive never seen someone ask for help but only show you what they want to instead of what asked for
01:00 < Scynix> http://pastebin.com/2uhDSauP
01:04 < Scynix> So, what am I looking for in that log that will explain to me why the client can't reach the internet, but can communicate with the network itself just fine?
01:16 < Scynix> The client, when I run ipconfig, shows no gateway, and the dns entries are ipv6 entries
01:17 < Scynix> ip_forward is set to 1 (enabled), iptables has the 10.8.1.x postrouting/masquerade set.
01:20 < krzie>    - Unknown paste ID, it may have expired or been deleted!
01:20 < Scynix> oi, I'll try again
01:21 < Scynix> oh, nevermind, typed it wrong : http://pastebin.com/2uhD5auP
01:21 < krzie> you typed it?
01:21 < Scynix> yeah, working on three systems. The system that posted the log isn't on irc
01:22 < Scynix> I typed the address wrong, I mean.
01:33 < Scynix> thoughts?
01:38 < Scynix> !man --redirect-gateway
01:38 < vpnHelper> Scynix: Error: "man" is not a valid command.
01:40 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
01:47 < Scynix> are you still there, krzie?
01:47 < Scynix> I have a question about routing.
01:48 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
01:56 < krzie> !samesubnet
01:56 < vpnHelper> krzie: "samesubnet" is clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
01:56 < Scynix> ?
01:56 < Scynix> I'm not on the same subnet
01:57 < Scynix> I'm not even in the same building as the server.
01:58 < Bushmills> "subnet" does not just related to a strand of wire
01:58 < krzie> you are pushing a route for 192.168.1.0 to go over the lan
01:58 < Bushmills> relate
01:58 < krzie> if client connects from a lan of that subnet, you will break stuff
01:59 < krzie> in fact my config generator told you that
02:00 < Scynix> alright, I'll try again, and explain it in simpler terms. I'm not just in a different building, I'm on a completely different network. A network that uses a completely different subnet.
02:01 < Scynix> Not just a different subnet- a different everything. The server uses 192.168.1.*, 255.255.255.0. The client uses 172.20.217.*,255.255.252.0
02:01 < Scynix> So which one are you implying is the same?
02:01 < krzie> i had to keep guessing, because of the lack of info given
02:02 < Scynix> Didn't I just give you a log?
02:02 < krzie> 1 side
02:02 < Scynix> And tell you I know how to read?
02:02 < Scynix> And as you stated yourself
02:02 < krzie> evidently you dont
02:02 < Scynix> your own config says it can't be the same
02:02 < krzie> !logs
02:02 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
02:02 < krzie> see how it says client and server?
02:03 < krzie> goodnight
02:03 < Scynix> Ah, yes, because you failed to find anything on the server, which is where theissue is
02:03 < Scynix> Thank you for attempting to help.
02:03 < Bushmills> krzie: suffering from compulsive need to help syndrome? 
02:03 < krzie> bored watching stuff compile
02:03 < Bushmills> ah. that slow machine?
02:04 < krzie> aye
02:04 < Bushmills> distributed compilation not an option?
02:04 < krzie> not a big deal really
02:04 < krzie> rarely ever need to do stuff on it
02:04 < Scynix> brb
02:04 -!- Scynix [~nburr@ip67-90-82-68.z82-90-67.customer.algx.net] has quit [Quit: Leaving.]
02:04 < krzie> it just sits there analyzing stuff
02:05 < krzie> i really think that guy just trolled the shit outta me
02:05 < Bushmills> but it does so with vigor
02:06 < Bushmills> don't think so
02:08 < Bushmills> looked like he was in that difficult phase where one has the feeling of being not far from mastering it but real world observations just don't much that mental image yet 
02:09 < Bushmills> so he thinks he knows what ain't the problem, or what isn't needed to pinpoint the problem, but that there's just a tiny neglectancy on config or such.
02:09 < krzie> but its kinda anti-helpable
02:10 < Bushmills> so he sort of thought to knew what wasn't needed on order to diagnose the  problem with is setup
02:10 < Bushmills> know
02:11 < Bushmills> grr.. s/much/match;s/with is/with his/
02:11  * Bushmills seems to suffer from caffeine deficiency
02:12 < krzie> he said the client has no route, then scoffed at the need for client log
02:12 < krzie> Sun May  9 15:57:05 2010 us=362745 Darkschism/67.90.82.68:30886 SENT CONTROL [Darkschism]: 'PUSH_REPLY,redirect-gateway def1,route 192.168.1.0 255.255.255.0,route-gateway 10.8.1.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.1.2 255.255.255.0' (status=1)
02:12 < krzie> heh
02:16 -!- dazo_afk is now known as dazo
02:36 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:40 -!- Scynix [~Scynix@24.234.137.70] has joined ##openvpn
02:41 < Scynix> I realized while travelling to my next location that perhaps your hostility stems from a lack of proper explanation on my part. I don't want you to fix the issue *for me*. I just want to know where I should be looking or what I should be doing in order to identify the issue *myself*. If you're still alive, at any rate.
02:43 -!- SkyTIME [~SkyB0x@193.2.72.254] has joined ##openvpn
02:50 < Scynix> So I will attempt to ask what I asked when I first joined the channel hours ago. How can I ago about identifying what may be causing my client(s) to be unable to pass through the server to the internet itself, but can access the local network just fine? Thank you again.
02:53 < Bushmills> !redirect
02:53 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
02:53 < Bushmills> !def1
02:53 < vpnHelper> Bushmills: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
02:53 < Bushmills> !nat
02:53 < vpnHelper> Bushmills: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
02:54 < Bushmills> !nutshell
02:54 < vpnHelper> Bushmills: Error: "nutshell" is not a valid command.
02:55 < Bushmills> http://scarydevilmonastery.net/masq
02:55 < Scynix> Yes.. that's all fantastic. What about if I can ping the ip address of google but I can't actually resolve it? As if the DNS isn't resolving?
02:55 < Bushmills> !dns
02:55 < vpnHelper> Bushmills: "dns" is (#1) Level3 open recursive DNS server at 4.2.2.1, or (#2) Google open recursive DNS server at 8.8.8.8
02:56 < Bushmills> what name server is supposed to resolve for you?
02:56 < Scynix> Yeah, or I can just use opendns- that's not the problem. Oi.
02:56 < Bushmills> openvpn is not a name server, you know?
02:56 < Scynix> The server that openvpn is ON *is* a name server
02:56 < Scynix> it can resolve domains on its own
02:57 < Bushmills> then fix your config such that your clients use it
02:57 < Scynix> Shouldn't his auto config have taken that into accuont?
02:57 < Bushmills> no. why?
02:57 < Scynix> Because it's an autoconfig.
02:57 < Scynix> It kind of removes the point of autoconfig if it isn't going to work on its own.
02:58 < Bushmills> i assume the config assumes that you have a proper resolving setup already
02:58 < Bushmills> it is a vpn config, not a name server config, after all
02:58 < Scynix> You don't have to be hostile, you know.
02:58 < Scynix> Alright, now my head hurts. And what is a proper resolving setup, exactly? opendns specificallys tates itself that it will pass DNS queries through the vpn if the vpn is used for the route
02:59 < Bushmills> it is more likely to break if it assumes that the vpn server also doubles as name server
02:59 < Bushmills> yes. queries.  what name server is queried by your client?
02:59 < Bushmills> it doesn't say "queries a different name server than it would without openvpn"
03:00 < Bushmills> queries go to same name server as before, only through different route (through openvpn)
03:00 < Scynix> Forgive me, but I believe you are not understanding me. The client uses a virtual adapter to create the vpn connection. That adapter itself would have to have its own dns servers, would it not?
03:00 < Scynix> Associated with it, at least.
03:00 < Bushmills> no. hosts use name servers. not adapters
03:01 < Scynix> And when the system is set to automatic dns resolution?
03:01 < Scynix> where is it acquiring the dns servers from, praytell?
03:01 < Bushmills> then it requests a resolver address from dhcp server
03:01 < Scynix> and in a vpn setup, whats the dhcp server?
03:01 < Bushmills> dhcp requests are broadcasts
03:02 < Bushmills> any dhcp server on the segment will reply
03:02 < Bushmills> !dns-option
03:02 < vpnHelper> Bushmills: Error: "dns-option" is not a valid command.
03:03 < Bushmills> look at man page. read about  push "dhcp-option dns"
03:03 < Bushmills> !dhcp-option
03:03 < vpnHelper> Bushmills: Error: "dhcp-option" is not a valid command.
03:04 < Scynix> Yeah, it's fine, I already figured it out on my own after you dodged answering the question. Thank you for that rousing game.
03:05 < Bushmills> you know what? i won't dodge any answers from you. i will just let you help yourself.
03:05 < Bushmills> !howto
03:05 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:06 < Scynix> You don't have to. I've already resolved the problem. Thanks though. The hostility in this channel helped me focus on finding somewhere with people that were less, uhh... what would be the word, pretentious?
03:06 < Scynix> In the future I'd advise you help someone learn how to fix things on their own rather than browbeat them into letting you fix it for them.
03:06 < Bushmills>  /ignored
03:07 < Scynix> That's a crying shame. Thanks for nothing anyways, though. It's appreciated.
03:07 -!- Scynix [~Scynix@24.234.137.70] has left ##openvpn []
03:28 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
03:37 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
03:37 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:41 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
03:43 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
03:48 -!- d12fk [~heiko@vpn.astaro.de] has quit [Remote host closed the connection]
03:51 -!- d12fk [~heiko@vpn.astaro.de] has joined ##openvpn
04:05 -!- massoud [~massoud@unaffiliated/massoud] has quit [Ping timeout: 258 seconds]
04:14 -!- fremo__ [~fremo@noc.toile-libre.net] has quit [Read error: No route to host]
04:14 -!- zero-_ [~zero@noc.toile-libre.net] has quit [Read error: No route to host]
04:14 -!- zero-_ [~zero@noc.toile-libre.net] has joined ##openvpn
04:14 -!- fremo__ [~fremo@noc.toile-libre.net] has joined ##openvpn
04:22 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
04:23 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Client Quit]
04:24 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
04:25 -!- raw_ [~raw@chipotle118.server4you.de] has joined ##openvpn
04:26 < raw_> is it possible to push a route including a netmask to client? i want to explude some ips from being routet through the VPN
04:28 -!- DrPepper [~DrPepper@88.207.188.176] has joined ##openvpn
04:28 < raw_> iam using push "redirect-gateway def1" to route all traffic, but i want some ips excluded
04:39 -!- zorzar [~zz@p4FFD191B.dip.t-dialin.net] has quit [Read error: Operation timed out]
04:48 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
04:54 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
05:04 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 245 seconds]
05:16 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Read error: Connection reset by peer]
05:19 -!- elnovicio [~Phoenix_S@SCZ-190-104-6-00227.wimaxtigo.bo] has joined ##openvpn
05:19 < elnovicio> help SOS
05:19 < elnovicio> ./openvpn: error while loading shared libraries: libssl.so.0.9.8: cannot open shared object file: No such file or directory
05:23 < jmm> hehe help SOS , funny :)
05:30 < mwheeler> elnovicio: stab in the dark, do you have ssl libaries installed?
05:31 < elnovicio> yeah, openssl
05:32 < mwheeler> do "locate libssl"
05:32 < elnovicio> /lib64/libssl.so.0.9.8e
05:33 < elnovicio> it shows there
05:33 < elnovicio> I've installed openvpn rpm from the website, over centos 5
05:33 < mwheeler> ln -s /lib64/libssl.so.0.9.8e /lib64/libssl.so.0.9.8
05:34 < mwheeler> a bit dodgy, but usually works
05:35 < elnovicio> ./openvpn: error while loading shared libraries: libcrypto.so.0.9.8: cannot open shared object file: No such file or directory
05:35 < mwheeler> I suppose you could try the same trick
05:36 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:36 < mwheeler> elnovicio: centos doesn't have a package system that you could use to install it from?
05:37 < elnovicio> mwheeler: seems no
05:37 < mwheeler> ah
05:37 < elnovicio> not showing anything using: yum search openvpn
05:38 < mwheeler> Just try making those symlinks then
05:38 < elnovicio> yeah, i suppose
05:38 < elnovicio> thanks bro
05:38 < mwheeler> No worries
05:39 < mwheeler> I imangine it's due to you being on a 64bit system
05:40 -!- elnovicio is now known as elnovato
05:40 -!- elnovato is now known as elnovatillo
05:40 -!- elnovatillo is now known as elnovato
05:40 -!- elnovato is now known as elnovatillo
05:53 -!- SkyTIME [~SkyB0x@193.2.72.254] has quit []
05:53 -!- ribasushi [~rabbit@ip-109-91-187-9.unitymediagroup.de] has quit [Ping timeout: 240 seconds]
06:08 -!- ribasushi [~rabbit@ip-109-91-187-9.unitymediagroup.de] has joined ##openvpn
06:29 -!- elnovatillo [~Phoenix_S@SCZ-190-104-6-00227.wimaxtigo.bo] has quit [Ping timeout: 260 seconds]
06:32 < dazo> FYI: openvpn-2.1.1-2.el5 should be available in default CentOS repositories
06:33 < dazo> (Checked on CentOS 5.4)
06:33  * mwheeler shruges
06:33 < dazo> ahh ... via EPEL, that is
06:34  * dazo forgot epel was enabled
06:34 < mwheeler> <- never used centos
06:35 < dazo> mwheeler: never too late ;-)
06:36 < mwheeler> nope
06:36 < mwheeler> too late
06:36 < mwheeler> just rebuilt 3 of my servers and desktop
06:36 < mwheeler> All picked for differnt reasons, freebsd, debian and gentoo
06:36 < mwheeler> odly enough, gentoo for my desktop :P
06:39 < dazo> heh :)
06:40  * dazo has had his doze of Gentoo on the server side ... will probably move to CentOS 6 when that comes
06:43 < mwheeler> <3 Gentoo and FreeBSD
06:43  * cpm isn't smart enough for gentoo
06:45 < mwheeler> It's simple :P
06:45 < mwheeler> after a few goes
06:52 < dazo> Gentoo isn't bad ... it just takes a lot more effort to keep up-to-date, especially if you go for the hardened versions ... and it's not so easy to control in a centralised manner
06:53  * dazo is just waiting for Spacewalk to complete the PostgreSQL integration ...
07:06 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
07:30 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
07:52 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
07:52 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:53 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Quit: Távozom]
08:03 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has joined ##openvpn
08:20 -!- IceD^ [~iced@live.bn.by] has joined ##openvpn
08:20 < IceD^> hello
08:20 < IceD^> having problem with my ovpn
08:21 < IceD^> under heavy (well, wget with 500kb/s) load it works 30seconds .. 10 mins (can't predict)
08:22 < IceD^> and... turns into zombie or something
08:22 < IceD^> connection is alive, but no data received
08:23 < IceD^> when running with verb 5 I see endless rWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrW
08:23 < IceD^> when it happens
08:24 < IceD^> it's tun / tcp / comp-lzo 
08:27 -!- corretico__ [~laguilar@201.201.46.106] has quit [Quit: Leaving]
08:27 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
08:41 < krzie> !tcp
08:41 < vpnHelper> krzie: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
08:41 < krzie> sounds normal
08:44 -!- IceD^ [~iced@live.bn.by] has quit [Ping timeout: 246 seconds]
08:45 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has quit [Ping timeout: 240 seconds]
08:56 -!- IceD^ [~iced@live.bn.by] has joined ##openvpn
09:04 -!- IceD^ [~iced@live.bn.by] has quit [Ping timeout: 265 seconds]
09:04 -!- IceD^ [~iced@live.bn.by] has joined ##openvpn
09:09 -!- IceD^ [~iced@live.bn.by] has quit [Ping timeout: 258 seconds]
09:12 -!- d12fk [~heiko@vpn.astaro.de] has quit [Remote host closed the connection]
09:13 -!- d12fk [~heiko@vpn.astaro.de] has joined ##openvpn
09:14 -!- IceD^ [~iced@live.bn.by] has joined ##openvpn
09:16 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
09:17 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
09:18 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
09:19 -!- IceD^ [~iced@live.bn.by] has quit [Ping timeout: 264 seconds]
09:22 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
09:22 -!- IceD^ [~iced@live.bn.by] has joined ##openvpn
09:26 -!- IceD^ [~iced@live.bn.by] has quit [Ping timeout: 240 seconds]
09:27 -!- IceD^ [~iced@live.bn.by] has joined ##openvpn
09:32 -!- IceD^ [~iced@live.bn.by] has quit [Ping timeout: 265 seconds]
09:32 -!- daharon [~con@173-11-102-86-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
09:35 -!- IceD^ [~iced@live.bn.by] has joined ##openvpn
09:36 < daharon> Hey guys, I have a little problem.  I have an openvpn server that was moved from a physical to virtual machine.  Now, I can sign in to the vpn server and ssh into it.  But I have no access to the rest of the remote network...
09:37 < daharon> Is it my firewall :)  ?
09:38 -!- dxtr [dxtr@unaffiliated/dxtr] has joined ##openvpn
09:39 < dxtr> Hey guys
09:39 -!- IceD^ [~iced@live.bn.by] has quit [Ping timeout: 260 seconds]
09:40 < dxtr> I'm using OpenVPN 2.1.1 amd64-portbld-freebsd8.0 and I am getting Assertion failed at crypto.c:1713 when I'm using http://nopaste.snit.ch/20514
09:44 < dxtr> How come?
09:51 -!- IceD^ [~iced@live.bn.by] has joined ##openvpn
09:52 < IceD^> !tcp
09:52 < vpnHelper> IceD^: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
09:52 < dazo> dxtr: good question!  Can you please try another cipher?
09:53 < dxtr> dazo: I tried AES-256-CBC and AES-256-CFB8 (As shown in openvpn --show-ciphers)
09:53 < dazo> daharon: firewall, enable ip_forward and routing are covering 99.999% of all support cases .... so try debugging with tcpdump or wireshark 
09:53 < dazo> dxtr: and you get the same assertion?
09:54 < dxtr> Yep
09:54 < dazo> dxtr: which openssl version do you use?
09:54 < dxtr> And even with BF-CBC
09:55 < dxtr> dexter@bowser:~ $ openssl version
09:55 < dxtr> OpenSSL 0.9.8k 25 Mar 2009
09:55 < daharon> dazo, ip_forward is 1.  I'm using bridging.
09:55 < dxtr> I'm updating it now :)
09:56 -!- IceD^ [~iced@live.bn.by] has quit [Read error: Connection reset by peer]
09:56 -!- IceD^^ [~iced@live.bn.by] has joined ##openvpn
09:56 < dxtr> Err
09:56 < IceD^^> well - you see how it sucks
09:56 < dazo> dxtr: 0.9.8k should be safe .... which distro?
09:56 < dxtr> dazo: FreeBDS
09:56 < dxtr> FreeBSD*
09:56 < dazo> gah
09:56 < IceD^^> probably I should tweak MTU?
09:56  * dazo forgot
09:57 < dxtr> amd64 :)
09:57 < krzee> IceD^^, try udp
09:57 < dxtr> I'm saying it isn't user error though
09:57 < IceD^^> can't ;]
09:57 < dazo> dxtr: this assertion happens because it gets an unexpected result (either more data or too little) when doing some PRNG work
09:57 < IceD^^> I know it works perfectly with upd
09:57 < IceD^^> upd
09:57 < IceD^^> udp fsck it
09:57 < dxtr> dazo: can't it just toss some of it then? Or just loop and get some more? :D
09:57 < IceD^^> but in this case I stuck with tcp over tcp
09:58 < dazo> dxtr: it's not a user error, that's seems pretty clear to me
09:58 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
09:58 -!- MadTBone [~MadTBone@160.39.238.196] has joined ##openvpn
09:58 < dazo> dxtr: heh .... you dare to try a hack like debian did with openssl some years ago? :-P
09:58 < dxtr> I'm calling shenanigans!
09:58 < dxtr> :D
09:58 < dxtr> Yeah, I heard about that
09:58 < theDoc> Anyone might have a good guide on port triggering for iptables?
09:59 < dazo> dxtr: the challenge with your bug (I'm presuming it is a bug) ... is that this is difficult to reproduce on other boxes ... and there are quite some FreeBSD users as well ... and I'm pretty sure they run a pretty similar setup as you (software wise)
10:00 < dxtr> dazo: Are you a developer?
10:00 < dazo> dxtr: so I'd investigate your PRNG setup in general
10:00 < dazo> dazo: I'm maintaining the openvpn-testing.git tree
10:00 < dxtr> Ah, right
10:00 < krzee> im a fbsd user
10:01 < krzee> ecrist is as well
10:01 < dazo> krzee: running openssl 0.9.8k with openvpn 2.1.1? 64bit?
10:02 < IceD^^> I do not care about speed much
10:02 < dxtr> Is it normal to get openssl 0.9.8k when I've actually installed 1.0.0?:P
10:02 < IceD^^> I can afford like 30-40% of bandwith loss
10:02 < IceD^^> but I really need to make it stable
10:02 < krzee> OpenSSL 0.9.7e-p1 25 Oct 2004
10:02 < IceD^^> _or_ reconnect on such problem within <1s
10:02 < dxtr> IceD^^: How isn't udp stable?
10:02 < krzee> 2.1.1
10:02 < dazo> dxtr: heh ... as a Linux user I'd say no ... but I'm not sure how the library stuff on freebsd works
10:02 < IceD^^> well
10:02 < krzee> 32bit
10:03 < dxtr> I mean, tunneling tcp over udp 
10:03 < IceD^^> I told two times already
10:03 < IceD^^> this server is with tcp only
10:03 < krzee> RELENG_6
10:03 < IceD^^> not my server
10:03 < dxtr> right
10:03 < IceD^^> I requested three times to switch it to udp
10:03 < dazo> IceD^^: if you want it stable ... don't use tcp ... it's not going to be stable, especially not if you experience packet loss on the connection ... then you'll just trample into troubles ....
10:04 < IceD^^> but no luck and I need to do smth to make tcp over tcp useful
10:04 < theDoc> tcp over tcp?
10:04 < IceD^^> no packet loss
10:04 < theDoc> You're looking at some major potential issues happening.
10:04 < IceD^^> connection to server is fast & stable
10:04 < IceD^^> I know it
10:04 < theDoc> !tcp
10:04 < vpnHelper> theDoc: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
10:04 < dazo> IceD^^: if you can't control the server side ... you're having a challenge :(
10:04 < IceD^^> :)
10:04 < dazo> theDoc: he's got that one definitely 3 times already :-P
10:04 < IceD^^> and I know this as well
10:04 < theDoc> dazo> lmao, ok. ;p
10:04 < IceD^^> ;]
10:05 < IceD^^> and read as well
10:05 < IceD^^> and I know that tcp over tcp is baaaad
10:05 < theDoc> dazo> Remember that port forwarding thing I was trying to pull off? ;)
10:05 < IceD^^> so - will MTU reducing help?
10:05 < dazo> theDoc: not really, tbh ... but if it makes you feel better, I can say yes :-P
10:05 < dazo> IceD^^: MTU needs to be the same on server and client side as well
10:05 < IceD^^> fsck
10:06 < theDoc> dazo> lmao, nevermind on that. I wanted to ask if you had any guides on port triggering for iptables.
10:06 < IceD^^> hmm
10:06 < IceD^^> let me try smth
10:07 -!- IceD^^ [~iced@live.bn.by] has quit [Read error: Connection reset by peer]
10:07 < dazo> theDoc: hmm ... no, can't say I do :( ... not been playing with any triggering at all on ipt ... you want to open up a certain port (or set of ports) when a connection is established on another port?
10:07 -!- IceD^ [~iced@live.bn.by] has joined ##openvpn
10:08 < theDoc> dazo> Pretty much open a certain port if traffic goes out by that port.
10:08 < theDoc> Mainly for torrent use.
10:09 < dazo> figured ... hmm ... I'm sorry, I'm clueless here ... but if you stumble upon something, let me know!  This is interesting things to know!
10:09 < dxtr> Hey, is it possible to bind to both a ipv6 and ipv4 ip?
10:09 < dxtr> Btw, dazo. Got it working :) 
10:10 < dxtr> Just had to recompile it
10:10 < theDoc> dazo> I'm about to test a script out. Something I found online.
10:10 < dazo> dxtr: nice!
10:10 < dazo> dxtr: you're using openvpn-testing.git version?  (or the testing snapshot?)
10:11 < dxtr> I'm actually using stable :p
10:11 < dazo> cron2_: ^^  do you know?  ipv4 and ipv6 simultaneously?  Or is it the same issue as multi-port binding?
10:11 < dazo> dxtr: well, stable cannot do ipv6, afaik
10:11 < dxtr> Ah, right then
10:11 < dazo> (not the stable from openvpn.net ... unless the freebsd ports have patched it)
10:11 < dxtr> I wonder if openvpn-devel is from the git repository
10:11 < dazo> yes it is
10:12 < dazo> that's based on the allmerged branch with all the nice goodies :)
10:12 < dxtr> openvpn-201017.tar.gz
10:12 < dxtr> Right :)
10:12 < dxtr> I'll go with that then
10:13 < dazo> 201019.tar.gz is available now too ... but ecrist might not have pushed that one out to the ports system
10:13 < dxtr> I'll update it whenever there is one :)
10:13 < dazo> :)
10:13 < dxtr> So what new features am I looking at?
10:14 < dazo> dxtr: I know ecrist don't have time to update every week ... but I think he tries something around every 2-4 week or so
10:14 < dxtr> right
10:15 < dazo> dxtr: you'll get IPv6 payload (IPv6 inside the tunnel) and IPv6 transport (listen to IPv6 interfaces) ... and quite some bugfixes and minor enhancements
10:15 < dxtr> Cool
10:15 < dazo> but the IPv6 stuff is the biggest change
10:16 -!- IceD^ [~iced@live.bn.by] has quit [Quit: Leaving]
10:16 -!- kyrix [~ashley@194.48.133.8] has joined ##openvpn
10:17 < dxtr> But I can't really listen on v6 and v4 simultaneously?
10:18 < dazo> dxtr: I don't think so ... cron2_ has done a lot of the IPv6 coding, so he knows for sure ... but if I remember the code well enough, that's not doable right now
10:18 -!- IceD^ [~iced@live.bn.by] has joined ##openvpn
10:19 < IceD^> hmm
10:19 < IceD^> I set keepalive 2 4
10:19 < dxtr> dazo: Right :)
10:19 < IceD^> hope this will help
10:20 < dazo> dxtr: but please keep us updated how the -devel version works for you! ... we're in need of feedback from people who test it ... that will make the openvpn-testing.git stuff go quicker into a stable release
10:20 < theDoc> Interesting.
10:20 < theDoc> Anyone has a sandboxed shell I could borrow? ;p
10:22 < dazo> dxtr: http://fpaste.org/0VhU/ ... a short changelog with changes since OpenVPN v2.1.1 
10:23 < dazo> theDoc: do you got sf.net account? :-P
10:23 < theDoc> No, I don't have a sf account.
10:23 < dazo> (those shells might be too restricted though)
10:23 < theDoc> I need to compile something and test iptables.
10:23 < theDoc> That's all.
10:26 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
10:35 < dxtr> dazo: sure will
10:36 < dazo> dxtr: thx! :)
10:36 < dxtr> So... How do I push an IP from the pool to a client?
10:36 < theDoc> dxtr> ccd.
10:36 < dxtr> Right
10:36  * theDoc grumbles.
10:36 < theDoc> Need new monitor.
10:36 < krzee> !static
10:36 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
10:37 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
10:37 < dxtr> !ccd
10:37 < vpnHelper> dxtr: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
10:38 < dxtr> theDoc: But I want it to get a random IP from the pool. Much like a dhcp server. Isn't that possible?
10:38 < dxtr> I've got a feeling I've done it before
10:40 < dxtr> zerg/X:51540 MULTI_sva: pool returned IPv4=10.9.8.6, IPv6=1::1800:0:800:0 <- Shouldn't I be able to push 10.9.8.6 to the client?
10:40 < theDoc> dxtr> You just specify a server pool? :) (I think that's what it is called)
10:40 -!- daharon [~con@173-11-102-86-SFBA.hfc.comcastbusiness.net] has quit []
10:42 < dxtr> Yeah I did but the client dont' get an IP
10:42 < theDoc> What is it getting?
10:45 < krzee> you using IPP?
10:45 < dxtr> yep
10:45 < krzee> !ipp
10:45 < vpnHelper> krzee: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
10:45 < krzee> try losing that, and using !static instead
10:46 < dxtr> server 10.9.8.0 255.255.255.240
10:46 < dxtr> or is that bad? :P
10:46 < krzee> why such a small pool?
10:46 < dxtr> Because of awesomeness
10:46 < dxtr> Why not?
10:46 < krzee> how many clients will you have?
10:46 < theDoc> .240, only 16 ips usable?
10:46 < dxtr> like.. 2-3
10:46 < dxtr> 2-4*
10:47 < dxtr> theDoc: That is 10 more than I need
10:47 < krzee> erm no
10:47 < dxtr> So I thought it would be enough
10:47 < theDoc> !30
10:47 < vpnHelper> theDoc: Error: "30" is not a valid command.
10:47 < theDoc> Hrm?
10:47 < krzee> !/30
10:47 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
10:47 < dxtr> Oh damn, yeah right :P
10:47 < dxtr> but it should still be enough for one?
10:47 < krzee> yup
10:47 < krzee> !static
10:47 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
10:47 < dxtr> But I don't want a static IP :/
10:48 < krzee> i thought thats what you were asking
10:48 < krzee> [08:39]  <dxtr> So... How do I push an IP from the pool to a client?
10:48 < dxtr> No, I want the client to automagically get an IP from the pool
10:48 < dxtr> I thought it was possible
10:48 < theDoc> I think dxtr means his client isn't getting an ip address at all after connecting.
10:49 < theDoc> Nothing to do with static addressing or anything.
10:49 < krzee> is that what you mean dxtr?
10:49 < dxtr> Yeah
10:49 < krzee> !logs
10:49 < vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
10:50 < krzee> the client is starting as root, right?
10:50 < dxtr> yeah
10:52 -!- IceD^ [~iced@live.bn.by] has quit [Ping timeout: 265 seconds]
10:53 -!- IceD^ [~iced@live.bn.by] has joined ##openvpn
10:54 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
10:54 < dxtr> http://nopaste.snit.ch/20515
10:54 < dxtr> There you go
10:54 < dxtr> Logs
10:55 < krzee> you still have IPP?
10:55 < krzee> on May 10 17:51:36 2010 IFCONFIG POOL LIST
10:55 < krzee> Mon May 10 17:51:36 2010 zerg,10.9.8.4
10:55 < dxtr> Yeah
10:56 < krzee> looks like the client is given the IP .6 based on IPP
10:56 < krzee> verb 5 on client...?
10:57 -!- IceD^ [~iced@live.bn.by] has quit [Ping timeout: 248 seconds]
10:58 < dxtr> Oh yeah. I think I got it :P
10:58 < dxtr> (By using verb 5! Yay!)
10:58 -!- IceD^ [~iced@live.bn.by] has joined ##openvpn
10:58 < krzee> what was it?
10:58 < dxtr> I forgot pull
10:58 < krzee> oh
10:58 < dxtr> :D
10:58 < krzee> you can use --client
10:58 < krzee> !--
10:58 < vpnHelper> krzee: "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file.
10:59 < krzee> also, feel free to make configs with my configuration generator and to give me feedback on it ;]
10:59 < krzee> !confgen
10:59 < vpnHelper> krzee: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
10:59 < dxtr> hehe
11:01 -!- Bloodsong [~Nimbus@ip-66-159-116-60.dsl.csolve.net] has joined ##openvpn
11:07 -!- WormFood [~wormfood@121.15.47.188] has quit [Ping timeout: 260 seconds]
11:17 -!- WormFood [~wormfood@58.60.222.110] has joined ##openvpn
11:26 -!- Bloodsong [~Nimbus@ip-66-159-116-60.dsl.csolve.net] has quit [Ping timeout: 246 seconds]
11:31 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 246 seconds]
11:40 -!- Netsplit *.net <-> *.split quits: WormFood
11:40 -!- Hypnoz [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:46 < dxtr> Now I've just got to get nat working
11:46 < dxtr> For some reason it won't work :P
11:46 < krzee> which os?
11:47 -!- dazo is now known as dazo_afk
11:47 < dxtr> freebsd
11:47 -!- WormFood [~wormfood@58.60.222.110] has joined ##openvpn
11:49 < krzee> !fbsdnat
11:50 < vpnHelper> krzee: "fbsdnat" is see http://cavanantha.wordpress.com/2007/09/16/nat-on-freebsd-using-pf/ for a basic howto for NAT on FreeBSD
11:50 < krzee> ahh unfortunately we dont have the 1-liner for freebsd in there
11:52 < dxtr> Yeah, well, I've added the correct NAT rule to pf.conf (and set net.inet.ip.forward to 1
11:52 < dxtr> )
11:53 < krzee> i guess when you get it working kick down the nat rule =]
11:53 < krzee> did you also make sure you are allowing the vpn subnet in pf.conf?
11:53 < krzee> or blindly allow * over vpn interface...
11:54 < dxtr> pass quick in from tun0
11:54 < dxtr> But that works. I can ping the openvpn server
11:54  * ecrist sits in Detroit
11:54 < dxtr> So that's no problem. But the problem is when I wanna connect to the world through openvpn
11:54 < ecrist> I died a little inside when I landed.
11:55 < dxtr> ecrist: Sweden here ;)
11:55 < ecrist> I'll be in Ottawa in 4 hours
11:55 -!- IceD^ [~iced@live.bn.by] has quit [Ping timeout: 246 seconds]
11:55 < dxtr> krzee: "nat on em0 from 10/8 to any -> dxtr.cc" <- That's my nat rule
11:56 < krzee> you can NAT to a hostname!?
11:56 < ecrist> krzee: you can with pf
11:56 < krzee> cool
11:57 < krzee> i havnt done NAT in fbsd for yrs, last time i did was with ipf
11:57 < ecrist> pf resolves the hostname upon reload
11:57 -!- bigpaws [~bigpaws@plns-208-111-227-160-pppoe.dsl.plns.epix.net] has joined ##openvpn
11:57 < ecrist> it won't follow a DNS change without a manual reload, though.
11:57 < krzee> the corresponding IP is on a local interface, right?
11:57 < dxtr> yep
11:58 < krzee> tried dumping packets to see whats going on?
11:58 < ecrist> krzee: yes
11:58 < dxtr> Actually I didn't
11:59 < krzee> see if that sheds any light
11:59 < krzee> ecrist, ya detroit kinda blows
11:59 < ecrist> fortunately, I'll be leaving in 1.5 hours
11:59 < ecrist> :)
11:59 < krzee> ecrist, where is bsdcan?
11:59  * ecrist shoves panini in mouth and logs.
11:59 < krzee> vancouver?
11:59 < ecrist> Ottawa, ON
11:59 < krzee> oh cool
11:59 < krzee> how far from toronto is that?
11:59 < krzee> good partying in toronto!
11:59 < ecrist> long ways
12:00 < ecrist> Ottawa is north of NY state
12:00 < ecrist> isn't toronta on the west coast?
12:00 < dxtr> http://nopaste.snit.ch/20516 <- The first part is when I ping the openvpn server
12:00 < krzee> nope
12:00 < dxtr> The second part when I ping ping.sunet.se
12:00 < krzee> its just north of niagra falls, maybe 45 minutes
12:01 < krzee> (by car)
12:01 < krzee> i drove to toronto from new york
12:01 < krzee> its in ontario, BC is west coast
12:02 < krzee> (ie: vancouver)
12:02 < ecrist> I'll be hanging with the guys from iX Systems, so wherever they want to party.
12:03 < dxtr> krzee: The packets even make it to em0
12:03 < dxtr> And then... stop! :P
12:03 < krzee> ill be getting my iv-XX on
12:03 < ecrist> I'm out - later.
12:04 < krzee> dxtr, sounds like they are being forwarded, then blocked by the firewall
12:04 < krzee> later ecrist 
12:04 < krzee> dxtr, when they get to em0, do they have the NAT rule applied?
12:04 < dxtr> krzee: Yeah
12:05 < krzee> dxtr, is your server on a LAN with 1918 ips?
12:05 < dxtr> My server isn't on a LAN at all
12:05 < dxtr> So no
12:05 < krzee> gotchya
12:05 < krzee> do you run the router it uses?
12:06 < dxtr> Nope
12:06 < krzee> can you try to hit a server through the vpn and see if the server sees any packets come in?
12:07 < krzee> (to verify the problem is sending packets out and not receiving them back)
12:08 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 240 seconds]
12:08 < dxtr> hit a server? :P
12:09 < krzee> like ping another server you own through the vpn while dumping
12:09 < dxtr> Oh hold on a minuter
12:09 < dxtr> minute*
12:09 < krzee> see if that server sees it
12:09 < dxtr> I'll just try one thing
12:09 < dxtr> I might know what it is
12:09 < dxtr> Silly me
12:12 < krzee> firewall, right?
12:12 < dxtr> Yep
12:12 < dxtr> Well, yeah, I know pf is the problem :P
12:12 < krzee> keep-state related?
12:12 < dxtr> I knew that from the beginning
12:12 < dxtr> But.. I'm only passing on traffic on the interface to specific IPs (That I have assigned to that interface)
12:13 < dxtr> I'm not allowing any inbound traffic destined to 10.9.8.0/24 :P
12:13 < dxtr> could that be the problem?
12:13 < krzee> returning traffic from inet machines?
12:13 < dxtr> Yeah.. Or wait, should it save those states when natting right?
12:14 < krzee> are you using keep-state rules to keep track of what to allow back?
12:14 < krzee> and denying the rest...?
12:14 < krzee> try disabling the blocking rules 1 by 1 till you find the offender
12:14 < krzee> if you block based on state, thats a good place to start
12:15 < krzee> if you are allowing stuff out through NAT without keeping state, but keeping state on other stuff, then blocking stuff without state kept, would make sense to not work
12:15 < krzee> (if that made any sense... i know it may not have sounded coherent)
12:16 < dxtr> Hehe
12:16 < dxtr> Well, I'm basically blocking everything in as default
12:17 < dxtr> by*
12:17 < krzee> and allowing things that are returning, based on keep-state when they left, right?
12:17 < dxtr> Yeah
12:17 < dxtr> That's what pf do :P
12:17 < krzee> but not keeping state on the stuff you let out via NAT...?
12:18 < krzee> if so, the test i asked you to do will show it
12:18 < krzee> (pinging a machine you control on the inet, through the VPN)
12:19 < dxtr> Oh yeah, right
12:19 < krzee> if its what i said, the ping will get to the machine, with ip of your vpn server (external ip), and reply, but server wont allow the reply
12:21 < dxtr> I don't get anything on the other machine I'm pinging
12:22 < krzee> stop block things in the firewall
12:23 < krzee> then test
12:23 < krzee> if that works, work it out from there
12:23 < krzee> adding back blocks with log rules, see whats going on in there
12:24 < dxtr> I've got two block rules..
12:24 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
12:24 < krzee> then you know what to get rid of for testing
12:24 < krzee> make them allow for testing :-p
12:25 < krzee> then work it out from there
12:25 < dxtr> Well, didn't work
12:25 < krzee> but they get to em0 with NAT already applied?
12:26 < dxtr> Yep
12:26 < krzee> that tcpdump i saw in pastebin showed src ip 10.9.8.6
12:26 < krzee> that was in tun dev?
12:26 < dxtr> Yep
12:27 < krzee> show me in em0
12:27 < krzee> should have src ip dxtr.cc and dst ip ping.sunet.se
12:27 < krzee> i guess i dont need to see, if the above is true
12:28 < dxtr> http://nopaste.snit.ch/20517
12:29 < krzee> seems your NAT rule isnt being hit
12:29 < dxtr> That's weird
12:30 < krzee> do you see the counter on that rule going up?
12:30 < krzee> something before it could be using a quick rule?
12:32 < dxtr> There
12:32 < dxtr> PMed you my rules :)
12:37 < krzee> # VPN Interface
12:37 < krzee> <code>vpn_if="tun0"
12:37 < krzee> # VPN Network
12:37 < krzee> <code>vpn_network="10.8.0.0/24"
12:37 < krzee> # NAT the VPN connections (for access to the remote secure networks)
12:37 < krzee> nat on $ext_if from $vpn_network to any -&gt; ($ext_if)
12:37 < krzee> # VPN connections inbound
12:37 < krzee> pass in on $ext_if proto udp from any to port 1194 keep state
12:37 < krzee> pass quick on $vpn_if
12:41 < dxtr> and...?
12:42 < dxtr> krzee?
12:47 -!- kyrix [~ashley@194.48.133.8] has quit [Quit: Leaving]
12:56 -!- bigpaws [~bigpaws@plns-208-111-227-160-pppoe.dsl.plns.epix.net] has quit [Ping timeout: 252 seconds]
13:03 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
13:59 -!- SkyTIME [~SkyB0x@212.235.177.25] has joined ##openvpn
14:07 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
14:07 < kraut> hi
14:07 < kraut> is there an option on client-side to use the vpn tunnel as default gateway?
14:07 < krzee> !def1
14:07 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
14:07 < kraut> i don't want to use push "redirect-gateway" on server-side, because ....
14:07 < krzee> moinmoin kraut 
14:07 < krzee> you dont need to push it
14:08 < krzee> just put it in client config
14:08 < krzee> !push
14:08 < vpnHelper> krzee: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
14:08 < krzee> anything you can push, can be put in client config without "push"
14:08 < kraut> oO
14:08 < kraut> krzee: so what's the exact flag in the config on the clientside?
14:08 < kraut> def1?
14:08 < krzee> redirect-gateway def1
14:09 < kraut> aaaah, ok
14:09 < krzee> def1 being optional, but usually desired
14:09 < kraut> hmm, what's def1 on windows für "LAN-Verbindung 2"?
14:09 < kraut> ok
14:09 < krzee> with def1 when you disconnect you still have a route to the internet
14:09 < krzee> without it, you wont
14:09 < kraut> ok, and what's the name-specification on windows?
14:10 < kraut> <- windows noob
14:10 < krzee> name specification??
14:10 < kraut> what's def1 called, if ipconfig says "LAN-Verbindung 2"?
14:10 < krzee> i dont understand
14:10 < kraut> Ethernetadapter Drahtlose Netzwerkverbindung 2:
14:10 < kraut> for example
14:10 < krzee> you just put redirect-gateway def1 in the config
14:10 < kraut> is that the device name?
14:11 < krzee> i dont speak the german
14:11 < kraut> aaaah
14:11 < krzee> you shouldnt need the device name
14:11 < kraut> "def1" as a syntax, not a variable for my interface
14:11 < kraut> sorry, i was dumb
14:11 < kraut> thanks
14:11 < krzee> def1 is a flag to --redirect-gateway
14:11 < krzee> no problem
14:32 -!- phrag [~phrag@about/slackware/phrag] has left ##openvpn []
14:36 -!- bigpaws [~bigpaws@clsm-74-47-87-136-pppoe.dsl.clsm.epix.net] has joined ##openvpn
14:50 -!- igrowstuff [~igrowstuf@94.197.138.122.threembb.co.uk] has joined ##openvpn
14:52 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:56 -!- barefoot [~magic@41.123.129.33] has joined ##openvpn
14:58 < krzee> dxtr, those were rules that worked for someone else
14:58 < krzee> http://www.ubergeek.co.uk/blog/2008/05/openvpn-freebsd-pf-windows-howto/
14:59 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 268 seconds]
15:01 < dxtr> Yeah I know
15:05 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Quit: Leaving]
15:07 -!- daguz [~leo@208-1-63-34.celito.net] has left ##openvpn []
15:08 -!- Knio [~Knio@174.0.88.23] has joined ##openvpn
15:14 -!- igrowstuff [~igrowstuf@94.197.138.122.threembb.co.uk] has quit [Quit: igrowstuff]
15:17 -!- SkyTIME [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
15:18 -!- barefoot [~magic@41.123.129.33] has quit []
15:19 -!- magic_1 [~magic@41.123.129.33] has joined ##openvpn
15:19 -!- magic_1 [~magic@41.123.129.33] has quit [Changing host]
15:19 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
15:22 < Knio> how do you build openvpn on windows?
15:24 < krzee> you wanna rebuild it so you can enable reading passwords from files?
15:25 < Knio> found it
15:26 < krzee> otherwise theres not much reason to rebuild for windows
15:26 < Knio> no, I just wanted to play around with stuff
15:26 < krzee> ahh
15:26 < krzee> if it was to repackage with certs and all, see this
15:26 < krzee> !win_rollup
15:26 < vpnHelper> krzee: "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
15:26 < Knio> thanks
15:27 < krzee> yw
15:36 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 246 seconds]
15:38 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
15:52 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
15:58 -!- takamichi [~pri@78.133.92.164] has quit [Ping timeout: 260 seconds]
15:58 -!- takamichi [~pri@78.133.92.164] has joined ##openvpn
16:00 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 260 seconds]
16:09 -!- bigpaws [~bigpaws@clsm-74-47-87-136-pppoe.dsl.clsm.epix.net] has quit [Ping timeout: 276 seconds]
16:12 -!- bigpaws [~bigpaws@clsm-74-47-87-136-pppoe.dsl.clsm.epix.net] has joined ##openvpn
16:18  * ecrist unpoofs from Ottawa
16:20 -!- bigpaws [~bigpaws@clsm-74-47-87-136-pppoe.dsl.clsm.epix.net] has quit [Ping timeout: 264 seconds]
16:31 -!- houkouonchi-home [~linux@99-10-165-54.lightspeed.irvnca.sbcglobal.net] has joined ##openvpn
16:31 < houkouonchi-home> anyone know why i wouldn
16:31 < houkouonchi-home> t whups
16:32 < houkouonchi-home> anyone know why I wouldn't be able to ping two machines that are connected with openvpn (initialization sequence completed on client) but i cant ping or do anything
16:33 < houkouonchi-home> pinging does show the RX go up as the TX goes up on the other machine though
16:34 -!- stealth- [~stealth@unaffiliated/stealth-] has joined ##openvpn
16:34 < stealth-> I set up a openvpn solution according to the tutorial, but I accidently lost all the client files for a client (laptop was erased). How can I rebuild him another certificate?
16:35 < stealth-> (Without having to restart from the beginning and causing a bunch of trouble for already working clients, preferably)
16:43 -!- houkouonchi-home [~linux@99-10-165-54.lightspeed.irvnca.sbcglobal.net] has left ##openvpn ["Client exiting"]
16:50 -!- stealth- [~stealth@unaffiliated/stealth-] has left ##openvpn ["Peace."]
16:55 < krzee> haha
16:55 < krzee> always funny when people are so impatient
17:03 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit []
17:04 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
17:21 < mwheeler> agreed krzee 
17:30 -!- houkouonchi-home [~linux@99-10-165-54.lightspeed.irvnca.sbcglobal.net] has joined ##openvpn
17:38 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
17:43 < krzee> mwheeler... you arent a regular on the qmail mail list are you...?
17:45 < mwheeler> Nope
17:45 < krzee> werd
17:47 < mwheeler> Off to work
17:47 < mwheeler> I like money
17:50 < krzee> yup im @ work right now
17:50 < krzee> playing with automaticly generating bar graphs from data that shell scripts generate from hitting a db and doing a ton of math
18:04 < houkouonchi-home> anyone know how to NAT through openvpn? IE treat the opevpn connectio like like a LAN interface and route traffic through it to access the internet?
18:10 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 248 seconds]
18:19 < houkouonchi-home> I would think that redirect-gateway def1 would do what I want but it only works for a couple of seconds and then my internet connetion dies
18:24 -!- houkouonchi-home [~linux@99-10-165-54.lightspeed.irvnca.sbcglobal.net] has quit [Ping timeout: 276 seconds]
18:37 -!- houkouonchi-home [~linux@box.houkouonchi.jp] has joined ##openvpn
18:47 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
18:54 < krzee> houkouonchi-home, 
18:54 < krzee> !redirect
18:54 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:54 < krzee> as for the NAT part, openvpn doesnt do that, your OS does
18:54 < krzee> !nat
18:54 < vpnHelper> krzee: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
18:58 -!- propagandhi [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has joined ##openvpn
19:04 < houkouonchi-home> krzee: I think I got it working except for the fact that port forwarding from a WAN interface on the VPN server to a LAN IP (via the VPN) shows the connetion comming from VPN servers VPN IP instead of the clients actual IP
19:04 < krzee> and it should
19:04 < houkouonchi-home> I am trying to use a VPN connection instead of a physical link between a server and have the VPN server also act as a router. on my machines usually when I do port forwarding the conneting IP is the normal WAN IP and not my routers LAN IP
19:05 < houkouonchi-home> so I am not sure why this is acting differently
19:05 < krzee> its not
19:05 < krzee> its showing the src ip in both situations
19:06 < krzee> you seem to expect openvpn to NAT, but it doesnt and shouldnt
19:06 < houkouonchi-home> well when I test it with the VPN I am seeing the connection from 192.168.168.1 (my VPN servers VPN IP) instead of the WAN IP
19:06 < krzee> whats your goal?
19:06 < houkouonchi-home> ok basically I ther eare two machines hooked up to the internet
19:07 < houkouonchi-home> I want one to route traffic through the other so the other one acts as a router just like a normal router would with NAT
19:07 < houkouonchi-home> and forward specific ports to the machine behind the 'router'
19:07 < krzee> its basic NAT you need
19:07 < krzee> which is dont outside of openvpn
19:07 < krzee> what is the server OS?
19:07 < houkouonchi-home> well yeah I got that I am using iptables
19:08 < krzee> look at it this way, your VPN is a lan behind the server, treat it as such
19:08 < houkouonchi-home> and I got the port forwarding working with iptables except that in the access.log on the server behind the NAT (vpn link) it shows the VPN connections IP instead of the IP of the actual client making the request
19:08 < krzee> !linnat
19:08 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
19:08 < krzee> well no shit
19:08 < krzee> its connecting over the vpn, it uses its vpn ip as the source
19:09 < krzee> until it hits a NAT rule and gets a new src ip
19:09 < houkouonchi-home> Is there anyway to get around that or not have the VPN do any actual routing. I really want it to just be treated like any other LINK/interface as if it was a regular NIC
19:09 < krzee> it is treated as a interface, but that interface uses a different subnet
19:10 < houkouonchi-home> well I am trying to make it similar to a normal linux router box, IE wan connection on ETH0, LAN connection on ETH1, different subnets etc..
19:10 < houkouonchi-home> except LAN connection = tun0, wan connection = eth1, etc...
19:10 < krzee> if you had a ethernet adapter hooked to a switch, and the machines on that switch used 10.8.1.0 (example of vpn subnet), then theyd use 10.8.1.x as their src ip
19:10 < krzee> thats EXACTLY how its being treated
19:11 < krzee> when a machine on ETH1 communicates, why would it use a source IP different than what its subnet is on ETH1?
19:11 < krzee> you are expecting something that never happens in any situations
19:11 < krzee> this has NOTHING to do with openvpn ;]
19:12 < houkouonchi-home> well lets say on my router box I forward port 22 on 50.50.50.50 (WAN IP on eth1) to 192.168.168.2  port 22 (LAN IP on eth0). An external WAN IP IE: 70.70.70.70 connets to 50.50.50.50 on port 22.. well the LAN machine (192.168.168.2) in this case would actually see the connection comming from 70.70.70.70
19:12 < houkouonchi-home> no VPN at all in this situation
19:12 < krzee> right, because that is its source IP
19:13 < krzee> keep going
19:13 < houkouonchi-home> well when I am using a VPN, IE...
19:13 < krzee> to the vpn server, the vpn client (when sending traffic over the vpn) has an IP inside the vpn subnet
19:13 < houkouonchi-home> 50.50.50.50 (WAN IP on eth1) to 192.168.2 port 22 (LAN ip on tun0) and an external IP (wan IP 70.70.70.70) connects the client see the connection comming from 192.168.168.1 (the VPN ip on the server doing the NAT)
19:14 < krzee> your explanation is convoluted
19:14 < krzee> !factoids search outside
19:14 < vpnHelper> krzee: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
19:15 < krzee> can you make something like that or something...?
19:15 < houkouonchi-home> um ok let me try
19:15 < krzee> you could use gliffy.com if you like
19:16 < krzee> tell me this
19:16 < krzee> are you using NAT so your client can reach the internet through the server?
19:16 < houkouonchi-home> basically I am trying to use the VPN interface as a LAN interface in a NAT setup instead of an actual connetion, IE tun0 instead of eth0 and whatnot
19:16 < houkouonchi-home> yes
19:16 < houkouonchi-home> though the VPN
19:17 < krzee> ok that is WAY more simple than you are making it
19:17 < houkouonchi-home> and I need to forward traffic on the WAN IP on the server running the VPN server to forward ti to a VPN client
19:17 < krzee> !linnat
19:17 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
19:18 < houkouonchi-home> I mean it could just be something I am doing with iptables that is not working how I expect
19:18 < krzee> it is
19:18 < krzee> nothing we are talking about is something to do with openvpn
19:18 < krzee> its all about NAT
19:19 < houkouonchi-home> because normally when I forward ports from a WAN IP to a LAN IP then connetions to the WAN IP that are port forwarded to the LAN IP don't show up as the routers LAN IP address (lan machines gateway)
19:20 < krzee> forget about port forwarding at first
19:20 < houkouonchi-home> well that is where I am having the problem
19:20 < krzee> just setup the nat, reach the internet over the vpn
19:20 < houkouonchi-home> already got that
19:20 < krzee> THEN worry about port forwarding
19:20 < houkouonchi-home> I am connecting through the VPN right now
19:20 < krzee> ok
19:21 < rob0> There are two basic types of NAT: SNAT and DNAT.
19:21 < krzee> iirc from reading docs, snat happens before routing, dnat after...?
19:22 < rob0> DNAT, destination NAT: change the packet destination.
19:22 < houkouonchi-home> well the machine running my VPN server
19:22 < houkouonchi-home>  iptables -t nat -A PREROUTING -p tcp --dport 10010 -i bond0 -j DNAT --to 192.168.168.2:443
19:22 < houkouonchi-home> I am running that
19:22 < rob0> SNAT, source NAT: change the packet source.
19:22 < houkouonchi-home> maybe the problem is the SNAT is not working how I would expect
19:23 < rob0> maybe so.
19:23 < houkouonchi-home> since the source IP I am seeing on the connection is 192.168.168.1 instead of the IP of the connecting machine 
19:23 < rob0> and where is this 192.168.168.1
19:23 < houkouonchi-home> that is the ip of tun0 on the server (VPN servers link)
19:24 < houkouonchi-home> vpn client is 192.168.168.2
19:25 -!- STF [~chatzilla@dslb-084-061-177-211.pools.arcor-ip.net] has joined ##openvpn
19:25 -!- STF [~chatzilla@dslb-084-061-177-211.pools.arcor-ip.net] has quit [Client Quit]
19:27 < houkouonchi-home> i guess what I dont understand is if dnat only messes with the destination why is the source IP being listed as different than the original after going through dnat
19:30 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
19:36 < houkouonchi-home> rob0: See what seems odd to me is the exact example in http://security.maruhn.com/iptables-tutorial/x9305.html I use  iptables -t nat -A PREROUTING --dst <wanIP> -p tcp --dport 443 -j DNAT --to-destination 192.168.168.2 and it works except again connections show as comming from 192.168.168.1 instead of the actual sorce IP
19:36 < vpnHelper> Title: DNAT target (at security.maruhn.com)
19:37 < rob0> Sounds like another rule might be doing SNAT/MASQ.
19:38 -!- smerz [~daniel@smerz.demon.nl] has quit [Quit: Ex-Chat]
19:40 < krzee> it is, he has SNAT to hit the internet
19:41 < houkouonchi-home> well I have masquerade rules in postrouting
19:42 < krzee> and?
19:43 < houkouonchi-home> I have 2 SNAT rules but those are for forwards to a completely external host
19:43  * rob0 bets it's not restricted by interface
19:43 < rob0> are you going to show them or not?
19:43 < houkouonchi-home> yeah one sec
19:45 < houkouonchi-home> http://box.houkounchi.jp/nat_iptables.txt
19:46 < houkouonchi-home> that is what my nat table looks like
19:46 < krzee> You tried to access the address http://box.houkounchi.jp/nat_iptables.txt, which is currently unavailable. Please make sure that the Web address (URL) is correctly spelled and punctuated, then try reloading the page.
19:46 < ecrist> sssshhh
19:47 < krzee> passion of the ecrist!
19:47 < rob0> NXDOMAIN
19:47 < houkouonchi-home> http://box.houkouonchi.jp/nat_iptables.txt
19:47 < houkouonchi-home> typo'd
19:47 < rob0> NXDOMAIN
19:47 < rob0> oh nm
19:47 < ecrist> lol
19:48 < ecrist> next time, I shall show up with more money
19:48 -!- ribasushi [~rabbit@ip-109-91-187-9.unitymediagroup.de] has quit [Read error: Operation timed out]
19:48  * krzee assumes you mean show up to canada and not ##openvpn
19:48 < ecrist> I've met half my geek obligation, I shall finish that, then prowl the CA for teh womens.
19:48 < krzee> ;]
19:48  * rob0 wins the bet: 00:43  * rob0 bets it's not restricted by interface
19:52 < krzee> ild ++ you but i know you dont like being rob1
19:53 < rob0> :)
19:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
19:53 -!- ribasushi [~rabbit@ip-109-91-187-9.unitymediagroup.de] has joined ##openvpn
19:54 < rob0> Oh wait, no, it's restricted, but there is one for bond0 and one for tun0.
19:56 < houkouonchi-home> well traffic is being masquerated between bond0 and tun0
19:56 < houkouonchi-home> bond0 being the internet connection and tun0 being the VPN
20:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
20:09 -!- theDoc [~jaki@69.10.59.166] has joined ##openvpn
20:09 -!- theDoc [~jaki@69.10.59.166] has quit [Changing host]
20:09 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:11 -!- houkouonchi-home [~linux@box.houkouonchi.jp] has quit [Quit: Client exiting]
20:13 -!- tjz [~pc@bb116-14-149-52.singnet.com.sg] has joined ##openvpn
20:13 -!- tjz [~pc@bb116-14-149-52.singnet.com.sg] has quit [Changing host]
20:13 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:22 -!- Hypnoz [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Ping timeout: 240 seconds]
21:28 -!- Omancho [~Omancho@ip70-187-165-232.oc.oc.cox.net] has joined ##openvpn
21:30 -!- Omancho is now known as Lilarcor
21:30 -!- astrophy [~astrophy@ip12.208-100-1.static.steadfast.net] has joined ##openvpn
21:48 -!- julius [~julius@217.20.127.15] has quit [Ping timeout: 276 seconds]
21:52 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
21:54 -!- Lilarcor [~Omancho@ip70-187-165-232.oc.oc.cox.net] has quit [Quit: The Lord of Murder Shall Perish.]
21:55 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
22:05 -!- julius [~julius@217.20.127.15] has joined ##openvpn
22:13 -!- julius [~julius@217.20.127.15] has quit [Remote host closed the connection]
22:16 -!- mwheeler [~mwheeler@unaffiliated/theskorm] has quit [Ping timeout: 240 seconds]
22:17 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
22:17 -!- mwheeler [~mwheeler@unaffiliated/theskorm] has joined ##openvpn
22:18 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
22:19 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
22:21 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
22:21 -!- julius [~julius@217.20.127.15] has joined ##openvpn
22:28  * theDoc crosses his fingers.
22:55 -!- pclaven [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has joined ##openvpn
22:58 -!- propagandhi [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has quit [Ping timeout: 246 seconds]
23:50 -!- tseymour [~tiim@96.231.224.135] has joined ##openvpn
23:53 -!- tseymour is now known as t11m
23:53 -!- SilentAnswers [~silentans@94.200.43.132] has joined ##openvpn
23:54 < SilentAnswers> !welcome
23:54 < vpnHelper> SilentAnswers: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:55 < SilentAnswers> Having a few problems with my OpenVPN setup. It connects just fine for about five to ten minutes, then just seems to freeze.
23:57 -!- t11m [~tiim@96.231.224.135] has quit [Quit: leaving]
--- Day changed Tue May 11 2010
00:05 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
00:05 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
00:05 -!- atlantic [~atlantic@hok.duf.hu] has quit [Ping timeout: 245 seconds]
00:08 -!- SilentAnswers [~silentans@94.200.43.132] has quit [Ping timeout: 265 seconds]
00:10 -!- atlantic [~atlantic@hok.duf.hu] has joined ##openvpn
00:15 -!- SilentAnswers [~silentans@ip68-97-226-205.ok.ok.cox.net] has joined ##openvpn
00:28 -!- propagandhi [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has joined ##openvpn
00:29 -!- pclaven [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has quit [Read error: Connection reset by peer]
00:30 -!- SilentAn_ [~silentans@94.200.43.132] has joined ##openvpn
00:31 -!- SilentAnswers [~silentans@ip68-97-226-205.ok.ok.cox.net] has quit [Ping timeout: 240 seconds]
00:36 -!- SilentAn_ [~silentans@94.200.43.132] has quit [Ping timeout: 265 seconds]
00:44 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
01:09 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
01:14 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has quit [Quit: Leaving]
01:15 -!- dazo_afk is now known as dazo
01:24 < dazo> !tcp
01:24 < vpnHelper> dazo: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
01:27 -!- pclaven [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has joined ##openvpn
01:31 -!- propagandhi [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has quit [Ping timeout: 248 seconds]
01:42 < jnss> why doesnt this work on freebsd
01:42 < jnss> the stupid server scripts arent working
01:43  * theDoc grumbles.
01:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
01:44 < theDoc> This port triggering nonsense on linux is annoyingly annoying.
01:47 -!- propagandhi [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has joined ##openvpn
01:47 -!- propagandhi [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has quit [Remote host closed the connection]
01:48 -!- propagandhi [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has joined ##openvpn
01:51 -!- pclaven [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has quit [Ping timeout: 276 seconds]
01:53 -!- propagandhi [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has quit [Remote host closed the connection]
02:25 < krzie> jnss, wanna be more specific?
02:25 < jnss> krzie, running the build-ca script does not build a certificate
02:26 < krzie> did you source vars file?
02:26 < krzie> the leading . is important
02:26 < krzie> . ./vars
02:26 < krzie> however
02:26 < krzie> you're on freebsd
02:26 < krzie> do it the easy way
02:26 < krzie> !ssl-admin
02:26 < vpnHelper> krzie: "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn, or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
02:27 < theDoc> Hmm.
02:27 < theDoc> dazo> You around?
02:27 < dazo> theDoc:  yup
02:27 < krzie> and if you wanna make configs too
02:27 < krzie> !confgen
02:27 < vpnHelper> krzie: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
02:27 < theDoc> dazo> I think that port triggering problem can be solved by using iptables and conntrack.
02:29 < dazo> theDoc:  aha?  writing your own conntrack module, or is there something more generic available already?
02:29 < jnss> ra# sh ./build-ca
02:29 < jnss> req [options] <infile >outfile
02:29 < jnss> where options  are -inform arg    input format - DER or PEM
02:29 < jnss> it does not build a ca
02:29 < theDoc> dazo> The existing conntrack module seems to be able to pull that off. I'm just looking at testing it right now.
02:29 < jnss> just outputs some  openssl garbage
02:30 < krzie> honestly i havnt used easy-rsa in yrs
02:30 < dazo> theDoc:  that's really nice!!
02:30 < krzie> im a freebsd user as well
02:30 < krzie> i portinstall ssl-admin
02:31 < krzie> edit the config file real quick
02:31 < krzie> then i have a perl UI for doing *
02:31 < jnss> you have x?
02:31 < krzie> hells no
02:31 < krzie> its just a perl text ui
02:32 < theDoc> dazo> I'm not holding my breath on it yet
02:32 < theDoc> lol
02:32 < theDoc> mumble, grumble.
02:32 < jnss> ill get ssladmin
02:33 < jnss> oh, it's just a script
02:34 < krzie> right
02:34 < krzie> !ssl-admin
02:34 < vpnHelper> krzie: "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn, or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
02:34 < krzie> see #3
02:34 < jnss> building perl now
02:35 < jnss> do you run openvpn inside a jail?
02:35 < krzie> !fbsdjail
02:35 < vpnHelper> krzie: "fbsdjail" is <thei0s> krzie: if you are interested in the solution: I needed to add to hosts rc.conf the creation of tun0 device, create a special devfs ruleset with tun0 unhiden, configure that it is used in the devfs mount point inside chroot in my jail and specify openvpn --dev tun0 parameter and it seems that this is it... so, thank you for assistance and ideas
02:35 < jnss> yeah i tried doing that
02:36 < jnss> thing is, my vpn assigns a non-static ip
02:36 < krzie> !static
02:36 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
02:36 < jnss> i have no control over what ip i get assigned
02:37 < krzie> you dont run the server?
02:37 < krzie> then you have no need from ssl-admin, or a CA at all, you need certs from your provider
02:39 < theDoc> Hmm.
02:39 < theDoc> This might be harder than I thought it would be.
02:45 < krzie> thats what she said
02:52 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
02:54 < theDoc> hmm.
03:03 < jnss> i do intend to runa  server
03:04 < jnss> run it on udp/53
03:04 < jnss> to bypass a login at work 
03:04 < jnss> there is wireless only you have to login
03:04 < jnss> and i cant do that but i can get dns working
03:05 < jnss> hopefully i will get wireless working in a 5700m2 building 
03:05 < jnss> so having a vpn server running at home will do exactly that
03:07 < krzie> how so?
03:12 < theDoc> takamichi> You around?
03:14 < jnss> can punch through to the internet over dns port
03:24 -!- dazo is now known as dazo_afk
03:25 < krzie> that may not work, gl tho
03:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:44 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: Connection reset by peer]
04:00 < kraut> moin
04:02 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
04:02 < krzie> moin
04:14 < mwheeler> moin
04:15 -!- astrophy [~astrophy@ip12.208-100-1.static.steadfast.net] has quit [Ping timeout: 264 seconds]
04:21 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:22 -!- takamichi [~pri@78.133.92.164] has quit [Ping timeout: 246 seconds]
04:23 -!- takamichi [~pri@94.75.217.249] has joined ##openvpn
04:26 < theDoc> takamichi> You around mate?
04:30 -!- no_maam [~no_maam@gate.cdc.informatik.tu-darmstadt.de] has quit [Ping timeout: 246 seconds]
04:30 -!- no_maam [~no_maam@gate.cdc.informatik.tu-darmstadt.de] has joined ##openvpn
05:04 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
05:08 < takamichi> Hey theDoc..
05:09 -!- dro__ [~droutin@gw.theralys.com] has joined ##openvpn
05:10 < dro__> hi!
05:10 < dro__> i just have a little question i have to follow a procedure to generate new openvpn client
05:10 < dro__> but in the procedure there is something i don't understand
05:10 < dro__> openssl ca -name CA_bi gencrl -out bi.crl
05:11 < dro__> ho no sorry
05:11 < dro__> -gencrl
05:11 < dro__> what is the aim of regenerating CRL each time ?
05:11 < dro__> i m scared doing that...
05:19 -!- xt3mp0r [xt3mp0r@117.254.14.9] has joined ##openvpn
05:21 < xt3mp0r> i'm starting a vpn connection using an config file on my linux box. Is there anyway, where i can use the same terminal to perform various tasks after establishing the connection ? When i connect to vpn. i can't use the same terminal box. i have to open another one.
05:21 < jnss> add & to the end of the line
05:22 < jnss> & will send it away 
05:23 < xt3mp0r> that shall work..i will try it out. thanks
05:24 < Bushmills> press ctrl-z  in a term where openvpn already runs
05:24 < Bushmills> possibly followed by a "bg" command
05:33 < xt3mp0r> hmm thanks bushmills.
05:33 < Bushmills> np
05:34 -!- dro__ [~droutin@gw.theralys.com] has quit [Quit: WeeChat 0.3.0]
05:39 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
06:38 -!- dazo_afk is now known as dazo
07:06 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
07:43 -!- mithridates [~chatzilla@142.166.50.45] has joined ##openvpn
07:49 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined ##openvpn
07:56 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has left ##openvpn []
08:04 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 240 seconds]
08:06 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
08:18 -!- le0 [~fin@205.138.35.74] has joined ##openvpn
08:18 -!- le0 [~fin@205.138.35.74] has quit [Changing host]
08:18 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
08:19 -!- takamichi [~pri@94.75.217.249] has quit [Ping timeout: 240 seconds]
08:19 -!- takamichi [~pri@78.133.92.164] has joined ##openvpn
08:30 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has joined ##openvpn
08:32 < Zathraz> Hi. I am setting up a new server with openvpn. It will replace a server serving as a gateway. Is there an easy way to test the openvpn setup without installing stuff at the current gateway?
08:40 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
08:56 -!- xt3mp0r [xt3mp0r@117.254.14.9] has quit [Ping timeout: 276 seconds]
09:10 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
09:11 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
09:13 -!- DrPepper [~DrPepper@88.207.188.176] has quit [Read error: Connection reset by peer]
09:13 -!- DrPepper [~DrPepper@88.207.188.176] has joined ##openvpn
09:14 -!- DrPepper2 [~DrPepper@87-98-163-122.kimsufi.com] has joined ##openvpn
09:18 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
09:18 -!- DrPepper [~DrPepper@88.207.188.176] has quit [Ping timeout: 276 seconds]
09:27 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:47 < ScriptFanix> Hi
09:49 -!- coil is now known as coil-desktoppcwi
09:49 < ScriptFanix> When running in udp, the status log holds obsolete data
09:50 < ScriptFanix> are there any way to change this behavior ?
09:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:54 < dazo> ScriptFanix: what do you mean?  can you provide some more details?
09:57 < ScriptFanix> I have an openvpn server, using tap. After restarting the client, a few times, the status log looks like this: http://paste.debian.net/72950/
09:58 < ScriptFanix> I'm trying to parse the status file to get the mac address of the client's tap device
10:04 < ScriptFanix> i need the mac address to find its ipv6 and generate DNS zones
10:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
10:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:09 < ScriptFanix> obviously, of the 3 MAC addresses listed there, only one is currently valid
10:20 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:27 -!- dazo is now known as dazo_afk
10:30 < Zathraz> Hi. Just found and installed OATS on Debian Lenny 64bit. Is it normal that it is quite troublesome?
10:30 < Zathraz> sudo issues. 32 vs 64 bit issues
10:31 < Zathraz> Cannot load 64-bit SWT libraries on 32-bit JVM <--- afaik everything on my system is 32 bit!
10:31 < Zathraz> *64bit
10:35 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
10:36 < theDoc> Aloha folks!
10:47 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
10:50 -!- dazo_afk is now known as dazo
11:01 -!- WormFood [~wormfood@58.60.222.110] has quit [Read error: Connection reset by peer]
11:17 -!- WormFood [~wormfood@121.35.53.127] has joined ##openvpn
11:28 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:29 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has quit [Quit: Leaving]
11:34 -!- magic_1 [~magic@41.123.160.131] has joined ##openvpn
11:35 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:39 -!- magic_1 [~magic@41.123.160.131] has quit [Ping timeout: 276 seconds]
11:40 -!- magic_1 [~magic@mail.pharmed.co.za] has joined ##openvpn
11:40 -!- magic_1 [~magic@mail.pharmed.co.za] has quit [Changing host]
11:40 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
11:45 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:46 -!- Hypnoz [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:52 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
11:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:53 -!- dazo is now known as dazo_afk
12:06 < theDoc> Whoopy!
12:06 < theDoc> dazo_afk> You there? I found a solution!
12:58 -!- kala [~kala@83.151.191.90.dyn.estpak.ee] has quit [Ping timeout: 248 seconds]
12:58 -!- kala [~kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
13:08 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 248 seconds]
13:15 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
13:36 -!- DarthGandalf is now known as DarthGandalf|BNC
13:40 -!- DarthGandalf|BNC is now known as DarthGandalf
13:44 -!- DrPepper [~DrPepper@88.207.188.176] has joined ##openvpn
13:48 -!- DrPepper2 [~DrPepper@87-98-163-122.kimsufi.com] has quit [Ping timeout: 248 seconds]
14:03 -!- DarthGandalf is now known as DarthGandalf|BNC
14:14 -!- DarthGandalf|BNC is now known as DarthGandalf
14:33 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
14:36 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:48 -!- davids [~user@87.115.58.220.plusnet.pcl-ag01.dyn.plus.net] has joined ##openvpn
14:51 < davids> !welcome need help getting openvpn working on my nokia n900 can anyone help?
14:51 < vpnHelper> davids: Error: "welcome" is not a valid command.
14:51 < davids> !welcome
14:51 < vpnHelper> davids: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:51 < davids> !howto
14:51 < vpnHelper> davids: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:57 < davids> !welcome
14:57 < vpnHelper> davids: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:58 < davids> !logs
14:58 < vpnHelper> davids: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
14:58 -!- davids [~user@87.115.58.220.plusnet.pcl-ag01.dyn.plus.net] has quit [Quit: Leaving]
15:05 -!- cpg [U2FsdGVkX1@irc.pommepause.com] has joined ##openvpn
15:16 -!- cpg [U2FsdGVkX1@irc.pommepause.com] has left ##openvpn []
15:22 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 245 seconds]
15:22 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
15:25 -!- barefoot [~magic@41.123.160.131] has joined ##openvpn
15:27 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Read error: Connection reset by peer]
15:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
15:30 -!- barefoot [~magic@41.123.160.131] has quit [Ping timeout: 252 seconds]
15:33 -!- magic_1 [~magic@mail.virtuallogistics.co.za] has joined ##openvpn
15:33 -!- magic_1 [~magic@mail.virtuallogistics.co.za] has quit [Changing host]
15:33 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
16:03 -!- Aboulfeth [~hamza@41.141.58.71] has joined ##openvpn
16:19 -!- EugeneKay is now known as EugeneK
16:23 -!- FreddyK [~18cf09e1@gateway/web/freenode/x-wsqyxyqixrvqpwiz] has joined ##openvpn
16:23 < FreddyK> Hi!
16:23 < FreddyK> How can I download OpenVPN network adapter drivers for Windows?  Is it on a new web site?  I can't find it on www.openvpn.org.
16:24 < Bushmills> you don't
16:24 < FreddyK> I clicked on "OpenVPN Software Downloads" on the home page, but that link takes me to the Access Server download.
16:24 < FreddyK> Is it not available anymore?
16:24 < Bushmills> tun/tap drivers should come by default
16:24 < FreddyK> They don't come with Windows.
16:25 < FreddyK> Microsoft has their own, and it sucks.
16:26 < FreddyK> OpenVPN doesn't take over the gateway (unless you want it to).  With Microsoft's, it doesn't matter if you configure it not it, it still does anyway.
16:26 < FreddyK> I used to be able to download the TUN/TAP network adapter drivers for Windows from the OpenVPN web site, but now the only option is to download Access Server, which is not what I'm after.
16:27 < FreddyK> Has this project been abandoned, and taken over by a commercial firm or something?
16:27 < FreddyK> Are there alternatives to OpenVPN that I should be using?
16:28 < Bushmills> once you have installed openvpn version for windows, the tun/tap driver bundled with openvpn package shpud be installed too
16:29 < FreddyK> Well, yeah, that's what I'm trying to do, but I need to download it first.
16:30 < FreddyK> The web site requires a username and password to download the Access Server, but I don't want that.  I just want the OpenVPN TUN/TAP drivers that I used to download in the past.  I really need to get this set up.
16:31 < FreddyK> If I can't download this software, which is what the OpenVPN project is all about, then how do you expect folks like me to use it?
16:32 < FreddyK> There used to be a download for v2.0.9 and 2.1 but now that's gone.
16:32 < Bushmills> just for curiosity, i typed "openvpn windows download" into a search engine, and the first link had a pointer to the .exe
16:32 < FreddyK> Is it on a different web site?
16:32 < Bushmills> that took much less typing then you raging about that you couldn't download it
16:32 < FreddyK> I just went to http://www.openvpn.net/ (re-directed from www.openvpn.org) and clicked on "OpenVPN Software Downloads."
16:32 < vpnHelper> Title: OpenVPN - Open Source VPN (at www.openvpn.net)
16:32 < FreddyK> I'm not raging, I'm asking for help.
16:33 < Bushmills> link on openvpn.net
16:33 < Bushmills> http://www.google.de/search?hl=de&q=openvpn+windows+download&cts=1273613432832&aq=f&aqi=g1&aql=&oq=&gs_rfai=
16:33 < vpnHelper> Title: openvpn windows download - Google-Suche (at www.google.de)
16:33 -!- FreddyK_ [~18cf09e1@gateway/web/freenode/x-yvxjwqanewfsawnl] has joined ##openvpn
16:33 < Bushmills> your google-fu is very weak
16:33 < FreddyK_> Thanks.  This http://openvpn.net/index.php/open-source/downloads.html is what I needed.
16:34 < vpnHelper> Title: Downloads (at openvpn.net)
16:34 < FreddyK_> My Google-fuck-you is weak?  What the hell?  Why the FUCK isn't this download link on the home page of OpenVPN.Net?  Yeah, now I'm raging because I'm frustrated.
16:34 < FreddyK_> I just wanted to download.  I have the link now, but this is stupid.
16:34 < FreddyK_> The web site is messed up.
16:35 < FreddyK_> Why should I have to use Google to find a download link on a web page?
16:35 < FreddyK_> I should be able to find it from the web site itself./
16:35 < Bushmills> good luck
16:35 < FreddyK_> Thanks for your help, and thanks for setting off my rage.
16:35 < FreddyK_> You're not typical of the type of people who have helped me here before.  Most people around here are nice.
16:36 < FreddyK_> If I was new, I wouldn't use this product because I'd think everyone here is like you.
16:36 < Bushmills> i tend to be acrid when people don't manage themselves with the simplest of tasks
16:36 < FreddyK_> Fix the web site, or else other people like me are just going to give up and look for other stuff.
16:36 < FreddyK_> I hope this is logged and someone reads this conversation.
16:36 < Bushmills> i am not associated with that site at all. you fix it - it is you having problems with it, not me.#
16:37 -!- FreddyK [~18cf09e1@gateway/web/freenode/x-wsqyxyqixrvqpwiz] has quit [Ping timeout: 252 seconds]
16:37 < FreddyK_> No, you're acrid because you like to fuck people around.  Telling me to use Google to navigate a web site is stupid.
16:37 -!- FreddyK_ is now known as FreddyK
16:37 < Bushmills> it helped me.
16:38 < FreddyK> Yeah, well, the web site is broken because the link for "OpenVPN downloads" doesn't take me to the download page.
16:38 < Bushmills> had i need that version, i would have found it that way. you didn't,
16:38 < Bushmills> as stupid as it sounds, it works
16:38 < FreddyK> No, I expected to find it through the web page.  This works with all open source projects, and also most commercial applications, without the need for a search engine..
16:38 < FreddyK> If they can't run the web site properly, then they probably need a new web site.
16:38 < Bushmills> it may be a test
16:39 < FreddyK> My download is done, so I am too.  Hopefully someone around here will "get it" and fix the web site.  Your attitude is broken, as is the web site, not me.  I just wanted to download it.
16:39 -!- FreddyK [~18cf09e1@gateway/web/freenode/x-yvxjwqanewfsawnl] has quit []
16:39 < Bushmills> of the kind "if you can't find the download, then you might need to pay for access server"
16:40 < Bushmills> i thought ubuntu people were the worst kind.
16:40 < Bushmills> seems i was wrong
16:45 -!- astrophy [~astrophy@95.211.87.138] has joined ##openvpn
16:46 -!- Visual` [~visualsta@unaffiliated/visualstation] has left ##openvpn []
16:54 < krzee> hah
16:54 < krzee> too bad i notice notice that quicker
16:54 < krzee> coming into a help chan with that attitude is worthy of the banhammer
16:56 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
16:59 -!- astrophy [~astrophy@95.211.87.138] has quit [Ping timeout: 276 seconds]
17:03 < ecrist> he didn't have an attitude to begin with.
17:04  * ecrist goes to find people and drink beer/eat dinner
17:04 < krzee> hrm, i didnt read it carefully
17:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
17:13 <@openvpn2009> wow
17:13 <@openvpn2009> what did I miss!
17:13 <@raidz> too funny!
17:13 -!- astrophy [~astrophy@67.159.28.162] has joined ##openvpn
17:19 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
17:19 <@raidz> Downloads are located in: Community Sotware>Downloads.....
17:20 < krzee> !download
17:20 < vpnHelper> krzee: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) see !gui for more information for Windows clients.
17:20 < krzee> hrm, that might be old
17:20 < krzee> !gui
17:20 < vpnHelper> krzee: "gui" is OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore.
17:20 < krzee> oh ok, its not
17:20 < krzee> !forget gui
17:20 < vpnHelper> krzee: Joo got it.
17:21 < krzee> !forget download 2
17:21 < vpnHelper> krzee: Joo got it.
17:21 < krzee> !learn download OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
17:21 < vpnHelper> krzee: (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
17:21 < krzee> !learn download as OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
17:21 < vpnHelper> krzee: Joo got it.
17:44 -!- xod [~onats@112.201.158.40] has joined ##openvpn
17:47 -!- barefoot [~magic@41.123.160.131] has joined ##openvpn
17:47 -!- barefoot [~magic@41.123.160.131] has quit [Client Quit]
17:47 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:49 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
17:51 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 276 seconds]
17:56 -!- xod [~onats@112.201.158.40] has quit [Quit: Ex-Chat]
18:35 -!- blueboxthief [~None_of_y@83-71-8-221-dynamic.b-ras1.dbn.dublin.eircom.net] has joined ##openvpn
19:03 -!- DrPepper [~DrPepper@88.207.188.176] has quit [Remote host closed the connection]
19:03 -!- DrPepper [~DrPepper@88.207.188.176] has joined ##openvpn
19:09 -!- DrPepper [~DrPepper@88.207.188.176] has quit [Remote host closed the connection]
19:17 < ecrist> krzee: you around?
19:18 < ecrist> krzie: ping
19:25 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 258 seconds]
19:34 -!- mithridates [~chatzilla@142.166.50.45] has quit [Ping timeout: 260 seconds]
19:38 < krzee> hey
19:43 < krzee> ecrist, pong
19:43 -!- Hypnoz [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Ping timeout: 260 seconds]
19:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
19:59 -!- Aboulfeth [~hamza@41.141.58.71] has quit [Quit: Leaving]
20:05 -!- theDoc [~jaki@69.10.59.166] has joined ##openvpn
20:05 -!- theDoc [~jaki@69.10.59.166] has quit [Changing host]
20:05 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:08 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:12 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Remote host closed the connection]
20:47 -!- p3rror [~Ali@adsl196-10-86-206-196.adsl196-3.iam.net.ma] has joined ##openvpn
20:47 < p3rror> hello
20:47 < p3rror> when i start openvpn
20:47 < p3rror> i got Cannot allocate TUN/TAP dev dynamically
20:47 < p3rror> what does it mean ?
20:51 < krzee> you dont have tun loaded into your kernel
20:51 < krzee> it can be there via kernel module or compiled in
20:59 < p3rror> yep so modprobe tun 
20:59 < p3rror> thanks
21:10 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has joined ##openvpn
21:16 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
21:17 -!- EugeneK is now known as EugeneKay
22:28 < ecrist> krzee: what problems does pfSense have with OpenVPN?
22:28 < ecrist> I was having beers with the pfSense lead tonight, will be again tomorrow, so I have his ear.
22:33 -!- Hypnoz [~X@adsl-99-35-229-249.dsl.pltn13.sbcglobal.net] has joined ##openvpn
23:42 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
23:42 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
--- Day changed Wed May 12 2010
00:03 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
00:03 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Ping timeout: 260 seconds]
00:04 -!- SkyTIME [~SkyB0x@212.235.177.25] has joined ##openvpn
00:23 -!- dxtr [dxtr@unaffiliated/dxtr] has quit [Read error: Operation timed out]
00:23 -!- dxtr_ [dxtr@dxtr.cc] has joined ##openvpn
00:26 < theDoc> fuck man
00:26 < theDoc> This is ridiculous.
00:26 < theDoc> How the fuck is a switch which I installed 3 months ago my problem now.
00:26 < theDoc> >:|
00:28 -!- WormFood [~wormfood@121.35.53.127] has quit [Read error: Connection reset by peer]
00:38 < jpalmer> ecrist: where do you live?  didn't you say LA?
00:45 -!- SkyTIME [~SkyB0x@212.235.177.25] has left ##openvpn []
00:55 < krzie> jpalmer, whois his domain
00:55 < krzie> minn
00:56 < krzie> ecrist, honestly i have no idea re: problems with pfsense, imho if it accepts standard openvpn config files, its all good... even better if it allows them to be uploaded via the web interface (as opposed to needing to do it via ssh or web config)
00:56 < krzie> its been awhile since a pfsense user was here, so i dont remember any specifics about how pfsense works with openvpn
00:57 < krzie> in general my only problems with non handmade configs are with thinks like network manager or AS where they handle configs their own way instead of the opensource openvpn way
01:01 -!- Hypnoz [~X@adsl-99-35-229-249.dsl.pltn13.sbcglobal.net] has quit [Ping timeout: 268 seconds]
01:09 -!- IceD^ [~iced@live.bn.by] has joined ##openvpn
01:09 < IceD^> ok
01:09 < IceD^> looks like the problem is with mtu
01:09 < IceD^> /sbin/ifconfig tun0 10.8.0.74 pointopoint 10.8.0.73 mtu 1500 it ups it as is
01:10 < IceD^> but I have MTU of 1500 on the eth0 (link) device
01:10 < IceD^> err
01:10 < IceD^> interface
01:10 < IceD^> so - should I change eth0 MTU to 1544?
01:10 < krzie> try not adjusting it at all
01:11 < krzie> or have you done that and found issues that were fixed by adjusting it
01:11 < IceD^> you remember, I have tcp over tcp
01:11 < IceD^> it looks more-less ok without traffic
01:11 < krzie> tun1: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
01:11 < krzie> mine is mtu 1500 by default...
01:11 < krzie> have you tried tcp noqueue?
01:12 < IceD^> but wget on 500kb/s ---> it zombies after few megabytes
01:12 < krzie> sounds like the standard tcp over tcp problem
01:12 < krzie> you cant polish a turd
01:13 < krzie> ild say feel free to play with mtu, try noqueue, try anything you like... but dont be shocked if the problem remains there no matter what
01:13 < krzie> what you describe (ESPECIALLY if it starts good and gets worse til it dies) is whats talked about in the docs that talk about tcp-over-tcp
01:14 < IceD^> what noqueue does (nothing in man)
01:14 < IceD^> I know it, OK
01:14 < krzie> 1sec lemme find the option
01:15 < krzie> --tcp-nodelay
01:15 < IceD^> it's server-side
01:16 < IceD^> I don't have any access to the server
01:16 < IceD^> and admin of that server is asshole
01:16 < krzie> this channel generally needs to assume you do
01:16 < IceD^> I'm trying to configure client
01:16 < IceD^> with existing server ;]
01:16 < krzie> theres only so much you can do from client
01:16 < krzie> but best of luck to ya
01:17 < IceD^> k, let me try with mtu
01:17 -!- IceD^ [~iced@live.bn.by] has quit [Quit: Leaving]
01:18 -!- IceD^ [~iced@live.bn.by] has joined ##openvpn
01:18 < IceD^> no, it doesn't help
01:19 < krzie> im not surprised
01:19 < krzie> theres really nothing you can do
01:19 < IceD^> why it can't realize it's dead already
01:19 < IceD^> and restart
01:19 < IceD^> at least
01:19 < krzie> oh well with that
01:19 < krzie> see --keepalive
01:20 < krzie> you cant even ping, deaddead right?
01:20 < IceD^> iced extract # cat /etc/openvpn/bn.conf | grep keep
01:20 < IceD^> keepalive 2 4
01:20 < IceD^> yes - totally dead
01:20 < krzie> dude, thats too much
01:21 < IceD^> well
01:21 < IceD^> what's reasonable number
01:21 < IceD^> you see, I have really good link to that server
01:22 < IceD^> 64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=21.6 ms
01:32 < IceD^> OpenVPN  is  designed to operate optimally over UDP, but TCP capability is provided for situations where UDP cannot be used.  In comparison with UDP, TCP will usually be some‐
01:32 < IceD^>               what less efficient and less robust when used over unreliable or congested networks.
01:32 < IceD^> (c) man
01:32 < IceD^> well, it should be fixed ;]
01:34 < krzie> its not a matter of fixing anything, in james' slide show about openvpn he makes it sound like openvpn was made to avoid the tcp-over-tcp issue
01:34 < krzie> otherwise ssh tunnels suffice
01:34 < IceD^> I mean - fix man page
01:34 < IceD^> ;]
01:34 < krzie> ahh
01:34 < IceD^> as it simply doesn't work
01:35 < IceD^> so - what about better k-a numbers?
01:35 < IceD^> if it'll reconnect withing second - it'd be OK
01:38 < IceD^> testing..
01:38 -!- IceD^ [~iced@live.bn.by] has quit [Quit: Leaving]
01:44 -!- IceD^ [~iced@live.bn.by] has joined ##openvpn
01:44 < IceD^> krzie, man, it's some other problem
01:45 < IceD^> see - it locks somewhere inside
01:45 < IceD^> or something
01:45 < krzie> a more normal keep-alive is 10 60, but that takes 120 sec to reconnect
01:46 < IceD^> I'm pinging server via vpn (IP 10.8.0.1) and pings stops when vpn is hanged
01:46 < IceD^> but no restart happens
01:46 < IceD^> I tested this with 1 30
01:46 < IceD^> and 10 30
01:46 < IceD^> no way - it simply doesn't restart
01:46 < krzie> also, have you looked at whats pushed at you?
01:46 < krzie> your keep-alive might not even matter
01:47 < krzie> if overridden by server
01:47 < krzie> if he uses keep-alive it will push to you and override
01:47 < IceD^> hmm
01:47 < krzie> In client mode, the --ping-restart parameter is set to 120 seconds by default. This default will hold until the client pulls a replacement value from the server, based on the --keepalive setting in the server configuration.
01:48 < IceD^> no - no k-a on the server side
01:48 < krzie> and my bad, for client its 60sec for restart by default
01:48 < IceD^> I have openvpn 2.1.0 - should I try to downgrade?
01:48 < krzie> 2.1.1 is newest
01:49 < krzie> downgrading wont help dude, i dont think you can be heled
01:49 < krzie> helped
01:49 < IceD^> let me try
01:49 < krzie> you're in a no-winner
01:49 < krzie> try all you like
01:49 < IceD^> well - I'm pretty sure, there is bug in openvpn
01:49 < IceD^> as ping-restart doesn't work in my case
01:50 < IceD^> brb
01:50 -!- IceD^ [~iced@live.bn.by] has quit [Quit: Leaving]
01:58 -!- IceD^ [~iced@live.bn.by] has joined ##openvpn
01:58 < IceD^> well
01:58 < IceD^> I see the problem now
01:58 < IceD^> krzie, http://pastie.org/956603
01:58 < IceD^> it's trying to ping server by real IP
01:58 < IceD^> which is, of course, available
01:59 < IceD^> again - line to the server is, virtually, patchcord and doesn't provide any packet loss
02:06 < IceD^> the question is - why it's pinging real server over real connection, not via vpn channel
02:07 < krzie> openvpn works based on routing, you cant route to the vpn server over the vpn
02:07 < krzie> because then you wouldnt have a connection to the vpn
02:07 < IceD^> sure
02:07 < IceD^> but we have end-point inside vpn channel
02:07 < krzie> to ping vpn server over vpn, use vpn ip
02:07 < IceD^> in my case it's 10.8.0.1
02:07 < krzie> that goes over the vpn
02:08 < IceD^> and pings to it stops when vpn connection is dead
02:08 < IceD^> (using normal ping)
02:08 < krzie> well no shit
02:08 < IceD^> but vpn tries to ping real ip - which is available
02:08 < IceD^> and think that everything is OK
02:09 < krzie> why do you think that? looked at the source?
02:09 < IceD^> <IceD^> krzie, http://pastie.org/956603
02:09 < IceD^> I'm pretty sure, it's ping
02:10 < krzie> right, thats how its shown, the pings should still be over the vpn channel
02:10 < IceD^> but they are going in this case
02:10 < krzie> whatev
02:10 < krzie> bbl
02:10 < IceD^> so - pings are going, but everything else is dead
02:15 -!- IceD^ [~iced@live.bn.by] has quit [Quit: Leaving]
02:21 -!- IceD^ [~iced@live.bn.by] has joined ##openvpn
02:21 < IceD^> weeeeel
02:22 < IceD^> krzee, I booted to windows, installed openvpn there 
02:22 < IceD^> and it works perfectly
02:22 < IceD^> so - the problem is with linux openvpn
02:22 -!- DrPepper [~DrPepper@88.207.188.176] has joined ##openvpn
02:24 < theDoc> Check your mtu?
02:24 < IceD^> 1500
02:24 < IceD^> I think, the same in windows
02:24 < IceD^> but I don't know how to check it there
02:25 < IceD^> as I'm using windows only for playing bioware games last 10 years ;]
02:29 < IceD^> trying 2.1.1
02:29 -!- IceD^ [~iced@live.bn.by] has quit [Quit: Leaving]
02:30 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:31 -!- IceD^ [~iced@live.bn.by] has joined ##openvpn
02:31 < IceD^> well, 2.1.1 (the same as in windows) works the same bad as 2.1.0
02:32 < IceD^> so - now I know that the problem is with linux version - what and how to check?
02:32 < IceD^> I'm running gentoo linux with -O2 -march=native flags, 2.6.33 kernel
02:34 < IceD^> also, on this box vpn to udp server works perfectly as well
02:35 -!- cron2_ is now known as cron2
02:37 -!- IceD^ [~iced@live.bn.by] has quit [Quit: Leaving]
02:38 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
02:40 -!- IceD^ [~iced@live.bn.by] has joined ##openvpn
02:40 < IceD^> more amazing news from me
02:40 < IceD^> I started vbox with opensuse in it
02:40 < IceD^> stopped openvpn on the host pc, started it inside opensuse - works like a charm
02:41 < IceD^> so it's either gentoo openvpn issue
02:41 < IceD^> or gentoo tun module issue
02:41 < IceD^> or some other gentoo issue
02:43 < krzie> i think you can cross openvpn off that list
02:43 < IceD^> gentoo is source based
02:43 < krzie> !notovpn
02:43 < vpnHelper> krzie: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
02:43 -!- havoc [~havoc@neptune.chaillet.net] has quit [Ping timeout: 246 seconds]
02:44 < IceD^> so it's possible that it's build improperly
02:44 -!- havoc [~havoc@neptune.chaillet.net] has joined ##openvpn
02:46 -!- IceD^ [~iced@live.bn.by] has quit [Quit: Leaving]
02:46 -!- dazo_afk is now known as dazo
02:47 -!- IceD^ [~iced@live.bn.by] has joined ##openvpn
02:47 < IceD^> problem solved
02:47 < IceD^> it was gentoo patches involved
02:47 < IceD^> I built it without them - and voila
02:49 < IceD^> http://distfiles.gentoo.org/distfiles/openvpn-2.1_rc22-ipv6-0.4.10.patch.gz - this patch
02:49 < IceD^> fsck!
02:49 -!- DarkM [~DarkM@acro.fr] has joined ##openvpn
02:49 < DarkM> Hi everybody
02:49 < krzie> didnt you say you had 2.1.1?
02:49 < DarkM> I'm trying to setup a vpn server. It says "Initialization Sequence Completed" but I can't connect to it :o !
02:50 < dazo> !welcome
02:50 < vpnHelper> dazo: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:50 < dazo> DarkM: ^^
02:50 < IceD^> sorry guys for bothering you ;]
02:50 < IceD^> krzie, big thanks to you
02:50 -!- IceD^ [~iced@live.bn.by] has quit [Client Quit]
02:50 < DarkM> dazo > Thanks :) Hmm....
02:50 < DarkM> !redirect
02:50 < vpnHelper> DarkM: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
02:51 < DarkM> Okayyyyy but my server doesn't even respond right now T_T
02:51 < krzie> via vpn ip?
02:51 < DarkM> Well I got openvpn running on my server, and uh, all my ports are open just to check
02:51 < DarkM> And i'm using tunnelblick here (on mac os x)
02:51 < DarkM> and try to connect to the server and it times out
02:51 < krzie> can you ping the vpn ip?
02:51 < DarkM> Yes
02:52 < DarkM> You mean the ip of the server right ?
02:52 < krzie> like 10.8.0.1 or whatever the vpn uses
02:52 < DarkM> Oh
02:52 < DarkM> Of course I can't, I would have to be connected to it in the first place 
02:52 < DarkM> :/
02:52 < krzie> !logs
02:52 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
02:52 < DarkM> Hold on :
02:53 < krzie> "i cant connect" has meant many many things in here before
02:54 < DarkM> Okay okay, hold on let me paste
02:54 < DarkM> http://pastebin.com/tg2ecmg3
02:55 < DarkM> I'm trying on port 23, just to check if my firewall on my client is blocking the regular port
02:55 < DarkM> But doesn't work either
02:55 < DarkM> !def1
02:55 < vpnHelper> DarkM: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
02:56 < krzie> !logs
02:56 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
02:56 < krzie> verb 5, client AND server
02:56 < DarkM> Oh okay sorry :/
02:56 < DarkM> Hold on
02:57 < DarkM> krzie: First the server http://pastebin.com/Zzp6T3Hy
02:58 < DarkM> And client http://pastebin.com/1tWW0Gk6
02:58 < DarkM> I haven't put the certificates yet I just would like to have a response from the server for now on
02:59 < krzie> first, you should upgrade
02:59 < krzie> 2.1.1
02:59 < DarkM> hmm okay
02:59 < krzie> you are using very old code that has plenty of stuff fixed in it
03:00 < DarkM> It's the one from apt-get :s
03:00 < krzie> after that, its your firewall or port forwarding, or yourclient trying to connect to the wrong ip:port:protocol
03:00 < krzie> !download
03:00 < vpnHelper> krzie: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
03:00 < DarkM> Okay so I'm gonna check this out right now
03:00 < krzie> build from source if your OS package manager doesnt know how to stay current
03:00 < krzie> osx has 2.1.1 in macports
03:01 < krzie> but thats already 2.1.1 anyways
03:01 < DarkM> Hmmmm
03:01 < krzie> i dunno what the other os is
03:01 < DarkM> Yeah
03:01 < DarkM> The other os is ubuntu
03:01 < DarkM> The server I mean
03:01 < krzie> heh
03:01 < krzie> at least you arent trying to use network manager
03:02 < krzie> so ya, its a firewall
03:02 < krzie> likely on 1 of the machines
03:02 < krzie> but possibly in between
03:02 < DarkM> Okay :/ Can you try with yours if you know that there's nothing wrong with your firewall ? :/
03:02 < krzie> *shrug* ok
03:03 < krzie> pastebin your client config
03:03 < DarkM> 94.23.227.72:23 udp
03:03 < DarkM> Yup sure
03:03 < krzie> actually that works
03:03 < DarkM> Okay :/.... So that's my network I guess that is being restrictive
03:03 < DarkM> I have to put it on something like 443 I guess :/
03:03 < krzie> 1min
03:04 < DarkM> Thanks :) That's nice, helping me so much
03:04 < krzie> no no
03:04 < krzie> i didnt test yet
03:04 < DarkM> Yeah but thanks for helping anyway :p
03:06 < DarkM> I'm changing the port to 443 to be sure.
03:07 -!- DrPepper [~DrPepper@88.207.188.176] has quit [Remote host closed the connection]
03:07 < krzie> i could reach it
03:07 < DarkM> Yeah but it'sl ogged.
03:07 < krzie> Wed May 12 04:07:27 2010 TLS: Initial packet from 94.23.227.72:23, sid=e386e9ba bf462db4
03:07 < krzie> Wed May 12 04:07:29 2010 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=FR/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/emailAddress=me@myhost.mydomain
03:07 < DarkM> I see some connection refused
03:07 < DarkM> I can't even trigger the logs.
03:08 < DarkM> Okay so it's "working" I mean the problem is on my client
03:08 -!- DrPepper [~DrPepper@88.207.188.176] has joined ##openvpn
03:08 < krzie> btw, port 53 is better for udp outbound firewalls
03:08 < DarkM> I'm shutting the server down to change the port
03:08 < krzie> 23 is telnet port, which is tcp
03:08 < krzie> 443 is tcp https
03:08 < krzie> 53 is udp, dns
03:09 < DarkM> Hmmm yeah I know but uh
03:09 < DarkM> I must keep my dns server on
03:09 < DarkM> Can I use like... 53 with tcp ? 
03:09 < krzie> ahh
03:09 < DarkM> And keep my dns on ?
03:09 < DarkM> I'm not using 443 :3
03:09 < krzie> dns often also uses 53tcp
03:09 < DarkM> Okay then I'll go 443 :)
03:10 < krzie> tcp is only there for large zone xfer tho and can safely be disabled on many NS
03:11 < DarkM> Okay :o
03:11 < DarkM> Didn't know that
03:14 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
03:16 < krzie> heh i guess im wrong and queries can go over dns
03:16 < krzie> err tcp dns
03:16 < krzie> but dunno, ive had it off and it hurt nothing i noticed
03:16 < theDoc> What could my problem be if I can't ping a client on my vpn network.
03:17 < krzie>     udp  53    53    Queries between servers (eg, recursive queries)
03:17 < krzie>                      Replies to above
03:17 < krzie>     tcp  53    53    Queries with long replies between servers, zone
03:17 < krzie>                      transfers Replies to above
03:17 < krzie> firewall
03:17 < DarkM> :o 
03:18 < krzie> (@thedoc)
03:18 < theDoc> krzee> Yeah, that too. 
03:19 < theDoc> lol, and it works
03:22 < DarkM> krzie: It displays "connected" on my client now :D
03:24 < DarkM> krzie: Thanks a lot :) You have no idea how much you helped me xD
03:24 < krzie> yw
03:24 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
03:25 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
03:26 -!- DrPepper [~DrPepper@88.207.188.176] has quit [Remote host closed the connection]
03:26 -!- DrPepper [~DrPepper@88.207.188.176] has joined ##openvpn
03:27 -!- raimon [~romain@86.66.22.240] has joined ##openvpn
03:29 -!- blueboxthief [~None_of_y@83-71-8-221-dynamic.b-ras1.dbn.dublin.eircom.net] has quit [Quit: Leaving.]
03:29 -!- DarkM [~DarkM@acro.fr] has quit [Remote host closed the connection]
03:31 -!- DrPepper [~DrPepper@88.207.188.176] has quit [Remote host closed the connection]
03:31 -!- DrPepper [~DrPepper@88.207.188.176] has joined ##openvpn
03:33 -!- DrPepper [~DrPepper@88.207.188.176] has quit [Remote host closed the connection]
03:34 -!- DrPepper [~DrPepper@88.207.188.176] has joined ##openvpn
03:35 -!- Esya [~Esya@acro.fr] has joined ##openvpn
03:35 < Esya> Hi guys uh i'm back :p
03:35 -!- Esya is now known as DarkM
03:35 < DarkM> krzie: Uhhh :D I have one little question once again :/
03:35 < DarkM> Now I can only have one client connected
03:35 < krzie> generate more certs for more clients to use
03:36 < DarkM> Oh :o.
03:36 < DarkM> I was using a .key file, the same on the server and on the client
03:36 < DarkM> But okay i will generate more certificates using the vars file I guess
03:37 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- DrPepper [~DrPepper@88.207.188.176] has quit [Remote host closed the connection]
03:38 -!- DrPepper [~DrPepper@88.207.188.176] has joined ##openvpn
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 265 seconds]
03:40 -!- DrPepper [~DrPepper@88.207.188.176] has quit [Remote host closed the connection]
03:41 -!- DrPepper [~DrPepper@88.207.188.176] has joined ##openvpn
03:42 -!- DrPepper [~DrPepper@88.207.188.176] has quit [Remote host closed the connection]
03:43 -!- DrPepper [~DrPepper@88.207.188.176] has joined ##openvpn
03:49 < DarkM> krzie: Options error: Parameter ca_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
03:49 < DarkM> Just because I added a "ca"
03:50 < DarkM> Do I really have to use TLS ? :o
03:50 < DarkM> http://pastebin.com/9HNxcMDL new server conf
03:52 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Read error: Connection reset by peer]
03:54 < DarkM> Does anyone know what I should do ? :o
03:54 < krzie> follow the howto
03:54 < krzie> !howto
03:54 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:54 < krzie> its pretty clear in that section
03:54 < DarkM> I'll read it :3
03:55 < krzie> you obviously didnt follow it fully for certs
03:55 < krzie> you dont need --tls
03:55 < DarkM> I used a tuto from another website :$
03:55 < krzie> you can use --server and --client
03:55 < krzie> try this
03:55 < krzie> !confgen
03:55 < vpnHelper> krzie: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
03:55 < krzie> and btw
03:56 < krzie> !tcp
03:56 < vpnHelper> krzie: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
03:56 < DarkM> Okayyy :o
03:56 < DarkM> you're pretty good x)
03:56 < DarkM> I made my certificates that way
03:56 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
03:56 < DarkM> with . ./vars, clean-all, etc etc
03:56 < krzie> ya i didnt look at your config
03:56 < DarkM> and I used the build-key-server and build-key
03:57 < krzie> you are using --ifconfig and all
03:57 < krzie> its not your certs
03:57 < krzie> its your config
03:57 < DarkM> Oh okay :$
03:57 < krzie> thats why i passed you the confgen
03:57 < DarkM> Okay okay, but it worked before the certs
03:57 < krzie> because you were using ptp setup
03:57 < krzie> you should have tested by trying for your goal
03:57 < DarkM> Okayyyyyy :o
03:57 < krzie> you did entirely different setups
03:58 < DarkM> How can I easily make it work ? Without generating a whole new conf file ? :o
03:58 < krzie> by fixing it
03:59 < DarkM> XD
03:59 < krzie> reading the manual
03:59 < krzie> specificly --server
03:59 < DarkM> like uh
03:59 < krzie> and you should use udp
03:59 -!- dxtr_ [dxtr@dxtr.cc] has quit [Read error: Operation timed out]
03:59 < DarkM> openserver myconf.conf --server ?
03:59 < DarkM> This doesn't work :/
03:59 < krzie> !--
03:59 < vpnHelper> krzie: "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file.
03:59 < krzie> !man
03:59 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
04:02 < DarkM> I'm trying that
04:06 -!- dxtr [dxtr@dxtr.cc] has joined ##openvpn
04:06 -!- dxtr [dxtr@dxtr.cc] has quit [Changing host]
04:06 -!- dxtr [dxtr@unaffiliated/dxtr] has joined ##openvpn
04:07 < DarkM> :/
04:07 < DarkM>  94.23.227.72:57050 TLS Error: unknown opcode received from 94.23.227.72:57050 op=15
04:07 < DarkM> Wed May 12 11:08:43 2010 us=787676 94.23.227.72:57050 Fatal TLS error (check_tls_errors_co), restarting
04:07 < DarkM> T_T
04:08 < krzie> just try my confgen
04:08 < krzie> i made it for you!
04:08 < DarkM> :D
04:08 < DarkM> Okay okay I'm gonna try it
04:12 -!- takamichi [~pri@78.133.92.164] has quit [Ping timeout: 276 seconds]
04:12 -!- takamichi [~pri@94.75.217.248] has joined ##openvpn
04:17 -!- DarkM [~Esya@acro.fr] has quit [Remote host closed the connection]
04:23 -!- Esya [~Esya@acro.fr] has joined ##openvpn
04:23 < Esya> I'm back!
04:23 -!- Esya is now known as DarkM
04:23 < DarkM> x)
04:24 < DarkM> krzie:  Something does not work even with your generated config files :(
04:24 < DarkM> It keeps retrying, and on the server side i got
04:24 < krzie> checked filenames are right?
04:24 < DarkM> Yes they are
04:24 < DarkM> I got this :
04:25 < DarkM> (I'm pasting 2 min)
04:25 -!- prakriti [~jeremy@24.100.137.18] has quit [Ping timeout: 252 seconds]
04:25 < DarkM> Client side : http://pastebin.com/Miivfx03
04:26 < krzie> 2009-05-12 11:25:30  error=certificate is not yet valid: /C=FR/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailAddress=me@myhost.
04:26 < DarkM> Huuuuu
04:26 < DarkM> damn -_-
04:26 < DarkM> I'm in 2009 on this computer for a stupid reason
04:26 < krzie> heh
04:27 < DarkM> Thankkkkks :D 
04:27 < DarkM> It works
04:27 < krzie> yw
04:27 < DarkM> hopefully T_T
04:27 < DarkM> I sincerely hope I did not make you waste your time
04:27 < krzie> all good im sitting here working on a script
04:29 < DarkM> :) 
04:29 < DarkM> So you did the config generator script ?
04:29 < krzie> yup
04:29 < DarkM> Very useful :D.
04:29 < krzie> thanx!
04:29 < krzie> its new
04:29 < DarkM> Well openvpn is a bit... how to say that
04:30 < DarkM> Something huge, when you haven't done much with certificates, vpns, etc
04:30 < DarkM> You're a bit lost
04:30 < DarkM> So that's really useful
04:30 < krzie> glad you like
04:31 < DarkM> I've got to go :)
04:31 < DarkM> Thanks once again
04:31 < DarkM> See you later :)
04:31 -!- DarkM [~Esya@acro.fr] has quit [Quit: DarkM]
04:32  * hyper_ch heard the word "generator"
04:32 < krzie> just had him use it instead of fixing his config for him
04:32 < krzie> =]
04:36 < hyper_ch> I know
04:36 < hyper_ch> I'll really work on the webgenerator soon again :) didn't have time during the flights
04:38 < krzie> =]
04:43 -!- DarkM [~DarkM@acro.fr] has joined ##openvpn
04:43 < DarkM> krzie: Sorry to bother once again T_T But it works yeah, but it does not transmit the packets to the internet
04:43 < DarkM> But I specified that I want to using your config generator
04:44 < DarkM> And I have the forwarding rules using iptables etc.
04:44 < krzie> !redirect
04:44 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
04:44 < DarkM> Hmm push "redirect-gateway def1"
04:44 < DarkM> It isn't enough ?
04:44 < DarkM> I have this in my config file
04:44 < krzie> thats enough for that part
04:44 < DarkM> And nat is enabled and working
04:45 < krzie> you also need i forwarding enabled in the OS
04:45 < DarkM> When I was using client-to-client it worked
04:45 < krzie> and nat correctly setup
04:45 < krzie> when those 3 things happen, it will work
04:45 < krzie> !c2c
04:45 < vpnHelper> krzie: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
04:45 < vpnHelper> krzie: behind other clients
04:45 < DarkM> It worked in c2c
04:45 < krzie> nope
04:45 < krzie> c2c has nothing to do with that
04:45 < DarkM> Yeah I know but I mean
04:45 < krzie> its about routing between clients
04:45 < DarkM> Okay
04:45 < krzie> show your nat rule
04:45 < DarkM> Oh I know why T_T
04:46 < DarkM> My nat rule is for 192.168....
04:46 < krzie> wrong NAT i bet
04:46 < krzie> yup
04:46 < DarkM> And your generator uses 10....
04:46 < krzie> it uses whatever you set it to
04:46 < DarkM> iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -d ! 192.168.10.0/24 -j MASQUERADE
04:46 < DarkM> Yeah I know I mean by default
04:46 < krzie> but it has a default
04:46 < DarkM> So huuu
04:46 < DarkM> What would it be then 
04:46 < DarkM> 10.8.0.0/24 ?
04:46 < krzie> !linnat
04:46 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
04:46 < krzie> check your config
04:47 < DarkM> server 10.8.1.0 255.255.255.0
04:47 < krzie> so why would it be 10.8.0.0/24 :-p
04:47 < DarkM> :D
04:47 < DarkM> Sorry :$
04:48 < DarkM> I guess its working now :o
04:48 < DarkM> Yeah it do works :D.
04:48 < DarkM> And accepts multiple client thanks :D.
04:49 < DarkM> Have a nice day and once again thanks for helping :D 
04:49 -!- DarkM [~DarkM@acro.fr] has quit [Quit: DarkM]
05:05 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 264 seconds]
05:17 < raimon> Hi there. I'm going to present OpenVPN at the rmll (http://2010.rmll.info).... Could you take give a look at the summary... :
05:17 < vpnHelper> Title: Accueil - 11es RMLL du 6 au 11 juillet 2010 (at 2010.rmll.info)
05:18 < raimon> vpnHelper : (impressive)
05:18 < vpnHelper> raimon: Error: ":" is not a valid command.
05:18 < raimon> OpenVPN - Smart, Simple, Secure VPN solution for home and business
05:18 < raimon> OpenVPN is a GNU/GPL application that provides VPN connexions using OpenSSL libraries for authentication and encryption.
05:18 < raimon> It's a lightweight, secure and flexible solution for creating either site-to-site or multiclient-server secure connexions.
05:18 < raimon> OpenVPN is available on Linux, MacOS, Windows, Solaris, OpenBSD, FreeBSD, dd-wrt, ...
05:18 < raimon> Content of the conference :
05:18 < raimon>     * Introduction : Quick overview of today's VPN solutions (IPSEC, L2TP-IPSEC, PPTP, "Web based VPN" so-called WebVPN, WebSSL...). Pros and cons for each of them and you'll choose the right one, advisingly...!
05:18 < raimon>     * Focus on OpenVPN :
05:18 < raimon>         * The secure layers of OpenVPN :
05:18 < raimon>               o Authentication
05:18 < raimon>               o Encryption
05:18 < raimon>               o Encapsulation (networking) : tunneling vs tapping, UDP vs TCP - why TCP over TCP is not good...
05:18 < raimon>         * OS side security
05:18 < raimon>         * Using OpenVPN :
05:18 < raimon>               o a 4 lines config file, and it works !
05:18 < krzie> WHOA
05:18 < raimon>               o performance and limitations
05:19 < raimon>         * Few tales about OpenVPN :
05:19 < raimon>               o "Escaping the proxy jail" or 'how to establish a VPN through a web proxy'
05:19 < raimon>               o "The OpenVPN server, the CAS WebSSO and the firewall (...and plenty of Windows users)", a tale of a business wonderland
05:19 < raimon>     
05:19 < raimon> (sorry for the flood)
05:19 < krzie> wtf
05:19 < raimon> Wtf, the rmll ?
05:19 < krzie> the flood!
05:20 < raimon> sorry
05:21 < raimon> although, not a lot of choice to post it...
05:21 < dazo> raimon: To call OpenVPN might be a bit overstatement ... all it does is to take some network traffic, encrypt it and toss it to another box
05:21 < krzie> when you joined chanserv said pastebin  for any paste
05:22 < raimon> krzie, sorry, first time here...
05:23 < raimon> dazo: sure, yet, it's interresting to know what it is, what it is not, how it works and how you can use it...
05:24 < dazo> raimon: true ... I just say calling OpenVPN smart ... is an overstatement ;-)
05:24 < krzie> you had missed the word smart
05:24 < krzie> but i thought thats what you meant
05:25 < raimon> ok, got it ;-)
05:25 < krzie> although one could argue that the non-smartness of it makes it smart!
05:25 < krzie> whereas ipsec tried to be all smart making their own protocol etc
05:25 < dazo> heh ... depends on the definition of smart ;-)
05:26 < raimon> isn't the last S of KISS /Stupid/...?
05:26 < raimon> ;;-)
05:27 < dazo> yupp!  And OpenVPN is actually pretty stupid, it don't try to do anything clever ... except encrypt the traffic being passed between two sites/users
05:28 < dazo> but you can make openvpn more smart by using the --plugin API ... or use the script hooks available, to do extra checks 
05:28 < raimon> And so it's simple... Do you realy think I should entitle my conf "OpenVPN, Stupid, Simple Secure..." ? Wouldn't make it...:-\
05:28 < dazo> for example - you can run brute-force attacks against an openvpn server using all kind of SSL certificates until you find one which works
05:29 < dazo> while with a plugin ... it can identify the client IP, and reject the connection based on the IP in such cases
05:29 < dazo> I think it would make it :-P
05:30 < dazo> "OpenVPN - Stupidly simple but Secure"
05:30 < raimon> Right, I should enphasise it's /plugability/...
05:31 < raimon> Great title... why not...
05:31 < dazo> :)
05:31 < dazo> and it fits with your "  o a 4 lines config file, and it works !"
05:31 < krzie> Security in simple stupidness
05:31 < krzie> lol
05:32 < dazo> :)
05:32 < raimon> Oups, gotta go now... I'll be back in 2h... maybe we'll catch later...?
05:32 < dazo> probably :)
05:32 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:15 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Read error: Operation timed out]
06:17 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
06:53 -!- Netsplit *.net <-> *.split quits: g4tsu
06:58 -!- Netsplit over, joins: g4tsu
07:19 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
07:21 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:21 < hyper_ch> lol:  http://feeds.arstechnica.com/~r/arstechnica/index/~3/mnbGiPi20Hk/how-removing-ps3-linux-hurts-the-air-force.ars
07:21 < vpnHelper> Title: Air Force suffers collateral damage from PS3 firmware update (at feeds.arstechnica.com)
07:26 < macsppadic> hahahah god thats gotta hurt 
07:27 < hyper_ch> yeah right, 1700 PS3 for "float point calculations"...
07:27 < hyper_ch> I'd rather say there are 1700 people who want to game at work
07:27 < macsppadic> all that powerful ps3 cell chips just sitting there hyper_ch 
07:28 < macsppadic> :-0
07:28 < macsppadic> :-D
07:28 < hyper_ch> I read a little while ago that some reasearcher at a university ordered 32 PS3 to calculate black hole collissions
07:28 < hyper_ch> it was cheaper doing that on paralleled PS3s than getting a supercomputer
07:30 < hyper_ch> sorry, was only 16 PS3s
07:30 < hyper_ch> http://www.reghardware.co.uk/2008/02/28/ps3s_put_to_use_simulating_blackholes/
07:30 < vpnHelper> Title: Boffin stacks 16 PS3s to simulate black hole collisions • reghardware (at www.reghardware.co.uk)
07:32 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
07:46 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
07:47 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has quit [Ping timeout: 245 seconds]
07:47 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
07:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:51 -!- astrophy [~astrophy@67.159.28.162] has quit [Quit: Bye]
07:57 -!- amialive [~marcdebru@cc1341944-a.groni1.gr.home.nl] has joined ##openvpn
07:58 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
07:58 < amialive> lo, with topology "subnet", whould it be possible to give the server NOT the .1 IP address? 
07:59 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:03 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
08:06 < amialive> One of the clients needs to be .1...
08:07 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:11 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
08:13 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:14 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 240 seconds]
08:18 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
08:18 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:20 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
08:21 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:21 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Remote host closed the connection]
08:22 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
08:25 -!- rob0 [~rob0@tuxaloosa.org] has left ##openvpn ["afk a few days"]
08:26 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
08:27 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:32 < raimon> dazo: Back.... Do you think the admin /interface/ is worth notifying ?
08:33 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
08:34 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:43 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 248 seconds]
08:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
08:45 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:48 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
09:04 -!- Bloodsong [~Nimbus@70.50.177.230] has joined ##openvpn
09:16 -!- DrPepper [~DrPepper@88.207.188.176] has quit [Ping timeout: 248 seconds]
09:36 -!- p3rror [~Ali@adsl196-10-86-206-196.adsl196-3.iam.net.ma] has quit [Ping timeout: 252 seconds]
09:48 -!- theDoc [~jaki@69.10.59.166] has joined ##openvpn
09:48 -!- theDoc [~jaki@69.10.59.166] has quit [Changing host]
09:48 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
09:50 < dazo> raimon: no, not really ... the admin interface is just to control the connection ... it's nothing particular about it ... but if it is for technical people, then yeah maybe more interesting
09:50 < raimon> dazo: ok, will make a line about it...
09:51 < raimon> btw, I removed /smart/ from the title... : OpenVPN - Simple, Secure and Flexible VPN solution for home and business
09:52 -!- p3rror [~Ali@adsl196-53-66-206-196.adsl196-3.iam.net.ma] has joined ##openvpn
09:52 < raimon> Stupid/ is a quite strong word in french... might be missunderstood
09:53 < theDoc> Hello all!
09:54 < dazo> raimon: yeah, using stupid needs to be done in a setting where it would be understood correctly and with humour
09:55 < raimon> dazo: I'll definitly talk about it's /stupidity/ during the presentation... "just like in KISS".
09:57 < raimon> Although, I don't think it'll seems simple and stupid to everyone when presenting the encapsulation and the multiplexer...;-)
10:16 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Quit: Lost terminal]
10:18 -!- lifeforms_ [~walter@tau.lfms.nl] has quit [Quit: leaving]
10:22 -!- SkyTIME [~SkyB0x@212.235.177.25] has joined ##openvpn
10:25 < jnss> openvpn server side setup must be simplified
10:25 < jnss> i just gave up 
10:26 < jnss> it is exceedingly difficult
10:26 < jnss> and sadly it is also the only ssl software vpn i know of
10:35 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:36 < Bushmills> !confgen
10:36 < vpnHelper> Bushmills: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
10:36 < Bushmills> but that one still ask questions which may be exceedingly difficult to answer,
10:52 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
10:58 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 258 seconds]
11:12 < jnss> i've known about openvpn for a long time. this is the first i hear of confgen
11:29 -!- DarthGandalf is now known as DarthGandalf|BNC
11:30 -!- DarthGandalf|BNC is now known as DarthGandalf
11:31 -!- DarthGandalf is now known as DarthGandalf|BNC
11:32 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:34 -!- raimon [~romain@86.66.22.240] has quit [Quit: leaving...]
11:35 -!- DarthGandalf|BNC is now known as DarthGandalf
11:36 -!- DarthGandalf is now known as DarthGandalf|BNC
11:42 -!- DarthGandalf|BNC is now known as DarthGandalf
11:43 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Ping timeout: 276 seconds]
11:46 -!- Hypnoz [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:54 < dazo> jnss: that's not so strange ... confgen was written quite recently (last month or so) by krzie ;-)
12:00 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
12:11 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Read error: Operation timed out]
12:13 < jnss> oh i see now, that's pretty nice
12:13 < jnss> hopefully this will solve peoples server problems ;)
12:13 -!- ribasushi [~rabbit@ip-109-91-187-9.unitymediagroup.de] has quit [Remote host closed the connection]
12:14 < Bushmills> actually, it is my understanding that confgen isn't meant to solve problems, but to direct people asking configuration questions whose answers could be easily taken from the manpage to spam the channel :)
12:15 < Bushmills> to keep from spamming the channel ...
12:16 < Bushmills> so when you found server config "exceedingly difficult", you kind of qualified :D
12:18 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has joined ##openvpn
12:18 < fluxdude> my openvpn reprompts me to put in my username/password every now and again, roughly once an hour I'd say
12:18 < fluxdude> is there any way to switch this off?
12:18 < hyper_ch> fluxdude: used a keyfile
12:18 < hyper_ch> -d
12:19 < fluxdude> keyfile?
12:19 < fluxdude> you mean certificates?
12:19 < fluxdude> I am using certificates
12:19 < fluxdude> as well as username/pw on top
12:19 < hyper_ch> bad luck then
12:19 < hyper_ch> I think
12:19 < hyper_ch> no clue
12:20 < fluxdude> must be some renegotiation or something... not sure why
12:20 < fluxdude> timeout based I believe, rather than inactivity based
12:20 < dazo> fluxdude: or make sure you have compiled with --enable-password-save (iirc) ... and that you don't use --auth-nocache in your config
12:21 < fluxdude> ah, but I have openvpn-gui clients on windows as well
12:21 < dazo> default is to renegotiate the tunnel every hour (--reneg-sec 3600 is default when not specified in the config)
12:21 < hyper_ch> you can compile openvpn clients also on windows I tend to think
12:22 < dazo> I believe the official windows openvpn binary is with --enable-password-save as default
12:22 < dazo> official == downloadable from openvpn.net
12:24 -!- dazo is now known as dazo_afk
12:31 < fluxdude> ah, that's exactly the one I think!
12:31 < fluxdude> thanks
12:31 < fluxdude> will try reneg sec on both sides
12:32 < amialive> Lo, does someone know, with topology "subnet", if the server can be configured to NOT use the .1 address?
12:38 < fluxdude> amialive: why would you want to do that?
12:38 < fluxdude> it's an unused IP in a dedicated subnet
12:39 < fluxdude> .1 is a good choice for a gateway I would have thought
12:39 < amialive> fluxdude: one of the clients needs to get .1
12:39 < fluxdude> why?
12:39 < amialive> For ICS. ICS only works on 192.168.0.1. I know, not my fault tho. ;-)
12:41 < fluxdude> geez
12:41 < fluxdude> ok no idea, sounds horrid
12:41 < fluxdude> just set up a linux gateway box
12:42 < fluxdude> straight forward routing, non of this mickeysoft stuff
12:42 < amialive> Can't do it, it's my work PC... :-) I'll figure it out somehow, possibly patch the source myself, no problem, tnx m8!
12:43 < fluxdude> can't you just get some old box and install linux on it?
12:43 < fluxdude> would be the better solution I would have thought
12:47 -!- frank [~frank@188.113.120.158] has joined ##openvpn
12:47 < frank> !welcome
12:47 < vpnHelper> frank: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:48 < frank> !goal log in to vpn without keys 
12:48 < vpnHelper> frank: Error: "goal" is not a valid command.
12:48 < frank> !goal
12:48 < vpnHelper> frank: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:49 < ecrist> bitches
12:53 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 276 seconds]
12:57 < frank> auth-user-pass-verify looks like what i need
12:58 -!- frank [~frank@188.113.120.158] has quit [Quit: leaving]
13:05 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
13:05 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
13:05 < rawDawg> !win7
13:05 < vpnHelper> rawDawg: "win7" is http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7
13:06 < rawDawg> does 2.1.1 work with Windows 7
13:06 < rawDawg> i've been having problems with connectivity ever since I installed it
13:10 < amialive> if you just want to connect 1 client with a server, and both client and server are under your full control, does it matter which one becomes the client and which one becomes the server, if both the client and server are gateways to networks behind them?
13:11 -!- KaiForce [~chatzilla@adsl-70-228-114-90.dsl.akrnoh.ameritech.net] has joined ##openvpn
13:13 < ecrist> rawDawg: yes, it should work fine.
13:13 < rawDawg> cool thanks
13:14 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has quit [Ping timeout: 258 seconds]
13:16 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has joined ##openvpn
13:24 -!- amialive [~marcdebru@cc1341944-a.groni1.gr.home.nl] has quit [Quit: amialive]
13:37 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:38 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 248 seconds]
13:41 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has quit [Ping timeout: 258 seconds]
14:13 -!- bandini [~bandini@host202-107-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn
14:30 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:33 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 246 seconds]
14:42 -!- SkyTIME [~SkyB0x@212.235.177.25] has quit []
14:45 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
14:49 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 240 seconds]
14:50 -!- takamichi [~pri@94.75.217.248] has quit []
14:57 -!- takamichi [~pri@78.133.92.164] has joined ##openvpn
15:06 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
15:11 -!- KaiForce [~chatzilla@adsl-70-228-114-90.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
15:12 -!- Bloodsong [~Nimbus@70.50.177.230] has quit [Quit: Leaving]
15:20 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has joined ##openvpn
15:22 -!- bandini [~bandini@host202-107-dynamic.44-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
15:25 -!- fvultee [~chatzilla@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
15:25 < fvultee> anyone know of a good doc to set up a private vpn using open vpn?
15:26 < fvultee> want to connect my laptop to my home computer to surf thru openvpn
15:27 < fvultee> !welcome
15:27 < vpnHelper> fvultee: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:27 < fvultee> !redirect
15:27 < vpnHelper> fvultee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
15:27 < fvultee> !ipforward
15:27 < vpnHelper> fvultee: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
15:28 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
15:28 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
15:29 < ecrist> fvultee: !howto
15:30 < fvultee> !howto
15:30 < vpnHelper> fvultee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:35 -!- fvultee [~chatzilla@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
15:36 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 265 seconds]
15:36 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
15:41 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
15:47 -!- coil-desktoppcwi is now known as scort
15:48 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 265 seconds]
15:48 -!- hyper__ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
15:48 -!- hyper__ch is now known as hyper_ch
15:52 -!- takamichi [~pri@78.133.92.164] has quit []
15:57 -!- takamichi [~pri@94.75.217.248] has joined ##openvpn
16:08 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Quit: Leaving]
16:10 -!- dxtr [dxtr@unaffiliated/dxtr] has quit [Read error: Operation timed out]
16:12 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
16:19 -!- fvultee [~chatzilla@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
16:19 -!- fvultee is now known as Alphanaut
16:20 < Alphanaut> well those howtos were helpful.  client and server talking to eachother.  So now I want to be able to surf the net and check email through the tunnel between my laptop and my home computer, is that "ipforwarding"?
16:22 < Alphanaut> oh hrm, may have found it
16:23 < krzee> !redirect
16:23 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
16:24 < Alphanaut> push "redirect-gateway def1"
16:24 < Alphanaut> heh, thounk i found it
16:24 < Alphanaut> and i can speel real gud
16:24 < krzee> you also need NAT
16:24 < Alphanaut> rgr
16:24 < Alphanaut> got it, thank you
16:25 < krzee> yw
16:28 < Alphanaut> hmm, so i cant specify natting in the openvpn config, but have to do it in windows itself?
16:29 < krzee> !winnat
16:29 < vpnHelper> krzee: "winnat" is http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows
16:29 < krzee> openvpn doesnt do ipforwarding or nat, thats your OS
16:29 < krzee> note, i dont think XP or other client windows does NAT
16:29 < krzee> but i could be wrong, i dont use windows
16:30 < Bushmills> they do
16:30 < Bushmills> calling it "connection sharing" i think
16:30 < Alphanaut> oh yah, i have all that disabled, hmm
16:32 < Alphanaut> hahha i bridged the tap adapter and my lan nic on the server and lost my uvnc connection, how nice
16:32 < Alphanaut> should be fun trying to get that back without a keyboard, mouse, or monitor
16:33 < krzee> Bushmills, true, but also ICS restricts the NAT to 192.168.0.x
16:33 < krzee> windows weirdness
16:33 < Alphanaut> hmm crud
16:33 < Bushmills> ouch. that must suck
16:33 < krzee> why bridge anyways
16:34 < Bushmills> ehm ... no. i am pretty sure that i had a 192.168.1.x net natted through a windows box once
16:34 < krzee> !tunortap
16:34 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
16:34 < vpnHelper> krzee: against you over the vpn
16:34 < Bushmills> situation was, only dial in internet, and only analog modem was a laptop with internal winmodem
16:35 < Bushmills> and my local ip addresses were 192.168.1.x based
16:35 < Alphanaut> i only want to route internet traffic from my laptop to my home computer thru the tunnel, i dont care about windows shares
16:36 < Alphanaut> if i change the config files do i need to quit out of openvpn and restart it, or is it read when i "connect"
16:36 < krzee> However, while ICS makes use of DHCP, there is no way to review DHCP leases using ICS. The service is also not customizable in terms of which addresses are used for the internal subnet, and contains no provisions for bandwidth limiting or other features common to more advanced systems, that can be also combined with Wi-Fi and dial-up mobile modems.
16:36 < krzee> The server will normally have the IP address 192.168.0.1 (the IP Address is changeable) and will provide NAT services to the whole 192.168.0.x subnet, even if the address on the client was set manually, not by the DHCP server.
16:36 < Bushmills> had to do weeks with that setup until i got me an analog external modem from ebay, for the time until i got DSL there.
16:36 < krzee> Alphanaut, stop and start it
16:36 < Alphanaut> rgr
16:45 < Alphanaut> stupid windows
16:49 -!- DarthGandalf is now known as DarthGandalf|BNC
17:01 -!- Alphanaut [~chatzilla@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Ping timeout: 245 seconds]
17:14 -!- Alphanaut [~chatzilla@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
17:15 < Alphanaut> anyone here vpn internet traffic between two windows machines? (flame on)
17:30 -!- EugeneKay is now known as Tommy
17:31 -!- Alphanaut [~chatzilla@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Ping timeout: 240 seconds]
17:33 -!- Tommy is now known as EugeneKay
17:35 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has quit [Ping timeout: 258 seconds]
17:40 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
17:51 -!- Alphanaut [~chatzilla@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
17:52 < Alphanaut> there's got to be a way to route internet traffic between a windows client and server, anyone get that working?
17:53 < Bushmills> !redirect
17:53 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:55 < Alphanaut> !def1
17:55 < vpnHelper> Alphanaut: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
17:55 < Alphanaut> !ipforward
17:55 < vpnHelper> Alphanaut: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
17:56 < Alphanaut> !winipforward
17:56 < vpnHelper> Alphanaut: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
17:56 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has quit [Quit: brb]
17:56 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has joined ##openvpn
17:56 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has quit [Client Quit]
17:56 < Alphanaut> !nat
17:56 < vpnHelper> Alphanaut: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
17:57 < Alphanaut> !winnat
17:57 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
17:57 < vpnHelper> Alphanaut: "winnat" is http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows
17:57 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has joined ##openvpn
18:01 -!- Alphanaut [~chatzilla@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Ping timeout: 240 seconds]
18:09 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:22 -!- Alphanaut [~chatzilla@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
18:24 < Alphanaut> !ipforwarding
18:24 < vpnHelper> Alphanaut: Error: "ipforwarding" is not a valid command.
18:24 < Alphanaut> !ipforward
18:24 < vpnHelper> Alphanaut: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
18:24 < Alphanaut> !winipforward
18:24 < vpnHelper> Alphanaut: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
18:24 < Alphanaut> !winnat
18:24 < vpnHelper> Alphanaut: "winnat" is http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows
18:24 -!- FirstSgt [~cheney@host2.complimentsinternational.com] has joined ##openvpn
18:24 < Alphanaut> bleh
18:24 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 268 seconds]
18:26 < FirstSgt> I am attempting to test openvpn locally.  Client A (192.168.1.8) is attempting to connect to Server B (192.168.1.69) --client log: http://www.pastie.org/private/ahk5e7suektk21w4j7ysta
18:29 < FirstSgt> okay, cancel that .... I didn't have permission to /dev/net/tun ... so I ran with sudo and got further.
18:29 < FirstSgt> now I have Wed May 12 16:27:53 2010 read TCPv4_CLIENT []: No route to host (code=113)
18:30 -!- Alphanaut [~chatzilla@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Ping timeout: 260 seconds]
18:30 < FirstSgt> is this because I am vpn'ing from the same subnet?
18:36 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
18:37 < Bushmills> FirstSgt: your VPN addresses seem to be in the same subnet as the addresses on your physical NICs
18:37 < Bushmills> use a different subnet for your VPN
18:37 < FirstSgt> yes.  the reason for that was I wanted clients vpn'd to be able to access network resources on that subnet
18:38 < Bushmills> why wouldn't you able to do so when VPN is a different subnet?
18:38 < FirstSgt> I have setup open vpn before correctly with a different subnet, but was unable to access the 192.168.1.xxx range
18:39 < Bushmills> your attempted fix for that (by using VPN addresses in the same subnet) is flawed
18:39 < FirstSgt> e.g. Jennifer-PC has a samba share on 192.168.1.25, but I can only access samba shares on the *nix box I am using to vpn with.
18:39 < FirstSgt> Bushmills: I appologize :(
18:39 < FirstSgt> I will try to fix
18:39 < FirstSgt> I also have a question about tunneling.
18:39 < Bushmills> problem with VPN and physical address in same subnet is:  what interface will traffic be routed to?
18:40 < FirstSgt> I have made a bridged adapter in my /etc/networking/interfaces
18:40 < Bushmills> one of those routes will be put behind the other, receiving no traffic
18:40 < Bushmills> any reason for needing bridged setup?
18:40 < FirstSgt> I guess I can figure out code=113 later.  my question now is: My vpn server is behind a firewall that I cannot do port forwarding on.  I have used ssh before to do ssh -R 111:localhost:22 (connecting to the web server out on the internet), then from home, sshing to the same server, then typing ssh localhost -p 111 (And I get the application-level port forwarding).....
18:41 < FirstSgt> Bushmills:  I was told by someone in #linux I had to do it like that if I was going to use openvpn
18:41 < Bushmills> !tunortap
18:41 < vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
18:41 < vpnHelper> Bushmills: against you over the vpn
18:42 < Bushmills> (tun is routed, tap is bridged setup)
18:42 < FirstSgt> should I pastie my server.conf file? (would that help?)
18:42 < Bushmills> no. fix it first
18:43 < krzee> try my confgen!
18:43 < krzee> !confgen
18:43 < vpnHelper> krzee: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
18:43 < krzee> and the thing about having a server which you cant port forward to...
18:44 < krzee> setup a server somewhere else and use that as a client
18:44 < FirstSgt> my server.conf file: http://www.pastie.org/private/hwzwbkmfs5iilrudpcbbfw
18:44 -!- Alphanaut [~chatzilla@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
18:44 < FirstSgt> I am not sure where I need to change.
18:45 < Alphanaut> !winipforwarding
18:45 < vpnHelper> Alphanaut: Error: "winipforwarding" is not a valid command.
18:45 < Alphanaut> !winnat
18:45 < vpnHelper> Alphanaut: "winnat" is http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows
18:45 < FirstSgt> I am using tap/tcp/server-bridge, pushing a route
18:45 < Alphanaut> !winipforward
18:45 < krzee> !winipforward
18:45 < vpnHelper> Alphanaut: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
18:45 < vpnHelper> krzee: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
18:45 < Alphanaut> got it
18:45 < Bushmills> !tcp
18:45 < vpnHelper> Bushmills: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
18:46 < Alphanaut> not that it's helping me :)
18:46 < Bushmills> FirstSgt: ^^^^
18:46 < FirstSgt> okay
18:46 < krzee> FirstSgt, unless you have a layer2 protocol you need over the vpn, you want tun... unless you cant connect using udp, you want udp
18:46 < krzee> FirstSgt, try my config generator
18:46 < krzee> !confgen
18:46 < vpnHelper> krzee: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
18:47 < FirstSgt> I have windows clients and linux clients connecting, does that matter?
18:47 < Bushmills> yes. your conscience will devour you
18:47 < FirstSgt> lol
18:48 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:48 < krzee> FirstSgt, it is ok with both
18:48 < krzee> just go try it
18:48 < krzee> also, move your server to somewhere that clients can connect to
18:49 < krzee> you said its in a lan where you cant get a port forwarded, use another location as the server
18:51 -!- astrophy [~astrophy@95.211.0.238] has joined ##openvpn
18:51 < FirstSgt> krzee, Bushmills: I have updated my pastie with my current configuration: http://www.pastie.org/private/hwzwbkmfs5iilrudpcbbfw
18:52 < FirstSgt> I have included my network bridging from /etc/network/interfaces
18:53 < Bushmills> and what do you want to know? how to change "tap" to "tun", or "tcp" to "udp"?
18:54 < FirstSgt> Bushmills: if I do that, will I be able to tunnel connections from Server B (Web Server on the internet with open firewall access) to Server A (VPN server behind an firewall i cannot modify)
18:54 < Alphanaut> billions of people in the world and google cant find a single comprehensive doc on sending all traffic from one windows machine to another and out to the net with openvpn
18:54 < Bushmills> those settings won't affect your ability to do so
18:54 < Bushmills> !redirect
18:54 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:54 < Bushmills> Alphanaut: ^^^^
18:55 < Bushmills> Alphanaut: that's a matter of routing. not of openvpn
18:55 < Alphanaut> all those docs are either windows to a win server or windows to linux but no windows to a nonserver flavor of windows
18:55 < Alphanaut> rgr
18:55 < Alphanaut> i get that
18:55 < Alphanaut> but still a doc would be nice :)
18:55 < Bushmills> write one
18:55 < FirstSgt> I get: --server-bridge directive only makes since with --dev tap
18:55 < Alphanaut> !redirect
18:55 < vpnHelper> Alphanaut: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:56 < Alphanaut> !winnat
18:56 < vpnHelper> Alphanaut: "winnat" is http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows
18:56 < Bushmills> though "windowsnetworking" doesn't sound overly linux specific to me
18:58 < Alphanaut> it's not
18:58 < Alphanaut> but it's only for win 2003
18:58 < Alphanaut> you be correct
18:58 < Bushmills> you mean that changes with every incarnation of windows?
18:59 < Bushmills> i had thought routing remains routing
18:59 < FirstSgt> ok, so i commented out my --server-bridge and tried to start openvpn, said " you need --mode server "
18:59 < FirstSgt> so I added --mode server
18:59 < FirstSgt> then it yelled at me again, and said I must define DEV/TAP interface
19:00 < FirstSgt> So I put --dev br0 ... and it told me unrecgonized option
19:01 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
19:01 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
19:01 < Alphanaut> well the way you get to rras and whether or not it even exists changes with each flavor of winblows
19:01 < Bushmills> i have no experience with bridged setups and can't help with those
19:02 < Alphanaut> nice when they change everything regardless of whether it was necessary
19:02 < Bushmills> can't you use the command line tools then?
19:04 < Bushmills> but i understand that they must change things. otherwise they couldn't sell them as all new
19:04 -!- Alphanaut_ [~chatzilla@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
19:05 < FirstSgt> wow, that was tough... tried like 30 opts to get to start
19:06 -!- Alphanaut [~chatzilla@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Ping timeout: 260 seconds]
19:06 -!- Alphanaut_ is now known as Alphanaut
19:06 < Bushmills> wow, that's more than my whole config has
19:07 < FirstSgt> i had to try different combos... try permutations :)
19:07 < FirstSgt> okay
19:07 < FirstSgt> it looks like my client connected
19:07 < FirstSgt> but I do not see another adapter in ifconfig (client)
19:08 < FirstSgt> does this look right (client): http://www.pastie.org/private/bvoczvjqnw257yobz4etw
19:08 < Bushmills> neither do I
19:09 < FirstSgt> I can't tell if this is working guys.
19:10 < Bushmills> who is 192.168.1.254?
19:12 < FirstSgt> gateway
19:12 < FirstSgt> its the gateway for the office
19:13 < Bushmills> you tell your vpn clients to use your office gateway as gateway when they connect to openvpn?
19:13 < Bushmills> i somehow fail to understand the logic behind this
19:14 < FirstSgt> all yes
19:14 < FirstSgt> the vpn server is 192.168.1.69
19:14 < Bushmills> in addition, it seems that your clients don't know how to reach that gateway
19:14 < FirstSgt> our gateway (cisco router) is 192.168.1.254
19:15 < FirstSgt> what conf file do I use to tell the vpn clients the route for the .254 ?
19:15 < FirstSgt> don't I have to "push" that route to them?
19:15 < Bushmills> and what is the address range of your vpn?
19:16 < FirstSgt> well the vpn address pool should be 192.168.1.200-250
19:16 < FirstSgt> the computers at the office are 192.168.1.1-199
19:17 < FirstSgt> our cisco dhcp assigns 192.168.1.1-199 for local office computers
19:17 < Bushmills> what have you done about the advice to put vpn address into a different subnet?
19:17 -!- astrophy [~astrophy@95.211.0.238] has quit [Quit: Bye]
19:17 < FirstSgt> ummm :)
19:17 < FirstSgt> is that a push ?
19:17  * Bushmills goes talking to a tree
19:18 < Bushmills> those are known to be more receptive
19:18 < FirstSgt> awe, common man, im tryin
19:18 < Bushmills> !howto
19:18 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
19:19 < FirstSgt> okay
19:19 < FirstSgt> i tried that one, i will try again
19:19 < FirstSgt> thanks tho
19:19 < Bushmills> i shouldn't call that "advice", but "requirement"
19:20 < Bushmills> and read a bit about routing
19:20 < Bushmills> especially what its purpose is
19:20 < FirstSgt> okay... I will read all about routing tables tonight
19:20 < FirstSgt> what is the point in ethernet bridging?
19:20 < Bushmills> maybe bot has a factoid
19:21 < FirstSgt> I was told I needed to use it in the #linux chan
19:21 < Bushmills> !factoids search routing
19:21 < vpnHelper> Bushmills: No keys matched that query.
19:21 < Bushmills> !tunortap
19:21 < vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
19:21 < vpnHelper> Bushmills: against you over the vpn
19:21 < Bushmills> tap is bridging
19:22 < Bushmills> that is "what's the point" in  a nutshell
19:22 < FirstSgt> so I should have left on tap?
19:23 < Bushmills> that concllusion is not clear to me
19:23 < FirstSgt> okay, can windows clients use tun?
19:23 < Bushmills> "you ONLY want tap if you need to pass layer2 traffic over the vpn.  If you are using IP traffic you want tun"
19:24 < Bushmills> read tun as routed config. tap as bridged config
19:25 < FirstSgt> okay, i need to start with a fresh example conf file, and figure out how to un-bridge my /etc/networking/interfaces
19:25 < Bushmills> i think krzee dropped out because his suggestion to use 
19:25 < Bushmills> !confgen
19:25 < vpnHelper> Bushmills: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
19:25 < Bushmills> was thoroughly ignored
19:26 -!- Hypnoz [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Ping timeout: 246 seconds]
19:26 -!- kinlo [peter@panda.pfoe.be] has quit [Quit: maintenance]
19:26 < Bushmills> though - you need a machine which can run bash
19:26 < Bushmills> there is no powershell version
19:27 < Bushmills> sourceforge offers free shells
19:42 < Alphanaut> !winnat
19:42 < vpnHelper> Alphanaut: "winnat" is http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows
19:42 < Alphanaut> !winipforward
19:42 < vpnHelper> Alphanaut: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
19:45 -!- Alphanaut [~chatzilla@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
19:56 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:03 < krzee> Bushmills, what uses powershell?
20:14 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:47 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has joined ##openvpn
21:00 -!- smerz [~daniel@smerz.demon.nl] has quit [Read error: Connection reset by peer]
21:10 < Bushmills> krzee: hm.. windows?
21:10 -!- p3rror [~Ali@adsl196-53-66-206-196.adsl196-3.iam.net.ma] has quit [Ping timeout: 258 seconds]
21:17 -!- buntfalke_ is now known as buntfalke
21:25 < krzee> oh didnt know they called it that
21:25 < krzee> they should call it no-power shell
21:27 -!- p3rror [~Ali@adsl196-3-72-206-196.adsl196-3.iam.net.ma] has joined ##openvpn
21:41 -!- Hypnoz [~X@adsl-99-186-43-118.dsl.pltn13.sbcglobal.net] has joined ##openvpn
22:09 -!- Hypnoz [~X@adsl-99-186-43-118.dsl.pltn13.sbcglobal.net] has quit [Ping timeout: 258 seconds]
22:27 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has quit [Ping timeout: 276 seconds]
22:53 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has joined ##openvpn
23:00 -!- FirstSgt [~cheney@host2.complimentsinternational.com] has quit [Ping timeout: 260 seconds]
23:45 -!- n0mad [~n0mad@212.117.165.197] has joined ##openvpn
23:46 < n0mad> Hi everyone
23:46 < n0mad> I was just wondering how I can makesure no traffic goes outside of the VPN and also be able to do port forwarding. I'm on Ubuntu Linux Lucid
23:49 < n0mad> are logs and configs actually needed for that? I'm just going through port 1149.
23:50 < theDoc> Hm, I just realized that the RSA-private key is generated by the server for AS and it's obtainable by a 3rd party.
23:54 < n0mad> theDoc, do they need my config?
23:55 < n0mad> this is a generic question
--- Day changed Thu May 13 2010
00:00 < krzie> n0mad, 
00:00 < krzie> !redirect
00:00 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
00:00 < krzie> the port forwarding and NAT is outside of openvpn, thats iptables stuff
00:00 < krzie> !linnat
00:00 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
00:00 < krzie> !liniporward
00:00 < vpnHelper> krzie: Error: "liniporward" is not a valid command.
00:01 < krzie> !linipforward
00:01 < vpnHelper> krzie: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
00:01 < krzie> !def1
00:01 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
00:08 < n0mad> sorry, I meant "no traffic goes outside the vpn even when it loses it's connection" from what I gather that's another iptables thing, right?
00:26 < krzie> remove the def1 flag from redirect-gateway
00:27 < krzie> this will overwrite the default route to the internet with that of the vpn
00:27 < krzie> when you cant communicate over the vpn, no internet
00:27 < krzie> you only use def1 to avoid this
00:43 < n0mad>  so if openvpn totally shuts down then it still wont connect to the internet?
00:44 < krzie> until you add a default route to the internet
00:44 < n0mad> I dont know what you mean
00:45 < n0mad> !defualt route
00:45 < vpnHelper> n0mad: Error: "defualt" is not a valid command.
00:45 < krzie> ok
00:45 < krzie> well yes
00:45 < krzie> with --redirect-gateway  but without def1 the client will lose its route to the internet until you add it
00:46 < n0mad> how do you "add it" ?
00:46 < krzie> with def1 flag given to it, the client will not lose its route to the internet
00:46 < krzie> your OS's route command
00:47 < n0mad> is def1 in the config file or the openvpn file itself?
00:47 < n0mad> .ovpn
00:47 < n0mad> !man
00:47 < vpnHelper> n0mad: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
00:49 < n0mad>  ok now i see
00:50 < n0mad> i found it in the .ovpn file
00:56 < krzie> keep it to allow internet activity after killing openvpn
00:56 < krzie> remove it to dis-allow
00:57 < n0mad> will i still be able to connect to the vpn with def1 gone?
00:57 < n0mad> i mean once it disconnects
01:09 -!- takamichi [~pri@94.75.217.248] has quit [Ping timeout: 258 seconds]
01:10 < krzie> of course
01:10 < krzie> but only the vpn
01:10 -!- takamichi [~pri@94.75.217.248] has joined ##openvpn
01:19 -!- amialive [~marcdebru@cc1341944-a.groni1.gr.home.nl] has joined ##openvpn
01:28 < hyper_ch> krzie: http://www.youtube.com/watch?v=yGk2TojOd-4
01:28 < vpnHelper> Title: YouTube - Four Lions Trailer (at www.youtube.com)
01:34 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
01:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
01:42 < krzie> heh
01:42 < hyper_ch> krzie: must have :)
02:49 -!- n0mad [~n0mad@212.117.165.197] has quit [Quit: Leaving]
02:49 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
02:56 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
03:03 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:03 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
03:08 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has joined ##openvpn
03:09 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has joined ##openvpn
03:22 -!- amialive [~marcdebru@cc1341944-a.groni1.gr.home.nl] has quit [Quit: amialive]
03:26 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
03:37 -!- DarthGandalf|BNC is now known as DarthGandalf
03:37 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:38 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
04:02 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has joined ##openvpn
04:20 -!- donavan [~donavan@unaffiliated/donavan] has joined ##openvpn
04:36 < Bushmills> "will i still be able to connect to the vpn with def1 gone? i mean once it disconnects"  not necessarily
04:36 < Bushmills> you may have to add a route manually first
04:37 < Bushmills> depends on the route to your von server
04:38 < Bushmills> and once client is disconnected from vpn server, you can't connect to vpn - until client reconnects
04:39 < Bushmills> ugh - time warp ...
04:46 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
04:49 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
04:52 < krzie> Bushmills, when it overrides default route it adds a route to server using old default route
04:52 < krzie> it has to in order to not create a routing loo
04:52 < krzie> loop
04:53 < Bushmills> but that host route will be removed on disconnect
04:53 < krzie> you sure?
04:53 < Bushmills> along with the new default route
04:53 < krzie> new default route has to go if tun is destroyed
04:54 < krzie> if ran as root it CAN delete that new host route
04:54 < krzie> not sure if it does
04:54 < krzie> but if he drops perms, it isnt able to
04:54 < Bushmills> hm. possibly there's a difference between disconnect and shutdown
04:55 < krzie> disconnect without shutdown shouldnt remove any routes
04:55 < Bushmills> true - shouldn't be. but - 0.0.0.0/1 and 128.0.0.0/1 are removed too
04:56 < krzie> upon losing connection or on tun close?
04:56 < Bushmills> ah. that's because of interface going down
04:56 < krzie> right
04:56 < Bushmills> that also happens on disconnect
04:56 < krzie> when tun closes all routes using it must go
04:56 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has quit [Quit: Leaving.]
04:56 < krzie> on disconnect like timeout due to keepalive?
04:57 < krzie> on timeout you get timeouts on vnp ips, not no route to host
04:57 < Bushmills> hm. i think we ought to look at the shutdown situation - as only this situation is where def1 - for reinstating former default - is really relevant
04:58 < krzie> tun routes should go away, host route shouldnt
05:00 < Bushmills> just checked debian connect and disconnect scripts, there is no route magic in those.  they only run openvpn init.d script on openvpn interfaces. 
05:01 < krzie> why would they do anything with routes?
05:01 < Bushmills> isn't that a bit the wrong way around
05:01 < Bushmills> "why" because that would explain discarded host route with priv dropped openvpn
05:01 < Bushmills> s/would/could/
05:02 < krzie> why are you sure it gets discarded?
05:02 < Bushmills> i won't test it right now - actually, i could, on the wlan router, hang on
05:03 < Bushmills> no host router, because no redirect-gateway on that one
05:03 < Bushmills> route
05:04 < Bushmills> openvpn on router is used more for purpose of server authentication than actually routing traffic  
05:06 < Bushmills> handheld machines remain clients, not relying on router, as they can be used from other locations 
05:07 < Bushmills> oh well, i'll just power up another machine
05:09 < Bushmills> i was wrong - the host route survives openvpn shutdown
05:13 < krzie> werd
05:14 < krzie> do logs show it tried to?
05:14 < Bushmills> "host route survives shutdown" - means, it is still there
05:15 < krzie> right, but i assume you have lowered privs
05:15 < Bushmills> true
05:15 < krzie> it HAS to survive shutdown with lowered privs, im curious if it ever even tried
05:16 < krzie> oh damn
05:16 < krzie> my power just went out
05:17 < Bushmills> yes, it tried
05:17 < krzie> it must have been out all night, my inverter has 4 car batteries for backup
05:17 < krzie> ahh, must have been a hiccup, all better
05:17 < krzie> good thing i have UPS's as well ;]
05:17 < Bushmills> route del -net serverip netmask 255.255.255.255   - external program exited  with error status: 7 
05:17 < krzie> ahh good to know
05:18 < krzie> so theres no way with a windows server
05:18 < Bushmills> SIOCDELRT: Operation not permitted
05:18 < krzie> but with *nix you just gotta lower privs
05:19 < Bushmills> it also tried to remove the two /1 routes
05:19 < Bushmills> failing as well
05:19 < krzie> right, but then tun closed and they vanished
05:19 < Bushmills> right
05:21  * Bushmills wonders whether some unixoid users have route command with SUID bit set :)
05:22 < Bushmills> not that that would be a great idea to do, of course
05:22 < Bushmills> s/unixoid users/kamikaze pilots/
05:24 < krzie> haha
05:24 < krzie> sounds like quite the bad idea
05:25 < |Mike|> ./hack -t the%20planet
05:28 < Bushmills> also, with multiple openvpn clients with --redirect-gateway each, only the first client seems to set the /1 routes - which makes sense
05:35 < krzie> right, when using def1, when not using it the last one should win
05:35 < krzie> because you keep overwriting the default route
05:36 < Bushmills> but that is not the case. once /1 routes are set, they continue to refer to interface of first openvpn instance 
05:37 < Bushmills> clients started later don't change that
05:39 -!- dazo_afk is now known as dazo
05:46 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:14 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
06:14 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
06:18 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
06:20 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
06:24 -!- AldoBR [~AldoBR@1898750115.rec.megazon.com.br] has joined ##openvpn
06:24 < AldoBR> any tutorial on how to use TAP-Win32 driver ? (Programming)
06:24 < AldoBR> !welcome
06:24 < vpnHelper> AldoBR: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:25 < AldoBR> !wiki
06:25 < vpnHelper> AldoBR: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
06:48 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
07:03 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
07:34 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has quit [Read error: Connection reset by peer]
07:34 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has joined ##openvpn
07:43 -!- buntfalke_ is now known as buntfalke
07:59 -!- Alphanaut [~chatzilla@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
08:01 -!- KaiForce [~chatzilla@adsl-70-228-114-90.dsl.akrnoh.ameritech.net] has joined ##openvpn
08:01 -!- Alphanaut [~chatzilla@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Client Quit]
08:02 -!- Alphanaut [~chatzilla@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
08:05 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has quit [Quit: Leaving]
08:49 -!- rcs [~rcs@mail.robacks.se] has joined ##openvpn
08:49 < rcs> !welcome
08:49 < vpnHelper> rcs: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:52 < rcs> I have a router set up with firestarter with forwarding to an internal server with openvpn
08:52 < ecrist> ok
08:52 < rcs> If I connect from within the firewall all is fine, but from outside no luck
08:53 < ecrist> I'm guessing you're still blocking something within your firewall ruleset.
08:53 < rcs> I can see the connection to openvpn but get: "expected remote option hash ver v4"
08:53 < ecrist> !logs
08:53 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
08:54 < rcs> brb
09:01 -!- Alphanaut [~chatzilla@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
09:23 -!- Murdoch5 [~AMurdoch@mail.gabaedevelopment.com] has joined ##openvpn
09:23 < Murdoch5> anyone know how to install openvpn certs in the iphone
09:36 < rcs> Hi again. There seems to be a routing problem for me
09:36 < rcs> Thanks for the help
09:36 -!- p3rror [~Ali@adsl196-3-72-206-196.adsl196-3.iam.net.ma] has quit [Ping timeout: 246 seconds]
09:58 < dazo> !iphone
09:58 < vpnHelper> dazo: "iphone" is (#1) http://www.lqx.net/tuntap-iphone.source.tgz for first attempt at getting openvpn on iphone, or (#2) http://github.com/jfx2006/OpenVPN_iphone/downloads for precompiled iphone binaries
09:58 < dazo> Murdoch5: ^^
09:59 < dazo> Murdoch5: the certs needs to be files on the filesystem ... and referenced in the config file
10:03 -!- flok420 [folkert@keetweej.vanheusden.com] has quit [Excess Flood]
10:03 -!- flok420 [folkert@keetweej.vanheusden.com] has joined ##openvpn
10:07 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Disconnected by services]
10:09 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
10:39 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:43 -!- rcs [~rcs@mail.robacks.se] has quit [Quit: Leaving]
10:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
11:01 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:05 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
11:07 < krzee> as far as how to move certs there, scp or sftp should both work...
11:07 < krzee> seeing as both use sshd
11:08 < krzee> ive never used scp on it, but can speak for sftp working
11:09 < hyper_ch> scp works :)
11:10 < krzee> werd, i thought it should
11:10 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
11:10 < theDoc> o/
11:10 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
11:10 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:14 < krzee>  /o\
11:19 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
11:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
11:48 < theDoc> Need sleep, I'm absolutely smashed.
11:48 < theDoc> ta.
11:52 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
12:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
12:07 <@raidz> I'm trying to get in touch with theDoc, if anyone has his e-mail addy please pm me.
12:11 -!- Hypnoz [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
12:19 -!- KaiForce [~chatzilla@adsl-70-228-114-90.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
12:19 < ecrist> raidz: I might, let me look.
12:20 < ecrist> raidz: pm sent.
12:22 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has quit [Ping timeout: 258 seconds]
12:24 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
12:27 -!- dazo is now known as dazo_afk
12:43 -!- dazo_afk is now known as dazo
12:43 < krzee> wb dazo 
12:44 < dazo> krzee:  ??
12:46 -!- amialive [~marcdebru@cc1341944-a.groni1.gr.home.nl] has joined ##openvpn
12:47 < krzee> wb = welcome back
12:47 < krzee> your bnc tells us when you're attached ;]
12:47 < krzee> (or i assume its a bnc)
12:54 -!- AldoBR [~AldoBR@1898750115.rec.megazon.com.br] has quit [Ping timeout: 264 seconds]
12:58 < jnss> how do i run the vpn in server mode
12:58 < jnss> is there a specific switch?
12:58 -!- AldoBR [~AldoBR@1898750115.rec.megazon.com.br] has joined ##openvpn
12:58 < Bushmills> you can run one machine in server mode. but vpn is client/server
12:59 < amialive> jnss: u mean topology subnet?
12:59 < jnss> no
13:00 < jnss> nothing works
13:00 < dazo> krzee:  ahh :)  thx :) 
13:00 < jnss> easyrsa doesnt work
13:00 < jnss> they dont even tell you where the keys are supposed to come from
13:00 < Bushmills> !howto
13:00 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:00 < krzee> jnss, --server runs it in server mode
13:00 < krzee> easy-rsa does work
13:01 < krzee> many many people use it
13:01 < krzee> jnss, dont you use freebsd?
13:01 < jnss> yes
13:01 < krzee> didnt i tell you to try ssl-admin?
13:01 < jnss> i dont know how much longer i will be using freebsd
13:01 < krzee> from ports
13:01 < jnss> you did but nothing makes sense
13:01 < krzee> the problem is using the keyboard ;)
13:01 < jnss> i get some serious anxiety whenever i try configuring it in server
13:02 < Bushmills> that results in nothing working?
13:04 < jnss> string is too long, it needs to be less than  2 bytes long
13:04 < jnss> i get that using ssl-admin
13:04 < krzee> prolly with part of the location
13:04 < krzee> in the ssl vars
13:04 < jnss> yeah
13:05 < jnss> i dont even know where that is
13:05 < jnss> centos 5.5 came out today
13:05 < krzee> you edited the file...
13:05 < jnss> or should come out soon,. i think im insdtalling it
13:05 < jnss> might be easier than bsd
13:05 < krzee> there does not exist a serious hand-holding ssl key management app
13:06 < krzee> it will be identical
13:06 < Bushmills> no anxiety problems with centos?
13:06 < krzee> except that ssl-admin may or may not install clean there
13:06 < krzee> whereas it does in freebsd, from ports
13:06 < krzee> either way you need to understand PKI and in centos you will possibly be confined to ssl-admin
13:06 < krzee> err
13:06 < krzee> s/ssl-admin/easy-rsa/
13:07 < jnss> easy-rsa didnt run well for me
13:08 < jnss> i read the openssl commands from the script file
13:08 < ecrist> ssl-admin is cross-platform to any system with the required perl modules
13:08 < jnss> tried typing them manually. well, it wasnt very fun
13:08 < jnss> dont even want openvpn with certificate authority.
13:08 < krzee> right, but my ./configure + changes to Makefile are so ugly, i cant stand by them
13:08 < krzee> lol
13:08 < jnss> there is a rumor that centos breaks perl
13:08 < krzee> jnss, you cant run a server without certs
13:09 < krzee> oh no i take that back
13:09 < jnss> i just want one cert. ca.crt
13:09 < jnss> not client certs, chritst
13:09 < krzee> you could do it with passwords or similar auth only, if you dont like security
13:09 < krzee> do you have any idea why ca.crt exists?
13:09 < jnss> to auth the server
13:09 < jnss> easy
13:10 < jnss> alright, im trying easyrsa with the bash 
13:13 < jnss> ra# bash clean-all
13:13 < jnss> Please source the vars script first (i.e. "source ./vars")
13:13 < jnss> Make sure you have edited it to reflect your configuration.
13:13 < jnss> silly thing
13:13 < jnss> doesnt make sense at all. i edit the crap file like it says then i run source on it
13:13 < jnss> nothng
13:16 < jnss> you know what, im gonna try with ipsec ;)
13:16 < jnss> either that or shoot myself in the head ;)
13:31 < Bushmills> you could try ssh
13:37 -!- openvpn2009 [pandora@matrix.openvpn.org] has quit [Ping timeout: 264 seconds]
13:39 < krzee> heh
13:39 < krzee> all source does is include the file
13:39 < krzee> for this case, it sets the vars into your env
13:40 < krzee> it wont output anything
13:40 < krzee> but it DOES do something
13:40 < krzee> comes down to you not knowing what that "something" is =/
13:41 < krzee> but i hope the [ipsec|headshot] goes well :-p
13:42 -!- openvpn2009 [pandora@matrix.openvpn.org] has joined ##openvpn
13:43 -!- openvpn2009 is now known as Guest12047
13:43 -!- Guest12047 is now known as openvpn2009
13:44 -!- mode/##openvpn [+o openvpn2009] by ChanServ
14:04 < krzee> !wishlist
14:04 < vpnHelper> krzee: "wishlist" is http://ovpnforum.com/viewforum.php?f=10 for the openvpn wishlist
14:06 < krzee> !as
14:06 < vpnHelper> krzee: Error: "as" is not a valid command.
14:06 < krzee> !AS
14:06 < vpnHelper> krzee: Error: "AS" is not a valid command.
14:06 < krzee> !factoids search access
14:06 < vpnHelper> krzee: "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations options
14:06 < vpnHelper> krzee: supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://beta.openvpn.net/index.php/access-server/download-openvpn-as.html
14:07 < krzee> !learn access-server as go to http://openvpn.net/index.php/access-server/support-center.html for support
14:07 < vpnHelper> krzee: Joo got it.
14:14 -!- blueboxthief [~None_of_y@83-71-8-221-dynamic.b-ras1.dbn.dublin.eircom.net] has joined ##openvpn
14:30 < krzee> !rip
14:30 < vpnHelper> krzee: "rip" is http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting for a writeup on using RIP in openvpn
14:50 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
15:20 -!- dazo is now known as dazo_afk
15:42 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 258 seconds]
15:47 -!- Guest94485 [~x@ANantes-555-1-13-46.w92-158.abo.wanadoo.fr] has joined ##openvpn
15:47 < Guest94485> hello
15:48 -!- Guest94485 is now known as sunshine12
15:52 -!- sunshine12 [~x@ANantes-555-1-13-46.w92-158.abo.wanadoo.fr] has quit [Ping timeout: 245 seconds]
15:53 <@raidz> !as
15:53 < vpnHelper> raidz: Error: "as" is not a valid command.
15:53 <@raidz> !access-server
15:53 < vpnHelper> raidz: "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations options
15:54 < vpnHelper> raidz: supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://beta.openvpn.net/index.php/access-server/download-openvpn-as.html, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
15:54 <@raidz> ;-)
15:56 -!- sunshine12 [~x@ANantes-555-1-13-46.w92-158.abo.wanadoo.fr] has joined ##openvpn
15:57 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
16:03 -!- sunshine12 [~x@ANantes-555-1-13-46.w92-158.abo.wanadoo.fr] has quit [Ping timeout: 246 seconds]
16:08 -!- sunshine12 [~x@ANantes-555-1-13-46.w92-158.abo.wanadoo.fr] has joined ##openvpn
16:09 -!- blipX [~irc@c-174-52-45-167.hsd1.ut.comcast.net] has joined ##openvpn
16:10 -!- blipX [~irc@c-174-52-45-167.hsd1.ut.comcast.net] has left ##openvpn []
16:15 -!- sunshine12 [~x@ANantes-555-1-13-46.w92-158.abo.wanadoo.fr] has quit [Ping timeout: 260 seconds]
16:15 -!- AldoBR [~AldoBR@1898750115.rec.megazon.com.br] has quit []
16:18 -!- sunshine12 [~x@ANantes-555-1-13-46.w92-158.abo.wanadoo.fr] has joined ##openvpn
16:23 -!- sunshine12 [~x@ANantes-555-1-13-46.w92-158.abo.wanadoo.fr] has quit [Ping timeout: 260 seconds]
16:46 -!- flok420 [folkert@keetweej.vanheusden.com] has quit [Ping timeout: 248 seconds]
17:15 -!- amialive [~marcdebru@cc1341944-a.groni1.gr.home.nl] has quit [Quit: amialive]
17:18 -!- flok420 [folkert@keetweej.vanheusden.com] has joined ##openvpn
17:19 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
18:00 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit []
18:06 -!- blueboxthief [~None_of_y@83-71-8-221-dynamic.b-ras1.dbn.dublin.eircom.net] has quit [Quit: Leaving.]
18:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
18:13 -!- EugeneKay is now known as EugeneKaway
18:13 -!- EugeneKaway is now known as EugeneKay
18:51 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
19:50 -!- Hypnoz [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Ping timeout: 248 seconds]
20:18 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:18 < theDoc> raidz> Do you happen to be around?
20:29 < krzie> he was lookin for you earlier
20:38 < theDoc> Ah, snap.
20:38 < theDoc> ;p
20:38 < theDoc> I wanted to ask him something about client certs.
20:59 < krzie> whats the question
20:59 < krzie> better to ask before you get him, that way you dont waste time
20:59 < krzie> hour later he says whats up, you dont see, then you say hi and he doesnt see, etc...
21:00 < krzie> whereas you can ask the ?, then he'll (or someone else will) answer
21:00 < theDoc> I was just wondering if there was a better way to sync all the user certs across multiple vpn servers.
21:00 < krzie> sure, scp
21:00 < krzie> lil script
21:00 < krzie> should be a rather simple script
21:01 < krzie> thats very much not an openvpn question
21:01 < krzie> ;)
21:02 < theDoc> krzee> Yep, I know but due to the way access-server works, it's all in a single file. I'm just wondering if that is going to cause issues.
21:02 < krzie> oh
21:02 < krzie> i know nothing bout AS
21:02 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
21:02 < krzie> you seen they have a support center too?
21:02 < krzie> #4 here
21:02 < krzie> !access-server
21:02 < vpnHelper> krzie: "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations options
21:02 < vpnHelper> krzie: supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://beta.openvpn.net/index.php/access-server/download-openvpn-as.html, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
21:03 < theDoc> krzee> Yep, I'm in some what close contact with their support center.
21:03 < krzie> ahh werd
21:03 < krzie> i learned of it today
21:06 < theDoc> What's weird?
21:06 < krzie> werd = cool
21:06 < krzie> weird has an 'i'
21:09 < theDoc> Oh right, ok.
21:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
21:31 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
21:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
22:07 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
22:25 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
22:41 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
22:41 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
22:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
22:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
22:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
22:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
22:48 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 240 seconds]
22:49 -!- notbrien [~notbrien@69.86.1.238] has joined ##openvpn
22:50 -!- notbrien [~notbrien@69.86.1.238] has quit [Client Quit]
22:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
22:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
22:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
22:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
22:57 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Remote host closed the connection]
23:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 248 seconds]
23:03 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
23:06 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
23:18 -!- buntfalke [~nobody@openvpn-p1-ipv6-101a.triple-a.uni-kl.de] has joined ##openvpn
23:18 -!- buntfalke [~nobody@openvpn-p1-ipv6-101a.triple-a.uni-kl.de] has quit [Changing host]
23:18 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
23:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
23:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
23:59 -!- EugeneKay is now known as EugeneGay
--- Day changed Fri May 14 2010
00:33 -!- EugeneGay is now known as EugeneKaway
00:41 -!- jnss [janes@gateway/shell/sign.io/x-ntearvtvepeegpyt] has quit [Remote host closed the connection]
02:15 -!- Murdoch5 [~AMurdoch@mail.gabaedevelopment.com] has quit [Read error: Connection reset by peer]
02:18 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
03:03 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has joined ##openvpn
03:13 -!- xod [~onats@112.201.158.40] has joined ##openvpn
03:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
04:47 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has joined ##openvpn
04:47 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has left ##openvpn []
04:54 -!- fluxdude [~fluxdude@unaffiliated/fluxdude] has left ##openvpn []
05:04 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
06:16 -!- blueboxthief [~None_of_y@89.181.19.237] has joined ##openvpn
06:17 -!- dazo_afk is now known as dazo
06:45 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 260 seconds]
06:45 -!- corretico_ [~laguilar@201.201.46.106] has joined ##openvpn
06:53 -!- takamichi [~pri@94.75.217.248] has quit [Ping timeout: 260 seconds]
06:53 -!- takamichi [~pri@78.133.92.164] has joined ##openvpn
07:09 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
07:17 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
07:19 -!- corretico_ [~laguilar@201.201.46.106] has quit [Ping timeout: 240 seconds]
07:20 -!- zheng [~zheng@114.92.133.4] has joined ##openvpn
07:23 -!- zheng [~zheng@114.92.133.4] has quit [Quit: Leaving]
07:29 -!- zheng [~zheng@114.92.133.4] has joined ##openvpn
07:36 -!- blueboxthief [~None_of_y@89.181.19.237] has quit [Ping timeout: 276 seconds]
07:38 -!- jumbers [~jumbers@fsf/member/jumbers] has joined ##openvpn
07:40 < jumbers> If my VPN server's local network is 192.168.1.x and I'm using the static key method via TUN to connect to the network, will I be able to access everything under the 192.168.1.x subnet or will I just be restricted to 10.8.0.1 which is the server's VPN IP?
07:44 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
07:44 -!- zheng [~zheng@114.92.133.4] has quit [Quit: Leaving]
07:44 -!- TiE_ [~TiE@114.92.133.4] has joined ##openvpn
07:45 < TiE_> jumbers, yes, VPN ip is different from LAN IP, 
07:46 < jumbers> So then the yes is to "I'll be restricted"?
07:46 < TiE_> but you can use ethernet bridging which can combine LAN with VPN using the same IP range, such as 10.0.0.1/24
07:55 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
07:56 -!- blueboxthief [~None_of_y@89.181.19.237] has joined ##openvpn
07:57 -!- KaiForce [~chatzilla@adsl-70-228-114-90.dsl.akrnoh.ameritech.net] has joined ##openvpn
07:58 -!- TiE_ [~TiE@114.92.133.4] has quit [Quit: Leaving]
07:58 -!- itEase [~itEase@114.92.133.4] has joined ##openvpn
08:04 -!- EugeneKaway is now known as EugeneKay
08:20 -!- itEase [~itEase@114.92.133.4] has quit [Remote host closed the connection]
08:28 -!- blipX [~irc@c-174-52-45-167.hsd1.ut.comcast.net] has joined ##openvpn
08:39 -!- blueboxthief [~None_of_y@89.181.19.237] has quit [Quit: Leaving.]
08:40 -!- blueboxthief [~None_of_y@89.181.19.237] has joined ##openvpn
08:44 < Bushmills> !route
08:44 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:44 < Bushmills> jumbers: ^^^^
08:49 < blipX> Anyone had to deal with overlapping subnet issues? Trying to think of a way to get around it by dynamic inital subnet assignment(perhaps real IP), kind of a middle man natting and interception of dns queries... dunno just babbling outloud.
08:50 < blipX> I hear juniper has something that solves the overlap issue I presume they do something along those lines to resolve it.
09:03 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
09:10 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
09:13 -!- notbrien_ [~notbrien@2002:d052:dd6:0:5ab0:35ff:fef5:7a5f] has joined ##openvpn
09:14 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
09:15 -!- notbrien [~notbrien@208.82.13.214] has left ##openvpn []
09:15 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
09:25 -!- mirco [~mirco@p5B23B87B.dip.t-dialin.net] has joined ##openvpn
09:31 -!- notbrien_ [~notbrien@2002:d052:dd6:0:5ab0:35ff:fef5:7a5f] has quit [Quit: notbrien_]
09:31 -!- notbrien is now known as notbrien|weshop
09:34 -!- notbrien|weshop [~notbrien@208.82.13.214] has quit [Remote host closed the connection]
09:34 -!- notbrien [~notbrien@2002:d052:dd6:0:5ab0:35ff:fef5:7a5f] has joined ##openvpn
09:37 -!- notbrien [~notbrien@2002:d052:dd6:0:5ab0:35ff:fef5:7a5f] has quit [Remote host closed the connection]
09:48 -!- jumbers [~jumbers@fsf/member/jumbers] has quit [Ping timeout: 245 seconds]
09:49 -!- EugeneKay is now known as EugeneKaway
09:50 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
09:51 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 246 seconds]
09:57 -!- jumbers [~jumbers@fsf/member/jumbers] has joined ##openvpn
09:58 -!- jumbers [~jumbers@fsf/member/jumbers] has quit [Client Quit]
10:04 -!- EugeneKaway is now known as EugeneKay
10:10 -!- notbrien [~notbrien@2002:d052:dd6:0:5ab0:35ff:fef5:7a5f] has joined ##openvpn
10:54 -!- Bloodsong [~Nimbus@70.50.177.230] has joined ##openvpn
11:29 -!- Hypnoz [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:38 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
11:41 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
12:07 -!- Alphanaut [~Alphanaut@c-76-119-199-25.hsd1.ma.comcast.net] has joined ##openvpn
12:08 < Alphanaut> !welcome
12:08 < vpnHelper> Alphanaut: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:08 < Alphanaut> !redirect
12:08 < vpnHelper> Alphanaut: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:08 < Alphanaut> !def1
12:08 < vpnHelper> Alphanaut: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
12:09 < Alphanaut> !ipforward
12:09 < vpnHelper> Alphanaut: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
12:09 < Alphanaut> !winipforward
12:09 < vpnHelper> Alphanaut: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
12:09 < Alphanaut> !winnat
12:09 < vpnHelper> Alphanaut: "winnat" is http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows
12:09 < Alphanaut> grrr
12:11 < Alphanaut> !man
12:11 < vpnHelper> Alphanaut: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
12:13 -!- Alphanaut_ [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
12:15 -!- Alphanaut [~Alphanaut@c-76-119-199-25.hsd1.ma.comcast.net] has quit [Ping timeout: 240 seconds]
12:15 -!- Alphanaut_ is now known as Alphanaut
12:19 < Alphanaut> arrrrrrrrrrrrrrgh!!!!!!!!!
12:19 < Alphanaut> :0
12:23 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:25 -!- amialive [~marcdebru@cc1341944-a.groni1.gr.home.nl] has joined ##openvpn
12:35 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Ping timeout: 265 seconds]
12:43 -!- KaiForce [~chatzilla@adsl-70-228-114-90.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
12:43 -!- hackeron [~hackeron@gentoo/user/hackeron] has quit [Read error: Connection reset by peer]
12:50 -!- mirco [~mirco@p5B23B87B.dip.t-dialin.net] has quit [Quit: mirco]
13:13 < hyper_ch> hmmmm, don't you hate it when your car breaks down?
13:17 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
13:17 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
13:18 < Alphanaut> i have to say i'm absolutely amazed at how little there is on setting up openvpn between two windows boxes
13:19 < Alphanaut> specifically how to get the traffic from the client to go thru the vpn to the server then out to the net
13:19 < hyper_ch> setting up openvpn on windows is way too complicated
13:20 < Alphanaut> apparently!
13:20 < Alphanaut> unfortunately my home computer runs too much windows junk to switch to something else
13:21 < hyper_ch> you can virtualize stuff that you really, really, really, really need
13:21 < hyper_ch> virtualized windows with host-only networking is probably the safest way to run windows
13:22 < Alphanaut> i agree, but i'm just playing around with openvpn, that's a whole different project alltogether :0
13:22 < Alphanaut> i'm trying to get my laptop to route thru the tunnel to my home cmputer then out to the net
13:23 < hyper_ch> !def1
13:23 < vpnHelper> hyper_ch: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
13:23 < Alphanaut> you'd think there was a document related to this somewhere on the net :)
13:23 < Alphanaut> i did that
13:23 < hyper_ch> you disabled windows firewall?
13:23 < Alphanaut> rgr NO firewalls at all
13:23 < hyper_ch> your home router is configured accordingly?
13:23 < hyper_ch> your homebox has according firewall settings?
13:24 < Alphanaut> how to i get all my laptop traffic into the tunnel and vice versa?  add a ROUTE or just change the default gateway in the network config?
13:24 < Alphanaut> yep
13:24 < Alphanaut> yah i can connect via openvpn just fine thru the router
13:24 < hyper_ch> def1 should direct all traffic trough the tun interface
13:24 < Alphanaut> and i can surf shares on my home computer
13:25 < Alphanaut> but how do i direct all my client traffic into the tunnel?
13:25 < Alphanaut> def1 is set
13:25 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
13:26 < hyper_ch> then they should use all through the openvpn server
13:26 < Alphanaut> i also find it odd that push "redirect-gateway def1" has quotes.  yah, the server is set i think, now i just need to force all client traffic to go thru the connected vpn
13:26 < Alphanaut> just dont know how to force all client traffic into the pipe
13:27 < hyper_ch> Alphanaut: pastebin server config and client config
13:28 < Alphanaut> server: dev tun
13:28 < Alphanaut> ifconfig 10.8.0.1 10.8.0.2
13:28 < Alphanaut> secret key.txt
13:28 < Alphanaut> port 13938
13:28 < Alphanaut> comp-lzo
13:28 < Alphanaut> keepalive 10 60
13:28 < Alphanaut> ping-timer-rem
13:28 < Alphanaut> persist-tun
13:28 < Alphanaut> persist-key
13:28 < Alphanaut> push "redirect-gateway def1"
13:29 < hyper_ch> !pastebin
13:29 < vpnHelper> hyper_ch: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
13:29 < Alphanaut> client: !pastebin
13:29 < Alphanaut> heh
13:29 < hyper_ch> you don't push dns servers to be queried?
13:30 < Alphanaut> nope, i have those set locally
13:30 < Alphanaut> in the TAP as well
13:30 < Alphanaut> i'm trying to keep it ultrasimple just to get it working, then i can get fancy
13:30 < Alphanaut> heh, pastebin timed out
13:30 < Alphanaut> aparently boston to canada is too far
13:30 < Alphanaut> oh well
13:31 < Alphanaut> whats the deal, pastebin down?
13:32 < Alphanaut> so i assume i paste the link
13:32 < Alphanaut> client: http://pastebin.com/rMAgSdBn
13:32 < hyper_ch> Alphanaut: http://pastebin.com/Vw88hRYX
13:33 < hyper_ch> Alphanaut: I use that on a setup
13:33 < hyper_ch> pastebin.ca has been down for some time
13:33 < Alphanaut> we use the same dhcp i see
13:33 < Alphanaut> er dns servers rather
13:34 < Alphanaut> if i need push "redirect-gateway def1" to get it working correctly i dont see it in your pastebin
13:34 < hyper_ch> Alphanaut: one line didn't get copied:  http://pastebin.com/tr8wE9Az
13:35 < hyper_ch> Alphanaut: I use client-config-dir
13:35 < hyper_ch> see Client 1 CCD
13:35 < Alphanaut> oh i c
13:35 < hyper_ch> because on this computer here
13:35 < Alphanaut> pardon my ignorance, what is CCD?
13:35 < hyper_ch> I want to have openvpn access but not route all traffic through it
13:35 < hyper_ch> "c"lient-"c"onfig-"d"ir
13:36 < Alphanaut> ahhh
13:36 < hyper_ch> you can set different options for the clients there
13:36 < hyper_ch> e.g. assign static ips
13:36 < hyper_ch> or push different routes and stuff
13:37 < Alphanaut> what the heck, i'll try those
13:38 < hyper_ch> so, on this computer here I have in the CCD only this:
13:38 < hyper_ch> ifconfig-push 10.8.0.4 10.8.0.5
13:38 < hyper_ch> push "route 10.8.0.0 255.255.255.0"
13:38 < hyper_ch> it allows me to access the vpn but not all traffic is routed by default through it
13:42 < Alphanaut> is there ever a time when the def1 in the push redirect line needs to be replaced?  
13:43 < hyper_ch> i don't know what you mean
13:46 < Alphanaut> so i merged your configs and mine together and the vpn connects still, now i will change to an offsite network and see if i can 1. connect and 2. pipe traffic thru the vpn
13:47 < hyper_ch> the server runs windows?
13:48 -!- Alphanaut_ [~Alphanaut@c-76-119-199-25.hsd1.ma.comcast.net] has joined ##openvpn
13:48 < hyper_ch> Alphanaut_: both show the same hostmask
13:49 < hyper_ch> no, they don't... IP is different
13:49 < Alphanaut_> yah one is .252 and the other is .0
13:50 < Alphanaut_> so i can still connect to my server vpn just fine from offsite, but traffic is still bypassing the vpn
13:50 < hyper_ch> windows is just too complicated :)
13:50 < Alphanaut_> haha
13:50 < Alphanaut_> dang it
13:50 < Alphanaut_> i can still browse my shares thru the vpn from offsite
13:50 < Alphanaut_> but i cant force traffic thru the pipe
13:50 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Ping timeout: 265 seconds]
13:51 -!- Alphanaut_ is now known as Alphanaut
13:51 < Alphanaut> must be something to do with ROUTE
13:51 < hyper_ch> the server is windows?
13:51 < Alphanaut> yah
13:51 < Alphanaut> they both are
13:51 < Alphanaut> unfortuantely
13:51 < Alphanaut> the vpn connects fine
13:51 < Alphanaut> can browse the server shares
13:51 < hyper_ch> well, in order to being connectable (meaning the vpn client being connectable from the internet) I had to add some iptable rules
13:52 -!- EugeneKay is now known as EugeneKaway
13:52 < hyper_ch> but you are not just waiting to be connected to, you do connect
13:52 < Alphanaut> i am connected right now
13:52 < hyper_ch> so it should be working except if the firewall on the openvpn server prohibits something
13:52 < hyper_ch> Alphanaut: you misunderstand
13:52 < Alphanaut> i'm sure i do :)
13:52 < hyper_ch> if you have a homerouter and on a box behind the router (nat) has apache webserver installed
13:53 < hyper_ch> then you need to tell the router that port 80 should be forwarded to that client
13:53 < hyper_ch> otherwise apache is not connectable from the outside
13:53 < hyper_ch> but usually apache can connect itself to the outside
13:53 < Alphanaut> hmm
13:53 < hyper_ch> it's some routing / firewall issue I think
13:53 < Alphanaut> rgr
13:53 < hyper_ch> more likely a routing issue
13:53 < hyper_ch> pastebin all the configs please :)
13:54 < hyper_ch> (and remove sensitive IP addresses / hostnames)
13:54 < Alphanaut> hmm
13:54 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: Connection reset by peer]
13:54 < Alphanaut> my tap adapter doesnt have a default gateway
13:54 < Alphanaut> shows as blank
13:54 < Alphanaut> ok
13:54 < Alphanaut> i shall
13:55 < hyper_ch> tap? not tun?
13:55 < hyper_ch> !tap
13:55 < vpnHelper> hyper_ch: "tap" is "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming,
13:55 < vpnHelper> hyper_ch: anything where the protocol uses MAC addresses instead of IP addresses.
13:55 < |Mike|> !tunortap
13:55 < vpnHelper> |Mike|: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
13:55 < vpnHelper> |Mike|: against you over the vpn
13:55 < hyper_ch> hi |Mike|
13:58 < hyper_ch> krzee: HALP :)
13:58 < |Mike|> hey
13:58 < hyper_ch> |Mike|: you are very knowledgable about openvpn right?
13:58 < |Mike|> depends on the OS tho
13:58 < hyper_ch> linux :)
13:59 < hyper_ch> are there any other OSes worthwhile mentioning?
13:59 -!- EugeneKaway is now known as EugeneKay
13:59 < |Mike|> nah, windows questions are ignored by brain :)
14:00 < hyper_ch> |Mike|: can you edit the openvpn wiki?
14:00 < |Mike|> unfortunatly
14:00 < Alphanaut> bleh
14:00 < Alphanaut> i know it's not ideal
14:00 < Alphanaut> but it should still work
14:00 < Alphanaut> :)
14:00 < hyper_ch> |Mike|: well, I use those rules here to make openvpn clients connectable:  http://pastebin.com/2F0jZ8Sz
14:00 < hyper_ch> |Mike|: I thought maybe that could somewhere be added to the wiki
14:01 < hyper_ch> it's just an example of tcp/udp on port 80
14:01 < |Mike|> hyper_ch: you could msg them to krzee or ecrist 
14:02 < |Mike|> i'm quite sure that they have an account :-)
14:02 < hyper_ch> |Mike|: but with those pipes in your nick you sound sooooo much more geeky :)
14:03 < hyper_ch> krzee: hi there, if you don't read the backlog, then here's a short summary: to make services on vpned clients accessible to the internet you'll need to alter iptables on linux. Here's an example for port 80 udp/tcp : http://pastebin.com/2F0jZ8Sz  --> I thought that could somewhere be added to the wiki... it took me a little while to figure that out
14:04 -!- LumberCartel [~LumberCar@24.86.160.252] has joined ##openvpn
14:04 < Alphanaut> hahah so much info on exact config in linux, zip in winblows
14:04 < hyper_ch> |Mike|: you don't have an account?
14:04 < hyper_ch> Alphanaut: well, the configs I pastebined work fine on linux :)
14:04 < Alphanaut> yah i'm sure they do :)
14:04 < LumberCartel> What's the current version of OpenVPN for Windows?
14:05 < Alphanaut> 1.0.3
14:05 < Alphanaut> is waht i have 
14:05 < hyper_ch> oh....
14:05 < hyper_ch> I'm using v 2.1
14:06 < LumberCartel> I've got 2.1_rc15.  I'd like to find out if there's a newer one because I don't see it on the web site.
14:06 < Alphanaut> just frustrating cause i'm 90% of the way there
14:06 < LumberCartel> Which RC are you on, hyper_ch?
14:06 < hyper_ch> Alphanaut: you should use a newer version
14:06 < Alphanaut> hmm
14:06 < Alphanaut> i thought i got the latest one for win
14:06 < hyper_ch> LumberCartel: 
14:06 < hyper_ch> openvpn --version
14:06 < hyper_ch> OpenVPN 2.1.0 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jan 26 2010
14:07 < LumberCartel> Oh, it's not in beta anymore?  Cool1
14:07 < LumberCartel> s/Cool1/Cool!/
14:07 < hyper_ch> http://www.openvpn.net/release/openvpn-2.1.1-install.exe
14:07 -!- Alphanaut [~Alphanaut@c-76-119-199-25.hsd1.ma.comcast.net] has quit [Read error: Connection reset by peer]
14:07 < LumberCartel> Thanks.  I couldn't find it on the web site.
14:07 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
14:08 < hyper_ch> LumberCartel: :)
14:08 < hyper_ch> there's even 2.1.1 but it's not in the ubuntu repos
14:09 < LumberCartel> You know, I often have to send the installer to people so they can try OpenVPN.  Nobody can ever find it on the web site anymore.  Seems the download links go to the access server now.
14:09 < hyper_ch> tehy need to go to community
14:09 < LumberCartel> Oh, "Community software" and THEN to "Downloads."
14:10 < hyper_ch> yes :)
14:10 < LumberCartel> That's great, there are changelogs there and old versions too.
14:10 < LumberCartel> Thanks.
14:10 < LumberCartel> I think should have a link to it from the main downloads page as well though.
14:10 < hyper_ch> quite a few projects that differentiate between free and paid open source software label the free one "community"
14:10 < LumberCartel> I've had so many people ask me about getting an account set up on the Access Server, and then I've been eMailing an older version in attachments.
14:11 < hyper_ch> :)
14:11 < LumberCartel> I've never seen that before.
14:11 < LumberCartel> I deal with a lot of open source software too.
14:11 < LumberCartel> It just never occurred to me to click on Community...
14:11 < LumberCartel> The old web site was much better.
14:11 < hyper_ch> :)
14:11 < hyper_ch> I just try to think where there's the community thingies
14:12 < LumberCartel> It should be set up like this:  In the "Downloads" section there should be a link to "Community" or "Open source" downloads, and the other to the "Access Server downloads."
14:12 < hyper_ch> I think it's the same for Zimbra
14:12 < hyper_ch> and Kolab
14:12 < LumberCartel> Oh, I don't use Zimbra.
14:13 < LumberCartel> None of these projects do this:  http://www.lumbercartel.ca/resources/freeware.pl  --or--  http://www.lumbercartel.ca/resources/security.pl
14:13 < vpnHelper> Title: [LumberCartel.ca] Resources - Freeware (at www.lumbercartel.ca)
14:13 < hyper_ch> not kolab but zimbra:  http://www.zimbra.com/products/product_editions.html
14:13 < vpnHelper> Title: Zimbra - Product Editions (at www.zimbra.com)
14:13 -!- dazo is now known as dazo_afk
14:13 < hyper_ch> perl? iiieks
14:13 < hyper_ch> adobe isnt opensource
14:14 < LumberCartel> I know.  Some of that stuff isn't.  There just isn't a usable alternative to Adobe's stuff yet.
14:14 < LumberCartel> OpenVPN is in the Security link though.
14:14 < hyper_ch> well, you labelled it as freeware :)
14:14 < hyper_ch> so that's correct
14:15 < hyper_ch> well, I don't need adobe acrobat (reader) anymore
14:15 < hyper_ch> dolphin can fill in forms and saven them filled in
14:15 < hyper_ch> openoffice can export directly to pdf
14:15 < hyper_ch> gimp can import pdf files
14:15 < hyper_ch> and flash is evil and must day
14:15 < hyper_ch> die
14:15 < LumberCartel> Oh, most of this is the software I typically install on all new computers (I'm a consultant).
14:15 < hyper_ch> yeah, you have to do what your clients want :)
14:16 < LumberCartel> Yeah, I don't like Flash, but everyone wants to see the "cute and furry" stuff jumping around on their corporate web pages so I'll gladly take their money to install it for them.
14:16 < hyper_ch> I'm slowly turning my office all to open source
14:16 < hyper_ch> 99% of flash pages don't need flash
14:16 < LumberCartel> If there was an open source alternative to Flash and Shockwave, and also PDF Reader, I would gladly use them instead.
14:16 < LumberCartel> I agree with your 99% figure.
14:16 < hyper_ch> what OSes? Linux?
14:16 < hyper_ch> or Windows?
14:16 < hyper_ch> or Mac?
14:17 < LumberCartel> All Windows for users.  NetBSD for servers.
14:17 < hyper_ch> Mac has a good integrated file viewer
14:17 < hyper_ch> windows is the only one that sux at pdfs :)
14:17 < LumberCartel> I have more than 40 NetBSD servers running Samba and pf and a whole bunch of other stuff for internal corporate LAN servers at various companies.
14:17 < LumberCartel> Actually, I find that Windows generally sucks at just about everything.
14:17 < hyper_ch> except at marketing and brainwashing :)
14:17 < LumberCartel> Wow, this changelog improves a lot of stuff.  I'm so glad to have to updated one.
14:18 < LumberCartel> Yeah, I call it "The Redmond Syndrome" (think "The Stockholm Syndrome").
14:18 < hyper_ch> actually microsoft is the best gaming platform on computers....
14:18 < LumberCartel> That's because the games are written to work fast on them.
14:18 < hyper_ch> on personal computers
14:18 < LumberCartel> ...and hardware drivers are optimized for it.
14:18 < hyper_ch> although dedicated systems like ps3 etc. are much better for gaming
14:18  * LumberCartel jokes "It's a conspiracy I tell you!!!"
14:19 < hyper_ch> and well, Microsoft Exchange is still a bitch
14:19 < hyper_ch> kolab / horde / kontact is getting there as other projects also
14:20 < hyper_ch> well, at work we got a few macs
14:20 < LumberCartel> I quite like AlphaMail.
14:20 -!- Alphanaut [~Alphanaut@c-76-119-199-25.hsd1.ma.comcast.net] has joined ##openvpn
14:20 < hyper_ch> and I successfully made them use OpenOffice
14:21 < LumberCartel> It's difficult to get working though.
14:21 < hyper_ch> instead of paying tons of money for MS Office licences
14:21 < hyper_ch> and I still think that styling the docs in OOo is much easier than in MSO
14:21 < LumberCartel> Lots of my clients are using OpenOffice.org these days.  Some still can't because it lacks certain features.
14:21 < LumberCartel> It'll get there.
14:21 < hyper_ch> well, being in a lawfirm
14:21 < hyper_ch> you mainly write letters and once in a while you need some calc sheets
14:22 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
14:22 < hyper_ch> and OOo Writer and Calc are en par with MSO for what we need
14:22 < LumberCartel> Then you must be familiar with the "Reveal Codes" feature from WordPerfect.  If you are, you'll enjoy this idea:  http://www.lumbercartel.ca/images/interesting/
14:22 < vpnHelper> Title: [LumberCartel.ca] Interesting images (at www.lumbercartel.ca)
14:22 < hyper_ch> as said, I think the whole styling in OOo is much simpler
14:22 -!- Alphanaut_ [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
14:23 < hyper_ch> I always had troubles with footnotes on MSO so after first year of law school I changed to OOo
14:23 < Alphanaut_> i am convinced the "server" is configured correctly
14:23 < hyper_ch> my master thesis was formatted in like 3h
14:23 < hyper_ch> some of my buddies ended up formating and printing each page seperately
14:23 < Alphanaut_> is there any instance where "def1" in push "redirect-gateway def1" is not correct?
14:23 < Alphanaut_> that's default eh?
14:24 < hyper_ch> Alphanaut_: are you sure you still use v. 1 of openvpn?
14:25 < hyper_ch> LumberCartel: not sure what to do with that reveal code thingy... I don't think I'd ever use it
14:25 < Alphanaut_> oh hell
14:25 < Alphanaut_> who orders older software at the top!
14:25 < Alphanaut_> duh
14:25 < Alphanaut_> :)
14:25 < hyper_ch> http://www.openvpn.net/release/openvpn-2.1.1-install.exe
14:25 < Alphanaut_> who doesnt read the page before he downloads?
14:25 < Alphanaut_> <---
14:25 -!- Alphanaut [~Alphanaut@c-76-119-199-25.hsd1.ma.comcast.net] has quit [Ping timeout: 240 seconds]
14:25 -!- Alphanaut_ is now known as Alphanaut
14:26 < Alphanaut> ahhh
14:26 < Alphanaut> i am using 2.1.1.
14:26 < Alphanaut> the GUI is 1.x
14:26 < hyper_ch> a gui?
14:26 < Alphanaut> hahah oh dont
14:26 < Alphanaut> i can see where this is headed
14:26 < Alphanaut> more bashing :)
14:26  * hyper_ch evil grin
14:27 < Alphanaut> hahha i'm reading a 300 page book i found on openvpn and even that doesnt tell me what i need
14:27 < Alphanaut> crazy
14:27 < Alphanaut> i know the server is configured right
14:27 < Alphanaut> i just cant figure out how to force all traffic into the vpn on the client
14:29 < hyper_ch> if everything else fails, you can still apply magic :)
14:29 < hyper_ch> magic usually solves all problems magically
14:29 <@raidz> :-)
14:30 < hyper_ch> GUIs are caveman style... they also used to point and click and eventually they evolved and started to use text to transmit ideas
14:31 < Bushmills> !redirect
14:31 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:31 < Bushmills> Alphanaut: ^^^
14:31 < hyper_ch> Bushmills: how to do that on windows?
14:32 < Bushmills> to my knowledge, windows client adds routes too
14:32 < hyper_ch> for some reasons redirect gateway does not add routes to Alphanaut
14:33 < Bushmills> windows 7 seemed to have problems with it occasionally
14:33  * hyper_ch personally just blames it on windows
14:33 < hyper_ch> Bushmills: can you edit the wiki?
14:33 < Bushmills> windows has a route command as well.  redirect-gateway doesn't a lot more than adding few routes to client
14:34 < Bushmills> a host route so that openvpn client can still send packets to server, and a new default route, using openvpn server as gateway
14:35 < Bushmills> with def1, instead of default route,  two  routes, 0.0.0.0/1 and 128.0.0.0/1, both with gateway openvpn server, are added
14:36 < Bushmills> should, for whatever reason, windows not add those routes as result of redirect-gateway, adding them manually or by script should have the same effect
14:36 < Bushmills> wiki? no idea, haven't tried
14:37 < Bushmills> but looking into client log should tell what happens when client attempts to add those routes, and why it failed
14:37 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Ping timeout: 240 seconds]
14:38 < LumberCartel> Whatever problems Vista had, Windows 7 might still have (even if only intermittent) since it really is just a big patched up Vista.
14:38  * Bushmills thinks of the 15 year old font bug in windows
14:39 < hyper_ch> there are no bugs in windows
14:39 < Bushmills> was funny to read that all windows version were affected
14:39 < hyper_ch> it has a lot of random features to improve the user experience
14:39 < Bushmills> all post-3.11 versions ...
14:39 < hyper_ch> so that users don't get bored too quickly by acting always the same way
14:39 < Bushmills> ah. predictable computing is out
14:40 < Bushmills> that may explain the extremely high acceptance those systems have as servers
14:40 < hyper_ch> well, it's self-preservation of windows sys admins
14:40 < hyper_ch> if windows worked as good as linux, then you could sack 80% of the windows servera dmins
14:41  * LumberCartel laughs.
14:41  * hyper_ch thinks windows server admins pays micrsoft to implement random features for securing their own jobs
14:41 < LumberCartel> Which 15-year-old bug?  I hear there's more than one of those.
14:41 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
14:41 < Bushmills> in a moment, somebody will wake up and express his disregard for linux as server, in favour of bsd
14:41 < LumberCartel> Well it won't be me.
14:42 < LumberCartel> Although I don't use Linux.
14:42 < Bushmills> LumberCartel: some problem with fonts, which allowed to compromise the system, using those character rendering routines
14:42 < hyper_ch> bsd is like linux but for grown ups :)
14:42 < Alphanaut> so sad that i cant get this to work
14:42 < Alphanaut> i'm sure it's one little thing
14:42 < Bushmills> one could compromise the system by offering a doctored font
14:43 < LumberCartel> Bushmills:  Oh yeah, that one.  I've noticed that SpyWare vendors still occasionally ask users to install "harmless fonts" on their computers to view their web sites.
14:43 < Bushmills> was discovered about .. 3 years maybe, ago
14:43 < LumberCartel> No, this was discovered long before that.
14:43 < LumberCartel> Unless this is a different bug.
14:44 < Bushmills> maybe earlier - it is difficult to keep track of all windows problems
14:44 < Alphanaut> !killmypc
14:44 < vpnHelper> Alphanaut: Error: "killmypc" is not a valid command.
14:45 < LumberCartel> You need to install some SpyWare before you can use the "killmypc" command.
14:45 < Bushmills> as the common windows bug are of no concern to me, i don't even try
14:45 < Alphanaut> clearly
14:45 < Alphanaut> alas it is clean
14:45 < LumberCartel> ...but it might be disguised as a different command like "clean my pc."
14:45 < Alphanaut> haha
14:47 < Bushmills> though i have been somewhat successful to convert people to non-windows systems. slowly, albeit, but those who eventually dropped windows completely usually never look back
14:47 < LumberCartel> I've been working on that too.  I start with free, open source software solutions.
14:47 < LumberCartel> I try to pick the ones that are available cross-platform.
14:47 < hyper_ch> well, if you get them to use Mac they're already using a Unix :)
14:48 < hyper_ch> LumberCartel: filezilla is missing in that list
14:48 < Bushmills> making them use openoffice and firefox on windows is often a good start
14:48 < LumberCartel> Then, in the future, I hope to eventually switch them to Linux for workstation (unless I can find a BSD that will do it just as well).  So far Ubuntu is looking like the best Linux for end users.
14:48 < Bushmills> covers at least 50% of many users needs
14:48 < LumberCartel> hyper_ch:  You're right.  There are a few others as well.
14:48 < hyper_ch> well, I setup Kubuntu for my mom
14:48 < hyper_ch> all she usually needs is Amarok, Kontact, Firefox, OOo
14:49 < hyper_ch> and picasa
14:49 < LumberCartel> Is Picasa open source, or just free?
14:49 < Bushmills> helps when one boots linux then, when they see the same programs still running
14:49 < hyper_ch> just free
14:49 < LumberCartel> That's what I thought.
14:50 < LumberCartel> Google Earth is one that I find users respond to extremely well.
14:50 < LumberCartel> It's dead-easy to justify as a "business class" application too.
14:50 < hyper_ch> I setup Picasa for her because its easy to put her pics online
14:50 < hyper_ch> otherwise I'd probably use digikam
14:50 < LumberCartel> Have a link for Digikam?  I assume it's open source.
14:50 < hyper_ch> it's part of KDE
14:51 < hyper_ch> http://www.digikam.org/
14:51 < vpnHelper> Title: digiKam - Photo Management Program | Manage your photographs as a professional with the power of Open Source (at www.digikam.org)
14:51 < hyper_ch> hmmm, there's a picasaweb plugin
14:52 < hyper_ch> does that mean digikam can publish pics to google picasa... hmm
14:52 < Bushmills> shotwell is received well among my convertites
14:52 < Bushmills> though it is a bit feature stripped. but maybe therefore.
14:52 < hyper_ch> haven't heard of that one yet
14:53 < LumberCartel> That looks like a really nice application.  I'm looking for something for my Dad who does a lot of photography as a hobby, and this looks like it would be right for him.  Too bad it doesn't seem to have a Windows version.
14:53 < hyper_ch> there's a kde4 windows port
14:53 < hyper_ch> but no clue how good it is
14:54 < LumberCartel> I tried to get that working once, and it was a bloody mess.  So I gave up.
14:54 < hyper_ch> http://windows.kde.org/news.php#itemKDESC440forWindowsavailable
14:54 < vpnHelper> Title: The KDE on Windows Project - KDE on Windows News (at windows.kde.org)
14:54 < hyper_ch> well, you can retry in a VM :)
14:55 < hyper_ch> KDE 4.4 has really matured a lot compared to kde 4.0 and 4.1
14:55 < Bushmills> http://scarydevilmonastery.net/snap/1273866878582881876d.png that's how the main interface of shotwell looks like
14:55 -!- adamramadhan [~adamramad@125.166.20.121] has joined ##openvpn
14:55 < adamramadhan> hello
14:56 < hyper_ch> Bushmills: can it publish to a webserver?
14:56 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 260 seconds]
14:56 < Bushmills> i actually don't know.  as my own "publishing" is over openvpn and nfs, anything can publish.
14:56 < Bushmills> and autofs
14:56 < hyper_ch> Bushmills: well, I need "mom-safe" applications :)
14:57 < LumberCartel> My Dad won't use that because it doesn't look like Windows' native interface.  In fact, I'd have trouble convincing a lot of users to use it.  They have enough trouble using computers in general.
14:57 < adamramadhan> please see my log , http://pastebin.com/gdF1tJct i dont know what should i do to make my vpn running .
14:57 < hyper_ch> picasa just makes it really, really easy to publish pics on the web
14:57 < adamramadhan> btw ive check my vps with 
14:57 < adamramadhan> -bash-3.2# ls -al /dev/net/tun
14:57 < adamramadhan> crw------- 1 root root 10, 200 Apr 15 03:17 /dev/net/tun
14:58 < hyper_ch> adamramadhan: did you try to start openvpn as root?
14:58 < Bushmills> it has publishing to facebook, flickr and picasa in the menz
14:58 < Bushmills> menu
14:58 < adamramadhan> hyper_ch : yes im useing root.
14:58 < hyper_ch> facebook is evil
14:58 < hyper_ch> Bushmills: nice :) I'll have a closer look then
14:58 < hyper_ch> picasa uses it's own wine IIRC
14:59 < adamramadhan> anyone? have same problem with the tun thing ? or tap thing
14:59 < hyper_ch> adamramadhan: no clue really
14:59 < LumberCartel> LinkedIn.com is the only social network that I've found to be pretty good, but that's probably because it focuses on professional life more than anything and doesn't bombard me with a constant deluge of crap.
14:59 < hyper_ch> adamramadhan: just works for me (tm)
14:59 < adamramadhan> hyper_ch : have you see the logs ? http://pastebin.com/gdF1tJct ?
15:00 < LumberCartel> adamramadhan:  Does your device actually exist?  Do you need to run MAKEDEV to craete it?
15:00 < hyper_ch> adamramadhan: I did
15:00 < hyper_ch> there was a time, when I liked social network sites
15:00 < hyper_ch> and then I grew older :)
15:00 < hyper_ch> I don't even have a facebook account
15:01 < adamramadhan> LumberCartel : how can i check that my device is actually exist ?
15:01 < hyper_ch>  just out of curiositry, what kernel are you running?
15:01 < LumberCartel> Look in the "/dev/" directory for it.
15:02 < hyper_ch> and if you have coloured bash, does it appear in yellow?
15:02 < adamramadhan> yes
15:02 < adamramadhan> crw------- 1 root root 10, 200 Apr 15 03:17 /dev/net/tun
15:02 < LumberCartel> And then you should also be able to find it with "ifconfig" and see what its status is.
15:02 < adamramadhan> the /dev/net/tun is yellow
15:02 < LumberCartel> I'm colour-blind because I use BSD.
15:02 < adamramadhan> ifconfig ?
15:03 < LumberCartel> Try:  ifconfig -l
15:03 < LumberCartel> Does the device show up in the list there?
15:03 < hyper_ch> LumberCartel: no bash on bsd?
15:03 < LumberCartel> I don't use it.  I only use Bash to configure OpenVPN.
15:03 < adamramadhan> -l ?
15:03 < LumberCartel> I use Midnight Commander for most of my management.
15:03 < adamramadhan> ifconfig: option `-l' not recognised. XD
15:04 < LumberCartel> Yes, -l should list all your network interfaces.  Try "man ifconfig" to see if your OS is doing something different.
15:04 < Bushmills> -a
15:04 < LumberCartel> On NetBSD, I can use "ifconfig -av" but this doesn't work on some other platforms.
15:04 < adamramadhan> centos 5.4
15:06 < adamramadhan> anyother way ? here is the ifconfig shows me http://pastebin.com/P1uWuqTP
15:07 < LumberCartel> That shows that you only have two adapters.
15:07 < LumberCartel> So your "tun" adapter isn't coming up.
15:08 < adamramadhan> what is exectly a tun ? hardware ? any wiki links ? 
15:08 < adamramadhan> tun = tunesia :| ( wikipedia google )
15:09 < Bushmills> http://en.wikipedia.org/wiki/TUN/TAP
15:09 < vpnHelper> Title: TUN/TAP - Wikipedia, the free encyclopedia (at en.wikipedia.org)
15:09 < hyper_ch> !tun
15:09 < vpnHelper> hyper_ch: Error: "tun" is not a valid command.
15:09 < adamramadhan> thanks :)
15:10 < Bushmills> a tun is a reverse nut
15:11 < hyper_ch> and nuts is a reverse stun
15:12 < hyper_ch> ha! I knew you didn't see that coming :)
15:18 -!- nachox [~imarambio@190.216.26.210] has joined ##openvpn
15:18  * LumberCartel proclaims "Don't stun Ned!"
15:18 < hyper_ch> can I poke his eye with a stick?
15:18 < LumberCartel> Only if he's not a stick fighter.
15:19 < hyper_ch> you know the Order of the Stick?
15:19 < LumberCartel> No, but I know a thing or two about Ass Burgers.
15:19 < hyper_ch> you should read Order of the Stick
15:19 < LumberCartel> Oh, it's a book?
15:20 < hyper_ch> no, a web comic
15:20 < LumberCartel> Is it about stick fighting, and old men in Thailand with rolled up newspapers?
15:20 < hyper_ch> http://www.giantitp.com/comics/oots0001.html
15:20 < vpnHelper> Title: Giant In the Playground Games (at www.giantitp.com)
15:22 < LumberCartel> Ha ha ha!  I love it!  That's excellent!  Thanks for sharing that comic.
15:22  * LumberCartel is designing an MMORPG with an emphasis on Massive.
15:23 < hyper_ch> LumberCartel: it takes a while to get to issue 702
15:23 < hyper_ch> but it's fun :)
15:24 < LumberCartel> Wow!  Does that mean there are 702 good comics there?
15:24 < hyper_ch> I have it in my rss feed... as well as daily dilbert and xkcd
15:24 < hyper_ch> LumberCartel: there are 702 sketches for order of the stick
15:24 < LumberCartel> Fabulous!
15:24 < LumberCartel> I'll read a few each day.
15:24 < hyper_ch> sometimes you get mini-stories that spin accross a couple of sketches
15:24 < LumberCartel> That's good.  That's very MMORPG-ish.
15:24 < hyper_ch> it is :)
15:25 < hyper_ch> very Dungeon & Dragon-ish
15:25 < LumberCartel> The MMORPG that I'm creating takes place on a planet with 19 continents, each with hundreds of cities.
15:25 -!- nachox [~imarambio@190.216.26.210] has quit [Ping timeout: 240 seconds]
15:25 < LumberCartel> I've already designed many cities, but I'm nowhere close to finished yet.
15:25 < LumberCartel> I also have a story that I've written which is close to 65 MBs of raw text.
15:25 < hyper_ch> lol :) sounds like a gargantuous task
15:26 < LumberCartel> It's been my life's work, on the side though.
15:26 < LumberCartel> It's fun.
15:26 < LumberCartel> I just started programming the prototype for the communications protocols.
15:26 < hyper_ch> you mean it's like duke nukem forever?
15:26 < LumberCartel> No, not at all.
15:26 < hyper_ch> I mean always wanting to improve it
15:26 < hyper_ch> and never getting it released
15:26 < LumberCartel> I plan to have 3D characters roaming around on 2D isometric tiles, which are at a slight angle so it looks nice.
15:27 < LumberCartel> Heheh.  The vapourware syndrome.
15:27 < LumberCartel> Well, at the very least I'll have a story that can be published across multiple volumes.
15:27 < hyper_ch> DN Forever was announced to be released for like the last 12 years or so
15:28 < LumberCartel> I never played Dungeons & Dragons, so the mechanics in my game are quite different.
15:28 < LumberCartel> DN Forever?  I've never heard of it.
15:28 < hyper_ch> Duke Nukem Forever :)
15:28 < LumberCartel> Oh.  That's what you mean.  Heheh.
15:28 < hyper_ch> I did a lot of paper and pen D&D playing
15:29 < hyper_ch> Duke Nukem Forever is a first-person shooter video game that has been in development since 1997 by the software developer 3D Realms. It is intended to be a sequel to the 1996 game Duke Nukem 3D, as part of the long-running Duke Nukem video game series. The game's development is directed by George Broussard, one of the creators of the original Duke Nukem game. Intended to be groundbreaking, it became infamous for its severely-protracted 
15:29 < hyper_ch> development schedule. The game has been the subject of much speculation, and has frequently been referred to as vaporware.
15:30 < LumberCartel> My brother used to play it on a 386.
15:30 < LumberCartel> That is hilarious.
15:30 < hyper_ch> http://en.wikipedia.org/wiki/Duke_Nukem_Forever
15:30 < vpnHelper> Title: Duke Nukem Forever - Wikipedia, the free encyclopedia (at en.wikipedia.org)
15:32 < LumberCartel> I think this definition is much better:  http://www.uncyclopedia.org/wiki/Duke_Nukem_Forever
15:32 < vpnHelper> Title: Duke Nukem Forever - Uncyclopedia, the content-free encyclopedia (at www.uncyclopedia.org)
15:33 < hyper_ch> LumberCartel: lol, that's great
15:33 < hyper_ch> didn't know uncyclopedia
15:34 < LumberCartel> I think it was the solution to about 90% of the vandalism problem.
15:35 < LumberCartel> This article will make you laugh so hard:  http://uncyclopedia.wikia.com/wiki/Mother-in-law
15:35 < vpnHelper> Title: Mother-in-law - Uncyclopedia, the content-free encyclopedia (at uncyclopedia.wikia.com)
15:36 -!- nachox [~imarambio@200.68.83.121] has joined ##openvpn
15:36 < hyper_ch> hehehe :)
15:36 < nachox> guys, i'm having some issues with openvpn, the client is a windows vista, the server is a linux behind a nat with ip forwarding enabled
15:36 < hyper_ch> does it have a 9/11 entry
15:36 < LumberCartel> The link to the one about the "sores" (at the bottom) is pretty funny too.
15:37 < nachox> the connection, according to the openvpn gui is established properly
15:37 < hyper_ch> but?
15:37 < nachox> but i cannot ping any machine from the network
15:37 < hyper_ch> !howto
15:37 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:38 < hyper_ch> routing issue I tend to think
15:38 < hyper_ch> !route
15:38 < vpnHelper> hyper_ch: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:38 < LumberCartel> nachox:  Make sure your firewall is disabled if you're using Windows.
15:38 < nachox> already checked
15:39 < hyper_ch> what does your routing table look like?
15:39 < LumberCartel> Well, hyper_ch, thank you for the laughs.  I really enjoyed this conversation.  I have to go, but I look forward to seeing you again.  You can usually find me in #NetBSD if you like.
15:39 < hyper_ch> bsd is too complicated for my simple brain :)
15:39 -!- LumberCartel [~LumberCar@24.86.160.252] has quit [Quit: Sign the anti-spam petition: [ http://www.lumbercartel.ca/law/canada/s-220/ ]]
15:40 < Alphanaut> anyone know what this means in the server log: Fri May 14 16:36:48 2010 us=911000 Error opening registry key: SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\Properties
15:40 < hyper_ch> it means it couldn't open that registry key
15:40 < hyper_ch> or rather upon trying to open that registry key an error occured
15:42 < nachox> hyper_ch, http://pastebin.com/EjakDCM6
15:43 < nachox> i pasted the relevant part of route print and the tap device
15:43 < hyper_ch> you use tap not tun?
15:43 < hyper_ch> !tunortap
15:43 < vpnHelper> hyper_ch: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
15:43 < vpnHelper> hyper_ch: against you over the vpn
15:44 < Alphanaut> holy shiznit i think it worked
15:44 < nachox> hyper_ch, tap
15:44 < Alphanaut> brb!
15:44 < hyper_ch> I see that you use tap.. why don't you use tun=
15:44 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
15:46 < nachox> hyper_ch, i guess because the openvpn tutorial i found when i configured this used tap :)
15:46 < hyper_ch> !howto
15:46 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:46 < hyper_ch> !route
15:46 < vpnHelper> hyper_ch: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:46 < |Mike|> ^!welcome would suit that aswell ;)
15:46 < |Mike|> err, s/suit/explane
15:46 < hyper_ch> |Mike|: why make things simple if you can make them complicated?
15:47 < |Mike|> because we use openvpn :D
15:47 < |Mike|> Hmz, Should I start using twitter ?
15:47 < hyper_ch> hmmm
15:47 < hyper_ch> I have no clue about twitter
15:47 < hyper_ch> but it doesn't look as evil as facebook
15:48 < nachox> hyper_ch, you're suggesting that i switch to tun instead?
15:48 < |Mike|> I always tough that Twitter was for persons which had too much free time ;)
15:48 < |Mike|> *thought
15:48 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Ping timeout: 260 seconds]
15:48 < hyper_ch> !tunortap
15:48 < vpnHelper> hyper_ch: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
15:48 < vpnHelper> hyper_ch: against you over the vpn
15:48 < hyper_ch> nachox: read the above
15:49 < |Mike|> !tunortap nachox 
15:49 < vpnHelper> |Mike|: Error: "tunortap" is not a valid command.
15:49 < |Mike|> meh.
15:49 < hyper_ch> |Mike|: gentoo is for people with too mcuh free time and no friends
15:49 < |Mike|> bots--
15:49 < |Mike|> hyper_ch: i totally agree on that :-p
15:50 < hyper_ch> twitter is apparently for people that don't have time to make a full comprehensive post
15:50 < |Mike|> twitter is a short term for short blogs :-p
15:51 < hyper_ch> well, I have a very popular blog :)
15:51 -!- Alphanaut [~Alphanaut@c-76-119-199-25.hsd1.ma.comcast.net] has joined ##openvpn
15:52 < |Mike|> hyper_ch: url! :-)
15:52 < hyper_ch> http://stats.simplylinux.ch/index.php?module=CoreHome&action=index&idSite=1&period=day&date=yesterday#module=Dashboard&action=embeddedIndex&idSite=1&period=day&date=yesterday
15:52 < vpnHelper> Title: Piwik Web Analytics Reports (at stats.simplylinux.ch)
15:52 < hyper_ch> there's the stats :)
15:52 < hyper_ch> I must have one of the most popular websites on the whole wide internets
15:52 < hyper_ch> :)
15:52 < |Mike|> that translation is the bomb haha
15:53 < hyper_ch> :)
15:53 -!- Alphanaut [~Alphanaut@c-76-119-199-25.hsd1.ma.comcast.net] has quit [Read error: Connection reset by peer]
15:55 < |Mike|> <3 google analytics :p
15:55 < hyper_ch> google is evil
15:55 < |Mike|> one of the (ex) owners of the company i work for works @ google ;)
15:56 < |Mike|> for, ...
15:56 < hyper_ch> although google is less evil than facebook and microsoft and apple
15:57 < |Mike|> Vimium is a Google Chrome extension which provides keyboard shortcuts for navigation and control in the spirit of the Vim editor.
15:57 < |Mike|> I have to try that out !
15:58 < hyper_ch> chromium is nice but no no-script extension :(
15:58 -!- Bloodsong [~Nimbus@70.50.177.230] has quit [Read error: Connection reset by peer]
16:06 -!- amialive [~marcdebru@cc1341944-a.groni1.gr.home.nl] has quit [Quit: amialive]
16:18 -!- adamramadhan [~adamramad@125.166.20.121] has quit []
16:21 -!- squidly [~squidly@HoodLUG/member/squidly] has left ##openvpn ["So long and thanks for all the fish!"]
16:34 -!- nachox [~imarambio@200.68.83.121] has quit [Ping timeout: 240 seconds]
16:54 -!- qfr [~kafir@unaffiliated/yw] has joined ##openvpn
17:00 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
17:01 -!- notbrien [~notbrien@2002:d052:dd6:0:5ab0:35ff:fef5:7a5f] has quit [Quit: notbrien]
17:24 -!- dauergast [~sag@188-193-231-73-dynip.superkabel.de] has joined ##openvpn
17:30 -!- G-Script50 [~sag@f055133188.adsl.alicedsl.de] has joined ##openvpn
17:30 -!- dauergast [~sag@188-193-231-73-dynip.superkabel.de] has quit [Read error: Connection reset by peer]
17:30 -!- G-Script50 [~sag@f055133188.adsl.alicedsl.de] has quit [Client Quit]
17:41 -!- UdontKnow is now known as KnightWhoSaysNi
17:54 -!- EugeneKay is now known as EugeneKaway
18:06 -!- Alphanaut [~Alphanaut@c-76-119-199-25.hsd1.ma.comcast.net] has joined ##openvpn
18:07 < Alphanaut> !slitmywristswithabloodyscrewdriver
18:07 < vpnHelper> Alphanaut: Error: "slitmywristswithabloodyscrewdriver" is not a valid command.
18:07 < krzie> do it!
18:07 < Alphanaut> !welcome
18:07 < vpnHelper> Alphanaut: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:07 < Alphanaut> i'm about to
18:07 < Alphanaut> i'm so close to getting this working
18:07 < krzie> arent you the one with 2 windows machines trying to redirect from 1 to another?
18:07 < Alphanaut> !redirect
18:07 < vpnHelper> Alphanaut: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:07 < Alphanaut> yah i'm close
18:08 < krzie> you know ANYTHING bout linux?
18:08 < Alphanaut> yep
18:08 < Alphanaut> i run ubuntu on my laptop
18:08 < krzie> run a virtual machine on the windows server machine
18:08 < krzie> vpn to that, NAT with that
18:08 < krzie> since XP doesnt do real NAT
18:08 < Alphanaut> hmm
18:09 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
18:09 < Alphanaut> at this point it's the challenge of the whole thing, i could run it in my virtualbox but i KNOW this has to work
18:10 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
18:11 < Alphanaut> !ipforward
18:11 < vpnHelper> Alphanaut: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
18:11 < Alphanaut> !winipforward
18:11 < vpnHelper> Alphanaut: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
18:11 < Alphanaut> !winnat
18:11 < vpnHelper> Alphanaut: "winnat" is http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows
18:13 < krzie> however
18:13 < krzie> you NEED nat
18:13 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
18:13 < krzie> you could set your router to NAT the vpn traffic
18:14 < |Mike|> got wind blows?
18:14 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
18:15 < circut> hey all
18:15 < circut> got a question regarding a briding setup
18:15 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Ping timeout: 246 seconds]
18:15 < krzie> ok but first, what is the layer2 protocol you need over the vpn to use tap?
18:16 < circut> ... ?
18:16 < krzie> !tunortap
18:16 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
18:16 < vpnHelper> krzie: against you over the vpn
18:16 < circut> i need to forward DHCP requests over the VPN link..
18:16 < krzie> not likely
18:16 < krzie> whats your real goal?
18:16 < circut> it is working...
18:16 < krzie> !goal
18:16 < vpnHelper> krzie: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
18:16 < circut> ok give me 1 minute
18:17 < krzie> no no i mean not likely that you actually need that
18:17 < krzie> you can push dhcp options like wins / dns with ovpn
18:17 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
18:17 < krzie> you can route to lans and redirect over the internet with it
18:17 < krzie> all without a bridge
18:17 < krzie> bridging is when you need a certain layer2 protocol
18:17 < circut> http://i39.tinypic.com/73l0rm.jpg
18:17 < circut> that is the topology im working with right now
18:18 < krzie> bridging just for phones!?
18:18 < circut> sorry im not a network ninja but this is the approach that was seeming to work for our setup
18:18 < krzie> adding extra overhead with such small data transfers... you're basically maximizing the overhead of adding another layer
18:19 < krzie> since voip is rone to have many small packets
18:19 < krzie> prone*
18:19 < circut> do you have anything beneficial to offer or are you just here to go off on people
18:19 < krzie> you havnt asked a question, im giving you advice
18:20 < circut> ok then chill out and let me ask a question before you go off
18:20 < circut> im like 75% of the way completed with this briding setup
18:20 < krzie> lol
18:21 < krzie> you act like i called you a dumbass or something, i was just letting you know you could improve your setup
18:21 < circut> i can get a DHCP address  on the phones behind that vpn device
18:21 < circut> krzie: ok then heres the goal
18:21 < circut> krzie: i have voip server which serve's DHCP to phones
18:21 < circut> the phones then grab their config via TFTP and update their firmware
18:21 < circut> we have a sales guy in a satellite office who needs a phone
18:22 < circut> he will be bringing people on so we need to get his office setup to use our VOIP system up north
18:22 < circut> so the only requirement i really have is to have the phones able to pull DHCP/TFTP from a remote location over a VPN
18:23 < circut> from what i (think) i understand, TUN links will not work for this
18:23 < krzie> does it get tftp info from dhcp?
18:23 < circut> yes
18:23 < circut> as well as a few other settings (gateway,NTP server, etc)
18:23 < Bushmills> dhcp3-relay should do nicely
18:23 < krzie> werd
18:24 < circut> dhcp relay using a tun link?
18:24 < krzie> Bushmills, i agree but this one seems violent to the idea of listening to ideas about changing his setup
18:24 < krzie> hehe
18:24 < Bushmills> circut: right
18:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
18:25 < circut> is there another way that krzie would agree with?
18:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
18:26 < Bushmills> he'd agree with you sending him a beer
18:26 < circut> it will be light..
18:26 < krzie> i dont mind if you choose to use bridge, just wanted you to do so knowing the reasons why not
18:26 < krzie> ooo sending a light would damn near be banhammer worthy!
18:28 < krzie> i know a bit about openvpn and know some about voip too (read: used to be 1/2 owner of a profitable voip company)
18:28 < circut> we're all proud of you
18:28 < krzie> using a bridge for a voip setup isnt the best way :-p
18:28 < |Mike|> breezz ? ;)
18:30 < krzie> so circut do you plan on forming your question?
18:30 < krzie> only one i saw was this [19:24]  <circut> dhcp relay using a tun link?  [19:24]  <Bushmills> circut: right
18:31 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
18:31 < krzie> Bushmills, i have a drinking contest tonight
18:32 < krzie> Bushmills, my right hand vs my left hand
18:32 < Bushmills> grin
18:32 < Bushmills> lifting or aiming?
18:32 < circut> basically im unable to ping from the 192.168.154.107 to 192.168.154.10
18:32 < circut> but i can ping 154.12 to 154.10 and vice versa
18:33 < circut> i can arping the broadcast from .107 to .10 all day long, but unicast doesnt seem to work
18:33 -!- Alphanaut [~Alphanaut@c-76-119-199-25.hsd1.ma.comcast.net] has quit [Ping timeout: 240 seconds]
18:34 < circut> let me look into this p2p relay setup
18:34 < circut> which im sure will introduce a whole new slew of problems
18:34 < circut> but i just want this this working
18:35 < circut> s/this/thing/
18:35 < Bushmills> i won an auction of yet another openvpn client..   ARM based 16MiB flash, 64MiB RAM wifi router for 4.50€ :D
18:35 < krzie> !confgen
18:35 < vpnHelper> krzie: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
18:35 < krzie> circut, that will make it pretty lazy
18:36 < circut> the p2p setup?
18:36 < |Mike|> lol
18:36 < Bushmills> dhcp relay was a snap to set up
18:36 < krzie> ya, server client
18:37 < krzie> so you can have more clients as well if you like
18:37 < circut> that would be sexy
18:37 < krzie> you already have certs for the bridge setup, right?
18:37 < circut> yup
18:37 < krzie> cool, you'll be using those
18:37 < krzie> if you dont recognize a file referenced in the configs when done, you may want to make another file
18:37 < krzie> ie: ta.key / dhparams
18:38 < circut> i have those as well
18:39 < krzie> cool
18:39 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Read error: Connection reset by peer]
18:39 -!- donavan [~donavan@unaffiliated/donavan] has left ##openvpn ["Leaving"]
18:40 < circut> so for voip traffic, is a tcp or udp based vpn desired?
18:40 < |Mike|> circut: are you kidding me ?
18:40 < krzie> udp
18:40 < krzie> very much so
18:40 < circut> |Mike|: i am asking a question
18:40 < |Mike|> do some research, for f*ck sake.
18:40 < krzie> do you understand why SIP is udp?
18:40 < circut> one day i will have time to do all that
18:40 < krzie> wait i just thought of something...
18:41 < circut> for now i need something in place
18:41 < krzie> err nm
18:41 < qfr> You always want UDP tbh
18:41 < qfr> Wrapping TCP inside another layer of TCP is catastrophic for the performance
18:41 < |Mike|> 1024 bit packets mmmmmmmkay
18:42 < krzie> hey Bushmills do you know dhcp-relay will work for him?
18:42 < circut> this is what happens when you ask a systems guy to make a vpn
18:42 < |Mike|> circut: systems administrator, okay.
18:42 < circut> pretty much
18:43 < Bushmills> i know that it can be used to forward dhcp request through a router, and deliver replies
18:43 < Bushmills> whether anything works in a specific situation can only be said once it has been actually tested
18:44 < krzie> qfr, voip doesnt use tcp either, but he still wants udp because voip needs to be send and forget, if you start retransmitting do to TCP's error correction the voices lay games
18:44 < krzie> better to have small skips in the voice than retransmissions 
18:45 < qfr> Yeah
18:45 < krzie> s/lay games/play games/
18:45 < |Mike|> penis games ?!
18:46 < |Mike|> what the hell krzie, what's wrong with you !
18:46 < circut> im starting to regret taking his advice
18:46 < |Mike|> this or his?
18:47 < circut> his
18:47 < |Mike|> circut: are you a lesbo?
18:47 < circut> yes
18:47 < |Mike|> okay.
18:48 < |Mike|> But for voip, you might want to look at Breezz (.nl) :d
18:48 < krzie> circut, im not sure... you may need dhcp really
18:48 < krzie> you most certainly need udp tho
18:48 < circut> and compression?
18:48 < |Mike|> krzie: nah he doesn't, dhcp only does tcp, or igmp oid 
18:48 < krzie> circut, what codecs do you use primary
18:49 < krzie> lol |Mike| 
18:49 < circut> ulaw/alaw
18:50 < circut> i think.. id have to double check
18:50 < krzie> ya may as well use compression then
18:50 < krzie> or test it at least
18:50 < krzie> but it would be able to compress some
18:50 < |Mike|> I wonder if his latency gets under 50ms 
18:50 < |Mike|> voip over 50+ms is suckage to the bone
18:50 < krzie> if you used g729 or some other compressed codec ild say no
18:51 < krzie> |Mike|, that is so completely false
18:51 < |Mike|> i'm quite sure that it isn't :)
18:51 < krzie> voip even works over sat links if done right
18:51 < |Mike|> lagg--
18:51 < krzie> nope
18:51 < krzie> perfect
18:51 < krzie> |Mike|, im quite sure of what im talking about, trust me
18:52 < |Mike|> I'm too
18:52 < krzie> ive touched these setups
18:52 < krzie> no, you're sure you werent able to do it
18:52 < krzie> im sure that its currently being used, and works right
18:52 < |Mike|> I suck, i know :D
18:54 < Bushmills> i have usa-europe calls on a daily base. packet latency alone is at least 100 ms. no problems.
18:55 < krzie> Bushmills, the reason i dont think dhcp-relay would work is... which side do you set the route for the dhcp-enabled lan?
18:55 < krzie> youd have the same subnet on both sides of the vpn
18:55 < Bushmills> one the away-side of the dhcp server
18:55 < krzie> and in his rare case, he really does need dhcp
18:56 < krzie> Bushmills, then how will the vpn route back to the clients which need to use dhcp given ip
18:56 < Bushmills> it catches the broadcasts, and will retransmit them to the specified interface.  openvpn tun that would be
18:56 < krzie> oh so bcrelay too
18:56 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
18:57 < krzie> sounds like his is an edge case where a bridge is needed
18:57 < krzie> for dhcp even, heh
18:58 < theDoc> Morn' all.
19:03 < circut> so your saying i need two relay agents now?
19:03 < circut> one for broadcasts and one for dhcp?
19:04 < krzie> honestly you may want bridge
19:06 -!- Hypnoz [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Ping timeout: 260 seconds]
19:07 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
19:10 < krzie> usually its best to use tun, but yours seems to be a situation where you do need it
19:10 < krzie> so when you use those bridge configs, and dont get your ping
19:10 < krzie> start tcpdump, see where its getting stopped
19:12 < krzie> you bridged tap and ethernet device on both vpn endpoints, right?
19:22 < circut> yes
19:24 < circut> the issue is like i said
19:24 < circut> i can ping the broadcast all day long
19:24 < circut> but when i try to ping the actual device, the first arping gets through (bcast) and the unicasts drop off
19:24 < circut> the weird thing is that i see no other traffic going over the bridge after the initial Who-has response
19:24 < circut> its like the connection just drops
19:26 < circut> or traffic rather
19:32 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has joined ##openvpn
19:35 < circut> got pretty quiet alla sudden I see..
19:36 < krzie> [20:10]  <krzie> start tcpdump, see where its getting stopped
19:37 < circut> yea and i said where
19:37 < circut> the arp who-has goes out
19:37 < circut> the answer comes back to the device, and then the traffic just stops ;/
19:38 < krzie> oh
19:38 < circut> i see some rarp's going out too, but no responses for them
19:38 < krzie> so the client doesnt try to keep sending traffic at all? it sends and gets stopped at box?
19:39 < circut> well i have the ping going on the client
19:39 < circut> and it keeps sending them
19:39 < circut> but the intermediate device (.12) doesnt see em..
19:39 < circut> literally, there is *NO* traffic on the bridge
19:41 < krzie> !configs
19:41 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
19:41 < circut> ok 1 min
20:00 -!- xod [~onats@112.201.158.40] has quit [Quit: Ex-Chat]
20:35 -!- tjz [~pc@bb116-14-149-52.singnet.com.sg] has joined ##openvpn
20:35 -!- tjz [~pc@bb116-14-149-52.singnet.com.sg] has quit [Changing host]
20:35 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:37 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has quit [Ping timeout: 258 seconds]
20:46 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
20:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
20:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
20:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
20:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
20:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
21:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
21:07 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
21:08 -!- buntfalke [~nobody@openvpn-p0-127.triple-a.uni-kl.de] has joined ##openvpn
21:08 -!- buntfalke [~nobody@openvpn-p0-127.triple-a.uni-kl.de] has quit [Changing host]
21:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
21:11 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
21:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
21:12 -!- buntfalke_ is now known as buntfalke
21:15 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
21:41 -!- troy- [647ddeaf52@bgp4.us] has quit [Ping timeout: 246 seconds]
21:43 -!- troy- [8102a30e16@bgp4.us] has joined ##openvpn
21:59 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
23:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
23:42 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
--- Day changed Sat May 15 2010
00:04 -!- jumbers [~jumbers@fsf/member/jumbers] has joined ##openvpn
00:06 < jumbers> I'm using a static key TUN setup and while monitoring my traffic with Wireshark, I noticed that all traffic seems to be going through the TUN, except for DNS. It looks like the DNS is going through wlan0 interface instead of tun0. Is there any way to route DNS through the tunnel also?
00:09 < Bushmills> traffic, also dns traffic, follow route
00:10 < Bushmills> so, yes, there is a way. set routes such that traffic goes to desired interface
00:11 < jumbers> Right, but when I go to google.com for example, the DNS seems to go through the wlan interface and then the HTTP traffic seems to go through the tunnel
00:12 < Bushmills> dns traffic doesn't respect google hits. instead, it respects routing table entries.
00:12 < jumbers> I can pastebin my routing table if you'd like
00:13 < Bushmills> helps only of you also show what your resolver is
00:22 -!- jumbers [~jumbers@fsf/member/jumbers] has quit [Ping timeout: 240 seconds]
00:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
01:42 -!- amialive [~marcdebru@cc1341944-a.groni1.gr.home.nl] has joined ##openvpn
01:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
01:48 -!- amialive [~marcdebru@cc1341944-a.groni1.gr.home.nl] has quit [Quit: amialive]
02:23 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 264 seconds]
02:45 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 240 seconds]
03:00 -!- amialive [~marcdebru@cc1341944-a.groni1.gr.home.nl] has joined ##openvpn
03:09 -!- EugeneKaway is now known as EugeneKay
03:11 -!- takamichi [~pri@78.133.92.164] has quit [Ping timeout: 240 seconds]
03:11 -!- takamichi [~pri@78.133.92.164] has joined ##openvpn
03:14 -!- EugeneKay is now known as EugeneSleep
03:20 -!- amialive [~marcdebru@cc1341944-a.groni1.gr.home.nl] has quit [Quit: amialive]
03:21 -!- amialive [~marcdebru@cc1341944-a.groni1.gr.home.nl] has joined ##openvpn
03:21 -!- amialive [~marcdebru@cc1341944-a.groni1.gr.home.nl] has quit [Client Quit]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:45 -!- Rienzilla [rien@sinas.rename-it.nl] has quit [Ping timeout: 276 seconds]
03:54 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
04:04 -!- blueboxthief [~None_of_y@89.181.19.237] has quit [Quit: Leaving.]
04:06 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
04:16 -!- InfoAddict [~ios@60-242-254-22.static.tpgi.com.au] has joined ##openvpn
04:27 < krzie> !iporder
04:27 < vpnHelper> krzie: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
04:27 < hyper_ch> hi krzie
04:28 < hyper_ch> you've seen my highlight to you?
04:46 -!- theDoc [~jaki@bb121-6-23-10.singnet.com.sg] has joined ##openvpn
04:51 -!- takamichi [~pri@78.133.92.164] has quit [Ping timeout: 264 seconds]
04:52 -!- takamichi [~pri@78.133.92.164] has joined ##openvpn
05:12 < krzie> nope, lemme scroll up
05:13 < krzie> it must have been longer ago than my scroll goes
05:13 < krzie> whats up
05:36 -!- theDoc [~jaki@bb121-6-23-10.singnet.com.sg] has quit [Quit: This computer has gone to sleep]
05:36 -!- StewartW [~stewart@78-86-230-247.zone2.bethere.co.uk] has joined ##openvpn
05:38 -!- StewartW [~stewart@78-86-230-247.zone2.bethere.co.uk] has quit [Client Quit]
05:52 < hyper_ch> krzie: [21:03] <hyper_ch> krzee: hi there, if you don't read the backlog, then here's a short summary: to make services on vpned clients accessible to the internet you'll need to alter iptables on linux. Here's an example for port 80 udp/tcp : http://pastebin.com/2F0jZ8Sz  --> I thought that could somewhere be added to the wiki... it took me a little while to figure that out
05:56 < krzie> ahh cool
05:56 < krzie> would you like to make a small writeup on it?
05:57 < hyper_ch> SERVERIP is the ip of the openvpn server
05:57 < hyper_ch> krzie: your english is much better than mine :) and you even know where to add it
05:57 < krzie> the wiki is open for modifications, just gotta sign up
05:57 < hyper_ch> besides, wikis hate me :)
05:57  * hyper_ch doesn't like to sign up
05:57 < krzie> heh
05:59 < krzie> !learn linportforward as to forward port 80 tcp to a vpn client over the VPN, add this to your iptables (replacing <SERVERIP> with the real ip of the server):   iptables -t nat -A PREROUTING -i eth0 -d <SERVERIP> -p tcp --dport 80 -j DNAT --to 10.8.0.8     and     iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i eth0 -p tcp --dport 80 -j ACCEPT
05:59 < vpnHelper> krzie: Joo got it.
06:00 < krzie> !linportforward
06:00 < vpnHelper> krzie: "linportforward" is to forward port 80 tcp to a vpn client over the VPN, add this to your iptables (replacing <SERVERIP> with the real ip of the server): iptables -t nat -A PREROUTING -i eth0 -d <SERVERIP> -p tcp --dport 80 -j DNAT --to 10.8.0.8 and iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i eth0 -p tcp --dport 80 -j ACCEPT
06:00 < krzie> !forget linportforward
06:00 < vpnHelper> krzie: Joo got it.
06:00 < krzie> !learn linportforward as to forward port 80 tcp to a vpn client over the VPN, add this to your iptables (replacing <SERVERIP> with the real ip of the server)
06:00 < vpnHelper> krzie: Joo got it.
06:00 < hyper_ch> well, 10.8.0.8 is the vpn client ip :)
06:01 < krzie> !learn linportforward as iptables -t nat -A PREROUTING -i eth0 -d <SERVERIP> -p tcp --dport 80 -j DNAT --to 10.8.0.8
06:01 < vpnHelper> krzie: Joo got it.
06:01 < krzie> bleh good point
06:01 < krzie> !forget linportforward *
06:01 < vpnHelper> krzie: Joo got it.
06:01 < hyper_ch> and eth0 is the "public" interface on the server
06:01 < krzie> !learn linportforward as to forward port 80 tcp to a vpn client over the VPN, add this to your iptables (replacing <SERVERIP> with the real ip of the server, and <VPNIP> with the clients VPN ip)
06:01 < vpnHelper> krzie: Joo got it.
06:01 < krzie> fuckit, they can figure that part out :-p
06:02 < krzie> !learn linportforward as iptables -t nat -A PREROUTING -i eth0 -d <SERVERIP> -p tcp --dport 80 -j DNAT --to <VPNIP>
06:02 < vpnHelper> krzie: Joo got it.
06:02 < krzie> !learn linportforward as iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i eth0 -p tcp --dport 80 -j ACCEPT
06:02 < vpnHelper> krzie: Joo got it.
06:02 < krzie> !linportforward
06:02 < vpnHelper> krzie: "linportforward" is (#1) to forward port 80 tcp to a vpn client over the VPN, add this to your iptables (replacing <SERVERIP> with the real ip of the server, and <VPNIP> with the clients VPN ip), or (#2) iptables -t nat -A PREROUTING -i eth0 -d <SERVERIP> -p tcp --dport 80 -j DNAT --to <VPNIP>, or (#3) iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i eth0 -p tcp --dport 80 -j
06:02 < vpnHelper> krzie: ACCEPT
06:02 < hyper_ch> :)
06:02 < krzie> bleh
06:03 < krzie> i want it in 1 message, cant split the iptables command
06:03 < krzie> !forget linportforward *
06:03 < vpnHelper> krzie: Joo got it.
06:03 < hyper_ch> wouldn't it be simpler to create a page in the wiki
06:03 < hyper_ch> and have the bot referring to it?
06:03 < krzie> !learn linportforward as to forward port 80 tcp to a vpn client, use this (replacing <SERVERIP> with the real ip of the server, and <VPNIP> with the clients VPN ip)
06:03 < vpnHelper> krzie: Joo got it.
06:03 < krzie> !learn linportforward as iptables -t nat -A PREROUTING -i eth0 -d <SERVERIP> -p tcp --dport 80 -j DNAT --to <VPNIP>
06:03 < vpnHelper> krzie: Joo got it.
06:03 < krzie> !learn linportforward as iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i eth0 -p tcp --dport 80 -j ACCEPT
06:03 < vpnHelper> krzie: Joo got it.
06:04 < krzie> yes it would, but you dont want to do that
06:04 < krzie> nor do i, i dont even use linux
06:04 < krzie> !linportforward
06:04 < vpnHelper> krzie: "linportforward" is (#1) to forward port 80 tcp to a vpn client, use this (replacing <SERVERIP> with the real ip of the server, and <VPNIP> with the clients VPN ip), or (#2) iptables -t nat -A PREROUTING -i eth0 -d <SERVERIP> -p tcp --dport 80 -j DNAT --to <VPNIP>, or (#3) iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i eth0 -p tcp --dport 80 -j ACCEPT
06:04 < krzie> there
06:04 < hyper_ch> what do you mean by you don't use linux?
06:05 < krzie> i mean i dont use linux
06:05 < hyper_ch> what do you use then?
06:05 < krzie> i use freebsd for servers and osx for desktop
06:05 < hyper_ch> Mac?
06:05 < hyper_ch> ah :)
06:05 < hyper_ch> BSD
06:05 < hyper_ch> does BSD not have iptables?
06:05 < krzie> ipf / ipfw / pf
06:05 < mwheeler> It can have iptables
06:05 < krzie> in order of which i feel is better, last being best
06:05 < mwheeler> But ipfw is win
06:06 < hyper_ch> :)
06:14 < hyper_ch> what makes ipfw so good?
06:15 < hyper_ch> !linportforward
06:15 < vpnHelper> hyper_ch: "linportforward" is (#1) to forward port 80 tcp to a vpn client, use this (replacing <SERVERIP> with the real ip of the server, and <VPNIP> with the clients VPN ip), or (#2) iptables -t nat -A PREROUTING -i eth0 -d <SERVERIP> -p tcp --dport 80 -j DNAT --to <VPNIP>, or (#3) iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i eth0 -p tcp --dport 80 -j ACCEPT
06:15 < hyper_ch> btw, is there a way that I can make the bot output a factoid to someone?
06:15 < hyper_ch> e.g.  !howto | krzie
06:16 < krzie> nope, would be cool tho
06:16 < hyper_ch> it's not a supybot, is it?
06:18 < krzie> sure is
06:18 < krzie> if you know how, show me =]
06:18 < krzie> !howto > hyper_ch 
06:18 < vpnHelper> krzie: Error: "howto" is not a valid command.
06:18 < krzie> !howto | hyper_ch 
06:18 < vpnHelper> krzie: Error: "howto" is not a valid command.
06:18 < krzie> !howto
06:18 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:18 < hyper_ch> I've seen that modification on supybot
06:19 < krzie> oh
06:19 < hyper_ch> but not sure if vpnHelper is a supybot
06:19 < krzie> he is
06:19 < hyper_ch> :)
06:27 -!- motd2k [~motd2k@87-194-148-242.bethere.co.uk] has joined ##openvpn
06:27 < motd2k> !welcome
06:27 < vpnHelper> motd2k: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:27 < hyper_ch> !testotest
06:27 < vpnHelper> hyper_ch: Error: "testotest" is not a valid command.
06:29 < motd2k> !redirect
06:29 < vpnHelper> motd2k: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
06:30 < hyper_ch> krzie: what factoids plugin are you using?
06:31 < krzie> !plugins
06:31 < vpnHelper> krzie: Error: "plugins" is not a valid command.
06:31 < krzie> bleh
06:31 < krzie> !help
06:31 < vpnHelper> krzie: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
06:31 < krzie> !list
06:31 < vpnHelper> krzie: Admin, Channel, ChannelLogger, Config, Factoids, Google, Misc, Owner, Seen, Services, User, and Web
06:31 < krzie> Factoids
06:39 < hyper_ch> !Config
06:39 < vpnHelper> hyper_ch: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
06:59 < hyper_ch> @tell hyper_ch factoids linipforward
07:00 < hyper_ch> !tell hyper_ch factoids linipforward
07:07 < krzie> !tell
07:07 < vpnHelper> krzie: (tell <nick> <text>) -- Tells the <nick> whatever <text> is. Use nested commands to your benefit here.
07:07 < krzie> !tell hyper_ch [linipforward]
07:08 < hyper_ch> hmmm
07:08 < krzie> !tell hyper_ch hey whats up
07:08 < hyper_ch> !tell krzie [howto]
07:08 < krzie> oh its in msg
07:08 < krzie> cool
07:08 < hyper_ch> :)
07:33 -!- g4tsu [~g4tsu@ks301270.kimsufi.com] has quit [Quit: leaving]
08:20 < qfr> I have one 100 Mbit server S, several clients A, B, C all over the world. I want to enable A, B, C to use the outgoing IP of S to access the internet using OpenVPN. It would also be nice if A, B, C could access each other using their VPN addresses. What kind of setup should I be looking at? What guide shall I read? The last time I did this I used a point-to-point tunnel but I believe that is limited to just one client per interface or something?
08:26 < krzie> !redirect
08:26 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
08:26 < qfr> Thanks
08:26 < qfr> !def1
08:26 < vpnHelper> qfr: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
08:27 < krzie> yw
08:27 < krzie> also
08:27 < krzie> !confgen
08:27 < vpnHelper> krzie: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
08:28 < krzie> that will get the config portion up and running very fast
08:28 < krzie> you'll still need to generate certs, dh params, and a tls static key for hmac
08:28 < krzie> and of course setup your NAT and ip forwarding on the OS of your server
08:28 < krzie> server is what OS?
08:29 < qfr> Arch Linux
08:29 < qfr> IPv4 forwarding is already sysctl'ed
08:29 < krzie> !linnat
08:29 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
08:29 < qfr> I know how to iptables DNAT etc that too
08:29 < krzie> !linipforward
08:29 < vpnHelper> krzie: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
08:30 < krzie> actually its a src nat
08:30 < qfr> I used DNAT for my tunnel :O
08:30 < qfr> Worked fine
08:30 < qfr> I don't even know what SNAT is
08:30 < krzie> *shrug* ok, dont see how it would tho
08:31 < krzie> dnat changes destination IP, snat changes source ip
08:31 < krzie> a destination change would be useful for port forwarding
08:31 < qfr> Yes, I forwarded one port
08:31 < krzie> a source change would be useful for communicating out to the internet with source ip that can be routed back to
08:32 < krzie> in this instance its not dnat you need ;]
08:32 < krzie> its the snat entry given above
08:33 < krzie> my confgen will give you yours tho =]
08:33 < ecrist> \o
08:33 < qfr> In my last setup I didn't have to use iptables at all to use the outgoing IPv4 of the server
08:33 < qfr> Through the VPN
08:33 < krzie> qfr, well im telling you how to do it =]
08:33 < krzie> if you know a better way, feel free to try
08:33 < krzie> however, you did ask :-p
08:35 < ecrist> morning, krzie
08:35 < qfr> I'd have to use SNAT if I wanted to give one outgoing IPv6 to each of the clients?
08:35 < qfr> I have a global IPv6/64 block on that box
08:35 < krzie> good morning ecrist, back in usa?
08:35 < ecrist> krzie: not yet.  sitting in YOW awaiting my flight at 1105 local
08:35 < krzie> you cant give ipv6 ips with openvpn yes, unless you use a patch
08:35 < krzie> !ipv6
08:35 < vpnHelper> krzie: "ipv6" is (#1) http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_OpenVPN_Tunnelbroker.php?lang=en to learn how to setup openvpn to be an ipv6 tunnel broker, or (#2) Here are some scripts from the mail list: http://article.gmane.org/gmane.network.openvpn.user/27514 or from a mirror: http://www.ircpimps.org/join-0.8.tar, or (#3) http://www.greenie.net/ipv6/openvpn.html for ipv6 payload patch
08:35 < vpnHelper> krzie: (adds some nice ipv6 options)
08:36 < krzie> #3
08:36 < qfr> Aw, too bad :[
08:36 < ecrist> qfr: download our devel snapshot, IPv6 is supported.
08:36 < ecrist> !devel
08:36 < vpnHelper> ecrist: Error: "devel" is not a valid command.
08:36 < krzie> oh good point
08:36 < ecrist> !learn devel as Download devel snapshot at ftp://ftp.secure-computing.net/pub/openvpn/
08:36 < vpnHelper> ecrist: Joo got it.
08:37 < krzie> i try not to end factoids with URLs because when you add a second, it appends a , to the first
08:37 < qfr> Well, I don't really need that anyways, in this case I need to talk to IPv4 clients almost exclusively ;[
08:37 < qfr> It's sad how ISPs are ignoring IPv6
08:37 < ecrist> qfr: they're not
08:37 < ecrist> Comcast is rolling IPv6 out this summer
08:37 < qfr> Really? Wow.
08:37 < ecrist> I should have my block in ~30 days
08:37 < qfr> Awesome.
08:37 < qfr> I bet it'll take until 2015 until IPv6 kicks in in Germany
08:38 < krzie> ive gone all this time not caring if anyone uses ipv6...
08:38 < qfr> However, I have a DOCSIS3 modem - that protocol was explicitly designed for IPv6, in 2006
08:39 < krzie> hah
08:39 < ecrist> krzie: I'm guessing there will be address block applications refused in <2 years due to shortage of space
08:39 < krzie> it sure wasnt
08:39 < krzie> DOCSIS3 had a LOT more special about it than ipv6
08:39 < qfr> krzie: oh? Wikipedia suggested that it was one of the major features
08:39 < qfr> Well, not the sole reason, obviously :)
08:39 < ecrist> qfr: DOCSIS3 was more designed for higher bandwidth and multip channel negotiations than IPv6
08:39 < krzie> increased bandwith, protection from people stealing internet / spoofing other modems
08:39 < qfr> Right
08:40 < krzie> you said "that protocol was explicitly designed for IPv6"
08:40 < krzie> i didnt say that ipv6 wasnt a feature in it
08:40 < krzie> but explicitly designed, not
08:40 < ecrist> qfr: most major ISPs now, at least state-side, have been using IPv6 in their core for years.  last mile is always the most difficult.
08:40 < qfr> Yeah, my choice of words was wrong
08:40 < qfr> Their setup is irritating
08:40 < qfr> I receive about 200-600 ARPs per second
08:40 < qfr> From them
08:41 < qfr> From other modems in my area
08:41 < ecrist> IPv6 doesn't do ARP
08:41 < krzie> ipv4 doesnt either ;]
08:41 < ecrist> actually, it is a necessary part of LAN IPv4
08:42 < krzie> different layer
08:42 < qfr> The DOCSIS modems are broadcasting ARPs on the local network here apparently
08:42 < krzie> arp happens in layer2, ipv* is layer3
08:42 < qfr> So... I could reply to them, hijacking ISP gateways I guess?
08:42 < ecrist> I understand, krzie, but IPv5 breaks at the LAN without it
08:42 < ecrist> s/IPv5/IPv4/
08:42 < krzie> so a lan with ipv6 doesnt use ARP?
08:43 < ecrist> not at all
08:43 < krzie> interesting, how does the layer2 handle communications?
08:43 < ecrist> it has a neighbor discovery with ICMP6
08:43 < krzie> ahh
08:43 < ecrist> with IPv6, you cannot block ICMP6 the way we do with IPv4's ICMP
08:43  * ecrist was in some low-level seminars this week on IPv6
08:44 < ecrist> by low level, I mean source code review of the protocol stack in FreeBSD
08:44 < krzie> its still a specific icmptype tho, and the ones you choose can still be blocked, right?
08:44 < qfr> Anyways, IPv6 would eradicate the need for NAT, eh?
08:44 < krzie> personally, i never blocked all icmp, always left 0,1,8 open iirc
08:44 < ecrist> krzie: yes, but there's scoping and such to help with that.
08:44 < qfr> I could just give out globally unique addresses to all of my boxes in the network
08:44 < qfr> - assuming I want them DMZ'ed.
08:45 < krzie> not 100% on the types, but from memory i think its 0,1,8
08:45 < ecrist> I'm going to be glad to be rid of this old POS MBP
08:45 < ecrist> my battery has lasted about 30 mins, and it'll be dead in another 15
08:45 < qfr> MBP = ?
08:46 < krzie> macbookpro
08:46 < qfr> o_O
08:46 < krzie> ya im looking forward to getting my new one too
08:46 < krzie> i have over 1/2 the $ saved
08:46 < qfr> You buy Apple products?
08:46 < krzie> you dont?
08:46 < qfr> Of course not
08:46 < krzie> oh wait, rather:
08:46 < krzie> you care?
08:47 < qfr> Certainly
08:47 < krzie> *shrug* care less, go setup your vn
08:47 < krzie> vpn
08:47 < krzie> :p
08:47 < krzie> for the record, if you use my confgen it will go everything for you, including giving you the NAT entry to add
08:48 < krzie> you'll just need to make your certs
08:48 < krzie> (and it will do that too after ecrist rewrites ssl-admin)
08:48 < qfr> Yeah the last time I didn't use certs
08:48 < qfr> Just that key
08:48 < qfr> Which people recommended against
08:48 < krzie> nobody cares about last time =]
08:49 < krzie> everything ive told you that you need, you tell me how you did something else last time
08:49 < qfr> Sure, because I'd like to get feedback on what I did in the past
08:50 < qfr> "that's a bad setup"
08:50 < krzie> sry if that seems rude, but you should focus on this time
08:50 < qfr> "yeah that was a bad idea"
08:50 < krzie> its an option for last time, not for this time
08:50 < krzie> last time you could only have 2 endpoints, no client or server, which means no multiple clients
08:50 < qfr> So is using a key over a cert bad?
08:50 < krzie> its less good
08:50 < qfr> Somebody told me that's easy to MITM or something
08:50 < krzie> i wouldnt do it...
08:51 < krzie> *shrug* you would be done with your setup already if you were using my confgen
08:51 < qfr> I was busy eating ;[
08:51 < krzie> youd have configs for your server and every client already finished
08:54 < ecrist> krzie: ftr, I was informed by Colin Percival that CBC ciphers are not secure, and can be easily forged.
08:54 < krzie> no shit
08:54 < krzie> did he give any reading material?
08:55 < krzie> that no shit was more like a surprised one, not me saying i knew
08:55 -!- EugeneSleep is now known as EugeneKay
08:55 < ecrist> there will be a copy of the presentation soon.  when I get it, I'll forward it to you.
08:55 < krzie> thx
08:55 < krzie> so this was just dropped?
08:55 < ecrist> no, it's been known about ~5 years
08:55 < krzie> hah
08:56 < krzie> now im really surprised, i didnt know bout that
08:57 < ecrist> BSDCan was quite enlightening
08:57 < ecrist> also, Canadian strip clubs are ++++
08:57 < krzie> hah
08:57 < krzie> thats cause you havnt been here
08:58 < ecrist> invite me some time. ;)
08:58 < krzie> here there is no lap dance, just a by the hour hotel in the back
08:58 < krzie> and they dance 100% nude
08:58 < ecrist> they are 100% nude here, too
08:59 < ecrist> and you can touch
08:59 < krzie> here too
08:59 < ecrist> :)
08:59 < krzie> and they stay open til like 5am, whereas the bars close at 2, and you can drink of course
08:59 < krzie> in fact its not so uncommon to take your girl there after hours just to get beers
09:02 < ecrist> I need to log, my battery is dead.
09:02 < krzie> werd
09:02 < krzie> i should sleep prolly
09:03 -!- julius [~julius@217.20.127.15] has quit [Disconnected by services]
09:14 < qfr> krzie I am using your script
09:14 < qfr> "Will the server share its LAN with the VPN?" I presume I want yes there so they can use its outgoing IPv4?
09:18 < qfr> Oh, "Do you want clients to send all their internet traffic through the server", nevermind :P
09:28 -!- AldoBR [~AldoBR@189.70.55.133] has joined ##openvpn
10:09 -!- disposable [disposable@blackhole.sk] has joined ##openvpn
10:13 < disposable> is there a way to limit which openvpn client can talk to which? e.g. some clients can only talk to openvpn server, some can also talk to selected others. 
10:14 < qfr> disposable: krzie's OpenVPN configuration generator has an option for that - no idea what it outputs though
10:14 < qfr> There's an option which enables firewalling between VPN clients
10:14 < qfr> On the OpenVPN server
10:15 < qfr> Then you can use iptables to block stuff I guess
10:18 < disposable> qfr: thanks
10:19 < qfr> !confgen
10:19 < vpnHelper> qfr: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
10:19 < qfr> That's his script
10:20 -!- AldoBR [~AldoBR@189.70.55.133] has quit [Ping timeout: 268 seconds]
10:21 < qfr> Hmm ./buid-server generated a 01.pem which appears to be radically different from openssl dh1024.pem output - which, in name, is referred to by krzie's confgen
10:41 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:49 < qfr> Hmm it seems openvpn fails to ifconfig if I have it drop to a non-root account
10:49 < qfr> Sat May 15 17:47:44 2010 us=941852 /sbin/ifconfig tun0 0.0.0.0
10:49 < qfr> SIOCSIFADDR: Permission denied
10:51 < hyper_ch> well, openvpn must be run as root
10:51 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:52 < qfr> hyper_ch: So using a separate user doesn't work? krzie's script generates that hm
10:52  * qfr shrugs
10:52 < qfr> I guess I'll run it as root then
10:52 < qfr> hyper_ch: I mean I initially launch it as root of course
10:52 < qfr> With user vpn
10:52 < qfr> group vpn
10:52 < qfr> In the .conf
10:54 < hyper_ch> I still have no clue what you do
10:54 < qfr> hyper_ch: You can launch openvpn and have OpenVPN change its own uid and gid, right?
10:54 < qfr> Using the user and group command, respectively
10:54 < qfr> krzie recommends to do that
10:54 < qfr> For security reasons
10:55 < hyper_ch> if that user has according rights
10:55 < hyper_ch> but better confer with krzie
10:56 < Bushmills> changing firewall rules would be done with for example an --up script, which runs while openvpn still has root privileges
10:57 < Bushmills> after downgrade of permissions, there is no mechanism to change firewall rules anymore
10:57 < krzie> my script tells you to start it as root
10:57 < Bushmills> (unless shutdown leads to execution of --down script)
10:57 < krzie> --user and --group downgrade permissions after
10:57 < krzie> [11:57]  <Bushmills> after downgrade of permissions, there is no mechanism to change firewall rules anymore
10:58 < krzie> not true, a --client-connect script could do that on a per-client basis, but then you cant drop permissions
10:58 < Bushmills> ah. you think server?
10:58 < Bushmills> i though client
10:58 < Bushmills> thought
10:58  * hyper_ch still thinks the best way to protect the computer is to compile everything with the --no-bugs option
10:58 < qfr> krzie: Well I launch it as root of course
10:59 < krzie> oh, no idea, i didnt read enough scroll possibly
10:59 < qfr> But openvpn was so far unable to ifconfig tun0 when it uses --user and --group
10:59 < krzie> [11:21]  <qfr> Hmm ./buid-server generated a 01.pem which appears to be radically different from openssl dh1024.pem output - which, in name, is referred to by krzie's confgen
10:59 < krzie> dh*.pem is DH params
10:59 < krzie> !dh
10:59 < vpnHelper> krzie: "dh" is build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN
10:59 < qfr> Yeah I generated a dh1024.pem with openssl
10:59 < qfr> And a ta.key
11:00 < qfr> Neither of which were covered by the easy-rsa thing
11:00 < qfr> Which I did use, too
11:00 < krzie> disposable, 
11:00 < krzie> !c2c
11:00 < vpnHelper> krzie: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
11:00 < vpnHelper> krzie: behind other clients
11:00 < qfr> It also appears to have generated lots of files which aren't referred to at all by the confgen output so I've been ignoring them so far
11:00 < krzie> qfr, ya, once you understand PKI fully you'll know what all those files are ;]
11:01 < qfr> krzie: Do you have any idea how to run openvpn with --user and --group such that openvpn will not run into ifconfig permission problems?
11:01 < krzie> but your config only needs what is referenced in those configs
11:01 < qfr> Excellent
11:01 < krzie> qfr, you should have ifconfig permission issues from --user  --group
11:01 < krzie> err
11:01 < krzie> should NOT
11:01 < qfr> :O
11:02 < krzie> ive never run a non-win vpn as root
11:02 < krzie> lets see your configs and logs on pastebin
11:02 < krzie> ild type !configs and !logs, but my confgen should have made stuff how ild wanna see it ;]
11:03 < krzie> assuming you used default log verbosity
11:03 < qfr> Oh, odd, it works now
11:03 < qfr> It just failed the first time
11:03 < qfr> I am not sure why
11:03 < krzie> it was scared of me ;)
11:03 < qfr> I didn't even change the config
11:03 < krzie> im guessing maybe you accidently forgot 'sudo' or something
11:03 < krzie> but doesnt matter now, cause it works!
11:03 < qfr> Nah I ran it as root
11:03 < qfr> I don't have sudo installed
11:04 -!- bandini [~bandini@host198-107-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn
11:04 < qfr> Yeah, cheers
11:04 < krzie> you just gave me a ++ on if the confgen was worth coding
11:04 < krzie> its not entirely wrong to say many have spent days getting that same setup running for their first time
11:05 < qfr> Sat May 15 18:02:56 2010 us=972163 /sbin/ifconfig tun0 0.0.0.0
11:05 < qfr> SIOCSIFADDR: Permission denied
11:05 < qfr> SIOCSIFFLAGS: Permission denied
11:05  * hyper_ch just bugged all the people here in the channel until his setup worked :)
11:05 < qfr> Oh yeah it still fails
11:05 < krzie> hrm, logs and configs
11:06 < krzie> !pastebin
11:06 < qfr> krzie: I mean, this is not really surprising since non-root accounts can't ifconfig, if I am not mistaken
11:06 < vpnHelper> krzie: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
11:06 < hyper_ch> !tell qfr [welcome]
11:06 < krzie> it does ifconfig and routes and all before it drops permissions
11:06 < krzie> lol hes far past [welcome]
11:07 < hyper_ch> doesn't welcome list all the logs and stuff?
11:07 < hyper_ch> !welcome
11:07 < vpnHelper> hyper_ch: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:07 < krzie> but i understand the wanting to play with the feature we just found
11:07 < krzie> he doesnt need !logs or !configs
11:07 < qfr> krzie: http://siyobik.info/index.php?module=pastebin&id=452
11:07 < krzie> he used my confgen, configs are clean and logs are verb 5 by default
11:07 < hyper_ch> krzie: you said he does: [18:05] <krzie> hrm, logs and configs
11:08 < krzie> right, but the point of those commands is so people do it right
11:08 < krzie> i wont look at a page of comments on 15 lines of config options
11:08 < krzie> nor does a verb 3 logfile help any
11:08 < qfr> Now it says: Sat May 15 18:08:04 2010 us=854074 /sbin/ifconfig tun0 10.0.0.1 netmask 255.255.255.0 mtu 1500 broadcast 10.0.0.255
11:08  * qfr shrugs
11:08 < qfr> No error
11:08 < qfr> Ahhh haha
11:09 < qfr> I am stupid
11:09 < qfr> It only happens when I Ctrl + C out of it and I erroneously thought it occured prior to the Ctrl + C :P
11:09 < krzie> lol
11:09 < qfr> Because it has already lost privilege at the time
11:09 < qfr> Obviously
11:09 < krzie> so that was on stoppage
11:09 < qfr> Yeah, which makes sense
11:09 < krzie> when you stop it, it will ALWAYS do that when you have dropped perms
11:10 < krzie> but then all routes over the vpn drop, cause the tun device closes
11:10 < qfr> Ok
11:10 < krzie> and heres something to know
11:10 < qfr> So it's no issue
11:10 < krzie> !def1
11:10 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
11:10 < krzie> WITH def1 you will still have routes after closing the vpn
11:10 < krzie> WITHOUT def1, you wont
11:10 < qfr> Oh snap
11:10 < krzie> both can be useful, depending on your needs
11:10 < krzie> my script should use def1
11:10 < qfr> It does
11:11 < krzie> (most common need)
11:11 < qfr> In my case I want the routes to persist since the client's ISP IPv4 must not be leaked
11:11 < qfr> I guess?
11:11 < krzie> so the client must NEVER access the net without the vpn, even if he kills the vpn
11:11 < krzie> ?
11:12 < qfr> Well, if the VPN is killed then it's intentional so it's alright
11:12 < krzie> ok
11:12 < krzie> then you're fine
11:12 < qfr> Cheers
11:12 < krzie> under 3 hours from start to finish
11:12 < krzie> confgen++
11:12 < qfr> Haha I am not done yet
11:12 < qfr> Plus I am not really working hard :P I am watching series etc
11:12 < krzie> you said it works, what else do you want it to do
11:13 < krzie> it cant do backflips ;)
11:13 < qfr> I mean, openvpn launches without errors :P
11:13 < qfr> On the server
11:13 < qfr> The actual drama is about to start!
11:13 < krzie> well if ip forwarding is enabled, and you ran the iptables command given by my script, it works :-p
11:14 < krzie> ya you most certainly werent working hard on it if you just started the server ;)
11:14 < krzie> unless you made 4096 dh params, which would be VERY pointless since all 1024 bits arent even used
11:15 < krzie> shit i have to wakeup for work in 2.5 hours
11:15 < krzie> maybe im better off not sleeping
11:15 < hyper_ch> krzie: work on a saturday?
11:15 < krzie> and sunday
11:15 < hyper_ch> what poor job do you have :(
11:15 < krzie> fridays off
11:16 < krzie> computer guy :-p
11:16 < hyper_ch> oh cool.... so you know lots about computers and stuff? :)
11:16 < krzie> :-
11:16 < krzie> :-p
11:17 < hyper_ch> you do comcast support in a call center?
11:17 < krzie> nope, im not indian
11:17 < hyper_ch> well, krzie sounds indian
11:17 < krzie> and support would force me to kill
11:17 < hyper_ch> so you're a on site tech guy?
11:17 < krzie> here is different, i can fuck with the annoying ones, and/or ban them
11:17 < qfr> Sat May 15 18:17:37 2010 us=755486 Initialization Sequence Completed
11:17 < qfr> :O
11:18 < krzie> i do whatever needs to be done
11:18 < hyper_ch> hehehe, order 1500 PS3s for flight simulation calclations?
11:18 < krzie> if theres a need for it, ill get it done :p
11:18 < hyper_ch> :)
11:18 < krzie> (assuming the pay is right)
11:19 < hyper_ch> you also hack cars?
11:19 < krzie> i even hack panties
11:19 < qfr> 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=22.1 ms; cheers
11:19 < qfr> Time to iptables it
11:19 < hyper_ch> --> http://www.theinquirer.net/inquirer/blog-post/1648690/researchers-hack-cars-computers
11:19 < vpnHelper> Title: Researchers hack cars' computers - The Inquirer (at www.theinquirer.net)
11:20 < hyper_ch> qfr: you want to run servers on one of the clients?
11:20 < qfr> hyper_ch: Servers? I have already forwarded ports
11:20 < qfr> -A PREROUTING -i eth0 -p tcp -m tcp --dport 44312 -j DNAT --to-destination 10.0.0.2:44312
11:20 < qfr> Etc
11:21 < hyper_ch> oh, you already did it :(
11:21 < krzie> hehe
11:21 < krzie> qfr, hyper_ch just donated some DNAT commands to the bot last night for that ;]
11:21 < hyper_ch> !linipforward
11:21 < vpnHelper> hyper_ch: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
11:21 < qfr> What does the WRWRWRWWWWRRRRRRR stuff in the openvpn CLI output mean?
11:22 < hyper_ch> no, that's not it
11:22 < qfr> Read write?
11:22 < hyper_ch> hmmm, waht was it again?
11:22 < qfr> Is that because of level 5?
11:22 < hyper_ch> !linportforward
11:22 < vpnHelper> hyper_ch: "linportforward" is (#1) to forward port 80 tcp to a vpn client, use this (replacing <SERVERIP> with the real ip of the server, and <VPNIP> with the clients VPN ip), or (#2) iptables -t nat -A PREROUTING -i eth0 -d <SERVERIP> -p tcp --dport 80 -j DNAT --to <VPNIP>, or (#3) iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i eth0 -p tcp --dport 80 -j ACCEPT
11:22 < qfr> Oh I had only net.ipv4.conf.default.forwarding = 1
11:23 < qfr> net.ipv4.ip_forward was still 0
11:23 < krzie> !linipforward
11:23 < vpnHelper> krzie: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
11:23 < qfr> Still can't ping the internet hmm
11:24 < hyper_ch> do you miss dns entries
11:24 < hyper_ch> I mean nameserver entries
11:24 < qfr> I am trying to ping 4.2.2.1
11:25 < hyper_ch> do you have routes to there?
11:25 < krzie> !iptables
11:25 < vpnHelper> krzie: "iptables" is (#1) o test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT;, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-
11:25 < vpnHelper> krzie: computing.net/wiki/index.php/OpenVPN/Firewall
11:25 < krzie> do that, then set the iptables rule given to you by my script
11:25 < qfr> Well it pushed def1
11:25 < krzie> save your rules first
11:26 < krzie> [12:22]  <qfr> Is that because of level 5?
11:26 < krzie> yes
11:26 < krzie> thats in fact WHY its at level 5 =]
11:26 < qfr> http://siyobik.info/index.php?module=pastebin&id=453
11:26 < qfr> Where xx is the global IPv4 of the OpenVPN server
11:26 < krzie> routes look good
11:27 < krzie> do what i said
11:27 < krzie> i knew it wasnt routes
11:27 < krzie> i believe its firewall
11:27 < qfr> I shall iptables-save
11:27 < krzie> (see part 2 of our topic ;] )
11:27 < qfr> http://siyobik.info/index.php?module=pastebin&id=454
11:28 < qfr> Looks like those are missing
11:29 < krzie> im gunna get 1.5 hrs of sleep while i can
11:29 < krzie> do !iptables then your NAT rule
11:30 < qfr> I just did that
11:30 < krzie> then test, once it works, then you can start adding back in your rules
11:30 < qfr> Still no replies
11:30 < qfr> Oh
11:30 < qfr> You mean removing them all?
11:30 < krzie> no shit
11:30 < krzie> !iptables
11:30 < vpnHelper> krzie: "iptables" is (#1) o test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT;, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-
11:30 < vpnHelper> krzie: computing.net/wiki/index.php/OpenVPN/Firewall
11:30 < krzie> get rid of them all
11:31 < krzie> sorry that wasnt clear, it does say OR
11:31 < krzie> but ya, try that
11:31 < krzie> while adding them back once working, keep testing, see what breaks it, then fix it
11:33 < qfr> iptables -L is empty hmm
11:33 < qfr> All policy accept
11:34  * hyper_ch gvies krzie a chocolated coated cookie and noms one himself
11:34 < qfr> Why does iptables-save still show my old rules
11:34 < qfr> I am puzzled
11:34 < qfr> iptables -L is empty
11:34 < qfr> I thought iptables-save basically created data from iptables -L, active rules
11:34 < Bushmills> check   iptables -t nat -nvL
11:35 < qfr> They're still in there >:O
11:35 < Bushmills> thus, you didn't delete them
11:35 < qfr> But shouldn't iptables -F kill all of them?
11:36 < hyper_ch> don't you have to specify which table to flush?
11:37 < qfr> Oh :|
11:37 < hyper_ch> well, not too familiar with iptables myself :)
11:38 < Bushmills> not sure whether the -t nat tables are flushed too without explicitely specifying them
11:38 < qfr> [root@voidandfire ~]# iptables -F POSTROUTING
11:38 < qfr> iptables: No chain/target/match by that name.
11:38 < qfr> :|
11:38 < qfr> I tried -F postrouting -F post etc
11:38 < qfr> None of them work
11:38 < Bushmills> add   -t nat
11:39 < qfr> That did the trick
11:39 < qfr> iptables -F -t nat
11:39 < qfr> Now iptables -L -t nat is empty
11:39 < hyper_ch> so I was right :
11:39 < qfr> Alright, all policies are set to accept
11:39 < qfr> No NAT rules
11:40 < qfr> Still not working :(
11:40 < hyper_ch> !iptables
11:40 < Bushmills> sounds logical
11:40 < vpnHelper> hyper_ch: "iptables" is (#1) o test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT;, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-
11:40 < vpnHelper> hyper_ch: computing.net/wiki/index.php/OpenVPN/Firewall
11:40 < qfr> hyper_ch: Yep, did that
11:40 < qfr> All 3 say, (policy ACCEPT)
11:40 < Bushmills> for server doing NAT you *need* masquerading rule
11:40 < hyper_ch> hmmmm
11:40 < qfr> Oh, so I do need that one?
11:41 < Bushmills> "that" one if it is the right one
11:41 < qfr> First they told me to get rid of it
11:41 < qfr> Now to add it back
11:41 < Bushmills> http://scarydevilmonastery.net/masq
11:41 < hyper_ch> Bushmills: what do you mean for server doing NAT?
11:41 < qfr> iptables -t nat -A POSTROUTING -s 10.0.0.2/24 -o eth0 -j MASQUERADE
11:41 < qfr> Still nothing
11:42 < Bushmills> "for server" -> the vpn server, intended to resend LAN packets over WAN interface
11:42 < Bushmills> "doing" -> performing the deed
11:43 < hyper_ch> Bushmills: ah ok... you're not refering to have servers on the client vpn that shall be accessible throught the internet
11:43 < Bushmills> "NAT" replacing packet source address against its own address and conntracking it 
11:43 < qfr> Bushmills: Already did that
11:43 < Bushmills> no, i didn't
11:43 < qfr> ping 4.2.2.1 still not doing anything :[
11:44 < qfr> Bushmills: I already did that
11:44 < qfr> [root@voidandfire ~]# cat /proc/sys/net/ipv4/ip_forward
11:44 < qfr> 1
11:44 < qfr> target     prot opt source               destination
11:44 < qfr> MASQUERADE  all  --  10.0.0.0/24          anywhere
11:44 < Bushmills> what is your openvpn network address range?
11:45 < qfr> 10.0.0.0/24 ;O
11:46 < qfr> So 10.0.0.1 to 10.0.0.254
11:46 < qfr> Server is 10.0.0.1, client #1 is 10.0.0.2
11:46 < Bushmills> try to traceroute or mtr a remote host from a client machine
11:46 < qfr> traceroute to 4.2.2.1 (4.2.2.1), 30 hops max, 52 byte packets
11:47 < qfr> 1 * * *
11:47 < qfr> [...]
11:47 < qfr> And so on
11:47 < Bushmills> you have firewall on client too?
11:47 < qfr> Nope
11:47 < qfr> Wow, even ping 10.0.0.1 fails now
11:47 < qfr> Odd.
11:48 < Bushmills> then fix your server connection first, before attempting to redirect traffic through it
11:48 < qfr> Ah my client says something unsettling
11:48 < qfr> Sat May 15 18:48:02 2010 us=730789 TLS Error: TLS handshake failed
11:48 < qfr> Sat May 15 18:48:02 2010 us=730883 TCP/UDP: Closing socket
11:48 < qfr> Over and over again
11:49 < qfr> Sat May 15 18:48:04 2010 us=731875 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
11:49 < qfr> The server openvpn console hasn't printed any messages other than RWRWRW for 30 min though
11:49 < qfr> Sat May 15 18:45:58 2010 us=459289 TLS Error: TLS handshake failed
11:49 < qfr> Sat May 15 18:47:00 2010 us=417984 TLS Error: TLS handshake failed
11:50 < qfr> Sat May 15 18:48:02 2010 us=730789 TLS Error: TLS handshake failed
11:50 < qfr> It's quite regular o_O
11:50 < qfr> May 15 18:50:06 2010 us=144276 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
11:51 < qfr> Oh the server OpenVPN froze up o_O
11:51 < qfr> ping 4.2.2.1 works now \o/
11:52 < qfr> Cheers, it's using the correct outgoing IP
12:27 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 240 seconds]
12:33 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
12:40 -!- notbrien [~notbrien@69.86.1.238] has joined ##openvpn
12:41 -!- notbrien [~notbrien@69.86.1.238] has quit [Client Quit]
12:41 -!- notbrien [~notbrien@69.86.1.238] has joined ##openvpn
12:42 -!- takamichi [~pri@78.133.92.164] has quit [Ping timeout: 276 seconds]
12:43 -!- notbrien [~notbrien@69.86.1.238] has quit [Client Quit]
12:46 -!- notbrien [~notbrien@69.86.1.238] has joined ##openvpn
12:47 -!- notbrien [~notbrien@69.86.1.238] has quit [Client Quit]
12:47 -!- notbrien [~notbrien@69.86.1.238] has joined ##openvpn
12:51 -!- notbrien [~notbrien@69.86.1.238] has quit [Client Quit]
12:51 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has joined ##openvpn
13:11 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
13:21 < motd2k> please could anyone tell me if there's a way to push a route from a client to the server  (rather than from the server to the client)
13:22 < hyper_ch> motd2k: ?
13:23 < motd2k> i have subnet via some clients, and i'd like the server to be able to access them
13:23 < motd2k> so i'd like to have the client push the subnets it has available to the server
13:25 < hyper_ch> !client-to-client
13:25 < vpnHelper> hyper_ch: "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
13:25 < vpnHelper> hyper_ch: other clients
13:26 < motd2k> the server will still need a route to the subnets though
13:26 < hyper_ch> openvpn client can't do that I guess
13:26 < hyper_ch> imagine multiple clients pushing the same subnet to the server
13:26 < hyper_ch> that would give confusion
13:27 < motd2k> yea for sure its not something that'd be good outside a controlled environment
13:27 < hyper_ch> why not just make a script then that runs on its own?
13:28 < motd2k> yea - would have just been easier if there was some way to get the push directive to work in reverse
13:28 < motd2k> but i'll fix it up with a script instead
13:58 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has quit [Quit: Leaving]
13:59 -!- motd2k [~motd2k@87-194-148-242.bethere.co.uk] has quit [Changing host]
13:59 -!- motd2k [~motd2k@xbmc/staff/motd2k] has joined ##openvpn
14:00 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Quit: Távozom]
14:02 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
14:15 -!- takamichi [~pri@78.133.92.164] has joined ##openvpn
14:23 < qfr> rtorrent gives me "Storage error: [File chunk read error: Cannot allocate memory]" all the time
14:23 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
14:23 < qfr> How is that an error really? It simply hit the limit I specified in the .rtorrent.rc
14:23 < qfr> And it continues to operate as usual
14:25 < Bushmills> file a bug report
14:26 < qfr> Well I'm not even sure if it's all kosher
14:26 < qfr> Which is why I am asking
14:26 < qfr> Rule of thumb: user error
14:27 < hyper_ch> not enough space, it says there
14:32 -!- xt3mp0r [xt3mp0r@117.254.3.216] has joined ##openvpn
14:33 < xt3mp0r> how can i disconnect an openvpn connection via command line (unix) ? I'm running openvpn as an background process and using kill command to kill it doesn't reset back to the default routing prior to connection.
14:45 -!- scb [~scb@201.248.13.160] has joined ##openvpn
14:45 < hyper_ch> scb: issue:  !welcome
14:45 < scb> !welcome
14:45 < vpnHelper> scb: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:46 < xt3mp0r> !welcome
14:46 < vpnHelper> xt3mp0r: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:46 < Bushmills> xt3mp0r: what was the default. as in, what difference do you have as result of killing openvpn?
14:47 < scb> !whatis welcome
14:47 < vpnHelper> scb: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:48 < xt3mp0r> Bushmills, check http://pastebin.com/e6Pr5JbS first one is default ... and second if after i kill openvpn process
14:48 < Bushmills> !def1
14:48 < vpnHelper> Bushmills: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
14:48 < Bushmills> xt3mp0r: ^^^^
14:50 < xt3mp0r> Bushmills, Thanks..will try it out
14:50 < krzee> oh hey Bushmills check this out
14:50 < krzee> !tell Bushmills [howto]
14:51 < krzee> !tell Bushmills whats up brutha
14:51 < krzee> !tell Bushmills read this! [howto]
14:52 < Bushmills> !def1  is 5 keys,   !tell xt3mp0r [def1] is 20
14:52 < vpnHelper> Bushmills: Error: "def1" is not a valid command.
14:52 < krzee> heh
14:52 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
14:53 < krzee> brb
14:53 -!- krzee [~k@unaffiliated/krzee] has quit [Quit: Leaving]
14:54 < Bushmills> not having mentioned the PM autoblockers yet
14:54 < hyper_ch> pm autoblocker?
14:57 < xt3mp0r> Bushmills, i think def1 is used to use openvpn server as the default gateway for all traffic.. Actually, I'm connecting to a vpn server and when i kill openvpn process, it doesn't reset back to the routing which was prior connection..so what i want is to remove all those routing changes done by openvpn and get back to normal
14:57 < Bushmills> !tell xt3mp0r [def1]
14:58 < Bushmills> redirect-gateway is.  def1 preserves the original default route. without preserving it, it can't be restored.
14:59 < Bushmills> the host route isn't deleted because you downgrade openvpn privileges, which disables deleting of added host route when openvpn terminates  
15:00 < Bushmills> but that leftover host route won't bite.
15:01 < xt3mp0r> Bushmills, hmm..thanks for explanation. i understand it now
15:02 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
15:02 < Bushmills> ehm - you don't use redirect-gateway ..
15:02 < xt3mp0r> nope, i haven't
15:02 < Bushmills> openvpn should then leave the default route alone
15:06 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
15:07 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
15:12 -!- xt3mp0r [xt3mp0r@117.254.3.216] has quit []
15:14 < krzee> unless you have conflicting subnets...
15:14 < krzee> oh, he left
15:20 -!- scort [platypus@unaffiliated/coil] has quit [Ping timeout: 260 seconds]
15:25 -!- scb [~scb@201.248.13.160] has quit [Remote host closed the connection]
16:27 -!- irado [~irado@201-74-10-31-sc.cpe.vivax.com.br] has joined ##openvpn
16:27 < irado> goodday people.
16:28 < irado> can someone pls point me to tutorial/paper on connection one server to many clients?
16:31 -!- bandini [~bandini@host198-107-dynamic.44-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
16:32 < Bushmills> mode server
16:33 < Bushmills> (probably default by now)
16:33 < Bushmills> !howto
16:33 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:33 < Bushmills> that's just a config option. no papers or tutorials for that option
16:41 < irado> ok, tks
16:41 -!- irado [~irado@201-74-10-31-sc.cpe.vivax.com.br] has left ##openvpn ["xiii... caí?"]
17:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
17:18 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
17:20 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
17:22 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 240 seconds]
17:22 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
17:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
17:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
17:36 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
17:41 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:48 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
17:49 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
17:54 -!- mithridates [~chatzilla@142.166.45.216] has joined ##openvpn
18:04 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:14 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 245 seconds]
18:19 -!- smerz [~daniel@smerz.demon.nl] has quit [Remote host closed the connection]
18:26 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:30 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
18:35 < krzee> he woulda been prime for the confgen
18:35 < krzee> for now on, anyone starting out wanting redirect, lans behind openvpn, or simple server/client setups are just getting !confgen from me, lol
18:36 < krzee> it will be super powerful when ecrist's new ssl-admin is done and built into the confgen!
18:38 < krzee> !tell ecrist look what i can do! [howto]
18:39 < krzee> !tell ecrist [logs] [configs]
18:39 < krzee> !tell krzee [logs] [configs]
19:12 < qfr> krzee: You still need to add the generation of the keys to the confgen though :)
19:13 -!- mithridates [~chatzilla@142.166.45.216] has left ##openvpn []
19:15 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has quit [Ping timeout: 248 seconds]
19:16 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has joined ##openvpn
19:16 -!- EugeneKay is now known as MrWinkler
19:17 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
19:26 -!- MrWinkler is now known as EugeneKay
20:00 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has joined ##openvpn
20:04 < krzee> qfr, thats what im talking about, im waiting for ecrist's new ssl-admin, which will take flags from CLI
20:05 < krzee> i could rebuild easy-rsa myself, and planned on doing it, but i like ssl-admin a lot and since ecrist plans on rewriting it in C i figure ill just use that
20:06 < krzee> ill add a precompile for osX tho, so people dont need xcode to compile it when in osX
20:06 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has quit [Ping timeout: 265 seconds]
20:06 < qfr> Hmm easy-rsa didn't cover all of the stuff your config uses either :[
20:06 < qfr> Had to google a bit but in the end it worked out well \o/
20:07 < krzee> actually it does, except for this:
20:07 < qfr> Although I use a 1024-bit DH PEM
20:07 < krzee> !mitm
20:07 < vpnHelper> krzee: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
20:07 < qfr> Not a 2048 one
20:07 < krzee> err wait not that
20:07 < krzee> i mean:
20:07 < krzee> !hmac
20:07 < vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
20:07 < vpnHelper> krzee: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
20:07 < krzee> using 2048 dh makes no sense anyways
20:07 < krzee> did my confgen use the filename as 2048?
20:07 < qfr> Then take it out of the gen :D
20:07 < qfr> Yes
20:08 < krzee> heh, ill fix that soon
20:08 < krzee> got a couple other lil things to do as well
20:09 < krzee> a shopt command will get rid of all case requirements
20:09 < krzee> lil stuff like that
20:15 -!- theDoc [~jaki@69.10.59.166] has joined ##openvpn
20:15 -!- theDoc [~jaki@69.10.59.166] has quit [Changing host]
20:15 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:17 -!- astrophy [~astrophy@95.211.87.138] has joined ##openvpn
20:38 -!- tjz [~pc@bb119-74-158-41.singnet.com.sg] has joined ##openvpn
20:38 -!- tjz [~pc@bb119-74-158-41.singnet.com.sg] has quit [Changing host]
20:38 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
20:54 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
21:10 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
21:22 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
21:26 -!- astrophy [~astrophy@95.211.87.138] has quit [Quit: Bye]
21:28 -!- astrophy [~astrophy@67.159.28.182] has joined ##openvpn
21:43 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
21:59 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
22:05 -!- Alphanaut [~Alphanaut@c-76-119-199-25.hsd1.ma.comcast.net] has joined ##openvpn
22:09 -!- Alphanaut [~Alphanaut@c-76-119-199-25.hsd1.ma.comcast.net] has quit [Remote host closed the connection]
22:13 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
22:22 -!- krzee [~k@unaffiliated/krzee] has quit [Read error: Operation timed out]
22:26 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
22:38 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
22:43 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
22:51 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
23:24 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Quit: Yippee-kay-yay]
23:26 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
23:28 -!- xod [~onats@112.201.158.40] has joined ##openvpn
23:29 -!- xod is now known as onats
23:29 -!- onats [~onats@112.201.158.40] has quit [Changing host]
23:29 -!- onats [~onats@unaffiliated/onats] has joined ##openvpn
--- Day changed Sun May 16 2010
00:18 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
00:33 -!- EugeneKay is now known as EugeneKaway
00:37 -!- EugeneKaway is now known as EugeneKay
01:22 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
01:31 -!- EugeneKay is now known as EugeneKaway
01:34 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 248 seconds]
01:34 -!- krzii [~k@ftp.secure-computing.net] has joined ##openvpn
01:46 < krzie> whoa, weird
01:47 < theDoc> ping!
02:08 < hyper_ch> morning world
02:11 < theDoc> hello hyp.
02:11  * theDoc cheers for himself.
02:12 < theDoc> radius works, my website is done.
02:12 < theDoc> all at laaast.
02:12  * theDoc claps.
02:15 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
02:37 < krzie> you making a writeup on radius setups or what sukka
02:37  * krzie cracks the whip
02:38 < theDoc> krzie> Not really a write up but I could do one based on my radius experience on debian
02:38 < theDoc> It's a fairly good system.
02:39 < krzie> well bust something out and lets see how it looks
02:39 < krzie> !wiki
02:39 < vpnHelper> krzie: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
02:39 < krzie> !tell theDoc [wiki]
02:39 < krzie> !tell theDoc go write some stuffs!
02:40 < theDoc> lol
02:40 < theDoc> Yessir.
02:40 < theDoc> I'll get to that in a few.
02:40 < theDoc> :D
02:41  * theDoc is still some what confused over encrypted passwords in the db
02:41 < theDoc> :?
02:41 < krzie> <-- never used radius
02:42 < krzie> been meaning to use a windows radius server for awhile now
02:42 < theDoc> lol
02:42  * theDoc has a freeradius server.
02:42 < krzie> cause it can hook in with some OTP dongles i was given
02:42 < theDoc> Ah.
02:42 < krzie> through some lame proprietary windows app that came with them
02:43 < theDoc> Oh.
02:44 < krzie> i know how to use pam to auth to the radius server, and setting it up should be pretty easy, but ive yet to do it
02:45  * theDoc is wondering if he should use phpmyadmin to handle the radius sql db
02:46 < theDoc> krzie> PAM auth on radius is insanely easy.
02:46 < krzie> right
02:47 < krzie> phpmyadmin is less easy to me than cli managing
02:47 < krzie> im not sure why, but it seems gui's are always more complicated
02:49 < theDoc> It is, but I need to let my other "tech challenged" guy handle the db as well.
02:50  * theDoc is ramen profitable.
02:50 < theDoc> :?
02:59 < hyper_ch> krzie: phpmyadmin is so easy :)
03:00 < krzie> ive played with it, not my thing
03:00 < krzie> ild rather type out my queries
03:00 < krzie> *shrug* guess im weird
03:00 < hyper_ch> :) you are weird :)
03:01 < hyper_ch> but less-weird because you know you are :)
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:48 < krzie> qfr, seems 2048 ta.key is the norm in the docs, must be why i used 2048, ill stay with 2048 in my configgen for that reason
03:48 < krzie> http://www.openvpn.net/index.php/open-source/faq.html#static-key-explanation
03:48 < vpnHelper> Title: FAQ (at www.openvpn.net)
03:49 < krzie> So you might ask why is the OpenVPN static key file so large, if such a 
03:49 < krzie>  	small percentage of the bits are currently used?  The answer is to 
03:49 < krzie> accomodate future ciphers and HMAC hashes which use large keys.  Changing  	
03:49 < krzie> a file format is obviously problematic from a compatibility perspective, 
03:49 < krzie> so 2048 bits were chosen so that two sets of 512-bit encrypt and  	HMAC keys 
03:49 < krzie> could be derived for two separate key directions.
03:53 -!- julius [~julius@217.20.127.15] has joined ##openvpn
05:58 -!- motd2k [~motd2k@xbmc/staff/motd2k] has quit [Ping timeout: 240 seconds]
07:04 -!- jnss [janes@gateway/shell/sign.io/x-xzxilhxfialtphyq] has joined ##openvpn
07:10 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
07:12 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
07:17 -!- bandini [~bandini@host57-107-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
07:20 < jnss> Options error: Unrecognized option or missing parameter(s) in ra.ovpn:5: keydir (2.1.1)
07:21 < jnss> nothing is working
07:21 < jnss> 'keydirectory' doesnt work
07:21 < jnss> local_ip didnt work
07:21 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
07:21 < jnss> protocol udp didnt work either
07:23  * theDoc groans.
07:23 < theDoc> :(
07:25 < hyper_ch> !tell jnss [welcome]
07:27 < jnss> one moment
07:27 < jnss> well, i removed the conf files. im starting again
07:27 < jnss> but this time im running the easy-rsa on a linux machine
07:31 < qfr> krzie: Oh well
07:31 < theDoc> radius will seriously fucking blow your mind out if you aren't familiar with it
07:31 < theDoc> >:(
07:41 < ecrist> o/
07:48  * Bushmills wonders how easy-rsa is related to faulty openvpn config
07:55 < hyper_ch> Bushmills: :)
07:57 < Bushmills> 'morning hyper_ch
07:58 < hyper_ch> morning Bushmills :)
08:14 < hyper_ch> http://www.nytimes.com/interactive/2010/05/12/business/facebook-privacy.html
08:14 < vpnHelper> Title: Facebook Privacy: A Bewildering Tangle of Options - Graphic - NYTimes.com (at www.nytimes.com)
08:18 < Bushmills> hyper_ch: if you're interested in that, you might like http://scarydevilmonastery.net/facebook-spy.pdf
08:20 -!- bandini [~bandini@host57-107-dynamic.21-79-r.retail.telecomitalia.it] has quit [Ping timeout: 240 seconds]
08:20 -!- bandini [~bandini@host103-109-dynamic.41-79-r.retail.telecomitalia.it] has joined ##openvpn
08:20 < hyper_ch> Bushmills: I don't have a facebook account :)
08:21 < Bushmills> that's probably better. though facebook is of course not the only data collector
08:22 < Bushmills> good to have a common name, like  John Miller
08:24 < hyper_ch> :)
08:24 < hyper_ch> there are other data collectors?
08:45 < jnss> what should i use this tls server config
08:46 < jnss> god this is horrible
08:48 < jnss> how about i  use the roadwarrior template
08:49 < jnss> for client server
08:49 < jnss> but i still have no freakin idea how im going to get servers keys, etc to work
08:49 < jnss> !keyts
08:49 < vpnHelper> jnss: Error: "keyts" is not a valid command.
08:49 < jnss> !keys
08:49 < vpnHelper> jnss: "keys" is http://openvpn.net/howto#pki
09:00 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
09:02 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
09:08 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
09:10 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
09:26 -!- EugeneKaway is now known as EugeneKay
09:27 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
09:29 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
09:41 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:40 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
10:43 -!- amialive [~marcdebru@cc1341944-a.groni1.gr.home.nl] has joined ##openvpn
10:50 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Quit: I am off]
11:04 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:11 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
11:38 -!- EugeneKay is now known as EugeneKaway
11:39 -!- EugeneKaway is now known as EugeneKay
11:42 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
11:47 -!- graffz [~graffz@unaffiliated/graffz] has joined ##openvpn
11:48 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 240 seconds]
11:48 -!- magic_1 [~magic@41.123.138.177] has joined ##openvpn
11:48 -!- magic_1 [~magic@41.123.138.177] has quit [Changing host]
11:48 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
11:50 -!- graffz` [~graffz@118.175.66.195] has joined ##openvpn
11:54 -!- graffz [~graffz@unaffiliated/graffz] has quit [Ping timeout: 260 seconds]
11:58 -!- bandini [~bandini@host103-109-dynamic.41-79-r.retail.telecomitalia.it] has quit [Quit: Ex-Chat]
11:59 -!- jnss [janes@gateway/shell/sign.io/x-xzxilhxfialtphyq] has quit [Quit: leaving]
12:06 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 276 seconds]
12:07 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
12:27 -!- graffz` is now known as graffz
12:27 -!- graffz [~graffz@118.175.66.195] has quit [Changing host]
12:27 -!- graffz [~graffz@unaffiliated/graffz] has joined ##openvpn
12:32 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
12:35 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
13:22 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
13:38 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:49 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
14:10 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
14:24 < n0sq> !howto
14:24 < vpnHelper> n0sq: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:25 -!- realex [~alex@ppp-88-217-59-28.dynamic.mnet-online.de] has joined ##openvpn
14:25 < realex> !welcome
14:25 < vpnHelper> realex: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:26 < realex> !goal
14:26 < vpnHelper> realex: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:27 < realex> !route
14:27 < vpnHelper> realex: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:28 < realex> !redirect
14:28 < vpnHelper> realex: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:38 -!- graffz [~graffz@unaffiliated/graffz] has quit [Quit: elvis has left the building]
14:42 -!- realex [~alex@ppp-88-217-59-28.dynamic.mnet-online.de] has quit [Quit: Verlassend]
15:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
15:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
15:01 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
15:13 -!- amialive [~marcdebru@cc1341944-a.groni1.gr.home.nl] has quit [Quit: amialive]
15:24 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
15:53 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Ping timeout: 252 seconds]
15:57 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
16:00 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
16:27 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Ping timeout: 246 seconds]
16:28 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
16:30 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
16:38 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has joined ##openvpn
16:38  * Bloodsong is curious what exactly Access Server does.
16:39 < Bloodsong> I mean... OpenVPN Server/Client works great, what need is there for Access Server *shrug*
16:44 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
16:44 < krzii> Bloodsong, its for companies that want corporate support and automated setup and whatnot
16:45 < krzii> honestly, i will never have a reason to use it either, but it does serve its purpose for those who would choose ipsec over openvpn simply for cisco support
16:46 < krzii> openvpn technologies is good with us not supporting it here, because they run a professional support for it
16:57 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has quit [Read error: Connection reset by peer]
16:57 < krzii> Bushmills, here?
16:58 -!- krzii is now known as krzie
16:58 -!- krzie [~k@ftp.secure-computing.net] has quit [Changing host]
16:58 -!- krzie [~k@unaffiliated/krzee] has joined ##openvpn
16:58 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit []
16:59 -!- astrophy [~astrophy@67.159.28.182] has quit [Quit: Bye]
17:00 < krzie> !iphone
17:00 < vpnHelper> krzie: "iphone" is (#1) http://www.lqx.net/tuntap-iphone.source.tgz for first attempt at getting openvpn on iphone, or (#2) http://github.com/jfx2006/OpenVPN_iphone/downloads for precompiled iphone binaries
17:05 -!- ksnp [~ksnp@c-76-126-210-103.hsd1.ca.comcast.net] has joined ##openvpn
17:06 < ksnp> anyone here ?
17:06 < krzie> nope
17:06 < krzie> whats up man
17:11 < ksnp> whats down ?
17:12 < ksnp> i have have a question/issue on the server config
17:13 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
17:13 < ksnp> actually my config is down ;-)
17:13 < ksnp> can you tell how to create 2 subnets with 10.8.1.x and 10.8.0.x ?
17:14 < ksnp> somehow one of the lines in the howto doesn't make sense to me
17:14 < krzie> 2 subnets 1 config?
17:14 < krzie> why??
17:15 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
17:15 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has joined ##openvpn
17:15 < Bushmills> krzie: yes
17:15 < ksnp> just to differentiate two different classes of clients say
17:16 < ksnp> so i can put different firewall rules
17:16 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
17:16 < krzie> Bushmills, can you kill and start gobby pls?
17:16 < ksnp> doesnt "server 10.8.0.0 255.255.255.0" imply that you CAN'T do 10.8.1.x with it ?
17:16 < Bushmills> done
17:16 < ksnp> shouldn't it be server 10.8.0.0 255.255.0.0 instead ?!
17:17 < krzie> ksnp, you dont need 2 subnets for that
17:18 < ksnp> i know its just easy to firewall basedon the subnet for me
17:18 < ksnp> so 10.8.0.x and 10.8.1.x
17:18 < krzie> but then you need to assign each to the subnet
17:18 < ksnp> that's fine
17:18 < krzie> you can already do that, a subnet is not only a /24
17:18 < ksnp> i have only 2 users :)
17:18 < krzie> !static
17:18 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
17:18 < ksnp> shouldn't it be server 10.8.0.0 255.255.0.0 instead ?!
17:18 < krzie> for 2 clients? lol
17:19 < ksnp> well
17:19 < krzie> keep the /24 for server
17:19 < krzie> firewall based on smaller subnet
17:19 < krzie> or since only 2 clients, do it based on static ip if you like
17:19 < ksnp> i want to firewall using : 10.8.0.0/24, and 10.8.1.0/24
17:19 < ksnp> so that i can refer to the howto if i need
17:19 < krzie> lol
17:19 < ksnp> if i deviate i wont be able to :)
17:19 < krzie> there is so no reason to have a /24 for a single client
17:20 < ksnp> that's fine krzie, just want to follow howto
17:20 < ksnp> lets say its not 2 clients for sake of it
17:20 < krzie> and if you admin a freeswitch setup (ive seen you there a bit) you can handle knowing how to admin your firewall sanely without the howto holding your hand so specificly
17:20 < ksnp> ah you saw me there :)
17:21 < Bushmills> ksnp: most howtos are not really meant to stick to the letter to them. instead they are meant to introduce the subject in such a way that they can be understand and applied.
17:21 < Bushmills> stood
17:21 < ksnp> i had so many problems with freeswitch and NAT, that's why i want to use openvpn
17:21 < ksnp> krzie just help me on this ! :)
17:21 < krzie> i am
17:21 < ksnp> please, so i can follow the howto when u are not around ;-)
17:21 < krzie> im telling you to stop trying to follow a howto on firewalling to the letter
17:21 < ksnp> Bushmills, i know, i have good luck following it so far
17:21 < krzie> and try to understand it insteal
17:21 < krzie> instead
17:22 < ksnp> ok
17:22 < Bushmills> ksnp: let me guess: you had problems because the howtos didn't exactly describe what you needed
17:22 < ksnp> can you tell me if server 10.8.0.0. 255.255.255.0 implies that the ip pool is only 10.8.0.x ?
17:22 < ksnp> and not 10.8.1.x ?
17:22 < ksnp> Bushmills, this part is the only one that didn't work, everything else did
17:22 < krzie> of course it does
17:22 < krzie> see --server in the manual
17:23 < krzie> !man
17:23 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
17:23 < ksnp> then  that implies that such a config wont even assign 10.8.1.x to any client regardless of his ccd entry ?
17:24 < Bushmills> ksnp: http://en.wikipedia.org/wiki/Netmask
17:24 < vpnHelper> Title: Subnetwork - Wikipedia, the free encyclopedia (at en.wikipedia.org)
17:24 < krzie> !google cidr cheatsheet
17:24 < vpnHelper> krzie: CIDR SUBNET MASK CHEATSHEET & ICMP TYPE CODES: <http://oav.net/mirrors/cidr.html>; IPv4 CIDR notation cheat sheet: <http://old.tamasrepus.hotnudiegirls.com/pages/IPv4+CIDR+notation+cheat+sheet>; CIDR Block Prefix: <http://www.internetsecurityguru.com/cidr.html>
17:24 < ksnp> i know the subnet mask, cidr etc thanks
17:24 < krzie> then why do you need a /24 to be able to use your firewall because the howto does?
17:24 < ksnp> its just to confirm since the howto says to use 10.8.0.x for one tpye of clients and 10.8.1.x for another type and says to use server 10.8.0.0. 255.255.255.0
17:24 < Bushmills> "can you tell me if server 10.8.0.0. 255.255.255.0 implies that the ip pool is only 10.8.0.x ?" didn't suggest that you do
17:25 < ksnp> which must be a typo and should have been 10.8.0.0 255.255.0.0
17:25 < krzie> nope
17:25 < krzie> you can hand out ips outside the pool
17:25 < ksnp> oh ok
17:25 < krzie> but seriously, learn how to use your firewall better than blindly following the howto
17:25 < ksnp> via ccds  /
17:25 < krzie> you DONT need a /24 per client
17:25 < krzie> lol
17:25 < ksnp> i know
17:26 < ksnp> lets say there are more for that purpose
17:26 < krzie> you could do it based on /30
17:26 < krzie> or /29, or whatever
17:26 < ksnp> i know krzie, can we just assume those are the subnets please
17:26 < krzie> but theres not
17:26 < krzie> lol
17:26 < krzie> whatever
17:26 < ksnp> how does it handout ips outside the pool
17:26 < Bushmills> --server:  This directive will set up an OpenVPN server which will allocate addresses to clients out of the given network/netmask.  
17:26 < Bushmills> from the man page
17:26 < krzie> if you need to follow the howto 100%, ill leave you to the howto :-p
17:26 < ksnp> not 100%, but 100-x %
17:27 < krzie> since you cant accept a way that more directly applies to you
17:27 < ksnp> where x > 0
17:27 < krzie> what im saying follows the howto 99%
17:27 < ksnp> ok, there are multiple clients, and there are two classes, each with different rules of firewalling
17:27 < krzie> just isnt firewalling based on /24
17:27 < krzie> thats the ONLY diff
17:27 -!- f1assistance1 [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
17:27 < ksnp> ok, how about we keep the /24 as given ?
17:27 < ksnp> in that case can u please tell how the server hands out ips outside the pool ? does using just the ccd suffice ?
17:28 < krzie> !static
17:28 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
17:28 < ksnp> ok, so within the pool it can do static OR dynamic, but outisde the pool it uses static - did i get this right ?
17:28 < ksnp> i am seeing the iporder now
17:29 < krzie> did you try it...?
17:29 < ksnp> ifconfig-push i did, i am assigning static ip now, but its withing the pool
17:30 < ksnp> i guess if i just change to assign outside the pool it should just work ?
17:30 < krzie> give it a try
17:31 < krzie> ive seen people post with it like that, ive never tried, nor will i
17:31 < krzie> and you shouldnt be either, but whatever
17:31 < krzie> you know... one day you may run into something thats not 100% spelt out in a howto and you'll actually have to admin things by learning :-p
17:32 < krzie> at that point, i recommend doing what makes sense ;]
17:35 < ksnp> ok, i'll try it assuming it works again
17:35 < ksnp> but if it doesn't i am back here
17:35 < ksnp> in abt 30-60 mins
17:38 < krzie> Bushmills, thanx
17:38 < krzie> i had changes made here, and some at home
17:38 < krzie> im using your server to merge them ;)
17:38 < Bushmills> also a way to transport data :)
17:47 < krzie> exactly
17:52 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
17:59 -!- jnss [janes@gateway/shell/sign.io/x-vfxqbcwptafgwcel] has joined ##openvpn
17:59 < jnss> .
18:01 -!- f1assistance1 [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
18:14 < krzie> .
18:15 < krzie> [05:24]  <jnss> Options error: Unrecognized option or missing parameter(s) in ra.ovpn:5: keydir (2.1.1)
18:15 < krzie> did you see a --keydir in the manual?
18:15 < jnss> yes
18:15 < krzie> erm
18:15 < krzie> !man
18:15 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:16 < krzie> lemme look, cause i dont think so...
18:16 < krzie> no you didnt
18:16 < krzie> lol
18:22 < krzie> however, you can use --cd
18:22 < krzie> likely accomplishes what you thought --keydir would
18:28 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has quit [Read error: Connection reset by peer]
18:35 < ksnp> krzie i am having a tough time trying to figure, can you please tell if by simply using ifconfig-push and push route in the CCD, and in the server conf add push for that subnet, is good enough (supposed to be) ?
18:36 < krzie> dunno,
18:36 < krzie> if i was you ild do it how i suggested
18:36 < jnss> im pretty sure i did 
18:36 < krzie> but you insist on having a /24 for each client
18:36 < jnss> but ill let it slide
18:36 < krzie> jnss, you did not
18:36 < krzie> jnss, unless you modified the manual, then saw it in your modified version
18:37 < jnss> maybe i compiled some trojaned version of ovpn
18:37 < krzie> where they decided to add --keydir
18:37 < krzie> LOL
18:37 < jnss> thank god ezrsa is working on linux
18:44 < ksnp> krzie, ok tell me what you suggested, i am using static ip using ccds
18:45 < krzie> i suggested that you dont need a subnet outsite of your --server command for client2
18:45 < ksnp> ok
18:45 < krzie> give him a static ip in the second half of the /24 and firewall by /25, or something similar
18:45 < krzie> if you arent using topology subnet, you must be aware of this:
18:45 < krzie> !/30
18:45 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
18:46 < krzie> so the given ip must be .6 .10 .14 etc etc
18:46 < ksnp> ok
18:46 < krzie> or you can use topology subnet on the server, and use any ip you want
18:46 < ksnp> ok
18:46 < ksnp> if i want to expand the subnet i can simply cahnage the mask in the server 10.8.0.0 line correct ?
18:47 < krzie> you have no reason to need more than a /24, but yes to an extent
18:47 < krzie> i know the netmask can only go so high, not sure of the limit
18:48 < ksnp> ok
18:50 < ksnp> i am not using topology subnet, the ip assigned etc. is all in the hands of the server correct ? i can simply change the ccd and change the ip assigned correct ?
18:53 < krzie> it must be right in /30 terms
18:53 -!- theDoc [~jaki@bb121-6-23-10.singnet.com.sg] has joined ##openvpn
18:53 < krzie> so .6 .10 .14 .18 etc
18:53 < krzie> unless you use topology subnet
18:53 -!- theDoc [~jaki@bb121-6-23-10.singnet.com.sg] has quit [Client Quit]
18:53 < ksnp> ok
18:53 < ksnp> thanks
18:54 -!- ksnp [~ksnp@c-76-126-210-103.hsd1.ca.comcast.net] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Chicks dig it]
19:16 -!- Alphanaut [~Alphanaut@12.160.222.130] has joined ##openvpn
19:17 < Alphanaut> who was i talkin to about getting openvpn to work on two vista machines... hmm
19:20 -!- Alphanaut [~Alphanaut@12.160.222.130] has quit [Client Quit]
19:50 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
20:01 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
20:06 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:06 < theDoc> raidz> You around?
20:24 < jnss> how about keys larger than 1024
20:34 -!- tjz [~pc@bb119-74-158-41.singnet.com.sg] has joined ##openvpn
20:34 -!- tjz [~pc@bb119-74-158-41.singnet.com.sg] has quit [Changing host]
20:34 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:56 < jnss> even thoguh i set vars to 2048 bit keys
20:56 < jnss> i still got 1024 keys
21:05 < jnss> Mon May 17 02:05:36 2010 us=811846 172.0.0.3:53 SIGUSR1[soft,tls-error] received, client-instance restarting
21:05 < jnss> i get thsoe.
21:06 < jnss> good thing though, everything seems to be workng this far
21:09 < jnss> Mon May 17 02:08:50 2010 us=43125 172.0.0.3:53 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
21:09 < jnss> hmm
21:15 < jnss>  error=certificate is not yet valid:
21:15 < jnss> ah
21:16 -!- APTX_ [~APTX@phpBB/developer/APTX] has joined ##openvpn
21:17 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
21:26 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
21:50 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
21:51 -!- APTX_ [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 240 seconds]
--- Day changed Mon May 17 2010
00:27 < krzee> [20:16]  * Alphanaut (~Alphanaut@12.160.222.130) has joined ##openvpn
00:27 < krzee> [20:17]  <Alphanaut> who was i talkin to about getting openvpn to work on two vista machines... hmm
00:27 < krzee> [20:20]  * Alphanaut has quit (Client Quit)
00:27 < krzee> thats some funny shit
00:27 < krzee> that guy will never ever get his setup working
00:27 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
00:29 < qfr> krzee why not?
00:29 < qfr> Because they're all Windows? :)
00:37 < theDoc> Maybe because he leaves before anyone can respond.
00:37 < theDoc> or possibly .. vista.
00:37 < theDoc> wtf. How long does Thawte take to assign a cert
00:37 < theDoc> >:(
01:06 -!- smerz [~daniel@smerz.demon.nl] has quit [Quit: Ex-Chat]
01:09 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 260 seconds]
01:12 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
02:10 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
02:20 -!- astabeno [~chatzilla@86.108.5.66] has joined ##openvpn
02:22 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has joined ##openvpn
02:22 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has left ##openvpn []
02:24 < astabeno> I am having a problem making my OpenVPN client work with the IPcop Zerina plugin.  I got everything installed but and an Open connection that I can see on both the client and in the IPCop gui but I cannot ping anything on the other side of the firewall.  It like the routes aren't working but they are all there.
02:28 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
03:02 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:05 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
03:05 -!- mode/##openvpn [+o mattock] by ChanServ
03:06 -!- dazo_afk is now known as dazo
03:26 -!- astabeno [~chatzilla@86.108.5.66] has quit [Ping timeout: 240 seconds]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:40 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
03:43 -!- takamichi [~pri@78.133.92.164] has quit [Ping timeout: 264 seconds]
03:44 -!- takamichi [~pri@ip-174-142-36-146.static.privatedns.com] has joined ##openvpn
03:52 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
04:02 < kraut> moin
04:15 -!- takamichi [~pri@ip-174-142-36-146.static.privatedns.com] has quit [Ping timeout: 264 seconds]
04:16 -!- takamichi [~pri@94.75.217.247] has joined ##openvpn
04:50 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
04:54 -!- takamichi [~pri@94.75.217.247] has quit [Read error: Connection reset by peer]
04:55 -!- takamichi [~pri@94.75.217.247] has joined ##openvpn
05:00 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
05:16 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
05:34 -!- SkyX [~SkyB0x@212.235.177.25] has joined ##openvpn
05:37 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
05:43 -!- SkyX [~SkyB0x@212.235.177.25] has quit []
05:52 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has joined ##openvpn
05:52 -!- makomi_work [~chatzilla@p509966c5.dip0.t-ipconnect.de] has left ##openvpn []
05:58 -!- graffz [~graffz@unaffiliated/graffz] has joined ##openvpn
06:02 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:22 -!- Sky[x] [~SkyB0x@193.2.72.254] has joined ##openvpn
06:35 -!- Brayn [~Brayn@89.39.174.245] has joined ##openvpn
06:35 < Brayn> !welcome
06:35 < vpnHelper> Brayn: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:36 < Brayn> !howto
06:36 < vpnHelper> Brayn: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:40 < Brayn> !goal
06:40 < vpnHelper> Brayn: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:44 < Brayn> hey, so what I want to do is setup my VPN so that only putty uses the VPN connection, and I can;t seem to configure putty to crate the VPN and can't configure openVPN to use only username / password without a 'ca'
06:54 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has joined ##openvpn
07:07 < Bushmills> Brayn: block non-port 22 traffic on server tun interface.
07:10 < Bushmills> though i think, opening an openvpn tunnel for ssh is unnecessary
07:10 -!- graffz [~graffz@unaffiliated/graffz] has quit [Ping timeout: 240 seconds]
07:10 < Bushmills> if vpn client can connect to server, supposedly ssh client can do too
07:11 < Bushmills> (unless you want to connect to other openvpn clients)
07:14 -!- Sky[x] [~SkyB0x@193.2.72.254] has quit []
07:39 -!- onats [~onats@unaffiliated/onats] has quit [Remote host closed the connection]
07:47 -!- Sky[x] [~SkyB0x@193.2.72.254] has joined ##openvpn
08:06 < Brayn> Bushmills: I don't have access to the server, they have a VPN and the servers only accept ssh connections from VPN IPs
08:07 < Bushmills> so what's the problem then? just putty to the vpn server
08:07 < Bushmills> leave it to them to care about nothing else being able to connect
08:15 < Brayn> Bushmills: Not sure I follow. I have 2 servers that I have to connect to in order to develop some stuff. I use SSH to connect to the servers but it only works when I am on the VPN connection they gave me. I used the Windows VPN wizard to create a dial-up type VPN connection with Host, Username and Password
08:16 < Brayn> but that routes all my traffic through the VPN, I want to only send putty through the VPN to connect to the servers using SSH
08:16 < Bushmills> does server push redirect-gateway? if no, does your client config contain redirect-gateway? if no, openvpn up won't change your ability to access non-vpn addresses
08:17 < Bushmills> if yes: if in client config, remove.  
08:17 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
08:17 < Bushmills> if pushed by server, remove the pushed default route, and reinstate the original.
08:17 < Bushmills> of pushed with def1, delete the two  /1 routes
08:19 < Brayn> thanks, I'll have to check with them about the server config, I don't have access to the VPN server, only to the 2 webservers I have to work with
08:21 < Bushmills> client log will tell
08:30 -!- Braynid [~Brayn@host247.213-244-172.ixs.dedigate.com] has joined ##openvpn
08:31 -!- dazo is now known as dazo_mtg
08:32 -!- Brayn [~Brayn@89.39.174.245] has quit [Ping timeout: 268 seconds]
08:41 -!- KaiForce [~chatzilla@adsl-70-228-114-90.dsl.akrnoh.ameritech.net] has joined ##openvpn
08:41 -!- Braynid is now known as Brayn
08:45 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
08:49 -!- Braynid [~Brayn@89.39.174.245] has joined ##openvpn
08:52 -!- Brayn [~Brayn@host247.213-244-172.ixs.dedigate.com] has quit [Ping timeout: 245 seconds]
09:00 -!- Braynid [~Brayn@89.39.174.245] has quit [Ping timeout: 258 seconds]
09:00 -!- Brayn [~Brayn@host247.213-244-172.ixs.dedigate.com] has joined ##openvpn
09:05 < jnss> initialization has worked
09:05 < jnss> yay!
09:06 < jnss> now i cant get a link to the outside world
09:06 -!- Sky[x] [~SkyB0x@193.2.72.254] has quit []
09:10 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Ping timeout: 248 seconds]
09:11 < jnss> question
09:12 < jnss> i have a freebsd machine which acts as a vpn client 
09:12 < jnss> when it clients it receives a random ip address, i cannot change this to static
09:12 < jnss> this machine  also acts as a vpn server
09:12 < Bushmills> !ccd
09:12 < vpnHelper> Bushmills: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
09:13 < jnss> i want a client to connect to this vpn-client-server 
09:13 < jnss> and use thclient feature
09:13 < jnss> i dont know what ccd is
09:13 < jnss> let me read up on tat
09:14 < jnss> is there no other way
09:14 < Bushmills> ifconfig-push
09:14 < Bushmills> (through ccd)
09:15 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
09:16 < jnss> w does a ccd file look like
09:16 < Bushmills> like a config file, with just the client specific settings
09:16 < jnss> but how would a ccd solve my problem
09:17 < Bushmills> ", i cannot change this to static"  .. you can
09:17 < jnss> no, i mean
09:17 < jnss> the vpn server i connect to has a vpn client
09:17 < jnss> i use a pay vpn thingy
09:17 < jnss> that makes my internet anonmyous 
09:18 < jnss> thats the outside address i get
09:18 < jnss> and its always random
09:18 < jnss> it changes on reconnection
09:18 -!- Serideru [~GTWebster@24-117-150-192.cpe.cableone.net] has joined ##openvpn
09:18 < jnss> you're saying i can ask for a static ip? 
09:19 -!- KaiForce [~chatzilla@adsl-70-228-114-90.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
09:19 < jnss> can i make the client connect to my home vpn server and just use tun0 available on the local machine
09:20 < Bushmills> i say "there are provisions in openvpn which allow to configure an openvpn server such tha an openvpn client will be assigned the same ip address in the vpn net whenever it connects"
09:20 < jnss> basically to utilize whatever ip route my vpn give3s me
09:21 < Bushmills> you can configure your home machine as gateway, and packets will respect the routes set up there. 
09:22 < Bushmills> in terms of routing, a tun interface behaves pretty much like an eth interface
09:23 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:24 -!- dazo_mtg is now known as dazo
09:25 -!- Braynid [~Brayn@89.39.174.245] has joined ##openvpn
09:28 -!- Brayn [~Brayn@host247.213-244-172.ixs.dedigate.com] has quit [Ping timeout: 260 seconds]
09:29 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
09:36 < jnss> can this be done using openvpn switches
09:39 -!- cherva [~cherva@78.128.16.162] has joined ##openvpn
09:39 < jnss> using something like 
09:39 < jnss> # Push route to client to bind it to our local
09:39 < jnss> # virtual endpoint.
09:39 < jnss> push "route 10.1.0.1 255.255.255.255"
09:40 < jnss> maybe push "route 10.10.1 255.255.255.255 tun0" would work
09:40 < jnss> --interface tun0, i mean
09:40 < cherva> I'm trying to bridge br0 to my eth0 but when I do this and restart I can't see or use eth0 ...
09:40 < jnss> im trying it
09:46 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
09:47 -!- notbrien [~notbrien@2002:d052:dd6:0:5ab0:35ff:fef5:7a5f] has joined ##openvpn
09:48 -!- notbrien [~notbrien@2002:d052:dd6:0:5ab0:35ff:fef5:7a5f] has quit [Client Quit]
09:48 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
09:48 -!- notbrien [~notbrien@208.82.13.214] has quit [Client Quit]
09:49 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
09:57 -!- coil- [platypus@2607:f2f8:1280::f] has joined ##openvpn
09:57 -!- coil- is now known as husky
09:57 -!- husky [platypus@2607:f2f8:1280::f] has quit [Changing host]
09:57 -!- husky [platypus@unaffiliated/coil] has joined ##openvpn
10:05 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:23 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
10:41 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:42 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Excess Flood]
10:45 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
10:46 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
11:15 -!- raidz [~Andrew@seance.openvpn.org] has quit [Quit: Leaving]
11:25 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:29 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
11:35 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 248 seconds]
11:42 -!- Braynid [~Brayn@89.39.174.245] has quit [Ping timeout: 240 seconds]
11:54 -!- vlt [~dm@suez.activ-job.com] has left ##openvpn []
12:03 -!- astabeno [~chatzilla@79.173.228.49] has joined ##openvpn
12:05 < astabeno> I am having a problem making my OpenVPN client work with the IPcop Zerina plugin. I got everything installed but and an Open connection that I can see on both the client and in the IPCop gui but I cannot ping anything on the other side of the firewall. It like the routes aren't working but they are all there.
12:07 -!- dazo is now known as dazo_afk
12:09 -!- raidz [~Andrew@seance.openvpn.org] has joined ##openvpn
12:09 < ecrist> astabeno: we need configs and logs, pleas
12:09 < ecrist> !tell astabeno logs
12:09 < ecrist> !tell astabeno configs
12:09 < ecrist> !tell ecrist logs
12:10 -!- mode/##openvpn [+o raidz] by ChanServ
12:10 < ecrist> !tell ecrist !logs
12:10 < ecrist> that didn't work.
12:10 < ecrist> !logs
12:10 < ecrist> !configs
12:10 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
12:10 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
12:10 < ecrist> krzee: how did you do that?
12:10 -!- fcukk [~d9d1a817@gateway/web/freenode/x-clxzlrbprnjjnubt] has joined ##openvpn
12:11 < astabeno> No problem which ones do you need
12:12 < fcukk> Hi. Im new to all of this. I have used VPN before. Easy stuff. But now im on a wireless network with port 1723 blocked. And i cant get into the router and change it. SOO. Are there any vpn on port 443 etc? 
12:12 < ecrist> yes, there are.  don't know any off-hand, though
12:12 < fcukk> OR. Can i insall openvpn and then pay some company and just surf in there secure on port 433 or something i can change myself?
12:13 < fcukk> install..
12:13 < fcukk> ok, ecrist...I have googled a while. have not found any vpn company that offers that.. hmm.
12:13 < fcukk> thanks
12:13 < ecrist> fcukk: there are commercial vpn providers that can do that for you
12:13 < ecrist> check ovpnforum.com
12:13 < ecrist> I think there was one mentioned there.
12:13 < fcukk> cool.
12:14 < fcukk> I will!
12:15 -!- Brayn [~Brayn@188.27.65.99] has joined ##openvpn
12:15 < krzee> !tell
12:15 < vpnHelper> krzee: (tell <nick> <text>) -- Tells the <nick> whatever <text> is. Use nested commands to your benefit here.
12:16 < krzee> !tell ecrist [logs]
12:17 < ecrist> w00t, thanks
12:18 < fcukk> awesome. http://ovpnforum.com/viewtopic.php?f=21&t=2502
12:18 < astabeno> ecrist: Here you go: http://pastebin.com/yp9bAvA3
12:18 < vpnHelper> Title: OpenVPN Forum View topic - Anonyproz OpenVPN Service Provider (at ovpnforum.com)
12:18 < astabeno> This is my client config set up by Zerina in IPcop running on Windows xp OpenVPN 1.0.3
12:19 < ecrist> ahhh
12:19 < ecrist> astabeno: we don't support OpenVPN 1.0.3
12:19 < ecrist> please update to 2.1.1
12:20 < astabeno> I was just noticing it was old.  The setup guide for ipcop directed me toward that version.  I'll try the newer version and hopefully that will work
12:21 -!- Bloodsong [~Nimbus@70.50.177.230] has joined ##openvpn
12:25 < Bushmills> !tell ecrist [logs]
12:26 < hyper_ch> Bushmills: http://img580.imageshack.us/img580/6899/dailypicdump41364063.jpg
12:26 < Bushmills> uch? vpnhelper triggered hyper_ch?
12:26 < hyper_ch> Bushmills: :)
12:28 < Bushmills> ah, was too late anyway
12:28 < hyper_ch> but I wonder, did you spot the error?
12:28 < hyper_ch> I had to look twice until I got it :(
12:28 < Bushmills> the wrong continent, you mean?
12:28 < hyper_ch> :)
12:28 < hyper_ch> you're too smart
12:29 < ecrist> that's pretty lol
12:30 < hyper_ch> american news aren't that good with other countries / continents /borders and stuff :)
12:31 < Bushmills> hyper_ch: staying with football, after a match turkey-germany, in german news this picture was shown: http://www.welt.de/multimedia/archive/1220254495000/00656/buhro_fahne_DW_Poli_656195g.jpg
12:31 < hyper_ch> Bushmills: lol... I guess you konw that one:  http://dirkriehle.com/humorous-takes/fun-photos/ch-according-to-cnn.jpg
12:32 < ecrist> s%other .* stuff%other stuff%
12:32 < Bushmills> ouch :) geography is not their strongest point
12:37 < Bushmills> and that station with the wrong flag has problems with those. Not long after, this was shown:  http://p3.focus.de/img/gen/T/h/HBThNQ8y_492edc1b44d2_Pxgen_r_467xA.jpg
12:44 < hyper_ch> Bushmills: http://1.bp.blogspot.com/_2uHTfCv6Ppw/SNlhNt4HnPI/AAAAAAAAALM/YwXubmmzeDw/s1600/0011345-stomatologist-dental-care-funny-sign.jpg
12:45 < hyper_ch> Bushmills: I don't get that second one
12:45 < Bushmills> one extra white stripe at the bottom
12:45 -!- astabeno [~chatzilla@79.173.228.49] has quit [Read error: Connection reset by peer]
12:45 < hyper_ch> do non-americans have to know that? :)
12:46 < Bushmills> just as much as us americans need to know where czech republic ist
12:47 < hyper_ch> well, knowing all details on a flag and knowing the worlds countries is a tiny difference IMHO ;)
12:48 < Bushmills> some might have put belgium there
12:49 < Bushmills> or the country of amsterdam :)
12:49 < hyper_ch> why would anyone do that?
12:49 < Bushmills> because believing is knowing?
12:49 < hyper_ch> ;)
12:53 < Bushmills> oh, from an online retailer site, the top links:  http://forthfreak.net/snap/md.png
12:54 < hyper_ch> hehhe
12:54 < hyper_ch> this is cute:  http://img2.purerave.com/5/10/5505910.gif
12:55 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
12:57 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
13:01 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
13:04 -!- astabeno [~chatzilla@79.173.228.49] has joined ##openvpn
13:10 < astabeno> I am on OpenVPN 2.1.1 for windows connecting to an IPCop firewall.  I have no problem connecting from 2 different clients.  The Client shows a successful Connection and the IPCop web interface shows a successful connection but I cannot ping anything on the other side of the IPCop firewall.  My client settings are here is here.
13:10 < astabeno> http://pastebin.com/yp9bAvA3
13:11 < astabeno> And client logs are here
13:11 < astabeno> http://pastebin.com/TX8GgCCB
13:23 < astabeno> !welcome
13:23 < vpnHelper> astabeno: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:26 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
13:34 < Bushmills> astabeno:  "cannot ping anything on the other side of the IPCop firewall"  - disable firewall
13:34 < Bushmills> (and check out:)
13:34 < Bushmills> !route
13:34 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:36 -!- stix [~stix@x1-6-00-1e-2a-87-8d-aa.k1.webspeed.dk] has joined ##openvpn
13:37 < stix> HI guys. I am completely new to openvpn. Do you know where I can find a good guide to installing an openvpn-server on debian 5 which windows xp/7 clients can connect to?
13:37 < Bushmills> !howzo
13:37 < vpnHelper> Bushmills: Error: "howzo" is not a valid command.
13:37 < Bushmills> !howto
13:37 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:37 < hyper_ch> !tell stix [howto]
13:37 < astabeno> The firewall mentioned is the a Linux Firewall appliance running IPCop which has been set up with OpenVPN on it.  I installed it with the Zerina plugin.  It is also the OpenVPN server.
13:38 < Bushmills> stabeno:  "cannot ping anything on the other side of the IPCop firewall"  - disable firewall and check out:
13:38 < Bushmills> !route
13:38 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:21 < krzee> !redirect
14:21 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:27 -!- Testy2 [~457cc372@gateway/web/freenode/x-rfzvrwwflpahhpih] has joined ##openvpn
14:27 < Testy2> Hi!
14:27 < Testy2> any one around?
14:27 < krzee> !goal
14:27 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:28 < Testy2> ahh ok. 
14:28 < Testy2> Anyhow, having multiple issues. The one that concenrs me the most is my install of 2.1.1 for windows 7 32 bit 
14:29 < Testy2> tI can not seem to get the tap interface working 
14:29 < krzee> !win7
14:29 < vpnHelper> krzee: "win7" is http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7
14:29 < krzee> err nm that
14:29 < krzee> !forget win7
14:29 < vpnHelper> krzee: Joo got it.
14:29 < krzee> !vista
14:29 < vpnHelper> krzee: "vista" is 13:51 < Nirkus> ecrist: i figured it out. i was able to create a link to windows explorer and activate 'run as administrator' within the 'advanced' context menu. using an windows explorer started by that link i was able to write files to c:\program files (x86)\OpenVPN\config\
14:29 < krzee> hrm thats not it either
14:29  * krzee goes back to hiding since he knows damn near nothing about windows anymore
14:29 < krzee> dont worry tho, others here do
14:30 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 240 seconds]
14:31 < Testy2> I I was under the impression that 2.1.1 was fully supported in windows 7? Is this not the case? 
14:31 < krzee> i know for sure that others use win7 with 2.1.1 without issue
14:32 < Testy2> indeed thats what I belive as well 
14:32 < hyper_ch> it's just that windows and networking are things mutually exlusive to each other
14:32 < krzee> Testy2, are you 100% sure you're starting it with admin rights...
14:33 < krzee> "If they launch the GUI via right-klik on the icon and select Run as Administrator.... no problem. If they simply launch the GUI as themself (they are administrator on the machine) it wil fail."
14:33 < Testy2> These systems are modified and tweaked beyond belief. Do we have a list of services that must be running in order to get the tap interface to work correctly?>
14:33 < Testy2> most certainly 
14:33 < Testy2> We run as admin to configure these systems before we lock them all down 
14:33 < krzee> did you see what i just pasted...?
14:33 < Testy2> I havent had this issue in thr past with the same config though 
14:33 < krzee> "If they launch the GUI via right-klik on the icon and select Run as Administrator.... no problem. If they simply launch the GUI as themself (they are administrator on the machine) it wil fail."
14:34 < krzee> anyways, gotta goto work
14:34 < krzee> bbl
14:34 < Testy2> the GUI starts, the tap interface shows as install 
14:34 < Testy2> however tcpview shows no attempt for outbound service. nor does the server log indicate a connection of any kind
14:35 < Testy2> thank you for your time krzee
14:35 < Testy2> any one else? 
14:36 < Testy2> 50+ people in here 
14:36 < Testy2> no ones talking 
14:36 < Testy2> heh
14:37 < hyper_ch> firewall issue?
14:37 < Testy2> disabled all firewalls
14:37 < Testy2> windows and after market 
14:37 < hyper_ch> well, just instlal linux
14:38 < hyper_ch> so much easier :)
14:38 < Testy2> In the connection log on the client side I belive the tap adaptor shows up as unbound 
14:38 < Testy2> dont start with that seriously 
14:38 < Testy2> We run all OS'es here 
14:39 < hyper_ch> then you have at least two linux boxes?
14:39 < Testy2> and all of them suck and rule at various things 
14:39 < Testy2> the VPN is for our feild agents who either use win or mac 
14:39 < Testy2> depending 
14:39 < hyper_ch> and if you have two linux boxes
14:39 < Testy2> the servers are both linux 
14:40 < hyper_ch> setup server client on there and check that it's working
14:40 < Testy2> its working 
14:40 < hyper_ch> then you know that at least the server works
14:40 < Testy2> people are using it right now 
14:40 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:40 < hyper_ch> so if windows can't use openvpn it's windows fault for some reason
14:40 < Testy2> server is working fine 
14:40 < Testy2> no 
14:40 < Testy2> if your not a windows guy thats just fine 
14:40 < Testy2> I will wait for some one who is 
14:41 < Testy2> but don't hate things you dont use 
14:41 < Testy2> Frankly we have the least problems with windows, set up correctly it will forever 
14:41 < jpalmer> Testy2: because of the way windows handles networking,  you have to give it a 4 IP subnet.  I forget what the setting is called.  let me see if I can find it.
14:41 < jpalmer> s/windows/the windows/tun/tap driver/
14:42 < Testy2> hmm, all I know is that several months back we had no issues what so ever with open vpn and win7 
14:42 < jpalmer> Testy2: do you have other win machines working with it?
14:42 < Testy2> today were setting up some new machines for new people and things just dont seem to work 
14:42 < Testy2> yes 
14:42 < Testy2> twith out issue 
14:42 < jpalmer> oh,  then that isn't the problem.
14:42 < Testy2> this is a client side problem 
14:43 < jpalmer> can yu post logs from both the client and server when one of the faulty clients connects?
14:43 < Testy2> it seems to be related to tap driver. as I can not even see an attempt to make an outbound connection 
14:43 < Testy2> yeh hold on 
14:44 < Testy2> PS using 2.1.1 installer, on win 7 pro 32 
14:44 < jpalmer> are you sure it's not a dns issue?  like maybe your using a LAN hostname, on an external client?
14:44 < Testy2> the config is the same config we use for all windows boxes 
14:44 < jpalmer> ok
14:44 < Testy2> and they work 
14:44 < Testy2> brb
14:45 < Testy2> so im going to just install openvpn 2.1.1 as admin copy the config and rsa keys and give you some logs 
14:45 < Testy2> I dont need to specify compatability when I install? 
14:45 < Testy2> with 2.1.1 
14:45 < Testy2> ?
14:46 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
14:47 < Testy2> ok its installing, running as admin user 
14:47 < Testy2> ok copyed settings and keys 
14:48 -!- testy2point2 [~457cc372@gateway/web/freenode/x-rqsymdhkftzjzuio] has joined ##openvpn
14:48 < testy2point2> ok im over here now
14:48 < testy2point2> Mon May 17 15:47:41 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Dec 11 2009 Mon May 17 15:47:41 2010 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info. Mon May 17 15:47:41 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables Mon May 17 15:47:42 2010 LZO compression initialized
14:49 < testy2point2> obviously we get the warning 
14:49 < testy2point2> but what concerns me is local link undef
14:51 < testy2point2> even if all our settings were wrong we should still see and atempt for open vpn and tap device to be transmitting data out
14:51 < testy2point2> but we do not
14:51 < testy2point2> nor do any such packets reach the server
14:51 < jpalmer> what version of the client are the other win machines using?
14:52 < testy2point2> any one know spasificly what services need to be running for the tap device to work?
14:52 < testy2point2> lets see
14:52 < testy2point2> I think 2.1_rc15?
14:53 < testy2point2> We were asked to upgrade and use this version spasificly to address man in the middle attacks. 
14:54 < jpalmer> I'm not familiar with that error,  but..  I would venture a guess that it's a fatal error.  if it can't verify the certificate, it probably shouldn't continue.
14:55 < Testy2> so you think It may not have anything to do with the tap device 
14:55 < jpalmer> also,  the second message about --script-security 2,   what are you trying to execute?
14:55 < Testy2> I can try and recopy a fresh set of keys 
14:55 < Testy2> hmm lets open the config 
14:56 < Testy2> looks like a very very simple client config 
14:56 < Testy2> client 
14:56 < Testy2> dev tun 
14:56 < Testy2> prto udp 
14:56 < Testy2> remote (servers IP) 
14:56 < jpalmer> to be getting that message,  I would assume it's trying to execute something..
14:57 < Testy2> resolv-retry infinite 
14:57 < Testy2> noboind 
14:57 < hyper_ch> !tell Testy2 [pastebin]
14:57 < Testy2> persist-key
14:57 < Testy2> persist-tun
14:57 < Testy2> key and cert locations... 
14:57 < Testy2> and then cippher BF-CBC
14:57 < Testy2> comp-lzo 
14:58 < Testy2> verb 3
14:58 < Testy2> thats the entire thing
14:59 < Testy2> I don't understand enough to know whats being executed 
15:00 < jpalmer> I don't see anything being executed.  which, I find odd.  why give that warning then.
15:00 < Testy2> who knows 
15:00 < Testy2> i find it odd that it wont even atempt an outbound connection 
15:00 < hyper_ch> change verb lvl to 5
15:00 < Testy2> will do 
15:01 < hyper_ch> and log file location is missing
15:01 < Testy2> Whats the command to add it 
15:01 < Testy2> I can do that as well 
15:02 < hyper_ch> change it to verb 6
15:02 < Testy2> ok 
15:02 < hyper_ch> and:  log     openvpn.log
15:02 < hyper_ch> probably need to give it a path or something
15:02 < hyper_ch> don't really know on windows
15:02 < Testy2> ok 
15:02 < Testy2> do you know what line it needs to go on 
15:03 < Testy2> or any is fine
15:03 < hyper_ch> if no path is given then it should log to the same dire as the config file is in I think
15:03 < hyper_ch> doesn't matter I think
15:04 -!- Alphanaut [~Alphanaut@12.45.255.3] has joined ##openvpn
15:04 < hyper_ch> restart the vpn then and then check the logfile
15:04 < Testy2> wilco
15:05 < Testy2> OK 
15:05 < Testy2> started it and got an error about the log file 
15:05 < Testy2> says its not nesicery with windows 
15:05 < Testy2> and thats its all logged anyway 
15:05 < Testy2> lemme find that 
15:05 < hyper_ch> no clue on windows
15:06 < Alphanaut> uh oh
15:06 < Alphanaut> more windows people to annoy you :)
15:06 < Testy2> Hopefully I am not. 
15:07 < Alphanaut> i got it working flawlessly on vista after 2 days.  now even though i can browse and use the computer, nslookup shows all domains resolving to 0.0.0.1
15:07 < hyper_ch> hi Alphanaut
15:07 < Alphanaut> so i screwed something else up !
15:07 < Alphanaut> hey there
15:07 < Testy2> as  I mentioned we use all OS's here and today we just happen to be having an issue with these new windows laptops. We use win 7 all the time with out issue. no issues really 
15:07 < Testy2> something with this exact situation 
15:07 < Testy2> not universal 
15:08 < Alphanaut> i was kidding, i was bugging hyper a few days ago with some windows stuff
15:08 < Alphanaut> finally got it to work, now i have an all new problem that seems odd ;)
15:08 < Testy2> wow you want me to paste this entire thing
15:08 < Testy2> its huge 
15:09 < hyper_ch> well, stop openvpn
15:09 < hyper_ch> delete the log
15:09 < hyper_ch> start openvpn
15:09 < hyper_ch> so you have a clean log :)
15:09 < hyper_ch> and then
15:09 < hyper_ch> !pastebin
15:09 < vpnHelper> hyper_ch: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
15:10 < hyper_ch> Alphanaut: you're a cat's person?
15:10 < hyper_ch> s/'/
15:10 < Testy2> ok 
15:10 < Testy2> taking a look at pastebin
15:10 < hyper_ch> pastebin.com
15:10 < hyper_ch> I think .ca is still down
15:11 < hyper_ch> or pastebin.org
15:11 < hyper_ch> or pastie.org
15:12 -!- Alphanaut [~Alphanaut@12.45.255.3] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
15:13 < testy2point2> http://pastie.org/964375
15:14 -!- cherva [~cherva@78.128.16.162] has quit [Quit: Leaving]
15:14 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has joined ##openvpn
15:14 < hyper_ch> testy2point2: port 443?
15:14 < testy2point2> yep
15:14 < testy2point2> always
15:15 < hyper_ch> isn't that imap tls?
15:15 < hyper_ch> ir or smtp tls
15:15 < testy2point2> 443 is just ssl
15:15 < krzie> https
15:15 < testy2point2> or https
15:15 < hyper_ch> ah :)
15:15 < stix> I am able to get a tunnel established without any errors. But the client cannot ping any hosts on the server side and the vpn-server says: Mon May 17 22:11:11 2010 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
15:15 < hyper_ch> lines 324/325 ....
15:15 < stix> where should I go from here?
15:16 < krzie> firewall
15:16 < testy2point2> wow wish I had that problem 
15:16 < testy2point2> heh
15:16 < testy2point2> :)
15:17 < hyper_ch> krzie: do you see anything in the log?
15:17 < krzie> btw
15:17 < krzie> Secure IMAP (IMAP4-SSL) - port 585
15:17 < krzie> IMAP4 over SSL (IMAPS) - port 993
15:17 < krzie> what log?
15:17 < testy2point2> the one I posted 
15:18 < hyper_ch> krzie: [22:13] <testy2point2> http://pastie.org/964375
15:18 < krzie> i just got to work, eating a whopper
15:18 < krzie> 1sec ill look
15:18 < testy2point2> just so you know we have people using the server right now 
15:18 < hyper_ch> you eat a whopper at work
15:18 < testy2point2> the server works 
15:18 < testy2point2> and the port config works 
15:18 < testy2point2> yum whopper 
15:19 < hyper_ch> big king xxl
15:20 < krzie> client firewall
15:20 -!- fcukk [~d9d1a817@gateway/web/freenode/x-clxzlrbprnjjnubt] has quit [Ping timeout: 252 seconds]
15:21 < krzie> !winfw
15:21 < vpnHelper> krzie: Error: "winfw" is not a valid command.
15:21 < krzie> heh
15:21 < krzie> disable win firewall and retest
15:21 < hyper_ch> he says he did :)
15:21 < hyper_ch> but that was also my first guess
15:22 < krzie> norton, mcaffee, some sort of security software
15:22 < hyper_ch> antivir
15:22  * krzie points at part 2 of topic
15:22 < Testy2> if your talking about my issue. no firewall running. services disavbled and 3rd party turned off 
15:22  * hyper_ch starts hacking Testy2's computer
15:23 < Testy2> heh
15:23 < Testy2> legs spread to world 
15:23 < Testy2> OHH YEH 
15:24 < Testy2> I think I got it boys!
15:24 < Testy2> hold on 
15:27 -!- testy2point2 [~457cc372@gateway/web/freenode/x-rqsymdhkftzjzuio] has quit [Ping timeout: 252 seconds]
15:36 < Testy2> Ok 
15:37 < Testy2> Were up and running! 
15:37 < Testy2> Wana know what it was 
15:37 < Testy2> your going to laugh 
15:37 < krzie> some piece of security software acting as a firewall...?
15:37 < Testy2> nope 
15:37 < Testy2> heh 
15:37 < Testy2> The keys are curupted 
15:37 < Testy2> we copyed them over again and everything works just fine 
15:38 < krzie> oh, so server log would have shown the real error
15:38 < Testy2> the usb stick is no good 
15:38 < krzie> (which is why we always ask for both at the same time)
15:38 < Testy2> server log has no indication at any one from this IP tried to contact it 
15:38 < hyper_ch> server log verbosity?
15:38 < Testy2> whatever happend caused a situation where there was no outbound connectivity 
15:39 < Testy2> its at 6 
15:39 < Testy2> and we searched it 
15:39 < hyper_ch> hmmm ok
15:39 < Testy2> you were right, it faild so why continue with connect 
15:39 < Testy2> our tunnel is up and even our DNS is resolving via the tunnel 
15:39 < Testy2> everything is working 
15:40 < Testy2> however .... 
15:40 < Testy2> and their is a small however 
15:40 < Testy2> can some one explain the error that we get when we first connect 
15:40 < Testy2> its new since 2.1.1 
15:40 < krzie> what error
15:40 < krzie> script-security warning?
15:40 < Bushmills> i can't. the top of your problem description has already been scrolled out  
15:41 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:41 < Testy2> yeh im trying to find it again 
15:41 < Testy2> no server cert verification method 
15:41 < krzie> !mitm
15:41 < vpnHelper> krzie: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
15:42 < krzie> if you used easy-rsa ./build-key-server you have your server cert right for that
15:42 < Testy2> I was not here when they built these keys 
15:42 < Testy2> it was before my time 
15:42 < krzie> so you just need ns-cert-type server in the client config
15:42 < krzie> well, give it a test
15:42 < krzie> put ns-cert-type server in the client config
15:42 < krzie> see if it works
15:42 < Testy2> you act as if I have test in my name  :)
15:42 < Testy2> heh
15:43 < krzie> if it does, put it in all client configs for added security
15:43 < krzie> if it does not, consider rebuilding the server cert with it
15:43 < hyper_ch> so, I can finally lay off the first couple of eye drops since the surgery :)
15:43 < krzie> hyper_ch, got the laser correction?
15:43 < Testy2> ok so I am adding ns-cert-type into cleint configs (what do I put in the type feild) 
15:44 < krzie> no...
15:44 < Testy2> im reading the link 
15:44 < hyper_ch> krzie: so I did :)
15:44 < Testy2> just dont understand it 
15:44 < krzie> ns-cert-type server
15:44 < hyper_ch> live is great without glasses and contacts :)
15:44 < krzie> hyper_ch, right on, a lot of people i know have had that and love it
15:44 < hyper_ch> krzie: well, not much can go wrong
15:45 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit [Ping timeout: 260 seconds]
15:45 < krzie> i know, people i know have had it done here, and they are super dumb out here
15:45 < Testy2> so nothing goes where the word type is in ns-cert-type server 
15:45 < Testy2> just that line exactly 
15:45 < krzie> so if these people didnt fuck it up, it must be hard to screw up
15:45 < hyper_ch> krzie: I just have to take natural tear drops for another 3 weeks
15:45 < hyper_ch> and I must not do any sports for another 2 weeks :)
15:46 < hyper_ch> krzie: where is "here"?
15:46 -!- magic_1 [~magic@41.123.153.82] has joined ##openvpn
15:46 < hyper_ch> well, depends on what procedure you get... a femto-lasik is everythign fully automated... with a "normal" lasik the cut and flip of the eye flap is done by a surgeon
15:47 < hyper_ch> but the actual correction is then also done fully automatic with a laser... if the equipment isn't failing exacte at the time you have your surgery it's pretty safe IMHO
15:47 < krzie> hyper_ch, caribbean
15:47 < hyper_ch> krzie: well, I did it in Turkey :)
15:48 < hyper_ch> and each eye just takes a couple of seconds for actual lasering.... chances of a failure at just that moment are really, really small I think
15:48 < Testy2> I still get the error when i add that line 
15:49 < Testy2> does this mean I need to rebuild the keys for my VPN users 
15:49 < hyper_ch> you need to generate certificates and export them
15:49 < hyper_ch> or not?
15:49 < hyper_ch> no clue, krzie knows it bette :)
15:49 < Testy2> wow lots of new stuff for me today 
15:49 < krzie> Testy2, now try with remote-cert-tls server in the client config
15:49 < hyper_ch> I just followed the easy-rsa howto
15:50 < krzie> hyper_ch, hes just seeing if his certs were built to support checking server signature
15:50 < krzie> also:
15:50 < krzie> !factoids search cert
15:50 < vpnHelper> krzie: 'servercert', 'certs', 'nocert', 'certverify', and 'certinfo'
15:50 < krzie> !certinfo
15:50 < vpnHelper> krzie: "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
15:50 < krzie> !certverify
15:50 < vpnHelper> krzie: "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
15:50 < Testy2> My guys just said that everyone here is state state side and if we needed to rebuild now is the time to do it 
15:51 < Testy2> the person who generated these certs is long gone 
15:51 < krzie> well how trusted is the old admin?
15:51 < Testy2> and I think they are only 128 bit 
15:51 < krzie> you mean 1024 ;)
15:51 < Testy2> we revoked his key when i came in 
15:51 < krzie> you revoked his key
15:51 < Testy2> I wish Iknew more about this 
15:51 < krzie> but he made the CA
15:51 < Testy2> im just the only lakie on today 
15:52 < krzie> the ca.key is the cornerstone to your entire PKI
15:52 < hyper_ch> !easy-rsa
15:52 < vpnHelper> hyper_ch: Error: "easy-rsa" is not a valid command.
15:52 < krzie> !pki
15:52 < vpnHelper> krzie: Error: "pki" is not a valid command.
15:52 < krzie> bleh
15:52 < krzie> !google pki howstuffworks
15:52 < vpnHelper> krzie: HowStuffWorks "Prosecuting Identity Theft": <http://money.howstuffworks.com/identity-theft6.htm>; 810 Media Technology: <http://www.wrneuman.com/Comm_810_F08.pdf>; Research: Electronic commerce: <http://www.networkworld.com/ecomm2001/research/research.html>
15:53 < krzie> hrms
15:54 < Testy2> ok, wow this is a tad serious it looks 
15:54 < krzie> ignore my google
15:54 < krzie> http://www.internet-computer-security.com/VPN-Guide/PKI.html
15:54 < vpnHelper> Title: PKI Public Key Infrastructure - How PKI and CA's work (at www.internet-computer-security.com)
15:54 < Testy2> essently to rebuild we have to re create all credentials and hand them out 
15:55 < krzie> just certs
15:55 < Testy2> its a bit beyond me but they just gave me access to VM to try it out before we make a perm change 
15:56 < krzie> the ONLY time you need to completely rebuild your PKI is when you feel the ca.key was compromised
15:56 < Testy2> I hate to ask this as I should be able to just follow instructions but things seem easy are never. Would one of you be willing to talk me through it? 
15:56 < krzie> anyone having your ca.key can sign as many certs for themselves as they want
15:56 < krzie> !howto
15:56 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:56 < Testy2> we need 5 certs 
15:56 < krzie> thats all you need
15:56 < Testy2> ok 
15:57 < krzie> it works for tons of people every day
15:57 < Testy2> I just put up a test server on a differnat port and forwarded it 
15:57 < hyper_ch> easy-rsa makes it simple to create certs
15:57 -!- astabeno [~chatzilla@79.173.228.49] has quit [Max SendQ exceeded]
15:57 < Testy2> Im using the Server config that we have, on a new port and IP 
15:57 < Testy2> what do I need add to the client config exaclty after I try to make new keys 
15:58 < Testy2> ns-cert-type server
15:58 < krzie> that or
15:58 < krzie> remote-cert-tls server
15:59 < Testy2> either or? 
15:59 < krzie> one of them will work if you made the server cert with build-key-server
15:59 < krzie> try 1, if it gives an error about not being verified right, try other
16:00 -!- astabeno [~chatzilla@79.173.228.49] has joined ##openvpn
16:00 < Testy2> Im about to start this atempt, lets see if it works 
16:00 < Testy2> just installing 2.1.1 on the VM 
16:00 < Testy2> this is so cool 
16:00 < Testy2> you guys are cool 
16:00 < krzie> hehe thx
16:00 < Testy2> I work for cool people.. but just a hired hand 
16:00 -!- magic_1 [~magic@41.123.153.82] has quit [Ping timeout: 248 seconds]
16:01 < Testy2> they tell me how to do it and I do it. thats my job 
16:01 < Testy2> heh
16:01 < Testy2> but the big guy is in japan at the other office today 
16:01 < Testy2> so... lets see if I can fill his shoes 
16:01 -!- stix [~stix@x1-6-00-1e-2a-87-8d-aa.k1.webspeed.dk] has quit [Quit: stix]
16:01 < krzie> i work for cool people too
16:01 < krzie> but they dunno tech stuff
16:02 < Testy2> but clearly you know things 
16:02 < krzie> so most the time i decide what we need, and impliment it, then i show the cool people what i did and how it helps them
16:02 < Testy2> Im several years away from being more important then I currently am. 
16:03 < krzie> our system only figures out gross profits, which really means NOTHING in real life... only NET matters
16:04 < krzie> so i wrote 3200 lines of script to break that all down and output an html page displaying it all along with any numbers and stats the main people ever want
16:04 < krzie> and bargraphs / pie graphs auto-generated
16:05 < krzie> now when my iphone comes (soon) ill work on a 1-click solution to join the vpn, run the script, and bring up the website from the iphone
16:05 < Testy2> I built this as a side project from my normal job where I work for cool people (www.pctv76.org) 
16:06 < krzie> i built this as a side project from work
16:06 < krzie> !confgen
16:06 < vpnHelper> krzie: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
16:06 < krzie> which you wont likely need since your configs are already fine
16:08 < Testy2> WOW 
16:08 < Testy2> thats cool 
16:08 < Testy2> im going to favorite that 
16:09 < Testy2> oo well 
16:09 < Testy2> forbiddden 
16:09 -!- astabeno [~chatzilla@79.173.228.49] has quit [Read error: Operation timed out]
16:10 -!- astabeno [~chatzilla@79.173.228.49] has joined ##openvpn
16:11 < Testy2> ok 
16:11 < Testy2> starting here 
16:11 < astabeno> !route
16:11 < Testy2> Setting up your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients
16:11 < vpnHelper> astabeno: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:11 < Testy2> is this the right place
16:12 < astabeno> Does my OpenVPN client in Windows need a Gateway.  If so what?
16:13 -!- xt3mp0r [xt3mp0r@117.254.207.132] has joined ##openvpn
16:14 < krzie> astabeno, 
16:14 < krzie> !goal
16:14 < vpnHelper> krzie: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:14 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
16:14 < xt3mp0r> I am connecting to an vpn server and after connection is initialized i automatically get this error " event_wait : Interrupted system call (code=4)" and connection goes down.. any help ?
16:15 < krzie> xt3mp0r, 
16:15 < krzie> !configs
16:15 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
16:15 < krzie> !logs
16:15 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
16:16 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:17 < xt3mp0r> krzie, config : http://pastebin.com/7XZNRtit  logs : http://pastebin.com/4vpvUV4K
16:18 < Testy2> ok I really do need some help with this 
16:18 < xt3mp0r> i'm using Centos and running openvpn as an background process, to be specific.
16:18 < Testy2> sorry I have to ask :( 
16:18 < Testy2> after getting the build-ca step
16:18 < Testy2> I get an error 
16:18 < krzie> Testy2, the . in front of ./vars is important
16:18 < krzie> . ./vars
16:19 < Testy2> windows 
16:19 < krzie> so?
16:19 < krzie> you still need to source the vars...
16:19 < Testy2> the howto says On Windows:      vars     clean-all     build-ca
16:20 < krzie> ok i stand corrected i guess its just vars to source them in win
16:20 < krzie> (i dont use windowS)
16:20 < krzie> country needs to be 2 letters
16:20 < Testy2> but when I get to build-ca I get "open ssl is not recognized as an internal or external command 
16:20 < Testy2> ok lemme check 
16:20 < Testy2> in vars.bat
16:20 < astabeno> Sorry, no problem I am trying to connect to the internal network of my IPCop firewall using OpenVPN.  I have the server running on IPCop and a client running on a windows machine.  I have an Open connection between the Server and the client but can ping nothing on the other side of the server.  The goal is to be able to fileshare through OpenVPN.  My TAP-Win32 Adapter has been assigned an IP...
16:21 < astabeno> ...address of 192.168.6.10.  The other side of the VPN server is 192.168.5.0 /24.  I get can ping nothing on this network.  My Tap adapter has no Gateway, is that a problem.
16:21 < krzie> oh
16:21 -!- Brayn [~Brayn@188.27.65.99] has quit [Ping timeout: 246 seconds]
16:21 < krzie> you dont have openssl in your VM
16:21 < krzie> you really shouldnt have needed to ask with that clear of an error
16:21 < krzie> wtf is today 'everyone needs help with windows' day!?
16:22 < Testy2> as I said this is all new to me. sorry 
16:22 < Testy2> I thought it was part of the install 
16:22 < krzie> i mean every question from everyone is windows
16:22 < krzie> lol
16:22 < Testy2> lemme go find it and path it 
16:22 < krzie> (thats not so normal really)
16:22 < hyper_ch> krzie: I got a linux question :)
16:22 < xt3mp0r> krzie, mine is linux based :P
16:22 < krzie> yay
16:22  * krzie pushes hyper_ch to the front of the line
16:22 < hyper_ch> krzie: when will you add a take-over-the-world button to openvpn on linux?
16:23  * hyper_ch smiles evilish
16:23 < krzie> hyper_ch, there are no 'buttons' on the openvpn for linux
16:23 < krzie> :-p
16:23 < hyper_ch> oh :(
16:23 < xt3mp0r> lol
16:23 < krzie> xt3mp0r, loading your links now =]
16:24 < xt3mp0r> krzie, great ;)
16:24 < krzie> xt3mp0r, 
16:24 < krzie> read this again
16:24 < krzie> !configs
16:24 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
16:24 < krzie> read the whole thing, then post your configs how i will actually read them
16:25 < xt3mp0r> alright.
16:25 < krzie> likewise with logs
16:25 < krzie> !logs
16:25 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
16:30 < xt3mp0r> hi krzie, i am done with config.. http://pastebin.com/0iDvbxFX  what exactly does it mean "with verb set to 5" for logs ? i'm new to this.
16:30 < hyper_ch> xt3mp0r: verb is a setting in the client and server config... it's short for verbosity
16:30 < krzie> verb 5
16:30 < krzie> config option
16:31 < krzie> see how yours says verb 3
16:31 < hyper_ch> basically you can control how much detail should be logged
16:31 < krzie> make it verb 5 before showing me logs
16:31 < krzie> holy failover setup
16:31 < krzie> xt3mp0r, wheres the server config...
16:32 < krzie> ./keys/ca.crt
16:32 < krzie> BAD
16:32 < krzie> use full paths
16:32 < xt3mp0r> alright, i will be ready with logs in a moment. 
16:32 < xt3mp0r> krzie, the server is not mine. i am using an paid vpn service.
16:32 < hyper_ch> uhhh, krzie is in a helping spree :)
16:32 < krzie> xt3mp0r, oh, then you need to get help from them
16:32 < krzie> hyper_ch, yep, this spree has lasted a couple yrs
16:33 < krzie> lol
16:33 < krzie> !irclogs
16:33 < vpnHelper> krzie: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days.
16:33 < xt3mp0r> oh..no other option ? is there no way to solve this issue without server config ?
16:33 < hyper_ch> krzie: btw, when you come up with better things at work, you should make your boss feel like it was his idea :)
16:33 < krzie> hyper_ch, my boss doesnt pretend to know anything about computers, he likes me coming up with stuff
16:34 < hyper_ch> :)
16:34 < krzie> he didnt hire me to make him feel good
16:35 < Testy2> krzie 
16:35 < Testy2> question 
16:35 < Testy2> downloaded open ssl lite installed and pathed it 
16:36 < Testy2> re-ran build-ca 
16:36 < krzie> openssl is 1 word btw
16:36 < Testy2> aorry 
16:36 < Testy2> sorry 
16:36 < Testy2> oops
16:36 < Testy2> anyhow 
16:36 < Testy2> I get a a popup as if the program that triggerd it is using the incorrect parameters 
16:37 < Testy2> any way to check to see if build.ca did anything 
16:37 < Testy2> what can I look for to see if it worked
16:37 < krzie> ive never heard of someone needing to install openssl seperately
16:37 < krzie> check the keys dir
16:37 < krzie> see if files were made
16:38 < Testy2> if you read up, I was told that you dont have openssl in your VM [17:21] <krzie> you really shouldnt have needed to ask with that clear of an error heh
16:38 < Testy2> :)
16:38 < Testy2> checking 
16:39 < Testy2> keys folder has 2 items it 
16:39 < Testy2> both have no size 
16:39 < krzie> !google "openssl is not recognized as an internal or external command" windows openvpn
16:39 < vpnHelper> krzie: From Command Prompt: "The Name Specified Is Not Recognized...": <http://support.microsoft.com/kb/103368>; Insecure Mag 11: <http://www.scribd.com/doc/2085334/Insecure-Mag-11>; S. Beatty Consulting » Blog Archive » A Simple OpenVPN Version 2 ...: <http://www.sbeattyconsulting.com/OpenVPN/OpenVPN-20070729.htm>
16:39 < krzie> weird, different 1st hit for me
16:39 < krzie> http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_23441545.html
16:39 < vpnHelper> Title: Creating extra keys for OpenVPN : Open Source, OpenVPN (at www.experts-exchange.com)
16:39 < krzie> In the meantime (and working along the same lines), I've found that there is an openssl.exe program within the bin directory. Rather than edit any standard batch files, I copied the .exe file to the easy-rsa directory and everything works as I had imagined and described within the question.
16:40 < hyper_ch> experts-exchange is evil
16:40 -!- Bloodsong [~Nimbus@70.50.177.230] has quit [Ping timeout: 265 seconds]
16:40 < krzie> hyper_ch, well it answered his question and was my first google hit
16:40 < hyper_ch> it only works if you pretend to be google :)
16:40 < Testy2> ok lemme clean this up and try that 
16:40 < hyper_ch> otherwise you don't see the responses
16:40 < krzie> hyper_ch, you can see the answer at the bottom
16:41 < Testy2> well I must say we google all the time... some times its better to hold a hand... at least im not lieing 
16:41 < krzie> after all the BS ads
16:41 < hyper_ch> if you pretend to be google
16:41 < astabeno> Should I leave the tap adapter on dhcp
16:41 -!- googleman [~Reactor16@41.105.85.20] has joined ##openvpn
16:41 < krzie> astabeno, yes, openvpn handles the giving of IPs you dont need to edit the adapter manually using your OS
16:41 < googleman> hi all
16:41 < astabeno> Or is there something that needs to be changed on the server
16:42 < hyper_ch> speaking of google and googleman appears... coincidence?
16:43 < krzie> xt3mp0r, your error is NOT Mon May 17 14:47:16 2010 event_wait : Interrupted system call (code=4)
16:43 < krzie> that is given when you kill openvpn
16:43 < krzie> your error is likely seen in server log file
16:44 < googleman> i have problem with openvpn server
16:44 < googleman> MULTI: bad source address from client [192.168.1.66], packet dropped
16:44 < googleman> any solution for this ?
16:44 < krzie> googleman, you trying to share your client LAN?
16:44 < xt3mp0r> krzie, ya..i am killing openvpn at a point..hmm. i will consult about this with the support :)
16:45 < googleman> i just want to route all trafic through openvpn
16:45 < krzie> xt3mp0r,
16:45 < krzie> just for your knowledge
16:46 < krzie> !pwfile
16:46 < vpnHelper> krzie: "pwfile" is (#1) OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h, or (#2) see --auth-user-pass in the manual (!man) for more info
16:46 < krzie> in case you didnt do that
16:46 < xt3mp0r> krzie, oh.. i did it and it works 
16:46 < krzie> googleman, 
16:46 < googleman> yes
16:46 < krzie> !configs
16:46 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
16:47 < googleman> you want to see my config ?
16:47 < krzie> read what my bot said entirely
16:47 < krzie> i want to see BOTH configs without comments
16:47 < googleman> k
16:48 -!- astabeno [~chatzilla@79.173.228.49] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
16:49 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
16:51 < Testy2> can I leave organizational unit name feild blank?
16:52 < googleman> krzie
16:52 < googleman> http://pastebin.com/PRQENcyS
16:54 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
16:55 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
16:56 -!- xt3mp0r [xt3mp0r@117.254.207.132] has quit []
16:57 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has joined ##openvpn
16:58 -!- Bloodsong [~Nimbus@bas13-toronto12-1167983118.dsl.bell.ca] has quit [Read error: Connection reset by peer]
16:58 < krzie> yes
16:58 < googleman> ?
16:59 < krzie> yes @ Testy2 
16:59 < krzie> for you,    - Unknown paste ID, it may have expired or been deleted!
17:00 < Testy2> I just put in "owner" I know when generate for the server I have to use "server"
17:00 < Testy2> im doing that now 
17:00 < Testy2> have I screwed up?
17:01 < googleman> i past again
17:01 < krzie> Testy2, what are you talkin bout?
17:01 < googleman> http://pastebin.com/keixGPwQ
17:01 < Testy2> orgainizational unit name 
17:01 < googleman> this is krzie
17:02 < krzie> its not mandatory Testy2 
17:02 < Testy2> for the command build-ca 
17:02 < Testy2> yeh but if I did put it in no harm?
17:02 < krzie> none i know of, ive never used it
17:02 < Testy2> ok 
17:02 < Testy2> im building the server key 
17:03 < krzie> but if it did harm ild have to suspect it wouldnt be an option :-p
17:03 < googleman> krzie you see it ?
17:03 < Testy2> its asking if I want a challenge password
17:03 < krzie> Testy2, ive never had to walk someone through this before, the howto really does tell you what to do...
17:04 < Testy2> well I can pay you brother. Boss says I cant leave untill this works 
17:04 < Testy2> soooo.....
17:04 < Testy2> heh 
17:04 < krzie> dont bother with a challenge pw
17:05 < krzie> the pay thing is fully optional, we offer free support here... but we reserve the right to poke fun at people who need hand holding :-p
17:05 < krzie> !donate
17:05 < vpnHelper> krzie: "donate" is (#1) send monetary donations to openvpn@secure-computing.net via paypal. All money donated goes to staff toward development of the community wiki, forum, and this IRC channel., or (#2) Contributions to this address do *NOT* directly benefit OpenVPN Technologies, Inc.
17:06 < krzie> googleman, i only see a client config
17:07 < googleman> http://pastebin.com/zp2X1kWe
17:07 < googleman> sorry i forgot to put both cfg
17:09 < krzie> googleman, what LAN uses 192.168.100.x ?
17:09 < krzie> and im such a nice guy, i redid your pastebin for you
17:09 < krzie> http://pastebin.com/5F7QQb2k
17:09 < googleman> i just past this code from a tutorial
17:09 < krzie> OH
17:09 < krzie> well screw that
17:10 < googleman> i follow steps 
17:10 < krzie> try this
17:10 < krzie> !confgen
17:10 < vpnHelper> krzie: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
17:10 < krzie> i coded it, not all that long ago
17:10 < krzie> go test it for me ;]
17:10 < googleman> k
17:10 < krzie> it will generate all your configs
17:10 < krzie> note, you'll also want this:
17:10 < krzie> !hmac
17:10 < googleman> i arealy generate keys and certificates
17:10 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
17:10 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
17:11 < krzie> yes, use your certs still
17:11 < krzie> my confgen doesnt do that yet anyways
17:11 < googleman> oke
17:11 < googleman> i test it
17:11 < krzie> but you didnt make a ta.key
17:11 < krzie> and you'll want it =]
17:12 < Testy2> I got an error  creating client2 key
17:12 < googleman> krzie
17:12 < googleman> 2010-05-17 23:11:54 ERROR 403: Forbidden.
17:12 < krzie> oh bleh
17:12 < krzie> 1sec i forgot to chmod when i reuploaded today
17:12 < googleman> ok
17:13 < Testy2> faild to update database TXT_DB error number 2
17:14 < Testy2> could not find c:\program files\openvpn\easy-rsa\keys\*.old
17:14 < krzie> ok googleman 
17:14 < Testy2> will do 
17:15 < krzie> no no
17:15 < Testy2> ohh
17:15 < krzie> googleman is a person in here
17:15 < krzie> hehehe
17:15 < Testy2> ha
17:15 < Testy2> Hi googleman
17:15 < googleman> hi bro
17:15 < Testy2> sorry 
17:15 < Testy2> concentraiting 
17:15 < Testy2> just want to leave for the day 
17:15 < Testy2> but cant 
17:17 < Testy2> boss took my card and told me he would leave it with security I can leave after he can log in from home with new key and no error on the server saying we need to fix somthing  
17:17 < Testy2> lol
17:17 < krzie> Testy2, too bad you dont use freebsd, cert generating is made simple there by ecrist's ssl-admin
17:17 < krzie> heheh
17:18 < Testy2> yeh that would benice 
17:18 < krzie> was the client certs made and signed in the keydir?
17:18 < Testy2> I did everything from the easy-rsa dir 
17:19 < Testy2> the first one worked 
17:19 < Testy2> key1
17:19 < Testy2> key2 gave me the issue 
17:20 < Testy2> looks like I filled everything out correctly 
17:20 < krzie> you didnt remove index.txt, right?
17:20 < Testy2> no havent touched anything
17:20 < krzie> or the serial file
17:21 < Testy2> not a 1 
17:21 < Testy2> I can try it again 
17:21 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
17:22 < Testy2> BTW in the keys dir 
17:22 < krzie> 1sec
17:22 < Testy2> it looks like there is a key2 
17:22 < krzie> first hit on google seems to have an answer again
17:22 < Testy2> it made the file
17:22 < Testy2> what did you search for 
17:22 < googleman> lolz i hate interogation
17:22 < Testy2> yikes are you saying im an asshat? 
17:23 < krzie> oh
17:23 < Testy2> listen for the record your correct 
17:23 < krzie> all your common-names MUST be different
17:23 < krzie> i used: TXT_DB error number 2 easy-rsa
17:23 < Testy2> ahh ok 
17:24 < krzie> came up withL
17:24 < krzie> http://openvpn.net/archive/openvpn-users/2004-05/msg00335.html
17:24 < vpnHelper> Title: [Openvpn-users] Re: easy-rsa guide, problem, please help (at openvpn.net)
17:24 < Testy2> So what happens if I generate key 2again and write over the the one that it made 
17:24 < Testy2> is that a no no 
17:25 < googleman> krzie
17:25 < googleman> what is ta.key
17:27 < Testy2> Yeh Boy 
17:27 < Testy2> back in busniess 
17:27 < Testy2> your a genious for using google better then me! 
17:27 < googleman> just for quick reply
17:27 < Testy2> If this works. Im seriously going to give some one money 
17:27 < googleman> google is long and not transparent
17:28 < Testy2> might as well be you 
17:28 < Testy2> krzie
17:28 < Testy2> you paypal? 
17:28 < Testy2> im making OT right now 
17:28 < Testy2> want dinner on me? 
17:28 < Testy2> Im serious 
17:28 < Testy2> so I have 5 keys here 
17:29 < Testy2> I assume Im going to put them into the keys folders 
17:29 < Testy2> and update my client config with ns-cert-type server
17:29 < Testy2> and the warning will go away 
17:30 < Testy2> here goes 
17:32 -!- googleman [~Reactor16@41.105.85.20] has quit [Ping timeout: 245 seconds]
17:32 < krzie> your server doesnt need any keys except his own key
17:32 < krzie> he needs ca.crt and his own .crt too
17:33 < krzie> the clients get the ca.crt and their own crt/key
17:33 < krzie> as shown in the howto
17:36 < Testy2> ok 
17:36 < Testy2> im building dh
17:36 < Testy2> then I test
17:36 < krzie> dont forget ta.key =]
17:36 < krzie> !hmac
17:36 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
17:36 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
17:36 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
17:37 < Testy2> ok Im going to copy the entirity of the keys folder any way just to get it off my VM
17:37 < Testy2> then distribute them as needed
17:38 < krzie> werd
17:38 < krzie> make sure the client configs are referencing the right filenames too
17:38 < krzie> im not sure why googleman left, i had an answer for him but im at work so answers come when im available
17:52 < Testy2> hmm 
17:52 < Testy2> ok almost ready to test 
17:58 < Testy2> ohh man 
17:58 < Testy2> Im still getting the warning 
17:58 < krzie> what warning
17:58 < Testy2> when i start the server 
17:59 < Testy2> about script security 2
17:59 < krzie> it doesnt apply to you
17:59 < krzie> we were just talking about that in a dev meeting the other week
17:59 < Testy2> Wait so I did all this for naught 
17:59 < Testy2> LOL
17:59 < krzie> we wanna remove that warning when it doesnt apply
17:59 < Testy2> how come it doesent apply 
17:59 < Testy2> and are we safe from man in the middle ?
18:00 < krzie> because that warning is ALWAYS printed on startup
18:00 < Testy2> AGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
18:00 < krzie> the man in the middle thing is a different warning
18:00 < Testy2> lol
18:00 < Testy2> what does it look like 
18:00 < Testy2> and does that apply 
18:00 < krzie> the MITM warning would say you have not enabled certificate verification and give you a link to something with MITM in its URL
18:01 < Testy2> do I need to change anything? other then add ns-cert-type server
18:01 < krzie> disable that ns-cert-verify line and start it, you'll see the warning
18:01 < krzie> you need to test connection after adding that line
18:01 < krzie> you might need the other line, depending on the server cert
18:01 < Testy2> ok lemme go back to old keys 
18:01 < krzie> my configs use  ns-cert-type server
18:01 < krzie> old keys!?!?
18:01 < krzie> no
18:02 < krzie> just comment out ns-cert-type line to see that warning
18:02 < Testy2> Ok i dident add that line to server config 
18:02 < Testy2> only client 
18:03 < Testy2> as for going back to the old keys, Im merely doing that becasue that allready works 
18:03 < Testy2> as of now I would have to add them 5 differant machines
18:04 < krzie> either way, your old PKI is untrusted
18:04 < Testy2> if all i need to do is add ns-cert-type server to the client configs thats much more simple 
18:04 < krzie> since you dont trust the old admin
18:04 < krzie> (you revoked his cert, but he made the ca.key, he can give himself new certs)
18:04 < Testy2> I see 
18:04 < krzie> anyone with your ca.key owns your PKI
18:04 < krzie> its the only 100% vital part of your PKI
18:08 -!- reactor16 [~Reactor16@41.105.85.20] has joined ##openvpn
18:08 < reactor16> hi 
18:08 < reactor16> all
18:08 < krzie> hai2u
18:08 < reactor16> krzie hi
18:08 -!- reactor16 is now known as googleman
18:08 < googleman> it still some
18:09 -!- googleman [~Reactor16@41.105.85.20] has left ##openvpn []
18:09 -!- googleman [~Reactor16@41.105.85.20] has joined ##openvpn
18:09 < krzie> lol
18:09 < googleman> krzie
18:09 < krzie> googleman, you left before i could answer
18:09 < krzie> ta.key...
18:09 < krzie> !hmac
18:09 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
18:09 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
18:09 < googleman> can us skip this ?
18:10 < googleman> because i disabled in cfg files
18:11 < Testy2> ns-cert-type server     <------- OK adding this line into the client side 
18:11 < krzie> googleman, yes you may
18:11 < krzie> but i recommend using it
18:11 < krzie> its a great lil added piece of security
18:11 < googleman> it have relation with problem of' MULTI: bad source address from client"
18:11 < krzie> Testy2, see that warning disappear when you added that? ;]
18:11 < krzie> nope, no relation
18:12 < googleman> than i just want to resolve it
18:12 < googleman> after i back to ta.key
18:12 < krzie> so pastebin your new configs
18:13 < googleman> oke
18:13 < krzie> the ones made from my confgen
18:13 < googleman> yes
18:13 < Testy2> perhaps I just dont know jack... 
18:14 < Testy2> I was only talking about the NOTE: openvpn requires security script 2 thing 
18:14 < googleman> http://pastebin.com/8jkS4da6
18:14 < krzie> when you mentioned an "error" i asked if it was a script-security warning
18:14 < krzie> had you said yes, i woulda said to ignore that
18:14 < Testy2> Im looking through the logs right now to see if I can find a warning 
18:15 < googleman> kraut: about your confgen its nice tools i thinked before to make one but in gui :)
18:16 < googleman> i hope get free time
18:17 < krzie> hyper_ch is making a html confgen
18:18 < googleman> good 
18:19 < krzie> but mine will end up being a CA management system as well
18:19 < krzie> ill be building in ecrist's ssl-admin
18:20 < googleman> did u know ultravpn
18:20 < krzie> nope
18:20 < googleman> free openvpn server
18:20 < krzie> openvpn is a free openvpn server
18:20 < krzie> oh you mean a free provider
18:20 < googleman> yes
18:20 < krzie> gotchya
18:21 < krzie> i run my own ;]
18:21 < googleman> it it generate online cert and config file
18:21 < googleman> for client
18:21 < krzie> right, that means their CA is accessible from their server
18:21 < krzie> not very good security
18:21 < googleman> did you route all trafic to your vpn ?
18:21 < krzie> personally, i do a hybrid
18:22 < krzie> i do optional routing by application using socks
18:22 < krzie> !routebyapp
18:22 < vpnHelper> krzie: "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
18:22 < krzie> that way my torrents dont go over my vpn, nor do specific apps i told not to
18:23 < Testy2> proxifier
18:23 < googleman> i like to send all trafic over vpn
18:23 < Testy2> even handels DNS resolvs for me 
18:23 < Testy2> at least thats what we use 
18:23 < Testy2> tunnel everything... 
18:23 < googleman> yes
18:24 < Testy2> but its hard to forward ports to the end of tunnel
18:24 < Testy2> I feel Like I have so much more I could ask about in here but I feel bad wasting your time 
18:24 < googleman> that what i want to do
18:24 < Testy2> thanks 
18:24 < googleman> i see this in pptpd server
18:24 < krzie> Testy2, yup, thats what i use =]
18:25 < googleman> relakks offer this option
18:25 < googleman> but in pptp
18:25 < krzie> googleman, 
18:25 < googleman> yes
18:25 < Testy2> if krzie wants to provide me with some ay to contact him. I can pay you
18:25 < krzie> Testy2, 
18:25 < krzie> !donate
18:25 < vpnHelper> krzie: "donate" is (#1) send monetary donations to openvpn@secure-computing.net via paypal. All money donated goes to staff toward development of the community wiki, forum, and this IRC channel., or (#2) Contributions to this address do *NOT* directly benefit OpenVPN Technologies, Inc.
18:25 < googleman> ?
18:25 < krzie> googleman, 
18:25 < Testy2> I will do that 
18:26 < krzie> your config has the openvpn side of it done
18:26 < krzie> !redirect
18:26 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:26 < krzie> your cofnig has push "redirect-gateway def1"
18:26 < Testy2> and I will be back to learn more 
18:26 < krzie> which is good for your goal
18:26 < krzie> now your server needs NAT and ip forwarding
18:26 < googleman> ?
18:26 < googleman> can you explain more ?
18:26 < krzie> ok...
18:26 < krzie> !def1
18:26 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
18:26 < Testy2> right now I have if I add ns-cert-type server to my clients. I have to assume thats better then it was 
18:27 <@raidz> krzie: could you pm me dazo's e-mail addy? thnks
18:27 < krzie> Testy2, it connects when you added that?
18:27 < Testy2> Yeh 
18:27 < krzie> raidz, sure, im sure ill have it if i look on the mail list, hes quite active there
18:27 < Testy2> read up on static routing 
18:27 <@raidz> I looked on there, it looks like it is an e-mail dedicated to the mailing list
18:28 < Testy2> We have used several virtual nat devices to help us with this as well 
18:28 <@raidz> I can try that one thouhg if its all you have
18:28 < krzie> raidz, yup, all i have
18:28 <@raidz> ok, thanks!
18:28 < Testy2> should it not work after adding that krzie?
18:29 < googleman> krzie i should add 0.0.0.0/1 where listen ?
18:31 -!- husky is now known as coil
18:32 < googleman> s
18:32 -!- googleman [~Reactor16@41.105.85.20] has quit []
18:35 < Testy2> http://pastie.org/964678 
18:36 < Testy2> Last thing krzie 
18:36 < Testy2> take a look at the pastie.org link 
18:36 < Testy2> If you can tell me if you see anything glairingly retarded that would be cool 
18:37 < krzie> googleman doesnt get it
18:37 < krzie> his configs are right
18:37 < Testy2> right now the VPN is working and tunneling is up and running 
18:37 < Testy2> DNS is working remotly.. 
18:37 < Testy2> so Yeh its nice 
18:37 < Testy2> Just want to make sure that everything is put away before I leave 
18:38 < Testy2> and before I call my boss 
18:38 < Testy2> if possible look them over when you get a chance and if you need any more info I can give it to you 
18:38 < krzie> im looking
18:38 < krzie> !tcp
18:38 < vpnHelper> krzie: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
18:39 < krzie> !ipp
18:39 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
18:39 < krzie> why are you using mssfix?
18:39 < krzie> you dont need that unless you know why you need it
18:40 < krzie> its in some guides, and people sometimes add it without knowing if they need it or not, or what it does
18:40 < Testy2> thats probobly why 
18:40 < krzie> also
18:41 < Testy2> I coppie dmost of what I saw in the old configs when I built these 
18:41 < krzie> you use proxifier on the clients to use a proxy that listens on VPN ip?
18:41 < krzie> cause if so, why do you also push redirect-gateway??
18:41 < Testy2> I should remove it from both server and client? mssfix 1400 ?
18:41 < krzie> its not in the client
18:41 < Testy2> uhm lets see.. the server runs a proxy via the tunnel that open vpn makes 
18:42 < krzie> then why do you redirect-gateway?
18:42 < Testy2> and proxifier connects to the end of that tunnel 
18:42 < Testy2> ok I can comment that out and see if it makes a diff 
18:42 < krzie> those are 2 different ways to handle that same goal
18:43 < Testy2> ok so comment out mssfix 1400 and redirect gateway
18:43 < Testy2> anything else
18:43 < krzie> !tcp
18:43 < vpnHelper> krzie: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
18:43 < krzie> !ipp
18:43 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
18:43 < Testy2> what is !tcp and !ipp
18:43 < krzie> read what my bot said
18:43 < Testy2> ohhh 
18:43 < krzie> !bot
18:43 < vpnHelper> krzie: "bot" is I'm a bot.. just a bot. krzee is my maintainer, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
18:44 < Testy2> I can move to UDP
18:44 < Testy2> lol 
18:44 < Testy2> can I comment out that line as well then? 
18:45 < krzie> after you change to UDP, you'll also need to change the port forwarding to the server's LAN ip
18:45 < krzie> ipp can be commented out
18:46 < Testy2> right now I think both are forwarded, I have access anyway I just need to make a call 
18:46 < krzie> if you want static VPN ips, handle it differently
18:46 < krzie> ipp doesnt do that, but is often used as an attempt by those who dunno
18:46 < krzie> !iporder
18:46 < vpnHelper> krzie: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
18:47 < krzie> !static
18:47 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
18:48 < krzie> so did you already test connecting with ns-cert-type server ??
18:48 < Testy2> Ok their must be some reason it was set that way //// NS-cert-type server seems to connect 
18:48 < krzie> ok
18:49 < Testy2> Im going tocmment it all out and see what happens 
18:49 < krzie> many people who dunno what they're doing use ipp thinking it makes static ips
18:49 < krzie> but it doesnt
18:49 < Testy2> perhaps we dont need ipp
18:49 < krzie> openvpn sees it as a suggestion
18:49 < krzie> you can choose to keep it if you want
18:49 < krzie> but i make everyone i see using it aware of that
18:49 < Testy2> if I rem it and it wont work I will put it back for now 
18:49 < krzie> if ns-cert-type connects, all good =]
18:50 < Testy2> if I rem it and everything still works I think its prolly ok 
18:50 < krzie> your vpn will work fine with or without it
18:50 < krzie> (it being ipp)
18:50 < krzie> if it connected with ns-cert-type, you're good there
18:50 < krzie> you are checking against MITM attacks
18:50 < krzie> heres something else you should do since you are redistributing certs
18:50 < Testy2> ahh I see 
18:50 < krzie> !hmac
18:50 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
18:50 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
18:51 < krzie> once you set that up you can tell your boss how much you improved the vpn
18:51 < krzie> that the old admin still had unlimited access until now
18:51 < Testy2> so this goes in server.ovpn 
18:51 < Bushmills> !beer to krzie
18:51 < Testy2> ok 
18:51 < vpnHelper> Bushmills: Error: "beer" is not a valid command.
18:51 < krzie> that you werent safe against MITM attacks until now
18:52 < Testy2> testing 
18:52 < krzie> that you just protected your company from DOS attacks to the vpn server, and made it much harder to hack even if one day a flaw is found in openvpn
18:53 < krzie> openvpn --genkey --secret ta.key to make the tls static key
18:53 < krzie> in configs, tls-auth ta.key 0     in server config       and tls-auth ta.key 1   in client config
18:53 < krzie> full path of course
18:54 < krzie> like the rest of your configs already have
18:54 < krzie> Bushmills, as long as its good german beer!
18:54 < Testy2> OK great 
18:54 < Testy2> commented out the things in server.ovpn switched to UDP 
18:54 < krzie> not light, like that 1 assclown said he'ld send me!
18:54 < Testy2> seems to be working 
18:54 < krzie> Testy2, wanna repaste and ill look again?
18:54 < Testy2> my client comp got a new IP 
18:54 < Testy2> but thats ok 
18:55 < krzie> you did the tls-auth as well, right?
18:55 < krzie> oh and that change to UDP was a big deal
18:55 < krzie> can largely improve your performance
18:55 < krzie> (another thing you improved)
18:56 < Testy2> Ok Only did ns-cert-type server in client side config
18:56 < krzie> right
18:56 < Testy2> what about the TLS ?
18:57 < krzie> !hmac
18:57 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
18:57 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
18:57 < krzie> lol
18:57 < Testy2> as for the IP's not being static it will only matter if we need to do forwarding and I think i can cross that bridge when and if I ever need to deal with it 
18:57 < Testy2> ok thats TLS is what im going to do now 
18:57 < Testy2> just wanted to test everythign else before I added new stiff 
18:57 < krzie> Testy2, ya it usually isnt needed
18:57 < Testy2> stuff
18:57 < krzie> (static ips)
18:58 < krzie> thats good
18:59 < Testy2> Ok from what you said Im guessing I can add this tls option in multiple places 
18:59 < krzie> always best to test like that =]
18:59 < Testy2> ?
18:59 < krzie> you put it on client and server, with different #
18:59 < Testy2> its all you man 
18:59 < Testy2> your the steam in my engine 
18:59 < krzie> [16:56]  <krzie> openvpn --genkey --secret ta.key to make the tls static key
18:59 < krzie> [16:56]  <krzie> in configs, tls-auth ta.key 0     in server config       and tls-auth ta.key 1   in client config
18:59 < krzie> [16:56]  <krzie> full path of course
18:59 < krzie> [16:57]  <krzie> like the rest of your configs already have
19:00 < Testy2> ok gimme a min to let it sink in 
19:00 -!- Alphanaut [~Alphanaut@c-76-119-199-25.hsd1.ma.comcast.net] has joined ##openvpn
19:00 < Testy2> my brain is a 486 today 
19:00 < Alphanaut> heh
19:02 < Testy2> ok so im going back to the machine where the keys were generated, 
19:02 < Testy2> and Im going into the open vpn dir 
19:02 < Alphanaut> the "server" :)
19:02 < Testy2> ok 
19:02 < Testy2> server 
19:03 < krzie> actually no
19:03 < Testy2> and im typing in openvpn --genkey --secret ta.key
19:03 < Testy2> ohh 
19:03 < krzie> keys get generated on the CA
19:03 < krzie> Testy2, dont listen to Alphanaut :-p
19:03 < Alphanaut> CA is a nice name.
19:03 < krzie> and Testy2, you can generate it anywhere openvpn exists
19:03 < Testy2> ok 
19:03 < krzie> but the file must go to all clients and the server, and must not change
19:04 < krzie> it must be = everywhere
19:04 < Testy2> in this case Im goign to do it on my VM 
19:04 < krzie> ok, it doesnt matter where you make it
19:04 < Testy2> so this has nothing to do with existing keys then 
19:04 < krzie> it will be on EVERY node of your vpn
19:04 < krzie> nope, nothing at all
19:04 < Testy2> for instance even a new install can do it 
19:04 < Testy2> with out any keys 
19:04 < Testy2> ok 
19:05 < krzie> its another layer of security, which has nothing to do with any other layer
19:05 < krzie> it adds a signature to EVERY single VPN packet
19:05 < krzie> an HMAC signature
19:05 < krzie> any packet not having the signature will be dropped immediately and not be processed
19:06 < Testy2> ok looks like no errors 
19:06 < Testy2> lemme find ta.key now 
19:07 < krzie> ild think its in the dir you are currently in
19:07 < krzie> when you typed that
19:07 < Testy2> got it 
19:07 < Testy2> sending it to the server and the clients 
19:08 < krzie> you're gunna have some good stuff to brag to the boss about :-p
19:08 < krzie> your vpn is way way better than it was when you took it over
19:08 < Testy2> you know gets me about this... 
19:09 < Testy2> the guy who is doing this is at conf in jappan about network security!
19:09 < Testy2> Im the damn web guy 
19:09 < Testy2> Im not even an admin 
19:10 < krzie> well then it might make you feel better to know that i SUCK at webdev
19:10 < Testy2> I just have priveleges and when shit started to fail today srgt was like fix it 
19:10 < krzie> ;]
19:10 < Testy2> I know you can
19:10 < Testy2> now Im going to get stuck with it whenever 
19:10 < Testy2> HAHA
19:10 < Testy2> web dev... PHP mysqlk 
19:10 < Testy2> oops 
19:10 < Testy2> yeh 
19:10 < Testy2> thats all I know 
19:11 < Testy2> but I guess I can fix comps 
19:11 < Alphanaut> i make a mean vodka tonic
19:11 < Testy2> because I fixed like 5 problems today that this guy apparently couldent 
19:11 < Alphanaut> that's a skill.
19:11 < Testy2> yum
19:11 < Alphanaut> :)
19:11 < Testy2> ok backj to work for me 
19:11 < Testy2> brb
19:11 < Alphanaut> that's a shame
19:12 < Alphanaut> i'm on mandatory "rest", no work for me
19:12 < Alphanaut> only vodka tonics
19:12 < krzie> lol
19:12 < Testy2> any spasific place I need to put ta.key 
19:12 < krzie> Alphanaut, did you realize XP doesnt do NAT yet?
19:12 < Testy2> or just any place as long as my path works 
19:12 < Alphanaut> i dont use xp :")
19:12 < Alphanaut> but yes
19:12 < krzie> Testy2, yes, whereever you tell the config to look for it
19:12 < Alphanaut> but i dont need it
19:12 < Testy2> server 2003 hope 
19:13 < Alphanaut> it works flawlessly
19:13 < Alphanaut> on my computer that doesnt do nat
19:13 < krzie> Alphanaut, oh, cool
19:13 < Alphanaut> :)
19:13 < Alphanaut> yah, neato
19:13 < krzie> maybe i had you mixed with someone else
19:13 < Testy2> you can use wooweb or lots of other virtual nats 
19:13 < Alphanaut> no, that was me
19:13 < Alphanaut> two vista computers
19:13 < Alphanaut> as bad as xp
19:13 < Alphanaut> er, worse
19:13 < krzie> worse
19:13 < Alphanaut> rgr
19:13 < Testy2> ohh yeh 
19:13 < Testy2> worse 
19:13 < Alphanaut> but it works great
19:14 < Alphanaut> only issue is a uvnc anomaly but that's no big deal
19:17 < Testy2> ok
19:17 < Testy2> ta.key distributed to all clients and server 
19:17 < Testy2> I put it in the key folder
19:18 < Testy2> now adding config 
19:18 < Testy2> brb 
19:18 < Testy2> I have to use the bathroom bad 
19:18 < Testy2> way to much to drink
19:19 < n0sq_> why doesn't the openvpn-easy-rsa package for openwrt install the utilities to build a certificate?
19:20 -!- KnightWhoSaysNi [~evaldo@freenode/staff/udontknow] has quit [Ping timeout: 612 seconds]
19:21 < krzie> n0sq_, thats a question for whoever packages the openWRT thing (its not done by the openvpn team)
19:21 < krzie> im guessing it could have to do with space
19:21 < Testy2> ohhh open vpn built into a router 
19:21 < Testy2> sexy 
19:21 < Testy2> I have no life 
19:22 < Testy2> any spasific place the line needs to go in the config 
19:22 < Testy2> or just anywhere?
19:22 < krzie> n0sq_, do you happen to also you freebsd?
19:22 -!- KnightWhoSaysNi [~evaldo@freenode/staff/udontknow] has joined ##openvpn
19:22 < krzie> theres a nice cert management system in ports, replaces easy-rsa nicely
19:22 < krzie> (its what i use)
19:22 < krzie> Testy2, anywhere should be fine
19:22 < Testy2> wilco
19:23 < n0sq_> krzie: nope, i don't do freebsd
19:24 -!- Alphanaut [~Alphanaut@c-76-119-199-25.hsd1.ma.comcast.net] has quit [Remote host closed the connection]
19:25 -!- testy2point9 [~451f510d@gateway/web/freenode/x-vpvhghlmfmbywkwb] has joined ##openvpn
19:25 < testy2point9> hey hey
19:25 < testy2point9> on the server now 
19:25 < testy2point9> tls-auth 0 "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ta.key"
19:25 < testy2point9> heres the line as I would imagine it for winblows 
19:25 < testy2point9> can you confirm
19:26 < testy2point9> clicnt will be tls-auth 1 "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ta.key"
19:29 < Testy2> ok shutting down vpn and testing
19:30 < krzie> Testy2no
19:30 < krzie> !hmac
19:30 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
19:30 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
19:30 < krzie> tls-auth FILE #
19:30 < krzie> not tls-auth # file
19:30 < krzie> the 1/0 goes AFTER file
19:32 < testy2point9> Mon May 17 20:30:41 2010 Cannot open file key file 'C:\Program Files\OpenVPN\easy-rsa\keys\ta.key 0': The system cannot find the file specified.   (errno=2)
19:32 < testy2point9> here is the line in the config 
19:32 < testy2point9> tls-auth "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ta.key 0"
19:33 < krzie> there is no chroot or cd command above that, right?
19:33 < Testy2> ill try with out quotes... nope 
19:33 < krzie> nope, you need the "'s
19:34 < Testy2> ok 
19:34 < krzie> oh
19:34 < krzie> lol
19:34 < krzie> your quote is wrong
19:34 < krzie> endquote needs to be before the 0
19:34 < krzie> after the y
19:34 < Testy2> ahhh
19:35 < testy2point9> its connected !
19:35 < testy2point9> YAYAYAYAYA 
19:36 < Testy2> Wow its allot faster!!!
19:36 < Testy2> it really is faster 
19:36 < Testy2> that must be the UDP 
19:37 < krzie> yup =]
19:37 < Testy2> shall I post everything again for you to see 
19:37 < Testy2> or are you sick of me! 
19:37 < Testy2> heh
19:37 < krzie> and its more secure
19:37 < krzie> you can if you like
19:37 < Testy2> thats great! 
19:37 < Testy2> this is a great 
19:37 < krzie> im killing time at work, not too many options of other things to do...
19:37 < Testy2> I love openvpn, Im sure it gets real complex but this isent to bad 
19:38 < Testy2> gotta find a book on it or somthing 
19:38 < Testy2> that other guy who was talking about DDWRT 
19:38 < Testy2> I think I know of a tomato release that has it built in 
19:38 < Testy2> that sould be sick 
19:40 -!- testy [~451f510d@gateway/web/freenode/x-cygwxsbmhrjqnhez] has joined ##openvpn
19:41 < testy> http://pastie.org/964741
19:41 < testy> thats the client
19:41 < krzie> [17:40]  <Testy2> I love openvpn, Im sure it gets real complex but this isent to bad 
19:41 < krzie> LOL
19:41 < krzie> isnt too bad, i just told you everything to do
19:42 < krzie> im sure that makes things rather easy :-p
19:42 < Testy2> yeh but imagine if I wasent an ass hat
19:42 < Testy2> and I was you 
19:42 < krzie> but ya, i love openvpn too
19:42 < Testy2> it wouldent be to bad 
19:42 < Testy2> !:)
19:42 < vpnHelper> Testy2: Error: ":)" is not a valid command.
19:42 < krzie> as far as a book, JJK will be releasing one soonish
19:42 < krzie> my advice is wait for that
19:42 < krzie> hell, ill prolly buy it
19:43 < testy2point9> http://pastie.org/964743
19:43 < testy2point9> thats the server
19:43 < krzie> JJK is a person from the openvpn mail list
19:44 < Testy2> yeh?
19:44 < Testy2> is that you?
19:45 < Testy2> im on that list 
19:45 < Testy2> I get the email 
19:45 < Testy2> I dont read it becasue this is my first time configing the VPN 
19:46 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has quit [Remote host closed the connection]
19:46 < Testy2> so, it all looks good... 
19:48 < testy> ?
19:48 < testy> you know I must thank you 
19:48 < testy> you saved my ass
19:48 < testy> I dident want to let my guys down 
19:48 < testy> and you totaly helped me 
19:49 < krzie> no no its not me
19:50 < krzie> JJK is someone else
19:50 < krzie> i sign my emails -krzee
19:50 < krzie> i was just saying JJK is writing a book on openvpn
19:50 < krzie> and if you want a book on openvpn, ild wait for that
19:50 < krzie> i plan on reading it as well
19:50 < testy> I will 
19:50 < krzie> the configs look good to me
19:51 < krzie> cipher BF-CBC is pointless really since thats the default, but that doesnt hurt anything
19:51 < testy> ok
19:51 < krzie> you look good to go
19:51 < krzie> and you're welcome =]
19:52 < testy> krzie 
19:52 < testy> my offer still stands
19:52 < testy> I will donate anyway
19:53 < testy> but can I b uy you dinner 
19:53 < testy> you have been helping me all day 
19:53 < krzie> i already ate, but a donation is plenty good... and much appreciated =]
19:53 < krzie> and you'll liev in infamy on our thank you page to donators
19:54 < krzie> live*
19:54 < krzie> http://secure-computing.net/wiki/index.php/OpenVPN/Donations
19:54 < vpnHelper> Title: OpenVPN/Donations - Secure Computing Wiki (at secure-computing.net)
20:00 < testy> are you really in IT dude
20:01 < krzie> lo,l yes
20:01 < krzie> s/,l/l,/
20:02 < testy> wow
20:03 < testy> you helped me all the way from over the ocen...
20:03 < testy> your a cool dude 
20:03 < krzie> =]
20:05 < Testy2> Ok I donated 
20:05 < krzie> ^5
20:05 < Testy2> hope it in some way helps
20:06 < Testy2> and thank you again! 
20:06 < krzie> certainly does!
20:06 < Testy2> Im sure I will be back 
20:06 < Testy2> the boss says it is faster and... yeh its my job now... 
20:06 < krzie> helps us with costs of maintaining our servers and whatnot =]
20:06 < Testy2> so 
20:06 < Testy2> I know I will be back 
20:06 < krzie> that makes you pretty important there
20:06 < Testy2> im sure they will ask me all kinds of questions that I wont look on google for 
20:06 < Testy2> :)
20:06 < Testy2> lol
20:06 < krzie> since if they get rid of you, they need to rebuild their PKI!
20:07 < Testy2> HAHA 
20:07 < Testy2> never thought of that 
20:07 < Testy2> but they diident with the old guy 
20:07 < krzie> protect ca.key with your life
20:07 < Testy2> so 
20:07 < Testy2> will do ! 
20:07 < krzie> right, but let them know you did that
20:07 < krzie> because he still had full access if he wanted it
20:07 < krzie> they'll put the rest together in their heads ;]
20:11 < Testy2> im telling my boss about you right now 
20:11 < Testy2> he says find a way to get your email address so he can pay you 
20:11 < Testy2> lol 
20:12 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
20:19 -!- testy [~451f510d@gateway/web/freenode/x-cygwxsbmhrjqnhez] has quit [Quit: Page closed]
20:20 < oc80z> Thats an nice error i got.
20:21 < krzie> lol
20:21 < krzie> im jeff@doeshosting.com or krzee@ircpimps.org
20:22 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 265 seconds]
20:27 < oc80z> must have been an ip conflic, spit "RwwRwRRwwRwRRwwRwR.." 255+ times into the ovpngui.exe
20:27 < krzie> those are just read/writes
20:27 < krzie> you can lower verb and not get them
20:27 < krzie> assuming you arent currently debugging
20:28 < krzie> for debug, verb 5, for normal usage, ver 3
20:28 < krzie> verb 3
20:34 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
20:38 < oc80z> hmmph
20:39 < oc80z> its kind of loopy what im trying to do 
20:39  * oc80z wanders off
20:39 < krzie> ?
20:40 < oc80z> hrmph
20:40 < oc80z> no clue whats going on, i shouldnt get those rw's 
20:41 < krzie> lol
20:41 < krzie> you have verb 5 dude
20:42 < oc80z> yep. 
20:42 < krzie> thats WHY i want verb 5 when i troubleshoot
20:42 < krzie> helps see firewall issues
20:42 < krzie> if you dont want them there, lower your verb
20:43 < krzie> 4 is basically everything 5 is, without rwrwrw across your screen iirc
20:43 < krzie> and 3 is less info, but good for daily usage
20:43 < krzie> you should only have 5 IF YOU WANT the rwrwrw
20:43 < krzie> basically, thats the point!
20:44 < oc80z> wow..
20:44 < oc80z> i never noticed it do this, ever.
20:44 < krzie> lol
20:44 < oc80z> it was 5
20:45 < oc80z> wierd bro
20:46 < oc80z> i did see an ip conflict on this machine 
20:52 < oc80z> tellin ya man, shits wierd. i think its a stale DNS On one of the hops too
20:52 < oc80z> ...shit arp on one of the hops
20:54 < oc80z> i bet its dnsmasq
20:55 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:56 < Testy2> home now 
20:56 < Testy2> logged into work pc
20:56 < Testy2> couldent leave you krzie!
20:56 < Testy2> having some drink on you!
20:57 < krzie> nice!
20:57 < krzie> what are we drinking?
20:58 < Testy2> Palm 
20:58 < Testy2> my favorite 
20:58 < krzie> whats that
20:58 < Testy2> palm ale
20:58 < krzie> ahh beer
20:58 < Testy2> ohh its just a an amzing beer 
20:58 < Testy2> it really really is 
20:58 < Testy2> at 15 bucks a case 
20:59 < Testy2> its worth it 
20:59 < Testy2> http://www.google.com/products?hl=en&q=palm+beer&um=1&ie=UTF-8&ei=cPTxS9T8C8X7lwfH3uyNDQ&sa=X&oi=product_result_group&ct=image&resnum=4&ved=0CC8QzAMwAw
20:59 < vpnHelper> Title: palm beer - Google Product Search (at www.google.com)
21:00 < Testy2> I get it through the importer down the road 
21:00 < Testy2> looks cheeper online 
21:00 < oc80z> pretty sure dnsmasq is confusing routes 
21:00 < Testy2> flush dns?
21:01 < oc80z> well, 
21:01 < krzie> lol
21:01 < krzie> dnsmasq has nothing to do with routes
21:02 < krzie> my bet is that you're confusing yourself ;]
21:02 < oc80z> ofc it does.
21:02 < krzie> no, it does not
21:02 < krzie> it has to do with name resolution
21:02 < oc80z> its dhcp?
21:02 < oc80z> first off, its dd-wrt
21:02 < krzie> how high are you bro?
21:03 < oc80z> you can use dnsmasq for dhcp
21:03 < Testy2> wow I wish I was holding 
21:03 < Testy2> if so I could be high right now 
21:03 < oc80z> agreed.
21:03 < Testy2> heh
21:03 < oc80z> cmd
21:04 < krzie> oc80z, yes, it can be a dhcp server.... that doesnt make it some sort of routing protocol...
21:05 < Testy2> if I hang out long enough I wonder if I can learn more
21:05 < oc80z> well it is giving who-has for netbios requests.
21:05 < oc80z> and it is reffering to a static-dhcp lease 
21:06 < krzie> Testy2, heres something that'll help you
21:06 < krzie> !factoids
21:06 < vpnHelper> krzie: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
21:06 < krzie> thats everything the bot knows =]
21:09 < Testy2> sweet 
21:09 < Testy2> reading 
21:09 < oc80z> am i wrong?
21:10 < Testy2> I think if what boss man said is true that I will be earning my money from this point on. 
21:10 < oc80z> its all bridged, netbios 
21:10 < krzie> netbios is also not a routing protocol oc80z 
21:11 < oc80z> its a resolution protocol
21:11 < krzie> its more or less name resolution for WINS
21:11 < oc80z> right
21:11 < Testy2> Seems as if fatty in Japan need some help. Tommarow I get to reconfigure an asterix server!~!! Lets see how that goes!  
21:11 < krzie> asterisk in business environment!?
21:11 < krzie> someone needs to tell your head tech about freeswitch
21:12 < oc80z> freeswitch?
21:12 < krzie> asterisk was great, as a first attempt at opensource telephony
21:12 < oc80z> asterisk is tight we use that at MIT
21:12 < krzie> oc80z, you serious!?
21:12 < krzie> lol
21:12 < krzie> 1sec
21:12 < krzie> oc80z, i expected you to know better =[
21:12 < oc80z> heh, yeah absolutly! 
21:12 < krzie> oc80z, yanno i used to be 1/2 owner of a voip company, ya?
21:13 < oc80z> hey man, im just saying
21:13 < oc80z> wahts freeswitch eh?
21:13 < krzie> exactly
21:13 < krzie> you love asterisk, cause its all you know of :-p
21:14 < krzie> im getting a link for you
21:14 < oc80z> hmm
21:14 < krzie> anthm (lead fs dev) was heavily involved in dev for asterisk
21:14 < oc80z> the freeswitch site is running on drupal.
21:14 < oc80z> <g>
21:14 < krzie> http://www.freeswitch.org/node/117
21:14 < vpnHelper> Title: How does FreeSWITCH compare to Asterisk? | FreeSWITCH (at www.freeswitch.org)
21:14 < krzie> let me share a lil info with you
21:15 < krzie> asterisk crashes when you throw real amounts of traffic at it, even with all patches in the wild for different issues
21:15 < Testy2> DAMN 
21:15 < Testy2> thats really cool 
21:15 < oc80z> heh
21:15 < oc80z> i know.
21:16 < krzie> freeswitch has out-performed metaswitch in a live telco environment, actually DOS'ed metaswitch
21:16 < krzie> metaswitch is CLEC grade telco equipment, STARTS at $250k
21:16 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
21:16 < Testy2> http://wiki.freeswitch.org/wiki/Getting_Started_Guide reading
21:16 < vpnHelper> Title: Getting Started Guide - FreeSWITCH Wiki (at wiki.freeswitch.org)
21:16 < krzie> i know the person who had his freeswitch kill his uplinks metaswitch, runs a telco in alabama
21:17 < krzie> Testy2, #freeswitch is their channel
21:18 < Testy2> you will hate me for it but YAY windows support
21:19 < oc80z> hhmph
21:19 < krzie> doesnt bother me that you prefer inferior operating systems ;]
21:19 < Testy2> holly crap this looks much more simple 
21:19 < krzie> more stable as well
21:20 < krzie> and super-rapidly developed
21:20 < krzie> if your boss doesnt mind paying $ for his setup, check out cudatel (freeswitch based with web gui config)
21:20 < Testy2> we share part of a trunk for a building, about 15 ofices worth of phone 
21:21 < krzie> i just picked up 2 cudatels recently
21:21 < Testy2> probobly about 1000 lines or more 
21:21 < krzie> (well the biz did, but im in charge of making it happen, etc)
21:21 < krzie> https://www.cudatel.com/
21:21 < vpnHelper> Title: Barracuda Networks CudaTel Communication Server (at www.cudatel.com)
21:21 < Testy2> ill bring it up 
21:21 < Testy2> see what they say 
21:22 < Testy2> we only need 10 more lines 
21:22 < theDoc> Greetings, ;p
21:22 < oc80z> wow
21:22 < Testy2> at least to our setup but my guess is that big boss man will take interest if we bring it up 
21:23 < Testy2> that is me and other lakie types 
21:23 < Testy2> heh
21:23 < Testy2> we have problems with asterix, constant hacking 
21:23 < Testy2> complaints from other offices 
21:23 < Testy2> calls dropped 
21:23 < Testy2> its miss manged, ignored and the hardware it runs on is ancinet 
21:25 < krzie> right
21:25 < krzie> i was about to say, if your setup works without issue no reason to change it
21:25 < krzie> however, those issues you have, are thanx to asterisk
21:26 < Testy2> hardly, its on the list of upgrades 
21:26 < krzie> you really shouldnt need to constantly manage a phone setup
21:26 < Testy2> were a tech firm, who has some semi military contracts and other such things...
21:26 < Testy2> but our own stuff works the worst 
21:27 < Testy2> and they hire guys like me but most of them leave becasue the work if hard 
21:27 < Testy2> its a lot to know 
21:27 < Testy2> but when things change so quickly its hard to get anything done around here  
21:28 < Testy2> we do most work for our clients 
21:28 < Testy2> and then our own issues come up 
21:28 < Testy2> like for instance the VPN
21:29 < krzie> and the way your boss solves them is stealing key cards
21:29 < krzie> when i setup my first ovpn setup, this chan was more or less dead
21:29 < oc80z> .. http://goo.gl/PpD6
21:29 < vpnHelper> Title: MIT Pilots VoIP, Internet-Based Phone Service With 500 Users - The Tech (at goo.gl)
21:29 < krzie> took me a couple days to have everything right
21:29 < krzie> oc80z, ya they have a cluster then
21:29 < oc80z> was 2009 when things started to roll out.
21:30 < Testy2> 5 new laptops, all for some semi perm guys who work out of a military office a few floors down 
21:30 < krzie> ok work is over
21:30 < krzie> see ya guys later
21:30  * krzie &
21:30 < Testy2> DUDE 
21:30 < Testy2> Hey 
21:30 < krzie> ?
21:30 < Testy2> once more@!@@
21:30 < Testy2> THAK YOU SO MUCH!@!!! 
21:31 < Testy2> you made my life livable today!
21:31 < krzie> you're welcome =]
21:31 < Testy2> have a good one!
21:31 < Testy2> talk to you later
21:40 -!- hyatt [~kora-chan@dyn-118-139-54-115.its.monash.edu.au] has joined ##openvpn
21:44 -!- testy2point9 [~451f510d@gateway/web/freenode/x-vpvhghlmfmbywkwb] has quit [Ping timeout: 252 seconds]
21:46 < hyatt> hi im trying to connect two router via a vpn tunnel, my configs are pretty small and can be seen here: http://skitch.com/tommay/dd9ge/serverconf for the server and http://skitch.com/tommay/dd9g8/clientconf for the client. openvpn connects and the tunnel interface is established and a route reveals the right routes, ping just cant get through. any ideas where to start debugging?
21:46 < vpnHelper> Title: Skitch.com > tommay > serverConf (at skitch.com)
21:52 < ecrist> !donate
21:52 < vpnHelper> ecrist: "donate" is (#1) send monetary donations to openvpn@secure-computing.net via paypal. All money donated goes to staff toward development of the community wiki, forum, and this IRC channel., or (#2) Contributions to this address do *NOT* directly benefit OpenVPN Technologies, Inc.
21:53 < ecrist> !learn donate as Contribution totals and benefactors can be found at http://www.secure-computing.net/wiki/index.php/OpenVPN/Donations
21:53 < vpnHelper> ecrist: Joo got it.
21:53 < ecrist> !donate
21:53 < vpnHelper> ecrist: "donate" is (#1) send monetary donations to openvpn@secure-computing.net via paypal. All money donated goes to staff toward development of the community wiki, forum, and this IRC channel., or (#2) Contributions to this address do *NOT* directly benefit OpenVPN Technologies, Inc., or (#3) Contribution totals and benefactors can be found at http://www.secure-
21:53 < vpnHelper> ecrist: computing.net/wiki/index.php/OpenVPN/Donations
22:12 -!- proxyuser [~a1323002@gateway/web/freenode/x-exqlhgaydigxcxby] has joined ##openvpn
22:13 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
22:14 < proxyuser> I'm trying to connect through a proxy to my openvpn server, but i am as of yet failing. are either of these errors causing the problem? http://pastebin.com/6dAy9v2y
22:16 < krzee> no
22:16 < krzee> you'd get much further by pasting your entire log at verb 5
22:21 < proxyuser> okay
22:21 < proxyuser> HTTP proxy returned: 'HTTP/1.0 403 Forbidden'
22:22 < proxyuser> how do i change the HTTP/*** in the config file?
22:24 < krzee> well thats the issue
22:24 < krzee> your vpn on UDP?
22:24 < krzee> your http proxy prolly cant handle that...
22:24 < proxyuser> i have one tcp one udp
22:24 < krzee> which ild know for sure had you pasted the whole log
22:24 < proxyuser> this one is connecting tcp
22:27 < proxyuser> http://pastebin.com/iC01yzTe
22:30 -!- hyatt [~kora-chan@dyn-118-139-54-115.its.monash.edu.au] has quit [Quit: hyatt]
22:40 < proxyuser> I remember that there was some way to change the http/1.0 to something else but i can't remember where it was
22:41 < proxyuser> I can't see it in the manpage
22:45 < Knio> the proxy server at 161.50.1.131:8080 is refusing you
22:45 < proxyuser> i know
22:45 < Knio> does it require credentials?
22:45 < proxyuser> yes
22:46 < proxyuser> but i won't allow you to connect nomatter what you send it
22:46 < proxyuser> even my proxy user and pass
22:46 < proxyuser> which i know to be correct
22:47 < proxyuser> i think there is a way to change the 'HTTP/1.0' to say 'HTTP/1.1' or whatever else you might need it to be
22:49 < Knio> h
22:49 < Knio> m
22:49 < Knio> http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html
22:49 < proxyuser> it sends to the proxy: Send to HTTP proxy: 'CONNECT ****.net:8008 HTTP/1.0'
22:49 < vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net)
22:49 < Knio> --http-proxy-option VERSION 1.1
22:50 < proxyuser> oh thanks
22:50 < proxyuser> i didn't see that
22:51 < Knio> you also don't seem to specify an auth file in your config?
22:52 < proxyuser> do i need to?
22:52 < Knio> if it requires credentials yes
22:52 < Knio> http-proxy server port [authfile] [auth-method]
22:52 < Knio> Connect to remote host through an HTTP proxy at address server and port port. If HTTP Proxy-Authenticate is required, authfile is a file containing a username and password on 2 lines, or "stdin" to prompt from console.
22:52 < Knio> auth-method should be one of "none", "basic", or "ntlm".
22:55 < proxyuser> i have stdin in the config file
22:55 < proxyuser> so it prompts when run
22:56 < Knio> ok
22:56 < proxyuser> even with HTTP/1.1 it still comes back with HTTP/1.0 403 forbidden
22:56 < proxyuser> it that because it doesn't want to connect to my server
22:57 < proxyuser> or doesn't like the port?
22:57 < Knio> could be anything
23:01 < proxyuser> is there any way to check?
23:01 < Knio> the server might have send a more detailed message after the 403 header
23:01 < Knio> or check the server logs itself, if you can
23:02 < proxyuser> i can't ssh to my sever because i'm behind a proxy
23:02 < proxyuser> there's my problem
23:03 < Knio> other connections to this proxy do work?
23:03 < Knio> can you see what they are doing?
23:03 < krzee> best way to check will be the proxy's logs
23:03 < Knio> or, test the same host/port you want to connect to with anoher proxy client and see what it does
23:05 < proxyuser> it's university proxy
23:05 < proxyuser> i have no access to it
23:05 < krzee> in the end, the proxy is denying, so you get to guess and check if you cant access the proxy logs
23:06 < krzee> =/
23:06 < Knio> try to see what other proxy clients that you have are doing
23:06 < proxyuser> the web browser works fine
23:06 < krzee> could try running your vpn on port 443 or 80 tcp
23:06 < proxyuser> so i'm guessing it doesn't want to connect to port 8008
23:07 < Knio> truy to browse a webpage at 8008
23:07 < krzee> possibly only port 80 as well, not all handle https even
23:07 < Knio> and see what happens
23:07 < krzee> good call knio
23:07 < krzee> hey, thats neo!
23:07 < krzee> cool nick
23:08 < Knio> lol
23:08 < proxyuser> it will only accept 80
23:08 < proxyuser> okay i'll have to fix it when i have direct access
23:09 < krzee> also, it STILL might not work
23:09 < krzee> cause not all proxy encrypted traffic
23:10 < krzee> try browsing a https page over the proxy
23:10 < krzee> if that works, tcp 443 should work for the vpn
23:11 < krzee> if you already have 443 tcp in use for https on your server, see --port-share
23:11 < proxyuser> it won't accept any port throught openvpn
23:12 < krzee> does your web browser connect to https pages over the proxy...?
23:12 < proxyuser> yes
23:13 < krzee> then tcp 443 is your best bet for openvpn to work
23:13 < proxyuser> i tried that
23:14 < krzee> while it technically COULD tell them apart, nobody really knows how yet (hint: they would need to look at how --port-share works)
23:14 < krzee> oh, ok
23:14 < proxyuser> i tried to get it to connect even though 443 but it said forbidden before it tried to connect
23:14 < proxyuser> and 80
23:23 -!- proxyuser [~a1323002@gateway/web/freenode/x-exqlhgaydigxcxby] has quit [Ping timeout: 252 seconds]
23:56 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
--- Day changed Tue May 18 2010
00:24 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
00:30 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
00:43 -!- EugeneKay [~EugeneKay@unaffiliated/eugenekay] has quit [Ping timeout: 246 seconds]
01:00 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:00 -!- mode/##openvpn [+o mattock] by ChanServ
01:00 < krzee> sup mattock 
01:22 -!- kisom [~kisom@c-f9dde155.648-1-64736c11.cust.bredbandsbolaget.se] has joined ##openvpn
01:30 -!- dazo_afk is now known as dazo
01:33 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
01:53 -!- Brayn [~Brayn@89.39.174.245] has joined ##openvpn
02:12 -!- takamichi [~pri@94.75.217.247] has quit [Ping timeout: 258 seconds]
02:13 -!- takamichi [~pri@78.133.92.164] has joined ##openvpn
02:16 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
02:59 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:13 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:52 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
03:58 -!- Daemon_Byte [opera@89.191.5.238] has joined ##openvpn
03:58 -!- Daemon_Byte [opera@89.191.5.238] has quit [Changing host]
03:58 -!- Daemon_Byte [opera@pdpc/supporter/active/daemon-byte] has joined ##openvpn
04:00 < Daemon_Byte> Hi, I used webmin to create my configuration for openVPN and I keep getting the same error. After connecting it dies straight away and in the log file is Assertion failed at crypto.c:162   A google didn't turn up much at all so any help would be great
04:00 < krzee> sounds like a bad compile
04:01 < krzee> btw if you arent comfy with making your config by hand, consider using my bash config generator instead of webmin
04:01 < krzee> whats your goal for your vpn?
04:01 < krzee> !goal
04:01 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
04:03 < Daemon_Byte> I did try it manually first and actually got it to connect. But the server wasn't sharing it's internet connection so I thought I'd try webmin and see if that would do it. What I am trying to do is vpn to a linux box and use it's internet connection
04:06 < krzee> !redirect
04:06 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
04:06 < krzee> !def1
04:06 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
04:06 < krzee> !linipforward
04:06 < vpnHelper> krzee: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
04:06 < krzee> !linnat
04:06 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
04:07 < krzee> there ya go =]
04:07 < krzee> my confgen does support that too, !confgen
04:07 < dazo> Daemon_Byte:  I helped a guy last week with the exact same assertion ... he needed to recompile OpenVPN against a more recent OpenSSL to fix it, I believe
04:07 < dazo> Daemon_Byte:  when he recompiled, it worked immediately
04:08 < Daemon_Byte> Thanks I will give all that a go.
04:10 < Daemon_Byte> What would I put in the client config file if I wanted to use the cypher AES-256-CBC? Webmin keeps putting in cipher DES-CFB which is clearly wrong
04:12 < krzee> after verifying its available on both sides with --show-ciphers
04:12 < krzee> cipher AES-256-CBC
04:13 < krzee> [05:09]  <mihhdu> pcs are like air conditioners, they work fine unless you open windows
04:13 < krzee> lol
04:13 < krzee> !widnows
04:13 < vpnHelper> krzee: Error: "widnows" is not a valid command.
04:13 < krzee> err
04:14 < krzee> !windows
04:14 < vpnHelper> krzee: Error: "windows" is not a valid command.
04:14 < krzee> yes!
04:14 < krzee> !learn windows as pcs are like air conditioners, they work fine unless you open windows
04:14 < vpnHelper> krzee: Joo got it.
04:17 -!- Daemon_Byte [opera@pdpc/supporter/active/daemon-byte] has quit [Ping timeout: 260 seconds]
04:44 -!- dazo is now known as dazo_afk
04:45 -!- Brayn [~Brayn@89.39.174.245] has quit [Ping timeout: 245 seconds]
04:45 -!- Brayn [~Brayn@89.39.174.245] has joined ##openvpn
05:09 -!- gevaerts [~fg@rockbox/developer/gevaerts] has joined ##openvpn
05:18 -!- cpm [~Chip@border0.avitecture.net] has joined ##openvpn
05:18 -!- cpm [~Chip@border0.avitecture.net] has quit [Changing host]
05:18 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:29 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
05:35 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
05:37 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Client Quit]
06:01 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Ping timeout: 248 seconds]
06:04 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
06:34 -!- lobbin [~c331ac91@gateway/web/freenode/x-gdfxmiwnczydyxkx] has joined ##openvpn
06:35 < lobbin> !welcome
06:35 < vpnHelper> lobbin: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:40 < qfr> !ccd
06:40 < vpnHelper> qfr: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
06:41 < qfr> (trying to set up static IPs
06:41 < qfr> )
06:45 < lobbin> I'm seeing a lot of lingering connections in CLOSE_WAIT state with 1 byte i Recv-Q since we tried running over an openvpn tunnel, any specific reason I should see these? The application is written in-house using C/C++
06:46 -!- flok420 [folkert@keetweej.vanheusden.com] has quit [Ping timeout: 248 seconds]
06:52 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 240 seconds]
07:00 < qfr> Nice, it works
07:03 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
07:04 -!- stix_ [~stix@firewall.o4.dk] has joined ##openvpn
07:08 < qfr> Hmm def1 isn't working :|
07:08 < qfr> My routes are no longer fixed now that I started using ccd
07:10 < stix_> Hi guys. I have a tunnel established (Initialization Sequence Completed) and the client gets an IP, but pings doesn't work. When I use a br0 device and start it with the start-bridge script, no connection can be made. But if I don't use the start-bridge script the tunnel gets established. Still no pings go through. Where should I go from here?
07:14 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
07:15 -!- flok420 [folkert@keetweej.vanheusden.com] has joined ##openvpn
07:25 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
07:25 -!- mode/##openvpn [+o mattock] by ChanServ
07:44 -!- dazo_afk is now known as dazo
07:52 -!- stix_ [~stix@firewall.o4.dk] has quit [Read error: Connection reset by peer]
07:52 -!- stix_ [~stix@firewall.o4.dk] has joined ##openvpn
08:09 < stix_> Why does it say "TUN/TAP device tap2 opened" when it should be tap0 ?
08:09 -!- lobbin [~c331ac91@gateway/web/freenode/x-gdfxmiwnczydyxkx] has quit [Quit: Page closed]
08:39 < stix_> anyone alive in here?
08:42 < ecrist> yep, people are alive
08:43 < ecrist> why do you think it should be tap0?
08:43 < ecrist> !logs
08:43 < ecrist> !configs
08:43 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
08:43 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
09:06 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
09:32 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
09:34 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 276 seconds]
09:36 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
09:57 -!- stix_ [~stix@firewall.o4.dk] has quit [Quit: Ex-Chat]
10:00 -!- Berlinermauer [~5d5ef58a@gateway/web/freenode/x-wruwudvrmlajsnpz] has joined ##openvpn
10:01 < Berlinermauer> Hey guys, i have a problem: the openvpn tap driver doesnt seems to be signed in order to work with my x64
10:01 < Berlinermauer> it says:Der Gerätetreiber für diese Hardware kann nicht geladen werden. Der Treiber ist möglicherweise beschädigt oder nicht vorhanden. (Code 39)  "The Devicedriver for this Hardware could not be loaded. The Driver is maybe corrupt or not existing"
10:02 < Berlinermauer> thats what i get when i look into the devicemanager, and click on the with an exclamation marked TAP Driver
10:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:07 < ecrist> Berlinermauer: driver signing costs lots of money
10:07 < ecrist> it's not going to be signed.
10:08 < Berlinermauer> ok, is there any way to get it working on my x64 System?
10:09 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:09 < ecrist> yes, just install it
10:09 < ecrist> it works fine, despite not being signed.
10:09 < ecrist> lots of folks are using it.
10:12 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
10:12 < theDoc> o/
10:13 < ecrist> hello, theDoc 
10:16 < Berlinermauer> The Problem is, i cannot use it it means: 
10:16 < Berlinermauer> * it say
10:16 < Berlinermauer>  Tue May 18 17:16:33 2010 CreateFile failed on TAP device: \\.\Global\{9DA0ED57-ED34-420F-B487-347D9271437B}.tap Tue May 18 17:16:33 2010 All TAP-Win32 adapters on this system are currently in use.
10:18 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:23 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
10:23 < Berlinermauer> Or do i have the 32bit Driver installed *duck*
10:23 < Berlinermauer> wtf
10:23 < Berlinermauer> penVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
10:24 < ecrist> Berlinermauer: try 2.1.1
10:24  * ecrist point to /topic
10:25 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
--- Log closed Tue May 18 10:32:03 2010
--- Log opened Tue May 18 10:32:10 2010
10:32 -!- ecrist_ [~ecrist@kenny.secure-computing.net] has joined ##openvpn
10:32 -!- Irssi: ##openvpn: Total of 100 nicks [3 ops, 0 halfops, 0 voices, 97 normal]
10:32 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 246 seconds]
10:32 -!- disco- [disco@andromeda.h4xed.com] has quit [Ping timeout: 246 seconds]
10:32 -!- gevaerts [~fg@rockbox/developer/gevaerts] has left ##openvpn []
10:32 -!- Irssi: Join to ##openvpn was synced in 44 secs
10:33 -!- no_maam [~no_maam@gate.cdc.informatik.tu-darmstadt.de] has quit [Ping timeout: 246 seconds]
10:33 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 246 seconds]
10:33 -!- disposable [disposable@blackhole.sk] has quit [Ping timeout: 246 seconds]
10:33 -!- timburke [tim@ip197.67-202-95.static.steadfast.net] has quit [Ping timeout: 245 seconds]
10:33 -!- BashLogic [~BashLogic@NS1.Kielletty.net] has quit [Ping timeout: 260 seconds]
10:33 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has quit [Ping timeout: 246 seconds]
10:33 -!- BashLogic [~BashLogic@NS1.Kielletty.net] has joined ##openvpn
10:33 -!- You're now known as ecrist
10:34 -!- disposable [disposable@blackhole.sk] has joined ##openvpn
10:35 -!- jfkw_ [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:35 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:36 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
10:37 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Ping timeout: 252 seconds]
10:37 -!- timburke [tim@ip197.67-202-95.static.steadfast.net] has joined ##openvpn
10:39 -!- chantra [~chantra@ns22757.ovh.net] has joined ##openvpn
10:39 < Berlinermauer> now it works i had the really old version
10:40 < chantra> hi all, I was wondering if a plugin will receive the OPENVPN_PLUGIN_CLIENT_DISCONNECT "signal" only when a client disconnect
10:40 < chantra> or also when a client got idle for some time?
10:41 < Berlinermauer> why don't you try it? 
10:41 < Berlinermauer> btw: http://pastebin.com/Ha5Ub8Tk Do I have to care?
10:41 < chantra> by idle i mean that his ip link went down for instance and server do not receive ping/keep alive anymore
10:42 < Berlinermauer> hm i think it is so, otherwise there would be a dead connection, blocking the maxconnections after a time when you have a bad internet
10:42 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
10:42 < chantra> Berlinermauer: sounds like it is openvpn is not run as admin in your pastebin.... but i did not get the beginning of the conversation :p
10:43 -!- no_maam [~no_maam@gate.cdc.informatik.tu-darmstadt.de] has joined ##openvpn
10:43 < Berlinermauer> yeah i just started openvpngui does it automaticall run openvpn as admin too? 
10:43 < chantra> nope
10:44 < chantra> Berlinermauer: on window > XP you need to modify the launcher to run it as admin
10:44 < dazo> chantra: good question re: OPENVPN_PLUGIN_CLIENT_DISCONNECT ... I'll check some of my code
10:45 < chantra> dazo: tks
10:45 < chantra> I was going to try it out, but if somebody got it on top of its head, better :)
10:48 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Ping timeout: 276 seconds]
10:48 < dazo> chantra: from what I can see, OPENVPN_PLUGIN_CLIENT_DISCONNECT is called when the clients disconnects - or that the connection is dropped somehow ... then after a while, when OpenVPN figures the client won't try to reconnect, OPENVPN_PLUGIN_LEARN_ADDRESS will be called, with "delete" as the first argument 
10:49 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Ping timeout: 265 seconds]
10:49 -!- Berlinermauer [~5d5ef58a@gateway/web/freenode/x-wruwudvrmlajsnpz] has quit [Quit: Page closed]
10:49 -!- disco- [disco@andromeda.h4xed.com] has joined ##openvpn
10:49 < dazo> it quite some interaction between OPENVPN_PLUGIN_CLIENT_CONNECT, OPENVPN_PLUGIN_CLIENT_DISCONNECT and OPENVPN_PLUGIN_LEADN_ADDRESS ... with different states to the latter one, indicating if the client is alive or not
10:50 < dazo> (f.ex. OPENVPN_PLUGIN_LEARN_ADDRESS is only called when the first packet hits the tunnel after OPENVPN_PLUGIN_CLIENT_CONNECT is called)
10:51 < chantra> dazo: tks
10:51 < dazo> chantra: you're welcome
10:51 -!- KnightWhoSaysNi [~evaldo@freenode/staff/udontknow] has quit [Remote host closed the connection]
10:52 -!- KnightWhoSaysNi [~evaldo@freenode/staff/udontknow] has joined ##openvpn
10:52 -!- Some-body_ [~Vetinari@delta.cluenet.org] has joined ##openvpn
10:55 -!- Some-body_ is now known as DarthGandalf
10:55 -!- DarthGandalf [~Vetinari@delta.cluenet.org] has quit [Changing host]
10:55 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
11:02 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Quit: Bye]
11:06 -!- KnightWhoSaysNi [~evaldo@freenode/staff/udontknow] has quit [Ping timeout: 600 seconds]
11:10 < chantra> dazo: i can confirm
11:10 < chantra> doing a ctrl-c from linux openvpn client
11:10 < dazo> chantra: :)  Good to hear, then I don't remember wrong, and I understood my code correctly :-P
11:10 < chantra> after 5min (-10sec) the plugin receive a disconnect
11:10 < chantra> dazo: :)
11:11 < chantra> actually, it also seems that learn_address in plugin context is only adding IP
11:11 < chantra> while in scripting context it is used for add/update/deete
11:11 < dazo> chantra: it should call learn_address after disconnect, with "delete" as the argument
11:11 < chantra> dazo: yop
11:11 < chantra> i typed to fast :)
11:11 < dazo> chantra: but I've not really got the exact scheme for when "update" is called
11:12  * dazo wonders if that's related to a reconnect before timeout
11:12 < chantra> in my case, it was received after 2min30
11:13 < chantra> meaning after disconnect
11:13 < chantra> but, dumping the environment variable, it was empty
11:13 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
11:15 -!- jfkw_ [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Remote host closed the connection]
11:15 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
11:15 < chantra> dazo: if that can interest you:
11:15 < chantra> http://pastebin.org/248659
11:16 < chantra> so, i received client_connect , then learn_address right after
11:16 < chantra> then, I canceled the client and 5 min later, I received client_disconnect 
11:17 < chantra> 2min30 later, learn_address , but totally empty
11:17 -!- macsppadic [~sonupunno@88.211.55.77] has left ##openvpn []
11:18 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
11:19 < dazo> chantra: with learn_address you don't get much in environment variables ... you get only argv[] in delete mode, that tricked me!
11:20 < dazo> and when using TAP, you get the clients MAC address as an argument ... but not sure what you get with TAP now
11:23 -!- Brayn [~Brayn@89.39.174.245] has quit [Ping timeout: 276 seconds]
11:26 -!- openvpn2009 is now known as Guest12047
11:26 -!- Guest12047 is now known as openvpn2009
11:30 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
11:31 < chantra> dazo: indeed i am using tun
11:32 < dazo> chantra: I think you only dump the environment table ... in your example ... so I'd try to dump out argv as well
11:34 < chantra> yop, good point, i missed that one, but I would have thought it would be the same for any func_v1 call once the plugin was initialized
11:34 -!- KnightWhoSaysNi [~evaldo@freenode/staff/udontknow] has joined ##openvpn
11:38 -!- Irssi: ##openvpn: Total of 94 nicks [3 ops, 0 halfops, 0 voices, 91 normal]
11:42 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Ping timeout: 240 seconds]
11:43 < chantra> dazo: tks a million for the drive through ;)
11:44 < chantra> saved me loads
11:45 -!- terje [~terje@h-74-0-231-178.dnvtco56.static.covad.net] has joined ##openvpn
11:45 < dazo> chantra: you're welcome! :)
11:46 < terje> Hi, I'm setting up an OpenVPN server. Actually that's done. I'm using 172.16.0.0/24 as the network the clients/server talk over. Server side, there is an inteface on the 192.168.1.0/24 network and I'd like clients to be able to see and talk to that network.
11:46 < terje> I've pushed a route to the clients for 192.168.1.0/24 through the tunnel
11:47 < terje> but clients are unable to ping anything on that network.
11:47 < ecrist> client-to-client in your config?
11:47 < terje> no
11:47 < terje> I'll try that.
11:49 -!- KnightWhoSaysNi [~evaldo@freenode/staff/udontknow] has quit [Ping timeout: 615 seconds]
11:49 < terje> no love on client-to-client
11:49 < ecrist> terje: I misunderstood
11:49 < ecrist> client-to-client gets you contact between vpn clients
11:50 < terje> that's what i figured
11:50 < terje> :)
11:50 < ecrist> I'm guessing you're missing return path routing on the 192.168.1.0/24 subnet
11:50 < ecrist> also, that's a poor choice of subnet to use.
11:50 < ecrist> !1918
11:50 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
11:50 < terje> agree, that wasn't my choice
11:51 < ecrist> ok, just so you're aware that will break everyone that tries to connect from a home lan that uses that address space
11:51 < terje> k
11:52 < terje> i wonder then, if I just used 192.168.1 rather than 172.16.0 if that would just flatten it out and things would start working
11:52 < terje> worth a shot
11:53 < ecrist> if you're going to do that, you need to use TAP
11:55 < terje> oh ok
11:56 < terje> Why is that?
11:58 < ecrist> because you can't route a subnet to another subnet by the same number
11:58 < ecrist> you can't route two 192.168.1.0/24 subnets to eachother
12:06 -!- sYsk [~a@117.136.12.148] has joined ##openvpn
12:08 < terje> yea, I was hoping that they'd appear as a single subnet
12:08 < terje> if I make the default route for the 192.168.1.0/24 network the interface on my openvpn server (192.168.1.75)
12:09 < terje> I can at least ping the hosts on the 192.168.1.0 network from VPN clients
12:09 < terje> which is a step in the right direction
12:09 < terje> tcp connections are failing howerver
12:19 -!- Berlinermauer [~59f79052@gateway/web/freenode/x-pijlnjhgrbgozrih] has joined ##openvpn
12:19 < ecrist> terje: if you use TAP, it will be a bridged network, and it will all appear as one network.
12:20 < Berlinermauer> Hey guys i have some problems with the static ips in openvpn. Im not able to ping the client from the server, and from the server im not able to ping the client. In the Config i set: ifconfig 10.8.0.1 10.8.0.2, so the server is 10.8.0.1 and in the client i inverted the ip's
12:20 < Berlinermauer> what do i have to change on top of that if i want to use static ips?
12:21 < krzee> Berlinermauer, server ALWAYS has static ips
12:21 < krzee> !static
12:21 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
12:21 < krzee> !configs
12:21 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
12:23 < Berlinermauer> ah k, so it seems that i did left out the push, because i thought, that this defines the subnet, so that 10,8,0,0, -> 10.8.0.0. - 10.8.0.255
12:23 < krzee> lol, if that made sense to you... cool
12:23 < krzee> you should prolly pastebin your comments as my bot said
12:24 < krzee> err
12:24 < krzee> your configs without comments
12:24 -!- Brayn [~Brayn@188.27.65.99] has joined ##openvpn
12:25 -!- dazo is now known as dazo_afk
12:26 -!- mirco [~mirco@p5B23A8F2.dip.t-dialin.net] has joined ##openvpn
12:33 < Berlinermauer> http://pastebin.com/Kg4MkEN2
12:34 < krzee>    - Unknown paste ID, it may have expired or been deleted!
12:34 < krzee> THE SITE IS IN READ-ONLY MODE AS WE ARE CURRENTLY MOVING HOSTER, SOME PASTES MIGHT BE MISSING FOR A FEW HOURS!
12:34 < krzee> try pastebin.ca
12:35 < Berlinermauer> ok
12:35 < Berlinermauer> http://nopaste.info/f7a63792cc.html
12:35 < Berlinermauer> i used this because at .ca i got timeout
12:36 < krzee> cool
12:36 < krzee> always use full paths in your configs
12:36 < krzee> remove ifconfig 10.8.0.1 10.8.0.2
12:37 < krzee> see --server in manual for why
12:37 < krzee> remove the ifconfig from your client as well
12:37 < krzee> (--server also explains that)
12:37 < krzee> client should have full paths too
12:37 < krzee> !winpath
12:37 < vpnHelper> krzee: Error: "winpath" is not a valid command.
12:38 < krzee> !factoids search path
12:38 < vpnHelper> krzee: "path" is always use full paths in your config file, it makes things easier
12:39 < krzee> Remember on            #
12:39 < krzee> # Windows to quote pathnames and use            #
12:39 < krzee> # double backslashes, e.g.:                     #
12:39 < krzee> # "C:\\Program Files\\OpenVPN\\config\\foo.key"
12:40 < hyper_ch> hmmm..... more Windows stuff?
12:40 < krzee> !learn winpath as Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key"
12:40 < vpnHelper> krzee: Joo got it.
12:40 < krzee> !winpath
12:40 < vpnHelper> krzee: "winpath" is Remember on Windows to quote pathnames and use double backslashes, e.g.: C:\Program Files\OpenVPN\config\foo.key
12:40 < krzee> damn bot eats quotes
12:40 < krzee> !forget winpath
12:40 < vpnHelper> krzee: Joo got it.
12:41 < krzee> !learn winpath as Remember on Windows to quote pathnames and use double backslashes, e.g.: \"C:\\\\Program Files\\\\OpenVPN\\\\config\\\\foo.key\"
12:41 < vpnHelper> krzee: Joo got it.
12:41 < krzee> !winpath
12:41 < vpnHelper> krzee: "winpath" is Remember on Windows to quote pathnames and use double backslashes, e.g.: \"C:\\\\Program Files\\\\OpenVPN\\\\config\\\\foo.key\"
12:41 < krzee> hah
12:41 < krzee> !forget winpath
12:41 < vpnHelper> krzee: Joo got it.
12:41 < krzee> screw it
12:42 < ecrist> !winpath
12:42 < vpnHelper> ecrist: Error: "winpath" is not a valid command.
12:42 -!- sYskk [~a@117.136.12.219] has joined ##openvpn
12:42 -!- sYskk [~a@117.136.12.219] has quit [Changing host]
12:42 -!- sYskk [~a@unaffiliated/syskk] has joined ##openvpn
12:43 < krzee> hehe \\ turned into \ but \\\\ stays \\\\ and "'s disappear but \" stays \"
12:43 -!- Serideru [~GTWebster@24-117-150-192.cpe.cableone.net] has quit [Ping timeout: 264 seconds]
12:43 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
12:43 < ecrist> krzee: let me do it the hard way
12:43 < krzee> direct in the db?
12:43 < ecrist> aye
12:43 < krzee> Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key"
12:43 < krzee> thx =]
12:44 < Berlinermauer> the Path's are only necessary if the auth doesnt work or?
12:44 < krzee> Berlinermauer, 
12:44 < krzee> !path
12:44 < vpnHelper> krzee: "path" is always use full paths in your config file, it makes things easier
12:44 < krzee> thats there from much experience
12:44 < krzee> you may not be having a problem at the moment, you may later... and you'll be confused because it used to work
12:45 < krzee> and the error wont be a simple "hey i cant find your files"
12:45 -!- sYsk [~a@117.136.12.148] has quit [Ping timeout: 246 seconds]
12:45 < ecrist> !learn winpath as place_holder
12:45 < vpnHelper> ecrist: Joo got it.
12:45 -!- KnightWhoSaysNi [~evaldo@freenode/staff/udontknow] has joined ##openvpn
12:45 < krzee> hey hey freenode staff in the house!
12:46 < krzee> ;]
12:47 < |Mike|> do you know him krzee ? ;)
12:47 < krzee> seen him around
12:47 < |Mike|> u don't know him? *gees* 
12:47 < |Mike|> </joke>
12:47 < krzee> do i know you...?
12:47 < |Mike|> freenode/staff/udontknow <--
12:47 < krzee> oh, lol
12:47 < ecrist> !winpath
12:48 < vpnHelper> ecrist: "winpath" is (#1) place_holder, or (#2) Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key"
12:48 < |Mike|> krzee: yeah, i know some guy called chris 
12:48 < hyper_ch> forget *win* :)
12:48 < krzee> !forget !winpath 1
12:48 < vpnHelper> krzee: Error: There is no such factoid.
12:48 < krzee> !forget winpath 1
12:48 < vpnHelper> krzee: Joo got it.
12:48 < krzee> !winpath
12:48 < vpnHelper> krzee: "winpath" is Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key"
12:48 < krzee> perfect
12:48 < krzee> ^5 @ ecrist 
12:48 < ecrist> :)
12:49 < ecrist> insert into factoids (key_id,added_by,fact) VALUES(253,'ecrist','Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key"');
12:49 < krzee> nice
12:49 < Berlinermauer> hm, im not able to ping the server, though i removed the entries. Windows says that the Network device is only local
12:50 < krzee> oh win7?
12:50 < krzee> repaste your configs, lets see you changed them correctly
12:52 < Berlinermauer> i just commented out the two ifconfigs, and replace the paths
12:55 < Berlinermauer> openvpn says everytime that my ip has been assigned to 10.8.0.6 but i configured it to be .2 ?!
12:55 < krzee> !/30
12:55 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
12:56 < krzee> first client is .6 then .10 .14 .18 etc
12:56 < krzee> unless you use
12:56 < krzee> !topology
12:56 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
12:56 < Berlinermauer> ok now it works
12:57 < qfr> push "redirect-gateway def1" stopped working since I started using CCD, no matter where I put it :(
12:58 < krzee> qfr, they are unrelated, but you can use it in client config without push as well
12:58 < krzee> it doesnt HAVE TO be pushed
12:58 < qfr> Yeah I tried it there, too
12:58 < krzee> !configs
12:58 < qfr> Still doesn't modify the routing table
12:58 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
12:59 < krzee> be sure you are starting as root
12:59 < qfr> I just used the default script
12:59 < qfr> Provided by Arch Linux
12:59 < ecrist> still need to start as root
13:00 < krzee> ya its not like that script will elevate permissions if you dont run it as root
13:00 < qfr> Well, it is launched by the root
13:00 < krzee> and the configs...?
13:00 < qfr> I shall post them, sec
13:01 -!- KnightWhoSaysNi [~evaldo@freenode/staff/udontknow] has quit [Read error: Operation timed out]
13:02 -!- KnightWhoSaysNi [~evaldo@freenode/staff/udontknow] has joined ##openvpn
13:05 -!- bandini [~bandini@host103-109-dynamic.41-79-r.retail.telecomitalia.it] has joined ##openvpn
13:07 < qfr> krzee: http://siyobik.info/index.php?module=pastebin&id=456
13:07 < qfr> redirect-gateway def1 in the client config :[ routing table wrong
13:07 < qfr> It doesn't even a default route, I am puzzled
13:07 < qfr> Usually it's 3 entries
13:08 < Berlinermauer> now im able to ping the server but windows says that network device (the TAP device) would be Local
13:10 < krzee> tls-auth ta.key 0
13:10 < krzee> !path
13:10 < vpnHelper> krzee: "path" is always use full paths in your config file, it makes things easier
13:10 < krzee> thats not your problem, but im telling you what i see
13:11 -!- sYskk [~a@unaffiliated/syskk] has quit [Ping timeout: 260 seconds]
13:11 < krzee> ifconfig-push 10.0.0.3 10.0.0.1
13:11 < krzee> erm
13:11 < krzee> !static
13:11 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
13:12 < Berlinermauer> !ccd
13:12 < vpnHelper> Berlinermauer: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
13:12 < qfr> Netmask :O
13:14 < qfr> krzee: I restarted both services - routing table didn't change
13:14 < qfr> The tun0 IP is wrong now, too
13:14 < qfr> Oh err, no it's not
13:15 < krzee> lets see client log 
13:15 < qfr> Where is it stored?
13:15 < qfr> I don't see anything in /var/log
13:16 < qfr> It's all daemonised
13:16 < krzee> if your OS script starts it in the backgroun with daemon it goes through syslog
13:16 < qfr> Oh boy
13:16 < krzee> check messages
13:16 < krzee> and full path your ta.key on both sides
13:16 < krzee> oh wait no
13:16 < krzee> sorry i forgot you have cd
13:16 < krzee> thats good
13:17 < krzee> there were made by my confgen, werent they
13:17 < krzee> these*
13:17 < qfr> Yes
13:19 < qfr> SIOCADDRT: File exists
13:19 < qfr> Tue May 18 20:19:06 2010 us=888330 ERROR: Linux route add command failed: external program exited with error status: 7
13:20 < krzee> that route exists already, why have you not posted your log file yet...?
13:20 < qfr> Odd, now the route is correct
13:20 < krzee> lol
13:21 < qfr> Wtf now it works when I run it with the normal script, too
13:21 < qfr> This is just odd
13:21 < qfr> I didn't even change anything in the config
13:21 < qfr> On either side
13:21 < krzee> maybe it had to do with your bad static ip
13:22 < krzee> yes you did
13:22 < krzee> you fixed your ifconfig-push
13:22 < qfr> Well I already restarted them both after I did that
13:22  * qfr rhugs
13:23 < qfr> shrugs even
13:34 -!- pmatulis [~peter@64.34.151.178] has joined ##openvpn
13:36 < pmatulis> i have a untrusted client i want to connect to.  however, they must (policy) connect to my vpn server first.  is there any way then to connect back to the client?
13:36 < krzee> only is they dont use nobind
13:37 < krzee> if*
13:37 < pmatulis> krzee: can you elaborate?
13:37 < krzee> and if they are not behind a NAT (or have port forwarding enabled)
13:37 < pmatulis> krzee: i'm sure they are behind a NAT.  it's a large organization
13:38 < krzee> then nope, no way
13:38 < pmatulis> krzee: routing or bridging modes do not play a role here?
13:38 < krzee> nope
13:39 -!- KaiForce [~chatzilla@adsl-70-228-114-90.dsl.akrnoh.ameritech.net] has joined ##openvpn
13:42 < qfr> krzee do I need to give 10.0.0.1 to the server in the config? Or does OpenVPN always use the first address in the address space by default?
13:43 < krzee> qfr, read --server in the manual
13:44 < krzee> but yes, it takes .1
13:44 < qfr> Ok
13:45 -!- ScoobyDoo [~zack@91.108.16.243] has joined ##openvpn
13:45 < ScoobyDoo> Can someone walk me through how to setup openvpn?
13:46 < krzee> !confgen
13:46 < vpnHelper> krzee: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
13:46 < krzee> !howto
13:46 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:46 < krzee> the bash confgen can make your configs, the howto will help you make the certs
13:47 < ScoobyDoo> Once I get it setup and and get a someone connected, What operations can I do? Just control hes desktop?
13:47 < krzee> !vpn
13:47 < vpnHelper> krzee: "vpn" is http://openvpn.net/index.php/documentation/faq.html#tunnel-principal
13:47 < krzee> read that
13:49 -!- ScoobyDoo [~zack@91.108.16.243] has quit [Client Quit]
14:02 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
14:05 -!- Berlinermauer [~59f79052@gateway/web/freenode/x-pijlnjhgrbgozrih] has quit [Quit: Page closed]
14:05 < qfr> Tue May 18 21:03:31 2010 us=793733 Cannot load private key file perelman.key: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
14:05 < qfr> Tue May 18 21:03:31 2010 us=793765 Error: private key password verification failed
14:05 < qfr> Oh boy
14:06 < krzee> you set a pw on your key, and typed it in wrong
14:06 < qfr> I just used ./build-client perelman
14:06 < qfr> Never typed in a password :|
14:06 < qfr> Left it empty
14:12 < qfr> Please enter the following 'extra' attributes
14:12 < qfr> to be sent with your certificate request
14:12 < qfr> A challenge password []:
14:12 < qfr> failed to update database
14:12 < qfr> TXT_DB error number 2
14:13 < qfr> Huh >:O
14:13 -!- Rolybrau [~Rolybrau@24-158.79-83.cust.bluewin.ch] has joined ##openvpn
14:13 -!- Rolybrau [~Rolybrau@24-158.79-83.cust.bluewin.ch] has quit [Changing host]
14:13 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
14:14 -!- stix [~stix@x1-6-00-1e-2a-87-8d-aa.k1.webspeed.dk] has joined ##openvpn
14:16 -!- pmatulis [~peter@64.34.151.178] has quit [Quit: leaving]
14:16 < qfr> This time it worked
14:16 < qfr> Odd, I didn't change anything
14:20 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
14:20 < qfr> Tue May 18 21:20:14 2010 us=644396 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
14:21 < qfr> tun0 is actually down.
14:21 < qfr> What the hell.
14:21 < qfr> WWWWWWWWWWWWWWWWWWWWWWWWWWWWTue May 18 21:21:14 2010 us=905002 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
14:21 < qfr> Tue May 18 21:21:14 2010 us=905042 TLS Error: TLS handshake failed
14:21 < qfr> Oh, right, it just took some time
14:23 < qfr> [root@perelman ~]# ifconfig tun0
14:23 < qfr> tun0: error fetching interface information: Device not found
14:23  * qfr puzzled
14:24 < ecrist> is openvpn running?
14:24 < qfr> ecrist yes
14:24 < ecrist> is it set up to auto-create the tunnel interface?
14:25 < ecrist> is it using tun0, and not tun1, tun2, etc?
14:25 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 240 seconds]
14:25 < qfr> Oh the conf says dev 0
14:26 < qfr> Err dev tun*
14:26 < qfr> Not tun0
14:26 < qfr> But it's still not ifconfig'able
14:26 < qfr> [root@perelman openvpn]# ifconfig tun
14:26 < qfr> tun: error fetching interface information: Device not found
14:27 < qfr> I just copied the config from my other VM really
14:27 < qfr> Renamed the config
14:27 < qfr> Generated new keys
14:27 < qfr> New ta.key
14:27 < qfr> This is puzzling
14:27 -!- googleman [~Reactor16@41.105.85.20] has joined ##openvpn
14:28 < googleman> hi all
14:28 < qfr> Tue May 18 21:27:06 2010 us=827777 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
14:28 < qfr> Tue May 18 21:27:06 2010 us=827792 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
14:29 < googleman> krzie
14:29 < googleman> u here ?
14:30 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
14:30 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
14:30 < qfr> Ok here's the problem
14:30 < qfr> Tue May 18 21:30:26 2010 Authenticate/Decrypt packet error: packet HMAC authentication failed
14:30 < qfr> Tue May 18 21:30:26 2010 TLS Error: incoming packet authentication failed from blah
14:31 < qfr> That's in the server console
14:31 < googleman> it should keys error or sertificate 
14:31 < qfr> Oh, the ta.key is shared? I am stupid
14:31 < googleman> mybe
14:31 < qfr> I generated a new one :|
14:32  * qfr hits his own face
14:34 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:35 < qfr> Victory, it works
14:35 < qfr> it's embarrassing how I make such mistakes over and over again although I already have working setups haha
14:36  * ecrist agrees
14:36 < qfr> Interesting - when I ping a local box in the VPN it isn't actually routed through my remote OpenVPN server - the ping is 0.2 ms
14:36 < qfr> So they know about each others IPv4s?
14:36 < qfr> The global ones?
14:36 < ecrist> what's a traceroute show, qfr?
14:37 < qfr> Oh, nevermind, it does go through the server
14:37 < qfr> I actually misspelled the IP.
14:37  * qfr more facepalm
14:37  * ecrist isn't sure how to misspell a number
14:37 < jpalmer> foive
14:38 < ecrist> jpalmer!
14:38 < jpalmer> ecrist!
14:38 < ecrist> may I pm?
14:38 < jpalmer> sure thing
14:38 < qfr> Curiously the ping to my local other VPN endpoint is 38 ms
14:38 < qfr> But the ping to the server is 19 ms
14:38 < qfr> twice the RTT through the VPN?
14:39 < qfr> Can you actually restrict clients to a certain IP using ccd + ifconfig-push?
14:39 < qfr> Or can they still choose freely even with that?
14:39 < qfr> Because I'd like to do some iptables magic on some of their static IPs
14:39 < qfr> But if they can evade it it's no use
14:54 -!- googleman [~Reactor16@41.105.85.20] has quit []
14:56 < krzie> [12:42]  <qfr> Can you actually restrict clients to a certain IP using ccd + ifconfig-push?
14:56 < krzie> sure
14:56 < krzie> have you tried evading it?
14:57 < qfr> Nope, krzie
14:57 < krzie> well shouldnt you do that before asking?
14:59 < qfr> If I didn't make it work it might still be possible
14:59 < qfr> But anyways, that's good news
15:00 < qfr> Anyways, I shall start using OpenVPN for like everything
15:00 < qfr> I just realised it's actually less work than messing with my dynamic DNS crap etc when I'm gone from home
15:00 < krzie> im not 100% sure about your setup whether they can or not
15:00 < qfr> Just need to use passwords on the keys on my non-home clients
15:00 < krzie> but i AM 100% sure that without topology subnet, they can NOT
15:01 < qfr> Well I do use subnet :/
15:01 < krzie> i know
15:01 < krzie> which is why i said that
15:02 < qfr> Now, on to making it work on Windows
15:02 < krzie> if you dont use topology subnet, be sure to understand the /30 nature of clients
15:02 < qfr> Huh? /30?
15:02 < krzie> so first ip is .6 then .10 .14 .18 etc
15:02 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:02 < qfr> Whaat
15:02 < krzie> default topology is net30
15:02 < krzie> !/30
15:02 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
15:03 < krzie> you have topology subnet, which makes it able to use .2 .3 .4 etc
15:03 < qfr> I am puzzled, I am currently using 10.0.0.1 (server), 10.0.0.2 (desktop), 10.0.0.3 (notebook), .4 for VM#1, .5 for VM#2
15:03 < qfr> !topology
15:03 < vpnHelper> qfr: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
15:04 < qfr> Well I'm using that
15:04 < krzie> right
15:04 < krzie> and thats good, i use it too
15:04 < krzie> im just saying, i know 100% that net30 wont allow ips to be changed by the client
15:05 < krzie> im not 100% if they can or not with topology subnet
15:06 < qfr> I tried once but it resulted in everything breaking
15:06 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 276 seconds]
15:06 < qfr> But I just used ifconfig tun 10.0.0.23 or something random
15:06 < qfr> Might cause anything, no idea
15:07 < qfr> Maybe you need to specify it in the conf
15:07 < krzie> you must use the right ips with net30 topology
15:07 < krzie> (when using static ips)
15:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
15:10 < qfr> http://www.google.com/search?num=100&hl=en&safe=off&client=firefox-a&hs=S38&rls=org.mozilla%3Aen-US%3Aofficial&q=intitle%3A%22index+of%22+%22easy-rsa%22&aq=f&aqi=&aql=&oq=&gs_rfai=
15:10 < vpnHelper> Title: intitle:"index of" "easy-rsa" - Google Search (at www.google.com)
15:10 < qfr> Rofl.
15:10 < qfr> http://www.sl-soluciones.com/soporte/originarsa/originarsa/openvpn/easy-rsa/keys/ca.key
15:15 < krzie> wow, that is bad
15:16 < qfr> :D
15:17 < qfr> Is any of the server private files any good without the other files btw?
15:18 < qfr> ca.key, dh1024.pem hmm
15:20 < krzie> ca.key is the cornerstone of PKI
15:21 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:21 < krzie> even if all files on the server are compromised, you just CRL that and make a new server
15:21 < krzie> same for client
15:23 < krzie> but if ca.key is compromised, you must start over with your PKI
15:23 < krzie> which is why my CA doesnt have an internet connection
15:23 < qfr> heh
15:28 < qfr> Tue May 18 22:28:27 2010 us=890000 NOTE: FlushIpNetTable failed on interface [24
15:28 < qfr> ] {D5045634-651B-42D3-BD64-A1C1C8E11601} (status=5) : Access is denied.
15:30 < qfr> Yeah, redirect-gateway def1 is a bad idea
15:30 < qfr> leaks IP when OpenVPN server restarts
15:31 < qfr> Because the old route is restored
15:35 < qfr> Tue May 18 22:35:27 2010 us=608221 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
15:35 < qfr> What o_O
15:51 < qfr> I'm switching to static routing scripts
15:51 < qfr> Letting OpenVPN handle it is risky
15:53 -!- achilles [~achilles@82.166.20.125] has joined ##openvpn
15:54 < achilles> hello, is there a way to integrate openvpn client to web ? I'm looking for a way I can let users connect to my site by starting a web page, like Cisco SSL Remote VPN
15:59 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 260 seconds]
16:06 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
16:06 < qfr> achilles not unless they run a software environment you can customise.
16:08 < achilles> qfr, ah, yes sure it's okay. can you please provide more information ?
16:08 < qfr> Well, you'd have to code that.
16:08 < achilles> hmm .. it looks not possible at the short run then
16:09 < qfr> achilles I have no idea why you would want it though?
16:09 < achilles> I thought it would be easier for people 
16:09 < achilles> and honestly to try something new :)
16:12 < achilles> qfr, anyway thank you very much, perhaps it would be nice to offer it in the coming versions of openvpn
16:12 < qfr> No way
16:12 < achilles> hehe, why ?
16:12 < qfr> It doesn't belong into the package
16:12 < achilles> you against the idea ?
16:12 < qfr> It would upset people
16:12 < qfr> If, at all, it should be a separate proejct
16:12 < qfr> project*
16:13 < achilles> why ? I think people will like it, you open a web, run an application that does the client apart of client installation .. etc
16:13 < qfr> Why would you want a HTTP interface for that...?
16:14 < qfr> A regular application would be superior
16:14 < achilles> sometimes it's not viable for users to install applications
16:14 < qfr> ...I thought you had control over the boxes
16:14 < qfr> Like, an office of 50-100 boxes you administrate
16:15 < qfr> Then it is even more bizarre
16:15 < achilles> yeah but for remote users hard to control and administer 
16:15 < qfr> If you provided an installer everything could be done in one click.
16:15 < qfr> Or two.
16:16 < achilles> one click installing certs and configuration files at clients side ?
16:17 < achilles> maybe I miss something, I request from users to copy their configuration file and cert into /program files/openvpn/config 
16:17 < qfr> You can obviously automatise all of that
16:17 < qfr> In one bundle
16:17 < achilles> wow. how would be ?
16:17 < qfr> Huh? Well, code it
16:18 < qfr> If you aren't a programmer you can pretty much forget about it
16:18 < achilles> hehe, I thought it's already done :D
16:18 < achilles> some feature or something comes with the package
16:19 < achilles> okay that's it, thank you very much
16:20 < qfr> No problem
16:20 < achilles> :)
16:34 -!- stix [~stix@x1-6-00-1e-2a-87-8d-aa.k1.webspeed.dk] has quit [Remote host closed the connection]
16:42 -!- IceD^ [~iced@live.bn.by] has joined ##openvpn
16:43 < IceD^> my problems with openvpn hangups f
16:43 < IceD^> finally solved
16:43 < IceD^> I set sndbuf/rcvbuf to 10MB and now it works
16:44 < IceD^> it smells like bug to me
16:48 -!- takamichi [~pri@78.133.92.164] has quit [Ping timeout: 265 seconds]
16:58 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
17:08 -!- KnightWhoSaysNi [~evaldo@freenode/staff/udontknow] has quit [Read error: Operation timed out]
17:10 -!- KnightWhoSaysNi [~evaldo@freenode/staff/udontknow] has joined ##openvpn
17:15 -!- Brayn [~Brayn@188.27.65.99] has quit [Ping timeout: 260 seconds]
17:20 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
17:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
17:48 -!- graffz [~graffz@unaffiliated/graffz] has joined ##openvpn
17:49 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
17:54 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:00 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 258 seconds]
18:37 < krzie> welp, im gunna make an icon on the iphone springboard you can click, and will allow for connecting/disconnecting from openvpn server
18:37 < krzie> that will come out soon after my iphone gets here
18:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:47 -!- blueboxthief [~None_of_y@83-71-8-221-dynamic.b-ras1.dbn.dublin.eircom.net] has joined ##openvpn
18:55 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
18:56 -!- KnightWhoSaysNi [~evaldo@freenode/staff/udontknow] has quit [Ping timeout: 608 seconds]
18:57 -!- KnightWhoSaysNi [~evaldo@freenode/staff/udontknow] has joined ##openvpn
19:03 < krzie> !iphone
19:03 < vpnHelper> krzie: "iphone" is (#1) http://www.lqx.net/tuntap-iphone.source.tgz for first attempt at getting openvpn on iphone, or (#2) http://github.com/jfx2006/OpenVPN_iphone/downloads for precompiled iphone binaries
19:18 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
19:25 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
19:38 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 246 seconds]
20:02 -!- graffz [~graffz@unaffiliated/graffz] has quit [Ping timeout: 268 seconds]
20:05 -!- theDoc [~jaki@119.73.165.162] has joined ##openvpn
20:07 -!- theDoc_ [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:10 -!- theDoc [~jaki@119.73.165.162] has quit [Ping timeout: 240 seconds]
20:21 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:40 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
20:41 < krzie> woohoo nevermind my iphone dev idea
20:41 < krzie> it exists already!
20:41 < krzie> http://modmyi.com/cydia/package.php?id=15784
20:41 < vpnHelper> Title: ModMyi.com | OpenVpn Toggle for SBSettings (at modmyi.com)
20:42 < krzie> !!iphone
20:42 < vpnHelper> krzie: Error: "!iphone" is not a valid command.
20:42 < krzie> err
20:42 < krzie> !iphone
20:42 < vpnHelper> krzie: "iphone" is (#1) http://www.lqx.net/tuntap-iphone.source.tgz for first attempt at getting openvpn on iphone, or (#2) http://github.com/jfx2006/OpenVPN_iphone/downloads for precompiled iphone binaries
20:43 < krzie> !forget iphone 1
20:43 < vpnHelper> krzie: Error: You don't have the factoids.forget capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
20:43 < krzie> heh
20:43 < jpalmer> krzie: iphone dev idea?
20:44 < krzie> !forget iphone 1
20:44 < vpnHelper> krzie: Joo got it.
20:44 < krzie> !learn iphone as http://modmyi.com/cydia/package.php?id=15784 for the gui portion
20:44 < vpnHelper> krzie: Joo got it.
20:44 < krzie> jpalmer, 
20:44 < krzie> [16:40]  <krzie> welp, im gunna make an icon on the iphone springboard you can click, and will allow for connecting/disconnecting from openvpn server
20:44 < krzie> [16:40]  <krzie> that will come out soon after my iphone gets here
20:44 -!- KaiForce [~chatzilla@adsl-70-228-114-90.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
20:45 < jpalmer> krzie: ahh, scrolled up after I asked.  my bad.
20:45 < jpalmer> krzie: I'm under NDA with apple,  so I can't give full details.  however,  they've asked me for a list of things that I felt the iphone needed to be more "enterprise friendly"    openVPN access in the iphoneOS was on th list.
20:46 < krzie> all that requires from them is tuntap
20:46 < krzie> which already exists for osX
20:46 < krzie> !tuntap
20:46 < vpnHelper> krzie: Error: "tuntap" is not a valid command.
20:46 < krzie> !factoids search tuntap
20:46 < vpnHelper> krzie: "mactuntap" is http://tuntaposx.sourceforge.net/ for osX tuntap drivers
20:47 < jpalmer> well, not exactly.  openvpn is GPL licensed,  so they may be very hesitant to add it, even if they wanted to.
20:48 < krzie> oh right, forgot its not expected to jailbreak
20:48 < krzie> lol
20:48 < jpalmer> right,  I mean "official" apple support ;)
20:49 < theDoc_> I don't see how openvpn being gpl licensed makes it hard for apple. Do they have to pay openvpn or something? :?
20:49 < jpalmer> but I'll say this..   the last time I was asked about enterprise readiness,  two of my suggestions were added to iphoneOS 4
20:49 < theDoc_> I'm not terribly familiar with commercial aspects.
20:50 < jpalmer> theDoc_: under the NDA,  I can't disclose much.  but lets just say..  yes,  Apple is very strict about the licensure of software it adds into iphoneOS
20:50 < theDoc_> jpalmer> It'll be really nice to see openvpn added to the iphone, so I can finally drop my plans of supporting pptp.
20:51 < jpalmer> theDoc_: I added it to the list.  don't get your hopes up.
20:51 < krzie> theDoc_, im sure apple doesnt feel like distributing the openvpn source code and whatnot... if it were BSD license theyd have no problem
20:51 < krzie> i dont use GPL for ANYTHING i do
20:51 < krzie> i go bsd or public domain
20:51 < jpalmer> it's much lower priority than some of the other things I mentioned.  and the licensure thing more than likely effectively kills the idea.
20:51 < theDoc_> Hm.
20:52 < jpalmer> krzie: agreed 100% about your choices ;)
20:52 < theDoc_> jpalmer> It's a real pity. I have to now get my pptp vpn servers going ;(
20:52 < jpalmer> theDoc_: unless you jailbreak, yes.
20:54 < theDoc_> What a bummer.
20:54 < theDoc_> jpalmer> I have an iphone myself but really.. ;p
20:55  * jpalmer was never an iphone fan..  but,  I carry one now for work.  they aren't as bad as I initially thought.
21:05 -!- STF_ [~chatzilla@20-130.stw.uni-duisburg.de] has joined ##openvpn
21:08 -!- STF__ [~chatzilla@dslb-084-061-147-038.pools.arcor-ip.net] has joined ##openvpn
21:08 -!- STF__ [~chatzilla@dslb-084-061-147-038.pools.arcor-ip.net] has quit [Client Quit]
21:10 -!- STF_ [~chatzilla@20-130.stw.uni-duisburg.de] has quit [Ping timeout: 276 seconds]
21:14 < krzie> theDoc_, just jailbreak, lol
21:14 < krzie> !iphone
21:14 < vpnHelper> krzie: "iphone" is (#1) http://github.com/jfx2006/OpenVPN_iphone/downloads for precompiled iphone binaries, or (#2) http://modmyi.com/cydia/package.php?id=15784 for the gui portion
21:22 -!- mimecine [~Adium@cpe-67-250-38-114.nyc.res.rr.com] has joined ##openvpn
21:25 -!- mimecine [~Adium@cpe-67-250-38-114.nyc.res.rr.com] has left ##openvpn []
21:30 < theDoc_> No!
21:30 < theDoc_> ;p
21:34 < krzee> the gpl is kind of funny to me
21:34 < krzee> cause it talks about 'freedom'
21:34 < krzee> but bsd license is more freedom really
21:34 < krzee> bsd license is more or less "do ANYTHING you want with this, just give me my props"
21:44 < jpalmer> and don't sue me
21:44 < krzee> tru
21:44 < jpalmer> I don't want to get into a license discussion.  but my take is:  GPL promises freedom. BSD actually delivers it.
21:45 < krzee> ya thats what i took from it too
21:45 < krzee> 99 people in here
21:46  * krzee waits for someone to join
21:46 < krzee> i dont think ive ever seen this many people in here
21:46 < krzee> it sure has grown
21:47 < krzee> jpalmer, interesting... you have a windows spoof and an apple NDA
21:47 < jpalmer> krzee: I'm a whore.  I get around :P
21:47 < krzee> you get around ;]
21:47 < krzee> damn beat me to it
21:47 < jpalmer> krzee: I'm also a 15 year BSD admin ;)
21:47 < krzee> thats more than me
21:47 < krzee> shit that must have been like version 1 or prior
21:48 < krzee> fbsd3 was my first, and you have a few yrs on me
21:48  * theDoc_ applauds.
21:48 < jpalmer> in a nutshell:  I'm a channop in ##FreeBSD and ##windows, and ##windows-server.  my day job is working for a company that deals with iphones, itouches, and ipads.  we had ipads in the office 5 months before they were announced.
21:48 < krzee> fbsd3 was RELENG about 10 yrs ago
21:49 < krzee> i turned down a free ipad
21:49 < jpalmer> krzee: I still have 4 freebsd 2.2.7 boxes in production, if that tells you anything
21:49 < krzee> lol
21:49 < krzee> in production, lol again
21:50 < jpalmer> well,  not connected to the net.   they run a 1-off point of sale system.   they'll be 2.2.7 until the hardware dies.
21:50 < krzee> ahh
21:50 < ecrist> sup, bitches?
21:50 < jpalmer> who you calling bitches, ho?
21:50 < jpalmer> :P
21:51 < ecrist> krzee: the average population for the last couple months has been ~100
21:51 < krzee> oh cool, i didnt notice
21:51 < jpalmer> krzee: when you get your iphone,    first thing you need to download is "words with friends" the free edition.  then ADD ME!
21:52 < krzee> false, first thing is get openvpn running on it
21:52 < jpalmer> it's a very addicting version of scrabble.
21:52 < jpalmer> openvpn is nowhere near as important as words@
21:52 < jpalmer> get your priorities straight,  jesus
21:52 < krzee> the iphone exists so i get openvpn on it
21:53 < krzee> the boss will be able to see everything he wants from anywhere in the world once i get that rockin
21:53  * theDoc_ applauds krzee.
21:53 < theDoc_> That's exactly what I'm doing too ;p
21:53 < krzee> since i made an internal app that outputs all $ stuff to an internal website
21:53 < ecrist> iphone is lame
21:54 < theDoc_> ecrist> is not.
21:54 < theDoc_> ;p
21:54 < jpalmer> ecrist: I used to agree.
21:54 < krzee> ecrist, if you wanna buy me something else that'll work for me
21:54 < krzee> i like the iphone tho
21:54 < theDoc_> I like it because I can pretend to be an apple fanboy.
21:54 < krzee> except the lamesauce idea that i should only be able to sync with 1 computer
21:54 < ecrist> I'm not a fan of the iP[ad|hone] ecosystem and will not subscribe.
21:54 < theDoc_> krzee> 5.
21:54 < theDoc_> Not 1.
21:54 < krzee> umm
21:54 < krzee> huh?
21:55 < theDoc_> I thought you could sync your iphone to a max of 5 computers or something like that via itunes?
21:55 < krzee> if so, thats very new
21:55 < theDoc_> Well, it works that way for me at least.
21:55 < theDoc_> I'm on the 3gs.
21:56 < krzee> my ipod touch could only sync to 1
21:56 < krzee> wanted to format to sync to a second
21:56 < theDoc_> Yeah, ipod touch is a single machine.
21:56 < jpalmer> theDoc_: you aren't jailbroken, and can sync to 5 computers?
21:56 < ecrist> krzee: all ipods have only been able to sync to one computer
21:56 < ecrist> however, if you're willing to use rsync, you can do it with more. ;)
21:57 < theDoc_> jpalmer> Yeah. Well, let me recheck. :P I jailbroke it a day or two ago and resetted it back to factory.
21:57 < theDoc_> Not sure if that may have caused something to go screwy.
21:57 < jpalmer> theDoc_:  jailbroken phones can sync to more than 1.  stock firmware cannot
21:57 < krzee> reset to factory by going to DFU mode and reloading via itunes?
21:57 < krzee> jpalmer, oh sweet!
21:58 < theDoc_> Yeah.
21:58 < theDoc_> Something like that.
21:58 < krzee> i wanna sync to my laptop, my work machine, and my home desktop
21:58 < jpalmer> krzee: it's a pain in the ass though.  fair warning
21:58 < theDoc_> jpalmer> What is that thing about number of authorized computers that comes up when you plug the iphone into a mac and start itunes up?
21:58 < krzee> not really for music, but for phone numbers and stuff
21:58 < jpalmer> theDoc_: oh,  thats the DRM licensure.
21:58 < theDoc_> Oh, that's a DRM license?
21:59 < theDoc_> Hah, I was under the impression that was for syncing
21:59 < theDoc_> My bad
21:59 < theDoc_> :P
21:59 < jpalmer> theDoc_: it's saying that you can allow up to 5 machines to PLAY drm'd content you buy off the itunes store
21:59 < theDoc_> Ohh.
21:59 < theDoc_> snap:P
21:59  * ecrist sleeps
22:00 < krzee> nite eric
22:00 < jpalmer> ecrist: wait
22:00 < jpalmer> ecrist: is -devel open to all?  and..  the thursday meeting?
22:00 < krzee> yes and yes
22:01 < jpalmer> ok,  going to a baseball game thurs.  but if it doesn't conflict, I'd like to be involved in the meeting chat about the topic ecrist will be bringing up
22:01 < krzee> ooo, whats the topic?
22:02 < jpalmer> something I'd rather discuss privately for now ;)
22:02 < jpalmer> can I /msg?
22:02 < krzee> yes
22:05 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Remote host closed the connection]
22:16 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 265 seconds]
23:01 -!- corretico_ [~laguilar@201.201.46.106] has joined ##openvpn
23:03 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 245 seconds]
23:03 -!- corretico__ [~laguilar@201.201.46.106] has joined ##openvpn
23:04 -!- kunnis [~someone@cpe-70-124-90-148.austin.res.rr.com] has joined ##openvpn
23:04 < kunnis> !welcome
23:04 < vpnHelper> kunnis: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:04 < kunnis> !routes
23:05 < vpnHelper> kunnis: Error: "routes" is not a valid command.
23:05 < kunnis> !route
23:05 < vpnHelper> kunnis: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
23:07 -!- corretico_ [~laguilar@201.201.46.106] has quit [Ping timeout: 276 seconds]
23:08 < kunnis> I'm trying to do what's in !route at work.  We have 2 offices.  One currently has a cisco router, a Domain Controller, windows shares, everything.  We have a satlite office that we're setting up... but the only IT department is a group of programmers, and i'm the unlucky one.
23:09 < kunnis> Will vpn via routing allow all of the AD traffic to flow correctly over the network, or do I need to do ethernet bridging?
23:10 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
23:10 < kunnis> (site to site VPN via routing)
23:10 -!- takamichi [~pri@78.133.92.164] has joined ##openvpn
23:12 -!- corretico__ [~laguilar@201.201.46.106] has quit [Ping timeout: 258 seconds]
23:13 < kunnis> And for the server, the router won't be the primary office router.  What else do I need to do?  Setup a route on the main office router to route satlite office traffic to the openvpn server?
23:15 -!- corretico_ [~laguilar@201.201.46.106] has joined ##openvpn
23:15 -!- mistergibson [~mistergib@97-120-91-175.ptld.qwest.net] has joined ##openvpn
23:17 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 240 seconds]
23:25 -!- notbrien [~notbrien@2002:d052:dd6:0:5ab0:35ff:fef5:7a5f] has joined ##openvpn
23:26 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
23:39 -!- kunnis [~someone@cpe-70-124-90-148.austin.res.rr.com] has quit [Ping timeout: 260 seconds]
23:43 -!- buntfalke_ [~nobody@openvpn-p1-026.triple-a.uni-kl.de] has joined ##openvpn
23:43 -!- buntfalke_ [~nobody@openvpn-p1-026.triple-a.uni-kl.de] has quit [Changing host]
23:43 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
23:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
23:47 -!- corretico__ [~laguilar@201.201.46.106] has joined ##openvpn
23:51 -!- corretico_ [~laguilar@201.201.46.106] has quit [Ping timeout: 268 seconds]
23:52 -!- notbrien [~notbrien@2002:d052:dd6:0:5ab0:35ff:fef5:7a5f] has quit [Quit: notbrien]
23:55 -!- achilles [~achilles@82.166.20.125] has quit [Ping timeout: 246 seconds]
23:56 -!- erosx [~de_la_ghe@adsl-226-84-58.mem.bellsouth.net] has joined ##openvpn
23:57 < erosx> Why doesn't the Ip address OpenVPN assigned me show up on IRC or java/flash stuff? is there is a guide for this somewhere?
23:59 < jpalmer> erosx: do you have the openvpn server acting as your default gateway?
23:59 < erosx> I have no idea, how would i find out? Let's just say i'm so new to this i don't even know what to search in google to help myself
--- Day changed Wed May 19 2010
00:00 < jpalmer> erosx: well,  the "p" in vpn means "private"  as in, not known or accessible by the public internet.  so your private IP isn't going to show up on IRC.
00:00 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
00:01 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
00:01 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has quit [Read error: Connection reset by peer]
00:03 < erosx> you can still see my internet prover and my email on irc though
00:03 < erosx> provider*
00:04 < erosx> I just went into an empty channel with two irc accs(on the same acc) and when i went into the channel the first acc could see the sec acc IP
00:04 < jpalmer> right,  I just told you why
00:05 < theDoc_> erosx> You have a misconfiguration somewhere.
00:05 < jpalmer> the IP given to you by your ISP is *public* and is the one visible to public servers on the internet.  your vPn address is private.  not public
00:05 -!- LumberCartel [~LumberCar@24.86.160.252] has joined ##openvpn
00:06 < erosx> how can i make my private address be my public address as well?
00:06 < theDoc_> You can't.
00:06 < theDoc_> RFC-1918 address are NOT routable over the public internet.
00:07 < LumberCartel> hyper_ch:  Thanks for "pointing" me to The Order Of The Stick.  I'm addicted now, and have read more than 300 episodes.  That's some pretty awesome content!
00:07 < hyper_ch> LumberCartel: hehehe, well, many jokes realy on the dungeon and dragons rulesets but if you done 300 eps, you'll also do the other 398 left :)
00:08 < jpalmer> erosx: I'm not trying to sound like a jerk.  but you may want to read up and understand how tcp/IP and ipv4 addressing work, before getting into VPN's
00:08 < LumberCartel> I'm not planning on stopping after making it this far!
00:08 < LumberCartel> That author is just awesome.
00:09  * LumberCartel is currently about to read episode 391.
00:09 < erosx> I don't really know what i'm trying to say here, but the only example i can think of is: Hot spot shield by anchorfree. The address given to me is used for irc as well because i can get banned in a channel and just turn on hotspot shield and i can go back in
00:09 < theDoc_> erosx> hotspotshield is a horrible horrible piece of software.
00:09 < LumberCartel> hotspotshield is bad?  I've never heard of it before.  Is it SpyWare?
00:10 < erosx> yea, so i was told. A friend said the same thing and reccom. Openvpn
00:10 < jpalmer> erosx: in addition to my above comment..  I'm also going to add..  if you're looking into this to avoid IRC bans..  you may want to consider htrying to be civil and curteous on IRC, so you don't get banned in the first place.
00:11 < erosx> I'm not trying to evade anything, i just want to surf the internet anonymous. and i don't like that people can see my isp on IRC
00:11  * theDoc_ runs an anonymizing service
00:11 < theDoc_> :)
00:11 < theDoc_> On openvpn-access server.
00:11 < erosx> lIKE I SAID, i don't know what i'm trying to say and that was the only exmaple i could think of
00:11 < jpalmer> erosx: simple answer.  google: freenode cloak
00:12 < theDoc_> Such a pain, to get the ssl cert signed.
00:12  * LumberCartel points to RFC 5737 regarding IPv4 address blocks that are reserved as a good one to read also: http://rfc5737.openrfc.org/
00:12 < erosx> i will look into ty jp
00:13 < LumberCartel> Ashamed of your ISP (who I will not mention here)?
00:14 < erosx> yes..
00:14 < erosx> -__- i'm paranoid
00:14 < erosx> i download really freaky doujins, i don't want that getting back to me if some group desides to ring up my old isp to get my docs
00:15 < LumberCartel> Freaky Doujins?  What the heck is that?
00:15 < theDoc_> erosx> the freenode cloak is *NOT* going to encrypt your traffic!
00:15 < theDoc_> It's just going to hide your ip from people on IRC.
00:15 < theDoc_> Your traffic is still going to be in plain text. Just a heads up on that.
00:16 < erosx> What can i do about that?
00:16 < erosx> and lumber doujin is japanese comic books, for.. adults
00:16 < theDoc_> erosx> Encrypt with openvpn. I'd refrain from using pptp, that shit is broken.
00:16 < theDoc_> IPSec is just a pain to configure :P
00:17 < LumberCartel> I like OpenVPN -- it's very easy to configure.
00:17 < LumberCartel> And everything is stored in text files (not the damned Windows Registry which seems to be bi-polar sometimes).
00:18 < theDoc_> lolwindows.
00:18 < jpalmer> I dunno man.  my thought:  if it's something you don't want to get caught doing,  don't do it.
00:18 < erosx> Thedoc, how do i encrypt with openvpn? What's a pptp and a IPSecs
00:19 < erosx> MEH, why not when there's stuff like openvpn?
00:19 < LumberCartel> theDoc_:  You don't laugh as much as other people.  Are you still not fully recovered from the Redmond Syndrome (think "Stockholm Syndrome")?
00:19 < theDoc_> jpalmer> I disagree. What ever I decide to do with my life is really up to me and a 3rd party has no reason sniffing into it, therefore, I encrypt.
00:19 -!- corretico__ [~laguilar@201.201.46.106] has quit [Quit: Leaving]
00:19 < erosx> yup. couldn't have said it better
00:19 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
00:20  * LumberCartel smirks.
00:20 < theDoc_> LumberCartel> I don't know, I've not really used a Windows machine for production work since eons ago :P
00:21 < erosx> is there a guid to encrypting on the forums?
00:21 < theDoc_> erosx> You will need to setup a server somewhere.
00:21 < theDoc_> !howto
00:21 < vpnHelper> theDoc_: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
00:22 < erosx> ty
00:24  * LumberCartel welcomes erosx to OpenVPN, knowing full well that he/she will probably develop a fondness for it after getting it working.
00:25 -!- corretico_ [~laguilar@201.201.46.106] has joined ##openvpn
00:28 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 264 seconds]
00:29 < theDoc_> takamichi> You around?
00:30 -!- erosx [~de_la_ghe@adsl-226-84-58.mem.bellsouth.net] has quit []
00:38 -!- LumberCartel [~LumberCar@24.86.160.252] has quit [Quit: Sign the anti-spam petition: [ http://www.lumbercartel.ca/law/canada/s-220/ ]]
00:39 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
00:51 < tjz> any idea why install Tap32 on win xp system will failed?
00:52 -!- corretico_ [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
00:54 -!- mirco [~mirco@p5B23A8F2.dip.t-dialin.net] has quit [Quit: mirco]
01:12 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
01:15 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:15 -!- mode/##openvpn [+o mattock] by ChanServ
01:15 -!- mistergibson [~mistergib@97-120-91-175.ptld.qwest.net] has left ##openvpn ["Leaving."]
01:21 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Read error: Connection reset by peer]
01:21 -!- Divine_Latin [~de_la_ghe@adsl-226-84-58.mem.bellsouth.net] has joined ##openvpn
01:21 -!- Divine_Latin [~de_la_ghe@adsl-226-84-58.mem.bellsouth.net] has quit [Client Quit]
01:31 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:37 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
01:43 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
02:09 < jnss> http://www.pastie.org/967230
02:09 < jnss> please, that is my configuration file
02:09 < jnss> what is blocking me from connecting to this server and gettting access to an internet linked interface
02:09 < jnss> been at it for days
02:22 < hyper_ch> !tell jnss [welcome]
02:24 < jnss> !redirect
02:24 < vpnHelper> jnss: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
02:24 < jnss> !ipforward
02:24 < vpnHelper> jnss: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
02:24 < jnss> !fbsdipforward
02:24 < vpnHelper> jnss: "fbsdipforward" is is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
02:24 < jnss> word
02:24 < jnss> if thats all i had to dop
02:25 < jnss> !def1
02:25 < vpnHelper> jnss: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
02:26 -!- Brayn [~Brayn@89.39.174.245] has joined ##openvpn
02:27 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Read error: Operation timed out]
02:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:48 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
02:56 -!- macsppadic is now known as B-EATbasher
02:56 -!- Testy2 [~457cc372@gateway/web/freenode/x-rfzvrwwflpahhpih] has quit [Ping timeout: 252 seconds]
03:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
03:22 -!- IceD^ [~iced@live.bn.by] has quit [Ping timeout: 240 seconds]
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:43 -!- theDoc_ [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
03:52 -!- dazo_afk is now known as dazo
03:54 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
04:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:20 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
04:21 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Ping timeout: 240 seconds]
04:21 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
04:25  * theDoc cheers.
04:25 < theDoc> The new cert is in!
04:29 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Read error: Connection reset by peer]
04:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
04:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:36 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Read error: Connection reset by peer]
04:36 -!- theDoc_ [~jaki@unaffiliated/thedoc] has joined ##openvpn
04:38 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
04:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 246 seconds]
04:41 -!- theDoc_ [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
04:45 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
04:45 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
04:52 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Ping timeout: 246 seconds]
04:52 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
05:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
05:12 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Disconnected by services]
05:12 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
05:13 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Client Quit]
05:13 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
05:13 -!- tw [~silverfis@c-98-223-105-100.hsd1.in.comcast.net] has quit [Ping timeout: 276 seconds]
05:14 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
05:14 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
05:14 -!- tw [~silverfis@c-98-223-105-100.hsd1.in.comcast.net] has joined ##openvpn
05:15 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
05:24 -!- sp4rc [sp4rc@194.209.17.162] has joined ##openvpn
05:24 -!- sp4rc [sp4rc@194.209.17.162] has left ##openvpn []
05:24 -!- sp4rc [sp4rc@194.209.17.162] has joined ##openvpn
05:25 < sp4rc> !welcome
05:25 < vpnHelper> sp4rc: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:27 < sp4rc> guys, beyond all security stuff i would like to know if it is possible to build something using mobile ip which already mobile ip (rfc3344) does
05:28 < sp4rc> i mean is it possible to switch between networks ('bind' together via openvpn) without loosing the client ip address?
05:28 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
05:28 < sp4rc> don't know how i can describe this is in more detail... is it clear what i am thinking about?
05:29 < sp4rc> i am thinking of building a vpn using openvpn to do somekind of 'seamless handoff'
05:30  * sp4rc is back in half an hour
05:39 -!- krzie [~k@unaffiliated/krzee] has quit [Ping timeout: 248 seconds]
05:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
05:41 -!- krzie [~k@unaffiliated/krzee] has joined ##openvpn
05:43 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
05:44 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
05:44 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
05:45 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Read error: Connection reset by peer]
05:58 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:07 -!- adies [~adies@213.186.121.4.utel.net.ua] has joined ##openvpn
06:07 < adies> test
06:08 < adies> is there an 'openvpn for dummies' of sorts?
06:08 < adies> for clients
06:11 < adies> one of the ops here gave me instructions that disabled my computers' ability to connect unless I have a firewall open and enabled
06:17 -!- paul_train [~Chip@border0.avitecture.net] has joined ##openvpn
06:19 -!- paul_train [~Chip@border0.avitecture.net] has quit [Client Quit]
06:19 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:23 < sp4rc> anyone here?
06:26 < adies> hi
06:28 < sp4rc> adies, did you have a look at \!welcome?
06:29 < adies> !welcome ?
06:29 < vpnHelper> adies: Error: "welcome" is not a valid command.
06:30 < adies> !welcome
06:30 < vpnHelper> adies: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:32 < adies> !goal
06:32 < vpnHelper> adies: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:32 < adies> !howto
06:32 < vpnHelper> adies: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:34 < adies> sp4rc, I dont know what osi layer 2 and 3 is. Should I start off with some other reading?
06:35 < sp4rc> adies, i would suggest reading this: http://en.wikipedia.org/wiki/Iso_osi
06:35 < vpnHelper> Title: OSI model - Wikipedia, the free encyclopedia (at en.wikipedia.org)
06:36 < sp4rc> especially the 'examples' section should give a quick overview
06:39 -!- alexc [~admin@unaffiliated/alexc] has joined ##openvpn
07:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:07 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
07:19 -!- B-EATbasher is now known as tunnelsppadic
07:21 -!- motd2k [~motd2k@87-194-148-242.bethere.co.uk] has joined ##openvpn
07:21 -!- motd2k [~motd2k@87-194-148-242.bethere.co.uk] has quit [Changing host]
07:21 -!- motd2k [~motd2k@xbmc/staff/motd2k] has joined ##openvpn
07:35 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 246 seconds]
07:42 < sp4rc> are there any other openvpn irc channels where more discussions take place?
07:44 -!- tunnelsppadic is now known as Whandsppadic
07:44 < kala> sp4rc: no, this is it
07:45 < kala> has anyone experimented with dynamic configuration of OpenVPN? Like discovering from DNS, that there's another endpoint to make tunnel to and then on the fly configuring the openvpn client to do that?
07:45 < kala> sp4rc: but you could send the question to mailing-list as well. 
07:46 < sp4rc> kala, good idea, will do that!
07:48 < krzee> kala, dns would do that automatically, --resolv-retry 
07:50 < krzee> --resolv-retry n 
07:50 < krzee> If hostname resolve fails for --remote, retry resolve for n seconds before failing. 
07:50 < krzee> Set n to "infinite" to retry indefinitely. 
07:50 < krzee> By default, --resolv-retry infinite is enabled. You can disable by setting n=0.
07:50 < kala> krzee: yes, but only when you have already configured that endpoint. 
07:50 < krzee> if thats not what you want, youd need a script to handle it
07:51 < kala> script sounds like bad hack, but I suppose it will work
07:51 < krzee> its the only way, openvpn was made for all sides to be pre-configured
07:53 < kala> true
07:53 < kala> I need to come up with a sort of self-configuring, least-effor-management system
07:53 < krzee> i take it your setting up a mesh
07:54 < krzee> you're*
07:54 < kala> yes
07:54 < kala> and when the new node is added to the mesh, other nodes shouldn't require manual reconfiguring
07:55 < kala> the IP-addressing issue comes to mind
07:55 < kala> there are n tunnels from endpoint to other endpoints
07:55 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
07:55 < krzee> all endpoints could hit a db to check what they need to have
07:57 < krzee> they could do dynamic setup / teardown based on the db using a script
07:57 < kala> with transparent IPSEC I wouldn't need complicated IP-addressing plan, but then again, IPSEC itself wouldn't do fault-tolerance networking and I would need to configure some kind of routing protocol beneath the security layer
07:57 < krzee> you need a routing protocol for this too...
07:57 < krzee> !rip
07:57 < vpnHelper> krzee: "rip" is http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting for a writeup on using RIP in openvpn
07:57 < kala> hmm. let me read that
07:57 < krzee> theres a doc on setting up mesh in ovpn using rip
07:57 < krzee> its not a walkthrough, but its handy info
07:58 < kala> uh, you mean that if there's a VPN link from nodeA to nodeB and nodeB to nodeC, then nodeA could talk to nodeC? 
07:59 < krzee> no, but i did make a writeup on that
07:59 < krzee> i called it vpnchains
07:59 < krzee> http://www.secure-computing.net/wiki/index.php/OpenVPN/VpnChains
07:59 < vpnHelper> Title: OpenVPN/VpnChains - Secure Computing Wiki (at www.secure-computing.net)
08:00 < kala> ok, thanks, let me read them and see if I can come up with more specific questions
08:01 < kala> :)
08:01 < krzee> =]
08:08 < krzee> !iphone
08:08 < vpnHelper> krzee: "iphone" is (#1) http://github.com/jfx2006/OpenVPN_iphone/downloads for precompiled iphone binaries, or (#2) http://modmyi.com/cydia/package.php?id=15784 for the gui portion
08:11 < krzee> !mactuntap
08:11 < vpnHelper> krzee: "mactuntap" is http://tuntaposx.sourceforge.net/ for osX tuntap drivers
08:13 -!- CareBear\ [peter@stuge.se] has joined ##openvpn
08:14 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
08:14 < theDoc> raidz> If you're around!
08:14 < theDoc> ;p
08:14 < krzee> (buggs bunny voice) whats up doc
08:14 < theDoc> I have no witty comment to that.
08:15 < theDoc> lol
08:15 < theDoc> It's great, I finally have my new ssl cert.
08:15 < CareBear\> Hello all. I see two very strange problems in an installation of mine. Linux server working fine with many clients. One Win7-64 client can connect successfully but with VPN up DNS lookups fail! The DNS resolver is not change by connecting. Ping to the DNS resolver works. Ping over VPN works. TCP over VPN works. Just DNS lookups fail. What gives?
08:15 < krzee> !pushdns
08:15 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
08:16 < krzee> didnt know the problem exists in win7 64bit... but its an old windows issue
08:16 < krzee> and as normal windows issues, im not surprised it still exists
08:16 < CareBear\> krzee : There are many other clients without issues.
08:16 < CareBear\> I don't really want to push a DNS server.
08:16 < krzee> oh you arent pushing dns?
08:16 < CareBear\> no
08:16 < krzee> then why do you expect resolver to change?
08:16 < CareBear\> I don't
08:17 < CareBear\> I just expect it to work
08:17 < krzee> whats the problem again...
08:17 < theDoc> Which dns server are you using?
08:17 < CareBear\> I'm using a DNS resolver running on the local network
08:17 < krzee> oh, you are redirecting gateway?
08:17 < theDoc> !def1
08:17 < vpnHelper> theDoc: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
08:17 < krzee> you are doing that?
08:18 < theDoc> krzee> I'm wondering if I should write a guide on openvpn + radius/sql 
08:18 < CareBear\> nay, not doing def1
08:18 < CareBear\> (unless it's the default)
08:18 < krzee> theDoc, ild say go for it!!!
08:18 < CareBear\> yes, I do push route-gateway
08:18 < krzee> that was my question
08:19 < krzee> !opendns
08:19 < vpnHelper> krzee: Error: "opendns" is not a valid command.
08:19 < krzee> !dns
08:19 < vpnHelper> krzee: "dns" is (#1) Level3 open recursive DNS server at 4.2.2.1, or (#2) Google open recursive DNS server at 8.8.8.8
08:19 < CareBear\> no opendns thanks :)
08:19 < krzee> try one of those, tell me if it works
08:19 < theDoc> krzee> I'll take a look at writing a guide for the opensource implementation, not for access-server in a week or two, once things settle down.
08:19 < CareBear\> krzee : ok, time for addresses :)
08:19 < adies> sp4rc, there is another one
08:19 < krzee> or if you want, we can make dns still work on the LAN, however, you will be leaking your IP via dns if you do that
08:19 < CareBear\> krzee : (note that all is great if i just start nslookup and make queries)
08:20 < theDoc> krzee> That's not a good idea.
08:20 < CareBear\> let me give some more info about the setup
08:20 < theDoc> It kind of defeats the purpose of a vpn already if you're leaking ips.
08:20 < krzee> just go set it to 8.8.8.8
08:20 < krzee> theDoc, no shit
08:20 < krzee> thats why i mentioned it
08:21 < krzee> CareBear\, go set it to 8.8.8.8 and test if it works
08:21 < CareBear\> hm. "just go set"..
08:21 < CareBear\> the DNS server address is assigned by DHCP
08:21 < theDoc> What?
08:21 < CareBear\> and again works splendidly for all other OpenVPN clients
08:21 < krzee> thats not hard to override, lol
08:21 < CareBear\> no, it's not hard to override
08:21 < CareBear\> question is why win7 needs it
08:21 < CareBear\> (would need it)
08:21 < krzee> !windows
08:21 < vpnHelper> krzee: "windows" is pcs are like air conditioners, they work fine unless you open windows
08:22 < theDoc> lol
08:22 < CareBear\> yes, windows is crap, I know this :)
08:22 < krzee> ;]
08:22 < adies> I have a quick question, do I need to have some background in networking to understand the openvpn site guide?
08:22 < krzee> adies, pretty much
08:22 < theDoc> adies> Yes.
08:22 < krzee> if you dont understand routes and firewalls, you will have quite a bit to learn most likely
08:23 < krzee> adies, 
08:23 < krzee> !goal
08:23 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:23 < theDoc> I found something really weird, a service network restart didn't bring the network card back up.
08:23 < theDoc> Now I have a broken vpn server.
08:23 < theDoc> :|
08:23 < theDoc> I might have typed stop instead of restart though.
08:23 < theDoc> :?
08:23 < krzee> network card needed to go down...? you use bridge mode doc!?
08:23 < adies> Id like to understand ovpn files so I can know what various configuration options do.
08:24 < krzee> !man
08:24 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
08:24 < theDoc> krzee> No, I changed the hostname of the box for an ssl cert which I got.
08:24 < krzee> adies, if you use *nix you can play with my confgen too
08:24 < krzee> !confgen
08:24 < vpnHelper> krzee: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
08:24 < theDoc> and I got hammered when I restarted the network services.
08:24 < theDoc> I'll have to look into it.
08:24 < CareBear\> krzee : I changed the DNS server for the wifi card to 8888, lookups work, changed it back to DHCP, verify that ipconfig -all reports the private resolver IP, lookups (of other names) then start working
08:24 < krzee> you SO dont need to restart anything to change a hostname
08:24 < krzee> literally, you just use the hostname command and handle DNS
08:24 < theDoc> krzee> I don't? :? I've always restarted the service.
08:24 < theDoc> lol
08:25 < theDoc> Oh fuck me. >:(
08:25 < krzee> CareBear\, funny, that sounds like the solution from !pushdns (restart the resolver)
08:25 < krzee> CareBear\, im now guessing dhcp is over the vpn
08:26 < CareBear\> no
08:26 < krzee> *shrug*
08:26 < CareBear\> well, the TAP is assigned an address by server
08:26 < krzee> you use dev tap or dev tun?
08:27 < CareBear\> "Notified TAP-Win32 driver to set a DHCP IP/netmask of ...
08:27 < CareBear\> tap
08:27 < krzee> and DNS is set by dhcp from local lan or over vpn?
08:27 -!- Whandsppadic is now known as macsppadic
08:32 < CareBear\> DNS is set by DHCP on local network, and no DNS server address is pushed to the vpn client
08:34 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
08:34 < CareBear\> one explanation would be that the dns cache can not adjust to the changed route
08:34 < CareBear\> ..it binds to the local interface
08:34 < vpnHelper> New forum entry openvpnforum: Wishlist :: Re: OpenVPN client for the iPhone and iPad :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=10&t=4568&p=5139#p5139>
08:35 < CareBear\> so I could try pushing a route also to the DNS resolver
08:37 < krzee> i would do it regardless, since if you do DNS via lan, you will be leaking your IP via dns
08:37 < krzee> which in most cases is not desired
08:37 < krzee> depending on why you redirect-gateway, of course
08:38 < krzee> if its for anonymity, you dont want to leak your IP
08:38 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
08:38 < CareBear\> I push redirect-gateway def1 when clients are on the local wifi
08:39 < CareBear\> to route internet through a prioritized outbound connection
08:39 < krzee> hrm
08:39 < CareBear\> and it's only then I should push the route to the DNS resolver
08:39 < krzee> you sure you didnt add this to it...
08:39 < krzee> !local
08:39 < vpnHelper> krzee: "local" is a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
08:40 < CareBear\> yes, redirect-gateway def1 is pushed only to clients on wifi
08:40 < CareBear\> checked via ${trusted_ip} in a client-connect script
08:41 < CareBear\> leaking addresses is not a big problem
08:41 < CareBear\> hmm..
08:41 < CareBear\> grr
08:41 < CareBear\> this is a problem
08:42 < CareBear\> the resolver is not on the same subnet
08:42 < CareBear\> but, ok, let's try
08:45 < krzee> time for me to catch a lil more sleep (i hope)
08:47 -!- alexc [~admin@unaffiliated/alexc] has quit [Quit: Lost terminal]
08:48 < CareBear\> no - it still does not work :(
08:49 < CareBear\> restarting the dnscache also does not work
08:50 < CareBear\> nslookup still works fine
08:53 < CareBear\> I was not using ip-win32 dynamic before, but adding it does not help
08:56 < krzee> but setting it to use 8.8.8.8 worked
08:56 < krzee> sounds like you found your solution
08:56 < krzee> lol
08:56 < CareBear\> not really :\
08:57 < CareBear\> if I unset it, it keeps working
08:57 < CareBear\> and, lots of other clients are working
08:59 -!- adies [~adies@213.186.121.4.utel.net.ua] has quit [Quit: Leaving]
09:00 < krzee> also, i never said restarting the cache
09:00 < krzee> i said restarting the resolver
09:00 < CareBear\> true - dnscache was from the thread
09:00 < CareBear\> do you know the service name of the resolver?
09:00 < CareBear\> "resolver" ?
09:01 < krzee> oh it was dnscache in the thread?
09:01 < CareBear\> yes
09:01 < krzee> i guess thats what i meant then
09:01 < krzee> honestly i dont use windows, i figured you meant flushdns
09:02 < krzee> but if this is an issue on a single machine, ild set the dns manually and be done with it
09:02 < krzee> that would be less acceptable for 100 machines, for 1 who cares
09:03 < CareBear\> if it's just one now, it will be another later, and another :)
09:03 < CareBear\> there's about 50 clients
09:03 < krzee> thats a slippery slop fallacy
09:04 < krzee> http://www.nizkor.org/features/fallacies/slippery-slope.html
09:04 < vpnHelper> Title: Fallacy: Slippery Slope (at www.nizkor.org)
09:04 < CareBear\> well, what I did now was to change the DNS resolver address pushed by the DHCP server on local LAN to be directly reachable on the interface
09:05 < CareBear\> LAN interface
09:05 < CareBear\> so that the route and interface used to reach the resolver does not need to change with the VPN connection
09:05 < kala> if openvpn doesn't specify the address on the tunnel, the operating system may be able to negotiate the rfc3927 link-local-addresses (169.254/16) automatically?
09:06 < CareBear\> the tunnel gets an IP address
09:06 -!- d12fk [~heiko@vpn.astaro.de] has quit [Read error: Connection reset by peer]
09:06 < CareBear\> wifi was 172.22.32.0/21
09:06 < CareBear\> DNS 172.22.1.1
09:07 < CareBear\> changing DNS to 172.22.32.1 (the DHCP has that IP on the wifi anyway) means the DNS remains reachable without routing
09:07 < CareBear\> I guess the routing changes were too confusing for the resolver
09:07 < CareBear\> client
09:07 < CareBear\> service
09:07 < CareBear\> dnscache
09:07 < CareBear\> win7 crap :)
09:07 < krzee> oh i guess i didnt dive far enough into your setup
09:08 < CareBear\> I also didn't provide addresses before
09:08 < CareBear\> but this feels right
09:09 < CareBear\> well..
09:09 < CareBear\> there's another issue!
09:09 < CareBear\> :)
09:09 < CareBear\> Vista Home Premium
09:09 -!- d12fk [~heiko@vpn.astaro.de] has joined ##openvpn
09:10 < CareBear\> for one client, server says: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=SE/...
09:10 < krzee> !verifycert
09:10 < vpnHelper> krzee: Error: "verifycert" is not a valid command.
09:10 < CareBear\> hm, let me check the issuer of that
09:10 < krzee> !certverify
09:10 < vpnHelper> krzee: "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
09:15 < CareBear\> yeah no this client cert has not been properly updated
09:21 < Zathraz> Hi. 2005 seems a bit old. Is this still working with current OpenVPN or is there a better alternative to see the status of openVPN in a webpage? http://sourceforge.net/projects/openvpn-web-gui/
09:21 < vpnHelper> Title: OpenVPN Web GUI | Get OpenVPN Web GUI at SourceForge.net (at sourceforge.net)
09:29 < CareBear\> this is amazing. :( the cert on a USB memory is correct. when copied to C: the cert is wrong. :(
09:29 < CareBear\> Zathraz : I use openvpn-gui from openvpn.se
09:30 < CareBear\> (yep, from 2005)
09:30 < Zathraz> openvpn.se is like for Windows
09:30 < theDoc> CareBear\> Are you matching the md5sum of both certs?
09:30 < ecrist> 2.1.1 includes the GUI now
09:31 < Zathraz> I have  2.1~rc11-1
09:31 < CareBear\> theDoc : I'm comparing openssl x509 -noout -text
09:32 < CareBear\> theDoc : file on USB drive correct, "copy f:cert" then running on c: shows data for an old cert with the same name
09:32 < CareBear\> (which I just deleted)
09:32 < CareBear\> wtf!
09:32 < theDoc> Your Wintendo machine has a problem
09:32 < theDoc> !windows
09:32 < vpnHelper> theDoc: "windows" is pcs are like air conditioners, they work fine unless you open windows
09:32 < CareBear\> haha
09:32 < theDoc> lol
09:32 < theDoc> That's your problem sir.
09:38 < CareBear\> :)
09:38 < CareBear\> yes I know
09:38 < CareBear\> but it doesn't help my poor clients
09:39 < theDoc> http://www.youtube.com/watch?v=O2rGTXHvPCQ&feature=related
09:39 < vpnHelper> Title: YouTube - Numb3rs' description of IRC (at www.youtube.com)
09:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
09:49 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
09:50 < CareBear\> okey, the vista problem solved too..
09:51 < CareBear\> reinstalled OpenVPN
09:57 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Ping timeout: 276 seconds]
09:58 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
09:58 -!- macsppadic is now known as WHandsppadic
10:01 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
10:02 < CareBear\> all right - I'm out - thanks for your help!
10:02 -!- CareBear\ [peter@stuge.se] has left ##openvpn []
10:07 -!- sp4rc [sp4rc@194.209.17.162] has quit []
10:12 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
10:13 < Alphanaut> any easy tricks to improve throughput on the vpn?
10:13 < krzie> use udp
10:13 < krzie> check for MTU issues
10:13 < Alphanaut> yah i'm doing that, seems like alot of overhead
10:13 < Alphanaut> ahhh
10:13 < Alphanaut> ok
10:13 < krzie> !mtu
10:13 < vpnHelper> krzie: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
10:15 < Alphanaut> hmm i named my tap device TAP but --dev TAP isn't right, what is it looking for?
10:15 < Alphanaut> interface #?
10:15 < theDoc> tap0 most probably.
10:15 < Alphanaut> ahh
10:16 < krzie> oh
10:16 < krzie> well thats another thing
10:16 < Alphanaut> hmm no mtu test with the vpn up eh?
10:16 < theDoc> Why are you using tap instead of tun?
10:16 < krzie> tun has less overhead than tap
10:16 < theDoc> Any particular reason?
10:16 < krzie> so thats another way to improve your throughput
10:16 < theDoc> Hm, my SP seems to be rate limiting me quite severely.
10:16 < Alphanaut> hmm cause i couldnt get tun to work
10:17 < theDoc> Alphanaut> tun/tap are just interfaces, it's more likely it's your config.
10:17 < Alphanaut> and i think in my case tap is right (according to what i've read)
10:18 < Alphanaut> ok mtu test, one sec
10:18 < theDoc> Alpa> Where did you read that tap is right for your case?
10:19 < jnss> what errors does this conf file have http://www.pastie.org/967230
10:19 -!- Alphanaut_ [~Alphanaut@c-68-50-164-107.hsd1.md.comcast.net] has joined ##openvpn
10:20 < theDoc> jnss> What is not working?
10:21 < jnss> cant use the clients tun0 to connect to the vpn machine
10:21 < jnss> like ssh, or ping
10:21 < jnss> is there anything obvious in there that might be keeping that from happening?
10:22 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Ping timeout: 240 seconds]
10:22 -!- Alphanaut_ is now known as Alphanaut
10:22 < theDoc> Yes.
10:22 < theDoc> !nat
10:22 < vpnHelper> theDoc: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
10:23 < theDoc> !linnat
10:23 < vpnHelper> theDoc: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
10:23 < theDoc> !forward
10:23 < vpnHelper> theDoc: Error: "forward" is not a valid command.
10:23 < theDoc> Hm
10:23 < theDoc> !factoids
10:23 < vpnHelper> theDoc: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
10:23 < theDoc> !linipforward
10:23 < vpnHelper> theDoc: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
10:24 < jnss> i on freebsd
10:24 < jnss> im on that.'
10:24 < jnss> okay so  its iptabls
10:24 < theDoc> Look into that.
10:27 -!- WHandsppadic [~sonupunno@88.211.55.77] has left ##openvpn []
10:29 -!- winter [q3@game.satkol.pl] has joined ##openvpn
10:29 -!- Alphanaut [~Alphanaut@c-68-50-164-107.hsd1.md.comcast.net] has quit [Ping timeout: 240 seconds]
10:30 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 252 seconds]
10:31 < winter> hello i've made an openvpn connection of a client mashine with a server on my home local area network to have a possibility of playeing a game on lan cause my home bridge seems to be rejecting this possibility
10:31 < theDoc> !goals
10:31 < vpnHelper> theDoc: Error: "goals" is not a valid command.
10:31 < theDoc> !welcome
10:31 < vpnHelper> theDoc: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:32 < theDoc> !goal
10:32 < vpnHelper> theDoc: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:32 < winter> the mashines are 'seeing' eachothers (pings, nmaps, whatever can be done easly) but still those games are 'invisible' to eachother
10:32 < winter> and i don't have a clue 
10:33 < theDoc> !configs
10:33 < vpnHelper> theDoc: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
10:33 < motd2k> !firewall
10:33 < vpnHelper> motd2k: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
10:33 -!- Alphanaut [~Alphanaut@c-68-50-164-107.hsd1.md.comcast.net] has joined ##openvpn
10:33 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
10:33 < winter> ok, configs,one moment
10:34 < Alphanaut> so aside from just saying "tun" is better, how should i choose tap or tun?
10:34 < Alphanaut> tap already works but the thruput is crap
10:34 -!- Braynid [~Brayn@host247.213-244-172.ixs.dedigate.com] has joined ##openvpn
10:34 < Alphanaut> like 90% overhead
10:34 < winter> server http://pastebin.org/254495
10:35 < theDoc> Use udp as a protocol
10:35 < theDoc> also, dev tun
10:35 < theDoc> not  dev tap
10:36 < winter> i used it earlier also
10:36 -!- Brayn [~Brayn@89.39.174.245] has quit [Ping timeout: 240 seconds]
10:36 < winter> it's my second configuration of another try
10:36 < theDoc> !tcp
10:36 < vpnHelper> theDoc: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
10:36 < winter> i used tcp also
10:36 < winter> udp*
10:37 < Alphanaut> if i switch from tap to tun am i going to have to completely change my configs?
10:37 < Alphanaut> aside from tap to tun?
10:37 < Alphanaut> sounds like it
10:37 < theDoc> I don't know, I'm not familiar with games over openvpn. Not sure what that entails.
10:38 < theDoc> Alphanaut> Just change the dev tap to dev tun
10:39 < winter> ok thanks for help
10:39 < Alphanaut> we'll see, just changed it on client and server, server is in MA, i am in MD so we will see if i can connect :)
10:41 -!- KaiForce [~chatzilla@adsl-70-228-114-90.dsl.akrnoh.ameritech.net] has joined ##openvpn
10:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
10:42 -!- winter [q3@game.satkol.pl] has left ##openvpn []
10:42 -!- winter [q3@game.satkol.pl] has joined ##openvpn
10:44 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
10:44 < jnss> http://www.isgsp.net/freebsd/freebsd-openvpn.html
10:44 < vpnHelper> Title: OpenVPN under FreeBSD (at www.isgsp.net)
10:44 < jnss> this seems to help
10:45 < jnss> dudes, i shouild just try this on linux
10:47 < theDoc> ecrist/krzee is good at this fbsd thing.
10:47 < theDoc> Look for them for help.
10:48 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:49 < krzie> whoever wrote that howto should check out ssl-admin as an easy-rsa replacement
10:49 < krzie> they should also learn about portinstall
10:49 < krzie> he says they are bash scripts, then he calls them via sh, lol
10:50 < krzie> this is why i frown upon most howtos found by google...
10:50 -!- Alphanaut [~Alphanaut@c-68-50-164-107.hsd1.md.comcast.net] has quit [Ping timeout: 260 seconds]
10:51 < theDoc> lmao.
10:51 < krzie> he says to add gateway_enable, but fails to point out that you only sometimes need that (it enables ip forwarding)
10:51 < theDoc> krzee> Have you tried searching for freeradius howtos on google?
10:51 < krzie> nope, never cared about freeradius
10:51 < theDoc> fuck, I just want to beat the living daylights out of people when I have to search for a tutorial on freeradius
10:51 < theDoc> Most of the things on it is from '03.
10:51 < theDoc> >:|
10:52 < krzie> Edit /usr/local/etc/openvpn/openvpn.conf enough to get tunelling going
10:52 < krzie> Leave it at that if you want
10:52 < krzie> lol
10:52 < krzie> this guy needs my confgen
10:52 < krzie> he used bridge cause he couldnt figure out routing
10:52 < krzie> why do people like this make writeups at all!>?!?@#$
10:52 < krzie> hes just going to lead more people to lame setups
10:53 < theDoc> lmao.
10:53 < theDoc> bridging over routing?
10:53 < theDoc> routing is like point and go.
10:53 < krzie> then they come here and we hafta convince them to start over, which is normally the hardest part of helping them
10:53 < theDoc> bridging is more complex.
10:53 < krzie> "Because of the routing pain, I then tried Bridge
10:53 < krzie> OpenVPN's scripts do not automatically create the bridge device
10:53 < krzie> I could not find a solution
10:53 < krzie> Based on some reading, I made a startup script to build the bridge at startup
10:53 < krzie> So far so good, It's probably a bad hack, maybe someone will help me out here"
10:54 < krzie> lol
10:54 < krzie> jnss, do you know who that guy is? he should come talk to me
10:54 < theDoc> lmao
10:54 < krzie> ill get him up the right way damn near instantly, all he needs is !ssl-admin and !confgen
10:54 < krzie> he did so much more work than needed
10:55 < winter> ok seems that i wont get help with it over here
10:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
10:55 < theDoc> krzee> is it correct that tun doesn't support bridging?
10:55 < krzie> winter, what was your issue?
10:55 < krzie> theDoc, no tun supports bridging
10:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:55 < winter> being unable to play warcraft over vpn or my poor homemade bridge
10:56 < krzie> oh, ya im not much help with bridging, but some others here are
10:56 < theDoc> His config has a problem.
10:56 < theDoc> Using tap for bridging in that tutorial
10:56 < winter> i mean i can ping or nmpa those virtual devices, the network exists but the games are unconnectivable
10:57 < krzie> theDoc, tun cant support bridging because tun is layer3, tap is layer2
10:57 < krzie> bridging requires layer2
10:57 < theDoc> Oh.
10:57 < theDoc> snap.:)
10:57 < krzie> winter, you tried tcpdump/wireshark to see whats not making it over?
10:57 < winter> not yet
10:59 < winter> ok, emerging wireshark
10:59 < krzie> emerging?
10:59 < krzie> gentoo?
10:59 -!- Brayn [~Brayn@89.39.174.245] has joined ##openvpn
10:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
10:59 < krzie> you should be fine with tcpdump anywhere but windows
10:59 < krzie> windows you need wireshark
10:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:00 < theDoc> You can just do tcpdump -X -i interface_name host host_ip
11:00 < theDoc> or something to that extend.
11:01 < winter> i prefere gtk interface for it
11:01 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
11:02 < winter> and what should i be looking for
11:02 < winter> that sucks, i'll go play golf
11:03 < theDoc> You'll be looking for the traffic going to the machine hosting the game and the response.
11:03 -!- Braynid [~Brayn@host247.213-244-172.ixs.dedigate.com] has quit [Ping timeout: 264 seconds]
11:04 -!- Brayn [~Brayn@89.39.174.245] has quit [Ping timeout: 276 seconds]
11:05 < winter> in a moment
11:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
11:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:10 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
11:11 < winter> which interface i shoud sniff?
11:13 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
11:13 < winter> i can see no packets going trough tun devices
11:14 < winter> only trough my physical interface
11:20 < krzie> tun device you said?
11:20 < krzie> you cant do bridge over tun
11:20 < krzie> !configs
11:20 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
11:21 < krzie> i saw one of your configs, but promply ignored it because you didnt remove the comments
11:21 < krzie> im not reading 100 lines of comments to see 15 lines of config
11:21 < winter> yeah but i've changed the config now
11:22 < Bushmills> comply or suffer :)
11:22 < winter> openvpn would'nt start in that way
11:22 < theDoc> Did you create your tap device?
11:22 < winter> i've got 2 tun devices now
11:23 < winter> and configs to work with tun devices
11:24 < winter> is it possible for an application (warcraft on wine) to work only with my eth0 interface?
11:24 < winter> cause seems that the packets are going only trough eth0
11:25 < krzie> not sure, but its very unlikely any lan gaming will work with tun
11:25 < krzie> tun is layer3 (IP) only
11:25 < krzie> tap is layer2 only
11:25 < winter> OK..
11:25 < krzie> im basically the tun nazi, im ALWAYS telling people to not use tap
11:25 < krzie> lan gaming is an exception tho
11:26 < krzie> that usually requires tap
11:26 < krzie> when you are sniffing, does it look like IP traffic or layer2 that your game is trying to use...?
11:26 < krzie> layer2 being something destined for a mac address
11:26 < winter> ok i have to go anyway
11:27 < winter> thanks for attencion
11:27 < winter> have a nice day
11:27 -!- winter [q3@game.satkol.pl] has left ##openvpn []
11:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
11:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
11:41 < theDoc> Great.
11:41 < theDoc> I must have typed the wrong command.
11:41 -!- mirco [~mirco@p5B23F8B8.dip.t-dialin.net] has joined ##openvpn
11:57 -!- SkyHAPPY [~SkyB0x@212.235.177.25] has joined ##openvpn
11:58 -!- SkyHAPPY [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
11:58 -!- Brayn [~Brayn@188.27.65.99] has joined ##openvpn
12:24 < hyper_ch> good evening channel
12:24 < krzie> good morning hyper_ch 
12:25 < ecrist> good afternoon
12:25 < hyper_ch> you live all in the wrong timezone
12:25 < hyper_ch> krzie: btw, you're in the carribean, right?
12:25 < krzie> sure am
12:26 < hyper_ch> krzie: do you have a wodden leg, a hook for your left arm, an eye patch and a parrot on your shoulder?
12:26 < krzie> all of the above
12:26 < hyper_ch> cool :)
12:26 < ecrist> well, actually, he has a parrot for a left arm and a hook on his shoulder
12:26 < hyper_ch> and you often say Arrr?
12:26 < krzie> haha
12:27 < krzie> hyper_ch, i kinda mix it up... ace ventura and pirate... arrrrrrighty then
12:27 < hyper_ch> so you get an ace ventura hair style?
12:27 < krzie> no hair style, i wear a pirate hat
12:28 < hyper_ch> do all people look like you in the carribean?
12:28 -!- dauergast [~sag@188-193-136-54-dynip.superkabel.de] has joined ##openvpn
12:30 -!- roentgen [~arthur@miranda/user/roentgen] has joined ##openvpn
12:38 -!- roentgen [~arthur@miranda/user/roentgen] has left ##openvpn ["Leaving."]
12:42 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Ping timeout: 252 seconds]
12:43 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
12:46 < theDoc> g'night folks!
12:46 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
12:50 -!- mirco [~mirco@p5B23F8B8.dip.t-dialin.net] has quit [Read error: Connection reset by peer]
12:50 -!- mirco [~mirco@p5B23F8B8.dip.t-dialin.net] has joined ##openvpn
12:56 < krzie> hyper_ch, no
12:56 < hyper_ch> :)
12:57 < krzie> hey ecrist, i just figured out how im getting my MBP for free
12:57 < krzie> well i figured it out a little bit ago to be honest
12:57 < hyper_ch> offering sexual pleasures to Steve Jobbs?
12:58 < krzie> i saved up almost enough for it, now im going to bet it all on a fight where they got the line WAYYYYY wrong
12:58 < krzie> i handicap UFC fights
12:58 < ecrist> nice
12:59 < ecrist> I have a URL so you can get a gov't discount, too
12:59 < krzie> my guy should be a -300 favorite, they have the line +150 underdog
12:59 < krzie> im already getting corporate discount
12:59 < krzie> my buddy is a unix admin for them
13:00 < krzie> he gets 1 discount / yr, im getting his this yr
13:00 < krzie> its a fatty 25%
13:00 < hyper_ch> how many bears do you have to treat him for that?
13:00  * krzie thinks you mean beers
13:00 < krzie> (i hope)
13:01 < hyper_ch> well, I already had too mean bears today... so I can't really type anymore ;)
13:01 < krzie> if i bring him a bear ill prolly lose my discount
13:01 < krzie> (and my friend)
13:01 < hyper_ch> bear / beer... it's all the same
13:02 -!- dazo is now known as dazo_afk
13:09 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
13:16 -!- dauergast [~sag@188-193-136-54-dynip.superkabel.de] has quit [Quit: Moralisten sind Leute, die sich da kratzen, wo's andere juckt!]
13:17 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
13:24 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
13:33 -!- yakub [~www-data@unaffiliated/yakub] has joined ##openvpn
13:42 < ecrist> krzie: that's more than I would have gotten you, I think.
13:43 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Read error: Connection reset by peer]
13:45 < ecrist> my discount is only a few hundred bucks
13:45 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 252 seconds]
13:45 < ecrist> I think the $800 ram upgrade was only $600, and the laptop itself was $200 off
13:46 < krzie> i do appreciate the offer tho
13:46 < krzie> for sure
13:46 < krzie> oh i meant 20%... sounds about the same
13:46 < krzie> instead of $3000 it'll be $2500
13:47 < krzie> 17" with all the upgrades (except ssd, which im doing myself aftermarket)
13:48 < krzie> getting the ssd upgrade through them is a bad idea... ild rather take their 500gb HD (upgraded to 7200 rpm) and replace the dvd-rw with an intel ssd
13:48 < ecrist> I ended up with the 15" for portability
13:49 < ecrist> i7, 8GB, 500GB SATA 7200rpm, glossy screen
13:56 -!- blueboxthief1 [~None_of_y@83-71-8-221-dynamic.b-ras1.dbn.dublin.eircom.net] has joined ##openvpn
13:56 -!- blueboxthief [~None_of_y@83-71-8-221-dynamic.b-ras1.dbn.dublin.eircom.net] has quit [Read error: Connection reset by peer]
14:03 -!- no_maam [~no_maam@gate.cdc.informatik.tu-darmstadt.de] has quit [Ping timeout: 246 seconds]
14:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
14:05 -!- no_maam [~no_maam@gate.cdc.informatik.tu-darmstadt.de] has joined ##openvpn
14:13 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
14:18 < krzie> right on
14:18 < krzie> ya ill be rockin 8gb / i7 as well
14:18 < krzie> but im gunna get a ssd for the OS
14:19 < krzie> and ill use 4gb of the ram as a ramdrive for tempfiles to stay off the ssd
14:28 -!- Googleman [~reacting@41.105.78.200] has joined ##openvpn
14:28 < Googleman> hi all
14:32 < ecrist> hello
14:32 < Googleman> krzie, 
14:32 < ecrist> krzie: what do you plan on doing with all that horsepower?
14:32 < Googleman> what's up bro
14:34 < redfox> ecrist: just havin it =)
14:34 -!- mirco [~mirco@p5B23F8B8.dip.t-dialin.net] has quit [Quit: mirco]
14:39 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
14:52 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
15:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
15:12 < krzie> redfox is correct
15:12 < krzie> i just plan on using it
15:12 -!- Kniggedigge [~Knigge@g228199211.adsl.alicedsl.de] has joined ##openvpn
15:13 < krzie> nothing overly special
15:13 < Kniggedigge> hi everyone
15:13 < krzie> my current MBP is getting ready to bite the dust... this will replace it and should be plenty for another 6 yrs or so
15:13 < Kniggedigge> can anyone give me some help, configuring openvpn on an ubuntu linux an mac snow leopard system ?
15:14 < krzie> Kniggedigge, where are you stuck, what is your goal?
15:14 < krzie> or have you started yet?
15:15 < Kniggedigge> hi krzie i configured the server.conf, client.conf and created all keys, i like to create a full tunnel but i dont know why it does not work...
15:15 < krzie> !configs
15:15 < Kniggedigge> im using openvpn on the mac...
15:15 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
15:15 < krzie> what do you mean by "full tunnel"
15:15 < krzie> !goal
15:15 < vpnHelper> krzie: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:18 < Kniggedigge> http://pastebin.com/E3jN1yRh
15:18 < krzie> read this again, then repost how it says to
15:18 < krzie> !configs
15:18 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
15:19 < krzie> i will never understand why those instructions seem difficult to people
15:19 < Kniggedigge> i mean a bridged-ethernet if this is the right description; if i connect to my vpn i like to put all the traffic trough it
15:19 < Kniggedigge> oh sry
15:19 < Kniggedigge> one moment pls
15:19 < krzie> ok so you want this
15:19 < krzie> !redirect
15:19 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
15:19 < krzie> right?
15:20 < Kniggedigge> yes thats right
15:20 < krzie> server is linux?
15:20 < Kniggedigge> do i also have to delete the ; lines in the pastebin ?
15:21 < krzie> you use linux and osx, just use the command given to you in !configs
15:21 < krzie> grep -vE '^#|^;|^$' <config_file>
15:21 < Kniggedigge> k all right
15:22 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 240 seconds]
15:22 -!- motd2k [~motd2k@xbmc/staff/motd2k] has left ##openvpn []
15:23 -!- Kniggedigge_ [~Knigge@f048245151.adsl.alicedsl.de] has joined ##openvpn
15:23 < Kniggedigge_> sry krzie my router is trash
15:25 < Kniggedigge_> there you are
15:25 < Kniggedigge_> http://pastebin.com/9m3QzyJn
15:25 < krzie> whoa
15:26 -!- Kniggedigge [~Knigge@g228199211.adsl.alicedsl.de] has quit [Ping timeout: 246 seconds]
15:26 -!- Kniggedigge_ is now known as Kniggedigge
15:26 < krzie> why bridging??
15:26 < krzie> you just wanna redirect over vpn, right?
15:26 < krzie> no special layer2 protocol needed or anything?
15:26 < Kniggedigge> cause i thought i need it to make a "full tunnel" sry im just getting started with linux and openvpn :)
15:26 < krzie> tun is for layer3 (IP traffic)
15:27 < krzie> tap is for ethernet traffic
15:27 < krzie> you only need ip traffic for redirecting over vpn
15:27 < krzie> try this:
15:27 < krzie> !confgen
15:27 < vpnHelper> krzie: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
15:27 < krzie> it will make your configs for you =]
15:27 < krzie> use the same certs you already made
15:27 < krzie> the server is linux, correct?
15:27 < Kniggedigge> ok ill try but i like to understand what im doint
15:27 < Kniggedigge> doing sry
15:27 < Kniggedigge> yes thats righ
15:27 < Kniggedigge> t
15:28 -!- mirco [~mirco@p5B23F8B8.dip.t-dialin.net] has joined ##openvpn
15:28 < krzie> if you wanna understand what you're doing, once you have those configs, read the manual on every single command in each config
15:28 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
15:28 < krzie> but basically, you need to start over
15:28 < krzie> my config generator will put you on the fast track
15:28 < krzie> then you will need to setup NAT and ip forwarding on your linux box
15:28 < krzie> !linnat
15:28 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
15:28 < krzie> !linipforward
15:28 < vpnHelper> krzie: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
15:29 < Kniggedigge> ook ill see what i can do :)
15:29 < krzie> i believe my config generator tells you that too tho
15:32 < Kniggedigge> how do i run your script ?
15:34 -!- Alphanaut [~Alphanaut@mail.ridecj.com] has joined ##openvpn
15:35 < krzie> just run ./confgen (as it says at the top of every file if you take a look)
15:35 < Kniggedigge> i already tried but it doesnt work i also unzipped the files
15:35 < krzie> erm
15:35 < Kniggedigge> do i have to be in a certain directory to do this ?
15:35 < krzie> unzipped?
15:36 < krzie> ya, the directory in the tgz
15:36 < Kniggedigge> ah ok i dont have to unzipp the file ?
15:36 < krzie> tar -zxf <file>
15:36 < krzie> since its not a zip...
15:36 < Kniggedigge> no i meant to untar :)
15:36 < Kniggedigge> ;)
15:37 < Kniggedigge> i thought unzip you can use with all compressed archives :)
15:37 < krzie> did it extract a directory...?
15:37 < Kniggedigge> yes
15:37 < Kniggedigge> openvpn-conf
15:37 < krzie> did you enter it!?
15:38 < Kniggedigge> yes i did an i also read the .sh file where it says how to run the script...
15:38 < Kniggedigge> :)
15:38 < krzie> lol this is the furthest into nooblandia ive traveled since the early-mid 90's
15:38 < Kniggedigge> :P
15:38 < Alphanaut> hmm i see this in the output: link-mtu 1542,tun-mtu
15:38 < Alphanaut> shoudnt those two mtu's match?
15:38 < Alphanaut> er tun-mtu 1500
15:38 < Alphanaut> and link-mtu 1542
15:38 < krzie> Alphanaut, sounds like you have a valid reason to play with mtu settings...
15:39 < Alphanaut> :)
15:39 < Alphanaut> even if i didnt i would :)
15:39 < Kniggedigge> i didnt do any scripting until now...
15:39 < krzie> Kniggedigge, enter the command prompt
15:39 < krzie> run the script
15:41 < Kniggedigge> im trying :) 
15:42 < krzie> from the dir, in command prompt, ./confgen.sh
15:42 < Kniggedigge> oh gosh i'm a real noob :D
15:44 < Alphanaut> hahah i changed tap to tun earlier today and now i cant connect anymore
15:44 < Alphanaut> wtf
15:44 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 240 seconds]
15:45 < Kniggedigge> so the vpn gives out a new ip subnet or how do i have to understand this ?
15:47 < krzie> yes, new subnet for the vpn
15:48 < krzie> feel free to use the default
15:48 < krzie> Alphanaut, 
15:48 < krzie> !configs
15:48 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
15:53 -!- Alphanaut_ [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
15:53 -!- Kniggedigge_ [~Knigge@f048142159.adsl.alicedsl.de] has joined ##openvpn
15:55 -!- Kniggedigge [~Knigge@f048245151.adsl.alicedsl.de] has quit [Ping timeout: 252 seconds]
15:55 -!- Kniggedigge_ is now known as Kniggedigge
15:56 -!- Alphanaut [~Alphanaut@mail.ridecj.com] has quit [Ping timeout: 264 seconds]
15:56 -!- Alphanaut_ is now known as Alphanaut
15:57 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
15:58 < Kniggedigge> i wonder why i cant copy the file to the server, although i chmod 777 the file
15:58 < Kniggedigge> ... oO
15:59 < krzie> i think you need a lot more than ##openvpn
15:59 < krzie> you need general unix/networking knowledge =/
15:59 < Kniggedigge> yes i'm hardly trying to get it :D
16:00 < Kniggedigge> :P
16:01 < Kniggedigge> didnt you began one time or were you born with your knowledge :p
16:02 < krzie> i sure did, but honestly there was little hand holding involved, i remember spending many nights reading both the freebsd handbook and the man pages for every file in $PATH i could find
16:03 < Kniggedigge> uuh freaky :P :)
16:03 < krzie> just saying, setting up a vpn has prerequisites in understanding your OS (read: knowing how to use it) and networking
16:04 < Kniggedigge> yes i know but starting with a working samba server, vdr, etc is also a goal ;)
16:04 < Bushmills> Kniggedigge: the server you try to copy to doesn't care what permissions you set the file to before copying
16:04 < krzie> you should probably know how to run a script before trying such advanced goals ;)
16:04 -!- Alphanaut_ [~Alphanaut@68-244-216-82.pools.spcsdns.net] has joined ##openvpn
16:05 < Bushmills> permissions describe for example whether you can read it at all (needed prior to copying)
16:05 < krzie> yay Bushmills is here!
16:05  * krzie hides
16:05 -!- KaiForce [~chatzilla@adsl-70-228-114-90.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
16:05 < krzie> tag you're it!
16:05 < Kniggedigge> maybe not nessesarily :P
16:05 < Bushmills> ah, the evening shift :)
16:05 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Ping timeout: 240 seconds]
16:05 -!- Alphanaut_ is now known as Alphanaut
16:05 < Kniggedigge> yes i know so far bushmills, i also chmod +x the file on my local system but when i ls -l it, i get an @ behind the rights... ?
16:06 < Googleman> how i can forward all trafic to throught vpn server i have venet0 interface
16:06 < Bushmills> x doesn't affect whether you may or may not copy it
16:06 < Googleman> ?
16:07 < Bushmills> !redirect
16:07 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
16:07 < krzie> the @ is apple specific, ls -l@ will show the special apple permission, note: this is not the problem
16:07 < Googleman> !nat
16:08 < vpnHelper> Googleman: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
16:08 < Kniggedigge> ah ok so where can i set a permission to copy ? is it based on the local configuration or the config of my samba server ? :)
16:08 < Bushmills> in terms of copyability of a file, openvpn is not much more than a network cable between two ethernet cards
16:08 < Bushmills> don't blame the wire
16:08 < krzie> Kniggedigge, this channel is for openvpn, your samba server and file permissions are not on topic
16:08 < Googleman> anyone tried on vps ?
16:08 < krzie> (unless Bushmills feels like helping with it)
16:08 < Kniggedigge> ...
16:09 < Bushmills> i new next to nothing about samba
16:09 < Googleman> hi krzie 
16:09 < Bushmills> know
16:09 < Bushmills> seems to be only needed when a windows machine is involved somewhere, which isn't the case in my setups
16:10 < Bushmills> !windows
16:10 < vpnHelper> Bushmills: "windows" is pcs are like air conditioners, they work fine unless you open windows
16:10 < Bushmills> ah, something like that
16:10 < Kniggedigge> :D
16:11 < Googleman> when i give     iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
16:11 < Googleman> iptables: No chain/target/match by that name
16:11 < Googleman> what's problem here ?
16:13 < krzie> Bushmills, does NAT need to be compiled in separately in linux?
16:13 < krzie> cause thats my guess for Googleman's error
16:13 < Bushmills> can be compiled into, but usually it is loaded as module
16:13 < Bushmills> conntrack
16:14 < Bushmills> ah. no. if name not match, support has been loaded
16:14 -!- Brayn [~Brayn@188.27.65.99] has quit [Ping timeout: 260 seconds]
16:15 < Bushmills> -t nat.  ... hm.   try to  modprobe nf_nat  and/or  modprobe nf_conntrack
16:15 -!- mistergibson [~mistergib@97-120-91-175.ptld.qwest.net] has joined ##openvpn
16:15 < mistergibson> !welcome
16:15 < vpnHelper> mistergibson: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:17 -!- Googleman [~reacting@41.105.78.200] has quit [Ping timeout: 246 seconds]
16:17 -!- Googleman [~reacting@41.105.9.46] has joined ##openvpn
16:18 < Googleman> re hi
16:18 < mistergibson> hello
16:18 < Googleman> <Googleman> when i give     iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
16:18 < Googleman> <Googleman> iptables: No chain/target/match by that name
16:19 < mistergibson> I'm a beginner (absolute beginner) .. try !welcom
16:19 < mistergibson> err... !welcome
16:20 < Bushmills> remove  err...   and try again
16:21 < mistergibson> Bushmills: I was giving advice, not requesting assistance
16:21 < mistergibson> however, I would like to banter and discuss openvpn strategy if someone is in the mood
16:21 -!- Alphanaut [~Alphanaut@68-244-216-82.pools.spcsdns.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
16:22 < Bushmills> ah. seemed you stated that you were an absolute beginner, which suggested you were struggling with getting help
16:22 < mistergibson> oh
16:22 < mistergibson> not struggling yet, this is before the struggles I suppose
16:22 < mistergibson> that's why I was interested in banter first
16:23 -!- Kniggedigge_ [~Knigge@f049144154.adsl.alicedsl.de] has joined ##openvpn
16:23 < mistergibson> is this the wrong channel for general discussion of openvpn?
16:24 < Kniggedigge_> krzie: thre shouldnt be a problem with this server.conf or ? because the vpn server doesnt start... http://pastebin.com/532k66QK
16:26 -!- Kniggedigge [~Knigge@f048142159.adsl.alicedsl.de] has quit [Ping timeout: 276 seconds]
16:26 -!- Kniggedigge_ is now known as Kniggedigge
16:27 < mistergibson> Bushmills: is this the wrong channel for general openvpn discussion?
16:27 -!- Brayn [~Brayn@188.27.65.99] has joined ##openvpn
16:27 < Bushmills> no, not at all
16:27 < mistergibson> I see
16:28 < mistergibson> Anyone: read in the config section of admin on forum: not to use tcp but udp for tunneling.  Not sure why or what the rationale is.  your thoughts?
16:28 < Bushmills> Kniggedigge: how do you know that server doesn't start?
16:29 < Kniggedigge> Starting virtual private network daemon(s)...
16:29 < Kniggedigge>  *   Autostarting VPN 'server'
16:29 < Kniggedigge>    ...fail!
16:29 < Bushmills> hm.  look at server log, it should tell you why it failed
16:29 < Kniggedigge> ah thats a good idea thanks ;)
16:31 < Bushmills> i suspect that it couldn't find one of the crt, key or pem  files
16:32 < Kniggedigge> oh gosh i should take a break
16:32 < Kniggedigge> of course it cant if they are in /keys -.-
16:32 < krzie> not if you dont have dh / ta.key
16:33 < krzie> !dh
16:33 < vpnHelper> krzie: "dh" is build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN
16:33 < krzie> !hmac
16:33 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
16:33 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
16:34 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 248 seconds]
16:38 < Kniggedigge> i do have a dh in the keys folder an i just wanted to try the connection without the tls-auth.key
16:40 < mistergibson> I'm looking at: http://sites.inka.de/~bigred/devel/tcp-tcp.html .  I'm not sure how to overcome this issue.  I was under the impression that TCP would be the majority of traffice over a vpn as web,mail, (all but media, etc) would use tcp.
16:40 < vpnHelper> Title: Why TCP Over TCP Is A Bad Idea (at sites.inka.de)
16:42 < mistergibson> does this mean I would have to modify timeouts of the tun/tap or services to properly work over a tcp based vpn?
16:47 < Googleman> krzie, 
16:47 < Googleman> i still have some problem
16:48 < Googleman> anyone tried to install openvpn on vps ?
16:48 < Bushmills> well, i tried under vserver but didn't work for me. though vserver is not the usual type of vps.
16:49 < krzie> [14:21]  <Googleman> <Googleman> when i give     iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
16:49 < krzie> [14:21]  <Googleman> <Googleman> iptables: No chain/target/match by that name
16:49 < krzie> that is not an openvpn problem, you dont have NAT
16:49 < krzie> Kniggedigge, then comment out the tls-auth line in client and server
16:49 < Googleman> oke
16:50 < Kniggedigge> yes i did, but shouldnt it be 1024.pem
16:50 < krzie> mistergibson, it means you want UDP for your transport protocol (for the vpn)
16:50 < Kniggedigge> instead of 2014 ?
16:50 < krzie> openvpn docs default to 2048, but you can use 1024 if you like
16:50 < krzie> change it accordingly
16:52 < Googleman> is 2048 will compresse betere than 1024 ?
16:52 < mistergibson> krzie: ok, thanks - that makes sense
16:53 -!- Kniggedigge_ [~Knigge@g227193159.adsl.alicedsl.de] has joined ##openvpn
16:54 < Kniggedigge_> is it important to get the commands in the server.conf in the right order ?
16:55 < Kniggedigge_> in the old .conf the line with client-to-client was before the keepalive line...
16:55 -!- Kniggedigge [~Knigge@f049144154.adsl.alicedsl.de] has quit [Ping timeout: 260 seconds]
16:55 -!- Kniggedigge_ is now known as Kniggedigge
16:55 -!- blueboxthief1 [~None_of_y@83-71-8-221-dynamic.b-ras1.dbn.dublin.eircom.net] has quit [Read error: Connection reset by peer]
17:06 < Kniggedigge> grr you config file is totally mixed up krzie 
17:07 < Kniggedigge> no i mean that the lines are mixed up i had to sort them, there was local and usergroup at the end of the conf etc...
17:09 < krzie> do you feel better with it alphabetized?
17:09 < krzie> lol
17:09 < Kniggedigge> isnt it importan in which order they are ?
17:09 < Kniggedigge> i thought sry
17:09 < krzie> no, order doesnt matter
17:10 < Kniggedigge> ah i thought the file is worked out from above to the bottom ok sry
17:10 < Kniggedigge> but now i found the problem ,my pem file is named dh1024.pem :)
17:10 < Kniggedigge> now its running :)
17:13 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
17:18 < Kniggedigge> do i have to use the comp-lzo line ?
17:21 -!- Brayn [~Brayn@188.27.65.99] has quit [Ping timeout: 252 seconds]
17:22 < krzie> !man
17:22 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
17:22 < krzie> read it, decide for yourself
17:22 < krzie> it must match on both sides
17:23 -!- Kniggedigge_ [~Knigge@g227200091.adsl.alicedsl.de] has joined ##openvpn
17:25 < Kniggedigge_> krzie: do you like to give me a little bit more support ? :)
17:25 -!- Kniggedigge [~Knigge@g227193159.adsl.alicedsl.de] has quit [Ping timeout: 248 seconds]
17:25 -!- Kniggedigge_ is now known as Kniggedigge
17:27 < krzie> not especially, lol
17:27 -!- mirco [~mirco@p5B23F8B8.dip.t-dialin.net] has quit [Quit: mirco]
17:27 < Kniggedigge> :P :(
17:28 < krzie> whats the question
17:28 -!- mirco [~mirco@p5B23F8B8.dip.t-dialin.net] has joined ##openvpn
17:29 < Kniggedigge> so i got the server running, client config, server config, keys everything is allright i hope, i set the iptable, the forward in linux and i forwarded the port 1194 on my router but i cant connect :)
17:29 < krzie> Googleman, 1024 dh will work fine, james explains somewhere on the website that he uses 2048 as the default to allow for future changes in algorithms without needing to regenerate dh params
17:29 < krzie> look at your logs, try to figure it out yourself
17:30 < krzie> if that doesnt work,
17:30 < krzie> !logs
17:30 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
17:30 < Googleman> k
17:30 < krzie> Googleman, only that first part was to you
17:31 < krzie> the thing about logs was at Kniggedigge 
17:31 < Googleman> oke
17:31 < Kniggedigge> k thanks ill try to figure it out ;)
17:32 < Kniggedigge> but i cant see where it is stuck, or ? for example that the router doesnt forward correctly the right port... ?
17:33 < krzie> if those are the case, it falls into general networking and not an openvpn problem
17:33 < krzie> we're here for openvpn problems
17:33 < krzie> it needs to be somewhat assumed that you understand general networking before you come here
17:33 < krzie> i dont care to teach you how to port forward on your router or anything else
17:34 < krzie> once you verify you forwarded the right port on your server's router for the right protocol, check firewalls
17:35 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
17:36 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:36 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
17:39 -!- Kniggedigge_ [~Knigge@f049065193.adsl.alicedsl.de] has joined ##openvpn
17:42 -!- Kniggedigge [~Knigge@g227200091.adsl.alicedsl.de] has quit [Ping timeout: 264 seconds]
17:42 -!- Kniggedigge_ is now known as Kniggedigge
17:55 -!- Kniggedigge [~Knigge@f049065193.adsl.alicedsl.de] has quit [Ping timeout: 246 seconds]
17:58 -!- Kniggedigge [~Knigge@g227189006.adsl.alicedsl.de] has joined ##openvpn
18:15 -!- Googleman [~reacting@41.105.9.46] has quit [Ping timeout: 276 seconds]
18:24 -!- Kniggedigge [~Knigge@g227189006.adsl.alicedsl.de] has quit [Ping timeout: 246 seconds]
18:24 -!- mirco [~mirco@p5B23F8B8.dip.t-dialin.net] has quit [Quit: mirco]
18:27 -!- Alphanaut [~Alphanaut@c-76-119-199-25.hsd1.ma.comcast.net] has joined ##openvpn
18:28 < Alphanaut> can i force the server to always dole out the same IP to the same client?
18:28 < Alphanaut> !morestupidquestionsfromalphanaut
18:28 < vpnHelper> Alphanaut: Error: "morestupidquestionsfromalphanaut" is not a valid command.
18:30 < krzie> only if you use:
18:30 < krzie> !static
18:30 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
18:30 < krzie> and actually you're working your way to more commonly asked questions ;]
18:30 < krzie> ^5
18:31 < krzie> (thats a high 5)
18:31 < Alphanaut> i answered it myself
18:31 < Alphanaut> just found iff.txt
18:31 < krzie> nope
18:31 < krzie> !ipp
18:31 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
18:31 < Alphanaut> er i meant ipp.txt
18:31 < Alphanaut> not iff
18:31 < Alphanaut> oh
18:31 < Alphanaut> dang it
18:31 < Alphanaut> !iporder
18:31 < vpnHelper> Alphanaut: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
18:31 < Alphanaut> !ipstatic
18:31 < vpnHelper> Alphanaut: Error: "ipstatic" is not a valid command.
18:31 < Alphanaut> !static
18:31 < vpnHelper> Alphanaut: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
18:32 < Alphanaut> hmm
18:33 < Alphanaut> all of a sudden i cant connect to my vnc server (also my openvpn server) with the openvpn IP address, even though it worked great yesterday
18:33 < Alphanaut> if i connected the vpn client to server i could connect, now i cant
18:33 < Alphanaut> odd
18:33 < krzie> check if windows firewall re-enabled itself
18:35 < Alphanaut> naw i have about 90% of windows services disabled
18:35 < Alphanaut> including that one
18:35 < krzie> dunno then
18:35 < krzie> but doesnt sound like openvpn is to blame...
18:35 < krzie> if you can still ping that is
18:36 < krzie> personally, on the only windows machine i vnc into, i dont do it by vpn ip, i have a route command in the client
18:36 -!- KnightWhoSaysNi is now known as UdontKnow
18:36 < krzie> like route <LAN_IP> 255.255.255.255
18:36 < krzie> but the openvpn machine is the server
18:37 < Alphanaut> rgr
18:37 < Alphanaut> and i can ping it fine
18:37 < Alphanaut> odd
18:37 < Alphanaut> and i can connect to windows shares and such
18:37 < Alphanaut> and i can connect vnc to it's nonvpn ip
18:37 < krzie> sounds like remote desktop isnt listening on the vpn ip
18:37 -!- Kniggedigge [~Knigge@f048235079.adsl.alicedsl.de] has joined ##openvpn
18:37 < Alphanaut> sounds like i need another drink
18:37 < Alphanaut> this one is gettin low
18:37 < krzie> vodka tonic?
18:37 < Alphanaut> :)
18:38 < Alphanaut> you know it
18:38 < Alphanaut> extra lime
18:38 < Alphanaut> good memory
18:38 < krzie> ya, no idea why i remember that
18:38 < Alphanaut> not a ton of traffic in here
18:38 < krzie> with how much weed i smoke youd think i wouldnt remember that stuff
18:38 -!- Kniggedigge_ [~Knigge@f048235079.adsl.alicedsl.de] has joined ##openvpn
18:39 < Alphanaut> hahah i havent smoked in umm, 
18:39 < Alphanaut> 17 years
18:39 < Alphanaut> if i could get away with it i would definitely
18:39 < Alphanaut> the whole random drug testing thing
18:40 -!- Kniggedigge__ [~Knigge@f048162170.adsl.alicedsl.de] has joined ##openvpn
18:40 < Alphanaut> every time i open services on my windows server i find about 15 services that have magically reenabled themselves
18:40 < Alphanaut> i freakin hate windows
18:41 < Alphanaut> it's like a virus
18:41 -!- Kniggedigge [~Knigge@f048235079.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
18:41 -!- Kniggedigge__ is now known as Kniggedigge
18:43 -!- Kniggedigge_ [~Knigge@f048235079.adsl.alicedsl.de] has quit [Ping timeout: 246 seconds]
18:47 -!- Kniggedigge_ [~Knigge@f048162170.adsl.alicedsl.de] has joined ##openvpn
18:48 -!- Alphanaut [~Alphanaut@c-76-119-199-25.hsd1.ma.comcast.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
18:48 -!- Kniggedigge [~Knigge@f048162170.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
18:48 -!- Kniggedigge_ is now known as Kniggedigge
19:07 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
19:20 -!- Netsplit *.net <-> *.split quits: timburke, havoc, mwheeler, xargs, atlantic, takamichi, nb, krzie, kraut, stein0,  (+72 more, use /NETSPLIT to show all of them)
19:22 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
19:22 -!- Netsplit over, joins: d12fk, krzee, krzie, vpnHelper, @mattock, @raidz, mape2k, @openvpn2009, Knio, ScriptFanix (+72 more)
19:22 -!- Guest34769 [uriel@hurricane.urts.info] has quit [Ping timeout: 260 seconds]
19:25 -!- Uriell [uriel@hurricane.urts.info] has joined ##openvpn
19:45 -!- Kniggedigge [~Knigge@f048162170.adsl.alicedsl.de] has quit [Ping timeout: 248 seconds]
19:45 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
19:50 -!- Kniggedigge [~Knigge@g227194019.adsl.alicedsl.de] has joined ##openvpn
19:52 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
19:54 -!- Kniggedigge [~Knigge@g227194019.adsl.alicedsl.de] has quit [Client Quit]
20:13 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
20:31 -!- Lenhix [LordChaman@190.156.63.4] has joined ##openvpn
20:43 -!- Alphanaut [~Alphanaut@c-76-119-199-25.hsd1.ma.comcast.net] has joined ##openvpn
20:44 < Alphanaut> so apparently my problem with vnc and openvpn is my mtu setting
20:44 < Alphanaut> every time i adjust tun-mtu in the ovpn do i need to reboot or will it take after a restart of the tunnel?
20:45 < krzie> stop and start openvpn
20:45 < Alphanaut> this is annoying
20:45 < Alphanaut> it says windows mtu is 1500
20:45 < Alphanaut> and even if i set the vpn mtu lower uvnc still shows a black screen
20:45 < Alphanaut> which i read everywhere is because if mismatched mtu
20:46 < Alphanaut> even if i'm running in "tap" mode does mtu-tun work?
20:46 < Alphanaut> there is no mtu-tap command
20:46 < krzie> i dont use tap, whats the manual say...
20:46 < Alphanaut> it says i'm an idiot
20:46 < Alphanaut> :)
20:46 < krzie> theres a ton more mtu settings than JUST mtu-tun
20:46 < Alphanaut> oh
20:46 < Alphanaut> great
20:46 < krzie> try mssfix
20:47 < krzie> ive never had to play with mtu
20:47 < krzie> so i cant really help
20:47 < Alphanaut> rgr
20:47 < krzie> but what you said from your mtu-test agrees that you have a reason to play with mtu
20:48 < Alphanaut> yah but mtu test errors out for me
20:51 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:54 < krzie> you said the results earlier...
20:54 < krzie> you shouldnt have any mtu settings when using mtu-test
20:55 < theDoc> yippie!
20:58 -!- tjz [~pc@bb119-74-158-41.singnet.com.sg] has joined ##openvpn
20:58 -!- tjz [~pc@bb119-74-158-41.singnet.com.sg] has quit [Changing host]
20:58 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
21:02 -!- Alphanaut [~Alphanaut@c-76-119-199-25.hsd1.ma.comcast.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
21:08 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 264 seconds]
21:11 -!- oc80z [oc80z@blea.ch] has quit [Ping timeout: 252 seconds]
21:12 -!- oc80z [oc80z@blea.ch] has joined ##openvpn
22:26 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Read error: Connection reset by peer]
22:28 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
22:55 -!- BashLogi1 [~BashLogic@NS1.Kielletty.net] has joined ##openvpn
22:57 -!- Netsplit *.net <-> *.split quits: mistergibson
23:00 -!- Netsplit *.net <-> *.split quits: BashLogic
23:04 -!- takamichi [~pri@78.133.92.164] has quit [Ping timeout: 240 seconds]
--- Day changed Thu May 20 2010
00:09 -!- Brayn [~Brayn@89.39.174.245] has joined ##openvpn
00:27 < jnss> i want 4096 keys
00:29 < jnss> ahem
00:29 < jnss> actually i jsut want this to work ;)
00:31 < theDoc> 4096bit encryption keys?
00:31 < theDoc> Why?
00:35 -!- corretico_ [~laguilar@201.201.46.106] has joined ##openvpn
00:38 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
00:38 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 245 seconds]
00:53 < krzee> i use 4096
00:54 < krzee> *shrug*
01:02 -!- Lenhix [LordChaman@190.156.63.4] has quit [Quit: m]
01:11 -!- SkyHAPPY [~SkyB0x@212.235.177.25] has joined ##openvpn
01:13 -!- disappearedng [~disappear@unaffiliated/disappearedng] has joined ##openvpn
01:14 < disappearedng> ok I just upgraded my OS recently, and right now when I run openvpn, my /etc/resolv.conf is not updated. This is the traceback + my config file, any help?
01:18 < krzee> !pushdns
01:18 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
01:19 < krzee> sounds like your need update-resolv-conf script
01:19 < krzee> you*
01:21 < disappearedng> ok let me download that
01:22 < disappearedng> I do have update-resolv-conf though
01:22 < disappearedng> in /etc/openvpn
01:22 < krzee> your config calls it?
01:26 < disappearedng> oh crap I didn't paste http://paste.pocoo.org/show/216093/
01:26 < disappearedng> sorry
01:26 < disappearedng> yeah it does call it with the up option, or at least theoretically
01:28 < krzee> Thu May 20 14:08:53 2010 /etc/openvpn/update-resolv-conf tun0 1500 1542 10.176.0.182 10.176.0.181 init
01:28 < krzee> well it calls it
01:28 < krzee> is it +x?
01:29 < krzee> if so, make it echo some stuff out if you need
01:29 < disappearedng> -rwxr-xr-x 1 root root 1.4K 2010-01-26 17:48 update-resolv-conf
01:30 < disappearedng> http://paste.pocoo.org/show/216095/ where would you suggest? 
01:30 < disappearedng> bash looks cryptic to me
01:31 < krzee> ahh i never looked at this before
01:32 < disappearedng> krzee: i am doing the right thing right? 
01:32 < disappearedng> cause I am able to use openvpn in ubuntu 9.10
01:32 < disappearedng> exact same config
01:32 < krzee> looks good, i assume the server didnt change any
01:32 < disappearedng> migrated to ubuntu 10.04 
01:32 < krzee> you are using 2.1.1 right?
01:32 < disappearedng> no they didn't 
01:32 < krzee> try /sbin/resolvconf -a
01:32 < disappearedng> 2.1.0
01:32 < krzee> thats what its using to add the nameserver
01:32 < krzee> update to 2.1.1
01:32 < disappearedng> bash: /sbin/resolvconf: No such file or directory
01:33 < krzee> well theres your problem
01:33 < disappearedng> wow how do you know that
01:33 < disappearedng> ok let me try vpn I will be off for a while thx 
01:33 < krzee> 	for NS in $IF_DNS_NAMESERVERS ; do
01:33 < krzee>         	R="${R}nameserver $NS
01:33 < krzee> "
01:33 < krzee> 	done
01:33 < krzee> 	echo -n "$R" | /sbin/resolvconf -a "${dev}.inet"
01:33 < krzee> 	;;
01:33 < krzee> thats what adds the NS
01:34 < krzee> i dunno  why the script doesnt just copy the file to a backup, change the NS entry, and on down move the backup back
01:36 < krzee> but i guess maybe thats cause i never heard of resolvconf ;)
01:38 -!- disappearedng [~disappear@unaffiliated/disappearedng] has quit [Ping timeout: 265 seconds]
01:38 < krzee> in fact
01:38 < krzee> [ -x /sbin/resolvconf ] || exit 0
01:38 < krzee> very first line
01:38 < krzee> if executable, /sbin/resolvconf, OR exit
01:39 < krzee> so if that file doesnt exist with +x, exit immediately
01:53 -!- Brayn [~Brayn@89.39.174.245] has quit [Ping timeout: 268 seconds]
01:57 -!- Brayn [~Brayn@89.39.174.245] has joined ##openvpn
02:02 -!- dazo_afk is now known as dazo
02:19 -!- SkyHAPPY [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
02:24 < dazo> http://xkcd.com/742/
02:24 < vpnHelper> Title: xkcd: Campfire (at xkcd.com)
02:25 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:15 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
04:09 -!- Kniggedigge [~Knigge@g228199158.adsl.alicedsl.de] has joined ##openvpn
04:28 < Kniggedigge> hi guys, can someone tell me whether these two config should work together correctly ? http://pastebin.com/zmXi3WBg
04:34 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
04:34 -!- Kniggedigge_ [~Knigge@f049085058.adsl.alicedsl.de] has joined ##openvpn
04:36 -!- Kniggedigge [~Knigge@g228199158.adsl.alicedsl.de] has quit [Ping timeout: 260 seconds]
04:36 -!- Kniggedigge_ is now known as Kniggedigge
04:36 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
04:36 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
04:48 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
05:04 -!- Kniggedigge_ [~Knigge@f054231223.adsl.alicedsl.de] has joined ##openvpn
05:06 -!- Kniggedigge [~Knigge@f049085058.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
05:06 -!- Kniggedigge_ is now known as Kniggedigge
05:25 < Kniggedigge> anyone any idea ?
05:26 -!- motd2k [~motd2k@87-194-148-242.bethere.co.uk] has joined ##openvpn
05:26 -!- motd2k [~motd2k@87-194-148-242.bethere.co.uk] has quit [Changing host]
05:26 -!- motd2k [~motd2k@xbmc/staff/motd2k] has joined ##openvpn
05:35 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:36 -!- Kniggedigge [~Knigge@f054231223.adsl.alicedsl.de] has quit [Ping timeout: 260 seconds]
05:39 -!- Kniggedigge [~Knigge@f054230216.adsl.alicedsl.de] has joined ##openvpn
05:39 -!- motd2k [~motd2k@xbmc/staff/motd2k] has quit [Ping timeout: 268 seconds]
05:46 -!- motd2k [~motd2k@87-194-148-242.bethere.co.uk] has joined ##openvpn
05:46 -!- motd2k [~motd2k@87-194-148-242.bethere.co.uk] has quit [Changing host]
05:46 -!- motd2k [~motd2k@xbmc/staff/motd2k] has joined ##openvpn
05:51 -!- Kniggedigge [~Knigge@f054230216.adsl.alicedsl.de] has quit [Ping timeout: 258 seconds]
05:51 -!- motd2k [~motd2k@xbmc/staff/motd2k] has left ##openvpn []
06:10 -!- Kniggedigge [~Knigge@g228214030.adsl.alicedsl.de] has joined ##openvpn
06:24 -!- Kniggedigge_ [~Knigge@g228214030.adsl.alicedsl.de] has joined ##openvpn
06:26 -!- Kniggedigge [~Knigge@g228214030.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
06:26 -!- Kniggedigge_ is now known as Kniggedigge
06:29 < Kniggedigge> krzie: youre here ?
06:33 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
06:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
06:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
06:47 < Kniggedigge> whats the error message i'll get if the keys are wrong ?
06:47 < Kniggedigge> its different from TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) or ?
06:48 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
06:51 -!- motd2k [~motd2k@xbmc/staff/motd2k] has joined ##openvpn
07:03 -!- motd2k [~motd2k@xbmc/staff/motd2k] has quit [Ping timeout: 252 seconds]
07:04 -!- VirusTB [~VirusTB@ip-145-93-223-156.fontys.nl] has joined ##openvpn
07:11 -!- Netsplit *.net <-> *.split quits: ScriptFanix, stein0, bandini, zamba, sno, disco-, dunc, yakub, Uriell, freaky[t],  (+2 more, use /NETSPLIT to show all of them)
07:14 -!- 14WAAOJHF [uriel@hurricane.urts.info] has joined ##openvpn
07:14 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
07:14 -!- yakub [~www-data@unaffiliated/yakub] has joined ##openvpn
07:14 -!- bandini [~bandini@host103-109-dynamic.41-79-r.retail.telecomitalia.it] has joined ##openvpn
07:14 -!- disco- [disco@andromeda.h4xed.com] has joined ##openvpn
07:14 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
07:14 -!- Knio [~Knio@174.0.88.23] has joined ##openvpn
07:14 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined ##openvpn
07:14 -!- zamba [marius@flage.org] has joined ##openvpn
07:14 -!- sno [~sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn
07:14 -!- mrnice1 [bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
07:14 -!- stein0 [~stein@mail.vgnett.no] has joined ##openvpn
07:21 -!- VirusTB [~VirusTB@ip-145-93-223-156.fontys.nl] has quit [Quit: VirusTB]
07:22 < Kniggedigge> how can i certify a certificate ?
07:22 < Kniggedigge> it says VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=DE
07:26 -!- Kniggedigge [~Knigge@g228214030.adsl.alicedsl.de] has quit [Quit: Kniggedigge]
07:29 < qfr> Which commandline argument do I require to specify an additional password in stdin? I get "Key file 'ta.key' used in --tls-auth contains insufficient key material [keys found=1 required=2]" right now - I used ./build-key for the client with "send password request with certificate" or something like thast
07:34 < qfr> krzee? :[
07:39 < qfr> --askpass stdin didn't help hmm
07:47 < dazo> qfr: read the man page more carefully about --tls-auth ... you need to use either two keying material inputs ... or openvpn --genkey --secret ta.key
07:48 -!- SkyHAPPY [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
07:48 < dazo> for the "two keying material", the file needs to be "big enough" to provide the two needed keys
07:51 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
07:56 -!- dollabill [~mike@97.66.26.10] has quit [Client Quit]
08:17 -!- mithridates [~chatzilla@142.166.45.236] has joined ##openvpn
08:17 -!- mithridates [~chatzilla@142.166.45.236] has quit [Client Quit]
08:18 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
08:39 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 260 seconds]
08:40 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
08:43 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
08:45 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
08:45 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
08:51 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Ping timeout: 252 seconds]
08:57 -!- dazo is now known as dazo_afk
09:00 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
09:03 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
09:07 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
09:11 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
09:13 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
09:22 < qfr> dazo: I don't get it - I can't modify the ta.key just for this one client anyways, the rest of the VPN needs to use the same one after all
09:23 < qfr> I just want this one client to be required to input a password in stdin every time they connect to the VPN
09:24 < krzee> just pw protect its private key
09:24 < qfr> The ./build-key from easy-rsa offers that as a requirement
09:24 < krzee> bbiab
09:24 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
09:24 < qfr> Well I think I did that
09:24 < qfr> It prompted me for a password :[ but I'm doing something wrong
09:24 < qfr> because openvpn never queries me for a password with my current config
09:35 -!- djMax [~chatzilla@66.92.65.4] has joined ##openvpn
09:35 < djMax> Do I need to use a different subnet for openvpn clients?
09:36 < djMax> !welcome
09:36 < vpnHelper> djMax: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:36 < djMax> !route
09:36 < vpnHelper> djMax: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:38 < djMax> hrmph, I can ping across the subnets fine, but "net view" no likey.
09:45 < krzie> !wins
09:45 < vpnHelper> krzie: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
09:47 < djMax> was actually quite strange, the dns server in Tomato (where the openvpn server is running) had just stopped responding to most queries.
09:48 < djMax> not all mind you, but most.  So I just rebooted the router and now it's all fine (net view still doesn't work w/o a machine name, but all else fine)
09:49 < djMax> I also have to append the full domain name, which I didn't used to have to do in pptp
09:49 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
09:51 < krzie> !pptp
09:51 < vpnHelper> krzie: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
09:51 < vpnHelper> krzie: read about why to not use pptp
09:54 < qfr> krzie: How do I specify the password I entered in the easy-rsa build-key prompt?
09:54 < qfr> I mean that should make the [client].key passworded, right?
09:54 < djMax> I know pptp sucks, that's why I'm here.  Just saying that it's doing something that allows either multiple domains to be checked (?) or hijacking something
09:54 < qfr> And the [client].crt should reflect that?
09:55 < djMax> i.e. what do I set in openvpn so that when a client types "ping foo" it checks both the clients domain suffix as well as my servers?
09:56 < Bushmills> djMax: " the dns server stopped responding..."  after using --redirect-gateway?
09:56 < djMax> I'm really not sure when/why.  All I did was restart it.
09:57 < Bushmills> i am not good at diagnosing speculative error causes
09:57 < djMax> Not trying to diagnose that anymore, more just saying "that's odd" but moving onto this other issue of how do I get clients to check both domains for non-qualified DNS queries (if it's possible)
09:58 < Bushmills> add search  to resolv.conf
09:59 < djMax> so no way to push it down from the vpn server to the clients?
09:59 < djMax> clients are windows boxes
10:00 < Bushmills> can't help you with those
10:00 < krzie> you mean split dns setups?
10:01 < djMax> I guess so.  When I type "ping foo" into a windows client connected via PPTP, it will try both the local DNS suffix (e.g. myclient.local) and the servers (mynetwork.local)
10:01 < Bushmills> i understood "looking ab fully qualified host names when not querying for FQ, by appending from a list of search domains!"
10:01 < Bushmills> up
10:01 < djMax> and that "mynetwork.local" suffix is not preset on the windows box, it comes down from the server.
10:02 < djMax> (Maybe this is a dhcp option)
10:03 < djMax> yeah, it is a DHCP option but unsupported by most clients, including all of windows, so it must be doing it some other way for PPTP
10:08 < jpalmer> why are you people always yelling at me?
10:08 < jpalmer> I mean,  hi guys.
10:09 < djMax> pushing the dhcp option via openvpn seems to work, oddly.  I'll take it!
10:16 < ecrist> 7 x 13 = 28
10:16 < ecrist> http://www.youtube.com/watch?v=yHZzObQUgE8
10:16 < vpnHelper> Title: YouTube - 7x13=28 (at www.youtube.com)
10:16 < krzie> not 91?
10:16 < ecrist> krzie: see the youtube proof
10:17 -!- djMax [~chatzilla@66.92.65.4] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
10:22 -!- blipX [~irc@c-174-52-45-167.hsd1.ut.comcast.net] has left ##openvpn []
10:24 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
10:24 < Alphanaut> !mtu
10:24 < vpnHelper> Alphanaut: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
10:25 < Alphanaut> !mtu-test
10:25 < vpnHelper> Alphanaut: "mtu-test" is you can just use --mtu-test on the client to see what the best mtu for your connection is
10:25 < Alphanaut> Thu May 20 11:22:16 2010 us=664000 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
10:25 < Alphanaut> Thu May 20 11:22:16 2010 us=664000 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
10:26 -!- macsppadic [~sonupunno@88.211.55.77] has left ##openvpn []
10:26 < Alphanaut> D:138 ?
10:28 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Read error: Connection reset by peer]
10:28 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
10:28 < krzie> ecrist, nice
10:30 < Alphanaut> should i be concerned that the log says MTU Parameters for the control cahnnel are D:138
10:30 < Alphanaut> that doesnt mean the mtu is 138 does it?
10:31 < Alphanaut> so it says Empirical MTU test completed [Tried,Actual] local->remote=[1541,1541] remote->local=[1541,1541]
10:32 < Alphanaut> but tap mtu is 1500
10:32 < Alphanaut> so do i need to change the mtu to 1500 or less?
10:34 < krzie> ignore what you think it is
10:34 < krzie> theres overhead you dont understand
10:34 < krzie> important thing is
10:34 < krzie> MTU test completed [Tried,Actual] local->remote=[1541,1541] remote->local=[1541,1541]
10:35 < krzie> that means you shouldnt really need to play with MTU
10:38 -!- Alphanaut_ [~Alphanaut@70-88-199-130-ubr905-ne-ma.hfc.comcastbusiness.net] has joined ##openvpn
10:38 -!- krzie [~k@unaffiliated/krzee] has quit [Quit: Leaving]
10:39 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Read error: Connection reset by peer]
10:39 -!- Alphanaut_ is now known as Alphanaut
10:42 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
10:49 -!- Brayn [~Brayn@89.39.174.245] has quit [Ping timeout: 264 seconds]
11:03 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
11:04 -!- ike [ike@unaffiliated/ike] has joined ##openvpn
11:05 -!- smerz [~daniel@smerz.demon.nl] has quit [Remote host closed the connection]
11:06 < ike> Hello. I have one question. Can two (or more) configurations share the same ifconfig-pool-persist file? Like I want user to have the same ip address regardless if one uses tcp or udp protocol.
11:08 < krzee> !ipp
11:08 < vpnHelper> krzee: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
11:09 < krzee> and also, no
11:09 < krzee> cant even share same subnet
11:10 < ike> Pity.
11:10 < ike> :-) but thanks for the answer.
11:12 < krzee> np
11:12 < krzee> btw reason i say they cant share same subnet...
11:12 < krzee> it would create routing issues
11:12 < krzee> !samesubnet
11:12 < vpnHelper> krzee: "samesubnet" is clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
11:13 < krzee> you also cant have 2 vpn's with same subnet
11:14 < krzee> however, you should not need to either
11:14 < krzee> what are you trying to accomplish?
11:14 < ike> Well yeah. That makes sense since I'm using two different tap interfaces.
11:15 < krzee> !tunortap
11:15 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
11:15 < vpnHelper> krzee: against you over the vpn
11:15 < ike> krzee: actually I wonder if I could have only one ip address per user regardless used protocol. This could make firewalling and routing a bit easier.
11:15 < ike> I mean - I wondered.
11:16 < ike> This is not critical so I'll do it the right way.
11:16 < krzee> no, but you can dynamically firewall based on common-name via --client-connect script
11:16 < krzee> without even needing static ips =]
11:16 < ike> Ah! Yeah. It can pass common name as argument, right?
11:16 < krzee> in fact if you use linux and LDAP, there was recently a script released for that
11:16 < krzee> not can, does =]
11:17 < krzee> you *can* use that argument in a script ;]
11:17 < ike> Awesome! Thanks. Yeah. --client-connect is the way to go.
11:17 -!- Alphanaut [~Alphanaut@70-88-199-130-ubr905-ne-ma.hfc.comcastbusiness.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
11:17 < ike> krzee: :>
11:17 < krzee> well here ill throw you a link to the ldap script recently released on the mail list
11:17 < krzee> maybe you find something useful from it
11:18 < ike> Sure I will. LDAP is also used here.
11:18 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
11:18 < krzee> and you use linux?
11:18 < ike> Yup.
11:18 < krzee> sounds like this was made for you!
11:18 < ike> :-)
11:18 < krzee> you'll likely wanna mod 1 thing... it only firewalls TCP at the moment
11:19 < krzee> but that should be an easy mod
11:19 < ike> Easy to fix I suppose.
11:19 < krzee> the author just didnt need it, and its 0.1
11:19 < ike> The lovely pre-alfa version. If it works - I take it.
11:19 < krzee> http://planetjoel.com/files/openvpn_ldap_iptables.0.1.zip
11:19 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Client Quit]
11:20 < krzee> ill find the mail list entry too
11:21 < krzee> http://permalink.gmane.org/gmane.network.openvpn.user/30168
11:21 < vpnHelper> Title: Dynamically create IPtables rules based on LDAP group membership (at permalink.gmane.org)
11:21 < ike> :-) thank you very much krzee. This is more than I was looking for.
11:22 < krzee> you're welcome, real thanx go to Joel as well, he just released this a week ago
11:22 < krzee> im sure he'ld be happy to know its already being used by someone in the community
11:23 < krzee> i know i like when i find that people use my configuration file generator
11:23 < krzee> !confgen
11:23 < vpnHelper> krzee: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
11:23 < krzee> that ^
11:23 < krzee> heres Joels page, http://planetjoel.com/viewarticle/638/OpenVPN%3A+Dynamically+create+IPtables+rules+based+on+LDAP+group+membership
11:23 < vpnHelper> Title: PlanetJoel.com : OpenVPN: Dynamically create IPtables rules based on LDAP group membership (at planetjoel.com)
11:41 < krzee> hey ecrist you here?
11:42 < krzee> im in my 1000th argument regarding the immigration law in AZ, curious as to your viewpoint, also curious if you have read the law
12:03 <@openvpn2009> new immigration law in AZ == #EPICFAIL
12:08 < krzee> its actually nothing new
12:09 < krzee> EVERYONE i have talked to that is against the law has failed to actually read it
12:09 < krzee> all it says is they will enforce the federal law that the federal government has failed to enforce
12:09 < krzee> every is making a big deal out of it, saying it does this and that... in reality it changes NOTHING
12:10 < krzee> i figure eric would have read it, hence why i ask his opinion ;)
12:11 < krzee> the epicfail is how many people talk about it before doing the research (reading the law)
12:12 < krzee> thats actually a large part of why i left USA and only return to visit friends / family... half the sheep blindly go with the gov, half blindly go against it, and damn near nobody takes the time to read the laws and form an educated opinion
12:12 < krzee> i fought it as long as i could, but eventually i gave up and left
12:16 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 240 seconds]
12:16 < qfr> krzee where do you live now?
12:19 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
12:20 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
12:20 < ecrist> I'm here now, krzee 
12:21 < ecrist> krzee: my personal opinion, kick all the illegals out and give them a way to be here legally, just like every other country does.
12:22 < ecrist> as you said, they're just going to enforce laws already on the books.
12:25 <@openvpn2009> well I am going to have to agree with eric.
12:26 <@openvpn2009> but I also think that radmonly looking them just because a LEO is suspicious is not cool
12:26 -!- Bloodsong [~Nimbus@70.50.177.230] has joined ##openvpn
12:27 < ecrist> openvpn2009: that's how almost ALL police work is done
12:28 < ecrist> somewhere like AZ, you HAVE to draw a line somewhere, and simply asking for identification seems reasonable
12:29 < ecrist> somewhere else, say MN, it's far enough away that such measures wouldn't bear as much fruit
12:32 <@openvpn2009> eric: agreed!
12:38 < qfr> easy-rsa: ./build-key test: Please enter the following 'extra' attributes to be sent with your certificate request. A challenge password []: [blah] <- when does the client specify this challenge password? My current OpenVPN configuration does not support it it seems :(
12:40 < qfr> Still getting "Key file 'ta.key' used in --tls-auth contains insufficient key material [keys found=1 required=2]"
12:47 < ecrist> qfr: what OS are you using?
12:47 < qfr> Arch, Arch, Arch, Gentoo, Arch, Windows 7, FreeBSD
12:47 < qfr> Do you mean the client?
12:47 < qfr> It's an Arch notebook
12:48 < ecrist> naw, if you've got a freebsd box, ssl-admin (in ports) can generate you certificates and such
12:48 < qfr> The server is running Arch Linux, too
12:49 < ecrist> certificates don't have to be created on the server
12:49 < qfr> Right
12:49 < ecrist> best practice would dictate they aren't created on the server, actually
12:49 < qfr> I really want to make it work with the regular tools though :(
12:49 < qfr> I suspect the crt/key are fine - I am just misusing OpenVPN
12:50 < qfr> I just used the easy-rsa scripts that came with OpenVPN
12:50 < ecrist> qfr: ssl-admin was written as a replacement for easy-rsa
12:50 < ecrist> easy-rsa sucks balls, IMHO
12:50 < qfr> :O
12:51 < qfr> But ssl-admin still wouldn't solve my problem - I am just misusing openvpn it seems
12:51 < ecrist> !configs
12:51 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
12:51 < ecrist> !tell ecrist [configs
12:51 < vpnHelper> ecrist: Error: Missing "]".  You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
12:51 < ecrist> !tell ecrist [configs]
12:51 < qfr> I used krzee's generator, it works fine for all my other clients
12:51 < qfr> Gonna post it, sec
12:52 < ecrist> ah, still haven't looked into the conf generator
12:52 < ecrist> krzee: you around?
12:52 < qfr> It just doesn't work for my passworded crt/key
12:57 < qfr> ecrist: http://siyobik.info/index.php?module=pastebin&id=457
12:57 < qfr> All the other clients who didn't have a password on the easy-rsa output worked fine
13:02 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 240 seconds]
13:04 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
13:05 < qfr> Any idea? :[
13:05 < ecrist> ta.key has a password?
13:05 < ecrist> and ta.key is the same on both systems, right?
13:07 < qfr> It's the same
13:07 < qfr> And no it doesn't
13:07 < ecrist> the error leads me to believe the files are different.
13:07 < qfr> Second
13:07 < ecrist> or that the client's file only has one of the two keys
13:08 < qfr> The ta.key's do indeed differ >:O how did this happen
13:08 < qfr> I sftp'ed it hm
13:09 < qfr> Wow this ta.key contains totally wrong data
13:09 < qfr> It's not even an OpenVPN key
13:09 < qfr> I have no idea how this happened
13:14 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Read error: Connection reset by peer]
13:15 -!- meepmeep [meepmeep@212.24.104.229] has joined ##openvpn
13:16 < qfr> Looking good :) what an odd incident
13:16 < qfr> It looks like the ta.key was actually a client key
13:16 < qfr> No idea how I managed to screw that one up
13:16 < qfr> Since I never typed their names
13:19 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined ##openvpn
13:20 < grendal_prime> hey guys i need a client connect script that gathers the connected clients mac address
13:20 < grendal_prime> im very confused. I thought that info was put into the log file but i dont see it..
13:21 < grendal_prime> the managment console has the info in it.
13:22 < qfr> Huh? tun interfaces all have the MAC 00:00:00:00:00:00, no?
13:26 < grendal_prime> these are tap's
13:26 < grendal_prime> they had to be bridged
13:27 < grendal_prime> i didnt design the network.  I just have to find a way to let people know when a box goes off line and what box it is.  
13:27 < grendal_prime> the all use the same key so i cant use that.
13:28 < qfr> Ah, I don't know anything about taps really ;[
13:42 -!- astrophy [~astrophy@95.211.87.139] has joined ##openvpn
13:44 -!- Exilant [goelzera@berlin.ethz.ch] has joined ##openvpn
13:44 < Exilant> !welcome
13:44 < vpnHelper> Exilant: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:45 < Exilant> !route
13:45 < vpnHelper> Exilant: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:47 -!- astrophy [~astrophy@95.211.87.139] has quit [Ping timeout: 252 seconds]
13:52 -!- znh [~znh@unaffiliated/znh] has joined ##openvpn
13:52 < znh> Hello lads :-)
13:53 < znh> client traffic is routed to the server. I verified that with tcpdump.. but nothing is routed back to the client. any ideas?
13:53 < znh> !welcome
13:53 < vpnHelper> znh: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:53 < znh> !redirect
13:53 < vpnHelper> znh: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:54 < znh> !ipforward
13:54 < vpnHelper> znh: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
13:54 < znh> !linipforward
13:54 < vpnHelper> znh: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
13:54 < znh> !nat
13:54 < vpnHelper> znh: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
13:54 < znh> !linnat
13:54 < vpnHelper> znh: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
13:55 < znh> IP forwarding and NAT is enabled
13:57 < qfr> Can tcpdump even do UDP?
13:58 < znh> heh, sharpie
13:58 < Exilant> mhm, remote setting up openvpn is a bad idea :( but a nice software anyway, have a good time :)
13:58 -!- Exilant [goelzera@berlin.ethz.ch] has left ##openvpn []
13:59 < znh> same result with TCP though
13:59 < znh> only client->server traffic, not backwards
14:01 < znh> client-client isn't involved with that right
14:03 < znh> nope...
14:03 < krzee> qfr, lol, of course tcpdump can sniff udp
14:03 < krzee> or icmp, or ethernet frames
14:03 < krzee> its a packet dumper, read its manual
14:04 < krzee> as far as client-to-client...
14:04 < krzee> !c2c
14:04 < vpnHelper> krzee: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
14:04 < vpnHelper> krzee: behind other clients
14:04 < qfr> <Exilant> mhm, remote setting up openvpn is a bad idea :( but a nice software anyway, have a good time :)
14:04 < qfr> Huh? It's perfect for that
14:04 < qfr> I do it all the time
14:04 < krzee> that guy has never helped in here, ignore him
14:04 < znh> any idea's...?
14:04 < krzee> im sure he did something wrong and thinks what he said is right
14:04 < krzee> znh, whats the problem?
14:05 < qfr> <krzee> its a packet dumper, read its manual
14:05 < qfr> How misleading ;[
14:05 < krzee> ive been busy at work and theres a dev meeting right now
14:05 < krzee> qfr, not if you mean its manual...
14:05 < qfr> I have to admit I never used it, Ethereal was my first packet logger
14:05 < znh> client can talk to server, but server doesn't talk back
14:05 < krzee> (which you should always do when using an app you dunno)
14:05 < qfr> Never used a CLI one
14:05 < krzee> znh, firewall
14:05 < znh> there's none...
14:06 < krzee> not true, you said you have NAT
14:06 < krzee> nat exists in the firewall
14:06 < znh> the openvpn range has to be natted right
14:07 < krzee> pastebin your entire firewall ruleset
14:08 < znh> http://pastebin.org/258806
14:08 < znh> that's all there is
14:08 < qfr> I didn't know until recently that iptables-restore doesn't actually flush :(
14:08 < znh> 172.16.0.0 is the range used by the clients
14:09 < hyper_ch> hi crazy :)
14:09 < krzee> sup hyper
14:09 < hyper_ch> long day :)
14:09 < hyper_ch> and tomorrow also
14:09 < krzee> to flush
14:09 < krzee> !iptables
14:10 < vpnHelper> krzee: "iptables" is (#1) o test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT;, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-
14:10 < vpnHelper> krzee: computing.net/wiki/index.php/OpenVPN/Firewall
14:10 < qfr> iptables -F doesn't actually work on its own
14:10 < qfr> IIRC
14:10 < qfr> You need to specify a chain?
14:10 < znh> yeah that helps
14:10 < hyper_ch> you need to specify a table IIRC
14:10 < krzee> honestly i dunno, that was either from the manual or a linux guy
14:10 < krzee> i dont use linux
14:10 < qfr> *table :|
14:10 < krzee> <-- bsd / osx
14:11 < hyper_ch> bsd is like linux... only different :)
14:11 < znh> anything wrong with my iptables?
14:11 < qfr> znh looks correct to me
14:11 < znh> crap
14:11 < qfr> Outgoing stuff should work
14:11 < krzee> shouldnt it have an interface in there?
14:11 < krzee> !linnat
14:11 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
14:12 < krzee> you use that command with your subnet?
14:12 < znh> yep
14:12 < krzee> with -o eth0?
14:12 < znh> yep
14:12 < krzee> and you're sure its NAT thats wrong...?
14:12 < qfr> One time I had a discrepancy between the ipv4 forwarding entry in the filesystem in /proc and the sysctl entry
14:12 < qfr> That was odd
14:12 < krzee> if it is, you should see your packets going out eth0 with src of vpn ip
14:12 < qfr> But that was some broken kernel anyways
14:12 < krzee> (if NAT isnt NATTING)
14:12 < znh> I don't know what's wrong. tcpdump shows traffic from the client, but no traffic going back to the client
14:13 < krzee> znh, but you need to trace it further
14:13 < krzee> since the server isnt the destination
14:13 < krzee> or is that when you ping the VPN ip?
14:13 < qfr> znh I'd start out by running both the server and the client in screen sessions with verb 5 to see all the details hmm
14:14 < qfr> That way you can see the reads/writes, too
14:14 < znh> pinging VPN ip goes fine
14:14 < qfr> Ok
14:14 < qfr> Then that shouldn't be the issue hmm
14:15 < qfr> You're trying to access the outside world through the VPN from the client through the server?
14:15 < znh> Yep
14:15 < qfr> What happens when you go ping 4.2.2.1 or whatever on the client?
14:15 < qfr> Timeout?
14:15 < qfr> Or network unreachable?
14:16 < znh> times out
14:16 < qfr> Ok
14:16 < krzee> znh, and when you do that...
14:16 < krzee> sniff icmp only on eth0
14:16 < qfr> What does the client's route -n say?
14:16 < krzee> see if the packets even try to leave eth0
14:16 < qfr> Do you use redirect-gateway def1 or something or do you set up the routes manually?
14:16 < krzee> if they do, tell me the src ip
14:17 < znh> qfr, push redirect-gateway def1
14:17 < krzee> if they do not, its routing or ip forwarding
14:17 < krzee> znh, your INPUT chain is not in your pastebin
14:17 < krzee> nor is FORWARD chain
14:17 < znh> The packets leave the eth0 device btw
14:18 < krzee> the packets destined for 4.2.2.1?
14:18 < znh> Yes
14:18 < krzee> if so, they leave with what src ip?
14:18 < znh> eth0's
14:18 < krzee> and 4.2.2.1 responds...?
14:19 < krzee> (seen via tcpdump on eth0)
14:19 < znh> no, it doesn't!
14:19 < krzee> login to your server via shell
14:19 < krzee> ping 4.2.2.1 from there
14:19 < znh> yea that goes fine
14:20 < krzee> then you told me something incorrect
14:20 < znh> nope
14:20 < krzee> because if the packets leave eth0 with eth0 ip, to 4.2.2.1, as far as packets go thats the same as pinging from shell, the packets will make it back to eth0 at a minimum
14:20 < krzee> check the command you sniff with
14:21 < krzee> when you ping from shell, sniff the same way
14:21 < krzee> see it go out, see it come back
14:21 < znh> I verified. I pinged from the shell, sniffers sees feedback. same process with VPN inbetween doesn't
14:21 < krzee> then keep that sniff going, and ping from client
14:21 < krzee> the only way that would be true is if the SRC ip isnt the same, but you say it is
14:22 < krzee> does your server have multiple IPs?
14:22 < znh> just one
14:24 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 240 seconds]
14:24 < krzee> if the ping from client leaves the server's eth0 ip with SRC ip of servers eth0, its the exact same thing as pinging from the server, and the server will at least see it return on eth0
14:24 < krzee> you are telling me that the clients ping and the shells ping look 100% identical when sniffing eth0...
14:24 < krzee> same src, same dest
14:26 < znh> creepy shit. 
14:26 < hyper_ch> krzee: you're a cats person, right?
14:27 < krzee> well i do like pussy...
14:27 < hyper_ch> :)
14:28 < znh> The lenght differs
14:28 < znh> but that's likely cuz of the diff operating sys
14:32 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 276 seconds]
14:35 < krzee> change length in shell at commandline, i think thats doable
14:35 < krzee> make it =, should have = results...
14:38 < znh> http://pastebin.org/258885
14:39 < znh> used 4.2.2.3 as example btw
14:40 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:40 < krzee> also you never showed INPUT or FORWARD chains
14:40 < znh> output of iptables --list ?
14:40 < krzee> umm
14:40 < krzee> i dont see 4.2.2.3 in those dumps
14:41 < krzee> i want to see the packets leaving server for 4.2.2.3
14:41 < krzee> and returning to server from 4.2.2.3
14:42 < znh> that hostname is 4.2.2.3
14:46 < krzee> oh lol it is
14:56 < znh> The mac destination seems to get changed
14:57 < krzee> mac?? its IP traffic...
15:01 < znh> It's sending the packet to the wrong gateway
15:02 < krzee> your server has 2 gateways?
15:02 < znh> nope, just one. but the end destination mac changes
15:02 < znh> I'll show you
15:04 < znh> nah I was wrong
15:04 < znh> http://pastebin.org/258955
15:11 < grendal_prime> ok is there any tools that query the management console and then write the results to a database server?
15:11 < grendal_prime> i mean i should be able to hammer something out that does this..but thought id ask if anyone has seen similar scripts to this?
15:18 -!- flok420 [folkert@keetweej.vanheusden.com] has quit [Quit: Terminated with extreme prejudice - dircproxy 1.0.5]
15:19 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 245 seconds]
15:37 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
15:47 -!- Bloodsong [~Nimbus@70.50.177.230] has quit [Read error: Connection reset by peer]
15:50 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
15:54 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
15:55 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
16:00 -!- astrophy [~astrophy@67.159.28.166] has joined ##openvpn
16:07 -!- blueboxthief [~None_of_y@83-71-8-221-dynamic.b-ras1.dbn.dublin.eircom.net] has joined ##openvpn
16:12 -!- Brayn [~Brayn@188.27.65.99] has joined ##openvpn
16:13 < Bushmills> query what?
16:14 < Bushmills> !management_console
16:14 < vpnHelper> Bushmills: Error: "management_console" is not a valid command.
16:20 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
16:36 -!- jumbers [~jumbers@fsf/member/jumbers] has joined ##openvpn
16:39 -!- znh [~znh@unaffiliated/znh] has quit [Quit: Ik ga weg]
16:45 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
16:47 -!- BillyCrook1 [~BillyCroo@BillyCrook-1-pt.tunnel.tserv9.chi1.ipv6.he.net] has joined ##openvpn
16:47 < BillyCrook1> what could cause $username to != $common_name during an auth-user-pass-verify script?
16:48 < BillyCrook1> !welcome
16:48 < vpnHelper> BillyCrook1: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:49 < BillyCrook1> btw i am using client-cert-not-required and username-as-common-name in my server config
16:51 < BillyCrook1> interestingly enough in the client-connect and client-disconnect scripts, the common_name is set!
16:51 < BillyCrook1> I've never even issued client certs.  these users connect only with username andpassword
16:59 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-irykofadhsexiduk] has joined ##openvpn
16:59 -!- jumbers [~jumbers@fsf/member/jumbers] has quit [Ping timeout: 265 seconds]
17:00 < HoboSteaux> hey im having difficulty with a TAP interface, people can connect, but the subnet routing isnt working (for games)
17:00 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
17:02 < HoboSteaux> heres my pastebin of relevant items: http://pastebin.com/h8SP6Bd8
17:02 < HoboSteaux> i think its a firewall issue, but jsut dont know enough :S
17:03 -!- Brayn [~Brayn@188.27.65.99] has quit [Ping timeout: 260 seconds]
17:03 < HoboSteaux> oh and its running on my router (ddwrt), lan @ 192.168.2.1 [dhcp .100+], TAP @192.168.2.50-99
17:03 -!- fremo___ [~fremo@noc.toile-libre.net] has joined ##openvpn
17:04 -!- zero-__ [~zero@noc.toile-libre.net] has joined ##openvpn
17:05 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
17:07 -!- cron2_ [~gert@kirk.greenie.muc.de] has joined ##openvpn
17:07 -!- kala_ [~kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
17:07 -!- harlan_ [~harlan@minnie.everett.org] has joined ##openvpn
17:08 -!- Netsplit *.net <-> *.split quits: zero-_, fremo__, cron2, unimatrix, BillyCrook1, kala, mape2k, harlan
17:08 -!- Netsplit over, joins: unimatrix
17:09 -!- Netsplit over, joins: mape2k
17:09 < HoboSteaux> !welcome
17:09 < vpnHelper> HoboSteaux: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:09 < HoboSteaux> !route
17:09 < vpnHelper> HoboSteaux: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:10 -!- Netsplit over, joins: BillyCrook1
17:11 < HoboSteaux> could anyone take a quick look at my route/iptables and tell me whats wrong with them?
17:23 < BillyCrook1> HoboSteaux: sure, whats your IP and rootpw?
17:34 < HoboSteaux> lol
17:34 < HoboSteaux> 127.0.0.1 ;)
17:35 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
17:40 < HoboSteaux> heres a pastebin billycrook1 http://pastebin.com/h8SP6Bd8
17:42 < BillyCrook1> you sure you dont want to mktun tun0? (instead of tap0)
17:42 < BillyCrook1> taps are only appropriate if you're doing something other than ipv4 inside the tunnel
17:42 < Bushmills> games sound like a good reason for tap
17:43 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 240 seconds]
17:43 < HoboSteaux> yeah i looked up and it seems like games call for a tap
17:43 < BillyCrook1> weird
17:43 < BillyCrook1> ipx?
17:43 < Bushmills> broadcast, more likely
17:43 < BillyCrook1> ah
17:44 < HoboSteaux> yeah broadcasts
17:44 < Bushmills> one-to-many
17:44 < BillyCrook1> well, i wouldn't ifconfig the tap up manually, but if i had to i wouldn't specify 0.0.0.0 promisc
17:44 < BillyCrook1> everything else looks fine
17:45 < BillyCrook1> what makes you believe the subnet routing 'isn't working'
17:45 < BillyCrook1> what part of 'working' is it not doing?
17:45 < HoboSteaux> its not recieving the broadcasts from games
17:45 < HoboSteaux> i can manually join ones, but no broadcasting is working
17:56 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 240 seconds]
17:57 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
18:03 < BillyCrook1> route -n on the clients
18:03 < grendal_prime> this is really frustrating
18:03 < BillyCrook1> make sure the address its broadcasting to has its best route out through the tap
18:03 < grendal_prime> i need to get the status unformation from the box....hey wait a min...thats already written out in the openvpn-status file.
18:03 < BillyCrook1> if its 255.255.255.255/24 that its bcasting to, route add -host 255.255.255.255 tap0
18:04 < grendal_prime> shit.
18:04 < BillyCrook1> the openvpn-status file only contains actual information, not any silly unformation
18:08 < HoboSteaux> alright ty
18:09 < HoboSteaux> those are both client-side right?
18:13 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:13 -!- SkyHAPPY [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Read error: Connection reset by peer]
18:15 -!- blueboxthief [~None_of_y@83-71-8-221-dynamic.b-ras1.dbn.dublin.eircom.net] has quit [Quit: Leaving.]
18:17 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
18:20 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
18:39 -!- harlan_ is now known as harlan
18:39 -!- harlan [~harlan@minnie.everett.org] has quit [Changing host]
18:39 -!- harlan [~harlan@ntp/programmemanager/harlan] has joined ##openvpn
18:42 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 264 seconds]
18:43 -!- yakub is now known as dr_yakub
18:44 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Quit: Ex-Chat]
18:45 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:54 -!- Alphanaut [~Alphanaut@12.50.77.39] has joined ##openvpn
18:56 -!- dauergast [~sag@188-193-136-54-dynip.superkabel.de] has joined ##openvpn
18:56 < Alphanaut> anyone have any site reccos for looking up/understanding command usage?
19:27 -!- Alphanaut [~Alphanaut@12.50.77.39] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
20:06 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:13 -!- dauergast [~sag@188-193-136-54-dynip.superkabel.de] has quit [Quit: ich nutze das [G]Script... ©daGroove neuste versionen: www.grooves-welt.de]
20:16 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
20:18 -!- Webhostbudd [~Webhostbu@24.102.153.25.res-cmts.sm.ptd.net] has joined ##openvpn
20:28 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:34 -!- Webhostbudd [~Webhostbu@24.102.153.25.res-cmts.sm.ptd.net] has quit [Quit: Depression is merely anger without enthusiasm]
20:45 < HoboSteaux> gah!
20:45 < HoboSteaux> still not working
20:45 < HoboSteaux> new pastebin: http://pastebin.com/jXHKg22J
20:46 < HoboSteaux> im trying to play network games across it
20:47 < krzie> see if you have a default gateway
20:47 < HoboSteaux> alright
20:48 < krzie> im no good at helping with bridges, just thought ild throw that out there for ya
20:48 < HoboSteaux> lol im no good at almost any networking yet
20:48 < krzie> netstat -rn
20:49 < HoboSteaux> on server or client?
20:49 < krzie> oh my bad you did have routing table
20:49 < krzie> i just got home from jui jitsu, im pretty slow, lol
20:49 < HoboSteaux> heh niiice
20:49 < HoboSteaux> its on the bottom of the routing table
20:50 < krzie> yup
20:50 < HoboSteaux> pastebin*
20:50 < HoboSteaux> sorry
20:50 < krzie> ya i dunno, theres others here good with bridge tho
20:50 < krzie> or you could try the mail list
20:50 < krzie> !mail
20:50 < vpnHelper> krzie: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
20:50 < HoboSteaux> alrighty
20:51 < krzie> i normal try to talk people out of ta / bridge
20:51 < krzie> tap*
20:51 < krzie> however you said a magic word
20:51 < krzie> lan gaming
20:51 < krzie> lol
20:51 < HoboSteaux> yeah lol if it wasnt for that i wouldnt be using bridges
20:51 < krzie> i better shower, bbl
20:52 < HoboSteaux> ty
20:57 < HoboSteaux> the default server for the clients is 192.168.2.0... my server is at 192.168.2.1
20:57 < HoboSteaux> is there a way to change that to match
20:58 < HoboSteaux> and the default gateway is " " - aka none
21:28 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 240 seconds]
21:33 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Remote host closed the connection]
21:55 < HoboSteaux> !welcome
21:55 < vpnHelper> HoboSteaux: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:55 < HoboSteaux> !configs
21:55 < vpnHelper> HoboSteaux: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
21:55 < HoboSteaux> !forum
21:55 < vpnHelper> HoboSteaux: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
22:10 -!- tjz [~pc@bb121-7-118-156.singnet.com.sg] has joined ##openvpn
22:10 -!- tjz [~pc@bb121-7-118-156.singnet.com.sg] has quit [Changing host]
22:10 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
23:01 < krzie> !win_rollup
23:01 < vpnHelper> krzie: "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
23:11 < vpnHelper> New forum entry openvpnforum: Routing and Firewall Scripts :: Joel's openvn ldap firewall script :: Author krzee <http://www.ovpnforum.com/viewtopic.php?f=17&t=4667&p=5192#p5192> || Rolling Your Own Installer :: Dazo's writeup for windows rollup :: Author krzee <http://www.ovpnforum.com/viewtopic.php?f=18&t=4665&p=5190#p5190>
23:43 -!- InfoAddict [~ios@60-242-254-22.static.tpgi.com.au] has quit [Ping timeout: 258 seconds]
--- Day changed Fri May 21 2010
00:02 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
00:13 -!- InfoAddict [~ios@60-242-254-22.static.tpgi.com.au] has joined ##openvpn
00:55 -!- blueboxthief [~None_of_y@83-71-8-221-dynamic.b-ras1.dbn.dublin.eircom.net] has joined ##openvpn
00:59 -!- blueboxthief [~None_of_y@83-71-8-221-dynamic.b-ras1.dbn.dublin.eircom.net] has quit [Ping timeout: 276 seconds]
01:00 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
01:31 -!- blueboxthief [~None_of_y@83-71-8-221-dynamic.b-ras1.dbn.dublin.eircom.net] has joined ##openvpn
01:46 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:46 -!- mode/##openvpn [+o mattock] by ChanServ
01:52 -!- roentgen [~arthur@miranda/user/roentgen] has joined ##openvpn
01:54 -!- roentgen [~arthur@miranda/user/roentgen] has left ##openvpn []
02:07 -!- no_maam [~no_maam@gate.cdc.informatik.tu-darmstadt.de] has quit [Ping timeout: 240 seconds]
02:14 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
02:21 -!- no_maam [~no_maam@gate.cdc.informatik.tu-darmstadt.de] has joined ##openvpn
02:23 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Remote host closed the connection]
02:26 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:31 -!- baffle [baffle@shell.eunet.no] has joined ##openvpn
02:31 < baffle> !welcome
02:31 < vpnHelper> baffle: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:34 -!- Brayn [~Brayn@89.39.174.245] has joined ##openvpn
02:40 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
02:59 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
03:15 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
03:30 < baffle> Does OpenVPN has any concept of groups? I.e. having users with different network access rules. Or do I have to implement this with scripts/iptables?
03:33 < hyper_ch> ecrist: halp!
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:45 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 248 seconds]
04:02 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Ping timeout: 276 seconds]
04:14 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
04:25 -!- SkyHAPPY [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
04:27 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Read error: Operation timed out]
04:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
04:41 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:41 -!- mape2k [~mape2k@p5B28665D.dip.t-dialin.net] has joined ##openvpn
04:42 -!- Kniggedigge [~Knigge@f048078152.adsl.alicedsl.de] has joined ##openvpn
04:42 < Kniggedigge> guten morgen
04:44 < Bushmills> baffle: neihter
04:44 < Bushmills> neither ...
04:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
04:44 < baffle> Bushmills: Neither?
04:45 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:45 < Bushmills> use the credential support the service you allow use of offers
04:45 < Bushmills> most "groups" kind of thing openvpn knows are subnets
04:46  * Bushmills afk
04:46 < baffle> Bushmills: Well, what I need to set up is "this user (or group of users) have access to these (not directly connected) subnets. This other user have access to a different subnet.
04:46 < Kniggedigge> can someone tell me wether this server.conf should work ? http://pastebin.com/LAR2AfBT i get a connection and can surf trough the web but i can reach the lan behind the vpn...
04:47 < baffle> Bushmills: I.e. I have multiple customers, and they need access to their LANs.
04:47 < hyper_ch> Bushmills: halp!
04:48 < hyper_ch> Bushmills: can you change factoids?
04:50 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
04:53 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
04:55 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
04:55 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
05:00 -!- Kniggedigge_ [~Knigge@xdsl-78-35-137-209.netcologne.de] has joined ##openvpn
05:00 -!- Kniggedigge_ [~Knigge@xdsl-78-35-137-209.netcologne.de] has quit [Client Quit]
05:02 -!- Kniggedigge [~Knigge@f048078152.adsl.alicedsl.de] has quit [Ping timeout: 260 seconds]
05:13 -!- dazo_afk is now known as dazo
05:42 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
05:52 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
06:04 -!- dauergast [~sag@f055075019.adsl.alicedsl.de] has joined ##openvpn
06:04 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
06:09 -!- VirusTB_ [~VirusTB@ip-145-93-222-233.fontys.nl] has joined ##openvpn
06:11 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
06:13 -!- Brayn [~Brayn@89.39.174.245] has quit [Ping timeout: 276 seconds]
06:19 -!- VirusTB_ [~VirusTB@ip-145-93-222-233.fontys.nl] has quit [Quit: VirusTB_]
06:20 -!- Brayn [~Brayn@89.39.174.245] has joined ##openvpn
06:36 < ecrist> hyper_ch: what's up?
06:36 < hyper_ch> !welcome
06:36 < vpnHelper> hyper_ch: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:36 < hyper_ch> ecrist: [13:36] <vpnHelper> hyper_ch: "welcome" is is Start with !goal ||  -->> see that double "is"?
06:37  * ecrist edits database
06:37 < kala_> can I do unnumbered tunnels with OpenVPN? I'm running into addressing problems with big meshed network.
06:41 < ecrist> !welcome
06:41 < vpnHelper> ecrist: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:43 < ecrist> kala_: yes, using the tap device instead of tun
06:44 < hyper_ch> ecrist: thx :)
06:44 < kala_> this tap device works on layer 2 level?
06:45 < ecrist> yes
06:45 < kala_> hmm ... 
06:45 < ecrist> !tunortap
06:45 < vpnHelper> ecrist: "tunortap" is (#1) Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#2)
06:45 < vpnHelper> ecrist: Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#3) Start with ! goal
06:46 < vpnHelper> ecrist: || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:46 < ecrist> kala_: see what vpnHelper just said
06:47 < kala_> but I'll need to address the endpoints on ethernet layer as well? 
06:49 < ecrist> why would you
06:49 < ecrist> IP addresses are layer 3
06:49 -!- macsppadic is now known as NOTWF1god
06:55 -!- NOTWF1god is now known as macsppadic
06:56 < kala_> so, ... I could just assign IP-addresses to machine lo:1 interface, create TAP tunnel between them and then add the route to the other machine lo:1 address, pointing to TAP device? and the ARP resolution protocol works on top of the TAP tunnel?
06:56 < ecrist> yes
06:56 < kala_> :)
06:57 < ecrist> loopback isn't going to work, you can assign a second IP to a real interface, then bridge them, or assign an IP to the tap interface
06:57 < kala_> and I can have many TAP tunnels?
06:57 < ecrist> !bridge
06:57 < vpnHelper> ecrist: "bridge" is (#1) Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#2)
06:57 < vpnHelper> ecrist: Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#3) Start with ! goal
06:57 < vpnHelper> ecrist: || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#4) Start with ! goal || we may need (1 more message)
06:57 < ecrist> what the heck
06:57 < ecrist> !logs
06:57 < vpnHelper> ecrist: "logs" is (#1) Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#2)
06:57 < vpnHelper> ecrist: Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:57 < kala_> bot is broken
06:58 < ecrist> I think the bot is screwed up
06:58 < Bushmills> baffle: set up client config such that those customers entitled to access services others don't go into the same subnet
06:58 < Bushmills> !ccd
06:58 < vpnHelper> Bushmills: "ccd" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:58 < ecrist> !forget welcome
06:58 < vpnHelper> ecrist: Joo got it.
06:58 < ecrist> !logs
06:58 < vpnHelper> ecrist: "logs" is (#1) Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict), or (#2)
06:58 < vpnHelper> ecrist: Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:58 < ecrist> oh, shit
06:58 < Bushmills> then config the service such that just that subnet is allowed
06:58 < ecrist> I think my sql query was wrong
06:59 < Bushmills> hyper_ch: no, i can't
06:59 < hyper_ch> Bushmills: ecrist already did it :)
07:02 < ecrist> !tunortap
07:02 < vpnHelper> ecrist: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
07:02 < vpnHelper> ecrist: against you over the vpn
07:02 < ecrist> !welcome
07:02 < vpnHelper> ecrist: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:02 < ecrist> !forget welcome
07:02 < vpnHelper> ecrist: Error: There is no such factoid.
07:03 < ecrist> !welcome
07:03 < vpnHelper> ecrist: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:03 < ecrist> !forget welcome
07:03 < vpnHelper> ecrist: Error: There is no such factoid.
07:03 < ecrist> grr
07:03 -!- jumbers [~jumbers@fsf/member/jumbers] has joined ##openvpn
07:03 < Bushmills> !beer
07:03 < vpnHelper> Bushmills: Error: "beer" is not a valid command.
07:03 < jumbers> !welcome
07:03 < vpnHelper> jumbers: "welcome" is is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:04 < Bushmills> a bot which doesn't know beer is seriously broken
07:04 < ecrist> !welcome
07:04 < vpnHelper> ecrist: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:04 < ecrist> !tunortap
07:04 < vpnHelper> ecrist: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
07:04 < vpnHelper> ecrist: against you over the vpn
07:04 < ecrist> ok, hyper_ch, I've fixed the bot for real this time
07:05 < jumbers> Is port 443 probably the best port to use so that I have the best chance of being able to connect from anywhere?
07:05 < ecrist> I forgot that pesky where clause the first time on the update, so it change all the factoids to be the welcome factoid
07:06  * ecrist heads to work.
07:06 < jumbers> I had myself set up on 1194 but found that the network I tried to connect from had blocked most ports except 80, 443, and a couple others
07:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:12 < baffle> Bushmills: But doesn't that only control wich routes are *pushed* to the client? I.e. if a customer routes other networks thru the tunnel, won't they be able to access those as well?
07:14 < Bushmills> ccd control any part of the config which you put into the client specific file
07:14 < Bushmills> routes too, if you choose to push them
07:20 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
07:34 < ecrist> baffle: when routing, you need to control both the forward and return paths
07:35 < ecrist> so, if the other end isn't routing back through the tunnel, it won't work.
07:49 -!- G-Script50 [~sag@188-193-136-54-dynip.superkabel.de] has joined ##openvpn
07:52 -!- dauergast [~sag@f055075019.adsl.alicedsl.de] has quit [Ping timeout: 260 seconds]
07:57 < baffle> Bushmills: The OpenVPN server itself has access to all networks by default; Does the route parameters placed in a CCD only control the routing of that client?
07:57 < Bushmills> what is pushed, affects client only
07:58 < Bushmills> you might want to look at ifconfig-push
07:59 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
08:01 -!- nubix [~asd@dslb-088-071-142-181.pools.arcor-ip.net] has joined ##openvpn
08:02 -!- nubix [~asd@dslb-088-071-142-181.pools.arcor-ip.net] has left ##openvpn []
08:20 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
08:28 -!- macsppadic [~sonupunno@88.211.55.77] has left ##openvpn []
08:36 -!- Lenhix [~lenho@190.146.247.120] has joined ##openvpn
08:57 -!- dazo [~dazo@nat/redhat/x-ptfackcljdhimteg] has quit [Read error: Connection reset by peer]
08:58 -!- dazo [~dazo@nat/redhat/x-equtpjhcpxlkmsts] has joined ##openvpn
09:27 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
09:31 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:37 -!- terje [~terje@h-74-0-231-178.dnvtco56.static.covad.net] has quit [Ping timeout: 240 seconds]
09:44 < krzie> !windows
09:44 < vpnHelper> krzie: "windows" is pcs are like air conditioners, they work fine unless you open windows
09:44 < hyper_ch> krzie: hehehe :)
09:44 < hyper_ch> !linux
09:45 < vpnHelper> hyper_ch: Error: "linux" is not a valid command.
09:45 < hyper_ch> !bsd
09:45 < vpnHelper> hyper_ch: Error: "bsd" is not a valid command.
09:45 < hyper_ch> oh :(
09:45 < hyper_ch> !gentoo
09:45 < vpnHelper> hyper_ch: "gentoo" is http://gentoo.linuxhowtos.org/openvpn/openvpn.htm
09:45 < krzie> !freebsd
09:45 < vpnHelper> krzie: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
09:46 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Read error: Connection reset by peer]
09:46 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
09:47 < hyper_ch> In a world without walls and fences, who needs windows and gates?
09:47 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:52 < Alphanaut> haha
09:52 < Alphanaut> true
09:52 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Ping timeout: 260 seconds]
09:52 < Alphanaut> speaking of windows, after 5 days of tinkering i got ovpn working fantastically on my windows boxes
09:52 < Alphanaut> i know you are happy to hear that
09:52 < Alphanaut> not
09:53 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
09:55 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
09:58 -!- G-Script50 [~sag@188-193-136-54-dynip.superkabel.de] has left ##openvpn []
10:01 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has quit [Ping timeout: 240 seconds]
10:01 < krzie> !ubuntu
10:01 < vpnHelper> krzie: "ubuntu" is dont use network manager!
10:06 < hyper_ch> !wicd
10:06 < vpnHelper> hyper_ch: Error: "wicd" is not a valid command.
10:13 < theDoc> Ubuntu should be, Ubuntu is an afrikan word for gentoo is too hard for me ;)
10:14 < ScriptFanix> Ubuntu should be, Ubuntu is an afrikan word for I'm afraid of debian
10:15 < krzie> haha
10:15 < theDoc> lmao.
10:15 < theDoc> Distro bashing again, I see.
10:16 < krzie> happy birthday pacman!
10:16 < krzie> thanx for telling me google
10:16 < dazo> but I'd say ... none of these interpretations are wrong :-P
10:16 < ScriptFanix> anyway, now debian ships with network manager if you select desktop environment during installation
10:16 < theDoc> Ok, bbl.
10:16 < theDoc> :)
10:16 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
10:17 < krzie> holy shit you can lay it!
10:17 < krzie> play
10:46 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:49 < dazo> heh :)
10:49  * dazo stopped at the first "level" 
10:50 < dazo> ScriptFanix: it's not problem if Debian ships NM ... as long as it's not as borken as it often is on Ubuntu .... NM works find on Fedora with OpenVPN
10:50 < dazo> s/find/fine/
10:50 < ecrist> !*os
10:50 < vpnHelper> ecrist: Error: "*os" is not a valid command.
10:50 < ecrist> !learn *os  as just use FreeBSD
10:50 < vpnHelper> ecrist: Joo got it.
10:50 < ecrist> !*os
10:50 < vpnHelper> ecrist: Error: "*os" is not a valid command.
10:50 < ecrist> !\*os
10:50 < vpnHelper> ecrist: Error: "\*os" is not a valid command.
10:50 < dazo> heh
10:51 < ecrist> stupid bot
10:51 < krzie> you're the one giving it *os
10:51 < krzie> hehe
10:52 < dazo> obviously vpnHelper disagrees :-P
10:52  * krzie bets you decide to make it work anyways
10:52 < ScriptFanix> dazo: a few years agos, i tried network-manager, but purged it after unsuccessfully trying to set up a wifi ad-hoc network with it (to play networked frozzen-bubble in a train)
10:52 < ScriptFanix> some say it improved much
10:52 < ecrist> krzie: when I'm not neck-deep in sh!t at work.
10:53 < dazo> ScriptFanix: yeah, I've not been a big fan of NM at all .... but after Fedora 11 and Fedora 12 ... I begin to accept it
10:53 < krzie> meh i know how that is lately
10:53 < krzie> im doing way too much
10:54 < dazo> ScriptFanix: I even managed to get ad-hoc network work as well, in less than 3 minutes on first attempt
10:56 < ScriptFanix> NM is interesting though, as it provides a luser-friendly way of managing network interfaces
10:57 < ScriptFanix> but power-users will never like it :)
10:57 < dazo> exactly
10:57 < krzie> well they need to generate openvpn style openvpn configs
10:57 < krzie> instead of making their own
10:57 < krzie> then i wont be 100% against it
10:57 < dazo> that's in general one problem with GNOME at all ... it's removing power-user features, making it too simple and limited
10:57 < krzie> because if you use network manager, i cant help ya
10:58 < ScriptFanix> at work we use openvpn for roadwarriors, one of them uses ubuntu.
10:58 < dazo> krzie: well, NM just passes everything as command line arguments ... do not produce a config file at all
10:58 < krzie> dazo, i added your rollup to the forum kinda (i gave a link to wiki)
10:58 < ScriptFanix> i gave him the cert, key ca and config file, plus step by step instruction to import it in NM
10:58 < ScriptFanix> looks like it worked
10:58 < krzie> [00:11]  <vpnHelper> New forum entry openvpnforum: Routing and Firewall Scripts :: Joel's openvn ldap firewall script :: Author krzee <http://www.ovpnforum.com/viewtopic.php?f=17&t=4667&p=5192#p5192> || Rolling Your Own Installer :: Dazo's writeup for windows rollup :: Author krzee <http://www.ovpnforum.com/viewtopic.php?f=18&t=4665&p=5190#p5190>
10:58 < vpnHelper> Title: OpenVPN Forum View topic - Joel's openvn ldap firewall script (at www.ovpnforum.com)
10:59 < dazo> krzie: ahh cool!   I had completely forgotten I wrote that one :-P
10:59 < ScriptFanix> krzie: NM can simply import a standard openvpn config file so i don't have any problem with this
11:00 < dazo> ScriptFanix: true ... but it's a lot of openvpn features not supported ... and simply ignored
11:00 < krzie> ya it should run a config instead
11:01 < krzie> i foget who the ubuntu dev who was chillen in here was =/
11:02 < ScriptFanix> maybe… our roadwarrior setup is quite simple… 
11:02 -!- romel [~romel@unaffiliated/romel] has joined ##openvpn
11:03 < krzie> its a normal type of setup, ild expect that supported
11:03 < krzie> ild be surprised if my confgen could make a config not importable into NM
11:28 -!- Brayn [~Brayn@89.39.174.245] has quit [Ping timeout: 248 seconds]
11:30 < hyper_ch> nice article: http://www.groklaw.net/article.php?story=20100521100651738
11:30 < vpnHelper> Title: Groklaw - Infrastructures, by xkcd - It says it all (at www.groklaw.net)
11:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
11:33 < krzie> i find that i HAVE to go to xkcd just to see that alt-text
11:36 < hyper_ch> krzie: :) don't you have it in your rss feeder?
11:37 < krzie> only rss i do is screensaver, which doesnt mean much because its password protected screensaver and i cant hit the # to go to the link
11:37 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
11:37 < hyper_ch> lol
11:49 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
11:51 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:57 -!- Brayn [~Brayn@188.27.65.99] has joined ##openvpn
12:27 -!- astrophy [~astrophy@67.159.28.166] has quit [Ping timeout: 245 seconds]
12:45 -!- Brayn [~Brayn@188.27.65.99] has quit [Ping timeout: 252 seconds]
12:50 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
12:55 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
13:03 -!- euthymos [~chatzilla@93-40-97-27.ip38.fastwebnet.it] has joined ##openvpn
13:04 < euthymos> hi will OpenVPN (as a client) try to reconnect after a connection drop?
13:04 < euthymos> how many seconds / minutes (or just immediately) does it try to reconnect? for how much times?
13:04 < euthymos> I can find this information nowhere
13:09 < euthymos> hi?
13:10 < krzie> its in the manual
13:10 < krzie> !man
13:10 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
13:10 < krzie> do you use --keepalive?
13:10 < euthymos> is that option valid also for the client?
13:11 < krzie> see the manual
13:11 < euthymos> the docs say it's only for the server, like I used to think
13:12 < krzie> read them before commenting on what they say please
13:13 < euthymos> I've read them - and I found something interesting
13:13 < euthymos> on client side we can use --ping-restart
13:14 < krzie> you evidently missed --keepalive since you asked if it could be used client side or not =/
13:14 < krzie> note, your settings will be over-ridden by settings pushed to you by server
13:14 < krzie> if it pushes them
13:14 < euthymos> I've seen it and it *seems to me* (but I can be wrong easily) that keepalive is server-only
13:15 < krzie> --keepalive n m 
13:15 < krzie> A helper directive designed to simplify the expression of --ping and --ping-restart in server mode configurations. 
13:15 < krzie> For example, --keepalive 10 60 expands as follows: 
13:15 < krzie>  if mode server:
13:15 < krzie>    ping 10
13:15 < krzie>    ping-restart 120
13:15 < krzie>    push "ping 10"
13:15 < krzie>    push "ping-restart 60"
13:15 < krzie>  else
13:15 < krzie>    ping 10
13:15 < krzie>    ping-restart 60
13:15 < krzie> it really seems that way?
13:15 < euthymos> it didn't seem reading the specification (not the code)
13:15 < euthymos> A helper directive designed to simplify the expression of --ping and --ping-restart in SERVER mode configurations. 
13:15 < krzie> else
13:15 < krzie>    ping 10
13:15 < krzie>    ping-restart 60
13:16 < euthymos> stop repeating it :)
13:16 < euthymos> I usually think that if in the summary they say "SERVER" then I've not to read a code block seeking for and "else" clause
13:16 < krzie> oh, so you stopped reading after 1 line?
13:17 < euthymos> well if I say
13:17 < krzie> it does simplify server mode configurations
13:17 < krzie> i control clients and server with a single 1 line entry in my server conf
13:17 < euthymos> foo(bar) function converts bar from degrees to radiants
13:17 < krzie> that doesnt mean it cant be used in clients
13:17 < euthymos> then you won't read foo(bar) code to see if converts centimeters to meters
13:17 < krzie> it means what it says
13:17 < krzie> it SIMPLIFIES server mode configurations
13:18 < euthymos> oh whatever, you just want to blame me :)
13:18 < krzie> not mutually exclusive with usable in clients ;]
13:18 < euthymos> come on that's not carefully written
13:18 < krzie> well yes, dont stop after 1 line, read the docs =]
13:19 < krzie> skimming docs is equiv to trying to mount a girl after asking her name
13:19 < krzie> its not likely to go well ;]
13:19 < euthymos> krzie I'm not the n00b guy who enters the IRC channel
13:19 < euthymos> and says "please do my homework"
13:19 < euthymos> I've read bunch of docs
13:19 < krzie> glad to hear it ;]
13:20 < euthymos> and when I read that something is designed to do somewhat
13:20 < euthymos> I've no need to read further
13:20 < krzie> really?
13:20 < euthymos> really
13:20 < euthymos> and I never missed anything doing this way
13:20 < euthymos> if foo(bar) converts bar from deg to rad
13:20 < krzie> welp, evidently you have
13:20 < euthymos> sure
13:20 < krzie> exhibit a being above, when you took the 1 line to mean more than it means
13:20 < euthymos> with non-carefully written docs
13:21 < euthymos> come on
13:21 < euthymos> that line isn't clear
13:21 < krzie> feel free to report it on trac at community.openvpn.net if you like
13:21 < euthymos> whatever
13:21 < krzie> to me it was clear, especially with the details of how it works spelt out
13:21 < euthymos> that's why
13:21 < krzie> but i dont stop after 1 line
13:21 < euthymos> you already know how it works
13:22 < krzie> im not a dev
13:22 < euthymos> the no 1 problem of IT technicians
13:22 < krzie> i know how it works cause i read that
13:22 < euthymos> is that they have NO idea on what it means to put theirselves in other people shows
13:22 < euthymos> *shoes
13:22 < euthymos> you guessed and you were right
13:22 < euthymos> you're good
13:22 < krzie> all i did to understand it is read the same --keepalive that you only read 1 line of
13:22 < euthymos> sure
13:23 < euthymos> because you thought it was useful to read the code below
13:23 < krzie> didnt open the code, nothing of that sort
13:23 < euthymos> and now you're arguing with me on this stupid thing
13:23 < krzie> of course i did! they would not have put it there if it wasnt useful!
13:23 < euthymos> whatever
13:23 < euthymos> you just want to keep the point
13:24 < krzie> welp, its a winner :-p
13:24 < euthymos> you're right ok
13:24 < krzie> *shrug* need help with something?
13:24 < euthymos> no no it's ok
13:24 < euthymos> I understood what kind of help I can get here
13:24 < krzie> sounds good
13:24 < euthymos> I can hardly imagine what frustrated IT you can be
13:24 < euthymos> always winner behind the screen
13:25 < euthymos> clap clap
13:25 < krzie> telling you to rtfm really bothers you doesnt it
13:25 < euthymos> it's a standard answer
13:25 < hyper_ch> krzie: maybe he can't read
13:25 < euthymos> this time isn't fit
13:25 < krzie> ok, time to move on euthymos 
13:25 < euthymos> I can write a good manual
13:26 < euthymos> sure
13:26 -!- euthymos [~chatzilla@93-40-97-27.ip38.fastwebnet.it] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
13:27 < krzie> heh
13:27 -!- dr_yakub [~www-data@unaffiliated/yakub] has quit [Quit: leaving]
13:39 < dazo> gah ... quite a discussion
13:44 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
13:49 < krzie> ya i didnt even mean he had to leave, just to let the subject die
13:51 < dazo> yeah, I just think he left because it was too embarrassing for him to realise the realities ...
13:52 < dazo> krzie: have you had any experiences with the SCTP protocol?  (instead of UDP or TCP)
13:53 < krzie> neg
13:54 < krzie> is it used besides SS7?
13:56 < dazo> it's more like a protocol which combines the advantages of both UDP and TCP, how I've understood it .... with multi-homing support on both client and server side, where it will switch between the "channels" transparently based on which connection is best - without renegotiating the connection
13:57 < dazo> plus supports multiple separate streams on one connection
13:57 < dazo> http://www.ibm.com/developerworks/linux/library/l-sctp/
13:57 < vpnHelper> Title: Better networking with SCTP (at www.ibm.com)
13:58 < krzie> looks cool!
13:58 < krzie> i had only heard of it in reference to ss7
13:59  * dazo see more and more security related kernel fixes for SCTP ... so he needs to get to know this to do his real job well
13:59 < krzie> but it looks like it could be so much more useful than just ss7
13:59 < dazo> yeah
13:59 < krzie> if you dont use it, just disable it!
13:59 < krzie> then no fixes needed ;]
13:59 < dazo> heh
14:00 < krzie> use the hammer(tm)
14:00 < dazo> well, I'm doing kernel QA .... and some customers insist on having SCTP :-P
14:00 < krzie> ahh
14:00 < krzie> they do ss7 or is it being used for more currently?
14:01 < dazo> I dunno ... I'd guess it's just standard SCTP over normal networks
14:01 < dazo> sctp must be ideal for filesharing :-P
14:01 < krzie> i would sure think so!
14:02 < krzie> it seems to solve what so many have attempted to hack up in firewalls, real multi-homing
14:02 < dazo> exactly
14:03 < krzie> would be an interesting transport in ovpn3.0
14:03 < dazo> streaming on demand would be a clear winner for sctp
14:03 < dazo> krzie: exactly my thoughts ;-)
14:03 < krzie> (as a pluggable module of course =] )
14:03 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
14:03 < dazo> krzie: go and have a look at the roadmap :-P
14:03 < krzie> hah you already added sctp!?
14:04 < krzie> oh right
14:04 < krzie> socket module
14:04 < dazo> yeah ;-)
14:04 < krzie> ya exactly what i was thinking =]
14:05 < krzie> "for the creative minds"
14:05 < krzie> also could have a DNS module =]
14:06 < krzie> although we'ld basically kill a project i like, iodine
14:06 < dazo> I was thinking about writing that ... but I thought, let's not write it ... people will expect it immediately in v3 :-P
14:06 < krzie> then again, maybe those guys would want to write the socket module!
14:06 < krzie> i will talk to them about it when its time
14:07 < krzie> then instead of rewriting iodine for a new version they could use the ovpn network core
14:07 -!- disco-_ [disco@andromeda.h4xed.com] has joined ##openvpn
14:07 < krzie> since im sure they have a bunch of stuff theyd like to do, and using the ovpn3 way would make their lives easier
14:07 < dazo> yupp!
14:09 < krzie> and their app doesnt automaticly handle routing, etc
14:09 < dazo> I'm looking fwd to James' feedback to my updates on the roadmap ... to see if we're agreeing more on the path, but I believe this clarifies a lot of things from the meeting we had
14:09 < krzie> my script for doing that is on their trac
14:09 < krzie> lus their app doesnt support windows
14:09 < krzie> so theyd surely gain from making the module
14:09 < krzie> i do too, nicely done
14:09 < dazo> what do you really mean with dynamic routing?
14:10 < krzie> huh?
14:10 < krzie> like openvpn sets routes for the user, iodine does not
14:10 < dazo> that the server can push out new routes to clients during an open session?
14:10 < krzie> are you talking about a different subject?
14:10 < dazo> "dynamic" can be understood in different contexts
14:11 < krzie> i didnt use the word dynamic
14:11 < dazo> ahh!   true! :)
14:11  * dazo blames the late Friday
14:11 < krzie> *confused*
14:11 < krzie> oh ok
14:11 < krzie> you read automatic as dynamic?
14:11 -!- disco- [disco@andromeda.h4xed.com] has quit [Ping timeout: 276 seconds]
14:12 < krzie> gotchya i think =]
14:12 < krzie> im stuck with a tough decision
14:12 < dazo> yeah, I did :)
14:12 < krzie> im too lazy to get out of bed, but im hungry
14:12 < dazo> lol
14:12 < krzie> thinking bout calling delivery, but that still means i have to put pants on
14:12 < krzie> (when they get here)
14:12 < dazo> if you're not getting out ... you'll die unhappy of hunger :-P
14:13 < krzie> well i only get 1 day off, ild live til then
14:13 < krzie> eheh
14:15 -!- DrPepper2 [~DrPepper@88.207.189.81] has joined ##openvpn
14:15 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
14:15  * dazo so much dislikes people who starts mails with "sorry for my bad English" ... just to write a clearly understandable mail after that disclaimer ...
14:15 < dazo> :-P
14:23 < krzie> meh, i understand it
14:23  * dazo too
14:23 < krzie> my spanish is not perfect, but i can come across well on occasion
14:25 < krzie> think a mcdonalds cheeseburger from last night, still wrapped up, is still safe?
14:25 < krzie> lol
14:26 < dazo> heh
14:26 < dazo> got a microwave?  heat it well :-P
14:27 < krzie> works for me!
14:27 < krzie> the delivery i wanted isnt delivering right now
14:27 < dazo> what kind of openvpn hook was it where you could dynamically add config lines which could be pushed to a client?
14:27  * dazo can't recall how this was
14:28 < krzie> --client-connect?
14:29 < krzie> --client-connect
14:29 < krzie> Executed in --mode server mode immediately after client authentication.
14:29 < krzie> i know that can be used to push ifconfig at client, such as the first method in iporder
14:30 < dazo> not sure ... I believe you got a filename as either env variable or as an argument to the script (don't recall) ... you wrote your config lines to that file .... and voila, it's dynamically added to the config
14:30 < krzie> !iporder
14:30 < vpnHelper> krzie: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
14:30 < dazo> maybe I'm confusing it with some patches I've seen for inclusion to the -testing tree
14:30 < krzie> and if it needs to be done upon client connect, i would think thats the script to look at
14:31 < krzie> nah, i think thats how it works (how you said)
14:31 < krzie> i think the output file is like a dynamic ccd entry
14:32 < dazo> exactly!
14:32 < krzie> i havnt used it, but it sounds very familiar
14:32 < dazo> that makes me feel less crazy ... lol
14:32 < krzie> (i remember reading up on it time ago)
14:33 < dazo> hmm ... I think I remember something from when I hardened the create_temp_file() stuff some weeks ago
14:35 < dazo> krzie: I think you're right!  Looks like --client-connect ;-)
14:36 < krzie> =]
14:41 -!- pmatulis [~peter@64.34.151.178] has joined ##openvpn
14:45 -!- jumbers [~jumbers@fsf/member/jumbers] has quit [Quit: jumbers]
14:46 < pmatulis> how do i get my clients to use an internal dns server?
14:46 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
14:47 < pmatulis> the dhcp-option doesn't seem to work
14:47 < pmatulis> anyway, how does the client know what dns server to use?  it's global one or the pushed one?
14:49 < krzie> what os clients?
14:50 < pmatulis> krzie: ubuntu mostly
14:50 < krzie> !pushdns
14:50 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
14:50 < krzie> see #4
14:51 < pmatulis> krzie: looking
14:52 < pmatulis> krzie: so this script will re-write /etc/resolv.conf?
14:53 < krzie> it uses resolvconf app iirc
14:53 < krzie> take a look at it
14:56 < pmatulis> krzie: thanks
14:56 < krzie> np
14:57 < pmatulis> krzie: is it "all or nothing"?  ideally i just want to use the internal nameserver for internal systems
14:57 < krzie> yes it is
14:57 < krzie> the solution for making it not all-or-nothing is outside openvpn
14:57 < krzie> dnsmasq
14:57 < krzie> assuming you mean what i THINK you mean
14:58 < krzie> but maybe i misunderstand
15:02 -!- pmatulis [~peter@64.34.151.178] has quit [Ping timeout: 260 seconds]
15:12 -!- DrPepper2 [~DrPepper@88.207.189.81] has quit [Quit: Leaving...]
15:20 -!- SkyHAPPY [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
15:31 -!- Lenhix [~lenho@190.146.247.120] has quit [Quit: Mindwall!!]
15:31 < killown> i can't start openvpn http://pastebin.com/GapdrSNq can anyone help me?
15:32 < dazo> killown: I hope you can interpret the meaning of this sentence:  Cannot resolve host address: <your: [HOST_NOT_FOUND] The specified host is unknown.
15:33 < dazo> that means you need to check your config file ... and make sure the hostnames used there are proper hostnames
15:33 < killown> ok
15:34 < krzie> Cannot resolve host address: <your: 
15:34 < krzie> hehehe
15:34 < krzie> prolly says "your host here"
15:35 < krzie> <your server hostname>
15:36 < killown> push "dhcp-option DNS 200.204.0.10"
15:36 < killown> push "dhcp-option DOMAIN Matriz"
15:36 < killown> ?
15:36 -!- dazo is now known as dazo_afk
15:36 < krzie> what about it
15:38 < killown> i don't know where is wrong
15:38 < krzie> remote
15:38 < killown> ohh local <your ip address> ## ip/hostname of server
15:38 < killown> sorry
15:38 < krzie> there you go
15:38 < krzie> heh
15:39 < krzie> instead of blindly using some configs from the web
15:39 < krzie> maybe try this?
15:39 < krzie> !confgen
15:39 < vpnHelper> krzie: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
15:39 < killown> https://help.ubuntu.com/community/OpenVPN it's not so bad
15:39 < vpnHelper> Title: OpenVPN - Community Ubuntu Documentation (at help.ubuntu.com)
15:40 < krzie> false
15:40 < krzie> theres no reason to use bridge unless you need layer2 traffic
15:40 < krzie> thats why i hate those wanna-be howtos
15:40 < killown> ok
15:40 < krzie> they give you bridge mode without telling you that 99% of the time you dont need it
15:48 < killown> Krikke, i am following this tutorial http://www.doeshosting.com/code/openvpn-confgen.tgz hehe
15:49 < krzie> its not a tutorial
15:49 < krzie> just a way of getting started =]
15:49 < krzie> still wants you to understand the howto / manual some
15:49 < krzie> it wont help with troubleshooting or gaining extra functionality, but it will give you a solid base
15:50 < killown> Krikke, ok thanks
16:13 < vpnHelper> New forum entry openvpnforum: Cert / Config management :: openvpn-confgen :: Author krzee <http://www.ovpnforum.com/viewtopic.php?f=22&t=4683&p=5208#p5208>
16:14 < ecrist> that being said, there's nothing really _wrong_ with bridge mode, either.
16:18 < krzie> more likely for the user to lock themselves out of the remote end, higher overhead, opens you up to layer2 attacks over the network
16:18 < krzie> there is nothing right about it, unless you need it
16:19 < ecrist> two of my three vpns use bridge mode. :P
16:19 < krzie> im happy for you =]
16:19 < krzie> i have gotten to my destination by starting in the wrong direction as well
16:20 < krzie> in fact i did that last night while getting food
16:33 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:34 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
16:36 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Ping timeout: 272 seconds]
16:36 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
16:37 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
17:16 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 258 seconds]
17:21 < killown> assuming I have two internet connection .. the first ADSL 'ip pppoe 200.201.100.121' is in openvpn server 'ip 192.168.1.0' and the another one 'pppoe ip 200.121.100.10' is in client '192.168.2.0 '   this  conf >> http://bpaste.net/show/6553/  should work?
17:23 < krzie> i would think so
17:23 < krzie> btw 'client' could use nobind
17:23 < krzie> also, this is only ptp, you cant use another "client"
17:23 < krzie> im saying "client" because its not server/client, just peer-to-peer
17:25 < killown> kraut, ok thank you
17:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
17:28 < killown> sorry i mean krzie 
17:28 < krzie> np
17:28 < krzie> confgen didnt work for you?
17:32 < killown> krzie, i not have two adsl connections... i am just figure out if it should be work
17:37 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
17:49 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:02 < killown> krzie, what port should i allow in openvpn server to allow client to connect?
18:03 < krzie> whichever you want, as long as everything agrees
18:03 < krzie> 1194 is ovpn default
18:03 < killown> krzie, thanks
18:14 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
18:23 -!- BillyCrook1 [~BillyCroo@BillyCrook-1-pt.tunnel.tserv9.chi1.ipv6.he.net] has quit [Quit: Leaving.]
18:42 -!- corretico_ [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
19:45 -!- APTX_ [~APTX@phpBB/developer/APTX] has joined ##openvpn
19:45 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Connection reset by peer]
19:48 -!- blueboxthief [~None_of_y@83-71-8-221-dynamic.b-ras1.dbn.dublin.eircom.net] has quit [Quit: Leaving.]
20:21 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
20:44 -!- tjz [~pc@bb121-7-118-156.singnet.com.sg] has joined ##openvpn
20:44 -!- tjz [~pc@bb121-7-118-156.singnet.com.sg] has quit [Changing host]
20:44 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:45 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
20:45 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: Operation timed out]
20:45 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
20:46 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
20:50 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
20:51 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
21:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
21:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
21:46 < HoboSteaux> anyone familliar with TAP devices?
21:55 < HoboSteaux> :[
22:04 -!- mape2k [~mape2k@p5B28665D.dip.t-dialin.net] has quit [Ping timeout: 260 seconds]
22:04 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
22:13 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Read error: Connection reset by peer]
22:25 < tjz> Hobo, have you try create them via 'utilities'?
22:27 < HoboSteaux> i have one, layer 2 isnt getting through
22:27 < HoboSteaux> http://pastebin.com/uhfsVyBM
22:31 -!- dollabill [~mike@64.sub-75-203-28.myvzw.com] has joined ##openvpn
22:43 -!- raidzx [~Andrew@seance.openvpn.org] has joined ##openvpn
22:44 -!- dollabill [~mike@64.sub-75-203-28.myvzw.com] has quit [Ping timeout: 272 seconds]
22:46 -!- raidz [~Andrew@seance.openvpn.org] has quit [Ping timeout: 248 seconds]
23:00 -!- jumbers [~jumbers@fsf/member/jumbers] has joined ##openvpn
23:18 -!- BillyCrook1 [~BillyCroo@BillyCrook-1-pt.tunnel.tserv9.chi1.ipv6.he.net] has joined ##openvpn
23:19 -!- BillyCrook1 [~BillyCroo@BillyCrook-1-pt.tunnel.tserv9.chi1.ipv6.he.net] has quit [Client Quit]
23:38 < Bushmills> Maxim Krasnyansky is
23:38 < Bushmills> (familliar with)
--- Day changed Sat May 22 2010
00:09 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
00:10 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:20 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
01:23 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
02:19 -!- DrPepper2 [~DrPepper@88.207.189.81] has joined ##openvpn
02:21 -!- alexc [~alexc@unaffiliated/alexc] has joined ##openvpn
02:21 < alexc> http://pastebin.fr/7935
02:22 < alexc> i can't figure out how to route it properely
02:28 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has joined ##openvpn
02:28 < lazarus477> !welcome
02:28 < vpnHelper> lazarus477: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:29 < lazarus477> Howdy folks.
02:29 < lazarus477> I setup OpenVPN about three years ago and ran it for two.
02:30 < lazarus477> How is it these days, still snug and open or has it turned into a corporate mess?
02:33 < alexc> !redirect
02:33 < vpnHelper> alexc: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
02:34 < alexc> !ipforward
02:34 < vpnHelper> alexc: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
02:34 < alexc> !linipforward
02:34 < vpnHelper> alexc: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
02:40 < alexc> !nat
02:40 < vpnHelper> alexc: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
02:41 < alexc> !linnat
02:41 < vpnHelper> alexc: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
02:50 < alexc> is there anything wrong in my confs? http://pastebin.fr/7935
02:50 < alexc> I'm trying to redirect traffic
02:52 < alexc> How do you look at your NAT configuration?
02:55 < Bushmills> by listing your tables and chains 
03:00 < alexc> it doesn't say anything about NAT
03:00 < alexc> it pretty much just says accept everything
03:35 < Bushmills> then ask about the nat table 
03:37 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:37 < Bushmills> and look at this issue: WARNING: potential route subnet conflict between local LAN [10.88.0.0/255.255.255.0] and remote VPN [10.88.0.0/255.255.255.0]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:41 -!- SkyHAPPY [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
04:01 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has quit [Quit: leaving]
04:04 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
04:11 -!- takamichi [~pri@78.133.37.89] has joined ##openvpn
04:53 -!- alexc [~alexc@unaffiliated/alexc] has quit [Remote host closed the connection]
04:54 < tjz> real water bed... lol!! :D - http://www.youtube.com/watch?v=9wm-Ge8LL7o&feature=player_embedded
04:54 < vpnHelper> Title: YouTube - Real water bed (at www.youtube.com)
04:58 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 258 seconds]
04:59 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
05:18 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
05:46 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
05:48 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:19 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-irykofadhsexiduk] has quit [Ping timeout: 258 seconds]
06:20 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-qnvvbztnxepqufif] has joined ##openvpn
06:40 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 258 seconds]
06:43 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:51 -!- f1assistance1 [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
06:52 -!- f1assistance1 [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
07:17 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
07:25 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
08:01 -!- pingufan [~rainer@89-104-9-115.customer.bnet.at] has joined ##openvpn
08:03 < pingufan> Hello, is somebody here who can help me with openSuSE, openVPN and SuSEFirewall2?   I accidently changed something on the server side. Now I can reach only the server through the VPN tunnel, but not the clients behind of it.  I did something wrong withthe firewall, but I cannot find it.
08:03 < pingufan> Please, help.
08:23 -!- roentgen [~arthur@miranda/user/roentgen] has joined ##openvpn
08:23 < Bushmills> good that you know where the problem is. try disabling the firewall
08:24 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Client Quit]
08:24 -!- roentgen [~arthur@miranda/user/roentgen] has joined ##openvpn
08:24 -!- roentgen [~arthur@miranda/user/roentgen] has left ##openvpn []
08:27 < pingufan> Bushmills: I use class-routing in the firewall, this inter-connects eth1 (LAN) and tun0 (tunnel). Disabling the firewall will not help.
08:27 < Bushmills> !firewall
08:28 < vpnHelper> Bushmills: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
08:28 < Bushmills> when it works again without firewall, you can try to fix your firewall rules
08:29 < pingufan> I can reach the server through the tunnel from the client. This already (and still) works, but not the clients on the other side's LAN.
08:31 < pingufan> So the vpn itself works
08:31 < pingufan> between the two hosts at the ends of the tunnel
08:33 < pingufan> I had this situation long time ago, I tried several things without success, and then it suddenly worked again.
08:51 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
08:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
09:02 -!- Janus- [~peter@m83-185-25-246.cust.tele2.se] has joined ##openvpn
09:02 < Janus-> !welcome
09:02 < vpnHelper> Janus-: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:03 < hyper_ch> hi Janus-
09:03 < Janus-> hello.
09:03 < hyper_ch> what is it like to have two heads?
09:03 < hyper_ch> sorry, two faces :)
09:03 < Janus-> hyper_ch: at times. confusing. 
09:04 < Janus-> !configs
09:04 < vpnHelper> Janus-: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
09:05 < Janus-> on the other hand so is my openvpn problem. =D
09:06 < hyper_ch> there are no problems... just challenges to make it do what you want
09:06 < Janus-> hyper_ch: true. 
09:09 < Janus-> hyper_ch: Its just that I thought knew how to set up a vpn, since Ive done it a couple of times. But now, its strange, it connects, gets an ip. but there seems to be some kind of routing issue since I cant ping the server over the tap.
09:09 < hyper_ch> you have the def1 redirect push in the server config?
09:10 < Janus-> hyper_ch: no and I dont want it either. Im building a private vpn for internal use. 
09:10 < hyper_ch> pastebin youre grepped configs :)
09:10 < Janus-> hyper_ch: I do have client-to-client activated even though there is so far only one client. 
09:11 < Janus-> hyper_ch: working on it. 
09:13 < Janus-> server config: http://pastebin.com/uYFMb8hL client config: http://pastebin.com/CrgdNsUH
09:14 < Janus-> ignore the error with conflicting ips, I forgot to change it on the second one. *oops*
09:17 < hyper_ch> how about adding to the server:  push "route 10.103.47.0 255.255.255.0"
09:18 < Janus-> and here is the problem. http://pastebin.com/hqewLEjR , no other problems with the openvpn log.
09:18 < Janus-> oki
09:18 -!- romel [~romel@unaffiliated/romel] has quit [Ping timeout: 240 seconds]
09:20 < Janus-> hyper_ch: no, still 100% packetloss to the server over the vpn.
09:23 < hyper_ch> are you sure you need tap?
09:24 < hyper_ch> and why tcp?
09:25 < hyper_ch> and remote is not an ip address
09:25 < hyper_ch> there's a 443 at the end
09:31 < Janus-> hyper_ch: but the problem isn't that it doesnt connect. 
09:31 < Janus-> I have used tap for situations like this before with no problems. 
09:31 < hyper_ch> !tell Janus- [tunortap]
09:32 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
09:33 < Janus-> hyper_ch: hmm, but I was under the impression that client-to-client only worked on tap?
09:34 < hyper_ch> well, no clue
09:34 < hyper_ch> what do yu need client-to-client for?
09:36 < Janus-> hyper_ch: so that the clients can connect to each other. for example. having any services that are able to gain remote access to the machine are bound to the internal vpn network. therefore needing to authenticate oneself to the network before even being able to authenticate with remote services. 
09:37 < hyper_ch> well, I can connect to the different clients on the vpn
09:37 < hyper_ch> and don't have client-to-client enabled
09:37 < hyper_ch> ah, I think I see what you mean
09:37 < hyper_ch> !confeng
09:37 < vpnHelper> hyper_ch: Error: "confeng" is not a valid command.
09:38 < Janus-> hyper_ch: du you use tun? doesnt that use 4 ips per client?
09:38 < hyper_ch> !confgen
09:38 < vpnHelper> hyper_ch: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
09:39 < Janus-> hyper_ch: this looks interesting. Ill look through it. 
09:40 < hyper_ch> well, I just tested it, I can reach through the vpn the apache server on one of the vpn clients by using it's vpned address
09:40 < hyper_ch> haven't tried that before :)
09:41 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
09:43 < Janus-> hyper_ch: usefull if you want to have an internal web server that isnt accessable from the outsisde. 
09:49 < hyper_ch> I'll just pastebin my configs :)
09:52 -!- pingufan [~rainer@89-104-9-115.customer.bnet.at] has left ##openvpn ["Konversation terminated!"]
09:56 < hyper_ch> Janus-: http://pastebin.com/Quv2vPh6
09:58 < krzie> !c2c
09:58 < vpnHelper> krzie: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
09:58 < vpnHelper> krzie: behind other clients
09:59 < hyper_ch> mr. krzie has appeared on stage :)
09:59 < krzie> ya but only kinda
09:59 < krzie> hangover and puffing on a blunt
10:00 < krzie> (thats how i get rid of hangovers)
10:00 < hyper_ch> I don't get hangovers
10:00 < hyper_ch> at least I can't remember them ;)
10:11 -!- zheng [~zheng@114.92.133.4] has joined ##openvpn
10:12 < hyper_ch> krzie: you got some bash-fu for me?
10:14 < krzie> whatchya need?
10:14 < krzie> btw
10:14 < krzie> [10:25]  <hyper_ch> and remote is not an ip address
10:14 < krzie> [10:25]  <hyper_ch> there's a 443 at the end
10:14 < krzie> remote <ip> <port> <proto>
10:14 < krzie> at least in 2.1.1
10:14 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
10:14 < krzie> in 2.0 only ip port
10:14 < krzie> either way, port after ip is fine
10:15 < krzie> oh and all <> i meant [], they are optional on remote command
10:17 < hyper_ch> krzie: ok
10:18 < hyper_ch> krzie: well, assume I have really a lot of files that are labelled like   random text [20xx].txt --> where 20xx are different years
10:18 < hyper_ch> how would I now select all e.g. 2009 files and move them to some other place?
10:19 < hyper_ch> mv "*\[2009\].txt" /new/loc/   ?
10:19 < krzie> [11:19]  <krzie> !glob
10:19 < krzie> [11:19]  <greybot> "Glob", the common name for pattern matching, filename expansion, "wildcards", etc. http://mywiki.wooledge.org/glob
10:19 < vpnHelper> Title: glob - Greg's Wiki (at mywiki.wooledge.org)
10:20 < krzie> =]
10:21 < krzie> mv *2009*.txt /new/loc should be fine
10:22 < krzie> mv *2009?.txt /new/loc should be fine
10:22 < krzie> etc
10:22 < hyper_ch> krzie: wouldn't that be way too simple? well, I'll try it... stupid me
10:23 < krzie> what they just gave you is good too
10:33 < Janus-> hyper_ch: got it working. thx!
10:34 < krzie> !iphone
10:34 < vpnHelper> krzie: "iphone" is (#1) http://github.com/jfx2006/OpenVPN_iphone/downloads for precompiled iphone binaries, or (#2) http://modmyi.com/cydia/package.php?id=15784 for the gui portion
10:39 -!- Netsplit *.net <-> *.split quits: sigius, zero-__, n0sq, APTX_
10:39 -!- zero-_ [~zero@noc.toile-libre.net] has joined ##openvpn
10:40 -!- Netsplit over, joins: n0sq
10:42 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
10:42 -!- Serideru [~GTWebster@24-117-150-192.cpe.cableone.net] has joined ##openvpn
10:46 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
10:52 -!- zheng [~zheng@114.92.133.4] has quit [Quit: Leaving]
10:54 < krzie> !learn android as http://github.com/fries/android-external-openvpn for the android version of openvpn
10:54 < vpnHelper> krzie: Joo got it.
10:56 -!- SkyHAPPY [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
11:01 < hyper_ch> Janus-: what configs did you use now?
11:16 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 245 seconds]
11:18 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
11:35 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
11:46 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 276 seconds]
11:47 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
11:47 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
11:50 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
11:52 < hyper_ch> http://gizmodo.com/5544988/how-to-try-android-froyo-on-your-computer
11:52 < vpnHelper> Title: How To: Try Android Froyo On Your Computer (at gizmodo.com)
12:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:19 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Quit: ZNC - http://znc.sourceforge.net]
12:20 < n0sq> it's interesting that every wiki and linux admin book has a different way to get openvpn running
12:20 -!- cron2_ is now known as cron2
12:20 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
12:21 < n0sq> one of these days i'll figure out how to put all the info together and get it working
12:25 < krzie> !confgen
12:25 < vpnHelper> krzie: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
12:27 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 272 seconds]
12:38 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Excess Flood]
12:40 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
12:49 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
13:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:16 -!- jumbers [~jumbers@fsf/member/jumbers] has quit [Quit: jumbers]
13:18 -!- SkyHAPPY [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:29 -!- avar [avar@wikipedia/avar] has joined ##openvpn
13:29 < avar> !welcome
13:29 < vpnHelper> avar: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:29 < avar> !redirect
13:29 < vpnHelper> avar: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:30 < avar> !def1
13:30 < vpnHelper> avar: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
13:30 < avar> !nat
13:30 < vpnHelper> avar: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
13:30 < avar> !linnat
13:30 < vpnHelper> avar: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
13:31 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Excess Flood]
13:32 < zamba> can openvpn 2.0.x connect to 2.1.x?
13:32 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
13:33 < avar> Ah rad, !linnat solved my problem. I couldn't route through the VPN and was using the wrong iptables line
13:40 < avar> This is the OpenVPN setup I just set up (and documented). I'm using a shared secret key: http://github.com/avar/linode-etc/tree/master/openvpn/ 
13:40 < vpnHelper> Title: openvpn at master from avar's linode-etc - GitHub (at github.com)
13:40 < avar> It's working, but is there perhaps something I could be doing better?
13:40 < killown> !route
13:40 < vpnHelper> killown: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:54 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
13:55 -!- Janus- [~peter@m83-185-25-246.cust.tele2.se] has quit [Ping timeout: 240 seconds]
14:00 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
14:30 -!- killown [~killown@unaffiliated/killown] has quit [Ping timeout: 240 seconds]
14:35 < krzee> avar, congrats on using the bot to find your problem!
14:35 < krzee> most people stop too early =]
14:36 < krzee> and you asked if you could do something better
14:37 < krzee> you could use certificates
14:37 < krzee> !confgen
14:37 < vpnHelper> krzee: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
14:37 < krzee> that will build you server and client configs for that style setup, then you just need certs, dh params, and tls static key
14:37 < krzee> last 2 are optional, but recommended
14:38 < krzee> as for network-manager, you can import the configs into network manager
14:38 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
14:38 < krzee> zamba, yes, assuming your server has nothing 2.1 specific
14:39 < krzee> but thats for a server/client model
14:39 < krzee> yours right now is point to point, you cant have 2 clients (because there is no server or client, just 2 endpoints)
14:40 < krzee> of course thats all optional, your setup is working, and if you require no more it sounds like you're done, i only mention what i did above because you asked =]
14:44 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
15:00 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:14 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
15:22 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
15:23 -!- killown [~killown@unaffiliated/killown] has quit [Ping timeout: 248 seconds]
15:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
15:30 < avar> krzee: The public key mode looks more secure, but the static key mode is more idiotic and simple. So that's what I'm going for :)
15:30 < avar> krzee: This is just a personal setup anyway, something I'm using instead of running a browser in an stunnel
15:30 < krzee> cool
15:33 < avar> Trying to find out if dev tun0 / ifconfig 10.9.8.1 10.9.8.2
15:33 < avar> ..damn newline, is inherently incompatible with having >1 client though. And if I have to switch to TAP devices
15:35 < avar> This is very informatine: http://en.wikipedia.org/wiki/TUN/TAP  :)
15:35 < vpnHelper> Title: TUN/TAP - Wikipedia, the free encyclopedia (at en.wikipedia.org)
15:41 < krzee> not tap interfaces
15:41 < krzee> tun with server
15:41 < krzee> like this
15:41 < krzee> !sample
15:41 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
15:45 < avar> Thanks, but "--server and --secret cannot be used together". So I'll hammer up a TLS setup if someone else cares enough to use the vpn, right now it's just me.
15:49 < jnss> so i got vpn tunnels to work
15:52 < jnss> now i need to figure out how to get the routing from the local machine to the vpn server and then onto another vpn link
16:05 -!- notbrien [~notbrien@198.105.46.146] has joined ##openvpn
16:22 -!- notbrien [~notbrien@198.105.46.146] has quit [Quit: notbrien]
16:33 < jnss> need to get the ip traffic flowing out from the server to the internet to go through tun0, no eth0
16:33 < jnss> is this doable from inside the config file|?
16:34 < krzee> well kinda
16:34 < krzee> thing is, this setup is too advanced for me to really wanna explain it all
16:35 < krzee> if you fully understand !route you should be able to figure it out more or less
16:35 < krzee> its basically a vpnchain with default routing to internet
16:35 < krzee> !route
16:35 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:36 < krzee> http://www.secure-computing.net/wiki/index.php/OpenVPN/VpnChains
16:36 < vpnHelper> Title: OpenVPN/VpnChains - Secure Computing Wiki (at www.secure-computing.net)
16:57 < jnss> thanks
17:05 -!- datalock [ircap@189.35.138.3] has joined ##openvpn
17:05 -!- avar [avar@wikipedia/avar] has left ##openvpn []
17:09 -!- datalock [ircap@189.35.138.3] has quit [Client Quit]
17:43 < jpalmer> krzee: how goes it?
17:44 < krzee> hey man, doing alright
17:45 < jpalmer> can I /msg?
17:49 < krzee> sure
17:49 < krzee> no worries, your exempt from the no msg'ing thing
17:49 < krzee> msg when you like
17:49 < jpalmer> danke
17:53 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
17:55 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
18:14 < krzee> !iphone
18:14 < vpnHelper> krzee: "iphone" is (#1) http://github.com/jfx2006/OpenVPN_iphone/downloads for precompiled iphone binaries, or (#2) http://modmyi.com/cydia/package.php?id=15784 for the gui portion
19:35 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
20:04 -!- InfoAddict [~ios@60-242-254-22.static.tpgi.com.au] has quit []
20:14 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
20:37 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:49 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
21:00 -!- dollabill [~mike@239.sub-75-202-135.myvzw.com] has joined ##openvpn
21:06 -!- dollabill [~mike@239.sub-75-202-135.myvzw.com] has quit [Ping timeout: 264 seconds]
21:34 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
21:45 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Remote host closed the connection]
21:45 -!- killown [~killown@unaffiliated/killown] has quit [Read error: Connection reset by peer]
21:58 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
22:23 -!- notbrien [~notbrien@69.86.1.238] has joined ##openvpn
22:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
22:43 -!- notbrien [~notbrien@69.86.1.238] has quit [Quit: notbrien]
22:58 -!- killown [~killown@189.110.229.219] has joined ##openvpn
22:58 -!- killown [~killown@189.110.229.219] has quit [Changing host]
22:58 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
23:39 -!- alexc [~admin@unaffiliated/alexc] has joined ##openvpn
23:41 -!- alexc [~admin@unaffiliated/alexc] has quit [Client Quit]
--- Day changed Sun May 23 2010
00:44 < HoboSteaux> hey im having troubles with a TAP bridge
01:41 < krzie> sry to hear that
01:48 -!- raidzx [~Andrew@seance.openvpn.org] has quit [Quit: Leaving]
01:52 < takamichi> Anyone have any info on CPU requirements and concurrent connections?
01:53 < hyper_ch> google
01:53 < hyper_ch> google knows it all :)
01:53 < krzie> takamichi, how many you wanting?
01:53 < krzie> how many cores you got?
01:54 < takamichi> Im specing a server. I need minimum 100 concurrent users
01:55 < takamichi> Users would be connecting and disconnecting at random times, no 9-5 spikes
01:56 < takamichi> @krzee, any idea? got any data?
02:06 < krzie> you didnt mention a maximum, and i have no real numbers
02:07 < krzie> as it seems so many people care more about getting them than giving them
02:07 < krzie> 1 thing i cant tell you is openvpn itself is a single core process right now
02:08 < krzie> so if you run it 4x with 4 subnets (1 for each) you can get 4x as much out of it itself
02:09 < krzie> remember, its encryption is done by openssl procs and not inside openvpn proc
02:18 < takamichi> krzie, that helps, thank you very much
02:19 < krzie> glad it helped!
02:19 < krzie> that 4x thing was if you had 4 cores btw
02:19 -!- disco-_ [disco@andromeda.h4xed.com] has quit [Read error: Operation timed out]
02:19 < takamichi> did you mean running 4 instances of openvpn each with their own subnet?
02:19 -!- disco- [disco@andromeda.h4xed.com] has joined ##openvpn
02:19 < krzie> only in the case you have 4 cores
02:19 < takamichi> ah right
02:19 < takamichi> got it
02:20 < krzie> basically, openvpn core is not multithreaded
02:20 < krzie> so its bound to a core
02:20 < takamichi> gotcha
02:20 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 240 seconds]
02:20 < krzie> for encryption it calls openssl (openvpn doesnt do its own encryption)
02:20 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
02:20 < takamichi> yeah I know that much :)
02:20 < krzie> so each openssl is bound to whatever core its on
02:21 < takamichi> thx krzie
02:21 < krzie> np
02:22 < krzie> one day that wont be true
02:22 < krzie> but it could be awhile out
02:22 < krzie> and i think when that comes, openvpn itself will be quite different
02:23 < krzie> (while still being able to do the same stuff)
02:32 -!- hid3 [~tst@lan-78-157-71-116.vln.skynet.lt] has joined ##openvpn
02:33 < hid3> Hello everyone. How can I pass the multicast traffic through my OpenVPN tunnel (TUN interface)?
03:03 -!- DrPepper2 [~DrPepper@88.207.189.81] has quit [Remote host closed the connection]
03:06 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has quit [Ping timeout: 264 seconds]
03:16 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
03:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
05:32 -!- DrPepper2 [~DrPepper@88.207.189.81] has joined ##openvpn
05:32 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
05:33 -!- rare1980_ [rare1980_@115.186.16.201] has joined ##openvpn
05:33 < rare1980_> hi all
05:33 < rare1980_> is there any easy installtion guide for open vpn on debian
05:43 -!- rare1980_ [rare1980_@115.186.16.201] has quit []
05:53 < Bushmills> !howto
05:53 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
05:53 < Bushmills> somewhere there
05:54 < Bushmills> most complicated part is probably certificates, keys, signing etc
06:25 -!- f1assistance1 [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
06:25 -!- f1assistance1 [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
06:46 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
06:59 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
07:27 -!- dpetrek [~dpetrek@93-138-86-110.adsl.net.t-com.hr] has joined ##openvpn
07:27 < dpetrek> hihos
07:29 < dpetrek> so i have custom port deifned for openvpn connection, udp 1195
07:29 < dpetrek> however, i see connections failing if clients src port <> 1195
07:29 < dpetrek> how to fix this and allow any clients source port?
07:35 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has quit [Ping timeout: 260 seconds]
07:37 < dpetrek> so if i use "nobind" in clients config, the connection fails
07:37 < dpetrek> if i comment it out (default) it works
07:37 < dpetrek> is there a wa y for me to allow server part of openvpn to acept ANY client source port, not just 1195
08:08 -!- dpetrek [~dpetrek@93-138-86-110.adsl.net.t-com.hr] has quit [Quit: When two people dream the same dream, it ceases to be an illusion. KVIrc 3.4.2 Shiny http://www.kvirc.net]
08:18 < Bushmills> !firewall
08:18 < vpnHelper> Bushmills: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
08:19 < Bushmills> "any" .. no.
08:20 < Bushmills> unless you do port redirection, using your firewall software support, which may allow you to make it look as if openvpn was listening to multiple ports
09:18 -!- sathia [~quassel@151.61.130.171] has joined ##openvpn
09:19 < sathia> hi
09:19 < sathia> !welcome
09:19 < vpnHelper> sathia: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:20 < sathia> i have succesfully installed the server and the clients, i have a bit of troubles though. I'd like to route a second vpn installed on the office to the clients on the vpn. can't do it for the life of me.
09:21 < sathia> anyone here?
09:24 < Bushmills> specify a different tun device, for example tun1, in the config of the other vpn
09:24 < sathia> the other vpn is on PPTP, can't change that
09:25 < sathia> the pptp has an ip such as 10.0.1.14 and the openvpn server is on 192.168.3.1 
09:27 < sathia> also I'd like it to be transparent for the other clients
09:27 < Bushmills> maybe they know about pptp on  #pptp
09:27 < sathia> i think it's a routing problem
09:27 < Bushmills> !route
09:27 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:28 < sathia> !route
09:28 < vpnHelper> sathia: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:28 < sathia> let me check that, thanks for the heads up
09:44 < sathia> I'm not too smart on routing, can't understand it
09:50 < sathia> do you know if there's a paid support of some kind?
09:51  * krzie perks up
09:52 < krzie> you're saying theres a LAN behind a client (that lan is really a vpn connection, but we can call it a LAN)
09:53 < krzie> my !route document will help you just fine
09:53 < sathia> it isn't behind the client, it's installed on the server which we want to reach via openvpn
09:53 < krzie> on the vpn server?
09:53 < sathia> right
09:54 < krzie> then its a LAN behind the server
09:54 < krzie> which is even easier
09:54 < krzie> you just push the route, done
09:54 < krzie> why the hell do you wanna do that anyways?
09:54 < krzie> just get rid of the pptp
09:54 < krzie> !pptp
09:54 < vpnHelper> krzie: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
09:54 < vpnHelper> krzie: read about why to not use pptp
09:55 < sathia> unluckily it's pptp and we can't change it because one of our co worker has a strange internet connection called fastweb which doesn't allow pptp traffic
09:55 < krzie> then get rid of pptp all together, (pptp sucks)
09:55 < sathia> and we can't get rid of that vpn because it isn't runned by us
09:55 < sathia> that would be the client vpn
09:55 < sathia> i hat it too 
09:55 < sathia> *hate
09:56 < sathia> it's just a routing thing, but I can't understand it
09:56 < krzie> either way, its just a lan behind the server
09:56 < krzie> server needs ip forwarding
09:56 < sathia> definitely
09:56 < sathia> how would I doo it on a mac osx server?
09:56 < krzie> by learning your OS
09:57 < sathia> i'm willing to do that, we have osx server since 3 days, and I'm a bit confused
09:57 < krzie> ive never used osx as a server, it is my primary desktop tho
09:57 < sathia> anyway I'll try to get this ip forwarding thing
09:57 < krzie> same as freebsd it seems
09:57 < krzie> sysctl net.inet.ip.forwarding
09:58 < krzie> sysctl net.inet.ip.forwarding=1 to turn on
09:58 < sathia> we decided to take osx server since every client in the office is a mac
09:58 < sathia> that it?
09:58 < krzie> til reboot...
09:58 < sathia> let me see then
09:58 < krzie> theres likely a sysctl.conf to stick it in
09:59 < krzie> looks like it might be /etc/hostconfig 
09:59 < krzie> IPFORWARDING=-YES-
09:59 < sathia>  sysctl -w net.inet.ip.forwarding=1
10:00 < krzie> although from man sysctl.conf i can see you could also use /etc/sysctl.conf     net.inet.ip.forwarding=1
10:00 < sathia> sec
10:01 < krzie> then you must treat the gayvpn as a lan behind the server
10:01 < krzie> oh i mean pptp
10:01 < sathia> eheh
10:02 < krzie> so you push a route to it from server config, like i do in !route
10:02 < sathia> I'm not sure of what you mean for that
10:02 < krzie> however, the other side of the pptp vpn wont know about your VPN subnet
10:02 < krzie> so you need to have someone over there add a route for it to go over the pptp vpn
10:02 < krzie> or you need to NAT the vpn traffic
10:03 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:04 < sathia> I'm trying to undestand what it means
10:06 < krzie> well dont expect to do this without networking knowledge
10:07 < sathia> that's why i asked for a paid support, i hate doing this without full knowledge of what I'm doing
10:07 < krzie> ok i guess i can do some extra googles
10:07 < krzie> !donate
10:08 < vpnHelper> krzie: "donate" is (#1) send monetary donations to openvpn@secure-computing.net via paypal. All money donated goes to staff toward development of the community wiki, forum, and this IRC channel., or (#2) Contributions to this address do *NOT* directly benefit OpenVPN Technologies, Inc., or (#3) Contribution totals and benefactors can be found at http://www.secure-
10:08 < vpnHelper> krzie: computing.net/wiki/index.php/OpenVPN/Donations
10:08 < krzie> ;]
10:08 < sathia> I'm totally into "donate" 
10:08 < krzie> dont go doing it yet tho, lets see if i can get it working first
10:09 < krzie> can you get someone on other side of pptp vpn to run a command for you?
10:09 < sathia> that would be awesome
10:09 < sathia> you mean the pptp server
10:09 < krzie> correct
10:09 < sathia> yes
10:09 < sathia> but that would be a pfsense server
10:09 < krzie> and over that vn, do you reach a whole LAN or just the server itself?
10:10 < krzie> vpn*
10:10 < krzie> (the pptp one)
10:10 < sathia> it's a lan with all the servers
10:10 < krzie> is pptp running on the router of that LAN?
10:10 < sathia> it's on the pfsense server
10:10 < sathia> which is a great firewall
10:10 < krzie> aka, does that entire network route through the pfsense server to reach the internet?
10:11 < sathia> yes
10:11 < krzie> ok
10:11 < krzie> pastebin your openvpn configs like this:
10:11 < krzie> !configs
10:11 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
10:11 < krzie> note the command used to strip comments
10:11 < krzie> i hate seeing 100 lines of comments to read 10 lines of config
10:11 < sathia> me too, this is why I removed them with vim
10:11 < sathia> sec
10:12 < sathia> http://pastebin.com/MmB7XGLg 
10:13 < krzie> ok... and pfsense is basically freebsd, so 1sec while i get the route command for that side
10:13 < sathia> ok
10:15 < krzie> route add 10.0.2.0/24 -gateway <pptp device>
10:15 < krzie> on the pfsense server
10:15 < krzie> for the record
10:15 < krzie> 10.0.2.0 ONLY exists on the vpn, right?
10:16 < krzie> it isnt the same ANYWHERE else
10:16 < sathia> yes
10:16 < krzie> ok
10:16 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
10:16 < krzie> so ya, pfsense needs that route
10:16 < sathia> the thing is that pfsense has a web interface
10:16 < sathia> let me see
10:16 < krzie> it also needs to be configured to allow that subnet in the firewall
10:17 < krzie> whatev, i dont use pfsense but i know its just freebsd
10:17 < krzie> can be logged into via ssh
10:17 < sathia> i know
10:17 < sathia> the thing is, that if I fu this server i'm dead
10:17 < krzie> [11:15]  <krzie> 10.0.2.0 ONLY exists on the vpn, right?
10:17 < krzie> [11:16]  <krzie> it isnt the same ANYWHERE else
10:17 < krzie> only way you can fuck anything up with that route command is if you answered that wrong
10:18 < sathia> I'm checking that
10:18 < sathia> also I'm looking if the virtual tty works
10:19 < krzie> what is the pptp vpn subnet?
10:19 < krzie> and the LAN subnet behind pptp
10:20 < krzie> and why in the hell dont you just openvn to the pfsense box and not need pptp???
10:20 < krzie> openvpn*
10:20 < krzie> you know pfsense can handle openvpn, right?
10:21 < sathia> the reason for that would be that I'm shitless afraid of doing something wrong
10:21 < krzie> you ARE trying to do something wrong
10:21 < krzie> by making this setup so convoluted you increase the chances of breaking something
10:21 < krzie> whereas if you do it the easy way, its more likely to work on the first try
10:22 < krzie> (especially after bribing krzee to do the work for you)
10:22 < sathia> do you think that running 2 vpn on that server is safe enough?
10:22 < krzie> lol yes
10:22 < sathia> as you can see I'm just the php guy
10:22 < krzie> hehe last guy to !donate was the php guy at his job too
10:23 < sathia> see, we run a site with 350k visits a day
10:23 < sathia> if i screw this i'm dead
10:23 < sathia> and the server is 2k km from here
10:23 < krzie> yanno you dont HAVE TO run it on the firewall either
10:23 < krzie> you can run it on any machine in the LAN
10:23 < sathia> those would be debian
10:23 < krzie> if that makes you sleep easier...
10:24 < krzie> so?
10:24 < krzie> openvpn likes *
10:24 < sathia> so i can manage to install openvpn
10:24 < sathia> i have debian here
10:24 < sathia> and did it succesfully
10:24 < krzie> if its iphone,qnx,android,win,lin,bsd,solaris openvpn will work
10:24 < krzie> heheh
10:24 < sathia> :)
10:25 < sathia> so I could just run an openvpn server 2k km from here and one in the office
10:25 < sathia> that would be painless right?
10:25 < krzie> i dont understand the question
10:25 < krzie> but ya, 1 endoint in each LAN
10:26 < sathia> we need to access both the office and the servers from home
10:26 < krzie> joining as many LANs as you want
10:26 < krzie> my !route doc has 3 lans in its example ;)
10:26 < sathia> i see
10:26 < krzie> so we can do away with the pptp bs, right?
10:27 < sathia> I guess so
10:27 < krzie> it'll make you safer anyways =]
10:27 < sathia> never liked pptp much
10:27 < sathia> yea
10:27 < krzie> nobody who understands vpns likes pptp
10:27 < krzie> ;]
10:27 < krzie> ok, so heres how i understand it
10:28 < krzie> 2 offices, and a bunch of road warriors
10:28 < krzie> right?
10:28 < sathia> 1 office and the bunch
10:28 < sathia> in the 1 office we want to keep the dev server
10:28 < sathia> the osx box
10:28 < krzie> ok...
10:28 < krzie> how many LANs?
10:28 < sathia> and we want to reach the 2k km apart from our homes too
10:28 < krzie> just 1 office?
10:29 < sathia> yes
10:29 < krzie> so 1 lan (behind the server) and a bunch of people in random places
10:29 < sathia> right
10:29 < krzie> what is the LAN subnet?
10:30 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
10:30 < sathia> office: 192.168.1.1 is that right?
10:30 < krzie> i honestly cant tell you if it is right
10:30 < sathia> online: 10.0.100.1
10:30 < krzie> but if it is, thats going to be a problem for some of your clients
10:30 < krzie> !samesubnet
10:30 < vpnHelper> krzie: "samesubnet" is clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
10:31 -!- avar [avar@wikipedia/avar] has joined ##openvpn
10:31 < sathia> I can change the office subnet immediately
10:31 < krzie> oh you can!?
10:31 < sathia> that isn't a problem at all
10:31 < krzie> cool
10:31 < sathia> sure
10:31 < krzie> i expected a fight on that ;]
10:31 -!- avar [avar@wikipedia/avar] has left ##openvpn []
10:31 < sathia> i run the office
10:31 < sathia> at least the osx box
10:31 < sathia> aha
10:31 < krzie> php guy in charge!
10:31 < sathia> definitely
10:32 < krzie> ok so make the office LAN a different subnet, an uncommon one
10:32 < sathia> ok
10:32 < sathia> like 192.168.100 something?
10:33 < krzie> maybe .108 or something
10:33 < sathia> ok
10:33 < krzie> 100 isnt so uncommon either :-p
10:33 < sathia> ahah
10:33 < sathia> ok
10:34 < krzie> we're going to change your VPN to run on UDP instead of tcp
10:34 < krzie> because:
10:34 < krzie> !tcp
10:34 < vpnHelper> krzie: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
10:34 < sathia> ok
10:35 < krzie> whats your new LAN subnet?
10:35 < krzie> ill pastebin your new config file
10:35 < sathia> ok
10:35 < sathia> just a sec, I'm configuring the router remotely
10:37 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:37 < sathia> I think I will shut myself down if I do it from here, if i fo I'll run to the office, no problem
10:38 < krzie> well hold on
10:38 < krzie> lets get it setup first
10:38 < krzie> you can change the lan after i give you configs and all
10:38 < sathia> ok
10:39 < krzie> what subnet will it be
10:39 < sathia> 192.168.108
10:39 < sathia> 255.255.255.0
10:39 < sathia> you mean the new openvpn?
10:39 < krzie> nope, i meant the LAN
10:40 < krzie> openvpn i assumed you wanted 10.0.2.0/24
10:40 < sathia> yes, ok
10:40 < krzie> which is fine if that doesnt conflict ANYWHERE
10:40 < krzie> including a users house
10:40 < sathia> i don't think so
10:40 < sathia> no we are all fine, I've checked that
10:41 < krzie> http://pastebin.com/5YNtGCQG
10:41 < krzie> you need 1 more key file
10:41 < krzie> !hmac
10:41 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
10:41 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
10:41 < krzie> type this:
10:41 < krzie> openvpn --genkey --secret ta.key
10:42 < krzie> put it in /etc/openvpn2/easy-rsa/keys/
10:42 < krzie> your clients will need the same file, and will use tls-auth ta.key 1 in their configs
10:43 < sathia> ok
10:43 < sathia> done
10:43 < krzie> you only want 10 clients max?
10:43 < krzie> for sure?
10:43 < sathia> we can start with 10, yes
10:43 < krzie> you dont NEED to say how many max
10:43 < krzie> you can remove that line and its fine
10:43 < sathia> great
10:44 < krzie> you only need that line if you have a reason for it
10:44 < sathia> I thought it would be safe to hold it low
10:44 < krzie> no reason to
10:44 < sathia> I commented it
10:44 < krzie> you cant have more clients than certs you give out...
10:44 < sathia> right
10:45 < krzie> ok, so thats a good server config
10:45 < krzie> 1sec ill give you your client config
10:45 < sathia> ok
10:47 < krzie> http://pastebin.com/s17cu6h0
10:48 < sathia> ok
10:48 < krzie> no windows clients, right?
10:48 < sathia> 1 till the new macbook doesn't arrive
10:48 < krzie> !winpath
10:48 < vpnHelper> krzie: "winpath" is Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key"
10:48 < krzie> and cant use user / group in windows
10:49 < krzie> otherwise its the same
10:49 < sathia> ok, I'll remember that
10:49 < krzie> you see how i used cd /full/path/to/dir
10:49 < krzie> its much lazier, but still full paths
10:49 < sathia> yes
10:50 < krzie> so all you have left is:
10:51 < sathia> is it correct to say that a UDP port is "safer" because nobody knows if packets reach that? 
10:51 < krzie> change your lan subnet, add a route back to VPN
10:51 < krzie> no
10:51 < krzie> however, its correct to say you will get better performance over it
10:51 < sathia> ok
10:51 < krzie> it is "safer" because of tls-auth command
10:52 < krzie> any packets not signed by your ta.key will be dropped without any further inspection
10:52 < sathia> so, I'll restart the router with the dhcp server and change the ip to the box, i still have a link to the pptp vpn on that box which will run automatically
10:52 < sathia> just a sec
10:52 < sathia> yes
10:54 < sathia> ok the router is restarting
10:54 < sathia> hopefully I'll reach that in a few minutes
10:58 < sathia> it didn't work, i need to go there. it's a 4 min trip
10:58 < sathia> brb
10:58 < krzie> see ya soon
10:58 < sathia> thanks
10:58 -!- sathia [~quassel@151.61.130.171] has quit [Quit: brb]
11:01 -!- takamichi [~pri@78.133.37.89] has quit []
11:10 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
11:12 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
11:15 -!- sathia [~quassel@151.59.131.2] has joined ##openvpn
11:16 < sathia> back
11:16 < krzie> werd
11:17 < sathia> i have to understand why the osx box is a bit messed
11:17 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Client Quit]
11:17 < krzie> ?
11:18 < sathia> ok, it is fine now
11:19 < sathia> it didn't take the new ip
11:20 < krzie> http://bash.org/?587801
11:20 < vpnHelper> Title: QDB: Quote #587801 (at bash.org)
11:20 < krzie> LOL
11:20 < sathia> so, I'll just leave UDP on the router for port 1149 
11:20 < krzie> yu
11:20 < krzie> yup
11:21 < sathia> lol
11:21 < sathia> love bash.org
11:22 < sathia> i hope to never be a quote, there was this php guy... 
11:22 < sathia> ahah
11:22 < krzie> lol
11:34 < sathia> I'm trying to run the udp openvpn from home
11:34 < sathia> it hangs writing a lot of WWWW
11:34 < krzie> firewall
11:34 < krzie> does the server see it connecting?
11:34 < krzie> (in the log)
11:34 < sathia> maybe I need to restart the router
11:35 < sathia> it's a crappy dlink router
11:35 < sathia> sec, I'll be offline for a while
11:35 < krzie> umm ok...
11:36 < krzie> http://bash.org/?814243
11:36 < vpnHelper> Title: QDB: Quote #814243 (at bash.org)
11:36 < krzie> LOL
11:37 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 245 seconds]
11:37 -!- sathia_ [~quassel@151.59.131.2] has joined ##openvpn
11:39 -!- sathia_ [~quassel@151.59.131.2] has quit [Client Quit]
11:39 -!- sathia_ [~quassel@151.59.131.2] has joined ##openvpn
11:39 < sathia_> yes, it works
11:40 -!- sathia [~quassel@151.59.131.2] has quit [Ping timeout: 245 seconds]
11:40 < sathia_> any idea why I have tun1 and tun0?
11:40 < krzie> openvpn running 2x
11:40 < sathia_> oh ye
11:41 < sathia_> one shell hanged and then connected
11:41 < sathia_> didn't see that
11:41 < sathia_> so, now I'm very very safe over UDP with one more layer, am I right?
11:42 < krzie> you're as safe as your ca.key and yours users .key files
11:42 < sathia_> definitely
11:42 < krzie> even if their certs/key files get lost, you can revoke them
11:42 < krzie> ca.key is the MOST important thing
11:42 < krzie> with that anyone can sign more certs
11:42 < krzie> its the cornerstone of PKI
11:43 < sathia_> yes
11:43 < sathia_> i need to keep it in a safe place
11:43 < sathia_> and I guess to change it from time to time
11:43 < krzie> i just keep it on a computer that never has access to a network
11:44 < krzie> offline CA machine
11:44 < sathia_> ok
11:47 < sathia_> I'm reading the openvpn-pfsense pdf
11:48 < krzie> ?
11:48 < sathia_> it explains how to create an openvpn on pfsense
11:48 < krzie> but its just freebsd!
11:48 < krzie> lol
11:49 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
11:49 < sathia_> i mean, the interface
11:49 < sathia_> which is very very neat
11:49 < sathia_> have you seen it?
11:49 < krzie> nope, i dont believe in server gui's
11:50 < sathia_> trust no one
11:50 < sathia_> :p
11:50 < sathia_> btw I've just learned that "road warrior" is a used idiom, the pdf is ok
11:53 -!- mattock [~samuli@gprs-internet-ff0bd100-176.dhcp.inet.fi] has joined ##openvpn
11:53 -!- mode/##openvpn [+o mattock] by ChanServ
11:56 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Excess Flood]
12:00 -!- fahadsadah [~fahad@unaffiliated/fahadsadah] has joined ##openvpn
12:01 -!- coil [platypus@unaffiliated/coil] has quit [Ping timeout: 248 seconds]
12:02 < sathia_> do you think it's a good idea to use the same ca.key for both local and remote vpns?
12:02 -!- coil [platypus@unaffiliated/coil] has joined ##openvpn
12:02 < krzie> huh?
12:03 < sathia_> if I'm going to configure openvpn on the pfsense, would it be wise to use the same private keys?
12:04 < sathia_> looks idiot just saying it
12:04 < sathia_> "private" "shared"
12:04 < krzie> i have no idea what you're really trying to say
12:04 < krzie> why do you need 2 servers?
12:05 < krzie> you gave me a goal, i gave you configs to make it work
12:05 < sathia_> the problem is still to reach the remote servers
12:05 < krzie> how are you not done?
12:05 < krzie> the "remote servers" are the LAN behind the vpn, right?
12:05 < krzie> the lan behind the server
12:06 < sathia_> i mean the server behind the pfsense firewall
12:06 < krzie> you're confusing me
12:06 < sathia_> I'm sorry, english isn't even my native language
12:06 < sathia_> I may have messed up 
12:06 < krzie> is pfsense firewall part of the lan behind the VPN server?
12:07 < krzie> you only need a single VPN node per LAN
12:07 < sathia_> the situation is this: office now has the vpn with udp as you did it
12:07 < krzie> right, your native language is php, right?
12:07 < sathia_> ahah
12:07 < krzie> :-p
12:07 < sathia_> italian
12:07 < krzie> pizano!
12:07 < sathia_> torino
12:08 < sathia_> anyway, the office is reachable and it is working good
12:08 < sathia_> i still need to access the server that now are behind tha gayvpn 
12:08 < sathia_> pptp
12:09 < krzie> which is NOT on the same lan
12:09 < krzie> right?
12:09 < sathia_> no, it's 2k km apart 
12:09 < krzie> ok, so back when i said 2 offices with LAN, i was right
12:09 < krzie> what is the LAN of that office?
12:09 < krzie> subnet
12:11 < sathia_> i don't understand, let me explain, there is home, office and the servers which are behind the pfsense firewall
12:11 < sathia_> we have fixed home and office
12:11 < krzie> ok well what is the LAN subnet of the pfsense place
12:11 < sathia_> the goal is to reach both the office and the remote servers
12:12 < sathia_> 10.0.100.1 for the server 10.0.1.1 for the pptp lan
12:12 < sathia_> *servers, there are 10
12:12 < krzie> theres no other machines on that lan?
12:12 < sathia_> no
12:13 < krzie> so you ONLY want to reach the pfsense box
12:13 < sathia_> yes, either from the office or on a new vpn
12:13 < krzie> NO machines behind it?
12:13 < sathia_> nono, i don't care about the pfsense box, I need to reach the servers on 10.0.100 
12:14 < krzie> there we go
12:14 < sathia_> the webserver, db, memcache server and so on
12:14 < krzie> that was the easy answer about 100 lines up
12:14 < krzie> hehe
12:14 < sathia_> i'm sorry
12:14 < krzie> ok so make the pfsense box a client on the openvpn setup
12:14 < krzie> tell me its common-name
12:14 < sathia_> i guess we can call it pfsense, does it sound right?
12:15 < krzie> sure
12:15 < sathia_> ok
12:15 < krzie> now you need to enable
12:15 < krzie> !ccd
12:15 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
12:15 < krzie> then in the dir you use in client-config-dir , you add a file named pfsense
12:16 < sathia_> sec, I'm trying to understand it
12:16 < krzie> in your server config
12:16 -!- |Mike| [mike@2001:1af8:2:444::2] has quit [Ping timeout: 248 seconds]
12:16 < krzie> client-config-dir <dir>
12:16 < krzie> replacing <dir> with a full path to a directory you are about to make
12:17 < krzie> then make the dir
12:17 < krzie> then make a file in the dir named pfsense
12:17 -!- |Mike| [mike@2001:1af8:2:444::2] has joined ##openvpn
12:17 < sathia_> sec
12:17 < krzie> then in that file, put this:   iroute 10.0.100.0 255.255.255.0
12:18 < krzie> then in server config, add this:   push "route 10.0.100.0 255.255.255.0"
12:18 < krzie> (this was all explained in !route)
12:20 < krzie> tell me when you catchup
12:21 < sathia_> http://pastebin.com/HxtMV0Le 
12:21 < sathia_> did I understand anything you said?
12:21 < krzie> paste your new server config
12:21 < krzie> because yes what you just showed is correct
12:22 < sathia_> http://pastebin.com/sNV115e2 
12:24 < krzie> http://pastebin.com/gFkxtm3w
12:25 < sathia_> ok
12:26 < sathia_> and the forwarding thing, is managed by the vpn server itself?
12:26 -!- SpaceBass [~SP@pool-173-67-241-238.rcmdva.fios.verizon.net] has joined ##openvpn
12:27 < krzie> what forwarding thing?
12:27 < krzie> ip forwarding?
12:27 < sathia_> yes
12:27 < krzie> that needs to be enabled on the client
12:27 < sathia_> if I understand correctly, we are telling the openvpn server to forward to 10.0.100
12:27 < krzie> !iroute
12:27 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
12:28 < krzie> but yes, pfsense box needs ip forwarding enabled
12:28 < krzie> !fbsdipforward
12:28 < vpnHelper> krzie: "fbsdipforward" is is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
12:28 < krzie> there ya go
12:29 < sathia_> sec
12:33 < sathia_> I need to go home to try it
12:33 < sathia_> I'll brb
12:33 < krzie> to try what!?
12:33 < krzie> oh the vpn, wait tho
12:33 < sathia_> sec
12:33 < krzie> once you do all i said
12:33 < krzie> tell me, and i have a question
12:34 < krzie> you MIGHT need more
12:34 < krzie> might not
12:37 < sathia_> lol, strange things happening
12:37 < sathia_> I'm connected to my home box via the openvpn server 
12:38 < sathia_> if I write ifconfig the shell hangs
12:38 < sathia_> doesn't sound right
12:38 < sathia_> I'll go home, brb in 5 mins
12:39 < krzie> ok
12:46 -!- sathia_ [~quassel@151.59.131.2] has quit [Ping timeout: 260 seconds]
12:49 -!- sathia [~quassel@151.61.130.171] has joined ##openvpn
12:52 < sathia> something is acting weird
12:57 -!- BashLogi1 [~BashLogic@NS1.Kielletty.net] has quit [Quit: leaving]
12:59 < krzie> thats not very descriptive
12:59 < sathia> my bad, it was a mistake on the conf
12:59 < sathia> he couldn't find the ta.key
13:00 < krzie> it should be in same dir as other keys
13:00 < krzie> and the cd handles the rest
13:00 < sathia> yes, but it wanted the full path nonethelss
13:01 < krzie> *shrug* ok
13:02 < sathia>  /sbin/route add -net 10.0.100.0 netmask 255.255.255.0 gw 10.0.2.5 
13:02 < sathia> on my client (here at home), so the push sounds good 
13:03 < krzie> now for my questions
13:03 < sathia> yes
13:03 < krzie> is pfsense the router for its LAN?
13:03 < sathia> yes
13:03 < krzie> they all route internet through it
13:03 < sathia> yes
13:03 < krzie> ok, that makes that easy
13:03 < krzie> in the office, is the VPN server the router for that LAN?
13:04 < sathia> you mean the internet gateway?
13:04 < krzie> correct
13:04 < sathia> no
13:04 < krzie> ok so you have 2 routes to add
13:04 < sathia> it's the dns server, but the gateway is the router
13:04 < krzie> as talked about here:
13:04 < krzie> !factoids search outside
13:04 < vpnHelper> krzie: "route_outside_openvpn" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:04 < krzie> wtf
13:04 < krzie> who destroyed my factoid!
13:05 < krzie> !forget routes_outside_openvpn
13:05 < vpnHelper> krzie: Error: There is no such factoid.
13:05 < krzie> !forget route_outside_openvpn
13:05 < vpnHelper> krzie: Joo got it.
13:05 < krzie> weak
13:05 < sathia> easily forgot
13:05 < sathia> :p
13:06 < krzie> !learn route_outside_openvn as http://www.secure-computing.net/wiki/index.php/Graph for a description of why your gateway on LANs shared over openvpn needs routes added to it.  better explained in section "ROUTES TO ADD OUTSIDE OF OPENVPN" in !route
13:06 < vpnHelper> krzie: Joo got it.
13:06 < krzie> grr
13:07 < krzie> !forget route_outside_openvn
13:07 < vpnHelper> krzie: Joo got it.
13:07 < krzie> !learn route_outside_openvpn as http://www.secure-computing.net/wiki/index.php/Graph for a description of why your gateway on LANs shared over openvpn needs routes added to it.  better explained in section "ROUTES TO ADD OUTSIDE OF OPENVPN" in !route
13:07 < vpnHelper> krzie: Joo got it.
13:07 < sathia> sec
13:07 < krzie> so basically
13:08 < krzie> 10.0.2.0/24 and 10.0.100.0/24 needs routes on that gateway
13:08 < sathia> yes
13:08 < krzie> so it knows to route those subnets through the openvpn server and not over the internet
13:08 < sathia> right
13:09 < krzie> whats the servers LAN ip?
13:09 < sathia> 192.168.108.99 
13:09 < krzie> route add -net 10.0.2.0/24 gw 192.168.108.99
13:09 < krzie> thats for linux
13:09 < sathia> oh sec, you mean the web server?
13:09 < sathia> or the office server
13:09 < krzie> why would i care about a web server?
13:10 < krzie> the VPN server
13:10 < sathia> ok, then it's correct
13:11 < krzie> !factoids
13:11 < vpnHelper> krzie: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
13:11 < krzie> !welcome
13:11 < vpnHelper> krzie: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:11 < sathia> I need to add this route on the vpn server right?
13:11 < krzie> cool
13:12 < krzie> no dude
13:12 < krzie> on the ROUTER
13:12 < sathia> oh, the dlink router
13:12 < sathia> that would be nice
13:12 < sathia> let me see
13:12 < krzie> routers can handle adding routes
13:12 < sathia> i think so
13:12 < krzie> otherwise they arent routers ;]
13:13 < sathia> rith
13:13 < sathia> *right
13:14 < sathia> a static route is what I need, right?
13:14 < krzie> correct
13:14 < krzie> 2 of them
13:14 < krzie> telling it 2 networks exist behind .99
13:15 < sathia> Destination Network address - Subnet Mask - Gateway IP Address
13:15 < sathia> it's what it says
13:15 < krzie> destination: 10.0.2.0   subnet mask: 255.255.255.0     destination: 192.168.108.99
13:15 < krzie> destination: 10.0.100.0   subnet mask: 255.255.255.0     destination: 192.168.108.99
13:18 < sathia> ok, maybe i need to restart the router again
13:18 < krzie> why
13:18 < sathia> doesn't seem like they are working from here
13:18 < sathia> http://pastebin.com/eZSc6sWe
13:19 < krzie> in the dlink?
13:19 < sathia> right
13:19 < krzie> dlink is the router for VPN_SERVER's LAN, right?
13:19 < sathia> yes
13:19 < krzie> and VPN_SERVER is 192.168.108.99
13:19 < krzie> ok so do this:
13:19 < krzie> you are at home, right?
13:20 < sathia> yes
13:20 < krzie> you are connected to the VPN?
13:20 < sathia> yes
13:20 < sathia> the openvpn, but not the pptp
13:20 < krzie> fuck pptp
13:20 < krzie> you wont be needing it
13:20 < krzie> ping 192.168.108.99
13:20 -!- qfr [~kafir@unaffiliated/yw] has left ##openvpn []
13:20 < krzie> get response?
13:21 < sathia> no
13:21 < krzie> ping 10.0.2.1
13:21 < krzie> get response?
13:21 < sathia> 64 bytes from 10.0.2.1: icmp_seq=1 ttl=64 time=16.0 ms
13:21 < krzie> ping 192.168.108.1
13:21 < sathia> 64 bytes from 192.168.108.1: icmp_seq=1 ttl=63 time=18.0 ms
13:21 -!- raidz [~Andrew@seance.openvpn.org] has joined ##openvpn
13:21 < krzie> ok, looks good
13:22 < sathia> that is the router
13:22 < krzie> your vpn server seems to not like taking packets to .99, firewall related
13:22 < krzie> right, if you can talk to the router you can talk to anything on the lan
13:22 -!- mode/##openvpn [+o raidz] by ChanServ
13:22 < sathia> reaching!!
13:23 < krzie> now...
13:23 < krzie> ping 10.0.100.1
13:23 -!- mattock1 [~samuli@gprs-internet-ff0ad100-115.dhcp.inet.fi] has joined ##openvpn
13:23 -!- mode/##openvpn [+o mattock1] by ChanServ
13:23 < krzie> what is some other machine in that LAN?
13:23 < sathia> 10.0.100.11
13:23 < krzie> ping that too
13:23 < sathia> the web server, but they don't answer
13:24 < krzie> oh also
13:24 < krzie> !c2c
13:24 < vpnHelper> krzie: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
13:24 < vpnHelper> krzie: behind other clients
13:24 < sathia> let me past my routing table
13:24 < krzie> add this to your server config
13:24 < krzie> client-to-client
13:24 -!- mattock [~samuli@gprs-internet-ff0bd100-176.dhcp.inet.fi] has quit [Ping timeout: 272 seconds]
13:24 < sathia> oh, right
13:25 < krzie> so traffic from 1 client to another wont hit your vpn server firewall
13:25 < krzie> its very very not likely your routing table
13:25 < krzie> its your firewall
13:26 < krzie> 10.0.100.1 is pfsense, right?
13:26 < sathia> sec
13:26 < sathia> yes
13:26 < krzie> oh and also, pfsense is connected to the VPN, right?
13:26 < krzie> :-p
13:26 < sathia> yes
13:27 < sathia> I've added the client-to-client line on the server config file
13:28 < sathia> I'm afraid to say it, but pfsense is connected via pptp
13:29 < sathia> but it shouldn't matter anymore right now
13:29 < krzie> LOL
13:29 < krzie> yes it does
13:29 < sathia> it does
13:29 < sathia> ok
13:29 < krzie> didnt i tell you to make it a ovpn client?
13:29 < krzie> and we configured the openvpn server for it
13:29 < krzie> and i told you you no longer will be using pptp
13:30 < krzie> :-
13:30 < krzie> :-p
13:30 < krzie> you can keep pptp alive for now
13:30 < sathia> yes
13:30 < krzie> but you also need openvpn
13:30 < krzie> oh wait a sec
13:31 < sathia> shouldn't I be able to reach it anyway? 
13:31 < krzie> from home right now you can access 10.0.100.X over the pptp vpn?
13:31 < sathia> yes
13:31 < sathia> if I up the vpn yes
13:31 < sathia> pptp vpn
13:31 < krzie> ok but you are not connected to the pptp vpn, right?
13:31 < sathia> no
13:32 < krzie> and you can access the machine without the vpn, right?
13:32 < sathia> i can reach pfsense but the machine has only port 80 open
13:32 < sathia> so no, i can't reach it
13:32 < krzie> but i mean
13:32 < krzie> you are not locked out if not using pptp
13:33 < sathia> I shouldn't
13:33 < krzie> basically, because both VPNs push routes for the same subnet, only 1 can be in use at a time
13:33 < sathia> not sure to understand what you are saying
13:33 < krzie> so if you kill pptp and start openvpn, you do not run a risk of locking yourself out of the pfsense machine
13:34 < krzie> correct?
13:34 < sathia> you mean killing pptp on the pfsense server?
13:34 < krzie> hell yes i do
13:34 < krzie> pptp sucks, and you no longer need it
13:34 < sathia> i understand it
13:34 < krzie> you are migrating to openvpn, congratulations!
13:35 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 260 seconds]
13:35 < krzie> we have been at this for 4 hours, i have to go to work soon
13:35 < krzie> so we need to speed things up a lil
13:35 < sathia> I'm sorry if i've been dog slow
13:35 < krzie> i come on from work but im slower while im there
13:36 < krzie> (cause i also need to work and stuff)
13:36 < sathia> eheh, i understand
13:36 -!- 14WAAOJHF [uriel@hurricane.urts.info] has left ##openvpn []
13:36 < sathia> I'll catch you later then
13:36 < krzie> im not leaving yet
13:36 < sathia> ok
13:36 < krzie> lets finish this thing
13:36 < krzie> you're basically done
13:36 < krzie> kill pptp on pfsense
13:36 < krzie> start openvpn as a client
13:37 < krzie> same config as at home, with its own certs
13:37 < krzie> you should be up and running at that point
13:37 < sathia> I understand this, but there are remote machines using pptp that need to do background jobs
13:37 < sathia> if I kill pptp right now
13:37 < krzie> they should become openvpn clients as well
13:37 -!- mattock1 [~samuli@gprs-internet-ff0ad100-115.dhcp.inet.fi] has quit [Ping timeout: 265 seconds]
13:37 < sathia> of course
13:38 < sathia> but those machines are not reachable 
13:38 < krzie> sure they are, they are connected over pptp
13:38 < sathia> i mean, I cannot admin them
13:38 < sathia> windows server et all
13:38 < krzie> go into them, make them login to openvpn, connect over openvpn, kill pptp
13:40 < sathia> I really don't have the admin password for them
13:40 < krzie> yes theres a way to keep pptp and integrate it... but do you really want a shitty VPN?
13:40 < krzie> then make the people who run them do it
13:40 < sathia> it would be cool for just a few days
13:40 < krzie> you said you're the boss
13:40 < sathia> so the other guys could catch up
13:40 < krzie> no such thing as "just a few days"
13:40 < krzie> you either do it right or not
13:40 < krzie> once it works you wont care
13:41 < sathia> i'm totally into it
13:41 < krzie> (which im sure is why you have been on pptp already)
13:41 < sathia> i really want to forget pptp 
13:41 < krzie> then make your employees do their job!
13:41 < krzie> tell them its migration time!
13:41 < sathia> pptp has been set up by a russian consultant
13:41 < sathia> which now is unavailable
13:41 < sathia> because he's working for facebook
13:41 < krzie> all they have to do is install openvpn from www.openvpn.net/download
13:42 < sathia> or something
13:42 < krzie> and put the config in the right dir, and keys in the right dir
13:42 < sathia> yes, I've installed it on my windows box here
13:42 < sathia> for testing purposes
13:42 < krzie> so when you want it to work, do all of that
13:42 < krzie> and its done
13:42 < sathia> ok
13:42 < sathia> !donate
13:42 < vpnHelper> sathia: "donate" is (#1) send monetary donations to openvpn@secure-computing.net via paypal. All money donated goes to staff toward development of the community wiki, forum, and this IRC channel., or (#2) Contributions to this address do *NOT* directly benefit OpenVPN Technologies, Inc., or (#3) Contribution totals and benefactors can be found at http://www.secure-
13:42 < vpnHelper> sathia: computing.net/wiki/index.php/OpenVPN/Donations
13:43 < krzie> make sure the pfsense common-name in its cert is pfsense
13:43 < sathia> when I create the key
13:43 < sathia> for it right?
13:43 < krzie> the ccd file requires it is named EXACTLY as the common-name
13:43 < krzie> basically yes
13:43 < sathia> ok
13:43 < sathia> so, now I'll prepare the keys
13:44 < sathia> and I'll see what has to be done
13:44 < krzie> you use freebsd?
13:44 < sathia> not to harm the site
13:44 < sathia> osx server
13:44 < krzie> but you also have freebsd?
13:44 < sathia> at home i use linux
13:44 < sathia> at work osx
13:44 < krzie> you may enjoy a CA application that replaces easy-rsa which is in freebsd ports
13:44 < krzie> but thats cool
13:44 < krzie> just use easy-rsa =]
13:44 < sathia> ok
13:45 < sathia> yes, yesterday i've learned the basics of it
13:45 < krzie> you already got this far with it, you're using it right =]
13:45 < sathia> you made me a big favour today
13:45 < krzie> crazy thing is i usually dont wake up til now
13:45 < krzie> lol
13:46 < sathia> where are you from?
13:46 < krzie> usa originally, caribbean now
13:46 < sathia> awesome
13:46 < krzie> !forget donate 3
13:46 < vpnHelper> krzie: Joo got it.
13:47 < sathia> ok
13:47 < krzie> !learn donate as http://www.secure-computing.net/wiki/index.php/OpenVPN/Donations for Contribution totals and benefactors
13:47 < vpnHelper> krzie: Joo got it.
13:47 < krzie> !donate
13:47 < vpnHelper> krzie: "donate" is (#1) send monetary donations to openvpn@secure-computing.net via paypal. All money donated goes to staff toward development of the community wiki, forum, and this IRC channel., or (#2) Contributions to this address do *NOT* directly benefit OpenVPN Technologies, Inc., or (#3) Contribution totals and benefactors can be found at http://www.secure-
13:47 < vpnHelper> krzie: computing.net/wiki/index.php/OpenVPN/Donations
13:47 < krzie> weird
13:47 < krzie> !forget donate 3
13:47 < vpnHelper> krzie: Joo got it.
13:47 < sathia> krzee is that you?
13:47 < krzie> !donate
13:47 < vpnHelper> krzie: "donate" is (#1) send monetary donations to openvpn@secure-computing.net via paypal. All money donated goes to staff toward development of the community wiki, forum, and this IRC channel., or (#2) Contributions to this address do *NOT* directly benefit OpenVPN Technologies, Inc., or (#3) Contribution totals and benefactors can be found at http://www.secure-
13:47 < vpnHelper> krzie: computing.net/wiki/index.php/OpenVPN/Donations
13:48 < krzie> yup, im krzee =]
13:48 < krzie> !forget donate 3
13:48 < vpnHelper> krzie: Error: Invalid factoid number.
13:48 < krzie> !donate
13:48 < vpnHelper> krzie: "donate" is (#1) send monetary donations to openvpn@secure-computing.net via paypal. All money donated goes to staff toward development of the community wiki, forum, and this IRC channel., or (#2) Contributions to this address do *NOT* directly benefit OpenVPN Technologies, Inc., or (#3) Contribution totals and benefactors can be found at http://www.secure-
13:48 < vpnHelper> krzie: computing.net/wiki/index.php/OpenVPN/Donations
13:48 < krzie> hrm, weird
13:48 < krzie> ecrist, the bot is freaking out
13:48 < sathia> ehhe
13:49 < sathia> ok, I'll make some dinner now, thanks again
13:50 < krzie> you're welcome
13:50 < sathia> later
13:50 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Quit: krzie]
13:50 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
13:51 < krzie> !donate
13:51 < vpnHelper> krzie: "donate" is (#1) send monetary donations to openvpn@secure-computing.net via paypal. All money donated goes to staff toward development of the community wiki, forum, and this IRC channel., or (#2) Contributions to this address do *NOT* directly benefit OpenVPN Technologies, Inc., or (#3) Contribution totals and benefactors can be found at http://www.secure-
13:51 < vpnHelper> krzie: computing.net/wiki/index.php/OpenVPN/Donations
13:51 < krzie> !forget donate 3
13:51 < vpnHelper> krzie: An error has occurred and has been logged. Please contact this bot's administrator for more information.
13:51 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Client Quit]
13:53 < krzie> oh lol
13:53 < krzie> ecrist, you didnt chown the db back to the bot ;]
13:53 < krzie> he was trippin
13:54 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
13:55 < krzie> !forget donate 3
13:55 < vpnHelper> krzie: Joo got it.
13:55 < krzie> !donate
13:55 < vpnHelper> krzie: "donate" is (#1) send monetary donations to openvpn@secure-computing.net via paypal. All money donated goes to staff toward development of the community wiki, forum, and this IRC channel., or (#2) Contributions to this address do *NOT* directly benefit OpenVPN Technologies, Inc.
13:55 < krzie> !learn donate as http://www.secure-computing.net/wiki/index.php/OpenVPN/Donations for Contribution totals and benefactors
13:55 < vpnHelper> krzie: Joo got it.
13:55 < krzie> !donate
13:55 < vpnHelper> krzie: "donate" is (#1) send monetary donations to openvpn@secure-computing.net via paypal. All money donated goes to staff toward development of the community wiki, forum, and this IRC channel., or (#2) Contributions to this address do *NOT* directly benefit OpenVPN Technologies, Inc., or (#3) http://www.secure-computing.net/wiki/index.php/OpenVPN/Donations for Contribution totals and benefactors
13:55 < krzie> much better
13:55 < krzie> !route_outside_openvpn
13:55 < vpnHelper> krzie: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
13:55 < krzie> heh i wonder how many things didnt get added
13:56 < krzie> !iphone
13:56 < vpnHelper> krzie: "iphone" is (#1) http://github.com/jfx2006/OpenVPN_iphone/downloads for precompiled iphone binaries, or (#2) http://modmyi.com/cydia/package.php?id=15784 for the gui portion
13:56 < krzie> !list factoids
13:56 < vpnHelper> krzie: change, forget, info, learn, lock, random, search, unlock, and whatis
13:56 < krzie> !list factoids search
13:56 < vpnHelper> krzie: (list [--private] [<plugin>]) -- Lists the commands available in the given plugin. If no plugin is given, lists the public plugins available. If --private is given, lists the private plugins.
13:56 < krzie> !factoids search
13:56 < vpnHelper> krzie: (factoids search [<channel>] [--values] [--{regexp} <value>] [<glob> ...]) -- Searches the keyspace for keys matching <glob>. If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
13:56 < krzie> !factoids search --values dazo
13:56 < vpnHelper> krzie: "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
13:57 < krzie> !factoids search --values ldap
13:57 < vpnHelper> krzie: No keys matched that query.
13:57 < krzie> !factoids search --values LDAP
13:57 < vpnHelper> krzie: No keys matched that query.
13:57 < krzie> !factoids search ldap
13:57 < vpnHelper> krzie: No keys matched that query.
13:57 < krzie> meg
13:57 < krzie> meh
14:02 -!- SkyHAPPY is now known as Sky[x]
14:10 -!- killown [~killown@unaffiliated/killown] has quit [Ping timeout: 265 seconds]
14:12 -!- SpaceBass [~SP@pool-173-67-241-238.rcmdva.fios.verizon.net] has quit [Ping timeout: 265 seconds]
14:17 -!- SpaceBass [~SP@pool-173-67-241-238.rcmdva.fios.verizon.net] has joined ##openvpn
14:23 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
14:35 -!- sathia [~quassel@151.61.130.171] has quit [Remote host closed the connection]
14:51 -!- sathia [~quassel@151.61.130.171] has joined ##openvpn
14:51 < sathia> krzie? you there?
14:52 < krzee> yup
14:52 < sathia> I've nmaped the router of the office
14:53 < sathia> i do see it
14:53 < sathia> it just doesn't answer to the ping requests
14:53 < sathia> but the port is open
14:54 < sathia> one thing I can't understand, in my route table i have:  http://pastebin.com/qAr9Nhx7 
14:54 < sathia> looks very messy from here
14:54 -!- jhaar [~jhaar@2001:470:828b:0:21c:bfff:fea9:1197] has joined ##openvpn
14:54 < sathia> i have no idea
14:59 < krzee> how do you think that could be related to a route?
14:59 < sathia> you said earlier that everything reachable by the vpn server would have been  reachable from the openvpn clients with those rules, why isn't 10.0.100 reachable then?
14:59 < krzee> if you can get only some types of packets through
15:00 < krzee> because you didnt connect pfsense to the vpn
15:00 < krzee> LOL
15:01 < sathia> ok, i thought that a simple routing would have worked
15:01 < sathia> and you mentioned that there's a way to have a mix of openvpn and pptp 
15:01 < sathia> could I use it for a few _hours_ ?
15:04 < krzee> actually i just realized something
15:04 < krzee> you are currently setup for that, connect your openvpn server to the pptp network
15:04 < krzee> when you migrate off pptp, add this line to your server config
15:04 < sathia> how so?
15:05 < krzee> route 10.0.100.0 255.255.255.0
15:05 < krzee> because i forgot to tell your server to route that subnet over the vpn
15:05 < krzee> it will use whatever route it has for 10.0.100
15:05 < krzee> which is the pptp network
15:06 < sathia> you mean I have to add it now, and remove it when I'll migrate
15:06 < sathia> right?
15:08 < krzee> neg
15:08 < krzee> add it now with a # in front of it
15:08 < krzee> remove it when you migrate
15:08 < sathia> done
15:11 < sathia> and how would I connect the openvpn server to the pptp network?
15:11 < krzee> the vpn server should connect to both
15:11 < krzee> brb
15:11 -!- krzee [~k@unaffiliated/krzee] has quit [Quit: Leaving]
15:11 < sathia> sur
15:23 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
15:33 < sathia> the vpn is connected to both of course
15:33 < sathia> http://pastebin.com/un5YftKM 
15:35 < sathia> here's  with the routing table of the openvpn server
15:35 < sathia> http://pastebin.com/MLhjiNgJ 
15:38 < krzee> how bout this
15:38 < krzee> just do it right
15:38 < krzee> i see no reason to troubleshoot something that is the wrong way to do it and only needed for a couple hours
15:39 < sathia> i see your point, but at this point I'd like to know why the forwarding isn't working, it should
15:40 < krzee> 10                 ppp0               USc             3       88    ppp0
15:40 < krzee> lol
15:40 < krzee> someone set pptp to route 10/8
15:40 < krzee> haha
15:40 < sathia> i have no idea
15:40 < krzee> well i wish you luck doing it wrong
15:43 < sathia> ok, thank you very much
15:43 < krzee> you're welcome =]
15:43 < krzee> you should focus your energy on getting everything migrated instead (for the record)
15:44 < sathia> no, i need a sysadmin 
15:44 < sathia> I shouldn't do these kind of things
15:44 < krzee> this is true
15:44 < sathia> I'm the php guy ffs
15:44 < sathia> :p
15:45 < krzee> you said you're the boss too, right?
15:45 < sathia> i'm the nearest thing to  the boss, at leastt on the IT front
15:45 < sathia> but since the consultant left us
15:46 < sathia> i didn't find anyone i could trust
15:46 < sathia> and my biggest fear is to screw up
15:52 < krzee> then stop trying to mix the 2 vpns
15:52 < krzee> and wait til its time to migrate
15:53 < krzee> (easiest way to not screw something up)
15:53 < sathia> this is what I'm going to do
15:54 < sathia> still, curious why the hell it isn't working right now, why there's tha 10 ppp0 etc.
15:54 < sathia> before going to sleep
15:54 < sathia> i'd like to understand that
15:59 < krzee> because of your pptp setup
15:59 < krzee> for the 10/8 at least
15:59 < krzee> just go to sleep, and work on the full migration next =]
16:00 < sathia> definitely, i'll see you here right?
16:00 < krzee> usually
16:00 < sathia> i'm very tired, best time to f up things 
16:00 < sathia> goodnight then
16:00 < krzee> nite
16:00 -!- sathia [~quassel@151.61.130.171] has quit [Quit: nite]
16:20 -!- graffz [~graffz@unaffiliated/graffz] has joined ##openvpn
16:44 -!- SpaceBass [~SP@pool-173-67-241-238.rcmdva.fios.verizon.net] has quit [Quit: Leaving]
16:47 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
17:14 -!- graffz [~graffz@unaffiliated/graffz] has quit [Quit: puff the magik drag0n]
17:35 -!- DrPepper2 [~DrPepper@88.207.189.81] has quit [Remote host closed the connection]
17:52 < krzee> !factoids search ldap
17:52 < vpnHelper> krzee: No keys matched that query.
17:53 < |Mike|> krzee: pwned!
17:54 < krzee> !learn ldap_iptables as see http://planetjoel.com/viewarticle/638/OpenVPN%3A+Dynamically+create+IPtables+rules+based+on+LDAP+group+membership for a cool script for setting iptables rules based on LDAP membership (currently only handles TCP rules, but an easy fix to support UDP)
17:54 < vpnHelper> krzee: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
17:55 < krzee> !learn ldap_iptables as see http://planetjoel.com/viewarticle/638/OpenVPN%3A+Dynamically+create+IPtables+rules+based+on+LDAP+group+membership for a cool script for setting iptables rules based on LDAP membership (currently only handles TCP rules, but an easy fix to support UDP)
17:55 < vpnHelper> krzee: Joo got it.
17:55 < krzee> sup mike
17:56 < |Mike|> krzee: are you into carp fishing ? :)
17:57 < krzee> i dont really fish
17:57 < |Mike|> only diving ?
17:58 < krzee> howd you know im into diving?
17:58 < |Mike|> we spoke eachother on the phone when you visited NL :)
17:58 < |Mike|> s/phone/skype...
17:59 < krzee> didnt know we talked about scuba
17:59 < krzee> haha
17:59 < |Mike|> true that :-P
17:59 < |Mike|> most people what dive do also fish over there?
18:00 < krzee> not really
18:00 < krzee> they're unrelated
18:00 < |Mike|> i see
18:23 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:31 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
18:33 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
18:36 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
18:36 -!- killown [~killown@unaffiliated/killown] has quit [Read error: Connection reset by peer]
18:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
18:37 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
18:58 -!- DrPepper2 [~DrPepper@88.207.189.81] has joined ##openvpn
19:01 < |Mike|> :D
19:48 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Remote host closed the connection]
20:15 -!- unimatrix [~unimatrix@93-103-14-47.static.t-2.net] has quit [Ping timeout: 260 seconds]
20:18 -!- unimatrix [~unimatrix@93-103-14-47.static.t-2.net] has joined ##openvpn
20:29 -!- tjz [~pc@bb116-14-142-112.singnet.com.sg] has joined ##openvpn
20:29 -!- tjz [~pc@bb116-14-142-112.singnet.com.sg] has quit [Changing host]
20:29 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:45 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
20:46 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
20:49 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:49 < theDoc> Morn' all.
21:43 -!- y0tta [~y0tta@67.159.34.102] has joined ##openvpn
22:39 -!- Lenhix [LordChaman@190.156.63.4] has joined ##openvpn
23:29 < killown> morn
23:29 < krzie> moin
23:38 < troy-> hiya krzie 
23:39 -!- y0tta [~y0tta@67.159.34.102] has quit [Quit: y0tta]
23:45 < krzie> heyhey
23:52 -!- Run32dll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
23:53 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Ping timeout: 260 seconds]
23:53 -!- Lenhix [LordChaman@190.156.63.4] has quit [Ping timeout: 260 seconds]
--- Day changed Mon May 24 2010
00:05 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
00:07 -!- applejack [john@111.118.163.100] has joined ##openvpn
00:12 -!- applejack [john@111.118.163.100] has left ##openvpn ["I'm a happy Miranda IM user! Get it here: http://miranda-im.org"]
00:33 -!- grendal_grime [~sgraham@dsl-12-44-166-053.arpa2.caltel.com] has joined ##openvpn
00:33 < grendal_grime> hey guys.
00:33 < krzie> hey
00:34 < grendal_grime> i have some pretty critical servers that seem to be experiencing some rather odd kernel panics
00:34 < grendal_grime> it happens when the cpy utilization gets close to 100 percent
00:34 < grendal_grime> cpu that is
00:35 < krzie> and whats using the cpu
00:35 < grendal_grime> these boxes basically are just openvpn servers
00:35 < krzie> have you analyzed whats eating your cpu?
00:35 < grendal_grime> we had a spike in utilzation the other day.
00:36 < krzie> so you're guessing what did it, or have you watched your system and analyzed whats going on?
00:36 < grendal_grime> my thinking is that it was a foundry machine gone apeshit..but anyway we use a physicall foundry to load ballance two 3 openvpn servers running on vmware vsphere
00:36 < krzie> what os do you run
00:37 < grendal_grime> they are all running on diff hosts in case of physical hardware falure.
00:37 < grendal_grime> the openvpn runns on ubuntu server 804 for now.
00:37 < grendal_grime> the physical hosts are sun servers
00:37 < krzie> you should prolly go to #ubuntu and figure out how to watch your processes and analyze what is eating 100% of your cpu
00:38 < grendal_grime> ?  its openvpn
00:38 < grendal_grime> im sorry i should have specified that i already knew there
00:38 < grendal_grime> that
00:38 < krzie> the openvpn process?
00:38 < grendal_grime> yep
00:38 < krzie> openssl processes?
00:38 < grendal_grime> and then..whammo kernel panic
00:38 < krzie> (openssl is used for all encryption in openvpn)
00:39 < krzie> how many clients are using this server?
00:39 < krzie> is it on gigabit?
00:40 < krzie> are you using 2.1.1?
00:40 < grendal_grime> now...something else we had this problem before a few months back and we knoticed that it happened on the machines that were running with rather skimpy memory. so we increased the memory to 2 gigs and that seemed to help alot.
00:40 < grendal_grime> umm yes on the gig, around 500 connections (usually around 200 for each server)
00:40 < krzie> were you running out of memory when that was happening?
00:41 < grendal_grime> yep
00:41 < krzie> then yup, i can see how more would help ;)
00:41 < krzie> what are your CPUs?
00:41 < grendal_grime> grrr....not sure on that but there are 32 per host (thats why whey went with the sun's )
00:42 < krzie> however
00:42 < krzie> only 1 is being used per openvpn process
00:42 < grendal_grime> correct
00:42 < krzie> its not multi-threaded :(
00:42 < krzie> oh ok, so you run 32 openvpn processes?
00:43 < grendal_grime> well to be honest (and i i should know this because i am a VCP)  im not exactly sure how vmware does that.
00:43 < krzie> VCP?
00:43 < krzie> have you observed that all 32 cpu's are being used?
00:43 < grendal_grime> VMWare Ceritfied Professional.  
00:44 < krzie> oh
00:44 < grendal_grime> there are allot of other vms running on these boxes
00:44 < krzie> ok...
00:44 < grendal_grime> the way this usually works is that the cpu is dished out to the box that most needs it.
00:44 < krzie> then how can you tell its openvpn doing this??
00:45 < grendal_grime> because i can log into the box just like any other machine and watch the processes and see them max out and then kernel panic
00:45 < krzie> however, if you are strong that it is, use a client limit on each server so it doesnt trigger, make more servers and you can use dns to load balance it with remote-random
00:46 < krzie> if you can do that, you can tell if its using 1 processor or 32
00:46 < grendal_grime> ok getting into the reasons that we do load ballancing the way that we do is a long story.
00:46 < krzie> because you can watch the actual system instead and see if 32 cpus are maxing out or 1
00:48 < grendal_grime> ok...lets get off of the vmware aspect of it. lets just think of it as one machine (because thats the way its configured from opnevpns view of things).  Have you ever seen an openvpn machine panic when the cpy is maxed.
00:48 < krzie> nope
00:48 < grendal_grime> me neither...untell now
00:48 < krzie> thats why im not willing to look at the underlying aspect
00:48 < krzie> its not openvpn's view, your system is crashing
00:48 < krzie> err
00:49 < krzie> why im not willing to overlook*
00:49 < krzie> openvpn can only attach to 1 cpu
00:49 < grendal_grime> ya...thats the thing though the openvpn processes are whats pushing it over the top.  hmmm...
00:49 < krzie> so most likely, you could easily run a few more instances of it and scale better
00:50 < krzie> also, you likely need to tune your OS
00:50 < grendal_grime> well now...one thing i just realized. we are running multiple instances on each one. one for udp and one for tcp also the tcp's are using aes .
00:50 < krzie> sysctls and whatnot
00:50 < krzie> BF would be more cpu friendly, is openssl is using the cpu
00:51 < krzie> (which is why i was askin about that earlier)
00:51 < grendal_grime> bf?
00:52 < krzie> blowfish, default
00:52 < krzie> but im guessing with 500 clients you cant really do that after the face
00:53 < krzie> fact*
00:53 < krzie> you also may or may not be bound to a single cpu by vmware
00:53 < krzie> i wouldnt know
00:53 < krzie> if you are, you need entire different vm's for the processes
00:53 < krzie> (openvpn processes)
00:54 < krzie> unless you can make multi-cpu vm's
00:54 < grendal_grime> which we can
00:55 < grendal_grime> we dont usually though because literally it does not speed things up
00:55 < grendal_grime> multiple cpu vm's fundamentally dont make sence
00:56 < grendal_grime> and the reason...as im sure you can guess is because the vmware os uses whatever cpu it needs for a vm.  if it has 32 of them it farms out the process to what ever cpu is available.
00:56 < krzie> and you are running more than 1 vpn proc in the vm, right?
00:57 < krzie> but i doubt it can make openvpn multi-threaded
00:57 < krzie> once executed, it will remain on the same cpu
00:57 < grendal_grime> no each one is on its own host for redundancy reasons
00:57 < krzie> this will change one day, but thats how it works now
00:58 < grendal_grime> hmm so im wondering if maybe the handoff to another cpu is not causeing the problem...but see i dont think thats possible the handoff is totally transparent to the "guest machine"
00:59 < krzie> i dont think its being handed off to a different cpu at all
00:59 < krzie> and you are punishing 1 out of 32 processors
00:59 < grendal_grime> well there you would be wrong it uses vmotion to move running machines to diff hosts 
00:59 < krzie> per openvpn process that is
01:00 < krzie> ya i know nothing bout vmware
01:00 < grendal_grime> its pretty amazing. Its pretty damn expensive to
01:00 < grendal_grime> but anyway.  
01:00 < krzie> give what i said a try, see how it helps
01:01 < krzie> (starting more openvpn processes, limiting max clients each will accept
01:01 < krzie> i would be very happy to know how that helps you
01:01 < krzie> its not often i get to talk to someone with as many clients as you
01:01 < grendal_grime> well...how would i do that exactly?
01:02 < krzie> stuff from checking out your issue and whats going on could help find unknown problems
01:02 < krzie> for all i know ;]
01:02 < krzie> 1sec ill look
01:02 < krzie> !man
01:02 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
01:03 < grendal_grime> are you talking more vms... or more openvpn processes?
01:03 < krzie> --max-clients n 
01:03 < krzie> Limit server to a maximum of n concurrent clients.
01:03 < krzie> !--
01:03 < vpnHelper> krzie: "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file.
01:04 < grendal_grime> as far as more vm's thats easy enough to do but increasing the amount of openvpn processes and then limiting the number of connections to each one..well im a little lost on that.
01:04 < krzie> you currently load balance, correct?
01:04 < grendal_grime> we do that via the foundry.
01:05 < grendal_grime> not the openvpn server itself.
01:05 < krzie> so you can simply add more vms and do more via the foundry...?
01:06 < krzie> and from --remote
01:06 < krzie> If host is a DNS name which resolves to multiple IP addresses, one will be randomly chosen, providing a sort of basic load-balancing and failover capability.
01:06 < grendal_grime> so a connection request comes in to one ipaddress that is a foundry it has  any number of ip's it can send the request to on the otherside.
01:06 < krzie> which means its simple to add to your current load balancing
01:06 < grendal_grime> right we can create more vms and set up openvpn on each one.
01:07 < grendal_grime> the keys are all stored on a nfs share and are mounted from each box
01:07 < krzie> cool, give that a try, and give each openvpn server a --max-clients entry'
01:07 < grendal_grime> ok
01:07 < krzie> i dont know how many to use, but it sounds like you know what was doing ok and what was crashing...?
01:08 < grendal_grime> here is the problem...we need for each one of them to be able to handle all connections in the event the other two hosts(and therefor guests) go down.
01:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
01:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
01:08 < grendal_grime> if we set a max clients that is lower than our total clients we could have a seriouse problem.
01:09 < grendal_grime> the 500 is a round estament of simultaniouse connections..there are over 3000 possible;
01:09 < grendal_grime> is that a problem?
01:10 < krzie> depends how many you can make / have to make
01:10 < krzie> how many clients were connecting when you were crashing, how many were connecting when you were...?
01:10 < grendal_grime> oh i see what your saying...like 3 vms on one host
01:10 < krzie> were not / were *
01:10 < krzie> right
01:11 < krzie> see if that helps
01:11 < grendal_grime> ya...that would be a drag to have to do.  Alot more updates..well a shitload more maint thats for sure
01:12 < krzie> wouldnt they be almost identical systems?
01:12 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Read error: Connection reset by peer]
01:12 < grendal_grime> see we handle a couple of terrabytes through those things per week.  But like i say we got a major spike the other day and..
01:12 < krzie> like 1 line different on the whole machine!
01:12 < grendal_grime> no...its not that simple.  
01:13 < grendal_grime> these machiens bridge these connections
01:13 < grendal_grime> so there are dhcp pools to consider
01:13 < krzie> omfg 200 bridges per machine!?
01:13 < krzie> over 500!
01:14 < krzie> thats a whole shitload of layer2!
01:14 < grendal_grime> they have to be split up.. ...ya sounds about right ya
01:14 < krzie> have you ever seen a 500 node layer2?!?
01:14 < krzie> wow no wonder openvpn is trippin
01:14 < krzie> youd be kicking switches asses too
01:14  * Bushmills googles that funny term "terrabyte"
01:14 < grendal_grime> well im pretty sure thats why we are using these now
01:15 < krzie> what do you guys do!?
01:15 < grendal_grime> not at liberty to say
01:15 < krzie> it really needs layer2?
01:15 < Bushmills> ah.  1024 terrabytes = 1 lunabyte
01:16 < grendal_grime> see my thinking was that we neede to route this instead of briding it..but everyone says..no bridging is more simple on the backend .
01:16 < krzie> false
01:16 < grendal_grime> I know that bridging is much more complicated.
01:17 < grendal_grime> on the config side.
01:17 < krzie> routing is better unless you need a specific layer2 protocol
01:17 < theDoc> LAN gaming.
01:17 < krzie> !tunortap
01:17 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
01:17 < vpnHelper> krzie: against you over the vpn
01:17 < krzie> lan gaming being a great example =]
01:17 < grendal_grime> ahhhh
01:18 < grendal_grime> see ill bet you thats what happened
01:18 < theDoc> Talking about gaming, I'm quite excited to see sc2.
01:18 < grendal_grime> umm ya on the tap you guessed it the app uses windows shares and windows machines .
01:18 < krzie> !wins
01:18 < vpnHelper> krzie: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
01:22 -!- Grumple [~Grumple@69.81.147.238] has joined ##openvpn
01:23 < krzie> !secret
01:23 < vpnHelper> krzie: "secret" is funny that people use free programs, consult free help for them, run a business with them, but are restricted to say what they do.
01:23 < krzie> lol
01:24 < Bushmills> "we run a business - we want your money - but we don't tell you what we do" :D
01:24 < grendal_grime> so basically we would use tap connetions to the opnevpn servers and then the shares that the windows machines (connected via taps) would see the shares that samba would be conneting two?
01:24 < Grumple> Hi. I'm trying to set up openvpn on my server for use while I'm in China. I would like to use it to encrypt all of my traffic (web, mail, ftp). I'm having trouble getting this to work. I can get the server and client connected but cannot get my internet connection forwarded properly. Any tips on where to start fixing htis?
01:25 < Bushmills> !redirect
01:25 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
01:25 < Bushmills> Grumple: ^^^^
01:25 < Grumple> I enabled the redirect-gateway bit and NATed my connection but I missed the forwarding part.
01:26 < Grumple> What does the exclamation point in front of ipforward indicate?
01:26 < krzie> cool, the easiest step
01:26 < krzie> !ipforward
01:26 < grendal_grime> Grumple, i dont get it you cant must make your opnevpn server the gateway?
01:26 < vpnHelper> krzie: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
01:26 < Bushmills> same as the exclamation mark in front of !redirect
01:26 < Bushmills> redirect
01:27 < grendal_grime> by the way I know of situations in china and networking. If you do not turn over your keys to them they will hunt your ass down.
01:27 < Bushmills> (nothing happens)
01:27 < Grumple> What does the exclamation point in front of ipforward mean?
01:27 < krzie> Grumple, 
01:27 < krzie> !bot
01:27 < vpnHelper> krzie: "bot" is I'm a bot.. just a bot. krzee is my maintainer, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
01:27 < Grumple> What does the exclamation point in front of redirect mean... I mean...lol
01:27  * Bushmills borrows Grumple a pair of glasses
01:28 < theDoc> Lend, as opposed to borrow? :P
01:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
01:28 < Grumple> !ipforward
01:28 < Bushmills> probably
01:28 < vpnHelper> Grumple: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
01:29 < Grumple> Ahhh.... that is actually helpful
01:29 < Grumple> So I would need to choose linipforward. So... just man linipforward?
01:29 < krzie> haha
01:29 < krzie> !linipforward
01:29 < vpnHelper> krzie: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
01:30 < grendal_grime> I still dont understand his problem  I mean if you set up the openvpn server with iptables and masquarade you can just make it your gateway and its a done deal.
01:30 < krzie> it needs ip forwarding =]
01:30 < grendal_grime> browse via your 386 in your living room
01:30 < grendal_grime> openvpn?
01:30 < krzie> the OS
01:30 < grendal_grime> howso?  we do this all the time.
01:30 < grendal_grime> ooooo
01:30 < grendal_grime> ok
01:31 < krzie> you have ip forwarding enabled then! its not like its hard to do
01:32 < Bushmills> lack of understanding of the problem doesn't render the problem nonexisting
01:32 < Grumple> So I did sudo echo 1 > /proc/sys/net/ipv4/ip_forward and I get "Permission denied"? With sudo? How is that possible?
01:32 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
01:32 < krzie> Grumple,
01:32 < krzie> !notovpn
01:32 < vpnHelper> krzie: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
01:32 < grendal_grime> ill tell you this much though when you deal with china its not some telco in china its straight up china. They own the infrstructure. You have to have a sister company in that country and they want the keys (both sides) before they alow tunnels
01:32 < Bushmills> Grumple: imagine any user able to turn forwarding off again
01:33 < grendal_grime> Grumple, what distro?
01:33 < Bushmills> that'd be fun, in respect to reliability to the connection
01:33 < Bushmills> of
01:33 < Grumple> grendal_grime: Ubuntu latest
01:33 < grendal_grime> 10.04?
01:33 < Grumple> yep
01:34 < grendal_grime> that should make things easy.
01:34 < Bushmills> grendal_grime: my china contacts are able (and do) openvpn to out-of-country servers all the time, without problems
01:34 < Grumple> re: China.... I've used web based proxies and Tor there many times with no trouble. Do you have specific knowledge of trouble using a VPN outside of a corporate setting?
01:35 < Bushmills> and they've been doing so for years 
01:35 < grendal_grime> umm basically ...hold on i think i have a link to this.(on the ip forwarding that is) As far as china goes, im not at liberty to say.
01:35 < grendal_grime> ive built boxes that go there.  
01:35 < krzie> lol
01:36 < krzie> !secret
01:36 < vpnHelper> krzie: "secret" is funny that people use free programs, consult free help for them, run a business with them, but are restricted to say what they do.
01:36 < grendal_grime> thats all i can say
01:36 < krzie> you obviously think you know more than you do tho
01:36 < Bushmills> but you are at liberty to say that you aren't at liberty to say?
01:36 < grendal_grime> ok
01:36 < Grumple> I'm asking because I've been working from China (I'm a web developer) on and off for 6 years without trouble but I've never used my own VPN
01:36 < krzie> cause people run their own vpns tunneling outside of china every day
01:36 < Grumple> I have used paid VPNs, however
01:36 < grendal_grime> ok...i know nothing then
01:36 < krzie> have been, continue to, etc
01:37 < krzie> nobody has knocked down their doors
01:37 < Bushmills> usually, folks how aren't allowed to state things try to avoid the subjects which may hint that they aren't
01:37 < Grumple> Well, I'm just trying to determine what is opinion and what you've got specific knowledge of.
01:37 < krzie> if you base your knowledge on whether that is true or not, you must not
01:37 < Bushmills> and they don't say "i have a secret but i won't tell you what it is" :)
01:38 < krzie> Bushmills, exactly
01:39 < grendal_grime> sorry i brought it up. Was just trying to warn that it could be dangerouse.  Your right i know nothing about it
01:39 < krzie> anyways, 500 node bridge layer2 setup =/
01:39 < Grumple> No sweat. Like I said, I work there a lot and am aware of certain "issues" but accessing my own VPN from, say Starbucks, shouldn't be a problem (until the block my server, anyway)
01:39 < krzie> lol
01:40 < grendal_grime> right.
01:41 < Grumple> So the secret is ip forwarding (which I can Google I guess) but sudo is somehow failing on my server (but only on this proc command... ugh).
01:42 < grendal_grime> oh oh sorry i got distracted by the ...china thing.  umm hold on asec
01:43 < grendal_grime> http://linuxpoison.blogspot.com/2008/01/how-to-enable-ip-forwarding.html
01:43 < vpnHelper> Title: How to enable IP Forwarding | Linux Poison (at linuxpoison.blogspot.com)
01:43 < grendal_grime> now on the sudo thing
01:43 < grendal_grime> just do this...
01:43 < grendal_grime> sudo -s
01:43 < krzie> and cat the file
01:44 < grendal_grime> (also you need to be using a user account that has sudo ie..andministration privilages) 
01:44 < grendal_grime> otherwise THEY REPORT YOU TO CHINA HAHAHAH just kidding
01:45 < grendal_grime> the sudo -s will basically log you in as root on the machine
01:45 < grendal_grime> proc....all the other shit should fall into line then
01:45 < Grumple> Lemme try that... 
01:46 < Grumple> Oh, and here are the commands I was running to get this working... do they look correct?   http://pastebin.com/raw.php?i=6wvsZVDp
01:46 < grendal_grime> so krzie  basically what your telling me is that all these damn bridges are probably the problem of my kernel panic.
01:47 < Grumple> Yup, that worked. I never had to use sudo -s before.
01:47 < Bushmills> sudo echo 1 > /proc/sys/net/ipv4/ip_forward doesn't
01:47 < grendal_grime> 500 bridges are not eh wa to go.
01:47 < Bushmills> the > part is not execute as root
01:47 < Bushmills> executed
01:47 < grendal_grime> use the -s switch 
01:47 < Bushmills> only the echo 1 is
01:48 < Grumple> I did is as sudo -s and it worked
01:48 < grendal_grime> ya...i tell ya sometimes i really liked the old debian. but i digress
01:48 < Grumple> So you don't have to set any proxy settings on the client machine? Like you would with a SOCKS Proxy?
01:49 < grendal_grime> sudo -s is the closest thing we get now...and ( a tear squirts out my eye ) when i type that.
01:50 < grendal_grime> umm think like this...you set up the openvpn server to be a router.  route all the traffice comming in on the openvpn interface ie tun0 to go out thgough your ..eth0 on that machine
01:50 < grendal_grime> or eth1 or...eth12.. whatever your outside interface is
01:51 < krzie> Bushmills, oh damn thats right!
01:51 < krzie> i forgot about that!
01:51 < grendal_grime> you might want to grab a utill for doing this sort of stuff. if you have never set up a router before i would recommend using something like webmin or shorwall or...something liekt hat.
01:52 < krzie> grendal_grime, i disagree, better to learn how the software actually works
01:52 < Bushmills> krzie: "use more quotes"
01:52 < Bushmills> :D
01:53 < Grumple> It works!
01:53 < Grumple> Yep, I see. Cool. In all of the instructions I found online I never saw anything about using: echo "1" > /proc/sys/net/ipv4/ip_forward
01:53 < grendal_grime> krzie,  iptables? from command line ..for a guy who is grappleing with sudo...are you sure about this?
01:53 < Grumple> I have eth0... I was not so sure about the IP address I used with iptables but since it was the same as the one in the server.conf I figured it would work
01:53 < krzie> Grumple, nope, its handled by routing
01:53 < krzie> (socks ?)
01:53 < grendal_grime> well you are aparently right
01:54 < krzie> grendal_grime, maybe you're right in general, but i feel they will never have a clue if they go the gui route, if they learn it, it will take time but at least one day they will understand whats going on
01:55 < Grumple> It would be "grappling", not grappleing but hey, we all have our strong areas.
01:56 < grendal_grime> Grumple, im not trying to give you a hard time honestly i like the interface in webmin for dealing with iptables.  better than the sysco bs...arx web interface thats for sure
01:57 < krzie> !linnat
01:57 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
01:57 < krzie> hehe
01:57 < Grumple> I've used webmin in the past (fugly graphics) but I prefer the command line.
01:57 < grendal_grime> and as far as my spelling...its late here and  im runing our of wine
01:57 < Grumple> Same with my handling of sudo
01:57 < Grumple> But I still have plnty of wine
01:58 < Grumple> Anyway, thx for the help. It did the trick and I appreciate it.
01:58 < grendal_grime> well the problem i have is that management likes to see things that at least 2 other poeple can grasp...guess what they mostly use macs and windows.  so im forced to do things so that we all understand it.
01:58 < krzie> Grumple, np
01:58 < grendal_grime> im a pilot  as well i fly light aircraft...they are scared.
01:59 < Bushmills> you shouldn't be allowed to spill out those management preferences
01:59 < krzie> agreed
01:59 < grendal_grime> im not at liberty to say if im telling the truth
02:00 < krzie> not at liberty to give menagement protocol
02:00 < Bushmills> and - telling us that they use windows and macs - that's a dead giveaway
02:00 -!- Grumple [~Grumple@69.81.147.238] has quit [Quit: Leaving]
02:00 < krzie> management
02:00 < theDoc> !windows
02:00 < vpnHelper> theDoc: "windows" is pcs are like air conditioners, they work fine unless you open windows
02:00 < krzie> yup, giving info on their infrastructure!
02:00 < grendal_grime> lock it down i you use webmin. only alow local access then tunnel yourself in with ssh.
02:00 < Bushmills> they could sue you
02:00 < grendal_grime> not that im at liberty to say thats how i do it but...if i had to use an interface i would lock it down like that..
02:00 < krzie> this is either against the law or an NDA
02:01 < krzie> dont break it by telling us all that!
02:01 < grendal_grime> Im blaiming the wine
02:01 < krzie> they dont care where you place blame
02:01 < Bushmills> now i understand why the amount of traffic was obfuscated by using the unit of "terrabytes"
02:01 < krzie> if they type !irclogs they will fire you!
02:02 < krzie> or have you killed
02:02 < grendal_grime> besides im using my vpn macine in china to get to this
02:02 < grendal_grime> china will yank my fingernails before the company here even realizes im online
02:02 < krzie> see, now chinas going to come after you
02:02 < krzie> the company already knows
02:02 < krzie> they are running a trace right now
02:03 < grendal_grime> god damn it...and all because my eyes are blue LOOK WHAT YOU ALL HAVE DONE TO ME!!!
02:16 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
02:18 -!- Run32dll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:19 -!- takamichi [~pri@78.133.37.89] has joined ##openvpn
02:25 -!- jhaar [~jhaar@2001:470:828b:0:21c:bfff:fea9:1197] has quit [Quit: Leaving.]
02:28 -!- tazmania [~tazmania@194.46.49.60.kmr01-home.tm.net.my] has joined ##openvpn
02:32 -!- sathia [~sathia@151.59.128.58] has joined ##openvpn
02:32 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
03:23 -!- grendal_grime [~sgraham@dsl-12-44-166-053.arpa2.caltel.com] has quit [Quit: Ex-Chat]
03:36 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
04:02 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
04:12 -!- dazo_afk is now known as dazo
04:23 -!- roentgen [~arthur@miranda/user/roentgen] has joined ##openvpn
04:42 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:47 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
05:02 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
05:25 < sathia> krzie: are you here?
05:31 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:39 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
05:39 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
05:47 -!- Champi [Champi@damn.e-leet.be] has joined ##openvpn
06:03 -!- roentgen [~arthur@miranda/user/roentgen] has left ##openvpn ["Leaving."]
06:49 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
06:57 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:59 -!- sathia [~sathia@151.59.128.58] has left ##openvpn []
07:06 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
07:16 -!- Netsplit *.net <-> *.split quits: agagag, macsppadic, DarthGandalf
07:16 -!- DrPepper2 [~DrPepper@88.207.189.81] has quit [Ping timeout: 265 seconds]
07:18 -!- Netsplit over, joins: agagag, DarthGandalf
07:20 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
07:22 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
07:31 -!- tazmania [~tazmania@194.46.49.60.kmr01-home.tm.net.my] has quit [Ping timeout: 258 seconds]
07:32 -!- tazmania [~tazmania@99.45.50.60.kmr04-home.tm.net.my] has joined ##openvpn
07:38 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
07:55 -!- Serideru [~GTWebster@24-117-150-192.cpe.cableone.net] has quit [Remote host closed the connection]
08:05 -!- sathia [~sathia@151.59.128.58] has joined ##openvpn
08:06 < sathia> krzie?
08:31 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
08:31 -!- tazmania [~tazmania@99.45.50.60.kmr04-home.tm.net.my] has quit [Ping timeout: 245 seconds]
08:31 -!- tazmania [~tazmania@124.13.149.30] has joined ##openvpn
08:46 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
08:49 -!- hid3 [~tst@lan-78-157-71-116.vln.skynet.lt] has left ##openvpn []
08:53 -!- sathia [~sathia@151.59.128.58] has quit [Ping timeout: 245 seconds]
09:00 -!- sathia [~sathia@151.59.128.62] has joined ##openvpn
09:04 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
--- Log closed Mon May 24 09:13:07 2010
--- Log opened Mon May 24 10:09:02 2010
10:09 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
10:09 -!- Irssi: ##openvpn: Total of 92 nicks [2 ops, 0 halfops, 0 voices, 90 normal]
10:09 !niven.freenode.net [freenode-info] channel flooding and no channel staff around to help? Please check with freenode support: http://freenode.net/faq.shtml#gettinghelp
10:09 -!- Irssi: Join to ##openvpn was synced in 31 secs
10:10 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
--- Log closed Mon May 24 10:10:21 2010
--- Log opened Mon May 24 10:10:37 2010
10:10 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
10:10 -!- Irssi: ##openvpn: Total of 93 nicks [2 ops, 0 halfops, 0 voices, 91 normal]
10:11 -!- Irssi: Join to ##openvpn was synced in 33 secs
10:12 < sathia> i'll brb but I successfully installed openvpn on the pfsense thing :p
10:31 -!- tazmania [~tazmania@124.13.149.30] has quit [Ping timeout: 245 seconds]
10:31 -!- tazmania [~tazmania@124.82.43.152] has joined ##openvpn
10:32 -!- leleobhz [~leleobhz@unaffiliated/leleobhz] has joined ##openvpn
10:32 -!- leleobhz [~leleobhz@unaffiliated/leleobhz] has quit [Client Quit]
10:32 -!- leleobhz [~leleobhz@unaffiliated/leleobhz] has joined ##openvpn
10:33 < leleobhz> Im trying to use Openvpn + CCD with CACert certificates
10:33 < leleobhz> and i got with a problem: Users not assured have WoT Cacert in CN field
10:33 < leleobhz> (doesnt have the user name)
10:34 < leleobhz> have some way to compare another parameters inside certificate like mail address?
10:40 -!- krzie [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
10:50 < krzee> Bushmills, good point
10:51  * Bushmills googles for beer of the brand "point"
10:52 < krzee> hah
10:52 < krzee> one probably exists
10:53 -!- quux [mota@unaffiliated/quux] has joined ##openvpn
10:53 -!- quux [mota@unaffiliated/quux] has left ##openvpn []
10:53 -!- mota [mota@about/windows/regular/mota] has joined ##openvpn
10:53 < krzee> www.pointbeer.com
10:57 < Bushmills> "i am 21 years old"   ->  no.  i am 21+ :P
10:58 < Bushmills> soda ... root beer ... vanilla cream ... pfff
10:59 < krzee> ya usa has a lot of bs beer companies
11:00 < krzee> not sure if you've ever tasted the piss known as budweiser...
11:02 < krzee> http://grapesandgrains.files.wordpress.com/2009/01/sierra-nevada-pale-ale.jpg
11:02 < krzee> thats good beer from usa
11:02 < krzee> http://4.bp.blogspot.com/_IOaEewD4p9w/SdIQlhV19FI/AAAAAAAAATY/_8m-fqlsOKQ/s320/Blue-Moon-Beer-780348.bmp.jpg
11:04 < ecrist> Summit EPA is good, Michelob Golden Draft Light is good
11:05 < krzee> http://i12.photobucket.com/albums/a205/coryses/GreatWhite_20041115114811.jpg
11:05 < krzee> eww @ michelob
11:05 < ecrist> krzee: have you had the golden draft light?
11:05 < ecrist> is specific to the midwest
11:05 < krzee> theres very very few decent pilsners or drafts in usa
11:05 < ecrist> s/is/its/
11:05 < krzee> i believe i have
11:05 < krzee> as far as usa, ive been almost everywhere
11:05 -!- leleobhz [~leleobhz@unaffiliated/leleobhz] has left ##openvpn ["Ex-Chat"]
11:06 < ecrist> I have not once heard someone who's tried it claim it was gross.
11:06 < krzee> including your home town =]
11:06 < ecrist> Hibbing?
11:06 < krzee> twin cities
11:06 < ecrist> or, where I call home now
11:06 < ecrist> ah
11:06 < krzee> never heard of hibbing ;]
11:06 < jpalmer> ecrist,  since you and krzee are active right now..  I got the quick gist from krzee about the bounty idea in last thursdays meeting.
11:07 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
11:07 < krzee> yanno logs from the dev meetings are out there too ;]
11:07 < jpalmer> sounds like it was generally accepted.  so,  curious:  are there plans to implement it in the nearish future?  or is there some deliberation about the splits and such that need to occur?
11:07 < jpalmer> krzee,  I wasn't aware of the logs.  happen to have a URL?
11:08 < krzee> lemme look
11:08 < jpalmer> awesome.
11:08 < jpalmer> krzee: also,  did you see that iphoneOS 4.0 is going to add SSL vpn capability?   we may have to consider doing an iphone openvpn app ;)
11:09 < krzee> you mean like
11:09 < krzee> !iphone
11:09 < vpnHelper> krzee: "iphone" is (#1) http://github.com/jfx2006/OpenVPN_iphone/downloads for precompiled iphone binaries, or (#2) http://modmyi.com/cydia/package.php?id=15784 for the gui portion
11:09 < krzee> its already in cydia ;)
11:09 < jpalmer> krzee: I mean an actual app appstore style for those who can't/won't jailbreak ;)
11:09 < krzee> not possible since tun/tunemu isnt supported by them
11:10 < krzee> if apple had tun or tunemu im very sure the rest would happen very fast
11:11 < krzee> current case is you need jailbreak in order to install the device, as far as i understand it
11:11 -!- IAMYOURFATHER [~sonupunno@88.211.55.77] has left ##openvpn []
11:12 < jpalmer> krzee: hrm,  Thats another note I'll make to my "iphone in enterprise" collection for apple.
11:12 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
11:12 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:13 < krzee> !osxtuntap
11:13 < vpnHelper> krzee: Error: "osxtuntap" is not a valid command.
11:13 < krzee> !mactuntap
11:13 < vpnHelper> krzee: "mactuntap" is http://tuntaposx.sourceforge.net/ for osX tuntap drivers
11:13 < krzee> if they basically made that for iphone/ipad/itouch, the rest would be the community/openvpn's job
11:14 < krzee> and it would happen pretty quick
11:16 -!- grendal_grime [~sgraham@riverbank.fpdomain.com] has joined ##openvpn
11:17 < grendal_grime> hey guys
11:17 < krzee> and thats BSD licensed
11:17 < krzee> (osx tuntap)
11:17 < krzee> as seen here, http://sourceforge.net/projects/tuntaposx/
11:17 < vpnHelper> Title: tuntaposx | Get tuntaposx at SourceForge.net (at sourceforge.net)
11:17 < grendal_grime> krzee, you the same guy i was talking to last night about my kernel panicking openvpn servers?
11:18 < krzee> yupyup
11:18 < krzee> howd my suggestion go?
11:19 -!- y0tta [~y0tta@ip26.208-100-1.static.steadfast.net] has joined ##openvpn
11:19 < grendal_grime> ok i was just looking over our conversation.  I think i did not convey something correctly.. we do not create 500 bridges on those machines.  We have 500 machines connecting through one bridge.
11:19 < krzee> right
11:19 < krzee> 500 machines in a single broadcast domain
11:20 < krzee> insane, even without VPN
11:20 < krzee> if they were all in 1 building, insane
11:20 < krzee> maybe ecrist can comment on that
11:20  * krzee pokes ecrist 
11:21 < grendal_grime> ok, well there is a possibility of 500 on one machine, we usually have just under 200 per machine.  
11:21 < krzee> either way, all are in 1 broadcast domain, right?
11:22 < ecrist> afk, for a while, sorry
11:22 < krzee> np
11:23 < grendal_grime> ya.  I mean well basically they connect via one of three subnets to get to one of several windows boxes on the same network.
11:23 < krzee> arp / broadcast traffic / etc are going to every node, regardless of which vpn they are on
11:23 < krzee> so you have 200 clients on 1, but all 500 are talking layer2 with all the rest
11:23 < krzee> 500 nodes on a single bc domain is too much! regardless of it being a VPN or not
11:23 < grendal_grime> so as you were pointing out we are suceptalbe to arp attacks from each and every one of the boxes on there as well.
11:24 < krzee> correct
11:24 < krzee> layer2 was not built with security in mind
11:24 < krzee> you really should enable WINS (which can be pushed by openvpn) and switch to tun
11:24 < krzee> you will get better throughput and performance
11:24 < krzee> and no layer2 security issues
11:25 < grendal_grime> ya...That may be a hard sell here. all the machines in the field are using tap to connect.
11:25 < krzee> you may find that without all that layer2 chatter (which i would think is quite a bit with 500 nodes) you will be able to handle more per machine
11:27 < krzee> backwards compatibility is a problem that has made windows suck for many many yrs, personally i like apple's approach, with osx they admitted they needed to start over the right way, and as a result they have a nice OS now
11:27 < grendal_grime> ya no shit.
11:28 < krzee> the solution to doing something wrong is to not continue doing it just because you already were
11:28 < krzee> also, you dont have to move EVERYONE in 1 day, you could use a different port for tun and move people over a period of time
11:29 < krzee> with a cutoff date where tap will go byebye
11:29 < ecrist> krzee: what were you pinging me for?
11:29 < krzee> but of course, thats a business decision to be made
11:29 < krzee> [09:22]  <grendal_grime> ok i was just looking over our conversation.  I think i did not convey something correctly.. we do not create 500 bridges on those machines.  We have 500 machines connecting through one bridge.
11:29 < krzee> [09:22]  <krzee> right
11:29 < krzee> [09:22]  <krzee> 500 machines in a single broadcast domain
11:29 < krzee> [09:22]  <krzee> insane, even without VPN
11:29 < krzee> [09:23]  <krzee> if they were all in 1 building, insane
11:29 < krzee> [09:23]  <krzee> maybe ecrist can comment on that
11:29 < krzee> [09:23]  * krzee pokes ecrist 
11:29 < grendal_grime> ya.  Well again i didnt develop it.  Im just dealing with the aftermath and i ya that makes sense we have other upgrades we are pushing to these boxes.
11:30 < krzee> grendal_grime, if youd like me to take a look i could tell you anything else you might want to work into the migration
11:30 < grendal_grime> we could just go that route.
11:30 < ecrist> that's a lot of ethernet traffic...
11:30 < krzee> for example, if they arent checking server certs, if there is no HMAC sigs, etc
11:31 -!- ta2mania [~tazmania@114.33.50.60.kmr04-home.tm.net.my] has joined ##openvpn
11:31 < grendal_grime> i believe you would have to sign some paperwork first.  But...now this is something that i know they will be interested in....Do you offer training?
11:31 -!- tazmania [~tazmania@124.82.43.152] has quit [Ping timeout: 265 seconds]
11:31 < grendal_grime> asside from here.
11:32 < grendal_grime> hehehe
11:32 < krzee> not me, my name doesnt connect with IRC
11:32 < krzee> but a client cert with no remote address has NOTHING private about it
11:32 < krzee> err
11:32 < krzee> client config rather
11:33 < krzee> and i dont require the remote command to look at that
11:33 -!- DrPepper2 [~DrPepper@88.207.189.81] has joined ##openvpn
11:33 < grendal_grime> bummer.  Im sure they would pay for someone to train a few people.
11:33 < krzee> theres others here more than qualified
11:33 < grendal_grime> we cant find anyone who offers training for anything more complex than we have already gotten
11:34 < Bushmills> probably too restrictive NDAs?
11:34 < grendal_grime> if that makes sense?
11:34 < grendal_grime> i wish i could drink at work
11:34 < Bushmills> passing needles instead of pens, to sign with blood :)
11:34 < grendal_grime> anyway Bushmills your pretty on the nailhead with that.
11:35 < grendal_grime> needlehead
11:35 < krzee> Bushmills is one of the people especially qualified to do anything you could need
11:35 < krzee> ecrist is another
11:35  * Bushmills denies that
11:35 < grendal_grime> anyway.  You have given me some good information and thank you for that.
11:35 < krzee> well whether they need work, thats another matter i bet ;]
11:35 < grendal_grime> I mean i would marry your sister for this help you have given me....even the ugly one.
11:36 < krzee> dazo would be another, jjk from the mail list, etc
11:36 < krzee> the ugly one is far too young to marry
11:36 < krzee> :-p
11:38 < grendal_grime> ok...well do any of the guys you mentioned above have ugly sisters?
11:38 < krzee> youd have to ask them, but note thats not a good opener when looking for help
11:38 < krzee> lol
11:38 -!- sathia [~sathia@151.59.128.62] has left ##openvpn []
11:39 < grendal_grime> hehehe depends on what country your in i guess...in some countrys (so i hear) its down right hospitable to offer to marry the ugly daughter in trade for assistance.
11:39 < grendal_grime> there are allot of varriables to consider though im sure.
11:39 < krzee> jpalmer, https://community.openvpn.net/openvpn/wiki/IrcMeetings
11:39 < vpnHelper> Title: IrcMeetings – OpenVPN (at community.openvpn.net)
11:40 < grendal_grime> nevermind...wife says i cant marry anyone else.
11:42 < grendal_grime> that complicates things..ill have to use money now
11:42  * dazo looks up
11:43 < krzee> dazo, grendal_grime could use an openvpn tech for hire if said tech was willing to sign an NDA (that removes me from eligibility)
11:43 < krzee> i sign NADA unless the court makes me (which happened this morning coincidently)
11:43 < krzee> nada being "nothing"
11:43 < dazo> krzee: I don't think I'm allowed to sign any other NDA's than what I already have at work ....
11:45 < krzee> funny thing, he cant post his client config (without remote) to get suggestions on anything else to change without NDA, lol
11:45 < krzee> he has 500 vpn clients on a bridge, thats one hell of a broadcast domain!
11:46 < krzee> get rid of the words vpn / bridge and just think of that in terms of 500 machines in a BC domain, insanity!
11:46 -!- y0tta [~y0tta@ip26.208-100-1.static.steadfast.net] has quit [Ping timeout: 265 seconds]
11:49 < dazo> oh dear ....
11:50 < Bushmills> and he's not allowed to go into details, probably because information about the setup might scare away potential customers
11:54  * dazo thinks he passes this chance to someone else ... 
11:54 < krzee> Bushmills, lol too true
11:54 < krzee> i know i wouldnt use or especially pay to join a 500 member layer2
11:55 < krzee> i could static arp to the uplink, but they wouldnt have static arp to me... no thanks
11:56 < krzee> (besides the fact that my poor inet connection might kill itself over the chatter)
11:56 < Bushmills> arptables would still help - but then there's be very little point in bridging
11:56 < krzee> theres actually no point in it anyways, all he needs is WINS
11:56 < Bushmills> not to think of wasted bandwidth, right
11:58 < Bushmills> i actually don't know the reason for the bridge. maybe a multi user D&D? a massive FPS?
11:59  * Bushmills wonders whether arptables could be used to work as a selective cheat
12:00 < krzee> he mentioned they dont need layer2, but they do use windows shares so maybe thats why it was made as a bridge
12:00 < Bushmills> ehm  DD&D (for distributed, no central server)
12:00 < krzee> i wonder if he violated his signed-in-blood NDA by saying that
12:01 < krzee> (he wasnt at the company when they setup the current solution)
12:02 < Bushmills> bridging is often mistaken as the way to simplify a solution.
12:02 < krzee> yup, those thousands of BS walkthroughs dont help that situation any
12:02 < Bushmills> "we want our hubs back"
12:04 < Bushmills> i must admit that when i set up openvpn initially, i was tempted to use bridging, thinking i needed that for client to client comms
12:05 < Bushmills> then i decided against it, thinking of doing incremental refinement of my skills, and starting with client-server only
12:05 < Bushmills> could be that that thought is one causing people to set up bridged configs even though it isn't needed
12:05 < krzee> my very first setup was a bridge, long ago
12:06 < krzee> then i learned i was wrong
12:06 < krzee> ive been the tun V tap nazi ever since ;]
12:07 < Bushmills> of being able to push routes i first thought of a kind of hack to work around bridging
12:08 < Bushmills> only a bit later i learned then that i seemed to have managed to avoid the pitfalls by sort of chance
12:09 < krzee> i take my first vpn as a learning experience, and i sure did learn from it!
12:29 -!- tazman1a [~tazmania@160.33.50.60.kmr04-home.tm.net.my] has joined ##openvpn
12:32 -!- ta2mania [~tazmania@114.33.50.60.kmr04-home.tm.net.my] has quit [Ping timeout: 265 seconds]
12:40 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
12:41 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
12:55 -!- General_Jung [~anon@p57B66E18.dip.t-dialin.net] has joined ##openvpn
12:57 < General_Jung> Hi I try to use openvpn on a external root server to make samba more secure for my admins
12:58 < General_Jung> everytime I setup the brdige my network collapse and I have to use remote consle
12:58 < krzee> you dont need bridge
12:58 < krzee> use tun
12:58 < krzee> !wins
12:58 < vpnHelper> krzee: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
12:58 < grendal_grime> hmmm ok im starting to better understand the 500 node issue...basically its pretty difficult to even find a physical 500 node switch.
12:58 < krzee> and wins =]
12:58 < General_Jung> really ?
12:59 < General_Jung> I got two IP adresses 85.214.54.67 / 81.169.174.152
12:59 < krzee> grendal_grime, and even if you hooked switches together, you would kick their asses with that broadcast traffic
12:59 < General_Jung> will this works also for the rcon ?
12:59 < krzee> whats rcon?
13:00 < General_Jung> I got some gameservers there
13:00 < grendal_grime> right.  So basically ...now i could still use the tap between the vpn client and theserver right..just rout it from there to my backend processes...
13:00 < General_Jung> its the remote control systme
13:00 < General_Jung> but the gs running on different ips with the same port
13:00 < krzee> you wont use tap
13:00 < krzee> you will use tun
13:00 < General_Jung> so localhost internally wont work right ?
13:00 < General_Jung> yea
13:00 < krzee> and are you saying that you need access to a LAN behind the server?
13:00 < grendal_grime> thats a hard sell all the boxes in the field use tap to connect.
13:00 < grendal_grime> ya
13:00 < General_Jung> no
13:01 < grendal_grime> thats where the bridge comes in
13:01 < General_Jung> not directly
13:01 < krzee> nope
13:01 < grendal_grime> krzee, private ok?
13:01 < krzee> !route
13:01 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:01 < General_Jung> but there are two gameservers running on 85.214.54.67:27015 / 81.169.174.152:27015
13:01 < General_Jung> can I reach both ?
13:01 < krzee> meh, your names are so close its confusing me
13:01 < krzee> oh game servers
13:02 < krzee> so you have LAN gaming over the vpn?
13:02 < General_Jung> NO
13:02 < General_Jung> for RCOn
13:02 < General_Jung> because RCON is unsecure
13:02 < General_Jung> so I want to tunnel
13:02 < krzee> remote control over the machines?
13:02 < krzee> like remote desktop...?
13:02 < General_Jung> no
13:02 < General_Jung> its to change maps ,etcc
13:02 < krzee> it operates on layer3 (IP) ?
13:03 < General_Jung> Its complicated to explain
13:04 < krzee> actually its not
13:04 < krzee> either it is layer2 (mac address) or layer3 (ip address) which the protocol you need uses
13:04 < krzee> quite simple to answer :-p
13:04 < General_Jung> IP
13:04 < General_Jung> why to use ma
13:04 < krzee> ok, you dont need tasp / bridge
13:04 < General_Jung> MAC
13:05 < krzee> tap*
13:05 < krzee> if it used MAC address, you would need tap / bridge
13:05 < General_Jung> but the two gameservers runs on different ips with same port
13:05 < krzee> doesnt matter
13:05 < General_Jung> so would the reachable ?
13:05 < General_Jung> both
13:05 < krzee> the server has a route to them, you just need to push a route to the VPNs with those IPs
13:06 < krzee> route IP 255.255.255.255
13:06 < krzee> or for the whole /24, just change the netmask
13:06 < krzee> oh my mistake...
13:06 < krzee> !push
13:06 < vpnHelper> krzee: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
13:06 < krzee> push "route IP 255.255.255.255"
13:06 < krzee> !sample
13:06 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
13:07 < krzee> the route command causes the machine that runs it to route the subnet over the VPN
13:07 < krzee> so you push it from server, every client will run it
13:07 < krzee> server will also need IP forwarding
13:07 < krzee> !ipforward
13:07 < vpnHelper> krzee: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
13:08 < krzee> depending on your OS, choose 1 from above
13:09 < General_Jung> But how can I reach the different IPs throzgh the tunnel
13:09 < krzee> by pushing both!
13:10 < krzee> or a subnet including both
13:10 < General_Jung> but the IPS are reachable also in inet
13:10 < General_Jung> without vpn
13:10 < krzee> so?
13:10 < General_Jung> when will the client now when to use vpn
13:10 < krzee> based on its routing table
13:11 < krzee> when the server reaches them, does it do it over the LAN or the internet?
13:11 < General_Jung> internet
13:11 -!- y0tta [~y0tta@ip26.208-100-1.static.steadfast.net] has joined ##openvpn
13:11 < General_Jung> only the RCON system should be tunneld
13:11 < krzee> i mean
13:11 < General_Jung> so if aminds play on the server normally throgjh inet and if the want to administrate through VPN because it is blocked by ipt
13:11 < krzee> when the server communicates with the RCON system, is it LAN or internet?
13:12 < krzee> (without any vpn)
13:12 < General_Jung> inet
13:12 < General_Jung> normally
13:12 < General_Jung> but beacuse the system is very insecure
13:12 < krzee> so you want the clients to connect with the vpn server over VPN, and send traffic to the RCON system over the same VPN?
13:13 < General_Jung> I want to block RCON from the internet but allow acces though it
13:13 < krzee> !learn osxipforward as sysctl -w net.inet.ip.forwarding=1 for a temp solution
13:13 < vpnHelper> krzee: Joo got it.
13:15 < krzee> !learn osxipforward as add IPFORWARDING=-YES-    in /etc/hostconfig for a permanent solution
13:15 < vpnHelper> krzee: Joo got it.
13:15 < krzee> !osxipforward
13:15 < vpnHelper> krzee: "osxipforward" is (#1) sysctl -w net.inet.ip.forwarding=1 for a temp solution, or (#2) add IPFORWARDING=-YES- in /etc/hostconfig for a permanent solution
13:15 < krzee> General_Jung, ok, no problem
13:16 < krzee> General_Jung, i take it you need to use the same IP even when going over the VPN to reach the RCON stuff?
13:16 < General_Jung> So if my admins connect to RCON they use the VPN Server IP instead of inet  IP
13:16 < krzee> (the internet IP, as opposed to VPN ip)
13:16 < krzee> oh ok
13:16 < krzee> well thats even easier then
13:16 < General_Jung> yea
13:16 < krzee> err wait
13:16 < krzee> they CAN use vpn ip, right?
13:16 < General_Jung> but the problem is that there are running different gameservesr
13:16 < General_Jung> k
13:17 < General_Jung> on different internet ips
13:17 < General_Jung> so if the server vpn is 111.111.111.111
13:17 < General_Jung> but the rcon system runs on same port
13:17 < grendal_grime> holler when you are ready krzee
13:17 < General_Jung> so I need two VPN Server IPs
13:17 < General_Jung> linked to each inter IP
13:17 < General_Jung> or ?
13:18 < krzee> no you dont
13:18 < krzee> so answer this, can your people use VPN ip to do what they need, or does it HAVE TO go to inet ip?
13:18 < General_Jung> currently they only use inet
13:19 < General_Jung> because I can´t get even normal vpn works
13:19 < krzee> if the same machine had a VPN ip, could they use that!?
13:19 < General_Jung> tun and tap
13:19 < General_Jung> with a picture it would be much more usefull
13:19 < krzee> no
13:19 < krzee> i understand
13:19 < krzee> its you who doesnt
13:20 < krzee> if the same machine had a VPN ip, could they use that!?
13:20 < General_Jung> yea I dont´understnad
13:20 < General_Jung> ^^
13:20 < General_Jung> sry
13:20 < krzee> ok...
13:20 < krzee> lets say the RCON server had a VPN ip on it
13:20 < krzee> 10.8.0.X
13:20 < General_Jung> k
13:20 < krzee> does whatever you are running allow them to connect to THAT ip?
13:21 < General_Jung> yes
13:21 < General_Jung> thrigh inet
13:21 < krzee> umm dude
13:21 < krzee> 10. ips dont route over the internet
13:21 < krzee> that would be over the VPN
13:21 < General_Jung> whats your native langauge ?
13:21 < krzee> english
13:22 < General_Jung> k
13:22 < General_Jung> yea I now that 10 is a internal IP range
13:22 < General_Jung> as 192.168.1 + 2
13:22 < General_Jung> but currently there is no VPN config
13:23 < General_Jung> current the server are running only on internet and I cant bind the rcon system on other ip then the gameserver itself
13:23 < General_Jung> I only can block this port with iptables
13:23 < krzee> so heres all you need
13:23 < General_Jung> but that doesn´t met the encrytption problem
13:23 < krzee> a normal vpn setup
13:23 < krzee> no pushing routes or anything!
13:23 < General_Jung> with tap ?
13:23 < krzee> !sample
13:23 < General_Jung> without brdige
13:23 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
13:23 < krzee> NO!!!!
13:24 < krzee> with tun
13:24 < General_Jung> k
13:24 < krzee> you ONLY need tap when you need a layer2 protocol
13:24 < General_Jung> k
13:24 < krzee> you use IP, stop trying to make it harder than it is!
13:24 < General_Jung> ^^
13:24 < krzee> heres what you change from my sample configs
13:25 < krzee> !static
13:25 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
13:25 < krzee> the RCON machines need static IPs on the VPN
13:25 < krzee> traffic to the RCON machines is all you need to secure?
13:25 < General_Jung> correct
13:25 < krzee> you have 2.1.1 on all vpn nods i take it, since this is a new vpn
13:26 < krzee> if so, add this to the server:
13:26 < krzee> topology subnet
13:26 < General_Jung> yea debian lenny 
13:26 < krzee> !ccd
13:26 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
13:26 < krzee> client-config-dir /path/to/CCD_DIR
13:26 < krzee> then you make files in that dir for the RCON machines
13:26 < General_Jung> sry the clients are windows
13:27 < General_Jung> but k
13:27 < krzee> files must match certificate common-name EXACTLY
13:27 < General_Jung> yea already noticed that
13:27 < krzee> my client config will change slightly for windows
13:27 < krzee> for windows, remove group and user entries
13:27 < krzee> !winpath
13:27 < vpnHelper> krzee: "winpath" is Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key"
13:27 < General_Jung> yea
13:28 < krzee> once you give static IPs to the RCON machines, you access them by their VPN ip for now on
13:28 < krzee> boom, you're done
13:28 < General_Jung> k but I cant bind the RCON system different from the gameservers
13:28 < General_Jung> they have to be run on inet ips
13:28 < krzee> i asked you like 5 times if your system could handle you connecting to VPN_IP on rcon server
13:29 -!- ta2mania [~tazmania@209.46.49.60.kmr01-home.tm.net.my] has joined ##openvpn
13:29 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
13:29 < krzee> because if not, you can still solve this with routing
13:29 < krzee> but it becomes different
13:29 < General_Jung> 20:23:15) <General_Jung> current the server are running only on internet and I cant bind the rcon system on other ip then the gameserver itself
13:29 < krzee> so if you MUST reach RCON based on INET ips, heres what you do
13:29 < General_Jung> thx for you help
13:30 < krzee> RCON machines must have ip forwarding enabled
13:30 < krzee> then you read this:
13:30 < General_Jung> and sry for my very less knowledge
13:30 < krzee> !route
13:30 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:30 < General_Jung> k
13:30 < krzee> the INET ip of each RCON server should be thought of as a LAN behind that client
13:30 < krzee> and my !route document will work
13:31 < krzee> ignore the section "ROUTES TO ADD OUTSIDE OPENVPN" as you arent actually connecting to a LAN, just an IP which openvpn doesnt know about
13:31 < General_Jung> k
13:31 < krzee> everything else applies (except no lan behind server)
13:31 < krzee> grendal_grime, your turn!
13:32 -!- tazman1a [~tazmania@160.33.50.60.kmr04-home.tm.net.my] has quit [Ping timeout: 276 seconds]
13:33 < grendal_grime> krzee so i have one loadballancing  solution (boxA) that connect to three openvpn servers B,C, D.  I have three subnets  10.0.1.0 10.0.2.0 and 10.0.3.0.  that those vpnservers bridge to.  
13:33 < krzee> ok...
13:33 < krzee> (me notes again that DNS would be sufficient for load balancing)
13:34 < grendal_grime> the clients when connected are handed address from a pool for ech of those subnets (depneding on wich vpnserver they are connected to.
13:34 < grendal_grime> the clients are connecting NOW with tap devices.
13:34 < krzee> right...
13:35 < grendal_grime> so i have to look at those three subnets as ONE subnet because they all are seeing each other...netmast of 255.255.0.0
13:35 < grendal_grime> netmask that is
13:35 < krzee> right, they are 1 broadcast domain...
13:36 < grendal_grime> correct.  So now what exactly would the problem most likely be?  Is it the fact that there is sooo much broadcast info being thrown around on the switch that the openvpnserver has to work it out?
13:36 < krzee> i would assume so
13:36 < krzee> youd fry a switch ild think
13:36 < grendal_grime> the switch in essence being the openvpnservers.
13:37 < krzee> yupyup
13:37 < krzee> correction, youd fry a bunch of switches
13:37 < grendal_grime> ok.  Routing would not add overhead to these boxes that would not already be there in the switch?
13:37 < krzee> (seeing as youd never find *1* to hook 500 clients into)
13:37 < krzee> it would REMOVE overhead
13:37 < krzee> and for you, quite a bit of it
13:38 < krzee> performance overhead, bandwidth overhead
13:38 < krzee> ild love to get stats on what you save in each in fact!
13:39 < krzee> with roughly same number of clients
13:39 < krzee> that would be a great thing for you to add to the community
13:39 < krzee> please please do make a writeup on our WIKI after migrating and keeping notes on performance / bandwidth / and number of users
13:40 < grendal_grime> Ill do whatever i can.
13:40 < grendal_grime> if i can convince people that this is the best way to go.
13:41 < grendal_grime> ill talk to our ccne
13:41 < grendal_grime> ss
13:41 < grendal_grime> i mean it makes total sence to me
13:41 < krzee> anyone with a cisco cert should understand you cant have 500 machines in a single broadcast domain
13:41 < grendal_grime> the big thing..that im not quite understanding though is that we cant keep using the tap devicees on the clients?
13:41 < grendal_grime> and that is a very good point.
13:43 < krzee> because tap is layer2
13:43 < krzee> layer2 BS is your problem
13:44 < krzee> get rid of layer2, use layer3, watch stuff get better
13:44 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
13:45 < grendal_grime> oh...ya ...duuu thats right...
13:46 < krzee> while ive never helped anyone with a setup as large as yours, its more or less common sense that you cant run a 500 node broadcast domain
13:46 < krzee> another tech here just facepalmed when i told him about it
13:47 < grendal_grime> trying to figure out the best way to describe this I need some statistics I need a test enviroment first
13:47 < krzee> he couldnt believe how you got 500, then i explained you run this on 32 CPU vmware clusters
13:47 < krzee> he facepalmed again
13:47 < grendal_grime> ya.
13:47 < grendal_grime> We have nice hardware
13:48 < krzee> this with test environment, you wont see the problem with small amounts of clients
13:48 < krzee> (ie: the reason you werent here a long time ago)
13:48 < grendal_grime> we can simulate large amounts
13:48 < dazo> grendal_grime: it's not the hardware which is the main problem, it's the infrastructure limitations ... and in addition, there are known performance issues with OpenVPN when hitting 150-200 simultaneous users
13:48 < grendal_grime> i dont think they did.
13:49 < grendal_grime> dazo, how about if we are using tun what is the performance expectations then?
13:49 < grendal_grime> and we typically have about that many
13:49 < grendal_grime> per box
13:50 < krzee> dazo, his vmware cloud software lets him use all 32 processors transparently he says
13:50 < grendal_grime> I believe so..
13:50 < krzee> so ild think he could get more than 200 each, am i wrong?
13:50 < dazo> grendal_grime: the performance hit is no matter tun/tap config ... it's the amount of users and how the event handler is implemented in OpenVPN which hits you ... OpenVPN isn't a threaded application
13:50 < krzee> now you believe so, yesterday you said you observed openvpn process using all 32 processors
13:50 < grendal_grime> No i did not say that i said i should know this but i dont.
13:51 < krzee> dazo, do you think a 500 node broadcast domain would be something openvpn could handle?
13:51 < krzee> grendal_grime, you dont need to KNOW it, you can OBSERVE it
13:51 < krzee> from outside the VM, on the level where you see 32 processors
13:51 < krzee> as i explained last night
13:52 < dazo> Havnig 2-3 OpenVPN processes, will handle the load ... but the broadcast traffic ... depends on how heavy that broadcast is, but I think that will really be the worst for the tunnel 
13:53 < dazo> grendal_grime: I can promise you, one OpenVPN process will only use one CPU core ... nothing more, nothing less
13:53 < grendal_grime> ok
13:53 < krzee> i tried telling him that last night ;]
13:53 < grendal_grime> well im looking in the vmware client to see if i can get a better idea.
13:54 < krzee> in the vmware client cant show you anything, you would see it only using 1 CPU at a higher level
13:54 < krzee> at the level where there is 32 CPUs, not the vmware client which only has 1 that it sees
13:55 < grendal_grime> ya...but if the box has only one cpu assigend to it thats all its going to use.  but if it has two ...hmm the app would have to be multithread supported so ya your right.
13:55 < krzee> if you recall, i told you that you could make a vmware client with multiple CPUs and run openvpn multiple times in it, you said this was pointless because it uses all 32 CPUs
13:56 < grendal_grime> krzee, im talking about the vmware infrtructure client that lets me see what resources the "Guest" is using
13:56 < grendal_grime> not the vm machine itself sorry...
13:56 < krzee> you dont have a way to monitor the hardware of the machine itself?
13:56 < grendal_grime> guest or host?
13:56 < krzee> the hardware!!!!!!!
13:56 < krzee> REAL hardware
13:57 < grendal_grime> the host..of course
13:57 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 265 seconds]
13:57 < grendal_grime> thats what im looking at
13:57 < krzee> and you see only 1 CPU spiking twords 100%, right?
13:57 < krzee> of the 32 physical CPUs
13:58 < grendal_grime> looking now
13:58 < grendal_grime> this was several days ago.. i hope they kept the data actually
13:59 < krzee> would be funny if they didnt
13:59 < grendal_grime> now it is using 1 cpu and only 348 mhz out of 2493 alocated to it
13:59 < General_Jung> One more question why can nmap -sU not detect OpenVPN is running ?
13:59 < krzee> General_Jung, you using tls-auth?
13:59 < General_Jung> no
14:00 < krzee> i thought you were using my sample config
14:00 < krzee> (which has tls-auth)
14:00 < General_Jung> also telnet not work
14:00 < krzee> its running on UDP, right?
14:00 < General_Jung> yea
14:00 < dazo> telnet is tcp only
14:00 < krzee> telnet doesnt do udp :-p
14:00 < grendal_grime> and krzee im sorry but last night i did not have access to these machines. so i was not able to verify what you were asking
14:00 < General_Jung> beta:~# [ 4136.598443] tun0: Disabled Privacy Extensions
14:00 < General_Jung> the rest of the log seems fine
14:01 < krzee> General_Jung, can a CLIENT connect to it?
14:01 < General_Jung> not tested
14:01 < General_Jung> only telnet
14:01 < krzee> lol
14:01 < General_Jung> but firstofall I tested it with nmap
14:01 < General_Jung> ad telnet
14:01 < General_Jung> if there is no port running
14:01 < General_Jung> why should it work
14:01 < krzee> netstat -l
14:02 < krzee> there likely is a port running :-p
14:02 < General_Jung> 10.8.0.1:ntp 
14:02 < krzee> the fact that you used a TCP app to test a UDP port says something what you're doing to test it
14:02 < General_Jung> that is all
14:02 < krzee> umm, thats not all
14:03 < krzee> that might be all with a VPN IP
14:03 < krzee> but the vpn server doesnt listen on the VPN ip
14:03 < General_Jung> yea
14:03 < General_Jung> that correct
14:03 < General_Jung> on the inet ip is nothing
14:03 < General_Jung> I only posted that because that confused me
14:03 < krzee> test it with a client
14:03 < krzee> ask once it doesnt work
14:04 < General_Jung> k
14:10 < krzee> for the record
14:10 < krzee> Starting Nmap 4.76 ( http://nmap.org ) at 2010-05-24 12:07 PDT
14:10 < krzee> All 1000 scanned ports on hemp.ircpimps.org (66.11.114.212) are open|filtered (791) or closed (209)
14:10 < krzee> Nmap done: 1 IP address (1 host up) scanned in 2.65 seconds
14:10 < vpnHelper> Title: Nmap - Free Security Scanner For Network Exploration & Security Audits. (at nmap.org)
14:11 < krzee> that was -sU
14:11 < krzee> root@hemp:/usr/home/krzee> nmap -sU -p 1194 66.11.114.212
14:11 < krzee> Starting Nmap 4.76 ( http://nmap.org ) at 2010-05-24 12:10 PDT
14:11 < krzee> Interesting ports on hemp.ircpimps.org (66.11.114.212):
14:11 < krzee> PORT     STATE         SERVICE
14:11 < krzee> 1194/udp open|filtered unknown
14:11 < krzee> Nmap done: 1 IP address (1 host up) scanned in 2.09 seconds
14:11 < vpnHelper> Title: Nmap - Free Security Scanner For Network Exploration & Security Audits. (at nmap.org)
14:11 < krzee> :-p
14:16 -!- sathia [~quassel@151.61.130.171] has joined ##openvpn
14:16 < sathia> krzee?
14:16 < krzee> sathia?
14:17 < sathia> hi, wanted to let you know that we have a fully workin openvpn vpn :)
14:17 < krzee> =]
14:17 < krzee> told ya it would work ;]
14:17 < sathia> this morning I bit the bullet
14:17 < sathia> and it worked flawlessly
14:17 < sathia> i created a subnet such as 192.168.150
14:18 < sathia> in order not to mess the other lans
14:18 < sathia> i feel very very good right now
14:18 < sathia> I'll be shutting down the gayvpn in these days
14:18 < krzee> =]
14:18 < sathia> only thing that didn't work is that extra layer
14:19 < krzee> (for onlookers, gayvpn = pptp, and an accurate description!)
14:19 < sathia> for the udp packets
14:19 < krzee> tls-auth?
14:19 < sathia> the one that would rejects udp packets
14:19 < sathia> if not signed
14:19 < krzee> yup, tls-auth
14:19 < krzee> !hmac
14:19 < vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
14:19 < vpnHelper> krzee: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
14:19 < krzee> that one =]
14:19 < sathia> but there's no support on pfsense for that
14:19 < sathia> yes
14:19 < krzee> heh, pfsense wont let you edit the config directly?
14:20 < sathia> do you think that adding a password to the certificates would be better?
14:20 < sathia> i guess it  can
14:20 < krzee> better? no, they do different things!
14:20 < sathia> but I don't want to risk that
14:20 < krzee> ok, its up to you
14:20 < sathia> i thought it would require an extra password upon connection
14:20 < sathia> we are a bit worried for stolen laptops and such
14:20 < krzee> sure, but thats not what tls-auth does
14:21 < sathia> so the policy for now is putting the keys on the truecrypt partition
14:21 < krzee> there is certainly nothing wrong with adding passes to private keys
14:21 < sathia> that should work
14:21 < krzee> in fact its a good thing
14:21 < sathia> so it's just a matter of recreating the keys with the password during the setup?
14:21 < krzee> all i meant above is that tls-auth does something very different than password protecting your private keys
14:21 < sathia> yes
14:22 < krzee> basically, when you password protect your private key... your system cant read the private key unless you give it the password
14:22 < krzee> so openvpn cant access the private key without the password, and thus cant even try to connect
14:22 < sathia> awesome
14:22 < krzee> tls-auth is protection from scanning and DOS attacking the VPN port
14:22 < sathia> yes
14:23 < krzee> and possible protection against any unknown security issues
14:23 < sathia> it will simply drop the packets, right?
14:23 < krzee> if they arent signed with the HMAC from tls-auth file, yes
14:23 < sathia> right
14:23 < krzee> drop them before processing any further
14:24 < krzee> but it IS optional
14:24 < sathia> ok, I'll be watching breaking bad now, we'll keep our promise !donate. and thanks again, it's really appreciated
14:24 < krzee> you're welcome =]
14:24 < sathia> see you krzee, bye
14:25 < krzee> adios!
14:25 -!- sathia [~quassel@151.61.130.171] has quit [Quit: bye bye]
14:27 -!- dazo is now known as dazo_afk
14:29 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:30 < krzee> whoa, nmap is at 5.21
14:30 < krzee> seems like yesterday it was 4.20
14:30 -!- tazman1a [~tazmania@170.45.49.60.kmr01-home.tm.net.my] has joined ##openvpn
14:31 -!- ta2mania [~tazmania@209.46.49.60.kmr01-home.tm.net.my] has quit [Ping timeout: 240 seconds]
14:36 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 272 seconds]
14:51 -!- Lenhix [~lenho@201.245.150.190] has joined ##openvpn
14:59 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
15:03 -!- edoceo [~edoceo@c-98-247-254-241.hsd1.wa.comcast.net] has joined ##openvpn
15:06 < edoceo> I'm a little confused about how to get my local network to see the VPN (my default gateway is not the VPN gateway)
15:06 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 248 seconds]
15:07 < edoceo> My default is .1, my VPN machine is .6  VPN subnet is 10.52.51.0/24; I've set routes on my LAN systems to point to .6 for routing to that subnet but still cannot
15:07 < edoceo> Of course, the VPN system can see both VPN clients as well as the LAN (ip_forwared = 1)
15:14 < grendal_grime> would it be safe to assume that the number of connections openvpn could handle would go up considerable if it is using tunnels as opposed to taps?
15:14 < grendal_grime> or is 200 still a best practice max
15:18 -!- krzee [~k@ftp.secure-computing.net] has joined ##openvpn
15:18 -!- krzee [~k@ftp.secure-computing.net] has quit [Changing host]
15:18 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
15:19 < krzee> bleh, internet up and down =/
15:19 < krzee> !ipforward
15:19 < vpnHelper> krzee: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
15:19 < krzee> !factoids search ipforward
15:19 < vpnHelper> krzee: 'winipforward', 'linipforward', 'ipforward', 'fbsdipforward', and 'osxipforward'
15:19 < krzee> !forget ipforward
15:19 < vpnHelper> krzee: Joo got it.
15:20 < krzee> !learn ipforward as please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
15:20 < vpnHelper> krzee: Joo got it.
15:23 < jnss> everything works'
15:23 < jnss> i can vpn to my server
15:24 < jnss> and over than tun0 i can run another tun
15:24 < jnss> which is odd but great
15:24 < jnss> just one thing i need to solve and that is pushing somethjing
15:24 < jnss> i need to push this to the client and this is a linux command route add default gw 10.8.0.5
15:25 < jnss> certainly tried push "route 10.8.0.5 255.255.255.0"
15:25 < jnss> or any combination thereof
15:25 < krzee> theres something like --route-gateway
15:25 < jnss> let me check that
15:25 < krzee> the you can redirect-gateway maybe, or simply push route 0.0.0.0 from ccd
15:26 < krzee> actually
15:26 < krzee> you said you did double-vpn
15:26 < krzee> i wonder if redirect-gateway would just work...
15:26 < krzee> or did you not double-vpn?
15:27 < krzee> you likely dont need to, unless you want the vpn nodes on the chain to not be trusted
15:27 < krzee> (for anyone reading this, this is a weird type of setup, which 99% chance does NOT apply to you at all)
15:29 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
15:31 -!- ta2mania [~tazmania@153.46.49.60.kmr01-home.tm.net.my] has joined ##openvpn
15:31 -!- tazman1a [~tazmania@170.45.49.60.kmr01-home.tm.net.my] has quit [Ping timeout: 260 seconds]
15:38 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
15:47 < jnss> yes, i do double vpn
15:48 < jnss> and no, route-gateway didnt do the job
15:48 < krzee> if your highest level vpn uses the exit node as the server, it should
15:49 < krzee> you would redirect-gateway when connecting to the exit-node vpn
15:49 < krzee> then you must nat the highest level vpn subnet
15:49 < jnss> http://pastie.org/975155
15:50 < jnss> the last route on that list is what i have to add to get the last vpn running
15:50 < krzee> .5
15:50 < krzee> so your highest level vpn server is NOT the exit node
15:51 < krzee> oh wait, nm
15:51 < krzee> forgot bout /30 for a sec there
15:51 < krzee> i only see 1 tun interface
15:51 < krzee> i thought you said you were double-vpn
15:52 < jnss> hmm
15:52 < jnss> i am
15:52 < jnss> got another paste coming
15:52 < krzee> you are not connecting to a vpn over the vpn
15:52 < krzee> from within the first vpn
15:52 < jnss> http://pastie.org/975160.txt
15:53 < jnss> yeah, disregard that first paste
15:53 < krzee> erm
15:53 < krzee> wtf is the vpn subnet for tun1
15:54 < krzee> are you trimming your routing tables before showing me?
15:54 < krzee> cause if so, knock that off
15:54 < krzee> but most likely, im not going to help with this setup anyways honestly
15:54 < jnss> .128 i think
15:54 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit []
15:54 < jnss> not intentinally
15:54 < krzee> no, thats the ip... not the vpn subnet
15:54 < jnss> the top part didnt paste
15:55 < krzee> 10.8.0.x is the tun0 subnet
15:55 < jnss> http://pastie.org/975163.txt
15:55 < jnss> there, thats theop part that didnt manage to get pasted the first time
15:55 < krzee> you see, in my opinion vpnchains are something you should not get to setup unless you figure it out ;)
15:55 < jnss> the top part
15:55 < jnss> well, i have figured it out mostly
15:55 < krzee> you mean the first 2 times :-p
15:55 < jnss> it works, it just wont run the route
15:56 < jnss> sure i had a great deal of trouble getting anything to work. i admit
15:56 < krzee> oh tun1 you're handing out real routable IPs
15:57 < krzee> ya?
15:57 < jnss> tun1 is run automatically
15:57 < jnss> i just have a client file and the server is out of my reach, really
15:57 < jnss> so yeah
15:57 < krzee> oh lol
15:57 < jnss> it just works
15:57 < krzee> welp, good luck
15:57 < krzee> you're getting warmer
15:58 < jnss> alright thanks
15:58 < jnss> ill see you ina m minute
15:58 < jnss> or 10 hours
15:58 < krzee> -route-gateway gw|'dhcp' 
15:58 < krzee> Specify a default gateway gw for use with --route.
15:58 < krzee> thats what ild play with
15:59 < krzee> if that doesnt effect redirect-gateway command, try duplicating the redirect-gateway command with a series of route commands
16:00 < krzee> which would likely require the --route-gateway command being places in the right spot between those route commands
16:02 -!- smerz [~daniel@smerz.demon.nl] has quit [Remote host closed the connection]
16:07 -!- Lenhix [~lenho@201.245.150.190] has quit [Quit: Mindwall!!]
16:29 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
16:31 -!- ta2mania [~tazmania@153.46.49.60.kmr01-home.tm.net.my] has quit [Ping timeout: 245 seconds]
16:32 -!- ta2mania [~tazmania@25.37.50.60.kmr04-home.tm.net.my] has joined ##openvpn
16:38 -!- jhaar [~jhaar@2001:470:828b:0:21c:bfff:fea9:1197] has joined ##openvpn
17:00 -!- le0_ [~fin@cpc4-bele7-2-0-cust381.know.cable.virginmedia.com] has joined ##openvpn
17:02 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
17:06 -!- y0tta [~y0tta@ip26.208-100-1.static.steadfast.net] has quit [Quit: y0tta]
17:12 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:30 -!- edoceo [~edoceo@c-98-247-254-241.hsd1.wa.comcast.net] has quit [Ping timeout: 265 seconds]
17:31 -!- ta2mania [~tazmania@25.37.50.60.kmr04-home.tm.net.my] has quit [Ping timeout: 245 seconds]
17:32 -!- ta2mania [~tazmania@107.47.50.60.kmr04-home.tm.net.my] has joined ##openvpn
18:31 -!- tazman1a [~tazmania@50.36.50.60.kmr04-home.tm.net.my] has joined ##openvpn
18:32 -!- ta2mania [~tazmania@107.47.50.60.kmr04-home.tm.net.my] has quit [Ping timeout: 260 seconds]
18:55 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 248 seconds]
18:56 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
19:02 -!- grendal_grime [~sgraham@riverbank.fpdomain.com] has quit [Quit: Ex-Chat]
19:30 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
19:38 -!- Rolybrau [~Rolybrau@184-86.78-83.cust.bluewin.ch] has joined ##openvpn
19:38 -!- Rolybrau [~Rolybrau@184-86.78-83.cust.bluewin.ch] has quit [Changing host]
19:38 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
19:53 -!- tazman1a [~tazmania@50.36.50.60.kmr04-home.tm.net.my] has left ##openvpn ["Leaving"]
19:58 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-qnvvbztnxepqufif] has left ##openvpn []
20:04 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
20:44 -!- krzee is now known as book
20:44 -!- book is now known as krzee
21:01 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
21:28 -!- General_Jung [~anon@p57B66E18.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
21:31 -!- jhaar [~jhaar@2001:470:828b:0:21c:bfff:fea9:1197] has quit [Quit: Leaving.]
21:31 -!- jhaar [~jhaar@2001:470:828b:0:21c:bfff:fea9:1197] has joined ##openvpn
21:31 -!- General_Jung [~anon@p57B66B8A.dip.t-dialin.net] has joined ##openvpn
21:32 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
21:32 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
21:32 -!- killown [~killown@unaffiliated/killown] has quit [Client Quit]
21:33 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
21:34 -!- killown [~killown@unaffiliated/killown] has quit [Client Quit]
21:34 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
21:36 -!- killown [~killown@unaffiliated/killown] has quit [Client Quit]
21:36 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
23:49 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 265 seconds]
23:55 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Ping timeout: 258 seconds]
--- Day changed Tue May 25 2010
00:11 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
00:31 -!- Grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Remote host closed the connection]
00:58 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
01:24 -!- dazo_afk is now known as dazo
01:47 < theDoc> Not sure if you guys have seen this yet but, http://digg.com/comics_animation/How_the_male_angler_fish_gets_screwed_The_Oatmeal
01:47 < theDoc> lol
01:47 < vpnHelper> Title: How the male angler fish gets screwed - The Oatmeal (at digg.com)
01:59 < julius> oh my god
01:59 < julius> so cool
02:13 -!- julius [~julius@217.20.127.15] has quit [Remote host closed the connection]
02:19 -!- julius [~julius@217.20.127.15] has joined ##openvpn
02:47 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:47 -!- mode/##openvpn [+o mattock] by ChanServ
02:51 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:07 -!- dpetrek [~kvirc@93-139-26-64.adsl.net.t-com.hr] has joined ##openvpn
03:10 -!- dpetrek [~kvirc@93-139-26-64.adsl.net.t-com.hr] has quit [Client Quit]
03:19 -!- jhaar [~jhaar@2001:470:828b:0:21c:bfff:fea9:1197] has quit [Quit: Leaving.]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:40 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 265 seconds]
03:50 -!- DrPepper2 [~DrPepper@88.207.189.81] has quit [Quit: Leaving...]
04:24 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
04:35 -!- dazo is now known as dazo|afk
04:53 -!- le0_ [~fin@cpc4-bele7-2-0-cust381.know.cable.virginmedia.com] has quit [Quit: Leaving]
04:54 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
04:57 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
04:59 -!- DrPepper3 [~DrPepper@88.207.189.81] has joined ##openvpn
05:01 -!- DrPepper3 [~DrPepper@88.207.189.81] has quit [Read error: Connection reset by peer]
05:07 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:16 -!- demiurgen [~demiurgen@nl103-154-253.student.uu.se] has joined ##openvpn
05:19 < demiurgen> just a general question: I want to use client certificates and passwor authentication (openvpn-auth-pam ). can I have my clients use a single client certificate while each of them have a unique user/password in order to differentiate between users?
05:19 < demiurgen> i.e. all clients use the same client cert
05:40 < |Mike|> !howto
05:40 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
05:41 < demiurgen> |Mike|: was that for me?
05:42 < |Mike|> nope
05:42 < |Mike|> !ldap
05:42 < demiurgen> ok, nevermind
05:42 < vpnHelper> |Mike|: Error: "ldap" is not a valid command.
05:42 < |Mike|> hmz, there are some things in the bot about your setup demiurgen 
05:42 < |Mike|> !factoids search ldap
05:42 < vpnHelper> |Mike|: "ldap_iptables" is see http://planetjoel.com/viewarticle/638/OpenVPN%3A+Dynamically+create+IPtables+rules+based+on+LDAP+group+membership for a cool script for setting iptables rules based on LDAP membership (currently only handles TCP rules, but an easy fix to support UDP)
05:43 < |Mike|> !factoids search auth-pam
05:43 < vpnHelper> |Mike|: No keys matched that query.
05:43 < |Mike|> !factoids search pam
05:43 < vpnHelper> |Mike|: No keys matched that query.
05:43 < |Mike|> !factoids search password
05:43 < vpnHelper> |Mike|: "password-only" is http://openvpn.net/archive/openvpn-users/2004-10/msg00418.html
05:44 < demiurgen> well, I still want password + cert, it's just that I'd like to avoid having to generate a new cert for each client, as is done in the howto
05:47 < |Mike|> i'm not sure if that's doable with openvpn ( eg, i never used that... ) maybe that someone else could help you.
05:47 < demiurgen> |Mike|: well thanks any way!
05:47 < demiurgen> what would happen if two clients connect using the same client cert (no password auth)?
05:48 < demiurgen> would it work? or must each connected client have a unique "common name" or something like that?
06:16 < Bushmills> yes
06:17 < Bushmills> unless you allow duplicate names in config
06:17 < Bushmills> but better use unique CNs for each certt
06:18 < Bushmills> "yes" refers to "or must each connected client have..."
06:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
06:40 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has joined ##openvpn
06:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
07:08 -!- dazo|afk [~dazo@nat/redhat/x-equtpjhcpxlkmsts] has quit [Read error: Connection reset by peer]
07:10 -!- dazo_ [~dazo@nat/redhat/x-nrqflwvmzhkeqahg] has joined ##openvpn
07:10 -!- dazo_ is now known as Guest37241
07:13 < General_Jung> Is there any way to let my router handle the connect to the VPN Server
07:18 -!- demiurgen [~demiurgen@nl103-154-253.student.uu.se] has quit [Ping timeout: 240 seconds]
07:18 -!- julius [~julius@217.20.127.15] has quit [Quit: Hackers of the world, unite!]
07:21 -!- julius [~julius@217.20.127.15] has joined ##openvpn
07:21 < Bushmills> General_Jung: openwrt.  opkg install openvpn
07:21 < Bushmills> put client config and certs on router. 
07:22 < General_Jung> k thx its an rvs4000
07:22 < Bushmills> you want to have about 4 MiB of RAM spare for openvpn
07:23 < Bushmills> well, 3 should just do.
07:26 -!- SkyX [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
07:28 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
07:31 -!- demiurgen [~demiurgen@nl103-154-253.student.uu.se] has joined ##openvpn
07:33 -!- Guest37241 is now known as dazo
07:39 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
07:46 -!- demiurgen^ [~demiurgen@nl103-154-253.student.uu.se] has joined ##openvpn
07:47 -!- demiurgen [~demiurgen@nl103-154-253.student.uu.se] has quit [Ping timeout: 252 seconds]
07:48 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
07:53 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:54 -!- demiurgen [~demiurgen@nl103-154-253.student.uu.se] has joined ##openvpn
07:54 -!- demiurgen^ [~demiurgen@nl103-154-253.student.uu.se] has quit [Ping timeout: 240 seconds]
08:00 -!- SkyX [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
08:09 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Quit: I am off]
08:09 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
08:55 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
09:02 -!- demiurgen [~demiurgen@nl103-154-253.student.uu.se] has quit [Remote host closed the connection]
09:21 -!- dazo [~dazo@nat/redhat/x-nrqflwvmzhkeqahg] has quit [Read error: Connection reset by peer]
09:22 -!- dazo [~dazo@nat/redhat/x-sujgpremkyivprmo] has joined ##openvpn
09:22 -!- dazo is now known as Guest85520
09:23 -!- Guest85520 is now known as dazo
09:24 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
09:30 -!- DrPepper [~DrPepper@88.207.189.81] has joined ##openvpn
09:58 -!- dazo [~dazo@nat/redhat/x-sujgpremkyivprmo] has quit [Read error: Connection reset by peer]
10:00 -!- dazo [~dazo@nat/redhat/x-lmlphlyfleqniipa] has joined ##openvpn
10:00 -!- dazo is now known as Guest27552
10:06 -!- Guest27552 is now known as dazo
10:08 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
10:13 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
10:40 -!- KaiForce [~chatzilla@adsl-70-228-114-90.dsl.akrnoh.ameritech.net] has joined ##openvpn
10:43 -!- f1assistance1 [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
10:44 -!- f1assistance1 [~Carl@cpe-174-097-180-133.nc.res.rr.com] has quit [Remote host closed the connection]
10:46 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
10:55 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
10:58 -!- f1assistance1 [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
11:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:04 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 276 seconds]
11:05 -!- Lenhix [~lenho@190.146.247.120] has joined ##openvpn
11:05 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
11:11 -!- openvpn2009 [pandora@matrix.openvpn.org] has quit [Ping timeout: 264 seconds]
11:15 -!- smerz [~daniel@smerz.demon.nl] has quit [Remote host closed the connection]
11:17 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:27 -!- Lenhix [~lenho@190.146.247.120] has quit [Quit: BRB]
11:28 -!- Guest12047 [~admin@adsl-71-140-186-185.dsl.pltn13.pacbell.net] has joined ##openvpn
11:41 -!- demiurgen [~demiurgen@nl103-154-253.student.uu.se] has joined ##openvpn
11:48 -!- Guest12047 is now known as openvpn2009
11:49 -!- mode/##openvpn [+o openvpn2009] by ChanServ
12:05 -!- Lenhix [LordChaman@200.119.13.10] has joined ##openvpn
12:22 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Operation timed out]
12:23 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
12:45 -!- MadTBone [~MadTBone@160.39.238.196] has joined ##openvpn
12:48 -!- General_Jung [~anon@p57B66B8A.dip.t-dialin.net] has quit [Ping timeout: 252 seconds]
12:52 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
13:03 < jnss> keysize 96 works
13:03 < jnss> as does keysize 448
13:03 < jnss> i guess even keysize 32 should work
13:03 < krzie> what are you making baby keys for
13:04 < jnss> baby rsa
13:04 < krzie> named as such because a baby could crack it?
13:04 -!- owner_ [~owner@80.92.106.75] has joined ##openvpn
13:05 -!- [Joshuah] [~joshuah@brln-4d0ceaf1.pool.mediaWays.net] has joined ##openvpn
13:05 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
13:06 -!- killown [~killown@unaffiliated/killown] has quit [Read error: Connection reset by peer]
13:06 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
13:06 < jnss> http://www.keylength.com/en/3/
13:06 < vpnHelper> Title: Keylength - ECRYPT II Report on Key Sizes (2009) (at www.keylength.com)
13:07 < [Joshuah]> hi, i am new to openvpn but i have to get it working now. i have a .crt and a .prt file from my institute and i am trying to use Viscosity. i have three options "SSL/TLS Client (PKCS12)" "SSL/TLS Client" "Static Key". google couldnt help me, can anyone here?
13:07 < jnss> hi
13:08 < jnss> isnt viscosity a osx client for vpn?
13:08 < krzie> it is
13:08 < [Joshuah]> for openvpn, yes
13:08 -!- dazo is now known as dazo_afk
13:08 < krzie> wtf is a .prt
13:09 < krzie> [Joshuah], dont use GUIs to make your configs
13:09 < krzie> they should have given you a config file
13:09 < krzie> the people who run your server
13:09 < [Joshuah]> they is a manual on the instituts wiki ... accessable only from the intranet
13:09 < [Joshuah]> smart guys, huh? :)
13:09 < [Joshuah]> our admins are ... paranoid
13:10 < krzie> they shouldnt need a manual
13:10 < krzie> they should have given you a config file with your crt
13:10 < [Joshuah]> may be there is  a config file to download from there, but i can access it, because i am at home
13:10 < [Joshuah]> i have the .crt and the .p12 files from them
13:10 < krzie> you cant know what to make the settings
13:10 < krzie> wait til you get the config
13:10 < [Joshuah]> hmm
13:10 < [Joshuah]> too bad
13:11 < [Joshuah]> i need access tonight
13:11 < krzie> go to the office
13:11 < [Joshuah]> and my institute is 2 hours away
13:11 < krzie> better get going then
13:11 < [Joshuah]> no way to get there tonight anymore
13:11 < [Joshuah]> no chance
13:11 < krzie> *shrug* too bad
13:11 < jnss> make a phone call
13:12 < jnss> call the network department
13:12 < jnss> the switchboard should be able to find you their number
13:12 < krzie> call anyone who has a config
13:12 < krzie> they will all be enough the same
13:12 < krzie> just gotta change paths and it'll be good to go
13:12 < krzie> !osx
13:13 < vpnHelper> krzie: "osx" is (#1) http://www.viscosityvpn.com/ (PAY), or (#2) http://www.tunnelblick.net/ (FREE)
13:13 < krzie> btw instead of paying for viscosity you may like using free tunnelblick to start your configs
13:13 < krzie> personally, i use a shell script in my stacks, i dont see the reason for a gui
13:13 < [Joshuah]> viscosity is not free?
13:13 < krzie> LOL
13:13 < [Joshuah]> i thought it was
13:13 < krzie> no, its not
13:14 < jnss> i use linuks
13:14 -!- owner_ [~owner@80.92.106.75] has quit [Quit: Leaving]
13:14 < krzie> Shareware
13:14 < krzie> This download is a fully functional version of Viscosity, which will stop working after 30 days. To continue using Viscosity after this period you will need to purchase a license.
13:14 -!- barberan [~owner@80.92.106.75] has joined ##openvpn
13:14 < krzie> i guess you missed that when you downloaded it
13:14 < [Joshuah]> yeah, just wanted to get _something_ running tonight :)
13:15 < [Joshuah]> i also downloaded tunnelblick
13:15 < krzie> too bad you didnt get what they needed to give you
13:15 < jnss> what do they offer you on the vpn server
13:15 < krzie> theres nothing you can do
13:15 < [Joshuah]> unfortunatly i could not install openvpn via macports. something seems not to work with macports anymore
13:15 < krzie> i installed like 2 weeks ago from macports
13:15 < krzie> its your install, mine works fine
13:15 < krzie> try port selfupdate
13:15 < [Joshuah]> mine seems f***ed up since today
13:15 < [Joshuah]> somehow
13:16 < [Joshuah]> but it also seems that today is just not my day ...
13:23 < [Joshuah]> ok, neither openvpn nor openvpn2 will install
13:25 -!- barberan [~owner@80.92.106.75] has quit [Quit: Leaving]
13:31 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 272 seconds]
13:44 -!- [Joshuah] [~joshuah@brln-4d0ceaf1.pool.mediaWays.net] has quit [Quit: [Joshuah]]
13:45 -!- ioan [man@74-93-190-107-Oregon.hfc.comcastbusiness.net] has joined ##openvpn
13:46 < ioan> hi, is there a way to save the username and password and connect without user interaction?
13:46 < krzie> !pwfile
13:46 < vpnHelper> krzie: "pwfile" is (#1) OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h, or (#2) see --auth-user-pass in the manual (!man) for more info
13:47 < ioan> thanks!
13:47 < krzie> yw =]
13:47 < Bushmills> ioan: why not log in by key, instead of cert? same effect, no user interaction required
13:47 < Bushmills> instead of password, i mean
13:47 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
13:47 < krzie> prolly not his choice
13:48 < krzie> (the person who runs the server and forces passwords never seems to be the person who wants to write it to a file)
13:48 < krzie> lol
13:49 < ioan> Bushmills, do you have more info on how to do this?
13:49 < krzie> (cause that person would understand and care about the security implications of making a password "something you have" instead of "something you know"
13:49 < krzie> )
13:49 < Bushmills> not me personally but there are plenty of docs telling how to set that up
13:49 < Bushmills> !factoids search auth
13:49 < vpnHelper> Bushmills: 'authpass' and 'tls-auth'
13:49 < Bushmills> !authpass
13:49 < vpnHelper> Bushmills: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
13:49 < krzie> and what do you mean key instead of cert?
13:50 < Bushmills> i corrected that in the next sentence
13:50 < ecrist> krzie: is xxx being hit hard?
13:50 < Bushmills> mind was floating somewhere ahead of my fingers typing
13:50  * ecrist lols after realizing what he just typed
13:51 < krzie> LOL
13:51 < Bushmills> !factoids search key
13:51 < vpnHelper> Bushmills: 'keys' and 'static_key_details'
13:51 < Bushmills> !keys
13:51 < vpnHelper> Bushmills: "keys" is http://openvpn.net/howto#pki
13:51 < krzie> ecrist, no idea
13:51 < Bushmills> ioan: ^^^^
13:52 < ioan> yeap. thanks!
13:52 < ecrist> ok
14:16 < krzie> i know xxx isnt, but the ISP could be
14:27 < ecrist> ok
14:27 -!- ioan [man@74-93-190-107-Oregon.hfc.comcastbusiness.net] has left ##openvpn []
14:33 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
14:35 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:46 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
15:14 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:21 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined ##openvpn
15:29 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 240 seconds]
15:30  * jpalmer needs beer.
15:34 -!- demiurgen [~demiurgen@nl103-154-253.student.uu.se] has quit [Remote host closed the connection]
15:37 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Read error: Operation timed out]
15:45 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
16:03 -!- KaiForce [~chatzilla@adsl-70-228-114-90.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
16:43 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
16:45 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
16:46 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
17:00 -!- notbrien [~notbrien@208.82.13.214] has quit [Remote host closed the connection]
17:26 -!- Lenhix [LordChaman@200.119.13.10] has quit [Quit: Mindwall!!]
17:46 -!- ff88 [~chatzilla@93-40-82-74.ip37.fastwebnet.it] has joined ##openvpn
17:47 < ff88> hi I've set a OpenVPN server and I'm having problems with allowing clients access the Internet throughout the VPN
17:47 < ff88> I followed the instructions in the HOWTO, especially the ones related to iptables settings
17:48 < ff88> I've put push "redirect-gateway def1 bypass-dhcp" in the server config file
17:48 < ff88> and I really don't understand what I have to do more
17:48 < Bushmills> to achieve what?
17:49 < ff88> I would like to allow clients access the Internet throughout the VPN server
17:49 < Bushmills> configure openvpn server as masqerading gateway
17:49 < Bushmills> !redirect
17:49 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:49 < Bushmills> !ipforward
17:49 < vpnHelper> Bushmills: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
17:49 < Bushmills> !nat
17:49 < vpnHelper> Bushmills: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
17:51 < ff88> !def1
17:51 < vpnHelper> ff88: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
17:51 < ff88> !linipforward
17:51 < vpnHelper> ff88: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
17:55 < ff88> ok, I've understood the problem is that I've ufw firewall running
17:56 < ff88> I've set a rule for port 443 (which is the listening port of my VPN server)
17:56 < ff88> but I have NO IDEA on how to allow routing
17:57 < Bushmills> no routing there. masquerading
17:57 < Bushmills> aka nat
17:57 < Bushmills> !nat
17:57 < vpnHelper> Bushmills: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
18:02 < ff88> ok :)
18:07 < krzee> !linnat
18:07 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
18:20 < ff88> yes I know
18:24 -!- Chosi [osxchosi@choseh.de] has joined ##openvpn
18:24 < Chosi> hey there
18:26 < Chosi> nevermind - i just found out my issue is a firewall one ;)
18:26 -!- Chosi [osxchosi@choseh.de] has left ##openvpn []
18:27 < krzee> +1 for the topic
18:28 < ff88> yeah
18:31 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
18:36 < ff88> may I ask you what is the simple way to perform a very very basic username/password authentication among with certificate autentication?
18:36 < ff88> please note I've got only -one- user
18:40 < krzee> !authpass
18:40 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
18:41 < krzee> for only 1 user, you may wish to just encrypt the private key instead of requiring user/pass
18:42 < krzee> but thats up to you
18:50 < ff88> uhm
18:50 < ff88> I'd prefer to have both
18:50 < ff88> to be sincere, I'm not so good with perl and I'm trying to edit the sample script
18:52 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
18:54 < krzee> if you encrypt the private key it will require a password to read the key
18:54 < krzee> so before even attempting to connect
18:55 < krzee> but theres nothing wrong with using both, in fact its even better ;)
18:55 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
18:57 < ff88> I've just edited the perl script to perform an idiot username eq "..." password eq "..." check
18:57 < ff88> it is silly but combined with certificate I think it will be fine
19:00 < ff88> Thank you guys. OpenVPN just rocks. It is safe, useful and breaks corporate firewalls
19:00 < ff88> :D
19:01 < ff88> thank you again
19:01 -!- ff88 [~chatzilla@93-40-82-74.ip37.fastwebnet.it] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
19:06 < krzee> lol
19:07 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
19:28 -!- mrnice1 [bouncer@ip077244250141.rev.nessus.at] has quit [Ping timeout: 276 seconds]
19:33 -!- mrnice1 [bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
19:49 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
19:54 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
19:56 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
20:30 -!- krzie [nobody@unaffiliated/krzee] has quit [Ping timeout: 245 seconds]
20:49 -!- tjz [~pc@bb116-14-142-112.singnet.com.sg] has joined ##openvpn
20:49 -!- tjz [~pc@bb116-14-142-112.singnet.com.sg] has quit [Changing host]
20:49 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
21:05 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
21:11 < ecrist> sup bitches?
21:11 < krzee> wassup
21:11 < krzee> the FS fbsd port just got mentioned in #freeswitch
21:11 < ecrist> nm, just waiting for the wife to get home 
21:11 < ecrist> really?
21:11 < krzee> [19:12]  <mcrane> FreeSWITCH port is now being evaluated by the ports team
21:11 < krzee> [19:12]  <mcrane> so may have an updated port soon
21:11 < krzee> [19:12]  <krzee> mcrane, ecrist maintains the freeswitch port and hangs in here
21:14 < ecrist> krzee: mcrane is the dev for fusionpbx, and I usually have @ in that chan.
21:20 < theDoc> Morn' all.
21:20 < theDoc> It's midweek and the calendar goes, WTF.
21:32 -!- mota [mota@about/windows/regular/mota] has quit [Remote host closed the connection]
21:58 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
23:06 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Ping timeout: 240 seconds]
23:08 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
23:12 -!- jnss [janes@gateway/shell/sign.io/x-vfxqbcwptafgwcel] has quit [Quit: leaving]
23:17 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
--- Day changed Wed May 26 2010
00:29 -!- grendal_prime_ [~sgraham@dsl-12-44-166-053.arpa2.caltel.com] has joined ##openvpn
00:30 < grendal_prime_> oi
00:31 < krzie> oi oi oi
00:31 < grendal_prime_> hey how goes it
00:32 < grendal_prime_> sorry i havent got back to you on the hugeo bridge thang. 
00:33 < krzie> all good
00:33 < krzie> just keep data from your tests pls
00:33 < grendal_prime_> so basically i droped the entire situation on our senior ccne and he says your right (and i gave you credit)  I aloso did some research i supplied him with.
00:34 < krzie> you could take credit if you wanted ;]
00:34 < krzie> its not like they know who or care who i am
00:34 < grendal_prime_> I sniffed the tap interface and basically looks like about 50%+ of the connections are actually broadcast, dns, arp requests...
00:35 < grendal_prime_> well...as far as credit goes..i mean i get credit for stumbling across the potential of a production meltdown.
00:35 < grendal_prime_> also people are probably mad at me for finding (ie listening to you) this entire thing.  I dont give  a shit 
00:36 < krzie> if they're mad they dont understand they would have had worse problems if you didnt find it
00:36 < krzie> dealing with unstable stuff sucks
00:37 < krzie> better to make everything work and monitor it with your feet up
00:37 < grendal_prime_> Anyway, i appreciate the attention you gave me..and since i cant marry your ugly sister because my wife said no.  I at least owe you lunch some time.
00:37 < krzie> feel free to !donate if you like, but its not necessary =]
00:38 < grendal_prime_> Im still trying to figure out if there is a way to to allow the clients to connect to the server with a layer 2 tap and route it from there to the backside
00:38 < grendal_prime_> If things work out ill...hmm you currently employed?
00:39 < krzie> yup
00:39 < grendal_prime_> bummer...where if you dont mind me asking
00:39 < krzie> currently in the middle of a huge thing like what you're going to start
00:39 < grendal_prime_> I doubt it
00:39 < grendal_prime_> ill bet this company would offer you better
00:39 < krzie> db migration to switch programs that run the biz, configuring that program as well, changing entire phone system from phones to PBX, redoing the entire network
00:40 < grendal_prime_> dont want more of a desk job? feet in the air allot
00:40 < krzie> well thats what i had
00:40 < krzie> then i decided shit had been done very wrong
00:40 < krzie> unstableness and whatnot
00:40 < grendal_prime_> or..you like to move around..these guys got field ops jobs
00:41 < krzie> so im redoing everything that had issues
00:41 < krzie> which is more or less everything
00:41 < grendal_prime_> what country?
00:41 < krzie> as for moving around, i take about 4 months vacation per year
00:41 < krzie> live in caribbean
00:41 < grendal_prime_> bastard
00:41 < krzie> ;]
00:41 < grendal_prime_> like yosemite?
00:42 < krzie> hehe im from cali
00:42 < grendal_prime_> well keep me in mind i get a bonus for recruiting
00:43 < krzie> out of curiosity, around what do they pay
00:43 < grendal_prime_> also...keep me in mind im also a top knotch instrument rated pilot i dont have a sea plane rating, but i could get one.
00:43 < grendal_prime_> the best
00:44 < grendal_prime_> well 100% medical
00:44 < grendal_prime_> just to start with
00:45 < grendal_prime_> the rest of it really depends on how much you want to work.  Now you...it seems you work all the time..so..they would probaly like you allot
00:45 < grendal_prime_> and You could probably work from where you are now.
00:46 < grendal_prime_> we have people all over ...kinda like fight club.  But without all that brad pitt stuff
00:47 < krzie> what do they want people doing
00:47 < grendal_prime_> we would have to meet. No long walks on beaches or anything like that..but  well i have to endorse you.
00:48 < grendal_prime_> and there are the costumes you will have to wear...hahaha just kidding
00:48 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
00:48 -!- mode/##openvpn [+o mattock] by ChanServ
00:48 < grendal_prime_> first of all...
00:49 < grendal_prime_> is there any way we can set up this layer 2 connection to route to a backend?
00:49 < krzie> layer2?
00:49 < grendal_prime_> tap devices
00:49 < krzie> you mean layer3?
00:49 < grendal_prime_> nope
00:49 < grendal_prime_> private?
00:49 < krzie> what do you mean route to a backend?
00:49 < krzie> sure
01:04 < krzie> !route
01:04 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
01:17 < krzie> !push
01:17 < vpnHelper> krzie: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
01:36 -!- DrPepper [~DrPepper@88.207.189.81] has quit [Quit: Leaving...]
02:23 < krzie> !tcp
02:23 < vpnHelper> krzie: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
02:27 < julius> it isn't possible to have openvpn listen on multiple ports with both tcp and udp, or is it?
02:28 < krzie> multiple instances
02:29 < julius> which would require multiple tun devices, routes, subnets etc?
02:30 < krzie> !android
02:30 < vpnHelper> krzie: Error: "android" is not a valid command.
02:30 < krzie> correct
02:33 < julius> I guess I'll stick to udp - haven't had a real firewalled situation yet
02:36 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:38 < krzie> if your server doesnt run a ns you can use udp 53 if you want, its more likely to be open ild think, its the dns port
02:39 < krzie> only lans which require you use their ns would have it blocked
02:42 < kraut> moin
02:42 < krzie> moinmoin
02:45 < julius> hehe, nice idea
02:50 -!- dazo_afk [~dazo@nat/redhat/x-lmlphlyfleqniipa] has quit [Read error: Connection reset by peer]
02:51 -!- dazo_afk [~dazo@nat/redhat/x-xcdqifoevvqibkao] has joined ##openvpn
02:51 -!- dazo_afk is now known as Guest41782
02:54 -!- grendal_prime_ [~sgraham@dsl-12-44-166-053.arpa2.caltel.com] has quit [Quit: Ex-Chat]
03:01 -!- [ilin] [~ilin@77.28.6.117] has joined ##openvpn
03:01 < [ilin]> !welcome
03:01 < vpnHelper> [ilin]: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:11 -!- [ilin] [~ilin@77.28.6.117] has left ##openvpn ["Leaving"]
03:16 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
03:17 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
03:21 -!- mintux [~mrg@unaffiliated/mintux] has joined ##openvpn
03:24 < mintux> I did this step https://help.ubuntu.com/community/OpenVPN but in the last step when I restart openvpn I got *   Autostarting VPN 'server'                                           [fail]   this is my log http://codepad.org/ARMLTw4B
03:24 < vpnHelper> Title: OpenVPN - Community Ubuntu Documentation (at help.ubuntu.com)
03:25 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
03:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 248 seconds]
03:33 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:35 < krzie> Cannot resolve host address: <your
03:37 < mintux> krzie: it's openvpn config problem ? or refer to /etc/hosts ?
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 < mintux> got it
03:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
03:43 < mintux> krzie: one question . my modem/dsl/router ip is 192.168.1.1 and it's a gateway of my system . in this document bridge set to 192.168.1.10  and in /etc/openvpn/server.conf it needs a ip for local and it's output of my ifconfig http://codepad.org/8yGndN8U  so what ip should I set for local in openvpn config ? 192.168.1.10 or I should define a ip for the0 and put it there? there is no conflict with my router ip address use 192.168.1.1
03:43 < vpnHelper> Title: C code - 46 lines - codepad (at codepad.org)
03:43 < krzie> !man
03:43 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
03:43 < krzie> see --local
03:43 < mintux> ok
03:43 < krzie> !--
03:43 < vpnHelper> krzie: "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file.
03:44 < krzie> (just so you know why it says --local in there
03:46 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Quit: I am off]
03:47 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
03:56 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
03:57 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has joined ##openvpn
03:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
04:53 -!- DrPepper [~DrPepper@88.207.189.81] has joined ##openvpn
05:00 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
05:07 -!- Guest41782 is now known as dazo
05:42 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:14 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has quit [Quit: Leaving.]
06:20 -!- dazo [~dazo@nat/redhat/x-xcdqifoevvqibkao] has quit [Read error: Connection reset by peer]
06:22 -!- dazo [~dazo@nat/redhat/x-oodvrlpcqqucelfa] has joined ##openvpn
06:22 -!- Chosi [osxchosi@choseh.de] has joined ##openvpn
06:23 -!- d12fk [~heiko@vpn.astaro.de] has quit [Read error: Connection reset by peer]
06:24 < Chosi> hi i seem to have some dns issue with openvpn+
06:24 < Chosi> -+
06:25 < Chosi> should i push the client a nameserver from the server's resolv.conf?
06:26 < Bushmills> linux client? windows clients?
06:27 -!- d12fk [~heiko@vpn.astaro.de] has joined ##openvpn
06:27 < Chosi> linux server, windows client
06:27 < Bushmills> using redirect-gateway?
06:27 < Chosi> yup
06:27 < Chosi> gateway is working fine
06:27 < Chosi> but dns doesn't seem to work
06:27 < Bushmills> yes, you better do
06:28 < Chosi> ipconfig shows some ipv6 in his dns settings for the tunneling adapter
06:28 < Bushmills> better may be running a dns cache on server, and push server address as dns to client
06:29 < Chosi> i just tried to push one from my resolv.conf
06:29 < Chosi> but that doesn't seem have done anything
06:53 < Chosi> alright seems like it's another firewall issue here
06:53 < Chosi> incoming dns requests on tun0 and eth1(wan)
06:53 < Chosi> but nothing gets back as it seems
07:03 < mintux> I need some guide to set ip . I explain my problem here http://img6.tinypic.info/files/w8hqwsroajz11sr2r9sj.jpg I don't what the ip should I set for vpn or NIC my config file is http://codepad.org/r6jlJ7vi
07:03 < vpnHelper> Title: C code - 106 lines - codepad (at codepad.org)
07:09 < Chosi> okay nevermind - it works now
07:09 < Chosi> thanks
07:09 -!- Chosi [osxchosi@choseh.de] has left ##openvpn []
07:16 -!- Chosi [osxchosi@choseh.de] has joined ##openvpn
07:17 < Chosi> okay i need your help again ;) how do i allow multiple clients to connect to the server?
07:17 < Chosi> do i just have to remove the remote <clientip> line?
07:17 < Bushmills> what version of server?
07:19 < Bushmills> remote <clientip>??   where - and especially why - do you use that?
07:20 < Chosi> OpenVPN 2.1_rc11
07:20 < Chosi> uhm Bushmills i actually don't know
07:20 < Chosi> :)
07:20 < ecrist> Chosi: it's recommended you upgrade to 2.1.1
07:20 < Chosi> any dates for .debs? ;)
07:21 < ecrist> should be there, 2.1.1 was released on Dec 11th 2009
07:21 < ecrist> OpenVPN doesn't directly handle packaging, that's up to each os/pkg mgmt system
07:22 < Chosi> so - how do i specify a pool of ips for whatever clients that want to connect?
07:22 < ecrist> !man
07:22 < ecrist> !howto
07:22 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
07:22 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:22 < Chosi> --ifconfig-pool start-IP end-IP
07:22 < Chosi> ok thanks
07:22 < Chosi> :)
07:22 < ecrist> I would start with those docs, ask questions as they come up
07:24 < mintux> I put 192.168.0.1 for local in vpn config and I could connect to vpn server from 192.168.0.2 win server2003 but I could not connect to vpn server (ubutnu) from windows xp because windows xp is 192.168.1.6 and could not route 192.168.0.2 also could not route 192.168.1.10 because in config of openvpn I set it to 192.168.0.2 
07:24 < ecrist> ok...
07:24 < ecrist> so setup a route for it.
07:29 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 276 seconds]
07:32 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined ##openvpn
07:33 < Chosi> do i need tls if you want to use an ip pool?
07:33 < Chosi> *i
07:34 < Chosi> i consider the keyfiles enough for my purpose, can i force the server use with key files?
07:34 < Chosi> (the text ones)=
07:42 < ecrist> no, key files are only good for one pair of systems, iirc
07:43 < mintux> my problem is the ubuntu server get a ip for Internet connection like 273.212.1.10.126  . and there is 4 machine in internal network that they want use 273.212.1.10.126  connection . so I plug two Ethernet cart . eth0 for 273.212.1.10.126 and eth1 for internal ip 192.168.1.10 so other machine has ip in this range like 192.168.1.3 with 192.168.1.10 gateway . my problem is a machine want connect to network and has access to one of internal machine . so I d
07:43 < ecrist> Chosi: the man page would likely answer your question.
07:43 < mintux> from outside
07:43 < ecrist> mintux: 273.212.1.10.126 isn't a valid internet connection
07:43 < ecrist> not even close
07:44 < mintux> ecrist: it's for example I know it . 
07:45 < mintux> ecrist: it's ip expect 192.168.... and ...
07:45 < mintux> ecrist: see this image http://img6.tinypic.info/files/w8hqwsroajz11sr2r9sj.jpg
07:45 < mintux> it's my configs http://codepad.org/r6jlJ7vi
07:45 < vpnHelper> Title: C code - 106 lines - codepad (at codepad.org)
07:46 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Remote host closed the connection]
07:47 < ecrist> mintux: you have two options
07:48 < ecrist> bridged vpn, give vpn clients IPs on the internal network, or two, use a routed vpn, and properly route the vpn IPs to the internal systems
07:50 < mintux> ecrist:it's bridge vpn now  iface br0 inet static  
07:50 < ecrist> great, so what problems are you having?
07:55 < mintux> ecrist:the problem is what ip should I set for openvpn ? for example in this virtual my internal system has 192.168.0.2 ip  but outside system has 192.168.1.6 ip . ubuntu server that has vpn server has two ethernet cart . one of them connected to internal network and another connected to switch . so if I set 192.168.0.1 for openvpn the internal system can connect to vpn but outside system can not because the ip range's are different . so I need both of s
07:56 < mintux> the network of internal and outside are separate and they should connect together with linux server . 
07:56 < ecrist> the VPN server needs to listen on the external IP address
07:57 < mintux> so it's my config http://codepad.org/r6jlJ7vi so  it refer to open vpn config or iptables ?
07:57 < vpnHelper> Title: C code - 106 lines - codepad (at codepad.org)
07:58 < ecrist> mintux: 192.168.0.2 isn't an external IP address
07:58 < mintux> yes
07:58 < mintux> it's internal ip address 
07:58 < mintux> eth1 is connect to internal network 
07:58 < ecrist> if you want user to connect to the vpn from outside, it needs to be external address
07:58 < ecrist> i just said that.
07:59 < ecrist> I'm referring to the local config line
08:00 < mintux> yes the user should connect to 192.168.1.10 and after that connect to internal network by vpn I think 
08:00 < mintux> 192.168.1.10 is external ip 
08:00 < mintux> that it set on bridge 
08:01 < mintux> if I change  local 192.168.0.2  to   local 192.168.1.10  just outside system can connect to vpn 
08:04 < ecrist> no, 192.168.1.10 is not an external IP address
08:04 < ecrist> !1918
08:04 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
08:04 < mintux> it's better to draw a new image of what should I do
08:05 < ecrist> I don't have time to draw you a picture.
08:10 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
08:14 < Bushmills> !tell mintux [route]
08:15 < |Mike|> :P
08:15 < |Mike|> works that Bushmills ?
08:15 < |Mike|> !tell |Mike| [route]
08:15 < |Mike|> o wow
08:16 < Bushmills> no feedback, unluckily. difficult to know whether the factoid was sent, or the bot is donw
08:16 < Bushmills> down
08:16 < mintux> ecrist: finish . I should do same thing like  this http://img6.tinypic.info/files/z9fi90u5gli63rw4lhm6.jpg  on real network 
08:17 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Read error: Operation timed out]
08:19 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined ##openvpn
08:26 < |Mike|> Bushmills: it did work tho
08:34 -!- demiurgen [~demiurgen@nl103-154-253.student.uu.se] has joined ##openvpn
08:38 -!- mintux [~mrg@unaffiliated/mintux] has quit [Ping timeout: 260 seconds]
08:44 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Quit: Lost terminal]
08:44 -!- KaiForce [~chatzilla@adsl-70-228-114-90.dsl.akrnoh.ameritech.net] has joined ##openvpn
08:46 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
09:03 -!- buntfalke [~nobody@openvpn-p0-200.triple-a.uni-kl.de] has joined ##openvpn
09:03 -!- buntfalke [~nobody@openvpn-p0-200.triple-a.uni-kl.de] has quit [Changing host]
09:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:13 -!- mintux [~mrg@unaffiliated/mintux] has joined ##openvpn
09:22 -!- dazo [~dazo@nat/redhat/x-oodvrlpcqqucelfa] has quit [Read error: Connection reset by peer]
09:23 -!- dazo_ [~dazo@nat/redhat/x-maxdwqwfsabvatle] has joined ##openvpn
09:23 -!- dazo_ is now known as dazo
09:49 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
10:29 -!- dazo [~dazo@nat/redhat/x-maxdwqwfsabvatle] has quit [Read error: Connection reset by peer]
10:30 -!- dazo [~dazo@nat/redhat/x-ekvdimuejhtkoaqf] has joined ##openvpn
10:30 -!- dazo [~dazo@nat/redhat/x-ekvdimuejhtkoaqf] has quit [Client Quit]
10:31 -!- dazo [~dazo@nat/redhat/x-uiqgbngackroauig] has joined ##openvpn
10:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
10:48 -!- Bloodsong [~Nimbus@bas2-barrie18-1242455031.dsl.bell.ca] has joined ##openvpn
10:54 -!- kala [~kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
10:57 -!- kala_ [~kala@83.151.191.90.dyn.estpak.ee] has quit [Ping timeout: 276 seconds]
11:26 -!- Abhishek_Singh [~Abhishek@220.225.244.114] has joined ##openvpn
11:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:51 -!- [mutex] [~nnscript@unaffiliated/mutex/x-1106097] has joined ##openvpn
11:58 < [mutex]> client (windows) config: http://pastie.org/978315 | server (freebsd) config: http://pastie.org/978319 | goal: im trying to get a vpn set up at the central office in town. im usually at the south office, my co-workers at the north or vice versa. were looking to share files etc. clients can connect to the vpn and ping other workstations on the network, but they're both getting the IP 10.8.0.6
11:58 < [mutex]> so im wondering what you guys would suggest so that each client connecting gets their own ip in the 10.8.0.0/24 subnet
12:03 -!- notbrien_ [~notbrien@2002:d052:dd6:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
12:05 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 248 seconds]
12:06 -!- notbrien_ [~notbrien@2002:d052:dd6:0:5ab0:35ff:fe80:9b4b] has quit [Remote host closed the connection]
12:06 -!- notbrien [~notbrien@208.82.13.214] has quit [Ping timeout: 258 seconds]
12:07 < krzie> yourclient is using dev tap
12:07 -!- notbrien [~notbrien@2002:d052:dd6:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
12:07 < krzie> your server uses dev tun
12:07 < krzie> those must agree
12:07 < krzie> (tun)
12:07 < [mutex]> oops
12:07 < krzie> clients should have different certs
12:07 -!- notbrien [~notbrien@2002:d052:dd6:0:5ab0:35ff:fe80:9b4b] has quit [Read error: Connection reset by peer]
12:08 -!- notbrien [~notbrien@2002:d052:dd6:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
12:08 < [mutex]> ah, so by using different certs theyll get different ips?
12:08 < [mutex]> sounds right i suppose
12:08 -!- notbrien [~notbrien@2002:d052:dd6:0:5ab0:35ff:fe80:9b4b] has quit [Remote host closed the connection]
12:12 < krzie> for sharing files, if using samba, look into wins
12:12 < krzie> !wins
12:12 < vpnHelper> krzie: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
12:24 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
12:41 < mintux> where is /path/to/ccd/ ?
12:44 < krzie> whereever you decide
12:44 < krzie> !ccd
12:44 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
12:48 < [mutex]> client (windows) config: http://pastie.org/978315 | server (freebsd) config: http://pastie.org/978319 | goal: i'm trying to get clients connecting to be able to ping eachother. theyre able to ping workstations on the physical LAN, but not eachother.
12:48 < [mutex]> edit: client config now uses dev tun as the server config does.
12:49 < krzie> you mean client cant ping 10.8.0.1 and server cant ping 10.8.0.6 ?
12:49 < [mutex]> correct
12:50 < krzie> but you can route through it to reach the LAN
12:50 < [mutex]> actually, client can ping 10.8.0.1, but server cant ping clients, nor can clients ping clients
12:50 < krzie> firewall
12:50 < [mutex]> ah, as the topic suggests
12:50 < [mutex]> probably need some NAT action eh?
12:50 < krzie> nope
12:51 < krzie> nat only needed for this:
12:51 < krzie> !redirect
12:51 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:51 < [mutex]> i see
12:52 < [mutex]> and a correction ( i was in the wrong terminal tab ). clients cannot ping clients, but clients can ping 10.8.0.1, and server can ping all clients
12:59 -!- MushBills [~MushBills@95-89-187-163-dynip.superkabel.de] has joined ##openvpn
12:59 < jpalmer> in a failover scenario (2 ovpn servers, one primary, one failover)  is there a way to make the ovpn clients check the primary, and reconnect when it comes back up.. but stay on the secondary if it's not?
13:00 < krzie> not that i know of, other than scripting it
13:00 -!- MushBills [~MushBills@95-89-187-163-dynip.superkabel.de] has quit [Client Quit]
13:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:02 < jpalmer> hrm, I'd probably script it server side then..  have a little daemon on the secondary check to see if primary is available  if it is,  shutdown openvpn server.  if its not..  start it.  the clients when they get disconnected will try to go back to primary.
13:02 < krzie> good call
13:02 < jpalmer> actually,  seems like a perfect bounty opportunity ;)
13:03 < krzie> haha also good call
13:04 -!- mirco [~mirco@p5B23AC88.dip.t-dialin.net] has joined ##openvpn
13:04 < jpalmer> so, 2 bounties I'll be contributing to, so far ;)
13:09 < krzie> !wishlist
13:09 < vpnHelper> krzie: "wishlist" is http://ovpnforum.com/viewforum.php?f=10 for the openvpn wishlist
13:19 < ecrist> jpalmer: CARP is your friend, if it's that simple. ;)
13:19 < ecrist> I know you're a *bsd guy...
13:19 < jpalmer> ecrist: I am,  the ovpn servers aren't :/
13:20 < ecrist> pf + route_to/other foo
13:20 < jpalmer> I've only got a fundamental grasp on CARP.  never actually used it.
13:20 < jpalmer> ecrist: pf doesn't exist on linux
13:20 < jpalmer> :P
13:24 -!- mirco_ [~mirco@p5B23AC88.dip.t-dialin.net] has joined ##openvpn
13:25 < jpalmer> ecrist: the goal is to have a backup openvpn server in a physical distant location, in case the rpimary goes down due to natural disaster.  from what I know of carp,  that wouldn't work too well.
13:25 < jpalmer> Our primary would be in like texas or denver.  the secondary would be on another continent.  like say, london.
13:26 < ecrist> no, carp wouldn't work well, then.
13:26 < ecrist> http://www.secure-computing.net/wiki/index.php/CARP
13:26 < vpnHelper> Title: CARP - Secure Computing Wiki (at www.secure-computing.net)
13:27 < jpalmer> of course,  considering how rarely the primary goes down..  I could just keep the keys/configs rsynced from primary to secondary..  then manually start the secondary if needed.   just pass out the appropriate openvpn.cfg that has both addresses listed.
13:27 < ecrist> either that, or set a short TTL on the CNAME for your DNS server
13:27 < ecrist> s/DNS server/VPN server/
13:27 < jpalmer> ahh, another good thought.
13:28 -!- mirco [~mirco@p5B23AC88.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
13:28 -!- mirco_ is now known as mirco
13:29 < jpalmer> the DNS answer is actually pretty decent.   if I keep the configs rsynced..  that'd be perfect.
13:29 < jpalmer> thanks ecrist.
13:29 < ecrist> np
13:29 < ecrist> tbh, although we have two data centers, we don't even bother with multiple servers
13:29 < ecrist> things just don't fail often enough to justify the time to set such a thing up.
13:30 < jpalmer> well,  we're using openvpn a bit differently than normal.
13:30 < jpalmer> and our solution is mission critical (literally.. life and death)  so,  we have to have redundancy.
13:32 < krzie> why not just distribute amongst multiple servers
13:33 < krzie> that handles failover, but they dont need to be all on the same server
13:33 < krzie> you canalso handle that via DNS
13:33 < ecrist> jpalmer: if it's THAT critical, I'd run a tunnel to each VPN server, and use CARP on each client system for the VPN tunnels.
13:34 < ecrist> or run two bridged VPNs and use link aggregation
13:34 < krzie> if multiple IPs come from a hostname, it randomizes which to connect to
13:34 < jpalmer> due to NDA,  I can't disclose too much..  but in short..  we run two vpn servers on the sme machine.  one for admins,  one for clients.
13:35 < krzie> you likely dont need 2 vpn procs for that
13:35 < krzie> !policy
13:35 < vpnHelper> krzie: "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario
13:35 < jpalmer> the clients are systems installed at hospitals.  they cannot speak to each other.  the admin clients can speak to clients.
13:35 < krzie> without !c2c you can set that up
13:35 < krzie> !c2c
13:35 < vpnHelper> krzie: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
13:35 < vpnHelper> krzie: behind other clients
13:36 < jpalmer> hrm.  interesting.
13:38 < jpalmer> dammit!  now I'm going to have to re-implement openvpn :P
13:39 < dazo> jpalmer: the third time will be the best one ;-)
13:39 < krzie> you can set firewall rules based on CN in --client-connect
13:39 < krzie> or based on ldap with this
13:39 < krzie> !factoids search ldap
13:39 < vpnHelper> krzie: "ldap_iptables" is see http://planetjoel.com/viewarticle/638/OpenVPN%3A+Dynamically+create+IPtables+rules+based+on+LDAP+group+membership for a cool script for setting iptables rules based on LDAP membership (currently only handles TCP rules, but an easy fix to support UDP)
13:40 < krzie> or you can assign static IPs and firewall accordingly
13:40 < krzie> !static
13:40 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
13:40 < jpalmer> we use the ccd statis IP's currently
13:40 < krzie> so just put admins in 1 subnet, clients in other
13:41 < dazo> jpalmer: have a look at http://www.eurephia.net/ ... for stronger access control
13:41 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
13:41 < krzie> firewall accordingly =]
13:41 < krzie> note, i havnt tested in topology subnet if clients can manually change IPs
13:41 < krzie> i think it could be possible, have been meaning to test it
13:41 < dazo> jpalmer: if you're interested, I can mail you a draft of the manual I'm writing for it
13:41 < krzie> in net30 (default) they can not because theyd lose their gateway
13:41 < jpalmer> krzie: yep.  thats what I'm thinking.  wrt firewall policies.
13:42 < jpalmer> we're using subnet, not net30
13:42 < jpalmer> dazo:  sure,  would love to read it over.
13:42 < krzie> be sure to test that then
13:43 < krzie> as if they can change ips, that would be a way to circumvent firewall rules
13:43 < krzie> should only take a sec since you already have topology subnet
13:44 < jpalmer> when you say manually change IP's,  are you talking about "ifconfig tun0"  or other?
13:44 < krzie> right
13:44 < krzie> ifconfig
13:45 < jpalmer> I'll have to test.  if they can't change IP's,  this could very easily simplify maintenance.
13:45 < krzie> im not sure if it will not work since mapped IP goes to inet ip, or if it does work since gateway remains the same for the client
13:46 < krzie> like if openvpns internal routing table will allow it or not
13:46 < jpalmer> that'd also address another issue I was about to face.  we're using bacula on all the clients..  the bacula storage daemon is going to only be accessible via the VPN..  our way, this is going to be a huge pain.  this way..  it'd just be another "client" with firewall rules allowing the other clients to access it on specific ports.
13:49 < krzie> every time someone says 'bacula' i hear "muahaha" in my head
13:50 < jpalmer> oh, why is that?
13:50 < jpalmer> oh, dracula..  I get it
13:50 < jpalmer> :P
13:50 < jpalmer> personally, I think it's a retarded name (and.. slogan..  have you see that?)  but the software is impressive as hell.
13:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
14:17 -!- svinkels [~svinkels@seb44-1-88-163-78-7.fbx.proxad.net] has joined ##openvpn
14:37 -!- disappearedng [~disappear@unaffiliated/disappearedng] has joined ##openvpn
14:38 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has joined ##openvpn
14:38 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:38 < disappearedng> my update-resolv.conf doesn't work what do I have to instalL ?
14:41 < disappearedng> yeah apparently resolvconf doesn't work in ubuntu, bug is actually filed
14:43 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
14:45 -!- disappearedng [~disappear@unaffiliated/disappearedng] has quit [Ping timeout: 245 seconds]
14:57 -!- dazo is now known as dazo_afk
14:58 -!- Bloodsong [~Nimbus@bas2-barrie18-1242455031.dsl.bell.ca] has quit [Ping timeout: 245 seconds]
15:00 -!- notbrien [~notbrien@2002:d052:dd6:0:5ab0:35ff:fef5:7a5f] has joined ##openvpn
15:00 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
15:03 -!- Abhishek_Singh [~Abhishek@220.225.244.114] has quit [Read error: Connection reset by peer]
15:10 -!- GyrosGeier [~geier@honey.hogyros.de] has joined ##openvpn
15:10 < GyrosGeier> hi
15:11 < GyrosGeier> a customer of mine has had his TLS certificate expire and needs access ASAP. Is there an option to allow a TLS server to accept expired certs?
15:12 < Chosi> i wish there was a way to run a server without any certificates at all ;)
15:12 < GyrosGeier> well, no certificates at all would be too extreme :)
15:12 < julius> would make breaking those nasty barriers a little more comfortable…
15:13 < GyrosGeier> I still want to check that the cert was issued by me
15:13 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has quit [Quit: Leaving.]
15:13 < GyrosGeier> I mean, I can just deactivate NTP and change the system clock
15:13 < Chosi> would make setting up a quick and dirty temporary vpn easier :)
15:13 < Chosi> just spread the key.txt
15:13 < Chosi> and voila.
15:14 < GyrosGeier> Chosi, you can use symmetric encryption for that
15:14 < GyrosGeier> --gen-key
15:14 < Chosi> oh can you point me to the point of the howto that explains how?
15:14 < Chosi> i really don't need much fancy cert stuff, just something to set up quick
15:14 < Chosi> with a pools of ips
15:14 < Chosi> -s
15:15 < GyrosGeier> pool of ips needs certificates
15:15 < GyrosGeier> so the server can tell who is connecting
15:15 < GyrosGeier> symmetric key requires one openvpn instance per peer
15:16 < GyrosGeier> i.e. you tell it "connect from /this/ local port to /that/ remote port using /that/ key"
15:18 -!- mintux [~mrg@unaffiliated/mintux] has quit [Quit: Leaving.]
15:18 -!- Abhishek_Singh [~Abhishek@220.225.244.114] has joined ##openvpn
15:20 < krzee> [13:15]  <Chosi> i wish there was a way to run a server without any certificates at all ;)
15:20 < krzee> !authpass
15:20 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
15:21 < krzee> GyrosGeier, what you want requires prior planning, sign the certs for longer
15:23 < GyrosGeier> krzee, well, I need an after-the-fact solution now :)
15:24 < Chosi> !man
15:24 < vpnHelper> Chosi: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
15:25 < krzee> changing the clock may help, or may block EVERYONE
15:25 < krzee> your real solution is resign their cert
15:25 < GyrosGeier> that is a solution for tomorrow afternoon
15:26 < krzee> sounds like you will be fixed tomorrow afternoon
15:33 < GyrosGeier> hmpf
15:33 < GyrosGeier> the server cert also expired
15:33 < GyrosGeier> so I can't fix it on the server anyway
15:33 < GyrosGeier> *grmbl*
15:33 -!- diogo_79 [~diogo_79@186.211.108.93.rev.vodafone.pt] has joined ##openvpn
15:33 < diogo_79> hi
15:33 < diogo_79> i am having some trouble with openvpn
15:34 < diogo_79> in the server side i have a command like this push "route 10.15.0.0 255.255.0.0"
15:34 < diogo_79> but when the client trys to establish connection the route add is the 10.15.0.0 255.255.255.0"
15:35 < diogo_79> can some one point me to the rigth direction
15:35 < GyrosGeier> routes need destination, netmask and gateway
15:35 -!- disappearedng [~disappear@unaffiliated/disappearedng] has joined ##openvpn
15:35 < diogo_79> so how the command of the push me bee
15:36 < diogo_79> may be
15:39 < GyrosGeier> add the gateway the other side should use
15:39 < GyrosGeier> that would be the address on your side of the tunnel
15:40 < GyrosGeier> it is only added as default with a tun device, not with tap
15:40 < diogo_79> sorry GyrosGeier can you make an example
15:40 < diogo_79> ?
15:41 < GyrosGeier> diogo_79, the manpage has one in the "Server mode" section
15:41 < GyrosGeier> note how the bits for "tap" mode define route-gateway
15:41 < diogo_79> the other side is the server side or the client side?
15:42 < GyrosGeier> you can either set that, or add the gateway as a third parameter
15:42 < GyrosGeier> you are pushing from server to client, no?
15:42 < GyrosGeier> so the client should set the route
15:42 < GyrosGeier> hence the server needs to tell it where to set the route to
15:42 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Read error: Connection reset by peer]
15:44 < diogo_79> yes i am pushing from server to client side
15:47 < diogo_79> but my dev is not tap but tun
15:47 < diogo_79> but my dev is not tap but tun
15:48 < Bushmills> luckily
15:52 < GyrosGeier> hmm
15:53 < GyrosGeier> with tun the default is the second arg to "ifconfig"
15:53 < GyrosGeier> so that should work then
15:58 -!- GyrosGeier [~geier@honey.hogyros.de] has left ##openvpn []
16:03 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
16:17 < ecrist> krzee: I think I might start my endeavor toward C++ ssl-admin today
16:20 < krzee> yay!
16:24 -!- Lenhix [~lenho@mail.coltanques.com.co] has joined ##openvpn
16:47 -!- General_Jung [~anon@p57B67247.dip.t-dialin.net] has joined ##openvpn
16:48 < General_Jung> Hi configured my OpenVPN but I cant connect to samab
16:48 < General_Jung> *samba
16:49 < krzee> !wins
16:49 < vpnHelper> krzee: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
16:50 < General_Jung> thx
16:55 -!- DrPepper [~DrPepper@88.207.189.81] has quit [Read error: Operation timed out]
16:55 -!- DrPepper [~DrPepper@88.207.189.81] has joined ##openvpn
16:56 -!- diogo_79 [~diogo_79@186.211.108.93.rev.vodafone.pt] has left ##openvpn []
16:59 -!- [mutex] [~nnscript@unaffiliated/mutex/x-1106097] has quit [Quit: %60 of the time it works every time]
17:05 < krzee> !route
17:05 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:09 < krzee> ecrist, good place to talk about ssl-admin: http://www.ovpnforum.com/viewforum.php?f=22
17:09 < vpnHelper> Title: OpenVPN Forum View forum - Cert / Config management (at www.ovpnforum.com)
17:09 < ecrist> ok
17:09 < krzee> I made that subforum for the config generator
17:26 < General_Jung> can I use iroute 192.168.1.101 255.255.255.0
17:26 < General_Jung> sry a full 32 mask
17:26 < General_Jung> I won´t route the whole subnet
17:33 < krzee> to tell openvpn server process to 'route' a single lan ip which exists behind a client?
17:34 < krzee> and you meant 255.255.255.255, right?
17:34 < krzee> !iroute
17:34 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
17:35 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
17:37 < General_Jung> yea
17:38 < General_Jung> !ccd
17:38 < vpnHelper> General_Jung: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
17:38 < General_Jung> my server got two ips 
17:38 < General_Jung> 85.214.54.67 / 81.169.174.152
17:39 < General_Jung> and I want to route only the single ips
17:39 < krzee> you dont use iroute
17:39 < krzee> iroute is if it were behind a client
17:39 < krzee> just push the route to the IP which openvpn is not on
17:39 < krzee> !push
17:39 < vpnHelper> krzee: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
17:40 < krzee> you can push a /32
17:40 < General_Jung> k
17:40 < General_Jung> great
17:40 < General_Jung> because I don´t know if my provier like that
17:40 < General_Jung> ^^
17:40 < krzee> note, you can NOT make the ip that clients connect to route over the openvpn
17:40 < krzee> if you tried to, you would create a routing loop
17:40 < krzee> the vpn is able to run because you reach the vpn over the internet
17:41 < krzee> which means your route to the IP the vpn server runs on MUST be reached over the internet
17:41 < General_Jung> How can clients say the VPN server which clients there are targent
17:41 < krzee> huh?
17:41 < General_Jung> yea some services runs on a other ip
17:42 < General_Jung> 85.214.54.67 / 81.169.174.152
17:42 < General_Jung> some on 67 
17:42 < General_Jung> that is I think the huge prublem
17:42 -!- mirco [~mirco@p5B23AC88.dip.t-dialin.net] has quit [Ping timeout: 276 seconds]
17:43 < krzee> i have no idea what you're saying is the problem
17:43 < General_Jung> generally if the client will reach port 27 the use VPNSERVER:27
17:44 < krzee> they will need to use VPN_IP:27 for it to go over the vpn
17:44 < General_Jung> so I can change ports ?
17:44 < General_Jung> in routing
17:44 < krzee> routing is not aware of ports
17:44 < General_Jung> because some services runs on 85.214.54.67:27 and some on the other also 27
17:44 < General_Jung> so how
17:44 < General_Jung> I want to tunnel both
17:45 < krzee> run the vpn server on a different machine in that LAN
17:45 < General_Jung> not possibnle
17:45 < krzee> welp
17:45 < General_Jung> this is my root with two ip
17:45 < krzee> you can NOT route the vpn server ip over the vpn
17:45 < krzee> period
17:46 < krzee> any attempt to do so will result in a routing loop and you will a) not have access to the vpn b) run out of MBUFs
17:46 < krzee> on all clients
17:46 < General_Jung> So it is not possbiel to reflect 192.168.1.1:27 to VPN:27 and the other 192.168.1.2 to VPN:28
17:46 < General_Jung> or whatever
17:47 < krzee> i have no clue what you're saying
17:47 < General_Jung> I said that my problem is not very common
17:48 < General_Jung> OK I will 192.168.1.1:27 available via VPn and 192.168.1.2:27 also on same machine
17:48 < krzee> 85.214.54.67 / 81.169.174.152 are your ips
17:48 < General_Jung> yea
17:48 < krzee> lets say you run vpn server on 85.214.54.67
17:48 < General_Jung> k
17:48 < krzee> you can route 81.169.174.152 over your vpn no problem
17:48 < General_Jung> k
17:49 < krzee> all clients will access that ip over the vpn if you say so
17:49 < krzee> however, you can NOT reach 85.214.54.67 over the vpn
17:49 -!- mirco [~mirco@p5B23DBCC.dip.t-dialin.net] has joined ##openvpn
17:49 < krzee> but what you CAN do is:
17:50 < krzee> run all the stuff which listens on 85.214.54.67 to also listen on 10.8.0.1 (or whatever ip your vpn server uses)
17:50 < krzee> then access stuff based on vpn ip
17:50 < General_Jung> yea I tried to run samba on 10.8.01
17:50 < krzee> those 2 ips are on the same machine, right?
17:50 < General_Jung> but that won´t work
17:50 < General_Jung> yes
17:50 < General_Jung> they are
17:52 < General_Jung> so I can push 85.214.54.67 into VPN but not the IP which the serve ris runnign ion ?
17:52 < General_Jung> so I have to bound those sevices on VPN
17:52 < General_Jung> did I understand that corectl?
17:52 < General_Jung> *correctly
17:53 < krzee> well in my example you could only NOT push .67
17:53 < General_Jung> k
17:53 < krzee> but if you run it on .152, correct
17:53 < General_Jung> yes
17:53 < krzee> for something like samba, you can just run it on all interfaces i bet
17:53 < krzee> but not specifying ip
17:54 < krzee> since i highly doubt you have samba running 2x, 1 for each ip
17:54 < General_Jung> so I won´t work bind to VPN
17:54 < krzee> (you would want to firewall it from using inet accessible ips if you have to do that)
17:54 < krzee> honestly ive never used samba, i dont know
17:54 < General_Jung> yes
17:54 < General_Jung> k
17:55 < krzee> samba is an inferior windows sharing method imo, so i dont use it
17:55 < krzee> ;]
17:55 < krzee> (i also dont use windows)
17:55 < krzee> !windows
17:55 < vpnHelper> krzee: "windows" is pcs are like air conditioners, they work fine unless you open windows
17:55 < General_Jung> ^^
17:55 < General_Jung> but thx for you hgelp
17:55 < krzee> np
17:57 < General_Jung> but furthermore isn´t there any port forward ?
17:57 < General_Jung> iptables
17:58 < krzee> sure, ip tables can reroute packets, its called DNAT and normally used when setting up a linux router to do NAT
17:58 < krzee> !dnat
17:58 < vpnHelper> krzee: Error: "dnat" is not a valid command.
17:58 < krzee> !factoids search iptables
17:58 < vpnHelper> krzee: 'iptables' and 'ldap_iptables'
17:58 < krzee> !factoids search nat
17:58 < vpnHelper> krzee: 'nat', 'linnat', 'fbsdnat', 'pfnat', 'freebsdnat', 'bsdnat', 'donate', and 'winnat'
17:58 < krzee> hrm
17:58 < krzee> !factoids search port
17:58 < vpnHelper> krzee: "linportforward" is (#1) to forward port 80 tcp to a vpn client, use this (replacing <SERVERIP> with the real ip of the server, and <VPNIP> with the clients VPN ip), or (#2) iptables -t nat -A PREROUTING -i eth0 -d <SERVERIP> -p tcp --dport 80 -j DNAT --to <VPNIP>, or (#3) iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i eth0 -p tcp --dport 80 -j ACCEPT
17:58 < Bushmills> donate, grin
17:58 < General_Jung> yes tgx
17:58 < krzee> lol ya
17:59 < Bushmills> pronounced like doughnut
17:59 < General_Jung> I think I were talking about DNAT 
18:02 < krzee> General_Jung, you should prolly read the last link here:
18:02 < krzee> !iptables
18:02 < vpnHelper> krzee: "iptables" is (#1) o test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT;, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-
18:02 < vpnHelper> krzee: computing.net/wiki/index.php/OpenVPN/Firewall
18:02 < krzee> err no
18:02 < krzee> !nat
18:02 < vpnHelper> krzee: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
18:02 < krzee> hrmmm
18:02 < krzee> !factoids search --values netfilter
18:02 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
18:02 < krzee> there it is!
18:02 < krzee> #3
18:15 < General_Jung> gtreat thx
18:16 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
18:29 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
18:34 -!- notbrien [~notbrien@2002:d052:dd6:0:5ab0:35ff:fef5:7a5f] has quit [Quit: notbrien]
18:38 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has joined ##openvpn
18:38 < Ricky_Rat5005> !welcome
18:38 < vpnHelper> Ricky_Rat5005: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:38 < Ricky_Rat5005> !howto
18:38 < vpnHelper> Ricky_Rat5005: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
18:39 < Ricky_Rat5005> !wiki
18:39 < vpnHelper> Ricky_Rat5005: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
18:40 < Ricky_Rat5005> !sample
18:40 < vpnHelper> Ricky_Rat5005: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
18:42 < Ricky_Rat5005> Hi, I am trying to set up openvpn with ddwrt.  The instructions say: you need the OpenVPN software installed on your computer, as it is used to create all the needed certificates.  Am I installing the client? or do I use a server config file... I have read the faq's but I don't quite follow what the next step is, can anyone help?
18:44 < Bushmills> you need a server and a client. if you have a server, you want ddwrt as client
18:44 < Bushmills> and vice versa
18:45 < Ricky_Rat5005> I have nothing right now... I am trying to install on Server 2008 R2 with DDWRT and have my laptop (with aircard) outside of my network vpn in.
18:45 < Bushmills> what's the purpose of using openvpn?
18:46 < Bushmills> !goal
18:46 < vpnHelper> Bushmills: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
18:46 < Ricky_Rat5005> !goal
18:46 < vpnHelper> Ricky_Rat5005: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
18:47 < Ricky_Rat5005> my goal is that with my laptop, I can VPN in and then be able to use RealVNC (or another VNC) to access computers in my office w/o having to do all the port forwarding.
18:47 < Ricky_Rat5005> As well as for learning/experience.
18:47 -!- mirco [~mirco@p5B23DBCC.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
18:47 < Bushmills> then you most likely want server on router and client on laptop
18:48 < Ricky_Rat5005> yes, I agree. But it looks like it want's me to d/l a client and create a certificate: http://www.dd-wrt.com/wiki/index.php/VPN_%28the_easy_way%29_v24%2B
18:48 < Bushmills> in that case, you also want 
18:48 < vpnHelper> Title: VPN (the easy way) v24+ - DD-WRT Wiki (at www.dd-wrt.com)
18:48 < Bushmills> !route
18:48 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:48 < Bushmills> openvpn is both server and client, depends on its config
18:52 < Ricky_Rat5005> Ok, but I am not to that point yet.  I need to create my certificates now. So do I do that WITHIN ddwrt or on the client with OpenVPN GUI?
18:53 < Bushmills> some users like to use a collection of scripts, called easy-rsa, to generate keys and sign them. 
18:54 -!- mirco [~mirco@p5B23E841.dip.t-dialin.net] has joined ##openvpn
18:54 < Bushmills> doesn't really matter where you create and sign them, as long as the preconditions (server cert) are given.  it usually is a good idea to keep those on machines which can't easily be compromised
18:55 < Bushmills> that means, the router would not be the ideal place for those
18:55 -!- zero-__ [~zero@noc.toile-libre.net] has joined ##openvpn
18:56 < Ricky_Rat5005> ok, just reading about easy-rsa now.
18:58 -!- zero-_ [~zero@noc.toile-libre.net] has quit [Ping timeout: 264 seconds]
18:58 < krzee> !pki
18:58 < vpnHelper> krzee: Error: "pki" is not a valid command.
18:58 < krzee> !certs
18:58 < vpnHelper> krzee: "certs" is (#1) use !easy-rsa-unix for easy-rsa, or (#2) use !ssl-admin for ecrists copy of ssl-admin to make and manage your certs
18:58 < krzee> you can build the certs anywhere
18:59 < krzee> i use a machine with no network connection at all
18:59 < krzee> also for your configs, you can use this
18:59 < krzee> !confgen
18:59 < vpnHelper> krzee: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
19:00 < Ricky_Rat5005> ok, thanks. Still reading.
19:06 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
19:09 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Quit: Leaving]
19:10 -!- Netsplit *.net <-> *.split quits: fahadsadah, Champi
19:10 -!- Netsplit over, joins: Champi
19:10 -!- Champi [Champi@damn.e-leet.be] has left ##openvpn []
19:10 -!- Champi [Champi@damn.e-leet.be] has joined ##openvpn
19:13 -!- krebipeti [~a@118.98.64.90] has joined ##openvpn
19:13 < krebipeti> !welcome
19:13 < vpnHelper> krebipeti: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:13 < krebipeti> !route
19:13 < vpnHelper> krebipeti: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
19:14 < krebipeti> hi...help please....
19:15 < krebipeti> i create a vpn that connecting 3 point....router A ---- router B and router A ----- router C
19:16 < krebipeti> the local area on router B can be accessed from A....the local area on router C can be accessed from A
19:17 < krzee> all 3 openvpn nodes have lans behind them?
19:17 < krebipeti> i want to access C from B...why it can't....i try to ping the tun interface that connect A ---- C from B.....but it can't
19:18 < krebipeti> A is a gateway that can be seen from the outside world
19:18 < krebipeti> B and C has lans behind them
19:18 < APTX> by default clients aren't allowd to see eachother
19:18 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
19:19 < Bushmills> what is server, what are clients?
19:19 < krebipeti> hmmmm....so is there any way how to create client "see each other"
19:19 < APTX> it's a ssetting
19:20 < krebipeti> i'm not using client server mode
19:20 -!- mirco [~mirco@p5B23E841.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
19:20 < Bushmills> do you use openvpn?
19:20 < krebipeti> i use point to point between A ---- C
19:20 < krebipeti> and point to point between A ---- B
19:20 < krebipeti> yep2
19:20 < krebipeti> i use openvpn
19:21 < Bushmills> so you set one up as server
19:22 < krebipeti> does what i create above make A as server?? i set A --- B and A --- C is in different config
19:23 -!- Lenhix [~lenho@mail.coltanques.com.co] has quit [Ping timeout: 264 seconds]
19:23 < Bushmills> no. but stating in the config of the non-client machine does so
19:23 < Ricky_Rat5005> ok, I set up my cert, but it didn't create all the files I was expecting... server.crt server.key and dh1024.pem aren't there am I missing a step?
19:23 < Bushmills> B and C could both be server, and A client to both of them
19:24 < Bushmills> but unless you tell us, nobody will know
19:25 < Ricky_Rat5005> duh, just saw it... nevermind
19:25 < krebipeti> hehe...i'm not stating any "server" parameter on any of A, B neither C
19:25 < Bushmills> then you use a way of configuring openvpn which is unknown to me
19:25 < Bushmills> maybe somebody else can help
19:26 < krebipeti> thx...but can i ask one question
19:26 < krebipeti> it is about tun device
19:26 -!- DrPepper [~DrPepper@88.207.189.81] has quit [Quit: Leaving...]
19:27 < krebipeti> tun0 in A connect to tun0 in B then tun1 in A connect to tun0 in C 
19:27 < krzee> why not just make 1 be a server, with other 2 as clients?
19:27 < krzee> like in !route
19:27 < krzee> in route theres 3 lans, and client/server works
19:28 < krebipeti> owwww...i get it...
19:29 < krebipeti> if i create the client server mode....then it will operate like "a computer in one LAN network"..isn't it?
19:30 < krebipeti> it is because on point2point like what i say above...from B i canot ping A tun1 interface....
19:30 < krebipeti> T_T
19:30 < krebipeti> !route
19:30 < vpnHelper> krebipeti: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
19:31 < krzee> all i know, you're making it harder than it needs to be
19:31 < krzee> you just make 1 a server, other 2 clients, then the server and a client have lans behind it
19:31 < krzee> and thats easy to do after understanding !route
19:31 < Ricky_Rat5005> what is a good way to cut and paste out of the cert files created w/o messing up the format... notepad? (with or without word wrap)
19:32 < krzee> you dont need to edit your cert files
19:32 < krzee> !certinfo
19:32 < vpnHelper> krzee: "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
19:32 < krzee> !certverify
19:32 < vpnHelper> krzee: "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
19:33 < Ricky_Rat5005> !certinfo
19:33 < vpnHelper> Ricky_Rat5005: "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
19:35 < krebipeti> oke i'll try it
19:36 < krebipeti> i just not read it yet...but thanx for your help....
19:39 < Ricky_Rat5005> Krzee: That puts it on the screen but I need to get it into DDWRT text box.
19:39 < krzee> scp
19:39 < krzee> lol
19:39 < Ricky_Rat5005> scp?
19:40 < krzee> its one of the ways to send files over ssh
19:40 < krzee> sftp is another one
19:41 < Ricky_Rat5005> ok, I guess I'll just cut/paste... not sure how to do it that way...gotta paste it into the browser... I am using "the easy way" (which I am finding isn't all that easy) lol.
19:42 < krzee> LOL
19:42 < krzee> learn how to use your software instead
19:42 < krzee> just google scp or sftp
19:42 < krzee> i take it you use windows...
19:42 < Ricky_Rat5005> LOL yes.
19:43 < krzee> there exists gui sftp clients
19:44 -!- mirco [~mirco@p5B23CC01.dip.t-dialin.net] has joined ##openvpn
19:44 < Bushmills> i suppose he doesn't know where to copy files to, using a web config frontend for the router to set up openvpn
19:45 < Ricky_Rat5005> Yes, that's true!
19:45 < Ricky_Rat5005> but cut/paste working so far.
19:45 < krzee> lol
19:46 < Ricky_Rat5005> (I realize how that sounds to a Unix/Linux user) sorry, am a newbie.
19:52 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has quit [Ping timeout: 240 seconds]
19:57 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has joined ##openvpn
19:57 < krzee> im curious how you got on IRC if you are so against learning how things work by reading about it
20:06 -!- mirco [~mirco@p5B23CC01.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
20:06 -!- ffffffff [~ffffffff@client-86-25-254-54.sqy-bng-012.adsl.virginmedia.net] has joined ##openvpn
20:07 -!- ffffffff [~ffffffff@client-86-25-254-54.sqy-bng-012.adsl.virginmedia.net] has quit [Client Quit]
20:07 -!- ffffffff [~ffffffff@client-86-25-254-54.sqy-bng-012.adsl.virginmedia.net] has joined ##openvpn
20:11 -!- ffffffff [~ffffffff@client-86-25-254-54.sqy-bng-012.adsl.virginmedia.net] has quit [Client Quit]
20:28 < Ricky_Rat5005> which certs do I now copy to the client lappy to work?
20:37 -!- f1assistance1 [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
20:43 < krzee> the ones you made for it
20:45 < Ricky_Rat5005> ok, got that part but still getting error:
20:45 < Ricky_Rat5005> Wed May 26 19:43:06 2010 OpenVPN 2.1.1 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] bui
20:45 < Ricky_Rat5005> lt on Dec 11 2009
20:45 < Ricky_Rat5005> Wed May 26 19:43:06 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or hig
20:45 < Ricky_Rat5005> her to call user-defined scripts or executables
20:45 < Ricky_Rat5005> Wed May 26 19:43:06 2010 Cannot load certificate file worklappy.crt: error:0906D
20:45 < Ricky_Rat5005> 06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX
20:45 < Ricky_Rat5005> _use_certificate_file:PEM lib
20:45 < Ricky_Rat5005> Wed May 26 19:43:06 2010 Exiting
20:45 < Ricky_Rat5005> Press any key to continue...
20:47 < Ricky_Rat5005> I am trying to muddle through this but just still missing something.
20:49 < krzee> its a problem with your certs
20:49 < krzee> which SERIOUSLY doesnt surprise me
20:49 < krzee> lol
20:49 < krzee> ill bbl
20:49 < Ricky_Rat5005> ok thanks
20:50 < Ricky_Rat5005> can any1 else help?
20:52 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
20:54 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
20:54 < ecrist> boats n hos
20:55 < jpalmer> I'll take 2 of each, please.
20:55 < ecrist> indeed
20:56 < jpalmer> maybe I'll just take 3 boats instead.  the fiancee probably wouldn't like the 2 others.
20:56 < ecrist> I'm a little salty tonight.  I have two nice 22" LCDs on my desk I can't use because Apple's mini displayport to dual-link dvi adapter blows balls
20:56 < krzee> whaaaaaaat
20:56 < krzee> thats BS
20:57 < jpalmer> I dunno.  sounds about right.  theirr adapters aren't very well made
20:57 < jpalmer> I've gone through several mini-displayport to dvi or svga adapters on a MBP
20:57 < ecrist> so, I'm shipping it back for my money, and will be buy the right hardware.
20:57 < jpalmer> the hdmi adapter seems to be holding up well though.
20:58 < ecrist> http://www.matrox.com/graphics/en/products/gxm/dh2go/
20:58 < vpnHelper> Title: Matrox Graphics - Products - Graphics eXpansion Module - DualHead2Go (at www.matrox.com)
20:58 < ecrist> the DP edition
20:59 < jpalmer> oh, I've used those before.  excellent concept.
21:00 < ecrist> I've been using the triplehead2go digital edition, which is why I need the dual-link dvi
21:02 < Ricky_Rat5005> ok running cert creation again... when I run build-key worklappy at the end I notice (after sign database) failed to update database, TXT_DB error number 2 could not find C:\Temp\Old
21:02 < Ricky_Rat5005> can any1 tell me how to fix that error please?
21:02 < jpalmer> make sure c:\temp\old exists, and you hve permissions to use it.
21:02 < jpalmer> (the error is pretty clear, I think)
21:02 < Ricky_Rat5005> even if there is nothing in it?
21:03 < krzee> try setting your vars right
21:04 < Ricky_Rat5005> I am trying to set my vars right... which var do I need to look at?  I have set KEY_DIR=C:\Temp
21:06 < Ricky_Rat5005> I am reading and I am trying to do it right... I just need some help (which I though is the point of this channel) please help, I am trying my best.
21:09 < krzee> !certs
21:09 < vpnHelper> krzee: "certs" is (#1) use !easy-rsa-unix for easy-rsa, or (#2) use !ssl-admin for ecrists copy of ssl-admin to make and manage your certs
21:10 < krzee> !easy-rsa-unix
21:10 < vpnHelper> krzee: "easy-rsa-unix" is http://www.freebsddiary.org/openvpn-easy-rsa.php for a writeup of making certs with easy-rsa in fbsd, only the dir changes for linux
21:10 < krzee> weird
21:10 < krzee> no idea why it uses that link instead of howto
21:10 < krzee> !factoids search --values howto
21:10 < vpnHelper> krzee: 'howto', 'gentoo', 'keys', 'samba', 'secure', 'security', 'custom', 'win_noadmin', 'policy', 'nat', 'someclient2client', 'mitm', 'linnat', 'ipv6', 'fbsdnat', 'nat', 'welcome', and 'win_rollup'
21:10 < krzee> !keys
21:10 < vpnHelper> krzee: "keys" is http://openvpn.net/howto#pki
21:10 < jpalmer> well, that is a howto from Dan Langille,  on how to use it
21:10 < ecrist> krzee: should I go with gcc, or clang for the compiler?
21:10 < Ricky_Rat5005> but I am using windows not unix/linux
21:10 < jpalmer> according to the factoid,  only the directory changes on linux
21:11 < ecrist> jpalmer: were you at BSDCan this year?
21:11 < jpalmer> ecrist: sadly, no.
21:11 < krzee> ecrist, prolly gcc since ive never heard of clang, lol
21:11 < jpalmer> you?
21:11 < ecrist> yes, my first year
21:11 < jpalmer> krzee: clang is the new hotness.
21:11 < ecrist> krzee: fbsd 9 will use clang as system compiler
21:11 < krzee> Ricky_Rat5005, 
21:11 < krzee> !keys
21:11 < ecrist> it's sexy
21:11 < vpnHelper> krzee: "keys" is http://openvpn.net/howto#pki
21:11 < jpalmer> ecrist: I've been supposed to go the last 3 years..  and always have to change plans at the last minute.
21:11 < krzee> ecrist, will linux use it?
21:11 < ecrist> afaik, yes
21:12 < krzee> ecrist, use whatever will work on bsd/linux/(hopefully solaris)
21:12 < krzee> but like, by default linux will have it?
21:12 < ecrist> no
21:12 < jpalmer> depends on the "linux"
21:12 < krzee> well obviously not gentoo
21:12 < ecrist> but, code compiled by clang *should* work with gcc
21:12 < ecrist> s/compiled/compilable/
21:14 < ecrist> well, I'll get clang compiled/installed on cartman, and start real work tomorrow evening, I think.
21:14 < jpalmer> what are you working on?
21:14 < ecrist> krzee: I'm hoping for a working version end of june
21:14 < ecrist> jpalmer: converting ssl-admin from perl to c++
21:14 < jpalmer> oh, good choice.
21:14 < ecrist> I've never coded c++, so a slight curve is involved.
21:15 < jpalmer> I detest perl.
21:15 < ecrist> !ssl-admin
21:15 < vpnHelper> ecrist: "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn, or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
21:15 < ecrist> if you haven't see it...
21:15 < ecrist> I actually like perl, but I don't think it's the best choice in this case, given the size and complexity of the script
21:16 < ecrist> there are bigger/more complicated, but I'd better serve the users talking directly to the openssl libraries than I am dealing with the openssl cli interface
21:17 < jpalmer> generally,  I hate the language war discussions..  but I'll be honest.  perl is about the only languge that gives me a headache unless I wrote the code myself.
21:17 < ecrist> I would agree with that, though I'm getting better
21:18 < ecrist> PHP is my friend. lots of folks dog it pretty hard, but it's extremely capable, and I can write programs using PHP much quicker than any other scripting language
21:18 < ecrist> (save simply things in sh)
21:19 < jpalmer> I'm debating on learning ruby or python.  I've had an idea for a website for like.. 10 years now.  I still think it'd make bank (nobody has done anything like it yet)  but..  the only language I know well enough for a full website is PHP..  and I want to avoid that ;)
21:19 < Ricky_Rat5005> can I paste my vars file here?  I don't see anything wrong with it... I have read the keys area over and over and my eyes are bleeding.
21:19 < ecrist> jpalmer: why avoid PHP?
21:19 < ecrist> Ricky_Rat5005: no, you can paste a link to a pastebin, though.
21:20 < jpalmer> PHP itse;f is fine.   it's getting a bad rep *because* it's so easy to use/learn.  newcomers are using it (usually wrong) and leaving entire websites wide open to security issues.
21:20 < ecrist> jpalmer: if a site like facebook can use PHP, most anyone can use PHP.
21:20 -!- networkn [networkn@smtp.sapphiresolutions.co.nz] has joined ##openvpn
21:20 < jpalmer> ecrist: well "avoid" is probably the wrong term.  I want to use this as an opportunity to learn a new language
21:20 < ecrist> ah, that I can be on board with.
21:20 < networkn> What is the default path for a linux installation of openvpn?
21:20 < ecrist> ;)
21:20 < ecrist> networkn: no clue - every linux is different.
21:21 < jpalmer> networkn: depends on the distro, and how it was installed.
21:21 < networkn> ugh.
21:21 < networkn> of course it does :)
21:21 < networkn> linux ftw
21:21 < networkn> right then, is there anything I can take for granted about it, so I can try and find it ?
21:22 < ecrist> networkn: you could reinstall, using freebsd instead. ;)
21:22 < Ricky_Rat5005> ok, can you look at this please (email changed for privacy): http://pastebin.com/VmC7ki7m
21:22 < ecrist> networkn: try 'which openvpn' to find the binary
21:22 < networkn> ecrist: do you think that type of comment is helping ? :)
21:22 < networkn> ok
21:22 < jpalmer> sure.  the binary is generally called "openvpn"  so you can "locate openvpn" if the DB is up to date.  or 'which openvpn'  or find / -name openvpn
21:22 < ecrist> as far as where openvpn looks for configs, it doesn't
21:22 < ecrist> it looks for them where you tell it to.
21:23 < ecrist> and yes, I think suggesting freebsd over linux *is* helping heh
21:23 < networkn> ok well none of those commands found anything
21:23 < jpalmer> networkn: you could also look at your distros init scripts,  to see where it's being called from.
21:23 < jpalmer> afk a sec.  eating wings,  not gonna touch the keyboard for a few.
21:24 < networkn> hmm I wonder if they aren't actually using the cisco client :(
21:24 < networkn> err openvpn
21:24 < networkn> using cisco client instead
21:24 < networkn> since there is no openvpn service listed in etc/init.d
21:24 < ecrist> fwiw, cisco != openvpn
21:25 < networkn> yup I know
21:25 < networkn> I misspoke
21:25 < networkn> I see a vpnclient_init service in /etc/init.d
21:26 < Ricky_Rat5005> Can someone look at this please?: http://pastebin.com/VmC7ki7m
21:26 < networkn> yup it seems they might be using the cisco client :(
21:26 < networkn> on linux :(
21:28 < ecrist> Ricky_Rat5005: looking now
21:28 -!- General_Jung [~anon@p57B67247.dip.t-dialin.net] has quit [Ping timeout: 260 seconds]
21:29 < ecrist> what am I looking for?
21:30 < ecrist> Ricky_Rat5005: ?
21:30 < Ricky_Rat5005> I am getting an error when I run build-key worklappy
21:31 < ecrist> what's the error?
21:31 < Ricky_Rat5005> Sign the certificate? [y/n]:y
21:31 < Ricky_Rat5005> failed to update database
21:31 < Ricky_Rat5005> TXT_DB error number 2
21:31 < Ricky_Rat5005> Could Not Find C:\Temp\*.old
21:31 < Ricky_Rat5005> and worklappy.crt is 0 bytes
21:31 < ecrist> so, looks like it can't find C:\Temp\*.old
21:32 < Ricky_Rat5005> is that because I am running clean-all prior to creating the certs?
21:33 < Ricky_Rat5005> I don't understand what is supposed to be .old
21:33 < ecrist> I have no idea.  I HATE easy-rsa, which is why I wrote ssl-admin
21:34  * ecrist heads out
21:34 < Ricky_Rat5005> is that linux?
21:34 < ecrist> it's perl
21:34 -!- General_Jung [~anon@p57B66174.dip.t-dialin.net] has joined ##openvpn
21:34 < ecrist> not sure if it would run on windows, but it should run on linux and freebsd
21:35 < Ricky_Rat5005> ok, have ubuntu 10, how do I get it?
21:36 < Ricky_Rat5005> I don't see it in package manager
21:36 < Ricky_Rat5005> !certs
21:36 < vpnHelper> Ricky_Rat5005: "certs" is (#1) use !easy-rsa-unix for easy-rsa, or (#2) use !ssl-admin for ecrists copy of ssl-admin to make and manage your certs
21:36 < Ricky_Rat5005> !ssl-admin
21:36 < vpnHelper> Ricky_Rat5005: "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn, or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
21:37 < Ricky_Rat5005> on your web page which one do I choose?
21:44 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
22:06 < Ricky_Rat5005> ok, redid everything in Ubuntu and it looks a lot better.  How do I get the files for the client off of the linux box and onto the windows box to use?
22:48 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-qnvvbztnxepqufif] has joined ##openvpn
22:49 < HoboSteaux> i need help with a TAP vpn
22:49 < HoboSteaux> people are able to connect but no broadcast data is going across the vpn
22:54 -!- brianV [~brian@bas8-ottawa23-1177968166.dsl.bell.ca] has joined ##openvpn
22:55 < brianV> hi all. I'm trying to set up OpenVPN on a rackspace server I have, and I think the OpenVPN server and client config is correct. However, my client can't connect, and I suspect that it is firewall issues
22:56 < brianV> can anyone rough out what I should look for? OS is CentOS 5.4
23:06 < jpalmer> brianV: from outside of rackspace's network,  can you telnet to the port openvpn server is listening on?
23:07 < jpalmer> (or netcat instead of telnet, if listening udp
23:08 < brianV> let me check
23:10 < brianV> looks like I can access (udp)
23:10 < brianV> that is, netcat seems to connect
23:12 < brianV> changed to TCP, restarted openvpn server, and can't connect via telnet
23:13 < brianV> jpalmer: (just using your name to trigger notification on your client. No rush, though!)
23:18 < brianV> jpalmer: btw, if I disable iptables on the server, looks like I can connect ok
23:18 < jpalmer> then, you've found your culprit ;)
23:19 < brianV> so, I need to add a rule to open my port... well, I know what to track down, anyways
23:19 < HoboSteaux> has anyone done TAPs before
23:21 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Ping timeout: 245 seconds]
23:22 < HoboSteaux> i have a working TAP vpn but its behaving as a TUN
23:33 < krzie> you gave it the server command?
23:34 < krzie> instead of bridging and using server-bridge?
23:34 < krzie> this works and has a purpose
23:34 < krzie> but if you need full layer2 you want to bridge it
23:40 -!- brianV [~brian@bas8-ottawa23-1177968166.dsl.bell.ca] has quit [Ping timeout: 265 seconds]
23:41 -!- brianV [~brian@bas8-ottawa23-1177968166.dsl.bell.ca] has joined ##openvpn
23:45 -!- brianV [~brian@bas8-ottawa23-1177968166.dsl.bell.ca] has quit [Ping timeout: 260 seconds]
23:48 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has quit []
23:50 -!- brianV [~brian@bas8-ottawa23-1177968166.dsl.bell.ca] has joined ##openvpn
23:53 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has joined ##openvpn
23:54 < Ricky_Rat5005> Getting error: read UDPv4:Connection reset by peer (WSAECONNRESET)
23:54 < Ricky_Rat5005> code 10054
23:56 -!- brianV [~brian@bas8-ottawa23-1177968166.dsl.bell.ca] has quit [Ping timeout: 240 seconds]
23:59 < Ricky_Rat5005> http://pastebin.com/1v9wpJFs
--- Day changed Thu May 27 2010
00:07 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has quit [Ping timeout: 276 seconds]
00:10 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has joined ##openvpn
00:11 < Ricky_Rat5005> getting SIGUSR1[soft,tls-error] now, can anyone help with this?
00:14 < krzie> looks like firewall
00:15 < krzie> btw use verb 5 during debugging
00:15 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has quit [Ping timeout: 258 seconds]
00:17 < HoboSteaux> hrm krzie?
00:18 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has joined ##openvpn
00:18 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has quit [Read error: Connection reset by peer]
00:19 < krzie> [00:22]  <HoboSteaux> i have a working TAP vpn but its behaving as a TUN
00:20 < krzie> unless you're talking about the windows tap devic e
00:20 < krzie> in which case, thats just a name, it does both
00:20 < HoboSteaux> its stopping layer 2 items, but the vpn as a whole will still connect and work
00:20 < HoboSteaux> (minus layer 2)
00:21 < krzie> so you use dev tun
00:21 < krzie> right?
00:21 < HoboSteaux> dev tap
00:21 < krzie> and server
00:21 < HoboSteaux> yeah
00:21 < krzie> it allows broadcasts
00:21 < krzie> a tun wouldnt :p
00:22 < HoboSteaux> but i cant get any boradcasts over the vpn
00:22 < HoboSteaux> broadcasts*
00:22 < krzie> *shrug* what is your goal?
00:22 < HoboSteaux> play games over the vpn
00:22 < krzie> you need a bridge
00:23 < krzie> !bridge
00:23 < vpnHelper> krzie: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for anything where the protocol uses MAC addresses instead of IP addresses.
00:23 < vpnHelper> krzie: (but not samba, see !wins)
00:23 < HoboSteaux> ty
00:23 < krzie> np
00:26 < HoboSteaux> so my config file will not have a 'server' line in it then
00:26 < HoboSteaux> 'mode server'
00:26 < krzie> see --server-bridge
00:26 < krzie> !man
00:26 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
00:29 -!- troy- [8102a30e16@bgp4.us] has quit [Ping timeout: 252 seconds]
00:34 -!- troy- [f27a6445c2@bgp4.us] has joined ##openvpn
00:49 < HoboSteaux> krzie: the vpn was configured perfectly and working, it just wasnt briidged on his end
00:49 < HoboSteaux> ty
00:50 < krzie> yw
00:53 < vpnHelper> New forum entry openvpnforum: Configuration :: TAP interface not carrying layer 2 :: Author HoboSteaux <http://www.ovpnforum.com/viewtopic.php?f=6&t=4806&p=5332#p5332> || Configuration :: Re: TAP interface not carrying layer 2 :: Reply by krzee <http://www.ovpnforum.com/viewtopic.php?f=6&t=4806&p=5333#p5333>
00:56 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
00:56 -!- mode/##openvpn [+o mattock] by ChanServ
01:00 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
01:12 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
01:23 < vpnHelper> New forum entry openvpnforum: Authentication Scripts :: 1 stop plugin for authentication / managing iptables :: Author krzee <http://www.ovpnforum.com/viewtopic.php?f=16&t=4807&p=5334#p5334>
01:30 -!- krebipeti [~a@118.98.64.90] has left ##openvpn []
01:53 -!- ike [ike@unaffiliated/ike] has quit [Ping timeout: 252 seconds]
01:53 -!- Niklas- [~niklas@217.116.253.195] has quit [Ping timeout: 252 seconds]
01:53 -!- raw_ [~raw@chipotle118.server4you.de] has quit [Ping timeout: 252 seconds]
01:54 -!- ike [ike@szluug.org] has joined ##openvpn
01:54 -!- Niklas- [~niklas@217.116.253.195] has joined ##openvpn
01:58 -!- nullified [nullfree@66.76.162.103] has joined ##openvpn
01:58 < nullified> !welcome
01:58 < vpnHelper> nullified: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:58 -!- Optic [~Optic@miso.capybara.org] has quit [Ping timeout: 252 seconds]
01:58 < nullified> !route
01:58 < vpnHelper> nullified: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:00 < nullified> !redirect
02:00 < vpnHelper> nullified: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
02:00 -!- raw_ [~raw@chipotle118.server4you.de] has joined ##openvpn
02:00 -!- Optic [~Optic@miso.capybara.org] has joined ##openvpn
02:07 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
02:09 -!- disappearedng [~disappear@unaffiliated/disappearedng] has quit [Ping timeout: 260 seconds]
02:12 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Client Quit]
02:12 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
02:12 -!- nullified [nullfree@66.76.162.103] has left ##openvpn []
02:18 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
02:22 -!- disappearedng [~disappear@unaffiliated/disappearedng] has joined ##openvpn
02:47 -!- takamichi [~pri@78.133.37.89] has quit [Ping timeout: 240 seconds]
02:47 < kraut> moin
02:49 -!- takamichi [~pri@78.133.37.89] has joined ##openvpn
03:10 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
03:14 -!- wao [wao@meine.xn--nck9azb.jp] has joined ##openvpn
03:14 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-qnvvbztnxepqufif] has left ##openvpn []
03:14 < wao> oh hai
03:15 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
03:16 -!- svinkels_ [~svinkels@seb44-1-88-163-78-7.fbx.proxad.net] has joined ##openvpn
03:16 < svinkels_> hello
03:16 < wao> when I'm using push "route-gateway serverip" and at client I have redirect-gateway, routes simply don't add at client
03:17 < svinkels_> i use openvpn to connect my computer since work, to connect in my vpn home
03:17 < svinkels_> actually im connect 
03:17 < svinkels_> but when i go in internet, i use again the work network, and i would like use home network
03:18 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:18 < svinkels_> i have forget what ?
03:19 -!- wao [wao@meine.xn--nck9azb.jp] has left ##openvpn ["workz"]
03:23 -!- no_maam [~no_maam@gate.cdc.informatik.tu-darmstadt.de] has quit [Read error: Operation timed out]
03:25 < Bushmills> svinkels, you forgot to connect to home server
03:32 < svinkels_> my home server must become a routeur ?
03:32 < svinkels_> so my conf in my server s not good ? 
03:33 -!- no_maam [~no_maam@gate.cdc.informatik.tu-darmstadt.de] has joined ##openvpn
03:33 < svinkels_> or i can route add in my client ?
03:36 < Bushmills> !redirect
03:36 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 < General_Jung> I can still not connect to my service on the VPN machine
03:39 < General_Jung> I use the route settings, etc
03:40 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
03:40 < Bushmills> ten you must have misconfigured something
03:40 < Bushmills> then
03:41 < General_Jung> I want to use samba
03:41 < General_Jung> and use tun
03:41 < General_Jung> thats correct or
03:41 < General_Jung> because some documentations say that only works with bridges
03:41 < Bushmills> !wins
03:41 < vpnHelper> Bushmills: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
03:42 < General_Jung> is wins really needed because without Vn it works
03:42 < General_Jung> also apache is not reachable
03:42 < General_Jung> so I guess its and vpn problem
03:42 < General_Jung> ^^
03:43 < Bushmills> well, fix your configuration, and it should work
03:43 < General_Jung> how
03:44 -!- svinkels_ [~svinkels@seb44-1-88-163-78-7.fbx.proxad.net] has quit [Quit: leaving]
03:44 < Bushmills> using an interactive configuration frontend, aka editor, and massage the offending configuration files, is a good approach
03:44 < General_Jung> yea I got a shell script 
03:45 < Bushmills> those can be edited too
03:45 < General_Jung> furthermore would it be better to use tap
03:45 < General_Jung> with brdiges
03:45 < General_Jung> because maybe I also have to host games
03:46 -!- dazo_afk is now known as dazo
03:46 < Bushmills> do you know that the games which you will be hosting require to broadcast traffic? 
03:46 < General_Jung> yea I think so but I can check this
03:47 < General_Jung> if then yes or
03:47 < General_Jung> ^^
03:47 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:47 < Bushmills> !tunortap
03:47 < vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
03:47 < vpnHelper> Bushmills: against you over the vpn
03:47 < General_Jung> yes I rember sorry
03:48 < General_Jung> so bridges and tun for gams?
03:48 < Bushmills> "and" ?
03:48 -!- jmm is now known as jww
03:49 < Bushmills> and "no".  only for those games which need it
03:50 < General_Jung> so samba doesn´t net netbios broadcast?
03:51 < General_Jung> *need
03:52 < Bushmills> for samba you don't need bridging. for locating hosts, you may, unless you use wins
03:52 < General_Jung> k
03:52 < General_Jung> if the with tun ?
03:53 < General_Jung> k because as I use tap with brdiges the whole connection were destroyed
03:53 < Bushmills> xlerb?
03:53 < General_Jung> *was
03:57 < General_Jung> how can increase the rsa key size ?
03:57 < General_Jung> to 2048?
03:59 < Bushmills> by generating a new key
03:59 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Remote host closed the connection]
03:59 -!- svinkels [~svinkels@seb44-1-88-163-78-7.fbx.proxad.net] has quit [Remote host closed the connection]
04:09 < kisom> General_Jung: If your CA uses 1024 bit then you need to re-generate the entire PKI. But 1024 bit should be fine for now.
04:10 < General_Jung> I got a book from addision weley they said that 1Mbit is poor
04:10 < General_Jung> and 128 aes with 12 rounds also
04:11 < General_Jung> 768 is already compromised so they suggest using more then 1Mbit
04:11 < General_Jung> I am talking not from a private perspektive
04:12 < Bushmills> 1 Megabit??
04:12 < General_Jung> yea
04:13 < General_Jung> k
04:13 < General_Jung> sorry
04:14 < General_Jung> http://arstechnica.com/security/news/2010/01/768-bit-rsa-cracked-1024-bit-safe-for-now.ars
04:14 < vpnHelper> Title: 768-bit RSA cracked, 1024-bit safe (for now) (at arstechnica.com)
04:14 < General_Jung> yea
04:14 < General_Jung> ^^
04:14 < General_Jung> for exmaple
04:14 < Bushmills> whether key size yields a "poor" key or not depends also what you use it for
04:15 < General_Jung> I now that is a science perspektive that this should told use to double size the already cracked
04:15 < Bushmills> game servers aren't of that high confidentiality requirements that they are in need of 4096 bit keys
04:16 < General_Jung> gameservers?
04:16 < General_Jung> I am talking about generally usage
04:16 < Bushmills> as you said above, intending to run it as game server
04:17 < General_Jung> yea in addition
04:17 < General_Jung> maybe
04:17 < Bushmills> i don't know what "general use" is.  my server have usually a specific use.
04:18 < Bushmills> for passing politically sensitive documents through an encrypted line across public lines which are monitored, i'd not suggest to use 512 bit keys
04:19 < General_Jung> yea for example or two companies
04:19 < General_Jung> or scientists
04:20 < General_Jung> lets hope ECC is stable in a few years
04:20 < Bushmills> but in fact, in my mentioned case, i'd think more of steganografic means of information hiding
04:21 < General_Jung> I use also 1536 also for private
04:21 < Bushmills> ip-over-picasa, grin
04:22 < krzie> haha
04:22 < krzie> theres a transport protocol plugin for 3.0!
04:22 < krzie> shared key stego
04:23 < Bushmills> ip-over-woolen-sweater :)
04:25 < Bushmills> print bits on thread. knit. send. unravel. run through a thread scanner.
04:26 < Bushmills> short transmissions can be sent as socks
04:28 < kisom> General_Jung: Using long RSA keys in OpenVPN will not slow it down much. RSA is used only when negotiating a session key which happens once every hour by default. I use 4096 bit on all certificates and the server handles ~230 connection during peak.
04:29 < General_Jung> thats great
04:29 -!- takamichi [~pri@78.133.37.89] has quit [Ping timeout: 276 seconds]
04:29 -!- takamichi [~pri@94.75.217.251] has joined ##openvpn
04:29 < General_Jung> that was the fear I got for vpn
04:29 < General_Jung> a but
04:30 < General_Jung> and what asykey ?
04:31 < kisom> RSA.
04:31 < kisom> The symmetric cipher I use is 256 bit AES
04:31 < General_Jung> k
04:31 < kisom> If you want speed, try blowfish or RC4.
04:31 < General_Jung> is there are serpent?
04:31 < kisom> openvpn --show-ciphers
04:34 < Bushmills> blowfish is used by default
04:39 < kisom> Before we drop the subject... Does anyone know if it is possible to use multiple ciphers on one server, like SSL does? I would like to use camellia on systems that supports it and yet have AES as a fallback for older systems.
04:40 < kisom> The current solution is to have two servers running, each with a different cipher and let the clients find the right one.
04:44 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
04:48 < General_Jung> if my client is behind a linksysrouter do I have to passitthrough
04:49 < Bushmills> nope. nat is fine
04:52 < General_Jung> I really don´t understand why it won´t work I can use a 32 mask in push and route ?
04:52 < General_Jung> or only push ?
04:56 -!- mape2k [~mape2k@2001:6f8:997:1000:21f:3bff:fe27:21a9] has joined ##openvpn
04:57 < General_Jung> Thu May 27 11:56:38 2010 WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.101/255.255.255.255]
04:58 -!- disappearedng [~disappear@unaffiliated/disappearedng] has quit [Remote host closed the connection]
05:05 -!- mape2k [~mape2k@2001:6f8:997:1000:21f:3bff:fe27:21a9] has quit [Ping timeout: 272 seconds]
05:06 -!- ultramage [umage@kurobara.netvor.sk] has joined ##openvpn
05:06 < ultramage> !welcome
05:06 < vpnHelper> ultramage: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:10 < ultramage> ARGH, I made a typo in the server address, that's why it's not doing anything ><
05:11 < General_Jung> I think I have to use IpSec
05:11 < General_Jung> I configured the route and nothing works 
05:11 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:11 < General_Jung> k the ping
05:14 < ultramage> hi, I'm setting up openvpn for the first time, a windows server and a freebsd client
05:15 < General_Jung> http://beta.jungservices.net/server.conf
05:15 < ultramage> is the server side supposed to autoconfigure the tap driver network settings? because ipconfig -all says it's using autoconfiguration
05:15 < General_Jung> please take a look guys the ccd is iroute 192.168.1.101 255.255.255.255
05:18 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
05:19 < General_Jung> !route
05:19 < vpnHelper> General_Jung: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
05:21 < ultramage> related question - do I need to modify the sample config if I just want to get a test client-server connection working?
05:25 < ultramage> the vpn gui client said it assigned 10.8.0.1, but I don't have any interface with this address and cannot ping it
05:31 < ultramage> http://codepad.org/Z7nhui9I
05:31 < vpnHelper> Title: Plain Text code - 109 lines - codepad (at codepad.org)
05:48 < Bushmills> !tell ultramage [tunortap]
06:03 < kisom> Is it only me or does the OpenVPN gui really suck?
06:03 -!- svinkels [~svinkels@seb44-1-88-163-78-7.fbx.proxad.net] has joined ##openvpn
06:03 < ultramage> Bushmills: the windows side seems to only have a tap driver, so that's what I enabled on both sides
06:04 < svinkels> hello, I launched this command: openvpn --genkey --secret /etc/openvpn/svinkels.homelinux.com.key 
06:04 < svinkels> since my openvpn is broken
06:04 < svinkels> Can I go back? 
06:05 < ultramage> can the windows tap0901.sys driver do 'tun' too?
06:05 < ultramage> svinkels: what do you mean "go back"?
06:06 < svinkels> since this command
06:06 < svinkels> Thu May 27 13:10:20 2010 Cannot load private key file svinkels.homelinux.com.key: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
06:06 < svinkels> Thu May 27 13:10:20 2010 Error: private key password verification failed
06:06 < ultramage> oh, interesting, a non-tls auth metod
06:07 < ultramage> --genkey does not produce a x509-compatible key, it's something completely different it looks like
06:07 < ultramage> I guess that if you are going to be using shared keys instead of PKI, you need to flip some switch to tell the client to use that?
06:08 < ultramage> since from what you pasted it looks like it's trying to use that .key file as a x509 private key file
06:08 < ultramage> 13:06 < svinkels> Thu May 27 13:10:20 2010 Error: private key password verification failed
06:08 < ultramage> also, huh @ this
06:09 < ultramage> sorry that I can't help you... the people in here don't look very talkative, and this is my first day really messing with openvpn
06:10 < ultramage> Bushmills: "Only TAP virtual devices are supported on Windows, not TUN devices." <- that's why tap
06:12 < ultramage> "As of OpenVPN 1.5-beta8, the TAP-Win32 driver supports both "tun or "tap" style devices." oh.
06:13 < ultramage> I'll try anything to get a working setup that I can later improve -.-
06:14 < Bushmills> !confgen
06:14 < vpnHelper> Bushmills: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
06:14 < ultramage> :D
06:18 -!- takamichi [~pri@94.75.217.251] has quit [Ping timeout: 248 seconds]
06:18 -!- takamichi [~pri@78.133.37.89] has joined ##openvpn
06:19 < ultramage> I'll try that, nothing else seems to be working for me
06:27 < kisom> --genkey generates a random shared secret
06:27 < kisom> I recommend not using it, use PKI. Only use shared keys for testing.
06:28 < kisom> svinkels: I believe you just created a new random key. Simply copy the one you have on the client to the server and it should all work again.
06:28 < dazo> svinkels: --genkey does not generate SSL keys 
06:29 < dazo> svinkels: OpenVPN supports two types of keys .... static keys (which is generated via --genkey) or SSL PKI key/certs ... which you need ssl-admin, easy-rsa, tinyCA or similar tools to generate SSL keys and certificates
06:29 < dazo> error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
06:30 < dazo> ^^^ this indicates you tried to load a SSL key or certificate
06:30 < svinkels> dazo, yes i have rescue a save on my initial file
06:30 < svinkels> it's ok now
06:31 < svinkels> but i search how i can put my server vpn on router
06:31 < svinkels> for the client use vpn to go internet 
06:31 < dazo> svinkels: what kind of router?
06:32 < svinkels> actually the client use the network local to surf.  but i would like the vpn network , you know? 
06:32 < dazo> svinkels: the router will be the openvpn server?
06:32 < svinkels> yes 
06:32 < svinkels> it's possible ? 
06:32 < dazo> svinkels: yes, should be ... .what kind of router?
06:33 < svinkels> i dont understand the question
06:33 < svinkels> my english is poor
06:33 < dazo> svinkels: is it a computer?  is it a Linux based wifi router/access point?
06:33 < svinkels>  ah 
06:33 < svinkels> yes it's my computer 
06:33 < svinkels> linux base 
06:33 < svinkels> i have active ipfowrd
06:34 < kisom> IP forward does not work?
06:34 < svinkels> [root@svinkels keys]# cat /proc/sys/net/ipv4/ip_forward 
06:34 < svinkels> 1
06:34 < dazo> svinkels: good!
06:34 < kisom> Do you have another router? like a dlink, netgear?
06:34 < svinkels> no
06:35 < kisom> public IP on your router?
06:35 < svinkels> i use dyndns 
06:35 < kisom> and you cannot connect clients on the internet to openvpn?
06:36 < svinkels> but ? i must be use the connection of my linux to surf on my client 
06:36 < svinkels> the client connect ok 
06:36 < svinkels> by the 443 port
06:36 < svinkels> i can ssh my server 
06:36 < svinkels> but 
06:36 < svinkels> when i surf, i don't use the server connection 
06:37 < svinkels> i use the client connection actually
06:38 < svinkels> you understand me ? 
06:38 < kisom> no, i do not understand what you want to do
06:38 < dazo> svinkels: you need --redirect-gateway probably
06:38 < dazo> !redirect
06:38 < vpnHelper> dazo: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
06:38 < dazo> svinkels: ^^
06:38 < svinkels> ok
06:39 < svinkels> i rtfm
06:39 < kisom> svinkels: you want to send all traffic to the server and from there go to the internet?
06:39 < ultramage> on windows, should I be seeing a new interface in ipconfig -all?
06:39 < dazo> ultramage: ipconfig /all  ... I believe
06:39 < ultramage> I see it... should it have the proper ip address autoconfigured after the server is started?
06:39 < ultramage> because it doesn't!
06:40 < dazo> ultramage: openvpn server is running on Windows?
06:40 < ultramage> correct.
06:41 < ultramage> I used the confgen utility and the outcome is pretty much the same
06:41 < ultramage> the connection is established and keepalives are going back and forth, but I am unable to do any pings between the two machines
06:41 < dazo> ultramage: I've never tried that ... but I would say, it should be set .... you probably miss --ifconfig in your config .... or --server
06:42 < ultramage> yes, there is none
06:42 < ultramage> it's not in the sample script, nor does the confgen utility attempt to write any
06:43 < ultramage> I do have a server statement
06:43 < ultramage> and the docs say that it'll make the server pick an ip address.
06:44 < kisom> ultramage: Do you have windows installed in c:\windows? or some other path?
06:44 < ultramage> kisom: C:\Windows, yes
06:44 < ultramage> what are you thinking of?
06:44 < kisom> ok, in my experience openvpn does not work well if you do not use c:\windows
06:44 < ultramage> it says "initialization sequence completed"
06:45 < kisom> sorry i did not even read your problem :)
06:45 < ultramage> I so hate it when apps say everything is ok even though they break down in the background
06:45 < kisom> you dont get any IP-adress?
06:45 < kisom> am i correct?
06:45 < ultramage> the issue is - the windows server starts up, lets a freebsd client connect to it, tunnel works, server pushes ip settings to client
06:46 < ultramage> yet I can't ping the server machine, and the server machine can't even ping itself
06:46 < ultramage> as if the interface with that ip address isn't there at all
06:46 < kisom> you've verified both server and client get correct IP adresses?
06:46 < kisom> you use PKI or a static key?
06:46 < ultramage> I just said that the server does not have anything set
06:46 < ultramage> pki
06:47 < kisom> do you see any interface in the windows control panel?
06:47 < ultramage> on a running server on windows, when I do ipconfig /all, the TAP-Win32 Adapter V9 should have the vpn IP set, right?
06:47 < kisom> yes, it should
06:47 < kisom> do you use TAP or TUN?
06:47 < ultramage> yes, I do see it, it's TUN
06:48 < ultramage> and it says it has autoconfiguration enabled, giving it the ip 169.254.178.141
06:48 < ultramage> the client is already connected and I'm seeing keepalive packets being recorded on this interface
06:48 < kisom> well thats not a "real" ip adress, it's basically the windows fallback if DHCP fails
06:49 < ultramage> yes, which is why I'm asking for the Xth time - is it supposed to assume the 'server' ip address?
06:49 < kisom> try setting the IP adresses manually on both server and client.
06:49 < ultramage> sigh
06:49 < ultramage> okay, but I already did that and it didn't help one bit
06:49 < kisom> hold on, gotta check my conf
06:49 < ultramage> which is why I'm asking whether the ip address should really change
06:49 < kisom> yes it should.
06:50 < ultramage> or is it like gogo6's ipv6 tunnel adapter that does its magic inside, and not configuring the device ip at all
06:50 < kisom> openvpn changes the IP adresses at both client and server in my setup
06:50 -!- dazo [~dazo@nat/redhat/x-uiqgbngackroauig] has quit [Read error: Connection reset by peer]
06:50 < ultramage> Thu May 27 13:34:09 2010 /sbin/route add -net 10.0.0.0 10.0.0.2 255.255.255.0
06:50 < ultramage> route: writing to routing socket: File exists
06:50 < ultramage> add net 10.0.0.0: gateway 10.0.0.2: route already in table
06:51 < ultramage> hm.
06:51 < ultramage> that shouldn't affect the issue with the server not having an ip address, but still...
06:51 < ultramage> what is your config for a windows server then?
06:51 -!- dazo_ [~dazo@nat/redhat/x-ejnwkfklfiihdsqq] has joined ##openvpn
06:52 -!- dazo_ is now known as dazo
06:52 < kisom> https://ck3r.org/ov.txt
06:52 < kisom> thats my conf...
06:53 < ultramage> mine looks similar
06:53 < ultramage> of course, that's not a windows config file
06:54 < ultramage> if noone here runs windows then I should probably try pointing it out more
06:59 -!- takamichi [~pri@78.133.37.89] has quit [Ping timeout: 240 seconds]
07:02 < kisom> i use windows at the client side.
07:02 < kisom> never tried a windows openvpn server
07:11 < General_Jung> can anyone check my config
07:15 < ultramage> Thu May 27 14:15:07 2010 NETSH: C:\WINDOWS\system32\netsh.exe interface ip set address Local Area Connection dhcp
07:16 < General_Jung> http://beta.jungservices.net/server.conf
07:16 < ultramage> if I set the ip manually, I get this... implying that the server actually forces the interface into dhcp mode at startup
07:16 < ultramage> and implying that the interface itself is not supposed to have any ip address set, and that the whole thing will be managed internally by packet manipulation
07:17 < ultramage> question - when I run an openvpn server, am I supposed to be able to ping the address it's running on?
07:17 < ultramage> for example, if I set server 4.0.0.0 255.255.255.0, should I be able to do a "ping 4.0.0.1" on the server machine and get back a reply?
07:20 < ultramage> kisom: when you have a linux tunnel created, how does the tunnel interface look like in ifconfig?
07:20 < Bushmills> tun0, for example
07:20 < ultramage> no, I mean the whole section
07:21 < Bushmills> pub
07:21 < ultramage> I have an ipv6 tunnel interface and there's an obvious arrow-like symbol pointing from my ip6 to the destination ip6
07:21 < ultramage> my tun1 interface doesn't have that.
07:21 < Bushmills> http://scarydevilmonastery.net/snap/1274962882716434374d.png  like this
07:21 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
07:21 < ultramage> okay
07:23 -!- dazo [~dazo@nat/redhat/x-ejnwkfklfiihdsqq] has quit [Read error: Connection reset by peer]
07:23 < ultramage> oh, it seems the tunnel is working, sort of, as I am receiving the ping packets
07:24 -!- dazo [~dazo@nat/redhat/x-vsvsbydijdeuovmj] has joined ##openvpn
07:26 < ultramage> D:\>nc -l -p 1024 -s 4.0.0.1
07:26 < ultramage> Can't grab 4.0.0.1:1024 with bind
07:26 < ultramage> the interface just isn't there
07:26 < kisom> ultramage: stupid question... but. do you have any active firewall? windows firewall blocks ICMP by default
07:26 < ultramage> I turned everything off
07:27 < ultramage> and when I send pings from the freebsd client, they are arriving on the server side
07:27 < kisom> but the server does not respond?
07:27 < ultramage> nope, it looks like they get discarded
07:28 < ultramage> since you know, the interface they're being delivered to does not exist (maybe)
07:28 < ultramage> ok, let me try this one more time with a clean install
07:30 < kisom> well, i'm kinda lost here
07:33 < Chosi> hey again
07:33 < Chosi> Thu May 27 14:32:44 2010 Cannot load private key file chosi.key: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
07:33 < Chosi> what's wrong here? :)
07:33 < Chosi> i placed my key next to the windows client config files
07:33 < ultramage> you need a full path I guess
07:33 < Chosi> oh okay
07:33 < ultramage> if that works, try finding out what the working directory is
07:34 < Chosi> Program Files (x86)\OpenVPN\bin
07:34 < Chosi> that's the cwd
07:34 < Chosi> :)
07:35 < Chosi> seems like the crt must be elsewhere
07:40 < ultramage> nope, reinstalled, restarted, and the interface does not appear
07:43 < kisom> download virtualbox
07:43 < kisom> run linux/freebsd/solaris/whatever
07:43 < kisom> best solution so far :)
07:43 < ultramage> ...
07:45 < kisom> have you enabled debugging? verb 7?
07:45 < ultramage> going to do that.
07:45 < kisom> tried wireshark to see what's happening?
07:45 -!- Krikke [~ixevix@62.142.105.142] has left ##openvpn []
07:46 < Chosi> ultramage: doesn't work even with a full path
07:46 < Chosi> http://nopaste.narf.at/show/75/
07:46 < Chosi> still the same
07:48 < Chosi> http://nopaste.narf.at/show/76/
07:48 < Chosi> that's my client config
07:49 < ultramage> the instructions say to put the paths in "" quotes
07:50 < kisom> try \\ instead of //
07:50 < kisom> nvm.
07:50  * kisom tired
07:51 < Chosi> ca "c:\\keys\\ca.crt"
07:51 < Chosi> like this?
07:51 < Chosi> same results
07:51 < Chosi> :)
07:53 < ultramage> erm, you're silly
07:53 < ultramage> Thu May 27 14:45:37 2010 Cannot load private key file c:\keys\chosi.key: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
07:53 < ultramage> Thu May 27 14:45:37 2010 Error: private key password verification failed
07:53 < ultramage> that has nothing to do with the ca setting
07:53 < ultramage> first, it's regarding the private key
07:53 < ultramage> "pem" format it looks like
07:54 < Chosi> i didn't specify a password
07:54 < ultramage> so make sure your key file involves a "RSA PRIVATE KEY" on the first line
07:54 < ultramage> I don't have a password on the key either
07:54 < Chosi> lol nevermind
07:54 < Chosi> i just had a look at the key
07:54 < ultramage> you used a cert file and named it .key, yes?
07:54 < Chosi> nah
07:54 < Chosi> worse
07:54 < Chosi> :D
07:55 < Chosi> <title>403 - Forbidden</title>
07:55 < Chosi> 'nuff said
07:55 < Chosi> *cough*
07:55 < ultramage> :]
07:55 < ultramage> PEM_read_bio:no start line: error:140B0009:
07:55 < ultramage> whoever wrote this code should be slapped in the face
07:56 < ultramage> what's so hard having a std::map<error code, error message>, huh?
07:56 < ultramage> I wonder where to look up that error code... probably something internal to the openssl code
07:56 < ultramage> and probably saying malformed header or some such
07:57 < ultramage> a better way would be to print "The specified file is not a PEM private key file."
07:58 < ultramage> no wonder I see so many openvpn haters - it's built like a black box, by developers for themselves
07:58 < ultramage> unfortunately that's not an uncommon sight
08:01 < ultramage> http://codepad.org/Yc7OK8fG here's the log
08:01 < vpnHelper> Title: Plain Text code - 431 lines - codepad (at codepad.org)
08:01 < ultramage> I see something obvious - it sets the interface ip, and then immediately asks it to go dhcp
08:03 < Chosi> server 10.0.0.0 255.255.255.0 will make the server 10.0.0.1, right?
08:03 < Chosi> and the clients .2, .3 etc
08:03 < kisom> correct
08:03 < ultramage> it's supposed to
08:04 < Chosi> http://nopaste.narf.at/show/77/
08:04 < Chosi> anything else that should be in there?
08:07 < kisom> you look good to go
08:08 < ecrist> ultramage: there are efforts to correct the code.
08:08 < ecrist> Chosi: not necessarily
08:09 < ecrist> !tell Chosi [/30]
08:09 < Chosi> May 27 15:08:49 10487-01 ovpn-config[4980]: /sbin/ifconfig tun0 10.0.0.1 pointopoint 10.0.0.2 mtu 1500
08:09 < Chosi> i thought i just told it to be server
08:09 < Chosi> :)
08:10 < Chosi> ecrist: that explains why my client just got .5 as server
08:10 < ecrist> !topology
08:10 < vpnHelper> ecrist: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
08:12 < Chosi> i can live with the 5 anyways
08:26 -!- qm7 [debian-tor@gateway/tor-sasl/qm7] has joined ##openvpn
08:26 -!- qm7 [debian-tor@gateway/tor-sasl/qm7] has left ##openvpn []
08:28 -!- Abhishek_Singh [~Abhishek@220.225.244.114] has quit [Read error: Connection reset by peer]
08:35 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:36 < Chosi> ecrist: so where do i place certs and keys without specifying the full path?
08:36 < Chosi> /bin or config?
08:38 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Remote host closed the connection]
08:40 < Chosi> okay it's config, nevermind =)
08:48 < ecrist> local to the config
08:58 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Quit: mirco]
09:16 < ultramage> I gave up.
09:16 < ultramage> I'll try tomorrow one last time and then I'll go look for some other vpn software.
09:18 < ultramage> the support centre gave me an "access denied, log in first" prompt right after entering it, so I don't even have to go check
09:25 < ultramage> if anyone feels like actually bothering to test the server software on windows 7, let me know if it sets up the interface properly on startup
09:26 < Chosi> mhh
09:26 < Chosi> Warning: route gateway is not reachable on any active network adapters: 10.0.0.5
09:26 < Chosi> it works for the first client that connects tho
09:27 < tjz> IRON BABY - http://www.youtube.com/watch?v=SyoA4LXQco4&feature=player_embedded
09:27 < vpnHelper> Title: YouTube - IRON BABY (at www.youtube.com)
09:27 < Chosi> any subsquent clients get that error
09:27 < Chosi> :|
09:27 -!- wao [wao@meine.xn--nck9azb.jp] has joined ##openvpn
09:27 < wao> oh hai
09:28 < wao> I have push "route-gateway 10.8.0.1", but it simply doesn't works at client, I just need add to the client.conf route-gateway 10.8.0.1 :§
09:29 < wao> push "route-gateway 10.8.0.1" at server.conf
09:32 < Chosi> ecrist: any idea why client != first_connected_client don't st that gateway correctly?
09:32 < Chosi> *set
09:32 -!- ultramage [umage@kurobara.netvor.sk] has left ##openvpn []
09:35 < Chosi> http://nopaste.narf.at/show/79/
09:40 -!- xod [~onats@112.201.158.40] has joined ##openvpn
09:42 < Chosi> system routing table seems to lack a route to 10.0.0.5 for some reason
09:43 < Chosi> :S
09:51 < Chosi> http://nopaste.narf.at/show/80/ complete log
09:58 < Chosi> oh well it's propably got something to do with http://openvpn.net/index.php/open-source/faq.html#slash30
09:58 < vpnHelper> Title: FAQ (at openvpn.net)
10:28 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
11:02 < krzee> !linnat
11:02 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
11:02 < krzee> (that wasnt for anyone here)
11:06 < krzee> Chosi, when you start it, runas administrator
11:06 < krzee> !factoids search win
11:06 < vpnHelper> krzee: 'winroute', 'winpass', 'win_noadmin', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', 'win_ipfail', 'win2k8', 'sudowin', 'win_tcplimit', 'winnat', 'winscript', 'win_rollup', 'windows', and 'winpath'
11:06 < krzee> !factoids search --values administrator
11:06 < vpnHelper> krzee: 'access-server' and 'vista'
11:06 < krzee> !vista
11:06 < vpnHelper> krzee: "vista" is 13:51 < Nirkus> ecrist: i figured it out. i was able to create a link to windows explorer and activate 'run as administrator' within the 'advanced' context menu. using an windows explorer started by that link i was able to write files to c:\program files (x86)\OpenVPN\config\
11:07 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
11:13 -!- wftl [~mgagne@CPE001c1022ab3d-CM00159a417d3c.cpe.net.cable.rogers.com] has joined ##openvpn
11:14 < wftl> Quick question. Can anyone recommend a wireless router that supports OpenVPN? Does such a beast exist?
11:15 < krzee> anything openWRT can run on
11:16 < krzee> openWRT is not the only firmware you can run it on, but i know its a popular one
11:16 < Bushmills> wftl: state your requirements
11:17 < krzee> haha ya Bushmills is the right guy for that question for sure
11:17 < krzee> his router tells him things via morse code and other craziness!
11:17 < Bushmills> why crazy?
11:18 < krzee> i mean that in a good (awesome) way
11:18 < Bushmills> that's just extending the usefulness of a single LED
11:18 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:18 < krzee> i think you misunderstood my usage of 'crazy'
11:19 < krzee> i meant it more like 'badass'!
11:19 < Bushmills> well, i understood it as "differening from normality" .. but i find it rather "normal" to extend things that way
11:20 < Bushmills> therefore, it is not even "badass" :)
11:20 < Bushmills> i did *not* understand it as challenging my mental sanity :D 
11:21 < krzee> ok
11:21 -!- mirco [~mirco@p5B23E0B9.dip.t-dialin.net] has joined ##openvpn
11:21 < krzee> well i bet if you take a poll from users who enter this channel, you will find a very very small percentage who have heard of extending it in such a way, and to me that is cool
11:22 < krzee> and its quite likely that even if someone heard of it, they havnt done it ;)
11:22 < Bushmills> ok, but this is not openwrt channel, no wonder those configurations don't rank high here
11:23 < krzee> and that could be why its badass to me, ive never had a reason to enter that channel
11:23 < krzee> maybe some people there see whats done in !route as badass, whereas its normal to us
11:24 < Bushmills> getting routing right is also sometimes a topic on a channel for routers ...
11:24 < krzee> tru
11:25 < krzee> both points remain
11:25 < krzee> (yours and mine, and i think we agree)
11:25 -!- krzee [~k@unaffiliated/krzee] has left ##openvpn ["Leaving"]
11:25 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
11:25 < krzee> lol wrong click
11:50 -!- dunc_ [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
11:50 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Quit: Leaving]
11:50 -!- dunc_ [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Read error: Connection reset by peer]
11:51 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
11:59 < General_Jung> Hi krzee can you help me with my config shortly ?
11:59 < General_Jung> http://beta.jungservices.net/server.conf
12:01 < General_Jung> ccd is iroute 192.168.1.101 255.255.255.255
12:03 < krzee> and when that client connects, server log shows it reading the iroute?
12:04 < General_Jung> yea I think so
12:04 < krzee> dont think so, know so
12:04 < krzee> also, when you paste configs
12:04 < krzee> !configs
12:04 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
12:04 < krzee> filter out the comments
12:05 < krzee> i dont surf through 100 lines of comments to read 10 lines of config
12:05 < General_Jung> k sry
12:05 < krzee> np =]
12:07 < General_Jung> I refreshed the config the debian lenny
12:07 -!- dazo is now known as dazo_afk
12:12 < krzee> cool
12:12 < krzee> now a couple questions
12:12 < krzee> [10:06]  <krzee> and when that client connects, server log shows it reading the iroute?
12:12 < krzee> if unsure, paste server log at verb 5, include the client connecting
12:18 < General_Jung> http://beta.jungservices.net/server.txt
12:18 < General_Jung> http://beta.jungservices.net/client.txt
12:20 < General_Jung> Do I have to use dev tun0 if ifconfig draws tun0 instead tun standalone
12:20 < General_Jung> but both isnßt working
12:21 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Operation timed out]
12:21 < General_Jung> onyl for a general knowledge
12:21 -!- mirco [~mirco@p5B23E0B9.dip.t-dialin.net] has quit [Quit: mirco]
12:22 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
12:22 < krzee> nope, dev tun will allocate the tun device dynamicly
12:22 < General_Jung> k
12:22 < krzee> you need dev tun0 if you wanted it to be static, which doesnt matter for you
12:23 < krzee> Thu May 27 17:14:02 2010 us=109612 R._Jung/87.182.97.116:3236 MULTI: internal route 192.168.1.101 -> R._Jung/87.182.97.116:3236
12:23 < krzee> ok good, its being read
12:23 < krzee> now another question
12:23 < General_Jung> k
12:23 < krzee> is 192.168.1.101 on the client itself or behind the client?
12:24 < General_Jung> its my workstation in the 192.168.1.1 lan behind a router
12:24 < General_Jung> 87.... is my external IP adress
12:24 < krzee> is openvpn running on the router for that LAN?
12:25 < General_Jung> no its runing by STRATO
12:25 < krzee> !factoids search outside
12:25 < vpnHelper> krzee: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
12:25 < General_Jung> a server far away
12:25 < krzee> have you done that?
12:25 < krzee> i mean
12:25 < krzee> in the client lan, is openvpn on the router?
12:26 < krzee> ie, if the router for that lan is 192.168.1.1, is openvpn running on 192.168.1.1?
12:26 < General_Jung> no the vpn client runs on 192.168.1.10
12:26 < krzee> also note that any client connecting from 192.168.1.X will not be able to communicate with 192.168.1.101 on their local LAN
12:26 < General_Jung> sry 101
12:27 < krzee> dude!
12:27 < krzee> [10:26]  <krzee> is 192.168.1.101 on the client itself or behind the client?
12:27 < krzee> [10:26]  <General_Jung> its my workstation in the 192.168.1.1 lan behind a router
12:27 < krzee> lol
12:27 < krzee> so let me ask again
12:27 < krzee> is openvpn running on 192.168.1.101?
12:27 < General_Jung> no
12:27 < General_Jung> the server runs outside the lan
12:27 < krzee> im not asking about a server
12:28 < General_Jung> 81.169.174.152
12:28 < General_Jung> yes
12:28 < General_Jung> k then yes it the right answer
12:28  * Bushmills goes washing the dishes, or something similarily inspiring
12:28 < krzee> ok, so you dont need routes added to the router
12:28 < krzee> lol Bushmills 
12:28 < krzee> does your client have IP forwarding enabled in the OS?
12:28 < krzee> !linipforward
12:28 < vpnHelper> krzee: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
12:28 < General_Jung> WinXPSP3
12:29 -!- dazo_afk is now known as dazo
12:29 < krzee> the client is winxp?
12:29 < General_Jung> yes
12:29 < krzee> !winipforward
12:29 < vpnHelper> krzee: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
12:29 < krzee> also disable the windows firewall on the TAP interface
12:29 < krzee> and any other security software you may have
12:29 < General_Jung> no I won´t do that
12:29 < General_Jung> I only accept NetBios there
12:29 < krzee> only on the TAP interface, not all together
12:30 < General_Jung> If my root is compromised then it would be easy to get inside my pc
12:30 < krzee> at least do it for testing
12:30 < General_Jung> k
12:30 < krzee> once you have it working, do anything you want
12:30 < krzee> because you wont need our help to find the problem at that point :-p
12:31 < krzee> my dishes are already washed, today is the day my maid shows up in the morning =]
12:31 < General_Jung> Yes but that security risk is too much for me then I have dropp off OPenVPN but I think I will find a solution for the fw problem
12:31 < General_Jung> So the logs seems fine ?
12:31 < krzee> well enable ip forwarding
12:31 < General_Jung> on client k
12:31 < krzee> if you still have an issue, disable windows firewall on the tap adapter to test
12:32 < krzee> if it works without disabling it, you dont need to, if disabling it fixes it, configure your firewall right
12:33 < krzee> i certainly dont argue with setting it up correctly instead of disabling, im just saying to be sure the firewall isnt your issue (it commonly is as the topic suggests)
12:33 < General_Jung> I did not knwo that I have to also enabled the forward on the workstation
12:33 < krzee> yupyup
12:33 < krzee> you want packets to forward from IP on tun to ip on ethernet adapter
12:33 < krzee> thats what ip forwarding is for =]
12:34 < krzee> (well, its part of what its for)
12:36 < General_Jung> restart needed ?
12:36 < krzee> if i remember right, 85.214.57.67 is on the VPN server, correct?
12:36 < krzee> honestly im not sure in windows
12:36 < General_Jung> 81.169.174.152
12:36 < General_Jung> yea I am also
12:36 < krzee> probably is required, that is pretty standard in windows
12:37 < General_Jung> even because its loacl machine
12:37 < krzee> i mean, the same physical machine as the VPN server has 85.214.57.67
12:37 < General_Jung> however
12:37 < krzee> as in, its not another machine in a lan
12:37 < General_Jung> yea
12:37 < krzee> cool, no routes to add to that router either then
12:37 < krzee> thats often a big 'gotchya'
12:37 < General_Jung> great
12:37 < General_Jung> really no ones ?
12:38 < krzee> do you want OTHER clients to have access to 192.168.1.101?
12:38 < General_Jung> yea maybe
12:38 < krzee> ok, then the push route is good
12:38 < krzee> does the vpn server have IP forwarding enabled in its OS?
12:38 < General_Jung> yes
12:38 < General_Jung> on linux I know how
12:38 < General_Jung> ^^
12:38 < krzee> ok, sounds like you're ready to reboot windows and give her a test
12:38 < krzee> (after enabling ip forwarding of course)
12:39 < General_Jung> k I will wait with restart I restarts
12:39 < General_Jung> but I will report also if it works
12:39 < General_Jung> I alway waits till my windows collaps after a few days
12:39 < krzee> !windows
12:39 < vpnHelper> krzee: "windows" is pcs are like air conditioners, they work fine unless you open windows
12:39 < krzee> ;]
12:40 < General_Jung> yes
12:40 < General_Jung> yes is pretty cool on linux where only have to reboot when for a new kernel
12:40 < krzee> thats just me being a smartass ;]
12:41 < Bushmills> i thought the linux kernel had provisions to allow loading a new kernel over the old kernel, without reboot :P
12:42 < krzee> Bushmills, really? never heard of that
12:42 < Bushmills> for several years already
12:42 < Bushmills> but i forgot its name
12:42 < Bushmills> in the kernel config, you can find options for that
12:42 < krzee> heh cool
12:42 < krzee> you havnt heard of fbsd doing that have you?
12:43 < krzee> (if it does, ill be enabling it!)
12:43 < Bushmills> i never use that - in case of kernel upgrade, i prefer to see that system can actually still boot
12:43 < krzee> good point actually
12:43 < Bushmills> let me check the name of that provision
12:47 < Bushmills> krzee: kexec
12:47 < General_Jung> great
12:47 < General_Jung> and that works ?
12:48 < krzee> ahh, good stuff ill read about it
12:48 < General_Jung> I got a remote console where I can also watch the boot process on the root
12:48 < krzee> but now that you mention it booting into the new kernel, even if it did exist in fbsd ild keep doing it as i do now
12:48 < General_Jung> after the boottable
12:48 < Bushmills> http://linux.die.net/man/8/kexec
12:48 < vpnHelper> Title: kexec(8) - Linux man page (at linux.die.net)
12:48 < General_Jung> thx
12:49 < General_Jung> hey maybe if I kill explorer.exe if reload at least a part of regstry new hopefully more then whenr relogg
12:49 < krzee> General_Jung, just reboot... its windows
12:49 < krzee> and explorer wouldnt force a reload of networking registry entries
12:49 < krzee> or shouldnt
12:50 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
12:51 -!- General_Jung [~anon@p57B66174.dip.t-dialin.net] has quit [Quit: get satisfied! • :: www.unitedservers.de ««« (Gamers.IRC) »»» gamersirc.net ::]
12:56 < krzee> !bridge
12:56 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for anything where the protocol uses MAC addresses instead of IP addresses.
12:56 < vpnHelper> krzee: (but not samba, see !wins)
13:13 -!- General_Jung [~anon@p57B66174.dip.t-dialin.net] has joined ##openvpn
13:13 < General_Jung> Hi I am back
13:13 < General_Jung> with huge problem
13:13 < General_Jung> if openvpn runs then I connect to irc with VPN IP
13:13 < General_Jung> which won´t work
13:14 < General_Jung> quakenet works but freenode don´t accept that ip
13:14 -!- krzee [~k@unaffiliated/krzee] has quit [Quit: Leaving]
13:25 < Bushmills> General_Jung: http://scarydevilmonastery.net/myip.cgi
13:26 < General_Jung> is the right one
13:26 < General_Jung> already test on several portals
13:26 < General_Jung> but 0:17:03) Local host: JUNG-QPDXXMFDJ4 (10.8.0.6)
13:26 < Bushmills> HTTP_X_FORWARDED_FOR  and REMOTE_ADDR are those which are interesting to you
13:26 < General_Jung> Quakenet works
13:27 < General_Jung> yea I am nit forwarded
13:27 < Bushmills> not all server farms allow ports 6660...6667 for irc.  not sure whether strato does
13:27 < General_Jung> Maybe its a mirco problem
13:27 < General_Jung> they does
13:27 < General_Jung> I am currently connected via VPN
13:27 < General_Jung> but can got to vpn before connect to freenode
13:28 < General_Jung> and quakenet works
13:28 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
13:28 < General_Jung> But is it possbielt hat Mirc desn´t find the correct IP that is the reason ?
13:29 < General_Jung> because it don´t seems that my general traffic is tunnel
13:29 < Bushmills> xlerb
13:29 < krzee> you repaste your configs
13:29 < krzee> please
13:29 < krzee> can you*
13:29 < General_Jung> http://beta.jungservices.net/server.conf
13:29 < Bushmills> http://forthfreak.net/snap/xlerb.png
13:31 < krzee> General_Jung, i dont see anything in your config suggesting you were trying to tunnel ALL traffic over the vpn
13:32 < krzee> just that you want to tunnel traffic to 192.168.1.101 and 85.214.57.67 (and vpn subnet) over the VPN
13:32 < General_Jung> yea I don´t think it is 
13:32 < General_Jung> maybe its a IRC Lient problem
13:32 < krzee> !redirect
13:32 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:32 < krzee> is that your goal?
13:32 < General_Jung>  Local host: JUNG-QPDXXMFDJ4 (10.8.0.6)
13:32 < General_Jung> no
13:32 < General_Jung> only to reach samba
13:32 < General_Jung> and to comunicate which the other clients
13:32 < krzee> ok
13:32 < General_Jung> and to communicate which the other clients
13:33 < krzee> your mirc looks like its grabbing who it is the wrong way, should be a setting for that
13:33 < General_Jung> yea
13:33 < General_Jung> sry for my kernel panic
13:33 < General_Jung> ^^
13:33 < General_Jung> but that still a prob
13:33 -!- opticy [alska@that.violates.us] has joined ##openvpn
13:33 < General_Jung> I don´t know why quakenet eat that
13:33 < General_Jung> and freenode not
13:34 < opticy> is it possible to have the client route packets for a particular destination for the server
13:34 < opticy> ?
13:34 < krzee> absolutely
13:34 < krzee> use a push route from server, or just route command on client
13:34 < krzee> !push
13:34 < vpnHelper> krzee: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
13:34 < opticy> whoops, i mean the other way around
13:35 < opticy> there's a particular destination that i'd like the server to route through the client
13:39 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Ping timeout: 276 seconds]
13:43 < krzee> you mean you want to share a lan behind the client with the server>?
13:44 < krzee> or an internet routable ip which is not on the client LAN
13:44 < Chosi> mh how can i debug client disconnects? all i can see is "Connection reset, restarting [-1]"
13:45 < Chosi> in the syslog
13:45 < krzee> using verb 5?
13:49 < Chosi> well, i think i need a log first
13:49 < Chosi> hehe
13:49 -!- doug_ndndn [~doug@78-86-178-196.zone2.bethere.co.uk] has joined ##openvpn
13:49 < krzee> if you wanna seperate it from your syslog you can use --log
13:49 < krzee> log /path/to/logfile in config
13:49 < Chosi> okay nice
13:49 < krzee> and use verb 5 for debugging
13:50 < krzee> verb 3 is cool for normal usage
13:50 < Chosi> so you say i need 5 for debugging disconnects?
13:50 < krzee> !log
13:50 < vpnHelper> krzee: An error has occurred and has been logged. Please contact this bot's administrator for more information.
13:50 < krzee> whoa
13:50 < Chosi> hehe
13:50 < doug_ndndn> hi all, I need to up the TLS reneg timeout - but it seems there is no option to do this - am i missing something obvious?
13:50 < krzee> you want 5 for debugging anything ;]
13:51 < Chosi> okay :)
13:51 -!- DrPepper [~DrPepper@88.207.189.81] has joined ##openvpn
13:51 < krzee> doug_ndndn, im not sure, search the manual for all instances of "reneg"
13:51 < krzee> !man
13:51 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
13:52 < krzee> !learn log as openvpn will log to syslog if started in daemon mode.  You can manually specify a logfile with: log /path/to/logfile
13:52 < vpnHelper> krzee: Joo got it.
13:52 < krzee> !learn log as verb 3 is good for everyday usage, verb 5 for debugging
13:52 < vpnHelper> krzee: Joo got it.
13:52 < Chosi> !log
13:52 < vpnHelper> Chosi: Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
13:52 < Chosi> too bad ;)
13:52 < krzee> weird
13:52 < krzee> !log
13:52 < vpnHelper> krzee: An error has occurred and has been logged. Please contact this bot's administrator for more information.
13:52 < krzee> i guess its an internal
13:52 < krzee> !help log
13:52 < vpnHelper> krzee: An error has occurred and has been logged. Please contact this bot's administrator for more information.
13:52 < Chosi> well log is for other stuff i guess
13:52 < Chosi> yeah
13:53 < krzee> !learn logfile as openvpn will log to syslog if started in daemon mode.  You can manually specify a logfile with: log /path/to/logfile
13:53 < vpnHelper> krzee: Joo got it.
13:53 < Chosi> ?log
13:53 < Chosi> maybne
13:53 < krzee> !learn logfile as verb 3 is good for everyday usage, verb 5 for debugging
13:53 < vpnHelper> krzee: Joo got it.
13:53 < Chosi> would be somewhat moar appopriate
13:53 < krzee> nope, if i change ! to ? it'll be the same issue
13:54 < Chosi> mh alright
13:54 < krzee> and he only has 1 char for the factiods
13:54 < Chosi> then just !teach
13:54 < krzee> factoids
13:54 < Chosi> :>
13:54 < krzee> !learn logfile as see --daemon --log and --verb in the manual (!man) for more info
13:54 < vpnHelper> krzee: Joo got it.
13:54 < krzee> !logfile
13:54 < vpnHelper> krzee: "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info
14:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
14:00 < Chosi> uh this RWrWrW stuff is necessary?
14:00 < Chosi> hehe
14:00 < Chosi> but well i'll see whatever happens once they get disconnected
14:01 < krzee> well if you dont want it, you can go to 4
14:01 < krzee> but i like to see it during debugging
14:01 < krzee> and if it disconnects due to a stateful firewall losing state, it will save your ass some facepalming during the debug
14:01 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
14:01 < Chosi> well it's accumulating quite a lot of logdata and well the disconnects happen after an hour or something
14:01 < krzee> when you see it go from rWrWrW to WWWWWW
14:01 < Chosi> i'll just wait
14:02 < Chosi> :)
14:02 < Chosi> pretty anxious
14:08 -!- mirco [~mirco@tmo-109-252.customers.d1-online.com] has joined ##openvpn
14:09 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
14:11 < Chosi> krzee: do you know an easy way to find open udp ports on a machine? my friends have some issues with their uni dormatories - they forbid UDP and well we are trying to find some udp open udp port to tunnel through
14:11 < krzee> so to find what is allowed outbound...?
14:12 < Chosi> yup
14:12 < Alphanaut> portscan
14:12 < Alphanaut> ?
14:13 < Chosi> well i would need something listening on all udp ports on my server
14:13 < Chosi> and he would be like - sending stuff over all ports
14:14 -!- mirco [~mirco@tmo-109-252.customers.d1-online.com] has quit [Quit: mirco]
14:14 -!- Visual` [~visualsta@unaffiliated/visualstation] has left ##openvpn []
14:14 < krzee> Chosi, you could use something which listens on all ports
14:14 < krzee> like if you have a freebsd server, mtund has a UDP catchall
14:14 < krzee> THEN portscan it ;)
14:15 < Chosi> udp catchall on the firewalled udp box
14:15 < Chosi> or on the server
14:15 < Chosi> ?
14:15 < krzee> anywhere outside the firewall
14:16 < krzee> so the machine inside the firewall can try to reach by all udp ports, and see if any work
14:16 -!- demiurgen^ [~demiurgen@nl103-154-253.student.uu.se] has joined ##openvpn
14:16 < krzee> ive never used mtund, dunno if it works, but basically you wanna do something of that nature
14:16 < Chosi> well no bsd here tho
14:16 < krzee> or you can just try udp 53, thats the most commonly allowed (DNS port)
14:16 < Chosi> nope, dns is restricted aswell
14:16 < Chosi> to local dns servers inside the uni network
14:16 < Chosi> ;)
14:17 -!- demiurgen [~demiurgen@nl103-154-253.student.uu.se] has quit [Ping timeout: 260 seconds]
14:17 < krzee> you can use nc on a machine outside the network to listen on a udp interface
14:17 < krzee> and nc from inside to try connecting
14:17 < krzee> or whatever
14:18 < krzee> or fine some other app which does UDP catchall
14:18 < krzee> you might have to go to TCP, which is a last choice, but sometimes you have no choice
14:19 < Chosi> well right now we're tunneling through tcp, yes
14:19 < Chosi> :|
14:28 < Chosi> krzee: i think i'll just log any udp stuff from one ip with iptables
14:28 < Chosi> (and then portscan)
14:28 < krzee> that works!
14:29 < krzee> (better idea even)
14:30 < krzee> !bridge
14:30 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for anything where the protocol uses MAC addresses instead of IP addresses.
14:30 < vpnHelper> krzee: (but not samba, see !wins)
14:32 < Alphanaut> is the default encryption algorithm the fastest, or can i set it lower for less overhead?
14:32 < Alphanaut> i dont care so much how "secure" it is as long as it's encrypted
14:32 < Alphanaut> i only use openvpn for public hotspot security
14:34 < krzee> BF is good
14:35 < krzee> (default)
14:36 < Bushmills> no encryption is faster
14:36 < Bushmills> correction.   "no encryption"  is faster
14:37 < Alphanaut> yes, but then it doesnt offer any security if it's completely off too eh?
14:37 < Alphanaut> i just dont want the packets to be plain text for scanning
14:38 < Bushmills> presumably, WLAN does encryption too
14:38 < Alphanaut> since when?  if someone is on the wlan with me they can see everything flowing back and forth
14:38 < Alphanaut> the whole "public hotspot" thing
14:39 < Alphanaut> thats all i use 1/2 the year
14:39 < Alphanaut> so all packets are free for everyone to see
14:39 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:39 < Alphanaut> i was just wondering if there was something faster that still offered security with openvpn aside from whatever is the default i'm using
14:39 < Alphanaut> wow, that's poor english, but you get my drift
14:40 < Bushmills> default blowfish is fairly fast
14:40 < Alphanaut> okie
14:40 < Alphanaut> yah my overhead is only 7% of my bandwidth, just wondering about it
14:40 < Alphanaut> not like 7% is all that bad
14:51 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has joined ##openvpn
14:59 < krzee> !ircstats
14:59 < vpnHelper> krzee: Error: "ircstats" is not a valid command.
15:00 < krzee> !irclogs
15:00 < vpnHelper> krzee: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days.
15:06 -!- mirco_ [~mirco@p5B23E0B9.dip.t-dialin.net] has joined ##openvpn
15:09 -!- dazo is now known as dazo_afk
15:12 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:15 < ecrist> logs our out dated.
15:17 < krzee> i was looking at stats
15:18 < krzee> dazo is up to #5 =]
15:19 -!- KaiForce [~chatzilla@adsl-70-228-114-90.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
15:19 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has quit [Ping timeout: 260 seconds]
15:21 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
15:22 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
15:24 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has joined ##openvpn
15:29 < krzee> !learn iphone as http://www.zdnet.com/blog/hardware/ubuntu-lucid-lynx-1004-can-read-your-iphones-secrets/8424  <-- be aware of that before putting your keys on an iphone
15:29 < vpnHelper> krzee: Joo got it.
15:29 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has quit []
15:36 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 248 seconds]
15:41 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
15:43 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
15:49 < jpalmer> krzee: just saw your email to the list.  I've know about that for a while now.  wonder why it's just being posted today by zdnet?
15:50 < krzee> no idea, but i didnt know about it until just now, and i see it as a big big deal to iphone vpn users
15:50 < krzee> pls see second post too
15:51 < jpalmer> I see it.    I've used openvpn on winmo.
15:52 < krzee> hrm, that could very well be my best bet
15:52 < jpalmer> I have to be honest.  even working fo a company that deals heavily in mobile devices..   I carry an iphone,  but I *much* prefer winmo.
15:53 < krzee> i used to have wm5 on an HTC wizard
15:53 < krzee> its pretty "meh" but hey it could be my solution
15:53 < jpalmer> same ;)
15:53 < jpalmer> winmo 6.5 has come a long way.
15:53 < krzee> ahh cool
15:53 < krzee> havnt seen nor played with it
15:54 < jpalmer> walk into your nearest cellphone store.  pick up an HTC touch pro, pure, evo, or whatnot.  pspend 20 minutes with it.
15:54 < krzee> from your experience with it, would it be rather easy (like 1 or 2 click) to open the vpn and view the internal page?
15:54 < jpalmer> and if you use exchange,  you can't beat winmo's exchange integration.
15:55 < Alphanaut> <-- Verizon TP2
15:55 < jpalmer> it can be fewer than 1-2 clicks.  you can set the openvpn client to load on phone boot,  and persist.
15:55 < Alphanaut> i love my TP2, but i'm an anomaly that likes windows
15:55 < krzee> no exchange for me
15:55 < Alphanaut> oh, and you can get unlimited data for 29.95 if you tell them you dont use it for work
15:55 < Alphanaut> which is hilarious
15:55 < Alphanaut> stupid verizon
15:56 < jpalmer> Alphanaut: I've had many HTC's from the wizard, through the original touch pro.  didn't get the TP2,   I started with a new company who supplied m with iphones.
15:56 < krzee> jpalmer, now we're talking! that could be the solution... do you know of any (im not asking if it exists, just if you know of any) ways to access the filesystem without the phone PW?
15:56 < Alphanaut> iphone looks sharp for sure, but i cant bring myself to switch from verizon
15:56 < Alphanaut> i've dropped probably 2 calls in 3 years with verizon, my friend with atnt drops daily
15:56 < Alphanaut> so i stick
15:57 < jpalmer> Alphanaut: thats very dependant on geography.  here, it's the opposite.
15:57 < Alphanaut> oh, i understand that
15:57 < Alphanaut> but in boston verizon is great
15:57 < jpalmer> krzee: I don't know of any personally.
15:57 < jpalmer> Alphanaut: I'll be in boston in about 2 weeks for work.
15:58 < Alphanaut> <-- loves it here
15:58 < krzee> bawston
15:58 < Alphanaut> heh
15:58 < Alphanaut> nothing uglier than a heavy boston accent
15:58 < Alphanaut> perhaps vietnamese
15:58 < jpalmer> I'll be in meetings all day at mass gen hospital
15:58 < krzee> jpalmer, iirc blackberries use windows mobile... right?
15:58 < Alphanaut> mgh is about a mile from my apt
15:58 < jpalmer> krzee: no.  hehe
15:58 < Alphanaut> Mans Greatest Hospital
15:58 < Alphanaut> thats waht they call it
15:59 < jpalmer> Alphanaut: if you see guys walking around in pink pants,  wave to us :P
15:59 < Alphanaut> waht!
15:59 < Alphanaut> pink pants?!?
15:59 < Alphanaut> waht the hell
15:59 < Alphanaut> what
15:59 < jpalmer> our company wears scrubs in the hospital.  pink pants,  black tops.
16:00 < krzee> ohhhh, it was a windows mobile THEME i saw, lol
16:00 < jpalmer> (it's a branding thing,  and it works insanely well)
16:00 < jpalmer> krzee: nah, blackberries use a proprietary OS.
16:00 < Alphanaut> i'm not waving to no dudes in pink pants :)
16:01 < jpalmer> Alphanaut: only those who are secure in their manhood can ;)  (those who are even more secure, can wear them.)
16:01 < Alphanaut> hahah
16:01 < Alphanaut> nonetheless i dont make it a habit of waving to strange men
16:02 < jpalmer> Alphanaut: any good sushi places near mgh?  thats generally what we do for lunch.
16:02 < Alphanaut> hmmm
16:02 < krzee> jpalmer, could you suggest a decent phone (not for techs necessarily, but for older, business owner, non-techs, who almost tech) that runs windows mobile?
16:02 < jpalmer> krzee: with keyboard,  or without?
16:02 < krzee> like how the iphone would be simple for them to use...
16:02 < Alphanaut> i cant think of any that stand out within walking distance but there is a whole foods about 2 minute walk away that has sushi
16:03 < Alphanaut> there are some great sushi places around boston, but none right next to mgh
16:03 < krzee> possibly without i guess, since theyd just be clicking a link
16:04 < jpalmer> krzee: the touch pro 2 has a keyboard.   it's keyboardless counterpart is nice..  I think it's like the diamond2 or something..  
16:04 < krzee> sounds like HTC
16:04 < krzee> (i love htc)
16:04 < Alphanaut> me too
16:05 < jpalmer> krzee: often,  if you walk into a cell store, and prove that you're a decision maker for a company..  they'll let you put a deposit on a "loaner" that you can use for a few days.
16:05 < krzee> oh so they dont HAVE TO run android...!
16:05 < krzee> cool
16:05 < Alphanaut> i do love my touch pro 2 but to be honest i think i'd get it without the keyboard
16:05 < jpalmer> yeah, HTC makes some nice hardware.
16:05 < krzee> jpalmer, i live in a 3rd world country
16:06 < jpalmer> krzee: nope,  HTC did primarily winmo for years.  just recently (since android has been out) got into that market.
16:06 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has joined ##openvpn
16:06 < krzee> gotchya, ive been very out of the loop
16:06 < krzee> i have a motorola that costed about $15
16:06 < krzee> ;]
16:06 < krzee> W175
16:07 < Alphanaut> wow, that's a cheap lookin phone :)
16:07 < krzee> doesnt get much cheaper ;)
16:07 < Alphanaut> i remember that same keyboard from the razer days
16:07 < Alphanaut> razor
16:08 < krzee> razr
16:08 < Alphanaut> oh
16:08 < Alphanaut> :)
16:18 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
16:20 < krzee> thanx jpalmer, the diamond2 looks pretty good
16:21 < jpalmer> sure man.
16:21 < jpalmer> ok, heading home.
16:26 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Quit: ChatZilla 0.9.86-2010031920 [Firefox 3.6.3/20100401080539]]
16:26 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
16:30 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Ping timeout: 276 seconds]
16:38 -!- amialive [~marcdebru@cc1341944-a.groni1.gr.home.nl] has joined ##openvpn
16:39 < amialive> Lo, on Linux, using tun, traffic arriving on the client from the server, destined for that client, doesn't pass the "FORWARD" chain in iptables, does it?
16:44 -!- General_Jung [~anon@p57B66174.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
16:48 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has joined ##openvpn
16:49 -!- General_Jung [~anon@p57B6712B.dip.t-dialin.net] has joined ##openvpn
17:01 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
17:08 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Ping timeout: 240 seconds]
17:14 -!- krebipeti_ [~ca9a3cc2@gateway/web/freenode/x-uqskowqoytbqecab] has joined ##openvpn
17:14 < krebipeti_> hi
17:14 < krebipeti_> help please
17:14 < krebipeti_> i just read about openvpn on server mode
17:15 < krebipeti_> but i still don't get it
17:15 < krebipeti_> then i try to install and config it
17:15 < krebipeti_> it connected
17:16 < krebipeti_> when i do ifconfig on server it has a tun address 1.1.1.1 point to point 1.1.1.2
17:17 < krebipeti_> when i do ifconfig on my client....it has tun address 1.1.1.6 point to point 1.1.1.5
17:17 < krebipeti_> from client i can ping 1.1.1.1
17:17 < krebipeti_> but why i can;t ping 1.1.1.5??
17:18 < ecrist> !howto
17:18 < ecrist> !man
17:18 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:18 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
17:18 < ecrist> krebipeti_: ^^^^
17:18 < krebipeti_> :D
17:19 < krebipeti_> i'already read it...but i can't get the brief explanation about this kond of things
17:20 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:20 -!- amialive [~marcdebru@cc1341944-a.groni1.gr.home.nl] has quit [Quit: amialive]
17:21 < krebipeti_> and where is exactly 1.1.1.5?? does this ip is the server ip ? but why that i can ping is 1.1.1.1 not 1.1.1.5
17:21 < krebipeti_> !route
17:21 < vpnHelper> krebipeti_: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:21 < ecrist> !/30
17:21 < vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
17:22 < krebipeti_> ecrist: i'll read it....thx
17:22 < ecrist> no problem
17:25 -!- General_Jung [~anon@p57B6712B.dip.t-dialin.net] has quit [Quit: get satisfied! • :: www.unitedservers.de ««« (Gamers.IRC) »»» gamersirc.net ::]
17:25 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
17:34 -!- mirco_ [~mirco@p5B23E0B9.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
17:36 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has quit [Ping timeout: 608 seconds]
17:41 -!- mirco [~mirco@p5B23BA38.dip.t-dialin.net] has joined ##openvpn
17:46 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has joined ##openvpn
17:53 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
17:58 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
18:03 < krebipeti_> !topology
18:03 < vpnHelper> krebipeti_: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
18:14 < Chosi> mew
18:14 < Chosi> what's using port 500 udp on a windows box and how do i open it for openvpn?
18:14 < Chosi> i really need it :)
18:20 -!- mirco [~mirco@p5B23BA38.dip.t-dialin.net] has quit [Quit: mirco]
18:24 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 248 seconds]
18:26 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
18:35 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
18:53 < krebipeti_> hai again
18:54 < krebipeti_> i already read the user guide about setting openvpn in server mode using tun device
18:54 < krebipeti_> i still got problem
18:54 < krebipeti_> A B C is vpn router
18:55 < krebipeti_> A is the server B & C is the client
18:55 < krebipeti_> B & C has lan behind them
18:56 < krebipeti_> A, B, C is in different place and has their own default gateway
18:56 < krebipeti_> so i assign VPN ip to A is 1.1.1.1 B 1.1.1.2 and C 1.1.1.3
18:56 < krebipeti_> it connected and can ping eachother
18:57 < krebipeti_> but when i try to ping B's lan from A...it does't work
18:57 < krebipeti_> ip_forward already enabled in all gateway...A, B, C
18:58 < krebipeti_> any solution?
18:59 < ecrist> !iproute
18:59 < vpnHelper> ecrist: Error: "iproute" is not a valid command.
18:59 < ecrist> !route
18:59 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:59 < ecrist> !tell krebipeti_ [factoids]
19:04 < krebipeti_> hmmm...thx ecrist for replying...i already read that manual too....
19:05 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
19:05 < krebipeti_> i think there is a problem if B and C don't have default gw to A
19:06 < krebipeti_> routing from A to lan behind B via gw in B already set
19:07 < krebipeti_> so that;s mean packet from A can go to lan behind B....
19:07 < krebipeti_> but when the packet going back....it routed to default gw...which is not A....am i right?
19:10 < ecrist> krebipeti_: if you read all of that, you'd have your answer.
19:11 < ecrist> you need a return path route, which is indicated on the wiki link posted above.
19:38 -!- UdontKnow is now known as e
19:53 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
20:05 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Quit: ChatZilla 0.9.86-2010031920 [Firefox 3.6.3/20100401080539]]
20:17 < krebipeti_> ecrist : thank you very much ecrist.....you save my live
20:18 < ecrist> np
20:18 < krebipeti_> echrist: my i comment for the manual.....it is a litle bit confusing....where should the ccd file be putted...
20:18 < krebipeti_> the first i think it should be putted on client....
20:19 < krebipeti_> but it dos't work....just look at the server log make me understand that ccd file must be placed on server side
20:20 < krebipeti_> hahahah,,,but it just comment from me ^^ hope everyone who has the same problem not confuse too....thank you very very much echrist
20:21 < ecrist> it's covered in the man page - put it on the server, whereever you tell openvpn it's going to be
20:21 < ecrist> ccd /path/to/ccd/directory
20:22 < krebipeti_> yeah..that;s what i mean...it is not explicitly written in manual...:D
20:23 < krebipeti_> and the picture make me think that ccd file must be put on client ^^
20:24 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
20:25 -!- e is now known as udontknow
20:37 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Quit: ChatZilla 0.9.86-2010031920 [Firefox 3.6.3/20100401080539]]
20:40 -!- krebipeti_ [~ca9a3cc2@gateway/web/freenode/x-uqskowqoytbqecab] has quit [Quit: Page closed]
20:47 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Read error: Connection reset by peer]
20:48 -!- Guest99814 [~nb@adsl-75-16-243-36.dsl.kntpin.sbcglobal.net] has joined ##openvpn
20:49 -!- wftl [~mgagne@CPE001c1022ab3d-CM00159a417d3c.cpe.net.cable.rogers.com] has quit [Remote host closed the connection]
20:50 -!- Guest99814 [~nb@adsl-75-16-243-36.dsl.kntpin.sbcglobal.net] has quit [Changing host]
20:50 -!- Guest99814 [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
20:51 -!- Guest99814 is now known as nb
20:56 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Read error: Connection reset by peer]
21:02 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
21:15 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Remote host closed the connection]
21:28 < krzie> [21:23]  <krebipeti_> and the picture make me think that ccd file must be put on client ^^
21:28 < krzie> You will need client-config-dir /path/to/ccd/ in your server config file to enable ccd entries. ccd entries are basically included into server.conf, but only for the specified client. You put commands in ccd/client-common-name, and they are only included when the client's common-name matches the name of the file in ccd/.
21:29 < krzie> thats what happens when people skim it and just look at pictures =[
21:30 < ecrist> aye
21:31 < krzie> anyone know how to make a fist come out of their monitor when they skim that doc?
21:31 < krzie> html-fu?
21:34 < opticy> is it possible to have the server route through the client?
21:35 < ecrist> yes
21:35 < ecrist> !route
21:35 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
21:36 < opticy> ecrist: iroute is not what i'm referring to
21:37 < ecrist> opticy: what are you trying to route?
21:37 < opticy> i have: client and server...client routes various destinations via server
21:38 < opticy> however, i'd like server to be able to do the same
21:38 < opticy> (route packets thru client)
21:38 < opticy> so more of a mutual'
21:38 < opticy> more of a 'mutual relationship' than a client/server relationship
21:38 < ecrist> sure, just set a route command when a specific client connects
21:38 < ecrist> it's called a client connect script
21:38 < ecrist> ;)
21:39 < opticy> perhaps my firewall on the 'client' isn't setup properly
21:39 < opticy> to forward
21:40 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
21:43 < krzie> you would use iroute
21:43 < krzie> telling openvpn process those networks are 'lans' behind the client
21:43 < krzie> client gets ip forwarding
21:44 < krzie> you give the server route commands to make those 'lans' route to openvpn in routing table
21:44 < krzie> the iroutes make openvpn's internal routing table which client to route to when kernel sends it traffic
21:44 < krzie> then the client must NAT the server ip
21:44 < krzie> client must not be using redirect-gateway
21:44 < ecrist> NAT depends on layout and other things.
21:45 < krzie> how so? server would be sending packets with vpn i
21:45 < krzie> vpn ip
21:45 < ecrist> client *can* use redirect-gateway, if it has a lower-cost route for the traffic  you're forwarding.
21:45 < krzie> true
21:46 < krzie> so youd need routes on the client to help that be the case if using redirect-gatway
21:46 < krzie> and NAT the vpn ip on the client
21:47 < krzie> !linnat
21:47 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
22:03 < killown> do i need have two internet connections to learn configure openvpn?
22:22 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Quit: ChatZilla 0.9.86-2010031920 [Firefox 3.6.3/20100401080539]]
22:36 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
22:38 -!- xod [~onats@112.201.158.40] has quit [Quit: Ex-Chat]
22:47 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
23:10 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:38 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has quit [Remote host closed the connection]
--- Day changed Fri May 28 2010
00:03 -!- opticy [alska@that.violates.us] has quit [Remote host closed the connection]
00:13 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has quit [Quit: Leaving.]
00:20 < krzie> killown, technically, you dont need any internet connections to learn it (reading the manual)
00:20 < krzie> heheh
00:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Quit: I am off]
00:32 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
00:40 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has joined ##openvpn
01:39 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
01:53 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
02:04 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
02:15 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
02:15 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
02:26 -!- dazo_afk is now known as dazo
02:29 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:50 -!- no_maam_ [~no_maam@gate.cdc.informatik.tu-darmstadt.de] has joined ##openvpn
02:50 -!- no_maam [~no_maam@gate.cdc.informatik.tu-darmstadt.de] has quit [Read error: Connection reset by peer]
02:50 -!- b0nn [b0nn@203.184.2.252] has joined ##openvpn
02:52 < b0nn> hi all, I am trying to set up openvpn (2.1) on a debian box, I am using the example server.conf, but having troubles :) WHen I run #openvpn /etc/openvpn/server.conf, I get no output, none whatsoever, and my client (which is running on Ubuntu) cannot get a handshake up and running, any ideas?
03:02 < b0nn> hmm, 	 have a feeling that I cannot see any answers, due to me having no idea how to work mirc + windows vista, brb :)
03:05 < b0nn> !welcome
03:05 < vpnHelper> b0nn: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:06 < b0nn> hmm, that's working.
03:07 < b0nn> at any rate, I am fairly confident the issue is with either my server.conf, or my openvpn install, as there is no output  to either stdout, /var/log/syslog, or /var/log/messages when I start openvpn 
03:08 < kisom> b0nn: please paste your server conf somewhere
03:08 < kisom> and link it.
03:09 < kisom> hade you created a CA, generated server + client keys?
03:14 -!- b0nn [b0nn@203.184.2.252] has quit [Ping timeout: 264 seconds]
03:15 -!- b0nn [b0nn@203.184.1.9] has joined ##openvpn
03:15 < b0nn> hmm, sorry, dial up + vista
03:16 < kisom> dial up? :) 2010?
03:16 < b0nn> lol
03:16 < b0nn> shifted home, line is being hooked up to adsl at the exchange as we speak
03:17 < kisom> fair enough
03:17 < kisom> did you see my messages?
03:17 < b0nn> um, I am just pasting the server.conf
03:18 < b0nn> and I was following the how to, which generated the files you mentioned
03:18 < b0nn> http://pastebin.com/xXKwD9yX
03:19 < b0nn> the how to I was following is at http://www.openvpn.net/index.php/open-source/documentation/howto.html
03:19 < vpnHelper> Title: HOWTO (at www.openvpn.net)
03:19 < kisom> do you get a tun0 in ifconfig?
03:19 < kisom> at the debian box
03:20 < b0nn> no
03:20 < kisom> ok
03:20 < kisom> try commenting out "log-append" and you should see the log when running openvpn
03:20 < b0nn> ah
03:21 < b0nn> awesome, an error
03:21 < b0nn> cannot find the dh.pem
03:21 < kisom> change the paths in your conf file
03:21 < kisom> use the full path to all certificates and keys
03:22 < b0nn> :D
03:23 < b0nn> hmm, TLS STate Error: No TLS state for client 192.168.1.2:1194, opcode 15
03:24 < kisom> i'm guessing thats on the server side?
03:25 < b0nn> I think it's come right
03:26 < b0nn> an artifact perhaps
03:29 < kisom> wait, what?
03:29 < kisom> an artifact?
03:32 < b0nn> lol, sorry
03:32 < b0nn> I am just rebooting the debian machine, incase the FW is intefering with the TLS exchange
03:37 < kisom> i do not think the firewall will mess around with TLS..
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 < kisom> you could always do a temprary iptables -I INPUT -j ACCEPT; iptables -I OUTPUT -j ACCEPT
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 265 seconds]
03:42 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Read error: Connection reset by peer]
03:43 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
03:47 < b0nn> hmm
03:47 < b0nn> wifi is being a bit flakey
03:48 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:53 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Read error: Connection reset by peer]
03:54 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
03:55 -!- General_Jung [~anon@p57B6712B.dip.t-dialin.net] has joined ##openvpn
03:58 < b0nn> hmm, how do I convince my wifi card to associate with a cell?
03:58 < kisom> iwconfig probably
03:59 < General_Jung> can I raelly bind services directly on the VPN IP ?
04:00 < b0nn> ah, am on the wrong channel
04:03 < General_Jung> push "dhcp options" helps forcing the client to use a specific DNS ?
04:11 < b0nn> the damn wifi card is coming up in mode managed, even though it;s configured to come up ad-hoc
04:13 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Quit: Leaving]
04:21 < kisom> my wifi cards never work with mode Master :< OT
04:22 -!- dazo is now known as dazo_afk
04:28 < b0nn> heh
04:28 < b0nn> the damn thing was working before :(
04:50 -!- dazo_afk is now known as dazo
05:08 -!- dazo [~dazo@nat/redhat/x-vsvsbydijdeuovmj] has quit [Quit: ZNC - http://znc.sourceforge.net]
05:09 -!- dazo_ [~dazo@nat/redhat/x-lavgajowzvkfzepv] has joined ##openvpn
05:09 -!- dazo_ is now known as dazo
05:16 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Ping timeout: 260 seconds]
05:19 -!- cityLights [~cityLight@di8-37059.dialin.huji.ac.il] has joined ##openvpn
05:20 < cityLights> hi all
05:20 < cityLights> does it make sense to request DHCP and disregard the default gateway?
05:21 -!- VirusTB [~VirusTB@ip-145-93-222-251.fontys.nl] has joined ##openvpn
05:21 < Bushmills> requesting dhcp after connecting to openvpn has the potential to undo part of the changes you've set up openvpn to do on clients
05:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:30 -!- b0nn [b0nn@203.184.1.9] has quit []
05:31 -!- VirusTB [~VirusTB@ip-145-93-222-251.fontys.nl] has quit [Quit: VirusTB]
05:33 -!- dazo [~dazo@nat/redhat/x-lavgajowzvkfzepv] has quit [Quit: Leaving]
05:34 -!- dazo_afk [~dazo@nat/redhat/x-niyacgpftukqnhmx] has joined ##openvpn
05:34 -!- dazo_afk is now known as dazo
05:37 -!- cityLights [~cityLight@di8-37059.dialin.huji.ac.il] has quit [Ping timeout: 240 seconds]
05:37 < dazo> krzee: have you seen this forum?  http://forums.untangle.com/openvpn/
05:50 -!- venom00 [~venom00@unaffiliated/venom00] has joined ##openvpn
05:51 < venom00> hello! I'm putting a vpn, when i try to create it from my lan everything works fine
05:51 < venom00> but if I try to make it pass through a proxy (slow) I receive the following error:
05:51 < venom00> TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
05:51 < venom00> is there a way to increase this timeout?
05:51 < General_Jung> Can push "dhcp options" helps forcing the client to use a specific DNS ?
05:52 < General_Jung> to provide information about the vpn
05:53 -!- cityLights [~cityLight@IGLD-84-228-233-60.inter.net.il] has joined ##openvpn
05:54 < kisom> venom00: Your problem is most likly not timeout, it is probably happening because the proxy is either misconfigured or does not understand how to handle the incomming connection
05:54 < kisom> Key negotiation is usually done in less than one second.
05:54 < venom00> kisom, the proxy is used by the client not the server
05:55 < venom00> the connection is established fine fow what I can see
05:55 < kisom> It is still most likly the cause of your problem
05:55 < kisom> Yes, the connection itself may be accepted by the proxy, but it does not forward it to the VPN server.
05:55 < kisom> You can connect openvpn to a HTTP server and get the same error message
05:56 < kisom> (provided that the HTTP server does not respond 400 right away)
05:56 < venom00> kisom, the VPN server reply, I've the server terminal just here, it prints out some negotiation messages, so the connection is established
05:57 < kisom> Can you upload your config files? http://livepad.eu/openvpn
05:57 < vpnHelper> Title: EtherPad: openvpn (at livepad.eu)
05:57 < venom00> server or client?
05:58 < kisom> both
06:07 -!- cityLights [~cityLight@IGLD-84-228-233-60.inter.net.il] has quit [Ping timeout: 240 seconds]
06:13 -!- venom00 [~venom00@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
06:15 < Chosi> heya
06:16 < kisom> Chosi: hello!
06:20 < Chosi> it seems like i found some open port on the restricted box (if anyone remembers my problem)
06:20 < Chosi> but the src port is 38400 and the destination port on my server is 500
06:20 < Chosi> is there a way to tunnel through these?
06:21 -!- venom00 [~venom00@unaffiliated/venom00] has joined ##openvpn
06:22 < Chosi> kernel: [16295949.586789] Shorewall:net2fw:LOG:IN=eth1 OUT= MAC=00:90:27:a8:93:c7:00:09:b6:a2:d0:0a:08:00 SRC=134.109.96.183 DST=77.244.247.106 LEN=220 TOS=0x00 PREC=0x00 TTL=38 ID=2312 PROTO=UDP SPT=38399 DPT=500 LEN=200
06:22 < Chosi> that's what the shorewall logged during the portscan
06:22 < kisom> yes well, source port is usually random.
06:23 < Chosi> i tried to use port 500 on the client but it is in use already
06:23 < Chosi> (ipsec whatever)
06:23 < kisom> if the client uses *nix then you need root access to use port 500.
06:23 < Chosi> nah in windows
06:24 < kisom> i do not even know what your problem is :)
06:24 < Chosi> i want to set up the client on port 500 udp :D
06:24 < Chosi> and it can't use 500 due to the fact that there already is something running on 500 on windows
06:27 -!- cityLights [~cityLight@di8-37059.dialin.huji.ac.il] has joined ##openvpn
06:28 < kisom> ok...
06:28 < kisom> well, then check whats using udp/500 and kill it
06:31 < Chosi> svchost.exe (netsvcs)
06:31 < Chosi> hrm
06:33 < Chosi> ok looks like i have to disable ipsec
06:41 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
06:52 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
06:52 -!- mode/##openvpn [+o mattock] by ChanServ
06:54 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
06:59 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:02 -!- mirco [~mirco@p5B23CD41.dip.t-dialin.net] has joined ##openvpn
07:03 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:18 -!- mirco [~mirco@p5B23CD41.dip.t-dialin.net] has quit [Ping timeout: 260 seconds]
07:18 -!- thunderstrike [~thunderst@60.254.57.12] has joined ##openvpn
07:19 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
07:19 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
07:24 -!- mirco [~mirco@p5B23C979.dip.t-dialin.net] has joined ##openvpn
07:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
07:29 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has left ##openvpn []
07:38 -!- mirco [~mirco@p5B23C979.dip.t-dialin.net] has quit [Ping timeout: 258 seconds]
07:45 -!- mirco [~mirco@p5B23DA15.dip.t-dialin.net] has joined ##openvpn
07:47 -!- dazo [~dazo@nat/redhat/x-niyacgpftukqnhmx] has quit [Read error: Connection reset by peer]
07:47 -!- dazo [~dazo@nat/redhat/x-ieefselzacwhedqp] has joined ##openvpn
07:49 -!- venom00 [~venom00@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
07:51 < Chosi> are there any traffic accounting options i could use to restrict clients?
07:52 < Zathraz> as in bandwidth usage?
07:53 -!- mirco [~mirco@p5B23DA15.dip.t-dialin.net] has quit [Quit: mirco]
07:53 < Bushmills> poll stub iptables rules every few minutes. kick user when consuming excessively
07:53 < Chosi> nah as in traffic limits
07:53 < Chosi> like 5gig/day
07:53 < Chosi> or something
07:53 < Zathraz> traffic shaping at kernel level?
07:54 < Zathraz> seems more like an OS thing than an openvpn thing
07:55 < Chosi> to give users the same ip again after reconnecting i gotta use: ifconfig-pool-persist /etc/openvpn/ipp.txt
07:55 < Chosi> right?
07:59 -!- venom00 [~venom00@unaffiliated/venom00] has joined ##openvpn
08:03 -!- venom00 [~venom00@unaffiliated/venom00] has quit [Ping timeout: 240 seconds]
08:04 -!- venom00 [~venom00@unaffiliated/venom00] has joined ##openvpn
08:07 -!- venom00ut [~venom00@unaffiliated/venom00] has joined ##openvpn
08:08 -!- venom00 [~venom00@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
08:12 < ecrist> Chosi: bandwidth information is kept in the log status log file
08:13 < ecrist> you'd need a script to poll that file, and stash the value somewhere.  if the user disconnects/reconnects, the value resets
08:14 < Chosi> okay thanks
08:14 < ecrist> iirc, there is some facility to allow the openvpn daemon to run a script on client disconnect, which you could use to stash the data.
08:15 -!- venom00ut [~venom00@unaffiliated/venom00] has quit [Ping timeout: 252 seconds]
08:19 -!- killown [~killown@unaffiliated/killown] has quit [Ping timeout: 265 seconds]
08:20 -!- venom00 [~venom00@net-93-70-15-178.cust.dsl.vodafone.it] has joined ##openvpn
08:20 -!- venom00 [~venom00@net-93-70-15-178.cust.dsl.vodafone.it] has quit [Changing host]
08:20 -!- venom00 [~venom00@unaffiliated/venom00] has joined ##openvpn
08:21 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
08:24 -!- venom00 [~venom00@unaffiliated/venom00] has quit [Ping timeout: 240 seconds]
08:29 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
08:37 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Read error: Connection reset by peer]
08:42 -!- sp4rc [sp4rc@194.209.17.162] has joined ##openvpn
08:48 < sp4rc> guys, can someone please have a look at my network graph http://img571.imageshack.us/i/openvpnmobileip.jpg/
08:48 < vpnHelper> Title: Imageshack - openvpnmobileip.jpg (at img571.imageshack.us)
08:48 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:49 < sp4rc> is it possible to have to tunnels open? 
08:49 < sp4rc> i am trying to emulate some sort of mobile ip (rfc3344) with openvpn 
08:50 < sp4rc> let's say while i am in 'home network' and travel to 'foreign network b' 
08:53 < sp4rc> and let's asume that 'foreign network b' is already 'connectable' 
08:53 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Read error: Connection reset by peer]
08:53 < sp4rc> i would like to perform some sort of parallel connection 
08:53 < sp4rc> are there any failover features i could use for such a scenario?
08:55 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:55 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
09:02 < sp4rc> the main goal is to come close to a seamless handoff while doing a sip/rtp voip call
09:07 < sp4rc> i am thinking of a script which could poll in a specific intervall for reachable access points
09:07 < sp4rc> and which then tries to establish a second tunnel to the home network 
09:09 < Chosi> !logging
09:09 < vpnHelper> Chosi: Error: "logging" is not a valid command.
09:09 < ecrist> sp4rc: the only thing like that I can think of is to use free/open BSD and couple to bridged VPN connections together with CARP
09:10 < dazo> !iphone
09:10 < vpnHelper> dazo: "iphone" is (#1) http://github.com/jfx2006/OpenVPN_iphone/downloads for precompiled iphone binaries, or (#2) http://modmyi.com/cydia/package.php?id=15784 for the gui portion, or (#3) http://www.zdnet.com/blog/hardware/ubuntu-lucid-lynx-1004-can-read-your-iphones-secrets/8424 <-- be aware of that before putting your keys on an iphone
09:10 < sp4rc> ecrist, okay so i would need to bring all partys together in a bridged manner and present them to the mobile node with one virtual ip address handeled by carp
09:10 < sp4rc> ecrist, right?
09:12 -!- Lenhix [~lenho@190.146.247.120] has joined ##openvpn
09:12 < ecrist> yep
09:12 < sp4rc> ecrist, i am not sure if i understood what you are conceiving
09:13 < ecrist> or, instead of carp, use link aggregation on the two tap interfaces.
09:13 < Chosi> Replay-window backtrack occurred [1]
09:13 < Chosi> is this bad?
09:13 < Chosi> :)
09:14 < sp4rc> ecrist, but to use link aggregation all partys need to be in the same lan 
09:16 < ecrist> yes, which is why you use a bridged config
09:18 < sp4rc> ecrist, so i would need to aggregate all tap devices in every network segment right?
09:18 < ecrist> umm no
09:19 < sp4rc> ecrist, this is what i was thinking of using tunnel mode http://img571.imageshack.us/f/openvpnmobileip.jpg/
09:19 < vpnHelper> Title: Imageshack - openvpnmobileip.jpg (at img571.imageshack.us)
09:21 < ecrist> I can't read that.
09:22 < Chosi> http://img571.imageshack.us/img571/9824/openvpnmobileip.jpg
09:22 < Chosi> :p
09:23 < ecrist> by, "can't read" I mean the handwriting is illegible
09:23 < Chosi> uhm
09:24 < sp4rc> ecrist, okay sorry for my miserable writing 
09:24 < Chosi> sp4rc: it's perfectly fine for me
09:24 < Chosi> :D
09:24 < sp4rc> ecrist, but i think without being able to read every label it's guessable what i am trying to achieve
09:33 -!- sp4rc [sp4rc@194.209.17.162] has quit []
09:39 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
10:02 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
10:17 < General_Jung> Can push "dhcp options" helps forcing the client to use a specific DNS ?
10:26 < ecrist> yes, it works well with windows, linux requires some scripts on the remote end.
10:31 -!- musca [musca@tyrael.eu] has joined ##openvpn
10:39 -!- musca [musca@tyrael.eu] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
10:52 -!- thunderstrike [~thunderst@60.254.57.12] has quit [Quit: Leaving]
11:01 -!- macsppadic [~sonupunno@88.211.55.77] has left ##openvpn []
11:06 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Ping timeout: 276 seconds]
11:17 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Read error: Operation timed out]
11:24 -!- Irssi: ##openvpn: Total of 94 nicks [3 ops, 0 halfops, 0 voices, 91 normal]
11:38 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
11:39 < krzie> !pushdns
11:39 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
11:44 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
11:48 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
11:55 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:10 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
12:13 -!- Otacon22 [~otacon22@93-36-92-0.ip59.fastwebnet.it] has joined ##openvpn
12:13 < Otacon22> root@server:/etc/openvpn/private# openvpn --config private.conf 
12:13 < Otacon22> root@server:/etc/openvpn/private# 
12:13 < Otacon22> what is this?
12:13 < Otacon22> why does it not says anything?
12:13 < Otacon22> i've tried also with --verb 9
12:13 -!- Lenhix [~lenho@190.146.247.120] has quit [Quit: BRB]
12:13 < ecrist> !configs
12:13 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
12:14 < Otacon22> it's just 2 line please..
12:14 < Otacon22> uff
12:15 < Otacon22> This is the server http://pastebin.com/rF635Xp6
12:18 < Otacon22> so?
12:19 -!- killown [~killown@unaffiliated/killown] has quit [Ping timeout: 265 seconds]
12:21 -!- Otacon22 [~otacon22@93-36-92-0.ip59.fastwebnet.it] has left ##openvpn ["Part"]
12:23 < krzie> wow
12:27 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
12:41 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 260 seconds]
12:50 < Chosi> is there a solution for the tls handshake failed problem occuring after ~ an hour or so?
12:50 < Chosi> http://nopaste.narf.at/show/81/
12:50 < Chosi> that's what happened
12:51 < Chosi> and he wasn't able to relogin for about an hour aswell
12:52 < Chosi> after a lot more handshake failures this is what reestablished the connection
12:52 < Chosi> http://nopaste.narf.at/show/82/
12:55 -!- dazo is now known as dazo_afk
12:59 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
13:05 < krzie> looks like maybe a stateful firewall issue or something
13:10 -!- achilles [~achilles@82.166.20.125] has joined ##openvpn
13:10 < Chosi> very propable
13:10 < achilles> Hello, is it possible to run the server on both TCP and UDP options and clients can chose ?
13:10 < Chosi> as we're "mis"using the only open udp port
13:10 < Chosi> :D
13:11 < Chosi> i better switch back to safe tcp then
13:11 < Chosi> :/
13:13 < achilles> I mean, can I set both proto udp and proto tcp on server side ?
13:15 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 264 seconds]
13:19 < Chosi> krzee: another option would be port 5060 but i would have to transform the packets to pretend they're sip ones
13:19 < Chosi> :)
13:20 < ecrist> achilles: only by running two vpn server
13:20 < achilles> ecrist, ah I see now. thank you
13:40 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
13:41 -!- qfr [~kafir@unaffiliated/yw] has joined ##openvpn
13:41 < qfr> Hmm do I need to restart the server after adding ccd entries?
13:41 < qfr> Or should it work fine at runtime? One of my clients was just given a wrong IP
13:42 < qfr> Perhaps I screwed up the crt
13:42 < krzie> runtime should be fine
13:42 < qfr> Then I must have done something else wrong, checking crt
13:42 < krzie> what ip did you try to give? are you using topology subnet?
13:42 < qfr> The CCD says 10.0.0.6
13:42 < qfr> It was given 10.0.0.3
13:43 < krzie> so thats a yes to topology subnet
13:43 < qfr> Yes
13:43 < krzie> see server log
13:43 < qfr> ccd usually it works fine for my other clients
13:43 < qfr> ccd usually works fine for my other clients*
13:43 < krzie> see if it says its reading from the ccd when client is connecting
13:43 < krzie> !certinfo
13:43 < vpnHelper> krzie: "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
13:43 < qfr> Got no logs hmm :[
13:44 < krzie> !logfile
13:44 < vpnHelper> krzie: "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info
13:44 < qfr> Does it use the CN or the N?
13:44 < qfr> For CCD?
13:45 < krzie> CN
13:45 < qfr> Ah, that's my mistake
13:45 < krzie> !ccd
13:45 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
13:48 < ecrist> qfr: ccd entries are fine to add while it's running
13:48 -!- killown [~killown@unaffiliated/killown] has quit [Ping timeout: 260 seconds]
13:48 < qfr> Yeah I just thought it used N and not CN
13:48 < qfr> I should stop using easy-rsa anyways
13:49 < qfr> I already wrote an SSL script myself
13:49 < ecrist> ssl-admin is awesome, I hear.
13:49 < qfr> But I only use it for HTTP stuff so far
13:49 < krzie> !ssl-admin
13:49 < vpnHelper> krzie: "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn, or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
14:00 -!- codyc [~bip@FCodyC-1-pt.tunnel.tserv8.dal1.ipv6.he.net] has joined ##openvpn
14:00 < codyc> Hrmm.  I seem to have found a bug with openvpn v2.1.  
14:01 < ecrist> really?
14:01 < codyc> It seems that if you have configured client/server...
14:01 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
14:01 < codyc> and the server doesn't have any "push" configurations...
14:01 < codyc> the client just sits there doing PUSH_REQUESTs forever.
14:01 < ecrist> !bugs
14:01 < vpnHelper> ecrist: Error: "bugs" is not a valid command.
14:01 < codyc> I made it push "comp-lzo yes" and that seemed to fix it. 
14:02 < ecrist> community.openvpn.net
14:02 < codyc> irc.freenode.net
14:02 < codyc> Darmok and Jalad at Tanagra
14:03 < ecrist> I would suggest reporting your bug to the mailing list, or via the bug system on sourceforge.
14:03 < ecrist> possibly in #openvpn-devel, but nobody seems to be alive, currently.
14:05 < codyc> ah, ok.  Will do.   Prob'ly later this evening, as this isn't strictly work-related. 
14:05 -!- codyc is now known as NfNitLoop
14:05 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
14:06 < NfNitLoop> Just thought I'd come mention it here in case someone might've said "THAT'S BECAUSE YOU'RE AN IDIOT" or something. ;) 
14:06 < krzie> lets see your configs first
14:07 < krzie> you said you used server/clien
14:07 < krzie> client
14:07 < krzie> but server pushes a few things
14:07 < NfNitLoop> yep.
14:07 < krzie> so lets see the configs
14:07 < krzie> !configs
14:07 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
14:08 < NfNitLoop> Oh, okay. :)
14:10 < krzie> For example, --server 10.8.0.0 255.255.255.0 expands as follows: 
14:10 < krzie>  mode server
14:10 < krzie>  tls-server
14:10 < krzie>  push "topology [topology]"
14:10 < krzie>  if dev tun AND (topology == net30 OR topology == p2p):
14:10 < krzie>    ifconfig 10.8.0.1 10.8.0.2
14:10 < krzie>    if !nopool:
14:11 < krzie>      ifconfig-pool 10.8.0.4 10.8.0.251
14:11 < krzie>    route 10.8.0.0 255.255.255.0
14:11 < krzie>    if client-to-client:
14:11 < krzie>      push "route 10.8.0.0 255.255.255.0"
14:11 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has joined ##openvpn
14:11 < krzie>    else if topology == net30:
14:11 < krzie>      push "route 10.8.0.1"
14:11 < krzie>  if dev tap OR (dev tun AND topology == subnet):
14:11 < krzie>    ifconfig 10.8.0.1 255.255.255.0
14:11 < krzie>    if !nopool:
14:11 < krzie>      ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0
14:11 < krzie>    push "route-gateway 10.8.0.1"
14:11 < hyper_ch> hi krzie
14:12 < NfNitLoop> http://pastebin.com/v01Z5bkX
14:13 < NfNitLoop> I actually don't have a "server" line, since I *don't* want to push any ipv4 routes. 
14:13 < NfNitLoop> It's an ipv6 tunnel .
14:13 -!- unknown [~unknown@105-65-ftth.onsneteindhoven.nl] has joined ##openvpn
14:13 < unknown> hi
14:13 < krzie> hey hyper_ch 
14:13 < unknown> is it possible to authenticate some users only with certs, and some users only with user/pass?
14:13 < krzie> oh
14:13 < unknown> !welcome
14:13 < vpnHelper> unknown: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:13 < hyper_ch> krzie: been quite busy lately so I couldn't work on it.... should have more time next week :)
14:13 < krzie> NfNitLoop, you seen the new ipv6 atches?
14:14 < krzie> patches
14:14 < Ricky_Rat5005> Hi, just set up OpenVPN on my ddwrt router.  I am getting http://pastebin.com/pMqVHh7D (client screenshot)
14:14 < krzie> its in the testing branch of openvpn, ecrist could give you link to that
14:14 < krzie> !ipv6
14:14 < vpnHelper> krzie: "ipv6" is (#1) http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_OpenVPN_Tunnelbroker.php?lang=en to learn how to setup openvpn to be an ipv6 tunnel broker, or (#2) Here are some scripts from the mail list: http://article.gmane.org/gmane.network.openvpn.user/27514 or from a mirror: http://www.ircpimps.org/join-0.8.tar, or (#3) http://www.greenie.net/ipv6/openvpn.html for ipv6 payload patch
14:14 < NfNitLoop> krzie: "keepalive x y" supposedly expands to have a couple "push" entries too, and I've got a keepalive.  
14:14 < vpnHelper> krzie: (adds some nice ipv6 options)
14:14 < unknown> !wiki
14:14 < vpnHelper> unknown: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
14:14 < krzie> see #3
14:14 < NfNitLoop> Hrmm, well, I've got it working with the version I have now. 
14:15 < krzie> Ricky_Rat5005, either wrong ip/port or firewall
14:15 < NfNitLoop> the v2.1 in Ubuntu 10.04
14:15 < krzie> NfNitLoop, right, but look at the options in the patch
14:15 < krzie> you might love it
14:15 < krzie> server-ipv6 2001:db8::/64
14:15 < NfNitLoop> ah, that is nice. 
14:16 < krzie> before it was only in ptp mode
14:16 < Ricky_Rat5005> ok, I'll turn machine & router f/w off and check port...stby.
14:16 < krzie> (which may have been your problem, you prolly didnt want 'client'
14:17 < krzie> but prolly wanted tls-client instead (since server has tls-server)
14:17 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has quit [Read error: Connection reset by peer]
14:17 < ecrist> weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn
14:17 < ecrist> !snapshots
14:17 < vpnHelper> ecrist: Error: "snapshots" is not a valid command.
14:17 < krzie> but ya, tun-ipv6 only supported ptp mode before the ipv6 payload patch
14:17 < ecrist> !learn snapshots as weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn
14:17 < vpnHelper> ecrist: Joo got it.
14:17 < krzie> ecrist, any factoids made during a certain period of time were lost
14:18 < krzie> the db had perms of your user :-p
14:18 < krzie> bot couldnt write to it
14:18 < ecrist> doh
14:18 < ecrist> that's because I had to restore a botched manual update
14:18  * ecrist will flog himself accordingly
14:18 < krzie> ahh
14:18 < krzie> good thing you backed it up!!!
14:18 < krzie> nah man, you thought to back it up first, thats worthy of a beer
14:19 < NfNitLoop> krzie: aah, I thought I needed client, since it implies pull and tls-client, and --pull says "This option must be used on a client which is connecting to a multi-client server."
14:19 < krzie> my point is you dont have a multi-client server
14:19 < NfNitLoop> and previously I had multiple clients set up to use the server.
14:20 < krzie> i believe you should have the ipv6 payload patch for that to work right
14:20 < krzie> tun-ipv6 	enable IPv6 routing on the tunnel. Not strictly a new option, but was only implemented in point-to-point mode so far (with manual configuration of all the IPv6 parameters and routing).
14:20 < krzie> (from the patch site)
14:20 -!- roentgen [~arthur@miranda/user/roentgen] has joined ##openvpn
14:20 < NfNitLoop> ah.  Huh. 
14:20 < krzie> !learn testing as [snapshots]
14:20 < vpnHelper> krzie: Joo got it.
14:21 < krzie> !testing
14:21 < vpnHelper> krzie: "testing" is "snapshots" is weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn
14:21 < krzie> since it would benefit you, and we need it tested more before it can possibly be in stable
14:21 -!- mintux [~mrg@91.99.238.35] has joined ##openvpn
14:21 < krzie> woud you like to use the new ipv6 features of openvpn? =]
14:21 < mintux> I want to connect from outside to a computer inside of network .there is ubuntu server in this network that it has to share connection between internal computers . I want use openvpn to does that in this picture is the things I should do . http://img6.tinypic.info/files/z9fi90u5gli63rw4lhm6.jpg  . so the question is openvpn can share my internet connection or I should use iptables and I want my ubuntu server be a dhcp server so  is it related to openvpn or not 
14:21 < krzie> features explained here, http://www.greenie.net/ipv6/openvpn.html
14:21 < vpnHelper> Title: Gert Döring - IPv6 Payload Patch for OpenVPN (at www.greenie.net)
14:22 < krzie> !route
14:22 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:22 < unknown> is it possible to authenticate some users only with certs, and some users only with user/pass?
14:22 < krzie> !authpass
14:22 < vpnHelper> krzie: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
14:22 -!- achilles [~achilles@82.166.20.125] has quit [Quit: Leaving]
14:23 < krzie> hrm
14:23 < krzie> some with only each
14:23 < krzie> if so, i think your best bet would be eurephia (coded by dazo)
14:24 < krzie> http://www.ovpnforum.com/viewtopic.php?f=16&t=4807
14:24 < vpnHelper> Title: OpenVPN Forum View topic - 1 stop plugin for authentication / managing iptables (at www.ovpnforum.com)
14:24 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has joined ##openvpn
14:25 < unknown> krzie: ok, so not possible
14:25 < krzie> if possible, best bet is the link i gave
14:25 < krzie> http://www.eurephia.net/
14:25 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
14:26 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has joined ##openvpn
14:26 < unknown> then a second question, if i *only* use user/pass (no certs) how can i setup openvpn to load per-client config?
14:26 < krzie> that answer was already given
14:26 < krzie> [15:22]  <krzie> !authpass
14:26 < krzie> [15:22]  <vpnHelper> krzie: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
14:26 < krzie> #3
14:27 < unknown> krzie: i saw it, but it does not seem to be used
14:27 < krzie> ?
14:28 < mintux> ubuntu server should share INTERNET connection between internal computers and should be dhcp server and the computers should get ip automatically from ubuntu server (in this range 192.168.1.x) so I did first problem with ipatables and forward ip and second with dnsmasq . now I need vpn for rdp from outside to inside computer  . my question is  does openvpn has conflict with dhcp and sharing Internet connections ? or I should remove first steps anc computers con
14:28 < krzie> you dont need dhcp giving the ip
14:28 < krzie> or rather, why do you think you do?
14:29 < mintux> vpn does that ? 
14:29 < roentgen> krzie: if I'm to use ipv6 on the server
14:29 < roentgen> do the clients also need the openvpn
14:29 < roentgen> snapshot or 2.1.1 is enough?
14:29 < krzie> mintux, give ips?
14:29 < roentgen> s**t
14:29 < krzie> they would need the snapshot
14:29 < Ricky_Rat5005> ok, now it's giving me this error (with all firewalls off) http://pastebin.com/eQSDAUyQ
14:30 < Saar> someone here has the idea that with openvpn you would be able to route 2 internal networks AND also route an internet subnet, say the office has access to remote subnet 250.250.1.1/24 and all others are blocked, now an openvpn connection from a worker's home should not only connect the 2 local networks but also allow it to access the 250.250.1.1/24 subnet through the VPN, is that all all feasible?
14:30 < roentgen> krzie: ouch... no can't do then
14:30 < roentgen> but I have to try it in small test net
14:30 < krzie> well theyd need it if you're using new options
14:30 < unknown> krzie: i have a client-conf file for user, simply this: ifconfig-push 192.168.4.10 255.255.255.0
14:31 < krzie> you still have a connectivity problem Ricky_Rat5005, either wrong ip/port/protocol or port forward or firewall
14:31 < krzie> !ccd
14:31 < unknown> then i start openvpn, but the ip comes from the pool (192.168.4.0/24)
14:31 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
14:31 < roentgen> krzie: I'd use server-ipv6 which is
14:31 < roentgen> new, right?
14:31 < krzie> unknown, you have that, right?
14:31 < krzie> yup
14:31 < unknown> krzie: yes, and also username-as-common-name
14:31 < Ricky_Rat5005> So that doesn't indicate anything with a certificate more of a network issue still?
14:32 < krzie> is it because you cant change client installs or because you need a precompile for an os?
14:32 < krzie> (@ roentgen )
14:32 < mintux> krzie: 3 goals we need . 1- share INTERNET connections between internal computers 2-not need define ip for each system and be dhcp 3- can rdp from outside to inside  . it doesn't matter the dhcp be separately or with vpn even INTERNET connection . as I know if two system from outside and inside wants connect together both of them should connect to vpn server and get a ip is it true ?
14:32 < krzie> unknown, and the file is named EXACTLY as the username?
14:32 < roentgen> krzie: clients are windows
14:32 < roentgen> and are ~500
14:32 < krzie> unknown, and server has read permissions to the file (and x on the dir) when running?
14:33 < krzie> whoa
14:33 < krzie> ya, thats would be a bitch to migrate
14:33 < krzie> lol
14:33 < unknown> krzie: hmm, username-as-common-name was *not* in server conf :S (then where did i put it?). it works fine now
14:33 < unknown> thanks for your effort
14:34 < krzie> hehe
14:34 < krzie> yw
14:34  * mintux thinks the problem drive him crazy 
14:34 < krzie> roentgen, at least 1 day you'll like that new style a lot =]
14:35 < krzie> oh wait roentgen maybe im wrong
14:35 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has quit [Read error: Connection reset by peer]
14:36 < roentgen> would be nice if certain clients
14:36 < roentgen> ignored server-ipv6
14:36 < krzie> Other combinations that have been (mostly successfully) tested:
14:36 < krzie> http://www.greenie.net/ipv6/openvpn.html
14:36 < vpnHelper> Title: Gert Döring - IPv6 Payload Patch for OpenVPN (at www.greenie.net)
14:36 < krzie> middle of the page
14:36 < krzie> sounds like thats actually what happens
14:36 < krzie> lol
14:36 < krzie> Client	Server	remarks
14:36 < krzie> unmodified 2.1rc15	IPv6-enabled server 	warnings about unknown config options (ifconfig-ipv6, route-ipv6), but does not fail
14:36 < krzie> unmodified, various client versions	IPv6-enabled server 	warnings about unknown config options (ifconfig-ipv6, route-ipv6), but does not fail
14:37 < mintux> krzie: so if I create a openvpn server and the  clients connect to it . they have INTERNET connections and they get ip address automatically and not need dnsmasq or iptables to share connection ?
14:37 < mintux> and also I can rdp from outside to inside system 
14:37 < krzie> roentgen, sounds like it will work if you dont push too much ipv6 stuff
14:37 < roentgen> well just the ip so far
14:38 < krzie> fails, because IPv4 ifconfig is sent in a 2nd ``push'' packet, which the older client doesn't handle (reduce number of ``push'' options)
14:38 < krzie> you would need iptables
14:38 < krzie> basically this
14:38 < krzie> !redirect
14:38 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:38 < krzie> !def1
14:38 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
14:38 < krzie> !linipforward
14:38 < vpnHelper> krzie: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
14:39 < krzie> !linnat
14:39 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
14:39 < krzie> then, because the lan is behind the client
14:39 < krzie> !ccd
14:39 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
14:39 < krzie> !iroute
14:39 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
14:39 < krzie> and add a route entry to the lan subnet
14:39 < krzie> in the server config
14:39 < mintux> the explain is for me ?
14:39 < krzie> yupyup
14:40 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has joined ##openvpn
14:40 < Ricky_Rat5005> The Tap-Win32 Adapter V9 shows cable unplugged, could that be it?
14:40 < krzie> you have a lan behind the client, right?
14:40 < mintux> yes
14:40 < Ricky_Rat5005> it's an aircard modem
14:40 < krzie> ok then you add an iroute and a route
14:40 < krzie> iroute goes in ccd entry for that client
14:41 < mintux> so there is no conflict between openvpn and iptables and lan ?
14:41 < krzie> route goes in server config
14:41 < krzie> openvpn should have its own subnet
14:41 < krzie> like this
14:41 < krzie> !sample
14:41 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
14:41 < krzie> then you do all what i said above
14:41 < mintux> ok 
14:42 < krzie> if other clients will connect to the clients lan as well, push route in server config
14:42 < krzie> all the lan stuff is shown here
14:42 < krzie> !route
14:42 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:42 < unknown> if i enable `client-cert-not-required', then how is the connection encrypted?
14:42 < krzie> all the inet sharing stuff is here
14:42 < krzie> !redirect
14:42 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:43 < krzie> certs dont do the encryption
14:43 < krzie> they are authentication
14:43 < unknown> krzie: iirc, parts of those certs are used as keys?
14:44 < krzie> authentication can be something you know (password), something you have (certificate), something you are (biometrics)
14:44 < krzie> best security uses at least 2
14:44 < Saar> so it's a stupid idea to think you could route an internet subnet over an openvpn connection?
14:44 < krzie> Saar, why do you say that?
14:44 < unknown> krzie: ok, but that does not answer my questio
14:44 < Saar> well i am wondering if it is or not
14:45 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has quit [Ping timeout: 276 seconds]
14:45 -!- plundra [404@article.se] has quit [Ping timeout: 252 seconds]
14:45 < krzie> the answer is the certs never had anything to do with the encryption, nothing changes
14:46 < krzie> the question is not a valid question because its based on a false assumption
14:46 < unknown> krzie: so this is not valid <http://www.ossg.ru/docs/OpenVPN/faq.html> section ``I edited my OpenVPN static key, changing..''
14:46 < vpnHelper> Title: OpenVPN FAQ (at www.ossg.ru)
14:46 < krzie> what im saying is changing your quth method (certs not needed) does not change anything to do with encryption
14:47 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has joined ##openvpn
14:47 < krzie> auth*
14:47 < krzie> Saar, nothing dumb bout it at all, whats your goal?
14:47 < unknown> krzie: hmm, i guess i don't understand how openvpn works then
14:48 < unknown> i'll read up
14:48 < krzie> unknown, certs are part of auth, nothing to do with ciphers
14:48 < Saar> oh, to route a certain subnet, say 250.250.1.1/24 through an openvpn connection, because the only the remote openvpn server has access to that subnet
14:48 < krzie> sure they are cryptographic, but for auth purposes, not securing the encryption
14:48 < Saar> in order to allow remote workers access to that subnet
14:49 < krzie> sure
14:49 < krzie> or like to bypass great firewall of china?
14:49 < Saar> hm no ;-)
14:49 < krzie> openvpn would be good for either
14:49 < krzie> hehe
14:50 < Saar> in fact the subnet blocks ssh for all the internet except workplace
14:50 < kisom> i just wish openvpn was more dynamic...
14:50 < krzie> Saar, you would use !redirect, excet no !def1
14:50 < Saar> so if remote worker wants to ssh they need to appear to come from workplace
14:50 < unknown> krzie: ok, thanks for your insights
14:50 < krzie> instead of !def1 you would just push a route to the subnet clients should route over vpn
14:50 < krzie> but theres a limit to show many things you can push
14:51 < Saar> krzie: yes i figured that could work
14:51 < krzie> so use bigger subnets instead of pushing tons of routes
14:51 < krzie> kisom, how so?
14:51 < Ricky_Rat5005> krzie the errors I am getting aren't related to certs at all right?
14:51 < Saar> would that work as well for a clueless windows user
14:52 < krzie> Ricky_Rat5005, they arent related to openvpn at all, you cant make a connection to what you're trying to connect to
14:52 < krzie> the clueless windows user, yes, as long as he isnt the admin
14:52 < krzie> but if hes the client, sure
14:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
14:53 < Saar> i see
14:53 < krzie> !windows
14:53 < vpnHelper> krzie: "windows" is pcs are like air conditioners, they work fine unless you open windows
14:53 < Saar> that pushed route would be gone once the vpn connection has been closed i assume?
14:53 < krzie> Saar, when the vpn is killed the tun device closes
14:53 < krzie> and any routes bound to it must disapeer
14:53 < Saar> ok thanks
14:54 < Saar> i think i know enough to give it a try :)
14:54 < krzie> what os is your server?
14:55 < Saar> debian lenny
14:55 < krzie> oh cool
14:55 < krzie> go for it
14:55 < Saar> yeah we use lenny for all our servers
14:55 < hyper_ch> debian makes the world go round and round :)
14:55 < krzie> just hoping you didnt say winxp cause i dont think it does NAT
14:56 < Saar> hah that'd be torture
14:56 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
14:56 < krzie> [15:51]  <Saar> would that work as well for a clueless windows user
14:56 < kisom> krzie: well just some of my needs that openvpn does not offer. like running VPN over an FTP stream to keep DPI firewalls from dropping it.
14:56 < Saar> actually we do have a few windows servers, mssql, proprietary phone system and such
14:56 < krzie> i didnt know who that was about ;]
14:57 < krzie> kisom, ya, it def doesnt do that
14:57 < kisom> krzie: i know, thats the great deal with open source ;) already forked it
14:57 < Saar> krzie: well, i am tryong to replace proxy access with vpn to allow remote workers to access firewalled ports on that remote subnet
14:57 < krzie> although based on the 3.0 beta roadmap it would just be a plugin
14:57 < krzie> as would ip over http/dns/icmp
14:58 < hyper_ch> Saar: not using Asterisk?
14:58 < Saar> for certain users it's almost killing their brain to configure the proxy in their browser
14:58 < krzie> hyper_ch, not using freeswitch?
14:58 < Saar> hyper_ch: well i wish, not my call
14:58 < hyper_ch> krzie: freeswitch?
14:58 -!- plundra [404@article.se] has joined ##openvpn
14:58 < krzie> Saar, ya openvpn installed a tray icon, basically click to start
14:58 < Saar> so i wouldn't want to make it even harder ideally
14:58 < Saar> ok
14:58 < krzie> hyper_ch, hah, you are about to embark upon stable telephony... asterisk was a good first start but freeswitch is the real deal
14:59 < krzie> !win_rollup
14:59 < vpnHelper> krzie: "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
14:59 < kisom> does openbts run with freeswitch?
14:59 < Ricky_Rat5005> krzie: so the LAN Tap Win32 Adapter that it installs, if it shows network cable unplugged could that be the issue?
14:59 < krzie> you can even give them installers that put their config and keys in place thanx to dazo's writeu
14:59 < krzie> writeup
14:59 < krzie> Ricky_Rat5005, its not connected is your problem
14:59 < krzie> and i told you why
15:00 < krzie> its beginner networking issue, you havnt gotten to the point where you can even have a problem in openvpn yet
15:00 < krzie> kisom, sounds like 1 for #freeswitch
15:00 < krzie> they are badass in there
15:01 < Ricky_Rat5005> ok, well my firewall is off. and I don't know why its not connected... I am sorry.
15:01 < krzie> Ricky_Rat5005, check you are using the right ip/port/protocol
15:01 < krzie> if server is behind a NAT, be sure you forwarded the right port/protocol to the right lan ip
15:02 < krzie> because its something to do with getting a connection made
15:02 < Saar> thanks for the link
15:02 < krzie> if you still cant, try a different port / protocol
15:02 < krzie> maybe your isp blocks what you are using now
15:02 < krzie> know you want udp if you can
15:02 < krzie> !tcp
15:02 < vpnHelper> krzie: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
15:02 < krzie> Saar, np
15:02 < roentgen> krzie: got ipv6 working :)
15:03 < roentgen> at least ping from server works
15:03 < krzie> using testing?
15:03 < hyper_ch> krzie: how easy is it to deploy freeswitch on debian?
15:03 < mintux> krzie: I read a lot of documents to install open vpn and I could try connect with client to server but I didn't understand anything of that . for example it has bridge (br0) and eth0 didn't has any ip . so I need a document that I understand what I am doing . I know these : openvpn create a virtual network device like tun and just this . so this problem drive me crazy . because I don't know what should I do and what config do I need and just try different confi
15:04 < krzie> hyper_ch, also sounds like one for #freeswitch, but ild say very easy
15:04 -!- plundra [404@article.se] has quit [Ping timeout: 245 seconds]
15:04 < hyper_ch> krzie: I will go bug the people there then :)
15:04 < roentgen> krzie: yes, testing and both linux,
15:04 < roentgen> server and client
15:05 < krzie> mintux,
15:05 < roentgen> stable 2.1.1 connected but complained
15:05 < roentgen> about ipv6
15:05 < Ricky_Rat5005> krzie: 1194 is port on both sides and not being blocked, but again the Tap adapter is showing disconnected which I would think would be a problem (regardless of ip or port).
15:06 < krzie> roentgen, let me make a place on the forum for this stuff
15:06 < krzie> roentgen, that cool for you?
15:06 < roentgen> I guess so :)
15:06 < krzie> thanx
15:06 < roentgen> np
15:07 < krzie> it needs to be documented, will help this stuff get to stable branch =]
15:07 < mintux> krzie: what ?  I need something that explain each line in config what does it do . or why the network config must be this .. do you know anythings ? I take  two weeks and I could not do anything ?and somebody are waiting for me to finish my job :-(
15:07 < krzie> mintux, !redirect will walk you through making clients use internet over vpn as default
15:08 < krzie> and !route will explain how routing works when lans are behind server / clients
15:08 < krzie> but basically, you need to understand networking
15:09 < Ricky_Rat5005> !redirect
15:09 < vpnHelper> Ricky_Rat5005: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
15:11 < krzie> !snapshot
15:11 < vpnHelper> krzie: Error: "snapshot" is not a valid command.
15:11 < krzie> !snapshots
15:11 < vpnHelper> krzie: "snapshots" is weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn
15:16 < krzie> roentgen, http://ovpnforum.com/viewforum.php?f=23
15:16 < vpnHelper> Title: OpenVPN Forum View forum - Testing branch (at ovpnforum.com)
15:16 < mintux> hmm yes I know redirect before and use it to share connection . but must of document are step by step for special purpose or just general information. for example I understand something in route . but I don't know how can I do that .
15:16 < hyper_ch> krzie: what gui do you use for freeswitch?
15:17 < mintux> if I want say unclear of my knowledge is : in interfaces like eth0 and eth1 and also tun. which one of them should what get ip address and what about local  in server.conf 
15:17 < mintux> for example i set 188.136.129.126 for eth0 and i share it with !redirect 
15:17 < mintux> and eth1 is 192.168.1.2 
15:17 < mintux> so what should i put ip for local in in server.conf 
15:17 < mintux> or for get ip for vpn (via dhcp ) what should i put in server.conf 
15:17 < mintux> what server 10.8.1.0 255.255.255.0 does that mean ? and when tun get a ip
15:17 < krzie> oh
15:18 < krzie> heres what you need!
15:18 < krzie> !man
15:18 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
15:18 < krzie> also, you might like my configuration generator =]
15:18 < krzie> !confgen
15:18 < vpnHelper> krzie: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
15:18 < mintux> hmm
15:18 < krzie> to know how to use local, youd read --local in the manual
15:19 < mintux> ok
15:19 < krzie> i search with my web browser, but you can do it in man too
15:19 < krzie> with /target
15:19 < mintux> this man is available in my machine ? man openvpn 
15:19 < krzie> yes
15:19 < krzie> but from web is good too
15:20 < mintux> wow
15:20 < mintux> it's that what I need
15:21 < krzie> welcome to unix =]
15:21 < mintux> :-D or linux
15:21 < krzie> the man pages will be your best friend
15:21 < mintux> I knows man 
15:21 < mintux> but here is very strong 
15:22 < krzie> dont get trapped into the gui in linux
15:22 < krzie> read man pages and learn the cli, it'll be worth it
15:25 < Ricky_Rat5005> krzie: so can you help me get the Tap-Win32 adapter working?
15:26 < krzie> no, i told you a few times what the problem is
15:26 < krzie> and it has NOTHING to do with the adapter
15:26 < roentgen> krzie: I've read that multihome was
15:26 < krzie> the adapter wont show as connected until you make a connection
15:26 < roentgen> broken
15:26 < krzie> roentgen, ive never been able to try it =/
15:27 < krzie> do you have a multihomed link?
15:27 < roentgen> ohh...
15:27 < roentgen> yes
15:27 < mintux> ok
15:27 < krzie> !
15:27 < mintux> I love cli
15:27 < roentgen> I guess 23pm is the right time to test
15:27 < roentgen> things
15:27 < hyper_ch> 23pm?
15:28 < roentgen> lol
15:28 < krzie> hehe
15:28 < roentgen> or maybe not :)
15:28 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 272 seconds]
15:28 < Ricky_Rat5005> krzie: I have changed the port and verified the port. I have done what you have asked.
15:29 < Chosi> now pay me
15:29 < krzie> if its the same error, it means you cant make a connection
15:29 < Chosi> :D
15:29 < krzie> i cant tell you why it doesnt connect
15:29 < krzie> but its not openvpn related
15:29 < General_Jung> krzie its seems working even without push route thats great I want to say thanks agan for your help for into the first steps of OpenVPN
15:30 < krzie> yw
15:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
15:30 < krzie> depending on what push route you're talking about, that could be needed for other clients
15:31 < General_Jung> yea still got some problesm with reaching the LAN and how to disabled client-to-client
15:31 < General_Jung> for only one
15:31 < krzie> !c2c
15:31 < vpnHelper> krzie: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
15:31 < vpnHelper> krzie: behind other clients
15:32 -!- SkyX [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
15:32 < Ricky_Rat5005> krzie: could anything in my openvpn client config file be the issue?  I have connection to the internet.
15:32 < General_Jung> so I have to use iptables if I want to restrict only some clients?
15:33 < krzie> sure, if you have the wrong ip/port/proto in its remote statement
15:33 < krzie> General_Jung, yes
15:33 < General_Jung> k so I can use ccd
15:33 < krzie> General_Jung, you would need to get rid of client-to-client and allow the allowed in the firewall
15:33 < Ricky_Rat5005> krzie: ok, here is what I have: http://pastebin.com/xezNa8FS
15:34 -!- plundra [404@article.se] has joined ##openvpn
15:34 < General_Jung> how can I handle lan broadcast with tun
15:34 < General_Jung> is that possibel
15:34 < krzie> Ricky_Rat5005, maybe your isp doesnt allow 9999 udp
15:35 < krzie> Ricky_Rat5005, is your server behind a NAT?
15:35 < Ricky_Rat5005> I have tried random ports... was originally using default port.
15:35 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
15:35 < krzie> Ricky_Rat5005, try tcp 443 just to test
15:36 < krzie> General_Jung, if you really need it, bcrelay should work
15:36 < krzie> !bcrelay
15:36 < vpnHelper> krzie: Error: "bcrelay" is not a valid command.
15:36 < krzie> bleh
15:37 < krzie> General_Jung, or do you want lan gaming?
15:37 < General_Jung> yea
15:38 < krzie> you want a tap bridge
15:38 < krzie> !tunortap
15:38 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
15:38 < vpnHelper> krzie: against you over the vpn
15:38 < krzie> !learn tunortap as lan gaming? use tap!
15:38 < vpnHelper> krzie: Joo got it.
15:39 -!- SkyX [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
15:39 < General_Jung> yea but that destroyed my ienet access
15:39 < General_Jung> on root
15:39 < Ricky_Rat5005> ok, now getting connection refused WSAECONNREFUSED
15:39 < krzie> Ricky_Rat5005, is your server behind a NAT?
15:40 < krzie> maybe some lil linksys router or something...?
15:40 < Ricky_Rat5005> server is on my router (using dd-wrt) http://www.dd-wrt.com/wiki/index.php/VPN_%28the_easy_way%29_v24%2B
15:40 < vpnHelper> Title: VPN (the easy way) v24+ - DD-WRT Wiki (at www.dd-wrt.com)
15:41 < krzie> problem is firewall
15:41 < krzie> something is actively REFUSING the connection
15:42 < krzie> maybe you need to get help configuring your firewall at the dd-wrt or iptables channel
15:43 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has quit [Read error: Connection reset by peer]
15:44 < krzie> roentgen, after you signup for the forum lemme know and ill take you out of moderation
15:44 < roentgen> I did sign up
15:44 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has joined ##openvpn
15:44 < roentgen> same username
15:45 < Ricky_Rat5005> right but firewall on router or client pc.
15:46 < Ricky_Rat5005> (cause it is off on both)
15:46 < General_Jung> !wins
15:46 < vpnHelper> General_Jung: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
15:48 < Ricky_Rat5005> krzie: firewall on client or router?
15:52 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has quit [Ping timeout: 260 seconds]
15:53 < General_Jung> can I use the rsa tool also for apache ?
15:53 < General_Jung> and do you guys also sugessting to use pw on the ckey
15:54 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has joined ##openvpn
15:56 < Ricky_Rat5005> krzie: is it on the client or router that it's an issue?
16:03 < Ricky_Rat5005> krzie: you still here?
16:03 -!- qfr [~kafir@unaffiliated/yw] has left ##openvpn []
16:08 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has quit []
16:08 -!- mintux [~mrg@91.99.238.35] has quit [Read error: Connection reset by peer]
16:16 -!- unknown [~unknown@105-65-ftth.onsneteindhoven.nl] has quit [Read error: Operation timed out]
16:19 -!- cityLights [~cityLight@di8-37059.dialin.huji.ac.il] has left ##openvpn ["Leaving"]
16:43 -!- General_Jung [~anon@p57B6712B.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
16:49 -!- General_Jung [~anon@p57B67D29.dip.t-dialin.net] has joined ##openvpn
17:00 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has joined ##openvpn
17:02 < Ricky_Rat5005> ok, I am connected now!!! but it puts me into a 192.168.66.6 network and I can't ping or see anything on my 192.168.1.1 network (the instructions told me to use a seperate network) so there must be an iptables entry or something right?
17:03 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Quit: Leaving.]
17:03 < Ricky_Rat5005> http://pastebin.com/eUXQmSUZ
17:12 -!- redfox [~redfox2@ns351996.ovh.net] has quit [Remote host closed the connection]
17:13 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has quit []
17:21 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has joined ##openvpn
17:21 < Ricky_Rat5005> Hi, is OpenVPN client supposed to prompt me for a password?
17:24 < krzie> only  if theres a password to prompt for
17:25 < Ricky_Rat5005> I set one up in the certificate.
17:25 < krzie> you password protected the key?
17:26 < krzie> then ya openvpn will ask for the password before trying to connect
17:27 < Ricky_Rat5005> can I do that after the fact or do I need to re-create the cert?
17:27 < krzie> after the fact if you lookup how in openssl docs
17:28 < Ricky_Rat5005> ok, btw my connection issue was not a networking issue.  I incorrectly pasted the certificates and didn't include the ----Begin Certificate---- and -----End Certificate----  apparently ddwrt needs that.
17:30 < General_Jung> is there a hufe security risk if I don´t use a passowrd for clients because or is the key easier to break also or onyl not protected if you loise it
17:34 < Ricky_Rat5005> What is the reason for having multiple certs for different machines?  If I only use one at a time can I share certs?
17:46 -!- redfox [~redfox2@ns351996.ovh.net] has joined ##openvpn
17:46 -!- redfox is now known as Guest87812
18:18 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
18:26 < Ricky_Rat5005> what is the reason to have multiple certs (one for each client)?
18:38 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 258 seconds]
18:49 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:54 -!- Ricky_Rat5005 [~acrist@c-67-166-69-68.hsd1.ut.comcast.net] has quit [Ping timeout: 260 seconds]
19:02 -!- Guest87812 is now known as redfox
19:02 -!- redfox is now known as Guest27808
19:08 -!- Guest27808 is now known as redfox
19:25 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
19:57 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
20:47 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
20:59 < krzie> General_Jung, if you dont pw protect the private key, anyone who gets ahold of the key and crt has access
20:59 < krzie> if you do, they need the pw
20:59 < krzie> theres also vpn passwords, up to you if you want them or not
21:00 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
21:00 < krzie> certs are strong, certs + l/p is stronger
21:31 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
21:55 -!- krzie [nobody@unaffiliated/krzee] has quit [Ping timeout: 248 seconds]
22:00 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
22:01 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
22:05 -!- _stev0_ [~stev0@CPE-121-210-100-176.bkcz2.ken.bigpond.net.au] has joined ##openvpn
22:07 < _stev0_> hello all. i have a question around if OpenVPN will help in my situation. our data center network is running 10.0.0.0. i have a vmware esx host and inside, i have multiple servers that are configured with different networks, such as 192.168.1.0. i have added 2nd ip addresses to these servers for the local 10.0.0.0 network, question is if i setup OpenVPN on a different box in 10.0.0.0
22:07 < _stev0_> can i forward vpn traffic to these virtual machines?
22:08 < _stev0_> or does the vpn server need to be running on the virtual machines
22:08 < krzie> i believe you have to set something about promiscuous mode in vmware
22:08 < _stev0_> currently, i can access these virtual machine and all these services that they offer, but failed with getting PPTP to work, so im looking for an alternative solution
22:08 < krzie> then you can handle it with standard routing stuffs
22:09 < krzie> !route
22:09 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
22:09 < krzie> understand that, and find some option in vmware about promiscuous network
22:10 < _stev0_> so enabling that will let me forward VPN quests from the openvpn server to the VMs?
22:10 < _stev0_> requests*.
22:11 < krzie> from what ive read
22:11 < _stev0_> i can talk to the vms anyway though through the 2nd IP address i added in the local area network settings
22:11 < _stev0_> everything works, except windows being windows, i cant configure routing and remote access to work, it gives me errors like unable to negotiate protocols
22:12 < krzie> why do you need routing and remote access?
22:12 < _stev0_> routing and remote access is already configured on these boxes, so i thought id try and get that going
22:12 < krzie> whats it do?
22:12 < _stev0_> we're basically hosting client servers here
22:12 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
22:12 < krzie> (not a big win guy)
22:12 < _stev0_> krzie exchange, iis, dns, everything works
22:13 < _stev0_> except for the routing
22:13 < krzie> what do you expect RRAS to do?
22:13 < krzie> i dont know what the real function of it is by its windows name =/
22:13 < _stev0_> allow clients access to the server which is configured with two IP address, 192.168.1.5/10.0.0.78 through the 10.0.0.1 gateway/WAN ip address
22:14 < krzie> oh ip forwarding?
22:14 < _stev0_> no routing and remote access, runs the PPTP protocol to allow clients VPN access to the server
22:15 < _stev0_> i can connect to it, but some protocols fail to negotiate, probably because of the addition of the 10.0.0.78 ip address
22:15 < _stev0_> or the fact that the NIC changed (different ESX host)
22:15 < krzie> whats the goal
22:15 < krzie> you have windows termed me away from undertsanding
22:15 < krzie> but i know people havnt needed to enable RRAS to reach lans behind openvpn
22:16 < _stev0_> client connects to our data center (gateway/router) 10.0.0.1, PPTP port gets forwarded to 10.0.0.78 (which is also 192.168.1.5 - existing settings for DNS, Exchange, RAS)
22:16 < _stev0_> then ras fails to negotiate protocols
22:17 < _stev0_> so i want to ditch it
22:17 < krzie> read this, know it works with windows stuff
22:17 < krzie> !route
22:17 < _stev0_> i want to setup a seperate box to run openvpn, and then forward requests to connect to some.host.com to for example, 10.0.0.78
22:17 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
22:17 < _stev0_> is it going to work?
22:17 < krzie> i hope it helps, im headed to drink
22:17 < krzie> routing lans with openvpn is no roblem
22:17 < krzie> problem
22:17 < _stev0_> cool
22:18 < _stev0_> ill have a shot
22:18 < _stev0_> never used this before
22:18 < _stev0_> :D
22:24 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
22:24 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
22:43 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
22:44 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
22:44 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 240 seconds]
22:46 -!- kite1 [~kite1@59.93.75.27] has joined ##openvpn
22:47 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
22:48 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
22:50 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
22:53 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has quit [Read error: Connection reset by peer]
22:56 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
22:58 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
23:07 -!- killown [~killown@unaffiliated/killown] has quit [Changing host]
23:07 -!- killown [~killown@unaffiliated/geek] has joined ##openvpn
23:15 < kite1> why openvpn doesn't start if i change in openvpn.conf, log openvpn.log to log /var/log/openvpn.log (i created file /var/log/openvpn.log with same permissions as /etc/openvpn/openvpn.log)
23:20 -!- _stev0_ [~stev0@CPE-121-210-100-176.bkcz2.ken.bigpond.net.au] has quit [Ping timeout: 276 seconds]
23:39 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
--- Day changed Sat May 29 2010
00:04 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
00:09 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 260 seconds]
00:09 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
00:27 -!- kite1 [~kite1@59.93.75.27] has quit [Read error: Connection reset by peer]
00:30 -!- krzie [nobody@unaffiliated/krzee] has quit [Ping timeout: 240 seconds]
00:48 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has joined ##openvpn
00:55 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
01:19 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
01:31 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has quit [Read error: Operation timed out]
01:45 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has joined ##openvpn
01:50 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has quit [Ping timeout: 248 seconds]
01:57 -!- zubin71 [~zubin71@117.196.132.55] has joined ##openvpn
01:57 -!- __goo__ [~darthsiti@117.254.118.80] has joined ##openvpn
01:58 < zubin71> hi, ive set up an openvpn server at my place and handed out a certificate to a client who has an openvpn client at his place. however i require that he should be able to connect to the vpn server only from one ip(his current one). how can i do this?
02:01 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
02:26 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
02:29 -!- _stev0_ [~stev0@CPE-121-210-100-176.bkcz2.ken.bigpond.net.au] has joined ##openvpn
03:08 -!- APTX_ [~APTX@phpBB/developer/APTX] has joined ##openvpn
03:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:08 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 240 seconds]
03:13 -!- zubin71 [~zubin71@117.196.132.55] has quit [Quit: Leaving]
03:36 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:41 -!- __goo__ [~darthsiti@117.254.118.80] has left ##openvpn ["To Infinity and Beyond...."]
04:10 -!- Netsplit *.net <-> *.split quits: buntfalke
04:16 -!- Netsplit over, joins: buntfalke
04:18 -!- roentgen [~arthur@miranda/user/roentgen] has joined ##openvpn
04:20 -!- unknown [~unknown@105-65-ftth.onsneteindhoven.nl] has joined ##openvpn
04:30 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
04:37 -!- roentgen [~arthur@miranda/user/roentgen] has left ##openvpn ["Leaving."]
05:05 -!- unknown [~unknown@105-65-ftth.onsneteindhoven.nl] has quit [Quit: leaving]
05:19 < General_Jung> Hi cant find more information about bcrelay and OpenVPN tun
05:20 < General_Jung> !bcrelay
05:20 < vpnHelper> General_Jung: Error: "bcrelay" is not a valid command.
05:22 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
05:47 -!- mudassar [~quassel@h85-8-0-70.static.se.alltele.net] has joined ##openvpn
05:49 -!- no_maam_ [~no_maam@gate.cdc.informatik.tu-darmstadt.de] has quit [Read error: Operation timed out]
06:11 -!- venom00 [~venom00@unaffiliated/venom00] has joined ##openvpn
06:14 -!- roentgen [~arthur@miranda/user/roentgen] has joined ##openvpn
06:17 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Client Quit]
06:29 -!- mudassar [~quassel@h85-8-0-70.static.se.alltele.net] has quit [Remote host closed the connection]
06:45 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:07 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
07:41 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Read error: Connection reset by peer]
07:43 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:45 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Ping timeout: 276 seconds]
08:03 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
08:30 -!- venom00 [~venom00@unaffiliated/venom00] has quit [Ping timeout: 248 seconds]
08:33 -!- LeRrA [~lerra@c-94-255-219-216.cust.bredband2.com] has quit [Ping timeout: 248 seconds]
08:35 -!- venom00 [~venom00@unaffiliated/venom00] has joined ##openvpn
08:35 -!- venom00 [~venom00@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
08:37 -!- roentgen [~arthur@miranda/user/roentgen] has joined ##openvpn
08:38 -!- roentgen [~arthur@miranda/user/roentgen] has left ##openvpn []
08:38 -!- roentgen [~arthur@miranda/user/roentgen] has joined ##openvpn
08:38 -!- roentgen [~arthur@miranda/user/roentgen] has left ##openvpn []
08:38  * hyper_ch grabs krzie and abducts him and forces him to do unimaginable things
08:43 -!- venom00 [~venom00@unaffiliated/venom00] has joined ##openvpn
09:41 -!- LeRrA [~lerra@c-94-255-214-117.cust.bredband2.com] has joined ##openvpn
09:53 -!- x-demon [xdemon@2001:ba8:1f1:f0b8:216:5eff:fe00:135] has joined ##openvpn
09:53 < x-demon> hi all, i get authentication loop
09:53 < x-demon> or something like that
10:07 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
10:08 < krzie> General_Jung, you dont want bcrelay, you want a bridge
10:08 < krzie> as i told you
10:09 < ecrist> krzie: fyi,  I'm updating dspam, so you may notice some oddness with email delivery for a bit.
10:09 < |Mike|> re.
10:09 < krzie> cool
10:09 < General_Jung> yes thx krzie but but did I made wrong when I activate the brdige its cuts me off internet on the root
10:10 < General_Jung> but much games runs if I bind the game on VPN Server IP
10:10 < General_Jung> and samba currently runs also fine
10:11 < General_Jung> *what
10:24 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:25 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:25 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:25 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:25 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:25 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:25 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:25 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:26 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:26 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:26 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:26 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:26 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:26 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:26 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:26 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:26 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:26 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:27 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:27 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:27 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:27 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:27 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:27 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:27 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:27 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:27 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:27 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:27 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:27 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:28 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:29 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:29 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:29 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:29 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:29 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:29 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:29 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:29 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:29 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:29 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:29 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:29 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:30 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:30 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:30 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:30 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:30 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:30 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:30 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:30 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:30 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:30 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:30 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:30 -!- s0x [~s0x@sixserv.org] has joined ##openvpn
10:30 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:31 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:31 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:31 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:31 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:31 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:31 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:31 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:31 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:31 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:31 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:31 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
10:31 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:31 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:32 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:32 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:32 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:32 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:32 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:32 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:32 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:32 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:32 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:32 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:32 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:32 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:33 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:33 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:33 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:33 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:33 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:33 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:33 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:33 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:33 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:33 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:33 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:33 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:34 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:34 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:34 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:34 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:34 < s0x> hey guys ... got a problem connecting to a vpn. i've a virtual machine where the connection with a specifict config file works without any problem. I wanna copy that to my workstation and use the same in there. Well I did copy th ovpn crt and key files .. the conenction seem to work as well. but when i connect to a webserver within the vpn i get connection refused. ping is working though. does anyone have a clue or idea where the problem might be?
10:34 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:34 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:34 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:34 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:34 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:34 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:34 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:34 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:35 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:35 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:35 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:35 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:35 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:35 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:35 < |Mike|> what the hell
10:35 < |Mike|> krzie: 
10:35 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:35 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:35 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:35 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:35 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:35 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:36 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:36 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:36 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:36 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:36 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:36 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:36 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:36 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:36 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:36 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:36 < |Mike|> krzee: 
10:36 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:36 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:36 < Bushmills> s0x: yes. webserver config
10:37 -!- smerz [~daniel@smerz.demon.nl] has quit [Remote host closed the connection]
10:37 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:37 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:37 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:37 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:37 < |Mike|> ecrist: could you help me345 a hand?
10:37 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:37 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:37 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:37 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:37 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:37 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:37 < s0x> Bushmills: which config item might causes be the problem there?
10:37 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:37 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:38 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:38 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:38 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:38 < Bushmills> s0x: any which can cause it to not respond
10:38 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:38 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:38 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:38 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:38 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:38 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:38 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:38 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:38 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:39 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:39 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:39 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:39 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:39 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:39 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:39 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:39 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:39 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:39 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:39 < s0x> i can't change the webserver config btw, it should work ! 
10:39 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:39 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:40 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:40 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:40 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:40 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:40 < s0x> its by a proffesional it company and it supossed to work ... the problem gotta be on my pc
10:40 < Bushmills> that's the problem with "should"
10:40 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:40 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:40 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:40 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:40 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:40 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:40 < s0x> acctualy it does for anyone but me ...
10:40 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:40 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:41 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:41 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:41 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:41 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:41 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:41 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:41 < s0x> well ... i get the index file but it fails to load the frames ...
10:41 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:41 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:41 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:41 < Bushmills> if your openvpn client is connected to server, and traffic can go through the tunnel, it is not an openvpn problem
10:41 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:41 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:41 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:42 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:42 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:42 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:42 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:42 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:42 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:42 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:42 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:42 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:42 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:42 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:42 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:43 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:43 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:43 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:43 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:43 < Bushmills> if the web server is not the problem, another service you use is. name server, proxy cache, you name it,.
10:43 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:43 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:43 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:43 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:43 < ahf> me345: fix your client.
10:43 < ahf> jeez.
10:43 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:43 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:43 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:43 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:44 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:44 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:44 < |Mike|> looks like a bot to me 
10:44 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:44 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:44 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:44 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:44 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:44 < ahf> it doesn't do it in some of the other channels
10:44 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:44 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:44 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:44 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:44 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:45 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:45 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:45 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:45 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:45 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:45 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:45 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:45 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:45 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:45 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:45 < hyper_ch> hmmm, I'm pondering whether to put me345 onto my ignore list
10:45 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:45 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:46 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:46 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:46 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:46 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:46 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:46 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:46 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:46 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:46 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:46 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:46 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:46 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:47 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:47 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:47 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:47 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:47 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:47 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:47 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:47 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:47 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:47 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:47 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:47 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:48 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:48 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:48 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:48 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:48 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:48 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:48 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:48 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:48 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:48 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:48 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:48 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:49 -!- mode/##openvpn [+o ecrist] by ChanServ
10:49 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:49 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:49 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:49 -!- mode/##openvpn [+b *!*@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] by ecrist
10:49 -!- me345 [~me345@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:50 <@ecrist> sorry for the delay in setting the +b
10:50 -!- mode/##openvpn [-o ecrist] by ecrist
10:50 < ecrist> krzie: you still around?
10:53 < ecrist> I think we need another op or two, most of the chan ops in here are active the same times of day
10:54 -!- x-demon [xdemon@2001:ba8:1f1:f0b8:216:5eff:fe00:135] has left ##openvpn ["Leaving"]
11:14 < ecrist> krzie: dspam is running again, web interface is borked, but it's a holdiay weekend and I don't care. ;)  will worry about it next week unless tomorrow is rainy
11:16 -!- venom00ut [~venom00@unaffiliated/venom00] has joined ##openvpn
11:19 -!- venom00 [~venom00@unaffiliated/venom00] has quit [Ping timeout: 248 seconds]
11:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:25 < Bushmills> !tell dmz_ [howto]
11:25 < vpnHelper> Bushmills: Error: I haven't seen dmz_, I'll let you do the telling.
11:25 < Bushmills> !howto
11:25 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:25 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
11:31 < Bushmills> !pptp
11:31 < vpnHelper> Bushmills: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml
11:31 < vpnHelper> Bushmills: to read about why to not use pptp
11:35 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
12:01 -!- DrPepper [~DrPepper@88.207.189.81] has quit [Quit: Leaving...]
12:16 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
12:28 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 272 seconds]
12:46 -!- venom00ut [~venom00@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
12:46 -!- venom00 [~venom00@unaffiliated/venom00] has joined ##openvpn
12:58 -!- Lenhix [LordChaman@190.156.63.4] has joined ##openvpn
13:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:06 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Ping timeout: 258 seconds]
13:14 -!- Lenhix [LordChaman@190.156.63.4] has quit [Ping timeout: 265 seconds]
13:15 -!- Lenhix [LordChaman@190.156.63.4] has joined ##openvpn
13:21 -!- APTX_ [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 260 seconds]
13:22 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
13:22 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
13:31 -!- Lenhix [LordChaman@190.156.63.4] has quit [Ping timeout: 240 seconds]
13:41 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
13:46 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
13:48 -!- NfNitLoop [~bip@FCodyC-1-pt.tunnel.tserv8.dal1.ipv6.he.net] has left ##openvpn []
14:02 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
14:13 -!- roentgen [~arthur@miranda/user/roentgen] has joined ##openvpn
14:25 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 240 seconds]
14:26 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
14:27 -!- dmc_ [~50c54215@gateway/web/freenode/x-rhaecpgclrzgncyc] has joined ##openvpn
14:27 < dmc_> hello
14:28 < dmc_> anyone up for a strange question? (where the answer most likely is a no)
14:34 < kisom> just ask the question
14:34 < dmc_> when i run vpn, is my only option that the whole desktop uses the vpn connection
14:34 < dmc_> i am using openvpn
14:35 < kisom> no, you may add routes as you wish...
14:35 < kisom> if that's what you mean
14:35 < kisom> so some ip ranges are going into the VPN and some are not.
14:35 < dmc_> so like i can start the vpn connection up and only route google chrome trugh it?
14:35 < kisom> both yes and no, google uses several IP adresses which makes it hard to keep your routing table up to date.
14:35 < dmc_> or just ipbased? (thats ok too)
14:36 < kisom> just IP based. unless you write some script that checks all the A records on www.google.com and updates your routing table accordingly
14:36 < dmc_> hehe i only use it for watching UK tv live
14:36 < dmc_> iplayer and tvcatchup
14:36 < s0x> um ... just wondering ... google chrome != google
14:37 < kisom> nvm, i read wrong :)
14:37 < kisom> (newline after "google"
14:37 < dmc_> hehe
14:37 < kisom> the anwser is no then, you cant get an application to tunnel trough openvpn
14:37 < dmc_> anyways my issue is that i dont trust all my traffic to my VPN provider hehe
14:37 < kisom> you should use SSH and configure dynamic forwarding instead
14:38 < dmc_> hehe i need it to be vpn :)
14:38 < dmc_> flash etc ;/
14:38 < kisom> flash will work just fine with SSH
14:39 < dmc_> hehe i have tried so many times, but they always seem to pick up my real ip ( i guess i need to setup squid)
14:39 < dmc_> anyways this vpn i got is unlimited, my servers are not hehe
14:40 < kisom> oh well, if you're using some sort of *nix then you should be able to tell your firewall to route packets from the chrome PID to the VPN
14:40 < kisom> i believe it is possible in iptables, never tried it tho.
14:40 < dmc_> hehe iptables
14:40 < dmc_> but only 2 sites is fine too
14:40 < dmc_> that will teach me to add more :)
14:41 < dmc_> got any url to some doc that will help me? :)
14:41 < kisom> yeah probably your best bet, just add the IP addresses to the UK tv servers
14:41 < kisom> man route
14:41 < dmc_> hehe
14:41 < kisom> the openvpn manual should be fine too
14:42 < dmc_> thats what i was aiming for hehe
14:42 < kisom> --route network/IP [netmask] [gateway] [metric]
14:43 < kisom> route 84.22.62.33 should be enough in your conf
14:43 < kisom> replace the IP address with the one you want.
14:43 < dmc_> thats nice
14:43 < kisom> anyways, i'm off for some time, good luck :)
14:44 < dmc_> i just need to tell it not to route everything trugh the vpn ( i does when i connect )
14:44 < dmc_> ty for your help
14:44 < dmc_> have a good one :)
14:45 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Quit: Leaving]
14:48 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
14:48 < Alphanaut> why do i always get this in my log on startup: Sat May 29 15:47:17 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
14:50 -!- DrPepper [~DrPepper@88.207.189.81] has joined ##openvpn
14:53 < dmc_> hehe i did setup vpn on my fonera too :D
14:53 < krzee> [08:54]  <ecrist> krzie: you still around?
14:53 < krzee> ecrist, i nominate Bushmills if he is willing
15:04 < kisom> anyone tried openvpn on maemo?
15:04 < |Mike|> I guess not, never heard of that maemo :P
15:04 < |Mike|> (woah, yeah that wasn't that relative ;) )
15:04 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Ping timeout: 240 seconds]
15:04 < kisom> its debian on nokia cellphones, basically
15:04 < |Mike|> i see
15:04 < kisom> the n900 runs it
15:05 < krzee> it runs on n900
15:05 < krzee> did you try google...?
15:05 < krzee> !google n900 openvpn
15:05 < vpnHelper> krzee: HowTo: Nokia N900 (OS Maemo) OpenVPN Setup Tutorial | HideIpVPN: <http://www.hideipvpn.com/2010/02/howto-nokia-n900-os-maemo-openvpn-setup-tutorial/>; OpenVPN routing problem on N900 - maemo.org - Talk: <http://talk.maemo.org/showthread.php?t=38008>; Maemo « abology: <http://blog.andrea.borgia.bo.it/category/maemo/>
15:05 < kisom> i asked if someone tried it, i know it works on the n900
15:05 < krzee> ahh
15:05 < |Mike|> not yet, I do get my N900 on monday tho
15:06 < krzee> i believe someone here runs it (possibly dazo iirc)
15:06 < krzee> but not me
15:11 < kisom> anyone have any changelog or upcomming features for openvpn 3?
15:11 < kisom> would be nice to know what they are planning
15:12 < krzee> ya there is a beta roadmap
15:12 < kisom> cant seem to find it on google
15:12 < krzee> but the roadmap itself is still being worked on
15:13 < kisom> any alpha roadmap then? :)
15:13 < krzee> exactly!
15:13 < krzee> 1sec ill find the link
15:13 < krzee> and ya you're right, alpha roadmap =]
15:14 < dmc_> <|Mike|> not yet, I do get my N900 on monday tho
15:14 < dmc_> it owns
15:15 < |Mike|> cool, i wonder if i like it 
15:19 < krzee> kisom, community.openvpn.net
15:19 < krzee> link to roadmap there
15:19 < kisom> found it, thanks
15:20 < krzee> np
15:21 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
15:25 < dmc_> |Mike|: you will love it
15:26 < dmc_> you just gotta get used to the keyboard 
15:27 < dmc_> anyways n900 any linux users dream
15:28 < hyper_ch> I have other dreams than a n900
15:29 < dmc_> the G1 ? :P
15:29 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
15:31 < kisom> N900 seems great...
15:31 < kisom> but i do not need linux in my phone really. i only use it to text anyways
15:31 -!- General_Jung [~anon@p57B67D29.dip.t-dialin.net] has quit [Quit: get satisfied! • :: www.unitedservers.de ««« (Gamers.IRC) »»» gamersirc.net ::]
15:33 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:35 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
15:36 < krzee> kisom, also, since you were interested in the roadmap...
15:36 < krzee> theres a lot in the works for 2.x as well
15:36 < krzee> !testing
15:36 < vpnHelper> krzee: "testing" is "snapshots" is weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn
15:36 < dmc_> kisom: hehe for me i want a handheld linux device so i can do anything
15:37 < kisom> dmc_: Yeah, i agree, its awesome with linux on a phone, but i dont need it just yet.
15:37 < kisom> Got my laptop with me everywhere.
15:37 < krzee> !learn snapshots as by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch
15:37 < vpnHelper> krzee: Joo got it.
15:38 < krzee> !testing
15:38 < vpnHelper> krzee: "testing" is "snapshots" is weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn
15:38 < krzee> heh
15:38 < krzee> !forget testing
15:38 < vpnHelper> krzee: Joo got it.
15:38 < krzee> !learn testing as [snapshots]
15:38 < vpnHelper> krzee: Joo got it.
15:38 < krzee> !testing
15:38 < vpnHelper> krzee: "testing" is "snapshots" is (#1) weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn, or (#2) by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch
15:38 < dmc_> hehe i have netbook with me mostly, but i have waited for a phone like n900 for 8 years :P
15:38 < kisom> Yeah i have an Eee 901 as well
15:39 < kisom> but just recently i bought a lenovo X100E :)
15:39 < dmc_> hp mini 1000 here as main netbook
15:39 < kisom> almost the same size, and a full-scale keyboard!
15:39 < dmc_> nice :)
15:39 < dmc_> i have a 98% full keyboard
15:39 < kisom> well i didn't buy the lenovo because of the keyboard, i needed more CPU power
15:40 < kisom> something that supports 720p playback
15:41 < dmc_> i got 720p working on my hp mini :)
15:41 < dmc_> the older one without ION
15:41 < dmc_> plays flawlessly and doesnt lag
15:42 < dmc_> anyways i gotta test my vpn so i might dc hehe
15:42 < dmc_> or i will
15:42 < kisom> oh yeah, i hate the TCP stack in windows vista/7...
15:43 < kisom> even if i add a new route, any active TCP connection will still get routed out the old interface
15:46 < kisom> https://ck3r.org/pub/20100528087.jpg
15:46 < kisom> fett ond blick på dunz0r :D
15:46 -!- dmc_ [~50c54215@gateway/web/freenode/x-rhaecpgclrzgncyc] has quit [Ping timeout: 252 seconds]
15:46 < kisom> nvm that
15:46 < kisom> wrong channel
16:06 -!- specnaz [~martin@213.231.108.123.dyn.user.ono.com] has joined ##openvpn
16:07 < krzee> kisom, which one is you
16:07 < kisom> i'm not on that image
16:07 < krzee> ahh
16:07 < kisom> http://sphotos.ak.fbcdn.net/hphotos-ak-snc3/hs612.snc3/32202_130080253676215_100000227225815_346490_1940711_n.jpg
16:07 < kisom> left one is me
16:07 < kisom> linux was free as in beer yesterday ;)
16:08 < krzee> or beer was free as in linux?
16:08 < kisom> nah
16:09 < krzee> i find the "free as in" thing funny, because i favor the bsd license where freedom is simply freedom ;)
16:10 < kisom> but does freebsd pay my beer? no
16:10 < krzee> lol
16:12 < Bushmills> are you free to place your own copyright on freebsd? 
16:13 < kisom> I like the GPL...
16:13 < kisom> that way there's no whine when microsoft steals the networking stack
16:15 < krzee> Bushmills, you are free to take any BSD licensed code, use it as your own (provided you admit to using it) sell it, use a different license, whatever
16:15 < Bushmills> and call it  krzeebsd
16:16 < krzee> with GPL code you must provide the orig source code
16:17 < krzee> there is much bsd code in linux/windows/apple for this reason
16:17 < Bushmills> not just the original source code. also your modifications, if you distribute binaries
16:18 < krzee> true
16:19 < Bushmills> microsoft or apple are not required to return anything for using that code. so bsd code doesn't really benefit from them using it
16:19 < Bushmills> if it was improved, the other users don't benefit from those improvements
16:20 < krzee> and because of that, ms and apple are willing to use it
16:20 < krzee> if they had to return their improvements, they wouldnt be willing to use the code and then implement their improvements
16:20 < Bushmills> yes "we can use this for free and don't need to return anything in turn"
16:21 < krzee> exactly, true freedom ;)
16:22 < |Mike|> krzeebee
16:23 < Bushmills> could it be that there are more linux developers hacking code than bsd developers because they're not exactly charmed by the idea of investing their time into code which can be used by microsoft without them returning anything? 
16:24 < kisom> or maybe because linux is backed by companies like canonical and red hat...
16:24 < |Mike|> redhat engineers are quite awesome :)
16:24 < kisom> does any "professional" BSD exist? where you can pay some company for support and all that
16:24 < |Mike|> I fed one drunk on puppetcamp last thursday :P
16:24 < |Mike|> kisom: nope
16:25 < |Mike|> professional / enterprise, nope
16:25 < |Mike|> (s or c ?)
16:26 < specnaz> Hi guys, I'm in the cafe and I'm using internet through lan network 192.168.x.x and I want to connect to my home network 10.2.x.x using openvpn but something is wrong...
16:26 < Bushmills> i think that bsd development is slower *because* companies are not required to feed their changes/improvements to code back
16:26 < kisom> specnaz: you need to connect to your public ip-adress
16:26 < Bushmills> just grab what is available, and distribute it as binary only in their own products
16:26 < specnaz> when openvpn connection is establish I lose my internet connection and I cannot to ping anything
16:26 < Bushmills> no wonder microsoft uses parts of it :)
16:26 < krzee> yes
16:27 < krzee> BSDi
16:27 < |Mike|> Bushmills: so you're sayi8ng that companies are always using enterprise crap for their production ? :)
16:27 < krzee> they bought freebsd from walnut creek cdrom btw
16:27 < kisom> specnaz: are you using gateway-redirect?
16:27 < specnaz> kisom: I have a connection with my home network but after that I lose the internet :P
16:27 < Bushmills> and no wonder that microsoft likes the bsd license much better than the gpl
16:27 < krzee> |Mike|, its very common in corporate, not ALWAYS but its common
16:27 < kisom> specnaz: OK, have you enabled routing/masquerade on your server?
16:28 < specnaz> kisom: yes
16:28 < krzee> Bushmills, exactly, apple too
16:28 < krzee> specnaz, do you have conflicting subnets...?
16:28 < krzee> !samesubnet
16:28 < vpnHelper> krzee: "samesubnet" is clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
16:28 < |Mike|> krzee: well, according to the redhat dev i spoke last thursday, yeah :)
16:28 < Bushmills> developers must be proud: "look they use what we have written in their products" 
16:28 < Bushmills> "and we gave it to them for nothing"
16:28 < krzee> Bushmills, their code ends up being able to make everything better
16:29 < specnaz> krzee: I don't know thats why I'm asking here if it is ok to use 192.168.x.x and 10.2.x.x 
16:29 < Bushmills> "never mind that those are among the most valuable companies"
16:29 < Bushmills> "everything"?  but not the original bsd code
16:29 < krzee> personally ild find it cool if apple/MS/cisco were to impliment openvpn into their products by default, but they cant because its GPL and they wont be distributing the source code
16:29 < kisom> specnaz: ok, so if i got this correct: you are able to connect to your VPN server, you can ping the server over the VPN but you cannot access the internet?
16:29 < |Mike|> krzee: the only thing what kinda took my thought was that there's actually an team behind an enterprise linux distro :P
16:30 < Bushmills> krzee: as user, i can understand. not sure how you felt as developer by that prospect
16:30 < kisom> krzee: we'd just get a microsoft-branded implementation of the openvpn protocol where it's only compatible with win 2k10 server ;)
16:30 < krzee> kisom, ;]
16:31 < Bushmills> because microsoft most likely modifies it such way that you need a microsoft client to connect ...
16:31 < specnaz> kisom: I got a connection to my home LAN, I got my new IP 10.2.x.y but after that I cant ping my home server and even the world
16:31 -!- dmc_ [~50c54215@gateway/web/freenode/x-dvzghzeqqaaoolsp] has joined ##openvpn
16:31 < kisom> specnaz: can you ping your server on the 10.2.x.x subnet?
16:31 < specnaz> no
16:32 < Bushmills> and microsoft would then not be required to publish source of their customisations - it becomes proprietary
16:32 < dmc_> i seem to fail at this routing
16:32 < kisom> yeah, and then they take patent on the openvpn protocol ;)
16:32 < Bushmills> what is free should stay free, i think
16:32 < kisom> and sue the openvpn devs
16:32 < jpalmer> Bushmills: most of the BSD community has gotten past the "MS sucks" mindest that plagues the linux communites.  they dont generally care if MS uses the BSD codebases,  and in fact..  recognize that it makes the IT industry (as a whole) better.
16:32 < Bushmills> that's what GPL tries to achieve
16:33 < kisom> specnaz: does ifconfig show you the tun0 interface on both server + client?
16:33 < Bushmills> but bsd license is more like "we take that free stuff and convert it into something not free"
16:33 < specnaz> kisom: yes
16:33 < kisom> specnaz: and the client gets an IP address like 10.2.0.2, while the server has 10.2.0.1?
16:33 < jpalmer> GPL license promises freedom.   BSD license actually delivers it.   essentially the BSD license is:  do what you want with it,  but don't sue me.
16:33 < krzee> Bushmills, its more like "heres our code, do ANYTHING you want with it, just dont claim you wrote it, give us our respect"
16:33 < specnaz> I can try to connect again to my home lan but after that I will disconect here
16:34 < krzee> oh right, and "dont sue me"
16:34 < specnaz> kisom: yes
16:34 < kisom> as long as the openvpn devs does not sue me for forking and not publishing source code ;)
16:34 < Bushmills> jpalmer: maybe it makes the *industry* better.  granted, that's not linux's prime objective.
16:35 < jpalmer> Bushmills: sadly, I'm very aware that isn't linux's objective.
16:35 < specnaz> kisom: 10.2.0.1 is for router which redirect opevpn port to my server 10.2.0.2 and thanks to this I got a IP like 10.2.0.3
16:35 < Bushmills> jpalmer: you could also donate your time to companies, for free, to make them better. 
16:35 < jpalmer> hopefully, one day they'll come to the realization that its not a rat race, and will try to benefit the industry as a whole.
16:36 < kisom> specnaz: whats the IP adress of your WAN connection on your server?
16:36 < jpalmer> Bushmills: many people do.  they call it volunteering.  I do it every weekend.
16:36 < specnaz> Do you know what should I do to check what is wrong ??
16:36 < dmc_> this conversation is very funny when "palmer" is mentioned in it :P 
16:36 < jpalmer> dmc: I guess I don't get the humor.
16:36 < kisom> specnaz: i mean, are you using the same IP range on both your home network and the VPN network? because then you would need a bridge
16:36 < dmc_> aww jpalmer 
16:37 < Bushmills> jpalmer: i am sure that many companies grab that chance to reduce costs with both hands. that gives a better margin on products, and chances for higher turnovers
16:37 < jpalmer> Bushmills: sure.  some will take advantage of it.  but the bottom line is,  I do it because the *community* is better for it.
16:38 < Bushmills> http://scarydevilmonastery.net/jobs+gates.jpg
16:38 < kisom> hahaha
16:38 < jpalmer> karma is a bitch.  those who do it for the profit margins, will have ti come back at some point.
16:38 < specnaz> kisom: yes this is the problem cose I dont have br0 interface on my server  :/ thx for help
16:39 < kisom> specnaz: then you need to set up one, install bridge-utils (might be named something else depending on the distro)
16:39 < Bushmills> jpalmer: i think the *community* gets better when those companies who want to use community code are required to feed their improvements back to community code if they choose to use it.
16:39 < Bushmills> otherwise, as you say, *industry* will get better
16:39 < jpalmer> anywho,  the licensing debate/philosophy discussions get old pretty quick.  my suggestion:  use whatever license you like, but don't try to remove my right to do the same ;)
16:40 < kisom> specnaz: i would recommend using a different subnet instead... and set up NATing
16:41 < specnaz> kisom: do you know some good tutorials how to do this ?? I need openvpn mainly for samba service so I want to setup it as easy as possible  :P
16:42 < kisom> specnaz: if samba is running on some other machine in the network then a bridge would be the easiest way...
16:42 < Bushmills> !wins
16:42 < vpnHelper> Bushmills: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
16:42 < kisom> (i'm not that into samba)
16:42 < specnaz> kisom: no everythink is in one machine
16:43 < kisom> then you should be able to use another subnet on the VPN without any trouble
16:43 -!- krzie [nobody@unaffiliated/krzee] has quit [Ping timeout: 240 seconds]
16:43 < jpalmer> Bushmills: I was going to stop the discussion,  but the "*industry* comment..   ugg.  you do realize that if it weren;t for that super evil "industrial" company named Microsoft,  you likely wouldn't even be *on* a computer right now,  right?   You can knock corporations or industries as much as you want,  but make no mistake about it,  it's BECAUSE of those very same entities that you live (and enjoy) the lifestyle you have.
16:44 < kisom> specnaz:
16:44 < Bushmills> jpalmer: i was on a computer before ibm introduces the pc
16:44 < jpalmer> (apologies if that got cut off)
16:44 < kisom> specnaz: there are lots of tutorials on NAT and masquerade
16:44 < krzee> ya Bushmills is a rare exception to that
16:44 < kisom> i believe openvpn has one as well
16:44 < krzee> but in general it is extremely true
16:44 < Bushmills> and before microsoft has, through that machine, the chance to launch their q+d os
16:45 < Bushmills> is used TSC's Flex09, and DR's CP/M before
16:45 < jpalmer> Bushmills: you were lucky.  but the bottom line is,  if a "microsoft" or a "microsoft-alike" hadn't made computers easy, affordable, and usable.. they'd be nowhere near as common or as ingrained as they currently are.
16:46 < Bushmills> jpalmer: i am aware that many users require something like windows to enable them to use a computer at all
16:46 < jpalmer> I'll end the discussion now,  as it serves no value.  and is offtopic here.  you're welcome to your own opinion.  But at least recognize that others have a right to theirs too.
16:46 < Bushmills> those users would probably be completely at loss with a BSD CD
16:46 < jpalmer> Bushmills: thanks for validating my point.
16:47 < jpalmer> without those evil giants..  you'd likely not be using a computer right now.
16:47 < Bushmills> those computers which i use mostly aren't even able to run microsoft products
16:48 < jpalmer> I think you're taking a very narrow view of a much broader picture I'm painting.
16:48 < jpalmer> if they weren't common, they'd be expensive. out of most peoples price ranges.
16:48 < Bushmills> i have to, because you tell me what *I* would not be able to.
16:48 < jpalmer> but I digress.  taking the family to outback.  another evil corporation!  later
16:49 < jpalmer> you can take the word "you" to mean you as an idividual,  or you can take it the way it's meant.  "you" as a collective.
16:50 < Bushmills> that computers are cheap is more IBM's doing, and less Microsoft's
16:50 < Bushmills> and it is not Apple's doing
16:50 < krzee> that computers became popular to the avg user, and thus the internet's explosion, can be credited to microsoft
16:50 < jpalmer> you really do have an idealized view of how the world works, don't you?
16:51 < kisom> Windows 7 is quite good.
16:51 < jpalmer> if cMS hadn't made computers popular,  IBM and Intel and such wouldn't mass produce the hardware, causing it to be a commodity item.
16:51 -!- dmc_ [~50c54215@gateway/web/freenode/x-dvzghzeqqaaoolsp] has quit [Quit: Page closed]
16:51 < Bushmills> had IBM launched the PC with another program loader, and not Microsoft's, it would maybe have increased the popularity of the PC
16:52 < jpalmer> if hardware is less common,  prices go up.   as prices go up, the availabilty for avg joe (rather than using the word "you" wouldn't be buying them.)
16:52 < Bushmills> MS/DOS was not exactly a program which made using a computer very easy or intuitive to the average user
16:52 < krzee> win 3.1 was, 95 more so, etc etc
16:52 < Bushmills> i's say, the PC became popular *in spite of* Microsoft
16:52 < jpalmer> anyway, as I mentioned..  this conversation has no value.  later
16:53 < krzee> later jpalmer 
16:53 < krzee> Bushmills, your view is quite distorted because of your place in things... you have never been an avg computer user
16:54 < Bushmills> before computers became popular, there weren't *average computer users*
16:54 < krzee> and that helps validate what im saying ;)
16:54 < |Mike|> oh.
16:54 < krzee> i started on win 3
16:54 < Bushmills> there was OS/2 before that
16:55 < krzee> i knew NOTHING, but i was able to pick things up because it was so overly easy
16:55 < Bushmills> Os/2's presentation manager was more intuitive
16:55 < Bushmills> but IBM sucked at marketing it
16:56 < Bushmills> itactually was a co-development of microsoft and ibm
16:56 < |Mike|> bushmills is typing like a drunken maniac 
16:56 -!- specnaz [~martin@213.231.108.123.dyn.user.ono.com] has quit [Ping timeout: 260 seconds]
16:57 < Bushmills> and then microsoft left the venture, and developed indepently what was to become windows 3.x later
16:57 < Bushmills> but at that time, PCs were already rather affordable and popular
16:58 < Bushmills> (though much less than today, of course)
16:58 < |Mike|> Bushmills: Do you have some kind of LinkedIn profile ? :)
16:59 < Bushmills> ope
16:59 < Bushmills> nope
16:59 < |Mike|> I'm quite interested in your job history hehe
16:59 < Bushmills> well, a bit of everything :)
17:00 < |Mike|> Maybe a strange Q, but where do you work at the moment? :)
17:00 < Bushmills> i don't 
17:00 < |Mike|> Heh 
17:06 < Bushmills> from designing and manufacturing bamboo products over chip card operating systems, production test software, over repairing PLC in support center, doing VR stuff, server admin, etc.  mostly i did implemenation of microcontroller-base interactive development environments. 
17:06 < |Mike|> bamboo, the java product ? :)
17:07 < Bushmills> no. the grass
17:08 < |Mike|> s/java/jar repository tool/
17:08 < |Mike|> you never worked with maeven btw?  :)
17:08 < Bushmills> no, i haven't
17:09 < krzee> hey Bushmills, can you show him that bash virtual environment for <some language, i forget, maybe fort>
17:09 < Bushmills> and java i know only from the back side. from the virtual machine side. result of porting an assembly implementation to another controller.
17:10 < Bushmills> krzee: perl, javascript, bash, choose your poison :)
17:10 < krzee> i remember a virtual env for some other language, coded in bash
17:10 < krzee> ild recognize it if you said it
17:11 < Bushmills> yes. but that was also implemented in the other languages. You mean that Forth interpreter+compiler
17:11 < krzee> yes
17:11 < krzee> thats it
17:11 < Bushmills> the javascript version is a bit faster than the bash version :)
17:12 < Bushmills> comparable with the perl version
17:12 < krzee> link to bash version pls?
17:12 < Bushmills> (either is about 100 times faster than the bash version)
17:12 < Bushmills> http://en.wikipedia.org/wiki/Bashforth
17:12 < vpnHelper> Title: Bashforth - Wikipedia, the free encyclopedia (at en.wikipedia.org)
17:14 < krzee> thx
17:14 < krzee> http://www.forthfreak.net/bashforth
17:59 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Quit: ZNC - http://znc.sourceforge.net]
18:00 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
18:05 -!- grendal_prime [~sgraham@74.120.139.103] has joined ##openvpn
18:05 < ecrist> krzee: spam filtering is pretty broken right now. :(
18:05 < ecrist> too lazy/busy to fix it.
18:13 -!- venom00 [~venom00@unaffiliated/venom00] has quit [Ping timeout: 260 seconds]
18:33 < ecrist> krzee: fixed it, but it's going through a re-learn for a few days
18:33 < ecrist> they changed the hash file format and the directory structure so the work required to fix it all is > than work require to relearn.
18:44 < krzee> werd
18:44 < krzee> not a problem really, i keep dspam open most the time i check my mail
18:53 < ecrist> until now, the webui was broken, it's all fixed now.
18:54 -!- grendal_prime [~sgraham@74.120.139.103] has quit [Ping timeout: 272 seconds]
18:55 < krzee> yup, already marked my first new email as spam
18:56 < krzee> thanx for the heads up
18:56 < ecrist> np, l8r
18:56 < krzee> adios bro
19:20 < krzee> !topology
19:20 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
19:40 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
19:43 -!- wao [wao@meine.xn--nck9azb.jp] has quit [Ping timeout: 260 seconds]
19:50 -!- _stev0_ [~stev0@CPE-121-210-100-176.bkcz2.ken.bigpond.net.au] has quit []
19:58 -!- dougy [Douglas@ool-435033e6.dyn.optonline.net] has joined ##openvpn
20:39 -!- killown [~killown@unaffiliated/geek] has quit [Quit: Saindo]
20:56 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
20:59 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Read error: Connection refused]
21:02 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
21:03 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
21:29 -!- humble-desser [~humble@174-25-236-13.rstr.qwest.net] has joined ##openvpn
21:30 < humble-desser> !welcome
21:30 < vpnHelper> humble-desser: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:33 < humble-desser> !redirect
21:33 < vpnHelper> humble-desser: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
21:33 < humble-desser> !ipforward
21:33 < vpnHelper> humble-desser: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
21:34 < humble-desser> !linipforward
21:34 < vpnHelper> humble-desser: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
21:34 < humble-desser> !def1
21:34 < vpnHelper> humble-desser: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
21:47 < humble-desser> !topology
21:47 < humble-desser> !/30
21:47 < humble-desser> !man
21:47 < vpnHelper> humble-desser: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
21:47 < vpnHelper> humble-desser: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
21:47 -!- humble-desser [~humble@174-25-236-13.rstr.qwest.net] has left ##openvpn []
21:47 < vpnHelper> humble-desser: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
21:55 -!- monolith_ [~monolith@ks354672.kimsufi.com] has joined ##openvpn
22:04 -!- humble-desser [~humble@174-25-236-13.rstr.qwest.net] has joined ##openvpn
22:12 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
22:14 -!- humble-desser [~humble@174-25-236-13.rstr.qwest.net] has quit [Quit: humble-desser]
22:16 -!- Johna [~johnaynag@74.115.208.58] has joined ##openvpn
22:17 < Johna> !welcome
22:17 < vpnHelper> Johna: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
22:25 < Johna> Is it possible to assign dynamic IP address from a ccd file? I basically need to assign ip's dynamically to the contractors using this eg. http://www.openvpn.net/index.php/open-source/documentation/howto.html#policy . I am trying to avoid running a separate openvpn instance just for contractors
22:25 < vpnHelper> Title: HOWTO (at www.openvpn.net)
22:25 < dougy> hm
22:25 < dougy> thats above my smarts
22:28 < Johna> any ideas please? I am totally lost on this.
22:32 < Johna> !forum
22:32 < vpnHelper> Johna: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
22:32 < dougy> :)
22:32 < dougy> stick it on there
22:33 < Johna> :D
22:59 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Quit: leaving]
23:00 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
23:06 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
23:06 < theDoc> Morning folks.
23:06 < dougy> hi
23:06 -!- Johna [~johnaynag@74.115.208.58] has quit [Ping timeout: 265 seconds]
23:07 -!- daishadar [~daishadar@47.sub-72-97-1.myvzw.com] has joined ##openvpn
23:08 < daishadar> i am connected to the internet via an openvpn tunnel over USB to my android cell phone
23:08 < daishadar> i'm wondering if it's possible to share that internet connection
23:09 < daishadar> via a wireless ad hoc network
23:09 < daishadar> basically have someone connect to me via wlan0 and access tun0 for an internet connection
23:10 < daishadar> anyone have any idea on how that might be accomplished?
23:11 -!- daishadar [~daishadar@47.sub-72-97-1.myvzw.com] has quit [Remote host closed the connection]
23:11 -!- daishadar [~daishadar@47.sub-72-97-1.myvzw.com] has joined ##openvpn
23:41 -!- daishadar [~daishadar@47.sub-72-97-1.myvzw.com] has quit [Quit: Leaving]
--- Day changed Sun May 30 2010
00:48 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:44 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
02:06 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
02:08 -!- _trine [~psybnc_ad@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Connection reset by peer]
02:08 -!- _trine [~trine@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
02:12 -!- _trine [~trine@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Client Quit]
02:12 -!- _trine [~trine@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
02:21 -!- _trine [~trine@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Quit: changing servers]
02:21 -!- _trine [~trine@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
02:21 -!- _trine [~trine@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has left ##openvpn []
02:25 -!- _trine [~trine@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
02:31 -!- _trine [~trine@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Operation timed out]
02:31 -!- _trine [~trine@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
02:35 -!- _trine [~trine@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Client Quit]
02:36 -!- bandini [~bandini@host103-109-dynamic.41-79-r.retail.telecomitalia.it] has quit [Quit: Ex-Chat]
02:36 -!- _trine [~trine@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
02:36 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Quit: Leaving.]
02:40 -!- _trine [~trine@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Client Quit]
02:40 -!- _trine [~trine@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
02:41 -!- _trine [~trine@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Remote host closed the connection]
03:28 -!- _trine [~trine@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
03:28 -!- venom00 [~venom00@net-93-71-48-181.cust.dsl.vodafone.it] has joined ##openvpn
03:28 -!- venom00 [~venom00@net-93-71-48-181.cust.dsl.vodafone.it] has quit [Changing host]
03:28 -!- venom00 [~venom00@unaffiliated/venom00] has joined ##openvpn
03:32 -!- _trine [~trine@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Client Quit]
03:33 -!- _trine [~trine@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- _trine [~trine@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Operation timed out]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:39 -!- _trine [~trine@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
03:45 -!- _trine [~trine@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: Operation timed out]
03:45 -!- _trine [~trine@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
03:47 -!- _trine [~trine@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Remote host closed the connection]
03:47 -!- _trine [~trine@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
03:48 -!- _trine [~trine@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has left ##openvpn []
04:21 < Bushmills> !redirect
04:21 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
04:38 -!- roentgen [~arthur@miranda/user/roentgen] has joined ##openvpn
04:38 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
05:05 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
05:33 -!- venom00 [~venom00@unaffiliated/venom00] has quit [Quit: DOEVENTS!]
05:57 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:05 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Remote host closed the connection]
06:07 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
06:13 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Read error: Connection reset by peer]
06:15 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
06:42 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 272 seconds]
06:50 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Remote host closed the connection]
06:57 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
07:03 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
07:11 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Quit: ZNC - http://znc.sourceforge.net]
07:14 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:18 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
07:19 -!- _trine [~trine@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
07:19 -!- _trine [~trine@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has left ##openvpn []
07:38 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
07:39 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Remote host closed the connection]
08:02 -!- demiurgen^ [~demiurgen@nl103-154-253.student.uu.se] has quit [Remote host closed the connection]
08:02 -!- demiurgen [~demiurgen@nl103-154-253.student.uu.se] has joined ##openvpn
08:02 -!- demiurgen [~demiurgen@nl103-154-253.student.uu.se] has quit [Client Quit]
08:08 -!- roentgen [~arthur@miranda/user/roentgen] has left ##openvpn ["Leaving."]
08:12 -!- gopp [~gopp@ool-44c07f7c.dyn.optonline.net] has joined ##openvpn
08:12 < gopp> what is the adress field in pfsense
08:12 < gopp> This is the address pool to be assigned to the clients. Expressed as a CIDR range (eg. 10.0.8.0/24). If the 'Use static IPs' field isn't set, clients will be assigned addresses from this pool. Otherwise, this will be used to set the local interface's IP.
08:12 < gopp> anyone can help walk through setting up open vpn on a pfsense box
08:12 < gopp> plase
08:12 < gopp> please thanks
08:13 < gopp> something like this right 192.168.0.0/24
08:13 < gopp> I see Client-to-client VPN
08:14 -!- max06 [~max06@freenode/sponsor/max06] has joined ##openvpn
08:17 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
08:22 < max06> Good evening... I'm trying to set up a vpn-tunnel between one Server and 3 Clients. All Clients should use the Server as gateway. Sadly, I'm not able to get a connection ... I collected configs and logs here: http://pastebin.com/EbZtDMHY
08:27 < dougy> clients -> node
08:27 < dougy> ?
08:27 < dougy> like, redirect all traffic?
08:27 < max06> right
08:27 < dougy> !def1
08:27 < vpnHelper> dougy: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
08:28 < max06> at the moment, it's not possible to establish a normal connection 
08:28 < dougy> hrm
08:28 < dougy> I have never seen the error in your logs before
08:28 < Bushmills> max06: "no connection" - does that mean the clients don't connect to server, or the clients can't see each other?
08:28 < dougy> Bushmills look at pastebin
08:28 < max06> no connection to server
08:31 < Bushmills> "--ifconfig-pool-persist will not work with --duplicate-cn"
08:31 < Bushmills> you have both
08:31 < max06> it's only a warning, without duplicate-cn same behaviour
08:35 < Bushmills> well, SSL3_GET_SERVER_CERTIFICATE:certificate verify failed  seems to be the problem. but why, i can't tell
08:35 < dougy> what OS is server running
08:35 < Bushmills> at least, that explains why client won't connect
08:35 < max06> Debian 5
08:35 < dougy> this is a stupid question
08:35 < dougy> is something stupid like selinux or grsecurity running
08:35 < max06> mhm... no, I'm running a xen kernel, but nothing more
08:36 < dougy> anything in /var/log tabout openvpn
08:36 < dougy> about
08:36 < max06> moment
08:36 < dougy> something may be holding it up from workign properly
08:36 < gopp> I am getting unable to write random state
08:36 < gopp> with open vpn and 
08:37 < gopp> windows 7
08:37 < dougy> !all
08:37 < vpnHelper> dougy: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
08:37 < gopp> widnows 7 open vpn 2.2 
08:37 < dougy> again
08:37 < dougy> !all
08:37 < vpnHelper> dougy: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
08:38 < max06> dougy, only some "May 30 15:18:58 l101 kernel: [345688.308417] tap0: no IPv6 routers present"
08:38 < hyper_ch> krzee: help :)
08:38 < dougy> that's all?
08:38 < max06> right
08:38 < max06> nothing more
08:38 < dougy> hmm
08:39 < dougy> what are permissions on openvpn files? i am taking blind stabs at this, by the way
08:39 < dougy> some sort of cert error, trying to see if something server side is obstructing it, but most likely not
08:39 < max06> 644
08:39 < max06> 600 serverkey.pem
08:40 < max06> I guess if there's something wrong with the perms, server wouldn't start up?
08:40 < dougy> seems logical
08:40 -!- roentgen [~arthur@miranda/user/roentgen] has joined ##openvpn
08:40 -!- roentgen [~arthur@miranda/user/roentgen] has left ##openvpn []
08:41 < dougy> hmm
08:41 < dougy> why are you using tap ?
08:41 < max06> I want to build up a small network
08:41 < dougy> !tap
08:41 < vpnHelper> dougy: "tap" is "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything
08:41 < vpnHelper> dougy: where the protocol uses MAC addresses instead of IP addresses.
08:41 < dougy> !tunortap
08:41 < vpnHelper> dougy: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
08:41 < vpnHelper> dougy: against you over the vpn, or (#4) lan gaming? use tap!
08:41 < max06> okay...
08:41 < hyper_ch> dougy: are you a routing-guru?
08:42 < max06> switching to tun
08:42 < dougy> hyper_ch: not at all
08:42 < dougy> why do you ask?
08:42 < dougy> i am not an openvpn guru even to the first degree.. unless you are referring to something outside of it
08:42 < hyper_ch> dougy: well, I just read that an IP adress is not necessarily leading to where someone says it is
08:42 < dougy> explain?
08:42 < hyper_ch> dougy: it also has to do with BGP
08:43 < dougy> not leading to where someone says, explain
08:43 < dougy> i mean
08:43 < max06> !tun
08:43 < vpnHelper> max06: Error: "tun" is not a valid command.
08:43 < Bushmills> Border Gateway Protocol?
08:43 < dougy> yes
08:43 < hyper_ch> Broader Gateway Protocol
08:43 < dougy> if you have access to something with access to global bgp routing table, an its cisco
08:43 < dougy> you can
08:43 < dougy> sh ip bgp it
08:43 < Bushmills> RFC 1267/1771
08:43 < max06> with tun, I can connect more than one client at once?
08:44 < dougy> yes
08:44 < dougy> max06: how'd you make the certs?
08:44 < max06> moment, searching for the tutorial
08:44 < hyper_ch> up to know I thought an ip is unique -except for the private subnets
08:44 < theDoc> hyper_ch> Well, are you advertising prefixes which you don't own? :)
08:44 < dougy> max06:
08:44 < dougy> !howto
08:44 < vpnHelper> dougy: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:44 < dougy> doesnt get any better then that
08:44 < hyper_ch> theDoc: ? what do you mean?
08:44 < max06> http://www.online-tutorials.net/security/openssl-tutorial/tutorials-t-69-207.html#beispiel-openvpn
08:44 < vpnHelper> Title: Online-tutorials.net - OpenSSL Tutorial (at www.online-tutorials.net)
08:44 < max06> I used this one
08:45 < dougy> check out what i sent you
08:45 < max06> Going to have a look at yours :)
08:45 < theDoc> hyper_ch> The ip address is unique but the routers that direct the traffic can mess up.
08:45 < dougy> i am going to say that tutorial's method is your issue
08:45 < max06> starting at zero?
08:45 < theDoc> Just look at pakistan hijacking youtube's network block and advertising it via bgp.
08:45 < dougy> heh
08:45 < dougy> a company i deal with fucked outblaze
08:45 < hyper_ch> theDoc: I think that what heise is writing about but they say china
08:46 < dougy> announced a nullroute and all over the internet, places took the routes
08:46 < max06> okay... give me some minutes for reading and testing
08:46 < Bushmills> well, i *suppose* you can, technically, use any ip address on you LAN if you don't mind not being able to reach the interfaces which have been assigned that address in internet, and as long you prevent any packets from/to those LAN addresses to leak through into internet
08:46 < dougy> max06: the easy-rsa is easy as it gets
08:46 < dougy> i am pretty confident that will sort you
08:46 < max06> I've been looking for that earlier, but I didn't find it
08:46 < dougy> IRC ftw
08:46 < dougy> !howto
08:46 < vpnHelper> dougy: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:46 < dougy> :)
08:46 < hyper_ch> so a messed up bgp provider could make that different part of the world end up at different "machines" for a given ip?
08:47 < max06> ^^
08:47 < dougy> hyper_ch: yes you can hijack IP space
08:47 < theDoc> dougy> You'll get nullrouted fast enough.
08:47 < dougy> obviously
08:47 < Bushmills> just as much as a incorrect routing table entry in one of the backbone routers
08:47 < hyper_ch> well, I think that's interesting to konw
08:47 < theDoc> I wouldn't attempt injecting false routes into core routers if I were you :P
08:47 < theDoc> People get upset.
08:48 < dougy> more then upset, heh
08:48 < hyper_ch> since in legal prosecution an IP is like a fingerprint that cannot be disputed (or hardly)
08:48 < dougy> theDoc: im not sure exact price, but id put your quote somewhere between 100-120 @ the dc i work for
08:48 < dougy> just fyi
08:48 < theDoc> Ok
08:48 < dougy> ehh hyper_ch
08:48 < Bushmills> the problem 3 weeks ago in germany/frankfurt cix routers was, iirc, due to a wrong routing table entry in one of the backbone routers 
08:48 < dougy> bad comparison
08:48 < theDoc> hyper_ch> Wrong. The ip address is not an accurate representation of where/whom is behind an act.
08:49 < dougy> hyper_ch: whats your question
08:49 < Bushmills> as result, parts of germany were sort of cut off international internet
08:49 < dougy> are you askin if you can say an IP is in one place
08:49 < dougy> and annouce it there
08:49 < theDoc> It only shows you the end node which is connecting to the destination.
08:49 < dougy> but have it show elsewhere ?
08:49 < theDoc> Bushmills> That sucks big time. Did heads roll for that?
08:49 < Bushmills> no idea
08:49 < dougy> hyper_ch: a GRE tunnel sounds like something that would do what you are inquiring about
08:50 < hyper_ch> dougy: the question is how reliable an IP address can be used to trace to a internet subscriber
08:50 < dougy> poor
08:50 < theDoc> Anyone here terribly familiar with freeradius and usergroups on it?
08:50 < theDoc> rlm_sql mainly.
08:50 < Bushmills> not even sure whether that wrong route as the result of human interaction, or a protocol failure
08:50 < Bushmills> was
08:50 < hyper_ch> dougy: but current practice at court is that IPs are not disputed to being faulty
08:50 < theDoc> Bushmills> I'm inclined to go with human interaction, the protocols don't usually fail.
08:50 < theDoc> hyper_ch> The law needs to catch up with IT.
08:51 < hyper_ch> well, police looks at an IP address like a fingerprint
08:51 < dougy> my IP says..
08:51 < hyper_ch> although we all know how printers were accused of filesharing
08:51 < dougy> Hicksville, NY
08:51 < Bushmills> i tend to think that routes on backbone routers aren't usually hand-configured
08:51 < dougy> hmm
08:51 < dougy> i need to buy some used dell shit
08:51 < max06> easy! :)
08:51 < dougy> max06: ?
08:52 < theDoc> Bushmills> I don't know, I don't work with bbr's of that size but I'm quite sure that it's hand configured of it's advertising a new bgp prefix.
08:52 < max06> great scripts
08:52 < Bushmills> i just don't know. but i wasn't affected.
08:52 < hyper_ch> max06: easyrsa makes it easy to generate rsa certs :)
08:52 < theDoc> The above statement didn't make sense. :o
08:52 < max06> didn't know that :)
08:53  * theDoc needs a freeradius guru pronto :(
08:53 < hyper_ch> theDoc: can't you download one?
08:53 < Bushmills> power up the matter synthesizer
08:53 < theDoc> hyper_ch> I need some clarification on some usergroup issues.
08:53 < hyper_ch> theDoc: I only have a very, very, very faint idea on radius :)
08:54 < theDoc> I don't profess to be an expert on fr but I'm getting confused by the rlm_sql module.
08:55 < hyper_ch> theDoc: good luck
08:56 < hyper_ch> I just tuned my postfix a bit
09:01 < gopp> is thier a how to get pfsense open vpn + widnows 7 open vpn client working
09:01 < gopp> ????
09:04 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
09:07 -!- max06_ [~max06@freenode/sponsor/max06] has joined ##openvpn
09:07 < max06_> oh
09:07 < max06_> seems good :)
09:07 < max06_> moment
09:07 < max06_> it works perfectly!
09:08 < dougy> heh
09:08 < dougy> krzee
09:08 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
09:08 < dougy> first person ive successfully helped in 3+ months
09:08 < max06_> dougy, you're my hero :)
09:08 < dougy> shh
09:08 < dougy> dont make my ego any larger
09:08 < hyper_ch> max06_: you could give him cookies
09:09 < max06_> I tried this about 3 times in the last 12 month... this is the first time it works 100% :)
09:09 < dougy> win
09:09 < max06_> I can test this on linux on monday... at the moment i've got only a mac-client for testing
09:10  * hyper_ch takes dougy's egp. throws it to the ground and stomps on it repeteadly. Then he picks it up and returns it.
09:10 < hyper_ch> dougy: there you go, it's not inflated anymore :)
09:10 < hyper_ch> isn't mac like a linux client?
09:10 < max06_> like, yes
09:10 < max06_> os x is built on unix
09:11 < hyper_ch> :)
09:11 -!- max06 [~max06@freenode/sponsor/max06] has quit [Ping timeout: 258 seconds]
09:12 < max06_> If I want openvpn to start automaticly on system boot, what name do I need to give the config file?
09:12 < max06_> (english -.-)
09:14 < hyper_ch> on debian it's simple :)
09:14 < max06_> how? :)
09:15 < max06_> I'm running debian ^^
09:15 < theDoc> You wave your hands in the air and start chanting: Make it start! Make it start!
09:15 < hyper_ch> if you install openvpn it will auto-start as it adds it as system service
09:15 < hyper_ch> if for some reasons it did not do so, issue as root:  update-rc.d /etc/init.d/openvpn defaults
09:16 < max06_> yes... but how does it know which config file it should use?
09:16 < hyper_ch> ???
09:16 < max06_> I placed the config in /etc/openvpn/server.conf
09:16 < hyper_ch> so?
09:17 < max06_> at the moment, I'm starting it by calling "openvpn --server /etc/openvpn/server.conf"
09:17 < hyper_ch> you only have a server or a client config there
09:17 < max06_> yes
09:17 < hyper_ch> and on debian you do:  /etc/init.d/openvpn start|stop|restart
09:17 < max06_> not yet
09:18 < max06_> but i want to
09:18 < max06_> I just don't know, how to pass the config-filename :)
09:19 < max06_> It's even possible that I'm only to stupid for that... :D
09:20 < hyper_ch> if you use the init scripts you don't have to pass anything
09:20 < max06_> okay :)
09:20 < max06_> that sounds good
09:20 < max06_> moment... restarting as service
09:22 -!- max06_ [~max06@freenode/sponsor/max06] has quit [Quit: Verlassend]
09:22 -!- max06_ [~max06@freenode/sponsor/max06] has joined ##openvpn
09:22 < hyper_ch> freenode sponsor?
09:23 < max06_> alright :)
09:23 -!- takamichi [~pri@78.133.37.89] has joined ##openvpn
09:23 < max06_> daemon-start works :)
09:24 < hyper_ch> I guess the initscript frist checks if there's a server.conf and if so uses it, then checks if a client.conf and if so uses that and if none is available it'll probably output an error
09:24 < max06_> on windows it looks for all files ending with *.ovpn 
09:25 < max06_> as I can see, it's completly stable ... I'll try this with my mobile connection later :D
09:27 < max06_> okay... I wish you a nice evening ... thanks for this great help :)
09:28 -!- max06_ [~max06@freenode/sponsor/max06] has quit [Quit: Verlassend]
09:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 258 seconds]
10:11 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Excess Flood]
10:18 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
10:19 < gopp> I don't see
10:19 < gopp> .crt
10:19 < gopp> or .key for server.crt server.key
10:19 < gopp> in
10:19 < gopp> C:\Program Files (x86)\OpenVPN\easy-rsa\keys <--
10:19 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:30 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
10:40 < ecrist> gopp: so put them there...
10:43 < gopp> ok
10:43 < gopp> I just did
10:51 -!- gop_ [~gopp@ool-45713978.dyn.optonline.net] has joined ##openvpn
10:54 -!- gopp [~gopp@ool-44c07f7c.dyn.optonline.net] has quit [Ping timeout: 276 seconds]
10:56 < gop_> this is not connect
10:57 < gop_> this is my error http://pastebin.com/GMQC11mD
11:02 -!- gopp [~gopp@ool-44c07f7c.dyn.optonline.net] has joined ##openvpn
11:03 < gopp> hi
11:03 -!- Johna [~johnaynag@212.95.32.175] has joined ##openvpn
11:03 < gopp> http://pastebin.com/TZhWMW1a <--
11:04 -!- gop_ [~gopp@ool-45713978.dyn.optonline.net] has quit [Ping timeout: 260 seconds]
11:05 < Johna> In this example http://www.openvpn.net/index.php/open-source/documentation/howto.html#policy I am trying to assign dynamic ip's to all the contractors without having to run 2nd instance of openvpn just for contractors. Any pointers on how this can be done?
11:05 < vpnHelper> Title: HOWTO (at www.openvpn.net)
11:08 < hyper_ch> one of my little carnivores killed a bird today
11:11 < Johna> anyone? please please please
11:31 < kisom> Johna: what exactly do you want to do?
11:32 < kisom> different subnets for contractors on the same server?
11:32 < Bushmills> what you mean by "without having to run 2nd instance"?
11:33 < Bushmills> only openvpn server, nothing else?
11:33 < kisom> i believe he wants to run multiple subnets on the same openvpn server
11:33 < kisom> personally i would just shove them all on the same subnet.
11:36 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
11:54 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
12:09 < Johna> kisom and Bushmills: Yes I want to run multiple subnets on the same openvpn server
12:09 < Johna> using ccd file I was able to push static ip but i want it dynamic
12:10 < gopp> so what did I do wrong
12:11 -!- dougy [Douglas@ool-435033e6.dyn.optonline.net] has quit []
12:13 < Johna> kisom: The idea is to give contractors different public IP. I have squid running which gives out different public ip based on users / groups / ip's and each of them have different access restrictions.
12:13 < gopp> http://pastebin.com/VZM1Vdbn
12:13 < gopp> that what I did
12:13 < gopp> but it won't connect
12:14 < Johna> gopp you are getting TLS key negotiation error. Something is blocking your udp connection - it could be your firewall or even your antivirus or even your isp
12:14 < Bushmills> johna, you may want to set a low time with ifconfig-pool-persist
12:15 < gopp> oh
12:15 < gopp> Johna I setup firewall rules
12:15 < gopp> on my pfsense
12:15 < gopp> do I need to also setup nat rules
12:16 < Bushmills> without keep-alive, openvpn clients are more likely to dis- and reconnect
12:16 < gopp> were would this keep-alive option be 
12:18 < Johna> Bushmills: My understanding is ifconfig-ppol-persist gives out same ip that was assigned before if the user connection drops. Can you please explain how it would help me run multiple subnets?
12:18 < Johna> gopp: keepalive should be in your client config or you can push it from the server
12:19 < gopp> I can push from server
12:19 < gopp> hmm
12:19 < Bushmills> Johna: " I am trying to assign dynamic ip's to all the contractors ... using ccd file I was able to push static ip but i want it dynamic"
12:19 < gopp> I am using pfense Johna is it hard to do that in pfsense
12:20 < Bushmills> wanting to run several subnets is not related to wanting dynamic ip addresses.  my reply addressed your dynamic ip addresses question
12:21 < Bushmills> !route should help your routing non-vpn addresses through vpn
12:21 < vpnHelper> Bushmills: Error: "route" is not a valid command.
12:21 < Bushmills> !route
12:21 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:21 < gopp> were is the keep alive in client
12:21 < Johna> bushmills: Sorry I meant the static ip I assigned was in different subnet. I added route 10.8.10.0 255.255.255.0 in my server config and in the ccd file I was able to set the static ip for the contractor to 10.8.10.5 10.8.10.6
12:21 < gopp> do I need to show you my config or something to be best help
12:22 < Johna> my server is running on 10.8.20.0
12:23 < Bushmills> openvpn assigns addresses to tun interfaces. for routing packets from/to other ip adresses it is merely a transport, but not involved in assigning those 
12:23 < Johna> gopp: i have no experience with pfsense. i use debian with shorewall
12:23 < gopp> oh 
12:23 < gopp> shorewall is based on debian
12:23 < gopp> how is shorewall you like it
12:24 < julius> embedded pfsense openvpn seemed kinda broken to me back when I was using it
12:25 < julius> (incomplete config interface etc..)
12:25 < gopp> yea it does not seem to have a compelet interface
12:28 < julius> no way to store/use symmetric keys used with the pki config, can't store login credentials for user auth etc...
12:28 < julius> the non-embedded pfsense version should be at least a little better
12:38 < Johna> Bushmills: route is for linking different subnets correct? My problem is I need to assign IP's from different subnet to contractors. Currently I am running openvpn server on a different port just for contractors but I am trying to get away from this and use the "employees" openvpn server to handle even contractors. Employees get ip's in 10.8.20.0 subnet and contractors get ip in 10.8.10.0
12:39 < Johna> gopp i like shorewall. it took a while to figure out initially but now i like it
12:41 < gopp> is shorewall all cli
12:44 < Johna> gopp - check this http://www.shorewall.net/OPENVPN.html
12:44 < vpnHelper> Title: OpenVPN Tunnels and Bridges (at www.shorewall.net)
12:55 -!- gopp [~gopp@ool-44c07f7c.dyn.optonline.net] has quit [Ping timeout: 272 seconds]
12:57 -!- gop_ [~gopp@ool-44c07f7c.dyn.optonline.net] has joined ##openvpn
13:02 < gop_> k upgraded to 2.0
13:08 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
13:16 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
13:26 < Bushmills> Johna: why not assign static addresses (through ccd) in the low range of one subnet to employees, and dynamic address (no ccd) to high addresses of the same subnet? 
13:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
13:34 < Johna> Bushmills: we have multiple servers to load balance. static address is unfortunately not an option :(
13:35 < Bushmills> i don't see how assigning static or dynamic address to clients affects load balancing
13:38 < Johna> when employees are travelling they get the ip's in the contractors range. no access to the lan. Just secure internet.
13:39 < Bushmills> what is responsible for them to get a different address when travelling?
13:40 < Bushmills> (one from the contractor- instead of employee subnet)  .. i suppose they still use the same machine, and the same key
13:40 -!- bandini [~bandini@host103-109-dynamic.41-79-r.retail.telecomitalia.it] has joined ##openvpn
13:41 < Johna> yes they use the same server and key but different port to connect
13:43 < Johna> its a crazy requirement and i am completely lost
13:43 < Bushmills> so what mechanism would you want to use when there's only one instance, and one server, to determine whether they get an address from the one or the other subnet?
13:43 < Bushmills> will you have a checkbox for each employee, to click on for "travelling"?
13:44 < Johna> it will be based on their username which is also the common-name
13:44 < Johna> correct :)
13:44 < Bushmills> but that won't change - that's written in the key
13:45 < Bushmills> and the key doesn't care wether they are on site or travelling
13:47 < Johna> yes that's where i am stuck. I have generated 2 files - one having full access and other having restricted access. using tls-verify i should be able to figure out if they should have full access or restricted access but how do I push ip to them?
13:49 < Johna> i wish ccd supported dynamic ip's. it would have solved my issue
13:50 < Bushmills> so what's wrong with running two openvpn servers, if the needs for either group of users to connect to are that different?
13:52 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Excess Flood]
13:52 < Bushmills> allow one to be connected to from LAN only, the other from WANM
13:52 < Bushmills> WAN
13:54 < Johna> its generating lot of support issues and we want to assign users to other subnets if needed very easily. 
13:55 < Johna> without having to run multiple openvpn servers on the same box
13:57 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
14:02 -!- mintux [~mrg@unaffiliated/mintux] has joined ##openvpn
14:04 -!- gop_ [~gopp@ool-44c07f7c.dyn.optonline.net] has quit [Ping timeout: 248 seconds]
14:07 -!- gopp [~gopp@ool-44c07f7c.dyn.optonline.net] has joined ##openvpn
14:08 < Bushmills> use two boxes
14:08 < Bushmills> for seperating those user groups, that may even be preferable
14:11 < krzie> !policy
14:11 < vpnHelper> krzie: "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario
14:11 < krzie> !ccd
14:11 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
14:11 < krzie> !static
14:11 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
14:11 < krzie> !factoids search ldap
14:11 < vpnHelper> krzie: "ldap_iptables" is see http://planetjoel.com/viewarticle/638/OpenVPN%3A+Dynamically+create+IPtables+rules+based+on+LDAP+group+membership for a cool script for setting iptables rules based on LDAP membership (currently only handles TCP rules, but an easy fix to support UDP)
14:11 < krzie> something from that should be able to help you ;]
14:13 < mintux> I could not solve my problem yet . no route to host 
14:13 < mintux> !route
14:13 < vpnHelper> mintux: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:14 < mintux> my ip is 192.168.1.15 so in this command I should put client1 with lan 192.168.1.15 ?
14:15 < mintux> route 192.168.1.15 255.255.255.0 
14:15 < mintux> ?
14:18 < Johna> krzie: I have been through most of them. my problem is i need to assign dynamic ip's from a different subnet to the contractors using ccd file or similar
14:18 < krzie> client-connect script
14:18 < krzie> !iporder
14:18 < vpnHelper> krzie: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
14:19 < krzie> mintux, no idea which ip you mean by "my ip is"
14:19 < krzie> and i gotta shower and goto work
14:19 < krzie> so bbiab
14:26 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 240 seconds]
14:28 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
14:42 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has joined ##openvpn
14:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
14:55 -!- demiurgen [~demiurgen@nl103-154-253.student.uu.se] has joined ##openvpn
15:00 -!- mintux [~mrg@unaffiliated/mintux] has quit [Remote host closed the connection]
15:17 -!- DrPepper [~DrPepper@88.207.189.81] has quit [Quit: Leaving...]
15:18 -!- DrPepper [~DrPepper@88.207.189.81] has joined ##openvpn
15:20 -!- DrPepper [~DrPepper@88.207.189.81] has quit [Read error: Connection reset by peer]
15:26 < Johna> krzie: i am lost with Use --client-connect script generated file for static IP. Do you have an example or point me to a site?
15:26 < Johna> can I specify ifconfig-pool in client-connect script?
15:33 -!- bandini [~bandini@host103-109-dynamic.41-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
15:46 < krzee> read the manual on it
15:46 < krzee> basically, it passes a file name to the script, whatever is written to that file is treated as a dynamic ccd entry
15:46 < krzee> for things like
15:46 < krzee> !static
15:46 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
15:47 < krzee> so your script can decide who belongs where based on that
15:54  * ecrist wonders at what point /ban should be cleaned out
15:54 < krzee> feel free *shrug*
15:55 < ecrist> oh, it's not something I'm losing sleep over.
15:55 < krzee> hehe ya
15:55 < krzee> omg im sore
15:59 < demiurgen> hm. what's the deal with the warning "--remote address [10.1.1.2] conflicts with --ifconfig subnet [10.1.1.200, 255.255.255.0] -- local and remote addresses cannot be inside of the --ifconfig subnet."
16:01 < demiurgen> what exactly is the problem?
16:16 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
16:32 < krzee> demiurgen, 
16:32 < krzee> !samesubnet
16:32 < vpnHelper> krzee: "samesubnet" is clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
16:34 -!- DrPepper [~DrPepper@88.207.189.81] has joined ##openvpn
16:53 < Johna> !ipp
16:53 < vpnHelper> Johna: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
16:53 -!- f1assistance1 [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
16:54 -!- f1assistance1 [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
16:55 < Johna> Thanks krzee and Bushmills. I will do some more experiment
16:57 < krzee> np
17:06 -!- Johna [~johnaynag@212.95.32.175] has quit []
17:06 -!- zamba [marius@flage.org] has quit [Ping timeout: 276 seconds]
17:07 -!- zamba [marius@flage.org] has joined ##openvpn
17:11 < Bushmills> yw
17:15 -!- zamba [marius@flage.org] has quit [Ping timeout: 252 seconds]
17:24 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined ##openvpn
17:25 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has left ##openvpn []
17:35 -!- monolith_ [~monolith@ks354672.kimsufi.com] has quit [Quit: monolith_]
17:44 -!- zamba [marius@flage.org] has joined ##openvpn
17:51 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
17:56 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
18:10 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
18:20 < demiurgen> krzee: I see, thank you!
18:20 < krzee> np =]
18:21 < demiurgen> has anyone had any luck connecting a client to the openvpn server through a socks-proxy while using UDP?
18:22 < demiurgen> it works just fine when client and server is set up to use TCP, but UDP just b0rks
18:23 < krzee> demiurgen, yes
18:23 < krzee> i do it
18:23 < krzee> but your socks daemon needs to be setup for it
18:23 < krzee> sshd tunneling wont do it...
18:23 < demiurgen> krzee: huh, how come?
18:23 < demiurgen> ssh is what I use
18:23 < krzee> how come what?
18:24 < krzee> how come your socks daemon needs to support it?
18:24 < demiurgen> how come ssh won't do?
18:24 < krzee> ask the openssh team i guess
18:24 < krzee> i use dante, and configured it to work
18:24 < krzee> however, openvpn doesnt support socks auth
18:24 < demiurgen> what's needed beyond socks5?
18:25 < demiurgen> that's not an issue in this case
18:25 < krzee> so i openvpn to my main vpn machine, then i have a sockd running inside the vpn
18:25 < krzee> like this:
18:25 < krzee> !sockd
18:25 < vpnHelper> krzee: "sockd" is if you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP! otherwise you will be an open proxy. that config has no security because its expected to run inside openvpn
18:25 < krzee> !routebyapp
18:25 < vpnHelper> krzee: "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
18:26 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:27 < demiurgen> I'm confused... my client can't openvpn to my server due to its firewall. I need an external proxy to get to my server from the client, so the whole point is that the socks server then must be outside of the vpn, no?
18:27 < krzee> then i also set some of my other vpn's to use the socks (by vpn ip) to connect
18:28 < krzee> im just telling you what i do
18:28 < krzee> but basically, with ssh tunnel, you can only tunnel TCP
18:28 < krzee> thats just how it is
18:28 < demiurgen> but ssh supposedly supports socks5 which should handle udp
18:28 < krzee> you can argue all you like, it wont change anything
18:30 < demiurgen> of course :)
18:30 < demiurgen> conclusion: ssh doesn't support socks5 fully (probably)
18:31 < demiurgen> krzee: thanks again! I'll look into dante
18:32 < krzee> conclusion: socks5 doesnt require tunneling everything to be called socks5 ;)
19:12 -!- jjjj [noone@80.178.10.6.adsl.012.net.il] has joined ##openvpn
19:12 < jjjj> !welcome
19:12 < vpnHelper> jjjj: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:24 < jjjj> hey guys, i'm leasing an openvpn tunnel service, it works fine with one of my servers, i used the same configuration on one of my other servers, and its works only for outgoing connections, but for incoming. Could it be because the interface on that server is set to eth2 and not eth0?
19:24 < jjjj> no firewall btw
19:27 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
19:28 -!- DrPepper [~DrPepper@88.207.189.81] has quit [Ping timeout: 248 seconds]
19:29 < jjjj> both servers are on the same isp, and all the rest is the same
19:29 < Bushmills> jjjj: try mtr or traceroute, to see where packets get stuck+
19:34 -!- DrPepper [~DrPepper@ks27450.kimsufi.com] has joined ##openvpn
19:35 < jjjj> Bushmills: traceroute doesnt get stucked on vpn ip, but gets stucked on real ip
19:36 < jjjj> i cant axx the server on any port from any of the ips
19:37 < jjjj> ping response only from vpn ip
19:38 < jjjj> so as soon as i start the vpn, i cant axx the server from real ip
19:39 < jjjj> i can axx it only from its internal ip
19:41 < Bushmills> try tcpdump or tshark then, on server. loop at tun interface whether packets are routed.
19:45 -!- purifiedmadness1 [~jesus@c-67-177-231-60.hsd1.co.comcast.net] has joined ##openvpn
19:46 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Remote host closed the connection]
19:47 < jjjj> 888 packets captured
19:47 < jjjj> 888 packets received by filter
19:47 < jjjj> 0 packets dropped by kernel
19:49 < jjjj> when i stopped it
19:49 < jjjj> first time im using it, so im not sure what should i do exactly?
19:52 < jjjj> outgoing connections work btw, and vpn ip is recognized
19:58 < jjjj> 00:52:42.010131 IP serverhost > vpnhost: S 3795222880:3795222880(0) ack 3448711193 win 5792 <mss 1460,sackOK,timestamp 704145 812764057,nop,wscale 6>
19:59 -!- theDoc [~jaki@173.236.41.35] has joined ##openvpn
19:59 -!- theDoc [~jaki@173.236.41.35] has quit [Changing host]
19:59 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
19:59 < jjjj> Bushmills: any ideas?
20:01 < Bushmills> well, for example, try to ping client. follow the incoming echo requests towards clients. assuming that you can see them on server wlan interface, check whether you can still see them on server tun.
20:01 < Bushmills> if you can, check on client tun
20:03 < jjjj> ping the vpn ip or realip?
20:03 < Bushmills> as you can ping the real ip, you won't learn a lot from that. 
20:03 < Bushmills> you should do what cause the problem to manifest
20:06 < Bushmills> !pptp
20:06 < vpnHelper> Bushmills: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml
20:06 < vpnHelper> Bushmills: to read about why to not use pptp
20:09 -!- jjjj [noone@80.178.10.6.adsl.012.net.il] has quit [Ping timeout: 240 seconds]
20:11 -!- jjjj [noone@80.178.14.170.adsl.012.net.il] has joined ##openvpn
20:11 < jjjj> Bushmills: i dont see anything different in the output while pinging?
20:12 -!- purifiedmadness1 [~jesus@c-67-177-231-60.hsd1.co.comcast.net] has left ##openvpn []
20:15 < Bushmills> well, where the packets get stuck, there would be the problem
20:19 < jjjj> what i really dont understand is why the server (real ip) gets blocked as soon as i start the vpn service
20:20 < jjjj> when i start the vpn from another server both ips are reachable
20:20 < Bushmills> but contrary to us, you are in the position to find out
20:22 < jjjj> problem is, i dont know how to find out where the packets get stuck, first time im dealing with such problem
20:24 < Bushmills> you have learned already the name of a few tools which are helpful.   the route command, and its output, is also of great value
20:25 < Bushmills> an of course there is
20:25 < Bushmills> !firewall
20:25 < vpnHelper> Bushmills: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
20:27 < Bushmills> netstat can be helpful, especially to determine to what interfaces a service was bound
20:27 < jjjj> no iptable rules or firewall enabled
20:28 < jjjj> let me try netstat
20:30 < jjjj> since im connected to the server internally, i get spam output :S
20:31 < jjjj> 1000x tcp        0      0 192.168.10.1:56005      192.168.10.3:3306       TIME_WAIT
20:33 < Bushmills> i don't think that mysql should interest you when trying to trace openvpn problems
20:33 < Bushmills> unless you use mysql access to test the openvpn route
20:34 < jjjj> i axx the httpd server from the mysql server internally
20:38 < jjjj> how can i determine to what interface openvpn was bound?
20:38 < jjjj> with netstat
20:40 < Bushmills> by displaying the services the machine listens to, on the specified protocol
20:42 < jjjj> udp        0      0 0.0.0.0:5145            0.0.0.0:*                           7865/openvpn
20:44 < Bushmills> listening on all interfaces, to packets to udp port 5145
20:46 < jjjj> i see
20:55 < jjjj> where can i read about how to find where packets get stuck?
20:56 < jjjj> i dont see my ip on the server when pinging from home, and checking netstat
21:04 < jjjj> Bushmills: thanks anyway, i will let my isp handle it
21:04 -!- jjjj [noone@80.178.14.170.adsl.012.net.il] has quit []
21:53 -!- mode/##openvpn [+o ecrist] by ChanServ
21:53 -!- mode/##openvpn [-bbbb *!*vernr@212.117.165.* Iskorptix_!*@* *!*@193.139.191.* *!*@steinsel.perfect-privacy.com] by ecrist
21:53 -!- mode/##openvpn [-bbbb *!*angevin@*.cable.mindspring.com *!*SoulMast@*.telia.com *!*bios@121.243.61.* *!*@*.ice.net] by ecrist
21:53 -!- mode/##openvpn [-bbbb *!*flaccid*@* *!*chris@220.233.185.* *!*uned@*tor* *!*jimi@*.rr.com] by ecrist
21:53 -!- mode/##openvpn [-bbbb *!*dusty@*.as9105.com *!*@unaffiliated/nou *!*@gateway/web/ajax/mibbit.com/* *!*chatzill@*.fbx.proxad.net] by ecrist
21:53 -!- mode/##openvpn [-bbbb *!*@adsl-76-252-191-193.dsl.bltnin.sbcglobal.net *!*@@209.17.190.* mgs`*!*@* eX|Nazha!*@*] by ecrist
21:53 -!- mode/##openvpn [-bbbb *!*nchin@* *!*@60.53.50.84 *!*root@* *!*platyna@*platinum.edu.pl] by ecrist
21:53 -!- mode/##openvpn [-bbb *!*mekulc@*.telia.com *!*@h156n2fls32o256.telia.com *!*@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] by ecrist
21:53 -!- mode/##openvpn [-bbbb *!*angevin@*.cable.mindspring.com *!*SoulMast@*.telia.com *!*bios@121.243.61.* *!*@*.ice.net] by ecrist
21:53 -!- mode/##openvpn [-bbbb *!*flaccid*@* *!*chris@220.233.185.* *!*uned@*tor* *!*jimi@*.rr.com] by ecrist
21:53 -!- mode/##openvpn [-bbbb *!*dusty@*.as9105.com *!*@unaffiliated/nou *!*@gateway/web/ajax/mibbit.com/* *!*chatzill@*.fbx.proxad.net] by ecrist
21:53 -!- mode/##openvpn [-bbbb *!*@adsl-76-252-191-193.dsl.bltnin.sbcglobal.net *!*@@209.17.190.* mgs`*!*@* eX|Nazha!*@*] by ecrist
21:53 -!- mode/##openvpn [-bbbb *!*nchin@* *!*@60.53.50.84 *!*root@* *!*platyna@*platinum.edu.pl] by ecrist
21:53 -!- mode/##openvpn [-bbb *!*mekulc@*.telia.com *!*@h156n2fls32o256.telia.com *!*@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] by ecrist
21:53 -!- mode/##openvpn [-bbbb *!*flaccid*@* *!*chris@220.233.185.* *!*uned@*tor* *!*jimi@*.rr.com] by ecrist
21:53 -!- mode/##openvpn [-bbbb *!*dusty@*.as9105.com *!*@unaffiliated/nou *!*@gateway/web/ajax/mibbit.com/* *!*chatzill@*.fbx.proxad.net] by ecrist
21:53 -!- Irssi: No bans in channel ##openvpn
21:53 -!- mode/##openvpn [-bbbb *!*@adsl-76-252-191-193.dsl.bltnin.sbcglobal.net *!*@@209.17.190.* mgs`*!*@* eX|Nazha!*@*] by ecrist
21:53 -!- mode/##openvpn [-bbbb *!*nchin@* *!*@60.53.50.84 *!*root@* *!*platyna@*platinum.edu.pl] by ecrist
21:54 -!- mode/##openvpn [-bbb *!*mekulc@*.telia.com *!*@h156n2fls32o256.telia.com *!*@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] by ecrist
21:54 -!- mode/##openvpn [-bbbb *!*dusty@*.as9105.com *!*@unaffiliated/nou *!*@gateway/web/ajax/mibbit.com/* *!*chatzill@*.fbx.proxad.net] by ecrist
21:54 -!- mode/##openvpn [-bbbb *!*@adsl-76-252-191-193.dsl.bltnin.sbcglobal.net *!*@@209.17.190.* mgs`*!*@* eX|Nazha!*@*] by ecrist
21:54 -!- mode/##openvpn [-bbbb *!*nchin@* *!*@60.53.50.84 *!*root@* *!*platyna@*platinum.edu.pl] by ecrist
21:54 -!- mode/##openvpn [-bbb *!*mekulc@*.telia.com *!*@h156n2fls32o256.telia.com *!*@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] by ecrist
21:54 -!- mode/##openvpn [-bbbb *!*@adsl-76-252-191-193.dsl.bltnin.sbcglobal.net *!*@@209.17.190.* mgs`*!*@* eX|Nazha!*@*] by ecrist
21:54 -!- mode/##openvpn [-bbbb *!*nchin@* *!*@60.53.50.84 *!*root@* *!*platyna@*platinum.edu.pl] by ecrist
21:54 -!- mode/##openvpn [-bbb *!*mekulc@*.telia.com *!*@h156n2fls32o256.telia.com *!*@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] by ecrist
21:54 -!- mode/##openvpn [-bbbb *!*nchin@* *!*@60.53.50.84 *!*root@* *!*platyna@*platinum.edu.pl] by ecrist
21:54 -!- mode/##openvpn [-bbb *!*mekulc@*.telia.com *!*@h156n2fls32o256.telia.com *!*@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] by ecrist
21:54 -!- mode/##openvpn [-bbb *!*mekulc@*.telia.com *!*@h156n2fls32o256.telia.com *!*@adsl-75-15-180-83.dsl.bkfd14.sbcglobal.net] by ecrist
21:54 -!- mode/##openvpn [-o ecrist] by ecrist
21:54 < ecrist> arrghh
21:54 < ecrist> sorry for the noise.
21:54 -!- Irssi: No bans in channel ##openvpn
21:54 < theDoc> x.x
21:55 < ecrist> turns out /unban * works smartly
21:55 < ecrist> I overdid it a bit
21:56 < ecrist> 21:54 -!- Irssi: No bans in channel ##openvpn
21:56 < theDoc> ecrist> irssi on a mac?
21:56 < ecrist> why would you think irssi on a mac?
21:56 < theDoc> I like irssi.
21:57 < theDoc> I just have issues compiling macports on this box.
21:57 < ecrist> theDoc: I use screen + irssi on a freebsd box.
21:57 < theDoc> Ah, ok.
21:57 < theDoc> Maybe I should do that too.
21:58 < theDoc> but I'd need a server for a start
21:58 < theDoc> lol
21:58 < ecrist> devio.us
21:59 < ecrist> that's a URL, btw
21:59 < theDoc> Doesn't resolve for me
21:59 < theDoc> :/
21:59 < ecrist> devio.us has address 66.7.199.108
21:59 < ecrist> devio.us mail is handled by 1 mx.devio.us.
22:00 < theDoc> Oh wait, it works now.
22:28 < krzie> xchat 2.6.1 Darwin 9.8.0 [i386/2.16GHz/SMP]
22:28 < krzie> MacBookPro17 CPU: Genuine Intel T2600 2.16GHz @ 2.16GHz [SSE3/PAE/XD/VMX/EST/DualCore] L2: 2MB FSB: 664MHz Temp 40 C RAM: 834.1MB/2.0GB swap: 1081.27M/2048.00M Disk: 300.89GB/467.36GB GPU: ATY,RadeonX1600 [256 MB/HWCI/QE/Stock] 1680x1050 and 1920x1080@60Hz OS: Mac OS X 10.5.8 (9L30) Kernel: 9.8.0 Arch: 32 Bit
22:34 -!- roentgen [~arthur@miranda/user/roentgen] has joined ##openvpn
22:37 < ecrist> FreeBSD kenny.secure-computing.net 7.1-RELEASE-p6 FreeBSD 7.1-RELEASE-p6 #0: Tue Jun  9 16:26:47 UTC 2009     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386
22:39 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Quit: Leaving.]
22:46 -!- gopp [~gopp@ool-44c07f7c.dyn.optonline.net] has quit [Ping timeout: 265 seconds]
22:55 -!- LeRrA [~lerra@c-94-255-214-117.cust.bredband2.com] has quit [Ping timeout: 248 seconds]
23:01 -!- gopp [~gopp@ool-457137f1.dyn.optonline.net] has joined ##openvpn
23:17 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has joined ##openvpn
23:32 -!- gopp [~gopp@ool-457137f1.dyn.optonline.net] has quit [Ping timeout: 248 seconds]
--- Day changed Mon May 31 2010
00:07 -!- hyatt [~kora-chan@dyn-118-139-57-182.its.monash.edu.au] has joined ##openvpn
00:11 < hyatt> hi, i have a setup of openvpn where i esstablish a point to point tunnel between two hosts with static ip addresses. the strange think is when i fire openvpn up it employs dhclient and all my other network interfaces get new addresses (b4 they had static ones) which messes up my network. is there any way to stop openvpn from broadcasting a dhclient request, since all the ips for the tunnel are static anyway there is no need for it. 
00:11 < hyatt> openvpnconf can be seen here (its pretty short) http://pastebin.com/ZtJyNFXN. thanks guys.
00:23 < Fiouz> do you have any logs? I'm not sure why OpenVPN would do that, isn't that triggered by your distro detecting a new interface?
00:24 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
00:24 -!- mode/##openvpn [+o mattock] by ChanServ
00:29 < hyatt> Fiouz: that might be the case i'll look into that. the strange thing is that it is requesting addresses for all interfaces, even the existing ones
00:29 < hyatt> but true this might more be a problem of the distro rather than openvpn, thanks
00:37 -!- roentgen [~arthur@miranda/user/roentgen] has joined ##openvpn
00:46 -!- hyatt [~kora-chan@dyn-118-139-57-182.its.monash.edu.au] has quit [Quit: hyatt]
00:47 < kisom> morning boys
01:07 -!- kurzweil4 [~someone@24.145.141.56] has joined ##openvpn
01:08 < kurzweil4> I installed OpenVPN onto my CentOS server ...and it automatically opened a port during the configuration process ...I did not add anything to the iptables file to open the web admin port ...so how was the port opened? thanks
01:08 -!- DrPepper [~DrPepper@ks27450.kimsufi.com] has quit [Ping timeout: 240 seconds]
01:10 < theDoc> How did you find that the port is open?
01:10 < theDoc> Open ports != security risk unless you have unwanted services listening on that port.
01:10 < kurzweil4> I found that the port was open by going to the web admin page
01:10 < kurzweil4> (web admin of OpenVPN)
01:11 < kurzweil4> anything else I have installed ..I had to go into the iptables file and allow traffic on that port
01:11 < theDoc> If that port is closed or not responding to requests, how exactly are people going to get to the web admin page?
01:12 < kurzweil4> it is responding ..that is how I am able to look at the web admin page ...I just don't know how the installation opened that port
01:13 < theDoc> Pre-configured iptables script evidently.
01:13 < kurzweil4> any idea how that works on CentOS?
01:14 < kurzweil4> this is the first time I have come across something automatic like this ...so I just want to make sure I understand how it works
01:14 -!- DrPepper [~DrPepper@88.207.183.72] has joined ##openvpn
01:14 < theDoc> kurzweil4> Where did you get this openvpn package from?
01:14 < Bushmills> kurzweil4: openvpn doesn'r modify any firewall settings
01:14 < kurzweil4> I downloaded it from the openvpn site
01:14 < theDoc> Access server or the OSS openvpn?
01:15 < kurzweil4> access server
01:15 < theDoc> access server *WILL* modify your iptables upon installation.
01:16 < kurzweil4> ok ...not a big deal ...I just like to make sure I understand how it does that
01:16 < Bushmills> it is correct when it "opens" a port, as it has to listen to the net. but when the port it binds to was blocked by firewall, it still will be so after openvpn was started
01:16 < theDoc> !access-server
01:16 < vpnHelper> theDoc: "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
01:16 < vpnHelper> theDoc: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://beta.openvpn.net/index.php/access-server/download-openvpn-as.html, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
01:18 -!- b0nn [~shane@202-180-91-108.callplus.net.nz] has joined ##openvpn
01:18 < b0nn> hmm
01:18 < b0nn> I am doing something wrong, my client cannot connect to the server, and I am not sure why
01:18 < theDoc> !logs
01:18 < vpnHelper> theDoc: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
01:18 < b0nn> read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
01:19 < b0nn> a few hundred of those :D
01:19 < theDoc> That can mean anything.
01:19 < Bushmills> b0nn: that's usually caused by incorrect configuration
01:19 < b0nn> ok
01:19 < kurzweil4> Bushmills: there is no entry in my iptables file for the port that my web admin is on ...so it must be some kind of auto-configuration script
01:19 < b0nn> I'll paste server.conf or client.conf?
01:19 < Bushmills> kurzweil4: my replay partains to openvpn, not to access server
01:19 < Bushmills> reply
01:19 < kurzweil4> ok ..gotcha
01:20 < Bushmills> b0nn: and the solution is to fix it
01:20 < b0nn> I see
01:23 < b0nn> http://pastebin.com/kpJycsiu
01:26 < b0nn> also, the firewalls on both machines have been shutdown
01:27 < theDoc> Looks like your service wasn't started or something.
01:27 < theDoc> b0nn> Just to make sure, your openvpn service was started right?
01:27 < Bushmills> http://scarydevilmonastery.net/snap/1275287254066155496d.png
01:28 -!- roentgen [~arthur@miranda/user/roentgen] has left ##openvpn ["Leaving."]
01:28 < b0nn> yes, # openvpn /etc/openvpn/openvpn.conv
01:28 < b0nn> er conf
01:28 < theDoc> Can you paste the entire connection log?
01:28 < theDoc> From your client?
01:29 < kurzweil4> theDoc: which authentication method do you recommend?
01:29 < Bushmills> the one which makes most sense for you
01:29 < b0nn> http://pastebin.com/M0XRxjqa
01:29 < theDoc> kurzweil4> You run what you can manage.
01:30 < kurzweil4> is my assumption correct that RADIUS would be most secure?
01:30 < theDoc> b0nn> Refer to Bushmill's link. enable comp-lzo
01:30 < theDoc> kurzweil4> radius does AAA, nothing with security at all.
01:30 < kurzweil4> so then is LDAP more secure?
01:31 < b0nn> enable comp-lzo?
01:31 < Bushmills> kurzweil4: preshared keys have same level of security if you have a trustable way to pass keys and certs to client
01:31 < kurzweil4> Bushmills: what do you use?
01:31 < theDoc> b0nn> Yes, on your client.
01:31 < Bushmills> preshared keys
01:32 < Bushmills> authentication by signed keys
01:32 < theDoc> PAM/RADIUS/LDAP are really different ways of handling userauth.
01:32 < b0nn> sorry, am trying to find the syntax
01:32 < b0nn> is it just "comp-lzo" 
01:32 < theDoc> I still feel it comes down to how you want to manage users, not so much of how to get started.
01:32 < theDoc> b0nn> Yep.
01:33 < kurzweil4> with PAM ..that means that each user will have a shell account ..right?
01:33 < theDoc> Not necessarily.
01:33 < b0nn> http://pastebin.com/N4WjQysr
01:38 < b0nn> hmm
01:38 < b0nn> I don't think traffic is leaving the client
01:39 < b0nn> what route command do I use to ensure all traffic meant for 172.20.0.1 goes over 192.168.1.1
01:40 < Bushmills> ping server
01:40 < b0nn> from?
01:40 < Bushmills> (on its vpn address).  from client
01:40 < b0nn> os
01:40 < b0nn> nothing
01:40 < b0nn> it's taking the wrong route
01:42 < hyper_ch> !route
01:42 < vpnHelper> hyper_ch: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
01:42 < Bushmills> does  ifconfig  on client show you a tun0 interface?
01:43 < b0nn> yes
01:43 < b0nn> I have a default route on eth0, so I can use the internet from this machine
01:43 < Bushmills> do you have route table entry relating to that tun interface?
01:44 < b0nn> 172.20.0.1      *               255.255.255.255 UH    0      0        0 tun0
01:44 < b0nn> I'll pastebin the whole route table
01:44 < Bushmills> what are server and client vpn ip addresses?
01:44 < b0nn> http://pastebin.com/eMBBHQ8x
01:45 < kurzweil4> I notice that my install created an openvn_as user ...is this secure? ..I have no clue what it may have used as a default password
01:46 < Bushmills> usually, that *is* secure, as it gives openvpn a dedicated user to change ownership to when it drops privileges
01:46 < theDoc> I don't think openvpn_as is giving a shell.
01:46 < Bushmills> many services do, and those users don't have a password
01:47 < theDoc> I could be wrong but check before anything.
01:47 < Bushmills> though be aware that you get  openvpn replies here, not access server replies
01:48 < kurzweil4> ah ...sorry
01:48 < Bushmills> what may be right for one, may be incorrect for the other
01:48 < b0nn> you can grep /etc/passwd and check if openvpn_as has a valid shell
01:48 < kurzweil4> I did indeed check that ...and it does
01:48 < kurzweil4> it had a home directory and it assigned bash as the shell
01:48 < b0nn> weird
01:49 < b0nn> I would have thought /bin/false
01:49 < kurzweil4> I guess I have to just pray that the password is random and lengthy
01:49 < Bushmills> openvpn_as  suggests that it may be used to execute scripts or programs as user openvpn
01:49 < b0nn> at any rate, in order for this to work, I have to pull the wired plug out
01:49 < Bushmills> as such, as shell would be needed
01:50 < Bushmills> but you better check that with access server support channels
01:50 < b0nn> indeed. nobody is assigned /bin/sh on my machine
01:50 < b0nn> bbs
01:50 -!- b0nn [~shane@202-180-91-108.callplus.net.nz] has quit [Quit: leaving]
01:51 < kurzweil4> Bushmills: are you referring to support on the web site or another channel here?
01:51 < Bushmills> web site
01:51 < Bushmills> !access server
01:51 < kurzweil4> ok
01:51 < vpnHelper> Bushmills: Error: "access" is not a valid command.
01:51 < Bushmills> !access_server
01:51 < vpnHelper> Bushmills: "access_server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
01:51 < vpnHelper> Bushmills: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://beta.openvpn.net/index.php/access-server/download-openvpn-as.html, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
01:51 < Bushmills> !as
01:51 < vpnHelper> Bushmills: Error: "as" is not a valid command.
01:52 < Bushmills> !factoids search access
01:52 < vpnHelper> Bushmills: "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
01:52 < vpnHelper> Bushmills: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://beta.openvpn.net/index.php/access-server/download-openvpn-as.html, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
02:02 < krzie> !learn as as [access-server]
02:02 < vpnHelper> krzie: Joo got it.
02:02 < krzie> !as
02:02 < vpnHelper> krzie: Error: "as" is not a valid command.
02:02 < krzie> heh
02:02 < krzie> !learn AS as [access-server]
02:02 < vpnHelper> krzie: Joo got it.
02:02 < krzie> !AS
02:02 < vpnHelper> krzie: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
02:02 < vpnHelper> krzie: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://beta.openvpn.net/index.php/access-server/download-openvpn-as.html, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
02:03 < krzie> i guess as cant be used
02:04 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has quit [Ping timeout: 264 seconds]
02:07 -!- b0nn [~shane@202-180-91-108.callplus.net.nz] has joined ##openvpn
02:07 < b0nn> still no luck
02:09 < b0nn> so, on the server I can ping tun0
02:09 < b0nn> but, from the client I cannot ping the tun0 on the server
02:09 < krzie> ping doesnt take devices :-p
02:09 < b0nn> :)
02:09 < krzie> what ips are you pinging?
02:10 < b0nn> 172.20.0.1 is tun0 on the server
02:10 < b0nn> 192.168.7.1 is wlan0 on the server
02:10 < b0nn> I can ping 192.168.7.1 from the client
02:10 < b0nn> but not 172.20.0.1
02:10 < b0nn> I presume this is the problem?
02:11 < krzie> and the server can ping what ip
02:11 < Bushmills> -r     Bypass the normal routing tables and send directly to a host  on an  attached  interface.
02:11 < b0nn> the server can ping 172.20.0.1
02:11 < Bushmills> (from ping man page)
02:11 < krzie> the server can ping its own ip...? so?
02:11 < b0nn> so, what was your question
02:12 < krzie> whats the clients tun ip?
02:12 < krzie> 172.20.0.6?
02:12 < b0nn> 172.20.0.2
02:12 < krzie> you're using topology subnet or tap?
02:12 < krzie> or ptp?
02:12 < b0nn> and no, it cannot
02:12 < b0nn> don't know how to answer that
02:12 < krzie> !configs
02:12 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
02:13 < b0nn> hmm, I did
02:13 < b0nn> a whiles back
02:13 < krzie> if you have changed nothing, repost the link pls
02:13 < b0nn> hmm
02:13 < b0nn> I forget the link
02:13 < Bushmills> comment alert
02:13 < b0nn> oh, yeah
02:13 < b0nn> heaps of comments :)
02:13 < krzie> if there was comments, repost as my bot said
02:14 < krzie> !configs
02:14 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
02:14 -!- kurzweil4 [~someone@24.145.141.56] has quit [Ping timeout: 260 seconds]
02:17 < b0nn> http://pastebin.com/ysVb4rPu
02:19 < krzie> remote ifconfig from client
02:19 < b0nn> ?
02:19 < krzie> server command in server config will deal with assigning ips
02:19 < krzie> see --server in the manual
02:20 < krzie> secondly
02:20 < b0nn> what are you talking about?
02:20 < krzie> im talking about you need to delete the ifconfig line in your client config
02:20 < krzie> is that a confusing statement?
02:20 < krzie> read --server in the manual to understand why
02:20 < b0nn> it is if you dont supply the context
02:20 < krzie> !man
02:20 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
02:21 < krzie> the context is you shouldnt have it there
02:21 < krzie> also, is this for securing wireless?
02:21 < b0nn> yes
02:21 < krzie> !local
02:21 < vpnHelper> krzie: "local" is a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
02:22 < b0nn> so, just "local"?
02:22 < krzie> meh
02:22 < krzie> read!
02:22 < b0nn> ...
02:22 < krzie> see --redirect-gateway in the manual
02:22 < b0nn> rofl, a little more context is always helpful
02:22 < krzie> "local" is a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
02:22 < krzie> the context is in the manual!
02:23 < b0nn> only if I knew you were talking about the manual
02:23 < b0nn> look, I'm not trying to start something, I just don't have an idea of what you are talking about. What seems obvious to you isn't to me
02:24 < krzie> what im saying is to read certain sections of the manual to understand
02:24 < krzie> for why you dont need ifconfig in a client config, see --server
02:25 < krzie> when you understand what --server does, you will know why not to use ifconfig in a client config when using server option
02:25 < krzie> for understanding why you need local in --redirect-gateway, see --redirect-gateway
02:25 < krzie> !man
02:25 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
02:28 < krzie> you say you didnt know i meant the manual...
02:28 < krzie> [03:20]  <krzie> read --server in the manual to understand why
02:28 < krzie> [03:22]  <krzie> see --redirect-gateway in the manual
02:28 < krzie> ;]
02:29 < b0nn> actually, the first thing you said, which was confusing, was remote, when you meant remove
02:29 < krzie> oh lol i see that typo now
02:29 < krzie> my bad
02:29 < b0nn> sorry
02:29 < b0nn> it threw me from the get go
02:30 < krzie> makes sense, sneaky lil 't'
02:30 < b0nn> I have added a redirect-gateway to the cleint script
02:30 < krzie> umm dude
02:30 < krzie> why
02:31 < krzie> you already push it from server config
02:31 < krzie> !push
02:31 < vpnHelper> krzie: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
02:31 < krzie> what you need to do is add the local flag
02:31 < b0nn> oh, I thought the push pushed like dhcp
02:31 < b0nn> but only ips, and dns
02:31 < krzie> also, delete your ipp.txt
02:32 < krzie> you may want to lose that ipp command all together
02:32 < krzie> !ipp
02:32 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
02:33 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 264 seconds]
02:33 < b0nn> !static
02:33 < vpnHelper> b0nn: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
02:34 < b0nn> I think I have found the problem
02:34 < b0nn> Mon May 31 19:33:53 2010 /usr/sbin/openvpn-vulnkey -q /etc/openvpn/static.key
02:34 < krzie> thats not a problem
02:34 < krzie> the ifconfig was your problem
02:35 < krzie> and heres why
02:35 < krzie> !/30
02:35 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
02:35 < krzie> the first client ip needs to be .6 :-p
02:35 < krzie> remove the ipp.txt file
02:35 < b0nn> I did
02:35 < b0nn> and there was no change
02:35 < krzie> and remove the ifconfig from your client
02:35 < b0nn> again, I did, no change
02:36 < krzie> !logs
02:36 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
02:36 < krzie> there most certainly will be a change, you will get .6 instead of trying to have .2
02:36 < krzie> hehe
02:36 < krzie> whether that makes it work or not could be a diff story ;]
02:37 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:39 < b0nn> hmm, well I've just broken the static key
02:40 < b0nn> in fact, I am sure that key exchange is the issue 
02:42 < krzie> ok
02:42 < krzie> h wai
02:42 < krzie> oh wait
02:42 < krzie> you're right
02:42 < krzie> LOL
02:42 < krzie> client is using ptp style static key
02:42 < b0nn> yeah
02:42 < krzie> server is using server/client style PKI keys
02:42 < krzie> you need to choose 1
02:43 < b0nn> originally this was a one client, one server network
02:43 < krzie> and do the same on both ;]
02:43 < b0nn> now it is a multi client
02:43 < krzie> then your client needs certs
02:43 < krzie> no more static key
02:43 < b0nn> I have built the server correctly, I think, I now need to sort the client out
02:43 < b0nn> yeah
02:43 < b0nn> drop that static key line from the conf
02:43 < b0nn> I have the certs
02:43 < krzie> yup
02:43 < krzie> add cert lines
02:44 < krzie> and a line that says client
02:44 < krzie> like here
02:44 < krzie> !sample
02:44 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
02:44 < krzie> you can remove keep-alive from client
02:44 < krzie> its being over-written by server's keepalive anyways
02:45 < b0nn> ok
02:46 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
02:49 < b0nn> hmm I forget the authentication method
02:49 < b0nn> I have several .pem files, I suspect...
02:50 < krzie> what are you talking about?
02:50 < krzie> the auth method...
02:50 < krzie> the certs ARE the auth method ;)
02:50 < b0nn> tls
02:50 < b0nn> I don't have a tls cert
02:51 < krzie> RSA
02:51 < krzie> !pki
02:51 < vpnHelper> krzie: Error: "pki" is not a valid command.
02:51 < krzie> !certs
02:51 < vpnHelper> krzie: "certs" is (#1) use !easy-rsa-unix for easy-rsa, or (#2) use !ssl-admin for ecrists copy of ssl-admin to make and manage your certs
02:51 < b0nn> I used easy-rsa
02:51 < krzie> then you have the certs, use them
02:52 < b0nn> but in easy-rsa/2.0/keys, I am not sure which key was for auth
02:52 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 264 seconds]
02:52 < b0nn> Mon May 31 19:47:10 2010 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
02:52 < krzie> thats ALL they are for
02:52 < krzie> !servercert
02:52 < vpnHelper> krzie: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mitm
02:52 < krzie> !mitm
02:52 < vpnHelper> krzie: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
02:52 -!- kurzweil4 [~someone@24.145.141.56] has joined ##openvpn
02:52 < b0nn> there, server.csr
02:52 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Connection reset by peer]
02:52 < krzie> the certs are ONLY for auth
02:53 < krzie> meh
02:53 < krzie> in the howto section on using easy-rsa it explains what files go where
02:53 < krzie> a csr is just an cert before it was signed by the ca
02:53 < krzie> useless basically
02:53 < b0nn> oh
02:54 < kurzweil4> anyone here successfully using the certs from a trusted certificate authority?
02:55 < Bushmills> krzee:  the medium sized ET clone just arrived
02:55 < krzie> kurzweil4, yes, from the certificate authority i trust most... me
02:55 < krzie> Bushmills, nice!
02:55 < krzie> how is it
02:55 < kurzweil4> I mean something that is not self-signed :-P
02:57 < Bushmills> that part looks like ... business
02:57 < Bushmills> has a mean look
02:58 < Bushmills> well built, first impression
02:58 < theDoc> I wouldn't trust any vpn servers that aren't signed by a CA.
02:58 < theDoc> and no, self-signed certs aren't acceptable ;p
02:59 < krzie> umm
02:59 < Bushmills> no slack.  a tad tail-heavy
02:59 < krzie> theDoc, you wouldnt trust your OWN ca?
02:59 < theDoc> krzee> if I were buying vpn services.
02:59 < theDoc> I'd trust my own CA, if I'm the only person using it
02:59 < krzie> i ONLY trust my own, why would i want one where some 3rd party can sign certs
02:59 < krzie> i want it to be self-signed
03:00 < theDoc> krzee> Unfortunately, the consumer that pays money to get access to it doesn't know better.
03:00 < krzie> using a 3rd party CA sounds goofy to me
03:00 < theDoc> All they see is, certificate is invalid.
03:00 -!- kurzweil4 [~someone@24.145.141.56] has quit [Ping timeout: 264 seconds]
03:00 < krzie> theDoc, you seem to be misunderstanding something
03:00 < krzie> ca.key is the cornerstone to PKI
03:00 < krzie> whoever has ca.key can sign any certs
03:01 < krzie> i prefer that to be whoever runs the server
03:01 < krzie> (for me, that is always me)
03:01 < theDoc> Yes, that's correct for the signing procedure but what I'm saying is that, for the consumer that is buying things online, self-signed certs don't make the cut.
03:02 < krzie> he wouldnt know
03:02 < theDoc> and that problem stems from the browser throwing up invalid cert errors.
03:02 < theDoc> If it's self-signed.
03:02 < krzie> oh, browser
03:02 < krzie> you are not talking about openvpn...
03:02 < theDoc> Oh no.
03:02 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
03:02 < theDoc> I was referring to certs in general
03:03 < krzie> i see
03:03 < krzie> very different for browser than openvpn
03:03 < theDoc> True that.
03:03 < krzie> cause your browser doesnt have their ca.crt to check their cert against
03:03 < krzie> your openvpn setup does
03:03 < theDoc> Yep.
03:04 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
03:06 < networkn> Hi, I have an sbs server I have been asked to look after. On it is vmware with openvpn. They have 4 pc's connected to the domain, and one of the pc's needs to move down the road to a new location but still fully participate on the local network. I understand in order for that to occur, I need to setup a bridge, so that the pc in the remote location can access resources on the old location...
03:07 < krzie> you only need a bridge for layer2
03:07 < krzie> !tunortap
03:07 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
03:07 < vpnHelper> krzie: against you over the vpn, or (#4) lan gaming? use tap!
03:07 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
03:11 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Excess Flood]
03:13 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
03:18 -!- SmokeyD [~dolf@f12099.upc-f.chello.nl] has joined ##openvpn
03:21 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
03:25 < SmokeyD> hey veryone, Can I use OpenVPN in a bi-directional way, both from client to server, but also to access files on the client from the server once a connection has been established from the client?
03:25 < krzie> sure
03:25 < Bushmills> SmokeyD: same as you can with a network patch cable 
03:25 < SmokeyD> Bushmills: ok
03:27 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
03:28 < krzie> b0nn, 
03:28 < krzie> fyi
03:28 < krzie> !verb
03:28 < vpnHelper> krzie: Error: "verb" is not a valid command.
03:28 < krzie> bleh
03:28 < krzie> !learn verb as verb command is for setting log verbosity, see --verb in the manual (!man) for more info
03:28 < vpnHelper> krzie: Joo got it.
03:29 < krzie> !learn verb as verb 5 is good for debugging, verb 3 is good for normal usage
03:29 < vpnHelper> krzie: Joo got it.
03:29 < krzie> !verb
03:29 < vpnHelper> krzie: "verb" is (#1) verb command is for setting log verbosity, see --verb in the manual (!man) for more info, or (#2) verb 5 is good for debugging, verb 3 is good for normal usage
03:29 < krzie> verb 9 in your config will make your logs way too hard to read
03:29 -!- b0nn_ [~shane@202-180-91-108.callplus.net.nz] has joined ##openvpn
03:30 < krzie> hehe
03:30 -!- b0nn [~shane@202-180-91-108.callplus.net.nz] has quit [Quit: Reconnecting]
03:30 < krzie> b0nn, fyi
03:30 < krzie> [04:29]  <krzie> !verb
03:30 < krzie> [04:29]  <vpnHelper> krzie: "verb" is (#1) verb command is for setting log verbosity, see --verb in the manual (!man) for more info, or (#2) verb 5 is good for debugging, verb 3 is good for normal usage
03:30 < krzie> [04:29]  <krzie> verb 9 in your config will make your logs way too hard to read
03:30 < networkn> krzie: layer 2?
03:31 < krzie> you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun.
03:36 < networkn> give me an example of layer 2 vs ip traffic? I have seperated a computer from this lan, and need it to participate back on the network across a vpn
03:37 < krzie> layer3 accesses things b ip, layer2 by mac address
03:37 < krzie> s/b/by/
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 < networkn> bridge == tun?
03:39 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:39 < krzie> bridge = tap = layer2
03:39 < krzie> routed = tun = layer3
03:42 < mwheeler> krzie: does openvpn compile on alpha ?
03:42 < mwheeler> erm, on openvms
03:42 < krzie> as in alpha-dec?
03:42 < krzie> no tun/tap device
03:42 < mwheeler> ah yeah :P
03:42 < krzie> and wow, im sorry to hear you have the displeasure of working on that
03:43 < mwheeler> haha, I have three new (well old) Alpha servers
03:43 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 260 seconds]
03:43 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
03:43 < mwheeler> Going to have some fun
03:43 < krzie> i had to configure an openvms/alpha box a few years ago
03:43 < krzie> theres like NO docs on it
03:43 < krzie> and its fuckin different
03:43 < mwheeler> indeed
03:44 -!- b0nn_ [~shane@202-180-91-108.callplus.net.nz] has quit [Ping timeout: 265 seconds]
03:44 < krzie> most secure os, because even if you give someone root, odds are they wont know wtf to do with it
03:44 < krzie> lol
03:44 < mwheeler> security through obsecurity 
03:44 < krzie> i did end up getting it rocking tho
03:44 < mwheeler> survided defcon 9 because of that
03:44 < krzie> and months later the fucker died, HW issue
03:45 < krzie> i was pissed
03:45 < mwheeler> haha, I know of a cluster that has been up longer than I have been :P
03:45 < krzie> hahaha
03:45 < krzie> gov?
03:45 < mwheeler> aliminium smelter
03:45 < krzie> pls tell me it uses DECNET
03:46 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
03:46 < mwheeler> I think it's on IP now
03:46 < mwheeler> but I could be wrong
03:46 < mwheeler> I stayed away from it
03:46 < mwheeler> http://www.flickr.com/photos/theskorm/4651332787/
03:46 < vpnHelper> Title: photo.JPG on Flickr - Photo Sharing! (at www.flickr.com)
03:46 < krzie> the alpha i configured was on DECNET before i changed it
03:46 < mwheeler> Aren't they pretty :P
03:46 < krzie> i loved that
03:47 < mwheeler> My iPhone is faster than those bricks :P
03:47 < krzie> oh dude, the one i worked on was way bigger
03:47 < krzie> it came on wheels
03:47 < krzie> fuckin monstrous 
03:48 < mwheeler> haha win
03:49 < krzie> it was the only thing that could write to a certain tape (as in tape drive)
03:49 < krzie> and the biz i was helping out made secure printer things to have bankroll signatures and stuff on
03:49 < krzie> so you could lock it in the safe until needed
03:50 < krzie> some gov entities had printers the size of a room, which used these tapes
03:50 < mwheeler> I have no idea what type of tape these things use
03:50 < krzie> very very old school stuffs
03:50 < mwheeler> I should prob try and find it, so I can back it up
03:50 < krzie> yanno you can run real unix on them too
03:50 < krzie> ;]
03:50 < mwheeler> yeah
03:51 -!- dazo_afk is now known as dazo
03:51 < krzie> if you get tired of openvms and all
03:51 < mwheeler> I don't have any hdd's for them yet, so I pxe bootied freebsd
03:51 < krzie> which you will!
03:51 < krzie> oh werd
03:51 < mwheeler> <3 FreeBSD
03:51 < krzie> one thing i liked about openvms, you can tab complete options to programs
03:52 < mwheeler> one thing I like about these servers, they have grep built into the firmware
03:52 < krzie> example, openvpn --redire<TAB> would finish --redirect-gateway
03:52 < mwheeler> yeah that's nifty
03:52 < mwheeler> Being used to working on Cisco routers I always try to tab complete options
03:53 < krzie> but ya, eventually you will want to KILL the wizard from HP's "ask the wizard" (aka the ONLY docs that exist)
03:53 < mwheeler> Also noted, tab completing your password does not work=
03:53 < krzie> tab completing your password, LOL
03:53 -!- BoomSie [~gideon@dw77242112238.amsterdam-tc.dataweb.net] has joined ##openvpn
03:53 < mwheeler> the googling I have done just redirected me to the HP OpenVMS generic site
03:54 < mwheeler> I have a VMS I can always ask or get him to send me the truck load of books
03:54 < mwheeler> Also got acepted today into the OpenVMS hobbyist program 
03:55 < krzie> oh badass!
03:55 < krzie> i had no books or people to talk to
03:55 < krzie> that will be worth its weight in gold!
03:55 < mwheeler> indeed
03:55 < krzie> seriously, i printed out hundreds of pages of anything i could find that said how to do *anything*
03:55 < krzie> and taught myself how it worked from that
03:56 < krzie> nothing said how to do anything i wanted, but i could figure it out from what i did find
03:56 < krzie> like basic syntax and whatnot
03:56 < mwheeler> Nothing like a google challenge 
03:56 < krzie> even using a path is weird!
03:56 < Bushmills> it appears the windows NT is based on VMS
03:56 < Bushmills> that
03:56 < mwheeler> oh yeah, I hoven't worked that out yet
03:57 < krzie> device:path/to/file iirc
03:57 < mwheeler> There is a few versions of NT that support Alpha
03:57 < mwheeler> Yeah I think so
03:57 < Bushmills> before MS could obscure its legacy :)
03:58 < krzie> lol
03:58 -!- SmokeyD [~dolf@f12099.upc-f.chello.nl] has left ##openvpn []
04:02 < krzie> !tcp
04:02 < vpnHelper> krzie: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
04:03 < krzie> !winroute
04:03 < vpnHelper> krzie: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
04:03 -!- blueboxthief [~None_of_y@86-45-83-157-dynamic.b-ras2.srl.dublin.eircom.net] has joined ##openvpn
04:08 -!- Jezekus [~Jezekus@adslctc-5314.adslcust.sbone.cz] has joined ##openvpn
04:09 < Jezekus> Hello
04:09 < dazo> !welcome
04:09 < vpnHelper> dazo: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:14 < Jezekus> A have tun server and client http://pastebin.org/295509 (configs) but client is unable co connect
04:14 < Jezekus> http://pastebin.org/295511 server log
04:15 < Jezekus> client side
04:15 < Jezekus> http://pastebin.org/295514
04:15 < krzie> pls reaste configs like this
04:15 < krzie> repaste*
04:15 < krzie> !configs
04:15 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
04:15 < krzie> (no comments)
04:16 < Bushmills> comp-lzo in client config, but not in server config
04:16 < Bushmills> either add to server or remove from client
04:16 < krzie> its in his server config
04:16 < krzie> under his keepalive
04:16 < krzie> but its a PITA to see with all those comments
04:17 < krzie> odds are its because of his paths in client config
04:17 < krzie> !fullpath
04:17 < vpnHelper> krzie: Error: "fullpath" is not a valid command.
04:17 < krzie> !factoids search path
04:17 < vpnHelper> krzie: 'path' and 'winpath'
04:17 < krzie> !path
04:17 < vpnHelper> krzie: "path" is always use full paths in your config file, it makes things easier
04:18 < Bushmills> oh, indeed. it is.  seen  ######### as a file delimiter
04:19 < mwheeler> !dinner
04:19 < vpnHelper> mwheeler: Error: "dinner" is not a valid command.
04:19 < Jezekus> http://pastebin.com/2KRUJvtG server
04:19 < mwheeler> One can only try -_-
04:20 < krzie> 172.17.23.0 255.255.255.0 is a lan behind the client KHS, right?
04:20 < Jezekus> krzie: yes
04:21 < krzie> do you want the server to reach 172.17.23.0 255.255.255.0 over the vpn?
04:21 < krzie> do you want other clients to reach 172.17.23.0 255.255.255.0 over the vpn?
04:21 < Jezekus> no I want connect client jezek as it's in client config, I only need jezek to reach server
04:22 < krzie> then why the iroute?
04:22 < krzie> !iroute
04:22 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
04:23 < krzie> without a corresponding route entry, the iroute should never really come into play, since no packets headed twords 172.17.23.0 255.255.255.0 will ever make it to the openvpn process
04:23 < krzie> but ya, use full paths
04:23 < krzie> !path
04:23 < vpnHelper> krzie: "path" is always use full paths in your config file, it makes things easier
04:23 < krzie> !winpath
04:23 < Bushmills> !beer
04:23 < vpnHelper> krzie: "winpath" is Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key"
04:23 < vpnHelper> Bushmills: Error: "beer" is not a valid command.
04:24 < Jezekus> http://pastebin.com/bN2C1Qj4
04:24 < Jezekus> client
04:25 < krzie> remove pull and tls-client, add the word client
04:26 < Jezekus> ok
04:26 < krzie> then try again, and
04:26 < krzie> !logs
04:26 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
04:27 < Jezekus> http://pastebin.com/xYidTTxZ server
04:27 < Bushmills> !declare beer=dinner
04:27 < vpnHelper> Bushmills: Error: "declare" is not a valid command.
04:27 < Bushmills> hm
04:27 < krzie> you can remove both port entries in server and just use port command btw
04:27 < krzie> --port port 
04:27 < krzie> TCP/UDP port number for both local and remote. The current default of 1194 represents the official IANA port number assignment for OpenVPN and has been used since version 2.0-beta17. Previous versions used port 5000 as the default. 
04:27 < krzie> --lport port 
04:27 < krzie> TCP/UDP port number for bind. 
04:27 < krzie> --rport port 
04:27 < krzie> TCP/UDP port number for remote.
04:28 < krzie> in fact in your server rport does nothing, since there is no remote entry
04:28 < Jezekus> http://pastebin.com/8BFfSWXF client log
04:28 < krzie> !learn beer as its what's for dinner!
04:28 < vpnHelper> krzie: Joo got it.
04:29 < krzie> first off
04:30 < krzie> you're using a very very old version
04:30 < Jezekus> server or client?
04:30 < krzie> 2.0.9
04:30 < krzie> download
04:30 < krzie> you should upgrade
04:30 < krzie> !download
04:30 < vpnHelper> krzie: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
04:30 < Jezekus> client is centos repo
04:30 < krzie> if your OS cant stay current, install from source
04:31 < Jezekus> well I have only problem with this only server, I have other server using tap device and it's working like a charm
04:31 < krzie> im still waiting for server log as well
04:32 < Jezekus> http://pastebin.com/xYidTTxZ server logs
04:32 < Jezekus> I put them few minutes ago
04:32 < krzie> i wanted the new one
04:32 < krzie> after the changes i said
04:32 < krzie> you gave me a new one for the client...
04:34 < Jezekus> oh :-( I have a little problem there, I have 2 clients online right now on the server
04:35 < krzie> ok
04:35 < krzie> at least that rules out path issue on server
04:35 < Jezekus> yes for sure
04:35 < krzie> new log from when client connects pls
04:36 < Jezekus> http://pastebin.com/3nXBRRyG
04:37 < krzie> !certverify
04:37 < vpnHelper> krzie: "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
04:38 < Bushmills> "but client is unable co connect"  ...  "I have 2 clients online right now" ... ??
04:38 < krzie> 1 specific client is unable
04:39 < Jezekus> yes that's it
04:39 < Bushmills> should be easy then. look what is different
04:39 < Jezekus> it looks like a certificate problem
04:39 < krzie> !certverify
04:39 < vpnHelper> krzie: "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
04:41 < Jezekus> http://pastebin.com/HZiJs1Qp there's the problem
04:44 < krzie> so one of your files is bad
04:44 < krzie> you can md5 the ca.crt on both sides... must be equal
04:44 < Jezekus> I try to regenerate my client cert
04:44 < krzie> if it is equal, resend the cert file
04:49 < Jezekus> what do i need for creating client certificate? I have ca.crt and ca.key
04:50 < Jezekus> I need a pem file right?
04:51 < krzie> nope
04:51 < krzie> its kinda either or
04:51 < krzie> the pem is multiple files in 1
04:51 < Jezekus> great
04:52 < krzie> the howto goes over making certs well
04:52 < krzie> !howto
04:52 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
04:56 < Jezekus> I'm unable to force easy-rsa utility use my old ca.crt because someone (don't ask who) used this dir for generating another ca and clients certs
04:56 < krzie> sorry, cant help ya there
04:56 < krzie> but you know the problem... so now you get to fix it ;]
04:57 < Jezekus> I'll try it manualy generate it, thanks a lot
04:57 < krzie> yw
05:01 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
05:08 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
05:10 < Jezekus> :-( still stucked
05:10 < Jezekus> now getting error self signed certificate in certificate chain
05:11 < Jezekus> I'm giving up for now, thanks and bye
05:11 -!- Jezekus [~Jezekus@adslctc-5314.adslcust.sbone.cz] has quit [Quit: Jezekus]
05:19 < mwheeler> hehe
05:31 -!- tw-oic [~silverfis@c-98-223-105-100.hsd1.in.comcast.net] has joined ##openvpn
05:32 -!- tw [~silverfis@c-98-223-105-100.hsd1.in.comcast.net] has quit [Ping timeout: 264 seconds]
05:41 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
05:41 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
05:47 -!- svinkels [~svinkels@seb44-1-88-163-78-7.fbx.proxad.net] has quit [Read error: No route to host]
05:51 -!- specnaz [~martin@193.145.150.120] has joined ##openvpn
06:01 -!- ahf [ahf@irssi/staff/ahf] has quit [Ping timeout: 258 seconds]
06:03 -!- theDoc [~jaki@bb121-6-175-9.singnet.com.sg] has joined ##openvpn
06:05 -!- theDoc [~jaki@bb121-6-175-9.singnet.com.sg] has quit [Client Quit]
06:07 -!- thunderstrike [~thunderst@static-mum-120.63.240.52.mtnl.net.in] has joined ##openvpn
06:07 -!- ahf [ahf@irssi/staff/ahf] has joined ##openvpn
06:17 -!- hyatt [~kora-chan@110-174-77-158.static.tpgi.com.au] has joined ##openvpn
06:19 -!- hyatt [~kora-chan@110-174-77-158.static.tpgi.com.au] has quit [Client Quit]
06:20 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
06:20 -!- hyatt [~kora-chan@110-174-77-158.static.tpgi.com.au] has joined ##openvpn
06:24 -!- specnaz [~martin@193.145.150.120] has quit [Ping timeout: 248 seconds]
06:26 < hyatt> hi, i am using quagga configured with rip  and openvpn according to this tutorial http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting. the strange this is, if i add new routes to quagge (which is done via the python script at the bottom of the page), quagga does not spread all new routes accross routers, only some. is there a way to enforce rip to spread all new routes? 
06:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:41 -!- specnaz [~martin@193.145.150.120] has joined ##openvpn
06:42 < krzie> hyatt, 
06:42 -!- specnaz [~martin@193.145.150.120] has quit [Read error: Connection reset by peer]
06:42 < krzie> sounds more like a quagga question
06:42 < krzie> !notovpn
06:42 < vpnHelper> krzie: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
06:44 < hyatt> krzie: ok thanks, i'll try there. i thought since the wiki is a subdomain of secure-computing maybe someone in here tried this too and has some pointers
06:44 < krzie> ya it was written by someone from here
06:45 < krzie> lemme check who, i dont think it was someone who comes around more
06:45 < krzie> and im not saying you cant ask it here, only that you'll likely get a faster answer in a channel more dedicated to quagga
06:46 < krzie> scudette write it may 28 2009
06:46 < krzie> hehe
06:46 < krzie> wrote it*
06:49 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
06:53 < hyatt> krzie: guys at #quagga are silent ;); trying my luck with ospf now,... looks better
06:54 < theDoc> ospf!
06:54 < theDoc> ;o
06:55 < krzie> LOL
06:55 < krzie> they have been silent for a whole 10min!?
06:55 < krzie> wow, off with their heads!
06:55 < theDoc> What's with ospf?
06:56 < hyatt> nothing, i just try ospf now instead of rip as routing protocol since it seems to exchange routes faster and somehow it can travel through my openvpn tunnels which rip packets couldn't
06:56 < krzie> but hell, if you get it up with ospf maybe you can make another wiki writeup =]
06:56 < krzie> rip packets CAN
06:56 < krzie> you seem to not have quagga setup right
06:56 < theDoc> You're using ospf with openvpn?
06:57 < krzie> no, hes talking about doing it
06:57 < hyatt> iÄm using it right now with openvpn
06:57 < theDoc> Wow, how large of a network do you run to do that? ;p
06:57 < hyatt> just not all routes get through only some
06:57 < krzie> theDoc, 
06:57 < krzie> !rip
06:57 < vpnHelper> krzie: "rip" is http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting for a writeup on using RIP in openvpn
06:57 < krzie> hes doing that kind of setup
06:57 < hyatt> its for a university project connecting different sites in cities
06:57 < krzie> [07:57]  <hyatt> just not all routes get through only some
06:58 < krzie> "somehow it can travel through my openvpn tunnels which rip packets couldn't"
06:58 < theDoc> Sounds like a vpn mesh of some sort.
06:58 < krzie> yes
06:58 < krzie> mesh
06:58 -!- thunderstrike [~thunderst@static-mum-120.63.240.52.mtnl.net.in] has quit [Ping timeout: 245 seconds]
06:58 < krzie> so ya, above you say that they 'cant travel over your vpn'
06:58 < krzie> then you say some do some dont
06:58 < hyatt> true
06:59 < krzie> its your quagga setup :-p
06:59 < hyatt> i'm pretty sure it s an quagga issue
06:59 < hyatt> yep ;)
06:59  * theDoc is planning something of that sort.
06:59 < theDoc> But only to certain destinations
06:59 < krzie> maybe the python script isnt adding the tun interface on some boxes
07:00 < krzie> but really, if you learn quagga well you should find that in your troubleshooting
07:00 < hyatt> <- just reading through daemon.log
07:00 < krzie> although if you're more comfy with ospf... do feel free to set it up and document it with another wiki writeup!
07:01 < krzie> whats daemon.log
07:01 < hyatt> if i manage to get it running ill post the configs and a walkthrough
07:02 < hyatt> a file in linux where background daemons sometimes put log output
07:02 < hyatt> guess its back to wiresharking now *g*
07:02 < krzie> if looking for openvpn, try messages
07:02 < krzie> or
07:02 < krzie> !logfile
07:02 < vpnHelper> krzie: "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info
07:02 < hyatt> ah thx
07:15 < Bushmills> krzie: it is the end of the month - time to sleep for you again
07:17 -!- gopp [~gopp@ool-44c07f7c.dyn.optonline.net] has joined ##openvpn
07:20 < gopp> so I checked my firewall don't see be a issue with my firewall
07:20 < gopp> running beta 2.0
07:22 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Max SendQ exceeded]
07:23 -!- gop_ [~gopp@ool-44c07f7c.dyn.optonline.net] has joined ##openvpn
07:25 -!- gopp [~gopp@ool-44c07f7c.dyn.optonline.net] has quit [Ping timeout: 264 seconds]
07:26 -!- thunderstrike [~thunderst@60.254.57.12] has joined ##openvpn
07:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:27 -!- hyatt [~kora-chan@110-174-77-158.static.tpgi.com.au] has quit [Quit: hyatt]
08:07 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
08:07 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Excess Flood]
08:07 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
08:08 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has left ##openvpn []
08:30 -!- Netsplit *.net <-> *.split quits: buntfalke
08:33 -!- Netsplit over, joins: buntfalke
08:33 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
08:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:05 < hyper_ch> hi krzie
09:15 -!- BoomSie [~gideon@dw77242112238.amsterdam-tc.dataweb.net] has quit [Quit: Ex-Chat]
09:25 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Excess Flood]
09:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
09:28 < kisom> anyone know if its possible to use multiple ciphers on the same openvpn server, much like https does?
09:30 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
09:33 -!- boingolov [~boingolov@c-68-53-91-143.hsd1.tn.comcast.net] has joined ##openvpn
09:35 < boingolov> does anyone know of any sort of project to implemet a java applet for the openvpn client, sort of like how the various commercial vendors have?
09:35 < boingolov> implement even
09:38 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
09:45 < kisom> boingolov: you mean run the whole VPN in a java app?
09:45 < kisom> that's not possible.
09:46 < kisom> well its possible, but nobody has written such a project.
09:46 < boingolov> kisom, it's possible, and it's implemented by several commercial vendors
09:46 < boingolov> but so far have not turned up anything on the open source front
09:46 < kisom> yes, but not with openvpn.
09:47 < kisom> i think thats a pretty stupid way to run a VPN anyways :)
09:47 < kisom> you might want to try access server, i think clients will be able to download an installer which will set up certificates and all that right away
09:48 < boingolov> kisom, the idea is that it doesn't require anything special on the client end.  in practice, usually the java applet just installs some client side software automagically and it is a different implementation for each client OS supported anyway, so it's not "clean", but to the client it gives the impression that click click click done
09:48 < boingolov> kisom, that might be an option
09:49 < boingolov> will look into that
09:49 < kisom> try a demo license :)
09:49 < boingolov> ahh, commercial?
09:49 < kisom> i've never tried access server, but it looks pretty good
09:49 < kisom> yes.
09:51 < kisom> oh well
09:51 < boingolov> looks liek the basic idea
09:51 < kisom> time to go home from work :) bbl
09:52 -!- roentgen [~arthur@miranda/user/roentgen] has joined ##openvpn
09:54 -!- meepmeep [meepmeep@212.24.104.229] has quit [Ping timeout: 260 seconds]
10:00 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Ping timeout: 276 seconds]
10:11 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Read error: Operation timed out]
10:11 < theDoc> Anyone up for doing a review?
10:15 -!- thunderstrike [~thunderst@60.254.57.12] has quit [Quit: Leaving]
10:18 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:26 -!- blueboxthief [~None_of_y@86-45-83-157-dynamic.b-ras2.srl.dublin.eircom.net] has quit [Ping timeout: 276 seconds]
10:27 -!- boingolov [~boingolov@c-68-53-91-143.hsd1.tn.comcast.net] has quit [Quit: This computer has gone to sleep]
10:30 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
10:37 -!- blueboxthief [~None_of_y@86-45-83-157-dynamic.b-ras2.srl.dublin.eircom.net] has joined ##openvpn
10:46 -!- blueboxthief [~None_of_y@86-45-83-157-dynamic.b-ras2.srl.dublin.eircom.net] has quit [Ping timeout: 276 seconds]
10:46 -!- blueboxthief [~None_of_y@86-45-83-157-dynamic.b-ras2.srl.dublin.eircom.net] has joined ##openvpn
10:53 -!- boingolov [~boingolov@c-68-53-91-143.hsd1.tn.comcast.net] has joined ##openvpn
10:53 -!- blueboxthief [~None_of_y@86-45-83-157-dynamic.b-ras2.srl.dublin.eircom.net] has quit [Ping timeout: 276 seconds]
10:54 -!- blueboxthief [~None_of_y@86-45-83-157-dynamic.b-ras2.srl.dublin.eircom.net] has joined ##openvpn
11:02 -!- boingolov [~boingolov@c-68-53-91-143.hsd1.tn.comcast.net] has quit [Quit: This computer has gone to sleep]
11:06 -!- boingolov [~boingolov@c-68-53-91-143.hsd1.tn.comcast.net] has joined ##openvpn
11:08 -!- _Adam_Train_sim_ [~me@94-193-222-115.zone7.bethere.co.uk] has joined ##openvpn
11:09 -!- _Adam_Train_sim_ is now known as __Adam__
11:09 < __Adam__> hello i have a silly question, on a normal spec'ed server how many concurrent connections can i have?
11:10 < theDoc> Define normal.
11:10 < theDoc> Define size of pipe.
11:10 < theDoc> Define usage.
11:10 < boingolov> yeah, if you have an oc48, you may be limited by processor power
11:11 < boingolov> if you have a t1, you could probably run it off a dd-wrt linksys machine, heh
11:11 < __Adam__> normal server let say quad core at 2.4ghz
11:11 < theDoc> It's that kind of questions which makes absolutely no sense.
11:11 < __Adam__> its in  a datacenter so T1
11:11 < theDoc> Say guys, do you think a normal car can run on fuel?
11:12 < __Adam__> i said it was a silly question
11:12 < __Adam__> data will be snmp querys
11:12 < theDoc> Then yes.
11:12 < __Adam__> i want around 100 connections
11:12 < __Adam__> realistic?
11:13 < theDoc> Maybe, I don't know but sounds ok.
11:14  * __Adam__ nods
11:15 < __Adam__> there is QoS in openvpn, so can trim if needs be
11:15 < theDoc> raidz> You in yet? ;p
11:17 < dazo> __Adam__: you normally don't need to worry about hardware specs ... OpenVPN is light ... there is one thing to remember though
11:17 < dazo> OpenVPN is not multithreaded .... so if you run only one instance on the server, only one CPU core will be used by OpenVPn
11:17 < __Adam__> ah
11:18 < __Adam__> kk
11:18 < dazo> to solve that, several users run multiple OpenVPN processes and pin them to different CPU cores ... but it gives some challenges with routing and such things .... far from impossible, but worth taking into consideration
11:18 < __Adam__> it scales well with connections?
11:18 < sno> __Adam__: personally ran >20 on an old dual xeon 5110
11:18 < dazo> some people have mentioned that they begin to feel it's going slower when hitting 150-200 clients on one OpenVPN connection
11:18 < sno> thats on a 2.6.9 kernel too
11:19 < __Adam__> that could be a problem
11:19 < dazo> I've not investigated if that's the real case ... but, it is not unexpected, having looked at the code
11:20 < __Adam__> what about the paid for version?
11:20 < dazo> It's the same issue, I believe ... I believe it's basically the same stuff with some improved management features on top
11:20 < __Adam__> is that guaranteed to handle 200+?
11:21 < __Adam__> ok
11:21 < dazo> I dunno ... you should ask OpenVPN Technologies about that ;-)
11:21 < __Adam__> thanks :)
11:21 < dazo> But, if you have a quad core box ... you can pin 4 OpenVPN processes to each core .... and you should be fine up to about 800 users
11:23 < dazo> if you give the server 4 IP addresses ... and does a DNS round robin load balancing, you should be able to share the load easily .... each OpenVPN server process can be set up with a limit of number of connections it accepts .... and the clients can use multiple remote connection statements, which will then choose the next one automatically when being rejected
11:23 < theDoc> lol
11:23 < theDoc> dazo got it nailed down
11:24 < dazo> theDoc: I didn't say it's perfect ;-)
11:24 < theDoc> That's the way it's configured on some of my servers ;)
11:24 < dazo> ahh :)
11:24 < __Adam__> that certain sounds like a plan
11:26 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 276 seconds]
11:27 < boingolov> seems strange that openvpn wouldn't be multithreaded
11:27 < kisom> __Adam__: you may want to consider using a fast encryption algorithm when dealing with a large number of connections.
11:27 < boingolov> do they just do select() ?
11:27 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
11:27 < kisom> or no encryption at all. if you feel no important data is going to be transmitted over the VPN
11:28 < dazo> boingolov: well, OpenVPN was written in a time where SMP boxes (using multiple CPUs and multi core CPU wasn't even invented) ... it do not make much difference, at least not on lower loads (ie. < 200 simultaneous clients)
11:29 < __Adam__> kisom i did think about that, didnt know if that could be done
11:29 < dazo> boingolov: it's some kind of round-robin event system ... I don't recall exactly, but there select() and poll() are used, depending on the OS
11:29 < __Adam__> whats openvepn techs phone number?
11:29 < kisom> __Adam__: http://openvpn.net/man.html
11:29 < kisom> press 1 for tech support
11:30 < __Adam__> +19253991481 dosnt work for me
11:30 < dazo> __Adam__: Encryption itself isn't that expensive ... it won't change the performance much ... the SSL handshake is the most expensive operation when using certificates, that process just negotiates a temporary encryption key, which is used for symmetric encryption  (standard SSL operations) 
11:31 < __Adam__> ah working now
11:31 < kisom> dazo: you're wrong. this is true for HTTPS where many handshakes are performed, but for openvpn one handshake is performed once every hour and it will not take much CPU
11:31 < __Adam__> pfft no one is answering the phone
11:32 < dazo> kisom: that's my point ... the one hour event (unless changed by --reneg-* options) is the most expensive operation ... the rest is pretty low load encryption
11:32 < kisom> in my experience the symmetic encryption takes way more CPU per hour than the negotiation ;)
11:33 < dazo> kisom: it of course depends on the SSL handshake algorithms used (DSS or RSA) ... DSS without pre-generated DH-param can be awfully slow 
11:34 < kisom> __Adam__: you may want to consider using rc4 instead of blowfish as well :)
11:34 < kisom> dazo: yes you're right. but i use pre-generated DH and its pretty fast
11:35 -!- boingolov [~boingolov@c-68-53-91-143.hsd1.tn.comcast.net] has quit [Quit: This computer has gone to sleep]
11:36 < dazo> kisom: but still, it's technically impossible that asymmetric handshake and encryption is faster than symmetric ... asymmetric encryption needs much more keying material (>1024 bits) ... while symmetric is way stronger at lower bit amount
11:36 < dazo> gah ... rc4 ... that's just scrambling .... that's not encryption anymore 
11:36 < kisom> dazo: i know, but my point was that it only needs to be done once for every session and hence it's not a problem at all, you should fucus on the encryption being done 100% of the time.
11:37 < kisom> RC4 is fine by todays standard if implemented correctly :)
11:37 < dazo> kisom: well, OpenVPN do not use SSL renegotiation for re-keying ... so when the --reneg-* phases hit in, it starts a brand new SSL renegotiation
11:37 < dazo> kisom: RC4 ... you gotta be kidding ...
11:38 < kisom> my bank uses RC4
11:38 < dazo> I would change bank then
11:39 < kisom> i don't see why. I've never heard of someone breaking an RC4 encrypted stream
11:39 < kisom> at least not when implemented correctly.
11:42 < __Adam__> cheers guys
11:42 < __Adam__> bye bye
11:42 -!- __Adam__ [~me@94-193-222-115.zone7.bethere.co.uk] has quit []
11:42 < dazo> kisom: http://webcache.googleusercontent.com/search?q=cache:UP7hH0C5x9UJ:cage.ugent.be/~klein/RC4/RC4-en.ps+rc4+attack&cd=3&hl=en&ct=clnk&gl=no&lr=lang_cs|lang_da|lang_en|lang_fr|lang_de|lang_no|lang_sk|lang_sv
11:42 < vpnHelper> Title: Attacks on the RC4 stream cipher (at webcache.googleusercontent.com)
11:42 < dazo> gah, nasty url
11:43 < dazo> kisom: RC4 is even prohibited by the PCI-DSS (Payment Card Industry Data Security Standard) for encrypting credit card information
11:45 < dazo> iirc ... somebody tried to crack RC4 on a "standard" computer with todays specs ... it took them about 15 minutes, based on these known attack vectors
11:46 < kisom> i don't think those attacks apply to SSL.
11:46 < kisom> http://blog.ivanristic.com/2009/08/is-rc4-safe-for-use-in-ssl.html
11:46 < vpnHelper> Title: Ivan Ristić: Is RC4 safe for use in SSL? (at blog.ivanristic.com)
11:47 < kisom> rsa also has an article: http://www.rsa.com/rsalabs/node.asp?id=2009
11:47 < vpnHelper> Title: RSA Laboratories - RSA Security Response to Weaknesses in Key Scheduling Algorithm of RC4 (at www.rsa.com)
11:48 < kisom> and just for the record, i never said RC4 was better than AES/Camellia/whatever, i know its not
11:48 < kisom> but i would still consider it pretty secure.
11:50 < dazo> kisom: I'll double check a book I have at home, but I believe one of the SSL designers (Eric Rescorla) even wrote in the "SSL and TLS - Designing and Building Secure Systems" recommends to stay away from RC4 ... that book is 10 years old now ...
11:51 < kisom> :-) let me know what you find
11:54 < dazo> I will :)
12:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
12:09 -!- boingolov [~boingolov@c-68-53-91-143.hsd1.tn.comcast.net] has joined ##openvpn
12:09 -!- boingolov [~boingolov@c-68-53-91-143.hsd1.tn.comcast.net] has quit [Client Quit]
12:20 -!- dazo is now known as dazo_afk
12:33 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
13:06 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
13:06 < gop_> anyone had luck with pfsense 2.0 beta 2 and open vpn
13:16 -!- blueboxthief [~None_of_y@86-45-83-157-dynamic.b-ras2.srl.dublin.eircom.net] has quit [Quit: Leaving.]
13:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:32 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
13:35 -!- f1assistance1 [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
13:35 -!- f1assistance1 [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
13:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
13:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:42 -!- mirco [~mirco@p5B23CEC6.dip.t-dialin.net] has joined ##openvpn
13:48 -!- b0nn [~shane@202-180-91-108.callplus.net.nz] has joined ##openvpn
13:49 < hyper_ch> huhu krzie
13:50 -!- dauergast [~sag@188-193-136-54-dynip.superkabel.de] has joined ##openvpn
13:53 < dauergast> Hi when i try to route the servers lan subnet, the openvpn becomes unreachable from inside the lan, the only way to get a connection is back over the router with nat, aynone knows whats going wrong?
13:53 < dauergast> sorry the server which is running openvpn becomes unreachable
13:54 < hyper_ch> I have no clue what works and what doesn't for you
13:55 -!- LeRrA [~lerra@c-819372d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined ##openvpn
13:55 < dauergast> nothing works, cant even ping the server
13:58 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 276 seconds]
13:59 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
14:00 < hyper_ch> !tell dauergast [welcome]
14:01 < dauergast> !goal
14:01 < vpnHelper> dauergast: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:02 < dauergast> !configs
14:02 < vpnHelper> dauergast: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
14:09 < dauergast> Ok im running an openvpn server its IP Address is 192.168.100.249/28, connections between the clients / subnets behind client are working fine. the only problem is, when the ovpn server is started, the server / ip 192.168.100.249 is not accessible from any computer in the servers lan. no iptable rules are set up. server.conf: http://pastebin.com/PSJFydvC
14:11 < dauergast> Ubuntu Server 10.04 x64 / OVPN Version 2.1.0
14:13 < dauergast> !route
14:13 < vpnHelper> dauergast: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:17 < dauergast> ok solved.. routing the internal lan is wrong, .. only need to push the route to the clients....sorry..
14:24 < krzee> =]
14:42 -!- roentgen [~arthur@miranda/user/roentgen] has joined ##openvpn
14:45 -!- krzee [~k@unaffiliated/krzee] has quit [Quit: Leaving]
14:45 < roentgen> krzie: could you please tell me again
14:45 < roentgen> that openvpn dev snapshots site?
14:46 < roentgen> and maybe a sticky post in "testing"
14:46 < roentgen> wouldn't hurt
14:49 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Quit: Leaving.]
14:49 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
14:51 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
14:56 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
15:10 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
15:26 < Chosi> are there any premade scripts for per-user traffic accounting?
15:29 < krzee> not that im aware of, you may find polling the management interface useful
15:33 < Chosi> i thought about iptables rules based on their ipp.txt ips
15:33 < Chosi> or something
15:33 < krzee> !ipp
15:33 < vpnHelper> krzee: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
15:33 < Chosi> yeah i know
15:34 < Chosi> !iporder
15:34 < vpnHelper> Chosi: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
15:45 < Chosi> !static
15:45 < vpnHelper> Chosi: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
15:46 < Chosi> dammit...
15:46 < Chosi> !ccd :)
15:46 < vpnHelper> Chosi: Error: "ccd" is not a valid command.
15:46 < Chosi> !ccd
15:46 < vpnHelper> Chosi: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
15:47 < Chosi> what about just adding sections to the serverconfig instead of directories?
15:47 < Chosi> what's the reason for the dirs?
15:51 < Chosi> krzee: are there --client-connect script examples?
15:52 < Chosi> i'd rather use this than directories :)
15:55 < krzee> !ldap
15:55 < vpnHelper> krzee: Error: "ldap" is not a valid command.
15:55 < krzee> !factoids search ldap
15:55 < vpnHelper> krzee: "ldap_iptables" is see http://planetjoel.com/viewarticle/638/OpenVPN%3A+Dynamically+create+IPtables+rules+based+on+LDAP+group+membership for a cool script for setting iptables rules based on LDAP membership (currently only handles TCP rules, but an easy fix to support UDP)
15:55 < krzee> that uses client-connect
15:56 < Chosi> uhm uh
15:56 < Chosi> i just want to assign static ips for iptables logging :D
15:56 < Chosi> hrm
15:56 < krzee> i dont have a script to give you for that
15:56 < Chosi> thought so
15:56 < Chosi> =)
15:57 < krzee> but basically, i can explain how it works
15:57 < krzee> gimme a sec
15:57 < Chosi> okay great
15:57 < Bushmills> Chosi: check munin - there's even a plugin to poll iptables stub rules for traffic measurement
15:57 < Chosi> the iptables and munin stuff should be clear on my end. i just don't know how to assign separate ips based on the clients' common names
15:57 < krzee> a temp filename is fed to the script (whcih is called when a client connects), whatever you write to this file is used as a dynamic ccd
15:57 < Chosi> yeah Bushmills i already have that
15:57 < Chosi> =)
15:58 < Bushmills> (munin is used to draw nice graphs from it)
15:58 < Chosi> so much for accounting
15:59 < Chosi> krzee: ack
16:00 < Chosi> is that all?
16:00 < Chosi> hehe
16:04 < krzee> !learn client-connect as --client-connect <script>, runs script on client connection.  This can be useful for generating firewall rules dynamicly, or for assigning static ips.  This can do anything that a ccd (see !ccd) entry can do, but dynamicly... to use it that way, you should write your dynamic ccd commands to the file named by $1.
16:04 < vpnHelper> krzee: Joo got it.
16:04 < Chosi> krzee: don't take it personally but i'ma stick with the ccds first - it sounds easy
16:06 < krzee> i would too
16:06 < krzee> much easier
16:06 < krzee> ccd is for when you need more
16:06 < Chosi> well right now there's 6 users
16:06 < Chosi> so i think ccd sounds okay
16:07 < Chosi> client-config-dir <absolute path here>?
16:07 < Chosi> or what is it relative to?
16:08 < krzee> !path
16:08 < vpnHelper> krzee: "path" is always use full paths in your config file, it makes things easier
16:08 < Chosi> :D
16:08 < Chosi> oh how i wish i had a fully trained bot like this for real life
16:08 < krzee> hahahaha me too
16:08 < Chosi> hey dude, what's the time?
16:08 < Chosi> !time
16:08 < vpnHelper> Chosi: Error: "time" is not a valid command.
16:08 < krzee> hrm, i kinda could...
16:08 < Chosi> :>
16:09 < krzee> i could program a series of extensions on the PBX for all common cases at work
16:09 < Chosi> trailing slashes? ;)
16:09 < krzee> nope, no trailing / needed
16:09 < Chosi> i thought you had a !ts ready or something
16:09 < Chosi> tsk
16:09 < Chosi> :)
16:10 < Chosi> chmod of the ccd files? vpn-user-readable should suffice, right?
16:10 < krzee> must be readable by the user owning the openvpn process... kinda obviously...
16:11 < krzee> (if you use --user / --group, pay attention to this)
16:11 < Chosi> so if i want them to have ip's like 10.0.0.4 and so on i just push sooo if i push ipconfig-push 10.0.0.4 10.0.0.0?
16:11 < Chosi> for example?
16:12 < krzee> !static
16:12 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
16:12 < krzee> also note you cant use .4 unless you use topology subnet or dev tap
16:12 < krzee> !/30
16:12 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
16:14 < krzee> !learn /30 as so by default, first client is .6, then .10 .14 .18 etc etc
16:14 < vpnHelper> krzee: Joo got it.
16:15 < Chosi> oh yeah my bad
16:15 < Chosi> for some reason
16:15 < Chosi> http://choseh.de/~chosi/screens/SS-2010-05-31_22.28.07.png
16:15 < Chosi> my ipp started at 4
16:15 < Chosi> why?
16:15 < krzee> internal to the server
16:15 < krzee> but ipp is rarely useful anyways
16:16 < Chosi> okay i'll start at 8 then
16:16 < Chosi> *6
16:17 < Chosi> so the ccds have to include other info aswell or just the additional stuff?
16:17 < krzee> !ccd
16:17 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
16:19 < Chosi> uhm not clear :p
16:19 < Chosi> so i add
16:19 < Chosi> push "dhcp-option DNS 8.8.8.8"
16:19 < Chosi> push "redirect-gateway"
16:19 < Chosi> aswell?
16:19 < Chosi> (if i wanted that to be pushed)?
16:20 < Chosi> or will it be pushed anyways cause it's in the server config
16:20 < krzee> you only want that for certain clients?
16:20 < Chosi> nah for all of them
16:20 < Chosi> that's the same for all
16:20 < krzee> then it doesnt belong in ccd
16:20 < Chosi> i only want them to have static ips.
16:20 < Chosi> okay
16:20 < krzee> ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name.
16:20 < Chosi> okay :)
16:20 < krzee> as described by my bot :-p
16:20 < Chosi> :>
16:21 < jpalmer> infobot?
16:21 < krzee> supy
16:21 < jpalmer> shoula known ;)
16:22 < Chosi> WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address. You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
16:22 < Chosi> it's complaining :S
16:22 < Chosi> i'm not using p2p topology :/
16:22 < krzee> umm
16:22 < krzee> !configs
16:22 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
16:22 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
16:26 -!- grendal_prime [~sgraham@dsl-12-44-166-053.arpa2.caltel.com] has joined ##openvpn
16:26 < grendal_prime> hey guys
16:27 < Chosi> krzee: http://nopaste.narf.at/show/93/
16:27 < Chosi> server
16:27 < grendal_prime> thanks krzie for the help things are look very good now.
16:27 < Chosi> krzee: ccd for me: ifconfig-push 10.0.0.10 255.255.255.0
16:27 -!- BoomSie [~gideon@84-245-27-118.dsl.cambrium.nl] has joined ##openvpn
16:28 < grendal_prime> i got a couple more questions about routing though is this the best place to talk about his or can someone suggest a good understandable howto.  Ive always used iptables and masquarde to handle this sort of thing.
16:30 < krzee> !route
16:30 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:31 < krzee> Chosi, and client...?
16:31 < Chosi> http://nopaste.narf.at/show/94/
16:32 < Chosi> http://nopaste.narf.at/show/95/ errorlog
16:32 < Chosi> could it be that this is the problem? 10.0.0.5 ->255.255.255.0<-
16:33 < Chosi> 5=6
16:34 < Chosi> For assigning fixed IPs you would use “ifconfig-push 10.8.0.X 10.8.0.0" if you use the suggested subnet of “10.8.0.0"
16:34 < Chosi> i'm using tun
16:34 < Chosi> not tap
16:34 < Chosi> you know
16:34 < Chosi> (and i just pasted a line from some other howto=
16:35 < krzee> ifconfig-push 10.0.0.10 255.255.255.0   has always worked for others...
16:36 < Chosi> WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address.
16:36 < krzee> also, you should change your VPN subnet
16:36 < krzee> its too common, any clients connecting from the same subnet will have issues
16:36 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Quit: I am off]
16:36 < krzee> !samesubnet
16:36 < vpnHelper> krzee: "samesubnet" is clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
16:37 < krzee> also, regarding your using tcp...
16:37 < krzee> !tcp
16:37 < vpnHelper> krzee: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
16:37 < Chosi> _Sometimes you cannot avoid tunneling over tcp_
16:37 < Chosi> [x] can't avoid
16:37 < Chosi> :)
16:37 < krzee> cool, wanted to be sure you were aware =]
16:37 < krzee> im not sure whats missing from your config or where...
16:37 < Chosi> nah not cool. udp restrictions and a stateful firewall that peeks into the only udp port open = not cool
16:37 < krzee> !sample
16:37 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
16:38 < krzee> oh that was you
16:38 < Chosi> yup
16:38 < Chosi> :)
16:38 < krzee> with the stateful firewall fubaring stuff after an hour
16:38 < Chosi> well inspecting it propably
16:38 < Chosi> and blocking the port for an hour
16:38 < Chosi> after it found out stuff is going on there
16:38 < Chosi> :)
16:39 < krzee> what version openvpn are you running?
16:39 < krzee> on both sides
16:40 < Chosi> latest on client, OpenVPN 2.1_rc11 on debian
16:41 < krzee> thats not latest
16:41  * krzee points at topic
16:41 < krzee> and the server...?
16:45 < Chosi> latest version on windows client
16:45 < Chosi> and 2.1_rc11 on debian server
16:48 < Chosi> gnurl
16:48 < Chosi> so what's the main reason for it not working?
16:48 < Chosi> samesubnet?
16:48 < krzee> not sure, but you should upgrade to 2.1.1
16:48 < Chosi> mh okay
16:49 < grendal_prime> krzee,  ive read that document and i have things working the way it describes.  I still get arp requests (although not nearly as many) and it seems that it is not "routing" in the way that im most familar.  Im not going to get around the arp requests entirely am i.
16:49 < krzee> for all i know maybe thats the issue
16:49 < krzee> you dont get arp over a tun device
16:49 < krzee> you are sniffing tun, right...
16:49 < grendal_prime> no im not getting them on the tun.  Im getting them on the other side.
16:50 < krzee> lol
16:50 < krzee> vpn traffic goes over tun
16:50 < krzee> arp traffic is a normal part of a layer2, which is what you're seeing
16:50 < krzee> unrelated to your VPN
16:50 < Chosi> *searching 2.1.1 debian source*
16:50 < grendal_prime> ya
16:51 < krzee> !download
16:51 < vpnHelper> krzee: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
16:51 < krzee> that source compiles everywhere :-p
16:52 < grendal_prime> im just making sure that i understood the original problem entirely.  Since it was a bridge from the clients tap directly onto the internal network, i was getting arp from everyone of the clients.  Now im just getting arp from the vpn server.
16:52 < Chosi> i'm afraid it kills my configs
16:52 < Chosi> :d
16:52 < Chosi> i should backup them i guess
16:53 < krzee> they are backed up on pastebin :-p
16:53 < Chosi> touché
16:53 < Chosi> hehe
16:53 < Chosi> what about keys?
16:53 < Chosi> :)
16:53 < krzee> besides, you didnt really do anything too different from:
16:53 < krzee> !sample
16:53 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
16:53 < krzee> except proto tcp and a ccd entry
16:53 < Chosi> true
16:54 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 260 seconds]
16:55 -!- b0nn [~shane@202-180-91-108.callplus.net.nz] has quit [Ping timeout: 240 seconds]
16:56 < grendal_prime> so it makes sence..i just wanted to make sure that there was not something else to think about
17:01 < Chosi> hrm
17:01 < Chosi> krzee
17:01 < krzee> hrm
17:01 < Chosi> still the same client errors with 2.1.1
17:01 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
17:02 < krzee> ok, try its suggestion
17:03 < Chosi> Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address.
17:03 < Chosi> this?
17:03 < krzee> i still dont see why the hell it thinks you have ptp
17:03 < krzee> oh
17:03 < krzee> use proto tcp
17:03 < krzee> instead of tcp-server and tcp-client
17:03 < krzee> see if that does anything
17:04 < krzee> it knows who server and client is (since you use --server and --client), those are options for ptp
17:04 < krzee> maybe thats why
17:05 < Chosi> Tue Jun 01 00:04:55 2010 WARNING: Since you are using --dev tun with a point-to-point topology...
17:05 < Chosi> :)
17:05 < Chosi> i don't get it either
17:05 < Chosi> it doesn't like the 255.255.255.0
17:05 < Chosi> Tue Jun 01 00:04:55 2010 There is a problem in your selection of --ifconfig endpoints [local=10.0.0.10, remote=255.255.255.0]. The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet.
17:05 < Chosi> oh and this
17:05 < Chosi> in addition
17:06 < krzee> hrm, it really does think you are ptp...
17:06 < krzee> im missing something in one of your configs...
17:06 < krzee> are you using 2.0 on any clients?
17:06 < krzee> or all are 2.1*
17:06 < Chosi> clients are all 2.1.1 aswell
17:07 < krzee> put this in your server
17:07 < krzee> topology subnet
17:07 < krzee> (with that you can use .2 .3 .4 etc for clients as well
17:07 < krzee> )
17:07 < krzee> !topology 
17:07 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
17:07 < Chosi> server 10.0.0.0 255.255.255.0 shall i change this?
17:07 < Chosi> to .1 or something?
17:07 < krzee> nope
17:08 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
17:08 < krzee> well you should change the subnet
17:08 < krzee> to something uncommon
17:08 < krzee> like 10.8.0.0 255.255.255.0
17:08 < Chosi> mhm
17:08 < Chosi> let's see
17:08 < krzee> but thats an unrelated note
17:08 < Chosi> so the server config needs mode server and server 10.0.0.0 255.255.255.0?
17:08 < krzee> doesnt need mode server
17:08 < Chosi> okay
17:08 < Chosi> away it goes
17:08 < krzee> --server expands to have that
17:08 < krzee> topology subnet
17:09 < Chosi> is in
17:09 < krzee> server 10.8.0.0 255.255.255.0
17:09 < krzee> get off the common subnet or one day you will have problems and not know why
17:09 < krzee> when a client loses all inet connectivity when it connects
17:10 < Chosi> Tue Jun 01 00:09:22 2010 Initialization Sequence Completed
17:10 < Chosi> :)
17:10 < Chosi> maybe it was mode server or the subnet thingy
17:11 < krzee> and it got the ip you gave it?
17:11 < Chosi> yup
17:11 < krzee> btw, you can now use any IP you want
17:11 < krzee> not just .6 .10 .14
17:11 < Chosi> starting with 2
17:11 < Chosi> i guess :>
17:11 < krzee> but .2 .3 .4 .5 .6 etc
17:13 < Chosi> thanks a lot krzee
17:13 < Chosi> :)
17:13 < Chosi> i don't know where i read that mode server
17:13 < Chosi> must've been this
17:14 < Chosi> what do you think? adding an in and output iptables rule for the specific ips should cover their traffic, right?
17:14 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
17:18 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
17:24 < krzee> however you normally would do traffic accounting without a VPN...
17:25 < Chosi> mhm
17:26 < krzee> ive never had the need to go beyond awstats
17:26 < krzee> but ignore its a vpn and just think of it like you're accounting for a lan or something
17:26 < krzee> like you're the router for the lan and doing accounting
17:28 < Chosi> well there's a tun0_in and tun0_out chain
17:28 < Chosi> maybe i could put accept rules in there
17:29 < Chosi> i'm not using iptables often :)
17:29 < Chosi> Bushmills still there?
17:30 < Bushmills> sort of
17:31 < Chosi> where would i insert those iptables rules from the ip_ plugin description?
17:33 -!- takamichi [~pri@78.133.37.89] has quit [Ping timeout: 248 seconds]
17:35 < Chosi> because i tried to just iptables -A INPUT -d 10.x.x.x for example and it doesn't do anything
17:41 < Bushmills> top
17:41 < Bushmills> INPUT chain
17:41 -!- nat2610 [~nfelsen@adsl-99-185-243-218.dsl.pltn13.sbcglobal.net] has joined ##openvpn
17:42 < Bushmills> don't append. insert at top
17:42 < Bushmills> preferable may be to jump to a new chain first thing, and add traffic counting rules in that new chain
17:43 < nat2610> hey, I'm kind of confuse with the config file for the server on openvpn. let say the server where I'm installing openvpn, has only 1 ip (public) let say 1.2.3.4 ... what do I put in server ? 1.2.3.4 ? 
17:43 < Bushmills> then you can append or insert as you like, doesn't matter
17:43 < Chosi> ah okay
17:43 -!- dauergast [~sag@188-193-136-54-dynip.superkabel.de] has quit [Quit: ich nutze das [G]Script... ©daGroove neuste versionen: www.grooves-welt.de]
17:43 < Bushmills> nat2610: no,.
17:44 < Chosi> -I is to the top right?
17:44 < Bushmills> behind server, you put the network and netmask  you wish your new interface (used for openvpn) to have
17:44 < Bushmills> Chosi: yes
17:45 -!- grendal_prime [~sgraham@dsl-12-44-166-053.arpa2.caltel.com] has quit [Quit: Ex-Chat]
17:46 < nat2610> I started of the sample conf file from the doc and for now I have server 10.8.0.0 255.255.255.0. Can I keep that for now ? 
17:46 < krzee> yes
17:48 < Chosi> hrm
17:48 < Chosi> Bushmills: still showing 0bytes
17:48 < Chosi> for the connection i just opened
17:48 < Chosi> meaning - i'm using it right now
17:48 < Chosi> :>
17:49 < Bushmills> you want to catch source and destination, i think. 
17:49 < Chosi> http://choseh.de/~chosi/screens/SS-2010-06-01_00.49.25.png
17:49 < Chosi> that's from my server
17:50 < Chosi> openvpn server that is
17:50 < Chosi> it's propably in the forward chain
17:50 < Bushmills> why would there any 10.0.0.x traffic if your vpn net is 10.8.0.x ?
17:51 < Chosi> it isn't
17:51 < Chosi> yet
17:51 < Chosi> :P
17:51 < Chosi> it's 10.0.0.x so that's "fine"
17:52 < Bushmills> oh, sorry, confused you with the 10.8.x.x setup
17:52 < Bushmills> well, if there's no traffic registered, than there is none
17:53 < Chosi> uhhhm yeah
17:53 < Chosi> :)
17:53 < Chosi> i'm connected right now and redirect-gateway is on
17:53 < Chosi> so there's propably traffic
17:53 < Chosi> but i think it's going through some forward and shorewall rules
17:58 < Bushmills> ehm.   input destiniation is not directed to vpn addresses
17:59 < Bushmills> on the gateway, add to forward chain
17:59 < Chosi> okay
17:59 < Bushmills> or output
18:00 < Bushmills> returned packets (destination vpn) should go through either
18:02 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Quit: Távozom]
18:12 < Chosi> well Bushmills the ip_ plugin is looking into input/output chains and i don't know if it can determine if it's in or out if it's going through forward
18:13 < Chosi> i'll never understand this :S
18:13 -!- BoomSie_ [~gideon@84-245-27-118.dsl.cambrium.nl] has joined ##openvpn
18:13 < Bushmills> those plugins are easy peasy to write and modify
18:13 < Bushmills> often just simple shell scripts
18:13 < Chosi> yeah i could easily change input into forward
18:14 -!- BoomSie [~gideon@84-245-27-118.dsl.cambrium.nl] has quit [Ping timeout: 276 seconds]
18:14 < Chosi> iptables -L INPUT -v -n -x | grep -m1 $IP | awk "{ print \"in.value \" \$2 }"
18:14 < Chosi> iptables -L OUTPUT -v -n -x | grep -m1 $IP | awk "{ print \"out.value \" \$2 }"
18:14 < Chosi> but well as i said - how to determine in/out?
18:15 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
18:17 < Bushmills> -s / -d if you really want to seperate.
18:21 < Chosi> sooo
18:21 < Chosi> let me get this straight
18:21 < Chosi> 1437 311K tun0_fwd all -- tun0 * 0.0.0.0/0 0.0.0.0/0
18:22 < Chosi> this is where stuff comes from
18:22 < Chosi> it's from the forward chain
18:22 < Chosi> http://choseh.de/~chosi/screens/SS-2010-06-01_01.22.30.png
18:22 < Chosi> there
18:23 < Chosi> coming in from tun0 and going out to the intarwebs
18:24 < Chosi> ok nevermind i won't understand it tonight.
18:24 < Chosi> this is just too many chains with vpn2net and whatnot
18:29 -!- BoomSie_ is now known as BoomSie
18:30 < Bushmills> nat'ted packages traverse the forward and the output chain
18:31 < Bushmills> returned packages enter input chain and traverse forward chain.
18:31 < Bushmills> so with forward chain, you should catch both directions
18:31 < krzee> Chosi, there should be a good 10000000 docs on this
18:31 < krzee> forget that its a vpn...
18:31 < krzee> (this is unrelated to anything about a vpn)
18:31 < Chosi> i just need to find the chain to put that counting rule in
18:31 < Chosi> that's basically it.
18:31 < Chosi> :)
18:32 -!- mirco [~mirco@p5B23CEC6.dip.t-dialin.net] has quit [Quit: mirco]
18:47 < nat2610> I'm looking at http://www.publicvpn.com/support/Vista.php Is there a way to setup a user/password system with openvpn instead of keys ?
18:47 < vpnHelper> Title: Windows Vista VPN setup (at www.publicvpn.com)
18:52 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
19:03 < Chosi> yay my rules work :>
19:03 < krzee> nat2610, 
19:03 < krzee> !authpass
19:03 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
19:09 < Chosi> Bushmills: i almost have it =) thanks in advance for all your patience
19:10 < Chosi> same for krzee :)
19:10 < krzee> =]
19:11 < Chosi> i know this is not a grep help channel, but is there a way for grep to differentiate between these two lines without regex?
19:11 < Chosi> 10.0.0.3 0.0.0.0/0
19:11 < Chosi> 0.0.0.0/0 10.0.0.3
19:12 < Chosi> cause it seems i can't specify -s and -d when listing chains in iptables
19:18 < krzee> grep "^10"
19:18 < krzee> will match anything starting with 10
19:18 < Chosi> yeah but i have 10.x.x.x in both lines
19:18 < Chosi> :)
19:19 < krzee> STARTING with
19:19 < krzee> thats what the ^ does
19:20 < Chosi> oh okay - my bad again
19:20 < Chosi> 5206 1171567 all -- * * 10.0.0.3 0.0.0.0/0
19:20 < Chosi> 8706 10294740 all -- * * 0.0.0.0/0 10.0.0.3
19:20 < Chosi> that's what the complete lines look like ;)
19:21 < krzee> |cut -d" " -f7 | grep "^10"
19:21 < krzee> super-non elegant, but im going strictly based on only those 2 lines
19:21 < krzee> you can adapt for your real needs
19:32 -!- DrPepper [~DrPepper@88.207.183.72] has quit [Quit: Leaving...]
19:38 < krzee> !tcp
19:38 < vpnHelper> krzee: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
19:41 < Chosi> fetch ip_10.0.0.3
19:41 < Chosi> in.value 63297054
19:41 < Chosi> out.value 923696
19:41 < Chosi> WIN
19:41 < Chosi> i defeated the evil munin
19:41 < Chosi> with the help of my fellow...helpers!
19:41 < Chosi> <3
19:51 < nat2610> I'm planning on connecting windows xp/vista/7 to my server openvpn which is a centos box. (I'm guessing using the windows version of openvpn) should I select for the server config (centos) dev tun or dev tap and should I add dev-node MyTAP ?
19:52 < APTX> you can use either
19:53 < krzee> !tunortap
19:53 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
19:53 < vpnHelper> krzee: against you over the vpn, or (#4) lan gaming? use tap!
20:04 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:06 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
20:09 < nat2610> I managed to get a connection between my server and client through openvpn on both side, the client is a windows vista and now I'd like the internet browsing to go through the vpn so that it looks like the client is surfing the web from where the server is located ... what should I google ? Or what doc should I read ?
20:10 < krzee> !redirect
20:10 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
20:10 < nat2610> http://www.openvpn.net/index.php/open-source/documentation/howto.html#redirect
20:10 < vpnHelper> Title: HOWTO (at www.openvpn.net)
20:10 < nat2610> yeah
20:10 < nat2610> just found thanks
20:10 < krzee> since you use linux on your server
20:10 < krzee> !def1
20:10 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
20:10 < krzee> !linnat
20:10 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
20:10 < krzee> !linipforward
20:10 < vpnHelper> krzee: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
20:10 < krzee> and done
20:12 < nat2610> krzee, actually I alraedy did that part, server side, I'm lost windows side ... how do I setup the tcp stack to use the vpn connnection  ?
20:15 < krzee> by putting redirect-gateway in the client config (or pushing it in server config)
20:15 < nat2610> I see in ipconfig my interface with a 10.8.0.6 ip
20:15 < nat2610> but how do I route internet traffic into it ? 
20:15 < krzee> !def1
20:15 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
20:32 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
21:07 -!- fluvvell [~barryc@port166-72.ubs.maxnet.net.nz] has joined ##openvpn
21:08 < fluvvell> what do I do to get the 64bit windows drivers to work on the windows 7 64 bit client I have need of using ?
21:08 < fluvvell> !welcome
21:08 < vpnHelper> fluvvell: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:09 < fluvvell> I have numerous windows xp, and two or three windows 7 clients working, but the 64 bit client is giving me trouble
21:10 < fluvvell> !interface
21:10 < vpnHelper> fluvvell: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
21:45 -!- takamichi [~pri@78.133.37.89] has joined ##openvpn
21:52 < krzie> i dont use windows, but from what ive seen on the list it works just fine
21:52 < krzie> you just need to be sure to runas administrator
21:59 < fluvvell> run a driver or the install? I did as much, but it creates a driver called tap32 V8  , am I missing something?
22:00 < fluvvell> ftr, I don't use windows but my clients do to connect to their networks.
22:01 < fluvvell> there just seems a lack of feedback or help on the matter.
22:10 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 260 seconds]
22:10 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
22:27 -!- b0nn [~shane@202-180-91-108.callplus.net.nz] has joined ##openvpn
22:48 < fluvvell> arrrgh, i was installing the wrong version!
23:03 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
--- Day changed Tue Jun 01 2010
00:12 -!- b0nn [~shane@202-180-91-108.callplus.net.nz] has quit [Ping timeout: 240 seconds]
00:27 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 276 seconds]
00:44 -!- BoomSie [~gideon@84-245-27-118.dsl.cambrium.nl] has quit [Ping timeout: 248 seconds]
00:52 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
01:18 -!- b0nn [~shane@202-180-91-108.callplus.net.nz] has joined ##openvpn
01:25 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Excess Flood]
01:26 -!- roentgen [~HaRT@miranda/user/roentgen] has left ##openvpn ["Leaving."]
01:35 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
01:39 -!- cjae [~quassel@142-165-27-211.estv.hsdb.sasknet.sk.ca] has joined ##openvpn
01:54 -!- dazo_afk is now known as dazo
02:00 < krzie> you werent installing 2.1.1?
02:02 -!- thisguy_ [~quassel@142-165-27-211.estv.hsdb.sasknet.sk.ca] has joined ##openvpn
02:02 -!- cjae [~quassel@142-165-27-211.estv.hsdb.sasknet.sk.ca] has quit [Ping timeout: 264 seconds]
02:04 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
02:06 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
02:06 -!- BoomSie [~gideon@dw77242112238.amsterdam-tc.dataweb.net] has joined ##openvpn
02:07 -!- b0nn [~shane@202-180-91-108.callplus.net.nz] has quit [Ping timeout: 240 seconds]
02:08 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
02:09 -!- thisguy_ [~quassel@142-165-27-211.estv.hsdb.sasknet.sk.ca] has quit [Ping timeout: 276 seconds]
02:09 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has left ##openvpn []
02:14 -!- oligo [~oligo@vps257.xlshosting.net] has joined ##openvpn
02:39 -!- dazo is now known as dazo_afk
02:57 < kraut> moin
03:00 < hyper_ch> huhu kraut
03:00 < hyper_ch> krzie: onlien?
03:00 < hyper_ch> online :)
03:07 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:44 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Read error: Connection reset by peer]
03:44 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
03:52 -!- notworkn [networkn@121.98.152.39] has joined ##openvpn
03:53 < notworkn> hi, I am hoping someone can tell me what is wrong with this config....
03:53 < notworkn> http://pastebin.ca/1875299
03:57 < kyrix> can u post the logs too
03:57 < notworkn> ok hang a tic
04:00 < notworkn> http://pastebin.ca/1875302
04:03 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
04:03 -!- mode/##openvpn [+o mattock] by ChanServ
04:09 -!- blueboxthief [~None_of_y@86-45-83-157-dynamic.b-ras2.srl.dublin.eircom.net] has joined ##openvpn
04:11 < notworkn> where would the server side logs be typically on a linux box?
04:11 < oligo> /var/log/ 
04:13 < |Mike|> (heh lol?)
04:13 < |Mike|> notworkn: you can define whatever path for your logs in openvpn tho :)
04:13 < notworkn> argh for some reason putty ssh connections insist on opening on my first screen so big I can't see the title window or anything that would allow me to minimize or anyhting. Anyone know where I can set this not to occur?
04:15 < notworkn> ok it's only saved sessions :(
04:16 < |Mike|> no idea, i'm unfamilair with something named 'putty'
04:16 -!- LeRrA [~lerra@c-819372d5.029-136-73746f3.cust.bredbandsbolaget.se] has quit [Ping timeout: 276 seconds]
04:16 < notworkn> well ok, anyone able to make head nor tail of my connection woes?
04:16 < notworkn> Shall I post the server config?
04:16 < |Mike|> !configs
04:16 < vpnHelper> |Mike|: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
04:16 < |Mike|> there ya go.
04:17 < |Mike|> !tell notworkn configs
04:17 < notworkn> Did you see the client config and log above? Any clues from that ?
04:17 < |Mike|> yep
04:17 < notworkn> [09:17pm] <vpnHelper> |Mike| wants me to tell you: configs
04:17 < notworkn> :)
04:17 < |Mike|> is the device tap80 correct ? ;)
04:18 < notworkn> how can I verify that ?
04:18 < |Mike|> !tunortap
04:18 < vpnHelper> |Mike|: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
04:18 < vpnHelper> |Mike|: against you over the vpn, or (#4) lan gaming? use tap!
04:18 < notworkn> is that what the connection would be called in ncpa.cpl ?
04:18 < |Mike|> i've no idea what ncpa.cpl is hehe
04:18 < notworkn> its the list of windows network connections
04:18 < notworkn> the connection that relates to this is called corpvpn
04:20 < notworkn> http://pastebin.ca/1875305
04:24 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
04:24 < notworkn> any ideas?
04:32 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
04:42 -!- dazo_afk is now known as dazo
04:54 < notworkn> Any tests I can do to help troubleshoot?
04:54 < notworkn> if I do an ipconfig in a cmd prompt the tap80 adapter is not showing
04:55 -!- blueboxthief [~None_of_y@86-45-83-157-dynamic.b-ras2.srl.dublin.eircom.net] has quit [Read error: Connection reset by peer]
05:02 -!- sara2010 [~sara2010@202.100.181.58.dynamic.max.com.pk] has joined ##openvpn
05:02 < sara2010> hi
05:02 < sara2010> anyone help me
05:03 < plundra> Impossible.
05:03 < sara2010> why
05:03 < sara2010> plundra
05:11 < dazo> !welcome
05:11 < vpnHelper> dazo: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:11 < dazo> sara2010: ^^
05:11 -!- s0x [~s0x@sixserv.org] has left ##openvpn []
05:15 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
05:24 < sara2010> dazo
05:25 < sara2010> dazo i m using centos 5.5
05:25 < sara2010> i want install and configure openvpn
05:26 -!- takamichi [~pri@78.133.37.89] has quit [Ping timeout: 264 seconds]
05:27 -!- takamichi [~pri@94.75.217.249] has joined ##openvpn
05:32 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:42 < kisom> sara2010: are you a chick? i dont believe you
05:45 < |Mike|> notworkn: i'm not familair with openvpn client on windows.. :x
05:49 < dazo> sara2010: !howto
05:49 < dazo> !howto
05:50 < vpnHelper> dazo: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
05:50 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has quit [Quit: Leaving.]
05:53 < dazo> !confgen
05:53 < vpnHelper> dazo: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
05:53 < dazo> sara2010: ^^ this one might help you get started as well
05:57 < sara2010> thanks
05:57 < sara2010> dazo
05:57 < sara2010> let me check
05:57 < dazo> you're welcome
05:58 < sara2010> do you have any step to step confg list?
06:01 < dazo> sara2010: I've never used the the confgen tool in real life, so I don't recall ... but there are two scripts there ... on of them will be more like a "wizard" guiding you through a lot of question and preparing the config file for you
06:03 -!- specnaz [~martin@193.145.150.120] has joined ##openvpn
06:03 < sara2010> ok
06:04 < |Mike|> http://theoatmeal.com/comics/email_address
06:05 < sara2010> |Mike| this is for me?
06:06 < specnaz> Hello, I've just setup my openvpn tunnel by tun0 device using default configuration, connection was successfully established but my client cannot to ping google.com, it only see the openvpn network, how to fix it?
06:13 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
06:20 -!- sara2010 [~sara2010@202.100.181.58.dynamic.max.com.pk] has quit []
06:26 < |Mike|> Saar: not really
06:27 -!- telenieko [~53aff1d2@gateway/web/freenode/x-hyehbbmaimyjunwr] has joined ##openvpn
06:27 < telenieko> Hi all. Can I specify a metric on the route, iroute and "push route.." config statements?
06:31 < telenieko> Just found it :)
06:32 -!- DrPepper [~DrPepper@88.207.183.72] has joined ##openvpn
06:33 -!- DrPepper [~DrPepper@88.207.183.72] has quit [Client Quit]
06:35 -!- telenieko [~53aff1d2@gateway/web/freenode/x-hyehbbmaimyjunwr] has quit [Quit: Page closed]
06:52 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 276 seconds]
06:55 -!- specnaz [~martin@193.145.150.120] has quit [Quit: Leaving]
07:00 -!- meGenius [~meGenius@ner-as22376.alshamil.net.ae] has joined ##openvpn
07:00 < meGenius> !welcome
07:00 < vpnHelper> meGenius: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:01 < kisom> !interface
07:01 < vpnHelper> kisom: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
07:02 < meGenius> a small question, should i use openvpn client to connect to openvpn server? or, i can use the builtin vpn connection wizard in all OS??
07:02 -!- DrPepper [~DrPepper@88.207.183.72] has joined ##openvpn
07:02 < kisom> you must use openvpn
07:02 < meGenius> damn!
07:03 < kisom> well you can use pppd (i think it was named that?) to get microsoft compatibility
07:03 < kisom> but openvpn is far more secure and reliable.
07:04 < meGenius> i want to know how to let any OS user to connect to the openVPN server using his default VPN connection wizard
07:04 < kisom> thats not possible.
07:05 < kisom> your clients must have openvpn
07:05 < meGenius> so, whether i need more searching or i should start using openvpn :)
07:07 < kisom> Well as I said, regardless of what O/S the client is using you must install openvpn
07:08 < dazo> not pppd ... pptp is the old-and-not-so-safe VPN solution from Microsoft
07:10 < dazo> meGenius: OpenVPN is not a difficult product when get through the first setup .... the challenge with OpenVPN is that it is incredibly flexible, and everything is handled by one program alone ... one binary can act as a client or server ... (not both at the same time though)
07:11 < dazo> !wiki
07:11 < vpnHelper> dazo: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
07:11 < dazo> meGenius: check out the wiki ^^  as well
07:23 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
07:34 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
07:47 -!- gop_ [~gopp@ool-44c07f7c.dyn.optonline.net] has quit [Ping timeout: 248 seconds]
08:11 -!- takamichi [~pri@94.75.217.249] has quit [Ping timeout: 240 seconds]
08:12 -!- takamichi [~pri@78.133.37.89] has joined ##openvpn
08:24 -!- oligo [~oligo@vps257.xlshosting.net] has quit [Quit: leaving]
08:30 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
08:39 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Read error: Connection reset by peer]
08:39 -!- gorkhaan_ [~gorkhaan@87.229.108.75] has joined ##openvpn
08:55 -!- crazygir [~jason@unaffiliated/crazygir] has quit [Ping timeout: 260 seconds]
08:56 -!- crazygir [~jason@li14-82.members.linode.com] has joined ##openvpn
08:56 -!- gorkhaan_ [~gorkhaan@87.229.108.75] has quit [Remote host closed the connection]
08:56 < jpalmer> !dns
08:56 < vpnHelper> jpalmer: "dns" is (#1) Level3 open recursive DNS server at 4.2.2.1, or (#2) Google open recursive DNS server at 8.8.8.8
08:56 < jpalmer> !ddns
08:57 < vpnHelper> jpalmer: Error: "ddns" is not a valid command.
08:57 < jpalmer> !bind
08:57 < vpnHelper> jpalmer: Error: "bind" is not a valid command.
08:58 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
08:59 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
09:01 < kisom> I'm doing VPN over TCP btw :<
09:02 < meGenius> dazo: i didn't try the openVPN yet
09:02 < meGenius> but i beleive that's easy
09:02 -!- crazygir [~jason@li14-82.members.linode.com] has quit [Ping timeout: 260 seconds]
09:03 < meGenius> my problem is, i want the VPN for my personal use, because i use a "LOT" of computers
09:03 < meGenius> sometimes i use a computers i can't install programs on them
09:03 -!- crazygir [~jason@li14-82.members.linode.com] has joined ##openvpn
09:03 < meGenius> & that's why i don't want a VPN server that needs a client
09:04 < meGenius> anyway, i may use it for sometime, because i dont' have time for more searching :)
09:04 -!- apt_get [~dennis@200.180.32.50] has joined ##openvpn
09:04 < apt_get> Hi
09:04 < apt_get> I want to openvpn authenticated with pam_smb.conf
09:04 < apt_get> and try plugin openvpn-auth-pam.so openvpn
09:05 < apt_get> My openvpn file :    'auth required /lib/security/pam_smb_auth.so debug'
09:05 < apt_get> But i cant do this work
09:08 < kisom> apt_get: Sorry, i was playing WoW when we went trough PAM in university...
09:08 -!- crazygir [~jason@li14-82.members.linode.com] has quit [Ping timeout: 252 seconds]
09:08 < apt_get> : )
09:08 < kisom> as far as i know, samba encrypts the passwords, maybe its not possible to use them with openvpn.
09:10 < ecrist> apt_get: what errors are you getting?
09:11 < apt_get> the error:   User not known to the underlying authentication module
09:12 -!- meGenius [~meGenius@ner-as22376.alshamil.net.ae] has quit [Read error: Connection reset by peer]
09:22 < dazo> meepmeep: OpenVPN don't really needs to be installed ... it just needs admin access when started ... you basically just need openvpn.exe and the needed .dll (which is located in the same bin directory, iirc)
09:25 < kisom> you also needs to install the tap driver
09:26 < kisom> need. not needs.
09:29 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Ping timeout: 260 seconds]
09:30 -!- MadTBone [~MadTBone@160.39.238.196] has joined ##openvpn
09:35 -!- lantizia_ [~lantizia@93-97-23-110.zone5.bethere.co.uk] has joined ##openvpn
09:36 < lantizia_> Hey is there any one particular directory (e.g. ~/.openvpn) that is handy for putting your config files in?  Also is the config file meant to end in .conf or .ovpn ?
09:37 < kisom> lantizia_: are we talking windows?
09:37 < lantizia_> kisom, no linux
09:37 < kisom> as far as i know, most distros use /etxc/openvpn
09:37 < kisom> etc*
09:38 < lantizia_> yeah but I want a place to put them where the user can write to normally
09:38 < kisom> users wont be able to open a tun interface :)
09:39 < lantizia_> true :) ok to lastly conf or opvpn ?
09:39 < lantizia_> so/to/so
09:40 < kisom> does not matter, in windows it should be .ovpn to make it auto start the openvpn daemon for each file
09:40 < kisom> but i believe .ovpn is "standard"
09:40 < lantizia_> ok :) 
09:41 < lantizia_> so in /etc/openvpn  I should have company.crt company-ca.crt company.key company.ovpn
09:41 < kisom> well it depends on what you've written in your conf file, but sounds like a good idea :)
09:43 < lantizia_> great :)
09:43 < lantizia_> thank you
09:44 < kisom> np, good luck
09:47 -!- crazygir [~jason@li14-82.members.linode.com] has joined ##openvpn
10:08 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
10:21 < ecrist> lantizia_: configs can go anywhere you want.
10:21 < ecrist> windows openvpn gui looks for the config file to end in.ovpn, whereas in reality, you can name it anything you want (i.e. openvpn doesn't care)
10:25 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
10:31 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:33 -!- spiffytech [spiffytech@pilot.trilug.org] has joined ##openvpn
10:35 < spiffytech> The HOWTO says I need tap for "browsing Windows file shares"- does that mean autodiscovering shares on the network, or viewing files/folders in the shares?
10:37 < dazo> spiffytech: that info might be a bit outdated ... even though, it's true - unless you use a WINS server
10:37 < dazo> it means browsing for servers, not files/folders on a server - that will work anyway
10:37 < spiffytech> OK, then I have a different problem. Yay. 
10:38 < dazo> :)
10:38 < dazo> spiffytech: check firewalls ... ports 137:139 (udp) and 445 (udp/tcp) needs to be open afair
10:41 < spiffytech> It's not just file sharing- I can't ping the server either. Both ping and filesharing worked yesterday, now I'm trying to figure out what's changed.
10:42 < spiffytech> Lucky me doesn't have access to the server right now to ease troubleshooting.
10:53 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Quit: mirco]
10:58 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Remote host closed the connection]
11:06 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
11:06 < nat2610> !def1
11:06 < vpnHelper> nat2610: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
11:16 < nat2610> my server is a linux (centos) my client a windows. I did set push "redirect-gateway def1" on my server config.  if It worked, when I go to whatismyip,.com I should see the ip of my server ? 
11:18 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
11:19 < nat2610> or do I have some kind of bridge for that to happen ? 
11:27 < kisom> nat2610: you need to set up routing
11:27 < kisom> i'd recommend masquerading a private IP range
11:27 < nat2610> kisom, client side ?
11:27 < kisom> server side
11:28 < kisom> something like...
11:28 < kisom> iptables -t nat -A POSTROUTING -s 10.11.0.0/24 -o eth0 -j MASQUERADE
11:28 < nat2610> I did !lnnat already 
11:28 < nat2610> !linnat
11:28 < vpnHelper> nat2610: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
11:29 -!- apt_get [~dennis@200.180.32.50] has quit [Quit: Ex-Chat]
11:29 < kisom> did you do echo 1 > /proc/sys/net/ipv4/ip_forward?
11:29 < nat2610> kisom, yes
11:29 < kisom> then you should be all set
11:29 < nat2610> kisom, is there a way to verify that server side, I'm ok ? 
11:30 < kisom> nat2610: try the connection maybe? :)
11:30 < nat2610> I did 
11:30 < nat2610> I'm connected
11:30 < kisom> and does ip.nu give you your server address?
11:31 < nat2610> kisom, no ... that's why I know there is something wrong somewhere
11:31 < nat2610> but I don't know where to look
11:31 < kisom> http://livepad.eu/openvpn
11:31 < vpnHelper> Title: EtherPad: openvpn (at livepad.eu)
11:31 < kisom> please paste your server conf
11:32 < nat2610> server conf: http://pastie.org/987609
11:33 < kisom> can you ping your server over the VPN?
11:34 < nat2610> I can ping it but I don't what route is taken
11:34 < kisom> can you ping 10.8.0.1?
11:34 < kisom> on the client side
11:35 < nat2610> kisom, no
11:35 < kisom> then you're probably not connected :)
11:35 < kisom> anyways, i'll have to go make some food
11:35 < kisom> i'll be back in 30-ish minutes
11:35 < kisom> good luck until then
11:35  * kisom &
11:36 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
11:36 < krzie> !ip
11:36 < vpnHelper> krzie: Error: "ip" is not a valid command.
11:36 < nat2610> kisom,  thanks ... it's odd because I see client side an interface with ip 10.8.0.6 so I'm pretty sure it got it from the server
11:36 < krzie> !factoids search --values ip.php
11:36 < vpnHelper> krzie: "tools" is https://www.secure-computing.net/ip.php
11:37 < krzie> you SHOULD have 10.8.0.6
11:37 < krzie> then that NATs to internet
11:37 < krzie> show me your NAT rule
11:38 < nat2610> actually I just realized on the log client side, it says route addition failed using createIpForwardEntry one ormore argument are not correct ... 
11:38 < krzie> windows?
11:38 < nat2610> krzie, http://pastie.org/987609 that's my server config
11:39 < nat2610> the server is a linux, the client a windows vista
11:39 < nat2610> and I'm using openvpn for windows
11:39 < krzie> !winroute
11:39 < nat2610> for the client
11:39 < vpnHelper> krzie: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
11:39 < krzie> i dont look at configs full of comments
11:39 < krzie> !configs
11:39 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
11:39 < Chosi> just run openvpn and the gui as admin
11:40 < Chosi> that's what worked for most of my users
11:40 < Chosi> :)
11:40 < krzie> right
11:40 < krzie> #4 from winroute ;)
11:40 < Chosi> yup
11:40 -!- openvpn2009 [~admin@adsl-71-140-186-185.dsl.pltn13.pacbell.net] has quit [Ping timeout: 258 seconds]
11:40 -!- Guest12047 [~admin@adsl-71-140-186-185.dsl.pltn13.pacbell.net] has joined ##openvpn
11:40 < nat2610> without comment => http://pastie.org/987620 
11:41 < Chosi> OpenVPN\bin -> right click openvpn.exe and openvpn-gui-1.0.3.exe, properties, compatability tab and enable the admin checkbox
11:41 -!- Guest12047 is now known as openvpn2009
11:41 -!- mode/##openvpn [+o openvpn2009] by ChanServ
11:41 < krzie> Chosi, what version openvpn do you run on windows?
11:41 < Chosi> 2.1.1
11:41 < krzie> ahh
11:42 < Chosi> why?
11:42 < krzie> didnt know the openvpn-gui-1.0.3.exe was still the name
11:42 < Chosi> mhm it is :)
11:42 < krzie> thought that was the old old .se link
11:42 < krzie> gotchya =]
11:44 < Chosi> i'm so glad all i wanted runs fine now
11:45 < Chosi> except that i still ned an open udp port in my users' firewall :>
11:45 < Chosi> they get disconnected regularly while playing
11:48 < nat2610> I added route-method exe and it works now
11:48 < nat2610> thanks ! 
11:50 -!- mirco [~mirco@p5B23FCF7.dip.t-dialin.net] has joined ##openvpn
11:51 -!- BoomSie [~gideon@dw77242112238.amsterdam-tc.dataweb.net] has quit [Quit: Ex-Chat]
11:55 -!- dazo is now known as dazo_afk
11:55 -!- nach0s [~nach0s@200.146.80.113.dynamic.adsl.gvt.net.br] has joined ##openvpn
11:55 < nach0s> !welcome
11:55 < vpnHelper> nach0s: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:56 < nach0s> !howto
11:56 < vpnHelper> nach0s: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:57 < nach0s> lol... well... I would like to know if is there any way to have openvpn with this vpn client http://openvpn.se/ and... without Certificate.... only LDAP authentication... I didn't find any howto about it...
11:57 < vpnHelper> Title: OpenVPN GUI for Windows (at openvpn.se)
12:06 -!- Gnewt [~hackerlet@li57-94.members.linode.com] has joined ##openvpn
12:06 < Gnewt> Is there a way to make OVPN route my connections through IPv6, like dynamic port forwarding SOCKS proxies do in SSH?
12:08 -!- smith57389 [~42230162@gateway/web/freenode/x-xznlmyaxeijfsuie] has joined ##openvpn
12:08 < krzie> !ipv6
12:08 < vpnHelper> krzie: "ipv6" is (#1) http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_OpenVPN_Tunnelbroker.php?lang=en to learn how to setup openvpn to be an ipv6 tunnel broker, or (#2) Here are some scripts from the mail list: http://article.gmane.org/gmane.network.openvpn.user/27514 or from a mirror: http://www.ircpimps.org/join-0.8.tar, or (#3) http://www.greenie.net/ipv6/openvpn.html for ipv6 payload patch
12:08 < vpnHelper> krzie: (adds some nice ipv6 options)
12:08 < krzie> see #3
12:08 < krzie> new options in openvpn
12:08 < krzie> but only in testing branch
12:08 < krzie> !testing
12:08 < vpnHelper> krzie: "testing" is "snapshots" is (#1) weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn, or (#2) by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch
12:09 < hyper_ch> hi krzie
12:10 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Excess Flood]
12:10 < smith57389> hello everyone, i had a quick question. is there a native server for open VPN available for XP? i see that its supported with VMs but i want to run it on a fairly low powered box that currently has xp on it.
12:10 < krzie> umm
12:10 < krzie> you dont need a VM
12:10 < krzie> just download openvpn, run your config, it works
12:10 < krzie> !download
12:10 < vpnHelper> krzie: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
12:11 -!- gopp [~gopp@pool-98-109-202-135.nwrknj.fios.verizon.net] has joined ##openvpn
12:11 < smith57389> ahhh, so the installer includes the client and the server?
12:11 < krzie> there is no difference in openvpn between client/server/point-to-point
12:12 < smith57389> i was confused by the "community software" and "server downloads" sections
12:12 < krzie> just different config files, same binary
12:12 < krzie> oh
12:12 < krzie> !access-server
12:12 < vpnHelper> krzie: "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations options
12:12 < vpnHelper> krzie: supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://beta.openvpn.net/index.php/access-server/download-openvpn-as.html, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
12:12 < krzie> we only support  the community version here
12:13 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
12:15 < smith57389> so once i get home i just run the comunity installer on my home machine, and configure it as a server? once last question then, what sort of specs does openvpn require to work as a server running on xp?
12:16 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Read error: Operation timed out]
12:17 < krzie> depends on your needs
12:17 < krzie> 1 client, EXTREMELY small
12:17 < hyper_ch> that's why I need a roomba: http://img2.purerave.com/5/85/5517985.gif
12:18 < smith57389> basically i just want to be able to remote into my home network so i can access my printers, rdp to my machines, access my media servers etc...
12:19 < smith57389> so a 1.5 ghz box should be PLENTY?
12:19 < krzie> how many clients
12:19 < krzie> a couple hundred, 1?
12:20 < smith57389> probably just me and or a few others max 10 or so
12:20 < krzie> very much plenty
12:20 < krzie> you will want
12:20 < krzie> !confgen
12:20 < vpnHelper> krzie: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
12:20 < krzie> if you have a unix box to run it on
12:20 < krzie> if not
12:20 < krzie> !sample
12:20 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
12:20 < krzie> !route
12:20 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:21 < smith57389> awesome! thanks.
12:23 -!- nach0s [~nach0s@200.146.80.113.dynamic.adsl.gvt.net.br] has quit []
12:23 -!- SmokeyD [~SmokeyD@f12099.upc-f.chello.nl] has joined ##openvpn
12:24 -!- smith57389 [~42230162@gateway/web/freenode/x-xznlmyaxeijfsuie] has quit [Quit: Page closed]
12:26 < SmokeyD> hey everyone. if I have an established connection between a linux openvpn server and a windows client with two-way access, what would be the most fool proof method to fetch filed located on the client, from the server?
12:26 < hyper_ch> SmokeyD: I assume you have a shell user account on the server?
12:27 < SmokeyD> hyper_ch: yes. I have root access
12:27 < hyper_ch> SmokeyD: and I assume a ssh server is instaleld?
12:28 < SmokeyD> yes. on the server. but what do I need on the client side so I can access files located on it from the server (through ssh  for instance)
12:29 < hyper_ch> use filezilla
12:29 < hyper_ch> or winscp
12:29 < krzie> psftp works too
12:29 < hyper_ch> use the ssh credentials in filezilla and use port 22
12:29 < krzie> pretty sure theres a sc for it as well
12:29 < hyper_ch> winscp can do nothing but scp access
12:29 < krzie> scp*
12:29 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Ping timeout: 240 seconds]
12:29 < hyper_ch> krzie: 
12:29 < krzie> (cli scp i meant)
12:29 < hyper_ch> krzie: openvpn saved my but yesterday
12:30 < SmokeyD> hyper_ch, no I need it the other way around. I am sitting behind the server and want to access files located on the clients connected to it. someone else established that connection.
12:31 < hyper_ch> I forgot to properly forward port 81 on the router and then i installed openvpn as client there, hooked it up to my network
12:31 < krzie> hyper_ch, locked yourself out but could vpn in?
12:31 < hyper_ch> and well, port 80 and 81 worked then just perfectly
12:31 < hyper_ch> I had ssh access to it
12:31 < krzie> !route
12:31 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:31 < hyper_ch> but iddn't setup 81 properly :)
12:31 < hyper_ch> so I couldn't access apache on there
12:31 < hyper_ch> as I wanted to setup horde
12:31 < krzie> you need to push the server LAN subnet to the clients
12:32 < krzie> and prolly add a route to the router of the LAN
12:32 < krzie> all explained in !route
12:32 < hyper_ch> SmokeyD: you can't just access a machine or files on it, if they aren't made accessible somehow
12:34 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
12:34 < SmokeyD> hyper_ch: yes I know, so what would be the most fool proof method to make some folder available?
12:35 < hyper_ch> a samba share maybe?
12:35 < SmokeyD> I dont like windows file sharing because of the heterogenous nature of all the client machine (although they are all windows)
12:35 < hyper_ch> cygwin and start ssh server there
12:36 < hyper_ch> a linux vm that with ssh server that mounts a host folder
12:36 < hyper_ch> setting up a ftp server
12:36 < hyper_ch> installing apache and make a directory available and browseable
12:36 < hyper_ch> replace windows with linux
12:36 < hyper_ch> or unix
12:37 < hyper_ch> but honestly, there's no really a fool-proof way... it's windows
12:37 < SmokeyD> hyper_ch: the client machines are all simple workstations managed by some dumbass sysadmin. I want to keep it as simple as possible for him/her :) 
12:38 < hyper_ch> have him install linux :)
12:38 < SmokeyD> if only I could :)
12:38 < SmokeyD> but maybe I should make a samba share in the vpn server and make the rum a script on the client to copy the files to it, instead of accessing the files the other way around
12:39 < SmokeyD> the rum=them run
12:39 < SmokeyD> freudian error :)
12:40 < hyper_ch> well, don't know... I listed a couple of options
12:40 < krzie> !windows
12:40 < vpnHelper> krzie: "windows" is pcs are like air conditioners, they work fine unless you open windows
12:40 < hyper_ch> Linux is like a wigwam
12:40 < hyper_ch> inside you always have an apache
12:40 < SmokeyD> :D
12:41 -!- mirco [~mirco@p5B23FCF7.dip.t-dialin.net] has quit [Quit: mirco]
12:41 < SmokeyD> I got to rember those :)
12:41 < SmokeyD> remember
12:41 < hyper_ch> In a world without walls and fences, who needs Windows and Gates?
12:41 < SmokeyD> :)
12:42 < hyper_ch> btw, you heard about Google ditching windows?
12:42 < SmokeyD> but you did help me get my thought organized. thanks :)
12:42 < SmokeyD> hyper_ch yes I heard.
12:42 < SmokeyD> really cool.
12:43 < hyper_ch> I used to run War FTP on windows
12:46 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Ping timeout: 272 seconds]
12:46 -!- LeRrA [~lerra@c-579072d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined ##openvpn
12:48 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
12:49 -!- gopp [~gopp@pool-98-109-202-135.nwrknj.fios.verizon.net] has quit [Ping timeout: 260 seconds]
12:53 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
12:54 -!- gopp [~gopp@pool-98-109-202-135.nwrknj.fios.verizon.net] has joined ##openvpn
13:03 -!- manevra [~manevra@86.121.165.74] has joined ##openvpn
13:05 -!- squidly [~squidly@HoodLUG/member/squidly] has joined ##openvpn
13:05 < squidly> !welcome
13:05 < vpnHelper> squidly: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:06 < hyper_ch> hi squidly
13:07 < hyper_ch> squidly: how my krzie be of service to you? *ggg*
13:08 -!- manevra [~manevra@86.121.165.74] has quit []
13:08 < squidly> i'm having an issue with openvpn client setup. I used easy-rsa to build my key, but when ever I try to login to the vpn I keep getting  Error: private key password verification failed
13:08 < squidly> I know I'm using the correct password
13:09 < squidly> i'm kind of lost with this. I dont use openvpn all that often
13:09 < hyper_ch> why not first trying to build without password?
13:09 < squidly> hyper_ch: I did
13:09 < squidly> same thing
13:10 < hyper_ch> !tell squidly [config]
13:15 < squidly> hyper_ch: I'm not sure I understand
13:15 < hyper_ch> pastebin your configs
13:15 < hyper_ch> !config
13:15 < vpnHelper> hyper_ch: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
13:16 < hyper_ch> oh hmm
13:16 < hyper_ch> !welcome
13:16 < vpnHelper> hyper_ch: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:16 < hyper_ch> !tell squidly [configs]
13:17 < squidly> hyper_ch: ahh ok
13:17 < squidly> one sec and i will past my configs
13:20 < squidly> hyper_ch: got it. the copy of my key got corupted.
13:20 < hyper_ch> you don't scp the keys?
13:20 < squidly> hyper_ch: i'm local right now so I was able to use nfs..
13:20 < squidly> (which normally works)
13:23 < squidly> using scp did work..
13:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:26 -!- Netsplit *.net <-> *.split quits: xargs
13:30 -!- xargs [~xargs@69.73.167.236] has joined ##openvpn
13:37 -!- gop_ [~gopp@pool-98-109-202-135.nwrknj.fios.verizon.net] has joined ##openvpn
13:40 -!- gopp [~gopp@pool-98-109-202-135.nwrknj.fios.verizon.net] has quit [Ping timeout: 240 seconds]
13:41 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
13:41 -!- roentgen [~HaRT@miranda/user/roentgen] has left ##openvpn []
13:41 -!- gop_ [~gopp@pool-98-109-202-135.nwrknj.fios.verizon.net] has quit [Ping timeout: 265 seconds]
13:44 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
13:57 -!- roentgen [~HaRT@miranda/user/roentgen] has left ##openvpn ["Leaving."]
13:58 -!- troy-_ [ac495d3b25@bgp4.us] has joined ##openvpn
13:59 -!- troy- [f27a6445c2@bgp4.us] has quit [Read error: Connection reset by peer]
14:01 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
14:01 -!- roentgen [~HaRT@miranda/user/roentgen] has left ##openvpn []
14:10 -!- SmokeyD [~SmokeyD@f12099.upc-f.chello.nl] has quit [Quit: Leaving]
14:14 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Remote host closed the connection]
14:15 -!- kmw2 [~kyle@cpc2-sotn9-2-0-cust191.15-1.cable.virginmedia.com] has joined ##openvpn
14:16 < kmw2> hi guys.. i dont if anyone can advise me on this. Ive got working openvpn, but i want to push a dns service to most of my clients.. but theres a couple i dont want to. Can i use ccd files to stop a general dns option being pushed out?
14:34 < hyper_ch> kmw2: yes, in the ccd you can put in what should and what should not be pushed to the clients
14:34 < kmw2> i know.. but if ive got a generic option how do i override that on a ccd?
14:39 -!- roentgen [~HaRT@psw.ro] has joined ##openvpn
14:39 -!- roentgen [~HaRT@psw.ro] has quit [Changing host]
14:39 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
14:41 < krzee> try just doing it, if that doesnt work try putting the one that is in server.conf in ccd/default
14:41 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:41 < krzee> i THINK that file is checked
14:41 < krzee> dunno why i think that, but im pretty sure i remember it
14:42 < krzee> oh, with caps
14:42 < krzee> ccd/DEFAULT
14:42 < krzee> from manual
14:42 < krzee>  If no matching file is found, OpenVPN will instead try to open and parse a default file called "DEFAULT", which may be provided but is not required.
14:44 < kmw2> ahhh yeah
14:44 < kmw2> thanks :)
14:44 < krzee> yw
14:44 < kmw2> thanks :)
14:44 -!- kmw2 [~kyle@cpc2-sotn9-2-0-cust191.15-1.cable.virginmedia.com] has quit [Quit: kmw2]
14:46 -!- roentgen [~HaRT@miranda/user/roentgen] has left ##openvpn ["Leaving."]
14:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
15:03 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 240 seconds]
15:17 -!- Niklas- [~niklas@217.116.253.195] has quit [Ping timeout: 240 seconds]
15:17 -!- Niklas- [~niklas@217.116.253.195] has joined ##openvpn
15:26 -!- mirco [~mirco@p5B23FCF7.dip.t-dialin.net] has joined ##openvpn
15:32 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
15:39 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
15:45 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
15:50 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 276 seconds]
15:51 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
15:57 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
16:05 -!- takamichi [~pri@78.133.37.89] has quit [Ping timeout: 240 seconds]
16:10 -!- b0nn [~this@202-180-91-108.callplus.net.nz] has joined ##openvpn
16:10 < b0nn> hmm, my openvpn is up and running
16:10 < b0nn> I have one last task, setting the server to starting the correct vpn at boot time
16:12 < lantizia_> BUMPER CARZ
16:22 < krzee> b0nn, what OS
16:22 -!- mirco [~mirco@p5B23FCF7.dip.t-dialin.net] has quit [Quit: mirco]
16:23 < krzee> starting openvpn on boot is not openvpn's job, its your OS's
16:23 < krzee> so the OS matters
16:23 < krzee> in windows youd make it a service, in freebsd youd set some vars in rc.conf if installed via ports, etc
16:31 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
16:32 < b0nn> krzee: debian
16:33 < krzee> iirc debian will start all files named *.conf in the right dir on boot
16:33 < b0nn> yeah, just found it on the openvpn.net page
16:34 < b0nn> I hazard a guess that /etc/defaults/openvpn is configured to start all, which means all .conf files
16:35 < krzee> hazard how?
16:35 -!- lantizia_ is now known as Lantizia
16:35 < Lantizia> Bow chica bowow
16:37 -!- b0nn [~this@202-180-91-108.callplus.net.nz] has quit [Remote host closed the connection]
16:40 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Remote host closed the connection]
16:47 -!- simoinfonet [simoinfone@41.214.247.199] has joined ##openvpn
16:47 < simoinfonet> hi for every body
16:49 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:50 < simoinfonet> i install a openvpn server in a Debian VM , i can to have access remotly to my work but i have a speed probleme of my tun interface it fixed to 10 Mo/s
16:50 < simoinfonet> some one can help me to increase this speed to 100 Mo/S
16:50 < simoinfonet> thanks for help
16:55 < krzee> niether my fbsd box or osX box show a interface speed
16:55 < krzee> on the tun device
16:56 < krzee> what i can tell you is that the tun device is not part of openvpn, its part of your OS
16:56 < krzee> windows is the only place where the interface comes with openvpn
16:56 -!- simoinfonet [simoinfone@41.214.247.199] has quit [Ping timeout: 240 seconds]
17:04 -!- simoinfonet [simoinfone@41.214.227.230] has joined ##openvpn
17:04 < simoinfonet> Welcome
17:04 < simoinfonet> Hi for every body 
17:05 < krzee> [14:59]  <krzee> niether my fbsd box or osX box show a interface speed
17:05 < krzee> [14:59]  <krzee> on the tun device
17:05 < krzee> [14:59]  <krzee> what i can tell you is that the tun device is not part of openvpn, its part of your OS
17:05 < krzee> [15:00]  <krzee> windows is the only place where the interface comes with openvpn
17:06 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
17:06 < simoinfonet> i installed a OpenVpn server 
17:07 < krzee> [14:53]  <simoinfonet> i install a openvpn server in a Debian VM , i can to have access remotly to my work but i have a speed probleme of my tun interface it fixed to 10 Mo/s
17:07 < krzee> [14:53]  <simoinfonet> some one can help me to increase this speed to 100 Mo/S
17:07 < krzee> [14:54]  <simoinfonet> thanks for help
17:07 < krzee> i saw what you said
17:07 < krzee> then i answered it
17:07 < krzee> openvpn doesnt have any control over that
17:08 < simoinfonet> so have you some ideam about the problem 
17:08 < simoinfonet> the client openvpn is in windows XP 
17:09 < simoinfonet> and the connection to my site is very slow
17:09 < simoinfonet> i have 20 Mo ADSL speed
17:09 < krzee> for the record, its Mb
17:09 < krzee> (megabit)
17:10 < simoinfonet> yes
17:11 < simoinfonet> simply my question is how to increase the openvpn speed ??
17:11 < krzee> you're saying its your interface... if thats true its not openvpn
17:12 < krzee> if not, theres a couple things you can do to get more performance...
17:12 < krzee> using UDP, adjusting MTU
17:13 < simoinfonet> ok so when i use UDP i lost my connection 
17:13 < simoinfonet> how can i adjust MTU please ??
17:14 < krzee> i believe you need to be using UDP to do it
17:14 < krzee> !tcp
17:14 < vpnHelper> krzee: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
17:14 < krzee> note, you must be using udp on both sides, and adjust any firewall rules / port forwarding accordingly
17:21 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
17:37 -!- simoinfonet [simoinfone@41.214.227.230] has quit [Ping timeout: 264 seconds]
17:38 -!- simoinfonet [simoinfone@41.214.129.235] has joined ##openvpn
17:39 -!- simoinfonet [simoinfone@41.214.129.235] has quit [Client Quit]
17:39 -!- simoinfonet [~msahlaoui@41.214.129.235] has joined ##openvpn
17:39 < simoinfonet> hello
17:48 -!- b0nn [~this@202-180-91-108.callplus.net.nz] has joined ##openvpn
17:49 < b0nn> hmm, my client machine, I have to manually edite the routing table each time I restart the openvpn client
17:49 < b0nn> edit*
17:50 < b0nn> In order for traffic to flow correctly I need to execute "route add default gw <ip of tun0 on the client>"
17:54 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
18:03 -!- clyons [~clyons@unaffiliated/clyons] has joined ##openvpn
18:15 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:29 < krzee> no you dont
18:29 < krzee> you just need redirect-gateway
18:29 < krzee> i coulda sworn i told you that before (not today)
18:29 < krzee> !def1
18:29 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
18:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
18:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:42 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 272 seconds]
18:45 -!- dan08 [~dan08@cpc1-shep1-0-0-cust673.lei3.cable.ntl.com] has joined ##openvpn
18:47 < dan08> Hey, can anyone help me? I'm having some problems
18:48 < dan08> on my ubuntu machine BTW
18:50 < jpalmer> I was under the impression that openvpn had a way to update DDNS entries for BIND,  but I'm not seeing it.  pointers?
18:51 -!- simoinfonet [~msahlaoui@41.214.129.235] has quit [Ping timeout: 240 seconds]
18:51 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
18:54 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
18:57 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has quit [Read error: Operation timed out]
18:58 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has joined ##openvpn
19:01 < dan08> Ok I really think this is a bug, in the Web UI login page if my root password has got symbols like ? or ! it gives me a "incorrect password" but if doesn't have if it just like letters it works normally, and logs me in. is this normal?
19:01 < krzee> there is no webUI page with openvpn
19:01 < krzee> if you are talking about access-server, please go to their support
19:02 < krzee> !AS
19:02 < vpnHelper> krzee: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
19:02 < vpnHelper> krzee: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://beta.openvpn.net/index.php/access-server/download-openvpn-as.html, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
19:08 < dan08> @vpnHelper Ok understand now. thanks for making it clear. im still pretty new with this stuff
19:09 < krzee> !bot
19:09 < vpnHelper> krzee: "bot" is I'm a bot.. just a bot. krzee is my maintainer, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
19:10 < jpalmer> I was under the impression that openvpn had a way to update DDNS entries for BIND,  but I'm not seeing it.  pointers?
19:10 < krzee> DDNS...?
19:10 < krzee> like those dynamic DNS sites...?
19:11 < jpalmer> dynamic DNS entries
19:11 < krzee> as in dyndns.org type thing...?
19:11 < jpalmer> no,  as in bind's DDNS
19:11 < krzee> bind has DDNS?
19:12 < krzee> how so...?
19:12 < krzee> or you mean you have scripts that change DNS entries in your BIND based on your IP changing
19:12 < jpalmer> it'd allow you to setup something like..  client-common-name.vpn.domain.com  and the entry would be populated by the current IP of that client
19:12 < krzee> that would go in a --client-connect script
19:12 -!- cobra [~cob@0-20.dsl.iskon.hr] has joined ##openvpn
19:13 < jpalmer> hrm,  I thought openvpn server could interface with nsupdate natively.  I guess I'll just keep researching
19:14 < krzee> openvpn purposely doesnt do things like that
19:14 < krzee> it doesnt admin your firewall, your dns, anything like that
19:14 < krzee> but theres hooks for scripts in many places for you to extend it to do so
19:14 < krzee> in your case, --client-connect is the hook you want
19:15 < krzee> !factoids search script
19:15 < vpnHelper> krzee: '2.1-winpass-script' and 'winscript'
19:15 < jpalmer> yeah, I'm guessing I'll have to script it.  I thought I'd done it once before using openvpn, but must be mistaken
19:15 < krzee> heh
19:15 < krzee> !factoids
19:15 < vpnHelper> krzee: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
19:15 < krzee> (thats for me)
19:16 < jpalmer> I just started learning python.  going to write a module for a supybot as one of my first learning projects.  after the mandatory helloworld.
19:17 -!- cobra [~cob@0-20.dsl.iskon.hr] has left ##openvpn []
19:18 < krzee> right on
19:18 < krzee> i been meaning to play with python as well
19:18 < krzee> already have a plan on what you want the supybot module to do?
19:19 < jpalmer> I've had a websie idea for about 10 years, that I think has a good  chance of becoming pretty profitable.  going to learn python and start working on it.
19:19 < jpalmer> the cool thing is, it's for a niche audience,  but the site idea is templatable and easily moved to other niches.
19:21 < jpalmer>  yeah, I have a specific need for a module. so, aleady have an idea in mind.
19:22 -!- dan08 [~dan08@cpc1-shep1-0-0-cust673.lei3.cable.ntl.com] has left ##openvpn ["Konversation terminated!"]
19:27 < krzee> nice
19:27 < krzee> whats it gunna do
19:28 < jpalmer> hehe  long story short:  it's going to enforce some rules,  but *only* when spcecific channel staff have been incative for X period of time.  to help when the channel is staff-less
19:29 < krzee> ahh cool
19:30 < jpalmer> (one of our channels experiences a lot of childish activity in the overnight hours. hopefully,  this will help.
19:30 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
20:00 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:13 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
20:25 -!- Gnewt [~hackerlet@li57-94.members.linode.com] has quit [Remote host closed the connection]
20:30 < ecrist> we need some off-hours staff in here.
20:31 < ecrist> we don't have many problems, but once in a while things go down.
20:31 -!- tjz [~pc@bb116-14-142-112.singnet.com.sg] has joined ##openvpn
20:31 -!- tjz [~pc@bb116-14-142-112.singnet.com.sg] has quit [Changing host]
20:31 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:36 -!- gopp [~gopp@ool-44c07f7c.dyn.optonline.net] has joined ##openvpn
20:36 < theDoc> See guys, take jagerbombs in moderation
20:36 < theDoc> I don't know how I got home last night
20:37 -!- glguy [~emertens@unaffiliated/glguy] has joined ##openvpn
20:37 < glguy> Is the OpenVPN packet format defined anywhere outside of the source code?
20:38 < krzee> kinda
20:38 < krzee> lemme try to find
20:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
20:40 < krzee> http://openvpn.net/index.php/open-source/documentation/security-overview.html
20:40 < vpnHelper> Title: Security Overview (at openvpn.net)
20:41 < glguy> I guess the answer really was "kinda" :)
20:41 < glguy> thanks
20:42  * glguy finds http://fengnet.com/book/VPNs%20Illustrated%20Tunnels%20%20VPNsand%20IPsec/ch08lev1sec5.html
20:46 -!- Lantizia [~lantizia@93-97-23-110.zone5.bethere.co.uk] has quit [Quit: Leaving]
21:02 < krzee> !pptp
21:02 < vpnHelper> krzee: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
21:02 < vpnHelper> krzee: read about why to not use pptp
21:07 < glguy> were you considering pptp before you ran that command?
21:08 < krzee> hells no
21:08 < krzee> i pasted it to a friend
21:08 < krzee> he mentioned his office uses pptp
21:16 -!- disposable [disposable@blackhole.sk] has quit [Ping timeout: 276 seconds]
21:17 -!- disposable [disposable@blackhole.sk] has joined ##openvpn
21:47 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
21:54 -!- glguy [~emertens@unaffiliated/glguy] has quit [Quit: WeeChat 0.3.2]
21:56 -!- glguy [~eric@2002:476f:30f5:0:21f:5bff:fec6:d71b] has joined ##openvpn
21:56 -!- glguy [~eric@2002:476f:30f5:0:21f:5bff:fec6:d71b] has quit [Changing host]
21:56 -!- glguy [~eric@unaffiliated/glguy] has joined ##openvpn
22:00 < glguy> What is the "access server" that ##openvpn doesn't support (from the chanserv channel message)?
22:04 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has joined ##openvpn
22:05 < glguy> Ah, I guess openvpn.net has their own commercial offering
22:05 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has quit [Client Quit]
22:06 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has joined ##openvpn
22:20 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
22:24 -!- simplechat_ [~simplecha@unaffiliated/simplechat] has joined ##openvpn
22:25 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Ping timeout: 245 seconds]
22:25 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
22:30 < networkn> Hi I am trying to connect a windows pc to a linux box. my configs are here.. Could someone let me know why this isn't working?
22:30 < networkn> http://pastebin.ca/1875793
22:38 < glguy> networkn: you probably won't get very meaningful help without explaining the specific problem or logs
22:42 < networkn> hi, it won't connect. I can't ping either end of the tunnel, and when I do an ipconfig the tap80 isn't showing up
22:51 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has quit [Quit: Leaving.]
22:52 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has joined ##openvpn
23:18 -!- takamichi [~pri@78.133.37.89] has joined ##openvpn
23:24 < fluvvell> networkn, any reason you "have to" use pptp ?
23:25 < fluvvell> networkn, far easier to configure and free of most firewall issues is openvpn
23:25 < fluvvell> networkn, only port that needs to be open is 1194 with UDP
23:31 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
23:31 < networkn> fluvvell: they have about 20 connections all using their own port
23:31 < networkn> this one uses 1280
23:31 < networkn> given the server is listening on that port, is it likely that is the problem?
23:36 -!- b0nn [~this@202-180-91-108.callplus.net.nz] has quit [Ping timeout: 264 seconds]
23:41 -!- jhaar [~jhaar@222-154-246-214.adsl.xtra.co.nz] has quit [Quit: Leaving.]
23:42 < fluvvell> networkn, so your pastebin stuff is your openvpn config files ?
23:43 < fluvvell> I don't understand why you are using multiple ports. 
23:43 < fluvvell> or other than the normal 1194
23:52 < networkn> fluvvell: yes they are the configs from both sides
23:52 < networkn> server for the linux box, remote for the xp workstation
23:52 < networkn> fluvvell: re ports, it's how they have always done it.
23:53 < fluvvell> networkn, but not with openvpn ?
23:57 < fluvvell> networkn, i have multiple computers connected in at once, each getting their own ip address, all coming into the same port. Just to say an organisation has always done it, doesn't make it right
23:58 -!- smith43789 [~43b7fbdf@gateway/web/freenode/x-vhpkdgihmgqeklis] has joined ##openvpn
23:58 < smith43789> !welcome
23:58 < vpnHelper> smith43789: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:58 < smith43789> !sample
23:58 < vpnHelper> smith43789: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
23:59 < smith43789> !mitm
23:59 < vpnHelper> smith43789: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
23:59 < smith43789> !goal
23:59 < vpnHelper> smith43789: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
--- Day changed Wed Jun 02 2010
00:04 < fluvvell> networkn, are you interested in my sample configuration for server?
00:10 < hyper_ch> !tell networkn [tunortap]
00:11 < fluvvell> !tell fluvvell [tunortap]
00:12 < hyper_ch> besides, why such a complicated setup first... keep it simple, make sure it's working and then add complexity like different subnets etc
00:13 < hyper_ch> also protocol is missing... you don't say whether to use udp or tcp
00:16 < fluvvell> !iporder
00:16 < vpnHelper> fluvvell: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
00:18 < smith43789> I have an XP machine that i want to use as a vpn server, so I can access my home network from work, friends houses etc.. I am looking at the sample config files that came with the package and I am wondering what stuff i need to change. i'm assuming i want to use TCP instead of UDP for example.
00:21 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Ping timeout: 240 seconds]
00:36 < smith43789> I have an XP machine that i want to use as a vpn server, so I can access my home network from work, friends houses etc.. I am looking at the sample config files that came with the package and I am wondering what stuff i need to change. i'm assuming i want to use TCP instead of UDP for example.
00:36 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
00:48 < krzie> !tcp
00:48 < vpnHelper> krzie: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
00:48 < krzie> you want UDP
00:49 < krzie> !sample
00:49 < networkn> fluvvell: that's true, however what I am saying is this should work, since this is how the other connections are setup.
00:49 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
00:49 < krzie> !route
00:49 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
00:49 < networkn> and if I see tunortap again i am going to scream
00:49 < networkn> I preume one or the other of my config files are wrong, I was hoping someone might see something obvious
00:49 < krzie> networkn, i have wanted to scream at all the gratuitous bridge using as well
00:49 < krzie> networkn, whats the pastebin?
00:49 < networkn> krzee: huh?
00:50 < krzie> [01:49]  <networkn> and if I see tunortap again i am going to scream
00:50 < networkn> http://pastebin.ca/1875793
00:50 < krzie> [01:49]  <krzie> networkn, i have wanted to scream at all the gratuitous bridge using as well
00:50 < networkn> I just want something that works, honestly :-) I don't care if it's tun or tap or tapdancing
00:51 < krzie> pastebin - invalid id
00:51 < networkn> argh hang a tic
00:51 < krzie> !goal
00:51 < vpnHelper> krzie: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
00:53 < networkn> http://pastebin.ca/1875833
00:54 < networkn> krzee: I need to connect a remote computer to the network at HQ, and allow bidirectional traffic between them
00:54 < networkn> it's a single xp pc
00:55 < krzie> what kind of traffic
00:55 < networkn> hmm netbios
00:55 < krzie> windows filesharing?
00:55 < networkn> and ip
00:56 < networkn> yes
00:56 < krzie> xp - xp?
00:56 < networkn> they need to be able to \\remotepc\c$ from hq to this pc
00:56 < krzie> linux smb server?
00:56 < networkn> nope the hq end is linux which frontends to the windows network they have there
00:56 < networkn> if I connect this xp pc to hq, apparently eveyrthing else is already setup
00:57 < krzie> do you have any access to config on the linux hq smb server?
00:57 < networkn> yup
00:57 < krzie> or: does it run WINS?
00:57 < krzie> oh cool
00:57 < krzie> !wins
00:57 < vpnHelper> krzie: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
00:57 < krzie> its super simple
00:57 < networkn> ok no I don't think you are understanding me
00:57 < krzie> then you push dhcp-option wins
00:57 < networkn> the linux box is a gateway for hq
00:58 < krzie> does it interface into the smb network?
00:58 < networkn> krzee: right now I can't even get the vpn up, I can't ping either end
00:58 < networkn> krzee: yes but I am unsure how
00:58 < krzie> right, but i can say !sample and its up
00:58 < krzie> its a matter of if you can runs a WINS server and do it easiest or not
00:59 < krzie> so the linux box is or is not running samba already?
00:59 < networkn> krzie: I took a working config and tried to adjust it, but it's not working
00:59 < networkn> krzee: I don't think the linux box is doing samba
00:59 < networkn> it's passing all that traffic through to the AD Domain somehow I think
01:00 < krzie> you made a static tun device and named it tap80?
01:00 < networkn> when I do an ipconfig on the remote xp pc, I don't see the tap device, like I do if I install it on a test machine here
01:00 < networkn> krzee: I am really new to this
01:01 < networkn> so I am not sure, I inherited this whole mess
01:01 < krzie> made dev tap80 dev tap
01:01 < networkn> how can i tell if the device exists already?
01:01 < krzie> did you install openvpn...?
01:01 < networkn> yup
01:01 < krzie> is this windows?
01:01 < networkn> yes
01:01 < networkn> xp
01:01 < krzie> its installed
01:02 < networkn> yes there is a tap device in windows connections list..
01:02 < krzie> wow
01:02 < krzie> you need entirely new configs
01:02 < networkn> was called local connection 6
01:02 < krzie> big tinme
01:02 < krzie> time
01:02 < krzie> !bridge
01:02 < vpnHelper> krzie: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for anything where the protocol uses MAC addresses instead of IP addresses.
01:02 < vpnHelper> krzie: (but not samba, see !wins)
01:03 < krzie> im not much with bridge, but i also dont want to teach you how to run samba
01:05 < krzie> or you can do it easier and use the link in WINS to run a wins server
01:05 < krzie> then your openvpn config is !sample
01:06 < networkn> No I think I have confused you somehow
01:06 < krzie> with an option to push dhcp-option wins
01:06 < networkn> everything I need is already in place, I need to make it so that this remote computer can connect to the linux box
01:06 < networkn> I don't need to worry about samba, all that stuff should be in place, as all the other sites are working
01:06 < krzie> there is already a WINS server on the other side?
01:06 < networkn> I don't know, but it works
01:07 < krzie> ok, so they already have a openvpn server running?
01:07 < networkn> yes
01:07 < networkn> on linux
01:07 < krzie> cause those 2 configs you pasted shouldnt work together
01:07 < networkn> right.. what do I need to change on the remote side to make it match with the server side
01:08 < krzie> they should have supplied you with a config
01:08 < krzie> that already works for the other already working clients
01:08 < networkn> let's assume for the sake of simplicity that the server config is correct
01:08 < krzie> then you change path to certs, and it works
01:08 < krzie> i dont waste my time here assuming
01:08 < krzie> it just invites a long useless runaround
01:09 < networkn> well we need to start somewhere
01:09 < networkn> surely if the server and client side match, a connection should be possible
01:09 < krzie> do you or do you not currently have working clients?
01:10 < networkn> yes, but this site uses, I think, server and client configs for each seperate connection
01:10 < krzie> lol
01:10 < krzie> you need to start over
01:10 < networkn> so each store has a server side conf, and a client side ovpn for each store
01:10 < krzie> i wrote this doc
01:10 < krzie> !route
01:10 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
01:11 < krzie> and trust me that these configs are so far off, you need to start over
01:11 < networkn> well in 6 months we are replacing the entire system in 6 months time, but right now, I need to patch things together, so it will work until then
01:11 < krzie> and another thing, these configs would never allow netbios
01:11 < networkn> so both server AND client side are wrong, or they just don't match?
01:13 < krzie> they could work as oenvpn 1.0 style configs
01:13 < krzie> for one thing, you have them in different subnets
01:13 < networkn> how can i tell what version runs on the server?
01:13 < krzie> you use tap, which is for layer2, then you make your connection as ip instead of bridging
01:13 < krzie> so netbios wont work
01:14 < krzie> which is why yould need a WINS server
01:14 < krzie> 2.x runs 1.x style configs
01:14 < krzie> but basically, its before servers could have multiple clients connected to a single port
01:14 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
01:14 < krzie> its a point-to-point vpn
01:15 < networkn> [06:13pm] <krzie> you use tap, which is for layer2, then you make your connection as ip instead of bridging < are you telling me how it's configured now based on the configs I have pasted, or are you telling me how I need to do it >
01:15 < krzie> and with your addressing, they cant talk ip
01:15 < krzie> both i guess
01:15 < krzie> you are currently using tap, but not bridging
01:16 < networkn> I want tap though right?
01:16 < krzie> if you want to use ip, may as well use tun, but then you need a WINS server running
01:16 < krzie> if you use tap, you should bridge, and wont need a WINS server
01:16 < krzie> but you will have higher overhead
01:16 < networkn> ok let me see if I can grab the server conf for a working configuration
01:16 < krzie> not a big deal if using low bw
01:17 < krzie> you will also be using your layer2 over the vpn, which can have security issues because layer2 was made to be trusted and has no security
01:17 < krzie> (if tap bridge)
01:17 < networkn> GOD I hate putty, it keeps opening up larger than my screen side
01:17 < networkn> size
01:17 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:17 -!- mode/##openvpn [+o mattock] by ChanServ
01:17 < krzie> basically, if you use tap, use a bridge
01:17  * networkn goes and gets a knife
01:18  * networkn slits his wrists
01:18 < krzie> first of all
01:18 < krzie> there are no other clients connecting to this server currently
01:18 < krzie> i know that because its not made for multiple clients
01:18 < networkn> not to this instance of the server
01:18 < krzie> its a point to point config
01:18 < krzie> doesnt use server or server-bridge command
01:18 < networkn> there are lots of clients connected to this server.. about 15 other stores in various ways
01:19 < krzie> various ways?
01:19 < krzie> all you need is 1 server
01:19 < krzie> other 15 connect in
01:19 < krzie> done
01:19 < networkn> krzee: as I said, there are LOADS of conf files on this server
01:19 < krzie> well you're doing it wrong
01:19 < krzie> hehe
01:19 < networkn> I am not doing it wrong, I inherited this goddamn mess
01:20 < networkn> I am trying to work out what is going on
01:20 < krzie> ok, wanna know how to do it right?
01:20 < networkn> no, I wanna know how to get it going right now, so the client stops whining, so I can take my time and learn it properly so eventually I can create a properly working system
01:20 < networkn> right now I need a bandaid
01:20 < krzie> sorry, no good with bandaids
01:20 < krzie> ive only done things right ;]
01:21  * networkn shrugs
01:21 < krzie> gunna watch a movie then
01:21 < krzie> gl
01:21 < krzie> !man
01:21 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
01:21 < krzie> !howto
01:21 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
01:21 < networkn> all that for nothing awesome
01:21 < krzie> thats what i used to learn, its all in there
01:21 < krzie> well dude, you dont care about doing it right, i cant make those configs work
01:22 < networkn> I DO care, but I don't have the time right now, to reconfigure 15 stores from scratch
01:22 < networkn> but that's fine, hopefully someone else here might be able to help me sort it
01:22 < networkn> enjoy your movie
01:22 < krzie> its as easy as sending someone a file and telling them to run it
01:22 < krzie> uts keys and configs in place
01:22 < networkn> it really isn't
01:22 < krzie> then restart openvn, connected
01:22 < networkn> these sites are very complicated
01:22 < networkn> stupidly so
01:22 < krzie> right
01:23 < krzie> this would make it simple
01:23 < krzie> hell, my config generator could do it
01:23 < krzie> !confgen
01:23 < vpnHelper> krzie: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
01:23 < networkn> some of them use linux to linux configs, some of them connect some via windows, other connections to the same store via linux in a vm
01:23 < krzie> handles lans behind each location and all
01:23 -!- d457k [~heiko@vpn.astaro.de] has joined ##openvpn
01:23 -!- d12fk [~heiko@vpn.astaro.de] has quit [Ping timeout: 265 seconds]
01:23 < networkn> anyways...
01:23 < krzie> it also makes windows configs
01:23 < networkn> enjoy your movie
01:23 < krzie> i wrote it
01:23 < krzie> use linux to run it, runs on bash
01:24 < krzie> it will give you the configs, the howto shows you how to make certs
01:25 < networkn> I am simply not reconfiguring 15 sites to get this one to work
01:25 -!- b0nn [~this@202-180-91-108.callplus.net.nz] has joined ##openvpn
01:25 < networkn> there must be a quicker way in the meantime till I have time to fully understand the existing setup
01:25 < krzie> then make normal looking ptp configs, easily explained in the manual step by step
01:25 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
01:25 < krzie> when looking at that, remember this
01:25 < krzie> !--
01:25 < vpnHelper> krzie: "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file.
01:26 < krzie> so when it shows doing it from cli with -- options, all can be put in a config
01:26 < krzie> instead of understanding the current setup, you should change it to be sane
01:26 < krzie> it clearly was designed long long ago
01:26  * networkn sighs
01:27 < networkn> I don't need a lecture
01:27 < networkn> really
01:27 < krzie> but you can do it like i said above
01:27 < krzie> see examples from manual
01:27 < networkn> You are making suggetions without all the facts
01:27 < krzie> i see the setup
01:27 < krzie> you have 15 ptp connections
01:27 < krzie> you need to put them in the same subnet
01:27 < krzie> and figure out your route / push routes
01:28 < krzie> them AT LEAST being the server/client
01:28 -!- glguy [~eric@unaffiliated/glguy] has quit [Quit: Leaving]
01:28 < networkn> it's not even CLOSE to that simple
01:28 < krzie> and it looks like you may be calling a nonexistent device
01:29 < networkn> how do I determine the correct device name, can you at least tell me that ?
01:29 < krzie> by not specifying it
01:29 < krzie> as --dev says in the manual
01:29 < networkn> so take out the dev line?
01:29 < krzie> read the manual on every command in your config
01:30 < krzie> no, you'd use dev tap
01:30 < krzie> but if you stay with tap, you will want a bridge
01:30 -!- glguy [~emertens@unaffiliated/glguy] has joined ##openvpn
01:30 < krzie> which this connection doesnt make
01:30 < krzie> so dev tun should do the same thing i think
01:30 < networkn> I thought tap was ptp and tun was brigding?
01:30 < krzie> nope
01:30 < krzie> tun is layer3 (IP)
01:30 -!- glguy [~emertens@unaffiliated/glguy] has quit [Remote host closed the connection]
01:30 < krzie> tap is layer2 (ethernet)
01:31 < networkn> well I am not sure what exactly i want.
01:31 < krzie> but a layer2 without bridging into the same broadcast domain is kinda pointless
01:31 < krzie> i was trying to help you know what you want
01:31 < krzie> but you get mad
01:31 < krzie> so ya
01:31 < krzie> theres what to read
01:31 < networkn> all i want is for bidirectional communication over ip, between this client and the server
01:31 < krzie> you dont have a server and client config, you have a ptp config
01:32 < krzie> because you use ifconfig on both sides
01:32 < krzie> instead of like this:
01:32 < krzie> !sample
01:32 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
01:32 < krzie> this is a server which many clients connect to, and communicate over using IP
01:32 -!- emertens [~emertens@unaffiliated/glguy] has joined ##openvpn
01:32 < krzie> then here, it shows you how and why to change things for LANs on all sides of openvpn
01:33 < krzie> !route
01:33 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
01:33 < krzie> OR
01:33 -!- emertens [~emertens@unaffiliated/glguy] has quit [Remote host closed the connection]
01:33 < krzie> if you want ptp
01:33 < krzie> see in the manual when it gives examples
01:33 < krzie> starts without encryption, works its way up
01:34 < krzie> for first option, this will make configs AND route between lans behind server / clients
01:34 < krzie> !confgen
01:34 < vpnHelper> krzie: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
01:34 < networkn> I wish I had another site setup in an identical way I could base it from
01:35 < networkn> then I would have a starting point
01:35 < krzie> you said you do
01:35 < krzie> 15 sites
01:35 < networkn> not exactly the same
01:35 < krzie> post 2 of those
01:35 < krzie> then at least it will make sense
01:35 < networkn> all the other sites have a server, this is just a standalone single pc
01:35 < krzie> that will be easy to change to work
01:36 < krzie> doesnt need a server
01:36 < krzie> openvpn config is openvpn config
01:36 < networkn> I don't know what that means :)
01:37 < krzie> you think its different when its not
01:37 < krzie> post 2 of those configs, making a new connection will be simple
01:38 < krzie> 2 that currently work connected to eachother
01:38 < networkn> k
01:39 < kisom> networkn: i cant bother read all the chat, could you explain in short what you want to do?
01:39 < krzie> he wants to make a certain set of configs work
01:39 < krzie> but they are extremely non matching
01:40 < networkn> I have a standalone PC (XP) I need to connect to a linux openvpn server, so that I can have bidirectional ip and netbios traffic working
01:40 < kisom> just create one and copy-paste it then?
01:40 < krzie> he is not open to doing it right, he must use these configs
01:40 < krzie> hehe
01:41 < kisom> networkn: create one working config and distrubute it?
01:41 < networkn> the whole situation is very complicated, I am not sure who created the server config, or if that will do what I want, but if i was going to assume one part was right, I would presume the server side is right andI need to modify the client side to match
01:42 < krzie> [01:50]  <networkn> http://pastebin.ca/1875793
01:43 < kisom> invalid ID
01:43 < kisom> can you paste your server conf somewhere, networkn?
01:44 < krzie> he doesnt have a server
01:44 -!- ultramage [umage@kurobara.netvor.sk] has joined ##openvpn
01:44 < krzie> its a very broken ptp
01:44 < krzie> reposting it
01:44 < kisom> i have no experience with ptp at all... didn't even know openvpn does p2p
01:44 < ultramage> hello, last time I tried running a openvpn server on windows 7, the interface seemed to get configured, and then immediately switched back to dhcp/autoconf mode... is that a known issue?
01:45 < krzie> http://pastebin.ca/1875843
01:45 < krzie> kisom, enjoy =]
01:45 < networkn> http://pastebin.ca/1875833
01:45 < ultramage> o, you need to have an 'ifconfig' line?
01:46 < krzie> no no
01:46 < krzie> those configs are SERIOUSLY broken ultramage 
01:46 < krzie> dont look at them!
01:46 < ultramage> ahaha :)
01:46 < ultramage> yes, mine uses 'server
01:46 < krzie> how bout posting the logs like this
01:46 < krzie> !logs
01:46 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
01:46 < kisom> networkn: and you dont want to redo the VPN?
01:46 < krzie> if you dunno where log is,
01:46 < krzie> !logfile
01:46 < vpnHelper> krzie: "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info
01:47 < networkn> kisom: I need this connection working, but I don't wish to reconfigure the entire 15 stores to get it working
01:47 < kisom> takes no more than 1 hour to set up openvpn properly
01:47 < ultramage> http://codepad.org/Yc7OK8fG
01:47 < vpnHelper> Title: Plain Text code - 431 lines - codepad (at codepad.org)
01:47 < networkn> because it's way way way way more complicated than that
01:47 < networkn> there are users connecting from home, sites connecting to each other, all sorts of shit going on
01:47 < krzie> its only so complicated because it was done bad
01:47 < kisom> networkn: OK, so you can touch the server conf but not the client conf?
01:47 < networkn> right now, until I fully understand it, I need to get this working
01:48 < krzie> road warriors and LANS is handled in my !confgen
01:48 < krzie> thats how easy it is, i wrote a script that automated it
01:48 < ultramage> IP = 169.254.21.214/255.255.0.0  :/
01:48 < networkn> kisom: potentially if the server config for THIS connection is wrong, then I can potentially change it, I believe it's specific to THIS 1 site
01:49 < networkn> kisom: problem is I can't find the server log files
01:49 < kisom> networkn: i'm having serious trouble drawing a mental picture of your network topology...
01:49 < networkn> nor any way of telling if the server side is even listening
01:49 < krzie> he doesnt care bout topology
01:49 < krzie> he wants a ptp setup
01:49 < krzie> he has the other 14 ptp links up already
01:49 < krzie> which is lulz
01:49 < networkn> kisom: that's understandable, it's a hella mess I inherited when the existing guy swallowed a gun
01:49 < kisom> ok, then i'll shut up, i slept trough the PTP lectures in university
01:50 < krzie> you're from the bay area and you are wanting a broken setup!?!?!?
01:52 < krzie> ultramage, wow, what is your verb set to
01:52 < krzie> !configs
01:52 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
01:53 < krzie> looks like you have server 4.0.0.0 255.255.255.0
01:53 < krzie> but you need to use a non-routable subnet unless you own that IP block to hand it out
01:55 < krzie> ultramage, you are sure to run this as administrator right? try going to properties, compatibility mode, runass administrator if needed
01:57 < krzie> verb 9 is too much for troubleshooting, verb 5 is better
01:58 < krzie> verb 9 is more for devs
01:58 < networkn> http://pastebin.ca/1875847
01:58 < networkn> ok here is a working server conf
01:59 < networkn> let me ask you something. do you need to create dev "tun50" before you use it, or does it create it when you try and use it in a config file, and can I verify tap80 is created on the server side?
02:00 < networkn> can I get a list of the tuns and taps on the linux side?
02:00 < krzie> you can, or you can use dev tun and it makes it dyamicly
02:00 < krzie> thats a better looking ptp config
02:00 < krzie> get the client and you'll see how it works
02:01 < networkn> would that allow netbios/ip traffic if the other side is setup similarly?
02:02 < krzie> nope
02:02 < krzie> no WINS server nor is it a bridge setup
02:03 < krzie> i thought i was pretty clear thats the 2 ways to have netbios for windows share resolution
02:04 < krzie> cool movie is ready
02:05 < krzie> ultramage, check running as admin, if so post verb 5 logs from client and server, and the configs as well, type !configs and !logs
02:05 < krzie> even if i dont see, others will be able to help
02:14 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
02:25 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Excess Flood]
02:28 < ultramage> krzie: thanks for talking to me
02:28 < ultramage> I'll get to it in a moment
02:28 < ultramage> I'm administrator running with uac turned off
02:29 < ultramage> the issue is - the client and server establish a connection, keepalives go back and forth, but neither side can talk to the other... mainly because the windows server side never configures its device's ip address
02:29 < ultramage> and all packets get dropped.
02:31 < networkn> anyone know of a simple edit.exe type editor for linux that would likely be built into debian etch?
02:31 < networkn> something I can pste some text into and then easily save to a specific filename?
02:32 -!- Netsplit *.net <-> *.split quits: DrPepper, unimatrix, mwheeler, n0sq_, dazo_afk
02:33 < networkn> nm
02:33 < networkn> nano works
02:34 < ultramage> mcedit :)
02:34 < networkn> easy one, how can I drop and restart 1 connection
02:34 < networkn> on linux
02:34 < networkn> ie If I just want to reset the 1.conf connection
02:34 < kisom> networkn: activate the management tcp port
02:35 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
02:35 < networkn> say what now ? :-)
02:35 < networkn> it it not just a case of openvpn -stop 1.conf or something?
02:35 < kisom> i've written a web GUI which talks to openvpn and allows me to list connections in real time and modify them
02:35 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:35 < networkn> kisom: that's pretty cool
02:35 < kisom> sec, let me check man.
02:36 < networkn> I just need to make sure I don't drop anything other than this one connection :)
02:36 < kisom> ok, if you dont have the management interface enables thats gonna be hard
02:37 < networkn> it might be, I inherited this site
02:37 < kisom> temporarily blocking the IP address in iptables is probably your best bet
02:37 < networkn> no, that doesn't sound right. I modified one of the conf files, I need to get that change to take effect
02:38 < kisom> you modified a ccd file or a client conf file?
02:38 < ultramage> you'd need an openvpnadmin cli utility or something :P
02:38 < networkn> err it's a conf file
02:38 < networkn> is that not what defines connections?
02:39 -!- Netsplit over, joins: dazo_afk, DrPepper, n0sq_, unimatrix, mwheeler
02:39 < kisom> there are many conf files.
02:39 < networkn> I don't know anything about any ccd file
02:39 < kisom> i use 1 server config file, 1 file per client on the server and 1 file on the client itself
02:39 < kisom> networkn: to be honest, you may want to go trough the trouble of rebuilding your 15 stores... might be faster than to resolve this
02:40 < ultramage> kisom: when I start the server via openvpn-gui, it says "server now connected to 175.16.0.1" (the address it's supposed to be), and....
02:40 < ultramage> holy crap, it actually configured the ip address that it was supposed to use O.o
02:41 < kisom> i have no idea about the GUI... i dont use it, i think it sucks
02:41 < ultramage> all it does is proxy the console... so no difference there
02:42 < ultramage> all I can think of - I've been using the gogo6 client and its ipv6 tunnel adapter
02:42 -!- d457k [~heiko@vpn.astaro.de] has quit [Remote host closed the connection]
02:42 < ultramage> it malfunctioned on me at least twice, hanging, and refusing to uninstall (netsh said "catastrophic failure")
02:43 < ultramage> I recall going into the device manager and deinstalling a bunch of those ptp tunnel adapters (and crossing my fingers to get the right ones out)
02:43 < ultramage> and it seems to have worked :>
02:43 < ultramage> so I guess this issue was openvpn interacting with my broken system in an unintended way
02:43 -!- d12fk [~heiko@2a01:198:4d7:0:21f:c6ff:fe44:aec8] has joined ##openvpn
02:44 < ultramage> I also installed hamachi, that might have been a trigger too (maybe openvpn doesn't like being the last adapter on the list or something)
02:44 < ultramage> anyways, /me goes to try out the vpn setup again, 20th time's the charm
02:45 < kisom> 20th... :)
02:45 < kisom> i succeded on my first try
02:45 < kisom> granted, took 7 hours, but it worked
02:45 < ultramage> well, I would have too if my system wasn't messed up and openvpn just went crazy
02:46 < kisom> reinstall then?
02:46 < ultramage> not an option
02:46 < ultramage> and yanking out those two faulty adapters seems to have solved it
02:46 < networkn> ok lets try something else. when you start the openvpn service on linux, what config file does it read so it knows what .conf files to use?
02:47 < kisom> uh
02:47 < ultramage> yes? :>
02:47 < kisom> i use openvpn /etc/sr/server & in my rc.local
02:47 < kisom> "openvpn /etc/sr/server &"
02:48 < kisom> starts it on boot and forks it. yes its ugly and you should use RC scripts instead
02:48 < networkn> is that linux?
02:48 < ultramage> as I said before, I'm trying to run it on windows, and noone in this room has ever ran a windows server before
02:48 < kisom> yes
02:48 < kisom> oh yeah
02:48 < kisom> then you need to name your conf files something.ovpn and put it in the config file
02:48 < kisom> and make sure the openvpn service auto starts
02:49 < networkn> so I can't just type openvpn /etc/openvpn/test.conf to start a single tunnel?
02:49 < kisom> yes you can
02:49 < kisom> will work in windows as well
02:49 < kisom> brb
02:49 < networkn> ok, and that won't affect any of the other tunnels that are already built?
02:53 < ultramage> yay, it works
02:53  * ultramage is happy
02:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:55 < networkn> and will openvpn --down /etc/openvpn/test.conf to stop JUST that one tunnel?
02:58 < ultramage> I wonder, is it possible to tell windows to suddenly start pushing all traffic through the openvpn interface?
02:59 < ultramage> as in, make the remote tunnel endpoint my new gateway
02:59 < Bushmills> !redirect
02:59 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
02:59 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Read error: Operation timed out]
03:00 < Bushmills> not much reading done yet, right?
03:01 < ultramage> O.o
03:01 < ultramage> o.O
03:01 < ultramage> interesting, thank you
03:02 < ultramage> the remote side is already a gateway, I just needed the clientside
03:02 < ultramage> I assumed it could be done using netsh or some such
03:03 < ultramage> and no, I didn't read that much into it - my first priority was to actually get a working connection
03:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
03:04 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
03:05 < ultramage> hm, not sure if I can use "push redirect-gateway" since it's the openvpn client that will be acting as the gateway
03:06 < ultramage> (yes, this inverted setup sucks, but the destination machine does not have a public ip address)
03:07 < Bushmills> redirect-gateway adds new default route on machine it is configured on, to route traffic over vpn
03:07 < ultramage> oh, no pushing then
03:08 < Bushmills> pushing it tells other vpn machine to do so
03:08 < ultramage> I wonder why people use the -- commandline notation and not the config file notation
03:08 < Bushmills> configuring it on server lets server instruct all clients to use it as gateway
03:08 < ultramage> it makes it confusing, especially since I can't find openvpn.conf's manpage
03:09 < Bushmills> maybe because the conf file notation doesn't work on commandline?
03:09 < ultramage>  --config file   Load additional config options from file where each line  corre sponds  to  one  command  line option, but with the leading '--'  removed.
03:09 < ultramage> oh, so that's how it works
03:09 < ultramage> clever
03:12 < ultramage> Options error: --redirect-gateway cannot be used with --mode server 
03:12 < Bushmills> server should push that to clients
03:12 < ultramage> which is why I considered a batch file like solution instead
03:13 < Bushmills> to configure server as gateway, you need setup outside of openvpn
03:13 < ultramage> I'd have to run the 'server' on my NATed unreachable destination machine then
03:13 < Bushmills> NAT, ip forwarding ...
03:13 < ultramage> all I want is to be able to tunnel through my home router... =.=
03:13 < ultramage> which means I need to be running in client mode
03:13 < Bushmills> home router is server?
03:14 < ultramage> however the home router does not have a public ip address nor is there any way to connect to it over ipv4
03:14 < ultramage> so all I could think of was making myself the server and the home machine as the client
03:14 < ultramage> however then I discovered that the server instance does not allow gateway redirection
03:15 < ultramage> (for no obvious reason, since it CAN be done on the OS level... the application just has an artificial block in place)
03:15 < Bushmills> does home router client have any reason to router your vpn traffic to internet?
03:15 < ultramage> is there any reason why redirect-gateway cannot be used with mode-server?
03:16 < ultramage> huh, what?
03:16 < kisom> your home router does not have a public address?
03:16 < ultramage> no, it doesn't.
03:16 < kisom> it should have one on the WAN side
03:16 < ultramage> no, it doesn't.
03:16 < Bushmills> why would home router send your vpn traffic to internet? have you set it up to do so?
03:16 < kisom> if your ISP does nat you're pretty screwed
03:17 < ultramage> yes, my ISP does nat, and I'm too cheap to shell out 5$/month just for that
03:18 < ultramage> Bushmills: yes, it's already doing NAT for my LAN, I'll just add an ipfw nat rule or two to handle tun1 as well
03:18 < Bushmills> server and redirect-gateway doesn't usually make sense because server implies potentially several clients. but, if default traffic was routed through vpn - how to send traffic to those other clients?
03:19 < ultramage> I'm going for a one-client one-server scenario here
03:19 < ultramage> but other than that... sure, why not?
03:19 < Bushmills> you'd probably have to set up routes yourself then
03:19 < ultramage> I'm not making the server advertise a gateway
03:19 < Bushmills> you would need a host router, to your router
03:20 < ultramage> the openvpn man page describes a sequence of steps that the client does to the system's network settings
03:20 < Bushmills> (otherwise, your router can't be reached by openvpn, if all traffic, including traffic to your router, was attempted to be sent over vpn)
03:20 < kisom> ultramage: if you're NATed then you will not be able to use openvpn on the internet. well, you wont be able to host a server.
03:20 < Bushmills> that also means, your home router needs to be reachable by vpn server
03:21 < ultramage> kisom: I'm going for a reverse-connect setup here - I run my server on this box, make my home router connect to here, and then once the connection is established, I'll switch sides
03:21 < ultramage> Bushmills: yes, it is, thanks to the reverse connection setup I just did
03:21 < theDoc> If your isp uses nat, you need a new isp.
03:21 < kisom> "Switch sides"?
03:21 < Bushmills> currently, your home router is most likely reached  through the default route on your server
03:21 < ultramage> well, I have a ready and working vpn now, both machines are on a virtual lan
03:21 < kisom> NAT -> NAT cant be established without some sort of STUN solution
03:22 < Bushmills> but as you would need to changed that to vpn - connection to home router would be affected
03:22 -!- simoinfonet [~msahlaoui@41.250.253.239] has joined ##openvpn
03:22 < ultramage> kisom: this machine does have a public ip address.. that's why I'm using it as a server
03:22 < kisom> ah okay
03:22 < ultramage> Bushmills: yes... there is a route, but it is not the default route
03:22 < ultramage> my physical connection's gateway is being used for internet traffic
03:22 < Bushmills> well, if there is a router to your home router, don't route that one through the vpn
03:23 < Bushmills> route
03:23 < ultramage> I guess this all boils down to "google netsh change gateway route"?
03:23 < ultramage> the only route to my home machine is via openvpn's tunnel
03:23 < Bushmills> no
03:23 < ultramage> (and ipv6 and hamachi and tor)
03:23 < Bushmills> can't
03:23 < kisom> route the router!
03:23 < Bushmills> how would openvpn packages reach your home machine then?
03:24 < Bushmills> they can't be router through VPN if VPN packages can't reach your router
03:24 < ultramage> Bushmills: the same way they do now? there is an established connection between the two machines right now
03:24 -!- lkeijser [~leon@unaffiliated/lkeijser] has joined ##openvpn
03:24 < Bushmills> "established connection" implies, a route back
03:24 < ultramage> Bushmills: the nated machine opens a udp connection and keeps it alive, and the NAT machines along the way keep that temporary connection in their routing tables
03:24 < Bushmills> without a router back, no connection would be established
03:24 < Bushmills> route
03:24 < ultramage> that's how nat works - if it didn't, there would be no way to actually get replies back 
03:25 < Bushmills> even though, there's - after de-NATting - a route back
03:26 < lkeijser> i have a strange problem: when tunneling traffic through an openvpn server to another host, that host doesn't receive icmp packets but for tcp packets only the SYN with an incorrect checksum
03:26 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:26 < Bushmills> the route to the interface where your home router traffic seems to come from (NATted) must not be routed through VPN
03:27 < lkeijser> my openvpn server is hosted on a xen virtual, if that matters
03:27 < ultramage> I'm not doing this vpn for security reasons, I'm doing it for reachability reasons... I have a working virtual LAN, now I need to do stuff with that lan... since noone here has a clear idea about this, and noone has ever ever tried this, I'll try my luck with google
03:28 < theDoc> What are you trying to accomplish?
03:28 < theDoc> I got in halfway
03:28 < ultramage> I've got a router at home that I want to pipe my work traffic through
03:28 < networkn> ok well something is up with this xp pc.. I think I have the settings right now, but when I do an ipconfig in xp, it shows just the lan card, with it's ip, not the tun/tap adapter
03:29 < ultramage> the router's not reachable over the internet, so I put the client on it and ran the server here at work, and currently I'm trying to tell windows to make the remote vpn endpoint as my new gateway... I guess
03:30 < ultramage> and I'm worried that it's a chicken-egg situation... changing my gateway/default route could mess up the actual vpn udp packet delivery
03:30 < theDoc> Which router isn't reachable over the internet?
03:30  * Bushmills thanks ultramage for his "no clear idea" judgement and does that by putting him on /ignore
03:30 < theDoc> rage baby rage! >:)
03:30 < ultramage> thanks to the running VPN I now am able to talk to my home router
03:31 < ultramage> now I could set up a http proxy server or do SOCKS through ssh, easily
03:31 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 248 seconds]
03:31 < ultramage> however, since I already have a vpn connection to it, and it's already set up for routing, I thought, why not use it as my gateway?
03:32 < ultramage> I've been trying to get the other people in the room to understand the concept, but we've been talking past each other for the last 20 minutes
03:32 < theDoc> Your home router isn't internet reachable and you some how have managed to get an active vpn connection going?
03:32 < theDoc> From the public internet?
03:32 < ultramage> yes, by switching vpn sides and doing a reverse connection
03:32 < ultramage> as in, vpn client on router, vpn server on this machine
03:32 < ultramage> so the exact opposite of what you'd normally do
03:33 -!- dazo_afk is now known as dazo
03:33 < theDoc> Are you running dd-wrt or something of that sort?
03:33 < ultramage> so far I've been using ivp6 to connect to my router, ssh from there to my machine, open a reverse socks tunnel, then ssh from my machine through that tunnel back to my router and open a local SOCKS port
03:34 < ultramage> which is crazy stupid and I'm looking for a better way.
03:34 < ultramage> theDoc: freebsd8
03:34 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:34 < theDoc> You're making this way too complicated.
03:35 < theDoc> and why is your router at home not reachable via the internet?
03:35 < ultramage> because my ISP is cheap shit and won't even assign me a dynamic ip address unless I pay 5$ each month
03:36 < ultramage> which is why I've been using workarounds like tor or ipv6, but they're unreliable
03:36 < ultramage> not to mention slow and ineffective and have all sorts of caveats
03:36 < theDoc> Instead of tearing your hair out, use your money and get a new isp.
03:36 < theDoc> You're just going to support hell by trying the above.
03:37 < ultramage> ...
03:37 < ultramage> thank you for your opinion
03:37 < theDoc> Mainly because if they change something on their end (considering that you're NAT'ed), you're just asking for trouble.
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 < ultramage> I'm not sure you know what you're talking about... unfortunately
03:38 < ultramage> living in ipv4-land must be nice...
03:39 < theDoc> ultramage> What? Are they running ipv6 with nat?
03:39 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:39 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
03:39 < ultramage> same solution like with my reverse vpn connection... connect to server and keep connection alive, and voila
03:40 < theDoc> Anyway, thanks for your time explaining your problem. I cbf'ed to be helping you out on this one now.
03:40 < ultramage> I'll try messing with my gateway and route settings... at worst I guess I'll lose all connectivity and will have to restart
03:41 < ultramage> maybe should have tried asking in more general terms from the start... like, assume you have a vpn server and two clients, and want one client to act as the other client's network gateway
03:42 < lkeijser> anyone: is there a known problem with tcp checksum for an openvpn server running in a xen-based vm?
03:42 < ultramage> that way I would have removed the word 'server' entirely and avoided confusion
03:42 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
03:43 < theDoc> lkeijser> Not that I've heard of yet, trying asking the xen folks?
03:44 < ultramage> when I first asked, I was expecting an informed answer, like "that's impossible because of this particular OS design limitation", or "nice idea, but support for that will not be implemented until 2015" or "sure, here's the config file you need to use"... too bad
03:47 < lkeijser> theDoc, thanks
03:49 < lkeijser> xen folk say there's no (known) problem 
03:49 < theDoc> I don't know, I'm not familiar with xen and I haven't heard of any troubles with ovpn and xen.
03:49 < theDoc> Sorry, no help from me there.
03:51 < lkeijser> no worries, it's an interesting problem so i will just keep on searching
03:51  * lkeijser also tried disabling checksum by setting 'ethtool -K eth0 tx off'  but that didn't seem to have much effect
03:52 < theDoc> There was some tcp offloading or something like that which was showing up wrong checksums in wireshark.
03:52 < theDoc> I don't know the exact details or if it was tcp offloading
03:56 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 252 seconds]
04:01 -!- simoinfonet [~msahlaoui@41.250.253.239] has quit [Ping timeout: 240 seconds]
04:01 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
04:01 -!- simoinfonet [~msahlaoui@nat/ibm/x-vwiwgxhogpgbzoyc] has joined ##openvpn
04:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
04:20 < krzie> [03:47]  <kisom> "openvpn /etc/sr/server &"
04:20 < krzie> kisom, add daemon to the config (see --daemon)
04:21 < krzie> then you dont need to fork to the bg, openvpn will do it itself
04:22 < krzie> ultramage, you said before that you only wanted 2 endpoints
04:22 < krzie> 1 client 1 server
04:22 < krzie> but you need the server to route inet over the client
04:22 < krzie> this actually can be done, but not with client/server
04:23 < krzie> thats a valid reason to use ptp
04:23 < krzie> however, you said a lot more and i didnt read it all
04:25 < ultramage> if I did client-server instead of server-client I could have just used redirect-gateway and be done with it
04:25 < ultramage> what I essentially need is to reproduce the steps that setting does on the server side.. manually
04:25 < kisom> krzie: did not work
04:25 -!- simoinfonet [~msahlaoui@nat/ibm/x-vwiwgxhogpgbzoyc] has quit [Ping timeout: 248 seconds]
04:25 < krzie> kisom, you just added:      daemon   ?
04:25 < kisom> krzie: for some reason openvpn failed to accept connections when using --daemon, but forking it with & works just fine
04:26 < krzie> when using --daemon you also need --config
04:26 -!- simoinfonet [~msahlaoui@41.250.253.239] has joined ##openvpn
04:26 < ultramage> so I guess that involves first setting a static route to my home's apparent public ip address (to allow vpn udp to not die horribly), and then switch my default system gateway.
04:26 < krzie> unless you add it to the config
04:26 < krzie> you can only drop --config if its the only cli option
04:26 < kisom> i still saw the PID running with --daemon, it accepted connections from localhost etc, but not from the network. same config without --daemon worked fine
04:27 < krzie> thats weird, did your log show anything?
04:27 < kisom> no, not at all
04:27 < kisom> was stuck with that problem for a few days until i decided to drop daemon and just fork it
04:27 < krzie> ultramage, try a simple ptp config with redirect-gateway on the machine you want directing its gateway over vpn
04:27 < kisom> (it was a while back tbh, havent tried last years or so)
04:27 < krzie> in ptp style either side can initiate connection
04:28 < ultramage> krzie: I'll look into it
04:28 < krzie> ptp style is with opposing ifconfig statements
04:28 < krzie> its covered in the manual
04:28 < krzie> !man
04:28 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
04:29 < networkn> ok I got the tunnel up, I can ping 10.80.0.1 and 10.80.0.2
04:29 < networkn> but neither side can access anything past that
04:29 < networkn> even though I have route commands in the conf/ovpn files
04:30 < krzie> is it running on the routers for the LANs?
04:30 < krzie> !factoids search outside
04:30 < vpnHelper> krzie: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
04:30 < krzie> if not, see above
04:30 -!- g0tcha [~efnet@27.9.202.62.fix.bluewin.ch] has joined ##openvpn
04:31 < networkn> [09:30pm] <krzie> is it running on the routers for the LANs? ?? Huh is what running?
04:31 < krzie> openvpn
04:31 < g0tcha> hey guys, does the client key has to be generated from the server itself? or can install a new server and be able to use a client key generated from another openvpn server?
04:32 < networkn> well on the server side yes
04:32 < ultramage> krzie: now openvpn yells at me for trying to use server-client TLS settings without having a server :)
04:32 < krzie> oenvpn is running on the machines which all the LAN the server is on routes their traffic through to reach the internet?
04:33 < ultramage> http://openvpn.net/index.php/open-source/documentation/examples.html
04:33 < vpnHelper> Title: Examples (at openvpn.net)
04:33 < krzie> ultramage, ya, save your server configs and make a ptp attempt, ptp uses a static key
04:33 < ultramage> the manual directed me to this page, but the page is empty
04:33 < networkn> krzie: well I had to read that question 6 times, but I THINK the answer is yes.
04:34 < networkn> and in the server config is a route "push 192.168.17.0 255.255.255.0"
04:34 < krzie> networkn, let me ask it differently... the server is on a LAN, do the machines in that LAN route to the internet through the server?
04:35 < networkn> yes
04:35 < networkn> and that time I did understand completely
04:35 < krzie> ultramage, http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html#lbAV
04:35 < vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net)
04:36 < networkn> what's more, the other connections seem to be able to access 17.x
04:36 < krzie> skip to example 3
04:36 < krzie> you can remove remote from the one that cant connect out to the other
04:36 < krzie> i was wrong you dont need static key
04:37 -!- simoinfonet [~msahlaoui@41.250.253.239] has quit [Ping timeout: 240 seconds]
04:37 < krzie> and use full paths
04:38 < krzie> networkn, does the server have an ip in 192.168.17.x?
04:38 < krzie> networkn, does the machine you push to have pull in its config?
04:39 < krzie> since you arent using client/server its not implied...
04:39 < krzie> or instead of pushing it you can just use the route command in the machine which should add the command
04:39 < networkn> push "route 192.168.17.0 255.255.255.0"
04:39 < networkn> that's in the server side conf
04:39 < networkn> last line
04:40 < networkn> are you saying to match I need a line called "push" as the last line in the ovpn file?
04:40 < krzie> i dont know WHY you keep calling it a server
04:40 < krzie> remove that line
04:40 < krzie> go to the 'client' conf, add this
04:40 < krzie> route 192.168.17.0 255.255.255.0
04:41 < networkn> krzee: because i need to call it SOMETHING. and it's a SERVER
04:41 < krzie> but its not
04:41  * networkn sighs
04:41 < krzie> openvpn has a server mode, you arent using it
04:41 < networkn> what would you like me to call it sir?
04:41 < krzie> its just the remote machine
04:42 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: brb]
04:42 < krzie> it makes a difference
04:42 < networkn> so you want the pc called client and the other end I call server to be called remote?
04:42 < kisom> networkn: maybe you should buy support on openvpn? ;) just a tought
04:42 < krzie> if i didnt know it wasnt a server ild make certain assumptions based on you calling it a server
04:43 < krzie> \you have a local and a remote endpoint
04:43 < krzie> one of the assumptions i would make it that you could push config options
04:43 < ultramage> Wed Jun 02 11:43:03 2010 WARNING: 'ifconfig' is used inconsistently, local='ifconfig 10.0.0.0 10.0.0.2', remote='ifconfig 10.0.0.1 10.0.0.2'
04:43 < ultramage> is this expected?
04:43 < krzie> because CLIENT configs have --pull implied when they use --client
04:43 < krzie> since you dont have --pull or --client, you cant push
04:43 < networkn> ultramage: change your local end to 10.0.0.1
04:43 < networkn> not 10.0.0.0
04:44 < krzie> which is why i said to remove push and put the route command in local endpoint config
04:44 < ultramage> mine says ifconfig 10.0.0.1 10.0.0.2, other machine says ifconfig 10.0.0.2 10.0.0.1
04:44 < networkn> hmm this connection keeps dropping
04:44 < networkn> the tunnel that is.. works for 30 seconds and then it breaks
04:44 < krzie> ultramage, the side giving that error has 10.0.0.0
04:44 < krzie> in its config
04:44 < ultramage> my windows machine of course
04:44 < ultramage> no, it doesn't
04:44 < ultramage> it has 10.0.0.1
04:44 < networkn> but when it's up with the route command on the local endpoint, I can ping as I should
04:45 < ultramage> openvpn on windows is malfunctioning again -.-
04:45 < networkn> I just need to fix the stability issue
04:45 < networkn> ultramage: one end does have 10.0.0.0
04:45 < networkn> I had this earlier tonight
04:45 < ultramage> Wed Jun 02 11:42:23 2010 Set TAP-Win32 TUN subnet mode network/local/netmask = 10.0.0.0/10.0.0.1/10.0.0.2 [SUCCEEDED]
04:45 < networkn> perhaps it's reading a different config than the one you are
04:46 < ultramage> I have a total of two configs, and neither of them have this...
04:46 < ultramage> when doing pointtopoint, should I set both sides to 'client'?
04:46 < ultramage> or should I omit the 'client' keyword?
04:48 < networkn> krzee: any idea why the tunnel is dropping after 30 seconds?
04:48 < ultramage> did you try making a tcp tunnel?
04:49 < krzie> or did you try looking at your logs?
04:49 < ultramage> in the off chance you're going through a nat and it has an aggressive timeout on udp rules
04:51 < krzie> !rules
04:51 < vpnHelper> krzie: "rules" is http://secure-computing.net/openvpn.php for the channel rules!
04:53 < Chosi> hey krzie :)
04:54 < krzie> werd
04:55 < ultramage> hm, well, until openvpn stops doing stuff like 10.0.0.0, I'm stuck
04:56 < Chosi> krzee: what port do you think is worth a try? 500 is out, you have the following options: 5061, 4500
04:56 < Chosi> :)
04:56 -!- lkeijser [~leon@unaffiliated/lkeijser] has quit [Quit: Leaving]
04:59 < krzie> Chosi, dunno your network dude
04:59 < Chosi> well these 2 ports are the only open ones from behind the no-udp firewall
04:59 < Chosi> :)
05:00 < ultramage> aww, no visual studio project
05:00 < krzie> so either of them
05:01 < Chosi> you could also tell me a way to fake IKE packets on 500
05:01 < Chosi> :p
05:01 < krzie> not gunna happen
05:03 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
05:09 < ultramage> hm, openvpn's code has a few glitches... it's config.h file has stuff like "#define USE_SSL 1", but tests using #if defined() instead of comparing values
05:10 < networkn> so weird. the tunnel stops allowing traffic, then a few seconds later it's back again
05:10 < ultramage> all the small things ^^`
05:11 < ultramage> also there's stuff like #define PACKAGE_NAME OpenVPN, and then printf("something " PACKAGE_NAME " something") (without stringizing operator anywhere)
05:11 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has left ##openvpn ["+++ath0 $$%§$%&"$%"]
05:12 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined ##openvpn
05:12 < krzie> ultramage, i have a feeling you'll get further by trying to get your setup working than recoding openvpn
05:12 < networkn> lol wondering
05:12 < networkn> the same thing
05:12 < ultramage> easiest way to find out why openvpn is doing stupid things is to see what it's doing
05:15 -!- Bushmills is now known as Mushbills
05:15 < ultramage> yay, compiled (without lzo or ssl, but it works)
05:15 -!- Mushbills is now known as Bushmills
05:16 < krzie> you were having problems compiling!?
05:16 -!- mode/##openvpn [+o Bushmills] by ChanServ
05:16 -!- mode/##openvpn [-o Bushmills] by Bushmills
05:16 < krzie> yay
05:22 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:25 < ultramage> krzie: yes, openvpn uses some odd way of glueing string constants together
05:26 < ultramage> either that or the predefined config-win32.h file is not constructed properly
05:26 < ultramage> can you do this with gcc? printf("Version " 2.1.1 "\n");
05:26 < krzie> cool, have fun modding openvpn
05:26 < krzie> bbl
05:26 < ultramage> because until now I thought you need to have the stuff quoted before you start glueing the parts together
05:27 < ultramage> yet openvpn is coded to do just that, which obviously won't compile (so I went and added quotes around the #defined constants where appropriate)
05:27 < ultramage> I did a bit of debug&step, and it seems there's some stack memory corruption going on or something
05:28 < ultramage> the input values clearly say 10.0.0.1 and 10.0.0.2, but after 10.0.0.2 is properly generated, 10.0.0.1 turns into 10.0.0.0
05:28 -!- Russnix [~c2529efa@gateway/web/freenode/x-ptstahbfpdefexpg] has joined ##openvpn
05:28 < ultramage> I'll look into this in more detail after lunch
05:28 < ultramage> the offending statement is:
05:29 < ultramage> buf_printf (&out, "%s %s", print_in_addr_t (tt->local & tt->remote_netmask, 0, gc), print_in_addr_t (tt->remote_netmask, 0, gc));
05:30 < ultramage> oh wait.
05:30 < ultramage> tt->local & tt->remote_netmask ?
05:30 < ultramage> wait what?
05:30 < ultramage> isn't the other machine's ip address supposed to go into the 2nd parameter?
05:30 < ultramage> why is it using the 2nd parameter as a & mask?
05:31 < ultramage> if (tt->type == DEV_TYPE_TAP || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET))
05:31 < ultramage> ....yeah. I have topology = subnet set...
05:31 < ultramage> if I hadn't, then it would go into the else{} part which does not do any silly masking
05:31  * ultramage stabs
05:37 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:51 < ultramage> question - if the client is set to connect to the remote side, and the remote side is down, what is the client's behavior?
05:51 < kisom> ultramage: you can configure it how you want it
05:51 < ultramage> (what sort of method of contacting is used, how often does it send things?)
05:52 < kisom> my clients try to reconnect regardless if the server denies them or is down
05:52 < ultramage> I'm tuning it right now... it doesn't seem to be the ping interval, since I set it to 60 yet it connected after a few seconds
05:52 < kisom> i think the usual behaviour is to retry until connection is established. if the server returns an authentication error the client will shutdown
05:53 < kisom> the ping interval is just to detect a timeout
05:53 < kisom> sec, let me check my conf
05:53 < ultramage> yes please :)
05:53 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
05:53 < ultramage> all I see is server-poll-timeout
05:53 < kisom> resolv-retry infinite
05:53 < kisom> auth-retry nointeract
05:53 < kisom> check those out
05:54 < ultramage> resolv-retry looks like dns resolution
05:54 < kisom> first one says to keep trying forever, second one says to keep trying even if the server tells us to go to hell :)
05:54 < kisom> hmm
05:54 < kisom> maybe
05:54 < kisom> one sec
05:54 < kisom> no it was correct
05:54 < ultramage> I'm trying to find out what controls the retry interval :)
05:55 < kisom> have you checked man?
05:55 < ultramage> yes, I'm looking at man
05:55 < kisom> i strongly remember reading about it
05:55 < ultramage> it said resolv-retry If hostname resolve fails for --remote, retry resolve for n sec-onds before failing.
05:55 < ultramage> well, freebsd openvpn man page at least :)
05:55  * ultramage looks at website man
05:56 < kisom> --connect-retry n
05:56 < ultramage> maybe they got it wrong
05:56 < kisom> For --proto tcp-client, take n as the number of seconds to wait between connection retries (default=5). 
05:56 < ultramage> oh, there we go :)
05:56 < ultramage> default = 5
05:56 < kisom> not sure if the same goes for UDP
05:56 < ultramage> hammer hammer hammer
05:56 < kraut> moin
05:57 < kisom> you may want to keep auth-retry at its default value
05:57 < ultramage> I found that my freebsd stateful firewall is very aggressive
05:57 < kisom> its good to be able to stop clients from connecting/hammering your server
05:57 < ultramage> 10 seconds timeout on udp
05:58 < kisom> yeah i think its 16 or something in linux
05:58 < ultramage> so I'm fine-tuning stuff
05:58 < kisom> if i remember correctly you have to recompile the kernel to change those values ;)
05:58 < ultramage> for example, let the server side do the fast polling and only when the client is connected... and have the client only poll once in a while just to be sure
05:59 < ultramage> hm, kernel, or ipfw :)
05:59 < kisom> you can always send a ping each 8th second.
05:59 < ultramage> which is a kernel module -.-
05:59 < ultramage> yes, or hardcode a rule :)
05:59 < kisom> yeah i've never really compiled my kernel
05:59 < ultramage> the kernel is fairly quick, but there's a gazillion .so modules to be compiled along with it
05:59 < kisom> and i use iptables
06:00 < ultramage> at least I'm on a good track
06:00 < ultramage> I'll try that gateway changer setting once more when I get back
06:00 < kisom> AND MY FSCKING COMPANY NETWORK BLOCKS OPENVPN MANUAL
06:00 < kisom> how am i suppose to do my job?
06:00 < ultramage> ;o
06:00 < ultramage> manual?
06:00 < kisom> the openvpn.net online manual
06:00 < ultramage> hah
06:01 < ultramage> hidemyass.com
06:01 < kisom> nah
06:01 < kisom> https://ck3r.org/stormroute.php
06:01 < vpnHelper> Title: StormRoute (at ck3r.org)
06:01 < ultramage> ;O
06:02 < hyper_ch> man openvpn :)
06:02 < kisom> then i have to detach or switch screen
06:03 < ultramage> mmm, good stuff
06:03 < ultramage> last time I had to, I used this: http://netvor.sk/~umage/docs/HOWTO_putty_proxytunnel_https.html
06:03 < vpnHelper> Title: HOWTO: tunnel putty ssh connections through an apache https proxy (at netvor.sk)
06:03 < kisom> too bad my server uses port 443 for https ;)
06:04 < kisom> and i'm not allowed to do that anyways
06:04 < ultramage> well, you can always corkscrew your tcp connection through a https webserver :)
06:04 < kisom> i work at a large bank and the policy says no-no about any external proxies or whatever
06:04 < ultramage> what about that stormroute utility then XD
06:04 < Bushmills> kisom: you can configure openvpn to share port with another service
06:04 < kisom> thats a personal project of mine
06:05 < ultramage> doesn't that count as an external proxy too?
06:05 < kisom> Bushmills: i do not even use openvpn, i use stormroute which is a forked openvpn
06:05 < kisom> maybe it does
06:05 < kisom> but at least i can say its my project and i need it for work ;)
06:05 < Bushmills> unless that feature was stripped from it, it should still be available
06:07 < kisom> anyone tried etherpad btw?
06:07 < kisom> open source online text editor
06:09 < Bushmills> i know gobby which may be similar
06:09 < kisom> seems nice, but not web based :)
06:09 < Bushmills> online and multi (concurrent) user 
06:09 < kisom> i've set up a test server at www.livepad.eu
06:10 < kisom> using it for most of my work
06:10 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
06:10 < kisom> currently using... 1.12 GiB memory, 3 concurrent users :P
06:10 < kisom> damn java based app
06:13 < Bushmills> slow it is
06:15 < Bushmills> but indeed, a web client for obby is something i am missing
06:16 < Bushmills> otoh, haven't really searched for one for some time now
06:31 < kisom> Bushmills: livepad isn't slow
06:31 < kisom> probably bad routing to whereever in the world you are
06:31 < kisom> in sweden i get almost no lag at all, less than 500ms usually
06:37 -!- d12fk [~heiko@2a01:198:4d7:0:21f:c6ff:fe44:aec8] has quit [Remote host closed the connection]
06:38 -!- d12fk [~heiko@2a01:198:4d7:0:21f:c6ff:fe44:aec8] has joined ##openvpn
06:41 < Bushmills> well, pressing enter takes about that time to show a new line number
06:41 < ultramage> seems that in udp mode, the client uses 'ping' for the connection retry value
07:04 < Bushmills> kisom: i may be spoiled by having 10..15 ms lag to the obby servefr
07:04 < Bushmills> server
07:05 < kisom> Bushmills: etherpad is web based, hence much mroe difficult to get decent response times
07:05 < Bushmills> yes, that's what i mean :)
07:05 < Bushmills> (when i said "slow")
07:23 < ultramage> oh wow, thanks to openvpn I managed to figure out why incoming connections through my ipv6-in-udp tunnel kept having issues after a few seconds of inactivity
07:24 < ultramage> it's been bugging me for months and I just couldn't figure out the answer... and it was all because of ipfw's 10 second dynamic rule expiration
07:29 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
07:40 -!- star314 [~star314@xchg.fiss-oeaw.at] has joined ##openvpn
07:48 < ultramage> question, wouldn't it be nice to add a visual studio project file, to let curious VC++ people build the app?
07:49 < ultramage> I mean, all I did was throw all the .c/.h files into a project, fix up those #defines that were not stringized, disabled one #include and turned off lzo/openssl (since I was impatient), and that was it
07:50 < ultramage> from zip file to live debugging in 5 minutes
07:53 < star314> Any Ubuntu users here? On my Gentoo machine I use different client setups by means of /etc/init.d/openvpn<name> which accesses the associated config file /etc/openvpn/<name.conf>. The problem is that under Ubuntu, the script /etc/init.d/openvpn starts all openvpn connections, i.e., all files of /etc/openvpn/<*.conf>, by default and not on demand.
07:54 -!- simplechat_ [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
07:54 < kisom> star314: start openvpn manually then
07:54 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
07:56 < Bushmills> or create init scripts as you use them in gentoo
07:59 -!- doug_ndndn [~doug@78-86-178-196.zone2.bethere.co.uk] has quit [Read error: Connection reset by peer]
08:00 -!- doug_ndndn [~doug@78-86-178-196.zone2.bethere.co.uk] has joined ##openvpn
08:02 < star314> Sure, that what be no problem but I was just wondering that standard Ubuntu users don't use different (outgoing) openvpn client connections from the same machine.
08:03 < star314> s/what/would
08:04 < Bushmills> assuming the same mechanism as with debian is used, they'd only have the config files for those connections they want to autostart in the openvpn directory
08:06 < star314> ok, then I have to create a couple of different start scripts because I'm not a fan of the openvpn management using network manager.
08:07 < Bushmills> openvpn configfile   works too
08:07 < Bushmills> of course you can put those two words into a script :)
08:08 < star314> yeah, but I prefer a bit more advanced setup :)
08:08 < Bushmills> if you start openvpn very frequently, say, every 5 minutes, that may even add to your usage experience :)
08:09 < Bushmills> for manually starting clients, there is not need to keep the scripts in /etc/init.d, btw
08:10 < Bushmills> those make most sense for being executed from run level setup
08:12 < star314> Bushmills, the way how it works on gentoo is IMHO very comfortable.
08:13 < Bushmills> could have saved you having to type /etc/init.d - unless you use scripts like  start stop restart  which insert that path for you
08:13 < star314> Just create /etc/openvpn/setup1.conf and then say /etc/init.d/openvpn.setup1 <start,stop,whatever>
08:13 < Bushmills> yeah, that /etc/init.d i meant you could save by keeping the for example in  /usr/local/sbin
08:15 < star314> I haven't tried yet but I guess the gentoo script won't work out-of-the-box on ubuntu. I have to take a closer look and maybe rewrite it. I'll do that later today.
08:16 < Bushmills> coding an init script is luckily not exactly rocket science 
08:18 -!- DrPepper [~DrPepper@88.207.183.72] has quit [Ping timeout: 265 seconds]
08:19 < ultramage> NOTE: unable to redirect default gateway -- Cannot obtain current remote host address
08:19 < ultramage> what is this? ;o
08:26 < kisom> redirect gateway cant be used because openvpn does not know the remote address, and cannot add an exception route to that host for the openvpn traffic
08:27 < kisom> probably because you're running it on your local computer or something like that.
08:28 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
08:30 < ultramage> hm
08:30 < ultramage> redirect-gateway only works if the --remote setting is defined along with it?
08:31 < ultramage> it can't obtain the remote address of the other side that's connecting?
08:32 < ultramage> http://codepad.org/gYqJiZbS
08:32 < vpnHelper> Title: Plain Text code - 22 lines - codepad (at codepad.org)
08:32 < ultramage> do I have to go debug it again to find the reason?
08:34 < kisom> try doing the routing manually. or maybe skip creating a route for the remote peer, maybe its not needed with ptp
08:34 < kisom> im not sure.
08:34 < kisom> anyways, time to bail work! cya
08:34 < ultramage> I have no experience with rigging routes
08:41 -!- gopp [~gopp@ool-44c07f7c.dyn.optonline.net] has quit [Ping timeout: 260 seconds]
08:43 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
08:47 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
09:12 -!- dan08 [~dan08@cpc1-shep1-0-0-cust673.lei3.cable.ntl.com] has joined ##openvpn
09:14 < spiffytech> Up until a few minutes ago, I could connect to my VPN server but couldn't ping it or connect to services on it. I restarted the OpenVPN service, and now everything works. What could have gone wrong? I don't notice anything suspicious in the logs. 
09:14 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:14 < dan08> Hey. Can anyone help me out. I'm new with OpenVPN and I think I'm going in the right way, well I basically need to access my network at home from my office, so if I set up a VPN, will I be able to access my files and other stuff and will the information transfered be encrypted?
09:25 < ecrist> dan08: basically, yes, depending on how you set things  up.
09:31 -!- JackCorleone [~Jack@187.11.184.68] has joined ##openvpn
09:31 < dan08> @ecrist what things do I need to look at? for client and server side, like portforwarding.
09:34 -!- unimatrix [~unimatrix@93-103-14-47.static.t-2.net] has quit [Ping timeout: 265 seconds]
09:37 < ecrist> all openvpn does is help you link two networks securely
09:37 -!- DrPepper [~DrPepper@88.207.183.72] has joined ##openvpn
09:37 < ecrist> as far as opening ports and such, that's all on your firewall
09:44 < ecrist> dan08: please don't PM me, I don't really have time to give such personal attention.  there are many others here who would be able to help you, as well.
09:45 < dan08> im not too sure because of my internal and external IP, how do i configure openvpn to allow connections on my external IP. im using ubuntu, do i have to portforward? and how do i open the neccessary ports on it?
09:46 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Ping timeout: 272 seconds]
09:47 < ultramage> ...eek.
09:47 < ultramage> I tried running the redirect-gateway operation... my network blew up, and even after restarting and reinstalling openvpn, the device just won't work
09:51 < dazo> dan08: a pretty decent openvpn setup uses it's own network range, 10.8.0.0/24 is used in the howto ...  if your home network is using 192.168.1.0/24  and your office is using something else .... then you can do: route -net 192.168.1.0 netmask 255.255.255.0 gw 10.8.0.x   (where X is the VPN IP address of the server side)
09:51 -!- dazo [~dazo@nat/redhat/x-ieefselzacwhedqp] has quit [Read error: Connection reset by peer]
09:51 < ultramage> keeps repeating: TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down, and Route: Waiting for TUN/TAP interface to come up...
09:53 -!- dazo_ [~dazo@nat/redhat/x-pwuexlhljmuonjtn] has joined ##openvpn
09:54 -!- dazo_ is now known as Guest94440
09:54 -!- Guest94440 is now known as dazo
09:59 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:07 -!- notbrien_ [~notbrien@2002:d052:dd6:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
10:10 -!- notbrien_ [~notbrien@2002:d052:dd6:0:5ab0:35ff:fe80:9b4b] has quit [Read error: Connection reset by peer]
10:10 -!- notbrien_ [~notbrien@208.82.13.214] has joined ##openvpn
10:11 -!- notbrien_ [~notbrien@208.82.13.214] has quit [Client Quit]
10:11 -!- notbrien_ [~notbrien@208.82.13.214] has joined ##openvpn
10:11 -!- notbrien [~notbrien@208.82.13.214] has quit [Ping timeout: 276 seconds]
10:11 -!- notbrien_ is now known as notbrien
10:12 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
10:14 < dazo> dan08: have you read !howto?
10:14 < dazo> !howto
10:14 < vpnHelper> dazo: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:15 < dan08> thanks everyone. but i dont really know where to start fom, i think im just going to read it through or sothing ;)
10:16 < dazo> dan08: getting basic info first, is the best ... and then it's easier for us to help you here afterwards 
10:18 < ultramage> http://codepad.org/APGQ9LX0
10:18 < vpnHelper> Title: Plain Text code - 370 lines - codepad (at codepad.org)
10:20 < ultramage> I would really appreciate it if someone could tell me why the driver is silently failing to start
10:20 < dazo> dan08: http://www.techimo.com/forum/linux-unix/176687-howto-openvpn-ubuntu-dapper.html .... that seems to be a pretty sensible Ubuntu + OpenVPN writeup
10:20 < ultramage> because I'm at my wit's end
10:20 < ultramage> it's been 10 hours and I'm right where I started
10:21 < ultramage> I tried uninstalling and rebooting and reinstalling, and it still won't start
10:21 < ultramage> after I used that redirect-gateway setting.
10:23 < dan08> dazo: thanks for the link
10:23 < dazo> dan08: you're welcome
10:24 -!- gopp [~gopp@static-71-187-37-35.nwrknj.fios.verizon.net] has joined ##openvpn
10:28 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
10:29 < ultramage> where could I get support for my issue?
10:29 < dazo> dan08: the key point is anyway ... if you don't need bridging and/or to pass OSI layer 2 traffic between the networks, stay away from 'dev tap' .... only use 'dev tun' and routing ..... for some strange reason most Ubuntu howto's love to use bridging, which is really not needed under normal conditions .... bridging might seem simpler at the beginning, but it gives you a lot of other challenges later on
10:31 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
10:32 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
10:34 -!- roentgen [~HaRT@miranda/user/roentgen] has left ##openvpn []
10:35 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
10:36 -!- roentgen [~HaRT@miranda/user/roentgen] has left ##openvpn []
10:37 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
10:37 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Client Quit]
10:42 -!- gopp [~gopp@static-71-187-37-35.nwrknj.fios.verizon.net] has quit [Ping timeout: 248 seconds]
10:43 < ultramage> for reference, the issue was that I had the DHCP client service disabled, which took effect on the reboot following my networking failure
10:43 < ultramage> I wish there was a bugtracker or something where I could complain about this stuff
10:43 < ultramage> like, if you absolutely require the service to be there, then at least check for it, goddamnit ><
10:44 < ultramage> feels like the windows part of openvpn was written by trained monkeys
10:48 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
10:50 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 248 seconds]
10:52 -!- star314 [~star314@xchg.fiss-oeaw.at] has quit [Quit: Leaving]
10:54 -!- GNUtoo [~GNUtoo@host187-49-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
10:55 < GNUtoo> hi, how do I do the equivalent of the "ifconfig tun0 192.168.10.1" shell command that would be run on the server in the server configuration file of openvpn?
10:58 < GNUtoo> here's my config: http://pastebin.com/bumjC3bE
11:00 < GNUtoo> I bet as usual I'll have to wait a lot of time
11:00 < GNUtoo> for someone to repond
11:01 < dazo> GNUtoo: --ifconfig, iirc 
11:01 < dazo> !--
11:01 < vpnHelper> dazo: "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file.
11:01 < GNUtoo> hi nice
11:01 < g0tcha> does openvpn encrypt using 256bit or higher?
11:01 < GNUtoo> thanks a lot
11:02 < GNUtoo> so I should run a shell script
11:02 < GNUtoo> there is no directive for that? like ifconfig for non-bridged/non-tap things
11:03 < dazo> g0tcha: openvpn --show-ciphers .... that'll give you what your OpenSSL installation supports in OpenVPN .... then use --cipher to modify that
11:03 < dazo> GNUtoo: read the man page ;-)  search for --ifconfig
11:03 < GNUtoo> ok
11:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
11:08 < GNUtoo> dazo, thanks a lot!!! with some trial and error + man page reading it works
11:08 < dazo> GNUtoo: perfect :)  the an page is pretty awesome!
11:09 < GNUtoo> I'll try to connect this computer trough openvpn,that will disconnect irc
11:11 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:12 -!- gnutoo_ [~GNUtoo@host187-49-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
11:13 < gnutoo_> thanks a lot now I'm protected with openvpn
11:13 -!- GNUtoo [~GNUtoo@host187-49-dynamic.21-79-r.retail.telecomitalia.it] has quit [Ping timeout: 240 seconds]
11:14 -!- gnutoo_ is now known as GNUtoo
11:15 -!- roentgen [~HaRT@miranda/user/roentgen] has left ##openvpn ["Leaving."]
11:16 < Bushmills> g0tcha: can choose. 
11:18 < GNUtoo> hmmm I've some leaks
11:19 < GNUtoo> tcpdump shows things on wlan0
11:19 < GNUtoo> 7231+ AAAA? openvpn.net. (29)
11:19 < GNUtoo> example
11:19 < GNUtoo> which is DNS
11:20 < GNUtoo> ok resolved
11:20 < GNUtoo> ah no
11:26 < Bushmills> you are protected as result of trial and error?
11:26 < Bushmills> interesting logic
11:26 -!- Lenhix [LordChaman@200.119.13.10] has joined ##openvpn
11:28 < Bushmills> how about "i connected this computer to the other with a network cable - this very act renders it cracker-proof"
11:35 -!- GNUtoo [~GNUtoo@host187-49-dynamic.21-79-r.retail.telecomitalia.it] has quit [Read error: Operation timed out]
11:35 -!- GNUtoo [~GNUtoo@host187-49-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
11:39 < dan08> i was reading the howto and i was thinking, the keys and certificates are very important for security and all of that but, is it really neccessary? cant we just skip that keys and cers bit?
11:40 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Read error: Operation timed out]
11:40 < Bushmills> yes. you can configure password logon
11:41 < Bushmills> but keys are not only more secure, but also more convenient
11:41 < dazo> dan08: if you don't need to the security which SSL certificates and keys (so called PKI) .... then you can use static keys
11:41 -!- ultramage [umage@kurobara.netvor.sk] has left ##openvpn []
11:42 < dazo> dan08: but Bushmills is right, for bigger environments (more than 2-3 clients) it is a lot more convenient to use SSL certs/keys
11:42 < dazo> dan08: but to get you started, start with static keys ... and then move on to SSL stuff when you have the basics
11:43 < dan08> the idea is just use the internet at home from wherever i am, for example from office or caffes sometimes. so i dont learn how to do the keys and certificates for now? kool thanks guys
11:44 < dan08> and btw, why are keys more convenient?
11:45 < Bushmills> easier to replace frequently, no need to enter anything for connecting,...
11:45 < dazo> dan08: when you use certificates, you can revoke access to one client among many ... and if you loose the key files (stolen or just lost) ... you don't have to give all clients new static key files
11:47 < dan08> ok. got it, but its just for personal use really, just trying some new stuff. is the openvpn license free for only 30 days?
11:47 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
11:47 < dazo> dan08: that's the OpenVPN Access Server ... if you take the community version, there are no license keys
11:48 < dazo> dan08: OpenVPN is completely open source .... while Access Server is not
11:49 < Bushmills> "Copyright (C) 2002-2009 OpenVPN Technologies, Inc. This program is free software;  you  can redistribute it and/or modify it under the terms of the GNU General Public License version 2"
11:49 < dan08> ohh right. i got that now, but everything has to be done in the konsole. is it more complicated? or is it just till you get used to it?
11:50 < Bushmills> many people just let it auto-connect during boot, and don't need any user interface for it
11:50 < Bushmills> that reduces the "everything" to "nothing" :)
11:51 < dazo> dan08: For Gnome there are NetworkManager OpenVPN plug-in (which is not that good) ... and then gopenvpn which is a gui on top of openvpn but uses standard openvpn config files
11:51 < dazo> dazo: for windows, you have openvpn-gui ... for MacOSX you have tunnelblick and another one I've forgotten the name of 
11:52 < dazo> dan08: but the thing is that all of these GUI's uses the OpenVPN binary
11:52 < Bushmills> for configuration, there exist advanced interactive configuration frontends, called "editors"
11:52 < dan08> ive read a post in some forum that this guy was saying about supervpn or something lke that and it was for linux, i guess. anyone know about it?
11:52 < dazo> dan08: so the key is .... if you get it to work from console ... it'll work via most of the GUI's you have available, almost immediately
11:53 < dan08> my favourite editor is 'nano' ;) i suppose that's an editor
11:53 < dazo> dan08: not heard about supervpn
11:53 < dan08> maybe it was bs
11:54 < dazo> dan08: supervpn is not openvpn compatible, that's actually IPSec, afaicu ... http://www.satellite-asp.com/supervpn/index.htm
11:54 < vpnHelper> Title: SuperVPN (at www.satellite-asp.com)
11:54 < dan08> im just going to read a little bit more after eating something, thanks again everyone
11:55 < dan08> BRB
12:02 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Ping timeout: 276 seconds]
12:06  * kisom is implementing two-factor SMS authentication in openvpn :-)
12:07 < kisom> basically you'll need both a certificate and an SMS code to log on
12:07 < dazo> kisom: willing to share the code afterwards?
12:07 -!- glguy [~emertens@unaffiliated/glguy] has joined ##openvpn
12:07 < kisom> dazo: sure.
12:08 < dazo> kisom: cool!
12:08 < kisom> you'll need a 3g modem or a phone connected to the server
12:08 < dazo> kisom: understood :)
12:08 < kisom> and preferably a flat-rate SMS contract
12:08 < dazo> heh
12:09 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
12:10 < kisom> cost us about $6 a month for unlimited SMSes
12:10 < kisom> pretty worth it
12:19 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
12:33 -!- darkscrypt [~darkscryp@216.162.34.42] has joined ##openvpn
12:35 -!- lambrecht [~system@d51A4E044.access.telenet.be] has joined ##openvpn
12:37  * dazo heads out
12:38 -!- dazo is now known as dazo_afk
12:46 < darkscrypt> I am using a routed VPN between 1 client machine and 1 server located behind a nat gateway. 
12:46 < darkscrypt> The connection initiates successfully, and I can ping the tun0 adapter on the server, as well as reach the servers local network address of 192.168.15.3.
12:47 < darkscrypt> However I cannot reach the gateway of 192.168.15.254. 
12:52 < krzie> !route-outside-ovpn
12:52 < vpnHelper> krzie: Error: "route-outside-ovpn" is not a valid command.
12:52 < krzie> !factoids search outside
12:52 < vpnHelper> krzie: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
12:52 < krzie> =]
12:56 < lambrecht> anyone has a good tut sire for homserver vpn  
12:56 < lambrecht> sire = site  :p 
12:56 < krzie> huh?
12:57 < krzie> !goal
12:57 < vpnHelper> krzie: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:57 < Bushmills> !howto
12:57 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:59 -!- EugeneKaway [~EugeneKay@jimbowie.kashpureff.org] has joined ##openvpn
12:59 -!- EugeneKaway [~EugeneKay@jimbowie.kashpureff.org] has quit [Client Quit]
13:09 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Ping timeout: 240 seconds]
13:16 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
13:16 -!- roentgen [~HaRT@miranda/user/roentgen] has left ##openvpn []
13:17 < hyper_ch> http://gizmodo.com/5553428/400-billion-stars-in-a-800000+image-mosaic
13:17 < vpnHelper> Title: Can You Count 400 Billion Stars In This Mind-Blowing Panorama? (at gizmodo.com)
13:27 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
13:46 < darkscrypt> !route
13:47 < vpnHelper> darkscrypt: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:56 -!- b0nn [~this@202-180-91-108.callplus.net.nz] has quit [Ping timeout: 264 seconds]
14:04 -!- doug_ndndn [~doug@78-86-178-196.zone2.bethere.co.uk] has quit [Read error: Connection reset by peer]
14:05 -!- doug_ndndn [~doug@78-86-178-196.zone2.bethere.co.uk] has joined ##openvpn
14:07 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
14:10 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
14:12 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
14:16 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
14:17 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
14:29 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:39 < nat2610> After I establish a connection to my vpn on the other side of the world, I'm not able to resolve any dns requests ... how can I troubleshoot that ? Is there a way to add dns parameters to the server config ?
14:40 < krzee> !pushdns
14:40 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
14:48 < nat2610> so I'm pushing as a dns 8.8.8.8 (google dns) to the client but when I do nslookup I get DNS request time out ... is it a firewall issue on the server side ? Is it something realted to the ISP ? 
14:49 < krzee> what OS are you pushing it to?
14:58 -!- lambrecht [~system@d51A4E044.access.telenet.be] has quit []
14:59 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 260 seconds]
15:03 < roentgen> krzee: I keep forgeting the devel site
15:03 < roentgen> I google something like git clone git:/
15:03 < roentgen> openvpn.git.sourceforge.net/gitroot
15:03 < roentgen> openvpn/openvpn-testing.git
15:04 < roentgen> Is there something "more" official than
15:04 < roentgen> that?
15:05 < krzee> community.openvpn.net
15:05 < krzee> or the topic in openvpn-devel
15:06 < krzee> [13:09]  * Topic for #openvpn-devel is: OpenVPN testing source tree: git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn-testing.git | Browse the git tree: http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git;a=summary
15:06 < vpnHelper> Title: SourceForge - openvpn/openvpn-testing.git/summary (at openvpn.git.sourceforge.net)
15:06 < krzee> then for testing branch...
15:06 < krzee> !testing
15:06 < vpnHelper> krzee: "testing" is "snapshots" is (#1) weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn, or (#2) by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch
15:07 < roentgen> I see ... thanks
15:07 < krzee> np =]
15:15 < krzee> !
15:15 < krzee> ! 
15:15 < krzee> !forget as
15:15 < vpnHelper> krzee: Joo got it.
15:15 < krzee> !forget as
15:15 < vpnHelper> krzee: Error: There is no such factoid.
15:16 < krzee> werd
15:16 < Bushmills> !As
15:16 < vpnHelper> Bushmills: Error: "As" is not a valid command.
15:16 < krzee> both caps
15:16 < Bushmills> !AS
15:16 < vpnHelper> Bushmills: Error: "AS" is not a valid command.
15:16 < Bushmills> nope
15:16 < krzee> erm
15:16 < krzee> !AS
15:16 < vpnHelper> krzee: Error: "AS" is not a valid command.
15:16 < Bushmills> thought i remembered that one
15:16 < krzee> !learn AS as [access-server]
15:16 < vpnHelper> krzee: Joo got it.
15:16 < krzee> !as
15:16 < vpnHelper> krzee: "as" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
15:16 < vpnHelper> krzee: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://beta.openvpn.net/index.php/access-server/download-openvpn-as.html, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
15:16 < krzee> !AS
15:16 < vpnHelper> krzee: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
15:16 < vpnHelper> krzee: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://beta.openvpn.net/index.php/access-server/download-openvpn-as.html, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
15:16 < krzee> !aS
15:16 < vpnHelper> krzee: "aS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
15:17 < vpnHelper> krzee: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://beta.openvpn.net/index.php/access-server/download-openvpn-as.html, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
15:17 < krzee> heh
15:17 < krzee> and i totally thought it was case sensitive
15:18 < Bushmills> it may be partially
15:18 < Bushmills> doesn't allow you to learn as, but adding AS is possible. case sensitive there.
15:18 < krzee> tru
15:18 < Bushmills> but when requesting a factoid, it isn't
15:20 < krzee> !bEEr
15:20 < vpnHelper> krzee: "bEEr" is its what's for dinner!
15:22 < krzee> !fprget custom
15:22 < vpnHelper> krzee: Error: "fprget" is not a valid command.
15:22 < krzee> !forget custom
15:22 < vpnHelper> krzee: Joo got it.
15:22 < krzee> (old dupe of !win_rollup)
15:23 -!- pushpop [~marcthesp@pool-173-77-231-215.nycmny.fios.verizon.net] has joined ##openvpn
15:23 < krzee> !forget devel
15:23 < vpnHelper> krzee: Joo got it.
15:23 < krzee> (dupe of !testing / !snapshots)
15:24 < pushpop> Hi all, I have a question.  I'm using openVPN everything works great just the file transfer speeds are very slow and not taking advantage of our connection speeds.  Could somone help me resolve that
15:24 < krzee> are you using UDP?
15:24 < pushpop> OK I just installed it and got it working
15:24 < pushpop> can you be more descriptive
15:24 < krzee> ...?
15:24 < krzee> !configs
15:24 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
15:25 < agagag> hey is vpnHelper's code available somewhere?
15:25 < krzee> agagag,
15:25 < krzee> !factoids
15:25 < vpnHelper> krzee: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
15:25 < krzee> the code for the bot itself... its just a supybot
15:25 < krzee> ~version
15:25 < krzee> !version
15:25 < vpnHelper> krzee: The current (running) version of this Supybot is 0.83.4.1.  The newest version available online is 0.83.4.1.
15:25 < agagag> supybot i see, thanks
15:25 < krzee> np
15:27 < agagag> its written in python too. great
15:27 < krzee> !AS
15:27 < vpnHelper> krzee: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
15:27 < vpnHelper> krzee: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://beta.openvpn.net/index.php/access-server/download-openvpn-as.html, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
15:27 < krzee> pushpop, read that
15:28 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
15:38 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Disconnected by services]
15:38 -!- roentgen1 [~HaRT@94.62.132.84] has joined ##openvpn
15:38 -!- roentgen1 is now known as roentgen
15:38 -!- roentgen [~HaRT@94.62.132.84] has quit [Changing host]
15:38 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
15:45 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:51 < g0tcha> if openvpn runs from a virtual machine, its still as secure as if its running from a host machine, right?
15:52 -!- [JFET] [~dome@catv-89-133-22-167.catv.broadband.hu] has joined ##openvpn
15:53 < krzee> its as secure as the VM is...
15:54 < krzee> ie: doesnt really change anything
15:54 < [JFET]> hi! Perhaps this is the wrong channel to ask, but i'll give it a try. Is any java-guru here? I am trying to use bouncy castle libs to generate keys for my openvpn connections. Generating is okay, i have problems with signing. I find it really hard to find howtos and tutorials in this specific area.
15:55 < g0tcha> krzee, cool.. thanks
15:56 < Bushmills> if you consider that the host can read files from VM without VM knowing, it would therefore be less secure - the host can steal the keys
15:57 < Bushmills> though you can probably prevent that by encrypting your volumes
15:57 < glguy> The host can read the VM’s memory
15:58 < g0tcha> Bushmills, what i want is this, i travel alot and i do alot of big amount transactions over the internet. so i want to setup an openvpn server in ubuntu VM here at home with SSL
15:58 < krzee> well right, its assumed you trust the host
15:59 < g0tcha> like this, if i travel and connect o unsecure wifi or whatever, i can connect to my home openvpn and do everything safely, right?
15:59 < Bushmills> i think "big amount transactions" and "ubuntu" shouldn't be used in the same sentence
15:59 < krzee> g0tcha, correct, and a common use of openvpn
15:59 < krzee> you will want:
15:59 < g0tcha> Bushmills, what do you suggest then? im only using ubuntu cuz its the only linux distro i know how to use
15:59 < krzee> !redirect
15:59 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
15:59 < krzee> g0tcha, you can make your configs with this if you wanna
16:00 < krzee> !confgen
16:00 < glguy> If all you want is secure web browser traffic it is probably easier to do a dynamic port forward with SSH
16:00 < vpnHelper> krzee: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
16:00 < Bushmills> i'd suggest something with a more extensive test cycle
16:00 < krzee> glguy, he prolly wants to secure EVERYTHING
16:00 < krzee> such as instant messengers, etc
16:00 < g0tcha> yeah, i want to secure everything.. i work in big projects and i can never be sure who is looking at my traffic in those countries
16:01 < g0tcha> krzee, ill read up on that
16:02 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Ping timeout: 240 seconds]
16:03 < glguy> By why inside a VM?
16:03 < glguy> If he runs windows he could just as well run OpenVPN from windows, right?
16:03 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
16:03 < krzee> glguy, correct
16:03 < glguy> then your firewall settings could be set to be draconian at the host and only permit a minimum of traffic
16:03 < glguy> perhaps only dhcp and openvpn or something (outgoing)
16:04 < g0tcha> i dont think im gonna run it on a VM, i was just being curious
16:04 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
16:04 < g0tcha> but im doing my first install and so on on a VM though
16:04  * glguy guesses that Windows was your host
16:04 < g0tcha> ive been only reading so far and didnt run anything
16:04 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
16:04 < g0tcha> nah, i have a new machine i built
16:04 < g0tcha> for less then 350$
16:05 < g0tcha> something small and cheap
16:05 < krzee> the box i built for $650 is a monster
16:05 < krzee> MacPro3,1 CPU: Intel Core2 Quad Q9400 2.66GHz @ 2.4GHz [/FPU/MMX/SSE/SSE2/SSE3/S.SSE3/SSE4.1/x86_64/PAE/XD/EM64T/VMX/EST/QuadCore] L2: 6144K FSB: 1064MHz Airport:    RAM: 4.1GB/8.0GB Vram: 8.50M/128.00M Disk: 66.93GB/1005.91GB GPU: Unknown nVidia card [512 MB/Stock] 1280x1024@60Hz and 1280x1024@60Hz OS: Mac OS X 10.6.3 (10D573) Kernel: Darwin 10.3.0 Up: 2 days  1:18
16:05 < glguy> What script did you use to generate that?
16:06 < g0tcha> nice
16:06 < krzee> xinfo.py for xchat aqua
16:07 < glguy> Does the OS X tuntap driver only support manual allocation on tun/tap devices? On Linux I know you can open /dev/net/tun and just get the next available device
16:07 < krzee> also has /macmovie /mactunes (for saying info of a movie or song im using)
16:08 < krzee> and /macweather for saying the weather for a US zip code
16:22 -!- Lenhix [LordChaman@200.119.13.10] has quit [Quit: BRB]
16:27 -!- cjae [~quassel@142-165-27-211.estv.hsdb.sasknet.sk.ca] has joined ##openvpn
16:29 -!- mirco [~mirco@p5B23A80D.dip.t-dialin.net] has joined ##openvpn
16:35 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:37 < g0tcha> hmm if i want ssl i have to install openssl in windows before installing openvpn, correct?
16:38 < g0tcha> ssl is necessary for what i want to do from what i read
16:39 -!- cjae [~quassel@142-165-27-211.estv.hsdb.sasknet.sk.ca] has quit [Ping timeout: 248 seconds]
16:43 -!- JackCorleone [~Jack@187.11.184.68] has quit [Quit: Saindo]
16:50 -!- cjae [~quassel@142-165-27-211.estv.hsdb.sasknet.sk.ca] has joined ##openvpn
16:53 -!- cjae [~quassel@142-165-27-211.estv.hsdb.sasknet.sk.ca] has quit [Remote host closed the connection]
16:53 -!- cjae [~quassel@142-165-27-211.estv.hsdb.sasknet.sk.ca] has joined ##openvpn
16:54 < nat2610> so I'm pushing as a dns 8.8.8.8 (google dns) to the client but when I do nslookup I get DNS request time out ... is it a firewall issue on the server side ? Is it something realted to the ISP ?  My server is a linux and the client a windows vista
16:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
16:55 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Read error: Connection reset by peer]
16:55 < krzee> 2.1.1 on vista?
16:58 < nat2610> OpenVPN 2.0.9 
16:58 < nat2610> actually
16:59 < nat2610> krzee, for the client I use http://openvpn.se/ 
16:59 < vpnHelper> Title: OpenVPN GUI for Windows (at openvpn.se)
17:01 < g0tcha> i keep getting this error when i run 'build-key-server server' in win2k3 http://pastebin.com/Md0PiCuM
17:06 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
17:06 -!- pushpop [~marcthesp@pool-173-77-231-215.nycmny.fios.verizon.net] has quit [Read error: Connection reset by peer]
17:06 -!- pushpop [~marcthesp@pool-173-77-231-215.nycmny.fios.verizon.net] has joined ##openvpn
17:07 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
17:07 -!- pushpop [~marcthesp@pool-173-77-231-215.nycmny.fios.verizon.net] has quit [Read error: Connection reset by peer]
17:07 -!- pushpop [~marcthesp@pool-173-77-231-215.nycmny.fios.verizon.net] has joined ##openvpn
17:09 -!- GNUtoo [~GNUtoo@host187-49-dynamic.21-79-r.retail.telecomitalia.it] has quit [Quit: Leaving]
17:12 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined ##openvpn
17:12 -!- dan08 [~dan08@cpc1-shep1-0-0-cust673.lei3.cable.ntl.com] has quit [Remote host closed the connection]
17:13 < grendal_prime> im trying to build a client connect script that looks for a particulare client based on mac address of the hardware.
17:14 -!- g0tcha [~efnet@27.9.202.62.fix.bluewin.ch] has quit [Ping timeout: 265 seconds]
17:15 -!- dan08 [~dan08@cpc1-shep1-0-0-cust673.lei3.cable.ntl.com] has joined ##openvpn
17:15 -!- g0tcha [~efnet@27.9.202.62.fix.bluewin.ch] has joined ##openvpn
17:16 < [JFET]> I'm working on a java code that generates key+cert for openvpn. I found out that the private key should be in PEM format. It is okay. My question is that what format should the certificate be in?
17:16 < [JFET]> what is its 3-letter-abbreviation?
17:17 < krzee> if you use pem, it has the key and cert
17:17 < krzee> and ca iirc
17:17 < krzee> otherwise, you can have separate files
17:17 < krzee> why dont you look at what easy-rsa does
17:18 < [JFET]> actually i pretty much miss its theoretical background of cryptography. I have managed to create .pem from the privatekey. But I have the signed public key in an other java object, and the pemwriter won't do anything with it. So I tought it should be in a different format
17:19 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:19 < g0tcha> so any suggestion about this error on win2k3 when i run build-key-server server http://pastebin.com/FMDAjJjr
17:20 -!- cjae [~quassel@142-165-27-211.estv.hsdb.sasknet.sk.ca] has quit [Remote host closed the connection]
17:21 < grendal_prime> thats aparently not an enviromental varriable i can get to?
17:24 < grendal_prime> kind a bummer
17:25 < grendal_prime> can i push an ifconfig to the box and then parce through the returned info?
17:28 -!- SkyX [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
17:29 -!- SkyX [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Read error: Connection reset by peer]
17:29 -!- SkyX [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
17:29 -!- SkyX [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
17:31 -!- chantra is now known as chantra_
17:31 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
17:31 -!- chantra_ is now known as chantra__
17:31 -!- chantra__ is now known as chantra
17:35 -!- clyons_ [~clyons@unaffiliated/clyons] has joined ##openvpn
17:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
17:43 < grendal_prime> doesnt look like there is a way of doing this
17:49 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Remote host closed the connection]
17:50 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
17:51 -!- clyons_ [~clyons@unaffiliated/clyons] has quit [Quit: Leaving]
17:52 -!- clyons_ [~clyons@unaffiliated/clyons] has joined ##openvpn
17:54 -!- clyons_ [~clyons@unaffiliated/clyons] has quit [Read error: Connection reset by peer]
17:54 -!- clyons [~clyons@unaffiliated/clyons] has quit [Quit: Leaving]
17:56 -!- clyons [~clyons@unaffiliated/clyons] has joined ##openvpn
17:56 < Bushmills> grendal_prime: you could execute a connect script on client which transfers its mac address to server upon connect - but you could probably just as well simply use a ccd script for that client
17:57 < Bushmills> (ccd script meaning, a server side connect script in that specific client's ccd configuration)
17:57 -!- clyons [~clyons@unaffiliated/clyons] has quit [Remote host closed the connection]
17:58 < Bushmills> as soon as client is involved in transferring the mac, it could potentially be spoofed. therefore the mac is not reliable
17:58 < grendal_prime> well all the clients have the same key
17:58 < Bushmills> ah, so that's meant as a work-around for clients using the same key?
17:59 < Bushmills> seems like trying to cure the symptom, rather than the cause, with that mac scheme
17:59 < grendal_prime> well basically we want to see when a specific client logs in.  we know the mac address of the box.
17:59 < Bushmills> give that specific client a different key
17:59 < grendal_prime> we were hoping that when it loged in we would be able to see the physical mac on the box. 
18:00 < grendal_prime> well that would be great.  accet right now we cant identify it
18:00 < grendal_prime> its an appliance in the field.
18:00 < Bushmills> mac has no relevance for delivering packets, unless the sender sits on the same segment
18:00 < grendal_prime> nobody around to touch it. 
18:01 < grendal_prime> so there is no way to get the physical mac of the device that is connected?
18:01 < Bushmills> can't you identify it by its ip address?
18:01 < grendal_prime> dhcp
18:01 < Bushmills> the "physical" mac is also only sent by software
18:01 < Bushmills> read, and transmitted
18:02 < Bushmills> there are ways, but not within the protocol.
18:02 < grendal_prime> so just sniff the external ip
18:03 < Bushmills> the ip address is available to you. if it is known, you can recognise the client from it.  if several clients behind the same NAT router connect, that will be more difficult
18:04 < grendal_prime> these are small like wifi boxes.  they could be anywhere
18:05 < grendal_prime> see i was thinking we could push like an if-config and then pull back the info and parse through that.
18:06 < Bushmills> if they move around, and connect from changing locations, ip address won't do. but - if they can be moved, you can also move them somewhere where you can load them with a different key
18:07 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
18:11 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
18:21 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Remote host closed the connection]
18:41 < [JFET]> I am getting this error: "X509_check_private_key:key values mismatch" Do you know how to dump .crt and .key files to check the integrity?
18:41 < krzee> !certverift
18:41 < vpnHelper> krzee: Error: "certverift" is not a valid command.
18:41 < krzee> !certverify
18:41 < vpnHelper> krzee: "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
18:41 < krzee> !certinfo
18:41 < vpnHelper> krzee: "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
18:42 < [JFET]> thanks
18:43 < krzee> yw
18:54 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Quit: Ex-Chat]
18:57 < krzee> !winroute
18:57 < vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
19:01 -!- g0tcha [~efnet@27.9.202.62.fix.bluewin.ch] has quit [Ping timeout: 260 seconds]
19:02 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 240 seconds]
19:03 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
19:17 -!- sCOTTo [~sCOTTo@CPE-58-172-250-154.cqzo1.cht.bigpond.net.au] has joined ##openvpn
19:18 < sCOTTo> hey guys - anyone want to talk through OpenVPN & PPTP with me? I have a server running both, I had someone create a tunnel from this server to another but now it is stopped. There --were-- users who were logging in through pptp and now they cant! I think it may be to do with openvpn settings... any advice ?
19:23 -!- dan08 [~dan08@cpc1-shep1-0-0-cust673.lei3.cable.ntl.com] has left ##openvpn ["Konversation terminated!"]
19:26 -!- [JFET] [~dome@catv-89-133-22-167.catv.broadband.hu] has quit [Quit: Leaving]
19:34 < sCOTTo> !def1
19:34 < vpnHelper> sCOTTo: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
19:35 < sCOTTo> !man
19:35 < vpnHelper> sCOTTo: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
19:36 < nat2610> so I'm pushing as a dns 8.8.8.8 (google dns) to the client but when I do nslookup I get DNS request time out ... is it a firewall issue on the server side ? Is it something realted to the ISP ?  My server is a linux and runs 2.0.9 and the client a windows vista and run openvpn.se (latest) 
19:39 < sCOTTo> Bushmills:   can you walk me through this - I am not sure I have my head on the right way today - I think I may be wrong on SOMETHINg.
19:40 < sCOTTo> -- I need for clients to be able to log into my server via pptp. They used to be able to - but this guy came in when I wasnt around and access was given where he made a tun from our server to our hosting server overseas. I killed it now - but now my pptp clients cant log in :( I inherited the server - so I really dont know it.
19:41 < Bushmills> check whether your default route is lost when openvpn starts or is killed
19:41 < sCOTTo> this is the syslog on a connection: http://pastebin.com/GD0TEQYN
19:41 < sCOTTo> any ideas
19:59 -!- glguy [~emertens@unaffiliated/glguy] has quit [Quit: glguy]
20:07 -!- sCOTTo [~sCOTTo@CPE-58-172-250-154.cqzo1.cht.bigpond.net.au] has quit [Quit: Leaving]
20:23 -!- mirco [~mirco@p5B23A80D.dip.t-dialin.net] has quit [Quit: mirco]
20:24 -!- mirco [~mirco@p5B23A80D.dip.t-dialin.net] has joined ##openvpn
20:27 -!- crazygir [~jason@li14-82.members.linode.com] has quit [Changing host]
20:27 -!- crazygir [~jason@unaffiliated/crazygir] has joined ##openvpn
20:35 -!- glguy [~emertens@unaffiliated/glguy] has joined ##openvpn
20:37 -!- glguy [~emertens@unaffiliated/glguy] has quit [Read error: Connection reset by peer]
20:37 -!- glguy [~emertens@pool-71-111-48-245.ptldor.dsl-w.verizon.net] has joined ##openvpn
21:08 -!- theDoc [~jaki@173.236.41.34] has joined ##openvpn
21:21 -!- coil [platypus@unaffiliated/coil] has left ##openvpn []
21:26 -!- Netsplit *.net <-> *.split quits: demiurgen, udontknow, Champi
21:28 -!- Netsplit over, joins: demiurgen, udontknow, Champi
21:33 -!- darkscrypt [~darkscryp@216.162.34.42] has quit [Remote host closed the connection]
21:40 -!- pushpop [~marcthesp@pool-173-77-231-215.nycmny.fios.verizon.net] has left ##openvpn []
21:55 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
22:28 -!- Russnix [~c2529efa@gateway/web/freenode/x-ptstahbfpdefexpg] has quit [Ping timeout: 252 seconds]
22:40 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
22:46 -!- propagandhi [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has joined ##openvpn
22:52 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: Leaving.]
22:52 -!- Abhishek_Singh [~Abhishek@220.225.244.114] has joined ##openvpn
22:56 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
23:04 -!- propagandhi [~propagand@CPE-121-223-206-243.static.nsw.bigpond.net.au] has quit [Remote host closed the connection]
23:14 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: Leaving.]
23:15 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
23:16 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Client Quit]
23:16 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
23:17 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Client Quit]
23:20 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
23:31 -!- KnyghtMare [~KnyghtMar@173-22-182-45.client.mchsi.com] has joined ##openvpn
23:32 < KnyghtMare> is there any way to make an openvpn windows client make the vpn network a "trusted" location?
23:32 < KnyghtMare> I'm fed up of having to tell windows time and again that my VPN connection is secure
23:34 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
23:36 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
23:36 -!- mode/##openvpn [+o mattock] by ChanServ
23:38 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
23:46 -!- KnyghtMare [~KnyghtMar@173-22-182-45.client.mchsi.com] has quit [Read error: Connection reset by peer]
23:47 -!- killown [~killown@unaffiliated/killown] has quit [Ping timeout: 245 seconds]
23:48 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
23:58 -!- npmccallum [~npmccallu@76.177.255.171] has joined ##openvpn
23:58 < npmccallum> Can I use IPv6 in the --server declaration and IPv4 everywhere else? (assume both client and server support IPv6)
--- Day changed Thu Jun 03 2010
00:09 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 240 seconds]
00:11 -!- npmccallum [~npmccallu@76.177.255.171] has quit [Ping timeout: 260 seconds]
00:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 248 seconds]
00:22 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
00:22 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
00:27 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 260 seconds]
00:28 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
00:35 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
00:48 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
01:06 < networkn> anyone able to shed light as to why I cannot seem to see my tap adapter in ipconfig on xp on this one pc?
01:21 -!- clyons [~clyons@unaffiliated/clyons] has joined ##openvpn
01:26 -!- clyons [~clyons@unaffiliated/clyons] has quit [Client Quit]
01:42 -!- dazo_afk is now known as dazo
01:44 -!- notworkn [networkn@121.98.152.39] has quit [Ping timeout: 240 seconds]
01:57 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Excess Flood]
02:04 -!- mirco [~mirco@p5B23A80D.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
02:05 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
02:10 -!- mirco [~mirco@p5B23FBDA.dip.t-dialin.net] has joined ##openvpn
02:11 -!- mape2k [~mape2k@2001:638:904:ffc4:221:86ff:fe98:93a2] has joined ##openvpn
02:12 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 260 seconds]
02:15 -!- tw-oic [~silverfis@c-98-223-105-100.hsd1.in.comcast.net] has quit [Read error: Operation timed out]
02:17 -!- tw [~silverfis@c-98-223-105-100.hsd1.in.comcast.net] has joined ##openvpn
02:28 -!- meepmeep [meepmeep@212.24.104.229] has joined ##openvpn
02:31 -!- glguy [~emertens@pool-71-111-48-245.ptldor.dsl-w.verizon.net] has quit [Disconnected by services]
02:33 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:34 -!- glguy [~emertens@unaffiliated/glguy] has joined ##openvpn
02:41 < fluvvell> networkn, are you still struggling ?
02:42 -!- DrPepper [~DrPepper@88.207.183.72] has quit [Ping timeout: 240 seconds]
02:42 -!- g0tcha [~efnet@27.9.202.62.fix.bluewin.ch] has joined ##openvpn
02:46 -!- glguy [~emertens@unaffiliated/glguy] has quit [Ping timeout: 240 seconds]
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:55 < g0tcha> everytime i create a new client/user i have to run build-dh again?
03:55 < theDoc> No.
03:56 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: Connection reset by peer]
03:56 < g0tcha> thanks
04:00 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Excess Flood]
04:00 -!- T1w [~jens@node3.survey-it.dk] has joined ##openvpn
04:00 < T1w> hello
04:01 < T1w> has anyone done some performancetests over high speed low latency networks - ie. between 2 GBit internet connections?
04:01 < T1w> I have been unable to locate anything other than performancetests over ADSL-type connections
04:02 < hyper_ch> you have 2 gbit internet conncetions?
04:02 < T1w> yes
04:02 < T1w> or at least I am planning to
04:04 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
04:04 < T1w> I've got the one, and as I'm using openvpn to pull backup-data through on a hourly basis - and with data-amounts that require gbit connectivity - I was wondering what kind of performance I could get out of openvpn
04:12 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
04:28 < g0tcha> so guys hmm how can i test if my openvpn installation with a client without the need of going out of the house? heheh
04:48 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
04:59 -!- theDoc [~jaki@173.236.41.34] has quit [Quit: Leaving]
05:10 -!- DrPepper [~DrPepper@88.207.183.72] has joined ##openvpn
05:15 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
05:15 -!- mode/##openvpn [+o mattock] by ChanServ
05:51 < Chosi> moo
05:52 < Chosi> i'm having this issue that people playing battlefield bad company 2 over my tunnel get disconnected after an hour. almost exactly an hour - is there anything known related to that?
06:29 < Bushmills> that's while traffic is going over the line?
06:29 < Bushmills> or does it disconnect when it is idle?
06:30 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
06:37 < networkn> anyone able to shed light as to why I cannot seem to see my tap adapter in ipconfig on xp on this one pc?
06:40 < Chosi> Bushmills: while traffic is going over it
06:44 < Chosi> Bushmills: it's like they start playing and after almost exactly an hour they get disconnected
06:45 < |Mike|> Chosi: maybe your link gets flooded due a lot of bandwidth ?
06:50 < Chosi> nah bandwidthwise it's fine
06:50 < Chosi> propably lots of udp through tcp tunnel tho, but why is it exactly after an hour?
06:52 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:54 < Bushmills> at the full hour?  or just one hour after having started it?
06:54 < Chosi> one hour after they started
06:55 < Bushmills> no idea. you may want to check logs, and set log level higher first
06:55 < Bushmills> maybe the game has a time limited key
06:56 < Chosi> i guess the just disconnected with -1 or something. can't remember i read the logs with verb 5 but couldn't find anything suspicious
06:56 < Chosi> weird
07:06 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Remote host closed the connection]
07:17 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 260 seconds]
07:18 < networkn> are there forums for openvpn?
07:19 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
07:32 -!- xXx [~chatzilla@82.137.212.155] has joined ##openvpn
07:32 -!- xXx is now known as Guest85363
07:33 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:34 -!- Guest85363 [~chatzilla@82.137.212.155] has quit [Client Quit]
07:44 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:45 <@mattock> networkn: http://www.ovpnforum.com/
07:45 < vpnHelper> Title: OpenVPN Forum Index page (at www.ovpnforum.com)
07:58 -!- oc80z [oc80z@blea.ch] has quit [Ping timeout: 252 seconds]
07:59 -!- oc80z [oc80z@blea.ch] has joined ##openvpn
08:01 -!- npmccallum [~npmccallu@76.177.255.171] has joined ##openvpn
08:16 -!- takamichi [~pri@78.133.37.89] has quit [Ping timeout: 260 seconds]
08:16 -!- takamichi [~pri@94.75.217.250] has joined ##openvpn
08:19 -!- zheng [~zheng@114.92.154.249] has joined ##openvpn
08:36 -!- zheng [~zheng@114.92.154.249] has quit [Quit: Leaving]
08:38 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 248 seconds]
08:47 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 240 seconds]
08:48 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
08:52 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
08:58 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
09:03 < krzie> aka
09:03 < krzie> !forum
09:03 < vpnHelper> krzie: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
09:09 < Chosi> krzie and the triggers :)
09:09 < Chosi> nice name for a band :P
09:29 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Ping timeout: 248 seconds]
09:30 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
09:31 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:44 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
09:46 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: Leaving.]
09:48 -!- ahf [ahf@irssi/staff/ahf] has quit [Quit: Bye]
10:04 -!- chantra [~chantra@ns22757.ovh.net] has quit [Changing host]
10:04 -!- chantra [~chantra@unaffiliated/chantra] has joined ##openvpn
10:09 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
10:19 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
10:19 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
10:29 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
10:31 -!- darkscrypt [~darkscryp@216.162.34.42] has joined ##openvpn
10:31 < darkscrypt> !routed
10:31 < darkscrypt> !route
10:31 < vpnHelper> darkscrypt: Error: "routed" is not a valid command.
10:31 < vpnHelper> darkscrypt: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:53 < kisom> oh wow, i hate dannish people. had to deal with some dannish dude today, and my dannish isn't really at 100%. anyways, he said "seg hai" which means "say hello" in dannish. which i missinterpred as "sieg hail"...
10:55 -!- mape2k [~mape2k@2001:638:904:ffc4:221:86ff:fe98:93a2] has quit [Read error: Operation timed out]
10:58 -!- notbrien_ [~notbrien@2002:d052:dd6:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
10:58 -!- notbrien_ [~notbrien@2002:d052:dd6:0:5ab0:35ff:fe80:9b4b] has quit [Read error: Connection reset by peer]
10:59 -!- notbrien_ [~notbrien@2002:d052:dd6:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
10:59 -!- notbrien_ [~notbrien@2002:d052:dd6:0:5ab0:35ff:fe80:9b4b] has quit [Remote host closed the connection]
11:00 -!- notbrien_ [~notbrien@208.82.13.214] has joined ##openvpn
11:00 -!- notbrien [~notbrien@208.82.13.214] has quit [Ping timeout: 265 seconds]
11:00 -!- notbrien_ is now known as notbrien
11:02 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
11:03 -!- brainbox [~uiyhu@CPE0022b0ccad50-CM00169242a0ee.cpe.net.cable.rogers.com] has joined ##openvpn
11:04 < brainbox> anyone know if anybody has considered creating a port for ChromiumOS ... 
11:04 -!- clyons [~clyons@unaffiliated/clyons] has joined ##openvpn
11:04 < npmccallum> Can I use IPv6 in the --server declaration and IPv4 everywhere else? (assume both client and server support IPv6).  I essentialy want my IPv4 clients to tunnel into a private IPv6 subnet
11:04 < brainbox> would be nice to see openvpn included in google's new OS 
11:05 < krzee> --server doesnt take ipv6
11:05 < krzee> however, there is a testing branch which has ipv6 support
11:05 < krzee> you can try with that if you like
11:05 < krzee> !testing
11:05 < vpnHelper> krzee: "testing" is "snapshots" is (#1) weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn, or (#2) by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch
11:05 < krzee> for the ipv6 options, see #4 here
11:05 < krzee> !ipv6
11:05 < vpnHelper> krzee: "ipv6" is (#1) http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_OpenVPN_Tunnelbroker.php?lang=en to learn how to setup openvpn to be an ipv6 tunnel broker, or (#2) Here are some scripts from the mail list: http://article.gmane.org/gmane.network.openvpn.user/27514 or from a mirror: http://www.ircpimps.org/join-0.8.tar, or (#3) http://www.greenie.net/ipv6/openvpn.html for ipv6 payload patch
11:05 < vpnHelper> krzee: (adds some nice ipv6 options)
11:07 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: Leaving.]
11:07 < npmccallum> thanks
11:12 -!- dazo is now known as dazo_afk
11:13 -!- brainbox [~uiyhu@CPE0022b0ccad50-CM00169242a0ee.cpe.net.cable.rogers.com] has left ##openvpn ["Leaving"]
11:22 < darkscrypt> !logs
11:22 < vpnHelper> darkscrypt: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
11:22 < darkscrypt> !log
11:22 < vpnHelper> darkscrypt: Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
11:23 < darkscrypt> where can i find openvpn log files
11:23 < darkscrypt> can i specify where to send them?
11:23 < darkscrypt> need it for debugging
11:27 < krzee> !logfile
11:27 < vpnHelper> krzee: "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info
11:27 < darkscrypt> sweet
11:42 -!- clyons_ [~clyons@unaffiliated/clyons] has joined ##openvpn
11:44 -!- clyons_ [~clyons@unaffiliated/clyons] has quit [Remote host closed the connection]
11:47 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
11:49 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Client Quit]
11:51 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
11:52 -!- raidz [~Andrew@seance.openvpn.org] has quit [Read error: Connection reset by peer]
11:57 -!- raidz [~Andrew@seance.openvpn.org] has joined ##openvpn
12:01 -!- mode/##openvpn [+o raidz] by ChanServ
12:10 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Quit: No Ping reply in 180 seconds.]
12:10 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
12:18 -!- clyons_ [~clyons@unaffiliated/clyons] has joined ##openvpn
12:20 -!- clyons_ [~clyons@unaffiliated/clyons] has quit [Client Quit]
12:24 -!- mirco [~mirco@p5B23FBDA.dip.t-dialin.net] has quit [Quit: mirco]
12:29 -!- darkscrypt [~darkscryp@216.162.34.42] has quit [Remote host closed the connection]
12:40 -!- mirco [~mirco@p5B23FBDA.dip.t-dialin.net] has joined ##openvpn
12:40 -!- takamichi [~pri@94.75.217.250] has quit [Ping timeout: 260 seconds]
12:41 -!- takamichi [~pri@78.133.37.89] has joined ##openvpn
12:51 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
12:57 -!- darkscrypt [~darkscryp@216.162.34.42] has joined ##openvpn
12:57 < darkscrypt> !route
12:57 < vpnHelper> darkscrypt: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:17 -!- Netsplit *.net <-> *.split quits: crazygir, spiffytech, gorkhaan, networkn, raw_, nat2610
13:17 -!- Netsplit over, joins: networkn
13:18 -!- Netsplit over, joins: spiffytech
13:19 -!- Netsplit over, joins: gorkhaan
13:19 < darkscrypt> I'm having trouble with my routed vpn. 
13:19 < darkscrypt> I have 1 client and 1 server. 
13:19 < darkscrypt> I want the server to route the 192.168.15.0/24 network
13:19 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
13:19 < darkscrypt> i push the 192.168.15.0 network to the client, but I don't see that appear in the client routing table..
13:20 < darkscrypt> I am able to ping the internal openvpn peer from tun0 on both ends
13:20 < darkscrypt> and when i add route 192.168.15.0 to the client config
13:20 < darkscrypt> i am then able to ping 192.168.15.3 which is the servers lan IP address. but I am not able to ping the gateway of that lan which is 192.168.15.254
13:21 < darkscrypt> I added a route to the gateway that says network 10.8.0.0 /24 should go to 192.168.15.3 as the gw and 15.3 should know what to do with it
13:22 -!- crazygir [~jason@li14-82.members.linode.com] has joined ##openvpn
13:22 -!- crazygir is now known as Guest63918
13:24 -!- donavan [~donavan@unaffiliated/donavan] has joined ##openvpn
13:24 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
13:24 -!- nat2610 [~nfelsen@adsl-99-185-243-218.dsl.pltn13.sbcglobal.net] has joined ##openvpn
13:24 -!- raw_ [~raw@chipotle118.server4you.de] has joined ##openvpn
13:24 -!- donavan [~donavan@unaffiliated/donavan] has left ##openvpn []
13:25 < darkscrypt> I have also checked tcpdumps.. say i'm on my client machine
13:25 < darkscrypt> and i send a ping out to 192.168.15.1 (thats another server on the network not a gateway)
13:25 < darkscrypt> it does not even see a request or a ping 
13:25 < darkscrypt> i can see the requests on the actual tun0 interface with tcpdump
13:26 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 276 seconds]
13:30 < darkscrypt> but the requests do not make it over to eth0 on that same machine
13:32 < darkscrypt> might not be forwarding
13:32 < darkscrypt> checking that real quick
13:35 < krzee> ya, make sure to have ip forwarding enabled
13:43 < darkscrypt> still its not pushing the routes
13:43 < darkscrypt> server : push "route 192.168.15.0 255.255.255.0"
13:43 < darkscrypt> does not show up in the client routing table
13:44 < krzee> post the configs?
13:44 < krzee> without comments, like this
13:44 < krzee> !configs
13:44 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
13:46 < darkscrypt> okay 
13:47 < darkscrypt> http://pastebin.com/EY83bT0E
13:47 < darkscrypt> client ^
13:48 < darkscrypt> http://pastebin.com/Ux80wPVj 
13:48 < darkscrypt> server
13:48 < darkscrypt> the gateway for 15.0/24 is 15.254
13:48 < darkscrypt> the actual openvpn server box is running on 15.3/24
13:49 < krzee> you dont have a client or a server
13:49 < krzee> this is a point to point config
13:49 < darkscrypt> okay.
13:49 < krzee> to be able to push settings, put pull in the "client" config
13:49 < krzee> also, you dont HAVE to use push
13:49 < krzee> !push
13:49 < vpnHelper> krzee: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
13:49 < darkscrypt> is a point to point setting okay for what I am trying?
13:49 < krzee> you could always just put the route command in the other config without push
13:50 < krzee> honestly, i have no idea
13:50 < krzee> !goal
13:50 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:50 < darkscrypt> yeah that makes sense.
13:50 < darkscrypt> i would like to be able to access the subnet 192.168.15.0/24  from the client box
13:50 < krzee> you will ONLY want 1 machine to connect to the server?
13:51 < darkscrypt> i eventually want to use that box as a gateway to route traffic through the vpn.. so that many clients can eventually connect
13:51 < krzee> never multiple "clients"?
13:51 < darkscrypt> yes only one client connection
13:51 < krzee> you said eventually many clients
13:51 < darkscrypt> well..no openvpn clients
13:51 < krzee> just set it up as server/client now then
13:51 < krzee> oh
13:51 < krzee> well if you decide to go client/server
13:51 < darkscrypt> its a tunnel..other clients aren't aware of openvpn being used
13:51 < krzee> !confgen
13:51 < vpnHelper> krzee: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
13:52 < krzee> ok so you just mean then lan (not clients) will communicate over the vpn
13:52 < darkscrypt> yes.
13:52 < krzee> sure, point to point can handle that
13:53 < darkscrypt> thats exactly what I am looking for.
13:53 < darkscrypt> let me try real quick and see if the ip_forwarding kernel param helped
13:53 < krzee> where it breaks is if you want more than 1 machine to connect
13:53 < krzee> (to the vpn)
13:53 < darkscrypt> wont be needed though
13:53 < darkscrypt> its 2 individual gateways connecting to one another
13:53 < krzee> you definitely need ip forwarding
13:53 < darkscrypt> i know i do
13:53 < krzee> ok
13:53 < darkscrypt> but i dont' know if thats all i need
13:53 < darkscrypt> and thanks for all your help
13:54 < darkscrypt> i've been reading through all of the documentation you have written today
13:54 < krzee> you're welcome =]
13:54 < krzee> glad to hear you gave it a read (i assume you mean !route)
13:55 < krzee> your case is easier than !route tho, since its just point to point
13:56 < darkscrypt> yeah. 
13:56 < darkscrypt> i'm actually using openvpn for a massive project.
13:56 < darkscrypt> using it as a failover connection
13:57 < darkscrypt> but yeah your documentation was very clear and concise for the most part
13:58 < darkscrypt> i did find a few things that might need some attention
13:58 < darkscrypt> http://www.secure-computing.net/wiki/index.php/Graph
13:58 < vpnHelper> Title: Graph - Secure Computing Wiki (at www.secure-computing.net)
13:58 < darkscrypt> the bottom eth0 of gateway.. should that be 10.10.2.10?
14:06 < krzee> the gateway itself?
14:06 < krzee> very bottom?
14:06 < krzee> or the openvpn server
14:09 -!- xargs [~xargs@69.73.167.236] has quit [Read error: Operation timed out]
14:10 -!- Guest63918 [~jason@li14-82.members.linode.com] has quit [Changing host]
14:10 -!- Guest63918 [~jason@unaffiliated/crazygir] has joined ##openvpn
14:12 -!- xargs [~xargs@69.73.167.236] has joined ##openvpn
14:17 < darkscrypt> the gateway itself in that diagram
14:17 < darkscrypt> i think it has the wrong ip address
14:19 -!- killown [~killown@unaffiliated/killown] has quit [Read error: Connection reset by peer]
14:23 < krzee> it doesnt
14:24 < krzee> .1 is the router, it is correct
14:24 < krzee> .10 is the openvpn server on the lan
14:24 < krzee> (the lan ip of the openvpn server)
14:24 < krzee> so 10.8.0.1 and 10.10.2.10 are the same machine
14:25 < krzee> .1 is its router (gateway)
14:27 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:43 < darkscrypt> oh ok
14:43 < darkscrypt> i just got confused then =P
14:44 < krzee> hey, im just glad you're reading it!
14:44 < krzee> ;]
14:45 < darkscrypt> can i ask you where you work?
14:45 < darkscrypt> i'm interested to know 
14:46 < krzee> nope
15:00 -!- npmccallum [~npmccallu@76.177.255.171] has quit [Quit: Ex-Chat]
15:02 < darkscrypt> lol
15:02 < darkscrypt> sorry if that offended 
15:07 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
15:09 < networkn> are there forums for openvpn?
15:50 < krzie> !forum
15:50 < vpnHelper> krzie: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
15:53 < nat2610> so I'm pushing as a dns 8.8.8.8 (google dns) to the client but when I do nslookup I get DNS request time out ... is it a firewall issue on the server side ? Is it something realted to the ISP ?  My server is a linux and runs 2.0.9 and the client a windows vista and run openvpn.se (latest). 
15:53 < krzie> set the dns manually on the client machine to that IP and check if it works
15:53 < nat2610> I also tried to force it by hadn
15:53 < nat2610> and same result
15:53 < nat2610> it's kind of odd
15:54 < nat2610> and I don't know windows to well
15:54 < nat2610> but I can ping 8.8.8.8
15:54 < krzie> doesnt seem to be windows then
15:54 < krzie> sounds more like an ISP filtering what NS you use
15:54 < nat2610> but when I do nslookup google.com for example, it says server: unkown then DNS request timed out
15:54 < darkscrypt> 8.8.4.4?
15:54 < krzie> does your client redirect-gateway?
15:54 < krzie> !dns
15:54 < vpnHelper> krzie: "dns" is (#1) Level3 open recursive DNS server at 4.2.2.1, or (#2) Google open recursive DNS server at 8.8.8.8
15:55 < nat2610> I tried both
15:55 < krzie> ya that was for darkscrypt 
15:55 < krzie> nat2610, 
15:55 < nat2610> Idid push "dhcp-option DNS 8.8.8.8"
15:55 < krzie> does your client redirect-gateway?
15:55 < darkscrypt> krzie what was for me and why?
15:55 < darkscrypt> 8.8.4.4 is googles other public dns
15:55 < krzie> oh
15:55 < krzie> hah i didnt know that ;]
15:55 < darkscrypt> =P
15:55 < darkscrypt> they have them at 2 different geographic locations
15:56 < nat2610> I have push "redirect-gateway def1"
15:56 < darkscrypt> redundancy type of deal
15:56 < krzie> nat2610, so on the server can you do this:    host ircpimps.org 8.8.8.8
15:56 < krzie> run that
15:56 < darkscrypt> or you could just be a jerk and use one of the root dns servers
15:56 < darkscrypt> =P
15:56 < krzie> !forget dns 2
15:56 < vpnHelper> krzie: Joo got it.
15:56 < darkscrypt> i'm sure people would appreciate that
15:57 < darkscrypt> why did you forget dns 2?
15:57 < krzie> !learn dns as Google open recursive DNS server at 8.8.8.8 / 8.8.4.4
15:57 < vpnHelper> krzie: Joo got it.
15:57 < darkscrypt> oh ok lol
15:57 < krzie> ;]
15:57 < darkscrypt> i've had issues with 8.8.8.8
15:57 < darkscrypt> it gets hit alot more than 4.4
15:57 < nat2610> krzie, what do you mean with host ircpimps.org 8.8.8.8
15:57 < krzie> im so used to 4.2.2.1 that ive never used 8.8.8.8
15:57 < darkscrypt> also we run a small isp here where i work 216.162.32.20 and 216.162.47.250 are free to use
15:57 < krzie> nat2610, command to run on the linux server
15:58 < darkscrypt> atl ga
15:58 < nat2610> http://pastie.org/991144
15:59 < nat2610> krzie, ^
16:00 < krzie> hrm
16:00 < krzie> and what did you to do set it on the client by hand?
16:01 < krzie> also, after connecting to the vpn, can the client ping 72.14.253.104 ?
16:03 < networkn> krzee: still can't work out why I can't see this adapter when I do an ipconfig in a command prompt but CAN see it in network control panel > connections
16:04 < krzie> i dunno im not much of a windows guy
16:05 < nat2610> krzie, http://pastie.org/991157 for the client conf
16:06 < krzie> networkn, but that doesnt really matter
16:06 < krzie> i mean
16:07 < krzie> when you set the DNS on the client by hand after connecting
16:07 < krzie> how did you do it, through control panel?
16:07 < krzie> ^ @ nat2610 
16:07 < nat2610> yeah through the network panel, right click on the interface then tcp/ip .. -> dns primary
16:08 < krzie> after connecting to the vpn, can the client ping 72.14.253.104 ?
16:08 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:08 < nat2610> krzie, yeah it's working
16:08 < nat2610> all the ip resolving is fine
16:09 < nat2610> it's really only the DNS that isn't working eyt
16:09 < nat2610> yet
16:10 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
16:10 < nat2610> is there a way to simulate the equivalent of  host ircpimps.org 8.8.8.8
16:10 < nat2610> in a vista machine ? 
16:11 < krzie> dunno
16:11 < krzie> which interface did you set DNS on?
16:11 < krzie> (when you did it manually)
16:13 < nat2610> krzie, for now both the physical ethernet adapter and the TAP-win32
16:13 < krzie> you dont need to do it on the vpn interface
16:13 < krzie> !pushdns
16:13 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
16:14 < krzie> did you see the windows stuff talked about on that thread?
16:14 < krzie> net stop dnscache
16:14 < krzie> net start dnscache
16:14 < krzie> then try again?
16:18 < nat2610> krzie, I have the feeling that my problem is that the dns server can't be reach to resolve dsn request not so much that's not using it 
16:18 < nat2610> is there anything I can try in the firewall configuration on the server side ?
16:19 < krzie> you told me you could ping it
16:21 < nat2610> krzie, yes
16:21 < nat2610> but does that mean that I can do dns request ?
16:21 < nat2610> isn't it a different port
16:21 < nat2610> that icmp 
16:22 < nat2610> I'm thinking the dns server might refuse the request coming from tun0 toward the port 53
16:23 < krzie> but you use NAT
16:23 < krzie> its not coming from tun0 ip after the NAT
16:23 < krzie> all that stuff is good, proven by the ping working
16:24 < krzie> unless you're blocking it in the firewall, you should be sending the packets out
16:25 < nat2610> that's my fw rules http://pastie.org/991176
16:26 < nat2610> maybe I shoud add something in the forward ? 
16:27 < krzie> its set to accept all
16:27 < krzie> oh wait
16:27 < krzie> no its not
16:28 < krzie> err, maybe it is
16:28 < krzie> ive never personally used iptables, im not sure what order to understand rules
16:28 < krzie> ipfw style or pf style
16:29 < krzie> i dont see a MASQUERADE rule
16:30 < nat2610> krzie, I have it (the masquerade
16:30 < krzie> you said you can ping 8.8.8.8 after connecting to the VPN
16:30 < nat2610> )
16:30 < krzie> ok
16:30 < nat2610> krzie, yes I can ping everything
16:30 < nat2610> (I mean every ip that I would normally be able to ping of course) 
16:30 < krzie> did the dnscache commands i gave you help?
16:31 < nat2610> krzie, no ... but I realized by playing the nslookup
16:31 < nat2610> that it's contacting 8.8.8.8 but time out 
16:31 < krzie> huh?
16:31 < krzie> oh
16:31 < krzie> but you did run those commands, right?
16:31 < nat2610> so the configuration is probably ok on openvpn side 
16:31 < nat2610> krzie, right
16:32 < nat2610> but that didn't change anything
16:32 < krzie> did you try
16:32 < krzie> !iptables
16:32 < vpnHelper> krzie: "iptables" is (#1) o test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT;, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-
16:32 < vpnHelper> krzie: computing.net/wiki/index.php/OpenVPN/Firewall
16:32 < krzie> with just your NAT rule
16:33 < krzie> to test if its firewall
16:36 -!- Lenhix [~lenho@190.146.247.120] has joined ##openvpn
16:36 < Lenhix> Hello!! How can I force a client to always get the same IP?
16:36 < krzie> !static
16:36 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
16:36 < krzie> !ccd
16:36 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
16:39 < Lenhix> wow
16:39 < Lenhix> wait, too much at a time
16:39 < krzie> read it at your own pace ;]
16:39 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 276 seconds]
16:44 < Lenhix> I guess I'll be back tonight tomorrow to bother you further :P
16:44 < Lenhix> now, i gotta go
16:44 -!- Lenhix [~lenho@190.146.247.120] has quit [Quit: Mindwall!!]
16:44 < nat2610> I just found ! 
16:45 < nat2610> that was the forward that was wrong
16:45 < nat2610> not wrong ... never set :) 
16:45 < nat2610> FYI ... I just had to do iptables -I FORWARD -i tun0 -o eth0 -j ACCEPT 
16:49 < krzie> ahh werd
16:51 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
16:53 < krzie> bbl
16:54 < julius> I hate that forwarding requires an explicit accept rule instead of just matching the policy…
17:05  * Bushmills 's FORWARD chain on vpn server and masquerading gateway is empty 
17:06 < julius> o.O
17:06 < julius> weird
17:06 < julius> I'm quite sure that was the reason for my system to not route traffic once…
17:06 < Bushmills> you may have forgotten to add a NAT rule
17:07 < julius> uh - I'm fairly sure I did
17:44 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Quit: ZNC - http://znc.sourceforge.net]
17:45 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:47 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
17:52 -!- stoned [~efnet@27.9.202.62.fix.bluewin.ch] has joined ##openvpn
17:53 -!- stoned is now known as Guest37002
17:53 -!- g0tcha [~efnet@27.9.202.62.fix.bluewin.ch] has quit [Ping timeout: 260 seconds]
18:26 -!- killown [~killown@189.110.193.152] has joined ##openvpn
18:26 -!- killown [~killown@189.110.193.152] has quit [Changing host]
18:26 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
18:26 -!- killown [~killown@unaffiliated/killown] has quit [Changing host]
18:26 -!- killown [~killown@unaffiliated/geek] has joined ##openvpn
18:36 -!- Guest37002 is now known as g0tcha
18:46 -!- killown [~killown@unaffiliated/geek] has quit [Ping timeout: 265 seconds]
18:55 -!- tjz [~pc@bb116-14-142-112.singnet.com.sg] has joined ##openvpn
18:55 -!- tjz [~pc@bb116-14-142-112.singnet.com.sg] has quit [Changing host]
18:55 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
19:10 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
19:24 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
19:31 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
19:45 -!- timburke [tim@ip197.67-202-95.static.steadfast.net] has quit [Quit: Leaving]
20:21 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
20:31 -!- nat2610 [~nfelsen@adsl-99-185-243-218.dsl.pltn13.sbcglobal.net] has quit [Ping timeout: 240 seconds]
20:33 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
20:45 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
20:47 -!- nat2610 [~nfelsen@adsl-99-185-243-218.dsl.pltn13.sbcglobal.net] has joined ##openvpn
21:17 -!- rosscav [~ross@p10173-ipngn501marunouchi.tokyo.ocn.ne.jp] has joined ##openvpn
21:35 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has quit [Ping timeout: 240 seconds]
21:43 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has joined ##openvpn
22:35 -!- networkn [networkn@smtp.sapphiresolutions.co.nz] has quit [Ping timeout: 264 seconds]
22:35 -!- networkn [networkn@smtp.sapphiresolutions.co.nz] has joined ##openvpn
22:41 -!- Abhishek_Singh [~Abhishek@220.225.244.114] has quit [Ping timeout: 264 seconds]
22:53 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has joined ##openvpn
23:25 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
23:29 -!- glguy [~emertens@pool-71-111-48-245.ptldor.dsl-w.verizon.net] has joined ##openvpn
23:32 -!- glguy_ [~emertens@pool-71-111-48-245.ptldor.dsl-w.verizon.net] has joined ##openvpn
23:32 -!- glguy_ [~emertens@pool-71-111-48-245.ptldor.dsl-w.verizon.net] has quit [Changing host]
23:32 -!- glguy_ [~emertens@unaffiliated/glguy] has joined ##openvpn
23:35 -!- glguy [~emertens@pool-71-111-48-245.ptldor.dsl-w.verizon.net] has quit [Disconnected by services]
23:35 -!- glguy_ is now known as glguy
23:51 -!- glguy [~emertens@unaffiliated/glguy] has quit [Quit: glguy]
--- Day changed Fri Jun 04 2010
00:01 -!- glguy [~emertens@unaffiliated/glguy] has joined ##openvpn
00:23 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 248 seconds]
00:47 -!- mirco [~mirco@p5B23FBDA.dip.t-dialin.net] has quit [Quit: mirco]
00:51 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
00:55 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
01:04 < T1w> I know I'm repeating myself, but I'm going to try again..
01:04 < T1w> has anyone done some performancetests over high speed low latency networks - ie. between 2 GBit internet connections?
01:04 < T1w> I have been unable to locate anything other than performancetests over ADSL-type connections
01:06 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:06 -!- mode/##openvpn [+o mattock] by ChanServ
01:14 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
01:18 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:34 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
01:36 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
01:38 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Remote host closed the connection]
01:44 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
02:03 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
02:04 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
02:07 < kisom> T1w: OpenVPN does not add much latency in my tests. Haven't tried it on 2Gbit but usually its less than 1ms latency
02:09 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
02:12 < T1w> kisom: I think youre misunderstanding - it's not a question about added latency - it's question of resulting bandwidth
02:12 < T1w> what will be first the limiting factor, CPU or the line?
02:14 < kisom> on 2 Gbit? Probably CPI
02:14 < kisom> CPU
02:14 < kisom> run this on your server: "openssl speed aes"
02:15 < kisom> you may also want to try ciphers such as bf and rc4
02:15 < kisom> rc4 is the fastest one i believe
02:16 < kisom> my 1.6 GHz atom based server does 120 mbytes RC4 per second
02:25 < kisom> 19 Mbyte per second when using AES-256 :)
02:26 < T1w> hm, what's not such a bad idea.. :)
02:26 < kisom> or you could ju turn of encryption
02:27 < T1w> yeah, but as it's over public networks, I'd really like to encrypt it
02:28 < kisom> try using AES 128bit
02:28 < kisom> if that's too slow, go for blowfish or RC4
02:29 < T1w> waiting for results.. 
02:29 < T1w> http://pastebin.com/bYtAVC4t
02:30 < kisom> about 80 mbyte per second then
02:30 < T1w> at least clientside
02:31 < T1w> + on
02:31 < T1w> but it's serverside, that's goind to be sending it
02:31 < kisom> yes but both server and client needs to be equally fast :)
02:31 < T1w> but okay - 128bit is not bad
02:31 < kisom> as the client needs to decrypt it
02:31 < T1w> yeah - and the server is the limiting factor here
02:31 < T1w> the client wont have a problem keeping up
02:32 < kisom> are you going to use just one client and one server?
02:32 < T1w> (hardware-wise the server is smaller than the client anyway)
02:32 < T1w> at the moment, yes - but other clients may be added
02:33 < kisom> OK
02:33 < kisom> well
02:33 < T1w> the server is really a gatewaymachine for other servers behind it, that just know to route data through the server to reach the client
02:33 < T1w> the client is the backupserver
02:33 < kisom> if you're really going for 2 Gbit connections then you probably will need some more high-end hardware
02:34 < T1w> well.. 1GBIt in each end
02:34 < kisom> OK
02:34  * hyper_ch wonders what people need 2 gbit connections for
02:35 < kisom> hyper_ch: my personal server is on gigabit internet fibre
02:35 < T1w> and if I change encryption to 128bit aes the server could still handle ~60MB/s
02:35 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:35 < kisom> T1w: do openssl speed rc4
02:35 < T1w> well.. I've got ~400+GB data to back up
02:35 < hyper_ch> kisom: how much do you pay for it?
02:35 < T1w> kisom: hang on..
02:35 < kisom> hyper_ch: in USD? maybe 40 a month
02:35 < kisom> no caps or limits
02:35 < hyper_ch> kisom: where?
02:35 < kisom> sweden
02:36 < T1w> and 60MB/s over a 1GBit connection is not that bad
02:36 < hyper_ch> but there are no data centers that offer dedi servers at that connection, right?
02:36 < kisom> i dont know, i have it at my apartment
02:36 < hyper_ch> Swedes are lucky bastards :)
02:37 < T1w> http://pastebin.com/jCb9923z
02:37 < T1w> I just have it in my datacenter
02:37 < hyper_ch> crappy 15mbit down/1mbit up here :(
02:37 < T1w> but then again - it's got 40GBit connecitivy there
02:37 < T1w> connectivity even
02:37 < kisom> T1w: 180 mbyte/sec with rc4 then
02:38 < T1w> (damn, my typing it really bad today)
02:38 < kisom> you may want to read up on RC4 tho
02:38 < kisom> its not recommended for any new crypto implementations today
02:38 < T1w> I know
02:38 < kisom> it has a weak scheduler, etc etc
02:38 < kisom> but it still takes a shitload of work to crack
02:38 < kisom> never heard of it being cracked.
02:38 < T1w> hm.. that's strange..
02:39 < T1w> the client (more cpu's and a lot more powerful than the server) is way way slower on rc4 than the server
02:39 < kisom> send a mail to bruce schneier and ask ;)
02:39 < kisom> oh well
02:39 < T1w> heh
02:39 < kisom> you can always add more servers in the future.
02:40 < T1w> well.. I'm sure I could find out other places than bugging him
02:40 < hyper_ch> he likes to be bugged
02:40 < hyper_ch> especially at airports
02:40 < kisom> bruce cant be bugged
02:40 < kisom> its not physically possible
02:40 < hyper_ch> http://www.schneierfacts.com/
02:40 < vpnHelper> Title: Bruce Schneier Facts (at www.schneierfacts.com)
02:41 -!- dazo_afk is now known as dazo
02:41 < kisom> bleh
02:42 < kisom> i use my own crypto
02:42 < kisom> in combination with AES256-CBC
02:42 < kisom> if either gets broken, the other one should still be fine
02:44 < T1w> ah, it makes sense now - openssl is more dependant on single core frequencies than having multiple cores
02:44 < kisom> yes
02:44 < kisom> openvpn as well.
02:44 < T1w> yup
02:44 < kisom> runs on single core
02:44 < T1w> 3GHz vs. 2,27GHz
02:44 < kisom> you can however run multiple instances of it and have clients load balance
02:45 < T1w> too much hassle
02:45 < T1w> but at least I got a general idea of what kind of performance I might expect
02:46 < T1w> 6102 vs 4521 BogoMIPS as dmesg says
02:47 < T1w> thanks kisom 
02:47 < kisom> yeah crypto takes CPU :)
02:47 < kisom> np
02:47 < T1w> oooooh yeah
02:47 -!- BoomSie [~gideon@dw77242112238.amsterdam-tc.dataweb.net] has joined ##openvpn
02:49 < T1w> it would be cool to see if a soekris vpn1401/1411 would outperform
02:50 < T1w> mote likely would as it's rated as "128/192/256 AES, DES, 3-DES and RC4 at 210 to 460 Mbps"
03:03 < kisom> i love my x100e
03:03 < kisom> mutes the audio when i accedently unplug my headset
03:03 < kisom> = no wierd office situations
03:07 -!- glguy [~emertens@unaffiliated/glguy] has quit [Quit: glguy]
03:13 < T1w> not a problem here - got my own office.. ;)
03:14 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Read error: Connection reset by peer]
03:15 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:40 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 265 seconds]
04:02 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
04:29 -!- corretico_ [~laguilar@201.201.46.106] has joined ##openvpn
04:31 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 240 seconds]
04:31 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Read error: Connection reset by peer]
04:32 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
04:33 -!- corretico__ [~laguilar@201.201.46.106] has joined ##openvpn
04:36 -!- corretico_ [~laguilar@201.201.46.106] has quit [Ping timeout: 245 seconds]
04:37 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
04:43 -!- ultramage [umage@kurobara.netvor.sk] has joined ##openvpn
04:44 < ultramage> hello, when windows hibernates and then resumes, the server instance will attempt to re-bind before networking comes up, resulting in an error and application exit with no retries... can this be fixed?
04:47 -!- SkyX [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
04:47 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
04:53 -!- corretico_ [~laguilar@201.201.46.106] has joined ##openvpn
04:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:56 -!- corretico__ [~laguilar@201.201.46.106] has quit [Ping timeout: 240 seconds]
04:56 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 240 seconds]
05:01 < T1w> disconnect before hibernation seems obvious?
05:02 < ultramage> huh, what?
05:03 < ultramage> no, the point being that openvpn has an automated rebind mechanism, as in it's actively trying to handle the situation - and failing.
05:03 < ultramage> also, it exits after a single failed attempt :/
05:03 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: Leaving.]
05:04 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
05:15 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
05:17 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
05:20 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has quit [Ping timeout: 240 seconds]
05:25 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has joined ##openvpn
05:28 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
05:28 -!- mode/##openvpn [+o mattock] by ChanServ
05:29 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Client Quit]
05:33 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
05:33 < networkn> krzee: do forum posts require approval?
05:41 -!- corretico__ [~laguilar@201.201.46.106] has joined ##openvpn
05:43 -!- corretico_ [~laguilar@201.201.46.106] has quit [Ping timeout: 240 seconds]
05:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:05 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 248 seconds]
06:17 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
06:18 -!- takamichi [~pri@78.133.37.89] has quit [Ping timeout: 248 seconds]
06:18 -!- takamichi [~pri@94.75.217.251] has joined ##openvpn
06:19 -!- corretico__ [~laguilar@201.201.46.106] has quit [Ping timeout: 245 seconds]
06:31 -!- corretico_ [~laguilar@201.201.46.106] has joined ##openvpn
06:34 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 252 seconds]
06:39 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
06:42 -!- corretico_ [~laguilar@201.201.46.106] has quit [Ping timeout: 258 seconds]
07:02 -!- corretico_ [~laguilar@201.201.46.106] has joined ##openvpn
07:04 -!- corretico__ [~laguilar@201.201.46.106] has joined ##openvpn
07:04 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 258 seconds]
07:07 -!- corretico_ [~laguilar@201.201.46.106] has quit [Ping timeout: 265 seconds]
07:08 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
07:10 -!- corretico__ [~laguilar@201.201.46.106] has quit [Ping timeout: 272 seconds]
07:12 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
07:13 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
07:23 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 240 seconds]
07:25 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
07:27 -!- corretico_ [~laguilar@201.201.46.106] has joined ##openvpn
07:31 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 260 seconds]
07:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Max SendQ exceeded]
08:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
08:16 -!- corretico__ [~laguilar@201.201.46.106] has joined ##openvpn
08:20 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 248 seconds]
08:20 -!- corretico_ [~laguilar@201.201.46.106] has quit [Ping timeout: 264 seconds]
08:21 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
08:22 -!- takamichi [~pri@94.75.217.251] has quit [Ping timeout: 252 seconds]
08:23 -!- takamichi [~pri@78.133.37.89] has joined ##openvpn
08:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:33 -!- corretico_ [~laguilar@201.201.46.106] has joined ##openvpn
08:36 -!- corretico__ [~laguilar@201.201.46.106] has quit [Ping timeout: 248 seconds]
08:38 -!- corretico_ [~laguilar@201.201.46.106] has quit [Ping timeout: 264 seconds]
08:45 -!- NinjaScroller11 [~kaveshn@dsl-246-60-90.telkomadsl.co.za] has joined ##openvpn
08:45 < NinjaScroller11> !welcome
08:45 < vpnHelper> NinjaScroller11: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:46 -!- NinjaScroller11 [~kaveshn@dsl-246-60-90.telkomadsl.co.za] has left ##openvpn []
08:58 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
09:00 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
09:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
09:02 < Chosi> !configs
09:02 < vpnHelper> Chosi: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
09:03 < Chosi> !sample
09:03 < vpnHelper> Chosi: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
09:11 < kisom> oh i want to graduate once again
09:31 -!- ultramage [umage@kurobara.netvor.sk] has left ##openvpn []
09:31 -!- BoomSie [~gideon@dw77242112238.amsterdam-tc.dataweb.net] has quit [Quit: Ex-Chat]
09:31 -!- kisom [~kisom@c-f9dde155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Ping timeout: 276 seconds]
09:32 < Chosi> Bushmills?
09:32 < Chosi> any way to get more verbose output of this? :
09:32 < Chosi> Connection reset, restarting [-1]
09:32 < Chosi> SIGUSR1[soft,connection-reset] received, client-instance restarting
09:33 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
09:35 < Bushmills> try   verb 5
09:35 < Bushmills> or verb 10 even
09:36 < Alphanaut> i anyone know the flag to disable the balloon popup in the ovpn gui?
09:36 < Alphanaut> er, -i
09:36 < Chosi> verb 5 doesn't show more
09:36 < Alphanaut> disregard, found it
09:36 < Chosi> only the reads and writes
09:39 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Ping timeout: 276 seconds]
09:39 < Chosi> Bushmills: does verb 10 exist? :D
09:40 < Bushmills> goes up to 11, iirc
09:40 < Bushmills> !verb
09:40 < vpnHelper> Bushmills: "verb" is (#1) verb command is for setting log verbosity, see --verb in the manual (!man) for more info, or (#2) verb 5 is good for debugging, verb 3 is good for normal usage
09:40 < Chosi> !man
09:40 < vpnHelper> Chosi: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
09:41 < Chosi> yup 11 is max
09:43 < Chosi> any way to apply verb 11 without restarting?
09:43 < Chosi> :)
09:46 < Chosi> too bad i don't have the management console enabled
09:48 -!- Alphanaut [~Alphanaut@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Quit: ChatZilla 0.9.86-2010031920 [Firefox 3.6.3/20100401080539]]
09:48 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 240 seconds]
09:49 < Chosi> eww 10 and 11 is a LOT of debug info :D
10:05 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has quit [Ping timeout: 260 seconds]
10:16 -!- nickanderson [~cmdln@17.29.124.24.cm.sunflower.com] has joined ##openvpn
10:20 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
10:36 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
10:44 -!- mirco [~mirco@p5B23CE42.dip.t-dialin.net] has joined ##openvpn
10:46 -!- mirco [~mirco@p5B23CE42.dip.t-dialin.net] has quit [Client Quit]
10:46 -!- mirco [~mirco@p5B23CE42.dip.t-dialin.net] has joined ##openvpn
10:58 -!- corretico [~laguilar@201.201.46.106] has quit [Quit: Leaving]
10:58 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 248 seconds]
11:08 -!- IceD^ [~iced@live.bn.by] has joined ##openvpn
11:08 < IceD^> heya
11:08 < IceD^> got a problem
11:09 < IceD^> my friend is using the same vpn server as me
11:09 < |Mike|> that's your problem then :0
11:09 < |Mike|> :P
11:09 < IceD^> he got his own keys
11:09 < IceD^> and see following in the log
11:09 < IceD^> http://pastebin.ca/1877323
11:09 < IceD^> I copied his configs to my box - works like a charm
11:09 < IceD^> what can be a problem?!
11:10 < |Mike|> 1) read the error please
11:10 < |Mike|> 2) don't copy over keys
11:10 < |Mike|> 3) see 1
11:10 < IceD^> 1) thank you :)
11:10 < |Mike|> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
11:10 < IceD^> yes
11:11 < IceD^> why the same (config, certs, key - all his) works on my box
11:11 < |Mike|> can the openvpn daemon read the certs etc?
11:12 < IceD^> checking
11:18 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has joined ##openvpn
11:20 < IceD^> looks like access rights are OK
11:21 < IceD^> as when he removes read permissions - he is getting "Cannot load certificate file" in log
11:22 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
11:25 < Chosi> dammit
11:26 < Chosi> Bushmills i just went through a 200meg logfile
11:26 < Chosi> only to read the same output ;D
11:26 < Bushmills> on both server and client?
11:28 < Chosi> i think i'll let the clients use verb 5 too
11:28 < Chosi> let's see
11:30 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
11:32 -!- darkscrypt [~darkscryp@216.162.34.42] has quit [Read error: Connection reset by peer]
11:33 -!- darkscrypt [~darkscryp@216.162.34.42] has joined ##openvpn
11:33 < Chosi> i guess you can't read anything from what i pasted you bushmills, right? :)
11:38 -!- kisom [~kisom@c-f9dde155.648-1-64736c11.cust.bredbandsbolaget.se] has joined ##openvpn
11:42 -!- IceD^ [~iced@live.bn.by] has quit [Remote host closed the connection]
11:44 -!- kisom [~kisom@c-f9dde155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Remote host closed the connection]
11:45 -!- nat2610 [~nfelsen@adsl-99-185-243-218.dsl.pltn13.sbcglobal.net] has quit [Ping timeout: 264 seconds]
11:57 -!- rosscav [~ross@p10173-ipngn501marunouchi.tokyo.ocn.ne.jp] has quit [Quit: rosscav]
12:15 -!- glguy [~emertens@unaffiliated/glguy] has joined ##openvpn
12:17 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has quit [Read error: Connection reset by peer]
12:22 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
12:29 -!- mirco [~mirco@p5B23CE42.dip.t-dialin.net] has quit [Quit: mirco]
12:30 -!- mirco [~mirco@p5B23CE42.dip.t-dialin.net] has joined ##openvpn
12:32 -!- mirco_ [~mirco@p5B23CE42.dip.t-dialin.net] has joined ##openvpn
12:35 -!- mirco [~mirco@p5B23CE42.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
12:35 -!- mirco_ is now known as mirco
12:38 -!- dazo is now known as dazo_afk
12:38 -!- mirco [~mirco@p5B23CE42.dip.t-dialin.net] has quit [Quit: mirco]
13:17 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: Leaving.]
13:17 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
13:22 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Ping timeout: 272 seconds]
13:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:38 -!- Abhishek_Singh [~Abhishek@220.225.244.114] has joined ##openvpn
13:41 < Chosi> Bushmills: nothing in the client log either :(
13:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
14:03 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
14:03 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 260 seconds]
14:04 < Omegadarkest> ok i got a dumb one, using vmplayer and vmware image, all is working i can hit the web ui and get to the login on the vm but i didnt set a user/pass so what do i use to log into the web ui with xD
14:05 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
14:09 < nickanderson> Are there any good out of the box little SOHO nat routers that would work well as an openvpn client ?
14:11 -!- KaiForce [~chatzilla@adsl-70-228-114-90.dsl.akrnoh.ameritech.net] has joined ##openvpn
14:13 -!- Abhishek_Singh [~Abhishek@220.225.244.114] has quit [Quit: Ex-Chat]
14:14 -!- Abhishek_Singh [~Abhishek@220.225.244.114] has joined ##openvpn
14:18 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Ping timeout: 260 seconds]
14:19 < Bushmills> nickanderson: i'm using a relatively low cost tp-link wr1043nd, and reflashed it with openwrt
14:20 < nickanderson> Yeah, I dont mind re-flashing but the boss wants something out of the box
14:20 < nickanderson> though i still havent gotten my dd-wrt vpn flashed linksys routing working right as an openvpn client
14:20 < Bushmills> http://wiki.openwrt.org/toh/tp-link/tl-wr1043nd  this box
14:22 < nickanderson> yeh, he is also going to want a gui ;)
14:22 < Bushmills> well, i also don't mind reflashing, obviously.
14:23 < Bushmills> if your problem want a router with openvpn preinstalled, that's his problem :)
14:23 < Bushmills> if your boss, i mean
14:23 < nickanderson> heh
14:23 < nickanderson> stuff rolls downhill
14:23 < Bushmills> liquid helium climbs
14:25 < Bushmills> personally I think, if somebody needs a GUI for VPN setup/administration, he better outsources the task
14:25 < Bushmills> (of setup and admin)
14:26 < nickanderson> eh, it is what it is
14:26 < nickanderson> hes just wanting a device to throw in place at home
14:26 < nickanderson> plenty of other options, just not what he wants  :)
14:26 < Bushmills> you may quote me and he can't fire me.
15:04 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
15:40 -!- Otacon22 [~otacon22@93-36-92-0.ip59.fastwebnet.it] has joined ##openvpn
15:40 < Otacon22> Hi
15:40 < Otacon22> I have a vpn server and client
15:40 < Otacon22> wich work in TCP
15:40 < Otacon22> if i change proto to UDP nothing still work
15:40 < Otacon22> the client does not connect
15:41 < Otacon22> and the "Expected Remote Options hash" is different from the local one
15:41 < Otacon22> i don't have firewall problems about UDP
15:41 < Otacon22> so i don't understand where could be the problem
15:42 < Otacon22> just changing the protocol..
15:47 < Otacon22> anyone there?
15:48 -!- KaiForce [~chatzilla@adsl-70-228-114-90.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
16:05 -!- Otacon22 [~otacon22@93-36-92-0.ip59.fastwebnet.it] has left ##openvpn ["Part"]
16:18 -!- nickanderson [~cmdln@17.29.124.24.cm.sunflower.com] has left ##openvpn []
16:19 -!- Kyle__ [~kschmitt@173-165-60-19-Illinois.hfc.comcastbusiness.net] has joined ##openvpn
16:27 < Bushmills> did you change proto to udp on both client and server?
16:39 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
16:40 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
16:40 -!- darkscrypt [~darkscryp@216.162.34.42] has quit [Ping timeout: 240 seconds]
16:41 -!- darkscrypt [~darkscryp@216.162.34.42] has joined ##openvpn
16:47 < Kyle__> In the server.conf file, on the ifconfig line, the first IP is the ip of the nic, the second is, the network IP?  Broadcast?
16:48 < Kyle__> Or is it just a different IP used for traffic?
16:56 -!- darkscrypt_ [~darkscryp@216.162.34.42] has joined ##openvpn
16:58 -!- darkscrypt [~darkscryp@216.162.34.42] has quit [Ping timeout: 258 seconds]
17:01  * Kyle__ shurgs
17:01 -!- Kyle__ [~kschmitt@173-165-60-19-Illinois.hfc.comcastbusiness.net] has quit [Quit: leaving]
17:01 -!- gallatin [~gallatin@188.109.157.161] has joined ##openvpn
17:03 -!- gallatin [~gallatin@188.109.157.161] has quit [Client Quit]
17:04 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 260 seconds]
17:05 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
17:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
17:19 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 272 seconds]
17:20 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
17:50 -!- demiurgen [~demiurgen@nl103-154-253.student.uu.se] has quit [Remote host closed the connection]
18:18 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 248 seconds]
18:18 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
18:24 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Excess Flood]
18:25 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
19:24 -!- krzie [nobody@unaffiliated/krzee] has quit [Ping timeout: 240 seconds]
19:40 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:00 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
20:04 -!- glguy [~emertens@unaffiliated/glguy] has quit [Quit: glguy]
20:20 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
21:28 -!- zheng [~zheng@114.92.154.249] has joined ##openvpn
22:04 -!- Abhishek_Singh [~Abhishek@220.225.244.114] has quit [Read error: Operation timed out]
22:12 -!- onats [~onats@unaffiliated/onats] has joined ##openvpn
22:34 -!- Abhishek_Singh [~Abhishek@220.225.244.114] has joined ##openvpn
22:43 -!- zheng [~zheng@114.92.154.249] has quit [Quit: Leaving]
23:27 -!- glguy [~emertens@unaffiliated/glguy] has joined ##openvpn
--- Day changed Sat Jun 05 2010
01:19 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
01:32 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 276 seconds]
01:41 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
01:42 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Read error: Connection reset by peer]
01:57 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 272 seconds]
02:10 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 264 seconds]
02:23 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
02:52 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
02:52 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
02:57 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Ping timeout: 276 seconds]
03:02 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Excess Flood]
03:09 -!- mape2k [~mape2k@p5B28691D.dip.t-dialin.net] has joined ##openvpn
03:11 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
03:32 -!- glguy [~emertens@unaffiliated/glguy] has quit [Quit: glguy]
03:35 -!- glguy [~emertens@unaffiliated/glguy] has joined ##openvpn
03:36 -!- glguy [~emertens@unaffiliated/glguy] has quit [Client Quit]
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:43 -!- mape2k [~mape2k@p5B28691D.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
03:49 -!- takamichi [~pri@78.133.37.89] has quit []
03:54 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
04:01 -!- takamichi [~pri@78.133.37.89] has joined ##openvpn
04:05 -!- fluvvell [~barryc@port166-72.ubs.maxnet.net.nz] has quit [Ping timeout: 240 seconds]
04:14 -!- fluvvell [~barryc@port166-72.ubs.maxnet.net.nz] has joined ##openvpn
04:20 < krzie> !certverify
04:20 < vpnHelper> krzie: "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
04:20 < krzie> !certinfo
04:20 < vpnHelper> krzie: "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
04:25 < hyper_ch> hi krzie
04:26 < krzie> hey man
04:26 < krzie> how ya doin
04:27 < hyper_ch> krzie: trying to get freeswitch to work properly
04:27 < krzie> werd
04:27 < hyper_ch> krzie: but with a softphone I can't get any connection
04:28 < krzie> dont even register?
04:28 < hyper_ch> or could the vpn tunnel be a problem?
04:28 < hyper_ch> yes, can't even register
04:28 < krzie> is freeswitch listenin on vpn ip...?
04:29 < hyper_ch> no clue :)
04:29 < krzie> freebsd?
04:29 < hyper_ch> ah, freebsd is for kids... real men use debian stable :)
04:29 < krzie> real men know how to see what their servers are bound to :-p
04:30 < hyper_ch> where's your sense for adventure - you know the one that real men have ;)
04:30 < hyper_ch> just employ enough brute force until it works :)
04:30 < krzie> netstat -l
04:30 < krzie> sockstat -l4 would be cleaner, but freebsd
04:31 < krzie> im gunna crash
04:31 < krzie> nite
04:31 < hyper_ch> bye bye
04:38 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
05:31 -!- kisom [~kisom@c-f9dde155.648-1-64736c11.cust.bredbandsbolaget.se] has joined ##openvpn
05:34 -!- onats [~onats@unaffiliated/onats] has quit [Read error: Connection reset by peer]
05:35 -!- onats [~onats@unaffiliated/onats] has joined ##openvpn
05:38 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:53 < Bushmills> !firewall
05:53 < vpnHelper> Bushmills: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
05:54 < Bushmills> ^^^ hyper_ch :D
05:54 < hyper_ch> hi Bushmills
05:54 < Bushmills> SIP?  5060, 5061 open?
05:54 < hyper_ch> if you play with firewalls you can get yourself burnt :)
05:54 < hyper_ch> the problem seems to be with kphone
05:54 < hyper_ch> with linphone it just worked
05:56 < Bushmills> i got me a PAP2 a while ago - was tired of needing the computer for phone calls
05:56 < hyper_ch> Bushmills: well, setting it up for a small business :)
05:57 < kraut> moin
05:57 < Bushmills> ekiga worked for me then
05:58 < hyper_ch> ekiga uses gnome
05:58 -!- mape2k [~mape2k@p5B28447D.dip.t-dialin.net] has joined ##openvpn
05:59 < hyper_ch> and we all know how evil gnome is ;)
06:00 -!- takamichi [~pri@78.133.37.89] has quit []
06:04 < Bushmills> i thought that's what they say about programs with "k" as first letter
06:12 -!- Abhishek_Singh [~Abhishek@220.225.244.114] has quit [Quit: Ex-Chat]
06:15 -!- takamichi [~pri@78.133.37.89] has joined ##openvpn
06:32 < Bushmills> hyper_ch: btw, here's the list of ekiga depencies - you'll notice that the deps on gnome stuff are rather limited: http://scarydevilmonastery.net/snap/1275737500210139182d.png
06:32 < Bushmills> dependencies...
06:33 < Bushmills> atk and avahi is a bit of a bummer
06:33 < hyper_ch> Bushmills: http://www.pastebin.org/309016
06:34 < hyper_ch> there's a lot to be installed
06:34 < hyper_ch> evolution, gvfs, ....
06:35 < Bushmills> you may want to turn off autoinstallation of suggested packages 
06:36 < hyper_ch> suggested packages won't get auto-installed
06:36 < hyper_ch> line 6-13 are the required dependencies
06:46 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has joined ##openvpn
06:56 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 248 seconds]
06:59 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
07:14 < Bushmills> but on your screenshot it lists packages about to be installed which show only under "suggested"
07:14 < Bushmills> and of course, their dependencies will have to be resolved as well 
07:15 < Bushmills> so when they don't get autoinstalled - why do they show on "packages which will be installed" at all?
07:16 < Bushmills> i believe that some of your "required packages" serve only the purpose to resolve dependencies of some of the "suggested" and autoinstalled packages
07:17 < Bushmills> to verify, do "apt-cache depends ekiga" and look at ekiga's dependencies.
07:20 < Bushmills> yes. mine, with recommends autoinstallation disabled, wants to installed only a quarter of what yours does:
07:21 < Bushmills> http://scarydevilmonastery.net/snap/1275740460131383157d.png 
07:21 < Bushmills> note that for example docbook and gnome-doc etc are not on the list
07:21 < Bushmills> (i don't have them installed here, that's not the reason why they don't show)
07:23 < Bushmills> but i notice that kphone is not, what i initially thought, some kde thing
07:23 < Bushmills> i expected it to be worse than ekiga :)
07:39 -!- propagandhi [~propagand@CPE-121-223-222-185.static.nsw.bigpond.net.au] has joined ##openvpn
07:42 -!- propagandhi [~propagand@CPE-121-223-222-185.static.nsw.bigpond.net.au] has quit [Client Quit]
07:46 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:48 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 260 seconds]
08:35 < takamichi> Anyone got experience building OpenVPN 2.1 on Windows? Followed every bit of advice on the net and still get a compilation error.. 
08:36 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
08:38 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
08:42 < hyper_ch> build it?
08:42 -!- cron2 [~gert@kirk.greenie.muc.de] has quit [Ping timeout: 258 seconds]
08:44 < takamichi> yes, compiling the openvpn client on windows..
08:45 < hyper_ch> why?
08:46 < takamichi> Because I need to create a custom build
08:46 < hyper_ch> good luck then :)
09:21 -!- cron2 [~gert@kirk.greenie.muc.de] has joined ##openvpn
10:28 -!- me345 [~me345@adsl-75-15-251-189.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:29 -!- me345 [~me345@adsl-75-15-251-189.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:29 -!- me345 [~me345@adsl-75-15-251-189.dsl.bkfd14.sbcglobal.net] has joined ##openvpn
10:29 -!- me345 [~me345@adsl-75-15-251-189.dsl.bkfd14.sbcglobal.net] has left ##openvpn []
10:49 -!- smith43789 [~43b7fbdf@gateway/web/freenode/x-vhpkdgihmgqeklis] has quit [Ping timeout: 252 seconds]
10:56 -!- fti [~ice@pD9E905F4.dip0.t-ipconnect.de] has joined ##openvpn
10:56 < fti> hi
10:58 < hyper_ch> hi fti
10:59 < fti> Are there any possibilities to create a Gbit Link between Windows (TUN Device) and a OpenVPN Server? Got only 10Mbit/s from the Win32 Tun Adapter
11:00 < hyper_ch> no clue about windows
11:01 < fti> hm
11:03 -!- fluvvell [~barryc@port166-72.ubs.maxnet.net.nz] has quit [Ping timeout: 245 seconds]
11:05 < fti> hyper_ch and with two Linux Machines? Gbit possible?
11:06 < hyper_ch> I think so, I have no gb cards
11:07 -!- fluvvell [~barryc@port166-72.ubs.maxnet.net.nz] has joined ##openvpn
11:15 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 265 seconds]
11:23 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:23 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
11:25 -!- KavanS [~KavanS@static-173-50-141-22.ptldor.fios.verizon.net] has joined ##openvpn
11:27 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
11:28 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
11:28 < KavanS> I'm trying to find a solution to the following problem - I have an existing ipsec connection at home that connects me to the same network as my "road warrior" openvpn connection - my openvpn is initiated on ubuntu via an init script - how could one disable this?
11:29 < KavanS> not disable the init script - just make it so openvpn would not connect while @ home, and then auto-connect everywhere else?
11:35 -!- mape2k [~mape2k@p5B28447D.dip.t-dialin.net] has quit [Read error: Operation timed out]
11:38 < krzie> fti, yes, but you wont get gigabit speeds, there have been threads on the mail list about this
11:39 < krzie> KavanS, some sort of smart script... not really an openvpn question
11:40 < KavanS> krzie, k didn't know if there was a "pre"-script possibility
11:40 < krzie> nope, the script would decide whether or not to start openvpn
11:40 < KavanS> not a big fan of editing the init script - would rather just have something that would be upgrade proof (can reside in /etc/openvpn) and be executed before openvpn goes
11:40 < KavanS> ok
11:42 < krzie> !factoids search script
11:42 < vpnHelper> krzie: '2.1-winpass-script' and 'winscript'
11:42 < krzie> !factoids search execution
11:42 < vpnHelper> krzie: No keys matched that query.
11:44 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Read error: Connection reset by peer]
11:44 < krzie> !man
11:44 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
11:49 -!- KavanS [~KavanS@static-173-50-141-22.ptldor.fios.verizon.net] has quit [Ping timeout: 276 seconds]
11:52 -!- davertron [~Dave@vt-sb-1.logicsupply.com] has joined ##openvpn
11:54 < davertron> hey guys, i have 3 linux boxes that connect to a local network using OpenVPN; they all have tun devices, and I'm wondering how i see which Ip address they get on the VPN network.  If I run ifconfig, i see the that something like this: inet addr:10.8.0.14  P-t-P:10.8.0.13  Mask:255.255.255.255; is one of the 10.8.0.0/24 addresses the actual IP of the interface?
11:58 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
11:58 < Bushmills> tell server to write a status file
11:59 < Bushmills> that shows which clients are connected with their ip address.
11:59 < Bushmills> but, the idea is: either you don't care - then you let assign dynamic addresses from the pool, or you care, in which case you assign static addresses
12:00 < Bushmills> if you care enough to want to look at the addresses, you could just as well assign static addresses through ... 
12:00 < Bushmills> !ccd
12:00 < vpnHelper> Bushmills: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
12:01 < Bushmills> 10.8.0.14  would be the ip address in your example above
12:01 < Bushmills> (client)
12:03 -!- davertron [~Dave@vt-sb-1.logicsupply.com] has quit [Ping timeout: 265 seconds]
12:05 -!- KavanS [~KavanS@static-173-50-141-22.ptldor.fios.verizon.net] has joined ##openvpn
12:07 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has joined ##openvpn
12:08 < lazarus477> Is it possible to allow broadcasts to go across a routed vpn using tun/tap ?
12:08 < lazarus477> Is there any form of WebGUI for openvpn out yet? Something open source, naturally :-)
12:08 -!- krzee [nobody@hemp.ircpimps.org] has joined ##openvpn
12:09 -!- krzee [nobody@hemp.ircpimps.org] has quit [Changing host]
12:09 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
12:09 < krzee> http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR
12:09 < krzee> thats every place you can run a script
12:09 < vpnHelper> Title: OpenVPN 2.1 (at openvpn.net)
12:10 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
12:10 < lazarus477> krzee: Refering to my question?
12:12 < lazarus477> Anyhow. I was at the FSCONS conference in Gothenbrug Sweden two years ago and found this: http://ejbca.org/screenshots.html
12:12 < vpnHelper> Title: EJBCA - Open Source PKI Certificate Authority - Screenshots (at ejbca.org)
12:13 < lazarus477> I watched them demonstrate it. Appeared to be a very good web gui for managing certificates and it they told me and demonstrated as well that it worked nicelly with OpenVPN :-)
12:16 -!- davertron [~Dave@vt-sb-1.logicsupply.com] has joined ##openvpn
12:18 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
12:21 -!- davertron [~Dave@vt-sb-1.logicsupply.com] has quit [Ping timeout: 248 seconds]
12:22 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
12:26 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
12:32 -!- KavanS [~KavanS@static-173-50-141-22.ptldor.fios.verizon.net] has quit [Quit: Ex-Chat]
12:35 -!- davertron [~Dave@vt-sb-1.logicsupply.com] has joined ##openvpn
13:05 -!- SpyderZ [~SpyderZ@S0106001310f843e2.wp.shawcable.net] has joined ##openvpn
13:07 < SpyderZ> Hi, installing OpenVPN on a fresh Centos 5 64 bit server. (VM on XenServer) I'm having a problem with the config script freezing at "Generating init scripts auto command..." Any ideas?
13:11 -!- flok420 [folkert@keetweej.vanheusden.com] has joined ##openvpn
13:12 < flok420> hi, my openvpn-clients get an ip in the 192.168.11.x range while the windows domain server is in 192.168.0.x. now using a share on this windows server takes forever to start; how can I fix that?
13:13 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Excess Flood]
13:18 < krzee> lazarus477, i didnt see your question
13:18 -!- glguy [~emertens@unaffiliated/glguy] has joined ##openvpn
13:18 < flok420> oh and the clients in 192.168.11 are masqueraded to the 192.168.0 range
13:18 < krzee> flok420, 
13:18 < krzee> !wins
13:18 < vpnHelper> krzee: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
13:19 < krzee> you dont need or want masquerade for that
13:19 < krzee> !route
13:19 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:19 < flok420> krzee: neither the clients nor the server are using samba. als the routing; for that to work I need to add a route-line to all servers/printers for it to work as the openvpn server is not the default gateway
13:20 < krzee> !learn script as see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn
13:20 < vpnHelper> krzee: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
13:20 < krzee> !learn script as see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn
13:20 < vpnHelper> krzee: Joo got it.
13:21 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
13:23 < krzee> flok420, 
13:23 < krzee> !factoids search outside
13:23 < vpnHelper> krzee: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
13:23 < krzee> you dont add it to EVERY device, just to the router
13:27 < flok420> ah yes, but I can't: it is a lucent firewall which doesn't let you do advanced things like that
13:33 -!- glguy [~emertens@unaffiliated/glguy] has quit [Remote host closed the connection]
13:33 -!- glguy [~emertens@unaffiliated/glguy] has joined ##openvpn
13:39 -!- glguy [~emertens@unaffiliated/glguy] has quit [Read error: Connection reset by peer]
13:46 < flok420> yes, i verified it; the lucent firewall doesn't let me set a route to this other network via my openvpn gateway as it allows only 1 subnet per vlan
13:54 < krzee> a router that you cant add routes to, lol
13:54 < krzee> doesnt sound like a router to me
13:58 < flok420> well yeah
13:58 < flok420> in the mean time i solved that problem using masquerarding. works fine for webbrowsing (intranet), terminal sessions, etc. but not for opening cifs/smb shares
13:59 < krzee> right, WINS server
13:59 < krzee> or switch to bridge, those are your options
13:59 < krzee> oh wait 1 more option
13:59 < krzee> HOSTS file
14:09 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
14:10 -!- davertron [~Dave@vt-sb-1.logicsupply.com] has quit [Ping timeout: 260 seconds]
14:11 -!- SkyX [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
14:14 < flok420> won't 'bridge' also bridge all broadcasts generating huge amounts of traffic on the vpn?
14:16 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
14:22 -!- davertron [~Dave@vt-sb-1.logicsupply.com] has joined ##openvpn
14:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
14:36 -!- davertron [~Dave@vt-sb-1.logicsupply.com] has quit [Quit: Leaving]
14:37 -!- krzie [~k@unaffiliated/krzee] has joined ##openvpn
14:42 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
15:18 -!- lambrecht [~system@d51A4E044.access.telenet.be] has joined ##openvpn
15:54 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 260 seconds]
16:06 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has joined ##openvpn
16:22 -!- j03 [~6de08059@gateway/web/freenode/x-tztaylbwsudwgbew] has joined ##openvpn
16:25 < j03> Is there any way of limiting bandwidth usage on a per user basis? By bandwidth usage, i don't mean instantaneous bandwidth usage, I mean... per month
16:30 < krzie> yes, but not from within openvpn
16:31 < krzie> you do it the same way you would if there was no VPN
16:31 < krzie> you will want to use static ips for that..
16:31 < krzie> !static
16:31 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
16:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 248 seconds]
16:45 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
16:46 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 245 seconds]
16:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
17:07 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
17:08 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
17:11 -!- b0nn [~this@202-180-91-108.callplus.net.nz] has joined ##openvpn
17:14 < b0nn> hmm, why does it take 120 seconds after a connection is made before I can use the openvpn?
17:15 -!- j03 [~6de08059@gateway/web/freenode/x-tztaylbwsudwgbew] has quit [Ping timeout: 252 seconds]
17:21 < Bushmills> what happens in those 120 seconds before?
17:21 < krzie> well said Bushmills 
17:21 < krzie> i was trying to find the words, lol
17:23 < Bushmills> well, my impression is that during that time happens ... nothing :)
17:26 < b0nn> Bushmills: I get Sun Jun  6 10:24:16 2010 us=139531 Initialization Sequence Completed
17:26 < b0nn> and 120 seconds later I have a network connection
17:26 < b0nn> in the mean time, I have no network
17:27 < Bushmills> define "have no network"
17:28 < b0nn> it's consistent, everytime the openvpn renegotiates with the server, there is a 120 second pause before I can use the network
17:28 < b0nn> client cannot ping anything beyond itself
17:28 < Bushmills> check routing table
17:29 < Bushmills> also, try to ping hosts by ip address instead of by host name
17:30 < b0nn> ..it .
17:30 < Bushmills> xlerb
17:31 < b0nn> ?
17:31 < Bushmills> http://forthfreak.net/snap/xlerb.png
17:32 < b0nn> routing table is fine, and I ping by ip
17:32 < Bushmills> then traceroute or mtr packets, see where they get stuck
17:33 < Bushmills> tshark or tcpdump can also be helpful
17:35 < b0nn> they get stuck at the client end of the vpn
17:35 < b0nn> ping 192.168.0.98 -i 0.001
17:37 < Bushmills> check routing table on that client
17:38 < Bushmills> during immediately after connection
17:39 < Bushmills> oh well, i'm out. find it sort of tiring trying to extract information while next to none is provided
17:40 < Bushmills> as your are able to determines that table is "fine" then simply look for a trace of something which is "not fine"
17:46 < b0nn> it's the openvpn configuration.
17:53 -!- lambrecht [~system@d51A4E044.access.telenet.be] has quit []
18:02 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
18:05 < Bushmills> !confgen
18:05 < vpnHelper> Bushmills: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
18:12 < kisom> drunmk
18:12 < kisom> on mt cellphone
18:12 < kisom> compiling openvpm
18:14 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
18:19 -!- fti [~ice@pD9E905F4.dip0.t-ipconnect.de] has quit [Read error: Connection reset by peer]
18:21 < jpalmer> kisom, friends don't let frieds root drunk.  there are probably better things you can do if you re inebriated.
18:32 < ecrist> lol
18:34 < Bushmills> having another beer is one of those things
18:34 < Bushmills> even promilles must suffer from sign overflow, eventually.
18:42 < kisom> compiling openvpmfakerot
18:42 < kisom> fakeroot fyi
18:43 < kisom> ircin at a club... shit
18:43 < kisom> detach
18:43 < krzie> hah
18:52 -!- j03 [~6de08059@gateway/web/freenode/x-eiefwniezyffenax] has joined ##openvpn
18:53 < j03> krzie (i think it was you, anyway...): Thanks for that. Thing is, i'm a bit new to Linux Networking... i dont suppose you could point me in the direction of a guide or anything, could you/.
18:53 < j03> *?
18:53 < krzie> guide for what?
18:54 < ecrist> networking is the same, no matter the OS. ;)
18:54 < j03> Limiting the amount of data transfered every month
18:55 < j03> On a per-user (or Per IP) basis
18:55 < ecrist> !shaper
18:55 < vpnHelper> ecrist: Error: "shaper" is not a valid command.
18:55 < krzie> j03, google it... or ask in a linux channel... basically forget there is a VPN, think of the VPN clients as a LAN
18:55 < ecrist> !shaping
18:55 < vpnHelper> ecrist: Error: "shaping" is not a valid command.
18:55 < krzie> he doesnt want shaper
18:55 < ecrist> oh
18:55  * ecrist gives up
18:55 < krzie> he wants monthly bandwidth quotas
18:55 < krzie> which is far outside the scope of openvpn
18:56 < ecrist> it is/isn't
18:56 < krzie> how so?
18:56 < ecrist> bandwidth utilization is monitored by openvpn
18:56 < ecrist> it would be fairly simply to poll that data with a disconnect script and store it in a database
18:56 < krzie> oh ok /me bows out and pays attention so he can learn too
18:57 < ecrist> when that user reaches limit X, you can disconnect them, or throttle them down to a lower bandwidth
18:57 < ecrist> the throttling would have to be done with shaper or an external shaping tool
18:58 < ecrist> my openvpn-status log has a header of:
18:58 < ecrist> Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
18:58 < ecrist> so, as long and you poll that file on a regular basis and store it, and then grab it on disconnect as well, you should be set
18:59 < j03> so a cron job that runs every x minutes
18:59 < ecrist> sure
18:59 < ecrist> make sure you pick it up with a client disconnect script, as well, though.
19:00 < ecrist> otherwise you'll be the transfer between your last check and their disconnect.
19:00 < ecrist> theoretically, if the user was able figure out your check cycle, they could circumvent it with many disconnect/reconnects.
19:01 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 265 seconds]
19:01 < j03> ah, i see
19:01 < j03> This is going to have to be a project :D
19:01 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
19:04 < j03> Would it be best to use the OpenVPN Logs, or an iptables rule?
19:06 < ecrist> that's up to you
19:07 < ecrist> if it were me, I'd use the built-in monitor for openvpn
19:07 < ecrist> there was a discussion here about it a while back, don't recall whe, though.
19:07 < ecrist> feel free to check the logs
19:07 < ecrist> !logs
19:07 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
19:08 < ecrist> sorry, wrong link
19:08 < ecrist> !irclogs
19:08 < vpnHelper> ecrist: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days.
19:08 < j03> I'll look into it further in a couple of weeks, once my exams are over. Thanks for the help guys - i'll let you know how I get on.
19:08 < ecrist> ok
19:09 -!- j03 [~6de08059@gateway/web/freenode/x-eiefwniezyffenax] has quit [Quit: Page closed]
19:11 -!- g0tcha1 [~efnet@27.9.202.62.fix.bluewin.ch] has joined ##openvpn
19:12 -!- g0tcha [~efnet@27.9.202.62.fix.bluewin.ch] has quit [Ping timeout: 260 seconds]
19:20 -!- g0tcha [~efnet@27.9.202.62.fix.bluewin.ch] has joined ##openvpn
19:21 -!- g0tcha1 [~efnet@27.9.202.62.fix.bluewin.ch] has quit [Ping timeout: 276 seconds]
19:40 -!- notbrien [~notbrien@69.86.1.238] has joined ##openvpn
19:40 -!- g0tcha1 [~efnet@27.9.202.62.fix.bluewin.ch] has joined ##openvpn
19:41 -!- g0tcha [~efnet@27.9.202.62.fix.bluewin.ch] has quit [Ping timeout: 252 seconds]
19:43 -!- notbrien [~notbrien@69.86.1.238] has quit [Client Quit]
19:45 -!- notbrien [~notbrien@69.86.1.238] has joined ##openvpn
19:45 -!- notbrien [~notbrien@69.86.1.238] has quit [Remote host closed the connection]
19:45 -!- notbrien [~notbrien@69.86.1.238] has joined ##openvpn
19:49 -!- notbrien [~notbrien@69.86.1.238] has quit [Client Quit]
19:49 -!- notbrien [~notbrien@69.86.1.238] has joined ##openvpn
19:50 -!- notbrien [~notbrien@69.86.1.238] has quit [Client Quit]
19:55 -!- tjz_ [~pc@bb116-14-142-112.singnet.com.sg] has joined ##openvpn
20:07 -!- tjz_ [~pc@bb116-14-142-112.singnet.com.sg] has quit [Quit: bbl.]
20:14 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
20:25 -!- Tominator [~thomas@p5DD2F86E.dip.t-dialin.net] has joined ##openvpn
20:25 < Tominator> hi
20:25 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
20:26 < Tominator> I've got a question about vpn in general: when I use client-to-client in the config file: will the traffic go over the server or directly between the clients?
20:30 < Tominator> !welcome
20:30 < vpnHelper> Tominator: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:30 < Tominator> !wiki
20:30 < vpnHelper> Tominator: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
20:31 < krzie> Tominator, 
20:31 < krzie> !c2c
20:31 < vpnHelper> krzie: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
20:31 < vpnHelper> krzie: behind other clients
20:31 < krzie> traffic ALWAYS passes through the server
20:31 < krzie> above is what client-to-client actually does
20:32 < Tominator> I see... is there the possibility to actually have any sort of encrypted p2p network?
20:33 < Tominator> or better: do you know of any?
20:33 < krzie> ipsec, hamachi
20:33 < krzie> !ipsec
20:33 < vpnHelper> krzie: Error: "ipsec" is not a valid command.
20:33 < krzie> !factoids search --values openswan
20:33 < vpnHelper> krzie: No keys matched that query.
20:33 < krzie> !factoids search --values swan
20:33 < vpnHelper> krzie: No keys matched that query.
20:33 < krzie> !factoids search --values ipsec
20:33 < vpnHelper> krzie: 'notcompat' and 'pptp'
20:34 < krzie> heh
20:34 < krzie> ya, ipsec / hamachi
20:34 < krzie> lol
20:34 < Tominator> thx :)
20:34 < krzie> yw
20:47 -!- Tominator1 [~thomas@p5DD2E998.dip.t-dialin.net] has joined ##openvpn
20:48 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
20:48 -!- Tominator [~thomas@p5DD2F86E.dip.t-dialin.net] has quit [Ping timeout: 276 seconds]
20:53 -!- Tominator1 [~thomas@p5DD2E998.dip.t-dialin.net] has quit [Quit: Leaving.]
20:58 < lazarus477> I am setting up openVPN on openSUSE 11.2 and have run into a snag. I cannot locate easy-rsa anywhere at /usr/share/doc/packages/openvpn/, this is an rpm install of version 2.1. Do I need to install the source package perhaps?
20:59 < krzie> find / -name easy-rsa
21:00 < lazarus477> searching...
21:00 < lazarus477> ty, found it.
21:01 < krzie> yw
21:01 < lazarus477> Good idea ya had there ;-)
21:01 < krzie> heh
21:13 < lazarus477> Should I copy /usr/share/openvpn/easy-rsa/2.0/*  to /etc/openvpn/ or should I copy /usr/share/openvpn/easy-rsa to /etc/openvpn/ ?
21:24 -!- brenddie [~eddie@mobile-166-214-192-049.mycingular.net] has joined ##openvpn
21:25 < brenddie> hi all, can someone provide link to doc on configuring different access to different vpn users?
21:30 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
21:34 < lazarus477> I think it might be covered in the howto at openvpn.org under community related info.
21:34 < lazarus477> brenddie: By the way. I set it up a few years back, worked like a charm.
21:35 < brenddie> i had a couple links from a while ago when i tried it
21:35 < brenddie> saw a post on the ipcop mailing list and remembered thats soemthing i had almost working
21:36 < brenddie> the howto gives a good overall of how its done
21:36 < brenddie> http://www.openvpn.net/index.php/open-source/documentation/howto.html#policy
21:36 < vpnHelper> Title: HOWTO (at www.openvpn.net)
21:37 < brenddie> trying to find my notes on this now. 
21:37 < lazarus477> Should I keep the contents of the easy-rsa/2.0 directory under /etc/openvpn or under /etc/openvpn/easy-rsa/2.0 or what?
21:46 < b0nn> lazarus477: I cp -r /usr/share/openvpn/easy-rsa /etc/openvpn, however I now think I only needed 2.0 dir
21:47 < b0nn> lazarus477: once the keys had been generated, the keys/ directory was all that was required to be kept permanently
21:47 < b0nn> AIUI
21:47 < b0nn> YMMV
21:47 < b0nn> etc
21:47 < b0nn> also IANAL (needed another acronym to feel good)
22:03 < lazarus477> b0nn: Well I went with placing the directory easy-rsa and its subdir 2.0 as a whole at /etc/openvpn, felt cleanest.
22:04 < lazarus477> If it was wrong I can allways correct it.
22:04 < lazarus477> Ok I am generating the server certificate and getting asked to provide a challenge password, any reason to provide one?
22:05 < lazarus477> I asume it would force connecting clients to also know the servers key passphrase, or am I wrong?
22:05 < lazarus477> Ah I thinks I am wrong...
22:06 < lazarus477> Anyone care to enlighten me?
22:23 < krzee> lazarus477, it doesnt matter where the scripts are
22:23 < krzee> yes, you were wrong
22:24 < krzee> when you put a passphrase on a key, you must know the passphrase to locally access the key (ie: when you start openvpn)
22:25 < lazarus477> krzee: Yep thought so. Guess it works pretty much as ssh when it comes to keys.
22:26 < lazarus477> I set this up twice in the past three years, I am rusty pluss need to learn more about keys.
22:26 < lazarus477> Kinda silly since I use public key based encryption every day, lol.
22:28 < lazarus477> Ok I was building some keys for clients and was asked to supply a PEM Pass Phrase. Later I was asked for a Challenge PAssword. What is the difference?
22:30 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
22:30 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
22:34 < lazarus477> What exactly is a CSR file (Certificate Request) ?
22:34 < theDoc> It's a request to get a signed certificate.
22:34 < lazarus477> Well what purpose does this file serve?
22:35 < lazarus477> Is it even needed once the crt and key files have been generated? Is it some left over junk data?
22:35 -!- dougy [Douglas@ool-435033e6.dyn.optonline.net] has joined ##openvpn
22:37 < lazarus477> Ok now I think I get the point of the CSR file...
22:37 < lazarus477> It is used for signing of public keys.
22:37 < lazarus477> Something I need to study further but I kinda get it.
22:41 < dougy> studying is win
22:41 < dougy> i should try that some time
22:42 < lazarus477> I know ;-)
22:42 < mwheeler> OpenVPN gods, do I need to have keepalive on both sides?
22:43 < dougy> ive never set it on both
22:46 < mwheeler> Thanks :>
22:46  * theDoc keeps you alive.
22:47 < mwheeler> haha
22:50 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
22:51 < dougy> hai thedoc
22:55 -!- brenddie [~eddie@mobile-166-214-192-049.mycingular.net] has left ##openvpn ["Leaving."]
23:04 -!- DrJ [Bacon@174.141.224.168] has joined ##openvpn
23:04 < DrJ> little confused ... if openvpn is opensource ... why do you have to pay for more than 2 concurrent connections?
23:07 < theDoc> You're looking at access-server.
23:07 < theDoc> Not the opensource release of openvpn.
23:07 < theDoc> !access-server
23:07 < vpnHelper> theDoc: "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
23:07 < vpnHelper> theDoc: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://beta.openvpn.net/index.php/access-server/download-openvpn-as.html, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
23:07 < DrJ> in other words only the client is opensource?
23:09 < theDoc> No, in other words, the entire access-server setup is a for profit application.
23:09 < theDoc> What you want is just openvpn, not access server.
23:09 < DrJ> what's the difference between the two then
23:09 < theDoc> One of them requires you to pay.
23:10 < DrJ> got to be more than that
23:10 < DrJ> or no one would ever pay
23:22 < lazarus477> In the server config file I can uncomment a line to select a cryptographic cipher. Does this mean that if I skip uncommenting one of these lines the vpn traffic will go unencrypted?
23:40 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Read error: Connection reset by peer]
23:48 < dougy> lazarus477
23:48 < dougy> default is blowfish, iirc
23:49 < dougy> if it is undefined
23:53 -!- hceylan [~hceylan@mail.batoo.org] has joined ##openvpn
23:53 < hceylan> Hello I am trying to use openvpn with android
23:54 < hceylan> all seems to fine and vpn connects
23:54 < hceylan> But somehow ifconfig and route is not getting through
23:54 < hceylan> I get the following error on the log
23:54 < hceylan> Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:1: route (2.1.1)
23:54 < hceylan> Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: ifconfig (2.1.1)
23:54 < hceylan> any idea?
23:55 < hceylan> There seems to be some discussion on finding the ifconfig and route binaries
23:55 < hceylan> If that's the problem, is there a way to tell openvpn the location of these binaries?
23:57 -!- hceylan_ [~hceylan@95.65.137.207] has joined ##openvpn
23:58 -!- dougy [Douglas@ool-435033e6.dyn.optonline.net] has quit []
23:58 < hceylan_> also specifiying the ifconfig X.X.X.X Y.Y.Y.Y in the client.conf gives similar error
23:58 -!- takamichi [~pri@78.133.37.89] has quit [Ping timeout: 272 seconds]
23:59 -!- takamichi [~pri@78.133.37.89] has joined ##openvpn
--- Day changed Sun Jun 06 2010
00:00 -!- DrJ [Bacon@174.141.224.168] has quit [Remote host closed the connection]
00:00 -!- hceylan [~hceylan@mail.batoo.org] has quit [Ping timeout: 265 seconds]
00:03 -!- DrJ [Bacon@174.141.224.168] has joined ##openvpn
00:27 -!- hceylan_ [~hceylan@95.65.137.207] has left ##openvpn ["Konversation terminated!"]
00:45 < krzee> !forget access-server 3
00:45 < vpnHelper> krzee: Joo got it.
00:45 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
00:45 < krzee> !forget access-server 3
00:45 < vpnHelper> krzee: Joo got it.
00:45 < krzee> !learn access-server as http://openvpn.net/index.php/access-server/download-openvpn-as.html to download
00:45 < vpnHelper> krzee: Joo got it.
00:46 < krzee> !learn access-server as go to http://openvpn.net/index.php/access-server/support-center.html for support
00:46 < vpnHelper> krzee: Joo got it.
00:46 < krzee> !access-server
00:46 < vpnHelper> krzee: "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations options
00:46 < vpnHelper> krzee: supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
00:50 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
00:51 < krzee> mwheeler, from manual
00:51 < krzee> For example, --keepalive 10 60 expands as follows: 
00:51 < krzee>  if mode server:
00:51 < krzee>    ping 10
00:51 < krzee>    ping-restart 120
00:51 < krzee>    push "ping 10"
00:51 < krzee>    push "ping-restart 60"
00:51 < krzee>  else
00:51 < krzee>    ping 10
00:51 < krzee>    ping-restart 60
00:52 < mwheeler> Thanks krzee 
00:52 < krzee> np
00:52 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
00:53 < krzee> DrJ, the difference is #1 and #2 from !access-server
00:54 < krzee> the opensource version can be setup for client and server, depending on the config file
00:54 < krzee> for example:
00:54 < krzee> !sample
00:54 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
00:55 < krzee> and as far as support, access-server comes with support from the company
00:55 < krzee> opensource has documentation (and some people here, who expect you to read it)
00:55 < krzee> ;]
00:55 < krzee> !man
00:55 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
00:55 < krzee> !howto
00:55 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
00:55 < krzee> !confgen
00:56 < vpnHelper> krzee: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
00:56 < krzee> !forget AS
00:56 < vpnHelper> krzee: Joo got it.
00:56 < krzee> !learn AS as [access-server]
00:56 < vpnHelper> krzee: Joo got it.
00:57 < krzee> lazarus477, the point of a CSR is that i do not need to give you my key for you to sign my certificate
00:58 < krzee> i send you a CSR, you send me a CRT and your ca.crt (for checking your server cert against)
01:10 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
01:50 -!- tjz [~pc@bb116-14-142-112.singnet.com.sg] has joined ##openvpn
01:50 -!- tjz [~pc@bb116-14-142-112.singnet.com.sg] has quit [Changing host]
01:50 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
02:07 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has quit [Read error: Connection reset by peer]
02:08 -!- SpyderZ [~SpyderZ@S0106001310f843e2.wp.shawcable.net] has quit [Quit: SpyderZ]
02:32 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Excess Flood]
02:34 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
02:58 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:25 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:44 -!- b0nn [~this@202-180-91-108.callplus.net.nz] has quit [Ping timeout: 276 seconds]
04:02 -!- cool [~cool@unaffiliated/gary4gar] has joined ##openvpn
04:04 < cool> Hi, After two days of trying I have configured OpenVPN server and clients can connect. But there is no response to can't open/ping. Is this a firewall related issue?
04:09 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Excess Flood]
04:14 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
04:15 < cool> !welcome
04:15 < vpnHelper> cool: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:16 < cool> !logs
04:16 < vpnHelper> cool: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
04:33 < cool> connect log http://pastebin.com/mW1pyJPc
04:33 < cool> Server.conf --> http://pastebin.com/tg7f6hwk
04:33 < cool> Client.conf http://pastebin.com/DLrwzyr7
04:33 < cool> what else is needed?
04:34 < krzee> verb 5
04:34 < krzee> like it says in !logs
04:35 < krzee> and like it says in !configs, strip comments from configs
04:35 < krzee> !configs
04:35 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
04:36 < krzee> oh, and logs from both sides, from start, to connected, and after trying to ping each side
04:40 < cool> krzee: okay, Thank you sire. I would post the logs
04:40 < cool> sir*
04:41 < krzee> np
04:42 < krzee> and yes, it certainly can be a firewall issue
04:42 < krzee> verb 5 will show it
04:42 < krzee> (so would sniffing tun devices)
04:42 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
04:50 < cool> Client COnnect log with verb 5 http://pastebin.com/0aNMgFxF
04:54 < cool> server & client connect logs --> http://pastebin.com/EMWnZ85n
04:54 < cool> Connectiong there are config files^^
04:56 < cool> Server OS: CentOS 5.5 with OpenVPN 2.0.1
04:56 < cool> CLient OS: Windows Vista with OpenVPN 2.0.1
05:06 < cool> krzee: ^^^
05:09 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:10 -!- propagandhi [~propagand@CPE-121-223-222-185.static.nsw.bigpond.net.au] has joined ##openvpn
05:13 < cool> here is server log http://pastebin.com/Dx6MTuFZ
05:15 < cool> !interface
05:15 < vpnHelper> cool: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
05:17 < lazarus477> krzee: Ty for explaining the purpose of the CSR file. I found an answer later on and your reply confirmed my findings which is reasuring :-)
05:17 < lazarus477> Ok folks ta ta. 
05:17 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has quit [Quit: leaving]
05:18 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Excess Flood]
05:19 < krzee> cool, clients cant push anything
05:20 < krzee> !ush
05:20 < vpnHelper> krzee: Error: "ush" is not a valid command.
05:20 < krzee> !push
05:20 < vpnHelper> krzee: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
05:22 -!- star314 [~star314@starnet1.sinh.us] has joined ##openvpn
05:26 -!- krzee [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
05:28 -!- star314 [~star314@starnet1.sinh.us] has quit [Quit: Leaving]
05:28 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
05:29 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
05:30 -!- star314 [~star314@starnet1.sinh.us] has joined ##openvpn
05:32 -!- star314 [~star314@starnet1.sinh.us] has quit [Client Quit]
05:32 -!- star314 [~star314@starnet1.sinh.us] has joined ##openvpn
05:38 -!- star314 [~star314@starnet1.sinh.us] has quit [Quit: Ex-Chat]
05:38 -!- star314 [~star314@starnet1.sinh.us] has joined ##openvpn
05:40 -!- star314 [~star314@starnet1.sinh.us] has quit [Client Quit]
05:51 -!- star314 [~star314@starnet1.sinh.us] has joined ##openvpn
05:51 -!- star314 [~star314@starnet1.sinh.us] has left ##openvpn []
05:51 < |Mike|> ffs
06:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
06:12 < kisom> ahhh the pain
06:16 -!- fahmad [~linux@unaffiliated/fahmad] has joined ##openvpn
06:16 < fahmad> Hello
06:16 -!- star314 [~star314@starnet1.sinh.us] has joined ##openvpn
06:16 < fahmad> can some one tell me how can i setup service similar to hotspotsheild.com ?
06:20 < |Mike|> eh, you can better hire someone for that :)
06:20 < fahmad> |Mike|: but there must be a way :)
06:21 < fahmad> that does not means that people can not do that by them self :)
06:21 < fahmad> its another thing that people trying to hide their work and still claiming that they support Open Source :)
06:26 -!- takamichi [~pri@78.133.37.89] has quit [Ping timeout: 240 seconds]
06:27 -!- takamichi [~pri@78.133.37.89] has joined ##openvpn
06:30 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
06:31 -!- takamichi [~pri@78.133.37.89] has quit [Ping timeout: 252 seconds]
06:52 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
06:54 -!- propagandhi [~propagand@CPE-121-223-222-185.static.nsw.bigpond.net.au] has quit [Quit: Leaving...]
07:09 -!- star314 [~star314@starnet1.sinh.us] has quit [Quit: Leaving]
07:30 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: Leaving.]
07:30 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
07:37 -!- Leilaa [~50bfc236@gateway/web/freenode/x-kazlpouescseusux] has joined ##openvpn
07:44 -!- Leilaa [~50bfc236@gateway/web/freenode/x-kazlpouescseusux] has left ##openvpn []
07:48 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 248 seconds]
07:53 -!- star314 [~star314@starnet1.sinh.us] has joined ##openvpn
07:59 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
08:10 < hyper_ch> hmmm, krzie help :(
08:13 < kisom> hyper_ch: what do you need help with?
08:15 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 260 seconds]
08:24 -!- j03 [~6de08059@gateway/web/freenode/x-subxrvrkvyyqaonj] has joined ##openvpn
08:25 < j03> Hi, I've got a bit of a problem. I am unable to connect to my openvpn server. I'm running Windows 7 x64, and the client just tells me "connecting to <name> has failed"
08:26 < kisom> probably your firewall
08:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:28 < j03> Well the thing is
08:28 < j03> It worked one minute, then it stopped working the next
08:28 < j03> (it seemed to be that way, anyway)
08:28 < kisom> are you using redirect-gateway?
08:33 < j03> Not as far as I know
08:33 -!- star314 [~star314@starnet1.sinh.us] has quit [Quit: Leaving]
08:34 < j03> Hang on, i'll double check
08:34 < j03> No, i'm not.
08:35 < j03> I'm,not sure if it's a problem with my Client or a problem with my server
08:37 < j03> I'll BRB.
08:42 < j03> I get upto: "Sun Jun 06 14:36:53 2010 VERIFY OK: depth=0, /C=UK/ST=Anglesey/L=..../O=..../OU=Office/CN=vpn1/emailAddress=joseph@re...ern.me "
08:54 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
08:58 < |Mike|> logs
08:59 < |Mike|> tell j03 logs
08:59 < |Mike|> !tell j03 logs
08:59 < |Mike|> !tell |Mike| logs
08:59 < |Mike|> ah okay, that works :)
09:06 < j03> You mean server logs?
09:06 < j03> Or client logs?
09:08 < j03> Because it's as if the client suddenly stop's talking to the server...
09:08 -!- cool [~cool@unaffiliated/gary4gar] has quit [Ping timeout: 264 seconds]
09:08 < j03> if I set up an account, and sent you the config, would you be willing to connect? or is that a big no-no security wise
09:12 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
09:15 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Remote host closed the connection]
09:15 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
09:25 < kisom> j03: OK, so you get connected for a minute and then loses connection to the VPN?
09:25 < kisom> are you able to ping the server during that time?
09:25 < j03> No, it doesn't connect at all
09:26 < j03> The server logs say something about a TLS auth. timeout?
09:26 < kisom> OK, then you probably have an error related to your certificates
09:26 < j03> But I think that's because the client has disconnected, and not because there is a problem with the TLS
09:26 < kisom> sounds like openvpn is unable to negotiate a secure connection and just timeouts
09:26 < kisom> do you use static keys or PKI?
09:27 < j03> PKI
09:27 < j03> I'll double check that though
09:28 < kisom> well have you generated a certificate authority, a server and client key and set up easy-rsa?
09:28 < j03> Yes
09:28 < kisom> can you paste your config files at http://livepad.eu/openvpn please?
09:28 < kisom> both client and server
09:28 < vpnHelper> Title: EtherPad: openvpn (at livepad.eu)
09:29 < j03> Sure
09:30 < kisom> got it, thanks
09:30 < kisom> sec, i'll look trough
09:31 < j03> OK thanks
09:32 < kisom> what O/S are you running on the client and server?
09:33 < j03> Server: Debian 5.0 x86
09:33 < j03> Client: Windows 7 Ultimate x64
09:34 < kisom> OK, i would recommend setting verb to 7 or something and read the logs
09:34 < kisom> usually you can figure out whats wrong
09:35 < j03> OK, I'l give it a go
09:35 < j03> thanks
09:35 < j03> On both the Client and the Server?
09:35 < kisom> you can start with the client and try to figure it out there
09:36 < j03> yeah
09:36 < kisom> btw
09:36 < kisom> use "ns-cert-type server" on the client.
09:37 < kisom> otherwise your network is vulnerable to MITM-attacks from other clients
09:39 < j03> OK, thanks
09:39 < kisom> you can paste the logs at livepad and I'll have a look :)
09:40 < j03> OK, I've pasted the client logs
09:42 < kisom> and then it just timeouts?
09:43 < j03> Well
09:43 < j03> Hang on, I'll record it
09:43 < kisom> i think i'm gonna need the server logs too
09:47 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:47 < j03> OK, it's recorded. http://www.screentoaster.com/watch/stUkpQSk1IR15aSF5ZXVpdX19c/openvpn_issue
09:48 < vpnHelper> Title: ScreenToaster - openvpn issue Screencast Video (at www.screentoaster.com)
09:48 < j03> the client doesnt always actually crash
09:48 < j03> at least, I dont think it does..
09:51 < j03> OK,i've got server logs now
09:52 < j03> I've copied and pasted them now. They are pretty big
09:58 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
09:59 < kisom> Sun Jun  6 15:51:21 2010 us=626643 109.224.128.89:57472 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
09:59 < kisom> Sun Jun  6 15:51:21 2010 us=626655 109.224.128.89:57472 TLS Error: TLS handshake failed
09:59 < kisom> i'd still say something is wrong with the way you created your CA
10:06 < j03> OK, I'll try making a new one
10:13 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:14 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
10:16 < j03> I've started from scratch, and i've got the same problem
10:16 < j03> I'm going to re-install the VPN client
10:18 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 260 seconds]
10:19 < j03> Well, that fixed it. Why didn't I try that before! :|
10:19 < j03> Thanks for the help!
10:26 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
10:26 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:48 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
10:49 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:56 -!- onats [~onats@unaffiliated/onats] has quit [Read error: Connection reset by peer]
10:56 -!- arcsky [~arcsky@2a01:48:100:1:1::1c2] has joined ##openvpn
10:56 -!- onats [~onats@unaffiliated/onats] has joined ##openvpn
10:57 -!- onats [~onats@unaffiliated/onats] has quit [Read error: Connection reset by peer]
10:57 -!- onats [~onats@unaffiliated/onats] has joined ##openvpn
11:00 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
11:01 -!- le0_ [~fin@cpc4-bele7-2-0-cust381.know.cable.virginmedia.com] has joined ##openvpn
11:05 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
11:22 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
11:23 < arcsky> I want to make a openvpn (bridged). Server running ubuntu with just one interface eth0 with WAN IP.
11:23 < arcsky> Im not sure how to conf the bridge. If anyone can tell me how to conf i would be happy.
11:23 < arcsky> I want to conf so my client can go through the openvpn and out on internet from there.
11:24 < arcsky> here are my openvpn.conf and bridge conf http://pastebin.com/693vsv3e
11:34 < Bushmills> !confgen
11:34 < vpnHelper> Bushmills: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
11:35 < Bushmills> is the reason to configure bridge just to use vpn for internet?
11:35 < Bushmills> !tunortap
11:35 < vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
11:35 < vpnHelper> Bushmills: against you over the vpn, or (#4) lan gaming? use tap!
11:36 < Bushmills> means:  for using vpn server as gateway to internet, it is not only unnecessary to configure as bridge, it is even a bad idea.
11:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
11:43 -!- j03 [~6de08059@gateway/web/freenode/x-subxrvrkvyyqaonj] has quit [Ping timeout: 252 seconds]
11:46 < arcsky> Bushmills: yeah
11:46 < Bushmills> use a routing setup
11:46 < Bushmills> !redirect
11:46 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
11:47 < arcsky> i dont need a bridge ? just redirct function in openvpn.conf ?
11:47 < Bushmills> your current interface to internet isn't bridged - and still you have internet
11:48 < Bushmills> openvpn just gives you a new interface where you can route your traffic to
11:49 < Bushmills> and there's a reason, traffic in internet is steered using routers ...
11:50 < Bushmills> consider: why are network hubs hardly seen anymore, and switches have replaced them?
11:50 < Bushmills> (hubs akin to bridges,  switches akin to routers)
12:04 < hyper_ch> Bushmills: I heard you're a voip guru?
12:04 < Bushmills> i haven't heard that
12:05 < hyper_ch> damn :)
12:06 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 260 seconds]
12:08 < Bushmills> i am a voip guru as much as you are a automotive engineer because you drive a Honda
12:08 < |Mike|> bushmills++
12:08 < |Mike|> :D
12:09 < hyper_ch> yey, I'm an automotive engineer :) where did I get my degree from?
12:10 < |Mike|> ping6 2001:4018:1000:4::8
12:10 < |Mike|> could someone enter that?
12:10  * |Mike| can't reach it :s
12:10 < Bushmills> or "letting go a fart doesn't make you a rocket scientist" :)
12:21 < hyper_ch> |Mike|: don't you need to have ipv6 support in order to ping that?
12:22 < |Mike|> hyper_ch: yeah that too hehe
12:22 < |Mike|> (i assume that everyone here is ipv6 compatible :P )
12:23 < hyper_ch> I'm not
12:24 < hyper_ch> ipv6 is way overrated :) like hdtv
12:27 < julius> yup
12:27 < julius> sharing one IP with the entire city is quite cool :)
12:34 < hyper_ch> sharing is caring
12:34 < hyper_ch> each one having his/her/its own ip is egositic
12:54 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 272 seconds]
12:58 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Remote host closed the connection]
13:18 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 272 seconds]
13:27 < Bushmills> we demand shared door bells for everyone!
13:28 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
13:32 < arcsky> i got problem with my openvpn client config. does anyone know this problem http://pastebin.com/QWhn8VV6
13:34 < Bushmills> looks like corrupted key
13:35 < Bushmills> maybe wrong location or not readable
13:37 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 245 seconds]
13:44 < arcsky> ok Bushmills isnt this correct ./build-key arcsky ?
13:57 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
14:06 < arcsky> ah it works now ;)
14:19 < kisom> ouch
14:19 < kisom> 314 episodes of stargate
14:19 < kisom> watched all of SG1 and atlantis!
14:19 < Bushmills> last universe aired 2 days agi
14:19 < Bushmills> ago
14:20 < kisom> yeah i know
14:20 < kisom> still got the arc of truth to watch
14:20 < kisom> and that other move
14:23 < hyper_ch> it was not the last universe
14:25 < Bushmills> s/last/most recent/
14:25 < hyper_ch> :)
14:26 < hyper_ch> the second part will air on friday
14:26 < hyper_ch> and the third part will be aired in october :(
14:27 < Bushmills> though i find Serenety - the firefly movie (that's not the double-feature, movie size Season 1 episode 1+2, which is also movie length - better than arc of truth
14:27 < Bushmills> Serenity
14:34 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
14:52 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has joined ##openvpn
14:52 < lazarus477> Any known little problems with running openvpn 2.1 on Windows 7?
14:54 < krzie> [04:24]  <fahmad> its another thing that people trying to hide their work and still claiming that they support Open Source :)
14:54 < krzie> lol
14:54 < krzie> like supporting open source means setting up a business for him
14:54 < lazarus477> I setup the openvpn client with GUI on Windows7 and it complains about fopen, not being able to find the client certificate and something about --script-security setting of 2.
14:55 < krzie> [07:02]  <|Mike|> !tell |Mike| logs
14:55 < krzie> mike, that did NOT work, it just messaged you with "logs"
14:55 < krzie> you need command substitution, aka [logs]
14:55 < krzie> "and something about --script-security setting of 2."
14:56 < krzie> you can ignore that unless you are calling scripts in your configs, in which case you need to read about that option in the manual
14:56 < krzie> as far as not finding the cert...
14:56 < krzie> !fullpath
14:56 < vpnHelper> krzie: Error: "fullpath" is not a valid command.
14:56 < krzie> !path
14:56 < vpnHelper> krzie: "path" is always use full paths in your config file, it makes things easier
14:57 < krzie> [07:29]  <j03> The server logs say something about a TLS auth. timeout?
14:57 < krzie> [07:29]  <kisom> OK, then you probably have an error related to your certificates
14:57 < krzie> kisom, that is the standard error when no connection is made, not necessarily anything about the certs
14:57 < krzie> example, if the port is closed, it would say that
14:58 < krzie> [07:37]  <kisom> OK, i would recommend setting verb to 7 or something and read the logs
14:58 < krzie> verb 5 is good for troubleshooting, verb 7 will make you swim through too much BS
15:01 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
15:02 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
15:03 < arcsky> my openvpn client, i want that it can reach the internet what setting to i need in my server.conf ?
15:04 < krzie> !redirect
15:04 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
15:05 < krzie> or easier
15:05 < krzie> !confgen
15:05 < vpnHelper> krzie: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
15:05 < kisom> krzie: hmm, i'm not sure that's the case when using TCP, it probably would give another error when the TCP session cant be established
15:05 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
15:06 < cron2> |Mike|: your v6 address doesn't ping, traceroute ends somewhere in 2001:4018:0:91
15:08 < krzie> kisom, true for tcp, however the only time tcp should be used is when firewalls force it to be
15:09 < krzie> kisom, more often you will see:
15:09 < krzie> [08:02]  <kisom> Sun Jun  6 15:51:21 2010 us=626643 109.224.128.89:57472 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
15:09 < krzie> which is why the error says to check network connectivity =]
15:09 < kisom> yeah i use TCP, so i'm pretty used to it ;)
15:09 < kisom> my misstake
15:09 < krzie> no problem
15:10 < krzie> im only telling you so next time you see it you know right away what it is
15:10 < kisom> yeah i should have thought of that, in fact i knew it already but i forgot about UDP
15:12 < arcsky> !def1
15:12 < krzie> lazarus477, you seen my answer to you?
15:12 < vpnHelper> arcsky: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
15:12 < hyper_ch> krzie - my dear old friend :)
15:12 < krzie> arcsky, if you use anything with bash (linux/unix) try my confgen
15:12 < hyper_ch> can I blame you?
15:12 < krzie> for what happened to your sister? ;]
15:13 < hyper_ch> no you said to use freeswitch :)
15:13 < ecrist> what's wrong with freeswitch?
15:13 < hyper_ch> well, I can't place calls :(
15:13 < hyper_ch> set it up with freepbx v3
15:13 < krzie> i have used it, but for support i suggest #freeswitch
15:13 < hyper_ch> added extension and numbers
15:13 < kisom> speaking of freeswitch, my asterisk broke down :<
15:14 < hyper_ch> softphones can register, but appear as offline
15:14 < hyper_ch> and can't call each other
15:14 < hyper_ch> krzie: they don't respond in there :(
15:14 < krzie> !notovpn
15:14 < vpnHelper> krzie: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
15:14 < krzie> :-p
15:14 < krzie> yes they do
15:14 < ecrist> hyper_ch: use fusionpbx, or raw freeswitch
15:14 < krzie> they prolly start ignoring you when you say you used some app to configure instead of learning how freeswitch works
15:15 < krzie> kinda like how we ignore access-server users :-p
15:15 < hyper_ch> krzie: oh :(
15:15 < krzie> (ok we dont ignore them, we send them to the access-server place
15:15 < krzie> )
15:15 < hyper_ch> ecrist: fusionpbx... can have a look there
15:15 < krzie> hyper_ch, i cant garuntee thats why you dont get a response, did you try taking a number in their ticketing system?
15:15 < ecrist> they have an irc channel, too
15:16 < ecrist> krzie: his last chat in there was at 12:06 today ( ~3 hours ago) and he *did* have responses.
15:16 < hyper_ch> krzie: not yet
15:16 < arcsky> krzie: yes i know bash 
15:16 < krzie> arcsky, try my confgen! =]
15:16 < krzie> !confgen
15:16 < vpnHelper> krzie: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
15:17 < ecrist> krzie: you started keeping svn up to date yet? ;)
15:17 < arcsky> link seems dead
15:18 < krzie> oh damn thats right
15:18 < krzie> that network is down (very rare)
15:18 < krzie> ecrist, yes svn should be up to date
15:19  * ecrist points krzie to svn
15:19 < ecrist> arcsky: http://www.secure-computing.net/svn/trunk/openvpn-confgen/
15:19 < vpnHelper> Title: svn - Revision 313: /trunk/openvpn-confgen (at www.secure-computing.net)
15:19 -!- krzie is now known as krzee
15:20  * ecrist lols as he reads krzee's last commit message
15:20 < krzee> arcsky, toss those 3 files in a dir with +x, and run confgen
15:20 < krzee> haha, what was it?
15:20 < krzee> something about not wanting ecrist to hurt me?
15:20 < ecrist> krzee: updating so ecrist doesnt smack me
15:20 < krzee> lol ya
15:21 < krzee> hey that svn came in handy today!
15:21 < krzee> glad you started the confgen branch, thanx =]
15:21 < ecrist> np
15:22 < ecrist> don't doubt the rock-solid "ecrist's basement hosting emporium"
15:22 < krzee> well its doing better than the mexico border datacenter today
15:23 < krzee> hemp/joogot sit at the border of san diego / mexico
15:23 < ecrist> ahh
15:23 < ecrist> xxx seems fairly flakey, too
15:23 < krzee> literally, if you pass the exit, you are in mexico
15:23 < krzee> xxx is in a DC that gets hit by ddos
15:24 < ecrist> oh, that's right, you told me that.
15:24 < krzee> hemp/joogot dont normally go down
15:24 < ecrist> *shrug* the price is right.
15:24 < krzee> re xxx, hey the price is right for both of us
15:24 < krzee> lol, beat me to it
15:24 < ecrist> lol
15:25 < ecrist> I was thinking of ircing out of the openvpn forum box for a while.
15:25 < krzee> when i asked my buddy why it was down the other day he appologized
15:25 < ecrist> working on getting that set up.
15:25 < krzee> i lol'ed
15:25 < krzee> he cant appologize to me for that!
15:25 < krzee> for my free box going down from his uplink getting ddos'ed
15:25 < ecrist> heh
15:25 < ecrist> it was probably his fault anyhow.
15:26 < krzee> thats the last thing warranting an apology i can think of
15:26  * ecrist aways, baby crist needs some attention.
15:26 < krzee> not likely, he doesnt do too much more than mirror opensource stuffs
15:26 < krzee> (from that box)
15:28 < lazarus477> If I generate a key and cert for a client then change their filenames, would that be a problem? Does the contents of these files depend on the filenames not being modified?
15:28 < lazarus477> I ask because I have sterange problems with an error that they client.crt file cannot be read, client is windows 7 pro and openvpn gui is set to run as administrator
15:28 < lazarus477> .
15:30 < lazarus477> krzee: Yep saw your responce now on the --script-security 2 thing.
15:30 < lazarus477> krzee: And no I am not running any scripts :-)
15:31 < lazarus477> d 
15:32 < kisom> lazarus477: you may change the file names
15:33 < kisom> windows usually hide the extension of known file names, that may be your problem
15:33 < lazarus477> kisom: ty.
15:33 < lazarus477> kisom: Not a problem. I turned off that silly feature, since I prefer seeing file extentions.
15:34 < arcsky> krzee: i added push "redirect-gateway def1" to my conf but it still doesnt work
15:34 < krzee> did you also setup your NAT and ip forwarding?
15:34 < krzee> ie: the rest of !redirect
15:34 < krzee> s/ie/aka/
15:34 < arcsky> ah nah ok
15:34 < krzee> lol
15:35 < krzee> ya, that stuff wasnt suggestions, it was what you have to do
15:35 < krzee> lazarus477, did you see the rest?
15:35 < krzee> lazarus477, 
15:35 < krzee> !path
15:35 < vpnHelper> krzee: "path" is always use full paths in your config file, it makes things easier
15:36 < krzee> !winpath
15:36 < vpnHelper> krzee: "winpath" is Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key"
15:36 < arcsky> iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
15:37 < krzee> you are using 10.0.0.0/24 for you --server command?
15:37 < krzee> that is too common
15:37 < krzee> !samesubnet
15:37 < vpnHelper> krzee: "samesubnet" is clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
15:37 < krzee> when a client comes online from 10.0.0.0/24 in his local lan, things will break
15:37 < arcsky> server 10.0.0.0 255.255.255.0
15:37 < krzee> use something uncommon like 10.8.0.0
15:38 < krzee> (or 10.8.1.0 like my confgen would have suggested)
15:38 < krzee> why dont you try my confgen...?
15:38 < krzee> i made it for you!
15:38 < arcsky> ;D
15:38 < arcsky> why ist bad with 10.0.0.0 ?
15:38 < krzee> [13:40]  <vpnHelper> krzee: "samesubnet" is clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
15:38 < krzee> [13:40]  <krzee> when a client comes online from 10.0.0.0/24 in his local lan, things will break
15:39 < arcsky> k
15:43 < arcsky> works
15:44 < krzee> =]
16:03 < lazarus477> krzee: I sorted out my original problems now. It was me not being used to Vista and or Windows7 (Documents and settings) vs (Users) folders...
16:04 < lazarus477> Now I have a more decent issue, hang on while I grab a line of text.
16:04 < lazarus477> I have thiss issue now: VERIFY ERROR: depth=0, error=unsupported certificate purpose:
16:09 < lazarus477> On the server side I see this in the log: Expected Remote Options hash (VER=V4): '41690919'
16:10 < lazarus477> And: Local Options hash (VER=V4): '530fdded'
16:24 < krzee> i take it you use nscerttype
16:24 < krzee> in client config
16:24 < krzee> right?
16:25 < lazarus477> krzee: checking
16:25 < krzee> my guess, you are but you didnt sign the server cert as a server cert
16:25 < lazarus477> yes
16:25 < krzee> or something of that nature
16:26 < lazarus477> on the client set to server
16:26 < krzee> post both configs
16:26 < lazarus477> ns-cert-type server, and this is the Client...
16:26 < krzee> and the client is giving the error"
16:26 < krzee> ?
16:26 < lazarus477> yes
16:26 < lazarus477> and the same error shows on the server as well.
16:27 < krzee> you have nscerttype on your server config too?
16:27 < lazarus477> checking, should be.
16:29 < krzee> actually, should not be
16:30 < lazarus477> krzee: Right, I cannot locate a line with ns-cert-type in the server.conf file
16:30 -!- cool [~cool@unaffiliated/gary4gar] has joined ##openvpn
16:30 < krzee> good
16:30 < krzee> !certverify
16:30 < vpnHelper> krzee: "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
16:30 < krzee> !certinfo
16:30 < vpnHelper> krzee: "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
16:31 < krzee> verify both, post info from server cert on pastebin
16:32 < lazarus477> Well I ran openssl verify on the client.crt and the ca.crt files, appeared to be ok. Shall recheck.
16:36 < lazarus477> I ran the sugested openssl verify command and got this interesting output: error 20 at 0 depth lookup:unable to get local issuer certificate
16:36 < krzee> erm
16:36 < krzee> you pointed to the ca file correctly...?
16:37 < lazarus477> Is certverify a script or program bundled with openvpn?
16:37 < lazarus477> krzee: I shall double check.
16:37 < krzee> umm niether
16:37 < krzee> its part of openssl
16:37 < krzee> which is why its an openssl command...
16:37 < krzee> openssl verify -CAfile <ca.crt> <client.crt>     for client.crt and server.crt
16:38 < lazarus477> You know what, I did a funny thing. When refering to the ca, cert and key files I typed: ./easy-rsa/2.0/keys/xxx.* 
16:38 < lazarus477> I think this might now work as expected, pointing to a relative location using ./..../..
16:39 < krzee> why would you start ./
16:41 < lazarus477> Good question. I shall provide full pathes and see what happens ;-)
16:41 < krzee> even if you wanted relative, you could just start with next dir, no reason to specify starting from current dir
16:41 < lazarus477> ok
16:41 < lazarus477> good to know
16:41 < krzee> or you can go to the right dir and just point to the file
16:41 < cool> Hi, I am getting the following error in openvpn.log on server. saying  'MULTI: bad source address from client is packet dropped'. Can anyone tell what's the reason?
16:41 < lazarus477> Well I was sorta trying it out to see if it would work.
16:42 < cool> CLient and Server configration files --> http://pastebin.com/5kxzaN9f
16:42 < cool> server log of openvpn --> http://pastebin.com/CPL9KRKF
16:42 < krzee> cool, is a machine on the client side LAN trying to communicate over the vpn (including responding to other side starting it)?
16:42 < cool> krzee: yes
16:43 < krzee> you either are missing an iroute, or your ccd file isnt being read
16:43 < krzee> !iroute
16:43 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
16:43 < krzee> i see you dont have a ccd command... so ya thats the problem
16:43 < cool> Client side logs do not have any errors but can't ping
16:43 < krzee> as explained inL
16:43 < krzee> !route
16:43 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:43 < krzee> s/inL/in:/
16:43 < lazarus477> Nope, did the change and restarted the openvpn deamon, still get errors. I shall pastebin the log.
16:44 < krzee> lazarus477, i didnt tell you anything would change
16:44 < krzee> i said to post certinfo from server cert
16:44 < cool> krzee: should I added client-config-dir ccd to server.conf?
16:44 < krzee> !certinfo
16:44 < vpnHelper> krzee: "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
16:44 < krzee> cool, see !route
16:44 < krzee> you didnt setup the client side LAN
16:44 < krzee> yes, a ccd will be needed
16:44 < lazarus477> Na, iroute is not the issue.
16:44 < cool> I googled, and came across this blog post --> http://www.void.gr/kargig/blog/2008/05/17/openvpn-multi-bad-source-address-from-client-solution/
16:44 < krzee> lazarus477, cool's issue is iroute
16:44 < vpnHelper> Title: Openvpn MULTI: bad source address from client solution | Into.the.Void. (at www.void.gr)
16:45 < lazarus477> ah, sorry, hehe.
16:45 < krzee> lazarus477, your issue is likely not having signed the server cert right
16:45 < krzee> cool, if you want to figure it out yourself with google, have fun
16:45 < krzee> cool, but its fully explained in !route
16:45 < krzee> cool, you are missing more than just an iroute btw
16:45 < cool> what else?
16:46 < krzee> fuck that, i spent hours writing a doc explaining what else
16:46 < krzee> if you dont wanna read it, im not explaining it step by step
16:46 < cool> sorry, I would read it
16:46 < krzee> =]
16:46 < cool> just don't get angry with me
16:46 < krzee> not angry
16:47 < krzee> just hate when people ignore the doc and want it spoonfed, happens more than you may think
16:47 < krzee> likewise, i love when someone enters, types !welcome, sees they want !route, and sets everything up without ever talking to anyone
16:47 < krzee> that makes me a happy panda
16:48 < krzee> !route
16:48 < cool> Already, I will read your docs
16:48 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:48  * cool grabs a cup of tea and starts reading
16:48 < krzee> in fact i mention the EXACT error you had in that doc ;)
16:52 < lazarus477> For the interested: http://pastebin.org/313640
16:52 < lazarus477> That is the output from the client.
16:52 < krzee> lazarus477,
16:52 < krzee> [14:47]  <krzee> lazarus477, i didnt tell you anything would change
16:52 < krzee> [14:47]  <krzee> i said to post certinfo from server cert
16:52 < krzee> !certinfo
16:52 < vpnHelper> krzee: "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
16:53 < lazarus477> gotcha
16:53 < cool> krzee: you explained it pretty well
16:54 < krzee> cool, thanx, i definitely tried to
16:54 < krzee> before i fully understood iroute i ended up reading the source on it
16:54 < cool> krzee: that digram is worth thousand words
16:55 < krzee> took me awhile to fully understand it all enough to setup what i like to call vpnchains
16:55 < krzee> after that, i decided to write what i hoped would be the best doc around on it
16:55 < krzee> cause i couldnt find any complete docs explaining what AND why
16:56 < cool> yeah, It need understanding about networking. Mine is bit rusty, hence I am having problems
16:59 < lazarus477> Here is the output of certinfo from the client.crt file: http://pastebin.org/313658
17:03 < lazarus477> krzee: I followed the installation howto to the letter.
17:03 < lazarus477> To the best of my knowledge.
17:03 < lazarus477> I wonder where I went wrong.
17:05 < lazarus477> I am re-reading the howto PKI section.
17:06 < krzee> you didnt use build-key-server
17:06 < krzee> !mitm
17:06 < vpnHelper> krzee: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
17:06 < krzee> to test thats it, you can comment out the ns-cert-type in client config
17:06 < krzee> then it should connect
17:06 < krzee> and then you can go back and rebuild your server cert
17:07 < lazarus477> krzee: Well if that is the problem then heck yes, simple to test. I can then only imagine I made a misstype at the keyboard because I knew I was suposed to use build-key-server server.
17:08 < lazarus477> I shall try modifying the client config now.
17:12 < krzee> from mine:
17:12 < krzee>         X509v3 extensions:
17:12 < krzee>             X509v3 Basic Constraints: 
17:12 < krzee>                 CA:FALSE
17:12 < krzee>             Netscape Cert Type: 
17:12 < krzee>                 SSL Server
17:12 < krzee>             Netscape Comment: 
17:12 < krzee>                 ssl-admin (OpenSSL
17:12 < krzee> from yours:
17:12 < ecrist> bah
17:12 < krzee>         X509v3 extensions:                                                                                                                     
17:12 < krzee>             X509v3 Basic Constraints:
17:12 < krzee>                 CA:FALSE
17:12 < krzee>             Netscape Comment:
17:12 < krzee>                 Easy-RSA Generated Certificate
17:12 < krzee> ignore the comment, i use ssl-admin, but you can use easy-rsa
17:13 < lazarus477> Hmm
17:14 < lazarus477> Yea I am missing the line that says "Netscape Cert Type: SSL Server".
17:15 < krzee> right
17:15 < lazarus477> I just did certinfo on server.crt and same thing there.
17:15 < krzee> your paste wasnt from server!?@?
17:15 < lazarus477> Should I use key-build-server on both client and server certs?
17:15 < krzee> lol, no
17:15 < lazarus477> No it was from client.
17:15 < krzee> LOL
17:15 < krzee> [14:56]  <krzee> [14:47]  <krzee> lazarus477, i didnt tell you anything would change
17:15 < krzee> [14:56]  <krzee> [14:47]  <krzee> i said to post certinfo from server cert
17:15 < lazarus477> Ok good. 
17:16 < lazarus477> Oh, god, my mind is not up to specs, must be the heat wave...
17:16 < lazarus477> I swear I usually am not this sloppy....
17:16 < ecrist> what's with all the pasting?
17:16 < lazarus477> ecrist: Me screwing up.
17:16 < krzee> pointing out that ive been telling him the same thing for over 30min ;]
17:16 -!- cool [~cool@unaffiliated/gary4gar] has quit [Ping timeout: 276 seconds]
17:17 < lazarus477> For everyones info I have run two successful vpn setups for two years without this many issues!
17:17 < krzee> anyways, you know what to do
17:17 < lazarus477> krzee: Yep.
17:17 < krzee> time for me to watch a movie on my new iphone
17:17 < lazarus477> kreg: Do I need to regenerate new client certs as well now?
17:17 < krzee> not if certverify worked
17:17 < lazarus477> Ok
17:18 < krzee> the problem is you are telling your client to ONLY connect to a server who has been signed specifically as a server 
17:18 < krzee> yet, you didnt sign it as a server
17:18 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
17:21 < lazarus477> krzee: Btw, should I skip using a challange password for the server.crt ?
17:22 -!- cool [~cool@unaffiliated/gary4gar] has joined ##openvpn
17:22 < lazarus477> I asume it is pointless, would require manual intervention?
17:22 < krzee> skip it
17:22 < cool> !welcome
17:22 < vpnHelper> cool: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:22 < cool> !route
17:22 < vpnHelper> cool: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:23 < cool> !redirect
17:23 < vpnHelper> cool: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:23  * krzee happy panda
17:23 < krzee> :-p
17:23 < lazarus477> Netscape Cert Type: SSL Server
17:23 < lazarus477> Now we are cooking.
17:23 < cool> krzee: I am trying, added ccd directive but still I get packet dropped error
17:23 < krzee> does you server drop permissions?
17:24 < krzee> --user --group...
17:24 < krzee> hrm. nope it doesnt
17:24 < cool> krzee: here is the new server log --> http://pastebin.com/NrgB6v3z
17:24 < krzee> be sure the ccd dir has +x
17:24 < cool> krzee: I did 777 to be on safe side
17:25 < cool> it does read the ccd and 'learns' the address
17:25 < krzee> Sun Jun  6 11:12:38 2010 us=733955 home/59.95.166.165:3804 OPTIONS IMPORT: reading client specific options from: ccd/home
17:25 < krzee> Sun Jun  6 11:12:38 2010 us=734006 home/59.95.166.165:3804 Options error: option 'route' cannot be used in this context
17:25 < krzee> i think you are missing an i
17:25 < krzee> iroute, not route, for the ccd file
17:25 < cool> ok
17:26 < krzee> sounds like a simple enough typo
17:26 < lazarus477> yea but I still get the same errors.
17:26 < lazarus477> Could this have anything to do with file permissions?
17:26 < krzee> lazarus477, did you ever try uncommenting that line like i said?
17:26 < krzee> err commenting i t
17:26 < cool> lets restart server and test. Brb
17:27 < lazarus477> I set openvpn to switch over to user nobody and group nobody.
17:27 < lazarus477> krzee: Yes I did try, and with no change.
17:27 < lazarus477> krzee: I commented it.
17:27 < krzee> then theres a different problem
17:27 < krzee> !configs
17:27 < lazarus477> krzee: Also now with a proper server.crt server certificate I tried both commented and uncommented.
17:27 < krzee> !logs
17:27 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
17:27 < vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
17:28 < lazarus477> !luck
17:28 < vpnHelper> lazarus477: Error: "luck" is not a valid command.
17:28 < krzee> double-check you have the exact exact same ca.crt on both sides
17:28 < lazarus477> lol
17:28 < lazarus477> I do
17:28 < lazarus477> I only generated one copy.
17:28 < krzee> i didnt say tell me you do, i said double-check
17:28 < krzee> coulda been in error in transmission
17:28 < lazarus477> This copy I transfered over rsync & ssh to a samba share then copied to the Win7 client.
17:29 < lazarus477> true, although this network has been rock solid for months.
17:30 < krzee> that means very very little to me, double-check it!
17:30 < krzee> (im telling you these things for you, not for me)
17:30 < cool> krzee: I corrected that typo but its still dropping packets
17:31 < lazarus477> krzee: I hear ya. retransfering, now over USB.
17:31 < krzee> cool, paste me the line from ccd/home
17:31 < krzee> err paste me the whole file
17:31 < cool> krzee: here is the log --> http://pastebin.com/VVWd8knU
17:31 < krzee> in here is fine, it should only have 1 line
17:32 < krzee> but dude
17:32 < krzee> what lan is 10.10.1.0
17:32 < cool> # cat ccd/home 
17:32 < cool> iroute 10.10.1.0 255.255.255.0
17:32 < krzee> i have a strong feeling you skimmed my !route doc
17:32 < cool> I am guilty
17:32 < krzee> what is 10.10.1.0 behind... obviously its not the LAN behind home
17:32 < cool> lol
17:33 < krzee> go READ my doc
17:33 < cool> k
17:33 < krzee> you thought youd understand everything from a picture
17:33 < krzee> obviously not
17:33 < krzee> and you'll likely run into another problem if you dont read the rest
17:33 < krzee> and i will refuse to point out what it is
17:33 < krzee> so go READ it ALL
17:34 < cool> krzee: okay, I am thinking of shifting to 192.168.xx.xx series
17:34 < lazarus477> What are .pem files for?
17:34 < cool> that worked the last time
17:34 < lazarus477> I got 01.pem, 02.pem etc.
17:34 < krzee> cool, just remember to keep all networks that route over vpn very uncommon
17:34 < krzee> cool, it has nothing to do with that
17:34 < krzee> lazarus477, its an alternative style for certs
17:34 < krzee> combined files
17:35 < lazarus477> krzee: Well I got these, what am I suposed to do with them?
17:36 < krzee> nothing
17:36 < krzee> you arent using pem style, you're using cert/key
17:36 < lazarus477> ok
17:36 < lazarus477> then I will read up on pem later.
17:37 < krzee> it should all be in the manual...
17:37 < krzee> !man
17:37 < lazarus477> But it explains why easy-rsa asked me to enter a pem passphraze as well.
17:37 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
17:37 < cool> krzee: just one question, My client has lan(10.8.0.1) and client has (10.8.0.6). Is that correct?
17:38 < krzee> yes, because:
17:38 < krzee> !/30
17:38 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
17:39 < cool> thanks
17:39 < krzee> yw
17:40 < lazarus477> I still get unsuported certificate purpose TLS error with plaintext read error and handshake failed.
17:41 < krzee> something is wrong with your certs
17:41 < lazarus477> I shall try creating a new client cert as well, I might have mixed something up there too.
17:41 < lazarus477> yea
17:41 < krzee> start over from scratch if you can
17:41 < krzee> (ie if you dont have 100 client certs already distributed
17:41 < krzee> )
17:41 < lazarus477> I never ran into this in the past, and like I said, my mind is much. Got plenty going on and this summer heat is a killer.
17:48 -!- qfluid [~mathfeel@cpe-66-75-21-245.san.res.rr.com] has joined ##openvpn
17:49 < krzee> 5002
17:50 < krzee> (wrong vm)
17:54 < lazarus477> Correct me if I am wrong but the prefered setup is to run openvpn over UDP, not TCP since this would end up tunneling TCP over TCP in most cases and cause packet fragmentation?
17:55 < krzee> correct
17:55 < krzee> not because of frag, but the premise is correct
17:55 < krzee> to understand the why (if you care) read this
17:55 < krzee> !tcp
17:55 < vpnHelper> krzee: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
17:56 < krzee> #1 is the technical discussion about it
17:56 < krzee> which the manual points to
17:56 < krzee> #2 is good for explaining to your non-technical boss ;]
17:56 < lazarus477> ty
17:57  * lazarus477 is the boss and he is as technichal as he can be.
17:57 < lazarus477> lol
18:10 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
18:10 < lazarus477> Hey! I notice something very fishy about the error log output from the client.
18:11 < lazarus477> I used Swedish encoded characters and in the log I see the error is showing these characters messed up with a bunch of extra characters.
18:11 < lazarus477> Looks like UTF8 got scrambled by ANSI conversion.
18:11 < lazarus477> Could this be my problem? Foreign language used in the fields of the certificate?
18:12 < krzee> yes
18:12 < lazarus477> Well can I use UTF8 encoding in a  cert at all? Or am I stuck with ANSI?
18:13 < krzee> stick to what us english speakers would use and you'll be fine, otherwise feel free to experiment
18:13 < lazarus477> AI used the same foreign language in both the ca cert, server and client certs.
18:13 < krzee> and how did that work for you...?
18:13 < krzee> heheh
18:13 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
18:13 < lazarus477> Well then I shall redo my keys from scratch, zeroing out all in the keys dir.
18:14 < lazarus477> I sure wish the whole world would speak a unified language or our computer systems and software were all UTF8 based...
18:15 < Bushmills> how come you wish that, on the one hand, but use swedish in the cert, on the other?
18:16  * krzee notes we have 3 people right now who natively speak different languages, but speak on an agreed language
18:16 < qfluid> hi, I have set up openvpn with a server and two client, each client can ping the server and vise versa, but they cannot ping each other...what am I missing?
18:16 < krzee> qfluid, 
18:16 < krzee> !c2c
18:16 < vpnHelper> krzee: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
18:16 < vpnHelper> krzee: behind other clients
18:17 < Bushmills> "I wish I wouldn't hurt you" *thump thump thump*
18:20 < krzee> qfluid, in other words, try putting client-to-client in your server config
18:20 < qfluid> krzee, so add !client-to-client?
18:20 < qfluid> or put "client-to-client"?
18:20 < qfluid> krzee, got it
18:20 < krzee> my bot explained what client-to-client is
18:20 < krzee> i use !command to make him talk
18:20 < krzee> !bot
18:20 < vpnHelper> krzee: "bot" is I'm a bot.. just a bot. krzee is my maintainer, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
18:20 < qfluid> krzee, :)
18:21 < qfluid> krzee, does it have to be before "server net subnet"?
18:21 < qfluid> because according to man, that expand to some conditional regarding client-to-client.
18:21 < krzee> whereever you want
18:21 < krzee> erm does it!?
18:21 < krzee> !man
18:21 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:22 < krzee> i know it can go anywhere, but i dont see what it would change in --server by having client-to-client enabled
18:22 < krzee> its just a matter of how client to client traffic is handled by the server
18:22 < krzee> one way it goes through the process
18:22 < krzee> other way it leaves the process and comes back if told to by the kernel
18:23 < krzee> ya man, --server says nothing about --client-to-client
18:23 < krzee> oh my bad, yes it does
18:24 < krzee> good observation qfluid!
18:24 < krzee> but ya, it can go whereever you like
18:26 -!- cool [~cool@unaffiliated/gary4gar] has quit [Quit: Lost terminal]
18:28 < lazarus477> !certinfo
18:28 < vpnHelper> lazarus477: "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
18:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
18:29 -!- le0_ [~fin@cpc4-bele7-2-0-cust381.know.cable.virginmedia.com] has quit [Quit: Leaving]
18:30 < qfluid> another thing I notice is that the clients are getting ip at increment of 4: 10.8.0.6, then 10.8.0.10...
18:30 < qfluid> anyway to set/config that?
18:30 < lazarus477> Ok I redid everything in the PKI step, got rid of old keys, made new ones. I had also prior to this removed any non english language from the vars file.
18:30 < lazarus477> I edited using vim. Vim is using UTF8 encoding but as far as I know it will be ANSI compatible as long as I stick to english.
18:30 < krzee> !/30
18:30 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
18:30 < krzee> !topology
18:31 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
18:32 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
18:34 < lazarus477> Hmm. For some reason I get TLS errors regarding the server certificate failing verification.
18:35 < krzee> be sure your client has the new ca.crt
18:35 < krzee> try certverify again
18:36 < lazarus477> I did
18:36 < lazarus477> I shall also recheck the new client cert
18:36 < lazarus477> !certinfo
18:36 < vpnHelper> lazarus477: "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
18:37 < lazarus477> looks fine
18:38 < krzee> then be sure you made your certs right this time
18:38 < krzee> no spaces in common names, nothing goofy in the cert
18:38 < lazarus477> ran certinfo on the Win7 client end as well, looks good.
18:39 < lazarus477> No spaces..............
18:39 < krzee> !certinfo
18:39 < vpnHelper> krzee: "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
18:39 < krzee> from client and server
18:40 < lazarus477> Can I use space in the field named "name" ?
18:40 < krzee> name?
18:40 < krzee> like the common-name...?
18:41 < krzee> no
18:41 < lazarus477> krzee: Check my msg
18:41 < krzee> wow
18:41 < lazarus477> I only used a space in field named "name".
18:41 < krzee> try making your certs way more normal
18:41 < lazarus477> But yea I can see how that might be a problem.
18:42 < lazarus477> Oh great, now I am doing things in a strange way, typical.
18:42 < krzee> your CN is abnormally long too
18:42 < lazarus477> yea
18:42 < krzee> try making things simple
18:42 < lazarus477> that was simple.
18:42 < lazarus477> hehe
18:42 < krzee> mine are simple, and work ;)
18:43 < lazarus477> I plan to tie together several networks from different organisations and different hosts.
18:43 < krzee> you will need !route
18:43 < lazarus477> I figured that naming schema was the most logical.
18:43 < krzee> you only need a single word to describe a lan
18:43 < krzee> "office"
18:43 < krzee> "city_name"
18:43 < krzee> whatever
18:44 < krzee> but like 10 words separated by -'s seems a lil overkill
18:44 < krzee> plus, theres other fields for all that
18:44 < lazarus477> ah
18:45 < lazarus477> I thought the CN field had to be unique between clients making connections?
18:46 < krzee> every CN must be unique
18:46 < krzee> but i think you can get away with far less characters and still have it unique
18:46 < krzee> lol
18:46 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Read error: Connection reset by peer]
18:46 < krzee> it doesnt need to be a complete sentence
18:47 < lazarus477> Well if I do not at least include the host name in the cn name then how can things be unique if say two office computers from the same company lan get certs using only one word in the name?
18:47 < krzee> LOL
18:47 < krzee> by not using the same word!
18:47 < krzee> oh and btw
18:47 < krzee> you dont need 2 machines in the same lan connecting
18:47 < krzee> as youd see by reading !route
18:47 < lazarus477> !route
18:47 < vpnHelper> lazarus477: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:48 < krzee> you only need one instance of openvpn per LAN
18:48 < lazarus477> Oh that!
18:48 < lazarus477> That I know. hehehe.
18:48 < lazarus477> But I am not only interconnecting LANs.
18:48 < lazarus477> I am also providing a means for road wariors to connect to home base ;-)
18:48 < krzee> so?
18:48 < lazarus477> Hence the long CN strings.
18:48 < krzee> you can have as many lans and as many road warriors as you want
18:49 < krzee> you dont need complete sentances in your CN, period.
18:49 < lazarus477> Hmm.
18:49 < krzee> im guna watch my movie
18:49 < krzee> bbl
18:49 < lazarus477> Well could you give me a textual example?
18:50 < lazarus477> I shall read that doc.
18:50 < lazarus477> Enjoy the movie
18:51 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Read error: Operation timed out]
18:55 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
18:57 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined ##openvpn
19:29 -!- qfluid [~mathfeel@cpe-66-75-21-245.san.res.rr.com] has quit [Ping timeout: 240 seconds]
19:41 -!- qfluid [~mathfeel@cpe-66-75-21-245.san.res.rr.com] has joined ##openvpn
19:52 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has quit [Quit: leaving]
20:00 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
20:02 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has joined ##openvpn
20:17 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:53 < lazarus477> I feel like a jack ass. I was staring myself blind all over the board and first now I noticed my major blunder.
20:53 < lazarus477> On the client config file I had silly enough set the ca cert line to point to the client cert file, argh.....
20:54 < lazarus477> Now I got a new problem.
20:54 < lazarus477> when connecting I get a message telling me the client cert is not yet valid and to make sure my clock is set right.
20:54 < lazarus477> I run openssl to examine the client cert and sure enough for some odd reason it is not set to be valid until a few hours from now.
20:54 < lazarus477> what causes this?
20:57 -!- qfluid [~mathfeel@cpe-66-75-21-245.san.res.rr.com] has quit [Ping timeout: 265 seconds]
20:57 < lazarus477> !time
20:57 < vpnHelper> lazarus477: Error: "time" is not a valid command.
21:00 -!- qfluid [~mathfeel@cpe-66-75-21-245.san.res.rr.com] has joined ##openvpn
21:06 < qfluid> krzee, I was playing with server config some more. I noticed that when I set "topology subnet", the clients can no longer ping each other even with "client-to-client"
21:12  * theDoc screams and runs to new all the domains
21:12 < theDoc> >_<
21:26 -!- tjz [~pc@bb116-14-142-112.singnet.com.sg] has joined ##openvpn
21:26 -!- tjz [~pc@bb116-14-142-112.singnet.com.sg] has quit [Changing host]
21:26 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
22:09 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has quit [Remote host closed the connection]
22:14 -!- Abhishek_Singh [~Abhishek@220.225.244.114] has joined ##openvpn
22:40 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
23:27 -!- onats [~onats@unaffiliated/onats] has quit [Remote host closed the connection]
23:32 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
23:32 -!- Abhishek_Singh [~Abhishek@220.225.244.114] has quit [Ping timeout: 276 seconds]
23:36 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has joined ##openvpn
--- Day changed Mon Jun 07 2010
00:32 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 240 seconds]
00:48 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
01:04 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
01:09 -!- kala_ [~kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
01:11 -!- kala [~kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: Operation timed out]
01:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
01:22 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
01:37 -!- lambrecht [~system@d51A4E044.access.telenet.be] has joined ##openvpn
01:43 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 276 seconds]
01:44 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has quit [Ping timeout: 240 seconds]
01:45 -!- Abhishek_Singh [~Abhishek@220.225.244.114] has joined ##openvpn
01:45 < kraut> moin
01:55 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 272 seconds]
01:57 -!- kurzweil4 [~someone@24.145.141.56] has joined ##openvpn
01:57 < kurzweil4> how can I log all of the web traffic passing through my server via openvpn?
02:14 < kurzweil4> the web URLs that visitors are using that is
02:17 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
02:20 -!- disposable [disposable@blackhole.sk] has quit [Ping timeout: 276 seconds]
02:20 -!- qfluid [~mathfeel@cpe-66-75-21-245.san.res.rr.com] has quit [Quit: Leaving]
02:24 < |Mike|> krzee: ahem, what's the correct syntax then ? :)
02:24 < Bushmills> kurzweil4: use a web traffic logger
02:25 < Bushmills> or look at web server logs
02:25 < Bushmills> or run a proxy, and look at its logs
02:29 < kurzweil4> anything specific you have in mind for Linux?
02:30 < kurzweil4> the thing I am unsure about ...if I had a squid proxy ...is how to force the HTTP traffic through it
02:36 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:37 < Bushmills> google for forced proxy or transparent proxy
02:37 < kurzweil4> on it ...thanks
02:37 < Bushmills> you'd configure that on server
02:39 -!- lambrecht [~system@d51A4E044.access.telenet.be] has quit [Ping timeout: 240 seconds]
02:42 < kurzweil4> by the way ...is the openvpn log customizable? ...ie ..what gets logged etc
02:43 < kisom> kurzweil4: well, you can set verb
02:43 < Bushmills> well, openvpn is available as source, and with the source, you can customize about everything
02:43 < kurzweil4> ok ...so the logging is hard-coded
02:48 < kisom> yes, as far as i know
02:48 < kurzweil4> ok
02:48 < kisom> haven't really read the logging part of the source code
02:49 < kurzweil4> well guys ...thanks for the info and help ...I am off to bed
02:49 < kurzweil4> later
02:49 -!- kurzweil4 [~someone@24.145.141.56] has quit []
03:03 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
03:07 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
03:17 -!- BoomSie [~gideon@dw77242112238.amsterdam-tc.dataweb.net] has joined ##openvpn
03:36 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
03:36 -!- mode/##openvpn [+o mattock] by ChanServ
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:40 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 276 seconds]
03:47 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
03:49 -!- dazo_afk is now known as dazo
04:26 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
04:27 < freaky[t]> !welcome
04:27 < vpnHelper> freaky[t]: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:28 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
04:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
04:53 -!- sara2010 [~sara@202.100.181.58.dynamic.max.com.pk] has joined ##openvpn
04:54 -!- sara2010 [~sara@202.100.181.58.dynamic.max.com.pk] has left ##openvpn ["Leaving"]
04:59 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
05:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:02 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
05:18 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
05:19 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Client Quit]
05:37 -!- BoomSie [~gideon@dw77242112238.amsterdam-tc.dataweb.net] has quit [Quit: Ex-Chat]
05:38 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
05:46 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
05:55 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:55 -!- Scrufffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
05:56 < Scrufffy> hi
05:56 < Scrufffy> !welcome
05:56 < vpnHelper> Scrufffy: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:57 < Scrufffy> !route
05:57 < vpnHelper> Scrufffy: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
05:57 < Scrufffy> :/*
05:58 < Scrufffy> I have a problem and I havn't a firewall..
05:59 < Scrufffy> i'm plugged into my openvpn, my config works
06:00 < Scrufffy> I can resolve ip of websites but nothing appears, nothing happens
06:01 < Scrufffy> my bind configured properly and I also haven't got a firewall also
06:02 < Scrufffy> sorry for my bad english, but someone should have an idea ?
06:17 < Bushmills> yes. tell what your problem is.,
06:18 < Scrufffy> [12:59:53] <Scrufffy> I can resolve ip of websites but nothing appears, nothing happens
06:18 < Bushmills> here also nothing happens
06:19 < Bushmills> when i resolve them, i only see the ip address
06:19 < Bushmills> that's correct, i don't want to appear anything when resolving them
06:20 < Bushmills> but apart from things which are correct, you also mentioned a problem
06:21 < Scrufffy> so... you understand my problem or not ?
06:22 < Bushmills> what problem?
06:24 < Scrufffy> concretely : my vpn fails to resolve the sites or make request
06:25 < Bushmills> ah. it is not the task of the vpn to resolve anything. it is the task of resolver and a recursive name server. vpn may provide the connection between the two.
06:26 < Bushmills> but it is your task to set things up that resolver can use a recursor which works for it
06:26 < Bushmills> also, vpn doesn't make requests. it can transport them, and transport any replies - if there are any - back.
06:26 < Bushmills> this requires cooperation of local and possibly remote routing
06:26 < Scrufffy> holy shit...
06:27 < Scrufffy> please understand me, i'm french
06:27 < Scrufffy> don't play on my words
06:28 < Scrufffy> is difficult to explain my concern
06:28 < Bushmills> have you set up resolver correctly?
06:29 < Bushmills> consider that if it is difficult to explain, it is also difficult to understand
06:29 < Scrufffy> yes, bind9
06:29 < Bushmills> and even more difficult to provide a solutiuon
06:30 < Bushmills> and without telling about your setup, one must either guess, or pull the details from you. such as, does your name server run on vpn server or on vpn client? has it been configured to allow recursion? if on server, does client use it to resolve?
06:31 < Bushmills> don't assume that if you know, that the rest of the world knows too
06:37 < ecrist> !irclogs
06:38 < vpnHelper> ecrist: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days.
06:38 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
06:38 < ecrist> !forget irclogs *
06:38 < vpnHelper> ecrist: Joo got it.
06:38 < ecrist> !irclogs
06:38 < vpnHelper> ecrist: Error: "irclogs" is not a valid command.
06:39 < ecrist> !learn irclogs as Channel logs are available at http://secure-computing.net/logs/openvpn.txt and are updated in real-time while ecrist is online.
06:39 < vpnHelper> ecrist: Joo got it.
06:39 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
06:40 < Scrufffy> Bushmills can I pm you ?
06:41 < Bushmills> if a problem can't be described in public, why would PM make that any easier?
06:42 < Bushmills> also, with PM you deny others the possibility  to help you
06:43 < Scrufffy> I can give you an access to my dedicated server...
06:44 < Bushmills> that's something you want a consultant for
06:45 < Scrufffy> drops
06:45 < Scrufffy> you mind very closed and bounded
06:46 < ecrist> Scrufffy: we're not consultants, unless you're willing to pay. ;)
06:47 < Bushmills> why would you call my mind closes when I strive to allow solutions to be seen by public?
06:47 < Bushmills> losed
06:47 < Scrufffy> the English you don't know the concept of using
06:48 < Scrufffy> it's different on french channels
06:48 < Bushmills> i am not english. i have learned english like you did
06:48 < Bushmills> only, i don't apologize for it
06:50 < Scrufffy> in any case the way you speak is contemptuous
06:50 < Scrufffy> I hate this
06:50 < Scrufffy> finally, it's ok, just sad
06:50 < Bushmills> well, there are other people here, you may speak english in a way you hate less
06:51 < Bushmills> who
06:51 < Bushmills> maybe they can figure out from the limited information you gave what your problem actually is, and provide a solution.
06:53 < Scrufffy> I could give you sudo on my server just so you understand the problem without solving it myself, I can solve it alone, and if necessary I can pay you through paypal I'm not stingy
06:54 < Scrufffy> but I think you're too stiff to work like that
06:54 < Bushmills> i might have gone for that if the communication had been a bit more friendly, and less accusing. but since i'm closed minded, and using contemptuous english, i have lost interest
06:55 < Scrufffy> it was enough to try to understand my poor English and do not want explain how a VPN because I know
06:57 < ecrist> offering sudo access to your server to someone  you basically just pissed off?  that's funny
06:57  * ecrist chuckles.
06:58 < Scrufffy> no worries there, just to understand and make things happen, I can reinstall it after
06:58 < Bushmills> i'm not pissed off.i simply lost interest.
06:59 < Scrufffy> it's a lowcost dedicated server, I do not care
07:00 < Scrufffy> Bushmills : ok no problem
07:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
07:51 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
07:56 < |Mike|> hmz, is it possible to use some kind of failover with an asterisk pbx?
07:56 < |Mike|> (over openvpn ofc..)
07:57 -!- Abhishek_Singh [~Abhishek@220.225.244.114] has quit [Read error: Operation timed out]
08:10 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has joined ##openvpn
08:15 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has joined ##openvpn
08:15 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has quit [Ping timeout: 248 seconds]
08:27 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has joined ##openvpn
08:32 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has quit [Ping timeout: 260 seconds]
08:44 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has joined ##openvpn
08:50 -!- Abhishek_Singh [~Abhishek@210.212.20.75] has quit [Ping timeout: 258 seconds]
08:53 -!- fluvvell [~barryc@port166-72.ubs.maxnet.net.nz] has quit [Ping timeout: 276 seconds]
08:56 -!- fluvvell [~barryc@port166-72.ubs.maxnet.net.nz] has joined ##openvpn
09:05 -!- Abhishek_Singh [~Abhishek@220.225.244.114] has joined ##openvpn
09:12 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has quit [Remote host closed the connection]
09:15 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Ping timeout: 272 seconds]
09:18 -!- darkscrypt_ [~darkscryp@216.162.34.42] has quit [Quit: Leaving]
09:21 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
09:24 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:24 < Omegadarkest> have openvpn up on vmware, i can hit the web interface, it accepted the lic key. Testing connectivity fails, unable to connect from a client on the internet to your access server. I have a fortigate 60 router. I have ports 443, 1443(for clients), 943 fwd to the openvpn server but i cant hit it from the outside. am i missing something? 
09:37 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Ping timeout: 276 seconds]
09:40 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
09:42 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
09:42 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
09:46 < |Mike|> Omegadarkest: yeah
09:46 < |Mike|> !howto
09:46 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:47 < |Mike|> !logs
09:47 < vpnHelper> |Mike|: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
09:47 < |Mike|> !configs
09:47 < vpnHelper> |Mike|: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
09:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
10:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
10:14 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:14 -!- notbrien [~notbrien@2002:d052:dd6:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
10:14 -!- notbrien [~notbrien@2002:d052:dd6:0:5ab0:35ff:fe80:9b4b] has quit [Remote host closed the connection]
10:15 -!- notbrien [~notbrien@2002:d052:dd6:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
10:15 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 245 seconds]
10:16 -!- notbrien [~notbrien@2002:d052:dd6:0:5ab0:35ff:fe80:9b4b] has quit [Read error: Connection reset by peer]
10:17 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Remote host closed the connection]
10:21 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:26 -!- notbrien [~notbrien@2002:d052:dd6:0:5ab0:35ff:fef5:7a5f] has joined ##openvpn
10:29 -!- dgoulet [~dgoulet@smtpin.revolutionlinux.com] has joined ##openvpn
10:30 < dgoulet> !welcome
10:30 < vpnHelper> dgoulet: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:31 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:32 < dgoulet> on AUTH_FAILED then SIGTERM[soft,auth-failure] received, is there a way to tell OpenVPN NOT to sigterm and just reconnect on AUTH_FAILED?
10:33 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
10:34 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Client Quit]
10:35 -!- dgoulet [~dgoulet@smtpin.revolutionlinux.com] has quit [Quit: leaving]
10:35 -!- Abhishek_Singh [~Abhishek@220.225.244.114] has quit [Remote host closed the connection]
10:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 248 seconds]
10:43 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
11:01 -!- lampliter [~chatzilla@c-76-19-126-1.hsd1.ma.comcast.net] has joined ##openvpn
11:03 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 272 seconds]
11:04 < lampliter> can I, from the client-side configuration, refuse a DNS entry in the DHCP packet?
11:04 < lampliter> More often than not, it's the wrong thing for me to get DNS entries from the far side of the VPN
11:32 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has quit [Read error: Connection timed out]
11:32 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has joined ##openvpn
11:33 -!- darkscrypt [~darkscryp@216.162.34.42] has joined ##openvpn
11:33 -!- Kyle__ [~kschmitt@173-165-60-19-Illinois.hfc.comcastbusiness.net] has joined ##openvpn
11:35 < Kyle__> I'm trying to setup two openvpn boxes to connect two private networks, and I'm wondering: where do you put the public keys?
11:35 < Kyle__> The instructions I'm following don't say anything about it...
11:36 < lampliter> pick one side to be a "client" I would guess
11:36 < Kyle__> lampliter: Err, I'm working off of the shorewall "OpenVPN" example, and it had me set them both up as servers...
11:37 < lampliter> ah
11:37 < Kyle__> I used the scripts in the easy-rsa example to build my keys and certs, and openvpn starts up without complaint on both sides.
11:37 < Kyle__> In each log I see a failed attempt to login from the other server (kindof expected that).
11:38 < Kyle__> I figured I just need to exchange keys now, right?
11:38 < lampliter> I expect
11:39 < lampliter> seems to me that there should be some documentation on net to net VPN configuration
11:40 < Kyle__> lampliter: There seems to be more on using a bridge adapter, but those are always alot of work.  Back in the early 2000's I made brdiged wireless-wired networks and bridged firewalls.  Wasn't worth it :) this actually seems much easier (if only it were slightly more documented).
11:40 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
11:40 < lampliter> same for me except back then, I was a sendmail expert
11:41 < Kyle__> I was a student trying to break into linux sysadmin back then, which meant I had all the time in the world to hack that sort of thing.  
11:41 < Kyle__> THen you get real work doing that, and can't do the hackish version for work ;)
11:42 < lampliter> let's see, back in 2000 I was a IT manager for hire running the administration group for a nationwide ISP
11:43 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
11:43 < lampliter> we had a perfectly good infrastructure based on FreeBSD but because they were going IPO, we had to switch to Linux to make things look good for the stockholders
11:43 < theDoc> Heil Loonix!
11:43 < Kyle__> lampliter: Should be 6 of one 00000110 of the other
11:43 < Kyle__> (not saying it always is, just should be)
11:43 < lampliter> for the most part, nothing changed except the login prompt
11:44 < lampliter> and I put the group through hell then apologized for management idiocy
11:44 < lampliter> turned a blind eye when they needed time off
11:44 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
11:45 < lampliter> I will admit, I can be an asshat as a manager but, I try to make up for it
11:45 < Kyle__> lampliter: That's a good manager, especially when you do that to your workers.
11:45 < darkscrypt> Hey guys, having an issue getting packets to go to the right output interface on my vpn server, I diagrammed the issue in hopes it would describe the problem. Let me know what you think, or some ways to solve this.
11:45 < Kyle__> I've seen some who will promise unreasonable deadlines, have the staff work weekends, and not even _call_ on saturday to see how the team is doing.
11:45 < darkscrypt> any help would be great
11:45 < lampliter> I must've done something right because when we had array to array on the mail server fail on Memorial Day weekend
11:45 < darkscrypt> http://img189.imageshack.us/img189/3724/persistentvpnbreakdown.jpg
11:45 < darkscrypt> http://img189.imageshack.us/img189/3724/persistentvpnbreakdown.jpg
11:46 < lampliter> and I had them help me put together parts we needed to rebuild the server, they volunteered to stay with me and they backed me up overnight as their schedules permitted
11:46 < Kyle__> Which is what a good sysadmin will do.  We're not union, we work until the work is done.
11:47 < lampliter> actually, I've seen some unions with the people will work until the work is done
11:47 < lampliter> it's because the union is organize smart and not by stupid rules based on time
11:47 < lampliter> unfortunately, the people who build bad unions seem to be hired by management of the company
11:47 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
11:47 < Kyle__> Eh, at my last job things got so contentious, the union wouldn't _let_ union workers work until the work was done.  
11:47 < Kyle__> *sigh* yea.
11:48 < theDoc> lampliter> That's a good manager.
11:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
11:48 < lampliter> is nothing we can do to fix stupidity. All we can do is try to minimize the spread and impact
11:48 < theDoc> lampliter> Stupidity isn't as dangerous as a lazy management.
11:48 < theDoc> or so .. I think ;p
11:48 < lampliter> I'm wondering if I could stand a management job now? I had a stent put in last Friday. I wonder if I can still cope with the stress
11:49 < lampliter> maybe I'm smart enough to not accept the stress or pass it on to my people. :-)
11:50 -!- dunc_ [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
11:50 < lampliter> Management jobs can be horrible but if you have a good group of people, it can be really rewarding
11:50 < darkscrypt> anybody able to help me with this issue http://img189.imageshack.us/img189/3724/persistentvpnbreakdown.jpg ?
11:50 < lampliter> anyway, I'm trying to figure out how to reject the DNS information from the DHCP request initializing the open VPN interface
11:51 < Kyle__> lampliter: I'm actually tempted to take some management classes, since I don't know how to manage, but sure as hell know how bad some managers are (And I never want to be that).
11:51 < Kyle__> Anyway.  Does anyone know where you import public keys on an OpenVPN server?
11:51 < lampliter> that's not a bad idea. I would spend more time with organizational psychology and personal psychology than the classic management course
11:51 < lampliter> most corporations internally replicate either a dysfunctional family or high school
11:52 < lampliter> be able to identify which model they are closest to will help tremendously in navigating
11:52 < lampliter> the second thing I recommend studying is negotiation techniques. It's far better thing to know than "political" crap because you can identify the political but also defuse it
11:53 < Kyle__> lampliter: My last company was the disfunctional family: we had a very controlling, very smart, but coddling and enabling CEO.  She was practically grandma to everyone.
11:53 < lampliter> you don't want to play politics because EV won't be very good and will get hurt or you will become very good which means you are person you do not want to be
11:53 -!- dunc_ [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
11:53 -!- gazl [~gazy@unaffiliated/gazelle] has joined ##openvpn
11:53 < theDoc> Is digg really slow for anyone?
11:53 < Kyle__> I always hated the politics pat of it...
11:54 < lampliter> darkscrypt: it looks to me like a routing problem
11:54 < lampliter> on the target and, can you use some sort of packet sniffer to see if the data is coming out of the VPN interface?
11:55 < lampliter> Plaintext side, obviously
11:58 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Ping timeout: 272 seconds]
11:59 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
11:59 -!- gazl is now known as gazl`
12:00 -!- emerica [~emerica@216.13.208.109] has joined ##openvpn
12:00 -!- gazl` is now known as gazl
12:00 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
12:02 < Kyle__> Err.  In openvpn, if you do a server-to server connection, do you exchange server-certs, or do you have to make client-key/certs for the other server?
12:04 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
12:07 < lampliter> I guess we are not having any luck whatsoever getting our questions answered. :-)
12:07 < Kyle__> :) It happens.  But at least it makes you not feel as bad about it, if a room full of like-minded experts can't answer.
12:10 < ecrist> some of us have jobs, and we're busy making money, rather than helping people on company time looking for a hand-out. ;)
12:10 < lampliter> ecrist: you hit it right on the head why I finish from significant OSS participation.
12:11 < lampliter> I needed to focus on my business and I needed to count on revenue coming in
12:11 < lampliter> what I don't understand is why we don't have a reputation-based framework for letting people pay and get paid
12:11 < ecrist> because it's called socialism, and it doesn't work.
12:11 < theDoc> lampliter> Because if most people can get it for free, they will ;p
12:11 < theDoc> o/ ecrist
12:11 < ecrist> hey, theDoc 
12:12 < theDoc> I should go to bed soon.
12:12 < lampliter> ecrist: socialism? You mean the economic system in which the workers own the means of production?
12:12 < theDoc> and also, maybe get around to setting up a ccie lab for np/ie training.
12:13 < theDoc> http://coto2.files.wordpress.com/2009/11/socialism_vs_capitalism.jpg
12:13 < ecrist> lampliter: sure, isn't OSS basically socialism?
12:13 < lampliter> theDoc: quite right. That's because we set expectations wrong
12:13 < theDoc> lampliter> Yes and unfortunately, that isn't going away.
12:13 < lampliter> OSS is socialism
12:14 < Kyle__> There are certain things you want to be socialized, and certain things you don't.
12:14 < lampliter> because there is no command-and-control structure directing the project or the availability of the source code
12:14  * theDoc feels that political discussion always leads to no where ;p
12:14 < lampliter> good point Doc. I'll comment no further
12:15 < theDoc> It's 1:30am here for me.
12:15 < theDoc> Good morning/afternoon/night/whatever to all of you.
12:15 < lampliter> take care
12:15 < Kyle__> night.
12:15 < lampliter> need to leave as well
12:16 < ecrist> lampliter: there is a command-and-control structure for openvpn
12:17 < ecrist> also, the source code is freely available.
12:17 < lampliter> I use the wrong terms because I was trying to get something out a hurry
12:17 < lampliter> my apologies
12:34 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
12:43 < darkscrypt> anybody able to help me with this issue http://img189.imageshack.us/img189/3724/persistentvpnbreakdown.jpg ?
12:43 < darkscrypt> hey krzee 
12:43 < darkscrypt> krzie, whoops
12:47 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 260 seconds]
12:48 < krzie> im both
12:48 < krzie> whats up
12:49 < hyper_ch> hu Bushmills
12:49 < ecrist> darkscrypt: I'm guessing a firewall issue.
12:49 < hyper_ch> hu krzie
12:49 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has joined ##openvpn
12:49 < hyper_ch> hi ecrist
12:49 < ecrist> hello
12:49 < krzie> hi
12:49 < krzie> could be ip forwarding
12:49 < krzie> could be firewall
12:49 < krzie> could be this:
12:49 < krzie> !factoids search outside
12:49 < vpnHelper> krzie: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
12:50 < ecrist> !tell ##openvpn [route]
12:50 < vpnHelper> ecrist: Error: Dude, just give the command.  No need for the tell.
12:50 < ecrist> lol
12:50 < darkscrypt> ecrist, its not a firewall issue
12:50 < krzie> lol
12:50 < darkscrypt> i can ping it successfully from the actual firewall
12:50 < ecrist> then it's a routing issue, darkscrypt 
12:50 < darkscrypt>  router yeah its routing
12:50 < darkscrypt> but i'm not sure quite qht to do
12:51 < ecrist> ip forwarding enabled?
12:51 < krzie> you just said you have 1 directional ping working?
12:51 < krzie> client cant ping router but router can ping client...?
12:51 < darkscrypt> client can ping router... 
12:51 < darkscrypt> take for example if i ping from my desktop
12:51 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
12:51 < darkscrypt> it correctly goes throught he routers eth0
12:51 < darkscrypt> and goes out the tun0
12:52 < darkscrypt> makes it to the tun0 on the openvpn server
12:52 < darkscrypt> but does not go further
12:52 < krzie> [13:51]  <ecrist> ip forwarding enabled?
12:52 < krzie> on vpn server
12:52 < darkscrypt> if i ping from the router on the 10.8.0.1 address, it goes all the way to the 15.0 subnet
12:52 < darkscrypt> and can reach everything
12:52 < darkscrypt> so from that case, ip forwarding and everything is successfully configured on the server
12:52 < krzie> dont do it from 10.8.0.1
12:53 < darkscrypt> because the client can reach the outside subnet just fine
12:53 < krzie> do it from 10.8.0.2
12:53 < darkscrypt> right
12:53 < darkscrypt> thats what i meant
12:53 < darkscrypt> the client which is also the lan gateway
12:53 < darkscrypt> can reach the other  outside subnet
12:53 < krzie> so 10.8.0.2 can reach everything
12:53 < darkscrypt> yea
12:53 < krzie> but the desktop behind it can not
12:54 < darkscrypt> right
12:54 < krzie> that garuntees its firewall
12:54 < krzie> :-p
12:54 < krzie> well
12:54 < darkscrypt> but..
12:54 < darkscrypt> look at where the red ex
12:54 < darkscrypt> X
12:54 < darkscrypt> is 
12:54 < darkscrypt> traffic from desktop going to tun0 on vpn server
12:54 < krzie> unless you added no route for 192.168.2.0 in vpn server
12:54 < darkscrypt> actually reaches the right place
12:54 < krzie> darkscrypt, so now you know where the firewall is!
12:55 < darkscrypt> might not have
12:55 < krzie> its on vpn server
12:55 < krzie> prolly the forward chain i guess
12:55 < darkscrypt> ok.
12:55  * darkscrypt takes notes
12:55 < darkscrypt> okay so look at iptables forward chains?
12:55 < darkscrypt> but it can be reached from 10.8.0.2 would that still be the forward chains?
12:55 < Kyle__> If openvpn resports local options, then expected options, does that mean it the remote system wasn't using the optinos expected?
12:56 < darkscrypt> would i need to add the routes on the vpn server?
12:56 < darkscrypt> it might not know about it
12:56 < krzie> Kyle__, it always reports both
12:56 < darkscrypt> but then again.. if i try to ping 15.3 from 192.168.2.202, nothing reaches it
12:56 < Kyle__> krzie: thanks.  OK, so that's a red-herring.  Humm.
12:56 < darkscrypt> it should know how to reach a device that is ont he same physical computer from the vpn host
12:57 < darkscrypt> red herring .. like from scooby doo?
12:57 < Kyle__> darkscrypt: as in, leading me down the wrong path, not helping me figure out what to do :)
12:57 < krzie> darkscrypt, ping .2.252 from a machine on vpn_server's lan
12:58 < krzie> also
12:58 < Kyle__> I see it start up, init several things, create a connection between the public IPs, then I get TLS Error: client->client or server->server connection attempted from 173.165.60.19:1194.
12:59 < krzie> your desktop which is 2.252 doesnt need a route for 15.0
12:59 < krzie> because vpn endpoint is its default router
12:59 < darkscrypt> From 192.168.15.3: icmp_seq=1 Redirect Host(New nexthop: 192.168.15.254)
12:59 < darkscrypt> .15.254 is def gateway
12:59 < darkscrypt> 15.3 is vpn server
12:59 -!- freaky[t] [alpha@freakyy.de] has quit [Ping timeout: 276 seconds]
13:00 < darkscrypt> redirecting to def gateway which in turn redirects back to 15.3
13:00 < krzie> Kyle__, 
13:00 < krzie> !configs
13:00 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
13:00 < krzie> darkscrypt,
13:00 < krzie> im talking about the other side
13:00 < darkscrypt> think we are getting closer
13:00 < darkscrypt> that was on the vpn servers lan...
13:00 < darkscrypt> vpn server runs on 192.168.15.0/24
13:00 < krzie> the machine marked desktop on the far left does not need a route for 15.0/24
13:01 < darkscrypt> okay.
13:01 < krzie> because it will route that to its LAN gateway which is its local vpn endpoint either way
13:01 < darkscrypt> it does because actually 15.252 is not default gateway
13:01 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
13:01 < darkscrypt> i just simplified it in the diagram
13:01 < krzie> you only need that route when openvpn does NOT run on the default gateway
13:01 < Kyle__> http://pastebin.com/Y8vQY4aV
13:01 < krzie> im not talking about the 15.x lan
13:01 < darkscrypt> 192.168.2.252 is not default gateway
13:01 < krzie> im talking about on the 2.x lan
13:01 < darkscrypt> sorry got confused
13:01 < darkscrypt> 2.254 is default
13:02 < darkscrypt> but routes go to it destined for 15.0
13:02 < krzie> if 2.252 isnt the default gateway why the hell is it labeled as "LAN Gateway"
13:02 < darkscrypt> simplicity and its making it there
13:02 < darkscrypt> i know what i'm doing up to that point.. so i just simplified it when describing the issue
13:02 < krzie> umm no
13:02 < krzie> i cant help then
13:02 < krzie> bbl
13:03 < darkscrypt> sorry?
13:03 < Kyle__> I freely admit some of it is a cargo-cult config (copy-pasting from a sample without 100% understanding it).
13:03 < krzie> Kyle__, 
13:03 < krzie> !goal
13:03 < vpnHelper> krzie: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:03 < darkscrypt> well thanks for helping me up to this point.. i'm starting to see where the issue is i think
13:04 < Kyle__> krzie: I'm trying to connect two different private networks.  Since the firewalls are running shorewall, I used the examlple on http://www.shorewall.net/OPENVPN.html 
13:04 < vpnHelper> Title: OpenVPN Tunnels and Bridges (at www.shorewall.net)
13:04 < krzie> darkscrypt, the first part of trying to help someone with their networking issue is understanding the layout, being able to trace packets src/dst through each hop, when someone mangles it for any reason when describing it, they make it impossible to help
13:05 < krzie> Kyle__, 
13:05 < krzie> !confgen
13:05 < vpnHelper> krzie: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
13:05 < krzie> my confgen will set it up for you ;)
13:05 < krzie> or for the long way,
13:05 < Kyle__> Ooh, lets take a look...
13:05  * Kyle__ snags
13:05 < krzie> !sample
13:05 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
13:05 < krzie> !route
13:05 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:05 < krzie> but ya, confgen will make it easy ;)
13:06 < darkscrypt> krzie, i will fix the diagram then. I just did it to help reduce the amount of confusion when i fully believed that it was not the cause of the issue
13:14 < krzie> Kyle__, and with the setup from confgen, you will be able to have road warriors connect to both LANs as well
13:14 < Kyle__> Pretty neat.
13:14 < Kyle__> I'm looking for the output now...
13:15 < krzie> looking for the output?
13:15 < Kyle__> krzie: does it normally put them in it's own directory, or out in /etc/openvpn?
13:16 < krzie> in the dir you ran the scripts in
13:16 < Kyle__> Ahh I see.  
13:16 < darkscrypt> http://img101.imageshack.us/img101/3724/persistentvpnbreakdown.jpg
13:16 < darkscrypt> krzie, there .. fixed it, added more detail
13:17 < Kyle__> And does it normally create the keys, or is that still done manually?  (Just wondering :)
13:17 < krzie> for now it does not create keys
13:17 < krzie> it will at some point
13:18 < krzie> but you already created keys :)
13:19 < Kyle__> krzie: Yup.
13:21 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
13:23 -!- squidly [~squidly@HoodLUG/member/squidly] has left ##openvpn ["So long and thanks for all the fish!"]
13:30 < Kyle__> krzie: Err, I'm getting an error on the topology line.
13:30 < krzie> Kyle__, all sides need to be 2.1
13:30 < krzie> 2.0 is years old, 3 or 4 iirc
13:30 < Kyle__> Ahh.  I was lazy and used rpms, they're 2.0.9
13:30 < krzie> !download
13:30 < vpnHelper> krzie: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
13:31 < krzie> i made my configs 2.1 on purpose to force you to upgrade ;)
13:31 < krzie> some people on the mail list thought i shouldnt, but i am tired of telling everyone to upgrade so i made my confgen do it for me
13:32 < krzie> (you may notice the FIRST thing my confgen says to you is that you need 2.1)
13:33 < Kyle__> Heh, yea I did.
13:33 < darkscrypt> krzie, now i made the whole thing alot more clear and included everything about the configuration
13:34 < darkscrypt> krzie, if you have time and would be willing to give it another look i would be delighted
13:34 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
13:35 -!- killown [~killown@unaffiliated/killown] has quit [Read error: Connection reset by peer]
13:36 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
13:39 < darkscrypt> krzie, thinking i probably need route and iroute.
13:39 < krzie> darkscrypt, you are using --server?
13:40 < darkscrypt> no.
13:40 < krzie> then you cant use iroute
13:40 < krzie> thats for client/server
13:40 < darkscrypt> okay.
13:40 < krzie> but yes, both sides need route entries
13:40 < krzie> 'client' needs a route entry for 15.x
13:40 < krzie> 'server' needs one for 2.x
13:41 < krzie> desktop should also have a route entry on it for 10.8.0.x
13:41 < darkscrypt> the client looks like it has the 15.x?
13:41 < krzie> (or both those routes from desktop can be made on the default gateway for its lan
13:41 < darkscrypt> its alot more logical to add that to the default gateway rather than to every machine on my side
13:42 < krzie> yes, it is
13:42 < krzie> [14:41]  <darkscrypt> the client looks like it has the 15.x?
13:42 < krzie> you tell me
13:42 < krzie> heh
13:43 < darkscrypt> yea it does have it
13:43 < krzie> !configs
13:43 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
13:43 < darkscrypt> its just the plain old route
13:59 -!- gazl [~gazy@unaffiliated/gazelle] has quit [Quit: leaving]
14:03 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:23 -!- Kniggedigge [~Knigge@f049149208.adsl.alicedsl.de] has joined ##openvpn
14:24 < Kniggedigge> hi guys can anyone give me some assistance in configuring a vpn tunnel with a WRT54GL ? i forwarded all the necessary device, activated ip forwarding etc but i cant ping through the tunnel... i can ping the router and enter the web interface but nothing more...
14:24 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 258 seconds]
14:28 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has quit [Quit: leaving]
14:35 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Read error: Connection reset by peer]
14:36 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
14:37 -!- dazo is now known as dazo_afk
14:41 -!- Kniggedigge___ [~Knigge@f048210070.adsl.alicedsl.de] has joined ##openvpn
14:43 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
14:43 -!- Kniggedigge [~Knigge@f049149208.adsl.alicedsl.de] has quit [Ping timeout: 264 seconds]
14:43 -!- Kniggedigge___ is now known as Kniggedigge
14:46 -!- Kniggedigge___ [~Knigge@xdsl-78-35-145-165.netcologne.de] has joined ##openvpn
14:46 -!- Kniggedigge___ [~Knigge@xdsl-78-35-145-165.netcologne.de] has quit [Client Quit]
14:49 -!- Kniggedigge [~Knigge@f048210070.adsl.alicedsl.de] has quit [Ping timeout: 264 seconds]
14:58 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has quit [Ping timeout: 240 seconds]
15:07 -!- clyons [~clyons@unaffiliated/clyons] has quit [Quit: Leaving]
15:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
15:17 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Ping timeout: 252 seconds]
15:44 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
15:58 -!- hron84 [~hron@nxw65lhyry.adsl.datanet.hu] has joined ##openvpn
15:59 < hron84> hi! a quick question: how can i tell to openvpn server to not modify default route on clients?
16:03 < krzee> the client cant have a connection to the server without a route to the vpn ip
16:03 < krzee> unless you're talking about default route, in which case, the server does not change the default route unless you told it to
16:04 < hron84> i commented out line what server config example tells: ;push "redirect-gateway def1 bypass-dhcp"
16:05 < krzee> then your server no longer changes the default route of the client
16:05 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
16:05 < hron84> but after i connect, the default gateway is modified to vpn server somehow.
16:05 < hron84> I connected with networkmanager
16:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
16:06 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:07 < Bushmills> did you only modify server config, or also reload or restart server?
16:12 -!- hron84 [~hron@nxw65lhyry.adsl.datanet.hu] has quit [Ping timeout: 240 seconds]
16:13 -!- fluvvell [~barryc@port166-72.ubs.maxnet.net.nz] has quit [Read error: Connection reset by peer]
16:17 -!- darkscrypt_ [~darkscryp@216.162.34.42] has joined ##openvpn
16:21 -!- darkscrypt [~darkscryp@216.162.34.42] has quit [Ping timeout: 260 seconds]
16:32 -!- hron84 [~hron@catv-213-222-167-79.catv.broadband.hu] has joined ##openvpn
16:37 < krzee> hron84, [14:10]  <Bushmills> did you only modify server config, or also reload or restart server?
16:37 < hron84> No
16:38 < hron84> krzee: but i solved that problem, networkmanager overrides openvpn server's config, and rewrites force the default gateway
16:38 < hron84> I need tick a checkbox to avoid this. 
16:38 < Bushmills> !ubuntu
16:38 < vpnHelper> Bushmills: "ubuntu" is dont use network manager!
16:38 < hron84> This is Gentoo :-)
16:39 < hron84> basically, i use networkmanager because it is a best solution to password-protected wifis
16:39 < chantra> hron84: i had that too....  and actually documented it http://www.debuntu.org/how-to-network-manager-openvpn-overwrites-default-route
16:39 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Read error: Connection reset by peer]
16:39 < vpnHelper> Title: How-To: Network-Manager-OpenVPN overwrites default route | Debian/Ubuntu Tips & Tricks (at www.debuntu.org)
16:40 < chantra> hoping it would help people :)
16:40  * chantra dont understand why they do that...
16:41 < chantra> if we wanted the dewfault gateway to be overridden, the server would say it
16:41 < hron84> chantra: i followed exactly this howto :D
16:41  * chantra \o/
16:41 < Bushmills> maybe that's their idea of "management"
16:42 < chantra> yeah, i wonder if this is a bug though
16:42 < chantra> or a feature :)
16:42 < Bushmills> with a checkbox to enable or disable it, i'm tempted to call it a feature
16:42 < hron84> very interest, because usually most openvpn server configured as overwrite default route. I guess because the admins are too lazy to list owned networks...
16:42 < chantra> yeah, but the default behaviour to set it as a default gateway... was kindda unexpected
16:43 < hron84> yes
16:43 < chantra> hron84: my first srt up was to give  access to internal network for the company i work for
16:43 < chantra> it was not set up for internet access :)
16:44 < hron84> :-)
16:44 < chantra> only LAN DNSs forward queries so lan + internet dns work
16:46 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has joined ##openvpn
16:46 < chantra> hron84: https://bugzilla.gnome.org/show_bug.cgi?id=577132
16:46 < vpnHelper> Title: Bug 577132 Bad routes after nm-openvpn connect (compared to regular openvpn) (at bugzilla.gnome.org)
16:47 < lazarus477> Are there any special pitfals when setting up an openvpn server on a virtual machine?
16:47 < chantra> lazarus477: nope, it runs sweet
16:48 < lazarus477> Figured as much.
16:48 < lazarus477> Good then all I got to do is work out issues with my pushed routes.
16:48 < lazarus477> :-)
16:48 < chantra> it might depend on how many user you expect to be connected and data to be transferred
16:49 < lazarus477> If anyone knows of any special issues for OpenVPN and its GUI in Windows7 (Seven) then please drop a line.
16:49 < chantra> lazarus477: run as admin ;)
16:49 < chantra> that might answer your pushed route issue :)
16:50 < chantra> !windows7
16:50 < vpnHelper> chantra: Error: "windows7" is not a valid command.
16:50 < chantra> arg
16:50 < lazarus477> hehe
16:50 < lazarus477> Well I found some info on solving issues on 7 which I implemented while trying to solve unrelated issues.
16:51 < lazarus477> I did things like turning off firewalling of the Win32 tun/tap interface.
16:51 < lazarus477> Set OpenVPN GUI to run as administrator.
16:51 < chantra> then you need to paste your opevpn gui logs
16:51 < chantra> pastebin ;)
16:53 < lazarus477> Me?
16:53 < chantra> you were saying you had issues with pushed route
16:54 < lazarus477> Ah, no. I said I had to configure them.
16:54 < lazarus477> hehe
16:54 < lazarus477> I had issues with certificates earlier and thought it was a Win7 issue, ended up implementing at the time not required tweeks for Win7.
16:54 < chantra> k :)
17:00 -!- le0_ [~fin@cpc4-bele7-2-0-cust381.know.cable.virginmedia.com] has joined ##openvpn
17:00 -!- notbrien [~notbrien@2002:d052:dd6:0:5ab0:35ff:fef5:7a5f] has quit [Quit: notbrien]
17:03 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
17:07 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
17:29 < lazarus477> I am having some issues.
17:29 < lazarus477> I got openvpn running on openSUSE. Latest stable relase of both.
17:30 < lazarus477> A windows client with a working connection, Win7. It connects fine using OpenVPN GUI and can ping the openvpn server on both its LAN address and its tun/tap address.
17:31 < lazarus477> I have enabled IP forwarding on the server and disabled the firewall completelly.
17:31 < lazarus477> Problem: Win7 client cannot reach LAN side hosts through the vpn tunnel.
17:31 < Bushmills> any masquerading / NAT rules in firewall?
17:31 < lazarus477> If I do ipconfig /all on the client I clearly see pushed DHCP options for LAN side nameserver and wins.
17:32 < lazarus477> Bushmills: masquerading is not enabled on the server.
17:32 < Bushmills> thus a pure routing setup.
17:32 < lazarus477> yup
17:32 < Bushmills> !route
17:32 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:32 < lazarus477> ty, I shall re-read that doc.
17:33 < Bushmills> check whether routing table in win7 client looks ok
17:36 < lazarus477> Checking
17:37 < lazarus477> I see the route for the lan in the routing table of the client and using the vpn servers private address as gateway for the lan route.
17:38 < lazarus477> but!
17:38 < lazarus477> I also see it is using an old address, it is no longer in use. The vpn server has switched addresses and the client has a stale one.
17:39 < lazarus477> I was running the openvpn deamon as user and group nobody but then switched that off and restarted.
17:39 < lazarus477> guess I need to clean up the client routing table. Please advise.
17:42 < Bushmills> can't. no idea what your "stale" ip address is, or how it affects your routing by being in the routing table.
17:42 < Bushmills> you see it, i don't.  you fix it :)
17:42 < lazarus477> Gotcha ;-)
17:42  * lazarus477 picks up a screwdriver and a hammer and itches his head.
17:46 < lazarus477> Funny. Reconnecting the client does not help. Disconnecting removes the pushed routes from the client routing table.
17:46 < lazarus477> Connecting form scratch re-enters the wrong routes into the client routing table.
17:47 < lazarus477> The IPs which once were used by the server and are now stale are not reachable on the server either so why the heck push them.
17:47 < lazarus477> Well investigating on.
17:49 < Bushmills> server pushes non-existing address?
17:49 < lazarus477> Well I shall try rebooting the client.
17:49 < lazarus477> Yea
17:49 < lazarus477> No
17:49 < Bushmills> what server pushes is determined by its config.
17:49 < lazarus477> Ehm
17:49 < lazarus477> hold on
17:49 < Bushmills> except the host route
17:49 -!- Kyle__ [~kschmitt@173-165-60-19-Illinois.hfc.comcastbusiness.net] has quit [Quit: leaving]
17:50 < Bushmills> what server address changed? does your server sit on a dynamic ip address?
17:52 < lazarus477> Ok checked the server config.
17:52 < lazarus477> I am not pushing any strange non-exsistant IP addresses.
17:53 < lazarus477> Also I have not pushed the stale address manually or through some config. It is something which has happned behind the scenes.
17:53 < lazarus477> client now rebooted, shall see if it resolves the issue.
17:54 < Bushmills> i suppose if those strange addresses aren't pushed from server config, and you don't add them, it would be a windows issue?
17:56 < lazarus477> na
17:56 < lazarus477> I think it is the persistant config option on the server.
17:56 < lazarus477> problem remains after reboot.
17:56 < Bushmills> some semi-helpful contraption trying to do the routing table management for you? 
17:57 < lazarus477> Not that I know of.
17:57 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
17:57 < lazarus477> All looks fine. To me it appears as if the server is pushing some cached routing info to the client.
17:57 < lazarus477> These values were in use and valid yesterday but at the moment new IPs are in effect.
17:58  * Bushmills goes watching a movie
18:04 -!- hron84 [~hron@catv-213-222-167-79.catv.broadband.hu] has left ##openvpn []
18:07 < lazarus477> Enjoy
18:13 < lampliter> I need to block the nameserver given to the ovpn client and not let it over write the current nameserver. possible? if so, which option/documentation should I look at?
18:14 < lazarus477> Try push "dhcp-option DNS"
18:14 < lazarus477> in the server config
18:14 < krzee> you have it backwards lazarus477
18:15 < krzee> he has a client, does not control his server
18:15 < lazarus477> ah
18:15 < krzee> and wants to NOT accept the NS being pushed
18:15 < lampliter> right!
18:15 < lazarus477> Gotcha
18:15 < krzee> lampliter, windows i assume...?
18:15 < lampliter> the dns server on the far end is almost always the wrong name server for me
18:16 < lampliter> for today.
18:16 < lampliter> linux toorrow
18:17 < krzee> so you need this done in linux?
18:17 < lampliter> bbs  got to hand out catnip to the neighbors.  
18:17 < lampliter> windows and linux
18:17 < krzee> because in linux just dont use the script
18:17 < krzee> !pushdns
18:17 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
18:17 < krzee> see #4
18:17 < krzee> if you dont use that script, pushing dns to unix doesnt do anything
18:17 < krzee> for windows it would be far more complicated
18:18 < lampliter> right
18:18 < krzee> youd have to ignore all pushed options, and manually set everything the server pushes that you do need
18:24 < krzee> which means you couldnt use pull / client, would have to manually set EVERYTHING normally pushed to you, and also means that if the server changes something like subnet for example your client will break
18:25 < krzee> and if the server uses default topology (net30) youd be fubar unless you have a static ip on the vpn
18:26 < krzee> of course, if you can find a command to change NS from command prompt, you can manually set it back to what you want using an --up script
18:26 < krzee> instead of doing the above stuff
19:03 < lazarus477> Strange issue I got with my routing. The WAN router is running OpenWRT and sees both the openvpn VM server and LAN. Can ping VPN server and LAN but not client.
19:03 < lazarus477> And ignore what I said about stale adresses on the client end in the routing table, I was missinterpreting the printout.
19:04 < krzee> i figured that, had already ignored it
19:04 < lazarus477> That is fine :-)
19:04 < lazarus477> kreg: Last evenings issue was silly. Turned out I had referenced the client cert file rather than the ca cert file... 
19:05 < krzee> lol
19:05 < lazarus477> I think I did the same boo, boo three years back.
19:05 < krzee> as for the current issue, i dont understand what you mean
19:05 < lazarus477> Ok a recap of the current situation.
19:06 < lazarus477> Client connects without problems to VPN server. Client uses Mobile Broadband.
19:06 < lazarus477> VPN server is set to push LAN route to all clients, this also occurs.
19:06 < lazarus477> On client routing table I see the LAN side address range with a route refering to the clients IP.
19:07 < krzee> not likely the clients IP, but do continue
19:07 < lazarus477> The router of the LAN sees the VPN server which exsists inside of a virtual machine.
19:08 < krzee> "sees"?
19:08 < lazarus477> Router can ping VPN server at it's VPN address but cannot ping client.
19:08 < lampliter> back
19:08 < krzee> "router" is behind server or client?
19:08 < lazarus477> Client can ping VPN server but nothing else. Ping success using either the VPN IP or the LAN IP of the server.
19:09 < lazarus477> Router is in-between client and server and has a NAT firewall.
19:09 < krzee> umm
19:09 < krzee> which lan is "router" on?
19:09 < krzee> they are not on the same network...
19:09 < lazarus477> The router is on the LAN hosting the VPN server.
19:09 < krzee> ok
19:09 < lazarus477> The client is a laptop on mobile broadband.
19:09 < krzee> have you manually added any routes to your router?
19:10 < lazarus477> Yes
19:10 < lazarus477> And logging into the router over ssh I can confirm the route exsists.
19:10 < lazarus477> I also enabled IP forwarding on the VPN server.
19:10 < lampliter> krzee: thanks for the info. It seems like what I want to do is, in practice, almost impossible.
19:10 < lazarus477> Router runs linux firmware OpenWRT.
19:10 < lazarus477> VPN server is openSUSE 11.2 with OpenVPN 2.1
19:10 < krzee> the router can ping the vpn ip of server you said?
19:10 < lampliter> I think I what I have to change the server so nobody gets DNS
19:11 < lazarus477> Client is Windows 7 Pro running OpenVPN GUI 2.1
19:11 < krzee> does the server have IP forwarding enabled?
19:11 < lazarus477> Yes
19:11 < krzee> lampliter, you DO control the server?
19:11 < lazarus477> Yes
19:11 < lampliter>  in one case.
19:11 < krzee> then theres a different easier way
19:11 < lampliter> I can advocate for changes on the other cases
19:11 < lazarus477> I am logged into the server over SSH. Sitting in a couch.
19:11 < lazarus477> Server is locate three meters from where I sit.
19:12 < krzee> lampliter, you can move that push dhcp-option to a ccd entry
19:12 < krzee> !ccd
19:12 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
19:12 < krzee> put it in <dir>/DEFAULT
19:12 < krzee> and it will apply to all
19:12 < krzee> then make an empty file matching your clients common-name
19:13 < krzee> everyone without a ccd entry will get whats in DEFAULT
19:13 < lampliter> for what it's worth, this is yet another great example of how DNS is broken when you try to join two different sets of names as a side effect of a VPN changing network topology
19:13 < krzee> everyone with a ccd entry will NOT get whats in DEFAULT
19:13 < krzee> even if its empty
19:13 < lampliter> it's not open VPN problem, it's a fundamental DNS problem
19:14 < lampliter> that CCD entry is really neat
19:14 < lampliter> I like it and I will try to make that work
19:14 < lazarus477> Yep. I used it and loved it.
19:15 < krzee> lazarus477, you mentioned you are using a virtual machine as your server
19:15 < krzee> you may need to do something in the VM software to allow IT to do ip forwarding
19:16 < krzee> i believe in some vm software its called enabling promiscuous mode
19:16 < krzee> and the host itself may also need ip forwarding enabled
19:16 < krzee> i wouldnt know, have never cared to run openvpn from a virtual machine
19:17 < krzee> i only use virtual machines to test things, or in the case of my office: to use software that only runs on windows without being forced to use windows for everything
19:18 < krzee> lazarus477, let me recap to check if i got this right
19:18 < krzee> the router behind server can ping vpn ip of its local vpn node
19:18 < krzee> but can not ping client
19:18 < krzee> the client can ping server, but not LAN ip of server
19:19 < krzee> is this right?
19:19 < lazarus477> wrong
19:20 < lazarus477> Router can ping server not client, correct.
19:20 < lazarus477> Client can ping server on both the LAN based IP and the VPN based IP.
19:20 < krzee> [17:23]  <lazarus477> Router can ping server not client, correct.   <--- by pinging VPN ip
19:20 < krzee> right?
19:21 < lazarus477> right
19:21 < krzee> when pinging client, what is the exact ip you are trying to ping?
19:21 < lazarus477> ping 10.100.0.5 and also tried 10.100.0.6, the client reports making use of both these IPs.
19:22 < krzee> .6 is the client
19:22 < lazarus477> The VPN address range is 10.100.0.0 255.255.0.0
19:22 < krzee> .5 is something internal to openvpn, will NEVER ping
19:22 < krzee> why use such a big subnet?
19:22 < lazarus477> Figured bigger is better.
19:22 < krzee> wrong
19:23 < krzee> and as for why its .6 and what .5 means,
19:23 < krzee> !/30
19:23 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
19:23 < krzee> read that link
19:23 < lazarus477> Well in the end I will study up more on TLS and certificates and subnets and see if I can downscale without loosing flexibility.
19:23 < krzee> just change to 255.255.255.0
19:23 < lazarus477> reading
19:23 < lazarus477> Ok I shall
19:23 < lazarus477> Read first, change after ;-)
19:24 < krzee> if you need more clients connected, you can increase it by 4x by seeing !topology
19:24 < krzee> since i believe you mentioned using 2.1.1 on both client and server
19:24 < lazarus477> yep
19:24 < lazarus477> !typology
19:24 < vpnHelper> lazarus477: Error: "typology" is not a valid command.
19:24 -!- tjz [~pc@bb116-14-142-112.singnet.com.sg] has joined ##openvpn
19:24 -!- tjz [~pc@bb116-14-142-112.singnet.com.sg] has quit [Changing host]
19:24 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
19:24 < krzee> !topology
19:24 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
19:25 < lazarus477> ty
19:25 < krzee> topology subnet
19:25 < krzee> in server config
19:25 < lazarus477> I shall read up on both docs.
19:25 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 252 seconds]
19:26 < lazarus477> krzee: Please keep in mind I setup openvpn twice in the past. On this third go I wanted to try some new things. Also everything is in a new environment for me.
19:27 < krzee> cool
19:27 < krzee> topology subnet is very likely one of those new things you want to try
19:28 < krzee> once you read the link from /30 you can use topology subnet and you wont need to understand the /30 stuff anymore ;]
19:28 < krzee> cause you'll be .1 on server, and clients will get .2 .3 .4 etc
19:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
19:30 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: This computer has gone to sleep]
19:31 < lazarus477> gotcha
19:31 < lazarus477> ok read the subnets doc. Now reading /30
19:33 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
19:38 < lazarus477> Oh how silly of me! I did not realize that all this talk about /30 subnets translates into lamens terms as 255.255.255.252 :-)
19:38 < lazarus477> Now I am getting more of the point.
19:40 < lazarus477> If clients are assigned a /30 subnet IP does this mean only at most 2 clients may make use of the VPN service?
19:42 < krzee> no
19:43 < lazarus477> gotcha
19:43 < krzee> EVERY client gets their own /30 when you use topology net30 (default)
19:43 < lazarus477> I am reading up on subnets.
19:43 < lazarus477> I think i get what you mean
19:47 < lazarus477> Ah now I better understand why my client has 4 different VPN assigned IPs in its routing table.
19:50 -!- redfox [~redfox2@ns351996.ovh.net] has quit [Ping timeout: 258 seconds]
19:52 < lazarus477> Yep.
19:53 < lazarus477> krzee: Do you think my issue might be my use of a VPN address range and subnet of 10.100.0.0 255.255.0.0 ?
19:53 < lazarus477> I am starting to think what I assigned is foobar.
19:54 < krzee> huh?
19:56 < lazarus477> Well I set my server to use 10.100.0.0 255.255.0.0
19:56 < lazarus477> As I now understand things after reading up on subnets this has enabled me to run fewer subnets but with more clients on each net, either that or 255.255.0.0 is total nonsense?
19:58 < krzee> topology subnet makes you not need subnets per client
19:58 < krzee> they all get 1 ip and are all in the same subnet
19:58 < krzee> and yes, 255.255.0.0 is total nonsense
19:58 < lazarus477> Ah
19:58 < lazarus477> When I say total nonsense I am talking about something which would not technichally function.
19:58 < lazarus477> Would 255.255.0.0 be technichally correct?
19:59 < krzee> which is why i told you to use 255.255.255.0 37 minutes ago ;)
19:59 < krzee> i dont remember, i know there is a limit to what works
19:59 < lazarus477> I did not ignore you! I just wanted to study first.
19:59 < lazarus477> ok
19:59 < lazarus477> Well I shall definatly start reconfiguring.
19:59 < krzee> the thing is, with topology subnet there is never a reason to use anything bigger than 255.255.255.0
20:00 < krzee> because a single openvpn process starts having issues after 200 clients anyways
20:00 < krzee> (its not multi-threaded and whatnot_
20:00 < krzee> s/_/)/
20:03 -!- redfox [~redfox2@ns351996.ovh.net] has joined ##openvpn
20:03 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has quit [Read error: Connection reset by peer]
20:04 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has joined ##openvpn
20:04 -!- redfox is now known as Guest3687
20:04 < lazarus477> I was not aware of that.
20:04 -!- theDoc [~jaki@173.236.41.36] has joined ##openvpn
20:04 -!- theDoc [~jaki@173.236.41.36] has quit [Changing host]
20:04 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:05 < lazarus477> krzee: Ok some good news. Now when entering the proper netmask into my routers static route list the save action does not result in strange happenings!
20:05 -!- chantra [~chantra@unaffiliated/chantra] has quit [Quit: leaving]
20:05 < krzee> why would it
20:06 < lazarus477> Beats me but it did with a netmask of 255.255.0.0
20:06 < theDoc> Too many hosts? ;p
20:06 < lazarus477> Perhaps
20:07 -!- SpyderZ [~SpyderZ@174.121.222.238] has joined ##openvpn
20:07 < lazarus477> Just to try things out the old fassioned way I decided to use the /30 default setup.
20:07 < SpyderZ> Anyone get APF firewall working with OpenVPN?
20:07 < lazarus477> Looks like I still got issues so I shall head over to #xen to ask if I might be missing some VM hosting settings for IP forwarding, like you mentioned.
20:08 < krzee> !xen
20:08 < vpnHelper> krzee: Error: "xen" is not a valid command.
20:08 < krzee> just checking ;]
20:08 < theDoc> lolxen
20:11 < lazarus477> Xen is a virtualization platform.
20:11 < lazarus477> xen.org
20:11 < lazarus477> brb after talking to the xen masters, haha.
20:16 < SpyderZ> Go to #citrix
20:16 < SpyderZ> That's where you can get Xenserver help.
20:20 < lazarus477> krzee: Should my vpn server need NAT enabled?
20:28 < lazarus477> krzee: If you got the time I would appriciate if you could read this short story http://lists.xensource.com/archives/html/xen-users/2009-05/msg00978.html
20:28 < vpnHelper> Title: Re: [Xen-users] interactions between xen and openvpn - Xen Source (at lists.xensource.com)
20:28 < lazarus477> The fellow answering the post runs a working setup in a Xen VM but uses termonolgy which you are more familiar with than I.
20:28 < lazarus477> I think it might shed a ligt on my problem.
20:29 < krzee> you only need NAT if you plan on redirecting all client traffic over the vpn
20:29 < lazarus477> Also based on official docs from Xen.org I am happy to say that OpenVPN should be fully functional under Xen virtualization.
20:29 < lazarus477> Docs read from xen.org are dated january this year.
20:30 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 265 seconds]
20:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 248 seconds]
20:33 -!- theDoc [~jaki@173.236.41.34] has joined ##openvpn
20:34 -!- theDoc [~jaki@173.236.41.34] has quit [Changing host]
20:34 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:34 < krzee> fully functional doesnt mean that there may not be a config option to use for allowing ip forwarding, i know some other VM software requires it and calls it promiscuous mode
20:36 < lazarus477> Yep, I understand.
20:36 < lazarus477> Well googling around
20:36 < lazarus477> If google does not pop something up I will instead check the xen networking docs on VMs.
20:37 < krzee> should the docs be the first place to look?
20:37 < krzee> not just for this, but for EVERYTHING
20:44 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
20:44 < lazarus477> It is a matter of taste and luck. Sometimes docs are overwhelming at first and reading someone elses rantings sheds a clearer light on the subject.
20:44 < lazarus477> I swing both ways ;-)
20:45  * lazarus477 read 800+ pages of docs to learn to use Bacula, 7 days hard reading... Me no slacker is.
20:46  * lazarus477 was awake for 56 hours straight as a linux rookie setting up a 3000$ server to act as internet gateway, VPN server and firewall.
20:47 < lazarus477> Got it done as well ;-)
20:47 < lazarus477> But the whole experience totally fried my brain.
20:53 -!- freaky[t]_ [alpha@freakyy.de] has joined ##openvpn
20:53 -!- freaky[t] [alpha@freakyy.de] has quit [Ping timeout: 240 seconds]
20:53 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has quit [Ping timeout: 240 seconds]
20:53 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Ping timeout: 240 seconds]
20:53 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
20:54 < lazarus477> Ok my issue is routing.
20:54 < lazarus477> Confirmed.
20:54 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has joined ##openvpn
20:55 < lazarus477> For fun sake I read the man page for route and setup a static rount on one of my LAN hosts so it would know how to reach the VPN net.
20:55 < lazarus477> Now I can from that host ping both the VPN server and the WAN side connected VPN client.
20:57 < lazarus477> Now what is puzzling me is this: I set the route up on my LAN Internet Gateway device but for some reason traffic is not getting to and from where it needs to go.
20:57 < krzee> pinging wan side of the client doesnt go over the vpn
20:57 < krzee> lol
20:57 < lazarus477> Adding static routes manually on a per host bases works.
20:57 < lazarus477> No no no
20:58 < lazarus477> I did not ping the client WAN IP public address.
20:58 < krzee> if things work as you desire with per host routes, your problem lies here:
20:58 < krzee> !factoids search outside
20:58 < vpnHelper> krzee: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
20:59 < lazarus477> I pinged a VPN client using VPN IP 10.100.0.6. The client is on mobile broadband so it is on a WAN connection/outside my LAN.
20:59 < lazarus477> reading
20:59 < lazarus477> Ah that doc
21:00 < krzee> yup
21:00 < krzee> !route
21:00 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
21:00 < krzee> see section: ROUTES TO ADD OUTSIDE OPENVPN
21:00 < krzee> for detailed explanation
21:01 < lazarus477> reading
21:01 < krzee> either the route on that router is wrong, or its firewall is blocking stuff
21:01 < krzee> cause thats the only thing that setting a host route does
21:01 < krzee> bypasses the router
21:01 < lazarus477> I have not skimmed anything, I read word for word. Does not mean I understand it properly first time through it...
21:02 < lazarus477> Hmm
21:03 < lazarus477> krzee: You make it sound as if my pings are bypasing the vpn server and roaming out across the internet directly through my wan gateway?
21:03 < krzee> i didnt say you skimmed it, im just pointing out where your problem is documented
21:03 < krzee> thats what happens if the route is wrong
21:04 < krzee> other option is your router is blocking the packets
21:04 < krzee> (firewall)
21:04 < lazarus477> Ok now I get ya, no I do not think the route is wrong, I understand what you are refering to.
21:04 < krzee> but all you did by adding routes to the LAN sitting next to that router for the vpn subnet is bypass the router
21:04 < lazarus477> I already read up on what goes on when the gateways route for VPN traffic is wrong.
21:04 < krzee> so if bypassing the router fixes the problem...
21:04 < krzee> then obviously something on that router is configured to break things
21:05 < krzee> it can happen 1 of 2 ways
21:05 < lazarus477> Well I shall examine my router a bit more.
21:05 < krzee> 1) routes are wrong
21:05 < krzee> 2) firewall is wrong
21:05 < lazarus477> Yep
21:05 < krzee> but from you luckily adding a host route on the lan and seeing it worked, now we know that its the router
21:06 < lazarus477> This is funny
21:07 < krzee> how so?
21:07 < lazarus477> I compared the output from route on both the gateway device and the host which got my manual route settings and they are identical.
21:07 < lazarus477> I shall examine the gateway further.
21:07 < krzee> then check the routers firewall
21:07 < lazarus477> exactly
21:10 < lazarus477> I now also checked letting the vpn client ping the LAN gateway router using its local LAN side address, worked.
21:11 < lazarus477> Ok so these are tied together: VPN Server, LAN Gateway and VPN Client.
21:11 < lazarus477> I think the firewall must be what is wrong.
21:13 < lazarus477> I see my LAN/WAN gateway is set to Not allow Forwarded Trafic.
21:13 < lazarus477> I asume this might be an issue?
21:17 < lazarus477> Problems solved.
21:18 < lazarus477> I enabled Accepting Forwarded Traffic on the internet gateway firewall. Now the VPN client can see everything.
21:18 < lazarus477> Update: SAMBA file sharing is now also working across the VPN. Client can access folders on file server.
21:20 < lazarus477> krzee: Thanks for the help. You were very very very helpful and steared me in the right directions :-)
21:25 < krzee> you're welcome =]
21:26 < krzee> just in time too, time for me to leave the office
21:26 < krzee> bbl
21:28 < lazarus477> krzee: Take care :-)
21:30 < krzee> i lied
21:31 < krzee> got guys here running cables, gunna stick around til they're done
21:31 < krzee> i thought someone else was going to stay, they arent, and i want someone here... so its me
21:49 < lazarus477> haha
21:49 < lazarus477> And For whatever reason the VPN routing just crapped out.
21:50 < lazarus477> I tried transfering a huge file and in the middle of that everything went foobar.
21:50 < lazarus477> rebooted client.
21:50 < lazarus477> rechecked firewall
21:50 < lazarus477> nada
21:50 < lazarus477> I shall try restarting the vpn server
21:54 < lazarus477> Looks like firewall on gateway is funny.
21:55 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has joined ##openvpn
21:55 < lazarus477> I can ping from vpn client to lan hosts but no ping reply goes back out.
21:55 < lazarus477> one way routing
22:00 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has quit [Ping timeout: 265 seconds]
22:04 < lazarus477> I shall drop out of here and try rebooting the gateway
22:04 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has quit [Quit: leaving]
22:05 -!- Serideru [~GTWebster@24-117-150-192.cpe.cableone.net] has joined ##openvpn
22:12 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has joined ##openvpn
22:17 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has quit [Ping timeout: 252 seconds]
22:22 -!- lampliter [~chatzilla@c-76-19-126-1.hsd1.ma.comcast.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
22:28 -!- fahmad [~linux@unaffiliated/fahmad] has joined ##openvpn
22:29 -!- troy-_ [ac495d3b25@bgp4.us] has quit [Ping timeout: 240 seconds]
22:29 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has joined ##openvpn
22:32 -!- troy- [1ac40acf02@bgp4.us] has joined ##openvpn
22:35 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has quit [Ping timeout: 276 seconds]
22:47 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has joined ##openvpn
22:50 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has quit [Read error: Operation timed out]
23:04 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has joined ##openvpn
23:04 -!- darkscrypt_ [~darkscryp@216.162.34.42] has quit [Read error: Connection reset by peer]
23:09 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has quit [Ping timeout: 265 seconds]
23:16 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 260 seconds]
23:17 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
23:21 -!- darkscrypt_ [~darkscryp@216.162.34.42] has joined ##openvpn
23:27 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has joined ##openvpn
23:28 < lazarus477> Anyone here have experience with openvpn traffic passing through a router running openwrt firmware?
23:28 < lazarus477> I got strange problems which appear to be the firewall of the router blocking traffic.
23:28 < lazarus477> It works at one time then craps out at another.
23:28 -!- ayi [~vegar@fou193.telenor.ntnu.no] has joined ##openvpn
23:31 < hyper_ch> lazarus477: using tomato wrt here and runs fine
23:35 -!- corretico_ [~laguilar@201.201.46.106] has joined ##openvpn
23:36 < lazarus477> Hmm
23:36 -!- corretico [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
23:36 < lazarus477> hyper_ch: Glad to hear it :-)
23:38 < lazarus477> To recap my setup: I run OpenVPN server inside of a VirtualMachine behind an OpenWRT RouterDevice which uses a linux IP tables firewall.
23:39 < lazarus477> I have a client running Windows7 connected to the VPN server over MobileBroadband.
23:40 < lazarus477> Static routes setup and to and from work as expected. The only thing which I think has caused posetive effect has been tinkering with the routers firewall settings, turning On and Off the setting for Accepting or Denying ForwardedTraffic.
23:43 < lazarus477> I am thinking it might be a problem with me tinkering around with the router device and some sort of connection keep alive feature, perhaps...
23:52 -!- darkscrypt__ [~darkscryp@216.162.34.42] has joined ##openvpn
23:56 -!- darkscrypt_ [~darkscryp@216.162.34.42] has quit [Ping timeout: 258 seconds]
--- Day changed Tue Jun 08 2010
00:02 < lazarus477> Never mind for now.
00:02 < lazarus477> I think I have almost narowed the problem down.
00:02 < lazarus477> Something is foobar with openSUSE 11.2.
00:03 < lazarus477> I try using the suse config tool to enable IP_forwarding and it does not retain the setting. Setting it manually also goes away upon a reboot.
00:03 < lazarus477> I shall ask at #opensuse
00:14 -!- darkscrypt__ [~darkscryp@216.162.34.42] has quit [Remote host closed the connection]
00:17 < lazarus477> Ah now I see the suse firewall is messing with my setting for IP_forwarding, great! Well at least I think I tracked this bug to its source :-)
00:17 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 252 seconds]
00:31 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has quit [Quit: leaving]
00:31 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
00:33 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
00:41 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
00:56 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
00:56 -!- mode/##openvpn [+o mattock] by ChanServ
01:22 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has joined ##openvpn
01:56 -!- SpyderZ [~SpyderZ@174.121.222.238] has left ##openvpn []
01:58 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Read error: Connection reset by peer]
01:59 -!- corretico_ [~laguilar@201.201.46.106] has quit [Quit: Leaving]
02:09 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
02:09 -!- sara2010 [~sara@202.100.181.58.dynamic.max.com.pk] has joined ##openvpn
02:09 -!- sara2010 [~sara@202.100.181.58.dynamic.max.com.pk] has left ##openvpn ["Leaving"]
02:33 -!- |Mike| [mike@2001:1af8:2:444::2] has quit [Read error: Operation timed out]
02:45 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
02:58 -!- |Mike| [mike@2001:1af8:2:444::2] has joined ##openvpn
02:59 -!- g0tcha [~efnet@27.9.202.62.fix.bluewin.ch] has joined ##openvpn
03:02 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
03:02 -!- hyper__ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
03:02 -!- dazol [~dazo@nat/redhat/x-zwcrgcciinpjaxdi] has joined ##openvpn
03:04 -!- theneb_ [~theneb@theneb.co.uk] has joined ##openvpn
03:05 -!- fahadsadah_ [fahad@unaffiliated/fahadsadah] has joined ##openvpn
03:06 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has quit [Ping timeout: 260 seconds]
03:09 -!- Netsplit *.net <-> *.split quits: hyper_ch, julius, krzie, sigius, doug_ndndn, theneb, fahadsadah, g0tcha1, dazo_afk, MJD,  (+1 more, use /NETSPLIT to show all of them)
03:09 -!- hyper__ch is now known as hyper_ch
03:15 -!- Netsplit over, joins: doug_ndndn
03:15 -!- Netsplit over, joins: sigius
03:19 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has joined ##openvpn
03:20 -!- Typone [~nnnnnnnit@195.197.184.87] has joined ##openvpn
03:24 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Ping timeout: 252 seconds]
03:28 -!- julius [~julius@217.20.127.15] has joined ##openvpn
03:31 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
03:34 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
03:36 -!- Netsplit *.net <-> *.split quits: julius
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:59 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Quit: Leaving]
04:00 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
04:04 -!- dazol [~dazo@nat/redhat/x-zwcrgcciinpjaxdi] has quit [Read error: Connection reset by peer]
04:08 -!- dazol [~dazo@nat/redhat/x-ekhvdgmhxizwwdpg] has joined ##openvpn
04:12 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Read error: Operation timed out]
04:22 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
04:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
04:29 -!- Netsplit over, joins: julius
04:32 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 265 seconds]
04:33 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
04:33 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Ping timeout: 272 seconds]
04:39 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 240 seconds]
04:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
04:39 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
05:03 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
05:04 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 260 seconds]
05:14 -!- killown [~killown@unaffiliated/killown] has quit [Ping timeout: 265 seconds]
05:18 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has joined ##openvpn
05:19 < lazarus477> krzee: So. I got the VPN working, found more issues but all in all it works rather well. 
05:19 < lazarus477> krzee: Now I am focusing on another issue. My past setups were on physical hosts and routing as well as firewalling was much simpler.
05:20 < lazarus477> krzee: Now I am experiencing what appears to be performance issues due to the fact that the VPN server is a VM behind a physical host behind a NAT gateway and my file-server is itself also on another VM, etc, etc.
05:21 < lazarus477> Plenty of firewalls and routs as well as hosts involved.
05:21 < lazarus477> I guess my question goes out to everyone here. It is. What can one do to boost or improve efficiency in the routing and overal boost network performance for the vpn.
05:22 < lazarus477> All tips and sugestions welcome.
05:30 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Quit: Lost terminal]
05:48 -!- dazol is now known as dazo
05:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
05:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:03 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Ping timeout: 272 seconds]
06:10 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
06:16 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:23 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
06:27 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has joined ##openvpn
06:28 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has quit [Read error: Connection reset by peer]
06:54 -!- ||arifaX [~ContikiC6@unaffiliated/arifax/x-427475] has quit [Remote host closed the connection]
06:54 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has joined ##openvpn
07:08 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
07:08 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
07:10 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
07:10 -!- diffen3 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
07:11 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has left ##openvpn []
07:11 -!- diffen3 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has left ##openvpn []
07:11 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
07:15 < Bushmills> to improve vpn speed, improve network speed. to improve vpn latency, improve network latency
07:16 < Bushmills> (that assumes that VPSs are not cpu starved, with respect to en/decryption and compression)
07:18 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
07:26 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit []
07:37 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
07:46 -!- DrPepper [~DrPepper@88.207.183.72] has quit [Remote host closed the connection]
07:50 < lazarus477> Bushmills: Thanks for the remarks, noted.
07:50 < lazarus477> It is obviouse to me that I must next five into network tuning and performance testing.
07:56 -!- j03 [~6de08059@gateway/web/freenode/x-nsefkgmtesjwbnno] has joined ##openvpn
07:56 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
07:57 < j03> http://pastebin.com/dtrN23za - Why is this happeneing when I am using ifconfig-push 10.8.0.3 10.8.0.1?
07:58 < j03> I'm trying to give my clients static IP's, but i've not said anything anywhere about a 255.255.255.252 subnet...?
08:00 < Bushmills> push 10.8.0.5 instead of 3
08:00 < Bushmills> !net30
08:00 < vpnHelper> Bushmills: "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
08:02 < j03> OK, I'll give that a go. Thanks.
08:03 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
08:03 < j03> So I'll have to assign IP's in increments of 4? So.. 10.8.0.1 for the server, 10.8.0.5 for client #1, 10.8.0.9 for client #2 etc?
08:03 < Bushmills> !topology
08:03 < vpnHelper> Bushmills: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
08:04 < j03> OK, I'll look into that
08:04 < Bushmills> "The local and remote VPN endpoints cannot use the first or last address within a given 255.255.255.252 subnet.  This is a limitation of --dev tun when used with the TAP-WIN32 driver.  Try 'openvpn --show-valid-subnets' option for more info."
08:08 < j03> I tried pushing 10.8.0.5, same problem. 
08:08 < Chosi> are you using client/server mode?
08:08 < Chosi> or p2p?
08:10 < j03> Client/Server
08:11 < Chosi> well you're gonna push 255.255.255.0 then i guess
08:11 < Chosi> 10.8.0.5 255.255.255.0
08:13 < Chosi> and if all clients and the server is up to date you can also use "topology subnet" in your config and assign any ip starting from 2
08:15 < j03> Ah right! Sorry, I read about that but I thought it was a beta thing
08:16 < j03> But it's not any more! I will give it a go. Thanks.
08:18 < hyper_ch> anyone here got a nokia cell phone?
08:18 < j03> Well I've got access to an E63. Why?
08:18 < hyper_ch> j03: does it have calendar and stuff?
08:19 < Chosi> you don't want a nokia phone
08:19 < Chosi> :P
08:19 < j03> Yep
08:20 < hyper_ch> j03: do you synchronize it with a syncml server?
08:20 < j03> I dont, sorry!
08:20 < j03> It's my dad's phone. He uses the calendar, but he doesn't sync it with anything.
08:20 < hyper_ch> damn, I think with the last firmware upgrade that I did, it remove the seperate tasks entry
08:20 < hyper_ch> now I can't sync them anymore :(
08:21 < j03> Couldn't you do a firmware "downgrade"?
08:21 < hyper_ch> that seems not be possible :(
08:22 < j03> Which model is it?
08:23 < j03> Chosi: "topology subnet" works great! Thank you :)
08:23 < hyper_ch> 6210
08:23 < Chosi> yay
08:40 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
08:46 -!- doug_ndndn [~doug@78-86-178-196.zone2.bethere.co.uk] has left ##openvpn ["Leaving"]
08:48 -!- Serideru [~GTWebster@24-117-150-192.cpe.cableone.net] has quit [Remote host closed the connection]
08:51 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Quit: Leaving]
08:59 -!- jave [~user@109.58.57.247.bredband.tre.se] has joined ##openvpn
09:00 < jave> !welcome
09:00 < vpnHelper> jave: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:00 -!- j03 [~6de08059@gateway/web/freenode/x-nsefkgmtesjwbnno] has quit [Ping timeout: 252 seconds]
09:01 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
09:02 < jave> I would like all trafic from my laptop to my 192.168.200.0 net go through openvpn, regardless of other nics that might provide routes there that might be up. 
09:02 < jave> which manpage should I look at?
09:09 -!- ayi [~vegar@fou193.telenor.ntnu.no] has quit [Ping timeout: 264 seconds]
09:12 < ecrist> !man
09:12 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
09:13 < lazarus477> jave: A small tip. Read all the comments in the sample server config file...
09:21 < jave> lazarus477: ok Thanks
09:32 < jave> lazarus477: did you mean the "push" stuff? that didnt quite work because I need to push a route with metric 0 to defeat the other routes
09:33 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
09:49 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
09:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:19 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
10:40 < Bushmills> !redirect
10:40 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
10:41 < Bushmills> jave: ^^^
10:41 < Bushmills> ehm, nm. i read "all traffic"
10:42 < jave> Bushmills: Thanks anyway
10:43 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has quit [Read error: Connection reset by peer]
10:43 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
10:50 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Ping timeout: 272 seconds]
10:52 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
10:57 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
11:03 -!- theDoc [~jaki@173.236.41.36] has joined ##openvpn
11:03 -!- theDoc [~jaki@173.236.41.36] has quit [Changing host]
11:03 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
11:15 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 248 seconds]
11:18 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has joined ##openvpn
11:25 -!- jave [~user@109.58.57.247.bredband.tre.se] has quit [Ping timeout: 248 seconds]
11:33 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
11:51 -!- dazo is now known as dazo_afk
11:57 -!- DrPepper [~DrPepper@88.207.183.72] has joined ##openvpn
12:00 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
12:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:05 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
12:21 -!- cj [~cjac@173-10-126-202-BusName-Washington.hfc.comcastbusiness.net] has joined ##openvpn
12:21 < cj> o/
12:21 < cj> if it seems like my vpn connection resets every hour, what should I look for in the config file to try to make it stop?
12:23 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
12:24 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has quit [Ping timeout: 264 seconds]
12:28 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has joined ##openvpn
12:31 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Read error: Connection reset by peer]
12:31 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
12:33 < ecrist> !keepalive
12:33 < vpnHelper> ecrist: Error: "keepalive" is not a valid command.
12:34 < hyper_ch> hi ecrist
12:34 < hyper_ch> hi Bushmills
12:43 < ecrist> hi, hyper_ch 
12:43 < hyper_ch> what do you keep alive?
12:45 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:47 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has left ##openvpn []
13:04 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
13:19 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 276 seconds]
13:58 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Read error: Connection reset by peer]
13:59 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
14:12 -!- KaiForce [~chatzilla@adsl-70-228-114-90.dsl.akrnoh.ameritech.net] has joined ##openvpn
14:24 -!- STF_ [~chatzilla@dslb-084-061-142-110.pools.arcor-ip.net] has joined ##openvpn
14:24 -!- STF_ is now known as STF
14:32 < Bushmills> hi hyper_ch
14:42 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
15:04 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: Leaving.]
15:12 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 240 seconds]
15:15 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
15:15 -!- mark____ [~mark@cpc11-shef10-0-0-cust148.barn.cable.virginmedia.com] has joined ##openvpn
15:15 < mark____> if I delete a users key, does that stop them from connecting or do I have to revoke it?
15:18 < krzee> must revoke it
15:18 < krzee> !crl
15:18 < vpnHelper> krzee: "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn)
15:18 < vpnHelper> krzee: that will create the CRL file for you. ssl-admin will also build a crl for you
15:19 < krzee> the users key doesnt even live on the server
15:19 < krzee> it lives on the CA
15:19 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
15:20 < krzee> its allowed to connect because the server checks the client cert with its ca cert, and sees the user cert was signed by the ca key
15:47 -!- takamichi [~pri@78.133.37.89] has joined ##openvpn
15:56 -!- KaiForce [~chatzilla@adsl-70-228-114-90.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
16:20 -!- le0_ [~fin@cpc4-bele7-2-0-cust381.know.cable.virginmedia.com] has quit [Quit: Leaving]
16:49 -!- emerica [~emerica@216.13.208.109] has quit [Remote host closed the connection]
16:50 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
17:05 -!- dollabill [~mike@207.sub-75-201-17.myvzw.com] has joined ##openvpn
17:10 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
17:31 -!- dollabill [~mike@207.sub-75-201-17.myvzw.com] has quit [Ping timeout: 276 seconds]
17:33 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:33 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
17:38 -!- Niklas- [~niklas@217.116.253.195] has quit [Ping timeout: 264 seconds]
17:39 -!- Niklas- [~niklas@217.116.253.195] has joined ##openvpn
17:44 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
17:54 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
17:56 -!- takamichi [~pri@78.133.37.89] has quit []
18:13 -!- DrPepper [~DrPepper@88.207.183.72] has quit [Ping timeout: 265 seconds]
18:22 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
19:05 -!- STF [~chatzilla@dslb-084-061-142-110.pools.arcor-ip.net] has quit [Read error: Connection reset by peer]
19:06 -!- STF [~chatzilla@dslb-084-061-142-110.pools.arcor-ip.net] has joined ##openvpn
19:06 -!- STF [~chatzilla@dslb-084-061-142-110.pools.arcor-ip.net] has quit [Client Quit]
19:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
19:18 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
19:19 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
19:25 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
19:25 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
19:48 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
20:05 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:10 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
20:19 -!- xargs [~xargs@69.73.167.236] has quit [Remote host closed the connection]
20:25 -!- xargs [~xargs@69.73.167.236] has joined ##openvpn
20:41 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
20:42 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has left ##openvpn []
20:45 < krzee> this has to be the longest daytime hours ive seen for a long time without speaking in here
20:49 < theDoc> Without a doubt.
21:17 -!- mark____ [~mark@cpc11-shef10-0-0-cust148.barn.cable.virginmedia.com] has quit [Ping timeout: 260 seconds]
21:19 < networkn> krzee: if a tunnel appears to be up but you can't ping the other end of the tunnel or anything beyond it, what is normally the cause? seems like it went so far as to assign the remote end a ip via dhcp
21:20 < krzee> often its a firewall, but verb 5 logs would help know better
21:24 < theDoc> firewall/ip_forward/dns (possibly?) if you're trying to resolve hostnames.
21:25 < krzee> ahh right, i assumed pinging vpn ip
21:27 < krzee> !winipforward
21:27 < vpnHelper> krzee: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
21:33 < krzee> !samesubnet
21:33 < vpnHelper> krzee: "samesubnet" is clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
21:33 < krzee> (im using these somewhere else)
21:34 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
21:35 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
21:35 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 265 seconds]
22:00 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
22:10 < krzie> !hmac
22:10 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
22:10 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
22:29 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Ping timeout: 272 seconds]
22:46 < krzie> !pptp
22:46 < vpnHelper> krzie: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
22:46 < vpnHelper> krzie: read about why to not use pptp
22:47 < theDoc> pptp is gud because you only need 1 user name and passs!
22:47 < theDoc> easy to do!
22:47 < theDoc> more pptp! hehehe
22:49  * theDoc thinks that people are mistaken to think that a web-ssl portal to company resources is being considered as a ssl vpn.
22:54 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
22:55 < krzie> !iphone
22:55 < vpnHelper> krzie: "iphone" is (#1) http://github.com/jfx2006/OpenVPN_iphone/downloads for precompiled iphone binaries, or (#2) http://modmyi.com/cydia/package.php?id=15784 for the gui portion, or (#3) http://www.zdnet.com/blog/hardware/ubuntu-lucid-lynx-1004-can-read-your-iphones-secrets/8424 <-- be aware of that before putting your keys on an iphone
23:44 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 276 seconds]
--- Day changed Wed Jun 09 2010
00:05 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
00:11 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 248 seconds]
00:34 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
00:39 -!- ayi [~vegar@fou193.telenor.ntnu.no] has joined ##openvpn
00:53 -!- takamichi [~pri@78.133.37.89] has joined ##openvpn
00:58 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
00:59 -!- mode/##openvpn [+o mattock] by ChanServ
00:59 -!- takamichi [~pri@78.133.37.89] has quit [Ping timeout: 276 seconds]
00:59 -!- takamichi [~pri@dyn-109-169-25-69.connexionplus.com] has joined ##openvpn
01:02 -!- DrPepper [~DrPepper@88.207.183.72] has joined ##openvpn
01:04 < theDoc> tikimachi!
01:29 -!- takamichi [~pri@dyn-109-169-25-69.connexionplus.com] has quit [Ping timeout: 240 seconds]
01:29 -!- takamichi [~pri@78.133.37.89] has joined ##openvpn
01:35 -!- RichiH [~richih@freenode/staff/richih] has quit [Remote host closed the connection]
01:35 -!- RichiH [~richih@freenode/staff/richih] has joined ##openvpn
02:43 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:47 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
03:12 -!- dazo_afk is now known as dazo
03:18 -!- mape2k [~mape2k@2001:638:904:ffc4:221:86ff:fe98:93a2] has joined ##openvpn
03:20 < kraut> moin
03:20 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
03:20 < theDoc> Moin'.
03:24 < |Mike|> morning theDoc 
03:25 < theDoc> I was well, actually responding to kraut ;p
03:25 < theDoc> It's like 4:25pm here.
03:25  * theDoc snickers.
03:27 < kraut> moin theDoc 
03:27 < kraut> Mi 9. Jun 10:27:43 CEST 2010
03:27 < theDoc> What's CEST?
03:32 < |Mike|> Wed Jun  9 10:19:19 CEST 2010
03:32 < |Mike|> kraut: woot, another european :)
03:36 -!- mape2k [~mape2k@2001:638:904:ffc4:221:86ff:fe98:93a2] has quit [Ping timeout: 272 seconds]
03:37 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:58 -!- buntfalke [~nobody@openvpn-p0-227.triple-a.uni-kl.de] has joined ##openvpn
03:58 -!- buntfalke [~nobody@openvpn-p0-227.triple-a.uni-kl.de] has quit [Changing host]
03:58 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:14 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
04:29 -!- mark____1 [~mark@cpc11-shef10-0-0-cust148.barn.cable.virginmedia.com] has joined ##openvpn
04:37 < kisom> all great software is from europe
04:37 < kisom> most of it anyways ;)
04:59 -!- mark____1 [~mark@cpc11-shef10-0-0-cust148.barn.cable.virginmedia.com] has quit [Ping timeout: 258 seconds]
05:17 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
05:22 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has quit [Ping timeout: 248 seconds]
05:25 -!- screenn [~screenn@77.222.135.254] has joined ##openvpn
05:26 < screenn> I have a problems with tunnel with this error on client side logs "openvpn TLS Error: Unroutable control packet received from (si=3 op=P_CONTROL_V1)"
05:26 < screenn> and this on server side logs " TLS Error: TLS handshake failed";
05:27 < screenn> I wonder to have this kind of errors, tunnel was working before
05:30 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
05:35 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has joined ##openvpn
05:35 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:40 -!- juergen_dose [~chroiss@p5798C759.dip0.t-ipconnect.de] has joined ##openvpn
05:44 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
05:45 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
05:45 < juergen_dose> hi is there a possibility that openvpn advertises ipv6 adresses directly ?. like ipv4 using ifconfig-pool in config file. or is it necessary to use a up-script (client and server) ?
05:47 < juergen_dose> !welcome
05:47 < vpnHelper> juergen_dose: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:48 < juergen_dose> !howto
05:48 < vpnHelper> juergen_dose: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
05:48 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has quit [Remote host closed the connection]
05:54 -!- sara2010 [~sara@202.100.181.58.dynamic.max.com.pk] has joined ##openvpn
05:54 < sara2010> hi
05:54 < sara2010> anyone there
05:55 < sara2010> http://pastebin.com/bmRzJgHk
05:56 < sara2010> i have past  server.config
05:56 < sara2010> plzz anyone help me?
05:57 < screenn> it's just was an another ca.crt file :)
05:58 < screenn> everything is good now
05:58 -!- screenn [~screenn@77.222.135.254] has quit [Quit: Leaving]
06:16 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
06:17 < networkn> is there any manual removal instructions to remove all traces of the tap adapter from a Windows xp machine?
06:17 < networkn> !uninstall
06:17 < vpnHelper> networkn: Error: "uninstall" is not a valid command.
06:17 < networkn> !remove
06:17 < vpnHelper> networkn: (remove <name>) -- Removes the command for looking up RSS feeds at <name> from this plugin.
06:23 -!- vaq [~vaq@0x573c2830.vbrnqu1.dynamic.dsl.tele.dk] has joined ##openvpn
06:23 < vaq> Is ifconfig-pool-persist broke in OpenVPN 2.1_rc11 ?
06:24 < |Mike|> no idea
06:24 < |Mike|> see mailing lists ;)
06:24 < vaq> I have "ifconfig-pool-persist ips.txt" within openvpn.conf, but the file remains empty
06:24 < vaq> And yes, I did restart OpenVPN and there is clients connected
06:24 < vaq> verified through openvpn-status.log
06:38 < vaq> I just compiled 2.1.1 same error?
06:39 < vaq> can anyone please clarify, thank you.
06:40 < Chosi> nope it worked for me in 2.1_tc11
06:45 < ecrist> vaq: upgrade to 2.1.1
06:45 < Chosi> *rc
06:45 < sara2010> :(
06:45 < sara2010> i m upset
06:45 < sara2010> why no one going to help me
06:45 < vaq> I'm running 2.1.1 now
06:45 < Chosi> vaq: worked for me as i specified a path to the file
06:45 < vaq> still the same issue
06:46 < vaq> Chosi: So it needs full-path ?
06:46 < Chosi> don't know
06:46 < Chosi> try it :)
06:46 < Chosi> ifconfig-pool-persist /etc/openvpn/ips.txt
06:46 < sara2010> http://pastebin.com/bmRzJgHk
06:46 < Chosi> that's what i used
06:46 < sara2010> i paste server.config
06:46 < sara2010> plzz any one help me
06:46 < sara2010> where should i need to change
06:46 < Chosi> what the fuck is your problem?
06:47 < ecrist> whoa, settle down, Chosi
06:47 < Chosi> -the fuck
06:47 < Chosi> typo!
06:48 < ecrist> typo my ass, just don't do it again.
06:49 < vaq> Chosi: still not working, the file remains empty even when a client connects
06:49 < Chosi> vaq: may i see your config?
06:50 < vaq> sec
06:50 < vaq> Chosi: http://pastebin.ca/1879682
06:51 < Chosi> uhm
06:51 < Chosi> this looks messed up
06:51 < Chosi> :D
06:51 < vaq> ?
06:51 < Chosi> nah just a sec
06:52 < Chosi> tried attaching .txt? just a guess tho
06:52 < Chosi> appending
06:52 < Chosi> whatever
06:52 < vaq> lol
06:52 < vaq> sec
06:53 < vaq> ifconfig-pool-persist /etc/openvpn/ips.txt
06:53 < vaq> still the same
06:53 < vaq> empty file.
06:53 < Chosi> u sure that user has write access to that folder?
06:53 < ecrist> !welcome
06:53 < vpnHelper> ecrist: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:53 < Chosi> oh well but it creates the file?
06:53 < ecrist> readb that, vaq
06:53 < vaq> Chosi: yup
06:54 < vaq> it creates the file upon startup
06:54 < Chosi> just use static ips ;)
06:54 < Chosi> *cough*
06:54 < vaq> ecrist: I did provide config?
06:54 < ecrist> what about logs?
06:55 < Chosi> good point.
06:55 < Chosi> :D
06:55 < vaq> I'm running it in debug mode and there are no errors, i see the clients connecting fine
06:55 < sara2010> vaq,  
06:55 < sara2010> help me 
06:55 < Chosi> ;D
06:55 < ecrist> vaq: I would like to see your logs, or I cannot help you
06:56 < sara2010> ecrist,  can u help me?
06:56 < ecrist> sara2010: what is your problem, and where is your logs?
06:56 < sara2010> ecrist,   paste my server.config file
06:56 < sara2010> http://pastebin.com/bmRzJgHk
06:56 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
06:57 < Bushmills> that's the *sample* config
06:57 < vaq> ecrist: http://pastebin.ca/1879685
06:57 < vaq> oh
06:57 < vaq> oh god
06:58 < vaq> I see the warning now, do'h
06:58 < Chosi> vaq:hehe
06:58 < Chosi> :>
06:58 < vaq> It doesn't state that in the manual :/
06:58 < ecrist> vaq: this is why we like to see logs.
06:58 < vaq> ecrist: I get you.
06:58 < vaq> ecrist: my apologies.
06:58 < sara2010> ecrist,  have you check it ?
07:00 < vaq> hmm
07:00 < vaq> it still doesn't work
07:00 < vaq> after removing duplicate-cn
07:01 < ecrist> sara2010: you still haven't told me your problem.
07:02 < vaq> ecrist: It still doesnt write to ips.txt upon client connecting.
07:02 < ecrist> vaq: you're using a static key setup, which is only a one-to-one vpn
07:02 < sara2010> ecrist,  i told you  i m confusing to configure ..  server.conf  file 
07:02 < sara2010> which i paste you
07:03 < ecrist> sara2010: read the howto and the man page, first
07:03 < ecrist> I'm not willing to configure your vpn for you
07:03 < ecrist> !howto
07:03 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:03 < vaq> ecrist: yes, but how do I provide a static IP to a client then?
07:03 < vaq> ecrist: if I manually set a IP on tun0 on a client, the network drops.
07:03 -!- xro [~a062ef85@gateway/web/freenode/ip.160.98.239.133] has joined ##openvpn
07:04 < xro> hi, i get an error with openvpn and mod ldap...  --> No remote address supplied to OpenVPN LDAP Plugin.... someone knows how to fix it?
07:04 < Chosi> !cd!ccd
07:04 < vpnHelper> Chosi: Error: "cd!ccd" is not a valid command.
07:04 < Chosi> err.
07:04 < Chosi> !ccd
07:04 < vpnHelper> Chosi: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
07:05 < ecrist> vaq: you need to solve the conflicting subnet issue, first.
07:05 < ecrist> your vpn isn't starting up properly
07:06 < sara2010> ecrist, 
07:06 < sara2010> [root@vpn openvpn]# cd easy-rsa/
07:06 < sara2010> [root@vpn easy-rsa]# ./build-key client1
07:06 < sara2010> you must define KEY_DIR
07:06 < ecrist> sara2010: read the documentation
07:06 < ecrist> it's telling you what you must do.
07:06 < ecrist> set KEY_DIR
07:07 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:07 < sara2010> how
07:07 < sara2010> where
07:07 < xro> nobody???
07:07 < ecrist> in the easy-rsa directory, there should be a readme file
07:07 < ecrist> read it
07:07 < ecrist> xro: sorry, I've not used that plugin.
07:09 -!- Irssi: ##openvpn: Total of 97 nicks [3 ops, 0 halfops, 0 voices, 94 normal]
07:15 < xro> nobodyelse?
07:16 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
07:17 < ecrist> xro: more people will be around in a few hours.
07:17 < ecrist> most people in here are in north america, and it's still fairly early in most of the continent.
07:17 < xro> ecrist, ok, but it's on a production environnement... i receive a lot of complaints... :)
07:17 < Bushmills> xro: ist that a pam module?
07:18 < xro> Bushmills, no, a ldap module
07:19 < theDoc> g'evening all.
07:21 < xro> i found that patch --> http://code.google.com/p/openvpn-auth-ldap/issues/attachmentText?id=4&aid=-608153250226553763&name=auth-ldap-remoteAddress.patch&token=4dcf3962184f5c68d550fb23bcb22ca3
07:21 < vpnHelper> Title: auth-ldap-remoteAddress.patch (filesize) - openvpn-auth-ldap - Project Hosting on Google Code (at code.google.com)
07:22 < xro> vpnHelper, is it this patch? did you already tried it?
07:22 < vpnHelper> xro: Error: "is" is not a valid command.
07:22 < ecrist> xro: it's a bot
07:22 < xro> ecrist, ok
07:37 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has joined ##openvpn
08:07 -!- sara2010 [~sara@202.100.181.58.dynamic.max.com.pk] has quit [Quit: Leaving]
08:22 < Chosi> :>
08:22 < theDoc> :>
08:29 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
08:46 -!- Warp4 [~os2user@firewall-a.buf.ny.i-evolve.net] has joined ##openvpn
08:48 < Warp4> hi all.  i have a client config file generated by OpenVPN-AS (which is based on OpenVPN, latest version) and for some reason, OpenVPN 2.0.9 crashes on the <ca> line in the config file.
08:48 < Warp4> do i need to find a current build of OpenVPN for my OS?
08:49 < theDoc> Why are you using the opensource vpn client when AS already has a built in client?
08:54 < Warp4> this machine isnt a windows machine
08:55 < Warp4> and its not a mac or linux machine either
08:57 < theDoc> What machine is it?
08:57 < Warp4> OS/2-based
08:57 < Warp4> well, eComStation 2.0 actually
08:57 < theDoc> Try upgrading it to something like, 2.1
08:58 < Warp4> ok ill have to grab the source and build the binaries from that.  no biggie :)
08:58 < xro> hi, i get an error with openvpn and mod ldap...  -->   http://dpaste.com/205171/     can yiou help me?
08:58 < theDoc> <3
09:06 < xro> i have these line on my openvpn server... but the ipp.txt is empty...   is it normal? # Maintain a record of client <-> virtual IP address ifconfig-pool-persist ipp.txt
09:08 < xro> nobody could  help me???
09:10 -!- ayi [~vegar@fou193.telenor.ntnu.no] has quit [Ping timeout: 258 seconds]
09:14  * Warp4 has set away! (auto away after idling [15 min]) [Log:ON] .gz.
09:14 < |Mike|> Warp4: please set that off
09:17 -!- takamichi [~pri@78.133.37.89] has quit [Ping timeout: 260 seconds]
09:18 -!- takamichi [~pri@dyn-109-169-25-92.connexionplus.com] has joined ##openvpn
09:20 -!- MadTBone [~MadTBone@160.39.238.196] has joined ##openvpn
09:22 < xro> nobody never use auth_ldap.so with openvpn???
09:23 < |Mike|> my experiences are bad with it :P
09:24 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Client Quit]
09:26 < xro> |Mike|, but yould maybe help me a bit? --> http://dpaste.com/205171/
09:29 -!- Warp4 [~os2user@firewall-a.buf.ny.i-evolve.net] has left ##openvpn []
09:30 < |Mike|> xro: i was about to head to the trainstation. Maybe that someone else can help you :)
09:32 < xro> i asked all days for support
09:37 -!- kale [~kale@port711.ds1-soeb.adsl.cybercity.dk] has joined ##openvpn
09:38 < kale> hi i'm thinkking about setting up a vpn server. can i make it work with windows clients?
09:47 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 258 seconds]
09:49 < Bushmills> yes
09:49 < Bushmills> !windows
09:49 < vpnHelper> Bushmills: "windows" is pcs are like air conditioners, they work fine unless you open windows
09:49 < Bushmills> hm
09:50 < theDoc> lol
09:50 < Bushmills> !factoids search windows
09:50 < vpnHelper> Bushmills: "windows" is pcs are like air conditioners, they work fine unless you open windows
09:55 < Bushmills> actually, openvpn works with windows, client and server. but "can i make it work" depends on whether you take the time to look at the manual
09:56 < Chosi> Bushmills: heard any further reports of disconnects after an hours?
09:56 < Chosi> *hour
09:56 < Chosi> couldn't get any info on "why" from neither server or clientlogs
09:58 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Ping timeout: 272 seconds]
10:09 < Bushmills> Chosi: no, nothing. maybe reconnect after DHCP address expiring and renewing?
10:15 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Ping timeout: 264 seconds]
10:18 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has quit [Read error: Connection reset by peer]
10:18 -!- takamichi [~pri@dyn-109-169-25-92.connexionplus.com] has quit [Ping timeout: 258 seconds]
10:19 -!- takamichi [~pri@dyn-109-169-25-92.connexionplus.com] has joined ##openvpn
10:22 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has joined ##openvpn
10:26 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
10:27 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:37 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
10:41 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 272 seconds]
10:44 -!- xro [~a062ef85@gateway/web/freenode/ip.160.98.239.133] has left ##openvpn []
10:50 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Remote host closed the connection]
10:52 -!- screen-x [~screen-x@91.84.155.61] has joined ##openvpn
10:57 < screen-x> Hi All,  Openvpn is warning of a route conflict, but the route in question is not present according to the os. Relevant output: http://pastebin.com/DG59Edp2
10:58 < theDoc> Read the error message carefully.
10:59 < screen-x> What I dont understand is why openvpn thinks the local lan uses a /24, when it doesn't. 
11:00 < theDoc> Do the subnets overlap?
11:00 < theDoc> The vpn subnet and the local lan subnet.
11:02 < screen-x> nope, they don't over lap 10.187.129.128/26 is local and 10.187.129.192/26 is the vpn subnet 
11:03 < theDoc> Hang on.
11:04 < theDoc> I think you can disregard it, it's warning of a potential conflict.
11:04 < screen-x> theDoc: ok, thanks for looking at it :)
11:05 < theDoc> np.
11:05 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
11:16 < flok420> any news about openvpn & ipv6
11:16 < flok420> ?
11:16 -!- takamichi [~pri@dyn-109-169-25-92.connexionplus.com] has quit [Ping timeout: 272 seconds]
11:17 < hyper_ch> howdy
11:18 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: Leaving.]
11:21 -!- roentgen [~HaRT@miranda/user/roentgen] has joined ##openvpn
11:27 < ecrist> flok420: ipv6 is supported in testing.
11:27 < ecrist> !snapshots
11:27 < vpnHelper> ecrist: "snapshots" is (#1) weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn, or (#2) by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch
11:28 -!- roentgen [~HaRT@miranda/user/roentgen] has quit [Quit: Leaving.]
11:33 < flok420> ecrist: and how does that work? will it automatically "bridge" (in server mode!) the router advertisement messages?
11:34 < ecrist> no idea, I've not used it.
11:35 < ecrist> I would suggest trying it.
11:35 < ecrist> fwiw, that's the official development snapshot
11:38 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
11:56 -!- DrPepper [~DrPepper@88.207.183.72] has quit [Quit: Leaving...]
12:02 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined ##openvpn
12:02 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:02 < grendal_prime> hey can anyone suggest a quick method for authentication against an AD dc?
12:03 < grendal_prime> the ...it dept is not happy with the idea of our openvpn server (for our mac and linux users) having a seperate authentication to maintain.  
12:04 < grendal_prime> we currently have something in place that uses perl but it seem jankety and it seems to have a problem with the 2008 domain controllers.
12:06 < ecrist> !ldap
12:06 < vpnHelper> ecrist: Error: "ldap" is not a valid command.
12:06 < ecrist> !eurphia
12:06 < vpnHelper> ecrist: Error: "eurphia" is not a valid command.
12:07 < ecrist> grendal_prime: there is an ldap plugin for openvpn
12:07 < ecrist> !dazo
12:07 < vpnHelper> ecrist: Error: "dazo" is not a valid command.
12:07 < dazo> !eurephia
12:07 < dazo> ?
12:07 < vpnHelper> dazo: "eurephia" is http://www.eurephia.net/
12:07 < ecrist> there you go
12:07 < ecrist> !learn dazo as [eurephia]
12:07 < vpnHelper> ecrist: Joo got it.
12:07 < ecrist> !dazo
12:07 < vpnHelper> ecrist: "dazo" is "eurephia" is http://www.eurephia.net/
12:08 < ecrist> :)
12:08 < dazo> but eurephia that's not supporting anything else than an SQLite database for authentication right now.  Even though, there are work in progress to enable other forms in the future
12:09 < ecrist> I thought you had an ldap plugin, too
12:09 < dazo> ecrist: I've not had time to develop that yet ... but LDAP is on the TODO list
12:09 < ecrist> dazo--
12:10 < dazo> somehow much of my time has lately been eaten up by maintaining this openvpn-testing.git tree ..... oddly enough ;-)
12:10  * dazo found that a lot more important, though
12:11 < ecrist> indeed.
12:11 < ecrist> impressive progress overall.
12:11 < ecrist> now we just need some more 'official' beta/alpha releases.
12:15 < dazo> oh yeah :)
12:15 < dazo> I'm headed out for 2 weeks holiday on Friday ... but this is something I'm gonna push more in the developer meetings
12:16 < dazo> when coming back, that is
12:18 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Remote host closed the connection]
12:20 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
12:20 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Client Quit]
12:30 < krzie> !ad
12:30 < vpnHelper> krzie: Error: "ad" is not a valid command.
12:30 < krzie> !factoids search directory
12:30 < vpnHelper> krzie: "activedirectory" is http://amigo4life.googlepages.com/openvpn for the guide of how to auth against AD
12:31 < krzie> flok420, 
12:31 < krzie> heres how it works
12:31 < krzie> !ipv6
12:31 < vpnHelper> krzie: "ipv6" is (#1) http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_OpenVPN_Tunnelbroker.php?lang=en to learn how to setup openvpn to be an ipv6 tunnel broker, or (#2) Here are some scripts from the mail list: http://article.gmane.org/gmane.network.openvpn.user/27514 or from a mirror: http://www.ircpimps.org/join-0.8.tar, or (#3) http://www.greenie.net/ipv6/openvpn.html for ipv6 payload patch
12:31 < vpnHelper> krzie: (adds some nice ipv6 options)
12:32 < krzie> see #3
12:32 < krzie> thats the patch, and how to use it
12:32 < krzie> the patch is already in the devel snapshot
12:33 < grendal_prime> that seems to be the ticket there guys thanks
12:34 < krzie> np
12:35 < grendal_prime> ubuntu 1004 also has a package intstall for it
12:42 -!- donavan [~donavan@unaffiliated/donavan] has joined ##openvpn
13:10 -!- donavan [~donavan@unaffiliated/donavan] has left ##openvpn ["Leaving"]
13:22 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
13:24 -!- dazo is now known as dazo_afk
13:42 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
13:48 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
14:01 -!- juergen_dose [~chroiss@p5798C759.dip0.t-ipconnect.de] has left ##openvpn []
14:06 < kisom> https://ck3r.org/StoRo-logon/tunnel/
14:06 < vpnHelper> Title: StormRoute (at ck3r.org)
14:06 < kisom> pretty slick and simple UI to provide clients with the option to enable rerouting ;)
14:38 -!- manicman [~manicman@unaffiliated/manicman] has joined ##openvpn
14:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
14:41 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:51 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
14:53 -!- arcsky [~arcsky@2a01:48:100:1:1::1c2] has quit [Ping timeout: 260 seconds]
15:07 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:08 -!- arcsky [~arcsky@2a01:48:100:1:1::1c2] has joined ##openvpn
15:12 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
15:13 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 272 seconds]
15:21 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Quit: Ex-Chat]
15:43 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
15:55 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
15:56 -!- manicman [~manicman@unaffiliated/manicman] has quit [Remote host closed the connection]
15:58 -!- solid [~nobody@solidclouds.com] has joined ##openvpn
15:58 < solid> !welcome
15:58 < vpnHelper> solid: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:59 < solid> ok
15:59 < krzee> !goal
15:59 < solid> centos + openvpn + manual starting == works
15:59 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:59 < solid> centos + openvpn + init.d == permission denied
16:00 < solid> issue is with selinux
16:00 < solid> this is my issue:
16:00 < krzee> !selinux
16:00 < vpnHelper> krzee: Error: "selinux" is not a valid command.
16:00 < solid> http://www.engardelinux.org/modules/index/list_archives.cgi?list=selinux&page=0285.html&month=2007-05
16:00 < vpnHelper> Title: selinux Re: Centos 5 OpenVPN / SElinux (at www.engardelinux.org)
16:00 < krzee> !factoids search --values selinux
16:00 < vpnHelper> krzee: No keys matched that query.
16:00 < krzee> meh
16:00 < krzee> well if it starts well by hand, its something OS specific as for automated starting
16:00 < krzee> in other words,
16:00 < krzee> !notovpn
16:00 < vpnHelper> krzee: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
16:00 < solid> with selinux if i setenforce 0 and it works
16:01 < solid>  setenforce 1 and it doesnt
16:02 < solid> im gona ask in other chans if anyone knows how to fix it
16:02 < solid> i can turn off selinux for the openvpn daemon but thats not a solution
16:04 < krzee> ya a channel specific to centos/selinux would get you much faster help ild think
16:04 < krzee> im not saying your question is off-topic for here
16:04 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:04 < krzee> just saying for best results, ask it there ;]
16:05 < krzee> and if you tell me what your end fix is, maybe ill add it to my bot for the next guy
16:06 < solid> i turned off selinux for openvpn daemon
16:06 < solid> and it works
16:06 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
16:06 < solid> not the best solution for the issue though
16:08 < solid> is there a centos cannel here?
16:10 < krzee> there is #selinux
16:11 < solid> yeah asked there too
16:11 < solid> ill see what comes up
16:18 -!- Alphanaut [~chatzilla@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
16:19 < Alphanaut> can anyone suggest a good gui for using openvpn in ubuntu?
16:24 < krzee> why do you need a gui?
16:25 < krzee> just to click start and stop?
16:26 < krzee> there exists multiple GUIs for osx and i dont understand why people use them (osx is my primary desktop)... i just made a shortcut to a shell command which i click to start it, then i minimize the window... i close the window to kill the vpn
16:36 < Bushmills> grin - mine start when machines boots, and just keep running
16:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
16:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
16:49 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
16:51 < solid> 18:36 < Bushmills> grin - mine start when machines boots, and just keep running
16:51 < solid> selinux ever make you mad?
16:52 < Bushmills> nope. that's just in accordance with the way i use openvpn
17:14 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
17:23 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
17:54 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
18:03 -!- Alphanaut [~chatzilla@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Remote host closed the connection]
18:08 < cj> so.  how do I get my CA into firefox and chrome?
18:24 < krzee> umm, huh!?
18:24 < krzee> openvpn has nothing to do with any web browser
18:24 < krzee> thus, you dont
18:25 < krzee> solid, Bushmills' comment was directed at me and alphanaut
18:25 < ecrist> cj, you need to import your ca.crt into the browser
18:26 < ecrist> just opening that file in the browser should start the import process.
18:27 < krzee> i dont get it
18:27 < krzee> why would he import ca.crt into his browser...?
18:28 < solid> idk
18:28 < ecrist> krzee: I use my CA at work for more than just VPN connections.
18:29 < krzee> ok thats valid, but i think hes misunderstanding in what way openvpn is a ssl vpn
18:29 < ecrist> we have a single company root CA, and various other purposed certificates, some of those being server certs for internal services, such as LDAP, and other things like Jabber, etc.
18:29 < krzee> or hes using AS
18:29 < krzee> at least thats why *I* bet on
18:30 < krzee> solid, why do you feel you need your ca.crt in your web browser?
18:30 < ecrist> he doesn't, cj does.
18:31 < solid> i use vpn strictly to keep services on internal network
18:34 < krzee> oh my bad
18:34 < krzee> cj, why do you feel you need your ca.crt in your web browser?
18:36 < solid> can always gen another crt
18:36 < solid> no?
18:40 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
19:10 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
19:14 < cj> krzee: to do the bizniz
19:14 < cj> krzee: web hosting, network equipment, etc.
19:16 < cj> ecrist: yeah.  I worked at that company once.  it was called amazon.  nobody knew how to install the certs and it was teh pain.
19:16 < cj> note to self: if you're going to use a CA cert in your business, get it into the cert roots of the software you use
19:23 < solid> amazons cloud is way overpriced >:\
19:23 < solid> aka cant afford =[
19:28 -!- tjz [~pc@bb116-14-142-112.singnet.com.sg] has joined ##openvpn
19:28 -!- tjz [~pc@bb116-14-142-112.singnet.com.sg] has quit [Changing host]
19:28 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
19:32 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has joined ##openvpn
19:33 < cj> solid: yeah.  are you a huge business?  no?  you're not the target market.
19:34 < solid> sucks =[
19:34 < cj> solid: use my client's: http://www.stormondemand.com/cloud-hosting/
19:34 < vpnHelper> Title: Storm Cloud Servers - A Liquid Web Company (at www.stormondemand.com)
19:34 < cj> $50/mo for unmanaged machines
19:34 < solid> i offer the same thing managed
19:35 < cj> well then.  :)
19:36 < cj> oh, wait.  CentOS 5.4 64bit with Cpanel Fully-Managed <- $20
19:37 < cj> oh, that's the template on top of the vm. ;)
19:38 < cj> 2G + 150G + 1CPU for $50
19:38 < cj> anyway. :)
19:38 < solid> sounds about right
19:39 < solid> i was having an issue with selinux and openvpn ealier 
19:39 < solid> fixed it though
19:39 < cj> what OS?
19:39 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
19:41 < solid> centos with grsec
19:43 -!- f1assistance [~Carl@cpe-174-097-180-133.nc.res.rr.com] has left ##openvpn []
19:49 < cj> what kernel version does that run?
19:49 < krzee> cj, ahh ok, just assumed you were talking about ca.crt that you made for openvpn (since we're here and all)
19:49 < cj> krzee: yeah.  this is the primary area I use certs at this point, but I'd probably use it on my http, kerberos, ldap and smtp servers if I didn't have to get the CA to all of the machines in question
19:51 < solid> latest 
19:52 < solid> but it was annoying because repos are down 
19:52 < cj> solid: is latest something like 10,000 patches on 2.6.18?
19:54 < solid> ha
19:54 < krzee> cj, if it was signed as a intermediate CA by a CA already in every machines browser, you wont need to
19:54 < krzee> if its a CA you made and signed yourself, you need to
20:03 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:16 < cj> krzee: yeah, well... I've priced it out for Verisign.  It would be easier for me to get it shipped in CA stores than it would be to pay that fee ;)
20:17 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
20:19 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
20:41 < networkn> anyone have any ideas why when I can establish a connection between a remote pc and the server, and the remote end is getting an ip from the server, why I can't ping the other end of the tunnel from either side?
20:41 -!- benowa [~username@c-71-234-166-222.hsd1.ct.comcast.net] has joined ##openvpn
20:42 -!- benowa [~username@c-71-234-166-222.hsd1.ct.comcast.net] has left ##openvpn []
20:43 < ecrist> !ping
20:43 < vpnHelper> pong
20:51 < Bushmills> !firewall
20:51 < vpnHelper> Bushmills: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
20:51 < Bushmills> or, "what is other end of tunnel"?
20:51 < Bushmills> p-t-p address?
20:52 < theDoc> For those of you having a bad day: http://www.youtube.com/watch?v=SXmv8quf_xM
20:52 < theDoc> :)
20:52 < vpnHelper> Title: YouTube - How to view someones IP address and connection speed! (at www.youtube.com)
20:52 < theDoc> Enjoy.
20:52 < networkn> what is the default installation path of the linux version of openvpn?
20:52 < networkn> the binaries directory? Where I might find the keymaker?
20:53 < Bushmills> in /usr/sbin/  is the executable usually
20:53 < Bushmills> (of openvpn)
20:54 < networkn> I can't seem to find the tool to build a new key
20:54 < Bushmills> !ssl
20:54 < vpnHelper> Bushmills: Error: "ssl" is not a valid command.
20:54 < Bushmills> !keys
20:54 < vpnHelper> Bushmills: "keys" is http://openvpn.net/howto#pki
20:58 < networkn> I just want a static key I think
20:59 < krzee> theDoc, LOL
20:59 < networkn> ./build-key client1
20:59 < networkn> I can't find where I am supposed to run that command
21:00 < theDoc> krzee> I'm going to start my tracert and see who I can hack with ping and a visual basic gui in a moment.
21:00 < krzee> networkn, 
21:00 < theDoc> feer t3h l33t.
21:00 < krzee> networkn, find / -name easy-rsa
21:00 < krzee> theDoc, i just commented on it
21:01 < krzee> i wonder if he noticed that #1 is always the same...
21:01 < krzee> hey this guy is looking at every site in the world!
21:01 < theDoc> lol
21:02 < theDoc> krzee> Check out this profile, he looks like he's 14 or something.
21:02 < theDoc> I almost feel sorry for him and the glaringly obvious lack of knowledge.
21:02 < theDoc> ;(
21:02 < krzee> im just curious if hes serious or playing around
21:02 < theDoc> I don't know but for his sake, I hope he's kidding.
21:03 < krzee> i mean, if hes playing around he understands more than we're giving him credit for... that vid could go viral
21:03 < theDoc> Yes, I can only hope that's the case.
21:03 < krzee> if not, expect to see him in the american gov in about 30 yrs
21:03 < theDoc> lmao
21:03 < theDoc> You've got to be kidding me.
21:04 < krzee> or working as a BP engineer ;]
21:05 < theDoc> lmao
21:05 < theDoc> I saw a photoshop of BP's logo as the goatse.cx thing ;p
21:05 < theDoc> Stretchy stretchy
21:30 < networkn> krzee: thanks
21:31 < networkn> krzee: i did a search and the only thing it finds is in documentation/examples
21:38 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has quit [Quit: Ex-Chat]
21:41 < Bushmills> learn your package installation tool
21:41 < Bushmills> you can usually ask them to show a list of files a package contains, and the locations they are written to
21:55 < networkn> I have no idea what you are talking about :)
21:56 < Bushmills> that may be why you don't know where to find the files
21:57 < Bushmills> or, how
22:05 < networkn> righ t
22:11 < networkn> I have a config issue but I am not sure how to resolve it.
22:11 < networkn> here is the remote end (Windows) http://pastebin.com/5H2rRXnR
22:13 < networkn> log from Windows Client end : http://pastebin.com/p1608qxf
22:14 < networkn> conf from linux end http://pastebin.com/STJ53GeB
22:27 < Bushmills> the way to resolve a config issue is to change the config in such a way that the specific config issue doesn't occur any longer. 
22:32 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has joined ##openvpn
22:36 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has quit [Ping timeout: 260 seconds]
22:42 < networkn> Bushmills: what changes would you suggest?
22:58 < krzie> you should likely start by figuring out how you know you have a config issue, then you can use that to figure out what it is
22:58 < krzie> lol
22:59 < networkn> ok
22:59 < networkn> well I can't ping the other end from either end
22:59 < networkn> so the linux box can't ping the windows end of the tunnel and vica versa
22:59 < networkn> I am not sure how to tell if the tunnel is even up
23:36 < krzie> firewall
23:36 < krzie> Thu Jun 10 15:07:06 2010 us=703000 UDPv4 WRITE [60] to 222.255.40.216:1257:  DATA len=60
23:36 < krzie> Thu Jun 10 15:07:16 2010 us=578000 UDPv4 WRITE [60] to 222.255.40.216:1257:  DATA len=60
23:36 < krzie> Thu Jun 10 15:07:16 2010 us=578000 UDPv4 WRITE [60] to 222.255.40.216:1257:  DATA len=60
23:36 < krzie> write write write, no reads
23:37 < networkn> ok.. the thing is, I can't find out what is responsible for having port 1257 open.. nor 1256 which is another tunnel that DOES work
23:38 < krzie> disable windows firewal
23:38 < krzie> firewall
23:38 < krzie> for testing
23:38 < networkn> windows firewall isn't enabled
23:38 < krzie> double check
23:39 < krzie> it likes to turn itself back on
23:39 < networkn> I am as sure as I can be
23:39 < krzie> also look at other software like mcafee, norton, etc
23:39 < networkn> I have checked it a mnumber of times.
23:39 < krzie> well the port is open
23:39 < krzie> and 1 side has a firewall of some sort blocking
23:40 < krzie> if you look at other log, see if its getting reads or not
23:40 < krzie> thats all i can tell ya
23:40 < krzie> Your problem is your firewall, really. (as pasted from the topic)
23:40 < networkn> ok
23:47 < krzie> btw whats being blocked isnt 222.255.40.216:1257
23:47 < krzie> it makes that connection
23:47 < krzie> oh wait maybe it doesnt
23:47 < krzie> this is ptp, forgot the logs look different
23:47 < krzie> it could be iptables on the server too
23:48 < krzie> still, firewall
23:48 < krzie> and if there is a NAT, you need to make sure the port is forwarded properly (udp)
23:51 < networkn> and that's the thing. I can't see where 1257 is opened anywhere in any part of the config and so it shouldn't work but it does
23:51 < networkn> basically it's a bit strange this setup.
23:51 < networkn> it's a windows box, 2 nic's, it runs linux etch via vmware
23:52 < krzie> port 1257
23:52 < networkn> the remote end is somehow connecting to the linux box, but I can't see how
23:52 < networkn> rras is in the middle here
23:52 < networkn> no ports open on the rras for 1256 which does work
23:52 < krzie> in linux side config, port 1257
23:52 < networkn> err above I typed 1257 when I meant 1256..
23:53 < networkn> the existing connection which does work is 1256
23:53 < networkn> the new one I created is 1257 and that doesn't work
23:53 < krzie> is 222.255.40.216 behind a router?
23:53 < networkn> no that is the public ip
23:53 < krzie> right
23:53 < krzie> does the machine using it sit behind a router?
23:53 < networkn> and it's connected via cross over to one nic in the windows box
23:53 < krzie> im going with yes
23:53 < networkn> yes
23:54 < networkn> the speedtouch router has it's firewall set to off and upnp enabled
23:54 < krzie> then you need to be sure port forwarding is setup right in that router
23:54 < networkn> everything looks to be forward by default to the windows box
23:54 < krzie> sniff traffic
23:54 < krzie> see where it stops
23:54 < krzie> tcpdump in linux, wireshark in windows
23:56 < networkn> hmm ok thanks
23:57 < krzie> 1 machine is remote, right?
23:57 < krzie> not both on same lan
23:58 < networkn> correct
23:58 < networkn> I wonder if i trace with wireshark and filter 1256/1257 it should show me something
23:58 < krzie> sniff EVERYWHERE
23:58 < networkn> not sure which nic to trace.. I guess the first nice in the first place
23:58 < krzie> then make a connection
23:59 < networkn> nice
23:59 < networkn> nic
23:59 < networkn> damnit
--- Day changed Thu Jun 10 2010
00:00 < networkn> how can I see what ports are listening on linux?
00:00 < networkn> udp then tcp?
00:01 < krzie> while this is not where you should be learning your OS... netstat -l should work
00:01 < networkn> thank you
00:02 < krzie> yw
00:17 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 248 seconds]
00:17 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
00:18 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
01:02 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
01:02 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:02 -!- mode/##openvpn [+o mattock] by ChanServ
01:48 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
02:05 -!- mrnice1 [bouncer@ip077244250141.rev.nessus.at] has quit [Ping timeout: 260 seconds]
02:16 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
02:23 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
02:25 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has joined ##openvpn
02:26 < lazarus477> I have a working OpenVPN setup on openSUSE 11.2. OpenVPN 2.1.
02:26 < lazarus477> I was tweeking a few things. I setup a domain name on the internet and a matching one on my LAN to point to the vpn server.
02:27 < lazarus477> Now when using a linux client to connect to the vpn while still at the local LAN all is well.
02:28 < lazarus477> When connecting using the same setup but from a Windows7 client which otherwise works then http web traffic and pinging is out of function yet SAMBA file sharing sitll works properly.
02:28 < lazarus477> Any ideas as to what is wrong?
02:28 < lazarus477> Also noticed that DNS gets messed up.
02:29 < lazarus477> In this situation the win client cannot browse http, ping vpn servers LAN or VPN based IP and DNS is shot to hell.
02:29 < lazarus477> So why might this occur on a Win client but not a Linux client using the same client config setup?
02:31 < lazarus477> One more question. At first the VPN GUI requested the passphrase for the client cert but now no longer requires this, how come?
02:31 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:31 -!- mode/##openvpn [+o mattock] by ChanServ
02:40 -!- APTX_ [~APTX@phpBB/developer/APTX] has joined ##openvpn
02:40 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 240 seconds]
02:54 < lazarus477> I will have to return another day ;-)
02:54 < lazarus477> Got to head to the airport.
02:54 < lazarus477> ta ta
02:54 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has quit [Quit: leaving]
03:15 -!- dazo_afk is now known as dazo
03:22 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
03:23 < Bushmills> why can't  people tell how the problem they have manifests?
03:24 < Bushmills> "Now when using a linux client..all is well.  When connecting using...sitll works properly. ..what is wrong?" ...
03:25 < theDoc> Too g-damn hard to do os.
03:29 < kale> hi i've been asked if we can use windows clients against openvpn. using pptp
03:35 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Quit: Leaving]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:43 -!- kale [~kale@port711.ds1-soeb.adsl.cybercity.dk] has left ##openvpn []
03:51 < flok420> krzie: that new ipv6-pool statement will probably only work if your openvpn server is the default gateway as well?
03:51 < kraut> moin
03:53 < Bushmills> kala_: well, you can problaby tunnel a connection between two openvpn machines through pptp
03:54 < Bushmills> but connecting with pptp to openvpn is no go
04:04 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has joined ##openvpn
04:09 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has quit [Ping timeout: 265 seconds]
04:13 -!- harlan [~harlan@ntp/programmemanager/harlan] has left ##openvpn []
04:22 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has joined ##openvpn
04:25 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:39 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Ping timeout: 276 seconds]
04:40 -!- jave [~user@109.58.88.92.bredband.tre.se] has joined ##openvpn
04:40 < jave> blist
04:47 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has quit [Ping timeout: 260 seconds]
04:51 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
04:51 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has joined ##openvpn
04:58 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has quit [Ping timeout: 245 seconds]
05:10 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has joined ##openvpn
05:17 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
05:27 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:39 -!- mrnice1 [bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
05:40 -!- d12fk [~heiko@2a01:198:4d7:0:21f:c6ff:fe44:aec8] has quit [Ping timeout: 260 seconds]
05:47 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 260 seconds]
05:48 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
06:19 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
06:44 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
06:47 -!- gorkhaan [~gorkhaan@adsl-101-10.globonet.hu] has joined ##openvpn
06:58 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
06:58 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:10 -!- DrPepper [~DrPepper@88.207.183.72] has joined ##openvpn
07:10 -!- DrPepper [~DrPepper@88.207.183.72] has quit [Killed (idoru (This host has violated network policy))]
07:52 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:59 -!- SmokeyD [~dolf@f12099.upc-f.chello.nl] has joined ##openvpn
08:00 < SmokeyD> hey people, is it possible to automatically create the password for build-key-pass from pwgen for instance?
08:00 < SmokeyD> I want to create a lot of client keys, with passwords, and write the keyname,password combination to a file.
08:14 < kisom> well
08:14 < kisom> with easy-rsa i do not know
08:15 < kisom> but you should be able to do it with openssl
08:15 < kisom> should probably work with easy-rsa too
08:16 -!- spiffytech [spiffytech@pilot.trilug.org] has left ##openvpn []
08:22 -!- ender1 [~60f14840@gateway/web/freenode/ip.96.241.72.64] has joined ##openvpn
08:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
08:40 -!- bent_screwdriver [~socain00@74.255.249.66] has joined ##openvpn
08:55 -!- notbrien [~notbrien@2002:d052:dd6:0:5ab0:35ff:fef5:7a5f] has joined ##openvpn
09:00 -!- arcsky [~arcsky@2a01:48:100:1:1::1c2] has quit [Ping timeout: 260 seconds]
09:04 -!- APTX_ is now known as APTX
09:05 < krzee> SmokeyD, the user could always password protect it themselves...
09:06 < krzee> (or un-password protect it)
09:06 < krzee> very easily
09:06 < krzee> but to answer the question, i dont know... youd wanna see if openssl has a way to pass this via commandline
09:07 < krzee> kisom, seems to expect it does, i kinda expect it does not
09:07 < krzee> but the openssl manpage will tell you
09:07 < krzee> all easy-rsa does is openssl commands...
09:11 -!- logyati [~pauloarru@189.106.50.3] has joined ##openvpn
09:11 < logyati> hello! if my lan is 172.16.0.0/24, and the lan of the other site is 172.16.0.0/16, and i try to create a site-to-site VPN, will i have routing problems?
09:12 < Bushmills> possibly
09:12 < SmokeyD> krzee: yeah, but the user would then first know how to un-password protect it. And I don't expect them to know how to do it, and I will tell hem it is their own responsibility not to (it will be their data compromised if they do and lose the key, not mine).
09:12 -!- arcsky [~arcsky@2a01:48:100:1:1::1c2] has joined ##openvpn
09:12 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Ping timeout: 272 seconds]
09:12 < SmokeyD> krzee: openssl should be able to take the password as argument
09:13 < SmokeyD> but I am trying to figure out in pkitool where the key is password protected
09:13 < SmokeyD> so I can put it there
09:13 < SmokeyD> but I can't find it
09:13 -!- nullified [nullfree@66.76.162.103] has joined ##openvpn
09:13 < nullified> !welcome
09:13 < vpnHelper> nullified: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:14 < nullified> !interface
09:14 < vpnHelper> nullified: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
09:14 < SmokeyD> nullified: who are you telling that to?
09:14 < SmokeyD> yourself?
09:14 < nullified> yea is there a way to get it to /notice me
09:14 < nullified> or pm it?
09:15 < krzee> sure
09:15 < krzee> !tell nullified [goal]
09:17 < nullified> erm
09:18 < krzee> oh and
09:18 < krzee> !factoids
09:18 < vpnHelper> krzee: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
09:32 < SmokeyD> how can I test the password on a private key file?
09:33 < logyati> ??
09:33 < Bushmills> you could test the owner's resolution to not disclose it, by torturing him
09:33 < SmokeyD> :D
09:33 < SmokeyD> what I mean is I have created a private key file which is password protected
09:34 < Bushmills> ok, then you might have to torture yourself
09:34 < SmokeyD> I want to test if the password I have is correct, without having to open up a openvpn connection and stuff
09:35 < SmokeyD> Just to test if the private key generation worked the way I intend it to
09:36 < Bushmills> i don't know of a way to "test" it - consider that that would open the possibility for brute force dictionary attacks.
09:37 < SmokeyD> Bushmills: I mean to just to with the private key file what openvpn also does. Open VPN will ask for the password when the connection is started, can't I simulate that somehow. How else can I test if the key was created correctly?
09:37 < Bushmills> connect with it
09:39 < SmokeyD> Bushmills: ok, then I first need to setup everything else (including firewall access and stuff) :(
09:39 < Bushmills> that's not to say that there isn't such a test - i just don't know of one. but it seems to me that a test better tests what it is supposed to test - namely, whether the key allows you to connect.
09:40 < Bushmills> the "all of that" you probably need anyway, if you want the key to be of any use 
09:41 < SmokeyD> Bushmills: yeah you're right, but I depend on others for that :) So I would like to do as much as possible now. But I will check if the openssl people know a way.
09:41 < SmokeyD> Bushmills: thanks for helping
09:46 < krzee> lol
09:46 < krzee> you can just -in the file, -out to a new one
09:47 < krzee> if you get asked for a pass, it has a pass
09:47 < krzee> ild be surprised if a quick look didnt show too
09:47 < nullified> When creating the client files, can i just name it Client.OVPN and then tranfer to my windows box?  
09:48 < nullified> Trying to see if I am understanding this properly :S
09:51 < Bushmills> yes, possible
09:52 < Bushmills> assuming "client files" means "client configuration file"
09:52 < nullified> yea the configuration file
09:52 < nullified> sorry about that :S
10:01 < SmokeyD> Bushmills: in case you are interested: "openssl rsa -in privatekeyfile.key -check"
10:01 < SmokeyD> that will ask you for the password and if it is correct, it will show the private key
10:01 < Bushmills> ah
10:03 < SmokeyD> cool, I just modified build-key-pass and pkitool so I can use a loop to create client keys, which are password protected, with automatic password generation by pwgen
10:09 < hyper_ch> ecrist: hi there
10:13 < theDoc> I suspect that my vpn setup is leaking something.
10:13 < theDoc> Oddly enough, even after tunneling, google seems to be able to tell I'm in asia as opposed to us.
10:13 < theDoc> Anyone might have an idea what might be causing that?
10:14 < ecrist> hyper_ch: hello.
10:20 < krzee> theDoc, maybe the tz setting on your machine, maybe you leak dns, dunno
10:20 < krzee> i know they cant tell where I am
10:21 < krzee> maybe asia is a manual setting you have in your google preferences 
10:21 < theDoc> I don't think it's a dns leak, I haven't found anyone else that can tell.
10:21 < krzee> maybe from a cookie
10:21 < theDoc> Maybe it's the tz.
10:21 < krzee> more likey one of the last 2
10:21 < krzee> try clearing everything from your browser and trying again
10:22 < krzee> i have 1 browser that is always over vpn, other that is always bypassing vpn
10:22 < theDoc> Ah, ok
10:22 < theDoc> I'm somewhat skeptical that I'm leaking dns.
10:22 < theDoc> Doesn't seem very likely
10:23 -!- zheng [~zheng@114.92.154.249] has joined ##openvpn
10:24 < krzee> [08:24]  <krzee> maybe asia is a manual setting you have in your google preferences 
10:24 < krzee> [08:24]  <krzee> maybe from a cookie
10:24 < theDoc> Yeah.
10:24 < krzee> those were the last 2 i was referring to
10:24 < theDoc> It's likely that those 2 have a higher chance of happening.
10:24 -!- zheng [~zheng@114.92.154.249] has quit [Client Quit]
10:24 < theDoc> Hm.
10:24 < krzee> leaking dns is somewhat common, someone like google detecting you based on that is much much more unlikely
10:26 < theDoc> Still, if I were leaking DNS, I'm quite sure certain filters would be triggered.
10:26 < hyper_ch> ecrist: WTF? why did I get banned from #fusionpbx?
10:26 -!- jave [~user@109.58.88.92.bredband.tre.se] has quit [Ping timeout: 240 seconds]
10:29 < theDoc> Interesting, http://blog.sucuri.net/2010/05/leaking-private-ip-addresses-via-dns.html
10:29 < vpnHelper> Title: Leaking private IP addresses via DNS | Sucuri Security (at blog.sucuri.net)
10:29 < Bushmills> theDoc: try to remove cookies
10:29 < ecrist> hyper_ch: no idea.
10:29  * ecrist looks
10:29 < hyper_ch> ecrist: it's fine
10:30 < hyper_ch> it seem I somehow pasted the mysql.sql file
10:30 < Bushmills> oh. as krzee said
10:30 < theDoc> Bushmills> Yeah, I'll did and it seems ok now
10:30 < theDoc> ;p
10:31 < ecrist> hyper_ch: that would be why.
10:31 < hyper_ch> strange, didn't even appear in Konvi... but it's in the logs... hmmm
10:31 < ecrist> you want me to put a good word in for you?
10:32 < ecrist> you've been unbanned
10:34 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:35 -!- Guest63918 is now known as crazygir
10:41 -!- mape2k [~mape2k@150.200.116.85.dsl.manitu.net] has joined ##openvpn
10:54 < krzee> crazygir, we know better than to believe a girl came in here :-p
10:59 < theDoc> On irc, anyone can be a girl!
11:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:02 -!- gorkhaan [~gorkhaan@adsl-101-10.globonet.hu] has quit [Ping timeout: 245 seconds]
11:06 -!- mape2k [~mape2k@150.200.116.85.dsl.manitu.net] has quit [Ping timeout: 276 seconds]
11:08 < crazygir> krzee: maybe you're life would be more enjoyable if you didn't make so many assumptions?
11:09 < crazygir> you know that assumptions just make an ass out of yourself :P
11:09 < theDoc> your as opposed to you're.
11:09 < crazygir> yep
11:11 < krzee> lol, right
11:11 < krzee> yet your ident is "jason"
11:12 < krzee> :-p
11:12 < theDoc> Maybe her name's jasonia or something.
11:17 -!- g0tcha [~efnet@27.9.202.62.fix.bluewin.ch] has quit []
11:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 248 seconds]
11:46 -!- ender1 [~60f14840@gateway/web/freenode/ip.96.241.72.64] has quit [Ping timeout: 252 seconds]
12:03 -!- fkr_ [~fkr@devon.fsck.us] has joined ##openvpn
12:11 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
12:12 < SmokeyD> hey everyone, can I create two openvpn server configs and let the clients from server1 see the clients of server2, but not let the clients of server2 see eachother? I want admin users to see all connected clients (so let them connect to server1) but not let the clients of server 2 see eachother
12:21 < Bushmills> jasonette
12:22 < Bushmills> SmokeyD: yes, possible, but needs some working on the routing and firewalling
12:22 < Bushmills> actually, not much firewalling
12:23 < Bushmills> where do admin users log into?
12:23 < Bushmills> and why 2 servers?
12:38 < krzee> right, you dont even need 2 servers to accomplish that
12:38 < krzee> !factoids search client
12:38 < vpnHelper> krzee: 'someclient2client', 'client-to-client', and 'client-connect'
12:38 < krzee> !someclient2client
12:38 < vpnHelper> krzee: "someclient2client" is "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario
12:41 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
12:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
12:55 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
13:03 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
13:12 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Ping timeout: 276 seconds]
13:22 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
13:31 -!- fkr_ [~fkr@devon.fsck.us] has quit [Quit: leaving]
13:35 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
13:36 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Ping timeout: 276 seconds]
13:36 -!- logyati [~pauloarru@189.106.50.3] has quit [Quit: Ex-Chat]
13:40 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
13:42 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
13:53 < krzee> !activedirectory
13:53 < vpnHelper> krzee: "activedirectory" is http://amigo4life.googlepages.com/openvpn for the guide of how to auth against AD
13:54 -!- mrnice1 [bouncer@ip077244250141.rev.nessus.at] has quit [Quit: ZNC - http://znc.sourceforge.net]
14:00 < krzee> !AS
14:00 < vpnHelper> krzee: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
14:00 < vpnHelper> krzee: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
14:03 < krzee> !win_rollup
14:03 < vpnHelper> krzee: "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
14:14 -!- medum [~kevin@74.205.219.210] has joined ##openvpn
14:15 < medum> !welcome
14:15 < vpnHelper> medum: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:18 < SmokeyD> Bushmills, krzee thanks for the tip on the ccd and two subnets and iptables. That indeed is a way better solution. Thanks
14:19 < krzee> np
14:19 < SmokeyD> now I am wondering if it is possible to start openvpn-gui in windows using a config file in a different folder that the openvpn config dir
14:19 < krzee> you dont even need 2 subnets
14:19 < krzee> if you use --client-connect
14:19 < krzee> !client-connect
14:19 < vpnHelper> krzee: "client-connect" is --client-connect <script>, runs script on client connection. This can be useful for generating firewall rules dynamicly, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamicly... to use it that way, you should write your dynamic ccd commands to the file named by $1.
14:20 < krzee> you could put each group into a list, and break apart the /24 you use for --server into 2 or more subnets
14:20 < krzee> then firewall rules go based on those subnets
14:20 < krzee> note this
14:20 < krzee> !c2c
14:20 < vpnHelper> krzee: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
14:20 < vpnHelper> krzee: behind other clients
14:20 < krzee> you will NOT want that option, so you can firewall it
14:21 < SmokeyD> krzee: cool. That way I can just let everyone connect and use iptables to configure who can see who
14:21 < SmokeyD> great. 
14:23 < SmokeyD> now for another question: Is it possible to use openvpn-gui on windows with the config files stored in a different folder than program files\OpenVPN\config\
14:23 < krzee> good question, not that i know of
14:23 < krzee> although theres obviously a way, im not sure if its hardcoded and therefor a source mod or not
14:24 < krzee> i do know your keys can go anywhere tho...
14:24 < krzee> as long as your config knows about it
14:24 < SmokeyD> krzee: yeah I know, but then the config file needs absolute paths
14:24 < krzee> OR
14:24 < krzee> a cd command above anything with paths
14:24 < SmokeyD> the thing is that I want the keys on a usb stick that can be stored in a safe
14:24 < krzee> --cd exists ;)
14:24 < krzee> well there ya go
14:25 < krzee> config stays in normal spot
14:25 < krzee> keys go on USB
14:25 < krzee> config has cd /path/to/usb/keysdir
14:25 < krzee> above anything with a filename
14:25 < SmokeyD> krzee: that assumes the usb stick always get's the same drive letter
14:25 < krzee> note, you could also just password protect your .key file
14:25 < SmokeyD> and I have to know it before I write the config file, which I don't
14:26 < SmokeyD> krzee: it already is password protected
14:26 < krzee> then they can safely sit in the normal dir
14:26 < krzee> ahh
14:26 < SmokeyD> so what I did is have the config file also on the memory stick and then I can use relative paths for the key files
14:26 < SmokeyD> but then the config file is not in the correct dir anymore :(
14:31 -!- medum [~kevin@74.205.219.210] has quit [Quit: leaving]
14:36 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
14:38 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:38 < SmokeyD> argh, you can't use the OpenVPN-GUI in windows as a non-privileged user with a password protected key file...
14:39 < krzee> you cant do it even without password proected keys
14:39 < krzee> needs permissions to change routing table
14:40 < SmokeyD> with the service you can I think
14:40 < SmokeyD> there are docs on that
14:51 -!- dazo is now known as dazo_afk
14:58 < SmokeyD> ok, gonna call it a day. Fixed the problem partly. I just created a batch file that starts the commandline openvpn.exe with the --config directive to the current dirs configuration file. Whe a user clicks the batch file, a terminal opens which starts everyting, and the user is also asked for the password to unlock the file
15:04 -!- SmokeyD [~dolf@f12099.upc-f.chello.nl] has left ##openvpn []
15:06 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 260 seconds]
15:24 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:32 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
15:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:49 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
16:20 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:25 < oc80z> wdup
16:26 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
16:49 -!- g0tcha [~efnet@27.9.202.62.fix.bluewin.ch] has joined ##openvpn
17:21 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined ##openvpn
17:21 < grendal_prime> grrrrrrrrrrrrrrrr i hate Active Dir
17:22 < grendal_prime> trying to get the openvpn-auth-ldap to work.  not doing well
17:40 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Quit: Ex-Chat]
17:46 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
17:46 -!- notbrien [~notbrien@2002:d052:dd6:0:5ab0:35ff:fef5:7a5f] has quit [Quit: notbrien]
17:49 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
18:14 < networkn> in order to use a new tun dev on linux, what is the process for creating it? I have a tun55 and tun56 device
18:15 < networkn> I need to make a tun57
18:15 < networkn> or does it make it when you reference it in a config file dynamically
18:37 -!- smerz [~daniel@smerz.demon.nl] has quit [Quit: Ex-Chat]
18:56 -!- networkn [networkn@smtp.sapphiresolutions.co.nz] has quit [Quit: ircN 8.00 for mIRC (20100228) - www.ircN.org]
19:18 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
19:44 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
19:47 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
19:54 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has quit [Ping timeout: 260 seconds]
19:55 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
20:11 -!- theDoc [~jaki@119.73.165.162] has joined ##openvpn
20:12 -!- theDoc_ [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:16 -!- theDoc [~jaki@119.73.165.162] has quit [Ping timeout: 240 seconds]
20:30 -!- theDoc_ [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 248 seconds]
20:52 -!- smerz [~daniel@smerz.demon.nl] has quit [Quit: Ex-Chat]
21:57 -!- bent_screwdriver [~socain00@74.255.249.66] has quit []
22:29 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
22:34 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
22:40 < Bushmills> they are created as needed
22:41 < Bushmills> specify the device name in the config file
22:52 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
22:53 -!- STF_ [~chatzilla@dslb-084-061-146-102.pools.arcor-ip.net] has joined ##openvpn
22:54 -!- STF_ is now known as STF
23:09 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has joined ##openvpn
23:16 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
23:23 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
23:26 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
23:37 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:52 -!- STF [~chatzilla@dslb-084-061-146-102.pools.arcor-ip.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
23:53 -!- vaq [~vaq@0x573c2830.vbrnqu1.dynamic.dsl.tele.dk] has quit []
--- Day changed Fri Jun 11 2010
00:38 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
00:38 -!- mode/##openvpn [+o mattock] by ChanServ
00:49 -!- theDoc_ [~jaki@173.236.41.36] has joined ##openvpn
00:49 -!- theDoc_ [~jaki@173.236.41.36] has quit [Changing host]
00:49 -!- theDoc_ [~jaki@unaffiliated/thedoc] has joined ##openvpn
00:51 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
01:14 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
01:20 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
02:23 -!- kaflowski [~username@95.211.99.92] has joined ##openvpn
02:26 < kaflowski> hello. I have an ovpn tunnel running on my home network to another server that i am paying to access. according to my firewall (at least my interpretation of it), very little traffic is actually going through it. I have this picture of my GUI firewall. If anyone could take a look at it, I would appreciate it very much. http://tinypic.com/r/j965at/6
02:26 < vpnHelper> Title: Image - TinyPic - Free Image Hosting, Photo Sharing & Video Hosting (at tinypic.com)
02:30 < krzie> !goal
02:30 < vpnHelper> krzie: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
02:31 < krzie> @ kaflowski 
02:33 < kaflowski> Goal: to make sure everything I send and receive on the internet is routed through the ovpn tunnel.
02:34 < hyper_ch> !tell kaflowski [def1]
02:35 < kaflowski> I have had that flag on.
02:36 < krzie> !ip
02:36 < vpnHelper> krzie: Error: "ip" is not a valid command.
02:36 < kaflowski> did anyone see my picture?
02:36 < krzie> !factoids search --values ip.php
02:36 < vpnHelper> krzie: "tools" is https://www.secure-computing.net/ip.php
02:37 < krzie> kaflowski, when you go to https://www.secure-computing.net/ip.php do you see your IP from your ISP or from vpn provider?
02:37 < vpnHelper> Title: SCN: SCN (at www.secure-computing.net)
02:37 < krzie> kaflowski, yes
02:37 < kaflowski> the vpn provider.
02:37 < krzie> so whats the problem
02:38 < kaflowski> according to my firewall, almost none of the traffic is being routed through the vpn.
02:38 < krzie> i doubt you started it immediately after boot, also all your vpn traffic goes over the internet as well
02:40 < kaflowski> I started it immediately after boot. The firewall shows much traffic going through the wireless interface but not all of it is accounted for in tun0
02:41 < hyper_ch> firestarter is not the firewall.... just to clear things up a bit :)
02:44 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
02:45 < krzie> you went to the url, it showed the ip of vpn
02:46 -!- kaflowski [~username@95.211.99.92] has left ##openvpn []
02:46 < krzie> if your problem is the counter, reset it, grab some files over the net, and watch it
02:46 < krzie> lol
02:48 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:59 -!- mattock1 [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:59 -!- mode/##openvpn [+o mattock1] by ChanServ
03:10 < |Mike|> unf!
03:16 < kisom> http://ck3r.org/hack.php
03:16 < vpnHelper> Title: Testing PRIVMSG kisom :test exit quit (at ck3r.org)
03:20 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
03:22 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has quit [Remote host closed the connection]
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:39 -!- Chuwiey [~n@c-71-206-10-232.hsd1.md.comcast.net] has joined ##openvpn
03:40 < Chuwiey> !welcome
03:40 < vpnHelper> Chuwiey: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:40 < Chuwiey> !los
03:40 < vpnHelper> Chuwiey: Error: "los" is not a valid command.
03:40 < Chuwiey> !logs
03:40 < vpnHelper> Chuwiey: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
03:41 < Chuwiey> !configs
03:41 < vpnHelper> Chuwiey: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
03:41 < Chuwiey> !iporder
03:41 < vpnHelper> Chuwiey: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
03:45 < Chuwiey> Hello everyone. A question: I've setup my server and all is working well, apart from a very slow connection. The server machine sits on a 22/4mb line and the client is on 5/0.5mb, average response time is ~250ms. However, when I am connected a speedtest shows me on 0.02/0.07mb ... I'm wondering if it might be something I did incorrectly on setup/config? or is there another reason? - thank you.
03:56 -!- takamichi [~pri@78.133.37.89] has joined ##openvpn
03:57 < Bushmills> using tcp or udp as protocol?
03:59 < Chuwiey> tcp
04:00 < theDoc_> !tcp
04:00 < vpnHelper> theDoc_: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
04:00 < theDoc_> That's why.
04:01 < kisom> tcp isn't optimized to be run over tcp :)
04:01 < kisom> but it works if you want to.
04:01 < kisom> i use openvpn over tcp, no problems at all
04:01 < theDoc_> kisom> Aren't the latencies shit for anything voice/video related?
04:01 < Chuwiey> :) it works... it's just slow...
04:02 < kisom> about 2-3 ms latency on a local network
04:03 < kisom> but yes, udp is better if its possible to use it. but i'm inone of those wierd situations where TCP is my only choise
04:03 < theDoc_> What are you doing where tcp is your only choice?
04:03 < theDoc_> Behind a clever firewall?
04:03 < kisom> yes
04:03 < kisom> im not even suppose to access the internet here
04:03 < kraut> moin
04:03 < theDoc_> hello kraut.
04:04 < Chuwiey> UDP it is then... i'll report back if it imporved...
04:04 < Chuwiey> thanks
04:04 < theDoc_> I'm wondering if one could establish the udp tunnel by encapsulating the initial packets via tcp to bring up the tunnel.
04:04 < theDoc_> Hm.
04:05 < kraut> moin theDoc_ 
04:05 < kisom> theDoc_: why would you want that?
04:05 -!- takamichi [~pri@78.133.37.89] has quit [Ping timeout: 276 seconds]
04:06 < theDoc_> kisom> To get around the above situation.
04:06 < theDoc_> Not sure if that is going to work though
04:08 -!- Wiredtape [~n@bzq-79-178-26-203.red.bezeqint.net] has joined ##openvpn
04:09 < kisom> why cant you just use UDP?
04:09 -!- Chuwiey [~n@c-71-206-10-232.hsd1.md.comcast.net] has quit [Disconnected by services]
04:09 -!- Wiredtape is now known as Chuwiey
04:09 < Chosi> same here btw, just can't use udp
04:09 < Chosi> :)
04:13 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Quit: Leaving]
04:13 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has joined ##openvpn
04:13 < Bushmills> well, a constantly high latency should be no problem for video streaming, when the thoughput is right
04:14 < Bushmills> but in fact, tcp doesn't make a lot of sense for streaming
04:15 < Bushmills> (regardless of tunneling tcp through tcp not being a good idea)
04:15 < theDoc_> It doesn't but when you're streaming across the web, tcp timeouts become a problem.
04:17 < Chosi> people on my tunnel are playing bfbc2 and l4d2 over tcp
04:18 < Chosi> but well they get disconnected in regular intervals
04:18 < Chosi> dunno if this is tcp related tho
04:20 < Bushmills> what's your server uplink speed?
04:20 < Chosi> 100mbit
04:21 < Chosi> they got some open udp ports back for teamspeak and stuff, maybe i can use these
04:24 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:30 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
04:33 < Chuwiey> ok, i've switched to udp - which slightly improved the speed, but I'm still at 0.03/0.06mb/s - any thoughts?
04:34 < Chuwiey> ~230ms rtt
04:46 < Chuwiey> anyone?
04:46 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
04:50 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:53 -!- dunc_ [~dunc@2a01:348:1d2:12:215:c5ff:fe08:5ca8] has joined ##openvpn
04:54 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 260 seconds]
04:56 < Bushmills> try disabling traffic shaping, firewall etc
04:59 < kisom> Chosi: whats your ping timeout set to?
05:00 < Chosi> kisom: nothing
05:00 < Chosi> so propably default
05:00 < Chosi> :)
05:01 < Chosi> kisom: usually they get disconnected after an hour
05:01 < Chosi> or something
05:03 -!- theDoc_ [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
05:13 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Read error: Operation timed out]
05:13 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
05:15 < Chosi> kisom: what should i set it to?
05:28 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Ping timeout: 240 seconds]
05:30 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
05:40 -!- mattock1 [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
05:55 -!- Wiredtape [~n@109.65.17.125] has joined ##openvpn
05:56 -!- Chuwiey [~n@bzq-79-178-26-203.red.bezeqint.net] has quit [Disconnected by services]
05:56 -!- Wiredtape is now known as Chuwiey
06:03 -!- Chuwiey [~n@109.65.17.125] has quit [Ping timeout: 276 seconds]
06:13 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Ping timeout: 240 seconds]
06:15 -!- takamichi [~pri@78.133.33.203] has joined ##openvpn
06:23 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
06:25 -!- sara2010 [~sara2010@202.100.181.58.dynamic.max.com.pk] has joined ##openvpn
06:35 < kisom> Chosi: does the entire VPN disconnect or only some of the tunneled connections?
07:06 -!- theDoc_ [~jaki@unaffiliated/thedoc] has joined ##openvpn
07:09 -!- theDoc_ is now known as theDoc
07:16 < Chosi> kisom: the individual connections
07:16 < Chosi> well the client to vpn connections
07:16 < Chosi> not sperate connections inside the tunneling connection
07:16 < Chosi> if you get what i mean
07:16 < Chosi> :D
07:21 < ecrist> good morning, folks
07:21 < sara2010> good morning
07:21 < theDoc> moin'.
07:22 < sara2010> how r u guys
07:24 < sara2010> Chosi hi 
07:26 -!- Chuwiey [Chuwiey@bzq-79-179-31-65.red.bezeqint.net] has joined ##openvpn
07:29 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:31 < Chuwiey> Bonjourno (i.e inglourious bastards), I'm getting a very slow connection. Server is on 22/4 mb/s line. Client is on 5/0.5 mb/s. I'm getting 0.03/0.06 mb/s. Latency: 230ms~, UDP, completely disabled firewall, no shaping, just a straight line to see what's going on. Server is running on Win Vista inside vmware virtualization. Client is win 7. I also read a previous post where someone had a problem like this a while back.
07:32 < Chuwiey> When they switched to linux, the connection was good. Someone had mentioned something about BITS. Could it be the problem? Does anyone have any other ideas?
07:33 < Bushmills> is "they" server or client?
07:34 < Chuwiey> they, being the guy who had originally posted his question: Re: [Openvpn-users] Re: Openvpn slow on asymmetric connections | jan 2006
07:34 < Chuwiey> oh, sorry , client
07:37 < Bushmills> i suppose you could try that, connecting from a linux client, to pinpoint the problem spot
07:38 < Chuwiey> i'm waiting for the download to finish. I was hoping however for some other ideas in the meantime... 
07:38 < Bushmills> and i think you might want to decide for either bon jour or bon giorno
07:38 < Chuwiey> hehe
07:40 < kisom> Chosi: then you may want to check your ping values
07:41 < kisom> if your clients have pulling enbled, put this in your server conf: keepalive 60 120
07:41 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Ping timeout: 260 seconds]
07:42 < Chosi> do they pull if they have "client" in their config?
07:43 < kisom> no
07:50 -!- Chuwiey [Chuwiey@bzq-79-179-31-65.red.bezeqint.net] has quit []
07:51 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
07:56 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
08:09 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has joined ##openvpn
08:14 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has quit [Ping timeout: 252 seconds]
08:18 -!- sara2010 [~sara2010@202.100.181.58.dynamic.max.com.pk] has quit []
08:27 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has joined ##openvpn
08:29 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
09:02 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
09:04 -!- HanX [~HanX@ks368275.kimsufi.com] has joined ##openvpn
09:04 < HanX> hi
09:05 < HanX> I'm coding a patch for openvpn. But I need some advice.
09:05 < ecrist> you may have more luck in #openvpn-devel
09:05 < HanX> thanks
09:05 < Chosi> kisom: orly?
09:06 < Chosi> how do i tell clients to pull the keepalive stuff then?
09:06 < ecrist> Chosi: they don't pull keepalive, it's set per-config
09:07 < Chosi> so clients need to set it independently?
09:07 < Chosi> apart from the server config?
09:07 < ecrist> yes
09:07 < Chosi> okay
09:07 < Chosi> kisom • if your clients have pulling enbled, put this in your server conf: keepalive 60 120
09:07 < Chosi> that's why i ask
09:08 < ecrist> Chosi: I'd suggest reading the man page.
09:09 -!- clyons [~clyons@unaffiliated/clyons] has joined ##openvpn
09:14 < kisom> keepalive pushes the option to the client as well
09:14 < kisom> but yes, you still have to enble pulling
09:14 < kisom> and i'm gonna go down and get a redbull :) brb
09:28 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 272 seconds]
09:30 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
09:34 -!- HanX [~HanX@ks368275.kimsufi.com] has left ##openvpn []
09:38 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has quit [Read error: Connection reset by peer]
09:41 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has joined ##openvpn
09:43 -!- gate_ [gate@S01060001802171f4.cg.shawcable.net] has joined ##openvpn
09:44 < gate_> Hi All, I've been stuck on my openvpn problem all night
09:45 < gate_>  MULTI: bad source address from client [192.168.5.18]
09:45 < gate_> this was working at the beginning of the night, but now it's not.  my working configuration did not have the config-dir line in it
09:45 < ecrist> gate_: that issue is well-covered on google.
09:45 < gate_> most of the information on the internet says that's the issue
09:46 < gate_> ecrist, yea, i find that information doesnt apply to my issue
09:47 < gate_> The error is generated on like 1044 in multi.c in the 2.1.1 release
09:48 < gate_> the log level 9 error is "GET INST BY VIRT : 192.168.5.18 [failed]"
09:55 < gate_> I can't fix it by adding in --client-config-dir because i'm using --duplicate-cn
10:02 < ecrist> gate_: how about supplying the data we need?
10:02  * ecrist points to /topic
10:04 < gate_> ecrist, yea, sure, i thought someone would ask me for it gimme sec
10:04 < gate_> !welcome
10:04 < vpnHelper> gate_: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:08 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined ##openvpn
10:08 < gate_> ecrist, config file for openvpn and pf here http://pastebin.org/324666
10:09 < gate_> putting up log file separtely
10:13 < gate_> http://dougis.thruhere.net/~gate/openvpn.log
10:14 < gate_> that's a log level 6, is there anything else that you need?
10:16 -!- gate_ [gate@S01060001802171f4.cg.shawcable.net] has quit [Remote host closed the connection]
10:17 -!- gate_ [gate@S01060001802171f4.cg.shawcable.net] has joined ##openvpn
10:23 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 258 seconds]
10:24 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
10:31  * gate_ will ask again tomorrow - it's time for bed
10:32 < krzie> gate
10:32 < krzie> does a client have a lan behind it trying to communicate over the vpn?
10:32 < gate_> no, the clients are standalones
10:32 < gate_> road warriors if you will
10:34 < krzie> Fri Jun 11 09:11:30 2010 us=648186 Passworded_Dougler/198.162.105.38:1194 WARNING: learn-address command failed: could not execute external program
10:34 < krzie> what does your learn-address script do?
10:34 < gate_> yea, i saw that... it just throws some lines into a log file
10:34 < gate_> so i can see whose been on and off the vpn
10:36 < grendal_prime> hey krzee you ever set up ldap auth against AD?
10:36 < krzie> no
10:36 < grendal_prime> im totally amazed at how...whack it is.
10:36 < krzie> !activedirectory
10:36 < vpnHelper> krzie: "activedirectory" is http://amigo4life.googlepages.com/openvpn for the guide of how to auth against AD
10:36 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
10:39 < gate_> :|
10:40 < grendal_prime> ya reading that...but i was hoping someone else could couch 
10:40 < grendal_prime> thanks 
10:40 < gate_> krzee, i fixed that and it works
10:41 < gate_> krzie, i fixed that and it works
10:41 < krzie> =]
10:41 < gate_> ... yea, gawd, it's 9am here, i've been messing around with this since7am
10:42 < gate_> anyways, thanks 
10:42 < krzie> yw
10:44 -!- gate_ [gate@S01060001802171f4.cg.shawcable.net] has quit [Remote host closed the connection]
11:00 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
11:03 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Ping timeout: 272 seconds]
11:24 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
11:31 -!- DrPepper [~DrPepper@88.207.166.114] has joined ##openvpn
11:32 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:48 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has quit [Ping timeout: 260 seconds]
11:50 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has joined ##openvpn
11:54 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Remote host closed the connection]
11:55 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has quit [Read error: Operation timed out]
11:59 -!- SmokeyD [~dolf@f12099.upc-f.chello.nl] has joined ##openvpn
11:59 < SmokeyD> hey everyone, is there a way I can give normal users in windows XP permission to add routes with route.exe?
12:01 < Bushmills> you could give them the admin password
12:01 < SmokeyD> Bushmills: not an option
12:01 < Bushmills> maybe there is something like sudo for windows?
12:02 < Bushmills> possibly more appropriately named addo, for admin-do
12:03 < Bushmills> and if from microsoft, it would be maddo
12:04 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:04 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Remote host closed the connection]
12:04 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:06 -!- takamichi [~pri@78.133.33.203] has quit []
12:08 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has joined ##openvpn
12:11 -!- DrPepper [~DrPepper@88.207.166.114] has quit [Read error: Connection timed out]
12:11 -!- DrPepper [~DrPepper@88.207.166.114] has joined ##openvpn
12:18 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
12:24 < ecrist> there is a sudo for windows
12:24 < ecrist> !winsudo
12:24 < vpnHelper> ecrist: Error: "winsudo" is not a valid command.
12:24 < ecrist> !sudowin
12:24 < vpnHelper> ecrist: "sudowin" is http://sourceforge.net/projects/sudowin/
12:24 < ecrist> :)
12:24 < ecrist> !learn winsudo as [sudowin]
12:24 < vpnHelper> ecrist: Joo got it.
12:31 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Read error: Connection reset by peer]
12:32 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
12:32 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 264 seconds]
12:38 -!- SmokeyD [~dolf@f12099.upc-f.chello.nl] has quit [Quit: Leaving.]
13:00 -!- smerz [~daniel@smerz.demon.nl] has joined ##openvpn
13:08 -!- SDuensin [~Scott@21.sub-97-187-95.myvzw.com] has joined ##openvpn
13:09 < SDuensin> !welcome
13:09 < vpnHelper> SDuensin: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:09 < SDuensin> !route
13:09 < vpnHelper> SDuensin: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:11 < SDuensin> !redirect
13:11 < vpnHelper> SDuensin: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:11 < SDuensin> !def1
13:11 < vpnHelper> SDuensin: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
13:12 < SDuensin> !ipforward
13:12 < vpnHelper> SDuensin: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
13:12 < SDuensin> !linipforward
13:12 < vpnHelper> SDuensin: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
13:12 < SDuensin> !nat
13:12 < vpnHelper> SDuensin: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
13:13 < SDuensin> !linnat
13:13 < vpnHelper> SDuensin: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
13:16 < SDuensin> Ok, whoever set up vpnHelper is owed a beer.  That's slick.  I'm now happily VPNing!
14:07 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Remote host closed the connection]
14:22 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
14:29 < ecrist> SDuensin: glad to hear it
14:29 < SDuensin> :-)
14:29 < ecrist> that was an effort by myself, and mostly krzee
14:29 < ecrist> !factoids
14:29 < vpnHelper> ecrist: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
14:29 < ecrist> see that URL for all the goodies.
14:29 < SDuensin> Well, it rocks.
14:31 -!- bent_screwdriver [~socain00@74.255.249.66] has joined ##openvpn
14:34 < bent_screwdriver> if i have a site-to-site vpn and i am routing all traffic from the clients, behind the client vpn, through the server vpn, how do i add a route on the server vpn to send all internet traffic out a local fireall on the same net as vpn server  
14:35 < bent_screwdriver> i had to remove the 0.0.0.0 route on the internet side, add the 0.0.0.0 route to route to internet firewall, and add a route for the internet address of the remote vpn client box to get it to work...
14:35 < ecrist> !def1
14:35 < vpnHelper> ecrist: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
14:36 < bent_screwdriver> thanks for the direction vpnHelper!
14:37 < ecrist> vpnHelper is a bot
14:37 < vpnHelper> ecrist: Error: "is" is not a valid command.
14:37 < bent_screwdriver> hehe..
14:38 < bent_screwdriver> ecrist: will any of that assist with my issue. wasnt sure what you meant. do not use def1?
14:39 < bent_screwdriver> or is that how you trigger the bot? that is cool. new to irc....
14:39 < ecrist> bent_screwdriver: def1 was a command to the bot, which spewed forth data that should help you
14:40 < ecrist> !help
14:40 < vpnHelper> ecrist: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
14:40 < ecrist> like that.
14:40 < bent_screwdriver> ecrist: wow. learn somethign new everyday. thank YOU for your help! ;)
14:41 < ecrist> many IRC channels have bots, which are triggered by similar commands, usually prefixed by a special character or word.  our bot is triggered by an exlaimation point, followed by a key word.
14:42 < bent_screwdriver> ecrist: really neat. i was wondering how he typed so fast! ;) thanks for the tips 
14:42 < ecrist> no problem.
14:42 < ecrist> you'll notice in our topic, we provide a command that should get you off to a good start
14:43 < bent_screwdriver> !welcome
14:43 < vpnHelper> bent_screwdriver: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:46 < bent_screwdriver> !redirect
14:46 < vpnHelper> bent_screwdriver: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:48 < ecrist> fast learner. :)
14:49 -!- killown [~killown@unaffiliated/killown] has quit [Ping timeout: 245 seconds]
14:50 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
14:54 < SDuensin> Well, ecrist, thanks again for the awesome bot.  I'm outta here!  Weekend, here I come!
14:54 < ecrist> np, have a good one
14:54  * ecrist is two beers deep
14:54 < SDuensin> :-)
14:54 < SDuensin> Don't guess you're near St. Louis, eh?
14:54 < ecrist> MO?  no, Mpls, MN
14:55 < SDuensin> Oh well.  I tried!
14:55 < ecrist> indeed
14:55 < SDuensin> *Out!*
14:55 -!- SDuensin [~Scott@21.sub-97-187-95.myvzw.com] has quit [Quit: Leaving]
15:00 < hyper_ch> oh my god, I think one of my carnivors just devoured a wasp
15:04 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit []
15:11 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 248 seconds]
15:19 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
16:01 -!- bent_screwdriver [~socain00@74.255.249.66] has quit []
16:20 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
16:38 -!- gate_ [gate@S01060001802171f4.cg.shawcable.net] has joined ##openvpn
17:02 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
17:36 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Quit: Ex-Chat]
17:37 -!- Chuwiey [~Chuwiey@95.35.250.118] has joined ##openvpn
17:38 -!- Chuwiey [~Chuwiey@95.35.250.118] has left ##openvpn []
18:00 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
18:25 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
19:17 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
19:54 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
19:59 -!- g0tcha [~efnet@27.9.202.62.fix.bluewin.ch] has left ##openvpn []
20:01 -!- killown [~killown@unaffiliated/killown] has quit [Ping timeout: 245 seconds]
20:03 -!- kmels [~kmels@3.227.148.190.dsl.intelnet.net.gt] has joined ##openvpn
20:06 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
20:06 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:21 -!- Scrufffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit []
20:34 -!- notbrien [~notbrien@208.82.13.214] has quit [Quit: notbrien]
20:56 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 276 seconds]
21:10 -!- kmels [~kmels@3.227.148.190.dsl.intelnet.net.gt] has quit [Quit: kmels]
21:22 -!- DrPepper [~DrPepper@88.207.166.114] has quit [Quit: Leaving...]
21:30 -!- solid [~nobody@solidclouds.com] has quit [Quit: Lost terminal]
21:35 -!- smerz [~daniel@smerz.demon.nl] has quit [Remote host closed the connection]
22:30 -!- Netsplit *.net <-> *.split quits: julius, xargs
22:37 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
22:39 -!- Netsplit over, joins: xargs, julius
22:57 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
23:23 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
23:48 -!- Knio [~Knio@174.0.88.23] has quit [Read error: Connection reset by peer]
23:53 -!- Knio [~Knio@174.0.88.23] has joined ##openvpn
--- Day changed Sat Jun 12 2010
00:05 -!- T1w [~jens@node3.survey-it.dk] has quit [Quit: Leaving]
00:06 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
00:11 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Read error: Operation timed out]
00:24 -!- kmels [~kmels@3.227.148.190.dsl.intelnet.net.gt] has joined ##openvpn
00:24 -!- mape2k [~mape2k@p5B28409D.dip.t-dialin.net] has joined ##openvpn
01:10 < hyper_ch> krzie: onine?
01:21 < hyper_ch> !udp
01:21 < vpnHelper> hyper_ch: Error: "udp" is not a valid command.
01:22 < hyper_ch> are there problems with upd traffic over openvpn?
01:26 -!- mape2k [~mape2k@p5B28409D.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
01:43 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
01:44 < kmels> .
01:45 < kmels> This may sound silly but, should the client keys should be in the client or in the server?
01:45 < kmels> .key refers to private key?
01:45 < hyper_ch> !howto
01:45 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
01:46 < kmels> ok ok..
01:46 < hyper_ch> http://openvpn.net/index.php/open-source/documentation/howto.html#pki
01:46 < vpnHelper> Title: HOWTO (at openvpn.net)
01:46 < hyper_ch> scorll a bit own to the key files section
01:46 < hyper_ch> it says what files needs to go where
01:46 < kmels> cheers.
02:01 -!- kmels [~kmels@3.227.148.190.dsl.intelnet.net.gt] has quit [Quit: kmels]
02:26 -!- DrPepper [~DrPepper@88.207.166.114] has joined ##openvpn
02:42 -!- gate_ [gate@S01060001802171f4.cg.shawcable.net] has quit [Quit: Leaving]
02:44 -!- downhill__ [~blood@elegua.za.net] has joined ##openvpn
02:44 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
02:45 < downhill__> so I'm sure this comes up like 50 times a day, but is there any sane way for Linux clients to handle dhcp-options like DNS and WINS or does every solution just mean maintaining /etc/resolv.conf?
02:45 < downhill__> I'd rather have it Windows-style if that's possible :/
02:45 < downhill__> (per-nic)
02:46 < sigius> I am looking for a commercial embedded linux device (dedicated to) running openvpn , is there such a thing around ?
02:48 < theDoc> Yep, we're in the process of looking at something like that to establish a site to site vpn for customers and our vpn servers.
02:54 < sigius> theDoc, can you provide a name or link , seems google isnt my friend today ?
02:55 < theDoc> sigius> Custom written firmware, we're still experimenting with things.
02:55 < theDoc> So no.
02:59  * downhill__ wanders off and leaves his msg catcher on
03:08 -!- killermouse0 [~killermou@gsv95-1-82-233-12-23.fbx.proxad.net] has joined ##openvpn
03:08 < killermouse0> !welcome
03:08 < vpnHelper> killermouse0: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:09 < killermouse0> !logs
03:09 < vpnHelper> killermouse0: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
03:10 < killermouse0> !sample
03:10 < vpnHelper> killermouse0: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
03:11 < killermouse0> !route
03:11 < vpnHelper> killermouse0: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
03:12 < killermouse0> ok I think I'm going to get bashed but I have a noob question ...
03:12 < killermouse0> I've a mostly working bridged openvpn config
03:13 < killermouse0> mostly meaning : client can connect through the firewall to reach the openvpn server and can ping a machine on the openvpn server's lan
03:13 < killermouse0> what I can't get to work is the Windows workgroup browsing... the client machine won't see the other computers
03:13 < killermouse0> any pointers for that ?
03:14 < killermouse0> my guess is that it's broadcast based, so I might have to enable something (networking option ?) on the openvpn linux server, but what ?
03:20 < sigius> theDoc: too bad. In the past i've used an openwrt and run openvpn on it. Worked quite well and actually sold it as a vpn (connecting a group of medical doctors wanting to share patient dossiers). Anyway for a larger scale operation I want to reduce the overhead and go with a commercial solution.
03:21 < theDoc> sigius> Must it be openvpn?
03:21 < theDoc> You can look into an ASA or something.
03:29 < sigius> preferably yes. Cisco I prefer too stay away from. I have tried to deploy one of those once (about 4 years ago before i opted for openvpn). Found it a nightmare to work with 
03:30 < sigius> openvpn i understand and is easily understood by any coworker
03:30 < sigius> well fairly easy 
03:32 < sigius> plus i'd like to have something that also does (or can be made to do)  iptables/shorewall,
03:37 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Operation timed out]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
04:05 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 248 seconds]
04:06 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
04:39 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:57 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
04:57 -!- mode/##openvpn [+o mattock] by ChanServ
06:20 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has quit [Quit: Ex-Chat]
06:23 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has joined ##openvpn
06:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 258 seconds]
07:04 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
07:05 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
07:45 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Ping timeout: 272 seconds]
07:58 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has quit [Ping timeout: 252 seconds]
07:59 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has joined ##openvpn
08:22 -!- Mahrud [~mahrud@91.99.30.151] has joined ##openvpn
08:23 -!- Mahrud [~mahrud@91.99.30.151] has left ##openvpn []
08:26 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Ping timeout: 252 seconds]
09:14 -!- teddymills [~teddy@69.158.27.79] has joined ##openvpn
09:15 < teddymills> Want to make a bridged vpn for some window xp clients to their office. Can this be done without openvpn?
09:15 < Bushmills> probably. any working, non-openvpn solution should be fine
09:17 < teddymills> cant be routed..must be bridged..know of any solutions?
09:17 < Bushmills> probably depend on your choice of solution
09:18 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
09:18 < teddymills> trying to keep it under $100
09:18 < Bushmills> try google
09:51 -!- screen-x [~screen-x@91.84.155.61] has quit [Ping timeout: 265 seconds]
09:57 -!- clyons [~clyons@unaffiliated/clyons] has quit [Quit: Leaving]
10:21 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
10:28 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:31 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
10:49 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:50 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
10:51 -!- dunc_ [~dunc@2a01:348:1d2:12:215:c5ff:fe08:5ca8] has quit [Ping timeout: 276 seconds]
10:52 -!- BoomSie [~gideon@84-245-27-118.dsl.cambrium.nl] has joined ##openvpn
10:53 -!- kmels [~kmels@3.227.148.190.dsl.intelnet.net.gt] has joined ##openvpn
11:04 -!- screen-x [~screen-x@91.84.155.61] has joined ##openvpn
11:21 < hyper_ch> hi Bushmills
11:21 < Bushmills> 'morning hyper_ch
11:22 < hyper_ch> Bushmills: http://images.sjau.ch/img/4c829e58.jpg
11:24 < Bushmills> http://scarydevilmonastery.net/snap/1276359797547625927d.png  just above the plant container you see the violets shimmer through
11:24 -!- screen-x [~screen-x@91.84.155.61] has quit [Ping timeout: 260 seconds]
11:26 < hyper_ch> Bushmills: what about that?
11:27 < Bushmills> was mean to give orientation clues. but on the wrong channel
11:27 < Bushmills> meant
11:27 < Bushmills> violets as waypoint marker, to match orientation of other pics
11:27 < hyper_ch> ah :)
11:28 < Bushmills> armpill?
11:28 < hyper_ch> :)
11:33 -!- BoomSie [~gideon@84-245-27-118.dsl.cambrium.nl] has quit [Read error: Connection reset by peer]
11:49 -!- BoomSie [~gideon@84-245-27-118.dsl.cambrium.nl] has joined ##openvpn
11:58 -!- kmels [~kmels@3.227.148.190.dsl.intelnet.net.gt] has quit [Quit: kmels]
12:00 -!- DrPepper [~DrPepper@88.207.166.114] has quit [Quit: Leaving...]
12:26 -!- DrPepper [~DrPepper@88.207.166.114] has joined ##openvpn
12:43 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
12:46 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
12:50 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined ##openvpn
12:52 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Client Quit]
12:59 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
13:26 -!- TDJACR [~TDJACR@unaffiliated/tdjacr] has joined ##openvpn
13:27 < TDJACR> Two questions:
13:27 < kisom> shoot.
13:27 < TDJACR> 1) How would I attach a routed VPN to an interface alias: ex: eth0:1 instead of just eth0
13:28 < TDJACR> And the second doesn't apply in retrospect :P
13:28 < kisom> create a bridge between your tap interface and your eth0:1 interface
13:28 < kisom> hmm
13:28 < TDJACR> kisom: How would I accomplish that.
13:28 < kisom> im not even sure you can do a bridge with a virtual interface
13:28 < TDJACR> Oh
13:29 < kisom> sounds pretty stupid to do so...
13:29 < kisom> try!
13:29 < kisom> check out brctl
13:29 < TDJACR> The reason I ask is because I use Linux-Vserver which has trouble doing network ops on virtual servers, so I'm doing it on the host, and I want to use the VPN on only one of the virtual addresses.
13:29 < TDJACR> bbl
13:30 < TDJACR> Thanks!
13:30 < kisom> well
13:30 < kisom> i'm pretty unsure of what you want to do really
13:30 < |Mike|> use kvm! :P
14:05 -!- BoomSie [~gideon@84-245-27-118.dsl.cambrium.nl] has quit [Read error: Connection reset by peer]
14:05 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has joined ##openvpn
14:13 < TDJACR> |Mike|: Processor doesn't support iirc.
14:21 < Bushmills> TDJACR: use   local   in server config to bind to one single ip address only 
14:45 -!- krzie [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
14:45 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 248 seconds]
14:53 < kisom> anyone know if the iptables limit module can count for example "per 30 seconds" and not only per second, minut and hour?
14:54 < kisom> for example, i want to allow a maximum of 1 packets on a dport per 10 second
14:54 < Bushmills> 2 per minute
14:54 < Bushmills> ah.  6 per minute
14:54 < kisom> i know it is possible to do this by allowing 60 packets per minute instead, but that way a burst of 60 packets will lock the port for a whole minute
14:55 < kisom> well yes, 6 now 60, my bad :)
14:55 < kisom> anyways, you still get the idea
14:55 < Bushmills> for finer granularity, you might need to use QoS
14:56 < kisom> i could do it the ugly way and write 6 separate rules in the chain...
14:56 < Bushmills> but, a burst of 6 packets locking for the rest of the minute sounds pretty right for allowing 6 packets per minute :)
14:57 < kisom> yes, but that way the connection would timeout, i want one packet to flow each 10 sec
14:58 < Bushmills> that will teach them
14:58 < kisom> i think -m recent might be able to solve this
15:04 < vpnHelper> New forum entry openvpnforum: Configuration :: TCP bridged connection loses Windows Network Places :: Author upandacross <http://www.ovpnforum.com/viewtopic.php?f=6&t=5167&p=5698#p5698>
15:06 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
15:27 -!- krzee [~k@unaffiliated/krzee] has quit [Quit: Leaving]
16:30 -!- takamichi [~pri@78.133.33.203] has joined ##openvpn
16:46 -!- julius [~julius@217.20.127.15] has quit [Disconnected by services]
16:55 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
16:55 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
17:00 -!- kmels [~kmels@31.185.148.190.dsl.intelnet.net.gt] has joined ##openvpn
17:01 -!- takamichi [~pri@78.133.33.203] has quit [Ping timeout: 276 seconds]
17:02 -!- takamichi [~pri@78.133.33.203] has joined ##openvpn
17:03 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Read error: Connection reset by peer]
17:04 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has joined ##openvpn
17:06 -!- kmels [~kmels@31.185.148.190.dsl.intelnet.net.gt] has quit [Quit: kmels]
17:06 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
17:14 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
18:42 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
18:43 -!- intrr [~intrr@time.instinctive.de] has joined ##openvpn
19:31 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
19:43 < intrr> hi, i'm having trouble compiling openvpn 2.1.1 ... i'm getting "socket.c:2772: storage size of `peercred' isn't known" - I already defined _GNU_SOURCE, to no avail. Any ideas?
19:49 < intrr> heh ok, i just copied the definition from the kernel's socket.h into openvpn's socket.c...
19:51 -!- kmels_ [~kmels@191.223.148.190.dsl.intelnet.net.gt] has joined ##openvpn
19:54 -!- intrr [~intrr@time.instinctive.de] has quit [Quit: Leaving]
20:10 -!- kmels_ [~kmels@191.223.148.190.dsl.intelnet.net.gt] has quit [Quit: kmels_]
20:31 -!- tjz [~pc@bb116-14-142-112.singnet.com.sg] has joined ##openvpn
20:31 -!- tjz [~pc@bb116-14-142-112.singnet.com.sg] has quit [Changing host]
20:31 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:50 -!- pembo13 [~pembo13@70.94.113.230] has joined ##openvpn
20:51 < pembo13> i have open vpn set to use 192.168.2.0 for clients
20:51 < pembo13> the server is to be on 192.168.2.1
20:52 < pembo13> however, in my route (server side), trafic is being directed to 192.168.2.2 is the normal?
20:52 < krzee> !/30
20:52 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
20:53 < krzee> yes, thats why above
20:53 < pembo13> krzee: thanks, i'll read
20:53 < pembo13> krzee: troubleshooting a problem where client connects, but can't reach network
20:53 < pembo13> krzee: client could ping for first few seconds on first attempt
20:53 < pembo13> but not anymore
20:53 < krzee> lan is behind server?
20:54 < pembo13> krzee: yah.. but client can't even ping server 192.168.2.1 anymore
20:55 < krzee> why are you using 192.168.2.x for the vpn?
20:55 < krzee> its a pretty common subnet
20:55 < pembo13> hkk
20:55 < krzee> you could run into problems if you have road warriors
20:55 < pembo13> hmm
20:55 < pembo13> i din't think of that
20:55 < pembo13> hold
20:55 < krzee> !samesubnet
20:55 < vpnHelper> krzee: "samesubnet" is clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
20:55 < krzee> thats the problem you could run into
20:55 < pembo13> i assumed the client was on 192.168.1
20:56 < krzee> if anyone connects, and has a LAN address on 192.168.2.x, you'll run into the problem
20:56 < krzee> also, what is the subnet of the server LAN
20:56 < pembo13> krzee: yah.. i understand
20:56 < pembo13> krzee: 192.168.1.0
20:56 < pembo13> krzee: asking client what their subnet is
20:56 < krzee> umm
20:56 < krzee> your server LAN is 192.168.1.x?
20:57 < pembo13> krzee: yes
20:57 < krzee> thats even worse...
20:57 < pembo13> krzee: do tell
20:57 < krzee> if the client is on 192.168.1.x, you'll also have the samesubnet issue
20:57 < krzee> !samesubnet
20:57 < vpnHelper> krzee: "samesubnet" is clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
20:57 < pembo13> krzee: i haven't had probs with this particular setup before.. so i hadn't considered that
20:57 < pembo13> krzee: ugh... same prob
20:58 < pembo13> krzee: what's the recommended subnet for VPN? it's been a while since i read through all the docs
20:58 < krzee> well in the docs its always 10.8.0.x
20:58 < pembo13> krzee: cool... i'll try that
20:58 < krzee> but really, any 1918 ip that is uncommon
20:59 < krzee> !1918
20:59 < vpnHelper> krzee: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
20:59 < pembo13> krzee: http://openvpn.net/index.php/open-source/faq.html#slash30 seems to use 192.168.1 too
20:59 < vpnHelper> Title: FAQ (at openvpn.net)
20:59 < krzee> heh, so it does
21:00 < krzee> in the sample configs and whatnot its 10.8.0.x ;)
21:00 < pembo13> krzee: wonder if that's a relatively recent change
21:00 < pembo13> oh wlel
21:00 < pembo13> well*.. will try to switcgg
21:00 < krzee> also
21:00 < pembo13> krzee: think i'll try 172.16.1.x
21:00 < krzee> is the server also the router for its LAN?
21:01 < krzee> thats prolly also a common subnet
21:01 < pembo13> krzee: no.. just in the router's DMZ
21:01 < krzee> ok, then you need to add a route to the router
21:01 < krzee> for the vpn subnet
21:01 < krzee> !factoids search outside
21:01 < vpnHelper> krzee: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
21:01 < krzee> also, you need ip forwarding enabled in the servers OS
21:01 < krzee> (all of this is covered in my writeup on openvpn routing)
21:01 < krzee> !route
21:01 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
21:02 < pembo13> krzee: yah.. this is actually the first time i've had a problem with a client connecting
21:02 < pembo13> krzee: i setup the VPN some time ago
21:02 < krzee> ahh
21:02 < pembo13> krzee: so i'm guess it may be a subnet prob
21:02 < krzee> prolly conflicting subnet then ;]
21:02 < pembo13> thanks for reminding me i need to change the subnet on router too though
21:02 < pembo13> it's set to .2 as wlel
21:03 < krzee> np
21:04 < pembo13> krzee: now.. i wonder what happens if i push my servers subnet to the client if the client is also on the same private subnet
21:04 < pembo13> think i'll not push the subnet for now
21:04 < pembo13> don't want to resubnet my network right now
21:04 < krzee> i told you what will happen
21:04 < krzee> !samesubnet
21:04 < vpnHelper> krzee: "samesubnet" is clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
21:04 < krzee> that ^
21:05 < krzee> the client will lose all network connection until it kills the vpn process
21:05 < pembo13> krzee: ok.. that didn't happen... ineretsing
21:05 < pembo13> krzee: chatting with client via IM
21:05 < pembo13> krzee: thanks dude
21:05 < krzee> what subnet is he on?
21:06 < pembo13> krzee: she said router is supposed to be 192.168.1.1 didn't properly confirm for me however
21:06 < pembo13> krzee: they are using  a netgear router, so i assume 192.168.1.x
21:08 < krzee> its not like its hard to check
21:08 < pembo13> krzee: i know
21:10 < pembo13> krzee: oh well.. thanks
21:11 < pembo13> krzee: it's a person VPN anyways.. not  a high priority
21:11 < krzee> yw
21:11 < krzee> im out for awhile, gl
21:11 < krzee> time to go watch the UFC
21:11 < pembo13> krzee: peace
21:13 -!- pembo13 [~pembo13@70.94.113.230] has quit [Remote host closed the connection]
21:21 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
21:27 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Read error: Operation timed out]
22:04 -!- kmels [~kmels@191.223.148.190.dsl.intelnet.net.gt] has joined ##openvpn
22:11 < troy-> how can i make openvpn tunnels come up automatically when the daemon starts?
22:14 < troy-> nm
23:02 -!- kmels [~kmels@191.223.148.190.dsl.intelnet.net.gt] has quit [Quit: oraletz]
23:20 -!- DrPepper [~DrPepper@88.207.166.114] has quit [Quit: Leaving...]
--- Day changed Sun Jun 13 2010
00:20 -!- killown [~killown@unaffiliated/killown] has quit [Read error: Connection reset by peer]
00:22 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
00:27 -!- mwheeler [~mwheeler@unaffiliated/theskorm] has quit [Quit: leaving]
00:35 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
02:38 -!- takamichi [~pri@78.133.33.203] has quit [Ping timeout: 240 seconds]
02:38 -!- takamichi [~pri@78.133.33.203] has joined ##openvpn
02:41 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has quit [Ping timeout: 276 seconds]
02:47 -!- takamichi [~pri@78.133.33.203] has quit [Ping timeout: 260 seconds]
02:48 -!- takamichi [~pri@78.133.33.203] has joined ##openvpn
02:53 -!- freaky[t]_ is now known as freaky[t]
02:57 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
03:06 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined ##openvpn
03:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
03:13 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
03:21 -!- Chuwiey [Chuwiey@bzq-79-181-54-114.red.bezeqint.net] has joined ##openvpn
03:22 < Chuwiey> Hello all, is anyone familiar with the vmware openvpn accesss server? I have a very slow connection and would like to install iftop... Anyone know how I can enable apt?
03:31 < hyper_ch> vmware openvpn access server? what's that?
03:32 < Chuwiey> openvpn as running inside a vmplayer... 
03:33 < hyper_ch> and what's so special about it?
03:33 < hyper_ch> works ĵust like any other vpn
03:33 < hyper_ch> well, at least when you use bridged networking
03:34 < Chuwiey> right, well.. nothings special about it... except that i'm getting a slow connection. and since it runs on a barebones ubuntu install, i'm trying to add iftop (like top, but for network), but can't... 
03:38 -!- Chuwiey [Chuwiey@bzq-79-181-54-114.red.bezeqint.net] has quit []
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- Chuwiey [~n@c-71-206-10-232.hsd1.md.comcast.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:40 < Chuwiey> hyper_ch, maybe i'm going about this the wrong way... can you help me figure out why my connection is so slow?
03:41 < hyper_ch> not enough cpu?
03:42 < Chuwiey> checked that.. only using 1%... mem also free
03:50 < Bushmills> !AS
03:50 < vpnHelper> Bushmills: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server
03:50 < vpnHelper> Bushmills: configurations options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
03:58 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
04:02 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
04:03 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
04:11 -!- Wiredtape [Chuwiey@bzq-79-181-54-114.red.bezeqint.net] has joined ##openvpn
04:15 -!- Chuwiey [~n@c-71-206-10-232.hsd1.md.comcast.net] has quit [Ping timeout: 272 seconds]
04:16 -!- Wiredtape [Chuwiey@bzq-79-181-54-114.red.bezeqint.net] has quit [Client Quit]
04:37 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has joined ##openvpn
04:55 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 252 seconds]
05:33 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
05:48 -!- downhill__ [~blood@elegua.za.net] has left ##openvpn ["Leaving"]
06:05 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined ##openvpn
06:12 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:28 -!- Lexus45 [~alexey@95.129.162.218] has joined ##openvpn
06:28 < Lexus45> Hi friends.Soon I'll set up a new server, made up of another hardware. I wonder if OpenVPN will still be working well (after a new install) but with old keys/certificates.
06:35 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
06:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:36 -!- mvanderkolff [~mvanderko@r220-101-24-217.cpe.unwired.net.au] has joined ##openvpn
06:37 -!- mvanderkolff [~mvanderko@r220-101-24-217.cpe.unwired.net.au] has left ##openvpn []
06:37 < tjz> worldcup joke: see if you get what the pic mean - http://img8.imageshack.us/img8/790/97231718.jpg
06:39 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
06:40 < Bushmills> means "oil leaks are not they only thing they can't stop"
06:41 < tjz> noooooooooooooooo
06:41 < tjz> it's the match between england and usa yesterday
06:42 < kisom> ah yes, sports
06:42 < tjz> check this gif: http://i48.tinypic.com/2lkw4ci.jpg &  http://i45.tinypic.com/20sshw3.jpg
06:44 < Bushmills> well, it was a dangerous well placed bouncer, after all
06:44 < kisom> the one ok, he missed the ball
06:44 < kisom> so what?
06:44 < kisom> -the one ok,
06:45 < Bushmills> and look how the ball twists and spins.  almost half a revolution on its way
06:45 < kisom> i didn't even think the US cared about soccer
06:45 < Bushmills> but somebody could have told the keeper to have breakfast *before* putting on his gloves
06:48 < Bushmills> kisom: ah, background is that england experienced a string of goalie problems in important matches
06:49 < Bushmills> their previous keeper has been nicknamed "calamity james" :D
06:49 < kisom> well im not really a big sports fan
06:49 < kisom> i rather play the games than watching it
07:08 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
07:10 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
07:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
07:28 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
07:45 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
07:54 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:59 -!- g4tsu [~g4tsu@87-98-187-130.kimsufi.com] has joined ##openvpn
07:59 < g4tsu> Hello
08:00 < g4tsu> I've got a problem, my vpn works well but when I go on mon-ip.com with my client PC, I haven't the IP of my server
08:00 < g4tsu> Is somebody have an idea ?
08:01 < Bushmills> what did you expect to see?
08:02 < g4tsu> the ip of my server
08:02 < g4tsu> I already do this but I don't remeber how
08:02 < Bushmills> is your traffic routed through the server?
08:02 < g4tsu> How to see it ?
08:02 < Bushmills> look at client routing table
08:03 < Bushmills> or, run mtr or traceroute to an internet site on your client
08:03 < g4tsu> default         Livebox-xxx   0.0.0.0         UG    0      0        0 wlan0
08:03 < Bushmills> that's not your vpn
08:04 < Bushmills> !redirect
08:04 < g4tsu> yep ...
08:04 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
08:04 < g4tsu> I have this in my client.conf -> push "redirect-gateway def1"
08:04 < g4tsu> !def1
08:04 < vpnHelper> g4tsu: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
08:05 < g4tsu> !man
08:05 < vpnHelper> g4tsu: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
08:05 < Bushmills> you don't want to push that in your client conf
08:05 < g4tsu> in my server.cnf *
08:05 < g4tsu> conf*
08:05 < Bushmills> either push it in server conf, or just configure it, no pushing, in your client conf
08:06 < g4tsu> yep done
08:06 < Bushmills> and enable NAT on server
08:06 < Bushmills> and ip forwarding
08:07 < g4tsu> done. It works under windows ...
08:08 < g4tsu> but not under Linux ...
08:08 < g4tsu> Is there an iptables rules to add under Linux ?
08:11 < Bushmills> client? no.  
08:15 < g4tsu> hmm If I pastebin my client.conf could you tell me what is wrong ?
08:19 < Bushmills> you could, for now, add a host route to your server, and set a new default router.  looking at your log file may help.
08:20 < g4tsu> I 'll try
08:20 < Bushmills> route add serverip wlan0; route add default gw your-vpn-server tun0    something like that
08:28 -!- g4tsu [~g4tsu@87-98-187-130.kimsufi.com] has left ##openvpn ["Quitte"]
08:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
09:02 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
09:10 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
09:23 -!- VirusTB [~VirusTB@145.116.24.31] has joined ##openvpn
09:40 -!- VirusTB [~VirusTB@145.116.24.31] has quit [Quit: VirusTB]
10:01 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
10:15 -!- Ep5iloN [~Ep5iloN@89-235-211-148.saturn.infonet.ee] has joined ##openvpn
10:16 < Ep5iloN> Hi. problem with port forwarding on dd-wr to openvpn. If I choose on dd-wrt port that varies form 1194 - I can't establish the connection. Port 1194 is the onlies that works. Why? Any ideas? Thanks/
10:17 -!- Cutties [~None@c83-251-87-35.bredband.comhem.se] has joined ##openvpn
10:17 < Cutties> !welcome
10:17 < vpnHelper> Cutties: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:17 < Cutties> !forum
10:17 < vpnHelper> Cutties: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
10:18 < Cutties> !howto
10:18 < vpnHelper> Cutties: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:19 < Cutties> Anyone there?
10:20 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
10:21 < Cutties> Guess not :(
10:29 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
10:32 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
10:35 < Cutties> Hello?
10:39 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:58 < kisom> Cutties: yeah?
10:59 < kisom> its sunday, people are slacking
10:59  * ecrist never slacks.
11:00 < Cutties> aaah
11:00 < Cutties> I found this irc channel thru facebook and had a few questions about openvpn..
11:00 < kisom> shoot
11:00 < ecrist> Ep5iloN: see #dd-wrt
11:01  * ecrist suggests asking questions 
11:01 < Cutties> I tried to send the question out over the mailinglist but i thought what the hell, maybe someone here knows.
11:01 < ecrist> most of the people that answer questions on the mailing list reside here.
11:02 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
11:02 < kisom> i do not use mailing lists, too old for me :<
11:02 < Cutties> Ok here it comes. I got a stable tunnel connection from my server to 2-3 clients. But the speed is capped to 70kb/s
11:03 < ecrist> Cutties: remember that all client connections go through the server.
11:03 < ecrist> effectively, you'll be limited to the upload speed of the server.
11:03 < kisom> I didn't even see the question... :)
11:04 < Cutties> Hmm
11:04 < Cutties> damn, not use to mIRc..
11:05 < kisom> Is the server on your local network? What exactly is capped? What do you want to accomplish?
11:05 < Cutties> The question is, somehow the speed for my connection is capped. Could it be my config file on the server and client that make the capp or that i use windows as OS?
11:05 < ecrist> Cutties: I just told you.
11:05 < kisom> Cutties: What type of connection do you have? ADSL? Cable?
11:06 < Cutties> THe servers speed is much higher then what i get. 
11:06 < ecrist> the server's upload speed?
11:06 < Cutties> If i would use a ftp connection from server-client i would get almost 100x speed.
11:06 < ecrist> we would need to see configs, and empirical data showing your throttling.
11:07 < Cutties> I can cut and paste the configs here if its ok.
11:07 < kisom> dont
11:07 < kisom> paste them at www.livepad.eu/openvpn
11:07 < ecrist> things were explained in !welcome
11:08 < Cutties> nice page. i shared it on http://www.livepad.eu/openvpnnow
11:08 < vpnHelper> Title: EtherPad: Create a new pad? (at www.livepad.eu)
11:08 < Cutties> ...now.
11:09 < kisom> do you use a local IP address in the client conf? or your WAN address?
11:10 < Cutties> well i use my local ip address on the server behinde a router that got static route.
11:10 < ecrist> Cutties: show your configs, pleaes
11:11 < ecrist> please*
11:11 < kisom> ecrist: he did, www.livepad.eu/openvpn
11:11 < ecrist> that page didn't come up for me
11:11 < ecrist> asked me to create a new on
11:11 < ecrist> one*
11:11 < kisom> press my link.
11:11 < ecrist> sheesh, I can't type
11:11 < ecrist> page times out
11:12 < ecrist> ok, I came up the third time
11:12 < kisom> yes im torrenting
11:12 < kisom> the server is a bit slow
11:12 < ecrist> lame
11:12 < ecrist> pastebin works fine
11:12 < kisom> livepad is real-time ;)
11:12 < ecrist> please recommend pastebin in the future.
11:12 < kisom> pastebin is not
11:13 < kisom> anyways, im gonna eat
11:13  * kisom &
11:13 < Cutties> got the muchis?
11:14 < Cutties> Im not pro at all with OpenVPN so my guess my speedcapp have something with the config file.
11:15  * ecrist gets bored and finds something else to do
11:15 < Cutties> No no no ecrist, stay and try to help me pls.
11:16 < Cutties> I can give you a cookie if you can help..
11:35 < kisom> Cutties: the problem is not in openvpn
11:36 < kisom> its your connection.
11:36 < kisom> openvpn does not have caps unless you define them yourself
11:36 < kisom> my guess is the VPN connection is somehow routed to the internet and then back to your server
11:37 < kisom> I'm having that problem as well with my server, if my ISP is faster to respond to the who-has arp message then the connection is routed over my ADSL and is slower
11:48 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
11:55 < takamichi> hey chaps, whats the best way to restrict simultaneous logins from same account?
11:55 < krzie> by default only 1 instance of each common-name is allowed
11:56 -!- DrPepper [~DrPepper@88.207.166.114] has joined ##openvpn
11:58 < takamichi> thanx krzie. Im using 'duplicate-cn' since all clients share same certs and radius for authentication. Can openvpn do anything in this config or should I look at freeradius?
11:58 < krzie> sure, your auth script that auths via radius
11:59 < krzie> if the auth script exits bad, the auth fails...
11:59 < takamichi> which auth script?
11:59 < krzie> openvpn doesnt magicly auth to radius... you are using a script
12:00 < takamichi> yes, its a plugin written in c. Are you saying I need to look here?
12:00 < krzie> you can make it check if the person is already logged in
12:00 < krzie> but if you're asking if openvpn has something built in, no
12:00 < takamichi> ok great, thanks dude
12:00 < krzie> well yes, but you chose not to use it
12:01 < krzie> you know, you dont need duplicate-cn, cause you can use common-name as the username from the radius auth
12:01 < krzie> !authpass
12:01 < vpnHelper> krzie: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
12:01 < krzie> --username-as-common-name
12:01 < krzie> so maybe you can use that and get rid of duplicate-cn to accomplish your goal
12:02 < takamichi> very interesting, thank you, i shall look into this right away!
12:02 < krzie> np
12:02 < krzie> lemme know how that goes
12:02 < takamichi> sure
12:05 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
12:08 -!- takamichi [~pri@78.133.33.203] has quit [Ping timeout: 245 seconds]
12:09 -!- takamichi [~pri@78.133.33.203] has joined ##openvpn
12:10 < takamichi> hey krzie, that directive worked like a charm!
12:10 < krzie> cool =]
12:11 < takamichi> now, what If one or two people, like the boss need multiple simultaneous logins with a single account? :)
12:11 < krzie> then they need 2 accounts in radius
12:12 < krzie> :-p
12:12 < takamichi> ok cool thought so. cheers mate!
12:12 < krzie> cheers
12:12 < krzie> and thanx, you just reminded me that i miss australia
12:12 < krzie> =/
12:22 -!- joejc [~joe@adsl-69-224-152-61.dsl.irvnca.pacbell.net] has joined ##openvpn
12:30 < joejc> can anyone here help me setup a openvpn bridge between 2 dd wrt routers. ive been working on it for 3 days and i think ive almost go it but i don know whats wrong
12:36 < joejc> heres my start up scripts: http://pastebin.com/KJN8ZeA0 anything commented out is commented out because for some reason or another it was giving me an error
12:50 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
13:10 -!- Ankhwatcher [~Ankhwatch@86-42-128-189-dynamic.b-ras1.bbh.dublin.eircom.net] has joined ##openvpn
13:12 -!- joejc [~joe@adsl-69-224-152-61.dsl.irvnca.pacbell.net] has quit [Read error: Connection reset by peer]
13:14 < Ankhwatcher> how difficult is it to set up an openvpn server on ubuntu?
13:17 -!- joejc [~joe@adsl-69-224-152-61.dsl.irvnca.pacbell.net] has joined ##openvpn
13:29 < Cutties> kisom: Thanks for the help! I was thinking about that also that it could be my ISP.
13:48 -!- Cutties [~None@c83-251-87-35.bredband.comhem.se] has quit []
14:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
14:11 -!- Lexus45 [~alexey@95.129.162.218] has left ##openvpn ["Ухожу я от вас (xchat 2.4.5 или старше)"]
14:13 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
15:29 -!- Ep5iloN [~Ep5iloN@89-235-211-148.saturn.infonet.ee] has quit [Quit: leaving]
15:43 -!- TDJACR [~TDJACR@unaffiliated/tdjacr] has quit [Quit: ZNC - http://znc.sourceforge.net]
15:44 -!- killown [~killown@189.110.210.7] has joined ##openvpn
15:44 -!- killown [~killown@189.110.210.7] has quit [Changing host]
15:44 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
15:47 -!- TDJACR [~TDJACR@unaffiliated/tdjacr] has joined ##openvpn
16:33 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
16:38 -!- arcsky [~arcsky@2a01:48:100:1:1::1c2] has quit [Ping timeout: 248 seconds]
16:46 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:52 -!- luchs-cc [~luchs-cc@jushiro.luchs.cc] has joined ##openvpn
16:52 < luchs-cc> ls
16:52 < luchs-cc> oh xD
16:53 < luchs-cc> !welcome
16:53 < vpnHelper> luchs-cc: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:53 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
17:00 -!- joejc [~joe@adsl-69-224-152-61.dsl.irvnca.pacbell.net] has quit [Disconnected by services]
17:01 -!- joejc [~joe@adsl-69-224-152-61.dsl.irvnca.pacbell.net] has joined ##openvpn
17:01 -!- joejc [~joe@adsl-69-224-152-61.dsl.irvnca.pacbell.net] has quit [Disconnected by services]
17:01 -!- joe__ [~joe@adsl-69-224-152-61.dsl.irvnca.pacbell.net] has joined ##openvpn
17:01 -!- Morporker [~Ankhwatch@86-42-134-24-dynamic.b-ras1.bbh.dublin.eircom.net] has joined ##openvpn
17:03 -!- luchs-cc [~luchs-cc@jushiro.luchs.cc] has quit [Quit: Verlassend]
17:06 -!- Ankhwatcher [~Ankhwatch@86-42-128-189-dynamic.b-ras1.bbh.dublin.eircom.net] has quit [Ping timeout: 276 seconds]
17:06 -!- arcsky [~arcsky@2a01:48:100:1:1::1c2] has joined ##openvpn
17:48 -!- krzie [nobody@unaffiliated/krzee] has quit [Ping timeout: 260 seconds]
17:48 -!- Morporker is now known as Ankhwatcher
17:59 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
18:45 -!- Ankhwatcher [~Ankhwatch@86-42-134-24-dynamic.b-ras1.bbh.dublin.eircom.net] has quit [Read error: Connection reset by peer]
18:53 < krzee> http://xkcd.com/705/
18:53 < vpnHelper> Title: xkcd: Devotion to Duty (at xkcd.com)
19:21 -!- tjz [~pc@bb220-255-198-56.singnet.com.sg] has joined ##openvpn
19:21 -!- tjz [~pc@bb220-255-198-56.singnet.com.sg] has quit [Changing host]
19:21 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
19:21 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
19:40 -!- onats [~onats@unaffiliated/onats] has joined ##openvpn
19:56 -!- bkah [~bkah@CABLE-72-53-79-88.cia.com] has joined ##openvpn
19:57 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
19:57 < bkah> !welcome
19:57 < vpnHelper> bkah: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:00 < bkah> Hello, I have OpenVPN running on centos5.5 x64 as the server and a windows 7 client. I am using the private range of 172.16.30.0/24. I can ping from my server to client perfectly and also to my internal and extra nic's on the server. I need to setup routing for my internal 10.0.0.0 network which the vpn will be used to provide remote access. I am thinking i have to setup routing on my centos box to advertise the 172.16.30.0/24 subnet. Am i correct i
20:01 < bkah> Or just NAT overload my 10.x.x.x nic on my server?
20:05 < krzee> no nat needed
20:05 < krzee> did you read this:
20:05 < krzee> !route
20:05 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:06 < bkah> #3 READ IT
20:06 < bkah> :>
20:06 < krzee> good =]
20:06 < krzee> you push a route to the subnet?
20:06 < krzee> you have ip forwarding enabled in the OS?
20:06 < bkah> just one /24 for testing
20:06 < bkah> yes
20:07 < krzee> you have a route added to the vpn subnet in the router of the LAN?
20:07 < bkah> but my centos isnt the gateway for the lan
20:07 < krzee> !route_outside_ovpn
20:07 < vpnHelper> krzee: Error: "route_outside_ovpn" is not a valid command.
20:07 < krzee> !factoids search outside
20:07 < vpnHelper> krzee: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
20:07 < bkah> yes a routed 172.16.29.0 on our management router
20:07 < bkah> a=i
20:07 < krzee> but you said your vpn is using 172.16.30.x
20:07 < bkah> i lied
20:08 < bkah> 29
20:08 < bkah> 30 is a test for site-to-site cisco vpns i am also setting up
20:08 < bkah> sorry for the mistake
20:08 < bkah> anyways i will go read and return with better questions
20:08 < krzee> sniff packets and see where the traffic stops
20:09 < bkah> first to locate my smokes
20:09 < krzee> ohhh i understand now
20:09 < bkah> ?
20:09 < krzee> i thought you meant you did read it
20:10 < bkah> skimmed when i was configuring
20:10 < krzee> yes, #3 READ IT DONT SKIM IT!
20:10 < bkah> smokes brb
20:10 < krzee> heheh
20:16 < bkah> ok would it cause a problem if its coming in eth1 which has a public ip and I want it to access 10.x.x.x via eth0
20:16 < bkah> second whats the differnce between pushing a route from the server
20:16 < bkah> to adding a route in the client config
20:18 < bkah> just less config for the client i am guessing?
20:19 < krzee> !push
20:19 < vpnHelper> krzee: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
20:19 < krzee> no that would not cause a problem, assuming IP forwarding is enabled and your firewall allows it
20:21 < bkah> iptables is off for troubleshooting
20:21 < krzee> make sure forwarding chain is set to allow *
20:22 < bkah> less headaches if i just used a /28 inside my 10.x.x.x network?
20:22 < krzee> nah
20:22 < bkah> i shut iptables off
20:22 < krzee> oh wait, your home lan is /8?
20:22 < krzee> 10/8?
20:23 < bkah> work is a bunch of /24's on 10
20:23 < krzee> thing is
20:23 < krzee> if you push 10/8 to clients...
20:23 < krzee> better hope it doesnt conflict with a connecting client
20:23 < bkah> home is 10.1.10.x actualy lol have my cisco lab setup
20:24  * bkah face in palm
20:24 < bkah> i am doubled nat'ed behind my cable 
20:24 < krzee> are you aiming to have the most confusing topology possible?
20:25 < bkah> lulz
20:25 < bkah> working on to many projects at once 
20:26 < bkah> my desk has 8 ciscos stacked on it
20:27 < bkah> ok so i have a route for 1 /24 on my client config
20:27 < bkah> which doesnt conflict
20:27 < bkah> i swear
20:36 < bkah> progress!
20:37 < zero-__> /lw/lw
20:37 < zero-__> outch
20:41 < bkah> hmm out other boxes on the lan can ping the tap interface .1
20:41 < bkah> but not the client .2
20:42 < bkah> and i am pushing that /24
20:43 < bkah> and the client cant get passed the server
20:43 < bkah> :(
20:54 -!- pembo13 [~pembo13@70.94.113.230] has joined ##openvpn
20:54 < pembo13> does anyone have an example of what a working openvon windows client route table should look like>
20:54 < pembo13> ?
20:55 < pembo13> these are the windows clients routes: http://fpaste.org/5FqU/
20:56 < pembo13> this client cant' seem to reach the network however
20:56 < pembo13> ie. they can't ping the VPN server (once connected) at 172.16.2.1
20:57 < bkah> route subnet mask in client config
20:57 < bkah> dont listen to me tho my shits broken aswell
20:58 < pembo13> bkah: what's the option/setting i need to lookup in the client.opvn file?
20:58 < bkah> "route"
20:58 < pembo13> cool
20:58 < bkah> just add it to bottom
20:58 < bkah> it will mod your windows routing table for you
20:59 < bkah> !route
20:59 < vpnHelper> bkah: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:59 < bkah> dont listen to me blindy iduno what i am doing
21:00 < pembo13> bkah: yah i'm reading
21:03 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
21:08 < bkah> muhahabridge
21:09 < krzie> oh you were bridging?
21:27 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
21:31 < pembo13> krzie: does this Windows client (with OpenVPN conneted) active routes look "right" to you? http://fpaste.org/5FqU/
21:31 < pembo13> I don't see any routes for connections back to the server
21:40 < bkah> krzie i switch to bridge mode
21:40 < bkah> but still no luck.
21:41 < bkah> if i poing a LAN ip on the otherside of the VPN i get my ip(10..fd.23r.2) destest net unreachable
21:41 < bkah> POING@!
21:54 -!- tjz [~pc@bb220-255-198-56.singnet.com.sg] has joined ##openvpn
21:54 -!- tjz [~pc@bb220-255-198-56.singnet.com.sg] has quit [Changing host]
21:54 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
22:15 < krzie> pembo13, not enough information
22:17 < krzie> bkah, you dont need a bridge
22:18 < bkah> Iduno i am at a wall
22:18 < bkah> heh
22:23 < jpalmer> ecrist: ping
22:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
22:30 -!- joe__ is now known as joejc
22:53 -!- aar0n [~aar0nsky@d47-69-246-113.try.wideopenwest.com] has joined ##openvpn
22:53 < aar0n> 1welcome
22:54 < aar0n> !welcome
22:54 < vpnHelper> aar0n: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
22:59 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
23:00 < aar0n> !howto
23:00 < vpnHelper> aar0n: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
23:06 < joejc> how do i get my vpn to auto reconnect, when the server connection drops it cant reconnect till i restart openvpn on the server
23:13 -!- pembo13 [~pembo13@70.94.113.230] has quit [Remote host closed the connection]
23:23 -!- bkah [~bkah@CABLE-72-53-79-88.cia.com] has quit []
23:33 -!- joejc [~joe@adsl-69-224-152-61.dsl.irvnca.pacbell.net] has quit [Read error: Connection reset by peer]
23:34 -!- joejc [~joe@adsl-69-224-152-61.dsl.irvnca.pacbell.net] has joined ##openvpn
23:40 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
23:52 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
--- Day changed Mon Jun 14 2010
00:29 -!- aar0n [~aar0nsky@d47-69-246-113.try.wideopenwest.com] has quit [Quit: Leaving]
00:30 -!- aar0n [~aar0nsky@d47-69-246-113.try.wideopenwest.com] has joined ##openvpn
00:49 -!- ayi [~vegar@fou193.telenor.ntnu.no] has joined ##openvpn
01:12 < kisom> joejc: its all in the manual, search for timeout
01:12 < kisom> would have helped, but i gotta bail :) bbl
01:18 -!- mape2k [~mape2k@p5B284BAB.dip.t-dialin.net] has joined ##openvpn
01:19 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:19 -!- mode/##openvpn [+o mattock] by ChanServ
01:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Max SendQ exceeded]
01:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
01:57 -!- onats [~onats@unaffiliated/onats] has quit [Remote host closed the connection]
02:13 -!- cj [~cjac@173-10-126-202-BusName-Washington.hfc.comcastbusiness.net] has quit [Ping timeout: 260 seconds]
02:14 -!- SmokeyD [~dolf@f12099.upc-f.chello.nl] has joined ##openvpn
02:14 -!- cj [~cjac@173-10-126-202-BusName-Washington.hfc.comcastbusiness.net] has joined ##openvpn
02:15 < SmokeyD> hey everyone, I see that I can use the openvpn gui as a service in windows with enrypted pyblic keys if I store the certificate in the ms certificatestore. But are there any docs on this?
02:15 < SmokeyD> I foudn the certificate store (I think) through Internet Explorer's internet options
02:16 < SmokeyD> but what now?
03:02 -!- cj [~cjac@173-10-126-202-BusName-Washington.hfc.comcastbusiness.net] has quit [Ping timeout: 260 seconds]
03:02 -!- alexeic [~alexc@unaffiliated/alexc] has joined ##openvpn
03:04 < alexeic> if i have the error: WARNING: potential route subnet conflict between local LAN [10.88.0.0/255.255.255.0] and remote VPN [10.88.0.0/255.255.255.0]
03:04 < alexeic>  How do i fix the conflict?
03:04 -!- cj [~cjac@173-10-126-202-BusName-Washington.hfc.comcastbusiness.net] has joined ##openvpn
03:07 < alexeic> http://pastebin.fr/8253
03:11 < nullified> anyone up to provide a bit of assistance?
03:14 < nullified> !redirect
03:14 < vpnHelper> nullified: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
03:14 < nullified> !def1
03:14 < vpnHelper> nullified: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
03:15 < nullified> !man
03:15 < vpnHelper> nullified: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
03:16 < nullified> !ipforward
03:16 < vpnHelper> nullified: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
03:16 < nullified> !winipforward
03:16 < vpnHelper> nullified: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
03:17 < nullified> !linipforward
03:17 < vpnHelper> nullified: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
03:19 < SmokeyD> alexeic: the problem is that your vpn has the ip address range 10.88.0.0 as the vpn subnet, while your local network (from which you are connecting), has the same network configured.
03:19 < SmokeyD> alexeic: because of this, you computer won't know where to send it's traffic, into the local network, or over the vpn connection
03:20 < SmokeyD> so you should either configure a different ip address range for you local network (in the router you have there) or in the openvpn server (if you have access to its config)
03:23 < nullified> i get Warning: route gateway is not reachable on any active network adapters: 10.10.10.9 
03:23 < nullified> when trying to connect from client(Vista) to server(Centos 5)
03:23 < nullified> reason for it to be going to that ip and being unreachable?
03:24 < nullified> Previously i was experiencing ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct.   [if_index=19] Route addition via IPAPI failed
03:25 < alexeic> fixed
03:25 < alexeic> i think it might have been the missing "def1" in "redirect-gateway"
03:25 < nullified> so i changed net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1
03:31 -!- alexeic [~alexc@unaffiliated/alexc] has quit [Ping timeout: 265 seconds]
03:35 < SmokeyD> !welcome
03:35 < vpnHelper> SmokeyD: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:35 < SmokeyD> is this channel logged somewherE?
03:36 < SmokeyD> I remembering answering my own question a few days ago but I forgot the answer :)
03:36 < nullified> :S
03:36 < nullified> !howto
03:36 < vpnHelper> nullified: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:46 < nullified> hrm
03:48 -!- cj [~cjac@173-10-126-202-BusName-Washington.hfc.comcastbusiness.net] has quit [Remote host closed the connection]
03:54 -!- caution [~caution@unaffiliated/caution] has joined ##openvpn
03:56 < caution> on Windows, how do I route my connection over the VPN when the current connection is on-link i.e no gateway?
03:56 < nullified> hrm
03:57 -!- SmokeyD [~dolf@f12099.upc-f.chello.nl] has left ##openvpn []
03:57 < nullified> I was just able to get my OpenVPN GUI to connect normally to my server.  However when I get that far it doesn't resolve to getting me internet connectivity... 
03:57 < Bushmills> nullified: you're redirecting your traffic through vpn server?
03:58 < caution> !welcome
03:58 < vpnHelper> caution: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:58 < caution> !redirect
03:58 < vpnHelper> caution: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
03:58 < caution> !topology
03:58 < vpnHelper> caution: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
03:58 < nullified> Bushmills: correct.  So that it would appear that i am connecting from the line that my server is at.
03:59 < Bushmills> that'S the reason. your client still tries to use your provider's resolver, and your provider disallows its use from outside its own net
03:59 < nullified> will altering how it uses the DNS fix this?
04:01 < Bushmills> you can use a public dns, a recursor on client, or a recursor on server which is used by client.
04:01 < nullified> how to use recurser on client?
04:01 < Bushmills> you install it, and tell client to use it
04:01 < nullified> k
04:02 < Bushmills> recursor on server may make sense when you have several clients
04:02 < nullified> brb
04:04 < nullified> How would you suggest I go about adding recursor on the server?
04:08 -!- SmokeyD [~dolf@f12099.upc-f.chello.nl] has joined ##openvpn
04:08 < nullified> hrm
04:09 < Bushmills> installing one? use whatever package management tools your operating system provides
04:11 < nullified> any particular one you prefer or suggest?
04:13 < Bushmills> i think  ports, portage, apt-get, aptitude, yum, pacman, yast, pkgtool  are the most commonly use package managers
04:13 < Bushmills> but which one you use depends on your system
04:14 < Bushmills> (unless you use windows, which has, to my knowledge, no such concept of a package manager)
04:15 -!- RedT0mt0m [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has joined ##openvpn
04:15 < RedT0mt0m> hi all :-)
04:16 < caution> anyone know how strictly the METRIC setting is obeyed on windows?
04:17 -!- cj [~cjac@173-10-126-202-BusName-Washington.hfc.comcastbusiness.net] has joined ##openvpn
04:19 < RedT0mt0m> hum ... it may be a silly question : to access remote lan, we have the choice between tun vpn + route + masquerade // tap vpn 
04:19 < RedT0mt0m> ?
04:22 < nullified> Bushmills: will adding push "dhcp-option DNS 8.8.8.8"
04:22 < nullified> push "dhcp-option DNS 8.8.4.4"
04:22 < nullified> fix the dns issue?
04:23 < Bushmills> nullified: depends on operating system
04:23 < nullified> Vista
04:26 < Bushmills> will probably sufficient
04:26 < SmokeyD> does anyone have any clue how safe the "ms certificate store" is? I want to store my (password protected) client key/crt in it (converted to pkcs#12) to get around the problem that the openvpnservice can't handle password protected key files, while I don't want to have an unencrypted file lying around
04:28 < SmokeyD> no wait! I have a much better idea. I am going to store the key/crt file without a password on an encrypted memorystick for which you need a proper password to unencrypt it...
04:29 -!- caution [~caution@unaffiliated/caution] has quit [Ping timeout: 240 seconds]
04:29  * Bushmills dumps SmokeyD's memory after the key was read from encrypted device to his own hard disk
04:30 < SmokeyD> Bushmills: yeah you're right. That is indeed possible. But that is only possible when the user is actively using the private key file
04:30 < SmokeyD> Bushmills: do you think the ms certificate store is safer?
04:30 < Bushmills> that is, during boot
04:31 < Bushmills> so i need to dump memory simply at boot time :D
04:31 < SmokeyD> Bushmills: the memorystick isn't connected at boot time. Only later on when the user plugs it in
04:31 < Bushmills> i don't think that anything with the letters "ms" can be called "safe"
04:32 < SmokeyD> Bushmills: I agree, that's why I said "safer" not "safe" :)
04:33 < Bushmills> when you connect at boot time, a stolen key won't do much good for who stole it, when you don't allow duplicate CNs on server
04:34 < Bushmills> only one can be connected at the same time. an attempt to use key to connect would be noticed quickly if you haven't noticed its theft before
04:34 < SmokeyD> indeed, but I don't want to connect at boot time. I want the user to actively start the vpn (for policy reasons)
04:35 < Bushmills> hm. "using as service in windows" implied to me "starting at boot"
04:35 < SmokeyD> Bushmills: no you can manually start the service
04:36 < SmokeyD> the openvpngui just starts the service (if you give the user permission to do that)
04:37 -!- cj [~cjac@173-10-126-202-BusName-Washington.hfc.comcastbusiness.net] has quit [Ping timeout: 260 seconds]
04:38 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
04:38 -!- cj [~cjac@173-10-126-202-BusName-Washington.hfc.comcastbusiness.net] has joined ##openvpn
04:39 < SmokeyD> I guess that when I store the key/cert as pkcs#12 file in the certificate store, it is stored somewhere as well on the local machine, and then it is not password protected anymore (you enter the password the first time, when importing the key, not when accessing it afterwards), so I guess you can then also find it on the local computer somehow, at least when the user is signed in and the certificate store is open
04:40 -!- takamichi [~pri@78.133.33.203] has quit [Ping timeout: 276 seconds]
04:40 -!- takamichi [~pri@174-143-208-142.static.cloud-ips.com] has joined ##openvpn
05:00 -!- takamichi [~pri@174-143-208-142.static.cloud-ips.com] has quit [Ping timeout: 258 seconds]
05:01 -!- takamichi [~pri@78.133.33.203] has joined ##openvpn
05:10 -!- takamichi [~pri@78.133.33.203] has quit [Ping timeout: 252 seconds]
05:11 -!- takamichi [~pri@78.133.33.203] has joined ##openvpn
05:17 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:25 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
05:33 < nullified> I am getting
05:33 < nullified> PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route 10.10.10.1,topology net30,ping 10,ping-restart 120,ifconfig 10.10.10.10 10.10.10.9'
05:33 < nullified> Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:3: topology (2.0.9)
05:33 < nullified> anyone know what the deal is with that?
05:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
06:06 -!- blueboxthief [~None_of_y@86-45-83-157-dynamic.b-ras2.srl.dublin.eircom.net] has joined ##openvpn
06:31 -!- SmokeyD [~dolf@f12099.upc-f.chello.nl] has left ##openvpn []
06:37 -!- takamichi [~pri@78.133.33.203] has quit [Ping timeout: 252 seconds]
06:38 -!- takamichi [~pri@dyn-109-169-25-83.connexionplus.com] has joined ##openvpn
07:02 -!- takamichi [~pri@dyn-109-169-25-83.connexionplus.com] has quit [Ping timeout: 240 seconds]
07:02 -!- takamichi [~pri@78.133.33.203] has joined ##openvpn
07:11 -!- zero-__ is now known as zero-
07:12 -!- zero- is now known as _zero_
07:19 -!- TDJACR [~TDJACR@unaffiliated/tdjacr] has quit [Ping timeout: 265 seconds]
07:22 -!- stein0 [~stein@mail.vgnett.no] has quit [Ping timeout: 276 seconds]
07:29 -!- stein0 [~stein@mail.vgnett.no] has joined ##openvpn
07:31 -!- STF_ [~chatzilla@dslb-084-061-148-223.pools.arcor-ip.net] has joined ##openvpn
07:32 -!- STF_ is now known as STF
07:50 -!- TDJACR [~TDJACR@unaffiliated/tdjacr] has joined ##openvpn
07:56 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has quit [Ping timeout: 240 seconds]
08:01 < krzie> nullified, 
08:01 < krzie> to fix your problem, make sure all clients are 2.1.1
08:13 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
08:14 < ecrist> hey, krzie
08:15 < krzie> hey!
08:16 < krzie> hows the baby crist?
08:17 < ecrist> she is still a baby.
08:17 < ecrist> more awesome every day.
08:17 < ecrist> she's going to have a temper, I think.
08:18 < krzie> =]
08:18 < krzie> right, you mentioned she was female ;]
08:20 < ecrist> heh
08:22 -!- killown [~killown@unaffiliated/killown] has quit [Ping timeout: 265 seconds]
08:22 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
08:23 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
08:23 -!- Irssi: ##openvpn: Total of 88 nicks [3 ops, 0 halfops, 0 voices, 85 normal]
08:46 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
08:48 -!- pielgrzym [~pielgrzym@1str003.multi-play.net.pl] has joined ##openvpn
08:48 < pielgrzym> hi there
08:49 < pielgrzym> I'm not sure about one thing: if I generate keys with easy-rsa scripts in /usr/share/openvpn/easy-rsa, I need to copy them to /etc/openvpn to work? I mean the client keys of course :)
08:49 < ecrist> no
08:52 < pielgrzym> but when I revoke them I *need* to copy the crl.pem to /etc/openvpn and add corresponding line to my config (crl-verify crl.pem), right? otherwise keys will still work?
08:52 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
08:56 < ecrist> you need to keep the signing request, iirc
08:57 < ecrist> you could use ssl-admin, and let it manage that stuff for you.
08:57 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 264 seconds]
09:00 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
09:01 -!- tjz_ [~pc@bb220-255-198-56.singnet.com.sg] has joined ##openvpn
09:04 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 264 seconds]
09:05 < nullified> i keep getting "Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: topology (2.0.9)" 
09:05 < nullified> when i connect through my client
09:05 < nullified> i dont see anything about the topology in either config
09:05 < nullified> ;\
09:14 -!- notbrien [~notbrien@208.82.13.214] has joined ##openvpn
09:15 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Remote host closed the connection]
09:16 -!- runa_ [~runa@200.123.168.9] has joined ##openvpn
09:16 < runa_> heyas. I used easy-rsa to generate a client key but the .crt file is empty. Any hints?
09:17 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
09:20 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
--- Log closed Mon Jun 14 09:24:00 2010
--- Log opened Fri Jun 25 19:14:33 2010
19:14 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
19:14 -!- Irssi: ##openvpn: Total of 88 nicks [2 ops, 0 halfops, 0 voices, 86 normal]
19:15 -!- Irssi: Join to ##openvpn was synced in 32 secs
19:15 < ecrist> stupid storms
19:27 -!- APTX_ [~APTX@phpBB/developer/APTX] has joined ##openvpn
19:28 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
19:40 -!- APTX_ is now known as APTX
19:44 < kisom> heyy guys
19:44 < kisom> im drunk as fuck
19:44 < kisom> trying to get mu alcohole level down so i can sleep
19:59 -!- tjz [~pc@bb116-14-142-7.singnet.com.sg] has joined ##openvpn
19:59 -!- tjz [~pc@bb116-14-142-7.singnet.com.sg] has quit [Changing host]
19:59 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
23:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
23:38 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
23:43 -!- snwbrdr [~xxx@85-142-54-74.well-com.net] has quit [Quit: Leaving.]
--- Day changed Sat Jun 26 2010
00:16 -!- nickanderson1 [~cmdln@adsl-99-154-106-234.dsl.tpkaks.sbcglobal.net] has joined ##openvpn
00:16 < nickanderson1> Hello
00:19 < ecrist> hello
00:19 < ecrist> Topeka, KS?
00:33 < nickanderson1> google ks
00:33 < nickanderson1> lol
00:33 < nickanderson1> no im in lawrence, rock chalk jay hawk go ku
00:34 < nickanderson1> I need some help with routing from a vpn client to another vpn clients network (the other client is acting as a site to site)
00:36 < nickanderson1> From either side of the site to site accessing the other side is working. Vpn clients can access the lan of the server, but cannot access the an of the vpn client thats acting as a site to site
00:36 < nickanderson1> The traceroute seems to die at the ip (vpn dhcp ip) of the vpn client acting as a the site to site 
00:45 < ecrist> hrm
00:46 < nickanderson1> yeh hrm
00:46 < nickanderson1> thats what ive been sayin
00:46 < ecrist> lol
00:46 < ecrist> !iroute
00:47  * ecrist restarts vpnHelper
00:49 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
00:49 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
00:49 < ecrist> !iroute
00:49 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
00:49 < ecrist> nickanderson1: see that
00:50 < nickanderson1> hurm
00:51 < nickanderson1> access server did most of the heavy lifting
00:51 < nickanderson1> :P
00:51 < nickanderson1> i need to go look and see what kind of configs it generated
00:51 < ecrist> nickanderson1: we cannot support AS yet
00:51 < nickanderson1> ?
00:51 < nickanderson1> whys that
00:51 < ecrist> we were given keys to 'help' support it, but it doesn't support freebsd, which many of the key folks in here use.
00:52 < ecrist> access server is proprietary
00:52 < nickanderson1> ah i c
00:52 < nickanderson1> access server dosnt just wrap openvpn?
00:52 < ecrist> while the openvpn core folks know we're here, we're not a part of the company
00:52 < ecrist> not so directly.
00:52 < nickanderson1> right i know that
00:52 < nickanderson1> not part of the company
00:52 < ecrist> it works natively with openvpn clients.
00:53 < nickanderson1> hum
00:53 < nickanderson1> i thought it was just a web gui that wrapped the config and would shove in routs as needed
00:53 < nickanderson1> s/wrapped/generated/
00:54 < ecrist> nope
00:54 < nickanderson1> well suck
00:54 < ecrist> regardless, you need to specify iroutes
00:56 < nickanderson1> ccd/client file?
00:57 < nickanderson1> the client ovpn config file?
00:58 < nickanderson1> oh i see the part in the wiki i missed
00:58 < nickanderson1> hurm
00:58 < nickanderson1> damnit, i thought AS was going to make my life easier
00:58 < nickanderson1> wel i suppose it did for the first part
00:59 < nickanderson1> im kinda not happy about the fact it isnt just a wrapper for plain old openvpn though
01:06 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 248 seconds]
01:11 < ecrist> nickanderson1: a lot of folks aren't
01:11 < ecrist> that being said, a company needs to be profitable somehow
01:14 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
01:18 < nickanderson1> Of course they do
01:19 < nickanderson1> but I would have paid just the same for the nice frontend
01:19 < nickanderson1> the licensing is so reasonable it dosnt take much convincing
01:19 < nickanderson1> I only found AS a couple months ago, and ive already talked two different people into buying 10 packs
01:20 < nickanderson1> not that its much
01:20 < nickanderson1> but how do i do an iroute when its not standard ovpn :)
01:20 < nickanderson1> i suppose i could give the site to site static addresses on a different subnet
01:21 < nickanderson1> that seems like it would solve that issue
01:21 < nickanderson1> or no
01:22 < nickanderson1> nop still need an iroute i think
01:23 -!- snwbrdr [~xxx@82.114.127.52] has joined ##openvpn
01:27 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
01:30 -!- snwbrdr [~xxx@82.114.127.52] has quit [Ping timeout: 240 seconds]
01:30 -!- snwbrdr [~xxx@82.114.127.52] has joined ##openvpn
01:31 -!- killown [~killown@unaffiliated/killown] has quit [Client Quit]
01:31 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
01:34 -!- snwbrdr [~xxx@82.114.127.52] has quit [Ping timeout: 260 seconds]
01:41 < krzee> [01:51]  <ecrist> we were given keys to 'help' support it, but it doesn't support freebsd, which many of the key folks in here use.
01:41 < krzee> actually no bro
01:42 < krzee> they dont want us supporting it even after we learn it, they have professional support
01:42 < krzee> thats part of what is paid for when using AS
01:42 < krzee> we just !AS and point them to the real support
01:42 < krzee> we were given keys to provide feedback we may have =]
01:43 < krzee> but ya, i still havnt loaded up linux/windows VMs to play with it either... im osx/freebsd
01:43 < krzee> so nick
01:43 < krzee> !AS
01:43 < vpnHelper> krzee: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
01:43 < vpnHelper> krzee: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
01:43 < krzee> ^ @ nickanderson1
01:43 < krzee> see #4
01:44 < krzee> if you were using open source, the problem could be a missing iroute, missing push route, or missing route on the lan gateway
01:44 < krzee> is AS understands your setup enough to have the openvpn side right, you would want:
01:45 < krzee> !factoids search outside
01:45 < vpnHelper> krzee: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
01:45 < krzee> but i wouldnt know, so go use the professional support you paid for =]
01:51 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has quit [Ping timeout: 240 seconds]
01:51 < nickanderson1> thanks
01:52 < nickanderson1> hadnt thoguht of using that support channel, typically head to freenode for most things right after some googling
01:56 < krzee> np
02:08 < kisom> morning
02:09 < krzee> moin
02:10 < krzee> hangover?
02:15 -!- vatts [bouncer@unaffiliated/vatts] has left ##openvpn ["I dropped my mouse and it accidently hit ALT and F4"]
02:39 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
02:54 -!- xargs [~xargs@69.73.167.236] has left ##openvpn []
03:36 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 276 seconds]
03:37 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@65.41.216.18] has joined ##openvpn
03:39 -!- n0sq [~quassel@65.41.216.18] has quit [Read error: Connection reset by peer]
03:39 -!- snwbrdr [~xxx@82.114.127.52] has joined ##openvpn
03:52 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
03:58 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has joined ##openvpn
04:03 -!- Rolybrau [~Rolybrau@53-158.78-83.cust.bluewin.ch] has joined ##openvpn
04:03 -!- Rolybrau [~Rolybrau@53-158.78-83.cust.bluewin.ch] has quit [Changing host]
04:03 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
04:07 -!- n0sq_ [~quassel@65.41.216.18] has quit [Quit: No Ping reply in 90 seconds.]
04:08 -!- n0sq [~quassel@65.41.216.18] has joined ##openvpn
04:12 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
04:17 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
04:19 -!- snwbrdr [~xxx@82.114.127.52] has quit [Ping timeout: 265 seconds]
04:25 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
04:31 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 276 seconds]
04:34 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
05:36 -!- trash [~trash@dump.databerlin.org] has left ##openvpn []
05:39 -!- creack [~creack@gemercom.com] has quit [Ping timeout: 260 seconds]
05:40 -!- creack [~creack@gemercom.com] has joined ##openvpn
05:41 -!- snwbrdr [~xxx@85-142-54-74.well-com.net] has joined ##openvpn
06:05 -!- snwbrdr [~xxx@85-142-54-74.well-com.net] has quit [Ping timeout: 265 seconds]
06:50 -!- smerz [~smerz@smerz.demon.nl] has quit [Remote host closed the connection]
07:13 -!- fbh_ [fbh@193.88.14.101] has joined ##openvpn
07:14 -!- fbh [fbh@193.88.14.101] has quit [Ping timeout: 248 seconds]
07:20 -!- Netsplit *.net <-> *.split quits: Sp4rKy, Chosi
07:25 -!- Netsplit over, joins: Chosi, Sp4rKy
08:00 -!- snwbrdr [~xxx@85-142-54-74.well-com.net] has joined ##openvpn
08:22 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
08:36 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:48 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
09:52 -!- snwbrdr [~xxx@85-142-54-74.well-com.net] has left ##openvpn []
10:01 -!- nickanderson1 [~cmdln@adsl-99-154-106-234.dsl.tpkaks.sbcglobal.net] has quit [Ping timeout: 240 seconds]
10:03 < Bushmills> alcohol probe lockout in place :)
10:16 -!- nickanderson [~cmdln@17.29.124.24.cm.sunflower.com] has joined ##openvpn
10:38 -!- sivel [sivel@freenode/staff/sivel] has joined ##openvpn
10:53 < sivel> howdy, I just installed openvpn and for some reason cannot ping the server after establishing the vpn connection.  with verb 5 I see a lot of rw and RW.
10:53 < sivel> Here are the confs, logs and routes
10:53 < sivel> Server Conf: http://sivel.pastebin.com/mwHtACkV   Client Conf: http://sivel.pastebin.com/s4py4P8N   Server Log: http://sivel.pastebin.com/fqrcE7jm   Client Log: http://sivel.pastebin.com/0Aw1wNjL   Routes: http://sivel.pastebin.com/3hKHhNF1
11:01 -!- rawDawg2 [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
11:02 -!- vegar_ [~vegar@145.227.16.62.customer.cdi.no] has joined ##openvpn
11:02 -!- vegar_ is now known as ayi
11:03 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Ping timeout: 240 seconds]
11:04 < ayi> are there any books or documentation which gives an insight on how openvpn works internally?
11:09 < sivel> ok, strange.  I fixed my problem by restarting networking while openvpn was running.  perhaps there is something wrong with my up.sh script, but the routing tables look identical before and after
11:15 < Bushmills> sivel: if you're really connected, then t server blocks vpn net traffic.  check firewall
12:51 -!- BobbyWinston [~Candix@car06-2-82-236-31-134.fbx.proxad.net] has joined ##openvpn
12:51 < BobbyWinston> Hello
12:51 < BobbyWinston> !welcome
12:51 < vpnHelper> BobbyWinston: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:51 < BobbyWinston> !redirect
12:51 < vpnHelper> BobbyWinston: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:52 < BobbyWinston> !def1
12:52 < vpnHelper> BobbyWinston: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
12:52 < BobbyWinston> !man
12:52 < vpnHelper> BobbyWinston: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
12:53 < BobbyWinston> !ipforward
12:53 < vpnHelper> BobbyWinston: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
12:53 < BobbyWinston> !linipforward
12:53 < vpnHelper> BobbyWinston: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
12:58 -!- Candiix [~Candix@car06-2-82-236-31-134.fbx.proxad.net] has joined ##openvpn
12:58 < Candiix> Okay
12:59 -!- Candiix is now known as BobbyWinston`
12:59 -!- BobbyWinston [~Candix@car06-2-82-236-31-134.fbx.proxad.net] has quit [Read error: Connection reset by peer]
12:59 -!- BobbyWinston` is now known as BobbyWinston
13:00 < BobbyWinston> Someone's there ?
13:01 -!- ayi_ [~vegar@145.227.16.62.customer.cdi.no] has joined ##openvpn
13:05 -!- ayi [~vegar@145.227.16.62.customer.cdi.no] has quit [Ping timeout: 260 seconds]
13:05 -!- BobbyWinston [~Candix@car06-2-82-236-31-134.fbx.proxad.net] has quit [Read error: Connection reset by peer]
13:07 < kisom> online pizza is the shit ;)
13:11 -!- joejc [~joe@adsl-69-224-152-61.dsl.irvnca.pacbell.net] has quit [Remote host closed the connection]
13:32 < krzee> JJK's openvpn 2 cookbook is gunna be sweet
13:39 -!- kish [~o2@unaffiliated/spice] has joined ##openvpn
13:40 < kish> tunnel seems to add 500ms to every packet
13:40 < kish> watch this
13:40 < kish> 64 bytes from 10.4.0.1: icmp_seq=1 ttl=64 time=1.19 ms
13:40 < kish> thats the tun
13:40 < kish> 64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.495 ms
13:40 < kish> that is the clear chan
13:41 < kish> 0.5ms
13:41 < kish> not 500
13:45 -!- demiurgen [~demiurgen@nl103-154-253.student.uu.se] has joined ##openvpn
13:54 < mgolisch> is there any frontends that can use the management interface yet?
13:54 < mgolisch> like for inputting userauth data when started from the servicewrapper on windows?
13:55 < mgolisch> desperately in search for a way to run openvpnclient on vista/win7 without giving my users admin
13:57 -!- orion [orion@unaffiliated/orion] has joined ##openvpn
13:59 < orion> Hi. Why do people make such a big deal out of client-cert-not-required, when the security provided by auth-user-pass-verify is exactly the same as most other secure services people use?
14:08 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
14:13 < mgolisch> orion: no idea
14:15 < mgolisch> hm
14:15 < mgolisch> i wonder why no one else than me seems to want to run openvpn as non admin users :(
14:16 < |Mike|> why would you want that?
14:17 < mgolisch> its our security policy, no user gets admin accounts
14:17 < mgolisch> so they cant install junk or change stuff
14:18 < |Mike|> basicly you have to create a tap or tun device on the windows machine
14:18 < |Mike|> and you don't want your users dong that :P
14:18 < |Mike|> *doing
14:23 < mgolisch> it was easy on xp there was a networkconfiguration user group but that doesnt work no more on vista/win7
14:23 < mgolisch> :(
14:25 < mgolisch> it would work using the service wrapper but unfortunatly the firewal appliance we are using doesnt seem to support authentiation using only client certificates
14:25 < mgolisch> so userauth doesnt work using the service wrapper
14:27 < |Mike|> that sucks big time
14:28 < |Mike|> who designed that netwrok? :s
14:30 < mgolisch> also i wonder why the servicewrapper cant start individual connections
14:37 < mgolisch> is there any work planed for an improved service wrapper?
14:39 < mgolisch> like one that would allow a frontend to start/stop individual connections?
14:46 < |Mike|> no idea.
14:54 < mgolisch> !win_noadmin 
14:54 < vpnHelper> mgolisch: "win_noadmin" is (#1) http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows, or (#2) and http://article.gmane.org/gmane.network.openvpn.user/24873 for vista
15:02 < krzie> mgolisch, i attend the dev meetings every week, i have heard nothing of ideas to work on the wrapper
15:02 < krzie> also, no OS allows automated startup of a vpn with the features you are talking about
15:02 < krzie> its basically, code it or work around it
15:03 < krzie> oh and if the problem is you need PW auth
15:03 < krzie> !pwfile
15:03 < vpnHelper> krzie: "pwfile" is (#1) OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h, or (#2) see --auth-user-pass in the manual (!man) for more info
15:14 < mgolisch> thx will look into that
15:18 < mgolisch> also that manifest thing looks promising
15:18 < mgolisch> never saw that before
15:18 < mgolisch> guess i didnt look hard enough
15:40 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has quit [Read error: Connection reset by peer]
15:53 -!- sivel [sivel@freenode/staff/sivel] has left ##openvpn []
16:30 < krzie> glad to help =]
16:45 -!- kish [~o2@unaffiliated/spice] has quit [Ping timeout: 260 seconds]
16:52 -!- fbh_ is now known as fbh
17:03 -!- |Mike| [mike@2001:1af8:2:444::2] has quit [Read error: Connection reset by peer]
17:04 -!- |Mike| [mike@2001:1af8:2:444::2] has joined ##openvpn
17:19 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
17:21 -!- krzee [nobody@unaffiliated/krzee] has quit [Client Quit]
17:37 -!- qfr [void@unaffiliated/yw] has joined ##openvpn
17:38 < qfr> I run several OpenVPN tun devices on this box with different subnets etc
17:38 < qfr> I use one of those for IPv4 forwarding
17:39 < qfr> I want IPv4 forwarding to be disabled on another net though
17:39 < qfr> What do I need to achieve this?
17:39 < qfr> Just iptables rules?
17:41 -!- nickanderson [~cmdln@17.29.124.24.cm.sunflower.com] has quit [Ping timeout: 260 seconds]
17:44 < Bushmills> or, no iptables rules
17:44 < Bushmills> you need rules for those subnets which you want to forward
17:44 < Bushmills> i.e. you don't disable, but enable by using iptables
17:45 < Bushmills> just enable selectively
17:46 < krzie> isnt that still iptables rules...?
17:46 < krzie> qfr, yes, thats handled in the firewall
17:47 < qfr> Ah ok Bushmills
17:47 < qfr> I only added -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE for the original forwarding
17:48 < Bushmills> -s  does that selection
17:49 < qfr> comp-lzo on or comp-lzo off for ~20 Mbit/s transfers?
17:49 < qfr> We were having problems with TCP getting throttled heavily somehow
17:49 < qfr> On a high RTT connection
17:49 < qfr> Trying to run it through OpenVPN now to gain speed somehow :<
17:49 < krzie> you are tunneling over TCP?
17:49 < krzie> !tcp
17:49 < qfr> Nope
17:49 < vpnHelper> krzie: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
17:49 < qfr> TCP through UDP
17:49 < krzie> oh ok, i misunderstood then
17:50 < krzie> checked the mtu?
17:50 < krzie> !mtu
17:50 < vpnHelper> krzie: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
17:50 < qfr> He has a 20 Mbit/s line but TCP transfers are only 30-50 KiB/s per TCP thread atm :[ (without any OpenVPN)
17:50 < qfr> When we run iperf with UDP I can push 18 Mbit/s to him just fine
17:50 < qfr> Western US <-> Europe
17:51 < qfr> Some hop between him and me is probably TCP throttling us somehow
17:54 -!- katoen [83ec6e0e75@xs8.xs4all.nl] has joined ##openvpn
17:56 < qfr> Hahahaha it works :D
17:56 < qfr> Getting about 4-6 times the speed with OpenVPN :D
17:56 < katoen> when i try to connect to a hostname rather than a IP provided by openvpn, connections are very slow. I can't figure out how DNS could play a role here?
17:56 < qfr> Circumventing ISP TCP throttling with OpenVPN (TM)
18:01 -!- nickanderson [~cmdln@adsl-99-154-106-234.dsl.tpkaks.sbcglobal.net] has joined ##openvpn
18:08 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
18:12 -!- n0sq [~quassel@65.41.216.18] has quit [Quit: No Ping reply in 90 seconds.]
18:14 -!- n0sq [~quassel@65.41.216.18] has joined ##openvpn
18:24 -!- RichiH [~richih@freenode/staff/richih] has left ##openvpn []
18:49 -!- qfr [void@unaffiliated/yw] has quit [Read error: Connection reset by peer]
19:11 < krzie> hah thats a first
19:11 < krzie> normally i see people complaining about speed with openvpn
19:11 < krzie> he was complaining about the speed WITHOUT it, and used openvpn to fix it
19:21 < Bushmills> katoen: probably
19:21 < Bushmills> assuming "connections" means "time to connect"
19:22 < Bushmills> i reckon, first name server in resolv.conf can't be connected to, times out, then next server is tried.
19:31 -!- qfr [void@91.121.18.93] has joined ##openvpn
19:31 -!- qfr [void@91.121.18.93] has quit [Changing host]
19:31 -!- qfr [void@unaffiliated/yw] has joined ##openvpn
19:49 -!- n0sq [~quassel@65.41.216.18] has quit [Remote host closed the connection]
19:50 -!- n0sq [~quassel@65.41.216.18] has joined ##openvpn
19:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
19:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
20:28 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
20:46 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
21:28 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has joined ##openvpn
21:30 -!- tjz [~pc@bb116-14-142-7.singnet.com.sg] has joined ##openvpn
21:30 -!- tjz [~pc@bb116-14-142-7.singnet.com.sg] has quit [Changing host]
21:30 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
21:31 < tjz> anyone used folded bicycle and cycle to work?
21:47 -!- qfr [void@unaffiliated/yw] has left ##openvpn []
21:51 < Bushmills> no, never in folded state
22:00 < tjz> Hello bushmills.. :D
22:06 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
23:15 -!- smerz [~smerz@smerz.demon.nl] has quit [Remote host closed the connection]
23:19 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
23:49 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Ping timeout: 264 seconds]
23:56 < theDoc> !factoids
23:56 < vpnHelper> theDoc: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
23:58 -!- SeveredCross [~SeveredCr@about/csharp/regular/severedcross] has joined ##openvpn
23:59 < SeveredCross> Hey folks, can OpenVPN be set up to route packets from the VPN to machines on the server's LAN?
23:59 < SeveredCross> Long story short, I want to make LAN machines acessible to anyone on the VPN.
--- Day changed Sun Jun 27 2010
00:01 < theDoc> Sure.
00:03 < SeveredCross> Excellent. Is it as simple as a few configuration stanzas to send the right routes and some iptables rules?
00:05 < theDoc> Pretty much.
00:05 < theDoc> Just make sure that your routing tables are correct and the right routes are pushed to your clients.
00:06 < theDoc> I'm wondering if chaining vpn servers are going to solve this problem of mine.
00:16 < SeveredCross> Excellent, thanks dude.
00:37 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
00:57 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
01:00 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
01:12 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
02:21 -!- ayi_ [~vegar@145.227.16.62.customer.cdi.no] has quit [Ping timeout: 260 seconds]
03:38 -!- n0sq_ [~quassel@65.41.216.18] has joined ##openvpn
03:39 -!- n0sq [~quassel@65.41.216.18] has quit [Read error: Connection reset by peer]
03:56 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has quit [Ping timeout: 240 seconds]
03:56 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
05:12 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
05:49 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has joined ##openvpn
05:52 -!- pasky [pasky@nikam-dmz.ms.mff.cuni.cz] has left ##openvpn []
06:06 -!- ayi [~vegar@145.227.16.62.customer.cdi.no] has joined ##openvpn
06:19 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 265 seconds]
06:24 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 276 seconds]
06:33 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:05 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
07:13 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:31 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
07:32 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
07:50 -!- rawDawg2 [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
08:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 252 seconds]
08:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:17 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has quit [Ping timeout: 276 seconds]
08:41 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
08:42 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
08:55 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
09:04 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has joined ##openvpn
09:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:13 -!- smerz [~smerz@smerz.demon.nl] has quit [Remote host closed the connection]
09:55 -!- redfox is now known as Guest32818
10:32 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
11:19 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has quit [Ping timeout: 245 seconds]
11:48 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
12:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:14 -!- roentgen_ [~hart@miranda/user/roentgen] has joined ##openvpn
12:20 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has joined ##openvpn
12:22 -!- Knoxville_ [~Knox@c-75-73-224-97.hsd1.mn.comcast.net] has joined ##openvpn
12:22 -!- kish [~o2@unaffiliated/spice] has joined ##openvpn
12:22 < Knoxville_> can open vpn be setup in a mesh infrastructure?
12:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
12:35 -!- demiurgen [~demiurgen@nl103-154-253.student.uu.se] has left ##openvpn []
12:44 -!- Guest32818 is now known as redfox
12:45 < ayi> Knoxville_: you could probably set up a static mesh in a bridge configuration. Dynamic mesh, not so sure
12:46 < ayi> I recently discovered having two iroute's/tunnels to one subnet does not work very well
12:46 < ayi> it seems the latest to connect overwrites the previous
12:48 < ayi> i.e it always uses the last link instead of load balancing when in a routed configuration
12:48 < ayi> I would love to be proven wrong though
13:02 -!- King_of_Metal [~thiago@200-180-168-231.paemt705.dsl.brasiltelecom.net.br] has joined ##openvpn
13:13 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:16 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
13:21 -!- Knoxville_ [~Knox@c-75-73-224-97.hsd1.mn.comcast.net] has left ##openvpn []
13:34 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
13:34 -!- killown [~killown@unaffiliated/killown] has quit [Read error: Connection reset by peer]
13:42 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
13:44 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
13:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
13:51 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has quit [Read error: Connection reset by peer]
13:54 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
14:18 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has joined ##openvpn
14:21 -!- n0sq_ [~quassel@65.41.216.18] has quit [Quit: No Ping reply in 90 seconds.]
14:23 -!- n0sq [~quassel@65.41.216.18] has joined ##openvpn
14:24 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
14:35 -!- King_of_Metal [~thiago@200-180-168-231.paemt705.dsl.brasiltelecom.net.br] has quit [Ping timeout: 245 seconds]
14:42 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
14:45 -!- invisibleman [~theinvisi@74.214.185.91] has joined ##openvpn
14:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
15:04 -!- King_of_Metal [~thiago@201.47.227.188] has joined ##openvpn
15:18 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
15:20 -!- SkyX [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
15:25 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 276 seconds]
15:28 -!- SkyX [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
15:31 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
15:31 -!- Abhishek_SIngh [~Abhishek@220.225.244.114] has quit [Ping timeout: 264 seconds]
15:47 -!- troy- [7b5512d9ea@bgp4.us] has joined ##openvpn
15:48 < troy-> how can i tell openvpn to run a script after its brought up a tunnel on startup?
15:48 -!- killown [~killown@unaffiliated/killown] has quit [Changing host]
15:48 -!- killown [~killown@unaffiliated/geek] has joined ##openvpn
15:48 -!- killown is now known as geek
16:16 < krzie> !factoids search script
16:16 < vpnHelper> krzie: '2.1-winpass-script', 'winscript', and 'script'
16:16 < krzie> !script
16:16 < vpnHelper> krzie: "script" is see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn
16:26 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
16:31 -!- DrPepper [~DrPepper@88.207.194.0] has joined ##openvpn
16:35 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
16:44 -!- roentgen_ [~hart@miranda/user/roentgen] has quit [Remote host closed the connection]
17:03 -!- roentgen_ [~hart@miranda/user/roentgen] has joined ##openvpn
17:29 -!- invisibleman [~theinvisi@74.214.185.91] has quit [Ping timeout: 265 seconds]
17:40 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
17:43 -!- SkyX [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
17:56 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
17:57 < troy-> krzie: around?
17:57 -!- star314 [~star314@starnet1.sinh.us] has joined ##openvpn
18:07 -!- DrPepper [~DrPepper@88.207.194.0] has quit [Quit: Leaving...]
18:17 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
18:27 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has joined ##openvpn
18:44 -!- star314 [~star314@starnet1.sinh.us] has quit [Quit: Leaving]
18:46 -!- ayi [~vegar@145.227.16.62.customer.cdi.no] has quit [Ping timeout: 240 seconds]
18:58 -!- kish [~o2@unaffiliated/spice] has quit [Ping timeout: 245 seconds]
19:00 -!- kish [~o2@unaffiliated/spice] has joined ##openvpn
19:45 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
20:55 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:58 -!- invisibleman [~theinvisi@74.214.180.115] has joined ##openvpn
21:22 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
22:19 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 248 seconds]
22:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
23:28 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:39 -!- |Mike| [mike@2001:1af8:2:444::2] has quit [Read error: Connection reset by peer]
23:39 -!- |Mike| [mike@2001:1af8:2:444::2] has joined ##openvpn
23:47 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
23:49 < krzee> mgolisch, was that you the other day talking about the windows service
--- Day changed Mon Jun 28 2010
00:13 -!- roentgen_ [~hart@miranda/user/roentgen] has quit [Ping timeout: 258 seconds]
00:25 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
00:29 -!- SkyX [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
00:32 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
00:40 -!- ayi [~vegar@145.227.16.62.customer.cdi.no] has joined ##openvpn
00:51 -!- roentgen_ [~hart@miranda/user/roentgen] has joined ##openvpn
01:02 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 264 seconds]
01:07 -!- theDoc [~jaki@173.236.41.36] has joined ##openvpn
01:10 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
01:27 -!- geek [~killown@unaffiliated/geek] has quit [Quit: Saindo]
01:31 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
01:31 -!- mode/##openvpn [+o mattock] by ChanServ
01:38 -!- Netsplit *.net <-> *.split quits: hyper_ch, julius, SkyX, circut, dazo_afk, fbh, DarthGandalf, ayi
01:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
01:49 -!- ayi [~vegar@145.227.16.62.customer.cdi.no] has joined ##openvpn
01:58 -!- SkyX [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
01:58 -!- fbh [fbh@193.88.14.101] has joined ##openvpn
01:58 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
01:58 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
01:58 -!- dazo [~dazo@nat/redhat/x-pfdongmzktsdnycy] has joined ##openvpn
01:58 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
01:59 -!- invisibleman [~theinvisi@74.214.180.115] has quit [Ping timeout: 260 seconds]
02:04 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
02:09 -!- julius [~julius@217.20.127.15] has joined ##openvpn
02:21 < dazo> mgolisch: Hey, I say your question about OpenVPN-GUI improvements ... iirc, d457k is getting his hands dirty with OpenVPN-GUI stuff
02:26 -!- theDoc [~jaki@173.236.41.36] has quit [Changing host]
02:26 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
02:36 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
02:41 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
02:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 253 seconds]
02:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:59 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Read error: Connection reset by peer]
03:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
03:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:38 -!- n0sq [~quassel@65.41.216.18] has quit [Read error: Connection reset by peer]
03:38 -!- n0sq [~quassel@65.41.216.18] has joined ##openvpn
03:59 -!- blueboxthief [~None_of_y@86-45-82-232-dynamic.b-ras2.srl.dublin.eircom.net] has joined ##openvpn
04:11 -!- Jin^eLD [~jin@belief.htu.tuwien.ac.at] has joined ##openvpn
04:13 < Jin^eLD> hi, our company network is using some fortinet vpn stuff, they gave me a binary blob of "forticlientsslvpn" which I do not want to use; is it known if openvpn would work with the fortinet vpn server? I could not find a definite answer through googling
04:14 < Jin^eLD> when try I just get Connection reset, restarting [-1] without any additional hints on what might go wrong
04:15 < theDoc> No, I do not think that both products are compatible.
04:16 < Jin^eLD> doh :( 
04:16 < Jin^eLD> thanks
04:18 < theDoc> We can't help on that but would you like a hug?
04:18 < Chosi> :D
04:18 < theDoc> :o
04:18 < theDoc> You lurkers.
04:18 < Jin^eLD> heh :)
04:19 < theDoc> I like german chicks and liquor ;p
04:19 < theDoc> Say, any of you guys from germany?
04:19 < Jin^eLD> I guess you never been to russia then ;> you'd change your mind
04:20 < theDoc> Can't say I have been to Russia, I did Estonia though.
04:20 < theDoc> I can't speak russian or german if that's of any help ;p
04:21 < Jin^eLD> I haven't been to estonia but I'd guess the chicks are still way better than in .at/.de ;>
04:21 < theDoc> Where is .at located on .world?
04:21 < Jin^eLD> .at is austria, I live there now, but originally I am from moscow
04:21 < theDoc> right.
04:22 < theDoc> .de seems to have some pretty girls and all ;p
04:22 < Jin^eLD> well, .de is better than .at
04:22 < Jin^eLD> .at is really bad in that regard
04:22 < theDoc> I don't know, I think of Russian mail order brides each time I look at Russian females.
04:22 < Jin^eLD> :)
04:23 < theDoc> It must be my age catching up with me.
04:23 < Jin^eLD> how old are you?
04:23 < theDoc> 24.
04:23 < Jin^eLD> lol, and you talk about age? :>
04:23 < theDoc> lol
04:24 < theDoc> Funny ;p
04:25 < Jin^eLD> wait till you get over 30, then the "catching up" becomes really bad ;>
04:26 < theDoc> Sounds like you're there already!
04:26  * theDoc is dealing with a german company or something.
04:26 < Jin^eLD> yes.. unfortunately ;> first hard blow was to pass the 20 line, and then 30... I hate getting older 
04:26 < theDoc> Soon it'll be 40!
04:27 < theDoc> That would be the real fml.
04:53 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
04:53 -!- Jin^eLD [~jin@belief.htu.tuwien.ac.at] has left ##openvpn []
04:57 -!- UnterPerro [~UnterPerr@66.116.112.8] has joined ##openvpn
04:59 -!- UnterPerro [~UnterPerr@66.116.112.8] has quit [Client Quit]
05:00 -!- UnterPerro [~UnterPerr@66.116.112.8] has joined ##openvpn
05:03 -!- Abhishek_SIngh [~Abhishek@210.212.20.75] has quit [Remote host closed the connection]
05:09 -!- UnterPerro [~UnterPerr@66.116.112.8] has quit [Quit: UnterPerro lives to save another day]
05:10 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
05:15 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:34 < kisom> theneb_: try .se
05:42 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
05:46 -!- SkyX [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
05:49 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
05:51 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
05:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
06:14 -!- roentgen_ [~hart@miranda/user/roentgen] has quit [Quit: Konversation terminated!]
06:14 -!- roentgen_ [~hart@miranda/user/roentgen] has joined ##openvpn
06:15 -!- SkyX [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
06:16 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:19 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
06:28 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit [Ping timeout: 252 seconds]
06:55 < kish> i'm doing it like the southpark creators
06:55 < kish> the one who said he's instructed his family to shoot him in the head when he hits 30
07:09 -!- mgolisch [~michi@85.93.11.18] has left ##openvpn []
07:19 -!- JackCorleone [~Jack@187.11.184.68] has joined ##openvpn
07:26 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 265 seconds]
07:44 -!- SkyX [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
08:05 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
08:06 -!- nickanderson [~cmdln@adsl-99-154-106-234.dsl.tpkaks.sbcglobal.net] has quit [Quit: Leaving.]
08:16 -!- roentgen_ [~hart@miranda/user/roentgen] has quit [Remote host closed the connection]
08:25 -!- nickanderson [~cmdln@17.29.124.24.cm.sunflower.com] has joined ##openvpn
08:27 -!- nickanderson [~cmdln@17.29.124.24.cm.sunflower.com] has left ##openvpn []
08:52 -!- Anthro [~kzjdfhfvd@c-68-50-227-86.hsd1.md.comcast.net] has joined ##openvpn
08:54 < Anthro> Some time ago someone pointed me to a very good explanation of why OpenVPN over TCP was undesirable, having to do with TCP connections running over the VPN and not understanding underlying congestion. I've lost that link, unfortunately. Would someone point me to it again, please?
08:54 < dazo> !tcp
08:54 < vpnHelper> dazo: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
08:54 < dazo> Anthro: ^^
08:55 < Anthro> dazo: That's it, thanks!
08:55 -!- Anthro [~kzjdfhfvd@c-68-50-227-86.hsd1.md.comcast.net] has left ##openvpn []
09:16 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:29 -!- Resist0r [~mrresist0@p7132-ipbfp404yamaguchi.yamaguchi.ocn.ne.jp] has joined ##openvpn
09:36 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
09:36 -!- mode/##openvpn [+o mattock] by ChanServ
09:37 < ecrist> ping krzee
09:48 -!- JackCorleone [~Jack@187.11.184.68] has quit [Quit: Saindo]
09:58 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Ping timeout: 276 seconds]
10:05 -!- n0sq [~quassel@65.41.216.18] has quit [Ping timeout: 265 seconds]
10:10 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:12 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
10:21 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
10:23 -!- mape2k [~mape2k@p5B280803.dip0.t-ipconnect.de] has joined ##openvpn
10:30 -!- mape2k [~mape2k@p5B280803.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds]
10:36 -!- dazo is now known as dazo_afk
10:44 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
10:46 -!- star314 [~star314@starnet1.sinh.us] has joined ##openvpn
10:55 -!- star314 [~star314@starnet1.sinh.us] has quit [Ping timeout: 265 seconds]
10:56 -!- Psi-Jack [psi-jack@about/linux/staff/psi-jack] has joined ##openvpn
10:56 < Psi-Jack> !welcome
10:56 < vpnHelper> Psi-Jack: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:57 < Psi-Jack> !redirect
10:57 < vpnHelper> Psi-Jack: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
10:57 < Psi-Jack> !def1
10:57 < vpnHelper> Psi-Jack: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
10:59 -!- Sp4rKy [~Sp4rKy@freenode/sponsor/sp4rky] has left ##openvpn []
11:01 < Psi-Jack> Curious. Does the order of options in the server.conf matter?
11:11 -!- macsppadic [~sonupunno@88.211.55.77] has left ##openvpn []
11:20 -!- King_of_Metal [~thiago@201.47.227.188] has quit [Quit: Leaving]
11:22 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Ping timeout: 276 seconds]
11:39 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has joined ##openvpn
11:42 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Max SendQ exceeded]
11:43 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined ##openvpn
11:48 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:50 -!- SkyX [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:52 -!- kisom [~kisom@c-f9dde155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Remote host closed the connection]
11:54 -!- Sky[xx] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:54 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
11:56 -!- SkyX [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
11:56 -!- kisom [~kisom@c-f9dde155.648-1-64736c11.cust.bredbandsbolaget.se] has joined ##openvpn
12:19 -!- sppadicus [~IceChat7@87.114.107.109.plusnet.thn-ag2.dyn.plus.net] has joined ##openvpn
12:21 -!- sppadicus [~IceChat7@87.114.107.109.plusnet.thn-ag2.dyn.plus.net] has left ##openvpn []
12:23 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
12:23 -!- blueboxthief [~None_of_y@86-45-82-232-dynamic.b-ras2.srl.dublin.eircom.net] has quit [Quit: Leaving.]
12:39 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
12:41 -!- blueboxthief [~None_of_y@86-45-82-232-dynamic.b-ras2.srl.dublin.eircom.net] has joined ##openvpn
--- Log closed Mon Jun 28 12:55:03 2010
--- Log opened Mon Jun 28 12:55:11 2010
12:55 -!- ecrist_ [~ecrist@kenny.secure-computing.net] has joined ##openvpn
12:55 -!- Irssi: ##openvpn: Total of 93 nicks [3 ops, 0 halfops, 0 voices, 90 normal]
12:55 -!- Irssi: Join to ##openvpn was synced in 44 secs
13:00 -!- Netsplit *.net <-> *.split quits: stein0, kisom, Resist0r, _zero_, takamichi, crazygir, katoen, Zathraz, raw_, redfox,  (+7 more, use /NETSPLIT to show all of them)
13:00 -!- Netsplit *.net <-> *.split quits: havoc, killermouse0, disco-, Nappy, pa, @raidz, orion, @openvpn2009, RedT0mt0m, vpnHelper,  (+13 more, use /NETSPLIT to show all of them)
13:00 -!- Fragarach87 [~chatzilla@blk-138-58-53.eastlink.ca] has joined ##openvpn
13:01 -!- Netsplit over, joins: vpnHelper, cron2, @openvpn2009, Knio, @raidz, freaky[t], tjz, kisom, mikkel, katoen (+24 more)
13:01 < Fragarach87> !welcome
13:01 < vpnHelper> Fragarach87: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:01 -!- motd2k [~motd2k@87-194-148-242.bethere.co.uk] has joined ##openvpn
13:01 -!- motd2k [~motd2k@87-194-148-242.bethere.co.uk] has quit [Changing host]
13:01 -!- motd2k [~motd2k@xbmc/staff/motd2k] has joined ##openvpn
13:02 < motd2k> Does anyone have any input on how Oman is detecting OpenVPN traffic (on arbitrary ports)
13:02 < motd2k> (and blocking it)
13:04 < Fragarach87> Anyone know how to add another machine to the vpn network, IE the server is has the ip 192.168.139.1 i want 192.168.139.2 to point to another machine on the servers network server is a windows machine
13:04 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Max SendQ exceeded]
13:04 -!- abeehc_ [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
13:04 -!- fremo__ [~fremo@noc.toile-libre.net] has joined ##openvpn
13:05 -!- havoc_ [~havoc@neptune.chaillet.net] has joined ##openvpn
13:05 -!- havoc [~havoc@neptune.chaillet.net] has quit [Write error: Broken pipe]
13:05 -!- fremo___ [~fremo@noc.toile-libre.net] has quit [Write error: Broken pipe]
13:05 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Write error: Connection reset by peer]
13:05 -!- freaky[t] [alpha@freakyy.de] has quit [Ping timeout: 341 seconds]
13:05 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
13:06 -!- raw_ [~raw@chipotle118.server4you.de] has joined ##openvpn
13:06 -!- Resist0r [~mrresist0@69.31.131.51] has joined ##openvpn
13:07 -!- redfox [~redfox2@ks201831.kimsufi.com] has joined ##openvpn
13:07 -!- atlantic [~atlantic@hok.duf.hu] has joined ##openvpn
13:07 -!- atlantic [~atlantic@hok.duf.hu] has quit [Remote host closed the connection]
13:08 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
13:14 -!- motd2k [~motd2k@xbmc/staff/motd2k] has quit [Ping timeout: 265 seconds]
13:15 -!- Fragarach87 [~chatzilla@blk-138-58-53.eastlink.ca] has left ##openvpn []
13:28 -!- You're now known as ecrist
13:40 -!- star314 [~star314@starnet1.sinh.us] has joined ##openvpn
13:41 -!- motd2k [~motd2k@87-194-148-242.bethere.co.uk] has joined ##openvpn
13:41 -!- motd2k [~motd2k@87-194-148-242.bethere.co.uk] has quit [Changing host]
13:41 -!- motd2k [~motd2k@xbmc/staff/motd2k] has joined ##openvpn
13:57 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
14:06 -!- arosen [~arosen@clug.parl.clemson.edu] has joined ##openvpn
14:10 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 276 seconds]
14:18 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
14:23 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:27 -!- Psi-Jack_ [psi-jack@about/linux/staff/psi-jack] has joined ##openvpn
14:27 -!- Psi-Jack [psi-jack@about/linux/staff/psi-jack] has quit [Ping timeout: 276 seconds]
14:27 -!- Psi-Jack_ is now known as Psi-Jack
14:38 < kish> if compiled with 'allow non-cbc ciphers', will rc4 work?
14:38 < kish> Psi-Jack: yes. order matters
14:38 < Psi-Jack> Hehe. Okay. ;)
14:40 -!- star314 [~star314@starnet1.sinh.us] has quit [Quit: Leaving]
14:44 -!- sparkymarkd [~mark@190.242.32.10] has joined ##openvpn
14:46 < sparkymarkd> I have a problem with a vpn server not routing traffic out.. it has 2 tun0 interface routes, 10.8.0.1 and 10.8.0.2
14:46 < sparkymarkd> is that gonna work??  
14:47 < sparkymarkd> How can I remove the .2?
14:48 < sparkymarkd> !welcome
14:48 < vpnHelper> sparkymarkd: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:49 < sparkymarkd> !route
14:49 < vpnHelper> sparkymarkd: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:50 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit [Ping timeout: 264 seconds]
15:11 < krzie> sparkymarkd, 
15:11 < krzie> !/30
15:11 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
15:24 < sparkymarkd> !topology
15:24 < vpnHelper> sparkymarkd: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
15:24 < sparkymarkd> I'm having problems of the server not replying to anything.  wireshare on the server says that the ping arrives via tun adaptor, but no response from server
15:25 < krzie> firewall
15:26 < sparkymarkd> but I dont think there is a firewall on the server..  at least it worked without problems till recently
15:26 < sparkymarkd> on wan side yes, but not tun
15:26 < krzie> what did you change recently
15:26 < krzie> can the server ping the client"?
15:27 < sparkymarkd> I added another vpn config
15:27 < sparkymarkd> no server cannot ping client..  not even in the 10.8.0.x addres
15:27 < krzie> im only talking about the 10.8.0.x address
15:27 < krzie> what 10.8.0.x address are you trying to ping?
15:28 < sparkymarkd> from client to server .1
15:28 < sparkymarkd> on the server, wireshark says client is .10, so I try ping that, and no response
15:28 < krzie> and from server to client...?
15:28 < krzie> !configs
15:28 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
15:32 < sparkymarkd> http://pastebin.com/GxN9Q7ZH
15:33 < sparkymarkd> server:  OpenVPN 2.1_rc20 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Oct 24 2009
15:33 < sparkymarkd> all clients behave the same way.  windows or linux
15:34 < sparkymarkd> on the server side config theres nothing that has changed..  
15:35 < sparkymarkd> I did add another config - lan-to-lan, but don't see how that could mess it up.. 
15:41 < sparkymarkd> ok, I just confirmed that it is the firewall..  was thinking so too, but still don't know how I can fix it to work.. 
15:41 < sparkymarkd> stopped the firewalll, pings still did not go through..  
15:41 < sparkymarkd> then started it, and pings went through for 2 seconds
15:45 < krzie> cool
15:45 < krzie> im busy at work, dont have time to dig into it with ya
15:45 < sparkymarkd> Ok...  thanks..  for your help..  
15:46 < sparkymarkd> just trying to explain often hellps
15:46 < krzie> right on
15:55 -!- sparkymarkd [~mark@190.242.32.10] has quit [Ping timeout: 240 seconds]
15:59 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
16:28 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
16:32 -!- clyons [~clyons@unaffiliated/clyons] has joined ##openvpn
16:33 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
16:41 -!- clyons [~clyons@unaffiliated/clyons] has quit [Quit: Leaving]
16:48 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:02 -!- Psi-Jack [psi-jack@about/linux/staff/psi-jack] has quit [Ping timeout: 264 seconds]
17:02 -!- atlantic_ [~atlantic@hok.duf.hu] has quit [Quit: Lost terminal]
17:28 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
17:30 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
17:31 -!- Sky[xx] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
17:39 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
17:52 -!- UdontKnow is now known as KnightWhoSaysNI
17:59 -!- blueboxthief [~None_of_y@86-45-82-232-dynamic.b-ras2.srl.dublin.eircom.net] has quit [Quit: Leaving.]
18:05 -!- KnightWhoSaysNI is now known as Wowbagger
18:24 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
18:24 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
18:42 -!- jbartus [~jim@li58-157.members.linode.com] has joined ##openvpn
18:42 < jbartus> !welcome
18:42 < vpnHelper> jbartus: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:43 < jbartus> !interface
18:43 < vpnHelper> jbartus: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
18:59 -!- kish [~o2@unaffiliated/spice] has quit [Ping timeout: 248 seconds]
19:02 -!- kish [~o2@unaffiliated/spice] has joined ##openvpn
19:07 -!- arosen1 [~arosen@c-174-56-133-172.hsd1.sc.comcast.net] has joined ##openvpn
19:07 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
19:08 < arosen1> Sorry to bother you guys but I have a quick question. 
19:08 < arosen1> I'm getting the following error message " Options error: --ifconfig-pool-persist must be used with --ifconfig-pool"
19:08 < arosen1> But when i add ifconfig-pool to my server.conf it says that ifconfig-pool is an unrecognized option
19:21 < Bushmills> how does the whole line look like?
19:24 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
19:25 -!- Bora- [~MS@S0106001c109e98db.no.shawcable.net] has joined ##openvpn
19:25 < Bora-> !welcome
19:25 < vpnHelper> Bora-: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:25 < Bora-> !iporder
19:25 < vpnHelper> Bora-: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
19:27 < Bora-> Hello, I have installed openVPN-AS on a centos server and I was wondering how would I tell openvpn to use one of the secondary ips on the server instead of the default eth0 ip?
19:28 < arosen1> Bushmills: ifconfig-pool
19:28 < arosen1> ifconfig-pool-persist ipp.txt
19:30 < Bushmills> why don't you try using ifconfig-pool like explained in the man page instead?
19:30 < Bushmills> you know, the man page has not just decorative purposes
19:32 < arosen1> fixed thanks
19:32 < Bora-> would my only option be to swap the ips? change eth0:1 with eth0?
19:34 < Bushmills> Bora-: no life is full of options
19:35 < Bushmills> one option is to take advantage of the great support you receive for Access Server
19:36 < Bora-> hmm
19:38 < Bora-> I looked at support center and on google but I couldn't find the answer I am looking for.
19:39 < Bushmills> openvpn can use tun or tap.  tun preferred
19:41 < Bora-> I have no problem connecting to the server
19:41 < Bora-> I am routing all traffic through the server it works perfect.
19:42 < Bora-> I have openvpn listen on a secondary ip on my server 
19:43 < Bora-> but when i access external resources it uses my servers main ip
19:45 -!- takamichi [~pri@78.133.33.203] has quit [Ping timeout: 265 seconds]
19:51 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
19:51 < Bushmills> openvpn can use tun or tap.  tun preferred. that excludes eth0 or eth0:1
19:52 < Bushmills> ah. listen as in "binding to interface"?
20:02 < arosen1> I have openvpn setup to do bridge ethernet and it seems like that is working. The only thing that i can't seem to figure out is why when i ping a computer why the packet isn't getting fowarded on to the right computer. (If i run tcpdump i see the incoming packets) but they are not getting forwarded on to the right interface. 
20:03 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
20:05 < arosen1> I think it has to do with my iptables
20:05 < arosen1> When i add   iptables -A INPUT -i tap0 -j ACCEPT iptables -A INPUT -i br0 -j ACCEPT iptables -A FORWARD -i br0 -j ACCEPT  and then type iptables -L it doesn't seem like those rules are in there
20:07 < Bushmills> read about --local, that should address you first question
20:08 < arosen1> /--/
20:08 < arosen1> Bushmills: you mean --local host ? 
20:09 < arosen1> (I figured out that ipables thing it did add them i needed -v to seem them)
20:10 < Bushmills> yes, that's the one
20:11 < arosen1> Bushmills: I understand that. I do have local 130.127.62.2 in there
20:11 < arosen1> This computer has two eth card (Both cards are on seperate networks)
20:12 < arosen1> I have clients coming in on the unbridged interface 
20:12 < arosen1> And then the tap is bridged with the other one. 
20:14 < arosen1> I've also done echo 1 > /proc/sys/net/ipv4/ip_forward
20:16 < arosen1> Bushmills: Am i missing some key point here? 
20:17 < Bushmills> i'd prefer to think that you have some key points too many there
20:19 < arosen1> lol
20:19 < Bushmills> but the --local was misdirected.  should have gone to Bora-
20:20 < Bushmills> no wonder that one confused you
20:21 < arosen1> Bushmills: This seems really odd so my pings are getting to the other host (since i'm pinging the second eth card ) but they are not getting ack'ed BUT when i run tcpdump on tap0 of my client its doing arps for the ip address that i'm pinging. 
20:26 < arosen1> Bushmills: Ok i liked it seems like my pings my not be going though i was reading tcpdump incorrectly
20:32 < arosen1> Bushmills: would you mind taking a look at this ? (My routes/ and configs) I think that ifconfig-pool gave me a false sense that things were working
20:33 < Bushmills> no. I'm not of much use with bridging setups
20:34 < arosen1> Bushmills: it seems like my client just pulls an ipaddress from the ifconfig-pool and not the dhcp server thats running
20:36 < Bushmills> how should client be able to reach dhcp server before openvpn server has assigned an ip address to openvpn client?
20:38 < arosen1> Bushmills: I figured the client wouldn't need an ipaddress yet since its a layer 2 tunnel? 
20:38 < krzie> both are possible
20:38 < arosen1> But i guess that can't work with out layer3 ? 
20:38 < krzie> in fact you can even set it up where the vpn endpoints never even have an IP
20:38 < krzie> as im seeing from JJK's OpenVPN Cookbook
20:39 < krzie> unfortunately i suck with bridge / layer2 setups
20:39 < krzie> (because i dont use them)
20:41 < ecrist> krzie: http://www.freebsd.org/doc/en/articles/contributors/contrib-additional.html
20:41 < vpnHelper> Title: Additional FreeBSD Contributors (at www.freebsd.org)
20:41 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
20:41 < ecrist> search Eric F
20:41  * ecrist does a dance
20:41 < krzie> o/
20:42 < krzie> good stuff!
20:43 < arosen1> Would either of you two mind looking at my configs? http://pastebin.com/WAjL8GEn I'm kinda stuck at this point i think :(
20:43 < krzie> lets start with this
20:44 < krzie> !layer2
20:44 < vpnHelper> krzie: "layer2" is (#1) you are using tap, what specific layer2 protocol do you need to work over the vpn?, or (#2) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#3) protocols that use layer2 communicate by MAC address, not IP address
20:44 < krzie> !tunortap
20:44 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
20:44 < vpnHelper> krzie: against you over the vpn, or (#4) lan gaming? use tap!
20:44 < krzie> answer that please
20:45 < arosen1> krzie: Yes I need layer two. I can explain why if you need me to. 
20:45 < krzie> should be a pretty easy explanation
20:45 < krzie> which layer2 protocol do you need?
20:46 < arosen1> krzie: Pretty much all of them. I'm using this thing called openflow (www.openflowswitch.org) which lets you manipulate traffic flows and it works on layer two as well as 3. 
20:47 < krzie> ok, so you want a full bridge i take it
20:47 < krzie> now, for the configs...
20:47 < krzie> !configs
20:47 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
20:49 < arosen1> krzie: thanks for your help http://pastebin.com/EukUWnrM
20:50 < krzie> you're configuring a routed setup with a tap device, this will not give you all layer2
20:51 < krzie> you likely want a bridge config
20:51 < krzie> !bridge
20:51 < vpnHelper> krzie: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for anything where the protocol uses MAC addresses instead of IP addresses.
20:51 < vpnHelper> krzie: (but not samba, see !wins)
20:52 < arosen1> krzie: can you please explain whats wrong there? I followed this part http://openvpn.net/index.php/open-source/faq.html#bridge-addressing
20:52 < vpnHelper> Title: FAQ (at openvpn.net)
20:52 < arosen1> (The second method)
20:52 < arosen1> This way i'm using the dhcp server on the lan and now openvpn to manage it
20:55 < krzie> "The one complexity about this configuration is that you need to modify your DHCP server configuration to differentiate between local clients and VPN clients. The reason for this is that you must not pass out a default gateway to VPN clients."
20:57 < arosen1> krzie: what about this one ?http://pastebin.com/Ai0DWhjr This is using server bridge
20:57 < krzie> honestly im not a bridge/ layer2 guy
20:57 < arosen1> but when i ping a box on the other side the client just does arp 
20:58 < krzie> but now that you've posted your configs without comments maybe someone else will respond
20:58 < krzie> if you wanted a complex layer3/tun setup, im your guy
20:59 < arosen1> krzie: sorry but thanks for giving it a shot for me :D
20:59 < krzie> no problem
20:59 < krzie> maybe you'll catch ecrist with free time, i know he knows bridge configs
21:00 < krzie> too bad JJK's book isnt out yet, hes  got a masterful chapter on layer2 configs
21:01 < arosen1> ecrist: If you get a few sec I would really appricate if you took a look at my configs :D
21:02  * arosen1 appreciate 
21:04  * ecrist will tomorrow, if you're around.
21:04 < ecrist> 7am - 3pm CDT is best for me
21:05 < arosen1> sounds good I'll be around tomorrow  Thanks!
21:05 < ecrist> np
21:10 -!- arosen1 [~arosen@c-174-56-133-172.hsd1.sc.comcast.net] has quit [Quit: Leaving.]
21:47 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
21:56 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
21:58 -!- sparkymarkd [~mark@200.32.232.150] has joined ##openvpn
22:06 -!- arosen1 [~arosen@c-174-56-133-172.hsd1.sc.comcast.net] has joined ##openvpn
22:07 < arosen1> !config
22:07 < vpnHelper> arosen1: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
22:07 < arosen1> !configs
22:07 < vpnHelper> arosen1: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
22:32 -!- abeehc_ [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 265 seconds]
22:32 < creack> !host
22:32 < vpnHelper> creack: Error: "host" is not a valid command.
22:32 < creack> us ut possible to configure client to tell "hello my name is toto" so other client can use his host?
22:33 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
22:38 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has quit [Ping timeout: 265 seconds]
22:40 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 248 seconds]
22:42 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
22:57 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
22:58 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:11 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
23:40 -!- Bora- [~MS@S0106001c109e98db.no.shawcable.net] has quit [Read error: Connection reset by peer]
23:42 -!- sparkymarkd [~mark@200.32.232.150] has quit [Ping timeout: 240 seconds]
23:47 -!- DrJ [Bacon@174.141.224.168] has quit [Ping timeout: 265 seconds]
23:48 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 265 seconds]
23:48 -!- theDoc [~jaki@173.236.41.38] has joined ##openvpn
23:49 -!- DrJ [Bacon@174.141.224.168] has joined ##openvpn
--- Day changed Tue Jun 29 2010
00:21 < creack> !help
00:21 < vpnHelper> creack: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
00:21 < creack> !welcome
00:21 < vpnHelper> creack: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
00:22 < creack> !mitm
00:22 < vpnHelper> creack: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
00:25 < creack> !iporder
00:25 < vpnHelper> creack: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
00:26 < creack> !sample
00:26 < vpnHelper> creack: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
00:27 < creack> !redirect
00:27 < vpnHelper> creack: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
00:27 < krzee> there is also
00:27 < krzee> !factoids
00:27 < vpnHelper> krzee: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
00:28 < krzee> thats everything the bot knows =]
00:28 < creack> oki
00:28 < creack> :)
00:28 < creack> krzee: is it possible to attribute a hostname to a client?
00:29 < krzee> if you have an internal NS or wish to maintain host files
00:29 < krzee> then you tell openvpn to use static ips
00:29 < krzee> !static
00:29 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
00:30 < creack> and there is no way with dynamic ips?
00:30 < krzee> openvpn isnt a nameserver
00:31 < creack> I know
00:31 < creack> but it is kind of dhcp server, no?
00:31 < theDoc> What?
00:31 < theDoc> No.
00:31 < creack> there is nothing like "send host-name "<hostname>";" as in dhcp-client
00:31 < theDoc> openvpn isn't a dhcp server either.
00:32 < creack> ok
00:33 < theDoc> brb.
00:33 < theDoc> Customer.
00:34 < creack> I am looking the sample config
00:34 < creack> what the "nobind" command is for?
00:36 < krzee> 1man
00:36 < krzee> err
00:36 < krzee> !man
00:36 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
00:36 < krzee> search for --nobind
00:36 < creack> ^^
00:36 < creack> k
00:37 < creack> hum
00:37 < creack> ok
00:37 < creack> but I still do not understand why is it usefull
00:38 < creack> is it for security reasons?
00:38 -!- theDoc [~jaki@173.236.41.38] has quit [Ping timeout: 245 seconds]
00:42 -!- theDoc [~jaki@173.236.41.35] has joined ##openvpn
00:44 -!- takamichi [~pri@78.133.33.203] has joined ##openvpn
00:46 -!- takamichi [~pri@78.133.33.203] has quit [Client Quit]
00:51 < krzee> client have no need of binding an ip to be connected at
00:51 < krzee> its pointless
00:51 < krzee> nothing should connect to them
00:52 -!- takamichi [~pri@78.133.33.203] has joined ##openvpn
00:56 < creack> oh
00:56 < creack> ok
00:57 < creack> so even if it is config as client, it still bind a port without this option?
01:10 < hyper_ch> krzee: http://techcrunch.com/2010/06/28/iphone-4-vs-evo-4g/
01:10 < vpnHelper> Title: Video: An EVO 4G Salesman Confronts An iPhone 4 Shopper (NSFW) (at techcrunch.com)
01:14 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
01:23 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has left ##openvpn []
01:28 -!- dazo_afk is now known as dazo
01:35 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
01:45 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 276 seconds]
01:58 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
01:58 -!- mode/##openvpn [+o mattock] by ChanServ
02:07 -!- scyld [~krajcong@unaffiliated/wasyl] has quit [Ping timeout: 248 seconds]
02:18 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
02:47 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
02:47 -!- kraut_ is now known as kraut
02:47 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:49 -!- theDoc [~jaki@173.236.41.35] has quit [Changing host]
02:49 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
02:54 -!- mape2k [~mape2k@p5B286793.dip.t-dialin.net] has joined ##openvpn
02:58 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
03:05 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Ping timeout: 264 seconds]
03:09 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:15 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
03:20 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
03:32 -!- UnterPerro [~UnterPerr@cpe-75-84-221-75.socal.res.rr.com] has joined ##openvpn
04:34 -!- SeveredCross [~SeveredCr@about/csharp/regular/severedcross] has quit [Ping timeout: 276 seconds]
04:50 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:58 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
05:10 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
05:11 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit [Ping timeout: 264 seconds]
05:12 -!- UnterPerro [~UnterPerr@cpe-75-84-221-75.socal.res.rr.com] has quit [Quit: UnterPerro lives to save another day]
05:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
05:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:34 -!- havoc_ is now known as havoc
05:47 -!- orion [orion@unaffiliated/orion] has quit [Quit: leaving]
06:19 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:30 -!- italorossi [~kvirc@189.23.15.27] has joined ##openvpn
07:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
07:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:40 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
07:40 < italorossi> Can I use the dev tun to create qdiscs and classes to reserve traffic between my sites?
07:41 -!- sparkymarkd [~mark@200.32.232.150] has joined ##openvpn
07:53 -!- italorossi [~kvirc@189.23.15.27] has left ##openvpn ["No matter how dark the night, somehow the Sun rises once again"]
07:54 -!- flok420 [folkert@keetweej.vanheusden.com] has joined ##openvpn
07:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 248 seconds]
07:55 < flok420> hi. iirc openvpn can act like a dhcp-server for the clients. how can I let that dhcp-server inform the clients aobut the wins server/cifs server/pdc/etc?
07:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:02 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
08:07 -!- sparkymarkd [~mark@200.32.232.150] has quit [Ping timeout: 260 seconds]
08:13 < ecrist> !wins
08:13 < vpnHelper> ecrist: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
08:14 < ecrist> flok420: I think it's covered in the manual
08:14 < ecrist> !man
08:14 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
08:38 < flok420> no it is not
08:38 < flok420> i have windows clients, windows clients need their settings via dhcp, not in a samba.conf
08:41 -!- sparkymarkd [~mark@200.32.232.150] has joined ##openvpn
08:43 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
08:47 < ecrist> flok420: the openvpn man page
08:47 < ecrist> it *IS* in there, as I'm looking at it now.
08:48 < dazo> flok420: look for --dhcp-option in the man page
08:49 < dazo> --dhcp-option can also be pushed from server to clients with --push
08:49 < dazo> !--
08:49 < vpnHelper> dazo: "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file.
08:49 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
08:58 -!- arosen [~arosen@clug.parl.clemson.edu] has quit [Ping timeout: 264 seconds]
08:58 -!- motd2k [~motd2k@xbmc/staff/motd2k] has quit [Ping timeout: 264 seconds]
09:18 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
09:24 -!- sparkymarkd [~mark@200.32.232.150] has quit [Ping timeout: 260 seconds]
09:27 -!- TDJACR [~TDJACR@unaffiliated/tdjacr] has quit [Remote host closed the connection]
09:27 -!- TDJACR [~TDJACR@unaffiliated/tdjacr] has joined ##openvpn
09:54 -!- sparkymarkd [~mark@200.32.232.150] has joined ##openvpn
09:55 -!- mape2k [~mape2k@p5B286793.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
09:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
09:59 -!- sparkymarkd [~mark@200.32.232.150] has quit [Ping timeout: 245 seconds]
09:59 -!- sparkymarkd [~mark@200.32.232.150] has joined ##openvpn
10:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:04 -!- sparkymarkd [~mark@200.32.232.150] has quit [Ping timeout: 264 seconds]
10:06 -!- sparkymarkd [~mark@190.242.32.10] has joined ##openvpn
10:09 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
10:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
10:11 -!- sparkymarkd [~mark@190.242.32.10] has quit [Ping timeout: 276 seconds]
10:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:23 -!- Sky[xx] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
10:24 -!- dazo is now known as dazo_afk
10:25 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
10:26 -!- WormFood [~wormfood@219.134.136.124] has joined ##openvpn
10:33 -!- sparkymarkd [~mark@200.32.219.18] has joined ##openvpn
10:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
10:38 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:39 -!- jbartus [~jim@li58-157.members.linode.com] has left ##openvpn []
10:50 -!- sparkymarkd [~mark@200.32.219.18] has quit [Ping timeout: 260 seconds]
10:51 -!- sparkymarkd [~mark@200.32.219.18] has joined ##openvpn
10:52 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
10:55 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
10:59 -!- plaerzen [~carpe@vip1.tundraeng.com] has joined ##openvpn
11:04 -!- plaerzen [~carpe@vip1.tundraeng.com] has left ##openvpn ["Leaving"]
11:05 -!- sparkymarkd [~mark@200.32.219.18] has quit [Ping timeout: 265 seconds]
11:05 -!- sparkymarkd [~mark@200.32.219.18] has joined ##openvpn
11:11 -!- sparkymarkd [~mark@200.32.219.18] has quit [Read error: Connection reset by peer]
11:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
11:15 -!- le0_ [~fin@cpc4-bele7-2-0-cust381.know.cable.virginmedia.com] has joined ##openvpn
11:16 -!- sparkymarkd [~mark@200.32.219.19] has joined ##openvpn
11:17 -!- le0_ [~fin@cpc4-bele7-2-0-cust381.know.cable.virginmedia.com] has quit [Client Quit]
11:18 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
11:21 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:21 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
11:23 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:24 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
11:25 -!- sparkymarkd [~mark@200.32.219.19] has quit [Ping timeout: 260 seconds]
11:26 -!- sparkymarkd [~mark@h69-21-196-174.mdsnwi.dedicated.static.tds.net] has joined ##openvpn
11:34 -!- d457k [~heiko@2a01:198:4d7:0:21f:c6ff:fe44:aec8] has quit [Ping timeout: 248 seconds]
11:35 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
11:36 -!- d457k [~heiko@vpn.astaro.de] has joined ##openvpn
11:38 -!- clyons [~clyons@unaffiliated/clyons] has joined ##openvpn
11:38 -!- clyons [~clyons@unaffiliated/clyons] has quit [Read error: Connection reset by peer]
11:49 < WormFood> I installed openvpn on a friend's computer (windows XPee), and now none of the network connections work, even after uninstalling openvpn....I'm not convinced openvpn is the problem, but it seems likely since it happened at the same time....anyone experienced this problem before?
12:04 < Bushmills> you broke it
12:11 -!- sppadicus [~IceChat7@87.114.87.22.plusnet.thn-ag2.dyn.plus.net] has joined ##openvpn
12:13 < ayi> I hate Windows
12:24 < hyper_ch> <
12:24 < hyper_ch> ayi: use linux
12:24 < hyper_ch> WormFood: windows broke itself
12:25 < WormFood> windows commonly fucks itself
12:25 < hyper_ch> that's why I don't use it anymore - if possible
12:25 < WormFood> i told my friend, "it looks like windows shit all over itself"
12:25 < WormFood> I also hate windows....pure fuckin' garbage!
12:25 < hyper_ch> install your friend some decent linux distro and add a windows theme and tell him it's windows 8
12:25 < WormFood> *I* DO use Linux....but I can't expect my friends to use that garbage too
12:25 < hyper_ch> he won't know the difference anyway
12:26 < WormFood> until they try to infect their computer with the latest virus
12:26 < sppadicus> these days WormFood with ubuntu, fedora u get very good effects on desktop -better htan windows
12:26 < sppadicus> as long as graphics card supports it that is 
12:27 < WormFood> "your computer appears to be virus free, click here to install the newest virus on your computer".....I saw where someone made a banner ad like that, and people actually clicked on it
12:27 < hyper_ch> and there's even an Linux Genuine Advantage... so that you won't miss that experience either
12:27 < WormFood> you don't need to tell me. I've been running Linux since 1995....I KNOW Linux is so much better than windows....hell, even a heaping pile of steaming dog shit is better than Winblows!
12:28 < hyper_ch> http://www.linuxgenuineadvantage.org/
12:28 < vpnHelper> Title: Linux Genuine Advantage (at www.linuxgenuineadvantage.org)
12:28 < sppadicus> ouch hehe the vitriol hehehe
12:28 < WormFood> I know, I've seen it before
12:28 < WormFood> rather funny
12:29 < WormFood> shit, it is 1:30 am here. I need to go back to bed. I'll see ya'll l8r
12:29 < sppadicus> bb WormFood
12:30 < sppadicus> 7 hours ahead - bloody ell thats a time zone a way then
12:30 < WormFood> UTC+8
12:30 < WormFood> so that means you must be in europe?
12:30 < sppadicus> ditto 
12:30 < sppadicus> or rather bingo
12:30 < sppadicus> even
12:31 < WormFood> yeah. I'm in China
12:31 < sppadicus> and am guessing ur either malaysia or further on?
12:31 < sppadicus> ahh clooose
12:31 < WormFood> 我在深圳市
12:31 < WormFood> I'm in Shenzhen City, just over the border with HK
12:31 < sppadicus> oo niice
12:31 < sppadicus> rite enough chit chat -get to bed!
12:31 < sppadicus> :-P
12:32 < WormFood> I need to respond to an email, then hit the sack
12:40 -!- sparkymarkd [~mark@h69-21-196-174.mdsnwi.dedicated.static.tds.net] has quit [Ping timeout: 264 seconds]
12:49 -!- sparkymarkd [~mark@200.32.219.19] has joined ##openvpn
13:07 -!- sparkymarkd [~mark@200.32.219.19] has quit [Ping timeout: 245 seconds]
13:07 -!- sparkymarkd [~mark@h69-21-196-174.mdsnwi.dedicated.static.tds.net] has joined ##openvpn
13:14 -!- JackCorleone [~Jack@187.11.184.68] has joined ##openvpn
13:19 < sparkymarkd> what should I do if I want to push internet gateway to clients, but clients are going to connect from multiple/unknown subnets - getting this error: MULTI: bad source address from client
13:19 < sparkymarkd> I know I could use the  client-config-dir, but maybe I don't quite understand how that works..  is that IP not the address that the client has - not the vpn interface?
13:26 < ecrist> !logs
13:26 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
13:42 -!- Perun [~perun@2001:6f8:1316:1234:216:3eff:fe05:3160] has quit [Ping timeout: 248 seconds]
13:42 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Ping timeout: 276 seconds]
13:50 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 240 seconds]
13:53 -!- WormFood [~wormfood@219.134.136.124] has quit [Ping timeout: 265 seconds]
14:06 -!- WormFood [~wormfood@219.134.136.107] has joined ##openvpn
14:15 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
14:15 -!- mode/##openvpn [+o mattock] by ChanServ
14:19 -!- Perun_ [~perun@2001:6f8:1316:1234:216:3eff:fe05:3160] has joined ##openvpn
14:20 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has joined ##openvpn
14:23 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
14:40 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: Leaving]
14:43 -!- sppadicus [~IceChat7@87.114.87.22.plusnet.thn-ag2.dyn.plus.net] has quit [Quit: Download IceChat at www.icechat.net]
14:47 -!- EugenMayer [~EugenMaye@dslb-188-099-234-140.pools.arcor-ip.net] has joined ##openvpn
14:48 < EugenMayer> Hello guys. Iam trying to setup a bridging connecting me into the office. We have a router ( hardware router ) and a debian server which will have the openVPN server.
14:49 < EugenMayer> I have setup a br0, bridgin eth0 and tap0, getting a localIP address on br0 in the LAN ( working, can ping anything ).
14:49 < EugenMayer> So i have setup the debian server with br0 192.168.1.10 as a IP adress ( 255.255.255.0 )
14:50 < EugenMayer> thats the openvpn server config: http://pastebin.com/qGwtZ0Hk
14:51 < EugenMayer> LAN is: 192.168.1.0
14:51 < EugenMayer> ROUTER: 192.168.1.1
14:51 < EugenMayer> DEBIAN-SERVER(openVPN): 192.168.1.10
14:52 < EugenMayer> Thats the client config : http://pastebin.com/cfq7SK1b
14:52 < EugenMayer> actually i can connect with the client, i get a IP ( 192.168.1.70 ) and my route seems to be setup just fine. Anyhow i cannot ping / reach any clients in the LAN 192.168.1.0
14:53 < EugenMayer> Would be really great if someone could point my blind nose to the mistake a do. 
14:53 -!- EugenMayer [~EugenMaye@dslb-188-099-234-140.pools.arcor-ip.net] has left ##openvpn []
14:54 -!- AndreU [~AndreU@g230209206.adsl.alicedsl.de] has joined ##openvpn
14:56 < AndreU> hi there
14:56 < AndreU> EugenMayer cannot reconnect to the channel anymore
14:57 < AndreU> we don´t have a clue what happened
14:57 < AndreU> we would be glad if someone could help us
14:59 < ecrist> no idea
14:59 < ecrist> it said he left the channel
14:59 < AndreU> hm :-(
14:59 < AndreU> ah ok
15:00 < ecrist> we have two channel bans, neither of which are for him.
15:00 < AndreU> did you get his questions?
15:00 < ecrist> no, I was working.
15:00 -!- EugenMayer [~EugenMaye@dslb-188-099-234-140.pools.arcor-ip.net] has joined ##openvpn
15:00 < AndreU> Ahhh!
15:01 < EugenMayer> Hi again. Holy - could not reconnect
15:01 < AndreU> welcome back
15:01 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
15:01 < EugenMayer> Thanks for proxiing AndreU
15:01 < EugenMayer> So, did someone answer?
15:02 < EugenMayer> ecrist: http://pastebin.com/qGwtZ0Hk
15:02 < EugenMayer> ecrist: http://pastebin.com/cfq7SK1b
15:02 < EugenMayer> those are the server / clien configurations
15:03 < EugenMayer> We are trying to connect to office locations. We have a ROUTER(192.168.1.1), a Debian Server(192.168.1.10) which is hosting the OPENVPN-Server, and the network itself 192.168.1.0
15:04 < EugenMayer> i have setup a br0, bridging tap0 and eth0, getting a LAN ip: 192.168.1.10. The DEBIAN SERVER can ping the LAN and the clients
15:04 < Bushmills> why bridge?
15:04 < EugenMayer> To also support broadcast
15:04 < EugenMayer> *broadcasts
15:05 < EugenMayer> (e.g. wins etc)
15:05 < Bushmills> !wins
15:05 < vpnHelper> Bushmills: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
15:05 < Bushmills> !tunortap
15:05 < vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
15:05 < vpnHelper> Bushmills: against you over the vpn, or (#4) lan gaming? use tap!
15:06 < EugenMayer> connecting with a client to that network, i get a 192.168.1.70 IP and the route looks good. But i cant ping any client in the LAN
15:07 < EugenMayer> Bushmills: so you advice to use tun rather tap ( security wise, easy of installation wise) ?
15:08 < Bushmills> yes. also support-wise. more folks here have routing- rather than bridge experience
15:08 < Bushmills> probalby because not many of them are gamers :)
15:08 < EugenMayer> i see. any example configuration for tuns i can use in my case?
15:09 < Bushmills> anything in particular?  sample openvpn configs should be in /usr/share/doc/openvpn/...
15:09 < EugenMayer> AndreU: well were`nt we about to host a "shred and shoot the IE*" tournament in our LAN? :)
15:10 < AndreU> Kill IE yes
15:11 < EugenMayer> Bushmills: looking at the examples, i stumblend opon
15:12 < EugenMayer> tls-office and tls-home
15:12 < EugenMayer> by the name i would use office, but it looks like tls-home is my key, isnt it?
15:12 < Bushmills> tls sounds good. i don't know the particularities of either home or office config
15:13 -!- killown [~killown@unaffiliated/killown] has quit [Read error: Connection reset by peer]
15:13 < EugenMayer> Bushmills: well we need all connected clients to be able to access 192.168.1.0
15:13 < Bushmills> !route
15:13 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:13 < EugenMayer> he has a shortcut for like everything :)
15:14 < EugenMayer> !cookmeal
15:14 < vpnHelper> EugenMayer: Error: "cookmeal" is not a valid command.
15:14 < EugenMayer> damn
15:14 -!- ayi [~vegar@145.227.16.62.customer.cdi.no] has quit [Quit: leaving]
15:15 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
15:25 < EugenMayer> Bushmills: http://pastebin.com/0HBNRyHM  .. http://pastebin.com/fZngcBJb
15:25 < EugenMayer> Bushmills: those are the client / server config. Connecting with the client works - route looks fine - cant reach any client in the LAN
15:26 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 265 seconds]
15:26 < Bushmills> !route
15:26 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:27 < EugenMayer> i guess that means my routing is wrong
15:27 < Bushmills> you may be missing the route back from lan to clients
15:28 < EugenMayer> hrm
15:33 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
15:38 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has joined ##openvpn
15:40 < EugenMayer> Bushmills: cant make a clue. what would that route look like
15:43 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit [Ping timeout: 260 seconds]
15:45 < Bushmills> assume a client on one side of the vpn has sent a request, which has been routed through vpn, through vpn server, to a LAN client. that LAN clients replies, the reply being sent to the ip address of the interface which had sent the request. That package reaches the openvpn server. look at routing table there where it is routed to. whether it can reach the requesting client, by routing it back through the vpn
15:46 < krzie> !factoids search outside
15:46 < vpnHelper> krzie: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
15:46 < Bushmills> (you said there is a router, which is probably also the openvpn client,  meaning that the requesting machine has not an openvpn ip address)
15:47 < Bushmills> 'morning krzie
15:47 < krzie> if the client is also the router for its lan he has a route back by default
15:47 < krzie> moinmoin bush
15:48 < krzie> if the client is not also the router for its lan, the router needs a route as explained in the factoid above
15:49 < krzie> (which has a nice diagram thanx to the help of reiffert
15:49 < Bushmills> )
15:49 < krzie> thx =]
15:49 < Bushmills> urw
15:55 < EugenMayer> the router ( 192.168.1.1 ) is not a client of the openVPN network
15:55 < EugenMayer> krzie: is that a problem?
15:55 < krzie> not if you add a new static route to it
15:56 < krzie> as Bushmills said above, and i gave links to info on
15:56 < krzie> [13:30]  <Bushmills> you may be missing the route back from lan to clients
15:56 < EugenMayer> a static route to the LAN of the client connecting to the net?
15:56 < krzie> you are trying to route the client LAN to the vpn, right?
15:56 < EugenMayer> so if the client is in 192.168.176.0 : route 192.168.176.0 255.255.255.0
15:57 < EugenMayer> client <-> VPN <- LAN to reach from client
15:57 < krzie> so the lan is behind the server? and no lan behind the client?
15:57 < EugenMayer> i want the LAN the vpn server is inside ( 192.168.1.0) to be reachable by the clients connecting tot the vpn ( which are generally in 10.0.8.0 )
15:58 < krzie> ok, but note that any client connecting from the subnet of 192.168.1.x will have issues
15:58 < krzie> !samesubnet
15:58 < EugenMayer> the client itself is also in a LAN - but i dont need to make this lan accessable to other clients in the VPN / office lan)
15:58 < vpnHelper> krzie: "samesubnet" is clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
15:58 < krzie> is the server also the router for its own LAN?
15:59 < EugenMayer> now, the server (openvpn, debian) is 192.168.1.10, not the router. The router is 192.168.1.1 ( for the LAN and internet  )
15:59 < krzie> ok, then heres what you need:
16:00 < krzie> in the server config:    push "route 192.168.1.0 255.255.255.0"
16:00 < krzie> then on the router 192.168.1.1 you need a static route
16:00 < krzie> !route_outside_openvpn
16:00 < vpnHelper> krzie: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
16:00 < krzie> as explained there
16:01 < krzie> also, your server must have IP forwarding enabled
16:01 < krzie> !ipforward
16:01 < vpnHelper> krzie: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
16:03 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
16:04 < krzie> if you have road warriors (mobile vpn users) you will want to change the LAN subnet on the server side
16:04 < EugenMayer> krzie: ipforwarding is enabled
16:04 < krzie> because it is very common, and no user can connect if he is also on 192.168.1.x
16:04 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
16:04 < krzie> thats all you need to know, now do what i said and you're done
16:04  * krzie goes back to work =]
16:10 < EugenMayer> krzie: well, which static route do i need?
16:11 < EugenMayer> i see
16:11 < EugenMayer> so in my case
16:11 < EugenMayer> 10.8.0.0/24 gw 10.0.8.1
16:11 < EugenMayer> ?
16:12 < krzie> i wrote a bunch of docs explaining it
16:12 < krzie> go read them
16:12 < EugenMayer> no
16:12 < krzie> n o?
16:12 < EugenMayer> (no to my suggestion )
16:12 < EugenMayer> not to your "RTFM" :)
16:12 < krzie> ahh ok
16:12 < EugenMayer> 10.8.0.0/24 gw 192.168.1.10
16:12 < krzie> what OS is your router?
16:13 < EugenMayer> hardware..
16:13 < krzie> that looks correct assuming your router is linux
16:13 < EugenMayer> whatever, linksys crap
16:13 < krzie> then where do you think you would type that in?
16:13 < EugenMayer> in the web-interface :) 
16:13 < krzie> go to the admin interface and add a static route
16:13 < EugenMayer> it was just an example
16:16 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
16:24 < EugenMayer> krzie: thanks!
16:29 < krzie> yw
16:38 -!- AndreU [~AndreU@g230209206.adsl.alicedsl.de] has quit [Read error: Connection reset by peer]
16:38 -!- AndreU [~AndreU@g230209206.adsl.alicedsl.de] has joined ##openvpn
16:43 -!- EugenMayer [~EugenMaye@dslb-188-099-234-140.pools.arcor-ip.net] has quit [Remote host closed the connection]
16:57 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 260 seconds]
17:06 -!- AndreU [~AndreU@g230209206.adsl.alicedsl.de] has quit [Quit: AndreU]
17:32 -!- sparkymarkd [~mark@h69-21-196-174.mdsnwi.dedicated.static.tds.net] has quit [Ping timeout: 240 seconds]
17:34 -!- sparkymarkd [~mark@200.32.219.19] has joined ##openvpn
17:35 -!- Sky[xx] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
17:40 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
17:48 -!- sparkymarkd [~mark@200.32.219.19] has quit [Ping timeout: 264 seconds]
17:52 -!- takamichi [~pri@78.133.33.203] has quit [Ping timeout: 260 seconds]
18:06 -!- ruied [~ruied@bl14-234-232.dsl.telepac.pt] has joined ##openvpn
18:06 < ruied> hi, is there any openvpn command so I can check the tunnels that are established at a given time?
18:10 < cpm> ifconfig?
18:11 < krzie> it would be a command in thye management interface
18:11 < krzie> or of course you could use the status file
18:11 < krzie> see --status and --management in the manual
18:11 < krzie> !man
18:11 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:12 < krzie> cpm, how would ifconfig show that?
18:12 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:12 < krzie> ohh, i was assuming hes talking about from his server
18:12 < krzie> i see what you meant =]
18:14 < ruied> krzie, checking...
18:21 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has quit [Ping timeout: 260 seconds]
18:22 -!- RedT0mt0m [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has quit [Remote host closed the connection]
18:23 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has joined ##openvpn
18:39 -!- RedT0mt0m [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has joined ##openvpn
18:40 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
18:50 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
19:02 -!- kish [~o2@unaffiliated/spice] has quit [Ping timeout: 264 seconds]
19:04 -!- kish [~o2@unaffiliated/spice] has joined ##openvpn
20:05 < krzie> god i love openvpn
20:06 < krzie> makes my life so much easier sometimes
20:09 -!- theDoc [~jaki@173.236.41.34] has joined ##openvpn
20:09 -!- theDoc [~jaki@173.236.41.34] has quit [Changing host]
20:09 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:11 -!- sparkymarkd [~mark@190.242.32.10] has joined ##openvpn
20:14 -!- sparkymarkd [~mark@190.242.32.10] has quit [Remote host closed the connection]
21:04 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
21:46 < tjz> krzie, how come?
21:47 < tjz> :D :D
21:48 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
22:19 -!- dazo_afk [~dazo@nat/redhat/x-pfdongmzktsdnycy] has quit [Ping timeout: 276 seconds]
22:20 -!- dazo_afk [~dazo@nat/redhat/x-nqmbonbactwsgsaz] has joined ##openvpn
22:20 -!- dazo_afk is now known as Guest94271
22:38 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
23:06 -!- OldMonk [~raju@122.161.124.180] has joined ##openvpn
23:07 < OldMonk> hi.  given a number of signed certs distributed among a number of clients, is it possible to tell the openvpn server to only accept connections from specific CNs?
23:12 < OldMonk> !welcome
23:12 < vpnHelper> OldMonk: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:12 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has quit [Ping timeout: 265 seconds]
23:26 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
23:30 < creack> is it possible to use bridge vpn on osx?
23:41 -!- OldMonk [~raju@122.161.124.180] has quit [Quit: leaving]
--- Day changed Wed Jun 30 2010
00:05 -!- takamichi [~pri@78.133.33.203] has joined ##openvpn
00:20 -!- arosen1 [~arosen@c-174-56-133-172.hsd1.sc.comcast.net] has quit [Ping timeout: 245 seconds]
00:34 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
00:35 -!- AndreU [~AndreU@g224245254.adsl.alicedsl.de] has joined ##openvpn
00:36 -!- AndreU [~AndreU@g224245254.adsl.alicedsl.de] has left ##openvpn []
00:53 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
00:54 -!- mode/##openvpn [+o mattock] by ChanServ
00:58 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:02 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Ping timeout: 265 seconds]
01:35 -!- Guest94271 is now known as dazo
01:57 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
02:34 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:35 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
02:41 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
02:59 < macsppadic> morning all 
02:59 -!- ruied [~ruied@bl14-234-232.dsl.telepac.pt] has quit [Ping timeout: 245 seconds]
03:07 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
03:12 -!- ruied [~ruied@89.214.246.13] has joined ##openvpn
03:14 -!- krzee [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
03:15 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
03:32 -!- krzee [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
03:46 -!- ruied [~ruied@89.214.246.13] has quit [Ping timeout: 240 seconds]
03:46 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has quit [Read error: Operation timed out]
03:47 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
03:49 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has joined ##openvpn
04:03 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
04:06 -!- krzee [nobody@unaffiliated/krzee] has quit [Excess Flood]
04:07 -!- ruied [~ruied@188.140.15.150] has joined ##openvpn
04:16 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Ping timeout: 252 seconds]
04:20 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
04:29 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
04:29 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
04:37 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Ping timeout: 276 seconds]
04:58 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:17 < kish> the vpn instance draws a lot of cpu power simply when its forging packets
05:17 < kish> no encryption necessary for that
05:17 < kish> im on an atom but it's stilll unacceptable
05:22 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
05:23 < Bushmills> compression too
05:23 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
05:23 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
05:24 < Bushmills> i'm on atom as well, but find it acceptable
05:28 -!- geemee [~ocs@mailhost.exterity.com] has joined ##openvpn
05:30 -!- geemee [~ocs@mailhost.exterity.com] has quit [Remote host closed the connection]
05:45 -!- rawDawg2 [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
05:48 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Ping timeout: 260 seconds]
06:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:08 < kish> i was sure to disable compression
06:10 < Bushmills> i'm running all my internet traffic through openvpn, with an atom based machine on my side
06:11 < kish> i run my wireless traffic over it
06:11 < kish> on an unencrypted wlan network
06:12 < kish> have you ever got rc4 to work with openvpn
06:12 < kish> i think a block cipher is too much security for this crap
06:13 < kish> would want something less cpu intensive
06:13 < Bushmills> never tried - i'm using blowfish
06:15 -!- rawDawg2 [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
06:17 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
06:18 < kish> !cipher
06:18 < vpnHelper> kish: Error: "cipher" is not a valid command.
06:19 -!- dazo [~dazo@nat/redhat/x-nqmbonbactwsgsaz] has quit [Read error: Connection reset by peer]
06:21 -!- dazo [~dazo@nat/redhat/x-blctpzojrtodvqpm] has joined ##openvpn
06:27 -!- dazo [~dazo@nat/redhat/x-blctpzojrtodvqpm] has quit [Read error: Connection reset by peer]
06:28 -!- dazo [~dazo@nat/redhat/x-oujloxioxzanaezs] has joined ##openvpn
06:36 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
06:40 -!- dazo [~dazo@nat/redhat/x-oujloxioxzanaezs] has quit [Read error: Connection reset by peer]
06:41 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
06:41 -!- dazo [~dazo@nat/redhat/x-qspbfqhhsezygbnc] has joined ##openvpn
06:49 -!- dazo [~dazo@nat/redhat/x-qspbfqhhsezygbnc] has quit [Read error: Connection reset by peer]
06:49 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
06:50 -!- dazo [~dazo@nat/redhat/x-erbgnwvbqwoywqqp] has joined ##openvpn
06:50 -!- macsppadic_ [~sonupunno@88.211.55.77] has joined ##openvpn
06:50 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Read error: Connection reset by peer]
06:50 -!- macsppadic_ is now known as macsppadic
06:50 -!- dazo is now known as Guest67998
06:52 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Read error: No route to host]
06:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
06:54 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
06:54 -!- Guest67998 is now known as dazo
06:59 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
06:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:01 -!- dazo [~dazo@nat/redhat/x-erbgnwvbqwoywqqp] has quit [Read error: Connection reset by peer]
07:01 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
07:02 -!- dazo [~dazo@nat/redhat/x-blvknqdabitcbnad] has joined ##openvpn
07:04 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
07:14 -!- dazo [~dazo@nat/redhat/x-blvknqdabitcbnad] has quit [Read error: Connection reset by peer]
07:20 -!- dazo [~dazo@nat/redhat/x-uahnbudavviiigot] has joined ##openvpn
07:21 -!- dazo [~dazo@nat/redhat/x-uahnbudavviiigot] has quit [Read error: Connection reset by peer]
07:22 -!- dazo [~dazo@nat/redhat/x-vbzpcuxiwinzwiza] has joined ##openvpn
07:30 -!- dazo [~dazo@nat/redhat/x-vbzpcuxiwinzwiza] has quit [Write error: Connection reset by peer]
07:32 -!- dazo [~dazo@nat/redhat/x-syopcgtomkelbjeg] has joined ##openvpn
07:38 -!- dazo [~dazo@nat/redhat/x-syopcgtomkelbjeg] has quit [Read error: Connection reset by peer]
07:39 -!- dazo [~dazo@nat/redhat/x-dbfcybqgnkontvst] has joined ##openvpn
07:42 -!- dazo [~dazo@nat/redhat/x-dbfcybqgnkontvst] has quit [Read error: Connection reset by peer]
07:43 -!- dazo [~dazo@nat/redhat/x-gpkodtsjtkxlycwq] has joined ##openvpn
07:43 -!- motd2k [~motd2k@87-194-148-242.bethere.co.uk] has joined ##openvpn
07:43 -!- motd2k [~motd2k@87-194-148-242.bethere.co.uk] has quit [Changing host]
07:43 -!- motd2k [~motd2k@xbmc/staff/motd2k] has joined ##openvpn
07:44 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has joined ##openvpn
07:46 -!- dazo [~dazo@nat/redhat/x-gpkodtsjtkxlycwq] has quit [Read error: Connection reset by peer]
07:47 -!- dazo [~dazo@nat/redhat/x-kzlsmcsizlgbcded] has joined ##openvpn
07:47 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
07:50 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:52 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit [Ping timeout: 248 seconds]
07:54 -!- dazo [~dazo@nat/redhat/x-kzlsmcsizlgbcded] has quit [Read error: Connection reset by peer]
07:55 -!- dazo [~dazo@nat/redhat/x-ybnpvzhjmdsbydrc] has joined ##openvpn
07:56 -!- dazo [~dazo@nat/redhat/x-ybnpvzhjmdsbydrc] has quit [Read error: Connection reset by peer]
07:57 -!- dazo [~dazo@nat/redhat/x-ikgyfsnujtodgijz] has joined ##openvpn
08:00 -!- dazo [~dazo@nat/redhat/x-ikgyfsnujtodgijz] has quit [Read error: Connection reset by peer]
08:01 -!- dazo [~dazo@nat/redhat/x-bcyxomcwxctaymdb] has joined ##openvpn
08:02 < ecrist> problems, dazo?
08:03 < dazo> ecrist: yeah, might be some nasty troubles with the ISP connection at the office ... I dunno, trying to find people who might know, 
08:04 < dazo> ecrist: but the problems are only against FreeNode ... OFTC is stable (even though I had one disconnect there)
08:04 < dazo> (FreeNode staff claims their services are stable)
08:05 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
08:06 < ecrist> sounds like something they'd say
08:06 < Bushmills> it is here
08:06 < ecrist> the last couple years, efnet is more stable than freenode
08:07 -!- dazo [~dazo@nat/redhat/x-bcyxomcwxctaymdb] has quit [Read error: Connection reset by peer]
08:08 -!- dazo [~dazo@nat/redhat/x-yxgpryostbxpyekl] has joined ##openvpn
08:09 -!- dazo [~dazo@nat/redhat/x-yxgpryostbxpyekl] has quit [Read error: Connection reset by peer]
08:09 -!- dazo [~dazo@nat/redhat/x-uyykcunormuxcxuh] has joined ##openvpn
08:10 -!- dazo [~dazo@nat/redhat/x-uyykcunormuxcxuh] has quit [Read error: Connection reset by peer]
08:16 -!- motd2k [~motd2k@xbmc/staff/motd2k] has quit [Remote host closed the connection]
08:16 -!- motd2k [~motd2k@78.129.221.81] has joined ##openvpn
08:16 -!- motd2k [~motd2k@78.129.221.81] has quit [Changing host]
08:16 -!- motd2k [~motd2k@xbmc/staff/motd2k] has joined ##openvpn
08:16 -!- motd2k [~motd2k@xbmc/staff/motd2k] has quit [Remote host closed the connection]
08:20 -!- motd2k [~motd2k@87-194-148-242.bethere.co.uk] has joined ##openvpn
08:20 -!- motd2k [~motd2k@87-194-148-242.bethere.co.uk] has quit [Changing host]
08:20 -!- motd2k [~motd2k@xbmc/staff/motd2k] has joined ##openvpn
08:23 -!- renihs [~lemming@83-65-34-34.arsenal.xdsl-line.inode.at] has joined ##openvpn
08:24 < renihs> hmm i have a win7 box here which and umts usb modem thingie which refuses to add the routes (requires elevated priviliges), this is 2.1-rc19 installed with compat mode to vista sp1 + administrator, and the openvpngui.exe is also run as administrator 
08:24 < renihs> it works on a few other win7 boxes without issues (same install procedure), the only difference, this is a enterprise edition of win7
08:25 < renihs> does anybody have a hint were to dig that it does not allow route addings? could this be because of the usb umts modem?
08:26 < kish> I can't find CA.pl anywhere
08:26 < kish> but I have the manuals for it ;/
08:27 < Bushmills> renihs: it could be because of usb umts modem
08:27 < renihs> Bushmills, :( i was afraid of that since it works anywere else hmm
08:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
08:28 < Bushmills> i can't tell you why, or how. but i can tell you that it is possible.
08:28 < Bushmills> same happens with my umts modem connection
08:28 < renihs> is there any setting i could adjust to allow this? i think i required to declare this modem as a "public network" according to manual
08:28 < renihs> maybe that is what is interfering
08:29 < Bushmills> connecting to internet through wlan or wire sets routes on client, through umts doesn't
08:29 < renihs> but i am pretty clueless about windows, especially about win7
08:29 < Bushmills> only, i don't use windows
08:29 < renihs> same :(
08:29 < renihs> hmmm will test a thing or 2
08:30 < Bushmills> well, no big issue. redirecting traffic is just a matter of setting a server host route, and a new default route 
08:32 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:37 < renihs> you mean manually add a route afterwards?
08:37 < renihs> or the routes that should be pushed in first place i mean
08:37 < WormFood> awesome. I just wrote my first connect/disconnect script for openvpn, to record my user's times and bandwidth used....I should have done this months ago....really simple stuff
08:39 < renihs> i doubt that works, since "quick work around for this under windows is to use --route-method exe" 
08:39 < renihs> which i already use
08:43 < Bushmills> renihs: yes, that's what i do when connecting using umts. well, not really manuall, but a script which is executed, adding the necessary routes
08:45 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
08:49 < renihs> hmmm
08:49 < renihs> Bushmills, will try that soon, but thats exactly what --route-method exe is supposed to be i thought
08:51 < Bushmills> route add server ppp0; route add default gw vpnserver   # executed from script
08:52 < renihs> hmm will give that a shot
08:52 < Bushmills> using a script, executed during boot, looking at usb ids, and connecting usb modem when found, anyway
08:52 < Bushmills> therefore i merely had to add these commands to modify routing table in the same conditional section
08:53 < renihs> sounds more complex than i have in mind :)
08:54 < Bushmills> i suppose you don't need the automagical modem detection to decide how to connect to the net - this is on a mobile device which is also used at home location
08:54 < Bushmills> booting with modem inserted or removed determines its network configuration
08:55 < renihs> hmm even when i manually open a cli, and try to add the route it says it requires elevated priviliges
08:55 < renihs> any route btw
08:55 < renihs> i am logged in with an admin account...odd
08:55 < Bushmills> well, yes. a non-admin user can't change routes 
08:56 < renihs> y, but i am a admin user....
08:56 < renihs> according to my account (administrator)
08:56 < Bushmills> well, that probably something windows specific. i have no idea about that
08:56 < renihs> y
08:57  * Bushmills googles for that funny term "Windows"
09:00 < renihs> hmm debugging...
09:00 < renihs> seems like uac is interfering
09:00 < renihs> will turn that off
09:08 < kish> i know there is a nice freebsd program that manages certificates for you
09:08 < kish> do you happen to know the name of this util
09:08 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
09:16 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 248 seconds]
09:24 < renihs> y uac was the cause
09:24 < renihs> i disabled it -> no change -> after reboot it worked
09:27 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
09:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
09:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:36 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has joined ##openvpn
09:40 < kish> Port:   ssl-admin-1.0.3
09:40 < kish> Path:   /usr/ports/security/ssl-admin
09:40 < kish> Info:   OpenSSL certificate manager with OpenVPN support.
09:40 < kish> Maint:  ecrist@secure-computing.net
09:40 < kish> found it!
09:42 < ecrist> :)
09:46 < theDoc> Man, I took like 3 dumps today.
09:46 < theDoc> :\
09:49 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Ping timeout: 276 seconds]
09:52 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
10:01 < ecrist> kish, let me know if you run into any issues, or would like additional functionality
10:02 < kish> sure ecrist 
10:08 -!- buntfalke [~nobody@faui02.informatik.uni-erlangen.de] has joined ##openvpn
10:09 -!- buntfalke [~nobody@faui02.informatik.uni-erlangen.de] has quit [Changing host]
10:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:18 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
10:30 -!- brah [~asdofp@190.183.62.68] has joined ##openvpn
10:33 -!- mape2k [~mape2k@h251.fem.tu-ilmenau.de] has joined ##openvpn
10:36 < kish> string is too long, it needs to be less than  2 bytes long
10:36 < kish> what's that caused by? 
10:37 < ecrist> no idea.  where/how do you see that?
10:37  * ecrist looks
10:38 < ecrist> I'm guessing you have COUNTRY_NAME longer than two characters
10:38 < ecrist> countryName                     = Country Name (2 letter code)
10:42 < kish> my openssl.cnf sucks
10:48 < kish> nah, i always get this
10:48 < kish> dont know what im doing wrong
10:55 -!- brah [~asdofp@190.183.62.68] has quit [Remote host closed the connection]
11:11 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
11:15 < kish> easy-rsa doesnt really run on bsd at all ;(
11:15 < kish> it works on linux though :D
11:18 -!- dazo is now known as dazo_afk
11:22 < ecrist> kish: it runs with bash
11:23 < kish> im pretty sure i compiled bash just for this occurence
11:27 < kish> bash: ./build-ca: /bin/bash: bad interpreter: No such file or directory
11:27 < kish> odd error
11:29 < ecrist> you need to correct the header to point to /usr/local/bin/bash
11:29 -!- mape2k [~mape2k@h251.fem.tu-ilmenau.de] has quit [Ping timeout: 260 seconds]
11:30 -!- macsppadic [~sonupunno@88.211.55.77] has left ##openvpn []
11:55 < kish> holy crap ecrist! :)
11:58 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
12:25 < kish> shit
12:25 < kish> source ./vars fails 
12:27 -!- kish [~o2@unaffiliated/spice] has quit [Quit: leaving]
12:28 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
12:28 -!- RedT0mt0m [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has quit [Read error: Connection reset by peer]
12:28 -!- RedT0mt0m [~tomtom@82.227.110.8] has joined ##openvpn
12:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
12:41 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
12:43 -!- Rolybrau [~Rolybrau@86-150.3-85.cust.bluewin.ch] has joined ##openvpn
12:44 -!- Rolybrau [~Rolybrau@86-150.3-85.cust.bluewin.ch] has quit [Changing host]
12:44 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
12:45 -!- Buggaboo [~Buggaboo@535316B2.cable.casema.nl] has joined ##openvpn
13:39 -!- takamichi [~pri@78.133.33.203] has quit [Ping timeout: 240 seconds]
13:39 -!- takamichi [~pri@78.133.36.129] has joined ##openvpn
13:51 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
13:52 -!- takamichi [~pri@78.133.36.129] has quit [Ping timeout: 240 seconds]
13:58 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
14:32 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: Leaving]
14:40 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:45 -!- Buggaboo [~Buggaboo@535316B2.cable.casema.nl] has quit [Remote host closed the connection]
14:45 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
15:16 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Remote host closed the connection]
15:34 -!- gorkhaan_ [~gorkhaan@adsl-101-10.globonet.hu] has joined ##openvpn
15:36 -!- gorkhaan_ [~gorkhaan@adsl-101-10.globonet.hu] has quit [Client Quit]
15:36 -!- gorkhaan [~gorkhaan@adsl-101-10.globonet.hu] has joined ##openvpn
15:47 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-uzgaqsrcpnppeody] has joined ##openvpn
15:48 < HoboSteaux> i have a really simple issue: i need to make more client certificates, but the vpn is run off of an embedded device. is there a simple way of doing this?
15:59 < Bushmills> yes. create certs on a different machine
15:59 < Bushmills> making those is not related to the machine openvpn runs on
15:59 < HoboSteaux> wont they be different cers then though?
16:00 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
16:00 < HoboSteaux> [not associated with the server crts]
16:00 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Remote host closed the connection]
16:10 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
16:39 -!- ruied [~ruied@188.140.15.150] has quit [Ping timeout: 260 seconds]
17:01 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
17:02 -!- zamba [marius@flage.org] has quit [Ping timeout: 245 seconds]
17:04 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
17:06 -!- Netsplit *.net <-> *.split quits: kloeri, Chosi
17:08 -!- Netsplit over, joins: kloeri, Chosi
17:16 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
17:21 -!- fremo__ [~fremo@noc.toile-libre.net] has quit [Read error: No route to host]
17:27 -!- fremo__ [~fremo@noc.toile-libre.net] has joined ##openvpn
17:36 -!- fremo__ [~fremo@noc.toile-libre.net] has quit [Read error: No route to host]
17:49 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
18:03 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
18:07 -!- Perun_ [~perun@2001:6f8:1316:1234:216:3eff:fe05:3160] has quit [Read error: Operation timed out]
18:09 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
18:10 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 260 seconds]
18:17 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
18:20 -!- Perun_ [~perun@2001:6f8:1316:1234:216:3eff:fe05:3160] has joined ##openvpn
18:22 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
18:27 -!- Perun_ [~perun@2001:6f8:1316:1234:216:3eff:fe05:3160] has quit [Read error: Operation timed out]
18:30 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 248 seconds]
18:41 -!- Perun_ [~perun@2001:6f8:1316:1234:216:3eff:fe05:3160] has joined ##openvpn
18:42 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
19:15 -!- disco- [disco@andromeda.h4xed.com] has quit [Ping timeout: 240 seconds]
19:30 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 264 seconds]
--- Log opened Wed Jun 30 19:34:18 2010
19:34 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
19:34 -!- Irssi: ##openvpn: Total of 80 nicks [2 ops, 0 halfops, 0 voices, 78 normal]
--- Log closed Wed Jun 30 19:34:20 2010
--- Log opened Wed Jun 30 19:41:59 2010
19:41 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
19:41 -!- Irssi: ##openvpn: Total of 80 nicks [2 ops, 0 halfops, 0 voices, 78 normal]
19:42 -!- Irssi: Join to ##openvpn was synced in 34 secs
19:59 -!- disco-_ [disco@andromeda.h4xed.com] has joined ##openvpn
20:00 -!- disco- [disco@andromeda.h4xed.com] has quit [Ping timeout: 260 seconds]
20:02 -!- motd2k_ [~motd2k@xbmc/staff/motd2k] has joined ##openvpn
20:02 -!- disco- [disco@andromeda.h4xed.com] has joined ##openvpn
20:03 -!- disco-_ [disco@andromeda.h4xed.com] has quit [Ping timeout: 260 seconds]
20:04 -!- motd2k [~motd2k@xbmc/staff/motd2k] has quit [Ping timeout: 265 seconds]
20:04 -!- motd2k_ is now known as motd2k
20:05 -!- zamba [marius@flage.org] has joined ##openvpn
20:08 -!- motd2k_ [~motd2k@xbmc/staff/motd2k] has joined ##openvpn
20:09 -!- disco-_ [disco@andromeda.h4xed.com] has joined ##openvpn
20:10 -!- disco- [disco@andromeda.h4xed.com] has quit [Ping timeout: 276 seconds]
20:10 -!- motd2k [~motd2k@xbmc/staff/motd2k] has quit [Ping timeout: 264 seconds]
20:10 -!- motd2k_ is now known as motd2k
20:12 -!- theDoc [~jaki@173.236.41.36] has joined ##openvpn
20:12 -!- theDoc [~jaki@173.236.41.36] has quit [Changing host]
20:12 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:12 -!- disco- [disco@andromeda.h4xed.com] has joined ##openvpn
20:14 -!- disco- [disco@andromeda.h4xed.com] has quit [Read error: Operation timed out]
20:16 -!- disco- [disco@andromeda.h4xed.com] has joined ##openvpn
20:16 -!- disco-_ [disco@andromeda.h4xed.com] has quit [Ping timeout: 276 seconds]
20:20 -!- disco-_ [disco@andromeda.h4xed.com] has joined ##openvpn
20:20 -!- disco- [disco@andromeda.h4xed.com] has quit [Ping timeout: 265 seconds]
21:13 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
21:14 -!- meepmeep [meepmeep@212.24.104.229] has quit [Ping timeout: 260 seconds]
21:16 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
21:35 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
21:37 < WormFood> I wrote a little script to record user's connection stats...connect time, ip, duration, bandwidth used....it is VERY SIMPLE, but works well...if anyone wants a copy, let me know.
22:38 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
22:57 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
23:38 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
23:55 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
--- Day changed Thu Jul 01 2010
00:42 -!- rawDawg2 [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
00:42 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
00:44 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 260 seconds]
00:46 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
01:03 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
01:06 -!- rawDawg2 [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Ping timeout: 260 seconds]
01:06 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
01:15 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:37 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
01:58 -!- _zero__ [~zero@noc.toile-libre.net] has quit [Ping timeout: 260 seconds]
02:02 -!- Netsplit *.net <-> *.split quits: havoc, julius, hyper_ch, circut, dazo_afk, Sky[x], fbh, DarthGandalf
02:04 -!- Netsplit over, joins: hyper_ch, Sky[x], dazo_afk, havoc, julius, fbh, circut, DarthGandalf
02:11 -!- fremo__ [~fremo@noc.toile-libre.net] has joined ##openvpn
02:12 -!- dazo_afk is now known as dazo
02:16 -!- fremo__ [~fremo@noc.toile-libre.net] has quit [Ping timeout: 260 seconds]
02:32 -!- _zero_ [~zero@noc.toile-libre.net] has joined ##openvpn
02:34 < kisom> having asterisk call my cellphone is the best wake-up-call ever
02:34 < kisom> "Sorry i'm late"
02:34 < kisom> "what happened?"
02:34 < kisom> "server had a kernel panic"
02:35 < theDoc> What? :o
02:36 < hyper_ch> IF the cellphone still is charged
02:36 < kisom> my phone survives 48+ hours connected to the wifi. fyi.
02:36 < kisom> if it just idles
02:36 -!- _zero_ [~zero@noc.toile-libre.net] has quit [Ping timeout: 265 seconds]
02:36 < theDoc> How is wifi pronounced?
02:37 < hyper_ch> so?
02:37 < hyper_ch> if you don't charge it for 48+ h
02:37 < hyper_ch> then the asterisk call won't be any help
02:43 < kisom> the problem was on the server side ;)
02:44 < kisom> phone was up and tried to register, but failed as the server was down
02:45 < hyper_ch> have you tried freeswitch?
02:49 < kisom> how is freeswitch gonna prevent a kernel panic?
02:49 < kisom> the RAM is faulty
02:49 < theDoc> kisom> applications don't prevent kernel panics if the ram is bad.
02:49 < theDoc> You just can't.
02:49 < kisom> well something is wrong with the hardware
02:50 < kisom> well nvm
02:57 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:02 -!- fremo__ [~fremo@noc.toile-libre.net] has joined ##openvpn
03:02 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
03:06 -!- fremo__ [~fremo@noc.toile-libre.net] has quit [Ping timeout: 252 seconds]
03:08 -!- cp7 [nebula@75-54-230-125.lightspeed.sntcca.sbcglobal.net] has joined ##openvpn
03:14 -!- dazo_ [~dazo@nat/redhat/x-yzpkubzpfdccecel] has joined ##openvpn
03:14 -!- dazo is now known as Guest24620
03:15 -!- dazo_ is now known as dazo
03:16 -!- kish [~o2@unaffiliated/spice] has joined ##openvpn
03:17 < kish> hi
03:17 < kish> i got an issue where the certs and keys are all set
03:17 < kish> and the configuration files all look normal 
03:17 < kish> and both connections initialize
03:17 < kish> but no tun device is opened
03:17 < kish> no ip is assigned
03:20 < dazo> kish: sounds like privilege stuff ... missing root/admin privileges
03:23 -!- Guest24620 [~dazo@scarydevilmonastery.net] has quit [Quit: Leaving IRC - dircproxy 1.0.5]
03:25 < kish> okay, that's fixed. 
03:30 < kish> !ip
03:30 < vpnHelper> kish: Error: "ip" is not a valid command.
03:32 < kisom> kish: enable more verb and check the logs ;)
03:34 < kish> narrowed it down to pull options
03:34 < kish> need to push some ip settings
03:35 < kish> ]/usr/share/doc/openvpn-2.1.1/sample-config-files
03:35 < kish> those are great, btw
03:44 < kish> think it works now
03:45 -!- kish [~o2@unaffiliated/spice] has left ##openvpn []
03:45 -!- kish [~o2@unaffiliated/spice] has joined ##openvpn
03:50 < kish>   you happen to know if the cipher keys are transmitted over the tls channel
03:51 -!- ruied [~ruied@89.180.240.144] has joined ##openvpn
03:53 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
03:56 -!- ruied [~ruied@89.180.240.144] has quit [Ping timeout: 245 seconds]
04:00 < kish> found it
04:03 < dazo> kish: there are several keys involved when using TLS ... the whole SSL/TLS key exchange process is pretty hefty, so it's not a simple answer to it
04:04 < dazo> kish: but basically, the client and server negotiates a symmetric encryption key.  This key is not transferred directly, but parts of keying material is sent over the connection and the "missing pieces" are calculated to get the needed encryption key
04:05 < dazo> kish: the initial traffic is then encrypted using the private and public keys, and that generates the basis for the keying material used for the symmetric encryption key
04:10 -!- ruied [~ruied@89.180.240.144] has joined ##openvpn
04:12 < kish> it sure is hefty :)
04:17 -!- _zero_ [~zero@noc.toile-libre.net] has joined ##openvpn
04:22 -!- _zero_ [~zero@noc.toile-libre.net] has quit [Ping timeout: 260 seconds]
04:40 -!- misterioz [~zoki@80.77.144.66] has joined ##openvpn
04:40 < misterioz> hi everyone
04:40 < misterioz> I need some help here
04:41 < misterioz> I have vpn tunnel that is already configured and is working fine
04:41 < misterioz> but now that I want to add another network with push route in the server.conf
04:41 < misterioz> it's not working
04:44 < misterioz> do you have any idea what can be the problem
04:45 < theDoc> Let me get in touch with my spiritual medium first, I'll get back to you once I manage to get hold of your configs via psychic transmission. ;)
04:47 -!- _zero_ [~zero@noc.toile-libre.net] has joined ##openvpn
04:52 -!- _zero_ [~zero@noc.toile-libre.net] has quit [Remote host closed the connection]
04:52 < misterioz> theDoc: :D
04:53 < misterioz> I was thinking to put them somewhere but I got too deep that I forgot
04:58 -!- fremo__ [~fremo@noc.toile-libre.net] has joined ##openvpn
04:58 -!- _zero_ [~zero@noc.toile-libre.net] has joined ##openvpn
05:00 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 260 seconds]
05:02 -!- misterioz [~zoki@80.77.144.66] has quit [Remote host closed the connection]
05:10 -!- gorkhaan [~gorkhaan@adsl-101-10.globonet.hu] has quit [Remote host closed the connection]
05:19 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:59 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
06:07 -!- theDoc [~jaki@173.236.41.38] has joined ##openvpn
06:07 -!- theDoc [~jaki@173.236.41.38] has quit [Changing host]
06:07 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
06:21 -!- ruied [~ruied@89.180.240.144] has quit [Ping timeout: 240 seconds]
07:04 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
07:05 -!- takamichi [~pri@78.133.38.201] has joined ##openvpn
07:36 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
07:38 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: Leaving]
08:07 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
08:08 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has quit [Quit: Leaving.]
08:10 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
08:14 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
08:16 -!- blueboxthief [~None_of_y@86-45-82-222-dynamic.b-ras2.srl.dublin.eircom.net] has joined ##openvpn
08:22 -!- henk [~henk@netwichtig.de] has joined ##openvpn
08:23 < henk> hi, i am currently debugging a problem with our openvpn. the problem probably is that no more ip addresses are available. i cannot find any ifconfig directives in the server config. is there a default? how do i tell what addresses openvpn will use?
08:24 < henk> d'uh nvm, found the 'server' directive.
08:25 < krzie> also see
08:25 < krzie> !/30
08:25 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
08:25 < krzie> !topology
08:25 < vpnHelper> krzie: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
08:26 < henk> krzie: yup, will probably have to do something like that. thanks :)
08:26 < krzie> np
08:33 -!- macsppadic_ [~sonupunno@88.211.46.105] has joined ##openvpn
08:33 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
08:35 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Ping timeout: 260 seconds]
08:35 -!- macsppadic_ is now known as macsppadic
08:39 -!- macsppadic [~sonupunno@88.211.46.105] has quit [Ping timeout: 240 seconds]
08:45 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
09:07 -!- anebi1 [~anebi@91.207.191.17] has joined ##openvpn
09:11 < anebi1> hi, we have installed openvpn and we have created a bridge. the problem is that when one of our users is at his home, his computer gets its ip address. from another network (the router at his office). what we want to is that his laptop to get ip address from dhcp at home, not from office. we don't want the internet traffic to go thru vpn and go out thru other network. we have this configuration on server side: http://pastebin.org/370328
09:11 < anebi1> how can i block thoses dhcp requests that go thru vpn?
09:11 -!- flok420 [folkert@keetweej.vanheusden.com] has left ##openvpn []
09:28 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
09:28 -!- krzie [~k@unaffiliated/krzee] has quit [Ping timeout: 276 seconds]
09:34 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
09:37 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has joined ##openvpn
09:40 < henk> i have a little understanding problem: i have an openvpn server and would like to have two vpns there. one for just being able to get into our internal network, the other is supposed to route all client traffic through the vpn, by setting /1 routes or setting a new default gateway. any hints what directives are important for that? Is There More Than One Way To Do It?
09:40 -!- anebi1 [~anebi@91.207.191.17] has left ##openvpn []
09:40 < havoc> there's more than one way to do everything :)
09:40 < havoc> I do the same thing on three diff servers
09:41 < henk> might be true... but i didn't even found _one_ way to slam a revolving door shut :-/
09:41 < havoc> I use TAP instead of TUN
09:41 < henk> but seriously: can you name the directives relevant for that behaviour?
09:42 < havoc> I use diff subnets for each ovpn server, each running on diff ports
09:42 < havoc> on the redir one the real diff is in the client config
09:42 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
09:43 < havoc> the other difference is on the server machine itself; for redir gw you need to MASQ the Net iface to the VPN
09:44 < havoc> I run 2 ovpns, tcp:443 and udp:1194
09:44 < havoc> I also do port sharing on tcp:443, but that's another story altogether
09:45 < havoc> otherwise there's no real difference between the two server configs other than the port
09:46 < havoc> the diff in the client configs is "redirect-gateway def1" and "route-gateway dhcp" in the redir conf
09:46 < havoc> but it won't work unless you MASQ/share the Net on the host server w/ the VPN clients
09:47 < krzee> !tcp
09:47 < vpnHelper> krzee: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
09:47 < krzee> (for me)
09:47 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
09:48 < havoc> krzee: yeah, except I'm sharing w/ https
09:48 < havoc> so a *little* different
09:49 < havoc> plus the redirgw stuff over tcp:443 is because tcp:443 and tcp:80 are usually the only ports open some of the places my users need access
09:49 < havoc> henk: basically you need to read, try stuff, and be *patient* ;)
09:49 -!- nesta [atsen@x.computer.st] has joined ##openvpn
09:49 < nesta> :)
09:50 < havoc> henk: and don't forget to MASQ/share the Net connection!
09:50 < krzee> havoc, that was actually for me to paste to nesta
09:50 < krzee> just so happens you mentioned tcp prior ;]
09:50 < havoc> krzee: heh, ok :)
09:51 < henk> redirect-gateway could be what i am looking for...
09:51 < henk> havoc: thanks for the info so far, i guess i'll be back tomorrow ;)
09:51 < havoc> henk: good luck :)
09:52 < henk> thanks
09:52 < henk> ah another thing: if i have >1 vpn configs on my server, do they need different ports or ips or can they run on the same port/ip?
09:53 < havoc> henk: a ovpn server can only listen on *one* port:ip
09:53 < havoc> henk: so I have mine on same IP, diff ports
09:54 < havoc> henk: I'd suggest udp:1194 and udp:1195 (the 1195 for redir-gw) to start, tweak later
09:54 < henk> ok, good :) that explains a lot. thanks
09:55 < havoc> *if* you were to use tcp instead of udp there are other issues to address
09:55 < henk> nope, udp
09:55 < havoc> but it will be much easier getting it working on udp first
09:55 < havoc> ok
09:55 < |Mike|> lies! :p
09:55 < havoc> as I said, I'm pretty much forced to use tcp:443
09:55 < havoc> stupid hotels :(
09:57 < henk> had that problem in my school due to an ms isa proxy... using openvpn i could give all pupils in my class uncensored internet :-p
09:57 < |Mike|> i always abuse a ssh tunnel at hotels :)
09:57 < |Mike|> ssh -D 9999 username@box
09:57 < |Mike|> and use it as a proxy :-)
09:57 < havoc> |Mike|: that's great if *anything* other than tcp:80 and tcp:443 are open :(
09:58 < henk> works for tcp:443
09:58 < |Mike|> indeed henk :P
09:58 < havoc> tcp 443 and 80 have been open everywhere we've used it, so far so good
09:58 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
09:59 < henk> an observing admin will notice it anyway. no http (not even https) connection will stay open longer than a few seconds or minutes...
09:59 < henk> but, i gotta go... cu
09:59 < |Mike|> I basicly hate admins which have such kind of firewalls
09:59 < havoc> henk: not usually an issue in hotels :)
09:59 < |Mike|> ltr henk
09:59 < henk> just /away, my nick stays ;)
09:59 < havoc> henk: later :)
09:59 < henk> havoc: ack 'g'
10:00 < |Mike|> altho, my private box also firewalls outside gong traffic :)
10:00 < havoc> I'm setting up a new deb amd64 box w/ proxmox, it's gonna have a VM just to listen/accept ssh on all ports
10:00 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
10:00 < havoc> probably setup DNS tunneling too
10:00 -!- macsppadic is now known as twomtstenmtstwoh
10:01 < krzee> for the dns tunneling, allow me to recommend iodine
10:01 < |Mike|> proxmox = ?
10:01 < krzee> also, you will like my iodine routing script
10:01 < krzee> !google krzee iodine
10:01 < vpnHelper> krzee: NStun.sh - DoesHosting.com - Nobody Does Hosting Better: <http://www.doeshosting.com/code/NStun.sh>; TipsAndTricks – iodine: <http://dev.kryo.se/iodine/wiki/TipsAndTricks>; iodine: <http://dev.kryo.se/iodine>
10:02 < krzee> there ya goes
10:02 < havoc> |Mike|: http://pve.proxmox.com/wiki/Main_Page
10:02 < vpnHelper> Title: Proxmox VE (at pve.proxmox.com)
10:02 < |Mike|> i'm on hsdpa
10:02 < havoc> basically KVM + OpenVZ
10:02 < |Mike|> openvz... eeuwish!
10:02 < havoc> |Mike|: I use all KVM VMs on LVs
10:03 < havoc> but they have their own deb amd64 repo and kernels; very nice
10:03 -!- Perun_ [~perun@2001:6f8:1316:1234:216:3eff:fe05:3160] has quit [Ping timeout: 260 seconds]
10:03 < havoc> also, VZs are fine if used properly
10:03 < havoc> use kvm for production
10:03 < havoc> ...and LVs
10:05 < havoc> VZs are nice for test VMs
10:05 < havoc> but there are some things like Windows Servers that can only be KVM
10:05 < |Mike|> my internet is extreme laggy atm
10:05 < |Mike|> you're using the virtio drivers for windows yet ?
10:06 < havoc> |Mike|: I had older signed ones, but didn't have them for the new LVM
10:06 < havoc> ...new signed ones that is
10:06 < havoc> IDE and e1000 are fine so far
10:06 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
10:06 < |Mike|> hm
10:09 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-uzgaqsrcpnppeody] has left ##openvpn []
10:21 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
10:28 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Ping timeout: 264 seconds]
10:30 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Quit: leaving]
10:31 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 252 seconds]
10:31 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
10:46 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
10:48 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
10:56 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 265 seconds]
10:59 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
11:07 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Ping timeout: 260 seconds]
11:14 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
11:26 -!- twomtstenmtstwoh [~sonupunno@88.211.55.77] has quit [Quit: twomtstenmtstwoh]
11:33 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
11:38 -!- dazo is now known as dazo_afk
11:43 -!- geek [~killown@unaffiliated/geek] has joined ##openvpn
11:43 -!- killown [~killown@unaffiliated/killown] has quit [Ping timeout: 276 seconds]
11:43 -!- geek is now known as killown
11:43 -!- killown [~killown@unaffiliated/geek] has quit [Changing host]
11:43 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
11:52 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
11:52 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
11:53 -!- Otacon22 [~otacon22@93-36-100-124.ip59.fastwebnet.it] has joined ##openvpn
11:54 < Otacon22> Hi, i need to change my openvpn CLIENT configuration so that it adds as default gateway the openvpn server and keeps the old gateway for the connection to the openvpn server..
11:54 < Otacon22> i know that is possible to do that from the server adding the line push "redirect-gateway def1" on the server config
11:54 < Otacon22> but i want to do it on the client, without pushing from the server
11:54 < Otacon22> how can i do that?
11:56 -!- sppadicus [~IceChat7@87.112.52.48.plusnet.ptn-ag1.dyn.plus.net] has joined ##openvpn
11:58 < Bushmills> you can push "redirect-gateway def1" from server config
11:58 < Otacon22> I've just said that i don't want to do that
11:58 < Bushmills> keeps old default, but will be superceded by two /1 routes
11:59 < Otacon22> i want to set it from client
11:59 < Bushmills> ah. don't push it.
11:59 < Bushmills> simply redirect-gateway def1
11:59 < Bushmills> (n client config)
11:59 < Otacon22> i've tried but it doesn't work
11:59 -!- notbrien [~notbrien@h-66-134-169-56.nycmny83.static.covad.net] has joined ##openvpn
11:59 < Otacon22> when openvpn start it says that there is a missing parameter
12:00 < Otacon22> and it goes forward
12:00 < Bushmills> means an error in config
12:00 < Bushmills> fix it
12:04 -!- sppadicus [~IceChat7@87.112.52.48.plusnet.ptn-ag1.dyn.plus.net] has left ##openvpn []
12:29 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
12:29 -!- mode/##openvpn [+o mattock] by ChanServ
12:32 -!- chantra [~chantra@unaffiliated/chantra] has joined ##openvpn
12:36 -!- APTX_ [~APTX@phpBB/developer/APTX] has joined ##openvpn
12:38 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 260 seconds]
12:41 -!- dazo_afk is now known as dazo
13:09 -!- notbrien_ [~notbrien@h-66-134-169-56.nycmny83.static.covad.net] has joined ##openvpn
13:11 -!- notbrien [~notbrien@h-66-134-169-56.nycmny83.static.covad.net] has quit [Ping timeout: 240 seconds]
13:11 -!- notbrien_ is now known as notbrien
13:16 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
13:46 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
13:48 -!- WormFood [~wormfood@219.134.136.107] has quit [Ping timeout: 260 seconds]
14:01 -!- WormFood [~wormfood@219.134.136.82] has joined ##openvpn
14:01 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
14:11 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Remote host closed the connection]
14:19 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
14:20 < vpnHelper> Announcement from my owner (ecrist): #openvpn-devel http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git;a=rss;opt=--no-merges
14:36 -!- APTX_ is now known as APTX
14:49 -!- dazo is now known as dazo_afk
14:56 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit [Ping timeout: 248 seconds]
15:04 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
15:05 -!- motd2k [~motd2k@xbmc/staff/motd2k] has left ##openvpn []
15:08  * krzee hits vpnHelper for being unfaithful
15:12  * nesta holds vpnHelper down
15:20 -!- mudassar [~quassel@h85-8-0-70.static.se.alltele.net] has joined ##openvpn
15:20 -!- mudassar [~quassel@h85-8-0-70.static.se.alltele.net] has quit [Read error: Connection reset by peer]
15:54 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.6/20100625231939]]
16:19 -!- neoice [~neoice@thule.neoice.net] has joined ##openvpn
16:32 -!- ruied [~ruied@bl6-129-85.dsl.telepac.pt] has joined ##openvpn
16:35 -!- Saar_ [~Saar@216.156.80.182.ptr.us.xo.net] has joined ##openvpn
16:37 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has quit [Ping timeout: 260 seconds]
16:39 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:42 -!- Saar_ is now known as Saar
16:46 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
16:59 -!- takamichi [~pri@78.133.38.201] has quit [Ping timeout: 276 seconds]
17:00 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has joined ##openvpn
17:02 -!- notbrien [~notbrien@h-66-134-169-56.nycmny83.static.covad.net] has quit [Quit: notbrien]
17:02 < lazarus477> I have OpenVPN setup and working as server on linux and client on XP and Win7. I am now trying it out in client mode in Linux, starting openvpn from command line with a client.conf style setup.
17:03 < lazarus477> I get connected but then lose any ongoing network activities previously started, such as chat, web browsing and ssh sessions.
17:03 < lazarus477> I think it is because my routes are wrong, a hunch. Also I want to be able to push some DHCP options and as I read it in the docs I need to make an --up script.
17:04 < lazarus477> As I understand the --up script is a custom script not at all related to the typical ifup ifdown networking scripts in the OS?
17:05 < lazarus477> I have run openvpn in client mode in linux in the past but then I allways changed my routing table manually from the command line after connection. I was less capable back then.
17:05 < lazarus477> So any comments, tips or sugestions warmly welcome.
17:06  * ecrist reads the book of lazarus477 
17:06 < ecrist> lazarus477: i would suggest starting with !welcome, as mentioned in /topic
17:12 < lazarus477> !Welcome
17:12 < vpnHelper> lazarus477: "Welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:13 < lazarus477> !sample
17:13 < vpnHelper> lazarus477: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
17:14 < lazarus477> I should add that my vpn is not bridged and runs over UDP.
17:15 < lazarus477> Also I have setup static route on the router at the VPN server end.
17:16 < lazarus477> Firewalls are opened up for vpn traffic. Connections from windows clients works just perfectly.
17:22 < katoen> !welcome
17:22 < vpnHelper> katoen: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:35 -!- sef [~nnnnnsef@69.94.13.17] has joined ##openvpn
17:36 < sef> hi, any current issues with push "redirect-gateway def1" working with openblick?
17:37 < sef> I'm unable to change the default route on the client even though the server config includes that
17:38 < lazarus477> sef: Is the client OS linux, mac or windows?
17:39 < sef> Mac OS 10.6.4
17:39 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has quit [Read error: Connection reset by peer]
17:39 < krzie> a) you dont need a gui, you shouldnt use it while testing
17:39 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has joined ##openvpn
17:40 < krzie> b) your server needs NAT and ip forwarding
17:40 < krzie> aka:
17:40 < krzie> !redirect
17:40 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:40 < lazarus477> sef: Is the client OS linux, mac or windows?
17:40 < sef> Mac OS 10.6.4
17:40 < sef> I have nat rules in
17:40 < sef> and the ip forward bit fliped in /proc
17:41 < lazarus477> sef: Then I think you also need a --up script specified. Something I am currently studying up on.
17:41 < sef> I can handle the firewall rules I think, right now, the default route isn't getting changed at all, if the firewalls rules were bad, nothing would route, but the default route would cahnge
17:41 < krzie> and you see your client change default gateway?
17:41 < krzie> lazarus477, not true
17:41 < krzie> but he WOULD need an --up if he was pushing dns
17:41 < lazarus477> In the directory containing sample configs is a subdir containing contributed configs and scripts. Check it out.
17:41 < lazarus477> Ah
17:41 < sef> sudo route -n get default  does not show a change
17:41 < lazarus477> krzie: Yep yep
17:41 < lazarus477> sef: He is right.
17:41 < krzie> sef, 
17:42 < krzie> !configs
17:42 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
17:42 < sef> ok one sec
17:43 < sef> server:  http://pastebin.com/YMRMTcM4
17:43 < sef> client:  http://pastebin.com/x8zsK4VU
17:49 < krzie> read this again
17:49 < krzie> !configs
17:49 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
17:49 < krzie> the client side is posted correctly
17:50 < krzie> the server side is not
17:50 < krzie> but actually
17:51 < sef> the server side is the full config I'm using
17:51 < sef> I half wrote it, half copied it in
17:51 < krzie> right, and it says with comments removed
17:51 < krzie> but here, this will make working configs for you
17:51 < krzie> !confgen
17:51 < vpnHelper> krzie: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
17:51 < krzie> then just go make some certificate files
17:51 < krzie> fully explained in the howto
17:52 < sef> do you think using certs will fix my routing issue?
17:52 < sef> vs a static key, like I'm using now
17:53 < krzie> nope, but if you use the configs my confgen makes for you, it will work
17:53 < krzie> assuming your NAT is setup correctly
17:53 < krzie> plus it will fix a few more things which i dont feel like going over
17:55 < sef> ok will take a look at it, thanks
17:56 < krzie> yw
18:03 < krzie> oh and you are running openvpn on the client as root, right?
18:04 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has quit [Read error: Connection reset by peer]
18:04 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has joined ##openvpn
18:33 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:33 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has quit [Quit: leaving]
19:00 -!- Netsplit *.net <-> *.split quits: krzie, kraut, arcsky, WormFood, LeRrA, Saar
19:03 -!- Netsplit over, joins: WormFood
19:04 -!- Netsplit over, joins: arcsky
19:05 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
19:11 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has joined ##openvpn
19:11 -!- LeRrA [~lerra@c-9b9872d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined ##openvpn
19:51 -!- Floops [floops@shellium/staff/floops] has joined ##openvpn
19:54 < Floops> !welcome
19:54 < vpnHelper> Floops: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:55 < Floops> !configs
19:55 < vpnHelper> Floops: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
19:59 -!- lazarus477 [~lazarus@host-90-237-133-74.mobileonline.telia.com] has joined ##openvpn
20:00 < lazarus477> My openvpn setup is on linux. Tested and funktioning properly with Windows based clients. Problem with linux. tun interface setup (not bridged). Problem:
20:01 < lazarus477> OpenVPN server running on linux on a dedicated host. The linux client I am connecting from can ping the vpn server but not reach other lan hosts on the vpn end.
20:02 < lazarus477> LAN hosts on the vpn end can ping my linux client through the vpn without problems.
20:03 < lazarus477> checking client routing table it appears that the routes are not being pushed from the server, but they are. So what could be blocking acceptance at the client end?
20:04 < lazarus477> I am using mobile broadband on the linux client to test things. So I have all related hardware right infront of me.
20:04 < lazarus477> Setup works perfectly well for Windows clients.
20:11 -!- Netsplit *.net <-> *.split quits: LeRrA, Saar
20:13 -!- incrediblewoot [cfbd6914@gateway/web/freenode/ip.207.189.105.20] has joined ##openvpn
20:14 < incrediblewoot> I am having an issue setting up forwarding I think on my openvpn server.  I have removed IPtables to narrow out that as an issue. and I have enabled ip_forwarding..still not having any luck getting past my openvpn gateway..anyone have similar issues?
20:15 < incrediblewoot> openvpn network is - 10.8.0.1/24  local network is - 192.168.1.1/24
20:16 < incrediblewoot> I can ping from a openvpn client to the server on the VPN interface. I can also ping the LAN interface of the openvpn server(192.168.1.100), but nothing else past that
20:17 < lazarus477> incrediblewoot: I have the exact same problem.
20:18 < lazarus477> Server runs linux, client runs linux. You too?
20:18 -!- theDoc [~jaki@173.236.41.36] has joined ##openvpn
20:18 -!- theDoc [~jaki@173.236.41.36] has quit [Changing host]
20:18 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
20:18 < incrediblewoot> windows 7 for me
20:18 < incrediblewoot> thing is, I had it working..but server restarted..so something did not stick ;)
20:18 < lazarus477> Oh, strange. I got it working fine on windows 7.
20:19 < lazarus477> incrediblewoot: Re-check that forwarding is still enabled on the server...
20:19 < theDoc> Did you give it a hug and tell it to stay there? ;p
20:19 < lazarus477> theDoc: That might be worth a try.
20:19 < incrediblewoot> I know the VPN is setup fine, routes look correct as well.  I know all traffic is going over it (def1 gateway) 
20:19 < theDoc> Absolutely!
20:19 < incrediblewoot> I am remote..so no hugs! checking for ip_forwarding again
20:20 < lazarus477> incrediblewoot: I had issues earlier where I set up ip forwarding manually from the command line and the server firewall would disable it on startup.
20:20 < incrediblewoot> yep, you can modify it in some other file :P
20:21 < lazarus477> Yep, sysconfig in my case.
20:21 < incrediblewoot> I think you can check current status in /proc/sys/net/ipv4/ip_forward
20:21 < incrediblewoot> it is currently set at 1..so that means it is enabled! ;)
20:21 < incrediblewoot> iptables is not required for forwarding is it?
20:22 < lazarus477> Yes, 1 means it is enabled. And yep I believe the forwarding thing is a kernel specific setting.
20:22 -!- Netsplit over, joins: Saar, LeRrA
20:24 < lazarus477> incrediblewoot: I am re-reading this: http://www.openvpn.net/index.php/open-source/documentation/howto.html#scope
20:24 < incrediblewoot> It must be forwarding correctly then...would make sense if I can hit a web page on the openvpn server with the LAN side IP address(192.168.1.100)
20:24 < vpnHelper> Title: HOWTO (at www.openvpn.net)
20:24 < lazarus477> incrediblewoot: You might want to do so as well.
20:25 < incrediblewoot> re-reading for the millionth time :)  Its a great doc
20:26 < lazarus477> incrediblewoot: I shall go to examine what is going on with my server side firewall...
20:31 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 260 seconds]
20:31 < incrediblewoot> lazarus..think I figured it out ;)
20:32 < incrediblewoot> added a route to my firewall gateway on the server side for my 10.8.0.0/24 network pointing back to the server
20:33 < lazarus477> incrediblewoot: Hmm. I already did that but I think I shall recheck it. I just had my LAN router/gateway reboot a few hours ago, might have lost something...
20:33 < lazarus477> What the hell
20:33 < incrediblewoot> I am still trying to figure out how to get tunnel past my network and out to the internet from there..but I think I am getting closer
20:33 < lazarus477> I can reach LAN side hosts over ssh but not ping them......
20:33 < incrediblewoot> that would be firewall related for sure..iptables installed?
20:34 < lazarus477> incrediblewoot: Well that is not to hard. Do you want web traffic to go over the VPN as well?
20:34 < incrediblewoot> yep yep
20:35 < incrediblewoot> now my traffic is dieing right at the firewall..gets to it and does not forward it out
20:35 < incrediblewoot> I think I need to NAT at the openvpn server(iptables) and have it go that way
20:36 < lazarus477> incrediblewoot: Well not sure about that but in the server config there is a line which forces all client side trafic to go over the vpn.
20:36 < incrediblewoot> yep, I have that checked
20:36 < lazarus477> incrediblewoot: I think it is called redirect gateway.
20:37 < incrediblewoot> but I think openvpn server is throwing the VPN IP's right to my LAN network without NATing it..and its a home consumer FIOS router..so I am sure it is confused on what is going on ;)
20:39 < incrediblewoot> yea this is the issue...hehe
20:39 < lazarus477> incrediblewoot: Hmm. I think the LAN side router should be doing all the NATing that is needed.
20:40 < incrediblewoot> for the 192.168.1.1/24 network, it won't know about the 10.8.0.1/24 network for translation I do not think
20:40 < incrediblewoot> read above the same config line ";push "redirect-gateway" it kind of explained it...now I need to figure out how to get this to NAT with IP tables
20:41 < lazarus477> incrediblewoot: Well for the /24 network I asume you have added a static route in the router so it knows how to reach VPN clients?
20:42 < incrediblewoot> it does
20:42 < lazarus477> incrediblewoot: Your router on the /24 network should take care of nat for wan related traffic. Or so I would think.
20:42 < incrediblewoot> my trace route from client goes over VPN, terminates fine there at the VPN gateway, is then forwarded out to my LAN gateway fine..but once it hits my LAN gateway it dies
20:43 < lazarus477> incrediblewoot: Hmm. My LAN side internet gateway runs linux. I had to set it to accept forwarded traffic.
20:44 < incrediblewoot> thats what I think is going on here..my 10.x traffic hits the LAN gateway(fios router) and then the router is like "uhm..no"
20:44 < incrediblewoot> versus routing it out and NATing like I want
20:44 < incrediblewoot> if I am thinking correctly of course hehe
20:44 < incrediblewoot> should really just throw my juniper firewall on the setup
20:46 < lazarus477> incrediblewoot: I wish I could say. I am still green or wet behind the ears on the more complex issues of networking, haha.
20:46 < incrediblewoot> I am definitely at my limit right now..but just had to take it hop by hop ;)
20:47 < lazarus477> What has me troubled now is that I cannot get pings from VPN client to LAN hosts to go through while doing a ping in the oposit direction works fine.
20:49 < lazarus477> I can ping the /24 address of the vpn server but no other /24 addresses on the lan.
20:49 < lazarus477> Yet I can ssh to lan side hosts...
20:50 < incrediblewoot> thats very strange
20:50 < incrediblewoot> what do the routing tables look like on both?
20:50 < lazarus477> Yea
20:50 < incrediblewoot> side
20:51 < lazarus477> incrediblewoot: They look fine
20:51 < incrediblewoot> and you're gonna hate me..figured out what I needed for iptables ;)
20:51 < incrediblewoot> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
20:51 < lazarus477> incrediblewoot: Hahaha, what was it?
20:51 < lazarus477> Ah
20:51 < lazarus477> NAT
20:51 < incrediblewoot> I was throwing 10.x traffic on my LAN network..now that should work with any decent router..but leave it to the FIOS router to fail :P
20:52 < incrediblewoot> now WHY that did not work after my reboot is beyond me :P
20:52 < lazarus477> incrediblewoot: It is the little things which matter.
20:53 < incrediblewoot> ;)
20:53 < incrediblewoot> so back to your situation
20:53 < incrediblewoot> since you can SSH fine..your routing tables are good
20:53 < incrediblewoot> is iptables in use at all?
20:53 < incrediblewoot> anywhere
20:54 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
20:55 < lazarus477> Yes
20:55 < lazarus477> I am about to drop the firewall on the server to see if that helps
20:55 < lazarus477> I se nothing in the logs.
20:56 < incrediblewoot> is ping all that important? :P
20:58 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
21:00 < lazarus477> incrediblewoot: Funny. I had apparently the server firewall off.
21:00 < lazarus477> incrediblewoot: Turning it back on gives me new results, examining.
21:00 < incrediblewoot> ;)
21:01 < lazarus477> Now ssh gives connection refused
21:01 < lazarus477> And pinging a LAN host gives Destination protocol unreachable.
21:01 < lazarus477> New problems.
21:01 < lazarus477> Guess I have firewall issues.
21:02 < incrediblewoot> yea, thats what I am thinking..since layer 3 is good...something higher is limiting for sure
21:02 < lazarus477> yup
21:02 < incrediblewoot> should be fairly easy to fix though
21:02 < lazarus477> My setup is also a pain to check: Server is a virtual machine, internet gateway is a linux router.
21:02 < lazarus477> Hehe.
21:03 < incrediblewoot> oh damn...
21:03 < incrediblewoot> so you have NAT going between host and guest on the VM?
21:03 < incrediblewoot> or you briding there?
21:03 < lazarus477> Naturally all VPN stuff passes over a virtual network interface on the virtualization host although this appears to have no ill side effects.
21:03 < incrediblewoot> should not, thats how our VPN works here in the office
21:03 < incrediblewoot> couple hundred users at a time..no issues
21:03 < lazarus477> The VMs are bridged, no NAT.
21:04 < incrediblewoot> ah good!  one less layer of BS to deal with haha
21:04 < lazarus477> Yea!
21:04 < lazarus477> lol
21:04 < lazarus477> incrediblewoot: Well no swet. I shall dig into this.
21:04 < incrediblewoot> what VM software you using?
21:06 < lazarus477> Xen
21:06 < incrediblewoot> have not used that one ;)
21:06 < lazarus477> Ah examining the firewall log on the server clearly shows the server was blocking ICMP ping requests while the firewall was turned on. I had it off since last month.
21:07 < lazarus477> Xen is rather nice but I hear KVM is better for linux stuff.
21:07 < lazarus477> I use Xen because my server CPUs do not support virtualization.
21:08 < lazarus477> Also the original idea behind xen is a very romantic and good notion of supporting remote virtual hosting and spreading VMs across the globe using the internet to tie things together.
21:08 < lazarus477> But I do not think the project is anywhere near reaching that goal.
21:10 < incrediblewoot> that sounds liek quite the project
21:12 < lazarus477> Yea
21:13 < lazarus477> The idea behind it all was something like being able to do load balancing and also reduce latency for far away regions.
21:15 < incrediblewoot> so like a CDN?
21:18 < lazarus477> CDN?
21:19 < lazarus477> I wonder if my ICMP ping is canceled out at the client end due to the client being on mobile broadband, hmmm.
21:19 < lazarus477> I shall check the logs for the network manager I am using for the connection.
21:21 < lazarus477> Next thing to do is get these DHCP pushed options into some --up script on the linux client.
21:22 < incrediblewoot> ah thats easy enough for DHCP stuff
21:23 < incrediblewoot> I can get you the lines I am using if you are interested
21:23 < lazarus477> incrediblewoot: The wife is on a trip to beijing china and I am having her test the VPN for me. I want to see what sort of practical problems arise on long distance connections.
21:23 < lazarus477> incrediblewoot: Sure. Would be nice to see some examples.
21:23 < incrediblewoot> well..China is probably not the best way to test..don't they restrict things like crazy out there?
21:24 < lazarus477> incrediblewoot: I found a user contributed script in the vpn examples but these appear to work with IP tables rather than using command line tools.
21:24 < lazarus477> incrediblewoot: They do not restrict VPN traffic, hehehehe.
21:24 < incrediblewoot> nice!
21:24 < incrediblewoot> here is what I am using to get pushed DNS 
21:24 < incrediblewoot> push "dhcp-option DNS 8.8.8.8" 
21:24 < lazarus477> incrediblewoot: Also it apepars proxying of http works.
21:24 < incrediblewoot> ah win!
21:24 < lazarus477> YEa
21:24 < lazarus477> pushing DHCP works for windows clients, not linux, not without scripting.
21:25 < incrediblewoot> ah really?
21:25 < incrediblewoot> hehe..my bad
21:25 < lazarus477> For a linux client all pushed DHCP options end up as user environment variables which can be used inside of a script to actually set the client side needed network settings normally passed as DHCP options.
21:25 < lazarus477> Yep really.
21:26 < lazarus477> It is covered in the howto and in the man page.
21:26 < lazarus477> Just lookup --up --down etc.
21:26 < incrediblewoot> ah yes..I remembered reading that ;)
21:32 < lazarus477> If you can remember everything else I read then you might be able to solve my problem as well, hahaha.
21:32 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
21:49 -!- lazarus477 [~lazarus@host-90-237-133-74.mobileonline.telia.com] has quit [Ping timeout: 276 seconds]
21:51 -!- lazarus477 [~lazarus@host-90-237-132-71.mobileonline.telia.com] has joined ##openvpn
23:05 -!- lazarus477 [~lazarus@host-90-237-132-71.mobileonline.telia.com] has quit [Quit: leaving]
23:12 -!- incrediblewoot [cfbd6914@gateway/web/freenode/ip.207.189.105.20] has quit [Quit: Page closed]
23:13 -!- takamichi [~pri@78.133.38.201] has joined ##openvpn
23:24 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
23:45 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
--- Day changed Fri Jul 02 2010
00:09 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
00:13 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
00:13 < theDoc> o/
00:28 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
00:30 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
00:40 -!- kish [~o2@unaffiliated/spice] has quit [Ping timeout: 240 seconds]
00:42 -!- kish [~o2@unaffiliated/spice] has joined ##openvpn
01:12 -!- mape2k [~mape2k@p5B286944.dip.t-dialin.net] has joined ##openvpn
01:55 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
01:55 -!- mode/##openvpn [+o mattock] by ChanServ
02:03 -!- dazo_afk is now known as dazo
02:06 < kish> is this the case: OpenVPN appears to just use the TLS channel to exchange key material which is hashed to  produce the OpenVPN key.
02:24 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:25 -!- aditsu [~aditsu@061092174198.static.ctinets.com] has joined ##openvpn
02:26 < aditsu> hi, does the client from the main page at http://openvpn.net/ work with the open-source server?
02:26 < vpnHelper> Title: OpenVPN - Open Source VPN (at openvpn.net)
02:30 < henk> hoi
02:30 < aditsu> anybody here?
02:31 < aditsu> oh hi
02:31 < henk> i have another question: my client is behind nat and the server says "bad source address from client". any hints what to do about it?
02:31 < henk> aditsu: just take the opensource client... it's probably on the same page.
02:32 < aditsu> henk: no, it's on the "community software" page
02:32 < aditsu> actually the downloads page in that section
02:33 < henk> hm, i guess i'm not sure what your question is then...
02:33 < aditsu> my question is if the client from the front page works with the "community software" server
02:33 < aditsu> I've never seen that client software before
02:35 < henk> oh, hm... i thought there was only one client... sorry
02:35 < aditsu> I wonder if this one is only for the "access server"
02:36 < henk> why don't you just take the client in the 'community software' section?
02:36 < henk> my guess is, that it will match the _server_ from the 'community software' section just perfectly.
02:37 < henk> is there actually a difference between client and server in openvpn? o_O
02:37 < aditsu> because somebody already installed the other client, and I thought it's easier to keep it rather than replace it
02:39 < aditsu> about the "bad source address", does that cause actual problems?
02:39 < kish> !tls
02:39 < vpnHelper> kish: Error: "tls" is not a valid command.
02:43 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:11 < henk> yes, but we just found that we have other problems (probably routing). i'll fix those first i guess...
03:12 -!- ruied [~ruied@bl6-129-85.dsl.telepac.pt] has quit [Ping timeout: 245 seconds]
03:13 -!- rahman [~rahman@79.123.255.25] has joined ##openvpn
03:15 < rahman> Hi, in our university we have some academic library services that only accessible with the ip addresses of the university. We want the academic stuff to use these services whereever they are, not only from the universit network. But as these services are private we need to do this with user authentication. So, can openvpn  used to achieve this purpose? Or there is some other ways to do this?
03:16 < chantra> rahman: you mean people connect to openvpn server in uni
03:16 < chantra> using authentication?
03:16 < chantra> if so , yes
03:18 < macsppadic> yes rahman - as chantra said u can use openvpn for ur needs- once u setup an openvpn server at the uni- then have required academic staff given their unique certificates to connect to the server 
03:21 -!- aditsu [~aditsu@061092174198.static.ctinets.com] has quit [Quit: ChatZilla 0.9.85 [SeaMonkey 2.0.4/20100428122002]]
03:22 < rahman> chantra: macsppadic: So when we setup all the servers and certs, will they be able to connect our webpage (artvin.edu.tr) via openvpn and there is a link to IEEE Explorer which only works if the user ip address is in our networks ip block? If so can you point me some docs or some keywords to search on google. I never used openvpn or any other vpn before. So any help is greatly welcome
03:24 < macsppadic> http://www.openvpn.net/index.php/open-source/documentation/howto.html
03:24 < vpnHelper> Title: HOWTO (at www.openvpn.net)
03:24 < macsppadic> rahman thats a good place to start 
03:25 < rahman> All our need is this web side nothing more. Thanks for the links. I will work on it. 
03:25 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
03:26 < macsppadic> rahman: all users on the private network there can get to the IEEE explorer link right?
03:26 < macsppadic> openvpn with bridge shud take care of that as far as i know 
03:26 < macsppadic> well have a look at the docs 
03:31 -!- Abhishek_SIngh [~Abhishek@115.242.101.66] has joined ##openvpn
03:31 < rahman> macsppadic: yes all users can access without any authentication if they are in our ip block
03:31 < macsppadic> yup so if u configure a bridge - in effect the users connecting in will be on your local network at uni ...
03:32 < macsppadic> also will have to check routes and firewall settings but that shud do it 
03:32 < macsppadic> have a look at the docs rahman 
03:32 < rahman> macsppadic: thanks  I will
03:33 < rahman> macsppadic: I will ask if I encounter any problem, have to go now.
03:33 -!- Abhishek_SIngh [~Abhishek@115.242.101.66] has left ##openvpn []
03:33 < macsppadic> this chanel quite good for giving a helping hand 
03:34 -!- takamichi [~pri@78.133.38.201] has quit [Ping timeout: 240 seconds]
03:35 < chantra> rahman: you can simply NAT on the openvpn server and client will be seen as coming from openvpn server (hence your network)
03:46 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
03:47 -!- takamichi [~pri@ip-174-142-36-115.static.privatedns.com] has joined ##openvpn
03:56 -!- macsppadic is now known as sambapains
03:57 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
04:00 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
04:02 -!- Buggaboo [~Buggaboo@535316B2.cable.casema.nl] has joined ##openvpn
04:02 < Buggaboo> hi
04:03 < Buggaboo> Is it common to run a openvpn server in a lan and port-forward 1139 to the internet facing interface so client can logon?
04:03 < henk> yes, afair the faq has something on that.
04:03 < Buggaboo> Okay, I thought so too.
04:04 < Buggaboo> hm.
04:04 < Buggaboo> So a vmguest running a openvpn shouldn't be a problem...
04:05 < kraut> moin
04:06 < Buggaboo> I had this error on the client side: TLS Error: Unroutable control packet received and Connection refused (code=111)
04:06 < Buggaboo> but I solved it by syncing with pool.ntp.org
04:06 < Buggaboo> I have a windows xp client and a slackware linux server
04:07 < Buggaboo> I'm checking my firewall logs and the two are communicating with each other.
04:07 < Buggaboo> I have to increase the debug level I think.
04:07 < Buggaboo> I keep getting "Inactivity timeout (--ping-restart(, restarting
04:08 < Buggaboo> well actually, I know that some UDP openvpn packets are getting through my firewall.
04:09 < Buggaboo> my server says: Fri Jul  2 11:08:27 2010 Peer Connection Initiated with ... :1148
04:09 < Buggaboo> I wonder if that's the port.
04:09 < Buggaboo> I have a bridged setup btw.
04:14 < Buggaboo> I have verbose level 7 on the client and server.
04:14 < Buggaboo> crap I'm still getting "unroutable control packet received"
04:15 < kisom> no idea in fact...
04:15 < Chosi> kisom: the dormatory network administration finally gave in to the students and they're now opening any udp ports they wish again
04:16 < Chosi> \o/
04:16 < Chosi> no need for my openvpn anymore
04:16 < kisom> good :)
04:16 < Chosi> yup :)
04:16 < kisom> that way they can monitor you instead
04:16 < kisom> no encrypted traffic
04:17 < Buggaboo> does openvpn send through other UDP ports?
04:17 < Buggaboo> in case the official one fails?
04:17 < kisom> no
04:18 < kisom> it sends on port 1194 by default, unless you say otherwise
04:20 < Buggaboo> server.conf: http://pastebin.com/kPDyRtP5
04:21 < Buggaboo> I did not define a port.
04:21 < kisom> then it is default
04:21 < Buggaboo> I thought: "local 192.168.0.10" would default to 1194
04:22 < Buggaboo> But verbose level 7 says stuff like: Fri Jul  2 11:21:39 2010 us=414515 UDPv4 READ [42] from 83.83.22.180:1159:  DATA len=42
04:22 < kisom> thats your local client port then
04:22 < kisom> it is picked at random by the operative system
04:23 < Buggaboo> eek.
04:23 < Buggaboo> no wonder my client is timing out.
04:23 < kisom> that does not matter
04:24 < Buggaboo> I recall the syntax was local ipaddr port
04:24 < kisom> try adding a keepalive directive
04:24 < kisom> set it to send a keepalive packet each 10 sec or so
04:24 < kisom> that should keep your connection alive in most firewalls
04:25 < Buggaboo> I got: keepalive 10 120
04:26 < Buggaboo> I'm firing up wireshark to diagnose on the winxp client.
04:27 < Buggaboo> still incrementing like noone's business: Fri Jul  2 11:26:50 2010 us=120939 UDPv4 READ [42] from 83.83.22.180:1163:  DATA len=42
04:28 < Buggaboo> This does happen from time to time: Fri Jul  2 11:27:10 2010 us=784251 Peer Connection Initiated with 83.83.22.180:1164
04:28 < kisom> ¨but it does get connected?
04:29 < kisom> and just drops from time to time?
04:29 < Buggaboo> my client says: P_CONTROL_HARD_RESET_CLIENT_V2 blabla
04:30 < kisom> do you get connected at all?
04:30 < kisom> can you ping the server over the VPN?
04:33 < Buggaboo> mmm... how do I do that?
04:33 < kisom> ping 10.0.8.1
04:33 < kisom> or whtever subnet the VPN is on
04:34 < Buggaboo> hm. no joy.
04:35 < Buggaboo> my subnet is 192.168.1.0, the server is on 192.168.0.0
04:35 < kisom> your VPN subnet?
04:36 < Buggaboo> hm, I might have skipped that bit...
04:36 < kisom> you should probably read the guides...
04:36 < kisom> tooks me 7 hours my first time
04:36 < Buggaboo> In my slackware vmguest (qemu/kvm), I have a bridge setup, using uml-utilities brctl, tunctl, anyways, I've done this a million times.
04:37 < Buggaboo> ifconfig gives me tap0 through tapn
04:39 < Buggaboo> Do I set the subnet through the server.conf?
04:39 < kisom> yes
04:39 < Buggaboo> Or do I have to muck around with ifconfig and ip routing?
04:39 < kisom> well
04:39 < kisom> i've never set up a bridge in openvpn in fact.
04:40 < Buggaboo> Hm, I might be doing this the hard way.
04:40 < Buggaboo> Anyways, I aim to provide a vpn for 8 people, all probably using the same ol key.
04:41 < Buggaboo> They need to access a local windows AD server and all its services.
04:41 < hyper_ch> isn't AD evil?
04:41 < kisom> AD sucks
04:42 < kisom> im hacking it right now tho
04:42 < Buggaboo> If it were up to me, I'd have everyone using samba4, but that's besides the point.
04:43 < kisom> I'd have everyone use pen & paper, that way there is less for the IT-department (me) to do
04:44 < kisom> anyways, time f0r f00d
04:44  * kisom &
04:44 -!- takamichi [~pri@ip-174-142-36-115.static.privatedns.com] has quit [Ping timeout: 260 seconds]
04:45 -!- takamichi [~pri@78.133.38.201] has joined ##openvpn
04:47 < Buggaboo> kisom, check out pstools, you'll never have to leave your chair.
04:48 < hyper_ch> pstools can beam food to my place?
04:49 < Buggaboo> mmm... nope sorry.
04:49 < hyper_ch> :(
04:50 < Bushmills> hyper_ch: yes, in a way they can.  but only akin to the way the pratchett describes the process of converting lead to gold 
04:51 < Bushmills> that is, indirectly
04:52 < hyper_ch> lead to gold... hmmm... how to do that?
04:52 < Bushmills> rather than bulding a printing press, with letters from lead, and selling printing services (for gold), you'd find a way to offer a paid service using pstools, and convert the profit to pizza delivery service.
04:55 < hyper_ch> why not just getting a magic wand and directly convert lead to gold and bring that to my bank? sounds like a lot less work than the other stuff
04:59 < Bushmills> yes, why not.
05:00 < Bushmills> maybe because technology "printing press" has been developed by now, but technology "magic wand" requires some inventing, prior to use.
05:01 -!- ruied [~ruied@89.180.121.174] has joined ##openvpn
05:01 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:02 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 260 seconds]
05:03 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
05:25 < kisom> Buggaboo: i work at a bank, we have systems built from scratch to do our job
05:25 < kisom> yes, most of them sucks
05:27 -!- ruied [~ruied@89.180.121.174] has quit [Ping timeout: 248 seconds]
05:27  * Bushmills sings "in order to bake an apple pie from scratch, you have to invent a universe first"
05:28 < Bushmills> here is a handful of sand - build a computer from it
05:29 < Buggaboo> If you let millions squared monkeys blow on it, it might magically turn into microchips.
05:30  * Buggaboo disregards the laws of thermodynamics
05:31 < Buggaboo> If someone could pool all the energy from stupidity and chaos from this world alone, we could create a 'perpetuum mobile'
05:33 < kisom> the bank has its own universe
05:33 < kisom> its in a paralell dimention
05:34 < kisom> and we have openvpn access over there
05:37 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
05:38 < Buggaboo> argh.
05:38 < Buggaboo> I keep getting unroutable packet received
05:39 < krzie> Buggaboo, aste it
05:39 < krzie> paste
05:39 < Buggaboo> then I get p_control_hard_reset_client_v2
05:39 < krzie> !logs
05:39 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
05:39 < Buggaboo> I'm synching the clocks like crazy.
05:40 < Buggaboo> I wrote a wee bash script that: for s in `seq 60`; do sleep 60 && ntpdate nl.pool.ntp.org; done
05:40 < krzie> hah
05:40 < krzie> crontab dude
05:40 < Buggaboo> I know
05:40 < Buggaboo> but the client is being a pain.
05:40 < krzie> if you know why dont you use it
05:41 < Buggaboo> the client is a windows xp.
05:41 < krzie> bash scripts dont run on windows xp
05:42 < krzie> bash3+ you can use for s in {1..60}
05:42 < krzie> brace expansion
05:42 < krzie> but for that youd use crontab instead anyways
05:43 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit [Ping timeout: 245 seconds]
05:43 < krzie> and backticks are the old, sometimes unpredictable way, command expansion is now like $(seq 60)
05:43 < krzie> as for openvpn, ill wait for the logs
05:44 < Buggaboo> okay thanks for offering.
05:45 < Buggaboo> I was trying to figure out how to make "at.exe" work like cron.
05:46 < krzie> you saying that bash script runs on windows?
05:46 < Buggaboo> client config: http://pastebin.org/374446
05:46 < krzie> because windows has a method for syncing to NTP, doesnt need to run from a script
05:46 < krzie> i said
05:46 < krzie> !logs
05:46 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
05:47 < krzie> why are you bridging?
05:48 < Buggaboo> winxp cmd: openvpn user1.ovpn > log.txt # I don't know any other way.
05:48 < krzie> !logfile
05:48 < vpnHelper> krzie: "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info
05:48 < krzie> do not send verb 7
05:48 < krzie> no higher than 5
05:49 < Buggaboo> 4 then?
05:49 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
05:49 < krzie> what does !logs say
05:49 < krzie> !logs
05:49 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
05:49 < krzie> its amazing i've had to do that 3 times :-p
05:50 < Buggaboo> I've yet to learn to actually read those... :P sorry.
05:53 < Buggaboo> log: http://pastebin.org/374477
05:56 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
06:02 < krzie> and the other half...
06:03 < krzie> seriously, you need to read what the bot tells you if you want help... at least from me
06:03 < Buggaboo> hm crap, I put "log log.txt" in the server.conf, it keeps turning up empty.
06:04 < Buggaboo> sorry for that, I'll stdout > log.txt
06:04 < krzie> !path
06:04 < vpnHelper> krzie: "path" is always use full paths in your config file, it makes things easier
06:05 < krzie> also be sure to stop and start the vpn after changing the config
06:08 < Buggaboo> hm, I wonder if I can push txt files to pastebin.org
06:08 < Buggaboo> this log file is huge.
06:12 < Buggaboo> http://pastebin.org/374550
06:13 < Buggaboo> I always thought that the "peer connection initiated with ..." sounded promising
06:13 < krzie> firewall
06:15 < chantra> Buggaboo: do you have more than 1 public IP on your server?
06:15 < krzie> ya, and why do you want a bridge?
06:15 < chantra> i think I had a similar issue
06:16 < Buggaboo> yes.
06:17 < krzie> Fri Jul  2 13:04:16 2010 us=377889 ******* WARNING *******: all encryption and authentication featu$
06:17 < krzie> post your server config without comments pls
06:17 < chantra> ok, and the IP you try to connect to is the second pub ip? or the first one?
06:17 < chantra> try to point your client to the diferent public IPs you have
06:17 < Buggaboo> I want a bridge because my clients need to access the AD and some other services.
06:18 < Buggaboo> namely, filemaker, which is a local db application.
06:18 < chantra> Buggaboo: or use ;local a.b.c.d
06:18 < Buggaboo> the IP I try to connect to is our primary IP.
06:18 < chantra> where a.b.c.d is the ip you use on the client
06:18 < Buggaboo> I direct voip through the other IP.
06:19 < Buggaboo> through shorewall.
06:19 < krzie> post your server config without comments
06:19 < Buggaboo> okelydokely.
06:19 < chantra> Buggaboo: did you tcpdump -i any host "client ip"
06:19 < chantra> any packets going back to client? 
06:20 < Buggaboo> mm, I know they're going to the server, not so sure about the client.
06:20 < krzie> no, because its a firewall problem
06:20 < Buggaboo> I still have tcpdump running.
06:20 < Buggaboo> lemme check.
06:20 < krzie> likely on the windows firewall on tap device
06:20 < krzie> [07:13]  <krzie> firewall
06:20 < krzie> ;]
06:21 < krzie> but i still wanna see server config
06:21 < krzie> cause it looks like there's other issues
06:21 < Buggaboo> http://pastebin.org/374596
06:21 < Buggaboo> server conf: http://pastebin.org/374596
06:22 < krzie> hehe
06:22 < krzie> you never try to give an ip
06:22 < krzie> if you want a bridge, see --server-bridge
06:23 < Buggaboo> and for the kids out there watching, comments removal magic with sed: mode server
06:23 < Buggaboo> local 192.168.0.10 1194 #<your ip address> ## ip/hostname of server port 1194
06:23 < Buggaboo> proto udp
06:23 < Buggaboo> dev tap0
06:23 < Buggaboo> persist-key
06:23 < Buggaboo> persist-tun
06:23 < Buggaboo> ca certs/ca.crt
06:23 < Buggaboo> cert certs/server.crt
06:23 < Buggaboo> key keys/server.key  # This file should be kept secret
06:23 < Buggaboo> dh dh1024.pem
06:23 < Buggaboo> tls-auth keys/ta.key 0
06:23 < Buggaboo> duplicate-cn # prevent death of connections from multiple usage of certs
06:23 < Buggaboo> tls-server
06:23 < chantra> arg
06:23 < Buggaboo> cipher AES-256-CBC        # (default: BF-CBC, Blowfish)
06:23 -!- mode/##openvpn [+o krzee] by ChanServ
06:23 < Buggaboo> comp-lzo
06:23 < Buggaboo> ifconfig-pool-persist ipp.txt
06:23 < Buggaboo> client-to-client
06:23 < Buggaboo> ;max-clients 8
06:23 -!- Floops [floops@shellium/staff/floops] has quit [Remote host closed the connection]
06:23 < Buggaboo> management localhost 7505
06:23 < Buggaboo> user nobody
06:23 < Buggaboo> group nogroup
06:23 < Buggaboo> keepalive 10 60
06:23 < Buggaboo> status /var/log/vpn/openvpn-status.log
06:23 < Buggaboo> log-append /var/log/vpn/openvpn.log
06:23 -!- mode/##openvpn [+o krzie] by ChanServ
06:23 < Buggaboo> verb 7
06:23 < chantra> Buggaboo: what is the purpose of pastebin? :)
06:23 -!- Buggaboo was kicked from ##openvpn by krzie [Buggaboo]
06:23 -!- mode/##openvpn [-o krzee] by krzie
06:24 -!- mode/##openvpn [-o krzie] by krzie
06:24 < krzie> sry that took so long
06:24 -!- Buggaboo [~Buggaboo@535316B2.cable.casema.nl] has joined ##openvpn
06:24 < Buggaboo> sorry guys, I meant to paste this: sed '/^#/d;/^$/d' bridged.server.conf | sed 's/#.*//g'
06:24 < chantra> krzie: he was 1 line away from the end :D
06:25 < krzie> chantra, ya i was way late
06:25 < krzie> thought i was krzee for a sec
06:25 < krzie> Buggaboo, the sed line is also here:
06:25 < krzie> !configs
06:25 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
06:25 < krzie> well grep, but ya
06:26 < krzie> could be shortened with [] but my bot see's [] as command expansion
06:27 < chantra> krzie: wonder if it is something like https://community.openvpn.net/openvpn/ticket/13
06:27 < vpnHelper> Title: #13 (Not using --push on server makes client sending PUSH_REQUEST continuously) – OpenVPN (at community.openvpn.net)
06:27 < krzie> nope
06:27 -!- rahman [~rahman@79.123.255.25] has quit [Remote host closed the connection]
06:27 < krzie> its not
06:28 < Buggaboo> I'm gonna change the "local" directive to where my ip is going to connect.
06:28 < Buggaboo> gonna test now.
06:28 -!- naquad [~naquad@174.142.224.219] has joined ##openvpn
06:29 < naquad> hi
06:29 < krzie> Buggaboo, not gunna fix
06:29 < krzie> Buggaboo, you want a full bridge or not?
06:29 < naquad> what's the minimal size of network that'll work for open vpn?
06:29 < Buggaboo> yes please.
06:29 < krzie> naquad, /30
06:29 < krzie> well, actually peer-to-peer
06:29 < naquad> krzie: thank you
06:30 < krzie> by default topology (net30) even giving a /24 to server directive ends up with clients in their own /30
06:30 < krzie> !/30
06:30 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
06:31 < Buggaboo> krzie, what do you mean by full bridge? I created a bridge on the server, tap0 to tap9, I plugged in eth0 in the bridge, I know it's working, otherwise I wouldn't be logged in through ssh.
06:32 < krzie> Buggaboo, you need --server-bridge command
06:32 < krzie> !man
06:32 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
06:32 < krzie> read about --server-bridge
06:32 < Buggaboo> sorry missed that bit.
06:33 < naquad> the problem is i've got a box with 1 free ip and i would like the only client (me) to get it
06:33 < naquad> is it possible?
06:33 < krzie> naquad, you just want this:?
06:33 < krzie> !redirect
06:33 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
06:34 < naquad> krzie: w/o nat, ip is available from internet
06:35 < krzie> hrm, possibly but im not sure
06:35 < krzie> i know you can do it when you have more ips
06:35 < krzie> if you can, i would try this...
06:35 < krzie> point-to-point setup
06:36 < krzie> i dont think you bind the IP to an interface
06:36 < krzie> and then you assign it to the client
06:36 < krzie> honestly im not sure if that would work
06:36 < krzie> if you had a /28 or something i know --server can work for that
06:37 < naquad> yeah
06:37 < naquad> i know that too
06:37 < Buggaboo> hm, I want a single windows client per connection
06:37 < naquad> i'm thinking about the following:
06:37 < krzie> also note that your desired result is EASILY achieved with a bidirectional NAT
06:37 < krzie> you will only see a 1918 ip on the interface, but it will basically be the inet routable ip
06:37 < chantra> naquad: point to point and forward all traffic of pub ip to that p2p ip?
06:37 < naquad> let openvpn still use some virtual network, but make use iptables to SNAT all traffic from client and DNAT from server
06:37 < krzie> bidirectional NAT means no port forwarding needed or anything
06:38 < chantra> but without a subnet, might be hard for openvpn to handle that
06:38 < naquad> yeah
06:38 < krzie> im a bsd guy
06:38 < krzie> ipf has binat command
06:38 < krzie> (last time i needed it i was u sing ipf, long long ago)
06:38 < krzie> looks like pf has it too
06:39 < naquad> seems to be working
06:39 < naquad> thank you :)
06:40 < krzie> If you just need a single 1-to-1 NAT: 
06:40 < krzie> iptables -t nat -A PREROUTING -d 1.2.3.4 -j DNAT --to 5.6.7.8 
06:40 < krzie> iptables -t nat -A POSTROUTING -s 5.6.7.8 -j SNAT --to 1.2.3.4
06:40 < krzie> np =]
06:41 < naquad> yeah, did the same
06:46 < krzie> chantra, his problem is even on IP-less setups you need server server-bridge or ifconfig, then you use ifconfig-noexec
06:46 < Buggaboo> The client is still restarting the whole thing after a timeout.
06:46 < krzie> Buggaboo, did you read --server-bridge?
06:47 < krzie> chantra, so with none of that, his client has nothing to do when it connects
06:47 < Buggaboo> ehm, from what I understood, I should've added a few things, lemme repaste my server.conf
06:48 < krzie> and you turned off your windows firewall and any other application firewalls?
06:49 < Buggaboo> In my shorewall-rules I have a rule dNAT to that openvpn server.
06:49 < krzie> im not talking bout a firewall in between
06:49 < krzie> im talking about on the machines themselves
06:49 < krzie> especially windows
06:50 < Buggaboo> eek. stupid me.
06:50 < krzie> which is why i said "windows firewall"
06:50 < Buggaboo> I assumed the windows one was shut down.
06:50 < Buggaboo> assumptions are the mother of all frackups.
06:50 < Buggaboo> I turned it off.
06:51 < henk> i am trying to set up two almost identical vpns. one just pushes the route to an internal network, the other pushes a new default route (or rather more specific routes). can i make the config exactly the same apart from the route push? i.e. can i use the same ip-ranges for both?
06:53 < krzie> henk, do you even want them to be separate VPNs?
06:53 < krzie> they dont have to be really
06:53 < henk> krzie: they don't necessarily need to be, but i thought they need to be because of different configs.
06:53 < krzie> but if you do want them separate, you can
06:53 < krzie> well
06:54 < krzie> !ccd
06:54 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
06:54 < krzie> you can push stuff in ccd entries instead if you wanna
06:54 < krzie> or even
06:54 < krzie> !client-connect
06:54 < vpnHelper> krzie: "client-connect" is --client-connect <script>, runs script on client connection. This can be useful for generating firewall rules dynamicly, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamicly... to use it that way, you should write your dynamic ccd commands to the file named by $1.
06:54 < henk> krzie: sounds like i need two certs for every client that should be able to choose which one he'd like?!
06:55 < krzie> each client will have both?
06:55 < krzie> but only use the one he wants at a given time...?
06:55 < henk> yup, they should be able to choose which one they want.
06:55 < henk> yes.
06:55 < krzie> can they use both at the same time?
06:56 < henk> no need to.
06:56 < henk> so they shouldn't.
06:56 < krzie> then no need for 2 certs
06:56 < krzie> CAN have 2 configs
06:56 < krzie> choose which, both use same certs
06:56 < henk> 2 configs on the server or on the client?
06:56 < krzie> client
06:57 < krzie> one with redirect-gateway option, one without
06:57 < henk> oh, sounds good :) will try that one, thanks!
06:57 < krzie> np
06:58 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
06:58 < krzie> the other way would leave 2 configs on each client anyways
06:58 < krzie> as well as 2 sets of certs
06:58 < krzie> and 2 servers
06:58 < krzie> but no need in your setup
06:59 < henk> hm, i guess i should remove the 'push "route ..."' from the server config and have one config with 'route ...' and one with 'redirect-gateway ...'?
06:59 < henk> s/have one config/have one client config/
06:59 < krzie> exactly
07:06 < naquad> where can i get torrent client for i2p? saw it yesterday, but forgot :(
07:07 < Buggaboo> dammit, still no joy.
07:07 < naquad> oops wrong channel
07:08 < Buggaboo> I'm going to check the connection, wireshark on the client, tcpdump on the server.
07:11 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
07:12 < Buggaboo> now I get econnrefused code=111
07:12 < Buggaboo> from the server
07:15 < Buggaboo> aha.
07:15  * Buggaboo kisses wireshark
07:16 < Buggaboo> when a ping (ICMP) packet is sent from the client to the server, in physical terms, the client ip.addr to my firewall which port-forwards (symm dNAT) to the openvpn server, the ping never arrives, because I haven't port-forwarded those pings.
07:17 < Buggaboo> which makes the client think the server is unreachable.
07:18 < Buggaboo> the keep-alive pings are sent from port 1194, but they expect to arrive on 1326.
07:20 < Buggaboo> So the keep-alives fail; any 1194 to 1194 stuff survive the trip.
07:22 < Buggaboo> I'm getting unknown opcodes now.
07:24 < Buggaboo> The client is sending pings with increasing port numbers.
07:25 < Buggaboo> when the previous fails.
07:25 < Buggaboo> these are all blocked by my firewall.
07:25 < Buggaboo> so my question is, to which port does the first ping (ICMP) go?
07:27 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
07:27 < ecrist> !111
07:27 < vpnHelper> ecrist: Error: "111" is not a valid command.
07:27 < ecrist> Buggaboo: code=111 usually indicates a firewall issue
07:28 < Buggaboo> yep, this is what I suspect.
07:46 < Buggaboo> client: tls error: unknown opcode received from server:1194
07:47 < ecrist> we'd need more than that
07:53 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
07:54 < Buggaboo> hm, my theory, revised: I shut off the client; I get pinged by the server, but address originates from the firewall; I suspect the firewall is dNATing the icmp packets from the openvpn server.
07:54 < Buggaboo> my machine pings back, no anwer. Server assumed dead.
07:54 < Buggaboo> my client machine even, I turned off the openvpn client.
07:57 -!- sambapains [~sonupunno@88.211.55.77] has left ##openvpn []
08:07 < Buggaboo> hm, now I got: tls error: local/remote tls keys are out of sync: remoteserver:1194 [3]
08:10  * Buggaboo checks the certs and keys
08:18 -!- buntfalke [~nobody@openvpn-p0-219.triple-a.uni-kl.de] has joined ##openvpn
08:19 -!- buntfalke [~nobody@openvpn-p0-219.triple-a.uni-kl.de] has quit [Changing host]
08:19 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:26 -!- nestea [atsen@x.computer.st] has joined ##openvpn
08:28 -!- nesta [atsen@x.computer.st] has quit [Ping timeout: 260 seconds]
08:33 -!- nestea is now known as nesta
09:02 -!- gamla_kossan [~mjau@c-6440e155.1163-1-64736c10.cust.bredbandsbolaget.se] has joined ##openvpn
09:02 < gamla_kossan> hi people! could someone please help me with how I set what 'domain' and 'search' I want the server to push out?
09:04 < hyper_ch> what do you mean?
09:04 < gamla_kossan> well, in resolv.conf on the client, I right now get 'domain openvpn' as well as 'search openvpn'
09:04 < gamla_kossan> but I'd like to set it to my own domain
09:10 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
09:16 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
09:29 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
09:45 -!- killermouse0 [~killermou@gsv95-1-82-233-12-23.fbx.proxad.net] has quit [Ping timeout: 264 seconds]
09:46 -!- killermouse0 [~killermou@gsv95-1-82-233-12-23.fbx.proxad.net] has joined ##openvpn
09:59 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
10:02 -!- blueboxthief [~None_of_y@86-45-82-222-dynamic.b-ras2.srl.dublin.eircom.net] has quit [Quit: Leaving.]
10:07 -!- notbrien [~notbrien@h-66-134-169-56.nycmny83.static.covad.net] has joined ##openvpn
10:23 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:55 -!- notbrien_ [~notbrien@h-66-134-169-56.nycmny83.static.covad.net] has joined ##openvpn
10:57 -!- notbrien [~notbrien@h-66-134-169-56.nycmny83.static.covad.net] has quit [Ping timeout: 260 seconds]
10:57 -!- notbrien_ is now known as notbrien
11:03 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
11:22 -!- mape2k [~mape2k@p5B286944.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
11:26 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
11:38 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
11:38 -!- mode/##openvpn [+o mattock] by ChanServ
11:39 < dazo> gamla_kossan: check out --dhcp-options in the man page ... they can also be pushed from the server side
11:52 -!- JackCorleone [~Jack@187.11.184.68] has quit [Quit: Saindo]
12:16 < kish> what happens when i choose blowfish 448 bittis
12:16 < kish> the tls line is only 256 bits. i must be missing something
12:23 < kish> that leaves me with two ciphers that may break
12:23 < dazo> kish: what do you mean?
12:25 < kish> when the certificates validated and the tls encryption key which controls the whole session
12:25 < kish> up until you shut down openvpn 
12:25 < kish> your rekeying is run over this cipher
12:26 < kish> this is it. AES256 with one single key is responsible for protecting your whole session
12:28 < kish> so sorry if i dont get the point in rekeying every hour 
12:28 < kish> Fri Jul  2 18:44:36 2010 us=259883 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-CAMELLIA128-SHA, 2048 bit RSA
12:29 < kish> That's the key securing all other keys
12:29 < kish> So, Why rekey at all? 
12:47 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
12:50 < dazo> ahh
12:50 < dazo> there are two encryption levels involved here
12:51 < dazo> one is the SSL PKI part ... that is related to RSA or DSS stuff, which can have keys up to 4096bits 
12:52 < dazo> when OpenVPN connects, they use the SSL pub/private keys to initiate a SSL connection.  In this process they will negotiate a temporary key
12:52 < dazo> this key will then be used for encrypting the tunnelled traffic, using symmetric encryption
12:53 < dazo> then after some time, the renegotiation phase comes, and the PKI keys will be used to negotiate a new temporary encryption key
12:54 < dazo> so when you see DHE-RSA-CAMELLIA128-SHA, .... that is the encryption key used for negotiation the temporary key
12:54 < dazo> while the tunnel data itself is using AES256
12:54 < dazo> (if you set --cipher AES-256-something)
12:55 < dazo> the point of the rekeying is to avoid an attacker sniffing the traffic to be able to reveal the temporary encryption key
12:56 < dazo> and if s/he does ... it will go a little while, and the key will be useless
12:58 < dazo> The key exchange algorithm is also pretty complex, where both the client and server side do provide some keying material which is transferred (encrypted via SSL PKI keys), but not all the keying material is transferred .... the missing parts, are calculated based upon some other commonly agreed data and what the other end did send over as keying material
13:01 < dazo> for a demo of the DSS key exchange, check out this one: http://ds9a.nl/tmp/dh.html
13:04 < dazo> Also check out --show-tls, --show-ciphers, --cipher and --tls-cipher ... these arguments lists out the TLS/SSL key exchange ciphers and algorithms supported and the cipher algorithm to use on the tunnel traffic to be encrypted.  The two latter ones is used to set these parameters
13:04 < dazo> kish: ^^
13:05 < dazo> http://www.netip.com/articles/keith/diffie-helman.htm ... gives a not too mathematical explanation
13:05 < vpnHelper> Title: The NetIP Security Resource - Diffie-Helman Article Diffie-Helman (at www.netip.com)
13:06 < kish> dazo: thanks a lot! :)
13:07 < dazo> kish: you're welcome!
13:07  * dazo decides to start the weekend!
13:07 < kish> Heh!
13:07 < kish> have fun
13:07 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
13:08 -!- dazo is now known as dazo_afk
13:17 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 260 seconds]
13:19 < ecrist> BOAT = Break Out Another Thousand
13:20 < ecrist> I just dropped another $983 on my friggin boat.
13:38 -!- Otacon22 [~otacon22@93-36-100-124.ip59.fastwebnet.it] has quit [Ping timeout: 252 seconds]
14:11 -!- notbrien [~notbrien@h-66-134-169-56.nycmny83.static.covad.net] has quit [Quit: notbrien]
14:49 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
14:49 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
14:57 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
15:35 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit [Read error: Operation timed out]
15:41 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
15:52 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
16:12 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
16:13 -!- geek [~killown@unaffiliated/geek] has joined ##openvpn
16:14 -!- killown [~killown@unaffiliated/killown] has quit [Ping timeout: 248 seconds]
16:14 -!- geek is now known as killown
16:15 -!- killown [~killown@unaffiliated/geek] has quit [Changing host]
16:15 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
16:16 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
16:27 -!- killown [~killown@unaffiliated/killown] has quit [Ping timeout: 245 seconds]
16:29 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
16:30 -!- somenick [~somenick@c-2acde455.017-474-6c6b701.cust.bredbandsbolaget.se] has joined ##openvpn
16:35 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
16:37 < kisom> OK, my desktop box just broke down
16:37 < kisom> wont boot, no POST
16:37 < kisom> fans are spinning
16:38 < kisom> i believe its either the CPU or the mobo
16:39 -!- swathanthran [~user@unaffiliated/shyam-k/x-8459115] has joined ##openvpn
16:43 < somenick> Hi! I am having some difficulties with my OpenVPN configuration. When the client connects to my server, it does not up the interface. I have to manually up the interface with 'sudo ifconfig tap0 up', and then 'sudo dhclient tap0' to configure it. Would it be possible to some how get this done automatically when I connect?
16:45 < Bushmills> why do you think that the client has connected, without the interface being up?
16:48 < krzee> i take it you are bridging, you should have a bridge script
16:48 < krzee> as shown in every single doc on bridging
16:48 < krzee> !bridge
16:48 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for anything where the protocol uses MAC addresses instead of IP addresses.
16:48 < vpnHelper> krzee: (but not samba, see !wins)
16:48 -!- taffynay [~naynay@genkt-056-076.t-mobile.co.uk] has joined ##openvpn
16:48 -!- taffynay [~naynay@genkt-056-076.t-mobile.co.uk] has quit [Client Quit]
16:48 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
16:48 < somenick> krzee, I'll have a look
16:49 < swathanthran> whats the license of openvpn? can't see it on openvpn.net, more over the .deb i got from there has license: commercial marked on the copyright file.
16:51 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
16:51 < Bushmills> swathanthran: http://scarydevilmonastery.net/snap/1278107497239620031d.png
16:52 < krzee> the opensource openvpn is GPL
16:52 < krzee> access server is closed source
16:52 < swathanthran> ok..
16:54  * swathanthran just saw http://sourceforge.net/projects/openvpn/develop 
16:54 < vpnHelper> Title: SourceForge.net: OpenVPN - Develop (at sourceforge.net)
16:55 < somenick> This is not exactly my configuration. I currently have a dhcpd server on the server side assigning the ip addresses. I am guessing there is no built in mechanic in the openvpn client for uping/dhcp when the server isn't using the built in dhcp server?
17:18 < somenick> I think I have found what I was looking for. The up script.
17:18 < somenick> Is it possible to configure that from the configuration file?
17:18 < Bushmills> yes, possible
17:19 < krzee> yes, using --up
17:19 < krzee> lol
17:19 < krzee> hence the name "up script"
17:19 < somenick> yeah, you should have said so =)
17:20 -!- Buggaboo [~Buggaboo@535316B2.cable.casema.nl] has quit [Remote host closed the connection]
17:20 < somenick> But I meant from the --config file.
17:20 < krzee> !--
17:20 < vpnHelper> krzee: "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file.
17:21 < somenick> great
17:26 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
17:30 -!- swathanthran [~user@unaffiliated/shyam-k/x-8459115] has quit [Remote host closed the connection]
17:30 -!- swathanthran [~user@unaffiliated/shyam-k/x-8459115] has joined ##openvpn
17:35 -!- swathant` [~user@117.204.80.166] has joined ##openvpn
17:35 -!- swathant` [~user@117.204.80.166] has left ##openvpn []
17:36 -!- swathanthran is now known as Guest40471
17:38 -!- Netsplit *.net <-> *.split quits: baffle_, kraut, Fiouz, ike, Bushmills, nesta, Scruffy, |Mike|
17:39 -!- Guest40471 [~user@unaffiliated/shyam-k/x-8459115] has quit [Ping timeout: 252 seconds]
17:40 -!- Netsplit *.net <-> *.split quits: killown, naquad, LeRrA, Saar
17:41 -!- Netsplit over, joins: Fiouz
17:41 -!- Netsplit over, joins: ike, Bushmills, Scruffy, baffle_, |Mike|, kraut, nesta, killown, naquad, Saar (+1 more)
17:43 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Max SendQ exceeded]
17:43 -!- kraut [~kraut@2001:6f8:12a9::4:0] has joined ##openvpn
17:54 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
18:06 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
18:09 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
18:34 -!- floops [floops@404.not.found.shellium.org] has joined ##openvpn
18:34 -!- floops [floops@404.not.found.shellium.org] has quit [Changing host]
18:34 -!- floops [floops@shellium/staff/floops] has joined ##openvpn
18:35 -!- floops is now known as Floops
18:55 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
18:55 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
18:59 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
19:08 -!- takamichi [~pri@78.133.38.201] has quit [Ping timeout: 260 seconds]
20:01 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
20:10 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
20:26 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
20:29 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
20:34 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Quit: Leaving]
20:43 -!- Plazma [~Plazma@freenode/staff/plazma] has joined ##openvpn
20:46 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Quit: Leaving]
21:53 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
21:59 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
22:02 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
22:14 < Plazma> if i were to setup openvpn to do ssl-vpn , is there anyway to make a remote client be persistantly connected ? and if it detects a connection drop, re-connects
22:23 < creack> !tld
22:23 < vpnHelper> creack: Error: "tld" is not a valid command.
22:23 < creack> !tls
22:23 < vpnHelper> creack: Error: "tls" is not a valid command.
22:23 < creack> lokk at the resolv-inf or tls-retry or something like that
22:25 < creack> hum no
22:25 < creack> connect-retry maybe
22:26 < creack> I am behind a proxy with http-rpxy-retry and when the connection is droped it tries to reconnect
22:28 < Plazma> oh cool
22:29 < Plazma> i have yet to muck with openvpn yet, but i wasnted to make sure it had those capabilities before i get deep into it
22:30 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
22:42 -!- Plazma [~Plazma@freenode/staff/plazma] has left ##openvpn ["Yargh!"]
22:57 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
23:01 -!- corrideat [~tor@CAcert/user/corrideat] has joined ##openvpn
23:01 < corrideat> Howdy
23:02 < corrideat> I have configured a VPN
23:02 < corrideat> and I'd like the server at the vpn subnet to act as a gateway.
23:07 < corrideat> However, route add default gw 10.3.2.1 brings "SIOCADDRT: No such process"
23:07 -!- corrideat [~tor@CAcert/user/corrideat] has quit [Quit: /quit BitchX - http://www.bancoprueba.com:informes/ver.pl?id=@36.25.14.74/login.pl]
23:07 -!- Gentoo_basic [~tor@CAcert/user/corrideat] has joined ##openvpn
23:08 < Gentoo_basic> !welcome
23:08 < vpnHelper> Gentoo_basic: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:08 < Gentoo_basic> !route
23:08 < vpnHelper> Gentoo_basic: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
23:10 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
23:13 -!- takamichi [~pri@78.133.38.201] has joined ##openvpn
23:47 -!- Gentoo_basic [~tor@CAcert/user/corrideat] has quit [Ping timeout: 252 seconds]
23:56 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
23:56 -!- mode/##openvpn [+o mattock] by ChanServ
--- Day changed Sat Jul 03 2010
00:18 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
00:21 -!- shorter [~madtop@c-24-14-240-149.hsd1.il.comcast.net] has joined ##openvpn
00:21 < shorter> trying to figure out openvpn on my maemo device
00:21 < shorter> i just get socket.connection failure - any ideas?
00:23 < krzie> whats maemo
00:25 < shorter> sorry
00:25 < shorter> phone OS
00:25 < shorter> not sure if it matters
00:26 < shorter> like android but more open source
00:43 -!- kish [~o2@unaffiliated/spice] has quit [Ping timeout: 245 seconds]
00:45 -!- kish [~o2@unaffiliated/spice] has joined ##openvpn
01:04 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit [Ping timeout: 265 seconds]
01:27 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
01:47 -!- zheng [~zheng@114.92.150.154] has joined ##openvpn
02:10 -!- shorter [~madtop@c-24-14-240-149.hsd1.il.comcast.net] has left ##openvpn []
02:36 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
02:36 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
02:41 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
02:47 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
02:58 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
03:09 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
03:18 -!- zheng [~zheng@114.92.150.154] has quit [Quit: Leaving]
03:20 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Ping timeout: 260 seconds]
03:38 -!- n0sq_ [~quassel@65.41.216.18] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Operation timed out]
03:43 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
03:45 -!- theDoc [~jaki@unaffiliated/thedoc] has joined ##openvpn
03:46 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
03:53 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
04:06 -!- theDoc [~jaki@unaffiliated/thedoc] has quit [Quit: Leaving]
05:19 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
05:22 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
05:58 -!- mikkel_ [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:00 -!- somenick [~somenick@c-2acde455.017-474-6c6b701.cust.bredbandsbolaget.se] has quit [Remote host closed the connection]
06:37 -!- mikkel_ is now known as mikkel
07:07 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
07:51  * hyper_ch is trying to build a drupal page :)
08:02 -!- clyons_ [~clyons@unaffiliated/clyons] has joined ##openvpn
08:15 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:37 -!- mudassar [~quassel@h85-8-0-70.static.se.alltele.net] has joined ##openvpn
08:38 -!- mudassar [~quassel@h85-8-0-70.static.se.alltele.net] has quit [Remote host closed the connection]
08:39 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
08:42 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
08:55 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Read error: Operation timed out]
09:16 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
09:27 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
09:39 -!- nesta [atsen@x.computer.st] has quit [Quit: leaving]
09:52 -!- DrPepper [~DrPepper@88.207.194.0] has joined ##openvpn
10:48 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
11:19 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
11:23 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:09 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
12:33 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
12:41 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
12:43 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
12:43 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
13:05 -!- ljsdofuynsdfufuh [~madtop@c-24-14-240-149.hsd1.il.comcast.net] has joined ##openvpn
13:05 < ljsdofuynsdfufuh> what does socket.connect() failed mean?
13:07 < krzie> just a guess... it probably means there was a problem connecting to a socket
13:07 < krzie> hehehe
13:09 < ljsdofuynsdfufuh> yeah, not sure how to debug it
13:09 < ljsdofuynsdfufuh> that is all I get from the output and I'm not sure where the log file is
13:09 < krzie> it is whereever you tell it to be
13:09 < krzie> !logfile
13:09 < vpnHelper> krzie: "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info
13:09 < ljsdofuynsdfufuh> well, I'm kinda running something different
13:10 < ljsdofuynsdfufuh> openvpn using the applet on maemao
13:10 < ljsdofuynsdfufuh> maemo*
13:10 < krzie> whats maemo
13:10 < ljsdofuynsdfufuh> which is the open source OS on some cell phones
13:10 < krzie> oh nokia
13:10 < ljsdofuynsdfufuh> yeah
13:11 < krzie> what model phone
13:11 < ljsdofuynsdfufuh> n900
13:12 < krzie> http://wiki.maemo.org/OpenVPN
13:12 < vpnHelper> Title: OpenVPN - maemo.org wiki (at wiki.maemo.org)
13:14 -!- ljsdofuynsdfufuh is now known as timetochange
13:16 < krzie> did you download and install the maemo client in addition to the applet?
13:17 < krzie> you dont need any of the config options on that page if you dont push DNS
13:22 < krzie> in all reality, what you're running into might not even be from openvpn... since you need to run a modified openvpn on nokia
13:23 < krzie> but i know their modified version does work, because i started a thread on the mail list talking about different cell phones that can use openvpn, and someone reported their n900 working
13:35  * kisom is at the club
13:35 < kisom> unts unts unts
13:35 < kisom> ssh on the phone is a life saver
13:36 < krzie> no more rooting drunk
13:37 < timetochange> yeah I got both openvpn client and applet
13:37 < kisom> i removed myself from wheel
13:37 < kisom> no worries
13:44 -!- WormFood [~wormfood@219.134.136.82] has quit [Ping timeout: 276 seconds]
13:44 < timetochange> okay, krzie, I finally have some output for you
13:44 < timetochange> "no kernel support for  AF INET6 (tcp)" is all i get when I  netstat -tn | grep 1194
13:45 < krzie> sounds very specific to your device
13:45 < krzie> i suggest the maemo-users mail list
13:46 < krzie> https://maemo.org/mailman/listinfo/maemo-users
13:46 < vpnHelper> Title: maemo-users Info Page (at maemo.org)
13:46 < timetochange> maybe that is just a warning?
13:46 < timetochange> or unrelated to not being able to connect?
13:47 < krzie> no kernel support sounds a lil more serious than a warning
13:47 < krzie> and i know nothing about nokia internals
13:52 < timetochange> http://talk.maemo.org/showthread.php?t=38700 this guy has the same message, but he doesnt seem to mind
13:52 < vpnHelper> Title: Open Ports on Fremantle/N900 - maemo.org - Talk (at talk.maemo.org)
13:56 -!- WormFood [~wormfood@219.134.136.201] has joined ##openvpn
14:19 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: Leaving]
14:25 -!- tehif [~if@169.Red-83-61-142.dynamicIP.rima-tde.net] has joined ##openvpn
14:25 < tehif> !welcome
14:25 < vpnHelper> tehif: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:26 < tehif> Hello all.
14:27 < timetochange> yeah, I've no idea what socket.connect() failed mens
14:27 < timetochange> means*
14:35 < tehif> http://pastebin.com/XpGdfVae
14:36 < tehif> Connection is inicited okay, but I dont have ping from 10.1.0.1 to 10.1.0.2
14:36 < tehif> iniciated*
16:29 -!- DrPepper [~DrPepper@88.207.194.0] has quit [Quit: Leaving...]
17:02 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Connection reset by peer]
17:02 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
17:08 < timetochange> I'm having problems here
17:09 < timetochange> i don't see any openvpn connection in lsof -i
17:09 < krzee> timetochange, didnt i tell you that you should go to the maemo mail list?
17:10 < timetochange> when i try to start one it says: [time] link remote : [undef]
17:10 < krzee> you arent using standard openvpn
17:10 < timetochange> yeah, but i think my problem is due to lack of understanding openvpn
17:10 < timetochange> i found that error to be "regular"
17:10 < krzee> you are using a custom maemo version
17:10 < krzee> ok well i have an understanding of openvpn, and i suggest going to the maemo mail list
17:10 < krzee> lol
17:11 < krzee> or the openvpn-users mail list
17:11 < krzee> since theres nokia users on there
17:11 < krzee> if you choose the openvpn mail list, make sure the topic has the fact its maemo
17:11 < krzee> to catch attention of the nokia users
17:11 < krzee> !mail
17:11 < vpnHelper> krzee: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
17:12 < krzee> tehif,
17:12 < krzee> !logs
17:12 < vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
17:12 < krzee> !configs
17:12 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
17:27 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
17:41 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
17:59 -!- smerz [~smerz@smerz.demon.nl] has quit [Remote host closed the connection]
18:16 -!- killown is now known as manel
18:16 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 260 seconds]
18:18 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
18:21 -!- manel is now known as geek
18:21 -!- geek [~killown@unaffiliated/killown] has quit [Changing host]
18:21 -!- geek [~killown@unaffiliated/geek] has joined ##openvpn
18:33 -!- geek [~killown@unaffiliated/geek] has quit [Quit: Saindo]
18:34 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
19:36 -!- Ryuujinx_ [~dewey@64.39.4.132] has joined ##openvpn
19:36 -!- Ryuujinx_ [~dewey@64.39.4.132] has left ##openvpn ["Leaving"]
19:44 < tehif> krzee: just a moment.
20:42 -!- akm2562 [~Andrew@adsl-216-078-201-014.sip.sdf.bellsouth.net] has joined ##openvpn
20:46 < akm2562> i'm having a strange issue with the win client using static keys.  Options error: specify only one of --tls-server, --tls-client, or --secret  Anybody see this before?
20:51 < tehif> and how does look your config ?
20:54 < akm2562> Pretty simple, i think:
20:54 < akm2562> client
20:54 < akm2562> cd C:\\PROGRA~1\\OpenVPN\\bin
20:54 < akm2562> dev tap
20:54 < akm2562> dev-node WDIDataNet-VPN
20:54 < akm2562> proto tcp
20:54 < akm2562> secret static.key
20:54 < akm2562> remote watchdog.snarrow.com 1194
20:54 < akm2562> resolv-retry infinite
20:54 < akm2562> nobind
20:54 < akm2562> persist-key
20:54 < akm2562> persist-tun
20:54 < akm2562> mute-replay-warnings
20:54 < akm2562> cipher BF-CBC
20:59 < akm2562> very sorry
20:59 < akm2562> pasted in wrong window
20:59 < akm2562> http://pastebin.com/4m0hKcsF
21:00 < tehif> sec.
21:01 < tehif> I have a working tun config for windows 7
21:01 < tehif> are you interested to see it ?
21:02 < akm2562> sure
21:04 < tehif> http://pastebin.com/eeZxDkcz
21:04 < tehif> here
21:05 < tehif> with bat file, and read the note.
21:14 < akm2562> where is your key located?
21:14 < akm2562> what dir?
21:29 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
21:35 < tehif> akm2562: at the config dir.
21:35 < tehif> in the config dir*
21:41 < kisom> drunk as hell
21:42 < kisom> cant alepppt eitheyr
21:42 < kisom> cant sleep
21:47 < tehif> :D
22:04 < kisom> what rhw fuck happened tonigt
22:04 < kisom> 5 am over here
22:04 < kisom> im in an apartment somewhere
22:05 < kisom> cant sleep with alvohole in öy blood
22:12 < tehif> it's 5 am here too
22:12 < tehif> I guess I go to sleep.
22:24 < kisom> im in some chicks apartmenr
22:24 < kisom> i shoukd bail
22:25 < kisom> this is the time to bail home so i sont have to face the consiquenses tomorrow
22:25 < kisom> bail it is
22:25 < kisom> bbl
22:38 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
23:00 -!- akm2562 [~Andrew@adsl-216-078-201-014.sip.sdf.bellsouth.net] has quit [Ping timeout: 264 seconds]
--- Day changed Sun Jul 04 2010
00:20 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Ping timeout: 260 seconds]
00:23 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
00:34 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
00:36 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
00:46 -!- kish [~o2@unaffiliated/spice] has quit [Ping timeout: 276 seconds]
00:47 -!- kish [~o2@unaffiliated/spice] has joined ##openvpn
02:30 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
03:06 -!- timetochange [~madtop@c-24-14-240-149.hsd1.il.comcast.net] has quit [Quit: Leaving.]
03:07 -!- cp7 [nebula@75-54-230-125.lightspeed.sntcca.sbcglobal.net] has quit [Quit: ircN 8.00 for mIRC (20080809) - www.ircN.org]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 -!- n0sq_ [~quassel@65.41.216.18] has quit [Read error: Connection reset by peer]
03:39 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
04:03 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
04:38 -!- chantra [~chantra@unaffiliated/chantra] has quit [Ping timeout: 260 seconds]
04:56 -!- tehif [~if@169.Red-83-61-142.dynamicIP.rima-tde.net] has quit [Quit: que bueno]
04:58 -!- Abhishek_SIngh [~Abhishek@115.242.4.146] has joined ##openvpn
05:09 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
05:09 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
06:16 -!- chantra [~chantra@unaffiliated/chantra] has joined ##openvpn
06:40 -!- Abhishek_SIngh [~Abhishek@115.242.4.146] has quit [Ping timeout: 240 seconds]
07:00 -!- chantra [~chantra@unaffiliated/chantra] has quit [Ping timeout: 264 seconds]
07:01 -!- killermouse0 [~killermou@gsv95-1-82-233-12-23.fbx.proxad.net] has quit [Ping timeout: 260 seconds]
07:05 -!- killermouse0 [~killermou@gsv95-1-82-233-12-23.fbx.proxad.net] has joined ##openvpn
07:40 -!- killermouse0 [~killermou@gsv95-1-82-233-12-23.fbx.proxad.net] has quit [Ping timeout: 248 seconds]
07:44 -!- mape2k [~mape2k@p5B284CD2.dip.t-dialin.net] has joined ##openvpn
07:47 -!- killermouse0 [~killermou@gsv95-1-82-233-12-23.fbx.proxad.net] has joined ##openvpn
07:49 -!- killermouse0 [~killermou@gsv95-1-82-233-12-23.fbx.proxad.net] has quit [Read error: Connection reset by peer]
07:50 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
07:52 -!- killermouse0 [~killermou@gsv95-1-82-233-12-23.fbx.proxad.net] has joined ##openvpn
08:00 -!- Abhishek_SIngh [~Abhishek@115.240.47.50] has joined ##openvpn
08:17 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
08:18 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
08:20 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
08:28 -!- Abhishek_SIngh [~Abhishek@115.240.47.50] has quit [Ping timeout: 245 seconds]
08:34 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
08:47 -!- Abhishek_SIngh [~Abhishek@115.242.16.85] has joined ##openvpn
08:56 -!- Abhishek_SIngh [~Abhishek@115.242.16.85] has quit [Ping timeout: 265 seconds]
09:30 -!- Abhishek_SIngh [~Abhishek@115.240.5.135] has joined ##openvpn
09:36 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
09:38 -!- mape2k [~mape2k@p5B284CD2.dip.t-dialin.net] has quit [Quit: Leaving]
09:44 -!- Abhishek_SIngh [~Abhishek@115.240.5.135] has quit [Ping timeout: 260 seconds]
09:47 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
10:18 -!- ivenkys [~ivenkys@81.168.100.197] has joined ##openvpn
10:19 -!- ivenkys [~ivenkys@81.168.100.197] has quit [Changing host]
10:19 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined ##openvpn
10:49 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
10:49 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
11:01 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
11:26 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:41 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Operation timed out]
11:42 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
11:42 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
11:46 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
11:48 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
11:48 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
11:49 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
12:21 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
12:23 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Client Quit]
12:37 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
12:40 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
12:41 -!- f1assistance1 [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
12:41 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Client Quit]
12:45 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has quit [Ping timeout: 265 seconds]
12:45 -!- f1assistance1 [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
12:52 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
13:05 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
13:10 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has quit [Remote host closed the connection]
13:13 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
13:13 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
13:52 < krzie> !linnat
13:52 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
13:52 < krzie> !linipforward
13:52 < vpnHelper> krzie: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
14:00 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
14:01 < krzie> whoa i never knew reiffert was involved with macports
14:15 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
14:28 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: Leaving]
14:32 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
14:45 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Quit: Leaving]
14:46 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has joined ##openvpn
14:48 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
14:51 < Bushmills> ah. he's using Macs as his portable devices
15:03 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Read error: Operation timed out]
15:19 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
15:40 -!- gamla_kossan [~mjau@c-6440e155.1163-1-64736c10.cust.bredbandsbolaget.se] has quit [Ping timeout: 252 seconds]
15:56 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
16:17 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
16:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
16:34 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
16:51 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 240 seconds]
16:53 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
16:53 -!- clyons_ [~clyons@unaffiliated/clyons] has quit [Quit: Leaving]
17:01 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 240 seconds]
17:44 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
17:44 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
17:47 -!- int_0x80_ [~int_0x80@unaffiliated/int-0x80-/x-6755640] has joined ##openvpn
17:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
18:14 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
18:14 -!- takamichi [~pri@78.133.38.201] has quit [Ping timeout: 260 seconds]
18:28 < int_0x80_> a french here please ?
18:30 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
18:33 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:42 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
18:49 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
19:21 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
19:22 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
19:29 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: Leaving]
19:29 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
19:59 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
20:07 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
20:19 -!- tjz [~pc@bb116-14-142-7.singnet.com.sg] has joined ##openvpn
20:19 -!- tjz [~pc@bb116-14-142-7.singnet.com.sg] has quit [Changing host]
20:19 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:34 -!- akm2562 [~Andrew@166.192.122.32] has joined ##openvpn
20:42 < akm2562> hello all. i need some help. my vpn server has a tun address of 10.0.8.1. my client is .2. they can talk fine. tun0 from the server talks to 192.168.1.1 (lan gateway) fine.
20:42 < akm2562> but the client cant see the lan gateway.
20:43 < akm2562> any idea what im missing here?
20:52 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
20:53 < krzie> lan is behind server?
20:54 < akm2562> lan gw and vpn server same hardware
20:55 < krzie> virtualized or same install?
20:55 < krzie> !factoids search outside
20:55 < vpnHelper> krzie: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
20:55 < krzie> !learn serverlan as for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn)
20:55 < vpnHelper> krzie: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
20:56 < krzie> !learn serverlan as for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn)
20:56 < vpnHelper> krzie: Joo got it.
20:57 < krzie> !learn serverlan as for a lan behind a server, the client must have ip forwarding enabled (!ipforward), the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn)
20:57 < vpnHelper> krzie: Joo got it.
20:57 < krzie> grr
20:57 < krzie> !forget serverlan 2
20:57 < vpnHelper> krzie: Joo got it.
20:58 -!- networkn [networkn@smtp.sapphiresolutions.co.nz] has joined ##openvpn
20:58 < krzie> !learn clientlan as for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn)
20:58 < vpnHelper> krzie: Joo got it.
20:58 < networkn> hi there, dumb question, how do I make openvpn start as service on linux?
20:58 < krzie> !learn serverlan as see !route for a better explanation
20:58 < vpnHelper> krzie: Joo got it.
20:58 < krzie> !learn clientlan as see !route for a better explanation
20:58 < vpnHelper> krzie: Joo got it.
20:59 < krzie> networkn, however your OS does it
20:59 < krzie> not really an openvpn question
20:59 < krzie> more of a <insert your linux distro here> question
20:59 < krzie> !notovpn
20:59 < vpnHelper> krzie: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
20:59 < networkn> krzee: well I would imagine for most popular distros the procedure would largely be the same no?
21:00 < krzie> networkn, no idea
21:00 < krzie> in freebsd you put entries in the rc.conf file
21:00 < networkn> oh you run freebds
21:00 < networkn> oh you run freebsd
21:00 < krzie> and the script in /usr/local/etc/rc.d/ would read those when it runs
21:00 < krzie> but your distro will have a standard way
21:00 < networkn> ok thanks
21:01 < krzie> np
21:01 < krzie> some linux just runs all configs in a dir with .conf extension
21:01 < krzie> but i dunno which or what dir
21:09 < tjz> youtube got hacked...
21:09 < tjz> now they fix the bug
21:09 < tjz> :D
21:10 < tjz> hi krzie
21:10 < tjz> :D
21:12 < krzie> hi
21:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
21:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
21:35 -!- TDJACR [~TDJACR@unaffiliated/tdjacr] has quit [Read error: Operation timed out]
21:36 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
21:43 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
21:57 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
22:23 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
22:46 < Bushmills> krzie: debian does.  therefore probably also debian based distributions
22:47 < Bushmills>  *.conf in /etc/openvpn, by default
23:14 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
23:15 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
23:44 -!- takamichi [~pri@78.133.38.201] has joined ##openvpn
--- Day changed Mon Jul 05 2010
00:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
00:47 -!- kish [~o2@unaffiliated/spice] has quit [Ping timeout: 265 seconds]
00:49 -!- kish [~o2@unaffiliated/spice] has joined ##openvpn
01:16 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:16 -!- mode/##openvpn [+o mattock] by ChanServ
01:22 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has quit [Read error: Connection reset by peer]
02:02 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:37 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:58 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:02 -!- TVC [~TVC@115-64-85-159.static.tpgi.com.au] has joined ##openvpn
03:02 < TVC> !howto
03:02 < vpnHelper> TVC: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:04 < kraut> moin
03:04 < Bushmills> grias di
03:08 -!- bergquist [~bergquist@outside.bergnet.se] has joined ##openvpn
03:08 < bergquist> !howto
03:08 < vpnHelper> bergquist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:08 < bergquist> !welcome
03:08 < vpnHelper> bergquist: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:16 < krzie> !goal
03:16 < vpnHelper> krzie: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
03:29 < TVC> i get this error when trying to run openvpn on debian: "Cannot load certificate file server.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CT$" what is the problem?
03:33 < macsppadic> morning all 
03:33 < macsppadic> TVC - permissions all ok ?
03:34 < TVC> i just followed this guide: http://switzernet.com/public/081215-openvpn-server/main.htm
03:34 < vpnHelper> Title: Install openvpn server on debian (at switzernet.com)
03:34 < TVC> openssl is up to date with repo
03:36 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:48 < TVC> macsppadic, any idea?
03:49 < TVC> full log: http://pastebin.com/UqvXhXyq
03:51 < macsppadic> TVC cud u post the config as well 
03:51 < TVC> ok
03:53 < TVC> macsppadic: http://pastebin.com/vyPwG0rY
03:56 < macsppadic> TVC are u running the openvpn as user root then ?
03:56 < TVC> yes
03:57 < macsppadic> just to check u have the .crt files are all right place n right perms
03:57 < TVC> yes, ill take a screenshot of the directory
03:57 < TVC> to make sure
03:58 < macsppadic> that error lookls like a format issue with PEM
03:59 < TVC> macsppadic: http://www.filepak.com/8/6_directory.png
04:01 < macsppadic> TVC just noticed the server.crt file is size 0 ?
04:01 < TVC> oh
04:01 < TVC> odd
04:02 < TVC> macsppadic, i followed this guide: http://switzernet.com/public/081215-openvpn-server/main.htm is there anything else i have to do to get the server certificate
04:02 < vpnHelper> Title: Install openvpn server on debian (at switzernet.com)
04:03 < macsppadic> can u open up the server.crt file 
04:03 < macsppadic> see what its got in there 
04:05 < krzie> TVC,
04:05 < TVC> ?
04:06 < krzie> !fullpath
04:06 < vpnHelper> krzie: Error: "fullpath" is not a valid command.
04:06 < krzie> !path
04:06 < vpnHelper> krzie: "path" is always use full paths in your config file, it makes things easier
04:06 < TVC> uh
04:06 < TVC> could i use ./<file>
04:06 < krzie> no
04:07 < krzie> but you can use cd in the config
04:07 < krzie> above the other entries
04:12 < krzie> !win_rollup
04:12 < vpnHelper> krzie: "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
04:12 < krzie> (not for you)
04:13 < TVC> ok, got the first error gone
04:13 < TVC> Mon Jul  5 09:12:18 2010 ROUTE default_gateway=192.0.2.1
04:13 < TVC> Mon Jul  5 09:12:18 2010 Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
04:13 < TVC> Mon Jul  5 09:12:18 2010 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
04:13 < TVC> Mon Jul  5 09:12:18 2010 Cannot allocate TUN/TAP dev dynamically
04:13 < TVC> second error ^
04:13 < TVC> how do i create the /dev/net/tun
04:14 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
04:20 < krzie> load the kernel module
04:20 < krzie> or compile it into your kernel staticly
04:23 < macsppadic> nice spot on the filename kraut 
04:23 < macsppadic> krzie even
04:24 < macsppadic> or path shud i say 
04:24  * kraut slaps macsppadic 
04:24 < krzie> moin kraut 
04:25 < macsppadic> apologies - tab completion... :-)
04:25 < kraut> grützi!
04:36 -!- takamichi [~pri@78.133.38.201] has quit [Ping timeout: 240 seconds]
04:36 -!- takamichi [~pri@94.75.217.251] has joined ##openvpn
05:17 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
05:23 -!- takamichi [~pri@94.75.217.251] has quit [Ping timeout: 240 seconds]
05:23 -!- takamichi [~pri@78.133.38.201] has joined ##openvpn
06:31 -!- ksk [~ksk@im.knubz.de] has joined ##openvpn
06:31 < ksk> hello 
06:31 < ksk> !welcome
06:31 < vpnHelper> ksk: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:39 < ksk> are openvpn.se related questions welcome in here?
06:43 -!- baffle_ is now known as baffle
06:44 -!- bergquist [~bergquist@outside.bergnet.se] has left ##openvpn []
06:53 -!- JackCorleone [~Jack@187.11.184.68] has joined ##openvpn
07:01 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Read error: Connection reset by peer]
07:01 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
07:04 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
07:35 -!- freaky[t] [alpha@freakyy.de] has quit [Ping timeout: 245 seconds]
07:38 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
07:57 -!- gorkhaan [~gorkhaan@adsl-101-10.globonet.hu] has joined ##openvpn
08:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:28 -!- akm2562 [~Andrew@166.192.122.32] has quit [Read error: Connection reset by peer]
08:29 -!- nash [~nash@123.139.28.122] has joined ##openvpn
08:31 < nash> hello... can someone point me in the direction of a howto to get around a firewall: I have server outside, plus a couple of linux + windows 7 boxes inside
08:31 < henk> nash: the firewall admin probably.
08:32 < hyper_ch> just open the according port on that firewall
08:33 < nash> Sorry, I'm not explaining well.. The Firewall is Chinese govs one... they desired result is unfiltered internet access
08:34 < nash> So basically it's machines here (china) -> openvpn server in U.S.
08:34 < nash> no idea how to set up either I'm afraid
08:35 < nash> But I'm sure I'm not the first, I just can't find a howto that is useful
08:35 < Bushmills> !howto
08:35 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:35 < Bushmills> nash: ^^^
08:36 < Bushmills> !redirect
08:36 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
08:36 < Bushmills> nash: ^^^
08:37 < nash> Bushmills: okay... I'll start reading.
08:37 < nash> Thank you
08:37 < nash> !ipforward
08:37 < vpnHelper> nash: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
08:38 < nash> !linipforward
08:38 < vpnHelper> nash: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
08:45 -!- gorkhaan [~gorkhaan@adsl-101-10.globonet.hu] has quit [Remote host closed the connection]
08:45 < nash> !winipforward
08:45 < vpnHelper> nash: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
08:51 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
08:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
08:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
09:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:22 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
09:51 -!- gorkhaan [~gorkhaan@adsl-101-10.globonet.hu] has joined ##openvpn
10:02 -!- gorkhaan [~gorkhaan@adsl-101-10.globonet.hu] has quit [Remote host closed the connection]
10:13 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
10:17 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:17 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Read error: Connection reset by peer]
10:18 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
10:20 -!- DJ_HaMsTa [~werwer@unaffiliated/dj-hamsta/x-2342346] has joined ##openvpn
10:21 < DJ_HaMsTa> what is the standard way to retrieve the .ca keys from the server, ftp ?
10:25 < hyper_ch> scp
10:25 < ksk> ftp is not that secure, is it?
10:25 < hyper_ch> ftp is not secure at all
10:26 < Zathraz> it beats a pastebin ;-)
10:26 < ksk> our "openvpn-maintainer" sends the required files via pgp-crypted email
10:26 < DJ_HaMsTa> how to scp ?
10:26 < ksk> man scp
10:27 < hyper_ch> scp file user@remote:/path/to/store/
10:27 < ksk> its similar to "cp"
10:27 < Zathraz> or when on Windows use winscp
10:27 < DJ_HaMsTa> ugh tried to connect via winscp but just wont work
10:27 < ksk> you have sshd running on the server?
10:28 < DJ_HaMsTa> i can connect to it via ssh... 
10:28 < DJ_HaMsTa> donno if its sshd
10:28 < DJ_HaMsTa> wait!
10:28 < DJ_HaMsTa> d is for daemon
10:28 < ksk> :)
10:28 < DJ_HaMsTa> yes, has to be sshd
10:28 < DJ_HaMsTa> received too large error
10:28 < hyper_ch> if you can ssh into the server, then some sshd is running there
10:29 < DJ_HaMsTa> http://winscp.net/eng/docs/message_large_packet
10:29 < DJ_HaMsTa> error i get
10:29 < vpnHelper> Title: WinSCP :: Received too large (... B) SFTP packet. Max supported packet size is 102400 B (at winscp.net)
10:29 < hyper_ch> DJ_HaMsTa: you're on a linux client?
10:29 < DJ_HaMsTa> client is windows, server is centOS
10:29 < hyper_ch> people still use windows? ^^
10:29 < DJ_HaMsTa> i KNOW right!
10:30 < hyper_ch> use filezilla then
10:30 < DJ_HaMsTa> ubuntu 10.4 is enough to put windows out of business
10:30 < hyper_ch> and enter port 22 for the connection
10:30 < DJ_HaMsTa> omfg it works
10:31 < DJ_HaMsTa> awww
10:31 < DJ_HaMsTa> Status:	Connected to 208.94.244.70 / Error:	Connection timed out
10:33 < hyper_ch> you could also copy the file to a webaccessible dir
10:33 < hyper_ch> and download it from there
10:34 -!- theDoc [~link@unaffiliated/thedoc] has joined ##openvpn
10:45 < DJ_HaMsTa> cant dl .key files
10:45 < DJ_HaMsTa> via http
10:45 < DJ_HaMsTa> was able to get the rest
10:56 < ksk> u know u can copy`n`paste these files?
10:56 < ksk> btw, why cant u?
10:57 < ksk> are the files accessible by the webserver?
10:57 < ksk> did i mention that downloading them via http is evil?
10:57 < DJ_HaMsTa> yea i placed them in the /www dir and i was able to get all files with diff extentions like .pem / crt but .key just displays a forbiden page
10:58 < ksk> ye
10:58 < DJ_HaMsTa> yea i dont have the fbi after me 
10:58 < theDoc> permissions on the file?
10:58 < ksk> i guess there just accessible by the ohner
10:58 < ksk> and not others..
10:58 < Bushmills> tar them all into one archive
10:58 < Bushmills> that way permissions are kept, and won't disturb downloading
11:07 -!- TVC [~TVC@115-64-85-159.static.tpgi.com.au] has quit [Quit: Server Connection Executed]
11:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
11:25 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:29 -!- nash [~nash@123.139.28.122] has quit [Remote host closed the connection]
11:42 -!- int_0x80_ [~int_0x80@unaffiliated/int-0x80-/x-6755640] has left ##openvpn ["Quitte"]
11:46 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:51 -!- openvpn2009 [patel@matrix.openvpn.org] has quit [Remote host closed the connection]
11:51 -!- openvpn2009 [root@matrix.openvpn.org] has joined ##openvpn
11:51 -!- openvpn2009 is now known as Guest12047
11:52 -!- Guest12047 is now known as openvpn2009
11:53 -!- openvpn2009 [root@matrix.openvpn.org] has quit [Remote host closed the connection]
11:53 -!- Guest12047 [~admin@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
11:53 -!- mode/##openvpn [+v Guest12047] by ChanServ
11:54 -!- Guest12047 is now known as openvpn2009
12:01 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
12:03 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
12:05 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
12:20 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
12:42 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:45 -!- theDoc [~link@unaffiliated/thedoc] has quit [Ping timeout: 276 seconds]
13:02 -!- f1assistance1 [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
13:03 -!- f1assistance1 [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
13:14 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has left ##openvpn []
13:14 -!- theDoc [~link@bb121-6-220-19.singnet.com.sg] has joined ##openvpn
13:14 -!- theDoc [~link@bb121-6-220-19.singnet.com.sg] has quit [Client Quit]
13:14 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Read error: Operation timed out]
13:29 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
13:39 -!- WormFood [~wormfood@219.134.136.201] has quit [Ping timeout: 252 seconds]
13:52 -!- WormFood [~wormfood@219.133.100.60] has joined ##openvpn
13:56 -!- JackCorleone [~Jack@187.11.184.68] has quit [Read error: Connection reset by peer]
14:07 < DJ_HaMsTa> i was able to transfer the .key .crt files to 
14:08 < DJ_HaMsTa> i was able to transfer the .key .crt files to \config folder pasted the client.ovpn into there as well (sample config) edited and placed my server's ip address
14:08 < DJ_HaMsTa> using windows openvpn to connect
14:08 < DJ_HaMsTa> get error Cannot load certificate file client.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
14:24 < kisom> DJ_HaMsTa: did you read the error message?
14:24 < kisom> fopen:No such file or directory
14:24 < kisom> check your paths
14:25 < krzie> !path
14:25 < vpnHelper> krzie: "path" is always use full paths in your config file, it makes things easier
14:44 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: Leaving]
15:10 < DJ_HaMsTa> openvpn server never generated a client.key!
15:25 < Bushmills> that's right.  administrator needs to generate it. openvpn will merely use it.
15:33 < kisom> DJ_HaMsTa: openvpn never generates certificates.. :)
15:33 < kisom> read the how-to, its pretty good
15:36 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
15:49 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Read error: Operation timed out]
15:54 -!- DJ_HaMsTa [~werwer@unaffiliated/dj-hamsta/x-2342346] has quit [Ping timeout: 276 seconds]
15:58 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
16:04 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
16:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
16:45 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
16:50 -!- killown [~killown@unaffiliated/killown] has quit [Quit: tudo é informação > decodificação > 'resposta: não necessário', sem informação não tem decodificação e sem decodificação a informação não tem utilidade :D]
16:51 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
17:07 -!- takamichi [~pri@78.133.38.201] has quit [Ping timeout: 260 seconds]
17:07 -!- takamichi [~pri@78.133.38.201] has joined ##openvpn
17:21 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Quit: No Ping reply in 90 seconds.]
17:23 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
17:26 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
17:38 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
17:55 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Read error: Connection reset by peer]
18:00 -!- blueboxthief [~None_of_y@81.34.120.169] has joined ##openvpn
18:01 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
18:16 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
18:21 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
18:21 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
18:33 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
18:44 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
19:03 -!- blueboxthief [~None_of_y@81.34.120.169] has quit [Ping timeout: 276 seconds]
19:22 -!- DJ_HaMsTa [~werwer@c-76-124-85-42.hsd1.nj.comcast.net] has joined ##openvpn
19:25 -!- blueboxthief [~None_of_y@81.34.120.169] has joined ##openvpn
19:30 -!- blueboxthief [~None_of_y@81.34.120.169] has quit [Ping timeout: 276 seconds]
19:36 -!- blueboxthief [~None_of_y@81.34.120.169] has joined ##openvpn
19:37 < krzee> !certverify
19:37 < vpnHelper> krzee: "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
19:45 -!- blueboxthief [~None_of_y@81.34.120.169] has quit [Ping timeout: 276 seconds]
19:45 -!- blueboxthief [~None_of_y@81.34.120.169] has joined ##openvpn
19:51 < krzee> !confgen
19:51 < vpnHelper> krzee: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
19:58 -!- blueboxthief [~None_of_y@81.34.120.169] has quit [Ping timeout: 276 seconds]
20:06 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
20:39 -!- blueboxthief [~None_of_y@81.34.120.169] has joined ##openvpn
20:44 -!- krzie [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
20:50 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
21:01 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 276 seconds]
21:07 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
21:18 -!- tjz [~pc@unaffiliated/tjz] has quit [Read error: Connection reset by peer]
21:24 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
21:46 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
22:45 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
22:47 -!- networkn [networkn@smtp.sapphiresolutions.co.nz] has quit [Ping timeout: 276 seconds]
22:51 -!- networkn [networkn@smtp.sapphiresolutions.co.nz] has joined ##openvpn
22:51 -!- Some_Person [~GoodPerso@unaffiliated/someperson/x-249303] has joined ##openvpn
22:52 < Some_Person> !welcome
22:52 < vpnHelper> Some_Person: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
22:53 < Some_Person> !goal
22:53 < vpnHelper> Some_Person: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
22:53 < Some_Person> !howto
22:53 < vpnHelper> Some_Person: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
23:02 -!- Some_Person [~GoodPerso@unaffiliated/someperson/x-249303] has quit [Ping timeout: 240 seconds]
23:15 -!- Some_Person [~GoodPerso@99-99-216-226.lightspeed.hstntx.sbcglobal.net] has joined ##openvpn
23:15 -!- DJ_HaMsTa [~werwer@c-76-124-85-42.hsd1.nj.comcast.net] has quit [Ping timeout: 260 seconds]
23:16 < Some_Person> I'm confused by the config procedure for a server on Windows
23:17 < Some_Person> My goal is to setup something on port 110 that my Android phone can connect to
23:21 < Some_Person> I just want something simple that my phone can access the internet through
23:24 -!- Some_Person [~GoodPerso@99-99-216-226.lightspeed.hstntx.sbcglobal.net] has quit []
23:24 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
23:34 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
23:34 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Excess Flood]
23:35 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
23:43 -!- DJ_HaMsTa [~werwer@c-76-124-85-42.hsd1.nj.comcast.net] has joined ##openvpn
23:45 -!- DJ_HaMsTa [~werwer@c-76-124-85-42.hsd1.nj.comcast.net] has quit [Changing host]
23:45 -!- DJ_HaMsTa [~werwer@unaffiliated/dj-hamsta/x-2342346] has joined ##openvpn
--- Day changed Tue Jul 06 2010
00:19 < Bushmills> why do people need to state their intentions before setting out to actually do what they intend to?
00:20 < Bushmills> i observe that with little children, that any of their actions is accompanied by a verbal description of what they do
00:41 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
00:49 -!- kish [~o2@unaffiliated/spice] has quit [Ping timeout: 260 seconds]
00:51 -!- kish [~o2@unaffiliated/spice] has joined ##openvpn
01:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
01:14 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
01:30 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:30 -!- mode/##openvpn [+o mattock] by ChanServ
01:50 < krzie> !windows
01:50 < vpnHelper> krzie: "windows" is pcs are like air conditioners, they work fine unless you open windows
02:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
02:25 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:54 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
03:01 < kraut> moin
03:02 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:04 -!- gorkhaan [~gorkhaan@adsl-101-10.globonet.hu] has joined ##openvpn
03:17 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
03:17 < DJ_HaMsTa> whats the command to build a client key on the server side ?
03:21 < macsppadic> DJ_HaMsTa: ./build-key-pass 
03:21 < macsppadic> shud b in the docs 
03:26 < DJ_HaMsTa> seems simple, install openvpn, make keys, throw them to client, done
03:29 -!- batrick [~batrick@batbytes.com] has joined ##openvpn
03:30 -!- Abhishek_SIngh [~Abhishek@115.240.127.63] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:42 < batrick> Can someone please help me figure out why I can't set a static IP for my client. Configuration pastey: http://random.pastey.net/138330  Client Log: http://random.pastey.net/138331  Server Log: http://random.pastey.net/138332
03:49 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
03:56 -!- ergergerg [~werwer@c-76-124-85-42.hsd1.nj.comcast.net] has joined ##openvpn
03:56 -!- DJ_HaMsTa [~werwer@unaffiliated/dj-hamsta/x-2342346] has quit [Read error: Connection reset by peer]
03:58 -!- ergergerg [~werwer@c-76-124-85-42.hsd1.nj.comcast.net] has quit [Client Quit]
04:14 < Bushmills> what are the permissions of /etc/openvpn/ccd and  /etc/openvpn/ccd/batbytes?
04:21 < macsppadic> morning Bushmills 
04:26 < batrick> http://random.pastey.net/138338
04:26 < batrick> Bushmills: ^
04:26 < batrick> but the permissions on /etc/openvpn are 700
04:30 < batrick> *sigh*
04:30 < batrick> it was permissions on /etc/openvpn
04:31 < batrick> thanks Bushmills !!! :)
04:34 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
04:45 < Bushmills> 'morning macsppadic
04:48 < macsppadic> morning indeed
04:55 -!- batrick [~batrick@batbytes.com] has quit [Quit: leaving]
04:55 -!- batrick [~batrick@batbytes.com] has joined ##openvpn
05:00 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
05:01 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has quit [Ping timeout: 265 seconds]
05:07 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has joined ##openvpn
05:16 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has quit [Ping timeout: 260 seconds]
05:25 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has joined ##openvpn
05:26 < batrick> Is it possible to get two clients on the same Gigabit LAN to talk over the LAN instead through the openvpn server on the faraway internet while still using the openvpn tunnel?
05:29 < Bushmills> no, unless you run one of them as client and server at the same time
05:38 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:59 -!- Netsplit *.net <-> *.split quits: macsppadic
06:02 -!- Netsplit over, joins: macsppadic
06:05 -!- Netsplit *.net <-> *.split quits: macsppadic
06:13 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
06:20 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
06:24 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
06:29 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
07:08 -!- takamichi [~pri@78.133.38.201] has quit [Ping timeout: 240 seconds]
07:08 -!- killown [~killown@unaffiliated/killown] has quit [Ping timeout: 276 seconds]
07:09 -!- takamichi [~pri@94.75.217.251] has joined ##openvpn
07:10 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
07:17 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
07:21 -!- gorkhaan [~gorkhaan@adsl-101-10.globonet.hu] has quit [Remote host closed the connection]
07:23 < ksk> hello guys
07:23 -!- gorkhaan [~gorkhaan@adsl-101-10.globonet.hu] has joined ##openvpn
07:23 < ksk> i got some question about client.ovpn file with win(7)
07:24 < ksk> if i add a statement: "C:\\Users\\user\\AppData\\Local\\openvpn\\vpn.key"
07:24 < ksk> everything is fine
07:25 < ksk> but "key  %LOCALAPPDATA%\\openvpn\\vpn.key" does not work
07:25 < ksk> is there a way to use windows variables inside openvpn(config)?
07:26 < ksk> (the path/variable itself is fine)
07:33 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
07:38 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:57 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has quit [Ping timeout: 264 seconds]
08:05 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has joined ##openvpn
08:10 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
08:26 < cron2> ksk: as far as I know, no, there is no variable substitution (yet)
08:41 < ksk> okay, thanks
08:41 < ksk> so i need a script to hardcode the path... mhmkay..
08:44 < Bushmills> ksk: or massage the config with a script which does subsitution
08:46 -!- takamichi [~pri@94.75.217.251] has quit [Ping timeout: 248 seconds]
08:46 -!- takamichi [~pri@78.133.38.201] has joined ##openvpn
09:06 -!- Abhishek_SIngh [~Abhishek@115.240.127.63] has quit [Ping timeout: 245 seconds]
09:14 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:14 -!- _Tassadar [~tassadar@tassadar.xs4all.nl] has joined ##openvpn
09:14 < _Tassadar> hi
09:15 < _Tassadar> is there a way to use openvpn in a server-like mode (i.e. allowing multiple clients to connect to a single port) -and- use real p2p tunnels at the same time?
09:16 < _Tassadar> if i configure openvpn in server mode with topology p2p, then the server will configure only one tunnel endpoint for all connecting clients, instead of separate endpoints for each client
09:16 < _Tassadar> that way, the remote tunnel endpoint (from server perspective) doesn't match the local endpoint from client perspective
09:16 < _Tassadar> software like quagga doesn't play that game very well..
09:20 < ecrist> not sure what you mean
09:22 < Bushmills> _Tassadar: "multiple clients to single port" - yes
09:22 < Bushmills> "real p2p tunnels" - how do those differ from unreal p2p tunnels?
09:23 < Bushmills> "server will configure" - no. p2p mean, each *client* will configure an endpoint which represents server
09:24 -!- notbrien [~notbrien@h-66-134-169-56.nycmny83.static.covad.net] has joined ##openvpn
09:25 < Bushmills> "remote tunnel endpoint...not match local endpoint" - well, yes. that's what p2p is all about
09:25 < Bushmills> client has a represenation of remote of which remote doesn't know anything about (in the sense of remote not being able to bind services to client representation of remote)
09:33 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
09:39 < _Tassadar> hm
09:40 < _Tassadar> well i mean, in p2p mode, you have two peers, peer 1 has its tunnel configured with IP1/IP2 and peer 2 has its tunnel configured with IP2/IP1
09:40 < _Tassadar> right, those IP's match
09:40 < _Tassadar> now in server mode, you have IP1/IP2 server side, and IP3/IP1 client side
09:40 < _Tassadar> and IP4/IP1 for the next client and so forth
09:41 < _Tassadar> so from client's perspective, the remote IP matches the actual local IP on the server
09:41 < _Tassadar> but on the server-side, the remote IP does not match any client
09:42 < _Tassadar> now if you'd run quagga ospfd on the server, it will actually ignore ospf packets that it receives from any client
09:42 < _Tassadar> because the source IP's don't match the tunnel endpoint IP
09:44 < _Tassadar> now what i would like openvpn to do, is on the server side create a dedicated tunnel for each client separately, with separate tun devices
09:44 < _Tassadar> that way, you get simple p2p tunnels with matching IP's on both sides
09:44 < _Tassadar> this implies a tun device per client, and that way quagga/ospfd will work fine
09:45 < _Tassadar> i can of course already make this happen by configuring different openvpn instances, each with its own listening port; but i cannot / don't want to open multiple listening ports
09:46 < _Tassadar> the only way i see to prevent that is by using server mode
09:46 < _Tassadar> hence my question:
09:46 < _Tassadar> is there a possibility to use real p2p tunnels, just like in p2p-mode (non-server-mode) but still have multiple clients connect to the same port ?
09:47 < _Tassadar> or rephrased: is there a way to use quagga/ospfd with openvpn (without using ethernet bridging)?
09:57 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
09:57 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
10:08 -!- daveborg [~dborg@COX-66-210-91-34-static.coxinet.net] has joined ##openvpn
10:09 < daveborg> !welcome
10:09 < vpnHelper> daveborg: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:09 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Quit: Leaving]
10:11 < daveborg> !howto
10:12 < vpnHelper> daveborg: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:13 < daveborg> !route
10:13 < vpnHelper> daveborg: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:15 < Bushmills> _Tassadar: to have a tun device for each client, you need to start openvpn for each client - listening to a different port for each started server 
10:20 < daveborg> Hello everyone. Does anyone feel up to helping me troubleshoot a bandwidth throughput issue that just started occuring?
10:21 < daveborg> I am not able to achieve anything over 1Mbps on a 20 Mbps connection that was working fine a couple weeks ago.
10:26 < _Tassadar> Bushmills: yeah, that's what i was afraid of
10:26 < _Tassadar> so in other words, having one listen port and a tun device per client is not a possible combination
10:28 -!- gorkhaan [~gorkhaan@adsl-101-10.globonet.hu] has quit [Remote host closed the connection]
10:43 -!- daveborg [~dborg@COX-66-210-91-34-static.coxinet.net] has quit [Quit: Leaving]
11:01 < krzie> [06:26]  <batrick> Is it possible to get two clients on the same Gigabit LAN to talk over the LAN instead through the openvpn server on the faraway internet while still using the openvpn tunnel?
11:01 < krzie> [06:29]  <Bushmills> no, unless you run one of them as client and server at the same time
11:01 < krzie> of course it is, you just give them routes bypassing the vpn
11:02 < krzie> to ecachother
11:26 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:26 < Bushmills> hm. i implied "through openvpn"
11:27 < Bushmills> "while still using the openvpn tunnel?"
11:34 -!- killown [~killown@unaffiliated/killown] has quit [Ping timeout: 240 seconds]
11:37 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
11:42 < krzie> i take that to mean "without disconnecting"
11:53 < batrick> my question was a bit long winded but I did mean that the traffic would still go through the vpn somehow
11:54 < krzie> ahh ok, what Bushmills said
11:56 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
12:23 -!- JackCorleone [~Jack@187.11.184.68] has joined ##openvpn
12:28 -!- Some_Person [~Sam@unaffiliated/someperson/x-249303] has joined ##openvpn
12:29 < Some_Person> I'm trying to connect my phone to a server I just set up but the connection isn't working. I don't know if the problem is on the server or phone end. I do not have a computer on a different network to test the server with. What should I do?
12:34 < Bushmills> read logs
12:35 < Some_Person> phone has no logs afaik
12:38 < Some_Person> server logs are showing nothing at all (except where it starts up)
12:40 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
12:41 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
12:42 < Some_Person> ah, just realized I only forwarded the port for tcp and the server's using udp
12:42 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: Leaving]
12:46 < Some_Person> still not working
12:53 < Bushmills> can't you enable logs on client? editing the config and starting up the client again should do 
12:58 < Some_Person> but the client is a cell phone
12:59 < Some_Person> the config is edited via a GUI
13:04 < Bushmills> doesn't matter how it is edited, as long as you can specify where to write the logs to
13:04 < Some_Person> nevermind, I got it to work!
13:04 < Some_Person> It doesn't have any options for logs by the way
13:07 -!- JackCorleone [~Jack@187.11.184.68] has quit [Quit: BRB]
13:23 -!- Some_Person [~Sam@unaffiliated/someperson/x-249303] has quit [Quit: Leaving]
13:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
13:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:40 -!- Some_Person [~Sam@99-99-216-226.lightspeed.hstntx.sbcglobal.net] has joined ##openvpn
13:40 < Some_Person> My phone now connects successfully to the openvpn server, but it can't access anything
13:42 < krzee> what should it access?
13:42 < krzee> !goal
13:42 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:42 < krzee> a standard tunnel should only be able to access the vpn server, by its VPN ip... other stuff takes configuring
13:43 < Some_Person> Apps connecting through the VPN fail to connect to any sites
13:44 < krzee> ahh, so your answer to goal is:   "I would like to access the internet over my vpn"
13:45 < krzee> correct?
13:45 < Some_Person> correct
13:45 < krzee> !redirect
13:45 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:45 < krzee> there ya go
13:45 < Some_Person> Already done that
13:45 < Some_Person> The problem is the phone can't ping any servers or anything
13:45 < Some_Person> so I guess there's something wrong with my server config
13:46 < krzee> can you ping the server by its VPN ip?
13:46 < Some_Person> while connected to the vpn?
13:46 < krzee> obviously
13:46 < krzee> the VPN ip isnt internet routable...
13:47 < krzee> get a log from the client as well
13:47 < Some_Person> No, I can't ping 99.99.216.226 (the static IP of my home network/vpn server)
13:47 < krzee> i want to see if it has errors adding routes
13:47 < krzee> dude
13:47 < krzee> the 
13:47 < krzee> VPN IP
13:47 < krzee> not the external ip
13:47 < Some_Person> Ah
13:47 < Some_Person> sorry
13:48 < Some_Person> Yes, I can ping 192.168.10.1
13:50 < Some_Person> I can also ping 192.168.1.64 (server's IP on the home network) but not 192.168.1.254 (home network's router)
13:51 < krzee> ok so you are also wanting to access the LAN behind the server?
13:51 < krzee> if your NAT was configured right that would work
13:51 < Some_Person> well, more importantly, the internet past that
13:51 < krzee> so your NAT is bad
13:51 < krzee> which is the problem for the internet as well
13:52 < Some_Person> ok, so how do I fix this?
13:52 < krzee> and now i dont need your client log anymore, because i know routes are being added, and furthermore i know what your problem is
13:52 < krzee> by fixing your NAT entry on your server
13:52 < krzee> you said you had already made it...
13:52 < krzee> when i said:
13:52 < krzee> !redirect
13:52 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:52 < krzee> !nat
13:52 < vpnHelper> krzee: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
13:53 < krzee> server is linux?
13:53 < Some_Person> windows
13:53 < krzee> windows server or XP/vista?
13:53 < Some_Person> xp
13:53 < krzee> sorry, XP doesnt do nat
13:54 < krzee> which means you did NOT setup NAT
13:54 < krzee> [11:47]  <vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:54 < krzee> [11:47]  <krzee> there ya go
13:54 < krzee> [11:47]  <Some_Person> Already done that
13:54 < krzee> you obviously didnt read the whole thing
13:54 < Some_Person> no, i didn't
13:54 < Some_Person> so is my goal impossible with an XP server?
13:54 < krzee> dont you think that would help you? (to read the whole thing)
13:54 < krzee> yes, because your OS doesnt do NAT
13:54 < krzee> windows server can...
13:55 < krzee> !winnat
13:55 < vpnHelper> krzee: "winnat" is http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows
13:55 < Some_Person> well damn
13:55 < krzee> get a real os ;]
13:55 < krzee> !windows
13:55 < vpnHelper> krzee: "windows" is pcs are like air conditioners, they work fine unless you open windows
13:56 < Some_Person> Well, this is our only desktop PC, and it's primarily used to run Windows Media Center for our TV
13:56 < krzee> is your router linux/bsd?
13:57 < Some_Person> proprietary :(
13:57 < krzee> or just some netgear/linksys box
13:57 < krzee> some linksys models can run linux, OpenWRT
13:57 < Some_Person> It's an AT&T U-Verse router that runs both internet routing and our telephone
13:57 < krzee> oh
13:58 < krzee> ya, you're screwed unless it can NAT random subnets
13:58 < krzee> in which case you could do the NAT on it
13:58 < krzee> but thats rather unlikely
13:58 < Some_Person> "Public-Private NAT Mappings and Device IP Allocation"?
13:59 < krzee> maybe, but i expect thats for port forwarding and whatnot
13:59 < krzee> if it gives you an area to input a subnet to NAT out to the internet, you are lucky
13:59 < Some_Person> Port forwarding is usually done through "Applications" in the firewall
14:00 < krzee> ive never seen a home dsl/cable router with it, but ive never especially looked either
14:04 < Some_Person> something like this? http://img651.imageshack.us/img651/6117/minefieldk.png
14:06 < Some_Person> yes? no?
14:07 < krzee> no, however you CAN use that to make your setup work for talking to your LAN
14:07 < krzee> err wait
14:07 < krzee> MAYBE that works, maybe not
14:07 < krzee> read your manual to know what thats for
14:07 < krzee> honestly i dunno
14:08 < krzee> for all i know thats for having an extra inet routable subnet from your provider (which is my guess)
14:09 < krzee> which would mean you do not want to use that at all
14:10 < Some_Person> I don't have a true manual for it, just a "quick start guide"
14:11 < krzee> google is your friend
14:13 < Some_Person> I found the service manual provided by 2Wire to ISPs, but the router config doesn't match mine (seems AT&T replaced it with their own)
14:21 < Some_Person> well, what do you suggest I do?
14:21 < krzee> !c2c
14:21 < vpnHelper> krzee: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
14:21 < vpnHelper> krzee: behind other clients
14:27 < Some_Person> I've seen stuff like this that seem to claim that NAT in XP exists: http://forum.codecall.net/tutorials/10175-how-set-up-nat-routing-windows-xp.html
14:27 < vpnHelper> Title: How to set up NAT Routing on Windows XP (at forum.codecall.net)
14:28 < krzee> ok, then go do it
14:28 < krzee> i cant help you with it
14:28 < krzee> i dont do windows
14:29 < krzee> !ipp
14:29 < vpnHelper> krzee: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
14:29 < krzee> (these are for me)
14:29 < krzee> !/30
14:29 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
14:30 < krzee> !topology
14:30 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
14:30 < krzee> !ccd
14:30 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
14:30 < krzee> !static
14:30 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
14:37 < Some_Person> got it working!
14:38 < krzee> =]
14:38 -!- Some_Person [~Sam@99-99-216-226.lightspeed.hstntx.sbcglobal.net] has quit [Changing host]
14:38 -!- Some_Person [~Sam@unaffiliated/someperson/x-249303] has joined ##openvpn
14:38 < krzee> !snapshot
14:38 < vpnHelper> krzee: Error: "snapshot" is not a valid command.
14:38 < krzee> !snapshots
14:38 < vpnHelper> krzee: "snapshots" is (#1) weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn, or (#2) by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch
14:39 -!- derekv [~Real@c-68-62-78-203.hsd1.mi.comcast.net] has joined ##openvpn
14:40 < Some_Person> thanks for helping me, now I have $1/day unlimited prepaid internet on my phone
14:41 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:42 < krzee> Some_Person, what link got you NAT on XP?
14:43 < krzee> ill add it to vpnHelper 
14:44 < Some_Person> I followed this guide: http://www.nanodocumet.com/?p=14
14:44 < vpnHelper> Title: Nano Documet | Real NAT on Windows XP (at www.nanodocumet.com)
14:49 -!- derekv [~Real@c-68-62-78-203.hsd1.mi.comcast.net] has left ##openvpn ["Leaving"]
15:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
15:17 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
15:19 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
15:34 -!- EugeneKay [eugenekay@eugenekay.com] has joined ##openvpn
15:35 -!- EugeneKay [eugenekay@eugenekay.com] has left ##openvpn ["Leaving"]
15:57 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
16:09 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
16:14 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 248 seconds]
16:16 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
16:23 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
16:41 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has joined ##openvpn
17:11 -!- notbrien [~notbrien@h-66-134-169-56.nycmny83.static.covad.net] has quit [Quit: notbrien]
17:14 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
17:30 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
17:47 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
17:47 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
17:56 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
17:57 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
17:59 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
17:59 -!- mode/##openvpn [+v Kas] by ChanServ
17:59 -!- Kas [~Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has left ##openvpn []
18:08 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
18:09 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
18:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
19:39 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
20:19 -!- udk [~evaldo@freenode/staff/udontknow] has joined ##openvpn
20:19 -!- Wowbagger [~evaldo@freenode/staff/udontknow] has quit [Read error: Connection reset by peer]
20:34 < tjz> omg... holland got through to the final!!
20:40 < krzee> !learn winnat as http://www.nanodocumet.com/?p=14 for windows XP
20:40 < vpnHelper> krzee: Joo got it.
20:48 -!- Some_Person [~Sam@unaffiliated/someperson/x-249303] has quit [Quit: Leaving]
21:09 -!- donavan [~donavan@unaffiliated/donavan] has joined ##openvpn
22:22 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
22:39 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:08 -!- MikeW [~MW@ks35441.kimsufi.com] has joined ##openvpn
23:08 < MikeW> Hi guys, just in case anyone was wondering, Windows networking is a whole world of hurt
23:10 < krzie> !windows
23:10 < vpnHelper> krzie: "windows" is pcs are like air conditioners, they work fine unless you open windows
23:11 < MikeW> openvpn set up on a linux server as the server, great, two windows clients. Connects, cool. Firewall disabled for that adaptor. ping -I tun0 on server and run wireshark on pc1, I see pings coming in, no responses going out
23:11 < MikeW> and yeah, windows decides that it's an unidentified public network and won't let me change anything. BOO
23:21 < krzie> ahh windows 7
23:21 < MikeW> Yeah. Any of you guys ever tried to get it going with Windows?
23:22 < krzie> well ive ran it a couple times on xp machines
23:22 < krzie> but i quit windows before vista and 7 existed
23:22 < krzie> but that problem isnt so uncommon, i think you should be able to find it on google
23:23 < krzie> (i did know you were on 7 from hearing that problem before, but never heard the solution)
23:23 < krzie> ill google it with you until this openbsd iso is done
23:23 < krzie> then i need to test some stuff in a VM ill be making
23:24 < MikeW> yeah I've been reading piles on the ms support forums about it
23:25 < krzie> i would try to find it in the openvpn mail list if i were you
23:25 < MikeW> sadly even with their hacks like setting default gateways with the static routes, nothing has managed to work
23:25 < MikeW> oh, great idea, thanks
23:25 < krzie> ild imagine swimming through the ms forum would be like jabbing your eyes with needles
23:25 < krzie> np
23:25 < krzie> !mail
23:25 < vpnHelper> krzie: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
23:26 < krzie> theres an ovpn forum too, but i know that doesnt have a solution on it
--- Day changed Wed Jul 07 2010
00:51 -!- kish [~o2@unaffiliated/spice] has quit [Ping timeout: 260 seconds]
00:53 -!- kish [~o2@unaffiliated/spice] has joined ##openvpn
01:27 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:27 -!- mode/##openvpn [+o mattock] by ChanServ
01:42 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.6/20100625231939]]
01:54 -!- dazo_afk is now known as dazo
01:55 < Bushmills> is it just an impression, or actually true, that the ratio of non-windows openvpn question to questions with windows related problems has shifted towards "many more problems with windows now"?
02:03 -!- donavan [~donavan@unaffiliated/donavan] has left ##openvpn ["Leaving"]
02:14 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:15 < krzie> seems to come in waves
02:20 < Bushmills> it's the NSA, requiring from Microsoft to put impediments against using VPN software into Windows
02:20 < Bushmills> hm. I forgot <conspiracy>   ... </conspiracy>
02:25 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has left ##openvpn []
02:27 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
03:02 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:12 -!- grendal_prime [~sgraham@dsl-12-44-166-053.arpa2.caltel.com] has joined ##openvpn
03:13 < grendal_prime> stupid windows.
03:14 < grendal_prime> i have to test this tun from windows thang and the windows box i was going to use has needs a crapload of updates and .net 3.0?
03:14 < grendal_prime> and man do i need a shower...ill brb
03:16 < krzie> right on cue
03:17 < Bushmills> no, that's over the top
03:17 < Bushmills> no mention of openvpn at all
03:17 < krzie> the windows demons are angry
03:17 < Bushmills> i'l discount this one
03:18 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
03:18 < krzie> that does hurt the theory tho
03:18 < krzie> so many windows issues that they overflow channels ;]
03:19 < krzie> !windows
03:19 < vpnHelper> krzie: "windows" is pcs are like air conditioners, they work fine unless you open windows
03:19 < Bushmills> some years back, it was different on freenode
03:20 < krzie> openvpn doesnt compile on openbsd
03:20 < Bushmills> i remember once i joined the #windows channel, because i wanted something tested in internet explorer
03:20 < Bushmills> only a few people there. found that none of them was running windows :)
03:32 < grendal_prime> its amazing how little you can rely on it. Windows that is.
03:34 -!- TOSTO [~akta@125.160.53.92] has joined ##openvpn
03:34 -!- TOSTO [~akta@125.160.53.92] has left ##openvpn []
03:34 < grendal_prime> shit..how do you install .net 3?  there is no apt like repo to go to...i dont see any source.
03:35 < hyper_ch> Bushmills: you should have called the support line
03:36 < Bushmills> hyper_ch: nah .. my solution then was "fuck internet explorer support"
03:37 < grendal_prime> yes but they are terribly terribly terribly unable to help you
03:37 < Bushmills> it still remains hardly supported , even today :D
03:37 < grendal_prime> at work they usually opt to not call techsupport because it costs us 400 bucks.
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 < grendal_prime> we wind up just banging our heads agains the wall
03:39 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:42 < grendal_prime> gnight guys
03:43 -!- grendal_prime [~sgraham@dsl-12-44-166-053.arpa2.caltel.com] has quit [Quit: Ex-Chat]
03:53 -!- blueboxthief [~None_of_y@81.34.120.169] has quit [Quit: Leaving.]
04:15 -!- blueboxthief [~None_of_y@81.34.120.169] has joined ##openvpn
04:46 -!- blueboxthief [~None_of_y@81.34.120.169] has quit [Ping timeout: 276 seconds]
04:53 -!- zooz [~zooz@zooz.lt] has joined ##openvpn
04:53 < zooz> hi
04:54 < zooz> is it possible to run openvpn server which allows multiple connections with the same cert/key at the same time?
04:55 < krzie> yes
04:55 < krzie> duplicate-cn
04:55 < krzie> in server config
04:55 < krzie> but you should consider making more certs instead
04:56 < zooz> --duplicate-cn - will it not dissconnet the existing client to allow the new one?
04:56 < henk> o_O that's what you asked, wasn't it?
04:57 < krzie> zooz, 
04:57 < krzie> !man
04:57 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
04:57 < zooz> I asked if it's possible to run an openvpn server to allow multiple clients with the same cert/key at the same time
04:58 < krzie> lol
04:59 -!- zooz [~zooz@zooz.lt] has left ##openvpn []
05:00 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
05:01 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:02 -!- blueboxthief [~None_of_y@81.34.120.169] has joined ##openvpn
05:21 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
05:31 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 276 seconds]
05:33 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
05:39 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Read error: Connection reset by peer]
05:41 -!- macsppadic is now known as sambahater
05:41 -!- Abhishek_SIngh [~Abhishek@115.242.140.51] has joined ##openvpn
05:45 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
05:47 < dazo> "Correction. ccd, not cvs. Not sure why the iphone spellchecker changed it to cvs." ... I know why!  Because Steve Jobs is always right!
05:47  * dazo runs and hides
05:47 -!- Abhishek_SIngh [~Abhishek@115.242.140.51] has quit [Ping timeout: 260 seconds]
05:48 < havoc> dazo: we watched last week's new Futurama last night, holy balls do they stick it to Apple :)
05:50 < dazo> havoc: :) ... Apple seems to (unfortunately!) becoming more and more like a religion with a benevolent dictator in charge 
05:50 < krzie> attack of the killer app
05:50 < krzie> now downloading
05:51 < dazo> krzie: is that openvpn or your openvpn-confgen ;-)
05:51 < havoc> it was almost SouthPark-esq the way they were so direct about it :)
05:51 < havoc> little oblique humor there :)
05:51 < krzie> the na e of the futurama episode
05:51 < krzie> name*
05:52 < krzie> although lately its been attack of the killer krzee...
05:52 < krzie> going on day3 of no smoking cigs
05:52 < havoc> krzie: oh boy, I feel for you :(
05:52 < krzie> ya man
05:52 < dazo> krzie: good job! :)  Hope you'll get through that alive!
05:52  * havoc is a smoker
05:52 < krzie> dazo, thanx
05:52 < havoc> dazo: not just him ;)
05:53 < dazo> heh
05:53 < krzie> haha no kidding
05:53  * dazo wonders if krzie is wearing a t-shirt saying "I'm trying to stop smoking.  Don't argue with me!" :-P
05:53 < krzie> damn good idea
05:54 < krzie> ild need it in spanish too 
05:54 < dazo> :)
05:56 < havoc> we're working on a 1404p RFP for 1750 units w/ initial quotes due in less than 2 weeks right now
05:56 < havoc> I don't think any of us will be quitting any time soon :(
05:57 < havoc> hmm, need VPN component too, but that'll likely be several cisco devices
06:01 -!- Abhishek_SIngh [~Abhishek@115.184.66.8] has joined ##openvpn
06:06 -!- Netsplit *.net <-> *.split quits: agagag, krzie, disco-_, theneb_, troy-, Nappy, udk
06:09 -!- Netsplit over, joins: krzie, udk, Nappy, agagag, disco-_, troy-, theneb_
06:15 -!- Abhishek_SIngh [~Abhishek@115.184.66.8] has quit [Ping timeout: 276 seconds]
06:20 -!- funkyHat [~m@funkyhat.org] has joined ##openvpn
06:20 < funkyHat> !welcome
06:20 < vpnHelper> funkyHat: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:22 < funkyHat> Hi, I'm setting up a VPN server tap and server-bridge, but I don't really want OpenVPN to assign IPs, is it possible to let a DHCP server on the server assign IPs for VPN clients instead?
06:22 -!- sambahater is now known as UC2sppadic
06:23 < funkyHat> Or at the least is it possible to assign static IPs for specific clients in the VPN config?
06:24 -!- blueboxthief [~None_of_y@81.34.120.169] has quit [Ping timeout: 276 seconds]
06:24 < funkyHat> !route
06:24 < vpnHelper> funkyHat: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
06:26 < funkyHat> Oh hang on I don't want route, I want bridge ⢁)
06:27 -!- blueboxthief [~None_of_y@83.41.106.17] has joined ##openvpn
06:27 < funkyHat> !iporder
06:27 < vpnHelper> funkyHat: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
06:29 -!- Abhishek_SIngh [~Abhishek@115.242.218.155] has joined ##openvpn
06:36 -!- Abhishek_SIngh [~Abhishek@115.242.218.155] has quit [Ping timeout: 245 seconds]
06:37 < dazo> funkyHat: yes that's possible!  server-bridge is useful for such things
06:38  * dazo looks up some docs
06:38 < funkyHat> dazo: it looks like I can use client-config-dir to set up a static address for a client?
06:39 < dazo> funkyHat: you can do that as well, yes
06:39 < krzie> !static
06:39 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
06:47 < funkyHat> Actually it looks like I'm stuck with setting up the bridge anyway -_-... I tried using this init script http://www.monkeedev.co.uk/blog/wp-content/uploads/2009/openvpn/bridge.txt which appears to be based on the bridge-start and -stop scripts from http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html#linuxscript 
06:47 < vpnHelper> Title: Ethernet Bridging (at openvpn.net)
06:47 < funkyHat> But after running -start I couldn't make any new connections to the machine on the local network
06:48 < ksk> hello guys
06:48 < ksk> i installed client on both linux/windows
06:48 < ksk> in linux, there is some route delegated from the server, so i have not to set myself
06:49 < ksk> but its not set in windows
06:49 < ksk> any idea whats wrong? ( im able to set routes myself, but it would be nice if they could be delegated from the server)
06:51 -!- krzie [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
06:59 -!- Abhishek_SIngh [~Abhishek@115.184.85.109] has joined ##openvpn
07:01 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
07:05 -!- blueboxthief [~None_of_y@83.41.106.17] has quit [Quit: Leaving.]
07:06 -!- Abhishek_SIngh [~Abhishek@115.184.85.109] has quit [Ping timeout: 252 seconds]
07:20 -!- Abhishek_SIngh [~Abhishek@115.184.92.3] has joined ##openvpn
07:25 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
07:25 -!- UC2sppadic [~sonupunno@88.211.55.77] has quit [Read error: Connection reset by peer]
07:27 -!- Abhishek_SIngh [~Abhishek@115.184.92.3] has quit [Ping timeout: 260 seconds]
07:31 < ksk> is "remote-cert-tls" not supported by the windows-client?
07:42 -!- Abhishek_SIngh [~Abhishek@115.242.208.197] has joined ##openvpn
07:48 -!- Abhishek_SIngh [~Abhishek@115.242.208.197] has quit [Ping timeout: 264 seconds]
08:10 -!- takamichi [~pri@78.133.38.201] has quit [Read error: Connection reset by peer]
08:10 -!- takamichi [~pri@78.133.38.201] has joined ##openvpn
08:11 -!- Abhishek_SIngh [~Abhishek@115.184.46.162] has joined ##openvpn
08:15 -!- Netsplit *.net <-> *.split quits: meepmeep
08:22 -!- Abhishek_SIngh [~Abhishek@115.184.46.162] has quit [Ping timeout: 240 seconds]
08:22 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
08:27 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
08:43 -!- Abhishek_SIngh [~Abhishek@115.242.192.188] has joined ##openvpn
08:48 -!- Abhishek_SIngh [~Abhishek@115.242.192.188] has quit [Ping timeout: 260 seconds]
08:54 -!- notbrien [~notbrien@h-66-134-169-56.nycmny83.static.covad.net] has joined ##openvpn
09:01 -!- Abhishek_SIngh [~Abhishek@115.184.28.6] has joined ##openvpn
09:08 -!- Abhishek_SIngh [~Abhishek@115.184.28.6] has quit [Ping timeout: 264 seconds]
09:21 -!- Abhishek_SIngh [~Abhishek@115.184.74.124] has joined ##openvpn
09:26 -!- fremo__ [~fremo@noc.toile-libre.net] has quit [Read error: Operation timed out]
09:28 -!- Abhishek_SIngh [~Abhishek@115.184.74.124] has quit [Ping timeout: 240 seconds]
09:31 -!- fremo__ [~fremo@noc.toile-libre.net] has joined ##openvpn
09:39 < funkyHat> dazo: do you know if it's possible to tell openvpn to pass dhcp requests through to the network, I think I've got my tunnel working but I want to let dnsmasq do the dhcp for vpn clients
09:39 < dazo> funkyHat: I know that's doable ...
09:39  * dazo looks up the docs again
09:42 -!- Abhishek_SIngh [~Abhishek@115.242.150.252] has joined ##openvpn
09:42 < funkyHat> At the moment I'm getting: http://bpaste.net/show/7695/ ... "MULTI: no dynamic or static remote --ifconfig address is available for squee.funkyhat.net" is what makes me thing OpenVPN is still trying to serve DHCP itself
09:44 < dazo> funkyHat: you need bridging ... and then in server config ... you need 'server-bridge' without any arguments ... then you also need to do:  push "route 0.0.0.0 255.255.255.255 net_gateway"  (net_gateway is expected to be there, it's a OpenVPN keyword) .. that should basically do it
09:44 < funkyHat> http://pastebin.com/UR4z5V32 is my server config, and http://pastebin.com/jy2s6DjD is my client config
09:45 < funkyHat> I have br0 set up bridging eth0 and tap0 too
09:46 < dazo> funkyHat: I'm suspecting you just need the option-less 'server-bridge' ... and the 'push' with the net_gateway route
09:46 < funkyHat> hm... I don't necessarily want to route all traffic from the client through the VPN... only traffic for 10.0.0.0/24
09:46 < tjz> Germany vs Spain - who will get through to the final.. ?
09:47 < funkyHat> dazo: do I still want the push "route... line to look like that, or should I change it to push "route 10.0.0.0 255.255.255.0 net_gateway"?
09:47 < dazo> funkyHat: IIRC, net_gateway gives you the local LAN gateway, and not the remote .... because without that push, the DHCP will setup the it's default gateway instead, which will confuse things
09:48 < funkyHat> I think you've lost me ⢁)
09:48 < funkyHat> I'll try it
09:49 < dazo> funkyHat: net_gateway should set the local LAN gateway on the client side, so that the client don't loose it's local default gateway .... without it, the DHCP server will tell the client to use the DHCP server default gateway, which will lead to confusion
09:49 < funkyHat> Ahhh
09:49 -!- Abhishek_SIngh [~Abhishek@115.242.150.252] has quit [Ping timeout: 265 seconds]
09:50 < funkyHat> hm... it seems to be working, but I don't see a tap0 device created on the client
09:50 < funkyHat> i.e. it seems to be working looking at syslog
09:51 < funkyHat> Probably means I don't know what to look for, it doesn't appear to be working in any other respect :D
09:54 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:54 < funkyHat> I'm still getting "Jul  7 15:54:40 gaz ovpn-openvpn[3185]: squee.funkyhat.net/92.243.10.23:47127 MULTI: no dynamic or static remote --ifconfig address is available for squee.funkyhat.net/92.243.10.23:47127"
10:01 < dazo> funkyHat: the client is Windows or *nix?
10:01 < funkyHat> dazo: Linux (Debian Stable)
10:01 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
10:02 < dazo> funkyHat: ahh ... you probably need to start dhclient or dhcpcd on the client after the tunnel has been started
10:02 < dazo> dhclient tap0
10:02 < dazo> (that's not happening automatic on *nix at all, only in Windows)
10:02 < funkyHat> Oh fantastic
10:02 < funkyHat> That did it
10:02 < funkyHat> Is there a way I can make openvpn do that for me though?
10:13 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
10:15 -!- Abhishek_SIngh [~Abhishek@115.184.10.37] has joined ##openvpn
10:15 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
10:15 -!- killown [~killown@unaffiliated/killown] has quit [Client Quit]
10:16 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
10:16 -!- killown [~killown@unaffiliated/killown] has quit [Client Quit]
10:17 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
10:23 -!- Abhishek_SIngh [~Abhishek@115.184.10.37] has quit [Ping timeout: 260 seconds]
10:23 < dazo> funkyHat: --up probably
10:23  * dazo needs to run
10:23 < funkyHat> dazo: thanks ⢁)
10:24 -!- dazo is now known as dazo_afk
10:25 -!- sef [~nnnnnsef@69.94.13.17] has quit [Read error: Connection reset by peer]
10:28 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
10:42 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
10:46 -!- Abhishek_SIngh [~Abhishek@115.242.210.216] has joined ##openvpn
10:54 -!- Abhishek_SIngh [~Abhishek@115.242.210.216] has quit [Ping timeout: 240 seconds]
11:08 -!- Abhishek_SIngh [~Abhishek@115.184.120.82] has joined ##openvpn
11:13 -!- Abhishek_SIngh [~Abhishek@115.184.120.82] has quit [Ping timeout: 248 seconds]
11:18 -!- notbrien [~notbrien@h-66-134-169-56.nycmny83.static.covad.net] has quit [Quit: notbrien]
11:23 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
11:24 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:25 -!- Abhishek_SIngh [~Abhishek@115.184.42.95] has joined ##openvpn
11:34 -!- Abhishek_SIngh [~Abhishek@115.184.42.95] has quit [Ping timeout: 252 seconds]
11:55 -!- Abhishek_SIngh [~Abhishek@115.242.148.54] has joined ##openvpn
12:03 -!- Abhishek_SIngh [~Abhishek@115.242.148.54] has quit [Ping timeout: 264 seconds]
12:12 -!- notbrien [~notbrien@69.86.1.238] has joined ##openvpn
12:14 < MikeW> Do any of you guys run Windows?
12:18 -!- Alphanaut [~chatzilla@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
12:27 -!- RedT0mt0m [~tomtom@82.227.110.8] has quit [Read error: Connection reset by peer]
12:28 -!- RedT0mt0m [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has joined ##openvpn
12:31 < |Mike|> MikeW: sometimes
12:33 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
12:35 < MikeW> |Mike|: Do you have your Windows clients set as dev tun or dev tap?
12:36 < |Mike|> !tunortap
12:36 < vpnHelper> |Mike|: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
12:36 < vpnHelper> |Mike|: against you over the vpn, or (#4) lan gaming? use tap!
12:37 -!- Alphanaut [~chatzilla@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Ping timeout: 240 seconds]
12:39 < MikeW> !wins
12:39 < vpnHelper> MikeW: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
12:43 < MikeW> I'm using a tun on windows 7 and can't do very much with it because windows forces it to be an Unidentified Network
12:44 < MikeW> Windows identifies the network based on the MAC of the default gateway, so I guess I need to get the OpenVPN DHCP server to supply a MAC (surely it does this already?)
12:44 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
12:59 < MikeW> does dev tun/tap have to match on the server and client, or just all the clients?
13:01 -!- donavan [~donavan@unaffiliated/donavan] has joined ##openvpn
13:02 < MikeW> hmm actually I don't really want a bridged connection at all
13:08 < MikeW> I only want a 192.168.103.0 network I can put my windows machines on and the routes to get me there really
13:24 -!- donavan [~donavan@unaffiliated/donavan] has left ##openvpn ["Leaving"]
13:29 -!- bent_screwdriver [~socain00@74.255.249.66] has joined ##openvpn
13:30 < bent_screwdriver> i see that when using statick keys, even if the key is 2048, only a small portion is used. Is this also the case with RSA, or is the whole key used?
13:34 -!- WormFood [~wormfood@219.133.100.60] has quit [Ping timeout: 252 seconds]
13:35 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
13:35 -!- donavan [~donavan@unaffiliated/donavan] has joined ##openvpn
13:40 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:40 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Excess Flood]
13:40 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:47 -!- WormFood [~wormfood@219.133.101.148] has joined ##openvpn
13:52 -!- donavan [~donavan@unaffiliated/donavan] has left ##openvpn ["Leaving"]
14:05 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: Leaving]
14:32 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:39 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 248 seconds]
14:41 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
14:47 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 240 seconds]
14:47 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
14:51 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
15:09 -!- DJ_HaMsTa [~werwer@unaffiliated/dj-hamsta/x-2342346] has joined ##openvpn
15:42 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 276 seconds]
15:46 -!- takamichi [~pri@78.133.38.201] has quit [Ping timeout: 240 seconds]
15:46 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
15:46 -!- takamichi [~pri@78.133.38.201] has joined ##openvpn
15:54 -!- takamichi [~pri@78.133.38.201] has quit [Ping timeout: 260 seconds]
15:56 -!- takamichi [~pri@78.133.38.201] has joined ##openvpn
16:00 -!- redfox is now known as redfox_
16:08 -!- olouv [~Olivier_L@85-168-59-186.rev.numericable.fr] has joined ##openvpn
16:13 < olouv> !welcome
16:13 < vpnHelper> olouv: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:19 < _Tassadar> !/30
16:19 < vpnHelper> _Tassadar: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
16:19 < _Tassadar> that anchor doesn't exist 
16:20 < _Tassadar> (url gives me the faq but not this specific faq)
16:25 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has joined ##openvpn
16:27 < lazarus477> Howdy. I am experimenting with a VPN between Sweden, China. All works like a charm except for one minor detail. I get a huge amount of TCP Dup ACKs. Server is on ADSL in Sweden and client is also on ADSL but in China. 
16:27 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
16:27 < lazarus477> I have tried different settings for MTU, mss-fix and with the fragment option. Server is setup for UDP tunnel.
16:28 < lazarus477> It is a routed VPN.
16:28 < lazarus477> I have dissabled all funny firewall features at both ends.
16:28 < lazarus477> Clients in Sweden have no issues with the VPN.
16:47 -!- Netsplit *.net <-> *.split quits: meepmeep
16:49 -!- Netsplit over, joins: meepmeep
16:50 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
16:50 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 260 seconds]
16:51 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
16:53 -!- creack [~creack@gemercom.com] has quit [Ping timeout: 240 seconds]
16:56 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-khyqjopzkaopnurx] has joined ##openvpn
17:06 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
17:11 -!- olouv [~Olivier_L@85-168-59-186.rev.numericable.fr] has left ##openvpn []
17:20 -!- redfox_ is now known as redfox
17:24 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
17:39 -!- thiagoc [~thiagoc@unaffiliated/thiagoc] has joined ##openvpn
17:40 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
17:47 -!- thiagoc [~thiagoc@unaffiliated/thiagoc] has left ##openvpn []
17:53 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
17:55 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
17:56 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
17:56 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
18:21 -!- zamba [marius@flage.org] has quit [Ping timeout: 245 seconds]
18:23 -!- zamba [marius@flage.org] has joined ##openvpn
18:47 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
18:48 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
18:51 -!- Alphanaut [~chatzilla@c-24-60-103-49.hsd1.ma.comcast.net] has joined ##openvpn
18:57 -!- DJ_HaMsTa [~werwer@unaffiliated/dj-hamsta/x-2342346] has quit [Ping timeout: 248 seconds]
19:01 -!- Alphanaut [~chatzilla@c-24-60-103-49.hsd1.ma.comcast.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.6/20100625231939]]
19:35 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
20:02 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
20:43 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
21:15 < HoboSteaux> has anyone here gotten a TAP device working with win7 clients (bcast and all)?
21:37 < lazarus477> HoboSteaux: Well. I have goten a Win7 client working with TAP but I have not yet confirmed broadcasts going through, otherwise it works fine.
21:38 < HoboSteaux> yeah mine works fine (can connect, do basic functions) but no bcast is going through at all. although if i bridge the tap and the eth0 on the client the bcasts can get throught... at the expense of not routing data
21:39 < HoboSteaux> (everything comes through with the host ip of the bridge, which takes the local networks ip... 192.168.1.x does not talk well with 192.168.2.x
21:43 < lazarus477> HoboSteaux: I think bcast going through the tunnel should depend on how the vpn server is setup with its network and firewall settings, me thinks.
21:43 < HoboSteaux> but bridging on the client pushed bcast out on the vpn
21:43 < lazarus477> Yup
21:44 < HoboSteaux> so doesnt that mean its client-side?
21:44 < lazarus477> I think by default all routed traffik gets bcast traffic filtered out for basic bandwidth savings.
21:44 < lazarus477> I have a very strong hunch that it is server side.
21:44 < HoboSteaux> what should i look for?
21:45 < lazarus477> I would check the howto.
21:45 < HoboSteaux> i did
21:45 < HoboSteaux> ive followed them down to the letter
21:45 < HoboSteaux> multiple times
21:45 < lazarus477> And if nothing there explains how to do it then check the servers firewall rules and network inteface settings of the tun interface.
21:46 < lazarus477> Also try googling vpn tun bcast.
21:46 < lazarus477> Or rather, openvpn tun bcast
21:46 < HoboSteaux> its tap
21:47 < HoboSteaux> and i have lol
21:47 < lazarus477> my misstake
21:48 < HoboSteaux> ive gone through about 10 pages of google results now
21:55 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
22:27 < lazarus477> Only 10?
22:27 < lazarus477> That's nothing.
22:27 < HoboSteaux> lol
22:30 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
22:30 < HoboSteaux> i figured theres 'experts' that may know :D
22:31 < lazarus477> So did I a few hours ago when I bosted my problem.
22:31 < HoboSteaux> ive been dealing with this for almost a month
22:32 < HoboSteaux> im tired of it lol
22:32 < lazarus477> The experts are around us but they ain't talking right now. I figure they got lives and jobs to tend to :-)
22:36 -!- corretico_ [~laguilar@201.201.46.106] has joined ##openvpn
22:38 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 245 seconds]
22:46 < HoboSteaux> pretty much heh
22:56 -!- corretico_ [~laguilar@201.201.46.106] has quit [Ping timeout: 245 seconds]
22:57 -!- corretico [~laguilar@201.201.46.106] has joined ##openvpn
23:00 < HoboSteaux> okay so some wiresharking later and broadcasts are making it across the vpn, the client application is just not looking for them on multiple adapters
23:37 -!- G [~njones@whio.jnet.net.nz] has joined ##openvpn
--- Day changed Thu Jul 08 2010
00:04 -!- corretico_ [~laguilar@201.201.46.106] has joined ##openvpn
00:06 -!- corretico__ [~laguilar@201.201.46.106] has joined ##openvpn
00:07 -!- corretico [~laguilar@201.201.46.106] has quit [Ping timeout: 264 seconds]
00:10 -!- corretico_ [~laguilar@201.201.46.106] has quit [Ping timeout: 260 seconds]
00:54 -!- kish [~o2@unaffiliated/spice] has quit [Ping timeout: 265 seconds]
00:56 -!- kish [~o2@unaffiliated/spice] has joined ##openvpn
01:04 -!- corretico__ [~laguilar@201.201.46.106] has quit [Read error: Connection reset by peer]
01:10 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
01:11 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:11 -!- mode/##openvpn [+o mattock] by ChanServ
01:17 -!- takamichi [~pri@78.133.38.201] has quit []
01:23 -!- takamichi [~pri@78.133.38.201] has joined ##openvpn
01:24 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
01:36 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
01:40 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:44 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
01:48 -!- DJ_HaMsTa [~werwer@c-76-124-85-42.hsd1.nj.comcast.net] has joined ##openvpn
01:59 -!- DJ_HaMsTa [~werwer@c-76-124-85-42.hsd1.nj.comcast.net] has quit [Ping timeout: 240 seconds]
02:16 -!- takamichi [~pri@78.133.38.201] has quit [Ping timeout: 264 seconds]
02:16 -!- takamichi [~pri@78.133.38.201] has joined ##openvpn
02:19 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:19 -!- dazo_afk is now known as dazo
02:21 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 264 seconds]
02:35 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
02:42 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
02:42 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Excess Flood]
02:44 -!- WormFood [~wormfood@219.133.101.148] has quit [Remote host closed the connection]
02:52 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:00 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
03:05 < kraut> moin
03:08 < macsppadic> morning kraut 
03:10 < kraut> howdy macsppadic 
03:11 < macsppadic> not bad kraut surviving as they say - how bout u ?
03:12 < kraut> it's ok
03:12 < kraut> to early in the morning
03:12 < kraut> and got a nasty ticket
03:12 < macsppadic> ouch
03:12 < macsppadic> what time is it there?
03:13 < kraut> Do 8. Jul 10:13:34 CEST 2010
03:21 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Quit: Yippee-kay-yay]
03:32 -!- xro [a06206c6@gateway/web/freenode/ip.160.98.6.198] has joined ##openvpn
03:34 < xro> hi, my openvpn connection worked fine and today i can't connect... In fact i enter login and password, the certificate, my dns are changed but i dont get a tun0 and a default gateway.... i get this error message (NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing).... Can you help me?
03:35 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 -!- xro [a06206c6@gateway/web/freenode/ip.160.98.6.198] has quit [Ping timeout: 252 seconds]
03:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:43 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
03:52 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 276 seconds]
03:54 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
03:55 -!- ultramage [umage@kurobara.netvor.sk] has joined ##openvpn
03:56 < ultramage> hello ^^ on windows, is it possible to change one client's internet gateway to point to another client's vpn ip address? :)
03:56 < ultramage> I've tried altering routes, but the changes were completely ignored by the system 
03:57 < ultramage> and it would be cool to just push all traffic through the vpn instead of having to use an extra layer 7 socks tunnel
03:59 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
04:03 -!- xro [a062ef85@gateway/web/freenode/ip.160.98.239.133] has joined ##openvpn
04:04 < xro> hi, i have a problem with openvpn... it was working fine and know my clients can't get an ip... i get this error messag --> MULTI: no dynamic or static remote --ifconfig address is available for  can you help me please?
04:05 < henk> xro: the ip address pool seems to be too small afaict.
04:05 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Ping timeout: 260 seconds]
04:05 < xro> henk, i only have to machine cobnnected and i set a /28
04:06 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
04:06 < henk> then give the complete error message please...
04:06 < xro> henk, openvpn keep ip - user somewhere? maybe it didn't clean the file and all ip seems used for openvpn?
04:07 < henk> don't know, sorry
04:08 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Client Quit]
04:10 < dazo> !static
04:10 < vpnHelper> dazo: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
04:10 < xro> henk, there is the error message on server side... http://dpaste.com/215883/
04:12 < dazo> bent_screwdriver: you might find your answer regarding static keys here ... http://openvpn.net/index.php/open-source/faq/77-server/327-changed-hex-bytes-in-the-static-key-the-key-still-connects-to-a-remote-peer-using-the-original-key.html 
04:12 < vpnHelper> Title: Changed hex bytes in the static key, the key still connects to a remote peer using the original key. (at openvpn.net)
04:25 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 252 seconds]
04:39 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
05:13 -!- takamichi [~pri@78.133.38.201] has quit []
05:16 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
05:17 -!- DJ_HaMsTa [~werwer@c-76-124-85-42.hsd1.nj.comcast.net] has joined ##openvpn
05:22 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
05:24 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:27 < ultramage> (asking again) - on windows, is it possible to change the remote openvpn endpoint into my new gateway, directing all internet traffic to it through the vpn connection?
05:29 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
05:45 < Bushmills> !redirect
05:45 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
05:45 < Bushmills> !def1
05:45 < vpnHelper> Bushmills: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
05:45 < Bushmills> ultramage: ^^^
05:46 < ultramage> :)
05:46 < ultramage> the issue was, I want it client->client, not client->server
05:48 < ultramage> for example in a 1:1 paired connection instead of a server-client setup
05:48 < Bushmills> i suppose client-to-client and manually setting a route (or pushing a new default route) would do
05:48 -!- takamichi [~pri@78.133.38.201] has joined ##openvpn
05:48 < ultramage> got exact steps to do that?
05:49 < ultramage> last time I tried, I totally butchered my routing table, even erased all non-vpn routes, and internet still worked, completely ignoring the changes to the routing table
05:50 < Bushmills> i could tell you for unixoids, but not for windows - though i suppose the process is pretty similar
05:50 < Bushmills> either replace the old default route, after having added a host route to vpn server,
05:50 < Bushmills> or (again with host route to server), add two /1 routes
05:52 < ultramage> alright, I'll test again, maybe I messed something up
05:52 < ultramage> yesterday I discovered that a C++ construct that I spent 1 hour testing and determined that it wouldn't work, worked.
06:05 -!- killown [~killown@unaffiliated/killown] has quit [Read error: Connection reset by peer]
06:13 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
06:26 -!- creack [~creack@gemercom.com] has joined ##openvpn
07:00 -!- DJ_HaMsTa [~werwer@c-76-124-85-42.hsd1.nj.comcast.net] has quit [Changing host]
07:00 -!- DJ_HaMsTa [~werwer@unaffiliated/dj-hamsta/x-2342346] has joined ##openvpn
07:17 -!- creack [~creack@gemercom.com] has quit [Quit: WeeChat 0.3.2]
07:18 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
07:29 < bent_screwdriver> dazo: that is wher i got the static key info but i wasn't sure how the RSA compared to that. Does the RSA method use the entire key (whole 2048) is just a portion as well, just like the static key....
07:31 < dazo> bent_screwdriver: depends on what you mean with RSA method .... if you mean SSL PKI based solution (with public/private key pairs), then yes to some degree that is right
07:31 < bent_screwdriver> yeah, thats what i meant. thx!
07:32 < dazo> bent_screwdriver: but that does not give 2kbit encryption on the tunnelled data ... but it is used for negotiating a temporary encryption key for the tunnelled data
07:32 -!- zheng [~zheng@114.92.143.197] has joined ##openvpn
07:33 < bent_screwdriver> dazo: ah, i see. so does the encrypted portion use the cipher level? AES-256, etc?
07:33 < dazo> it's a bit advanced to explain the whole SSL negotiation process ... but the core principles are that asymmetric encryption (pub/private keys) is way slower than symmetric encryption and requires much bigger keys to be as safe as symmetric encryption
07:34 < dazo> bent_screwdriver: yes, --cipher defines the encryption algorithms on the tunnel itself .... --tls-cipher defines the encryption algorithms used for the key negotiations ... to say it simple
07:34 < bent_screwdriver> dazo: okay, that makes sense. We are looking to just use static keys with AES-256 but i just wanted to be sure that we are not loosing any security by using static keys.
07:35 < bent_screwdriver> dazo: ..compared to tls/ssl method
07:36 < dazo> bent_screwdriver: no, not at all ... static keys are just as safe, on the algorithm level as TLS mode .... *but* I am not sure key renegotiation happens with static keys, as it does in TLS mode 
07:38 < dazo> I don't recall if openvpn does setup some kind of temporary encryption key for the tunnelled data when using static keys ... that's what I'm thinking about
07:39 < bent_screwdriver> dazo: gotcha. i think it just always uses a portion of the static key for the encrypt/decrypt. thanks for the info dazo.
07:39 < dazo> bent_screwdriver: you're welcome!
07:42 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
07:47 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
07:54 -!- creack [~creack@gemercom.com] has joined ##openvpn
08:01 < creack> ño
08:33 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 248 seconds]
08:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:44 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
08:50 -!- fahmad [~linux@unaffiliated/fahmad] has joined ##openvpn
08:54 < fahmad> hello
08:54 < fahmad> any one arround ?
08:59 < fahmad> http://paste.ubuntu.com/460639/
08:59 < fahmad> can some one look into this and help me out
09:08 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
09:21 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
09:21 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
09:34 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Quit: Yippee-kay-yay]
09:45 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
09:54 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Quit: Yippee-kay-yay]
09:55 -!- zheng [~zheng@114.92.143.197] has quit [Quit: Leaving]
09:56 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
09:57 -!- meepmeep [meepmeep@212.24.104.229] has joined ##openvpn
09:57 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
10:06 -!- fahmad [~linux@vpn.server4sale.com] has joined ##openvpn
10:06 -!- fahmad [~linux@vpn.server4sale.com] has quit [Changing host]
10:06 -!- fahmad [~linux@unaffiliated/fahmad] has joined ##openvpn
10:06 < fahmad> any one arround ?
10:06 < fahmad> can some one look into this and help me out
10:06 < fahmad> http://paste.ubuntu.com/460639/
10:08 < fahmad> i see too many people here but no one willing to help
10:09 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
10:13 < fahmad> http://paste.ubuntu.com/460639/
10:13 < fahmad> can some one look into this and help me out
10:22 < batrick> fahmad: people idle in IRC. Patience wins you help.
10:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
10:37 < fahmad> ok
10:37 < fahmad> :)
10:42 < fahmad> batrick: any idea about my senrio ?
10:42 < fahmad> my bad english mistake again :P
11:00 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 265 seconds]
11:02 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
11:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:06 < dazo> !welcome
11:06 < vpnHelper> dazo: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:06 < dazo> fahmad: ^^
11:07 < dazo> fahmad: your pastebin was rather useless ... it didn't say anything at all
11:07  * dazo disappears again ... home for dinner
11:08 -!- qfr [void@unaffiliated/yw] has joined ##openvpn
11:08 < fahmad> dazo:
11:08 < fahmad> what do you need sir
11:08 < fahmad> openvpn configurations ?
11:08 < dazo> !welcome
11:08 < vpnHelper> dazo: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:08 < dazo> fahmad: read the lines above!
11:09 -!- dazo is now known as dazo_gone
11:09 -!- dazo_gone is now known as dazo_gone_afk
11:10 < fahmad> humm
11:15 < hyper_ch> fahmad: so the windows machine (client) works fine with the vpn?
11:15 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
11:17 < hyper_ch> fahmad: pastebin your configs, state what works and state what does not work
11:19 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 240 seconds]
11:21 < qfr> My ISP at home only gives me an IPv4 address. My server in another country has both global IPv4 and IPv6 addresses under which you can reach it. I have a working OpenVPN setup which IPv4 forwarding which enables the clients on the OpenVPN subnet to access the outside world using the IPv4 of the server. I have no idea how to make it work with IPv6 though - right now ping6 <blah> just gets me "Network unreachable" because ip -6 route doesn't contain any appropr
11:21 < qfr> iate routes yet. What should I do to handle this? Obviously I can't route it through IPv6 only since I don't have a global IPv6 address at home. I suppose I need a local IPv4to6 tunnel on my local Linux box and stuff? I probably also need to set up ip6tables stuff on my server... urgh... there are lots of IPv4 guides, IPv6 is still a rather arcane subject to me.
11:21 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:23 < fahmad> hyper_ch: okay
11:25 -!- brah [~asdofp@190.183.62.68] has joined ##openvpn
11:25 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
11:28 < fahmad> http://paste.ubuntu.com/460708/
11:28 < fahmad> hyper_ch: http://paste.ubuntu.com/460708/
11:29 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
11:30 < hyper_ch> what is the routing on that other machine?
11:31 < hyper_ch> and is there a reason why that other machine doesn't act as vpn client itself?
11:31 < fahmad> because its a hardware device ...
11:31 < fahmad> and it does not have vpn capabilities
11:33 < fahmad> and i did not print route ...
11:35 -!- lattera [~lattera@174-27-138-242.slkc.qwest.net] has joined ##openvpn
11:35 < lattera> so we have username/password authentication on our vpn
11:35 < lattera> and I want openvpn to sit in the background
11:36 < lattera> but I can't specify the --daemon option
11:36 < lattera> any workarounds?
11:37 < fahmad> hyper_ch: so any idea ?
11:41 < fahmad> any one else have any idea ?
11:42 < ultramage> qfr: to route ipv6 you need an ipv6 router :)
11:42 < ultramage> not sure if openvpn has capabilities like that
11:42 < lattera> hrmm, `screen pfexec openvpn client.ovpn` and then detaching from screen works, I guess, lol
11:42 < ultramage> if you're running freebsd I can give you a list of stuff to install to get it to work
11:43 < qfr> ultramage: I thought you could just create an IPv6to4 thing first, which then sends it via IPv4
11:43 < qfr> Hmm
11:43 < qfr> Oh boy
11:43 < ultramage> depends on what you're making... didn't read your entire stuf
11:45 < ultramage> you didn't really state what you want
11:45 -!- lattera [~lattera@174-27-138-242.slkc.qwest.net] has left ##openvpn ["Leaving"]
11:45 < ultramage> according to your description, your entire lan is ipv4-tunneled through your remote server.
11:46 < ultramage> if you now want to give your LAN ipv6 connectivity, hanging off of the server's ipv6 address... that could be arranged
11:47 < krzee> hell you could have openvpn just hand out ipv6 as well
11:47 < krzee> in testing branch
11:47 < krzee> with --server-ipv6
11:47 < ultramage> enable ipv6 routing on the server, install a daemon to send out ipv6 router advertisements over the vpn interface, and maybe set up dns
11:47 < ultramage> ...or that =D
11:47 < krzee> !testing
11:47 < vpnHelper> krzee: "testing" is "snapshots" is (#1) weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn, or (#2) by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch
11:47 < krzee> !ipv6
11:47 < vpnHelper> krzee: "ipv6" is (#1) http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_OpenVPN_Tunnelbroker.php?lang=en to learn how to setup openvpn to be an ipv6 tunnel broker, or (#2) Here are some scripts from the mail list: http://article.gmane.org/gmane.network.openvpn.user/27514 or from a mirror: http://www.ircpimps.org/join-0.8.tar, or (#3) http://www.greenie.net/ipv6/openvpn.html for ipv6 payload patch
11:48 < vpnHelper> krzee: (adds some nice ipv6 options), or (#4) see !snapshots for a release with ipv6 patches in it, report how it works to help it get included in a stable release
11:48 < ultramage> the first ipv6 url is not responding
11:48 < krzee> !forget ipv6 1
11:48 < vpnHelper> krzee: Joo got it.
11:48 < krzee> !forget ipv6 1
11:48 < vpnHelper> krzee: Joo got it.
11:49 < krzee> !ipv6
11:49 < vpnHelper> krzee: "ipv6" is (#1) http://www.greenie.net/ipv6/openvpn.html for ipv6 payload patch (adds some nice ipv6 options), or (#2) see !snapshots for a release with ipv6 patches in it, report how it works to help it get included in a stable release
11:49 < krzee> there
11:49 < krzee> those first 2 were old
11:49 < krzee> before it could be done within openvpn
11:49 < ultramage> "ipv6 payload patch"
11:49 < ultramage> so it's not implemented yet
11:49 < krzee> thats the patch in testing branch
11:49 < ultramage> so it's cutting-edge fresh :)
11:49 < krzee> not enough feedback yet to move forward
11:50 < krzee> play with it, give feedback, get others to do the same (preferably in other OS's) and you'll see it in stable a lot faster
11:50 < ultramage> but I think taking a standard routing box that is ipv6-enabled and just pointing it at the vpn interface would do
11:50 < ultramage> ...that would require a tap adapter though I think
11:51 < ultramage> OH!@
11:52 < ultramage> netbios doesn't use ip packets
11:52 < krzee> WINS
11:53 < ultramage> hm, mine goes over ipv6/tcp -.-
11:53 < krzee> you mentioned netbios... like smb resolution
11:53 < ultramage> I tunnel from work to home, and windows filesharing (the 'surrounding computers' part) is very wonky
11:53 < krzee> for that i said "wins"
11:53 < krzee> !wins
11:53 < vpnHelper> krzee: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
11:53 < ultramage> ..ew.
11:54 < ultramage> is that how you set up your stuff when going over openvpn?
11:55 < ultramage> I'm always willing to learn new and useful stuff :)
11:55 < krzee> !pptp
11:55 < vpnHelper> krzee: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
11:55 < vpnHelper> krzee: read about why to not use pptp
11:55 < krzee> (thats for someone else)
11:56 < krzee> and no, i dont use windows so dont need WINS
11:56 < fahmad> krzee: can you help me with my problem ...
11:56 < ultramage> ^_^
11:56 < fahmad> http://paste.ubuntu.com/460708/
11:56 < krzee> !goal
11:56 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:57 < ultramage> >I create bridge using OpenVPN TAP and LAN on which device is connected but when i trying to ping its giving respone time out
11:57 < krzee> fahmad, you might want to actually say what your problem is, and what you would like to achieve
11:57 < ultramage> he wrote it at the bottom :)
11:57 < krzee> oh, lol
11:57 < krzee> he must not use IRC much
11:57 < ultramage> what I did when troubleshooting:
11:57 < ultramage> ripping out as much settings as possible
11:57 < ultramage> dropping cert auth and going for a shared file
11:57 < fahmad> krzee: i was using irc but i do not use pb mostly :P
11:58 < fahmad> krzee: so any idea 
11:58 < krzee> shared file changes everything
11:58 < ultramage> try removing as much fluff as possible and see what happens
11:58 < krzee> makes it PTP
11:58 < fahmad> ?
11:58 < fahmad> you talking with me ?
11:58 < ultramage> yeah, but for an initial setup test it's a god-send
11:58 < ultramage> :}
11:58 < ultramage> fahmad: yes
11:59 < krzee> fahmad, why do you want to bridge?
11:59 < ultramage> you have a lot of stuff in those configs
11:59 < ultramage> also, !topic - make sure no firewall is messing with you
11:59 < fahmad> krzee: i have device which is not vpn capable so it has been connected with computer 
12:00 < fahmad> over ethernet and that ethernet card is bridge with openvpn tap adapter ...
12:00 < fahmad> there is no firewall also :)
12:00 < krzee> is your device IP cabable?
12:00 < krzee> capable
12:00 < fahmad> yup
12:00 < krzee> does it need a specific layer2 protocol?
12:00 < fahmad> but you know i can not assign usa ip here in pakistan :D
12:00 < krzee> !tunortap
12:00 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
12:01 < vpnHelper> krzee: against you over the vpn, or (#4) lan gaming? use tap!
12:01 < krzee> !route
12:01 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:01 < krzee> !layer2
12:01 < vpnHelper> krzee: "layer2" is (#1) you are using tap, what specific layer2 protocol do you need to work over the vpn?, or (#2) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#3) protocols that use layer2 communicate by MAC address, not IP address
12:02 < fahmad> krzee: i know routing ...
12:02 < fahmad> but i need the solution for this specific problem
12:02 < krzee> unless theres a layer2 protocol you need, you dont need a bridge to solve it
12:02 < krzee> you just use routing
12:02 < fahmad> when i use it without bridge i can ping linux using 172.16.0.1 even i can ssh into the box using same ip
12:03 < krzee> you can connect your ENTIRE LAN without bridging
12:03 < fahmad> i need layer2 
12:03 < krzee> what layer2 protocol?
12:03 -!- brah [~asdofp@190.183.62.68] has quit [Remote host closed the connection]
12:03 < fahmad> goal is to ping 8.12.162.150 from device ...
12:04 < fahmad> and from linux (8.12.162.150) to 8.12.162.49
12:04 < fahmad> 8.12.162.149
12:04 < ultramage> ping uses udp, a tun adapter is enough for that
12:04 < krzee> icmp is a layer2 protocol?
12:04 < krzee> ping is icmp, not udp
12:04 < fahmad> i did that if you see my config
12:04 < krzee> but yet, tun can do it
12:04 < ultramage> try keeping it simple and then adding on stuff
12:04 < krzee> well you cant bridge tun devices!
12:04 < fahmad> then what should i use ?
12:04 < fahmad> tap
12:04 < fahmad> ?
12:04 < krzee> (nor do you need to)
12:05  * ultramage doesn't know openvpn well enough to know what bridging does
12:05 < krzee> you dont need a bridge!
12:05 < krzee> you just need routing
12:05 < krzee> bridging isnt an openvpn thing
12:05 < krzee> its a networking thing
12:05 < krzee> it joins broadcast domains more or less
12:05 < fahmad> humm
12:05 < ultramage> ah
12:05 < krzee> fahmad, 
12:05 < krzee> !route
12:05 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:06 < ultramage> darnit, now I forgot what I wanted to do =D
12:06 < fahmad> krzee: then brother how can i connect device which have ip 8.12.162.149 here in pakistan and linux machine having ip 8.12.162.150 in USA
12:06 < krzee> you dont need a bridge, you need to configure routing, and enable ip forwarding on the machine
12:06 < krzee> !winipforward
12:06 < vpnHelper> krzee: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
12:06 < krzee> umm
12:06 < krzee> you mean you want to assign an ipv4 ip over the tunnel?
12:06 < fahmad> krzee: and problem is i do not have static ip ...
12:06 < fahmad> yes :)
12:06 < fahmad> see 
12:07 < krzee> bidirectional NAT
12:07 < fahmad> lemme explain
12:07 < krzee> or if you have extra IPs, you can use --server with a small subnet and just hand out the IPs
12:07 < krzee> but you need extra ips to waste doing that
12:07 < krzee> and you would DEFINITELY want topology subnet in that situation
12:07 < krzee> !/30
12:07 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
12:07 < krzee> !topology
12:07 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
12:08 < krzee> bidirectional nat would be easier
12:08 < krzee> in linux this would be a DNAT AND a SNAT
12:08 < krzee> in bsd it would be a binat
12:08 < fahmad> Linux eth0: (8.12.162.150) tun/tap: 172.16.0.1 --> windows ppp dynamic ip, tun/tap: 172.16.0.6 and lan is connected with device ...
12:08 < krzee> i dont do windows ;]
12:08 < fahmad> which have ip binded 8.12.162.149
12:08 < fahmad> when i connect openvpn 
12:09 < fahmad> then how can i ping 8.12.162.149 from linux box
12:09 < fahmad> simple 
12:09 < fahmad> this is my goal
12:09 < ultramage> check openvpn's logs to see if it established a connection and is doing periodic pings
12:09 < ultramage> and check if both ends created an interface and have an ip address asigned.
12:09 < ultramage> if they don't then something's malfunctioning
12:09 < fahmad> yes its establish connection and assign ip address
12:09 < ultramage> on both sides?
12:09 < fahmad> yup
12:10 < fahmad> on linux its acting as server
12:10 < ultramage> so they are connected but ping from one to the other doesn't?
12:10 < fahmad> 172.16.0.1 -> 172.16.0.6 works 
12:10 < ultramage> and the other direction?
12:10 < fahmad> but when i bridge LAN where device is connect with TAP then it does not work
12:10 -!- brah [~asdofp@190.183.62.68] has joined ##openvpn
12:11 < ultramage> oh, so you want to have the vpn packets leave the vpn and go to some neighbouring machine?
12:11 < fahmad> both direction ping working but after bridge it does not work
12:11 < fahmad> yes
12:11 < ultramage> then you need to make the destination machine a router
12:11 < ultramage> because otherwise openvpn will just eat the packets
12:11 < fahmad> sir its hardware device directly connected using cross cable into the machine ...
12:12 < ultramage> openvpn has built-in routing functionality, but you need to turn it on
12:12 < ultramage> if the device is connected via an interface and has an ip address, it needs to be routed to
12:12 < fahmad> and if its capable of being router/vpn server then i wont came here to ask this question
12:12 < fahmad> what should be the route for that ?
12:12 < ultramage> I don't get you.
12:13 < ultramage> hm.
12:13 < ultramage> krzee might know
12:13 < fahmad> i think i could not get help because either i could not explaining you guys in right way or you guys does not get me ..
12:13 < fahmad> :(
12:13 < ultramage> when a packet arrives on the destination vpn interface, and its target is an ip address that doesn't belong to the host, does openvpn pass it to the OS kernel, or does it eat it right there and then?
12:13  * fahmad crying ...
12:14 < fahmad> how can i check it on windows sir
12:14 < ultramage> no idae
12:14 < fahmad> for that i think i need to use wireshak
12:14 < fahmad> :)
12:14 < ultramage> what you need is to router-enable your openvpn server
12:15 < ultramage> it'll not be a bridge, since you're using different subnet addresses for vpn and for lan
12:15 < ultramage> (if I'm not mistaken)
12:15 < fahmad> yes
12:15 < ultramage> so you want... 172.16.0.1->172.16.0.6->192.168.0.55
12:15 < fahmad> yes
12:15 < fahmad> you can say that :)
12:15 < ultramage> then make 172.16.0.6 a router
12:16 < ultramage> open the openvpn man page and look for the 'router' keyword
12:16 < fahmad> ok
12:16 < ultramage> I think krzee also mentioned some stuff earlier... maybe
12:16 < fahmad> ok
12:16 < fahmad> i will read 
12:16 < ultramage> as I said openvpn has built-in packet routing capabilities, just need to turn them on I think
12:16 < fahmad> and if i stuck i will check again
12:17 < Bushmills> fahmad: well, i don't understand because you talk in partial sentences. when i read a line, there's always missing a lot to make it a complete sentence
12:17 < Bushmills> for example  "(19:08:49) fahmad: when i connect openvpn"
12:18 < Bushmills> that's a fragment, not a complete statement
12:18 < krzee> [10:17]  <ultramage> so you want... 172.16.0.1->172.16.0.6->192.168.0.55
12:18 < krzee> aka he wants to read:
12:18 < krzee> !route
12:18 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:18 < krzee> the document i wrote which explains how to share lans behind openvpn nodes
12:19 < fahmad> ok
12:19 < fahmad> Bushmills: sir i am sorry for that i press enter key very frequently which is one of my bad habbit and i need to change it
12:22 < bent_screwdriver> !ifconfig
12:22 < vpnHelper> bent_screwdriver: "ifconfig" is usage: ifconfig l rn | Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices, rn is the IP address of the remote VPN endpoint. For TAP devices, rn is the subnet mask of the virtual ethernet segment which is being created or connected to.
12:22 < ultramage> I can't resist not skimming over the article
12:22 < ultramage> it's why I write HOWTO documents, not guides :P
12:24 < ultramage> hm, you mention the setting 'iroute'... I automatically started looking for the syntax of that setting
12:25 < ultramage> so iroute interface netmask turns the machine into a router for all packets targeting IPs on that subnet... how convenient
12:25 < krzee> skim if you want, just dont come asking for help in here for anything related to it after skimming it
12:26 < krzee> or i will throw a temper tantrum that would make 5yr olds seem tame
12:26 < ultramage> :/
12:26 < ultramage> it's written like someone talking to me... I'd prefer a howto
12:27 < ultramage> thanks for the effort though
12:27 < krzee> feel free to make your own
12:27 < krzee> i didnt copyright helping people ;)
12:28 < krzee> hehe
12:30 < krzee> and if its good, i will for sure link it on my bot
12:34 < ultramage> hm, should mention iroute right at the beginning (show the entire configuration, not fragment it
12:34 < krzee> nope
12:34 < krzee> i dont want users blindly doing shit from my doc
12:34 < krzee> i want them to UNDERSTAND it all
12:34 < krzee> which is why i dont support people who skim my doc
12:35 < ultramage> gah, I don't understand that document at all, the explanation is too chaotic
12:35 < krzee> not if you start at the top and read it ALL
12:35 < krzee> yanno, as in not skim it
12:35 < krzee> its helped thousands of people
12:35 < krzee> but it helps 0 people who skim it
12:35 < ultramage> I can't tell which parts of the text are key facts and which are just fluff
12:35 < krzee> THERE IS NO FLUFF
12:36 < ultramage> "you need to do this, but once you do it breaks, and now I'll explain how we'll repair it" does not flow well for me
12:36 < krzee> then go write your own
12:37 < krzee> you need to understand EVERYTHING on my page before you can set the stuff up
12:37 < krzee> i refuse to hand hold, even in my documentation
12:37 < ultramage> I have to imagine the setup you demonstrate, then digest the part where the setup I'm trying to imagine doesn't work at all, and then understand what the iroute patch will do to the existing settings
12:38 < ultramage> one thing I know, I'm never using 'push' operations
12:38 < krzee> !push
12:38 < vpnHelper> krzee: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
12:39 < krzee> anyways
12:39 < krzee> im too busy to debate this useless conversation
12:39 < krzee> bbl
12:41 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined ##openvpn
12:43 < ultramage> not really important, but so far I'm guessing that the whole text is trying to say "we only have one set of push rules and we push too much, so we then have to set up ignore rules on the receiving side to ignore some of the push steps"
12:43 < ultramage> if I'm ever setting up a three-way lan, I'll try reading that doc once more
12:48 < ultramage> Bushmills: the --redirect-gateway setting you're suggesting failed on me last time due to it only working...hm... for clients?
12:49 < ultramage> or was it the server...
12:49 < ultramage> so far I have no persistent server to hang off of to test client-client setups
12:55 -!- DJ_HaMsTa [~werwer@unaffiliated/dj-hamsta/x-2342346] has quit []
12:56 -!- dazo_gone_afk is now known as dazo
12:58 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.6/20100625231939]]
12:59 < ultramage> yeah, from the description it looks like it will always target the server machine as the new gateway, and only it
13:00 < ultramage> (1) Create a static route for the --remote address 
13:02 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
13:10 -!- Xen^ [~linux@vpn.server4sale.com] has joined ##openvpn
13:13 -!- fahmad [~linux@unaffiliated/fahmad] has quit [Ping timeout: 264 seconds]
13:15 -!- Xen^ is now known as fahmad
13:15 -!- fahmad [~linux@vpn.server4sale.com] has quit [Changing host]
13:15 -!- fahmad [~linux@unaffiliated/fahmad] has joined ##openvpn
13:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
13:27 < fahmad> ultramage: i am doing testing right now :)
13:33 < krzee> ultramage, you understand wrong, once again because you skimmed
13:33 < krzee> !iroute
13:33 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
13:33 < krzee> the fact that it ignores the push is an after-the-fact bonus of openvpn being smart
13:34 < krzee> that EXACT text is in the document i wrote
13:43 -!- fahmad [~linux@unaffiliated/fahmad] has quit [Ping timeout: 260 seconds]
13:46 < ultramage> =.=
13:47 < ultramage> how troublesome
13:47 < ultramage> but if it helps people set up their networks then it's a good thing :)
14:00 -!- sjr_ [~sjr@S0106001ee5027478.vc.shawcable.net] has joined ##openvpn
14:00 < sjr_> For some reason I can connect to openvpn from a linux desktop, but I can't communicate with it. It seemed to work from a Mac I don't have access to. 
14:01 < ultramage> do both machines have the vpn interfaces enabled, pinging each other, and having an ip address assigned?
14:03 < sjr_> http://www.pastebin.ca/1896809
14:03 < sjr_> hmmmm
14:03 < sjr_> yes
14:03 < sjr_> as far as I can tell
14:04 < sjr_> they have ip addresses, but they can't ping
14:06 -!- fahmad [~linux@vpn.server4sale.com] has joined ##openvpn
14:06 -!- fahmad [~linux@vpn.server4sale.com] has quit [Changing host]
14:06 -!- fahmad [~linux@unaffiliated/fahmad] has joined ##openvpn
14:08 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-khyqjopzkaopnurx] has left ##openvpn []
14:18 -!- sjr_ [~sjr@S0106001ee5027478.vc.shawcable.net] has quit [Ping timeout: 265 seconds]
14:23 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
14:34 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:39 -!- alexs_ [~alexs@testbed002.grid.ici.ro] has joined ##openvpn
14:40 -!- dazo is now known as dazo_afk
14:41 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
14:57 < fahmad> krzee: you still arround ?
15:08 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 240 seconds]
15:11 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
15:19 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
15:34 -!- abeehc_ [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
15:38 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 252 seconds]
15:56 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
16:00 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
16:04 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
16:06 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
16:12 -!- bent_screwdriver [~socain00@74.255.249.66] has quit []
16:34 < krzee> lol @ people who do that
16:35 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
16:39 -!- softy [~adas@144.190.93.27] has joined ##openvpn
16:40 < softy> Hello...I am new to openvpn...
16:40 < softy> I tried to setup an openvpn connection using static key on the server and the client
16:41 < softy> There is a tun0 created on both client and server and a connection is established...yet I cannot do a ping
16:41 < softy> any suggestions ? ANy help is highly apprecaited :)
16:43 < softy> !welcome
16:43 < vpnHelper> softy: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:00 -!- allyourbass [~allyourba@76.75.55.89] has joined ##openvpn
17:01 < allyourbass> having trouble creating a tun device with openvpn on freenas (0.7RC1 Sardaukar (revision 4735))
17:01 < allyourbass> logfile says Cannot open TUN/TAP dev /dev/tun0: No such file or directory (errno=2)
17:01 < allyourbass> i cant seem to use makedev
17:01 < allyourbass> anyone familiar with freenas and/or freebsd?
17:07 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has joined ##openvpn
17:11 < ultramage> allyourbass: maybe you're missing a driver that lets you tunnel... not sure
17:11 < ultramage> default kernel should include that
17:12 < allyourbass> yeah its on freenas, which is hella minimal
17:12 < allyourbass> not even man pages
17:16 < allyourbass> booyeah
17:16 < allyourbass> found it
17:16 < allyourbass> kldload if_tun
17:16 < allyourbass> ran that now it works
17:16  * allyourbass dances like a tard
17:17 < ultramage> =D
17:17 < ultramage> /grat
17:20 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.6/20100625231939]]
17:31 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
17:32 -!- allyourbass [~allyourba@76.75.55.89] has left ##openvpn ["house is on fire brb"]
17:41 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
18:17 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:21 -!- ohzie [~ohzie@204.57.79.29] has joined ##openvpn
18:22 < ohzie> Out of curiosity, what is Access Server? I read that and I think "Access isn't a server, it's a lol database from Microsoft, they can't mean that!"
18:38 -!- kraut [~kraut@2001:6f8:12a9::4:0] has quit [Ping timeout: 260 seconds]
18:55 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined ##openvpn
18:56 < grendal_prime> hey guys is it possible to run multiple instances of open vpn on the same box listening on the same port?
18:57 < grendal_prime> like a sort of load balance situation.  so i can keep the number of connections to a min on each process?
18:58 < grendal_prime> or set like a max of 200 on each process?
19:11 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Quit: Ex-Chat]
19:26 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
19:54 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
20:21 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
20:52 -!- notbrien [~notbrien@69.86.1.238] has quit [Quit: notbrien]
21:43 -!- theDoc [~link@unaffiliated/thedoc] has joined ##openvpn
21:54 -!- theDoc [~link@unaffiliated/thedoc] has quit [Quit: Leaving]
21:54 -!- ohzie [~ohzie@204.57.79.29] has quit [Quit: Leaving]
22:09 -!- theDoc [~link@unaffiliated/thedoc] has joined ##openvpn
22:23 -!- creack [~creack@gemercom.com] has quit [Read error: Connection reset by peer]
22:32 -!- creack [~creack@gemercom.com] has joined ##openvpn
22:42 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
23:06 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has quit [Read error: Connection reset by peer]
23:07 -!- creack [~creack@gemercom.com] has quit [Read error: Connection reset by peer]
23:09 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has joined ##openvpn
23:14 -!- udk [~evaldo@freenode/staff/udontknow] has quit [Quit: leaving]
23:16 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:19 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has joined ##openvpn
23:19 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has quit [Client Quit]
23:30 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has joined ##openvpn
23:30 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has quit [Client Quit]
23:31 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has joined ##openvpn
23:31 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has quit [Client Quit]
23:35 -!- creack [~creack@gemercom.com] has joined ##openvpn
23:35 < creack> join #gcj
--- Day changed Fri Jul 09 2010
00:04 -!- fahmad [~linux@vpn.server4sale.com] has joined ##openvpn
00:04 -!- fahmad [~linux@vpn.server4sale.com] has quit [Changing host]
00:04 -!- fahmad [~linux@unaffiliated/fahmad] has joined ##openvpn
00:08 -!- DrJ [Bacon@174.141.224.168] has quit [Read error: Operation timed out]
00:31 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
00:31 -!- mode/##openvpn [+o mattock] by ChanServ
00:37 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
00:45 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
00:56 -!- kish [~o2@unaffiliated/spice] has quit [Ping timeout: 240 seconds]
00:58 -!- kish [~o2@unaffiliated/spice] has joined ##openvpn
01:04 -!- dazo_afk is now known as dazo
01:15 -!- theDoc [~link@unaffiliated/thedoc] has quit [Ping timeout: 265 seconds]
01:19 -!- Abhishek_SIngh [~Abhishek@115.240.29.41] has joined ##openvpn
01:21 -!- Abhishek_SIngh [~Abhishek@115.240.29.41] has left ##openvpn []
01:40 < fahmad> hey
01:40 < fahmad> can some one look into this 
01:40 < fahmad> i provide now as much details as i can http://paste.ubuntu.com/460988/
01:57 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
01:59 < Bushmills> not telling what your problem is can't be called "as much detail as you can"
02:05 < fahmad> Bushmills: basically i could not able to access 8.12.162.149
02:06 < fahmad> my goal is to access device having ip 8.12.162.149 from 8.12.162.150 
02:06 < fahmad> 8.12.162.150 is located in USA and 8.12.162.149 is located in Pakistan
02:06 < Bushmills> !route
02:06 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:06 < fahmad> i did that but still not working :(
02:07 < fahmad> i allowed route in server.conf but same :(
02:07 < Bushmills> if you did, how come that i don't see a route with 8.12.... in your routing table?
02:08 < fahmad> humm
02:08 < fahmad> ok
02:08 < fahmad> hold on 
02:08 < fahmad> lemme add it
02:08 < fahmad> ok
02:08 < Bushmills> and how come that there is no pushing or setting of any 8.12.xxx routes in your logs
02:09 < Bushmills> and how come that while this isn't the case, you say "you did what is written in !route"?
02:09 < fahmad> hold on sir :)
02:11 < fahmad> Bushmills: i could not access windows machine due to some issue 
02:11 < fahmad> but i am adding push route in server.conf
02:12 < fahmad> push "route 8.12.162.145 255.255.255.248 10.1.0.1"
02:13 < fahmad> so that it can ping both 8.12.162.145, 146, 147, 148, 149, 150
02:30 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:38 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
02:43 < kish> how does one get transparent 
02:44 < kish> netwroking
02:44 < kish> using this vpn and some server
03:04 -!- fahmad [~linux@unaffiliated/fahmad] has quit [Ping timeout: 240 seconds]
03:05 -!- fahmad [~linux@vpn.server4sale.com] has joined ##openvpn
03:05 -!- fahmad [~linux@vpn.server4sale.com] has quit [Changing host]
03:05 -!- fahmad [~linux@unaffiliated/fahmad] has joined ##openvpn
03:16 -!- takamichi [~pri@78.133.38.201] has quit [Read error: Connection reset by peer]
03:17 -!- takamichi [~pri@78.133.38.201] has joined ##openvpn
03:20 -!- takamichi [~pri@78.133.38.201] has quit [Read error: Connection reset by peer]
03:21 -!- takamichi [~pri@78.133.38.201] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
04:01 -!- theDoc [~link@119.75.42.2] has joined ##openvpn
04:01 -!- theDoc [~link@119.75.42.2] has quit [Changing host]
04:01 -!- theDoc [~link@unaffiliated/thedoc] has joined ##openvpn
04:03 < kraut> moin
04:03 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
04:04 < macsppadic> morning kraut 
04:04 < macsppadic> thank god its the weekend 
04:15 -!- ultramage [umage@kurobara.netvor.sk] has left ##openvpn []
04:31 < Bushmills> kish: by routing traffic to/from "some server" through openvpn
05:03 -!- theDoc [~link@unaffiliated/thedoc] has quit [Quit: This computer has gone to sleep]
05:03 -!- theDoc [~link@119.75.42.2] has joined ##openvpn
05:03 -!- theDoc [~link@119.75.42.2] has quit [Client Quit]
05:08 -!- Xen^ [~linux@vpn.server4sale.com] has joined ##openvpn
05:09 -!- fahmad [~linux@unaffiliated/fahmad] has quit [Ping timeout: 260 seconds]
05:15 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:50 -!- d457k [~heiko@vpn.astaro.de] has quit [Ping timeout: 276 seconds]
05:57 -!- Xen^ is now known as fahmad
05:57 -!- fahmad [~linux@vpn.server4sale.com] has quit [Changing host]
05:57 -!- fahmad [~linux@unaffiliated/fahmad] has joined ##openvpn
06:17 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Ping timeout: 276 seconds]
06:23 -!- mape2k [~mape2k@p5B286ECE.dip.t-dialin.net] has joined ##openvpn
06:26 < ksk> hello
06:27 < ksk> if u use the openvpn client in windows, no routes are pushed
06:27 < ksk> works with linux-client
06:27 < ksk> any idea whats wrong?
06:36 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
06:36 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
06:38 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
06:50 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 248 seconds]
06:54 < Chosi> ksk: run as admin?
07:00 < ksk> i admin
07:00 < ksk> *i am
07:00 < ksk> but i will try, thanks
07:02 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
07:06 < ksk> "ROUTE: route addition failed using CreateIpForwardEntry: Ein oder mehrere Argumente sind ungültig."
07:06 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
07:06 < ksk> from client.log
07:06 < ksk> is says "[...]: one or more arguments are invalid
07:07 < ksk> "route-method exe"
07:07 < ksk> mhmkay
07:08 < ksk> thx
07:10 -!- krzie [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
07:18 -!- Resist0r [~mrresist0@69.31.131.51] has quit [Ping timeout: 265 seconds]
07:21 -!- mrresist0r [~mrresist0@69.31.131.51] has joined ##openvpn
07:37 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Read error: Connection reset by peer]
07:41 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:44 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Ping timeout: 276 seconds]
07:49 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
07:49 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
07:51 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
07:52 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
07:56 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
08:00 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
08:06 < ecrist> good morning.
08:14 < macsppadic> morning ecrist 
08:15 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined ##openvpn
08:17 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Remote host closed the connection]
08:26 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has quit [Remote host closed the connection]
08:26 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
08:28 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined ##openvpn
08:30 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
08:30 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
08:35 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
08:40 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has joined ##openvpn
08:56 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Ping timeout: 276 seconds]
09:07 -!- jonkri [jonkri@dedikerad/admin/jonkri] has joined ##openvpn
09:07 < jonkri> !welcome
09:07 < vpnHelper> jonkri: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:10 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
09:10 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
09:14 < ecrist> horray, someone can read /topic
09:14 < ecrist> :)
09:14 < havoc> heh
09:14 < havoc> that happens occasionally
09:15 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
09:17 < ksk> hello
09:17 < ksk> is there a way to use lladr push-options with a windows(7) client?
09:17 < ksk> "Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS] lladdr"
09:18 < ksk> from the client.log
09:19 -!- notbrien [~notbrien@h-66-134-169-56.nycmny83.static.covad.net] has joined ##openvpn
09:25 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Remote host closed the connection]
09:28 -!- d457k [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined ##openvpn
09:28 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has quit [Ping timeout: 276 seconds]
09:32 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
09:50 < ksk> no idea?
09:52 < softy> !welcome
09:52 < vpnHelper> softy: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:53 < softy> !wiki
09:53 < vpnHelper> softy: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
09:54 < softy> !man
09:54 < vpnHelper> softy: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
10:11 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
10:15 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
10:29 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Remote host closed the connection]
10:52 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
10:57 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
11:03 -!- softy [~adas@144.190.93.27] has quit [Ping timeout: 276 seconds]
11:05 -!- unixnuub [~unixnuub@188.28.60.49.threembb.co.uk] has joined ##openvpn
11:06 < unixnuub> apologies if this is answered really obviously in a howto somewhere but I'd like to check if something is possible before i start, may i ask a question of the list ?
11:07 < unixnuub> i have a really shit mobile broadband provider (three.co.uk) 
11:07 < unixnuub> they keep blocking arbitrary ports
11:08 < unixnuub> last time it was irc
11:08 < unixnuub> now it smtp 
11:08 < unixnuub> so i was going to get a cheap dedicated server somewhere 
11:08 < unixnuub> and put openvpn on it 
11:08 < unixnuub> and just use that for all my needs 
11:08 < unixnuub> is that something that people do/can do ?
11:08 < unixnuub> oh yeah
11:08 -!- macsppadic [~sonupunno@88.211.55.77] has left ##openvpn []
11:09 < unixnuub> i've only got one ip address with that server
11:09 < unixnuub> ok i go play btanks 
11:09 < unixnuub> back in a mo
11:17 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
11:18 -!- softy [~adas@144.190.93.27] has joined ##openvpn
11:19 -!- dazo is now known as dazo_afk
11:20 -!- lazarus477 [~lazarus@78-72-21-171-no191.tbcn.telia.com] has quit [Quit: leaving]
11:22 < krzie> yes
11:22 < krzie> !redirect
11:22 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
11:22 -!- mape2k [~mape2k@p5B286ECE.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
11:24 < unixnuub> than you
11:29 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Remote host closed the connection]
11:41 < krzie> yw
11:42 -!- jwm [jwm@dev.dist.us] has joined ##openvpn
11:42 < jwm> howdy, anyone setup bridging on macos with openvpn
11:43 -!- fahmad [~linux@vpn.server4sale.com] has joined ##openvpn
11:43 -!- fahmad [~linux@vpn.server4sale.com] has quit [Changing host]
11:43 -!- fahmad [~linux@unaffiliated/fahmad] has joined ##openvpn
11:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:49 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
11:50 < jwm> hmm
11:50 < krzie> !layer2
11:50 < vpnHelper> krzie: "layer2" is (#1) you are using tap, what specific layer2 protocol do you need to work over the vpn?, or (#2) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#3) protocols that use layer2 communicate by MAC address, not IP address
11:53 < unixnuub> !help
11:53 < vpnHelper> unixnuub: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
11:53 < unixnuub> !openvpn
11:53 < vpnHelper> unixnuub: Error: "openvpn" is not a valid command.
11:53 < unixnuub> !list
11:53 < vpnHelper> unixnuub: Admin, Channel, ChannelLogger, Config, Factoids, Google, Misc, Owner, Seen, Services, User, and Web
11:54 < unixnuub> !ChannelLogger
11:54 < vpnHelper> unixnuub: Error: "ChannelLogger" is not a valid command.
11:54 < unixnuub> !layer2
11:54 < vpnHelper> unixnuub: "layer2" is (#1) you are using tap, what specific layer2 protocol do you need to work over the vpn?, or (#2) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#3) protocols that use layer2 communicate by MAC address, not IP address
12:00 < krzie> heh
12:00 < krzie> !factoids
12:00 < vpnHelper> krzie: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
12:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:10 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
12:11 < jwm> krzie: yeah, I already use tap
12:11 < jwm> I've got everything setup and I know I need to use ipnetrouterx
12:11 < jwm> to bridge the interfaces
12:11 < jwm> just wondering what routes I need to also specify
12:12 < jwm> if I do the tap0 and my en0 (ethernet) interface on the same subnet
12:12 < jwm> I lose access to the vpn network
12:12 < jwm> even with bridging turned on in ipnetrouterx
12:13 < jwm> I know in linux with brctl I had to remove the ip from the ethernet interface
12:13 < jwm> and put it on the new bridge interface
12:13 < jwm> but ipnetrouterx doesn't do a new interface
12:14 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:15 < krzie> you might be losing your gateway
12:15 < jwm> well there are conflicting gateways setup
12:16 < jwm> I guess?
12:16 < jwm> nah that doesn't make sense
12:16 < jwm> hehe
12:16 < jwm> I did read that the ipnetrouterx software doesn't do transparent bridging
12:22 -!- clyons_ [~clyons@unaffiliated/clyons] has joined ##openvpn
12:31 < krzie> a lot of time when you run the script to start the bridge, if you look at your routing table, you have lost a default gateway
12:31 < krzie> i have no idea what ipnetrouterx
12:31 < krzie> and i once did bridge osX to freeBSD a couple yrs ago
12:31 < krzie> but why do you need a bridge? what specific layer2 do you need?
12:33 < krzie> most the time people come here asking for help bridging, they dont need a bridge
12:35 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
12:40 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:42 -!- unixnuub [~unixnuub@188.28.60.49.threembb.co.uk] has quit [Ping timeout: 248 seconds]
12:42 -!- unixnuub [~unixnuub@188.28.127.70.threembb.co.uk] has joined ##openvpn
12:48 -!- Irssi: ##openvpn: Total of 101 nicks [2 ops, 0 halfops, 1 voices, 98 normal]
12:59 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
13:13 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
13:14 < krzee> jwm, im still here
13:19 -!- clyons_ is now known as clyons
13:30 -!- unixnuub [~unixnuub@188.28.127.70.threembb.co.uk] has quit [Ping timeout: 252 seconds]
14:12 -!- bent_screwdriver [~socain00@74.255.249.66] has joined ##openvpn
14:14 < bent_screwdriver> im trying to get quagga to send ospf updates accross a openvpn link and they don't connect. The connect correctly on the same lan, and recieve the quagga routes, but not through the vpn tunnel. anything special needed? i can pass traffic throght the tunnel, etc. running statick keys with ifconfig for ip assignment.
14:15 -!- brah [~asdofp@190.183.62.68] has quit [Remote host closed the connection]
14:15 < krzee> !rip
14:15 < vpnHelper> krzee: "rip" is http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting for a writeup on using RIP in openvpn
14:33 -!- fahmad [~linux@unaffiliated/fahmad] has joined ##openvpn
14:34 < jwm> krzee: I think the version of iproute software I have needs updated
14:34 < jwm> that is what was doing it
14:34 < jwm> promiscuous support is in the latest
14:36 < krzee> i still dunno why you're even using bridge... but ok
14:36 < krzee> i gotta get some work done
14:40 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 260 seconds]
14:49 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
14:59 -!- fahmad [~linux@vpn.server4sale.com] has joined ##openvpn
14:59 -!- fahmad [~linux@vpn.server4sale.com] has quit [Changing host]
14:59 -!- fahmad [~linux@unaffiliated/fahmad] has joined ##openvpn
15:04 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has joined ##openvpn
15:10 -!- jonkri [jonkri@dedikerad/admin/jonkri] has quit [Read error: Connection reset by peer]
15:16 -!- softy [~adas@144.190.93.27] has quit [Ping timeout: 245 seconds]
15:20 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
15:21 -!- respisto [~respisto@189.110.241.249] has joined ##openvpn
15:41 -!- respisto [~respisto@189.110.241.249] has quit [Quit: Saindo]
15:42 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
15:42 -!- softy [~adas@144.190.93.27] has joined ##openvpn
15:44 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
15:45 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.6/20100625231939]]
15:47 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
15:53 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Remote host closed the connection]
15:57 -!- DrJ [Bacon@174.141.224.168] has joined ##openvpn
15:57 -!- DrJ [Bacon@174.141.224.168] has quit [Excess Flood]
15:58 -!- DrJ [Bacon@174.141.224.168] has joined ##openvpn
16:06 -!- bent_screwdriver [~socain00@74.255.249.66] has quit []
16:30 -!- roentgen_ [~hart@miranda/user/roentgen] has joined ##openvpn
16:38 < fahmad> hey
16:38 < fahmad> any one arround ?
16:38 < fahmad> http://paste.ubuntu.com/461299/
16:38 < fahmad> i could not able to get it work yet :(
16:40 -!- paulmarchand [~paulmarch@ANantes-553-1-26-109.w92-144.abo.wanadoo.fr] has joined ##openvpn
16:40 < paulmarchand> hie !
16:40 < paulmarchand> hello (sorry i'm french)
16:41 < paulmarchand> so what can i do with a vpn ?
16:42 < hyper_ch> what do you need a vpn for?
16:42 < fahmad> hyper_ch: hey
16:45 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
16:45 < paulmarchand> it's for a company
16:46 < paulmarchand> i install it on a mac mini sereer
16:46 < paulmarchand> server sorry
16:46 < paulmarchand> i'm at home and i'm connected on this connection
16:46 < paulmarchand> what can i do with that
16:46 < paulmarchand> can i saw computers on local network ?
16:47 < paulmarchand> can i see computers on local network ?
16:47 < hyper_ch> paulmarchand: https://secure.wikimedia.org/wikipedia/fr/wiki/R%C3%A9seau_priv%C3%A9_virtuel
16:47 < vpnHelper> Title: Réseau privé virtuel - Wikipédia (at secure.wikimedia.org)
16:48 < paulmarchand> i saw it but they don't explain really the application they explain how it work.
16:51 < hyper_ch> !howto
16:51 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:53 < fahmad> can any one help me
16:53 < fahmad> *
16:54 -!- paulmarchand [~paulmarch@ANantes-553-1-26-109.w92-144.abo.wanadoo.fr] has left ##openvpn []
16:57 < fahmad> :(
17:01 < fahmad> http://paste.ubuntu.com/461299/
17:01 < fahmad> any one help me with this ?
17:14 -!- notbrien [~notbrien@h-66-134-169-56.nycmny83.static.covad.net] has quit [Quit: notbrien]
17:15 -!- softy [~adas@144.190.93.27] has quit [Ping timeout: 276 seconds]
17:15 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
17:18 -!- fahmad [~linux@unaffiliated/fahmad] has quit [Quit: :(]
17:30 -!- softy [~adas@144.190.93.27] has joined ##openvpn
17:35 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
17:36 -!- killown [~killown@unaffiliated/killown] has quit [Read error: Connection reset by peer]
17:53 -!- katoen [83ec6e0e75@xs8.xs4all.nl] has quit [Remote host closed the connection]
18:36 < jwm> so
18:39 < |Mike|> YEAH!
18:40 < jwm> hehe
18:40 < jwm> I got my bridge mode on macos working
18:40 < jwm> happy about that
18:41 < |Mike|> that's o so hard hehe
18:43 < jwm> hehe
18:43 < jwm> yeah
18:48 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
18:48 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 260 seconds]
19:21 -!- Netsplit *.net <-> *.split quits: Zathraz, clyons, kreg, n0sq, killermouse0
19:21 -!- Netsplit over, joins: n0sq
19:25 -!- killermouse0 [~killermou@gsv95-1-82-233-12-23.fbx.proxad.net] has joined ##openvpn
19:36 -!- clyons [~clyons@unaffiliated/clyons] has joined ##openvpn
19:37 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
19:41 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has joined ##openvpn
19:48 -!- jeiworth_ [~jeiworth@189.163.186.137] has joined ##openvpn
19:57 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
19:59 -!- tristannfdn [idk@persephone.phys.columbus.edu] has joined ##openvpn
20:00 < tristannfdn> im having some issues actually telling windows to send traffic through the tunneled interface.
20:00 < tristannfdn> it connects fine, i can see its keepalive via tcpdump on the server, but it seems to  wanna use the regular interface for browsing instead.
20:00 < |Mike|> topic please
20:00 < tristannfdn> ten four
20:00 < tristannfdn> !welcome
20:00 < vpnHelper> tristannfdn: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:01 < tristannfdn> !route
20:01 < vpnHelper> tristannfdn: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:01 < tristannfdn> far as i can tell i have a windows problem :3 but im not sure where else to ask
20:01 < |Mike|> !def1
20:01 < vpnHelper> |Mike|: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
20:01 < |Mike|> you might want to read that :-)
20:03 < tristannfdn> seems logical.
20:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
20:09 < tristannfdn> will this take priority over other interfaces.
20:09 < tristannfdn> like, will windows attempt to use this gateway by default. im reading the wiki but its confusing me a tad
20:09 < tristannfdn> well, im reading a wiki i should say.
21:46 < tristannfdn> well, its progressed a little.
21:46 < tristannfdn> now seemingly just a ruoting problem. the vpn can send packets but they dont come back.
22:31 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
22:32 -!- jeiworth_ [~jeiworth@189.163.186.137] has quit [Ping timeout: 260 seconds]
22:46 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
23:07 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
23:09 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
23:51 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
--- Day changed Sat Jul 10 2010
00:43 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
00:55 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
00:57 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
00:58 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Client Quit]
00:58 -!- kish_ [~o2@unaffiliated/spice] has joined ##openvpn
01:00 -!- kish [~o2@unaffiliated/spice] has quit [Ping timeout: 276 seconds]
01:51 < Bushmills> what is the common solution for restoring the previous name server on a windows client, after disconnecting from a vpn server which pushed dhcp-option nameserver and redirect-gateway def1 upon connection? 
01:51 < Bushmills> (i think it is a windows 7 client)
01:52 < hyper_ch> people still use windows? ^^
01:52 < Bushmills> that person does
01:52 < hyper_ch> Bushmills: restarting the network connection probably helps
01:52 < Bushmills> that's the first windows client of nine.
01:53 < Bushmills> so even if it is a very small sample, probably not representative, it appears that 10..12 % of users run windows :) 
01:53 < hyper_ch> so many masochists in the world... I'd never have guessed so
01:54 < Bushmills> (un?)luckily my windows exposure and experience is about zero
01:54 < hyper_ch> did you try restarting the network connection?
01:55  * hyper_ch heard you can catch viruses when you have contact with Windows
01:55 < Bushmills> nothing tried yet, this is preparing for that machine to connect
01:55 < hyper_ch> unprotected contact
01:57 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
01:59 < hyper_ch> Bushmills: http://support.microsoft.com/kb/299357
02:01 < hyper_ch> Bushmills: http://www.computing.net/answers/windows-xp/restart-network-without-reboot/139589.html
02:01 < vpnHelper> Title: Restart network without reboot (at www.computing.net)
02:05 < Bushmills> thanks, i have forwarded these links. a bit of extra clicking should be fine for now
02:06 < hyper_ch> well the net thingy commands could be put into a batch
02:06 < hyper_ch> I just think restarting the network connection will restore the default ns and routings.... but not sure
02:07 < hyper_ch> it's been a while since I turly used windows
02:07 < Bushmills> sounds like dhcp would be re-requested, which should fix the name server 
02:07 < hyper_ch> that's why I think
02:07 < hyper_ch> but then... it's windows
02:19 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:20 -!- mode/##openvpn [+o mattock] by ChanServ
02:44 -!- mape2k [~mape2k@2001:638:904:ffe2:21f:3bff:fe27:21a9] has joined ##openvpn
02:57 -!- mape2k [~mape2k@2001:638:904:ffe2:21f:3bff:fe27:21a9] has quit [Ping timeout: 252 seconds]
02:58 -!- roentgen_ [~hart@miranda/user/roentgen] has quit [Ping timeout: 260 seconds]
03:08 -!- mape2k [~mape2k@2001:638:904:ffe2:21f:3bff:fe27:21a9] has joined ##openvpn
03:14 -!- roentgen_ [~hart@miranda/user/roentgen] has joined ##openvpn
03:15 -!- mape2k [~mape2k@2001:638:904:ffe2:21f:3bff:fe27:21a9] has quit [Ping timeout: 252 seconds]
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:57 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
03:59 -!- green [~green@dhcp-155-68-115-92.fandm.edu] has joined ##openvpn
03:59 < green> hi
04:00 < green> !welcome
04:00 < vpnHelper> green: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:00 < green> @ topic, most problem probly is my firewall
04:01 < green> at home I can connect to the vpn just fine
04:01 < green> here, i cannot
04:01 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
04:30 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
04:33 -!- mape2k [~mape2k@2001:638:904:ffe2:21f:3bff:fe27:21a9] has joined ##openvpn
04:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
04:55 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
05:09 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
05:14 -!- mape2k [~mape2k@2001:638:904:ffe2:21f:3bff:fe27:21a9] has quit [Ping timeout: 252 seconds]
05:23 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
05:28 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
05:42 -!- fahmad [~linux@unaffiliated/fahmad] has joined ##openvpn
05:43 < fahmad> hello every one
05:43 < fahmad> can any one now help me with this http://paste.ubuntu.com/461299/
05:45 -!- mape2k [~mape2k@2001:638:904:ffe2:21f:3bff:fe27:21a9] has joined ##openvpn
06:14 -!- d457k [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has quit [Ping timeout: 248 seconds]
06:18 -!- Suzn [~blaquie@cblmdm72-241-148-236.buckeyecom.net] has joined ##openvpn
06:18 -!- Suzn [~blaquie@cblmdm72-241-148-236.buckeyecom.net] has left ##openvpn []
06:19 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
06:37 -!- roentgen_ [~hart@miranda/user/roentgen] has quit [Ping timeout: 260 seconds]
06:50 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 248 seconds]
06:59 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
07:06 < fahmad> hello any one ?
07:09 < jwm> hi
07:10 < fahmad> can any one now help me with this http://paste.ubuntu.com/461299/
07:12 < fahmad> i have server where openvpn is running and it is connected to lan having ip range 192.168.129.0/24 and i want when my windows client connect vpn server it can ping any machine within the network where openvpn server is connected i.e. 192.168.129.0/24
07:12 < fahmad> jwm: can you please help me in this ?
07:17 < jwm> one sec
07:17 < jwm> driving
07:17 < jwm> hehe
07:18 < jwm> tap or tun?
07:23 < fahmad> tap
07:24 < fahmad> jwm: tap
07:35 < jwm> ok
07:35 < jwm> did you bridge the interfaces
07:35 < jwm> http://www.grc.com/vpn/routing.htm
07:35 < vpnHelper> Title: GRC | OpenVPN HOWTO Guide: Routing vs Bridging (at www.grc.com)
07:35 < jwm> here's a nice tutorial
07:35 < jwm> not sure how far along you are
07:48 < fahmad> humm
07:49 < fahmad> ok i will look into that in more details as i have gone through this but again i will look more ...
07:52 < fahmad> jwm: do i need to create bridge on server where openvpn is installed ?
07:52 < fahmad> because i wanted to access lan which is connected with openvpn server
07:52 -!- mape2k [~mape2k@2001:638:904:ffe2:21f:3bff:fe27:21a9] has quit [Ping timeout: 252 seconds]
07:53 < Bushmills> !tunortap
07:53 < vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
07:54 < vpnHelper> Bushmills: against you over the vpn, or (#4) lan gaming? use tap!
07:54 < Bushmills> tap is not needed for accessing hosts behind openvpn server
07:54 < fahmad> humm
07:55 < Bushmills> !route
07:55 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:55 < fahmad> ok
07:55 < fahmad> then i need to use tun and then route ...
07:55 < fahmad> right
07:55 < fahmad> hold on
07:55 < fahmad> lemme try
07:55 < fahmad> lemme try it right away
08:10 -!- Xen^ [~linux@vpn.server4sale.com] has joined ##openvpn
08:14 -!- fahmad [~linux@unaffiliated/fahmad] has quit [Ping timeout: 248 seconds]
08:18 -!- kish_ is now known as kish
08:32 < Xen^> Bushmills: i did modifcation in configuration and i can ping 192.168.222.1 and 192.168.222.6 but i could not get route for network 192.168.129.0/24 on client side ...
08:34 < Bushmills> find out why you can't. double check that you did what !route tells you to. also check !firewall
08:34 < Xen^> okies checking ...
08:36 -!- jeiworth_ [~jeiworth@189.163.186.137] has joined ##openvpn
08:36 < Xen^> now route add succed
08:37 < Xen^> but i can not ping 192.168.129.254 which is bind on gateway nor 192.168.129.101 which is connected with openvpn server via switch
08:47 < Xen^> Bushmills: fixed
08:48  * Xen^ hugs Bushmills jwm hyper_ch krzee
08:48 -!- Xen^ [~linux@vpn.server4sale.com] has quit [Quit: brb]
09:03 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
09:25 < jwm> hehe
09:25 < jwm> what did I do
09:25 < jwm> :)
09:33 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
09:33 -!- mode/##openvpn [+o mattock] by ChanServ
09:34 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Client Quit]
09:37 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has joined ##openvpn
10:05 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has quit [Read error: Operation timed out]
10:26 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has joined ##openvpn
10:31 -!- jeiworth_ [~jeiworth@189.163.186.137] has quit [Remote host closed the connection]
10:53 -!- roentgen_ [~hart@miranda/user/roentgen] has joined ##openvpn
10:55 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
11:23 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
11:28 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
11:52 -!- avocado [nr@god.isadouchebag.net] has joined ##openvpn
11:56 < avocado> !welcome
11:56 < vpnHelper> avocado: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:01 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
12:03 < jwm> !redirect
12:03 < vpnHelper> jwm: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:16 -!- buntfalke_ is now known as buntfalke
12:18 < avocado> !ipforward
12:18 < vpnHelper> avocado: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
12:18 < avocado> !linipforward
12:18 < vpnHelper> avocado: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
12:19 < avocado> i think my iptables are not correct :\
12:21 < krzee> avocado, for NAT for redirect?
12:29 -!- green [~green@dhcp-155-68-115-92.fandm.edu] has quit [Ping timeout: 260 seconds]
12:30 < avocado> !nat
12:30 < vpnHelper> avocado: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
12:37 < avocado> !linat
12:37 < vpnHelper> avocado: Error: "linat" is not a valid command.
12:37 < avocado> !linnat
12:37 < vpnHelper> avocado: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
12:38 < avocado> hm, that did it
12:38 < jwm> I'm happy with my sexy tap setup
12:38 < jwm> on macos with bridging
12:38 < jwm> hehe
12:38 < jwm> :)
13:06 < buntfalke> Does OpenVPN set the DSCP bits?
13:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 248 seconds]
13:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:42 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:43 -!- roentgen_ [~hart@miranda/user/roentgen] has quit [Remote host closed the connection]
14:13 -!- sircolin [~sircolin@berkshirecomputing.info] has joined ##openvpn
14:16 < sircolin> Hi everyone 
14:16 < sircolin> i wonder if somebody could help me im trying to get open to let me have access the 10.1.1.1 which is local to my openvpn server on 10.1.1.6 i can connect to it from across the net but i can't seem to ping 10.1.1.2 ...
14:18 < sircolin> never mind i see you don't support openvpn-as 
14:18 -!- sircolin [~sircolin@berkshirecomputing.info] has left ##openvpn []
14:42 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
15:04 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
16:10 -!- RedT0mt0m [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has quit [Ping timeout: 240 seconds]
16:11 -!- takamichi [~pri@78.133.38.201] has quit [Ping timeout: 240 seconds]
16:14 -!- softy [~adas@144.190.93.27] has quit [Ping timeout: 260 seconds]
16:15 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
16:32 -!- APTX_ [~APTX@phpBB/developer/APTX] has joined ##openvpn
16:33 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Connection reset by peer]
16:46 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Remote host closed the connection]
16:47 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined ##openvpn
16:52 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Remote host closed the connection]
16:59 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined ##openvpn
17:08 -!- theDoc [~link@unaffiliated/thedoc] has joined ##openvpn
17:18 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Remote host closed the connection]
17:30 -!- kloeri_ [~kloeri@freenode/staff/exherbo.kloeri] has joined ##openvpn
17:32 -!- brah [~asdofp@190.183.62.68] has joined ##openvpn
18:01 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
18:12 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
18:19 -!- fahmad [~linux@unaffiliated/fahmad] has joined ##openvpn
18:20 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
18:25 -!- kloeri_ is now known as kloeri
18:26 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Read error: Connection reset by peer]
18:31 -!- ayi [~vegar@164.84-49-181.nextgentel.com] has joined ##openvpn
18:33 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
18:35 < ayi> When using multiple remote's for failover, is it possible to make openvpn retry the first remote automatically for when it comes back up?
18:37 < ayi> or must one restart openvpn?
18:38 < ayi> which is fine, although not awesome :p
18:39 -!- APTX_ is now known as APTX
18:52 -!- green [~green@dhcp-155-68-115-92.fandm.edu] has joined ##openvpn
19:33 -!- green [~green@dhcp-155-68-115-92.fandm.edu] has quit [Ping timeout: 265 seconds]
19:49 -!- brah [~asdofp@190.183.62.68] has quit [Remote host closed the connection]
19:53 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:01 < fahmad> !help
20:01 < vpnHelper> fahmad: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
20:01 < fahmad> !commands
20:01 < vpnHelper> fahmad: Error: "commands" is not a valid command.
20:01 < fahmad> !command
20:01 < vpnHelper> fahmad: Error: "command" is not a valid command.
20:03 < fahmad> !list
20:03 < vpnHelper> fahmad: Admin, Channel, ChannelLogger, Config, Factoids, Google, Misc, Owner, Seen, Services, User, and Web
20:08 -!- DrJ is now known as Bacon
20:08 -!- Bacon is now known as DrJ
20:20 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
20:22 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
20:27 -!- fahmad [~linux@unaffiliated/fahmad] has quit [Ping timeout: 265 seconds]
20:44 -!- clyons [~clyons@unaffiliated/clyons] has quit [Read error: Operation timed out]
20:45 -!- clyons [~clyons@unaffiliated/clyons] has joined ##openvpn
20:56 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
20:58 -!- ayi [~vegar@164.84-49-181.nextgentel.com] has quit [Ping timeout: 240 seconds]
21:13 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
21:15 -!- grendal_prime [~sgraham@dsl-12-44-166-053.arpa2.caltel.com] has joined ##openvpn
21:15 < grendal_prime> oi
21:15 -!- killermouse0 [~killermou@gsv95-1-82-233-12-23.fbx.proxad.net] has quit [Read error: Operation timed out]
21:15 -!- killermouse0 [~killermou@gsv95-1-82-233-12-23.fbx.proxad.net] has joined ##openvpn
21:34 -!- jonkri [jonkri@dedikerad/admin/jonkri] has joined ##openvpn
21:34 < jonkri> how much security do you gain and how much performance do you lose by using 4096 keys (and dh) instead of 2048?
21:36 -!- green [~green@dhcp-155-68-115-92.fandm.edu] has joined ##openvpn
21:44 < grendal_prime> is it possible to run 2 seperate openvpn instances that both listen on the same port...?
21:45 < grendal_prime> like randomeize the active one?  so i can loadballance between processes?
21:47 < theDoc> grendal_prime> No.
21:55 -!- jonkri [jonkri@dedikerad/admin/jonkri] has quit [Quit: sleep]
21:55 -!- ayi [~vegar@164.84-49-181.nextgentel.com] has joined ##openvpn
22:03 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Read error: Operation timed out]
22:42 -!- takamichi [~pri@78.133.38.201] has joined ##openvpn
22:43 -!- ayi [~vegar@164.84-49-181.nextgentel.com] has quit [Ping timeout: 264 seconds]
22:48 -!- green [~green@dhcp-155-68-115-92.fandm.edu] has quit [Read error: Connection reset by peer]
23:11 -!- jonkri [jonkri@dedikerad/admin/jonkri] has joined ##openvpn
23:12 < jonkri> how much security do you gain and how much performance do you lose by using 4096 keys (and dh) instead of 2048? or 2048 instead of 1024?
23:23 < grendal_prime> theDoc, ok so basically if i want to handle about 1000 connections, i need to have about  5 ip's and something to loadballance between them.  Then i could alias out the nics on the same box i was running openvpn on.
23:24 < grendal_prime> that way i could run 5 different openvpn processes, one for each ip and port 1194 on each ip address.  That should work then correct?
23:24 < theDoc> No.
23:24 < theDoc> You cannot run 5 instances on the same port.
23:24 < grendal_prime> different nics?
23:25 < grendal_prime> one instance per nic.
23:31 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
23:33 < grendal_prime> sounds to me like i need to bust out a vm and give it a shot
23:36 < jwm> heh
23:38 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
23:41 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
23:41 < grendal_prime> well i mean it seems a bit odd that you cant do that with openvpn when you can do it with just about any other program ive run into in the past.
--- Day changed Sun Jul 11 2010
00:06 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Read error: Connection reset by peer]
00:14 -!- grendal_prime [~sgraham@dsl-12-44-166-053.arpa2.caltel.com] has quit [Ping timeout: 258 seconds]
00:15 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
00:17 -!- grendal_prime [~sgraham@dsl-12-44-166-053.arpa2.caltel.com] has joined ##openvpn
00:25 < jonkri> i want to have some "internal" domains in my vpn setup (domains that point to a vpn ip). what is the best way of setting this "local" dns?
00:30 -!- jonkri [jonkri@dedikerad/admin/jonkri] has quit [Quit: Java user signed off]
00:36 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 245 seconds]
00:48 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
01:01 -!- kish [~o2@unaffiliated/spice] has quit [Ping timeout: 265 seconds]
01:03 -!- kish [~o2@unaffiliated/spice] has joined ##openvpn
01:08 -!- grendal_prime [~sgraham@dsl-12-44-166-053.arpa2.caltel.com] has quit [Ping timeout: 252 seconds]
01:09 -!- grendal_prime [~sgraham@dsl-12-44-166-053.arpa2.caltel.com] has joined ##openvpn
01:24 -!- grendal_prime [~sgraham@dsl-12-44-166-053.arpa2.caltel.com] has quit [Quit: Ex-Chat]
01:59 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
02:09 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
02:39 -!- mrresist0r [~mrresist0@69.31.131.51] has quit [Ping timeout: 276 seconds]
02:45 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:47 -!- mrresist0r [~mrresist0@69.31.131.51] has joined ##openvpn
02:54 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
04:15 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:36 -!- roentgen_ [~hart@miranda/user/roentgen] has joined ##openvpn
04:42 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
05:13 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
05:18 -!- theDoc [~link@unaffiliated/thedoc] has left ##openvpn ["Leaving"]
05:18 -!- theDoc [~link@unaffiliated/thedoc] has joined ##openvpn
05:30 -!- fahmad [~linux@vpn.server4sale.com] has joined ##openvpn
05:33 -!- clyons [~clyons@unaffiliated/clyons] has quit [Quit: Leaving]
05:36 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
05:44 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 276 seconds]
05:57 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
05:59 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
06:05 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
06:10 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:18 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
06:22 -!- ayi [~vegar@164.84-49-181.nextgentel.com] has joined ##openvpn
06:31 -!- fbh [fbh@193.88.14.101] has quit [Changing host]
06:31 -!- fbh [fbh@unaffiliated/fbh] has joined ##openvpn
06:41 < fahmad> hey 
06:59 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
07:02 -!- clyons [~clyons@unaffiliated/clyons] has joined ##openvpn
07:21 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:22 -!- theDoc [~link@unaffiliated/thedoc] has quit [Quit: Leaving]
07:22 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
08:07 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
08:11 -!- fahmad [~linux@vpn.server4sale.com] has quit []
08:13 -!- jonkri [jonkri@dedikerad/admin/jonkri] has joined ##openvpn
08:14 < jonkri> how much security do you gain and how much performance do you lose by using 4096 keys (and dh) instead of 2048? or 2048 instead of 1024?
08:18 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
09:24 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
09:50 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
09:51 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:28 -!- EugenMayer [~EugenMaye@frbg-5f731e3a.pool.mediaWays.net] has joined ##openvpn
10:29 < EugenMayer> are there any limitations on how many openVPN networks i can initiate on one machine?
10:30 < EugenMayer> i have a backupserver which should have to openVPN nets. One is for our employees to connect to the office network from remote ( up and running ). One additional net should only be internal, thats where all clients which will be backuped
10:30 < EugenMayer> are connected to. those clients should not be in the office net though, only in this special net where the backup server is able to find the clients
10:32 < julius> I guess you can safely assume that you can run enough instances for your setup
10:34 < EugenMayer> julius: now my question is, how to handle this with the debian starup scripts?
10:34 < EugenMayer> i guess i cant define 2 different servers in one configuration file?
10:35 < julius> you can write multiple config files
10:35 < julius> i.e. external.conf and internal.conf
10:35 < EugenMayer> well, and then?
10:35 < julius> the debian startup script starts openvpn once for every .conf in /etc/openvpn
10:35 < julius> afaik
10:35 < EugenMayer> place them both under /etc/openvpn?
10:35 < EugenMayer> ah!
10:36 < EugenMayer> julius++
10:36 < EugenMayer> Thank you.
10:36 < julius> :P
10:36 < julius> you're welcome
10:38 < EugenMayer> julius: just a question. the clients connecting to this 10.0.1.0 net should be "locked2 in there. Can they simply add a route to be able to route into 192.168.1.0 ?
10:39 < EugenMayer> alos, "client-to-client" removing this, clients would not be able to talk to eachother i guess
10:41 < julius> you can work with client-to-client and can set iptables and/or routes for the tun devices like any other network interface
10:41 < EugenMayer> http://pastebin.com/vUQaSUTS
10:41 < EugenMayer> thats actually my current configuration file
10:41 < EugenMayer> oh i need to remove that push
10:42 < julius> I think I am way to tired to do proper debugging…
10:42 < EugenMayer> Well now i need: every client gets a certificate without passphrase and should always get the same IP.  I guess i can use ifconfig-pool-persist ipp.txt ?
10:42 < julius> sounds reasonable…
10:42 < EugenMayer> julius: no problem. 
10:43 < julius> you may want to limit simultaneus connections with one certificate to one
10:44 < julius> aaaand
10:45 < julius> I don't remember what the setting was called, "float" or something like that
10:45 < julius> and use udp - of course
10:56 < EugenMayer> udp - ?
10:57 < EugenMayer> what you mean is "dublicae"
10:57 < EugenMayer> julius: what is udp - ?
10:58 < julius> seriously?
10:59 < EugenMayer> well iam asking about "-"
10:59 < EugenMayer> (not udp)
10:59 < EugenMayer> it looked like you want me to define "proto udp -"
10:59 < EugenMayer> (or something like that)
11:00 < julius> except for some rare exceptions "proto udp" is much better
11:02 < EugenMayer> well i use udp ?
11:02 < EugenMayer> http://pastebin.com/j5XXzQT1
11:02 < EugenMayer> thats my setup right now. Last thing for me is, how to handle those client keys
11:03 < EugenMayer> i have created a key called webserver.key ( webserver.crt ) Actually where to place those keys (key to the client, but where is the public one actually?)
11:06 < EugenMayer> is this a symetric key?!
11:06 < julius> no
11:06  * EugenMayer pretty confused somehow
11:06 < EugenMayer> i expect a webserver.crt, webserver.key, webserver.key.pub
11:07 < EugenMayer> first 2 to the client (including the ca), last on the server
11:07 < julius> .crt contains a public key
11:07 < julius> .key is the private key
11:07 < EugenMayer> http://www.debian-administration.org/articles/489
11:07 < vpnHelper> Title: Connecting to office network using OpenVPN tunnel (at www.debian-administration.org)
11:08 < EugenMayer> well iam there actually and they wont me to copy the .crt to client. How should that make sense?
11:08 < EugenMayer> .key + .crt to client
11:08 < julius> !google ssl
11:08 < vpnHelper> julius: Transport Layer Security - Wikipedia, the free encyclopedia: <http://en.wikipedia.org/wiki/Transport_Layer_Security>; Solid State Logic: <http://www.solid-state-logic.com/>; SSL Certificate Information Center - SSL Certificates and SSL from ...: <http://www.verisign.com/ssl/ssl-information-center/index.html>
11:08 < EugenMayer> http://www.ubuntu-pics.de/bild/101951/screenshot_028_Qlbd0N.png
11:09 < EugenMayer> julius: but at least the crt should be in somewhere on the server also?
11:09  * EugenMayer simply dont gets how authentication should work that way
11:09 < julius> it's transmitted every time a connection is made
11:09 < julius> certificates are signed by the ca?
11:10 < EugenMayer> i see.
11:23 < EugenMayer> julius: Sun Jul 11 18:23:29 2010 us=957616 UDPv4 link remote: 82.xx.xx.166:10000 
11:24 < EugenMayer> seems to hang here ( xx.xx inserted by me for obv.)
11:25 < julius> dunno
11:26 < EugenMayer> i hate the router...forgot about the "enable this rule" switch. Well i would so much love to replace those crappy routers by a linux machine..
11:28 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
11:29 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
11:30 < EugenMayer> LS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
11:30 < EugenMayer> does that mean, that ca.crt on the client is not matching ca.crt on the server?
11:31 < julius> either you system clock is terribly wrong or you made some mistake while creating the certs
11:32 < EugenMayer> date / clock is fine
11:32 < julius> I'm done here *afk*
11:32 < EugenMayer> julius: thank you for your patience anyway. 
11:38 -!- ayi [~vegar@164.84-49-181.nextgentel.com] has quit [Ping timeout: 240 seconds]
11:44 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
11:44 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
11:58 -!- fahmad [~linux@unaffiliated/fahmad] has joined ##openvpn
11:59 < fahmad> !welcome
11:59 < vpnHelper> fahmad: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:12 -!- aar0n [~aar0nsky@d47-69-246-113.try.wideopenwest.com] has joined ##openvpn
12:17 < fahmad> hey i have question: If i am running OpenVPN server on Linux and remote client which is connecting OpenVPN server acting as Gateway for LAN client how can openvpn server host ping LAN machines of client connecting to OpenVPN Server
12:25 < fahmad> any one who can answer this question /
12:36 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
12:37 < SOG> Nice
12:38 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
12:41 -!- krzie [krzee@joogot.noskills.net] has joined ##openvpn
12:41 < krzie> !fbsdjail
12:41 < vpnHelper> krzie: "fbsdjail" is <thei0s> krzie: if you are interested in the solution: I needed to add to hosts rc.conf the creation of tun0 device, create a special devfs ruleset with tun0 unhiden, configure that it is used in the devfs mount point inside chroot in my jail and specify openvpn --dev tun0 parameter and it seems that this is it... so, thank you for assistance and ideas
12:43 < fahmad> krzie : can you answer one of my query ?
12:43 < fahmad> hey i have question: If i am running OpenVPN server on Linux and remote client which is connecting OpenVPN server acting as Gateway for LAN client how can openvpn server host ping LAN machines of client connecting to OpenVPN Server 
12:43 < krzie> !route
12:43 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:43 < krzie> it came pre-answered, i made a writeup for it ;]
12:44 < krzie> but basically
12:44 < krzie> !clientlan
12:44 < vpnHelper> krzie: "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
12:45 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
12:46 < fahmad> ok
12:47 < fahmad> !route_outside_openvpn
12:47 < vpnHelper> fahmad: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
12:47 < fahmad> !iroute
12:47 < vpnHelper> fahmad: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
12:47 < fahmad> !ipforward
12:47 < vpnHelper> fahmad: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
12:47 < fahmad> !winipforward
12:47 < vpnHelper> fahmad: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
12:49 < fahmad> krzie: okay one more question if you allow
12:50 < krzie> fire away, worst thing that can happen is no answer ;)
12:51 < krzie> (im scripting stuff for a migration i need to oversee this week)
12:51 < fahmad> what if i have a device connected to my computer directly using cross over cable and i create bridge b/w lan adapter and openvpn tap adapter in that case how can client ping ...
12:51 < fahmad> :)
12:51 < krzie> i dont do bridges
12:51 < fahmad> ok
12:51 < krzie> they are rarely needed (only when you need layer2)
12:51 < krzie> !layer2
12:51 < vpnHelper> krzie: "layer2" is (#1) you are using tap, what specific layer2 protocol do you need to work over the vpn?, or (#2) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#3) protocols that use layer2 communicate by MAC address, not IP address
12:52 < krzie> routing with ip-forwarding enabled will allow your goal if you dont need a specific layer2 protocol
12:52 < fahmad> krzie: okay tell me if i have a server in USA with IPs: 100.200.99.100-102 and i wanted to use ip 100.200.99.102 to my device which is not located in USA then how can i access that device normally ?
12:52 < krzie> aka, if everything you need communicates by IP address
12:53 < krzie> oh i remember answering this question like a week ago
12:53 < fahmad> yes its communicate by ip address
12:53 < krzie> bi-directional NAT
12:53 < fahmad> krzie: but i did not get it working :(
12:53 < fahmad> i stuck at this point but i learn alot things :)
12:53 < krzie> in linux its a DNAT and a SNAT, in fbsd its just "binat"
12:54 < fahmad> i know DNAT and SNAT also binat 
12:54 < krzie> then use it :)
12:54 < fahmad> but that device is connected using Ethernet :(
12:54 < fahmad> thats the wrose part :)
12:54 < krzie> and?
12:54 < fahmad> and i can not ping that device because it have STATIC IP which i do not have :)
12:54 < krzie> how would it be easier with a different connection than ethernet?
12:55 < krzie> you do it over the VPN
12:55 < krzie> its LAN ip and the VPN ips are static
12:55 < fahmad> humm
12:55 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
12:55 < krzie> so basically
12:55 < krzie> you setup a vpn with the windows client
12:55 < fahmad> yes
12:55 < krzie> you setup routing for the device, as if its a lan behind the windows machine
12:56 < krzie> then you BINAT the device IP on the server
12:56 < krzie> the device lan ip
12:56 < fahmad> humm
12:56 < krzie> !sample
12:56 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
12:56 < krzie> lose the bridge
12:57 < krzie> you can start from my cample configs if it makes you warm and fuzzy
12:57 < krzie> sample configs*
12:57 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
12:57 < krzie> hell, my bash config generator will even do most the routing stuff...
12:57 < fahmad> your site is not working for me 
12:57 < krzie> !confgen
12:57 < vpnHelper> krzie: "confgen" is http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator
12:57 < fahmad> i am from Pakistan ...
12:57 < krzie> oh damn thats right, the server is down
12:57 < fahmad> http://www.doeshosting.com not working
12:57 < krzie> ya you're right
12:57 < fahmad> http://www.ircpimps.org not working :)
12:57 < krzie> thats why im on from this host
12:58 < fahmad> oh
12:58 < krzie> forgot =/
12:58 < krzie> i sent SMS to my friends at the DC, but i dont know if anyone is even there on sunday
12:59 < fahmad> humm
12:59 < fahmad> krzie i can wait :)
12:59 < fahmad> i am not in rush i lost the project due to delay 
12:59 < fahmad> if i make it work i get 200 $
12:59 < krzie> sounds like i should get $200!
12:59 < krzie> ;]
13:00 < fahmad> lol
13:00 < fahmad> krzie: you are in US you can make much much more then that ;)
13:00 < fahmad> i believe 
13:00 < krzie> no im not
13:00 < fahmad> then where are you located 
13:00 < krzie> im in a 3rd world country... but i can still make much more than that
13:00 < krzie> caribbean
13:00 < fahmad> ok
13:00 < fahmad> can i pm you ?
13:01 < krzie> i guess
13:02 < EugenMayer> how would i assign the same ip to the client everytime the client connects?  ifconfig-pool-persist seems to be maintaned by the server
13:02 < EugenMayer> all entries i create are deleted
13:02 < krzie> !static
13:02 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
13:02 < krzie> and ipp is NOT for static
13:02 < krzie> !ipp
13:02 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
13:02 < EugenMayer> !thank you. That push should be on the client i guess?
13:02 < vpnHelper> EugenMayer: Error: "thank" is not a valid command.
13:02 < krzie> clients cant control ANYTHING
13:02 < krzie> nor can they push ANYTHING
13:03 < EugenMayer> But how to create client-specific pushs?
13:03 < EugenMayer> (iam using key auth)
13:03 < krzie> its explained in !static
13:03 < krzie> !ccd
13:03 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
13:03 < EugenMayer> i see.
13:04 < EugenMayer> hmm, can i set the directory where those client configs reside by server.conf?
13:04 < EugenMayer> because using that start option would also set the options for the second server ( using debian )
13:04 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
13:04 < krzie> lol
13:05 < krzie> you HAVE TO set the directory
13:05 < krzie> and
13:05 < krzie> !--
13:05 < vpnHelper> krzie: "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file.
13:05 < EugenMayer> well as its up there it defaults to the directory where the server configuration is in
13:05 < krzie> no...
13:05 < EugenMayer> Ok. Thank you.
13:05 < krzie> --client-config-dir <dir>
13:05 < EugenMayer> !ccd @EugenMayer
13:05 < vpnHelper> EugenMayer: Error: "ccd" is not a valid command.
13:05 < krzie> change <dir> to /path/to/dir
13:06 < krzie> !tell ccd EugenMayer 
13:06 < vpnHelper> krzie: Error: I haven't seen ccd, I'll let you do the telling.
13:06 < krzie> !tell EugenMayer ccd
13:06 < krzie> !say
13:06 < vpnHelper> krzie: "say" is NO! you're not the boss of me!
13:06 < EugenMayer> relative dirs are relative to the server.conf i guess
13:06 < krzie> yes i am =]
13:07 < krzie> they are relative to your current path
13:07 < EugenMayer> ok, thanks
13:07 < krzie> your working directory
13:07 < krzie> fullpath
13:07 < krzie> !fullpath
13:07 < vpnHelper> krzie: Error: "fullpath" is not a valid command.
13:07 < krzie> !path
13:07 < vpnHelper> krzie: "path" is always use full paths in your config file, it makes things easier
13:07 < EugenMayer> !static
13:07 < vpnHelper> EugenMayer: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
13:08 < EugenMayer> !ccd
13:08 < vpnHelper> EugenMayer: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
13:10 < EugenMayer> !iporder
13:10 < vpnHelper> EugenMayer: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
13:11 < EugenMayer> hm, getting
13:11 < EugenMayer> /sbin/ifconfig tun0 10.9.0.10 pointopoint 255.255.255.0 mtu 1500
13:11 < EugenMayer> SIOCSIFDSTADDR: Invalid argument
13:11 < EugenMayer> (sorry for multiline)
13:11 < EugenMayer> (on the client)
13:11 < krzie> all good, 2 lines isnt bad =]
13:12 < krzie> show me the server command from server config
13:12 < krzie> --server command
13:12 < EugenMayer> head bacula/clients/webserver
13:12 < EugenMayer> ifconfig-push 10.9.0.10 255.255.255.0
13:12 < krzie> thats the ccd file
13:13 < EugenMayer> hmm, not sure i can follow you
13:13 < krzie> grep server server.conf
13:13 < EugenMayer> ah. ok
13:13 < EugenMayer> server 10.9.0.0 255.255.255.0
13:13 < EugenMayer> --
13:13 < krzie> ohh net30 topology... 1sec
13:13 < EugenMayer> tun1      Link encap:UNSPEC  Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
13:13 < EugenMayer>           inet Adresse:10.9.0.1  P-z-P:10.9.0.2  Maske:255.255.255.255
13:13 < krzie> need to change the ifconfig-push
13:14 < krzie> booting my openbsd virtual machine, it has a net30 style ifconfig-push in it
13:14 < EugenMayer> whatever you do your day long, your far above my level :)
13:15  * EugenMayer is a sofware developer / project lead in the normal days :)
13:15 < krzie> well ive been helping people in here for a long time, so i picked up a few things ;]
13:15 < EugenMayer> But on weekends bacula / openvpn waits for me
13:15 < krzie> right on!
13:15  * EugenMayer hates empathy. I will remove it ...enugh.
13:16 -!- fahmad [~linux@unaffiliated/fahmad] has quit [Quit: ...]
13:17 < krzie> ifconfig-push 10.9.0.9 10.9.0.10
13:17 < krzie> btw good job picking .10, i guess you read the doc on what IPs are valid in net30 topology
13:17 < krzie> =]
13:17 < EugenMayer> Well i read to many docs all day.
13:18 < krzie> the mark of a champion ;]
13:18 < EugenMayer> Rather a guy who has to many responsibilities.
13:18 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 248 seconds]
13:19 < krzie> grr, has krzee been going down a lot?
13:19 < EugenMayer> krzie: just to get it. p-z-p is the what?
13:19 < krzie> point to point
13:19 < krzie> !/30
13:19 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
13:19 < krzie> !topology
13:19 < vpnHelper> krzie: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
13:20 < krzie> reading the link in topology will explain why it works that way
13:20 < krzie> basically, its a workaround for windows lameness
13:20 < EugenMayer> you mean
13:20 < krzie> they found a better way more recently, which allows subnet style setups
13:20 < EugenMayer> yawfw
13:20 < krzie> so with that option you can use .2 .3 .4 .5 etc for clients
13:20 < EugenMayer> yet another workaround for windows..
13:20 < krzie> hahahah
13:21 < krzie> nice
13:21 < krzie> !windows
13:21 < vpnHelper> krzie: "windows" is pcs are like air conditioners, they work fine unless you open windows
13:21 < EugenMayer> hehe
13:21 < EugenMayer> That one is really god
13:21 < EugenMayer> !ie
13:21 < vpnHelper> EugenMayer: Error: "ie" is not a valid command.
13:21 < krzie> no browsers for openvpn, so no mention of any in vpnHelper 
13:22 < EugenMayer> i consider IE being a mark of its own. Should be seperated from each Windows flame. Just to double the flame.
13:22 < krzie> although AS uses browser, but we dont support AS here
13:22 < EugenMayer> AS? 
13:22 < krzie> AS has support that comes with paying for the AS license
13:22 < krzie> !AS
13:22 < vpnHelper> krzie: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
13:22 < vpnHelper> krzie: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
13:22  * EugenMayer feared the A
13:22 < EugenMayer> as the "access directory" A
13:22 -!- aar0n [~aar0nsky@d47-69-246-113.try.wideopenwest.com] has quit [Remote host closed the connection]
13:22 < EugenMayer> or the "domain controller" D
13:23 -!- jonkri [jonkri@dedikerad/admin/jonkri] has quit [Ping timeout: 260 seconds]
13:23 < krzie> its the pay version of openvpn
13:24 < krzie> made for those who need corporate support, a pretty gui for config, or just dont want to learn what they're doing (in my opinion)
13:24 < EugenMayer> same with all the git guis :)
13:24 < EugenMayer> "But i need a GUI for SCM".
13:24 < EugenMayer> "because its faster to work with it then"
13:25 < EugenMayer> Translated: i have no f***** clue what SCM dues. I can press buttons though
13:25 < krzie> i think AS was a good idea tho... some people use ipsec just because cisco offers corporate support
13:25 < krzie> this opens them up to that market
13:25 < EugenMayer> GUIs can help to avoid mistakes
13:26 < krzie> the net manager gui for linux is a cause of mistakes as related to openvpn
13:26 < krzie> !ubuntu
13:26 < vpnHelper> krzie: "ubuntu" is dont use network manager!
13:30 < EugenMayer> krzie: well they get better
13:30 < EugenMayer> iam using it here, its "ok"
13:30 < EugenMayer> until you actually know what to look at when configuring
13:31 < EugenMayer> but i will remove it ASAP. the normal configuration is much better
13:31 < EugenMayer> krzie: thank you very much . You have been very helpfull!
13:31 < krzie> if you want network manager, just make a normal config by hand
13:31 < krzie> then import it
13:31 < EugenMayer> wont work to good :) 
13:31 < krzie> then it wont suck ;]
13:31 < EugenMayer> simply dont use NM at akk ;(
13:32 < EugenMayer> *all
13:32 < krzie> that works
13:32 < krzie> ++ ;]
13:32 < EugenMayer> krzie++
13:32 < krzie> yw
13:35  * EugenMayer is happy
13:35  * krzie is hungover and scripting
13:35 < EugenMayer> finally bacula connects through a tunnel and is secure. All ports closed
13:35 < krzie> thats the best way to secure bacula :)
13:35 < krzie> now... since you care about security
13:35 < krzie> are you using tls-auth
13:36 < krzie> are your clients checking the server cert is signed as a server cert?
13:36 < krzie> are you using DH params?
13:36 < EugenMayer> you mean agains mim, not yet
13:37 < krzie> !mitm
13:37 < vpnHelper> krzie: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
13:37 < krzie> !hmac
13:37 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
13:37 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
13:37 < krzie> !dh
13:37 < vpnHelper> krzie: "dh" is build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN
13:37 < krzie> i may have gotten that one wrong, i think its 2048 default
13:38 < EugenMayer> well dh bacula/dh1024.pem
13:38 < krzie> good stuff, 1 of 3 so far
13:38 < jwm> hmm
13:38 < krzie> hmac is also SIMPLE to add to a working setup
13:38 < jwm> can you use client-connect scripts on the client side?
13:38 < jwm> if I set mode server
13:38 < EugenMayer> ca bacula/ca.crt
13:38 < EugenMayer> cert bacula/server.crt
13:38 < krzie> and is something you do want
13:38 < EugenMayer> key bacula/server.key
13:38 < EugenMayer> dh bacula/dh1024.pem
13:38 < EugenMayer> all my keys are signed
13:38 < jwm> up executes before the connection 
13:38 < jwm> as does route-up
13:39 < krzie> !scripts
13:39 < vpnHelper> krzie: Error: "scripts" is not a valid command.
13:39 < krzie> !script
13:39 < vpnHelper> krzie: "script" is see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn
13:39 < jwm> cool
13:39 < jwm> yeah
13:39 < jwm> I know all of those
13:40 < jwm> I was asking if I can use mode server as a client
13:40 < EugenMayer> krzie: well i cant play on the configuration now, started a bacula job for testing purposes right no
13:40 < jwm> so I can use client-connect
13:40 < krzie> hell no you cant use mode server as a client
13:40 < jwm> so I have to put the scripts on the server side
13:40 < krzie> nor would client-connect mean ANYTHING on a client
13:40 < EugenMayer> jwm: i think what you want is a net-to-net connection
13:40 < krzie> which makes sense when you read the line about when --client-connect does
13:41 < jwm> well I just want to do some routes after I am connected
13:41 < jwm> that is all I want
13:41 < krzie> whats your real goal jwm?
13:41 < krzie> --up is commonly used for adding routes
13:41 < jwm> I can do it in a script after openvpn runs
13:41 < jwm> well these routes will kill the connection
13:41 < jwm> if openvpn isn't already connected
13:41 < krzie> OR you can tell the openvpn server to add the routes
13:41 < krzie> --route
13:41 < jwm> chicken and egg
13:41 < krzie> that makes no sense
13:41 < jwm> I'm doing tap bridging 
13:42 < jwm> so I have to change my routes to be across tap0 instead of en0 
13:42 < krzie> you are adding a route for your server's ip address to be reached over the vpn?
13:42 < jwm> yes
13:42 < krzie> that cant work
13:42 < jwm> it does work
13:42 < krzie> you will lose your route to the vpn
13:42 < jwm> I did it in linux too
13:42 < jwm> I bridge en0 and tap0
13:42 < jwm> it works now too
13:43 < jwm> I was just seeing if I can do the routes from openvpn
13:43 < jwm> if not it's no big deal
13:43 < krzie> it shouldnt work, ever
13:43 < krzie> you need IP connectivity to the server to maintain a connection to the VN
13:43 < krzie> VPN
13:43 < jwm> you have it
13:44 < jwm> once it is connected I do a quick route change
13:44 < jwm> the ips don't change just the routes from en0 to tap0
13:44 < jwm> and I bridge the interface
13:44 -!- MikeW [~MW@ks35441.kimsufi.com] has quit [Read error: Operation timed out]
13:44 -!- MikeW [~MW@ks35441.kimsufi.com] has joined ##openvpn
13:44 < jwm> works great
13:44 < jwm> under linux and macos
13:44 < krzie> ok, must be my limited knowledge about bridging
13:44 < jwm> yeah I just wanted to put everything I could in openvpn configuration
13:45 < jwm> if I can't that is cool
13:45 < krzie> ive never found myself with a valid reason to bridge... i dont really use much layer2
13:45 < jwm> I am going to make a launchd script
13:45 < jwm> well there are a ton of multicast apps we'll be using
13:45 < krzie> nor do i trust any network to have layer2 access to my house
13:45 < jwm> and gaming and etc
13:45 < jwm> bah I still use 64bit wep
13:45 < jwm> hehe
13:45 < krzie> hahaha
13:45 < krzie> 52 bit ;]
13:45 < jwm> I'm not worried about security :)
13:45 < jwm> actually I am trying to help out a friend get across his stupid country firewall
13:46 < jwm> UAE puts up a nasty firewall
13:46 < jwm> and also use things like skype and what not
13:46 < jwm> or magicjack
13:46 < krzie> he doesnt need layer2 for that, but you did mention some valid reasons to use it above
13:47 < jwm> yeah that was additive
13:47 < jwm> I need layer 2, he doesn't
13:47 < jwm> just chatting
13:47 < krzie> ahh
13:47 < jwm> so I guess I'll need to do my own script outside of openvpn
13:47 < krzie> sounds like it
13:47 < jwm> btw
13:47 < krzie> you could always have 1 script for starting openvpn and changing the routes
13:47 < krzie> a wrapper script
13:48 < jwm> yeah
13:48 < jwm> that is what I'll do
13:48 < jwm> I have to run IPNetRouterX too
13:48 < krzie> with a nice sleep command after backgrounding openvpn
13:48 < krzie> or better
13:49 < jwm> the only promiscuous mode bridging software for mac atm
13:49 < krzie> oh no, cant wait on it cause it wont finish
13:49 < jwm> hehe
13:49 < krzie> so ya, sleep
13:49 < krzie> umm no
13:49 < krzie> can bridge without the tool
13:49 < krzie> <-- osX user
13:49 < jwm> you can?
13:49 < jwm> have to recompile the kernel?
13:50 < jwm> or do you mean their internet connection sharing stuff
13:50 < krzie> standard cli commands, no recompile of kernel
13:50 < krzie> http://blog.acmelab.org/2008/07/20/mac-os-x-openvpn-bridge-ssh-tunnel-vpn-goodness/
13:50 < krzie> for example
13:51 < vpnHelper> Title: Mac OS X + OpenVPN bridge + SSH Tunnel = VPN goodness | randomnoise (at blog.acmelab.org)
13:51 < krzie> oops thats a debian script
13:51 < jwm> hehe
13:51 < jwm> yeah you can't do it
13:52 < jwm> I've researched it a lot
13:52 < krzie> ive done it
13:52 < krzie> like 3 yrs ago
13:52 < krzie> before i learned to not use bridges when not needing layer2
13:52 < jwm> man I've researched this for weeks
13:52 < jwm> :)
13:52 < jwm> unless my google fu failed me
13:52 < krzie> unless in bridge mode the client doesnt need to bridge
13:53 < jwm> ipnetrouterx works fine though
13:53 < krzie> is that the case? (i dont know much about bridges)
13:53 < jwm> well I am bridging on the client side
13:53 < jwm> if I were bridging on the server side things would be simple
13:53 < jwm> just use brctl under linux
13:53 < jwm> see what I did was consolidate my machines
13:53 < jwm> I was running a (VERY) trusty fujitsu 4yr old laptop
13:53 < jwm> with linux on it
13:53 < jwm> didn't have any problems but I want to save on electricity/heat
13:54 < krzie> ok so if you only need to bridge interfaces on 1 side i may not have bridged in osX
13:54 < jwm> so I decided to move it to the mac and put the mac (mini) into my home theatre case
13:54 < krzie> cause my server was freebsd, and i know i did bridge there
13:54 < jwm> yeah that is super easy to do
13:54 < jwm> brctl addif br0
13:54 < jwm> brctl add br0 eth0 tap0
13:54 < jwm> hehe
13:55 < jwm> etc
13:55 < jwm> mac proved to be challenging
13:55 < jwm> but I finally got it going and it works great :)
13:55 < jwm> 1200 crashes later
13:55 < jwm> macos is very crash prone :P
13:56 < jwm> I can feel some really old networking code in it back when I used bsd in the late 90s
13:56 < jwm> I remember when changing routes excessively would cause out of memory errors and eventually crash the bsd kernel
13:56 < jwm> happened in bsd/os, freebsd, openbsd..
13:56 < krzie> ahh i never ran into that
13:57 < jwm> yeah I've never EVER had a route command crash linux
13:57 < jwm> it was always X/video card or something that fork'd out of control
13:57 < jwm> where do you like to put your scripts?
13:57 < jwm> do you use launchd? (lingon is nice)
13:58 < krzie> i have my scripts in a stack
13:58 < krzie> "stacks"
13:58 < krzie> as .command
13:58 < jwm> hehe I forgot what stacks were
13:58 < jwm> I thought that was a finder/dock thing
13:58 < krzie> but they are actually shortcuts, cause you cant change the icon on .command files, but can on shortcuts
13:58 < krzie> yup, it is
13:59 < jwm> ahh
13:59 < jwm> I make launchd scripts
13:59 < krzie> if i want them on boot, ive used crontab @reboot
13:59 < krzie> was too lazy to learn the osx way ;]
13:59 < jwm> hehe
13:59 < jwm> launchd is real simple
13:59 < jwm> especially with lingon
13:59 < jwm> of course you have to have snow leopard I think
14:00 < jwm> or at least leopard
14:00 < EugenMayer> If Apple would start to free my opertunities with OSX i might consider
14:00 < krzie> my hackintoshes run SL, my 1st gen MBP runs leo
14:00 < EugenMayer> waste 2x money for older hw with a cool OS..
14:00 < krzie> EugenMayer my mac pro costed me about $650 to build
14:00 < krzie> of course its not legit apple, but like i care
14:01 < EugenMayer> Well actually, iam not even considering to hackintosh.
14:01 < krzie> im not cosidering not to ;]
14:01 < EugenMayer> I dont like to be locked in - thats simply it. I like the tools though - but i miss to much
14:01 < EugenMayer> like kdevelop or other things i love linux for
14:02 < krzie> hackintosh with multiboot (or like i do it, virtual machines) is a big win
14:02 < krzie> and i made the install for my hardware stupid simple
14:02 < EugenMayer> well virtualbox has OSX support now. Iam sure i will try once
14:02 < EugenMayer> but yet i have enaugh virtualization to care about
14:02 < krzie> usb dongle does the install, then i run a script i made and im done
14:03 < jwm> I got this mini practically free
14:03 < EugenMayer> 2 ESXI servers, one windows server to run virtualPC on it to run the M4 IE test windows Vms on it
14:03 < jwm> my sister sent me 400 for an ipad
14:03 < krzie> ya i need to ickup a mini one of these days
14:03 < krzie> pickup*
14:03 < jwm> but I wanted to do app dev and apple is a BITCH 
14:03 < jwm> I already have a linux kvm hackintosh going
14:03 < jwm> have/had
14:03 < jwm> worked great except vnc sucks monkeyballs
14:04 < EugenMayer> well i like KVM a lot, but we deploy on vmware / virtualbox for the clients
14:04 < jwm> you have to torrent the damn mac remote desktop software
14:04 < jwm> but I couldn't find it
14:04 < jwm> I love kvm
14:04 < jwm> so simple 
14:04 < EugenMayer> while migration from vmware / virtualbox is ok ( to kvm ) the other way arround is yet to "workarroundish"
14:04 < krzie> only reason im getting a mini is to run my entertainment setup, now that i have an iphone and it can control VLC over the network
14:04 < jwm> I've had an xp session running for 2 months right now
14:04 < krzie> otherwise i would use my hacked wii
14:04 < jwm> I couldn't keep an XP computer running that long
14:04 < jwm> hehe
14:04 < krzie> (since the wii hack can read movies over NFS)
14:05 < jwm> you still need hardware acceleration under the mini though
14:05 < jwm> luckily it's coming out
14:05  * EugenMayer crosss fingers that the bacula sd/fd wont timeout with OpenVPN
14:05 < jwm> 1080p runs like dog on vlc
14:05 < krzie> ohhh tru
14:05 < krzie> but im in a 3rd world country, paying $150/mo for 3mbit down
14:06 < jwm> quicktime is actually better at it
14:06 < jwm> amazingly
14:06 < jwm> time to move?
14:06 < jwm> :)
14:06 < krzie> so i dont get anything above BR rips xvid
14:06 < jwm> I'll send you a plane ticket I have a spare bedroom
14:06 < jwm> two spares
14:06 < jwm> hehe
14:06 < krzie> ;]
14:06 < krzie> they released 20mbit... $450 and only 1mbit up
14:06 < jwm> I want to setup a server where piratebay hosts
14:06 < krzie> and i actually considered it
14:06 < jwm> I rent one on 1and1 and I've already had one C&D letter
14:06 < EugenMayer> ok guys, see you
14:06 < EugenMayer> wife is calling
14:07 < krzie> later EugenMayer 
14:07 < EugenMayer> Thanks for the help !
14:07 < jwm> I figured why pay $80 a month for this when I can go overseas where it is legal
14:07 < jwm> later
14:07 < jwm> better hurry
14:07 < jwm> :)
14:07 < krzie> yw
14:07 -!- EugenMayer [~EugenMaye@frbg-5f731e3a.pool.mediaWays.net] has left ##openvpn []
14:07 < krzie> hosting t that DC is way expensive, isnt it?
14:08 -!- MWinther [~mw@213-66-50-34-no166.tbcn.telia.com] has joined ##openvpn
14:08 < jwm> I don't know yet
14:08 < jwm> I need to shop around
14:08 < jwm> I want freedom
14:08 < MWinther> !welcome
14:08 < vpnHelper> MWinther: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:09 < jwm> it's not illegal to copy bytes in some countries
14:09 -!- repent [repent@bsdcell.com] has joined ##openvpn
14:09 < repent> !welcome
14:09 < vpnHelper> repent: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:10 < repent> !topology
14:10 < vpnHelper> repent: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
14:10 < repent> !redirect
14:10 < vpnHelper> repent: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:11 < repent> !nat
14:11 < vpnHelper> repent: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
14:11 < repent> !linnat
14:11 < vpnHelper> repent: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
14:13 < MWinther> Can I be connected to a VPN and still get all the non-intranet traffic to not roundtrip through the server?
14:13 < krzie> umm
14:14 < krzie> i dont understand the question
14:14 < krzie> you just dont want internet traffic going over the vpn?
14:15 < MWinther> Well, basically, I would like a machine to act like it's on my internal net when dealing with internal resources, and act like it's on the local net when doing everything else.
14:16 < repent> sup krzie
14:17 < krzie> MWinther i still dont understand you
14:20 < MWinther> I most likely don't understand the technology good enough to ask the question correctly. It's equally possible I'm asking about something that's just default behavior, or something that's fundamentally impossible. :)
14:20 -!- RedT0mt0m [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has joined ##openvpn
14:20 < repent> channel got alot bigger since last time i joined
14:20 < repent> hehe
14:20 < krzie> MWinther try explaining it like you're talking to your mom
14:20 < repent> hah
14:20 < krzie> (assuming shes not a tech)
14:20 < repent> krzie: you understand what im trying to do?
14:21 < krzie> yup
14:21 < repent> server is running on a dedi
14:21 < krzie> repent lemme repeat it to check
14:21 < repent> i want to be able to on my freebsd (client) set default routes to certain ips to go thru the server
14:21 < krzie> repent you want to redirect all internet traffic through your server, and have it use a specific IP (and the server has multiple IPs to choose from)
14:21 < krzie> or
14:22 < repent> that will work or some traffic
14:22 < krzie> ohhh
14:22 < repent> you know how freebsd you can define routes in rc.conf
14:22 < repent> ?
14:22 < krzie> you dont want to route ALL traffic over the vpn, just traffic to certain subnets
14:22 < krzie> right?
14:22 < repent> ive done it using the neighbors wifi
14:22 < repent> yeah that will work
14:22 < repent> that and
14:22 < repent> i want the one ip to be like dmz to my client
14:23 < repent> if that makes any sense
14:23 < krzie> and you want all traffic to that IP on your server to actually go to the client
14:23 < krzie> ?
14:23 < MWinther> It seems the functionality I'm asking about is called split tunnelling. Can I set up my openVPN server for that?
14:23 < repent> i will be using it as a samba share locally
14:23 < repent> and i want to host services on that dedi's ip
14:23 < repent> yeah
14:23 < krzie> ok
14:23 < repent> that or at least some ports
14:24 < repent> whichever is easier
14:24 < krzie> you want to do everything from this, except you dont want !def1
14:24 < krzie> !redirect
14:24 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:24 < krzie> THEN
14:24 < krzie> !linnat
14:24 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
14:24 < krzie> you use #2
14:24 < krzie> THEN
14:24 < repent> yeah on that #2
14:24 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
14:24 < repent> IP = the dedi's static ip?
14:24 < krzie> you need a bidirectional NAT, in linux this is done by using a SNAT and a DNAT
14:24 < repent> that i want to use
14:25 < krzie> yes
14:25 < repent> ok well i already did #1
14:25 < repent> how to undo it ?
14:25 < krzie> i dont use linux ;)
14:25 < krzie> read the manual
14:25 < repent> lol
14:25 < repent> i dont either
14:25 < repent> client is freebsd 8 :)
14:25 < krzie> yup
14:26 < krzie> !iptables
14:26 < vpnHelper> krzie: "iptables" is (#1) o test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT;, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-
14:26 < vpnHelper> krzie: computing.net/wiki/index.php/OpenVPN/Firewall
14:26 < repent> iptables -flush
14:26 < repent> :P
14:26 < krzie> hrm, i thought i had a link to a manual in there
14:26 < krzie> there ya goes
14:26 < repent> its not showing up in iptables -L
14:27 < repent> also use "local IP" in server.conf ?
14:28 < krzie> n
14:28 < jwm> is there any other way rather than sleep to wait for openvpn to finish connecting?
14:28 < krzie> no
14:28 < krzie> you cant use that IP to listen on
14:28 < repent> ok
14:28 < krzie> once you do your bidirectional NAT that would break shit
14:29 < jwm> I wish openvpn had an after connection script command
14:29 < repent> any push's on server.conf ?
14:29 < krzie> jwm i dont think so, the bash way to wait would require openvpn process finnishing
14:29 < jwm> on the client side
14:29 < krzie> jwm, maybe ping?
14:29 < jwm> nah I can't ping until I change the routes
14:29 < jwm> and I can't change the routes until it connects
14:29 < jwm> hehe
14:29 < jwm> :)
14:29 < krzie> a loop with 1 ping testing its exit status
14:29 < krzie> oh
14:29 < jwm> I was going to do that but then I was like ohh crap
14:29 < jwm> I guess I can sleep 10
14:29 < krzie> does it get an IP? maybe you could loop checking if you have the IP
14:30 < jwm> well the ip gets assigned early
14:30 < jwm> when route-up/up get going
14:30 < jwm> ohh wait
14:30 < krzie> theres gotta be something unique to you being up
14:30 < jwm> no it has to connect 
14:30 < krzie> find it, use it
14:30 < jwm> nevermind you are right
14:30 < jwm> I switched to pull
14:30 < jwm> so the ifconfig tap0 192.168.1.2 is happening after the connection
14:30 < jwm> cool
14:30 < krzie> --client has --pull built in
14:30 < krzie> (just to point that out)
14:30 < jwm> I'm using tls-client
14:31 < jwm> and for some reason it doesn't pull
14:31 < jwm> it use to pull
14:31 < krzie> rebuilding the wheel i guess ;)
14:31 < jwm> that was another thing that didn't annoy me too much
14:31 < jwm> but yeah it doesn't pull without me putting pull in there
14:31 < jwm> I don't use any command line options all of my options are in the config
14:31 < krzie> --client 
14:31 < krzie> A helper directive designed to simplify the configuration of OpenVPN's client mode. This directive is equivalent to: 
14:31 < krzie>  pull
14:31 < krzie>  tls-client
14:31 < krzie> !--
14:31 < vpnHelper> krzie: "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file.
14:32 < jwm> so do I just put client in the config?
14:32 < krzie> you can remove pull and tls-client, and just use client
14:32 < jwm> ohh ok
14:32 < krzie> since thats exactly what --client is
14:32 < krzie> hence my "rebuilding the wheel" comment
14:32 < jwm> well I have old docs
14:32 < jwm> still saying mode client
14:32 < jwm> I think
14:32 < jwm> hehe
14:33 < repent> now im getting refused
14:33 < repent> after removing local from server.conf
14:34 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
14:34 < krzie> i didnt say remove
14:34 < krzie> i said dont use the same ip
14:34 < repent> oh
14:34 < repent> :)
14:34 < krzie> use your first IP for openvpn to listen on
14:35 < krzie> use a different IP for your bidirectional NAT
14:35 < jwm> whoa
14:35 < jwm> I just man ifconfig
14:35 < jwm> and it has bridge commands
14:35 < repent> must be something else now
14:36 < repent> do i use redirect gateway or topology?
14:37 < krzie> jwm, you didnt check that before? i was pretty sure it had worked for me...
14:37 < jwm> maybe nobody on google read the ifconfig man page?
14:37 < jwm> hehe
14:37 < krzie> repent you can use topology subnet if you like, no redirect-gateway unless you want ALL traffic to go over the vpn
14:38 < krzie> instead of redirect-gateway you just add route entries to the client for subnets to reach over the vpn
14:38 < krzie> (or push them from server, if you want all clients to do the same)
14:39 < krzie> jwm, quite likely, most osX users you will find on google are scared of the CLI
14:39 < krzie> prolly cause the avg unix savvy osx user isnt asking questions on forums and whatnot
14:40 < krzie> s/prolly/maybe/
14:40 < jwm> krzie: no, unfortunately they are right
14:40 < jwm> it requires a different kernel
14:40 < jwm> the commands are there they just don't work 
14:40 < krzie> weird
14:40 < jwm> kernel doesn't support them
14:41 < krzie> youd think apple would have stripped them from the man page at least
14:41 < jwm> well it just requires a different kernel 
14:41 < krzie> apple--
14:41 < jwm> something I don't want to take the time to learn how to do just yet
14:41 < jwm> heheh
14:41 < jwm> I've compiled kernels on every system just about though
14:41 < krzie> ya ive never compiled an osX kernel
14:42 < jwm> there is a simple tutorial on it
14:42 < jwm> but I don't know.. 
14:42 < krzie> ill have to look into the osX kernel options sometime
14:42 < krzie> could be fun
14:42 < repent> whats code 111
14:42 < krzie> OMG REPENT
14:43 < krzie> 111 means your machine will self destruct
14:43 < krzie> RUN!
14:43 < repent> nm
14:43 < repent> lol
14:43 < repent> still had local commented out
14:43 < krzie> RUNNNNN!
14:43 < krzie> hehe
14:44 < repent> hmz
14:44 < jwm> mini ~ # ifconfig tap0 addm en0
14:44 < jwm> ifconfig: BRDGADD en0: Operation not supported on socket
14:44 < jwm> doh :(
14:44 < repent> :37951 MULTI: bad source
14:44 < repent> address from client [10.10.10.26], packet dropped
14:45 < repent> freebsd client is also behind a router
14:45 < krzie> repent
14:45 < repent> wrt54gs
14:45 < krzie> that is its LAN ip right?
14:45 < repent> 10.x is lan
14:45 < repent> 11.x is for vpn
14:45 < krzie> LOL
14:45 < krzie> dude
14:45 < krzie> 11.x isnt a 1918 ip
14:45 < krzie> you cant just go adding random subnets in a LAN setting
14:45 < krzie> !1918
14:45 < vpnHelper> krzie: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
14:46 < repent> before the port i pasted above was my real ip
14:46 < repent> heh
14:46 < repent> ok
14:47 < repent> still same issue 
14:47 < krzie> right
14:47 < krzie> but i had to stop there
14:47 < repent> using 172.16.0.0 now
14:47 < jwm> ifconfig tap0|grep inet| sed 's/ /,/g'|cut -d , -f2
14:47 < krzie> was laughing too hard
14:47 < jwm> I love unix
14:47 < repent> np
14:47 < repent> lol
14:48 < krzie> jwm, yup!, but instead of sed|cut why not just awk?
14:48 < jwm> I don't know awk :)
14:48 < krzie> ahh
14:48 < jwm> I am shit with regex
14:48 < jwm> you can take my system admin privileges away
14:48 < krzie> does that sed work?
14:48 < jwm> yeah it does
14:48 < krzie> ild expect you would have to escape the space
14:48 < jwm> I'm searching for the space :)
14:48 < jwm> it's in ' '
14:49 < krzie> is that for osx or fbsd?
14:49 < krzie> i feel the need to make it less ugly for you
14:49 < jwm> osx
14:49 < jwm> hah
14:49 < krzie> ifconfig
14:50 < krzie> heh wrong term
14:50 < jwm> I could just use cut
14:50 < krzie> you just want the ip?
14:50 < krzie> bigboy:scripts Jeff$ ifconfig tun0|grep inet|awk '{print $2}'
14:50 < krzie> 10.8.10.4
14:51 < jwm> ifconfig tap0|grep inet| cut -d ' ' -f 2
14:51 < jwm> ahh nice
14:51 < jwm> ours are about the same
14:51 < jwm> yours looks more elite though
14:51 < krzie> wttf repent, i know
14:51 < krzie> nah, yours is better
14:51 < krzie> cut is lighter weight
14:52 < repent> just was showin you full paste
14:52 < krzie> awk is stronger, but we arent using its power
14:52 < jwm> I love the -f command on cut
14:52 < jwm> just learned it a month ago
14:52 < jwm> been doing sysadmin for 12 years too
14:52 < jwm> lol
14:52 < repent> does client need a local also?
14:52 < jwm> I never write my own scripts I wait for others to do them
14:52 < krzie> repent i have no idea WHY your machine is sending packets out tun with its ethernet interface IP
14:52 < krzie> but if its a static IP on the lan, and not a road warrior, i do know how to fix it
14:53 < krzie> well, work around it
14:53 < repent> ya static
14:53 < krzie> jwm, i script a lot
14:53 < krzie> <3 bash
14:53 < krzie> repent, ok
14:53 < krzie> !route
14:53 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:54 < krzie> errr no
14:54 < krzie> !iroute
14:54 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
14:54 < krzie> you need !ccd, and !iroute
14:54 < krzie> skip to the iroute entries in !route for usage example
14:54 < krzie> although you only need 255.255.255.255 not 255.255.255.0
14:55 < krzie> !ccd
14:55 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
14:57 < repent> !route
14:57 < vpnHelper> repent: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:58 < krzie> for the record, you are the ONLY person i ever told to skim it
15:03 < jwm> http://pastebin.com/GGk7SS36
15:03 < jwm> there is my script now :)
15:03 < jwm> works
15:03 < jwm> well most of the script now I have to do the route commands
15:03 < jwm> which I have in there already 
15:04 < krzie> make sure TAPIP is still "" after trying it without being connected
15:05 < jwm> yeah it is
15:05 < krzie> i would simply 'until' the command, then sleep
15:05 < krzie> it looks funny to me this way
15:05 < krzie> but if it works it works :)
15:06 < jwm> hehe
15:06 < jwm> didn't even know about until
15:06 < krzie> ok, then i would while ! the command ;)
15:06 < krzie> but thats basically what until is
15:08 < jwm> cool
15:08 < jwm> bash 3 introduced =~
15:09 < krzie> you will LOVE the wiki/faq in the topic of #bash
15:09 < jwm> hehe
15:09 < krzie> its sooo full of cool stuff to know
15:10 < jwm> my favorite thing ever was a shell script assembler
15:10 < krzie> eww
15:10 < jwm> that was great
15:10 < jwm> I love assembly language
15:11 < jwm> I know unix types don't
15:11 < jwm> but I am the odd man out 
15:11 < krzie> oh ok i thought you meant a gui that made shell scripts, didnt know you meant it converted shell scripts to ASM
15:11 < jwm> ohh
15:12 < jwm> yeah I use to be big into asm
15:12 < jwm> not ironically I do mostly web stuff with jquery/javascript
15:12 < krzie> too hardcore for me ;]
15:12 < jwm> so my two favorite things are asm and javascript
15:12 < jwm> hah
15:12 < jwm> funny how that goes
15:12 < jwm> what do you do with a vpn?
15:13 < krzie> everything
15:13 < jwm> how's the speed of openvpn compared to say ssh tunneling
15:13 < krzie> !tcp
15:13 < jwm> I was wondering about that
15:13 < vpnHelper> krzie: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
15:13 < krzie> ssh tunneling is TCP, and only tunnels TCP
15:13 < jwm> yeah
15:13 < krzie> so read the link in #1
15:13 < jwm> and I know udp can be quite a bit faster than tcp
15:13 < jwm> less overhead
15:13 < krzie> but ssh tunneling is fine for some stuff
15:14 < krzie> not about overhead
15:14 < krzie> about the issues of its error correction when stacked on itself
15:14 < krzie> read the link :
15:14 < krzie> :p
15:16 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
15:16 < jwm> hehe
15:17 < krzie> grr 2 of my vpn's are down
15:18 < krzie> well 1 is the entire network, other is entire box
15:18 < krzie> but its putting a damper on my plans
15:19 < jwm> http://pastebin.com/s4PtsdbT
15:19 < jwm> finished with my startvpn script
15:19 < jwm> :)
15:19 < repent> krzie: in the ccd/client for the iroute what goes in there?
15:19 < repent> ive tried 172.16.0.0 255.255.255.255
15:19 < krzie> the iroute entry
15:19 < jwm> just got to add it to launchd
15:19 < krzie> lol
15:19 < krzie> repent, whats the LAN ip of the client?
15:20 < repent> also tried 10.10.10.0 255.255.255.255
15:20 < repent> 10.10.10.26
15:20 < krzie> 10.10.10.26 255.255.255.255
15:20 < repent> oh
15:20 < repent> lol
15:20 < krzie> read up on netmasks sometime ;)
15:21 < jwm> and cidr notation :)
15:21 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
15:21 < krzie> yupyup
15:21 < jwm> I was having some difficulty with my routes until I realized I had stupid ipv6 on 
15:21 < jwm> hehe
15:21 < krzie> !google cidr cheatsheet
15:21 < vpnHelper> krzie: CIDR SUBNET MASK CHEATSHEET & ICMP TYPE CODES: <http://oav.net/mirrors/cidr.html>; IPv4 CIDR notation cheat sheet: <http://old.tamasrepus.hotnudiegirls.com/pages/IPv4+CIDR+notation+cheat+sheet>; Country IP Blocks » CIDR Cheat Sheet: <http://www.countryipblocks.net/networking/cidr-cheat-sheet/>
15:21 < jwm> and all my routes I am doing are ipv4
15:22 < jwm> I was hitting my head against the desk like what am I doing wrong
15:22 < jwm> hehe
15:22 < krzie> oh dude
15:22 < repent> that seemed to kill the error, but still when it connects all other network traffic is dead until i ctrl+c it locally
15:22 < krzie> since you use ipv6
15:22 < krzie> there is now --server-ipv6 in openvpn
15:22 < jwm> ahh I didn't know that
15:22 < krzie> but only in the testing branch
15:22 < jwm> I don't know if my server can do ipv6
15:22 < krzie> !testing
15:22 < vpnHelper> krzie: "testing" is "snapshots" is (#1) weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn, or (#2) by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch
15:22 < krzie> !ipv6
15:23 < vpnHelper> krzie: "ipv6" is (#1) http://www.greenie.net/ipv6/openvpn.html for ipv6 payload patch (adds some nice ipv6 options), or (#2) see !snapshots for a release with ipv6 patches in it, report how it works to help it get included in a stable release
15:23 < jwm> I know I can do ipv6 here
15:23 < jwm> not worth setting up yet
15:23 < jwm> hehe
15:23 < jwm> but thanks I'll definitely keep that in my mind
15:23 < jwm> whole nother can of worms 
15:23 < jwm> :)
15:23 < krzie> yup
15:24 < jwm> now where to put this startvpn script
15:24 -!- avocado [nr@god.isadouchebag.net] has quit [Ping timeout: 260 seconds]
15:24 < krzie> and when you do, you can report back and help it make it into stable openvn!
15:24 < krzie> openvpn*
15:24 < jwm> hehe :)
15:24 < jwm> we'll probably be landing on mars by that time
15:25 < jwm> I like doing experimental things
15:25 < jwm> I've always run gentoo with ~amd64 :)
15:25 < krzie> user reports are basically whats left for it to get in stable, if i remember right
15:29 < repent> im able to ping the server but nothing else
15:33 < jwm> cool my launchd and openvpn and promiscuous mode bridge all work :)
15:34 < jwm> if my IPNetRouterX software dies the script will continue and kill openvpn
15:34 < jwm> and openvpn has a down script to restore networking back to en0 instead of tap0
15:34 < jwm> :)
15:38 < jwm> cool
15:38 < jwm> works with a reboot
15:38 < jwm> now I have to figure out how to remove the accounts portage created 
15:38 < jwm> from my login list lol
15:45 < krzie> holy shit
15:45 < krzie> i just found out what i did last night
15:45 -!- scoates [~sean@iconoclast.caedmon.net] has joined ##openvpn
15:45 < krzie> a block of a few hours i had completely forgotten
15:45 < krzie> lol
15:45 < jwm> hahah
15:45 < scoates> hello
15:45 < krzie> now bits are coming back, but like a distant memory
15:46 < krzie> brb, someone is dropping off my car
15:47 < scoates> if I have a bunch of nodes (virtual machines) that I want to connect with OpenVPN, all with the same configuration (one VM image), what is the best way to distinguish them, once they've connected? I'm happy to read docs, just not sure exactly what I should read.
15:48 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
15:52 < krzie> you could give them static IPs on the VNP
15:52 < krzie> err VPN
15:52 < krzie> !static
15:52 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
15:52 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
15:52 < krzie> then if you want you could make entries in hosts file
15:53 < scoates> krzie: and I can do this from the server side, even though all clients have the same certificate/credentials?
15:54 < krzie> make more certs
15:54 < krzie> its simple
15:54 < krzie> especially simple using ssl-admin
15:54 < krzie> !ssl-admin
15:54 < vpnHelper> krzie: "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn, or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
15:55 < scoates> each client would have the same cert, though. they're virtual machines with the same credentials. maybe I'm not making sense
15:55 < krzie> make new certs!
15:55 < krzie> they dont HAVE TO have the same cert
15:55 < krzie> mae a cert for each VM
15:55 < scoates> I don't think I've been clear on waht I want to do.
15:55 < krzie> make*
15:56 < repent> ocne your vm is up inject new cert
15:56 < krzie> you are putting an unnecessary restriction in place
15:56 < krzie> give each VM a cert of its own
15:56 < krzie> OR, use password auth, then you can tell them apart by username
15:56 < scoates> krzie: then I can't fire up 10 of the same image and have them connect to the VPN.
15:57 < krzie> !authpass
15:57 < vpnHelper> krzie: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
15:57 < scoates> I want all 10 to use the same VM image. There might be 10 of them. There might be 1000 of them. I don't want to have to manage more than one VM image.
15:57 < krzie> then you need password auth and --username-as-common-name
15:58 < scoates> aha. ok. now we're getting somewhere (-:
15:58 < krzie> if you say you cant do that either, i answer with you cant set static ips and i dunno how you will distinguish them
15:59 < scoates> so the image has a common username and password. I'll use password auth.
15:59 < scoates> once I've done so, is there some way to make the same VM use the same IP each time it connects/disconnects?
15:59 < krzie> !static
15:59 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
16:00 < krzie> ccd entries only exist on the server...
16:00 < krzie> !ccd
16:00 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
16:00 < repent> i believe that will have you entering the pass to initiate the connection
16:00 < repent> seems would be easier with certs
16:00 < krzie> repent, not true
16:00 < krzie> !pwfile
16:00 < vpnHelper> krzie: "pwfile" is (#1) OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h, or (#2) see --auth-user-pass in the manual (!man) for more info
16:00 < krzie> but you will have to make it manually on each VM
16:00 < scoates> ok; I'll read on CCD. thanks.
16:00 < krzie> yw
16:14 < repent> ah
16:25 -!- scoates [~sean@iconoclast.caedmon.net] has left ##openvpn []
16:25 -!- MWinther [~mw@213-66-50-34-no166.tbcn.telia.com] has quit [Remote host closed the connection]
16:36 < repent> now im not sure if its not working because of the server's linux kernel/iptables or if its something else
16:37 < repent> when i iptables -L everything is empty.. but when i typed the cmd i didnt get any error
16:39 < krzie> maybe you need to specify the right table
16:39 < krzie> -t or -T, one of those
16:41 < repent> oh right
16:41 < repent> shows now
16:50 -!- MWinther [~mw@213-66-50-34-no166.tbcn.telia.com] has joined ##openvpn
16:53 < repent> yo krzie
16:53 < repent> for the dnat that you said i needed
16:53 < repent> same thing , use the dedi's static ip ?
16:53 < krzie> !factoids search lin
16:53 < vpnHelper> krzie: 'linipforward', 'linnat', 'linfw', 'lintrafaccnt', 'allinfo', and 'linportforward'
16:54 < krzie> hrm, i thought i had it in there
16:54 < krzie> !factoids search nat
16:54 < vpnHelper> krzie: 'nat', 'linnat', 'fbsdnat', 'pfnat', 'freebsdnat', 'bsdnat', 'donate', and 'winnat'
16:55 < repent> my wrt54gs has vpn settings , are you familiar with them? would they help any?
16:55 < krzie> lol, no
16:55 < repent> i made sure everything is good for a passthrough
16:55 < krzie> thats for ipsec stuffs
16:55 < krzie> cause ipsec uses its own network protocol
16:56 < repent> im sure all i have is a routing issue somewhere
16:56 < krzie> openvpn uses udp (or tcp if you had to)
16:56 < krzie> you havnt even gotten the first part working and you're trying to do DNAT?
16:56 < krzie> take it at testable steps
16:56 < repent> yeah how i can stop it from changing up my routes when i connect
16:57 < krzie> did you give it redirect-gateway?
16:57 < repent> no
16:57 < repent> i took everything out 
16:57 < krzie> are you using route entries?
16:57 < krzie> (in the configs)
16:57 < repent> just the iroute line u told me
16:58 < repent> in the ccd/client
16:58 < krzie> then its not changing your routes, other than what is needed for openvpn to work
16:58 < repent> may i paste 
16:59 < krzie> when its time for your DNAT, you basically want a rule that would make the vpn client's vpn IP into a DMZ for the server's ip
16:59 < krzie> you may, on pastebin
16:59 < krzie> but ill be headed for food soon
16:59 < krzie> very very soon, waiting for someone to arrive
17:00 < repent> hm..
17:00 < repent> first time using pastebin from lynx
17:00 < repent> how do i get the url
17:00 < repent> lol
17:01 < krzie> shes here, im leaving
17:01 < krzie> btw there are cmdline tools for pastebinning
17:01 < repent> http://pastebin.com/peG7MX2z
17:01 -!- philverb [~david@c-67-180-198-84.hsd1.ca.comcast.net] has joined ##openvpn
17:02 < repent> ok thx for all the help
17:02 < repent> ill keep trying
17:02 < philverb> !welcome
17:02 < vpnHelper> philverb: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:06 < philverb> Greetings.  I'm using openvpn server in "routing" mode rather than "bridging mode" at the moment.  The openvpn is running on a box that has its main interface on a 192.168.12.0 network.  Because I'm using mythtv, I'd like for the vpn client coming from the 10.8.0.0 vpn network to be able to get to the  192.168.12.0 network.  Is this possible without configuring the openvpn server in "bridging mode"?  Is there a recipe that doesn't rhy
17:06 < jwm> ok
17:07 < jwm> now to get routing going through the vpn server :)
17:07 < krzie> im leaving right now, but here
17:07 < krzie> !route
17:07 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:08 < jwm> yeah
17:08 < jwm> I've read that
17:08 < jwm> just need to try it first
17:08 < jwm> before I ask questions
17:08 < jwm> :)
17:08 < jwm> I have a work laptop that has a sprint card
17:08 < jwm> going to set it up on that
17:08 < philverb> I tried to use 'route add -net 192.168.12.0 netmask 255.255.255.0 gw 10.8.0.1' ,but got "SIOCADDRT:  No such process".
17:08 < jwm> and then I will copy the config over to my friend
17:09 < jwm> you don't use gw
17:09 < jwm> crossing nets?
17:10 < philverb> RTFMing.....
17:10 < jwm> ok nm
17:10 < jwm> do you have a 10.8.0 net
17:10 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
17:11 < philverb> jwm: Hey, are you asking me?  If so, the answer is yes. (and thanks).
17:16 < jwm> can you ping 10.8.0.1
17:19 < philverb> Hey!  I got it by omitting the gw with 'route add -net 192.168.12.0 netmask 255.255.255.0 dev tun0'.
17:19 < philverb> Latency is unbearable, though.  
17:20 < jwm> hehe
17:21 < philverb> Actually, not so bad --that was a fluke, and it seems to be roughly as fast as the 10.8.0.0 network.
17:23 < philverb> jwm: Thanks!
17:23 < philverb> krzie: Thanks!
17:24 < repent> !iroute
17:24 < vpnHelper> repent: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
17:24 < repent> !ccd
17:24 < vpnHelper> repent: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
17:35 -!- codyr [~codyr@vpn.cynical.me] has joined ##openvpn
17:51 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
18:13 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
18:13 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
18:17 < repent> !def1
18:17 < vpnHelper> repent: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
18:17 < repent> !ipforward
18:17 < vpnHelper> repent: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
18:17 < repent> !nat
18:17 < vpnHelper> repent: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
18:18 < repent> !linipforward
18:18 < vpnHelper> repent: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
18:19 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
18:20 < repent> wo0t
18:22 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
18:22 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
18:22 -!- geek [~geek@unaffiliated/geek] has joined ##openvpn
18:29 -!- SOG [~SOG@222.125.202.173] has quit [Remote host closed the connection]
18:29 -!- SOG [~SOG@n1164868040.netvigator.com] has joined ##openvpn
18:36 -!- kish [~o2@unaffiliated/spice] has quit [Ping timeout: 264 seconds]
18:37 -!- SOG [~SOG@n1164868040.netvigator.com] has quit [Ping timeout: 240 seconds]
18:42 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
18:58 < jwm> does the ccd stuff work off of the commonname?
18:59 < |Mike|> lol
19:01 < Bushmills> yes, it does
19:03 < jwm> wtf was funny
19:03 < jwm> heh
19:03 < jwm> I just haven't used ccd yet
19:03 -!- geek [~geek@unaffiliated/geek] has quit [Remote host closed the connection]
19:03 < jwm> :P
19:11 < jwm> !route
19:11 < vpnHelper> jwm: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
19:12 -!- disco-_ [disco@andromeda.h4xed.com] has quit [Ping timeout: 240 seconds]
19:12 -!- codyr [~codyr@vpn.cynical.me] has quit [Quit: Lost terminal]
19:14 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
19:31 < jwm> hmm
19:37 -!- brah [~asdofp@190.183.62.68] has joined ##openvpn
19:39 -!- geek [~geek@unaffiliated/geek] has joined ##openvpn
19:42 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
19:45 < jwm> crap
19:48 -!- krzie [krzee@joogot.noskills.net] has quit [Quit: BitchX-1.1-final -- just do it.]
19:49 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
19:52 < repent> jwm: sup?
19:53 < repent> you get it working?
19:55 < jwm> nah
19:55 < jwm> I think it's ignoring my ccd stuff
20:02 < jwm> ahah
20:02 < jwm> I forgot I commented it out
20:02 < jwm> jesus
20:28 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
20:34 -!- networkn [networkn@smtp.sapphiresolutions.co.nz] has quit [Quit: ircN 8.00 for mIRC (20100228) - www.ircN.org]
20:42 < repent>  heh
20:43 < repent> i was able to get mine to work but its not entirely how i wanted it
20:47 < jwm> hehe
20:47 < jwm> well I just got routing going
20:47 < jwm> through the vpn
20:47 < jwm> but 2 problems
20:47 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
20:48 < jwm> 1) push redirect-gateway gives me 192.168.1.0 not 192.168.1.10
20:48 < jwm> 2) I can't access 192.168.1.x lan from the machine when it adds the default route
20:53 < repent> i think you need to iroute
20:53 < repent> iroute on server in ccd file
20:54 < repent> iroute 192.168.1.10 255.255.255.255
20:54 < repent> try that
20:54 < repent> w/o redirect-gateway
20:56 < jwm> well
20:56 < jwm> I screwed up my server-bridge thing
20:59 < jwm> ok
20:59 < jwm> I fixed 1
20:59 < jwm> now I need to fix 2
20:59 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
21:00 < jwm> and I never have to look at another ovpn config again
21:00 < jwm> hehe
21:00 < jwm> !welcome
21:00 < vpnHelper> jwm: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:01 < jwm> !route
21:01 < vpnHelper> jwm: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
21:01 < jwm> damn tun docs
21:01 < jwm> I want tap
21:01 < jwm> :P
21:02 -!- takamichi [~pri@78.133.38.201] has quit [Ping timeout: 258 seconds]
21:04 < jwm> hehe
21:04 < jwm> I didn't have my home lan connected
21:04 < jwm> I bet that will fix it
21:05 < jwm> lol yep
21:29 < jwm> I did everything this channel says not to
21:30 < jwm> 192.168.1 ip
21:30 < jwm> tap0 
21:31 < jwm> bridging in macos
21:31 < jwm> :)
21:32 < repent> lol
21:34 < jwm> it's faster than I thought it would be
21:34 < jwm> actually it might be faster than without the vpn
21:34 < jwm> hehe
21:39 < jwm> what's a good down script for windows 
21:42 < repent> now im having issues trying to figure out how to oidentd 
21:43 < repent> i dunno im in bsd
21:44 < repent> jwm: wanna let me look at ur configs?
21:45 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
21:54 < jwm> hehe
21:54 < jwm> did you need help? :)
21:54 < jwm> I don't need a down script now
21:54 < jwm> I am using redirect-gateway def1
21:54 < jwm> works beautifully
21:59 -!- disco- [disco@andromeda.h4xed.com] has joined ##openvpn
22:05 < repent> just wanted 2 look
22:07 < jwm> my config is like super simple
22:07 < jwm> I just use tap
22:07 < jwm> hehe
22:09 < jwm> home lan & mini (mac vpn client) -> linksys -> internet -> my vpn server -> work laptop vpn client, friend in UAE vpn client
22:10 < jwm> the mini bridges en0 and tap0 to give my home lan, work laptop, and friend all access to each other
22:11 < jwm> the vpn server also routes my friend in UAE through its internet
22:11 < jwm> so he can avoid UAE's shitty firewalls and use USA only services like magicjack
22:11 < jwm> er well google voip and other usa stuff
22:11 < jwm> hulu
22:11 < jwm> dunno if magicjack is usa only but I know uae blocks it
22:12 < jwm> bastards
22:18 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
22:20 < repent> ah
22:20 < repent> i thought magicjack was crap
22:20 -!- Knio [~Knio@174.0.88.23] has quit [Ping timeout: 264 seconds]
22:24 < jwm> no?
22:24 < jwm> I only hear good things about it
22:25 < jwm> I haven't tried it though
22:26 < jwm> for its price I think it should be good enough
22:26 < jwm> heh
22:31 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
22:33 -!- qfr [void@unaffiliated/yw] has quit [Read error: Operation timed out]
22:35 -!- creack [~creack@gemercom.com] has quit [Ping timeout: 245 seconds]
22:36 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 260 seconds]
22:37 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 276 seconds]
22:37 -!- MikeW [~MW@ks35441.kimsufi.com] has quit [Ping timeout: 265 seconds]
22:37 -!- redfox [~redfox2@ks201831.kimsufi.com] has quit [Ping timeout: 258 seconds]
22:40 -!- fahmad [~linux@unaffiliated/fahmad] has joined ##openvpn
22:49 < repent> ya
22:49 < repent> long as it works
22:57 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
23:01 -!- creack [~creack@gemercom.com] has joined ##openvpn
23:02 -!- qfr [void@91.121.18.93] has joined ##openvpn
23:07 -!- MikeW [~MW@ks35441.kimsufi.com] has joined ##openvpn
23:11 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
23:19 -!- redfox [~redfox2@ks201831.kimsufi.com] has joined ##openvpn
23:19 -!- redfox is now known as Guest31192
23:24 -!- Guest12047 [~admin@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
23:24 -!- mode/##openvpn [+v Guest12047] by ChanServ
23:25 -!- openvpn2009 [~admin@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 252 seconds]
23:42 < repent> dnat p0w3r!
23:50 -!- Scruffy2 [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
23:50 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 240 seconds]
23:52 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 245 seconds]
23:53 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
23:57 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 245 seconds]
23:59 -!- Guest31192 [~redfox2@ks201831.kimsufi.com] has quit [Ping timeout: 258 seconds]
--- Day changed Mon Jul 12 2010
00:00 -!- Scruffy2 [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 260 seconds]
00:00 -!- MikeW [~MW@ks35441.kimsufi.com] has quit [Ping timeout: 245 seconds]
00:01 -!- qfr [void@91.121.18.93] has quit [Ping timeout: 276 seconds]
00:05 -!- creack [~creack@gemercom.com] has quit [Ping timeout: 248 seconds]
00:18 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
00:18 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
00:19 -!- roentgen_ [~hart@miranda/user/roentgen] has quit [Ping timeout: 260 seconds]
00:19 -!- redfox [~redfox2@91.121.133.177] has joined ##openvpn
00:19 -!- MikeW [~MW@ks35441.kimsufi.com] has joined ##openvpn
00:19 -!- redfox is now known as Guest97201
00:22 -!- qfr [void@91.121.18.93] has joined ##openvpn
00:36 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
00:42 -!- Netsplit *.net <-> *.split quits: Guest97201, geek
00:46 -!- Netsplit *.net <-> *.split quits: fremo__, fahmad
00:47 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
00:47 -!- roentgen_ [~hart@miranda/user/roentgen] has joined ##openvpn
00:50 -!- creack [~creack@gemercom.com] has joined ##openvpn
00:51 -!- creack [~creack@gemercom.com] has quit [Client Quit]
00:55 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:03 -!- takamichi [~pri@78.133.38.201] has joined ##openvpn
01:16 -!- oligo [~oligo@vps257.xlshosting.net] has joined ##openvpn
01:21 -!- oligo [~oligo@vps257.xlshosting.net] has left ##openvpn []
01:23 -!- EugenMayer [~EugenMaye@frbg-5f73354d.pool.mediaWays.net] has joined ##openvpn
01:24 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
01:25 < EugenMayer> Good morning, iam really. Helpless. Iam getting a pipe error on FD clients with more then 1.5GB backup job. I have added hearbeats to FD / SD, checked IMCP functinality and finally using openvpn tunnel now. But still no changes. I also tried to disable md5 sigantures and compression - still no luck
01:29 < hyper_ch> !welcome
01:29 < vpnHelper> hyper_ch: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:31 < EugenMayer> hyper_ch: i see i have asked in the wrong channel :/
01:31 < EugenMayer> hyper_ch: should go into the bacula channel actually. Anyway, can a VPN tunnel be affected by a crappy router canceling connections (state conenctions) ?
01:32 < EugenMayer> (e.g. maybe there is a "hearbeat" option in VPN
01:32 < hyper_ch> no clue what a heartbeat option is
01:32 < hyper_ch> and if the router can't handle the connection the a tunnel will be affected also - I think
01:33 < EugenMayer> htm
02:09 -!- philverb [~david@c-67-180-198-84.hsd1.ca.comcast.net] has quit [Quit: Leaving.]
02:26 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:40 -!- geek [~geek@unaffiliated/geek] has joined ##openvpn
02:43 -!- redfox [~redfox2@91.121.133.177] has joined ##openvpn
02:45 -!- redfox is now known as Guest78881
02:48 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
02:49 -!- philverb [~david@c-67-180-198-84.hsd1.ca.comcast.net] has joined ##openvpn
02:49 -!- fahmad [~linux@unaffiliated/fahmad] has joined ##openvpn
02:49 -!- fremo__ [~fremo@noc.toile-libre.net] has joined ##openvpn
02:54 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
02:54 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
03:22 -!- qfr [void@91.121.18.93] has quit [Changing host]
03:22 -!- qfr [void@unaffiliated/yw] has joined ##openvpn
03:24 -!- G [~njones@whio.jnet.net.nz] has quit []
03:24 -!- G [~njones@whio.jnet.net.nz] has joined ##openvpn
03:27 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
03:27 -!- mode/##openvpn [+o mattock] by ChanServ
03:37 -!- brah [~asdofp@190.183.62.68] has quit [Remote host closed the connection]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:54 -!- fahmad [~linux@unaffiliated/fahmad] has quit [Ping timeout: 240 seconds]
03:54 -!- fahmad [~linux@vpn.server4sale.com] has joined ##openvpn
04:07 < kraut> moin
04:27 -!- macsppadic [~sonupunno@88.211.46.99] has joined ##openvpn
04:48 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 267 seconds]
04:52 < EugenMayer> hello. I have a strange problem
04:53 < EugenMayer> iam using key auth. When i fresh restart the vpn server, all clients can connect
04:53 < EugenMayer> after some time ( 1-2 minutes ) all clients fail to connect ( and timeout ) due to tls negotiation erros. I can let the clients connect only after the restart of the openvpn server
04:53 < EugenMayer> any ideas?
04:55 < EugenMayer> http://pastebin.com/kc0BefpM those are my clients ip configurations
04:55 < EugenMayer> (cat *)
04:59 < EugenMayer> !topology
04:59 < vpnHelper> EugenMayer: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
05:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:07 -!- macsppadic [~sonupunno@88.211.46.99] has quit [Quit: macsppadic]
05:18 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
05:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
05:36 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:48 -!- SOG [~SOG@61.144.230.241] has quit [Ping timeout: 264 seconds]
05:56 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
05:57 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
05:57 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
06:01 -!- creack [~charme_g@163.5.84.215] has joined ##openvpn
06:01 < creack> hello
06:01 < creack> is it possible to make a client retry x times then quit?
06:06 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
06:07 -!- dazo_afk is now known as dazo
06:09 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
06:09 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
06:09 -!- SOG [~SOG@61.144.230.241] has quit [Client Quit]
06:15 < creack> !retry
06:15 < vpnHelper> creack: Error: "retry" is not a valid command.
06:18 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
06:25 -!- geek [~geek@unaffiliated/geek] has quit [Changing host]
06:25 -!- geek [~geek@unaffiliated/killown] has joined ##openvpn
06:26 -!- geek is now known as killown
06:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:33 -!- fahmad [~linux@vpn.server4sale.com] has quit [Ping timeout: 252 seconds]
06:34 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
06:38 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
06:42 -!- SOG [~SOG@222.125.202.173] has quit [Remote host closed the connection]
06:42 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
07:07 -!- alexs_ [~alexs@testbed002.grid.ici.ro] has left ##openvpn []
07:11 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
07:14 -!- disco- [disco@andromeda.h4xed.com] has quit [Remote host closed the connection]
07:16 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
07:21 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Read error: No route to host]
07:24 -!- freaky[t] [alpha@freakyy.de] has quit [Read error: Connection reset by peer]
07:26 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
07:33 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
07:35 -!- theDoc [~lnk@unaffiliated/thedoc] has joined ##openvpn
07:35 -!- theDoc [~lnk@unaffiliated/thedoc] has quit [Client Quit]
07:43 -!- bent_screwdriver [~socain00@74.255.249.66] has joined ##openvpn
07:44 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Remote host closed the connection]
07:47 -!- theDoc [~link@unaffiliated/thedoc] has joined ##openvpn
07:52 -!- JackCorleone [~Jack@187.11.184.68] has joined ##openvpn
08:07 -!- SOG [~SOG@222.125.202.173] has quit [Remote host closed the connection]
08:08 -!- SOG [~SOG@n1164868040.netvigator.com] has joined ##openvpn
08:13 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:16 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
08:18 -!- SOG [~SOG@n1164868040.netvigator.com] has quit [Ping timeout: 265 seconds]
08:23 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
09:00 -!- JackCorleone [~Jack@187.11.184.68] has quit [Ping timeout: 265 seconds]
09:11 -!- magglass1 [~m@unaffiliated/magglass1] has joined ##openvpn
09:12 < magglass1> anyone have any ideas? http://fpaste.org/OBe6/
09:13 < ecrist> ideas on what?
09:14 < theDoc> o/ ecrist
09:14 < ecrist> hey, theDoc 
09:14 < magglass1> ecrist: I can't connect to my openvpn vpn
09:14 < Chosi> !configs
09:14 < vpnHelper> Chosi: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
09:15 < ecrist> magglass1: see !welcome
09:15 < magglass1> !welcome
09:15 < vpnHelper> magglass1: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:16 < magglass1> !X_X
09:16 < vpnHelper> magglass1: Error: "X_X" is not a valid command.
09:16 < ecrist> !networkmanager
09:16 < vpnHelper> ecrist: Error: "networkmanager" is not a valid command.
09:16 < ecrist> !ubuntu
09:16 < vpnHelper> ecrist: "ubuntu" is dont use network manager!
09:16 < Chosi> !kickban
09:16 < vpnHelper> Chosi: Error: "kickban" is not a valid command.
09:16 < Chosi> :)
09:16 < magglass1> I don't use ubuntu
09:17 < magglass1> also I don't have a config for my server afaik
09:17 < magglass1> it's just started with cmd line options
09:17 < ecrist> show us your configs, and logs from server and client, please
09:18 < ecrist> then, all the options you use for your server (i.e. show us the command)
09:18 < magglass1> server has no output while connecting, even with verb 11
09:18 < magglass1> /usr/sbin/openvpn --daemon --verb 3 --status /opt/vyatta/etc/openvpn/status/vtun0.status 30 --dev-type tun --dev vtun0 --mode server --tls-server --topology subnet --keepalive 10 60 --ca /root/keys/ca.crt --cert /root/keys/server.crt --key /root/keys/server.key --dh /root/keys/dh1024.pem --server 192.168.2.0 255.255.255.0 --client-config-dir /opt/vyatta/etc/openvpn/ccd/vtun0
09:18 < magglass1> output of client was in my fpaste
09:20 < Chosi> magglass1: client config please
09:20 < magglass1> /usr/sbin/openvpn --remote my.server --nobind --dev tun --proto udp --port 1194 --auth-nocache --syslog nm-openvpn --script-security 2 --up /usr/libexec/nm-openvpn-service-openvpn-helper --up-restart --persist-key --persist-tun --management 127.0.0.1 1194 --management-query-passwords --route-noexec --client --ca /home/user/.vpnkeys/ca.crt --cert /home/user/.vpnkeys/user.crt --key /home/user/.vpnkeys/user.key
09:21 < Chosi> remote-cert-tls server
09:21 < Chosi> this seems to be be missing in client config
09:22 < Chosi> (i guess that's where the warning comes from too)
09:23 < magglass1> hmm
09:23 < Chosi> --remote-cert-tls server
09:23 < magglass1> what exactly do I pass to it?
09:23 < Chosi> exactly what i pasted
09:23 < Chosi> server as is
09:23 < Chosi> :D
09:23 < magglass1> ah, okay :)
09:23 < magglass1> was thinking it was a variable
09:24 < Chosi> this should fix this: "WARNING: No server certificate verification method has been enabled."
09:25 < ecrist> that's just a warning.
09:26 < Chosi> mhm
09:26 < jwm> hi
09:27 < Chosi> ecrist: i thought there might be a possible relation to the following tls errors
09:27 < Chosi> no linux clients here so i guess i'm out ;)
09:28 < magglass1> any other suggestions?
09:28 < ecrist> magglass1: there's no output for the server command since you're daemonizing and don't ahve a logfile defined.
09:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
09:28 < magglass1> someone suggested it might be a problem with the tls implementation
09:28 < ecrist> define a logfile, or don't daemonize while testing.
09:28 < magglass1> ecrist: that's not the command I used
09:28 < magglass1> to test
09:28 < magglass1> that's the one that is normally ran
09:29 < ecrist> that's what you osted, so that's all I can assume
09:29 < magglass1> when I tested it it output plenty of other messages
09:29 < magglass1> just nothing when I tried connecting
09:31 < magglass1> but the thing is that this USED to work
09:31 < magglass1> before upgrading the router from Vyatta 5 to 6 and upgrading my computer from Fedora 12 to 13
09:31 < ecrist> odd
09:32 < magglass1> the client/server configs are all the same
09:32 < magglass1> so it's more likely, as someone suggested, some incompatibility with the implementation of tls or something
09:32 < ecrist> seems reasonable.
09:32 < ecrist> your config doesn't look wrong
09:34 < magglass1> yeah, I doubted that it was
09:35 < magglass1> the server is OpenVPN 2.1_rc21 and the client is OpenVPN 2.1.1
09:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:37 < magglass1> does openvpn rely on some external library for the tls stuff?
09:40 < Chosi> well upgrading to 2.1.1 sounds like something to try
09:40 < magglass1> not sure how safe that'd be though
09:40 -!- gorkhaan [~gorkhaan@adsl-101-10.globonet.hu] has joined ##openvpn
09:41 < magglass1> don't want to break something on the router
09:41 < jwm> hehe
09:41 < jwm> openvpn is pretty simple
09:41 -!- EugenMayer [~EugenMaye@frbg-5f73354d.pool.mediaWays.net] has left ##openvpn []
09:41 < jwm> as far as a package
09:41 < jwm> very few files involved so upgrades should be simple
09:41 < Chosi> just get the sources and compile 2.1.1
09:41 < Chosi> :)
09:41 < jwm> but if you are running it on a router you probably have to wait
09:42 < jwm> what is the problem
09:42 < magglass1> I doubt I'll have that req'd packages on the router to compile it
09:42 < jwm> what is the error you are getting
09:43 < magglass1> jwm: http://fpaste.org/OBe6/ 
09:47 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
09:48 -!- roentgen_ [~hart@miranda/user/roentgen] has quit [Ping timeout: 260 seconds]
09:49 < magglass1> jwm: any ideas?
09:52 < jwm> well
09:52 < jwm> definitely tls missmatch
09:52 < jwm> but you may just have the wrong type in your configs
09:53 < jwm> compare cipher
09:53 < jwm> in your configs
09:57 < jwm> if that isn't it then downgrade your client
09:57 < jwm> I've had that error before
09:57 < jwm> it's usually been mismatch of protocols or versions
09:58 < magglass1> jwfwhere do I check that? I don't have a config for openvpn; it just passes cmd line args
09:58 < magglass1> I pasted them up above if you scroll up
09:58 < magglass1> jwm*
09:58 < jwm> also
09:58 < jwm> how did you create your key/crt
09:58 < jwm> what tools did you use
09:59 < magglass1> does that matter if they used to work just fine?
09:59 < jwm>  possibly
09:59 < jwm> things could be corrupted
10:00 < magglass1> things worked then stopped working after upgrading the router from Vyatta 5 to 6 and upgrading my laptop from Fedora 12 to 13
10:00 < jwm> seriously try everything
10:00 < jwm> first off learn what cipher your server uses
10:00 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
10:00 < jwm> well then you might need to redo your keys
10:00 < jwm> all of them
10:00 < jwm> I'd start there and try to get a matching cipher
10:00 < jwm> look up vyatta 6's cipher method
10:02 < jwm> maybe read up on pkcs
10:02 < magglass1> so just find out what cipher it uses and set it on my client?
10:03 < magglass1> have to run, but I'll give this a try later
10:03 < magglass1> thanks for the help
10:03  * magglass1 idles
10:04 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Ping timeout: 276 seconds]
10:08 < Bushmills> magglass1: server logs
10:09 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Ping timeout: 265 seconds]
10:12 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
10:25 -!- theDoc [~link@unaffiliated/thedoc] has quit [Ping timeout: 265 seconds]
10:41 -!- philverb [~david@c-67-180-198-84.hsd1.ca.comcast.net] has quit [Ping timeout: 240 seconds]
11:00 -!- fahmad [~linux@vpn.server4sale.com] has joined ##openvpn
11:06 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Read error: Operation timed out]
11:07 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
11:12 -!- caution [~caution@unaffiliated/caution] has joined ##openvpn
11:12 < caution> is openvpn compatible with the windows built in vpn?
11:13 -!- roentgen_ [~hart@miranda/user/roentgen] has joined ##openvpn
11:15 < Bushmills> no, it isn't
11:24 < jwm> more like the windows built in isn't compatible with openvpn
11:24 < jwm> :)
11:26 -!- philverb [~david@c-67-180-198-84.hsd1.ca.comcast.net] has joined ##openvpn
11:28 -!- softy [~adas@144.190.93.27] has joined ##openvpn
11:28 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:30 -!- roentgen_ [~hart@miranda/user/roentgen] has quit [Ping timeout: 245 seconds]
11:31 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
11:42 -!- dazo is now known as dazo_afk
11:46 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Remote host closed the connection]
11:56 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
12:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
12:11 -!- softy [~adas@144.190.93.27] has quit [Ping timeout: 260 seconds]
12:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:19 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Remote host closed the connection]
12:24 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
12:26 -!- softy [~adas@144.190.93.28] has joined ##openvpn
12:33 -!- fahmad [~linux@vpn.server4sale.com] has quit [Changing host]
12:33 -!- fahmad [~linux@unaffiliated/fahmad] has joined ##openvpn
12:39 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Ping timeout: 258 seconds]
12:39 -!- Guest12047 is now known as openvpn2009
12:39 -!- mode/##openvpn [+o openvpn2009] by ChanServ
12:45 -!- Guest78881 is now known as redfox
12:45 -!- redfox is now known as Guest97035
12:50 -!- Guest97035 is now known as redfox
13:08 < fahmad> !seen krzie
13:08 < vpnHelper> fahmad: krzie was last seen in ##openvpn 20 hours, 1 minute, and 14 seconds ago: <krzie> !route
13:09 < fahmad> !seen krzee
13:09 < vpnHelper> fahmad: krzee was last seen in ##openvpn 2 days, 0 hours, 47 minutes, and 27 seconds ago: <krzee> avocado, for NAT for redirect?
13:14 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
13:17 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Ping timeout: 245 seconds]
13:17 -!- DrPepper [~DrPepper@78.141.145.123] has joined ##openvpn
13:18 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
13:24 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:29 -!- laieman [~elsn@global-se-vxj-91-198-48-25.static.host.s9.se] has joined ##openvpn
13:30 < laieman> Hi. Is there a way to use OpenVPN on clients without using a certificate, and still get a secure connection?
13:40 < ecrist> no
13:40 < ecrist> unless you use static keys, but that's a one-to-one setup
13:40 < ecrist>  (i.e. not a server -> many clients)
13:41 < laieman> Hmm okay.
13:41 < laieman> So I need to issue one certificate for each client.
13:44 < ecrist> you can do that, or issue the same certificate to all clients.
13:44 < ecrist> and authenticate using username/password
13:44 < laieman> Can the authenticate username and password be provided via command line argument?
13:45 < ecrist> !man
13:45 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
13:45 < laieman> ecrist: So basiclly I can use the same certificate for all clients, running one server - but authenticate the clients via username and password?
13:49 < ecrist> yup
13:49 < laieman> Cool. Thanks.
13:52 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
14:03 -!- killown [~geek@unaffiliated/killown] has quit [Quit: Saindo]
14:13 -!- geek [~geek@unaffiliated/geek] has joined ##openvpn
14:25 -!- kantlivelong [4a200754@gateway/web/freenode/ip.74.32.7.84] has joined ##openvpn
14:26 < kantlivelong> hey all.. is there a way on the windows openvpn client to specify the ip?
14:27 < cron2> the IP of what?
14:27 < kantlivelong> cron2: the clients machine.. instead of DHCP
14:27 < kantlivelong> i tried adding ifconfig 10.1.100.10 10.1.100.1 to the config file with no luck
14:28 < cron2> point-to-point or point-to-multipoint-server mode?
14:28 < cron2> in multipoint-server mode, the server needs to know which client has what address
14:28 < kantlivelong> uh?
14:28 < kantlivelong> just an openvpn server
14:28 < kantlivelong> with a windows software client
14:29 < cron2> there's at least 4 different ways to run an openvpn server :-)
14:29 < kantlivelong> instead of openvpn issuing an IP within the VPN i wanna specifiy a static
14:29 < Bushmills> was that the literal error message? "sorry, out of luck" or such?
14:29 < cron2> tun, multipoint tun, tap, multipoint tap
14:29 < kantlivelong> tun
14:29 < cron2> kantlivelong: if it's multipoint tun (which is the most likely setup), the server needs to assign the client address, even if it is a static address - otherwise the server won't know which address to send to which client
14:30 < kantlivelong> cron2: :/
14:30 < kantlivelong> cron2: i mean the internal assigned address
14:30 < kantlivelong> theres no way??
14:30 < Bushmills> not a message like "due to limitations of the windows tun driver etc etc  ... need to be in x.x.x.x/252 subnet"?
14:31 < cron2> kantlivelong: that *is* the way: tell the server "client kantlivelong is to receive that address 10.1.100.10"
14:31 < kantlivelong> hmm
14:31 < cron2> (ifconfig-push directive in the per-client config file on the server)
14:31 < kantlivelong> hmm
14:31 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
14:31 < kantlivelong> so ill need to copy a client config for each session??
14:32 < cron2> the server can have multiple clients, so the server needs to know which (internal) address goes to which client
14:32 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:32 < cron2> so either the server uses its pool, or you tell the server which client gets what address
14:32 < kantlivelong> hmm
14:32 < kantlivelong> so i can copy the client config
14:32 < cron2> kantlivelong: no, you just add a per-client config file to the server config
14:32 < kantlivelong> hmm
14:32 < kantlivelong> how does it know the client?
14:33 < kantlivelong> ah
14:33 < kantlivelong> wait i see
14:33 < cron2> the client identifies itself by a certificate, the cert has a distiguished name, and that is used to read a file with that name
14:33 < cron2> --client-config-dir and --ifconfig-push on the server side
14:33 < kantlivelong> ah
14:33 < kantlivelong> i see
14:33 < kantlivelong> sorry
14:34 < kantlivelong> using pfsense :P
14:40 < cron2> what is pfsense?
14:40 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Ping timeout: 265 seconds]
14:41 < kantlivelong> cron2: router software
14:41 < kantlivelong> so
14:42 < kantlivelong> ifconfig-push 10.1.100.10 10.1.100.1
14:42 < kantlivelong> that look right?
14:42 < kantlivelong> IP ROUTE?
14:42 < cron2> yes
14:42 < cron2> as long as the address is in the existing pool range, no extra routing is needed
14:43 < kantlivelong> hmm
15:05 -!- laieman [~elsn@global-se-vxj-91-198-48-25.static.host.s9.se] has quit [Ping timeout: 240 seconds]
15:05 -!- laieman [~elsn@global-se-vxj-91-198-48-25.static.host.s9.se] has joined ##openvpn
15:13 -!- kantlivelong [4a200754@gateway/web/freenode/ip.74.32.7.84] has quit [Quit: Page closed]
15:34 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:57 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
16:05 -!- geek [~geek@unaffiliated/geek] has quit [Changing host]
16:05 -!- geek [~geek@unaffiliated/killown] has joined ##openvpn
16:05 -!- geek is now known as killown
16:25 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Remote host closed the connection]
16:25 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined ##openvpn
16:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
16:29 -!- softy [~adas@144.190.93.28] has quit [Ping timeout: 258 seconds]
16:30 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Remote host closed the connection]
16:43 -!- softy [~adas@144.190.93.27] has joined ##openvpn
16:43 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
16:47 -!- tuv [~tuv@unaffiliated/tuv] has joined ##openvpn
16:47 < tuv> i have two machines behind a NAT router. whenever openvpn client is running on machine 1, i can access that machine from machine 2 (LAN), but not from an external machine through NAT
16:47 < tuv> why is that? and is there a way around this? (access machine 1 from outside regardless of openvpn)
16:57 < Bushmills> !route
16:57 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:57 -!- mw [~mw@213-66-50-34-no166.tbcn.telia.com] has joined ##openvpn
16:58 < Bushmills> !firewall
16:58 < vpnHelper> Bushmills: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
16:58 < Bushmills> tuv: ^^^^
16:59 -!- MWinther [~mw@213-66-50-34-no166.tbcn.telia.com] has quit [Ping timeout: 240 seconds]
17:07 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 260 seconds]
17:10 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
17:18 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
17:22 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
17:42 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 248 seconds]
17:57 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
18:02 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:02 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 248 seconds]
18:07 -!- softy1 [~adas@2002:90be:5d1c:0:20d:56ff:fee7:fe5f] has joined ##openvpn
18:08 -!- softy [~adas@144.190.93.27] has quit [Ping timeout: 276 seconds]
18:10 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined ##openvpn
18:13 -!- Rolybrau [~Rolybrau@181-42.3-85.cust.bluewin.ch] has joined ##openvpn
18:14 -!- Rolybrau [~Rolybrau@181-42.3-85.cust.bluewin.ch] has quit [Changing host]
18:14 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:15 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Remote host closed the connection]
18:27 -!- takamichi [~pri@78.133.38.201] has quit [Ping timeout: 246 seconds]
18:47 < tuv> if the router can ssh the machine running the openvpn client, why can't it forward to it (using the origianl local ip, not the vpn-assigned ip)
18:58 < tuv> my setup is: vpn-client <-LAN-> firewall/router <-internet-> openvpn-server. then, there is an external machine on the internet from which i'm trying to access vpn-client
18:59 < tuv> other machines on LAN have no trouble accessing vpn-client, including the router itself, which already has a port forwarding rule for, say ssh to the LAN-local ip of vpn-client
18:59 < tuv> however, this forwarding rule works only when vpn-client is not running openvpn
19:00 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
19:02 < tuv> i don't care whether the external node connects over the vpn tunnel or not
19:08 -!- philverb [~david@c-67-180-198-84.hsd1.ca.comcast.net] has quit [Ping timeout: 264 seconds]
19:13 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
19:29 -!- killown [~geek@unaffiliated/killown] has quit [Quit: Saindo]
19:32 -!- geek [~geek@unaffiliated/geek] has joined ##openvpn
19:36 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 276 seconds]
19:48 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
19:59 -!- theDoc [~link@bb119-74-211-17.singnet.com.sg] has joined ##openvpn
20:04 -!- theDoc [~link@bb119-74-211-17.singnet.com.sg] has quit [Ping timeout: 265 seconds]
20:07 -!- geek [~geek@unaffiliated/geek] has quit [Quit: Saindo]
20:22 -!- geek [~geek@unaffiliated/geek] has joined ##openvpn
20:25 -!- geek [~geek@unaffiliated/geek] has quit [Client Quit]
20:36 -!- IceD^ [~iced@mm-7-192-84-93.dynamic.pppoe.mgts.by] has joined ##openvpn
20:36 < IceD^> TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed - it's because of CA cert?
20:40 -!- theDoc [~link@unaffiliated/thedoc] has joined ##openvpn
21:49 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
22:27 -!- philverb [~david@c-67-180-198-84.hsd1.ca.comcast.net] has joined ##openvpn
22:36 -!- IceD^ [~iced@mm-7-192-84-93.dynamic.pppoe.mgts.by] has quit [Remote host closed the connection]
22:52 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
22:58 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
23:01 -!- theDoc [~link@unaffiliated/thedoc] has quit [Quit: Leaving]
23:05 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
23:13 -!- fahmad [~linux@vpn.server4sale.com] has joined ##openvpn
23:14 -!- fahmad [~linux@vpn.server4sale.com] has quit [Changing host]
23:14 -!- fahmad [~linux@unaffiliated/fahmad] has joined ##openvpn
23:15 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:36 -!- caution [~caution@unaffiliated/caution] has quit [Ping timeout: 258 seconds]
--- Day changed Tue Jul 13 2010
00:16 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
00:16 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
00:22 < repent> anyone around
00:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
00:43 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
00:46 -!- fahmad [~linux@unaffiliated/fahmad] has quit [Ping timeout: 245 seconds]
00:49 -!- fahmad [~linux@vpn.server4sale.com] has joined ##openvpn
00:49 -!- fahmad [~linux@vpn.server4sale.com] has quit [Changing host]
00:49 -!- fahmad [~linux@unaffiliated/fahmad] has joined ##openvpn
01:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
01:25 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:45 -!- takamichi [~pri@78.133.38.201] has joined ##openvpn
01:47 < creack> Do someone know if it is possible to make a client close (or just set back default routes) after a certain amount of successives connection failure?
01:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
01:55 -!- theDoc [~link@unaffiliated/thedoc] has joined ##openvpn
02:19 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:31 -!- philverb [~david@c-67-180-198-84.hsd1.ca.comcast.net] has quit [Ping timeout: 260 seconds]
02:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
02:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:43 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:43 -!- mode/##openvpn [+o mattock] by ChanServ
03:08 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined ##openvpn
03:09 < kraut> moin
03:10 < creack> ?
03:14 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
03:22 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
03:23 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:48 -!- theDoc [~link@unaffiliated/thedoc] has quit [Quit: Leaving]
03:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
03:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:09 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:21 -!- dazo_afk is now known as dazo
04:35 -!- geek [~geek@unaffiliated/geek] has joined ##openvpn
04:39 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
04:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
04:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:05 -!- gorkhaan [~gorkhaan@adsl-101-10.globonet.hu] has quit [Quit: Távozom]
05:07 -!- theDoc [~link@unaffiliated/thedoc] has joined ##openvpn
05:22 -!- fahmad [~linux@unaffiliated/fahmad] has quit [Read error: Connection reset by peer]
05:32 -!- ScriptFanix [vincent@2001:910:100b::1] has quit [Read error: Connection reset by peer]
05:34 -!- xro [a062ef85@gateway/web/freenode/ip.160.98.239.133] has quit [Quit: Page closed]
05:44 -!- rrrrrrrrrrrrr [~Jesus@190.1.174.4] has joined ##openvpn
05:44 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined ##openvpn
05:54 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:02 -!- kyle__ [~kyle@80.67.12.170] has joined ##openvpn
06:03 -!- SOG [~SOG@61.144.230.241] has quit [Remote host closed the connection]
06:03 -!- SOG [~SOG@n1164868040.netvigator.com] has joined ##openvpn
06:03 < kyle__> Hi, is it possible to make a openvpn process to listen on 2 ports on the same time?
06:03 -!- SOG [~SOG@n1164868040.netvigator.com] has quit [Client Quit]
06:05 < Bushmills> no. needs two processes, at the moment
06:05 < creack> no
06:06 < Bushmills> you may use port redirection facility of your firewall software
06:06 < Bushmills> may be able to
06:07 < kyle__> sounds like it will slow down the system to redirect the port from fw?
06:08 < Bushmills> examining packet destinations should be slower than resending to different port 
06:09 < Bushmills> but it is true, firewalls in general increase packet latency slightly
06:10 < kyle__> okey, thanks
06:10 < Bushmills> though consider that a packet has a certain length, over a finite speed connection. getting it transferred tends to be much slower than examining headers and patching it
06:10 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
06:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:12 < kyle__> alright
06:23 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:38 -!- Niklas- [~niklas@217.116.253.195] has quit [Ping timeout: 265 seconds]
06:51 -!- takamichi [~pri@78.133.38.201] has quit [Ping timeout: 260 seconds]
06:51 -!- takamichi [~pri@78.133.38.201] has joined ##openvpn
07:15 -!- rrrrrrrrrrrrr [~Jesus@190.1.174.4] has quit [Quit: Saliendo]
07:19 -!- Niklas- [~niklas@217.116.253.195] has joined ##openvpn
07:20 -!- laieman [~elsn@global-se-vxj-91-198-48-25.static.host.s9.se] has quit [Ping timeout: 260 seconds]
07:21 -!- laieman [~elsn@global-se-vxj-91-198-48-25.static.host.s9.se] has joined ##openvpn
07:45 -!- mw [~mw@213-66-50-34-no166.tbcn.telia.com] has quit [Read error: Operation timed out]
07:46 -!- pif [~ldm@zenon.apartia.fr] has joined ##openvpn
07:47 < pif> hi, under debian/sid resolvconf now conflicts with gnome, how do I change my /etc/resolv.conf without it?
07:48 < pif> I need the dns options from the server
07:57 < Bushmills> --up script which read pushed name server and writes to /etc/resolv.conf
07:59 < pif> ok, and how do I launch my openvpn client after pppd connects?
08:00 < Bushmills> through interface/if_up.d or up script in interfaces
08:00 < pif> ok
08:00 < Bushmills> ehm,, through network/if_up.d
08:00 < Bushmills> if-up.d, even
08:06 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
08:22 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Remote host closed the connection]
08:49 -!- SOG [~SOG@n1164868040.netvigator.com] has joined ##openvpn
08:55 -!- SOG [~SOG@n1164868040.netvigator.com] has quit [Quit: SOG]
09:00 -!- geek [~geek@unaffiliated/geek] has quit [Read error: Connection reset by peer]
09:01 -!- geek [~geek@unaffiliated/geek] has joined ##openvpn
09:07 -!- mtoledo [~user@189.121.191.183] has joined ##openvpn
09:07 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
09:08 -!- mtoledo [~user@189.121.191.183] has left ##openvpn []
09:09 -!- geek [~geek@unaffiliated/geek] has quit [Changing host]
09:09 -!- geek [~geek@unaffiliated/killown] has joined ##openvpn
09:09 -!- geek is now known as killown
09:20 < ecrist> mbuf corruption vulnerability in FreeBSD 7.x and later: http://security.FreeBSD.org/advisories/FreeBSD-SA-10:07.mbuf.asc
09:25 -!- laieman [~elsn@global-se-vxj-91-198-48-25.static.host.s9.se] has quit [Remote host closed the connection]
09:27 -!- notbrien [~notbrien@69.60.16.242] has joined ##openvpn
09:38 -!- pif [~ldm@zenon.apartia.fr] has quit [Ping timeout: 240 seconds]
09:40 -!- pif [~ldm@zenon.apartia.fr] has joined ##openvpn
09:57 -!- APTX_ [~APTX@phpBB/developer/APTX] has joined ##openvpn
09:59 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
10:00 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
10:19 -!- APTX_ is now known as APTX
10:23 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has joined ##openvpn
10:35 -!- pif [~ldm@zenon.apartia.fr] has quit [Ping timeout: 248 seconds]
10:36 -!- APTX_ [~APTX@phpBB/developer/APTX] has joined ##openvpn
10:38 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 260 seconds]
10:43 -!- killermouse0 [~killermou@gsv95-1-82-233-12-23.fbx.proxad.net] has quit [Ping timeout: 260 seconds]
10:44 -!- killermouse0 [~killermou@gsv95-1-82-233-12-23.fbx.proxad.net] has joined ##openvpn
10:45 -!- APTX_ is now known as APTX
10:47 -!- notbrien [~notbrien@69.60.16.242] has quit [Ping timeout: 260 seconds]
10:49 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
10:49 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Read error: Connection reset by peer]
10:50 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
10:50 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Remote host closed the connection]
10:52 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
10:52 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Operation timed out]
10:52 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Remote host closed the connection]
10:53 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
10:54 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Read error: Connection reset by peer]
10:54 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
10:55 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Remote host closed the connection]
10:56 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
10:56 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
10:57 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Read error: Connection reset by peer]
11:02 < kyle__> is it also possible to change the local port in the OpenVPN client?
11:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
11:16 < Bushmills> yes, you can. 
11:17 < kyle__> ah just change port xxx, the Iran goverment blocks port 1194 for my customers
11:17 < Bushmills> --bind ...
11:17 < kyle__> not port xxx ?
11:18 < Bushmills> but you may need to change destination port
11:18 < kyle__> I'm going to try to change local port first if it not works I will try to change remote port to 53/udp
11:18 < Bushmills> "change the local port in client" is what you asked. that's done with --bind
11:19 < Bushmills> that's result in source port as given in --bind option, and destination port as specified with --remote option
11:20 < kyle__> but seems like port xx works to?
11:20 < Bushmills> for client, probably better to use  --nobind
11:20 < kyle__> but I don't want to define any ip just port
11:20 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
11:20 < Bushmills> means, source port while be randomized
11:21 < kyle__> ouh yes then nobind is better
11:21 < Bushmills> will be ...
11:22 < kyle__> thanks allot
11:22 < Bushmills> but filtering is probably done on destination port, not source port
11:23 < kyle__> what do you think of running openvpn on port 53/udp?
11:23 < kyle__> most firewalls will allow traffic on that port?
11:23 < jpalmer> depends on the organization.  many will.  many won't.
11:23 < Bushmills> fine. though it is easy to block it too
11:24 < jpalmer> for instance,  on my network,  I don't allow outbound connections to port 53/udp, except from my internal nameserver machines.
11:24 < kyle__> I having problems with customers in China and Iran seems like they block 1194 by default down there
11:24 < jpalmer> (then internal clients use my internal nameservers)
11:24 < Bushmills> outgoing china allows 1194
11:24 < jpalmer> china in particular blocks many ports.
11:24 < Bushmills> (destination port)
11:25 -!- softy1 [~adas@2002:90be:5d1c:0:20d:56ff:fee7:fe5f] has quit [Ping timeout: 276 seconds]
11:25 < Bushmills> though it may depend on region, and provider
11:25 < kyle__> Yes I will try some diffrent ports and see what works best
11:26 < Bushmills> shenzen/hongkong can use dest udp/1194
11:26 -!- theDoc [~link@unaffiliated/thedoc] has quit [Quit: Leaving]
11:27 < kyle__> Okey
11:31 -!- roothorick [~fgsfds@CPE-72-129-147-218.new.res.rr.com] has joined ##openvpn
11:32 < roothorick> so what the heck is a .ovpn file? I can't find the example or any documentation on it
11:32 < Bushmills> just an openvpn config file
11:32 < Bushmills> extension as windows seems to prefer it
11:32 < krzee> in windows it uses .ovpn
11:32 < roothorick> so... the same thing as the .confs in /etc on my server?
11:32 < krzee> yupyup
11:32 < roothorick> okay then, next question
11:33 < Bushmills> possibly CR+LF line end
11:33 < roothorick> the client is an XP Pro netbook
11:33 < roothorick> no matter what I try, when I go to start the connection it just gives me "Process started and then immediately exited: []" with no other explanation. What?
11:33 < krzee> hey ecrist whats the svn for the confgen? my webserver is down =[
11:33 < krzee> !logfile
11:33 < vpnHelper> krzee: "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info
11:34 < roothorick> that doesn't do me any good (Windows, remember?)
11:34 < krzee> yes it does
11:34 < krzee> windows supports --log
11:34 < Bushmills> roothorick: you may possibly set properties of openvpn and openvpn-gui to "compatibility mode" and "run as Admin"
11:34 < Bushmills> need to
11:34 < roothorick> I'm already logged in as Administrator
11:35 < krzee> manually specify a logfile
11:35 < krzee> note,
11:35 < krzee> !winpath
11:35 < vpnHelper> krzee: "winpath" is Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key"
11:35 < roothorick> so the GUI just doesn't work?
11:35 < krzee> the gui works fine
11:35 < krzee> specify a logfile!!!
11:37 < roothorick> okay, there's one gotcha
11:37 < krzee> !learn winpath as also, you can use forward slashes to avoid needing  double backslashes, but you still need quotes, e.g.: \"C:/Program Files/OpenVPN/config/foo.key\"
11:37 < vpnHelper> krzee: Joo got it.
11:37 < krzee> !winpath
11:37 < vpnHelper> krzee: "winpath" is (#1) Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key", or (#2) also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.: \"C:/Program Files/OpenVPN/config/foo.key\"
11:37 < krzee> grr
11:37 < krzee> !forget winpath 2
11:37 < vpnHelper> krzee: Joo got it.
11:37 < krzee> !learn winpath as also, you can use forward slashes to avoid needing  double backslashes, but you still need quotes, e.g.: "C:/Program Files/OpenVPN/config/foo.key"
11:37 < vpnHelper> krzee: Joo got it.
11:37 < krzee> !winpath
11:37 < vpnHelper> krzee: "winpath" is (#1) Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key", or (#2) also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.: C:/Program Files/OpenVPN/config/foo.key
11:37 < krzee> how the hell did i get those quotes in there for #1
11:37 < krzee> !forget winpath 2
11:38 < vpnHelper> krzee: Joo got it.
11:38 < roothorick> the frontpage download link and the community software / downloads version seem to be substantially different
11:38 < krzee> !learn winpath as also, you can use forward slashes to avoid needing  double backslashes, but you still need quotes, e.g.: ""C:/Program Files/OpenVPN/config/foo.key""
11:38 < vpnHelper> krzee: Joo got it.
11:38  * Bushmills has been to hell and returned unscathed
11:38 < krzee> !winpath
11:38 < vpnHelper> krzee: "winpath" is (#1) Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key", or (#2) also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.:  C:/Program Files/OpenVPN/config/foo.key""
11:38 < krzee> lol
11:38 < krzee> !download
11:38 < vpnHelper> krzee: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
11:38 < roothorick> right on http://www.openvpn.net/
11:38 < vpnHelper> Title: OpenVPN - Open Source VPN (at www.openvpn.net)
11:39 < krzee> the website tries to get you to the non-opensource non-free download link
11:39 < roothorick> interesting
11:39 < krzee> you would need to navigate there through "open-source" link
11:39 < roothorick> that's probably pretty much the source of all my confusion
11:39 < krzee> that changed when they started offering this:
11:39 < krzee> !AS
11:39 < vpnHelper> krzee: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
11:39 < vpnHelper> krzee: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
11:40 < Bushmills> but the need to download is mostly an issue for windows users
11:40 < krzee> thats true now, for awhile most package managers had old versions... that should be universally fixed now tho
11:40 < Bushmills> modern operating systems usually feature an integrated package management system
11:41 < roothorick> say what you will about Windows, but 7 is modern by any sane yardstick
11:41 < roothorick> and it doesn't have a real package management system
11:41 < Bushmills> if you say so :)
11:42 < roothorick> hey, I never said it was *good*
11:42 < Bushmills> so by the sane yardstick of package management, windows isn't modern, right?
11:42 < krzee> MacPro3,1 CPU: Intel Core2 Quad Q9400 2.66GHz @ 2.4GHz [/FPU/MMX/SSE/SSE2/SSE3/S.SSE3/SSE4.1/x86_64/PAE/XD/EM64T/VMX/EST/QuadCore] L2: 6144K FSB: 1064MHz Airport:    RAM: 3.7GB/8.0GB Vram: 20.03M/128.00M Disk: 63.8GB/931.39GB GPU: Unknown nVidia card [512 MB/Stock] 1280x1024@60Hz and 1280x1024@60Hz OS: Mac OS X 10.6.4 (10F569) Kernel: Darwin 10.4.0 Up: 20:49 4 
11:42 < roothorick> "modern" and "package management" have little to do with each other, so the yardstick isn't sane ;)
11:43 -!- macsppadic [~sonupunno@88.211.55.77] has left ##openvpn []
11:43 < Bushmills> ok. scalability? ability to use it on a wide spectrum of host cpus?
11:43 < krzee> meh no need to do our os-war
11:44 < krzee> we can leave it at:
11:44 < krzee> !windows
11:44 < vpnHelper> krzee: "windows" is pcs are like air conditioners, they work fine unless you open windows
11:44 < krzee> ;]
11:44 < roothorick> hahahaha
11:44 < Bushmills> we don't. we simply try to get grips on the term "modern operating system"
11:44 < krzee> as long as we can all agree that openvms sucks, im happy
11:45 < krzee> lol
11:45 < roothorick> hah, so it's picky about what IP the packets come from, huh?
11:46 < krzee> yup, you trying to route the client lan?
11:46 < roothorick> I'm testing it over my wifi
11:46 < roothorick> but the server is my router
11:46 < krzee> with redirect-gateway?
11:46 < roothorick> eh? no
11:46 -!- softy [~adas@2002:90be:5d1c:0:20d:56ff:fee7:fe5f] has joined ##openvpn
11:47 < krzee> oh, maybe the issue is the server being your router then
11:47 < krzee> oh, you are not using dev tap, right?
11:47 < roothorick> tun
11:48 < roothorick> is tap bad?
11:48 < roothorick> well, time to punch a hole in the firewall. What ports do I need?
11:49 < krzee> whichever port you used
11:49 < krzee> default being 1194 udp
11:49 < roothorick> didn't specify... there, thanks
11:49 < krzee> dunno if tap is "bad" but its definitely not needed unless you need layer2
11:49 < krzee> !tunortap
11:49 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
11:49 < vpnHelper> krzee: against you over the vpn, or (#4) lan gaming? use tap!
11:49 < roothorick> whoa, my INPUT table is *huge*
11:50 < Bushmills> sounds like firewall builder
11:50 < roothorick> no, I craft iptables by hand
11:50 < krzee> meh, i used to have huge ipfw / ipf / pf rules... it happens
11:50 < roothorick> and actually, it's almost all just individual ports being opened
11:50 < Bushmills> and still huge?
11:51 < krzee> cant iptables group opening ports into 1 rule?
11:51 < roothorick> well... 16 rules
11:51 < roothorick> can it?
11:51 < krzee> no idea, i use fbsd
11:51 < krzee> but ild expect it to
11:51 < krzee> bush would know
11:51 < roothorick> anyway, I got some cleaning to do
11:51 < krzee> (i think)
11:51 < roothorick> I have some ports open I don't want open
11:51 < Bushmills> well, 16 rules isn't tiny, but also far from "huge"
11:57 < krzee> !forget winpath 2
11:57 < vpnHelper> krzee: Joo got it.
11:57 < krzee> !learn winpath as also, you can use forward slashes to avoid needing  double backslashes, but you still need quotes, e.g.: """C:/Program Files/OpenVPN/config/foo.key"
11:57 < vpnHelper> krzee: Joo got it.
11:57 < krzee> !winpath
11:57 < vpnHelper> krzee: "winpath" is (#1) Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key", or (#2) also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.:  C:/Program Files/OpenVPN/config/foo.key
11:57 < krzee> heh
11:58 < krzee> !forget winpath 2
11:58 < vpnHelper> krzee: Joo got it.
11:58 < krzee> !learn winpath as also, you can use forward slashes to avoid needing  double backslashes, but you still need quotes, e.g.: '"C:/Program Files/OpenVPN/config/foo.key"'
11:58 < vpnHelper> krzee: Joo got it.
11:58 < krzee> !winpath
11:58 < vpnHelper> krzee: "winpath" is (#1) Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key", or (#2) also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.: '"C:/Program Files/OpenVPN/config/foo.key"'
11:58  * krzee kicks vpnHelper's ass
11:58 < krzee> i wonder if i had eric inject winpath 1 into the db by hand
11:59 < krzee> !forget winpath 2
11:59 < vpnHelper> krzee: Joo got it.
12:04 < krzee> !learn winpath as also, you can use forward slashes to avoid needing  double backslashes, but you still need quotes, e.g.: C:/Program Files/OpenVPN/config/foo.key (but surrounded by quotes)
12:04 < vpnHelper> krzee: Joo got it.
12:04 < krzee> lol
12:04 < krzee> screw it, that'll work
12:07 < Bushmills> exercising the bot a bit?
12:07 < Bushmills> or is that exorcising?
12:09 < krzee> would seem the second is more appropriate
12:14 < roothorick> so... VPN is set up, the server can ping the client
12:14 < roothorick> and the server is already a router, and routing things normally....
12:14 < roothorick> but my desktop can't ping the client
12:14 < roothorick> I can ping the server side of the tunnel though
12:16 < Bushmills> check route, check firewall
12:16 < Bushmills> ah. server can - route is probably ok
12:16 < roothorick> ...you know
12:16 < Bushmills> "desktop" ... "client" 
12:16 < Bushmills> no idea what is what
12:17 < roothorick> let me explain
12:17 < roothorick> I have a server with three NICs (four actually, but only three are used)
12:17 < roothorick> eth0 is outside (DHCP assigned, my IP)
12:18 < Bushmills> good. using 4 nics on a server with 3 is inherently difficult
12:18 < roothorick> eth1 is a secured subnet, 192.168.1.x/24, connected to my open wireless AP
12:18 < roothorick> eth2 is my private, wired-only network, 192.168.0.x, on which my desktop computer resides (.2)
12:18 < roothorick> the laptop is on the wifi, and also connected to the VPN
12:19 < roothorick> the VPN is 192.168.254.1 server, 192.168.254.2 client
12:19 < Bushmills> what is your --topology ?
12:19 < roothorick> what do you mean?
12:20 < Bushmills> net30? subnet? p2p?
12:20 < roothorick> point to point I believe
12:20 < Bushmills> ah. no. scratch p2p
12:21 < roothorick> uh...
12:21 < roothorick> I'm just trying to get two computers connected
12:21 < Bushmills> " Only use when none of the connecting  clients are Windows systems."
12:22 < krzee> roothorick, 
12:22 < krzee> is "desktop" a machine not running openvpn?
12:22 < Bushmills> with net30, client address should collide with server p2p address
12:22 < roothorick> correct
12:22 < krzee> is it on the lan of server or client?
12:22 < roothorick> the expected behavior is, ping packet goes through physical network from .0.2 to .0.1 which is also .254.1 (the VPN) which sends the packet over the VPN to .254.2
12:22 < roothorick> and then back again
12:23 < roothorick> on the LAN of the server
12:23 < krzee> !serverlan
12:23 < Bushmills> do you set client ip address explicitely in your config?
12:23 < vpnHelper> krzee: "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
12:23 < krzee> you can ignore ip forwarding and the route outside openvpn
12:23 < krzee> since it happens to be the router
12:23 < krzee> so really, you just need to push the route to clients
12:24 < roothorick> shouldn't it be handled by default route?
12:24 < roothorick> I mean, .0.1 is the default gateway for .0.2
12:24 < Bushmills> also, 192.168.1.0/24 is not the most ideal subnet for openvpn
12:24 < krzee> your clients default route over the vpn...?
12:24 < krzee> if not, no
12:24 < krzee> !push
12:24 < vpnHelper> krzee: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
12:25 < krzee> pushing the route to server lan will result in clients having a route for the server's lan subnet to go over the VPN
12:25 < roothorick> Bushmills: it's not. .1.x is the WiFi subnet. .1.1 is eth1 on the server and connected directly to a wireless AP
12:25 < roothorick> ohhhhhh
12:25 < roothorick> the VPN client doesn't have the .0.x routes! duh!
12:26 < Bushmills> oh sorry, 192.168.254.0 that is. misread
12:27 < roothorick> curious, can I do DHCP assignment of VPN clients' IPs?
12:27 < roothorick> or otherwise "push" IPs to them?
12:27 < krzee> openvpn does, kinda
12:27 < krzee> !static
12:27 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
12:27 < krzee> also, you may like:
12:27 < krzee> !topology
12:27 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
12:28 -!- tmkd_ [user-448@91.121.140.63] has joined ##openvpn
12:31 < krzee> !learn topology as this results in clients getting addresses .2 .3 .4 .5 etc
12:31 < vpnHelper> krzee: Joo got it.
12:31 < roothorick> so, I just have the two machines, but I want to make sure I can add a third later
12:31 < roothorick> static key isn't gonna cut it?
12:33 < krzee> nope
12:33 < krzee> need client/server, and certs
12:34 < roothorick> sticky. How hard is this to do?
12:35 < krzee> pretty simple
12:35 < krzee> ild show you my sample configs, or give you my config generator, but my webserver is down =[
12:36 -!- yakub [~www-data@unaffiliated/yakub] has joined ##openvpn
12:37 < roothorick> that's the PKI stuff talked about in the HOWTO?
12:38 < ecrist> http://www.secure-computing.net/svn/trunk/openvpn-confgen/
12:38 < vpnHelper> Title: svn - Revision 313: /trunk/openvpn-confgen (at www.secure-computing.net)
12:39 < krzee> correct
12:39 < krzee> nice thanx
12:39 < ecrist> assuming you've kept it up to date...
12:39 < krzee> !learn confgen as you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/
12:39 < vpnHelper> krzee: Joo got it.
12:39 < krzee> i didnt want to face the wrath of the ecrist ;)
12:39 < krzee> plus there havnt been any updates for awhile, lol
12:40 < krzee> roothorick, lazier config generating and cer generating:
12:40 < ecrist> no wrath, just trying to help you out.
12:40 < krzee> !confgen
12:40 < vpnHelper> krzee: "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/
12:40 < krzee> !ssl-admin
12:40 < vpnHelper> krzee: "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn, or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
12:40 < krzee> ecrist, i know im just playin
12:40 < krzee> how you been man
12:42 < ecrist> working hard, or something.
12:42 < tmkd_> hi, i have external ip adress. But in my home i have LAN, i want to connect to openvpn server from my home lan. it is possible without some special modification in my router?
12:42 < ecrist> shooting sporting clays over the weekend, had a good time.
12:43 < ecrist> used my uncle's Ruger Gold Label side-by-side
12:43 < ecrist> nice gun
12:44 < krzee> nice man
12:44 < Bushmills> tmkd_: yes, lest it lets you contact your remote openvpn server
12:44 < krzee> im all pumped up for a tournament im gunna be in, in like 2 months
12:45 < krzee> i mentioned it in the dev channel a few mins ago
12:45 < tmkd_> but openvp still shows 'connecting'
12:45 < Bushmills> hm ... lest , lets .... like  eats meast wets
12:45 < tmkd_> Bushmills: what can be wrong
12:45 < krzee> tmkd_, kinda
12:45 < krzee> !route_outside_openvpn
12:45 < vpnHelper> krzee: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
12:45 < Bushmills> in general?  colour, taste, temperature, speed
12:45 < krzee> if you cant do that route on your home router, you need routes on every machine in the lan, as mentioned in !route
12:47 < tmkd_> krzee: ?
12:47 < krzee> tmkd_, ?
12:47 < krzee> i just answered your question...
12:47 < tmkd_> i didnt change any route rules
12:48 < tmkd_> it us neccesary?
12:48 < krzee> you do need a route on your router of the LAN, if that is impossible you have a workaround
12:48 < tmkd_> is it.>?
12:48 < krzee> did you click the link i gave you? or read my writeup?
12:48 < krzee> cause if not, you shouldnt be asking that
12:48 < krzee> you should be too busy reading the stuff i made to answer your question :p-
12:48 < krzee> :-p
12:49 < tmkd_> krzee: yes i have read 
12:50 < tmkd_> but it only shows mechanism
12:50 < krzee> umm
12:50 < krzee> !route
12:50 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:50 < krzee> section: ROUTES TO ADD OUTSIDE OPENVPN
12:51 < krzee> it tells you what to do, and why, and the workaround if you are unable to do that
12:51 < krzee> if both of those are impossible, you can use the NAT hack, but you really should find a better way
12:51 -!- kantlivelong [3f8bce12@gateway/web/freenode/ip.63.139.206.18] has joined ##openvpn
12:51 < krzee> you dont have access to your *home* router!????
12:52 < kantlivelong> hey all. what would make openVPN connect but not be able to send/recv any traffic (IE ping/web/etc...)
12:52 < Bushmills> kantlivelong: not having set a route through openvpn
12:52 < Bushmills> alternatively, firewall
12:52 < kantlivelong> Bushmills: Bushmills im using the vpn client
12:53 < kantlivelong> firewall rules seem okay
12:53 < Bushmills> that works usually better than trying to connect using a slice of toasted bread
12:53 < kantlivelong> lolz
12:54 < kantlivelong> i mean it connects fine
12:54 < kantlivelong> i just cant ping anything at all
12:54 < kantlivelong> not even the GW
12:54 < Bushmills> is "GW" same as openvpn server?
12:54 < kantlivelong> the GW the openvpn server pushes 
12:55 < Bushmills> is that an openvpn client too?
12:56 < krzee> kantlivelong, 
12:56 < krzee> !configs
12:56 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
12:58 < krzee> but basically...
12:58 < krzee> !redirect
12:58 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:58 < krzee> oh also, if you do not run the server, we can not help you
12:58 < krzee> whoever runs the server would need to help you
13:21 -!- dazo is now known as dazo_afk
13:25 -!- MWinther [~mw@213-66-50-34-no166.tbcn.telia.com] has joined ##openvpn
13:26 < kantlivelong> hmm
13:26 < kantlivelong> krzee: you have any idea why i cant assign a static to a vpn client user?
13:28 -!- notbrien [~notbrien@69.60.16.242] has joined ##openvpn
13:28 -!- softy [~adas@2002:90be:5d1c:0:20d:56ff:fee7:fe5f] has left ##openvpn []
13:29 -!- kantlivelong [3f8bce12@gateway/web/freenode/ip.63.139.206.18] has quit [Quit: Page closed]
13:30 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
13:31 < ksk> hi. is there a way so set routes in client.ovpn (windows)?
13:37 < krzee> same as any other os
13:37 < krzee> --route
13:37 < Bushmills> config may need addition of   route-method exe
13:37 < krzee> true
13:38 < krzee> !winroute
13:38 < vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
13:38 < krzee> those are the possibly gotchyas with windows
13:38 < krzee> however, normally a simple --route works
13:38 < ksk> cool, thx!
13:40 -!- kantlivelong [3f8bce12@gateway/web/freenode/ip.63.139.206.18] has joined ##openvpn
13:40 < kantlivelong> meh.. can anyone explain how to assign static IPs to remote vpn client users? i tried 10.1.100.9/30 to get 10.1.100.10 but it keeps giving me .9!
13:42 < krzee> !static
13:42 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
13:42 < krzee> if you use net30 (default) then
13:43 < krzee> ifconfig-push 10.8.0.9 10.8.0.10
13:43 < krzee> in a ccd file for the client of course
13:43 < krzee> but really there shouldnt be a reason to need net30 anymore
13:43 < krzee> !topology
13:43 < kantlivelong> hmm
13:43 < vpnHelper> krzee: "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
13:44 < kantlivelong> hmmm
13:44 < kantlivelong> the push doesnt seem to work on the client in windows
13:45 < krzee> you put it on the server, in a ccd file
13:45 < krzee> !ccd
13:45 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
13:45 < kantlivelong> yeah
13:45 < kantlivelong> i did that
13:45 < krzee> check server logs to see if it read the ccd file
13:45 < Bushmills> client connection transcript may be more useful here
13:46 < Bushmills> something like "due to a limitation of the win tun driver ... need to be in a /252 subnet"
13:46 < kantlivelong> it does
13:46 < kantlivelong> but tis getting .9 instead of .10
13:47 < Bushmills> it doesn't work, but it does?
13:47 < roothorick> can I have e.g.
13:47 < Bushmills> interesting concept
13:48  * Bushmills passes to roothorick an e.g.
13:48 < kantlivelong> hmm
13:48 < roothorick> ifconfig 192.168.254.0 255.255.255.0
13:48 < roothorick> and then some clients get static IPs via ifconfig-push in that range but others are dynamically assigned
13:48 < roothorick> is that safe?
13:49 < Bushmills> that's what you use ccd for
13:49 < roothorick> yes, but can ifconfig-push static IPs and dynamic IPs be on the same subnet?
13:49 < roothorick> without risk of collisions?
13:49 < Bushmills> though i'd probably split address ranges into two /25 subnets
13:50 < Bushmills> one for ccd static addresses, one for dynamically assigned addresses
13:50 < Bushmills> makes it also easier to run different firewall rules on them
13:50 < roothorick> as a group you mean?
13:50 < roothorick> don't particularly care about that
13:51 < roothorick> besides, I can always change them later, without client reconfiguration
13:51 < Bushmills> pool with addresses x.x.x.128...254, and ccd for  x.x.x.x...127
13:51 < roothorick> how would that look in the config?
13:51 < Bushmills> similar to the previous line
13:51 < roothorick> ifconfig 192.168.254.128 255.255.255.128 ish?
13:52 < Bushmills> no. check man page for "pool"
13:52 < roothorick> screw it, I'm just gonna do all-static for now
13:55 < roothorick> okay, what the
13:55 < roothorick> "Error: private key password verification failed"
13:55 < roothorick> I didn't set a password....?
13:58 < roothorick> ah, dumb conf typo
13:59 < kantlivelong> odd
13:59 < kantlivelong> i cant install TAP to windows 2003 :(
14:02 < roothorick> so how do I push static IPs in a not-point-to-point way?
14:04 -!- kantlivelong [3f8bce12@gateway/web/freenode/ip.63.139.206.18] has quit [Quit: Page closed]
14:05 < roothorick> or.... do I need to use tap to do that with windows clients?
14:07 < Chosi> !ccd
14:07 < vpnHelper> Chosi: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
14:07 < roothorick> I'm aware of ccd
14:08 < roothorick> I want the VPN to act as its own full-fledged subnet with clients able to talk to each other
14:08 < Chosi> ifconfig-push 10.0.0.6 255.255.255.0
14:08 < Chosi> that's how i push
14:08 < Chosi> and client-to-client goes to config to enable "to talk to each other"
14:08 < roothorick> so I *do* need to use tap?
14:08 < jwm> clients should be able to talk to each other automatically
14:08 < jwm> if you are on the same subnet
14:08 < Chosi> i'm using tun.
14:08 < roothorick> that doesn't work here
14:09 < jwm> how many vpn clients are you using
14:09 < roothorick> I'm working on getting one going
14:09 < Chosi> so it's either your firewall rule setup
14:09 < roothorick> then I'll add the others once I have this one working
14:09 < Chosi> or something else
14:09 < roothorick> no, it doesn't initialize
14:09 < roothorick> it gives me an error about win32 driver limits
14:09 < Chosi> ah alright, let me see them logs again
14:10 < Chosi> i just rejoined ;)
14:10 < jwm> how do you know if they can see each other if you just have one going
14:10 < jwm> or not even one going
14:10 < roothorick> I have a server and one client
14:11 < jwm> and you have it working?
14:11 < roothorick> and I have direct (as in, non-VPN) access to both
14:11 < roothorick> so I can see what each is doing
14:11 < jwm> ok
14:11 < jwm> so you add another client and it fails?
14:11 < roothorick> no
14:11 < roothorick> I can't get the first client working
14:11 < Chosi> !logs
14:11 < vpnHelper> Chosi: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
14:11 < Chosi> !config
14:11 < vpnHelper> Chosi: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
14:11 < Chosi> +s
14:11 < Chosi> whatever
14:12 < Chosi> i need that :>
14:16 < ecrist> ping krzee 
14:16 < ecrist> or krzie
14:16 < roothorick> client: http://pastebin.com/T5d0C7LR
14:16 < ecrist> !configs
14:16 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
14:17 < Chosi> alright i had that too
14:17 < Chosi> now let's figure out what it was
14:17 < Chosi> hehe
14:18 < roothorick> it says right there in the error "This is a limitation of --dev tun when used with the TAP-WIN32 driver"
14:18 < roothorick> makes me think I should be using dev tap
14:18 < Chosi> i'll find out when i see your server config
14:18 < Chosi> yeah roothorick, disregard that
14:18 < Chosi> :P
14:19 < roothorick> !tunvstap
14:19 < vpnHelper> roothorick: Error: "tunvstap" is not a valid command.
14:19 < roothorick> !tapvstun
14:19 < vpnHelper> roothorick: Error: "tapvstun" is not a valid command.
14:19 < roothorick> what is it?
14:19 < Chosi> roothorick: server config please?
14:19 < roothorick> alright, hold on
14:19 < Chosi> client would be fine too
14:19 < Chosi> :)
14:21 < roothorick> http://pastebin.com/FuYBeXQc
14:21 < roothorick> ccd/momspinky is just one line, I've tried "ifconfig-push 192.168.254.3 255.255.255.0" and "ifconfig-push 192.168.254.3 192.168.254.1" and neither worked
14:22 < roothorick> the client is windows.... I don't have grep on there
14:22 < Chosi> add topology subnet
14:22 < Chosi> to your server config
14:23 < roothorick> and the ccd file should be?
14:23 < Chosi> based on the users' common name
14:23 < Chosi> client-config-dir /etc/openvpn/ccd
14:23 < Chosi> goes to server config
14:23 < Chosi> something like this
14:23 < roothorick> no, what should it contain?
14:23 < Chosi> and you place files with the users' common name inside that folder
14:24 < Bushmills> !tunortap
14:24 < vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
14:24 < vpnHelper> Bushmills: against you over the vpn, or (#4) lan gaming? use tap!
14:24 < Bushmills> roothorick: ^^^
14:24 < roothorick> "Acquiring network address" uhoh
14:24 < roothorick> ah, it worked
14:24 < Chosi> :)
14:25 < roothorick> still can't ping it though
14:25 < roothorick> actually the server can't ping it either
14:25 < roothorick> oh lovely
14:26 < kisom> roothorick: what O/S are you using on client and server?
14:26 < roothorick> server is Gentoo
14:26 < roothorick> client is XP Pro
14:27 < kisom> never used gentoo. checked iptables if it is blocking ICMP?
14:27 < roothorick> anyway, the VPN came up, but Windows didn't get the memo about the IP
14:27 < kisom> does the client get an ip address in the same subnet as tap/tun0?
14:27 < roothorick> the TUN/TAP driver was given.... 169.254.38.225 by Windows
14:27 < kisom> thats bad
14:27 < cpm> very
14:28 < jwm> gentoo doesn't modify or firewall anything by default
14:28 < kisom> are you using certificates or static keys?
14:28 < roothorick> cert/PKI
14:28 < roothorick> just like the howto
14:28 < jwm> yeah do you know your commonname
14:28 < jwm> for the client
14:28 < roothorick> momspinky
14:28 < roothorick> does it have to line up with anything in the OS?
14:28 < Chosi> nah
14:29 < kisom> does it work if you set a static IP address on the client side?
14:29 < jwm> so you used easy-rsa to make them
14:29 < kisom> im lagging a bit btw, in a car in northen sweden :)
14:29 < jwm> ./build-key momspinky
14:29 < roothorick> okay. I manually assigned it the right IP through the properties panel, but obviously that'll blow up if I have to move computers around later
14:29 < roothorick> it does ping that way though
14:30 < Chosi> i think you may want redirect-gateway too
14:30 < kisom> do you have windows installed onto C:\windows?
14:30 < kisom> or any other path/drive?
14:30 < roothorick> believe so
14:30 < kisom> can you check?
14:30 < roothorick> Chosi: the issue now is Windows is giving its own IP to the VPN interface instead of the IP pushed by the server
14:30 < Chosi> are you sure it's pushing it?`
14:30 < Chosi> (client log)
14:31 < Chosi> i think your ccd may not work yet
14:31 < Chosi> :)
14:31 < jwm> yeah
14:31 < jwm> did you use easy-rsa roothorick 
14:31 < roothorick> yeah
14:32 < roothorick> I don't see the IP in the routing table
14:32 < roothorick> err
14:32 < roothorick> in the log
14:32 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:32 < jwm> look in your crt file for a CN
14:32 < Chosi> does your client config say "client" in the very first line?
14:32 < jwm> line 10
14:32 < Chosi> well this should suffice anyways
14:32 < jwm> yeah make sure it says client at the beginning too
14:33 < roothorick> it spends a lot of time "Waiting for TUN/TAP interface to come up"
14:34 < roothorick> yeah, client config starts with "client"
14:35 < Chosi> so your client config says cert momspinky.crt
14:35 < Chosi> and so on?
14:35 < roothorick> yeah
14:35 < roothorick> the link is up
14:35 < jwm> line 10 has CN=momspinky
14:35 < jwm> check that
14:36 < roothorick> as I said, if I manually change the adapter's IP to what it should be, it works
14:36 < jwm> that doesn't matter
14:36 < jwm> we just need to confirm the CN is momspinky
14:36 < jwm> because your ccd isn't picking it up
14:36 < jwm> client-config-dir ccd
14:36 < jwm> /etc/openvpn/ccd
14:37 < jwm> you can also put the ip in ipp.txt
14:37 < jwm> gentoo
14:37 < jwm> that line is commented out
14:37 < roothorick> I uncommented it
14:37 < jwm> ifconfig-pool-perist
14:37 < jwm> ok what is in your ipp.txt
14:37 < jwm> momspinky,IP
14:37 < roothorick> wait, does momspinky.crt need to be in /etc/openvpn ?
14:38 < jwm> no that just needs to be on your client config side
14:39 < roothorick> ipp.txt is empty
14:39 < jwm> well you need to put momspinky,IPYOUWANT 
14:39 < jwm> in there
14:39 < Chosi> he doesn't need to.
14:39 < roothorick> it's not done by the ccd?
14:40 < jwm> it's nicer this way imo
14:40 < Chosi> yeah roothorick, it should be
14:40 < Chosi> !ipp
14:40 < vpnHelper> Chosi: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
14:40 < Chosi> #1
14:40 < Chosi> :p
14:40 < roothorick> yeah, it was my understanding that was basically like a DHCP cache
14:40 < jwm> openvpn has too many options
14:42 < roothorick> the IP is being pushed
14:42 < roothorick> there's something wrong with the TUN/TAP driver
14:42 < roothorick> I just spotted this in the log:
14:43 < jwm> what version of openvpn do you have
14:43 < jwm> I missed it
14:43 < jwm> and do you have gay norton or any other stupid filter stuff
14:43 < roothorick> "Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.254.3/192.168.254.1 on interface"....
14:43 < roothorick> hey wait a second
14:44 < roothorick> man, there's no error checking on this stuff huh?
14:44 < jwm> it's a pretty simple config
14:44 < jwm> :P
14:44 < Chosi> uhm what did you push?
14:45 < jwm> I loved back when I didn't understand the server-bridge directive
14:45 < jwm> I was passing 192.168.1.0 to the first parameter
14:45 < roothorick> now it works
14:45 < jwm> hehe
14:45 < roothorick> ...still can't ping it
14:45 < jwm> do you have a route to it
14:45 < Chosi> !redirect-gateway
14:46 < vpnHelper> Chosi: Error: "redirect-gateway" is not a valid command.
14:46 < Chosi> :\
14:46 < roothorick> oh, I know why
14:46 < Chosi> dunno if it's required
14:46 < roothorick> it's actually on the subnet
14:46 < Chosi> but i have push "redirect-gateway"
14:46 < Chosi> in my server config
14:46 < jwm> hehe
14:46 < roothorick> I had it plugged into the very wired network I was trying to ping its VPN interface from
14:46 < jwm> redirect-gateway is for routing through the vpn
14:46 < jwm> to the internet
14:46 < jwm> you don't want it unless you want to do that
14:46 < roothorick> yeah, don't want that
14:47 < Chosi> yeah i do that :p
14:47 < roothorick> this will be primarily for VNC and SMB
14:47 < roothorick> slash CIFS
14:47 < jwm> you want redirect-gateway def1 if you do that
14:47 < jwm> it's a lot nicer
14:47 < jwm> if your openvpn stops you don't have to reset your internet interface
14:48 < roothorick> yesh I can pingsh it
14:48 < jwm> I use vpn for smb/cifs and helping out someone in UAE to get past their stupid firewall
14:48 < roothorick> that's some miserable pings for travelling less than a mile though
14:48 < roothorick> 70s
14:48 < roothorick> oh well
14:49 < roothorick> now, if I enable the service, it'll start the VPN when Windows boots, right?
14:50 < jwm> potentially
14:50 < jwm> :)
14:50 < roothorick> "it's supposed to but..." eh?
14:53 < roothorick> the next test, naturally, is accessing VNC over the tunnel
15:00 < roothorick> that worked perfectly :) I'm in business
15:00 < jwm> what do you use vnc for
15:01 < jwm> check out remote desktop if you use it to connect to windows
15:01 < jwm> much better/faster
15:01 < jwm> rdesktop
15:01 < Chosi> he doesn't
15:01 < jwm> connecting to unix
15:01 < jwm> check out nxmachine 
15:01 < jwm> better than vnc
15:01 < Chosi> dunno why he has x on the server box
15:01 < Chosi> but well
15:01 < Chosi> :D
15:01 < jwm> well there are some apps that require X
15:01 < jwm> even server oriented
15:01 < Chosi> name one
15:02 < jwm> hardware accelerated crap
15:02 < Chosi> hardware accelerated...server...
15:02 < Chosi> uhm no.
15:02 < Chosi> :P
15:02 < jwm> times are changing
15:02 < jwm> hardware accelerationg for ssl is nice
15:02 -!- philverb [~david@c-67-180-198-84.hsd1.ca.comcast.net] has joined ##openvpn
15:02 < jwm> anything that requires math acceleration 
15:02 < jwm> cuda support stuff
15:03 < jwm> remote X support is nice
15:03 < jwm> Xnest 
15:03 < jwm> I like to use a server to run different X test apps for unix
15:03 < jwm> it's useful
15:04 < Chosi> usually you don't have useful graphics hardware inside a server.
15:04 < Chosi> not at all
15:05 < jwm> we're of course not talking about the usual circumstances
15:05 < jwm> :)
15:07 -!- philverb [~david@c-67-180-198-84.hsd1.ca.comcast.net] has quit [Ping timeout: 252 seconds]
15:10 -!- philverb [~david@c-67-180-198-84.hsd1.ca.comcast.net] has joined ##openvpn
15:10 -!- michal|3s [~michal@host851485250.static.tkplan.3s.pl] has joined ##openvpn
15:10 < michal|3s> hey!
15:10 < michal|3s> question: is there any openvpn client for windows mobile 6?
15:10 < michal|3s> does it actualy work?
15:12 < jwm> no idea
--- Log opened Tue Jul 13 19:52:09 2010
19:52 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
19:52 -!- Irssi: ##openvpn: Total of 100 nicks [2 ops, 0 halfops, 0 voices, 98 normal]
19:52 -!- Irssi: Join to ##openvpn was synced in 34 secs
--- Log closed Tue Jul 13 19:52:51 2010
--- Log opened Tue Jul 13 19:53:03 2010
19:53 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
19:53 -!- Irssi: ##openvpn: Total of 100 nicks [2 ops, 0 halfops, 0 voices, 98 normal]
19:53 !brown.freenode.net [freenode-info] channel flooding and no channel staff around to help? Please check with freenode support: http://freenode.net/faq.shtml#gettinghelp
19:53 -!- Irssi: Join to ##openvpn was synced in 34 secs
19:58 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
20:05 -!- Prez00 [~fmedina@190.212.23.129] has quit [Ping timeout: 240 seconds]
20:05 < nuser> I am not getting packets when my client connects to the server
20:05 < nuser> I get the default gw
20:05 < nuser> and dns info
20:05 < nuser> plus and Ip
20:05 < nuser> address
20:06 < nuser> Ip tables was congfigure with the active interface
20:13 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
20:14 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
20:18 -!- Prez00 [~fmedina@69.162.79.11] has joined ##openvpn
20:24 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
20:24 -!- Prez00 [~fmedina@69.162.79.11] has quit [Ping timeout: 260 seconds]
20:28 -!- Prez00 [~fmedina@69.162.79.11] has joined ##openvpn
20:41 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
20:44 -!- Prez00 [~fmedina@69.162.79.11] has quit [Ping timeout: 265 seconds]
20:46 -!- curiosityorg [~curiosity@curiosity.org] has joined ##openvpn
20:49 -!- mrresist0r [~mrresist0@69.31.131.51] has quit [Ping timeout: 265 seconds]
20:49 -!- curiosityorg [~curiosity@curiosity.org] has quit [Client Quit]
21:12 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
21:22 < Bushmills> thus, it doesn't connect. without getting any packets, authentication must fail.
21:27 -!- theDoc [~link@unaffiliated/thedoc] has quit [Ping timeout: 264 seconds]
21:29 < krzee> thats not true
21:29 < krzee> firewall could be screwed for tun device
21:29 < krzee> then it connects, but vpn doesnt work
21:29 < krzee> it would connect, get all settings (as he mentions), but not get any packets (over the vpn)
21:31 -!- theDoc [~link@173.236.41.38] has joined ##openvpn
21:32 -!- theDoc [~link@173.236.41.38] has quit [Changing host]
21:32 -!- theDoc [~link@unaffiliated/thedoc] has joined ##openvpn
21:37 < Bushmills> that may be the cause. but the effect is: not getting any packets -> no connection
21:37 < Bushmills> to connect, clients needs to get (some) packets
21:39 < Bushmills> and receiving default gw, ip address etc must be an illusion
21:41 < krzee> you really expect to get a good explanation of problems in here?
21:41 < krzee> you've been here too long to expect that ;)
21:41 < Bushmills> well, that's the point i am actually trying to make
21:42 < Bushmills> "with a problem description lacking that much detail, anything is possible"
21:42 < Bushmills> "even misunderstanding the problem"
21:46 < Bushmills> reply was meant to work like a mirror
21:55 < nuser> I need it connect in the logs files
21:55 < nuser> so I see my host grap a connection and the server returns a ip address
21:56 < nuser> The dchp server get pushed
21:57 < nuser> to the client 'PUSH_REPLY,dhcp-option DNS 66.75.164.90,dhcp-option DNS 66.75.164.89,route-gateway 192.168.1.1,ping 10,ping-restart 120,ifconfig 192.168.1.221 255.255.255.0' (status=1)
21:58 < nuser> The vpn waits for the connection to come up .. then it connects
21:59 < nuser> I don't think the connection is fake, because it leases a IP from the VPN
22:01 < theDoc> You can't fake one of those, unless your certs are compromised and if that's the case, you have bigger issues on the horizon.
22:01 < nuser> ueaj
22:02 < nuser> yeah
22:02 < nuser> so I don't know why I can't reslove
22:02 < nuser> my firewall is alreays set to nat
22:02 < nuser> ooops
22:02 < nuser> my firewall is already set to nat
22:04 < nuser> NO shit.. if my certs are compromised ... We are PUCKED
22:05 -!- Prez00 [~fmedina@69.162.79.11] has joined ##openvpn
22:12 -!- Prez00 [~fmedina@69.162.79.11] has quit [Ping timeout: 240 seconds]
22:23 -!- killown [~geek@unaffiliated/killown] has quit [Quit: Saindo]
22:24 < troy-> krzee: around?
22:26 -!- killown [~geek@unaffiliated/killown] has joined ##openvpn
22:27 < troy-> i have a point to point tunnel setup but the push route command isnt working
22:27 < troy-> any thoughts
22:28 < troy-> connects just fine but the routes arent added to table
22:47 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:14 -!- philverb [~david@c-67-180-198-84.hsd1.ca.comcast.net] has quit [Read error: Operation timed out]
23:21 -!- Prez00 [~fmedina@69.162.79.11] has joined ##openvpn
--- Day changed Wed Jul 14 2010
00:13 -!- Prez00 [~fmedina@69.162.79.11] has quit [Ping timeout: 252 seconds]
00:22 < kraut> moin
00:36 -!- Prez00 [~fmedina@69.162.79.11] has joined ##openvpn
00:46 -!- takamichi [~pri@78.133.38.201] has quit []
00:57 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
00:57 -!- mode/##openvpn [+o mattock] by ChanServ
01:18 -!- Prez00 [~fmedina@69.162.79.11] has quit [Ping timeout: 258 seconds]
01:29 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 260 seconds]
01:34 -!- takamichi [~pri@78.133.38.201] has joined ##openvpn
01:36 -!- tristannfdn [idk@persephone.phys.columbus.edu] has left ##openvpn []
01:42 -!- Prez00 [~fmedina@69.162.79.11] has joined ##openvpn
01:42 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
01:47 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:59 -!- sezuan [bouncer@irc.scheff32.de] has joined ##openvpn
02:16 -!- Prez00 [~fmedina@69.162.79.11] has quit [Ping timeout: 252 seconds]
02:22 -!- SOG [~SOG@61.144.230.241] has quit [Read error: Connection reset by peer]
02:22 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
02:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:56 -!- dazo_afk is now known as dazo
03:03 -!- SOG [~SOG@61.144.230.241] has left ##openvpn []
03:10 -!- backupsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:29 -!- plutarco [c1cd3f34@gateway/web/freenode/ip.193.205.63.52] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:40 < plutarco> hi
03:40 < plutarco> newbie here, sorry for the basic question
03:40 < plutarco> i'm in a private lan (don't have access to gateway) and i'd like to permit access to my linux laptop (via ssh) from a private network over the internet (they have an openvpn server configured). Is this possible? (i only have root access to my own laptop)
03:41 < Chosi> so you want others from the internet to be able to VPN to your laptop and so gain access to your private lan?
03:42 < dazo> plutarco: if you can have access to a server on the outside of  that LAN, where you can install an OpenVPN server ... then yes, this is doable
03:42 < plutarco> dazo: yes, they have openvpn up and root acces to their servers
03:43 < plutarco> i'd like to allow them to ssh to my laptop, but i'm behind a private lan
03:43 < dazo> plutarco: then it's just a matter of configuration ... when having access to configure and start an OpenVPN server - the world^Wnetwork is open for you
03:44 < plutarco> thanks. what should i do? configure an openvpn client?
03:44 < dazo> no matter direction ... you just need to be able to access the OpenVPN server ... and that server will need to be allowed to access the internal LAN 
03:44 < dazo> plutarco: yeah, configure the client is good starter ... but you also need to know a little bit about the server side as well
03:44 < dazo> !howto
03:44 < vpnHelper> dazo: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:47 -!- backupsppadic is now known as vicksppadic
03:47 < plutarco> sorry for the stupid questions. I'll read the docs as soon as i rouglhy understand what should i do. What about them? How can i allow them to access my network?
03:47 < dazo> plutarco: then you'll need to dig into routing
03:47 < dazo> !route
03:47 < vpnHelper> dazo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
03:47 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
03:49 < dazo> plutarco: that routing doc is comprehensive, it states a few scenarios in the same document ... so you need to extract the parts which fits your need ... but basically, allowing access from the server side to the client side usually involves --iroute - which the !route document covers
03:50 -!- oboyo [3ee827eb@gateway/web/freenode/ip.62.232.39.235] has joined ##openvpn
03:52 < oboyo> Good morning, I got an email saying that OpenVPN now does host checking, but I can't seem to find any info about it, anyone shed any light? Thanks in advance!
03:53 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
03:54 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
03:54 < oboyo> I assume it's built into the new client?
03:55 -!- plutarco [c1cd3f34@gateway/web/freenode/ip.193.205.63.52] has left ##openvpn []
03:55 < oboyo> !welcome
03:55 < vpnHelper> oboyo: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:57 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
03:59 < oboyo> does anyone use the host checker?
04:01 < oboyo> is anyone actually active here?
04:02 < Chosi> uuh
04:02 < Chosi> new client
04:02 < Chosi> didn't notice :)
04:03 < oboyo> yeah, it looks really nice actually :)
04:03 < Chosi> where's my edit config button?
04:03 < Chosi> ffs
04:03 < Chosi> :D
04:06 < oboyo> yeah it has changed quite a bit
04:07 < batrick> I wonder why no one recommends the 172.16.0.0/12 for openvpn
04:08 < batrick> It's always somewhere in 10.0.0.0/8 or 192.168.0.0/16 :)
04:09 < oboyo> batrick: I thought the 192xxxx wasn't recommened for fear of it conflicting or something
04:10 < batrick> well 10.0.0.0/8 conflicts with almost any institional network
04:10 < batrick> e.g. universities
04:10 < batrick> my point is that I've never seen 172.16.0.0/12 used in any network I've seen. So it was perfect for my small openvpn network :)
04:11 < oboyo> true
04:12 < Chosi> ugh
04:13 < Chosi> where do i put certs now?
04:13 < Chosi> i hate changes
04:13 < Chosi> :D
04:21 < Chosi> http://choseh.de/~chosi/screens/OpenVPN_Client-2010-07-14_11.20.56.png
04:21 < Chosi> things are somewhat broken :D
04:21 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
04:26 < oboyo> Chosi: ouch!
04:26 < oboyo> Chosi: needs some work I guess!
04:27 < oboyo> so then, sorry to go on but I take it no one knows about these new host checker functions?
04:38 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:45 < oboyo> I don't want to resort to grepping the source code :p
04:45 < oboyo> ah well
04:46 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
04:49 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
04:58 -!- theDoc [~link@unaffiliated/thedoc] has quit [Quit: Leaving]
05:08 < Chosi> so
05:08 < Chosi> the new client is asking for credentials but i'm using certs
05:08 < Chosi> where do i place them, what do i enter? do i have to enter anything at all?
05:09 < ksk> u can import ur old config?
05:09 < ksk> cmon..
05:09 < ksk> *you *your
05:09 < Chosi> http://choseh.de/~chosi/screens/OpenVPN_Client-2010-07-14_11.20.56.png that's what happens when i try that :P
05:09 < Chosi> ah and it doesn't work
05:09 < Chosi> so where do i have to place my certs?
05:10 < ksk> wherever you want.. just set the right path in client.ovpn
05:10 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
05:10 < ksk> i imported my config - worked
05:10 < ksk> but display is buggy anyway (this "§%"§% stuff)
05:14 < Chosi> so basically i place the certs next to the imported config
05:14 < Chosi> ?
05:14 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
05:15 < ksk> if you dont specify a path - yes
05:16 < ksk> then you have to instert "ca   ca.crt" in your config - for example
05:16 < Chosi> yeah it
05:16 < Chosi> it's already in
05:18 < Chosi> !paths
05:18 < vpnHelper> Chosi: Error: "paths" is not a valid command.
05:18 < Chosi> !configs
05:18 < vpnHelper> Chosi: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
05:18 < Chosi> gnurl
05:21 < Chosi> Cannot load certificate file. okay. it's supposed to be elsewhere then
05:21 < Chosi> that client is a total mess
05:22 < Chosi> status is showing whatever it likes
05:22 < Chosi> mouseover balloon tips won't go away
05:22 < Chosi> has anybody even tested this?
05:33 -!- oboyo [3ee827eb@gateway/web/freenode/ip.62.232.39.235] has quit [Quit: Page closed]
05:37 < dazo> Chosi: which kind of client are you testing?=
05:38 < Chosi> http://choseh.de/~chosi/screens/OpenVPN_Client-2010-07-14_11.20.56.png
05:38 < Chosi> that mess
05:39 < Chosi> i don't care much bout the variables not being displayed correctly but there's so many more that's just wrong
05:39 < Chosi> tsk
05:40 < ksk> i guess the client from openvpn.net
05:41 < Chosi> yup
05:49 < dazo> Chosi: where did you get that client? ... it doesn't look like anything I've seen before
05:50 < Chosi> it's right on the frontpage
05:50 < Chosi> http://swupdate.openvpn.net/downloads/openvpn-client.msi
05:50 < dazo> ahh ... it's the Access Server client ...
05:51 < dazo> !accessserver
05:51 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 276 seconds]
05:51 < vpnHelper> dazo: Error: "accessserver" is not a valid command.
05:51 < dazo> gah
05:51 < dazo> !access-server
05:51 < vpnHelper> dazo: "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations options
05:51 < vpnHelper> dazo: supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
05:51 < dazo> Chosi: ^^ 
05:52 -!- renihs [~lemming@83-65-34-34.arsenal.xdsl-line.inode.at] has quit [Quit: narf]
05:52 < dazo> you can rather try the more known OpenVPN OpenSource version ... http://www.openvpn.net/index.php/open-source/downloads.html
05:52 < vpnHelper> Title: Downloads (at www.openvpn.net)
05:55 -!- SOG [~SOG@61.144.230.241] has quit [Remote host closed the connection]
05:56 -!- laieman [~elsn@global-se-vxj-91-198-48-25.static.host.s9.se] has joined ##openvpn
05:57 < laieman> Hi. Does anyone know a tutorial how to setup a server which allows multiple clients to connect using one client certficate, but authoricate with username and password?
06:06 < Chosi> dammit. why is it called openvpn then?
06:06 < Chosi> :D
06:06 < Chosi> okay completely my fault then
06:06 < Bushmills> !howto
06:06 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:06 < Chosi> anyways - this client is rubbish
06:06 < Chosi> ;D
06:18 < cpm> laieman, multiple clients on one certificate is kinda what ssl is supposed to prohibit. I know folks have come up with hacks to allow this, but it's a bad practice. The certificate identifies a host. 
06:19 < laieman> The thing is that the clients is over 1.000 access points, so that would be hard to manage. 
06:20 < laieman> The idea is to make a VPN network of these 1000+ APs, using the same certificate to simply, but use username and password for the authutication.
06:21  * cpm boggles, 
06:21 < cpm> 1 access point is hard to manage? Or did you mean 1,000
06:21 < laieman> 1,000
06:22 < laieman> And issue certificates for these and distribute.
06:22 < cpm> and thousand plus aps is going to be hard to manage regardless, further, I'm skeptical of a given vpn server to handle a thousand vpn connections well. 
06:22 < cpm> I think you need to revisit your design criteria. 
06:23 -!- theDoc [~link@unaffiliated/thedoc] has joined ##openvpn
06:23 < laieman> cpm: We're going to load balance these ofcorce .
06:28  * cpm chuckles
06:29 -!- eoke [~eoke@109.170.137.203] has joined ##openvpn
06:30 < cpm> anyway, the short answer is no. 
06:30 < eoke> !welcome
06:30 < vpnHelper> eoke: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:31 < cpm> anyway, the short answer is no. Put your time into developing key management rather than trying to force ssl to do something it's designed precisely NOT to do. 
06:31 < cpm> for that matter, you might want to brush up on your ssl skills. 
06:36 -!- philverb [~david@c-67-180-198-84.hsd1.ca.comcast.net] has joined ##openvpn
06:41 -!- JackCorleone [~Jack@201-68-37-126.dsl.telesp.net.br] has joined ##openvpn
06:44 < laieman> !route
06:44 < vpnHelper> laieman: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
06:46 -!- JackCorleone [~Jack@201-68-37-126.dsl.telesp.net.br] has quit [Ping timeout: 265 seconds]
06:58 < ecrist> morning
07:34 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
07:36 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
07:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
07:40 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 264 seconds]
07:44 < troy-> my vpn initializes but i cant ping the opposite endpoint
07:45 < troy-> so far i've enabled ipforwarding on the server and masquerade
07:49 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
07:49 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
07:55 < dazo> laieman: have a look at http://www.eurephia.net/ ... that supports one certificate and different user accounts + dynamic firewall updates if you're using iptables on the server
07:55 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
08:29 -!- vicksppadic is now known as macsppadic
08:32 -!- MacMelon [~MacYET2@dslb-084-056-130-063.pools.arcor-ip.net] has joined ##openvpn
08:33 < MacMelon> what is the official by to replace auth-user-pass with something automatic
08:33 < MacMelon> ?
08:34 < hyper_ch> MacMelon: you mean like keyfile?
08:34 < MacMelon> jup
08:34 < hyper_ch> then use them :)
08:34  * MacMelon checks once again :)
08:35 < hyper_ch> MacMelon: http://openvpn.net/index.php/open-source/documentation/howto.html#pki
08:35 < vpnHelper> Title: HOWTO (at openvpn.net)
08:39 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Ping timeout: 265 seconds]
08:53 -!- MacMelon [~MacYET2@dslb-084-056-130-063.pools.arcor-ip.net] has left ##openvpn []
08:53 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
08:57 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Ping timeout: 252 seconds]
09:20 < ecrist> I wish VPNHelper worked more consistently with RSS feeds.
09:20 < ecrist> :\
09:27 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
09:30 < Bushmills> troy-: for pinging the remote point, neither ip forwarding nor masquerading is needed
09:30 -!- notbrien [~notbrien@69.60.16.242] has joined ##openvpn
09:31 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
09:37 < vpnHelper> New forum entry openvpnforum: Off Topic, Related :: My Introduction :: Author ParkCavanaugh <http://www.ovpnforum.com/viewtopic.php?f=1&t=6145&p=6680#p6680>
10:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
10:12 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
10:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:12 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
10:25 -!- theDoc [~link@unaffiliated/thedoc] has quit [Quit: Leaving]
10:41 -!- philverb [~david@c-67-180-198-84.hsd1.ca.comcast.net] has quit [Ping timeout: 265 seconds]
10:43 -!- fahmad [~linux@unaffiliated/fahmad] has joined ##openvpn
--- Log opened Wed Jul 14 11:10:42 2010
11:10 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
11:10 -!- Irssi: ##openvpn: Total of 106 nicks [3 ops, 0 halfops, 0 voices, 103 normal]
11:11 < kantlivelong> dazo: i tried that also
11:11 -!- Irssi: Join to ##openvpn was synced in 38 secs
11:11 < dazo> kantlivelong: but we really need better configs and possibly also logs ... or else our help here is really in the blind
11:12 < kantlivelong> meh
11:12 < dazo> kantlivelong: but I have a feeling it is the routing which is wrong ... normally you wouldn't need that route statement if you have a global route statement
11:12 < jwm> meh = lame
11:12 < jwm> passive aggressive bs
11:12 -!- killown [~geek@unaffiliated/killown] has quit [Quit: Saindo]
11:13 < kantlivelong> srry m8 but ive got no way in this damn router at the moment other then web ui
11:13 < dazo> kantlivelong: what kind of router is it?
11:14 -!- geek [~geek@unaffiliated/geek] has joined ##openvpn
11:14 < kantlivelong> pfsense
11:14 -!- geek [~geek@unaffiliated/geek] has quit [Changing host]
11:14 -!- geek [~geek@unaffiliated/killown] has joined ##openvpn
11:14 -!- geek is now known as killown
11:15 < kantlivelong> if i was on the local network i could get in
11:15 < kantlivelong> i dont have full access to it on webui
11:15 < dazo> kantlivelong: http://doc.pfsense.org/index.php/HOWTO_enable_SSH_access  ?
11:15 < vpnHelper> Title: HOWTO enable SSH access - PFSenseDocs (at doc.pfsense.org)
11:15 < kantlivelong> ^
11:22 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Quit: Leaving]
11:28 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
11:30 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:32 -!- killown [~geek@unaffiliated/killown] has quit [Quit: Saindo]
11:35 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
11:42 -!- geek [~geek@unaffiliated/geek] has joined ##openvpn
11:44 -!- IRConan [~conan@unaffiliated/rconan] has joined ##openvpn
11:45 < IRConan> hi there... is it possible to make openvpn client get an IP from a dhcp server on the host side?
11:46 < IRConan> basically I want to have all clients get their IPs from my central dnsmasq instance
11:47 < krzee> you would need a bridge
11:47 < krzee> and use server-bridge with no options
11:47 < krzee> see --server-bridge in the manual
11:47 < krzee> !man
11:47 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
11:48 < IRConan> ok... that's what I've got currently
11:48 < IRConan> I guess the openvpn client doesn't include a dhcp client?
11:48 < ecrist> it *is* a dhcp client of sorts
11:48 < krzee> sure, but you said you want them handed out by YOUR dhcp client
11:48 < ecrist> though, it handles ip assignment differently
11:48 < IRConan> from my dhcp *server*
11:48 < krzee> err dhcp server*
11:48 < IRConan> if openvpn could handle the client side that would be a bonus
11:49 < krzee> --server-bridge can hand out IPs
11:49 < ecrist> IRConan: have you even read the docs?
11:49 < IRConan> ecrist: some of them
11:49 < krzee> !bridge
11:49 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for anything where the protocol uses MAC addresses instead of IP addresses.
11:49 < krzee> !man
11:49 < vpnHelper> krzee: (but not samba, see !wins)
11:49 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
11:50 < krzee> meh, i need to fix !bridge, i hate when links are the last part of a factoid, screws up some IRC clients ability to click them
11:50 < IRConan> because of the ,s
11:50 < IRConan> ?
11:50 < krzee> makes the , separator part of the link
11:50 < krzee> yup
11:50 < krzee> if yours does that, remove the ,
11:51 < krzee> !forget bridge *
11:51 < vpnHelper> krzee: Error: You don't have the factoids.forget capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
11:51 < krzee> !forget bridge *
11:51 < vpnHelper> krzee: Joo got it.
11:51 < krzee> !learn bridge http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc
11:51 < vpnHelper> krzee: (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
11:51 < krzee> !learn bridge as http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc
11:51 < vpnHelper> krzee: Joo got it.
11:52 < IRConan> krzee: neither of those links cover the client side dhcp stuff... can the openvpn client do it itself or do I need to run a separate client?
11:53 < ecrist> IRConan: openvpn server can assign addresses to openvpn as a client
11:53 < krzee> !learn bridge as http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ 
11:53 < vpnHelper> krzee: Joo got it.
11:53 < krzee> [12:47]  <krzee> see --server-bridge in the manual
11:53 < krzee> go read  it
11:54 < krzee> !learn bridge as also see !tunortap and !layer2 and read --server-bridge in the manual (!man)
11:54 < vpnHelper> krzee: Joo got it.
11:55 < IRConan> oh... so the openvpn server proxies to the DHCP server... my DHCP server was bound only on tap0 so I guess that's why it wasn't working
11:55 < dazo> IRConan: it's doable ... but dhcp on the client side only works out-of-the-box on Windows .... on *nix, you'll need to kick off a local dhcp client via --up script or similar ... but server-bridge is the way to go in such a setup
11:56 -!- nate [~nate@unaffiliated/nate] has joined ##openvpn
11:56 < dazo> IRConan: openvpn does not parse dhcp server responses itself ... even though it has been discussed how to solve this situation for *nix as well
11:56 < nate> would I be able to get assistance with openvpn running on a dd-wrt device in here?
11:57 < IRConan> dazo: so my best bet is to just run a dhcp client locally when it's done?
11:57 < IRConan> dhcpcd or similar
11:57 < dazo> IRConan: yeah ... exactly ... make a little script which kicks of dhcpcd or dhclient .... --up is often used, afair
11:59 < dazo> nate: basically yes, but if it is very dd-wrt oriented it might be more challenging
12:00 < dazo> nate: but we can sure help you here to get the basic configs working ... and then you can work further on putting configs into NVRAM an such stuff afterwards
12:00 < ecrist> nate: to a degree.  they lock things down in funny ways, so don't be surprised when, at some point, we point you to them.
12:01 < nate> server logs: http://pastebin.com/egQyb0hV --- server conf: http://pastebin.com/b5CMZWqL --- client conf (dd-wrt): http://pastebin.com/ZLjMy6DR
12:01 < nate> server is OpenVPN 2.1_rc7 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on May  8 2009
12:01 < nate> client is: OpenVPN 2.1.1 mips-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Apr 23 2010
12:02 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
12:02 < nate> verb on server logs are at 6 right now.
12:02 < dazo> nate: please consider to upgrade away from rc7 ... iirc, rc7 and rc11 are really nasty in regards to compatibility
12:02 < nate> server side? okay. I have a linux-->server tunnel that is working
12:03 < nate> it's just the dd-wrt that won't connect (it did on old hardware, but I bought a new device today and this one won't link)
12:03 < dazo> nate: I just know I had some issues with people running rc7 and rc11 against rc15 .... and when they upgraded all to rc15 ... all problems disappeared
12:03 < ecrist> we cannot support less than 2.1-rc21 or so
12:03 < nate> I was using the default ubuntu package server side for my openvpn server
12:04 < nate> I will start with a server side upgrade and let you guys know
12:04 < dazo> nate: yeah, those other poor guys were using the ubuntu packages ...
12:06 < IRConan> why are people using -rc versions?
12:06 < ecrist> debian, for example, never upgraded beyond rc21 because rc22 and rc23 we windows-specific
12:07 < nate> this is an older LTS version of ubuntu, I'm sure newer releases have newner versions of openvpn
12:07 < IRConan> urgh... debian has rc11 which you just recommended against :S
12:08 < IRConan> I'll bear that in mind if I run into issues
12:08 < kantlivelong> ping dazo 
12:08 < dazo> ecrist: Maemo5 is using the Debian packaging work ... and I got 2.1.1 there, but I think it's the testing repo
12:08 < dazo> kantlivelong: pong
12:08 < kantlivelong> dazo: http://pastebin.ca/1900542
12:09 < IRConan> maemo is based on sid isn't it?
12:09 < dazo> IRConan: I dunno, tbh ... I know it's Debian based :-P
12:09 < kantlivelong> dazo: then in the CCD for the client i have ifconfig-push 10.1.100.9 10.1.100.10
12:10 < dazo> kantlivelong: and please also the configs inside /var/etc/openvpn_csc
12:10 < dazo> kantlivelong: that's the only thing in that file?
12:10 < kantlivelong> dazo: http://pastebin.ca/1900544
12:10 < kantlivelong> yes
12:11 < kantlivelong> its driving me mad
12:11 < kantlivelong> lol
12:11 < dazo> kantlivelong: I still believe ifconfig-push is <ip> <netmask>, though
12:11 < dazo> so shouldn't the last arg be 255.255.255.252?
12:12 < dazo> might be I confuse it, as it's a while since I played with p-t-p tun
12:13 < kantlivelong> let me see
12:13 < kantlivelong> dazo: nah it didnt like that.. 
12:14 < nate> is there no init.d script with the official release?
12:14 < dazo> nate: that's usually distro specific ... double check in contrib/ ... but normally not
12:14 < kantlivelong> dazo: its weird.. the client claims it gets 10.1.100.9 but the acctual TAP says 10.1.100.6
12:15 < dazo> kantlivelong: client configs and client logs please
12:16 < nate> k I'm on OpenVPN 2.1.1 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] built on Jul 14 2010
12:16 < dazo> kantlivelong: you can consider to use 'topology subnet' ... to avoid all these /30 subnets
12:16 -!- repent [repent@bsdcell.com] has quit [Read error: Operation timed out]
12:16 < nate> and I get the same errors it appears
12:17 < kantlivelong> dazo: http://pastebin.ca/1900546
12:17 < nate> here is an update of the server log: http://pastebin.com/C0KLrHTy
12:18 < kantlivelong> dazo: http://pastebin.ca/1900547
12:19 < kantlivelong> :/
12:19 < nate> what is really odd is on verb 5: http://pastebin.com/MaxC3g6A
12:20 < nate> its sending a really strange packet or something
12:20 < nate> "WRRWWWWRWRWRWWRWRWRWRWRWRWRWRWRWRWRWRWRWWed"
12:20 < dazo> kantlivelong: you *NEED* to change ifconfig-push ... you do not send a netmask
12:20 < kantlivelong> dazo: hmm?
12:20 < kantlivelong> dazo: sending a netmask makes the client say config failed
12:20 < dazo> kantlivelong: PUSH: Received control message: 'PUSH_REPLY,route 10.1.1.0 255.255.255.0,dhcp-option DISABLE-NBT,route 10.1.100.1,ping 10,ping-restart 60,ifconfig 10.1.100.9 10.1.100.10'
12:21 < dazo> extract: ifconfig 10.1.100.9 10.1.100.10
12:21 < dazo> it should say 10.1.100.9 255.255.255.252
12:21 < dazo> unless I really do remember things wrong
12:22 < krzee> dazo, what he did is good for net30 (at least worked in my testing of topology net30 in obsd)
12:22 < kantlivelong> dazo: http://pastebin.ca/1900550
12:22 < kantlivelong> :/
12:23 < dazo> krzee: kantlivelong:  Ahh, thanks for correction!  It's me mixing it with subnet topology and subnet net30
12:23 -!- eoke [~eoke@109.170.137.203] has quit [Quit: leaving]
12:23  * dazo was wrong
12:23 < kantlivelong> so before was ok?
12:23 < kantlivelong> then what else could the problem be :/
12:24 < kantlivelong> gawd i hate windows :P why must i be forced to deal with these peices of dung
12:24 < dazo> seems so ... but I'm just wondering ... http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
12:24 < vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
12:24 < dazo> kantlivelong: not directly related ... but it has the ptp setup
12:25 < kantlivelong> hmmm
12:25 < dazo> kantlivelong: you might need to have the last argument then as 10.1.100.1
12:25 < dazo> hmm
12:25 < kantlivelong> im so confused hah
12:26 < krzee> dazo, i think i know why we havnt gotten chapter 4 yet... jjk is still writing the book (so the publisher is prolly not past chapter 4 yet)
12:26 < kantlivelong> am i doing something wrong?
12:26 < dazo> krzee: I got feedback from Leena the other day, and jjk got a deadline around the 27th for the 6th chapter ... so it's probably on the way
12:27 < krzee> ya he mentioned to me that he was on chapter 6 right now
12:27 < dazo> kantlivelong: you want to redirect the traffic to the vpn server ... which, with --server 10.1.100.0 255.255.255.0 ... the server ip is 10.1.100.1
12:27 < kantlivelong> so where do i add this?
12:27 < krzee> i had emailed him to suggest something i forgot about in my feedback, that the TUN chapter could mention handing out public IPs
12:28 < dazo> kantlivelong: in the ccd file ... ifconfig-push 10.1.100.9 10.1.100.1
12:28 < dazo> kantlivelong: I noticed another issue in server config ... push "route 10.1.1.0 255.255.255.0"  ... this should probably be   push "route 10.1.100.0 255.255.255.0"
12:30 < nate> okay this is insane
12:30 < nate> the problem seemed to be a cert issue
12:30 < nate> I can access the server's single IP, but not the subnet
12:30 < nate> yet, the server shows no intereface open for my home network
12:30 -!- geek [~geek@unaffiliated/geek] has quit [Changing host]
12:30 -!- geek [~geek@unaffiliated/killown] has joined ##openvpn
12:30 -!- geek is now known as killown
12:30 < nate> I can connect up to the server, but not from the server to my home.
12:31 < kantlivelong> meh
12:31 < kantlivelong> i think im SOL
12:31 < dazo> nate: then you're over to routing and/or firewalling
12:31 < nate> but how is there no device server side?
12:31 < dazo> kantlivelong: ??
12:31 < nate> there's not tun device
12:31 < dazo> nate: ouch ... that's odd
12:32 < nate> and I'm seeing tons of these "RwrWRwrWWWRRwrWRwrWRwrWR" messages in my server side log
12:32 -!- kyrix [~ashley@194.48.133.8] has quit [Ping timeout: 258 seconds]
12:32 < dazo> nate: yeah ... can you share configs on both sides and server log?
12:33 < kantlivelong> dazo: no luck
12:33 < dazo> nate: R and W means read/write from one side ... and r and w means the same on the other side ... I've forgotten which was local and which was remote
12:34 < dazo> nate: but seeing both sides communicating ... that's usually a good sign
12:34 < dazo> nate: it now might be related to the missing tun interface on your server side
12:34 < nate> is this a new thing from my ugprade?
12:34 < dazo> nate: it's comes when you have verb 5, iirc
12:37 < kantlivelong> any other ideas dazo ?
12:37 < nate> maybe it is a routing issue now
12:37 < nate> which makes no sense as this was working before buying new hardware
12:38 < nate> how that could cause the firewall/routes to change is beyond me
12:38 < nate> but home-->server are connected
12:38 < nate> but server can't talk to home, and can't hit any other systems on the subnet
12:38 < dazo> nate so you can ping from home to the server, but not beyond?
12:38 < nate> nor could my other client (work) hit anything at home
12:38 < dazo> nate: check if you have enabled ip_forward
12:38 < nate> so it sounds like the server isn't routing properly and/or firewalling as well
12:38 < nate> where? at the server?
12:38 < dazo> nate: yeah
12:38 < nate> or my home router?
12:39 < dazo> nate: your home router probably works fine ... as you're on the Internet
12:39 < nate> yes I do have that set to 1 on my server(colo)
12:39 < nate> the ultimate goal here is for my work machine to be able to tunnel through the colo and hit my entire home network
12:39 < nate> as of right now, the work machine can hit the colo
12:39 < nate> the home can hit the colo
12:40 < nate> the colo cannot talk to home (can't ping, hit ports, etc)
12:40 < nate> and the work machine can't talk to home either
12:40 < nate> nothing changed in the firewall since this was last working, so I don't know why it's broken now just from a new router at home and a new version of openvpn
12:40 < dazo> nate: sounds like routing then ... have a look at !route ... just to be sure
12:40 < dazo> !route
12:40 < vpnHelper> dazo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:41 < nate> what really makes no sense is how there is no tun device for the home link
12:41 < nate> I see the one for my work machine, but nothing for home
12:41 < nate> so there is an invisible tunnel apparently
12:42 < dazo> nate: is it a physical box, Xen/KVM virt box?  Or openVZ stuff?
12:42 < nate> shouldn't there be one for both?
12:42 < nate> it's a Xen VPS
12:43 < nate> my colo is
12:43 < nate> server_config: http://pastebin.com/b5CMZWqL
12:43 < nate> client_config: http://pastebin.com/ZLjMy6DR
12:43 < nate> server should be 192.168.30.1
12:43 < nate> (config not shown, link working) is my work machine, which is 192.168.30.5
12:44 < nate> my home should be 192.168.12.0/24
12:44 < nate> home router is 12.1
12:44 < nate> server_config contains the ccd/ entry for home
12:44 < dazo> nate: you could try out --client-to-client
12:44 < dazo> on the server
12:45 < nate> the only interface up right now is this
12:45 < nate> tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:192.168.30.1  P-t-P:192.168.30.2  Mask:255.255.255.255
12:45 < nate> yet both home and work can hit the server
12:45 < dazo> nate: that's good! that's all you need
12:45 < nate> so it's all via single tunnel? it's not one per device? I think I'm used to old ways or I'm confusing this with something else
12:45 < dazo> that really looks good ... it's one tun/tap device per openvpn process
12:46 < nate> so even though I have 2 clients (home/work) it's still one interface on the server?
12:46 < dazo> yes
12:46 < dazo> no magic here :)
12:46 < nate> k
12:46 < nate> so does the ccd config look right and all?
12:47 < nate> I can't ping the colo from home, but I can hit port 80.
12:47 < dazo> the thing is that now ... openvpn client packets hits the openvpn server which puts the traffic out on the tun device ... then the kernel will route those packets, it will go back to openvpn server and push it to the corresponding client
12:47 < nate> so the tunnel is live and fetches data, even if icmp is broken (likely my firewall)
12:47 < dazo> by using --client-to-client ... openvpn will route traffic from one openvpn client to another one internally, and not send it to the kernel stack
12:48 < dazo> nate: that you can't ping, but gets response on port 80 ... that sounds like firewall issue .... try to use tcpdump or similar tools on the tunnel interface on the server, and you might see what happens
12:49 < nate> I just don't get why the routing/firewall used to work and suddenly is broken. but alas, I'll take what I got and work on it.
12:50 < nate> to confirm, the routing within openvpn looks okay? my ccd/ config for my homenet and everything?
12:50 < dazo> kantlivelong: no, I'm sorry I don't really catch what's happening in your setup ... you say things don't work ... but we don't know what doesn't work, as we don't see your logs (on server and client)
12:50 < nate> it's likely just the firewall @ the server?
12:51 < dazo> nate: I'm just wondering if something is not good with you mixing in this one ifconfig-push 192.168.12.1 192.168.12.2
12:51 < dazo> that's a different subnet than the tunnel interface ... the vpn clients needs to be on that subnet
12:52 < kantlivelong> dazo: hmm another interesting problem.. with dhcp its working for the client.. but the internal nertwoek cant see them :/
12:53 < nate> okay I removed that ifconfig-push line. no change subnet wise. still can't hit anything outbound. I'll jsut have to dig into this at a packet level and find out what isn't making it where
12:53 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
12:54 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
12:54 < nate> well it's not the firewall
12:54 < nate> I flushed it and tried to hit my home net from the colo, still nothing.
12:55 < dazo> nate: tcpdump is probably the next natural step to take now
12:55 < nate> 192.168.30.0    192.168.30.2    255.255.255.0   UG    0      0        0 tun0
12:55 < nate> 192.168.12.0    192.168.30.2    255.255.255.0   UG    0      0        0 tun0
12:55 < nate> everything _looks_ okay, no
12:55 < dazo> nate: where is this?  on the server?
12:55 < nate> yeah
12:56 < krzee> make sure your dhc server doesnt give gateway to the vpn dhcp clients :)
12:56 < krzee> dhcp*
12:56 < dazo> hmm ... I think that this is a bit tricky  ... as 192.168.30.2  could be either clients
12:56 < krzee> this can be done because TAP adapter starts with a predictable MAC address
12:56 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Excess Flood]
12:57 < nate> dazo: http://pastebin.com/uahUT1Yp
12:57 < krzee> FF:00 or something like that
12:57 < dazo> this is tun adapters, though
12:57 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
12:57 < krzee> i meant kantlivelong 
12:57 < dazo> ahh :(
12:57 < dazo> :)
12:57 < krzee> it was a gotchya i forgot to mention
12:57 < kantlivelong> hmm
12:58 < dazo> nate: which IP does your clients have?  home and work?
12:58 < dazo> VPN ip
12:58 < nate> home: 192.168.12.1 (supposed to route the entire /24 up to the colo)
12:58 < kantlivelong> ugh
12:58 < nate> colo: 192.168.30.1
12:59 < nate> work: 192.168.30.5 (single IP, not subnet behind it))
12:59 < kantlivelong> this stinks.. 
13:00 < kantlivelong> is there anyway to write the assigned IP to a hosts file or something?
13:00 < dazo> nate: yeah, the home router needs to have an 192.168.30/24 IP address as well on its tun adapter
13:00 < kantlivelong> i need a server on the internal network to talk to the vpn client
13:00 < dazo> kantlivelong: look up --status in the man page
13:00 < nate> dazo: here is the ccd/ for the work machine -- http://pastebin.com/4sHiFqKp
13:01 < nate> dazo: why? since when? this all worked on 2.1-rc7 yesterday
13:01 < kantlivelong> igj
13:01 < Bushmills> kantlivelong: assign a static address, edit hosts once
13:01 < dazo> nate: I dunno ... it shouldn't have been working :-P ... basically because the routing becomes a little mess
13:02 < nate> so how does this work. I give my home router a 30.x address just for the vpn? but still route all the 12.0/24 behind it?
13:02 < dazo> the VPN tunnel should be its own separate IP segment ... then you route other networks via the endpoints on that VPN tunnel
13:02 < kantlivelong> Bushmills: ive been trying to do static.. it refuses to work
13:02 < dazo> nate: exactly
13:02 < nate> so I route the home network similar to the work machine, as a single IP?
13:02 < Bushmills> got bind running somewhere?  --up  or --client-connect to nsupdate zonefile
13:03 -!- kisom [~kisom@c-f9dde155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Remote host closed the connection]
13:03 < Bushmills> alternatively, use --up or --client-connect scripts to modify your hosts file
13:03 < dazo> nate: yes, basically
13:04 < dazo> nate: on the workvpn.mvn ... try using push "route 192.168.12.0 255.255.255.0 vpn_gateway"
13:04 < dazo> that will setup a route to your home network on the work client via the VPN tunnel
13:04 < kantlivelong> Bushmills: any idea why static ip assignments wont work on PKI? im using the windows client
13:04 < dazo> then you'll need a similar route on the server
13:05 < Bushmills> it works - impossible to tell you why it doesn't
13:06 < nate> ugh, I am so confused now what to change in the configs
13:06 -!- krzee [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
13:07 < kantlivelong> Bushmills: ive posted logs and configs.. its very weird
13:08 < dazo> nate: a simple map ....    <home:192.168.12/24>--[ovpn client home: 192.168.30.x]------[openvpn server: 192.168.30.1]------[ovpn client work: 192.168.30.y]------<work net: z.z.z.z>
13:08 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:09 < dazo> nate: so on the work client ... you need a route saying:    route 192.168.12.0 255.255.255.0 vpn_gateway  .... this you can push via the ccd/workvpn.mvn
13:09 < Bushmills> my guess is, the client config file in ccd directory isn't named after the common name of client 
13:09 < dazo> nate: on the openvpn server  you need a route in the openvpn saying:  route 192.168.12.0 255.255.255.0 ... which you do
13:10 < dazo> Bushmills: good point ... I didn't reflect on that, as he said it worked yesterday before hw upgrade
13:10 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 258 seconds]
13:10 < nate> dazo: server: http://pastebin.com/b5CMZWqL  -- server ccd: http://pastebin.com/NbGSN13g 
13:10 < nate> that's where I'm at now.
13:11 < kantlivelong> dazo: Bushmills i got it!!
13:11 < nate> ignore the ccd/ at the bottom of the first link 
13:12 < dazo> nate: and you must change the ifconfig-push 192.168.12.1 192.168.12.2  to something else inside the 192.168.30/24 segment 
13:12 < kantlivelong> dazo: Bushmills i had to release/renew the virtual device then reconnect... thats weird....
13:12 < nate> I'm sorry but I don't fully understand how to translate that to openvpn's configs. my brain is fried at this point :-/
13:13 < nate> the route to the work client, I have in the ccd all ready
13:13 < Bushmills> one problem down. fifteen hundred to go.
13:13 < kantlivelong> odd
13:14 < dazo> nate: okay ... change  ifconfig-push 192.168.12.1 192.168.12.2  to   ifconfig-push 192.168.30.13 192.168.30.1
13:14 -!- IRConan [~conan@unaffiliated/rconan] has left ##openvpn []
13:14 < dazo> nate: that's in the ccd/mauvenet
13:15 < nate> and leave the iroute for 192.168.12.0 in there?
13:15 < kantlivelong> odd
13:15 < dazo> nate: yes ... because you want this client to help with internal routing to that net
13:15 < nate> k
13:15 < kantlivelong> now the blasted internal server cant see me
13:15 < nate> so in server.conf I change what?
13:15 < kantlivelong> @#%$^3
13:16 < dazo> nate:   take out this line: push "route 192.168.0.0 255.255.0.0"
13:16 < nate> well I need 192.168.0.0/16 routed across every client
13:16 -!- VenomX [~venomx@187.56.151.95] has joined ##openvpn
13:16 < nate> my VPN links to a larger VPN that spans 192.168.0.0/16
13:17 < kantlivelong> keeps going up and down tho
13:18 < dazo> nate: okay ... then you might face some challenges with overlapping network segments (as 192.168.12/24 and 192.168.30/24 is covered by that big range)
13:18 < dazo> nate: but routing table wise, it should be fine for now
13:18 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
13:18 < dazo> nate: (ideally, moving the VPN tunnel to f.ex. 10.8.0.0/24 might rescue you later on ... but not needed right now)
13:19 < nate> the entire VPN darkent will be re-IP'd soon
13:19 < nate> but that's another project
13:19 < dazo> yeah
13:19 < nate> so the last reference to 192.168.12.0 is in server.conf
13:19 < nate> the route
13:19 -!- kantlivelong [40484186@gateway/web/freenode/ip.64.72.65.134] has quit [Quit: Page closed]
13:20 < dazo> nate: that's basically it ... so now you can try to restart the openvpn server ... and the one of the clients at the time ... then lets have a look at the routing tables
13:20 < dazo> nate: on server and on cilents
13:20 < nate> so I still leave the global route for 12.0/24 in server.conf?
13:21 < dazo> nate: now you made me doubt myself .... :-P   lets try with that one first
13:22 < nate> dazo: server routing: http://pastebin.com/iHeV7FLv
13:22 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
13:23 < dazo> nate: according to !route ... you need the route, so that is correct
13:23 < dazo> nate: looking good ... and now the routing tables on the client sides?
13:24 < nate> home routing: http://pastebin.com/kqpgs9Uz
13:24 < nate> that's on a dd-wrt router
13:25 < dazo> nate: yeah, looks good as well
13:25 < dazo> now ... can you ping 192.168.30.1?
13:25 < dazo> from the client
13:25 < nate> nope
13:25 < nate> but I can hit port 80
13:26 < dazo> okay, it might be ping is filtered then ... if you get something you would expect on port 80 of the vpn server
13:26 < nate> yeah I do
13:26 < dazo> and then try to connect the work client
13:26 < nate> but the server can't hit any ports on home machines
13:27 < nate> crap, I have to run to work. I have a meeting in 30 mins. I'll be back on from there if we can continue this. I know we're close
13:27 < dazo> nate: I'm about out from work ... I'm already late, I see :-P
13:27 < dazo> krzee: you have time to help out nate further?  I think we're on a good track now
13:27 < VenomX> Hi. Someone mind to help me to understand why the build-key script allows me to create as many instances of certificates for the same CN as I want? Like this: http://pastebin.com/uWc9Smyw
13:28 < dazo> nate: krzee is the guy who wrote the !route document ... so he knows routing quite well :)
13:28 < ecrist> 1:15PM  up 787 days,  3:17, 11 users, load averages: 0.00, 0.04, 0.07
13:29 < jpalmer> what do you guys use to manage large numbers of self-signed certs?  I'm adding more and more systems that require openssl certs,  and need to find a better way to manage them (currently, I'm doing it manually)
13:29 < dazo> VenomX: It's nothing in the PKI structure not forbidding duplicate CN
13:29 < ecrist> ssl-admin
13:29 < ecrist> it's in ports
13:29 < dazo> jpalmer: I'm using TinyCA2 on one site ... just because it's quick and seems to work nice and easy 
13:30 < jpalmer> each machine I bring up needs a total of 4 SSL certs,  all self-signed. I have about 3000 machines  so, realistically I'm looking at maintaining about 12,000 certs (and climbing)
13:30 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
13:30 < VenomX> dazo: Is it normal behaviour? ( I'm not much into general Certificate issuing yet )
13:31 < dazo> VenomX: yeah ... look at certificates as with persons ... it's nothing forbidding two persons to be called David Smith 
13:31 < dazo> VenomX: what creates a unique identity of a certificate is actually the SSL certificate fingerprint (aka certificate digest)
13:33 < VenomX> dazo: Hmmm.... So let's say my mistake is not to move the certificate files before creating another one with the same CN ( this overwrites the key files ), right?
13:33 < krzee> unfortunately i have no time, doing both migrations today (phone and network)
13:33 < ecrist> jpalmer: ssl-admin is perl, can be deployed for multiple configurations
13:33 < dazo> VenomX: try: openssl x509 -noout  -fingerprint -subject -in <certfile>
13:33 < ecrist> krzee: did you see the freebsd SA?
13:33 < dazo> krzee: ahh ... sorry, no worries ... I'm sure there are others here as well!
13:34 < dazo> VenomX: it can, for sure
13:34 < jpalmer> ecrist: perl based,  so should work on centOS.   I'll take a look.
13:34 < ecrist> !ssl-admin
13:34 < vpnHelper> ecrist: "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn, or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
13:35 < jpalmer> ecrist: each machine I bring up needs a pub/priv keypair for bacula, openvpn, a proprietary piece of software, and a webserver.  key management (and deployment) is by biggest "issue" right now.
13:36 < ecrist> jpalmer: you may need/want to use ssl-admin as a starting point, then, and tweak it to your needs.
13:36 < ecrist> it's menu-driven now, you probably don't need that
13:36 < jpalmer> if it needs any tweaks, I'll send patches.
13:36 < ecrist> sweet
13:36 < jpalmer> I'll take it for a spin here in a few minutes.
13:37 < ecrist> krzee: http://security.FreeBSD.org/advisories/FreeBSD-SA-10:07.mbuf.asc
13:37 < jpalmer> oh.  it'll work with pre-existing certs, right?  I don't need to generate all new certs?
13:38 < ecrist> right
13:38 < ecrist> you just need to put things in the right place
13:38 < VenomX> dazo: Thanks, I guess that's good enough for me. I believe now that I should really remove the generated certificate files once I provide the user a copy of it, as a security measure ( Since I'm not yet deploying production setups, I don't erase the certificate files after I generate them ).
13:38 < ecrist> you're a smart guy, so you should be able to figure it out
13:38 < jpalmer> *nod*  cool.
13:38 < jpalmer> seems I've used ssl-admin before, but I can't quite place it.
13:39 < jpalmer> anyway,  I'll get it setup, and check it out.   Thanks a ton.
13:39 < krzee> nah havnt seen bro, but will see later
13:39 < krzee> thanx for the link, saved
13:39 < ecrist> krzee: it's kind of a MAJOR deal
13:39 < ecrist> as in, I've been updating production boxes in the middle of the work day for two days
13:39 < dazo> VenomX: the keys, and especially the CA key should really be unavailable via a network, only accessible when you intend creating/signing new certificates
13:39 < jpalmer> yeah, that thing is nasty.
13:40 < jpalmer> ecrist: building world? spot-patching? or freebsd-update?
13:40 < ecrist> what's funny about it, for how bad it is, the fix is a one-liner
13:40 < krzee> oh right
13:40 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has joined ##openvpn
13:40 < ecrist> building kernel
13:40 < krzee> i knew about that 0day but was sworn to secrecy, my main servers run fbsd6 ;)
13:40 < jpalmer> err. s/world/kernel/
13:41 < krzee> i know someone who must be pissed they found that one
13:43 < VenomX> dazo: (I've already read about the CA key) That makes (almost) everything clear. Thank you very much :)
13:43 < dazo> VenomX: you're welcome :)
13:43  * dazo calls this a day
13:44 < ecrist> no love, krzee
13:44 < ecrist> :\
13:44 -!- dazo is now known as dazo_afk
13:46 < krzee> i will never tell anything i promise you not to tell either
13:52 < ecrist> you're dead to me
13:52 < ecrist> lol
13:52 -!- trumee [~nobody@cpc5-cmbg14-0-0-cust982.know.cable.virginmedia.com] has joined ##openvpn
13:52 < krzee> lol
13:52 < trumee> Is it possible to install openvpn access server on gentoo?
13:52 < ecrist> *cough* butters.secure-computing.net 7.2-RELEASE
13:52 < VenomX> Another question: How worried about security should I be without using the tls-auth with ta.key ? (Roadwarrior setup)
13:53 -!- michal|3s [~michal@host851485250.static.tkplan.3s.pl] has left ##openvpn []
13:53 < trumee> I dont see any .tar.bz2/.tar.gz distro agnostic software "access server"  on openvpn.net
13:53 < ecrist> and xxx is running 8.0-RELEASE
13:53 < ecrist> trumee: you won't
13:53 < ecrist> we also don't support access server here.
13:53 < ecrist> the channel entry message indicates such
13:54 < trumee> ecrist: so there is now way to install access server on gentoo?
13:54 < ecrist> access server isn't open-source
13:54 < trumee> ecrist: ah ok.
13:54 < trumee> is there any other gui for openvpn then?
13:54 < ecrist> there are lots
13:55 < ecrist> really, a gui is silly, though
13:55 < ecrist> it's really simply
13:55 < ecrist> !howto
13:55 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:55 < VenomX> I'm building my setup based on Securepoint SSL VPNClient ( I MUST make user's life easy ); this allow me to create a simple file to be imported into the client. AFAIK this client doesn't support tls-auth (Further testing pending)
13:55 < trumee> i have setup openvpn on my machine reading that how to. and it works fine generally. However i have one problem
13:56 < krzee> ecrist, i said main servers ;]
13:56 < trumee> i have router called xx.dyndns.org which port forwards to my openvpn/asterisk server on 172.16.1.20
13:56 < ecrist> krzee: if you want, I'd be happy to upgrade both those
13:58 < trumee> i have openvpn working properly at the client side (Nokia N900 phone). The web traffc all goes through openvpn server. However, my voip client also points to xx.dyndns.org. The voip calls dont go through openvpn. Is it because both openvpn and asterisk server are on the same machine.
13:59 < trumee> so there you go. i am stuck here. So was wondering if i should be using some gui.
14:01 < trumee> ecrist: any idea?
14:09 -!- kantlivelong [3f8bce12@gateway/web/freenode/ip.63.139.206.18] has joined ##openvpn
14:09 < kantlivelong> im back
14:09 < kantlivelong> how can i tell the vpn client to ALWAYS keep the session alive?
14:10 -!- privacy2p [~chatzilla@99.66.37.128] has joined ##openvpn
14:11 < krzee> ecrist, that would be awesome man, thank you!
14:12 < ecrist> krzee: no problem.  I'm doing about 60 other servers anyhow, so what's two more. :)
14:12 < privacy2p> vpn noob
14:13 < privacy2p> looking for help
14:14 < kantlivelong> sup privacy2p 
14:15 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
14:17 -!- Progressor [~progresso@ip32-41-208-87.adsl2.static.versatel.nl] has joined ##openvpn
14:19 < jpalmer> are there any factoids in the bot for failover?
14:20 < Progressor> Hello
14:20 < kantlivelong> hi
14:20 < Progressor> I could use a hand
14:20 < Progressor> I followed a manual provided by the university.
14:20 < Progressor> In OpenVPN Adv settings you need to sellect 'Use custom gateway'. But this one automatically deselect itsself. (I click ok and apply, but when I return it's deselected) (about step 6 in http://www.snt.utwente.nl/handleidingen/1/84 )
14:21 < vpnHelper> Title: Studenten Net Twente :: handleidingen (at www.snt.utwente.nl)
14:22 < Progressor> I assume he is a bot? :P
14:23 < kantlivelong> yeah :P
14:24 < Progressor> I assume AI hasnt't progressed as far that he can help me connect to the network of my university...
14:24 < Progressor> Can you?
14:24 < Progressor> (Or anyone else here?)
14:25 < kantlivelong> im not that good with openvpn yet :P
14:26 < jpalmer> Progressor: I'm not familiar with that gui interface, but it's not part of OpenVPN,  so I doubt you'll find much help here.  your best bet is probably to call the university support staff
14:27 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:28 < Progressor> The gui is from a linux network manager.
14:28 < krzee> !ubuntu
14:28 < vpnHelper> krzee: "ubuntu" is dont use network manager!
14:29 < jpalmer> Progressor: exactly.  it's not "openVPN" it's some 3rd party utility
14:31 < Progressor> Ah well...
14:31 < Progressor> Nothing wrong with hoping someone here happens to know the problem
14:36 < nuser> I have a firewall.. with one public IP address. I am using IPtables to nat the 192*
14:36 < nuser> internet connection is working great..
14:36 -!- privacy2p [~chatzilla@99.66.37.128] has left ##openvpn []
14:36 < nuser> but when I connect with the vpn and get a 192* I get the default gateway 192.168.1.1 the DNS servers
14:36 < nuser> but I can't surf or connect to serverrs
14:37 < nuser> nor can I ping anything..
14:37 < nuser> any idea ?
14:37 < kantlivelong> where can i download the latest tap driver for windows 2003?
14:38 -!- MDO [~ich@dslb-088-076-121-091.pools.arcor-ip.net] has joined ##openvpn
14:38 < nuser> I didn't open a hole in the firewall for my vpn address of 192.168.1.220
14:39 < nuser> so I can hit port 1194 from teh outside.
14:39 < MDO> hello everybody - I am a total newby to irc - so pleas apologize any misbehaviour if it happens.
14:40 < MDO> is this channel a place to discuss my current issues with openvpn?
14:43 < kantlivelong> MDO: sure.. 
14:44 < Bushmills> !redirect
14:44 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:45 < Bushmills> nuser: ^^^^
14:47 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
14:47 < MDO> thanks. I'll start descriping the problem: I run OpenVPN w. GUI in Windows. It works fine in WinXP. Now I want to move to Win7. I installed OpenVPN and copied the config directory from the xp to the Win7 box. I thought that would be all there is to it. Now startinge the GUI and connecting to the VPN-Server works fine. But then I cannot use any of my services at the remote site - mainly that is using rdp to work on remote servers.
14:49 < MDO> Is that enough to describe the issue? Can I provide any more information? Is there a clue as to what's going wrong?
14:50 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
14:52 < bvierra_> what does the log say?
14:52 < bvierra_> when you double click on the gui it will show it
14:53 < hyper_ch> yey, rain :)
14:54 < kantlivelong> weird.. i cant install the tap drivers on win2k3 :(
14:56 < kantlivelong> are there any requirements for the driver?
14:58 < MDO> @bvierra_ thanks - It says something about "route add failed". I suppose some userrights are missing. I'll try to run the GUI as admin - and come back with the results. that will take a minute.
14:58 < bvierra_> thats the exact issue :)
14:58 < bvierra_> also you can try it without the GUI
14:58 < kantlivelong> :/
14:58 < bvierra_> just right click on the config file and its an option
14:59 < bvierra_> sorry that was for MD0
14:59 < Bushmills> MDO: right click on openvpn and openvpn-gui. set to compatibility mode vista. also set to run as administrator
14:59 -!- bvierra_ is now known as bvierra|h
14:59 < Bushmills> for route, add   route-method exe  to client config
14:59 < bvierra|h> kantlivelong, I honestly dont know :)
15:00 < kantlivelong> bvierra|h: hmm... its weird... it just says tapinstall failed.. i got it to work on another windows install so...
15:01 < bvierra|h> kantlivelong, google brought me this http://openvpn.net/index.php/open-source/faq/79-client/281-what-to-do-if-the-installation-of-the-tap-win32-driver-fails.html
15:01 < vpnHelper> Title: What to do if the installation of the TAP-Win32 driver fails? (at openvpn.net)
15:01 -!- nate [~nate@unaffiliated/nate] has left ##openvpn []
15:03 < kantlivelong> bvierra|h: PHAHAHA!! good find.. i musta skipped it.. totally fixed the issue.. THANKS
15:03 < bvierra|h> kantlivelong, :)
15:04 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
15:04 < kantlivelong> bvierra|h: not too often you install new drivers on a server :P
15:04 < bvierra|h> very true
15:04 -!- kyle__ [~kyle@80.67.12.170] has quit [Disconnected by services]
15:04 < bvierra|h> luckily I have a linux router in front of my windows 2k8 server so I just did it on that :)
15:05 < MDO> thanks for helping. admin mode did it.
15:05 < bvierra|h> wow 2 for 2 today
15:06 < MDO> @Bushmills: why compatibility mode vista?
15:06 < bvierra|h> must be a good day, I should probably do some work
15:07 < Bushmills> MDO: because you want it to run
15:08 < Bushmills> maybe not needed with 32 bit win7 - but i'm not sure about that
15:09 -!- trumee is now known as zzztrumee
15:13 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
15:14 < MDO> It works fine in win7 32bit and in win7 64bit for the moment - without the vista compatibility mode. But I keep that in mind - just in case. Thanks @ all for your help - it was a nice first irc experience. Bye
15:15 < Bushmills> !winroute
15:15 < vpnHelper> Bushmills: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
15:19 < MDO> !bye
15:19 < vpnHelper> MDO: Error: "bye" is not a valid command.
15:19 < MDO> .bye
15:19 < MDO> sry - trying to leave here
15:20 < VenomX> Thak you all, bye
15:20 -!- VenomX [~venomx@187.56.151.95] has quit [Quit: Leaving]
15:20 < MDO> quit
15:20 < MDO> .quit
15:20 < Bushmills> ctrl-alt-delete
15:20 < MDO> nice try
15:21 -!- MDO [~ich@dslb-088-076-121-091.pools.arcor-ip.net] has quit [Quit: found it in the manual]
15:27 -!- kantlivelong [3f8bce12@gateway/web/freenode/ip.63.139.206.18] has quit [Quit: Page closed]
15:38 -!- kantlivelong [3f8bce12@gateway/web/freenode/ip.63.139.206.18] has joined ##openvpn
15:39 < kantlivelong> anyone know why my internal server(not the openvpn server itself) cant ping a vpn client but the client can ping the server?
15:41 < hyper_ch> routes
15:41 < kantlivelong> hyper_ch: thats what i thought.. but its on and off.. sometimes it works.. sometimes it doesnt
15:46 < Bushmills> kantlivelong: your vpn clients redirect all traffic through vpn server, including the echo replies
15:46 < kantlivelong> Bushmills: hmm yeah.. weird now i cann ping .249 but not .245 :/
15:46 < Bushmills> route, not redirect
15:46 -!- killown [~geek@unaffiliated/killown] has quit [Quit: Saindo]
15:47 < kantlivelong> but client->server is fine
15:47 < kantlivelong> meh
15:47 < hyper_ch> Bushmills: so I was right?
15:47 < Bushmills> oh. 249 is probably special. look whether there's a RFC which says that hosts with ip address endign in 249 are not VPN routable :D
15:48 < kantlivelong> 10.1.1.51(INTERNAL) -> 10.1.100.249(VPN CLIENT) = WORKS
15:48 < kantlivelong> 10.1.1.51(INTERNAL) -> 10.1.100.245(VPN CLIENT) = FAILS
15:48 < kantlivelong> 10.1.100.249(VPN CLIENT) -> 10.1.1.51(INTERNAL) = WORKS
15:48 < kantlivelong> 10.1.100.245(VPN CLIENT) -> 10.1.1.51(INTERNAL) = WORKS
15:48 < kantlivelong> :/
15:48 < kantlivelong> i am rather confused
15:50 < kantlivelong> ah ha!
15:50 < kantlivelong> weird.. my load balancer is trying to redirect lan traffic for some reason...
15:50 < Bushmills> hyper_ch: i suppose you were, yes
15:50 < hyper_ch> yey
15:50  * hyper_ch likes being right
15:51 < kantlivelong> thats rather confusing
15:55 < kantlivelong> fixed it :)
15:55 < kantlivelong> weird how my load balancer was trying to direct it elsewhere
15:56 < kantlivelong> bbl thanks all
15:56 -!- kantlivelong [3f8bce12@gateway/web/freenode/ip.63.139.206.18] has quit [Quit: Page closed]
15:56 -!- Progressor [~progresso@ip32-41-208-87.adsl2.static.versatel.nl] has left ##openvpn []
16:01 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.6/20100625231939]]
16:05 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
16:07 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
16:34 -!- zzztrumee is now known as trumee
16:46 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
16:58 -!- notbrien [~notbrien@69.60.16.242] has quit [Quit: notbrien]
17:06 < nuser> hey
17:07 < nuser> so I connect to the vpn from my labtop and I get the ipaddress gw and subnet 
17:07 < nuser> but I can't ping 192.168.1.1
17:07 < nuser> I can ping the assign ip 192.168.1.221
17:08 < nuser> any ideas
17:11 -!- trumee [~nobody@cpc5-cmbg14-0-0-cust982.know.cable.virginmedia.com] has quit [Remote host closed the connection]
17:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
17:15 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
17:26 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Max SendQ exceeded]
17:38 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
17:43 < nuser> I have a question anyone around  ?
17:47 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
17:53 -!- nate [~nate@unaffiliated/nate] has joined ##openvpn
17:53 -!- nuser [~unixtoy@rrcs-76-79-204-178.west.biz.rr.com] has quit [Quit: My damn controlling terminal disappeared!]
17:53 < nate> if I enable client-to-client should I remove all the extra route's that I was pushing out to enable all the clients to see each other previously?
17:57 -!- krzee [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
17:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
18:05 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Connection reset by peer]
18:05 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
18:08 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
18:13 -!- STF_ [~chatzilla@dslb-084-061-143-082.pools.arcor-ip.net] has joined ##openvpn
18:13 -!- STF_ is now known as STF
18:21 -!- geek [~geek@unaffiliated/geek] has joined ##openvpn
18:23 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
18:26 -!- kisom [~kisom@c-f9dde155.648-1-64736c11.cust.bredbandsbolaget.se] has joined ##openvpn
18:28 < nate> anyone alive to try and help a broken man
18:28 < nate> instead of trying to fix what I have, I think it's best to start fresh and try it a different way
18:30 < kisom> nate: shoot
18:31 < kisom> i'm compiling my O/S, got all night
18:31 < nate> so this is the setup
18:32 < nate> colo(linux server), home(/24 subnet, dd-wrt client), work(single linux client), laptop(single win7 client)
18:32 < nate> the colo, work client and laptop are all on 30.0/24
18:32 < kisom> right
18:32 < nate> home is 12.0/24
18:32 < nate> how can I do this with client-to-client to make it easier and not have 50 million routes.
18:33 < nate> I had it almost working, but could never get the win7 client to route. in the process of trying to fix that, I broke everything else.
18:33 < nate> so probably best to start over, cleanly.
18:33 < kisom> you want your boxes to be able to speak to each others, and they are on different subnets, am i right?
18:33 < nate> yup
18:33 < kisom> then routing is probably the only way.
18:34 < kisom> i have a similar setup, in fact.
18:34 < nate> I had everything but the windows box working
18:34 < nate> sort of
18:34 < kisom> but i have openvpn installed on all machines
18:34 < nate> the colo couldn't ping/ssh any of the clients
18:34 < nate> but the clients (home & work) could communicate with each other
18:35 < nate> I have openvpn on everything too (except the subnet behind the home router (12.0/24)
18:35 < nate> so will client-to-client only work really in a setup that doesn't have a subnet behind one of the machines?
18:35 < nate> or is the problem the split network
18:36 < kisom> are you using tun or tap?
18:36 < nate> tun on linux, tap on the win7
18:36 < kisom> as far as i know, you cannot mix tun and tap
18:36 < kisom> if i remember man correctly...
18:36 < nate> well tun doesn't work on windows, right?
18:36 < kisom> it does
18:37 < kisom> hold on
18:37 < nate> if it does than my openvpn installer on windows has nothing for it
18:37 < nate> only "add a tap interface" and what not
18:37 < nate> the whole point of moving to openvpn was for windows support
18:37 < nate> other wise vtund is a billion times easier for linux--to--linux
18:38 < nate> but I'd like to have support for windows laptops
18:38 < kisom> have you considered using an all-tap network?
18:38 < nate> I hadn't, I'm used to tun on linux from my vtun days
18:38 < nate> so I stuck with that
18:39 < nate> I'm just at such a loss at this point on how to make it all work.
18:39 < kisom> the easiest way is probably to just go for tap all the way
18:40 < nate> isn't tap for bridging?
18:40 < kisom> but hold on, im still looking for that article about tun on windows
18:40 < kisom> no
18:40 < kisom> its layer 2 instead of layer 3
18:40 < nate> yeah that's sort of what I meant
18:40 < nate> I mean routing is on layer 3
18:43 < kisom> i think i have to leave that question for someone else...
18:44 < kisom> tun *should* be working fine in windows
18:44 < kisom> but I've only used tap so far
18:44 < nate> my win7 conencts
18:44 < nate> but can't route or access anything
18:45 < kisom> do you have "dev tun" in the windows config file?
18:46 < nate> no 'dev tap'
18:46 < kisom> try to change it to tun and see what happens.
18:47 < nate> it explodes in a firey mess
18:47 < nate> let me play with the error, see where I get
18:50 -!- krzee [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
18:52 < nate> k so I got it connected 
18:52 < nate> but still can't hit anything
18:52 < nate> granted, I don't think any of the clients can hit anything on the server
18:52 < nate> oh wait, no. home can hit the colo on port 80
18:52 < nate> the laptop (win7) cannot hit the colo on port 80
18:55 < nate> nor can it hit anything on the home subnet
18:55 < nate> nor do I see routes for the home subnet on the win7 laptop
18:56 -!- UdontKnow is now known as KnightWhoSaysNi
18:59 < nate> manually adding routes on the win7 box doesn't do anything either
19:23 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
19:26 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
19:31 -!- geek [~geek@unaffiliated/geek] has quit [Changing host]
19:31 -!- geek [~geek@unaffiliated/killown] has joined ##openvpn
19:31 -!- geek is now known as killown
19:32 -!- philverb [~david@c-67-180-198-84.hsd1.ca.comcast.net] has joined ##openvpn
19:33 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
19:37 -!- KnightWhoSaysNi is now known as root
19:41 -!- killown [~geek@unaffiliated/killown] has quit [Remote host closed the connection]
19:43 -!- geek [~geek@unaffiliated/geek] has joined ##openvpn
19:46 -!- APTX_ [~APTX@phpBB/developer/APTX] has joined ##openvpn
19:47 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 260 seconds]
19:48 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
19:57 -!- geek [~geek@unaffiliated/geek] has quit [Changing host]
19:57 -!- geek [~geek@unaffiliated/killown] has joined ##openvpn
19:57 -!- geek is now known as killown
19:58 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
20:08 -!- theDoc [~link@unaffiliated/thedoc] has joined ##openvpn
20:20 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
20:23 -!- STF is now known as Guest76020
20:26 -!- Guest76020 [~chatzilla@dslb-084-061-143-082.pools.arcor-ip.net] has quit [Ping timeout: 258 seconds]
20:43 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
20:47 -!- krzee [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
20:48 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
20:51 -!- krzee [nobody@unaffiliated/krzee] has quit [Excess Flood]
20:52 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
21:03 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
21:18 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
22:21 -!- theDoc_ [~theDoc@119.234.0.18] has joined ##openvpn
22:22 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 276 seconds]
22:57 -!- brah [~asdofp@190.183.62.68] has joined ##openvpn
22:57 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
23:09 -!- joako [~joako@opensuse/member/joak0] has joined ##openvpn
23:10 < joako> I setup IPSEC VPN and it is very unreliable despite having reliable internet connections. Is it the same way with openVPN?
23:27 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
23:37 < nate> unreliable how?
23:37 -!- theDoc_ [~theDoc@119.234.0.18] has quit [Quit: theDoc_]
23:37 < nate> mines been solid for years
23:38 < joako> nate, Well I have 2 reliable internet connections. I put openswan IPSEC VPN and it won't stay up 24 hours. If it goes down it won't auto-reconnect
23:39 < nate> ah yeah never have that problem
23:39 < joako> I need something reliable to link 2 entire offices
23:39 < nate> mine runs as long as the host is up
23:39 < nate> over cable at home, over works 100mb line, and over a 10mb line at a colo
23:39 < nate> all stay up 24/7
23:40 < joako> Ok, so to setup openvpn server that is ok. But how do I setup a client for the entire LAN?
23:40 < nate> at home I have dd-wrt on my router which routes the entire /24
23:45 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
--- Day changed Thu Jul 15 2010
00:05 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
00:52 -!- tuvyz [~tuv@unaffiliated/tuv] has joined ##openvpn
00:53 -!- tuv [~tuv@unaffiliated/tuv] has quit [Ping timeout: 265 seconds]
01:02 -!- havoc [~havoc@neptune.chaillet.net] has quit [Ping timeout: 276 seconds]
01:05 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:06 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
01:08 -!- tuvyz is now known as tuv
01:18 -!- krzee [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
02:02 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
02:05 -!- dazo_afk is now known as dazo
02:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
02:16 -!- jmm is now known as jww
02:20 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
02:20 -!- SOG [~SOG@61.144.230.241] has quit [Ping timeout: 240 seconds]
02:21 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
02:30 -!- theDoc [~link@unaffiliated/thedoc] has quit [Quit: Leaving]
02:35 -!- philverb [~david@c-67-180-198-84.hsd1.ca.comcast.net] has quit [Ping timeout: 265 seconds]
02:48 -!- theDoc [~theDoc@119.234.0.16] has joined ##openvpn
02:52 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
02:52 < kraut> moin
02:53 -!- kyrix [~ashley@194.48.133.8] has joined ##openvpn
02:54 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:00 < creack> plus
03:27 -!- macsppadic_ [~sonupunno@88.211.55.77] has joined ##openvpn
03:27 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Read error: Connection reset by peer]
03:27 -!- macsppadic_ is now known as macsppadic
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:55 -!- theDoc [~theDoc@119.234.0.16] has quit [Quit: theDoc]
04:10 -!- theDoc [~theDoc@119.234.0.16] has joined ##openvpn
04:12 -!- Netsplit *.net <-> *.split quits: funkyHat, Zathraz, clyons, MikeW, ike, Bushmills, fahadsadah, baffle, naquad, batrick,  (+4 more, use /NETSPLIT to show all of them)
04:15 -!- Netsplit over, joins: Zathraz
04:17 -!- fitzdsl [~fitzdsl@88.191.116.97] has joined ##openvpn
04:17 < fitzdsl> hello everybody
04:17 < fitzdsl> i'm trying to understand how to use learn-address
04:18 < fitzdsl> does anyone know a website with exemple ?
04:18 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
04:18 -!- MikeW [~MW@ks35441.kimsufi.com] has joined ##openvpn
04:18 -!- clyons [~clyons@unaffiliated/clyons] has joined ##openvpn
04:18 -!- funkyHat [~m@funkyhat.org] has joined ##openvpn
04:18 -!- batrick [~batrick@batbytes.com] has joined ##openvpn
04:18 -!- ike [ike@unaffiliated/ike] has joined ##openvpn
04:18 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined ##openvpn
04:18 -!- baffle [baffle@shell.eunet.no] has joined ##openvpn
04:18 -!- |Mike| [mike@2001:1af8:2:444::2] has joined ##openvpn
04:18 -!- naquad [~naquad@174.142.224.219] has joined ##openvpn
04:18 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has joined ##openvpn
04:18 -!- LeRrA [~lerra@c-9b9872d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined ##openvpn
04:19 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
04:19 -!- theDoc [~theDoc@119.234.0.16] has quit [Ping timeout: 243 seconds]
04:23 -!- SOG [~SOG@61.144.230.241] has quit [Remote host closed the connection]
04:27 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
04:29 < dazo> fitzdsl:  Learn address is pretty simple ... create a little script which dumps all environment variables and $* to a file ... add this to your server config using --learn-address dump.sh ... and connect a client ... then you see all you get ... and you can do what you pleases with these variables.  The script has to exit with 0 to be considered OK, or exit with 1 if you want to reject this client
04:30 < fitzdsl> ok, that's what i thought
04:30 < dazo> fitzdsl:  look at the man page as well. both the --learn-address and the "SCRIPTING AND ENVIRONMENTAL VARIABLES" section
04:31 < fitzdsl> I did, but I had a doubt about how to use it
04:31 < fitzdsl> thx dazo 
04:31 < dazo> fitzdsl:  you're welcome!
04:50 < fitzdsl> dazo: I got something weird in my log : "WARNING: learn-address command failed: external program fork failed"
04:51 < dazo> fitzdsl:  you probably need --script-security 2 
04:52 < fitzdsl> dazo: thx i'll look to that
04:53 < fitzdsl> dazo: ok it works
04:55 -!- dazo is now known as dazo_afk
05:05 -!- kyrix [~ashley@194.48.133.8] has quit [Quit: Leaving]
05:21 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
05:32 -!- dazo_afk is now known as dazo
05:36 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:41 -!- theDoc [~link@unaffiliated/thedoc] has joined ##openvpn
05:50 -!- SOG [~SOG@61.144.230.241] has quit [Remote host closed the connection]
05:50 -!- SOG [~SOG@n1164868040.netvigator.com] has joined ##openvpn
05:54 -!- joako [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
05:55 -!- SOG [~SOG@n1164868040.netvigator.com] has quit [Ping timeout: 245 seconds]
06:46 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Read error: Connection reset by peer]
06:46 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
07:24 -!- mosno [~mosno@unaffiliated/mosno] has joined ##openvpn
07:25 -!- APTX_ is now known as APTX
07:47 < mosno> is it just me, or was 2.1.1 NOT announced on openvpn-announce mailing list? the most recent announcement i see is for 2.1.0
07:48 < mosno> !welcome
07:48 < vpnHelper> mosno: "welcome" is Start with ! goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:48 < mosno> !goal
07:48 < vpnHelper> mosno: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:49 < mosno> ps.: possible typo in the !welcome output ("! goal")
07:53 < ecrist> !forget welcome
07:53 < vpnHelper> ecrist: Joo got it.
07:54 < ecrist> !learn welcome as Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:54 < vpnHelper> ecrist: Joo got it.
07:54 < ecrist> !welcome
07:54 < vpnHelper> ecrist: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:58 < dazo> mosno: 2.1.1 and 2.1.0 is practically the same release ... the only difference is an update to openvpn.spec to fix building openvpn on rpm based systems
07:58 < mosno> ecrist: thanks
07:59 < mosno> dazo: ok. it just made me feel uneasy not seeing it formally announced. thanks
08:00 < dazo> mosno: yeah, I don't recall how the announcements went ... it might not have gone to -announce, but I think it did to -devel and/or -users ... but it's over 6 months ago, I don't recall details now
08:00 < mosno> fair enough.
08:01 < mosno> if there was a security vulnerability discovered, would the fix be backported to the 2.0 series?
08:01 < mosno> s/backported/applied/
08:01 < dazo> mosno: most likely not ... the 2.1 base is where all development happens nowadays
08:02 < mosno> dazo: ok. according to the FAQ, there are no known vulns anyway. if there was one, would it be announced on -user as well as -devel ?
08:02 < mosno> or maybe even -announce
08:02 < mosno> (ie. i don't see a -security list)
08:02 < dazo> mosno: it would really have to be a very extreme vulnerability, I think, to make that happen .... upgrading to 2.1 is anyway a lot better
08:03 < mosno> dazo: okay. i am a sysadmin, so i am just wondering if it's worth subscribing to -announce to hear about security vulns, or if there's a better place to subscribe to
08:03 < mosno> (or a place at all)
08:03 < dazo> mosno: I know there are some security fixes in 2.1, which came in during the beta and rc cycles ... but I don't know if they are related to 2.1 only ... anyway, 2.1 is a better bet in the long run
08:04 < mosno> dazo: i'd have to see what my distributor's policy is, too
08:04 < dazo> mosno: that's a fair question ... I don't know ... but we're having a developers meeting on #openvpn-devel today @18:00 UTC ... so I'll see if we can get that to today's agenda
08:04 < mosno> dazo: ie. openvpn came bundled with the system, so i wonder if/when they'll update to 2.1
08:04 < dazo> mosno: which distro?
08:04 < mosno> dazo: that would be fantastic
08:06 < mosno> dazo: X-Wrt (based on OpenWrt)
08:06 < dazo> mosno: ahh ... I'm not sure how they do that
08:07 < mosno> dazo: the latest X-Wrt is based on OpenWrt 8.09.2; however, OpenWrt recently released 10.03, which includes 2.1.1
08:08 < mosno> (OpenWrt 8.09.2 uses OpenVPN 2.0.9)
08:08 < mosno> dazo: is that what you meant?
08:08 < dazo> mosno: 8.09 is whiterussian?
08:08 < mosno> dazo: kamikaze
08:09 < dazo> wow ... I'm really outdated on openwrt then!
08:10 < mosno> dazo: hehe. i manage a whiterussian that also has 2.0.9, but perhaps another sysadmin updated openvpn on that host (i am new)
08:10 < dazo> mosno: out of curiosity ... on what hardware are you running kamikaze?
08:10 < mosno> dazo: WRT54GS
08:11 < mosno> dazo: so what is the best way for me to determine if my 2.0.9 is vulnerable?
08:11 < dazo> mosno: nope, whiterussian is still 2.0.9 ... I'm using it on my personal wrt54gl ... not sure how well kamikaze will run on it, and haven't had time to risk downtime on my network yet
08:12 < dazo> mosno: I dunno ... search for CVE's concerning OpenVPN ... and see if what's labelled vulnerable for 2.1 might be vulnerable on 2.0 as well by either poking into the source code and/or try to exploit the vulnerability yourself
08:13 < mosno> i knew this would involve source code :( ;-)
08:13 < dazo> heh :) ... unfortunately, there's seldom a way around it when doing such analysis
08:16 < mosno> "Unspecified vulnerability in OpenVPN 2.1-beta14 through 2.1-rc8" -- i guess this means 2.0.9 isn't affected
08:16 < mosno> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3459
08:16 < vpnHelper> Title: National Vulnerability Database (NVD) National Vulnerability Database (CVE-2008-3459) (at web.nvd.nist.gov)
08:18 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
08:19 -!- havoc [~havoc@neptune.chaillet.net] has joined ##openvpn
08:20 < mosno> well, i think i'm safe, looking at the CVEs
08:20 < mosno> thanks again dazo 
08:27 -!- sunta [~cw@achilles.raytion.com] has joined ##openvpn
08:28 < dazo> mosno: I've been looking at that CVE ... that contains a big re-factoring some generic infrastructure used by the script execution code ... I've not compared it against the 2.0 tree ... but James' comment is not clear about which release this started in ... he just says "2.1_rc8 and earlier " ... and here he changes from system() to execve()/CreateProcess() infrastructure ... which means, 2.0 might be at risk as well
08:29 < sunta> hello. I have an openvpn running for road-warriros on tun0. now I want to add a bridged network. http://www.shorewall.net/OPENVPN.html says tun0 for the bridged network. can I use tun0 again or do I need to use tun1?
08:29 < vpnHelper> Title: OpenVPN Tunnels and Bridges (at www.shorewall.net)
08:29 < dazo> sunta: you need tap to use bridging
08:29 < sunta> bah sorry, didnt read properly!!
08:30 < dazo> mosno: but you're *only* vulnerable if you're executing scripts via openvpn, and in particular the --lladdr hook
08:30 < ecrist> unless you're running an OS whose kernel is vuln to that mbuf exploit
08:31 < dazo> mosno: (svn revision 3311 / git commit b8fb090c167ff500a8d .... http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git;a=commit;h=b8fb090c167ff500a8d702f612a42914d4f0bb03)
08:31 < vpnHelper> Title: SourceForge - openvpn/openvpn-testing.git/commit (at openvpn.git.sourceforge.net)
08:31 < dazo> ecrist: been bitten hard lately?
08:32 < ecrist> I have not, but it's a nasty bug.
08:32 < dazo> ecrist: freebsd issue?
08:33 < mosno> dazo: (...digesting...)
08:33 < ecrist> http://security.FreeBSD.org/advisories/FreeBSD-SA-10:07.mbuf.asc
08:33 < ecrist> dzo ^^
08:34 < jpalmer> nasty nasty
08:35 < ecrist> I've been upgrading boxes for two days straight.
08:35 < ecrist> we use CARP a lot, and that means a lot of kernel building
08:36 < ecrist> that, and multiple routing tables, which requires a kernel option
08:36 < jpalmer> I've actually never used CARP. though, I have a few projects that I think it'd be hugely helpful for.
08:36 < mosno> dazo: how do you know that only the --lladdr hook is vulnerable? i assume you read the diff on that git commit?
08:37 < ecrist> jpalmer: freebsd + CARP + PF = win
08:37 < ecrist> my other admin wrote a perl script that does WAN failover between DSL and cable at our office, it's pretty sweet.
08:37 < jpalmer> ecrist: my problem mainly is:  we're not just fbsd here.  we're a mix of OSX, FreeBSD, and CentOS.
08:38 < jpalmer> ecrist: I had one to using pf's route-to magic.  good stuff.
08:38 < ecrist> the only thing I've been able to completely upgrade during the work day has been our firewalls because they're all redundant use CARP, so I can reboot one and the network doesn't care.
08:38 < dazo> mosno: this vulnerability was found via --lladdr hook ... and it this is where the client is most able to trick the server into running arbitrary code ... like forging the MAC address to something else which is not a MAC address
08:39 < jpalmer> ecrist: if I were to buy a book on openvpn (I know the basics,  but would like to get my hands ona  book for some of the advanced stuff)  is there one in particular you'd recommend?  particularly interested in failover/redundancy, and such.
08:40 < ecrist> there isn't one, really, I would recommend.
08:40 < mosno> dazo: ok. thankfully i don't think we use --lladdr; also, according to the CVE, the server (not the client) has to be malicious/compromised, so i am not so worried. at some stage i will check if/when the X-Wrt project are upgrading to the newer OpenWrt base
08:41 < ecrist> there isn't much you can do in terms of redundancy and failover with openvpn at this point, aside from run two servers that share certificates, issue different blocks of IPs in the same subnet, and use a bridged mode.
08:41 < dazo> mosno: yeah ... I would classify it as important but low possibility for exploit
08:41 < ecrist> through some network foo, you can make it run as a TUN, with crafty subnetting
08:42 < ecrist> our solution here has been to run openvpn one a single machine, and pray.
08:42 < ecrist> we keep ssh open on our firewalls in the event of a vpn failure
08:42 < mosno> dazo: there are so many bigger configuration vulnerabilities i have to take care of first it's not funny
08:42 < dazo> :)
08:42 < mosno> gotta love inheriting another sysadmin's setup 
08:43 < jpalmer> ecrist: right now,  my thought is to simply have ovpn server A running,  and B not running.  rsyncing occasionally from A to B.  then if A fails,  manually bring B up with the exact same configs.   clients are installed with two "remote" lines.
08:43 < mosno> on the other hand, he's already done the "throwaway implementation" for me :)
08:44 < ecrist> jpalmer: with CARP, you can have openvpn running on both, but only one will actually accept connections, set a short timeout in the config, and when the primary fails, the other with 'just work'
08:44 < ecrist> openvpn really needs something like pfsync to share state tables
08:44 < ecrist> then it would be 'really' seamless
08:44 < jpalmer> ecrist: nah, CARP wouldn't work here.   the main ovpn server is running in texas,  the secondary is in columbus
08:44 < ecrist> oh, then it wouldn't
08:44 < ecrist> sounds like your plan would work, though
08:45 < jpalmer> we're not using ovpn for the normal use.   our ovpn server is basically just a hub where client machines connect 24/7,  and admins connect to it as needed to tunnel into remote machines at client offices.
08:49 -!- notbrien [~notbrien@69.60.16.242] has joined ##openvpn
08:57 -!- macsppadic is now known as embarasppadic
09:12 -!- mosno [~mosno@unaffiliated/mosno] has quit [Quit: mosno]
09:14 -!- newmember_ [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
09:15 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Remote host closed the connection]
09:16 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Ping timeout: 265 seconds]
09:16 -!- newmember_ is now known as newmember
09:17 -!- EvilMachine [~navid@dslb-188-100-192-146.pools.arcor-ip.net] has joined ##openvpn
09:18 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Client Quit]
09:19 < EvilMachine> hello, quick question: what is still missing when route-up is called, that would prevent a dhcp running inside it, from succeeding? When I do that, it always times out. And only after route-up, openvpn says "Initialization Sequence Completed"
09:22 < jpalmer> EvilMachine: when you say a dhcp running inside it,  can you clarify that?
09:24 -!- root is now known as UdontKnow
09:27 < EvilMachine> to be exact: i run gentoo, and they have a re-entrant init script. (i modified it a bit, so now:) on start, the init script runs openvpn . which later runs the shell script defined via --route-up. that script then re-enters the init script, to toggle it to the "fully initialized" state. that causes the bridge init script to run, which bridges the openvpn interface with one of a virtual machine. then it runs dhcp on that bridge 
09:28 < EvilMachine> so then i have no ip adress.
09:28 < fitzdsl> i have a trouble with learn script
09:28 < EvilMachine> when i then re-start the bridge (stop and start via the bridge init script), it succeeds
09:28 < fitzdsl> I don't have it executed with the arg : delete when I stop a client
09:30 < EvilMachine> i have the logs and everything nicely in detail in this gentoo bug: http://bugs.gentoo.org/show_bug.cgi?id=297153 but when i created that, everything was still called via --up, not via --route-up. (trying --route-up was only an experiment, but did exactly the same thing, so both cases are the same)
09:30 < vpnHelper> Title: Gentoo Bug 297153 - openvpn init script finishes before openvpn is up, causing depening services to fail. (at bugs.gentoo.org)
09:31 < fitzdsl> when i restart the client I have an "update" but never a "delete" 
09:41 -!- theneb_ [~theneb@theneb.co.uk] has quit [Ping timeout: 240 seconds]
09:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:52 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
09:56 -!- sunta [~cw@achilles.raytion.com] has left ##openvpn ["Verlassend"]
09:57 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Ping timeout: 252 seconds]
10:08 < EvilMachine> jpalmer: enough clarification? :)
10:08 -!- Optic [~Optic@miso.capybara.org] has quit [Quit: ZNC - http://znc.sourceforge.net]
10:09 -!- Optic [~Optic@67.205.74.218] has joined ##openvpn
10:11 -!- Optic [~Optic@67.205.74.218] has quit [Client Quit]
10:12 -!- Optic [~Optic@67.205.74.218] has joined ##openvpn
10:14 -!- Netsplit *.net <-> *.split quits: magglass1, oc80z, DrJ, @raidz
10:14 -!- magglass1 [~m@cpe-72-183-201-118.satx.res.rr.com] has joined ##openvpn
10:14 -!- Netsplit over, joins: oc80z
10:14 -!- magglass1 [~m@cpe-72-183-201-118.satx.res.rr.com] has quit [Changing host]
10:14 -!- magglass1 [~m@unaffiliated/magglass1] has joined ##openvpn
10:14 -!- Netsplit over, joins: raidz
10:14 -!- Netsplit over, joins: DrJ
10:43 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
10:52 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
11:02 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
11:03 -!- theDoc_ [~theDoc@119.234.0.21] has joined ##openvpn
11:04 -!- killown [~geek@unaffiliated/killown] has quit [Read error: Operation timed out]
11:05 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 248 seconds]
11:08 -!- joako [~joako@opensuse/member/joak0] has joined ##openvpn
11:13 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
11:14 -!- theDoc [~link@unaffiliated/thedoc] has quit [Quit: Leaving]
11:14 -!- theDoc_ is now known as theDoc
11:17 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
11:18 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Quit: No Ping reply in 90 seconds.]
11:21 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:22 < bent_screwdriver> can you create and use variables in the open vpn config files?
11:23 < ecrist> http://searchenterprisewan.techtarget.com/tip/0,289483,sid200_gci1348343,00.html
11:23 < vpnHelper> Title: Advanced OpenVPN configuration (at searchenterprisewan.techtarget.com)
11:23 < ecrist> that article popped up in a quick google search
11:24 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
11:24 < bent_screwdriver> ecrist: yeah saw that but it wanted a login...
11:24 < ecrist> didn't ask me for a login...
11:26 < bent_screwdriver> it did for me, to read more of the article it asks me to become a member. Are you a member of the site and perhaps already logged in?
11:26 < bent_screwdriver>  To continue reading for free, register below or login  
11:26 < bent_screwdriver>                        ^^^^
11:27 < bent_screwdriver> guess it can do a quick 10 second test ;)
11:28 < ecrist> I'm not logged in, or a member of that site.
11:29 < ecrist> they obscure the article.  experts exchange does the same thing.  for me, if I scroll down below that, the rest of the article is there.
11:30 -!- embarasppadic [~sonupunno@88.211.55.77] has quit [Quit: embarasppadic]
11:30 < ecrist> bent_screwdriver: http://pastebin.com/wEvuxx0p
11:30 < bent_screwdriver> ecrist: thx. i just put in a fake email and hit back on their info form, and the article was there. time to read now.. 
11:30 < ecrist> ok
11:31 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
11:43 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Max SendQ exceeded]
11:48 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
11:49 < ecrist> krzee: hola
11:50 < ecrist> xxx is updated to 8.1-RC2 and butters is on it's way to 7.3pSOMETHING
12:08 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
12:10 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
12:17 < krzee> right on thanx man
12:17 < krzee> the sky has been falling since the office opened, will continue to most the day i think
12:18 < krzee> luckily most the BS involved is scriptable ;)
12:20 < EvilMachine> jpalmer: no solution then?
12:24 -!- mode/##openvpn [+o raidz] by ChanServ
12:31 -!- nate [~nate@unaffiliated/nate] has quit [Read error: Operation timed out]
12:34 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
12:35 -!- dazo is now known as dazo_afk
12:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Quit: No Ping reply in 90 seconds.]
12:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
12:49 -!- Chosi [osxchosi@choseh.de] has quit [Remote host closed the connection]
12:50 -!- Chosi [osxchosi@choseh.de] has joined ##openvpn
12:55 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote host closed the connection]
12:57 -!- dazo_afk is now known as dazo
13:01 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
13:03 -!- abeehc_ [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 240 seconds]
13:06 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
13:12 -!- krzee [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
13:13 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
13:22 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
13:34 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
13:37 -!- DrPepper [~DrPepper@78.141.145.123] has quit [Ping timeout: 260 seconds]
13:38 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
13:40 -!- DrPepper [~DrPepper@78.141.145.123] has joined ##openvpn
13:48 -!- batrick [~batrick@batbytes.com] has quit [Remote host closed the connection]
13:48 -!- killown [~geek@unaffiliated/killown] has joined ##openvpn
13:49 -!- EvilMachine [~navid@dslb-188-100-192-146.pools.arcor-ip.net] has quit [Quit: leaving]
13:50 -!- batrick [~batrick@batbytes.com] has joined ##openvpn
14:01 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
14:17 -!- MWinther [~mw@213-66-50-34-no166.tbcn.telia.com] has joined ##openvpn
14:27 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 252 seconds]
14:30 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
14:33 -!- theDoc [~theDoc@119.234.0.21] has quit [Remote host closed the connection]
14:36 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Remote host closed the connection]
14:36 -!- magglass1 [~m@unaffiliated/magglass1] has quit [Read error: Operation timed out]
14:36 -!- magglass1 [~m@unaffiliated/magglass1] has joined ##openvpn
14:37 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: Connection reset by peer]
14:38 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
14:38 -!- openvpn2009 [~admin@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 240 seconds]
14:38 -!- Guest12047 [~admin@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
14:38 -!- mode/##openvpn [+v Guest12047] by ChanServ
14:42 -!- troy- [7b5512d9ea@bgp4.us] has quit [Ping timeout: 240 seconds]
14:42 -!- troy- [e0fe3580d1@bgp4.us] has joined ##openvpn
14:51 -!- killown [~geek@unaffiliated/killown] has quit [Quit: Saindo]
15:05 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
15:09 -!- killown [~geek@unaffiliated/killown] has joined ##openvpn
15:17 -!- killown [~geek@unaffiliated/killown] has quit [Quit: Saindo]
15:31 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
15:35 -!- brah [~asdofp@190.183.62.68] has quit [Remote host closed the connection]
15:35 -!- krzie [~k@unaffiliated/krzee] has joined ##openvpn
15:40 -!- trumee [~nobody@cpc5-cmbg14-0-0-cust982.know.cable.virginmedia.com] has joined ##openvpn
15:40 < trumee> anybody uses sip over vpn?
15:41 < trumee> my sip uri is 11@xx.dyndns.org, whenever i use openvpn i have to change it to xx@192.168.1.10
15:42 < trumee> is there any way i dont have to specify the private server name after connecting with openvpn.
15:42 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 240 seconds]
15:42 < Bushmills> yes. specify its ip address
15:43 < trumee> you mean xx.dyndns.org public ip address, e.g. xx@82.xx.xx.xx
15:43 < trumee> but i have a dynamic dns, and ip address will change all the time
15:44 < trumee> Bushmills: without openvpn, i simply set the server as xx.dyndns.org and it works well
15:44 < trumee> oops, too many xx there but i guess you know what i mean :)
15:46 < trumee> why doesn openvpn resolve my 11@xx.dyndns.org  sip uri. What it should so is as follows. Once inside the network, it should connect to xx.dyndns.org which is my router, it should then forward the connection (port 5060 is forwarded) to 192.168.10 which hosts the asterisk server.
15:47 < Bushmills> well, i don't understand why you would specify 192.168.x.x addresses, or what the private server is.  but the "technique" of using ip addresses, instead of host names, is mostly applicable, special cases like virtual web hosts and such exempted
15:47 < Bushmills> openvpn doesn't resolve anything. name servers usually do.
15:48 < trumee> Bushmills: i guess i am talking all rubbish.
15:48 < Bushmills> openvpn resolves as much as a network cable does.
15:49 < Bushmills> i guess - albeit not fully understanding your problem - that your solution could be found in proper routing
15:51 < trumee> Bushmills: ok, this is what i did now. i started openvpn to the server xx.dyndns.org. Now when i ping xx.dyndns.org, the public ip address of xx.dyndns.org is resolved, but i get a 100% packet loss
15:52 < Bushmills> can you leave out the dyndns bit for now, and use ip addresses for outlining the problem?
15:53 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
15:54 < Bushmills> after all, nobody has any idea whether xx.dyndns.org resolves to the vpn client, the server, or to the white house
15:54 < trumee> Bushmills: i can certainly change the client.conf and replace "remote xx.dyndns.org 1184" with " remote mypublicip 1184". i will then start the client connection, and then ping to mypublicip. 
15:55 < Bushmills> your vpn server is on a dynamic ip address?
15:55 < trumee> yes
15:56 < Bushmills> minimum TTL of dyndns A records are 300 secs, afaik
15:57 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
15:58 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:58 < trumee> Bushmills: uggh, ping was blocked on my router. i have enabled that now.
15:59 < trumee> Bushmills: the pings to mypublic ip is returned now even when i am inside vpn
15:59 -!- killown [~geek@unaffiliated/killown] has joined ##openvpn
16:00 < trumee> so now if i have the sip server defined as 11@mypublicip, will that work?
16:01 < trumee> "traceroute mypublicip" isnt going through the vpn server. 
16:01 < Bushmills> if vpn server has been set up to route incoming packets on sipport to client, probably
16:01 < trumee> so that means 11@mypublicip will also no go through the vpn server?
16:02 < Bushmills> it won't if there is no reason for it
16:03 < trumee> Bushmills: this is my server.conf http://pastebin.com/47XNrhcU
16:03 < trumee> and on the vpnserver i also have, iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE and echo 1 > /proc/sys/net/ipv4/ip_forward
16:04 < Bushmills> has server any reason to route incoming sip traffic to client?
16:05 < trumee> Bushmills: I use the same server for asterisk and openvpn. So the server should route the traffic to client too.
16:06 < Bushmills> that conclusion is not evident to me, but if you say so - you know your setup, i don't
16:07 < trumee> Bushmills: oh crap! sorry i am probably wrong :)
16:07 < trumee> Bushmills: i simply dont want to change my sip uri from 11@xx.dyndns.org to 11@172.16.1.11 everytime i use openvpn :(
16:08 < Bushmills> why don't you let incoming sip traffic handle by asterisk on same machine as openvpn server then, and not bother about routing incoming traffic through vpn at all? 
16:09 < trumee> Bushmills: how can i do that?
16:09 < Bushmills> result is that incoming traffic will have to reach the same machine always, no matter whether openvpn is on or not
16:09 < Bushmills> about the how, you're probably better of asking on #asterisk
16:10 < trumee> i think this is something i want. i have forwarded the port 5060 from the router to the asterisk server.
16:10 < trumee> when i dont use openvpn, the voip client connects to the router which is portforwarded to the internal asterisk server and everything works.
16:10 < trumee> i dont know what happens when i use openvpn.
16:11 < Bushmills> so you have two asterisk server?
16:11 < trumee> No, just one asterisk server.
16:11 < Bushmills> one on the vpn server machine, and one internal astrerisk server?
16:12 < trumee> I have a router at 172.16.1.1 and asterisk server at 172.16.1.11
16:12 < trumee> The vpn server and asterisk server are the same 172.16.1.11
16:13 < trumee> The vpn client is a Nokia N900 phone which also has a voip software.
16:14 < trumee> Bushmills: does that make sense?
16:14 < Bushmills> no, because 172.16.1.11 isn't routed to through internet
16:14 < trumee> The router 172.16.1.1 has the dyndns client and it gets a public ip address
16:15 < trumee> 172.16.1.1 forwards the port 1194 onto 172.16.1.11
16:15 < trumee> for openvpn
16:16 < trumee> i dont understand "172.16.1.11 isn't routed to through internet", as it is indeed connected to the router. and internet works on 172.16.1.11
16:17 < Bushmills> that's an rfc1918 address, a private address. can't be connected to from outside
16:17 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
16:17 < trumee> Bushmills: yes, that is correct.
16:17 < trumee> Bushmills: so where is the setup wrong?
16:19 < Bushmills> my guess is, routes on the machine with the 172.16.1.11 address, or routing on the  172.16.1.1 machine.  
16:21 < Bushmills> maybe x.x.1.11 sends to x.x.1.1 not using vpn, and x.x.1.1 has default route through vpn, including traffic to 172.16.x.x
16:21 < trumee> The routes on 172.16.1.11 is here http://pastebin.com/XNsiJneS
16:22 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
16:22 < Bushmills> check log on vpn server whether it drops packets because of bad source address
16:24 < trumee> Bushmills: my log is pretty small on the vpn server, i use "status openvpn-status.log" "verb 3", how can i increase the log size?
16:25 < Bushmills> status isn't log
16:25 < trumee> Bushmills: ah, ok. sorting that out
16:34 < trumee> Bushmills: any idea what this means , http://pastebin.com/wSTbzRc4
16:34 < trumee> http://pastebin.com/frSn5TYA
16:35 < trumee> The sip connection to 11@xx.dyndns.org is failing on the phone
16:39 -!- sofia [90be5d1b@gateway/web/freenode/ip.144.190.93.27] has joined ##openvpn
16:40 < trumee> Bushmills: never mind. i will give this a go again tomorrow. thanks for your help
16:43 < sofia> !welcome
16:43 < vpnHelper> sofia: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:44 < sofia> hello, I have some questions on lan-to-lan openvpn...
16:45 < sofia> I have 2 computers which are connected to 2 different routers and I can talk between the two using openvpn. I have followed the instructions from http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
16:45 < vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
16:46 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Ping timeout: 276 seconds]
16:47 < sofia> Can anyone tell me how I can now add more clients to the subnet so that they are visible to the remote vpn endpoint
16:47 < sofia> ?
16:49 < sofia> I could not achieve this even though I did  echo "1" > /proc/sys/net/ipv4/ip_forward  on both vpn endpoints
16:50 -!- Floops [floops@shellium/staff/floops] has quit [Read error: Operation timed out]
16:50 < sofia> Also, I added a route to the remote subnet with vpnendpoint as the gateway
16:50 < sofia> Does anyone know what I might be missing ?
16:50 < sofia> Plz advice
16:53 -!- trumee [~nobody@cpc5-cmbg14-0-0-cust982.know.cable.virginmedia.com] has quit [Remote host closed the connection]
17:09 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
17:13 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
17:23 -!- corretico [~laguilar@201.201.44.82] has joined ##openvpn
17:26 -!- Guest12047 is now known as openvpn2009
17:26 -!- mode/##openvpn [+o openvpn2009] by ChanServ
17:27 -!- killown [~geek@unaffiliated/killown] has quit [Quit: Saindo]
17:27 -!- killown [~geek@unaffiliated/killown] has joined ##openvpn
17:27 -!- dazo is now known as dazo_afk
17:29 -!- floops [floops@404.not.found.shellium.org] has joined ##openvpn
17:31 -!- notbrien [~notbrien@69.60.16.242] has quit [Quit: notbrien]
17:43 -!- corretico [~laguilar@201.201.44.82] has quit [Read error: Connection reset by peer]
17:44 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
17:45 -!- killown [~geek@unaffiliated/killown] has quit [Quit: Saindo]
17:46 -!- killown [~geek@unaffiliated/killown] has joined ##openvpn
18:29 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
18:50 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
19:08 -!- theDoc [~theDoc@119.234.0.21] has joined ##openvpn
19:09 -!- geek [~banana@189.110.232.78] has joined ##openvpn
19:09 -!- killown [~geek@unaffiliated/killown] has quit [Ping timeout: 245 seconds]
19:09 -!- geek is now known as Guest73845
19:09 -!- Guest73845 [~banana@189.110.232.78] has quit [Read error: Connection reset by peer]
19:10 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
19:18 -!- theDoc [~theDoc@119.234.0.21] has quit [Quit: theDoc]
19:26 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
19:26 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Read error: Connection reset by peer]
19:26 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
19:31 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
19:57 -!- theDoc [~theDoc@119.234.0.21] has joined ##openvpn
19:58 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
20:02 -!- killown [~geek@unaffiliated/killown] has joined ##openvpn
20:03 -!- killown [~geek@unaffiliated/killown] has quit [Changing host]
20:03 -!- killown [~geek@unaffiliated/geek] has joined ##openvpn
20:14 -!- killown is now known as geek
20:17 -!- theDoc [~theDoc@119.234.0.21] has quit [Remote host closed the connection]
20:23 -!- theDoc [~link@unaffiliated/thedoc] has joined ##openvpn
20:23 -!- geek [~geek@unaffiliated/geek] has quit [Quit: Saindo]
20:29 -!- geek [~geek@unaffiliated/geek] has joined ##openvpn
22:03 -!- joako [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
22:24 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
22:29 -!- tuv [~tuv@unaffiliated/tuv] has left ##openvpn []
22:30 -!- krzee [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
22:42 -!- yakub [~www-data@unaffiliated/yakub] has quit [Quit: leaving]
23:13 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
23:14 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
23:35 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
23:36 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Client Quit]
23:36 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
--- Day changed Fri Jul 16 2010
00:13 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
00:22 -!- joako [~joako@opensuse/member/joak0] has joined ##openvpn
00:48 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Ping timeout: 276 seconds]
00:56 -!- dunc [~dunc@2001:960:7bd:1194::1] has joined ##openvpn
01:01 -!- DrPepper [~DrPepper@78.141.145.123] has quit [Quit: Leaving...]
01:11 -!- dunc [~dunc@2001:960:7bd:1194::1] has quit [Quit: Leaving]
01:12 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:12 -!- mode/##openvpn [+o mattock] by ChanServ
02:03 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
02:17 -!- DrPepper [~DrPepper@78.141.145.123] has joined ##openvpn
02:22 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
02:22 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:36 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 246 seconds]
02:36 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
02:43 -!- MWinther [~mw@213-66-50-34-no166.tbcn.telia.com] has quit [Ping timeout: 248 seconds]
02:46 -!- NoReflex [~ionut@86.34.232.55] has joined ##openvpn
02:46 < NoReflex> hello! I have a problem with rdesktop (on ArchLinux) through OpenVPN. From time to time (sometimes right after login, sometimes after a few minutes) rdesktop hangs and I must kill it and reopen it (this happens when I connect to both a XP machine and a Vista machine). after rdesktop hangs and can't even ping the machine for a few minutes so I suspect a networking issue
02:46 < NoReflex> I tried changing the MTU for tap0 but I don't think that is the problem - I tested the max MTU with ping -s 8000 -M do IP_Address and it works; currently the MTU is 1500; I'm using UDP
02:49 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
02:50 < NoReflex> I tried mtu-test as well - it gave 1573 - tried that but it still hangs after some time
02:57 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
03:10 -!- dazo_afk is now known as dazo
03:30 < kraut> moin
03:35 < NoReflex> !welcome
03:35 < vpnHelper> NoReflex: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:36 < NoReflex> !mitm
03:36 < vpnHelper> NoReflex: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:41 -!- takamichi [~pri@78.133.38.201] has quit [Ping timeout: 258 seconds]
03:41 -!- takamichi [~pri@94.75.217.249] has joined ##openvpn
03:48 -!- le0 [~fin@cpc4-bele7-2-0-cust381.know.cable.virginmedia.com] has joined ##openvpn
03:49 -!- le0 [~fin@cpc4-bele7-2-0-cust381.know.cable.virginmedia.com] has quit [Changing host]
03:49 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
04:11 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
04:13 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
04:24 < NoReflex> any idea?
04:27 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
04:27 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
04:27 -!- Chosi [osxchosi@choseh.de] has quit [Changing host]
04:27 -!- Chosi [osxchosi@unaffiliated/chosi] has joined ##openvpn
05:03 -!- theDoc [~link@unaffiliated/thedoc] has quit [Quit: Leaving]
05:20 < dazo> NoReflex: I've been using OpenVPN 2.1.1 and rdesktop against XP, Win2003srv and Win2008srv without any issues at all
05:22 < dazo> NoReflex: It most likely is connected to some network issues, but not easy to tell where now
05:28 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
05:28 < NoReflex> dazo, I'm using OpenVPN 2.1_rc7 on the router (server) and  OpenVPN 2.1.1 on my notebook (cleint)
05:29 < dazo> NoReflex: Try updating your server ... 2.1_rc7 is lacking a lot of bugfixes ... including one important security fix
05:33 -!- takamichi [~pri@94.75.217.249] has quit [Ping timeout: 258 seconds]
05:50 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:10 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
06:36 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 245 seconds]
06:37 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
06:43 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 240 seconds]
06:44 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
06:51 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
06:56 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Read error: Operation timed out]
06:57 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
07:08 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:14 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
07:18 -!- joako [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
07:19 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
07:22 < ecrist> good morning
07:23 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
07:23 < macsppadic> good afternoon ecrist
07:40 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Connection reset by peer]
07:48 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
07:55 < jwm> good next day to you
07:55 < jwm> heh
07:55 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
07:56 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 265 seconds]
08:13 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
08:19 -!- NoReflex [~ionut@86.34.232.55] has quit [Quit: Leaving]
08:21 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has joined ##openvpn
08:25 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:25 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 245 seconds]
08:36 -!- geek [~geek@unaffiliated/geek] has quit [Quit: Saindo]
08:36 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
08:37 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
08:45 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
08:53 -!- henk [~henk@netwichtig.de] has left ##openvpn []
09:08 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
09:25 -!- ksk [~ksk@im.knubz.de] has quit [Quit: leaving]
09:37 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
09:43 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
09:46 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
09:49 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
09:54 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
09:59 -!- Blues-Man [~bluesman@host80-107-dynamic.23-79-r.retail.telecomitalia.it] has joined ##openvpn
10:05 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
10:13 -!- krzie [~k@unaffiliated/krzee] has quit [Ping timeout: 240 seconds]
10:20 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
10:21 -!- notbrien [~notbrien@69.60.16.242] has joined ##openvpn
10:29 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
11:00 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
11:03 -!- macsppadic [~sonupunno@88.211.55.77] has left ##openvpn []
11:06 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
11:08 -!- killown [~killown@unaffiliated/killown] has quit [Client Quit]
11:09 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 4.0b1/20100630132354]]
11:10 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
11:17 < krzee> !ping
11:17 < vpnHelper> pong
11:17  * Blues-Man good blues bye
11:17 -!- Blues-Man [~bluesman@host80-107-dynamic.23-79-r.retail.telecomitalia.it] has quit [Quit: Sto andando via]
11:30 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:32 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 240 seconds]
11:34 -!- roentgen_ [~hart@miranda/user/roentgen] has joined ##openvpn
11:34 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
11:38 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
11:38 -!- krzee [~k@unaffiliated/krzee] has quit [Read error: Connection timed out]
11:39 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 276 seconds]
11:39 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
11:39 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
12:00 -!- killown [~killown@unaffiliated/killown] has quit [Ping timeout: 240 seconds]
12:00 -!- notbrien [~notbrien@69.60.16.242] has quit [Read error: Connection reset by peer]
12:01 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
12:02 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
12:03 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Remote host closed the connection]
12:04 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
12:04 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Remote host closed the connection]
12:04 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
12:05 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
12:05 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Remote host closed the connection]
12:06 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
12:07 -!- notbrien_ [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
12:08 -!- notbrien_ [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Remote host closed the connection]
12:08 -!- notbrien_ [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
12:09 -!- notbrien_ [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Remote host closed the connection]
12:09 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
12:10 -!- notbrien_ [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
12:10 -!- notbrien_ [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Remote host closed the connection]
12:10 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Ping timeout: 252 seconds]
12:11 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
12:11 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Remote host closed the connection]
12:12 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
12:12 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Remote host closed the connection]
12:13 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
12:14 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Remote host closed the connection]
12:14 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
12:15 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Remote host closed the connection]
12:15 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
12:16 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Remote host closed the connection]
12:18 -!- takamichi [~pri@78.133.38.201] has joined ##openvpn
12:18 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
12:18 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Remote host closed the connection]
12:18 -!- joako [~joako@99-153-162-173.lightspeed.miamfl.sbcglobal.net] has joined ##openvpn
12:19 -!- joako [~joako@99-153-162-173.lightspeed.miamfl.sbcglobal.net] has quit [Changing host]
12:19 -!- joako [~joako@opensuse/member/joak0] has joined ##openvpn
12:20 < takamichi> Hey chaps, I know this a hard question but do you think a 'dual core ATOM 330' CPU could handle 30 concurrent connections?
12:20 < ecrist> probably
12:20 < ecrist> though the dual-core part won't help
12:20 < hyper_ch> depends what those 30 connections do
12:20 < ecrist> openvpn isn't threaded
12:21 < takamichi> The new openvpnAS does take advantage of multi-core though right?
12:21 < krzee> its not new
12:21 < krzee> its just openvpn with a frontend
12:22 < ecrist> no, it doesn't
12:22 < takamichi> sorry, I know its not new, I meant the latest version
12:22 < takamichi> "Multi-daemon mode allows AS to scale up to the capabilities of multi-core
12:23 < takamichi> hardware by load-balancing incoming client connections across multiple
12:23 < takamichi> OpenVPN daemons. "
12:23 < takamichi> according to http://openvpn.net/index.php/access-server/download-openvpn-as/407-release-notes-v152.html
12:23 < vpnHelper> Title: Release Notes v1.5.2 (at openvpn.net)
12:24 < takamichi> What would the effect be to the client when the CPU starts to buckle? Does it reject new connections? Slow down?
12:25 < takamichi> hey krzee, thanks for your help!
12:25 < takamichi> krzee: you seem to always be around, do you live here?
12:27 < ecrist> takamichi: no, it slows down.
12:27 < ecrist> the load comes from the encryption, coupled with the max bandwidth the server can accomodate
12:28 < takamichi> ok, thanks that makes perfect sense
12:30 < krzee> im always in 17 channels if im home on my computer or at work (like now)
12:30 < krzee> across 4 networks
12:30 < krzee> but i pay the most attention to this channel and 1 on a different network
12:32 < ecrist> krzee is an IRC whore
12:33 < takamichi> wow wee!
12:34 < krzee> well i been on irc since the early 90's
12:34 < krzee> lol
12:36 < havoc> same here, plus IM (via bitlbee)
12:36 < hyper_ch> me only since '96
12:37 < havoc> which FYI, new bitlbee released last month
12:45 < havoc> damn, commercial SSL VPN is pricey
12:45 < havoc> ASA 5550 w/ 5,000 SSL licenses: $60,000USD
12:51 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
12:53 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
13:08 -!- roentgen_ [~hart@miranda/user/roentgen] has quit [Ping timeout: 260 seconds]
13:40 -!- dazo is now known as dazo_afk
13:56 -!- sofia [90be5d1b@gateway/web/freenode/ip.144.190.93.27] has quit [Ping timeout: 252 seconds]
14:05 -!- frW [~frW@smartit.se] has joined ##openvpn
14:06 < frW> When I connect to my OpenVPN server I have to manually do a ipconfig /renew to make the dhcp in that network give me an IP. Any particular reason why it doesnt try to fetch one itself?
14:15 < krzee> you are getting an IP from the dhcp server on other side of the bridge or from openvpn itself?
14:25 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
14:26 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Remote host closed the connection]
14:26 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:27 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
14:27 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Read error: Connection reset by peer]
14:28 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
14:28 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Remote host closed the connection]
14:29 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
14:29 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Remote host closed the connection]
14:30 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
14:31 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Read error: Connection reset by peer]
14:31 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
14:32 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Remote host closed the connection]
14:34 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
14:35 -!- notbrien [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Remote host closed the connection]
15:05 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
15:32 < frW> kraut, from a server / router on the bridged network
15:40 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:50 < krzee> then its not an openvpn question ;)
15:53 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.6/20100625231939]]
16:00 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
16:04 < krzee> however, you could easily put ipconfig/renew in a script and toss it at --up
16:06 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
16:11 -!- bent_screwdriver [~socain00@74.255.249.66] has quit [Ping timeout: 246 seconds]
16:15 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
16:20 < frW> kraut,mhm, thanks
16:21 < frW> krzee *
16:21 -!- mza- [~adam@hypnos.fscker.com] has joined ##openvpn
16:21 < mza-> !welcome
16:21 < vpnHelper> mza-: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:22 < mza-> is there a problem with pam_mysql and openvpn on FreeBSD? I've gotten authentication to work properly using pamtester but, when I use the auth-pam module in openvpn, i get errors about not being able to load pam_mysql.so
16:29 -!- lor [~lor@95.236.70.252] has joined ##openvpn
16:29 -!- lor [~lor@95.236.70.252] has left ##openvpn []
16:30 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Excess Flood]
16:36 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
16:52 -!- joako [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
17:05 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
17:10 -!- Chosi [osxchosi@unaffiliated/chosi] has quit [Read error: Operation timed out]
17:11 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
17:11 -!- geek [~geek@unaffiliated/geek] has joined ##openvpn
17:15 -!- geek [~geek@unaffiliated/geek] has quit [Remote host closed the connection]
17:16 -!- geek [~geek@unaffiliated/geek] has joined ##openvpn
17:43 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
18:07 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
18:08 -!- smerz [~smerz@smerz.demon.nl] has quit [Client Quit]
18:08 -!- kazagistar [~kazagista@host-174-45-73-153.bzm-mt.client.bresnan.net] has joined ##openvpn
18:09 < kazagistar> !welcome
18:09 < vpnHelper> kazagistar: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:16 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
18:18 < kazagistar> ok, I am going through the setup of a VPN for the first time, but I am unable to find a tutorial or configuration that does what I want... I want to create a VPN where all connected computers see each other as if they were connected to the same physical LAN, but that is NOT connected to my actual LAN. Basically, I want a isolated vpn server my friends can log into to play lan games, but prevents access to all my local s
18:21 < kazagistar> from what I understand, I should configure a tap interface as if I was planning to bridge it, and then just not make a bridge?
18:56 -!- Netsplit *.net <-> *.split quits: jfkw, hyper_ch, jpalmer, qfr, UdontKnow, freaky[t], Champi, raw_, Scruffy
18:57 -!- th1 [~th@pdpc/supporter/professional/th1] has joined ##openvpn
18:57 < th1> !welcome
18:57 < vpnHelper> th1: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:59 < th1> Is it possible to have multiple simultaneous connections with openvpn ala multi-session FTP to boost throughput over a VPN?
18:59 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
18:59 -!- Netsplit over, joins: freaky[t], jfkw, qfr, Scruffy, hyper_ch, UdontKnow, jpalmer, raw_, Champi
19:14 -!- joako [~joako@opensuse/member/joak0] has joined ##openvpn
19:17 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
19:27 -!- curiosityorg [~curiosity@curiosity.org] has joined ##openvpn
19:27 < curiosityorg> howdy
19:28 < curiosityorg> anyone available for a question?
19:31 < th1> don't ask to ask .. but ask your question ;) .. anyway I asked and I didn't get an answer, if I know the one to yours I'll try to help
19:31 < curiosityorg> cool, I appreciate it - I'm only here since there's no one in #vyatta :(
19:32 < curiosityorg> I'm trying to do a remote access vpn.  I have the server setup on a vyatta box and the client I'm testing with is a mac.  The tunnel comes up but from the Mac I cannot ping the tunnel ip it gets, or it's gateway at the vyatta server
19:33 < th1> I don't even know what vyatta is .. 
19:33 < curiosityorg> reading forums, double-checking available docs and even watching some walkthroughs on vimeo/youtube aren't much help
19:33 < th1> if one end was a Linux box I would probably know a few commands you could try ;)
19:34 < curiosityorg> fair enough - www.vyatta.org/.com if you're bored :)
19:34 < curiosityorg> well vyatta is a linux-based router distro basically
19:35 < th1> so the tunnel comes up you say
19:35 < curiosityorg> yep
19:35 < curiosityorg> I can see packets passing, the options I push show up on the Mac (dns and route)
19:35 < th1> what does ifconfig tun0 on the vyatta box say? assuming tun0 is the device
19:36 < th1> oh ok
19:36 < curiosityorg> yeah they call it vtun, but yeah - lemme fire it up
19:36 < th1> can you ping the mac from the vyatta
19:39 < curiosityorg> <still setting up> - gonna re-check that in a sec
19:40 < th1> is it a tunnel or a bridge setup?
19:40 < th1> (from the mac's point of view)?
19:43 < curiosityorg> sorry, ok - you'll have to bear with me on the nomenclature
19:44 < curiosityorg> originally the openvpn client was creating a tun0 on the mac, but last night in desperation I switched it to a tap with no significant change
19:44 < curiosityorg> i assume tun vs. tap is tunnel vs. bridge?
19:46 < th1> not sure but that sounds plausible
19:46 < th1> if your mac gets its ip address with dhcp it's probably bridged
19:46 < th1> the main thing is if you can ping the mac (on the address it got on that interface) from the gateway box
19:47 < curiosityorg> yeah I don't seem to be able to even though the vyatta software has a 'show openvpn server-status' command that shows my client is connected, it's remote ip, it's tunnel ip, etc.
19:48 < curiosityorg> 100% packet loss when I try
19:48 < curiosityorg> server -> client
19:48 < th1> ok
19:48 < th1> but since the Mac got the IP address etc
19:48 < th1> some traffic must have gone through
19:48 < th1> so I suspect the problem is on the Mac side
19:49 < th1> some firewall or permission thing? sorry but I don't know nothing about macs
19:49 < curiosityorg> fair enough - I made sure to disable the built-in mac firewall just to be safe
19:50 < curiosityorg> the one change I noticed changing the client config from tun to tap was now when I do an ifconfig I see two inet addresses listed - the one I'm trying to set up for the tunnel (i'm using 172.16.101.0/24 addresses) and one of those 169.254.x.x addresses which I didn't see when I had the client configured for tun
19:56 < curiosityorg> well sorry you didn't get your answers but thanks for trying to help me find mine
19:57 < curiosityorg> cheers
19:57 -!- curiosityorg [~curiosity@curiosity.org] has quit [Quit: [BX] Check out the sexy BitchX pr0n at http://127.0.0.1/bx-pron.html]
20:05 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 245 seconds]
20:09 -!- kazagistar [~kazagista@host-174-45-73-153.bzm-mt.client.bresnan.net] has quit [Read error: Operation timed out]
20:13 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
20:21 -!- kazagistar [~kazagista@host-174-45-73-153.bzm-mt.client.bresnan.net] has joined ##openvpn
20:21 -!- kazagistar [~kazagista@host-174-45-73-153.bzm-mt.client.bresnan.net] has left ##openvpn []
20:24 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 265 seconds]
20:24 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
20:36 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 264 seconds]
20:48 -!- Chosi [osxchosi@choseh.de] has joined ##openvpn
20:54 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
20:55 -!- sezuan [bouncer@irc.scheff32.de] has quit [Ping timeout: 240 seconds]
20:59 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
21:11 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
21:25 -!- kazagistar [~kazagista@host-174-45-73-153.bzm-mt.client.bresnan.net] has joined ##openvpn
21:28 < kazagistar> I want to create an isolated VPN that is not connected to any other networks, and simply allows bridged connections between clients... anyone knows what options might be useful in server.conf and client.conf to make this work?
22:22 < kazagistar> if I just take a bridging tutorial configuration, and replace server-bridge with server (and then dont create a bridge in iptables) will that do what I want?
22:37 < UdontKnow> iptables is totally unable to create a bridge :)
22:41 < kazagistar> well, not that, but you know what I mean
22:41 < kazagistar> I dont want a bridge, so it is OK that I am unsure of how to make one :P
22:42 -!- sezuan [bouncer@irc.scheff32.de] has joined ##openvpn
22:43 < UdontKnow> just dont create it and all is fine
22:45 < kazagistar> should I use "server" instead of "server-bridge", then? this is the tutorial I was following (and want to deviate from): http://www.thebakershome.net/openvpn_tutorial
22:45 < vpnHelper> Title: How to Install Openvpn | The Bakers Homepage (at www.thebakershome.net)
22:46 < kazagistar> (slick bot function)
23:07 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
23:28 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 258 seconds]
23:33 -!- krzie [nobody@hemp.ircpimps.org] has joined ##openvpn
23:34 -!- krzie [nobody@hemp.ircpimps.org] has quit [Changing host]
23:34 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
--- Day changed Sat Jul 17 2010
00:57 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:12 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
01:13 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
01:18 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
01:24 -!- mape2k [~mape2k@p5B283770.dip.t-dialin.net] has joined ##openvpn
01:29 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
01:31 -!- meepmeep [meepmeep@212.24.104.229] has quit [Ping timeout: 245 seconds]
01:35 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
01:37 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
02:20 -!- kazagistar [~kazagista@host-174-45-73-153.bzm-mt.client.bresnan.net] has left ##openvpn []
02:30 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:36 -!- trumee [~nobody@cpc5-cmbg14-0-0-cust982.know.cable.virginmedia.com] has joined ##openvpn
02:37 < trumee> guys, i have setup openvpn on my mobile device and it is working well. My only worry is that if my device is stolen and somebody copies the client cert/keys then they could login into my server.  Is there any way of adding a password as well?
02:46 -!- trumee [~nobody@cpc5-cmbg14-0-0-cust982.know.cable.virginmedia.com] has quit [Read error: Connection reset by peer]
02:47 -!- trumee [~nobody@cpc5-cmbg14-0-0-cust982.know.cable.virginmedia.com] has joined ##openvpn
02:53 -!- mape2k [~mape2k@p5B283770.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
03:36 -!- trumee is now known as zzztrumee
03:37 -!- zzztrumee is now known as trumee
03:47 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
03:56 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Read error: Operation timed out]
03:56 -!- DrPepper [~DrPepper@78.141.145.123] has quit [Remote host closed the connection]
04:01 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Quit: Yippee-kay-yay]
04:01 < krzie> trumee, depends on if your phone supports it (iphone does not)
04:02 < krzie> if it does, you password protect your private key
04:04 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
04:07 < julius> there's still a possibility of using CRLs
04:23 -!- trumee is now known as zzztrumee
04:30 -!- SOG [~SOG@n1164868040.netvigator.com] has joined ##openvpn
04:30 -!- DrPepper [~DrPepper@78.141.145.123] has joined ##openvpn
04:31 -!- zzztrumee is now known as trumee
04:48 -!- SOG [~SOG@n1164868040.netvigator.com] has quit [Quit: SOG]
04:50 -!- DrPepper [~DrPepper@78.141.145.123] has quit [Remote host closed the connection]
04:54 -!- gallatin [~gallatin@188.109.201.255] has joined ##openvpn
04:58 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
05:02 -!- trumee is now known as zzztrumee
05:12 -!- joako [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
05:13 < tmkd_> hi
05:13 < tmkd_> i have this in syslog 
05:13 < tmkd_> Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]
05:13 < tmkd_> what is the reason?
05:26 -!- kazagistar [~kazagista@host-174-45-73-153.bzm-mt.client.bresnan.net] has joined ##openvpn
05:27 -!- takamichi [~pri@78.133.38.201] has quit [Ping timeout: 276 seconds]
05:27 -!- takamichi [~pri@67.159.55.231] has joined ##openvpn
05:30 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
05:33 -!- takamichi [~pri@67.159.55.231] has quit [Ping timeout: 265 seconds]
05:33 -!- kazagistar [~kazagista@host-174-45-73-153.bzm-mt.client.bresnan.net] has left ##openvpn []
05:33 -!- takamichi [~pri@94.75.217.247] has joined ##openvpn
05:38 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 276 seconds]
05:52 < batrick> tmkd_: apparently your config didn't properly specify the push option?
05:59 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
06:03 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 246 seconds]
06:15 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:18 -!- gallatin [~gallatin@188.109.201.255] has quit [Ping timeout: 265 seconds]
06:24 -!- takamichi [~pri@94.75.217.247] has quit [Ping timeout: 240 seconds]
06:25 -!- takamichi [~pri@78.133.38.201] has joined ##openvpn
06:26 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
06:34 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 258 seconds]
06:35 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
06:38 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
07:22 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:24 -!- zzztrumee is now known as trumee
08:08 -!- trumee is now known as zzztrumee
08:09 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
08:35 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
08:45 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:00 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
09:12 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Read error: Connection reset by peer]
09:19 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Read error: Connection reset by peer]
09:23 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
09:31 -!- sezuan [bouncer@irc.scheff32.de] has quit [Quit: ...]
09:42 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:44 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
10:00 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 252 seconds]
10:05 -!- SOG [~SOG@n112118165032.netvigator.com] has joined ##openvpn
10:06 -!- sezuan [bouncer@irc.scheff32.de] has joined ##openvpn
10:21 -!- geek [~geek@unaffiliated/geek] has quit [Quit: Saindo]
10:21 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
10:32 -!- geek [~geek@unaffiliated/geek] has joined ##openvpn
10:40 -!- manchot1 [~tux@67.23.167.150] has joined ##openvpn
10:42 -!- manchot1 [~tux@67.23.167.150] has quit [Read error: Connection reset by peer]
10:48 -!- joako [~joako@opensuse/member/joak0] has joined ##openvpn
11:05 -!- mripguru [~NOYB@vpn1.hspheredns.com] has joined ##openvpn
11:05 < mripguru> !welcome
11:05 < vpnHelper> mripguru: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:06 < mripguru> Hello, when using OpenVPN - is it possible to selectively send traffic over it vs. my real connection?
11:12 < mripguru> !redirect
11:12 < vpnHelper> mripguru: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
11:12 < mripguru> !def1
11:12 < vpnHelper> mripguru: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
11:12 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
11:32 -!- optix [~NOYB@cpe-66-65-113-156.nyc.res.rr.com] has joined ##openvpn
11:33 -!- geek [~geek@unaffiliated/geek] has quit [Remote host closed the connection]
11:36 -!- mripguru [~NOYB@vpn1.hspheredns.com] has quit [Ping timeout: 258 seconds]
11:39 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 264 seconds]
11:39 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
11:40 -!- optix [~NOYB@cpe-66-65-113-156.nyc.res.rr.com] has quit [Ping timeout: 265 seconds]
11:40 -!- optix [~NOYB@vpn1.hspheredns.com] has joined ##openvpn
11:40 -!- optix [~NOYB@vpn1.hspheredns.com] has quit [Remote host closed the connection]
11:43 -!- sezuan [bouncer@irc.scheff32.de] has quit [Read error: Operation timed out]
11:44 -!- sezuan [bouncer@irc.scheff32.de] has joined ##openvpn
11:52 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 252 seconds]
12:02 -!- hyper_ch [~hyper@adsl-62-167-116-178.adslplus.ch] has joined ##openvpn
12:02 < hyper_ch> hi there
12:03 < hyper_ch> !resolv
12:03 < vpnHelper> hyper_ch: Error: "resolv" is not a valid command.
12:03 < hyper_ch> !nameserver
12:03 < vpnHelper> hyper_ch: Error: "nameserver" is not a valid command.
12:04 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
12:04 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
12:06 < hyper_ch> hmmm, why can't I resolve any domains anymore :(
12:12 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 240 seconds]
12:13 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
12:17 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 258 seconds]
12:18 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:19 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
12:22 < hyper_ch> krzee: online?
12:29 < krzee> yes but way too busy to help
12:30 < hyper_ch> hmmm, for some reasons, after reboot, I can't resolve any domains anymore when openvpn is started
12:30 < hyper_ch> really weird
12:36 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
12:38 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 276 seconds]
12:39 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Read error: Connection reset by peer]
12:44 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
12:57 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 276 seconds]
12:59 -!- geek [~geek@unaffiliated/geek] has joined ##openvpn
12:59 -!- geek [~geek@unaffiliated/geek] has quit [Remote host closed the connection]
12:59 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
13:05 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
13:07 -!- fitzdsl [~fitzdsl@88.191.116.97] has quit [Quit: leaving]
13:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:25 -!- zzztrumee is now known as trumee
13:37 -!- trumee is now known as zzztrumee
13:58 -!- joako [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
14:10 -!- zzztrumee is now known as trumee
14:21 -!- trumee is now known as zzztrumee
14:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Max SendQ exceeded]
14:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
--- Log closed Sat Jul 17 14:30:15 2010
--- Log opened Sat Jul 17 14:33:39 2010
14:33 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
14:33 -!- Irssi: ##openvpn: Total of 90 nicks [2 ops, 0 halfops, 0 voices, 88 normal]
14:37 -!- Irssi: Join to ##openvpn was synced in 346 secs
14:41 -!- hyper_ch [~hyper@adsl-62-167-116-178.adslplus.ch] has quit [Remote host closed the connection]
14:55 -!- zzztrumee is now known as trumee
15:05 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
15:45 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
15:47 < hyper_ch> I'm online again :)
15:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
15:53 -!- trumee is now known as zzztrumee
16:07 -!- zzztrumee is now known as trumee
16:21 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 4.0b1/20100630132354]]
16:43 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
16:44 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
16:47 -!- abeehc_ [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
16:47 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 240 seconds]
16:55 -!- abeehc_ [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 245 seconds]
17:35 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
17:36 -!- roothorick [~fgsfds@CPE-72-129-147-218.new.res.rr.com] has joined ##openvpn
17:37 < roothorick> am I doing this right? XP Pro client, the VPN tested out fine. I want it to be running in the background all the time as a system service
17:39 < roothorick> so the home.ovpn is in C:\Program Files\OpenVPN\config along with the certs and keys. So then all I have to do is set the OpenVPN service to Automatic, or is there an extra step?
17:40 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 276 seconds]
17:45 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
17:53 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 240 seconds]
17:53 < roothorick> bizarre... one swift reboot and both the VPN and VNC services kicked in
18:07 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
18:17 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
18:21 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 240 seconds]
18:23 < kisom> nfdskm
18:25 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
18:27 -!- tw [~silverfis@c-98-223-105-100.hsd1.in.comcast.net] has quit [Ping timeout: 265 seconds]
18:27 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
18:35 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 252 seconds]
18:37 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
18:37 -!- joako [~joako@opensuse/member/joak0] has joined ##openvpn
18:43 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 276 seconds]
--- Log closed Sat Jul 17 18:49:39 2010
--- Log opened Sat Jul 17 18:49:44 2010
18:49 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
18:49 -!- Irssi: ##openvpn: Total of 89 nicks [2 ops, 0 halfops, 0 voices, 87 normal]
18:50 -!- Irssi: Join to ##openvpn was synced in 29 secs
18:50 -!- roothorick [~fgsfds@CPE-72-129-147-218.new.res.rr.com] has quit [Quit: Wow! What a great client! Bersirc 2.2 [ http://www.bersirc.org/ - Open Source IRC ]]
19:13 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
19:18 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 265 seconds]
19:35 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
20:02 -!- SOG_ [~SOG@n1192361076.netvigator.com] has joined ##openvpn
20:04 -!- SOG [~SOG@n112118165032.netvigator.com] has quit [Ping timeout: 276 seconds]
20:04 -!- SOG_ is now known as SOG
20:16 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
20:21 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 240 seconds]
20:32 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
20:37 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 240 seconds]
20:39 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
20:40 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Remote host closed the connection]
20:47 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
20:47 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Remote host closed the connection]
20:49 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
20:55 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 248 seconds]
21:15 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Read error: Connection reset by peer]
21:18 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
21:29 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
21:33 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 240 seconds]
21:41 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
21:48 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 240 seconds]
21:51 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
22:05 -!- trumee [~nobody@cpc5-cmbg14-0-0-cust982.know.cable.virginmedia.com] has quit [Remote host closed the connection]
22:27 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
23:01 -!- SOG_ [~SOG@n112118135168.netvigator.com] has joined ##openvpn
23:02 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
23:04 -!- SOG [~SOG@n1192361076.netvigator.com] has quit [Ping timeout: 240 seconds]
23:04 -!- SOG_ is now known as SOG
23:20 -!- joako [~joako@opensuse/member/joak0] has quit [Read error: Connection reset by peer]
23:21 -!- joako [~joako@opensuse/member/joak0] has joined ##openvpn
23:47 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
--- Day changed Sun Jul 18 2010
00:57 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:24 -!- bvierra_ [~bvierra@cpe-76-167-245-163.socal.res.rr.com] has joined ##openvpn
02:28 -!- bvierra|h [~bvierra@cpe-76-167-245-163.socal.res.rr.com] has quit [Ping timeout: 265 seconds]
02:40 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
03:31 -!- joako [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
03:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Quit: No Ping reply in 90 seconds.]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 240 seconds]
03:40 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
04:02 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
04:13 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
05:06 -!- SOG [~SOG@n112118135168.netvigator.com] has quit [Remote host closed the connection]
05:06 -!- SOG [~SOG@n112118135168.netvigator.com] has joined ##openvpn
05:17 -!- SOG_ [~SOG@n112118141141.netvigator.com] has joined ##openvpn
05:18 -!- SOG [~SOG@n112118135168.netvigator.com] has quit [Ping timeout: 240 seconds]
05:18 -!- SOG_ is now known as SOG
05:30 -!- SOG [~SOG@n112118141141.netvigator.com] has quit [Ping timeout: 265 seconds]
05:31 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
05:53 -!- Netsplit *.net <-> *.split quits: funkyHat, th1, clyons, MikeW, ike, Bushmills, krzee, fahadsadah, dunc, nb,  (+9 more, use /NETSPLIT to show all of them)
05:54 -!- Netsplit over, joins: krzee, @openvpn2009, @raidz, APTX, nb, dunc, th1, floops, fahadsadah, MikeW (+9 more)
05:55 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
07:18 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
08:31 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
08:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:39 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
08:43 -!- creack [~charme_g@163.5.84.215] has quit [Ping timeout: 240 seconds]
09:09 -!- creack [~charme_g@163.5.84.215] has joined ##openvpn
09:25 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 276 seconds]
09:26 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
09:50 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 252 seconds]
09:52 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined ##openvpn
09:54 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Excess Flood]
09:55 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined ##openvpn
10:03 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
10:44 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
11:52 -!- takamichi [~pri@78.133.38.201] has quit [Ping timeout: 258 seconds]
11:53 -!- mosno [~mosno@unaffiliated/mosno] has joined ##openvpn
12:01 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
12:13 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 260 seconds]
12:14 -!- joako [~joako@opensuse/member/joak0] has joined ##openvpn
12:21 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
12:34 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
12:45 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
12:48 -!- mosno [~mosno@unaffiliated/mosno] has quit [Quit: mosno]
12:49 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
12:51 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Client Quit]
13:04 -!- SOG [~SOG@222.125.202.173] has quit [Read error: Connection reset by peer]
13:06 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
13:46 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
13:52 -!- qfr [void@unaffiliated/yw] has left ##openvpn []
14:17 -!- joako [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
14:18 -!- RedT0mt0m [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has quit [Read error: Connection reset by peer]
14:18 -!- RedT0mt0m [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has joined ##openvpn
14:27 -!- joako_ [~joako@opensuse/member/joak0] has joined ##openvpn
14:35 -!- clyons [~clyons@unaffiliated/clyons] has quit [Quit: Leaving]
14:36 -!- joako_ [~joako@opensuse/member/joak0] has quit [Read error: Connection reset by peer]
15:16 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 252 seconds]
16:41 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
17:08 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 260 seconds]
17:44 -!- znh [~hans@unaffiliated/znh] has joined ##openvpn
17:44 < znh> Hello :-)
17:44 < znh> i'm kinda stuck with redirect-gateway. Traffic is received and send to eth0 on server. but no replies from remote end
17:46 < znh> if i ping to 4.2.2.3 (internet ip) its send to it, with correct source addres. no reply back though.
17:58 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:19 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
18:21 < Bushmills> !redirect
18:21 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:22 < Bushmills> note the   ip forward and nat parts
18:23 < znh> !nat
18:23 < vpnHelper> znh: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
18:23 < znh> !linnat
18:23 < vpnHelper> znh: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
18:23 < znh> !winnat
18:23 < vpnHelper> znh: "winnat" is (#1) http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows, or (#2) http://www.nanodocumet.com/?p=14 for windows XP
18:24 < znh> yep. did the nat thing and ip forward boolean to 1
18:24 < znh> redirect-gateway is in the client conf
18:24 < Bushmills> !firewall
18:24 < vpnHelper> Bushmills: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
18:25 < znh> not a firewall issue
18:25 < znh> tcpdump shows tun0 -> eth0 -> remote host   but only one direction
18:27 < Bushmills> you're saying that requests are sent from the other interface to the destination hosts?
18:29 -!- MWinther [~mw@213-66-50-34-no166.tbcn.telia.com] has joined ##openvpn
18:29 < znh> yes
18:29 < Bushmills> thus, if you ping me, i should see your echo requests'?
18:30 < znh> tcpdump shows the request being send
18:30 < Bushmills> so when they're sent, they should arrive at destiniation.
18:31 < Bushmills> ping, through openvpn and redirect,  scarydevilmonastery.net
18:31 < Bushmills> i have tshark running, watching icmp
18:31 < znh> hold on
18:32 < znh> ignore first two requests
18:33 < Bushmills> what was the originating ip address (or part of)?
18:33 < znh> 178.21.112
18:34 < Bushmills> i see the requests. replies were sent too
18:35 < znh> more than two?
18:35 < Bushmills> but - you say "ignore the first two requests"
18:35 < Bushmills> i only got two
18:36 < znh> those were send from gateway to verify network from me to you
18:36 < Bushmills> then your nat or ip forward or firewall doesn't seem to be right
18:37 < Bushmills> because those requests aren't sent
18:37 < znh> tcpdump -i eth0 icmp shows:
18:37 < znh> 01:35:38.300849 IP my-IP > scarydevilmonastery.net: ICMP echo request, id 1, seq 942, length 40
18:40 < znh> i did the masquerade thing and echo 1 to /proc file.. is there more?
18:42 < Bushmills> assuming firewall allows traffic out, and replies in, no. that's all what's needed
18:43 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
18:44 < znh> thanks for debug :)
18:47 < Bushmills> np
19:09 -!- trefn [~tim@cpe-98-154-37-53.socal.res.rr.com] has joined ##openvpn
19:10 -!- znh [~hans@unaffiliated/znh] has quit [Quit: Lost terminal]
19:11 < trefn> if I set up a gateway, will my client have access to internal ips of the eth0 of the gateway server? or does each other server that i'd like to be able to connect to have to be a client of the gateway?
19:12 < Bushmills> !route
19:12 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
19:12 < trefn> thanks
19:34 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
19:49 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
19:54 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
19:57 -!- kyuubi [~kyuubi@unaffiliated/kyuubi] has joined ##openvpn
20:07 -!- MWinther [~mw@213-66-50-34-no166.tbcn.telia.com] has quit [Remote host closed the connection]
20:17 -!- kyuubi [~kyuubi@unaffiliated/kyuubi] has quit [Quit: Saindo]
20:17 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
20:34 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
20:41 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
20:41 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
20:43 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
20:56 -!- trefn [~tim@cpe-98-154-37-53.socal.res.rr.com] has quit [Quit: trefn]
21:07 -!- trefn [~tim@cpe-98-154-37-53.socal.res.rr.com] has joined ##openvpn
21:47 -!- tjz [~pc@bb116-14-167-197.singnet.com.sg] has joined ##openvpn
21:47 -!- tjz [~pc@bb116-14-167-197.singnet.com.sg] has quit [Changing host]
21:47 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
22:03 -!- creack [~charme_g@163.5.84.215] has quit [Ping timeout: 240 seconds]
22:15 -!- SuperMiguel [~miguel@cpe-173-169-39-75.tampabay.res.rr.com] has joined ##openvpn
22:15 < SuperMiguel> after i do a --config and want to reissue a --config how do i turn it off?
22:16 < SuperMiguel> getting Sun Jul 18 23:15:57 2010 TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use
22:27 -!- SuperMiguel [~miguel@cpe-173-169-39-75.tampabay.res.rr.com] has left ##openvpn ["Leaving"]
22:33 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
22:54 -!- SOG [~SOG@61.144.230.241] has quit [Quit: SOG]
22:57 -!- SuperMiguel [~miguel@cpe-173-169-39-75.tampabay.res.rr.com] has joined ##openvpn
22:57 < SuperMiguel> how secure is openvpn when using a static key?
22:59 -!- highvolt [~Jeremy@67.232.48.125] has joined ##openvpn
23:00 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
23:01 -!- miguel_ [~miguel@cpe-173-169-39-75.tampabay.res.rr.com] has joined ##openvpn
23:02 -!- miguel_ is now known as Guest68490
23:04 -!- SuperMiguel [~miguel@cpe-173-169-39-75.tampabay.res.rr.com] has quit [Ping timeout: 240 seconds]
23:07 -!- Guest68490 [~miguel@cpe-173-169-39-75.tampabay.res.rr.com] has quit [Ping timeout: 276 seconds]
23:31 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
23:32 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
23:44 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
23:45 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
23:46 -!- trefn [~tim@cpe-98-154-37-53.socal.res.rr.com] has quit [Quit: trefn]
--- Day changed Mon Jul 19 2010
00:11 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
00:15 -!- trefn [~tim@cpe-98-154-37-53.socal.res.rr.com] has joined ##openvpn
00:21 -!- highvolt [~Jeremy@67.232.48.125] has quit [Read error: Connection reset by peer]
00:22 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
00:23 -!- creack [~charme_g@163.5.84.215] has joined ##openvpn
00:28 -!- creack [~charme_g@163.5.84.215] has quit [Ping timeout: 240 seconds]
00:32 -!- joako [~joako@opensuse/member/joak0] has joined ##openvpn
00:35 < joako> How do I setup openvpn for network to network. All I seem to find is network to clients examples
00:46 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
00:48 -!- creack [~charme_g@163.5.84.215] has joined ##openvpn
00:54 -!- creack [~charme_g@163.5.84.215] has quit [Ping timeout: 240 seconds]
00:58 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
01:08 -!- creack [~charme_g@163.5.84.215] has joined ##openvpn
01:14 -!- creack [~charme_g@163.5.84.215] has quit [Ping timeout: 265 seconds]
01:17 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
01:20 -!- joako [~joako@opensuse/member/joak0] has quit [Read error: Connection reset by peer]
01:20 -!- SOG [~SOG@61.144.230.241] has quit [Quit: SOG]
01:20 -!- joako [~joako@opensuse/member/joak0] has joined ##openvpn
01:22 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
01:23 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:23 -!- mode/##openvpn [+o mattock] by ChanServ
01:31 -!- creack [~charme_g@163.5.84.215] has joined ##openvpn
01:36 -!- creack [~charme_g@163.5.84.215] has quit [Ping timeout: 240 seconds]
01:51 -!- theDoc [~link@unaffiliated/thedoc] has joined ##openvpn
02:14 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:22 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:33 < kisom> heh, love it when your colleagues does your work when on vacation
02:33 < kisom> NOT
02:33 < kisom> 120 damn incidents i have to do this week :D
02:34 -!- creack [~charme_g@163.5.84.215] has joined ##openvpn
02:49 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
02:54 -!- kisom [~kisom@c-f9dde155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Ping timeout: 258 seconds]
02:55 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:06 -!- foobarz [1000@unaffiliated/foobarz] has joined ##openvpn
03:23 -!- dazo_afk is now known as dazo
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
04:05 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
04:18 -!- joako [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
04:25 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
04:25 -!- creack [~charme_g@163.5.84.215] has quit [Ping timeout: 240 seconds]
04:25 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
04:25 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Client Quit]
04:38 -!- creack [~charme_g@163.5.84.215] has joined ##openvpn
05:00 -!- theDoc [~link@unaffiliated/thedoc] has quit [Ping timeout: 265 seconds]
05:07 -!- zamba [marius@flage.org] has quit [Ping timeout: 276 seconds]
05:10 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
05:22 < kraut> moin
05:23 < tmkd_> hi
05:29 -!- zamba [marius@flage.org] has joined ##openvpn
05:49 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:08 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
06:15 -!- SOG [~SOG@61.144.230.241] has quit [Quit: SOG]
06:17 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:20 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 248 seconds]
06:23 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
06:26 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
06:32 -!- theDoc [~link@173.236.41.34] has joined ##openvpn
06:32 -!- theDoc [~link@173.236.41.34] has quit [Changing host]
06:32 -!- theDoc [~link@unaffiliated/thedoc] has joined ##openvpn
06:33 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 252 seconds]
06:35 -!- vici0us [foobar@91.176.74.196] has joined ##openvpn
06:42 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Ping timeout: 276 seconds]
06:46 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
06:47 -!- ksk [~ksk@im.knubz.de] has joined ##openvpn
06:52 -!- SOG [~SOG@61.144.230.241] has quit [Quit: SOG]
06:56 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
06:58 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
07:15 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
07:17 -!- trefn [~tim@cpe-98-154-37-53.socal.res.rr.com] has quit [Quit: trefn]
07:22 -!- mosno [~mosno@unaffiliated/mosno] has joined ##openvpn
07:27 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
07:39 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Write error: Broken pipe]
07:46 -!- angelete2 [~costa_ang@212.183.206.162.static.user.ono.com] has joined ##openvpn
07:46 < angelete2> hi
07:48 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
07:48 -!- macsppadic_ [~sonupunno@88.211.55.77] has joined ##openvpn
07:48 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Read error: Connection reset by peer]
07:48 -!- macsppadic_ is now known as macsppadic
07:48 < angelete2> i've configured my server to work as bridge
07:48 < angelete2> this server is also my lan dns server
07:51 < angelete2> http://pastebin.com/bbjKfcrT <- This is my sever.conf
07:52 < angelete2> my server is ubuntu and now i want to connect my windows clients
07:52 < angelete2> i've generated certs using build-key client1 and copied client1.crt client1.key and ca.crt into my windows folder
07:55 -!- bent_screwdriver [~socain00@74.255.249.66] has joined ##openvpn
07:57 < angelete2> http://pastebin.com/9C8bnuNf <- This is my client config file
08:08 -!- raidz [~Andrew@seance.openvpn.org] has quit [Read error: Connection reset by peer]
08:08 -!- raidz [~Andrew@seance.openvpn.org] has joined ##openvpn
08:09 < angelete2> my client can't get ip
08:23 < angelete2> any help?
08:25 < angelete2> !welcome
08:25 < vpnHelper> angelete2: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:25 < angelete2> !howto
08:25 < vpnHelper> angelete2: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:26 < angelete2> !redirect
08:26 < vpnHelper> angelete2: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
08:26 < angelete2> !ipforward
08:26 < vpnHelper> angelete2: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
08:26 < angelete2> !linipforward
08:26 < vpnHelper> angelete2: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
08:30 < angelete2> !mitm
08:30 < vpnHelper> angelete2: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
08:32 -!- SOG_ [~SOG@222.125.202.173] has joined ##openvpn
08:33 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
08:35 -!- SOG [~SOG@222.125.202.173] has quit [Ping timeout: 265 seconds]
08:35 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
08:37 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
08:38 -!- mosno [~mosno@unaffiliated/mosno] has quit [Quit: mosno]
08:38 -!- SOG_ [~SOG@222.125.202.173] has quit [Ping timeout: 240 seconds]
08:40 -!- SOG_ [~SOG@222.125.202.173] has joined ##openvpn
08:41 -!- SOG [~SOG@222.125.202.173] has quit [Ping timeout: 260 seconds]
08:41 -!- angelete2 [~costa_ang@212.183.206.162.static.user.ono.com] has quit []
08:41 -!- SOG_ is now known as SOG
08:46 -!- SOG [~SOG@222.125.202.173] has quit [Ping timeout: 260 seconds]
08:46 -!- SOG_ [~SOG@222.125.202.173] has joined ##openvpn
08:46 -!- SOG_ is now known as SOG
08:48 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
08:55 -!- yakub [~www-data@unaffiliated/yakub] has joined ##openvpn
08:56 -!- [cannibalera] [~Bersirc@201.22.86.124.static.gvt.net.br] has joined ##openvpn
08:57 < [cannibalera]> somebody brazilian?
09:08 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
09:12 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
09:12 < hyper_ch> [cannibalera]: there are millions of brazilians out there
09:30 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
09:31 -!- SuperMiguel [~miguel@cpe-173-169-39-75.tampabay.res.rr.com] has joined ##openvpn
09:32 < SuperMiguel> i have two servers at work, one is running openvpn.. I can vpn to it with no problem, but how can i get access to serverB when i vpn to server A?
09:33 < Bushmills> connect to it
09:33 < hyper_ch> !tell SuperMiguel [config]
09:33 < hyper_ch> damn, I fogot how it works :)
09:33 -!- raidzxx [~Andrew@seance.openvpn.org] has joined ##openvpn
09:34 < Bushmills> ik think that's ok
09:34 < Bushmills> maybe no !
09:34 < Bushmills> oh well, maybe with !
09:34 < SuperMiguel> like on the config file i put an ifconfig that is on the same subnet of my routers dhcp adress, 
09:34 < Bushmills> !route
09:34 < SuperMiguel> but i can only ping the machine im vpn to.. not the others in the network
09:34 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:34 < hyper_ch> !config
09:35 < vpnHelper> hyper_ch: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
09:35 < hyper_ch> !welcome
09:35 < vpnHelper> hyper_ch: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:36 -!- raidz [~Andrew@seance.openvpn.org] has quit [Ping timeout: 246 seconds]
09:37 < SuperMiguel> ok let me try that thanks
09:37 < hyper_ch> !tell
09:37 < vpnHelper> hyper_ch: (tell <nick> <text>) -- Tells the <nick> whatever <text> is. Use nested commands to your benefit here.
09:40 < SuperMiguel> also when i change the config file on the server.. every time that i rerun the command config it tells me that is beeing used already, so i have to kill the process and run the --config.. is there an easier way?
09:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:55 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
09:55 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
10:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
10:03 < SuperMiguel> so, i have 2 servers, SA ip address is 192.168.0.2, SB ip address is 192.168.0.4 (SB is running OpenVPN) in the config file i only have dev tun0, ifconfig 192.168.0.15 192.168.0.16, secret static.key... How can i tell my client that to get to 192.168.0.1 he can use 192.168.0.15 ???
10:03 < SuperMiguel> i tried the routing wiki but no go ;(
10:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:05 < krzee> no kidding, you have conflicting subnets
10:05 < krzee> try using subnets that are not =
10:05 < krzee> !samesubnet
10:05 < vpnHelper> krzee: "samesubnet" is clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
10:06 < SuperMiguel> ok let me make my ifconfig 10.0.0.1 10.0.0.2
10:06 < krzee> i cant help more, its insane migration week, part 2
10:07 < krzee> but i did help in advance, use a cert setup and use  !route... if you read it good enough it does work
10:08 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
10:11 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
10:14 -!- LeRrA [~lerra@c-9b9872d5.029-136-73746f3.cust.bredbandsbolaget.se] has quit [Ping timeout: 248 seconds]
10:15 -!- LeRrA [~lerra@ua-213-114-152-155.cust.bredbandsbolaget.se] has joined ##openvpn
10:16 -!- SuperMiguel [~miguel@cpe-173-169-39-75.tampabay.res.rr.com] has quit [Ping timeout: 240 seconds]
10:22 -!- SuperMiguel [~miguel@166-116.94-24.tampabay.res.rr.com] has joined ##openvpn
10:23 -!- cj [~cjac@karma.colliertech.org] has joined ##openvpn
10:23 < cj> hey folks
10:23 < cj> if I wanted to push a route to a client when it connects, what would I change?
10:26 < Bushmills> the clients' routing table
10:28 -!- strangebrewaway [strangebre@nlayer.us] has joined ##openvpn
10:28 < strangebrewaway> !welcome
10:28 < vpnHelper> strangebrewaway: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:29 < cj> thanks, strangebrewaway
10:29 -!- SuperMiguel [~miguel@166-116.94-24.tampabay.res.rr.com] has quit [Ping timeout: 260 seconds]
10:29 < cj> is there a line I can add to my /etc/openvpn/ccd/newhost file in order to tell the host to route all traffic to 172.16.10.0/24 through the vpn?
10:31 -!- SuperMiguel [~miguel@166-116.94-24.tampabay.res.rr.com] has joined ##openvpn
10:36 -!- SuperMiguel [~miguel@166-116.94-24.tampabay.res.rr.com] has quit [Ping timeout: 248 seconds]
10:36 -!- theDoc [~link@unaffiliated/thedoc] has quit [Ping timeout: 265 seconds]
10:37 < Bushmills> !redirect
10:37 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
10:38 < Bushmills> oh. all *to net* . yes.  push route to that net
10:38 -!- SuperMiguel [~miguel@166-116.94-24.tampabay.res.rr.com] has joined ##openvpn
10:39 < cj> push "route 172.16.10.0 255.255.255.0"
10:39 < cj> like that? :)
10:39 < Bushmills> for example, yes
10:39 < cj> and a single IP would just be push "route 172.16.10.42 255.255.255.255" ?
10:40 < Bushmills> no netmask needed
10:40 < cj> ah, thanks
10:44 -!- SuperMiguel [~miguel@166-116.94-24.tampabay.res.rr.com] has quit [Ping timeout: 240 seconds]
10:46 -!- strangebrewaway [strangebre@nlayer.us] has quit [Excess Flood]
10:47 -!- _Strangebrew [strangebre@nlayer.us] has joined ##openvpn
10:47 < cj> hurm.  I'm doing something wrong.
10:49 < cj> 172.16.10.42/32  172.16.9.0         UGSc            1        0    tap0
10:49 < cj> hurm.  172.16.9.0 is probably not the right gateway.  can I tell it to route packets for that IP through 172.16.9.30 ?
10:49 -!- _Strangebrew is now known as Strangebrew
10:49 -!- SuperMiguel [~miguel@cpe-173-169-39-75.tampabay.res.rr.com] has joined ##openvpn
10:49 < SuperMiguel> So i have an OpenVPN server which ip is 192.168.0.4, is a network with few computers on 192.168.0.0 255.255.255.0, i have a laptop and from outside i want to communicate with the systems inside the network... this are my conf files http://pastebin.com/3P57xTGw
10:51 < Bushmills> cj, add gateway as next parameter.  btw, man page tells you too
10:51 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 248 seconds]
10:53 < cj> Bushmills: I can't find the right man page, I guess
10:53 < Bushmills> SuperMiguel:  (17:05:08) krzee: no kidding, you have conflicting subnets
10:53 < Bushmills> cj, man page is "openvpn"
10:53 < Bushmills> and you look at "route"
10:54 < cj> Bushmills: nice.  'push "route 172.16.10.42 255.255.255.255 172.16.9.30"' should do, then...
10:54  * cj tries
10:55 < SuperMiguel> Bushmills, what you mean conflicting subnets? which ip/subnet i need to change??
10:55 < Bushmills> OpenVPN server which ip is 192.168.0.4 -  few computers on 192.168.0.0 255.255.255.0
10:56 -!- MWinther [~mw@213-66-50-34-no166.tbcn.telia.com] has joined ##openvpn
10:56 < Bushmills> give openvpn its own net
10:56 < SuperMiguel> Bushmills, isnt that what the ifconfig 10.0.0.1 10.0.0.2 does?
10:57 < Bushmills> it would, but then your openvpn server had 10.x.x.x, not 192.168.x.x 
10:57 < cj> that did it.  thx
10:58 < SuperMiguel> well my eth0 is 192.168.0.4 and my tan0 (OpenVPN ip) is 10.0.0.1
10:58 < Bushmills> wtf is tan?
10:58 < SuperMiguel> tun*
10:59 < Bushmills> then proceed with:
10:59 < Bushmills> !route
10:59 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:00 < SuperMiguel> Bushmills, i read it, but i cant use client-to-client, since i need server, and i cant use server since im using static keys
11:00 < SuperMiguel> or secret*
11:01 < Bushmills> client-to-client is optional. it merely takes a shortcut, instead of going through OS routing
11:01 < SuperMiguel> so i added to my server conf route 192.168.0.1 255.255.0
11:01 < SuperMiguel> push "route 192.168.0.1 255.255.255.0"
11:02 < SuperMiguel> anything i need to add to my client?
11:03 < SuperMiguel> instead of a 1 at the end of both ips is a 0 
11:04 < Bushmills> when routing to a net, you'd want a net address as destination, not a host address
11:05 < SuperMiguel> so route 192.168.0.0 255.255.255.0 and push "route 192.168.0.0 255.255.255.0
11:05 < Bushmills> looks better
11:05 < SuperMiguel> anything in my client?
11:06 < SuperMiguel> still looks like this http://pastebin.ca/1903737
11:07 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
11:07 < Bushmills> as client is on same subnet as lan behind vpn server, you may run into problems with that
11:08 < krzee> !pfnat
11:08 < vpnHelper> krzee: "pfnat" is nat on <inf> from <subnet/ip> to <subnet/ip> -> <nat_ip>
11:08 < Bushmills> consider: where to should vpn server route packets with destination, say, 192.168.0.10
11:10 -!- repent [repent@69.197.60.247] has joined ##openvpn
11:10 < repent> !pfnat
11:10 < vpnHelper> repent: "pfnat" is nat on <inf> from <subnet/ip> to <subnet/ip> -> <nat_ip>
11:10 < repent> !ipfwnat
11:10 < vpnHelper> repent: Error: "ipfwnat" is not a valid command.
11:11 < SuperMiguel> how secure is OpenVPN when using static keys????
11:12 < repent> !na
11:12 < repent> !nat
11:12 < vpnHelper> repent: Error: "na" is not a valid command.
11:12 < vpnHelper> repent: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
11:12 < repent> !fbsdnat
11:12 < vpnHelper> repent: "fbsdnat" is see http://cavanantha.wordpress.com/2007/09/16/nat-on-freebsd-using-pf/ for a basic howto for NAT on FreeBSD
11:13 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:13 < Bushmills> single client? ok. multiple clients? suckish as you can't keep track of all keys, or ensure they haven't been accessed without authorisation.
11:14 -!- MWinther [~mw@213-66-50-34-no166.tbcn.telia.com] has quit [Remote host closed the connection]
11:18 -!- Strangebrew is now known as StrangebrewAway
11:23 < SuperMiguel> Bushmills, ya only me
11:24 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:26 < Bushmills> then security is proportional to the care you take not allowing others to get hold of the key
11:33 -!- joako [~joako@opensuse/member/joak0] has joined ##openvpn
11:38 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Remote host closed the connection]
11:38 -!- MWinther [~mw@213-66-50-34-no166.tbcn.telia.com] has joined ##openvpn
11:39 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
11:41 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
11:41 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:48 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
11:50 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
11:57 -!- mjk64 [~mjk@p4FDAD3CF.dip.t-dialin.net] has joined ##openvpn
11:58 < mjk64> !welcome
11:58 < vpnHelper> mjk64: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:01 -!- SuperMiguel [~miguel@cpe-173-169-39-75.tampabay.res.rr.com] has quit [Ping timeout: 240 seconds]
12:05 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
12:10 < mjk64> Scenario: OpenVPN server in the office, a few clients and a server at home. When running the openvpn-client on any machine at home, it works. But I want to run an openvpn-client on my home server, so that all machines in the LAN can access the office's OpenVPN server without any config needed for the clients. Alas, it doesn't work. Packets reach my server, but don't get forwarded to the office's OpenVPN server. --- Is there any option like ...
12:10 < mjk64> ... "Listen to *all* incoming packets, not just local packets" in the openvpn-client?
12:10 < mjk64> OS is Debian GNU/Linux everywhere (office + home).
12:11 < Bushmills> configure your home openvpn client as gateway for your home network machines
12:12 < Bushmills> !ipforward
12:12 < vpnHelper> Bushmills: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
12:12 < mjk64> 8-)
12:13 < mjk64> IP forwarding is enabled on my home server
12:14 < mjk64> Let me check the manpage for "gateway"
12:14 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
12:16 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
12:16 -!- MikeW [~MW@ks35441.kimsufi.com] has left ##openvpn []
13:08 -!- SuperMiguel [~miguel@cpe-173-169-39-75.tampabay.res.rr.com] has joined ##openvpn
13:08 -!- [cannibalera] [~Bersirc@201.22.86.124.static.gvt.net.br] has quit [Ping timeout: 258 seconds]
13:13 -!- [cannibalera] [~Bersirc@201.22.86.124.static.gvt.net.br] has joined ##openvpn
13:28 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
13:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 246 seconds]
13:40 -!- dazo is now known as dazo_afk
13:43 -!- SuperMiguel [~miguel@cpe-173-169-39-75.tampabay.res.rr.com] has quit [Quit: This computer has gone to sleep]
14:00 -!- SuperMiguel [~miguel@cpe-173-169-39-75.tampabay.res.rr.com] has joined ##openvpn
14:22 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:24 -!- dollabill [~mike@97.66.26.10] has quit []
14:26 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
14:46 -!- joako [~joako@opensuse/member/joak0] has quit [Read error: Connection reset by peer]
14:46 -!- joako [~joako@opensuse/member/joak0] has joined ##openvpn
15:26 -!- JackCorleone [~Jack@201-26-13-95.dsl.telesp.net.br] has joined ##openvpn
15:45 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
15:59 -!- SuperMiguel [~miguel@cpe-173-169-39-75.tampabay.res.rr.com] has quit [Quit: This computer has gone to sleep]
16:05 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
16:07 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
16:09 -!- SuperMiguel [~miguel@cpe-173-169-39-75.tampabay.res.rr.com] has joined ##openvpn
16:26 < yakub> i want in my client config to use a vpn server, but use another one if the first one is down.  how do i do that?
16:29 < repent> make a ping script
16:30 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
16:30 < repent> with perhaps symbolic links to your configuration files
16:30 < yakub> are you talkign to me?  there's some client config setting for this, i can't find it though
16:30 < repent> relink it to a diff one and cycle the vpn process
16:30 < repent> yes
16:30 < repent> oh
16:30 < yakub> nah that's not the way
16:30 < repent> im not sure
16:30 < repent> i'm telling you a way using bash scripting
16:30 < yakub> that sounds... kind of weird
16:32 < yakub> i guess you just add more remote lines
16:32 < yakub> The OpenVPN client configuration can refer to multiple servers for load balancing and failover. For example:
16:32 < yakub> remote server1.mydomain
16:32 < yakub> remote server2.mydomain
16:32 < yakub> remote server3.mydomain
16:32 < yakub> will direct the OpenVPN client to attempt a connection with server1, server2, and server3 in that order. If an existing connection is broken, the OpenVPN client will retry the most recently connected server, and if that fails, will move on to the next server in the list.
16:41 -!- SuperMiguel [~miguel@cpe-173-169-39-75.tampabay.res.rr.com] has quit [Quit: This computer has gone to sleep]
17:02 -!- raidzxx [~Andrew@seance.openvpn.org] has quit [Quit: Leaving]
17:02 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:03 -!- raidzxx [~Andrew@seance.openvpn.org] has joined ##openvpn
17:03 -!- raidz [~Andrew@seance.openvpn.org] has joined ##openvpn
17:04 -!- mode/##openvpn [+o raidz] by ChanServ
17:07 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
17:11 -!- SuperMiguel [~miguel@cpe-173-169-39-75.tampabay.res.rr.com] has joined ##openvpn
17:20 < Bushmills> yakub: simply use multiple remote statements in your config
17:20 < yakub> yeah i figured it out, i pasted in the relevant stuff for posterity
17:22 -!- SuperMiguel [~miguel@cpe-173-169-39-75.tampabay.res.rr.com] has quit [Quit: This computer has gone to sleep]
17:29 -!- SuperMiguel [~miguel@cpe-173-169-39-75.tampabay.res.rr.com] has joined ##openvpn
17:34 -!- SuperMiguel [~miguel@cpe-173-169-39-75.tampabay.res.rr.com] has quit [Quit: This computer has gone to sleep]
17:45 -!- raidzxx [~Andrew@seance.openvpn.org] has quit [Quit: Leaving]
18:03 -!- SuperMiguel [~miguel@173.169.39.75] has joined ##openvpn
18:04 -!- samu [s@unaffiliated/samaelszafran] has joined ##openvpn
18:04 < samu> Hello, I've got a weird question.
18:04 < samu> I'm connecting to my openvpn server through tcp
18:04 < samu> I've routed all gtraffic, works fine
18:05 < samu> Ive also routed some ports from the server to me
18:05 < samu> it works fine, for tcp
18:05 < samu> but not for udp.
18:05 < samu> so, is it openvpn which can't do this correctly, or my routing screwed up?
18:05 < samu> using ipnat for this, rdr rule
18:05 < Bushmills> the only person who can tell is you
18:06 < Bushmills> rest of the world lacks information
18:06 < Bushmills> well, actually, it is your config
18:07 < Bushmills> because openvpn can transmit udp and tcp
18:08 < Bushmills> !tcp
18:08 < vpnHelper> Bushmills: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
18:09 -!- SuperMiguel [~miguel@173.169.39.75] has left ##openvpn ["Leaving"]
18:43 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
18:43 -!- mjk64 [~mjk@p4FDAD3CF.dip.t-dialin.net] has quit [Quit: leaving]
19:06 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
19:14 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
19:35 -!- arcsky [~arcsky@2a01:48:100:1:1::1c2] has quit [Read error: Operation timed out]
19:35 -!- arcsky [~arcsky@2a01:48:100:1:1::1c2] has joined ##openvpn
19:35 -!- killown [~killown@unaffiliated/killown] has quit [Changing host]
19:35 -!- killown [~killown@unaffiliated/geek] has joined ##openvpn
19:35 -!- killown is now known as geek
19:43 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
19:59 -!- geek [~killown@unaffiliated/geek] has quit [Changing host]
19:59 -!- geek [~killown@unaffiliated/killown] has joined ##openvpn
19:59 -!- geek is now known as killown
20:12 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
20:35 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
20:35 -!- SOG [~SOG@61.144.230.241] has quit [Remote host closed the connection]
20:35 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
20:44 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
21:15 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
21:17 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has quit [Ping timeout: 619 seconds]
21:23 -!- trefn [~tim@c-98-248-40-254.hsd1.ca.comcast.net] has joined ##openvpn
21:24 < trefn> Can someone explain what IP forwarding is? my google-fu is failing me
21:24 < trefn> the docs tell me to enable it
21:24 < trefn> but i don't like doing it without knowing what exactly it's for
21:27 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has joined ##openvpn
21:49 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
21:51 < ecrist> trefn: it allows a machine to forward IP packets between interfaces
21:51 < ecrist> otherwise the kernel won't forward them on.
21:52 < trefn> ecrist: interfaces meaning tun0 -> eth1 for example?
21:52 < ecrist> yep
21:52 < trefn> excellent thanks
21:52 < ecrist> no problem.
22:31 -!- trefn [~tim@c-98-248-40-254.hsd1.ca.comcast.net] has quit [Quit: trefn]
22:34 -!- krzee [~k@unaffiliated/krzee] has quit [Remote host closed the connection]
22:50 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
22:58 -!- pagec [~chatzilla@96.57.210.34] has joined ##openvpn
23:18 -!- pagec [~chatzilla@96.57.210.34] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6/20100115144158]]
23:22 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
23:31 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Ping timeout: 240 seconds]
--- Day changed Tue Jul 20 2010
00:28 -!- takamichi [~pri@78.133.38.201] has joined ##openvpn
00:34 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
00:44 -!- foobarz [1000@unaffiliated/foobarz] has quit [Ping timeout: 260 seconds]
01:01 -!- foobarz [1000@unaffiliated/foobarz] has joined ##openvpn
01:48 -!- sezuan [bouncer@irc.scheff32.de] has left ##openvpn []
01:57 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:57 -!- mode/##openvpn [+o mattock] by ChanServ
02:01 -!- Rene [~Rene@cs181081047.pp.htv.fi] has joined ##openvpn
02:02 < Rene> Good morning all!
02:02 < Rene> !welcome
02:02 < vpnHelper> Rene: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:03 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:05 -!- hid3 [~tst@lan-78-157-71-116.vln.skynet.lt] has joined ##openvpn
02:06 < kraut> moin
02:06 < hid3> Good morning everyone. I'm using an OpenVPN client on my laptop to connect to my OpenVPN server (HOME network). Is there any possibility to create as weakest encryption certificate as possible in order to save some laptop battery (will not use much resources for encryption of traffic when under load)?
02:06 < hid3> I don't care much about security/encryption
02:07 < hyper_ch> why then use a vpn?
02:07 < hid3> To access Samba, FTP and other services which are closed by my router and other ISPs firewalls
02:08 < Rene> could someone point me into an centos-howto for openvpn? One of the servers i'm maintaining got centos installed, and i most likely got in trouble with it's firewall..
02:08 < hid3> I had a straight question. Is there any straight answer to it without those 'why' and 'you'd better ...' ?
02:09 < Rene> hid3, sorry, i can't help you.. no clue about your things..
02:09 < hid3> Rene, thanks.
02:09 < hid3> I guess I'll need to relook the HOW-TO again and see if I can somehow make lower encryption certs...
02:09 < Rene> hid3, but i guesss that it probably should be possible..
02:10 < Rene> what kind of traffic are you routing?
02:10 < Rene> samba?
02:10 < hid3> Video
02:10 -!- repent [repent@69.197.60.247] has quit [Ping timeout: 240 seconds]
02:10 < Rene> stream?
02:10 < hid3> you know, it uses much bandwidth and encryption is practically useless here
02:10 < hid3> yeah, video stream through samba
02:10 < Rene> try with disabling lzo
02:11 < hid3> lzo is compression, right?
02:11 < Rene> yep
02:12 < hid3> thanks
02:12 < hyper_ch> Rene: whta's not working on there?
02:14 < hid3> !welcome
02:14 < vpnHelper> hid3: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:14 < Rene> hyper_ch, i'm trying to use centos default firewall-tool (system-config-securitylevel-tui) for just opening ports, but it seems to me that it can't handle multiple networkdevices, like tap0
02:14 < hid3> where's the quickstart guide for linux? :(
02:14 < hyper_ch> Rene: well, what makes you think the vpn isn't working?
02:15 < hid3> !configs
02:15 < vpnHelper> hid3: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
02:15 < hid3> !howto
02:15 < vpnHelper> hid3: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:15 < hyper_ch> Rene: did you enable ipv4 forward?
02:15 < Rene> hyper_ch, vpn works, but it's the firewall that i would need to tune for letting samba through
02:15 < hid3> oh here it is...
02:15 < Rene> hyper_ch, i'll check that
02:15 < hyper_ch> Rene: so you can't access the vpned samba from a non vpn-machine?
02:16 < Rene> hyper_ch, btw, disabing the firewall with system-config-securitylevel-tui lets me samba through..
02:16 < Rene> hyper_ch, yes
02:16 < Rene> my other debian-server has a physical firewall outside, so on that machine i don't run any firewall
02:16 < Rene> hyper_ch, that works like a charm :-)
02:18 < hyper_ch> Rene: those ar the iptables rules I load to (a) forward certain ports to a given vpn client and (b) enable dns queries from the vpn clients [the last rule) -> http://www.pastebin.ca/1904262
02:18 < hyper_ch> you just need to make the samba port to go the right machine I tend to think
02:19 < Rene> hyper_ch, you don't do anything for the tun/tap device?
02:19 < hyper_ch> !tunortap
02:19 < vpnHelper> hyper_ch: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
02:19 < vpnHelper> hyper_ch: against you over the vpn, or (#4) lan gaming? use tap!
02:19 < hyper_ch> Rene: nope, nothing special there for me
02:19 < hyper_ch> but then, I don't use samba
02:29 < Rene> hyper_ch, :-)
02:29 -!- joako [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
02:30 -!- dazo_afk is now known as dazo
02:30 < Rene> !wins
02:30 < vpnHelper> Rene: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
02:31 -!- skillet [~skillet@178.33.25.214] has joined ##openvpn
02:31 < skillet> hi all
02:31 < skillet> !welcome
02:31 < vpnHelper> skillet: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:32 < skillet> simple question
02:32 < skillet> does openvpn support elliptic curve
02:32 < hyper_ch> what's elliptic curve?
02:32 < skillet> !wiki
02:32 < vpnHelper> skillet: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
02:33 < skillet> a class of key
02:33 < skillet> with related algorithms
02:34 < skillet> i see some stuff on mailing lists about submitted patches vbut cant tell if they were accepted
02:34 < skillet> i want to do ecdh
02:40 < skillet> http://osdir.com/ml/network.openvpn.devel/2008-06/msg00008.html
02:40 < vpnHelper> Title: Re: OpenVPN and ECC support - msg#00008 - network.openvpn.devel (at osdir.com)
02:42 < skillet> im guessing the patch wasnt accepted?
02:43 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
02:47 < hyper_ch> don't know
03:29 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:32 -!- angelete2 [~costa_ang@212.183.206.162.static.user.ono.com] has joined ##openvpn
03:32 < angelete2> hi
03:33 < angelete2> i think i need a little advise
03:33 < angelete2> i want my laptop which is connected directly to internet to work as it wolud be inside my lan
03:33 < angelete2> for that, my openvpn server has to work as bridge, am i correct?
03:35 -!- mosno [~mosno@unaffiliated/mosno] has joined ##openvpn
03:36 < hyper_ch> !bridge
03:36 < vpnHelper> hyper_ch: "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc, or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ, or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man)
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:38 < angelete2> thanks, now other question (i was right, lol!!)
03:39 < angelete2> !pam
03:39 < vpnHelper> angelete2: Error: "pam" is not a valid command.
03:40 < angelete2> i've created my certificates for both my server and clients, i'm trying to configure also vpn with pam, and i've typed plugin auth-openvpn-pam.so login
03:41 < angelete2> but it allows any existant user in my server to login using any certificate
03:41 < angelete2> i want to direct link any certificate to any user, is it possible?
03:41 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
03:58 < angelete2> nobody alive...
04:04 -!- samu [s@unaffiliated/samaelszafran] has left ##openvpn []
04:07 < macsppadic> hello angelete2 
04:09 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 248 seconds]
04:12 < skillet> ok cool
04:12 < skillet> Tue Jul 20 21:08:31 2010 Cannot load certificate file predacus-host-cert.pem: error:0D09B0A3:asn1 encoding routines:d2i_PublicKey:unknown public key type: error:0B077066:x509 certificate routines:X509_PUBKEY_get:err asn1 lib: error:140BF10C:SSL routines:SSL_SET_CERT:x509 lib
04:13 < skillet> does that mean the openssl it was compiled against is braindead?
04:31 -!- BoomSie [~gideon@dw77242112238.amsterdam-tc.dataweb.net] has joined ##openvpn
04:43 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
04:54 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
05:11 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:13 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
05:13 -!- BoomSie [~gideon@dw77242112238.amsterdam-tc.dataweb.net] has quit [Quit: Ex-Chat]
05:22 -!- vici0us [foobar@91.176.74.196] has quit [Read error: Connection reset by peer]
05:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:27 -!- vici0us [foobar@91.176.141.31] has joined ##openvpn
05:43 -!- SOG [~SOG@61.144.230.241] has quit [Quit: SOG]
05:49 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
05:54 -!- jwm [jwm@dev.dist.us] has quit [Read error: Operation timed out]
06:01 -!- Netsplit *.net <-> *.split quits: Rene, havoc, cj, macsppadic, Chosi, killermouse0, nb, takamichi, n0sq, f1assistance,  (+88 more, use /NETSPLIT to show all of them)
06:04 -!- jwm [jwm@dev.dist.us] has joined ##openvpn
06:04 -!- Netsplit over, joins: freaky[t], @mattock, mape2k, @raidz, ScriptFanix, @openvpn2009, vpnHelper, dazo, cron2, f1assistance (+88 more)
06:20 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
06:22 -!- macsppadic is now known as browsesppadic
06:41 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
06:47 -!- swilde [~wilde@aktaia.intevation.org] has joined ##openvpn
06:48 < swilde> hi *, I'm looking for cheap hardware (appliance) vpn routers with openvpn support.
06:49 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Ping timeout: 252 seconds]
06:50 < swilde> Is something like this available, without reflashing with *wrt of some sort?
06:51 < swilde> The only thing I found so far is the Mini-VPN-Router by lyconsys.com
06:52 < swilde> It would be nice to know of some alternatives, especially as I wasn't able to reach anyone at lyconsys...
06:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:55 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
06:56 < Bushmills> how much is "cheap"?
06:59 < hyper_ch> hi Bushmills
06:59 < Bushmills> hi hyper_ch
07:00 < hyper_ch> swilde: what's wrong about putting some proper firmware on it?
07:00 < skillet> hey all
07:01 < skillet> any developers here
07:01 < skillet> and why is the #openvpn invite only
07:01 < Bushmills> to keep you from joining, maybe?
07:01 < skillet> well in that case
07:02 < skillet> why are EC ciphers blacklisted from openvpn cipher list
07:02 < skillet> when they are supported by openssl
07:03 < skillet> eg
07:04 < hyper_ch> skillet: you could implement them into openvpn
07:04 < skillet> $ openssl ciphers -v ECDHE-ECDSA-AES128-SHA
07:04 < skillet> ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
07:05 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
07:06 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
07:06 < skillet>  /usr/sbin/openvpn --show-tls |grep ECDHE-ECDSA-AES128-SHA -c
07:06 < skillet> 0
07:06 -!- JackCorleone [~Jack@201-26-13-95.dsl.telesp.net.br] has quit [Remote host closed the connection]
07:06 < skillet> hyper_ch: i shouldnt have to
07:06 < skillet> its linking the openssl library
07:07 < hyper_ch> skillet: why should anyone to do it for you?
07:07 < skillet> it should already be enabled 
07:07 < skillet> i think its a bug
07:07 < skillet> i dont know the code
07:07 < hyper_ch> apt-source :)
07:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
07:12 -!- skillet is now known as jmg
07:22 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:30 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
07:32 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
07:39 < hid3> How do I generate server and client servificates? My OpenVPN is installed via Debian repositories...
07:40 < swilde> hyper_ch: nothing is "wrong" with it, only that I have an customer, who wands some existing boxed solution...
07:40 < ecrist> hid3: there is easy-rsa included with openvpn
07:41 < hyper_ch> hid3: read the howto
07:42 < hyper_ch> hi ecrist
07:42 < ecrist> hello. :)
07:52 < hid3> hyper_ch, ecrist: thanks. It seems to be hidden well.. I was generating it half a year ago but now forgot. Anyway, I found it. Re-generated the certs down to 384 bit RSA to save some cpu/power...
07:53 < hid3> turning off LZO also save cpu/power, right?
07:54 < ecrist> yes, but uses more bandwidth
07:55 < hid3> well...
07:55 < hid3> Any ideas which is better for a VPN on a Laptop (battery powered)? LZO which uses CPU/power of no LZO and more power used by WiFi or LAN card?
07:56 < ecrist> I don't use LZO on my vpns.
07:56 < ecrist> for whatever that's worth
07:57 < hid3> I love Lenovo's WiFi tools. It connects to my VPN as soon as I connect to a network..
07:59 -!- JackCorleone [~Jack@201-26-13-95.dsl.telesp.net.br] has joined ##openvpn
08:04 -!- angelete2 [~costa_ang@212.183.206.162.static.user.ono.com] has quit []
08:32 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
08:38 -!- mosno [~mosno@unaffiliated/mosno] has quit [Quit: mosno]
08:43 -!- Rene [~Rene@cs181081047.pp.htv.fi] has quit [Ping timeout: 240 seconds]
08:52 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
08:54 -!- le0 [~fin@cpc4-bele7-2-0-cust381.know.cable.virginmedia.com] has joined ##openvpn
08:54 -!- le0 [~fin@cpc4-bele7-2-0-cust381.know.cable.virginmedia.com] has quit [Changing host]
08:54 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
09:07 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
09:22 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 252 seconds]
09:38 -!- DrJ [Bacon@174.141.224.168] has left ##openvpn []
09:40 -!- Rene [~Rene@power205.adsl.netsonic.fi] has joined ##openvpn
09:47 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
09:48 -!- kantxx [4a200565@gateway/web/freenode/ip.74.32.5.101] has joined ##openvpn
09:48 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
09:48 < kantxx> hey all.. im using openvpn client on a windows server. Is there any way to avoid doing a "ping -t IPADDR" to keep the connection ALWAYS alive?
09:50 < rawDawg> can anyone tell me why i might be getting "Interrupted system call"
09:51 -!- joako [~joako@opensuse/member/joak0] has joined ##openvpn
09:51 -!- foobarz [1000@unaffiliated/foobarz] has quit [Quit: Leaving]
09:53 < Bushmills> kantxx: read about keepalive
09:53 < kantxx> Bushmills: i figured that.. but it doesnt stay "alive"
09:53 < Bushmills> it does here
09:54 < Bushmills> "alive" as in not disconnecting as result of idle timeout
09:54 < Bushmills> not sure what you call "alive"
09:54 < kantxx> just not disconnecting
09:54 < kantxx> hmm
09:54 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 276 seconds]
09:54 < kantxx> so i guess 5 360 would be better?
09:55 < Bushmills> is it on server or on client that you use keepalive?
09:55 < kantxx> client right now
09:56 < Bushmills> well, keepalive is a macro, doing http://scarydevilmonastery.net/snap/1279637759876502784d.png, and is therefore sensitive for client or server use
09:57 < Bushmills> i let my server do the alivekeeping, that way pushing instructions to clients to keepalive the other way too
09:57 < kantxx> i can do that same rule?
09:58 < Bushmills> same rules as?  as in client, but on server instead?
09:58 < kantxx> that img
09:58 < Bushmills> that's what is done when using keepalive
09:59 < kantxx> oh
09:59 < kantxx> :P
09:59 < Bushmills> http://scarydevilmonastery.net/snap/1279637960847551765d.png   here is the whole section
10:00 < kantxx> Bushmills: so i can just specify it on the server?
10:00 < Bushmills> right
10:00 < Bushmills> when you do, no need to specify it on client as well
10:01 < kantxx> ah cool
10:03 < kantxx> thx Bushmills 
10:07 -!- kantxx [4a200565@gateway/web/freenode/ip.74.32.5.101] has left ##openvpn []
10:08 -!- gnurbs [~foo@77-58-110-217.dclient.hispeed.ch] has joined ##openvpn
10:08 < gnurbs> hi
10:09 < gnurbs> openvpn keeps my harddrive busy, since it keeps writing to logfiles
10:09 < Bushmills> reduce log level
10:10 < gnurbs> !welcome
10:10 < vpnHelper> gnurbs: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:10 < rawDawg> i hate to repeat myself but could anyone shed some light on "Interrupted system call", in the client log when trying to connect?
10:11 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:26 < gnurbs> hm have now in my conf files:
10:26 < gnurbs> verb 3; mute 5
10:26 < gnurbs> iotop shows still writes, though tail -f does not show anything new
10:29 < gnurbs> ok, there are changes, but more writes than changes, though it's possible i failed to read iotops output
10:31 < gnurbs> my setup is about 6 p2p tunnels, which are not really reliable, some remotes are down for days
10:32 < gnurbs> seems like openvpn tries to reconnect with only 2s pauses inbetween, is there a way to set this pause, maybe to sth like 1 day?
10:43 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
10:49 < Bushmills> connect-retry n
10:53 < gnurbs> there is no connect-retry on udp, right?
10:53 < Bushmills> seems so. but udp is connectionless
10:54 < Bushmills> (on protocol level, that is. i suppose you can still call openvpn authentication "connecting")
10:54 -!- krzie [~k@unaffiliated/krzee] has joined ##openvpn
10:56 < Bushmills> alternatively, terminate on disconnect, sleep 86400,  throw it into a loop
10:58 < gnurbs> allright, thx
11:00 < krzee> my udp client tries to reconnect forever
11:01 < krzee> the protocol is connectionless, that doesnt mean apps that use it are
11:02 -!- openvpn2009 [~admin@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Quit: ircN 8.00 for mIRC (20080809) - www.ircN.org]
11:11 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
11:15 -!- browsesppadic [~sonupunno@88.211.55.77] has quit [Quit: browsesppadic]
11:21 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: Leaving]
11:24 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
11:41 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
11:44 < bent_screwdriver> !tun
11:44 < vpnHelper> bent_screwdriver: Error: "tun" is not a valid command.
11:44 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
11:45 < bent_screwdriver> !dev
11:45 < vpnHelper> bent_screwdriver: "dev" is https://lists.sourceforge.net/lists/listinfo/openvpn-devel to sign up for devel mail list
11:52 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
11:56 -!- gnurbs [~foo@77-58-110-217.dclient.hispeed.ch] has quit [Ping timeout: 276 seconds]
12:01 -!- Rene [~Rene@power205.adsl.netsonic.fi] has quit [Ping timeout: 240 seconds]
12:02 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
12:03 -!- dazo is now known as dazo_afk
12:16 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
12:22 -!- Columbo0815 [~foobar@HSI-KBW-085-216-116-089.hsi.kabelbw.de] has joined ##openvpn
12:24 < Columbo0815> hi, i have a openvpn-server and a client. both on freebsd-8.0. the connection is over the internet. i can reach every address in the server-lan from the client. but i cant reach the client with the local ip in the client-lan.
12:24 < Columbo0815> the configs: http://bsdforen.pastebin.com/SsN0YqvA
12:24 < rawDawg> !route
12:25 < vpnHelper> rawDawg: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:25 < rawDawg> Columbo0815 ^
12:26 < Columbo0815> :) i check it, thank you
12:34 < rawDawg> !welcome
12:34 < vpnHelper> rawDawg: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:34 < rawDawg> !forum
12:34 < vpnHelper> rawDawg: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
12:34 < Columbo0815> ok... i read it. it seems to be complete
12:38 -!- JackCorleone [~Jack@201-26-13-95.dsl.telesp.net.br] has quit [Quit: Saindo]
12:38 < Columbo0815> nestat -rn on both machines: http://bsdforen.pastebin.com/inVMTRbd
12:39 < Columbo0815> ip forwarding is enabled on server and client.
12:40 < krzie> Columbo0815, 
12:40 < krzie> !route_outside_ovpn
12:40 < vpnHelper> krzie: Error: "route_outside_ovpn" is not a valid command.
12:40 < krzie> !factoids search outside
12:40 < vpnHelper> krzie: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
12:40 < krzie> you did that on the client side router?
12:40 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
12:40 < krzie> you setup the iroute entry in a ccd file for the client, on the server?
12:41 < krzie> and, can you ping the LAN ip of the client?
12:41 < Columbo0815> yes. ccd is done: iroute 192.168.1.0 255.255.255.0
12:42 < krzie> uhhh ohhh
12:42 < krzie> common subnet alert
12:42 < krzie> make sure nothing else ever connects from 192.168.1.x, or you will have problems
12:42 < krzie> !samesubnet
12:42 < vpnHelper> krzie: "samesubnet" is clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
12:43 < Columbo0815> the server subnet is 192.168.126.0
12:43 < krzie> will you have road warriors?
12:43 < Columbo0815> no. only 2 networks should be connected
12:43 < krzie> you will not be out connecting from a laptop?
12:44 < Columbo0815> ?
12:44 < Columbo0815> there is no laptop that will connect to the server
12:44 < krzie> the client with 192.168.1.x will be the ONLY client ever connecting?
12:44 < Columbo0815> yes, i promise :)
12:44 < krzie> ok, you're fine then
12:44 < Columbo0815> the client is the only client that will connect
12:45 < krzie> and can you ping the client lan ip from the server?
12:45 < Columbo0815> i can ping the vpn-ip of the client. i cannot ping the client lan ip
12:45 < Columbo0815> i can ping EVERY client in the server lan from the client 
12:46 < krzie> cool
12:46 < krzie> have you added a route to the client's router?
12:47 < Columbo0815> no. the clients router is a "you cant change it" router :(
12:47 < krzie> ok, thats not your problem yet, but it is a problem
12:47 < Columbo0815> is it necessary? the client knows the vpn and the source-lan
12:47 < Columbo0815> yes, its a problem for other clients. :)
12:47 < krzie> if you cant add a route to it, you will get no further than the lan ip of the client
12:47 < Columbo0815> but i want to ping (at first) the vpn-client
12:47 < krzie> no, its a problem for ANYTHING
12:48 < krzie> the src ip of all packets over the vpn will either be the server lan or the vpn subnet
12:48 < krzie> unless you want to add a route to every machine in the client LAN
12:48 < krzie> as i talked about in !route
12:48 < krzie> in section "ROUTES TO ADD OUTSIDE OPENVPN"
12:49 < krzie> anyways, your problem points to either a firewall on client machine or ip forwarding... what OS is the client?
12:49 < Columbo0815> oh.. i think i got my braindamage:
12:50 < Columbo0815> no.. second.. thats not my problem:
12:51 < krzie> fyi, i wrote !route
12:51 < Columbo0815> i tcpdump on the server-tun. IP 10.8.0.1 > 192.168.1.160
12:51 < Columbo0815> i tcpdump on the client-tun: nothing
12:51 < krzie> firewall
12:51 < krzie> client side firewall
12:51 < Columbo0815> there is no firewall running
12:51 < krzie> linux?
12:51 < Columbo0815> freebsd
12:52 < krzie> didnt compile in any firewall?
12:52 < Columbo0815> no firewall running.
12:52 < krzie> my question was if you compiled one in
12:52 < Columbo0815> no
12:53 < rawDawg> krzie is there any doc that explains easy-rsa in depth? i.e. how to test if a .cer is bad or has been revoked?
12:53 < krzie> sysctl -a|grep net.inet.ip.forwarding
12:53 < krzie> show me the output
12:53 < krzie> rawDawg, easy-rsa doesnt do that
12:53 < krzie> !certverify
12:53 < vpnHelper> krzie: "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
12:53 < rawDawg> coolio
12:53 < Columbo0815> sysctl net.inet.ip.forwarding
12:53 < Columbo0815> net.inet.ip.forwarding: 1
12:53 < Columbo0815> on both machines
12:54 < krzie> easy-rsa is just a script for using openssl to do common stuff for openvpn
12:54 < krzie> but its all just openssl commands
12:55 < rawDawg> gotcha
12:56 < rawDawg> openssl returned OK
12:56 < rawDawg> so this cert seems good
12:56 < rawDawg> !paste
12:56 < vpnHelper> rawDawg: "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
12:56 < krzie> rawDawg, 
12:56 < krzie> !logs
12:56 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
12:56 < rawDawg> right
12:56 < rawDawg> sec
12:57 < krzie> Columbo0815, 
12:58 < krzie> when you said this:
12:58 < krzie> [10:53]  <Columbo0815> i tcpdump on the server-tun. IP 10.8.0.1 > 192.168.1.160
12:58 < krzie> [10:53]  <Columbo0815> i tcpdump on the client-tun: nothing
12:58 < krzie> is 192.168.1.160 the client IP itself?
12:58 < Columbo0815> yes
12:58 < krzie> when client pings server, use -S 192.168.1.160
12:59 < krzie> see if replies make it
12:59 < rawDawg> server log: http://www.pastebin.ca/1904635
12:59 < rawDawg> i cant get to the client :\
12:59 < rawDawg> client has the same key i just tested
12:59 < Columbo0815> ok.. no replie
13:00 < Columbo0815> reply.. 
13:00 < krzie> rawDawg, client is windows?
13:00 < rawDawg> yessir
13:00 < krzie> rawDawg, make sure windows firewall is disabled for the TAP adapter
13:01 < krzie> or disabled all together just to test
13:01 < krzie> then configure it to not be on tap adapter
13:01 < rawDawg> its disabled. i always disable windows firewall and uncheck all adapters
13:03 -!- takamichi [~pri@78.133.38.201] has quit []
13:03 -!- bent_screwdriver [~socain00@74.255.249.66] has quit [Ping timeout: 248 seconds]
13:03 < krzie> but you arent there
13:03 < Columbo0815> tcpdump on clients tun0 (!) says: IP 192.168.1.160 > 192.168.126.2: ICMP echo request
13:04 < krzie> and windows has a habit of re-enabling it (seen it too many times)
13:04 < krzie> Columbo0815, do the same ping but to the servers VPN ip
13:04 < krzie> 10.8.0.1 iirc from your config
13:04 < Columbo0815> no reply
13:05 < krzie> and also tcpdump on server, we wanna be sure the server is sending a reply out tun0
13:05 < rawDawg> an update could have reenabed it somehow
13:05 < Columbo0815> tun0 client is sending (tcpdump see it). server tcpdump is mute
13:05 < krzie> rawDawg, ive even seen it re-enable without updates, no rhyme or reason that ive come up with
13:06 < Columbo0815> IP 192.168.1.160 > 10.8.0.1: ICMP echo request (no reply)
13:06 < krzie> server has a firewall?
13:06 < rawDawg> pesky bugger
13:06 < Columbo0815> no firewall
13:06 < krzie> your problem really seems to point to one
13:06 < Columbo0815> no firewall compiled in
13:06 < krzie> hrm
13:07 < krzie> oh
13:07 < krzie> change verb to 4
13:07 < krzie> reload both sides
13:07 < Columbo0815> on server? or client?
13:07 < krzie> i will want server log
13:07 < krzie> so just server is fine
13:07 < krzie> then ill want you to ping -S again
13:08 < krzie> and gimme server log
13:08 < krzie> i think i will find something like MULTI: bad source address from client [IP ADDRESS], packet dropped
13:08 < krzie> in fact if you see that, you dont need to send me the log
13:08 < krzie> because ill know where to look
13:08 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
13:09 < krzie> you can swim through the log as is, but with verb 6 its gunna be full of other BS too
13:09 < krzie> verb 5 helps with finding firewall issues
13:10 < Columbo0815> server log last line: openvpn[61117]: Initialization Sequence Completed
13:10 < Columbo0815> just a second. have to restart the client
13:10 < krzie> yup
13:10 < krzie> and you will need to ping -S with lan IP before that error will pop up
13:10 < Columbo0815> MULTI: bad source address from client [192.168.1.160], packet dropped :-D
13:11 < krzie> =]
13:11 < krzie> your CCD is either named wrong, or has bad permissions
13:11 < krzie> the file must be named EXACTLY as the client common-name
13:11 < Columbo0815> CCN is client, isnt it?
13:12 < Columbo0815> permissions are: rw-r--r--
13:12 < krzie> if you paste your server log from start to that error ill tell you
13:12 < krzie> how bout DIR permissions?
13:12 < krzie> if it is -x files inside cant be read
13:12 < Columbo0815> xxx x-x x-x
13:12 < krzie> huh?
13:12 < krzie> ohhh
13:12 < krzie> i gotchya, 755
13:13 < krzie> then its the filename
13:13 < Columbo0815> oh... i think.. its the filename
13:13 < krzie> i can tell you EXACTLY what it should be if you show me the log
13:14 < krzie> cause it should be EXACTLY (case sensitive of course) what the client common name is
13:15 < Columbo0815> i search the log...
13:16 < krzie> ok, well it will say the client common-name a ton of times
13:17 < krzie> Tue Jul 20 09:50:29 2010 us=496473 jeff/IP:port PUSH: Received control message: 'PUSH_REQUEST'
13:17 < Columbo0815> it works!
13:17 < krzie> there, jeff is the common-name
13:17 < Columbo0815> it was the name... :-)
13:17 < Columbo0815> thank you VERY much!
13:17 < krzie> you're welcome =]
13:17 < krzie> also, since you use freebsd
13:17 < krzie> you may enjoy playing with ssl-admin from ports
13:17 < krzie> made by one of the admins here
13:18 < krzie> i NEVER use easy-rsa anymore
13:18 < krzie> !ssl-admin
13:18 < vpnHelper> krzie: "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn, or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
13:18 < Columbo0815> i thought the name has to be the same as the certificate
13:18 < Columbo0815> the CN is different
13:18 < krzie> ahh no, the filename of the cert means nothing at all
13:18 < krzie> its all about:
13:18 < krzie> !certinfo
13:18 < vpnHelper> krzie: "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
13:18 < krzie> whats in there =]
13:18 < Columbo0815> :)
13:19 < krzie> so now...
13:19 < krzie> you still should only be able to ping the client lan IP
13:20 < Columbo0815> iam able to ping the client lan ip
13:20 < krzie> until you add routes back (for the server lan subnet and the vpn subnet) on each client lan machine
13:20 < Columbo0815> yes..
13:20 < krzie> right, the client lan ip, but not the client lan machines themselves
13:20 < krzie> however
13:20 < Columbo0815> thats ok (for now)
13:20 < krzie> your router probably supports adding static routes on its GUI
13:20 < krzie> most do
13:21 < krzie> even the lame ass routers they give with DSL in the 3rd world country im in support it
13:21 < Columbo0815> just for the log: 64 bytes from 192.168.1.160: icmp_seq=43 ttl=64 time=25.808 ms
13:21 < Columbo0815> :-D
13:21 < krzie> nice ping!
13:22 < Columbo0815> nice is that i get a reply :)
13:23 < krzie> im so used to my 3rd world inet, 25ms over vpn is sexy to me
13:30 < rawDawg> krzie im goin on site
13:30 < rawDawg> to check that damn windows client
13:30 < rawDawg> wish me luck
13:31 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: Connection reset by peer]
13:31 < krzie> damn, sucks he doesnt have someone there
13:33 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
13:34 < Bushmills> krzie: http://scarydevilmonastery.net/snap/1279650840488018728d.png    off site server :)
13:34 < krzie> not sure i even wanna look, you guys have good inet out there
13:34 < krzie> hah, i KNEW it
13:55 -!- MWinther [~mw@213-66-50-34-no166.tbcn.telia.com] has quit [Remote host closed the connection]
14:02 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 252 seconds]
14:06 -!- bent_screwdriver [~socain00@74.255.249.66] has joined ##openvpn
14:28 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:33 -!- Rene [~Rene@cs181081047.pp.htv.fi] has joined ##openvpn
14:34 -!- Zenac [~xD@74-136-220-65.dhcp.insightbb.com] has joined ##openvpn
14:34 < Zenac> Tue Jul 20 15:34:31 2010 Cannot allocate TUN/TAP dev dynamically
14:34 < Zenac> Tue Jul 20 15:34:31 2010 Exiting
14:34 < Zenac> What is this and how do i fix it
14:38 < julius> it is an error
14:38 < julius> And I'd suggest to enable verbose logging
14:39 < ecrist> or, try running as root, or have the tun/tap kernel module enabled.
14:40 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
14:40 -!- Zenac [~xD@74-136-220-65.dhcp.insightbb.com] has quit [Ping timeout: 276 seconds]
14:41 < julius> tehehe
15:13 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:16 -!- Columbo0815 [~foobar@HSI-KBW-085-216-116-089.hsi.kabelbw.de] has quit [Quit: Verlassend]
15:19 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
15:20 -!- joako [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
15:20 < rawDawg> krzie my problem was my firewall, really.
15:21 < krzie> =]
15:21 < krzie> glad you didnt take that trip to the location for no reason
15:22 < rawDawg> i feel like i did... i disabled the service
15:22 < krzie> it will re-enable
15:22 < rawDawg> i added the exception (and tested) for openvpn, just in case it somehow re-enables it self
15:24 < rawDawg> did you ever fix that last guys problem?
15:27 < Bushmills> the last guys problem? is that related to the traveling salesman problem?
15:28 < rawDawg> i dont know if he was a salesman or not, but he sure had some problems
15:30 < Bushmills> the salesman could also have been a bailiff, or a federal library inspector.
15:34 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has joined ##openvpn
15:41 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
16:13 -!- adxp [~user@c-24-23-136-38.hsd1.ca.comcast.net] has joined ##openvpn
16:14 -!- StrangebrewAway is now known as Strangebrew
16:14 < adxp> hey -- when I use build-ca (& co) from easy-rsa in a shell script, I'm being prompted to enter values for KEY_COUNTRY etc. Is there some way I can force these to be non-interactive?
16:15 < adxp> (the variables are present and exported correctly)
16:17 < adxp> never mind, discovered --batch
16:18 -!- Strangebrew is now known as StrangebrewAway
16:23 -!- blueboxthief [~None_of_y@86-45-82-222-dynamic.b-ras2.srl.dublin.eircom.net] has joined ##openvpn
16:23 -!- blueboxthief [~None_of_y@86-45-82-222-dynamic.b-ras2.srl.dublin.eircom.net] has left ##openvpn []
16:25 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:35 -!- MWinther [~mw@213-66-50-34-no166.tbcn.telia.com] has joined ##openvpn
16:50 -!- SOG [~SOG@222.125.202.173] has quit [Ping timeout: 276 seconds]
17:09 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
17:19 -!- adxp [~user@c-24-23-136-38.hsd1.ca.comcast.net] has quit [Remote host closed the connection]
17:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
17:35 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
17:36 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Ping timeout: 246 seconds]
17:46 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
17:50 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:51 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:00 -!- Run32dll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:01 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Ping timeout: 260 seconds]
18:09 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:11 -!- Run32dll [~thomas@ppp105-140.static.internode.on.net] has quit [Ping timeout: 264 seconds]
18:16 -!- Run32dll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:16 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Ping timeout: 276 seconds]
18:20 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
18:22 -!- Run32dll [~thomas@ppp105-140.static.internode.on.net] has quit [Ping timeout: 276 seconds]
18:26 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:34 -!- Run32dll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:35 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Ping timeout: 240 seconds]
18:40 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:41 -!- Run32dll [~thomas@ppp105-140.static.internode.on.net] has quit [Ping timeout: 240 seconds]
18:42 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
18:43 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Client Quit]
18:56 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
19:07 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Ping timeout: 248 seconds]
19:07 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
19:08 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
19:14 -!- joako [~joako@opensuse/member/joak0] has joined ##openvpn
19:47 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Read error: Connection reset by peer]
19:50 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
20:10 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
20:34 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
21:58 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
22:08 -!- bvierra [~bvierra@cpe-76-167-245-163.socal.res.rr.com] has joined ##openvpn
22:10 -!- bvierra_ [~bvierra@cpe-76-167-245-163.socal.res.rr.com] has quit [Ping timeout: 260 seconds]
22:12 -!- trefn [~tim@c-98-248-40-254.hsd1.ca.comcast.net] has joined ##openvpn
22:15 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
22:16 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
22:16 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
22:17 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
22:24 -!- joako [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
22:29 -!- joako [~joako@opensuse/member/joak0] has joined ##openvpn
22:32 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
22:39 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Read error: Connection reset by peer]
22:39 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
22:45 -!- MWinther [~mw@213-66-50-34-no166.tbcn.telia.com] has quit [Remote host closed the connection]
22:46 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
23:02 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
23:15 -!- joako_ [~joako@opensuse/member/joak0] has joined ##openvpn
23:17 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 265 seconds]
23:18 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
23:18 -!- mode/##openvpn [+o mattock] by ChanServ
23:23 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
23:23 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Read error: Operation timed out]
23:23 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
23:34 < trefn> hey folks, i'm having trouble getting my packets forwarded 
23:34 < trefn> i've turned on IP forwarding
23:34 < trefn> and i'm pushing routes to the client - the request is hitting the vpn server
23:34 < trefn> but it's disappearing
23:37 < krzee> !route
23:37 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
23:38 < trefn> krzee: thanks, i've read that quite thoroughly
23:39 < trefn> i don't have a lan persay, rather i'm just using the default internal ips the rackspace cloud has set up
23:52 < [intra]lanman> oh, awesome... !route was what i need too :-)
23:57 < krzee> [intra]lanman, wassup!!!
23:58 < krzee> i see you all the time in fs chan
23:58 < [intra]lanman> working on connecting my house with my aunt's house
23:58 < [intra]lanman> yeah, i'm always there
23:58 < [intra]lanman> i only come here when i need something ;-)
23:58 < krzee> ;]
23:58 < krzee> my confgen will do most the work
23:58 < krzee> !confgen
23:58 < vpnHelper> krzee: "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/
23:58 < krzee> besides that all you need is:
23:58 < krzee> !factoids search outside
23:58 < vpnHelper> krzee: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
23:59 < krzee> or of course, theres !route
23:59 -!- jmg [~skillet@178.33.25.214] has left ##openvpn []
23:59 < krzee> but !route and !redirect are handled right in the confgen
--- Day changed Wed Jul 21 2010
00:01 < [intra]lanman> i have no idea what any of that means just yet
00:01 < krzee> the confgen is a script which will build your configs for you
00:02 < krzee> bash script, asks you questions and outputs your configs
00:02 < [intra]lanman> oh, cool
00:02 < krzee> #####                 by krzee @ Freenode #OpenVPN                  #####
00:02 < krzee> #####       Just run ./confgen            chmod +x all 3 files      #####
00:02 < krzee> #####                                                               #####
00:02 < krzee> # This is a bash script To help you generate configuration files for
00:02 < krzee> # some of the most commonly desired vpn setups.  You can setup lans
00:02 < krzee> # behind server / clients, or redirect client internet through the server
00:09 < [intra]lanman> oh, the directory questions aren't defaults? they're just suggestions?
00:09 < [intra]lanman> lol
00:09 < krzee> damn, good point
00:10 < [intra]lanman> i just hit enter... and it asked me again
00:10 < krzee> oh ok good
00:10 < [intra]lanman> so i was like "what am i doing wrong?!?"
00:10 < krzee> although for windows i should make it a default
00:10 < krzee> since there is actually a default dir in windows
00:10 < [intra]lanman> maybe linux too... i like the /etc/openvpn/ path that it came up with
00:11 < [intra]lanman> i just copied/pasted as if it were a default anyway :-)
00:11 < krzee> ya i guess linux does normally get packaged in a way that starts all conf files in some dir
00:11 < krzee> i think thats the dir ;]
00:11 < krzee> (<-- fbsd / osx user)
00:12 < jpalmer> I prefer fbsd's directory hierarchy
00:12 < [intra]lanman> yeah, i'm a mac/linux user
00:13 < [intra]lanman> i think it's funny when bsd users put source in /usr/src... and linux users put stuff in /usr/local/src... 
00:15 -!- SOG [~SOG@61.144.230.241] has quit [Quit: SOG]
00:15 < [intra]lanman> krzee: do i need to run all 3 of these scripts?
00:16 < jpalmer> s/funny/annoying/ lol
00:16 < [intra]lanman> oh, or confgen runs the other two?
00:16 < [intra]lanman> nm, i'll look at them
00:16 < [intra]lanman> i swore i was gonna stop being so lazy
00:17 < krzee> just read the header
00:18 < krzee> it'll tell you to +x all 3, then just run confgen
00:18 < krzee> i split it into 3 in case someone else feels like making a frontend
00:19 < [intra]lanman> i'm guessing you can run genclient over and over for multiple clients too?
00:19 < krzee> well confgen will prompt you until you tell it not to
00:19 < krzee> 1 run will make as many clients as you want
00:20 < krzee> but yes, if you feel like using genclient directly it can be done
00:20 < krzee> it doesnt do much if any error checking tho
00:20 < krzee> the frontend handles that
00:20 < [intra]lanman> yeah, i was just considering adding more new clients in the future, etc
00:20 < krzee> for the most part client configs stay the same
00:22 < krzee> you basically change a path, and some filenames
00:22 < krzee> most stuff is handled in the server config
00:22 < krzee> at least in most my setups its like that
00:22 < krzee> the VPN i made for the office would be an exception
00:24 < krzee> in that one i make all route entries on each client, so each client only has the routes it is allowed (of course this is also handled by the firewall, but some people dont need to even know there is multiple lans)
00:24 < jpalmer> I add on average, 8 new clients per day.  All of which are connected 24/7
00:24 < krzee> one of the other lans would be the cudatel's lan =]
00:25 < jpalmer> I wonder at what point a VPN accelerator would be useful.
00:25 < [intra]lanman> that reminds me... if this thing is connected 24/7... 
00:26 < [intra]lanman> how much bandwidth would you guess it'd use in a month? if it were just idle teh whole time
00:27 < jpalmer> Not much.  Don't have hard numbers but I'd guess under 10 meg
00:28 < jpalmer> Session expire every hour by default, so it had to renegotiate.  That's about it
00:28 < [intra]lanman> yeah, just curious... cus home is on a 3g air card with a 5g cap... $0.49/meg over the cap
00:29 < [intra]lanman> so just making sure this isn't going to raise my overhead dramatically
00:30 < jpalmer> It's the traffic you send over the link..  That's what you should worry about.
00:30 < krzee> ya its basically some pings and hourly renegotiate
00:30 < krzee> the frequency of the pings depends on your --keepalive setting
00:30 < krzee> note, when i talk in --
00:31 < krzee> !--
00:31 < vpnHelper> krzee: "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file.
00:31 -!- [cannibalera] [~Bersirc@201.22.86.124.static.gvt.net.br] has quit [Ping timeout: 258 seconds]
00:31 < krzee> i say things like --keepalive to point out how to find them in the manual, but they can be in the config (and normally are)
00:47 < krzee> if i had a 5g monthly cap ild come up with some firewall rules to kill it at 5g
00:48 < krzee> since $.50/meg is too much for me
00:48 < jpalmer> Indeed
00:49 < [intra]lanman> yeah, that's next on my agenda
00:49 < [intra]lanman> actually, pretty high on my agenda
00:50 < [intra]lanman> especially since i went over last month by about 250M
00:50 < krzee> you work on cudatel stuff at all or just FS?
00:50 < [intra]lanman> both
00:50 < krzee> OUCH @ 250M
00:50 < [intra]lanman> i do most of the cudatel provisioning
00:50 < krzee> such small bw, but thats sooo much $
00:51 < krzee> $125 for half a gig
00:51 < [intra]lanman> yeah, it's stupid
00:51 < krzee> err 1/4 a gig
00:51 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
00:51 < [intra]lanman> speaking of stupid... i'm missing some keys... is there a tutorial on generating those?
00:52 < krzee> !ssl-admin
00:52 < vpnHelper> krzee: "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn, or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
00:52 < krzee> thats the easiest way
00:52 -!- frW [~frW@smartit.se] has left ##openvpn []
00:52 < krzee> if you wanna use easy-rsa, its packaged with openvpn, and explained in the howto
00:52 < krzee> !howto
00:52 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
00:53 < [intra]lanman> ahh, a howto.. that's helpful
00:53 < krzee> can skip right to: http://openvpn.net/index.php/open-source/documentation/howto.html#pki
00:53 < vpnHelper> Title: HOWTO (at openvpn.net)
00:53 -!- joako_ [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
00:53 < krzee> my confgen also references some other files you will want
00:53 < krzee> !dh
00:53 < vpnHelper> krzee: "dh" is build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN
00:53 < krzee> !hmac
00:53 < vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
00:54 < vpnHelper> krzee: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
00:56 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
01:04 < tjz> BP photoshops fake photo of crisis command center, posts on main BP site 
01:04 < tjz> http://www.americablog.com/2010/07/bp-photoshops-fake-photo-of-command.html
01:04 < vpnHelper> Title: AMERICAblog News: BP photoshops fake photo of crisis command center, posts on main BP site (at www.americablog.com)
01:35 -!- dazo_afk is now known as dazo
01:35 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 276 seconds]
01:49 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:04 -!- th1 [~th@pdpc/supporter/professional/th1] has quit [Ping timeout: 260 seconds]
02:04 -!- th1 [~th@cpc1-cmbg15-2-0-cust361.5-4.cable.virginmedia.com] has joined ##openvpn
02:07 -!- Rene1 [~Rene@cs181081047.pp.htv.fi] has joined ##openvpn
02:10 -!- Rene [~Rene@cs181081047.pp.htv.fi] has quit [Ping timeout: 258 seconds]
02:25 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
02:29 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 265 seconds]
02:32 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
02:40 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Read error: Connection reset by peer]
02:41 -!- dazo is now known as dazo_afk
02:44 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
02:51 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
02:53 -!- ScriptFanix [~vincent@cl-53.mrs-01.fr.sixxs.net] has joined ##openvpn
02:57 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Remote host closed the connection]
03:12 -!- ScriptFanix [~vincent@cl-53.mrs-01.fr.sixxs.net] has quit [Quit: WeeChat 0.3.2]
03:13 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined ##openvpn
03:21 -!- dazo_afk is now known as dazo
03:35 -!- Netsplit *.net <-> *.split quits: meepmeep
03:36 -!- Netsplit over, joins: meepmeep
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:41 < krzee> hey Bushmills 
03:41 < krzee> wanna see something fucking craaaaazy?
03:41 < Bushmills> 'morning krzee
03:41 < krzee> g'mornin
03:42 < jpalmer> krzee,  got a sec?
03:42 < krzee> im helping a friend with his vpn, and im seeing some seriously insane stuff
03:43 < Bushmills> movies?
03:43 < jpalmer> WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want <-- is this purely informational?  or does it indicate one ption is going to override another (becuase,  it is what I want.)
03:43 < Bushmills> behavioural patterns?
03:44 < Bushmills> with duplicate-cn there's single CN for multiple clients
03:44 < jpalmer> Bushmills: right
03:44 < Bushmills> but ccd files are selected according CN
03:44 < jpalmer> Bushmills: also right ;)
03:44 < jpalmer> let me explain my goal..
03:44 < krzee> jpalmer, its informational, but usually correct
03:45 < krzee> knowing you, you probably found some sort of exception ;]
03:46 < jpalmer> I'm adding an average of 8 new vpn clients daily.  they are connected 24/7.  I want to script it,  so new machines are created, and a default "temporary" key added. Then, later, go in and manually add new keys with ccd entries for the permanent settings.  so,  99.999% of my clients will use ccd's,  but one cn in particular,  won't and I want to allow multiple instances 
03:47 < jpalmer> (this way,  I can script the whole thing via pxeboot/kickstart scripts. and have them instantly on the management network.
03:47 < krzee> the one that is duplicated has nothing in its ccd?
03:47 < krzee> if that is correct, you are fine
03:47 < jpalmer> right
03:48 < jpalmer> ok. awesome.  just wanted to make sure it was really a warning,  and not going to blow the world up ;)
03:51 -!- kisom [~kisom@c-f9dde155.648-1-64736c11.cust.bredbandsbolaget.se] has joined ##openvpn
03:55 -!- anisfarhana [~anis@unaffiliated/anisx] has joined ##openvpn
03:55 < Bushmills> hm .. ssh brute force attacks have been seriously losing intensity during the past 2 weeks or so - i'm down do about 25% of the general level
03:55 < anisfarhana> hello.
03:56 < krzee> Bushmills, that sucks =[
03:56 < anisfarhana> This is first time i tested the OpenVPN , but after doing some reading and googling , i failed.
03:56  * Bushmills feels negelcted
03:56 < Bushmills> failed testing it?
03:56 < anisfarhana> I used OpenVPN on IPcop here , its connected , but im not able to ping the ip address at site.
03:57 < krzee> !goal
03:57 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
03:57 < Bushmills> !route
03:57 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
03:57 < Bushmills> !tunortap
03:57 < vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
03:57 < vpnHelper> Bushmills: against you over the vpn, or (#4) lan gaming? use tap!
03:58 < Bushmills> !firewall
03:58 < vpnHelper> Bushmills: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
03:58  * anisfarhana blinks.
03:58 < Bushmills> your problem is probably addressed in one of those
03:59 < anisfarhana> Bushmills: this OpenVPN embedded in the firewall , and i'm suing Host-to-Net (RoadWarrior) to connect.
04:00 < Bushmills> then 1 and 3 might apply
04:00 < krzee> anisfarhana, are you editing the openvpn config file directly?
04:00 < krzee> or from some web gui?
04:00 < anisfarhana> Bushmills: i'm referring to this site though , http://thinkhole.org/wp/2006/03/28/ipcop-openvpn-howto/
04:00 < vpnHelper> Title: HOWTO: IPCop-OpenVPN | Thinkhole Labs (at thinkhole.org)
04:00 < anisfarhana> krzee: from some web-gui sir.
04:01 < krzee> it sounds like you need support from the IPCop guys then
04:01 < krzee> cause openvpn doesnt come with a web gui
04:01 < Bushmills> forgive me, but i'm not going to read all that. nice pictures, though.
04:01 < anisfarhana> http://pastebin.ws/xe329
04:01 < anisfarhana> Here is the logs though
04:01 < anisfarhana> (Which i completely don't understand about it)
04:02 < Bushmills> clients connects.  fine.
04:02  * anisfarhana nods
04:02 < anisfarhana> By right , i'm able to ping the local ip address at site , yes ?
04:02 < Bushmills> that what you got the link to
04:03 < Bushmills> !route
04:03 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
04:03 < Bushmills> for
04:03 < Bushmills> you must be a fairly quick reader indeed
04:04 < anisfarhana> oh Routing , it's hard for me to mess with the live firewall :/
04:04 < anisfarhana> Bushmills: i was on that site before.
04:04 < Bushmills> i'm sure there are consultants, doing that for you for a substantial fee
04:04  * anisfarhana shows her firefox to Bushmills 
04:05 < anisfarhana> But this is default ip / subnet mask for OpenVPN in web-gui - 10.116.189.0/255.255.0.0
04:05 < Bushmills> alternatively, use a second installation, to experiment with, and try out your config changes
04:06 < Bushmills> but i commend you on a sensible choice for ip addresses of the vpn net
04:06 < anisfarhana> Bushmills: does ip range need to be same with site ip range ?
04:06 < Bushmills> no. not at all
04:06 < Bushmills> rather the contrary
04:06 < anisfarhana> If not , how they are going to communicate ? (ping for example)
04:07 < anisfarhana> i even read about the UDP and TCP for OpenVPN
04:07 < Bushmills> by routing packages to destination net through vpn interface
04:07 < anisfarhana> But still i didn't get it.
04:07 < Bushmills> packets
04:08 < Bushmills> like internet routers route your local traffic, without needing to have an ip address of your local subnet
04:08 < anisfarhana> Right.
04:08 < Bushmills> instead they have rules, saying "traffic to that destination goes to that interface"
04:09  * jpalmer still waits to see the craziness from krzee;'s friends vpn
04:09 < anisfarhana> Bushmills: how about UDP and TCP ? When i change to use TCP , client-to-site failed to connect.
04:09 < anisfarhana> But works well on UDP.
04:10 < Bushmills> !tcp
04:10 < vpnHelper> Bushmills: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
04:10 < Bushmills> you possibly neglected to change to tcp on both server and client side. or, firewall issue. but - don't change to tcp
04:10 < anisfarhana> Right.
04:11 < anisfarhana> Bushmills: Then my problem is whether with routing or ip/subnet mask on OpenVPN.
04:11 < Bushmills> most likely. or, alternatively,
04:11 < Bushmills> !firewal
04:11 < krzee> ahh
04:11 < vpnHelper> Bushmills: Error: "firewal" is not a valid command.
04:11 < Bushmills> !firewall
04:11 < vpnHelper> Bushmills: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
04:11 < krzee> the craziness
04:12 < krzee> he is getting a MULTI error saying his client is sending traffic over the vpn with SRC address of his server
04:12 < krzee> he showed me the log and a routing table from his server, i saw same subnet so asked what an IP was... and he told me its his server external IP
04:12 < anisfarhana> krzee: she and her.
04:13 < krzee> im talking about something else anisfarhana 
04:13 < anisfarhana> ok
04:13 < anisfarhana> SOrry for that.
04:13 < Bushmills> but anis is a male tunesian name
04:14 < anisfarhana> Bushmills: I'm not Tunesian.
04:15 < anisfarhana> Maybe anis yes , but not anisfarhana
04:15 < Bushmills> ?the trailing "a" denotes the female sense of the name
04:15 < Bushmills> as opposed to, say, farhanis?
04:16 < anisfarhana> Bushmills: there is no first and last name , just anisfarhana
04:17 < jpalmer> krzee: intersting.
04:19 < krzee> and now we backed it up
04:19 < krzee> made it to this:
04:19 < krzee> his iroute entry is read
04:19 < Bushmills> krzee: that's something which could be called "metarouting"?
04:19 < krzee> but he still gets a MULTI error when pinging from that subnet
04:20 < jpalmer> there has to be a routing table goofed up somewhere
04:20 < Bushmills> or, the problem is not exclusively due to what you though it is
04:21 < jpalmer> is this site-to-site,  or client-to-server?
04:21 < krzee> MULTI errors are from the internal routing table
04:21 < krzee> server/client
04:21 < anisfarhana> I'm done for OpenVPN , this is just frustating.
04:21 < krzee> the way to lose MULTI errors is iroute
04:21 < krzee> when iroute is correctly read and added, you shouldn get a MULTI on that same subnet!
04:22 < krzee> anisfarhana, you never used openvpn, you use ipcop
04:22 < anisfarhana> Right.
04:22 < anisfarhana> krzee: but i see "OpenVPN" in ipcop.
04:22 < jpalmer> no, you see their bastardization of openvpn.
04:23 < krzee> exactly
04:23 < Bushmills> fancy config dialogs :)
04:23 < anisfarhana> krzee: your statement is just like "I don't use keyboard to write , i use my fingers"
04:23 < krzee> kinda like how you see bind in cpanel... but you wont get cpanel help in a bind help channel
04:24 < anisfarhana> krzee: i come here if you guys can advise or help me , if you are not willing to help , just say it
04:24 < krzee> run openvpn and we will be able to help you
04:24 < jpalmer> anisfarhana: to put it simply,  if you want help from the openvpn community,  use an unmolested version of openvpn.  if you want to use something like ipcop,   then you need to ask the ipcop community for help.
04:24 < anisfarhana> Ok right.
04:25 < krzee> im sure ipcop has support too if you prefer to use them
04:25 < jpalmer> the version of openvpn in ipcop has been modified to the pont where,  we can't really help with it.  it's not the same openvpn we know and use.
04:25 -!- anisfarhana [~anis@unaffiliated/anisx] has left ##openvpn ["this is not the right channel then , thanks Bushmills , krzee , jpalmer "]
04:26 < Bushmills> "it doesn't work and it is all your fault"
04:26 < krzee> either wasnt the right channel, or the right program, 1 of those was true
04:26 < krzee> =/
04:28 < jpalmer> I just wrote a quick script to parse the stats file...  I start my clients at 10.14.1.2,  and use topology subnet.  I have every IP in use, all the way through 10.16.0.69
04:29 < krzee> damn
04:30 < krzee> err no way
04:30 < krzee> 10.14 - 10.16
04:30 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
04:30 < krzee> thats more than any single openvpn server can handle i believe
04:30 < jpalmer> yea
04:31 < krzee> its single threaded and known to die after a couple hundred
04:31 < krzee> (fixes planned for 3.0)
04:31 < jpalmer> I've got tons of servers, too.  hence why I'm so concerned about redundancy.
04:32 < krzee> ahh ok
04:32 < krzee> you running some sort of botnet?
04:32 < jpalmer> lol
04:32 < krzee> hacking the planet?
04:32 < jpalmer> no,  these are all systems inside hospitals
04:32 < krzee> planethacker
04:33 < krzee> :-p
04:33 < jpalmer> krzee:  what got you into openvpn?   you and bushmills (and ecrist too)  seem to know it insanely well.
04:33 < Bushmills> essentially, british telecom and quorm
04:34 < jpalmer> I thought I had a pretty good bead on it.  but you three teach me something new all the time.  hehe
04:34 < krzee> hrm
04:34 < krzee> i like tunneling stuff ;]
04:35 < jpalmer> are you hacking the gibson through those tunnels, sir?
04:35  * krzee gets his shovel
04:35 < jpalmer> lol
04:35 < krzee> Bushmills IS the gibson
04:35 < jpalmer> re you a coyote? smuggling immigrants back and forth across the us/mexico border?
04:36 < krzee> i dont live on the north american continent
04:36 < jpalmer> a likely story.
04:36 < jpalmer> thats what all the coyotes say!
04:36 < krzee> although i do have 2 servers right on the mexico california border
04:36 < krzee> 1 exit away from mexico
04:37 < jpalmer> I lived in El Paso for 2 years.   we went to mexico about twice a month.
04:38 < jpalmer> (a horrible 2 years, that was.  El Paso has *nothing* going on in the technology field.)
04:39 < jpalmer> anywho,  it's 5:30, and I'm headed to bed.
04:45 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
04:45 < krzee> jpalmer, 
04:45 < krzee> i was talking bout [intra]lanman's setup
04:46 < krzee> [04:32]  <krzee> Jul 21 04:18:56 localhost openvpn[2818]: router/166.231.49.56:52934 MULTI: internal route 192.168.77.0 -> router/166.231.49.56:52934
04:46 < krzee> [04:32]  <krzee> Jul 21 04:18:59 localhost openvpn[2818]: router/166.231.49.56:52934 MULTI: bad source address from client [192.168.77.254], packet dropped
04:47 < krzee> Bushmills, crazy isnt it!
04:48 < krzee> he has the iroute, it sees the iroute, then it drops packets even tho they match the iroute
04:48 < krzee> however
04:48 < Bushmills> hm
04:48 -!- anisfarhana [~anis@unaffiliated/anisx] has joined ##openvpn
04:48 < anisfarhana> it works!!!
04:48 < anisfarhana> :D
04:49 < krzee> good job =]
04:49 -!- Chosi [osxchosi@choseh.de] has quit [Changing host]
04:49 -!- Chosi [osxchosi@unaffiliated/chosi] has joined ##openvpn
04:49 < Bushmills> glad that the folks on that other channel were better able to help you
04:49 < anisfarhana> Bushmills: nobody helping me
04:49 < anisfarhana> Bushmills: just try and error
04:50 < [intra]lanman> heh, i've been through a little of that tonight
04:50 < anisfarhana> Took me almost 7 hours to solve this :)
04:52 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Ping timeout: 276 seconds]
04:55 < [intra]lanman> yeah, i've been at this for about that long... and this is supposed to be an easy setup
04:55 < [intra]lanman> that said... i think i'll see if i can sleep for an hour or two before i have to get up and work for another 12 hours :-\
04:56 < krzee> 7 hours... my very first setup took more than that
04:56 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
04:56 < krzee> and the help channel was tiny, dead, and un-maintained back then
04:56 < kisom> my first setup also took 7 hours :)
04:56 < kisom> read the whole man
04:56 < kisom> anyways, t1me f0r f00d
04:57 < krzee> yup
04:57 < krzee> read the man, the howto, and a ton of docs
04:57 < krzee> which honestly confused me more
04:58 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
04:58 < krzee> i had to dig into code before i fully understood what iroute was for
05:00 -!- anisfarhana [~anis@unaffiliated/anisx] has left ##openvpn ["Leaving"]
05:04 -!- znh [~hans@unaffiliated/znh] has joined ##openvpn
05:05 -!- xLP [~test@mail-out.lpcorp.fr] has joined ##openvpn
05:05 < znh> Howdy! I have multiple IPs on server, can I use one IP explicit for openvpn's outbound connections?
05:07 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Ping timeout: 276 seconds]
05:08 < Bushmills> znh:  http://scarydevilmonastery.net/snap/1279706915221308080d.png
05:09 < znh> that's for incoming
05:10 < Bushmills> that's for binding to
05:10 < znh> or would it use the bound ip as default gateway?
05:10 < znh> ^
05:10 < Bushmills> my openvpn have all both incoming and outgoing traffoc
05:10 < Bushmills> ic
05:16 -!- znh [~hans@unaffiliated/znh] has quit [Quit: Lost terminal]
05:16 < xLP> if I'm not mistaken... you can choose the IP OpenVPN server will listen on
05:16 < xLP> regarding the IP OpenVPN client uses to connect, it's a routing issue
05:17 < xLP> might be solved using iptables and or routes
05:17 -!- Rene1 [~Rene@cs181081047.pp.htv.fi] has quit [Ping timeout: 258 seconds]
05:18 < xLP> mmm... could also be that you can choose a device used by OpenVPN, could be
05:24 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:25 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
05:55 -!- SOG [~SOG@61.144.230.241] has quit [Quit: SOG]
06:14 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
06:22 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
06:49 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Ping timeout: 276 seconds]
06:55 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Ping timeout: 252 seconds]
06:56 -!- Champi [Champi@damn.e-leet.be] has quit [Remote host closed the connection]
06:59 -!- Champi [Champi@damn.e-leet.be] has joined ##openvpn
06:59 -!- takamichi [~pri@78.133.38.201] has joined ##openvpn
07:01 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined ##openvpn
07:03 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
07:18 < ecrist> !snapshot
07:19 < vpnHelper> ecrist: Error: "snapshot" is not a valid command.
07:19 < ecrist> !snapshots
07:19 < vpnHelper> ecrist: "snapshots" is (#1) weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn, or (#2) by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch
07:23 -!- JackCorleone [~Jack@201-26-13-95.dsl.telesp.net.br] has joined ##openvpn
07:25 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
07:26 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Ping timeout: 252 seconds]
07:30 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined ##openvpn
07:32 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 276 seconds]
07:37 -!- mosno [~mosno@unaffiliated/mosno] has joined ##openvpn
07:38 < ecrist> 04:36 < krzee> i dont live on the north american continent
07:38 < ecrist> actually, you *do*
07:39 < ecrist> the continent consists of more than what's above the surface of the ocean. :)
07:40 < kraut> moin
07:44 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has joined ##openvpn
07:49 -!- LeRrA [~lerra@ua-213-114-152-155.cust.bredbandsbolaget.se] has quit [Ping timeout: 248 seconds]
07:49 -!- LeRrA [~lerra@c-9b9872d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined ##openvpn
08:00 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Read error: Operation timed out]
08:03 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined ##openvpn
08:07 -!- mosno [~mosno@unaffiliated/mosno] has quit [Quit: mosno]
08:11 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
08:12 -!- tjz_ [~pc@bb116-14-167-197.singnet.com.sg] has joined ##openvpn
08:14 -!- JackCorleone [~Jack@201-26-13-95.dsl.telesp.net.br] has quit [Remote host closed the connection]
08:14 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has joined ##openvpn
08:16 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 260 seconds]
08:26 -!- xLP [~test@mail-out.lpcorp.fr] has quit [Ping timeout: 248 seconds]
08:27 -!- floops [floops@404.not.found.shellium.org] has quit [Read error: Connection reset by peer]
08:29 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
08:30 -!- xLP [~test@mail-out.lpcorp.fr] has joined ##openvpn
08:33 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
08:34 -!- floops [floops@404.not.found.shellium.org] has joined ##openvpn
08:39 -!- SOG [~SOG@222.125.202.173] has quit [Quit: I will be back!]
08:44 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
08:46 -!- SOG [~SOG@222.125.202.173] has quit [Read error: Connection reset by peer]
08:46 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
08:46 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.6/20100625231939]]
09:01 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
09:01 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
09:04 -!- tjz_ is now known as tjz
09:04 -!- tjz [~pc@bb116-14-167-197.singnet.com.sg] has quit [Changing host]
09:04 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
09:12 -!- xLP [~test@mail-out.lpcorp.fr] has quit [Ping timeout: 240 seconds]
09:50 -!- xLP [~test@mail-out.lpcorp.fr] has joined ##openvpn
09:52 < xLP> !welcome
09:52 < vpnHelper> xLP: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:53 < xLP> !/30
09:53 < vpnHelper> xLP: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
09:53 < xLP> interesting... on Windows I have the /30, on Linux I had a client with IP 10.5.0.2 (and server 10.5.0.1)
09:54 < xLP> !topology
09:54 < vpnHelper> xLP: "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
10:01 -!- SOG [~SOG@222.125.202.173] has quit [Quit: I will be back!]
10:06 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
10:06 -!- Rene [~Rene@jumbo52.adsl.netsonic.fi] has joined ##openvpn
10:12 -!- joako_ [~joako@opensuse/member/joak0] has joined ##openvpn
10:14 -!- Rene [~Rene@jumbo52.adsl.netsonic.fi] has quit [Quit: I would like to die in my sleep just like my grandfather, not screaming and yelling like his passengers.]
10:26 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
10:29 -!- gnurbs [~foo@hg-public-dock-149-dhcp.ethz.ch] has joined ##openvpn
10:31 -!- gnurbs [~foo@hg-public-dock-149-dhcp.ethz.ch] has quit [Client Quit]
10:51 -!- SOG [~SOG@222.125.202.173] has quit [Read error: Connection reset by peer]
10:51 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
11:08 < kisom> Conclusion: Yellowjackets do get drunk if fed with vodka. They do not sting when drunk either
11:09 < [intra]lanman> good to know... but how do you get them to drink the vodka?
11:09 < kisom> put them in the bottle.
11:09 < [intra]lanman> oic
11:10 < kisom> lol i have it crawling in the palm of my hand
11:10 < kisom> kinda creepy
11:10 < [intra]lanman> yeah, i don't think i'd feel comfortable doing that
11:15 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:16 -!- SOG [~SOG@222.125.202.173] has quit [Read error: Connection reset by peer]
11:16 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
11:20 -!- dazo is now known as dazo_afk
11:30 < ecrist> I had to do a doubletake
11:31 < ecrist> how goes, [intra]lanman 
11:31 < [intra]lanman> not so well
11:31 < ecrist> o.O
11:31 < [intra]lanman> running on very little sleep... was working on connecting my home with my office until about 6am
11:31 < [intra]lanman> never was completely successful
11:32 < [intra]lanman> krzee: says i'm not retarded or anything... there's something weird happening :-\
11:32 < [intra]lanman> aside from that.... i'm awesome
11:32 < [intra]lanman> working on moving some freeswitch services into a new DC
11:36 < ecrist> stuff you host/work with, or freeswitch.org stuff?
11:39 < [intra]lanman> freeswitch.org stuff
11:39 < [intra]lanman> the conference server, jira, fisheye, etc
11:42 < ecrist> ah
12:00 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
12:07 -!- nido_ [~nido@wardenscat.foxserver.be] has joined ##openvpn
12:07 < nido_> !welcome
12:07 < vpnHelper> nido_: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:08 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
12:10 < nido_> !goal
12:10 < vpnHelper> nido_: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:10 < nido_> !interface
12:10 < vpnHelper> nido_: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
12:16 < nido_> I have two servers running openvpn and have an udp tunnel between both. Then I have my other computers, which will connect to either server via tcp or udp, depending how well the ISP can handle udp traffic. On the servers, tap0 and tap1 (both tap devices obviously :p) are bridged to eachother, linking the clients connecting to server A and server B. This all works fine and dandy.
12:17 < nido_> My problem is, every time something connects (whch happens a lot some clients are on very unstable connections), it gives me a line in my logs saying "MULTI: no dynamic or static remote --ifconfig address is available for [host]/[ip]:[port"
12:20 < nido_> hence my question is, how can i stop it from producing these messsages, as I know and expect no ifconfig configuration to be done (since half of these ethernet tunnels are going to be bridged)
12:28 -!- nido_ is now known as nido
12:31 -!- oryxtec [~as@109.169.28.42] has joined ##openvpn
12:31 < oryxtec> hi all
12:31 < oryxtec> i m unable to use 
12:31 < oryxtec> crl-verify crl.pem
12:31 < oryxtec> when ever i try to do this
12:31 < oryxtec> i get error msg  -bash: crl-verify: command not found
12:32 < oryxtec> please help me on this
12:32 < oryxtec> even i can't find crl-verify file in open vpn folder
12:33 < oryxtec> ?
12:37 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
12:38 < Bushmills> http://scarydevilmonastery.net/snap/1279733841979513744d.png - that's a config option, not an external command
12:38 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Ping timeout: 276 seconds]
12:38 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
12:41 < oryxtec> rite
12:41 < oryxtec> how can i revoke user license
12:42 < Bushmills> !revoke
12:42 < vpnHelper> Bushmills: Error: "revoke" is not a valid command.
12:43 < Bushmills> do you use  easy-rsa?
12:44 < oryxtec> yes
12:44 < Bushmills> check out the script revoke-crt, part of easy-rsa
12:45 < oryxtec> yeh i have checked that
12:45 < oryxtec> i have used these commands
12:45 < oryxtec>  ./vars
12:45 < oryxtec> ./revoke-full client2
12:45 < oryxtec> and then
12:45 < oryxtec> crl-verify crl.pem
12:45 < oryxtec> its not working
12:46 < Bushmills> crl-verify is an openvpn option, not a command or script
12:46 < Bushmills> and revoke-full is not revoke-crt
12:47 < oryxtec> i m new to open vpn.. please can you guide me how can remove those user licese which i don't need
12:48 < Bushmills> no i can't guide you through it, but i can direct you to the ssl docs
12:49 < Bushmills> http://tldp.org/HOWTO/SSL-Certificates-HOWTO/x195.html  that should do
12:49 < vpnHelper> Title: Certificate management (at tldp.org)
12:50 < oryxtec> let me try
13:04 < oryxtec> could not get any idea from it.. its ssl doc... i m usng openvpn
13:05 < oryxtec> bushmils: 
13:13 < Bushmills> openvpn uses ssl
13:14 < Bushmills> had you really looked at those revoke script of easy-rsa, you had found that those use openssl command as well
13:14 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
13:16 < oryxtec> http://pastebin.com/NnJemCwn    revoke-crt plz can u check if this is correct?
13:17 < oryxtec> and this is revoke-full  http://pastebin.com/izZtsjgV
13:30 -!- oryxtec [~as@109.169.28.42] has quit []
13:32 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
13:38 < Bushmills> your problems is probably that the crl-verify  option is not part of your server config
13:39 -!- xLP [~test@mail-out.lpcorp.fr] has quit [Ping timeout: 240 seconds]
13:45 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
13:59 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
14:00 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
14:12 -!- trefn [~tim@c-98-248-40-254.hsd1.ca.comcast.net] has left ##openvpn []
14:15 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:33 -!- Columbo0815 [~foobar@HSI-KBW-085-216-116-089.hsi.kabelbw.de] has joined ##openvpn
14:33 < Columbo0815> !welcome
14:33 < vpnHelper> Columbo0815: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:34 < Columbo0815> !route
14:34 < vpnHelper> Columbo0815: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:34 -!- penrod [~pattonb@S01060016b6b53bd9.cg.shawcable.net] has joined ##openvpn
14:34 < Columbo0815> !forum
14:34 < vpnHelper> Columbo0815: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
14:40 < Columbo0815> !ssl-admin
14:40 < vpnHelper> Columbo0815: "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn, or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
14:51 -!- Columbo0815 [~foobar@HSI-KBW-085-216-116-089.hsi.kabelbw.de] has quit [Quit: Verlassend]
14:52 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Remote host closed the connection]
15:05 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Connection reset by peer]
15:05 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has quit [Ping timeout: 260 seconds]
--- Log closed Wed Jul 21 15:05:30 2010
--- Log opened Wed Jul 21 15:05:35 2010
15:05 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
15:05 -!- Irssi: ##openvpn: Total of 95 nicks [2 ops, 0 halfops, 0 voices, 93 normal]
15:05 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
15:06 -!- Irssi: Join to ##openvpn was synced in 29 secs
15:07 -!- ksk [~ksk@im.knubz.de] has joined ##openvpn
15:08 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has joined ##openvpn
15:08 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
15:10 -!- 30BAAT88O [~evaldo@freenode/staff/udontknow] has joined ##openvpn
15:11 -!- 30BAAT88O [~evaldo@freenode/staff/udontknow] has quit [Read error: Connection reset by peer]
15:24 -!- joako_ [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
15:43 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
15:58 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
16:00 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
16:04 -!- krzie [~k@unaffiliated/krzee] has left ##openvpn ["Leaving"]
16:07 -!- oryxtec [~as@109.169.28.42] has joined ##openvpn
16:09 -!- oryxtec [~as@109.169.28.42] has left ##openvpn []
16:09 -!- smerz [~smerz@smerz.demon.nl] has quit [Remote host closed the connection]
16:40 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
16:43 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
16:56 -!- krzie [~k@unaffiliated/krzee] has joined ##openvpn
17:00 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
17:13 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
17:17 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
17:22 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
17:25 -!- vici0us [foobar@91.176.141.31] has quit [Ping timeout: 240 seconds]
17:27 -!- vici0us [foobar@91.176.92.2] has joined ##openvpn
17:29 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:53 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:45 -!- joako_ [~joako@opensuse/member/joak0] has joined ##openvpn
18:47 < krzee> ecrist, re intralanman's setup
18:47 < krzee> weird weird stuff
18:47 < krzee> when we enable the iroute via ccd, we can see it gets read  upon client connect
18:48 < krzee> ping -S lan_ip vpn_endpoint is success
18:49 < krzee> but a ping from a lan machine to same endpoint gets a MULTI error, about that the lan_ip (which is inside iroute's subnet)
18:50 < krzee> and when we have a matching push route from server (which should be 100% ignored due to the matching iroute) all sorts of stuff shows up in MULTI errors(even his traffic to freenode)
18:50 < krzee> but hes not redirecting gateway
18:50 < krzee> im gunna work on it more with him tonight if he has time
18:57 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
19:01 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
19:04 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has joined ##openvpn
19:25 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
19:30 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 265 seconds]
19:35 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
19:41 < krzie> !snapshots
19:41 < vpnHelper> krzie: "snapshots" is (#1) weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn, or (#2) by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch
20:00 -!- vici0us [foobar@91.176.92.2] has quit [Quit: Lost terminal]
20:13 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
20:14 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
20:18 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
--- Log opened Thu Jul 22 02:18:14 2010
02:18 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
02:18 -!- Irssi: ##openvpn: Total of 95 nicks [2 ops, 0 halfops, 0 voices, 93 normal]
--- Log closed Thu Jul 22 02:18:23 2010
--- Log opened Thu Jul 22 02:18:32 2010
02:18 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
02:18 -!- Irssi: ##openvpn: Total of 95 nicks [2 ops, 0 halfops, 0 voices, 93 normal]
02:19 -!- Irssi: Join to ##openvpn was synced in 35 secs
02:27 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
02:33 -!- floops [floops@404.not.found.shellium.org] has quit [Read error: Operation timed out]
02:45 -!- dazo_afk is now known as dazo
02:45 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
02:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:15 -!- yakub [~www-data@unaffiliated/yakub] has quit [Quit: leaving]
03:24 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:42 -!- dunc_ [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
03:46 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 260 seconds]
04:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
05:07 < DeathWolf> Bushmills: well, compression's hardly of any use when transferring binary content
05:08 < DeathWolf> but even 12+8+8 doesn't match at all my experience
05:08 < DeathWolf> which was more like 80bytes of overhead
05:08 < DeathWolf> and always puzzled me
05:20 -!- floops [floops@404.not.found.shellium.org] has joined ##openvpn
05:22 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:38 -!- SOG [~SOG@61.144.230.241] has quit [Quit: SOG]
05:40 < Bushmills> binary content can compress well, unless it has been compressed already. not as well as text, though, generally
05:41 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:44 < DeathWolf> most of my transfer is alredy compressed binary
05:44 < DeathWolf> but anyway, my issue was figuring what makes the overhead:)
05:45 < DeathWolf> urgh... 41 bytes security layer overhead (includes packet tag (1), HMAC-SHA1 signature (20), initialization vector (16), sequence number (4)) + 28 bytes of ip+udp... ouch
06:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
06:06 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:19 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
06:20 -!- SOG [~SOG@222.125.202.173] has quit [Read error: Connection reset by peer]
06:20 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
06:32 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
06:32 -!- dunc_ [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 260 seconds]
06:34 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Read error: Operation timed out]
06:44 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has joined ##openvpn
06:47 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
06:54 -!- gorkhaan [~gorkhaan@adsl-101-10.globonet.hu] has joined ##openvpn
07:03 -!- ivenkys_ [~ivenkys@unaffiliated/ivenkys] has joined ##openvpn
07:06 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
07:06 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has quit [Ping timeout: 276 seconds]
07:08 -!- gorkhaan [~gorkhaan@adsl-101-10.globonet.hu] has quit [Ping timeout: 276 seconds]
07:16 -!- mosno [~mosno@unaffiliated/mosno] has joined ##openvpn
07:26 -!- boswarrior [~mrnice@78.142.173.114] has joined ##openvpn
07:27 -!- boswarrior is now known as tjuxer
07:33 -!- mosno [~mosno@unaffiliated/mosno] has quit [Quit: mosno]
07:47 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
07:47 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
07:52 -!- error404notfound [77999788@gateway/web/freenode/ip.119.153.151.136] has joined ##openvpn
07:59 < error404notfound> I setup openvpn on a windows 7 machine. I am pushing the DNS hosted on openvpn server as options but this windows machine doesn't seem to pick those settings,  gives multiple errors during connection and can't reach dns probably due to route issue. http://pastebin.com/MtwwtYJt
08:03 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
08:08 < error404notfound> anyone?
08:10 < Bushmills> error404notfound: set properties of openvpn - maybe, not sure, also of openvpn-gui - as "run as admin", and compatibility mode "vista"
08:10 < Bushmills> also set in config "route-method exe"
08:10 < Bushmills> possible route-delay 2
08:10 < Bushmills> !winroute
08:10 < vpnHelper> Bushmills: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
08:10 < Bushmills> ah. that one.
08:20 < error404notfound> Bushmills: thanks, seems like "route-delay 5" works :)
08:23 -!- error404notfound [77999788@gateway/web/freenode/ip.119.153.151.136] has quit [Quit: Page closed]
09:07 -!- funkyHat [~m@funkyhat.org] has quit [Ping timeout: 260 seconds]
09:15 -!- tjuxer [~mrnice@78.142.173.114] has quit [Quit: Ex-Chat]
09:19 -!- bvierra [~bvierra@cpe-76-167-245-163.socal.res.rr.com] has quit [Ping timeout: 248 seconds]
09:23 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
09:52 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
09:52 -!- Blues-Man [~bluesman@host251-116-dynamic.27-79-r.retail.telecomitalia.it] has joined ##openvpn
10:04 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
10:15 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
10:15 < kraut> moin
10:16 < krzie> moinmoin
10:18 < hyper_ch> moinmoinmoin
10:19 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
10:22 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:23 -!- funkyHat [~m@funkyhat.org] has joined ##openvpn
10:31 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:42 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
10:43 -!- macsppadic [~sonupunno@88.211.55.77] has left ##openvpn []
10:44 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
10:51 -!- dazo is now known as dazo_afk
10:57 -!- bob368 [~bob@166.205.143.235] has joined ##openvpn
11:05 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
11:05 -!- killown [~killown@unaffiliated/killown] has quit [Read error: Connection reset by peer]
11:05 -!- Chosi [osxchosi@unaffiliated/chosi] has quit [Remote host closed the connection]
11:06 -!- Chosi [osxchosi@choseh.de] has joined ##openvpn
11:11 < bob368> If I have a system that is 500mhz and may have the capacity of 20-50Mbs max throughput. How will setting up an open vpn on this firewall effect the throughput
11:15 -!- bob368 [~bob@166.205.143.235] has quit [Read error: Connection reset by peer]
11:15 < krzie> you're likely to get less throughput over the vpn
11:15 < krzie> heh, nice driveby
11:16 -!- bob368_ [~bob@166.205.10.146] has joined ##openvpn
11:18 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
11:27 -!- bob368_ [~bob@166.205.10.146] has quit [Quit: Colloquy for iPhone - http://colloquy.mobi]
11:27 -!- bob368 [~bob@166.205.10.146] has joined ##openvpn
11:39 -!- APTX_ [~APTX@phpBB/developer/APTX] has joined ##openvpn
11:43 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
11:45 -!- bob368 [~bob@166.205.10.146] has quit [Ping timeout: 258 seconds]
11:49 < Bushmills> i might start to put nicks of people who wait less than 5 min for a reply on /ignore, so that i'm not tempted to reply when i encounter them again
11:50 < Bushmills> with joins and parts disabled, it happens all too often what one talks against a void
11:50 -!- Blues-Man [~bluesman@host251-116-dynamic.27-79-r.retail.telecomitalia.it] has quit [Read error: Connection reset by peer]
11:50 < Bushmills> that
11:57 -!- SOG [~SOG@222.125.202.173] has quit [Remote host closed the connection]
11:58 -!- SOG [~SOG@n1164870107.netvigator.com] has joined ##openvpn
12:00 -!- swilde [~wilde@aktaia.intevation.org] has quit [Quit: ERC Version 5.3 (IRC client for Emacs)]
12:01 < kisom> i usually hate everything microsoft...
12:01 < kisom> but damn, gadgets in W7 are sweet
12:14 -!- SOG [~SOG@n1164870107.netvigator.com] has quit [Ping timeout: 265 seconds]
12:16 < krzie> ya, they took some good ideas from osx ;]
12:16 < krzie> !windows
12:16 < vpnHelper> krzie: "windows" is pcs are like air conditioners, they work fine unless you open windows
12:17 < cpm> doh!
12:20 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
12:26 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
12:49 -!- dazo_afk is now known as dazo
12:58 -!- funkyHat [~m@funkyhat.org] has quit [Ping timeout: 265 seconds]
13:00 -!- funkyHat [~m@cpc1-nthc3-0-0-cust308.nrth.cable.ntl.com] has joined ##openvpn
13:00 -!- bob368 [~bob@166.205.143.249] has joined ##openvpn
13:05 -!- bob368 [~bob@166.205.143.249] has quit [Ping timeout: 258 seconds]
13:08 -!- weeHat [~matt@cpc1-nthc3-0-0-cust308.nrth.cable.ntl.com] has joined ##openvpn
13:09 < weeHat> I seem to be having connectivity issues with my VPN client. I'm not *sure* it's related to the VPN but I can't see anything else...
13:10 < weeHat> Does this routing table look OK? http://bpaste.net/show/8178/
13:18 < weeHat> !welcome
13:18 < vpnHelper> weeHat: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:18 < weeHat> !route
13:18 < vpnHelper> weeHat: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:21 < [intra]lanman> !conf-gen
13:21 < vpnHelper> [intra]lanman: Error: "conf-gen" is not a valid command.
13:21 < [intra]lanman> !confgen
13:21 < vpnHelper> [intra]lanman: "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/
13:24 < weeHat> It seems line 7 on my paste could be the culprit... 
13:26 < weeHat> http://bpaste.net/show/8180/ here's my server and client configs
13:32 -!- funkyHat [~m@cpc1-nthc3-0-0-cust308.nrth.cable.ntl.com] has quit [Ping timeout: 276 seconds]
13:33 -!- funkyHat [~m@funkyhat.org] has joined ##openvpn
13:58 -!- bvierra [~bvierra@cpe-76-167-245-163.socal.res.rr.com] has joined ##openvpn
14:16 -!- unixtoy [~unixtoy@rrcs-76-79-204-178.west.biz.rr.com] has joined ##openvpn
14:16 -!- unixtoy is now known as nihga
14:16 < nihga> any one around with a simple VPN question
14:18 < krzie> depends... you're best to just ask and find out
14:18 < nihga> when my labtop connects to the vpn it gets a ip address gateway and DNS servers
14:19 < nihga> but I can't connect or browse ?
14:19 < krzie> connect or browse how
14:20 < nihga> I connect via wireless
14:20 < nihga> firefox will not work
14:20 < nihga> nor can I ping any of the internal or external ips
14:20 < krzie> ok so you are trying to redirect inet traffic over the vpn?
14:20 < nihga> Yeah
14:20 < krzie> !redirect
14:20 < nihga> I have iptables setup
14:20 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:21 < krzie> !linipforward
14:21 < vpnHelper> krzie: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
14:21 < krzie> !linnat
14:21 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
14:21 < nihga> iptables works because I configured it for our internal network of 192.168
14:21 < nihga> let me check but I think I have --redirect-gateway set
14:21 < nihga> one sec..
14:22 < krzie> !def1
14:22 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
14:26 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:27 < nihga> push "redirect-gateway 192.168.1.1"
14:27 < nihga> that's what I have
14:27 < krzie> umm
14:28 < krzie> have you read the manual for redirect-gateway?
14:28 < krzie> !man
14:28 -!- bjh4 [~chatzilla@ool-18bbdf6a.static.optonline.net] has joined ##openvpn
14:28 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
14:28 < nihga> nop
14:28 < nihga> nope
14:28 < krzie> go do it
14:28 < nihga> sorry.. I didn't know they had one
14:29 < krzie> a very very extensive manual
14:29 < bjh4> I have done a bunch of reading and I am getting the feeling that I cannot use tun and dictate what ips i want my clients to have with the ifconfig-push command.  does this sound correct?
14:30 < bjh4> clients are windows
14:31 < krzie> nope, not correct
14:31 < krzie> you may just need to use ifconfig-push differently in your ccd file
14:31 < krzie> !static
14:31 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
14:32 < krzie> if you have it in a ccd, and are using it like that, but not using topology subnet, you may want to use 10.8.0.5 10.8.0.6
14:33 < bjh4> krzie: so  as long as i declare ifconfig-push 10.8.0.5 10.8.0.6  the client will still route to 10.8.0.1?
14:35 < bjh4> i am doing this in the ccd file. 10.8.0.1 is the server.  I have 5 clients that need to be able to connect to one server instance.
14:37 < krzie> sure, the ifconfig-push doesnt change the route
14:37 < krzie> but
14:37 < krzie> thats only if not using net30
14:37 < krzie> err
14:37 < krzie> not using topology subnet i mean
14:37 < bjh4> net30?
14:37 < krzie> if not using topology subnet, you are using topology net30 (the default)
14:37 < bjh4> what does topology subnet look like when declared in the config
14:38 < krzie> !/30
14:38 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
14:38 < bjh4> ok
14:38 < krzie> it would look like "topology subnet" in the server config
14:38 < bjh4> !topology
14:38 < vpnHelper> bjh4: "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
14:38 < bjh4> vpnHelper: I am committed to whatever version pfsense is running.  I need to double check that.
14:38 < vpnHelper> bjh4: Error: "I" is not a valid command.
14:38 < krzie> so, if you use topology subnet, your ifconfig-push should be like 10.8.0.6 255.255.255.0
14:38 < krzie> vpnHelper, bot
14:39 < vpnHelper> krzie: "bot" is I'm a bot.. just a bot. krzee is my maintainer, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
14:39 -!- krzie is now known as krzee
14:39 < bjh4> o a bot
14:39 < bjh4> ok 
14:39 < bjh4> krzie: so in essence each client eats 3 IPs?
14:39 < krzee> 4
14:39 < bjh4> right
14:40 < krzee> as explained in the link at !/30
14:40 < bjh4> forgot about the network address
14:40 < krzee> !/30
14:40 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
14:40 < bjh4> network,client,client,broadcast
14:40 < bjh4> hence .252
14:40 < bjh4> in a nutshell i guess
14:40 < krzee> aka, /30
14:41 < bjh4> word up. thx for the info.  i caused one hell of a mess over here. time for some cleanup!
14:41 < krzee> its a workaround for windows lamesauce, before they found a better way and made topology subnet
14:41 < krzee> np =]
14:42 < bjh4> windows is def extra lame sauce
14:42 < krzee> !windows
14:42 < vpnHelper> krzee: "windows" is pcs are like air conditioners, they work fine unless you open windows
14:42 < bjh4> lol
14:50 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Ping timeout: 264 seconds]
14:51 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
14:56 -!- nihga [~unixtoy@rrcs-76-79-204-178.west.biz.rr.com] has quit [Ping timeout: 240 seconds]
15:05 -!- rawDawg [~rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
15:11 -!- nihga [~unixtoy@rrcs-76-79-204-178.west.biz.rr.com] has joined ##openvpn
15:33 < [intra]lanman> !viscosity
15:33 < vpnHelper> [intra]lanman: Error: "viscosity" is not a valid command.
15:33 < [intra]lanman> figured i'd try...
15:34 < [intra]lanman> anyone have an example of a .conf file that can be imported into viscosity? namely, i seem to have the wrong paths to my keys and have to manually add them after the import
15:37 < [intra]lanman> nm, got it
15:43 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 260 seconds]
15:45 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Remote host closed the connection]
15:58 -!- kraut [~kraut@cl-677.ham-01.de.sixxs.net] has joined ##openvpn
15:59 -!- kraut [~kraut@cl-677.ham-01.de.sixxs.net] has quit [Quit: Reconnecting]
15:59 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
16:07 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 248 seconds]
16:07 -!- kazagistar [~kazagista@host-174-45-73-153.bzm-mt.client.bresnan.net] has joined ##openvpn
16:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
16:09 -!- dazo is now known as dazo_afk
16:13 -!- magglass1 [~m@unaffiliated/magglass1] has quit [Ping timeout: 265 seconds]
16:13 < kazagistar> I am trying to connect remote computers into a LAN for the purposes of an old game... I have managed to get it working, but only if I use 'push "redirect-gateway def1"' to force all traffic into the VPN, which is undesirable... is there some way to force a particular program to talk to the VPN, while maintaining Internet connectivity?
16:14 -!- magglass1 [~m@unaffiliated/magglass1] has joined ##openvpn
16:19 -!- bent_screwdriver [~socain00@74.255.249.66] has quit []
16:28 -!- Champi [Champi@damn.e-leet.be] has quit [Remote host closed the connection]
16:30 -!- Champi [Champi@damn.e-leet.be] has joined ##openvpn
16:33 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Quit: Leaving]
16:48 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 276 seconds]
17:00 < weeHat> kazagistar: http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing might be helpful
17:00 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
17:03 < kazagistar> weeHat: so is my problem that I have no routes in my VPN? also, I am using tap, which I think I need for the broadcast based communication
17:09 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:16 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined ##openvpn
17:16 -!- kazagistar [~kazagista@host-174-45-73-153.bzm-mt.client.bresnan.net] has left ##openvpn []
17:16 < grendal_prime> hey guys.  If im using a tun device i burn an ip at each end of the tunnel.  Someone mentionied that i will actually burn 4 ip's per connection is that right?
17:17 < grendal_prime> and i understand topology subnet addresses that but these boxes in the field are still running on 2.0 and its not supported.
17:23 < Bushmills> depends.  read  !topology
17:23 < Bushmills> ah. upgrade
17:24 < Bushmills> !net30
17:24 < vpnHelper> Bushmills: "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
17:32 -!- APTX_ is now known as APTX
17:38 < grendal_prime> ya these boxes will have to be upgraded to utilize topology and they are embeded devices.  kinda a bummer.
17:41 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
17:49 < grendal_prime> i dont think that link points to what i need to know
17:52 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
17:55 < grendal_prime> actually i think i found what i need...it was there just deeper than i though..
17:55 < grendal_prime> so if i have  a server running 2.1 and a ton of clients..(talking like 600 or so.
17:56 < grendal_prime> non of them windows boxes ) i can use --ifconfig-pool-linear
17:56 < grendal_prime> is that about right?
17:58 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:15 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Quit: Ex-Chat]
18:24 -!- nihga [~unixtoy@rrcs-76-79-204-178.west.biz.rr.com] has quit [Read error: No route to host]
19:08 -!- Chosi [osxchosi@choseh.de] has quit [Ping timeout: 246 seconds]
19:13 -!- Chosi [osxchosi@choseh.de] has joined ##openvpn
19:19 -!- Unirgy [~Unirgy@unaffiliated/unirgy] has joined ##openvpn
19:20 < Unirgy> hi, the openvpn gui client offers open to import connection from the server. how would i configure the server to provide this configuration? thanks :)
19:34 < Unirgy> nm, installed openvpn AS 
19:35 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
19:36 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
19:59 < networkn> I can't seem to get this tap adapter added to my Windows 7 PC.
20:00 < networkn> Updating drivers for tap0901 from C:\Program Files\OpenVPN\driver\OemWin2k.inf.
20:00 < networkn> sits in the batch file doing that indefiniately
20:00 < networkn> I am an administrator on this computer
20:15 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
20:34 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
20:58 -!- notbrien_ [~notbrien@69.60.16.242] has joined ##openvpn
21:01 -!- notbrien_ is now known as notbrien
21:07 < networkn> weirdest thing.. Have set up a tunnel, client server with certifcates, local endpoint is 10.0.0.7 with tunnel ip of 192.168.100.6, server endpoint 10.0.110.211, tunnel 192.168.100.1, can ping from client to anywehre on the server end, but from the server can ping remote endpoint ip, but not local ip 10.0.0.7
21:07 < networkn> firewall is off on both ends
22:05 -!- kyuubi [~kyuubi@unaffiliated/kyuubi] has joined ##openvpn
22:06 -!- kyuubi [~kyuubi@unaffiliated/kyuubi] has quit [Read error: Connection reset by peer]
22:06 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
22:07 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
22:16 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
22:18 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
22:21 < networkn> no-one?
22:29 -!- weeHat [~matt@cpc1-nthc3-0-0-cust308.nrth.cable.ntl.com] has quit [Quit: WeeChat 0.3.2]
22:42 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
23:05 -!- bob368 [~bob@166.205.8.169] has joined ##openvpn
23:22 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
23:26 -!- bob368 [~bob@166.205.8.169] has quit [Remote host closed the connection]
23:47 -!- iateadonut [~dan@123.234.80.197] has joined ##openvpn
23:48 < iateadonut> i'd like my users to use the server as their DNS.  how do i know if my server can do that?
23:57 -!- iateadonut [~dan@123.234.80.197] has quit [Ping timeout: 240 seconds]
--- Day changed Fri Jul 23 2010
00:00 -!- iateadonut [~dan@123.234.80.197] has joined ##openvpn
00:04 -!- iateadonut [~dan@123.234.80.197] has quit [Ping timeout: 258 seconds]
00:07 -!- bvierra [~bvierra@cpe-76-167-245-163.socal.res.rr.com] has quit [Ping timeout: 265 seconds]
00:07 -!- bvierra [~bvierra@cpe-76-167-245-163.socal.res.rr.com] has joined ##openvpn
00:14 < networkn> weirdest thing.. Have set up a tunnel, client server with certifcates, local endpoint is 10.0.0.7 with tunnel ip of 192.168.100.6, server endpoint 10.0.110.211, tunnel 192.168.100.1, can ping from client to anywehre on the server end, but from the server can ping remote endpoint ip, but not local ip 10.0.0.7
00:14 < networkn> anyone able to assist please?
00:25 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
00:31 -!- networkn [networkn@smtp.sapphiresolutions.co.nz] has quit [Ping timeout: 246 seconds]
00:31 -!- networkn [networkn@smtp.sapphiresolutions.co.nz] has joined ##openvpn
01:17 -!- slibuntu [~slibuntu@frink.nuigalway.ie] has joined ##openvpn
01:17 < slibuntu> !welcome
01:17 < vpnHelper> slibuntu: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:25 -!- slibuntu [~slibuntu@frink.nuigalway.ie] has quit [Quit: leaving]
01:54 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:00 -!- dazo_afk is now known as dazo
02:17 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:38 -!- SOG [~SOG@61.144.230.241] has quit [Remote host closed the connection]
02:40 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
02:48 < kraut> moin
02:59 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Ping timeout: 252 seconds]
03:19 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:23 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Read error: Connection reset by peer]
03:33 -!- dunc_ [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
03:35 < hyper_ch> hmmm, is there something like a decentralized vpn?
03:36 < hyper_ch> so that only authentication goes through the server but then you can access the other clients directly without being required to go through the server?
03:36 < Chosi> client-to-client
03:36 < Chosi> !client-to-client
03:36 < vpnHelper> Chosi: "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
03:36 < vpnHelper> Chosi: other clients
03:37 < Chosi> oh well
03:37 < Chosi> not quite what you want
03:37 < Chosi> :)
03:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Operation timed out]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 -!- nameless` [~nameless`@lav35-1-82-236-136-20.fbx.proxad.net] has joined ##openvpn
03:39 < nameless`> hi
03:39 < hyper_ch> Chosi: :)
03:39 < hyper_ch> hi nameless`
03:39 < hyper_ch> nameless`: can you tell me your name?
03:41 < nameless`> ?
03:42 < nameless`> i've got a problem with openvpn : http://paste.geeknode.org/89802279 apparently it's because the certificate is self signed, is there an option i can give to openvpn to ignore this issue ?
03:54 -!- dunc_ is now known as dunc
04:06 -!- freaky[t] [alpha@freakyy.de] has quit [Ping timeout: 265 seconds]
04:07 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 240 seconds]
04:09 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
04:09 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
04:26 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
04:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:05 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
05:06 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
05:14 -!- meepmeep [meepmeep@212.24.104.229] has quit [Ping timeout: 265 seconds]
05:19 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
05:51 -!- SOG [~SOG@61.144.230.241] has quit [Quit: SOG]
06:09 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
06:18 -!- kajl [~kyle@80.67.14.16] has joined ##openvpn
06:18 -!- Alocado [~matthias@dslb-088-068-062-227.pools.arcor-ip.net] has joined ##openvpn
06:18 < Alocado> hello! can me anyone please point to a good tutorial for configuring openvpn in a way which let connections through vpn alive during a ip change of the vpn client?
06:51 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Read error: Operation timed out]
07:10 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
07:10 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:16 -!- StrangebrewAway is now known as Strangebrew
07:18 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
07:20 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
07:29 < Bushmills> Alocado: nothing to do. client reconnects, session through vpn simply continue
07:30 < Alocado> i thought there was a special option to keep running connections open if a client reauthenticates
07:30 < Bushmills> unless disconnect detect and reconnect time is too long, so that sessions through vpn have timed out by then
07:31 < Bushmills> no. for vpn connections, it looks like the was a temporary network congestion
07:34 < Alocado> oh ok, thy :)
07:40 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
07:41 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
08:16 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Read error: Connection reset by peer]
08:16 -!- macsppadic_ [~sonupunno@88.211.55.77] has joined ##openvpn
08:20 -!- takamichi [~pri@78.133.39.143] has joined ##openvpn
08:21 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Ping timeout: 248 seconds]
08:21 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 265 seconds]
08:21 -!- Strangebrew is now known as StrangebrewAway
08:23 -!- mosno [~mosno@unaffiliated/mosno] has joined ##openvpn
08:24 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
08:28 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
08:34 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has joined ##openvpn
08:46 -!- apt_get [~dennis@200.180.32.50] has joined ##openvpn
08:47 < apt_get> Hi
08:49 -!- krion [~seb@unaffiliated/krion] has joined ##openvpn
08:49 < krion> hi
08:52 < apt_get> Can I create a key with 512? not 1024?
08:52 < krion> i've an openvpn who doesn't recreate the tunnel when the ppp goes up after going down
08:52 < krion> looks like persist-tun isn't enough
09:00 < krion> looks like ping-restart is what i need
09:10 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
09:12 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
09:40 -!- bjh4 [~chatzilla@ool-18bbdf6a.static.optonline.net] has quit [Ping timeout: 264 seconds]
09:52 -!- bvierra_ [~bvierra@cpe-76-167-245-163.socal.res.rr.com] has joined ##openvpn
09:54 -!- bvierra [~bvierra@cpe-76-167-245-163.socal.res.rr.com] has quit [Ping timeout: 240 seconds]
09:56 -!- gour [~gour@93-136-79-181.adsl.net.t-com.hr] has joined ##openvpn
10:05 -!- mosno [~mosno@unaffiliated/mosno] has quit [Quit: mosno]
10:05 -!- takamichi [~pri@78.133.39.143] has quit [Ping timeout: 276 seconds]
10:06 -!- takamichi [~pri@94.75.217.247] has joined ##openvpn
10:07 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:13 -!- gour1 [~gour@78-0-254-163.adsl.net.t-com.hr] has joined ##openvpn
10:14 -!- gour [~gour@93-136-79-181.adsl.net.t-com.hr] has quit [Ping timeout: 248 seconds]
10:15 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
10:15 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
10:17 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
10:18 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:21 -!- gour1 is now known as gour
10:30 -!- killown [~killown@unaffiliated/killown] has quit [Ping timeout: 260 seconds]
10:35 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
10:54 -!- mosno [~mosno@unaffiliated/mosno] has joined ##openvpn
10:55 -!- Blues-Man [~bluesman@95.238.119.75] has joined ##openvpn
10:55 -!- StrangebrewAway is now known as strangebre
10:56 -!- strangebre is now known as Strangebrew
10:57 -!- takamichi [~pri@94.75.217.247] has quit [Ping timeout: 260 seconds]
10:58 -!- takamichi [~pri@78.133.39.143] has joined ##openvpn
11:09 -!- macsppadic_ [~sonupunno@88.211.55.77] has left ##openvpn []
11:13 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
11:15 < apt_get> Can I create a key with 512? not 1024?
11:21 -!- Strangebrew is now known as StrangebrewAway
11:28 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
11:34 -!- gour1 [~gour@78-0-214-231.adsl.net.t-com.hr] has joined ##openvpn
11:36 -!- gour [~gour@78-0-254-163.adsl.net.t-com.hr] has quit [Ping timeout: 264 seconds]
11:39 -!- krion [~seb@unaffiliated/krion] has quit [Quit: leaving]
11:40 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:50 -!- reber [~reber@78.250.235.60] has joined ##openvpn
11:50 < reber> !welcome
11:50 < vpnHelper> reber: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:08 < reber> !push
12:08 < vpnHelper> reber: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
12:16 -!- dazo is now known as dazo_afk
12:25 -!- StrangebrewAway is now known as strangebre
12:26 -!- strangebre is now known as Strangebrew
12:35 -!- reber [~reber@78.250.235.60] has quit [Ping timeout: 240 seconds]
12:36 -!- reber [~reber@91-121-61-152.ovh.net] has joined ##openvpn
12:37 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
12:40 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
12:41 -!- reber [~reber@91-121-61-152.ovh.net] has quit [Ping timeout: 265 seconds]
12:45  * Blues-Man good blues bye
12:45 -!- Blues-Man [~bluesman@95.238.119.75] has quit [Read error: Connection reset by peer]
12:46 -!- Strangebrew is now known as Moshmush
12:46 -!- Moshmush is now known as Strangebrew
12:47 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
12:57 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
13:00 -!- mosno [~mosno@unaffiliated/mosno] has quit [Quit: mosno]
13:07 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
13:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:10 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
13:35 -!- apt_get [~dennis@200.180.32.50] has quit [Quit: Ex-Chat]
13:36 -!- Strangebrew is now known as StrangebrewAway
13:36 -!- bimbo1 [~emerino@poseidon.etesa.com.mx] has joined ##openvpn
13:37 < bimbo1> hello, I would like to know if it's possible to configure openvpn to authenticate users based only on username/password (using pam)
13:37 < bimbo1> but without requiring a different key for each client
13:38 -!- gour1 [~gour@78-0-214-231.adsl.net.t-com.hr] has left ##openvpn ["WeeChat 0.3.2"]
13:38 -!- bimbo1 is now known as bimbo
13:42 < bimbo> I'll be around in case anyone has an answer, thanks in advance
13:57 -!- openvpn2009 [~admin@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
13:57 -!- mode/##openvpn [+o openvpn2009] by ChanServ
14:18 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
14:30 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
14:30 -!- mode/##openvpn [+o mattock] by ChanServ
14:30 -!- MWinther [~mw@213-66-50-34-no166.tbcn.telia.com] has joined ##openvpn
14:38 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
14:42 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
14:44 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Read error: Operation timed out]
14:49 -!- meepmeep [meepmeep@212.24.104.229] has joined ##openvpn
14:56 -!- StrangebrewAway [strangebre@nlayer.us] has quit [Quit: changing servers]
14:56 -!- StrangebrewAway [strangebre@nlayer.us] has joined ##openvpn
15:00 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:10 -!- Alocado [~matthias@dslb-088-068-062-227.pools.arcor-ip.net] has quit [Ping timeout: 260 seconds]
15:31 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
15:46 -!- ordex [~linuxaro@gentoo/user/ordex] has joined ##openvpn
15:46 < ordex> h all
15:46 < ordex> how can i instruct openvpn to modify the dns in the way i want? or also to avoid openvpn modifing my dns?
15:46 < krzee> it doesnt modify dns unless you ask it to
15:47 < krzee> and it will modify it in the way you ask it
15:47 < krzee> unless you dont run the server, in which case its a pain in the ass
15:48 < krzee> because you cant ignore only some pushs, you would have to use no-pull and manually set every little thing... if in default topology this means setting the correct IP or not having a connection
15:51 -!- killermouse0 [~killermou@gsv95-1-82-233-12-23.fbx.proxad.net] has quit [Ping timeout: 265 seconds]
15:59 < ordex> krzee: you mean that i could only ignore "dhcp" at all? 
15:59 < ordex> so if i use no-pull i won't get an ip?
15:59 < ordex> i'm in the client sure. i have no control over the server
15:59 < ordex> the problem is that i don't want that openvpn ovverride all my dns already present
16:02 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
16:07 < jwm> I just use ip pool config
16:08 < jwm> in server
16:08 < jwm> but you said you don't have server control
16:08 < krzee> its not dhcp
16:08 < krzee> well not normally
16:08 < krzee> are you using dev tun?
16:09 < krzee> really, the easiest thing you could do is have openvpn call a script to set your DNS how you want it after connecting
16:09 < krzee> that would be the least pain in the ass
16:10 < jwm> yeah that is what I do :)
16:10 < jwm> actually I use it just for down to clear routes
16:11 < krzee> shouldnt need to clear routes, when the devices closes the routes disappear
16:11 < krzee> s/devices/device/
16:17 -!- meepmeep [meepmeep@212.24.104.229] has quit [Ping timeout: 260 seconds]
16:22 < jwm> tap
16:22 < jwm> I have to reset the routes for a different interface
16:22 < jwm> when tap comes out default route goes through tap bridged
16:22 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
16:23 < ordex> krzee: probably the script is the better solution :P does openvpn have an option to specify the script to call? or should I do that by my init script?
16:36 < krzee> !script
16:36 < vpnHelper> krzee: "script" is see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn
16:37 < krzee> jwm
16:37 < krzee> !def1
16:37 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
16:41 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 260 seconds]
16:42 < bimbo> hello, I would like to know if it's possible to configure openvpn to authenticate users based only on username/password (using pam)
16:42 < bimbo> but without requiring a different key for each client
16:43 < bimbo> or is it possible to use the same client key for each client for encryption of the channel and rely on pam authentication only?
16:43 < krzee> bimbo, 
16:43 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
16:43 < krzee> !authpass
16:43 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
16:43 < krzee> both are possible
16:44 < krzee> if you want to use the same key AND passes, you need the duplicate key option
16:44 < krzee> lemme see what its called?
16:44 < krzee> --duplicate-cn
16:45 < bimbo> krzee: I'm currently testing using the same key for all clients and using pam for authentication, but somehow I feel this is not right
16:45 < krzee> !learn dupe as see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended)
16:45 < vpnHelper> krzee: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
16:45 < krzee> !learn dupe as see --duplicate-cn in the manual (!man) to see how to allow multiple clients to use the same key (NOT recommended)
16:45 < vpnHelper> krzee: Joo got it.
16:46 < bimbo> krzee: ok, I'm looking at it
16:46 < bimbo> thank you krzee
16:46 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
16:47 < krzee> yw
16:50 < bimbo> krzee: why is it not recommended? is it only because the layer of security provided by certs is screwed?
16:50 < krzee> yup
16:50 < krzee> you're using passes, so thats better
16:50 < krzee> (better than if you were not)
16:51 < krzee> some people use that option and dont add passes, in which case they cant stop individuals from logging in, and there is no accountability
16:52 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
16:54 < bimbo> krzee: I see, thanks for the explanation, now I need to find a way to provide an already-configured openvpn client for windows users, one that already includes a default configuration to connect to the vpn and the ca.crt and client.key/crt
16:54 < krzee> !win_rollup
16:54 < vpnHelper> krzee: "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
16:55 < krzee> or you could have them install like normal, and give them a zip with a bat file to move stuff into place
16:55 < bimbo> krzee: I think I can't thank you enough :) 
16:55 < krzee> =] np
16:57 < bimbo> one more question, would it be possible to use static key instead of client keys and certs? and would this be better?
17:02 < krzee> no, no
17:04 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
17:08 < bimbo> krzee: may I ask why not? my boss thinks it would  be better to use only static keys and get rid of server/client keys, but somehow that doesn't feel right to me
17:08 < krzee> your boss doesnt know what hes talking about
17:08 < krzee> static keys are not for client/server
17:08 < krzee> only for PTP
17:09 < krzee> aka, 2 endpoints, nothing more
17:12 < bimbo> krzee: ahh I see, so that means that'll work for one client only, but then how is it possible that the same static key can be used with tls-auth?
17:13 < krzee> tls-auth is only:
17:13 < krzee> !hmac
17:13 < vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
17:13 < vpnHelper> krzee: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
17:13 -!- nido [~nido@wardenscat.foxserver.be] has left ##openvpn []
17:13 < bimbo> krzee: ok, thank you again!
17:20 -!- brah [~asdofp@190.183.62.65] has joined ##openvpn
17:21 < krzee> =]
17:21 < |Mike|> KRAZY !
17:21 < |Mike|> ahoy skipper
17:22 < krzee> wassup!
17:22 < |Mike|> chillin, enjoying my first cold beer of this week
18:06 < bimbo> as far as I know, openvpn will open only one virtual interface (tun0) for the server, even if there are 1000 clients connecting to it
18:07 < bimbo> is there any way to make it spawn a new tun0 for each client? (this doesn't make sense to me, but my boss again says it should do that)
18:09 -!- MWinther [~mw@213-66-50-34-no166.tbcn.telia.com] has quit [Ping timeout: 276 seconds]
18:12 -!- brah [~asdofp@190.183.62.65] has quit [Ping timeout: 260 seconds]
18:21 -!- brah [~asdofp@190.7.0.81] has joined ##openvpn
18:23 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
18:42 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
18:43 -!- ordex [~linuxaro@gentoo/user/ordex] has left ##openvpn []
18:52 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 276 seconds]
18:56 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
19:04 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
19:38 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
19:48 -!- smerz [~smerz@smerz.demon.nl] has quit [Remote host closed the connection]
19:48 -!- bimbo [~emerino@poseidon.etesa.com.mx] has quit [Remote host closed the connection]
19:48 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
19:49 -!- bimbo [~emerino@poseidon.etesa.com.mx] has joined ##openvpn
19:50 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
19:57 -!- bimbo [~emerino@poseidon.etesa.com.mx] has left ##openvpn []
20:11 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
20:31 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 258 seconds]
20:38 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
20:51 -!- shootgun [~shootgun@c-67-161-188-18.hsd1.ca.comcast.net] has joined ##openvpn
20:53 < shootgun> do you have an faq somewhere?
21:03 -!- me345 [~me345@75.15.180.91] has joined ##openvpn
21:03 -!- me345 [~me345@75.15.180.91] has left ##openvpn []
21:03 -!- me345 [~me345@75.15.180.91] has joined ##openvpn
21:03 -!- me345 [~me345@75.15.180.91] has left ##openvpn []
21:05 < shootgun> !welcome
21:05 < vpnHelper> shootgun: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:05 < shootgun> !howto
21:05 < vpnHelper> shootgun: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
21:06 < shootgun> !redirect
21:06 < vpnHelper> shootgun: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
21:10 < shootgun> !ipforward
21:10 < vpnHelper> shootgun: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
21:10 < shootgun> !linipforward
21:10 < vpnHelper> shootgun: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
21:20 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 248 seconds]
21:40 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
21:47 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
21:56 < shootgun> hello
22:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
22:14 -!- buntfalke [~nobody@openvpn-p0-ipv6-100a.triple-a.uni-kl.de] has joined ##openvpn
22:14 -!- buntfalke [~nobody@openvpn-p0-ipv6-100a.triple-a.uni-kl.de] has quit [Changing host]
22:14 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
22:41 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 240 seconds]
22:44 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
22:46 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
23:34 -!- Unirgy [~Unirgy@unaffiliated/unirgy] has quit [Quit: KVIrc 4.0.0 Insomnia http://www.kvirc.net/]
--- Day changed Sat Jul 24 2010
00:00 -!- mape2k [~mape2k@p5B285D51.dip.t-dialin.net] has joined ##openvpn
00:11 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
00:12 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
00:21 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
00:23 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
00:47 < shootgun> i have a question about using openvpn with a public key (key for my dedicated server). Is there anybody who can help me?
00:51 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
00:54 < Bushmills> not unless you ask
01:08 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
01:26 < hyper_ch> !metaquestion
01:26 < vpnHelper> hyper_ch: Error: "metaquestion" is not a valid command.
01:27 < hyper_ch> there should be a factoid entry for that :)
01:30 < shootgun> thanks, here is the question. 
01:30 < shootgun> I have some public crt files. I got these for my dedicated server. 
01:30 < shootgun> they are valid. 
01:31 < shootgun> Is it possible to use those crt files with openvpn?
01:31 < shootgun> all of the tutorials i have seen explains how to create a server and client crt files. 
01:32 < shootgun> I am trying to use the server crt files (from my web page) without creating any crt files for the client. Client will connect and then login with previously created user name and password. 
01:33 < shootgun> It will be just like how Cisco VPN works on schools and jobs today. 
01:33 < shootgun> I could not find any tutorials to do this. 
01:34 < shootgun> Thanks in advance in case i am googling the answer. :-)
01:34 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Read error: Operation timed out]
01:40 -!- G [~njones@whio.jnet.net.nz] has quit [Quit: leaving]
01:41 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
02:17 -!- mape2k [~mape2k@p5B285D51.dip.t-dialin.net] has quit [Ping timeout: 248 seconds]
02:53 -!- StrangebrewAway is now known as strangebre
02:55 -!- strangebre is now known as Strangebrew
03:12 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
03:21 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 260 seconds]
03:24 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
03:30 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 260 seconds]
03:34 -!- shootgun [~shootgun@c-67-161-188-18.hsd1.ca.comcast.net] has quit [Quit: Leaving]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
04:25 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
04:50 -!- Strangebrew is now known as StrangebrewAway
05:00 -!- creack [~charme_g@163.5.84.215] has quit [Ping timeout: 240 seconds]
05:07 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
05:07 -!- creack [~charme_g@163.5.84.215] has joined ##openvpn
05:12 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has joined ##openvpn
05:56 -!- dunc [~dunc@fenchurch.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
06:02 < Bushmills> if you have "some" crt files, you may or may not be able to use them with openvpn
06:03 < Bushmills> openvpn uses openssl keys and certificates
06:04 < Bushmills> !ssl
06:04 < vpnHelper> Bushmills: Error: "ssl" is not a valid command.
06:04 < Bushmills> !openssl
06:04 < vpnHelper> Bushmills: Error: "openssl" is not a valid command.
06:04 < Bushmills> !keys
06:04 < vpnHelper> Bushmills: "keys" is http://openvpn.net/howto#pki
06:05 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
06:09 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
06:30 < networkn> weirdest thing.. Have set up a tunnel, client server with certifcates, local endpoint is 10.0.0.7 with tunnel ip of 192.168.100.6, server endpoint 10.0.110.211, tunnel 192.168.100.1, can ping from client to anywehre on the server end, but from the server can ping remote endpoint ip, but not local ip 10.0.0.7
06:31 < networkn> anyone able to assist please?
06:33 < Bushmills> can you ping 10.0.0.7 from server when openvpn is not running?
06:34 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Read error: Operation timed out]
06:44 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
06:48 < networkn> err no
06:49 < Bushmills> can you ping  192.168.100.6 from server with openvpn running?
06:53 < networkn> yes
06:57 < Bushmills> what did you configure, so that you can ping 10.0.0.7 when openvpn has been started?
06:57 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
07:02 < networkn> well .7 is locally connected lan so it shouldn't need anything? If it does, then what do I need to configure?
07:03 < networkn> something like route add -net 10.0.0.0 gw 192.168.0.6 mask 255.255.255.0
07:08 < Bushmills> server has no reason to send packets with destiniation 10.0.0.6 through vpn unless you explicitely tell it to do so.
07:09 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Ping timeout: 246 seconds]
07:09 < Bushmills> essentially, what applies for networks behind vpn, applies for destination non-von interface as well:
07:09 < Bushmills> !route
07:09 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:09 < Bushmills> but - why bother. just use 192.168.100.6 as destination
07:11 < networkn> well when I tried to make a route like I posted, I got "no process"
--- Log closed Sat Jul 24 07:12:21 2010
--- Log opened Sat Jul 24 07:49:55 2010
07:49 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
07:49 -!- Irssi: ##openvpn: Total of 88 nicks [2 ops, 0 halfops, 0 voices, 86 normal]
07:50 -!- Irssi: Join to ##openvpn was synced in 31 secs
07:50 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
07:58 -!- Robuster [~0px0@91.194.85.4] has quit [Quit: 0]
08:03 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Read error: Connection reset by peer]
08:16 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
08:22 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Read error: Connection reset by peer]
08:32 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
08:41 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 276 seconds]
08:47 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
08:57 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 276 seconds]
09:14 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
09:30 < Bushmills> install openvon
09:30 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Read error: Operation timed out]
09:35 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
09:41 -!- roentgen_ [~hart@miranda/user/roentgen] has joined ##openvpn
09:57 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
10:04 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Read error: Operation timed out]
10:14 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
10:14 < kisom> roentgen_: depends on your distro.
10:15 < kisom> roentgen_: nvm, wrong nickname.
10:16 < Bushmills> debian, he said, before he lost patience 
10:16 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
10:16 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
10:19 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
10:19 -!- mode/##openvpn [+o mattock] by ChanServ
10:33 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:39 -!- grapsus [~grapsus@guise.no-ip.fr] has joined ##openvpn
10:45 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:49 -!- grapsus [~grapsus@guise.no-ip.fr] has quit [Quit: Quitte]
11:09 -!- CaBa [caba@unique-inter.net] has joined ##openvpn
11:09 < CaBa> hi
11:10 < CaBa> i am using a plain tunnel with tun (v6) interfaces without any push / dhcp-like features
11:11 < CaBa> i assigned ip addresses to the tun devices on each sides and they can talk to eachother
11:11 < CaBa> however, from the client i cannot reach any ips behind the server, even though the server is configured to route to them
11:11 < CaBa> any idea what could go wrong here?
11:16 < krzee> !factoids search outside
11:16 < vpnHelper> krzee: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
11:16 < krzee> !ipforward
11:16 < vpnHelper> krzee: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
11:19 < CaBa> ip forwarding is enabled, the routes are configured
11:19 < CaBa> but i just realised, that the ip the server holds on the tun interface is not reachable from the internet, only the ones from the eth0 interface. why is that? 
11:59 < krzee> !configs
11:59 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
12:03 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
12:04 -!- killown [~killown@unaffiliated/killown] has quit [Ping timeout: 245 seconds]
12:05 < Bushmills> CaBa: because that's the address openvpn clients talk to the server through the tunnel
12:06 < CaBa> Bushmills: so? its a regular ip address assigned to the tun device. 
12:06 < CaBa> Bushmills: it also works as expected with v4 addresses, but somehow it doesnt work with v6 addresses...
12:07 < CaBa> Bushmills: if i take a v4 address, it doesnt matter if i assign it to eth0 or tun0 - its always reachable from the internet
12:07 < CaBa> Bushmills: however, with a v6 address that only works with eth0 for some reason
12:07 < CaBa> Bushmills: if i assign the v6 address to tun0 the v6 is reachable from the other side of the tunnel - but not from the internet
12:07 < Bushmills> my 10.x.x.x openvpn subnet is not reachable from the internet
12:08 < CaBa> yes, of course, thats because its a local subnet :P
12:08 < Bushmills> but i think in ipv4 terms, not in terms of ipv56
12:08 < Bushmills> v6
12:09 < CaBa> i really wonder whats going on there...
12:09 < Bushmills> 10.x.x.x mentioned to put your "always reachable" into perspective
12:10 < CaBa> hm?
12:11 < krzee> CaBa, you are using the iv6 patch or the devel snapshot?
12:11 < Bushmills> "if i take a v4 address, it doesnt matter if i assign it to eth0 or tun0 - its always reachable from the internet" - "10.x.x.x openvpn not reachable"
12:11 < krzee> s/iv6/ipv6/
12:11 < CaBa> krzee: no, regular openvpn that comes with debian stable
12:11 < krzee> the one which cant assign ipv6 addresses?
12:11 < krzee> hehe
12:11 < CaBa> yes
12:12 < CaBa> i use openvpn only for the tunnel with the --tun-ipv6 option
12:12 < krzee> !ipv6
12:12 < vpnHelper> krzee: "ipv6" is (#1) http://www.greenie.net/ipv6/openvpn.html for ipv6 payload patch (adds some nice ipv6 options), or (#2) see !snapshots for a release with ipv6 patches in it, report how it works to help it get included in a stable release
12:12 < krzee> there is --server-ipv6 in devel snapshot
12:12 < CaBa> i am aware that better support is avaiable in other versions, however, i want to stick to that version
12:12 < krzee> it may be more to your liking
12:13 < CaBa> Bushmills: well of course only if the ip is a regular ip and routed to that computer
12:13 < krzee> i dont believe its supposed to do what you are trying to make it do
12:13 < krzee> while the other version is supposed to
12:14 < CaBa> i have the v6 addresses assigned to both ends of the tunnel and i can also *use* v6 accross the tunnel
12:14 < CaBa> so it is indeed working... however, the tun device on the server side is not reachable from the internet via v6
12:16 < krzee> ipv6 forwarding, and ipv6 routing will need to be configured correctly
12:16 < krzee> i have no idea why you also insist on doing the setup the hard way, when openvpn devel snapshot has --ifconfig and --server for ipv6, and needs people with your interest to test them and report back
12:16 < krzee> but ok
12:16 < krzee> bbl
12:17 < krzee> oh btw, it's net.inet6.ip6.forwarding on my box, not the same tunable
12:17  * Bushmills grabs some darts and heads out, bbl
12:17 < krzee> Bushmills, 
12:17 < krzee> discworld is cool =]
12:17 < Bushmills> ah
12:18 < Bushmills> glad you like it
12:18 < krzee> glad i saved it!
12:18 < krzee> but ya, headed to work
12:18 < CaBa> krzee: well i used /proc/sys/net/ipv6/conf/all/forwarding
12:18 < Bushmills> the recent ones i watched and liked are  Ink, Happy Accidents, and two i forgot the title
12:18 < CaBa> so i think that enabled forwarding for v6
12:18 < krzee> couple hrs early, gunna work on my script, the configs and queries need a ton of modding now that we migrated
12:23 < CaBa> http://pastebin.com/JdbrN28R << here is a short example that illustrates the problem
12:25 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has quit [Ping timeout: 248 seconds]
12:29 < krzee> tbh i have no desire to help with an ipv6 setu where the person refuses to help test the openvpn ipv6 code, ill be back later
12:29 < krzee> adios
12:29 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
12:30 < CaBa> lol
12:30 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
12:31 < CaBa> "help me test unstable code on a production system or i won't assist!"
12:55 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has joined ##openvpn
13:09 -!- redfox [~redfox2@91.121.133.177] has quit [Ping timeout: 258 seconds]
13:09 -!- tmkd_ [user-448@91.121.140.63] has quit [Ping timeout: 240 seconds]
13:10 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
13:14 -!- tmkd [user-448@clients.shells.eofnet.lt] has joined ##openvpn
13:14 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
13:20 -!- MWinther [~mw@213-66-50-34-no166.tbcn.telia.com] has joined ##openvpn
13:20 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
13:20 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
13:23 -!- krzie [~k@unaffiliated/krzee] has joined ##openvpn
13:25 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 260 seconds]
13:25 -!- redfox [~redfox2@91.121.133.177] has joined ##openvpn
13:26 -!- redfox is now known as Guest30320
13:38 -!- hid3 [~tst@lan-78-157-71-116.vln.skynet.lt] has left ##openvpn []
13:43 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 265 seconds]
13:43 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has quit [Ping timeout: 248 seconds]
13:43 -!- Guest30320 [~redfox2@91.121.133.177] has quit [Ping timeout: 258 seconds]
13:44 -!- DeathWolf [yggdrasil@saber.kawaii-shoujo.net] has quit [Ping timeout: 265 seconds]
13:45 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has joined ##openvpn
13:47 -!- DeathWolf [yggdrasil@saber.kawaii-shoujo.net] has joined ##openvpn
13:51 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
13:51 -!- Guest30320 [~redfox2@91.121.133.177] has joined ##openvpn
13:51 -!- StrangebrewAway is now known as strangebre
13:52 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
13:57 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 265 seconds]
14:00 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
14:03 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
14:04 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has quit [Read error: Operation timed out]
14:11 -!- strangebre is now known as StrangebrewAway
14:11 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Read error: Operation timed out]
14:14 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
14:22 -!- GoGi [~gogi@pippo.9.6.gogi.tv] has joined ##openvpn
14:39 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has joined ##openvpn
14:42 -!- StrangebrewAway is now known as strangebre
14:49 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
14:52 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
15:00 < krzie> !windows
15:00 < vpnHelper> krzie: "windows" is pcs are like air conditioners, they work fine unless you open windows
15:01 -!- nesta [atsen@x.computer.st] has joined ##openvpn
15:02 < krzie> !pptp
15:02 < vpnHelper> krzie: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
15:02 < vpnHelper> krzie: read about why to not use pptp
15:03 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has quit [Ping timeout: 265 seconds]
15:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
15:11 -!- strangebre is now known as StrangebrewAway
15:14 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:52 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
16:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
16:05 -!- MWinther [~mw@213-66-50-34-no166.tbcn.telia.com] has quit [Remote host closed the connection]
16:13 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
16:14 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has joined ##openvpn
16:39 -!- krzie [~k@unaffiliated/krzee] has quit [Ping timeout: 248 seconds]
16:46 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:47 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 265 seconds]
16:47 -!- DeathWolf [yggdrasil@saber.kawaii-shoujo.net] has quit [Ping timeout: 265 seconds]
16:48 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 260 seconds]
16:49 -!- DeathWolf [yggdrasil@saber.kawaii-shoujo.net] has joined ##openvpn
16:49 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
16:53 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
16:59 -!- krzee [~k@ftp.secure-computing.net] has joined ##openvpn
16:59 -!- krzee [~k@ftp.secure-computing.net] has quit [Changing host]
16:59 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
17:19 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
17:29 -!- ordex [~linuxaro@gentoo/user/ordex] has joined ##openvpn
17:29 < ordex> hi there
17:29 < ordex> does openvpn support ipv6?
17:29 < ordex> i mean the client and the server
17:29 < ordex> not the tunnel
17:29 < |Mike|> not yet.
17:32 < networkn> I can't seem to get this tap adapter added to my Windows 7 PC.
17:33 < networkn> it just hangs at Updating drivers for tap0901 from C:\Program Files\OpenVPN\driver\OemWin2k.inf.
17:33 < networkn> weirdest thing.. Have set up a tunnel, client server with certifcates, local endpoint is 10.0.0.7 with tunnel ip of 192.168.100.6, server endpoint 10.0.110.211, tunnel 192.168.100.1, can ping from client to anywehre on the server end, but from the server can ping remote endpoint ip, but not local ip 10.0.0.7
17:33 < networkn> I can't seem to create a route on the linux endpoint to the 10.0.0.0 network with 192.168.100.6 as the endpoint
17:33 < ordex> |Mike|: thanks
17:34 < |Mike|> ordex: dev version supports ipv6 tho
17:36 < ordex> |Mike|: nice, so is it planned ot be inserted in the next stable?
17:36 < |Mike|> i'm not tracking the changes etc, so i can't tell.
17:36 < kisom> 2010 and it does not support ipv6.. :)
17:36 < ordex> :P
17:37 < ordex> ehehe
17:37 < ordex> tnaks you :)
17:39 < ordex> is not so simple to reach the repo from the site..is it?
17:39 < kisom> what repo?
17:40 < ordex> of the code, to have a look 
17:40 < kisom> http://openvpn.net/release/openvpn-2.1.1.tar.gz
17:40 < ordex> sure, but there is no scm?
17:41 < kisom> i have no idea
17:41 < kisom> i usually download the tar.
17:41 < ordex> thanks anyway :)
17:41 < ordex> sure, but as |Mike| suggested me, it would be nice to have a look at the dev code
17:43 -!- ordex [~linuxaro@gentoo/user/ordex] has left ##openvpn []
17:43 < |Mike|> i'm not sure if there's a svn / git repos
17:43 < kisom> http://svn.openvpn.net/
17:43 < vpnHelper> Title: OpenVPN Subversion Repository (at svn.openvpn.net)
17:45 < |Mike|> hehe
17:48 < kisom> trying to figure out a smart way to port share with an FTP server...
17:49 < kisom> im thinking something like a 5 second timeout, if no data has been passed from the client the server assumes it is an FTP client and not a VPN client
18:22 -!- krzee [~k@unaffiliated/krzee] has quit [Read error: Operation timed out]
18:22 -!- MWinther [~mw@213-66-50-34-no166.tbcn.telia.com] has joined ##openvpn
18:27 -!- brah [~asdofp@190.7.0.81] has quit [Remote host closed the connection]
19:21 -!- krzee [krzee@unaffiliated/krzee] has joined ##openvpn
20:47 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
20:53 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
21:08 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
21:09 -!- MWinther [~mw@213-66-50-34-no166.tbcn.telia.com] has quit [Remote host closed the connection]
21:30 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
22:10 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
22:12 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
22:34 -!- krzie [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
22:34 -!- kc8pxy [~gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has joined ##openvpn
22:35 < kc8pxy> !welcome
22:35 < vpnHelper> kc8pxy: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
22:35 < troy-> hey krzee 
22:36 < kc8pxy> !goal
22:36 < vpnHelper> kc8pxy: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
22:39 < kc8pxy> i am trying to figure out why my vpn seems to have gone into "lights are on, and nobody's home" mode. a client who connected earlier and could access servers on the pushed route's subnet,  now cannot access them
22:41 < kc8pxy> troy-:  might you have some insights?    theclient seems to connect,  per the console output on the server. and client shows an ip address.
22:43 < troy-> krzee: can you ping the endpoint?
22:43 < troy-> err kc8pxy :)
22:47 < kc8pxy> troy-: server is 192.168.64.1 (in the config), client is getting 64.10 client cannot ping 64.9 or 64.1
22:48 < troy-> kc8pxy: potential firewall issue?
22:49 < troy-> are you using TCP?
22:49 < kc8pxy> troy-:  no firewall changes,  that i recall..  well..  one that catualy made the firewall MORE permissive,  but that's it.
22:49 < kc8pxy> troy-: udp
22:49 < troy-> with UDP the connection state might not reset if one side hangs
22:49 < kc8pxy> guh
22:50 < troy-> that isnt necessarily the issue - just mentioning it
22:50 < kc8pxy> troy-:  just saying that it might be screwed up, and not correctly let the other end know it :)
22:50 < troy-> pretty much.. yeah.
22:51 < troy-> does the client see the required subnets in their route table?
22:52 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
22:52 < troy-> kc8pxy: i really hope you have access to both endpoints :P
22:53 < troy-> else figuring this out will be a bitch
22:54 < kc8pxy> troy-:  getting info from client
22:54 < troy-> kc8pxy: do you have a configurating like the one in use in production elsewhere?
22:54 < krzie> whats the prob?
22:54 < troy-> krzee: connection is initialized but no traffic can be passed
22:55 < troy-> s/configurating/configuration
22:55 < krzie> other clients are working?
22:55 < troy-> i just asked him that :)
22:55 < kc8pxy> troy-: this IS my production install.   it's been in place and working for about a year now..  and all of the sudden,, this client can't connect.
22:55 < troy-> do you have others like this one that are still working?
22:56 < krzie> client is windows?
22:56 < kc8pxy> krzie:  vista.
22:56 < krzie> tell windows firewall to not filter tap device
22:56 < troy-> if not, its worth it to take the clients existing configuration and deploy it on a machine you have access to just to verify it works
22:56 < troy-> if it does it could be something the ISP has done to block VPN connectivity
22:56 < kc8pxy> troy-: can't tell..  noone but me and the problem client are available,  and my systems that could client in are down.
22:57 < krzie> [23:54]  <troy-> krzee: connection is initialized but no traffic can be passed
22:57 < krzie> that means its not the ISP
22:57 < krzie> there would be no connection in the first place
22:57 < troy-> they could be sending resets and he wouldnt know?
22:57 < krzie> that problem points to routing or firewall, in this case i bet firewall
22:57 < krzie> UDP resets?
22:57 < troy-> good point :<
23:02 < kc8pxy> http://pastebin.com/YbQYe3aX
23:02 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
23:03 < krzie> kc8pxy, did you try the firewall thing i suggested?
23:04 < kc8pxy> krzie: working on it.
23:11 < kc8pxy> krzie:  got insruction on the how? i've never done it,  and neither has the client..  and it's seeming to not be intuitive.
23:12 < krzie> !google disable windows firewall interface
23:12 < vpnHelper> krzie: How can I turn on or turn off the firewall in Windows XP Service ...: <http://support.microsoft.com/kb/283673>; Turn Windows Firewall On or Off for a Specific Connection: Windows ...: <http://technet.microsoft.com/en-us/library/cc778253(WS.10).aspx>; Disabling a Firewall Per Interface (Windows): <http://msdn.microsoft.com/en-us/library/dd339605(VS.85).aspx>
23:13 < krzie> =]
23:13 < krzie> brb, need to go turn on the vpn at my office, forgot to re-enable it earlier
23:14 -!- bimbo [~dev@200.92.145.77] has joined ##openvpn
23:15 < bimbo> hello, I've managed to create an executable using a modified version of the nsis script found at https://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 , however I'm still missing an option where OpenVPN GUI will remember the user credentials to connect to the server, is such thing possible?
23:15 < vpnHelper> Title: OpenVPN/HowTo for Windows 2 - Secure Computing Wiki (at www.secure-computing.net)
23:16 < bimbo> without having to recompile the windows openvpn binary
23:26 < kc8pxy> bimbo:  ......... if you are using a connection that requires connection-time credentials to be input, why the heck would you want to save them?  if it's ease of client useage, drop the creds. if it's security, don't store cred!
23:28 < bimbo> kc8pxy: the thing is I'm relaying on auth-user-pass in the client side (using pam to authenticate on the server), but clients will complain if they have to type in their usernames and passwords each time they want to connect to the vpn
23:29 < bimbo> if it were for me, I'll go using key/cert authentication only, but clients are people that have little knowleadge about computers so things have to be done as easy as possible for them
23:31 < kc8pxy> bimbo:  i go key/cert only, and use vpn-gui, it's run vpn-gui, connect,  and it's done..   seemless.
23:32 < bimbo> kc8pxy: I know, but creating 1000+ keys/cert for each client and handing those to them would be hell
23:33 < krzie> !pwfile
23:33 < vpnHelper> krzie: "pwfile" is (#1) OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h, or (#2) see --auth-user-pass in the manual (!man) for more info
23:35 < krzie> if you're big enough for 1000+ users, im sure you could afford to go with OTP tokens
23:35 < bimbo> krzie: I found a tool called AutoHotkey which seems to solve the issue
23:54 < nesta> 8
--- Day changed Sun Jul 25 2010
00:06 < kc8pxy> if I'm having udp resets,   if i switch client and server to tcp,  will i need to change anything else?
00:12 < krzie> kc8pxy, theres no such thing as a UDP reset
00:12 < krzie> did you do what i said with your firewall?
00:16 < kc8pxy> krzie:  client can't find it
00:16 < krzie> lol
00:17 < krzie> have him disable the firewall altogether
00:17 < krzie> oh and learn howto use google
00:17 < kc8pxy> krzie:  and I'm a linuxite..  i avoid windows whenever i can,  so I'm not much help :)
00:17 < krzie> !google vista disable firewall interface
00:17 < vpnHelper> krzie: Disable Windows Firewall For Network Connection In Vista « Windows ...: <http://www.lockergnome.com/windows/2006/10/19/disable-windows-firewall-for-network-connection-in-vista/>; Vista: Enable or Disable Firewall | Microsoft Vista | Tech-Recipes: <http://www.tech-recipes.com/rx/2450/vista_enable_disable_firewall/>; Turn Windows Firewall on or off: <http://windows.microsoft.com/en-US
00:17 < vpnHelper> krzie: /windows-vista/Turn-Windows-Firewall-on-or-off>
00:17 < krzie> so do i, but i know howto use google too ;]
00:44 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:18 < krzie> !windows
01:18 < vpnHelper> krzie: "windows" is pcs are like air conditioners, they work fine unless you open windows
01:25 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
01:30 < kc8pxy> krzie:  i usually don't trust my ability to google with intelligent search words.
01:32 < krzie> its quite likely the most useful skill one can have
01:35 -!- floops is now known as Floops
01:36 -!- Floops [floops@404.not.found.shellium.org] has quit [Changing host]
01:36 -!- Floops [floops@shellium/staff/floops] has joined ##openvpn
01:41 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
01:46 -!- Floops [floops@shellium/staff/floops] has left ##openvpn ["Leaving"]
01:50 -!- nesta [atsen@x.computer.st] has quit [Ping timeout: 240 seconds]
02:02 -!- nesta [atsen@x.computer.st] has joined ##openvpn
02:03 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 264 seconds]
02:03 -!- hyper__ch [~hyper_ch@static.2.139.40.188.clients.your-server.de] has joined ##openvpn
02:03 -!- hyper__ch is now known as hyper_ch
02:08 -!- nesta [atsen@x.computer.st] has quit [Ping timeout: 240 seconds]
02:09 -!- batrick [~batrick@batbytes.com] has quit [Ping timeout: 260 seconds]
02:13 -!- bimbo [~dev@200.92.145.77] has left ##openvpn []
02:31 -!- hyper__ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
02:31 -!- hyper_ch [~hyper_ch@static.2.139.40.188.clients.your-server.de] has quit [Ping timeout: 276 seconds]
02:31 -!- hyper__ch is now known as hyper_ch
02:37 -!- batrick [~batrick@batbytes.com] has joined ##openvpn
02:42 -!- batrick [~batrick@batbytes.com] has quit [Client Quit]
02:50 -!- batrick [~batrick@batbytes.com] has joined ##openvpn
02:58 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
03:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:43 < Bushmills> some would say that most useful skill would be leading a sandwich to your mouth, taking a bite, chewing and swallowing it.
03:53 < krzie> nope, google can show you how
03:53 < krzie> along with how to make it
03:53 < krzie> ;]
03:54 < krzie> do you have more discworld?
03:54 < hyper_ch> discworld if fun
03:54 < krzie> i just finished color of magic 1&2
03:54 < hyper_ch> I've seen three movies but haven't had a chance to read the novels yet :(
03:55 < krzie> i have wyrd sisters 1&2
03:55 < krzie> and hogfather
03:55 < hyper_ch> hogfather, colour of magic and one other novel was put into a movie
03:56 < krzie> ahh ok
03:56 < krzie> then thats wyrd sisters
03:56 < krzie> so i must have all 3
03:57 < hyper_ch> :)
03:57 < hyper_ch> Death is fun
03:57 < hyper_ch> lol, my cat tries to go through the curtain onto the 'cat-tree' and she isn't succeeding
04:03 < krzie> haha
04:03 < krzie> sounds like a lolcat
04:03 < hyper_ch> she gave up now
04:04 < hyper_ch> she could put the front feet onto the cat tree with the curtain in between but then she couldn't get on....
04:04 < hyper_ch> she tried like 10 min
04:11 < Bushmills> krzie: yes, i do
04:18 < Bushmills> not to forget Soul Music, also an animation, like Wyrd Sisters
04:27 -!- tristanC [~toor@funtoo/user/tweety] has joined ##openvpn
04:27 < tristanC> !welcome howdee
04:27 < vpnHelper> tristanC: Error: "welcome" is not a valid command.
04:29 < tristanC> !help 
04:29 < vpnHelper> tristanC: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
04:30 < tristanC> well well well, topic seems outdated ^^
04:33 < hyper_ch> !welcome
04:33 < vpnHelper> hyper_ch: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:33 < hyper_ch> seems not to be outdated
04:34 < tristanC> damn, I read too quickly, skiped "before asking".  /me hides
04:35 < tristanC> !goal
04:35 < vpnHelper> tristanC: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
04:35 < tristanC> !goal how to make openvpn server use client's certificate CN to set client's IP in tunnel mode ?
04:35 < vpnHelper> tristanC: Error: "goal" is not a valid command.
04:36 < tristanC> !help goal
04:36 < vpnHelper> tristanC: Error: There is no command "goal".
04:39 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
04:41 -!- mape2k [~mape2k@2a01:198:23f:10ff:c8fa:71ff:fed0:3bc7] has joined ##openvpn
04:42 < tristanC> Remote computer host a dns with a properly zone setup for vpn clients (A and PTR) and openvpn is running in tunnel mode. Clients can connect to the server, give him certificate with correct CN, but they receive wrong ip address. Everythings configured using documentation/howto.html and same configuration files
04:42 < networkn> Wondering if someone could assist.. Have set up a tunnel, client server with certifcates, local endpoint is 10.0.0.7 with tunnel ip of 192.168.100.6, server endpoint 10.0.110.211, tunnel 192.168.100.1, can ping from client to anywehre on the server end, but from the server can ping remote endpoint ip, but not local ip 10.0.0.7
04:42 < tristanC> I am not sure if this is possible, and google didn't help to solve this inconsistency
04:43 < networkn> I can't seem to create a route on the linux endpoint to the 10.0.0.0 network with 192.168.100.6 as the endpoint
04:45 < tristanC> networkn: your server can't ping himself ?
04:45 < networkn> No I can't ping from 10.0.110.211 to 10.0.0.7
04:46 < tristanC> did you try turning off your firewall ?
04:46 < networkn> yes
04:48 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
04:49 < tristanC> openvpn client print /sbin/ip command it use to route the tunnel. It might help you to route the tunnel on the server side
04:49 < krzie> !static
04:49 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
04:49 < tristanC> !ccd
04:49 < vpnHelper> tristanC: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
04:50 < tristanC> thanks you very much krzie
04:50 < krzie> yw
04:51 < networkn> tristanC: strangely it won't even let me create the route, but it will let me create the route if gw is 100.1
04:54 < tristanC> networkn: fyi, I setup my first vpn few minutes ago ^^ Maybe your problem is related to kernel network stack, or your tun device isn't properly initialized.
04:55 < tristanC> sorry, i can't help you much.
04:55 < krzie> and im too busy to wrap my head around that setup
04:55 < krzie> make a drawing with gliffy or something maybe?
04:56 < krzie> gliffy.com, its what i used to diagram !route and the vpnchains writeup on SCN
05:03 < tristanC> alright \o/. I just add 'client-config-dir ccd' to server.conf and 'echo ifconfig-push ip netmask > ccd/ClientCN'
05:03 < tristanC> #openvpn rocks
05:03 < krzie> may or may not be netmask depending on your setup
05:04 < krzie> but if netmask doesnt work it's more like 10.8.0.5 10.8.0.6
05:04 < krzie> something like that, im too tired/busy to look at docs
05:04 < tristanC> I prefer seting netmask, easer to scale larger network afterward
05:04 < krzie> been up all night modding my script to work for the new migrated system
05:05 < krzie> ok, then you also want topology subnet
05:05 < krzie> for the same larger network idea
05:05 < krzie> which requires 2.1 on all nodes
05:05 < krzie> !topology
05:05 < vpnHelper> krzie: "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
05:05 < tristanC> cool :)
05:06 < krzie> and netmask style ifconfig-push will work then
05:06 < tristanC> well, I am now able to perform production test of this simple client-to-client setup
05:06 < tristanC> will dive into complex network topology later
05:06 < krzie> !c2c
05:06 < vpnHelper> krzie: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
05:06 < krzie> !route
05:06 < vpnHelper> krzie: behind other clients
05:06 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
05:07 < krzie> those are things you may want to know for future coolness
05:07 < tristanC> thanks a lot ;)
05:07 < krzie> np
05:07 < krzie> oh and for locking it down, you may want these
05:07 < krzie> !dh
05:07 < vpnHelper> krzie: "dh" is build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN
05:07 < krzie> !hmac
05:07 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
05:07 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
05:07 < krzie> !mitm
05:07 < vpnHelper> krzie: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
05:08  * krzie goes back to finishing touches on the all night script modding
05:08 < tristanC> anyway openvpn is straightforward, very easy to use. just run program and read output. I like that very much, no underhood yoda magic feeling
05:09 < krzie> theres a lil magic tucked away in there ;]
05:09 < hyper_ch> krzie: there is no p2p way for openvpn where not the traffic will pass through the server again?
05:09 < krzie> huh?
05:09 < krzie> "where not the traffic will pass through"
05:09 < krzie> lost me there
05:10 < hyper_ch> as of now, all traffic, even between vpned clients, will pass through the server, right?
05:10 < krzie> oh like how client to client ALWAYS goes through the server?
05:10 < krzie> you're asking if that can be changed?
05:10 < hyper_ch> yes
05:11 < krzie> nope, but i did post to the wishlist about it
05:11 < krzie> and it has been talked of in dev meetings
05:11 < krzie> but its not likely to happen any time soon
05:11 < hyper_ch> is that somehow feasable?
05:11 < krzie> too much code craziness
05:11 < hyper_ch> that would really rock
05:11 < krzie> !wishlist
05:11 < vpnHelper> krzie: "wishlist" is http://ovpnforum.com/viewforum.php?f=10 for the openvpn wishlist
05:11 < hyper_ch> you're not a dev?
05:11 < krzie> my idea of how it could be done is in there
05:11 < krzie> nah man, im no good with real code
05:11 < krzie> just scripting and whatnot
05:12 < hyper_ch> hehehe :)
05:13 < krzie> i understand principals of coding, just never find time to learn the language well enough
05:13 < krzie> i can read easy code (aka, not bushmills' magic)
05:13 < krzie> hes a ninja :-p
05:14 < hyper_ch> bushmills is one of the devs?
05:15 < krzie> nope, but hes welcome to if he likes
05:15 < hyper_ch> ah
05:15 < krzie> i just meant that ive seen his code
05:15 < krzie> the force is strong in him
05:15 < krzie> http://ovpnforum.com/viewtopic.php?f=10&t=141
05:15 < vpnHelper> Title: OpenVPN Forum View topic - Idea for direct connections (at ovpnforum.com)
05:16 < hyper_ch> yeah, just read it
05:25 < krzie> heres the kinda crap that happens when i stay up all night
05:25 < krzie> |sed -e s,\ 13453\ ,13454,g -e s,\ 13455\ ,13454,g -e s,\ 13456\ ,13454,g -e s,\ 13457\ ,13454,g -e s,\ 13458\ ,13454,g -e s,\ 13459\ ,13454,g
05:27 < dunc> heh
05:29 < tristanC> try to pipe into   tr ',' '/' | tr '\\' ','
05:30 < tristanC> no, looks better but not what you want
05:31 < tristanC> beware of echo eval $( ` "$( \" )"` ) nightmare
05:31 < tristanC> and upcomming gray hairs ;)
05:32 < tristanC> may the force be with you
05:32 < tristanC> see ya
05:32 < CaBa> krzie: to get back to what you said yesterday... you must understand that i am not willing to use non-stable code on a production system. i use packages from the debian stable repository only on that machine - so i will not have the newest ipv6 implementations available
05:33 -!- tristanC [~toor@funtoo/user/tweety] has left ##openvpn []
05:41 < krzie> gotchya, im pretty sure i wont be of much help
05:54 < networkn> krzee: are you by chance able to offer some insight into my issue?
05:54 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:20 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
06:20 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
06:22 < krzie> networkn, 
06:22 < krzie> [05:55]  <krzie> and im too busy to wrap my head around that setup
06:22 < krzie> [05:55]  <krzie> make a drawing with gliffy or something maybe?
06:22 < krzie> [05:56]  <krzie> gliffy.com, its what i used to diagram !route and the vpnchains writeup on SCN
06:22 < krzie> that was at you
06:22 < krzie> ill be crashing soon tho, but will be back later
06:38 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
06:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
07:17 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:25 -!- mape2k [~mape2k@2a01:198:23f:10ff:c8fa:71ff:fed0:3bc7] has quit [Ping timeout: 252 seconds]
07:29 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
07:52 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
08:10 < krzee> werlp, didnt sleep
08:10 < krzee> welp*
08:11 < |Mike|> good morning krazy person :-)
08:12 < krzee> gmornin
08:15 < kisom> morning
08:27 -!- Robuster [~0px0@213.155.29.16] has joined ##openvpn
08:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
08:28 < Robuster> hello, i've read a tutorial about openvpn on how to make the dns resolving on the vpn server rather than through my router, and it said to install 'dnsmasq
08:28 < Robuster> dnsmasq, and add push "dhcp-option DNS 10.8.0.1"
08:28 < Robuster> to the server config, and restart it, but still my dns requests are made through my router
08:30 -!- crim_ [~0px0@213.155.29.16] has joined ##openvpn
08:30 -!- Robuster [~0px0@213.155.29.16] has quit [Read error: Connection reset by peer]
08:30 -!- crim_ [~0px0@213.155.29.16] has quit [Remote host closed the connection]
08:32 -!- Robuster [~0px0@213.155.29.16] has joined ##openvpn
08:33 -!- Robuster [~0px0@213.155.29.16] has quit [Client Quit]
08:43 < krzee> could answer if he didnt leave immediately...
08:44 < |Mike|> yep
09:12 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
09:13 < Bushmills> dnsmasq is on option, though it does more than just offering a recursor.  maradns is another, small-footprint solution, which can additionally be set up as "full" recursive server, not requiring an upstream server, but querying, when needed, root servers instead.
09:15 < Bushmills> depends on where it is used. on a router, i prefer dnsmasq. on a client, i prefer maradns
09:34 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
09:42 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:49 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
09:49 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has joined ##openvpn
10:03 < kisom> Bushmills: any idea if dnsmasq supports returning an A record of my choise regardless of what domain i'm querying?
10:04 < kisom> i want to create a "catch" page for domain names that do not exist, so when a user types in an invalid domain name he will get my page.
10:05 < kisom> i know its not best practice, but i still want to try it out :)
10:06 < Bushmills> no, i don't
10:20 < kyrix> kisom, yes it does
10:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
10:26 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:56 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
10:58 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has quit [Remote host closed the connection]
11:06 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
11:30 -!- takamichi [~pri@78.133.39.143] has quit [Ping timeout: 240 seconds]
11:31 -!- takamichi [~pri@78.133.39.143] has joined ##openvpn
11:40 -!- bimbo [~dev@200.92.145.77] has joined ##openvpn
11:40 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
11:41 -!- takamichi [~pri@78.133.39.143] has quit [Ping timeout: 240 seconds]
11:41 < bimbo> hello, is it possible that some configuration directive on the server side is making my linux box reset the kernel parameter net.ipv4.ip_forward to 0?
11:41 -!- takamichi [~pri@78.133.39.143] has joined ##openvpn
11:43 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
11:50 -!- wwalker [~wwalker@208.92.232.27] has joined ##openvpn
11:50 -!- takamichi [~pri@78.133.39.143] has quit [Ping timeout: 246 seconds]
11:50 -!- takamichi [~pri@78.133.39.143] has joined ##openvpn
11:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
11:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:57 -!- StrangebrewAway is now known as strangebre
12:00 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
12:11 -!- saidi [~saidi@unaffiliated/boussouira] has joined ##openvpn
12:12 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
12:12 < saidi> hi, is there any free vpn server ?
12:13 < wwalker> saidi: yes
12:13 < wwalker> at least for linux
12:14 < saidi> where can i find it?
12:14 < wwalker> openvpn.net -> Community Software -> Downloads -> 
12:15 < wwalker> saidi: what OS
12:15 < Chosi> i guess he wants a ready to connect one.
12:15 < saidi> Chosi, yes
12:23 -!- _zoom_ [~zoom@41.218.33.220] has joined ##openvpn
12:24 < saidi> some thing like http://poptop.org
12:27 < saidi> my ISP block all ports, and i want to use VPN to get over that, is that possible?
12:27 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
12:29 -!- saidi [~saidi@unaffiliated/boussouira] has quit [Quit: 0]
12:29 -!- ir8 [~elange@studdr.com] has joined ##openvpn
12:30 < ir8> I have a question all.
12:30 < ir8> Can use use openvpn to connect to a service via RDP
12:30 < ir8> If so, what are issues i would come accross?
12:31 < _zoom_> ir8: what is RDP
12:31 < _zoom_> ?
12:32 < Chosi> remote desktop i guess
12:32 < ir8> windows remote desktop
12:32 < ir8> Chosi that is correct
12:32 -!- strangebre is now known as StrangebrewAway
12:34 < Chosi> but unfortunately i don't know ;) read some german forum posts of people having issues with it, so just wait for Bushmills or someone to clarify that
12:34 < ir8> im able to connect to the server however unable to anything on the private lan
12:35 < _zoom_> thu vpn ?
12:35 < ir8> yeah
12:36 < _zoom_> have checked routing table?
12:37 < _zoom_> "route print" on cmd
12:39 < ir8> hmm yeah
12:40 < ir8> It physically connects, I can some addresses not the others.
12:40 < ir8> From inside the network rdp between servers.
12:40 < ir8> Hmm this is pissing me off lol
12:40 < _zoom_> do u thing you vpn network may conflict with your lan address?
12:41 < Bushmills> ir8: you can connect to rdp through openvpn, yes
12:44 < ir8> Bushmills: can you assist me?
12:44 < ir8> or point me in the correct direction of where i am failing?
12:45 < Bushmills> private lan is behind server?
12:47 < ir8> I have two nics, interface 1 is on a public ip and  interface 2 on a private lan
12:48 < ir8> two seperate switches and everything else.
12:51 < ir8> from the other internal boxes everything can be accessed
12:51 < ir8> Via the machine with openvpn i have issues with it
12:51 < ir8> makes really sense to me :/
12:52 < ir8> Just need some assist with the debugging of the issue.
13:06 < Bushmills> doesn't really tell me whether private lan is behind vpn server
13:06 < Bushmills> try this:
13:06 < Bushmills> !route
13:06 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:10 < ir8> okay.
13:11 < ir8> Bushmills: all machines have 192.168.3.0/24 and my client machines should configured for 192.168.3.0/24 as well according to my config.
13:29 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 260 seconds]
13:36 < Bushmills> ir8: sorry, i can't diagnose your problem due to a complete lack of understanding your network topology
13:36 < Bushmills> my machines are on 192.168.1.0/24. what is the problem?
13:42 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
13:45 -!- StrangebrewAway is now known as strangebre
13:49 < ir8> Bushmills: what information did you need?
13:52 < hyper_ch> name, address, credit card info :)
14:00 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
14:14 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Quit: leaving]
14:22 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
14:26 -!- _zoom_ [~zoom@41.218.33.220] has quit [Quit: Leaving]
14:30 -!- strangebre is now known as StrangebrewAway
14:39 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Read error: Operation timed out]
14:48 -!- ir8 [~elange@studdr.com] has left ##openvpn []
14:54 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
14:59 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
15:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 248 seconds]
15:20 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
15:51 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
--- Log opened Sun Jul 25 21:39:06 2010
21:39 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined ##openvpn
21:39 -!- Irssi: ##openvpn: Total of 98 nicks [2 ops, 0 halfops, 0 voices, 96 normal]
21:39 !wolfe.freenode.net [freenode-info] why register and identify? your IRC nick is how people know you. http://freenode.net/faq.shtml#nicksetup
21:39 -!- Irssi: Join to ##openvpn was synced in 34 secs
21:40 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
21:53 -!- SOG [~SOG@61.144.230.241] has quit [Ping timeout: 258 seconds]
22:08 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
23:01 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
23:03 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
23:35 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:37 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
23:45 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
--- Day changed Mon Jul 26 2010
00:11 -!- roentgen [~hart@miranda/user/roentgen] has joined ##openvpn
00:23 -!- roentgen [~hart@miranda/user/roentgen] has quit [Ping timeout: 260 seconds]
00:31 -!- roentgen [~hart@miranda/user/roentgen] has joined ##openvpn
00:58 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
01:05 -!- bimbo [~dev@200.92.145.77] has left ##openvpn []
01:27 -!- oc80z [oc80z@blea.ch] has quit [Read error: Connection reset by peer]
01:27 -!- oc80z [oc80z@blea.ch] has joined ##openvpn
01:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
01:41 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:07 -!- EugenMayer [~EugenMaye@frbg-5f731723.pool.mediaWays.net] has joined ##openvpn
02:12 < EugenMayer> good moring. After restart a openvpn server clients seem not to reconnect right away. Does this take some time or are additional settings needed?
02:36 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined ##openvpn
02:43 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:52 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
02:59 -!- creack [~charme_g@163.5.84.215] has quit [Quit: WeeChat 0.3.2]
03:08 -!- dazo_afk is now known as dazo
03:09 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has quit [Remote host closed the connection]
03:11 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined ##openvpn
03:13 -!- mattock [~samuli@gprs-prointernet-ffc4c200-83.dhcp.inet.fi] has joined ##openvpn
03:14 -!- mode/##openvpn [+o mattock] by ChanServ
03:19 -!- reber [~reber@78.250.151.92] has joined ##openvpn
03:37 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
03:37 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:44 < kraut> moin
03:56 < macsppadic> morning kraut 
04:18 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
04:44 -!- GoGi [~gogi@pippo.9.6.gogi.tv] has quit [Quit: Leaving]
05:04 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:13 -!- takamichi [~pri@78.133.39.143] has quit [Ping timeout: 260 seconds]
05:14 -!- takamichi [~pri@78.133.39.143] has joined ##openvpn
05:36 -!- sulor [~sulor@dslb-088-073-127-155.pools.arcor-ip.net] has joined ##openvpn
05:40 < sulor> hi ppl. i need some advice with easy-rsa 2. i created DH, CA and openvpn.crt with easy-rsa. changed my server.conf. afterwards i created a cleint.crt/key pair. unfortunatly my cleint isn't able to connect now. is there something importent i missed with easy-rsa?
05:47 -!- sulor [~sulor@dslb-088-073-127-155.pools.arcor-ip.net] has quit [Quit: I was using TinyIRC! Visit http://www.tinyirc.net/ for more information.]
06:01 -!- takamichi [~pri@78.133.39.143] has quit [Ping timeout: 246 seconds]
06:01 -!- takamichi [~pri@78.133.39.143] has joined ##openvpn
06:03 -!- arcsky [~arcsky@2a01:48:100:1:1::1c2] has quit [Read error: Operation timed out]
06:11 -!- reber [~reber@78.250.151.92] has quit [Ping timeout: 240 seconds]
06:12 -!- reber [~reber@78.250.151.92] has joined ##openvpn
06:17 -!- EugenMayer [~EugenMaye@frbg-5f731723.pool.mediaWays.net] has left ##openvpn ["http://drupal-wiki.com"]
06:27 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Disconnected by services]
06:29 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
06:37 -!- mattock1 [~samuli@gprs-prointernet-ffcac200-53.dhcp.inet.fi] has joined ##openvpn
06:37 -!- mode/##openvpn [+o mattock1] by ChanServ
06:39 -!- mattock [~samuli@gprs-prointernet-ffc4c200-83.dhcp.inet.fi] has quit [Ping timeout: 276 seconds]
06:42 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
06:57 -!- reber [~reber@78.250.151.92] has left ##openvpn ["Leaving"]
07:08 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
07:33 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
07:33 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
08:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
08:04 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:33 -!- mattock1 [~samuli@gprs-prointernet-ffcac200-53.dhcp.inet.fi] has quit [Ping timeout: 246 seconds]
08:44 -!- MZXGiant [~mzxgiant@cpe-72-225-27-82.rochester.res.rr.com] has joined ##openvpn
08:45 < MZXGiant> G'morning, everyone. I was hoping I could get help with an "Authenticate/Decrypt packet error: packet HMAC authentication failed" error I'm getting. Steps I've taken already: Rotate keys on both client and server, check firewall settings, disable firewall entirely.
08:48 < MZXGiant> What makes this problem a little bizarre is that as of yesterday, the connection was working just fine and I hadn't made any changes since.
08:50 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Read error: Operation timed out]
08:53 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Read error: Operation timed out]
09:03 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:30 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined ##openvpn
09:30 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
09:32 -!- roentgen [~hart@miranda/user/roentgen] has quit [Quit: Konversation terminated!]
09:32 -!- roentgen [~hart@miranda/user/roentgen] has joined ##openvpn
09:45 -!- wwalker [~wwalker@208.92.232.27] has left ##openvpn []
09:56 -!- MZXGiant [~mzxgiant@cpe-72-225-27-82.rochester.res.rr.com] has quit [Read error: Connection reset by peer]
09:56 -!- imoutomoe [~mzxgiant@cpe-72-225-27-82.rochester.res.rr.com] has joined ##openvpn
09:59 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
10:06 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
10:08 -!- deadeyes [~gvm@109.236.132.104] has joined ##openvpn
10:08 < deadeyes> hi all
10:09 < deadeyes> I wonder if a certificate is expired if I can revoke it and create a new one or if there is a procedure to change the expiry day of the certificae
10:09 < deadeyes> s/certificae/certifcate/
10:10 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined ##openvpn
10:10 < imoutomoe> By design, the PKI infrastructure requires that you create a new certificate upon expiration
10:11 < deadeyes> imoutomoe: ok, thanks!
10:11 < imoutomoe> Anytime.
10:12 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
10:12 -!- ivenkys_ [~ivenkys@unaffiliated/ivenkys] has quit [Ping timeout: 240 seconds]
10:14 -!- imoutomoe [~mzxgiant@cpe-72-225-27-82.rochester.res.rr.com] has quit [Quit: Rock on.]
10:15 < krzie> actually
10:15 < krzie> you can just resign the old csr
10:15 < krzie> no revoke, no new csr, just resign
10:16 -!- roentgen [~hart@miranda/user/roentgen] has quit [Ping timeout: 260 seconds]
10:16 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: Leaving]
10:25 < ecrist> which is why ssl-admin stores/saves CSR, for future re-signing.
10:25 < ecrist> :)
10:33 -!- roentgen [~hart@miranda/user/roentgen] has joined ##openvpn
10:34 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
10:43 -!- roentgen [~hart@miranda/user/roentgen] has quit [Remote host closed the connection]
11:03 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
11:13 -!- Champi [Champi@damn.e-leet.be] has quit [Remote host closed the connection]
11:13 -!- CaBa [caba@unique-inter.net] has left ##openvpn []
11:22 -!- SOG [~SOG@222.125.202.173] has quit [Read error: Connection timed out]
11:22 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
11:25 -!- Blues-Man [~bluesman@host190-113-dynamic.43-79-r.retail.telecomitalia.it] has joined ##openvpn
11:28  * Blues-Man hola
11:28 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:38 -!- Champi [Champi@damn.e-leet.be] has joined ##openvpn
11:47 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has quit [Ping timeout: 258 seconds]
12:01 -!- Visual` [~visualsta@unaffiliated/visualstation] has left ##openvpn []
12:07 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
12:33 -!- sno [~sno@static.153.209.46.78.clients.your-server.de] has quit [Ping timeout: 276 seconds]
12:34 -!- sno [~sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn
12:44 -!- networkn [networkn@smtp.sapphiresolutions.co.nz] has quit [Ping timeout: 264 seconds]
12:47 -!- dazo is now known as dazo_afk
12:48 -!- networkn [networkn@smtp.sapphiresolutions.co.nz] has joined ##openvpn
12:50 < krzee> networkn, 
12:51 < krzee> still having your problem?
13:00 < ecrist> krzee: OT, do you know postscript?
13:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:01 < krzee> nope, never even seen postscript code... thats related to printers right?
13:02 < ecrist> yeah, also PDF generation, since is simple to go PS -> PDF
13:02 < ecrist> I've got an image I'm embedding and I need to change the anchor/reference from the lower left to the lower right corner
13:03 < krzee> ahh
13:03 < krzee> fax to email?
13:04 < ecrist> no, we generate fax cover sheets for users to fax us data (we generate a data matrix which we decode when we receive the fax) and I just want to clean up some alignment.
13:05 < ecrist> I can do some things in PHP to calculate the size of the image, etc, but it's a bit of a pain.
13:05 < ecrist> GD doesn't seem to be able to determine info about an EPS the way it can a PNG or JPG, so I'd have to drop the image to disk, just to calculate it's size.
13:06 < ecrist> oh!  sweet, the EPS puts the dimensions in plain-text in the header of the file
13:06 < krzee> not sure what an EPS is, but a fax is merely a tiff image
13:12 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
13:26 -!- Cain` [~Geek@unaffiliated/cain] has joined ##openvpn
13:27 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
13:27 -!- Cain` is now known as Cain
13:54 -!- a1fa [~a1fa@unaffiliated/a1fa] has joined ##openvpn
13:54 < a1fa> hello
13:55 < a1fa> how bad can time drift affect ipsec?
13:56 < ecrist> krzee: EPS is a post script friendly image
13:57 < ecrist> sure, but the users get our cover sheet from the website, and they print it, then faxing it (and their other paperwork) to us
13:57 < ecrist> we use the barcode to sort/process it.
14:00 -!- Blues-Man [~bluesman@host190-113-dynamic.43-79-r.retail.telecomitalia.it] has quit [Quit: Sto andando via]
14:08 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
14:15 -!- takamichi [~pri@78.133.39.143] has quit [Ping timeout: 240 seconds]
14:16 -!- takamichi [~pri@76.73.39.170] has joined ##openvpn
14:18 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:19 -!- JackCorleone [~Jack@187.74.19.235] has joined ##openvpn
14:42 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined ##openvpn
14:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
14:51 -!- kish [~o2@unaffiliated/spice] has joined ##openvpn
14:51 < kish> these packets are huge
15:09 -!- Cain [~Geek@unaffiliated/cain] has quit [Quit: Sayaunara ^_^]
15:25 < kish> i feel kind of 
15:25 < kish> eh, i run irssi over ssh that goes over wireless cloaking with your vpn on a udp port
15:25 < kish> and sometimes i get the impression irssi malfunctions
15:26 < kish> so im wondering if there is any mechanism that would prevent silly things such as lost packets
15:26 < kish> do packets get retransmitted properly over udp?
15:33 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Read error: Operation timed out]
15:43 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 260 seconds]
15:43 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
15:46 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
15:51 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
15:51 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
15:56 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 265 seconds]
16:04 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
16:07 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
16:27 < krzee> irc itself is tcp
16:27 < krzee> as is the ssh you run it over
16:30 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
16:31 < kisom> kish: tcp packets do get retransmitted if lost, yes.
16:32 < kish> no no im worried about the openvpn packets
16:32 < kish> or am i missing something here
16:33 < kisom> both TCP and openvpn packets get retransmitted.
16:33 < kisom> openvpn uses its own method for retransmitting UDP packets, while TCP has it built-in
16:41 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has joined ##openvpn
16:52 -!- JackCorleone [~Jack@187.74.19.235] has quit [Remote host closed the connection]
17:01 -!- a1fa [~a1fa@unaffiliated/a1fa] has left ##openvpn []
17:09 -!- JackCorleone [~Jack@187.74.19.235] has joined ##openvpn
17:43 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
17:43 -!- rtyler [~tyler@63-246-20-94.contegix.com] has joined ##openvpn
17:43 < rtyler> afternoon guys, I'd like to kindly request help debugging an apparent routing issue
17:44 < rtyler> the client is properly getting routes from openvpn, but the only internal IP it can ping is the openvpn server's internal IP
17:44 < rtyler> everything else returns:
17:44 < rtyler> Request timeout for icmp_seq 0
17:45 < krzee> !factoids search outside
17:45 < vpnHelper> krzee: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
17:46 < rtyler> the most confusing part of this, is that this setup was working, then we changed ISPs :P
17:47 < krzee> i hear that all the time, but it something else was always changed, which people forget matters
17:47 < krzee> in your case, the router
17:47 < krzee> which likely came with the new isp ;)
17:54 < krzee> rtyler, the above was to you
17:54  * rtyler nods
17:54 < krzee> k
17:54 < rtyler> I found a static route in the old router that I brought over
17:55 < krzee> and is the server the same internal LAN ip as it was before...?
17:55 < krzee> (including same subnet)
17:55 < rtyler> yes
17:55 < krzee> check the route, follow the packets
17:55 < krzee> think about this... how did i know you got a new router?
17:56 < krzee> you said the problem, i gave you info on adding a route to your router
17:56 < krzee> then you mentioned you changed nothing but the ISP, and i knew you got a new router
17:56 < rtyler> I was thinking you could potentially be a witch
17:56 < krzee> hahaha
17:56 < krzee> nice
17:56 < rtyler> but I don't have any ducks to compare your weight too
17:57 < rtyler> krzee: I have confirmation from my colleague outside the network that the new route has resolved the issues appropriately
17:57 < krzee> ohhh you meant you did that AFTER i said it
17:57 < krzee> i thought you were saying it couldnt be the problem
18:21 -!- plundra [404@article.se] has quit [Ping timeout: 265 seconds]
18:40 -!- bob368 [~bob@166.205.11.105] has joined ##openvpn
18:44 -!- takamichi [~pri@76.73.39.170] has quit [Ping timeout: 245 seconds]
18:44 -!- takamichi [~pri@78.133.39.143] has joined ##openvpn
18:50 -!- bob368 [~bob@166.205.11.105] has quit [Remote host closed the connection]
18:55 -!- networkn [networkn@smtp.sapphiresolutions.co.nz] has quit [Ping timeout: 265 seconds]
18:57 -!- dunc [~dunc@fenchurch.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
19:02 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
19:30 -!- plundra [404@article.se] has joined ##openvpn
20:09 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
20:13 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
20:16 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
20:21 -!- batrick [~batrick@batbytes.com] has quit [Ping timeout: 276 seconds]
20:46 -!- TimothyA [~TimothyA@sub-27ip207.onenet.an] has joined ##openvpn
20:46 < TimothyA> where should I go for AS support?
20:47 < krzee> !AS
20:47 < vpnHelper> krzee: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
20:47 < vpnHelper> krzee: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
20:47 < krzee> see #4
20:49 < TimothyA> but I do have a general question which probably has the same answer for the both of them, can I still ask it?
20:50 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
20:55 < krzee> you can try
20:58 < TimothyA> how do I make OpenVPN act as an tunnel? e.g. tunnel all my TCP/UDP traffic through the server that openVPN is running on, and sending it to the internet
20:58 < krzee> !redirect
20:58 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
20:58 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has quit [Ping timeout: 260 seconds]
20:59 < krzee> thats most certainly a question you need to ask of their support
20:59 < TimothyA> well, yeh, 'push' is an unrecognized command :|
20:59 < krzee> besides, you paid for real support
20:59 < krzee> may as well use it
20:59  * TimothyA is using the free license :P
21:01 < krzee> surely you plan on paying for it tho
21:01 < krzee> otherwise, you are aware there is a fully functional FREE version
21:01 < krzee> haha
21:02 < TimothyA> krzee: ....the free fully functional version has me stumbling across the same block
21:02 < TimothyA> plus not accepting any connections...
21:02 < TimothyA> and crashing the server multiple times...
21:02 < TimothyA> and flooding /var/log
21:03 < krzee> well this is the right place for help with that
21:03 -!- batrick [~batrick@batbytes.com] has joined ##openvpn
21:03 < TimothyA> I'm talking about the community version one, this is the place for that one, right? :P
21:03 < krzee> but im about to get off work, which means im on my way outta here for the day
21:03 < krzee> this is the place for the opensource one
21:03 < krzee> yes
21:04 < krzee> AS support is the link i gave you earlier
21:05 < TimothyA> I don't care which one I'm using :P
21:06 -!- Lantizia [~Lantizia@erebus.seaquake.net] has joined ##openvpn
21:07 < Lantizia> Hey on linux I can choose if I want OpenVPN to use the connection for all traffic or just those available via it using the GNOME or KDE GUI's
21:07 < Lantizia> is there a similar option on the Windows GUI? because I can't find it
21:07 < krzee> Lantizia, 
21:07 < krzee> !redirect
21:07 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
21:08 < Lantizia> krzee, and how can I do that from a GUI perspective?
21:08 < krzee> there is no GUI
21:09 < krzee> not to mention, no GUI would go configure your firewall on the server for NAT
21:10 < krzee> and if that gui enabled ip forwarding for you when you choose an openvpn option, ild consider it a bad thing
21:10 < Lantizia> well unless you check the box saying you only want to to use it for routes available on it under GNOME or KDE's network manager gui's - then it assumes all traffic go via it when connected
21:11 < Lantizia> can I put --redirect-gateway in the ovpn file some how?
21:11 < krzee> dunno, those GUIs arent part of openvpn
21:11 < krzee> !--
21:11 < vpnHelper> krzee: "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file.
21:11 < Lantizia> yeah I get where it is meant to go - it's just TOTALLY unusable from a gui perspective
21:11 < krzee> i agree, dont use those GUIs
21:12 < Lantizia> customers like pretty gui's - they've only just mastered the mouse
21:13 < krzee> you are the customer?
21:14 < Lantizia> I am not, I am the person setting this up for the customer
21:14 < krzee> the customer shouldnt need to change settings via some gui... just run your config file
21:16 < TimothyA> using the OpenVPN GUI from openvpn.se ... how long does it take to create a TAP adapter?
21:17 < TimothyA> it's been idling for 2 hours :|
21:21 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
21:22 -!- nesta [atsen@x.computer.st] has joined ##openvpn
21:25 < Lantizia> krzee, --redirect-gateway doesn't do anything
21:28 < Lantizia> traffic is not going via the vpn
21:28 -!- batrick [~batrick@batbytes.com] has quit [Quit: leaving]
21:30 < Lantizia> !ipforward
21:30 < vpnHelper> Lantizia: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
21:30 < Lantizia> !winipforward
21:30 < vpnHelper> Lantizia: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
21:31 < Lantizia> pointless - this is win7
21:32 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
21:38 -!- batrick [~batrick@batbytes.com] has joined ##openvpn
21:39 < Lantizia> ok this is just plain stupid
21:40 < Lantizia> it's not just mind boggling easy without any extra config needed for openvpn on linux - it's the default!
21:40 < Lantizia> but on windows... theres a million and one hurdles
21:49 -!- TimothyA [~TimothyA@sub-27ip207.onenet.an] has quit [Ping timeout: 264 seconds]
21:50 < Lantizia> !def1
21:50 < vpnHelper> Lantizia: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
21:52 < Lantizia> OK I'd like to point out at the this moment in time that this is all...
21:52 < Lantizia> Crap
21:52 < Lantizia> Utter... *hit
21:53 -!- rawDawg2 [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
21:55 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Ping timeout: 276 seconds]
21:56 -!- TimothyA [~TimothyA@sub-27ip207.onenet.an] has joined ##openvpn
21:56 < TimothyA> okay, i've got to the point where I can access the server, and make connections
21:56 < TimothyA> now, UDP...
21:56 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
21:58 < TimothyA> !linipforward
21:58 < vpnHelper> TimothyA: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
21:59 < TimothyA> got that
21:59 < TimothyA> !nat
21:59 < vpnHelper> TimothyA: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
21:59 < TimothyA> !linnat
21:59 < vpnHelper> TimothyA: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
22:17 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
22:17 -!- TimothyA [~TimothyA@sub-27ip207.onenet.an] has quit [Ping timeout: 258 seconds]
22:38 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
22:44 -!- nesta [atsen@x.computer.st] has quit [Quit: bye]
22:56 -!- SOG [~SOG@61.144.230.241] has quit [Ping timeout: 248 seconds]
22:57 -!- Guest12047 [~admin@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
22:57 -!- nesta [atsen@x.computer.st] has joined ##openvpn
22:58 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:00 -!- openvpn2009 [~admin@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 260 seconds]
23:01 -!- Netsplit *.net <-> *.split quits: Niklas-, magglass1
23:01 -!- circut_ [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
23:01 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 260 seconds]
23:01 -!- mode/##openvpn [+v Guest12047] by ChanServ
23:02 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
23:03 -!- Netsplit over, joins: magglass1, Niklas-
23:03 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
23:04 -!- Netsplit *.net <-> *.split quits: magglass1
23:04 -!- Netsplit *.net <-> *.split quits: Niklas-, krzie
23:05 -!- Netsplit *.net <-> *.split quits: rtyler, killown, stein0, fremo__, agagag, crazygir, _zero_, DeathWolf, Chosi, hyper_ch,  (+8 more, use /NETSPLIT to show all of them)
23:05 -!- Netsplit *.net <-> *.split quits: batrick
23:05 -!- Netsplit *.net <-> *.split quits: tmkd, blackpenguin, mza-, takamichi, troy-, pa, nameless`, n0sq_, kish, _Tassadar,  (+1 more, use /NETSPLIT to show all of them)
23:05 -!- Netsplit *.net <-> *.split quits: penrod, cron2, jwm
23:06 -!- Netsplit over, joins: krzie, vpnHelper, cron2, Niklas-, magglass1, rawDawg2, batrick, Lantizia, plundra, takamichi (+26 more)
23:09 -!- Netsplit *.net <-> *.split quits: krzie, rtyler, killown, stein0, tmkd, blackpenguin, mza-, fremo__, agagag, crazygir,  (+26 more, use /NETSPLIT to show all of them)
23:09 -!- RedT0mt01 [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has joined ##openvpn
23:09 -!- blackpenguin [~bp@gnuffy.net] has joined ##openvpn
23:09 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
23:09 -!- DeathWol1 [yggdrasil@saber.kawaii-shoujo.net] has joined ##openvpn
23:09 -!- Netsplit over, joins: krzie, vpnHelper, cron2, Niklas-, magglass1, rawDawg2, batrick, Lantizia, plundra, takamichi (+25 more)
23:10 -!- Netsplit over, joins: Lantizia
23:10 -!- Netsplit *.net <-> *.split quits: krzie, rtyler, killown, stein0, tmkd, mza-, fremo__, agagag, crazygir, _zero_,  (+25 more, use /NETSPLIT to show all of them)
23:10 -!- nesta [atsen@x.computer.st] has left ##openvpn []
23:11 -!- Netsplit over, joins: kloeri
23:11 -!- Cain [~Geek@41.141.252.98] has joined ##openvpn
23:11 -!- Netsplit over, joins: fremo__
23:14 -!- _zero_ [~zero@noc.toile-libre.net] has joined ##openvpn
23:14 -!- cj [~cjac@karma.colliertech.org] has joined ##openvpn
23:14 -!- ksk [~ksk@im.knubz.de] has joined ##openvpn
23:14 -!- rtyler_ [~tyler@63-246-20-94.contegix.com] has joined ##openvpn
23:14 -!- DeathWol1 [yggdrasil@saber.kawaii-shoujo.net] has joined ##openvpn
23:14 -!- Niklas- [~niklas@217.116.253.195] has joined ##openvpn
23:14 -!- magglass1 [~m@unaffiliated/magglass1] has joined ##openvpn
23:14 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
23:14 -!- batrick [~batrick@batbytes.com] has joined ##openvpn
23:14 -!- plundra [404@article.se] has joined ##openvpn
23:14 -!- takamichi [~pri@78.133.39.143] has joined ##openvpn
23:14 -!- rtyler [~tyler@63-246-20-94.contegix.com] has joined ##openvpn
23:14 -!- kish [~o2@unaffiliated/spice] has joined ##openvpn
23:14 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
23:14 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
23:14 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
23:14 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
23:14 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
23:14 -!- Guest30320 [~redfox2@91.121.133.177] has joined ##openvpn
23:14 -!- tmkd [user-448@clients.shells.eofnet.lt] has joined ##openvpn
23:14 -!- nameless` [~nameless`@lav35-1-82-236-136-20.fbx.proxad.net] has joined ##openvpn
23:14 -!- Chosi [osxchosi@choseh.de] has joined ##openvpn
23:14 -!- penrod [~pattonb@S01060016b6b53bd9.cg.shawcable.net] has joined ##openvpn
23:14 -!- jwm [jwm@dev.dist.us] has joined ##openvpn
23:14 -!- mza- [~adam@hypnos.fscker.com] has joined ##openvpn
23:14 -!- troy- [e0fe3580d1@bgp4.us] has joined ##openvpn
23:14 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
23:14 -!- 84XAALR61 [~fremo@noc.toile-libre.net] has joined ##openvpn
23:14 -!- _Tassadar [~tassadar@tassadar.xs4all.nl] has joined ##openvpn
23:14 -!- cron2 [~gert@kirk.greenie.muc.de] has joined ##openvpn
23:14 -!- stein0 [~stein@mail.vgnett.no] has joined ##openvpn
23:14 -!- crazygir [~jason@unaffiliated/crazygir] has joined ##openvpn
23:15 -!- krzie [nobody@unaffiliated/krzee] has quit [Excess Flood]
23:15 -!- 84XAALR61 [~fremo@noc.toile-libre.net] has quit [Write error: Broken pipe]
23:15 -!- rtyler [~tyler@63-246-20-94.contegix.com] has quit [Write error: Broken pipe]
23:15 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Write error: Broken pipe]
23:16 -!- Netsplit *.net <-> *.split quits: Sky[x], Optic, rawDawg, kisom, meepmeep, RedT0mt01, blackpenguin, Fiouz, Nappy, fremo__,  (+36 more, use /NETSPLIT to show all of them)
23:17 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Excess Flood]
23:17 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
23:17 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
23:18 -!- Netsplit over, joins: fremo__, Cain, kloeri, Lantizia, blackpenguin, RedT0mt01, rawDawg, SOG, circut_
23:18 -!- Guest12047 [~admin@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
23:18 -!- Netsplit over, joins: UnterPerro, JackCorleone, MJD, kraut, Champi, Sky[x]
23:18 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined ##openvpn
23:18 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined ##openvpn
23:18 -!- Netsplit over, joins: oc80z, tjz, nb, kc8pxy
23:18 -!- krzee [krzee@unaffiliated/krzee] has joined ##openvpn
23:18 -!- Netsplit over, joins: Scruffy, meepmeep, StrangebrewAway, kajl, DarthGandalf
23:18 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
23:18 -!- Netsplit over, joins: funkyHat, abeehc, UdontKnow, kisom, zamba, raw_, jpalmer, Optic, havoc, Zathraz (+3 more)
23:18 -!- dazo_afk [~dazo@nat/redhat/x-yzpkubzpfdccecel] has joined ##openvpn
23:18 -!- Netsplit over, joins: fbh, julius, Typone
23:18 -!- ServerMode/##openvpn [+v Guest12047] by wolfe.freenode.net
23:19 -!- Cain [~Geek@41.141.252.98] has quit [Ping timeout: 252 seconds]
23:19 -!- kloeri is now known as Guest6908
23:23 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
23:25 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
23:41 < tjz> banana split :D
23:52 -!- JackCorleone [~Jack@187.74.19.235] has quit [Ping timeout: 265 seconds]
23:52 -!- JackCorleone [~Jack@187.74.19.235] has joined ##openvpn
--- Day changed Tue Jul 27 2010
00:00 -!- rtyler_ is now known as rtyler
00:05 -!- blackpenguin [~bp@gnuffy.net] has quit [Changing host]
00:05 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
00:06 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Quit: Yes, Virginia...]
00:07 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
00:41 -!- Irssi: ##openvpn: Total of 91 nicks [1 ops, 0 halfops, 1 voices, 89 normal]
00:42 -!- mode/##openvpn [-v Guest12047] by ChanServ
00:42 < ecrist> that's just not right...
00:50 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
00:51 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
00:52 -!- mode/##openvpn [+o dazo_afk] by ChanServ
00:53 -!- mode/##openvpn [+v vpnHelper] by ChanServ
00:53 -!- Irssi: ##openvpn: Total of 91 nicks [2 ops, 0 halfops, 1 voices, 88 normal]
01:20 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
01:30 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:31 < tjz> ecrist, lol
02:02 -!- dazo_afk is now known as dazo
02:18 -!- mattock [~samuli@gprs-prointernet-ff796a00-115.dhcp.inet.fi] has joined ##openvpn
02:19 -!- mode/##openvpn [+o mattock] by ChanServ
02:31 -!- kale [~kale@port711.ds1-soeb.adsl.cybercity.dk] has joined ##openvpn
02:32 < kale> hi, i need to add openvpn to logrotate, as it stops whne the log exeeds 2GB. What do i use for postrotate command?
02:39 -!- Guest6908 is now known as kloeri
02:40 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
02:51 -!- mattock [~samuli@gprs-prointernet-ff796a00-115.dhcp.inet.fi] has quit [Ping timeout: 260 seconds]
03:00 -!- mattock [~samuli@gprs-prointernet-ffc6c200-145.dhcp.inet.fi] has joined ##openvpn
03:00 -!- mode/##openvpn [+o mattock] by ChanServ
03:34 < kraut> moin
03:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
04:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
04:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:09 -!- blueboxthief [~None_of_y@86-45-95-101-dynamic.b-ras2.srl.dublin.eircom.net] has joined ##openvpn
05:09 -!- blueboxthief [~None_of_y@86-45-95-101-dynamic.b-ras2.srl.dublin.eircom.net] has quit [Client Quit]
05:31 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:51 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
05:52 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
05:54 -!- candyban [~candyban@ip-83-134-87-234.dsl.scarlet.be] has joined ##openvpn
05:54 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
05:55 < candyban> Hi guys, I have openvpn on both nodes of my firewall cluster and when I connect to the IP address of the individual node, I am able to connect, but when I connect to the Virtual IP, I get ECONNREFUSED
05:55 < candyban> What am I doing wrong?
05:58 < candyban> Or can openvpn only handle traffic on the primary interface?
05:58 < Bushmills> a: you don't explain well what you try to do. b: you don't look into your logs, which might tell you what the problem is
05:58 < Bushmills> "when i connect to the ip i get xxrefused"  is not descriptive at all
05:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
05:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:59 < Bushmills> sounds like openvpn connects, but an app you try to use won't
05:59 < Bushmills> !firewall
05:59 <+vpnHelper> Bushmills: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
06:01 < candyban> Bushmills, I have 2 openvpn servers, server A and server B, they have a Virtual IP C. When I connect to A or B, I get proper access, when I connect to C, I get ECONNREFUSED (code 111) at the server side (which currently has IP C)
06:02 < Bushmills> what does "connecting" mean.  connecting with openvpn client to openvpn server?
06:02 < candyban> Bushmills, firewall is not a issue as the server is logging the connection refused. (ps. I did look in the logs, and it says ECONNREFUSED)
06:02 < candyban> Bushmills, yes
06:02 < candyban> Bushmills, how is it called in openvpn terms?
06:03 < Bushmills> you don't want to connect with openvpn client to an address in the openvpn subset. you also don't need to, because the interfaces, having those address, come online on client only when connection to server has already been successful 
06:04 < Bushmills> you don't need to first connect, and then connect to the vpn again through the vpn
06:04 < Bushmills> you simply connect.
06:05 < candyban> Bushmills, I just changed the "remote" option from IP A to IP C (which are both on server A) on the client (after stopping and seeing in the logs that the client exited)
06:05 < Bushmills> why? if you can connect, why would you want to change that?
06:06 < candyban> Bushmills, because I need my vpn client to connect to the "primary" firewall (as otherwise I have routing issues)
06:07 < Bushmills> when you can connect to one openvpn server but not to another, because of routing/firewall/different host whatever, the problem does not seem to be an openvpn problem, but a routing/firewall/whatever issue
06:08 < Bushmills> if your problem is binding to specific interfaces, look at  --local  in the man page
06:09 < candyban> Bushmills, I have 2 firewalls which share a virtual IP (uCARP) ... everything is routed to that virtual IP, so when I connect to firewall B when firewall A is active, the reply will go to firewall A rather than firewall B.
06:09 < candyban> so the return path will be "lost"
06:09 < Bushmills> then you might want to change your firewall/routing/whatever so that openvpn client can reach openvpn server, and packets are returned to client
06:10 < Bushmills> maybe the support channel of your firewall, or your virtualisation software, can be of help
06:12 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
06:14 -!- SOG [~SOG@61.144.230.241] has quit [Quit: SOG]
06:15 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
06:15 -!- mattock1 [~samuli@gprs-prointernet-ffc4c200-153.dhcp.inet.fi] has joined ##openvpn
06:15 -!- mode/##openvpn [+o mattock1] by ChanServ
06:15 < candyban> Bushmills, I can't solve properly it with routing. That would mean networks on different interfaces would be mixed
06:16 < candyban> Bushmills, I'll try to draw/explain the situation on pastebin
06:16 -!- SOG [~SOG@61.144.230.241] has quit [Client Quit]
06:16 < Bushmills> how would you want openvpn do be of help when client doesn't receive returned packets? 
06:17 -!- mattock [~samuli@gprs-prointernet-ffc6c200-145.dhcp.inet.fi] has quit [Ping timeout: 265 seconds]
06:17 -!- Irssi: ##openvpn: Total of 98 nicks [3 ops, 0 halfops, 1 voices, 94 normal]
06:27 -!- TimothyA [~TimothyA@sub-27ip207.onenet.an] has joined ##openvpn
06:27 < TimothyA> so, kind of stuck how I set up the iptables to allow TCP...I forgot :x but now I also need to do it for UDP
06:35 < Bushmills> !iptables
06:35 <+vpnHelper> Bushmills: "iptables" is (#1) o test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT;, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-
06:35 <+vpnHelper> Bushmills: computing.net/wiki/index.php/OpenVPN/Firewall
06:40 < TimothyA> well, adding those rules didn't do much...
06:42 < Bushmills>  /j #iptables
06:42 < TimothyA> ....we just established that iptables is not the problem :|
06:44 < Bushmills> if you continue to decribe your problem with the same level of detail and accuracy as you've done as far, you can be confident that the next suggestion will exactly tell you what you need to do
06:45 < candyban> http://www.pastebin.org/421950
06:47 < Bushmills> !route
06:47 < candyban> my ascii-art skills are rather poor, so forgive me if it is not clear enough
06:47 < TimothyA> I *think* I have to re-route the incoming traffic from eth0 to the virtual adapter...
06:47 <+vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
06:48 < candyban> Bushmills, ?
06:52 < candyban> Bushmills, "route add -net X/24 gw B-eth1" will get you the problem I described when connecting to MGMT
06:53 < candyban> Bushmills, the route problems are not on the vpn client, but on the way back
06:53 < candyban> Bushmills, the routes on the client X are setup correctly
06:54 < TimothyA> http://pastebin.com/BU6rP0AA This is what I should do on the host machine to route incoming traffic to my virtual adapter, right?
06:56 < candyban> TimothyA, is your server running on both tcp and udp? (and on ports 27022 and 12082 ?)
06:57 < TimothyA> candyban: no, the OpenVPN server is running just fine. Right now I want to route incoming traffic that arrives on those ports to be forwarded to an client
06:58 < candyban> 10.8.0.6 is a VPN client ? (and these rules are on the vpn server?)
06:59 < TimothyA> yes
06:59 < candyban> can you do cat /proc/sys/net/ipv4/ip_forward ?
07:00 < candyban> ps. replace the INPUT with FORWARD
07:00 < TimothyA> it's set to 1
07:02 < candyban> http://pastebin.com/0Mqc0nFh
07:02 < candyban> TimothyA, why do you allow only NEW (aka SYN) packets?
07:02 < TimothyA> it was in the manual :/
07:03 < candyban> TimothyA, do you also accept ESTABLISHED ?
07:03 < TimothyA> I would like to :D
07:03 < candyban> TimothyA, iptables -A FORWARD -p tcp -m state --state ESTABLISHED -j ACCEPT
07:04 < TimothyA> also for the UDP, I assume?
07:04 < candyban> TimothyA, There is no need to split it out between NEW and ESTABLISHED
07:05 < TimothyA> k
07:05 < candyban> TimothyA, it is useful when you do rate limiting (where you want to limit only NEW connections, but not interfere with existing ones)
07:05 < TimothyA> http://pastebin.com/aCRt0q7W current rules
07:06 < candyban> TimothyA, use "iptables-save"
07:06 < TimothyA> but... I still don't receive any data :|
07:07 < candyban> TimothyA, can you paste the output of iptables-save ?
07:08 < TimothyA> crap, the top scrolled off my screen
07:08 < TimothyA> http://pastebin.com/CNawkfvC
07:11 < TimothyA> so what am I doing wrong, doc?
07:11 < candyban> TimothyA, I don't know where to start :p
07:11 < TimothyA> that much?! :|
07:15 < candyban> TimothyA, why do you do masquerading?
07:15 < TimothyA> it was in the tutorial to allow for internet traffic to pass through the VPN
07:15 < TimothyA> http://library.linode.com/XcgHsd
07:15 <+vpnHelper> Title: VPN Services - Secure Communications with OpenVPN on Ubuntu 9.10 (Karmic) - Linode Library (at library.linode.com)
07:15 < candyban> TimothyA, so you have clients which connect through this vpn server to the internet?
07:15 < TimothyA> yes, me
07:15 < candyban> ok
07:16 < candyban> TimothyA, what is this "fail2ban-ssh" ?
07:17 < TimothyA> that's for fail2ban to keep an counter on bruteforce attempts on the ssh service
07:21 < TimothyA> need more?
07:21 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
07:22 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
07:23 -!- zheng [~zheng@114.92.141.242] has joined ##openvpn
07:28 < candyban> TimothyA, http://pastebin.com/9VCJqC7p
07:29 < TimothyA> where do I put that?
07:29 < candyban> put this in a file (you can keep the comments in) and load it using iptables-restore filename
07:30 -!- mattock1 [~samuli@gprs-prointernet-ffc4c200-153.dhcp.inet.fi] has quit [Ping timeout: 265 seconds]
07:30 < candyban> TimothyA, btw. You know your vpn box is wide open, right?
07:30 < TimothyA> yes
07:31 < TimothyA> I'm not running any other services on it other than the OpenVPN and webserver
07:31 < candyban> TimothyA, to test if it is working, you can use nc (netcat)
07:31 < candyban> TimothyA, run "netstat -ntplu"
07:32 -!- mattock [~samuli@gprs-prointernet-ffbb6a00-37.dhcp.inet.fi] has joined ##openvpn
07:32 -!- mode/##openvpn [+o mattock] by ChanServ
07:33 < TimothyA> and now....it doesn't work at all anymore
07:33 < TimothyA> can't connect to anything through the VPN: I'm back at where I was yesterday :P
07:35 < candyban> TimothyA, what doesn't work what worked before?
07:35 < TimothyA> reaching the internet: e.g. opening a web page
07:36 < candyban> TimothyA, can you post iptables-save again?
07:36 < TimothyA> http://pastebin.com/62E2JQut
07:37 -!- mattock [~samuli@gprs-prointernet-ffbb6a00-37.dhcp.inet.fi] has quit [Ping timeout: 245 seconds]
07:37 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Ping timeout: 265 seconds]
07:38 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
07:39 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
07:41 < TimothyA> please tell me i am doing something horribly horribly wrong
07:42 < candyban> The cleaned up firewall rules should allow the same as it allowed before
07:42 < TimothyA> but they don't :/
07:44 < TimothyA> uncommented those 2 fields, and internetting works again
07:44 -!- dazo is now known as dazo_afk
07:45 < candyban> TimothyA, then your source is not 10.8.0.0/24
07:46 < TimothyA> then I wonder what it is, because I'm only going through the server with that address :x
07:46 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
07:47 < candyban> TimothyA, can you run tcpdump -n -i tun0 icmp (replace tun0 with whatever is your tunneling device) and ping 4.2.2.1 from your pc (through the vpn)?
07:48 < TimothyA> see PM, it suddendly miraciously works :x
07:51 < TimothyA> it is a shame though that my download is suddendly the same speed as my upload speed :/
07:51 < TimothyA> oh well, it's better than having to phone  my ISP one more time for them just to give me the password of the router (A war which has been waged for over 5 years now, and has involved several unrelated fires)
07:52 < TimothyA> building fires that is, coincidentily of the ISP offices and their most-paid staff that sit on their arses all day twiddling their thumbs for 40 grand a month
07:52  * TimothyA now goes into hiding ;>_>
07:57 -!- zheng [~zheng@114.92.141.242] has quit [Quit: Leaving]
08:16 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Ping timeout: 265 seconds]
08:21 < candyban> Can't openvpn listen on multiple IPs on the same interface? I have "fixed" my issue by forcing it to listen on the virtual IP only
08:22 -!- cablop [~chatzilla@190.84.225.244] has joined ##openvpn
08:22 < cablop> !route
08:22 <+vpnHelper> cablop: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:23 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has quit [Read error: Operation timed out]
08:24 -!- cheche [cheche@188.85.213.151] has joined ##openvpn
08:26 < cheche> !route
08:26 <+vpnHelper> cheche: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:26 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined ##openvpn
08:31 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
08:32 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Remote host closed the connection]
08:32 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
08:49 -!- dazo_afk is now known as dazo
08:51 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
09:00 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Read error: Operation timed out]
09:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:06 -!- mosno [~mosno@unaffiliated/mosno] has joined ##openvpn
09:07 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:07 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
09:08 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
09:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:18 -!- JackCorleone [~Jack@187.74.19.235] has quit [Ping timeout: 240 seconds]
09:30 -!- JackCorleone [~Jack@187.57.71.69] has joined ##openvpn
09:31 -!- killown [~killown@unaffiliated/killown] has quit [Ping timeout: 258 seconds]
09:35 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:35 -!- JackCorleone [~Jack@187.57.71.69] has quit [Ping timeout: 245 seconds]
09:39 -!- Blues-Man [~bluesman@95.239.114.57] has joined ##openvpn
09:41 -!- cablop [~chatzilla@190.84.225.244] has quit [Read error: Connection reset by peer]
09:44 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
09:48 -!- Jackkk [~Jack@189.111.19.31] has joined ##openvpn
09:53 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
09:56 -!- cablop [~chatzilla@190.84.225.244] has joined ##openvpn
10:00 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Read error: Operation timed out]
10:07 -!- mosno [~mosno@unaffiliated/mosno] has quit [Quit: mosno]
10:09 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
10:15 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
10:19 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
10:22 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
10:39 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
10:42 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Read error: Operation timed out]
10:43 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
10:54 -!- plaerzen [~carpe@vip1.tundraeng.com] has joined ##openvpn
10:55 -!- roentgen [~hart@miranda/user/roentgen] has joined ##openvpn
10:58 < plaerzen> Hey guys.  krzee, ecrist.  Long time no talk.  I think I might actually need your help today :P  Is it possible to have a VPN tunnel that multiple clients connect to - but we want to limit access for one client to only connect to one IP address once vpn'd in.  We don't want them to have access to our whole LAN
11:00 -!- cablop [~chatzilla@190.84.225.244] has quit [Read error: Connection reset by peer]
11:01 -!- macsppadic [~sonupunno@88.211.55.77] has left ##openvpn []
11:01 < Bushmills> well, clients connect to the server, not to a tunnel. limiting clients after connecting to specific addresses is not task of openvpn but of, for example, a firewall. yes, you can have firewall rules for specific clients
11:03 < plaerzen> right
11:03 < Bushmills> i have the /24 vpn subnet split into two /25 subnets with different privileges
11:04 < krzie> ya man, firewall
11:04 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
11:04 < krzie> and static ips or subnets
11:04 < krzie> !iporder
11:04 <+vpnHelper> krzie: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
11:05 < krzie> #1 would give you the ability to use dynamic IPs in a static subnet
11:06 -!- SOG [~SOG@222.125.202.173] has quit [Remote host closed the connection]
11:12 < ecrist> plaerzen: yeah, firewall.
11:12 < plaerzen> lol ok I got it
11:12 < plaerzen> I can just restrict him access to everything except one IP address
11:18 -!- varm1nt [~Kalboun@212.36.210.21] has joined ##openvpn
11:19 < varm1nt> !welcome
11:19 <+vpnHelper> varm1nt: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:20 < varm1nt> hello guys
11:22 -!- varm1nt [~Kalboun@212.36.210.21] has quit []
11:22 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
11:23 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
11:26 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
11:27 -!- killown [~killown@unaffiliated/killown] has quit [Read error: Connection reset by peer]
11:27 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
11:36 -!- roentgen [~hart@miranda/user/roentgen] has quit [Remote host closed the connection]
11:38 -!- roentgen [~hart@miranda/user/roentgen] has joined ##openvpn
11:43 -!- Blues-Man [~bluesman@95.239.114.57] has quit [Quit: Sto andando via]
11:48 -!- StrangebrewAway [strangebre@nlayer.us] has quit [Remote host closed the connection]
11:55 -!- cablop [~chatzilla@190.84.225.244] has joined ##openvpn
12:08 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
12:09 -!- cablop [~chatzilla@190.84.225.244] has quit [Read error: Connection reset by peer]
12:10 -!- cablop [~chatzilla@190.84.225.244] has joined ##openvpn
12:17 -!- yakub [~www-data@unaffiliated/yakub] has joined ##openvpn
12:20 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
12:21 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
12:26 -!- candyban [~candyban@ip-83-134-87-234.dsl.scarlet.be] has quit [Ping timeout: 276 seconds]
12:26 -!- candyban [~candyban@ip-83-134-87-234.dsl.scarlet.be] has joined ##openvpn
12:29 -!- lmk [~lmk@28-dom-20.acn.waw.pl] has joined ##openvpn
12:30 < lmk> newbie question - i can connect to the ovpn server ok but cant to any other device on that network and my routes look ok
12:33 < krzie> !route
12:33 <+vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:33 < krzie> !serverlan
12:33 <+vpnHelper> krzie: "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
12:34 -!- dazo is now known as dazo_afk
12:36 < cablop> cab i use certificate autorithy and server and client keys and cetificates with tap mode?
12:37 < cablop> what must i use as ca... ca.crt or ca.key?
12:41 < lmk> omg - ip_forward - of course - thanks krzie
12:41 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
12:49 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
12:53 < krzie> yw
12:54 -!- rtyler [~tyler@63-246-20-94.contegix.com] has left ##openvpn []
12:54 < krzie> cablop, that stuff is independent of tun or tap
12:54 < krzie> follow the PKI section of !howto
12:54 < krzie> !pki
12:54 <+vpnHelper> krzie: Error: "pki" is not a valid command.
12:54 < krzie> !howto
12:54 <+vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:55 < cablop> thanks krzie   i think the problem is the vpn is starting up, but the system is not showing me it is up :S
12:55 < krzie> !learn pki as http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs)
12:55 <+vpnHelper> krzie: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
12:55 < krzie> cablop, what do you want the system to do?
12:55 < krzie> (to show you its up)
12:56 < krzie> !learn pki as http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs)
12:56 <+vpnHelper> krzie: Joo got it.
12:56 < cablop> i was running openvpn inside a router
12:57 < cablop> i wanted for the router interface to show me that the vpn was up and running... but dunno why, it was not doing that
12:57 < cablop> but i tested it and i see it's working
12:57 < krzie> cool
12:58 < cablop> the hard part is i was not able to make the bridge work, but maybe this is related to firewall ir iptables
12:58 -!- kish [~o2@unaffiliated/spice] has quit [Ping timeout: 264 seconds]
12:58 < krzie> lan gaming over vpn?
12:58 < cablop> nope
12:58 < cablop> willing to access some services on my linux fron a netbook from wan
12:58 < krzie> !layer2
12:58 <+vpnHelper> krzie: "layer2" is (#1) you are using tap, what specific layer2 protocol do you need to work over the vpn?, or (#2) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#3) protocols that use layer2 communicate by MAC address, not IP address
13:00 < cablop> yup, i'm routing a few services, but things like shared folders an so on are a real pain... in fact i need to have access to a very very big work shared folder :S
13:00 -!- kish [~o2@unaffiliated/spice] has joined ##openvpn
13:00 < krzie> !wins
13:00 <+vpnHelper> krzie: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
13:01 < krzie> also, you can mount based on IP without WINS
13:01 < krzie> !tunortap
13:01 <+vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
13:01 <+vpnHelper> krzie: against you over the vpn, or (#4) lan gaming? use tap!
13:02 < cablop> this is what i want, cause i'm trying to bridge, i don't need for people in the lan to mount files on the remote clients, but for people in the wan to be able to access the file folder... this is simpler in the LAN, cause that machine has an static ip now
13:02 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
13:02 < krzie> you dont need a bridge for that
13:02 < krzie> you havnt mentioned if its smb,nfs,afp,whatever
13:02 < cablop> afaik i'm able to see the LAN machines with their own ips
13:03 < krzie> btu i assume its smb, in which case you have 2 options without bridging
13:03 < krzie> 1) wins
13:03 < krzie> 2) mount by IP
13:03 < cablop> well... it's samba
13:03 < cablop> also i'm planning to forward the remote desktop of this ubuntu over vpn
13:04 < krzie> remote desktop is plain ol ip traffic
13:04 < cablop> but not willing to deal with ssh and a lot of things
13:04 < cablop> ammm
13:04 < cablop> then, from your point of view tun would be a better option
13:04 < krzie> i have used remote desktop, vnc, apple screen sharing over tun
13:04 < krzie> yup, you dont need anything which requires layer2, so tun is the way to go
13:05 < cablop> i see
13:05 < cablop> mmmm, now what to do... my remote client is connected via the tap now, and the router is working now... mmm
13:06 < cablop> can i assign static ips with the tap?
13:06 < cablop> or better with tun?
13:06 < krzie> same
13:06 < krzie> !static
13:06 <+vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
13:06 < cablop> ok, nice
13:07 < cablop> afaik i need to place entries this way
13:07 < cablop> mmm
13:08 < cablop> .   /etc/openvpn/ccd/client1 and give client1 the client1 cert and key... is it?
13:08 < krzie> !ccd
13:08 <+vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
13:08 < cablop> common-name?
13:08 < krzie> assuming you have client-config-dir /etc/openvpn/ccd and client1 is the common name in the cert
13:08 < krzie> !certinfo
13:08 <+vpnHelper> krzie: "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
13:09 < krzie> common-name is a field in the certificate
13:09 < krzie> you named it when making the cert
13:09 < cablop> wow... the more i see openvpn the less simple i doscover it is.... but the more powerful i see it is, also
13:09 < krzie> actually thats normal stuff in openssl certs
13:09 < krzie> not very openvpn specific
13:10 < cablop> how can i check the common-name on an existing cert?
13:10 < krzie> i told you above
13:10 < krzie> !certinfo
13:10 <+vpnHelper> krzie: "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
13:10 < cablop> ah
13:10 < cablop> sorry
13:10 < krzie> in fact ild say 90% of openvpn issues are related to not understanding networking/pki (more often networking)
13:11 < krzie> openvpn itself int very complicated, but it requires knowledge of other stuff to use
13:11 < krzie> depending on the goal thats often: routing, firewalls, pki
13:12 < cablop> yes, indeed
13:12 < cablop> my knowdledge in networking is not bad... but not a guru, so laying in the middle i got confusion and stress
13:12 < cablop> XD
13:13 < krzie> hehe
13:13 < krzie> and unlike most programs, using google to find your info re: openvpn configs is more hindersome than helpful
13:13 < cablop> brb, i'll  restart the router, and if tap is working i'll leave as is for a few days and go back to work :(
13:13 < krzie> theres a million and 1 walkthroughs, and they just confuse/mislead people
13:14 < cablop> not mentioning how bad very bad people use to redact things on forums
13:14 < cablop> they look like children trying to explain a movie
13:14 < krzie> haha
13:14 < krzie> time for me to get some food and show up to work
13:15 -!- roentgen [~hart@miranda/user/roentgen] has quit [Quit: Konversation terminated!]
13:19 < cablop> back
13:23 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined ##openvpn
13:26 -!- Cain` [~Geek@unaffiliated/cain] has joined ##openvpn
13:27 -!- Guest12047 is now known as openvpn2009
13:27 -!- mode/##openvpn [+o openvpn2009] by ChanServ
13:27 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
13:27 -!- Cain` is now known as Cain
13:28 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
13:38 -!- lmk [~lmk@28-dom-20.acn.waw.pl] has quit [Ping timeout: 260 seconds]
13:43 < grendal_prime> is there a way to push a change to clients...like a reconnect ?  like disconnect and reconnect on a new port? 
13:55 -!- circut_ is now known as circut
14:03 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 240 seconds]
14:03 < krzee> nope
14:03 < krzee> unless you can ssh to it or remote desktop to it
14:03 < krzee> but no openvpn way
14:04 < krzee> in fact everything which you can push is done on connect
14:05 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has joined ##openvpn
14:07 < cablop> i have this setting: a router with this running on it: dhcp and openvpn, i want for the dhcp to asign ips to the openvpn clients instad of the openvpn to assign them... is that possible?
14:08 < krzee> !man
14:08 <+vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
14:08 < krzee> see --server-bridge
14:08 < krzee> however, theres really no need for that
14:08 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
14:08 < krzee> 99% of people who use a bridge just for that are doing it because they dont understand routing
14:08 < krzee> the other 1% have something special like a tftp server pushed via dhcp
14:09 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
14:10 < cablop> i just want to give the same ip address to the same client
14:10 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
14:11 < cablop> !server-bridge
14:11 <+vpnHelper> cablop: Error: "server-bridge" is not a valid command.
14:12 < krzee> same ip to same client
14:12 < krzee> you dont need dhcp for that
14:12 < krzee> !static
14:12 <+vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
14:12 < krzee> [11:08]  <krzie> !static
14:12 < krzee> [11:08]  <vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
14:12 < krzee> [11:08]  <cablop> ok, nice
14:12 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:13 < cablop> yup, i remember it... but i just have 4 vpn addreses left...
14:13 < cablop> mmm
14:13 < cablop> wait
14:13 < cablop> my conf on the server bridge thing is
14:14 < cablop> 192.168.1.1 255.255.255.0 192.168.1.251 192.168.1.254
14:14 < cablop> i think i can change it to
14:14 < cablop> 192.168.1.1 255.255.255.0 192.168.2.251 192.168.2.254... isn't it?
14:15 < krzee> i dont do bridges
14:15 < cablop> ok
14:17 < McBoingbo> we use openvpn for our vpn at work, I know little about it, but I notice a slowdown when on the vpn when surfing the web, is there a way to configure openvpn to only route traffic to the vpn when its absolutely needed so that when on the vpn I can surf the web on my own network?
14:18 < krzee> McBoingbo, thats the normal configuration
14:18 < krzee> unless the vpn is configured to do more, that is what it does
14:18 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
14:20 < cablop> what is your Os McBoingbo ?
14:20 < McBoingbo> Windows 7
14:20 < krzee> that has no impact on your question
14:21 < cablop> yup
14:21 < cablop> cause win7 and the lastest winvista sp have an issue
14:21 < cablop> both only support just one gateway for all networks
14:21 < krzee> all windows have issues
14:21 < krzee> !windows
14:21 <+vpnHelper> krzee: "windows" is pcs are like air conditioners, they work fine unless you open windows
14:22 < grendal_prime> krzee well i can ssh into it.
14:22 < cablop> dunno whym but theyŕe doing things that way, i have a similar issue but with a virtual machine, and windows trying to use it as a gateway
14:22 < grendal_prime> i could do that i guess and then restart the vpn.
14:22 < krzee> grendal_prime, then change the config, and restart
14:22 < krzee> yup
14:22 < grendal_prime> krzee, not that easy..the config is constructed on the system boot..(its embeded thing)
14:23 < grendal_prime> very frustrating.
14:23 < cablop> Mc
14:23 < grendal_prime> still..something to think about..
14:23 < krzee> grendal_prime, the config was made at some point, it can be changed as well
14:23 < cablop> McBoingbo: try typing ipconfig in your cli and see if the openvpn has a default gateway, if that's true you can ask the openvpn admin to not to push you the gateway
14:24 < cablop> or maybe (i never tried) just open the openvpn settings and remove the gateway
14:24 < krzee> either way you can ask the vpn admin to not push the default gateway
14:24 < grendal_prime> ya thats what i thought..dev is giveing me some interesting story.
14:24 < krzee> cablop, if he has it in his config, he can remove it (comment it out)
14:25 < krzee> cablop, but if his admin pushes it, he needs his admin not to
14:25 < McBoingbo> if I remove default gateway, what happens?
14:25 < grendal_prime> I just need the clients to connect with a tun device, the device time is hardcoded into the appliance.
14:25 < McBoingbo> side question, anyone setup openvpn on a mac?
14:25 < cablop> just the default gateway on that connection, i mean only in the vpn
14:25 < krzee> and easy fix for the admin would be to move the push from server config, put it in ccd/default, and make an empty ccd file for the users not wishing to have it pushed
14:25 < grendal_prime> sorry device type that is.
14:25 < krzee> however, since the admin isnt here i cant really help him
14:26 < cablop> then windows 7 will switch to another gateway, maybe your local network or other device and stick top it
14:26 < krzee> MacPro3,1 CPU: Intel Core2 Quad Q9400 2.66GHz @ 2.4GHz [/FPU/MMX/SSE/SSE2/SSE3/S.SSE3/SSE4.1/x86_64/PAE/XD/EM64T/VMX/EST/QuadCore] L2: 6144K FSB: 1064MHz Airport:    RAM: 3.6GB/8.0GB Vram: 16.78M/128.00M Disk: 72.27GB/931.39GB GPU: Unknown nVidia card [512 MB/Stock] 1280x1024@60Hz and 1280x1024@60Hz OS: Mac OS X 10.6.4 (10F569) Kernel: Darwin 10.4.0 Up: 2 days 21:29
14:26 < krzee> cablop, thats not true
14:26 < cablop> if you are in windows xp this won't be a problem,
14:26 < krzee> if you remove your default route, you will have no access to networks you dont have specific routes to
14:26 < cablop> no no the default route
14:26 < krzee> until you re-add the default route (can re-add it to be your LAN gateway)
14:27 < cablop> just the default gateway on an specific interface
14:27 < McBoingbo> I got my ca.crt username.key and username.crt in the configurations directory for this macbook I am setting up, but I keep getting error #242, stating the config has a problem, any ideas?
14:27 < krzee> he means the default route, thats what he would care to remove
14:27 < krzee> thats the only thing relevant to his goal
14:28 < cablop> in my case, win win7 also, i had the ethernet network and a virtual machine virtualbox host-only adapter, both had gateways, but Windows7 just used one as the default route, the latest i opwened, in fact the virtualbox one
14:28 < krzee> McBoingbo, paste the error
14:28 < cablop> i had to go and remove the gateway from the virtualbox adapter and never changed the eheternet settings
14:29 < cablop> so, cause thereś still a gateway, in the ethernet, win7 uses it as the default route
14:29 < krzee> interesting... windows sucks
14:29 < krzee> lol
14:29 < cablop> yes
14:29 < cablop> so much
14:29 < cablop> i was very very very happy using win7
14:30 < cablop> but two things made me uninstall it and move to linux last week
14:30 < cablop> one, win7 demands TOO much CPU just to move, rename or add permissions to files
14:31 < cablop> and this network issue, you can define the gateway to only one network, all other networks can't have gateways
14:31 < cablop> but, if you have a network with no gateway in windows 7, then you can't set this as a terusted network, so... guess what.... you can't share files or printers....
14:32 < McBoingbo> krzee: pastebin.org/422964
14:32 < cablop> just remembering that you will face a problem McBoingbo , with no default gateway in that vpn network you will be able to access remote files, but nobody can access your shared folders
14:33 < McBoingbo> this setup is on a mac btw
14:33 < cablop> you cannot force win7 to trust a network if it does not have a gateway and you can only have just one gateway, so just only trusted network at a time or set all as dhcp
14:34 < cablop> !static
14:34 <+vpnHelper> cablop: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
14:34 < cablop> brb
14:35 -!- bob368 [~bob@166.205.11.245] has joined ##openvpn
14:36 -!- cablop [~chatzilla@190.84.225.244] has quit [Read error: Connection reset by peer]
14:37 -!- cablop [~chatzilla@190.84.225.244] has joined ##openvpn
14:40 < McBoingbo> omg I figured it out, so blind
14:41 < cablop> !ccd
14:41 <+vpnHelper> cablop: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
14:49 -!- Lantizia [~Lantizia@erebus.seaquake.net] has quit [Ping timeout: 276 seconds]
14:50 < krzee> McBoingbo, you figured out the mac thing?
14:50 < krzee> i just looked at the pastebin, and see its telling you to look somewhere else for the real errors
14:50 < kisom> cablop: i use win7 fine with openvpn... no idea about file permissions, but they change pretty quick over here.
14:50 -!- Lantizia [~Lantizia@erebus.seaquake.net] has joined ##openvpn
14:51 < kisom> only thing that bothers me in windows 7 is that active TCP connections does not get routed into the VPN if they are created prior to the VPN is set up ;)
14:51 -!- bob368 [~bob@166.205.11.245] has quit [Ping timeout: 258 seconds]
14:52 -!- shi-tianlong [~chatzilla@190.84.225.244] has joined ##openvpn
14:52 -!- cablop [~chatzilla@190.84.225.244] has quit [Ping timeout: 240 seconds]
14:52 -!- shi-tianlong is now known as cablop
14:58 < cablop> well... now i have a custom ip on a client, but it can reach the lan clients anymore... sigh... how can i push the lan to it?
15:00 -!- DeathWol1 is now known as DeathWolf
15:02 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
15:02 < cablop> i was reading... i can't set a static ip for bridge... sigh...
15:02 -!- Jackkk [~Jack@189.111.19.31] has quit [Ping timeout: 265 seconds]
15:03 < cablop> well, i can deal with that... not going to die for this :(
15:03 -!- DeathWolf [yggdrasil@saber.kawaii-shoujo.net] has left ##openvpn []
15:06 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 248 seconds]
15:11 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Ping timeout: 248 seconds]
15:12 -!- bob368 [~bob@166.205.9.116] has joined ##openvpn
15:13 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
15:14 < cablop> well
15:14 -!- Jackkk [~Jack@201-43-250-165.dsl.telesp.net.br] has joined ##openvpn
15:15 < cablop> it was a real pain, but it's working now, except for the static thing, but i don need it :P XD just 4 devices... except if i increase that size :P
15:18 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
15:24 -!- Netsplit *.net <-> *.split quits: n0sq, Sky[x], Optic, killown, kisom, RedT0mt01, blackpenguin, Fiouz, fremo__, Nappy,  (+40 more, use /NETSPLIT to show all of them)
15:24 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Ping timeout: 248 seconds]
15:26 -!- Netsplit over, joins: le0, Diffen2, McBoingbo, Cain, grendal_prime, yakub, killown, Sky[x], [intra]lanman
15:26 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined ##openvpn
15:26 -!- Netsplit over, joins: TimothyA, n0sq, kale, blackpenguin, fremo__, kloeri, RedT0mt01, circut
15:26 -!- openvpn2009 [~admin@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
15:26 -!- Netsplit over, joins: MJD, kraut, Champi
15:26 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined ##openvpn
15:26 -!- Netsplit over, joins: oc80z, tjz, nb, kc8pxy
15:26 -!- krzee [krzee@unaffiliated/krzee] has joined ##openvpn
15:26 -!- Netsplit over, joins: Scruffy, kajl, DarthGandalf
15:26 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
15:26 -!- Netsplit over, joins: funkyHat, abeehc, UdontKnow, kisom, zamba, raw_, jpalmer, Optic, havoc, Zathraz (+3 more)
15:26 -!- ServerMode/##openvpn [+o openvpn2009] by wolfe.freenode.net
15:26 -!- dazo_afk [~dazo@nat/redhat/x-yzpkubzpfdccecel] has joined ##openvpn
15:26 -!- Netsplit over, joins: fbh, julius, Typone
15:26 -!- ServerMode/##openvpn [+o dazo_afk] by wolfe.freenode.net
15:27 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
15:28 -!- Netsplit *.net <-> *.split quits: n0sq, Sky[x], Optic, killown, kisom, RedT0mt01, blackpenguin, Fiouz, fremo__, Nappy,  (+38 more, use /NETSPLIT to show all of them)
15:28 -!- Netsplit over, joins: freaky[t], [intra]lanman, le0, Diffen2, McBoingbo, grendal_prime, yakub, killown, Sky[x], d12fk (+38 more)
15:30 -!- Netsplit *.net <-> *.split quits: n0sq, Optic, killown, kisom, RedT0mt01, blackpenguin, fremo__, Nappy, @openvpn2009, d12fk,  (+19 more, use /NETSPLIT to show all of them)
15:30 -!- Netsplit *.net <-> *.split quits: Fiouz, kale, krzee, nb, kraut, circut, ScriptFanix, abeehc, laieman, Typone
15:31 -!- Netsplit over, joins: le0, Diffen2, McBoingbo, grendal_prime, killown, [intra]lanman
15:31 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined ##openvpn
15:31 -!- Netsplit over, joins: TimothyA, n0sq, kale, blackpenguin, fremo__, kloeri, RedT0mt01, circut
15:31 -!- openvpn2009 [~admin@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
15:31 -!- Netsplit over, joins: MJD, kraut, Champi
15:31 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined ##openvpn
15:31 -!- Netsplit over, joins: oc80z, tjz, nb, kc8pxy
15:31 -!- krzee [krzee@unaffiliated/krzee] has joined ##openvpn
15:31 -!- Netsplit over, joins: Scruffy, kajl, DarthGandalf
15:31 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
15:31 -!- Netsplit over, joins: abeehc, UdontKnow, kisom, raw_, jpalmer, Optic, laieman, Nappy, Fiouz, Typone
15:31 -!- ServerMode/##openvpn [+o openvpn2009] by wolfe.freenode.net
15:31 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Read error: Connection reset by peer]
15:32 -!- fahadsadah_ [fahad@unaffiliated/fahadsadah] has joined ##openvpn
15:33 -!- cablop [~chatzilla@190.84.225.244] has quit [Remote host closed the connection]
15:33 -!- cheche [cheche@188.85.213.151] has quit [Ping timeout: 382 seconds]
15:34 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
15:34 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 276 seconds]
15:34 -!- cheche [cheche@188.85.213.151] has joined ##openvpn
15:35 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
15:42 -!- WebFooL [~WebFooL@untangle/contributor/WebFooL] has joined ##openvpn
15:45 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has quit []
16:07 -!- Jackkk [~Jack@201-43-250-165.dsl.telesp.net.br] has quit [Quit: Saindo]
16:20 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
16:23 -!- brah [~asdofp@190.7.0.81] has joined ##openvpn
16:25 -!- cheche [cheche@188.85.213.151] has left ##openvpn []
16:46 -!- deadeyes [~gvm@109.236.132.104] has quit [Ping timeout: 260 seconds]
16:47 -!- deadeyes [~gvm@77.109.78.240] has joined ##openvpn
16:55 -!- WebFooL is now known as WebFooL|A
17:10 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Quit: Ex-Chat]
17:25 -!- MWinther [~mw@213-66-50-34-no166.tbcn.telia.com] has joined ##openvpn
17:41 -!- bob368 [~bob@166.205.9.116] has quit [Ping timeout: 258 seconds]
17:45 -!- bob368 [~bob@166.205.11.43] has joined ##openvpn
17:47 -!- bob368 [~bob@166.205.11.43] has quit [Client Quit]
17:54 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
17:59 -!- WebFooL|A is now known as WebFooL
18:03 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:09 -!- WebFooL is now known as WebFooL|A
18:19 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:32 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
18:59 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
19:35 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
19:46 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
19:55 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
19:55 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
19:56 -!- SOG [~SOG@222.125.202.173] has quit [Client Quit]
20:01 -!- penrod [~pattonb@S01060016b6b53bd9.cg.shawcable.net] has quit [Ping timeout: 245 seconds]
20:18 -!- MWinther [~mw@213-66-50-34-no166.tbcn.telia.com] has quit [Read error: Connection reset by peer]
20:19 -!- MWinther [~mw@213-66-50-34-no166.tbcn.telia.com] has joined ##openvpn
20:19 -!- MWinther [~mw@213-66-50-34-no166.tbcn.telia.com] has quit [Remote host closed the connection]
20:41 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
21:07 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
21:13 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
21:15 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
21:22 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has quit [Quit: Leaving.]
21:49 -!- eatnumber1 [eatnumber1@haku.eatnumber1.com] has joined ##openvpn
21:50 < eatnumber1> if you're using auth-user-pass-verify without client certificates or username-as-common-name, what is the client's cn when it connects?
21:58 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
22:03 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
22:10 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
22:14 -!- SOG [~SOG@61.144.230.241] has quit [Ping timeout: 240 seconds]
22:46 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
22:48 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
22:52 -!- killown [~killown@unaffiliated/killown] has left ##openvpn []
23:16 < tjz> ChiChis: Big Boobs Prank  - http://www.youtube.com/watch?v=U2AAX1fYPxE&feature=player_embedded
23:16 <+vpnHelper> Title: YouTube - Broadcast Yourself. (at www.youtube.com)
23:16 < tjz>  :D :D
23:18 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:21 < eatnumber1> !welcome
23:22 <+vpnHelper> eatnumber1: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:22 < eatnumber1> !goal
23:22 <+vpnHelper> eatnumber1: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
23:37 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
23:38 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
23:51 -!- yakub [~www-data@unaffiliated/yakub] has quit [Quit: leaving]
23:57 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
23:58 -!- killown is now known as darklee
--- Day changed Wed Jul 28 2010
00:02 -!- darklee is now known as killown
00:46 -!- takamichi [~pri@78.133.39.143] has quit [Read error: Connection reset by peer]
00:47 -!- takamichi [~pri@78.133.39.143] has joined ##openvpn
00:52 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has quit [Ping timeout: 260 seconds]
01:08 -!- mape2k [~mape2k@p5B285F44.dip.t-dialin.net] has joined ##openvpn
01:18 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
01:20 -!- Guest30320 [~redfox2@91.121.133.177] has quit [Ping timeout: 258 seconds]
01:32 -!- redfox [~redfox2@91.121.133.177] has joined ##openvpn
01:33 -!- redfox is now known as Guest62915
01:53 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:59 -!- mattock [~samuli@gprs-prointernet-fffcc200-6.dhcp.inet.fi] has joined ##openvpn
01:59 -!- mode/##openvpn [+o mattock] by ChanServ
02:08 -!- mattock [~samuli@gprs-prointernet-fffcc200-6.dhcp.inet.fi] has quit [Quit: Leaving.]
02:13 -!- mattock [~samuli@gprs-prointernet-ffc06a00-65.dhcp.inet.fi] has joined ##openvpn
02:14 -!- mode/##openvpn [+o mattock] by ChanServ
02:20 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:21 -!- kale [~kale@port711.ds1-soeb.adsl.cybercity.dk] has left ##openvpn []
03:13 -!- eatnumber1 [eatnumber1@haku.eatnumber1.com] has left ##openvpn []
03:23 -!- dazo_afk is now known as dazo
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 < kraut> moin
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:47 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: Leaving]
04:03 -!- kaushal [~kaushal@125.22.61.162] has joined ##openvpn
04:03 < kaushal> hi
04:03 < kaushal> is there a way to configure openvpn client on blackberry ?
04:07 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
04:16 <@mattock> hi, is it possible to authenticate users using --auth-user-pass _or_ client certificate ... so that if a client cert is found, openvpn does not ask for username/password
04:38 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
04:40 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
04:40 < kaushal> can someone please guide me about my query ?
04:40 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
04:42 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:57 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
04:58 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
04:58 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
05:15 -!- dazo is now known as dazo_afk
05:20 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
05:21 <@mattock> dazo: do you want to be my OpenVPN LDAP auth guinea pig? :) 
05:25 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:30 <@mattock> oh, forget it... the 3g connection starts falling apart again. Like clockwork, around 13:20 local time
05:30 <@mattock> -> later today or tomorrow again
05:35 < kisom> mattock: may be cell breathing ;)
05:35 < kisom> the more users on one cell tower the less range it has
05:36 <@mattock> yep, something like that
05:36 <@mattock> I got to get up earlier to get some work done :(
05:36 <@mattock> :D
05:36 -!- SOG [~SOG@61.144.230.241] has quit [Quit: SOG]
05:36 <@mattock> anyways, I'm off
05:37 < kisom> g'night
05:40 -!- mattock [~samuli@gprs-prointernet-ffc06a00-65.dhcp.inet.fi] has quit [Ping timeout: 245 seconds]
05:44 -!- zamba [marius@flage.org] has quit [Ping timeout: 276 seconds]
05:52 -!- kaushal [~kaushal@125.22.61.162] has quit [Quit: leaving]
05:53 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
06:11 -!- unknown [~unknown@105-65-ftth.onsneteindhoven.nl] has joined ##openvpn
06:12 -!- dazo_afk is now known as dazo
06:12 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
06:13 < unknown> i'm writing a script which must start openvpn and then test if the vpn has been connected
06:14 < unknown> the --daemon option forks openvpn to the background, but it does so before the connection succeeded or failed
06:14 < unknown> so i'd like to know how to check if openvpn has established the vpn
06:15 < unknown> who can give any hints?
06:30 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
07:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
07:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:12 -!- JackCorleone [~Jack@201-43-250-165.dsl.telesp.net.br] has joined ##openvpn
07:17 < nameless`> unknown: just an idea but maybe with --log ? or try to ping the end host ?
07:19 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has joined ##openvpn
07:24 < Bushmills>  unknown:   /etc/init.d/openvpn start; sleep 5;  ifconfig tun0 && echo "yes, connected"
07:25 < Bushmills> there's also an --up script hook
07:27 -!- brah [~asdofp@190.7.0.81] has quit [Remote host closed the connection]
07:27 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has quit [Ping timeout: 258 seconds]
07:27 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has joined ##openvpn
07:31 -!- cpm is now known as OPINIONMAN
07:31 -!- OPINIONMAN is now known as cpm
07:49 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
08:12 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
08:18 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:27 -!- arejay [arejay@i.got.more.packets.byte4byte.com] has joined ##openvpn
08:28 < arejay> hello everyone, having a problem connecting to my openvpn server from windows 7 using openvpn-2.1_rc15-install.exe. I get the error error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM
08:28 < arejay> i've tried making my key over and over
08:28 < arejay> no luck
08:29 < krzie> a) rc15 is old, update to 2.1.1
08:29 < krzie> !download
08:29 <+vpnHelper> krzie: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
08:29 < krzie> b) use full paths
08:29 < krzie> !path
08:29 <+vpnHelper> krzie: "path" is always use full paths in your config file, it makes things easier
08:29 < krzie> !winpath
08:29 <+vpnHelper> krzie: "winpath" is (#1) Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key", or (#2) also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.: C:/Program Files/OpenVPN/config/foo.key (but surrounded by quotes)
08:32 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Ping timeout: 258 seconds]
08:32 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
08:40 -!- mape2k [~mape2k@p5B285F44.dip.t-dialin.net] has quit [Ping timeout: 258 seconds]
08:41 < arejay> still receving the same error
08:41 < arejay> Cannot load private key file C:\Program Files (x86)\Ope
08:41 < arejay> or:0906D06C:PEM routines:PEM_read_bio:no start line: err
08:41 < arejay> :SSL_CTX_use_PrivateKey_file:PEM lib
08:41 < arejay> Error: private key password verification failed
08:41 < arejay> Wed Jul 28 09:41:28 2010 Cannot load private key file C:\Program Files (x86)\OpenVPN\config\rob.key: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
08:41 < arejay> Wed Jul 28 09:41:28 2010 Error: private key password verification failed
08:48 < arejay> it seems to be a common problem on google, no answers
08:48 < arejay> this just plain sucks
08:48 < arejay> error:0906D06C
08:48 < arejay> :/
08:50 < arejay> Wed Jul 28 21:49:33 2010 Insufficient key material or header text not found in file 'rob.key' (0/128/256 bytes found/min/max)
08:50 < arejay> its not generating the key correctly
08:50 < arejay> openvpn --test-crypto --secret rob.key
08:52 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Ping timeout: 240 seconds]
08:53 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
08:55 < krzie> !certinfo
08:55 <+vpnHelper> krzie: "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
08:55 < krzie> oh lol
08:55 < krzie> thats just a static key
08:56 < krzie> are you using it in --key or --secret?
08:56 < krzie> !pki
08:56 <+vpnHelper> krzie: "pki" is http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs)
08:56 < krzie> it says private key, which means you are using it in --key, but you arent using a real key
08:56 < krzie> you have a static key, not a cert/key
08:57 < krzie> static keys are only good in --secret, for PTP connections
08:57 < krzie> for client/server you need !pki
09:04 < arejay> ok
09:05 < arejay> so how do i build a client key, i thought it as as simple as ./build-req rob
09:05 < arejay> does the name "rob" need to be the computers name for the client
09:06 < krzie> !pki
09:06 <+vpnHelper> krzie: "pki" is http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs)
09:06 < krzie> millions of people of followed that no problem, you can do it
09:06 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
09:07 < arejay> damn it
09:07 < arejay> ive follo that guide 500 times
09:16 < arejay> must be my openssl
09:16 < arejay> is all i can think
09:16 < arejay> (10:12 PM):(root@cube)/usr/local/etc/openvpn/keys$ openssl x509 -in client1.key -noout -text
09:16 < arejay> unable to load certificate
09:16 < arejay> 5003:error:0906D06C:PEM routines:PEM_read_bio:no start line:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
09:20 -!- star314 [~star314@xchg.fiss-oeaw.at] has joined ##openvpn
09:27 < unknown> Bushmills: using ...sleep 5; ifconfig... is unreliable since perhaps 5 seconds is not enough, or maybe its too high, depending on connection
09:27 < unknown> i now use the management interface and an expect script
09:44 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
09:45 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
09:45 -!- star314 [~star314@xchg.fiss-oeaw.at] has quit [Quit: Leaving]
09:50 -!- dazo is now known as dazo_afk
09:57 -!- macsppadic is now known as embarassment
10:08 -!- jww_ [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
10:08 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Read error: Connection reset by peer]
10:11 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
10:11 -!- embarassment is now known as macsppadic
10:11 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
10:46 -!- blueboxthief [~None_of_y@86-45-95-101-dynamic.b-ras2.srl.dublin.eircom.net] has joined ##openvpn
10:54 -!- macsppadic is now known as guesswhoagain
10:54 -!- penrod [~pattonb@S01060016b6b53bd9.cg.shawcable.net] has joined ##openvpn
11:07 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
11:09 -!- guesswhoagain is now known as macsppadic
11:17 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:38 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
12:10 -!- trefn [~tim@c-98-248-40-254.hsd1.ca.comcast.net] has joined ##openvpn
12:10 -!- candyban [~candyban@ip-83-134-87-234.dsl.scarlet.be] has quit [Ping timeout: 260 seconds]
12:19 -!- JackCorleone [~Jack@201-43-250-165.dsl.telesp.net.br] has quit [Remote host closed the connection]
12:25 -!- dazo_afk is now known as dazo
12:38 -!- unknown [~unknown@105-65-ftth.onsneteindhoven.nl] has quit [Read error: Connection reset by peer]
12:39 -!- unknown [~unknown@105-65-ftth.onsneteindhoven.nl] has joined ##openvpn
13:00 -!- kish [~o2@unaffiliated/spice] has quit [Ping timeout: 245 seconds]
13:03 -!- kish [~o2@unaffiliated/spice] has joined ##openvpn
13:27 -!- Cain` [~Geek@unaffiliated/cain] has joined ##openvpn
13:28 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
13:28 -!- Cain` is now known as Cain
14:22 -!- sharp15 [~stop_look@HW-ESR1-208-102-33-103.fuse.net] has joined ##openvpn
14:22 < sharp15> !welcome
14:22 <+vpnHelper> sharp15: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:27 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Remote host closed the connection]
14:45 < kisom> !goal
14:45 <+vpnHelper> kisom: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:45 < kisom> !goal "surf on porn sites at work"
14:45 <+vpnHelper> kisom: Error: "goal" is not a valid command.
14:49 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
14:53 < Fiouz> ROFL
14:56 < sharp15> any issues with openvpn and windows 7?
14:57 < Fiouz> client works fine here
14:58 < sharp15> Fiouz: any special intervention required to use samba/printer sharing over it?  if you don't use linux then nevermind.
14:59 < ecrist> nope
15:00 < kisom> i use samba and windows 7 clients, works great.
15:00 < sharp15> cool. :)
15:01 < sharp15> thanks guys.
15:02 < ecrist> we do too
15:02 < ecrist> pretty heavily now
15:12 -!- dazo is now known as dazo_afk
15:15 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
15:21 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
15:40 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has joined ##openvpn
15:41 < McBoingbo> question about isolation LAN traffic away from the VPN tunnel, by default will everything be tunneled to the VPN or just your company's internal network IP's?
15:42 < McBoingbo> isolation = isolating
15:43 < Fiouz> depends on how you setup your routes
15:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
15:44 < McBoingbo> no routes were setup, its pretty much default everything
15:44 < McBoingbo> I simply add the keys, and point remote to the appropriate vpn server
15:45 -!- arejay is now known as arejay|elsewhere
15:46 < Fiouz> if running in client mode with "client" or "pull", the server is able to push routes to your client (except if you have route-nopull)
15:47 < Fiouz> also, using redirect-gateway make (almost) all your client traffic go through the VPN
15:48 < McBoingbo> what I want is to avoid pushing too much traffic over the VN
15:48 < McBoingbo> VPN
15:49 < McBoingbo> so fir instance web browsing while connected via VPN, I do not want this traffice included
15:51 < Fiouz> is your client running Linux? policy routing might achieve that using iptables mangle + ip rule + FWMARK
15:54 < Fiouz> (provided you want to filter according to TCP port 80)
15:55 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
15:58 -!- arejay|elsewhere is now known as arejay
16:04 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
16:14 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
16:16 -!- sharp15 [~stop_look@HW-ESR1-208-102-33-103.fuse.net] has left ##openvpn []
16:18 -!- Strangebrew [~alon@unaffiliated/strangebrew] has joined ##openvpn
16:35 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has quit [Ping timeout: 260 seconds]
16:40 -!- Irssi: ##openvpn: Total of 94 nicks [3 ops, 0 halfops, 1 voices, 90 normal]
16:42 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
16:43 -!- Strangebrew [~alon@unaffiliated/strangebrew] has quit [Quit: Ex-Chat]
16:49 -!- sharp15 [~stop_look@HW-ESR1-208-102-33-103.fuse.net] has joined ##openvpn
16:52 -!- trefn [~tim@c-98-248-40-254.hsd1.ca.comcast.net] has quit [Quit: trefn]
17:07 -!- unknown [~unknown@105-65-ftth.onsneteindhoven.nl] has quit [Ping timeout: 265 seconds]
17:08 -!- sharp15 [~stop_look@HW-ESR1-208-102-33-103.fuse.net] has quit [Quit: leaving]
17:14 -!- blueboxthief [~None_of_y@86-45-95-101-dynamic.b-ras2.srl.dublin.eircom.net] has quit [Quit: Leaving.]
17:19 -!- cron2 [~gert@kirk.greenie.muc.de] has quit [Ping timeout: 245 seconds]
17:28 -!- WebFooL|A is now known as WebFooL
17:32 -!- drue [~drue@173-8-105-225-Minnesota.hfc.comcastbusiness.net] has joined ##openvpn
17:33 < arejay> anyone can help debug this http://pastebin.com/YK5rLaGq
17:39 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
17:41 -!- trefn [~tim@c-98-248-40-254.hsd1.ca.comcast.net] has joined ##openvpn
17:42 -!- MWinther [~mw@238-197-96-87.cust.blixtvik.se] has joined ##openvpn
17:51 -!- Lantizia [~Lantizia@erebus.seaquake.net] has left ##openvpn ["Leaving"]
17:54 < ecrist> arejay: see /topic, please
17:55 < arejay> no firewall
17:55 < arejay> !welcome
17:55 < ecrist> specifically, I'm looking for !configs
17:55 <+vpnHelper> arejay: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:55 < arejay> !configs
17:55 <+vpnHelper> arejay: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
17:59 < krzee> emailAddress=rj@dawnshosting.com
17:59 < krzee> haha
17:59 < krzee> i own doeshosting.com
18:00 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
18:00 < arejay> lol
18:00 < krzee> arejay, its an issue with your certs
18:00 < krzee> !certverify
18:00 <+vpnHelper> krzee: "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
18:00 < arejay> i fixed that
18:00 < arejay> no im getting
18:00 < arejay> TLS Error: cannot locate HMAC in incoming packet
18:00 < arejay> :/
18:00 < krzee> !hmac
18:00 <+vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
18:00 <+vpnHelper> krzee: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
18:00 -!- TimothyA [~TimothyA@sub-27ip207.onenet.an] has quit [Ping timeout: 240 seconds]
18:00 < arejay> i made that
18:01 < krzee> either its not the EXACT same on both sides, or you got the 0/1 thing wrong
18:02 < arejay> ok no im getting the same crap about my certs
18:03 < krzee> hahah
18:03 < arejay> (07:02 AM):(root@cube)/usr/local/etc/openvpn/keys$ openssl verify -CAfile ca.crt server.crt
18:03 < arejay> server.crt: OK
18:03 < krzee> rinse and repeat
18:03 < arejay> (07:02 AM):(root@cube)/usr/local/etc/openvpn/keys$ openssl verify -CAfile ca.crt me.crt
18:03 < arejay> me.crt: OK
18:03 < krzee> i cant help but to notice they are on the same server
18:04 < krzee> which doesnt garuntee the correct ca.crt or other certs or correct on the places they are being used
18:04 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 276 seconds]
18:07 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
18:07 < arejay> C:\Program Files (x86)\OpenVPN\bin>openssl verify -CAfile ca.crt me.crt
18:07 < arejay> me.crt: OK
18:07 < arejay> let me post my configs
18:11 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
18:12 < arejay> ok got it working
18:12 < arejay> now having issues with route
18:12 < arejay> etc
18:12 < krzee> heheh
18:12 < krzee> are you trying things before claiming to "have problems" ?
18:13 < arejay> Wed Jul 28 19:13:24 2010 CreateFile failed on TAP device: \\.\Global\{6AF3C5DE-3576-41BB-BC0D-86294A409A21}.tap
18:13 < arejay> Wed Jul 28 19:13:24 2010 All TAP-Win32 adapters on this system are currently in us
18:15 < arejay> yay it works
18:17 < arejay> now i need to setup some firewall rules
18:18 -!- vici0us [foobar@91.176.194.59] has joined ##openvpn
18:20 < ecrist> I wonder what kinds of awesome vpn stuff will be built once websockets takes off
18:28 -!- nameless` [~nameless`@lav35-1-82-236-136-20.fbx.proxad.net] has left ##openvpn []
18:29 -!- WebFooL is now known as WebFooL|A
18:30 < arejay> http://pastebin.com/GDy6E1WY
18:31 < arejay> any idea why come my internet wont work with this config once im connected
18:31 < arejay> do i need to do some firewall rules?
18:38 -!- arejay [arejay@i.got.more.packets.byte4byte.com] has quit [Disconnected by services]
18:38 -!- arejay|elsewhere [arejay@i.got.more.packets.byte4byte.com] has joined ##openvpn
18:38 -!- arejay|elsewhere is now known as arejay
18:42 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 240 seconds]
18:45 < krzee> !redirect
18:45 <+vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:45 < arejay> !nat
18:45 <+vpnHelper> arejay: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
18:45 < arejay> !fbsdnat
18:45 <+vpnHelper> arejay: "fbsdnat" is see http://cavanantha.wordpress.com/2007/09/16/nat-on-freebsd-using-pf/ for a basic howto for NAT on FreeBSD
18:47 < arejay> !def1
18:47 <+vpnHelper> arejay: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
19:02 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
19:10 -!- arejay_ [arejay@i.got.more.packets.byte4byte.com] has joined ##openvpn
19:12 -!- arejay [arejay@i.got.more.packets.byte4byte.com] has quit [Read error: Operation timed out]
19:13 -!- arejay_ is now known as arejay
19:16 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
19:16 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Client Quit]
19:17 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Quit: Leaving]
19:18 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
19:22 -!- SOG [~SOG@222.125.202.173] has quit [Remote host closed the connection]
19:23 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 246 seconds]
19:23 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
19:23 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Ping timeout: 246 seconds]
19:25 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
19:37 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
19:51 -!- kish [~o2@unaffiliated/spice] has quit [Remote host closed the connection]
19:51 -!- kish [~o2@unaffiliated/spice] has joined ##openvpn
20:09 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
21:10 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
21:12 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
21:35 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
22:12 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
22:14 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
22:33 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
22:40 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
22:56 -!- troy- [e0fe3580d1@bgp4.us] has quit [Quit: leaving]
23:02 -!- arejay [arejay@i.got.more.packets.byte4byte.com] has quit [Read error: Operation timed out]
23:04 -!- arejay [arejay@i.got.more.packets.byte4byte.com] has joined ##openvpn
23:16 -!- penrod [~pattonb@S01060016b6b53bd9.cg.shawcable.net] has quit [Quit: I don't like you. But Bersirc 2.2 does. Try it out now. [ http://www.bersirc.org/ - Open Source IRC ]]
23:44 -!- trefn [~tim@c-98-248-40-254.hsd1.ca.comcast.net] has left ##openvpn []
23:59 -!- tjz [~pc@bb116-14-173-251.singnet.com.sg] has joined ##openvpn
23:59 -!- tjz [~pc@bb116-14-173-251.singnet.com.sg] has quit [Changing host]
23:59 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
--- Day changed Thu Jul 29 2010
00:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
01:10 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:16 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has quit [Read error: Operation timed out]
01:19 -!- d12fk [~heiko@vpn.astaro.de] has joined ##openvpn
01:24 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
01:34 -!- mattock [~samuli@gprs-prointernet-ff016a00-62.dhcp.inet.fi] has joined ##openvpn
01:34 -!- mode/##openvpn [+o mattock] by ChanServ
01:37 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 276 seconds]
02:12 -!- mattock1 [~samuli@gprs-prointernet-ffb16a00-34.dhcp.inet.fi] has joined ##openvpn
02:12 -!- mode/##openvpn [+o mattock1] by ChanServ
02:14 -!- mattock [~samuli@gprs-prointernet-ff016a00-62.dhcp.inet.fi] has quit [Ping timeout: 240 seconds]
02:23 -!- mattock [~samuli@gprs-prointernet-ff556a00-70.dhcp.inet.fi] has joined ##openvpn
02:23 -!- mode/##openvpn [+o mattock] by ChanServ
02:24 -!- mattock1 [~samuli@gprs-prointernet-ffb16a00-34.dhcp.inet.fi] has quit [Ping timeout: 260 seconds]
02:54 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
02:56 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:10 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 252 seconds]
03:15 -!- cron2 [~gert@kirk.greenie.muc.de] has joined ##openvpn
03:17 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:40 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 265 seconds]
03:52 -!- unknown [~unknown@105-65-ftth.onsneteindhoven.nl] has joined ##openvpn
03:57 -!- dazo_afk is now known as dazo
04:22 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
04:24 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
04:25 -!- mosno [~mosno@unaffiliated/mosno] has joined ##openvpn
04:36 -!- mattock [~samuli@gprs-prointernet-ff556a00-70.dhcp.inet.fi] has quit [Ping timeout: 276 seconds]
04:44 <@dazo> !as
04:44 <+vpnHelper> dazo: "as" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
04:44 <+vpnHelper> dazo: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
04:56 -!- mosno [~mosno@unaffiliated/mosno] has quit [Quit: mosno]
05:01 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:39 -!- blueboxthief [~None_of_y@86-45-95-101-dynamic.b-ras2.srl.dublin.eircom.net] has joined ##openvpn
05:57 -!- scyld [~krajcong@unaffiliated/wasyl] has joined ##openvpn
05:58 < scyld> !welcome
05:58 <+vpnHelper> scyld: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:00 < scyld> Simple question - is it possible to replace client cert without stoping openvpn? 
06:00 < scyld> something like replace file and send signal to daemon...
06:04 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 260 seconds]
06:27 -!- Mark22 [~mark@unaffiliated/mark21] has joined ##openvpn
06:28 < Mark22> !welcome
06:28 <+vpnHelper> Mark22: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:28 < Mark22> !sample
06:28 <+vpnHelper> Mark22: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
06:40 -!- unkie__ [~unknown@105-65-ftth.onsneteindhoven.nl] has joined ##openvpn
06:40 -!- unknown [~unknown@105-65-ftth.onsneteindhoven.nl] has quit [Read error: Connection reset by peer]
06:45 -!- unkie__ is now known as unknown
07:00 -!- blueboxthief [~None_of_y@86-45-95-101-dynamic.b-ras2.srl.dublin.eircom.net] has quit [Ping timeout: 276 seconds]
07:01 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
07:05 -!- blueboxthief [~None_of_y@86-40-176-16-dynamic.b-ras2.srl.dublin.eircom.net] has joined ##openvpn
07:17 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 240 seconds]
07:23 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
07:24 < ecrist> good morning.
07:41 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 276 seconds]
07:42 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
07:51 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:56 -!- kish [~o2@unaffiliated/spice] has quit [Quit: fuck irc]
08:08 -!- th1 [~th@cpc1-cmbg15-2-0-cust361.5-4.cable.virginmedia.com] has quit [Ping timeout: 260 seconds]
08:09 -!- takamichi [~pri@78.133.39.143] has quit []
08:10 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has joined ##openvpn
08:21 -!- th1 [~th@cpc1-cmbg15-2-0-cust361.5-4.cable.virginmedia.com] has joined ##openvpn
08:29 -!- blueboxthief [~None_of_y@86-40-176-16-dynamic.b-ras2.srl.dublin.eircom.net] has quit [Quit: Leaving.]
08:45 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
08:49 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Read error: Operation timed out]
09:08 -!- ScriptFanix [~vincent@cl-53.mrs-01.fr.sixxs.net] has joined ##openvpn
09:13 < krzee> g'mornin
09:15 < ecrist> howdy
09:15 < hyper_ch> krzee: already finished SC2?
09:16 < krzee> SC2?
09:16 < hyper_ch> starcraft2
09:28 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
09:30 -!- mosno [~mosno@unaffiliated/mosno] has joined ##openvpn
09:41 -!- funkyHat [~m@funkyhat.org] has left ##openvpn []
09:42 -!- kisom [~kisom@c-f9dde155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Ping timeout: 265 seconds]
09:49 < krzee> never watched it
09:55 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
09:55 < ecrist> krzee: it's a video game
09:56 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
10:00 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
10:05 -!- Blues-Man [~bluesman@host225-116-dynamic.27-79-r.retail.telecomitalia.it] has joined ##openvpn
10:13 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
10:19 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
10:25 -!- intralanman [~lanman@va-67-76-163-226.sta.embarqhsd.net] has joined ##openvpn
10:27 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
10:27 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
10:29 < intralanman> where's krzee today?
10:30 < ecrist> he's around
10:35 -!- ScriptFanix [~vincent@cl-53.mrs-01.fr.sixxs.net] has quit [Quit: pof]
10:40 -!- MWinther [~mw@238-197-96-87.cust.blixtvik.se] has quit [Quit: Leaving...]
10:42 -!- MWinther [~mw@238-197-96-87.cust.blixtvik.se] has joined ##openvpn
10:43 -!- MWinther [~mw@238-197-96-87.cust.blixtvik.se] has quit [Remote host closed the connection]
10:44 -!- arejay [arejay@i.got.more.packets.byte4byte.com] has quit [Quit: /quit]
10:47 -!- arejay [arejay@i.got.more.packets.byte4byte.com] has joined ##openvpn
10:58 -!- kisom_ [~kisom@c-f9dde155.648-1-64736c11.cust.bredbandsbolaget.se] has joined ##openvpn
10:58 -!- kisom_ is now known as Guest96825
11:03 -!- Guest96825 [~kisom@c-f9dde155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Quit: leaving]
11:03 -!- kisom [~kisom@c-f9dde155.648-1-64736c11.cust.bredbandsbolaget.se] has joined ##openvpn
11:04 -!- WebFooL|A is now known as WebFooL
11:20 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:21 -!- blackxored [~adrian@ubuntu/member/blackxored] has joined ##openvpn
11:22 < blackxored> hello guys, i've just setup openvpn on debian lenny i can ping my vpn address, now i want to ask
11:22 < |Mike|> ask what
11:22 < |Mike|> (read the topic please)
11:22 < blackxored> i go trough a proxy server, all outbound traffic for my ip allowed, how can I forward all traffic
11:22 < blackxored> to the vpn 
11:22 < blackxored> i mean internet access to go through the vpn and use just the proxy for connecting to the vpn server
11:23 < blackxored> and let me add, although i'm netadmin, the policy forbids me from creating "another" VPN on that proxy server, although i can do it on my machine
11:23 < blackxored> so any clues???
11:23 < blackxored> i pushed route defl, but i still have my main route and no route for tun0
11:24 < ecrist> !def1
11:24 <+vpnHelper> ecrist: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
11:24 < ecrist> route "redirect-gateway def1"
11:24 < ecrist> not
11:24 < ecrist> route def1
11:25 < blackxored> snip: push "redirect-gateway defl"
11:25 < blackxored> on the server right?
11:25 < blackxored> is def-one or def- "ell"
11:25 < blackxored> BTW
11:25 < blackxored> since i wrote defl
11:25 < blackxored> lol
11:26 < ecrist> def-one
11:26 < blackxored> ecrist, damn it, restarting
11:31 -!- blackxored [~adrian@ubuntu/member/blackxored] has quit [Ping timeout: 240 seconds]
11:36 -!- penrod [~pattonb@S01060016b6b53bd9.cg.shawcable.net] has joined ##openvpn
11:37 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
11:44 -!- blackxored [~adrian@ubuntu/member/blackxored] has joined ##openvpn
11:51 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
11:53 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
12:02 -!- SOG [~SOG@222.125.202.173] has quit [Remote host closed the connection]
12:03 -!- SOG [~SOG@119.237.140.75] has joined ##openvpn
12:07 -!- bluegene [~unknown@awesomo.iodev.org] has joined ##openvpn
12:07 -!- mosno [~mosno@unaffiliated/mosno] has quit [Quit: mosno]
12:07 -!- dazo is now known as dazo_afk
12:07 < bluegene> hi everyone. is there a possibility to set the expiration date for a client key?
12:07 -!- SOG [~SOG@119.237.140.75] has quit [Ping timeout: 265 seconds]
12:12 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
12:17 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 252 seconds]
12:29 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:41 -!- mattock [~samuli@gprs-prointernet-fffa8900-64.dhcp.inet.fi] has joined ##openvpn
12:41 -!- mode/##openvpn [+o mattock] by ChanServ
12:49 -!- brah [~asdofp@190.7.0.81] has joined ##openvpn
12:50 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
12:59 -!- takamichi [~pri@78.133.39.143] has joined ##openvpn
13:05 -!- dazo_afk is now known as dazo
13:19 -!- arejay [arejay@i.got.more.packets.byte4byte.com] has quit [Quit: /quit]
13:28 -!- Cain` [~Geek@unaffiliated/cain] has joined ##openvpn
13:28 -!- arejay|elsewhere [arejay@i.got.more.packets.byte4byte.com] has joined ##openvpn
13:28 -!- arejay|elsewhere is now known as arejay
13:30 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
13:30 -!- Cain` is now known as Cain
13:31 -!- Blues-Man [~bluesman@host225-116-dynamic.27-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
13:34 -!- bandini [~bandini@host142-26-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
13:42 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
13:58 -!- bandini [~bandini@host142-26-dynamic.20-79-r.retail.telecomitalia.it] has quit [Quit: Ex-Chat]
14:02 -!- bandini [~bandini@host142-26-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
14:04 -!- mattock [~samuli@gprs-prointernet-fffa8900-64.dhcp.inet.fi] has quit [Ping timeout: 265 seconds]
14:06 -!- mattock [~samuli@gprs-prointernet-ff0d6a00-230.dhcp.inet.fi] has joined ##openvpn
14:06 -!- mode/##openvpn [+o mattock] by ChanServ
14:29 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:34 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has joined ##openvpn
14:38 -!- vici0us [foobar@91.176.194.59] has quit [Ping timeout: 240 seconds]
14:39 -!- vici0us [foobar@91.176.195.132] has joined ##openvpn
14:45 -!- dazo is now known as dazo_afk
14:48 -!- mattock [~samuli@gprs-prointernet-ff0d6a00-230.dhcp.inet.fi] has quit [Ping timeout: 265 seconds]
15:12 -!- bandini [~bandini@host142-26-dynamic.20-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
15:28 -!- boswarrior [~mrnice@84.115.26.221] has joined ##openvpn
15:40 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.8/20100722155716]]
15:47 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
15:49 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
16:01 -!- boswarrior [~mrnice@84.115.26.221] has quit [Remote host closed the connection]
16:11 -!- blackxored [~adrian@ubuntu/member/blackxored] has quit [Ping timeout: 265 seconds]
16:16 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has quit [Ping timeout: 245 seconds]
16:18 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined ##openvpn
16:23 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 276 seconds]
16:23 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
16:32 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Remote host closed the connection]
16:33 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
16:38 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Remote host closed the connection]
16:40 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
16:44 -!- WebFooL is now known as WebFooL|A
16:45 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Read error: Connection reset by peer]
16:45 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
16:59 -!- bluegene [~unknown@awesomo.iodev.org] has quit [Remote host closed the connection]
17:13 -!- WebFooL|A [~WebFooL@untangle/contributor/WebFooL] has quit [Ping timeout: 252 seconds]
17:15 -!- Haraken [ryuk@unaffiliated/haraken] has joined ##openvpn
17:16 < Haraken> is it possible to use a vpn connection as a proxy, ie your whole internet goes through that ip once connected?
17:21 < ecrist> yep
17:21 < ecrist> !redirect-gateway
17:21 <+vpnHelper> ecrist: Error: "redirect-gateway" is not a valid command.
17:21 < ecrist> !def1
17:21 <+vpnHelper> ecrist: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
17:27 -!- ecrist_ [~ecrist@kenny.secure-computing.net] has joined ##openvpn
17:27 -!- ecrist_ [~ecrist@kenny.secure-computing.net] has quit [Client Quit]
17:34 -!- unknown [~unknown@105-65-ftth.onsneteindhoven.nl] has quit [Read error: Operation timed out]
17:41 -!- takamichi [~pri@78.133.39.143] has quit [Ping timeout: 240 seconds]
17:49 -!- takamichi [~pri@78.133.39.143] has joined ##openvpn
17:57 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:00 < penrod> !welcome
18:00 <+vpnHelper> penrod: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:22 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
18:52 < penrod> greetings, I don't seem to be able to get a tunnel started from the client. I can see the packets enter (eth0) on the openvpn server, I have port1194 forwarded to the virtual ip address on the server, yet they don't seem to get beyond eth0 any ideas on where I should start ?
19:10 -!- guiremach [~guiremach@187.39.131.91] has joined ##openvpn
19:12 -!- guiremach [~guiremach@187.39.131.91] has left ##openvpn []
19:17 -!- takamichi [~pri@78.133.39.143] has quit [Ping timeout: 240 seconds]
19:31 -!- takamichi [~pri@78.133.39.143] has joined ##openvpn
19:59 -!- takamichi [~pri@78.133.39.143] has quit [Ping timeout: 240 seconds]
20:00 -!- takamichi [~pri@76.73.39.170] has joined ##openvpn
20:11 -!- ohzie [~ohzie@204.57.79.29] has joined ##openvpn
20:11 < ohzie> Hey, does anyone have a guide on how to set up openvpn to use a single shared key for all users and allow multiple users to connect with that key?
20:12 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
20:25 < Bushmills> penrod: start by checking log file
20:36 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
20:53 < ecrist> ohzie: you can't do that.
21:21 -!- ohzie [~ohzie@204.57.79.29] has quit [Quit: Leaving]
21:55 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
21:57 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
22:24 -!- rasengan [~rasengan@96.43.136.14] has joined ##openvpn
22:24 < rasengan> !welcome
22:24 <+vpnHelper> rasengan: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
22:26 < rasengan> I have a quick question, what kind of system would be required for a small office with approximately 100 people, in order to provide vpn access to an Intranet located elsewhere?
22:29 < ecrist> rasengan: probably any desktop you'd have in the org would handle it
22:30 < ecrist> but, really, it depends on what you're pushing
22:30 < rasengan> ecrist: Oh okay, sounds good.
22:31 < rasengan> Mostly, to access localnetwork filesystems and their webbrowsing will be filtered as well through the network and should be very minimal
22:31 < ecrist> should be OK for the most part
22:31 < ecrist> we push boat-loads of traffic at times without issue
22:32 < rasengan> great :) so a 2gb memory system should have no problem? :)
22:32 < ecrist> you should do fine
22:32 < rasengan> ecrist: thank you :)
23:04 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:10 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
23:22 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Ping timeout: 265 seconds]
23:23 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
23:39 -!- jww_ [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Remote host closed the connection]
23:39 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
--- Day changed Fri Jul 30 2010
00:39 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
01:13 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:06 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 276 seconds]
02:07 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
02:15 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:25 -!- kisom [~kisom@c-f9dde155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Remote host closed the connection]
02:30 -!- boswarrior [~mrnice@78.142.173.114] has joined ##openvpn
02:51 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
02:53 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:05 < kraut> moin
03:37 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:46 -!- SOG [~SOG@61.144.230.241] has quit [Remote host closed the connection]
03:46 -!- SOG [~SOG@119.237.140.75] has joined ##openvpn
03:46 -!- SOG_ [~SOG@61.144.230.241] has joined ##openvpn
03:50 -!- SOG [~SOG@119.237.140.75] has quit [Ping timeout: 265 seconds]
03:50 -!- SOG_ is now known as SOG
03:55 -!- vici0us [foobar@91.176.195.132] has quit [Quit: Lost terminal]
03:58 -!- unknown [~unknown@105-65-ftth.onsneteindhoven.nl] has joined ##openvpn
04:01 -!- unknown [~unknown@105-65-ftth.onsneteindhoven.nl] has left ##openvpn []
04:09 -!- dazo_afk is now known as dazo
04:32 <@dazo> !as
04:32 <+vpnHelper> dazo: "as" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
04:33 <+vpnHelper> dazo: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
04:33 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
04:39 -!- SOG_ [~SOG@61.144.230.241] has joined ##openvpn
04:43 -!- SOG [~SOG@61.144.230.241] has quit [Ping timeout: 276 seconds]
04:43 -!- SOG_ is now known as SOG
04:44 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 246 seconds]
04:45 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
04:56 -!- APTX_ [~APTX@phpBB/developer/APTX] has joined ##openvpn
04:56 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 240 seconds]
05:02 -!- SOG [~SOG@61.144.230.241] has quit [Quit: SOG]
05:03 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:23 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
05:24 -!- SOG [~SOG@61.144.230.241] has quit [Client Quit]
05:34 -!- takamichi [~pri@76.73.39.170] has quit [Ping timeout: 240 seconds]
05:34 -!- takamichi [~pri@76.73.39.170] has joined ##openvpn
05:40 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
05:42 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
05:43 -!- killown is now known as darklee
05:47 -!- darklee is now known as killown
06:45 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:50 -!- macsppadic is now known as INURFACE
07:37 <@dazo> hmmm ... yet another reason to stay away from dd-wrt ... http://pauldotcom.com/2009/07/using-metasploit-dd-wrt-exploi.html
07:37 <+vpnHelper> Title: PaulDotCom: Archives (at pauldotcom.com)
07:37 <@dazo> Especially noticing this sentence: "It was argued that this exploit is of low impact by some since the distribution only listens for HTTP connections thru the internal interface." ... yeah, right!  That makes things safer ...
08:12 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has joined ##openvpn
08:23 -!- boswarrior [~mrnice@78.142.173.114] has quit [Quit: Ex-Chat]
08:40 -!- rasengan [~rasengan@96.43.136.14] has quit [Quit: brb]
08:48 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
08:48 -!- rasengan [~rasengan@96.43.136.14] has joined ##openvpn
08:59 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
09:32 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
09:44 -!- swente [0ZaCwIv7ex@unaffiliated/swente] has joined ##openvpn
09:45 -!- APTX_ [~APTX@phpBB/developer/APTX] has quit [Read error: Connection reset by peer]
09:45 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
09:48 < swente> 'lo. my oVPN has multiple endpoints. on the central server, there's "just" one tun-device with "addr: 10.1.2.1 p-t-p:10.1.2.2". problem: i want to add a route on central server, and can't address the endpoint of a vpn-node [e.g. 10.1.2.5], as that address is not visible from central node. do i *have* to configure that route in the connection's config, or do i miss some ip-route-feature to get this done?
09:49 -!- takamichi [~pri@76.73.39.170] has quit [Ping timeout: 264 seconds]
09:49 -!- takamichi [~pri@78.133.39.143] has joined ##openvpn
10:10 -!- mechbangirc [~mechbangi@mbl-82-58-1.dsl.net.pk] has joined ##openvpn
10:10 < mechbangirc> hello
10:14 < mechbangirc> currently i have a setup like [vpn-service-provider --> home-router --> windows-PC(as vpn gateway --> linux-server(vpn client)]. I want to remove windows-PC from the equation, can anybody give me some hint or related howto or tutorial, will be very helpfull
10:15 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
10:28 -!- Cain [~Geek@unaffiliated/cain] has quit [Read error: Connection reset by peer]
10:28 -!- Cain [~Geek@41.141.252.98] has joined ##openvpn
10:28 -!- Cain [~Geek@41.141.252.98] has quit [Changing host]
10:28 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
10:29 -!- INURFACE is now known as macsppadic
10:32 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Quit: Lost terminal]
10:33 -!- mechbangirc [~mechbangi@mbl-82-58-1.dsl.net.pk] has left ##openvpn ["Leaving"]
10:33 -!- mechbangirc [~mechbangi@mbl-82-58-1.dsl.net.pk] has joined ##openvpn
10:34 < mechbangirc> hi i prepared a diagram for what i intend to do  need a guide or hint on this http://img820.imageshack.us/img820/5515/vpni.jpg
10:34 -!- APTX is now known as APTX_
10:34 -!- APTX_ is now known as APTX
10:39 -!- takamichi [~pri@78.133.39.143] has quit [Read error: Operation timed out]
10:40 -!- takamichi [~pri@83.170.104.47] has joined ##openvpn
10:43 -!- mechbangirc [~mechbangi@mbl-82-58-1.dsl.net.pk] has quit [Ping timeout: 265 seconds]
10:44 -!- mechbangirc [~mechbangi@mbl-65-157-52.dsl.net.pk] has joined ##openvpn
10:49 -!- mechbangirc [~mechbangi@mbl-65-157-52.dsl.net.pk] has quit [Ping timeout: 276 seconds]
10:50 -!- mechbangirc [~mechbangi@mbl-82-58-18.dsl.net.pk] has joined ##openvpn
10:57 -!- mechbangirc [~mechbangi@mbl-82-58-18.dsl.net.pk] has quit [Ping timeout: 260 seconds]
11:01 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:03 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
11:09 -!- mechbangirc [~mechbangi@mbl-82-58-12.dsl.net.pk] has joined ##openvpn
11:15 -!- julius [~julius@217.20.127.15] has quit [Quit: waaah er muss wirklich mal neu starten o.O]
11:17 -!- julius [~julius@217.20.127.15] has joined ##openvpn
11:19 -!- mechbangirc [~mechbangi@mbl-82-58-12.dsl.net.pk] has quit [Quit: Leaving]
11:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:28 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
11:28 -!- mode/##openvpn [+o mattock] by ChanServ
11:49 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
11:58 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
12:07 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
12:09 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Remote host closed the connection]
12:40 -!- IceGuest_75 [~IceChat7@d173-180-26-167.bchsia.telus.net] has joined ##openvpn
12:40 -!- IceGuest_75_ [~IceChat7@d173-180-26-167.bchsia.telus.net] has joined ##openvpn
12:42 -!- IceGuest_75 [~IceChat7@d173-180-26-167.bchsia.telus.net] has left ##openvpn []
12:43 -!- dazo is now known as dazo_afk
12:51 -!- mechbangirc [~mechbangi@115-186-140-40.nayatel.pk] has joined ##openvpn
12:51 < mechbangirc> hi
13:04 -!- mechbangirc [~mechbangi@115-186-140-40.nayatel.pk] has quit [Quit: Leaving]
13:06 -!- clone [~IceChat7@173.180.26.167] has joined ##openvpn
13:06 -!- clone [~IceChat7@173.180.26.167] has left ##openvpn []
13:07 -!- derik [~derik@unaffiliated/derik] has joined ##openvpn
13:07 < derik> how much ram consum openvpn on debian ?
13:07 -!- IceGuest_75_ [~IceChat7@d173-180-26-167.bchsia.telus.net] has quit [Quit: If you think nobody cares, try missing a few payments]
13:10 < ecrist> derik: no idea.
13:10 < ecrist> generally, it's not enough to matter to most people who ask.
13:18 < derik> ecrist openvpn have a web interface?
13:19 < ecrist> nope
13:19 < ecrist> I think there are some, though.
13:22 -!- derik [~derik@unaffiliated/derik] has quit [Quit: Good bye]
13:25 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
13:28 -!- Cain` [~Geek@unaffiliated/cain] has joined ##openvpn
13:30 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
13:30 -!- Cain` is now known as Cain
13:38 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:41 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
13:54 -!- SOG [~SOG@n112118164214.netvigator.com] has joined ##openvpn
13:59 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Quit: Leaving]
14:09 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
14:17 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:23 -!- blackxored [~adrian@ubuntu/member/blackxored] has joined ##openvpn
14:24 < blackxored> hi guys, my notebook works fine, but my phone  (android) somehow gets timeouts so i have to opt for re-connecting. Clues?
14:35 -!- SOG [~SOG@n112118164214.netvigator.com] has quit [Ping timeout: 240 seconds]
14:35 -!- RedT0mt01 [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has quit [Read error: Connection reset by peer]
14:36 -!- RedT0mt0m [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has joined ##openvpn
14:40 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined ##openvpn
14:41 < grendal_prime> im continually amazed at the apparent lack of documentation about client connect scripts.
14:41 < grendal_prime> how would i grab the ip address of a machine that is connected...
14:42 < grendal_prime> i was thinking...something like..this in a bash script would do it  echo ${ifconfig_pool_local_ip} > /etc/openvpn/vpn-ip-found.txt;
14:43 < grendal_prime> now it writes the file and fills it with nothing...so im pretty sure im not getting the varriable information.
14:46 < grendal_prime> wich blows
14:46 < grendal_prime> cause thats how its documented..(what i can find anyway)
15:00 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
15:12 -!- Cain [~Geek@unaffiliated/cain] has quit [Quit: Sayaunara ^_^]
15:18 -!- cj [~cjac@karma.colliertech.org] has quit [Ping timeout: 260 seconds]
15:20 -!- r4tune [~r4tune@87.115.92.209] has joined ##openvpn
15:21 < r4tune> hello, is all traffic in openvpn routed though a router or does it allow peer to peer transmissions?
15:21 < r4tune> it seems a mega waste of bandwidth to have a vps somewhere for me and my friends to have our own little support net
15:24 < Bushmills> traffic goes through server
15:24 < r4tune> any plans to ever add a "VPN ARP table" for want of a better word to allow peer to peer?
15:24 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
15:25 < Bushmills> grendal_prime: environment variables. those are documented in the man page
15:25 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has quit [Ping timeout: 260 seconds]
15:26 < Bushmills> for example, server executed connect script can use variable $trusted_ip  
15:26 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has joined ##openvpn
15:27 < Bushmills> while you are continually amazed by lack of information, i am by the apparent lack to look up that info in the manpage
15:27 < grendal_prime> do you have a link anyhere?  everthing i find looks like this  ${ifconfig_pool_local_ip}
15:27 < grendal_prime> do i need the brackets?
15:27 < Bushmills> not needed. 
15:27 < grendal_prime> and ya it is being executed on the server.
15:28 < Bushmills> unless you want to append or prepend a string to the variable substitution value 
15:28 -!- cj [~cjac@karma.colliertech.org] has joined ##openvpn
15:28 < Bushmills> no. append only. not prepend
15:29 < grendal_prime> hmm i still get nothing
15:29 < Bushmills> try running a connect script which redirects  set > file_of_your_choice
15:29 < Bushmills> also check  -script-security
15:29 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has joined ##openvpn
15:30 < Bushmills> --script-security
15:30 < Bushmills> !script-security
15:30 <+vpnHelper> Bushmills: Error: "script-security" is not a valid command.
15:30 < Bushmills> !up
15:30 <+vpnHelper> Bushmills: Error: "up" is not a valid command.
15:30 < Bushmills> !client-connect
15:30 <+vpnHelper> Bushmills: "client-connect" is --client-connect <script>, runs script on client connection. This can be useful for generating firewall rules dynamicly, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamicly... to use it that way, you should write your dynamic ccd commands to the file named by $1.
15:31 < grendal_prime> hmm that gives me the gateway ip address of the client..i need the tap ip address.
15:35 < Bushmills> check section Environment Variables.  there's  ifconfig_remote
15:39 -!- SOG [~SOG@n1164869128.netvigator.com] has joined ##openvpn
15:39 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
15:47 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
15:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 252 seconds]
15:54 -!- killown [~killown@unaffiliated/killown] has quit [Ping timeout: 276 seconds]
15:54 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.8/20100722155716]]
15:57 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
16:00 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:01 -!- dazo_afk [~dazo@nat/redhat/x-yzpkubzpfdccecel] has quit [Ping timeout: 276 seconds]
16:02 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
16:02 -!- dazo_afk [~dazo@nat/redhat/x-qsbdlznwtfijydfx] has joined ##openvpn
16:02 -!- mode/##openvpn [+o dazo_afk] by ChanServ
16:02 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
16:03 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
16:05 -!- blackxored [~adrian@ubuntu/member/blackxored] has quit [Quit: Leaving]
16:10 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has quit [Ping timeout: 240 seconds]
16:26 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
16:29 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
16:29 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
16:34 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
16:40 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
16:41 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Read error: Connection reset by peer]
16:42 -!- kreg [~kreg@208-98-188-95.directcom.com] has joined ##openvpn
16:51 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has quit [Ping timeout: 600 seconds]
16:54 -!- evan``` [~odigo@82.1.185.166] has joined ##openvpn
16:56 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Ping timeout: 276 seconds]
16:56 -!- evan``` [~odigo@82.1.185.166] has left ##openvpn ["WeeChat 0.3.0"]
16:58 -!- takamichi [~pri@83.170.104.47] has quit [Ping timeout: 240 seconds]
16:58 -!- takamichi [~pri@78.133.39.143] has joined ##openvpn
16:59 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Quit: Ex-Chat]
17:01 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
17:01 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
17:02 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has joined ##openvpn
17:07 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
17:20 -!- codehotter [~ogd@ip47-132-212-87.adsl2.static.versatel.nl] has joined ##openvpn
17:21 < codehotter> !welcome
17:21 <+vpnHelper> codehotter: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:21 < codehotter> !goal
17:21 <+vpnHelper> codehotter: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:26 < codehotter> Can I run a vpn server on one ip address, one port, that lets clients say "I want to connect to network x" and have the host connect it to a different network than if the client says "I want to connect to network y" ?
17:28 < krzie> codehotter, server can push things at the client
17:28 < krzie> and does not have to allow clients to do anything it doesnt want done
17:30 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Ping timeout: 260 seconds]
17:32 < codehotter> krzie: can I decide what to push to the client based on the credentials supplied?
17:32 < krzie> based on which client it is
17:32 < krzie> !ccd
17:32 <+vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
17:33 < codehotter> so, I can send four different clients to one person, and which client he starts up, decides which network he gets connected to, even though he's making a connection to the same vpn server same port each time?
17:34 < krzie> umm
17:34 < krzie> if thats your goal, stop pushing things and start using diff configs for the end-user instead
17:34 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
17:34 < krzie> he can have 1 config, and comment/uncomment based on needs
17:35 < Bushmills> codehotter: four configs would do
17:35 < krzie> sup bush =]
17:36 < Bushmills> checking ...
17:36 < codehotter> Right. So technically, this is possible, based on client config, you get a different network, even though you connect to the same vpn server, same port
17:36 < Bushmills> clouds
17:36 < krzie> codehotter, sure
17:36 < codehotter> I'd just have to find a userfriendly way to change client config
17:36 < krzie> the most non-technical guy at my office was able to handle putting a # in front of a line when he doesnt want X
17:37 < Bushmills> codehotter: "different network" means what?
17:37 < codehotter> Bushmills: meaning, different firewall rules, so different hosts reachable, based on the way the client is authenticating
17:38 < krzie> different firewall rules would require different certs
17:38 < krzie> !static
17:38 < Bushmills> ah.  s/four configs/four keys/
17:38 <+vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
17:38 < Bushmills> (provided server determines what ip addresses and routes client gets)
17:39 < codehotter> thanks! 
17:39 -!- codehotter [~ogd@ip47-132-212-87.adsl2.static.versatel.nl] has quit [Quit: Lost terminal]
17:39 < Bushmills> seems the replies left no questions
17:40 -!- joren [~j@66.206.86.190] has joined ##openvpn
17:40 < krzie> lol
17:48 < joren> Hey, just as a heads up, It looks like if you update to windows 7 from vista(and an old version of openvpn) things arn't happy. I kept getting the error "all tap-win32 devices on this system are in use"  and had to remove the old driver before it would successfully install the new one. Not sure if this is documented, or if it should be, but I wouldn't mind documenting it a bit better in a few days if it's desired. 
17:57 < krzie> feel free to document it on the wiki
17:57 < krzie> !wiki
17:57 <+vpnHelper> krzie: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
18:05 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
18:07 -!- kreg [~kreg@208-98-188-95.directcom.com] has quit [Quit: Leaving]
18:10 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:14 -!- joren [~j@66.206.86.190] has quit [Ping timeout: 240 seconds]
18:19 -!- cjae [~quassel@142-165-27-211.estv.hsdb.sasknet.sk.ca] has joined ##openvpn
18:31 -!- cjae [~quassel@142-165-27-211.estv.hsdb.sasknet.sk.ca] has quit [Remote host closed the connection]
18:40 -!- EmperorTom [~Emperor@184-97-178-149.mpls.qwest.net] has joined ##openvpn
18:42 < EmperorTom> any idea what would cause openvpn traffic to work from server to client, but not in reverse? If I run tcpdump on tap0 at the client and server I see broadcasts from the server LAN, but the server doesn't see any traffic from the client, even though it is being received [apparently]? FreeBSD server, Debian client.
18:44 < EmperorTom> Firewall on the server does not report that it is dropping any relevant packets.
19:01 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
19:24 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
19:40 -!- joren [~j@65.102.27.140] has joined ##openvpn
20:24 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
20:30 -!- swente [0ZaCwIv7ex@unaffiliated/swente] has left ##openvpn []
20:44 -!- r4tune [~r4tune@87.115.92.209] has quit [Remote host closed the connection]
20:50 -!- Guest62915 is now known as redfox
21:45 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
23:14 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
23:41 -!- Netsplit *.net <-> *.split quits: jfkw, krzee, nb, d12fk
23:42 -!- Netsplit *.net <-> *.split quits: Typone
23:42 -!- Netsplit over, joins: krzee
23:42 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined ##openvpn
23:44 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
23:50 -!- Typone [~nnnnnnnit@195.197.184.87] has joined ##openvpn
23:52 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has joined ##openvpn
--- Day changed Sat Jul 31 2010
00:14 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
00:17 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
00:46 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
00:50 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has joined ##openvpn
01:05 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
01:08 -!- zheng [~zheng@114.92.141.242] has joined ##openvpn
01:16 -!- zheng [~zheng@114.92.141.242] has quit [Quit: Leaving]
01:24 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
01:26 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:27 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
02:12 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:41 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:41 -!- mode/##openvpn [+o mattock] by ChanServ
03:24 -!- arejay is now known as arejay|elsewhere
03:30 -!- arejay|elsewhere is now known as arejay
03:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:40 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 265 seconds]
03:52 -!- arejay [arejay@i.got.more.packets.byte4byte.com] has left ##openvpn []
05:25 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
05:51 -!- kisom [~kisom@c-f9dde155.648-1-64736c11.cust.bredbandsbolaget.se] has joined ##openvpn
05:58 -!- deadeyes [~gvm@77.109.78.240] has left ##openvpn []
06:28 -!- Cain [~Geek@unaffiliated/cain] has quit [Quit: Sayaunara ^_^]
07:08 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:28 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 260 seconds]
07:31 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
07:40 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
08:04 -!- ruied [~ruied@62.28.165.222] has joined ##openvpn
08:51 -!- ruied [~ruied@62.28.165.222] has quit [Ping timeout: 240 seconds]
08:55 -!- ruied [~ruied@62.28.165.222] has joined ##openvpn
09:07 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
09:08 -!- benedikt [~benedikt@agurka.sudo.is] has joined ##openvpn
09:09 -!- ruied [~ruied@62.28.165.222] has quit [Ping timeout: 240 seconds]
09:10 < benedikt> Hi! I keep getting this in my the log "MULTI: bad source address from client [10.10.1.11], packet dropped". This happens after a dsl router got reset and every client trying to connect from there is unable to browse the internet through the VPN
09:11 < benedikt> They are able to browse anything the server doesnt have to route to. The server is 130.208.251.252/24 and the clients in trouble can access everything in 130.208.251.0/24 
09:11 < benedikt> The home network used to be 192.168.2.0/24 but after the router was reset by accident it is 192.168.1.0/24
09:12 < benedikt> I have tried installing openvpn on another server, completely fresh but the problem persists. 
09:12 < benedikt> And the house in question is my mothers hose, quiete a bit away from me. Any help is appriciated :-)
09:15 < benedikt> my guess is something went wrong when the router was reset and it is still using 192.168.2.0/24 in some packets, while really being 192.168.1.0/24 and this is screwing things up. 
09:21 -!- ruied [~ruied@89.181.127.90] has joined ##openvpn
09:25 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
09:40 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
09:56 -!- joren [~j@65.102.27.140] has quit [Ping timeout: 260 seconds]
09:57 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
10:15 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
10:22 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 252 seconds]
10:24 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
10:24 -!- takamichi [~pri@78.133.39.143] has quit [Ping timeout: 258 seconds]
10:24 -!- takamichi [~pri@78.133.39.143] has joined ##openvpn
10:31 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:38 < krzie> benedikt, the packets being dropped in that MULTI are from 10.10.1.11
10:40 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
10:40 < benedikt> I accidentally copied from a website i found while googling my error. My VPN netowrk is 10.133.1.0/24
10:40 < benedikt> but yes, the packets from those clients are being dropped
10:41 < benedikt> i can't figoure out why
10:43 < krzie> lol
10:43 < krzie> you pasted me an error from google
10:43 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
10:43 < krzie> and its because you dont have an iroute for the network that is being dropped
10:44 < krzie> as to why your network is the subnet it is, its your settings (outside of openvpn)
10:44 < benedikt> krzie: it's the same error message. Instead of digging through roughly 100 lines of syslog, i found the open tab with the exact same message, but forgot to alter the ip net :-)
10:44 < benedikt> I didn't need an iroute before, why would i need it now? 
10:45 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <-]
10:45 < krzie> grep MULTI <log>
10:45 < krzie> :-p
10:45 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
10:45 < krzie> because you seem to be sharing a client LAN over openvpn
10:45 < krzie> is that the case?
10:46 < JPeterson> has anyone used 'Use a proxy server for VPN connections' in the 1.5.4 windows client?
10:46 < benedikt> nope.. at least thats not the intent. 
10:46 < krzie> in windows, no
10:46 < JPeterson> I have no internet access besides a socks proxy
10:46 < benedikt> the intent is to route the internet traffic thorugh the VPN and access other clients in the same vpn
10:47 < krzie> benedikt, well thats the only reason MULTI errors come up, some lan machine is sending traffic over the VPN
10:47 < benedikt> connecting to the same VPN works fine for me. 
10:47 < krzie> turn off ip forwarding on the client if you dont need to share its LAN
10:47 < krzie> !c2c
10:47 <+vpnHelper> krzie: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
10:47 <+vpnHelper> krzie: behind other clients
10:47 < krzie> !redirect
10:47 <+vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
10:48 < JPeterson> does it support a socks proxy?
10:48 < krzie> JPeterson, --socks
10:48 < JPeterson> or is it http only?
10:48 < benedikt> isnt client-to-client to allow different VPN clients to talk to each other?
10:48 < krzie> also some --proxy options
10:48 < krzie> see manual
10:48 < krzie> !man
10:48 <+vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
10:48 < krzie> benedikt, yes, "and access other clients in the same vpn"
10:48 < JPeterson> krzie:  I mean for the 1.5.4 windows client
10:48 < benedikt> krzie: that is enabled and has ben functioning for a little over a year
10:49 < benedikt> it just stopped working when the dsl router was reset
10:49 < benedikt> for those behind that router
10:49 < benedikt> works fine for me
10:49 < krzie> jpalmer, the windows client just reads a config
10:50 < krzie> the config options stay valid :-p
10:50 < benedikt> so the MULTI error occurs because some computer is trying to forward traffic through the client connected to the VPN?
10:51 < benedikt> or the (windows) client might have "internet connection sharing" enabled (or whatever it is called)
10:52 < benedikt> just checking if i understand you correctly
10:54 < benedikt> these are windows clients and im not very well aquiented with windows. This would mean to turn off "internet conncetion sharing" in windowsland?
10:56 < krzie> server has an internal routing table
10:56 < krzie> as controled by iroute
10:56 < krzie> !iroute
10:56 <+vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
10:57 < krzie> this is so the openvpn server can have clients with lans (foreign subnets) behind it
10:57 < krzie> otherwise it wouldnt know what lan is behind what client
10:57 < krzie> MULTI errors are when packets come from a foreign subnet and is not in that internal routing table
10:58 < krzie> openvpn doesnt know what it's supposed to do with those packets
10:58 < krzie> hrm, time for me to check if thats in the FAQ or not, it will be if it is not
10:59 < benedikt> this is starting to explain things
10:59 < benedikt> but the only entries with MULTI in the syslog of the new server with the new openvpn is just the server learning the clients
11:00 < krzie> then you dont have that problem
11:00 < krzie> which you pasted from google, not from your logs
11:01 < benedikt> the old server with the old vpn has it, a lot. 
11:01 < krzie> we cant fix an old vpn
11:02 < krzie> do you need help with something...?
11:02 < benedikt> its not old, its just not the one i set up fresh today. and yes i need help with figuring out why these clients can only ping and do dns lookups through the VPN while it works fine for me
11:04 < krzie> you setup NAT on the server?
11:05 < benedikt> yes. everything works fine for everybody except the clients behind the newly-reset dsl router
11:05 < benedikt> im using the vpn right now as we speak
11:05 < krzie> are those machines all connecting to the VN individually?
11:06 < krzie> VPN*
11:06 < benedikt> yes
11:06 < krzie> weird for multiple machines in a LAN to all connect
11:06 < krzie> they could all use a single machine on the LAN and route through it
11:06 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
11:06 < benedikt> not really. they are all laptops mostly connecting at different times 
11:06 < krzie> in which case you would have had a special route on the router that would be needed
11:07 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
11:10 < benedikt> yup. but all clients are conecting individually and these clients can connect, send ping packets and recieve replies, and do dns lookups. nothign else. 
11:11 < krzie> doesnt sound like a problem with that router tho
11:12 < krzie> sounds like bad firewall stuff on the vpn server
11:12 < benedikt> everything works fine if the disconnect the vpn, the router nats and routes just fine. 
11:12 < benedikt> you'd think. but the server hasnt changed and it works fine for me. 
11:12 < krzie> sniff packets
11:12 < krzie> see where they get dropped
11:12 < benedikt> wait, ill pastebin the iptables for the nat table
11:12 -!- ruied [~ruied@89.181.127.90] has quit [Ping timeout: 258 seconds]
11:12 < krzie> look at the client logs
11:13 < krzie> make sure they get their default gateway bypassed
11:13 < krzie> see their routing table as well
11:13 < benedikt> they get it passed, ive checked
11:13 < benedikt> routing table looks normal, also checked
11:13 < krzie> but mainly, sniff packets
11:13 < benedikt> tcpdump?
11:13 -!- brah [~asdofp@190.7.0.81] has quit [Read error: Connection reset by peer]
11:13 < krzie> aye
11:13 < krzie> tun0
11:13 < krzie> and on server tun0
11:14 < benedikt> http://pastebin.com/fKQB97dx
11:15 < benedikt> just about as simple as it gets
11:15 < krzie> oh also
11:15 < krzie> you cant say:
11:15 < krzie> "nothing else has changed"
11:15 < krzie> when you also say "i re-made the vpn today"
11:15 < benedikt> ..
11:15 < krzie> "the old vpn has this error, new one does not"
11:15 < benedikt> the router was reset the day before yesterday. the vpn stopped working for them. server didnt change, config didnt change, nat on server didnt change. 
11:16 < krzie> but now the entire VPN changed
11:16 < benedikt> yes, now. 
11:16 < benedikt> i have reverted the settnigs from backup
11:16 < krzie> so the errors from now are separate from the errors AND topology of the old vpn 
11:17 < benedikt> made everything the same way as 3 days ago. 
11:20 < benedikt> yes, you are right though :-)
11:21 < benedikt>  http://pastebin.com/4uH9LeER ← tcpdump of client failing to access facebook.com. 192.168.2.0/24 is the VPN network now
11:21 < benedikt> seems to me like the NAT doesnt route back the packets that facebook.com answers with. 
11:22 < Chosi> benedikt: if you like your client
11:22 < Chosi> use -n for tcpdump.
11:22 < Chosi> :)
11:24 < benedikt> Why ? Man page says "dont convert addresses to names"
11:24 < Chosi> it's something about ethics
11:24 < Chosi> nevermind.
11:25 < benedikt> theres nothing there you cant find out from whoising the domain im ircing from :P guess i didnt think there was a need to hid any of that info
11:25 < benedikt> :-)
11:26 < Chosi> nah it's just about when you're monitoring more than just one destination domain ;)
11:26 < Chosi> as i said, nevermind
11:26 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
11:26 < benedikt> ah, id take more care in that case :-) 
11:26 < benedikt> this didnt wualify as sensitive iformation in my mind. Wasnt trying to be a dick or anything though. 
11:27 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
11:32 < benedikt> any suggestions why the NAT would return the packets to me and not to these clients?
11:42 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
11:45 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
11:46 < Bushmills> !firewall
11:46 <+vpnHelper> Bushmills: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
11:46 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.8/20100722155716]]
11:46 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
11:52 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:04 < benedikt> http://pastebin.com/KKEC0xg7 ← flushed iptables, and tcpdump (with -n ;-)
12:04 < benedikt> still deosnt work for 192.168.3.10 but works for 192.168.3.6 (me)
12:05 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
12:06 < benedikt> the packets are defenently being sent to 192.168.3.10
12:06 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
12:07 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
12:20 < Bushmills> firewall on 192.168.3.10
12:21 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Ping timeout: 276 seconds]
12:25 < benedikt> Bushmills: there isnt any
12:26 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
12:27 < Bushmills> when packets are definitely sent to 192.168.3.10, and that machine doesn't see them, they are apparently blocked by 192.158.3.10
12:27 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
12:28 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
12:28 < benedikt> my guess is that the dsl router somehow fucked up when it was reset and some part of it still thinks it has the 192.168.2.0/24 subnet instead of the 192.168.1.0/24 it has now
12:28 < Bushmills> i have no idea how 192.168.2.0 or 1.0 subnet relate to the machine with 192.168.3.x
12:30 < benedikt> 192.168.3.0/24 is the VPN subnet
12:30 < benedikt> 192.168.1.0/24 is the internal subnet that the client with the VPN address 192.168.3.0 sits on 
12:30 < benedikt> a local network
12:30 < Bushmills> can vpn server ping 192.168.3.x client?
12:30 -!- Qantourisc [~Qantouris@d54C49D91.access.telenet.be] has joined ##openvpn
12:31 < benedikt> that used to be 192.168.2.0/24 before the Thompson rotuer decided it should resset itself
12:31 < krzie> do you get a MULTI error?
12:31 < benedikt> yes, icmp packets work. 
12:31 < Qantourisc> Does anyone know a channel i can ask Ipsec/racoon questions in ?
12:31 < benedikt> tcp packets donðt. 
12:31 < benedikt> don't*
12:31 < krzie> Qantourisc, nope
12:31 < Qantourisc> dang
12:31 < benedikt> krzie: not any more. i turned of ipv4 forwarding. turned it was is a separate issue that has existed for months, i just never checked the logs. 
12:31 < Qantourisc> racoon/ipsec is not easy
12:32 < Qantourisc> and the error messages are ... cryptic
12:32 < krzie> !notovpn
12:32 <+vpnHelper> krzie: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
12:33 < Qantourisc> krzie: yes i know, mainly here to ask for a channel :p
12:33 < Qantourisc> thanks in any case
12:33 < krzie> benedikt, why do you think something is happening with 192.168.2.X?
12:36 < benedikt> krzie: because that used to be the local subnet before the dsl router was reset. I'm thinking that the routers local nat table is soemhwo inconsistent
12:36 < benedikt> somehow*
12:37 < krzie> nope
12:37 < krzie> do you have this enabled?
12:37 < krzie> !ccd
12:37 <+vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
12:37 < benedikt> nope
12:38 < krzie> lemme see server config, and client configs from a client that works and one that does not
12:38 < benedikt> im using network-manager to connect to the vpn, it doesnt generate a typical openvpn config file
12:38 < krzie> !netman
12:38 <+vpnHelper> krzie: "netman" is if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from an openvpn expert on the mail list
12:39 < krzie> i wont be heling any further with it while its using netman
12:40 < benedikt> http://pastebin.com/m7s6u9ni ← server
12:41 < benedikt> http://pastebin.com/13ZhgF1R ← client not working
12:41 < benedikt> fine, ill put together a config for my client
12:43 < benedikt> i have been meaning to do it anyways :-)
12:46 < benedikt> http://pastebin.com/FLA488HT ← client working
12:46 < benedikt> there you go
12:47 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
12:48 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
12:51 < benedikt> krzie: see anything abnormal?
13:00 < krzie> http://secure-computing.net/wiki/index.php/OpenVPN/FAQ#Why_does_my_server_log_have_MULTI_errors.3F__They_look_like_this:_MULTI:_bad_source_address_from_client_.5BLAN_IP.5D.2C_packet_dropped.__Also.2C_.22What_is_iroute.3F.22
13:00 <+vpnHelper> Title: OpenVPN/FAQ - Secure Computing Wiki (at secure-computing.net)
13:00 < krzie> added to FAQ =]
13:00 < |Mike|> !tunortap
13:00 <+vpnHelper> |Mike|: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
13:00 <+vpnHelper> |Mike|: against you over the vpn, or (#4) lan gaming? use tap!
13:00 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:00 < |Mike|> tata vpnHelper :)
13:00 < |Mike|> ohai krzie :)
13:01 < krzie> hey =]
13:01 < |Mike|> brb, need to roll some stuff :)
13:02 < krzie> benedikt, my fault, but can you repaste the configs like this
13:02 < krzie> !configs
13:02 <+vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
13:03 -!- fbh [fbh@unaffiliated/fbh] has quit [Ping timeout: 276 seconds]
13:04 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
13:04 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:05 < benedikt> krzie: my bad, didnt think of the comments. hang on. 
13:06 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
13:07 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
13:08 < benedikt> krzie: http://pastebin.com/V0w5MgAn failing client
13:08 < benedikt> http://pastebin.com/jWu1mhuN server
13:09 < benedikt> http://pastebin.com/qjGFjD4g working client
13:09 < krzie> !path
13:09 <+vpnHelper> krzie: "path" is always use full paths in your config file, it makes things easier
13:10 < benedikt> ill keep that in mind next time but this works
13:11 < krzie> lol
13:11 < krzie> if it worked you wouldnt be posting configs
13:11 < benedikt> hurr... the only thing needing paths are the key locations. and obviulsy it finds the keys
13:12 < krzie> only difference between the clients is ns-cert-type server
13:13 < krzie> which checks the server cert to see if it was correctly signed as a server
13:13 < krzie> i see you used: bypass-dhcp
13:13 < krzie> in redirect-gateway
13:13 < benedikt> i tired both with and without. the example config had it, thats why i kept it. 
13:13 < krzie> did you have problems before adding that, which were fixed by adding it?
13:14 < benedikt> none whatsoever. 
13:14 < krzie> !ipp
13:14 <+vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
13:14 < benedikt> the ipp.txt has served me well
13:14 < krzie> just be sure you understand what it does
13:15 < benedikt> i do
13:15 < krzie> it does NOT give you static ips
13:15 < benedikt> i know
13:15 < krzie> they can change from what ipp.txt has any time they feel like it
13:15 < benedikt> ive noticed. but it doesnt bother me
13:15 < krzie> are you using your old ipp.txt?
13:16 < benedikt> not right now. i moved it a while ago to see if it made any difference
13:16 < krzie> what OS are the clients?
13:17 < benedikt> the failing one is windows vista
13:17 < benedikt> the working is ubuntu lucid
13:17 < krzie> change client verb to 5 and show me the log
13:17 < benedikt> failing?
13:17 < krzie> the working client doesnt get the DHCP options
13:17 < krzie> yes'
13:18 < benedikt> thats because you cant push dns to a linux client since it really isnt a dhcp feature
13:18 < benedikt> i think he has left and isnt coming back until tomrrow.. but ill check the verbosity and read the logs better. 
13:18 < krzie> yes you can
13:18 < krzie> requires an up script
13:18 < benedikt> not using dhcp
13:18 < krzie> !pushdns
13:18 <+vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
13:18 < krzie> see #4
13:19 < benedikt> i know. thats what i explained to you. pushing DNS isnt a dhcp option, except in the way that microsoft implemented dhcp
13:19 < benedikt> which isnt the proper way
13:19 < krzie> but you can still use the options
13:20 < benedikt> i know. network manager takes care of it for me as is, and the other linux client on the vpn uses a script when the vpn is up client-side. 
13:20 -!- JodaZ [~JodaZ@ns302312.ovh.net] has joined ##openvpn
13:23 < JodaZ> i kinda forgot how i setup openvpn, and now i need to add another user, i have a client.p12 and a .opvn file i can connect with, but only one user can at once, in ipp.txt on the server i have client,10.8.0.4, how would i make a new client2.p12 file for a new client which could connect at the same time as the first client ?
13:25 < benedikt> do you mean having two clients connected at the same time with the same certs?
13:25 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
13:26 < JodaZ> benedikt, well, either that, or creating a new client2.p12 file
13:27 < benedikt> what os is the server on?
13:27 < JodaZ> linux
13:27 < benedikt> distro?
13:27 < JodaZ> debian
13:27 < JodaZ> lenny i think
13:27 < benedikt> (linux is just the kernel)
13:27 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
13:27 < benedikt> do you have /etc/openvpn/easy-rsa ?
13:27 < JodaZ> benedikt, i should have said gnu/linux to annoy you ^_^
13:28 < benedikt> actually that would have been a proper answer :P
13:28 < JodaZ> benedikt, i remember following some tutorial, keys and stuff are in /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/
13:28 < benedikt> great
13:28 < benedikt> cp -r /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
13:28 < benedikt> if you cd into /etc/openvpn/easy-rsa/2.0/
13:29 < benedikt> there are scripts to create and sign a new cert for a new client
13:29 < benedikt> assuming you created the ca with the same tools
13:29 < benedikt> but you seem to have done that
13:29 < benedikt> its probably called build-client
13:29 < JodaZ> no build-client there
13:30 < benedikt> build-key 
13:30 < JodaZ> yes
13:30 < benedikt> i think thats the one
13:30 < benedikt> source ./vars
13:30 < benedikt> ./clean-all (just make sure there are no keys in keys/, copy them elsewhere, this will delete them)
13:30 < benedikt>  ./build-key <client name>
13:31 < JodaZ> what does source do, there seems to be no man for that
13:31 < JodaZ> eh, but i want to keep my current set of keys
13:31 < benedikt> copy them elsewhere, build-key wont run if clean-all hasnt been run
13:32 < benedikt> http://www.manpagez.com/man/1/source/
13:32 <+vpnHelper> Title: man page source section 1 (at www.manpagez.com)
13:32 < JodaZ> hmm, why don't i just try running ./build-key newclient ?
13:32 < benedikt> my system deosnt have the man page wither. no idea why. 
13:32 < benedikt> it will tell you that you need to run clean-all and source first :P
13:32 < benedikt> but feel free to try
13:33 < benedikt> i have to run along now, you should be able to build a new key now :)
13:33 < JodaZ> >_>
13:35 < krzie> its plainly spelt out in 
13:35 < krzie> !pki
13:35 <+vpnHelper> krzie: "pki" is http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs)
13:37 < JodaZ> it seemed to work without clean-all
13:37 < JodaZ> i have 04.pem client2.crt client2.csr client2.key new now
13:37 < JodaZ> how do i make a .p12 out of them ?
13:38 < krzie> the pem is combined
13:38 < krzie> but ive never done that
13:38 < krzie> i just use ca / crt / key
13:39 < JodaZ> well, its slightly more comfortable combined
13:45 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
13:47 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
13:55 < JodaZ> the first line of the .ovpn file is client, that isn't the name of the client, is it ?
13:57 < krzie> no
13:57 < krzie> you can know what it is here:
13:57 < krzie> !man
13:57 <+vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
13:58 < krzie> look for --client
13:58 < krzie> !--
13:58 <+vpnHelper> krzie: "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file.
13:58 < JodaZ> huge manual is huge
14:05 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
14:06 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
14:16 -!- Qantouri1c [~Qantouris@d54C490DC.access.telenet.be] has joined ##openvpn
14:19 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Operation timed out]
14:19 -!- Qantourisc [~Qantouris@d54C49D91.access.telenet.be] has quit [Ping timeout: 258 seconds]
14:20 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
14:33 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
14:38 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
14:38 -!- Qantouri1c is now known as Qantourisc
14:39 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
14:42 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
14:51 -!- magglass1 [~m@unaffiliated/magglass1] has quit [Quit: leaving]
14:57 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
14:58 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 248 seconds]
14:59 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
15:00 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
15:16 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 264 seconds]
15:18 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
15:18 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
15:18 < krzee> ecrist, http://www.mystagic.com/albino-squirrel-wars.png
15:19 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
15:20 -!- buntfalke_ is now known as buntfalke
15:36 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:37 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
15:39 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
16:02 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
16:03 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
16:19 -!- fbh [fbh@lucifer.frands.net] has joined ##openvpn
16:19 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
16:21 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
16:22 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
16:22 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
16:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
16:26 -!- fbh [fbh@lucifer.frands.net] has quit [Changing host]
16:26 -!- fbh [fbh@unaffiliated/fbh] has joined ##openvpn
16:27 -!- ruied [~ruied@62.28.165.222] has joined ##openvpn
16:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
16:42 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
16:43 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
17:01 -!- ruied [~ruied@62.28.165.222] has quit [Ping timeout: 265 seconds]
17:01 -!- cron2 [~gert@kirk.greenie.muc.de] has quit [Read error: Operation timed out]
17:02 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
17:03 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
17:03 -!- cron2 [~gert@kirk.greenie.muc.de] has joined ##openvpn
17:17 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
17:20 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
17:22 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
17:23 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
17:46 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
17:47 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
17:56 -!- ruied [~ruied@62.28.165.222] has joined ##openvpn
18:05 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
18:06 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
18:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
18:13 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
18:33 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
18:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
18:35 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
18:35 < ecrist> interesting
18:36 < |Mike|> y
18:53 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
18:53 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
19:11 -!- ruied [~ruied@62.28.165.222] has quit [Ping timeout: 240 seconds]
19:12 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
19:13 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
19:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
19:36 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
19:37 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
19:46 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
19:57 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
19:58 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
20:18 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
20:19 -!- ruied [~ruied@89.214.112.67] has joined ##openvpn
20:19 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
20:27 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
20:33 -!- cpm is now known as urban_spaceman
20:35 -!- urban_spaceman is now known as cpm
20:35 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
20:41 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
20:42 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
20:54 -!- ruied [~ruied@89.214.112.67] has quit [Ping timeout: 258 seconds]
20:54 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Operation timed out]
20:55 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
21:15 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
21:16 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
21:35 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
21:36 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
21:45 -!- boswarrior [~mrnice@84.115.26.221] has joined ##openvpn
21:48 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
21:51 -!- abeehc [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Quit: leaving]
21:54 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
21:54 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
22:12 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
22:13 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
22:18 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
22:22 -!- krzee [krzee@unaffiliated/krzee] has quit [Remote host closed the connection]
22:23 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
22:28 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
22:31 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
22:32 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
22:51 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
22:52 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
22:56 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 248 seconds]
23:10 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
23:11 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
23:29 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
23:30 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
23:49 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
23:50 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
--- Day changed Sun Aug 01 2010
00:07 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
00:08 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
00:26 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
00:27 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Read error: Operation timed out]
00:28 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
00:46 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
00:47 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
01:06 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
01:07 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
01:08 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
01:24 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
01:25 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
01:45 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
01:46 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
02:04 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
02:05 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
02:24 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
02:25 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
02:40 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Like it?  Visit #hydrairc on EFNet]
02:41 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
02:41 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:46 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
02:57 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
02:59 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
03:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:07 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
03:20 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
03:21 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:42 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
03:54 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
03:55 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
04:13 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
04:14 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
04:32 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
04:33 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
04:49 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Read error: Operation timed out]
04:53 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
04:54 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
04:58 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
05:11 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
05:21 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Read error: Operation timed out]
05:24 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
05:32 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
05:50 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
05:50 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
06:00 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
06:06 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
06:10 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
06:11 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
06:29 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
06:29 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
06:31 < |Mike|> JPeterson: buy some real intarnetz
06:50 -!- SOG [~SOG@n1164869128.netvigator.com] has quit [Quit: SOG]
06:52 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
06:53 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
07:04 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
07:11 -!- ruied [~ruied@62.28.165.222] has joined ##openvpn
07:13 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
07:13 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
07:17 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 240 seconds]
07:23 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
07:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:26 -!- ruied [~ruied@62.28.165.222] has quit [Ping timeout: 260 seconds]
07:26 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
07:29 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:32 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
07:33 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
07:51 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
07:51 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
07:59 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 252 seconds]
08:01 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
08:06 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Remote host closed the connection]
08:06 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
08:08 < kisom> i dont remember who i was arguing RC4 security with earlier, but...
08:08 < kisom> http://blog.ivanristic.com/2009/08/is-rc4-safe-for-use-in-ssl.html
08:08 <+vpnHelper> Title: Ivan Ristić: Is RC4 safe for use in SSL? (at blog.ivanristic.com)
08:09 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
08:10 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
08:25 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:32 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
08:32 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
08:45 -!- ruied [~ruied@62.28.165.222] has joined ##openvpn
08:46 -!- ruied [~ruied@62.28.165.222] has quit [Remote host closed the connection]
08:51 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
08:52 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
09:10 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
09:11 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
09:17 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
09:31 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
09:32 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
09:34 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
09:39 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Remote host closed the connection]
09:40 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
09:51 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
09:52 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
09:58 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
10:10 -!- pod_ [521df500@gateway/web/freenode/ip.82.29.245.0] has joined ##openvpn
10:12 < pod_> can users connect to openvpn using standard mac/windows add vpn connextion?
10:12 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
10:13 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
10:13 -!- pod_ [521df500@gateway/web/freenode/ip.82.29.245.0] has quit [Client Quit]
10:24 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
10:25 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
10:28 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
10:34 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
10:34 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
10:38 -!- rawDawg [~rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
10:38 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
10:49 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
10:53 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
10:56 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
10:57 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
10:58 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 252 seconds]
10:58 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
11:08 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 252 seconds]
11:09 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
11:22 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
11:22 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 248 seconds]
11:22 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
11:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:38 -!- SOG [~SOG@222.125.202.173] has quit [Quit: I will be back!]
11:40 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
11:41 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
11:42 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
11:49 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- It'll be on slashdot one day...]
11:56 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
12:02 -!- SOG [~SOG@222.125.202.173] has quit [Read error: Connection reset by peer]
12:03 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
12:03 -!- SOG [~SOG@222.125.202.173] has quit [Client Quit]
12:14 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:19 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
12:44 -!- newmember [~chatzilla@98-125-82-139.dyn.centurytel.net] has joined ##openvpn
13:12 -!- newmember [~chatzilla@98-125-82-139.dyn.centurytel.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.8/20100722155716]]
13:22 -!- takamichi [~pri@78.133.39.143] has quit [Ping timeout: 240 seconds]
13:23 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
14:27 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
14:34 -!- gorkhaan [~gorkhaan@adsl-101-194.globonet.hu] has joined ##openvpn
14:43 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Operation timed out]
14:43 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
14:48 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
14:52 -!- gorkhaan [~gorkhaan@adsl-101-194.globonet.hu] has quit [Quit: Távozom]
14:53 -!- gorkhaan [~gorkhaan@adsl-101-194.globonet.hu] has joined ##openvpn
14:54 -!- gorkhaan [~gorkhaan@adsl-101-194.globonet.hu] has quit [Client Quit]
14:54 -!- gorkhaan_ [~gorkhaan@adsl-101-194.globonet.hu] has joined ##openvpn
14:55 -!- gorkhaan_ [~gorkhaan@adsl-101-194.globonet.hu] has quit [Remote host closed the connection]
14:55 -!- gorkhaan [~gorkhaan@adsl-101-194.globonet.hu] has joined ##openvpn
15:02 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
15:03 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
15:21 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
15:22 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
15:23 -!- mbrevda [~mbrevda@unaffiliated/mbrevda] has joined ##openvpn
15:24 < mbrevda> im trying to set up an openvpn server. Im having a hard time figuring out what I need to set in the server option. Is that supposed to be my local ip address? Should that be a virtual ip address?
15:24 -!- takamichi [~pri@78.133.39.143] has joined ##openvpn
15:24 < hyper_ch> !howto
15:24 <+vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:25 < mbrevda> I read it, and a bunch of other guides, couldnt get a clear answer on that one
15:28 < Bushmills> man page says  "--server network netmask"  and explains "...This directive will set up an OpenVPN server which will allocate addresses to clients out of the given network/netmask."  what part of that gives you a hard time to figure out?
15:29 < mbrevda> Bushmills:  I took that to mean (in correlation to my question) that I need to assign  NEW ip address for the openvpn tun. However, doing so I get: ptions error: --server directive network/netmask combination is invalid
15:30 < mbrevda> I used: server 192.168.100.254 255.255.255.0
15:31 < krzee> ahh, you must not have continued to where it tells you how --server expands
15:31 < mbrevda> krzee:  feel free to point it out and Ill go read it!
15:32 < Bushmills>  192.168.100.254 is not a valid network address
15:32 < krzee> a good common example would be: 10.8.0.0 255.255.255.0
15:32 < krzee> !man
15:32 <+vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
15:32 < krzee> --server
15:32 < mbrevda> so - nothing in 192.168.x.x?
15:32 < mbrevda> krzee:  I read that part of the man
15:33 < krzee> 192.168.x.x is fine
15:33 < krzee> but it must be a NETWORK address
15:33 < krzee> not the ip
15:33 < mbrevda> 192.168.100.254 is NOT my current ip address
15:33 < krzee> the ip is the --ifconfig that exists when --server expands
15:33 < krzee> i understand its not your current ip
15:34 < krzee> its also not a network address
15:34 < mbrevda> ah - I see
15:35 < Bushmills> check wikipedia for CIDR
15:35 < krzee> the first ip in the network you give to openvpn will be taken for the server
15:36 < mbrevda> yup - now it /seems/ to be working. is the a cli or the like where I can see status? (like clients connected, etc?)
15:36 < krzee> see --status
15:36 < krzee> in the manual =]
15:36 < mbrevda> k
15:37 < krzee> or --management depending what you want to see
15:37 < krzee> but for debugging, you would want
15:37 < krzee> !logfile
15:37 <+vpnHelper> krzee: "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info
15:37 < mbrevda> I see. So no way to query the daemon then?
15:37 < krzee> query the daemon interactively would be --management
15:38 < krzee> but it was made for people to write frontends for, while humans can interact with it, that wasnt its main purpose
15:38 < krzee> so it wasnt made to be overly user-friendly
15:41 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
15:42 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
16:00 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
16:01 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
16:20 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
16:21 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
16:39 -!- boswarrior [~mrnice@84.115.26.221] has quit [Remote host closed the connection]
16:41 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
16:41 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
16:43 -!- mbrevda [~mbrevda@unaffiliated/mbrevda] has quit [Ping timeout: 260 seconds]
16:50 -!- mbrevda [~mbrevda@109.160.144.180] has joined ##openvpn
16:50 -!- mbrevda [~mbrevda@109.160.144.180] has quit [Changing host]
16:50 -!- mbrevda [~mbrevda@unaffiliated/mbrevda] has joined ##openvpn
16:50 -!- mbrevda [~mbrevda@unaffiliated/mbrevda] has quit [Client Quit]
16:54 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 252 seconds]
17:10 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
17:11 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
17:18 -!- takamichi [~pri@78.133.39.143] has quit [Ping timeout: 260 seconds]
17:30 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
17:31 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
17:31 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
17:37 -!- benedikt [~benedikt@agurka.sudo.is] has left ##openvpn []
17:38 -!- crazed [~cr4z3d@unaffiliated/cr4z3d] has joined ##openvpn
17:38 < crazed> so i can get a tunnel up between two boxes, but i can't ping around the local network
17:39 < crazed> i can ping the local network ip for my vpn end point, but no where else
17:39 < crazed> i know it's got to be a routing rule but i can't figure out which one
17:39 < crazed> (net.ipv4.ip_forward is set to 1)
17:39 < crazed> on the end point
17:50 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
17:51 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
17:54 < Bushmills> !route
17:54 <+vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:55 < Bushmills> in case it's wan, not lan, behind vpn server, look at:
17:55 < Bushmills> !redirect
17:55 <+vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:58 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
18:03 -!- sylar [~sylarrrr@bzq-79-177-48-232.red.bezeqint.net] has joined ##openvpn
18:03 < sylar> hello
18:03 < sylar> I am noob
18:04 < sylar> please tell me how difficult is it to learn to setup a vpn?
18:04 < sylar> difficult=time for noob
18:06 < sylar> is there a windows server, or just a linux server?
18:10 -!- Tachycek [~tach@81.200.61.23] has joined ##openvpn
18:10 < Tachycek> Hi
18:11 < Tachycek> Is there any way to have openvpn work in such mode that it uses as many p2p connections as possible?
18:11 < Tachycek> I have one ovpn server and some clients
18:12 < Tachycek> but some of the clients have public ip
18:12 < Tachycek> so i would like to have them p2p connected
18:13 < Tachycek> !welcome
18:13 <+vpnHelper> Tachycek: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:14 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
18:14 < Bushmills> sylar: openvpn runs under many operating systems. including windows.  
18:14 < Bushmills> there is no difference between client and server program. the configuration determines the role
18:15 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
18:15 < Bushmills> Tachycek: i have no idea what you want to achieve
18:15 < Tachycek> Bushmills: i try to explain :)
18:15 < Bushmills> you can connect many clients to one openvpn server, at the same time too, if that's what you ask
18:16 < Tachycek> now, if i send a message from client1 to client2
18:16 < Tachycek> and the message goes this way
18:16 < Tachycek> client1 -> internet -> server -> internet -> client2
18:16 < Tachycek> but i know that client1 and client2 have both public IP
18:16 < Tachycek> so i would like to go the message this way
18:16 < Tachycek> client1 -> internet -> client2
18:16 < sylar> Bushmills, do I neeed to read lots of man pages to know how to use it?
18:17 < Tachycek> sylar: if you're going to use it on windows, then download openvpngui and go trough some manual
18:17 < Bushmills> unless you run openvpn server on one client and connect with another instance of openvpn to that server, all traffic will go through the one server
18:17 < Tachycek> it is easy
18:18 < Tachycek> Bushmills: and there is no other way around ?
18:18 < Bushmills> not with openvpn
18:18 < Tachycek> :/
18:23 -!- sylar [~sylarrrr@bzq-79-177-48-232.red.bezeqint.net] has quit [Ping timeout: 260 seconds]
18:33 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
18:34 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
18:36 < Tachycek> Bushmills: do you know, if somethin should improve in the future about this?
18:48 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:50 < Tachycek> Rundll32.exe user.exe,ExitWindows
18:53 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
18:54 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
18:57 < Bushmills> Tachycek: that's something frequently asked about, and those who ask are often invited to add it to the code
18:58 < Tachycek> Bushmills: well actually beyond my current programming skills
18:59 < Tachycek> and even if it wasn't i would have to get used to the openvpn and i assume i would have to change the protocol a littlebit and do some other changes to the way it works now
18:59 < Tachycek> i really doubt that such change would be included from some stranger like mne
19:00 < Bushmills> i suppose somebody else would have to modify openvpn in a similar way
19:00 < Bushmills> why? you need it, you code it
19:00 < Tachycek> well yea, but somebody, who is more trusted and knows, what changes to the draft could be accepted and which not
19:00 < Tachycek> which
19:01 < Bushmills> whether code is accepted or not, doesn't affect that you can use it
19:01 < Tachycek> well it affect it
19:01 < Tachycek> because i need other people who use openvpn to use it
19:01 < Tachycek> if they connect to my ovpn server
19:02 < Bushmills> you can pass them a copy of your version
19:02 < Tachycek> i really doubt somebody would accept and run application from mne without even knowing mne
19:02 < Tachycek> :)
19:02 < Tachycek> me 
19:03 < Bushmills> it would be enough to read the code. no need to know you :)
19:03 < Tachycek> openvpn.net/vpn.zip is good tachycek.net/vpn.zip is not good :)
19:03 < Tachycek> :)))))
19:03 < Tachycek> Nevertheless, it is beyond my skills anyway
19:03 < Bushmills> do you know the openvpn authors?
19:03 < Tachycek> nope
19:04 < Tachycek> but i trust them
19:04 < Tachycek> ovpn is well known product
19:06 < Bushmills> but for all you know, it could also be an elaborate scheme to create internet's largest botnet
19:07 < Tachycek> no that is not possible :)
19:07 < Tachycek> many people use it
19:07 < Tachycek> and many have checked it
19:08 < Tachycek> and there would be great alarm if there was something suspicious about it :)
19:08 < Bushmills> it even includes firewall piercing :)
19:09 < Tachycek> ovpn is too big to have such features
19:09 < Tachycek> well it could have a backdoor
19:09 < Tachycek> but about that one can never be sure so i don't bother about it :)
19:12 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
19:13 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
19:24 < krzee> [16:37]  <Tachycek> Bushmills: do you know, if somethin should improve in the future about this?
19:24 < krzee> its in the wishlist
19:24 < krzee> its not likely any time remotely soon
19:25 < krzee> (nobody is working on it)
19:25 < krzee> and nobody with the skills desires to work on it
19:25 < krzee> it would be a HUGE undertaking
19:25 < krzee> !wishlist
19:25 <+vpnHelper> krzee: "wishlist" is http://ovpnforum.com/viewforum.php?f=10 for the openvpn wishlist
19:25 < krzee> feel free to read / comment on it there
19:28 < Tachycek> krzee: it is this one, right?
19:28 < Tachycek> http://ovpnforum.com/viewtopic.php?f=10&t=141&sid=bfa56cfa52df59923d167131d30591ce
19:28 <+vpnHelper> Title: OpenVPN Forum View topic - Idea for direct connections (at ovpnforum.com)
19:29 < Tachycek> I agree that it is really great deal to do it
19:32 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
19:33 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
19:35 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
19:36 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
19:40 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Operation timed out]
19:41 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
19:44 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
19:50 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Operation timed out]
19:51 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
19:56 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
20:14 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
20:15 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
20:23 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
20:28 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Operation timed out]
20:29 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
20:29 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
20:43 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Operation timed out]
20:44 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
21:04 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
21:05 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
21:16 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Remote host closed the connection]
21:16 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
21:24 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
21:25 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
21:46 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
21:47 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
22:09 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
22:09 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
22:21 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Operation timed out]
22:22 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
22:40 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
22:41 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
22:52 -!- tjz [~pc@bb116-14-173-251.singnet.com.sg] has joined ##openvpn
22:52 -!- tjz [~pc@bb116-14-173-251.singnet.com.sg] has quit [Changing host]
22:52 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
23:00 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
23:01 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
23:22 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
23:23 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
23:41 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
23:43 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
23:51 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Operation timed out]
23:51 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
--- Day changed Mon Aug 02 2010
00:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
00:12 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
00:13 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
00:33 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
00:34 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
00:41 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Ping timeout: 276 seconds]
01:22 < Qantourisc> Tachycek: download the source, read it, and compile yourself ?
01:22 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:23 < Qantourisc> http://openvpn.net/index.php/open-source/downloads.html
01:23 <+vpnHelper> Title: Downloads (at openvpn.net)
01:31 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
01:35 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
01:36 -!- SOG_ [~SOG@61.144.230.241] has joined ##openvpn
01:39 -!- SOG [~SOG@61.144.230.241] has quit [Read error: Operation timed out]
01:39 -!- SOG_ is now known as SOG
01:50 -!- SOG [~SOG@61.144.230.241] has quit [Quit: I will be back!]
01:56 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:56 -!- mode/##openvpn [+o mattock] by ChanServ
02:01 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
02:02 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
02:08 -!- takamichi [~pri@78.133.39.143] has joined ##openvpn
02:24 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:27 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Read error: Operation timed out]
02:28 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
02:29 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
02:29 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
02:35 -!- dazo_afk is now known as dazo
02:36 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
02:48 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
02:49 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
02:55 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Operation timed out]
02:56 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
03:04 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
03:15 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
03:16 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
03:18 < kraut> moin
03:36 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
03:36 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
03:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:56 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
03:57 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
04:09 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
04:13 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
04:16 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
04:16 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
04:17 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
04:39 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
04:40 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
04:58 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
04:59 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
05:10 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
05:18 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
05:19 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
05:27 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Operation timed out]
05:28 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
05:32 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has quit [Read error: Operation timed out]
05:35 -!- d12fk [~heiko@vpn.astaro.de] has joined ##openvpn
05:35 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Operation timed out]
05:36 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
05:40 -!- Blues-Man [~bluesman@95.239.112.84] has joined ##openvpn
05:55 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
05:56 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
06:00 -!- cpm_ [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:05 -!- Cain` [~Geek@unaffiliated/cain] has joined ##openvpn
06:06 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
06:06 -!- Cain` is now known as Cain
06:07 -!- sylar [~sylarrrr@bzq-79-177-48-232.red.bezeqint.net] has joined ##openvpn
06:08 < sylar> is there a conf with public/private RSA keys like in ssh-keys?
06:14 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
06:15 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
06:24 < sylar> unable to write random state?
06:26 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
06:28 < sylar> is openvpn package on debian also the client? (it say daemon in the comment)
06:29 < Bushmills> yes, it is
06:30 < Bushmills> only config determines what is client and what is server
06:30 < sylar> aha, ok
06:31 < sylar> Bushmills, I get this in the output when trying to do the ca stuff
06:31 < sylar> : "unable to write random state"
06:32 < Bushmills> find out why. permissions?
06:34 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
06:34 < sylar> its windows, and I am admin
06:34  * Bushmills googles that funny term "windows"
06:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:35 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
06:35 < sylar> well... if you can't beat them, join them
06:35 < sylar> its a time pressure thingy, can't move the other party to linux, before the deadline
06:35 < Bushmills> when they're beaten, you're joined the losers :)
06:36 < sylar> I am dancing in two weddings
06:36 < Bushmills> then you need someone more windows savvy than me
06:37 < sylar> k
06:37 < sylar> I'll lurk
06:38 < sylar> after it is done , what happens? I get another subnet, and IP, and can directly communicate with the remote computer, on that subnet?
06:38 < sylar> UDP + TCP and everything?
06:38 < Bushmills> right
06:38 < Bushmills> udp, tcp, icmp
06:38 -!- Netsplit *.net <-> *.split quits: fremo__, gorkhaan, Typone
06:39 < sylar> btw, is it possible to make the tunnel go on tcp 443?
06:39 < Bushmills> yes, it is
06:39 < sylar> pointer?
06:39 < Bushmills> man page
06:39 < sylar> k
06:39 -!- Netsplit over, joins: fremo__
06:39 < Bushmills> different prot, and different port
06:40 -!- macsppadic is now known as centresppadic
06:40 < sylar> which prot ssL?
06:40 < Bushmills> tcp
06:40 < Bushmills> !tcp
06:40 <+vpnHelper> Bushmills: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
06:41 < sylar> Bushmills, that reminds me, when it installed it installed zrtp miniport
06:42 < sylar> does it means that it use zrtp for voice chats?
06:42 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Read error: Connection reset by peer]
06:42 -!- Typone [~nnnnnnnit@195.197.184.87] has joined ##openvpn
06:42 < Bushmills> eh?
06:42 < Bushmills> what is "it"?
06:42 < sylar> it =openvpn
06:42 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
06:43 < Bushmills> openvpn creates a tunneled connection between two host. it does not do voice chats.  you can run voice chats, using apps of your choice, to make use of that tunnel
06:44 < sylar> ok, so waht is zrtp for?
06:44 < Bushmills> openvpn uses one single port
06:44 < Bushmills> which one, you determine
06:46 < Bushmills> http://en.wikipedia.org/wiki/ZRTP
06:46 <+vpnHelper> Title: ZRTP - Wikipedia, the free encyclopedia (at en.wikipedia.org)
06:46 < Bushmills> not related to openvon
06:46 < Bushmills> vpn
06:49 < sylar> yes that is the one. For some reason when I installed openvpn, windows asked me about installing an zrtp miniport driver which is not signed
06:51 < Bushmills> i don't have zrtp lib installed. openvpn doesn't care
06:51 < sylar> maybe widnows reinstalled an already existing driver ,, I never seen that happen before for other drivers
06:51 < sylar> k
06:52 < sylar> so it is probably zrtp related
06:52 < sylar> ie the zrtp I have caused it
06:53 < sylar> so what is the conclusion from that TCP over TCP is a bad idea? it won't work?
06:53 < sylar> And if I use UDP over TCP?
06:53 -!- gorkhaan [~gorkhaan@adsl-101-194.globonet.hu] has joined ##openvpn
06:54 < Bushmills> you can chose prot for the tunnel, but not for most network apps you intend to use
06:54 < Bushmills> using a webbrowser will result in tcp packets, whether you like it or not.
06:54 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
06:54 < sylar> I know. I have a voice chat prog that use UDP
06:55 < Bushmills> for streaming, tcp makes no sense
06:55 -!- Blues-Man [~bluesman@95.239.112.84] has quit [Remote host closed the connection]
06:55 < Bushmills> well, only little sense
06:55 < sylar> its for passing the firewall
06:55 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
06:55 < Bushmills> you skip errors, and don't correct them
06:56  * sylar compiles
06:56 < sylar> which error was skipped?
06:57 < sylar> ah streaming ok
06:57 < sylar> I thought you meant that I missed some point you made
06:58 < sylar> ok, thanks Bushmills , will go to try some stuff now
07:13 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:14 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
07:15 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
07:18 -!- _Tassadar [~tassadar@tassadar.xs4all.nl] has left ##openvpn []
07:31 -!- Tachycek [~tach@81.200.61.23] has quit [Read error: Connection reset by peer]
07:31 -!- Tachyx [~tach@81.200.61.23] has joined ##openvpn
07:33 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
07:34 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
07:40 -!- gorkhaan [~gorkhaan@adsl-101-194.globonet.hu] has quit [Quit: Távozom]
07:40 -!- gorkhaan [~gorkhaan@adsl-101-194.globonet.hu] has joined ##openvpn
07:56 -!- gorkhaan [~gorkhaan@adsl-101-194.globonet.hu] has quit [Read error: Connection reset by peer]
07:59 -!- takamichi [~pri@78.133.39.143] has quit [Ping timeout: 264 seconds]
07:59 -!- takamichi [~pri@78.133.14.166] has joined ##openvpn
08:01 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
08:02 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
08:21 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
08:22 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
08:23 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
08:23 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
08:29 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Ping timeout: 240 seconds]
08:31 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Operation timed out]
08:32 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
08:32 -!- mode/##openvpn [+o mattock] by ChanServ
08:38 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 276 seconds]
08:39 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has joined ##openvpn
08:42 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
08:48 -!- cpm_ is now known as cpm
08:54 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
09:00 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
09:23 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
09:26 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
09:27 < Bushmills> krzee: iphone jailbreak per web page:  http://www.jailbreakme.com
09:29 < Bushmills> supposed to work in these models: http://www.redmondpie.com/jailbreak-iphone-4-3gs-3g-on-ios-4-4.0.1-and-ipad-on-ios-3.2.1-with-jailbreakme/
09:29 <+vpnHelper> Title: Jailbreak iPhone 4, 3GS, 3G on iOS 4 / 4.0.1 and iPad on iOS 3.2.1 with JailbreakMe 2.0 | Redmond Pie (at www.redmondpie.com)
09:39 -!- dazo is now known as dazo_afk
09:39 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:49 -!- mjk64 [~mjk@p4FDAC8F2.dip.t-dialin.net] has joined ##openvpn
09:50 < mjk64> !welcome
09:50 <+vpnHelper> mjk64: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:50 < mjk64> !route
09:50 <+vpnHelper> mjk64: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:07 < sylar> is it possible to firewall the VPN?
10:08 < sylar> i.e. to decide which ports of the local network will have access, or will be accessed by the remote party?
10:09 < krzee> Bushmills, yup =
10:09 < krzee> =]
10:09 < krzee> im in the iphone devteam channel
10:09 < krzee> comex hangs in there
10:09 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
10:09 < krzee> but still thanx for the heads up
10:10 < Bushmills> old news for you
10:11 < krzee> actually no, it just came out and i look at this channel first
10:11 < krzee> i knew SOMETHING was coming
10:12 < krzee> but i did hear it from you first, then i looked at the topic there and saw it for second time ;)
10:12 -!- Tachyx [~tach@81.200.61.23] has quit [Read error: Connection reset by peer]
10:12 -!- Tachycek [~tach@81.200.61.23] has joined ##openvpn
10:14 -!- Tachyx [~tach@81.200.61.23] has joined ##openvpn
10:14 -!- Tachycek [~tach@81.200.61.23] has quit [Read error: Connection reset by peer]
10:15 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
10:26 -!- Tachyx [~tach@81.200.61.23] has quit [Read error: Connection reset by peer]
10:27 -!- Tachycek [~tach@81.200.61.23] has joined ##openvpn
10:28 -!- JeremyR [~JeremyR@c-67-166-100-177.hsd1.ut.comcast.net] has joined ##openvpn
10:30 < JeremyR> !welcome
10:30 <+vpnHelper> JeremyR: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:55 -!- Tachyx [~tach@81.200.61.23] has joined ##openvpn
10:55 -!- Tachycek [~tach@81.200.61.23] has quit [Read error: Connection reset by peer]
10:56 -!- Tachycek [~tach@81.200.61.23] has joined ##openvpn
10:56 -!- Tachyx [~tach@81.200.61.23] has quit [Read error: Connection reset by peer]
10:57 < krzee> anyone here have openvpn on autostart in osX?
10:58 < krzee> i tried to crontab a sh script @reboot, but it seems my 10.6.4 doesnt run cron on boot
10:58 < krzee> (which i consider to be extremely lame...)
10:58 < krzee> i know the other way, but it someone already did it i get to be extra lazy ;]
11:02 < hyper_ch> doesn't OSX not have upstart or init.rd scripts?
11:07 < ecrist> krzee: gimme a sec
11:07 < ecrist> http://www.secure-computing.net/wiki/index.php/Leopard_Static_Routes
11:07 <+vpnHelper> Title: Leopard Static Routes - Secure Computing Wiki (at www.secure-computing.net)
11:07 < ecrist> krzee ^^^^^
11:07 < ecrist> while you're not doing static routes, that tells you how to start something on boot
11:07 < ecrist> ala rc scripts
11:08 < ecrist> feel free to send beer. :)
11:09 < hyper_ch> beer? where?
11:09  * hyper_ch turns on the beer sensors
11:11 < Bushmills> krzee: try  @boot, not @reboot action in crontab
11:11 < hyper_ch> hi Bushmills
11:11 < Bushmills> grias di oida
11:11 < hyper_ch> what language is that?
11:12 < Bushmills> bavarian
11:12 < hyper_ch> you know bavarian?
11:12 < hyper_ch> ozopft is
11:12 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
11:12 < Bushmills> lets say i understand it
11:13 < hyper_ch> so you're not bavarian?
11:13 < Bushmills> nope
11:13 < hyper_ch> Ba-Wü?
11:13 < krzee> actually im also doing static routes ;)
11:13 < Bushmills> munich, ogau, kohlgrub
11:14 < krzee> currently in the same shell script that starts openvpn =]
11:14  * hyper_ch just wonders when Bavaria will leave the German Republic
11:14 < Bushmills>  but Ba-Wü too. not as long as bavaria.
11:14 < Bushmills> i'm rhineland-palatinate :)
11:15 < hyper_ch> hehehe :)
11:15 < hyper_ch> well, Ba-Wü will join Switzerland soon and Bavaria will leave the German Republic and become an own state....
11:15 < krzee> thanx ecrist 
11:16 < Bushmills> their laws have still provisions for capital punishment
11:16 < Bushmills> leftover of the dark ages, me seems
11:16 < hyper_ch> which? Bavarian?
11:16 < Bushmills> yes
11:17 < krzee> whats wrong with capital punishment?
11:17 < hyper_ch> if I'm not mistaken Bavaria still has a special status in the Grundgesetz with the option of leaving the BRD at their will
11:17 < Bushmills> that it is state policy murder
11:17 < hyper_ch> krzee: are you god?
11:17  * krzee petitions for refusing to read the manual to be a capital punishment worthy offense
11:18 < hyper_ch> hehehe
11:18 < hyper_ch> but then you couldn't RTFM anymore
11:18 < Bushmills> i'm in favor of capital punishment for everyone who demands it
11:18 < hyper_ch> Bushmills: it's called euthanasia
11:18 < krzee> i dunno bout your area, but many MANY people in usa prisons should just be killed
11:19 < Bushmills> i mean, for those who demand it to be applied to others
11:19 < hyper_ch> doesn't the US have one of the highest prisoner per capita quote world wide?
11:19 < hyper_ch> so much for the land of the brave and "free" :)
11:20 < hyper_ch> and I also wonder what the USes problem is with Iran
11:20 < krzee> hyper_ch, its all about $, which is BS
11:20 < krzee> (re: iran)
11:21 < krzee> as far as the prisoner situation... much of that is victimless crimes, which i dont believe should land people in jail, but my comment about capital punishment was more targeting the gangs that run the prisons in much of USA
11:21 < hyper_ch> well, I don't recall that Iran did any real thing to offend one of its neighbours.... achmadinechad talks a lot about it but I tend to think it's more for iran's population than real threads
11:21 < ecrist> np krzee 
11:22 < hyper_ch> krzee: victimless crimes?
11:22 < krzee> they kill tons of people with their own hands, and then tax payers pay for them to be in prison for life
11:22 < hyper_ch> maybe you shouldn't put them so long into prison :)
11:23 < hyper_ch> go, Pino, go... catch that annoying fly
11:23 < krzee> victimless crimes, as in drug related for a large portion
11:23 < hyper_ch> legalize drugs
11:23 < krzee> agreed
11:23 < hyper_ch> without black market of drugs
11:23 -!- centresppadic [~sonupunno@88.211.55.77] has quit [Quit: centresppadic]
11:23 < hyper_ch> there won't be so much a problem anymore
11:24 < hyper_ch> didn't you learn from the prohibition in the 20s?
11:24 < hyper_ch> or 30s or when was it?
11:24 < krzee> hey man i fully agree
11:25 < krzee> heres something interesting, since you mention the prohibition
11:25 < krzee> back then they knew that they couldnt ban substances like that without amending the constitution
11:25 < krzee> so they did amend it
11:25 < hyper_ch> well, I don't say you should be able to buy coke in a conveniant store.... but if your addicted, get it at a pharmacy for a reasonable price
11:25 < krzee> the current prohibition did not get an amendment, because they dont care so much about the constitution
11:26 < hyper_ch> the constitution is just there to keep the sheeples happy
11:26 < krzee> it used to be respected =/
11:26 < hyper_ch> there was a time when tortured was called tortured
11:26 < hyper_ch> and where not everyone was called a terrorist
11:27 < hyper_ch> and when people actually had freedoms
11:27 < krzee> yup
11:27 < hyper_ch> and I still think that introdcution of Miranda was a really great step to do... 
11:28 < krzee> i got arrested, they never read me my rights, nor did they have permission to search me... but nobody cared
11:28 -!- Doug1 [Doug@173.208.89.156] has joined ##openvpn
11:28 < Doug1> roar
11:28 < Doug1> o.O
11:28 -!- Doug1 is now known as Dougy
11:29 < hyper_ch> well, we finally get a "miranda" right in the new federal criminal procedure law coming in effect on 01.01.2011 and it will replace all state ones
11:33 < hyper_ch> krzee: isn't pot legalized in jamaica?
11:33 < krzee> dunno
11:34 < krzee> ive never been there
11:34 < krzee> i know they smoke it like its legal...
11:34 < hyper_ch> :)
11:34 < krzee> then again we did that in california and it was illegal ;)
11:34 < hyper_ch> hehehe
11:36 < krzee> ok time to test my openvpn startup
11:37  * hyper_ch presses all three thumbs of his
11:37 -!- krzee [~k@unaffiliated/krzee] has quit [Remote host closed the connection]
11:40 -!- JeremyR [~JeremyR@c-67-166-100-177.hsd1.ut.comcast.net] has quit [Ping timeout: 276 seconds]
11:47 < sylar> which cipher is the best?
11:47 -!- gorkhaan [~gorkhaan@adsl-101-194.globonet.hu] has joined ##openvpn
11:47 < Bushmills> define "best"
11:47 < sylar> most secure
11:48 < Bushmills> key length is probably the most important factor
11:49 < Bushmills> aes is pretty secure but not the fastest.  blowfish is fast and secure alternative
11:49 < sylar> what is the command on linux openvt?
11:50 < ecrist> what command?
11:50 < Bushmills> "the" command?   linux has many of them
11:50 < hyper_ch> truecrypt supports now the aes stuff in some i5 and i7 cpus
11:50 < hyper_ch> making them a lot faster with encryption
11:50 < sylar> I see I get as root openvpn completion
11:50 < hyper_ch> man the
11:51 < ecrist> man the bitches are hot in here.
11:51 < sylar> ok
11:51 < ecrist> man the snozzberries taste like snozzberries
11:51 < ecrist> man the winters get cold in Minnesota
11:52 < sylar> Is it noticable the speed of the cipher?
11:52 < sylar> I mean I am on P4 3Ghz
11:53 < sylar> I see there are 4 kinds of AES256
11:53 < sylar> which should I choose?
11:56 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
11:56 < krzee> works perfect
11:56 < krzee> thanx again ecrist =]
11:57 < krzee> pretty cool that you happened to have that on your wiki already
11:58 < krzee> !learn osxboot as http://www.secure-computing.net/wiki/index.php/Leopard_Static_Routes for how to run commands on boot in osX, you can change a single line in StaticRoutes file to make it start OpenVPN
11:58 <+vpnHelper> krzee: Joo got it.
11:59 < krzee> Bushmills, http://www.iphodroid.com/
11:59 <+vpnHelper> Title: IPHODROID Download and Install - iPhone with Android (at www.iphodroid.com)
12:00 < sylar> which of these is the most secure? AES-256 CBC OFB  CFB  or CFB8 ?
12:01 < krzee> depends on your definition of secure
12:01 < krzee> most common answer will likely be AES-256
12:02 < krzee> however there have been rumors of a backdoor in it inserted by us gov
12:02 < krzee> *shrug*
12:02 < krzee> i use the default, blowfish
12:02 < sylar> there are 4 types of AES 256
12:02 < sylar>  CBC OFB  CFB   CFB8
12:03 < krzee> ahh i misread the question
12:03 < sylar> k
12:05 < krzee> theres actually a paper from this month on AES
12:05 < krzee> http://eprint.iacr.org/2010/337.pdf
12:05 < krzee>  "Practical-Titled Attack on AES-128 Using Chosen-Text Relations"
12:05 < krzee> i dont have a good answer to your question tho
12:05 < krzee> and no, the info in that pdf does not mean AES is broken
12:06 < krzee> they still have a long way to go for that
12:09 < sylar> k
12:18 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
12:20 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
12:25 < Bushmills> man the harpunes
12:28 -!- JeremyR [~JeremyR@c-98-202-161-43.hsd1.ut.comcast.net] has joined ##openvpn
12:35 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
13:11 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
13:38 -!- PampersBomba [~bomba@unaffiliated/pampersbomba] has joined ##openvpn
13:38 < PampersBomba> hey guys
13:38 < PampersBomba> i have a little problem ;) i have setup a little openvpn with 3-4 clients. thats works fine, but all traffic goes over the server, client-to-client is on (sry for my bad english)
13:39 < Dougy> what do you want, direct connectivity between clients without going through the server?
13:39 < PampersBomba> yes
13:39 < Dougy> how do you expect that to work
13:39 < Dougy> the vpn is on the server
13:40 < Dougy> the traffic has to go through it
13:40 < PampersBomba> yes
13:41 < PampersBomba> http://pastebin.de/8766 thats my config
13:41 < Dougy> what im saying is
13:41 < Dougy> you cant do it without going through the server with openvpn
13:41 < PampersBomba> hmm .. i stil remember, that works without through the server
13:41 < PampersBomba> long time ago ;)
13:41 < Dougy> no its not possible
13:41 < Dougy> with openvpn
13:41 < PampersBomba> hmm okay
13:41 < Dougy> they are priatve ips
13:42 < Dougy> there is no physical way to connect to an external private ip like you want to
13:42 < Dougy> if you find it, please show me
13:42 < Dougy> a way to do it*
13:42 < PampersBomba> okay, i though, i build a "p2p-vpn"
13:42 < PampersBomba> with tinc-vpn it is possible? Automatic full mesh routing Regardless of how you set up the tinc daemons to connect to each other, VPN traffic is always (if possible) sent directly to the destination, without going through intermediate hops. 
13:44 < sylar> got an error on windows that it can't open the dh1024.pem but I have that file
13:44 < Dougy> path is wrong then
13:45 < krzee> !path
13:45 <+vpnHelper> krzee: "path" is always use full paths in your config file, it makes things easier
13:46 < Dougy> hi jeff
13:46 < krzee> hey there dougy
13:46 < krzee> how ya doin/
13:47 < sylar>  what path?
13:47 < sylar> should I put openvpn in the env var path?
13:47 < krzee> no
13:47 < krzee> your config file
13:47 < krzee> !path
13:47 <+vpnHelper> krzee: "path" is always use full paths in your config file, it makes things easier
13:47 < sylar> k
13:48 < krzee> !winpath
13:48 <+vpnHelper> krzee: "winpath" is (#1) Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key", or (#2) also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.: C:/Program Files/OpenVPN/config/foo.key (but surrounded by quotes)
13:49 < sylar> which keys should the client have? client.crt client.key client.csr and ca.crt??
13:50 -!- PampersBomba [~bomba@unaffiliated/pampersbomba] has left ##openvpn []
13:53 < sylar> load balancing? can I load balance with openvpn? is that full load balancing or one tcp session would go to one server and other to the other?
13:57 < sylar> what is the format for path in conf file?
13:57 < sylar> I did "path "c:/...""
13:57 < sylar> didn't work
13:57 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
13:59 < sylar> !winpath format
13:59 <+vpnHelper> sylar: Error: "winpath" is not a valid command.
13:59 < sylar> !winpath
13:59 <+vpnHelper> sylar: "winpath" is (#1) Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key", or (#2) also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.: C:/Program Files/OpenVPN/config/foo.key (but surrounded by quotes)
13:59 < Dougy> jeff, im ok
13:59 < Dougy> sorry
14:00 < Dougy> whats new
14:04 < sylar> ok, I put the full path in the file names, but still get error
14:05 < sylar> Cannot load certificate file c:/program files/openvpn/easy-rsa/keys/clientX1.crt: error:02001003:system library:fopen:No such process: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
14:06 < sylar> sorry, wrong hd
14:08 < sylar> didn't help, I still get the same error with the correct hd name
14:10 -!- elc0 [~elc0@12.68.11.2] has joined ##openvpn
14:11 < sylar> cert   "T:\\Program Files\\OpenVPN\\easy-rsa\\keys\\clientX1.crt"
14:11 < sylar> What is wrong with it ^ ?
14:11 < krzee> maybe the file isnt in that location...
14:11  * Dougy wavesto krzee
14:11 < Dougy> am back now
14:12 < elc0> I was thinking of scripting openvpn as sort of a heartbeat to verify the VPN gateway is up and listening.  Is this something openvpn should be able to do without too much work?  is there a much easier solution I am overlooking?
14:12 < krzee> elc0, i dont understand...
14:12 < krzee> couldnt you just netcat the udp port to see its open, or ping the vpn gateway via vpn address?
14:13 < elc0> krzee, I didnt want to rely on ping i guess since I want to make sure the client vpn connection is being accepted
14:14 < elc0> I am not familiar with netcat, I will have to look at that.  I need to do this from a remote machine though.
14:15 < sylar> is the password important?
14:15 < sylar> I did it on one machine with one password and copied the files to an other machine with a different password
14:18 < krzee> password on the key files? yes thats important
14:18 < krzee> elc0, i guess you could do it with openvpn if you want
14:19 < krzee> you could give the client an --up script which would report the vpn as working
14:19 < krzee> that same up script could kill the vpn after reporting it as working
14:20 < elc0> krzee, I just started looking into netcat.  that may work also.  I will have to play with it a bit.  I guess I could get away with knowing the VPN server is listening on the correct port
14:20 < elc0> if netcat is capable of telling me that
14:20 < krzee> yup
14:20 < krzee> thats basically all it is capable of
14:21 < krzee> but that wont work if you use --tls-auth
14:21 < krzee> because:
14:21 < elc0> hah.  Thanks :)
14:21 < krzee> !hmac
14:21 <+vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
14:21 <+vpnHelper> krzee: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
14:22 < elc0> krzee, thanks.  looks like I have a couple options.  openvpn method would work if --tls-auth was used?
14:22 < sylar> ok the server runs, the client have a problem
14:24 < krzee> elc0, yes
14:24 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Read error: Operation timed out]
14:27 < sylar> hello?
14:29 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:30 < krzee> sylar,
14:30 < krzee> !configs
14:30 <+vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
14:30 < krzee> !logs
14:30 <+vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
14:30 < Dougy> jeff, really? what about !all
14:30 < krzee> i dont want the rest
14:31 < Dougy> isnt !all just !config sand !logs?
14:31 < krzee> but thanx for the concern ;)
14:31 < krzee> no
14:31 < krzee> its also !interface
14:31 < Dougy> ah
14:31 < Dougy> so i need to ship you your server cuz the dc space is gone
14:31 < Dougy> once i can walk
14:32 < krzee> can walk!?
14:33 < Dougy> i had corrective surgery 7/6/
14:33 < Dougy> 7/6*
14:33 < Dougy> http://sphotos.ak.fbcdn.net/hphotos-ak-snc4/hs044.snc4/34571_1471539704205_1105017460_31434229_1196451_n.jpg
14:37 < krzee> fuck
14:37 < krzee> you alright?
14:38 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
14:39 < sylar> krzee, http://pastebin.com/im4mS5zH
14:39 < Dougy> yea
14:39 < Dougy> im fine
14:39 < Dougy> i just cant walk
14:40 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
14:40 < Dougy> i can walk on crutches now, and i can start putting weight august 17 but that shit dont come off till october
14:40 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
14:40 < sylar> krzee, I also have this error when generating the key: "unable to write 'random state'
14:44 < krzee> when generating the key...
14:45 < krzee> thats way earlier in the process than the other error...
14:47 < ecrist> hey Dougy, long time no see
14:47 < Dougy> howdy man
14:48 < ecrist> rough looking surgery, dude
14:48 < Dougy> ya 
14:48 < Dougy> its nasty shit
14:48 < Dougy> http://sphotos.ak.fbcdn.net/hphotos-ak-snc4/hs201.snc4/38404_1485304168308_1105017460_31469598_4959580_n.jpg
14:49 < Dougy> the big things that look like they going through my leg are part of the brace
14:49 < Dougy> but that screw is actually in me
14:49 < Dougy> http://sphotos.ak.fbcdn.net/hphotos-ak-ash2/hs028.ash2/34765_1485355049580_1105017460_31469739_8217636_n.jpg and then you can see what they did to my bones on the left
15:16 -!- mjk64 [~mjk@p4FDAC8F2.dip.t-dialin.net] has quit [Quit: leaving]
15:25 < sylar> it say it can't load the cert file
15:25 < sylar> when the path was wrong it said can't open
15:26 < sylar> hmm
15:26 < sylar> changed the path , it still say can't load
15:26 < sylar> crap
15:27 < sylar> ah, in the rest of the error message it say can't open
15:27 < sylar> ok
15:28 < sylar> now with the right path it say:
15:28 < sylar> error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
15:29 < sylar> I think the error is: "no start line"
15:29 < sylar> it hate my client crt?
15:30 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 240 seconds]
15:32 < sylar> the crt file is empty
15:33 < sylar> why is it empty?
15:34 < krzee> lol
15:34 < krzee> because it was not correctly made
15:34 < krzee> !pki
15:34 <+vpnHelper> krzee: "pki" is http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs)
15:34 < sylar> I made it according to these instructions
15:36 < sylar> build-key keyname
15:36 < sylar> and follow the rest
15:36 < sylar> it isn't so difficult
15:36 < krzee> did you source vars file first?
15:36 < sylar> I;ll do it agan
15:37 < krzee> ya, start over on your PKI
15:37 < sylar> sourced vars, still 0bytes
15:38 < sylar> what to do? vars clean-all?
15:38 < sylar> and then build-key client?
15:39 < sylar> did it, now it created only csr, and key, and no crt
15:40 < sylar> again it create only that.. maybe build-ca?
15:41 < krzee> follow the instructions until there are no more
15:41 < sylar> I thought for client I just need the server crt no?
15:41 < sylar> k
15:42 < krzee> you cant possibly make a crt without a ca
15:42 < krzee> since a crt is a csr, signed by the ca key
15:46 < krzee> oh and btw, you want to follow the directions IN ORDER
15:46 < sylar> oh, now it works
15:46 < sylar> now I'll test
15:47 < sylar> I did, and created the keys on the server
15:47 < sylar> the server work
15:47 < sylar> hmmm
15:47 < sylar> it should have a ca
15:47 < sylar> now I created it again on the client
15:47 < krzee> lol
15:47 < krzee> you need to create them on the same box
15:48 < krzee> because they need to be made with the same ca
15:48 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
15:48 < krzee> aka, follow the instructions completely and in order... not skipping around on different machines
15:48 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
15:50 < sylar> aha
15:51 < sylar> I guess I didn't understand fully that "The answer is ostensibly yes. In the example above, for the sake of brevity, we generated all private keys in the same place. With a bit more effort, we could have done this differently. For example, instead of generating the client certificate and keys on the server, we could have had the client generate its own private key locally, and then submit a Certificate Signing Request (CSR) to the ke
15:51 < sylar> y-signing machine. In turn, the key-signing machine could have processed the CSR and returned a signed certificate to the client. This could have been done without ever requiring that a secret .key file leave the hard drive of the machine on which it was generated"
15:54 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.8/20100722155716]]
15:56 < sylar> In the client I don't see an 10.8.x.x IP
15:58 < krzee> ya, dont try that advanced stuff until you understand what it going on
15:59 -!- elc0 [~elc0@12.68.11.2] has quit []
15:59 < krzee> remote 10.0.0.103 1194
15:59 < krzee> these machines are already on the same lan?
15:59 < krzee> also, you didnt paste the server config
16:00 < krzee> Dougy, wtf happened to your leg man?
16:01 < sylar> krzee, yes they are on the same lan
16:01 < sylar> krzee, it is a test
16:01 < Dougy> krzee
16:01 < Dougy> birth defect
16:02 < krzee> damn dude
16:02 < krzee> sylar, still waiting on server config
16:02 < sylar> o
16:04 < sylar> http://pastebin.com/f7MptRJx
16:04 < sylar> krzee, ^
16:05 < krzee> i see you have ipp.txt...
16:05 < krzee> make sure you know this:
16:05 < krzee> !ipp
16:05 <+vpnHelper> krzee: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
16:05 < krzee> your server doesnt have a key entry
16:08 < sylar> key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\server.key" 
16:09 < krzee> it wasnt in the pastebin
16:09 < sylar> krzee, I have key, it was just removed by the grep
16:10 < krzee> windows has grep?
16:11 < Bushmills> grep removes files?
16:11 < krzee> the line from the config ;]
16:11 < sylar> http://pastebin.com/vQyHRxmF
16:11 < sylar> yes, i did with cigwin
16:11 < sylar> but I remvoed #
16:11 < sylar> and that line had a #
16:12 < krzee> ahh, had you used my grep in !configs it wouldnt have ;)
16:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
16:12 < krzee> since the ^ before it says only lines STARTING with #
16:13 < sylar> yea, I forgot the ^
16:14 < sylar> ping 10.8.0.1 timeout
16:15 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:15 < sylar> the window gui on client has a yellow color
16:16 < Bushmills> that might look nice with a blue background
16:16 < sylar> Tue Aug 03 00:15:35 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
16:17 < krzee> !logs
16:17 <+vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
16:19 < sylar> http://pastebin.com/EDjXEDs8
16:19 < sylar> krzee, 
16:19 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined ##openvpn
16:20 < krzee> ok thats 1 of them...
16:20 < krzee> and the other...?
16:20 < krzee> also you may notice !logs says verb set to 5
16:20 < grendal_prime> hey guys.  im managing another openvpn server.  On this particular box it has been a practice to remove keys from the box for users that should not be able to connect anymore. is this ok or is there some sort of drawback to not "revoking" them through the normal process?
16:21 < sylar> http://pastebin.com/W2BxizgV
16:21 < sylar> krzee, ^ server
16:21 < sylar> krzee, the first was the client
16:24 < sylar> ok, ill change it
16:25 < krzee> grendal_prime, yes there is a big drawback...
16:25 < krzee> it wont do ANYTHING
16:25 < krzee> lol
16:25 < krzee> grendal_prime, the server doesnt check for client certs locally whatsoever
16:25 < krzee> it checks that their cert was signed by the same ca.key as the ca.cert it has in its config
16:26 < krzee> so removing some file locally will do NOTHING
16:26 < krzee> you must add it to a CRL
16:26 < krzee> sylar, your problem is your certs
16:26 < krzee> you likely didnt replace the ca.crt file on 1 side
16:27 < krzee> when you rebuilt the certs, you needed to rebuild the ENTIRE pki
16:27 < krzee> not just 1 side
16:27 < sylar> but the server side works
16:27 < sylar> why to rebuild it?
16:27 < krzee> LOL
16:28 < krzee> because you dont understand PKI
16:28 < sylar> so lets see
16:28 < krzee> basically for the reason i just gave to grendal_prime 
16:28 < sylar> there is a CA on the serverf
16:28 < krzee> but in slightly different context
16:28 < sylar> I generate some client keys there
16:29 < sylar> it sign it with its CA key, right?
16:29 < sylar> then I give it to the client, and it use it to respond to chalenges?
16:29 < sylar> right?
16:30 < sylar> hmm
16:31 < krzee> when the client connects to the server, each checks that the other was signed by the ca that the side has in its config
16:31 < krzee> so the server checks the client was signed by its ca
16:31 < krzee> the client checks the server was signed by its ca
16:31 < krzee> this is why they must have the same ca
16:32 < krzee> aka, follow the directions!
16:32 < grendal_prime> i was wondering
16:32 < grendal_prime> seemed a little odd them doing this
16:33 < krzee> hehe yup
16:37 < grendal_prime> alright well that means some more work fo me.
16:37 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Read error: Connection reset by peer]
16:41 < sylar> connected
16:42 < sylar> thanks krzee 
16:42 < krzee> yw
16:42 < sylar> seems like I made the keys and ca on both PCs
16:42 < krzee> yup
16:43 < sylar> why ping doesn't work?
16:44 < krzee> !logs
16:44 <+vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
16:44 < krzee> what are you pinging?
16:45 < sylar> I ping 10.8.0.1 from the client
16:46 < sylar> I see in IP config that there is no default gateway the 10.8.0.5 ip
16:46 < krzee> .5 IS the gateway
16:46 < krzee> .6 is the client IP
16:46 < krzee> try disabling the windows firewall for testing
16:47 < krzee> if thats the problem, disable it just for the tap adapter
16:47 < sylar> right, .6 is the IP .5 is the dhcp, no gateway
16:47 < krzee> you plan on doing:
16:47 < krzee> !logs
16:47 <+vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
16:47 < krzee> ?
16:49 < sylar> ok
16:50 < Dougy> bored
16:52 < sylar> ok, it was the firewall
16:52 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
16:53 < sylar> ok, it is good
16:53 < sylar> thanks again krzee 
16:53 < krzee> yw again =]
16:54 < sylar> :)
16:59 < Dougy> m
16:59 < Dougy> hm
17:00 < krzee> Dougy, you arent gunna do colos anymore./
17:00 < krzee> ?
17:01 < Dougy> i might, dont know yet
17:01 < Dougy> probably not for a long itme
17:01 < Dougy> hey jeff, what browser do you use
17:01 < krzee> opera
17:01 < Dougy> how does www.zoomvps.com look
17:01 < Dougy> is it distorted
17:02 < krzee> ahh, still gunna do vps?
17:02 < Dougy> yeasir
17:02 < Dougy> thats brand new site launched about 6hrsago
17:02 < Dougy> hows itlook
17:02 < krzee> looks good
17:02 < Dougy> the jquery is nice
17:03 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
17:09 -!- sylar [~sylarrrr@bzq-79-177-48-232.red.bezeqint.net] has quit [Ping timeout: 276 seconds]
17:28 < Dougy> http://www.reagan.com/emailintro.htm
17:28 <+vpnHelper> Title: Reagan Email | Conservative Email Service by Reagan.com (at www.reagan.com)
17:39 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
18:04 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
18:05 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 260 seconds]
18:08 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
18:14 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
18:14 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
18:22 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 276 seconds]
18:26 -!- JeremyR [~JeremyR@c-98-202-161-43.hsd1.ut.comcast.net] has quit [Quit: Leaving]
18:29 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
18:33 -!- Tachycek [~tach@81.200.61.23] has quit [Read error: Connection reset by peer]
18:33 -!- Tachycek [~tach@81.200.61.23] has joined ##openvpn
18:34 -!- EmperorTom [~Emperor@184-97-178-149.mpls.qwest.net] has quit [Ping timeout: 260 seconds]
18:34 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 240 seconds]
18:36 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
18:43 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 240 seconds]
18:46 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
19:06 -!- bewst [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has joined ##openvpn
19:08 < bewst> I can't get my openvpn server to even hear my client knocking to get in (the output is silent when run un-daemonized after startup).  What's my next step?
19:09 < krzee> check your firewall on your server
19:09 < krzee> if it is behind a NAT, check the port forwarding
19:09 < krzee> check the protocol/port match on both
19:10 < bewst> krzee: I checked all that, thanx.
19:10 < bewst> krzee: except maybe "protocol/port match" because I don't know what you mean by that
19:10 < krzee> a, in the firewall/NAT
19:10 < krzee> b, in the configs
19:11 < bewst> krzee, yeah, they match
19:11 < bewst> I even have the NAT forwarding UDP and TCP for all those ports, just to be sure
19:11 < krzee> if you are connecting to the right IP/proto/port, then your server either has a firewall blocking or is behind a NAT without the port/proto forwarded correctly
19:11 < krzee> period.
19:12 < bewst> krzee, makes sense.  I'll look harder
19:13 < bewst> krzee, is there any test I can do with telnet that would be instructive?
19:13 < krzee> nope
19:13 < bewst> okey
19:13 < krzee> your server log will see it connecting when you dont have the problem anymore
19:13 < bewst> krzee unless there's something else wrong on the client or server end :-)
19:14 < bewst> krzee: Hm, I have lots of ports forwarded.  It's just 1194 that we care about, right?
19:15 < krzee> well that actually IS another option... your client's ISP could be blocking that port outbound
19:15 < bewst> krzee: I mean, with the default config
19:15 < krzee> only the port you use in your config
19:15 < krzee> there is no default config
19:15 < bewst> krzee, OK
19:15 < krzee> but there is a default port
19:15 < krzee> if you dont specify anything, it would use 1194 udp
19:16 < bewst> well, it doesn't even work when connecting via LAN, so probably not the ISP blocking anything
19:16 < krzee> and ya, only 1 port matters
19:16 < krzee> then its the server
19:16 < krzee> firewall on the server
19:16 < krzee> that limits the problems down to 1
19:19 < bewst> Duh!  Having all those ports forwarded distracted from the fact that the right one wasn't forwarded.
19:20 < krzee> ;]
19:20 < krzee> that still shouldnt have made this true:   
19:20 < krzee> <bewst> well, it doesn't even work when connecting via LAN, so probably not the ISP blocking anything
19:21 < krzee> in the lan = no port forwarding being used
19:22 < bewst> Now having other issues.  Tunnelblick started spewing and is now unresponsive
19:22 < bewst> krzee, oh, better get outside the lan then :-)
19:24 < krzee> i dont bother with tunnelblick
19:24 < krzee> im still confused why people do
19:24 < krzee> is a gui really that important to people!?
19:25 < krzee> i start my osx vpn via clicking a .command in my stacks
19:25 < bewst> krzee: I did it because that's what the openvpn site tells me to use for MacOSX
19:25 < krzee> i close it by closing the command window (in the vpns which i choose to be closable)
19:25 < bewst> krzee: stacks?
19:25 < krzee> osx stacks are the directories at the bottom right, by the garbage
19:26 < krzee> you click the dir, it expands and you can clicks one of the contents
19:26 < krzee> if you name a shell script with .command it becomes clickable to run in osX
19:26 < krzee> and you can run openvpn via commandline without tunnelblick or viscosity
19:27 < krzee> if you so choose
19:27 < bewst> krzee: but how do you install it?
19:27 < krzee> via source, or from macports
19:27 < krzee> if you have macports, it would be:
19:27 < krzee> sudo port install openvpn2
19:27 < krzee> it grabs the dependancies, compiles, and installs
19:28 < bewst> Oh, yeah, I could do that. 
19:28 < bewst> but I've got blick installed so unless there's something wrong with it I'll use it for the time being
19:29 < krzee> whichever you like
19:29 < krzee> but you did say it crashed on you
19:29 < krzee> if it continues to, you may decide to ditch it
19:29 < krzee> now you know the alternatives =]
19:31 < bewst> krzee: I don't think I said it crashed
19:31 < krzee> oh ok
19:31 < bewst> Still not working though: http://gist.github.com/505584#file_open_vpn%20server%20log  and http://gist.github.com/505584#file_open_vpn%20client%20log
19:31 <+vpnHelper> Title: gist: 505584 - GitHub (at gist.github.com)
19:31 < krzee> [17:23]  <bewst> Now having other issues.  Tunnelblick started spewing and is now unresponsive
19:31 < krzee> i read unresponsive as crashed
19:32 < bewst> krzee: no, just couldn't get into the UI
19:32 < bewst> krzee: I killed it instead
19:32 < krzee> i call that a crash
19:32 < krzee> ui unresponsive, fix is to forcibly kill
19:34 < bewst> krzee: OK.  Could you have a look at those logs?
19:34 < krzee> solaris...?
19:34 < krzee> what OS is server and what OS is client?
19:34 < krzee> and what versions of openvpn on each
19:35 < bewst> client=OSX server=opensolaris
19:35 < bewst> versions at top of each log: client 2.1.1 server 2.0.9
19:36 < bewst> I can shorten those logs; everything repeats
19:36 < bewst> Let me post a more manageable gist
19:37 < krzee> on the one that claims to be client log in url
19:37 < krzee> OpenVPN 2.0.9 i386-pc-solaris2.8
19:37 < krzee> that is old as sin
19:37 < krzee> 3 yrs old
19:37 < krzee> update it
19:38 < bewst> krzee: was afraid you'd say that.  OK, getting openvpn on OSOL is a bit of a trial, but I'll give it a shot
19:39 < krzee> should compile just fine
19:39 < bewst> Hah, we'll see
19:39 < bewst> that's not what THE GOOGLE tells me
19:40 < bewst> btw, I think the old one really is the one that claims to be the server.  In case it matters.  Look again
19:40 < krzee> weird, you're right
19:41 < krzee> i must be goin nuts
19:41 < krzee> thats actually a good thing
19:41 < krzee> server is acting weird, server is a 3 yr old version
19:41 < krzee> maybe it wont act weird after you update it =]
19:43 < krzee> oh i see what was messing me up
19:43 < krzee> both are on each post
19:43 < krzee> so i was looking at url in address bar  saying client while reading the config of server
20:11 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
20:32 -!- tjz [~pc@unaffiliated/tjz] has quit [Read error: Connection reset by peer]
20:36 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
20:37 -!- tjz [~pc@bb116-14-173-172.singnet.com.sg] has joined ##openvpn
20:37 -!- tjz [~pc@bb116-14-173-172.singnet.com.sg] has quit [Changing host]
20:37 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:39 -!- manchot [~tux@d9c58098-954c-495b-b18d-3f80a19a01be.static.grokthis.net] has joined ##openvpn
20:41 < manchot> I connected to the VPN server ( a new setup), I can ping 10.8.0.1, but I can't access any other IP or domain name. 
20:42 < manchot> the log file is in here    http://pastebin.com/mf1gHy8e
20:43 -!- Dougy [Doug@173.208.89.156] has quit []
20:44 < krzee> manchot, 
20:44 < krzee> !goal
20:44 <+vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
20:45 < manchot> krzee, my bad. I want to tunnel the traffic through that VPN to access the Internet
20:46 < krzee> ahh
20:46 < krzee> !redirect
20:46 <+vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
20:46 < manchot> I see. 
20:47 < manchot> krzee, can you also look at the log file, it says "unroutable control package from .." 
20:47 < manchot> does this TLS error matter?
20:47 < manchot> !def1
20:47 <+vpnHelper> manchot: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
20:48 < manchot> !man
20:48 <+vpnHelper> manchot: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
20:49 < manchot> !ipforward
20:49 <+vpnHelper> manchot: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
20:50 < manchot> !linipforward
20:50 <+vpnHelper> manchot: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
20:52 < manchot> krzee, is reading factoids like this allowed in the server? 
20:52 < krzee> !factoids
20:52 <+vpnHelper> krzee: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
20:52 < krzee> like that?
20:52 < manchot> yes
20:52 < krzee> cool =]
20:53 < manchot> if I do too many factoids, is it allowed? 
20:53 < krzee> doesnt bother me...
20:53 < krzee> especially with the fact that you're the only one looking for help right now
20:53 < manchot> krzee, thank you for your help. 
20:53 < krzee> yw
20:54 < manchot> !nat
20:54 <+vpnHelper> manchot: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
20:55 < manchot> !linnat
20:55 <+vpnHelper> manchot: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
20:55 < krzee> !lannat
20:56 <+vpnHelper> krzee: Error: "lannat" is not a valid command.
20:58 < krzee> hehe
20:58 < krzee> !ping
20:58 <+vpnHelper> pong
21:00 < manchot> krzee, it is easy to set up LAN access, but I think I need some extra work on Internet access. 
21:03 < krzee> just a NAT rule, a config option, and enabling ip forwarding
21:03 < krzee> hell, that's arguably easier than lans
21:05 < manchot> krzee, I just did echo 1 > /proc/sys/net/ipv4/ip_forward
21:06 < manchot> !linnat
21:06 <+vpnHelper> manchot: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
21:06 < manchot> shall I just copy the NAT rule listed above? #1
21:07 < krzee> are you using 10.8.0.0 in your server config option?
21:07 < krzee> is eth0 your internet device?
21:07 < manchot> yes
21:07 < manchot> yes
21:07 < krzee> yes
21:07 < manchot> and I put --redirect-gateway  in the conf file on the server side?
21:07 < manchot> how can I enable --redirect-gateway  option?
21:08 < krzee> as long as you push it
21:08 < krzee> you either put redirect-gateway def1 in the client
21:08 < manchot> push?
21:08 < krzee> or push "redirect-gateway def1" in the server
21:08 < krzee> !push
21:08 <+vpnHelper> krzee: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
21:10 < manchot> I don't hav push installed, is it package "ussp-push"?
21:12 < manchot> ok, I found it. heimdal-clients:
21:12 < krzee> its a config option
21:12 < krzee> !man
21:12 < krzee> see --push
21:12 <+vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
21:13 < manchot> I see. so I can just put    push "redirect-gateway def1"  into the server config?
21:17 < krzee> correct
21:19 -!- manchot1 [~tux@static.219.254.63.178.clients.your-server.de] has joined ##openvpn
21:20 -!- manchot2 [~tux@static.219.254.63.178.clients.your-server.de] has joined ##openvpn
21:21 -!- manchot [~tux@d9c58098-954c-495b-b18d-3f80a19a01be.static.grokthis.net] has quit [Ping timeout: 258 seconds]
21:21 -!- manchot2 is now known as manchot
21:21 < manchot> krzee, now I am using my VPN
21:22 < krzee> =]
21:22 < krzee> good job
21:22 < krzee> bbiaf, getting out of work
21:22 < krzee> ill be back as krzie
21:22 < manchot> OK. Thank you again..... 
21:26 -!- manchot1 [~tux@static.219.254.63.178.clients.your-server.de] has quit [Quit: 暂离]
21:34 -!- manchot [~tux@static.219.254.63.178.clients.your-server.de] has quit [Ping timeout: 260 seconds]
21:36 -!- manchot [~tux@d9c58098-954c-495b-b18d-3f80a19a01be.static.grokthis.net] has joined ##openvpn
21:38 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 260 seconds]
21:39 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Ping timeout: 265 seconds]
21:41 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
21:41 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
21:45 < oc80z> hullo
21:50 -!- bewst [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has quit [Quit: Leaving.]
22:04 -!- plum [~chatzilla@cpe-75-82-165-93.socal.res.rr.com] has joined ##openvpn
22:04 < plum> !welcome
22:04 <+vpnHelper> plum: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
22:05 < plum> !goal
22:05 <+vpnHelper> plum: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
22:06 < plum> I want a secure connection that I can access from my Android phone for VNC and remote file management, and to be able to access the internet over my vpn
22:07 < plum> !howto
22:07 <+vpnHelper> plum: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
22:11 -!- jwm [jwm@dev.dist.us] has quit [Ping timeout: 245 seconds]
22:18 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Ping timeout: 265 seconds]
22:18 -!- jwm [jwm@dev.dist.us] has joined ##openvpn
22:18 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
22:25 < Bushmills> !redirect
22:25 <+vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
22:27 -!- manchot [~tux@d9c58098-954c-495b-b18d-3f80a19a01be.static.grokthis.net] has quit [Ping timeout: 245 seconds]
22:43 -!- plum [~chatzilla@cpe-75-82-165-93.socal.res.rr.com] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.8/20100722155716]]
22:53 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Ping timeout: 276 seconds]
23:16 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
23:16 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
23:17 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
23:53 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
23:53 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
--- Day changed Tue Aug 03 2010
00:23 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
00:24 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
00:32 -!- dazo_afk is now known as dazo
00:44 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
00:45 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
01:01 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:04 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
01:05 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
01:28 -!- gorkhaan [~gorkhaan@adsl-101-194.globonet.hu] has quit [Read error: Connection reset by peer]
01:31 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
01:31 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:31 -!- mode/##openvpn [+o mattock] by ChanServ
01:32 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
02:21 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Quit: Quitte]
02:33 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
02:34 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
02:39 -!- nardul [~kse@212.37.141.188] has joined ##openvpn
02:43 < nardul> Morning. Is there a way to publish a metric when pushing a route?
02:53 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
02:54 < nardul> That is, giving a specific route a metric when pushed from the server
02:55 < Fiouz> yes, you can
02:55 < Fiouz> push "route xxx 255.255.255.248 vpn_gateway 2"
02:55 < Fiouz> 2 being the metric
02:57 < Fiouz> however I remember having trouble with the iroute directive: didn't cope well with metric
02:57 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
02:57 < hyper_ch> what is that metric for'
02:57 < hyper_ch> ?
02:58 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
02:59 < Fiouz> it's like route priorities
03:00 < hyper_ch> ah
03:02 < Fiouz> http://en.wikipedia.org/wiki/Routing#Comparison_of_routing_algorithms
03:02 <+vpnHelper> Title: Routing - Wikipedia, the free encyclopedia (at en.wikipedia.org)
03:02 < nardul> Fiouz, If i wrote vpn_gateway i got a route error. So i wrote (push "route-metric 100") instead. This worked
03:03 < Fiouz> yeah, route-metric sets the default route, that was what I used to workaround the iroute problem I had
03:03 < Fiouz> default metric*
03:04 < Fiouz> I think I added that for the vpn_gateway error: push "route-gateway A.B.C.D" where A.B.C.D is the server VPN IP
03:06 < Fiouz> might be because I have a subnet typology
03:06 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Operation timed out]
03:06 < nardul> Fiouz, It's not perfect, i would like to control all metrics. But it'll do. If i try adding (push "route 10.0.0.0 255.255.255.0. 10.1.1.1 20") it fails with Aug  3 10:04:07 kse openvpn[16582]: ERROR: Linux route add command failed: external program exited with error status: 7
03:07 < Fiouz> you have an extra dot (.)
03:07 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
03:13 < nardul> Fiouz, It wasn't that, i retyped this where, didn't copy paste.
03:14 < Fiouz> ok, AFAIC, I use iproute2 instead of the old ifconfig/route commands
03:16 < Fiouz> (I think it's a compilation directive)
03:16 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Quit: rebooting]
03:30 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
03:33 -!- oo [~oo@dsl-207-112-56-186.tor.primus.ca] has joined ##openvpn
03:36 -!- oo [~oo@dsl-207-112-56-186.tor.primus.ca] has left ##openvpn []
03:37 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:46 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
03:47 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has left ##openvpn []
03:58 -!- cherva [~cherva@93.152.158.160] has joined ##openvpn
04:01 < cherva> if I have a openvpn network with ip 10.8.0.0/24 ( the server is on 10.8.0.1 ) if I add push "route 10.8.0.0 255.255.255.0 " to the conf file will this make all the clients have their gateway for 10.8.0.0 to be 10.8.0.1
04:08 < Fiouz> usually yes, unless you don't use the server helper directive and don't specify push "route-gateway ..."
04:21 -!- takamichi [~pri@78.133.14.166] has quit []
04:27 < cherva> Fiouz, thanks ... can you tell me is there a GUI that I can monitor who is connected to the vpn and his ip-address ... like in hamachi ?
04:27 < cherva> or I have to write a program that parses the log files and shows the info
04:28 < Fiouz> using the "status" option is simpler than parsing the logs
04:29 < Fiouz> !status
04:29 <+vpnHelper> Fiouz: Error: "status" is not a valid command.
04:29 < Fiouz> --status file [n] Write operational status to file every n seconds.
04:31 < Fiouz> it's not a GUI but it's understandable enough
04:31 -!- peepingtom [~oo@dsl-207-112-56-186.tor.primus.ca] has joined ##openvpn
04:32 -!- takamichi [~pri@78.133.14.166] has joined ##openvpn
04:32 -!- redirectsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
04:46 < cherva> Fiouz, thanks again
04:54 < Fiouz> :)
05:09 < Bushmills> cherva: --status file
05:09 < Bushmills> show that file in an updating file viewer
05:09 < cherva> Bushmills, thanks I found if in the manual
05:10 < cherva> it*
05:10 < Bushmills> oh, right. seeing that status was hinted to you already
05:36 -!- SOG [~SOG@61.144.230.241] has quit [Ping timeout: 240 seconds]
05:42 -!- peepingtom [~oo@dsl-207-112-56-186.tor.primus.ca] has quit [Quit: Lost terminal]
06:06 -!- Cain` [~Geek@41.141.252.98] has joined ##openvpn
06:06 -!- Cain` [~Geek@41.141.252.98] has quit [Changing host]
06:06 -!- Cain` [~Geek@unaffiliated/cain] has joined ##openvpn
06:07 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
06:07 -!- Cain` is now known as Cain
06:12 -!- sylar [~sylarrrr@bzq-79-177-48-232.red.bezeqint.net] has joined ##openvpn
06:15 < cherva> can I revoke certificates with pkitool ?
06:19 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined ##openvpn
06:19 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
06:19 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:24 < cherva> hmm I got it... i need revoke-full but why do I need to distribute the file to the other systems ? 
06:48 -!- bewst [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has joined ##openvpn
07:04 -!- benomatic [~ben@5353CE36.cable.casema.nl] has joined ##openvpn
07:04 < benomatic> i have been reading through openvpn man page, and trying all sort of variations, but can get nothing to work so far.  Is there a portable variant (ie, works in win) for this:
07:05 < benomatic> route-delay 2
07:05 < benomatic> route-up "/bin/sh -c '/sbin/route change default $route_net_gateway; /sbin/route add -net 209.150.224.0/24 $route_vpn_gateway'"
07:05 < benomatic> for basic split routing, plus a single after-the-fact static route addition
07:05 < benomatic> (client side conf, btw)
07:09 < sylar> say, how does proxy work?
07:09 < sylar> do I keep the server on UDP, and just set the proxy on the client?
07:12 -!- duke- [sb@red.cubewerk.de] has joined ##openvpn
07:12 < duke-> hi folks, what's the difference between the community openvpn-client and the one on the webpage as a .msi package?
07:13 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
07:14 -!- nardul [~kse@212.37.141.188] has quit [Quit: Leaving]
07:17 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
07:18 < sylar> why does the openvpn server need to be restarted after change of the dynamic IP address?
07:28 -!- duke- [sb@red.cubewerk.de] has left ##openvpn []
07:35 < ecrist> good morning, kids.
07:35 -!- Irssi: ##openvpn: Total of 93 nicks [4 ops, 0 halfops, 1 voices, 88 normal]
07:36 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
07:36 -!- sylar [~sylarrrr@bzq-79-177-48-232.red.bezeqint.net] has quit [Ping timeout: 276 seconds]
07:49 -!- readmanr [~Robert@static-87-102-39-78.karoo.KCOM.COM] has joined ##openvpn
07:50 < benomatic> btw, should i have used pastebin for that 2-line bit?  (i considered, and rejected, but saw the info thing afterward.)
07:52 < ecrist> benomatic: no, you were fine
07:52 < ecrist> we mostly try to avoid the nasty ones
07:52 < benomatic> yeah, if more than 3-4 i usually pastebin, but thought it a bit silly.
07:52 < ecrist> it's one of those things where, if we say 5 lines is ok, then someone pastes 6, because it's close to 5
07:53 < benomatic> heh.  indeed.  i always try to use "good judgement"... whatever that means :)
07:53 < ecrist> this way, we can say policy is 0, so die!
07:54 < benomatic> is that openvpn forum really the place to go?  all my searches either yield "your term is too damned frequent", a la 'route', or 0 hits.  and i wouldn't think that client-side split routing would be so strange a topic.
07:55 < ecrist> yes, it is.
07:56 < ecrist> there aren't that many posts, yet, to be honest.
07:57 < benomatic> ah, so it's new i take it
07:57 < ecrist> relatively
07:58 < havoc> "split routing"?
07:59 < benomatic> dunno what else to call it.  my server reset default gateway.  i don't want it to.  i always think of split horizon dns, and abuse the term split.
07:59 < benomatic> if i had control over the server conf, i'm pretty sure this would be a trivial change.  but i don't.
07:59 < ecrist> benomatic: you can reset push in a client config
08:00 < havoc> yeah, the default gateway is on the client, not the server
08:00 < havoc> i.e. you have control on the client side
08:01 < benomatic> i haven't figured out how to prevent it from setting the gateway w/o also failing to set all the needed route info.  i never thought it would be so tricky, so i assume my skull is simply impenetrable, or that i'm not reading/googling the right things.
08:04 < havoc> you basically want to ignore the "push redir-gateway" I think
08:04 < ecrist> search the man page for push-reset
08:04 < havoc> ecrist: you know if it's possible to ignore a specific "push" in the client config?
08:04 < ecrist> no, iirc, it's all or nothing
08:05 < ecrist> if you have control of the server, setup a ccd that omits the redirect but has all the other routes
08:06 < benomatic> yeah, i did the route-noexec, and tried to simulate all the routes it was pushing by hand, but no luck.  i seemed to have an ordering issue with that attempt.  i will check out push-reset.
08:08 < benomatic> perhaps just better to convince admin to have 2 confs.
08:13 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has joined ##openvpn
08:23 < benomatic> does this imply that my 'route' commands aren't allow client-side?  Options error: option 'redirect-gateway' cannot be used in this context
08:31 < ecrist> they should be allowed without issue
08:34 < benomatic> i just figured out that i was using CIDR notation instead of subnet notation.  (dumb pasto.)  worked like a charm!
08:36 < benomatic> hrm.  actually, the log is a bit confusing.  perhaps it was working in cidr too?  (i only watched verbose logs.)  it first complains about the context, but then later shows the route cmds working.  anywaiz, WFM now.  thanks!
08:40 -!- EdwardIII [~Edward@unaffiliated/edward123] has joined ##openvpn
08:40 < EdwardIII> hey, just to clarify a point
08:40 < EdwardIII> if your machine is an openvpn server, you need to bridge the tap adapter and the real adapter, right?
08:52 < ecrist> depends
08:52 < ecrist> if you want VPN clients to access the real adapter's network, yes
08:53 < ecrist> if you just want to create a LAN that's all on the VPN, then no.
09:03 -!- macsppadic [~sonupunno@88.211.46.105] has joined ##openvpn
09:05 -!- redirectsppadic [~sonupunno@88.211.55.77] has quit [Ping timeout: 240 seconds]
09:06 -!- bewst [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has quit [Ping timeout: 248 seconds]
09:07 -!- sylar [~sylarrrr@bzq-79-177-48-232.red.bezeqint.net] has joined ##openvpn
09:08 -!- bewst [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has joined ##openvpn
09:10 < EdwardIII> ecrist, the former
09:11 < EdwardIII> the thing is, i'm looking at an old setup here from years ago (win2k8 std) - it has a network bridge and a tap adapater, but the only thing in the bridge in the real network adapter
09:14 < EdwardIII> mmm.... openvpn actually handles the bridging of adapters itself, doesn't it?
09:20 < ecrist> nope
09:20 < ecrist> you have to do that outside the openvpn main config
09:20 < ecrist> usually done with an 'up' script
09:21 -!- readmanr [~Robert@static-87-102-39-78.karoo.KCOM.COM] has quit [Quit: Leaving]
09:24 < sylar> how do I start a client on linux?
09:24 < sylar> is that howto: openvpn [client config file]
09:24 < sylar> mean 
09:24 < sylar> openvpn [clientConfigFile]
09:28 < EdwardIII> ecrist, i do? i'm looking through the configuration document, it says you need to bridge the adapaters in windows, which i'm working on
09:28 < EdwardIII> sylar, that looks good yes?
09:35 < sylar> ok it got connected
09:36 < sylar> but it took it lots of time before any telnet worked to the remote site
09:36 < sylar> what do I do to expire a key?
09:37 < sylar> I sent a key to a client over an insecure connection
09:37 < sylar> now I want to expire it
09:39 < sylar> ok found it in the howto
09:41 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
09:45 -!- macsppadic_ [~sonupunno@88.211.55.77] has joined ##openvpn
09:47 < benomatic> follow up: this conf works fully on mac, and works on linux (ubuntu 10.04) w/ 1 flaw: it doesn't update resolv.conf/dns.  any suggestions?   http://pastebin.com/20HtphiP
09:48 < benomatic> only notable difference; mac is 2.1.1, ubuntu 2.1.0.  but changelog doesn't indicate anything like this.
09:50 -!- macsppadic [~sonupunno@88.211.46.105] has quit [Ping timeout: 276 seconds]
09:50 -!- macsppadic_ is now known as macsppadic
09:50 -!- macsppadic is now known as centresppadic
09:52 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
09:56 < EdwardIII> hrm i'm trying to check if the udp port for openvpn is available outside of the network
09:56 < EdwardIII> nc -vzu [remote ip] 1194 <- this shows success, but it does for any port i try heh
10:07 -!- JPeterso2 [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
10:10 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Quit: brb]
10:11 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Ping timeout: 260 seconds]
10:12 -!- JPeterso2 [~JPeterson@c213-100-62-9.swipnet.se] has quit [Ping timeout: 240 seconds]
10:38 -!- dazo is now known as dazo_afk
10:39 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
10:39 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
10:42 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
10:48 < EdwardIII> hrm how can i find the openvpn protocol specification?
10:52 < ecrist> in the source
10:54 < julius> tehehe
11:04 -!- thomaschaaf [c1af1a44@gateway/web/freenode/ip.193.175.26.68] has joined ##openvpn
11:04 < thomaschaaf> Hey guys,
11:05 < thomaschaaf> I am thinking of putting 2 openvpns behind oneanother one lowerrisk vpn and one more sensitif is this possible?
11:14 -!- centresppadic [~sonupunno@88.211.55.77] has quit [Quit: centresppadic]
11:35 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
11:50 -!- thomaschaaf [c1af1a44@gateway/web/freenode/ip.193.175.26.68] has quit [Quit: Page closed]
11:51 < SOG> Um....
11:51 < SOG> Do you mean ... oh, he quit
11:57 -!- Cain [~Geek@unaffiliated/cain] has quit [Quit: Sayaunara ^_^]
12:01 < cpm> sounds like a bad/poorly thought out idea. 
12:07 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Quit: Yes, Virginia...]
12:08 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
12:08 -!- Bombo [~bombo@dslb-084-062-237-244.pools.arcor-ip.net] has joined ##openvpn
12:08 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Client Quit]
12:09 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
12:13 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Client Quit]
12:17 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
12:21 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.8/20100722155716]]
12:30 < Bombo> i'm trying to install openvpn on win7 64bit but the tap driver installer says 'cannot run 32bit driver on 64bit os'
12:30 < Bombo> tried the versions on openvpn.se and .net
12:35 < sylar> I had a bsod today
12:35 < sylar> after standby
12:35 < sylar> I wonder if it is related to the new TAP driver I installed :/
12:41 -!- nb [~nb@fedora/pdpc.monthlygold.nb] has quit [Changing host]
12:41 -!- nb [~nb@fedora/GSWoT.Member.nb] has joined ##openvpn
12:42 < cpm> what did the bsod say?
12:51 -!- kc8pxy [~gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has quit [Read error: Connection reset by peer]
12:55 -!- SOG [~SOG@222.125.202.173] has quit [Ping timeout: 245 seconds]
12:55 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
12:59 -!- SOG_ [~SOG@222.125.202.173] has joined ##openvpn
13:03 -!- SOG [~SOG@222.125.202.173] has quit [Ping timeout: 265 seconds]
13:03 -!- SOG_ is now known as SOG
13:06 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
13:10 -!- SOG [~SOG@222.125.202.173] has quit [Ping timeout: 276 seconds]
13:11 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
13:15 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has joined ##openvpn
13:17 -!- bewst [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has quit [Quit: Leaving.]
13:24 -!- blueboxthief [~None_of_y@86-40-176-16-dynamic.b-ras2.srl.dublin.eircom.net] has joined ##openvpn
13:25 -!- naquad [~naquad@174.142.224.219] has quit [Quit: ZNC - http://znc.sourceforge.net]
13:27 -!- naquad [~naquad@174.142.224.219] has joined ##openvpn
13:30 -!- hfrhryu34 [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
14:12 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
14:16 -!- benomatic [~ben@5353CE36.cable.casema.nl] has quit [Quit: reboot fun]
14:24 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:34 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has quit [Read error: Connection reset by peer]
14:46 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
14:50 -!- takamichi [~pri@78.133.14.166] has quit [Ping timeout: 276 seconds]
14:51 < sylar> cpm it said 0xF4 (0x03,somthing,something)
14:51 -!- takamichi [~pri@78.133.14.166] has joined ##openvpn
14:53 -!- benomatic [~ben@5353CE36.cable.casema.nl] has joined ##openvpn
14:53 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
14:56 -!- takamichi [~pri@78.133.14.166] has quit [Ping timeout: 248 seconds]
14:58 -!- JackCorleone [~Jack@187.10.76.207] has joined ##openvpn
15:08 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
15:08 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
15:08 < krzee> [08:50]  <EdwardIII> hrm how can i find the openvpn protocol specification?
15:08 < krzee> its on the page somewhere
15:09 < krzee> !security
15:09 <+vpnHelper> krzee: "security" is "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
15:09 < krzee> link #2
15:09 < krzee> thats as close as you're getting, afaik
15:34 -!- crazygir [~jason@unaffiliated/crazygir] has left ##openvpn []
15:37 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
16:00 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
16:00 < sylar> the VPN worked for a short while, and then it stopped working, the gui on yellow on the client, and green at the server
16:02 < krzee> look at log files
16:02 < sylar> I am pastbining it
16:02 < sylar> http://pastebin.com/DhLWixSP
16:02 < sylar> client ^
16:03 < krzee> and the server...
16:04 < sylar> i upped the verb just now, will let it run a bit
16:05 -!- JackCorleone [~Jack@187.10.76.207] has quit [Quit: Saindo]
16:06 < sylar> lol
16:06 < sylar> I stepped on the LAN cable
16:06 < sylar> the main network was unplugged physically
16:08 < krzee> hahaha
16:09 -!- Diffen2 [~diffen2@m83-185-82-233.cust.tele2.se] has joined ##openvpn
16:11 < sylar> nice, now it works
16:12 < sylar> I wonder if it make sense to use zrtp inside an openvpn tunnel?
16:13 < krzee> depends
16:13 < krzee> is the voip endpoint also in the vpn?
16:13 < sylar> yes
16:13 < krzee> is it the server?
16:13 < sylar> both should be in the vpn
16:13 < krzee> or a different client
16:14 < sylar> both server and client are in the vpn
16:14 < krzee> so you are considering using zrtp between vpn client and vpn server?
16:14 < sylar> i want to put ekiga and call using the ip 10.8.0.6
16:15 < sylar> yes
16:15 < sylar> I am crazy
16:15 < krzee> its pointless but shouldnt hurt anything
16:16 < sylar> I kind of thinking,,, and maybe ekiga will send stuff also through other ports/interfaces
16:16 < sylar> and then I will get no security
16:16 < krzee> packet sniffing should tell you that
16:16 < sylar> I dont' get it, 
16:16 < sylar> in the end íll use skype
16:16 < sylar> it will tell on my end
16:17 < sylar> what about the other end, and packets that don't arrive to mẻ
16:17 < krzee> what dont you get
16:18 < krzee> sniffing outbound traffic is enough to tell you what exits from where
16:19 < sylar> but I can't sniff the other party
16:21 < krzee> and you dont need to
16:21 < krzee> lol
16:21 < krzee> it either leaves from your adapter going over the vpn, or you see it leaving
16:21 < krzee> when you tunnel everything, all you see on your external adapter is the vpn
16:21 < krzee> !vpn
16:21 <+vpnHelper> krzee: "vpn" is http://openvpn.net/index.php/documentation/faq.html#tunnel-principal
16:21 < krzee> read that
16:21 < sylar> i know that
16:22 < sylar> I just am afraid that ekiga will output udp like a network HUB
16:22 < sylar> ie echo everyting on all interfaces
16:22 < sylar> and then it will also broadcast  to the internet
16:22 < sylar> it doesn't make sense 
16:22 < krzee> and if it does, you will see it!
16:23 < krzee> how does that not make sense to you
16:23 < krzee> lol
16:23 < sylar> it doesn't make sense to think so
16:23 < krzee> ok
16:23 < krzee> im gunna do other stuff
16:23 < krzee> bbl
16:23 < sylar> k
16:23 < sylar> thanks
16:30 -!- takamichi [~pri@78.133.14.166] has joined ##openvpn
16:35 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
16:41 -!- Diffen2 [~diffen2@m83-185-82-233.cust.tele2.se] has quit [Ping timeout: 240 seconds]
16:47 -!- Diffen2 [~diffen2@m83-185-132-83.cust.tele2.se] has joined ##openvpn
17:09 -!- sylar [~sylarrrr@bzq-79-177-48-232.red.bezeqint.net] has quit [Ping timeout: 260 seconds]
17:09 -!- openvpn2009 [~admin@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Quit: ircN 8.00 for mIRC (20080809) - www.ircN.org]
17:25 -!- Mathis [~Mathis@p4FEE4C64.dip.t-dialin.net] has joined ##openvpn
17:25 < Mathis> hello
17:26 < Mathis> trying to create a VPN and found OpenVPN-AS-Appliance - what role does this have in creating my own VPN?
17:26 < Mathis> do I even need it?
17:28 < krzee> !AS
17:28 <+vpnHelper> krzee: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
17:28 <+vpnHelper> krzee: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
17:28 < krzee> we dont support AS here, see #4
17:28 < Mathis> its okay, thanks
17:28 < krzee> np
17:28 < Mathis> so I dont need it, right?
17:28 < Mathis> just the openvpn-client.msi
17:29 < krzee> i have no idea
17:29 < krzee> we only support the opensource openvpn here
17:29 < krzee> which is not what you are talking about
17:29 < krzee> (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
17:29 <+vpnHelper> Title: Support Center (at openvpn.net)
17:29 < Mathis> I also wanted to use the opensource openvpn
17:30 < krzee> then you have the wrong files
17:30 < krzee> !download
17:30 < Mathis> maybe I have misunderstood something
17:30 <+vpnHelper> krzee: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
17:30 < Mathis> thank you, the home screen offered the .msi package
17:30 < krzee> ya, you had to click opensource to get the opensource version
17:31 < krzee> but i see why youd do what you did, it confused me when they changed the site too
17:32 < Mathis> and they provided absolutely no information about the differences anywhere, or I havent seen them
17:32 < krzee> not sure, havnt looked for it
17:33 < krzee> but if you want to know the differences, my bot told you above
17:33 < krzee> or you can type !AS to see them again
17:33 -!- Diffen2 [~diffen2@m83-185-132-83.cust.tele2.se] has quit [Ping timeout: 258 seconds]
17:33 < Mathis> the VPN topic is rather new to me, so I can be confused easily
17:33 < krzee> but basically, with opensource version you have to know / learn what you are doing
17:34 < krzee> with AS, not really the case
17:34 < Mathis> thats always the price of having opensource
17:34 < krzee> AS isnt free, and comes with real support
17:34 < krzee> opensource is, and does not
17:34 < Mathis> yeah, I suppose that
17:34 < krzee> opensource comes with us here, and the maillist
17:35 < Mathis> and you can connect only 2 free clients to it
17:35 < krzee> i still have not been able to play with it
17:36 < krzee> been meaning to, but i have to run windows and linux for that
17:36 < krzee> whereas i run osx and freebsd
17:36 < Mathis> the OpenVPN GUI is rather useless somehow, not many options setable
17:37 < krzee> you are not supposed to config the opensource through the GUI
17:37 < krzee> you are supposed to manually setup your config file
17:37 < krzee> if you have bash, you can use this
17:37 < krzee> !confgen
17:37 <+vpnHelper> krzee: "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/
17:37 < Mathis> I am in Win7
17:38 < Mathis> brb, reboot, security update
17:38 -!- Mathis [~Mathis@p4FEE4C64.dip.t-dialin.net] has quit []
17:38 < krzee> lol
17:42 -!- acerna [~acerna@docs.poweredbyamp.com] has joined ##openvpn
17:42 < acerna> !welcome
17:42 <+vpnHelper> acerna: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:43 -!- Mathis [~Mathis@p4FEE4C64.dip.t-dialin.net] has joined ##openvpn
17:43 < acerna> !route
17:43 <+vpnHelper> acerna: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:46 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:46 -!- raw_ [~raw@chipotle118.server4you.de] has quit [Ping timeout: 265 seconds]
17:51 < acerna> I have a routing openvpn server setup.  I am able to connect and ping both ways without issue.  I am also able to access windows file shares over the vpn link without an issue.  The only problem I have left is I am not able to RDP to the same box I am able to ping and access file shares over.  The only port I have opened up on my external firewall that is in front of my openvpn server is UDP 1194
17:52 < acerna> !forums
17:52 <+vpnHelper> acerna: Error: "forums" is not a valid command.
17:52 < acerna> !forum
17:52 <+vpnHelper> acerna: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
17:52 -!- raw_ [~raw@chipotle118.server4you.de] has joined ##openvpn
17:53 < krzee> acerna, try accessing it by VPN ip
17:54 < acerna> I am rdping by it's internal LAN IP there is no VPN ip for it because I have NAT setup on my openvpn box to foward the traffic
17:55 < krzee> thats broken as hell
17:55 < krzee> !route
17:55 <+vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:55 < krzee> lose the NAT and do it right
17:55 < krzee> might fix your problem to do it correctly
17:55 < acerna> how is it incorrect to use NAT? it's the same as a typical road warrior setup
17:56 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
17:56 < krzee> no, its not
17:56 < krzee> you're using the NAT hack as the first choice
17:56 < krzee> where it should actually be the last resort
17:56 < krzee> typical road warrior setup is !route
17:56 < krzee> using routing
17:57 < acerna> i'm pushing all the routes to my vpn client
17:57 < acerna> to route through my vpn endpoint and then I have a static route on the machine to get back through
17:58 < krzee> then why the NAT?
17:59 < acerna> I think I misspoke
17:59 < acerna> I just enabled fowarding
17:59 < krzee> ok, so you are not using NAT...?
17:59 < acerna> right just the routing
17:59 < acerna> and the foward line
17:59 < krzee> ok
18:00 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
18:00 < krzee> and the machine is part of the lan, not the vpn endpoint... which is why you said it does not have a VPN IP
18:00 < acerna> exactly
18:00 < krzee> ok
18:01 < krzee> and you said ping works, filesharing works, on that same machine
18:01 < krzee> right?
18:01 < acerna> yes same machine
18:01 < krzee> ok, then its something on that machine
18:02 < acerna> I put some pretty broad ip tables rules for the tun devices I think it should be able to pass fine
18:02 < krzee> maybe in the windows firewall
18:02 < krzee> ya its not anything to do with tun device
18:02 < krzee> well most likely not
18:02 < krzee> easy to check tho
18:02 < acerna> i'll try disabling hte firewall service
18:03 < acerna> it's off already but it's 2008 so there is more to it 
18:03 < krzee> wireshark on the target machine would show if it gets the packets
18:03 < krzee> ya i hate windows firewall
18:03 < krzee> in fact
18:03 < krzee> !windows
18:03 <+vpnHelper> krzee: "windows" is pcs are like air conditioners, they work fine unless you open windows
18:05 < krzee> ;]
18:05 < acerna> totally disabled the widnows firewall service still same thing service
18:06 < krzee> sniff traffic
18:06 < krzee> see that its hitting the machine
18:06 < acerna> let me try that
18:11 < acerna> all the filesharing traffic I see
18:11 < acerna> I don't see anything that looks like the RDP
18:11 < krzee> ahh
18:11 < krzee> well if thats the case, it must be a firewall
18:12 < krzee> now sniff on the vpn node
18:25 -!- EdwardIII [~Edward@unaffiliated/edward123] has quit [Read error: Connection reset by peer]
18:25 -!- EdwardIII [~Edward@unaffiliated/edward123] has joined ##openvpn
18:35 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
18:46 < acerna> got it working, turns out the amazon ec2 machine didn't like trying to rdp to that machine works great from a different box, thanks fo much for your help
18:48 < krzee> np
18:54 -!- blueboxthief [~None_of_y@86-40-176-16-dynamic.b-ras2.srl.dublin.eircom.net] has quit [Quit: Leaving.]
18:58 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
19:08 -!- bewst [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has joined ##openvpn
19:10 -!- Edward123 [~Edward@unaffiliated/edward123] has joined ##openvpn
19:12 -!- EdwardIII [~Edward@unaffiliated/edward123] has quit [Ping timeout: 265 seconds]
19:21 < acerna> quit
19:21 -!- acerna [~acerna@docs.poweredbyamp.com] has quit [Quit: leaving]
19:38 -!- Tachyx [~tach@81.200.61.23] has joined ##openvpn
19:38 -!- Tachycek [~tach@81.200.61.23] has quit [Read error: Connection reset by peer]
19:43 -!- takamichi [~pri@78.133.14.166] has quit [Ping timeout: 260 seconds]
19:43 -!- Mathis [~Mathis@p4FEE4C64.dip.t-dialin.net] has quit []
19:44 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
20:05 -!- benedikt [~benedikt@agurka.sudo.is] has joined ##openvpn
20:05 < benedikt> is it possible to ignore reject-gateway on the client side?
20:06 < krzee> not really
20:07 < krzee> maybe if you have a static VPN ip
20:07 < krzee> you would have to ignore EVERYTHING and then do everything manually
20:07 < krzee> like set your ip and everything
20:07 < krzee> but if its not the same ip the server gave you, you'll have problems
20:08 < krzee> assuming net30 topology (default)
20:08 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
20:08 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
20:08 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Client Quit]
20:09 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
20:09 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Client Quit]
20:09 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
20:09 < krzee> thats basically why i say not really
20:10 < krzee> the stars have to align perfect for it to even be possible
20:10 < krzee> and then, its a giant pain in the ass
20:10 < krzee> so basically, no
20:10 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Client Quit]
20:10 < benedikt> well obviously you can do it manually or script it.. I asked if was an option in openvpn to ignore the redirect-gateway statement
20:10 < krzee> how exactly would you script that...?
20:10 < krzee> you would manually define EVERYTHING in the config
20:11 < krzee> and no, not an option to ignore a single push
20:11 < krzee> it's all or none
20:12 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
20:12 -!- mode/##openvpn [+o krzee] by ChanServ
20:14 <@krzee> suuuure, now his connection becomes stable
20:15 <@krzee> lol
20:15 -!- mode/##openvpn [-o krzee] by krzee
20:31 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
21:16 -!- Edward123 [~Edward@unaffiliated/edward123] has quit [Read error: Connection reset by peer]
21:52 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
21:56 -!- bewst [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has quit [Quit: Leaving.]
22:19 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
22:38 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
22:45 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
22:49 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:10 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
23:35 -!- fate_t_harlaown [Bardiche@cg4l3001.smb.curriegrad2004.ca] has joined ##openvpn
23:35 < fate_t_harlaown> !welcome
23:35 <+vpnHelper> fate_t_harlaown: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:35 < fate_t_harlaown> !goal
23:35 <+vpnHelper> fate_t_harlaown: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
23:35 < fate_t_harlaown> hm...
23:36 < fate_t_harlaown> just have a quick question here: It's about the client on OpenVPN.net's site
23:36 < fate_t_harlaown> does the MSI package support connecting to an OpenVPN that uses certificates to connect?
23:36 < fate_t_harlaown> oops
23:37 < fate_t_harlaown> forgot to add the OpenVPN server part
23:38 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 264 seconds]
23:51 < krzie> that is a question for #4 here
23:51 < krzie> !AS
23:51 <+vpnHelper> krzie: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
23:51 <+vpnHelper> krzie: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
23:52 < fate_t_harlaown> oh
23:53 < fate_t_harlaown> !AS
23:53 <+vpnHelper> fate_t_harlaown: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server
23:53 <+vpnHelper> fate_t_harlaown: configurations options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
--- Day changed Wed Aug 04 2010
00:00 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
00:13 -!- nanoha [Bardiche@cg4l3001.smb.curriegrad2004.ca] has joined ##openvpn
00:13 -!- fate_t_harlaown [Bardiche@cg4l3001.smb.curriegrad2004.ca] has quit [Ping timeout: 252 seconds]
00:13 -!- nanoha is now known as fate_t_harlaown
00:38 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Read error: Operation timed out]
00:40 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined ##openvpn
00:48 -!- sylar [~sylarrrr@bzq-79-177-48-232.red.bezeqint.net] has joined ##openvpn
01:00 -!- dazo_afk is now known as dazo
01:01 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:01 -!- mode/##openvpn [+o mattock] by ChanServ
01:03 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Ping timeout: 260 seconds]
01:07 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
01:10 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
01:16 -!- bewst [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has joined ##openvpn
01:16 -!- cherva [~cherva@93.152.158.160] has quit [Ping timeout: 246 seconds]
01:17 -!- cherva [~cherva@93.152.158.160] has joined ##openvpn
01:17 -!- cherva [~cherva@93.152.158.160] has quit [Read error: Connection reset by peer]
01:19 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Quit: leaving]
01:32 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:36 -!- cherva [~cherva@93.152.158.160] has joined ##openvpn
02:12 -!- groundnuty [~orzech@elj74.internetdsl.tpnet.pl] has joined ##openvpn
02:13 < groundnuty> hey I've openvpn config that works ok from home and fails while trying to pass through corporate proxy 
02:14 < groundnuty> the problem seems to be proto udp setting
02:14 < krzie> not many proxies can handle udp traffic
02:15 < krzie> a real socks daemon can, ssh tunneling can not
02:15 < groundnuty> that works from home, but since proxy is http based - as stated on openvpn faq I tried to change it to tcp
02:15 < krzie> web proxies can not
02:15 < krzie> http proxies can not ;)
02:15 < groundnuty> hmm so if server requires udp and http proxy tcp there is no way to make them cooperate? :(
02:15 < krzie> correct
02:16 < krzie> gotta get tcp server going
02:16 < krzie> try port 443
02:16 < krzie> just in case ;)
02:16 < krzie> (tcp)
02:16 < krzie> the good news, you can just run 2 vpn services on the same server, with different subnets
02:17 < groundnuty> 1) 443 with tcp doesn't fly 
02:17 < groundnuty> well I was tryign to connect to my university openvpn :)
02:17 < krzie> over the even proxy?
02:17 < krzie> err
02:18 < krzie> even over the proxy 443 tcp as server listen port doesnt work?
02:18 < krzie> or you dont run the vpn?
02:18 < groundnuty> well I work in place where to get out of their intranet one has to get through thsi stupid http proxy
02:18 < groundnuty> I did try it
02:18 < groundnuty> remote vpn.agh.edu.pl 443, proto tcp
02:19 < groundnuty> the effect is the same as in previous case
02:19 < krzie> and the server listens on that as well?
02:19 < krzie> and you also have the http-proxy settings in right?
02:19 < groundnuty> to be honest - no idea - I will need to email admin - but I figured if that is some kind of default port, was worth a shot ;)
02:19 < krzie> !man
02:19 <+vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
02:20 < krzie> its not default
02:20 < krzie> its only for people who add it to bypass firewalls
02:20 < groundnuty> yes I set http proxy correctly the client says it established connection
02:20 < krzie> then whats the problem?
02:21 < groundnuty> momento, searching for log
02:22 < groundnuty> CP connection established with 10.136.87.17:80
02:22 < groundnuty> recv_line: TCP port read timeout expired
02:22 < groundnuty> SIGTERM[soft,init_instance] received, process exiting
02:23 < groundnuty> my conclusion was that it passes through firewall but serwer seems nto like the tcp connection
02:24 < krzie> lol
02:24 < krzie> ya if you dunno the server is listening you cant know what to connect at
02:24 < krzie> ask the admin if they have a tcp port
02:24 < groundnuty> I will, as soon as he wakes up :)
02:24 < krzie> cool
02:24 < groundnuty> anyway thx for all your help ;)
02:31 < krzie> np
02:38 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
02:47 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
02:53 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
02:54 -!- kisom [~kisom@c-f9dde155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Remote host closed the connection]
03:05 < benomatic> i've got a working ovpn client, w/ one problem: nameserver isn't getting set, despite the debugging line 'PUSH_REPLY' including "dhcp-option DNS A.B.C.D".  same conf gets NS on mac client, but fails to get nameserver on ubuntu linux.  suggestions on how to debug further?
03:05 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
03:14 < krzie> !pushdns
03:14 <+vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
03:14 < krzie> #4
03:28 -!- bewst [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has quit [Read error: Operation timed out]
03:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Operation timed out]
03:40 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
03:42 -!- smerz [~smerz@smerz.demon.nl] has quit [Read error: Connection reset by peer]
03:43 < benomatic> krzie: thanks.  i will check it out.
03:44 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
03:47 < krzie> np
03:47 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
03:49 < benomatic> that + resolvconf package == bingo.  thanks!
03:56 < krzie> np
04:03 -!- cherva [~cherva@93.152.158.160] has quit [Quit: Leaving]
04:05 -!- takamichi [~pri@78.133.14.166] has joined ##openvpn
04:28 -!- HackeMate [~HackeMate@73.Red-88-26-66.staticIP.rima-tde.net] has joined ##openvpn
04:28 < HackeMate> hello
04:29 < HackeMate> i am getting an error with openvpn client like this: ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
04:29 < HackeMate> is because of tun?
04:30 < HackeMate> or client.conf
04:35 < benomatic> i dunno anything about tun, or openvpn really.  but i assume you're running as root?
04:36 < HackeMate> yes, i am running as root
04:37 < benomatic> there ends the utility that i can provide.
04:37 < HackeMate> thanks for the try though
04:37 < HackeMate> it was appreciated
04:42 < benomatic> basic networking thought: if you increase verbosity, (a) can you see the raw ifconfig line [i think i have before], (b) is it trying to assign an address that already exists on another if?
04:43 < HackeMate> i am not this network admin, but i know it is a dhcpd mac address bassed
04:44 < HackeMate> i short question you may know, the part of the certificate file, should contain a full path?
04:44 -!- benedikt [~benedikt@agurka.sudo.is] has left ##openvpn []
04:44 < HackeMate> or it will check it at same directory where the .ovpn is
04:47 < benomatic> i think it may need full path, but not sure.  TunnelBlick explicitly does a chdir, and I believe on linux I had to set full path.
05:01 < krzie> !path
05:01 <+vpnHelper> krzie: "path" is always use full paths in your config file, it makes things easier
05:02 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Read error: Connection reset by peer]
05:05 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
05:21 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:36 -!- macsppadic is now known as telnetsppadic
05:39 < HackeMate> well, finally i get it working, at least i fixed all error messages 
05:39 < HackeMate> i get success on autenthication, and getting an ip 
05:40 < HackeMate> but the problem now is i cant still surf
05:47 -!- SOG [~SOG@61.144.230.241] has quit [Quit: SOG]
05:53 < grishnav> HackeMate: can you elaborate?
05:54 < HackeMate> well, this is a special case, im trying to get openvpn working at iphone
05:54 < HackeMate> if i am able to elaborate i will
05:54 < grishnav> what do you mean by "i can't stlil surf"?
05:56 < HackeMate> executing ifconfig i can see my new vpn ip, all seems ok
05:57 < HackeMate> but if i open webbrowser it gets timeout
05:58 < grishnav> are you getting DHCP over the VPN tunnel?
05:59 < HackeMate> hm, i dont know how to check this
05:59 < grishnav> how are you getting an IP on the VPN? are you statically assigning it?
05:59 < HackeMate> i have the pp0 interface created 
05:59 < HackeMate> ah, yes i get a dhcp ip
06:00 < grishnav> okay, is it openvpn providing the DHCP or the remote network?
06:01 -!- MWinther [~mw@238-197-96-87.cust.blixtvik.se] has joined ##openvpn
06:01 < grishnav> anyway, two things to check: 1. make sure your default gateway isn't getting overwritten by the DHCP, and 2. make sure your DNS resolvers aren't getting overwritten by the remote DHCP
06:05 < Bushmills> trying to use vpn server as gateway?
06:05 < HackeMate> let me check those steps grishnav, thanks for the patience and the help
06:11 < HackeMate> grishnav: if it helps, when a openvpn connection succeeded, iphone executes this script: http://www.chandraonline.net/files/iphone_vpn/update-resolv-conf
06:11 < HackeMate> i dont find if the default gateway is really overwritten
06:15 < grishnav> HackeMate: can you try pinging something, like 4.2.2.2?
06:21 < HackeMate> http://pastebin.com/8wgZCwv5
06:22 < HackeMate> oh that error persists again, sec
06:25 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
06:38 < grishnav> is 10.150.54.1 a valid gateway to the internet?
06:41 < grishnav> also, i'm not sure exactly how you would use OpenVPN with a PPP device, but I'm pretty sure for a PPP device to work the endpoints have to have different IPs. It looks like yours are the same?
07:07 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
07:10 -!- MWinther [~mw@238-197-96-87.cust.blixtvik.se] has quit [Remote host closed the connection]
07:27 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
07:35 < HackeMate> sorry grishnav, i got internet down
07:35 < HackeMate> 10.150.54.1 is a valid gateway internet
07:36 < HackeMate> it suppose the new interface should be named tun0, thing i dont see too, but it could be because of my unkowneldge
07:38 -!- JackCorleone [~Jack@201-92-54-167.dsl.telesp.net.br] has joined ##openvpn
07:40 -!- HackeMate [~HackeMate@73.Red-88-26-66.staticIP.rima-tde.net] has quit [Remote host closed the connection]
07:44 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:53 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
08:06 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:09 -!- sylar [~sylarrrr@bzq-79-177-48-232.red.bezeqint.net] has quit [Quit: Leaving]
08:22 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Ping timeout: 260 seconds]
08:29 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
08:41 -!- HackeMate [~HackeMate@73.Red-88-26-66.staticIP.rima-tde.net] has joined ##openvpn
08:49 -!- tr4sk [~tr4sk@alfred.biboum.fr] has joined ##openvpn
08:51 < tr4sk> Hi
08:54 -!- straterra [~straterra@fuhell.com] has joined ##openvpn
08:55 < straterra> Has a decent OpenVPN web interface been written yet?
09:09 < Bushmills> yes. there are decent scripts for init.d 
09:09 < Bushmills> oh. "web"
09:09  * Bushmills wonders what a web interface would help with openvpn operation
09:10 < straterra> It would let me give Jr admins the ability to set up a new user with VPN
09:10 < straterra> Instead of having them log in to the server, use easy rsa, copy the files, etc
09:10 < Bushmills> make a script
09:11 < straterra> The idea is not have to log in to the server via a shell..at all
09:11 < Bushmills> packing the files into an archive after generation isn't a big task
09:11 < straterra> No, its not..but again, I'd like a web interface simple enough the CIO could use it.
09:11 < Bushmills> why would the cert server have a web interface at all?
09:12 < straterra> What?
09:12 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
09:13 < Bushmills> the machine where you generate and sign keys - why would there be a web server on that machine?
09:13 < straterra> There wouldn't be otherwise
09:13 < straterra> The only reason it would run a web server is for the web interface for OpenVPN
09:13 < straterra> Not that a web server on that machine would take very many resources..I'd use lighttpd
09:14 < Bushmills> i fail to see the advantage of starting a web browser, and running a web server, to execute a remote program/script over using ssh for that
09:15 < straterra> Because using ssh requires installing extra software on a machine..and require more than 2 brain cells
09:15 < Bushmills> if that's need for junior admins, because a shell login is beyond their capability, maybe those junior admins are too junior
09:15 < straterra> Regardless, it doesn't matter if you think its a good idea or not..does such a project exist?
09:16 < Bushmills> rather than attermpting to fix he symptom, fix the root of the problem
09:16 < straterra> The problem is that I want a web interface for OpenVPN
09:16 < straterra> If it doesn't exist, I'll write my own
09:17 < Bushmills> i can't say for sure that there isn't one. but it's a more unusual request
09:17 < Bushmills> there are text mode admin tools. but those may require evil shell
09:18 < straterra> A shell is not evil to me. The particular IT person I am talking about I don't trust with her own computer..but management refuses to get rid of her.
09:19 < straterra> So, I have to accomidate
09:20 < Bushmills> give her access, and let her mess up. maybe she'll be sacked then
09:20 < straterra> Along with me for giving it to her
09:21 < Bushmills> if management didn't ask to give her admin of vpn. why would you do that?
09:21 < Bushmills> especially if giving her access seems to affect your job security
09:22 < straterra> No offense, but I don't feel like explaining it all. I can't find a decent web interface for OpenVPN, so I guess I'm going to write my own.
09:22 < straterra> Thanks.
09:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:38 -!- Tachyx [~tach@81.200.61.23] has quit [Quit: De omnibus dubitandum est.]
09:47 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 4.0b2/20100720180617]]
10:00 -!- bewst [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has joined ##openvpn
10:02 < bewst> unable to get local issuer certificate (logs at http://gist.github.com/505584).  Any help?
10:02 <+vpnHelper> Title: gist: 505584 - OpenVPN Heck- GitHub (at gist.github.com)
10:03 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
10:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
10:26 -!- dazo is now known as dazo_afk
10:32 -!- bewst [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has quit [Remote host closed the connection]
10:32 -!- bewst [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has joined ##openvpn
10:32 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
10:32 < krzee> bewst, 
10:32 < krzee> !certverify
10:32 <+vpnHelper> krzee: "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
10:33 < krzee> [07:23]  <straterra> No offense, but I don't feel like explaining it all. I can't find a decent web interface for OpenVPN, so I guess I'm going to write my own.
10:33 < krzee> i agree, there isnt one
10:33 < krzee> see --management for stuff to put in the interface
10:33 < krzee> it was made for such a project
10:33 < krzee> pls release back to community =]
10:37 < bewst> krzee: I get "ok" for both
10:37 < krzee> check they have the EXACT same ca file
10:38 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:40 < bewst> krzee: verified
10:41 < bewst> is it strange that the client has no certificate for the server; just the ca?
10:42 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has joined ##openvpn
10:43 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
10:47 < ecrist> nope
10:47 -!- benomatic [~ben@5353CE36.cable.casema.nl] has left ##openvpn []
10:53 < krzee> !learn pki as Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key.  The server and client use the ca.crt to check that eachother were signed by the right ca.key.  Optionally, the client also checks that the server cert was signed specially as a server (see !servercert)
10:53 <+vpnHelper> krzee: Joo got it.
10:53 < krzee> !pki
10:53 <+vpnHelper> krzee: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert
10:53 <+vpnHelper> krzee: was signed specially as a server (see !servercert)
10:53 < krzee> ecrist, if you have a better way to say it, pls feel free
10:54 < bewst> !servercert
10:54 <+vpnHelper> bewst: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mitm
10:54 < bewst> I just used easy-rsa
10:54 < bewst> shouldn't that "just work?"
10:55 < krzee> as long as you follow the directions in !pki #1, yes
10:55 < krzee> thats why server cert gets made with a different script
10:55 < krzee> thats the only difference
10:55 < ecrist> krzee: check out the remaining three items in the moderation queue on the forums
10:56 < ecrist> spammers are getting creative
10:56 < bewst> I followed exactly those directions
10:56 < bewst> except for naming of the files
10:57 < bewst> there's nothing special about the name "server," is there?
10:57 < krzee> nope
10:57 < krzee> in fact thats what i use
10:57 < krzee> are you 100% sure that the ca.crt is = on both sides?
10:57 < krzee> 2010-08-04 10:58:01 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
10:58 < krzee> because !certverify should have a problem if it is
10:58 < bewst> yeah, although I have a relative path on the client side
10:58 < krzee> !path
10:58 <+vpnHelper> krzee: "path" is always use full paths in your config file, it makes things easier
10:58 < bewst> !certverify
10:58 <+vpnHelper> bewst: "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
11:00 < bewst> it was !path  !!!
11:01 < krzee> ahh sweet
11:05 -!- bewst [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has quit [Remote host closed the connection]
11:06 -!- bewst [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has joined ##openvpn
11:07 -!- bewst1 [~bewst@mobile-166-137-138-046.mycingular.net] has joined ##openvpn
11:10 < bewst1> OK, so now I'm connected… but nothing works
11:10 -!- bewst [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has quit [Ping timeout: 240 seconds]
11:10 < bewst1> Server log sez: Wed Aug  4 12:14:21 2010 dave@zreba.luannocracy.com/166.137.138.46:13990 Authenticate/Decrypt packet error: bad packet ID (may be a replay): 
11:11 < krzee> you on wireless?
11:12 < bewst1> heh, yeah (cellphone)
11:14 < krzee> !wireless
11:14 <+vpnHelper> krzee: Error: "wireless" is not a valid command.
11:14 < krzee> !learn wireless as if you are getting replay errors while on wireless, see --mute-replay-warnings in the manual (!man)
11:14 <+vpnHelper> krzee: Joo got it.
11:15 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:15 < krzee> !learn wireless as if you are securing your wireless using openvpn, see !local
11:15 <+vpnHelper> krzee: Joo got it.
11:15 < bewst1> krzee: yeah, I see that I can mute the warnings
11:15 < bewst1> my replays might be due to this bug (http://opensolaris.org/jive/thread.jspa?messageID=494991)
11:15 <+vpnHelper> Title: OpenSolaris Forums : [networking-discuss] aggregation ... (at opensolaris.org)
11:15 < bewst1> !local
11:15 < krzee> but did you see that they are common in wireless?
11:15 <+vpnHelper> bewst1: "local" is a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
11:15 < krzee> --mute-replay-warnings 
11:15 < krzee> Silence the output of replay warnings, which are a common false alarm on WiFi networks. This option preserves the security of the replay protection code without the verbosity associated with warnings about duplicate packets.
11:16 < bewst1> I'm not on WiFi
11:16 < bewst1> I'm on cellular
11:16 < krzee> [09:13]  <krzee> you on wireless?
11:16 < krzee> [09:14]  <bewst1> heh, yeah (cellphone)
11:16 < krzee> i took that to mean your cell was using wifi
11:16 < krzee> it's still likely the same thing
11:16 < bewst1> sorry.  It was for a while.
11:16 < krzee> unless someone started replay attacking you EXACTLY when you finally got your vpn working
11:16 < bewst1> but in any case, that's the only feedback I'm getting.
11:16 < krzee> highly unlikely
11:17 < bewst1> so the _real_ problem is…? 
11:18 < krzee> are you getting the same results re: ping time?
11:18 < krzee> as the link you gave
11:18 < bewst1> krzee, interesting question.  Hang on
11:19 < krzee> if not, i venture to say there IS no problem, and that you have the exact same thing mentioned in --mute-replay-warnings re:wireless, for the same reasons
11:19 < krzee> and would solve it the same way ;)
11:19 < bewst1> well, not so interesting actually.
11:20 < bewst1> anyway, there IS some kinda problem because I can't reach any of my local net resources
11:20 < krzee> !goal
11:20 <+vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:21 < bewst1> I would like to access the lan behind the server
11:23 < krzee> !serverlan
11:23 <+vpnHelper> krzee: "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
11:25 < bewst1> yowch; much to learn.  Again
11:25 < krzee> actually its very very simple
11:25 < krzee> what OS is the server?
11:25 < bewst1> OpenSolaris 2009.06
11:25 < krzee> oh
11:26 < bewst1> hahaha
11:26 < krzee> well figure out how to enable IP forwarding
11:26 < krzee> lol
11:26 < krzee> what is the server's lan subnet?
11:26 < bewst1> 192.168.188.0/24
11:26 < krzee> nice, uncommon is good
11:27 < krzee> in server config:
11:27 < krzee> push "route 192.168.188.0 255.255.255.0"
11:27 < bewst1> I've had the common collision before and learnt that lesson before setting up my own vpn
11:27 < krzee> is the server also the router for its LAN?
11:27 < bewst1> krzee: not ATM
11:28 < bewst1> the router is a D-Link box
11:28 < krzee> ok then you need to add a route to it
11:28 < krzee> what subnet is the VPN using?
11:28 < krzee> and what is the LAN ip of your server?
11:28 < bewst1> 1sec
11:29 < bewst1> VPN= 172.27.0.0/16
11:30 < bewst1> server= 192.168.188.10
11:31 < krzee> you need to go into your router config
11:31 < krzee> give it a static route
11:31 < bewst1> hmm...
11:31 < krzee> wait, first of all
11:31 < krzee> your vpn subnet does NOT need to be so huge
11:31 < krzee> you really plan on having that many thousands of clients...?
11:31 < krzee> cause if so, your server wont be able to do it
11:31 < bewst1> krzee: no, I don't.  I just wanted to avoid collisions
11:32 < krzee> after a couple hundred clients openvpn will come to a painful screeching hault
11:32 < krzee> to avoid collisions better, use a smaller subnet 
11:32 < krzee> then it will collide with less ;)
11:32 < bewst1> so, e.g. /24 it?
11:32 < krzee> yup
11:32 < krzee> that will make it much smaller
11:32 < bewst1> I tried but ovpn barfed on the config
11:33 < bewst1> that was with an older version tho
11:33 < krzee> now i will explain what to do, pretending your vpn subnet is 10.8.1.x
11:34 < krzee> go into router config
11:34 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:34 < krzee> make a static route for 10.8.1.x to be reached at 192.168.188.10
11:34 < krzee> explanation here:  
11:34 < krzee> !route_outside_openvpn
11:34 <+vpnHelper> krzee: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
11:40 -!- telnetsppadic [~sonupunno@88.211.55.77] has quit [Quit: telnetsppadic]
11:41 < bewst1> Hmm, the router sez Route gateway IP 192.168.188.8 is not in interface subnet
11:41 < bewst1> incidentally, I got the VPN server address wrong it's …8
11:42 < krzee> you put that in the wrong area
11:42 < krzee> if i ts looking for a subnet in that field, it wanted the VPN subnet there
11:42 < krzee> and the gateway for it is 192.168.188.8
11:43 < krzee> not knowing your interface i cant help much more than that
11:43 < bewst1> well, check it: there's a popup menu called interface with only one entry: wan
11:43 < krzee> if you wanna screenshot it feel free
11:43 < bewst1> isn't that a little creepy?
11:43 < krzee> you may not even be in the right area
11:43 < krzee> what model router?
11:44 < bewst1> dir-655
11:47 < krzee> !google dir-655 static route
11:47 <+vpnHelper> krzee: DIR-655 1.31 Firmware available - dslreports.com: <http://www.broadbandreports.com/forum/r22310851-DIR655-131-Firmware-available>; Reaching DSL modem through WAN port on DIR655 - dslreports.com: <http://www.dslreports.com/forum/r24212971-Reaching-DSL-modem-through-WAN-port-on-DIR655>; (in)Secure IT: D-Link DIR-655: Static Routes to LAN ... not WAN!:
11:47 <+vpnHelper> krzee: <http://areyousecure.blogspot.com/2009/01/d-link-dir-655-static-routes-to-lan-not.html>
11:47 < krzee> http://www.broadbandreports.com/forum/r20846217-Help-Me-Need-help-with-setting-up-static-route-in-DIR655
11:47 <+vpnHelper> Title: [Help Me] Need help with setting up static route in DIR-655 - dslreports.com (at www.broadbandreports.com)
11:48 < bewst1> doh!
11:49 < krzee> ahh now i see the issue
11:49 < krzee> you were right, the WAN dropdown is a problem
11:49 < krzee> you will need to change firmwares like ckraimer says
11:49 < bewst1> f'ers.
11:49 < krzee> sounds like a pain in the ass, make sure to thank dlink ;)
11:49 < bewst1> Maybe I should be running my own router after all :(
11:50 < krzee> depending on your FW version you may have to flash it 2x
11:50 < krzee> well its not a big deal
11:50 < krzee> you just download and downgrade firmware 1 or 2 times, and the firmware is available from a link in that forum entry i gave you
11:50 < bewst1> Yeah.  IF I have the right hardware version
11:51 < bewst1> otherwise /me is screwed
11:51  * bewst1 is screwed :(
11:51 < bewst1> bbs.  Actually I also have a time capsule; not sure what you can do with those
11:52 < bewst1> bbs
11:54 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
11:55 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has quit [Read error: Connection reset by peer]
11:58 -!- SOG [~SOG@222.125.202.173] has quit [Ping timeout: 248 seconds]
11:59 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
11:59 -!- bewst1 [~bewst@mobile-166-137-138-046.mycingular.net] has quit [Remote host closed the connection]
12:00 < krzee> oops forgot to tell him theres also a workaround
12:06 -!- SOG [~SOG@222.125.202.173] has quit [Ping timeout: 245 seconds]
12:08 -!- kisom [~kisom@c-d0dde155.648-1-64736c11.cust.bredbandsbolaget.se] has joined ##openvpn
12:10 -!- bewst [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has joined ##openvpn
12:11 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: Connection reset by peer]
12:11 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
12:19 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
12:35 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
12:35 < bewst> I read somewhere that I could use PPTP to get around not being able to make a static LAN route?
12:35 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:36 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
12:37 < krzee> you dont need pptp for that
12:37 < krzee> !route
12:37 <+vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:37 < krzee> see ROUTES TO ADD OUTSIDE OPENVPN
12:37 < krzee> it tells you the workaround
12:37 < krzee> oh and by the way
12:37 < krzee> !pptp
12:37 <+vpnHelper> krzee: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
12:37 <+vpnHelper> krzee: read about why to not use pptp
12:37 < bewst> I know
12:38 < bewst> I mean that PPTP sux
12:38 < krzee> however, if you spent the time you wasted reading about pptp, youd already be done changing your router firmware and fully finished with your setup
12:38 < krzee> the workaround is to add the static route to every machine in the LAN which needs to communicate with machines on the VPN
12:39 < bewst> krzee, you forget I have A3 hardware and /me is screwed
12:39 < bewst> can't downgrade the firmware
12:39 < krzee> lol
12:39 < krzee> it says EXACTLY what to do in that forum
12:39 < krzee> very last post
12:39  * bewst reads forum again
12:40 < krzee> If you got A3 hardware you can't downgrade pass 1.10. A1 and A2 you can.
12:40 < krzee> boy i struggled with this for quite a while - then tried downloading to 1.10 firmware, then downloaded 1.03 from
12:40 < krzee> ?driverscollection.com/?file_cid=???cf883c5f
12:40 < krzee> and IT WORKED!
12:40 < krzee> so you downgrade to 1.10
12:40 < krzee> THEN to 1.03
12:40 < bewst> Yes, but no evidence that guy has A3 HW
12:40 < bewst> anyway, I could try it
12:40 < krzee> yes there is, he wouldnt have needed to go to 1.10 first otherwise
12:40 < krzee> LOL
12:41 < bewst> OK, stop LOL'ing. I only got 3 hrs sleep :-)
12:41 < krzee> as did i
12:41 < bewst> I wonder what breaks if I downgrade that far
12:50 < bewst> Hmm… The uploaded firmware file may not be correct. You may have uploaded a file that is not intended for this device, or the uploaded file may be corrupted.
12:51 < krzee> how many machines on the LAN need communications with the VPN?
12:55 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
13:01 -!- bewst [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has quit [Ping timeout: 260 seconds]
13:09 -!- bewst [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has joined ##openvpn
13:15 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
13:16 -!- |Mike| [mike@2001:1af8:2:444::2] has quit [Quit: Reconnecting]
13:16 -!- |Mike| [mike@2001:1af8:2:444::2] has joined ##openvpn
13:22 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
13:30 < bewst> krzee: it's hack upon hack upon hack:  http://lizzi555.dyndns.org/655/StaticRoute.html
13:30 <+vpnHelper> Title: Unbenanntes Dokument (at lizzi555.dyndns.org)
13:32 < krzee> oh lol
13:32 < krzee> good find
13:46 < krzee> !learn dlink_static_route as http://lizzi555.dyndns.org/655/StaticRoute.html for the workaround for issues adding static route into d-link router with A3 firmware
13:46 <+vpnHelper> krzee: Joo got it.
14:03 -!- bewst [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has quit [Ping timeout: 240 seconds]
14:34 -!- takamichi [~pri@78.133.14.166] has quit [Ping timeout: 276 seconds]
14:37 -!- Agin [~Agin@greenzone.copyleft.no] has joined ##openvpn
14:39 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
14:40 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:45 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
14:51 -!- donavan` [~donavan@unaffiliated/donavan] has joined ##openvpn
14:56 -!- Qantourisc [~Qantouris@d54C490DC.access.telenet.be] has left ##openvpn []
14:58 -!- ultramage [umage@kurobara.netvor.sk] has joined ##openvpn
14:58 < ultramage> hello, just a small thing - does openvpn allow clients to choose their vpn ip address (and if so, how to achieve that?)
15:00 < ultramage> I did a naive attempt using ifconfig, however I keep ending up using the same old address
15:09 < krzee> no
15:09 < krzee> clients dont control anything
15:09 < krzee> (basically)
15:09 < krzee> they can specify options, but the anything pushed by server will trump that
15:11 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
15:19 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 276 seconds]
15:25 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.8/20100722155716]]
15:29 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
15:36 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:37 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 264 seconds]
15:39 < ultramage> hm, so any ip address assignment has to be handled by the server?
15:40 < ultramage> (I noticed that there's an "ifconfig" setting, however the server seems to push stuff during connection time)
15:40 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has quit [Ping timeout: 276 seconds]
15:42 -!- bewst [~bewst@mobile-166-137-139-212.mycingular.net] has joined ##openvpn
15:44 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has joined ##openvpn
15:46 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
15:47 < bewst> krzee: router seemed to take my changes, but nothing appears to be routing
15:47 < krzee> dunno dude
15:47 < krzee> i cant troubleshoot your router
15:47 < krzee> only openvpn :-p
15:47 < bewst> I know
15:47 < bewst> thanks for all your help so far
15:47 < krzee> but you can bypass the router all together on a machine to see if thats your only issue
15:48 < bewst> howzat?
15:49 < krzee> [10:40]  <krzee> the workaround is to add the static route to every machine in the LAN which needs to communicate with machines on the VPN
15:49 < krzee> then the machine i tself has a route to the vpn, and will bypass the router
15:49 < bewst> arph, will try that.
15:49 < krzee> we add it to the router so we dont need to change anything on the lan machines
15:49 < bewst> Thank you.
15:50 < krzee> yw
15:54 < hyper_ch> krzee: you're US American, right?
15:55 < krzee> i am
15:55 < krzee> dont live there anymore, but am from there
15:55 < krzee> was born there, etc
15:55 < hyper_ch> krzee: got 20 min to spare?
15:56 < krzee> not sure about 20 uninterrupted minutes, but im not swamped at the moment
15:56 < krzee> whats up?
15:56 < krzee> im just playing with an htc diamond2, learning how to get android on it and unlock it and all that good stuff
15:56 < krzee> lotsa reading
15:57 < hyper_ch> krzee: a nice talk by Lawrence Lessig ->  http://www.netzpolitik.org/2010/lawrence-lessig-uber-bugs-in-der-us-demokratie/   thought you might be interested in
15:57 <+vpnHelper> Title: Lawrence Lessig über Bugs in der US-Demokratie : netzpolitik.org (at www.netzpolitik.org)
15:57 < krzee> (im also at work)
15:57 < hyper_ch> you use the eeeeks-word :(
15:57 < krzee> ahh, is that re: the voting machines?
15:58 < hyper_ch> no
15:58 < krzee> ahh
15:58 < bewst> I think my client needs a static IP
15:58 < hyper_ch> it's mostly about campaign sponsoring
15:58 < krzee> ahh
15:58 < krzee> even worse than that is the voting machines
15:58 < krzee> blackboxvoting.org for more info
15:59 < hyper_ch> not so sure if voting machines is worse
15:59 < krzee> they are purposely insecure
15:59 < krzee> which has been proven
16:00 < krzee> the votes dont matter because the ability to tamper with the vote is more of a feature than a security hole
16:00 < hyper_ch> it does not matter who wins elections if they do the bidding for the corps anyway
16:00 < krzee> right
16:01 < krzee> but even if the people woke up and voted for someone who would not, they would not win the election
16:01 < krzee> even if they technically should
16:01 < hyper_ch> :)
16:01 < hyper_ch> is it about Diepold?
16:02 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
16:02 < bewst> err, I think client needs to "pull"
16:06 -!- bewst [~bewst@mobile-166-137-139-212.mycingular.net] has quit [Remote host closed the connection]
16:07 -!- bewst [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has joined ##openvpn
16:12 -!- bewst [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has quit [Ping timeout: 265 seconds]
16:13 -!- MadTBone [~MadTBone@160.39.238.196] has joined ##openvpn
16:15 < ultramage> umm, so, what are the options of controlling ip assignment?
16:15 -!- JackCorleone [~Jack@201-92-54-167.dsl.telesp.net.br] has quit [Read error: Connection reset by peer]
16:16 < ultramage> found another candidate, --ifconfig-push, but not sure if that's the right way to go
16:17 < krzee> from the server, sure
16:17 < krzee> !static
16:17 <+vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
16:17 < krzee> [14:06]  <hyper_ch> is it about Diepold?
16:17 < krzee> yes
16:17 < hyper_ch> :)
16:17 < krzee> diebold, but they changed their name
16:17 < ultramage> erm, can ifconfig-push distinguish between individual clients? >>
16:17 < hyper_ch> well, having "die" in the name doesn't help
16:17 -!- King_of_Metal [~thiago@189.27.247.233.dynamic.adsl.gvt.net.br] has joined ##openvpn
16:18 < ultramage> !ccd
16:18 <+vpnHelper> ultramage: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
16:18 < krzee> i believe the video about it is called "hacking democracy"
16:18 < krzee> its a good watch if you get the time
16:19 < ultramage> what method do you use for controlling your ip address assignment?
16:20 < hyper_ch> did you listen to lessig?
16:20 < krzee> me personally, i just let it assign whatever
16:20 < krzee> but if i needed static, i would use --ifconfig-push in a ccd entry
16:21 < krzee> hyper_ch, cant, at work
16:21 < krzee> but im hoping to remember to watch it when i get home
16:21 < ultramage> alright, it looks reasonable enough, I'll try it
16:21 < hyper_ch> :)
16:21 < hyper_ch> send yourself an email :)
16:22 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
16:22 < krzee> i would, but i dont check those ;)
16:23 < hyper_ch> set your alarm on your cell phone
16:23 < krzee> still need to install an alarm app, lol
16:24 < krzee> oh shit
16:24 < krzee> i got a new chapter of jjk's book july 22 to review
16:24 < krzee> but as i mentioned i havnt been checking my email
16:24 < krzee> just saw that, dammit
16:25 < krzee> im supposed to rock through these in like 5 days, lol
16:25 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has quit [Ping timeout: 245 seconds]
16:26 < hyper_ch> :(
16:26 < krzee> Hi Jeff,
16:26 < krzee> I am sending you chapter 5 for review.
16:26 < krzee> Do acknowledge the receipt of the chapters.
16:26 < krzee> Let me know if you can send it reviewed by 26th July.
16:26 < krzee> lol
16:26 < krzee> i think july 26th is out of the question ;)
16:27 < krzee> im glad you mentioned email!
16:28 < ultramage> hmm, this is interesting: if I remove the 'client' directive (thus avoiding 'pull'), and use 'ifconfig', I am able to set my ip clientside and the server will see it
16:28 < krzee> ahh you must be using dev tap or topology subnet
16:29 < ultramage> correct
16:29 < ultramage> oh, does the server do an arp broadcast to discover the rogue client?
16:30 < ultramage> for some reason I get the feeling that this might not be the most proper way to handle this :)
16:30 < hyper_ch> btw, you like pretty pictures?
16:31 < krzee> as in sexy nekkid girls>?
16:31 < krzee> ultramage, it isnt
16:31 < ultramage> although if a client can do this, then there's no real security benefit in having the server deal out the ip addresses
16:31 -!- JackCorleone [~Jack@187.74.18.108] has joined ##openvpn
16:31 < krzee> ultramage, the client cant do it in net30
16:32 < krzee> so when security deems it necessary to give them static ips, use net30
16:32 < ultramage> O.o
16:32 < krzee> !/30
16:32 <+vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
16:32 < hyper_ch> krzee: sort of sex nekkid girls:  http://www.gifbin.com/bin/1232024489_The_size_of_planets.gif --> replace sexy nekkid girls with planets
16:33 < ultramage> I think 'subnet' is more suitable
16:33 < krzee> well, they do call it "mother" earth
16:33 -!- takamichi [~pri@78.133.14.166] has joined ##openvpn
16:33 < krzee> ultramage,in net30 the client CAN NOT possibly change its IP
16:33 < ultramage> and no, there's no need for that sort of security right now... just speaking some of my thoughts out loud :)
16:33 < krzee> ahh ok
16:36 < ultramage> hm, allowing 'pull' lets me auto-set things like ping and routes, so I'll go with the server-side assignment... it might simplify client configuration
16:36 < ultramage> although not by much~
16:37 -!- JackCorleone [~Jack@187.74.18.108] has quit [Ping timeout: 265 seconds]
16:38 < krzee> yes by much
16:38 < krzee> a ton
16:38 < krzee> in fact, if you run the server why would you care about over-riding the server?
16:39 < krzee> you should just do everything on the server, then all client configs are =
16:39 < krzee> and all settings are managed from 1 place
16:39 < krzee> thats the way to do it
16:45 < ultramage> :)
16:48 -!- JackCorleone [~Jack@187.101.51.112] has joined ##openvpn
16:49 -!- HackeMate [~HackeMate@73.Red-88-26-66.staticIP.rima-tde.net] has quit [Quit: Saliendo]
16:59 -!- donavan` [~donavan@unaffiliated/donavan] has left ##openvpn ["Leaving"]
17:03 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
17:04 < ultramage> aw geez... so openvpn cannot negotiate ad-hoc client2client connections yet, can it
17:05 < krzee> not only can it not, but nobody is working on it
17:05 < krzee> so dont expect it to happen any time soon, if ever
17:05 < krzee> it is on !wishlist tho
17:05 < ultramage> aw, darnit
17:36 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:46 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 240 seconds]
17:48 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
17:48 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
18:04 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
18:19 < krzee> !learn windows_mobile as http://ovpnppc.ziggurat29.com/ovpnppc-files.htm for windows mobile builds of openvpn
18:19 <+vpnHelper> krzee: Joo got it.
18:39 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
19:13 -!- ultramage [umage@kurobara.netvor.sk] has left ##openvpn ["hamachi will do (unfortunately)"]
20:04 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
20:09 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
20:11 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
20:12 -!- killown [~killown@unaffiliated/killown] has quit [Client Quit]
20:12 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
20:25 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
20:26 -!- SOG [~SOG@61.144.230.241] has quit [Read error: Connection reset by peer]
20:27 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
20:29 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 246 seconds]
20:30 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
20:49 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
21:11 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
21:22 < oc80z> hey whats good
21:22 < oc80z> i put together a routerboard with a couple upstreams to 3g/cdma
21:24 -!- UdontKnow is now known as E
21:25 < oc80z> so yeah, multi homed... going across a few state lines 
21:26 < oc80z> any ideas on keeping tcp streams not broke? ;]
21:26 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
21:27 -!- geek [~geek@unaffiliated/geek] has joined ##openvpn
21:55 -!- E is now known as UdontKnow
21:55 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
22:14 -!- geek [~geek@unaffiliated/geek] has quit [Quit: Saindo]
22:26 -!- cron2 [~gert@kirk.greenie.muc.de] has quit [Ping timeout: 240 seconds]
22:27 -!- cron2 [~gert@kirk.greenie.muc.de] has joined ##openvpn
22:43 -!- fate_t_harlaown [Bardiche@cg4l3001.smb.curriegrad2004.ca] has quit []
22:43 -!- fate_t_harlaown [Bardiche@cg4l3001.smb.curriegrad2004.ca] has joined ##openvpn
22:59 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:06 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
23:09 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
23:10 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
23:18 -!- fate_t_harlaown [Bardiche@cg4l3001.smb.curriegrad2004.ca] has quit [Ping timeout: 252 seconds]
23:37 -!- JackCorleone [~Jack@187.101.51.112] has quit [Ping timeout: 265 seconds]
23:49 -!- JackCorleone [~Jack@201-68-34-73.dsl.telesp.net.br] has joined ##openvpn
--- Day changed Thu Aug 05 2010
00:08 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 265 seconds]
00:10 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
00:37 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
00:43 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 246 seconds]
00:45 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
00:49 -!- buntfalke [~nobody@openvpn-p0-053.triple-a.uni-kl.de] has joined ##openvpn
00:49 -!- buntfalke [~nobody@openvpn-p0-053.triple-a.uni-kl.de] has quit [Changing host]
00:49 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
00:56 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
00:56 -!- mode/##openvpn [+o mattock] by ChanServ
01:21 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
01:22 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:43 -!- King_of_Metal [~thiago@189.27.247.233.dynamic.adsl.gvt.net.br] has quit [Ping timeout: 245 seconds]
01:48 -!- Gud [~erik@78-70-22-214-no94.business.telia.com] has joined ##openvpn
01:50 < Gud> Hi, I have a question about tunnelblick. I have set up openvpn on my server and I can connect just fine using tunnelblick. However I wonder if it's possible to route all traffic trough tunnelblick? I am currently in a country with very strict laws regarding pornography etc and I know they monitor all internet traffic.
01:51 < Gud> I suppose I need to configure IPFW in OSX somehow, if anyone has any pointers that would be great
01:51 < kraut> moin
01:55 -!- dazo_afk is now known as dazo
01:56 -!- King_of_Metal [~thiago@189.27.231.89.dynamic.adsl.gvt.net.br] has joined ##openvpn
02:31 < Bushmills> !redirec
02:31 <+vpnHelper> Bushmills: Error: "redirec" is not a valid command.
02:31 < Bushmills> !redirect
02:31 <+vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
02:31 < Bushmills> Gud: ^^^^
02:32 < Bushmills> !def1
02:32 <+vpnHelper> Bushmills: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
02:32 < Bushmills> that too
02:33 < Bushmills> optionally, if you want to be able to turn redirection off without your old default route lost
03:30 -!- Missy [~chatzilla@5354ADDF.cable.casema.nl] has joined ##openvpn
03:32 -!- Missy [~chatzilla@5354ADDF.cable.casema.nl] has quit [Client Quit]
03:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:37 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 265 seconds]
03:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 252 seconds]
03:57 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Max SendQ exceeded]
04:07 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
04:38 < tr4sk> Hi
04:43 < tr4sk> I have a problem with my openvpn
04:44 < tr4sk> I think it's an Iptables problem (not sure)
04:46 < Bushmills> thinking is good
04:46 < tr4sk> I can't ping the openvpn server but I'm able to ping two openvpn client 
04:46 < Bushmills> !firewall
04:46 <+vpnHelper> Bushmills: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
04:47 < tr4sk> Ok thx, i try this one
04:48 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
04:51 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 246 seconds]
04:54 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
04:56 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
04:58 < tr4sk> Bushmills: disabling firewall doesn't work : same problem
04:59 < tr4sk> In fact, we are able to ping between two openvpn client connected to the openvpn server
05:00 < Bushmills> therefore it looks like a firewall problem on server
05:00 < tr4sk> but we can't ping no more computer, for example the openvpn server or any other computer on the network beside the server
05:00 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
05:00 < Bushmills> ah.
05:00 < Bushmills> !route
05:00 <+vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
05:00 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
05:00 < tr4sk> ok :)
05:05 < tr4sk> Bushmills: our openvpn configuration files: http://pastebin.com/2NPMRL8V
05:06 < Bushmills> there are strong indications that the problem won't be found there. after all, your clients appear to be able to connect
05:06 < tr4sk> yes
05:07 < tr4sk> now, this is our bridge script: http://pastebin.com/9PuiYFNr
05:07 < Bushmills> !tunortap
05:07 <+vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
05:07 <+vpnHelper> Bushmills: against you over the vpn, or (#4) lan gaming? use tap!
05:09 < tr4sk> Bushmills: we want to use roadwarrior vpn style
05:09 < Bushmills> i can't tell you anything about a bridged config
05:09 < tr4sk> The client must be able to connect to the compagny's local network
05:09 -!- SOG [~SOG@61.144.230.241] has quit [Quit: SOG]
05:09 < Bushmills> you don't need bridging for that
05:10 < Bushmills> that's what this was about:
05:10 < Bushmills> !route
05:10 <+vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
05:10 < Bushmills> company lan is lan behind server
05:12 < tr4sk> Our provider doesn't allow us to edit the route setting for access to another network, so I think the bridge solution is the only one don't you think?
05:14 -!- blueboxthief [~None_of_y@86-44-102-228-dynamic.b-ras2.bbh.dublin.eircom.net] has joined ##openvpn
05:17 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:31 -!- Cain [~Geek@unaffiliated/cain] has quit [Quit: Sayaunara ^_^]
05:31 < tr4sk> Bushmills: If you find any error in this conf files, can you tell me please?
05:31 < tr4sk> http://pastebin.com/4z7aCAvf
05:33 < tr4sk> The route print with the functionnal server (our first one running under Windows Vista) and the second route print is the client one
05:34 < tr4sk> And in the second part of the file, the route print of the server which doesn't work follow by the route print of the client connected
05:41 -!- bewst [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has joined ##openvpn
05:49 -!- bewst1 [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has joined ##openvpn
05:53 -!- bewst [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has quit [Ping timeout: 265 seconds]
05:59 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
06:05 < bewst1> krzee: good news, I guess it's not a router problem?  I went to a machine behind the VPN server and did a "route add <vpn-subnet> -netmask <vpn-netmask> <vpn-server>.  Still can't view that machine's webpage or ping it from the client
06:06 < bewst1> !explain remote-cert-tls
06:06 <+vpnHelper> bewst1: Error: "explain" is not a valid command.
06:06 < bewst1> !help
06:06 <+vpnHelper> bewst1: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
06:07 < bewst1> !describe remote-cert-tls
06:07 <+vpnHelper> bewst1: Error: "describe" is not a valid command.
06:08 < bewst1> !remote-cert-tls
06:08 <+vpnHelper> bewst1: Error: "remote-cert-tls" is not a valid command.
06:09 < bewst1> !remote_cert_tls
06:09 <+vpnHelper> bewst1: Error: "remote_cert_tls" is not a valid command.
06:09 < Bushmills> http://docs.verhau.de/cgi-bin/dwww/usr/share/man/man8/openvpn.8.gz?type=man   :)
06:09 <+vpnHelper> Title: openvpn(8) - Man pages (at docs.verhau.de)
06:13 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
06:23 -!- Netsplit *.net <-> *.split quits: cpm, raw_, Nappy
06:28 -!- killermouse0 [~killermou@gsv95-1-82-233-12-23.fbx.proxad.net] has joined ##openvpn
06:29 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
06:30 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:31 -!- raw_ [~raw@chipotle118.server4you.de] has joined ##openvpn
06:47 -!- takamichi [~pri@78.133.14.166] has quit [Ping timeout: 264 seconds]
06:48 -!- takamichi [~pri@78.133.14.166] has joined ##openvpn
06:48 -!- bewst1 [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has quit [Remote host closed the connection]
06:49 -!- blueboxthief [~None_of_y@86-44-102-228-dynamic.b-ras2.bbh.dublin.eircom.net] has quit [Quit: Leaving.]
06:57 -!- bewst [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has joined ##openvpn
07:10 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
07:12 < tr4sk> Bushmills: Ok i fix my problem. Thx for taking time for me
07:14 -!- Optic [~Optic@67.205.74.218] has left ##openvpn []
07:23 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
07:28 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Quit: leaving]
07:31 -!- HackeMate [~HackeMate@73.Red-88-26-66.staticIP.rima-tde.net] has joined ##openvpn
07:31 < HackeMate> hello
07:32 < HackeMate> I have a mac 10.5.8 (powerpc), I try to run openvpn and this is the log http://pastebin.com/N2v1nEWM
07:32 < HackeMate> I had the same problem with an iPhone: it connect, get an valid IP and suppose should work
07:33 < HackeMate> but I get timeout in everywhere
07:33 < HackeMate> where can I read a log or debug mode to find a clue?
07:34 < HackeMate> sorry for the pastebin, aparently I also pasted the previous attempt where the certificate name was wrong
07:47 < krzie> pastebin is good... check your firewall
07:48 < krzie> also i see you are using redirect-gateway def1
07:48 < krzie> check your NAT and make sure server has ip forwarding on
07:48 < krzie> !redirect
07:48 <+vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
07:49 < krzie> also, your vpn subnet is huge, consider making it smaller
07:49 < krzie> if you really plan on thousands of clients, openvpn will poop out after a couple hundred anyways
07:50 < HackeMate> I am in a university network, it is huge sadly for me
07:51 < krzie> lol
07:51 < krzie> are you telling your VPN to hand out IPs that already exist in your current subnet?
07:51 < krzie> you need to give the vpn its own subnet to use
07:51 < krzie> in --server
07:51 < krzie> like server 10.8.0.0 255.255.255.0      for example
07:51 < krzie> !samesubnet
07:51 <+vpnHelper> krzie: "samesubnet" is clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
07:52 < HackeMate> we have wired and wireless connection, wifi is for non-employee so they have many ports closed, if some vip need to use all ports, they should use vpn
07:52 < krzie> thats fine, still cant be same subnet
07:52 < krzie> the vpn needs its uniq subnet
07:52 < HackeMate> I see - sorry for my unknowneldge on this thing 
07:53 < HackeMate> ok, so my first step is fix the subnet, right
07:53 < krzie> yup
07:53 < krzie> could explain why you lose connection
07:53 < HackeMate> I guess it's the external script that tunnelblick executes 
07:53 < HackeMate> those /sbin/route command
07:53 < krzie> openvpn does that
07:54 < HackeMate> configured from?
07:54 < krzie> tunnelblicks u script does things like accept pushed dns entries
07:54 < krzie> configured from your configs
07:54 < krzie> you have redirect-gateway def1
07:54 < krzie> you have server
07:54 < krzie> both of those will give routes
07:55 < krzie> as each is defined in
07:55 < krzie> !man
07:55 <+vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
07:55 < krzie> 2010-08-05 14:29:30 /sbin/route add -net 130.206.31.230 10.173.0.1 255.255.255.255
07:55 < krzie> 2010-08-05 14:29:30 /sbin/route add -net 0.0.0.0 10.150.0.17 128.0.0.0
07:55 < krzie> 2010-08-05 14:29:30 /sbin/route add -net 128.0.0.0 10.150.0.17 128.0.0.0
07:56 < krzie> those 3 come from redirect-gateway def1
07:56 < krzie> 2010-08-05 14:29:28 /sbin/ifconfig tun0 10.150.54.1 10.150.54.1 netmask 255.255.0.0 mtu 1500 up
07:56 < krzie> 2010-08-05 14:29:28 /sbin/route add -net 10.150.0.0 10.150.54.1 255.255.0.0
07:56 < krzie> those come from server
07:57 < krzie> as in --server
07:59 < HackeMate> I should find this in client.up.osx.sh then
07:59 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
08:00 < krzie> lol
08:00 < krzie> its not in there
08:00 < krzie> its your configs!
08:00 < krzie> !configs
08:00 <+vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
08:01 < krzie> you followed some howto from google, didnt you
08:01 < krzie> ill be back in a few, headed to work after i stop by the computer store
08:01 < HackeMate> my admin network gave me the openvpn.conf
08:02 < HackeMate> note the "admin network" heh
08:02 < HackeMate> www.pastebin.com/EyPyz4rM
08:02 < krzie> oh you dont even run the vpn server?
08:02 < HackeMate> no, I am only a slave 
08:02 < HackeMate> someone set up it, and I should make it working
08:02 < HackeMate> sounds stupid, yes
08:02 < krzie> a) you didnt follow configs
08:02 < krzie> !configs
08:02 <+vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
08:02 < krzie> read that again
08:03 < HackeMate> ok
08:03 < krzie> b) if you dont run the server i cant really help ya
08:03 < krzie> but that does explain why you thought the script was doing things
08:03 < HackeMate> in their defence, they say that config file and the server works perfectly under linux - I didn't checked it
08:03 < krzie> your server is pushing those routes at you
08:03 < HackeMate> aha
08:04 < krzie> and btw, osX is unix
08:04 < HackeMate> that's why i thought it were easy
08:05 < krzie> and openvpn configs for the most part are = across OS
08:05 < krzie> i say pretty much cause windows has some extra options
08:05 < krzie> and slight differences for windows paths and stuff
08:05 < HackeMate> right
08:05 < HackeMate> my surprise was it worked like a charm in iPhone
08:05 < krzie> but ya, cant help ya =/
08:05 < krzie> you need support from the server admins
08:06 < HackeMate> anyway, you gave me a clue and I can follow that way
08:06 < HackeMate> when I have some argument to them, they should at least verify it
08:06 < krzie> tell them to come here
08:06 < HackeMate> so its already not my problem by the moment
08:06 < krzie> ;]
08:06 < HackeMate> hehe :)
08:06 < krzie> if you're both here we can help
08:07 < HackeMate> sadly, they have no idea about what how chats powerful are
08:07 < krzie> anyways, bbiam
08:07 < HackeMate> I have to go and will come back soon - thanks for your help / grishnav thanks to you too from yesterday
08:15 < bewst> krzee: my last step in proof-of-concept is complete.  Needed to enable ipv4 forwarding on the VPN server
08:16 < grishnav> no prob HackeMate. sorry we didn't get it going
08:19 < bewst> err, krzie: my last step in proof-of-concept is complete.  Needed to enable ipv4 forwarding on the VPN server
08:27 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
08:30 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
08:35 -!- bewst [~bewst@207-172-223-249.c3-0.smr-ubr3.sbo-smr.ma.static.cable.rcn.com] has left ##openvpn []
08:43 < krzee> proof-of-concept...?
09:12 -!- King_of_Metal [~thiago@189.27.231.89.dynamic.adsl.gvt.net.br] has quit [Quit: Leaving]
09:15 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:45 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has joined ##openvpn
09:47 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
09:54 < ecrist> I might be a pround iphone owner soon
09:55 < ecrist> mt, sorry
09:59 -!- geek [~geek@unaffiliated/geek] has joined ##openvpn
10:00 -!- geek [~geek@unaffiliated/geek] has quit [Changing host]
10:00 -!- geek [~geek@unaffiliated/killown] has joined ##openvpn
10:00 -!- geek is now known as killown
10:04 < krzee> nice
10:18 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Ping timeout: 240 seconds]
10:19 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
10:22 -!- killown [~geek@unaffiliated/killown] has quit [Quit: Saindo]
10:37 -!- krzee [~k@unaffiliated/krzee] has left ##openvpn ["Leaving"]
10:38 -!- geek [~geek@unaffiliated/geek] has joined ##openvpn
10:43 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Quit: leaving]
10:48 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
11:00 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:03 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
11:15 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:15 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:21 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
11:27 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
11:52 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has joined ##openvpn
12:15 -!- dazo is now known as dazo_afk
12:17 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Read error: Connection reset by peer]
12:25 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
12:51 -!- dazo_afk is now known as dazo
13:15 -!- takamichi [~pri@78.133.14.166] has quit [Read error: Connection reset by peer]
13:16 -!- takamichi [~pri@78.133.14.166] has joined ##openvpn
13:18 -!- Rolybrau [~Rolybrau@4-175.3-85.cust.bluewin.ch] has joined ##openvpn
13:19 -!- Rolybrau [~Rolybrau@4-175.3-85.cust.bluewin.ch] has quit [Changing host]
13:19 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
13:22 -!- geek [~geek@unaffiliated/geek] has quit [Changing host]
13:22 -!- geek [~geek@unaffiliated/killown] has joined ##openvpn
13:22 -!- geek is now known as killown
13:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:40 -!- HackeMate [~HackeMate@73.Red-88-26-66.staticIP.rima-tde.net] has quit [Quit: Saliendo]
14:01 -!- killown [~geek@unaffiliated/killown] has quit [Remote host closed the connection]
14:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 252 seconds]
14:03 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
14:11 -!- geek [~geek@unaffiliated/geek] has joined ##openvpn
14:20 -!- killermouse0 [~killermou@gsv95-1-82-233-12-23.fbx.proxad.net] has quit [Ping timeout: 276 seconds]
14:24 -!- Cephalon [~Cephalon@cephalon.teilar.gr] has joined ##openvpn
14:27 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:28 < Cephalon> hello ppl, i have a openvpn server with two clients, i can ping one client from another and the server but server can't ping the clients, any ideas??
14:29 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
14:31 -!- takamichi [~pri@78.133.14.166] has quit [Ping timeout: 265 seconds]
14:31 -!- killermouse0 [~killermou@gsv95-1-82-233-12-23.fbx.proxad.net] has joined ##openvpn
14:36 -!- takamichi [~pri@78.133.14.166] has joined ##openvpn
14:37 < krzee> what ip are you trying to ping
14:41 -!- dazo is now known as dazo_afk
14:42 < Cephalon> krzee: i try to ping the openvpn clients
14:42 < Cephalon> from server
14:42 -!- geek [~geek@unaffiliated/geek] has quit [Quit: Saindo]
14:43 -!- killown [~geek@unaffiliated/killown] has joined ##openvpn
14:43 < krzee> thats not an ip
14:43 < Cephalon> ok
14:43 < Cephalon> server 10.10.20.1
14:44 < Cephalon> client1 10.10.20.6
14:44 < Cephalon> client2 10.10.20.10
14:44 < krzee> ok
14:44 < krzee> making sure you didnt get confused by the net30 =]
14:44 < Cephalon> i try from 10.10.20.6 to ping 1 and 10
14:44 < Cephalon> and i get response 
14:45 < Cephalon> from 10 i can ping 6 and 1 successfully 
14:45 < Cephalon> but from 1 i can't ping anyone
14:45 < Cephalon> what do you mean confused by net??
14:46 < Cephalon> if you need configs or routing tables let me pastebin for you
14:46 < Cephalon> just tell me
14:48 < krzee> i just meant that some people get confused with each client having a /30 and try to ping .5, etc
14:48 < krzee> i would say it sounds like a firewall issue
14:49 < Cephalon> firewall from witch side??
14:49 < krzee> turn openvpn debug up to 5
14:49 < krzee> verb 5
14:49 < krzee> it will show all reads and writes as RW
14:50 < krzee> very helpful in answering that question
14:50 < Cephalon> i will try
15:12 -!- rawDawg [~rawdawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
15:12 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
15:14 -!- bandini [~bandini@host184-104-dynamic.45-79-r.retail.telecomitalia.it] has joined ##openvpn
15:15 < Cephalon> krzee: i try with tcpdump and i have seen tha the server try to send to icmp packet with the real ip address not the 10.10.20.1
15:16 < Cephalon> why is that
15:16 < Cephalon> :S:S
15:16 < krzee> ahh
15:17 < krzee> no idea, something wrong in the os somewhere
15:17 < krzee> ive only seen the reverse happen
15:17 < krzee> you can work-around by sharing the server lan if you want
15:17 < krzee> !serverlan
15:17 <+vpnHelper> krzee: "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
15:18 < krzee> if you find the setting in your OS that is making that happen, ild be interested to know it
15:20 < Cephalon> krzee: okzz i ll inform you
15:20 < Cephalon> ;)
15:25 -!- rawDawg [~rawdawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
15:26 < Cephalon> krzee: do you have any example config that the ping between server and client works to see??
15:29 -!- takamichi [~pri@78.133.14.166] has quit [Ping timeout: 276 seconds]
15:30 -!- takamichi [~pri@94-23-148-250.ovh.net] has joined ##openvpn
15:44 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
15:48 -!- xenol [~xenol@leandra.ynet.sk] has joined ##openvpn
15:49 < xenol> hello, i am trying tunnel ipv6 over tap device. i assign ipv6 addresses on both endpoints of tunnel, but i cannot ping the other v6 address of the endpoint. any advices/howtos to do it (i have tried and looked, but tun is used with sit, which i don't want)
15:50 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.8/20100722155716]]
15:59 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
16:01 -!- Cephalon [~Cephalon@cephalon.teilar.gr] has quit [Ping timeout: 265 seconds]
16:02 -!- Cephalon [~Cephalon@cephalon.teilar.gr] has joined ##openvpn
16:02 -!- takamichi [~pri@94-23-148-250.ovh.net] has quit [Ping timeout: 258 seconds]
16:02 -!- takamichi [~pri@78.133.14.166] has joined ##openvpn
16:06 -!- bandini [~bandini@host184-104-dynamic.45-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
16:06 -!- xenol [~xenol@leandra.ynet.sk] has left ##openvpn []
16:15 -!- scyld [~krajcong@unaffiliated/wasyl] has quit [Ping timeout: 265 seconds]
16:15 -!- scyld [~krajcong@unaffiliated/wasyl] has joined ##openvpn
16:16 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Ping timeout: 276 seconds]
16:18 -!- JackCorleone [~Jack@201-68-34-73.dsl.telesp.net.br] has quit [Ping timeout: 265 seconds]
16:22 -!- boswarrior [~mrnice@84.115.26.221] has joined ##openvpn
16:30 -!- JackCorleone [~Jack@187.57.70.117] has joined ##openvpn
16:35 -!- intralanman [~lanman@va-67-76-163-226.sta.embarqhsd.net] has quit [Ping timeout: 264 seconds]
16:39 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
16:40 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 276 seconds]
16:43 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
16:46 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
16:47 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
17:11 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
17:23 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 4.0b2/20100720180617]]
17:31 -!- Optic [~Optic@67.205.74.218] has joined ##openvpn
17:34 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Quit: Leaving.]
17:37 -!- boswarrior [~mrnice@84.115.26.221] has quit [Remote host closed the connection]
17:52 -!- JackCorleone [~Jack@187.57.70.117] has quit [Ping timeout: 245 seconds]
17:58 -!- ax_ [~sc@cpc7-watf9-2-0-cust451.know.cable.virginmedia.com] has joined ##openvpn
17:59 < ax_> Having some problems setting up openvpn on ubuntu (IOCADDRT: File exists -- Thu Aug  5 23:57:59 2010 ERROR: Linux route add command failed: external program exited with error status: 7) -- have set it up fine on other distros so I know it's not a problem with my config...
18:00 < ax_> any ideas how to fix this? googling has lead me to believe it's very common, but i cannot find a solution...
18:00 < kajl> are you running openvpn as root?
18:01 -!- Anton1 [~aaaa@93.178.71.110] has joined ##openvpn
18:02 < ax_> kajl - yes
18:04 < ax_> kajl - ah just fixed it.
18:04 -!- JackCorleone [~Jack@187.101.52.88] has joined ##openvpn
18:04 < ax_> Apparently "openvpn whatever.conf" caused the problem, but running "service openvpn start" seems to work fine
18:04 < kajl> great
18:05 < ax_> I always test the connection first by using "openvpn <configfile>" as I get the useful debug output
18:05 < ax_> ah well, that's that then, thanks anyway.
18:07 -!- tkonto [~tkonto@cpe-77-83-205-49-dsl.netone.gr] has joined ##openvpn
18:08 < tkonto> hello all... any links to the following...?   two groups of clients... all of them with certificates... I need group A to receive DHCP from one network range and group B to receive DHCP from another network range... all with one openvpn instance... 
18:30 -!- tkonto [~tkonto@cpe-77-83-205-49-dsl.netone.gr] has left ##openvpn []
18:55 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 245 seconds]
18:56 -!- Irssi: ##openvpn: Total of 95 nicks [2 ops, 0 halfops, 1 voices, 92 normal]
18:57 -!- ecrist changed the topic of ##openvpn to: OpenVPN 2.1.1 Most Current || 2.2beta on the horizon || Your problem is your firewall, really. || Type  !welcome  before asking your questions. || Web Forum: http://ovpnforum.com || Developers: #openvpn-devel
19:07 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
19:27 -!- ax_ [~sc@cpc7-watf9-2-0-cust451.know.cable.virginmedia.com] has quit [Ping timeout: 245 seconds]
19:35 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
19:37 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
20:13 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
20:15 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
20:37 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
21:25 -!- protien [~pro@ppp118-210-196-25.lns20.adl6.internode.on.net] has joined ##openvpn
21:39 -!- protien [~pro@ppp118-210-196-25.lns20.adl6.internode.on.net] has quit [Ping timeout: 265 seconds]
21:39 -!- rawDawg [~rawdawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
21:53 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
22:13 -!- rawDawg [~rawdawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
22:25 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
22:58 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
22:58 -!- protien [~pro@ppp118-210-196-25.lns20.adl6.internode.on.net] has joined ##openvpn
23:07 -!- Cephalon [~Cephalon@cephalon.teilar.gr] has quit [Ping timeout: 240 seconds]
23:10 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
23:37 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has quit [Ping timeout: 265 seconds]
--- Day changed Fri Aug 06 2010
00:12 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Ping timeout: 276 seconds]
01:15 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:15 -!- mode/##openvpn [+o mattock] by ChanServ
01:29 -!- dazo_afk is now known as dazo
01:29 -!- killown [~geek@unaffiliated/killown] has quit [Quit: Saindo]
01:38 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
01:40 -!- SOG [~SOG@61.144.230.241] has quit [Read error: Connection reset by peer]
01:41 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
01:41 -!- SOG [~SOG@61.144.230.241] has quit [Read error: Connection reset by peer]
01:42 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
01:50 -!- Cephalon [~Cephalon@cephalon.teilar.gr] has joined ##openvpn
01:50 -!- Cephalon [~Cephalon@cephalon.teilar.gr] has quit [Read error: Connection reset by peer]
01:52 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:09 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Ping timeout: 265 seconds]
02:12 -!- MadTBone [~MadTBone@160.39.238.196] has joined ##openvpn
03:02 -!- mattock1 [~samuli@dyn55-11.yok.fi] has joined ##openvpn
03:02 -!- mode/##openvpn [+o mattock1] by ChanServ
03:02 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
03:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
04:25 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
04:39 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:50 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
05:02 -!- blueboxthief [~None_of_y@86-44-102-228-dynamic.b-ras2.bbh.dublin.eircom.net] has joined ##openvpn
05:04 -!- quagsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
05:45 -!- JackCorleone [~Jack@187.101.52.88] has quit [Ping timeout: 245 seconds]
05:45 -!- SOG [~SOG@61.144.230.241] has quit [Quit: SOG]
05:48 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
05:57 -!- JackCorleone [~Jack@201-92-44-12.dsl.telesp.net.br] has joined ##openvpn
06:07 -!- HackeMate [~HackeMate@73.Red-88-26-66.staticIP.rima-tde.net] has joined ##openvpn
06:07 < HackeMate> morning
06:08 < HackeMate> if I have a openvpn server (that I can't admin) sending a wrong script commands, can I fix it with another script adding the proper route parameters?
06:09 < hyper_ch> HackeMate: what do you mean?
06:10 -!- star314 [~star314@beigelbeck-nb.isas.tuwien.ac.at] has joined ##openvpn
06:10 < HackeMate> when I connect to vpn server I get this debug: www.pastebin.com/r609uzBx - some guy from this channel told me there is an error in its configuration because the server is not properly configured
06:11 < HackeMate> the fact is I can't surf, seems a dns error
06:11 < HackeMate> so my question is if I can resolv it without modify the openvpn server
06:11 < HackeMate> in network preferences i see a new search domain: 'openvpn'
06:14 < HackeMate> sorry for my english
06:16 < hyper_ch> that pastebin is empty
06:17 < HackeMate> http://pastebin.com/qiTd48VK
06:19 < hyper_ch> no clue
06:20 < HackeMate> :)
06:20 < HackeMate> plan b: can I change the vpn port?
06:24 < Bushmills> yes. port is specified in both client and server config
06:31 < HackeMate> can be changed on client too?
06:36 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:38 -!- JackCorleone [~Jack@201-92-44-12.dsl.telesp.net.br] has quit [Quit: Saindo]
06:49 < Bushmills> it has to
06:50 < Bushmills> destination port, that is.  for source port, check out the --nobind option
06:52 < HackeMate> starting the service it says my local uses uses common subnet, shall I reconfigure my router?
06:52 < HackeMate> its only for personal use with iphone
06:58 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 264 seconds]
07:15 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
07:33 -!- HackeMate [~HackeMate@73.Red-88-26-66.staticIP.rima-tde.net] has quit [Remote host closed the connection]
07:54 -!- dazo is now known as dazo_afk
08:01 < krzie> i didnt say it was an error in the server, i said we cant help you by only seeing the client, and that you need to get help from the guys who run the server, or get them in here too
08:06 -!- quagsppadic is now known as borgsppadic
08:12 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 265 seconds]
08:27 -!- sigi [~sigius@93.125.185.45] has joined ##openvpn
08:29 -!- JackCorleone [~Jack@201-92-44-12.dsl.telesp.net.br] has joined ##openvpn
08:30 -!- RedShift [~glenn@apollo.webmind.be] has joined ##openvpn
08:30 < RedShift> hi all
08:30 < RedShift> !welcome
08:30 <+vpnHelper> RedShift: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:32 < RedShift> Hi all
08:32 < RedShift> I have a problem with clients connecting to my openvpn server
08:32 < RedShift> this is my configuration: http://www.pastebin.org/450933
08:33 < RedShift> I'm getting the following messages on the client log: Fri Aug 06 15:33:11 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1) (repeats infinitely)
08:33 < RedShift> on the server I get the opposite: Aug  6 15:33:31 fcs1 openvpn[2086]: PUSH: Received control message: 'PUSH_REQUEST'
08:34 < RedShift> these messages repeat untill I break the connection
08:34 < RedShift> the vpn connection does not work
08:34 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
08:39 < krzie> ahh we've seen this
08:39 < krzie> it got patched in newer versions
08:40 < krzie> comes from you pulling, but not pushing anything
08:40 < krzie> dazo made the NO SOUP FOR YOU patch to fix it
08:40 < RedShift> yeah the pull option wasn't there earlier, added it to try and test if that would solve my problem
08:40 < krzie> if you remove pull and client, and add tls-client you should be fine
08:41 < krzie> nope, client implies --pull
08:41 < krzie> so adding pull changed nothing, you alread had it
08:41 < krzie> already*
08:41 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
08:41 < RedShift> what versions of openvpn have this bug?
08:41 < krzie> all but dev branch
08:42 < krzie> !snapshots
08:42 <+vpnHelper> krzie: "snapshots" is (#1) weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn, or (#2) by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch
08:42 < krzie> soon 2.2 beta will come out, which will not have it
08:42 < RedShift> ah thanks
08:42 < krzie> np
08:42 < RedShift> replaced client with tls-client and it works
08:42 < krzie> yup =]
08:42 < RedShift> been search for this problem for two days now... 
08:43 < RedShift> searching with google was a pain because those messages pop up frequently as they're part of the normal process
08:43 < RedShift> thanks for the help
08:44 < krzie> ahh ya that sounds like a PITA
08:44 < krzie> no problem =]
08:52 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
08:57 -!- star314 [~star314@beigelbeck-nb.isas.tuwien.ac.at] has quit [Quit: Leaving]
09:03 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
09:08 -!- JackCorleone [~Jack@201-92-44-12.dsl.telesp.net.br] has quit [Quit: Saindo]
09:12 < Optic> have any of you guys messed with Coyote Point load balancers?
09:12 -!- Bombo [~bombo@dslb-084-062-237-244.pools.arcor-ip.net] has left ##openvpn []
09:32 -!- SOG [~SOG@183.1.154.83] has joined ##openvpn
09:38 -!- Anton1 [~aaaa@93.178.71.110] has quit []
09:46 -!- killown [~geek@unaffiliated/killown] has joined ##openvpn
09:55 -!- SOG_ [~SOG@183.1.148.111] has joined ##openvpn
09:56 -!- fbh [fbh@unaffiliated/fbh] has quit [Remote host closed the connection]
09:58 -!- SOG [~SOG@183.1.154.83] has quit [Ping timeout: 276 seconds]
09:58 -!- SOG_ is now known as SOG
10:04 -!- krzy [nobody@hemp.ircpimps.org] has joined ##openvpn
10:04 -!- krzie [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
10:05 -!- krzy [nobody@hemp.ircpimps.org] has quit [Remote host closed the connection]
10:05 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
10:05 < kisom> once again, i have free internet thanks to openvpn ;)
10:07 < krzie> =]
10:14 -!- tjz [~pc@bb116-14-173-172.singnet.com.sg] has joined ##openvpn
10:14 -!- tjz [~pc@bb116-14-173-172.singnet.com.sg] has quit [Changing host]
10:14 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
10:18 < krzie> i was at a girls house fixing her wireless (her roommate got her neighbors WEP)... so i cracked the wep and got in the router, then saw that her MAC was on a block list
10:18 < krzie> unblocked her, changed the router PW
10:18 < krzie> (it was her roommate who blocked her, because she didnt wanna have sex with him, lol)
10:18 < krzie> then i blocked him, but he changed his MAC
10:19 < krzie> then i notice that he is trying to scan me, but of course that was not working (i only made an exception in my proxification for the router, not for the entire lan, so his scans were being answered over my proxy, so just disapeering)
10:20 < krzie> next day he tells her that i am famous... i guess he saw that all my traffic was going over port 1194 udp, so he checked it out, read about openvpn, and found my routing paper
10:20 < krzie> that was lulz
10:20 < krzie> now that i know he is laying with peoples traffic like that i need to go back over there some day and really play with him
10:22 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
10:32 -!- Thorn [~thorn@unaffiliated/thorn] has joined ##openvpn
10:32 < Thorn> hello
10:33 < Thorn> how do I disable all pki/key auth for testing? 
10:34 < Thorn> (mode server)
10:34 < krzie> !authpass
10:34 <+vpnHelper> krzie: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
10:34 < krzie> maybe that what you want
10:34 < krzie> if not, and you want NO security
10:34 < krzie> just dont use the pki config options
10:35 < krzie> but you cant for mode server iirc
10:35 < krzie> just ptp i believe
10:36 < Thorn> that's right, it complains of missing --dh
10:37 < Thorn> will try that in a second thanks
10:37 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
10:42 < kisom> holy shit i have to turn off ssh this weekend
10:43 < kisom> 70cl 80% alcohol vodka
10:43 < kisom> no port 22 after 19 oclock
10:48 < krzie> lol
10:49 < Thorn> nope, still asks for dh / ca / etc even with auth-user-pass-verify and client-cert-not-required
10:50 -!- killown [~geek@unaffiliated/killown] has quit [Quit: Saindo]
10:52 -!- borgsppadic is now known as macsppadic
10:53 < Thorn> ah there're some sample certs, good
10:53 -!- killown [~geek@unaffiliated/killown] has joined ##openvpn
11:05 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
11:05 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Quit: leaving]
11:07 -!- blueboxthief [~None_of_y@86-44-102-228-dynamic.b-ras2.bbh.dublin.eircom.net] has quit [Quit: Leaving.]
11:07 -!- killown [~geek@unaffiliated/killown] has quit [Quit: Saindo]
11:14 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:33 < Thorn> ok so my windows client doesn't work
11:33 -!- openvpn2009 [~admin@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
11:33 -!- mode/##openvpn [+o openvpn2009] by ChanServ
11:33 < Thorn> just connected from linux, thought that was a server firewall problem but it's not
11:35 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
11:40 -!- JackCorleone [~Jack@201-92-44-12.dsl.telesp.net.br] has joined ##openvpn
11:40 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:43 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Remote host closed the connection]
11:44 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
11:44 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
11:45 < krzie> could be windows firewall
11:47 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 4.0b2/20100720180617]]
11:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:50 -!- killown [~geek@unaffiliated/killown] has joined ##openvpn
11:51 < Thorn> it asks for login/password and times out, tcpdump shows no traffic on server
11:52 < Thorn> but my linux connection also has problems, I can't ping vpn server (10.8.0.1) from client, tcpdump on server shows port 1194 traffic from client but not back
11:52 < krzie> login/password before a connection is when you passphrase protect your private key of your certs
11:52 < Thorn> no shorewall messages on server and police has ACCEPT
11:53 < Thorn> there is no passphrase, I use sample client.crt
11:53 < krzie> i know nothing of the sample cert, but i do know what i told you
11:53 -!- killown [~geek@unaffiliated/killown] has quit [Client Quit]
11:54 < krzie> did you enable passwords with auth-user-pass-verify?
11:54 < Thorn> well linux client does connect using it and it doesn't ask for any passphrase
11:54 < Thorn> no I did not
11:54 < krzie> (which you would not be prompted for until connection was begun)
11:54 < krzie> ok, then the only password you can be asked for is for the private key
11:54 < krzie> oh unless you need to auth to root to start it
11:55 < Thorn> I'm currently more worried about my linux connection because it does get established but doesn't ping
11:55 < Thorn> linux / linux connection that is, the server is linux
11:56 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
11:58 < krzie> !configs
11:58 <+vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
11:59 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
12:02 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
12:03 < Thorn> krzee: http://pastebin.com/3vq9i8eV
12:09 -!- killown [~geek@unaffiliated/killown] has joined ##openvpn
12:11 < Thorn> oops, tab completion fail
12:20 < Thorn> I started tcpdump -i tun0 on both ends, when I ping server from client, only client shows traffic (echo requests) and vice versa
12:26 < Bushmills> what do you ping?
12:27 < Thorn> 10.8.0.x (vpn interfaces)
12:28 < Bushmills> x is not a valid part of an ip address.  try pinging 10.8.0.1
12:29 < Thorn> um that's what I do. from client, ping 10.8.0.1 . from server, ping 10.8.0.6
12:30 < Bushmills> the resulting echo requests you don't see on server tun0?
12:30 < Thorn> the echo requests don't make it to the other end in either case but I do see port 1194 traffic on the other end though
12:30 < Bushmills> check client route, or firewall
12:31 < Thorn> routes seem ok, no firewall messages in logs
12:32 < Bushmills> did client obtain that 10.8.0.6 ip address from server, when connecting to it?
12:32 < Thorn> yes it did
12:33 < Thorn> this is from client /sbin/ip addr: inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0
12:33 < Bushmills> how many rules are in your client routing table, with tun0 as destination interface?
12:34 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined ##openvpn
12:34 < grendal_prime> hey guys anyone know of a good way to simulate hundreds of connections to a box?  Like a honey pot type app or streasstest type deal?
12:36 < grendal_prime> i have a really nice virtual enviroment...i was looking at honeyd but..well figured id ask here first.
12:36 < Bushmills> grendal_prime: offer free keys for accessing your openvpn server as gateway into the net
12:37 < grendal_prime> ya. well i really dont ummm hmm not that i disslike that approach...but ..ya others..well they will say no.. We already do that in the production enviroment hahaha
12:38 < Bushmills> convince them that test condition on the test server need to be similar to identical
12:38 < Thorn> Bushmills: 3, one for 10.8.0.5, one for 10.8.0.1, and one for 192.168.2.0/24 (server config has a push line for that)
12:38 < Bushmills> "for"?
12:39 < Bushmills> or "to"?
12:39 < Bushmills> oh well, doesn't matter. route to 10.8.0.1 is there, that's important for now
12:40 < Bushmills> increase log verbosity, restart, reconnect, check logs
12:40 < Thorn> it is there, 10.8.0.1 via 10.8.0.5 dev tun0
12:40  * Bushmills needs to run
12:40 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
12:40 < Thorn> verbosity is 4, nothing interesting
12:40 < Thorn> need more?
12:42 < krzie> and one for 192.168.2.0/24 (server config has a push line for that)
12:43 < krzie> are you on the same lan during testing?
12:43 < Thorn> no
12:43 < Thorn> the server is remote
12:43 < krzie> ok
12:43 < krzie> and the client lan uses a different subnet, right?
12:44 < Thorn> my lan here only has 192.168.1.0/24
12:44 < Thorn> the server has 3 lan segs connected to it, .1.0/24, .2.0/24 and .3.0/24
12:45 < Thorn> so there's 192.168.1.0/24 at both ends but I can't see if this is the prob
12:46 < Thorn> the serverside .1.0 segment has .1.1 (DSL modem = default gateway) and .1.2 (server interface) btw
12:56 -!- brah [~asdofp@190.7.0.81] has joined ##openvpn
12:59 < Thorn> I wonder why the problem is symmetrical
13:00 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:03 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
13:03 < Thorn> lots of this in the logs: Bad LZO decompression header byte: 42
13:06 < Thorn> huh
13:06 < Thorn> comp-lzo was the culprit
13:07 < Thorn> I hate myself
13:15 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Quit: Ex-Chat]
13:25 -!- fbh_ [fbh@lucifer.frands.net] has joined ##openvpn
13:26 -!- killown is now known as geek
13:26 -!- geek [~geek@unaffiliated/killown] has quit [Changing host]
13:26 -!- geek [~geek@unaffiliated/geek] has joined ##openvpn
13:36 -!- geek [~geek@unaffiliated/geek] has quit [Quit: Saindo]
13:36 -!- kyuubi [~kyuubi@unaffiliated/kyuubi] has joined ##openvpn
13:37 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
13:38 < Thorn> is there no negotiation in the protocol btw?
13:40 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
13:49 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Ping timeout: 260 seconds]
13:50 < Thorn> I've got this error when importing a config file in the windows client: http://pastebin.com/hRNCEKmH
13:50 < Thorn> and it's not called as.conf either
13:50 < Thorn> same config file works in linux
13:51 < Thorn> (I renamed it from .conf to ,ovpn for windows)
13:54 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
14:02 < kisom> druuunk!!
14:03 < kisom> shit, tahtst 80% alcohole volume vodka was DAMN strong
14:03 < kisom> krzie: 
14:08 < Thorn> it can't be vodka
14:14 -!- hello [~unixtoy@rrcs-76-79-204-178.west.biz.rr.com] has joined ##openvpn
14:15 < hello> my labtop gets a IP address 
14:15 < hello> as show in the logs 
14:15 < hello> FCONFIG POOL: base=192.168.1.222 size=4
14:15 < hello> I get dns entries via ipconfig
14:16 < hello> I can ping 192.168.1.222 
14:16 < hello> from the labtop 
14:16 < hello> but I can't ping any other public or private ips
14:16 < hello> bridge has been create
14:16 < hello> br0
14:16 < hello> and tap0
14:16 < hello> device was also create
14:16 < hello> I don
14:16 < hello> I don't see why I can't ping
14:17 < hello> I even did the firewall configuration
14:17 < hello> any idea
14:17 < hello> ?
14:18 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined ##openvpn
14:18 < hello> ivenkys are you any good with openvpn
14:19 < ivenkys> hello: depends on the question
14:19 < ivenkys> i run openvpn on openbsd and use it everyday , so there
14:19 < hello> ok
14:19 < hello> on my labtop I get a ip address
14:19 < hello> it also shows in the logs
14:19 < hello> IFCONFIG POOL: base=192.168.1.222 size=4
14:20 < hello> i use ipconfig on my labtop and it shows the right gateway 192.168.1.1
14:20 < hello> corrects dns entries..
14:20 < hello> correct netmask
14:20 < hello> but I can't ping anything except the ip address I was assign
14:21 < ivenkys> you can't ping anything behind the VPN network .. right ?
14:21 < hello> right
14:21 < ivenkys> routes.. 
14:21 < ivenkys> thats the first thing you need to look for
14:21 < hello> I did the sample routes for the firewall
14:22 < hello> because the firewall MASQUADE and VPN are all on the same host
14:22 < ivenkys> not for the firewall - but for your laptop - 
14:22 < hello> it's DHCP..
14:22 < hello> no firewall
14:23 < ivenkys> sorry - thats not what i am saying -.. 
14:23 < ivenkys> i am assuming that your laptop gets its initial IP from some other addess .. is that correct ?
14:23 < hello> it does and everything works fine.. Until I connect to the vpn..
14:24 < hello> then the connection dies
14:24 < hello> so I know the connection to the internet is good 
14:24 < hello> from that point
14:25 < ivenkys> so now you have 2 connections , one the original which gives you an IP address in a specified range and you have the VPN connection which needs to give you a different IP address 
14:25 < hello> correct
14:26 < ivenkys> when you receive a packet from the VPN connection you have to setup ur iptables to know how to route the packets back to that connection
14:26 < ivenkys> this is obviously after all the firewall etc. are setup correctly
14:26 < hello> I use these
14:26 < hello> iptables -A INPUT -i tap0 -j ACCEPT
14:26 < hello> iptables -A INPUT -i br0 -j ACCEPT
14:26 < hello> iptables -A FORWARD -i br0 -j ACCEPT
14:27 < hello> the firewall has one public ip ..
14:27 < ivenkys> do route show on the command prompt
14:27 < hello> and handles the internal private ip's fine
14:28 < hello> If I do routes 192.168.1.0     *               255.255.255.0   U     0      0        0 br0
14:28 < hello> and it has my default gw
14:28 < hello> everything looks OK
14:28 < hello> one thing ...
14:29 < ivenkys> nope that doesn;'t look ok - where are the routes for your VPN connection
14:30 < ivenkys> you should be having 2 different routes there - one for the VPN connection and the other for the "normal" connection both with different IP's
14:30 < hello> so I need to add a route for br0 ?
14:31 < ivenkys> i dont know what br0 is  - 
14:31 < hello> it's for  Ethernet bridge
14:31 < ivenkys> but conceptually you have 2 interfaces with 2 different IP address range - both need to know how to communicate 
14:32 < hello> I am using the same network ip range
14:32 < ivenkys> whatever for .. ?
14:32 < hello> k
14:33 < hello> thought it would be easier
14:34 < hello> just keep everything the same
14:34 < ivenkys> i suggest this document - http://blog.innerewut.de/2005/07/04/openvpn-2-0-on-openbsd
14:34 <+vpnHelper> Title: BlogFish: OpenVPN 2.0 on OpenBSD (at blog.innerewut.de)
14:34 < hello> thanks
14:34 < hello> I will look over it now
14:34 < ivenkys> hello: if you have keep everything same then how are the packets to know where to go -
14:34 < ivenkys> think of it as 2 different houses with the same address - where is your postman going to go
14:35 < hello> true..
14:35 < hello> Ok gotcha
14:35 < hello> thanks
14:35 < hello> :-)
14:35 -!- RedT0mt0m [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has quit [Read error: Connection reset by peer]
14:36 < ivenkys> np
14:41 < kisom> oh shit
14:41 -!- RedT0mt0m [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has joined ##openvpn
14:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
14:56 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
15:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:33 -!- mattock1 [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:50 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
15:55 -!- dougy [Douglas@ool-435033e6.dyn.optonline.net] has joined ##openvpn
15:55 < dougy> howto
15:55 < dougy> howdy
16:23 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined ##openvpn
16:23 < grendal_prime> ok doing something werid here
16:23 < dougy> oh
16:24 < |Mike|> TEH DOUGY !
16:24 < grendal_prime> making one machine conect to the server like 5 times..(5 clients basically) now i need to use each one of those connections to randomely send data to.
16:24 < dougy> ohi
16:24 < grendal_prime> the server..
16:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
16:24 < grendal_prime> now im using config-persist-pool
16:25 < grendal_prime> sorry
16:25 < grendal_prime> ifconfig-pool-linear
16:25 < grendal_prime> only one of the connections (tun0) on the client is going to work of course
16:33 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Quit: Ex-Chat]
16:36 -!- Bloodsong [~Nimbus@bas2-toronto02-1177972072.dsl.bell.ca] has joined ##openvpn
16:38 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
16:54 < krzie> lol @ wanting 5 connections to 1 vpn server
16:57 < dougy> lol
16:57 < dougy> hey jeff
16:57 < krzie> hey dougy
16:57 < dougy> what up
16:57 < krzie> you see the forum is moving?
16:57 < dougy> yea
16:57 < krzie> http://ovpnforum.com/viewtopic.php?f=1&t=6790
16:57  * dougy shrugs
16:57 <+vpnHelper> Title: OpenVPN Forum View topic - OpenVPN Forums Moving! (at ovpnforum.com)
16:57 < dougy> Total posts 506 | Total topics 166 | Total members 3894 | Our newest member Ferloattblers
16:58 < krzie> hey man its a good thing =]
16:58 < dougy> 40 actual users
16:58 < dougy> 3850 spam bots
16:58 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
16:58 < |Mike|> cute.
17:30 -!- SOG [~SOG@183.1.148.111] has quit [Quit: SOG]
17:52 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 246 seconds]
17:55 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
17:56 -!- RedShift [~glenn@apollo.webmind.be] has quit [Ping timeout: 246 seconds]
17:56 -!- RedShift [~glenn@apollo.webmind.be] has joined ##openvpn
17:56 -!- Netsplit *.net <-> *.split quits: RedShift
18:02 -!- Netsplit over, joins: RedShift
18:04 < krzie> !android
18:04 <+vpnHelper> krzie: Error: "android" is not a valid command.
18:04 < dougy> yo
18:04 < dougy> dawg
18:05 < dougy> im bored
18:05 < krzie> cool, go find me info on openvn on android
18:05 < krzie> ;]
18:06 < dougy> http://android.modaco.com/content/software/291919/openvpn-on-android/
18:06 <+vpnHelper> Title: OpenVPN on android - Android @ MoDaCo (at android.modaco.com)
18:06 < dougy> http://googleads.sgdoubleclick.net/pagead/nclk?sa=L&ai=1&fadurl=googleads.g.doubleclick.net&u=http%3A%2F%2Fwww.androidzoom.com%2Fandroid_applications%2Fcommunication%2Fopenvpn-installer_epia.html&aclck=http%3A%2F%2Fwww.fullsearchengine.net%2Findex.php%3Fsearch%3Dopenvpn%2Bfor%2Bandroid
18:07 <+vpnHelper> Title: OpenVPN Installer for Android (at googleads.sgdoubleclick.net)
18:07 < dougy> er
18:07 < dougy> http://www.androidzoom.com/android_applications/communication/openvpn-installer_epia.html
18:07 <+vpnHelper> Title: OpenVPN Installer for Android (at www.androidzoom.com)
18:07 < krzie> lol
18:07 < dougy> the androidzoom.com looks good
18:12 < krzie> that one costs
18:14 -!- kyuubi [~kyuubi@unaffiliated/kyuubi] has quit [Quit: Saindo]
18:15 < dougy> welll
18:15 < dougy> i dunno
18:15 < dougy> lol
18:16 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
18:17 < krzie> no worries ;]
18:17 < krzie> you'll see the final solution in !android later
18:17 < krzie> hehe
18:18 < dougy> my fukn foot hurts
18:20 < krzie> =[
18:21 < krzie> those pictures hurt me just to look at
18:23 < krzie> http://github.com/fries/android-external-openvpn/downloads
18:23 < krzie> =]
18:23 <+vpnHelper> Title: Downloads for fries's android-external-openvpn - GitHub (at github.com)
18:47 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
19:15 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
19:30 -!- SOG [~SOG@183.1.148.111] has joined ##openvpn
19:42 -!- sigi [~sigius@93.125.185.45] has quit [Ping timeout: 264 seconds]
19:55 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
20:29 -!- Bloodsong [~Nimbus@bas2-toronto02-1177972072.dsl.bell.ca] has quit [Ping timeout: 265 seconds]
20:51 -!- Bloodsong [~Nimbus@bas2-toronto02-1177972072.dsl.bell.ca] has joined ##openvpn
21:02 -!- Bloodsong [~Nimbus@bas2-toronto02-1177972072.dsl.bell.ca] has quit [Ping timeout: 265 seconds]
21:30 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 258 seconds]
21:46 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
22:08 -!- brah [~asdofp@190.7.0.81] has quit [Remote host closed the connection]
22:42 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
22:54 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
22:55 -!- rasengan [~rasengan@96.43.136.14] has quit [Quit: WeeChat 0.3.2]
22:59 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
23:06 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
23:34 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
--- Day changed Sat Aug 07 2010
00:03 -!- dougy [Douglas@ool-435033e6.dyn.optonline.net] has quit []
00:38 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
01:10 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:14 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
02:57 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: Connection reset by peer]
03:06 -!- chendry [~chendry@173-203-99-175.static.cloud-ips.com] has joined ##openvpn
03:10 -!- chendry [~chendry@173-203-99-175.static.cloud-ips.com] has quit [Client Quit]
03:13 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
03:37 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:52 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
03:52 -!- mode/##openvpn [+o mattock] by ChanServ
03:59 -!- grapsus [~grapsus@233.161.194-77.rev.gaoland.net] has joined ##openvpn
04:28 -!- kisom [~kisom@c-d0dde155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Remote host closed the connection]
04:41 < takamichi> Hey guys, we have a network with about 20 servers that connect to each other (host-host) over about 30 ipsec tunnels. We're expierencing major IKE problems with racoon and are considering moving these tunnels over to openvpn. Is there anything major we should be considering?
05:02 -!- fr00d [fr00d@unaffiliated/fr00d] has joined ##openvpn
05:02 < fr00d> Hello!
05:03 < fr00d> I setup an openvpn server and client but when connecting I get VERIFY ERROR: depth=1, error=self signed certificate in certificate on serverside. Can somebody tell me what's wrong?
05:03 < fr00d> I used easy-cas pkitool to generate certificates.
05:03 < fr00d> CN of server certificate is set to fqdn.
05:04 < fr00d> Do I need to add my ca.crt to my trusted certificates? If so, how to do that?
05:07 -!- takamichi [~pri@78.133.14.166] has quit [Ping timeout: 265 seconds]
05:08 -!- reiffert [~thomas@mail.webersheim.de] has joined ##openvpn
05:08 < reiffert> Moin
05:08 -!- takamichi [~pri@94-23-148-250.ovh.net] has joined ##openvpn
05:27 -!- takamichi [~pri@94-23-148-250.ovh.net] has quit [Ping timeout: 240 seconds]
05:28 -!- takamichi [~pri@94-23-148-250.ovh.net] has joined ##openvpn
05:33 -!- takamichi [~pri@94-23-148-250.ovh.net] has quit [Ping timeout: 245 seconds]
05:33 -!- takamichi [~pri@78.133.14.166] has joined ##openvpn
05:35 < takamichi> Ciao, anyone home?
05:37 < takamichi> Im configuring one server and 3 clients. Each client must have a static IP. Is the easiest way to achieve this by using a ccd and ifconfig-push. Would it be easier to just assign the ip on the client side? Can this ne done?
05:47 < hyper_ch> nobody's at home
05:48 < takamichi> every1's snoooooooooozing...
05:50 < hyper_ch> with static ips use ccd and and push
05:55 -!- SOG_ [~SOG@183.1.152.146] has joined ##openvpn
05:57 -!- fr00d [fr00d@unaffiliated/fr00d] has left ##openvpn []
05:58 -!- SOG [~SOG@183.1.148.111] has quit [Ping timeout: 265 seconds]
05:58 -!- SOG_ is now known as SOG
06:19 < takamichi> thanks hyper_ch!
06:26 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
06:45 -!- Thorn [~thorn@unaffiliated/thorn] has quit [Ping timeout: 265 seconds]
06:59 -!- Thorn [~thorn@unaffiliated/thorn] has joined ##openvpn
07:06 -!- SOG [~SOG@183.1.152.146] has quit [Quit: I will be back!]
07:07 -!- SOG [~SOG@183.1.152.146] has joined ##openvpn
07:13 -!- sparc-kly [~mubex@adsl-72-50-103-16.prtc.net] has joined ##openvpn
07:18 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: Connection reset by peer]
07:34 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
07:38 -!- takamichi [~pri@78.133.14.166] has quit [Ping timeout: 240 seconds]
07:39 -!- takamichi [~pri@78.133.14.166] has joined ##openvpn
08:14 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:14 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
08:16 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
08:20 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
08:20 -!- mode/##openvpn [+o mattock] by ChanServ
08:25 -!- JackCorleone [~Jack@201-92-44-12.dsl.telesp.net.br] has quit [Remote host closed the connection]
08:27 -!- rasengan [~rasengan@96.43.136.14] has joined ##openvpn
08:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
08:36 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
09:01 -!- Diffen2 [~diffen2@m83-185-123-225.cust.tele2.se] has joined ##openvpn
09:22 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
09:35 -!- SOG [~SOG@183.1.152.146] has quit [Quit: SOG]
09:38 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
09:52 -!- grapsus [~grapsus@233.161.194-77.rev.gaoland.net] has quit [Read error: Operation timed out]
10:16 -!- grapsus [~grapsus@233.161.194-77.rev.gaoland.net] has joined ##openvpn
10:29 -!- protien [~pro@ppp118-210-196-25.lns20.adl6.internode.on.net] has quit [Ping timeout: 245 seconds]
10:47 -!- Bloodsong [~Nimbus@CPE0018396e5672-CM00223a697927.cpe.net.cable.rogers.com] has joined ##openvpn
10:47 -!- Bloodsong [~Nimbus@CPE0018396e5672-CM00223a697927.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
11:14 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
11:23 -!- chendry [~chendry@c-98-193-79-121.hsd1.il.comcast.net] has joined ##openvpn
11:24 -!- chendry [~chendry@c-98-193-79-121.hsd1.il.comcast.net] has quit [Client Quit]
11:27 -!- chendry [~chendry@c-98-193-79-121.hsd1.il.comcast.net] has joined ##openvpn
11:33 < chendry> I'd like to restrict network access (to a bunch of slicehost VPNs) based on openvpn group.  It seems the best way to do that is to have OpenVPN assign users IPs in separate ip ranges based on their group, and then use iptables to lock down access.  However, when I establish the VPN connection and SSH to the internal IP of one of my slices, it always appears as though I'm connecting from the VPN server, not the IP i'm assigned
11:34 < chendry> I'm a programmer by trade and not terribly network savvy, so I'm not looking so much for a technical solution, but rather the concepts I need to study up on to figure this one out myself.  Any ideas?
11:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 248 seconds]
11:43 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
11:48 -!- DrPepper [~DrPepper@88.207.164.177] has joined ##openvpn
11:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
11:54 -!- takamichi [~pri@78.133.14.166] has quit [Read error: Connection reset by peer]
11:54 -!- takamichi [~pri@76.73.39.170] has joined ##openvpn
11:59 -!- takamichi [~pri@76.73.39.170] has quit [Ping timeout: 248 seconds]
11:59 -!- takamichi [~pri@76.73.39.170] has joined ##openvpn
12:05 -!- DrPepper [~DrPepper@88.207.164.177] has quit [Remote host closed the connection]
12:13 -!- takamichi [~pri@76.73.39.170] has quit [Ping timeout: 276 seconds]
12:14 -!- takamichi [~pri@78.133.14.166] has joined ##openvpn
12:15 -!- grapsus [~grapsus@233.161.194-77.rev.gaoland.net] has quit [Read error: Operation timed out]
12:15 -!- grapsus [~grapsus@233.161.194-77.rev.gaoland.net] has joined ##openvpn
12:18 -!- takamichi [~pri@78.133.14.166] has quit [Ping timeout: 245 seconds]
12:19 -!- takamichi [~pri@78.133.14.166] has joined ##openvpn
12:24 -!- takamichi [~pri@78.133.14.166] has quit [Ping timeout: 240 seconds]
12:24 -!- chendry [~chendry@c-98-193-79-121.hsd1.il.comcast.net] has quit [Quit: chendry]
12:24 -!- takamichi [~pri@78.133.14.166] has joined ##openvpn
12:34 -!- DrPepper [~DrPepper@88.207.164.177] has joined ##openvpn
12:38 -!- crazed [~cr4z3d@unaffiliated/cr4z3d] has left ##openvpn []
12:55 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
13:00 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
13:02 -!- Diffen2 [~diffen2@m83-185-123-225.cust.tele2.se] has quit [Quit: This computer has gone to sleep]
13:07 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:08 -!- Diffen2 [~diffen2@m90-130-212-39.cust.tele2.se] has joined ##openvpn
13:30 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:32 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
13:38 < krzee> too bad he left before he got his answer
13:45 < hyper_ch> hi krzee
13:48 < krzee> werd
13:48 < krzee> hows it goin
13:48 < hyper_ch> good... yourself?
13:48 < hyper_ch> listened to lessig's talk?
13:48 < krzee> very very very ready for vacation
13:48 < krzee> ahh no i forgot
13:49 < hyper_ch> you're just ready for vacation or will you actually go on vacation?
13:49 < krzee> i leave on tuesday
13:49 < hyper_ch> where to?
13:49 < krzee> california
13:50 < hyper_ch> krzee: then here's a song for you http://www.youtube.com/watch?v=dN3GbF9Bx6E
13:50 <+vpnHelper> Title: YouTube - The Mamas & The Papas: California Dreamin' (at www.youtube.com)
13:50 < krzee> same deal, at work
13:50 < krzee> otherwise ild listen to that talk now ;)
13:50 < hyper_ch> :)
13:51 < krzee> you ever complete the config webgen?
13:51 < hyper_ch> no, not yet
13:51 < hyper_ch> other things to do :(
13:52 < krzee> ya i hear ya
13:52 < hyper_ch> and if you don't like mamas and papas, then I got this video for you:  http://www.youtube.com/watch?v=FWOsbGP5Ox4
13:52 <+vpnHelper> Title: YouTube - 2Pac - California Love (at www.youtube.com)
13:53 < hyper_ch> how long will you go on vacation?
13:53 < krzee> 2 weeks
13:53 < krzee> 2nd link is good, i like tupac
13:53 < hyper_ch> :)
13:53 < hyper_ch> too bad he died
13:55 < hyper_ch> why did he have to walk into bullets
14:02 < krzee> thats known to happen when you whoop a crips ass in public
14:03 < krzee> common side-effect
14:05 < hyper_ch> so he should better have done that in private?
14:06 < krzee> would have increased his chances of living
14:06 < krzee> definitely not garunteed them, but increased them
14:06 < hyper_ch> ^^
14:14 < hyper_ch> krzee: so, you're also gonna mess with some crips on your vacation?
14:31 -!- xbox360 [~soares@189.110.206.33] has joined ##openvpn
14:33 -!- xbox360 [~soares@189.110.206.33] has quit [Client Quit]
14:36 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
14:37 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
14:39 < krzee> nope
14:50 < hyper_ch> wise choice
15:21 < krzee> i did do some networking for one of the crip sets in LA before tho
15:21 < krzee> really they're some cool guys, mostly just care about their business
15:22 -!- grapsus [~grapsus@233.161.194-77.rev.gaoland.net] has quit [Ping timeout: 240 seconds]
15:25 -!- grapsus [~grapsus@233.161.194-77.rev.gaoland.net] has joined ##openvpn
15:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
15:44 < hyper_ch> krzee is a crip
15:59 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
16:10 -!- ZEKnox [~knoxville@c-98-240-188-7.hsd1.mn.comcast.net] has joined ##openvpn
16:10 < ZEKnox> anyone here use zerina for smoothwall?
16:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
16:12 -!- DrPepper [~DrPepper@88.207.164.177] has quit [Quit: Leaving...]
16:12 < krzee> not i
16:13 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
16:16 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
16:16 -!- ZEKnox [~knoxville@c-98-240-188-7.hsd1.mn.comcast.net] has quit [Quit: leaving]
16:18 -!- Thorn [~thorn@unaffiliated/thorn] has quit [Quit: Leaving]
16:26 -!- Diffen2 [~diffen2@m90-130-212-39.cust.tele2.se] has quit [Ping timeout: 276 seconds]
16:29 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
16:41 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
17:18 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:29 -!- Diffen2 [~diffen2@m90-130-224-57.cust.tele2.se] has joined ##openvpn
17:52 -!- Raccoon` [bismuth@unaffiliated/raccoon] has joined ##openvpn
17:53 < Raccoon`> Would someone agree that OpenVPN would be the ideal solution for securely connecting two Windows machines over the internet, for the sake of Windows File/Printer Sharing securely?
17:54 < Raccoon`> while also allowing both machines to independantly access the internet from their own endpoint
18:01 < krzee> absolutely
18:02 < krzee> "ideal solution" can lead you to differing answers based on who you ask
18:02 < krzee> but you did ask in ##openvpn
18:03 < krzee> if you ask an ipsec channel, maybe they would say ipsec is the "ideal" solution ;]
18:06 < Raccoon`> well, the last time i connected a windows machine to a campus vpn, for instance, all internet traffic was routed to the campus network from the windows machine
18:06 < Raccoon`> in this case, we simply want to enable secure file/printer sharing without affecting any other network traffic
18:09 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Wibbly Wobbly IRC]
18:25 < ecrist> Raccoon`: just two boxes?
18:26 -!- Diffen2 [~diffen2@m90-130-224-57.cust.tele2.se] has quit [Quit: This computer has gone to sleep]
18:26 < Raccoon`> yes
18:26 < ecrist> just setup openvpn in bridged mode with static keys
18:26 < ecrist> !static
18:26 <+vpnHelper> ecrist: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
18:27 < ecrist> hrm, there's an example on the man page
18:27 < Raccoon`> what makes static keys benificial in this case?
18:27 < ecrist> they're quicker, in general, to set up than ssl certificates
18:27 < ecrist> !ssl-admin
18:27 <+vpnHelper> ecrist: "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn, or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
18:28 < ecrist> that makes it considerably easier, though
18:28 < Raccoon`> alright, thanks.
18:37 < krzee> however
18:38 < krzee> make note of the following:
18:38 < krzee> if you decide you want another client at some point, you need certs
18:38 < krzee> if you do use static keys, if they key is ever found, any previously captured traffic can be decrypted
18:42 < Raccoon`> static keys will not even function if a 2nd client is added?
18:46 < krzee> correct
18:48 < Raccoon`> does setting up an SSL certificate involve an autenticating service like vertisign or anything?
18:48 < krzee> nope
18:49 < krzee> you make and sign with your own CA
18:49 < krzee> !pki
18:49 <+vpnHelper> krzee: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert
18:49 <+vpnHelper> krzee: was signed specially as a server (see !servercert)
18:49 < krzee> #2
18:54 < ecrist> I really should get around to C-ifying ssl-admin
18:54 < ecrist> and push it to replace easy-rsa
18:56 < krzee> +1
18:56 < krzee> as soon as you do that i will build it into the confgen too
18:57 < krzee> especially if you do it before some of my upcoming plane flights!
18:57 < krzee> heheh
19:08 < krzee> my macbook pro is waiting for me in california
19:22 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
19:25 -!- grapsus [~grapsus@233.161.194-77.rev.gaoland.net] has quit [Ping timeout: 240 seconds]
19:28 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
20:24 -!- protien [~pro@ppp118-210-196-25.lns20.adl6.internode.on.net] has joined ##openvpn
20:30 -!- Raccoon` [bismuth@unaffiliated/raccoon] has quit [Read error: Connection reset by peer]
20:30 -!- Raccoon- [bismuth@unaffiliated/raccoon] has joined ##openvpn
20:47 < ecrist> I wonder if the documentation for the openssl c library is as good as it is for the CLI
20:48 < ecrist> i.e. non-existent
20:49 < ecrist> it doesn't seem to be very good, but IBM has some docs they wrote
21:52 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
22:03 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
23:02 -!- Raccoon- [bismuth@unaffiliated/raccoon] has quit [Read error: Connection reset by peer]
23:02 -!- Raccoon` [bismuth@unaffiliated/raccoon] has joined ##openvpn
23:04 < Raccoon`> what's the difference between the Windows Access Server (VHD Download) and the Community Download, Server?
23:44 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
--- Day changed Sun Aug 08 2010
00:14 -!- sparc-kly [~mubex@adsl-72-50-103-16.prtc.net] has quit [Ping timeout: 240 seconds]
00:27 -!- sparc-kly [~mubex@adsl-64-237-248-6.prtc.net] has joined ##openvpn
00:54 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:00 -!- Raccoon- [bismuth@unaffiliated/raccoon] has joined ##openvpn
01:00 -!- Raccoon` [bismuth@unaffiliated/raccoon] has quit [Read error: Connection reset by peer]
01:00 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 264 seconds]
01:00 -!- hyper__ch [~hyper_ch@static.2.139.40.188.clients.your-server.de] has joined ##openvpn
01:00 -!- hyper__ch is now known as hyper_ch
01:09 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
01:12 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
01:40 < Bushmills> access server is not supported here. community version is.
02:17 -!- hyper_ch [~hyper_ch@static.2.139.40.188.clients.your-server.de] has quit [Ping timeout: 240 seconds]
02:18 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
02:35 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:35 -!- mode/##openvpn [+o mattock] by ChanServ
--- Log closed Sun Aug 08 02:49:00 2010
--- Log opened Sun Aug 08 02:49:05 2010
02:49 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
02:49 -!- Irssi: ##openvpn: Total of 95 nicks [4 ops, 0 halfops, 1 voices, 90 normal]
02:49 -!- Irssi: Join to ##openvpn was synced in 29 secs
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
03:46 -!- Gud_ [~erik@78-70-22-214-no94.business.telia.com] has joined ##openvpn
03:46 -!- Gud [~erik@78-70-22-214-no94.business.telia.com] has quit [Read error: Connection reset by peer]
03:50 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
03:56 < hyper_ch> hi krzee
04:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:13 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 265 seconds]
04:46 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
05:03 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:05 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 252 seconds]
05:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:11 < takamichi> hey chaps
05:12 < takamichi> My ovpn logs are spewing out "WrWrWrWrWRrWRWRWRWRWRWRWRWRWRWRWRWRWRWR".. Just to confirm, this indicates reads and writes - Is that correct?
05:14 < hyper_ch> did you set it up to log?
05:15 < takamichi> yes, verb 5
05:16 < hyper_ch> I think my logs look different, but haven't look at them for ages
05:17 < takamichi> It seems to only happen at verb 5, I think its just shorthand for reads and writes. Just wanted to confirm
05:17 < takamichi> Thanks hyper_ch
05:17 < hyper_ch> tried a different log level?
05:18 < takamichi> Yes, but I like the verbosity of 5, its just right!
05:18 < hyper_ch> no clue
05:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
05:32 -!- fbh_ is now known as fbh
05:32 -!- fbh [fbh@lucifer.frands.net] has quit [Changing host]
05:32 -!- fbh [fbh@unaffiliated/fbh] has joined ##openvpn
05:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:02 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
06:13 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:14 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Read error: Connection reset by peer]
06:17 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
06:18 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:20 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
06:25 -!- protien [~pro@ppp118-210-196-25.lns20.adl6.internode.on.net] has quit [Ping timeout: 276 seconds]
06:48 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Chicks dig it]
07:01 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 240 seconds]
07:09 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
07:10 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
07:10 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Quit: Leaving]
07:20 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
07:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
07:24 -!- buntfalke [~nobody@openvpn-p0-053.triple-a.uni-kl.de] has joined ##openvpn
07:24 -!- buntfalke [~nobody@openvpn-p0-053.triple-a.uni-kl.de] has quit [Changing host]
07:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:28 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 240 seconds]
07:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
07:31 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
08:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
08:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
08:38 -!- psycho_weazle [~Wiesel@HSI-KBW-109-192-164-186.hsi6.kabel-badenwuerttemberg.de] has joined ##openvpn
08:40 < psycho_weazle> hi, anyone knows a good tutorial for a host-to-host (2 vpn server) openvpn network?
08:41 < hyper_ch> !bridge
08:41 <+vpnHelper> hyper_ch: "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc, or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ, or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man)
08:41 < hyper_ch> !tunortap
08:41 <+vpnHelper> hyper_ch: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
08:41 <+vpnHelper> hyper_ch: against you over the vpn, or (#4) lan gaming? use tap!
08:42 < hyper_ch> !layer2
08:42 <+vpnHelper> hyper_ch: "layer2" is (#1) you are using tap, what specific layer2 protocol do you need to work over the vpn?, or (#2) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#3) protocols that use layer2 communicate by MAC address, not IP address
08:44 < psycho_weazle> thx
08:47 < hyper_ch> not sure if that's what you need
08:51 < psycho_weazle> what i don't understand, is, one of the 2 "server" must be the client, connecting to the other server, right? if both servers want to provide a vpn server, one of them must be a vpn client AND server in one?
08:53 < psycho_weazle> !welcome
08:53 <+vpnHelper> psycho_weazle: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:53 < psycho_weazle> !goal
08:53 <+vpnHelper> psycho_weazle: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:53 < psycho_weazle> !howto
08:53 <+vpnHelper> psycho_weazle: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:55 -!- kisom [~kisom@c-d0dde155.648-1-64736c11.cust.bredbandsbolaget.se] has joined ##openvpn
09:19 -!- Diffen2 [~diffen2@m83-188-237-195.cust.tele2.se] has joined ##openvpn
09:45 < Bushmills> psycho_weazle: no, but you can run two instances
09:46 < Bushmills> i.e. one, running as server, using the server config, and the other with client config as client.  they'll have two interfaces, tun0 and tun1.  also, on the client part you want to use  --nobind
09:47 < Bushmills> psycho_weazle: ^^
09:48 < psycho_weazle> ok, thank you, i will have a lot to read :D
10:55 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
11:05 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 260 seconds]
11:25 < takamichi> I have a server with three openvpn tunnels. Is there a way to startup/shutdown those tunnels independantly using the standard init scripts?
11:27 < krzie> takamichi, that question depends on your OS's init scripts
11:27 < krzie> but probably no
11:29 < takamichi> sorry krzie, yes I should have mentioned that - Im on RHEL
11:30 < krzie> never used it, but still i would assume not
11:30 < krzie> look at the script, should be obvious one way or the other
11:44 < takamichi> Hey Krzie, have you ever noticed the logs filling up with 'RWWRWRWRWRRWWRWRWRWRRWRWRWRWRWRWRWRWRW' on verb 5?
11:46 < krzie> yup
11:46 < krzie> !log
11:46 <+vpnHelper> krzie: An error has occurred and has been logged. Please contact this bot's administrator for more information.
11:46 < krzie> !logfile
11:46 <+vpnHelper> krzie: "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info
11:46 < krzie> 5 is only good for debugging, not everyday usage
11:46 < krzie> those RWRW will help find firewall issues ;]
11:47 < takamichi> What does the RW stand for read/write?
11:47 < krzie> yes
11:48 < takamichi> Thank you
11:48 < krzie> yw
11:54 < krzie> !learn management as read http://svn.openvpn.net/projects/openvpn/obsolete/BETA21-preauto/openvpn/management/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN
11:54 <+vpnHelper> krzie: Joo got it.
12:07 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection reset by peer]
12:09 -!- Diffen2 [~diffen2@m83-188-237-195.cust.tele2.se] has quit [Ping timeout: 276 seconds]
12:11 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
12:20 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has joined ##openvpn
12:25 -!- Scruffy [~Scruffy@ip1.srv2.scrufffy.eu] has quit [Ping timeout: 265 seconds]
12:25 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
12:31 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
12:53 < krzie> lol
12:53 < krzie>  openvpn (1337)
12:53 < krzie> i hapen to have 1337 unread messages in my openvpn inbox
12:53 < krzie> purely coincidence
12:56 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
13:05 < kisom> microsoft are funny some times
13:05 < kisom> https://ck3r.org/windows.jpg
13:10 < krzie> lol
13:10 < krzie> catastrophic!
13:14 < hyper_ch> hi krzie
13:15 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
13:15 -!- WindowsNT [~t7x64@cpe-77-83-145-6-dsl.netone.gr] has joined ##openvpn
13:17 < WindowsNT> question: Is it wrong for openvpn server to configure static IPs in the same subnet as the server itself ?
13:19 < hyper_ch> what do you mean?
13:20 < WindowsNT> I 've installed OpenVPN server in my ubuntu. My lan is generally 192.168.1.*. I 've configured openvpn to accept a client and give it a static ip in the same subnet
13:20 < WindowsNT> is that a mistake ?
13:20 < WindowsNT> because my client can connect to me, but after that he doesn't have internet access
13:21 < WindowsNT> or, do I have to setup for him a default gateway somewhere ?
13:21 < hyper_ch> !configs
13:21 <+vpnHelper> hyper_ch: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
13:23 < WindowsNT> hmmm I have to find server.conf first
13:23 < WindowsNT> configuration is done through the web interface so far
13:25 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
13:35 < krzee> hey hyper_ch 
13:35 < hyper_ch> krzee: still working?
13:36 < kisom> krzee: i run openvpn on port 1337 :)
13:36 < kisom> deja vu!
13:43 < krzee> WindowsNT, you are using access server it sounds like
13:43 < krzee> !AS
13:43 <+vpnHelper> krzee: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
13:43 <+vpnHelper> krzee: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
13:43 < krzee> see #4
13:43 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
13:43 < krzee> openvpn doesnt come with a web interface
13:44 -!- killown [~killown@unaffiliated/killown] has quit [Read error: Connection reset by peer]
13:48 < WindowsNT> thx
13:48 -!- WindowsNT [~t7x64@cpe-77-83-145-6-dsl.netone.gr] has left ##openvpn []
13:52 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
13:56 -!- killown [~killown@unaffiliated/killown] has quit [Client Quit]
14:00 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
14:03 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
14:04 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
14:04 -!- linuxviewer [~linuxview@ip72-222-249-220.ph.ph.cox.net] has joined ##openvpn
14:04 < linuxviewer> !welcome
14:04 <+vpnHelper> linuxviewer: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:05 < linuxviewer> !howto
14:05 <+vpnHelper> linuxviewer: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:06 < linuxviewer> What ar ethe main differences between the community software and access software (I am setting up one server and one client vpn)
14:12 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
14:13 -!- takamichi [~pri@78.133.14.166] has quit [Ping timeout: 245 seconds]
14:13 < hyper_ch> !AS
14:13 <+vpnHelper> hyper_ch: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server
14:13 <+vpnHelper> hyper_ch: configurations options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
15:16 -!- takamichi [~pri@78.133.14.166] has joined ##openvpn
15:22 < takamichi> I have a server which is a client to 2 other OpenVPN servers. When I start it, it routes both networks out the same tun intefface. I have to manually change the routing interface to it to work every time I restart. Whats the best solution?
15:28 -!- takamichi [~pri@78.133.14.166] has quit [Ping timeout: 248 seconds]
15:30 -!- takamichi [~pri@78.133.14.166] has joined ##openvpn
15:30 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
15:31 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
15:34 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Client Quit]
15:36 -!- Diffen2 [~diffen2@m90-130-200-131.cust.tele2.se] has joined ##openvpn
15:36 -!- WindowsNT [~t7x64@cpe-77-83-145-6-dsl.netone.gr] has joined ##openvpn
15:38 < WindowsNT> ok i dropped AS and reverted to plain openvpn
15:38 < |Mike|> plain, unencrypted you mean?
15:38 < WindowsNT> im trying to setup it under Windows and in the server.ovpn I have push "redirect-gateway def1"  , but what the clients get is 192.168.1.1 which is not my home network's default gw
15:39 < WindowsNT> i mean without AS
15:39 < WindowsNT> a) can i tell it to give my correct gw or b) can i setup it in bridge mode ?
15:40 < |Mike|> !def1
15:40 <+vpnHelper> |Mike|: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
15:48 < WindowsNT> !server-bridge 
15:48 <+vpnHelper> WindowsNT: Error: "server-bridge" is not a valid command.
15:49 < hyper_ch> !bridge
15:49 <+vpnHelper> hyper_ch: "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc, or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ, or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man)
15:52 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
15:53 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
15:58 -!- adxp [~user@67-207-136-81.static.cloud-ips.com] has joined ##openvpn
15:59 < adxp> anyone around that can help debug a routing issue? (or tell me where to look)
15:59 < adxp> packets being received by other end (as shown by "verb 6"), but can't tell what's going wrong after that
15:59 < adxp> (ping to other end of p2p not being returned; no firewall on other end)
16:00 < adxp> *ptp, rather
16:00 < hyper_ch> ipforward enable on linux?
16:02 < adxp> sysctl -a 2>/dev/null | grep forward
16:02 < adxp> net.ipv4.conf.all.forwarding = 1
16:02 < adxp> (not sure if there's anything else I should be setting)
16:02 < hyper_ch> !forward
16:02 <+vpnHelper> hyper_ch: Error: "forward" is not a valid command.
16:02 < hyper_ch> !ipforward
16:02 <+vpnHelper> hyper_ch: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
16:03 < hyper_ch> !linipforward
16:03 <+vpnHelper> hyper_ch: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
16:03 < adxp> thx, just did that, same result
16:03 < hyper_ch> then I can't really help
16:03 < adxp> ok. any suggestions on kind of things to look at/useful tools for debugging? don't mind doing lots of digging myself
16:04 < WindowsNT> ok i am trying the server-bridge
16:04 < WindowsNT> client can connect and gets correct IP and GW values
16:04 < WindowsNT> but he can't ping my gw or connect anywhere
16:05 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
16:05 < hyper_ch> adxp: I don't really know anything about routing
16:05 < hyper_ch> adxp: did you do a traceroute?
16:06 < WindowsNT> server-bridge 192.168.1.20 255.255.255.0 192.168.1.200 192.168.1.230
16:06 < WindowsNT> the first one is the server ip or the default gw i must have ?
16:06 < adxp> hyper_ch: no, good point, will investigate w/ that
16:07 < hyper_ch> now I know who killed laura palmer
16:07 < hyper_ch> good luck 
16:08 < hyper_ch> !bridge
16:08 <+vpnHelper> hyper_ch: "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc, or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ, or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man)
16:09 < hyper_ch> WindowsNT: local server ip according to the howto
16:09 < adxp> http://pastebin.com/G8GrCmtr
16:10 < adxp> hyper_ch: do you know if the 192.168.0.5/6 addresses are "magic" in any way? (I don't see 5/6 explicitly specified anywhere, either on server or client)
16:10 < hyper_ch> so, I'm off to bed... nighty night
16:11 < adxp> hyper_ch: nm, fixed it. thanks!
16:13 -!- adxp [~user@67-207-136-81.static.cloud-ips.com] has left ##openvpn ["ERC Version 5.2 (IRC client for Emacs)"]
16:19 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
16:20 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
16:26 -!- WindowsNT [~t7x64@cpe-77-83-145-6-dsl.netone.gr] has left ##openvpn []
16:31 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- *I* use it, so it must be good!]
16:40 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:41 -!- Diffen2 [~diffen2@m90-130-200-131.cust.tele2.se] has quit [Ping timeout: 252 seconds]
16:45 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
16:46 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn
16:47 -!- Diffen2 [~diffen2@m83-188-253-147.cust.tele2.se] has joined ##openvpn
17:01 -!- Diffen2 [~diffen2@m83-188-253-147.cust.tele2.se] has quit [Ping timeout: 246 seconds]
17:04 -!- psycho_weazle [~Wiesel@HSI-KBW-109-192-164-186.hsi6.kabel-badenwuerttemberg.de] has quit [Quit: Verlassend]
17:21 -!- ghostknife [~quintin@iburst-41-213-31-210.iburst.co.za] has joined ##openvpn
17:23 < ghostknife> I want to listed for the same VPN/subnet/etc on both TCP+UDP. I got all this running, but am having a weird problem. For UDP, traffic comes in on tun1, gets SNATed and reaches the destination. Response comes back, gets translated again, but now it sends it out on tun0 (since tun1 and tun0 are on the same subnet). Is this at all possible or am I forced to subnet tcp/udp separately?
17:23 < ghostknife> s/listed/listen/
17:27 < ghostknife> If at all possible I would prefer them to share a subnet since we have strictly assigned subnet ranges and to have to divide this in 2 purely for protocol isn't desired. Many clients will potentially connect (expectng up to 200 concurrent connections MAX) and this would mean the benefit of having a choice between protocols could cause limits to be reached.
17:28 < krzee> you cant
17:29 < krzee> am I forced to subnet tcp/udp separately?
17:29 < krzee> yes
17:30 < krzee> consider putting the TCP / UDP on different machines
17:30 < krzee> oh actually n/m you should not need to do that
17:30 < krzee> different processes will be fine, given that you are on a dual core+ machine
17:30 < krzee> reason being, after ~200 concurrent connections openvpn starts to have issues
17:31 < krzee> it is single threaded, so only runs on a single core
17:33 < ghostknife> hmm
17:33 < ghostknife> if all goes well everyone should be using UDP
17:33 < ghostknife> which is why I'm worried about having only 128 IPs
17:34 < ghostknife> but the single core thing is worrying as well
17:34 < ghostknife> how does this load balancing thing work. do they inter-communicate? meaning I can give a pool of IPs and they'll sort it out amongs themselves?
17:34 < ghostknife> then I can put an load balancer in front of them?
17:35 < ghostknife> oh darn. I guess I'm just going to have to request more IPs
17:35 < ghostknife> But before that, this load caveat... thanks for telling me
17:36 < ghostknife> single thread for 200 connections sounds disastrous
17:42 < ghostknife> Oh well. We'll sort this out. I'll request 6 full subnets and run 5xUDP instances, each on it's own subnet and 1 TCP subnet for those who are having problems. Then i'll load balance them.
17:42 < ghostknife> Are there any web based management interfaces for OpenVPN, more specifcally for managing/distributing certificates/etc. similar to the OpenVPN Access Server one?
17:43 < ghostknife> I wrote a simple one a few years back, but for another company. I would prefer not to write one again
17:58 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- The alternative IRC client]
18:04 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:29 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
18:38 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
18:43 < ghostknife> I'm trying to reuse a certificate/ca/key we are using for Apache to do client base authentication. I have the ca.crt, server.crt, server.key and a working client.p12 for ssl-client cert authentication. Though I can't get these 4 to work with OpenVPN
18:43 < ghostknife> Is the dh1024.pem file required?
18:43 < ghostknife> and how does this fit in, I can't find such a file in apache
18:56 -!- Raccoon- [bismuth@unaffiliated/raccoon] has quit [Ping timeout: 245 seconds]
19:05 < krzee> it doesnt exist in apache
19:05 < krzee> and you are doing very very unnecessary work
19:05 < krzee> there is NO point to using the same cert as apache
19:14 -!- nb [~nb@fedora/GSWoT.Member.nb] has quit [Read error: Operation timed out]
19:14 -!- straterra [~straterra@fuhell.com] has quit [Read error: Operation timed out]
19:17 -!- straterra [~straterra@fuhell.com] has joined ##openvpn
19:18 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has quit [Remote host closed the connection]
19:18 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has joined ##openvpn
19:26 -!- nb [~nb@fedora/GSWoT.Member.nb] has joined ##openvpn
19:39 < ghostknife> krzee: the reason for doing so is because every employee is issued with a cert to authenticating with common services. everything that can authenticate by cert is done in this way. simplifies many things. I found the problem and fixed it. So now all that remains is to build an msi installer which contains everything except your cert file. You install it, get prompted for the cert file, pick it and 
19:39 < ghostknife> you're set. Makes things much easier for everyone since we don't have technicians to help people
19:40 < ghostknife> No need to generate new certs
19:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Quit: I am off]
19:41 < ghostknife> I can't believe I even concidered PPTP at first.
19:41 < ghostknife> OpenVPN is so much better
19:41 < ghostknife> Even with the overhead of requiring to install a non-default client.
19:42 -!- ghostknife [~quintin@iburst-41-213-31-210.iburst.co.za] has quit [Quit: WeeChat 0.3.0]
19:50 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Quit: No Ping reply in 90 seconds.]
19:50 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
20:01 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
20:10 < linuxviewer> Hello everyone.  I am using a openvpn on CentOS server which is running Asterisk (VOIP).  I am getting one way audio.  Can someone help me figure out why?
20:23 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
21:06 < linuxviewer> hello?
21:07 -!- Raccoon` [bismuth@unaffiliated/raccoon] has joined ##openvpn
21:29 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
21:39 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 276 seconds]
21:39 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
22:07 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
22:07 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
22:40 < blackpenguin> hi linuxviewer 
22:43 < blackpenguin> linuxviewer: I wonder if the problem is actually openvpn related or if it might be more asterisk related. or even sound setup related (mic enabled as source channel?)
23:01 -!- SOG [~SOG@61.144.230.241] has quit [Quit: I will be back!]
23:11 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
23:28 -!- linuxviewer [~linuxview@ip72-222-249-220.ph.ph.cox.net] has quit [Ping timeout: 265 seconds]
23:31 -!- linuxviewer [~linuxview@173.153.3.15] has joined ##openvpn
23:35 -!- linuxviewer [~linuxview@173.153.3.15] has quit [Ping timeout: 240 seconds]
23:35 -!- linuxviewer [~linuxview@ip72-222-249-220.ph.ph.cox.net] has joined ##openvpn
23:38 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
23:42 -!- Raccoon` [bismuth@unaffiliated/raccoon] has quit [Ping timeout: 240 seconds]
23:43 -!- linuxviewer [~linuxview@ip72-222-249-220.ph.ph.cox.net] has quit [Ping timeout: 265 seconds]
23:43 -!- linuxviewer [~linuxview@173-147-162-44.pools.spcsdns.net] has joined ##openvpn
23:47 -!- linuxviewer` [~linuxview@ip72-222-249-220.ph.ph.cox.net] has joined ##openvpn
23:48 -!- linuxviewer [~linuxview@173-147-162-44.pools.spcsdns.net] has quit [Ping timeout: 258 seconds]
23:48 -!- Raccoon` [bismuth@unaffiliated/raccoon] has joined ##openvpn
23:51 < linuxviewer`> How can I see the entire subnet of a VPN I connect into?  What line goes in the server.conf?
23:57 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 4.0b2/20100720180617]]
--- Day changed Mon Aug 09 2010
00:02 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
00:11 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
00:24 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
00:29 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
00:38 -!- Raccoon- [bismuth@unaffiliated/raccoon] has joined ##openvpn
00:38 -!- Raccoon` [bismuth@unaffiliated/raccoon] has quit [Read error: Connection reset by peer]
00:41 -!- tessier_ [~treed@kernel-panic/copilotco] has joined ##openvpn
00:41 < tessier_> Hello all!
00:41 -!- tessier_ is now known as tessier
00:43 < tessier> hmm....when entering the challenge password for establishing my key server it echos the password back in the clear. That is odd.
00:48 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
00:57 < linuxviewer`> How can I see the entire subnet of a VPN I connect into?  What line goes in the server.conf?
01:02 -!- linuxviewer` is now known as linuxviewer
01:03 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:03 -!- mode/##openvpn [+o mattock] by ChanServ
01:19 < linuxviewer> Anyone around tonight?
01:32 -!- adxp [~user@67-207-136-81.static.cloud-ips.com] has joined ##openvpn
01:32 < adxp> quick question - does openvpn ever automatically touch iptables?
01:33 < Chosi> nope
01:33 < Chosi> not that i know of
01:35 < adxp> cool, thx
01:35 < adxp> (I found one of my servers (correctly) has a NAT masquerade rule for the vpn, but I have no idea how it got there)
01:35 < adxp> perhaps I give my past self too little credit
01:42 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:43 < linuxviewer> I am having an issue where information from my routed setup isn't getting the data across the VPN appropriately from the server.  Can someone assist me in diagnosing so that I don't have to do a bridge setup if unnecessary?
01:48 < tessier> Weird. If my openvpn client has a gateway of 10.9.8.5 then shouldn't I have a 10.9.8.5 interface on my openvpn server?
01:48 < tessier> Perhaps not. But my routing is broken and I don't understand why. I cannot ping the gateway.
01:50 -!- linuxviewer` [~linuxview@173-147-239-183.pools.spcsdns.net] has joined ##openvpn
01:52 -!- linuxviewer [~linuxview@ip72-222-249-220.ph.ph.cox.net] has quit [Ping timeout: 240 seconds]
01:53 -!- linuxviewer [~linuxview@ip72-222-249-220.ph.ph.cox.net] has joined ##openvpn
01:55 -!- linuxviewer` [~linuxview@173-147-239-183.pools.spcsdns.net] has quit [Ping timeout: 260 seconds]
02:01 -!- sparc-kly [~mubex@adsl-64-237-248-6.prtc.net] has quit [Ping timeout: 264 seconds]
02:10 -!- protien [~pro@ppp118-210-196-25.lns20.adl6.internode.on.net] has joined ##openvpn
02:13 -!- sparc-kly [~mubex@adsl-72-50-28-199.prtc.net] has joined ##openvpn
02:22 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:33 -!- linuxviewer` [~linuxview@68-29-17-108.pools.spcsdns.net] has joined ##openvpn
02:35 -!- linuxviewer [~linuxview@ip72-222-249-220.ph.ph.cox.net] has quit [Ping timeout: 245 seconds]
02:37 -!- linuxviewer` [~linuxview@68-29-17-108.pools.spcsdns.net] has quit [Ping timeout: 265 seconds]
02:38 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
02:42 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
02:43 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
03:00 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
03:13 -!- dazo_afk is now known as dazo
03:14 -!- Diffen2 [~diffen2@m90-130-206-122.cust.tele2.se] has joined ##openvpn
03:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Quit: No Ping reply in 90 seconds.]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:42 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
03:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:52 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
04:07 -!- Diffen2 [~diffen2@m90-130-206-122.cust.tele2.se] has quit [Ping timeout: 240 seconds]
04:08 -!- protien [~pro@ppp118-210-196-25.lns20.adl6.internode.on.net] has quit [Ping timeout: 252 seconds]
04:28 -!- Raccoon` [bismuth@unaffiliated/raccoon] has joined ##openvpn
04:29 -!- Raccoon- [bismuth@unaffiliated/raccoon] has quit [Read error: Connection reset by peer]
04:54 -!- groundnuty [~orzech@elj74.internetdsl.tpnet.pl] has quit [Ping timeout: 260 seconds]
04:55 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 245 seconds]
05:07 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
05:16 -!- RichiH [~richih@freenode/staff/richih] has joined ##openvpn
05:17 < RichiH> i know that this Must Not be a long-term solution but as a quick hack, it would be very helpful if i could make openvpn server & client accept an expired certificate for a few more days. is there any way to do this without recompiling?
05:21  * RichiH pokes cron2, ecrist, fahadsadah_, kloeri, kraut and UdontKnow for good measure
05:26 < RichiH> or would i need to ask this in an open_ssl_ channel?
05:31 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
05:37 -!- Ned [~martyn@202-61-3-148.cable5.acsdata.co.nz] has joined ##openvpn
05:38 < Ned> I have openvpn 2 working fine, I can ping the client PTP addr from the server, but I don't appear to be able to route any other traffic to the client
05:38 < Ned> in my case, the client has a subnet behind it I'd like to route to/from, but despite being able to hit the client on the PTP IP, I can't seem to route traffic to it :-(
05:38 < Ned> anyone know what might be up there ?
05:39 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:45 -!- SOG [~SOG@61.144.230.241] has quit [Quit: SOG]
06:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
06:08 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 265 seconds]
06:15 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
06:20 < ecrist> RichiH: sure, change the date on both systems
06:22 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
06:26 < RichiH> ecrist: other than that ;)
06:27 < ecrist> nope
06:29 < ecrist> if you're not willing to hack the date on the systems for a couple days, it must not be that big of a deal...
06:30 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
06:40 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 260 seconds]
06:44 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
06:59 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- In tests, 0x09 out of 0x0A l33t h4x0rz prefer it :)]
07:01 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Ping timeout: 265 seconds]
07:06 < RichiH> ecrist: it's not a problem of willingness, but of feasibility
07:07 < RichiH> thankfully, i planned ahead and gave the customer a new set of hardware tokens etc a year ago (yay me) and now they will need to do things faster than usual
07:08 < RichiH> ecrist: i did not forget the GRF, btw
07:12 < ecrist> the GRF?
07:13 < RichiH> group contact. moving to #openvpn, cloaks, etc
07:13 < ecrist> ah, I've sorta given up on all that.
07:14 < RichiH> i did not, but unfortunately, i am unable to change much
07:16 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
07:16 -!- smerz [~smerz@smerz.demon.nl] has quit [Read error: Connection reset by peer]
07:19 < ecrist>  understood
07:20 < RichiH> ecrist: see your /query
07:27 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
07:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:31 -!- gbit [~gbti@unaffiliated/gbit] has joined ##openvpn
07:34 < gbit> !welcome Im looking for a good how to, for multiple clients and subnets..
07:34 <+vpnHelper> gbit: Error: "welcome" is not a valid command.
07:38 < gbit> I´m not sure if I should use one openvpn instance for eatch client, or if is possible to connect all clients using tun in the same port
07:39 -!- ultramage [umage@kurobara.netvor.sk] has joined ##openvpn
07:39 < ultramage> hi, is there someone who I could talk to about openvpn's MTU juggling ?
07:41 < ultramage> I've been testing one other vpn utility, and noticed that some sites would just hang... apparently it's a MTU issue, but apparently when openvpn is used with lzo compression, the issue does not occur
07:42 < ultramage> I know it's the servers' fault for not handling all MTUs properly, but that other app also uses lzo compression... but whereas its packets arrive ip-fragmented, openvpn's don't :/
07:53 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:02 < ecrist> !mtu
08:02 <+vpnHelper> ecrist: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
08:08 < Optic> moo
08:12 < ultramage> hm
08:12 < ultramage> that's not exactly what I was asking about ._.
08:14 < ecrist> ultramage: perhaps you need to speak on a lower level, in #openvpn-devel
08:20 < ultramage> I can try
08:21 -!- SOG_ [~SOG@222.125.202.173] has joined ##openvpn
08:21 -!- gbit [~gbti@unaffiliated/gbit] has left ##openvpn []
08:23 -!- SOG [~SOG@222.125.202.173] has quit [Ping timeout: 264 seconds]
08:23 -!- SOG_ is now known as SOG
08:47 < kisom> there was some discussion about "virtual hosting" on one instance of openvpn some day ago
08:48 < kisom> it is possible to host two totally different openvpn networks on one port, just redirect 50% of the connections to one server and the rest to another
08:48 < kisom> yes, its ugly, but clients will connect to the right server after a while :)
09:35 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
09:46 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
10:11 -!- ultramage [umage@kurobara.netvor.sk] has left ##openvpn []
10:52 -!- groundnu1y [~orzech@elj74.internetdsl.tpnet.pl] has joined ##openvpn
11:00 -!- cleguevara [~cleguevar@88-134-68-186-dynip.superkabel.de] has joined ##openvpn
11:02 -!- han9 [~a9@91-67-60-39-dynip.superkabel.de] has joined ##openvpn
11:05 -!- han9 [~a9@91-67-60-39-dynip.superkabel.de] has quit [Quit: Leaving]
11:25 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:31 -!- gbit [~gbti@unaffiliated/gbit] has joined ##openvpn
11:32 -!- julius [~julius@217.20.127.15] has quit [Quit: Es war einmal, südlich der Grasplantagen von Mittelerde...]
11:32 -!- julius [~julius@217.20.127.15] has joined ##openvpn
11:34 -!- dazo is now known as dazo_afk
11:52 -!- fr00d [fr00d@unaffiliated/fr00d] has joined ##openvpn
11:55 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
12:00 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
12:14 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
12:18 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
12:23 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
12:26 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Ping timeout: 246 seconds]
12:29 < fr00d> Hello!
12:29 < hyper_ch> hello fr00d
12:30 < fr00d> How can I give openvpn more rights to let it set routes within win7.
12:30 < fr00d> Oh, hey hyper_ch.
12:30 < fr00d> This is a long time ago since we met in a irc channel...
12:31 < hyper_ch> we did?
12:31 < hyper_ch> the easiest way is to replace Win7 with Linu
12:31 < hyper_ch> openvpn must be run as admin on windows
12:35 < fr00d> Yes, of course. Linux is much easier, but I have a ATI X1300 in my notebook which isn't provided anymore by fglrx, and radeon is to old and vesa produces strange graphics errors. But that's another problem.
12:36 < hyper_ch> oh :(
12:36 < fr00d> I get into configuration for the exe and turned on executing with administration right. But that didn't solve the problem.
12:36 < hyper_ch> don't much about windows, sorry
12:37 < fr00d> Hmm, ok, then I'll go on googling for the problem.
12:38 < hyper_ch> hmm, the x1300 seems to run fine on ubuntu karmic
12:38 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:39 < hyper_ch> the radeon and radeonhd drivers should work fine... just don't use fglrx
12:39 < hyper_ch> (at least on ubuntu)
12:40 -!- hfrhryu34 is now known as abeehc
13:17 -!- gbit [~gbti@unaffiliated/gbit] has left ##openvpn []
13:18 -!- cleguevara [~cleguevar@88-134-68-186-dynip.superkabel.de] has left ##openvpn []
13:23 < fr00d> No, my card is too new for radeon and too old for radeonhd.
13:31 -!- takamichi [~pri@78.133.14.166] has quit []
13:45 -!- corrideat [~tor@CAcert/user/corrideat] has joined ##openvpn
13:46 < corrideat> !welcome
13:46 <+vpnHelper> corrideat: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:46 < corrideat> Hello
13:47 < corrideat> I'd like to know whether it's possible to set a custom interface name for the VPN on Linux.
13:47 < corrideat> E.g., serv1 rather than tunX
13:58 -!- abeehc is now known as abeehc-
14:10 -!- rawDawg [~rawdawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
14:21 -!- blueboxthief [~None_of_y@prod05.pptp.lon.witopia.net] has joined ##openvpn
14:23 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:27 -!- corrideat [~tor@CAcert/user/corrideat] has quit [Remote host closed the connection]
14:28 < krzee> sure it is
14:28 < krzee> oh he left
14:37 -!- batrick [~batrick@batbytes.com] has quit [Ping timeout: 264 seconds]
14:42 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
14:59 -!- rawDawg [~rawdawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
15:11 < straterra> I'm getting this error using some of the easy-rsa scripts.. error:0E065068:configuration file routines:STR_COPY:variable has no value
15:11 < straterra> any ideas what variable its looking for?
15:17 < krzee> you didnt source the VARS file
15:17 < krzee> the leading . is important
15:24 -!- bjh4 [~chatzilla@ool-18bbdf6a.static.optonline.net] has joined ##openvpn
15:26 < bjh4> If I have 4 clients attached to 1 server and 1 client has a network of interest say client 1.  What methods are needed to successfully pass traffic through client 1 to the network?
15:27 < krzee> !clientlan
15:27 <+vpnHelper> krzee: "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
15:28 < bjh4> !route
15:28 <+vpnHelper> bjh4: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:41 -!- blueboxthief [~None_of_y@prod05.pptp.lon.witopia.net] has quit [Ping timeout: 276 seconds]
15:47 -!- blueboxthief [~None_of_y@86-40-176-16-dynamic.b-ras2.srl.dublin.eircom.net] has joined ##openvpn
15:57 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:58 -!- fsw [~BOT@britannia.0xj.info] has joined ##openvpn
16:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
16:31 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:47 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
16:47 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
16:48 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Ping timeout: 245 seconds]
16:52 -!- le0_ [~fin@cpc3-bele7-2-0-cust163.bele.cable.virginmedia.com] has joined ##openvpn
16:54 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
16:59 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
17:01 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
17:09 -!- miris [~Miris@217-112-164-88.cust.avonet.cz] has joined ##openvpn
17:09 -!- bob368 [~bob@166.205.8.107] has joined ##openvpn
17:09 < miris> !welcome
17:09 <+vpnHelper> miris: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:11 < miris> !redirect
17:11 <+vpnHelper> miris: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:11 < miris> !nat
17:11 <+vpnHelper> miris: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
17:12 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Read error: Connection reset by peer]
17:13 < miris> Hello guys. I need an openvpn guru's help, if there is one. I am suffering in configuring my server+router (LAN1) and other LAN's.
17:14 < miris> I read tons of forum posts, mailing lists ... I am basically flooded with information but that still prevents me from creating something that works as desired.
17:17 -!- Netsplit *.net <-> *.split quits: reiffert, JPeterson
17:18 -!- Netsplit over, joins: JPeterson, reiffert
17:21 < fsw> miris, what's your problem exactly?
17:24 < miris> I am trying to make a "bridge" but cannot find a way to ping hosts on the subnets. I successfully managed to connect server router and host router but that is it. Server is on 172.17.1.0/24 and host on 172.17.3/24. VPN clients are (including the host) are on 172.17.1.220 - 229.
17:24 -!- bob368_ [~bob@166.205.10.172] has joined ##openvpn
17:25 -!- bob368 [~bob@166.205.8.107] has quit [Ping timeout: 258 seconds]
17:26 < miris> While I can ping the host (172.17.1.220) from the server (172.17.1.1) and vice versa, I cannot do the same for the host having address 172.17.3.1. To my understaning, while bridging, this should work without any issues.
17:26 < fsw> miris, which OS are you using on the server router?
17:27 < miris> Both are running linux. Those are regular routers with integrated OpenVPNs.
17:28 < miris> One is DD-WRT (D-LINK DIR-825) and the other one (Asus WL-500gp) has a special firmware with its OpenVPN installation on a USB flash disk.
17:30 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
17:30 < miris> D-Link is my server and Asus is the host. As I said, they correctly connect to each other and can ping themselves. That is the furthest I managed to got after 5 days.
17:32 < fsw> ok
17:34 < miris> fsw, got maybe some hints I could possibly try? I am totally out of any further ideas. I certainly can send my config files and whatever else is needed.
17:36 < miris> I found some ways through "route" but that only seems to be valid for "routing" (TUN) while I am trying to configure a "bridge".
17:37 < fsw> I'm thinking about it
17:38 < fsw> any particular reasons for wanting to bridge?
17:39 < miris> Have not found much information for my specific issue but I would like to create a VPN connecting 4 networks where all the clients would be able to ping each other. Routing does not seem to be, as far as I understand it, very suitable for this.
17:42 < fsw> miris, I think it is if you setup it correctly.
17:43 < fsw> can I see your output of brctl list?
17:43 < fsw> brctl show, not list
17:45 < miris> If it's about the interfaces included, all are: eth0, ath0, ath1, tap0. I don't have STP enabled.
17:46 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
17:46 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
17:48 < fsw> miris, the thing with bridging is... I don't know how to handle many ranges...
17:48 -!- Raccoon` [bismuth@unaffiliated/raccoon] has quit [Ping timeout: 240 seconds]
17:49 < fsw> I mean, the bridge has a single address, shared among all four interfaces
17:51 < miris> Do you mean it's IP address?
17:51 < fsw> yes
17:52 < fsw> That's why routing probably suits better your needs.
17:54 < miris> Can I connect 4 subnets using the "route" in the server's conf file? I am failing to understand how to connect the networks transparently in the routing mode.
17:57 < fsw> miris, the first thing would be to get the both server to talk to each other. That apparently works, doesn't it?
17:58 < miris> Yes, that works as expected.
18:06 < fsw> try adding on the host router (the one on 172.17.3/24) this setting 'push "route 172.17.1.0 255.255.255.0" ' 
18:07 -!- bob368_ [~bob@166.205.10.172] has quit [Read error: Connection reset by peer]
18:07 < miris> I read various manuals and it is said that "server" and "push" should be disabled for TAP.
18:08 -!- bob368 [~bob@166.205.10.172] has joined ##openvpn
18:11 < fsw> that's right
18:11 < fsw> You'd rather use tun
18:12 < fsw> Bridging disadvantages: Less efficient than routing, and does not scale well.
18:13 < miris> I was a little more worried about functionality, rather than performance.
18:13 -!- bob368 [~bob@166.205.10.172] has quit [Quit: Colloquy for iPhone - http://colloquy.mobi]
18:15 < fsw> miris, I'll tell you what you must add
18:16 < fsw> http://pastebin.com/v35b2LCL
18:16 < fsw> There are the four statements to add to your host router
18:17 < fsw> use dev tun instead of dev tap in the router and its clients
18:17 < fsw> you can switch back to dev tap later if it doesn't work
18:19 < miris> Could it be more like this? http://pastebin.com/PnJuX2By
18:22 < miris> This is the server config file for now (with TUN). Does it seem to be correct?
18:22 < miris> http://pastebin.com/c2KPtDWs
18:22 < fsw> miris, you needn't set up tun in the server router
18:23 < fsw> look
18:24 < fsw> route sets the kernel routing tables
18:25 < fsw> iroute tells the openvpn server that it should handle those destinations
18:25 < fsw> push "..." is sent to the clients so that they set it
18:29 < miris> Sorry, I am not following what that would mean in my situation. AFAIK, "route" and "push route" should be used in the server's config and "iroute" in the CCD file for specific network (also lying on the server). Correct?
18:29 < fsw> I'd guess it would be like this: http://pastebin.com/MfRK4gmG
18:30 < fsw> correct
18:30 -!- le0_ [~fin@cpc3-bele7-2-0-cust163.bele.cable.virginmedia.com] has quit [Quit: Leaving]
18:30 < miris> Co the "iroute" should also be set in the host's config file?
18:31 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
18:31 < fsw> Yep
18:31 < fsw> 'cause it is for its clients to connect
18:32 < fsw> we're talking about the routers, right?
18:32 < miris> Yes, both are routers.
18:32 < fsw> right
18:33 < fsw> let me see if I got you right
18:33 < miris> I can send a scheme of my network ...
18:34 < fsw> sure
18:34 < krzee> no
18:34 < krzee> iroute can NOT be in the client config
18:34 < krzee> it must be in the ccd file for the client in the server
18:34 < krzee> !iroute
18:34 <+vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
18:35 < krzee> iroute is NOT for the client, it is for the server to know which client has that foreign subnet behind it
18:35 < miris> So if I got it right, "iroute", "route" and "push route" should only be in the server's config while clients' configs should be pretty basic and all the same.
18:36 < krzee> iroute does not go in the server config either
18:36 -!- Pyrrho [~Pyrrho@94.200.43.132] has joined ##openvpn
18:36 < krzee> it goes in the ccd entry, on the server, for the client it matches
18:36 < krzee> !push
18:36 <+vpnHelper> krzee: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
18:36 < fsw> krzee, I know it doesn't go in the client config...
18:37 < krzee> and anything you push, technically IS in the client config, you just dont see it there ;)
18:37 < krzee> so you have the option of pushing from the server or putting it in the clients without push
18:37 < krzee> if it is for all clients, it makes more sense to push from the server
18:37 < fsw> krzee, the thing is that it's a router connected to another network itself
18:38 < Pyrrho> krzee, Typically, though, you can only push options that make sense after the session is active, correct?
18:38 < fsw> both configs went to the server setup of all of them
18:38 < fsw> which is why I included iroute in all of them
18:39 < krzee> Pyrrho, you cant push anything to an already established connection
18:39 < krzee> gotta reconnect to get new config options
18:39 < krzee> fsw, iroute is ONLY valid in ccd entries
18:39 < Pyrrho> krzee, What I mean is that you can't push any options vital for the connection itself, like cipher or auth directives, et cetera.
18:40 < krzee> fsw, have a good read of my OpenVPN/Routing doc
18:40 < krzee> !route
18:40 <+vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:40 < krzee> Pyrrho, ahh, a list of what is valid to push is in the manual at --push
18:40 < krzee> !man
18:40 <+vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:40 < Pyrrho> krzee, I know, just making the statement so that it's out there.
18:40 < krzee> ahh ok =]
18:41 < Pyrrho> krzee, That and I experienced firsthand the "wait, I can't push that. Oops." syndrome.
18:41 < krzee> gotchya, i mistook it for more of a question
18:42 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
18:45 -!- Raccoon` [bismuth@unaffiliated/raccoon] has joined ##openvpn
18:46 < Pyrrho> I am having a bit of a strange issue myself, though. OVPN will connect just fine, establish the session, everything's great... until about 30 seconds later when it tries to ping. Suddenly, it can't resolve the server's hostname. So, it times out, and does a ping-restart as directed. Except that now, it still can't resolve the hostname. I have to manually disconnect, wait, then reconnect. Pertinent information: I do have a push redirect-gateway def1 bypass
18:46 < Pyrrho> -dhcp in the server, so the DNS query for the ping is going through the tunnel. However, I did an nslookup on the server's hostname with the tunnel active, and it DOES resolve just fine.
18:47 < miris> Guys, for this network, would it be better to use bridging or routing? http://xn--abrahm-tta.eu/LAN.jpg
18:48 < miris> Each VPN branch is one network.
18:49 < Pyrrho> Of course, naturally, now that I've got it set to verb 9 so I can log everything, it's not exhibiting the behavior I'm looking for.
18:50 < krzee> miris, do you need any specific layer2 protocol?
18:50 < krzee> i dont need to see a picture to answer that
18:51 < Pyrrho> THERE it is.
18:52 < miris> Unless webcams are using specific protocols I am not aware of .... no would be the answer.
18:52 < fsw> krzee, since each network is local to the vpn servers in 172.16.X, I don't see I was wrototally wrong
18:54 < miris> Just for the reference, VPN server also the router of the 172.17.1.0/24 network which is the biggest one (on the bottom).
18:54 < krzee> if you need a specific layer2 protocol you want tap, if not you want tun
18:54 < krzee> your topology doesnt influence it ;]
18:54 < krzee> whoa, actually yes it does
18:54 < krzee> you want tun
18:54 < krzee> lol
18:54 < krzee> unless you really need a layer2 protocol
18:54 < krzee> connecting that much broadcast domains would result in a lot of layer2 chatter
18:54 < krzee> !tunortap
18:54 < krzee> miris, you will want to become VERY familiar with my routing doc
18:54 <+vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
18:54 < krzee> like, able to write one yourself familiar
18:54 <+vpnHelper> krzee: against you over the vpn, or (#4) lan gaming? use tap!
18:55 -!- fbe^ [~becker@xdsl-87-78-1-87.netcologne.de] has joined ##openvpn
18:55 < fbe^> hi
18:56 -!- SOG [~SOG@222.125.202.173] has quit [Quit: I will be back!]
18:56 < miris> krzee, I don't need and Windows shares (using FTP server
18:56 < krzee> miris, even if you did, you would just need a WINS server
18:56 < fbe^> i'm using openvpn with the network manager applet. i configured my openvpn server and i can ping the server after connecting to the vpn. also the vpn/nm sets a default route which routes over the vpn. i don't want that. can i prevent setting the default route to the vpn device with some push options?
18:56 < krzee> windows sharing (smb) isnt layer2, only its lookup method (netbios) is
18:57 < krzee> and netbios is a secondary method to lookup, with WINS being first
18:57 < Pyrrho> krzee, Is there anything overtly sensitive in a verb-9 log, anything I'd want to remove prior to pastebin?
18:58 < krzee> you found a bug and are trying to have a dev debug it?
18:59 < krzee> normal verb for troubleshooting is verb 5
18:59 < miris> krzee, am i likely to make all my PCs in all subnets visible to each other with tun as well? The configuring scares me a little bit because I am not that strong in linux that I could debug the whole traffic myself. I am planning to use those "route" and "iroute" methods to make those PCs appear for everyone. Is it the way to go?
18:59 < krzee> i personally wouldnt want to see a verb 9 log, wayyyyy too much crap to surf through
19:00 < miris> I read through so many configs and manuals that all I have in my head now is a total mess.
19:02 < fsw> miris, I believe you
19:03 < krzee> miris, forget all the rest
19:03 < krzee> google can be EXTREMELY confusing for that stuff
19:04 < krzee> thats what led to me writing the doc i wrote...
19:04 < krzee> hell, i had to dig into the code before i understood iroute
19:04 < krzee> (thank god for good comments in the code)
19:04 < krzee> err
19:04 < krzee> s/god/James/
19:05 < krzee> miris, yours is going to be a rather advanced setup
19:06 < krzee> but the principals in my routing doc remain true
19:06 < krzee> you just happen to have multiple lans behind some of the clients, which should not be a problem
19:07 < miris> krzee, I can imagine but somehow failing to manage. I have certificates, I have written down the server.conf, the client.conf files .... but wondering whether it's going to do what I expect it to do in the end.
19:07 < krzee> basically:
19:07 < krzee> !sample
19:07 <+vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
19:07 < krzee> plus the stuff in !route
19:07 < fsw> miris, for that...
19:08 < krzee> sucks im so busy right now
19:08 < fsw> you should use virtualized guests
19:08 < fsw> to try your setup
19:08 < krzee> i leave for vacation tomorrow, need to make sure the other techs understand our phone system and stuff
19:08 < fsw> I'm trying to remember the name of one
19:09 < fsw> which is particularly useful for networks...
19:09 < krzee> fsw, vmware, parallels, virtualbox, xen
19:09 < miris> Likely to be error-resistant? http://pastebin.com/MQi5RNRZ
19:09 < krzee> miris, if you wanna post your configs to pastebin ill take a look and see if anything jumps out at me... if you do, do it like this:
19:09 < krzee> !configs
19:09 < fsw> krzee, yeah, but those are general-purpose ones
19:09 <+vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
19:10 < krzee> fsw, any would be fine... put each on a diff subnet and see if you can make openvpn ping that subnet
19:10 < krzee> the only thing outside of that test would be:
19:10 < krzee> !factoids search outside
19:10 <+vpnHelper> krzee: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
19:11 < miris> krzee, the CCD entries are created dynamically on the boot (it's a router with openvpn).
19:11 < fsw> krzee, I am not saying those are bad... only that this one simulaters transparently and easily complex networks
19:11 < miris> I saw that graph and it was the first thing I understood in a few days actually.
19:11 < krzee> i still need them
19:11 < krzee> fsw, cool
19:11 < krzee> miris, thanks man =]
19:12 < krzee> reiffert showed me how to make that... our wiki software actually does it
19:12 < fbe^> krzee: du bist nicht geboren von mudda natur, du bist geboren von mudda mülltonne
19:12 < miris> krzee, and these are the CCD files: http://pastebin.com/ZbzkKMhC
19:12 < krzee> fbe^, we have a lot of germans here, but i am not one of them =]   moin moin
19:12 < fbe^> krzee: don't worry. it was just a really silly joke :D
19:13 < krzee> miris, one immediate problem, client is using tap
19:14 < miris> Yeah, OK, you're right. I forgot to modify that one.
19:14 < krzee> but im sure you're mostly concerned with the routing stuff
19:14 < krzee> so lemme dig in for a sec
19:15 < miris> I guess yes, because pinging from the host (directly connected) and server (and vice versa
19:15 < miris> ) seems to be working (at least for TAP)
19:15 < krzee> it looks good to me
19:15 < krzee> i didnt zoom in, but it looks like you have further subnetting inside some of those tho
19:16 < krzee> ohhh ok you do subnet but you stay in the same /24
19:16 < krzee> so theres not much more to do
19:16 < krzee> [17:15]  <miris> I saw that graph and it was the first thing I understood in a few days actually.
19:16 < miris> Yes, all the subnets are using the same range: 172.17.X.0/24
19:16 < krzee> thats good, cause thats the only thing outside of those configs to do
19:17 < krzee> hell, maybe not
19:17 < krzee> since im guessing those border routers are the default gateways for the internal routers
19:17 < krzee> and those border routers actually are the VPN endpoints
19:18 -!- blueboxthief [~None_of_y@86-40-176-16-dynamic.b-ras2.srl.dublin.eircom.net] has quit [Quit: Leaving.]
19:18 < krzee> good job on making your network topology in a sane way... i dont see that done very often =]
19:19 < miris> 172.17.1.1 is the VPN server and gateway for 172.17.1.0/24. All the other routers (172.17.2.1, 172.17.3.1 and 172.17.4.1) are running OVPN clients to connect to the server (172.17.1.1).
19:19 < miris> krzee, thanks. :-)
19:20 < krzee> since you have the hard stuff done
19:20 < hello> quit
19:20 -!- hello [~unixtoy@rrcs-76-79-204-178.west.biz.rr.com] has quit [Quit: hello has no reason]
19:20 < krzee> heres something else you will want
19:20 < krzee> !hmac
19:20 <+vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
19:20 <+vpnHelper> krzee: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
19:20 < krzee> and use tun
19:20 < krzee> oh and for your clients
19:20 < krzee> !path
19:20 <+vpnHelper> krzee: "path" is always use full paths in your config file, it makes things easier
19:21 < krzee> if you have a sandbox user, you can use --user and --group
19:22 < krzee> oh and just be 100% sure that the filenames used for the CCD files are the same as the client common-name in the certs you make for the clients
19:23 < krzee> you can see that in
19:23 < krzee> !certinfo
19:23 <+vpnHelper> krzee: "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
19:23 < miris> Thanks for that HMAC tip. I will give it a try.
19:23 < krzee> the full path tip will be important upon reboot
19:24 < krzee> because if it worked as is, its because you happened to be in that dir when you ran openvpn
19:24 < miris> I rebooted like 50 times just today and it worked fine all the time. :-)
19:24 < krzee> i dunno, maybe the person who compiled your copy of openvpn patched it to have that as a default dir
19:25 < krzee> but normal openvpn certainly wouldnt have known where your certs were
19:25 < krzee> trust me and use full paths
19:25 < krzee> otherwise one day maybe you upgrade and everything breaks
19:25 < miris> I will, thanks. Just for th reference, one router is running DD-WRT and the other does have a special patched OVPN version. You're right.
19:26 < krzee> =]
19:27 < miris> Since I have all these good tips, I hope to manage the goal in less than 5 days, unlike now. :-D
19:27 < krzee> you should be able to do it tonight given that you are able to try tonight
19:28 < krzee> hell, your configs are already good
19:28 < krzee> and you dont need to add routes outside openvpn
19:28 < miris> Thanks for the feedback. I will give it a try tonight.
19:28 < fbe^> tschüss, ne?
19:28 -!- fbe^ [~becker@xdsl-87-78-1-87.netcologne.de] has left ##openvpn []
19:32 < Pyrrho> Well, I fixed ONE part of the problem. It no longer gives me the error after the reconnect. I'm still getting odd ping timeouts, though...
19:34 < krzee> ahh sorry, got all caught up in his
19:34 < krzee> (thats sorta my specialty ;] )
19:35 < Pyrrho> No, I've been looking through logs.
19:35 < Pyrrho> And you're right, a verb 9 log is... heinous. :P
19:36 < krzee> hehe yup
19:36 < krzee> 5 is good for finding fw issues
19:36 < krzee> cause of the RWRWR stuff
19:37 < Pyrrho> Well, the problem that I'm having now is this: When it tries to connect, most of the time, it never receives an initial packet. But then, it does, and connects just fine.
19:37 < Pyrrho> Then, after it's connected, it seems to ping-timeout, restart, and cycle all over again.
19:39 < miris> krzee, one last thing please, is "mode server" required in my server config? Somewhere I do see it, elsewhere I don't.
19:40 < krzee> --server implies it
19:44 < krzee> so you actually do have it :)
19:45 < krzee> server 172.17.10.1 255.255.255.0
19:45 < krzee> that line expands to a LOT of stuff
19:46 < krzee> you can see in the manual as --server
19:46 -!- miris [~Miris@217-112-164-88.cust.avonet.cz] has quit [Read error: No route to host]
19:47 -!- miris [~Miris@217-112-164-88.cust.avonet.cz] has joined ##openvpn
19:48 < krzee> miris, you see my answer?
19:48 < krzee> Pyrrho, paste your configs (no comments) and logs (verb 5)?
19:48 < miris> Yes, I do. The server for some reason does not like the config. It did not start up.
19:48 < Pyrrho> krzee,  On it.
19:49 < krzee> miris, try dev tun instead of dev tun0
19:50 < krzee> unless you made static tun devices
19:50 < Pyrrho> krzee, http://pastebin.com/xTHYeSWq
19:50 < krzee> and be sure tun module is loaded
19:51 < krzee> Pyrrho, while connected are you able to ping the VPN ip?  im guessing windows firewall is enabled on the tap devic e
19:51 < krzee> device*
19:51 < Pyrrho> krzee, Windows firewall is entirely disabled, actually.
19:52 < krzee> and how about <insert security software name here> ?
19:52 < krzee> norton, mcafee, etc etc
19:52 < Pyrrho> krzee, Removed for testing. I use Avast for AV anyway.
19:53 -!- miris [~Miris@217-112-164-88.cust.avonet.cz] has quit [Read error: Connection reset by peer]
19:54 -!- Bogus8 [~Nunya@ip68-226-131-28.lf.br.cox.net] has joined ##openvpn
19:54 -!- miris [~Miris@217-112-164-88.cust.avonet.cz] has joined ##openvpn
19:57 < Pyrrho> krzee, And when I ran it on verb 9, there WERE pings going back and forth. Then, they just... stopped.
19:57 -!- miris [~Miris@217-112-164-88.cust.avonet.cz] has quit [Read error: Connection reset by peer]
19:58 -!- miris [~Miris@217-112-164-88.cust.avonet.cz] has joined ##openvpn
19:59 < krzee> can you ping the VPN ip while connected...?
19:59 -!- miris [~Miris@217-112-164-88.cust.avonet.cz] has quit [Read error: Connection reset by peer]
19:59 < Bogus8> !welcome
19:59 <+vpnHelper> Bogus8: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:59 < Bogus8> !goal
19:59 <+vpnHelper> Bogus8: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:59 < Pyrrho> krzee, Assuming that you're taking the server's tun interface IP, yes.
20:00 -!- miris [~Miris@217-112-164-88.cust.avonet.cz] has joined ##openvpn
20:00 < krzee> Pyrrho, and the clients from server
20:00 < Bogus8> !howto
20:00 <+vpnHelper> Bogus8: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
20:00 < krzee> Bogus8, so whats the goal?
20:00 < Pyrrho> krzee, Yup.
20:00 < krzee> Pyrrho, well that is interesting...
20:00 < krzee> !configs
20:00 <+vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
20:01 < Bogus8> ok... looking to set up a seemless network between a computer and my network at home.  Server at home is running Ubuntu 8.04 client trying to connect is a windows XP machine (it is behind TWO residential routers if that matters, 192.168.0.x and 192.168.9.x... home LAN is 192.168.8.x)
20:02 < Bogus8> I am getting connection timed out with the windows client software
20:02 < Pyrrho> krzee, Server: http://pastebin.com/Z8VJA6VT
20:02 < Bogus8> followed the howto on setting up my server
20:02 -!- miris [~Miris@217-112-164-88.cust.avonet.cz] has quit [Read error: Connection reset by peer]
20:02 -!- miris [~Miris@217-112-164-88.cust.avonet.cz] has joined ##openvpn
20:02 < Pyrrho> krzee, Client: http://pastebin.com/DiLrhape
20:02 -!- miris [~Miris@217-112-164-88.cust.avonet.cz] has quit [Client Quit]
20:03 < krzee> Bogus8, good stuff, do you plan on using LAN gaming or anything?  do you plan on sharing the entire LANs?
20:04 < Bogus8> krzee: no gaming... just some file sharing and browsing of the network.. maybe some printing
20:04 < krzee> smb file sharing?
20:04 < Bogus8> krzee: yes, samba
20:04 < krzee> ok, you want to enable wins
20:04 < krzee> !wins
20:04 <+vpnHelper> krzee: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
20:04 < Bogus8> krzee: do I "need" wins?  if I'm using TAP?
20:05 < krzee> nope, not if you're using tap
20:05 < krzee> but i also cant help you in that case
20:05 < Bogus8> krzee: that is how I am attempting to set it up (guess I should have stated that... sorry)
20:05 < krzee> im not very versed in tap setups
20:05 < Bogus8> krzee: LOL.. thanks
20:05 < krzee> but you dont need tap unless you need layer2
20:05 < krzee> and if smb is the only layer2 you need, you should just use WINS
20:06 < Bogus8> I don't feel like I am even hitting the server... because if I was shouldn't I be getting a different error than "timed out"?
20:06 < krzee> correct
20:06 < krzee> check your NAT rule on the server router
20:06 < krzee> and any relevant firewalls
20:06 < Bogus8> I have set up the port forwarding... no FW on the server
20:06 < krzee> (on the server, before the server)
20:07 < krzee> was the port forwarding done on the right ip/port/protocol
20:07 < Bogus8> only other FW would be the router
20:07 < krzee> thats worth checking, assuming your server log doesnt show ANY activity from the client trying to connect
20:07 < Bogus8> would the double router situation on the client side have any relation?
20:07 < krzee> you either have mismatching configs, a broken NAT rule, or a firewall blocking it
20:08 < krzee> not if the client can reach the internet
20:08 < Bogus8> krzee: I'm running from CLI as suggested on the howto... nothing is being outputted to console during attempts
20:08 < krzee> nice, you read the howto well ;]
20:08 < Bogus8> krzee: client can definitely reach the internet... I actually have a VNC one-click connection from there to me at the server's location right now
20:09 < Bogus8> krzee: I only come in here crying after I have done a good deal of homework ;)
20:10 < krzee> [18:12]  <krzee> you either have mismatching configs, a broken NAT rule, or a firewall blocking it
20:10 < krzee> it is one of those
20:10 < Bogus8> krzee: :(  ok... wait... configs... I'm using the windows client... there are no "configs" that I know of
20:11 < Bogus8> just put in "IP" and then it prompts for user/pass (which honestly I don't know what to put in there.... but like I said, I don't thinkn that is my problem yet)
20:12 < Pyrrho> Bogus8, that would be your problem, methinks.
20:12 < Bogus8> Pyrrho: agreed... but none of the howto's on the client software talk about anything beyond just very basics
20:13 < krzee> umm
20:13 < krzee> there certainly are configs
20:13 < krzee> where do you put the IP...?
20:13 < krzee> ohhhh Bogus8 did you config via something web based?
20:13 < Bogus8> http://openvpn.net/index.php/openvpn-client/howto-openvpn-client/397-how-to-connect-to-a-vpn-server-with-the-openvpn-client.html
20:13 <+vpnHelper> Title: How to connect to a VPN Server with the OpenVPN Client (at openvpn.net)
20:14 < Bogus8> krzee: no... I work via commandline on myserver exclusively
20:14 < krzee> ok cool
20:14 < krzee> thought maybe you had AS
20:14 < Bogus8> What is AS? ;)
20:14 < krzee> !AS
20:14 <+vpnHelper> krzee: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
20:14 <+vpnHelper> krzee: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
20:15 < Bogus8> nope definitely not that... ubuntu apt-get openvpn
20:24 < krzee> whats that client...?
20:25 < krzee> ohhh thats an access-server client
20:25 < krzee> hahah
20:25 < krzee> you need the client from here
20:25 < krzee> !downloads
20:25 <+vpnHelper> krzee: Error: "downloads" is not a valid command.
20:25 < krzee> !download
20:25 <+vpnHelper> krzee: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
20:29 -!- miris [~Miris@217-112-164-88.cust.avonet.cz] has joined ##openvpn
20:30 < miris> krzee, to what address can I send you a thank you card? Your feedback was very helpful and I arrived at the destination "success". Thanks a lot!
20:30 < krzee> right on man!
20:31 < krzee> glad to help, but it seems you did most the work without me
20:31 < krzee> im sure it took you awhile
20:31 < krzee> especially if you hadnt found my routing doc
20:31 < miris> Well, 5 days 15 hours/day. :-D
20:31 < krzee> ahh, sounds about right!
20:31 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
20:31 < krzee> hehe
20:31 < Bogus8> krzee: ok... so I need to install the full package
20:32 < miris> There are pros and noobs. I obviously still belong to the 2nd group.
20:32 < Bogus8> is there no simple way to do a dun style connection from windows?
20:32 < krzee> Bogus8, ya you need the opensource client to connect to your opensource server =]
20:33 < miris> Anyway, once again, thanks a lot. Especially your document I found was helpful. What helped the most was the info at the bottom about an existing IRC channel. ;-)
20:34 < Bogus8> gotcha... i do some work with an off shore communication company and they gave me VPN access that consisted of a DUN style connection that gives me access to their 10.x.x.x network so I can hop on my platforms from the beach... I thought there might be something simple like that for openvpn
20:35 < Bogus8> no matter I will be using openvpn... just wasn't sure of all my connection options
20:35 < krzee> miris, ahh, i never even realized the positive benefit of putting the IRC channel on that doc
20:35 < krzee> miris, maybe ill add the word IRC to it as well for google purposes
20:36 < krzee> my doc is heavily linked to, so i can use that to help people find here now that you bring up that side benefit
20:36 < miris> krzee, it was the most useful information in a few days for sure.
20:36 < krzee> Bogus8, heres how easy it can be
20:36 < krzee> !confgen
20:36 <+vpnHelper> krzee: "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/
20:36 < krzee> i wrote a config file generator ;)
20:36 < miris> You barely find a forum about openvpn, just some threads but nothing dedicated to OpenVPN that would be stuffed with information.
20:37 < krzee> !forum
20:37 <+vpnHelper> krzee: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
20:37 < krzee> soon that forum will be moved to openvpn.net and made official =]
20:37 < Bogus8> krzee: I'll be checking it out... and guess what happened... my vnc connection went down and my wife just walked in the door... so now I'm disconnected from the client side till I go back to my office. ;)
20:38 < miris> I looked at both but it does not seem to be very up to date. IRC channel is much more lively.
20:38 < krzee> ya
20:38 < krzee> the mods from that forum are all here
20:38 < krzee> and cause we had SOOOOO much spam we have to manually accept a newcomers first 3 forum posts
20:39 < krzee> i think now that its going to openvpn.net we'll get some better spam prevention and not need that rule
20:39 < miris> Ah, I see. Anyway, I bet I would not make it work anytime soon posting in the forum.
20:40 < krzee> it would have taken longer... usually the case with forum vs IRC
20:40 < miris> IRC channel would deserve more promotion, IMHO
20:42 < krzee> thanx
20:43 < krzee> Pyrrho, did i miss you posting your configs?
20:43 < miris> Does anyone know whether RTSP can pass through TUN?
20:43 < krzee> is it IP traffic?
20:44 < miris> That is the question... But I guess it should be since it is concerning an "IP" cam.
20:44 < krzee> (i know RTP, dont know of RTSP)
20:44 < Pyrrho> krzee, Yes, hold on.
20:44 < miris> http://en.wikipedia.org/wiki/Real_Time_Streaming_Protocol
20:44 <+vpnHelper> Title: Real Time Streaming Protocol - Wikipedia, the free encyclopedia (at en.wikipedia.org)
20:44 < Pyrrho> krzee, Server: http://pastebin.com/Z8VJA6VT
20:44 < Pyrrho> krzee, Client: http://pastebin.com/DiLrhape
20:45 < krzee> The default transport layer port number is 554.
20:45 < krzee> so yes
20:45 < krzee> (layer2 doesnt have ports)
20:46 < miris> Oh, one another learnt thing today. :-)
21:00 -!- miris [~Miris@217-112-164-88.cust.avonet.cz] has left ##openvpn []
21:17 < Pyrrho> krzee, See anything funky?
21:18 < krzee> it got busy and now its time to go
21:18 < krzee> but ill take a quick look first
21:21 < krzee> one thing i see:
21:21 < krzee> !path
21:21 <+vpnHelper> krzee: "path" is always use full paths in your config file, it makes things easier
21:21 < krzee> !winpath
21:21 <+vpnHelper> krzee: "winpath" is (#1) Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key", or (#2) also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.: C:/Program Files/OpenVPN/config/foo.key (but surrounded by quotes)
21:22 < krzee> but thats not part of your problem from what you said...
21:22 < krzee> (change it anyways)
21:22 < krzee> but no, i dont see anything twords what your problem is
21:22 < krzee> make sure you dont have some sort of stateful firewall or something involved
21:22 < krzee> that could reset the udp connection
21:23 < krzee> (keeping-state on UDP definitely is less than perfect)
21:23 < krzee> hope that helps
21:23 -!- krzee [~k@unaffiliated/krzee] has quit [Quit: Leaving]
21:59 -!- jacky_bro [cb51a61b@gateway/web/freenode/ip.203.81.166.27] has joined ##openvpn
22:00 < jacky_bro> Hi morning
22:01 < jacky_bro> i'm trying to install and configure openvpn on freebsd
22:01 < ecrist> ok
22:01 < ecrist> easy enough
22:02 < jacky_bro> after i installed from port collection , i found some sample config file and key file  in /usr/local/share/doc/openvpn/
22:02 < jacky_bro> when i read some guide , server config file must be in /usr/local/etc/openvpn/  
22:03 < ecrist> jacky_bro: on freebsd, read /usr/local/etc/rc.d/openvpn to see what defaults are
22:03 < ecrist> you can set your config in /etc/rc.conf
22:03 < jpalmer> if I have 2 openvpn servers running on a centos server,  can I just push routes to have the traffic flow between the two subnets?  or will I need to enable ip forwarding on the host?
22:03 < ecrist> openvpn_enable="YES" and openvpn_configfile="/path/to/config"
22:04 < ecrist> jpalmer: if you're passing traffic between the openvpn interfaces, you need to enable ip forwarding
22:04 -!- linuxviewer [~linuxview@ip72-222-249-220.ph.ph.cox.net] has joined ##openvpn
22:04 < jpalmer> ok, thought so.  was hoping that wasn't the case though cuz the machine is very remote :P   hate messing with this stuff remotely.  heh
22:04 < jpalmer> thanks
22:04 < ecrist> np
22:05 < ecrist> if you're doing it all within one instance of openvpn, you can get away with it
22:05 < jpalmer> nah,  I still need to re-architect the whole management network.  so for now,  it's 2 openvpn servers.  one for clients,  one for management.
22:06 < jpalmer> eventually, I'll rearchitect it to use one,  and the OS's firewalling software to control what traffic goes where.
22:11 < linuxviewer> Hello everyone.  I have setup a bridge mode and I get the same subnet ip address as the openvpn server, but for whatever reason i cannot even ping the same subnet ip address of the openvpn server (nor the router).  Any assistance on how to diagnose what is going on?
22:14 < jpalmer> linuxviewer: have you checked the routes on the client machine?
22:15 < linuxviewer> japlmer - what do you mean routes on client machine?  like the client fconfig?
22:15 < linuxviewer> the client machine is a windows machine
22:16 < jpalmer> windows machiens have a routing table too ;)
22:17 < linuxviewer> what would I be looking for?  When I didn't use the bridge mode I could ping the different subnet ip of openvpn just fine
22:18 < linuxviewer> so for example, the ip of openvpn server (linux) is 192.168.5.5.  When connecting in using openvpn on windows machine the windows machine would get a 192.168.5.200 ip address, but wouldn't be able to ping 192.168.5.5 (OpenVPN server) nor 192.168.5.1 (router).  Strange?
22:18 < jpalmer> linuxviewer: ok,  let me approach this another way.  without the VPN,  what is the IP and subnet of the windows machine?
22:18 < linuxviewer> it was a direct public ip
22:18 < linuxviewer> not a local ip subnet
22:18 < linuxviewer> the primary nic card, whereas the openvpn ipconfig was showing a 192.168.5.200 ip
22:19 < jpalmer> it's not connected with a local IP at all?  just a public IP?
22:19 < linuxviewer> yes, it was connecting to the openvpn through the internet
22:19 < jpalmer> again,  ignoring openvpn for a minute.  does the windows machine have a local IP at all?
22:21 < linuxviewer> no
22:21 < linuxviewer> public
22:21 < jpalmer> ok.  what response do you get from the windows machine, when you tracert the IP of the openvpn server?
22:21 < linuxviewer> I did it like that so that I could fully test through a true environment (going to openvpn through internet only)
22:22 < linuxviewer> hrrmm, didnt do tracert, only ping
22:22 < linuxviewer> jpalmer - maybe you can guide me in the right direction
22:22 -!- jacky_bro [cb51a61b@gateway/web/freenode/ip.203.81.166.27] has quit [Ping timeout: 252 seconds]
22:22 < linuxviewer> the reason why i am looking at doing the bridge mode is because when I do the normal tunnel mode i could ping the openvpn server just fine, but it was on a different subnet
22:22 < jpalmer> thats kinda what I'm doing.  giving you the steps to troubleshoot with.
22:22 < linuxviewer> and couldn't connect to any other services on the true local subnet that the openvpn server is one
22:22 < linuxviewer> *on
22:23 < linuxviewer> i tried the client-to-client in the server.conf but I still couldnt ping any of the true local ip subnet on the openvpn side
22:23 < jpalmer> what other services?  I'll be honest..  you really really don't want a bridged VPN if you can help it
22:23 < linuxviewer> so for example, if the local ip of the openvpn is 192.168.5.5..... and with TUN it was giving out 192.168.6.X  (diff subnet) then I could ping 192.168.6.X (the openvpn server) but not the 192.168.5.5 (OpenVpn server)
22:24 < linuxviewer> jpalmer - other services - Asterisk (VOIP_
22:24 < linuxviewer> I was getting one way audio when connecting into the Asterisk (and OpenVPN on same machine) through the openvpn subnet, not the local subnet
22:24 < jpalmer> ok, stop for a second.  you're throwing out bits of random info that aren't making sense.    what is 192.168.5.5?  is that the LAN IP address of your openvpn server?
22:25 < linuxviewer> yes.
22:25 < linuxviewer> and when I did the TUN version of OpenVPN I would have to specify a different subnet, so for example, lets just say 192.168.6.X
22:25 < jpalmer> ok,  and 192.168.6.1 is the openvpn IP of your openvpn server?
22:25 < linuxviewer> (I think it was a 10.8.0.X though)
22:25 < jpalmer> stop getting ahead of me,  you're just confusing things ;)
22:25 < linuxviewer> yes, lets just say it was 192.168.6.1 for the openvpn side
22:25 < linuxviewer> haha okay
22:25 < linuxviewer> :)
22:26 < jpalmer> ok,  when you were configured originally and getting 192.168.6.x,  you were seeing 1 way audio?
22:26 < linuxviewer> correct, as if the openvpn (and asterisk) wasnt routing properly back to the client machine which got a 192.168.6.X IP
22:27 < jpalmer> ok,  that sounds like a routing issue on the asterisk side.  yes.  
22:27 < linuxviewer> jpalmer - I believe so, but I disabled iptables and still same outcome.  Of course, if i plug in locally with the same local ip subnet (192.168.5.X) then I connect in fine and two way audio (everything perfect)
22:27 < jpalmer> what you likely need to do,  is go back to that config.  then,  setup a static route to send 192.168.6.x traffic back to your VPN server
22:27 < linuxviewer> that is why i thought maybe i should go a bridge mode.  so that I was on the same subnet.
22:27 < jpalmer> again.  stop getting ahead of me.
22:28 < linuxviewer> gotcha, when you say static route to send 192.168.6.x traffic back to the vpn server, are you talking about a linux routing table right?  Nothing to do with openvpn?
22:28 < jpalmer> the traffic coming from your phone was working.  asterisk just didn't know how to send the data back across the VPN, to your phone.  if you setup a static route,  that problem goes away
22:29 < jpalmer> you probably need to do it on your gateway router.  but I don't know your network setup well enough to say
22:29 < jpalmer> is your openvpn server also your default gateway for lan clients?
22:29 < linuxviewer> negative
22:29 < jpalmer> ok.  
22:29 < linuxviewer> 192.168.5.1 is (Cisco router)
22:30 < jpalmer> when your asterisk tries to send to 192.168.6.x,  it's going to your cisco.  your cisco has no idea where it needs to go, so drops it.
22:30 < linuxviewer> hrrrmmmmmm, yes, that makes more sense
22:30 < jpalmer> you need to tell your cisco,  anything destined for 192.168.6.x needs to be sent over here (to your openvpn server)
22:30 < linuxviewer> hrrmmmmmmmm
22:30 < jpalmer> then ovpn will route it back to the clinet
22:30 < linuxviewer> which is through the ovpn
22:30 < linuxviewer> or to the ovpn
22:31 < linuxviewer> i see
22:31 < linuxviewer> let me try that, brillent :)
22:31 < jpalmer> it sounds like you had 90% of the configs done,  and just missed a static route
22:31 < jpalmer> ecrist: ping
22:31 < linuxviewer> yes, the static route of all 192.168.6.X (ovpn subnet) to go to the 192.168.6.1 (openvpn ovpn ip)
22:32 < Pyrrho> Does anyone know of any performance differences between AES and Blowfish for OpenVPN purposes?
22:32 < linuxviewer> which then the ovpn server knows how to handle the traffic (no dropped packets)
22:32 < jpalmer> linuxviewer: sounds correct, yes
22:32 < jpalmer> your asterisk just didn't know how to contact the remote voip endpoint.
22:33 < jpalmer> (a common cause of 1way audio over VPN's)
22:33 < jpalmer> linuxviewer: another option (possibly) is to use your asterisk server as your openvpn server also.  cuz then, openvpn will handle the routing automagically. (assuming asterisk is the only service you're using openvpn for)
22:34 < linuxviewer> jpalmer - the astrisk and openvpn server are on the same server
22:34 < linuxviewer> same instance of linux
22:35 < jpalmer> wait,  asterisk and openvpn server are on the same machine?
22:35 < linuxviewer> jpalmer - that is correct.
22:35 < jpalmer> Pyrrho: sorry, never measured the performance differences.
22:36 < Pyrrho> jpalmer, Do you think it would be significant, at any rate?
22:36 < jpalmer> linuxviewer: I was working on the assumption they were two different servers. 
22:36 < jpalmer> linuxviewer: can you go back to that config (with the 1 way audio) and then pastebin the output of route -an (on your asterisk machine)
22:37 < jpalmer> Pyrrho: I don't kno enough about blowfish to make any comments about the impact
22:37 < linuxviewer> yes one moment
22:40 < linuxviewer> actually its going to take me prob 10 minutes because i have to set it back up
22:40 < linuxviewer> i've changed a few things for getting bridge mode to semi-work
22:41 < jpalmer> linuxviewer: thats ok,  go for it.  and I said route -an,  but I meant netstat -r
22:57 -!- Pyrrho [~Pyrrho@94.200.43.132] has quit [Quit: Leaving]
22:59 -!- fsw [~BOT@britannia.0xj.info] has quit [Ping timeout: 240 seconds]
23:01 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:06 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
23:08 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
23:11 -!- jacky_bro [cb51a61b@gateway/web/freenode/ip.203.81.166.27] has joined ##openvpn
23:17 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
23:21 -!- tjz_ [~pc@bb116-14-173-172.singnet.com.sg] has joined ##openvpn
23:25 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 248 seconds]
23:27 < linuxviewer> okay jpalmere
23:28 < linuxviewer> http://pastebin.com/7PBazZ2s
23:28 < linuxviewer> the 10.8.0.X is the openvpn subnet.  with the 10.8.0.1 being the openvpn ip address
23:29 < linuxviewer> with the client ip address being 10.8.0.6
23:29 < linuxviewer> It is strange, I can from the client side through the openvpn tunnel register a SIP extension, and make a call, but if I hangup on either side (cell phone dialing or clientside softphone) the server doesnt seem to pick it up that it was hungup.  Very weird
23:35 -!- tjz_ [~pc@bb116-14-173-172.singnet.com.sg] has quit [Quit: bbl.]
23:35 -!- tjz [~pc@bb116-14-173-172.singnet.com.sg] has joined ##openvpn
23:35 -!- tjz [~pc@bb116-14-173-172.singnet.com.sg] has quit [Changing host]
23:35 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
23:46 -!- jacky_bro [cb51a61b@gateway/web/freenode/ip.203.81.166.27] has quit [Ping timeout: 252 seconds]
23:54 < linuxviewer> jpalmer are you still around?
23:56 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Ping timeout: 240 seconds]
--- Day changed Tue Aug 10 2010
00:04 -!- Mark22 [~mark@unaffiliated/mark21] has quit [Ping timeout: 260 seconds]
00:05 -!- Mark22 [~mark@195.184.64.194] has joined ##openvpn
00:07 -!- batrick [~batrick@batbytes.com] has joined ##openvpn
00:08 -!- linuxviewer` [~linuxview@ip72-222-249-220.ph.ph.cox.net] has joined ##openvpn
00:09 -!- linuxviewer [~linuxview@ip72-222-249-220.ph.ph.cox.net] has quit [Read error: Connection reset by peer]
00:34 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Ping timeout: 240 seconds]
00:37 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
00:44 -!- linuxviewer` [~linuxview@ip72-222-249-220.ph.ph.cox.net] has quit []
01:03 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:03 -!- mode/##openvpn [+o mattock] by ChanServ
01:20 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
01:42 -!- Chosi [osxchosi@choseh.de] has quit [Ping timeout: 265 seconds]
01:49 -!- Chosi [osxchosi@choseh.de] has joined ##openvpn
02:13 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:17 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
02:25 -!- dazo_afk is now known as dazo
02:29 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Read error: Operation timed out]
02:29 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined ##openvpn
02:30 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Quit: No Ping reply in 90 seconds.]
02:33 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
02:38 -!- protien [~pro@ppp118-210-196-25.lns20.adl6.internode.on.net] has joined ##openvpn
02:39 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 265 seconds]
02:42 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
02:44 -!- mattock [~samuli@gprs-prointernet-ffd5c200-76.dhcp.inet.fi] has joined ##openvpn
02:44 -!- mode/##openvpn [+o mattock] by ChanServ
02:50 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
02:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
02:56 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:05 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
03:31 -!- blueboxthief [~None_of_y@86-40-176-16-dynamic.b-ras2.srl.dublin.eircom.net] has joined ##openvpn
03:36 -!- mattock1 [~samuli@gprs-prointernet-ff326a00-126.dhcp.inet.fi] has joined ##openvpn
03:37 -!- mode/##openvpn [+o mattock1] by ChanServ
03:37 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:39 -!- mattock [~samuli@gprs-prointernet-ffd5c200-76.dhcp.inet.fi] has quit [Ping timeout: 265 seconds]
03:39 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
03:41 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:45 -!- mattock1 [~samuli@gprs-prointernet-ff326a00-126.dhcp.inet.fi] has quit [Ping timeout: 246 seconds]
04:04 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
04:12 -!- blueboxthief [~None_of_y@86-40-176-16-dynamic.b-ras2.srl.dublin.eircom.net] has quit [Quit: Leaving.]
05:08 -!- SOG [~SOG@61.144.230.241] has quit [Quit: SOG]
05:10 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:21 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
05:53 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 248 seconds]
05:54 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
05:55 -!- Netsplit *.net <-> *.split quits: kisom, RedShift
05:56 -!- Raccoon` [bismuth@unaffiliated/raccoon] has quit [Ping timeout: 252 seconds]
05:57 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
05:59 -!- Netsplit over, joins: kisom
06:03 -!- SOG [~SOG@222.125.202.173] has quit [Ping timeout: 240 seconds]
06:03 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
06:04 -!- RedShift [~glenn@apollo.webmind.be] has joined ##openvpn
06:17 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
06:38 -!- MadTBone [~MadTBone@160.39.238.196] has joined ##openvpn
06:42 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
07:05 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
07:07 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
07:46 -!- zheng [~zheng@114.92.134.236] has joined ##openvpn
07:54 -!- SOG [~SOG@222.125.202.173] has quit [Quit: I will be back!]
08:00 -!- protien [~pro@ppp118-210-196-25.lns20.adl6.internode.on.net] has quit [Ping timeout: 240 seconds]
08:01 -!- gorkhaan [~gorkhaan@adsl-101-194.globonet.hu] has joined ##openvpn
08:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
08:14 -!- takamichi [~pri@78.133.14.166] has joined ##openvpn
08:24 -!- zheng [~zheng@114.92.134.236] has quit [Quit: Leaving]
08:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:28 -!- gorkhaan [~gorkhaan@adsl-101-194.globonet.hu] has quit [Ping timeout: 265 seconds]
08:33 -!- Thomas_Ludwig [~Thomas@ert6rf01.gm.FH-Koeln.DE] has joined ##openvpn
08:33 -!- Thomas_Ludwig [~Thomas@ert6rf01.gm.FH-Koeln.DE] has left ##openvpn []
08:33 -!- Mark22 [~mark@195.184.64.194] has quit [Changing host]
08:33 -!- Mark22 [~mark@unaffiliated/mark21] has joined ##openvpn
08:40 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined ##openvpn
08:51 -!- scyld [~krajcong@unaffiliated/wasyl] has quit [Disconnected by services]
08:51 -!- scyld [~krajcong@unaffiliated/wasyl] has joined ##openvpn
08:51 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:08 -!- bjh4 [~chatzilla@ool-18bbdf6a.static.optonline.net] has quit [Quit: ChatZilla 0.9.85 [Firefox 3.5.10/20100622204750]]
09:28 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
09:35 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:42 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 252 seconds]
09:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:48 -!- sparc-kly [~mubex@adsl-72-50-28-199.prtc.net] has quit [Ping timeout: 240 seconds]
10:16 -!- jetole [~Joe@irc.fossl.net] has joined ##openvpn
10:16 < jetole> Hey guys. Does anyone know how I can test if a key has been revoked or see a list of revoked keys from the openvpn server?
10:21 < jetole> nevermind! I just figured it out from looking at the revoke script
10:35 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
10:58 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Ping timeout: 252 seconds]
11:00 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has joined ##openvpn
11:03 -!- snL20 [~irssi@194.81-166-79.customer.lyse.net] has joined ##openvpn
11:12 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: Leaving]
11:14 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:14 -!- dazo is now known as dazo_afk
11:18 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
11:33 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:47 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
12:15 -!- lamba [~Sirex@unaffiliated/lamba] has joined ##openvpn
12:15 < lamba> !welcome
12:15 <+vpnHelper> lamba: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:16 < lamba> !redirect
12:16 <+vpnHelper> lamba: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:17 < lamba> !ipforward
12:17 <+vpnHelper> lamba: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
12:17 < lamba> .. how can i use this bot without spamming the room ? - !welcome in priv msg isnt working
12:18 < lamba> !linipforward
12:18 <+vpnHelper> lamba: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
12:19 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
12:20 < lamba> nvm. bot fixed it :) awesome
12:20 -!- lamba [~Sirex@unaffiliated/lamba] has left ##openvpn []
12:20 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
12:28 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
12:29 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
12:31 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Remote host closed the connection]
12:36 -!- Raccoon` [bismuth@unaffiliated/raccoon] has joined ##openvpn
12:44 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has quit [Quit: Leaving]
12:52 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
12:54 -!- JackCorleone [~Jack@201-92-44-12.dsl.telesp.net.br] has joined ##openvpn
12:58 -!- nclx [~nclx@97.103.253.226] has joined ##openvpn
13:02 < nclx> I have openvpn2.1 running on Win2008 R2 and a FreeBSD TLS client connected to it using Certs/keys.  I can ping the server's vpn IP (10.8.0.1) but the subnet behind my FreeBSD client (10.10.10.0/24) cannot reach 10.8.0.1.  I setup the client file in ccd, and normal packet forwarding through the bsd machine does work.  Any suggestions?
13:03 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
13:04 < ecrist> nclx: you need one of two things going on, either a route for the vpn server side to route to that network behind the freebsd server, or you  need to nat connections from the freebsd lan out to the vpn
13:04 < ecrist> !ccd
13:04 <+vpnHelper> ecrist: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
13:04 < ecrist> !route
13:04 <+vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:04 < ecrist> see those links for more information
13:05 < nclx> ecrist I'll go review the ccd and route info again, I am not NAT'ing the FreeBSD LAN, I would like it directly routed over the VPN if possible
13:07 < ecrist> it's possible, just need to complete the missing parts.
13:09 < nclx> okay, I just verified my server config file does have: client-config-dir ccd and route 10.10.10.0 255.255.255.0, and my ccd/fbsd.txt has: iroute 10.10.10.0 255.255.255.0, I'll reread those now though to see if those statements are messed up
13:09 < ecrist> ok, but do machines on the server side know to route 10.10.10/24 to the vpn server, or is that being routed to the default gateway?
13:10 < ecrist> also, is the freebsd server routing properly (i.e. is net.inet.ip.forwarding =1)
13:11 < nclx> yes net.inet.ip.forwarding=1, and at this point on the windows server side I am only trying to access that server itself 10.8.0.1, not even trying to get to anything else on its subnet
13:12 -!- louis [~chatzilla@ip-83-134-37-90.dsl.scarlet.be] has joined ##openvpn
13:12 < louis> Hi everybody
13:12 < nclx> hello
13:12 < louis> Is there someone to help me about configuring openVPN on WindowsMobile?
13:13 < ecrist> I don't understand what you mean, nclx 
13:13 < nclx> okay rephrasing...
13:14 < nclx> 10.10.10.7 --> 10.10.10.1(FreeBSD ovpn client) ----> (10.8.0.1 ovpn endpoint ip/Windows 2k8r2  ovpn server)
13:15 < nclx> I have several clients on the 10.10.10.0/24 subnet that need to cross the vpn and reach a server application on the win2k8 server
13:16 < nclx> they could access it on its vpn ip 10.8.0.1 as assigned by openvpn, or by its actual IP 192.168.0.50
13:16 < ecrist> ok, on one of those, traceroute to that 10.8.0.1 ip
13:16 < nclx> from the freebsd box or the client behind it?
13:17 < ecrist> the client behind it
13:19 -!- ivenkys_ [~ivenkys@unaffiliated/ivenkys] has joined ##openvpn
13:21 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has quit [Ping timeout: 265 seconds]
13:24 < nclx> goes to 10.10.10.1, then keeps timing out past that
13:25 < ecrist> nclx: does the server have ip fowarding enabled?
13:26 < nclx> # sysctl net.inet.ip.forwarding ... net.inet.ip.forwarding: 1
13:26 < nclx> I can access other subnets through the freebsd box just not over the vpn
13:26 < nclx> yet
13:30 < nclx> okay from the client behind the bsd box I can ping 10.10.10.1 (bsd box's LAN IP), I can also ping 10.8.0.6 which must be the VPN IP which is being assigned to the FreeBSD box
13:31 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
13:37 < nclx> if I do tcpdump -ni tun0 on the FreeBSD box while trying to ping 10.8.0.1 from a client behind the bsd box (10.10.10.7) I can see those ICMP echo request packets being put onto tun0, but no reply coming back
13:39 < krzee> without knowing anything... i say firewall
13:40 < ecrist> nclx: on the SERVER the windows server
13:40 < nclx> yes
13:40 < ecrist> firewall, more than likely
13:41 < nclx> okay I'll check that out to eliminate it
13:44 < krzee> im in an airport
13:45 < krzee> and this airport was cool enough to give free wifi, so i dont have to play games with them
13:45 < nclx> if it turns out to be firewall....there is a windows sysadmin here that will have to do penance for this
13:46 -!- bandini [~bandini@host23-106-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn
13:48 < nclx> w2k8r2 firewall tries to oversimplify things so much with its gui and hiding technical names for things with profile names that it really becomes difficult to see a clear picture of what it is filtering quickly
13:49 < krzee> nclx,
13:49 < krzee> !windows
13:49 <+vpnHelper> krzee: "windows" is pcs are like air conditioners, they work fine unless you open windows
13:49 < krzee> ;]
13:49 < nclx> lol yeah
13:53 -!- louis [~chatzilla@ip-83-134-37-90.dsl.scarlet.be] has quit [Ping timeout: 246 seconds]
13:55 -!- louis [~chatzilla@ip-83-134-37-90.dsl.scarlet.be] has joined ##openvpn
13:58 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
14:02  * hyper_ch is just removing himself from all social network sites
14:03 < krzee> even the russian bride ones?
14:03 < hyper_ch> that's not a social network site :)
14:04 < hyper_ch> that's like a merchandise / online shop one
14:05 < krzee> ;]
14:07 -!- le0_ [~fin@cpc3-bele7-2-0-cust163.bele.cable.virginmedia.com] has joined ##openvpn
14:08 < krzee> http://www.techdirt.com/articles/20100808/22161110540.shtml
14:08 <+vpnHelper> Title: Congress About To Pass 'The ______Act of____' (These Are The People We Elect?) | Techdirt (at www.techdirt.com)
14:09 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 240 seconds]
14:10 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
14:17 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
14:18 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
14:23 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
14:23 -!- mode/##openvpn [+o mattock] by ChanServ
14:28 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
14:29 -!- gorkhaan [~gorkhaan@adsl-101-194.globonet.hu] has joined ##openvpn
14:30 -!- louis [~chatzilla@ip-83-134-37-90.dsl.scarlet.be] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.8/20100723084720]]
14:36 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:38 < Bogus8> ok... trying to connect again with the correct client ;)  getting "connection reset by peer" error
14:41 < Bogus8> and how do you stop the command line when running in windows
14:42 < nclx> Ctrl+C or F9
14:42 < nclx> I believe
14:42 < nclx> connection reset by peer is indicative of openvpn not listening on the specified interface/port or being firewalled
14:43 < Bogus8> I of course tried F9 but that didn't do it... I am accessing the client via VNC so maybe it's not translating
14:44 < Bogus8> nclx: I have several services running on that service and I can hit them from that client (including http)... but this one isn't happening... possible cox is blocking port 1194?
14:45 < Bogus8> quick google search says cox isn't blocking that port
14:49 < Bogus8> only odd thing in my network is that I'm going through two routers on the client side (192.168.0.x is the one connected to the internet and then I have 192.168.9.x connected to that router then my client)
14:54 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
14:59 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
15:03 -!- takamichi [~pri@78.133.14.166] has quit [Ping timeout: 265 seconds]
15:11 -!- bandini [~bandini@host23-106-dynamic.44-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
15:11 -!- takamichi [~pri@78.133.14.166] has joined ##openvpn
15:27 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
15:48 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
15:50 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
15:51 < Bogus8> nclx: I'm an idiot.... I forgot I had shut down the server side when I gave up yesterday
15:51 < Bogus8> so... now I'm connecting and getting an IP... but I can't ping anything
16:09 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
16:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
16:42 -!- gorkhaan [~gorkhaan@adsl-101-194.globonet.hu] has quit [Remote host closed the connection]
16:52 -!- nclx [~nclx@97.103.253.226] has quit [Quit: My damn controlling terminal disappeared!]
16:54 -!- Raccoon- [bismuth@unaffiliated/raccoon] has joined ##openvpn
16:55 -!- Raccoon` [bismuth@unaffiliated/raccoon] has quit [Read error: Connection reset by peer]
17:00 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Read error: Connection reset by peer]
17:06 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
17:11 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
17:35 -!- le0_ [~fin@cpc3-bele7-2-0-cust163.bele.cable.virginmedia.com] has quit [Quit: Leaving]
17:40 < ksk> hello guys
17:40 < ksk> i got some problems running openvpn client on windows
17:40 < ksk> on linux (debian) everything works fine - eg the routes i get pushed
17:41 < ksk> on windows it says "everything okay" but i cant reach any network through openvpn
17:42 < ksk> "route print" show me some routes - im afraid i dont know exactly how they have to look like on win, but so far theyre okay
17:42 < ksk> any idea whats wrong?
17:43 < ksk> if i tracert an internal system it goes through my isp's routers - but not openvpn device
17:43 < ecrist> that would indicate a problem in my book
17:44 < ksk> pardon?
17:46 < ksk> *windows 7 btw..
18:05 -!- JodaZ [~JodaZ@ns302312.ovh.net] has quit [Ping timeout: 245 seconds]
18:07 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:13 -!- takamichi [~pri@78.133.14.166] has quit [Read error: Connection reset by peer]
18:13 -!- takamichi [~pri@78.133.14.166] has joined ##openvpn
18:23 -!- takamichi [~pri@78.133.14.166] has quit [Ping timeout: 260 seconds]
18:25 -!- takamichi [~pri@78.133.14.166] has joined ##openvpn
18:31 -!- takamichi [~pri@78.133.14.166] has quit [Ping timeout: 264 seconds]
18:31 -!- takamichi [~pri@78.133.14.166] has joined ##openvpn
18:41 -!- barfster [~barf@74.7.197.50] has joined ##openvpn
18:41 < barfster> Anyone feel like helping me understand VPN?
18:41 < barfster> I have the subnet in my house 10.10.11.0/24
18:41 < krphop> ok...
18:42 < barfster> I have installed openvpn on 10.10.11.4
18:42 < krphop> ok...
18:42 < barfster> I would like to configure my MacBook VPN
18:42 < barfster> to login to that ubuntu box back home
18:43 < krphop> ok...
18:43 < barfster> But first I have to understand something about another IP range for transport?
18:43 < barfster> Or I have to assign one or some IPs on my LAN that will be my MacBook when logged in from a remote location?
18:45 < barfster> Or how does that work?
18:47 -!- killown [~killown@unaffiliated/killown] has quit [Ping timeout: 265 seconds]
18:48 < krphop> well, you can have it setup a fwe ways
18:48 < krphop> one case, you connect to your openVPN server at home, and all the traffic routed through the VPN just looks like its coming from the 10.10.11.4 address
18:49 < krphop> however, tehre is a subnet you'll have allocated to just openvpn hosts on that box
18:49 < rasengan> Hi, I have 1 IP and would like to share internet access through the 1 IP w/ several friends using OpenVPN.  Is this possible using routed OpenVPN?
18:49 < barfster> rasengan: the 1 IP? meaning your 1 WAN/legal IP? or 1 LAN IP?
18:50 < rasengan> 1 WAN /  legal IP
18:50 < barfster> Sounds like what I have started krphop about, I am just one though...
18:51 < rasengan> Is there a good tutorial online that you may know of?
18:51 < rasengan> o.o;
18:51 < krphop> yeah - http://www.openvpn.net/index.php/open-source/documentation/howto.html
18:51 < krphop> :-)
18:51 <+vpnHelper> Title: HOWTO (at www.openvpn.net)
18:52 < krphop> barfster: does that make sense?
18:53 < barfster> krphop: Well, what I am missing here is what I have to configure, I assume I have to configure a tunx?
18:53 < barfster> and this has to be a new subnet?
18:53 < krphop> there will be a subnet of openvpn addresses available on your openvpn server
18:53 < krphop> but only your openvpn server and clients will know about them
18:54 < krphop> the openvpn server will essentially be a router, doing nat back to your network
18:54 < barfster> So is that a part of configuring openVPN?
18:54 < krphop> yes
18:54 < barfster> This is probably the part I need explained
18:55 < barfster> Do I need three subnets? LAN at home, WAN at home, and a transport network for VPN?
18:55 < krphop> define 'need'
18:55 < barfster> To get it working
18:56 < krphop> you're not going to be doing anythign with these 'subnets' on anythign but the openvpn server
18:56 < krphop> nothing else will know about it
18:56 < krphop> so its not like you need to 'setup' a subnet on anything
18:56 < barfster> But OpenVPN will have to know about it?
18:57 < krphop> yeah, you'll say in the openvpn config a line that will say, 'hey openvpn clients, when you connect to me, you're going to get a XXX.XXX.XXX.XXX address mkay?'
18:57 < barfster> routed VPN?
18:57 < krphop> it will essentially be a dhcp server
18:57 < rasengan> krphop: yeahhh - how do i do that lol - like i want ppl to get a 'local' ip from my vpn serv when they connect over Wan
18:57 < rasengan> krhpop: yeahh - how do you do that :D
18:58 < krphop> thats what openvpn will do.
18:59 -!- JodaZ [~JodaZ@ns302312.ovh.net] has joined ##openvpn
18:59 < barfster> I am here: http://www.openvpn.net/index.php/open-source/documentation/howto.html#examples is this: server 10.8.0.0 255.255.255.0 the "dhcp" network in our discussion? That will essentially be used as the transport network for VPN?
18:59 <+vpnHelper> Title: HOWTO (at www.openvpn.net)
18:59 < krphop> barfster: correct
19:00 < barfster> And that could be whatever?
19:00 < krphop> given there's no other routing conflicts, yes
19:00 < barfster> And is only used by the participating nodes?
19:00 < krphop> right
19:00 < barfster> 10.10.12.0/24 in my case then
19:01 < krphop> but say you're on a 192.168.0.0/24 on your mac, and you have that same subnet setup on your openvpn server, shit will break once you connect
19:01 < krphop> make sense?
19:01 < barfster> Ahh
19:01 < barfster> I see the potential conflict
19:01 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
19:01 < barfster> But can I pick 1.1.1.1/24 as OpenVPN network?
19:02 < barfster> or 1.0.0.0/24?
19:02 < barfster> Or does it have to be those nonroutable subnets?
19:02 < krphop> that may be against RFC 1918, but i assume you 'could'
19:03 < krphop> but really, you can just use some obscure private subnet
19:03 < krphop> like, 192.168.254.0 or something
19:03 < barfster> Does it have to be these? 10.0.0.0	10.255.255.255	(10/8 prefix) 172.16.0.0	172.31.255.255	(172.16/12 prefix) 192.168.0.0	192.168.255.255	(192.168/16 prefix)
19:03 < krphop> and really, if it becomes a conflict, just log into your openvpn server, change the subnet, and restart
19:03 < krphop> barfster: why?
19:04 < barfster> I’ll try 1.0.0.0/24 then
19:04 < krphop> why not just use a private subnet?
19:04 < rasengan> krphop: Is this tutorial good? http://www.ventanazul.com/webzine/articles/openvpn-ubuntu-and-hulu
19:04 <+vpnHelper> Title: Install OpenVPN on Ubuntu, Hulu Outside the US and Network Security | Ventanazul (at www.ventanazul.com)
19:04 < krphop> rasengan: i have no idea
19:05 < barfster> rasengan: Try this one: http://www.openvpn.net/index.php/open-source/documentation/howto.html#examples all the literature makes me crazy, however I see there is an example
19:05 <+vpnHelper> Title: HOWTO (at www.openvpn.net)
19:08 < barfster> krphop: ;push "route 192.168.10.0 255.255.255.0" Which IP addresses are these?
19:08 < barfster> LAN?
19:08 < barfster> LAN at home?
19:09 < krphop> well if you want to access the other hosts on your network from your VPN, yes, your at home LAN
19:09 < krphop> so in your case 10.10.12.0/24
19:10 < barfster> push "route 10.10.11.0 255.255.255.0"
19:10 < barfster> ?
19:10 < barfster> my LAN is 10.10.11.0/24
19:10 < barfster> I picked 10.100.78.0/24 for transport
19:10 < krphop> yeah, that should work then
19:11 < krphop> that will tell your openvpn client that anything on 10.10.11.0/24 is also available from your VPN
19:11 < barfster> Nice
19:11 < barfster> Do I need to set up more to get it running?
19:11 < krphop> keys
19:11 < krphop> port forwards
19:12 < barfster> port forwards?
19:12 < barfster> from router to 10.10.11.4:1194?
19:12 < krphop> sure, how are you giong to get to your openvpn server from the internet?
19:15 < krphop> and do you have ip tables setup on your openvpn server?
19:15 -!- Mark22 [~mark@unaffiliated/mark21] has left ##openvpn []
19:16 < krphop> if so, that will take some tweaking
19:16 -!- barfster [~barf@74.7.197.50] has quit [Read error: Connection reset by peer]
19:16 -!- barfster [~barf@74.7.197.50] has joined ##openvpn
19:18 < barfster> krphop: I am used to iptables and ssh
19:18 < barfster> I will try to replace ssh tunnelling with openvpn
19:23 < barfster> 1194 is OK?
19:23 < barfster> Or should I pick a ridonkulus port?
19:24 < barfster> !welcome
19:24 <+vpnHelper> barfster: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:26 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
19:31 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
19:40 < takamichi> Does anyone know why my windows client is thinking it should receive a .252 netmask instead of the one configured on the server
19:44 -!- barfster [~barf@74.7.197.50] has quit [Quit: Get MacIrssi - http://www.sysctl.co.uk/projects/macirssi/]
19:52 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
20:08 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
20:14 < Bogus8> Ok... so I have server set up (TAP) and client set up... I get connected and the server hands me an IP on my client but I can't seem to ping either direction
20:32 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
20:43 -!- takamichi [~pri@78.133.14.166] has quit [Ping timeout: 258 seconds]
20:43 -!- takamichi [~pri@76.73.39.170] has joined ##openvpn
20:45 -!- takamichi [~pri@76.73.39.170] has quit [Read error: Connection reset by peer]
20:47 -!- takamichi [~pri@83.170.104.47] has joined ##openvpn
20:52 -!- takamichi [~pri@83.170.104.47] has quit [Ping timeout: 240 seconds]
20:53 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
20:55 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Client Quit]
20:59 -!- takamichi [~pri@76.73.39.170] has joined ##openvpn
21:40 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
21:41 < Bogus8> still here if anyone was afk.
22:30 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 252 seconds]
22:32 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
22:46 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 276 seconds]
22:48 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
22:54 -!- takamichi [~pri@76.73.39.170] has quit [Read error: No route to host]
22:54 < Bogus8> should I have an adapter showing up on the server when I type ifconfig?
22:54 -!- takamichi [~pri@76.73.39.170] has joined ##openvpn
22:56 < Bogus8> hmm, ifconfig -a shows tap0 but ifup tap0 says ignoring unkown interface
23:13 -!- Bogus8 [~Nunya@ip68-226-131-28.lf.br.cox.net] has quit [Ping timeout: 248 seconds]
23:16 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
23:26 -!- Bogus8 [~Nunya@ip68-226-131-28.lf.br.cox.net] has joined ##openvpn
23:59 < jpalmer> takamichi: ping?
--- Day changed Wed Aug 11 2010
00:00 < jpalmer> !topology
00:00 <+vpnHelper> jpalmer: "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
00:00 < jpalmer> !/30
00:00 <+vpnHelper> jpalmer: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
00:10 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
00:14 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
00:35 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
00:35 -!- mode/##openvpn [+o mattock] by ChanServ
00:36 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 258 seconds]
00:48 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
01:11 -!- abeehc- [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 264 seconds]
01:13 -!- abeehc- [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
01:15 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:22 -!- Ruby[Fan] [c2673f9a@gateway/web/freenode/ip.194.103.63.154] has joined ##openvpn
01:41 -!- protien [~pro@ppp118-210-196-25.lns20.adl6.internode.on.net] has joined ##openvpn
01:44 < Ruby[Fan]> I am woundering if anyone here could tell me what it might be I am looking for... I woundering how to connect a VPS server via either a tunnel or a bridge (don't know what I need here) to my home network. So it is possible to mount a NFS share on my home network on the VPS server. What would be the best solution for this?
01:49 < Bushmills> depends on the virtualisation technology you're using. generally, vps has an own ip address, and can run openvpn without regard to the host. 
01:51 -!- tjz_ [~pc@bb116-14-173-172.singnet.com.sg] has joined ##openvpn
01:52 < Ruby[Fan]> Yes, I belive it should be possible... But I need to do the setup between these machines. But unsure of what way to go
01:53 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 240 seconds]
01:58 < Bushmills> all traffic to ip addr of vps should be routed to vps anyway, therefore no need to do some extra setup for openvpn. make sure though that host doesn't firewall openvpn
01:58 < Bushmills> once the client can connect to server successfully, host has no more say about tunneled traffic
02:04 < Ruby[Fan]> should the host be in my home network or are we talking about the vps as a host?
02:05 < Ruby[Fan]> Because I thought that the vps server should be client but I am unsure of this
02:10 < Bushmills> doesn't really matter
02:10 < Bushmills> home machine as client may make more sense
02:12 < Bushmills> server is probably turned on all the time, and as client it would need to be setup such that it retries reconnect to server infinitely when home machine is off. also, vps as server is static ip address, not sure if home connection is static too.
02:32 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:34 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
02:41 < ksk> hello again :>
02:42 < ksk> i have some problem with openvpn/win/routes
02:42 < ksk> i get some routes pushed - on linux(debian) everything works fine
02:42 < ksk> but on win i cannot even ping my gateway
02:42 < ksk> tracert $gateway-ip goes through my ISP - not the VPN
02:42 < ksk> any idea whats wrong?
02:45 < Bushmills> !winroute
02:45 <+vpnHelper> Bushmills: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
02:46 < Bushmills> "any idea whats wrong?" seems to be windows
02:48 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
02:54 < ksk> ye, what else? ;P
02:54 < ksk> i have the routes added
02:54 < ksk> (i used the exe method)
02:54 < ksk> "route PRINT" shows them
02:54 < ksk> they are pusheb by the server and work on linux clients..
02:54 < ksk> *pushed
02:55 < Bushmills> delay. admin.
02:55 < ksk> and im afraid i have no idea why it does not work on win
02:55 < ksk> i do :>
02:56 < Bushmills> route added? but not used? can't imagine
02:56 < ksk> im afraid im at work right now, ill create some pastebin later - maybe some of u can tell me about it
02:57 < ksk> thanks for your time so far, Bushmills 
02:58 < Bushmills> what is "gateway-ip"?  the address in the vpn subnet, or the ethernet interface address of vpn machine?
03:00 < ksk> gateway is the gateway in the vpn subnet
03:01 < ksk> and "schnittstelle" ( i guess its interface ) is my vpn ip
03:02 < Bushmills> so you can't ping your openvpn server? as you're supposedly using unroutable rfc1918 addresses for your vpn subnet
03:02 < Bushmills> s/unroutable/unrouted/
03:03 < ksk> i can ping the external ip address of my openvpn server
03:03 < ksk> i think pasting "route print" this evening might be a better idea - as i can hardly remember what it "said" yesterday
03:03 < Bushmills> you can do that even with openvpn not running at all
03:05 < ksk> yes, ofc.
03:35 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
03:36 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
03:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:42 -!- dazo_afk is now known as dazo
03:44 -!- Raccoon` [bismuth@unaffiliated/raccoon] has joined ##openvpn
03:46 -!- Raccoon- [bismuth@unaffiliated/raccoon] has quit [Ping timeout: 245 seconds]
03:58 -!- takamichi [~pri@76.73.39.170] has quit [Ping timeout: 252 seconds]
04:00 -!- takamichi [~pri@78.133.14.166] has joined ##openvpn
04:10 < Ruby[Fan]> Bushmills: Thanks for taking your time to assist me earlier today, I had to run before so I could't thank you befor. But I see your point in havingt he server beeing the vpn server and not the client, very good point indeed! Thank you once again!
04:49 -!- roentgen_ [~hart@miranda/user/roentgen] has joined ##openvpn
04:51 < snL20> do anyone have a client.conf they could share that would work with vyprvpn ?
04:52 < snL20> hmmm
04:52 < snL20> !welcome
04:52 <+vpnHelper> snL20: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:54 < snL20> the 192.168.0.0/24 is that for the server or the client.. cause I am using 192.168.0.0/24 on my lan connecting a pc on it via openvpn to vyprvpn.. it seems to fail at AUTH though...
04:55 < snL20> !howto
04:55 <+vpnHelper> snL20: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
05:05 < Bushmills> !factoids search confgen
05:05 <+vpnHelper> Bushmills: "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/
05:06 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
05:06 < Bushmills>  /24  is a subnet. probably for both client and server
05:07 < Bushmills> but 192.168.0.0/24 is not a good choice for the openvpn subnet
05:08 < Bushmills> ah, as !welcome told you already
05:09 < takamichi> Hi, whats permissions should I apply to the key files - .crt and .key on the server? After openvpn drops to user nobdy, does it need to be able to read them? 
05:10 < takamichi> @jpalmer - Thank you for your help earlier about the netmask issue. sorted.
05:18 < snL20> Bushmills: well i'm just trying to connect using client mode... I havent set 192.168.0.0/24 for the subnet I just use it locally on eth0
05:19 < snL20> Bushmills: I mean its not set in the client.conf for tap0
05:19 < Bushmills> increase log verbosity, then consult your logs why connection fails
05:19 < Bushmills> !tunortap
05:19 <+vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
05:19 <+vpnHelper> Bushmills: against you over the vpn, or (#4) lan gaming? use tap!
05:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:21 < snL20> Bushmills: sorry I mean tun0 :)
05:21 < snL20> Bushmills: it seems to fail on AUTH so maybe I'll try again after changing the pass of the service provider
05:22 < Bushmills> you don't specify tun address on client, but leave it to the server to give client an ip address
05:22 < snL20> Bushmills: ttyl :)
05:22 -!- takamichi [~pri@78.133.14.166] has quit [Ping timeout: 265 seconds]
05:23 -!- takamichi [~pri@194.126.175.218] has joined ##openvpn
05:23 < snL20> Bushmills: right it looks like its failing on auth
05:27 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
05:28 < krzee> !factoids
05:28 <+vpnHelper> krzee: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
05:30 < krzee> !kiss
05:30 <+vpnHelper> krzee: "kiss" is Keep It Simple Stupid
05:32 -!- takamichi [~pri@194.126.175.218] has quit [Ping timeout: 276 seconds]
05:32 -!- takamichi [~pri@194.126.175.218] has joined ##openvpn
05:34 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:39 -!- SOG [~SOG@61.144.230.241] has quit [Quit: SOG]
05:47 -!- krzee [nobody@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
05:48 -!- takamichi [~pri@194.126.175.218] has quit [Ping timeout: 240 seconds]
05:48 -!- takamichi [~pri@76.73.39.170] has joined ##openvpn
05:52 -!- Ruby[Fan] [c2673f9a@gateway/web/freenode/ip.194.103.63.154] has quit [Quit: Page closed]
06:02 -!- takamichi [~pri@76.73.39.170] has quit [Ping timeout: 248 seconds]
06:03 -!- takamichi [~pri@76.73.39.170] has joined ##openvpn
06:04 -!- Ruby[Fan] [c2673f9a@gateway/web/freenode/ip.194.103.63.154] has joined ##openvpn
06:08 -!- takamichi [~pri@76.73.39.170] has quit [Ping timeout: 240 seconds]
06:09 -!- takamichi [~pri@78.133.14.166] has joined ##openvpn
06:16 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
06:20 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
06:21 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
07:13 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
07:15 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:29 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
07:40 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has joined ##openvpn
07:49 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
08:04 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
08:34 -!- killown [~killown@189.110.242.22] has joined ##openvpn
08:34 -!- killown [~killown@189.110.242.22] has quit [Changing host]
08:34 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
08:35 -!- tjz_ [~pc@bb116-14-173-172.singnet.com.sg] has quit [Ping timeout: 245 seconds]
08:36 -!- tjz [~pc@bb116-14-173-172.singnet.com.sg] has joined ##openvpn
08:36 -!- tjz [~pc@bb116-14-173-172.singnet.com.sg] has quit [Changing host]
08:36 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
08:59 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
08:59 -!- protien [~pro@ppp118-210-196-25.lns20.adl6.internode.on.net] has quit [Ping timeout: 260 seconds]
09:04 -!- SOG_ [~SOG@222.125.202.173] has joined ##openvpn
09:07 -!- SOG [~SOG@222.125.202.173] has quit [Ping timeout: 248 seconds]
09:07 -!- SOG_ is now known as SOG
09:33 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:38 < snL20> anyone around ?
09:41 < snL20> anyone know why this wont work http://pastie.org/1086102 ?
09:43 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:45 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
09:45 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
09:54 <@dazo> snL20: Wed Aug 11 16:38:11 2010 AUTH: Received AUTH_FAILED control message ... the server rejected the connection due to auth failure
09:54  * dazo hides again
10:00 < snL20> dazo: so it didnt accept my username password combo ?
10:00 <@dazo> snL20: yeah
10:01 < snL20> dazo: ok.. so the firewall is letting it through.. I use a net4501 that i've set up myself with linux and iptables...
10:02 <@dazo> yeah, you have communication with the openvpn server ... and the server responds with AUTH_FAILED
10:03 < snL20> dazo: ok.. thanks for the help.. I'll yell at my provider :D
10:05 <@dazo> no prob!
10:11 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
10:41 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
10:48 -!- Raccoon` [bismuth@unaffiliated/raccoon] has quit [Ping timeout: 240 seconds]
10:50 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
10:55 -!- Raccoon` [bismuth@71-222-218-177.albq.qwest.net] has joined ##openvpn
11:07 -!- SOG [~SOG@222.125.202.173] has quit [Read error: Connection timed out]
11:08 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
11:18 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
11:42 -!- takamichi [~pri@78.133.14.166] has quit []
11:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:59 -!- Raccoon` [bismuth@71-222-218-177.albq.qwest.net] has quit [Ping timeout: 276 seconds]
12:17 -!- roentgen_ [~hart@miranda/user/roentgen] has quit [Ping timeout: 276 seconds]
12:25 -!- Raccoon` [bismuth@71-222-218-177.albq.qwest.net] has joined ##openvpn
12:43 -!- roentgen_ [~hart@miranda/user/roentgen] has joined ##openvpn
13:21 -!- takamichi [~pri@78.133.14.166] has joined ##openvpn
13:48 -!- dazo is now known as dazo_afk
13:52 -!- barfster [~barf@74.7.197.50] has joined ##openvpn
13:52 < barfster> Where can I put the server.conf?
13:53 < barfster> $ ls -lAh /etc/openvpn/
13:53 < barfster> -rwxr-xr-x 1 root root 1.4K Jan 26  2010 update-resolv-conf
13:55 < barfster> I copied this one: http://openvpn.net/index.php/open-source/documentation/howto.html#examples and edited it in my home directory
13:55 < barfster> But where should I put it now?
13:55 <+vpnHelper> Title: HOWTO (at openvpn.net)
13:56 < hyper_ch> barfster: linux?
13:56 < barfster> ubuntu
13:56 < hyper_ch> is that linux?
13:56 < barfster> yes
13:56 < hyper_ch> :)
13:56 < hyper_ch> ->  /etc/openvpn/server.conf
14:01 < barfster> Where will this file be?
14:01 < barfster> openvpn-status.log
14:01 < barfster> /var/log folder?
14:01 < hyper_ch> it will be where you tell it to be
14:02 < hyper_ch> and if you don't specify anything I think it'll be in the /etc/openvpn folder
14:06 < barfster> That’s right
14:06 < barfster> I made /var/log/openvpn/
14:07 -!- JackCorleone [~Jack@201-92-44-12.dsl.telesp.net.br] has quit [Quit: retry :)]
14:13 < barfster> How can I build all the keys?
14:18 < hyper_ch> !howto
14:18 <+vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:18 < hyper_ch> there's a key section there with easy-rsa
14:24 < barfster> I have a folder full of keys now
14:28 < straterra> I have a tunnel for users..but for some reason, openvpn made this tunnel a point to point tunnel
14:28 < straterra> inet 10.10.200.1 peer 10.10.200.2/32 scope global tun1
14:28 < kisom> straterra: try tap instead of tun :)
14:29 < straterra> Is there any way to just have 10.10.200.0/24 on this tunnel? It's jacking up ospf
14:29 < straterra> Tap, eh
14:29 < kisom> yes, tap will do layer 2 while tun is layer 3
14:30 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:30 < barfster> I have a folder full of keys
14:30 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
14:30 < barfster> Where should I put the keys folder?
14:31 < barfster> OR should I put the files in the keys folder in several places?
14:32 < kisom> barfster: depends on what type of keys.
14:35 < barfster> all of them
14:35 < ecrist> the server doesn't need access to client keys/certs
14:35 < ecrist> just the signing CA certificate, and it's own cert/key pair
14:36 -!- JackCorleone [~root@201-92-44-12.dsl.telesp.net.br] has joined ##openvpn
14:37 < barfster> http://openvpn.net/index.php/open-source/documentation/howto.html#pki The table: Key files
14:37 <+vpnHelper> Title: HOWTO (at openvpn.net)
14:37 < barfster> ecrist: is there a best practice? Should i do mv keys /etc/openvpn/
14:37 < barfster> ?
14:39 < barfster> pwd
14:39 < barfster> /usr/share/doc/openvpn/examples/easy-rsa/2.0
14:41 < barfster> My sentence is regarding this statement in the howto: The final step in the key generation process is to copy all files to the machines which need them, taking care to copy secret files over a secure channel.
14:41 < ecrist> well, best practice is to generate/store keys on a system that's unplugged from any network
14:41 < barfster> Not which machines needs them, but which folders
14:42 < ecrist> put them anywhere, send client certs/keys to the clients, etc
14:42 < barfster> Well I think server.conf has to point to these files somehow
14:42 < ecrist> it only points to the ca, and the server's own certificate/key
14:42 < barfster> Is /etc/openvpn a good spot for ca.key?
14:42 < ecrist> sure
14:43 < barfster> So which key files should go in /etc/openvpn?
14:43 < ecrist> the ca, and the certicate and key for the openvpn server
14:44 < ecrist> how many times do i have to say that
14:44 < barfster> ca.crt an ca.key?
14:45 < barfster> What to do with 01.pem 02.pem 03.pem and dh1024.pem?
14:45 < ecrist> dh1024 needs to go in, as well
14:45 < kisom> the 3 pem files should be on clients
14:45 < barfster> The folder looks like this: http://paste.pocoo.org/show/249021/
14:45 < ecrist> 01.epm, etc go to the clients
14:45 < barfster> I only made 2 clients
14:47 < barfster> Update: http://paste.pocoo.org/show/249022/
14:48 < kisom> OK
14:48 < kisom> the server needs server.crt, server.key, dh1024.pem
14:48 < kisom> clients need client.crt and client.key
14:48 < kisom> and the CA cert
14:49 < kisom> (the server needs the CA cert too)
14:49 < kisom> in fact, there is no where you do not need the CA cert, so use it everywhere
14:49 < barfster> ca for everyone?
14:49 -!- trefn [~tim@c-98-248-40-254.hsd1.ca.comcast.net] has joined ##openvpn
14:49 < barfster> what about serial?
14:49 < trefn> hey, i'm confused about revoking access to the vpn
14:49 < kisom> yes, but ONLY the certificate, not the CA key, that would be very bad
14:49 < barfster> and index.txt?
14:50 < kisom> serials you can skip, as well as index.txt
14:50 < kisom> those are only for easy-rsas internal workings, i think
14:50 < trefn> the howto says only the client needs client.crt, but ./revoke-full seems to require the .crt
14:50 < barfster> So those are caches? or temp stuff?
14:50 < ecrist> they're needs for openssl, in general
14:50 < kisom> i haven't really tried easy-rsa that much, only used it once :)
14:50 < ecrist> the revoke needs the certificate in-hand in order to revoke it
14:51 < ecrist> I hated it and wrote ssl-admin
14:51 < kisom> heh, i wrote my own software too
14:51 < trefn> ecrist: so if a crt gets deleted on teh server, but not on the client, it can never be revoked?
14:51 < ecrist> I think that's the case, yeah
14:52 < ecrist> been a while since I poked at it.
14:52 < trefn> that seems unfortunate
14:52 < kisom> well
14:52 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
14:52 < kisom> imo, you dony need to revoke certificates
14:52 < kisom> just use client config dir files
14:53 < kisom> that way you just delete the clients CN and voila, it's denied access
14:53 < barfster> Now it looks like something is working: http://paste.pocoo.org/show/249027/
14:53 < ecrist> a revokation is permanent, unless you lose the CRL
14:53 < kisom> yes, thats bad too, if you want to reactivate a certificate ;)
14:53 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
14:53 < barfster> I have not touched tun or tap
14:53 < barfster> But there is a tun0
14:53 < trefn> kisom: what do you suggest then, in the case of firing an employee for example
14:53 < barfster> with the linknet I made up
14:54 < trefn> kisom: should i use client config dirs?
14:54 < ecrist> i'm an advocate for revoking the certificate.
14:54 < kisom> trefn: remove his CCD file or use custom client connect scripts. first one is more simple.
14:54 < barfster> What do I have to do to test this now? I have done the iptables thing
14:54 < kisom> well either way is fine, personally i find it more simple to use CCD files.
14:55 < barfster> I would like to connect from a MacBook
14:55 < trefn> ecrist: I was deleting the crt on the server side, since the howto says *only* the client needs it
14:55 < barfster> What can I send to the client computer?
14:55 < ecrist> openvpn doesn't concern itself with certificate chain management
14:56 < barfster> I have these 3: client1.crt client1.csr client1.key
14:56 < barfster> Does the client need them all?
14:56 < trefn> barfster: you also need ca.crt
14:56 < barfster> Client needs: client1.crt client1.csr client1.key ca.crt?
14:56 < trefn> well not the csr but the other ones, yes
14:57 < barfster> Client needs: client1.crt client1.key ca.crt
14:57 < trefn> yes
14:58 < kisom> barfster: think hamachi may suit your needs? :)
14:58 < barfster> What is hamachi?
14:58 < kisom> zero-konf propetary VPN
14:58 < kisom> conf*
14:58 < barfster> Nah
14:59 < barfster> kisom: What would I do with that?
14:59 < barfster> When there is nothing to learn...
14:59 < kisom> well it does what openvpn does, exept openvpn is free and has no 256-user-limit
14:59 < barfster> zero-conf = retardation
15:00 < ecrist> also, openvpn requires he read the docs. 
15:02 < kisom> the openvpn docs are nice.
15:02 < barfster> I can not read that much
15:02 < kisom> spending a lot of time at work reading them
15:02 < kisom> just for the fun of it
15:02 < barfster> I think the docs include to much literature
15:02 < kisom> why not?
15:02 < kisom> takes less than one hour
15:03 < barfster> Haha
15:03 < barfster> Will take me 3 days
15:03 < barfster> I can read math formulas...
15:03 < barfster> But literature...
15:03 < kisom> but then at least you will know how openvpn works...
15:03 < barfster> gives me a headache
15:03 < ecrist> !server
15:03 <+vpnHelper> ecrist: Error: "server" is not a valid command.
15:03 < ecrist> barfster: you're giving me a headache
15:04 < barfster> Sorry
15:04 < barfster> It was not intentional
15:04 < ecrist> well, at least TRY to read the docs
15:04 < ecrist> !wiki
15:04 <+vpnHelper> ecrist: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
15:04 < ecrist> that might be easier for you, 
15:05 < barfster> I think I am through now
15:05 < barfster> I would also like to change the how to a bit
15:05 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
15:05 < barfster> Is it a wiki?
15:06 < barfster> I would like to add a column to the key files
15:06 < kisom> barfster: you could just buy some access-server licenses you know...
15:06 < kisom> if you dont have time to learn the software
15:07 < barfster> Time I have
15:07 < ecrist> the link above is a wiki, the 'official' howto is not
15:10 < barfster> I did something wrong
15:10 < barfster> I did not key in a general password
15:10 < barfster> I think VPN has a genereal password
15:10 < barfster> and a pr user password?
15:11 < barfster> also in the mac environment there is something called account
15:11 < barfster> is that client1 ?
15:14 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- It'll be on slashdot one day...]
15:15 < kisom> barfster: you seriously need to sit down and read the guides and documentation :)
15:15 < kisom> take AT LEAST 5 hours to try and set up your first network
15:15 < kisom> i spent 7 hours just trying to get it all to work
15:17 < barfster> I have spent like 45 hrs so far
15:17 < kisom> i have spent several hundreds of hours...
15:17 < kisom> but yes, you should be able to get it up and running in 45 hours
15:18 -!- adxp [~user@67-207-136-81.static.cloud-ips.com] has left ##openvpn ["ERC Version 5.2 (IRC client for Emacs)"]
15:23 < barfster> I think I am almost there now
15:23 < barfster> Just need to do some keychain stuff on my Mac
15:24 < barfster> I find this GUI stuff to be redonkulus
15:31 < barfster> It claims I have no certs of appropriate type...
15:36 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.8/20100722155716]]
15:41 < barfster> Anyone here using MacOS X Network interface to connect to OpenVPN?
15:43 < barfster> I have imported ca.crt and client1.crt into Keychain Access
15:43 < barfster> And both look OK
15:44 < barfster> But the system preferences Network VPN L2TP interface does not allow me to use those two files for authentication
15:46 < barfster> It tells me the following: http://paste.pocoo.org/show/249075/
15:48 < barfster> Ofcourse there is some Applecrippulation
15:49 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:53 < barfster> How can I convert my key files to pkcs12 format?
15:54 < ksk> hello
15:54 < ksk> i still have problems with openvpn/win7/routes
15:55 < ksk> i got some route like " 10.20.3.0    255.255.255.0   Auf Verbindung        10.20.3.29    286"
15:55 < barfster> or is that an openssl question?
15:55 < ksk> but if i tracert for example 10.20.3.1 it takes the wrong way (tough my ISP's routers)
15:55 < ksk> any idea whats wrong here?
15:57 < barfster> Perhaps Convert PEM to PFX is what I am looking for...
16:01 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
16:04 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
16:05 < barfster> openssl pkcs12 -export -out Client1VPNClient.pfx -inkey keys/client1.key -in keys/client1.crt -certfile ca.crt
16:06 -!- JackCorleone [~root@201-92-44-12.dsl.telesp.net.br] has quit [Quit: Saindo]
16:07 < barfster> Now it accepted the certificates
16:07 < barfster> From the Mac network interface
16:07 < barfster> as pfx
16:09 < barfster> It takes for ever and then tells me: The L2TP-VPN server did not respond.
16:11 < barfster> How can I verify if L2TP is running?
16:19 -!- scyld [~krajcong@unaffiliated/wasyl] has quit [Ping timeout: 264 seconds]
16:23 < barfster> Is there a way to test the connection from the command line?
16:24 < barfster> similar to telnet 10.0.0.12 5900
16:45 < barfster> Hmm... http://paste.pocoo.org/show/249099/
16:45 < barfster> That is the output of tunnelblick
16:50 -!- Netsplit *.net <-> *.split quits: RedShift, Rolybrau
16:51 -!- Netsplit over, joins: Rolybrau
16:52 < jpalmer> ecrist: ping?
17:00 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Read error: Connection reset by peer]
17:02 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:05 -!- RedShift [~glenn@apollo.webmind.be] has joined ##openvpn
17:06 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
17:07 -!- Netsplit *.net <-> *.split quits: RedShift
17:08 < kisom> barfster: You cannot test connectivity with telnet, unless you are awesomely good at writing a non-human readable protocol
17:08 < kisom> Anyways, time to sleep. night everyone.
17:11 -!- Netsplit over, joins: RedShift
17:23 < barfster> kisom: obviously there would be an equivilent tool... openssl?
17:24 -!- barfster [~barf@74.7.197.50] has quit [Quit: Get MacIrssi - http://www.sysctl.co.uk/projects/macirssi/]
17:27 -!- barfster [~barf@74.7.197.50] has joined ##openvpn
17:28 < barfster> Is there a way I can run OpenVPN bidirectionally?
17:28 < barfster> meaning that the client get access to the server like normal, and the server get access to the client?
17:29 < barfster> This is between me and a friend’s house
17:29 < barfster> we both have 40/40 Viken Energy line
17:30 < ecrist> jpalmer: pong
17:30 < jpalmer> ecrist: can I message?
17:30 < ecrist> sure, any time
18:03 < blackpenguin> barfster: once you have established the connection it's just a network connection, there is no specific direction. I mean... if the "client" offers services on the VPN ip, of course the server can connect to these 
18:04 < barfster> So it’s a tunnel after it’s open?
18:05 < barfster> So I can see his files
18:05 < barfster> and he mine?
18:05 < barfster> Do I have to turn on some sort of broadcast?
18:05 < barfster> For bonjour to work?
18:06 < barfster> I would like to link his 10.10.11.0/24 to my 10.10.12.0/24 using transport network 10.0.0.0/24
18:06 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
18:10 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
19:09 -!- barfster [~barf@74.7.197.50] has quit [Ping timeout: 252 seconds]
19:11 -!- barfster [~barf@74.7.197.50] has joined ##openvpn
19:16 -!- barfster [~barf@74.7.197.50] has quit [Read error: Connection reset by peer]
19:37 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
19:40 -!- snL20 [~irssi@194.81-166-79.customer.lyse.net] has quit [Ping timeout: 240 seconds]
19:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
19:50 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
19:53 -!- snL20 [~irssi@194.81-166-79.customer.lyse.net] has joined ##openvpn
20:06 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
20:06 -!- Raccoon` is now known as raccoon
20:07 -!- raccoon is now known as Raccoon
20:07 -!- Raccoon [bismuth@71-222-218-177.albq.qwest.net] has quit [Changing host]
20:07 -!- Raccoon [bismuth@unaffiliated/raccoon] has joined ##openvpn
20:21 -!- roentgen_ [~hart@miranda/user/roentgen] has quit [Ping timeout: 265 seconds]
20:27 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
20:40 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
21:05 < tjz> Hello
21:05 < tjz> I have a question
21:05 < tjz> is it possible to restrict users from accessing certain sites within the openvpn tunnel?
21:49 -!- barfster [~barf@75-148-144-153-Houston.hfc.comcastbusiness.net] has joined ##openvpn
22:01 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
22:13 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
22:16 < ecrist> tjz: only with a firewall, or with routes you push
22:16 < ecrist> you can opt to not push routes to a given client, or specify extra routes to a given client, but there's nothing stopping them from adding it manually and gaining access.
22:17 < ecrist> the only good way is to use a firewall
22:23 < tjz> hey ecrist
22:23 < tjz> :D
22:23 < tjz> hmm
22:23 < ecrist> :)
22:23 < tjz> any firewall for linux platform?
22:23 < tjz> hmm
22:23 < tjz> do you mean iptables?
22:23 < tjz> :D :D
22:23 < ecrist> iptables/chains
22:23 < tjz> ok
22:23 < tjz> :D
22:23 < ecrist> I know nothing of how to use them, so switch to freebsd
22:31 < tjz> lol~~
22:31 < tjz> i am a freebsd noob
22:31 < tjz> serious
22:31 < tjz> been on centos/redhat OS for all these while
22:31 < tjz> lol
22:56 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
23:02 -!- barfster [~barf@75-148-144-153-Houston.hfc.comcastbusiness.net] has quit [Quit: Computer has gone to sleep]
23:02 -!- barfster [~barf@75-148-144-153-Houston.hfc.comcastbusiness.net] has joined ##openvpn
23:16 -!- barfster [~barf@75-148-144-153-Houston.hfc.comcastbusiness.net] has quit [Quit: Computer has gone to sleep]
23:25 -!- SOG [~SOG@61.144.230.241] has quit [Quit: SOG]
23:47 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
--- Day changed Thu Aug 12 2010
00:31 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
00:34 -!- eN_Joy [~eN_Joy@jindan.chem.ou.edu] has joined ##openvpn
00:38 < eN_Joy> newbie seems to close to finish but one question please: the server is connected to the internet on eth1 with ip 10.254.219.15, what do i put in the push "route x.x.x.x 255.255.255.0" line so that my openvpn client could connect to the internet? thanks
00:39 -!- roentgen_ [~hart@miranda/user/roentgen] has joined ##openvpn
00:41 < Bushmills> 10.x.x.x are rfc1918 addresses, not routed over internet
00:42 < eN_Joy> it's behind a fw, but can reach internet
00:42 < blackpenguin> if I understood him right 10.254.219.15 is the server side VPN IP, and he wants his client to connect to the internet using this IP as gateway.
00:42 < eN_Joy> blackpenguin: exactly
00:43 < eN_Joy> now my windows client gets 10.8.0.6 vpn ip, but says now internet access
00:43 < Bushmills> "connected to the internet on eth1 with ip 10.254.219.1"
00:44 < eN_Joy> Bushmills: i may have phrased wrong;-)
00:44 < Bushmills> client won't have internet automatically, just by connecting to vpn server
00:44 < Bushmills> !redirect
00:44 <+vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
00:45 < blackpenguin> that's why he asks what to put in client's config
00:46 < eN_Joy> thanks, obviously i am not even close;-) anyway the purpose eventually to tweak tmobile prepaid...
00:53 < eN_Joy> did these two lines to no avail yet: push "redirect-gateway def1" and iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
01:02 -!- Raccoon` [bismuth@71-222-232-136.albq.qwest.net] has joined ##openvpn
01:04 -!- Raccoon [bismuth@unaffiliated/raccoon] has quit [Ping timeout: 265 seconds]
01:04 -!- Raccoon` is now known as Raccoon
01:08 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:08 -!- mode/##openvpn [+o mattock] by ChanServ
01:38 -!- dazo_afk is now known as dazo
01:51 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
01:57 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
01:58 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
02:03 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:03 -!- mode/##openvpn [+o mattock] by ChanServ
02:03 < eN_Joy> !nat
02:03 <+vpnHelper> eN_Joy: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
02:32 -!- protien [~pro@ppp118-210-196-25.lns20.adl6.internode.on.net] has joined ##openvpn
02:39 < Bushmills> !ipforward
02:39 <+vpnHelper> Bushmills: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
02:40 < Bushmills> eN_Joy: you didn't say you did that too
02:56 -!- trefn [~tim@c-98-248-40-254.hsd1.ca.comcast.net] has quit [Quit: trefn]
03:11 < ksk> hello / morning folks
03:12 < ksk> might it be a problem, that win7 says the openvpn adapter is a "unidentified network"?
03:17 < reiffert> /channel rename openvpn7
03:35 -!- Gud_ is now known as Gud
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:41 < ksk> how do i use certs using the latest openvpn-client version??
03:41 < ksk> this GUI just asks me for user/pass
03:49 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
03:50 -!- MetalWolf [~barry@92.236.100.252] has joined ##openvpn
03:53 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Ping timeout: 276 seconds]
03:55 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
04:01 <@dazo> ksk: I presume you're using the OpenVPN Access Server Client .... that's not supported here, you need to download the community version 
04:01 <@dazo> !as
04:01 <+vpnHelper> dazo: "as" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
04:01 <+vpnHelper> dazo: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
04:03 < ksk> ah okay, thanks!
04:28 < kisom> i've started to enjoy working as a programmer...
04:29 < kisom> thought it would be boring as hell
04:31 < Bushmills> i just notice that among the questions for linux certification by the LPI are also openvpn questions.  example: http://scarydevilmonastery.net/snap/1281605401677305510d.png
04:45 -!- takamichi [~pri@78.133.14.166] has quit [Ping timeout: 264 seconds]
04:45 -!- takamichi [~pri@c7-97-123.keyworld.net] has joined ##openvpn
04:49 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
04:51 < ksk> cool :)
04:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:58 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:12 -!- protien [~pro@ppp118-210-196-25.lns20.adl6.internode.on.net] has quit [Read error: Connection reset by peer]
05:20 -!- Haraken [ryuk@unaffiliated/haraken] has quit [Remote host closed the connection]
05:49 -!- SOG [~SOG@61.144.230.241] has quit [Ping timeout: 245 seconds]
05:51 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:04 -!- barfster [~barf@12.53.212.74] has joined ##openvpn
06:29 -!- barfster [~barf@12.53.212.74] has quit [Quit: Computer has gone to sleep]
06:47 -!- barfster [~barf@75-148-144-125-Houston.hfc.comcastbusiness.net] has joined ##openvpn
06:51 -!- barfster [~barf@75-148-144-125-Houston.hfc.comcastbusiness.net] has quit [Client Quit]
07:05 -!- JackCorleone [~root@201-92-44-12.dsl.telesp.net.br] has joined ##openvpn
07:06 -!- barfster [~barf@75-148-144-153-Houston.hfc.comcastbusiness.net] has joined ##openvpn
07:15 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 240 seconds]
07:20 -!- barfster [~barf@75-148-144-153-Houston.hfc.comcastbusiness.net] has quit [Quit: Computer has gone to sleep]
07:21 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
07:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
07:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:52 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
08:05 -!- th1 [~th@cpc1-cmbg15-2-0-cust361.5-4.cable.virginmedia.com] has quit [Ping timeout: 258 seconds]
08:11 -!- ksk [~ksk@im.knubz.de] has quit [Remote host closed the connection]
08:14 -!- dougy [Douglas@ool-435033e6.dyn.optonline.net] has joined ##openvpn
08:14 < dougy> !forum
08:14 <+vpnHelper> dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
08:15 < dougy> ecrist tomorrows the day right
08:15 < ecrist> yes sir
08:17 < dougy> cool
08:17 < dougy> so
08:18 < dougy> ecrist i have a question for you
08:19 < ecrist> ok
08:20 < dougy> im looking at getting voip with 7960g cisco phones. i want 2 phones to just ring straight through when someone calls, id ont need the menu and press1 etc
08:20 < ecrist> ok
08:20 < dougy> 2 diff phone numbers (so 2 diff lines i guess)
08:21 < dougy> whats best way to do so
08:21 < dougy> you seem to know pbx's and stuff
08:21 < ecrist> setup a freeswitch box, get sip service from someone, and set those phones up on that freeswitch server
08:21 < dougy> i was expecting to hear that
08:21 < dougy> i know you like freeswitch - do you hate trixbox and * ?
08:22 < ecrist> at my $job, we have a freeswitch box that rings our support extenion group for 20 seconds, then offers a menu
08:22 < ecrist> it appears to our users that we answer the phone right away, then.
08:22 < ecrist> yet, if nobody answers, we can help the user get to who they want to speak with.
08:22 < ecrist> I only use freeswitch because it was recommended to me, and it's worked really well.
08:23 < ecrist> I've never used asterisk, so I have no real opinion there.
08:23 < dougy> ah
08:23 < dougy> dont you code for freeswitch
08:23 < ecrist> that being said, problems that have been reported with asterisk, I don't have with freeswitch.
08:23 < ecrist> no, I maintain some of the freebsd ports for freeswitch, though.
08:26  * dougy wonders if viatalk is good
08:26 < ecrist> ask in #freeswitch, they'd have good recommendations
08:26 < ecrist> we use a PRI at work, so I don't know about good sip providers
08:43 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
08:44 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
08:44 -!- barfster [~barf@74.7.197.50] has joined ##openvpn
08:44 < barfster> I just installed openvpn in ubuntu for client use
08:46 < dougy> !ubuntu
08:46 <+vpnHelper> dougy: "ubuntu" is dont use network manager!
08:51 < barfster> ?
08:51 < barfster> !debian
08:51 <+vpnHelper> barfster: Error: "debian" is not a valid command.
08:51 < barfster> !fedora
08:51 <+vpnHelper> barfster: Error: "fedora" is not a valid command.
08:52 < barfster> !mint
08:52 <+vpnHelper> barfster: Error: "mint" is not a valid command.
08:52 < barfster> !linuxmint
08:52 <+vpnHelper> barfster: Error: "linuxmint" is not a valid command.
08:53 < barfster> What does this: "On most systems, the VPN will not function unless you partially or fully disable the firewall for the TUN/TAP interface." mean?
08:53 <@dazo> where do you find that info?
08:53 < barfster> It might be a good observation, but it’s not very detailed
08:54 < barfster> In client.conf example
08:54 <@dazo> that's not entirely wrong ... but it's not the way to do it
08:54 < barfster> http://openvpn.net/index.php/open-source/documentation/howto.html#examples
08:54 <+vpnHelper> Title: HOWTO (at openvpn.net)
08:54 <@dazo> that's a rather poorly written sentence, but never mind ... it basically means
08:55 <@dazo> iptables -I FORWARD -i tun+ -o <internal interface> -j ACCEPT
08:55 <@dazo> iptables -I FORWARD -i <internal interface> -o tun+ -j ACCEPT
08:55 <@dazo> or something similar
08:56 <@dazo> this "disables" firwalling between your internal network and all tun devices ... if you use TAP, replace tun+ with tap+
08:57 < barfster> Are both lines for the server side?
09:03 < barfster> Or is that both directions of traffic on each firewall
09:10 -!- th1 [~th@cpc1-cmbg15-2-0-cust361.cmbg.cable.virginmedia.com] has joined ##openvpn
09:13 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
09:21 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 260 seconds]
09:52 -!- trefn [~tim@c-98-248-40-254.hsd1.ca.comcast.net] has joined ##openvpn
10:02 -!- roentgen_ [~hart@miranda/user/roentgen] has quit [Ping timeout: 246 seconds]
10:03 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
10:05 -!- th1 [~th@cpc1-cmbg15-2-0-cust361.cmbg.cable.virginmedia.com] has quit [Ping timeout: 260 seconds]
10:06 -!- th1 [~th@cpc1-cmbg15-2-0-cust361.cmbg.cable.virginmedia.com] has joined ##openvpn
10:14 -!- roentgen_ [~hart@miranda/user/roentgen] has joined ##openvpn
10:15 -!- SOG [~SOG@222.125.202.173] has quit [Quit: I will be back!]
10:15 -!- roentgen_ [~hart@miranda/user/roentgen] has quit [Remote host closed the connection]
10:16 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
10:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
10:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:35 -!- SOG_ [~SOG@222.125.202.173] has joined ##openvpn
10:38 -!- SOG [~SOG@222.125.202.173] has quit [Ping timeout: 276 seconds]
10:38 -!- SOG_ is now known as SOG
10:51 -!- dazo is now known as dazo_afk
11:05 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
11:10 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
11:14 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 276 seconds]
11:47 -!- eeble|work [~andy@wsip-70-169-162-125.dc.dc.cox.net] has joined ##openvpn
11:48 < eeble|work> Hi, I got my tap vpn working fine yesterday, but I want to tie it into my existing DHCP server (so I can do dynamic DNS stuff).  the problem is, if I just do what the faq says and add 'mode server' I get: Options error: --mode server requires --tls-server
11:49 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
11:59 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
12:01 -!- barfster [~barf@74.7.197.50] has quit [Quit: Get MacIrssi - http://www.sysctl.co.uk/projects/macirssi/]
12:03 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
12:04 -!- snL20 [~irssi@194.81-166-79.customer.lyse.net] has quit [Ping timeout: 276 seconds]
12:05 -!- JackCorleone [~root@201-92-44-12.dsl.telesp.net.br] has quit [Remote host closed the connection]
12:05 -!- snL20 [~irssi@194.81-166-79.customer.lyse.net] has joined ##openvpn
12:07 -!- xrx [~xrx@94.59.249.231] has joined ##openvpn
12:34 < eeble|work> nm, I figued it out...
12:35 < eeble|work> is it possible to have openvpn specify the MAC of the TAP interface?
12:35 < ecrist> no, but I generally have the OS configure the TAP device for such things before openvpn is figured in
12:49 -!- LowKey [rhel@unaffiliated/lowkey] has joined ##openvpn
12:49 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
12:50 < LowKey> hello, i having some problem when i try to use openvpn , i got some error on fedora , "Fri Aug 13 01:47:29 2010 Cannot allocate TUN/TAP dev dynamically" what i must do?
12:52 -!- dazo_afk is now known as dazo
13:03 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Quit: leaving]
13:09 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
13:16 -!- eeble|work [~andy@wsip-70-169-162-125.dc.dc.cox.net] has quit [Remote host closed the connection]
13:38 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
13:52 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Remote host closed the connection]
14:21 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
15:04 -!- SVD [SVD@93-97-41-44.zone5.bethere.co.uk] has joined ##openvpn
15:04 < SVD> HI
15:05 < SVD> anyone awake?
15:08 -!- dazo is now known as dazo_afk
15:10 < dougy> no
15:17 < hyper_ch> I'm sure somewhere in this almost endless universe there is a being that is awake
15:27 < Bushmills> not me
15:28 < Bushmills> but the question was incorrect. it should have been "anybody *else* awake?"
15:30 < SVD> loool
15:47 -!- barfster [~barf@74.7.197.50] has joined ##openvpn
15:47 < barfster> How does openvpn coexist with iptables?
15:55 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
15:59 < barfster> Is the clue for openvpn to reside on a linux router?
16:17 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
16:17 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
16:23 -!- xrx [~xrx@94.59.249.231] has quit [Quit: Leaving]
16:30 -!- meepmeep_ [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
16:31 -!- batrick_ [~batrick@batbytes.com] has joined ##openvpn
16:31 -!- jetole_ [~Joe@irc.fossl.net] has joined ##openvpn
16:31 -!- Niklas-_ [~niklas@217.116.253.195] has joined ##openvpn
16:32 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Would you like to know more?]
16:34 -!- Netsplit *.net <-> *.split quits: Niklas-, jetole, nb, batrick, meepmeep, RichiH, plaerzen
16:34 -!- Netsplit over, joins: RichiH, nb
16:35 -!- Netsplit *.net <-> *.split quits: nb, RichiH
16:35 -!- Netsplit over, joins: RichiH, nb
16:36 -!- Netsplit *.net <-> *.split quits: batrick_, RedShift, Nappy, Ruby[Fan]
16:36 -!- Netsplit *.net <-> *.split quits: reiffert, Niklas-_, abeehc-
16:37 -!- Netsplit *.net <-> *.split quits: Optic, killown, fahadsadah_, Raccoon, MadTBone, Fiouz, @openvpn2009, agagag, rasengan, UdontKnow,  (+25 more, use /NETSPLIT to show all of them)
16:38 -!- nb [~nb@fedora/GSWoT.Member.nb] has quit [Ping timeout: 240 seconds]
16:40 -!- hyper__ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
16:40 -!- plaerzen [~carpe@vip1.tundraeng.com] has joined ##openvpn
16:40 -!- Netsplit over, joins: Niklas-_, batrick_, meepmeep_, snL20, circut, [intra]lanman, Nappy, Raccoon, eN_Joy, Rolybrau (+7 more)
16:40 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined ##openvpn
16:40 -!- Netsplit over, joins: Chosi, reiffert, UdontKnow, straterra, rasengan, grishnav, fbh
16:40 -!- openvpn2009 [~admin@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
16:40 -!- Netsplit over, joins: Optic, raw_, Agin, Typone
16:40 -!- dazo_afk [~dazo@nat/redhat/x-qsbdlznwtfijydfx] has joined ##openvpn
16:40 -!- Netsplit over, joins: Saar, fahadsadah_, kloeri, MJD, Champi, oc80z, kajl
16:40 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
16:40 -!- Netsplit over, joins: laieman, Fiouz
16:40 -!- ServerMode/##openvpn [+oo openvpn2009 dazo_afk] by zelazny.freenode.net
16:40 -!- fahadsadah_ [fahad@unaffiliated/fahadsadah] has quit [Max SendQ exceeded]
16:41 -!- Netsplit *.net <-> *.split quits: fremo__, fr00d, cj, _zero_, n0sq_, RedT0mt0m
16:41 -!- Netsplit over, joins: fremo__, _zero_, RedT0mt0m
16:42 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Excess Flood]
16:42 -!- fr00d [~andi@unaffiliated/fr00d] has joined ##openvpn
16:42 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
16:42 -!- jpalmer [~jpalmer@208.51.3.136] has joined ##openvpn
16:42 -!- jpalmer [~jpalmer@208.51.3.136] has quit [Changing host]
16:42 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
16:43 -!- hyper__ch is now known as hyper_ch
16:45 -!- nb [~nb@fedora/GSWoT.Member.nb] has joined ##openvpn
16:45 -!- cj [~cjac@karma.colliertech.org] has joined ##openvpn
16:50 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
16:53 < barfster> Which logs to check when /etc/init.d/openvpn start returns: ...fail!
16:56 -!- th1 [~th@cpc1-cmbg15-2-0-cust361.cmbg.cable.virginmedia.com] has quit [Ping timeout: 252 seconds]
17:00 -!- chendry [~chendry@173-203-99-175.static.cloud-ips.com] has joined ##openvpn
17:01 < chendry> Hey guys!  Does OpenVPN have some sort of make-the-client-periodically-re-authenticate feature?
17:04 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
17:07 < ecrist> chendry: what do you mean.
17:08 < ecrist> if you're using ssl, they pretty much authenticate every packet
17:08 -!- batrick_ is now known as batrick
17:09 < chendry> ecrist: my client after an hour or so tries to re-authenticate and fails (because we're using one-time passwords is why it fails...)
17:09 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
17:09 < chendry> ecrist: it's probably just that the connection is dropping for one reason or another, i just figured there might be an off chance that it's intentional
17:10 < ecrist> !man
17:10 <+vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
17:10 < ecrist> check that, may be something in there.
17:10 < dougy> howdy eric
17:11 < dougy> can you do a sweeping spambot cleanup on the forum one more time before it goes live? :)
17:11 < chendry> yeah, i def. need to rtfm a little more :)
17:15 < barfster> Which logs to check when /etc/init.d/openvpn start returns: ...fail! 
17:15 < barfster> It does not say WHY it fails.
17:18 < dougy> well
17:18 < dougy> did you set it to log to a log file?
17:18 < dougy> heh
17:19 < barfster> Yes
17:19 < barfster> All of them are empty
17:20 -!- chendry [~chendry@173-203-99-175.static.cloud-ips.com] has quit [Quit: Leaving]
17:35 -!- killermouse0 [~killermou@gsv95-1-82-233-12-23.fbx.proxad.net] has quit [Read error: Connection reset by peer]
17:41 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
17:41 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
17:45 < barfster> http://paste.pocoo.org/show/249571/
17:49 < barfster> TCP/UDP: Socket bind failed on local address [AF_INET]192.168.1.1:1194: Cannot assign requested address
17:49 < barfster> I found that in syslog
17:49 < barfster> 192.168.1.1:1194 is nowhere in my configs
17:49 < barfster> 192.168.1.1:1194 is nowhere in /etc/openvpn/server.conf
17:51 < barfster> I set: local 10.12.0.1
17:51 < barfster> and it still says the same
17:51 < barfster> # ls -lAh /etc/openvpn/server.conf 
17:51 < barfster> -rw-r--r-- 1 root root 9.9K 2010-08-13 00:45 /etc/openvpn/server.conf
17:53 < barfster> Now with: local 10.12.0.1, but still it says: TCP/UDP: Socket bind failed on local address [AF_INET]192.168.1.1:1194: Cannot assign requested address in syslog
18:07 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
18:25 -!- SOG [~SOG@222.125.202.173] has quit [Read error: Connection reset by peer]
18:29 -!- SOG_ [~SOG@222.125.202.173] has joined ##openvpn
18:30 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
18:30 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:45 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:59 -!- barfster [~barf@74.7.197.50] has quit [Quit: Computer has gone to sleep]
19:06 -!- barfster [~barf@74.7.197.50] has joined ##openvpn
19:06 -!- barfster [~barf@74.7.197.50] has quit [Client Quit]
19:23 -!- ivenkys_ [~ivenkys@unaffiliated/ivenkys] has quit [Ping timeout: 276 seconds]
19:25 -!- nat2610 [~nfelsen@adsl-99-185-243-218.dsl.pltn13.sbcglobal.net] has joined ##openvpn
19:25 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined ##openvpn
19:26 < nat2610> anyone familiar with installing a openvpn server on windows 7. I'm all good except for the tap32 adapter ... for some reason I can create some, it doesn't seem to be a problem (is see them and can remove them) but openvpn says they are all used (while non of them are)
19:33 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
20:01 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Quit: brb]
20:07 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Quit: leaving]
20:07 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
20:11 -!- nb [~nb@fedora/GSWoT.Member.nb] has quit [Quit: ZNC - http://znc.sourceforge.net]
20:12 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
20:13 -!- nb [~nb@fedora/GSWoT.Member.nb] has joined ##openvpn
20:14 -!- SOG_ [~SOG@222.125.202.173] has quit [Quit: SOG_]
20:45 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
20:58 -!- rasengan [~rasengan@96.43.136.14] has quit [Quit: WeeChat 0.3.2]
20:58 -!- th1 [~th@cpc1-cmbg15-2-0-cust361.cmbg.cable.virginmedia.com] has joined ##openvpn
20:59 -!- killown [~killown@unaffiliated/killown] has quit [Remote host closed the connection]
21:01 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
21:39 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
21:47 -!- yakub [~www-data@unaffiliated/yakub] has joined ##openvpn
21:50 -!- yakub [~www-data@unaffiliated/yakub] has quit [Quit: leaving]
22:04 < Bushmills> change openvpn properties to run as admin
22:17 < reiffert> moin :)
22:17 < reiffert> Running the openvpn GUI with admin rights is enough for win7.
22:18 < reiffert> and/or can be seen as an alternative approach.
22:18 < dougy> hiiiiiiii
22:19 < reiffert> moin douggggggy
22:19 < dougy> howdy
22:19 < reiffert> life is getting back to normal, I was moving to another town
22:19 < dougy> nice
22:21 < reiffert> trillions on the todo list and customers snitching my motivation :)
22:22 < reiffert> slept 28 hours in the last two days, so today I'm fresh at least 
23:12 -!- barfster [~barf@75-148-144-125-Houston.hfc.comcastbusiness.net] has joined ##openvpn
23:35 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
23:38 -!- barfster [~barf@75-148-144-125-Houston.hfc.comcastbusiness.net] has quit [Ping timeout: 276 seconds]
23:54 -!- cshaiku [~cshaiku@cshaiku.com] has joined ##openvpn
--- Day changed Fri Aug 13 2010
01:23 -!- dazo_afk is now known as dazo
01:23 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:23 -!- mode/##openvpn [+o mattock] by ChanServ
01:25 -!- harsha [~harsha@203.92.58.162] has joined ##openvpn
01:26 < harsha> Hi folks! Can I ask OpenVPN-AS questions here?
01:27 < harsha> I want to migrate an existing OpenVPN server to a different host. We have a lincense that supports 10 concurrent users. 
01:33 < krzee> !AS
01:33 <+vpnHelper> krzee: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
01:33 <+vpnHelper> krzee: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
01:33 < krzee> see #4
01:34 < krzee> you get real support :)
01:59 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
02:52 < krzee> !route
02:52 <+vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:52 < krzee> !confgen
02:52 <+vpnHelper> krzee: "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/
02:56 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Read error: Connection reset by peer]
03:02 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:04 -!- mrak [~mrak@248.217.broadband14.iol.cz] has joined ##openvpn
03:04 < mrak> hello there
03:05 -!- tjz_ [~pc@bb116-14-173-172.singnet.com.sg] has joined ##openvpn
03:05 < macsppadic> hello mrak 
03:07 < mrak> i have tried to build tunnel between two location with bridge device on server site and it works from first look client made device tap1 and its ok but when i have tried to ping or make some connection from client to server it doenst work
03:07 < mrak> do u have any idea where should be problem 
03:07 < mrak> ?
03:07 < macsppadic> firewall ?
03:08 < macsppadic> paste ur configs mrak 
03:08 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
03:17 < mrak> port 1194
03:17 < mrak> proto tcp-server 
03:17 < mrak> dev tap
03:17 < mrak> ca ssl/ca2.crt
03:17 < mrak> cert ssl/fw_server.crt
03:17 < mrak> key ssl/fw_server.key
03:17 < mrak> crl-verify ssl/crl.pem
03:17 < mrak> dh ssl/dh1024.pem
03:17 < mrak> server-bridge 192.168.9.254 255.255.255.0 192.168.9.210 192.168.9.220
03:18 < mrak> client-config-dir ccd
03:18 < mrak> ifconfig-pool-persist ipp.txt
03:18 < mrak> keepalive 10 120
03:18 < mrak> comp-lzo
03:18 < mrak> user nobody
03:18 < mrak> group nobody
03:18 < mrak> persist-key
03:18 < mrak> persist-tun
03:18 < macsppadic> mrak use dpaste.com
03:18 < mrak> status openvpn-status.log
03:18 < mrak> verb 5
03:18 < macsppadic> http://dpaste.com/
03:18 < macsppadic> pls paste there n send url- best not to clog up the channel 
03:19 < mrak> ok 
03:19 < krzee> wow
03:20 < mrak> http://dpaste.com/228377/
03:20 < mrak> http://dpaste.com/228378/
03:29 < macsppadic> sorry mrak gota a meeting - will be back in a bit 
03:29 < mrak> if i have tried to ping from server to client or another way it looks like those subnets dont see together but it should be one subnet
03:30 < mrak> macsppadic: ok thx
03:37 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 265 seconds]
03:55 -!- st_iron [~iron@bint.dirtyslag.org] has joined ##openvpn
03:55 < st_iron> hello
03:55 < st_iron> i installed openvpn on a debian lenny server, generated the server keys
03:56 < st_iron> now i have to use the auth-ldap plugin for it
03:56 < st_iron> can anyone help me in this?
04:03 < Fiouz> I didn't know there was one
04:10 < st_iron> btw i prefer the key based auth
04:10 < st_iron> but my customer want ldap auth from the samba's ldap
04:13 -!- trefn [~tim@c-98-248-40-254.hsd1.ca.comcast.net] has quit [Quit: trefn]
04:17 < Fiouz> then, what problem do you encounter? An LDAP-specific one?
04:41 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
05:05 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
05:17 -!- st_iron [~iron@bint.dirtyslag.org] has left ##openvpn []
05:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:43 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
05:49 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
05:51 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
05:57 -!- Ruby[Fan] [c2673f9a@gateway/web/freenode/ip.194.103.63.154] has quit [Quit: Page closed]
06:21 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
06:22 -!- SOG [~SOG@61.144.230.241] has quit [Quit: SOG]
06:25 -!- Cain` [~Geek@unaffiliated/cain] has joined ##openvpn
06:27 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
06:27 -!- Cain` is now known as Cain
07:16 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 252 seconds]
07:39 -!- dazo is now known as dazo_afk
07:53 -!- barfster [~barf@75-148-144-153-Houston.hfc.comcastbusiness.net] has joined ##openvpn
08:03 -!- takamichi [~pri@c7-97-123.keyworld.net] has quit [Ping timeout: 240 seconds]
08:03 -!- takamichi [~pri@94-23-148-250.ovh.net] has joined ##openvpn
08:32 -!- snL20 [~irssi@194.81-166-79.customer.lyse.net] has quit [Ping timeout: 240 seconds]
08:32 < dougy> yo
08:32 < ecrist> oy
08:33 < ecrist> sup d00d?
08:34 -!- snL20 [~irssi@194.81-166-79.customer.lyse.net] has joined ##openvpn
08:34 < dougy> hey
08:34 < dougy> whens the official move today
08:34 < ecrist> already done
08:34 < dougy> win
08:34 < dougy> is openvpn gonna make an official announcement?
08:34 < ecrist> yes
08:34 < dougy> when/where :P
08:34 < ecrist> there's a ton of stuff coming down the pipe today
08:35 < dougy> why a friday thats so weird
08:35 < dougy> lol
08:35 < dougy> seems like a monday = better
08:35 < ecrist> about 6 hours from now
08:35 < ecrist> the man who's posting the announcement is enroute to Helsinki
08:36 < dougy> http://www.vwforum.com/forums/335548-post10.html
08:36 < dougy> wow
08:36 < dougy> lol
08:38 -!- barfster [~barf@75-148-144-153-Houston.hfc.comcastbusiness.net] has quit [Ping timeout: 240 seconds]
08:40 -!- jetole_ is now known as jetole
08:40 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
08:42 -!- takamichi [~pri@94-23-148-250.ovh.net] has quit [Ping timeout: 252 seconds]
08:42 -!- takamichi [~pri@c7-97-123.keyworld.net] has joined ##openvpn
08:43 -!- bbtrb [~tom@64.134.180.240] has joined ##openvpn
08:44 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
08:44 < bbtrb> hi all! Is there a way to setup an openvpn server as a standard user in *nix based environments? Couldn
08:44 < bbtrb> 't find anything in the docs ...
08:44 < dougy> what does that mean exactly
08:44 < dougy> and hey [intra]lanman!
08:45 < bbtrb> Our admin refuses to install ...
08:45 < [intra]lanman> hey
08:47 < ecrist> bbtrb: not without difficulty
08:47 < ecrist> openvpn can downgrade it's permissions after start, but it needs to be able to modify network interfaces to do it's work.
08:47 < dougy> Oh that just made sense, whoops
08:47 < bbtrb> ecrist: sounds like: no. crap 
08:48 -!- mode/##openvpn [+o dougy] by ChanServ
08:49 -!- dougy changed the topic of ##openvpn to: OpenVPN 2.1.1 Most Current || 2.2beta on the horizon || Your problem is your firewall, really. || Type  !welcome  before asking your questions. || Web Forum: http://forums.openvpn.net || Developers: #openvpn-devel
08:49 < bbtrb> ecrist: His argument is that we all just use socks for browsing and different ssh tunnels for mail etc. Works, sure, but is awful when you are on a laptop in the wild
08:49 < ecrist> that's too baad
08:49 < ecrist> bad*
08:49 < ecrist> !forum
08:49 <+vpnHelper> ecrist: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
08:49 < ecrist> !forget forum
08:49 <+vpnHelper> ecrist: Joo got it.
08:49 < ecrist> !learn forum The official OpenVPN support forum is available at http://forums.openvpn.net
08:50 <+vpnHelper> ecrist: (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
08:50 < ecrist> !learn forum as The official OpenVPN support forum is available at http://forums.openvpn.net
08:50 <+vpnHelper> ecrist: Joo got it.
08:53 < Fiouz> bbtrb: http://openvpn.net/index.php/open-source/documentation/howto.html#security
08:53 <+vpnHelper> Title: HOWTO (at openvpn.net)
08:56 < bbtrb> Fiouz: I've seen that, but it still requires root to give users the permission to manage tun. Taboo for our admin
08:56 < bbtrb> Fiouz: thanks anyway
08:56 <@dougy> linux laptop?
08:59  * dougy pokes baffle
08:59 <@dougy> er
08:59  * dougy pokes bbtrb
08:59 < bbtrb> sure linux :P
09:00 <@dougy> boot a livecd
09:00 <@dougy> and use a flash drive and compile openvpn on it
09:01 < mrak> macsppadic: well thx a lot i found it ...shorewall dont will be my friend anymore
09:02 < macsppadic> oh crap sorry mrak totally forgot about ur pasted configs from this morning 
09:02 < macsppadic> just been hectic today sorry mte 
09:02 < macsppadic> mate
09:02 < macsppadic> ahh so was it the firewall then?
09:02 < bbtrb> actually, the server should run on a workstation that is used for computation by others, so this is not really an option
09:02 < mrak> macsppadic: it ok :)
09:02 < bbtrb> thanks for the advice, but I'll have to live with ssh tunnels, ugh 
09:02 < macsppadic> oh ok hehe 
09:03 < mrak> macsppadic: yeap :( bad deffinition of interfaces and zones 
09:03 < macsppadic> as it says in the topic here  more often than not it s the firewall :-) 
09:03 < mrak> hehe
09:03 < macsppadic> not had too many issues with shorewall myself 
09:03 < mrak> yeap 
09:03 < macsppadic> well atleast its sorted heheh 
09:12 < jpalmer> krzee: ping
09:16 -!- Irssi: ##openvpn: Total of 108 nicks [5 ops, 0 halfops, 1 voices, 102 normal]
09:16 < mrak> fyi: interface deff. as - br0 where i must deff. hosts  br0:tap0 and br0:eth0 
09:27 -!- takamichi [~pri@c7-97-123.keyworld.net] has quit [Ping timeout: 240 seconds]
09:27 -!- takamichi [~pri@c7-97-123.keyworld.net] has joined ##openvpn
09:37 -!- dazo_afk is now known as dazo
09:46 -!- barfster [~barf@74.7.197.50] has joined ##openvpn
09:50 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
09:50 <@dougy> ecrist msg me when the announcement is made
09:53 < ecrist> about 5 hours from now
09:53 < ecrist> but will do
09:55 <@dougy> i know you said around 3pm est
09:55 <@dougy> but still i will not be paying attention to time
09:55 <@dougy> so just msg me :D
09:57 -!- bbtrb [~tom@64.134.180.240] has quit [Ping timeout: 248 seconds]
10:09 -!- mrak [~mrak@248.217.broadband14.iol.cz] has quit [Quit: Leaving]
10:13 -!- bbtrb [~tom@dhcp-132.hep.fsu.edu] has joined ##openvpn
10:15 -!- snL20 [~irssi@194.81-166-79.customer.lyse.net] has quit [Quit: leaving]
10:18 < jpalmer> which announcement?  new ovpn version release?
10:19 <@dougy> nope
10:19 -!- km2010 [~chris@209.250.146.220.tor.pathcom.com] has joined ##openvpn
10:19 <@dougy> the forum moving @ jpalmer
10:19 < ecrist> jpalmer: openvpn2.2 beta today
10:19 <@dougy> officially sponsored by openvpn project now
10:19 <@dougy> but i gues that too
10:19 <@dougy> lol
10:20 <@dougy> ecrist they should post the announcement in the forum and email about it
10:20 <@dougy> with forum link
10:20 <@dougy> ahaha
10:20 < ecrist> dougy, an announcement will be coming later today, chill man.
10:20 < jpalmer> you're laughing, but thats probably not a bad idea
10:20 <@dougy> jpalmer: i know its not a bad idea
10:20 <@dougy> i usually have good ideas
10:21 < jpalmer> dougy: maybe you have an idea where krzee is?  I been trying to get ahold of him for..  YEARS (ok, really since like yesterday but still)
10:21 < jpalmer> make it a GOOD idea. :P
10:22 < ecrist> he's travelling, I think.
10:22 < Bushmills> (15:16:26) krzee: [09:19] wow.   2 hours ago
10:22 < ecrist> should be around later.
10:22 < jpalmer> thats not an acceptable answer!
10:22 < jpalmer> lol
10:22 < ecrist> dammit
10:22 < km2010> hey guys.. justa super quick question...
10:23 < km2010> is it possible to setup OpenVPN server (I'm using version 2.1) to have per user log?
10:23 < Bushmills> ehm .. no. that was when my bouncer sent the log after i reconnected.  
10:23 < Bushmills> mesage was 8 hours ago
10:23 < ecrist> km2010: not easily
10:23 < ecrist> you'd have to do some tcpdump magic
10:23 < km2010> ecrist: but doable?
10:23 < ecrist> openvpn does log traffic utilization and some other bits
10:24 < ecrist> km2010: with some client connect scripts and some other things, sure
10:24 < km2010> ecrist: any documen anywhere that i could reference to?
10:24 < ecrist> nope
10:24 < ecrist> !man
10:24 <+vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
10:24 < ecrist> and go from there.
10:25 < km2010> OK, I'll look into it, thanks
10:25 < ecrist> no problem
10:25 < ecrist> if you have specific questions, feel free to ask, but we can't design the whole thing for you.
10:26 < km2010> sure thing, i was just wondering if there is an "option" that i'm missing
10:26 < barfster> I followed the howto and I need help to find out what to do when openvpn says fail!!!
10:26 < barfster> I have found in the syslog
10:26 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
10:27 < Bushmills> you'd read, behind "fail" what caused it to fail, and fix the reason.
10:28 < barfster> TCP/UDP: Socket bind failed on local address [AF_INET]192.168.1.1:1194: Cannot assign requested address
10:28 < barfster> The only thing after "fail" is !
10:28 < barfster> That IP address is not in my server.conf
10:28 < ecrist> !configs
10:28 < ecrist> !logs
10:28 <+vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
10:28 <+vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
10:28 < ecrist> barfster: ^^^^
10:29 < Bushmills> check that you don't have an interface with address 192.168.1.1 already assigned
10:29 < barfster> I dont
10:29 < barfster> And I do not want to use that IP
10:30 < Bushmills> so specify in the config which subnet you want to use
10:31 < barfster> http://paste.pocoo.org/show/249820/
10:32 -!- macsppadic [~sonupunno@88.211.55.77] has left ##openvpn []
10:34 -!- km2010 [~chris@209.250.146.220.tor.pathcom.com] has left ##openvpn []
10:37 < Bushmills> run  as root openvpn /path/to/your/config
10:38 <@dougy> have you guys cleaned your balls today
10:38 <@dougy> http://www.youtube.com/watch?v=F0AlcVU-de4
10:38 <+vpnHelper> Title: YouTube - Clean Your Balls with Axe - LOL (HIGH QUALITY!) (at www.youtube.com)
10:39 < Bushmills> also, check your openvpn log instead of he syslog
10:40 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
10:44 < barfster> openvpn /etc/openvpn/server.conf
10:44 < barfster> ran just fine
10:44 < barfster> logs in the right place
10:45 < Bushmills> fix your startup script, or remove other .conf files from /etc/openvpn directory
10:47 < barfster> Now I have a tun
10:47 < Bushmills> or edit your /etc/default/openvpn, comment out to start all configs, and put in to start your server config only
10:47 < barfster> http://paste.pocoo.org/show/249824/
10:48 -!- dazo is now known as dazo_afk
10:48 < Bushmills> for donations, don't hesitate to request my paypal address :)
10:49 < barfster> What about SWIFT/IBAN?
10:50 < Bushmills> i'd need to charge tax for donations on those om top
10:52 < barfster> tax is just a part of what you receive, nothing that comes on top.
10:53 < Bushmills> that's an example of the law of diminishing returns in full operation
10:53 < barfster> If you receive €10 and have a 50% tax rate
10:53 < barfster> €5 is for you and €5 is for tax
10:54 < Bushmills> crooks, they are, aren't they?
10:54 < barfster> As always
10:56 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:56 < Bushmills> ecrist: the factoid concerning configs may need fixing. it doesn't take into account that some linux distributions try to start a daemon for each found config by default
10:57 < ecrist> reword and I'll commit
10:58 < Bushmills> or, maybe don't. when folks can fix their problems simply by reading the factoid, the chance to beg for donations would be gone
10:58 <@dougy> if anyone here needs WD RE3 drives they are on sale now
11:00 < Bushmills> dougy: you donate me one?
11:00 < ecrist> dougy: no adverts here, please
11:01 <@dougy> alrighty
11:01 <@dougy> just was saying newegg has them cheap
11:01  * dougy shrug
11:02 <@dougy> oh, i never did say newegg when i first mentioned it
11:02 <@dougy> my fault
11:09 < krzee> [11:22]  <Bushmills> (15:16:26) krzee: [09:19] wow.   2 hours ago
11:09 < krzee> [11:22]  <ecrist> should be around later.
11:09 < krzee> [11:22]  <jpalmer> thats not an acceptable answer!
11:09 < krzee> !seen krzee
11:09 <+vpnHelper> krzee: krzee was last seen in ##openvpn 7 seconds ago: <krzee> [11:22]  <jpalmer> thats not an acceptable answer!
11:10 < krzee> jpalmer, im in the USA, vacation
11:10 < Bushmills> !seen krzee
11:10 <+vpnHelper> Bushmills: krzee was last seen in ##openvpn 24 seconds ago: <krzee> jpalmer, im in the USA, vacation
11:11 < Bushmills> see, the bot lied
11:11 < krzee> interesting
11:11 -!- dazo_afk is now known as dazo
11:11 < krzee> !seen krzee
11:11 <+vpnHelper> krzee: krzee was last seen in ##openvpn 19 seconds ago: <krzee> interesting
11:11 < krzee> !seen krzee
11:11 <+vpnHelper> krzee: krzee was last seen in ##openvpn 1 second ago: <krzee> !seen krzee
11:11 < krzee> ahh cool
11:12 < Bushmills> user names, starting with "!", are probably illegal
11:12 < Bushmills> pity :)
11:16 < krzee> jpalmer, pong
11:23 -!- mattock [~samuli@gprs-prointernet-fffb6a00-172.dhcp.inet.fi] has joined ##openvpn
11:23 -!- mode/##openvpn [+o mattock] by ChanServ
11:26 < barfster> Is it OK to run openvpn on a linux router?
11:27 < Bushmills> like, a wlan or home router?
11:28 <@dougy> oh
11:28 <@dougy> hey jeff
11:36 < krzee> hey dougy 
11:36 < krzee> barfster, certainly
11:42 < barfster> Do I have to do anything to iptables?
11:43 <@dougy> sup krzee
11:43 < barfster> #iptables -I FORWARD -i tun+ -o eth0 -j ACCEPT
11:43 < barfster> #iptables -I FORWARD -i eth0 -o tun+ -j ACCEPT
11:43 < barfster> ?
11:44 < barfster> Or is that only when openvpn runs on a node that only has LAN IP?
11:44 < krzee> depends on your current config
11:44 < krzee> but basically
11:44 < krzee> you want to allow forwarding, yes
11:45 < krzee> you want to allow the port/proto you run openvpn on as well
11:48 <@dougy> where are you in the states krzee
11:49 < krzee> cali
11:49 <@dougy> word
11:49 <@dougy> goods tuff
11:49 <@dougy> good stuff
11:49 < krzee> hows the leg?
11:49 <@dougy> ok, i wiped out on it yesterday pretty badly
11:50 < krzee> damn they already got you trying?
11:50 <@dougy> walking? no, thats next wednesday
11:50 <@dougy> i had to go to school to take senior portraits yesterday, and it was raining.. freshly waxed floor, one shoe that is wet, and wet crutches = epic wipe out
11:51 < krzee> lol
11:51 <@dougy> am lucky i didnt break my other leg
11:53 -!- mattock [~samuli@gprs-prointernet-fffb6a00-172.dhcp.inet.fi] has quit [Ping timeout: 248 seconds]
11:54 -!- mattock [~samuli@gprs-prointernet-ff336a00-109.dhcp.inet.fi] has joined ##openvpn
11:54 -!- mode/##openvpn [+o mattock] by ChanServ
11:55 -!- Hypnoz [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:56 < Hypnoz> so apparently pushing DNS through vpn only work nicely on windows machines. Mac / Linux you have to jump through more hoops?
11:56 < ecrist> yes/no
11:57 < ecrist> Tunnelblick claims to be able to setup DNS 
11:57 < Hypnoz> hmmm
11:57 < Hypnoz> maybe there is a setting in tunnelblick I missed
11:57 < Hypnoz> or I should restart the app
11:57 < ecrist> in tunnelblick, open detail, check the box for your connection that reads 'Set nameserver'
11:58 < barfster> OK
11:58 < barfster> Now I am ready to set up a client
11:59 -!- mode/##openvpn [+o-o ecrist ecrist] by dougy
11:59 <@dougy> hmm
11:59 <@dougy> wtf
11:59 <@dougy> sorry o.O
11:59 < barfster> This is from ubuntu 10.04 Mini ssh server install to another machine with ubuntu 10.04 Mini ssh server install
11:59  * dougy mirc scripting gone buggy
11:59 < barfster> I believe the server side runs OK now
12:06 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Read error: Connection reset by peer]
12:10 < barfster> When I made the keys, I had to key in a pass phrase
12:10 < barfster> When should I key that in again?
12:13 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 245 seconds]
12:15 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
12:18 < barfster> Hmm
12:18 < barfster> Looks to me like the client runs
12:18 < barfster> How can I access the tunnel?
12:19 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
12:20 < krzee> ping the vpn i
12:20 < krzee> ip
12:21 < barfster> I can ping the other side from the linux router
12:21 < barfster> But not from the other nodes on the LAN
12:21 < barfster> Do I need to add a rule in the routing table of the linux router perhaps?
12:22 < krzee> !route
12:22 <+vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:22 < krzee> how many LANs in your setup?
12:23 < barfster> 2 at the moment for testing and 1 for transport
12:23 < krzee> so 2 clients and a server
12:23 < barfster> 1 client and a server
12:24 < krzee> ahh
12:24 < barfster> but the client is my linux router
12:24 < krzee> well !route is still perfect for ya
12:24 < krzee> is the server also on a router?
12:24 < barfster> Yes
12:24 < barfster> But from my router here
12:24 < barfster> I can ping all the nodes on the other side
12:24 < barfster> So the tunnel is obviously open
12:25 < krzee> which lan is responding to pings over the vpn?
12:25 < barfster> I am now on 10.10.11.0/24
12:25 < barfster> I can ping 10.225.90.7
12:25 < barfster> and it responds
12:26 < barfster> I us 10.80.100.0/24 or something like that for transport
12:26 < barfster> *use
12:26 < krzee> is .7 running openvpn?
12:26 < barfster> No
12:26 < krzee> cool
12:26 < krzee> what is not working?
12:26 < barfster> VPNserver is on: 10.225.90.1
12:26 < barfster> vpnclient is running on 10.10.11.1
12:27 < barfster> and from the 10.10.11.1 I can type ping -nc 1 10.225.90.7 and I get a reply
12:27 < barfster> and my setup is tun routed
12:27 < barfster> I will start reading the text from link now
12:27 < barfster> Thanks
12:28 < krzee> sounds like everything is working
12:28 < krzee> right?
12:30 < jpalmer> krzee: when is the vacation over?
12:30 < krzee> ~2weeks
12:31 < jpalmer> oh.  hrm.  we can talk after that then.   
12:31 < krzee> we can talk now
12:31 < jpalmer> is this a working vacation then?  lol
12:31 < barfster> krzee: from 10.10.11.30 I type ping -nc 1 10.225.90.7 but not get a reply...
12:32 < barfster> But I guess that is my local routing table here?
12:32 < krzee> ahh
12:32 < krzee> barfster, and is 11.30 the lan behind openvpn client or server?
12:32 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
12:32 < Hypnoz> baftster: try running this on your openvpn server
12:32 < Hypnoz> echo 1 > /proc/sys/net/ipv4/ip_forward
12:33 < barfster> 11.30 is behind the client linux router
12:33 < krzee> Hypnoz, his server is a router
12:33 < Hypnoz> hmm good point
12:34 < Hypnoz> krzee: are you familiar with pushing dns through the vpn tunnel?
12:34 < krzee> sure
12:34 < krzee> !pushdns
12:34 <+vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
12:35 < barfster> Hmm
12:35 < Hypnoz> So I did that, and windows client works fine
12:35 < barfster> I can not ping from the server to the nodes on the client side...
12:35 < krzee> !clientlan
12:35 <+vpnHelper> krzee: "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
12:35 < krzee> do you have this?
12:35 < krzee> !iroute
12:35 <+vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
12:36 < Hypnoz> barfster: is the openvpn server the default gateway for the nodes?
12:36 < barfster> affirmative
12:36 < barfster> on both sides actually
12:37 < Hypnoz> just as a test, can you do    cat /proc/sys/net/ipv4/ip_forward     it should return "1"
12:38 < barfster> Of course that is 1
12:38 < barfster> or iptables does not work
12:38 < barfster> for what I need iptables to do anyways...
12:38 < Hypnoz> is it possible iptables needs a rule to allow traffic between the vpn subnet and internal subnet?
12:39 < barfster> Ahh
12:39 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 240 seconds]
12:39 < barfster> Maybe I did not uncomment the tun rule on one of the sides.
12:41 < barfster> Are there only issues with windows computers?
12:41 < barfster> I have mainly macs in my house
12:41 < barfster> and some linux boxes
12:41 < barfster> Windows is only inside virtual machines.
12:42 < Hypnoz> what issues are you referring to?
12:42 < krzee> barfster, so you have iroute for the client lan in a file on the server in the ccd dir?
12:42 < krzee> !ccd
12:42 <+vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
12:44 <@dougy> boredom
12:45 < barfster> I have no ccd stuff yet
12:45 < barfster> Hypnoz: I see at the bottom of ever 3 page or so there are caveats
12:46 < krzee> barfster, thats why you have no client lan
12:47 < krzee> go ahead and read !route
12:47 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
12:47 < krzee> !route
12:47 <+vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:50 -!- nclx [~nclx@97.103.253.226] has joined ##openvpn
12:52 -!- dougy is now known as D
12:53 -!- D is now known as Guest8675
13:05 -!- mattock [~samuli@gprs-prointernet-ff336a00-109.dhcp.inet.fi] has quit [Ping timeout: 252 seconds]
13:08 -!- nclx [~nclx@97.103.253.226] has quit [Quit: My damn controlling terminal disappeared!]
13:10 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 248 seconds]
13:12 < barfster> !ccd
13:12 <+vpnHelper> barfster: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
13:12 < krzee> !iroute
13:12 <+vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
13:12 < barfster> So I should make /etc/openvpn/ccd/ folder?
13:12 < krzee> its explained in !route as well
13:14 <@Guest8675> -psyBNC> Fri Aug 13 18:14:24 :User me (fn) trying irc.freenode.net port 6666 ().
13:14 <@Guest8675> <-psyBNC> Fri Aug 13 18:14:24 :User me got disconnected from server.
13:14 <@Guest8675> freenode hates me
13:15 < barfster> There are too many letters of fine literature in there, will something along these lines do? echo "client-config-dir /etc/openvpn/ccd/local.conf" >> /etc/openvpn/openvpn.conf ?
13:16 -!- dazo is now known as dazo_afk
13:17 -!- nclx [~nclx@226.253.103.97.cfl.res.rr.com] has joined ##openvpn
13:18 < nclx> http://pastebin.com/2ZmNqkdN - OpenBSD TLS-client to OpenBSD TLS-server setup, /w routing, not working, lots of details posted to pastebin, would greatly appreciate any assistance or ideas.
13:19 < krzee> client-config-dir /etc/openvpn/ccd
13:20 < nclx> let me check that
13:20 < krzee> nclx, that was at barfster 
13:20 < krzee> first thing that jumps out at me in yours is
13:20 < krzee> !path
13:20 <+vpnHelper> krzee: "path" is always use full paths in your config file, it makes things easier
13:20 < barfster> ccd is a folder?
13:21 < barfster> How to name the files inside?
13:21 < krzee> !ccd
13:21 -!- doug_ [me@208.99.80.128] has joined ##openvpn
13:21 <+vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
13:21 -!- doug_ is now known as Dougy
13:21 < Dougy> gah
13:21 < krzee> the filename must match the common-name of the client's cert
13:21 < Dougy> bitchX is so ugly
13:21 -!- Dougy [me@208.99.80.128] has quit [Client Quit]
13:21 < barfster> client.crt ?
13:21 < krzee> nclx, 
13:21 < krzee> !lan
13:21 <+vpnHelper> krzee: Error: "lan" is not a valid command.
13:22 < krzee> err
13:22 < krzee> !route
13:22 <+vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:22 -!- doug_ [me@208.99.80.128] has joined ##openvpn
13:22 -!- doug_ is now known as Dougy
13:22 < krzee> barfster, 
13:22 < krzee> !certinfo
13:22 <+vpnHelper> krzee: "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
13:22 -!- mode/##openvpn [+o Dougy] by Guest8675
13:22 -!- Guest8675 [Douglas@ool-435033e6.dyn.optonline.net] has quit []
13:22 <@Dougy> woot
13:24 < nclx> vpnHelper when looking at the output of openvpn command on each side I have verified it finds all certs and keys okay with the relative paths, in the pastebin I show that I can ping across the vpn using the 10.8.0.0/24 subnet but from the client to the server side, but not back from the server to the client.
13:24 <+vpnHelper> nclx: Error: "when" is not a valid command.
13:25 < krzee> !bot
13:25 <+vpnHelper> krzee: "bot" is I'm a bot.. just a bot. krzee is my maintainer, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
13:25 < nclx> oh lol
13:25 < nclx> oops
13:25 < krzee> im still reading it
13:26 < krzee> but thats the first thing that jumped out at me, trust me you want full paths
13:26 < nclx> okay, I have read and followed the Routing guide on that page you sent.
13:26 < nclx> I will go ahead and change those and restart just to be safe
13:27 < krzee> ok so you have 2 lans behind the client, and a lan behind the server
13:27 < krzee> right?
13:28 < krzee> client-config-dir ccd
13:28 < krzee> you especially need that to be a full path
13:28 < krzee> and in your pastebin you dont have your ccd entries
13:30 < krzee> you and barfster have the same problem
13:30 < nclx> yes
13:30 < nclx> okay I'll go double check everything in my ccd dir
13:30 < krzee> the client with the 2 lans
13:30 < nclx> thanks will return in a few with info on if I was able to fix it with that
13:30 < nclx> yes
13:30 < krzee> needs a ccd entry with the iroutes
13:31 < nclx> ccd/client1 should say iroute 10.10.10.0 255.255.255.0 and iroute 192.168.29.0 255.255.255.0, going to check it
13:31 < krzee> yup
13:31 < krzee> and client1 should EXACTLY match the clients common-name in his cert
13:32 < nclx> right
13:33 < nclx> krzee, my ccd was messed up, I fixed it now and can ping both ways, now to test from perspective of behind each router, thanks very very much. 
13:33 < krzee> yw
13:34 < krzee> but also
13:34 < krzee> if you have other clients
13:34 < krzee> you want to add push routes for the route entries in server config
13:35 < krzee> the client who owns them will not get them pushed because of the matching iroute entries
13:46 < barfster> Can I find the common name by grepping syslog? cat /var/log/syslog |grep "CN="
13:47 < kisom> barfster: Depends on what you want to do. The CNs of the connected clients?
13:47 < barfster> ccd/client1 should say what? iroute? or push "route?
13:47 < barfster> to find the name of the file to go in ccd
13:47 < kisom> Are you using easy-rsa?
13:47 < barfster> yes
13:48 < barfster> is it in vars?
13:48 < kisom> Then keys are found in easy-rsa/keys/
13:48 < barfster> I have keys
13:48 < kisom> Yes, they will be named as the CN
13:48 < barfster> I just don’t know what to name the config file to put in ccd
13:48 < barfster> The keys I already put in /etc/openvpn/
13:48 < barfster> and appears to work?
13:49 < kisom> Check your certificate files, easy-rsa embedds the CN if i remember correctly
13:49 < barfster> also I get the error Options error: --client-to-client requires --mode server
13:49 < kisom> Yes, you need to have a server which can forward packets between clients :)
13:50 < Bushmills>  your /var/log/openvpn/openvpn-status.log shows the CNs of the clients connected
13:50 < kisom> Depends on how openvpn is configured...
13:50 < Bushmills> i took it from his server config
13:50 < barfster> Is this it? /CN=server/
13:50 < kisom> Yes, it is
13:51 < kisom> but the server does not need a CCD file
13:51 < Bushmills>  status /var/log/openvpn/openvpn-status.log    # a line of his config
13:53 < kisom> Have you read about the status directive in the manual?
13:54 < Bushmills> who do you ask?
13:54 < kisom> Because it explains it pretty good :)
13:54 -!- SVD [SVD@93-97-41-44.zone5.bethere.co.uk] has quit []
13:55 < kisom> Hmm, any documentation regarding --status-version btw? Haven't seen that one before
13:57 < nclx> krzee: it works perfect now, again your help is much appreciated, you rock
14:00 < barfster> So the file with iroute should be named client1 or client1.conf?
14:00 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
14:00 -!- mode/##openvpn [+o mattock] by ChanServ
14:00 -!- bbtrb [~tom@dhcp-132.hep.fsu.edu] has quit [Quit: Lost terminal]
14:01 < barfster> kisom: I have problems enough reading the pages you send me links to, how should I have read one that I do not even know of?
14:01 < kisom> type "man openvpn" in your terminal :)
14:02 < kisom> That's pretty much all you need...
14:05 < kisom> I wrote a simple "control panel" btw...
14:05 < kisom> https://ck3r.org/status.php
14:05 <+vpnHelper> Title: Status (at ck3r.org)
14:05 < kisom> If anyone is interested, i may as well open source it.
14:14 <@Dougy> do it kisom 
14:14 < kisom> i think i have to clean up the code first, quite messy at the moment :) and contains lots of features nobody but me will ever use...
14:14 < kisom> Ok, a good weekend project then.
14:16 <@Dougy> Post it on..
14:16 <@Dougy> !forum
14:16 <+vpnHelper> Dougy: "forum" is The official OpenVPN support forum is available at http://forums.openvpn.net
14:16 <@Dougy> when done
14:16 < kisom> Will do.
14:18 <@Dougy>  will play with it
14:18 <@Dougy> the traffic counting look snice
14:19 <@Dougy> kisom: can you make a monthly traffic counter
14:19 <@Dougy> or something of the sort?
14:20 < kisom> Currently it uses no database at all, does not store anything. It just reads the status file and parses it to HTML
14:20 <@Dougy> if you could make it do some kind of traffic accounting itd be popular methinks
14:21 < kisom> Yeah, probably.. But then it would require some script running in the background all the time
14:21 <@Dougy> how so
14:21 <@Dougy> couldnt you just make a script to log their total usage into a text file or db or something when they discoount
14:21 <@Dougy> disconnect even
14:22 < kisom> Hmm, yeah, that's true
14:22 < kisom> I'll see what i will do
14:22 <@Dougy> i realize i am turning this into a huge undertaking
14:22 <@Dougy> hehe
14:22 <@Dougy> sorry
14:22 <@Dougy> people would probably even pay for it
14:22 < Bushmills> Dougy: you can take that info from the status fie
14:22 < Bushmills> file
14:22 < kisom> Well the script is pretty old, need some pimpin up ;)
14:22 <@Dougy> Bushmills: it keeps it for the lifetime?
14:22 <@Dougy> or just for the current connection
14:23 < Bushmills> no, that's why you take it from there
14:23 < kisom> Besides, we use the thing at work so my boss wuld probably like some more features
14:23 < barfster> So how do I go¨
14:23 < barfster> I have made on the server mkdir /etc/openvpn/ccd/
14:23 < barfster> I still do not know what to name the file in that folder...
14:24 < barfster> should I go cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/client.* /etc/openvpn/ccd/ ?
14:24 < barfster> or just look at the filenams in /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/
14:24 < barfster> and choose one of the client keys I made?
14:25 < barfster> like client and do echo "iroute 10.10.1.0 255.255.255.0" > /etc/openvpn/ccd/clientTest
14:25 < barfster> like clientTest and do echo "iroute 10.10.1.0 255.255.255.0" > /etc/openvpn/ccd/clientTest
14:28 < barfster> In the example it says: ccd/client1
14:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
14:29 < barfster> Is client1 the same as the name of the key file before the dot and the extension?
14:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
14:30 < Bushmills> Dougy: also popular is adding stub firewall accounting rules. those may need periodic polling, because traffic counters are not guranteed to be 64 bits 
14:34 -!- RedT0mt0m [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has quit [Read error: Connection reset by peer]
14:40 -!- RedT0mt0m [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has joined ##openvpn
14:44 < barfster> Is there something I can put in ccd/client1 similar to echo "Hello World" just to check if the name of the config file is correct?
14:45 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
14:45 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
14:45 < krzee> that actually should work
14:45 < krzee> lol
14:45 < kisom> barfster: no, but if you can connect from the client the name is correct.
14:45 < krzee> i believe --echo exists
14:45 < barfster> connect from the client?
14:45 < kisom> oh yeah. nvm.
14:45 < kisom> (never used echo)
14:45 < barfster> It has been connected all day
14:45 < krzee> nor have i
14:46 < barfster> The client is connected
14:46 < krzee> barfster, has to reconnect for ccd entry to take effect
14:46 < barfster> My problem is how to connect the rest of my computers
14:46 < krzee> only read on connect
14:46 < barfster> And that could be done using command line like openvpn /etc/openvpn/openvpn.conf instead of using a script?
14:47 < krzee> huh?
14:50 < Bushmills> krzee: probably relating to http://scarydevilmonastery.net/snap/1281729011480096880d.png
14:56 < kisom> krzee: Are you one of the openvpn-devs btw?
14:56 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
14:57 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
14:57 < barfster> It now runs
14:58 < barfster> I can connect to the nodes on the remote end of the tunnel from any workstation here
14:58 < barfster> However the computers do not show up as local... however that might be a smart thing.
14:58 < barfster> However the remote computers do not show up as local... now that might be a smart thing.
14:59 < kisom> Enable client-to-client...
14:59 < barfster> So that the kids do not start watching movies from their cousins house...
14:59 < kisom> I assume you are talking about windows SMB or similar
14:59 < barfster> I have enabled cliet-to-client
14:59 < kisom> Then your clients should be able to talk to each other over the VPN
14:59 < barfster> There is no windows here or in the other location
15:00 < barfster> The workstation on the client side can talk to any machine on the server side
15:00 < barfster> However any machine on the server side can not talk to any machine on the client side :-(
15:01 < kisom> Are you using masquerade?
15:02 < barfster> Yes
15:02 < barfster> But that should not affect tun?
15:02 < barfster> MASQ is on for packets travelling from the internal NIC to the WAN NIC
15:03 < barfster> MASQ is not in use when connecting from client side to server side
15:04 < kisom> If you are using masquerade, then computers outside the VPN will not be able to connect to services inside the VPN.
15:04 < kisom> Unless you do a port forward.
15:07 < kisom> http://livepad.eu/openvpn
15:07 <+vpnHelper> Title: EtherPad: openvpn (at livepad.eu)
15:07 < kisom> Those commands may be used to port forward
15:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:08 < kisom> just edit the port and host you want to be accessible outside the network
15:08 < kisom> in this case, it will forward port 8000 on the VPN server towards 10.11.0.2:80 on the VGPN
15:08 < kisom> VPN*
15:20 < krzee> kisom, nope, not much of a coder
15:58 -!- Raccoon [bismuth@71-222-232-136.albq.qwest.net] has quit [Ping timeout: 265 seconds]
16:01 -!- Raccoon [bismuth@unaffiliated/raccoon] has joined ##openvpn
16:22 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:27 -!- nclx [~nclx@226.253.103.97.cfl.res.rr.com] has quit [Quit: [BX] I theenk I need a beeger box!]
16:33 -!- Chosi [osxchosi@choseh.de] has quit [Ping timeout: 276 seconds]
16:33 < barfster> Now I can connect to any of the machines on the server side from any of the machines on the client side, but not the other way around. 
16:39 < barfster> What did I do wrong?
16:39 < krzee> barfster, no more talking til you fully read this
16:39 < krzee> !route
16:39 <+vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:40 < barfster> I did that and it made alle nodes from the client side able to connect to all nodes on the server side...
16:40 < krzee> isnt that what you anted?
16:41 < krzee> wanted
16:42 < barfster> Yes
16:43 < barfster> But I would also like all the nodes from the server side to be able to connect to the client side vpn
16:43 < barfster> But I would also like all the nodes from the server side of the vpn to be able to connect to the client side of vpn
16:47 < jetole> Hey guys. I am trying to setup a new openvpn connection. On the same server that is a openvpn server in our office for the tech department, I am also trying to make a client to the openvpn server at our data center but I keep getting "unsupported certificate" errors and "TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed". I have done a clean-all on the server and started again ...
16:47 < jetole> ... from scratch again and I am getting the same thing. I am using rsa certificates with tls authentication and I am not sure where to begin looking to solve this
16:47 < jetole> Can anyone please help?
16:48 < jetole> barfster: that should work. I have that now with TUN and I know it should work with TAP too
16:48 < barfster> tun ourt
16:48 < barfster> tun routed is my setup
16:49 < barfster> jetole: and you follow this howto?  http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 
16:49 <+vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
16:49 < jetole> barfster: k. to be honest, I'm more concerned with my own issues at the moment 
16:49 <@Dougy> hmm
16:49 <@Dougy> i see the announcementw ent out ecrist
16:49 -!- witon [~witon@i.left.my.gf.for.gshellz.org] has joined ##openvpn
16:49 < jetole> barfster: I setup my first openvpn setup over a year ago and I forget the details
16:50 < jetole> barfster: a lot of trial and error
16:50 < barfster> Now it works
16:50 < barfster> Superb!
16:50 < jetole> great. I'm happy for you
16:50 < barfster> Just took about 2 hrs to kick in
16:50 < barfster> I have been shopping last 2 hrs
16:50  * jetole is still scratching his brain over what is wrong with my setup
16:51 < barfster> and some time in between it started to work
16:51 < jetole> amazing
16:51 < barfster> jetole: I am just a noob in this
16:51 < jetole> I noticed. 
16:51 < jetole> I wasn't asking you per se for a solution though if you had one I would be very appreciative
16:51 <@Dougy> krzee: our forum has gone official now
16:52 < jetole> Can anyone help me figure out why I would get "TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL  routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
16:52 < barfster> jetole: But from a logical point of view... I’d say starting all over on making the keys, but more important might be to stop and start the service, probably server first, then the clients
16:52 < jetole>  from a client?
16:53 < jetole> barfster: started over on making the keys a already and I am not running it as a service yet
16:53 < jetole> I am executing it from the console via `openvpn --config file.conf` and disabled logging so I can see the results in real time to the console
16:54 < barfster> jetole: Oh, that’s a neat option.
16:55 <@Dougy> mattock: howdy
16:55 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
16:55 < jetole> barfster: you can in fact run all options from the console without a config file. Take a look at the man page
16:56 < jetole> barfster: if you have logging though, disable it when you run it from the console otherwise it sends it all to the log
17:01 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
17:02 < krzee> Dougy, yup
17:03 < jetole> well now I built my client keys on the client and transferred them to the server and ... oh s    , I forgot about the csr
17:04 < krzee> csr doesnt matter
17:04 < krzee> !pki
17:04 <+vpnHelper> krzee: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert
17:04 <+vpnHelper> krzee: was signed specially as a server (see !servercert)
17:05 <@Dougy> ok woo
17:05 <@Dougy> bought a ps3
17:06 < jetole> krzee: well thats good to know but in this case they were signed by the wrong key since this "client" is also an openvpn server for another scenario
17:07 < krzee> haha
17:16 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
17:17 <@Dougy> hey JPeterson 
17:17 < JPeterson> hi
17:18 < hyper_ch> hi krzee 
17:19 <@Dougy> hey hyper_ch 
17:19 < hyper_ch> hi Dougy
17:19 < hyper_ch> one question: can SonicWall Global VPN Client be used together with an OpenVPN server?
17:19 < hyper_ch> (on windows) or is openvpn client
17:27 < krzee> !notcompat
17:27 <+vpnHelper> krzee: "notcompat" is (#1) ipsec and pptp are NOT compatibile with openvpn... openvpn is uses SSL, pptp and ipsec both use proprietary protocols, and therefor CAN NOT be compatible, or (#2) openvpn only connects to openvpn
17:27 < krzee> #2
17:29 <@Dougy> In total there are 22 users online :: 4 registered, 0 hidden and 18 guests (based on users active over the past 5 minutes)
17:29 <@Dougy> Most users ever online was 24 on 18 Sep 2009 16:06
17:29 <@Dougy> winsauce
17:29 <@Dougy> jesus
17:30 <@Dougy> 27 online now
17:30 <@Dougy> 28
17:31 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:33 < hyper_ch> krzee: :(
17:35 < jetole> Does anyone know what it means if you run `openssl verify -CAfile ca.crt cert.crt` and you are told "error 20 at 0 depth lookup:unable to get local issuer certificate"
17:42 < krzee> means the cert was not signed by that ca
17:45 < |Mike|> re.
17:47 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
17:57 < jetole> krzee: how am I supposed to create the cert and key used by the server? Am I supposed to use ./build-key in easy-rsa?
17:58 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
17:58 < krzee> !pki
17:58 <+vpnHelper> krzee: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert
17:58 <+vpnHelper> krzee: was signed specially as a server (see !servercert)
17:58 < krzee> #1
17:59 < krzee> you do that all at once
17:59 < |Mike|> pain killer incidents!
18:01 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit [Ping timeout: 248 seconds]
18:04 < krzee> !snapshots
18:04 <+vpnHelper> krzee: "snapshots" is (#1) weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn, or (#2) by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch
18:05 <@Dougy> lets see
18:05 <@Dougy> 148 members right now
18:05 <@Dougy> curious how many there are in 12 hours
18:08 -!- barfster [~barf@74.7.197.50] has quit [Quit: Computer has gone to sleep]
18:14 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
18:15 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Quit: krzee]
18:32 -!- Hypnoz [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Ping timeout: 260 seconds]
18:36 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
18:43 -!- witon is now known as witon\aw
18:45 -!- witon\aw is now known as witon
18:46 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
19:05 -!- Ned [~martyn@202-61-3-148.cable5.acsdata.co.nz] has quit [Ping timeout: 240 seconds]
19:05 -!- Ned [~martyn@202-61-3-148.cable5.acsdata.co.nz] has joined ##openvpn
19:38 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Quit: Ctrl-C at console.]
19:38 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
20:07 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has quit [Quit: foo]
20:08 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 240 seconds]
20:26 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
20:30 -!- witon is now known as witon\yey
20:31 -!- witon\yey is now known as witon
21:51 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
21:55 < jetole> krzee: thats what I was doing wrong before, I was using build-key instead of build-key-erver
21:55 < jetole> *build-key-server
22:34 -!- Raccoon` [bismuth@unaffiliated/raccoon] has joined ##openvpn
22:35 -!- Raccoon` [bismuth@unaffiliated/raccoon] has quit [Client Quit]
22:35 -!- Raccoon` [bismuth@unaffiliated/raccoon] has joined ##openvpn
22:35 -!- Raccoon [bismuth@unaffiliated/raccoon] has quit [Read error: Connection reset by peer]
22:35 -!- Raccoon` is now known as Raccoon
22:46 -!- witon [~witon@i.left.my.gf.for.gshellz.org] has left ##openvpn []
22:49 -!- darkwind [~bpayne@rrcs-70-61-50-54.central.biz.rr.com] has joined ##openvpn
22:49 < darkwind> Hiya folks.
22:51 < darkwind> I looked a little while back (still this year), and it wasn't exactly possible then...
22:51 < darkwind> Regarding IPv6, is it possible to create a remote-access IPv6 VPNwith OpenVPN at this time?
22:51 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
23:14 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
23:14 -!- SOG [~SOG@61.144.230.241] has quit [Remote host closed the connection]
23:15 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
23:28 < krzee> over ipv6 transport layer or giving out ipv6 ips?
23:28 < krzee> --server-ipv6 and friends exist in testing branch
23:29 < krzee> !snapshots
23:29 < vpnHelper> krzee: "snapshots" is (#1) weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn, or (#2) by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch
23:29 < krzee> !ipv6
23:29 < vpnHelper> krzee: "ipv6" is (#1) http://www.greenie.net/ipv6/openvpn.html for ipv6 payload patch (adds some nice ipv6 options), or (#2) see !snapshots for a release with ipv6 patches in it, report how it works to help it get included in a stable release
23:35 -!- harsha [~harsha@203.92.58.162] has quit [Ping timeout: 276 seconds]
23:36 -!- harsha [~harsha@122.181.19.210] has joined ##openvpn
23:38 -!- tjz_ [~pc@bb116-14-173-172.singnet.com.sg] has quit [Quit: bbl.]
23:38 -!- barfster [~barf@12.53.212.74] has joined ##openvpn
23:41 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has quit [Remote host closed the connection]
23:46 -!- Raccoon [bismuth@unaffiliated/raccoon] has quit [Ping timeout: 272 seconds]
23:49 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
23:51 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
--- Day changed Sat Aug 14 2010
00:08 < hyper_ch> !easyrsa
00:08 < vpnHelper> hyper_ch: Error: "easyrsa" is not a valid command.
00:09 < hyper_ch> !easy-rsa
00:09 < vpnHelper> hyper_ch: Error: "easy-rsa" is not a valid command.
00:09 < hyper_ch> !howto
00:09 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
00:19 -!- Raccoon [bismuth@unaffiliated/raccoon] has joined ##openvpn
01:13 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: Connection reset by peer]
01:24 -!- Varazir [mircwars@c-94-255-129-218.cust.bredband2.com] has joined ##openvpn
01:25 < Varazir> !welcome
01:25 < vpnHelper> Varazir: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:26 < Varazir> Is this channel only for the community version ? 
01:28 < Varazir> Second question the new forum do I have to create a new account or can I login with the one I'm using on http://www.openvpn.net/ ? 
01:28 < vpnHelper> Title: OpenVPN - Open Source VPN (at www.openvpn.net)
01:28 -!- Raccoon [bismuth@unaffiliated/raccoon] has quit [Ping timeout: 258 seconds]
01:31 < Bushmills> Varazir: yes
01:31 -!- Raccoon [bismuth@unaffiliated/raccoon] has joined ##openvpn
01:31 < Bushmills> Varazir: 2nd: no idea
01:32 < Bushmills> !as
01:32 < vpnHelper> Bushmills: "as" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server
01:32 < vpnHelper> Bushmills: configurations options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
01:32 < Varazir> Bushmills: okay thanks 
01:34 < Varazir> I tried the community version some time back but I feelt was pain to setup new accounts etc so when I saw AS started to use it due to it was easy to setup and admin 
01:34 < Varazir> Well I was to ask for mattock or ecrist  if I hade problem loging in to the new forum 
01:40 < ecrist> hola
01:40 -!- SOG [~SOG@61.144.230.241] has quit [Quit: SOG]
01:40 < ecrist> Varazir: did you register for new account?
01:40 < ecrist> https://community.openvpn.net/pwm/
01:40 < vpnHelper> Title: OpenVPN user account management service (at community.openvpn.net)
01:41 < Varazir> ecrist: no I haven't I thought I could use the one from the main site 
01:41 < Varazir> after some reading 
01:41 < Varazir> I have a account on openvpn.net/pwm/
01:41 < Varazir> -pwm 
01:41 < ecrist> ok
01:41 < ecrist> no, make sure  your account exists at pwm
01:42 < Varazir> so I have to create a new account for the forum ? 
01:43 < Varazir> the forum isn't connected to http://www.openvpn.net/ ? 
01:43 < vpnHelper> Title: OpenVPN - Open Source VPN (at www.openvpn.net)
01:43 < ecrist> no, it's connected to all the 'community' stuff
01:43 < Varazir> ahh ok 
01:45 -!- tessier [~treed@kernel-panic/copilotco] has quit [Ping timeout: 265 seconds]
02:36 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
03:00 -!- Raccoon [bismuth@unaffiliated/raccoon] has quit [Read error: Connection reset by peer]
03:00 -!- Raccoon [bismuth@unaffiliated/raccoon] has joined ##openvpn
03:03 -!- dazo_afk [~dazo@nat/redhat/x-qsbdlznwtfijydfx] has quit [Ping timeout: 265 seconds]
03:06 -!- dazo_afk [~dazo@nat/redhat/x-xbhewlxohgxsnmuo] has joined ##openvpn
03:06 -!- mode/##openvpn [+o dazo_afk] by ChanServ
03:28 -!- barfster [~barf@12.53.212.74] has quit [Quit: Computer has gone to sleep]
03:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:40 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 265 seconds]
03:44 -!- Raccoon [bismuth@unaffiliated/raccoon] has quit [Ping timeout: 255 seconds]
03:50 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
03:59 -!- Raccoon [bismuth@71-222-232-136.albq.qwest.net] has joined ##openvpn
03:59 -!- Raccoon [bismuth@71-222-232-136.albq.qwest.net] has quit [Changing host]
03:59 -!- Raccoon [bismuth@unaffiliated/raccoon] has joined ##openvpn
03:59 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:10 -!- gorkhaan [~gorkhaan@adsl-101-194.globonet.hu] has joined ##openvpn
04:30 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Quit: No Ping reply in 90 seconds.]
04:30 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
04:44 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
04:44 -!- mode/##openvpn [+o mattock] by ChanServ
04:57 -!- takamichi [~pri@c7-97-123.keyworld.net] has quit [Read error: Connection reset by peer]
04:57 -!- takamichi [~pri@c7-97-123.keyworld.net] has joined ##openvpn
06:18 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit [Ping timeout: 248 seconds]
06:19 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:26 -!- Cain` [~Geek@unaffiliated/cain] has joined ##openvpn
06:28 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
06:28 -!- Cain` is now known as Cain
06:28 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
06:52 -!- dazo_h [~dazo@ip4-83-240-69-215.cust.nbox.cz] has joined ##openvpn
06:52 -!- dazo_h [~dazo@ip4-83-240-69-215.cust.nbox.cz] has quit [Read error: Connection reset by peer]
07:03 -!- barfster [~barf@12.53.212.74] has joined ##openvpn
07:05 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
07:05 -!- mode/##openvpn [+o mattock] by ChanServ
07:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:15 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Quit: Yes, Virginia...]
07:19 -!- takamichi [~pri@c7-97-123.keyworld.net] has quit [Ping timeout: 240 seconds]
07:21 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
07:24 -!- takamichi [~pri@pm303-98-27.keyworld.net] has joined ##openvpn
07:27 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit [Ping timeout: 240 seconds]
07:30 -!- barfster [~barf@12.53.212.74] has quit [Quit: Get MacIrssi - http://www.sysctl.co.uk/projects/macirssi/]
07:46 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 246 seconds]
07:49 -!- blackpenguin [~bp@gnuffy.net] has joined ##openvpn
07:49 -!- blackpenguin [~bp@gnuffy.net] has quit [Changing host]
07:49 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
07:51 -!- miris [~Miris@217-112-164-88.cust.avonet.cz] has joined ##openvpn
07:52 < miris> Hello guys. Could anyone give me a hint on how to set static virtual IP addressed for connecting clients?
07:53 < miris> I tried doing it the "ipp.txt" way but it does not seem to be working. My clients are getting different virtual IP addresses.
07:55 < Bushmills> !ccd
07:55 < vpnHelper> Bushmills: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
07:55 < Bushmills> push "ifconfig.."
07:56 < miris> Oh, alright. So the syntax would be, I assume:
07:56 < miris> push "ifconfig 172.17.10.2 255.255.255.0"
07:56 < miris> right?
07:58 < Bushmills> sorry,  ifconfig-push , i meant
07:59 < miris> I also found some info about the syntax being different for Windows and Linux clients but I guess it is all the same: ifconfig-push [desired IP address] [netmask]
08:00 < Bushmills> that looks right
08:00 < miris> No matter whether using TAP or TUN?
08:00 < Bushmills> though it should be   ifconfig-push <ip addr> <netmask>
08:01 < Bushmills> parameters are not optional
08:01 -!- clyons [~clyons@unaffiliated/clyons] has joined ##openvpn
08:01 < miris> cool, thank you for your help
08:13 -!- miris1 [~Miris@217-112-164-88.cust.avonet.cz] has joined ##openvpn
08:13 -!- miris1 [~Miris@217-112-164-88.cust.avonet.cz] has left ##openvpn []
08:15 -!- miris [~Miris@217-112-164-88.cust.avonet.cz] has quit [Ping timeout: 246 seconds]
08:24 -!- bluethundr [~bluethund@pool-98-109-86-20.nwrknj.fios.verizon.net] has joined ##openvpn
08:28 < bluethundr> when I try to start openvpn client on the command line (linux) it fails: http://pastie.org/1092014
08:28 < bluethundr> I'm pretty sure I setup my conf file correctly, but I seem to be missing something: http://pastie.org/1092013
08:29 < bluethundr> can someone point me to what I need to add to this conf file to get it working?
08:31 < Bushmills> just read again what you typed (and pasted)
08:32 < Bushmills> also, the error message on second line makes it rather clear, IMHO, what the problem is
08:34 < Bushmills> and yes, you seem to be missing something, indeed: the capacity to figure out what the problem is before shouting for help
09:25 -!- BrainBox [ashghg@CPE0022b0ccad50-CM00169242a0ee.cpe.net.cable.rogers.com] has joined ##openvpn
09:26 < BrainBox> hey is it possible to force people connecting to my vpn server to go to a certain webpage or portal ?
09:39 < Bushmills> you can't force people to use a web browser at all
09:39 < Bushmills> what if somebody only connects to ping your vpn server?
09:41 < kisom> BrainBox: yes, it is.
09:42 < kisom> its called a captive portal, and openvpn itself has no built-in support for it. you need to use your operative systems firewall to do so
09:42 < kisom> mine looks like this -> https://ck3r.org/StoRo-logon/
09:42 < vpnHelper> Title: StormRoute (at ck3r.org)
09:51 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 252 seconds]
10:15 < BrainBox> pfsense might be a good idea then 
10:15 < BrainBox> has built in captive portal i believe
10:16 < BrainBox> and it uses openvpn 
10:16 < kisom> pfsense is bad.
10:16 < kisom> i've found several critical bugs in their code, even submitted patches
10:16 < kisom> they didn't care.
10:17 < kisom> i wouldn't use pfsense for any critical systems
10:32 < BrainBox> hmm what would u recommend?
10:32 < BrainBox> needs to be simple
10:33 < kisom> As far as I know, there are no "out of the box" captive portals.
10:35 < kisom> Using netfilter, you can easily write your own captive portal in a few hours...
10:39 < BrainBox> hmm
10:40 < BrainBox> Ill play with it see what i can come up with i guess
10:40 -!- BrainBox [ashghg@CPE0022b0ccad50-CM00169242a0ee.cpe.net.cable.rogers.com] has quit []
10:43 -!- Dhaber [435033e6@gateway/web/freenode/ip.67.80.51.230] has joined ##openvpn
10:43 < Dhaber> ecrist: 
10:43 < Dhaber> alarm alarm alarm
10:43 < Dhaber> ping
10:44 < kisom> Dhaber: Whats up?
10:44 < kisom> Or rather, what broke? :)
10:44 < Dhaber> foru
10:44 < Dhaber> m
10:44 < Bushmills> chilispot / pepperspot may do, though they're targetted for wlan hotspots
10:44 < Dhaber> actually
10:44 < Dhaber> appears to have semi self corrected
10:45 < kisom> Chilispot is not supported as far as i know, dead projekt...
10:45 < kisom> Last update 2007 :)
10:45 < Dhaber> projekt
10:45 < Dhaber> kisom: german?
10:45 < kisom> Swedish.
10:45 < Dhaber> damnit
10:45 < Dhaber> close
10:46 < kisom> Yeah, I do mix words together some times.
10:46 < Dhaber> hehe]
10:47 < Dhaber> !forum @ all
10:47 < vpnHelper> Dhaber: Error: "forum" is not a valid command.
10:47 < Dhaber> !forum
10:47 < vpnHelper> Dhaber: "forum" is The official OpenVPN support forum is available at http://forums.openvpn.net
10:47 < Dhaber> @ all
10:47 < Dhaber> wow freenode's webchat is actually pretty nice..
10:49 -!- gorkhaan [~gorkhaan@adsl-101-194.globonet.hu] has quit [Quit: Távozom]
10:58 -!- Dhaber [435033e6@gateway/web/freenode/ip.67.80.51.230] has quit [Ping timeout: 252 seconds]
10:58 -!- kajl [~kyle@80.67.14.16] has quit [Remote host closed the connection]
11:00 -!- kyle___ [~kyle@80.67.14.16] has joined ##openvpn
11:36 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 255 seconds]
11:38 -!- killown [~killown@unaffiliated/killown] has quit [Read error: Connection reset by peer]
11:44 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
11:45 -!- mmu_screen [~revol@ns366953.ovh.net] has joined ##openvpn
11:45 -!- mmu_screen [~revol@ns366953.ovh.net] has left ##openvpn []
12:02 -!- SOG [~SOG@222.125.202.173] has quit [Quit: I will be back!]
12:03 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
12:10 -!- SOG [~SOG@222.125.202.173] has quit [Quit: I will be back!]
12:10 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
12:21 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
12:24 -!- mmu_screen [~revol@ns366953.ovh.net] has joined ##openvpn
12:24 -!- mmu_screen [~revol@ns366953.ovh.net] has left ##openvpn []
12:33 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
12:44 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
12:45 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:20 -!- spq` [spq@user.unregistered.de] has joined ##openvpn
13:21 < spq`> hello, i use openvpn to connect to a remote network - this network provides a default route - but i only want to use it for one subnet - else my open connections are closed
13:21 < spq`> how to configure this on client side (no control over server side)
13:22 < Bushmills> insert or remove   redirect-gateway  in client config.  don't let server push it 
13:22 < Bushmills> ah.  remove the route, after it was pushed.  reinstate the previous default route
13:23 < spq`> hmm
13:23 < spq`> can this be done with a script?
13:23 < Bushmills> yes
13:23 < spq`> (client is windows)
13:23  * Bushmills googles this funny term "windows"
13:24 < spq`> :)
13:25 < Bushmills> ah.  with version 3.11 or windows 95, so called "batch files" can be used as scripts.
13:25 < spq`> ;)
13:25 < spq`> i think they still support it in later versions :P
13:26 < spq`> i have dev tap in my cconfig - that means i have real ethernet frames exchanged - right?
13:27 < spq`> so i got the ip data from an real dhcp server not openvpn itself, right?
13:27 < Bushmills> that should be the case. but i don't run any bridged config myself, so my hypothesis is as good as yours
13:29 < spq`> i hate that my university only provides this damn config where all my open connections get closed when i have to access a service only available from university network
13:29 < spq`> well good that they use openvpn instead of some closed stuff
13:33 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
13:42 < hyper_ch> hi Bushmills
13:43 < Bushmills> hi hyper_ch
13:44 < hyper_ch> Bushmills: trying to get a win7 client into the openvpn netwrok and I'm failing at http://pastebin.com/3iFCnVMy
13:44 < Bushmills> route? or tap refusing to come up?
13:45 < hyper_ch> Bushmills: what do you mean?
13:45 < Bushmills> ah. try  10.0.8.3 and 10.0.8.2,for example
13:45 < Bushmills> .3 and .4 are not in the same /30 net
13:45 < hyper_ch> ah ok :)
13:46 < Bushmills> or  .4 and .5
13:47 < hyper_ch> Bushmills: still no luck
13:47 < hyper_ch> Bushmills: the linux clients use 4,5  and 6,7  and 8,9
13:48 < hyper_ch> tried now 2,3 and 10,11 on windows
13:48 < Bushmills> i push ifconfig-push 10.86.80.130 10.86.80.129  to a win7 client successfully
13:49 < hyper_ch> hmmm
13:49 < hyper_ch> Bushmills: 130,129
13:49 < hyper_ch> worked
13:49 < hyper_ch> maybe the bigger one must come first for win7?
13:50 < Bushmills> i don't think so. but when i got win to accept the addresses, i stopped changing it and left it the way it was
13:51 < hyper_ch> well, those work for me now also
13:53 < Bushmills> those addresses are that high because i have divided the /24 vpn subnet into two /25 nets packet filter side
13:54 < Bushmills> the division essentially distinguishes own machines from foreign machines
13:56 < hyper_ch> well, setup a hp proliant dl360 server with ubuntu and got openvpn to run on windows :)
13:56 < hyper_ch> I think I've done enough work for today :)
14:12 < kisom> Anyone else noticed that sometimes Windows 7 machines does not get a correct ip address assigned on the TAP adapter? It gets one of those 169.254 private addressess...
14:14 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
14:36 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Ping timeout: 252 seconds]
14:51 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
14:58 -!- bluethundr [~bluethund@pool-98-109-86-20.nwrknj.fios.verizon.net] has quit [Remote host closed the connection]
15:07 < jetole> Hey guys. I have openvpn working as a client on one machine and that machine already does packet forwarding since it's currently also another vpn server and a firewall for several vlans however, none of my hosts on the lan who use this machine as a default gateway are able to send to the other side of the vpn link. Can someone post a link on what I should read?
15:13 < jetole> nevermind. found it: http://openvpn.net/index.php/open-source/documentation/howto.html#scope
15:13 < vpnHelper> Title: HOWTO (at openvpn.net)
15:21 -!- brah [~brah@186.125.74.117] has joined ##openvpn
15:33 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
15:40 -!- brah [~brah@186.125.74.117] has quit [Remote host closed the connection]
15:42 -!- dst_ [~dst@186.125.74.117] has joined ##openvpn
15:42 -!- dst_ [~dst@186.125.74.117] has quit [Client Quit]
15:43 -!- brah [~brah@186.125.74.117] has joined ##openvpn
15:53 -!- takamichi [~pri@pm303-98-27.keyworld.net] has quit [Ping timeout: 240 seconds]
16:03 -!- takamichi [~pri@pm303-98-27.keyworld.net] has joined ##openvpn
16:18 -!- Raccoon [bismuth@unaffiliated/raccoon] has quit [Ping timeout: 255 seconds]
16:23 -!- Raccoon [bismuth@71-222-232-136.albq.qwest.net] has joined ##openvpn
16:40 -!- Dougy_ [435033e6@gateway/web/freenode/ip.67.80.51.230] has joined ##openvpn
16:40 < Dougy_> hm
16:40 < Dougy_> ecirst around?
16:40 < Dougy_> ecrist
16:41 -!- Raccoon [bismuth@71-222-232-136.albq.qwest.net] has quit [Ping timeout: 240 seconds]
16:44 < kisom> INJ SOVIET RUSSIA...
16:44 < kisom> in*
16:44 < kisom> http://www.youtube.com/watch?v=GTvHwlmuxgs
16:44 < vpnHelper> Title: YouTube - алкоголик drunk bird alcoholic (at www.youtube.com)
16:58 -!- Raccoon [bismuth@unaffiliated/raccoon] has joined ##openvpn
17:21 -!- Raccoon [bismuth@unaffiliated/raccoon] has quit [Ping timeout: 258 seconds]
17:22 -!- Raccoon [bismuth@unaffiliated/raccoon] has joined ##openvpn
18:01 -!- meepmeep_ [meepmeep@there-is-no.endoftheinternet.org] has quit [Read error: Operation timed out]
18:02 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
18:11 -!- killown [~killown@unaffiliated/killown] has quit [Ping timeout: 265 seconds]
18:21 -!- Dougy_ [435033e6@gateway/web/freenode/ip.67.80.51.230] has quit [Ping timeout: 252 seconds]
18:30 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
19:37 -!- p3rror [~Ali@2001:0:53aa:64c:c08:6156:3b31:a7be] has joined ##openvpn
19:37 < p3rror> hello
19:38 < p3rror> i setup a openvpn server on a VPS
19:38 < kisom> Hey
19:38 < p3rror> and i've set redirect-gateway def1
19:38 < p3rror> in the client side
19:39 < p3rror> i still enable to route traffic to the openvpn server and i get this error message "NOTE: unable to redirect default gateway -- Cannot read current default gateway from system"
19:39 < kisom> I'm not 100% sure, but im most certain that redirect-gateway can only be set on the server side and pushed to clients
19:40 < p3rror> right that what i did
19:41 < p3rror> no need to set redirect-gateway in client side !!
19:41 < kisom> does your clients pull from the server?
19:43 < p3rror> what do you mean, can you explain
19:43 < p3rror> all i need is to set defaut gateway on client
19:43 < p3rror> and that what redirect-gateway def1 does
19:44 < kisom> your clients should have "pull" in their config files, while the server should have "redirect-gateway def1"
19:45 < p3rror> i never use pul directive
19:47 < p3rror> kisom,  still have the same error
19:48 < p3rror>  NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
19:48 < kisom> do you have a default gateway in your routing table?
19:49 < p3rror> in which side 
19:49 < kisom> the client
19:49 < p3rror> in client side yep, default dev ppp0
19:50 < kisom> OK, i have no idea about point to point and openvpn...
19:51 < p3rror> kisom, OK thanks 
19:51 < kisom> (i spent most of the time playing WoW when we were reading about PPP in university :)
19:55 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
20:16 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
20:23 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
20:29 -!- p3rror [~Ali@2001:0:53aa:64c:c08:6156:3b31:a7be] has quit [Ping timeout: 248 seconds]
20:32 -!- p3rror [~Ali@2001:0:53aa:64c:c08:6156:3b31:a7be] has joined ##openvpn
20:36 -!- barfster [~barf@0127ahost2.starwoodbroadband.com] has joined ##openvpn
20:36 < barfster> How can I add more client certificates?
20:37 < barfster> I tried to go into the easy-rsa/2.0 folder and type: ./build-key client2
20:38 < barfster> But it gives me an error
20:38 < barfster> of some kind
20:39 < barfster> http://paste.pocoo.org/show/250291/
20:40 -!- WormFood [~wormfood@183.38.15.252] has joined ##openvpn
20:44 < WormFood> why would I have suddenly started getting messages that say "OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options" on a system that was previously working fine? (neither the server nor the client have changed, and other clients continue to work fine with the server)
20:45 < WormFood> and of course, google is no help to my problem
20:47 -!- pegg [~pegg@208.73.74.116] has joined ##openvpn
20:47 < pegg> what would happen if the client IP changes?   
21:01 -!- naquad [~naquad@174.142.224.219] has quit [Ping timeout: 245 seconds]
21:14 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
21:28 -!- barfster [~barf@0127ahost2.starwoodbroadband.com] has quit [Quit: Computer has gone to sleep]
21:57 -!- pegg [~pegg@208.73.74.116] has quit [Ping timeout: 260 seconds]
22:33 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 276 seconds]
22:41 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has joined ##openvpn
22:56 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Remote host closed the connection]
22:57 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Read error: Operation timed out]
22:57 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Read error: Operation timed out]
22:57 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
23:00 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
23:27 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
--- Day changed Sun Aug 15 2010
00:23 -!- p3rror [~Ali@2001:0:53aa:64c:c08:6156:3b31:a7be] has quit [Ping timeout: 248 seconds]
00:23 -!- p3rror [~Ali@2001:0:53aa:64c:c08:6156:3b31:a7be] has joined ##openvpn
00:53 -!- p3rror [~Ali@2001:0:53aa:64c:c08:6156:3b31:a7be] has quit [Ping timeout: 248 seconds]
00:54 -!- p3rror [~Ali@2001:0:53aa:64c:c08:6156:3b31:a7be] has joined ##openvpn
01:04 -!- p3rror [~Ali@2001:0:53aa:64c:c08:6156:3b31:a7be] has quit [Ping timeout: 248 seconds]
01:15 -!- p3rror [~Ali@2001:0:53aa:64c:34c8:6156:26e8:fb0d] has joined ##openvpn
02:51 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
02:52 -!- mode/##openvpn [+o mattock] by ChanServ
03:04 -!- miris [~Miris@217-112-164-88.cust.avonet.cz] has joined ##openvpn
03:07 < miris> Hi guys. I have issues setting my VPN. It works on my server but for some reason I cannot force my Windows client to connect on 172.17.10.100 while my server is at 172.17.10.1. The log says I am out of range and need to be using the subnet mask 255.255.255.252. I don't understand the intsructions though. Is there a way to be able to use the IP 172.17.10.100 even for the Windows client?
03:08 < miris> On the server I have a CCD file for my client which says this: "ifconfig-push 172.17.10.100 172.17.10.1"
03:11 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit [Ping timeout: 252 seconds]
03:37 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:46 -!- miris [~Miris@217-112-164-88.cust.avonet.cz] has left ##openvpn []
03:55 -!- jwm [jwm@dev.dist.us] has quit [Ping timeout: 245 seconds]
04:07 -!- jwm [jwm@74.208.185.36] has joined ##openvpn
04:13 -!- gorkhaan [~gorkhaan@adsl-101-194.globonet.hu] has joined ##openvpn
04:26 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
04:26 < theDoc> raidz, if you're around. ^^
04:26 < theDoc> Need to file a possible bug report on AS.
04:32 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Leaving]
05:04 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
05:04 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
05:19 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
05:42 -!- JodaZ_ [~JodaZ@ns302312.ovh.net] has joined ##openvpn
05:43 -!- JodaZ [~JodaZ@ns302312.ovh.net] has quit [Ping timeout: 245 seconds]
05:56 -!- buk [~buk@opensuse/member/bukhi] has joined ##openvpn
05:57 < buk> Hey folks, anyone running the openvpn-gui within win7/32?
05:57 < buk> having issues adding routes when connecting
06:03 < reiffert> I'm launching the openvpn-gui with administrative rights, so openvpn can add routes etc.
06:04 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:04 < buk> reiffert: I'm doing that as well
06:04 < reiffert> Ah, the /30 problem?
06:07 < buk> ok, fixed it: add some arguments to the config file
06:07 < buk> route-method exe and route-delay 2
06:07 < reiffert> Welcome
06:08 < kisom> http://games.slashdot.org/story/10/08/15/046250/Blizzard-Sues-Private-Server-Company-Awarded-88M
06:08 < vpnHelper> Title: Slashdot Games Story | Blizzard Sues Private Server Company, Awarded $88M (at games.slashdot.org)
06:08 < kisom> Sick
06:09 < kisom> Only in the US... over here they would have just gotten a slap on their fingers and "dont do it again"
06:10 < buk> 85 millions in damages?
06:12 < kisom> For running a reverse engineered server
06:12 < kisom> With not a single line of code stolen from blizzard...
06:13 < reiffert> http://www.google.de/search?hl=de&client=firefox-a&hs=qAH&rls=org.mozilla:de:official&&sa=X&ei=xctnTN2kIM-fONmQwbgF&ved=0CBUQBSgA&q=intellectual+property+blizzard&spell=1
06:13 < vpnHelper> Title: intellectual property blizzard - Google-Suche (at www.google.de)
06:13  * buk heads off, bye
06:13 -!- buk [~buk@opensuse/member/bukhi] has left ##openvpn ["*fump*"]
06:15 < kisom> If blizzard just did some public/private crypto in the client it would be a lot harder :)
06:16 < kisom> Besides, the WoW client is pretty insecure. It allows remote code execution without any type of validation that it is talking to blizzard
06:16 < reiffert> Harder finding function adresses where they get back the decoded stuff with a kernel debugger? No.
06:17 < kisom> Well as of now, you do not need to modify your game in any way to play on private servers... Just connect to another IP address than blizzards and you are on.
06:18 < kisom> But yes, it would be possible to change the public key supplied in the binaries, but it would still make it harder ;)
06:21 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
06:22 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
06:27 -!- Cain` [~Geek@unaffiliated/cain] has joined ##openvpn
06:28 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
06:28 -!- Cain` is now known as Cain
06:58 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
07:39 -!- SOG [~SOG@222.125.202.173] has quit [Ping timeout: 276 seconds]
07:53 -!- Ruby{Fan} [4f88791e@gateway/web/freenode/ip.79.136.121.30] has joined ##openvpn
07:55 -!- gorkhaan [~gorkhaan@adsl-101-194.globonet.hu] has quit [Quit: Távozom]
08:03 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
08:06 -!- barfster [~barf@0127ahost2.starwoodbroadband.com] has joined ##openvpn
08:30 -!- Ruby{Fan} [4f88791e@gateway/web/freenode/ip.79.136.121.30] has quit [Quit: Page closed]
08:31 -!- Ruby{Fan} [4f88791e@gateway/web/freenode/ip.79.136.121.30] has joined ##openvpn
08:49 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
09:01 -!- star314 [~star314@starnet1.sinh.us] has joined ##openvpn
09:03 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
09:13 < ecrist> Dougy: I've resolved those post issues.
09:15 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
09:24 -!- star314 [~star314@starnet1.sinh.us] has quit [Quit: Leaving]
09:45 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection reset by peer]
09:53 -!- sparc-kly [~mubex@adsl-64-237-249-170.prtc.net] has joined ##openvpn
09:59 -!- Ruby{Fan} [4f88791e@gateway/web/freenode/ip.79.136.121.30] has quit [Ping timeout: 252 seconds]
10:05 -!- barfster [~barf@0127ahost2.starwoodbroadband.com] has quit [Quit: Get MacIrssi - http://www.sysctl.co.uk/projects/macirssi/]
10:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:53 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
10:58 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
11:07 -!- p3rror [~Ali@2001:0:53aa:64c:34c8:6156:26e8:fb0d] has quit [Ping timeout: 248 seconds]
11:07 -!- icewaterman [sjduUO@unaffiliated/icewaterman] has joined ##openvpn
11:08 < icewaterman> hi, i have a question about my openvpn setup. i have setup a bridged vpn, the connection gets established, the tap device is attached to the bridge, but i cannot ping to hosts on the other side. no iptables filter is interfering
11:08 < icewaterman> any idea what else might go wrongß
11:09 <@Dougy> hi
11:09 <@Dougy> ecrist: thank you sir
11:10 <@Dougy> ecrist: i spoke to someone from the openvpn team, they emailed me and were like yo change the forum email so i set it to forums@openvpn.net instead of my personal
11:10 < |Mike|> smart choise :-)
11:12 < icewaterman> any idea how i could debug my bridge-vpn issue?
11:20 -!- p3rror [~Ali@2001:0:53aa:64c:28b4:6156:3b31:b344] has joined ##openvpn
11:20 <@Dougy> hm
11:26 -!- p3rror [~Ali@2001:0:53aa:64c:28b4:6156:3b31:b344] has quit [Ping timeout: 248 seconds]
11:34 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
11:45 -!- star314 [~star314@starnet1.sinh.us] has joined ##openvpn
11:45 < icewaterman> found the problem myself
11:46 -!- star314 [~star314@starnet1.sinh.us] has quit [Remote host closed the connection]
11:47 -!- icewaterman [sjduUO@unaffiliated/icewaterman] has left ##openvpn []
12:01 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
12:02 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
12:04 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
12:07 -!- barfster [~barf@0127ahost2.starwoodbroadband.com] has joined ##openvpn
12:10 < barfster> Is it hard to make an interface in the network interface setup of System Preferences in Mac OS X? Is there a sample code anywhere? I would like to add OpenVPN
12:14 < barfster> I have seen TunnelBlick and question why it’s a separate application and not just an interface in Mac OS X.
12:22 < barfster> I would like to port Tunnelblick( http://code.google.com/p/tunnelblick/ ) to a Mac OS X network interface either to add OpenVPN to this list of interfaces ( https://hdc.tamu.edu/files/book/6/932/02-106-vpn.jpg ) or to this this list of VPN flavours( https://hdc.tamu.edu/files/book/6/932/03-106-vpn.jpg )
12:22 < vpnHelper> Title: tunnelblick - Project Hosting on Google Code (at code.google.com)
12:23 < barfster> That part of the source is available
12:31 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
12:32 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
12:36 < barfster> Anyone awake?
12:36 < barfster> I need to make more keys for my setup
12:38 < barfster> But it tells me some sort of error: 
12:38 < barfster> Do I have to make all the keys all over when I want new keys?
12:39 < kisom> no
12:39 < kisom> you can make new keys with build-key
12:41 < barfster> But it’s telling me: source it with "source ./vars".
12:41 < barfster> And I did that a week ago
12:41 < barfster> And then: ./clean-all"
12:41 < barfster> If I do . ./vars
12:42 < barfster> it runs 
12:42 < barfster> but are these keys still valid?
12:42 < kisom> you need to do . ./vars each time you log on.
12:42 < kisom> it will set up your environmental variables
12:42 < barfster> Thanks
12:42 < barfster> Then if I skip clean-all
12:42 < barfster> I will be able to add keys?
12:42 < kisom> dont run clear-all
12:42 < barfster> I did not
12:42 < barfster> I just made client2
12:42 < kisom> ok, good :)
12:42 < kisom> then it should be working
12:43 < barfster> My question is if client2 will run with client1 and sever?
12:43 < barfster> SUperb!
12:43 < barfster> Thanks
12:43 < kisom> uh
12:43 < kisom> im pretty lost on what you mean
12:43 < kisom> the server will accept as many client as connects
12:43 < barfster> I made server and client1 keys 3 days ago
12:43 < barfster> and now I am out travelling
12:43 < barfster> and would like to make myself a travelkey: client2
12:43 < kisom> ok, go ahead
12:44 < barfster> I guess what I am doing now . ./vars
12:44 < barfster> and build key will still be of the same seed
12:44 < barfster> as the previously made keys
12:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
13:11 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:12 -!- bandini [~bandini@host247-25-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
13:32 -!- Chaze [~Chase@dslb-084-059-063-250.pools.arcor-ip.net] has joined ##openvpn
13:34 < Chaze> Hi there. I want to use openvpn to tunnel through http.
13:34 < Chaze> i'm using push "redirect-gateway"
13:34 < Chaze> pinging the server works fine, but for some reason i cannot get out
13:34 < Chaze> is there anything i need to have set for "redirect-gateway"?
13:38 < Chaze> i guess i'm being very vague here, i'd be glad if you could point me to some resource that tells me how to set up a server that works as a gateway to the internet
13:41 < Bushmills> !redirect
13:41 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:41 < Bushmills> Chaze: ^^^
13:41 < Chaze> thanks
13:41 < Chaze> !def1
13:41 < vpnHelper> Chaze: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
13:45 < Chaze> btw, is OpenVPN a good choice when I only need to do this, or is there something more suitable out there, for this task?
13:47 < Chaze> i'm going to try some more, don't answer if i'm gone :P
13:51 < Chaze> !ipforward
13:51 < vpnHelper> Chaze: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
13:52 < Chaze> !winipforward
13:52 < vpnHelper> Chaze: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
13:53 < kisom> oh
13:53 < kisom> i didn't even know xp supported packet forwarding
13:53 < Chaze> do i need IP forwarding on the server or client?
13:53 < Chaze> i'm running the openvpn server on linux
13:53 < Chaze> with windows clients connecting to it
13:54 < kisom> on the server only.
13:54 < Chaze> ok
13:54 < Chaze> !linipforward
13:54 < vpnHelper> Chaze: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
13:55 < Chaze> still nothing :(
13:56 < Chaze> !nat
13:56 < vpnHelper> Chaze: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
13:56 < Chaze> !linnat
13:56 < vpnHelper> Chaze: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
13:57 < Chaze> is this irc bot the only resource for this?
14:00 < Chaze> i can't believe it, that did the trick
14:00 < Chaze> whoever wrote that bot, kudos :)
14:01 < kisom> Chaze: There's lots in the documentation and tutorials on the site
14:02 < Chaze> kisom: i probably just didn't know what to search for
14:02 < Chaze> the valuable piece of information here was in !redirect
14:02 < Chaze> so yeah, thanks for that
14:02 < kisom> :)
14:04 < Chaze> does openvpn need to run as root?
14:04 < kisom> Both yes and no
14:05 < kisom> You need to run it as root in order to create the TUN/TAP interface
14:05 < Chaze> !root
14:05 < vpnHelper> Chaze: Error: "root" is not a valid command.
14:05 < kisom> Other than that, it does not need to run as root.
14:05 < Chaze> there's some option to revoke root rights, i think
14:05 < Chaze> i remember something like that
14:05 < kisom> yeah, sec
14:05 < kisom> Set "user" and "group"
14:05 < kisom> and it will downgrade to that account once the interface is set up
14:06 < kisom> !user
14:06 < vpnHelper> kisom: (user [<channel>] <name>) -- Returns the last time <name> was seen and what <name> was last seen saying. This looks up <name> in the user seen database, which means that it could be any nick recognized as user <name> that was seen. <channel> is only necessary if the message isn't sent in the channel itself.
14:06 < Chaze> i found it in the sample config
14:07 < Chaze> it said something about revoking the rights of the daemon. didn't set it because i'm not running it as a daemon atm
14:07 < kisom> hmm
14:07 < kisom> neither am i...
14:07 < kisom> "Change the user ID of the OpenVPN process to user after initialization, dropping privileges in the process."
14:08 < Chaze> well, now that i am all set up, i can rent a v-server
14:08 < Chaze> any recommendations on servers in the US?
14:08 < kisom> No ideas, i host my own servers :)
14:08 < Chaze> physically?
14:08 < kisom> Yes
14:09 < kisom> We have somewhat better internet backbone over here in sweden so its fine having servers at home :)
14:09 < Chaze> i though about setting up some old machine for this purpose
14:09 < kisom> yeah, do it
14:09 < Chaze> but i'm located in germany. and i need to tunnel to the free internet from japan
14:09 < Chaze> it's not really ping-efficient
14:09 < Chaze> US sits nicely in the middle
14:10 < kisom> Unless you are going to play FPS games it will do just fine imo.
14:10 < Chaze> nah, i just want proper internet. they enforce a proxy that restricts me to HTTP
14:11 < kisom> Well if the proxy check the request for HTTP headers you are screwed :)
14:12 < Chaze> well i found some http-proxy options on openvpn
14:12 < Chaze> a friend said he did the same thing with it
14:12 < kisom> OK, fair enough
14:12 < kisom> I had the exact same problem with openvpn
14:12 < Chaze> http-proxy-option AGENT Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-GB;+rv:1.7.6)+Gecko/20050226+Firefox/1.0.1
14:13 < Chaze> to them it will look all like requests from firefox
14:13 < kisom> Well, no.
14:13 < kisom> But it may still work.
14:13 < Chaze> what will look different?
14:13 < Chaze> i was assuming it would build proper HTTP headers and all
14:13 < kisom> The tunneled data contains no HTTP headers at all
14:14 < kisom> It's pseudo-random data.
14:15 < Chaze> i thought the tunneled data was embedded in some GET strings
14:15 < kisom> No, its not.
14:15 < Chaze> can't i do that somehow?
14:15 < kisom> I do it all the time...
14:15 < kisom> Problem is i've written that software myself :)
14:15 < kisom> And for various reasons i cannot share the source code of it.
14:16 < Chaze> alright..
14:16 < kisom> Your best bet is probably to use port 443 and tunnel OpenVPN over it.
14:16 < Chaze> google yields this http://http-tunnel.sourceforge.net/
14:16 < vpnHelper> Title: HTTPTunnel - Tunnel Connections Through Restrictive Proxies (at http-tunnel.sourceforge.net)
14:17 < kisom> Yeah, that looks like a similar way to do what my software does.
14:17 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 265 seconds]
14:18 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
14:18 -!- mode/##openvpn [+o mattock] by ChanServ
14:19 < Chaze> do you create some network adapter for this?
14:19 < kisom> No, its a fork of openvpn
14:20 < Chaze> really interesting. why can't you share it?
14:21 < ecrist> Dougy: cool.  we had changed that in the test DB, but not the current production one
14:23 < kisom> Chaze: PM :)
14:30 -!- brah [~brah@186.125.74.117] has quit [Remote host closed the connection]
14:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
14:59 -!- fr00d [~andi@unaffiliated/fr00d] has quit [Ping timeout: 240 seconds]
15:06 -!- fr00d [fr00d@unaffiliated/fr00d] has joined ##openvpn
15:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
15:54 -!- buntfalke [~nobody@openvpn-p0-147.triple-a.uni-kl.de] has joined ##openvpn
15:54 -!- buntfalke [~nobody@openvpn-p0-147.triple-a.uni-kl.de] has quit [Changing host]
15:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
16:01 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
16:06 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
16:11 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
16:17 -!- JodaZ_ [~JodaZ@ns302312.ovh.net] has quit [Ping timeout: 276 seconds]
16:19 -!- JodaZ [~JodaZ@ns302312.ovh.net] has joined ##openvpn
16:21 -!- adent [~adent@blk-224-191-155.eastlink.ca] has joined ##openvpn
16:21 < adent> !welcome
16:21 < vpnHelper> adent: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:34 -!- orion [orion@unaffiliated/orion] has joined ##openvpn
16:34 < orion> Hi. How can a user accept all push/pull options EXCEPT for the DNS server?
16:54 < reiffert> orion: you create him an batch/shell script that ignores that value and adjust his config file to use that shell script.
16:58 < Bushmills> orion: on linux: don't do anything. ignored by default, unless extra action taken.
16:59 < orion> I found an snwer for myself: Have the client add "dhcp-option DNS ..." to their configuration file.
16:59 < orion> (specifying their own DNS server)
17:15 -!- clyons [~clyons@unaffiliated/clyons] has quit [Quit: Leaving]
17:40 < jwm> !welcome
17:40 < vpnHelper> jwm: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:40 < jwm> !redirect
17:40 < vpnHelper> jwm: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:40 < jwm> hehe
17:40 < jwm> !wiki
17:40 < vpnHelper> jwm: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
17:41 < orion> Well, it's working now.
17:42 < orion> So I guess I'm good.
17:42 -!- orion [orion@unaffiliated/orion] has left ##openvpn []
17:42 < jwm> heh
17:42 < jwm> he didn't thank you
17:58 <@Dougy> https://forums.openvpn.net/viewtopic.php?p=7558
17:58 < vpnHelper> Title: OpenVPN Forum View topic - Auto-tune mtu (at forums.openvpn.net)
17:58 <@Dougy> this looks intersting
17:58 <@Dougy> jeff are you out there
18:04 -!- takamichi [~pri@pm303-98-27.keyworld.net] has quit []
18:04 -!- adent [~adent@blk-224-191-155.eastlink.ca] has quit [Quit: adent]
18:36 -!- Raccoon` [bismuth@unaffiliated/raccoon] has joined ##openvpn
18:36 -!- Raccoon [bismuth@unaffiliated/raccoon] has quit [Ping timeout: 258 seconds]
18:36 -!- Raccoon` is now known as Raccoon
18:58 -!- rasengan [~rasengan@96.43.136.10] has joined ##openvpn
18:59 < rasengan> If you run openVPN with user-pass-verify and client-cert-not-required does that mean no keys/certs need to be exchanged prior and you can just login with user/pass?
19:13 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
19:15 -!- adent [~adent@blk-224-191-155.eastlink.ca] has joined ##openvpn
19:17 -!- sparc-kly [~mubex@adsl-64-237-249-170.prtc.net] has quit [Read error: Connection reset by peer]
19:19 -!- Martz^ [~Martz@unaffiliated/martz] has joined ##openvpn
19:34 -!- tjz [~pc@bb116-14-173-172.singnet.com.sg] has joined ##openvpn
19:34 -!- tjz [~pc@bb116-14-173-172.singnet.com.sg] has quit [Changing host]
19:34 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
19:39 -!- Chaze [~Chase@dslb-084-059-063-250.pools.arcor-ip.net] has quit [Quit: Chaze]
19:42 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
19:51 -!- adent [~adent@blk-224-191-155.eastlink.ca] has quit [Quit: adent]
20:02 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
20:05 -!- barfster [~barf@0127ahost2.starwoodbroadband.com] has quit [Ping timeout: 276 seconds]
20:05 -!- barfster [~barf@0127ahost2.starwoodbroadband.com] has joined ##openvpn
20:06 -!- Champi [Champi@damn.e-leet.be] has quit [Ping timeout: 240 seconds]
20:07 -!- Champi [Champi@damn.e-leet.be] has joined ##openvpn
20:20 -!- SOG [~SOG@222.125.202.173] has quit [Quit: SOG]
20:25 -!- barfster [~barf@0127ahost2.starwoodbroadband.com] has quit [Quit: Computer has gone to sleep]
20:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
20:34 < Bushmills> -
20:58 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
21:13 < jwm> right now I am using 192.168.1.x for my vpn and two separate lans
21:13 < jwm> I was wondering if there would be a benefit to going to a different lan ip range 
21:29 < blackpenguin> jwm: the main reason why I use different network-addresses for LAN and VPN is routing. How is your machine supposed to know which interface to use for a given address? sure, you could do this with a per host routing table entry, but if you use a different network-adress the situation is much easier (IMHO)
21:29 < blackpenguin> you could however bridge the interfaces to solve this problem, too
21:30 < blackpenguin> still I prefer the different network-adresses.
21:32 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
21:53 < jwm> I bridge
22:00 -!- Raccoon` [bismuth@unaffiliated/raccoon] has joined ##openvpn
22:03 -!- Raccoon [bismuth@unaffiliated/raccoon] has quit [Ping timeout: 240 seconds]
22:03 -!- Raccoon` is now known as Raccoon
22:06 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
22:13 -!- rasengan [~rasengan@96.43.136.10] has quit [Quit: WeeChat 0.3.2]
22:27 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
22:28 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
22:53 -!- Raccoon [bismuth@unaffiliated/raccoon] has quit [Ping timeout: 240 seconds]
23:31 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Read error: Connection reset by peer]
23:31 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
23:32 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Client Quit]
23:32 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
23:50 -!- Raccoon [bismuth@unaffiliated/raccoon] has joined ##openvpn
--- Day changed Mon Aug 16 2010
01:19 -!- barfster [~barf@0127ahost2.starwoodbroadband.com] has joined ##openvpn
01:20 -!- barfster [~barf@0127ahost2.starwoodbroadband.com] has quit [Client Quit]
01:32 -!- abeehc-_ [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined ##openvpn
01:36 -!- abeehc- [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 276 seconds]
01:42 < kisom> morning
01:42 < kisom> yees another day at work! yey
02:00 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:03 -!- naquad [~naquad@174.142.224.219] has joined ##openvpn
02:07 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
02:12 -!- jmm is now known as jww
02:13  * jww shoot kisom .
02:24 -!- dazo_afk is now known as dazo
02:33 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
02:40 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
02:47 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:58 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:03 -!- RichiH_ [~richih@freenode/staff/richih] has joined ##openvpn
03:04 -!- RichiH [~richih@freenode/staff/richih] has quit [Read error: Operation timed out]
03:16 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
03:16 -!- mode/##openvpn [+o mattock] by ChanServ
03:26 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
03:29 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
03:29 -!- mode/##openvpn [+o mattock] by ChanServ
03:44 -!- mattock1 [~samuli@gprs-prointernet-ff556a00-20.dhcp.inet.fi] has joined ##openvpn
03:44 -!- mode/##openvpn [+o mattock1] by ChanServ
03:45 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
03:48 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
03:48 -!- mattock1 [~samuli@gprs-prointernet-ff556a00-20.dhcp.inet.fi] has quit [Ping timeout: 276 seconds]
03:56 -!- Chosi [osxchosi@choseh.de] has joined ##openvpn
03:57 -!- mape2k [~mape2k@p5B28687E.dip.t-dialin.net] has joined ##openvpn
04:08 -!- ultramage [umage@kurobara.netvor.sk] has joined ##openvpn
04:10 -!- SOG [~SOG@61.144.230.241] has quit [Quit: SOG]
04:11 < ultramage> hi, my wireshark recording says for openvpn traffic "1470 bytes on wire, data: 1428 bytes", compared to normal packets' "1514 bytes on wire, data: 1460 bytes"
04:11 < ultramage> what values do I need to adjust to max out the packet sizes?
04:12 < Chosi> smells like mtu. just a guess tho :)
04:12 < ultramage> could be mss clamping at work again, too
04:13 < ultramage> just asking if anyone knows the exact settings and values to use, before I start screwing with my only means of connectivity :>
04:19 < ultramage> interesting... my syn packet has mss 1460, reply has mss 1333... so I guess the clamping happens after the packet arrives on the tap adapter
04:20 < ultramage> it's unfortunate that googling "openvpn <number>" results in total garbage, like line numbers
04:21 < ultramage> yeah, google's hitting trac file listings which have a line number for every line.
04:22 < ultramage> so anyways, if anyone knows the best value to use without breaking tcp/udp (not sure if I need to account for encapsulated protocol overhead or anything), just highlight me
04:30 -!- RichiH_ is now known as RichiH
04:56 < kisom> ultramage: Does the connection not work?
04:59 < ultramage> no, I just feel like squeezing the max. bandwidth out of it :)
04:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:59 < ultramage> at first sight it seems there's room for a 2.5% improvement
04:59 < ultramage> there might be a reason why the packets don't reach their physical max... but that reason might be something totally useless for my type of connection
05:00 < ultramage> and since I'm not familiar with this problem, I decided to ask here :)
05:02 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
05:26 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:42 < kisom> ultramage: well, there will always be an overhead on VPN connections
05:42 < kisom> deal with it :)
05:42 < kisom> you can turn of HMAC if you want faster speeds
05:43 < kisom> indeed, it will make your connection more insecure.
05:47 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
05:51 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
06:01 < kisom> Any crypto geeks in here?
06:02 < kisom> I was thinking of writing an encryption algorithm based on SHA1.. Take the secret key, take a counter, SHA1 them together and XOR with the plain text
06:02 < kisom> I don't see how that would be insecure...
06:11 -!- VirusTB [~VirusTB@thetouch.demon.nl] has joined ##openvpn
06:26 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 245 seconds]
06:27 -!- Cain` [~Geek@unaffiliated/cain] has joined ##openvpn
06:28 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
06:28 -!- Cain` is now known as Cain
06:38 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:48 < JodaZ> how do i revoke a key ?
06:50 < JodaZ> kisom, the counter represents partitially known plaintext, who knows if sha1 is sufficiently secure against that
06:51 -!- groundnu1y [~orzech@elj74.internetdsl.tpnet.pl] has quit [Ping timeout: 248 seconds]
06:55 -!- Raccoon [bismuth@unaffiliated/raccoon] has quit [Read error: Connection reset by peer]
06:55 -!- Raccoon [bismuth@unaffiliated/raccoon] has joined ##openvpn
07:11 -!- naquad [~naquad@174.142.224.219] has quit [Ping timeout: 264 seconds]
07:18 -!- naquad [~naquad@174.142.224.219] has joined ##openvpn
07:19 -!- VirusTB [~VirusTB@thetouch.demon.nl] has quit [Quit: VirusTB]
07:35 -!- mrak [~mrak@248.217.broadband14.iol.cz] has joined ##openvpn
07:35 < mrak> hello all
07:36 < mrak> !welcome
07:36 < vpnHelper> mrak: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:36 < ecrist> good morning
07:39 < mrak> !route
07:39 < vpnHelper> mrak: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:43 < mrak> Can i setup another static routes for each client separately?
07:43 < ecrist> yes
07:43 < ecrist> ccd
07:43 < ecrist> !ccd
07:43 < vpnHelper> ecrist: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
07:44 < mrak> ecrist: ok thx
07:45 < mrak> ecrist: Is it directive iroute for each static route?
07:45 < ecrist> iroute is for the reverse-routing
07:45 < ecrist> i.e. lans behind clients
07:45 < ecrist> !route
07:45 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:47 < mrak> ecrist: ok thx again
07:48 -!- debianix [~debianix@unaffiliated/debianix] has joined ##openvpn
07:51 < debianix> hi is it possible to run openvpn as server and connect to it as client on same pc ?
08:02 < krphop> i'm curious as to why you would want to do that?
08:03 < mrak> debianix: yes it's possible
08:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
08:04 < debianix> testing
08:04 < mrak> debianix: u just make config for server and for client
08:04 < debianix> thx mrak
08:04 < debianix> just to have an idea of the working environment
08:04 < debianix> can't see to find any free openvpn servers around
08:05 < debianix> s/see/seem
08:05 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
08:07 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:22 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Quit: No Ping reply in 180 seconds.]
08:23 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
08:33 < ultramage> kisom: no, the point is that it seems that there is room for another 44 bytes
08:33 < ultramage> the outer udp packets that are being sent on the wire are 44 bytes smaller than the maximum size
08:34 < ultramage> now the question is - is this on purpose, or is it just the fault of some default one-fits-all magic value being used?
08:39 -!- debianix [~debianix@unaffiliated/debianix] has quit [Quit: Leaving]
08:42 -!- barfster [~barf@0127ahost2.starwoodbroadband.com] has joined ##openvpn
08:43 -!- barfster [~barf@0127ahost2.starwoodbroadband.com] has quit [Client Quit]
08:44 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
08:44 -!- mode/##openvpn [+o mattock] by ChanServ
08:57 <@Dougy> .
08:57 <@Dougy> good morning
08:58 -!- mape2k [~mape2k@p5B28687E.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
09:17 < ecrist> howdy
09:19 <@Dougy> how are you ecrist 
09:22 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:24 < ecrist> it goes
09:32 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
09:41 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
09:57 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
10:01 -!- WormFood [~wormfood@183.38.15.252] has quit [Ping timeout: 240 seconds]
10:02 -!- WormFood [~wormfood@183.39.100.174] has joined ##openvpn
10:04 -!- frnknstn [~peter@204.12.227.75] has joined ##openvpn
10:09 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
10:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
10:14 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Remote host closed the connection]
10:21 < kisom> JodaZ: thats true, but combined with the key itself, the counter should not matter. as far as i know, even MD5 has not been broken to that extent
10:22 < JodaZ> kisom, why not use a trusted cipher ?
10:34 < frnknstn> !welcome
10:34 < vpnHelper> frnknstn: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:35 -!- mrak [~mrak@248.217.broadband14.iol.cz] has quit [Quit: Leaving]
10:36 < frnknstn> !wiki
10:36 < vpnHelper> frnknstn: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
10:37 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
10:41 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
10:44 -!- killown [~killown@189.110.242.22] has joined ##openvpn
10:44 -!- killown [~killown@189.110.242.22] has quit [Changing host]
10:44 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
10:45 < frnknstn> I am running a OpenVPN server with many clients, but very little actual traffic sent on it. However, I have three or so IP addresses that seem to be attempting to connect repeatedly
10:46 < frnknstn> so much so that the replies to those IP addresses eat up about 200kbps
10:46 < frnknstn> The units show up in the openvpn-status.log with UNDEF common names
10:47 < frnknstn> What is the likely cause, dodge NAT on the remote side?
10:47 -!- JiBz [5c869a9f@gateway/web/freenode/ip.92.134.154.159] has joined ##openvpn
10:47 < JiBz> Hi there !
10:48 < JiBz> I wonder if openVPN is able to do http tunneling ?
10:49 -!- krzee [~k@ftp.secure-computing.net] has joined ##openvpn
10:50 < JiBz> nobody knows ??
10:51 < krzee> JiBz, whats the question?
10:52 < ecrist> 10:48 < JiBz> I wonder if openVPN is able to do http tunneling ?
10:52 -!- krzee [~k@ftp.secure-computing.net] has quit [Client Quit]
10:52 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
10:52 < krzee> it can tunnel over a http proxy
10:52 < JiBz> I wonder if openVPN is able to do http tunneling ?
10:53 < JiBz> ok so I must set up my own proxy and then tell openvpn to pass through
10:53 < krzee> you can also have openvpn share a port with a https server
10:54 < JiBz> in fact I have to bypass a firewall that allow only http protocol...
10:59 -!- JiBz [5c869a9f@gateway/web/freenode/ip.92.134.154.159] has quit [Quit: Page closed]
11:00 -!- mape2k [~mape2k@f053196084.adsl.alicedsl.de] has joined ##openvpn
11:02 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
11:05 -!- WormFood [~wormfood@183.39.100.174] has quit [Ping timeout: 265 seconds]
11:18 -!- WormFood [~wormfood@183.38.15.182] has joined ##openvpn
11:21 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
11:24 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
11:26 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:35 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
11:38 -!- Hypnoz [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:40 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
12:07 <@Dougy> http://www.upload3r.com/serve/160810/1281978401.jpg
12:08 < hyper_ch> Dougy: looks like someone got the leg broken and wants to stretch it
12:08 < kisom> Does it run openvpn?
12:08 < krzee> LOL
12:09 < hyper_ch> pretty common in china to break ones legs in order to make them 2-3cm longer$
12:09 < kisom> sick
12:10 < hyper_ch> kisom: well, people do a lot to literally "stand out" from the crowd :)
12:10 < kisom> Well, with 1 billion people maybe its hard to stand out...
12:10 < hyper_ch> that's why they have to use other means :)
12:11 < kisom> I should move to china
12:11 < kisom> would stand out sooo much
12:11 < kisom> = money
12:11 < hyper_ch> you're a red-head?
12:11 < kisom> Nah
12:12 < hyper_ch> red-heads stand out in china :)
12:12 < kisom> http://sphotos.ak.fbcdn.net/hphotos-ak-snc3/hs612.snc3/32202_130080253676215_100000227225815_346490_1940711_n.jpg
12:12 < kisom> thats me to the left
12:12 < kisom> (red hat gave us unlimited beer that night btw)
12:12 < hyper_ch> not red hair but red hat :)
12:13 < kisom> :)
12:14 < kisom> sucks i didn't get a job over there
12:14 < kisom> would have been awesome
12:15 < hyper_ch> over in china or over at red hat?
12:15 < kisom> red hat
12:15 < hyper_ch> why not canonical?
12:15 < kisom> do they have an office in sweden?
12:15 < hyper_ch> or google?
12:15 < hyper_ch> dunno :)
12:15 < kisom> probably not :)
12:16 < hyper_ch> google probably has
12:16 < kisom> probably... but well
12:16 < kisom> kinda hard to get a job at google
12:16 -!- rasengan [~rasengan@96.43.136.14] has joined ##openvpn
12:16 < rasengan> How do you get the list of currently logged in users?
12:16 < kisom> rasengan: check the status directive
12:16 < kisom> or use the management console
12:17 < rasengan> kisom: k cool, thank you
12:17 <@Dougy> hyper_ch: lol nah
12:17 <@Dougy> its a corrective brace
12:17 < hyper_ch> corrective brace for too short legs
12:17 <@Dougy> kisom:  lookin good
12:17 <@Dougy> no
12:18 <@Dougy> corrective brace for leg bone angled ---> that wy
12:18 <@Dougy> http://www.upload3r.com/serve/120710/1278956757.png
12:18 <@Dougy> there
12:18 <@Dougy> perfect description
12:18  * Dougy doesnt need lengthening just straigtening
12:19 < hyper_ch> that is you?
12:28 < rasengan> kisom: In the status directive log output, how come the username doesn't disappear from CLIENT LIST upon disconnection?
12:37 < krzee> shit thats all it was?
12:37 < krzee> why did you even get it fixed?
12:44 -!- dazo is now known as dazo_afk
12:52 -!- krzie [~k@unaffiliated/krzee] has joined ##openvpn
12:52 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 240 seconds]
12:53 -!- krzie is now known as krzee
12:53 -!- gorkhaan [~gorkhaan@adsl-101-194.globonet.hu] has joined ##openvpn
12:56 < krzee> !windows
12:56 < vpnHelper> krzee: "windows" is pcs are like air conditioners, they work fine unless you open windows
13:18 <@Dougy> krzee:  its debilitating
13:19 < krzee> the leg or windows?
13:19 < krzee> both could be true
13:19 <@Dougy> i love windwos
13:19 <@Dougy> windows
13:19 <@Dougy> so the leg
13:20 <@Dougy> !factoids search windows 2008
13:20 < vpnHelper> Dougy: No keys matched that query.
13:20 <@Dougy> !factoids search windows
13:20 < vpnHelper> Dougy: 'windows' and 'windows_mobile'
13:20 <@Dougy> bah
13:20 -!- fipu [~fipu@ulul.ch] has joined ##openvpn
13:20 < krzee> !factoids seach win
13:20 < vpnHelper> krzee: Error: The "Factoids" plugin is loaded, but there is no command named "seach" in it.  Try "list Factoids" to see the commands in the "Factoids" plugin.
13:20 < krzee> !factoids search win
13:20 < vpnHelper> krzee: 'winroute', 'winpass', 'win_noadmin', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', 'win_ipfail', 'win2k8', 'sudowin', 'win_tcplimit', 'winnat', 'winscript', 'win_rollup', 'windows', 'winpath', 'winsudo', and 'windows_mobile'
13:20 < fipu> hi @ all
13:20 < krzee> hey fipu 
13:20 <@Dougy> krzee:  am searching for tap and 2k8 if there is anything about it
13:20 < krzee> Dougy, not really... theres nothing specific about it
13:21 <@Dougy> https://forums.openvpn.net/viewtopic.php?p=7568&sid=b911ec4c72b35ff920a15e8380cf2b67#p7568
13:21 < vpnHelper> Title: OpenVPN Forum View topic - TAP adapter won't install on Windows Server 2008 (at forums.openvpn.net)
13:21 < fipu> I have a question, I use openvpn on a windows server 2003
13:21 < fipu> 32 bit
13:21 < fipu> and it does not connect correctly
13:21 -!- mape2k [~mape2k@f053196084.adsl.alicedsl.de] has quit [Ping timeout: 258 seconds]
13:21 < fipu> The TAP interface is hanging @ get IP adress
13:21 < krzee> openvpn.se is WAY old
13:21 < fipu> on my netbook I can connect to the server with the same config
13:22 < fipu> the windows server 2003 is the client
13:22 < krzee> !winroute
13:22 < vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
13:22 < krzee> try those fipu 
13:28 -!- Mick27 [~Mick27@host-85-27-57-3.brutele.be] has joined ##openvpn
13:28 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Quit: leaving]
13:28 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
13:31 < fipu> krzee: ok I try
13:31 < fipu> one moment ;)
13:32 <@Dougy> krzee: i had to give up front row tickets to a fight :(
13:32 <@Dougy> boxing not ufc or any of that
13:33 < fipu> krzee: what is " try route-method exe in your config file" ?
13:33 < fipu> How can I do that?
13:33 < krzee> route-method exe
13:33 < fipu> only add this line?
13:33 < krzee> correct
13:33  * Dougy sighs
13:34 < krzee> Dougy, which fight?
13:35 <@Dougy> adamek vs grant
13:35 < krzee> ahh, hasnt happened yet
13:35 <@Dougy> nah, saturday
13:35 <@Dougy> did you watch adamek vs estrada?
13:36 <@Dougy> i had front row to that fight alos
13:36 <@Dougy> also
13:42 < krzee> right on
13:43 < krzee> your family friends with adamek
13:43 < krzee> ?
13:47 <@Dougy> my aunt is friends with his promoter
13:47 <@Dougy> she is a geico manager and deals w/his garages
13:48 <@Dougy> adamek gave my cousin 250 for his bday and promoter 500 and a first day of school gift (im so jealous of said gift)
13:48 < krzee> cool
13:48 <@Dougy> hes giving my aunt his ferrari california for the day
13:48 <@Dougy> :/
13:49 <@Dougy> lucky fuckin people
13:49 <@Dougy> lol
13:50 < fipu> krzee: it does not work..
13:50 < fipu> It's hanung @ to getting up
13:50 < fipu> *hanging
13:51 < krzee> !configs
13:51 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
13:51 < krzee> !logs
13:51 < vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
13:51 < krzee> both sides
13:53 < fipu> thats the server config
13:53 < fipu> http://pastebin.com/UcjSTYn3
13:53 < fipu> Debian 5 lenny
13:55 < fipu> and here the client: http://pastebin.com/LYq1chiz
13:55 < Mick27> hey guys on a simple setup, apart from activating ip_forward is there anything to do on the host ?
13:55 < krzee> on a simple setup you dont need ip forwarding
13:55 < krzee> !goal
13:55 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:56 < krzee> fipu, 4 is WAY WAY too short for route-delay
13:56 < krzee> default is 30 (if you dont put how long)
13:57 < fipu> ah
13:57 < fipu> ok
13:57 < fipu> Should I set it to 40?
13:57 < krzee> just remove the number
13:57 < Mick27> krzee by simple I mean 1 server multiple client (and PKI but that part is working)
13:57 < krzee> by "default" i meant IF you have route-delay
13:59 < krzee> Mick27, still dont need ip forwarding for that unless you choose to not use --client-to-client
13:59 < krzee> if that is exactly your goal
13:59 < krzee> !configs
13:59 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
13:59 < krzee> errr
13:59 < krzee> i mean
13:59 < krzee> !sample
13:59 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
14:00 < fipu> krzee: ah ok :P 
14:00 < krzee> those configs are for multi-client, and do not require ip forwarding
14:00 < fipu> Missunderstood (default)
14:00 < fipu> I try
14:00 < Mick27> I don't want to user client to client 
14:01 < Mick27> just want multiple client to access the net via my server
14:01 < krzee> well thats not what you said!
14:01 < krzee> you said simple multi-client setup :-p
14:01 < krzee> !redirect
14:01 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:02 < Mick27> now that you tell me I wonder why I didn't think about nat before
14:02 < Mick27> that's one good point thanks
14:02 < krzee> np
14:02 < krzee> which os?
14:02 < Mick27> however since yesterday I cannot ping the server anymore inside the vpn, I need to troubleshoot this first
14:02 < Mick27> client is seven
14:02 < Mick27> server is
14:02 < Mick27> ubuntu
14:03 < krzee> !linnat
14:03 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
14:03 < Mick27> thx
14:03 < fipu> krzee, here is my client log: http://pastebin.com/BmFeCG1s
14:03 < fipu> krzee: It's just hanging @ to come up
14:03 < fipu> also with route-delay
14:03 < krzee> fipu, did i miss the server log?
14:04 < krzee> actually
14:04 < krzee> Mon Aug 16 20:56:52 2010 us=291166 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
14:04 < krzee> Mon Aug 16 20:56:52 2010 us=291357 Route: Waiting for TUN/TAP interface to come up...
14:04 < Mick27> lol the logs on the server side say that my client is getting 10.8.0.4, but my client says he gets 10.8.0.6
14:04 < krzee> does that still repeat over and over after you added 
14:04 < krzee> route-method exe
14:04 < krzee> route-delay
14:04 < Mick27> w*f
14:05 < krzee> Mick27, 
14:05 < krzee> !/30
14:05 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
14:05 < Mick27> krzee you're the man
14:05 < krzee> ;]
14:05 < Mick27> !topology
14:05 < vpnHelper> Mick27: "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
14:07 < reiffert> hi krzee, sorry no time here, guess all's fine for you?
14:07 < jpalmer> !Iwantaccesstothebot!
14:07 < krzee> hey reif!!
14:07 < vpnHelper> jpalmer: Error: "Iwantaccesstothebot!" is not a valid command.
14:07 < fipu> krzee: right
14:07 < fipu> It's repeating
14:07 < fipu> I get the server log for you
14:07 < fipu> mom
14:07 < krzee> reiffert, ya im on vacation so im pretty happy right now... good to hear from ya
14:08 < Mick27> for those lazy who want a uick vpn ovh.net is leasing some at 1c an hour
14:08 < Mick27> quick*
14:11 < Mick27> am I still connected ?
14:12 < reiffert> Mick27: no.
14:12 < krzee> nope
14:12 < krzee> haha
14:12 < reiffert> :)
14:13 < Mick27> lol
14:13 < reiffert> whats your current location, caribian?
14:13 < Mick27> I wonder why "topology subnet" is not by default nowadays ?
14:14 < reiffert> it's windows ninteyyy fiiive, it's sucking up my drive
14:16 < Mick27> so next question krzee, why is the server not able to ping a client ? I believe a reverse route is needed but I haven't seen any word about that
14:16 < Mick27> !reverse ?
14:16 < vpnHelper> Mick27: Error: "reverse" is not a valid command.
14:16 < Mick27> ?help
14:17 < Mick27> shit what is the starting point of that bot
14:17 < krzee> Mick27, 1-way ping?
14:17 < Mick27> yep
14:18 < Mick27> client can ping server
14:18 < krzee> pinging .1 and .6?
14:18 < Mick27> yes
14:18 < krzee> firewall
14:18 < Mick27> inside the vpn ?
14:19 < fipu> krzee: sorry but I can't get the server log. But I think it's not crucial.
14:19 < fipu> On an other client it works :P
14:21 < Mick27> krzee since I don't want to bother you too much what is the first command to talk to the bot ?
14:21 < krzee> first command?
14:21 < krzee> here
14:21 < krzee> !factoids
14:21 < vpnHelper> krzee: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
14:22 < Mick27> like ?help 
14:22 < Mick27> ah cool
14:22 < Mick27> thx
14:26 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:26 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
14:29 < Mick27> so
14:29 < Mick27> if I want to get a level harder
14:29 < Mick27> what should I try
14:29 < Mick27> I'm bored
14:31 < krzee> *shrug*
14:31 < krzee> could try vpnchains
14:32 < Mick27> lol
14:32 < Mick27> the fact that I might need to install several vms
14:32 < kisom> vpnchains?
14:32 < Mick27> google it
14:32 < kisom> i did
14:33 < kisom> reading the wiki atm
14:33 < Mick27> brb I need to apply something new on my vpn
14:33 < krzee> kisom, i did not add the second layer to the drawing
14:33 < kisom> oh NOW i get it
14:35 < krzee> the insane part was my findings with iperf
14:35 < Mick27> hmm the new route is not pushed
14:35 < krzee> Mick27, why try for higher levels if you are asking every step of the way?
14:36 < Mick27> lol I am not asking just saying
14:36 < Mick27> I'll find it
14:38 < krzee> fipu, see if this helps you, http://openvpn.net/index.php/open-source/faq/79-client/259-tap-win32-adapter-is-not-coming-up-qinitialization-sequence-completed-with-errorsq.html
14:43 -!- mape2k [~mape2k@f053196084.adsl.alicedsl.de] has joined ##openvpn
14:45 -!- Mick27 [~Mick27@host-85-27-57-3.brutele.be] has quit [Ping timeout: 258 seconds]
14:51 -!- Mick27 [~Mick27@host-85-27-57-3.brutele.be] has joined ##openvpn
14:52 < Mick27> stupid UAC that prevents route from being create
14:52 < Mick27> d
14:54 < fipu> krzee: I'm re
14:54 < fipu> can you help me with my Problem? ;)
14:55 < krzee> [12:38]  <krzee> fipu, see if this helps you, http://openvpn.net/index.php/open-source/faq/79-client/259-tap-win32-adapter-is-not-coming-up-qinitialization-sequence-completed-with-errorsq.html
14:55 -!- HA1DFO [~dome@catv-89-133-22-167.catv.broadband.hu] has joined ##openvpn
14:56 < fipu> krzee: ah thx
14:56 < fipu> Can I add these commands @ config file?
14:56 < fipu>     * ip-win32 netsh
14:56 < fipu>     * ip-win32 ipapi
14:56 < fipu>     * ip-win32 manual
14:56 < fipu> or how can I manual configure the IP of the TAP interface?
14:57 -!- Meliorator [m@dunnington.eu] has joined ##openvpn
14:58 < Meliorator> !welcome
14:58 < vpnHelper> Meliorator: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:58 < HA1DFO> hi all. Do you know how is the windows installer built? Where can I find documentation about this? I'd like to repack openvpn with some postinstall scripts. Does the licence allow this? Or I should ask this in the #openvpn-devel channel?
14:59 < krzee> fipu, yes
14:59 < Meliorator> hello, is it possible to configure both a OpenVPN server and client on the same machine?
14:59 < jpalmer> Meliorator: yes
15:00 < Meliorator> then, i think Gentoo fails
15:00 < krzee> HA1DFO, 
15:00 < krzee> !win_rollup
15:00 < vpnHelper> krzee: "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
15:00 < HA1DFO> tnx
15:00 < krzee> np
15:00 -!- Mick27 [~Mick27@host-85-27-57-3.brutele.be] has quit []
15:02 < krzee> Meliorator, seperate processes
15:04 -!- Raccoon [bismuth@unaffiliated/raccoon] has quit [Ping timeout: 276 seconds]
15:10 -!- gorkhaan [~gorkhaan@adsl-101-194.globonet.hu] has quit [Quit: Távozom]
15:10 < jpalmer> krzee: let me know when you have time to discuss those 2 pdf's
15:11 < krzee> ahh right
15:11 < krzee> 1min lemme just check if a patch works
15:11 < jpalmer> take your time.  no rush, I know you're on vacation.
15:11 < krzee> this seems to be the only occasion i actually 
15:11 < krzee> actually have time
15:12 < jpalmer> ok, /msg me when you're ready then
15:14 -!- Raccoon [bismuth@71-222-252-68.albq.qwest.net] has joined ##openvpn
15:24 -!- mape2k [~mape2k@f053196084.adsl.alicedsl.de] has quit [Ping timeout: 265 seconds]
15:27 -!- jaminja [~jaminja@74.81.170.4] has joined ##openvpn
15:36 < fipu> krzee: which of these three commands I need to add?
15:37 < krzee> trial and error
15:38 < fipu> ip-win32 netsh
15:38 < fipu> [21:56] <fipu>     * ip-win32 ipapi
15:38 < fipu> [21:56] <fipu>     * ip-win32 manual
15:40 < krzee> fipu, you understand what trial and error is?
15:43 -!- jaminja [~jaminja@74.81.170.4] has quit [Ping timeout: 255 seconds]
15:44 < fipu> mhhh
15:44 < fipu> I'm not sure
15:46 < Meliorator> krzee: i meant that the gentoo init script doesn't seem to be dealing with spawning the seperate processes
15:48 < Meliorator> basically, i had a client setup and working. i then wanted to run a server, so i renamed the client files and ammended conf file accordingly. i created the server conf and keys/certs/etc, then restarted the init script. the server started but the client did not. i don't even see it attempt to start the client in the syslog
15:49 < krzee> Meliorator, oh, why dont you just use your own script then?
15:50 < Meliorator> well, if it is fault of the init script, best to fix that and share it with the world imo!!!
15:50 < krzee> Meliorator, debian's will start all configs
15:50 < krzee> may want to adapt that one
15:50 < Meliorator> i'm sure that's right for all distro's
15:50 < Meliorator> perhaps there is some percularity of gentoo that i have missed
15:51 < krzee> nah each distro makes their own scripts
15:52 < krzee> its specific to the OS, not openvpn
15:53 < Meliorator> i meant that all distro's will attempt to start all conf's afaik
15:54 < Meliorator> s/start all conf's/start a process for each conf/
15:55 < krzee> that is not true
15:55 < Meliorator> it is true
15:55 < Meliorator> it's what i know
15:55 < krzee> EACH distro handles the issue of starting apps its own way
15:55 < krzee> and how they choose to package things like a startup script for openvpn is up to each of them, individually
15:56 < Meliorator> all of them will start a process for each conf
15:56 < Meliorator> please name one that does not
15:57 < HA1DFO> Guys, I just finished the building of my own installer. But I still have some problems, i'd like to change the link the normal installer puts on my desktop (insert --connect  and --silent tags) and would also like to link it in to my startup folder. Do you have any ideas how can i do it?
15:58 < Bushmills> gentoo :P
15:58 < Meliorator> this in Windows?
15:58 < Meliorator> Bushmills: haha, good call
15:58 < Meliorator> (although, it should, according to documentation)
15:59 < Bushmills> in fact, it is untrue that debian init script start all confs.  it merely does so because it has been set in one config file
15:59 < HA1DFO> yeas, this is a windows installer...
15:59 < Bushmills> but by editing that config file, you can set the inti script to start a specific config only
15:59 < Bushmills> nit
16:00 < Meliorator> HA1DFO: any reason why you don't want to run it as a service?
16:00 < Bushmills> so it does them all by default, but at your discretion
16:00 < HA1DFO> Hmm. Can I automate it somehow? I'm not really familiar with windows, i just have to create some nice and automatid installpack to customers
16:01 < Meliorator> Start Menu -> Control Panel -> Administrative Tools -> Services
16:01 < Meliorator> select OpenVPN service and hit Start
16:01 < Meliorator> job should be a good un :)
16:02 -!- DrPepper [~DrPepper@88.207.164.177] has joined ##openvpn
16:02 < Martz^> im impressed with openvpn... im a complete noob, read the docs and stuff.. and it works Good job :)
16:03 < HA1DFO> thanks, this looks pretty good
16:03 < Meliorator> one slight caveat ... everyone on the box has access to the VPN ...
16:04 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
16:04 < Meliorator> if you want it per user, you'll have to go the Startup folder route, but if you're using UAC, have fun, it's a pain in the a*** :p
16:05 < Bushmills> afternoon?
16:05 < Meliorator> evening.
16:05 < Meliorator> ;p
16:06 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
16:06 -!- jaminja [~jaminja@74.81.170.4] has joined ##openvpn
16:08 < fipu> krzee: what I have todo now? :P
16:08 < krzee> fipu, have you tested those?
16:08 < fipu> add ip-win32 netsh and ip-win32 ipapi ip-win32 manual @ config file?
16:08 < krzee> not all 3
16:08 < krzee> try each of them 1 by 1
16:08 < fipu> ah ok
16:09 < krzee> theres also a suggestion above that in the same FAQ response
16:12 < fipu> krzee: It works!!!
16:12 < fipu> Thank you!!!
16:12 < fipu> ip-win32 ipapi does the thing
16:12 < fipu> :P
16:13 < fipu> what does ip-win32 ipapi do?
16:13 < krzee> !man
16:13 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
16:27 -!- Bleupomme [~manu@ip-88-207-237-169.dyn.luxdsl.pt.lu] has joined ##openvpn
16:27 < Bleupomme> hello, can I use openvpn for ipsec?
16:31 -!- bandini [~bandini@host247-25-dynamic.20-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
16:33 < Bushmills> nope
16:33 < Bleupomme> bushmills: thanks
16:34 < Bushmills> you'd rather use something like freeswan, for example
16:34 < Bushmills> openswan
16:35 < Bleupomme> BushmiIlls:tried openswan, but I'm stuck at the moment. So I'll probably need some help from their channel
16:35 < Bleupomme> thx anyway
16:36 < Bushmills> seems to be quite a task to set it up properly
16:37 < Bleupomme> Bushmills: actually it's not that difficult. But my problem is that I don't have a private network
16:37 < Bleupomme> I only have a server and I would like to use it as secure surfing gateway
16:37 < Bushmills> i don't speak from own experience, only relaying what others reported on their effort to do so
16:38 < Bushmills> for using the server as gateway for your client traffic, openvpn works nicely
16:39 < Bushmills> !redirect
16:39 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
16:40 < Bleupomme> Yes, I heard. Therefore I was asking about the ipsec stuff. My phone (android) only supports l2tp/ipsec
16:40 < krzee> android supports openvpn
16:40 < Bleupomme> krzee: does it?
16:40 < Bleupomme> krzee: I don't have the option
16:41 < krzee> 3rd party app
16:41 < krzee> search the android market for openvpn
16:41 < Bleupomme> krzee: thx I am going to check this
16:42 < Bleupomme> krzee: Do I need root?
16:42 < krzee> i would assume so
16:43 < Bushmills> without root, routes on android would be difficult to get adjusted
16:43 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:43 < Bushmills> and without doing that, traffic won't use a different route
16:43 < krzee> http://code.google.com/p/android-openvpn-settings/
16:43 < vpnHelper> Title: android-openvpn-settings - Project Hosting on Google Code (at code.google.com)
16:43 < krzee> that seems to be it
16:44 <@Dougy> bored as fuckkkkkk
16:44 < Bushmills> one can tell
16:45 < Bushmills> a pen and some sheet of papers can be a good remedy
16:47 < Bleupomme> krzee: thx, unfortunately the phone needs to be rooted. I did not want to do this quite yet. So I'm stuck
16:49 -!- ultramage [umage@kurobara.netvor.sk] has left ##openvpn []
16:49 < krzee> http://code.google.com/p/android-openvpn-settings/
16:49 < vpnHelper> Title: android-openvpn-settings - Project Hosting on Google Code (at code.google.com)
16:53 < Bleupomme> thx for the help. Going to bed.
16:53 -!- Bleupomme [~manu@ip-88-207-237-169.dyn.luxdsl.pt.lu] has quit [Quit: Ex-Chat]
17:04 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 245 seconds]
17:06 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
17:15 -!- HA1DFO [~dome@catv-89-133-22-167.catv.broadband.hu] has quit [Quit: Leaving]
17:17 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
17:25 -!- Hypnoz [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Ping timeout: 255 seconds]
17:26 -!- Hypnoz [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
17:36 -!- Chaze [~Chase@dslb-088-068-103-058.pools.arcor-ip.net] has joined ##openvpn
17:37 < Chaze> hey, will 64 MB be fine if I plan to use OpenVPN with one client, the server worknig as an endpoint to the internet?
17:38 < Bushmills> i run openvpn on a system with 8 MiB flash and 32 MiB RAM
17:40 -!- Raccoon [bismuth@71-222-252-68.albq.qwest.net] has quit [Read error: Connection reset by peer]
17:40 -!- Raccoon [bismuth@71-222-252-68.albq.qwest.net] has joined ##openvpn
17:42 < Bushmills> (same system is runs also sshd, name server, web server, is a pxe boot server, ntpd, runs avahi, monit, xinetd, dhcpd, a munin node and some things i have probably missed now)
17:43 < Bushmills> pub
17:44 < Bushmills> http://scarydevilmonastery.net/snap/1281998632602810820d.png
17:48 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:48 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:57 -!- Raccoon` [bismuth@71-222-252-68.albq.qwest.net] has joined ##openvpn
17:57 -!- Raccoon [bismuth@71-222-252-68.albq.qwest.net] has quit [Read error: Connection reset by peer]
17:58 -!- APTX_ [~APTX@phpBB/developer/APTX] has joined ##openvpn
17:58 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Connection reset by peer]
18:42 < krzee> !windows
18:42 < vpnHelper> krzee: "windows" is pcs are like air conditioners, they work fine unless you open windows
18:57  * jpalmer thought the regulars in this channel were above such narrowminded comments :P
18:57  * jpalmer ducks
18:58 < krzee> haha
18:59 < krzee> actually i keep pasting that in other places
18:59 < krzee> that one was prompted by this:
18:59 < krzee> [16:39]  <Fishman> Pinchiukas: windows isn't supported.  if you don't already know how to make it work there, no one here can (or will) help
18:59 < krzee> [16:39]  <AaronM> you can do w/e you want with your windows, except get support
19:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
19:07  * Bushmills googles this funny term "windows"
19:07 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- *I* use it, so it must be good!]
19:08 < Bushmills> oh my .. a program loader :)
19:18 < krzee> !AS
19:18 < vpnHelper> krzee: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
19:18 < vpnHelper> krzee: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
19:21 -!- APTX_ is now known as APTX
19:31 -!- SOG [~SOG@222.125.202.173] has quit [Quit: I will be back!]
19:51 -!- Hypnoz [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Ping timeout: 248 seconds]
20:04 -!- notbrien_ [~notbrien@user-12lc0fe.cable.mindspring.com] has joined ##openvpn
20:06 < nat2610> how do I get the option redirect-gateway def1 to work when the vpn server is windows ? do I have to create a bridge network between my tap-win32 and network card interface ?
20:07 -!- notbrien_ is now known as notbrien
20:10 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 245 seconds]
20:15 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
20:27 < krzee> nat2610, nothing special about it in windows
20:27 < krzee> and no, you do not need a bridge
20:27 < krzee> !tunortap
20:27 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
20:27 < vpnHelper> krzee: against you over the vpn, or (#4) lan gaming? use tap!
20:36 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
20:41 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
20:44 -!- dcode [~quassel@72-161-50-248.dyn.centurytel.net] has joined ##openvpn
20:46 < dcode> I've been playing with OpenVPN on pfSense firewall (testing-cee388313521) build date 2 Jul 2010. I've gotten LDAP username/password authentication working...I want to take it one step further and authenticate against certificates published in the LDAP directory. Is this possible?
20:46 < dcode> it looks like maybe I can only authenticate based on the fact that my cert and the server cert were signed by the same CA
20:46 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:47 < dcode> more specifically (and perhaps more complicated), the end result is that I want to be able to authenticate my users based upon the US DoD Common Access Smartcard tokens...
20:48 -!- Raccoon` [bismuth@71-222-252-68.albq.qwest.net] has quit [Read error: Connection reset by peer]
20:48 < dcode> if I could make a white-list in the OpenVPN configuration of the certs to accept...that'd be fine too
20:48 -!- Raccoon [bismuth@71-222-252-68.albq.qwest.net] has joined ##openvpn
20:48 < dcode> anyone have any ideas on how to go about this?
20:51 < dcode> and if I had to run a separate ovpn instance on a different box that'd be fine too
20:56 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
21:07 <@Dougy> hi [intra]lanman 
21:07 < [intra]lanman> hiya Dougy 
21:09 <@Dougy> how goes
21:17 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
21:39 -!- Chaze [~Chase@dslb-088-068-103-058.pools.arcor-ip.net] has quit [Quit: Chaze]
21:58 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
22:00 -!- DrPepper [~DrPepper@88.207.164.177] has quit [Ping timeout: 264 seconds]
22:17 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
22:43 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
22:45 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
22:49 -!- Kurogane [~kuro@190.87.69.217] has joined ##openvpn
22:49 < Kurogane> Any1 knows if i'm connected to vpn i get slow conection to internet?
22:59 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
23:01 -!- theDoc [~Link@unaffiliated/thedoc] has left ##openvpn []
23:20 < krzee> Kurogane, depends... but if you are redirecting your gateway it's certainly possible
23:21 -!- Hypnoz [~X@adsl-99-19-50-73.dsl.pltn13.sbcglobal.net] has joined ##openvpn
23:21 -!- Raccoon [bismuth@71-222-252-68.albq.qwest.net] has quit [Read error: Connection reset by peer]
23:35 -!- Raccoon [bismuth@unaffiliated/raccoon] has joined ##openvpn
23:45 < Kurogane> krzee: redirecting what you mean?
23:48 -!- cj [~cjac@karma.colliertech.org] has quit [Ping timeout: 255 seconds]
23:53 < krzee> !redirect
23:53 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
23:53 -!- Hypnoz [~X@adsl-99-19-50-73.dsl.pltn13.sbcglobal.net] has quit [Ping timeout: 276 seconds]
23:53 < krzee> i mean that
23:55 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
--- Day changed Tue Aug 17 2010
00:39 < Kurogane> !def1
00:39 < vpnHelper> Kurogane: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
00:42 -!- harsha [~harsha@122.181.19.210] has left ##openvpn []
00:49 < Kurogane> !ipforward
00:49 < vpnHelper> Kurogane: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
00:52 < Kurogane> !nat
00:52 < vpnHelper> Kurogane: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
01:02 < kisom> ugh
01:02 < kisom> rainy morning
01:03 < kisom> i hate rain, bad for ze laptop
01:08 -!- Martz^^ [~Martz@unaffiliated/martz] has joined ##openvpn
01:10 -!- JodaZ_ [~JodaZ@ns302312.ovh.net] has joined ##openvpn
01:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 255 seconds]
01:11 -!- Martz^ [~Martz@unaffiliated/martz] has quit [Ping timeout: 255 seconds]
01:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
01:11 -!- JodaZ [~JodaZ@ns302312.ovh.net] has quit [Ping timeout: 255 seconds]
01:11 -!- nat2610_ [~nfelsen@adsl-99-185-243-218.dsl.pltn13.sbcglobal.net] has joined ##openvpn
01:13 -!- nat2610 [~nfelsen@adsl-99-185-243-218.dsl.pltn13.sbcglobal.net] has quit [Ping timeout: 264 seconds]
01:15 -!- Raccoon [bismuth@unaffiliated/raccoon] has quit [Ping timeout: 255 seconds]
01:24 -!- Raccoon [bismuth@unaffiliated/raccoon] has joined ##openvpn
01:33 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
01:37 < kisom> !pki
01:37 < vpnHelper> kisom: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert
01:37 < vpnHelper> kisom: was signed specially as a server (see !servercert)
01:40 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:51 -!- dazo_afk is now known as dazo
03:08 -!- frnknstn [~peter@204.12.227.75] has quit [Ping timeout: 260 seconds]
03:17 -!- d12fk [~heiko@vpn.astaro.de] has quit [Remote host closed the connection]
03:31 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:32 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
03:33 -!- mode/##openvpn [+o mattock] by ChanServ
03:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:52 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 245 seconds]
03:53 -!- Rienzilla [rien@sinas.rename-it.nl] has joined ##openvpn
03:53 < Rienzilla> !welcome
03:53 < vpnHelper> Rienzilla: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:53 -!- Kurogane [~kuro@190.87.69.217] has quit [Remote host closed the connection]
03:53 < Rienzilla> !goal
03:53 < vpnHelper> Rienzilla: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
03:54 < Rienzilla> Greetings everyone.
03:56 < krzee> werd
03:57 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined ##openvpn
03:58 < Rienzilla> I am debating whether to use a routed or bridged vpn solution for the following case. I have mobile offices driving around which have a number of computers and printers built in. These are attached to an appliance which will run openvpn (the appliance in turn is connected to the internet). The appliance should connect the mobile office to a central datacenter where servers are located. Now I'm contemplating whether I should use a routed or bridged vpn.
04:00 < Rienzilla> (to clarify, there are a dozen of these mobile offices, and they have 4-5 devices each. Bandwidth to the mobile offices is relatively small)
04:03 -!- Raccoon [bismuth@unaffiliated/raccoon] has left ##openvpn []
04:03 -!- Rolybrau [~Rolybrau@91-72.79-83.cust.bluewin.ch] has joined ##openvpn
04:04 -!- Rolybrau [~Rolybrau@91-72.79-83.cust.bluewin.ch] has quit [Changing host]
04:04 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
04:07 < cron2> Rienzilla: use routed
04:07 < krzee> Rienzilla, 
04:07 < krzee> always routed, unless you need layer2
04:08 < krzee> hehe beat me to it ;]
04:08 < cron2> bridged has somewhat higher overhead in the protocol itself (needs to carry around ethernet headers) and you also need to carry all the broadcasts, which can make quite a difference if there are many windows machines
04:08 < cron2> :)
04:09 < krzee> oh man i love california weed
04:10 < Rienzilla> well
04:11 < Rienzilla> I don't necessarily _need_ layer2, but if I use routed vpn's, I also need to install (and manage) separate dhcp server or relay agent on the vpn appliance. I wonder if it's worth the hassle.
04:11 < krzee> no
04:12 < krzee> openvpn hands out the IPs
04:12 < Rienzilla> yes, to the appliance
04:12 < krzee> and you setup routing to do the rest
04:12 < krzee> !route
04:12 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
04:12 < Rienzilla> but not to the machines behind it. Those just do a dhcprequest
04:12 < krzee> they only send a dhcp request if they believe the address belongs on their LAN
04:13 < krzee> otherwise they check their routing table, send to the most specific entry
04:13 < cron2> rienzilla: well, yes.  do dhcp on the appliance, use separate subnets for each location.
04:13 < Rienzilla> if I turn on my printer, it will use dhcp to get its address
04:13 < krzee> ohh i see
04:13 < krzee> yes what cron2 said
04:13 < Rienzilla> cron2: yes I understand that would be the routed setup. Small routingblocks for the p2p link, and somewhat larger ip blocks for the machines in the ofices
04:13 < Rienzilla> but it seems considerably more errorprone to me
04:14 < cron2> yes.  that would be my recommendation.
04:14 < krzee> error prone how?
04:14 < cron2> it's a bit more work to setup, but it's easier to diagnose (because you can use standard techniques like "traceroute"), and it's more efficient
04:14 < Rienzilla> 13 dhcpd's instead of 1
04:14 < cron2> but the advantage is that each location can print even if the central office is down...
04:15 < Rienzilla> risk of traffic routing to the wrong place because I can't configure routers :P
04:15 < Rienzilla> that's not really relevant because the offices use thin clients
04:15 < Rienzilla> they can't work if they're not connected
04:15 < cron2> in that case, the administrative ease of "bridged" might be worth the extra overhead - I'd still do routed, but that's just me :-)
04:15 < krzee> thin clients work over layer3?
04:16 < Rienzilla> yes they do
04:16 < krzee> cool
04:16 < Rienzilla> they just need two dhcp options sent to them
04:16 < Rienzilla> the rest is ftp for configuration, and then rdp or ica (all tcp)
04:16 < krzee> normal dhcp options or custom ones?
04:17 < Rienzilla> custom 
04:17 < krzee> oh ya you may actually want a bridge
04:17 < krzee> dunno if cron is good with them, i havnt run one in a long long time... can point to the good reading material
04:18 < Rienzilla> I am quite ok with configuring openvpn
04:18 < krzee> ahh cool
04:18 < Rienzilla> I was just wondering how large the overhead was
04:18 < Rienzilla> on a 100mbit link I wouldn't blink and just type 'tap'
04:18 < Rienzilla> but the links are small
04:18 < krzee> how many machines on the broadcast domain?
04:18 < Rienzilla> around a hundred maybe
04:19 < Rienzilla> a little less
04:19 < krzee> ooo, could get ugly
04:19 < Rienzilla> yeah
04:19 < krzee> you may want to go routed and build a tool to manage the servers from headquarters
04:19 < krzee> thats what ild do
04:19 < Rienzilla> on our campus network (which is admittedly several thousand pc's) the broadcast overhead on ethernet was already several mbit
04:20 < Rienzilla> but several 100kbit would already be prohibitive for a hsdpa link
04:20 < Rienzilla> mmmh
04:21 < krzee> routed
04:21 < Rienzilla> good, I'll try to set up routed ones, with as little configuration on the client as humanly possible :)
04:21 < krzee> the client can be bare
04:21 < Rienzilla> do dhcp relay agents communicate to the dhcp server over tcp?
04:22 < krzee> just routes/push routes /iroutes on the server
04:22 < krzee> the clients all with same config, just changed dir for the files
04:22 < Rienzilla> hmmyes. but dhcp configuration will still be a little ugly
04:23 < Rienzilla> i'll give it a shot
04:23 < krzee> ya, thats what ild make a tool to automate
04:29 < Rienzilla> thanks so far guys
04:30 < cron2> dhcp relay goes over udp
04:30 < Rienzilla> udp is fine too
04:52 -!- frnknstn [~peter@204.12.227.75] has joined ##openvpn
05:04 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:08 < krzee> https://forums.openvpn.net/viewtopic.php?f=4&t=7002
05:08 < vpnHelper> Title: OpenVPN Forum View topic - OpenVPN-GUI registry entries on Windows 7 Pro (at forums.openvpn.net)
05:08 < krzee> too windows specific for me
05:31 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 245 seconds]
05:33 -!- dcode [~quassel@72-161-50-248.dyn.centurytel.net] has quit [Ping timeout: 240 seconds]
05:34 -!- frnknstn [~peter@204.12.227.75] has left ##openvpn ["Konversation terminated!"]
05:56 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has quit [Ping timeout: 260 seconds]
05:56 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined ##openvpn
05:59 -!- SOG [~SOG@61.144.230.241] has quit [Ping timeout: 245 seconds]
06:03 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
06:10 < kisom> Anyone know how i log off a user from a windows 2003 server?
06:10 < kisom> need to access the box but it has 2 people already logged on
06:11 < kisom> mstsc.exe /admin
06:12 < kisom> *writing down*
06:21 -!- takamichi [~pri@pm303-98-27.keyworld.net] has joined ##openvpn
06:28 -!- Cain` [~Geek@unaffiliated/cain] has joined ##openvpn
06:29 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
06:29 -!- Cain` is now known as Cain
06:35 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
07:16 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 276 seconds]
07:20 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Quit: leaving]
07:20 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
07:22 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
07:27 -!- clyons [~clyons@unaffiliated/clyons] has joined ##openvpn
07:28 -!- manevra [5f8fc057@gateway/web/freenode/ip.95.143.192.87] has joined ##openvpn
07:37 -!- SOG [~SOG@222.125.202.173] has quit [Remote host closed the connection]
07:37 -!- SOG [~SOG@n1192365104.netvigator.com] has joined ##openvpn
07:38 -!- SOG [~SOG@n1192365104.netvigator.com] has quit [Client Quit]
07:44 -!- Chaze [~Chase@dslb-084-059-056-056.pools.arcor-ip.net] has joined ##openvpn
07:44 -!- manevra [5f8fc057@gateway/web/freenode/ip.95.143.192.87] has quit [Quit: Page closed]
07:44 < Chaze> !nat
07:45 < vpnHelper> Chaze: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
07:45 < Chaze> !linnat
07:45 < vpnHelper> Chaze: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
07:45 < Chaze> this worked fine with my own box. now i have a VPS, and it's missing the adapter eth0
07:46 < Chaze> it has venet0, but iptables refuses to work with that
07:47 < Chaze> iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o venet0 -j MASQUERADE
07:47 < Chaze> iptables: No chain/target/match by that name
07:47 < Chaze> any clues?
08:03 < kisom> iptables -t nat -A POSTROUTING -o venet0 -s 10.8.0.0/24 -j SNAT --to x.x.x.x
08:03 < kisom> --to is the IP of your VPS
08:06 < Chaze> ok, that worked
08:06 < Chaze> i have almost no idea what i'm doing
08:06 < Chaze> so yeah, thanks
08:09 < kisom> :) np
08:09 -!- SOG [~SOG@n1192365104.netvigator.com] has joined ##openvpn
08:11 -!- clyons [~clyons@unaffiliated/clyons] has quit [Ping timeout: 240 seconds]
08:21 < Chaze> this is amazing, i'm up and runnig
08:25 < Chaze> is iptables persistant after a restart?
08:25 -!- clyons [~clyons@unaffiliated/clyons] has joined ##openvpn
08:29 < hyper_ch> Chaze: no
08:30 < Chaze> so i just put those in a startup script of my choice?
08:31 < hyper_ch> they are just simple commands to be run as root
08:31 < hyper_ch> so basically, make a file, add shebang like #!/bin/bash or so
08:31 < hyper_ch> write the commands in there
08:32 < hyper_ch> and have it executed at boot up
08:54 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Ping timeout: 252 seconds]
08:57 < kisom> Most distros have their own way to save iptables rules.
08:57 < kisom> Personally i just throw them into rc.local
09:01 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:03 -!- tmkd [user-448@clients.shells.eofnet.lt] has quit [Remote host closed the connection]
--- Log opened Tue Aug 17 09:11:54 2010
09:11 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
09:11 -!- Irssi: ##openvpn: Total of 108 nicks [5 ops, 0 halfops, 0 voices, 103 normal]
09:12 -!- Irssi: Join to ##openvpn was synced in 34 secs
09:31 < Meliorator> if i have a working windows installation of openvpn, can i make a backup of the install folder along with some unique conf/keys on to a usb stick, to use remotely on any windows pc i might need to connect from?
09:32 < hyper_ch> should work
09:33 < hyper_ch> problem might be if you tried to use the same keys from two different locations
09:33 < Meliorator> yeah, i'd create a set of "remote" keys + conf
09:33 < hyper_ch> that should work
09:34 < hyper_ch> the client.conf shouldn't have anything unique except for the key names
09:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
09:34 < hyper_ch> can't have two keys with the same name in the same location :)
09:35 < Meliorator> mmm, it might actually be useful to have a backup of both linux and windows versions on a usb stick
09:35 < Meliorator> could be super handy sometime
09:36 < Meliorator> would openvpn store anything on the machine i ran it on though?
09:36 < Meliorator> anything in syslogs or whatever?
09:36 < Meliorator> i'm guessing it would
09:37 < hyper_ch> possibly
09:37 < Meliorator> i wouldn't want anyone to be able to gain access to the vpn once i had killed the process and removed the usb stick
09:37 < hyper_ch> but don't you fully encrypt your system anyway?
09:37 < hyper_ch> the key shouldn't be stored in the logs or anywhere
09:37 < hyper_ch> so if you use keys nobody should be able to re-connect once you remove the stick
09:38 < Meliorator> yea, it shouldn't ... but i'd like to know 100% :p
09:38 < jpalmer> Meliorator: depending on the OS,  the keys and the passphrase could be stored in ram (and eventaully, saved to swap on disk)
09:38 < Meliorator> mmm true
09:38 < hyper_ch> what OS would do such a horrible thing?
09:38 < Meliorator> linux
09:38 < Meliorator> windows
09:38 < Meliorator> most
09:38 < hyper_ch> linux? LIES!!!!
09:38 < jpalmer> hyper_ch: many, if not most.   all OS's store data in memory.
09:39 < hyper_ch> well, storing data in ram is fine... but in swap
09:39 < jpalmer> almost all OS's have a "save unused RAM to swap" ability.
09:39 < Meliorator> swap is erm well swap gdamnit!!!
09:39 < hyper_ch> well, everything's encrypted here :)
09:39 -!- autoditac [~autoditac@p5DDC367C.dip.t-dialin.net] has joined ##openvpn
09:39 < Meliorator> that won't necessarily keep your data sage
09:39 < Meliorator> *safe
09:39 < jpalmer> hyper_ch: the decryption key is stored *somewhere*.   just food for thought.
09:40 < hyper_ch> it's stored in my brainz
09:40  * Meliorator nods and giggles
09:40 < Meliorator> *at jpalmer
09:40 -!- Kurogane [~kuro@190.87.69.217] has joined ##openvpn
09:40 < hyper_ch> and brainz is yummy
09:40 < jpalmer> hyper_ch: you had to give the *machine* the password at some point.  which means the computer is storing it somewhere too.
09:40 < hyper_ch> jpalmer: in the ram
09:40 < hyper_ch> which could be extracted by a cold-boot attack
09:40 < Meliorator> there's that issue
09:40 < jpalmer> ding ding ding.  circular conversation!
09:41 < Meliorator> but also, if i compromised a machine remotely, chances are the encrypted fs is already mounted for me
09:41 < Meliorator> more food for thought :)
09:41 < hyper_ch> linux machines don't get compromised :)
09:41 < Meliorator> buhhahahaha
09:41 < autoditac> hi. i remember that there is an option to make openvpn 2.1 check that the username submitted via auth-user-pass and the common name of the clients certificate match but i can't find it anywhere. does anybody here know?
09:41 < Meliorator> there are only 2 secure o/s's in this world right now
09:41 < Meliorator> and neither of them are linux
09:41 < hyper_ch> and you'll just need to have a kill switch that fries your ram modules if the police is knocking on your doors
09:42 < hyper_ch> linux is secure-ish
09:42 < Meliorator> acid, use acid!!!
09:43 < hyper_ch> just have a very strong EMP emitter on standby
09:43 < hyper_ch> doesn't matter if you EMP a couple of square kilometers just upon the knocking on your door
09:43 < Meliorator> must grab one of those next time i go to the supermarket
09:44 < hyper_ch> I still wonder, how can you protect your stuff from being EMPed?
09:44  * jpalmer wonders what hyper_ch is doing that he needs disk encryption AND a way to destroy ram if the police knock.  then decides it's best to not know.
09:45 < Meliorator> faranday cage
09:45 < hyper_ch> jpalmer: I could tell you... but then... I'd have to kill you :)
09:45 < hyper_ch> faraday works against EMPs?
09:45 < hyper_ch> it thought it only works against lightnings
09:45 < Meliorator> it stops lightning, so i'm guessin yes
09:45 < Meliorator> or at least must be possible, using same principle
09:46 < Meliorator> the fine chaps in #electronics will know
09:46 < hyper_ch> or google for an answer: http://www.aussurvivalist.com/nuclear/empprotection.htm
09:47 < vpnHelper> Title: AusSurvivalist - EMP Protection (at www.aussurvivalist.com)
09:47 < Meliorator> One mistaken idea is that EMP is like a powerful bolt of lightning. While the two are alike in their end results--burning out electrical equipment with intense electronic surges--EMP is actually more akin to a super-powerful radio wave. Thus, strategies based on using lightning arrestors or lightning-rod grounding techniques are destined to failure in protecting equipment from EMP.
09:47 < Meliorator> ok ok
09:47 < Meliorator> i was WRONG
09:47 < Meliorator> :|
09:48 < jpalmer> a faraday cage would (potentially) protect against an EMP.  being tht the cage is designed to block radio waves and such.
09:48 < Meliorator> the actual solution sounds relatively straight forward
09:49 < Meliorator> grrr
09:49 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
09:49 < Meliorator> i should have read the *whole* document
09:49 < Meliorator> A Faraday box is simply a metal box designed to divert and soak up the EMP. If the object placed in the box is insulated from the inside surface of the box, it will not be effected by the EMP travelling around the outside metal surface of the box. The Faraday box simple and cheap and often provides more protection to electrical components than "hardening" through circuit designs
09:49 < Meliorator> which can't be (or haven't been) adequately tested. 
09:49 < Meliorator> *sigh*
09:50 < Meliorator> so, it's a just a faraday box, rather than cage
09:50 < hyper_ch> so when I construct my home I should first make it a bit metal cage and then build around it
09:51 < jpalmer> they refer to both as the same thing.  the primary difference is a faraday box also covers the floor.
09:52 < Meliorator> though, if the box can have no gaps, there will be no air ciculation .... thus equipment will overheat ... so you'd need to refrigerate it!!
09:52 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
09:53 < hyper_ch> well, you can put holes in there for the windows and the doors
09:53 < hyper_ch> that would still absorb a lot of the emp thingy thingy
09:54 < hyper_ch> these boxes do NOT have to be airtight due to the long wave length of EMP; boxes can be made of wire screen or other porous metal.
09:55 < Meliorator> ehm, see under "Some initial thoughts on EMP protection from the US military packaging division."
09:57 < Meliorator> i guess if you made a building out of some hard metal that conducts well and made that double lined ... then put a cage in the middle, with the pc in that ... it would probably survive :p
10:00 < hyper_ch> and you could have a small metal mesh for the windows (benefit that flies and mosquitos can't enter) and also use some kind of metal mesh for the door somehow
10:01  * hyper_ch must protect his beloved netbook from the evils of an EMP
10:02 < jpalmer> hyper_ch: thats not exactly correct
10:03 < Meliorator> you should really join #electronics
10:03 < hyper_ch> what's not exactely correct?
10:03 < Meliorator> the guys are firing off the answers
10:03 < hyper_ch> I don't want anyone fire at me :(
10:03 < jpalmer> a faraday cage CAN be "not airtight" but the whole doors/windows thing isn't quite accurate.  the mesh of the cage has to be smaller than the wavelength you are trying to defend against.  a window or a door would allow the waves in.
10:03 < hyper_ch> how big are those wavelengths?
10:04 < jpalmer> smaller than a windows ;)
10:05 < jpalmer> hyper_ch: to give you an idea,  you're microwave uses the faraday principles to stop the waves from getting out.   ever notice the wire mesh in the front viewing glass of the microwave?
10:05 < hyper_ch> yeah
10:05 < jpalmer> that's essentially a faraday cage designed to keep the 2.4ghz wavelength inside the microwave.
10:05 < hyper_ch> so meshing the windows is not a big problem
10:06 < jpalmer> right, you have to have the window and doors meshed.
10:06 < hyper_ch> as said, additional benefits are that no flies and mosquitos can enter
10:06 < hyper_ch> you can have a mesh for the door either... like a second door
10:06 < Meliorator> nor can any human without compromising the 100% EMP protection
10:06 < hyper_ch> that also keeps out flies and mosquitos and stuff
10:06 < Meliorator> you better get your SLA right ;p
10:07 < hyper_ch> SLA?
10:07 < Meliorator> service level arrangement
10:07 < hyper_ch> :)
10:08 < Meliorator> ehm
10:08 < Meliorator> but we could actually go with Plan A
10:08 < Meliorator> the simple box
10:08 < Meliorator> as kindly pointed out in #electronics ... the heat could be conducted away through the box itself
10:09 < Meliorator> stick some HSF's on the outside and a few fans blowing on it ... job done
10:09 < jpalmer> Meliorator: that is usually handled by having a double faraday setup.    kinda like double doors.  the stuff you want to protect is inside the second door.   you open the first door,  walk in and shut it.  THEN open the second door to get to the goodies.
10:09 < hyper_ch> Meliorator: so, you're in #electronics?
10:09 < Meliorator> they say that's all well and good, but you can't actually ever achieve it, as there will always need to be a gap to allow electricty in, network connection etc
10:10 < hyper_ch> fiber optics is no carrier for emp
10:10 < Meliorator> all you can do is minimise how much gets through
10:10 < jpalmer> right.  you can't eliminate all.
10:10 < hyper_ch> and you can have your own power generator
10:10 < Meliorator> hyper_ch: no, but the hole in the box for the cable is
10:10 < Meliorator> ok
10:10 < Meliorator> yea
10:10 < hyper_ch> if it comes in from the ground of the earth
10:11 < Meliorator> so we have a hydrogen fuel cell in the box...
10:11 < Meliorator> or a nuclear reactor...
10:11 < Meliorator> some power source that'll last a hundred years say...
10:11 < hyper_ch> hmmm, running my own nuclear reactor
10:11 < hyper_ch> not if they invent holodecks first
10:11 < Meliorator> what will the pc do? ...it's gonna need to connet to the outside world to be useful
10:12 < hyper_ch> and replicators
10:12 < hyper_ch> Meliorator: I guess you don't have an inimate relationship with your netbook?
10:12 < Meliorator> both have kinda been done actually
10:12 < hyper_ch> 3d printers
10:12  * hyper_ch would download cars if he could
10:12 < Meliorator> holographics and replication of particles, both done
10:13 < Meliorator> i guess you could call some the plastics manufacturing processes something similar to being a 3d printer of sorts
10:13 < hyper_ch> wget Lamborhini > parking lot
10:14 < jpalmer> Lamborhini is the generic chinese knockoff of a lamborghini.  don't download the knockoff. get the real thing.
10:15 < hyper_ch> lol
10:15 < Meliorator> haha
10:34 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
10:42 -!- Kurogane [~kuro@190.87.69.217] has quit [Remote host closed the connection]
10:45 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:48 < ecrist> perhaps he doesn't have enough bandwidth for the real thing?
10:49 < jpalmer> maybe he's not man enough to handle the real thing :P
10:50 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Remote host closed the connection]
10:54 < hyper_ch> you're all so mean :(
10:54 < ecrist> at least we didn't compare it to downloading gay porn
10:57 < MetalWolf> !welcome
10:57 < vpnHelper> MetalWolf: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:59 < MetalWolf> !logs
10:59 < vpnHelper> MetalWolf: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
10:59 -!- killown [~killown@unaffiliated/killown] has quit [Ping timeout: 265 seconds]
11:00 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
11:02 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Client Quit]
11:05 -!- WormFood [~wormfood@183.38.15.182] has quit [Ping timeout: 265 seconds]
11:09 -!- mattock [~samuli@dyn55-11.yok.fi] has left ##openvpn []
11:15 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
11:15 -!- mode/##openvpn [+o mattock] by ChanServ
11:18 -!- WormFood [~wormfood@183.38.15.24] has joined ##openvpn
11:21 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:25 < grishnav> /20/2
11:44 -!- Hypnoz [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:55 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
12:02 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Read error: Connection reset by peer]
12:04 -!- krzee [~k@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
12:10 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
12:15 -!- WormFood [~wormfood@183.38.15.24] has quit [Quit: out to play with my CPU]
12:18 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
12:25 -!- dazo is now known as dazo_afk
12:30 < nat2610_> Should I tun or tap if I want the internet traffic to go through my vpn ? I just want a client in Europe to appear to be in the US where my vpn server (it's for a desktop application that uses geolocation to filter stuff) 
12:32 -!- openvpn2009 [~admin@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Quit: ircN 8.00 for mIRC (20080809) - www.ircN.org]
12:36 < nat2610_> other quesiton. I can connect to my vpn server but I can't ping the remote machine frome either side ... 
12:36 < nat2610_> like the server can't ping the ip of the client and the client can't ping the ip of the server (I'm talking about the tap-win32 ip and both the client and the server are windows)
12:40 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has joined ##openvpn
12:41 -!- autoditac [~autoditac@p5DDC367C.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
12:51 < kisom> nat2610_: disable the windows firewall
12:51 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
12:51 < kisom> and check the logs
12:51 < kisom> usually its some key related problem
12:54 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
12:56 -!- autoditac [~autoditac@p5DDC20BE.dip.t-dialin.net] has joined ##openvpn
13:07 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
13:10 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
13:10 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
13:11 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 252 seconds]
13:13 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
13:24 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
13:30 -!- JackCorleone [~root@187.101.55.26] has joined ##openvpn
13:39 < nat2610_> ok I'm 1 step after that I can ping correctly the server from the client, the client from the server, now when I do ping google.com, I see the dns resolution but the request times out, basically it doesn't go through I think
13:40 < nat2610_> I think I see the issue ...the gateway in the route is wrong
13:43 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
13:47 -!- Chaze [~Chase@dslb-084-059-056-056.pools.arcor-ip.net] has quit [Quit: Chaze]
13:49 -!- dazo_afk is now known as dazo
13:52 < nat2610_> something doens't look right; http://pastie.org/1098316 the 192.168.13.0 is my lan network. on my vpn I use the 10.8.0.0 netowkr
13:53 < nat2610_> but I have nothing at 10.8.0.9
13:53 < nat2610_> .1 is the gateway and .10 is the client ip
13:53 < nat2610_> where does that .9 comes from 
14:24 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:30 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
14:31 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has left ##openvpn []
14:31 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
14:37 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
14:37 < aguynamedben> hello, I have a somewhat noob-ish question, I have some fancy new-fangled fully distributed software running on say, 10 nodes, across different points on the internet.  Can OpenVPN, or an analogous distributed version, provide secure point-to-point connection between all 10 of the servers without routing the traffic through a server?  with OpenVPN, isn't all traffic proxied from the sending client to the remote OpenVPN ser
14:39 -!- ecrist changed the topic of ##openvpn to: OpenVPN 2.1.2 Most Current || 2.2beta2 Released 17-Aug-2010 || Your problem is your firewall, really. || Type  !welcome  before asking your questions. ||  Web Forum: http://forums.openvpn.net || Developers: #openvpn-devel
14:40 -!- ecrist changed the topic of ##openvpn to: OpenVPN 2.1.2 Most Current || 2.2-beta2 Released 17-Aug-2010 || Your problem is your firewall, really. || Type  !welcome  before asking your questions. ||  Web Forum: http://forums.openvpn.net || Developers: #openvpn-devel
14:47 -!- cj_ [~cjac@router0.colliertech.org] has joined ##openvpn
14:48 -!- WebFooL [~WebFooL@untangle/contributor/WebFooL] has joined ##openvpn
15:06 -!- dazo is now known as dazo_afk
15:42 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
15:45 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
15:46 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
15:50 -!- Martz^^ [~Martz@unaffiliated/martz] has quit [Quit: Leaving]
15:57 -!- autoditac [~autoditac@p5DDC20BE.dip.t-dialin.net] has left ##openvpn []
16:16 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.8/20100722155716]]
16:49 -!- takamichi [~pri@pm303-98-27.keyworld.net] has quit [Ping timeout: 240 seconds]
16:49 -!- takamichi [~pri@pm303-98-27.keyworld.net] has joined ##openvpn
16:51 <@Dougy> hey jeff or eric
16:51 <@Dougy> either of you around
16:52 -!- dKingston [~logic@unaffiliated/dkingston] has joined ##openvpn
16:52 < dKingston> yes hi
16:52 < dKingston> this is dkingston
16:52 <@Dougy> hi
16:53 <@Dougy> this is dougy
16:53 < dKingston> hello person-i-do-not-know
16:53 < dKingston> lulz
16:54 <@Dougy> meh
17:00 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
17:02 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:04 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 264 seconds]
17:06 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
17:25 <@Dougy> ecrist: 
18:08 < agagag> ls
18:15 -!- jaminja [~jaminja@74.81.170.4] has quit [Quit: "eternal trails in netvoid"]
18:51 < nat2610_> anyone to help me with my weired route 10.8.0.9 ?
18:51 -!- MWinther [~mw@78-70-197-141-no166.tbcn.telia.com] has joined ##openvpn
18:57 -!- MWinther [~mw@78-70-197-141-no166.tbcn.telia.com] has quit [Ping timeout: 252 seconds]
19:01 -!- MWinther [~mw@78-70-197-141-no166.tbcn.telia.com] has joined ##openvpn
19:02 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
19:06 -!- cj_ is now known as cj
19:55 -!- dcode [~dcode@72-161-50-248.dyn.centurytel.net] has joined ##openvpn
20:16 < ecrist> Dougy: what's up?
20:17 -!- jaminja [~jaminja@74.81.170.4] has joined ##openvpn
20:17 < dcode> Is it possible to use OpenVPN with X.509 certificate authentication with multiple CAs?
20:18 < dcode> I have a smartcard which I cannot change (DoD CAC), but I have a self-signed certificate in the OpenVPN server
20:19 < ecrist> dcode: you may be able to concat multiple CAs into a single PEM
20:19 < dcode> ecrist: hmmm...but I just need the CA certificates, right? Fat chance of getting a copy of the DOD CA keys
20:20 < dcode> :D
20:21 < ecrist> :)
20:22 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
20:24 -!- SOG [~SOG@n1192365104.netvigator.com] has quit [Quit: SOG]
20:27 -!- Kurogane [~kuro@190.87.69.217] has joined ##openvpn
20:32 < jaminja> strange issue which I've worked around: when ping-restart causes a "soft" reset the new connection hangs at TLS negotiation - if I then kick the process with USR1 it reconnects fine? Does the ping-restart send USR1 as well.. I can't seem to find a permanent fix for this
20:33 -!- brah [~brah@186.125.74.117] has joined ##openvpn
20:39 -!- Hypnoz [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Ping timeout: 265 seconds]
20:47 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
20:52 < ecrist> jaminja: #openvpn-devel
20:54 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
21:14 -!- SOG [~SOG@61.144.230.241] has quit [Read error: Connection reset by peer]
21:14 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
21:16 -!- SOG [~SOG@61.144.230.241] has quit [Read error: Connection reset by peer]
21:16 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
21:20 -!- SOG [~SOG@61.144.230.241] has quit [Remote host closed the connection]
21:21 -!- SOG [~SOG@n1192365104.netvigator.com] has joined ##openvpn
21:22 -!- SOG [~SOG@n1192365104.netvigator.com] has quit [Client Quit]
21:24 < jaminja> ecrist: ok thanks...
22:00 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
22:02 -!- dcode [~dcode@72-161-50-248.dyn.centurytel.net] has quit [Quit: Leaving]
22:02 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
22:10 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Quit: Quitte]
22:23 -!- ubbuntu [~ubbuntu@c-71-234-166-222.hsd1.ct.comcast.net] has joined ##openvpn
22:24 < ubbuntu> are the instructions in the 11th post (the first post on THAT page) https://forum.perfect-privacy.com/showthread.php?t=1823&page=2 good ?
22:24 < tjz> BBC weatherman gives the finger - http://www.youtube.com/watch?v=t2OcxFc48qA
22:24 < vpnHelper> Title: YouTube - BBC Weatherman Caught Giving The Middle Finger on LIVE TV (at www.youtube.com)
22:29 < ubbuntu> to be honest, i dont know what he's telling you to edit in the second box of code.
22:42 -!- ubbuntu [~ubbuntu@c-71-234-166-222.hsd1.ct.comcast.net] has quit [Quit: Leaving]
23:12 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
23:24 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
23:35 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Quit: Changing server]
23:49 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Quit: Leaving.]
23:57 -!- gh0st3r [~danielh@66.197.206.8] has joined ##openvpn
--- Day changed Wed Aug 18 2010
00:16 < gh0st3r> crap day
00:17 < gh0st3r> ok... how do i change openvpn from tunnel mode ipsec to transport mode?
00:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
00:41 -!- rawDawg [~rawdawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
00:47 -!- ubbuntu [~ubbuntu@c-71-234-166-222.hsd1.ct.comcast.net] has joined ##openvpn
00:52 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
00:54 <@Dougy> fook
00:55 <@Dougy> ecrist:  theres a forum post somewhere i need u to do tomorrow
00:55 <@Dougy> someone looking for some info on a 'james' on the ovpn team
00:55 <@Dougy> ttyl
01:00 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
01:09 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.8/20100722155716]]
01:09 -!- ubbuntu [~ubbuntu@c-71-234-166-222.hsd1.ct.comcast.net] has quit [Ping timeout: 265 seconds]
01:11 -!- rawDawg [~rawdawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
01:16 -!- mape2k [~mape2k@f053193044.adsl.alicedsl.de] has joined ##openvpn
01:29 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
01:33 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:33 -!- mode/##openvpn [+o mattock] by ChanServ
01:45 -!- killown [~killown@unaffiliated/killown] has joined ##openvpn
01:54 < gh0st3r> is there a decent "beginners" tutorial to openvpn anywhere? 
01:54 < gh0st3r> i can only find road warrior tutorials
01:58 < hyper_ch> !howto
01:58 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:06 -!- _zero__ [~zero@noc.toile-libre.net] has joined ##openvpn
02:06 -!- fremo___ [~fremo@noc.toile-libre.net] has joined ##openvpn
02:07 -!- _zero_ [~zero@noc.toile-libre.net] has quit [Ping timeout: 265 seconds]
02:07 -!- fremo__ [~fremo@noc.toile-libre.net] has quit [Ping timeout: 265 seconds]
02:07 -!- tjz_ [~pc@bb119-74-160-180.singnet.com.sg] has joined ##openvpn
02:11 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
02:11 < gh0st3r> what im trying to do is create a management network... so i have 3 servers
02:13 < gh0st3r> one vpn server and two vpn clients... what i want to be able to do is install snmp polling software (cacti) on the vpn server then have it be sent across the vpn and poll the other two servers...
02:13 < gh0st3r> do i need to create loopback addresses on each of the servers and then conncet to those or can i use tunnel addresses or?
02:21 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:27 -!- barfster [~barf@0127ahost2.starwoodbroadband.com] has joined ##openvpn
02:27 < barfster> What will happen if 2 subnets overlap?
02:29 < gh0st3r> barfster, of the loopback?
02:30 -!- gh0st3r [~danielh@66.197.206.8] has quit [Quit: Lost terminal]
02:30 < barfster> if I use 10.0.0.0 for transport
02:30 < barfster> and 10.0.0.0/24 is also the local network where I connect from
02:31 < barfster> I know this is redonkulus, but I just make an obvious example.
02:32 < Bushmills> routing your vpn subnet through tun will interrupt the connection (as it attempted to route transport through its own tunnel)
02:32 < Bushmills> after disconnect, client will reconnect, if set so, disconnect again, etc
02:45 -!- Ned [~martyn@202-61-3-148.cable5.acsdata.co.nz] has quit [Disconnected by services]
02:45 < barfster> But will that bring down the rest of the configuration?
02:51 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
02:52 -!- dazo_afk is now known as dazo
02:52 -!- mrak [~mrak@ip-85-161-159-21.eurotel.cz] has joined ##openvpn
02:53 < mrak> hello all
02:55 < mrak> !route
02:55 < vpnHelper> mrak: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
03:02 -!- gorkhaan [~gorkhaan@adsl-101-194.globonet.hu] has joined ##openvpn
03:08 -!- barfster [~barf@0127ahost2.starwoodbroadband.com] has quit [Quit: Get MacIrssi - http://www.sysctl.co.uk/projects/macirssi/]
03:13 -!- mrak [~mrak@ip-85-161-159-21.eurotel.cz] has quit [Quit: Leaving]
03:24 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Read error: Connection reset by peer]
03:24 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:48 -!- jaminja [~jaminja@74.81.170.4] has quit [Ping timeout: 240 seconds]
03:50 -!- jaminja [~jaminja@74.81.170.4] has joined ##openvpn
03:58 -!- mape2k [~mape2k@f053193044.adsl.alicedsl.de] has quit [Ping timeout: 265 seconds]
04:04 -!- takamichi [~pri@pm303-98-27.keyworld.net] has quit [Ping timeout: 276 seconds]
04:04 -!- takamichi [~pri@94-23-148-250.ovh.net] has joined ##openvpn
04:05 -!- reiffert [~thomas@mail.webersheim.de] has quit [Ping timeout: 276 seconds]
04:16 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
04:32 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
04:35 -!- reiffert [~thomas@mail.webersheim.de] has joined ##openvpn
04:42 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
04:44 -!- takamichi [~pri@94-23-148-250.ovh.net] has quit [Ping timeout: 245 seconds]
04:44 -!- takamichi [~pri@pm303-98-27.keyworld.net] has joined ##openvpn
04:55 -!- Kurogane [~kuro@190.87.69.217] has quit [Read error: Connection reset by peer]
05:02 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
05:22 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
05:51 -!- MWinther [~mw@78-70-197-141-no166.tbcn.telia.com] has quit [Ping timeout: 246 seconds]
06:00 -!- Aurelius [Sexy@cpc1-sgyl20-0-0-cust510.sgyl.cable.virginmedia.com] has joined ##openvpn
06:00 < Aurelius> !welcome
06:00 < vpnHelper> Aurelius: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:00 < Aurelius> !howto
06:00 < vpnHelper> Aurelius: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:07 -!- penrod [~pattonb@S01060016b6b53bd9.cg.shawcable.net] has quit [Ping timeout: 264 seconds]
06:09 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
06:10 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:12 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:29 -!- Cain` [~Geek@unaffiliated/cain] has joined ##openvpn
06:30 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
06:30 -!- Cain` is now known as Cain
06:32 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 248 seconds]
06:46 -!- JackCorleone [~root@187.101.55.26] has quit [Ping timeout: 265 seconds]
06:55 -!- circut [~circut@c-71-57-110-244.hsd1.il.comcast.net] has quit [Ping timeout: 276 seconds]
07:49 -!- takamichi [~pri@pm303-98-27.keyworld.net] has quit [Read error: Connection reset by peer]
07:50 -!- takamichi [~pri@pm303-98-27.keyworld.net] has joined ##openvpn
08:04 < havoc> so, getting openvpn on win7 requires disabling driver signing?
08:05 < ecrist> don't think so
08:05 < ecrist> a signed driver should be available in beta2
08:05 < havoc> "compatibility mode"?
08:05 < havoc> I was gonna use the latest stable
08:06 < ecrist> that would be beta2, wouldn't it?
08:06 -!- Rienzilla [rien@sinas.rename-it.nl] has quit [Quit: airree]
08:06 < havoc> don't think so
08:06 < havoc> beta != stable in any language I'm aware of
08:07 < havoc> 2.1.2 was it
08:07 < havoc> hmm, 3 days old, wow
08:08 < ecrist> havoc: take freebsd, for example.  they have a STABLE branch, which is less stable than their release candidates (which could be called beta releases)
08:08 < havoc> ok
08:38 < havoc> gah, TAP adapter will not install w/ 2.1.2
08:49 < ecrist> dazo: ^^^^
08:51 <@dazo> havoc: 2.1.2 has been released with not correctly signed drivers ... it's an issue James is looking into and trying to fix ... so for the moment 2.1.1/2.1.0 is the latest stable versions
08:52 < havoc> dazo: ah, very helpful, thanks :)
08:52 <@dazo> the 2.2-beta2 is about to be released soon too, with signed drivers as well ... but first James focuses on 2.1.2 issues
08:54 < havoc> so openvpn-2.1.1-install.exe should get me going then
08:55 -!- MetalWolf [~barry@92.236.100.252] has quit [Ping timeout: 245 seconds]
08:56 -!- MetalWolf [~barry@92.236.100.252] has joined ##openvpn
08:56 < havoc> WOOHOO!
08:57 < havoc> 2.1.1 worked
09:07 < havoc> now to fix the windows firewall
09:21 < hyper_ch> windows? firewall? fix? aren't those terms mutually exlusive to one another?
09:27 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:27 < gorkhaan> ty for the new openvpn version. :) best open source app ever.
09:32 < hyper_ch> new version?
09:33 < hyper_ch> openvpn --version
09:33 < hyper_ch> OpenVPN 2.1.0 
09:33 < hyper_ch> oh :(
09:35 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has joined ##openvpn
09:36 < pushpop> is there any way possible to connec to a openvpnas from a cisco vpn client?
09:37 < hyper_ch> does cisco use ssl?
09:39 < ecrist> openvpn and cisco SSL vpn are completely different.
09:39 < pushpop> so thats a big no?
09:39 < hyper_ch> sounds like it
09:40 < ecrist> yeah, big no
09:40 < hyper_ch> or ecrist could do some of his magic thingy stuff and then it would work together
09:46 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Remote host closed the connection]
09:46 -!- mattock1 [~samuli@dyn55-11.yok.fi] has joined ##openvpn
09:46 -!- mode/##openvpn [+o mattock1] by ChanServ
09:46 -!- tjz_ [~pc@bb119-74-160-180.singnet.com.sg] has quit [Quit: bbl.]
09:46 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
09:51 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
10:01 < vpnHelper> New forum entry forum: Server Administration :: Server IP :: Author baris <https://forums.openvpn.net/viewtopic.php?f=4&t=7018&p=7601#p7601> || Server Administration :: Re: Server IP :: Reply by Douglas <https://forums.openvpn.net/viewtopic.php?f=4&t=7018&p=7602#p7602>
10:14 -!- funkyHat [~m@funkyhat.org] has joined ##openvpn
10:14 < funkyHat> !welcome
10:14 < vpnHelper> funkyHat: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:14 < funkyHat> !route
10:14 < vpnHelper> funkyHat: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:20 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
10:31 < vpnHelper> New forum entry forum: Server Administration :: Re: LDAP Auth and Groups :: Reply by ecrist <https://forums.openvpn.net/viewtopic.php?f=4&t=7003&p=7603#p7603>
10:34 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
10:42 -!- Aurelius [Sexy@cpc1-sgyl20-0-0-cust510.sgyl.cable.virginmedia.com] has left ##openvpn []
11:02 < vpnHelper> New forum entry forum: Wishlist :: Re: Auto-tune mtu :: Reply by dazo <https://forums.openvpn.net/viewtopic.php?f=10&t=624&p=7605#p7605>
11:05 -!- macsppadic_ [~sonupunno@88.211.55.77] has joined ##openvpn
11:05 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Read error: Connection reset by peer]
11:05 -!- macsppadic_ is now known as macsppadic
11:09 -!- macsppadic [~sonupunno@88.211.55.77] has left ##openvpn []
11:10 -!- Dougy [me@208.99.80.128] has left ##openvpn []
11:10 -!- Dougy [me@208.99.80.128] has joined ##openvpn
11:10 < Dougy> fuck
11:10 < Dougy> lost my ops
11:10 < funkyHat> Don't you have an access list?
11:10 < Dougy> nope
11:10 < Dougy> ecrist gave me ops once
11:10 < Dougy> :p
11:11 < funkyHat> heh
11:15 -!- dazo is now known as dazo_afk
11:32 -!- Hypnoz [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:32 < vpnHelper> New forum entry forum: Wishlist :: Re: Auto-tune mtu :: Reply by ecrist <https://forums.openvpn.net/viewtopic.php?f=10&t=624&p=7606#p7606>
11:39 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
11:52 -!- WebFooL is now known as WebFooL|A
12:01 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
12:01 -!- batrick [~batrick@batbytes.com] has quit [Quit: leaving]
12:09 -!- batrick [~batrick@batbytes.com] has joined ##openvpn
12:13 -!- batrick [~batrick@batbytes.com] has quit [Client Quit]
12:14 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:15 -!- batrick [~batrick@batbytes.com] has joined ##openvpn
12:22 -!- batrick [~batrick@batbytes.com] has quit [Ping timeout: 276 seconds]
12:25 < havoc> yeah, my problem is the firewall, no kidding ;)
12:25  * havoc stabs win7
12:40 -!- batrick [~batrick@batbytes.com] has joined ##openvpn
12:41 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Quit: Leaving.]
12:46 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:58 < havoc> ecrist: beta2 is relatively stable then?
12:58 < ecrist> yes, it should be.
12:58 < ecrist> it's from the testing git tree which was, for the most part, usable.
12:59 < ecrist> the point of a beta is to be stable, and to get people to use it and report problems.
12:59 < ecrist> however, keep in mind it's a beta, so expect some issues.
13:01 < havoc> hmm, would that fact that I'm on 64b win7 matter?
13:02 < ecrist> don't know why it would.
13:02 -!- yakub [~www-data@unaffiliated/yakub] has joined ##openvpn
13:02 < havoc> either the win7 FW on it or the routes on it
13:02 < havoc> or the TAP is choking
13:02 < havoc> on 2.1.1 right now
13:03 < havoc> I guess I'll try beta2
13:04 < havoc> I shouldn't have to allow anything through the FW other than openvpn.exe for *everything*, right?
13:06 < yakub> im trying to revoke a key, what am i doing wrong? http://pastebin.com/ryTwqVvY
13:08 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
13:10 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:16 < havoc> ok, where is beta2?
13:16 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
13:23 -!- WebFooL|A is now known as WebFooL
13:24 < havoc> I'm not seeing it on the website
13:25 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 248 seconds]
13:26 < ecrist> no idea, I'll ask.
13:26 < ecrist> i updated freebsd yesterday
13:32 < havoc> ok
13:32 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
13:40 < yakub> how do i require an openvpn client need an entry in /ccd on the server to connect ?
13:40 -!- takamichi [~pri@pm303-98-27.keyworld.net] has quit [Ping timeout: 265 seconds]
13:41 < kisom> yakub: ccd-exclusive
13:42 < kisom> no ccd file == connection rejected
13:46 -!- takamichi [~pri@pm303-98-27.keyworld.net] has joined ##openvpn
13:57 < yakub> so what is ipp.txt used for?  the ip of my openvpn client is not in there
13:57 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 248 seconds]
13:57 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:59 < yakub> i fixed my problem in http://pastebin.com/ryTwqVvY by commenting out the pkcs engine section in openssl.cnf
14:32 -!- gorkhaan [~gorkhaan@adsl-101-194.globonet.hu] has quit [Quit: Távozom]
14:32 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Read error: Operation timed out]
14:33 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined ##openvpn
14:47 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
14:52 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
15:13 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 252 seconds]
15:31 -!- killown [~killown@unaffiliated/killown] has quit [Quit: Saindo]
15:31 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 248 seconds]
15:38 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
15:48 -!- herr [~brah@186.125.74.117] has joined ##openvpn
15:56 -!- Cain` [~Geek@unaffiliated/cain] has joined ##openvpn
15:56 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
15:57 -!- laieman_ [~elsn@global-se-vxj-91-198-48-25.static.host.s9.se] has joined ##openvpn
15:57 -!- herr [~brah@186.125.74.117] has quit [Quit: Leaving]
15:57 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has quit [Disconnected by services]
15:58 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
15:58 -!- laieman [~elsn@global-se-vxj-91-198-48-25.static.host.s9.se] has quit [Write error: Broken pipe]
15:58 -!- straterra [~straterra@fuhell.com] has quit [Read error: Operation timed out]
15:58 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Read error: Operation timed out]
15:58 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
15:58 -!- takamichi [~pri@pm303-98-27.keyworld.net] has quit [Ping timeout: 252 seconds]
15:58 -!- Fiouz_ [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has joined ##openvpn
15:58 -!- takamichi [~pri@pm303-98-27.keyworld.net] has joined ##openvpn
15:58 -!- Cain` is now known as Cain
15:58 -!- straterra [~straterra@fuhell.com] has joined ##openvpn
15:59 < nat2610_> I created a vpn connection "redirect-gateway def1" between a server and client on windows7 and I'm almost there: I can connect, I can ping the both the tap-win32 and ehternet controller over the tunnel, now when I do ping google.com, I can see the dns reosltuion but it doesn't ping 
15:59 < nat2610_> I get some time out
15:59 < nat2610_> what should I check ? 
15:59 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined ##openvpn
16:01 -!- Fiouz_ is now known as Fiouz
16:03 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 240 seconds]
16:06 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
16:22 -!- mattock1 [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
16:31 -!- Cain [~Geek@unaffiliated/cain] has quit [Quit: Sayaunara ^_^]
16:52 < havoc> bah
16:54 < havoc> so, is there a windows installer for 2.2beta2?
16:55 -!- Diffen2 [~diffen2@user8.85-195-0.netatonce.net] has joined ##openvpn
17:00 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Read error: Connection reset by peer]
17:04 -!- Diffen2 [~diffen2@user8.85-195-0.netatonce.net] has quit [Quit: This computer has gone to sleep]
17:06 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
17:15 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:15 -!- brah [~brah@186.125.74.117] has quit [Quit: Leaving]
17:33 < vpnHelper> New forum entry forum: Annoucements :: OpenVPN 2.1.2 Released :: Author Andrew <https://forums.openvpn.net/viewtopic.php?f=20&t=7021&p=7609#p7609>
17:35 -!- Friar [~nathan@188-193-248-101-dynip.superkabel.de] has joined ##openvpn
17:37 < Friar> I'm getting an error from kvpnc saying something about scrip security setting could this be why I'm not logging in? my host is on a clearOS box and my client is on ubuntu. I'm using kvpnc
17:38 < Bushmills> warning? ignore
17:39 < Bushmills> unless you want your client to execute scripts on openvpn events
17:40 < Friar> i think it is a warning, but then the window just hangs there and says Conecting...   about a minute later is pops up the same error again.
17:40 < Bushmills> that problem is unrelated to the script security warning
17:41 < Friar> so is there a way to figure out why I'm not getting logged in? I copied 4 files from my server for open vpn configuration.
17:41 < Friar> ca-cert.pem
17:42 < Friar> client-nathan-cert.pem
17:42 < Friar> client-nathan-key.com
17:42 < Bushmills> yes. studying the logs, both server and client, is a good start
17:42 < Friar> and server.neezer.poweredbyclear.com.ovpn
17:43 < Friar> ok.
17:53 -!- Friar [~nathan@188-193-248-101-dynip.superkabel.de] has quit [Quit: Leaving]
17:58 -!- silverFox [~guess@189-19-51-134.dsl.telesp.net.br] has joined ##openvpn
17:58 < silverFox> !welcome
17:58 < vpnHelper> silverFox: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:58 -!- dKingston [~logic@unaffiliated/dkingston] has quit [Quit: due to my rather large weechat windows size (55), i'm going to restart weechat to put myself back to sanity]
17:58 < silverFox> !howto
17:58 < vpnHelper> silverFox: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:59 < silverFox> !route
17:59 < vpnHelper> silverFox: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:03 < vpnHelper> New forum entry forum: Server Administration :: Re: Upgrade from 2.09 gone bad :: Reply by Rival <https://forums.openvpn.net/viewtopic.php?f=4&t=7016&p=7604#p7604> || Server Administration :: Issues with the new 2.1.2 client and driver signature. :: Author shawntech <https://forums.openvpn.net/viewtopic.php?f=4&t=7019&p=7607#p7607> || Server Administration :: Re: Server IP :: Reply by Andrew <https://forums.openvpn.net/viewtopic.php
18:03 < silverFox> g'evening guys, is there anyone that can help with a quick setup question?
18:06 < silverFox> nope?
18:06 < Bushmills> unsufficient information. answer unknown.
18:06 < abeehc-_> question unknown
18:07 < Bushmills> my guess would be "no, nobody knows"
18:07 < abeehc-_> i'd guess it's your firewall
18:08 < Bushmills> i amend my answer.  abeehc-_knows
18:08 < silverFox> basically I have the following, a ubuntu machine which is direcly connect to the internet (having a public address) <-- running openVPN server
18:09 < silverFox> and behind a router (in a lan), i got a bunch of clients...
18:09 < havoc> so that 2.1.2 release, is that the fixed release?
18:09 < havoc> ...the whole signed driver problem thing?
18:10 -!- silverFox [~guess@189-19-51-134.dsl.telesp.net.br] has quit []
18:22 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
18:24 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Quit: leaving]
18:25 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
18:35 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Quit: leaving]
18:42 -!- Kurogane [~kuro@190.87.69.217] has joined ##openvpn
18:44 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined ##openvpn
19:03 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
19:06 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Client Quit]
19:08 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
19:09 -!- jaminja [~jaminja@74.81.170.4] has quit [Quit: Reconnecting]
19:09 -!- jaminja [~jaminja@74.81.170.4] has joined ##openvpn
19:19 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
19:25 < nat2610_> I created a vpn connection "redirect-gateway def1" between a server and client on windows7 and I'm almost there: I can connect, I can ping the both the tap-win32 and ehternet controller over the tunnel, now when I do ping google.com, I can see the dns reosltuion but it doesn't ping, it times out... anyone can help me to troubleshoot that ? Is it an issue with the route ? 
19:25 -!- gh0st3r [~gh0st@72.52.127.185] has joined ##openvpn
19:26 < gh0st3r> ok, i have an openvpn server setup, i have an openvpn client setup
19:26 < gh0st3r> they connect, i can see the client in ipp.txt on the server...
19:26 < gh0st3r> but i can't ping between the two... the openvpn client shows http://pastebin.com/N9eiKaYn
19:27 < gh0st3r> but the server shows... houndras.poweredsecurity.com,10.232.40.4
19:27 < gh0st3r> so it seems the client thinks its 10.232.40.6 but the server thinks the client is 10.232.40.4 how do i solve this?
19:35 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
19:40 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
19:57 -!- gh0st3r [~gh0st@72.52.127.185] has quit [Quit: leaving]
20:41 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Quit: Leaving.]
20:41 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
20:41 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Remote host closed the connection]
21:01 -!- Hypnoz [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Ping timeout: 265 seconds]
21:29 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has joined ##openvpn
21:37 -!- Hypnoz [~X@adsl-99-19-50-73.dsl.pltn13.sbcglobal.net] has joined ##openvpn
21:39 -!- Squillis [~Squillis@asciipr0n.com] has joined ##openvpn
21:39 < Squillis> evening
21:49 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
21:51 -!- SOG [~SOG@61.144.230.241] has quit [Remote host closed the connection]
21:51 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
21:56 -!- SOG [~SOG@n1192365104.netvigator.com] has joined ##openvpn
22:01 -!- SOG [~SOG@n1192365104.netvigator.com] has quit [Ping timeout: 255 seconds]
22:04 -!- SOG [~SOG@n1192365104.netvigator.com] has joined ##openvpn
22:06 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
22:10 -!- Hypnoz [~X@adsl-99-19-50-73.dsl.pltn13.sbcglobal.net] has quit [Ping timeout: 264 seconds]
22:12 -!- SOG [~SOG@n1192365104.netvigator.com] has quit [Ping timeout: 240 seconds]
22:16 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
22:49 -!- Squillis [~Squillis@asciipr0n.com] has left ##openvpn []
22:52 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
23:07 < jetole> Does anyone know what can cause "TLS Error: local/remote TLS keys are out of sync: 192.168.0.203:1088 [0]". I seem to be getting it constantly on windows laptop and I have used this identical setup on a dozen windows laptops all with unique crt and key files for the client
23:22 -!- corretico [~laguilar@201.201.44.82] has joined ##openvpn
23:32 < jetole> agh I don't get this. I created new crt and key files for this client and I am getting AUTH_FAIL followed by "TLS Error: local/remote TLS keys are out of sync: 192.168.0.203:1088 [0]" and I reinstalled the ta.key file and the ca.crt file and I then did an identical setup on another windows laptop now using the identical client installer and it's working fine and it's driving me nuts here
23:42 -!- jaminja [~jaminja@74.81.170.4] has left ##openvpn [""branch reality rc = 0""]
--- Day changed Thu Aug 19 2010
00:34 < vpnHelper> New forum entry forum: Server Administration :: Re: Issues with the new 2.1.2 client and driver signature. ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7019&p=7611#p7611> || Server Administration :: Re: I'm having an issue with OpenVPN v2.1.1 :: Reply by Douglas <https://forums.openvpn.net/viewtopic.php?f=4&t=7009&p=7612#p7612>
00:39 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
00:43 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
00:50 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
00:51 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
00:59 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
00:59 -!- mode/##openvpn [+o mattock] by ChanServ
01:37 -!- gorkhaan [~gorkhaan@adsl-101-194.globonet.hu] has joined ##openvpn
01:41 -!- rainer_ [~rainer@84.112.207.219] has joined ##openvpn
01:45 -!- Kurogane [~kuro@190.87.69.217] has quit [Remote host closed the connection]
01:47 < rainer_>  Hello, I kindly please for your help. I have openvpn running on my laptop (client) and my server (server).  I would like to use my laptop as if I would connect it by a cable to my LAN, when the tunnel is established. Well, I have access to my LAN, but I have to manually edit /etc/resolv.conf then to enforce my office's DNS, and then I still cannot resolve addresses other then my local/internal domain's ones.    Can somebody, please, help?   CFurrently I 
01:47 < rainer_> have to open and close the tunnel repeatedly, depending on if I want to access the Internet or my local LAN. -- nasty.
01:50 < rainer_> I think it will be the best that really everything is routed through the tunnel into my office as long as the tunnel is open.
02:01 < theDoc> rainer_, Your internal DNS server is not handled to process external queries.
02:03 -!- gorkhaan [~gorkhaan@adsl-101-194.globonet.hu] has quit [Remote host closed the connection]
02:05 < rainer_> That is not true.   It is configured to answer queries from all hosts, I restrict access by closing the DNS-port in the firewall.   It also answers/resolves queries to local machines (in the LAN).
02:06 < rainer_> If it would not allow queries, it would also not answer the local machines?
02:08 < theDoc> rainer_, I meant it as, your internal DNS servers do not resolve external domains.
02:09 < rainer_> Sure, they do that, too. All my workstations use this DNS I also want to use from outdoors through openvpn.
02:10 < rainer_> (This is because I stored the IPs of my customers in my internal DNS, too. Makes life easier.
02:11 < theDoc> rainer_, First off, why are you having to manually edit /etc/resolv.conf to enforce your office DNS? Use the --push options to push DNS settings to the client.
02:12 < rainer_> I am not very familiar with openvpn configuration. I'd be happy if everything would work automatically, but that exceeded my knowledge.
02:12 < theDoc> and if you *CANNOT* handle external domains after using your *internal* DNS, it is *NOT* an openvpn problem. The problem now lies with your DNS server.
02:13 < rainer_> Can you, please, tell me how to add this push option to my openvpn server?
02:13 < theDoc> !howto
02:13 < vpnHelper> theDoc: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:13 < theDoc> Sec, checking.
02:14 < theDoc> For example, suppose you would like connecting clients to use an internal DNS server at 10.66.0.4 or 10.66.0.5 and a WINS server at 10.66.0.8. Add this to the OpenVPN server configuration:
02:14 < theDoc> push "dhcp-option DNS 10.66.0.4"
02:14 < theDoc> push "dhcp-option DNS 10.66.0.5"
02:14 < theDoc> push "dhcp-option WINS 10.66.0.8"
02:16 < rainer_> Can I also push the local domain to be used? (This is an internal, inofficial name.)
02:17 < rainer_> This is, because I get all those settings initially set by the WLAN in the hotel, and so I have to change them after opening the tunnel.
02:18 < theDoc> rainer_, Sorry, no idea about the domain name.
02:22 < rainer_> Ok. Another minor thing:   In my weekend house, the current setting works fine, as I have there (again) a local DNS with the local domain there. It uses my office's DNS as follow-up, who in turn uses the Internet.   My weekend house also uses openvpn, and there it works.   This "push" will possibly harm that, so I must exclude this one vpn-client. Is this possible? 
02:26 < theDoc> rainer_, look into ccd
02:26 < theDoc> !google ccd openvpn
02:26 < vpnHelper> theDoc: OpenVPN 2.0 HOWTO: <http://www.openvpn.net/howto.html>; [Openvpn-users] Fixed IP / ccd problem.: <http://openvpn.net/archive/openvpn-users/2005-07/msg00283.html>; OpenVPN riseup labs: <http://riseuplabs.org/grimoire/networking/openvpn/>
02:32 -!- rainer_ [~rainer@84.112.207.219] has quit [Read error: Connection reset by peer]
02:44 -!- Diffen2 [~diffen2@user8.85-195-0.netatonce.net] has joined ##openvpn
02:50 -!- dazo_afk is now known as dazo
03:02 -!- Netsplit *.net <-> *.split quits: Optic, meepmeep, MadTBone, pushpop, Nappy, agagag, aguynamedben, JodaZ_, rasengan, Niklas-_,  (+25 more, use /NETSPLIT to show all of them)
03:06 -!- Netsplit over, joins: jpalmer
03:17 -!- dazo [~dazo@nat/redhat/x-jctdhsbbptdppozu] has joined ##openvpn
03:17 -!- mode/##openvpn [+o dazo] by ChanServ
03:44 -!- WebFooL [~WebFooL@untangle/contributor/WebFooL] has quit [Remote host closed the connection]
03:45 -!- reiffert [~thomas@mail.webersheim.de] has quit [Quit: leaving]
03:48 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has joined ##openvpn
03:48 -!- plaerzen [~carpe@vip1.tundraeng.com] has joined ##openvpn
03:48 -!- Optic [~Optic@67.205.74.218] has joined ##openvpn
03:48 -!- Agin [~Agin@greenzone.copyleft.no] has joined ##openvpn
03:48 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined ##openvpn
03:48 -!- oc80z [oc80z@blea.ch] has joined ##openvpn
03:51 -!- mape2k [~mape2k@2001:638:904:ffc4:221:86ff:fe98:93a2] has joined ##openvpn
03:51 -!- straterra [~straterra@fuhell.com] has joined ##openvpn
03:54 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:57 -!- yakub_ [~www-data@i.dont.get.mad.i.get.stabby.net] has joined ##openvpn
03:58 -!- naquad_ [~naquad@174.142.224.219] has joined ##openvpn
03:58 -!- fr00d [fr00d@unaffiliated/fr00d] has quit [Disconnected by services]
03:58 -!- fr00d [fr00d@unaffiliated/fr00d] has joined ##openvpn
03:59 -!- Champi_ [Champi@damn.e-leet.be] has joined ##openvpn
04:04 -!- Netsplit *.net <-> *.split quits: Optic, Visual`, Fiouz, pushpop, sno, julius, havoc, takamichi, d12fk, Champi,  (+33 more, use /NETSPLIT to show all of them)
04:04 -!- Champi_ is now known as Champi
04:04 < vpnHelper> New forum entry forum: Installation Help :: Re: Is it a problem with openvpn or virtualbox ? :: Reply by cakemaker <https://forums.openvpn.net/viewtopic.php?f=5&t=7012&p=7613#p7613>
04:07 -!- theDoc [~Link@173.236.41.36] has joined ##openvpn
04:07 -!- theDoc [~Link@173.236.41.36] has quit [Changing host]
04:08 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
04:10 -!- Netsplit over, joins: krphop
04:12 -!- dazo [~dazo@nat/redhat/x-jctdhsbbptdppozu] has joined ##openvpn
04:12 -!- funkyHat [~m@funkyhat.org] has joined ##openvpn
04:12 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
04:12 -!- th1 [~th@cpc1-cmbg15-2-0-cust361.cmbg.cable.virginmedia.com] has joined ##openvpn
04:12 -!- julius [~julius@217.20.127.15] has joined ##openvpn
04:12 -!- cron2 [~gert@kirk.greenie.muc.de] has joined ##openvpn
04:12 -!- tr4sk [~tr4sk@alfred.biboum.fr] has joined ##openvpn
04:12 -!- havoc [~havoc@neptune.chaillet.net] has joined ##openvpn
04:12 -!- ServerMode/##openvpn [+o dazo] by zelazny.freenode.net
04:13 -!- RedT0mt01 [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has joined ##openvpn
04:13 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
04:13 -!- takamichi [~pri@pm303-98-27.keyworld.net] has joined ##openvpn
04:13 -!- laieman_ [~elsn@global-se-vxj-91-198-48-25.static.host.s9.se] has joined ##openvpn
04:13 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
04:13 -!- Dougy [me@208.99.80.128] has joined ##openvpn
04:13 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined ##openvpn
04:13 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
04:13 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
04:13 -!- LowKey [rhel@unaffiliated/lowkey] has joined ##openvpn
04:13 -!- Bogus8 [~Nunya@ip68-226-131-28.lf.br.cox.net] has joined ##openvpn
04:13 -!- |Mike| [mike@2001:1af8:2:444::2] has joined ##openvpn
04:13 -!- sno [~sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn
04:13 -!- raidz [~Andrew@seance.openvpn.org] has joined ##openvpn
04:13 -!- baffle [baffle@shell.eunet.no] has joined ##openvpn
04:13 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined ##openvpn
04:13 -!- ike [ike@unaffiliated/ike] has joined ##openvpn
04:13 -!- ServerMode/##openvpn [+o raidz] by zelazny.freenode.net
04:14 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has joined ##openvpn
04:14 -!- plaerzen [~carpe@vip1.tundraeng.com] has joined ##openvpn
04:14 -!- Optic [~Optic@67.205.74.218] has joined ##openvpn
04:14 -!- Agin [~Agin@greenzone.copyleft.no] has joined ##openvpn
04:14 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined ##openvpn
04:14 -!- oc80z [oc80z@blea.ch] has joined ##openvpn
04:14 -!- mape2k [~mape2k@2001:638:904:ffc4:221:86ff:fe98:93a2] has joined ##openvpn
04:14 -!- straterra [~straterra@fuhell.com] has joined ##openvpn
04:15 -!- Netsplit *.net <-> *.split quits: Optic, Visual`, RedT0mt01, pushpop, sno, julius, takamichi, havoc, d12fk, Dougy,  (+23 more, use /NETSPLIT to show all of them)
04:17 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has joined ##openvpn
04:17 -!- Netsplit over, joins: straterra, mape2k, oc80z, kloeri, Agin, Optic, plaerzen, pushpop, ike, Bushmills (+23 more)
04:19 -!- JodaZ_ [~JodaZ@ns302312.ovh.net] has joined ##openvpn
04:19 -!- kyle___ [~kyle@80.67.14.16] has joined ##openvpn
04:19 -!- cshaiku [~cshaiku@cshaiku.com] has joined ##openvpn
04:19 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
04:19 -!- MadTBone [~MadTBone@160.39.238.196] has joined ##openvpn
04:19 -!- raw_ [~raw@chipotle118.server4you.de] has joined ##openvpn
04:20 -!- LeRrA [~lerra@c-9b9872d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined ##openvpn
04:20 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined ##openvpn
04:20 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has joined ##openvpn
04:20 -!- RichiH [~richih@freenode/staff/richih] has joined ##openvpn
04:20 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
04:20 -!- Niklas-_ [~niklas@217.116.253.195] has joined ##openvpn
04:20 -!- fbh [fbh@unaffiliated/fbh] has joined ##openvpn
04:20 -!- Typone [~nnnnnnnit@195.197.184.87] has joined ##openvpn
04:20 -!- 94SAAGLDN [bnc00026@user.unregistered.de] has joined ##openvpn
04:20 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
04:20 -!- jwm [jwm@74.208.185.36] has joined ##openvpn
04:20 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
04:20 -!- RedShift [~glenn@apollo.webmind.be] has joined ##openvpn
04:21 -!- Cain [~Geek@41.141.252.98] has joined ##openvpn
04:21 -!- MetalWolf [~barry@92.236.100.252] has joined ##openvpn
04:21 -!- eN_Joy [~eN_Joy@jindan.chem.ou.edu] has joined ##openvpn
04:21 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has joined ##openvpn
04:21 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
04:21 -!- Meliorator [m@dunnington.eu] has joined ##openvpn
04:21 -!- rasengan [~rasengan@96.43.136.14] has joined ##openvpn
04:21 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
04:21 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined ##openvpn
04:21 -!- Netsplit *.net <-> *.split quits: th1, grishnav, @dazo
04:22 -!- Netsplit *.net <-> *.split quits: julius, funkyHat, havoc, cron2, tr4sk, ivenkys, Cain, Meliorator, rasengan, meepmeep
04:22 -!- Netsplit *.net <-> *.split quits: MetalWolf, freaky[t], eN_Joy, Saar
04:22 -!- Netsplit *.net <-> *.split quits: Optic, Visual`, RedT0mt01, MadTBone, Fiouz, pushpop, sno, Nappy, agagag, takamichi,  (+35 more, use /NETSPLIT to show all of them)
04:23 -!- naquad_ [~naquad@174.142.224.219] has quit [Quit: ZNC - http://znc.sourceforge.net]
04:23 -!- naquad [~naquad@174.142.224.219] has joined ##openvpn
04:35 -!- Netsplit over, joins: Cain
04:35 -!- nb [~nb@sanjose01.nb.tc] has joined ##openvpn
04:35 -!- Netsplit over, joins: ivenkys, meepmeep, rasengan, Meliorator, freaky[t], Saar, eN_Joy, MetalWolf, RedShift, Nappy (+51 more)
04:36 -!- 94SAAGLDN is now known as spq`
04:36 -!- Cain is now known as Guest92688
04:36 -!- nb is now known as Guest14138
04:39 -!- Guest92688 [~Geek@41.141.252.98] has quit [Ping timeout: 240 seconds]
04:41 -!- Cain [~Geek@41.141.252.98] has joined ##openvpn
04:41 -!- Cain [~Geek@41.141.252.98] has quit [Changing host]
04:41 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
04:50 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:00 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Leaving]
05:10 <@dazo> gee ... not a good day for FreeNode ....
05:18 < kisom> as always
05:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:52 -!- SOG_ [~SOG@61.144.230.241] has joined ##openvpn
05:54 -!- SOG_ [~SOG@61.144.230.241] has quit [Client Quit]
05:55 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:55 -!- SOG [~SOG@61.144.230.241] has quit [Ping timeout: 252 seconds]
06:06 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
06:09 -!- SOG [~SOG@61.144.230.241] has quit [Client Quit]
06:29 -!- Cain` [~Geek@unaffiliated/cain] has joined ##openvpn
06:30 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 240 seconds]
06:30 -!- Cain` is now known as Cain
06:41 -!- Chaze [~Chase@dslb-084-059-142-154.pools.arcor-ip.net] has joined ##openvpn
06:42 < Chaze> hey. is it possible to monitor traffic per client? I'd just like a total number of bytes per connection
06:45 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
06:49 < hyper_ch> as each client has it's own IP you should be able to monitor their traffic
06:49 < Chaze> hyper_ch: but their ips are assigned dynamically right?
06:50 < hyper_ch> you can give them static ips
06:50 < Chaze> how do i know which client (which i can identify by their key file), gets which ip
06:50 < Chaze> i see
06:50 < hyper_ch> !ccd
06:50 < vpnHelper> hyper_ch: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
06:50 < Chaze> so how do i measure traffic in general?
06:52 < hyper_ch> there are tools to do that, but I haven't really used them
06:52 < hyper_ch> you're on linux or windows?
06:52 < Chaze> linux
06:53 < hyper_ch> maybe something here helps:  http://www.ubuntugeek.com/bandwidth-monitoring-tools-for-linux.html
06:53 < vpnHelper> Title: Bandwidth Monitoring Tools For Linux | Ubuntu Geek (at www.ubuntugeek.com)
06:53 < hyper_ch> Bandwidthd - this one looks interesting
06:54 < hyper_ch> . Charts are built by individual IPs, and by default display utilization over 2 day, 8 day, 40 day, and 400 day periods
06:54 -!- mape2k [~mape2k@2001:638:904:ffc4:221:86ff:fe98:93a2] has quit [Read error: Operation timed out]
06:54 < Chaze> indeed, looks neat
06:56 < hyper_ch> well, go through that list and read description and thest it out
06:56 < hyper_ch> :) with the client config dirs you can bind keys to ips
06:59 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
07:02 < Chaze> just what i needed hyper_ch, cheers!
07:02 < hyper_ch> enjoy
07:03 -!- mape2k [~mape2k@2001:638:904:ffc4:221:86ff:fe98:93a2] has joined ##openvpn
07:06 < havoc> morning
07:06 -!- ivenkys_ [~ivenkys@unaffiliated/ivenkys] has joined ##openvpn
07:09 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has quit [Ping timeout: 276 seconds]
07:10 < havoc> is the signed driver in 2.1.2 fixed yet, or is a 2.2beta2 windows installer available?
07:13 < ecrist> Chaze: openvpn does this for you in the status log
07:13 < ecrist> no need for another program
07:13 < ecrist> if you want to save the data, you need to save the values with a client disconnect script
07:15 < Chaze> ecrist: do i need some special log level?
07:16 < ecrist> status /var/openvpn/openvpn-status.log15
07:17 < ecrist> see --status in the man page
07:17 -!- engrxyz [~adfadf@82-68-236-158.dsl.in-addr.zen.co.uk] has joined ##openvpn
07:17 < hyper_ch> :)
07:17 < ecrist> the header is: Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
07:17 < Chaze> ecrist: no /var/openvpn
07:17 < ecrist> you can log all that data with a disconnect script
07:17 < ecrist> Chaze: read the man page
07:18 < ecrist> that's the config line out of my server config
07:18 < Chaze> right
07:37 < Chaze> just so i don't make a mistake: i use openvpn as an endpoint to the internet. those bytes sent/received is only the communication from client to server
07:37 < Chaze> if the server relays connections to the internet, that's not in there
07:37 < Chaze> correct?
07:37 < ecrist> right
07:37 < Chaze> so i better double that number
07:40 -!- sgtarr [~sgt@grim.rasterburn.org] has joined ##openvpn
07:41 < sgtarr> Ok this may be a silly question. I created an OpenVPN server (routed), and now a client has connected to it. He got IP 10.8.0.6.  The server-side LAN runs IP range 192.168.1.0/24. And..
07:41 < sgtarr> He can access 192.168.1.0/24, but the other hosts on the server side LAN need to access 10.8.0.6.  
07:43 < sgtarr> I've enabled IP forwarding on the OpenVPN machine (192.168.1.2), and I've set the server-side hosts (e.g. 192.168.1.50) routing tables to find 10.8.0.0 network via 192.168.1.2
07:43 < sgtarr> What else do I need to do?
07:44 < Chaze> sgtarr: got started with openvpn just yesterday, but did you enable "client-to-client" ?
07:45 < sgtarr> I didn't...
07:45 < Chaze> try putting the line "client-to-client" in your server config. from what i remember reading, this allows clients to see each other
07:46 < sgtarr> Chaze: should server-side LAN hosts be able to ping 10.8.0.1 (the openvpn tun interface) in that way?  I've set their route up so that the 10.8.0.0 is routed through the openvpn's ip (192.168.1.2)
07:47 < sgtarr> Chaze: and I tried that now, they just can't ping even 10.8.0.1.  Can you test on your setup?
07:47 < Chaze> you should be able to ping 10.8.0.1 no matter what
07:48 < Chaze> something's wrong then, someone else here might be able to help you
07:48 < sgtarr> Chaze: I can frmo the openvpn machine, but not from the server-side LAN where they use 192.168.1.0 network
07:48 < sgtarr> I can ping both the 10.8.0.1 and the client on 10.8.0.6 from the openvpn machine, in fact
07:52 < sgtarr> Actually - I can ping 10.8.0.1 (the openvpn server's tun interface) from the server side LAN, just not the 10.8.0.6 (the client that connected)
08:26 < sgtarr> Ok, solved it.
08:26 < sgtarr> Turns out I thought that routeadm -e ipv4-forwarding would enable IP forwarding
08:27 < sgtarr> That is only partly true, I also needed ndd -set /dev/ip ip_forwarding 1
08:27 < sgtarr> (This is Solaris)
08:35 < vpnHelper> New forum entry forum: Server Administration :: Re: Issues with the new 2.1.2 client and driver signature. ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7019&p=7614#p7614>
09:03 -!- sgtarr [~sgt@grim.rasterburn.org] has left ##openvpn []
09:07 -!- corretico [~laguilar@201.201.44.82] has quit [Read error: Connection reset by peer]
09:13 < Dougy>  /win 2
09:13 < Dougy> er
09:13 < Dougy> ok
09:13 < Dougy> hi guys
09:40 < ecrist> hello, dougy
09:40 < ecrist> dougy - did you test, make sure you still have admin on new forum?
09:41 < havoc> dazo: any word on that driver signing fix for the 2.1.2 release?
09:41 <@dazo> havoc: I've not heard anything :( ... hopefully James will show up at the developers meeting today at 18:00 UTC
09:42 < havoc> hmm, 18:00 UTC is 12:00 here I think
09:42 <@dazo> http://www.timeanddate.com/
09:42 < vpnHelper> Title: timeanddate.com (at www.timeanddate.com)
09:42 <@dazo> :)
09:43 < havoc> 13:00 UTC, we're in summer time :(
09:43 < havoc> dazo: what about the 2.2b2, is there a windows installer for that somewhere?
09:45 <@dazo> havoc: nope, that's the next on James todo list, when the 2.1.2 issue is solved ... as the current situation is that it would still mess up the wintap driver in 2.2b2 as well
09:47 < havoc> ah, ok
09:47 < havoc> dazo: thanks for the info :)
09:47 <@dazo> havoc: you're welcome ... sorry to not be able to bring happier news!
09:48 < havoc> eh, I guess I'll wait to hear how th dev meeting goes in a few hours
09:48 -!- reiffert [~thomas@mail.reifferscheid.org] has joined ##openvpn
09:48 < reiffert> moin
09:49 -!- corretico [~laguilar@201.201.44.82] has joined ##openvpn
09:53 -!- RichiH [~richih@freenode/staff/richih] has left ##openvpn []
10:04 -!- SOG [~SOG@222.125.202.173] has quit [Quit: I will be back!]
10:05 < Dougy> hiya dazo
10:05 < Dougy> ecrist: yo
10:05 <@dazo> Hiya!
10:06 < Dougy> i am so glad openvp nfinally took the forums seriously
10:06 < Dougy> i think its gonna be a huge success
10:08 < reiffert> beginning of doom!
10:12 <@dazo> reiffert: you're always so cheerful and optimistic! ;-)
10:13 < reiffert> we could help the situation with a forum <-> gateway!
10:13 < reiffert> sms gateway that is
10:14 < ecrist> lol
10:14 < havoc> may as well go twitter at that point ;)
10:14 < reiffert> of course, let's use brand new stuff here.
10:17  * reiffert goes out for shopping of some enclosures for my new pigeons...
10:20 -!- bartjol [~bartjol@kantoor.procolix.com] has joined ##openvpn
10:23 < bartjol> !welcome I'm installing openvpn on windows 7, running it as administrator and in compatability mode (windows vista) also tried to run the tapinstall batch file, but the "all adapters are in use" mention. I did it before and it worked back than, are there any changes for the settings I should use?
10:23 < vpnHelper> bartjol: Error: "welcome" is not a valid command.
10:25 < bartjol> I am using the latest (from sunday) version from http://openvpn.net/index.php/open-source/downloads.html
10:25 < vpnHelper> Title: Downloads (at openvpn.net)
10:27 < Dougy> 2.1.2?
10:27 < reiffert> bartjol: check the mailinglists, I've seen something about tapinstall.exe fails...
10:28 < bartjol> it was 2.1.2 yes
10:28 < Dougy> there is a lot of windows issues with 2.1.2 and 2.1.1
10:29 -!- tjz_ [~pc@bb119-74-160-180.singnet.com.sg] has joined ##openvpn
10:30 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
10:32 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
10:38 <@dazo> Dougy: what do you mean with lot of issues with 2.1.1 on Windows?  that should be a stable windows version, not?
10:38 < Dougy> driver issues
10:38 < Dougy> unsigned drivers or what have you
10:38 < Dougy> its on the forum
10:39 < darkwind> Heya -- does anyone know of a guide showing how to configure OpenVPN server for u/p auth only?  I've found snippets, but nothing complete.
10:41 < reiffert> I believe that there is a pam auth plugin somewhere. You might sue that.
10:43 < bartjol> mmm, going for the quick option and taking an old version, for time issues, thanks, I'll read the forums
10:44 < reiffert> mailing list >> forum
10:45 < Dougy> ecrist:  pong
10:48 < ecrist> sup?
11:10 <@dazo> Dougy: 2.1.1 should not have any particular issues ... but Win7 may be more tricky, due to new security schemes ... but 2.1.1/2.1.0 (basically the same version) is known to work decently, at least from what I've seen on the -users ML
11:13 <@dazo> darkwind: configure OpenVPN to use PAM and make that work, using --auth-user-pass enabled on the client side .... then check out --client-cert-not-required (for the server side) - then you should be able to take away the cert stuff on the clients
11:24 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:29 -!- Hypnoz [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:32 < Dougy> dazo maybe its 2.1.2
11:33  * dazo suspects so
11:34 < Dougy> https://forums.openvpn.net/viewtopic.php?f=4&t=7019&sid=13b9a02dbad43cbcc1fe46efc7c41b0f
11:34 < vpnHelper> Title: OpenVPN User Forum View topic - Issues with the new 2.1.2 client and driver signature. (at forums.openvpn.net)
11:35 < Dougy> https://forums.openvpn.net/viewtopic.php?f=5&t=7014&sid=13b9a02dbad43cbcc1fe46efc7c41b0f
11:35 < vpnHelper> Title: OpenVPN User Forum View topic - Problem with TAP-Driver in 2.1.2 on Win7 x64 (at forums.openvpn.net)
11:35 < Dougy> https://forums.openvpn.net/viewtopic.php?f=5&t=7011&sid=13b9a02dbad43cbcc1fe46efc7c41b0f
11:35 < vpnHelper> Title: OpenVPN User Forum View topic - TAP adapter won't install on Windows Server 2008 (at forums.openvpn.net)
11:35 < Dougy> https://forums.openvpn.net/viewtopic.php?f=5&t=7008&sid=13b9a02dbad43cbcc1fe46efc7c41b0f
11:35 < vpnHelper> Title: OpenVPN User Forum View topic - Issue with TAP driver on Windows 7 (32-bit) (at forums.openvpn.net)
11:35 < Dougy> lol
11:41 < reiffert> http://sourceforge.net/mailarchive/forum.php?thread_name=4C6AB2F2.30501%40topphemmelig.net&forum_name=openvpn-devel
11:41 < vpnHelper> Title: SourceForge.net: OpenVPN: openvpn-devel (at sourceforge.net)
11:42 < reiffert> search for "tapinstall"
11:44 < reiffert> I guess there is no list <> forum sync?
12:00 < Dougy> what does that mean reiffert 
12:00 < Dougy> no
12:00 < Dougy> there is no ocnnection
12:00 < Dougy> connection
12:01 -!- bartjol [~bartjol@kantoor.procolix.com] has left ##openvpn []
12:02 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
12:02 < darkwind> dazo: thanks
12:02 < darkwind> dazo: i'll check it out
12:13 < takamichi> When running multiple openvpn server processes on the same server, is there a way to fix a particular tun adapter to a particular server? It seems to assign them in the order it starts them
12:14 -!- dazo is now known as dazo_afk
12:14 < reiffert> takamichi: dev tunX   with X = 0,1,2,3,4,5...
12:15 < ecrist> reiffert: no.  there is/was a plugin for vbulletin, but it was decided a while back that would be a pain.
12:15 < ecrist> there are people that hate forums but love mailing lists, and vice versa.
12:15 < reiffert> I know of one ;)
12:15 < ecrist> while the advantage of integration is recognized, we figured it would cause more problems than it was worth.
12:15 < takamichi> @reiffert, thank you.
12:28 < nat2610_> I created a vpn connection "redirect-gateway def1" between a server and client on windows7 and I'm almost there: I can connect, I can ping the both the tap-win32 and ehternet controller over the tunnel, now when I do ping google.com, I can see the dns reosltuion but it doesn't ping, it times out... anyone can help me to troubleshoot that ? Is it an issue with the route ? 
12:32 < kisom> nat2610_: can you surf the web? any page at all?
12:36 < vpnHelper> New forum entry forum: Server Administration :: Re: Issues with the new 2.1.2 client and driver signature. ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7019&p=7615#p7615>
12:44 -!- Cain [~Geek@unaffiliated/cain] has quit [Read error: Connection reset by peer]
12:46 < darkwind> ok... so, with the windows client, how does one specify a port under server address?  I tried x.x.x.x:1195, but that doesn't seem to work.
12:46 < Dougy> !configs
12:46 < vpnHelper> Dougy: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
12:47 < darkwind> Don't have a config.. just downloaded the client.
12:47 < darkwind> Says the serve ris actively refusing my connection.  When I use the standard port on the server, it connects.
12:48 < darkwind> Just wanted to know how to specify a port on the stnadard client in the server line..
12:50 -!- Chaze [~Chase@dslb-084-059-142-154.pools.arcor-ip.net] has left ##openvpn []
12:51 < nat2610_> kisom, no I can't surf the web
12:52 < darkwind> Can you not use the plain gui client from the non-community side?
12:54 -!- ibrahim [~ibrahim@213.140.59.46] has joined ##openvpn
12:54 < kisom> uh
12:55 < kisom> tbh, I've never used the GUI, i think it sucks
12:55 < nat2610_> also server side, there is a router, I redirect the port udp 1194 to the server and it works but I was wondering if I need to do something about the network 10.8.0.0 since the vpn client get an ip from that network. Also tall the firewall are disabled
12:55 < kisom> whats your DNS server?
12:55 < ibrahim> any help to use openvpn server
12:55 < kisom> is it on the openvpn-server?
12:55 < ibrahim> how i 
12:55 < ibrahim> can configure it
12:56 < kisom> ibrahim: read the documentation, lots of guides on the site.
12:56 < ibrahim> i read but it was fail
12:56 < kisom> worked the first time i tried it out.
12:57 < ibrahim> can you give me some etape 1  2  3  4
12:57 < kisom> hold on
12:57 < ibrahim> $i use ubuntu
12:57 < kisom> !pki
12:57 < vpnHelper> kisom: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert
12:57 < vpnHelper> kisom: was signed specially as a server (see !servercert)
12:57 -!- dazo_afk is now known as dazo
12:57 < ibrahim> yes
12:57 < kisom> http://openvpn.net/index.php/open-source/documentation/howto.html Have you read this one?
12:57 < vpnHelper> Title: HOWTO (at openvpn.net)
12:58 < kisom> nat2610_: do you run a DNS server at the openvpn server or are you using some external DNS server?
12:58 < nat2610_> kisom, I'm using google (8.8,8.8)
12:58 < nat2610_> s/,/.
12:59 < kisom> that's really odd
12:59 < kisom> try this as root:
12:59 < kisom> iptables -F FORWARD; iptables -P FORWARD ACCEPT
12:59 < nat2610_> It's windows on both side ...
12:59 < nat2610_> I did enabled the ip forwarding
12:59 < kisom> okay
12:59 < nat2610_> like it's said in the FAQ of openvpn somewhere
13:00 < kisom> then i have no idea tbh. routing in windows seems to randomly work and not work in my experience
13:00 < nat2610_> and I can ping the ethernet ip of the vpn server so I beleive the forwarding is working
13:00 < kisom> that does not matter
13:01 < kisom> any traffic to the openvpn server IP address is not tunneled
13:04 -!- ibrahim [~ibrahim@213.140.59.46] has quit [Quit: Ex-Chat]
13:05 < nat2610_> kisom, so does that mean that the internet traffic might not be forwarded by the vpn server ? 
13:05 < kisom> no, its most likly an issue with windows and packet forwarding
13:05 < kisom> what version of windows are you running?
13:06 < nat2610_> kisom, it's windows 7 for the server 
13:06 < vpnHelper> New forum entry forum: Server Administration :: Re: Issues with the new 2.1.2 client and driver signature. ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7019&p=7616#p7616>
13:06 < kisom> nat2610_: OK
13:06 < kisom> i seriously suggest that you reinstall the server computer with some type of linux based O/S
13:06 < kisom> I dont even know if windows supports routing in its client versions
13:07 < nat2610_> kisom, I know but I can't it's not my computer ... and being a vpn server isn't the 1st use of that computer :/
13:07 < kisom> virtualbox may solve your problem
13:07 < nat2610_> kisom, that's a good idea !
13:08 < nat2610_> cool I'll do that 
13:08 < nat2610_> thanks
13:08 < kisom> :)
13:08 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Ping timeout: 240 seconds]
13:08 < kisom> go for arch linux!
13:08 < nat2610_> kisom, agreed 
13:09 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has quit [Ping timeout: 276 seconds]
13:10 < kisom> heh, i used to work at this company that used windows xp home edition on all their servers
13:10 < Dougy> lol
13:11 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
13:11 < kisom> i thought the boss was joking with me when he introduced their setup
13:11 < kisom> i didn't stay there long...
13:12 < kisom> now i'm stuck on windows 2k8 at work :<
13:12 < nat2610_> yeah I have 50 centos here
13:12 < nat2610_> I fell comfortable 
13:13 < kisom> well i work at a bank
13:13 < kisom> microsoft, AD and smb all the way
13:13 < kisom> exept the part where the real action is happening, we run rhel on those servers
13:13 < kisom> but im not allowed to touch them :)
13:18 < nat2610_> I used to work in a bank, it was all os2warp4 ... 
13:18 < nat2610_> that was like welcome to 1990 ! 
13:30 -!- Cain [~Geek@unaffiliated/cain] has quit [Quit: Sayaunara ^_^]
13:31 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
13:39 -!- Guest93243 [~Geek@41.141.252.98] has joined ##openvpn
13:42 -!- Guest93243 [~Geek@41.141.252.98] has quit [Client Quit]
14:04 -!- manevra [59eeadf3@gateway/web/freenode/ip.89.238.173.243] has joined ##openvpn
14:08 -!- manevra [59eeadf3@gateway/web/freenode/ip.89.238.173.243] has left ##openvpn []
14:26 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:47 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
14:50 -!- Cain [~Geek@41.141.252.98] has joined ##openvpn
14:50 -!- Cain is now known as Guest99377
14:51 -!- Guest99377 [~Geek@41.141.252.98] has quit [Client Quit]
14:52 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
14:53 -!- mape2k [~mape2k@2001:638:904:ffc4:221:86ff:fe98:93a2] has quit [Read error: Operation timed out]
14:59  * kisom &
15:37 -!- dazo is now known as dazo_afk
15:41 < havoc> bah
15:42 < havoc> was just gonna ask dazo how the dev meeting went
15:49 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:50 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Ping timeout: 240 seconds]
15:50 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
15:56 < Dougy> lol
15:58 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
16:03 -!- Guest14138 is now known as nb
16:04 -!- nb [~nb@sanjose01.nb.tc] has quit [Changing host]
16:04 -!- nb [~nb@fedora/GSWoT.Member.nb] has joined ##openvpn
16:06 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
16:25 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:43 < ecrist> havoc: why not just participate?
16:43 < ecrist> every thursday, 1800 UTC in #openvpn-devel
16:55 < havoc> I did not know that :)
17:04 < Dougy> hiya eric
17:07 < vpnHelper> New forum entry forum: Server Administration :: poor uploading speed in Openvpn :: Author ajayan <https://forums.openvpn.net/viewtopic.php?f=4&t=7022&p=7618#p7618> || Off Topic, Related :: Re: VPN and ISP routing :: Reply by zander <https://forums.openvpn.net/viewtopic.php?f=1&t=7005&p=7617#p7617>
17:07 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
17:07 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Quit: leaving]
17:10 < Dougy> ecrist: can we add a feature to vpnHelper ?
17:18 -!- manevra [manevra@213.229.87.19] has joined ##openvpn
17:20 < manevra> does openvpn encrypts entire internet traffic ? if i connect to a server through openvpn and send emails through that server's local smtp, will my isp see the content of my emails or if i send emails at all ?
17:22 < Dougy> what are you trying to hide? :)
17:22 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
17:23 < manevra> Dougy, nothing
17:23 < manevra> i just want to know what privacy i will get with openvpn
17:23 < manevra> that's all
17:23 < Dougy> why do you want to hide emails then?
17:23 < manevra> privacy reasons... my isp is a local neighbourhood network and the admin is a thief
17:23 < manevra> :)
17:23 < manevra> so ... you know what i am trying tosay
17:23 -!- Martz [~Martz@unaffiliated/martz] has joined ##openvpn
17:24 < Dougy> yes traffic over the vpn is encrypted
17:24 < manevra> 100%?
17:26 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:33 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Remote host closed the connection]
17:48 < Dougy> test it and find out!:)
17:58 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 252 seconds]
18:07 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:10 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:10 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 246 seconds]
18:11 -!- manevra [manevra@213.229.87.19] has quit [Quit: Leaving]
18:12 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
18:17 -!- oxi [~oxi@unaffiliated/oxi] has joined ##openvpn
18:17 < oxi> hi
18:17 < oxi> is it easily possible to create a "transportable server" which connects to a vps through ssl vpn and has full control over the public ip, so that it can be used as dns, mail, .... server? 
18:18 < oxi>  the "transportable server" is planted anywhere in a firewall protected and NATed corporate network and connects via ssl vpn to a vps in a cloud
18:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
18:30 < Bushmills> i use a netbook. it runs services, and is very transportable.
18:36 -!- Hypnoz [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Ping timeout: 240 seconds]
18:37 < vpnHelper> New forum entry forum: Server Administration :: Compiling OpenVPN v2.1.2 with enable-password-save option :: Author Zero3K <https://forums.openvpn.net/viewtopic.php?f=4&t=7023&p=7619#p7619>
18:47 -!- oxi [~oxi@unaffiliated/oxi] has quit [Remote host closed the connection]
18:48 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
18:48 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
19:12 < Dougy> hmm
19:40 -!- Martz^ [~Martz@unaffiliated/martz] has joined ##openvpn
19:44 -!- Martz [~Martz@unaffiliated/martz] has quit [Ping timeout: 252 seconds]
20:01 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.8/20100722155716]]
20:14 -!- Kurogane [~kuro@190.87.69.217] has joined ##openvpn
20:16 -!- Martz^ [~Martz@unaffiliated/martz] has quit [Read error: Connection reset by peer]
20:16 -!- Martz^ [~Martz@unaffiliated/martz] has joined ##openvpn
20:19 < ecrist> Dougy: what veature do you wnat?
20:21 < ecrist> s/v/f/
20:24 -!- takamichi [~pri@pm303-98-27.keyworld.net] has quit [Ping timeout: 260 seconds]
20:29 -!- hix-nix [~tommy@fu/infra/hix-nix] has joined ##openvpn
20:29 < hix-nix> !welcome
20:29 < vpnHelper> hix-nix: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:30 < hix-nix> !howto
20:30 < vpnHelper> hix-nix: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
20:31 -!- hix-nix [~tommy@fu/infra/hix-nix] has left ##openvpn ["Leaving"]
20:37 < vpnHelper> New forum entry forum: Testing branch :: Re: Snapshots :: Reply by ecrist <https://forums.openvpn.net/viewtopic.php?f=23&t=7001&p=7620#p7620> || Wishlist :: Compiling OpenVPN v2.1.2 with enable-password-save option :: Author Zero3K <https://forums.openvpn.net/viewtopic.php?f=10&t=7023&p=7619#p7619>
20:42 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Remote host closed the connection]
20:44 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
20:46 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
20:46 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
20:53 -!- hix-nix [~tommy@fu/infra/hix-nix] has joined ##openvpn
20:54 < hix-nix> hey guys... so, im a royal noob to VPN's... ive already looked up most information and it seems like ive configed openvpn and got it setup just fine...
20:54 < hix-nix> is there a way locally to see if the vpn is up and running and ready to accept new users?
21:06 < rasengan> hix-nix: unix process management can show you if openvpn is running or not.
21:16 < hix-nix> i understand, what i mean, is if it capable of accepting clients to see if i did the whole config correctly
21:22 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Quit: Leaving.]
21:23 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
21:26 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Client Quit]
21:26 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
21:31 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Ping timeout: 246 seconds]
21:45 -!- tjz_ [~pc@bb119-74-160-180.singnet.com.sg] has quit [Quit: bbl.]
21:45 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
21:58 < Dougy> ecrist: 
21:58 < Dougy> a !recentposts ors omething to show last 5 posts on forum
22:22 < hix-nix> holy shit...
22:23 < hix-nix> griz... you should see these damn switches that the neighbors got for 200 bucks...
22:23 < hix-nix> http://www.google.com/products/catalog?q=90+port+lc-ef-ge-90m&oe=utf-8&rls=org.mozilla:en-US:official&client=firefox-a&um=1&ie=UTF-8&cid=9385639699287011810&ei=a-xtTKzrFoq-sAPgyZCVCw&sa=X&oi=product_catalog_result&ct=result&resnum=4&ved=0CCYQ8wIwAw#
22:23 < vpnHelper> Title: Force10 Series EF 90-port High Density 10/100/1000Base-T Line Card Expansion module - 90 ports (at www.google.com)
22:23 < hix-nix> 200 bucks doh
22:23 < hix-nix> wrong channel, sorry guys
22:27 < Dougy> hix-nix: 200?!?!?!???!
22:27 < hix-nix> Dougy, yeah
22:27 < hix-nix> 20 of them
22:27 < Dougy> what the fuck
22:27 < Dougy> he hit a gold mine
22:27 < Dougy> seriously
22:27 < hix-nix> i was like O.o
22:27 < hix-nix> holy.....
22:28 < hix-nix> going to pick up the rest of them tomorrow, he brought this over for me to check out and tell him if theyre worth a damn
22:28 < hix-nix> i saw it and dropped my jaw
22:28 < Dougy> lokl
22:28 < Dougy> lol
22:28 < Dougy> be liike
22:28 < Dougy> dude
22:28 < Dougy> thousand bucks each if u sell me them right now
22:28 < hix-nix> pretty much
22:28 < hix-nix> going to post them on ebay
22:29 < Dougy> hehe
22:30 < hix-nix> although, the dip ripped one apart...
22:30 < hix-nix> mass fail
22:30 < Dougy> where did he get them
22:30 < hix-nix> albiet one of 20 woudlnt concern you much, but they also go the cisco switch that controls them
22:30 < hix-nix> some company in the area replaced their network, sold them off as "old technology"
22:31 < hix-nix> and its all legit, i saw the reciept for sale
22:31 < Dougy> http://www.nwrusa.com/force10-lcefge90m-p-13707.html?zenid=c0322357b25902d2c9b11340187680d0
22:31 < hix-nix> im still astounded
22:31 < vpnHelper> Title: Force10 LC-EF-GE-90M : NorthWest Remarketing , Salem Oregon Juniper Cisco Alcatel Extreme (at www.nwrusa.com)
22:31 < hix-nix> yeah, expensive little buggers
22:32 < hix-nix> ill post them on ebay for about 3K a piece
22:32 < Dougy> damn
22:32 < Dougy> wish i had that kind of luck
22:32 < hix-nix> me too
22:32 < hix-nix> although, Sun closed one of their offices a few years ago and was throwing away all their old servers
22:32 < Dougy> http://newyork.craigslist.org/mnh/cpg/1908649229.html lmfao
22:32 < vpnHelper> Title: Internet Cafe Hiring (125 St. & Lexington Area) (at newyork.craigslist.org)
22:32 < hix-nix> i recovered all of them and 20 terra of SATA drives
22:33 < tjz> O_o
22:33 < tjz> 20 terra..
22:33 < Dougy> o.o
22:33 < Dougy> jesus
22:33 < hix-nix> yeah
22:33 < hix-nix> all 750 GB drives
22:33 < hix-nix> it was nice
22:33 < Dougy> i was lucky tho too i guess
22:33 < tjz> good catch 
22:33 < tjz> :D
22:33 < Dougy> but i gave it back
22:33 < hix-nix> the servers, i still have a few of them, are Sunfire v60x's
22:33 < hix-nix> and a few v65x
22:34 < Dougy> i found 6 X5570 xeons NIB on the groudn some guy dropped
22:34 < Dougy> but i gave them back to him
22:34 < hix-nix> damn
22:34 < hix-nix> good karma
22:34 < Dougy> i felt bad stealing 10k of processors
22:34 < hix-nix> and you really cant just be a douche and watch someone drop something and not be like, "hey dude"
22:35 < hix-nix> yeah
22:35 < Dougy> oh
22:35 < Dougy> sure i could
22:35 < Dougy> i was right next to a door i coulda been gone
22:35 < Dougy> and he wouldnt of ever seen it
22:35 < hix-nix> wow. i want to take this switch to sleep with me, scared someone will steal it in this 'hood.
22:35 < hix-nix> ouch
22:35 < Dougy> lol
22:35 < hix-nix> that still would just be all bad
22:36 < Dougy> good god
22:36 < Dougy> i just farted and it smells like someone died
22:36 < hix-nix> those guys came up though. theres also 15 Cisco Catalyst 2960 switches
22:36 < Dougy> 2960s are nice
22:37 < hix-nix> and a few Cisco Proxy servers, Cisco Content Engine 560's
22:37 < hix-nix> they are
22:37 < hix-nix> whats better? a 2960 or a 3500XL?
22:37 < hix-nix> of the catalyst switches
22:38 < hix-nix> i dont know how their model numbering works
22:39 < hix-nix> where are you from anyway Dougy
22:39 < Dougy> new jersey
22:39 < Dougy> 3500xl are pieces of shit
22:39 < Dougy> what is the model of the 2960
22:39 < Dougy> some of them are worth thousands
22:39 < hix-nix> just a sec, let me grab it
22:40 < hix-nix> mfg 2007/01/06 Switch/WS-c2960-48TT-L
22:41 < Dougy> ya
22:41 < Dougy> tahts worth a few thousand
22:41 < hix-nix> e-e011-05-4733 (A)
22:41 < hix-nix> really!?
22:41 < Dougy> new anyway
22:41 < Dougy> used upper 3 digits
22:41 < Dougy> http://www.google.com/products/catalog?q=WS-c2960-48TT-L&oe=utf-8&client=firefox-a&hl=en&cid=9676405474344439000&ei=XPltTNzUFY6-ygW3_cz7AQ&sa=button&ved=0CA4QgggwATgA#p
22:41 < vpnHelper> Title: Cisco Catalyst 2960-48TT Switch - EN, Fast EN (at www.google.com)
22:41 < hix-nix> noice
22:41 < Dougy> lucky
22:42 < hix-nix> they're not mice...
22:42 < hix-nix> mine
22:42 < hix-nix> fam dingers
22:42 < Dougy> i want
22:42 < Dougy> steal themLOL
22:42 < hix-nix> i can probably get you one cheap if you want it
22:43 < hix-nix> if i tell him i get sell one for 50 bucks, im sure he'd jump on it
22:43 < hix-nix> i already plugged this one in and tested it, works great. has a passed on the console...
22:43 < hix-nix> passwd
22:44 < hix-nix> im sure cicso has a boot flag that you can edit during the boot process
22:44 < hix-nix> i know you can do it on the proxy servers to reset the root pw
22:50 < Dougy> gah
22:50 < Dougy> wtf did i eat to make me gassy
22:50 < Dougy> if you can hook me up on the 2960
22:50 < Dougy> im on it
22:50 < Dougy> lol
22:50 < Dougy> is there receipts for that ish or something?
22:51 < hix-nix> ill talk to the neighboor
22:51 < hix-nix> hes a good guy, and he owes me some favors... im sure i can swing something
22:51 < hix-nix> im going with them to look at some more stuff tomorrow
22:52 < Dougy> good stuff man
22:52 < hix-nix> i just sent him a text
22:52 < hix-nix> i know, next door and im texting... lazy
22:52 < hix-nix> :P
22:53 < Dougy> lol
22:53 < Dougy> where are you at
22:53 < hix-nix> san jose
22:53 < hix-nix> ca
22:53 < hix-nix> the armpit of america
22:54 < hix-nix> neighboors coming outside
22:54 < hix-nix> give me a few
22:54 < hix-nix> im going to talk to him
22:54 < hix-nix> see what i can get it for
22:54 < Dougy> win
22:54 < Dougy> go for it
23:02 < hix-nix> he says 70
23:02 < hix-nix> i talked him into it
23:02 < hix-nix> :P
23:02 < hix-nix> before anything is set in stone, were supposed to pick up the rest of the stuff tomorrow
23:03 < hix-nix> lat me make sure those are the same model first
23:03 < hix-nix> let*
23:04 < Dougy> 70 bucks?
23:04 < Dougy> for a 2960 48 port?
23:05 < hix-nix> yeah
23:05 < Dougy> fuck yes
23:05 < Dougy> sold
23:05 < hix-nix> hahaha
23:05 < hix-nix> ok
23:05 < hix-nix> like i said, were supposed to go pickup the rest of the stuff tomorrow
23:06 < hix-nix> this one here, its spoken for already, they brought it to me to see what it is and so such
23:06 < hix-nix> so, ill make sure those are the same model
23:06 < hix-nix> i have a reputation to keep and im known on IRC, in the gentoo channels :P
23:07 < hix-nix> and the friendly-coders channel
23:07 < hix-nix> and a few others...
23:07 < hix-nix> :P
23:07 < Dougy> hehe
23:07 < hix-nix> ill be sure to try it out first too, i would feel bad about sending a POS
23:07 < Dougy> full output of sh ver would be cool
23:07 < hix-nix> and im sure youd be pissed about getting one
23:07 < Dougy> yea well lol
23:08 < hix-nix> hey, since your a vpn geek....
23:08 < hix-nix> mind giving me a hand with a problem im having?
23:08 < hix-nix> well, not really sure its a problem at this point...
23:08 < hix-nix> but im attempting to setup my first VPN
23:09 < hix-nix> the distro is debian based, Untangle
23:09 < hix-nix> know of it at all?
23:09 < Dougy> to be honest, i am not a VPN geek for shit
23:09 < Dougy> i just help the forum go
23:09 < hix-nix> ah
23:09 < Dougy> that said, no, i've never touched untangle
23:09 < hix-nix> hehehe
23:09 < hix-nix> ok
23:09 < hix-nix> its a router/firewall setup
23:09 < Dougy> i have very minimal openvpn exerptise
23:09 < Dougy> expertise
23:10 < Dougy> but the least i can do si try to help
23:10 < Dougy> is
23:10 < hix-nix> really nifty... i just installed it a few weeks ago
23:10 < hix-nix> anyway, it installs openVPN and configs some of the stuff for you
23:10 < hix-nix> all GUI
23:10 < Dougy> ok, it fails already
23:10 < Dougy> GUI's are not fun
23:10  * Dougy is a cli man
23:10 < hix-nix> abliet you still have access to the term
23:10 < hix-nix> HAHAHA
23:10 < Dougy> cli(t)
23:10 < Dougy> tehehe
23:10 < hix-nix> i dont really prefer GUI's either
23:11 < hix-nix> the gui is for the simple settings it looks like
23:11 < hix-nix> im not sure how to generate the keys though
23:11 < hix-nix> ive read the docs, and you have to have client keys for people to log on to the VPN
23:11 < Dougy> unfortunately, i believe i have to point you to this one
23:11 < Dougy> !notopenvpn
23:11 < vpnHelper> Dougy: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
23:11 < Dougy> if you are using their gui
23:11 < Dougy> unless you are using cli?
23:11 < hix-nix> hehehe, yeah, i read that
23:12 < hix-nix> i have access to the cli
23:12 < hix-nix> of course...
23:12 < hix-nix> but the setup was done all through the gui
23:12 < hix-nix> just seemed easier at the time
23:13 < Dougy> so where and what exactly are you at right now
23:13 < hix-nix> i /believe/ i have everything ready for a client to logon
23:13 < hix-nix> just need to get them a key
23:14 < Dougy> have you looked at 
23:14 < Dougy> !howto
23:14 < vpnHelper> Dougy: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
23:14 < Dougy> for keymaking?
23:14 < Dougy> it doesnt get any more detialed then that
23:14 < Dougy> detailed*
23:17 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:29 < Dougy> hmm
23:29 < Dougy> hix-nix: pm me on here tomorow
23:29 < Dougy> night
23:30 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
23:35 < hix-nix> night
23:36 -!- Cain [~Geek@unaffiliated/cain] has quit [Quit: Sayaunara ^_^]
23:40 -!- yakub_ [~www-data@i.dont.get.mad.i.get.stabby.net] has quit [Quit: leaving]
23:49 < SOG> Um... I am wondering OpenVPN and ptpp are basically the same thing right? I mean they can do the same thing ?
23:51 < SOG> only the connection and security are different ?
23:58 < Dougy> SOG: http://www.how-to-hide-ip.info/2009/09/17/whats-the-difference-between-pptp-vpn-and-openvpn/
23:58 < Dougy> ok /gone
23:59 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
--- Day changed Fri Aug 20 2010
01:12 -!- Gud [~erik@78-70-22-214-no94.business.telia.com] has quit [Read error: Connection reset by peer]
01:12 -!- mape2k [~mape2k@p5B285B4C.dip.t-dialin.net] has joined ##openvpn
01:12 -!- Gud [~erik@78-70-22-214-no94.business.telia.com] has joined ##openvpn
01:34 -!- rasengan [~rasengan@96.43.136.14] has quit [Quit: WeeChat 0.3.2]
01:36 -!- rasengan [~rasengan@96.43.136.14] has joined ##openvpn
01:47 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:47 -!- mode/##openvpn [+o mattock] by ChanServ
01:58 -!- takamichi [~pri@pm303-98-27.keyworld.net] has joined ##openvpn
02:02 -!- dazo_afk is now known as dazo
02:03 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
02:08 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:08 -!- mode/##openvpn [+o mattock] by ChanServ
02:28 -!- Run32dll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
02:29 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:48 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
02:52 -!- Run32dll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:54 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Excess Flood]
02:55 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
03:02 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
03:20 -!- Diffen2 [~diffen2@user8.85-195-0.netatonce.net] has joined ##openvpn
03:24 -!- Gud [~erik@78-70-22-214-no94.business.telia.com] has quit [Read error: Connection reset by peer]
03:24 -!- Gud [~erik@78-70-22-214-no94.business.telia.com] has joined ##openvpn
03:36 -!- hix-nix [~tommy@fu/infra/hix-nix] has quit [Ping timeout: 272 seconds]
03:42 -!- Gud [~erik@78-70-22-214-no94.business.telia.com] has quit [Ping timeout: 255 seconds]
03:42 -!- Gud [~erik@78-70-22-214-no94.business.telia.com] has joined ##openvpn
03:44 -!- Kurogane [~kuro@190.87.69.217] has quit [Read error: Connection reset by peer]
03:44 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Remote host closed the connection]
03:44 -!- agagag [~anton@eudaimonia.goto10.org] has joined ##openvpn
04:02 -!- hix-nix [~tommy@fu/infra/hix-nix] has joined ##openvpn
04:09 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 260 seconds]
04:11 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
04:14 -!- Diffen2 [~diffen2@user8.85-195-0.netatonce.net] has quit [Read error: Connection reset by peer]
04:32 -!- Diffen2 [~diffen2@user8.85-195-0.netatonce.net] has joined ##openvpn
04:33 -!- Diffen2 [~diffen2@user8.85-195-0.netatonce.net] has quit [Client Quit]
04:49 -!- Diffen2 [~diffen2@user8.85-195-0.netatonce.net] has joined ##openvpn
05:21 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:33 -!- SOG [~SOG@61.144.230.241] has quit [Quit: SOG]
05:44 -!- Diffen2 [~diffen2@user8.85-195-0.netatonce.net] has quit [Quit: This computer has gone to sleep]
06:02 < jetole> Hey guys. Does anyone know a way I can test an openvpn connection where it connects, immediately disconnects and some way I can read wether the connection attempt was succesful or not? I am looking to test several openvpn servers from nagios and no plugins exist (at least not in the nagios exchange) that offer a way to test this so I am hoping I can set this up manually with the native clients. Any advice would greatly be appreciated 
06:10 < kisom> jetole: verb 7 will probably do it
06:11 < kisom> its most likly a bad setup with your certificates
06:23 < jetole> kisom: what?
06:24 < jetole> what is most likely a bad setup? 
06:25 < jetole> kisom: http://en.wikipedia.org/wiki/Nagios
06:25 < vpnHelper> Title: Nagios - Wikipedia, the free encyclopedia (at en.wikipedia.org)
06:28 < kisom> Never used nagios
06:28 < kisom> Your PKI is probably badly set up if the connection fails right away
06:29 -!- Cain` [~Geek@unaffiliated/cain] has joined ##openvpn
06:30 < Bushmills> he described his intended test procedure, not a problem ...
06:31 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 253 seconds]
06:31 -!- Cain` is now known as Cain
06:31 < ecrist> Dougy: I think if people want to know what's going on on the forum, they can just go to the site.
06:31 < ecrist> they can follow the same RSS feed the bot here uses.
06:31 < Bushmills> jetole: connect, ping the remote.
06:31 < Bushmills> disconnect
06:34 < kisom> OK, void what I just said
06:34 < kisom> miss-read it.
06:45 -!- simplechat_ [~simplecha@unaffiliated/simplechat] has joined ##openvpn
06:57 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Quit: Quitte]
07:09 < vpnHelper> New forum entry forum: Server Administration :: Re: Issues with the new 2.1.2 client and driver signature. ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7019&p=7621#p7621>
07:29 < ecrist> !forum
07:29 < vpnHelper> ecrist: Server Administration :: poor uploading speed in Openvpn :: Author ajayan || Server Administration :: Re: Issues with the new 2.1.2 client and driver signature. ... || Server Administration :: Re: Issues with the new 2.1.2 client and driver signature. ... || Server Administration :: Re: Issues with the new 2.1.2 client and driver signature. ... || Server Administration :: Re: Issues
07:29 < vpnHelper> ecrist: with the new 2.1.2 client and driver signature. ... || Off Topic, Related :: Re: VPN and ISP routing :: Reply by zander || Testing branch :: Re: Snapshots :: Reply by ecrist || Wishlist :: Compiling OpenVPN v2.1.2 with enable-password-save option :: Author Zero3K
07:29 < ecrist> Dougy: there ARE commands setup for the forums/tickets/etc
07:30 < ecrist> it's only going to show cached results, though.
07:30 < ecrist> it already checks every 5 minutes.
07:30 < ecrist> vpnHelper: plugins.RSS.feeds
07:30 < vpnHelper> ecrist: Error: "plugins.RSS.feeds" is not a valid command.
07:30 < ecrist> vpnHelper: config plugins.RSS.feeds
07:30 < vpnHelper> ecrist: tickets testtrac forum
07:30 < ecrist> those are the current RSS feeds we're monitoring
07:30 < ecrist> !tickets
07:30 < vpnHelper> ecrist: #18: Make "auto-proxy" use HTTP_PROXY environment variable on *NIX platforms || #30: Improve man page - scripting and environmental variables section || #17: build failure on OpenBSD 4.7 IFF_MULTICAST || #5: Fix OpenSSL-1.0.0 compilation warnings || #31: [PATCH] openvpn-plugin.h documentation is not correct || #20: Multiple --up scripts and no error || #14: [PATCH] Handle non
07:30 < vpnHelper> ecrist: standard subnets in PF grammar || #13: Not using --push on server makes client sending PUSH_REQUEST continuously || #10: Solaris tun/tap support || #42: Default gateway not found on darwin 10.6 x86_64 || #6: VLAN-Tagging (Pull Request) || #43: BSOD on hibernate in Windows Vista || #7: Unpackaged Windows binaries || #8: MacOSX Keychain Certificate support || #9: MacOSX making
07:30 < vpnHelper> ecrist: .dmg/.pkg || #11: --passtos feature || #27: Automated testing infrastructure || #28: Defect --multihome feature? || #29: push-reset should not reset topology and route-gateway from global config || #32: BSOD hangs when is TAP- enabled. Hyperthreaded or dual core. || #33: openvpn client cannot load certificate using "THUMB" || #34: OpenVPN Install and the Windows Path Environment (4 more messages)
07:37 -!- Meliorator [m@dunnington.eu] has quit [Ping timeout: 276 seconds]
07:46 -!- julius [~julius@217.20.127.15] has quit [Ping timeout: 276 seconds]
07:47 -!- julius [~julius@217.20.127.15] has joined ##openvpn
07:59 < havoc> bah
08:19 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
08:21 -!- SOG [~SOG@n1192365222.netvigator.com] has joined ##openvpn
08:27 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:35 -!- Meliorator [~m@dunnington.eu] has joined ##openvpn
08:40 -!- Meliorator [~m@dunnington.eu] has quit [Ping timeout: 276 seconds]
08:45 -!- mape2k [~mape2k@p5B285B4C.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
08:49 -!- ksk [~ksk@im.knubz.de] has joined ##openvpn
08:49 < ksk> hello there
08:49 < ksk> is there a way to set the mac-address of the tap-device running windows-clients?
09:03 -!- manevra [manevra@109.123.79.56] has joined ##openvpn
09:13 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:20 -!- dazo is now known as dazo_afk
09:21 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Ping timeout: 265 seconds]
09:33 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:41 -!- Meliorator [m@dunnington.eu] has joined ##openvpn
09:47 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
10:25 < havoc> yo
10:25 < havoc> figured out my win7 problems
10:25 < havoc> was routing and the way win7 handles route metrics :(
10:33 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:47 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
11:03 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has joined ##openvpn
11:33 -!- spq` [bnc00026@user.unregistered.de] has quit [Quit: Serverwechsel]
11:34 -!- spq` [bnc00026@user.unregistered.de] has joined ##openvpn
11:47 -!- Hypnoz [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
12:14 -!- oryxtec [oryxtec@119.152.10.202] has joined ##openvpn
12:16 < oryxtec> hi all i hve few question... regarding openvpn encription... i want to use sip traffic but my career does not allow me to use sip trafic so i configured openvpn on my server and on my desktop machine. but my question is... is there any chance that my career or any one else can snif my packet and see if i m using SIP trafic
12:16 < oryxtec> please guide me on this
12:17 < oryxtec> my career means my internet provider........
12:19 < Bushmills> oryxtec: only chance i see is if your dns requests don't go through vpn, and from the resolved ip addresses it could be seen what you (may be) connecting to.
12:22 < oryxtec> yup that is why.. i m sending dns info over the vpn
12:23 < oryxtec> rite now i m only connected with my server with IP address.. soo i can ping it and send those packets i want...
12:24 < oryxtec> i m not routing gateway and dns to my openvpn server
12:24 < oryxtec> soo in this case no one can see that i m sending sip traffic on my vpn
12:24 < oryxtec> correcT??
12:25 < Bushmills> i'd say so, yes
12:25 < oryxtec> humm nice
12:25 < Bushmills> ehm .. wait ...
12:25 < oryxtec> ok?
12:25 < Bushmills> you send your voip traffic to the same machine which is your vpn server?
12:25 < oryxtec> yesw
12:26 < Bushmills> to the address of its tun interface?
12:27 < oryxtec> i didn't get it wht u mean by the
12:27 < oryxtec> that
12:28 < Bushmills> traffic to public interface ip address of your vpn server will not go through openvpn. 
12:29 < Bushmills> vpn can't tunnel its own tunnel, after all
12:30 < oryxtec> but it is working for me.. 
12:31 < oryxtec> i m using it rite now :S
12:31 < oryxtec> how is working for me
12:32 < Bushmills> say, the public ip address of your vpn server is 12.12.12.12, and the address of your tun interface is 10.10.10.10.  traffic sent to 10.10.10.10 will go through openvpn.  traffic sent to 12.12.12.12 won't,
12:33 < Bushmills> as remote is probably the server, make it 10.10.10.1
12:34 < Bushmills> type of traffic to 12.12.12.12 is visible to provider.  type of traffic to 10.10.10.1 isn't
12:34 < oryxtec> yup that correct... if i send trafic to my tun interface which 10.8.0.1 it go through my openvpn.. 
12:35 < oryxtec> i m sending all sip trafic to tun interface 10.8.0.1 soo they can't snif my trafic.. correct
12:36 < Bushmills> ok. that's mostly a concern when you redirect all traffic through vpn server, and forget that traffic to server itself does not go through tunnel
12:37 < Bushmills> (because there's a route table entry, telling traffic to go through your - most likely - ethernet interface)
12:37 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
12:38 < oryxtec> humm what iptable entry do i need to make?
12:39 < oryxtec> and i didn't get ur point ------ most likely eth interface?
12:39 < oryxtec> wht do u mean by that?
12:39 < oryxtec> i have only 2 interface. one is eht0 2nd one is vpn tunl
12:40 < Bushmills> could be wlan or ppp instead. so i guessed your interface to wan would be eth
12:40 < oryxtec> yes
12:40 < Bushmills> you didn't tell me, after all
12:40 < oryxtec> only eth0
12:40 < oryxtec> ooh ok..
12:40 < oryxtec> soo in that case
12:40 < oryxtec> i don't have to make any entry
12:40 < oryxtec> correct
12:41 < Bushmills> should be correct. as you sepecifed the vpn ip address of your server
12:41 < Bushmills> specified
12:43 < oryxtec> yup
12:44 < oryxtec> soo as i have explan u my all senrio .... now are you sure my internet provider can't sinf my sip trafic over vpn
12:45 < oryxtec> corrct no metter if they have good snifing hardware
12:47 < oryxtec> ??
12:55 < oryxtec> Bushmilla: u there?
13:14 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:20 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has quit [Quit: Leaving.]
13:20 -!- Zero3K [Zero3K@216.59.18.195] has joined ##openvpn
13:22 < Zero3K>  could someone please compile a Windows version of OpenVPN v2.1.2 (with the enable-password-save option) for me?
13:24 -!- picard1400 [~chatzilla@ip70-181-112-218.oc.oc.cox.net] has joined ##openvpn
13:24 < picard1400> howdy guys..
13:24 < picard1400> so im a new user to this whole vpn thing.. i pay for a vpnservice from a website called
13:24 < picard1400> anonyproz.com ... how do i set this up with openvpn on ubuntu 10.04? i have done sudo apt-get install openvpn and that is about it ... (;
13:25 < picard1400> they have config files but i sitll have no idea w ht to do
13:26 < Bushmills> !readme
13:27 < vpnHelper> Bushmills: Error: "readme" is not a valid command.
13:27 < Bushmills> !hosto
13:27 < vpnHelper> Bushmills: Error: "hosto" is not a valid command.
13:27 < Bushmills> !howto
13:27 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:28 < ecrist> silly question, is there a way to reread the openvpn config without killing all the clients, but pushing new config to new client connections?
13:29 < Dougy> hm
13:29 < Dougy> hi
13:31 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
13:32 < hix-nix> *yawn*
13:32 < Dougy> yi
13:32 < Dougy> yo
13:33 < hix-nix> im still tired....
13:33 < Dougy> sup hix-nix 
13:33 < hix-nix> watching youtube, freddiew
13:33 < Dougy> how was that trip to look at the gear
13:33 < hix-nix> havent gone yet
13:33 < Dougy> op
13:33 < Dougy> o
13:33 < Dougy> did you fix your vpn issues?
13:34 < Dougy> im freakin stupid. i built a box to serve as a dhcp server / router for this office building, and i completely forgot about m0n0wall and pfsense.. i just used cnetos
13:34 < Dougy> centos
13:34  * Dougy facepalm
13:34 < hix-nix> dude, Untangle
13:34 < hix-nix> its done before you finish
13:34 < Dougy> m0n0wall looks perfect
13:34 < hix-nix> 30 mins and the dhcp server is setup configged and all that
13:34 < abeehc-_> m0n0 is perfect
13:35 < Dougy> took me 5 minutes to get dhcpd setup and running
13:35 < Dougy> but fixing the little bugs now is a pain in the ass and nobody that works in the building is tech savvy
13:35 < Dougy> and my guy who took the machine there and racked it is now away
13:36 < ecrist> !management-interface
13:36 < vpnHelper> ecrist: Error: "management-interface" is not a valid command.
13:36 < Dougy> hi eric!!
13:37 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
13:37 < ecrist> hi Dougy 
13:39 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
13:41 < hix-nix> Dougy, http://www.youtube.com/watch?v=vy5saRyMymM
13:41 < vpnHelper> Title: YouTube - Apple computers are more racist than HP computers (at www.youtube.com)
13:41 < hix-nix> HAHAHAHA
13:43 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Quit: leaving]
13:44 < Dougy> hix-nix: http://www.youtube.com/watch?v=tgSienhtm3o
13:44 < vpnHelper> Title: YouTube - Difference Between American & British Culture (at www.youtube.com)
13:44 < hix-nix> hahaha
13:44 < hix-nix> thats awesome
13:45 < hix-nix> PWND
13:45 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
13:49 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
13:55 -!- Azhax [~MyAzhax@60.51.94.220] has joined ##openvpn
13:55 < Zero3K>  could someone please compile a Windows version of OpenVPN v2.1.2 (with the enable-password-save option) for me?
13:56  * Bushmills googles this funny term "Windows"
14:00 < Zero3K> I guess that's a no then
14:01 < hyper_ch> Bushmills: that's the holes in the walls of your dwellings that enable you to see what's going on outside
14:05 < Zero3K> heh
14:05 < Zero3K> then where could I ask?
14:06 < Bushmills> google says "a program loader, popular with a certain class of game computers"
14:10 -!- detys [~detys@ks31179.kimsufi.com] has joined ##openvpn
14:10 < detys> Hi
14:10 < detys> I saw in the Docu that there is a --shaper can it be applied to each user? like each user gets 5Mbit/s or is it only global?
14:12 < hyper_ch> Bushmills: seems google is wrong
14:12 < nat2610_> I'd like to check that the port 1194 is open from the internet
14:12 < nat2610_> is there a way to check that ? 
14:12 < detys> use grc security port probe
14:12 < detys> google it
14:12 < detys> "grc security port probe"
14:13 < detys> No one can help me with bandwith limit?
14:28 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Read error: Connection reset by peer]
14:28 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
14:29 < nat2610_> ok I've something odd going on ... I established a vpn connection between my server and client I can ping things like google but when I try to open the page it fails
14:29 < nat2610_> how do I troubleshoot that ? 
14:30 < nat2610_> there is no noticable error in the log
14:30 < nat2610_> and the same conf works with a different server in a different location.. 
14:34 -!- RedT0mt01 [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has quit [Read error: Connection reset by peer]
14:34 -!- Azhax_ [~MyAzhax@60.51.94.220] has joined ##openvpn
14:35 -!- Azhax_ [~MyAzhax@60.51.94.220] has quit [Read error: Connection reset by peer]
14:36 < Dougy> Zero3K: here is the place ot ask
14:36 < Dougy> to
14:36 < Dougy> i like windows unlike the majority of those in this channnel however i dont compile stuff
14:38 -!- Azhax [~MyAzhax@60.51.94.220] has quit [Ping timeout: 265 seconds]
14:39 -!- RedT0mt0m [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has joined ##openvpn
14:45 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
14:48 -!- simplechat_ [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
14:57 < Zero3K> ok
14:57 < Zero3K> hmm
14:57 < Zero3K> I tried to compile it
14:57 < Zero3K> but is not that easy...
14:58 < Zero3K> *its
15:04 < detys> what Os do you have an why do you need to compile it?
15:05 < Zero3K> Windows 7
15:05 < Zero3K> so I can enable the saving of passwords
15:05 < detys> oh
15:05 < detys> don't lol
15:05 < detys> you can find it precompiled
15:05 < Zero3K> well
15:06 < Zero3K> its not the latest version though
15:06 < detys> yes
15:06 < detys> i have 2.1
15:06 < Zero3K> I mean.
15:06 < Zero3K> 2.1.2
15:06 < detys> 2.1.1 final
15:06 < detys> ah ok
15:06 < detys> whats new in 2.1.2?
15:06 < Zero3K> a whole bunch of stuff
15:06 < detys> you sure you need that stuff?
15:06 < Zero3K> hmm
15:07 < Zero3K> well
15:07 < Zero3K> I like being up-to-date
15:07 < detys> oh they fixed a vulnerability
15:08 < detys> can you share your compilation when your done?
15:08 < Zero3K> heh
15:08 < Zero3K> I'm not doing it
15:09 < detys> here's a howto lol http://botsikas.blogspot.com/2008/10/building-openvpn-with-enable-password.html
15:09 < vpnHelper> Title: Botsikas' Blog: Building openvpn with enable-password-save on windows (at botsikas.blogspot.com)
15:10 < Zero3K> I know about that
15:11 < detys> oO
15:11 < detys> TAP-Win32 adapter can now be opened from non-administrator mode.
15:11 < detys> oh bummer
15:11 < detys> "Option with open TAP adater in Windows as non-administrator not working properly on Windows 7 64 bit. TAP adapter can not be signed in Windows 64bit so its unavalable.
15:11 < detys> During installation new build dont ask to “allow” intall TAP adapter as it was with OpenVPN 2.1.1"
15:14 -!- Zero3K [Zero3K@216.59.18.195] has quit [Quit: Zero3K]
15:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
15:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:41 < nat2610_> I'm setting up a vpn I have the  vpn connection between my server and client I can ping things like google but when I try to open the page it fails Anyone know what I could be checking ? 
15:49 < Bushmills> !redirect
15:49 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
15:50 < Bushmills> turn off proxy in web browser. or use a proxy which is in your route. or set a host route to your proxy
15:50 < Bushmills> !firewall
15:50 < vpnHelper> Bushmills: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
16:06 -!- tessier [~treed@kernel-panic/copilotco] has joined ##openvpn
16:07 < tessier> Hello all! Does the linux command line openvpn client come with the openvpn server source? I want to use a Linux box as an openvpn client to connect to another openvpn server.
16:10 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
16:16 < Bushmills> there is no client.  there is openvpn, and its config determines whether it works as client or server
16:18 < nat2610_> Bushmills, thanks ! it was something missing in my fw config
16:27 < rasengan> client-connect script -- if exit returns 0 should auth_success and if exit returns a non 0 number (like 1) it should auth_fail ? o_O
16:31 -!- oryxtec [oryxtec@119.152.10.202] has quit []
16:36 < kisom> fyll som ett djur :dd
16:36 < kisom> partyyyy
16:37  * kisom -> drunk_on_ssh()
16:37 -!- detys [~detys@ks31179.kimsufi.com] has quit [Ping timeout: 252 seconds]
16:44 -!- detys [~detys@193.48.172.6] has joined ##openvpn
16:52 -!- detys [~detys@193.48.172.6] has quit [Ping timeout: 252 seconds]
17:14 -!- Zero3K [Zero3K@216.59.18.195] has joined ##openvpn
17:16 -!- Zero3K [Zero3K@216.59.18.195] has left ##openvpn []
17:17 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
17:37 -!- Raccoon` [~bismuth@71-222-220-78.albq.qwest.net] has joined ##openvpn
17:39 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
17:42 < tessier> Bushmills: Got it installed and running already, thanks!
17:43 < tessier> I am connecting two networks. I want to tell the server that this client has a whole network behind it. I have added iroute 10.0.2.0 255.255.255.0 to the ccd/name file. Shouldn't I be seeing that as a route on the server?
17:49 < Raccoon`> i've installed  openvpn-2.1.1-install.exe  for windows, and i'm reading through the README and build-*.bat files to generate the security certificates, et al
17:50 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
17:50 < Raccoon`> but the batch files are assuming non-existant variables, and i have no idea what inputs the openssl.exe is actually looking for.
17:50 < Raccoon`> could someone direct me to a page with step-by-step examples?
17:51 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:53 < vpnHelper> RSS Update: forum: Server Administration :: Re: Issues with the new 2.1.2 client and driver signature. ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7019&p=7622#p7622>
18:07 < tessier> hmm...I seem to have the routing working on both sides of the two networks I am connecting up to the openvpn client which seems to be refusing to route between the LAN and the tunnel.
18:09 < ecrist> !config plugins.RSS.announcementPrefix RSS Update - 
18:09 < vpnHelper> ecrist: Joo got it.
18:09 < ecrist> !forum
18:09 < vpnHelper> ecrist: Server Administration :: Re: Issues with the new 2.1.2 client and driver signature. ... || Server Administration :: Re: Issues with the new 2.1.2 client and driver signature. ... || Testing branch :: Re: Snapshots :: Reply by ecrist || Wishlist :: Compiling OpenVPN v2.1.2 with enable-password-save option :: Author Zero3K
18:16 < Dougy> h gyus
18:17 < tessier> Do I have to do anything special to make the openvpn client route between the tunnel and the local lan as far as openvpn config goes?
18:17 < tessier> I have appropriate net routes on each side of the client and it can ping hosts in the networks on either end.
18:17 < ecrist> tessier: ip.forwarding = 1
18:17 < tessier> But nobody can ping through the client.
18:17 < tessier> ecrist: That was the first thing I checked.
18:17 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Quit: Leaving.]
18:17 < tessier> [root@gw openvpn]# cat /proc/sys/net/ipv4/ip_forward 
18:17 < tessier> 1
18:17 < ecrist> that should be all you need, otherwise see stanza 3 in /topic
18:18 < ecrist> ;)
18:18 < tessier> There is no firewall running on the client machine.
18:18 < tessier> Machines on either network can ping the client machine but not through it. The client machine can ping anything in either network.
18:18 < ecrist> do both ends know how to route?
18:18 < ecrist> !route
18:18 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:19 < ecrist> that document will likely aid you
18:20 < tessier> The problem seems to be the tun0 interface on the client. The local network cannot ping it. But can ping the eth0 on the openvpn client. The remote network can ping the tun0 interface on the client.
18:20 < tessier> Thanks, I'll read up on that...
18:22 < tessier> Actually, it makes sense that the local network cannot ping the 192.168.10.0/24 network. That is just for routing the vpn. The gateway on that network has a network route for my 10.0.2.0/24 pointing at the openvpn client which is 10.0.2.2.
18:22 < tessier> The remote network can ping the tun0 on the client because the gateway on that network runs the openvpn server.
18:23 < ecrist> tessier: does a traceroute on the client's LAN for a VPN IP show a proper route?
18:24 < jpalmer> ecrist: is there a way to bridge multiple openvpn servers,  so that a client can connect to any of them.. get a static IP (ccd) and be accisble from a client on any of the others?
18:24 < ecrist> sure, just put all the tap interfaces on the same bridge interface
18:24 < jpalmer> well,  the openvpn servers would be in different datacenters
18:24 < ecrist> ifconfig bridge0 addm tap0 addm tap1 addm tap2 addm tap3
18:25 < ecrist> jpalmer: what you'd need is two VPN setups, really
18:25 < ecrist> one network between the VPN server, and then the instance for all the clients to connect to.
18:25 < jpalmer> *nod*   thats kinda what I was thinking.  but haven't determined the best way to do it
18:25 < ecrist> that being said, we sort of do the same thing at $job now
18:26 < ecrist> look at it in terms of an IRC network.
18:26 < ecrist> you have hubs and leafs
18:26 < ecrist> the leafs are the clients, the hubs are the vpn servers
18:26 < ecrist> some hubs connect to other hubs, some leafs connect to parent hubs, etc
18:27 < jpalmer> can I send you a diagram,  it may help you visualize what I'm hoping to accomplish
18:28 < tessier> ecrist: I just added a route on the client's local gateway pointing my vpn network to the vpn client. Now everyone can ping the client's tun0.
18:28 < ecrist> tessier: if you had read that route document I linked you, it would have helped.
18:28 < tessier> ecrist: But nobody can as yet ping through it. Even though the client can ping everything. I'm reading it now.
18:28 < tessier> But you keep asking questions which I want to respond to. :)
18:29 < ecrist> tessier: most of my recent statements have been directed at jpalmer 
18:30 < tessier> ecrist: Right but they were made while I was testing: < ecrist> tessier: does a traceroute on the client's LAN for a VPN IP show a proper route?
18:30 -!- Raccoon- [~bismuth@71-222-220-78.albq.qwest.net] has joined ##openvpn
18:30 < ecrist> ah
18:30 -!- Raccoon` [~bismuth@71-222-220-78.albq.qwest.net] has quit [Read error: Connection reset by peer]
18:30 < tessier> hmm...I don't have client-to-client enabled. I am going to be needing that anyway.
18:31 < ecrist> it's friday, I'm starting my rum+coke install, you may note certain memory checksum errors
18:31 < tessier> That leads to a crash. :)
18:34 < ecrist> only if the file system gets full
18:34 < ecrist> which can result in the uninstall of dinner
18:36 < ecrist> gah!
18:37 < ecrist> afk a few
18:40 -!- manevra [manevra@109.123.79.56] has quit [Quit: Leaving]
18:45 < tessier> In this diagram: http://www.secure-computing.net/wiki/images/9/90/Ovpn_routing.jpg if the server pushes a route for 10.10.1.0 to Client1 won't that send 10.10.1.0 over the vpn and break client1's connectivity to the local lan?
18:47 < tessier> Fri Aug 20 16:47:38 2010 WARNING: potential route subnet conflict between local LAN [10.0.2.0/255.255.255.0] and remote VPN [10.0.2.0/255.255.255.0]
18:47 < tessier> Yep. Seems to...
18:48 < tessier> and I can't talk locally
18:49 < tessier> Seems like maybe the iroute should prevent that. 
18:54 -!- Hypnoz [~X@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Ping timeout: 265 seconds]
18:59 -!- gh0st3r [~gh0st@123.243.120.136] has joined ##openvpn
18:59 < gh0st3r> Got a OpenVPN server setup, got a couple of clients connected... I can ping through the VPN and make TCP connections through it
18:59 < gh0st3r> I can't seem to get SNMP or other UDP protocols working...
18:59 < gh0st3r> Is there some conf line im missing?
19:02 < ecrist> gh0st3r: if traffic is flowing, the only thing to look at is the firewall
19:17 < tessier> ecrist: Any comment on my subnet conflict above? I have the iroute 10.0.2.0 255.255.255.0 in my ccd/client file
19:20 < tessier> Maybe it isn't seeing my ccd/client file somehow...
19:35 < tessier> Well holy shit
19:36 < tessier> That explains why a whole lot of things haven't worked as expected.
19:36 < tessier> All of the docs show: client-config-dir ccd
19:36 < tessier> So I thought it was relative to where openvpn was running from.
19:36 < tessier> I change it to client-config-dir /etc/openvpn/ccd and everything just works.
19:36 < ecrist> it's relative to your config file
19:36 < ecrist> or cwd
19:36 < tessier> My config file is in /etc/openvpn
19:37 < tessier> so....I expected specifying just ccd to work
19:49 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has joined ##openvpn
19:56 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 240 seconds]
20:04 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
20:08 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has joined ##openvpn
20:27 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 255 seconds]
20:34 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
20:35 -!- Chaze [~Chase@dslb-084-059-140-206.pools.arcor-ip.net] has joined ##openvpn
20:38 < Chaze> right now, i have my server config file in the same directory as all key files. i start the process from that directory, and everything works
20:38 < Chaze> but what if i want to run openvpn on startup: i'd have to put the config in /etc/openvpn so it gets executed
20:39 < Chaze> how can i set the correct directory for the key files?
21:07 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
21:08 < Chaze> for the record, rather obviously: with "--cd /my/path"
21:30 < gh0st3r> Got a OpenVPN server setup, got a couple of clients connected... I can ping through the VPN and make TCP connections through it
21:30 < gh0st3r> I can't seem to get SNMP or other UDP protocols working...
21:30 < gh0st3r> Is there some conf line im missing?
21:30 < gh0st3r> sorry guys to repost... but i got kicked off :(
21:30 < gh0st3r> hoping someone can answer
21:34 -!- Chaze [~Chase@dslb-084-059-140-206.pools.arcor-ip.net] has quit [Quit: Chaze]
21:37 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
21:51 < ecrist> wow, he waited long enough.
21:51 < ecrist> gh0st3r: I answered your question earlier.
21:52 < ecrist> you're still tolking on the same connection...
21:53 < gh0st3r> ecrist, sorry
21:53 < gh0st3r> ecrist, the firewall... there isn't a firewall currently between them
21:53 < gh0st3r> ecrist, they make the connection
21:54 < ecrist> ok, there's nothing in OpenVPN that would allow TCP and not UDP or ICMP
22:16 -!- naquad [~naquad@174.142.224.219] has quit [Quit: ZNC - http://znc.sourceforge.net]
22:21 -!- naquad [~naquad@174.142.224.219] has joined ##openvpn
22:36 -!- SOG [~SOG@n1192365222.netvigator.com] has quit [Ping timeout: 276 seconds]
22:38 -!- SOG [~SOG@n1192365222.netvigator.com] has joined ##openvpn
22:52 -!- SOG [~SOG@n1192365222.netvigator.com] has quit [Ping timeout: 252 seconds]
22:57 -!- corretico [~laguilar@201.201.44.82] has quit [Read error: Connection reset by peer]
23:04 -!- gh0st3r [~gh0st@123.243.120.136] has quit [Read error: Connection reset by peer]
23:16 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:20 -!- gh0st3r [~gh0st@123.243.120.136] has joined ##openvpn
--- Day changed Sat Aug 21 2010
00:08 -!- SOG [~SOG@n1192365222.netvigator.com] has joined ##openvpn
00:19 -!- gh0st3r [~gh0st@123.243.120.136] has quit [Read error: Connection reset by peer]
00:32 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
00:33 -!- gh0st3r [~gh0st@123.243.120.136] has joined ##openvpn
00:45 -!- SOG_ [~SOG@n112118141015.netvigator.com] has joined ##openvpn
00:48 -!- SOG [~SOG@n1192365222.netvigator.com] has quit [Ping timeout: 258 seconds]
00:48 -!- SOG_ is now known as SOG
00:48 < tessier> Now that my vpn is all working I need to make sure the systems install all of the correct routes when they get rebooted etc.
00:49 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
00:49 -!- mode/##openvpn [+o mattock] by ChanServ
00:58 < rasengan> anyone know anythign about client-connect script, the path to the script, and using it w/ chroot dirtive
00:58 < rasengan> directive*
01:18 -!- detys [~detys@193.48.172.6] has joined ##openvpn
01:18 < detys> Hi
01:18 < detys> has anyone been able to impliment per user speed limit? like 5mbit/s per user?
01:30 < hyper_ch> hi there
01:52 -!- Raccoon- [~bismuth@71-222-220-78.albq.qwest.net] has quit [Ping timeout: 265 seconds]
01:55 -!- rasengan [~rasengan@96.43.136.14] has quit [Quit: WeeChat 0.3.2]
02:20 -!- gh0st3r [~gh0st@123.243.120.136] has quit [Quit: Leaving]
02:38 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection reset by peer]
02:56 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
03:48 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has joined ##openvpn
03:52 < kisom> morning
03:56 < hyper_ch> hi kisom
03:56 < hyper_ch> your nickname always reminds me of someone else
04:12 -!- simplechat_ [~simplecha@unaffiliated/simplechat] has joined ##openvpn
04:13 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
04:22 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has quit [Ping timeout: 258 seconds]
04:30 -!- detys [~detys@193.48.172.6] has quit [Ping timeout: 252 seconds]
05:18 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has joined ##openvpn
05:43 -!- simplechat_ [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
06:11 -!- Diffen2 [~diffen2@user8.85-195-0.netatonce.net] has joined ##openvpn
06:15 < kisom> :)
06:16 < hyper_ch> kisom: you know Ephraim Kishon?
06:18 -!- Diffen2 [~diffen2@user8.85-195-0.netatonce.net] has left ##openvpn ["Leaving"]
06:25 -!- simplechat_ [~simplecha@unaffiliated/simplechat] has joined ##openvpn
06:30 -!- Cain` [~Geek@unaffiliated/cain] has joined ##openvpn
06:32 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
06:32 -!- Cain` is now known as Cain
07:00 -!- SOG [~SOG@n112118141015.netvigator.com] has quit [Quit: SOG]
07:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:39 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has quit [Ping timeout: 245 seconds]
08:17 -!- SOG [~SOG@n112118141015.netvigator.com] has joined ##openvpn
08:24 -!- Chaze [~Chase@dslb-084-059-038-030.pools.arcor-ip.net] has joined ##openvpn
08:25 < Chaze> i have set the status log with "status /my/logfile"
08:25 < Chaze> any idea why it doesn't contain any entries?
08:25 < Chaze> just the header
08:27 < ecrist> because nobody's logged in to the vpn?
08:27 < hyper_ch> hi ecrist
08:27 < hyper_ch> happy saturday to you
08:28 < ecrist> indeed. :)
08:28 < hyper_ch> care for some beer?
08:28 < ecrist> heh, it's only 8:28am
08:28 < hyper_ch> you're in the wrong timezone
08:28  * hyper_ch rolls a keg in the room
08:28 < hyper_ch> beer time :)
08:36 < Chaze> ecrist: oh, it writes *live* connections in that file!
08:36 < ecrist> yes
08:36 < Chaze> ecrist: can i someone store this permanently?
08:36 < ecrist> yes, but you need to capture that data with a client disconnect script, or a scraper
08:36 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has joined ##openvpn
08:38 < Chaze> ecrist: any resources on that?
08:38 < ecrist> nope
08:40 < Dougy> http://img153.imageshack.us/img153/617/birdhair.jpg
08:42 < LowKey> nice hair
08:45 < Dougy> win
08:45 < Chaze> ecrist: is it the --down parameter?
08:49 < ecrist> --client-disconnect
08:49 < Chaze> i see. what's --down?
08:49 < ecrist> read the man page
08:49 < Chaze> --down Executed after TCP/UDP and TUN/TAP close.
08:49 < Chaze> don't see the difference
08:50 < Chaze> is it on server shutdown?
08:50 < ecrist> now read the secont for --client-disconnect
08:50 < Chaze> yeah, i get that one
08:51 -!- Raccoon- [~bismuth@71-222-220-78.albq.qwest.net] has joined ##openvpn
08:51 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has quit [Read error: Connection reset by peer]
08:51 < ecrist> down is used in a connection-specific context.  i.e. on a client system, say you want to send an email with the vpn goes downf
08:52 < ecrist> or in a server instance, you want to close holes in your firewall when the server shuts down openvpn
08:52 < Chaze> i have a sample script that contains "down /etc/openvpn/update-resolv-conf"
08:52 < ecrist> also, read the section of the man page regarding environment variables
08:52 < Chaze> ecrist: will do
09:20 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:28 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
09:51 -!- simplechat_ [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
10:01 -!- rasengan [~rasengan@96.43.136.14] has joined ##openvpn
10:02 < rasengan> If you generate a certificate, is the only way to stop the certificate from being used to connect by revoking?  Is there another way to completely remove it from the database so it does not work anymore?
10:10 < Chaze> this is weird: when i add a "client-connect" script, clients get queried for a name and password..
10:10 < Chaze> the script does nothing but "exit 0"
10:10 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
10:35 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
10:43 < Meliorator> hi all, are there any buffers or anything that i can play with to try to improve transfer times over openvpn?
10:43 < Meliorator> i'm transfering a large file over cifs in the vpn...
10:44 < Meliorator> doing the same, outside of the vpn, is litteraly 10x faster
10:51 < Bushmills> Meliorator: using udp for vpn?
10:51 < Meliorator> cifs is TCP
10:51 < Meliorator> oh
10:51 < Meliorator> for vpn
10:51 < Meliorator> uhm
10:51 < Meliorator> let me see...
10:52 < Meliorator> proto tcp
10:53 < Bushmills> try udp
10:53 < Bushmills> !tcp
10:53 < vpnHelper> Bushmills: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
10:54  * Meliorator takes some time to read and digest over a cuppa
10:55 -!- simplechat_ [~simplecha@unaffiliated/simplechat] has joined ##openvpn
10:58 < Meliorator> it's the classic situation of "sucks itself up it's own a***hole"
11:04 -!- Chaze [~Chase@dslb-084-059-038-030.pools.arcor-ip.net] has quit [Quit: Chaze]
11:09 -!- manevra [manevra@95.154.230.206] has joined ##openvpn
11:12 < Meliorator> that's faster than it was, but still only ~ 40% of the speed it should be
11:14 < Meliorator> thanks Bushmills, any other suggestions?
11:16 < Bushmills> tun or tap?
11:17 < Meliorator> tun
11:22 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Quit: changing servers]
11:23 -!- LowKey [noc@unaffiliated/lowkey] has joined ##openvpn
11:24 < manevra> i have 2 ips how do i configure open vpn to give every user that connects a single public ip so he can browse the internet?
11:24 < hyper_ch> manevra: two ips where? user connect from?
11:25 < manevra> on the vpn server i have 2 ips... user connects from another computer in a different location
11:26 < hyper_ch> just let that user run openvpn client and connect him to the vpn network
11:28 < manevra> yes and what ip will he have when he browses the internet
11:28 < manevra> from his computer
11:28 < manevra> while connected to the vpn
11:28 < hyper_ch> depends
11:29 < manevra> can't i set to have a single one?
11:29 < manevra> from the 2 i have
11:29 < manevra> a default one
11:29 < hyper_ch> if def1 is used, then everything goes through the vpn
11:29 < hyper_ch> if not, it depends on the routing
11:29 < hyper_ch> I think
11:30 < manevra> there must be a setting in openvpn where i can choose the ip for clients
11:30 < manevra> i will look better
11:31 < hyper_ch> !howto
11:31 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:31 -!- LowKey [noc@unaffiliated/lowkey] has quit [Remote host closed the connection]
11:34 -!- LowKey [rhel@forgotten.serv.my] has joined ##openvpn
11:34 -!- LowKey [rhel@forgotten.serv.my] has quit [Changing host]
11:34 -!- LowKey [rhel@unaffiliated/lowkey] has joined ##openvpn
11:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
11:34 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Remote host closed the connection]
11:35 -!- LowKey [rhel@unaffiliated/lowkey] has joined ##openvpn
11:43 < Bushmills> manevra: your users don't need public ip addresses to browse the internet
11:43 < Bushmills> they'd need public ip addresses if they were to offer services
11:44 < Bushmills> !ccd
11:44 < vpnHelper> Bushmills: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
11:44 < Bushmills> use that with ifconfig-push to specify instead of automatically assign ip addresses
11:45 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
11:48 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
11:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:52 -!- Martz [~Martz@unaffiliated/martz] has joined ##openvpn
11:54 -!- Martz^ [~Martz@unaffiliated/martz] has quit [Ping timeout: 240 seconds]
12:01 < LowKey> how to stop openvpn process on centos?
12:05 < Bushmills> LowKey: try on #centos:  "how can i stop a process"
12:07 -!- fr00d [fr00d@unaffiliated/fr00d] has quit [Quit: leaving]
12:13 -!- detys [~detys@193.48.172.6] has joined ##openvpn
12:30 -!- manevra [manevra@95.154.230.206] has quit [Quit: Leaving]
12:51 -!- detysd [~detys@ks31179.kimsufi.com] has joined ##openvpn
12:53 -!- detys [~detys@193.48.172.6] has quit [Ping timeout: 252 seconds]
12:59 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 272 seconds]
13:00 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
13:05 < rasengan> how do i delete a client/key/etc. altogether rather than revoke a key?
13:06 -!- simplechat_ [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
13:10 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
13:13 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
13:13 -!- Cain [~Geek@unaffiliated/cain] has quit [Read error: Connection reset by peer]
13:27 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Disconnected by services]
13:27 -!- intralanman [~lanman@117.205.233.166.in-addr.arpa] has joined ##openvpn
13:30 -!- straterra [~straterra@fuhell.com] has left ##openvpn []
13:37 -!- detysd [~detys@ks31179.kimsufi.com] has quit [Ping timeout: 252 seconds]
13:38 -!- detys [~detys@ks31179.kimsufi.com] has joined ##openvpn
13:40 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has quit [Ping timeout: 260 seconds]
13:46 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has joined ##openvpn
13:49 -!- intralanman [~lanman@117.205.233.166.in-addr.arpa] has quit [Quit: This computer has gone to sleep]
13:50 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
14:04 -!- detys [~detys@ks31179.kimsufi.com] has quit [Ping timeout: 252 seconds]
14:08 -!- detys [~detys@193.48.172.6] has joined ##openvpn
14:10 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- The professional IRC Client :D]
14:49 -!- brah [~brah@186.125.74.117] has joined ##openvpn
15:05 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Read error: Connection reset by peer]
15:06 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
15:10 -!- detys [~detys@193.48.172.6] has quit [Ping timeout: 252 seconds]
15:30 -!- detys [~detys@193.48.172.6] has joined ##openvpn
15:42 -!- Raccoon- [~bismuth@71-222-220-78.albq.qwest.net] has quit [Ping timeout: 276 seconds]
15:43 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has quit [Read error: Operation timed out]
15:51 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has joined ##openvpn
15:58 -!- dazo_h [~dazo@212.71.72.138] has joined ##openvpn
16:02 -!- detys [~detys@193.48.172.6] has quit []
16:12 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
16:15 -!- in^ [~chatzilla@unaffiliated/in/x-7550183] has joined ##openvpn
16:15 < in^> will openvpn run native as a server on a mac?
16:17 < dazo_h> in^:  yes it will
16:18 < in^> I installed from macports...
16:18 < in^> do you know how do I get bridge-utils installed?
16:18 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
16:19 < dazo_h> in^:  I don't know how OSX does bridging ... but I rather ask you if you know why you need bridging?
16:20 < in^> b/c i am vpning from work...  need to funnel all my web activity through home vpn
16:21 < dazo_h> but you can do that via pure routing, you don't need bridging
16:22 < dazo_h> there is a --redirect-gateway option, which takes care of that
16:22 < in^> oh i thought I had to bridge to use --redirect-gateway
16:23 < dazo_h> and by using tun instead of tap, you'll get less overhead (meaning: better speed), as you only transport IP packets over the VPN tunnel and not complete ethernet frames
16:23 < in^> nice
16:23 < dazo_h> nope, --redirect-gateway should work fine with tun devices as well
16:24 < in^> what is the command line to create tun devices?
16:24 < dazo_h> openvpn usually takes care of that automatically
16:24 < dazo_h> if you want it static, you can look up the --mktun option in the man page
16:24 < dazo_h> (openvpn man page, that is)
16:25 < in^> get an error when I use mktun
16:25 < dazo_h> are you doing it as root?
16:25 < in^> ahhh
16:25 < dazo_h> openvpn needs to be started as root/administrator ... no way around that
16:26 < in^> k
16:26 < in^> tun dev was not created by install
16:27 < dazo_h> on which platform?
16:27 < in^> maybe b/c it was done by macports
16:27 < in^> osx 10.64
16:27 < dazo_h> nope ... tun dev isn't created on any other OS during install than Windows
16:27 < in^> k
16:27 < dazo_h> *nix in general will create this device on-the-fly
16:27 < dazo_h> as long as the kernel supports tun devices
16:28 < in^> would openvpn2 -mktun --dev work?
16:28 < dazo_h> so just add --dev tun   in your config ... and you'll get f.ex tun0 when you start OpenVPN
16:28 < dazo_h> that could work ... but you normally don't need to use the --mktun at all
16:29 < in^> gotcha
16:29 < dazo_h> --mktun is mostly used when you need to prepare a bridge *before* the OpenVPN connection is established .... and as you're aiming for the routed path (--dev tun), you shouldn't need to worry about --mktun at all
16:30 < in^> k, well let me work on my server config then.... thanks for clearing all that up...I appreciate you!
16:31 < dazo_h> you're welcome! :)
16:38 < in^> would push "redirect-gateway def1 bypass-dhcp" work?
16:38 < in^> in my server config?
16:50 -!- dazo_h [~dazo@212.71.72.138] has quit [Ping timeout: 265 seconds]
16:52 -!- dazo_h [~dazo@212.71.72.138] has joined ##openvpn
16:53 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
16:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
16:54 -!- Nrg_ [pk@reaktio.net] has joined ##openvpn
16:58 -!- dazo_h [~dazo@212.71.72.138] has quit [Ping timeout: 246 seconds]
17:01 < Dougy> dazo_afk: ping
17:10 -!- Typone [~nnnnnnnit@195.197.184.87] has quit [Excess Flood]
17:12 -!- Typone [~nnnnnnnit@195.197.184.87] has joined ##openvpn
17:31 -!- corretico [~laguilar@201.201.44.82] has joined ##openvpn
17:35 -!- corretico [~laguilar@201.201.44.82] has quit [Read error: Connection reset by peer]
18:07 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
18:17 -!- corretico [~laguilar@201.201.44.82] has joined ##openvpn
18:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
18:55 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 252 seconds]
19:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
19:14 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
19:15 -!- Cain` [~Geek@unaffiliated/cain] has joined ##openvpn
19:26 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has quit [Ping timeout: 265 seconds]
20:04 -!- Cain` [~Geek@unaffiliated/cain] has quit [Read error: Connection reset by peer]
20:06 -!- Cain [~Geek@41.141.252.98] has joined ##openvpn
20:06 -!- Cain is now known as Guest9451
20:10 < picard1400> hey anyone here
20:10 < picard1400> is there a good guide showing or video tutorial about setting up openVPN on ubuntu?
20:10 -!- Guest9451 [~Geek@41.141.252.98] has quit [Client Quit]
20:10 < in^> have you checked youtube?
20:10 < in^> the HOWTO is pretty straight forward
20:11 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
20:13 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Quit: Leaving]
20:16 -!- brah [~brah@186.125.74.117] has quit [Ping timeout: 265 seconds]
20:17 < picard1400> in^ here is my problem./..
20:17 < picard1400> http://www.fcmspro.com/
20:17 < vpnHelper> Title: Flash Content Management System - fCMSPro - Flash CMS (at www.fcmspro.com)
20:17 < picard1400> sorry
20:17 < picard1400> ok here
20:17 < picard1400>  http://www.anonyproz.com/config.rar
20:18 < picard1400> i need to install those config files.. it has the .crt the .ovpn files etc.. for all the VPN servers i can connect too... how do i install that onto openVPN in ubuntu 10.04
20:18 < picard1400> also the .key files... i want to copy all of those over to my ubuntu machine and install them to use with openVPN.. how do i go about doing that?
20:23 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has joined ##openvpn
20:24 < in^> just copy the files into your config folder
20:25 < in^> are all the keys generated already?
20:25 < in^> is your ubuntu machine a client or server?
20:26 < in^> you'll need to install openvpn using your prefered install method
20:27 < in^> i.e. your package manager
20:31 < picard1400> yes
20:32 < picard1400> sorry i was away in^
20:32 < picard1400> my ubuntu is a server edition
20:32 < Dougy> dazo_afk: 
20:32 < picard1400> i did 
20:32 -!- Martz^ [~Martz@unaffiliated/martz] has joined ##openvpn
20:32 < picard1400> sudo apt-get install openvpn im not sure where to put the .opvn files .key and .crt files
20:32 < picard1400> .ovpn no .opvn
20:35 < vpnHelper> RSS Update - forum: Server Administration :: Re: Multiple connection on the server :: Reply by andrea <https://forums.openvpn.net/viewtopic.php?f=4&t=7007&p=7624#p7624> || Server Administration :: OpenVPN for windows 2003 clients :: Author blakelharris <https://forums.openvpn.net/viewtopic.php?f=4&t=7026&p=7625#p7625>
20:35 -!- Martz [~Martz@unaffiliated/martz] has quit [Ping timeout: 276 seconds]
21:21 -!- in^ [~chatzilla@unaffiliated/in/x-7550183] has left ##openvpn []
21:54 -!- Hypnoz [~X@184-194-134-26.pools.spcsdns.net] has joined ##openvpn
22:13 -!- Kurogane [~kuro@190.87.69.217] has joined ##openvpn
22:19 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
22:20 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
22:27 -!- hix-3 [~tommy@c-71-198-201-93.hsd1.ca.comcast.net] has joined ##openvpn
22:27 -!- hix-3 [~tommy@c-71-198-201-93.hsd1.ca.comcast.net] has quit [Changing host]
22:27 -!- hix-3 [~tommy@fu/infra/hix-nix] has joined ##openvpn
22:30 -!- hix-nix [~tommy@fu/infra/hix-nix] has quit [Ping timeout: 240 seconds]
22:35 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Operation timed out]
22:36 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
22:39 < picard1400> so anyone im back
22:39 < picard1400> how do i install those files
22:39 < picard1400> i have the .crt the .ovpn and .key files in a rar and what do i do to install them in open VPN
22:42 -!- Hypnoz [~X@184-194-134-26.pools.spcsdns.net] has quit [Ping timeout: 265 seconds]
22:54 -!- brah [~asdofp@190.183.62.66] has joined ##openvpn
22:57 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
22:58 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
23:18 -!- engrxyz [~adfadf@82-68-236-158.dsl.in-addr.zen.co.uk] has quit [Remote host closed the connection]
23:25 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
23:25 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
23:40 < Dougy> hmmm
23:41 < Dougy> picard1400: they go anywhere you wnat.
23:41 < Dougy> want
23:43 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Operation timed out]
23:44 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
--- Day changed Sun Aug 22 2010
00:05 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
00:06 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
00:24 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
00:25 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
00:36 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
00:44 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
00:45 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
01:02 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Operation timed out]
01:03 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
01:03 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
01:07 -!- corretico [~laguilar@201.201.44.82] has quit [Read error: Connection reset by peer]
01:16 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has quit [Ping timeout: 240 seconds]
01:21 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
01:22 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has joined ##openvpn
01:22 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
01:24 -!- Kurogane [~kuro@190.87.69.217] has quit [Read error: No route to host]
01:26 -!- Kurogane [~kuro@190.87.69.217] has joined ##openvpn
01:31 -!- simplechat_ [~simplecha@unaffiliated/simplechat] has joined ##openvpn
01:38 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:38 -!- mode/##openvpn [+o mattock] by ChanServ
01:41 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
01:42 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
01:43 -!- SOG [~SOG@n112118141015.netvigator.com] has quit [Quit: SOG]
01:44 < hyper_ch> !howto
01:44 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
01:51 -!- asdfl [~asdofp@190.183.62.66] has joined ##openvpn
01:51 -!- brah [~asdofp@190.183.62.66] has quit [Disconnected by services]
01:52 -!- asdfl [~asdofp@190.183.62.66] has quit [Client Quit]
01:52 -!- brah [~asdofp@190.183.62.66] has joined ##openvpn
01:52 -!- asdfl [~asdofp@190.183.62.66] has joined ##openvpn
01:52 -!- asdfl [~asdofp@190.183.62.66] has quit [Read error: Connection reset by peer]
01:53 -!- brah [~asdofp@190.183.62.66] has quit [Disconnected by services]
01:53 -!- asdfl [~asdofp@190.183.62.66] has joined ##openvpn
01:53 -!- brah [~asdofp@190.183.62.66] has joined ##openvpn
01:56 -!- asdfl [~asdofp@190.183.62.66] has quit [Client Quit]
02:02 < hyper_ch> !ccd
02:02 < vpnHelper> hyper_ch: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
02:04 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
02:04 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
02:19 -!- Kurogane [~kuro@190.87.69.217] has quit [Remote host closed the connection]
02:26 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
02:27 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
02:28 -!- simplechat_ [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
02:45 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
02:46 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
02:49 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
03:05 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
03:06 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
03:18 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Excess Flood]
03:23 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
03:25 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
03:25 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
03:28 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
03:35 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:44 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
03:45 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
03:46 -!- buntfalke_ is now known as buntfalke
03:57 -!- simplechat_ [~simplecha@unaffiliated/simplechat] has joined ##openvpn
04:15 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
04:16 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
04:35 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
04:36 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
04:54 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
04:55 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
05:06 -!- brah [~asdofp@190.183.62.66] has quit [Read error: Operation timed out]
05:15 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
05:16 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
05:28 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
05:36 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
05:36 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
05:56 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
05:57 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
06:03 -!- darkwind [~bpayne@rrcs-70-61-50-54.central.biz.rr.com] has quit [Ping timeout: 245 seconds]
06:03 -!- darkwind [~bpayne@rrcs-70-61-50-54.central.biz.rr.com] has joined ##openvpn
06:16 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
06:17 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
06:35 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
06:36 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
06:37 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
06:45 -!- dupondje [~dupondje@d51A55126.access.telenet.be] has joined ##openvpn
06:50 < dupondje> I got a working VPN setup, to connect 2 internal networks together. This week I got an additional external IP on the VPN server, and now the VPN doesn't work when enabling the additional IP... Any idea what could cause this ?
06:50 < dupondje> it gives TLS negotiation error when 2 external IP's are active
06:51 < reiffert> !same
06:51 < vpnHelper> reiffert: Error: "same" is not a valid command.
06:51 < reiffert> !duplicate
06:51 < vpnHelper> reiffert: Error: "duplicate" is not a valid command.
06:51 < reiffert> --duplicate-cn
06:54 < dupondje> adding that will solve it ?!
06:56 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
06:56 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
06:57 -!- error404notfound [779936fc@gateway/web/freenode/ip.119.153.54.252] has joined ##openvpn
06:59 < error404notfound> I am using windows 7 and i get http://pastebin.com/MFfAhDAi when i try to connect to openvpn, i am connected but i can't ping openvpn server, my config is: http://pastebin.com/Nz1NuWSv and openvpn is force to be run as Windows 200 environment and by administrator privileges.
07:00 < error404notfound> last time i got it fixed from here by using a guys's advice, too bad i can't remember his name.
07:02 < reiffert> server config?
07:03 < error404notfound> reiffert: server config is fine, linux boxes can connect without any issues
07:03 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Operation timed out]
07:04 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
07:06 < error404notfound> i even added route-delay of 10 in client config file.
07:12 < error404notfound> its actually "TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up,  route ADD 192.168.50.0 MASK 255.255.255.0 192.168.50.17, ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct.   [if_index=13], Route addition via IPAPI failed" which is causing it.
07:13 < hyper_ch> error404notfound: why do you run it in a w2k environment?
07:14 < hyper_ch> works fine on win7
07:16 < error404notfound> i was missing "route-method exe" in config, adding that fixed it :)
07:16 -!- error404notfound [779936fc@gateway/web/freenode/ip.119.153.54.252] has quit [Quit: Page closed]
07:16 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has joined ##openvpn
07:16 < hyper_ch> whatever that is
07:23 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
07:25 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
07:43 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
07:44 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
08:04 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
08:05 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
08:05 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
08:16 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
08:17 < vpnHelper> RSS Update - forum: Configuration :: Re: "could not execute external program" (chroot-ed environm :: ... <https://forums.openvpn.net/viewtopic.php?f=6&t=7025&p=7626#p7626>
08:20 -!- simplechat_ [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
08:23 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
08:24 -!- simplechat_ [~simplecha@123-243-79-139.tpgi.com.au] has joined ##openvpn
08:24 -!- simplechat_ [~simplecha@123-243-79-139.tpgi.com.au] has quit [Changing host]
08:24 -!- simplechat_ [~simplecha@unaffiliated/simplechat] has joined ##openvpn
08:24 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
08:27 -!- simplechat_ [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
08:32 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
08:36 < kisom> major screwup weekend :(
08:37 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
08:38 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
08:40 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
08:40 -!- Irssi: ##openvpn: Total of 102 nicks [3 ops, 0 halfops, 0 voices, 99 normal]
08:43 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
08:44 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
09:02 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
09:03 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
09:10 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Operation timed out]
09:11 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
09:14 -!- ankk [58f86c43@gateway/web/freenode/ip.88.248.108.67] has joined ##openvpn
09:14 < ankk> hi
09:14 < ankk> i'm running openvpn server on linux machine
09:14 < ankk> and i can connect it successfully
09:15 < ankk> but it clients doesnt get right gateway
09:15 < ankk> in fact they doesnt get any gateway information so they cannot connect internet over remote machine
09:15 < ankk> i tried some different push lines on configuration file but they didnt change anything on client side
09:16 < ankk> what should i do?
09:17 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Operation timed out]
09:18 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
09:25 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
09:28 -!- simplechat_ [~simplecha@unaffiliated/simplechat] has joined ##openvpn
09:33 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
09:34 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
09:34 < Dougy> dazo_afk: gah
09:35 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
09:36 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Operation timed out]
09:36 < ankk> Traffic: 28.8 KB in, 896.8 MB out
09:36 < ankk> is this normal?
09:36 < ankk> in just 10-15 seconds
09:37 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
09:37 < Dougy> ankk: no
09:37 < Dougy> someone pushing a lot of andwidth?
09:37 < Dougy> bandwidth
09:37 < Dougy> the vpn itself wont do that
09:37 < ankk> it do itself
09:37 < Dougy> no way jose
09:37 < Dougy> counter must be wrong
09:37 < ankk> i'm just installing new and noone use it
09:38 < ankk> in fact i've a gateway problem
09:38 < ankk> openvpn dont put right gateway on clients
09:38 < ankk> also a detail: i'm connecting openvpn on local network
09:47 < ecrist> ankk: /topic
09:50 < ankk> ah
09:54 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
09:55 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
10:14 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
10:15 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
10:16 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
10:18 -!- miris [~Miris@ip-85-160-76-119.eurotel.cz] has joined ##openvpn
10:20 < miris> Hi guys. My VPN connection seems to be very slow. Searching the internet I discovered that I may have badly set my MTU. The highest non-fragmented value is 1472. Now I am trying to discover the way to tell my server and clients to use this value instead of the default 1500. However, whatever I set, nothing seemed to do the trick. Could someone give me a hint?
10:34 -!- SOG [~SOG@222.125.202.173] has quit [Quit: I will be back!]
10:39 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
10:40 -!- ankk [58f86c43@gateway/web/freenode/ip.88.248.108.67] has quit [Ping timeout: 252 seconds]
10:40 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
10:41 -!- miris [~Miris@ip-85-160-76-119.eurotel.cz] has quit [Quit: Leaving.]
10:54 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 246 seconds]
10:59 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
11:00 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
11:04 < picard1400> hey so i am back from last night
11:04 < picard1400> how do i set that up
11:04 < picard1400> like i said... i have my .ovpn files.... my .key files and my .crt files..
11:06 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
11:07 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
11:09 -!- Kurogane [~kuro@190.87.69.217] has joined ##openvpn
11:10 < picard1400> anyone?
11:10 < picard1400> is there a folder i put them in?
11:18 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
11:19 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
11:21 -!- Cain [~Geek@unaffiliated/cain] has quit [Quit: Sayaunara ^_^]
11:36 < picard1400> hey anyone in the channel how do i check my status
11:36 < picard1400> to see if openVPN is working?
11:38 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
11:39 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
11:39 -!- miris [~Miris@217-112-164-88.cust.avonet.cz] has joined ##openvpn
11:45 -!- miris [~Miris@217-112-164-88.cust.avonet.cz] has quit [Quit: Leaving.]
11:56 -!- Kurogane [~kuro@190.87.69.217] has quit [Read error: Connection reset by peer]
11:57 -!- Kurogane [~kuro@190.87.69.217] has joined ##openvpn
12:04 -!- simplechat_ [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:09 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has quit [Ping timeout: 260 seconds]
12:11 -!- d12fk [~heiko@vpn.astaro.de] has joined ##openvpn
12:28 -!- dupondje [~dupondje@d51A55126.access.telenet.be] has quit [Quit: Ik ga weg]
12:38 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
12:45 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
12:54 -!- miris [~Miris@217-112-164-88.cust.avonet.cz] has joined ##openvpn
12:54 < miris> Hi guys. What could be the reason why my VPN connection is too slow while my internet connection works fast enough?
13:00 < reiffert> !mtu
13:00 < vpnHelper> reiffert: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
13:01 < miris> reiffert, thanks. I actually did test my mtu and I am using tun-mtu 1472 instead of the default 1500.
13:04 < miris> From my client to the server I was able to use 1472 without defragmenting. That's why I set that value on the server and client as well.
13:05 < miris> Sorry if I am using bad terminology. I am not an IT geek.
13:14 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
13:14 -!- uyegxiuhwjeoxijw [~ftcgvybhj@89.204.153.191] has joined ##openvpn
13:16 < |Mike|> looks like spam
13:17 -!- JPeterso2 [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
13:18 < uyegxiuhwjeoxijw> Hey fella-me-lads, I have a machine A, firewalled, and I want to ssh into it. I have another machine, a server, machine B, so if I vpn them up, then I can use any other machine to join the VPN on machine B and then ssh or vnc into the machine A?
13:18 < uyegxiuhwjeoxijw> would that mean machine B has to "run" the VPN?
13:19 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Ping timeout: 272 seconds]
13:19 -!- dupondje [~dupondje@d54C014E8.access.telenet.be] has joined ##openvpn
13:20 < dupondje> I got a working VPN setup, to connect 2 internal networks together. This week I got an additional external IP on the VPN server, and now the VPN doesn't work when enabling the additional IP... Any idea what could cause this ?
13:21 -!- JPeterso2 is now known as JPeterson
13:30 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
13:40 -!- brah [~asdofp@190.183.62.66] has joined ##openvpn
13:40 -!- brah is now known as Guest35468
13:40 -!- Guest35468 [~asdofp@190.183.62.66] has quit [Client Quit]
13:41 -!- asdfl [~asdofp@190.183.62.66] has joined ##openvpn
13:44 -!- asdfl [~asdofp@190.183.62.66] has quit [Client Quit]
13:45 -!- brah [~asdofp@190.183.62.66] has joined ##openvpn
13:51 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
14:05 -!- uyegxiuhwjeoxijw [~ftcgvybhj@89.204.153.191] has quit [Ping timeout: 240 seconds]
14:07 < kisom> hey guys
14:31 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has joined ##openvpn
14:38 -!- miris [~Miris@217-112-164-88.cust.avonet.cz] has left ##openvpn []
14:45 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- IRC with a difference]
15:00  * Dougy pokes dazo_afk with a cattle prod
15:02 -!- dupondje [~dupondje@d54C014E8.access.telenet.be] has quit [Read error: Connection reset by peer]
15:05 -!- dupondje [~dupondje@d54C014E8.access.telenet.be] has joined ##openvpn
15:09 -!- Davidian1024 [~Davidian1@cpe-98-27-192-193.neo.res.rr.com] has joined ##openvpn
15:11 < Davidian1024> hello, i have an openvpn issue, i was hoping i could get some help with
15:12 < Bushmills> !firewall
15:12 < vpnHelper> Bushmills: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
15:12 < Davidian1024> basically this error is my issue:
15:13 < Davidian1024> Sun Aug 22 12:50:10 2010 RESOLVE: Cannot resolve host address: hostname: [HOST_NOT_FOUND] The specified host is unknown.
15:14 < Davidian1024> what's confusing to me is that i can resolve the "hostname" fine
15:14 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
15:14 < Davidian1024> only openvpn can't
15:14 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has quit [Quit: Leaving]
15:14 < Davidian1024> if i give it the IP address it works fine
15:19 < Dougy> !configs
15:19 < vpnHelper> Dougy: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
15:21 < Davidian1024> the configs involved are super simple
15:22 < Davidian1024> here's the client: http://pastebin.com/AcH2tSaV
15:24 < Davidian1024> and the server: http://pastebin.com/1uv14RTp
15:25 < Davidian1024> when i set remote to the IP the client is able to connect
15:25 < Davidian1024> when i use a hostname i get the error about not being able to resolve
15:26 < Davidian1024> which makes no sense to me because i can get the ip resolved with stuff like ping, dig, etc...
15:29 < Bushmills> strange that it works with "xxx.xxx.." as ip address,  because that's not a legal ip address. try to use a full hostname, like hostname.domain.tld
15:31 < Davidian1024> ok, i just replaced those because i'm being paranoid
15:31 < Davidian1024> the hostname is sblair.endofinternet.net
15:31 < Bushmills> try to write it without double quotes
15:32 < Davidian1024> and the ip is 99.189.185.198
15:32 < Davidian1024> i didn't actually have double quotes
15:33 -!- Cain [~Geek@unaffiliated/cain] has quit [Quit: Sayaunara ^_^]
15:42 < Davidian1024> geez i feel dumb
15:42 < Davidian1024> i had a type in the hostname
15:42 < Davidian1024> i was so sure i had it right
15:44 -!- manevra [manevra@95.154.230.54] has joined ##openvpn
15:56 -!- dupondje [~dupondje@d54C014E8.access.telenet.be] has quit [Ping timeout: 255 seconds]
15:57 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
16:02 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
16:15 -!- takamichi [~pri@pm303-98-27.keyworld.net] has quit [Ping timeout: 252 seconds]
16:17 -!- takamichi [~pri@pm303-98-27.keyworld.net] has joined ##openvpn
16:18 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:21 < Bushmills> strange, i checked, and "hostname" was written correctly
16:49 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
17:10 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
17:31 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has quit [Ping timeout: 252 seconds]
17:41 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
17:54 -!- manevra [manevra@95.154.230.54] has quit [Quit: Leaving]
18:02 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has joined ##openvpn
18:05 -!- agagag_ [~anton@eudaimonia.goto10.org] has joined ##openvpn
18:05 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Ping timeout: 246 seconds]
18:05 -!- jwm [jwm@74.208.185.36] has quit [Ping timeout: 246 seconds]
18:07 -!- jwm [jwm@74.208.185.36] has joined ##openvpn
18:25 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has joined ##openvpn
18:45 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has quit [Quit: Leaving.]
19:10 -!- Davidian1024 [~Davidian1@cpe-98-27-192-193.neo.res.rr.com] has left ##openvpn []
19:45 -!- Netsplit *.net <-> *.split quits: RedShift
20:18 -!- in^ [~chatzilla@unaffiliated/in/x-7550183] has joined ##openvpn
20:18 < in^> "OpenVPN 2.1 requires '--script-security 2' or higher" Any ideas?
20:21 < ecrist> yeah, if you're going to execute external scripts, add --script-security 2 or higher to your config
20:21 < ecrist> !script-security
20:21 < vpnHelper> ecrist: Error: "script-security" is not a valid command.
20:21 < ecrist> !search script*
20:21 < vpnHelper> ecrist: There were no matching configuration variables.
20:22 < ecrist> !factoids search script*
20:22 < vpnHelper> ecrist: "script" is see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn
20:30 -!- selmoatse [selmo200@otaku.freeshell.org] has joined ##openvpn
20:32 -!- selmoatse [selmo200@otaku.freeshell.org] has quit [Client Quit]
20:47 < in^> k
20:57 < in^> addes script-security 2 to my server config... still getting an error
20:57 < in^> Options error: Unrecognized option or missing parameter(s) in /Users/daflores/config/server.ovpn:22: script-secuity (2.1.1)
20:58 -!- fahmad [~linux@unaffiliated/fahmad] has joined ##openvpn
20:58 < fahmad> hello
20:58 < fahmad> every one
20:58 < fahmad> can some one tell me is there any way to assign more then one ip pool in server configuration of openvpn 
20:59 < fahmad> server 172.16.1.0 255.255.255.0 and server 172.16.2.0 255.255.255.0
20:59 < fahmad> but i tried it will only pick 172.16.2.1 in tun0
21:05 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has quit [Quit: Leaving]
21:11 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has quit []
21:23 < vpnHelper> RSS Update - forum: Configuration :: Re: "could not execute external program" (chroot-ed environm :: ... <https://forums.openvpn.net/viewtopic.php?f=6&t=7025&p=7627#p7627>
21:25  * ecrist tries hard to avoid blowing up his mail server
21:26 < Dougy> lol
21:26 < Dougy> how would you do that
21:26 < ecrist> I'm setting up sieve
21:26 < Dougy> sieve
21:26 < Dougy> ?
21:27 < fahmad> can any one give me an idea how can i give multiple ip ranges to openvpn clients 
21:27 < Dougy> why do you want to do that
21:27 < fahmad> e.g. 172.16.0.1, 172.16.1.1 ...
21:27 < fahmad> well i have many clients ...
21:28 < Dougy> do you mean
21:28 < Dougy> like
21:28 < Dougy> have more then 255 usable ips in the vpn?
21:28 < Dougy> or do you mean give like 10 ips to each end user
21:28 < fahmad> and you know only 63 users can connect using openvpn ...
21:28 < Dougy> only 63 can?
21:28  * Dougy doesnt know 
21:28  * Dougy never had that many
21:28 < fahmad> 5 6 will be assianged to client ...
21:28 < fahmad> windows ...
21:28 < fahmad> i am using dynamic ip assignment 
21:29 < Dougy> ecrist: do you know what this guy is asking?
21:29 < Dougy> it doesnt make sense to me
21:29 < fahmad> when ever client tries to connect to openvpn 
21:29 < fahmad> it will use ip/30
21:30 < fahmad> which means user will use 4 ips ...
21:30 < fahmad> 2 for server and 2 for client :$
21:30 < fahmad> can i paste my configuration ?
21:31 < fahmad> when i run openvpn --show-valid-subnets then i get like this [  1,  2] [  5,  6] [  9, 10] [ 13, 14] [ 17, 18]
21:31 < fahmad> which means i can not use 1,2 which is assigned to tun0 at server side
21:32 < fahmad> i can use 5, 6
21:32 < fahmad> 5 will be gateway for client and 6 is the client ip address
21:36 < fahmad> any idea ?
21:39 < vpnHelper> RSS Update - forum: Configuration :: Re: "could not execute external program" (chroot-ed environm :: ... <https://forums.openvpn.net/viewtopic.php?f=6&t=7025&p=7628#p7628>
21:45 < ecrist> fahmad: you can change that behavior in 2.1
21:45 < ecrist> !/30
21:45 < vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
21:50 < in^> "Cannot allocate TUN/TAP dev dynamically"..... any ideas?
21:58 -!- in^ [~chatzilla@unaffiliated/in/x-7550183] has left ##openvpn []
22:46  * Dougy rubs chin
22:47 < Dougy> ohh thats what fahmad wanted
23:19 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
--- Day changed Mon Aug 23 2010
00:08 -!- RedShift [~glenn@apollo.webmind.be] has joined ##openvpn
01:07 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:07 -!- mode/##openvpn [+o mattock] by ChanServ
01:08 -!- hix-3 [~tommy@fu/infra/hix-nix] has quit [Remote host closed the connection]
02:06 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Ping timeout: 255 seconds]
02:07 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
02:11 < fahmad> !topology
02:11 < vpnHelper> fahmad: "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
02:39 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
02:48 -!- Kurogane [~kuro@190.87.69.217] has quit [Remote host closed the connection]
02:49 -!- Netsplit *.net <-> *.split quits: tessier, Meliorator, naquad, meepmeep
02:52 < vpnHelper> RSS Update - forum: Configuration :: Re: MULTI: bad source address from client :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7015&p=7629#p7629> || Installation Help :: Re: can't see server machine after running bridge start scri :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=5&t=7020&p=7630#p7630>
02:57 -!- Netsplit over, joins: Meliorator
03:00 -!- naquad [~naquad@174.142.224.219] has joined ##openvpn
03:00 -!- tessier [~treed@kernel-panic/copilotco] has joined ##openvpn
03:00 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
03:08 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
03:14 -!- hid3 [~tst@lan-78-157-71-116.vln.skynet.lt] has joined ##openvpn
03:15 < hid3> Hello everyone. When I'm starting my openvpn daemon, I get this warning message to console: WARN: could not open database for 384 bits. Skipped
03:15 < hid3> What's wrong?
03:16 < hid3> (BTW< I've re-generated the RSA keys to be 384 bits instead of 1024 but everything seemed to work nice until I had my system rebooted a few days ago)
03:21 < hid3> Any ideas?
03:29 -!- Dougy [me@208.99.80.128] has quit [Read error: Connection reset by peer]
03:30 -!- Dougy [~doug@208.99.80.128] has joined ##openvpn
03:35 < reiffert> hid3: restore your backup.
03:37 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: Homebrew Web Interface to manage users/certificates etc :: ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7013&p=7631#p7631>
03:42 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has quit [Ping timeout: 240 seconds]
03:43 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has joined ##openvpn
03:50 < hid3> reiffert: why should I? I don't make/have any backups, it's trivial.
03:50 < hyper_ch> you don't make backups?
03:50 < reiffert> problem solved. next.
03:51 < hid3> no, I don't
03:51 < hyper_ch> that's stupid
03:51 < hid3> why? it wastes your space
03:51 < hyper_ch> q.e.d.
03:52 < hid3> yeah.
03:52 < hid3> during my work experience (10+ years) I have never had to restore any backups
03:53 < hid3> Well, all I had to do was to touch /usr/share/...../blacklist.RSA-384
03:53 < hid3> So much of your backups and support stuff...
03:54 < hid3> Thanks. Problem solved. Next.
03:55 < reiffert> hid3: this file is not part of openvpn.
04:01 < vpnHelper> RSS Update - forum: Server Administration :: Re: OpenVPN-GUI registry entries on Windows 7 Pro :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7002&p=7632#p7632>
04:03 < kisom> hid3: Why 384 bit RSA?
04:04 < kisom> Want your keys to get factored?
04:14 -!- laieman_ [~elsn@global-se-vxj-91-198-48-25.static.host.s9.se] has quit [Read error: Connection reset by peer]
04:25 < vpnHelper> RSS Update - forum: Installation Help :: Re: Problem with TAP-Driver in 2.1.2 on Win7 x64 :: Reply by Intruder73 <https://forums.openvpn.net/viewtopic.php?f=5&t=7014&p=7633#p7633>
04:31 < vpnHelper> RSS Update - forum: Installation Help :: Re: TAP adapter won't install on Windows Server 2008 :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=5&t=7011&p=7634#p7634>
05:29 -!- AbyBeats [~AbyBeats@117.206.32.84] has joined ##openvpn
05:29 < AbyBeats> !welcome
05:29 < vpnHelper> AbyBeats: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:30 < AbyBeats> !howto
05:30 < vpnHelper> AbyBeats: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:08 < kraut> moin
06:36 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:44 < reiffert> moin kraut
07:23 -!- dazo_afk is now known as dazo
07:26 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
07:29 -!- Gud_ [~erik@78-70-22-214-no94.business.telia.com] has joined ##openvpn
07:29 -!- Gud [~erik@78-70-22-214-no94.business.telia.com] has quit [Read error: Connection reset by peer]
07:38 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
07:43 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
07:52 -!- gorkhaan [~gorkhaan@54033E6D.catv.pool.telekom.hu] has joined ##openvpn
08:13 -!- SOG [~SOG@222.125.202.173] has quit [Remote host closed the connection]
08:14 -!- SOG [~SOG@n1192365024.netvigator.com] has joined ##openvpn
08:46 -!- mrak [~mrak@248.217.broadband14.iol.cz] has joined ##openvpn
08:59 -!- SOG [~SOG@n1192365024.netvigator.com] has quit [Ping timeout: 240 seconds]
09:02 < vpnHelper> RSS Update - forum: Configuration :: Re: "could not execute external program" (chroot-ed environm :: ... <https://forums.openvpn.net/viewtopic.php?f=6&t=7025&p=7636#p7636>
09:04 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
09:28 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:29 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
09:31 -!- in^ [~chatzilla@unaffiliated/in/x-7550183] has joined ##openvpn
09:34 -!- in^ [~chatzilla@unaffiliated/in/x-7550183] has quit [Remote host closed the connection]
09:34 -!- in^ [~chatzilla@unaffiliated/in/x-7550183] has joined ##openvpn
09:35 -!- SOG [~SOG@222.125.202.173] has quit [Remote host closed the connection]
09:35 -!- SOG [~SOG@n1192365024.netvigator.com] has joined ##openvpn
09:35 < in^> "Cannot allocate TUN/TAP dev dynamically" any ideas?
09:54 -!- SOG [~SOG@n1192365024.netvigator.com] has quit [Ping timeout: 265 seconds]
09:58 <@dazo> Dougy: you pinged?
09:59 < Dougy> dazo: 
09:59 < Dougy> wow
09:59 < Dougy> i have good freakin timing
09:59 < Dougy> i was like i wonder if dazo is there, and i attached to this screen session
09:59 <@dazo> heh
09:59  * dazo sensed it
09:59  * Dougy win
09:59 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
09:59 < Dougy> dazo: you pm'd me
09:59 <@dazo> Dougy: ahh true!
10:07 -!- SOG [~SOG@222.125.202.173] has quit [Quit: I will be back!]
10:11 < in^> how do I create a TUN interface on OS X?
10:13 < ecrist> !mac
10:13 < vpnHelper> ecrist: "mac" is Use Tunnelblick for the Mac. (http://code.google.com/p/tunnelblick/)
10:14 < in^> Tunnelblick is client only, no?
10:15 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
10:15 < in^> I'm trying to run openvpn as a server on OS X
10:16 < Dougy> hi eric
10:19 -!- mrak [~mrak@248.217.broadband14.iol.cz] has quit [Quit: Leaving]
10:19 < vpnHelper> RSS Update - forum: Configuration :: first time in OpenVPN can't make the connection :: Author Teo <https://forums.openvpn.net/viewtopic.php?f=6&t=7027&p=7635#p7635>
10:21 -!- SlayerXP [~martin@olga.hinterlands.org] has joined ##openvpn
10:24 < SlayerXP> hello.  does any version of openvpn support the dhcp "code 119" option to get around windows (and macs it seems) not handling multiple search domains?
10:24 < SlayerXP> windows 7 allegedly handles code 119, but only if openvpn presents it as an option
10:26 < in^> ahhhh opened Tunnelblick... then ran server config from command line... success!
10:26 < in^> @vpnHelper thanks for the trigger... I appreciate you! 
10:29 -!- in^ [~chatzilla@unaffiliated/in/x-7550183] has quit [Remote host closed the connection]
10:36 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Ping timeout: 240 seconds]
10:37 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
11:16 -!- manevra [manevra@67-231-254-22.turnkeyinternet.net] has joined ##openvpn
11:18 -!- funkyHat [~m@funkyhat.org] has quit [Ping timeout: 276 seconds]
11:20 -!- funkyHat [~m@cpc1-nrte3-0-0-cust308.8-4.cable.virginmedia.com] has joined ##openvpn
11:25 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:29 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:31 -!- funkyHat [~m@cpc1-nrte3-0-0-cust308.8-4.cable.virginmedia.com] has quit [Ping timeout: 272 seconds]
11:32 -!- funkyHat [~m@funkyhat.org] has joined ##openvpn
11:55 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has joined ##openvpn
12:02 -!- in^ [~chatzilla@unaffiliated/in/x-7550183] has joined ##openvpn
12:03 < in^> is push "route 192.168.20.0 255.255.255.0" in my server config enough to allow clients access to the subnet or am i missing something?
12:13 < ecrist> should be, provided that subnet knows how to route to the vpn clients.
12:16 < in^> is that something I would setup on that subnets router?
12:16 < ecrist> yes
12:17 < in^> so I would have to setup a staic route back to the vpn servers tun adapter ipaddress?
12:18 < ecrist> yes
12:18 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
12:18 < ecrist> well, back to the local ethernet interface for the openvpn server
12:18 < ecrist> you can only route to your next hop.
12:18 < in^> ahhh
12:18 < in^> gotcha
12:18 < in^> lemme give it a try
12:27 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
12:29 < SlayerXP> hello.  any thoughts on my question above?
12:37 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined ##openvpn
12:43 -!- krzee [krzee@joogot.noskills.net] has joined ##openvpn
12:44 -!- krzee [krzee@joogot.noskills.net] has quit [Changing host]
12:44 -!- krzee [krzee@unaffiliated/krzee] has joined ##openvpn
12:48 < ecrist> SlayerXP: tunnelblick can handle some things in regards to DNS, but I don't think anything works with with code 119
12:48 < ecrist> it's been a beef of mine, as well.
12:48 < in^> anything on an OS X openvpn sever that could be hindering me connecting to resources behind vpn? clients are connecting but not able to connect to local resources
12:49 < SlayerXP> ecrist: thanks
12:50 -!- notbrien_ [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
12:52 -!- notbrien_ [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Remote host closed the connection]
12:53 < ecrist> in^: define 'local resources'
12:53 -!- notbrien_ [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has joined ##openvpn
12:53 < in^> host machines, printers on lan subnet
12:54 -!- notbrien_ [~notbrien@2002:453c:10f2:0:5ab0:35ff:fe80:9b4b] has quit [Remote host closed the connection]
12:54 < in^> can't ping them, ftp, smb etc...
12:54 < ecrist> return routing would be my guess, or firewall
12:54 < |Mike|> pkill -HUP irssi
12:54 < |Mike|> err
12:55 < in^> firewall is off for testing... static route on router in place....
12:55 < in^> i can't even ping the lan ip address of the vpn server
12:56 < ecrist> in^: go to a machine on the lan with other 'local resources' and try a traceroute to the vpn
12:56 < ecrist> see what happens
12:57 < in^> k
12:58 < krzee> in^, could also be ip forwarding, in osX that is a sysctl
13:01 < in^> traceroute hopped right through router
13:02 < in^> i think it is a ip forwarding issue on OS X
13:07 < ecrist> do you have ip forwarding enabled?
13:08 < in^> just now checking how to do that....
13:08 < ecrist> sysctl net.inet.ip.forwarding=1
13:08 < ecrist> may need a sudo in there.
13:09 < in^> that did the trick...
13:09 < in^> you guys ROCK!
13:14 < in^> be right back from my vpn connection!
13:14 -!- in^ [~chatzilla@unaffiliated/in/x-7550183] has left ##openvpn []
13:17 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
13:21 -!- AbyBeats [~AbyBeats@117.206.32.84] has quit []
13:26 -!- picard1400_ [~chatzilla@ip70-181-112-218.oc.oc.cox.net] has joined ##openvpn
13:27 -!- picard1400 [~chatzilla@ip70-181-112-218.oc.oc.cox.net] has quit [Read error: Connection reset by peer]
13:27 -!- picard1400_ is now known as picard1400
13:34 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
13:50 -!- Chosi [osxchosi@choseh.de] has quit [Read error: Operation timed out]
13:56 -!- picard1400 [~chatzilla@ip70-181-112-218.oc.oc.cox.net] has quit [Read error: Connection reset by peer]
13:56 -!- picard1400 [~chatzilla@ip70-181-112-218.oc.oc.cox.net] has joined ##openvpn
13:58 -!- Chosi [osxchosi@choseh.de] has joined ##openvpn
14:03 -!- Chosi [osxchosi@choseh.de] has quit [Ping timeout: 272 seconds]
14:03 -!- Chosi [osxchosi@choseh.de] has joined ##openvpn
14:08 -!- Chosi [osxchosi@choseh.de] has quit [Ping timeout: 272 seconds]
14:16 -!- Chosi [osxchosi@choseh.de] has joined ##openvpn
14:16 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
14:23 -!- Typone [~nnnnnnnit@195.197.184.87] has quit [Excess Flood]
14:25 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Read error: Operation timed out]
14:25 -!- Typone [~nnnnnnnit@195.197.184.87] has joined ##openvpn
14:26 -!- Chosi [osxchosi@choseh.de] has quit [Ping timeout: 276 seconds]
14:31 -!- Chosi [fitchosi@choseh.de] has joined ##openvpn
14:42 -!- ponty [~ponty@84-72-228-194.dclient.hispeed.ch] has joined ##openvpn
14:43 -!- Chosi [fitchosi@choseh.de] has quit [Ping timeout: 240 seconds]
14:46 < ponty> hi. i have a problem with auth-user-pass. i made a file containing "user/pass" but it says " Sorry, 'Auth' password cannot be read from a file" . anybody knows what i made wrong. according to the manpage this should work
14:47 -!- krzee [krzee@unaffiliated/krzee] has quit [Read error: Connection reset by peer]
14:49 <@dazo> ponty: make sure the file is accessible for the user running openvpn ... try using full path to the file ... use --verb 6 to see more details, which might give you some more clues
14:52 < ponty> i made the file 777 and verb 6 doesnt tell me more then the sentence above
14:54 < Dougy> hello dazo
14:59 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
15:05 -!- Chosi [osxchosi@choseh.de] has joined ##openvpn
15:14 -!- ponty [~ponty@84-72-228-194.dclient.hispeed.ch] has quit [Ping timeout: 258 seconds]
15:16 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
15:16 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
15:16 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
15:17 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
15:24 <@dazo> Dougy: hi!
15:24 < Dougy> hi
15:24 < Dougy> O.O
15:24 < Dougy> i just opened this to see if oyu answered
15:24 < Dougy> thats twice now
15:24 < Dougy> creepy
15:24 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 240 seconds]
15:24 <@dazo> heh ... well, you were lucky ... as I'm just about to leave work :)
15:25 < Dougy> ah
15:25 < Dougy> you only come online here at work?
15:25 <@dazo> mostly ... and I'm in Europe, so I'm just working late today 
15:26 < Dougy> who do you work for
15:26 <@dazo> Red Hat
15:28  * dazo decides to head home :)
15:28 <@dazo> c'yall!
15:29 -!- [intra]lanman [~lanman@va-67-76-163-226.sta.embarqhsd.net] has joined ##openvpn
15:29 -!- [intra]lanman [~lanman@va-67-76-163-226.sta.embarqhsd.net] has quit [Changing host]
15:29 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
15:29 -!- dazo is now known as dazo_afk
15:29 -!- ponty [~ponty@80.74.157.216] has joined ##openvpn
15:31 < Dougy> red hat
15:31 < Dougy> yuck
15:31 < Dougy> see ya dazo
15:34 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 272 seconds]
15:36 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 258 seconds]
15:42 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
15:45 -!- manevra [manevra@67-231-254-22.turnkeyinternet.net] has quit [Quit: Leaving]
15:53 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
15:57 -!- gorkhaan [~gorkhaan@54033E6D.catv.pool.telekom.hu] has quit [Quit: Távozom]
16:03 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
16:04 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
16:05 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
16:05 -!- cofffee [~quassel@c-76-26-209-236.hsd1.sc.comcast.net] has joined ##openvpn
16:06 < cofffee> !welcome
16:06 < vpnHelper> cofffee: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:09 < vpnHelper> RSS Update - forum: Server Administration :: OpenVPN with Windows 2008 x64 R2 :: Author cyres <https://forums.openvpn.net/viewtopic.php?f=4&t=7029&p=7638#p7638> || Configuration :: Routing / IP-Tables problem :: Author suisse <https://forums.openvpn.net/viewtopic.php?f=6&t=7031&p=7640#p7640>
16:16 < cofffee> Any obvious reason a client won't/can't get an IP from a DHCP server on the same host as the openvpn server?  the same-host DHCP server is known to work, and the client will successfully from different DHCP server on the subnet (router, when enabled)...
16:16 < cofffee> perhaps a dhcp3 config issue?
16:28 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
16:33 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 258 seconds]
16:34 < Dougy> http://openvpn.net/archive/openvpn-users/2005-11/msg00266.html may help
16:34 < vpnHelper> Title: [Openvpn-users] External DHCP server (at openvpn.net)
16:41 -!- ponty [~ponty@80.74.157.216] has quit [Quit: ponty]
16:41 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
16:43 -!- takamichi [~pri@pm303-98-27.keyworld.net] has quit [Ping timeout: 276 seconds]
16:44 -!- takamichi [~pri@pm303-98-27.keyworld.net] has joined ##openvpn
16:48 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 252 seconds]
16:50 -!- takamichi [~pri@pm303-98-27.keyworld.net] has quit [Ping timeout: 276 seconds]
16:50 -!- takamichi [~pri@pm303-98-27.keyworld.net] has joined ##openvpn
16:54 -!- star314 [~star314@starnet1.sinh.us] has joined ##openvpn
16:56 -!- takamichi [~pri@pm303-98-27.keyworld.net] has quit [Read error: Connection reset by peer]
16:56 -!- takamichi [~pri@pm303-98-27.keyworld.net] has joined ##openvpn
16:57 < cofffee> I don't think thats it... it works fine if (client gets IP) if I leave router dhcp enabled
16:57 < cofffee> which means dhcp requests/answers do work through the bridge...
17:01 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
17:02 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Excess Flood]
17:08 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
17:26 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.8/20100722155716]]
17:30 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:35 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
17:47 -!- nat2610_ [~nfelsen@adsl-99-185-243-218.dsl.pltn13.sbcglobal.net] has quit [Read error: Connection reset by peer]
17:51 -!- star314 [~star314@starnet1.sinh.us] has quit [Quit: Leaving]
18:04 -!- notbrien_ [~notbrien@2002:453c:10f2:0:5ab0:35ff:fef5:7a5f] has joined ##openvpn
18:04 -!- Davidian1024 [~Davidian1@cpe-98-27-192-193.neo.res.rr.com] has joined ##openvpn
18:07 -!- notbrien_ is now known as notbrien
18:30 -!- Kage [~chuck@unaffiliated/kage] has joined ##openvpn
18:31 < Kage> Hey.  How do I get the cert from the server?
18:34 -!- cofffee [~quassel@c-76-26-209-236.hsd1.sc.comcast.net] has quit [Read error: Connection reset by peer]
18:43 -!- Kage [~chuck@unaffiliated/kage] has quit [Read error: Connection reset by peer]
18:44 -!- Kage [~chuck@h52.40.16.98.dynamic.ip.windstream.net] has joined ##openvpn
18:44 -!- Kage [~chuck@h52.40.16.98.dynamic.ip.windstream.net] has quit [Changing host]
18:44 -!- Kage [~chuck@unaffiliated/kage] has joined ##openvpn
18:46 < Kage> ???
19:16 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
19:20 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
19:25 -!- e1ven [~Cdavis@pool-173-76-239-123.bstnma.fios.verizon.net] has joined ##openvpn
19:25 < e1ven> Is there a guide or list of settings, to set up an OpenVPN server to use RSA SecureID Keyfobs? I 
19:26 -!- KageJittai [~chuck@h52.40.16.98.dynamic.ip.windstream.net] has joined ##openvpn
19:26 -!- Kage [~chuck@unaffiliated/kage] has quit [Ping timeout: 240 seconds]
19:26 -!- KageJittai is now known as Kage
20:04 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
20:17 -!- KageJittai [~chuck@8.2.122.52] has joined ##openvpn
20:17 -!- Kage [~chuck@h52.40.16.98.dynamic.ip.windstream.net] has quit [Ping timeout: 260 seconds]
20:46 -!- Serideru [~GTWebster@69-92-242-72.cpe.cableone.net] has joined ##openvpn
20:48 < Dougy> e1ven: let me look
20:50 < Dougy> e1ven: there?
20:50 < e1ven> I am.
20:50 < Dougy> http://readlist.com/lists/lists.sourceforge.net/openvpn-users/0/1615.html
20:50 < vpnHelper> Title: Openvpn and SecurID - ReadList.com (at readlist.com)
20:50 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 272 seconds]
20:52 < e1ven> Dougy- Thanks.. I don't like thdiea of using the same session key for the whole thing, but I can if I need to.
20:52 < Dougy> looks like PAM might help
20:52 < Dougy> i have never worked with rsa in my time
20:52 < Dougy> rsa securid that is
20:52 < e1ven> Boss wants 2-factor auth.
20:52 < Dougy> nice
20:52 < Dougy> http://openvpn.net/archive/openvpn-users/2007-01/msg00236.html
20:52 < vpnHelper> Title: [Openvpn-users] OpenVPN + SecurID OTP PAM Issues (at openvpn.net)
20:52 < Dougy> im honestly not readin it
20:53 < Dougy> its just whatl ooks like it could be useful
20:53 < e1ven> I'd just use the IPSEC VPN built into my ASAs, but.. ;)
20:55 < Dougy> why not use it
20:56 < e1ven> The ASA IPsec doesn't support the external Auth I'd need.
20:56 < vpnHelper> RSS Update - forum: Scripting and Customizations :: MAC Set Up :: Author taz101 <https://forums.openvpn.net/viewtopic.php?f=15&t=7032&p=7642#p7642> || Wishlist :: Re: Compiling OpenVPN v2.1.2 with enable-password-save optio :: Reply by ian darke <https://forums.openvpn.net/viewtopic.php?f=10&t=7023&p=7641#p7641>
21:06 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
21:15 -!- KageJittai [~chuck@8.2.122.52] has left ##openvpn ["Konversation terminated!"]
21:22 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
21:45 -!- Serideru [~GTWebster@69-92-242-72.cpe.cableone.net] has quit [Ping timeout: 264 seconds]
22:02 < vpnHelper> RSS Update - forum: Wishlist :: Re: Compiling OpenVPN v2.1.2 with enable-password-save optio :: Reply by Zero3K <https://forums.openvpn.net/viewtopic.php?f=10&t=7023&p=7644#p7644>
22:20 < vpnHelper> RSS Update - forum: Server Administration :: Re: Issues with the new 2.1.2 client and driver signature. ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7019&p=7643#p7643>
22:35 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Remote host closed the connection]
22:40 -!- fahmad [~linux@unaffiliated/fahmad] has joined ##openvpn
--- Day changed Tue Aug 24 2010
00:31 -!- Netsplit *.net <-> *.split quits: LowKey, Cain, rasengan
00:32 -!- Netsplit over, joins: LowKey, rasengan
00:33 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
00:33 -!- mode/##openvpn [+o mattock] by ChanServ
00:35 -!- Cain [~Geek@41.141.252.98] has joined ##openvpn
00:36 -!- Cain [~Geek@41.141.252.98] has quit [Changing host]
00:36 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
00:54 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:37 -!- picard1400 [~chatzilla@ip70-181-112-218.oc.oc.cox.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.3/20100401080539]]
02:00 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
02:16 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
02:25 < fahmad> hey
02:25 < fahmad> can some one tell me how can i connect more then 100 clients to single openvpn server
02:27 < |Mike|> !howto
02:27 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:27 < |Mike|> there ya go
02:28 < fahmad> ok
02:37 < kraut> moin
02:39 < reiffert> |Mike|: guess that the howto will end up in 64 simultaneous client connections.
02:39 < reiffert> 63
02:42 < fahmad> humm
02:42 < fahmad> yes
02:43 < fahmad> 1 2 is reserved by server
02:49 -!- dazo_afk is now known as dazo
03:06 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
03:08 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
03:11 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
03:26 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
04:28 -!- Gud_ [~erik@78-70-22-214-no94.business.telia.com] has quit [Read error: Connection reset by peer]
04:28 -!- Gud [~erik@78-70-22-214-no94.business.telia.com] has joined ##openvpn
04:39 -!- Netsplit *.net <-> *.split quits: Gud, tessier, jpalmer, naquad, meepmeep, Diffen2
04:40 -!- Netsplit over, joins: Gud, Diffen2, jpalmer, naquad, tessier, meepmeep
04:43 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:48 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
04:55 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 252 seconds]
05:00 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
05:07 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
05:12 -!- Utopic [~Blau@213.148.194.16] has joined ##openvpn
05:12 < Utopic> hi all
05:12 < hyper_ch> hi single one
05:13 < Utopic> lol
05:13 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
05:13 < Utopic> I've setup an openvpn, and both server and client can't ping each other
05:13 < Utopic> but I can't reach the other machines of the network behind the openvpn server
05:13 < Utopic> as far as I know, the routes are ok
05:14 < hyper_ch> pinging does work or does not work?
05:14 < hyper_ch> !bridge
05:14 < vpnHelper> hyper_ch: "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc, or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ, or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man)
05:14 < Utopic> ping to the server, it works
05:14 < Utopic> shold I setup a bridge?
05:14 < hyper_ch> !tunortap
05:14 < Utopic> should
05:14 < vpnHelper> hyper_ch: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
05:14 < vpnHelper> hyper_ch: against you over the vpn, or (#4) lan gaming? use tap!
05:15 < hyper_ch> depends what you want to do
05:15 < Utopic> bridge is for broadcasting and others, I don't need it by now
05:15 < Utopic> I can ping from client to server and vice-versa
05:16 < hyper_ch> so what does not work?
05:20 < Utopic> ping machines behind the openvpn server
05:21 -!- d12fk [~heiko@vpn.astaro.de] has quit [Remote host closed the connection]
05:21 < Utopic> and from the network behind openvpn and clients
05:22 < hyper_ch> tough question
05:22 < hyper_ch> I leave that to the smart people
05:23 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined ##openvpn
05:25 < Utopic> this are my routes: http://pastebin.ca/1924104
05:25 < Utopic> and some pings
05:36 < Utopic> ok, solved
05:36 < Utopic> the problem was that the openvpn server is inside an openvz and there's some trick I should do
05:38 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
05:41 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
05:45 -!- Utopic [~Blau@213.148.194.16] has left ##openvpn ["Me'n vaig"]
05:45 -!- Utopic [~Blau@213.148.194.16] has joined ##openvpn
05:46 < Utopic> ops
05:47 -!- Chaze [~Chase@dslb-092-072-136-150.pools.arcor-ip.net] has joined ##openvpn
05:47 < Chaze> hey! I'm running an openvpn windows client here, but i can't remember it's actual name - and i can't find a download. here's a screenshot
05:47 < Chaze> http://dl.dropbox.com/u/1293419/ovpnclient.png
05:50 < Utopic> is there any other way to enable dns lookups over openvpn than redirecting _all_ trafic to openvpn server?
05:52 < hyper_ch> iptables make port 53 using a specific ip address for outoing maybe?
05:58 < Utopic> don't think so
05:59 < Chaze> !nat
05:59 < vpnHelper> Chaze: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
05:59 < Chaze> !linnat
05:59 < vpnHelper> Chaze: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
06:00 < Chaze> what do i do about nat when i have no static IP?
06:00 < Chaze> can i put a domain there?
06:01 < Chaze> what i want to do: set up a VPN endpoint on my home machine that lets me connect to the internet
06:02 < Chaze> but it's behind a gateway itself (my router)
06:13 < Chaze> ..my theory is, that i have to put my local ip (in this case something like 192.168.2.10) there. can anyone confirm this?
06:35 < takamichi> Im running about 12 ovpn instances on a single machine - Is there a way to put the .conf files into directories to organize things a bit better?
06:43 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
06:45 -!- kyrix [~ashley@mail.ic-vienna.at] has joined ##openvpn
06:55 -!- star314 [~star314@beigelbeck-nb.isas.tuwien.ac.at] has joined ##openvpn
07:11 -!- SlayerXP [~martin@olga.hinterlands.org] has left ##openvpn ["Leaving"]
07:12 -!- batrick [~batrick@batbytes.com] has quit [Ping timeout: 258 seconds]
07:31 -!- batrick [~batrick@batbytes.com] has joined ##openvpn
07:36 -!- star314 [~star314@beigelbeck-nb.isas.tuwien.ac.at] has quit [Quit: Leaving]
07:37 -!- Utopic [~Blau@213.148.194.16] has quit [Quit: Me'n vaig]
07:53 -!- Overlord [~Overlord@ka17185.dedidemon.com] has joined ##openvpn
07:57 < Overlord> Hello, currently TRYING to decipher a problem I'm currently having with Openvpn connection setup. Have the server running on a W2k8 box, and using a VMWare to connect as a client to it to mask my internet travels etc. Everythings been working fine for months, now I've recently just setup an IRC server on the same box as my OpenVPN server and for whatever reason when I connect to the IRC from my VM Client (who is connecting to OpenVPN server) i
07:57 < Overlord> ts displaying MY REAL IP when I /whois. HOWEVER, when I connect to any other IRC (this one included) my OpenVPN obtained IP is in my WHOIS.
07:59 < Overlord> !welcome
07:59 < vpnHelper> Overlord: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:20 < ecrist> Overlord: because you can't route the openvpn server's own IP via the openvpn tunnel, that's going to be the case
08:20 < ecrist> however, you could put the IRC server on a different IP addess in the same subnet and push a route for that IP to the vpn, and you should be OK.
08:24 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
08:25 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
08:28 < vpnHelper> RSS Update - forum: Configuration :: Re: "could not execute external program" (chroot-ed environm :: ... <https://forums.openvpn.net/viewtopic.php?f=6&t=7025&p=7647#p7647>
08:29 < Overlord> ecrist: Ah, so it is indeed an OpenVPN rather than the IRC server software - well that narrows it down somewhat - when you say put the IRC on a different IP, how do you mean - server is on a Static IP
08:35 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:35 < ecrist> overlord, you cannot encapsulate the traffic for the server IP within the tunnel
08:36 < ecrist> so, put the IRC server on an IP on the VPN and connect to it that way
08:36 < ecrist> i.e. have the IRC server listed to both a VPN IP AND your public server IP
08:41 < vpnHelper> RSS Update - forum: Installation Help :: OpenVPN with Windows 2008 x64 R2 :: Author cyres <https://forums.openvpn.net/viewtopic.php?f=5&t=7029&p=7638#p7638> || Installation Help :: Re: OpenVPN with Windows 2008 x64 R2 :: Reply by ecrist <https://forums.openvpn.net/viewtopic.php?f=5&t=7029&p=7648#p7648>
08:47 < vpnHelper> RSS Update - forum: Server Administration :: Inet Gateway with AS :: Author VampireD <https://forums.openvpn.net/viewtopic.php?f=4&t=7033&p=7645#p7645> || Server Administration :: Re: Inet Gateway with AS :: Reply by ecrist <https://forums.openvpn.net/viewtopic.php?f=4&t=7033&p=7650#p7650> || Installation Help :: TAP Driver Install Problem in 2.1.2 - KNOWN ISSUE :: Author ecrist <https://forums.openvpn.net/viewtopic.php?f=5&t=7035&p
08:52 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: MAC Set Up :: Reply by ecrist <https://forums.openvpn.net/viewtopic.php?f=15&t=7032&p=7652#p7652>
09:16 -!- zheng [~zheng@114.92.134.236] has joined ##openvpn
09:23 -!- funkyHat [~m@funkyhat.org] has quit [Ping timeout: 272 seconds]
09:24 -!- funkyHat [~m@cpc1-nrte3-0-0-cust308.8-4.cable.virginmedia.com] has joined ##openvpn
09:29 -!- funkyHat [~m@cpc1-nrte3-0-0-cust308.8-4.cable.virginmedia.com] has quit [Ping timeout: 276 seconds]
09:30 -!- funkyHat [~m@funkyhat.org] has joined ##openvpn
09:35 < vpnHelper> RSS Update - forum: Server Administration :: Re: OpenVPN for windows 2003 clients :: Reply by blakelharris <https://forums.openvpn.net/viewtopic.php?f=4&t=7026&p=7646#p7646>
09:45 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
09:49 < funkyHat> !route
09:49 < vpnHelper> funkyHat: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:53 -!- Chaze [~Chase@dslb-092-072-136-150.pools.arcor-ip.net] has quit [Read error: Connection reset by peer]
09:55 -!- zheng [~zheng@114.92.134.236] has quit [Quit: Leaving]
09:59 < funkyHat> http://bpaste.net/show/8992/ here's the output of route on my client, as well as the client and server configs for my VPN. Is it possible to get rid ouf the default route for tap0 (line 6)?
09:59 < funkyHat> It sometimes causes weirdness if the client has temporary loss of connectivity 
10:02 -!- yakub [~www-data@unaffiliated/yakub] has joined ##openvpn
10:21 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Ping timeout: 252 seconds]
10:36 -!- hid3 [~tst@lan-78-157-71-116.vln.skynet.lt] has left ##openvpn []
10:36 -!- kyrix [~ashley@mail.ic-vienna.at] has quit [Quit: Leaving]
10:37 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has quit [Read error: Connection reset by peer]
10:42 -!- fercher [~fercher@gateway.pti.org.br] has joined ##openvpn
10:46 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
11:01 -!- Webhostbudd [~Webhostbu@isr6906.urh.uiuc.edu] has joined ##openvpn
11:04 < Webhostbudd> Anyone mind helping me out with troubleshooting a bridged vpn between a windows client and freebsd server? I honestly can't figure out why the windows client acquires an IP from the dhcp server as well as some arp requests, but is unable to send or maybe recieve any other network traffic.
11:07 < Webhostbudd> !welcome
11:07 < vpnHelper> Webhostbudd: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:07 < Webhostbudd> !howto
11:07 < vpnHelper> Webhostbudd: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:07 < Webhostbudd> !goal
11:07 < vpnHelper> Webhostbudd: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:08 < Webhostbudd> !goal I would like to be able to bridge my private lan to a roaming road warrior
11:08 < vpnHelper> Webhostbudd: Error: "goal" is not a valid command.
11:08 < Webhostbudd> !logs
11:08 < vpnHelper> Webhostbudd: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
11:09 < krzee> Webhostbudd, why bridge?
11:10 < Webhostbudd> I would like to be able to access all of the resources available and figured that would be the easiest method
11:10 < krzee> !tunortap
11:10 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
11:11 < vpnHelper> krzee: against you over the vpn, or (#4) lan gaming? use tap!
11:15 < jpalmer> krzee: you aren't back from vacation yet, are you?
11:15 < Webhostbudd> So, does anyone know why the ovpn server always assigns the same address to every client connecting on a tun network, but over tap it actually assigns them properly?
11:20 < Dougy> ioh hey
11:20 < Dougy> its jeff
11:20 < Dougy> wsup dood
11:23 -!- e2ven [~Cdavis@pool-173-76-239-123.bstnma.fios.verizon.net] has joined ##openvpn
11:23 < krzee> jpalmer, nope
11:23 < krzee> i go back today
11:23 < krzee> oh damn i was supposed to talk to you more
11:24 < krzee> lol, its been a good vacation
11:24 -!- Webhostbudd [~Webhostbu@isr6906.urh.uiuc.edu] has quit [Quit: Leaving]
11:24 < krzee> much needed
11:26 -!- e1ven [~Cdavis@pool-173-76-239-123.bstnma.fios.verizon.net] has quit [Ping timeout: 252 seconds]
11:49 -!- meh3 [~efnet@27-9.202-62.fix.bluewin.ch] has joined ##openvpn
11:52 < meh3> !welcome
11:52 < vpnHelper> meh3: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:54 < meh3> hey guys, this is my first vpn im trying to run.. i get this error when i run it http://pastebin.com/TUT73s01
12:02 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has joined ##openvpn
12:06 < fercher> Hi, i am install the centos 5.5 with openvpn, but when i try /revoke-full maiquel show-me that error: http://pastebin.com/LxxgDZ9R
12:06 < fercher> someone help?;
12:09 < Dougy> hm
12:09 < Dougy> what is /revoke-full
12:09 < Dougy> nevermind
12:16 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
12:33 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
12:53 -!- dazo is now known as dazo_afk
13:00 < yakub> so one of my openvpn clients is Windows Vista.  on my openvpn server, i have files in /ccd where i try to give everyone an ip address.  it works for everyone BUT windows vista clients.  what am i doing wrong?
13:07 < meh3> i fixed that error, now i keep gettin another error.. it says the server.key is vuln and i have to run openssl-vulnkey and it passes, the log is here: http://pastebin.com/FmZQcJvf
13:07 -!- Cain [~Geek@unaffiliated/cain] has quit [Read error: Connection reset by peer]
13:07 < meh3> any reason why it keeps giving that error if the server key is not blacklisted?
13:08 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
13:10 < krzee> meh3, just use new keys
13:11 < meh3> just generate new keys for the server and thats it?
13:11 < meh3> let me try that
13:11 < meh3> so i delete them and recreate, right?
13:11 < krzee> !pki
13:11 < vpnHelper> krzee: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert
13:11 < vpnHelper> krzee: was signed specially as a server (see !servercert)
13:15 < meh3> hmm this is the first time i try to run openvpn and still didnt get it to run. so its all a bit new to me and a little confusing.
13:15 < meh3> in my case, all i need to do is generate a new server1.key and not the ca, is that right?
13:16 < meh3> krzee ^^
13:16 < krzee> no idea, would it hurt to just do the whole process over? no
13:16 < krzee> may as well do it all
13:20 < meh3> i guess i could.. i created those keys just 3hrs ago.. hopefuly it will b different this time
13:20 < meh3> let me try it out
13:22 < Dougy> !tcp
13:22 < vpnHelper> Dougy: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
13:23 < Dougy> !udp
13:23 < vpnHelper> Dougy: Error: "udp" is not a valid command.
13:27 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
13:28 < meh3> i got the same error again with a new set of ca and keys
13:30 < krzee> 1 thing i just noticed...
13:30 < krzee> why are you using such an old openvpn?
13:30 < krzee> !download
13:30 < vpnHelper> krzee: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
13:31 < krzee> yours is over 2 yrs old
13:31 < meh3> honestly i dont know.. like i said im still learning this so im just following a guide for now and once i get it up and running i was planning to do it all over properly
13:32 < meh3> i guess the guides version i downloaded was old.. i dont know why i downloaded it from there.. i usually download from the source
13:32 < krzee> !goal
13:32 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:33 < Dougy> sup krzee
13:33 < Dougy> u crazy foo
13:33 < krzee> sup dougy
13:33 < Dougy> startin to walk a little
13:33 < Dougy> next tuesday i can walk on my leg entirely supposedly.. no crutches
13:33 < krzee> fercher, sounds like it is revoking, does the CRL allow that client still?
13:34 < meh3> krzee, im planning to run openVPN from home for 2 reasons: 1) to be able to access my LAN 2) for safe surfing if i connected to an unsecure network for any reason (like public wifi)
13:34 < fercher> krzee, when i execute the revoke show error
13:34 < krzee> yakub, what does the ifconfig-push line look like? are you using topology subnet or not?
13:34 < krzee> yakub, and are you using tun or tap?
13:35 < krzee> meh3, ok so you want to redirect all internet over the vpn?
13:35 < meh3> yes, thats my plan
13:36 < krzee> fercher, the error kinda looks like its the expected result... looks like output from openssl to me
13:36 < yakub> krzee: ifconfig-push line only contains: 'ifconfig-push 10.200.103.11 10.200.103.12' . dunno what topology subnet is.  in server config i defined: 'server 10.200.103.0 255.255.255.0' . tun.
13:36 < krzee> did it output a CRL?
13:36 < krzee> !/30
13:36 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
13:36 < krzee> thats not valid ips to push
13:37 < krzee> thats the problem =]
13:39 < meh3> krzee, if i want to install the new version, i can just cp /etc/openvpn /etc/openvpn.old and then install the new version on /etc/openvpn fine, right?
13:40 < krzee> no need
13:40 < krzee> just install the new version
13:40 < krzee> old config stuff is still valid
13:41 < yakub> krzee: like this?: http://pastie.org/1112990
13:41 < krzee> meh3, btw my config generator can do that kind of setup if you use bash
13:42 < krzee> !confgen
13:42 < vpnHelper> krzee: "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/
13:45 < krzee> yakub, try it
13:46 < Dougy> jeff how was vaca
13:46 < krzee> on the last day
13:46 < meh3> thanks for all the info krzee
13:46 < krzee> was good
13:46 < krzee> meh3, np
13:46 < krzee> meh3, also:
13:46 < krzee> !redirect
13:46 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:46 < krzee> !route
13:46 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:46 < krzee> !serverlan
13:46 < vpnHelper> krzee: "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
13:47 < meh3> thanks dude
13:47 < krzee> yw
13:48 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has joined ##openvpn
13:51 -!- e1ven_ [~Cdavis@pool-173-76-239-123.bstnma.fios.verizon.net] has joined ##openvpn
13:54 < Dougy> ah
13:54 < Dougy> what country are you living in these days
13:54 -!- e2ven [~Cdavis@pool-173-76-239-123.bstnma.fios.verizon.net] has quit [Ping timeout: 265 seconds]
13:57 < krzee> carib
14:01 -!- Raccoon` is now known as RACcoon
14:09 -!- e1ven_ is now known as E1ven
14:09 -!- E1ven [~Cdavis@pool-173-76-239-123.bstnma.fios.verizon.net] has quit [Changing host]
14:09 -!- E1ven [~Cdavis@SQ7/ProjectLead/E1ven] has joined ##openvpn
14:33 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:40 < meh3> root@Server-lap:/etc/openvpn# openvpn --version
14:40 < meh3> OpenVPN 2.1_rc7 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Feb 20 2008
14:40 < meh3> Developed by James Yonan
14:40 < meh3> Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
14:40 < meh3> root@Server-lap:/etc/openvpn#
14:40 < meh3> crap.. i was plnning to paste the pastebin address :/
14:40 < meh3> planning*
14:41 < meh3> sorry about that
14:45 -!- dollabill [~mike@97.66.26.10] has quit []
14:52 -!- yakub [~www-data@unaffiliated/yakub] has quit [Quit: leaving]
15:04 -!- meh3 [~efnet@27-9.202-62.fix.bluewin.ch] has quit [Ping timeout: 258 seconds]
15:04 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has quit [Quit: Leaving]
15:17 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
15:25 -!- Martz^ [~Martz@unaffiliated/martz] has quit [Quit: Leaving]
15:31 -!- RACcoon [~bismuth@unaffiliated/raccoon] has quit [Ping timeout: 255 seconds]
15:45 < fercher> when i connect with windows client show that error in server.. "CRL: cannot read: crl.pem: No such file or directory (errno=2)", but file exist 
15:49 < fercher> TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL
15:49 < fercher> ??
15:58 < kisom> fercher: You have no crl.pem file on the client.
15:58 < kisom> simple as that
16:00 < fercher> crl.pem in client.. i dont have =\ 
16:00 < kisom> i know, thats why you get the error "crl.pem: No such file or directory"
16:01 < fercher> i have in server.conf  crl-verify /etc/openvpn/crl.pem
16:01 < kisom> and hence openvpn fails
16:01 < kisom> ...in a windows client?
16:01 < fercher> windows client i dont have.. 
16:02 < fercher> i dont add this line crl-verify /etc/openvpn/crl.pem in conf
16:02 < fercher> in server.
16:04 < fercher> kisom, http://pastebin.com/NpjAj7gu
16:05 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
16:06 < fercher> kisom,  error: http://pastebin.com/7nyZwJaT
16:12 -!- fercher [~fercher@gateway.pti.org.br] has quit [Ping timeout: 252 seconds]
16:28 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has joined ##openvpn
16:38 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined ##openvpn
16:40 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
16:46 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
16:47 -!- meh3 [~efnet@103-19.77-83.cust.bluewin.ch] has joined ##openvpn
16:48 -!- stoner [~efnet@103-19.77-83.cust.bluewin.ch] has joined ##openvpn
16:52 -!- meh3 [~efnet@103-19.77-83.cust.bluewin.ch] has quit [Ping timeout: 255 seconds]
16:56 -!- stoner [~efnet@103-19.77-83.cust.bluewin.ch] has quit [Ping timeout: 276 seconds]
17:03 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
17:10 -!- eightfold [~eightfold@c213-89-115-197.bredband.comhem.se] has joined ##openvpn
17:37 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 260 seconds]
17:45 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:08 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
18:17 < vpnHelper> RSS Update - forum: Installation Help :: Re: OpenVPN with Windows 2008 x64 R2 :: Reply by cyres <https://forums.openvpn.net/viewtopic.php?f=5&t=7029&p=7653#p7653>
18:17 -!- meh3 [~efnet@27-9.202-62.fix.bluewin.ch] has joined ##openvpn
18:20 -!- tjz_ [~pc@bb119-74-160-180.singnet.com.sg] has joined ##openvpn
18:23 < meh3> hey guys, i managed to run the server with no errors finally. but im facing another problem, while its running i dont see port 1194 open.. what could cause this?
18:23 < meh3> i mean on ubuntu where im running the server netstat -pant for example doesnt list port 1194
18:24 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
18:34 -!- stoner [~efnet@27-9.202-62.fix.bluewin.ch] has joined ##openvpn
18:54 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
18:54 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Remote host closed the connection]
18:57 -!- stoner [~efnet@27-9.202-62.fix.bluewin.ch] has left ##openvpn []
19:17 -!- Cain` [~Geek@unaffiliated/cain] has joined ##openvpn
19:18 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
19:18 -!- Cain` is now known as Cain
20:52 -!- manevra [manevra@95.154.230.239] has joined ##openvpn
20:53 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
20:58 -!- manevra [manevra@95.154.230.239] has quit [Quit: Leaving]
21:34 -!- cofffee [~quassel@c-76-26-209-236.hsd1.sc.comcast.net] has joined ##openvpn
21:45 -!- buswellj [~buswellj@cpe-184-57-74-160.columbus.res.rr.com] has joined ##openvpn
21:45 < buswellj> !welcome
21:45 < vpnHelper> buswellj: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:45 < buswellj> !redirect
21:45 < vpnHelper> buswellj: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
21:46 < buswellj> !nat
21:46 < vpnHelper> buswellj: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
21:46 < buswellj> !linnat
21:46 < vpnHelper> buswellj: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
21:46 < buswellj> !defl
21:46 < vpnHelper> buswellj: Error: "defl" is not a valid command.
21:46 < buswellj> !def1
21:46 < vpnHelper> buswellj: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
21:47 < buswellj> !man
21:47 < vpnHelper> buswellj: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
22:15 -!- cofffee [~quassel@c-76-26-209-236.hsd1.sc.comcast.net] has quit [Read error: Connection reset by peer]
22:27 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 252 seconds]
--- Day changed Wed Aug 25 2010
00:48 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
00:48 -!- mode/##openvpn [+o mattock] by ChanServ
01:49 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
01:50 -!- eightfold [~eightfold@c213-89-115-197.bredband.comhem.se] has quit [Read error: Connection reset by peer]
01:51 -!- eightfold [~eightfold@c213-89-115-197.bredband.comhem.se] has joined ##openvpn
02:01 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
02:17 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
02:23 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
02:37 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has quit [Ping timeout: 245 seconds]
03:19 -!- krzee [~k@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
03:29 -!- dazo_afk is now known as dazo
03:36 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
04:38 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
04:44 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
05:10 < hyper_ch> hi there
05:17 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:40 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:52 -!- manevra [manevra@95.154.230.239] has joined ##openvpn
06:01 -!- manevra [manevra@95.154.230.239] has quit [Quit: Leaving]
06:07 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
06:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
06:17 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:40 -!- Cain` [~Geek@unaffiliated/cain] has joined ##openvpn
06:40 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
06:40 -!- Cain` is now known as Cain
06:52 -!- dcyber09 [~ew@unaffiliated/dcyber09] has joined ##openvpn
06:52 < dcyber09> !welcome
06:52 < vpnHelper> dcyber09: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:55 < dcyber09> !wiki
06:55 < vpnHelper> dcyber09: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
06:57 < dcyber09> uhm :( i got problem creating access server where i can ask :(
07:02 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
07:04 < dcyber09> ecrist : can i pm you
07:04 < ecrist> why?
07:04 < ecrist> I can't help with access server
07:05 < dcyber09> :(
07:06 < ecrist> you need to go through the support channels - access server is a commercial project
07:06 < dcyber09> oh
07:07 < ecrist> http://www.openvpn.net/index.php/access-server/support-center.html
07:07 < dcyber09> thanks
07:07 < ecrist> !as
07:07 < vpnHelper> Title: Support Center (at www.openvpn.net)
07:07 < vpnHelper> ecrist: "as" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server
07:07 < vpnHelper> ecrist: configurations options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
07:09 < dcyber09> many thanks 
07:16 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
07:31 -!- litilu_ [5287f6fa@gateway/web/freenode/ip.82.135.246.250] has joined ##openvpn
07:31 -!- litilu_ [5287f6fa@gateway/web/freenode/ip.82.135.246.250] has quit [Client Quit]
07:32 -!- litilu [5287f6fa@gateway/web/freenode/ip.82.135.246.250] has joined ##openvpn
07:34 -!- batrick [~batrick@batbytes.com] has quit [Quit: leaving]
07:34 -!- batrick [~batrick@batbytes.com] has joined ##openvpn
07:40 -!- brah [~asdofp@190.183.62.66] has quit [Ping timeout: 265 seconds]
07:51 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
07:51 < theDoc> raidz> Do you happen to be around?
08:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
08:12 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:14 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:21 -!- dcyber09 [~ew@unaffiliated/dcyber09] has quit []
08:23 -!- litilu_ [5287f6fa@gateway/web/freenode/ip.82.135.246.250] has joined ##openvpn
08:23 -!- litilu [5287f6fa@gateway/web/freenode/ip.82.135.246.250] has quit [Ping timeout: 252 seconds]
08:28 -!- litilu_ [5287f6fa@gateway/web/freenode/ip.82.135.246.250] has quit [Client Quit]
08:31 -!- dcyber09 [~ew@unaffiliated/dcyber09] has joined ##openvpn
08:32 -!- litilu [5287f6fa@gateway/web/freenode/ip.82.135.246.250] has joined ##openvpn
08:37 < vpnHelper> RSS Update - forum: Server Administration :: Question about tun/tap (remote DHCP addresses being handled :: Author simon <https://forums.openvpn.net/viewtopic.php?f=4&t=7037&p=7654#p7654>
08:44 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 272 seconds]
08:47 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
08:49 -!- litilu [5287f6fa@gateway/web/freenode/ip.82.135.246.250] has left ##openvpn []
08:51 -!- manevra [manevra@109.123.99.32] has joined ##openvpn
08:53 -!- dcyber09 [~ew@unaffiliated/dcyber09] has quit [Ping timeout: 265 seconds]
08:58 -!- dcyber09 [~ew@110.137.239.113] has joined ##openvpn
09:12 -!- Overlord [~Overlord@ka17185.dedidemon.com] has quit [Quit: Leaving]
09:14 -!- dcyber09 [~ew@110.137.239.113] has quit []
09:25 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
09:29 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
09:32 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:34 -!- DrPepper [~DrPepper@88.207.164.177] has joined ##openvpn
09:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 272 seconds]
09:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:51 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 258 seconds]
10:09 < Dougy> i donno who is awake and in the USA but
10:09 < Dougy> a store called micro center has some pretty slick deals on macs 
10:13 < ecrist> microcenter is meh
10:13 < Dougy> oh i love micro center
10:13 < Dougy> b etween me and my biz ive probably spent in excess of 10 grand there since a year or so ago
10:13 < Dougy> maybe year and a half
10:14 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
10:44 < vpnHelper> RSS Update - forum: Configuration :: Question about tun/tap (remote DHCP addresses being handled :: Author simon <https://forums.openvpn.net/viewtopic.php?f=6&t=7037&p=7654#p7654> || Off Topic, Related :: OpenVPN client :: Author simon <https://forums.openvpn.net/viewtopic.php?f=1&t=7038&p=7655#p7655> || Off Topic, Related :: openvpn 2.1.2 Windows 7 64 bit :: Author zensistemi <https://forums.openvpn.net/viewtopic.php?f=1&t=7040&p=7
10:45 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has joined ##openvpn
10:55 -!- E1ven [~Cdavis@SQ7/ProjectLead/E1ven] has quit [Read error: Connection reset by peer]
11:00 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
11:08 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
11:13 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
11:34 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has quit [Read error: Connection reset by peer]
11:51 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:53 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: Leaving]
11:55 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
11:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Max SendQ exceeded]
12:01 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
12:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:13 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Read error: Connection reset by peer]
12:21 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Quit: leaving]
12:21 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
12:23 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
12:40 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.8/20100722155716]]
12:42 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
13:00 -!- dazo is now known as dazo_afk
13:17 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
13:25 -!- hellburn3r [~hellburn3@131.247.244.192] has joined ##openvpn
13:28 < hellburn3r> is it possible to see what IP's an openvpn server has put out?
13:28 < kisom> yes
13:28 < kisom> ifconfig-pool-persist /dev/shm/VPN-Leases <number>
13:29 < kisom> where <number> is the time, in seconds, how often openvpn should rewrite the file
13:36 < hellburn3r> hmmm, the server lacks a ifconfig-pool-persist
13:39 -!- dollabill [~mike@97.66.26.10] has quit []
13:39 -!- hellburn3r [~hellburn3@131.247.244.192] has left ##openvpn []
14:09 -!- dunc [~dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Remote host closed the connection]
14:25 -!- MetalWolf [~barry@92.236.100.252] has quit [Ping timeout: 240 seconds]
14:35 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
14:47 -!- BrixSat [~Cesar@bl15-82-182.dsl.telepac.pt] has joined ##openvpn
14:47 < BrixSat> hello 
14:47 < BrixSat> !welcome
14:47 < vpnHelper> BrixSat: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:48 < BrixSat> !redirect
14:48 < vpnHelper> BrixSat: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:48 < BrixSat> !ipforwarding
14:48 < vpnHelper> BrixSat: Error: "ipforwarding" is not a valid command.
14:48 < BrixSat> !ipforward
14:48 < vpnHelper> BrixSat: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
14:49 < BrixSat> !inipforward
14:49 < vpnHelper> BrixSat: Error: "inipforward" is not a valid command.
14:49 < BrixSat>  !linipforward
14:49 < BrixSat> !linipforwarp
14:49 < vpnHelper> BrixSat: Error: "linipforwarp" is not a valid command.
14:50 < BrixSat> !linipforward
14:50 < vpnHelper> BrixSat: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
14:51 < BrixSat> i still dont have internet when connected to the vpn server :s
14:52 < BrixSat> !winipforward
14:52 < vpnHelper> BrixSat: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
14:58 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Remote host closed the connection]
15:00 -!- DrPepper [~DrPepper@88.207.164.177] has quit [Quit: Leaving...]
15:01 -!- BrixSat [~Cesar@bl15-82-182.dsl.telepac.pt] has quit [Ping timeout: 258 seconds]
15:03 -!- zoobab [zoobab@vic.ffii.org] has joined ##openvpn
15:03 < zoobab> hi
15:03 < zoobab> I need to log whether the VPN tunnel is activ
15:03 < zoobab> active
15:03 < zoobab> I put a:
15:03 < zoobab> status /var/log/openvpn-status.log
15:03 < zoobab> verb 15
15:03 < zoobab> in  my openvpn.conf
15:03 < zoobab> but it does not tell me if the VPN is OK
15:04 < zoobab> anyway to find out?
15:14 < Bushmills> when is vpn ok? when server runs, or when clients can connect to it?
15:15 < Bushmills> server alone is not a vpn. only an endpoint for one.
15:24 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
15:31 -!- tishammer [~hammer@95.237.105.3] has joined ##openvpn
15:31 < tishammer> hello
15:32 < tishammer> i'm having some problems with self-signed certificates
15:33 < tishammer> i basically have a pkcs12 certificate and the client config. the tls handshake failes like this: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
15:33 < tishammer> what am i missing?
15:34 < tishammer> !welcome
15:34 < vpnHelper> tishammer: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:34 < tishammer> !goal
15:34 < vpnHelper> tishammer: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:53 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
16:02 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
16:03 < Dougy> brix will be shat
17:00 -!- zoobab [zoobab@vic.ffii.org] has left ##openvpn []
17:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
17:04 -!- DrPepper [~DrPepper@88.207.164.177] has joined ##openvpn
17:07 -!- fremo___ [~fremo@noc.toile-libre.net] has quit [Read error: Connection reset by peer]
17:07 -!- meh3 [~efnet@27-9.202-62.fix.bluewin.ch] has quit [Read error: Connection reset by peer]
17:07 -!- meh3 [~efnet@27-9.202-62.fix.bluewin.ch] has joined ##openvpn
17:09 -!- fremo__ [~fremo@noc.toile-libre.net] has joined ##openvpn
17:19 -!- manevra [manevra@109.123.99.32] has quit [Quit: Leaving]
17:21 -!- Cheard [Osjli@unaffiliated/cheard] has joined ##openvpn
17:21 -!- montana [~montana@212.117.173.72] has joined ##openvpn
17:23 < Cheard> i have windows 7 enterprise 64-bit. and it's not liking the unsigned tap-win32 driver in the new openvpn installer. i've had openvpn working on this machine before 2.1.2 but not since i upgraded.
17:24 < Cheard> i've also changed the settings in windows 7 to allow unsigned drivers to be installed
17:25 < Cheard> i still get an error saying that no tap-win32 devices are available on the system 
17:25 < Cheard> oops. 
17:25 < Cheard> !welcome
17:25 < vpnHelper> Cheard: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:26 < Cheard> !goal
17:26 < vpnHelper> Cheard: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:27 < Cheard> !howto
17:27 < vpnHelper> Cheard: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:30 -!- DrPepper [~DrPepper@88.207.164.177] has quit [Quit: Leaving...]
17:36 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:40 -!- Cheard [Osjli@unaffiliated/cheard] has quit [Quit: Leaving]
17:59 -!- notbrien_ [~notbrien@69.60.16.242] has joined ##openvpn
17:59 -!- notbrien_ is now known as notbrien
18:37 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Ping timeout: 276 seconds]
18:38 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined ##openvpn
18:43 -!- tishammer [~hammer@95.237.105.3] has quit [Quit: Lost terminal]
18:44 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
19:05 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has quit [Ping timeout: 255 seconds]
19:25 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has joined ##openvpn
19:27 -!- mrnice1 [bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
19:46 -!- Splex [~splex@unaffiliated/splex] has joined ##openvpn
19:47 < Splex> !welcome
19:47 < vpnHelper> Splex: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:48 < Splex> !route
19:48 < vpnHelper> Splex: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:15 -!- Cain [~Geek@unaffiliated/cain] has quit [Read error: Connection reset by peer]
20:16 -!- takamichi [~pri@pm303-98-27.keyworld.net] has quit []
20:38 < Splex> i have two openvpn servers, A and B.  I want the servers to connect to eachother so that the clients on A can talk to B and the clients on B can talk to A.  Is it possible to have the openvpn daemon act as both server and client?  or do i need to run 2 instances and modify routing & iptables?
21:16 -!- SOG [~SOG@n1164869195.netvigator.com] has joined ##openvpn
21:22 < Splex> where do i set up post-connection config directives such as iptables, etc
21:22 < Splex> config to be executed after an interface is brought up
21:22 < Splex> in linux
--- Log opened Wed Aug 25 21:23:32 2010
21:23 -!- ecrist_ [~ecrist@kenny.secure-computing.net] has joined ##openvpn
21:23 -!- Irssi: ##openvpn: Total of 101 nicks [3 ops, 0 halfops, 0 voices, 98 normal]
21:23 -!- ecrist_ [~ecrist@kenny.secure-computing.net] has joined ##openvpn
--- Log closed Wed Aug 25 21:23:40 2010
21:23 -!- ecrist_ [~ecrist@kenny.secure-computing.net] has quit [Client Quit]
22:03 -!- nb [~nb@fedora/GSWoT.Member.nb] has quit [Read error: Connection reset by peer]
22:06 -!- nb [~nb@fedora/GSWoT.Member.nb] has joined ##openvpn
22:06 -!- SOG_ [~SOG@61.144.230.241] has joined ##openvpn
22:07 -!- SOG_ [~SOG@61.144.230.241] has quit [Client Quit]
22:10 -!- SOG [~SOG@n1164869195.netvigator.com] has quit [Ping timeout: 265 seconds]
22:22 < vpnHelper> RSS Update - forum: Installation Help :: Re: Is it a problem with openvpn or virtualbox ? :: Reply by cakemaker <https://forums.openvpn.net/viewtopic.php?f=5&t=7012&p=7659#p7659>
22:33 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Quit: Leaving.]
22:58 < rasengan> Is there a way for OpenVPN to detect a user disconnection faster?  The openvpn-status log doesn't seem to update until minutes after a user disconnection...
23:19 -!- cartes [cartes@116.193.170.2] has joined ##openvpn
23:19 < cartes> !welcome
23:19 < vpnHelper> cartes: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:21 < cartes> hi all
23:23 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:34 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 255 seconds]
23:38 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
23:46 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
--- Day changed Thu Aug 26 2010
00:07 < Bushmills> Splex: --up  on client
00:09 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
00:11 -!- tjz_ [~pc@bb119-74-160-180.singnet.com.sg] has quit [Quit: bbl.]
00:11 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
00:16 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
00:24 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has joined ##openvpn
01:34 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
01:41 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
02:05 -!- dazo_afk is now known as dazo
02:24 -!- Ghent [~ghent@unaffiliated/ghent] has joined ##openvpn
02:38 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Read error: Operation timed out]
02:40 -!- LowKey [rhel@unaffiliated/lowkey] has joined ##openvpn
02:43 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has quit [Quit: Leaving.]
02:51 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
02:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:05 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:05 -!- takamichi [~pri@pm303-98-27.keyworld.net] has joined ##openvpn
03:05 -!- danci1973 [~kvirc@router.agenda.si] has joined ##openvpn
03:05 < danci1973> Hello...
03:06 < danci1973> I was just trying out OpenVPN (2.0.9) and got this error: /lib/libssl.so.0.9.6: undefined symbol: X509_STORE_CTX_set_verify_cb
03:06 < danci1973> According to INSTALL file the 0.9.6 version of OpenSSl is sufficient... So what's missing there?
03:22 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
03:25 -!- macsppadic is now known as schoolfeasthis
03:32 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:32 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
03:39 -!- schoolfeasthis is now known as macsppadic
04:04 < danci1973> FYI - updated 0.9.6g to 0.9.6m and it works now.
04:10 -!- danci1973 [~kvirc@router.agenda.si] has left ##openvpn []
04:32 -!- SOG [~SOG@n1164869195.netvigator.com] has joined ##openvpn
04:32 < Ghent> Hello, I'm having trouble finding documentation on how to push options to only certain clients.  I'd like a few of my clients to get the gateway but others not to.  Can anyone point me in the right direction, please?
04:34 < reiffert> !ccd
04:34 < vpnHelper> reiffert: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
04:36 < Ghent> Thank you reiffert 
04:36 < reiffert> welcome
04:37 < Ghent> so I can put push directives in the client specific files?  I saw that in the sample configs but since they only had routes in them I thought maybe it wasn't the sam thing
04:38 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:10 < Splex> can an OpenVPN client process connect to multiple OpenVPN servers simultaneously?
05:25 -!- krzee [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
05:42 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
06:11 -!- Ghent [~ghent@unaffiliated/ghent] has left ##openvpn []
06:13 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
06:14 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
06:14 -!- SOG [~SOG@n1164869195.netvigator.com] has quit [Ping timeout: 272 seconds]
06:17 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Ping timeout: 240 seconds]
06:22 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
06:22 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
06:33 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:35 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
06:40 -!- Cain` [~Geek@unaffiliated/cain] has joined ##openvpn
06:42 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
06:42 -!- Cain` is now known as Cain
06:52 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
07:11 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
07:13 < Splex> how do I configure the openvpn server to avoid allocating certain reserved ip ranges?
07:22 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Read error: Connection reset by peer]
07:33 -!- JackCorleone [~root@201-68-39-124.dsl.telesp.net.br] has joined ##openvpn
07:36 -!- allquixotic [~allquixot@static.3.122.63.178.clients.your-server.de] has joined ##openvpn
07:38 < allquixotic> Hi, I currently have OpenVPN running in TCP mode, where all UDP and TCP traffic to/from the client gets tunneled through the VPN (I set the VPN as the default route). I'd like to relax that a little, so that all traffic gets routed through the VPN unless it's on port 80 TCP, 443 TCP, or 53 TCP or UDP. Is this possible?
07:48 < ecrist> no
07:49 < ecrist> your only option is to use policy-based routing, and that would have to be done on each client.
07:52 < allquixotic> ecrist: Ok.. I've only got one client (me)... so is this an OS-dependent feature that has nothing to do with OpenVPN?
07:52 < allquixotic> policy-based routing, that is
07:53 < ecrist> yes
07:53 < ecrist> policy-based routing is generally done in a firewall confing
07:53 < ecrist> config*
07:54 < ecrist> I know pf can do it, not sure about ipchains/iptables
07:54 < ecrist> I'm sure iptables can do it, but I'm not familiar with the config
07:54 < allquixotic> the client is a Windows Server 2008 R2 box...
07:55 < ecrist> good luck. :)
07:55 < allquixotic> I'll probably find something on google though
07:55 < allquixotic> thanks :)
08:07 -!- redfox [~redfox2@91.121.133.177] has quit [Ping timeout: 258 seconds]
08:09 -!- barfster [~barf@193.69.144.166] has joined ##openvpn
08:11 -!- redfox [~redfox2@91.121.133.177] has joined ##openvpn
08:12 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
08:12 -!- redfox is now known as Guest77758
08:14 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
08:28 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
08:28 -!- krzee [nobody@unaffiliated/krzee] has quit [Remote host closed the connection]
08:43 -!- [intra]lanman [~lanman@va-67-76-163-226.sta.embarqhsd.net] has joined ##openvpn
08:44 -!- [intra]lanman [~lanman@va-67-76-163-226.sta.embarqhsd.net] has quit [Changing host]
08:44 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
09:03 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has quit [Ping timeout: 276 seconds]
09:13 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Read error: Operation timed out]
09:22 < vpnHelper> RSS Update - forum: Configuration :: Re: "could not execute external program" (chroot-ed environm :: ... <https://forums.openvpn.net/viewtopic.php?f=6&t=7025&p=7662#p7662>
09:34 < vpnHelper> RSS Update - forum: Configuration :: Re: "could not execute external program" (chroot-ed environm :: ... <https://forums.openvpn.net/viewtopic.php?f=6&t=7025&p=7663#p7663> || Installation Help :: Is it a problem with openvpn or virtualbox ? :: Author cakemaker <https://forums.openvpn.net/viewtopic.php?f=5&t=7043&p=7659#p7659>
09:40 < vpnHelper> RSS Update - forum: Installation Help :: Can't get Openvpn 2.1.2 to start :: Author Oral Deckard <https://forums.openvpn.net/viewtopic.php?f=5&t=7042&p=7660#p7660> || Installation Help :: Re: Include username and psswd in the config file :: Reply by Oral Deckard <https://forums.openvpn.net/viewtopic.php?f=5&t=2424&p=7661#p7661> || Installation Help :: Is it a problem with openvpn or virtualbox ? :: Reply by cakemaker <https://forums
09:44 -!- rasengan [~rasengan@96.43.136.14] has left ##openvpn ["WeeChat 0.3.2"]
09:47 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:00 -!- krzee [nobody@unaffiliated/krzee] has joined ##openvpn
10:16 -!- OOo [OOo@c-83-233-176-176.cust.bredband2.com] has joined ##openvpn
10:16 < OOo> Hii Room .. 
10:17 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
10:17 < OOo> i am new in this VPN/LINux field
10:17 < OOo> well, i have one website which can't be access from out side of USA, if i want to allow to this website to certain users from around the world then
10:18 < OOo> then i have to setup open vpn on webserver ? and the through vpn they can can access to that website ? ok ?
10:18 < ecrist> yes, that sounds sensible to me
10:19 < OOo> hmm.. open vpn also have its own vpn client or it can easily connect through built in Windows vpn connection ?
10:20 < OOo> can we connect to OPEN VPN Server through windows built in vpn created connection?
10:20 < ecrist> no, you have to use the openvpn application 
10:21 < OOo> hmm..
10:21 < OOo> well thanks alot, i work on this vpn setup.. 
10:22 < ecrist> no problem
10:22 < ecrist> !howto
10:22 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:22 < ecrist> that may help
10:22 < OOo> yes one more tiny thing.. can we install open vpn web interface for managing it through web interface ?
10:23 < OOo> i meant that openvpn server also install its web interface for managing it ?? or only have to work through command line ?
10:24 < ecrist> openvpn does not have a web interface
10:24 < ecrist> if you really need one, you can use the commercial product, access server
10:24 < ecrist> we don't suppor that here, though.
10:29 < OOo> hmm.. 
10:30 < OOo> well thanks again bye !!
10:30 -!- OOo [OOo@c-83-233-176-176.cust.bredband2.com] has left ##openvpn []
10:30 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
11:08 -!- krzie [nobody@unaffiliated/krzee] has joined ##openvpn
11:09 -!- krzee [nobody@unaffiliated/krzee] has quit [Ping timeout: 276 seconds]
11:10 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:11 -!- kr_eten [~quick@ip-161-16.powernet.bg] has joined ##openvpn
11:12 < kr_eten> hi, i need my client to reconnect without asking for username and pass once i have entered them once
11:12 < kr_eten> (linux)
11:12 < kr_eten> there was an option to cache them internally, but i forgot it and lost my old configs
11:13 < kr_eten> !welcome
11:13 < vpnHelper> kr_eten: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:16 -!- macsppadic [~sonupunno@88.211.55.77] has left ##openvpn []
11:16 -!- dazo is now known as dazo_afk
11:16 < kr_eten> hi, i need my client to reconnect without asking for username and pass once i have entered them once (linux). there was an option to cache them internally, but i forgot it and lost my old configs
11:17 < kr_eten> oops, sorry if double posted, just thought that it did not reach the channel because i was not identified :(
11:19 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:20 -!- kr_eten [~quick@ip-161-16.powernet.bg] has quit [Quit: Leaving]
11:34 -!- eightfold [~eightfold@c213-89-115-197.bredband.comhem.se] has left ##openvpn ["I quit."]
11:36 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined ##openvpn
11:39 -!- ivenkys_ [~ivenkys@unaffiliated/ivenkys] has quit [Ping timeout: 252 seconds]
12:04 -!- bbtrb [~tom@dhcp-116.hep.fsu.edu] has joined ##openvpn
12:04 < bbtrb> hi, I'
12:05 < bbtrb> ve set up VPN for the first time and everything works great, including redirecting all traffic from a client thorugh VPN.
12:05 < bbtrb> How would you guys set things up to make the redirect optional and configurable from the client?
12:07 < bbtrb> !welcome
12:07 < vpnHelper> bbtrb: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:07 < bbtrb> !redirect
12:07 < vpnHelper> bbtrb: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:15 -!- takamichi [~pri@pm303-98-27.keyworld.net] has quit [Ping timeout: 252 seconds]
12:17 < Bushmills> bbtrb: don't push redirect-gateway from server. insert, or leave out, redirect-gateway on client. alternatively, set and delete  the needed routes yourself on gateway, even after server pushed them
12:19 -!- Guest77758 is now known as redfox
12:19 < vpnHelper> RSS Update - forum: Installation Help :: Re: Can't get Openvpn 2.1.2 to start :: Reply by Oral Deckard <https://forums.openvpn.net/viewtopic.php?f=5&t=7042&p=7665#p7665>
12:19 -!- redfox is now known as Guest43737
12:20 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
12:26 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
12:31 -!- SOG [~SOG@222.125.202.173] has joined ##openvpn
12:38 < bbtrb> Bushmills: ok, I'll try that. The NATing on the server stays as it is for the usual redirect? (sry, real noob here ...)
12:39 < Bushmills> no changes there. 
12:39 < bbtrb> ok thanks. let's see how it goes ...
12:39 < Bushmills> sry. mistake. meant to say "on client" rather than "on gateway"
12:40 < bbtrb> bbtrb: understood :)
12:45 -!- dazo_afk is now known as dazo
12:49 -!- SOG [~SOG@222.125.202.173] has quit [Remote host closed the connection]
12:49 -!- SOG [~SOG@n1164869195.netvigator.com] has joined ##openvpn
12:50 -!- SOG [~SOG@n1164869195.netvigator.com] has quit [Read error: Connection reset by peer]
12:53 < bbtrb> Bushmills: hmmm, what should route-gateway point to? I get:
12:53 < bbtrb> Thu Aug 26 13:49:47 2010 /sbin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 10.0.1.101
12:53 < bbtrb> SIOCADDRT: No such process
12:53 < bbtrb> Thu Aug 26 13:49:47 2010 ERROR: Linux route add command failed: external program exited with error status: 7
12:54 < Bushmills> try netmask 255.255.255.0
12:54 < Bushmills> there is probably no other route to 10.0.1.101
12:55 < Bushmills> oh.  10.0.x.x - is that right?
12:55 < Bushmills> why is client in a different subnet than server?
12:56 < bbtrb> that's why i'm asking... I tried 10.8.0.1 as gateway (*that* should be it, right?), but I got no route to the outside worl
12:56 < bbtrb> d
12:57 < Bushmills> you also need a host route to the server ethernet address, or openvpn on client doesn't know how to reach openvpn server
12:58 < Bushmills> with default route through vpn, you can't route the vpn itself through itself
12:58 < bbtrb> oh makes sense. but what is a host route to the server ? Sry I can't follow you, man
13:00 < Bushmills> route add server.ethernet.address interface   # (not the vpn interface)
13:01 < Bushmills> probably your 10.0.1.101
13:01 < Bushmills> and probably eth0
13:02 < Bushmills> host route means, a route to a /32 address, instead of a -net with netmask 
13:06 < bbtrb> ok, now I got the route, but no redirect. 
13:15 < Bushmills> now you either replace the default route, or add two net routes to 0.0.0.0/1 and 128.0.0.0/1, using the vpn server address as gateway 
13:16 < Bushmills> the two routes is preferable because you can delete them, to switch back to your former default route
13:16  * Bushmills gone now
13:21 < bbtrb> Bushmills: thanks! that did it!!
13:21 -!- bbtrb [~tom@dhcp-116.hep.fsu.edu] has quit [Quit: Lost terminal]
13:29 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
13:33 < vpnHelper> RSS Update - forum: Off Topic, Related :: Re: OpenVPN client :: Reply by Oral Deckard <https://forums.openvpn.net/viewtopic.php?f=1&t=7038&p=7666#p7666>
13:35 -!- dollabill [~mike@97.66.26.10] has quit []
13:42 -!- fr00d [~andi@unaffiliated/fr00d] has joined ##openvpn
13:42 < fr00d> Hello!
13:43 < fr00d> I've setup an openvpn network the clients can reach each other, but when I try to ping a client from the server I get: Destination Port Unreachable
13:43 < fr00d> Can somebody tell me what's wrong?
13:44 < fr00d> Is this problem related to my server configuration or is this an iptables issue?
13:44 < krzie> firewall
13:49 < fr00d> But server and client are both in 192.168.111.0/24. Is there any firewall passed if a connection between the server and the client is created?
13:49 < ecrist> the firewall on the server and the firewall on the client
13:50 < fr00d> But the firewall on the client should be an issue, because client to client connections are working.
13:50 < fr00d> So it needs to be the server firewall which let the connection fail.
13:51 < krzie> well ya
13:52 < fr00d> http://pastebin.ca/1926135 These are my firewall rules at the moment. Can somebody tell me what's wrong?
13:53 < krzie> dunno
13:54 < krzie> but its your firewall :)
13:55 < fr00d> So what's the problem with that?
13:55 < krzie> not sure, i troubleshoot openvpn stuff not iptables stuff
13:55 < fr00d> hmm, ok.
13:57 < fr00d> It can't be the firewall. When turning the firewall off I'm getting the same error.
13:59 < vpnHelper> RSS Update - forum: Off Topic, Related :: Re: OpenVPN client :: Reply by Oral Deckard <https://forums.openvpn.net/viewtopic.php?f=1&t=7038&p=7668#p7668>
14:05 < krzie> Your problem is your firewall, really.
14:08 < krzie> (this is for another place)...
14:08 < krzie> !factoids search outside
14:08 < vpnHelper> krzie: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
14:09 < kisom> im home in 20 minutes
14:10 < vpnHelper> RSS Update - forum: Configuration :: Unable to access servers on vpn network. :: Author mnickerson <https://forums.openvpn.net/viewtopic.php?f=6&t=7044&p=7667#p7667> || Off Topic, Related :: Re: OpenVPN client :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=1&t=7038&p=7669#p7669>
14:15 < vpnHelper> RSS Update - forum: Configuration :: Re: Unable to access servers on vpn network. :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7044&p=7670#p7670>
14:30 -!- krzie [nobody@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
14:36 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:58 -!- tiberius_ [~tiberius@2001:470:8:3d8::16] has joined ##openvpn
15:00 -!- hacim [~micah@debian/developer/micah] has joined ##openvpn
15:00 < hacim> is there kerberos support for client-side openvpn?
15:00 < hacim> i know that I can setup pam to do it on the server side, but the password is then passed
15:06 < tiberius_> I have some public static addresses available on a hosted server that will be used for VPN and I'd like to assign these to clients... am I correct in understanding that 3 out of every 4 addresses will be "wasted" in a routed configuration for the network, broadcast, and endpoint addresses?
15:36 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
15:45 -!- JackCorleone [~root@201-68-39-124.dsl.telesp.net.br] has quit [Quit: Saindo]
16:00 -!- Guest43737 is now known as redfox
16:00 -!- redfox is now known as Guest21004
16:01 -!- manevra [manevra@109.123.79.23] has joined ##openvpn
16:24 -!- Guest21004 is now known as redfox
16:34 -!- manevra_ [manevra@static.22.231.63.178.clients.your-server.de] has joined ##openvpn
16:37 -!- manevra [manevra@109.123.79.23] has quit [Ping timeout: 272 seconds]
16:47 -!- Spines [~Steven@24-176-82-169.dhcp.hckr.nc.charter.com] has joined ##openvpn
16:48 -!- Darkclaw66 [~Darkclaw@unaffiliated/darkclaw66] has joined ##openvpn
16:49 < Darkclaw66> is it possible to rebuild keys or do I have to revoke it and create a completely new one?
16:49 < Darkclaw66> I didn't have a backup of the keys
16:49 < reiffert> the latter.
16:49 < Darkclaw66> even if I have the .pem file?
16:51 < reiffert> "rebuild key" ??? "have the .pem file"
16:51 < Splex> is it possible to specify a specific range of ips available to allocate to the clients? I would like to allocate 10.100.100.2 - 10.100.255.254 to clients,  how would i configure openvpn to do this?
16:51 < Darkclaw66> I lost the .csr, .key, and .cer 
16:52 < Darkclaw66> but I had a backup of the .pem
16:53 < reiffert> .pem is supposed to be what?
16:53 < reiffert> Splex: tun or tap setup?
16:53 < Splex> reiffert: tun
16:53 < Darkclaw66> sorry, .pem is the certificate
16:54 < Darkclaw66> so I have the certificate but nothing else
16:54 < reiffert> Splex: man openvpn, have a close look to:
16:54 < reiffert> --server 10.8.0.0 255.255.255.0
16:54 < Splex> reiffert: using 'topology subnet'
16:54 < reiffert> expands to the following:
16:54 < reiffert> " "
16:54 < reiffert> Darkclaw66: the latter
16:54 < Darkclaw66> I need the corresponding csr and .key file
16:55 < Darkclaw66> can I rebuild the csr and .key file if I provide the certificate
16:55 < reiffert> Darkclaw66: no.
16:55 < Darkclaw66> so even if I have the certificate its garbage?
16:55 -!- manevra_ [manevra@static.22.231.63.178.clients.your-server.de] has quit [Quit: Leaving]
16:55 < Splex> reiffert: i see that, what does '!nopool' mean? i couldn't find a definition in the man page.
16:56 < reiffert> Splex: damn, thats a quite good question.
16:56 < reiffert> !nopool
16:56 < vpnHelper> reiffert: Error: "nopool" is not a valid command.
16:58 < Darkclaw66>  certificate routines:X509_check_private_key:key values mismatch
16:58 < reiffert> 		<field>
16:58 < reiffert> 			<fieldname>nopool</fieldname>
16:58 < reiffert> 			<fielddescr>Use static IPs</fielddescr>
16:58 < reiffert> 			<description>If this option is set, IPs won't be assigned to clients. Instead, the server will use static IPs on its side, and the clients are expected to use this same value in the 'Address pool' field.</description>
16:58 < reiffert> 			<required/>
16:58 < reiffert> 			<type>checkbox</type>
16:58 < reiffert> 		</field>
16:59 < reiffert> !learn nopool as someone definitly should document this option.
16:59 < vpnHelper> reiffert: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
16:59 < reiffert> vpnHelper: die.
16:59 < vpnHelper> reiffert: Error: "die." is not a valid command.
16:59 < reiffert> vpnHelper: die now
16:59 < vpnHelper> reiffert: Error: "die" is not a valid command.
17:00 -!- straterra [~straterra@fuhell.com] has joined ##openvpn
17:01 < straterra> !welcome
17:01 < vpnHelper> straterra: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:01 < straterra> Does the Windows 2.1.2 installer contain a signed driver for Windows x64?
17:01 < Darkclaw66> how do I revoke a certificate if I don't have the certificate
17:02 < straterra> Because..I could have sworn it used to..but now it doesn't. I just tried to install it on a Windows 7 Home x64 machine, and it rejected the unsigned driver
17:02 < reiffert> straterra: check out the latest -devel list, there is a topic on there.
17:02 -!- tiberius_ [~tiberius@2001:470:8:3d8::16] has quit [Quit: Leaving]
17:02 < reiffert> Darkclaw66: see openssl for details. Think revoking common names is enough here.
17:02 < Darkclaw66> it's asking for the pem file
17:04 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 260 seconds]
17:06 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
17:06 < reiffert> dazo: !nopool = no docs in the manpage?!
17:07 <@dazo> reiffert:  might be possible ... I've never used nopool anywhere, so I don't know about it
17:08 < Splex> reiffert: i looked at the sourcecode...
17:08 < reiffert> dazo: it's right next to "see what's --server expands to" in the middle of manpage.
17:08 <@dazo> yeah, I see that ... it seems to be related to --server
17:09 < Splex> reiffert: appears you can do this: server 10.8.0.0 255.255.255.0 nopool
17:09 < Splex> and then add another line
17:09 < Splex> ifconfig-pool
17:09 <@dazo> Splex:  is right
17:09 <@dazo> * Fixed some ifconfig-pool issues that precluded it from being combined
17:09 <@dazo>   with --server directive.
17:09 <@dazo>   Now, for example, we can configure thusly:
17:09 <@dazo>     server 10.8.0.0 255.255.255.0 nopool
17:09 <@dazo>     ifconfig-pool 10.8.0.2 10.8.0.99 255.255.255.0
17:09 <@dazo>   to have ifconfig-pool manage only a subset
17:09 <@dazo>   of the VPN subnet.
17:09 <@dazo> introduced in 2.1_rc14
17:09 < reiffert> dazo: yow, hell good stuff of an explanation :p
17:10 < Splex> i just tested it, it works
17:10 < straterra> reiffert: Do you know which month, to make my search easier?
17:10 <@dazo> If somebody cares enough to update the man page with this info, I'll gladly accept patches and pull them into the tree
17:10 -!- takamichi [~pri@pm303-98-27.keyworld.net] has joined ##openvpn
17:10 < reiffert> straterra: this month, maybe dazo knows of any details, he looks to be involved into the recent -devel talk.
17:11 <@dazo> straterra:  openvpn 2.1.3?
17:11 < reiffert> dazo: Lemme think about creating a ticket.
17:11 <@dazo> reiffert:  works as well :)
17:11 < straterra> dazo: 2.1.2
17:11 < straterra> Doesn't have a signed driver for Windows x64
17:12 <@dazo> straterra:  2.1.2 is old stuff ... that's fixed in 2.1.3
17:12 < ecrist> ugh
17:12 <@dazo> it's being rolled out soon
17:12 < straterra> how soon?
17:12 <@dazo> very soon, hopefully
17:12 < ecrist> !forums
17:12 < straterra> And is there a snapshot I can download?
17:12 < vpnHelper> ecrist: Error: "forums" is not a valid command.
17:12 < ecrist> !forum
17:12 < vpnHelper> ecrist: Configuration :: Re: "could not execute external program" (chroot-ed environm :: ... || Configuration :: Re: "could not execute external program" (chroot-ed environm :: ... || Configuration :: Unable to access servers on vpn network. :: Author mnickerson || Configuration :: Re: Unable to access servers on vpn network. :: Reply by krzee || Installation Help :: Re: Include username and
17:12 < reiffert> !define very soon
17:12 < vpnHelper> ecrist: psswd in the config file :: Reply by Oral Deckard || Installation Help :: Is it a problem with openvpn or virtualbox ? :: Reply by cakemaker || Installation Help :: Re: TAP Driver Install Problem in 2.1.2 - KNOWN ISSUE :: Reply by ecrist || Installation Help :: Can't get Openvpn 2.1.2 to start :: Author Oral Deckard || Installation Help :: Re: Can't get Openvpn 2.1.2 to start :: Reply
17:12 < vpnHelper> ecrist: by Oral Deckard || Off Topic, Related :: Re: OpenVPN client :: Reply by Oral Deckard || Off Topic, Related :: Re: OpenVPN client :: Reply by Oral Deckard || Off Topic, Related :: Re: OpenVPN client :: Reply by krzee
17:12 < vpnHelper> reiffert: Error: "define" is not a valid command.
17:12 < ecrist> reiffert: in next couple of days
17:13 < straterra> dazo: should I download an older release then?
17:13 < straterra> rc15 works perfectly for me in this regard
17:13 <@dazo> straterra:  2.1.1/2.1.0 is working very fine ....
17:13 < straterra> ..
17:13 < straterra> err, kk
17:13 < Darkclaw66> where can I get instructions on how to make a new certificate
17:14 < reiffert> ecrist: thanks!
17:14 < reiffert> Darkclaw66: 
17:14 < reiffert> !howto
17:14 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:14 <@dazo> it's just that Microsoft updated the WDK / DDK kits when 2.1.2 was built ... which broke stuff
17:14 < straterra> Gotcha
17:14 < ecrist> 2.1.1 was functional
17:14 <@dazo> yupp!
17:15 < straterra> I'll grab that then
17:16 < Darkclaw66> how can I view all the certificates that are authorized?
17:16 < ecrist> cat index
17:16 < ecrist> cat index.txt
17:16 < Darkclaw66> ah so if I did clean-all I would lose that info?
17:16 < ecrist> yep
17:17 < Darkclaw66> if there is an R in front of it, that means its revoked?
17:21 <@dazo> yupp
17:24 < Darkclaw66> do I need to backup any of these things on the server or its all on the client's end/
17:25 <@dazo> the CA files should ideally not be on neither server nor client ... it should be a separate unit
17:28 < Darkclaw66> how do i set a password for a client to login
17:28 <@dazo> password on the certificate or username/password authentication?
17:35  * dazo calls this a day
17:35 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
17:36 -!- dazo is now known as dazo_afk
17:39 < Darkclaw66> pass on the certificate
17:40 < Darkclaw66> like when a client logs in it asks for a password
17:40 < krzee> Darkclaw66, you asking how to add a pass to an existing cert? how to make a new one?
17:40 < Darkclaw66> pass to an existing crt
17:44 < Darkclaw66> ?
17:45 < reiffert> !
17:45 < reiffert> !!
17:45 < vpnHelper> reiffert: Error: "!" is not a valid command.
17:45 < reiffert> :)
17:45 < Darkclaw66> I dontremember how to do it
17:46 -!- Serideru [~GTWebster@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: Connection reset by peer]
17:46 < Darkclaw66> woot I figured it out good bye
17:46 -!- Darkclaw66 [~Darkclaw@unaffiliated/darkclaw66] has quit []
18:07 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
18:17 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:32 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
18:39 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has joined ##openvpn
18:40 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has quit [Client Quit]
18:40 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has joined ##openvpn
18:47 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
18:47 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
18:52 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
18:53 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Leaving]
19:03 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
19:15 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
19:17 -!- krzee [~k@unaffiliated/krzee] has quit [Quit: Leaving]
19:58 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
20:00 -!- Cisien [~chris@c-98-232-115-192.hsd1.wa.comcast.net] has joined ##openvpn
20:06 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Leaving]
20:07 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
20:26 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
20:28 < Cisien> is there an option to specify the ifconfig command to use?
20:39 < Cisien> hmm
20:39 < Cisien> Thu Aug 26 18:38:47 2010 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:7: ifconfig (2.1.1)
20:40 < Cisien> what would be causing this?
20:40 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
20:41 < theDoc> Does it connect fine and does it work the way you want it to? If it does, it's fine ;p
20:42 < Cisien> yeah, it connects, but the problem is assigning an ip
20:42 < Cisien> can an ip be assigned directly to a tap device?
20:43 < theDoc> Pastebin your config? :)
20:43 < Cisien> http://98.232.115.192/client.conf
20:44 < Cisien> client is an android phone :)
20:45 < theDoc> Cisien> server config please.
20:45 < Cisien> http://98.232.115.192/server.conf
20:46 < theDoc> Cisien> No clue man, not sure why it's throwing up an ifconfig error. :|
20:47 < Cisien> hrm.
20:47 < Cisien> does it use the system's ifconfig command?
20:50 < Cisien> using ifconfig to set the address manually worked...
20:52 < Cisien> is there a way to have the system's ifconfig utility set the ip addresses?
21:04 < Cisien> how does this work: --ifconfig-noexec
21:04 < Cisien>     Don't actually execute ifconfig/netsh commands, instead pass --ifconfig parameters to scripts using environmental variables. 
21:07 -!- hacim [~micah@debian/developer/micah] has left ##openvpn []
21:14 < Cisien> holy crap ...
21:14 < Cisien> ifconfig 1.42 (2001-04-13)
21:14 < Cisien> and ya wonder why it's yelling at me
21:15 < Cisien> wait... i'm retarded...
22:07 < Cisien> it appears it's a bad openwrt executable causing my headaches
22:07 < Cisien> openvpn
22:09 < Cisien> and that was it.
22:10 < theDoc> Hmm.
22:16 -!- Cisien [~chris@c-98-232-115-192.hsd1.wa.comcast.net] has quit [Read error: Connection reset by peer]
22:23 -!- Cisien [Cisien@c-98-232-115-192.hsd1.wa.comcast.net] has joined ##openvpn
22:24 < Cisien> well, it's not giving the alert anymore, but still isn't working.
22:25 < theDoc> What still isn't working?
22:25 < Cisien> connectivity over the tunnel
22:26 < theDoc> Cisien> How do you know that it's not working?
22:26 < Cisien> pinging ips
22:27 < Cisien> from vpn server -> client ip addr, and client ipaddr -> vpn server
22:27 < theDoc> 1) firewall dropping packets?
22:27 < theDoc> 2) There's a config option to prevent clients in the vpn subnet from communicating with each other
22:28 < theDoc> 3) Are you routing to subnets behind the vpn server?
22:28 < Cisien> it's setup for a tap, which is bridged to my 'lan' bridge
22:28 < ecrist> blah blah blah. :)
22:29 < theDoc> ecrist> o/
22:29 < ecrist> dhcp-option doesn't work on most/all/almost-any system
22:29 < ecrist> theDoc: o/
22:29 < theDoc> Cisien> You really just need to answer the above 3.
22:35 < Cisien> 1) from what i can see, no. 2) client->server communication, so n/a 3) tap tunnel, bridged to the 'lan' bridge, so n/a
22:36 < theDoc> Cisien> If they're all in the same vpn pool, I'm guessing that it's most likely a firewall issue. Try tcpdumping the target host and see if you're getting hit by icmp packets.
22:37 < Cisien> arp packets from the broadcast addr when i attempt to ping
22:38 < Cisien> from the tun0 device
22:39 < theDoc> Strange, you're seeing that from the target computer
22:39 < theDoc> ?
22:39 < Cisien> who has 192.168.1.1 tell 192.168.1.255
22:40 < Cisien> not sure where it's coming from
22:40 < Cisien> I see arp request for my phone's wan ip, too
22:40 < Cisien> who has 192.168.1.1 tell ...myvzw.com
22:42 < theDoc> 192.168.1.1 is an rfc-1918 address and should never appear on the wan. :o
22:42 < theDoc> What ips are your devices having?
22:42 < Cisien> 192.168.1.1 is my router's bridge address, and 192.168.1.151 is the ip the phone's tap0 was assigned
22:43 < theDoc> brb, meeting.
22:43 < theDoc> One sec.
22:44 < Cisien> i see a lot of outbound traffic on the phone, but nothing coming back
22:45 < Cisien> am i missing some kinda arp relay?
22:45 < Cisien> saw some multicast packets form 192.168.1.1
23:09 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:48 -!- Cisien [Cisien@c-98-232-115-192.hsd1.wa.comcast.net] has quit [Ping timeout: 276 seconds]
23:52 -!- Cisien [Cisien@c-98-232-115-192.hsd1.wa.comcast.net] has joined ##openvpn
23:59 -!- Cisien [Cisien@c-98-232-115-192.hsd1.wa.comcast.net] has quit [Ping timeout: 240 seconds]
--- Day changed Fri Aug 27 2010
00:04 -!- Cisien [Cisien@c-98-232-115-192.hsd1.wa.comcast.net] has joined ##openvpn
00:11 < Cisien> pretty sure there's something blocking arp
00:12 < Cisien> routing tables look fine, firewall looks fine, even according to this: http://www.shorewall.net/OPENVPN.html (all the way at the bottom)
00:12 < vpnHelper> Title: OpenVPN Tunnels and Bridges (at www.shorewall.net)
00:20 -!- Spines [~Steven@24-176-82-169.dhcp.hckr.nc.charter.com] has quit [Ping timeout: 245 seconds]
00:21 -!- Spines [~Steven@24-176-82-169.dhcp.hckr.nc.charter.com] has joined ##openvpn
00:41 < theDoc> raidz> I'm around, drop me a message when you're available.
00:57 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
00:59 -!- Spines [~Steven@24-176-82-169.dhcp.hckr.nc.charter.com] has quit [Ping timeout: 265 seconds]
01:00 -!- Spines [~Steven@24-176-82-169.dhcp.hckr.nc.charter.com] has joined ##openvpn
01:35 -!- SOG [~SOG@61.144.230.241] has quit [Remote host closed the connection]
01:42 -!- SOG [~SOG@n1164869195.netvigator.com] has joined ##openvpn
01:47 -!- SOG [~SOG@n1164869195.netvigator.com] has quit [Ping timeout: 265 seconds]
02:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:12 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Read error: Operation timed out]
02:29 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
02:37 -!- dazo_afk is now known as dazo
03:07 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
03:46 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 265 seconds]
03:46 -!- hjjg [hjjg@cl-518.cgn-01.de.sixxs.net] has joined ##openvpn
03:46 < hjjg> hi
03:46 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Read error: Operation timed out]
03:46 -!- jetole [~Joe@irc.fossl.net] has quit [Ping timeout: 252 seconds]
03:47 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:47 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined ##openvpn
03:47 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
03:48 -!- jetole [~Joe@66.165.165.169] has joined ##openvpn
03:48 < hjjg> I want to build a new PKI with pkitool from easy-rsa 2.0. why is there no way to secure the key within the pkcs12-file?
03:48 -!- RedT0mt0m [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has quit [Ping timeout: 255 seconds]
03:49 < hjjg> or am I too paranoid.
03:50 -!- ike [ike@unaffiliated/ike] has quit [Ping timeout: 260 seconds]
03:52 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
03:52 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:57 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
04:06 -!- RedT0mt0m [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has joined ##openvpn
04:07 -!- jetole [~Joe@66.165.165.169] has quit [Ping timeout: 252 seconds]
04:08 <@dazo> hjjg: if you use the build-p12 script (which uses pkitool) ... then you'll get asked for a password for the .p12 file ... and that password is used to encrypt certificates and keys, afaik
04:08 -!- jetole [~Joe@irc.fossl.net] has joined ##openvpn
04:08 <@dazo> hjjg: sorry ... build-key-pkcs12 ... I mixed it
04:14 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
04:15 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
04:21 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:23 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Leaving]
04:55 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
05:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
05:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:46 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
05:54 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
06:01 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
06:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
06:41 -!- Cain` [~Geek@unaffiliated/cain] has joined ##openvpn
06:42 -!- Cain [~Geek@unaffiliated/cain] has quit [Read error: Operation timed out]
06:42 -!- Cain` is now known as Cain
06:56 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:06 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
07:22 < hyper_ch> hmmm, tvrage has an api
07:22 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
07:26 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Client Quit]
07:31 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
07:31 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Client Quit]
07:32 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
07:32 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Client Quit]
07:34 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
07:35 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Client Quit]
07:36 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
07:36 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Remote host closed the connection]
07:37 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
07:37 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Client Quit]
07:41 -!- JPeterso2 [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
07:42 -!- JPeterso2 [~JPeterson@c213-100-62-9.swipnet.se] has quit [Client Quit]
07:47 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
07:58 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
07:58 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Remote host closed the connection]
07:59 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
07:59 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Client Quit]
07:59 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
07:59 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Client Quit]
08:21 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
08:27 < vpnHelper> RSS Update - forum: Off Topic, Related :: Re: OpenVPN client :: Reply by simon <https://forums.openvpn.net/viewtopic.php?f=1&t=7038&p=7674#p7674>
08:32 < vpnHelper> RSS Update - forum: Configuration :: Losing route to LAN :: Author Caesar <https://forums.openvpn.net/viewtopic.php?f=6&t=7045&p=7671#p7671> || Configuration :: Re: Unable to access servers on vpn network. :: Reply by mnickerson <https://forums.openvpn.net/viewtopic.php?f=6&t=7044&p=7672#p7672> || Configuration :: Re: Unable to access servers on vpn network. :: Reply by mnickerson <https://forums.openvpn.net/viewtopic.php?f=6&t=7044
08:39 < vpnHelper> RSS Update - forum: Off Topic, Related :: Re: OpenVPN client :: Reply by ecrist <https://forums.openvpn.net/viewtopic.php?f=1&t=7038&p=7676#p7676>
09:13 -!- buntfalke [~nobody@openvpn-p0-ipv6-1026.triple-a.uni-kl.de] has joined ##openvpn
09:14 -!- buntfalke [~nobody@openvpn-p0-ipv6-1026.triple-a.uni-kl.de] has quit [Changing host]
09:14 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:18 -!- tifflor [~chatzilla@ppp-88-217-23-58.dynamic.mnet-online.de] has joined ##openvpn
09:20 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
09:38 < tifflor> can someone help me to find out why I get this log from the openvpn client: http://pastebin.com/e8W0qWPg despite the fact, that the vpn is connected I can't ping the internal network, anyone some idea why
09:38 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
09:42 < ecrist> tifflor: looks like routes aren't getting added on the windows machine
09:42 < ecrist> are you running openvpn as an administrator?
09:42 < ecrist> line 38 of your pastebin explains exactly what your problem is
09:44 < tifflor> ecrist: wait, I think it not the real problem but one
09:45 < ecrist> well, fix that issue first, and we can work on your other problems.
09:46 < tifflor> ok, fixed, still no ping
09:46 < ecrist> pastebin your log, please
09:51 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
09:58 < tifflor> ecrist: here http://pastebin.com/HHLGXacY
10:06 < ecrist> great, and what IP are you trying to ping?
10:13 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Quit: Yes, Virginia...]
10:19 -!- tifflor [~chatzilla@ppp-88-217-23-58.dynamic.mnet-online.de] has quit [Ping timeout: 240 seconds]
10:41 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
10:53 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
11:10 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:14 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
11:16 < theDoc> raidz> Are you around yet? ;p
11:18 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined ##openvpn
11:34 < vpnHelper> RSS Update - forum: Configuration :: Routing problem with OpenVPN on Linux :: Author AMG <https://forums.openvpn.net/viewtopic.php?f=6&t=7046&p=7677#p7677>
11:39 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has quit [Ping timeout: 265 seconds]
11:42 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has joined ##openvpn
11:49 <@dazo> \o/  http://openvpn.net/index.php/open-source/downloads.html   2.1.3 has finally arrived!
11:49 < vpnHelper> Title: Downloads (at openvpn.net)
11:49 -!- dazo changed the topic of ##openvpn to: OpenVPN 2.1.3 Most Current || 2.2-beta2 Released 17-Aug-2010 || Your problem is your firewall, really. || Type  !welcome  before asking your questions. ||  Web Forum: http://forums.openvpn.net || Developers: #openvpn-devel
11:50 < theDoc> YAY!
11:50 < theDoc> \o/
11:52 < vpnHelper> RSS Update - forum: Installation Help :: Re: Can't get Openvpn 2.1.2 to start :: Reply by Oral Deckard <https://forums.openvpn.net/viewtopic.php?f=5&t=7042&p=7678#p7678>
11:54 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
12:03 < vpnHelper> RSS Update - forum: Configuration :: Re: Unable to access servers on vpn network. :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7044&p=7679#p7679>
12:05 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
12:19 -!- BrixSat [~Cesar@bl18-52-144.dsl.telepac.pt] has joined ##openvpn
12:20 < BrixSat> hello
12:20 < BrixSat> can i implement a openvpn server that alows windows users to connect without extra software? (like pptp
12:20 < |Mike|> nope.
12:20 < |Mike|> !windows
12:20 < vpnHelper> |Mike|: "windows" is pcs are like air conditioners, they work fine unless you open windows
12:20 < |Mike|> lol :p
12:21 < BrixSat> so i would need some kind of software on the client side?
12:21 < BrixSat> openvpn client
12:21 < BrixSat> :(
12:22 < BrixSat> for windows users |Mike| what is the best option? without a extra software
12:24 < Bushmills> openvpn
12:25 < Bushmills> is server or client, determined by config alone
12:25 < BrixSat> but with openvpn i need some extra software
12:26 < BrixSat> and i dont want that
12:26 < Bushmills> no, nothing besides openvpn
12:26 < BrixSat> this is for wifi access, with pptpd they configure vpn and voila internert,  wirh openvpn they would have to download and install openvpn
12:27 < Bushmills> i don't think you mean to say "i want functionality of program x without having program x"
12:27 < Bushmills> you can't, for example, run a pptp tunnel without having pptp
12:28 < Bushmills> !pptp
12:28 < vpnHelper> Bushmills: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml
12:28 < vpnHelper> Bushmills: to read about why to not use pptp
12:28 -!- BrixSat1 [~Cesar@79.143.184.2] has joined ##openvpn
12:29 < BrixSat1> Bushmills:  from what i understood i can have openvpn act as a pptpd server=
12:29 < Bushmills> that's not right
12:29 < BrixSat1> but a windows user would not need the openvpn client?
12:29 < Bushmills> no, a windows user doesn't need openvpn client
12:30 < Bushmills> he only needs it when he wants to connect to an openvpn server
12:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
12:31 < BrixSat1> can you teach me how to make a a openvpn server and allow windows users to connect to it without openvpn client?
12:31 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:31 -!- BrixSat [~Cesar@bl18-52-144.dsl.telepac.pt] has quit [Ping timeout: 260 seconds]
12:31 < Bushmills> yes. easy: they can't
12:32 < BrixSat1> :(
12:32 < BrixSat1> can openvpn lease static ips to the same mac?
12:33 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
12:33 < BrixSat1> the server has public ip and the clients have dynamic ips from isp's
12:33 < Bushmills> rephrase
12:34 < BrixSat1> i have a vps with a public ip, and my clients (usualy routers) have dynamic ip
12:34 < BrixSat1> i would like to know if openvpn can give always the same ip to a certain mac
12:35 < Bushmills> openvpn gives them an additional interface, with an ip address the server/the server config determines. dynamic or static, your choice
12:35 < BrixSat1> nice
12:35 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:35 < BrixSat1> do you know if pptpd can do that?
12:35 < Bushmills> no idea
12:35 < BrixSat1> ok thanks :) for your time 
12:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
12:36 < Bushmills> np
12:37 < BrixSat1> i may not choose openvpn cause my mikrotik routers do not have the openvpn client, only ipsec, pptp lp2t
12:37 < Bushmills> !ipsec
12:37 < vpnHelper> Bushmills: Error: "ipsec" is not a valid command.
12:39 -!- katoen [e38f4c5ed4@xs8.xs4all.nl] has joined ##openvpn
12:42 -!- BrixSat1 [~Cesar@79.143.184.2] has quit [Ping timeout: 276 seconds]
12:42 < katoen> hello #openvpn, i realize i might have to ask this in #dd-wrt, but it's pretty much openvpn related as well, so here goes. I have dd-wrt run as a openvpn client. From another client, i would like to access a host which is connected to one of the router's LAN ports. Should i be tinkering with openvpn or the router's routing table?
12:44 < fr00d> Hello!
12:45 < fr00d> I'd like to use one of my openvpn clients as a gateway what do I need to add to my routing table to get this work?
12:45 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Quit:  Try HydraIRC -> http://www.hydrairc.com <-]
12:46 < fr00d> sudo ip route add 10.10.10.0/24 via 192.168.111.55 This is what I tried but I'm getting the error RTNETLINK answers: No such process. What's wrong?
12:46 < fr00d> katoen: Maybe we have nearly the same problem. ;)
12:47 -!- BrixSat [~Cesar@bl18-52-144.dsl.telepac.pt] has joined ##openvpn
12:48 < katoen> fr00d: wow indeed :-) that should double our chances of getting the answer
12:48 < BrixSat> sorry my isp is crazy today
12:49 < fr00d> Maybe, but if no one is in here who can answer these question?
12:49 < fr00d> +s
12:49 < katoen> fr00d: i tried "route add -host 192.168.170.202 gw 10.8.0.82 dev tun0" but no love
12:50 < fr00d> Me too. That was what I tried before ip route. But then I read on the net that ip route has the more readable error messages.
12:50 < fr00d> But I can not share this opinion with the poster...
12:51 < katoen> i figured that the router's iptables config will only allow to forward packages coming from the LAN -> WAN, not LAN <-> (V)LAN (openvpn)
12:51 < katoen> got a link?
12:53 < BrixSat> where can i get a nice tutorial to ser up openvpn server?
12:54 < katoen> BrixSat: i thought the tutorial on openvpn's website was pretty straight forward
12:54 < BrixSat> katoen: i did not see it, sorry (i seem a newbie)
12:55 < fr00d> BrixSat: http://www.openvpn.net/index.php/open-source/documentation/howto.html
12:55 < vpnHelper> Title: HOWTO (at www.openvpn.net)
12:55 < fr00d> But everything is really good explained at the example config files.
12:56 < BrixSat> :) thanks
13:03 < katoen> fr00d: i think the message "No such process" comes from the fact that 192.168.111.55 is not the local IP on your host, but probably on the remote end
13:04 < katoen> you should try the IP which is configured at the host you're working on
13:06 -!- Meliorator [m@dunnington.eu] has quit [Ping timeout: 276 seconds]
13:07 < fr00d> But how should my localhost know the net 10.10.10.0/24 to route to that net?
13:07 < fr00d> I think the problem is that there's a tunnel: 192.168.111.0 dev tun0  proto kernel  scope link  src 192.168.111.23 and a separate net routing: 192.168.111.0/24 via 192.168.111.0 dev tun0
13:07 -!- Meliorator [m@dunnington.eu] has joined ##openvpn
13:15 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 264 seconds]
13:15 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
13:20 < Bushmills> !redirect
13:20 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:20 < Bushmills> ^^^ frood
13:20 < Bushmills> !howto
13:20 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:20 < Bushmills> ^^^ BrixSat
13:21 < fr00d> Bushmills: But it's not the server where the net I want to reach is behind. It's one of the clients.
13:22 < Bushmills> so your traffic goes from client1 -> server -> client2 -> internet  and back?
13:25 < fr00d> client 1 -> server -> client 2 -> intranet yes.
13:25 < Bushmills> can client 1 ping client 2?
13:25 < fr00d> yes.
13:25 < fr00d> I have a client-to-client vpn.
13:25 < fr00d> maybe I need to nat on client 2.
13:26 < Bushmills> client 2 needs to to NAT and ip forwarding.  client 1 needs a default route with client 2 as gateway.  
13:26 < fr00d> why a default route?
13:26 < fr00d> Can't I just use a route for this single net?
13:27 < Bushmills> a default route is a route to a single net
13:27 < fr00d> I only need to reach the intRAnet net not intERnet through this client.
13:27 < Bushmills> just, it is "all ip addresses"
13:27 < reiffert> hi fr00d :)
13:27 < Bushmills> oh. misread
13:27 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
13:28 < fr00d> So there's the problem. ;)
13:29 < katoen> (and it so happens that i'm facing a very similar situation, except the client2 here is a dd-wrt box)
13:29 < Bushmills> you'd need a route on client1, with client2 as gateway to your destination host, and a route on client 2 for return traffic
13:29 < Bushmills> also, ip forwarding on client 2
13:30 < Bushmills> ehm. route on client 2 not needed. you have one already
13:31 < katoen> Bushmills: but how would client2 know where to send the packets back at, if the source IP is not anything its connected with? oh right, it has a default gw...
13:31 < fr00d> No, this does not work, because I can't add client2 as router on client1.
13:31 < Bushmills> client 2 can ping client 1.  along the same route
13:32 < fr00d> Maybe it's easier to setup a tunnel in tunnel setup.
13:36 < katoen> i'm trying to reach a host with IP "192.168.170.202". I entered the following routing rule where "10.8.0.34" is the local IP of tun0
13:37 < katoen> netstat -rn shows me
13:37 < katoen> 192.168.170.202 10.8.0.34       255.255.255.255 UGH       0 0          0 tun0
13:38 < katoen> ip_forward is active so i figured i should be able to ping 192.168.170.202
13:38 < Bushmills> katoen: and the route back to the echo requesting machine? where do the replies go to?
13:40 < katoen> hmm, they (should?) pass yet another router (192.168.58.1)
13:40 < katoen> nah they should come back through the tunnel
13:41 < Bushmills> try a traceroute on 192.168.170.202 to the ip address of your requesting machine
13:41 < Bushmills> that'd be the same route the echo replies would take
13:41 < katoen> the thing is, 192.168.170.202 is a network security camera :/
13:41 < BrixSat> how can i debug an open vpn server?
13:41 < katoen> i don't have another host on that network to work on
13:43 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Read error: Connection reset by peer]
13:43 < Bushmills> 10.8.0.34 supposedly also have an interface with an ip address in the 192.168.170.0 net
13:45 < katoen> no, 10.8.0.34 is my workstation. the host 192.168.170.202 is behind a different internet connection.
13:45 < katoen> i told route to pass through 10.8.0.34 dev tun0 since it is a p-t-p connection. Am i wrong here?
13:45 < Bushmills> then traceroute to requesting machine from the gateway to  192.168.170.202 
13:46 < katoen> if i would do "route add -host 192.168.170.202 gw 10.8.0.82 dev tun" i would the a error "no such process"
13:47 < Bushmills> i suppose the machine where you tried to add that route doesn't know how to reach 10.8.0.82
13:48 < katoen> i tried to add the route on my workstation. It can ping the other client with IP 10.8.0.82 just fine. 
13:48 < Bushmills> the camera is connected to your workstation?
13:49 < katoen> no, the camera is connected to a linksys router. the linksys router is another openvpn client.
13:49 < Bushmills> (20:45:59) Bushmills: then traceroute to requesting machine from the gateway to  192.168.170.202
13:49 < Bushmills> doesn't mean, that it isn't great that you can ping your client from machine which has nothing to do with it
13:51 < katoen> i understand correct that i should run traceroute from the dd-wrt shell to "192.168.170.202"?
13:52 < katoen> which seems to just time-out
13:52 < vpnHelper> RSS Update - forum: Installation Help :: Re: TAP Driver Install Problem in 2.1.2 - KNOWN ISSUE :: Reply by ecrist <https://forums.openvpn.net/viewtopic.php?f=5&t=7035&p=7680#p7680> || Installation Help :: Re: Can't get Openvpn 2.1.2 to start :: Reply by ecrist <https://forums.openvpn.net/viewtopic.php?f=5&t=7042&p=7681#p7681>
13:52 < Bushmills> no idea what and where your dd-wrt is now. i heard about desktop, dd-wrt, camera, and " host 192.168.170.202 is behind a different internet connection."
13:53 < katoen> :P 
13:53 < Bushmills> as camera is connected to a gateway, you an supposedly traceroute from there
13:53 < Bushmills> whether it is your desktop, your dd-wrt, or an entirely different machine doesn't really make a huge difference
13:56 < kisom> Hey, i'm not drunk!
13:56 < kisom> and its friday night
13:56 < kisom> amazing
13:57 < katoen> the two openvpn clients can talk to eachother. I would like to access another host behind 1 client.
13:57 < Bushmills> everybody needs something to be proud of, from time to time
13:57 < kisom> thats not all, been to the gym too!
13:57 < vpnHelper> RSS Update - forum: Off Topic, Related :: Re: OpenVPN client :: Reply by Andrew <https://forums.openvpn.net/viewtopic.php?f=1&t=7038&p=7682#p7682>
13:59 -!- dazo is now known as dazo_afk
13:59 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
14:08 < vpnHelper> RSS Update - forum: Wishlist :: Re: Compiling OpenVPN v2.1.2 with enable-password-save optio :: Reply by Andrew <https://forums.openvpn.net/viewtopic.php?f=10&t=7023&p=7683#p7683>
14:11 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined ##openvpn
14:12 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Client Quit]
14:23 < fr00d> Maybe routing through another client was much to complex to reach one single client behind. ssh tunnel works great! :D
14:23 < ecrist> !route
14:23 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:29 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has quit [Ping timeout: 246 seconds]
14:33 -!- RedT0mt0m [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has quit [Read error: Connection reset by peer]
14:34 -!- RedT0mt0m [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has joined ##openvpn
14:49 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined ##openvpn
14:51 < vpnHelper> RSS Update - forum: Installation Help :: Re: Can't get Openvpn 2.1.2 to start :: Reply by Oral Deckard <https://forums.openvpn.net/viewtopic.php?f=5&t=7042&p=7684#p7684>
14:53 -!- buntfalke_ is now known as buntfalke
14:56 -!- BrixSat1 [~Cesar@bl18-52-144.dsl.telepac.pt] has joined ##openvpn
15:00 -!- BrixSat [~Cesar@bl18-52-144.dsl.telepac.pt] has quit [Ping timeout: 264 seconds]
15:02 < BrixSat1> where do i create users able to connect to  openvpn?
15:02 < vpnHelper> RSS Update - forum: Installation Help :: Re: Can't get Openvpn 2.1.2 to start :: Reply by ecrist <https://forums.openvpn.net/viewtopic.php?f=5&t=7042&p=7685#p7685>
15:02 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: Leaving]
15:25 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has joined ##openvpn
15:26 -!- BrixSat [~Cesar@bl18-52-144.dsl.telepac.pt] has joined ##openvpn
15:29 -!- BrixSat1 [~Cesar@bl18-52-144.dsl.telepac.pt] has quit [Ping timeout: 245 seconds]
15:39 -!- dextone [dextone@fedora/dextone] has joined ##openvpn
15:40 < dextone> !welcome
15:40 < vpnHelper> dextone: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:41 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
15:42 < dextone> Hi all, it seems the changelog page needs to update http://openvpn.net/changelog-beta.html
15:42 < dextone> its still 2010.08.09 -- Version 2.1.2
15:44 < BrixSat> how can i define that openvpn will use  system users to login in openvpn?
15:46 -!- Cain [~Geek@unaffiliated/cain] has quit [Read error: Connection reset by peer]
15:48 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
16:55 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has quit [Ping timeout: 264 seconds]
17:00 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Read error: Connection reset by peer]
17:05 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
17:24 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
17:30 < jetole> Hey guys. I am getting auth failed errors on new certs I create however I have been using this server for a long time and it seems only new certs are causing this issue. I compared the md5 check sums of the ca.crt, dh1024.pem, ta.key from the ones on the server and the ones on a known working client and I have about a dozen known working clients on this openvpn server at the moment, I took one of them and replaced the crt and key files though with new ...
17:30 < jetole> ... ones from a new CN and now I am getting this error.
17:30 < jetole> Does anyone know where I can look and what may cause it?
17:31 -!- tifflor_ [~chatzilla@ppp-88-217-23-58.dynamic.mnet-online.de] has joined ##openvpn
17:35 -!- tifflor_ is now known as tifflor
17:38 -!- Rolybrau [~Rolybrau@229-181.3-85.cust.bluewin.ch] has joined ##openvpn
17:39 -!- Rolybrau [~Rolybrau@229-181.3-85.cust.bluewin.ch] has quit [Changing host]
17:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
17:40 < BrixSat> im on windows and when i connect on the openvpn client nothing happens :S
17:46 < |Mike|> !logs
17:46 < vpnHelper> |Mike|: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
17:55 < jetole> ah I found my issue. I require a ccd and forgot to set one up for this new user
18:11 -!- miris [~Miris@217-112-164-88.cust.avonet.cz] has joined ##openvpn
18:13 < miris> Hello guys. Could anyone give me a hint on how I could make my printer work over VPN? I am using a Samsung printer. The administration should be accessible on port 631 but I cannot even ping the printer over VPN.
18:15 < ecrist> miris: start by being able to ping the printer.
18:15 < ecrist> :)
18:16 < |Mike|> i wonder if his printer is using the vpn :)
18:16 < miris> ecrist: That would definitely by nice. :-) I can ping it from the local router (on the printer's subnet) but I am failing to ping it over VPN. So I assume it must be an iptables issue.
18:18 < miris> I am not sure whether questions related to iptables could be asked here as well even though it is not 100 % VPN thing.
18:18  * |Mike| doubts it :p
18:19 -!- tifflor [~chatzilla@ppp-88-217-23-58.dynamic.mnet-online.de] has quit [Read error: Connection reset by peer]
18:19 -!- tifflor [~chatzilla@ppp-88-217-23-58.dynamic.mnet-online.de] has joined ##openvpn
18:19 < miris> Well, Samsung is running its gui on the port 631. Maybe that could be it? I allowed incoming connections on port 631 but that solved nothing.
18:25 < ecrist> miris: ping has nothing to do with port 631
18:25 < ecrist> !route
18:25 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:25 < ecrist> read that
18:26 < miris> I am actually routing already. Every other machine on the network can be pinged BUT the printer.
18:28 < miris> ecrist, that is the document I started with while writing my config files. I am using route and push in the configs in the meantime.
18:30 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
18:34 -!- BrixSat1 [~Cesar@79.143.184.2] has joined ##openvpn
18:35 -!- BrixSat2 [~Cesar@bl18-52-144.dsl.telepac.pt] has joined ##openvpn
18:36 -!- BrixSat [~Cesar@bl18-52-144.dsl.telepac.pt] has quit [Ping timeout: 276 seconds]
18:37 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined ##openvpn
18:37 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has joined ##openvpn
18:39 -!- BrixSat1 [~Cesar@79.143.184.2] has quit [Ping timeout: 264 seconds]
18:41 -!- BrixSat [~Cesar@79.143.184.2] has joined ##openvpn
18:42 -!- BrixSat2 [~Cesar@bl18-52-144.dsl.telepac.pt] has quit [Ping timeout: 240 seconds]
18:46 -!- BrixSat1 [~Cesar@bl18-52-144.dsl.telepac.pt] has joined ##openvpn
18:50 -!- BrixSat [~Cesar@79.143.184.2] has quit [Ping timeout: 260 seconds]
18:52 -!- miris [~Miris@217-112-164-88.cust.avonet.cz] has left ##openvpn []
18:53 -!- BrixSat1 [~Cesar@bl18-52-144.dsl.telepac.pt] has quit [Ping timeout: 240 seconds]
18:53 -!- BrixSat [~Cesar@bl18-52-144.dsl.telepac.pt] has joined ##openvpn
19:12 -!- Cain [~Geek@unaffiliated/cain] has quit [Read error: Connection reset by peer]
19:15 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
19:19 < vpnHelper> RSS Update - forum: Configuration :: Routing problem with OpenVPN on Linux :: Author AMG <https://forums.openvpn.net/viewtopic.php?f=6&t=7046&p=7677#p7677>
19:40 -!- BrixSat [~Cesar@bl18-52-144.dsl.telepac.pt] has quit [Ping timeout: 245 seconds]
19:45 -!- manevra [manevra@94.100.17.38] has joined ##openvpn
19:50 -!- manevra [manevra@94.100.17.38] has quit [Quit: Leaving]
19:52 -!- BrixSat [~Cesar@bl18-52-144.dsl.telepac.pt] has joined ##openvpn
19:56 -!- BrixSat [~Cesar@bl18-52-144.dsl.telepac.pt] has quit [Ping timeout: 240 seconds]
19:58 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
20:04 -!- BrixSat [~Cesar@bl18-52-144.dsl.telepac.pt] has joined ##openvpn
20:04 -!- BrixSat [~Cesar@bl18-52-144.dsl.telepac.pt] has left ##openvpn []
20:05 -!- pmatulis [~peter@mail.papamike.ca] has joined ##openvpn
20:06 < pmatulis> i have used ovpn between linux clients and a linux gateway.  i would now like to set up a winxp client.  how do i do this?  can i use the same client.conf?
20:07 < ecrist> yep, same client.conf
20:07 < ecrist> just need the windows openvpn binary
20:08 -!- tifflor [~chatzilla@ppp-88-217-23-58.dynamic.mnet-online.de] has quit [Ping timeout: 276 seconds]
20:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
20:13 -!- Squidy_at_Home [~quassel@189.73.211.71] has joined ##openvpn
20:13 < Squidy_at_Home> hello..
20:13 < Squidy_at_Home> Does OpenVPN support windows client with Active Directory authentication?
20:27 < ecrist> Squidy_at_Home: what do you mean?
20:27 < ecrist> !lda
20:27 < vpnHelper> ecrist: Error: "lda" is not a valid command.
20:27 < ecrist> !ldap
20:27 < vpnHelper> ecrist: Error: "ldap" is not a valid command.
20:28 < Squidy_at_Home> ecrist: I want to set up a VPN server authenticating clients in Active Directory..
20:28 < Squidy_at_Home> Clients will run windows xp/7
20:29 < Squidy_at_Home> Is it possible?
20:30 < ecrist> yes
20:30 < ecrist> you just need to setup some sort of authentication plugin on the server
20:32 < Squidy_at_Home> ecrist: is there a documentation about that?
20:32 < pmatulis> ecrist: ty
20:33 < ecrist> http://www.google.com/url?sa=t&source=web&cd=1&ved=0CBYQFjAA&url=http%3A%2F%2Fcode.google.com%2Fp%2Fopenvpn-auth-ldap%2F&ei=RWd4TKW_I479ngeXtJydCw&usg=AFQjCNEC7lUkrnNUtsiaOx3STegJEjC1Bw
20:33 < vpnHelper> Title: openvpn-auth-ldap - Project Hosting on Google Code (at www.google.com)
20:33 < ecrist> that's a starter, Squidy_at_Home 
20:33 < ecrist> http://www.google.com/url?sa=t&source=web&cd=4&ved=0CC0QFjAD&url=http%3A%2F%2Fopenvpn.net%2Farchive%2Fopenvpn-users%2F2006-08%2Fmsg00158.html&ei=RWd4TKW_I479ngeXtJydCw&usg=AFQjCNEO61MevnrZf2dPhG-wKUZmNCZieg
20:33 < vpnHelper> Title: [Openvpn-users] Active Directory LDAP Authentication for OpenVPN (at www.google.com)
20:33 < Squidy_at_Home> ecrist: thank you
20:36 < vpnHelper> RSS Update - forum: Configuration :: Connect Success - now what :: Author BiloxiBoy <https://forums.openvpn.net/viewtopic.php?f=6&t=7047&p=7686#p7686>
20:42 < vpnHelper> RSS Update - forum: Wishlist :: Re: Compiling OpenVPN v2.1.2 with enable-password-save optio :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=10&t=7023&p=7687#p7687>
21:03 < Splex> is there any particular reason for 'status' file to be in /tmp?
21:35 -!- Squidy_at_Home [~quassel@189.73.211.71] has quit [Remote host closed the connection]
21:37 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
21:42 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
22:05 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
22:18 < vpnHelper> RSS Update - forum: Configuration :: Re: Connect Success - now what :: Reply by BiloxiBoy <https://forums.openvpn.net/viewtopic.php?f=6&t=7047&p=7688#p7688>
22:29 -!- sparc-kly [~mubex@adsl-72-50-101-214.prtc.net] has joined ##openvpn
22:36 < pmatulis> yay, got a winxp client to connect to my openvpn linux machine
22:56 -!- pmatulis [~peter@mail.papamike.ca] has quit [Quit: leaving]
23:28 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Leaving]
23:32 -!- Spines [~Steven@24-176-82-169.dhcp.hckr.nc.charter.com] has quit [Quit: Leaving]
23:42 -!- pcard [~pc@unaffiliated/jl-picard] has joined ##openvpn
23:42 -!- szr [~SR@unaffiliated/szr] has joined ##openvpn
23:43 < pcard> hi, got a quick question I can't seem to find the answer to in the documentation, openvpn.net, nor general google searching
23:44 < pcard> does `openvpn --mktun --dev tap0` need to be in the init script (ie, does it need to be run everytime on boot, or is it a one time deal?
23:53 -!- SOG [~SOG@n1164869195.netvigator.com] has joined ##openvpn
--- Day changed Sat Aug 28 2010
00:14 < Bushmills> that's what openvpn has config files for
00:30 < reiffert> moin
00:30 < Bushmills> jo grias di
00:31 < reiffert> wo schausten du Fuba nachher?
00:31 < Bushmills> noch nix geplant
00:32 < Bushmills> gegen die radkappen
00:32 < reiffert> bist in Woe?
00:32 < Bushmills> jo
00:35 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
00:36 < Bushmills> außer müller und simak wieder komplett 
00:37 < Bushmills> wobei bei letzterem selbst das fraglich ist, evtl könnt er sogar auch
00:38 < reiffert> vorsicht, wenn wir zu optimistisch ins Spiel sind "was fuers torverhaeltnis tun", ging das oft in die Hose..
00:39 -!- cartes [cartes@116.193.170.2] has left ##openvpn []
00:48 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has quit [Ping timeout: 272 seconds]
01:05 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
01:05 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined ##openvpn
01:53 -!- payam_ [~payam@109.109.44.59] has joined ##openvpn
01:54 -!- payam_ [~payam@109.109.44.59] has left ##openvpn []
01:54 -!- payam_ [~payam@109.109.44.59] has joined ##openvpn
01:54 < payam_> hi. i have a problem in configuring openvpn
01:54 < payam_> can anybody help me?
01:58 < Bushmills> how should anybody know whether they can?
01:58 < Bushmills> i suppose the safe answer is to say "no"
02:00 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
02:02 -!- Raccoon` [~bismuth@71-222-220-59.albq.qwest.net] has joined ##openvpn
02:06 -!- Raccoon` [~bismuth@71-222-220-59.albq.qwest.net] has quit [Ping timeout: 265 seconds]
02:24 -!- payam_ [~payam@109.109.44.59] has left ##openvpn []
02:39 -!- sparc-kly [~mubex@adsl-72-50-101-214.prtc.net] has quit [Ping timeout: 276 seconds]
02:52 -!- sparc-kly [~mubex@adsl-64-237-249-253.prtc.net] has joined ##openvpn
02:55 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
03:01 -!- sparc-kly [~mubex@adsl-64-237-249-253.prtc.net] has quit [Ping timeout: 240 seconds]
03:15 -!- sparc-kly [~mubex@adsl-72-50-105-234.prtc.net] has joined ##openvpn
03:22 -!- sparc-kly [~mubex@adsl-72-50-105-234.prtc.net] has quit [Ping timeout: 252 seconds]
03:35 -!- sparc-kly [~mubex@adsl-64-237-249-236.prtc.net] has joined ##openvpn
03:37 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
04:04 -!- sparc-kly [~mubex@adsl-64-237-249-236.prtc.net] has quit [Ping timeout: 255 seconds]
04:11 -!- m0hm0h [m0hm0h@kapsi.fi] has joined ##openvpn
04:16 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
04:18 -!- sparc-kly [~mubex@adsl-64-237-249-236.prtc.net] has joined ##openvpn
04:35 < Splex> is there a way to define different cert files for alternate servers in a config file?
04:35 < Splex> for a client config file
04:40 < hyper_ch> make a different client config file
04:40 < hyper_ch> and use that then
04:40 < Splex> i want to have the connection use a backup server if the server is down
04:41 < hyper_ch> write a bash script to run throught those configs
04:41 < hyper_ch> start one, check if it's working, if not use the second config etc.
04:42 < Splex> actually, i just saw in the man page there is 'client connection profile' to group options for a given server.
04:43 < Splex> <connection>
04:43 < hyper_ch> good :)
04:43 < Splex> im loving openvpn
04:43 < Splex> btw, thanks for your suggestion
04:44 < Splex> useful for something that doesn't have such support integrated
04:44  * hyper_ch loves shell scripts
04:44 < Splex> they are great
04:45 < hyper_ch> and I still know way too little about shell scripting
04:45 < Splex> still have much to learn though..  like how to use some of the commonly used utils like awk, etc
04:45 < Splex> do you use vim?
04:45 < hyper_ch> however I discovered the beauty of multi-threading :)
04:45 < hyper_ch> nano or kate usually
04:45 < hyper_ch> vim is way too complicated for my simple brain
04:45 -!- sparc-kly [~mubex@adsl-64-237-249-236.prtc.net] has quit [Ping timeout: 276 seconds]
04:45 < Splex> my gf has no problem with it :)
04:46 < Splex> had her go through vimtutor
04:46 < |Mike|> gf, ##openvpn ? ehhhhhhhhh
04:46 < Splex> lol
04:46 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has left ##openvpn []
04:47 < Splex> run the command 'vimtutor' after installing vim, very simple and effective
04:48 < hyper_ch> nano and kate server my needs
04:57 -!- sparc-kly [~mubex@adsl-72-50-106-24.prtc.net] has joined ##openvpn
05:03 -!- sparc-kly [~mubex@adsl-72-50-106-24.prtc.net] has quit [Ping timeout: 272 seconds]
05:13 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Leaving]
05:15 -!- sparc-kly [~mubex@adsl-64-237-246-139.prtc.net] has joined ##openvpn
06:12 -!- sparc-kly [~mubex@adsl-64-237-246-139.prtc.net] has quit [Ping timeout: 245 seconds]
06:26 -!- sparc-kly [~mubex@adsl-64-237-246-139.prtc.net] has joined ##openvpn
06:47 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:47 -!- sparc-kly [~mubex@adsl-64-237-246-139.prtc.net] has quit [Ping timeout: 240 seconds]
07:01 -!- sparc-kly [~mubex@67.224.244.232] has joined ##openvpn
07:01 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Ping timeout: 276 seconds]
07:08 -!- sparc-kly [~mubex@67.224.244.232] has quit [Ping timeout: 258 seconds]
07:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
07:23 -!- sparc-kly [~mubex@adsl-72-50-96-153.prtc.net] has joined ##openvpn
07:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:42 -!- vatts [bouncer@unaffiliated/vatts] has joined ##openvpn
07:42 < vatts> !welcome
07:42 < vpnHelper> vatts: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:43 < vatts> *doh*
07:43 < vatts> tho i'm old here, i'm wondering something - anyone here got a deal with PFSense as CLIENT?
07:45 < vatts> !goal
07:45 < vatts> rofl
07:45 < vpnHelper> vatts: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:45 < vatts> well.. how to set up PFSense's openvpn packadge so i connect to a server somewhere on the internet
07:45 < vatts> :)
08:20 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
08:21 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
08:47 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
08:48 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
08:57 < Splex> i have multiple servers as part of my vpn..  if i want to use the same CA for all servers, do i just use one dh.pem file for all the servers?
08:59 < |Mike|> !ca
08:59 < vpnHelper> |Mike|: Error: "ca" is not a valid command.
09:03 < vatts> *sights around*
09:03 < vatts> ping?
09:17 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
09:39 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 252 seconds]
09:40 -!- ghostknife [~quintin@iburst-41-213-93-138.iburst.co.za] has joined ##openvpn
09:41 < ghostknife> Is it possible to do cert+username/password authentication ?
09:43 < ghostknife> !welcome
09:43 < vpnHelper> ghostknife: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:43 < ghostknife> !iporder
09:43 < vpnHelper> ghostknife: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
09:50 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
09:51 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
10:01 < kisom> !static
10:01 < vpnHelper> kisom: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
10:05 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
10:06 < vatts> *slaps ##openvpn*
10:24 < kisom> vatts: needed help?
10:25 < kisom> vatts: openvpn does not come with a "server" and "client" version, its the same code for both
10:25 < kisom> just use the same binary with a client config file
10:25 < vatts> whats .csr file for?
10:26 < kisom> certificate signing request, you may ignore those files
10:26 < vatts> aha
10:26 < vatts> thx
10:26 < theDoc> Well, if you ignore the .csr, the certificate doesn't get signed, does it? :P
10:26 < kisom> true, but easy-rsa takes care of that
10:26 < vatts> well, if i dont use CSR for PFSense's OVPn...?
10:27 < kisom> there is no need to use the CSR files after the cert is signed
10:35 < vatts> where is OVPN file installed @ linux (i'm talkin about PFS?
10:35 < vatts> )
10:36 < vatts> kisom, theDoc?
10:37 < theDoc> I'm sorry? What was the issue?
10:37 < vatts> <vatts> where is OVPN file installed @ linux (i'm talkin about PFS?
10:37 < vatts> Conf files?
10:37 < theDoc> pfsense is for bsd, isn't it?
10:38 < vatts> yeah, based on bsd =)
10:38 < vatts> not an app, its distro ;)
10:39 < vatts> so theDoc where would it be? =|
10:39 < theDoc> vatts> I'm sorry, no idea about bsd.
10:40 < vatts> found it
10:40 < vatts> /var/etc
10:40 < vatts> .keys and .certs are there =)
10:48 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
10:48 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
10:49 -!- openbsdnoob [~openbsdno@88.79.221.61] has joined ##openvpn
10:52 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
11:04 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has joined ##openvpn
11:06 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
11:22 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
11:23 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
11:45 -!- dxtr [dxtr@unaffiliated/dxtr] has joined ##openvpn
11:46 < dxtr> Hey guys!
11:46 < dxtr> http://dpaste.com/235348/ <- How come that configuration works in Linux but not in OpenBSD?
11:47 < dxtr> In openbsd it connects and everything (It even sets the routes and stuff) but I can't access anything
11:47 < dxtr> According to tcpdump -i stuff doesn't even arrive at tun0
12:03 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
12:04 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
12:07 < Bushmills> Splex: multiple remote statements in client config will do, shell script not needed
12:08 < Splex> Bushmills: what if each server requires a different cert?
12:09 < Bushmills> then clients can only connect to the server with the cert the client key has been signed with
12:10 < Bushmills> vatts: they're not "installed". they'll be where you out them
12:10 < Bushmills> put them ...
12:11 < Splex> Bushmills: so, if i want all servers to be usable in the same config file, i must use the same CA for all servers?
12:12 < Bushmills> Splex: that's the simplest way to allow clients to connect to any
12:13 < Splex> Bushmills: what about the dh file? do all the servers use the same one?
12:19 < barfster> I have successfully set up openvpn client and server, what next? Which other features does OpenVPN have to offer? So far I have noticed a ping of 8ms "internally" while pinging the IP address externally is like 150ms
12:22 -!- fr00d [~andi@unaffiliated/fr00d] has quit [Ping timeout: 264 seconds]
12:25 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
12:26 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
12:31 -!- fr00d [~andi@unaffiliated/fr00d] has joined ##openvpn
12:33 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
12:35 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
12:35 -!- fr00d [~andi@unaffiliated/fr00d] has quit [Ping timeout: 240 seconds]
12:50 -!- manevra [manevra@94.100.17.38] has joined ##openvpn
12:54 -!- manevra [manevra@94.100.17.38] has quit [Client Quit]
12:57 -!- mrnice1 [bouncer@ip077244250141.rev.nessus.at] has quit [Quit: ZNC - http://znc.sourceforge.net]
13:15 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined ##openvpn
13:20 -!- sigi [~sigius@93.125.185.45] has joined ##openvpn
13:22 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
13:23 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
13:32 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
13:40 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
13:45 -!- talcite [~Matthew@bas4-toronto21-2925504527.dsl.bell.ca] has joined ##openvpn
13:47 < talcite> hi guys. I'm having trouble setting up a routed VPN connection. Could someone help me out please? I can't reach any machines on the internal subnet behind the VPN server
13:47 -!- nicholas [~nicholas@68-119-80-155.dhcp.mtgm.al.charter.com] has joined ##openvpn
13:47 < talcite> I've set up the packet forwarding on the server. I've also set a static route on the gateway pointing back to the VPN subnet
13:47 -!- nicholas is now known as Guest2326
13:48 < talcite> I'm still not getting anything though.
13:48 -!- Guest2326 is now known as diamondice
13:48 -!- diamondice is now known as diamond_ice
13:50 -!- hjjg [hjjg@cl-518.cgn-01.de.sixxs.net] has left ##openvpn [""part message here""]
13:50 < diamond_ice> im curious if anyone has ever tried running two tunnels on a server and trying to route from a client on one vpn through their tunnel to the server in the middle and back out the other tunnel to another client on the other vpn tunnel
13:51 < diamond_ice> could anyone help with with trying to do this?
13:52 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
13:54 < barfster> Any mac developers here?
13:55 < hyper_ch> does that exist?
13:55 < barfster> Is it possible to tweak tunnelblick to become an interface and not an app? I found something here: http://tuntaposx.sourceforge.net/ that might be a starting point
13:55 < vpnHelper> Title: TunTap - Home (at tuntaposx.sourceforge.net)
13:56 < barfster> Or a complete replacement?
14:17 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
14:19 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
14:20 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
14:24 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
14:35 -!- Cisien_laptop [~Cisien_la@c-24-16-64-124.hsd1.wa.comcast.net] has joined ##openvpn
14:35 < Cisien_laptop> so what's the difference between community and access server?
14:35 < Cisien_laptop> support?
14:53 < Dougy> that is a biggie
14:53 < Dougy> !stats
14:53 < vpnHelper> Dougy: I have 3 registered users with 2 registered hostmasks; 2 owners and 0 admins.
14:54 < Dougy> ecirst whats url to stats
14:54 < Dougy> ecrist
14:54 < Dougy> !factoids search stats
14:54 < vpnHelper> Dougy: No keys matched that query.
14:54 < Dougy> !factoids search *stats*
14:54 < vpnHelper> Dougy: No keys matched that query.
14:54 < Dougy> !factoids search forum
14:54 < vpnHelper> Dougy: "forum" is The official OpenVPN support forum is available at http://forums.openvpn.net
15:00 < Bushmills> !route
15:00 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:00 < Bushmills> talcite: ^^^^
15:02 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
15:03 -!- Cisien__laptop [~Cisien_la@79.sub-97-50-172.myvzw.com] has joined ##openvpn
15:04 < Cisien> hrm... same config i'm using on my phone, works on my win7 laptop
15:05 < Cisien> i have a feeling it's another "feature" of the android ovpn client
15:06 -!- Cisien_laptop [~Cisien_la@c-24-16-64-124.hsd1.wa.comcast.net] has quit [Ping timeout: 264 seconds]
15:07 -!- Cisien__laptop [~Cisien_la@79.sub-97-50-172.myvzw.com] has quit [Client Quit]
15:07 -!- Cisien_laptop [~Cisien_la@c-98-232-115-192.hsd1.wa.comcast.net] has joined ##openvpn
15:09 < Bushmills> Cisien, openvpn client configs are rather platform agnostic. except a bit of routing pettyness of windows, usually they can be used on most platforms
15:10 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Leaving]
15:16 -!- gorkhaan [~gorkhaan@adsl-101-61.globonet.hu] has joined ##openvpn
15:16 -!- sigi__ [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
15:17 < Cisien_laptop> yeah, the config doesn't work on my android phone though
15:17 -!- sigi__ [~sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: Connection reset by peer]
15:17 < Cisien_laptop> i think the phone does something unexpected
15:17 < Cisien_laptop> it appears arp traffic isn't being properly routed over the tap interface
15:18 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
15:19 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
15:19 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
15:23 < ecrist> Dougy: I haven't been generating stats
15:23 < ecrist> last time they were generated was Apr 29, 2010
15:23 < ecrist> !ircstats
15:23 < vpnHelper> ecrist: Error: "ircstats" is not a valid command.
15:23 < ecrist> http://www.secure-computing.net/logs/openvpn-last30.html
15:23 < vpnHelper> Title: ##openvpn stats from ecrist! (at www.secure-computing.net)
15:24 < ecrist> I suppose I *could* generate them.  I'd have to fire that box up again, though.
15:27 -!- Cisien__laptop [Cisien_lap@c-98-232-115-192.hsd1.wa.comcast.net] has joined ##openvpn
15:30 -!- Cisien_laptop [~Cisien_la@c-98-232-115-192.hsd1.wa.comcast.net] has quit [Ping timeout: 264 seconds]
15:36 -!- sigi__ [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
15:39 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
15:40 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
15:40 -!- Cisien_laptop [~Cisien_la@c-24-16-64-124.hsd1.wa.comcast.net] has joined ##openvpn
15:43 -!- Cisien__laptop [Cisien_lap@c-98-232-115-192.hsd1.wa.comcast.net] has quit [Ping timeout: 240 seconds]
15:44 -!- sigi__ [~sigius@93-125-185-45.dsl.alice.nl] has quit [Remote host closed the connection]
15:46 -!- sigi__ [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
15:46 -!- sigi__ [~sigius@93-125-185-45.dsl.alice.nl] has quit [Remote host closed the connection]
15:52 -!- mmbeck [mmbeck@home.akausal.de] has joined ##openvpn
15:52 < mmbeck> hi
15:56 < mmbeck> is there some "post-up" mechanism for .conf files to exec some "ip rule" and "ip route" commands after a connection is established?
15:57 < Cisien> up /script/to/run ... i think
15:58 < Cisien> http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html (look for --up cmd) about 1/3 the way down the page
15:58 < vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net)
15:59 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
15:59 < mmbeck> thanks, i just didn't see that command when scrolling through the man page
15:59 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
16:00 < Cisien> the manual is better, /me thinks
16:00 < Cisien> http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html -- 2.1 manual ... same thing regarding the up script, but might as well give you current info
16:00 < vpnHelper> Title: OpenVPN 2.1 (at openvpn.net)
16:01 < Dougy> ow
16:01 < Dougy> fucking head hurts
16:01 < mmbeck> thanks again
16:01 < Cisien> fun night?
16:06 < gorkhaan> what's the changelog for Ovpn 2.1.3? :)
16:16 -!- Cisien_laptop [~Cisien_la@c-24-16-64-124.hsd1.wa.comcast.net] has quit [Ping timeout: 252 seconds]
16:19 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
16:20 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
16:20 -!- Cisien_laptop [~Cisien_la@c-98-232-115-192.hsd1.wa.comcast.net] has joined ##openvpn
16:31 -!- Cisien__laptop [~Cisien_la@79.sub-97-50-172.myvzw.com] has joined ##openvpn
16:32 -!- gorkhaan [~gorkhaan@adsl-101-61.globonet.hu] has quit [Quit: Távozom]
16:33 -!- Cisien_laptop [~Cisien_la@c-98-232-115-192.hsd1.wa.comcast.net] has quit [Ping timeout: 272 seconds]
16:33 -!- Cisien_laptop [~Cisien_la@c-98-232-115-192.hsd1.wa.comcast.net] has joined ##openvpn
16:33 -!- Cisien_laptop [~Cisien_la@c-98-232-115-192.hsd1.wa.comcast.net] has quit [Client Quit]
16:35 -!- Cisien__laptop [~Cisien_la@79.sub-97-50-172.myvzw.com] has quit [Ping timeout: 240 seconds]
16:35 < ecrist> grapsus: there isn't one
16:47 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined ##openvpn
16:47 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
16:49 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
16:56 -!- barfster [~barf@193.69.144.166] has quit [Quit: Get MacIrssi - http://www.sysctl.co.uk/projects/macirssi/]
17:05 -!- Varazir [mircwars@c-94-255-129-218.cust.bredband2.com] has quit [Quit: leaving]
17:09 -!- slava_dp [~slava@unaffiliated/slava-dp/x-9423217] has joined ##openvpn
17:10 < slava_dp> !welcome
17:10 < vpnHelper> slava_dp: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:12 < slava_dp> hi people. does openvpn support broadcasts in a tun-type network with a central server and many clients?
17:14 < slava_dp> !/30
17:14 < vpnHelper> slava_dp: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
17:14 < slava_dp> !topology
17:14 < vpnHelper> slava_dp: "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
17:16 < slava_dp> !route
17:16 < vpnHelper> slava_dp: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:18 -!- diamond_ice [~nicholas@68-119-80-155.dhcp.mtgm.al.charter.com] has quit [Ping timeout: 276 seconds]
17:19 < reiffert> dazo_afk: your emails hit my spamassassin spam filter.
17:20 < reiffert> dazo_afk: especially URIBL_BLACK hits and adds 15 points
17:20 < reiffert> dazo_afk: running spamc manually shows up the bad guy:
17:20 < reiffert> 	*   15 URIBL_BLACK Contains an URL listed in the URIBL blacklist
17:20 < reiffert> 	*      [URIs: configure.ac]
17:28 < reiffert> configure.ac: Added to Delist Queue for Review 
17:28 < Cisien> what was the uri it's cryin about?
17:28 < reiffert> Cisien: 00:20 < reiffert> I*      [URIs: configure.ac]
17:28 < Cisien> odd one
17:28 < Cisien> unless that was an attachment
17:34 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
17:37 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
17:39 -!- mmbeck [mmbeck@home.akausal.de] has left ##openvpn []
17:43 < slava_dp> !goal
17:43 < vpnHelper> slava_dp: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:45 -!- ghostknife [~quintin@iburst-41-213-93-138.iburst.co.za] has quit [Quit: WeeChat 0.3.0]
18:01 < slava_dp> I'd like to create a server-to-multiclient vpn setup (172.16.0.0/24), and need to be able to use broadcasts in this network. can I use broadcasts with tun?
18:01 < ecrist> no
18:01 < ecrist> well, yes and no
18:01 < ecrist> !topology
18:01 < vpnHelper> ecrist: "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
18:02 < ecrist> tun creates a bunch of point to point tunnels.
18:02 < ecrist> broadcast won't span multiple networks.
18:03 < slava_dp> ecrist, if I use topology subnet, will I still not be able to use broadcasts?
18:03 < ecrist> never used it.  you may be able to
18:03 < ecrist> what are you trying to broadcast?
18:03 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
18:04 < reiffert> running broadcast relay might work.
18:05 < slava_dp> my co-worker uses a special piece of software that only works on local LAN via broadcasting/multicasting. so I'm trying to figure out if it will work if he connects his box to the vpn server.
18:05 < ecrist> multicast works across subnets
18:05 < ecrist> broadcast (without a helper) does not
18:06 < reiffert> tap will solve this.
18:06 -!- Serideru [~GTWebster@69-92-242-72.cpe.cableone.net] has joined ##openvpn
18:06 < slava_dp> so there's some hope if I use tun + topology subnet?
18:07 < reiffert> create a bridge with your lan adapter and the tap adapter openvpn is binding to.
18:08  * ecrist would just use tap
18:08 < ecrist> actually $job uses tap now
18:08 < reiffert> right, briding is optional
18:10 < slava_dp> my office LAN is 192.168.0.0/24. if I use tap, what network address should I use for the vpn? I'm only familiar with tun and net30 so far.
18:11 < ecrist> change your office lan address space, to start
18:11 < ecrist> !1918
18:11 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
18:11 < slava_dp> what will I gain from this?
18:12 -!- openbsdnoob is now known as openbsdnoob|na
18:12 < ecrist> slava_dp: perhaps you need to spend some time figuring out what you actually need
18:13 < slava_dp> :)
18:15 < slava_dp> right now, I have a vpn server in the office, 192.168.0.180, that is a vpn server and serves two clients, that connect to it from the outside. the vpn network is 172.25.0.0/16. the server also acts as a gateway from the office network to the VPN network, doing NAT. what doesn't work, is my co-worker's software, that he would use to connect to those two clients.
18:16 < slava_dp> he can't connect to them, because they aren't on the office network.
18:16 < slava_dp> what would be the best way to approach this issue?
18:19 < Cisien> isn't 172.25.0.0/16 outside the private block?
18:19 < Cisien> nope, nm, it's inside
18:19 < Cisien> but the mask is /20, not 16
18:20 < reiffert>      172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
18:20 < Cisien> yeah, 12 ... i was reading this wrong .. 20 bit block (12 bit network)
18:21 < slava_dp> .25 is inside, surely
18:24 < slava_dp> so, in order to use tap, what kind of addressing should I use on the office and the vpn network?
18:24 < Cisien> with tap
18:24 < Cisien> you bridge the vpn interface to your internal network interface
18:24 < Cisien> and use the same address scheme as the rest of your internal network
18:25 < slava_dp> oh, now I get it.
18:25 < Cisien> so if your internetwork is 192.168.0.0/24, you'd assign those clients ip's from that block
18:26 < slava_dp> thanks for the explanation
18:26 < Cisien> server-bridge 192.168.0.1 255.255.255.0 192.168.0.151 192.168.0.200
18:26 < Cisien> is an example from my config
18:27 < Cisien> 192.168.0.1 is the gateway, .151 and .200 are ip's that aren't part of your dhcp scope that openvpn assigns to clients
18:36 < slava_dp> will I be able to route traffic to LANs behind vpn clients in tap mode? I'm just thinking about the possibility.
19:03 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Po-ta-to, boil em, mash em, stick em in a stew.]
19:08 < reiffert> jup
19:27 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has quit [Ping timeout: 276 seconds]
19:28 -!- d12fk [~heiko@vpn.astaro.de] has joined ##openvpn
19:58 -!- tthelp [~chatzilla@213.167.9.199] has joined ##openvpn
20:04 < tthelp> hallo, i'd want to ask: I want ot make a vpn tunnel between my laptop in the university and my lan network with real IPs. My server (win7) is on the LAN network and i've bridged the NIC with a TAP device and my question is: Can the VPN work since i'll use the same subnet for the remote/local IP and for the TAP device itself. 
20:04 < tthelp> in the manual it says there will  be a routing loop
20:06 < tthelp> and ... i don't know whether i'm  having a routing loop, but when my laptop at the uni connects to the server i can't ping the server.
20:15 < tthelp> anyone?
20:16 -!- slava_dp [~slava@unaffiliated/slava-dp/x-9423217] has quit [Quit: Ухожу я от вас (xchat 2.4.5 или старше)]
21:31 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
21:39 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
21:42 < Dougy> ayo
21:49 < vpnHelper> RSS Update - forum: Configuration :: Connection dies after 4-7 minutes. Client :: Author medleev <https://forums.openvpn.net/viewtopic.php?f=6&t=7048&p=7689#p7689>
22:19 < Cisien> tthelp, in tap mode, the interface behaves like a layer 2 device. the interface on the server needs no ip as long as it's bridged to an interface that has an ip
22:28 < Cisien> (router - 10.1.11.1/192.168.1.x (tap interface, 192.168.1.x -> vpn -> 192.168.1.0/24)) does a good job of confusing ovpn's routing
22:29 < Cisien> there's nat happening between the 10 network and the 192 network, i wonder if i can bind it to the 10 network interface, if it will get nat'd and avoid that interesting routing loop
22:36 -!- Serideru [~GTWebster@69-92-242-72.cpe.cableone.net] has quit [Ping timeout: 264 seconds]
22:56 -!- tthelp [~chatzilla@213.167.9.199] has quit [Ping timeout: 240 seconds]
22:57 -!- sparc-kly [~mubex@adsl-72-50-96-153.prtc.net] has quit [Remote host closed the connection]
22:57 -!- tthelp [~chatzilla@213.167.9.199] has joined ##openvpn
23:06 < talcite> hey guys, I'm in running a IP routed openvpn server, and there's a few strange routes showing up in the server's routing table. Could someone help explain them to me please?
23:06 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Quit: changing servers]
23:07 < talcite> I've set aside the 10.0.2.0/24 subnet for the VPN clients, so in the routing table, so I'd expect the gateway for 10.0.2.0/24 to be 10.0.2.1 (the ovpn server's IP)
23:07 < talcite> however, I have this instead: 10.0.2.0        10.0.2.2        255.255.255.0   UG    0      0        0 tun0
23:07 < talcite> meaning 10.0.2.2 is the gateway. What's going on?
23:18 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Leaving]
23:34 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
--- Day changed Sun Aug 29 2010
00:06 -!- Kurogane [~kuro@190.87.69.217] has joined ##openvpn
00:09 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
00:24 -!- Raccoon- [~bismuth@71-222-254-228.albq.qwest.net] has joined ##openvpn
00:24 -!- Raccoon- [~bismuth@71-222-254-228.albq.qwest.net] has quit [Changing host]
00:24 -!- Raccoon- [~bismuth@unaffiliated/raccoon] has joined ##openvpn
00:25 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has quit [Ping timeout: 240 seconds]
00:27 -!- pyrofallout [~pyrofallo@166.205.13.178] has joined ##openvpn
00:27 < pyrofallout> can anyone confirm server-bridge is not compatible with dev tun?
00:30 < hyper_ch> !bridge
00:30 < vpnHelper> hyper_ch: "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc, or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ, or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man)
00:31 < hyper_ch> !server-bridge
00:31 < vpnHelper> hyper_ch: Error: "server-bridge" is not a valid command.
00:42 -!- pyrofallout_ [~pyrofallo@166.205.13.178] has joined ##openvpn
00:42 -!- pyrofallout [~pyrofallo@166.205.13.178] has quit [Read error: Connection reset by peer]
00:42 -!- pyrofallout_ is now known as pyrofallout
00:49 -!- pyrofallout [~pyrofallo@166.205.13.178] has quit [Read error: Connection reset by peer]
00:50 -!- pyrofallout [~pyrofallo@166.205.13.178] has joined ##openvpn
01:12 -!- Webhostbudd [~Webhostbu@isr6493.urh.uiuc.edu] has joined ##openvpn
01:12 -!- pyrofallout [~pyrofallo@166.205.13.178] has quit [Ping timeout: 265 seconds]
01:16 < pcard> !tunortap
01:16 < vpnHelper> pcard: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
01:16 < vpnHelper> pcard: against you over the vpn, or (#4) lan gaming? use tap!
01:18 < pcard> errm, isn't tap needed if you want to bridge two networks (so that it effectively comes one LAN)
01:19 < pcard> ie, you have two locations locations that use the same subnet for addressing on either side
01:20 < pcard> ie 255.0.0.0 on either end, I'd do something like start IPs at location 1 with 10.1.0.0 and at location 2 start them with 10.2.0.0
01:22 < pcard> then use OpenVPN using tap to bridge them so they can fully see each other, as if you ran an insanely long network cable between them
01:22 < szr> yes that would be tap
01:22 < szr> I just deployed pretty much exactly that type of scenario today and worked beautifully
01:22 -!- Splex [~splex@unaffiliated/splex] has quit [Quit: leaving]
01:33 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
02:24 -!- openbsdnoob|na is now known as openbsdnoob
02:25 < Webhostbudd> Anyone mind enlightening me on how to deploy the seemless bridge
02:25 < Webhostbudd> I mean, I've got most of it setup so far, I just can't figure out why traffic doesn't flow from the lan over the bridge
02:26 < Webhostbudd> apparently dhcp is working though
02:29 < Webhostbudd> !help
02:29 < vpnHelper> Webhostbudd: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
02:30 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined ##openvpn
02:30 -!- Kurogane [~kuro@190.87.69.217] has quit [Remote host closed the connection]
02:43 -!- Webhostbudd [~Webhostbu@isr6493.urh.uiuc.edu] has quit [Quit: Leaving]
02:46 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
02:49 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
03:05 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:46 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined ##openvpn
03:59 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
04:07 -!- barfster [~barf@193.69.144.166] has joined ##openvpn
04:07 < barfster> Anyone awake?
04:08 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
04:08 < Fiouz> yep
04:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:10 < barfster> I have successfully set up OpenVPN client and server
04:11 < barfster> this works sooo nice, are there any additional features of OpenVPN that I should know about? I have set up sharing of all client nodes with the server side.
04:11 < barfster> Most amazing is the ping inside the VPN opposed to outside, I have no clue how that is possible, but inside the VPN the ping is 18ms and outside the ping is like 150ms
04:13 < Fiouz> there may be some traffic shaping involved causing your outside ping to be low-prioritized
04:16 < barfster> One of the ISPs involved are Singstar
04:16 < barfster> No Starhub
04:16 < barfster> Starhub in Singapore
04:16 < barfster> Brutally slow
04:16 < barfster> I will set up a client in Singapore alos
04:16 < barfster> also
04:17 < barfster> for now ping to the node in Singapore is like 600ms
04:26 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined ##openvpn
04:34 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
04:34 -!- mode/##openvpn [+o mattock] by ChanServ
04:49 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
04:52 -!- tthelp [~chatzilla@213.167.9.199] has quit [Ping timeout: 272 seconds]
04:52 -!- tthelp [~chatzilla@213.167.9.199] has joined ##openvpn
04:56 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
05:02 -!- krzee [~k@unaffiliated/krzee] has quit [Quit: Leaving]
05:02 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
05:20  * krzee taps vpnHelper 
05:22 < vpnHelper> RSS Update - forum: Server Administration :: Re: OpenVPN for windows 2003 clients :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7026&p=7690#p7690>
05:30 -!- SOG [~SOG@n1164869195.netvigator.com] has quit [Quit: SOG]
05:46 -!- SOG [~SOG@n1164869195.netvigator.com] has joined ##openvpn
05:47 -!- SOG [~SOG@n1164869195.netvigator.com] has quit [Client Quit]
06:07 -!- openbsdnoob [~openbsdno@88.79.221.61] has quit [Remote host closed the connection]
06:09 -!- mape2k [~mape2k@2a01:198:23f:10ff:9031:81ff:fe5c:8d94] has joined ##openvpn
06:12 -!- openbsdnoob [~openbsdno@88.79.221.61] has joined ##openvpn
06:16 < openbsdnoob> hi
07:06 < kisom> hey
07:28 -!- mape2k [~mape2k@2a01:198:23f:10ff:9031:81ff:fe5c:8d94] has quit [Ping timeout: 252 seconds]
07:31 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
08:07 -!- g0tcha [~efnet@27-9.202-62.fix.bluewin.ch] has joined ##openvpn
08:07 -!- ping-pong [~qwerty@212-30-223-89.static.simnet.is] has joined ##openvpn
08:08 < g0tcha> hey guys.. i have some questions on how vpn works and how secure it is
08:09 < g0tcha> my brother is a banker and he travels alot, hes limited to not using any public wifi and cant access some sensitive details in some countries cuz of a risk of ISP sniffing,
08:10 < g0tcha> so what im asking is, if some ISP is sniffing his data, and when he connects to the internet and then to a VPN thats hosted in the US, everything he does through it is protected from that ISP, right?
08:11 < g0tcha> i setup openvpn for him on a server in the US and it works fine, but he doent trust and it says its still unsecure and wont stop the isp from sniffing the data.. is that true?
08:15 -!- tthelp [~chatzilla@213.167.9.199] has quit [Ping timeout: 258 seconds]
08:16 -!- tthelp [~chatzilla@213.167.9.199] has joined ##openvpn
08:22 < g0tcha> anyone?
08:41 -!- Miland3r [~mnk@196-210-181-43.dynamic.isadsl.co.za] has joined ##openvpn
08:44 < kisom> hold on, let me read
08:45 < kisom> g0tcha: Provided that your VPN is correctly set up, no ISP will be able to sniff in on his data
08:45 < kisom> I work at a bank too, we use VPN all the time to access senseive data when out of office
08:46 < g0tcha> kisom, thats very good to hear.. hmm do you think its safer to use something like vyprVPN from Goldenfrog and set it up with openVPN client?
08:46 < g0tcha> since i dont have much background on installing openvpn myself im afraid of getting it up and running but not secure enough
08:47 < kisom> I have no idea what vyprVPN is...
08:47 < g0tcha> its a paid vpn service from goldenfrog.com
08:47 < kisom> i would not trust a 3rd party VPN provider with banking data at all
08:47 < g0tcha> https://www.goldenfrog.com/vyprvpn/vpn-service-provider
08:47 < vpnHelper> Title: VPN Service Provider: Online Privacy and Internet Security | Golden Frog (at www.goldenfrog.com)
08:47 < kisom> we use our own VPN servers at barclay bank
08:48 < kisom> that way all data is encrypted from start to end
08:48 < g0tcha> hmm fair enough.. this makes me wonder, how can i test openvpn to make sure its properly secure?
08:48 < kisom> read the documentation, and understand it :)
08:49 < kisom> you need to properly set up your own certificate authority and keep the keys secure
08:49 < g0tcha> i did.. and like i said i have it up and running on ubuntu here but like i said, im afraid its not as secure as it should be :/
08:50 < kisom> Well
08:50 < kisom> if you provide me with your config files i'll be happy to point out any security issues
08:59 -!- a1ex [a1ex@tnix.de] has joined ##openvpn
09:05 < a1ex> I'd like to know if it is possible to limit the possible target ips or protocols that can be adressed through the vpn connection
09:06 < kisom> a1ex: iptables maybe?
09:11 < a1ex> which would affect all connections from the server, wouldnt it?
09:11 < kisom> not if you use the --source argument
09:11 < Miland3r> g0tcha, if you have permission, you could also use something like nexsus as a basis for pointing out possible security issues.
09:11 < kisom> iptables -I FORWARD --source 10.0.8.3 -p tcp --dport 1234 -j DROP
09:12 < kisom> for example.
09:12 < a1ex> ah thank you kisom 
09:12 < a1ex> i'll look into it then
09:24 < Miland3r> I'm currently exploring, replacing our citrix instances with openvpn.
09:24 < Miland3r> The site we want to vpn back "home" is Mircrosoft based and uses AD authentication
09:24 < Miland3r> with only said users having internet access via websense proxy.
09:25 < Miland3r> I've already set up an Openvpn instance on a server at our main site, but the websense proxy / AD authentication is proving troublesome.
09:25 < kisom> Miland3r: Citrix is bad. No real encryption or security at all
09:26 < Miland3r> I know, thus the reason to replace
09:26 < kisom> But i dont quite understand what problems you are having? :)
09:26 < Miland3r> but the AD auth / Websense proxy is proving troublesome...
09:26 < kisom> Hmm
09:26 < Miland3r> sorry I type slow :/
09:26 < kisom> Never did AD authentication over openvpn...
09:29 < kisom> OK, now i got confused
09:29 < Miland3r> the client site proxy requires AD auth  before it allows internet access.  
09:29 < kisom> do you want to connect openvpn to the AD, so clients use the same login?
09:30 < kisom> never worked with websense...
09:30 < Miland3r> not exactly, I want openvpn client to use proxy to connect to internet and back to our main site 
09:30 < kisom> how does the authentication work? what kind of proxy is it?
09:31 < Miland3r> authentication is ntlm2, AD security group to provide Internet access via websense proxy.
09:33 < kisom> OK, i dont think i'll be able to help you with this, sorry :)
09:33 < Miland3r> thanks anyways :D... If I manage, I'll report back... back to google rtfm then
09:34 < kisom> Cant you just put your VPN clients in the same subnet as your "normal" network?
09:34 < kisom> create a bridge
09:38 < Miland3r> afraid that will not be possible... enforced remote access policy...
09:41 -!- mape2k [~mape2k@2a01:198:23f:10ff:6c8d:4dff:fec7:7957] has joined ##openvpn
09:48 -!- SOG [~SOG@222.125.226.58] has joined ##openvpn
09:57 -!- SOG [~SOG@222.125.226.58] has quit [Quit: I will be back!]
10:04 -!- mape2k [~mape2k@2a01:198:23f:10ff:6c8d:4dff:fec7:7957] has quit [Read error: Operation timed out]
10:23 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
10:35 < jwm> I'm trying to fix magicjack for a friend
10:35 < jwm> anyone know what iptables commands I should do
10:35 < jwm> it was working and then he got an update and it stopped
10:35 < jwm> heh
10:53 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined ##openvpn
11:24 -!- g0tcha [~efnet@27-9.202-62.fix.bluewin.ch] has quit []
11:25 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
11:36 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
11:43 -!- SOG [~SOG@222.125.226.58] has joined ##openvpn
12:16 -!- katoen is now known as bramgn
12:26 -!- SlimG [~SlimG@83.89-20-249.enivest.net] has joined ##openvpn
12:26 < SlimG> !welcome
12:26 < vpnHelper> SlimG: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:27 -!- Cisien [Cisien@c-98-232-115-192.hsd1.wa.comcast.net] has quit [Read error: Connection reset by peer]
12:27 < SlimG> !route
12:27 < vpnHelper> SlimG: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:30 -!- Cisien [Cisien@c-98-232-115-192.hsd1.wa.comcast.net] has joined ##openvpn
12:31 < SlimG> Can someone help me get my OpenVPN client traffic routed past the OpenVPN server? here is the client and server OpenVPN config, server network config and both client and server route table -> http://pastebin.com/m4Ei2iNU
12:32 < SlimG> I can connect and access the OpenVPN server from my OpenVPN client, but I can't get past the OpenVPN server
12:36 < SlimG> I've changed the config so the IPs in the topology matches the ones in the config -> http://pastebin.com/WhVAxqTc
12:52 -!- tthelp [~chatzilla@213.167.9.199] has left ##openvpn []
13:03 < krzee> SlimG, 
13:03 < krzee> !redirect
13:03 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:05 < krzee> SlimG, that help?
13:05 < vpnHelper> RSS Update - forum: Configuration :: Connection dies after 4-7 minutes. Client :: Author medleev <https://forums.openvpn.net/viewtopic.php?f=6&t=7048&p=7689#p7689> || Configuration :: Can't ping client from server :: Author skrech <https://forums.openvpn.net/viewtopic.php?f=6&t=7050&p=7692#p7692> || My VPN :: OpenVPN Site to Site Connection Using DD-WRT Capable Routers :: Author somms <https://forums.openvpn.net/viewtopic.php?f=13&t
13:09 < SlimG> krzee: I'm using ethernet bridging
13:10 < krzee> you need a layer2 protocol over the vpn...?
13:11 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
13:14 < openbsdnoob> the last link in the rss-update is not complete
13:14 < krzee> ooo, good call
13:14 < openbsdnoob> ^^
13:15 < krzee> i wonder if thats freenode or the bot... lets check
13:15 < krzee> RSS Update - forum: Configuration :: Connection dies after 4-7 minutes. Client :: Author medleev <https://forums.openvpn.net/viewtopic.php?f=6&t=7048&p=7689#p7689> || Configuration :: Can't ping client from server :: Author skrech <https://forums.openvpn.net/viewtopic.php?f=6&t=7050&p=7692#p7692> || My VPN :: OpenVPN Site to Site Connection Using DD-WRT Capable Routers :: Author somms <https://forums.openvpn.net/viewtopic.php?f=13&t test test
13:15 < vpnHelper> Title: OpenVPN Support Forum View topic - Connection dies after 4-7 minutes. Client (at forums.openvpn.net)
13:15 < krzee> openbsdnoob, thanx =]
13:16 < openbsdnoob> np .... i would read this post but the link is ending in trouble ^^
13:17 < krzee> ahh 1 sec
13:17 < krzee> https://forums.openvpn.net/viewtopic.php?f=13&t=7049
13:17 < vpnHelper> Title: OpenVPN Support Forum View topic - OpenVPN Site to Site Connection Using DD-WRT Capable Routers (at forums.openvpn.net)
13:19 < openbsdnoob> thx :)
13:19 < krzee> np
13:19 < krzee> SlimG, you need a specific layer2 protocol over your VPN...?
13:20 < Cisien> layer 3 protocol?
13:20 < krzee> Cisien, ??
13:21 < Cisien> bridging would enable other layer 3 protocols
13:21 < krzee> umm
13:21 < krzee> !layer2
13:21 < vpnHelper> krzee: "layer2" is (#1) you are using tap, what specific layer2 protocol do you need to work over the vpn?, or (#2) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#3) protocols that use layer2 communicate by MAC address, not IP address
13:22 < Cisien> maybe i'm just confused about the topic
13:22 < krzee> he is using ethernet bridging, he is having issues getting his default route going over his vpn, my first question to him is to be sure he really wants a bridge
13:23 < krzee> mosyt often when people are using a bridge it is because they saw some walkthrough that uses it... not because they need a layer2 protocol to flow over the vpn
13:23 < krzee> most*
13:23 < krzee> at least that has been my experience
13:24 < Cisien> I've used both tun and tap for my vpns, i'm just kinda curious why you wouldn't use tap/bridging?
13:24 < Cisien> more control over access, i guess?
13:24 < krzee> i would for the right situations
13:24 < krzee> !tunortap
13:24 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
13:24 < vpnHelper> krzee: against you over the vpn, or (#4) lan gaming? use tap!
13:25 < krzee> extra overhead, i dont like to open up my broadcast domain
13:25 < Cisien> I can see that
13:26 < Cisien> my latest setup uses tap because it was easy.
13:26 < krzee> routing is easier imo
13:27 < Cisien> i guess they are both easy
13:27 < SlimG> The question isn't wether I should use routing og ethernet bridging, the question is how to make my ethernet bridging work the way I want
13:28 < vpnHelper> RSS Update - forum: Configuration :: Re: Connection dies after 4-7 minutes. Client :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7048&p=7693#p7693>
13:28 < krzee> SlimG, ok, gl then
13:29 < Cisien> bridge tap0 to <lanif>, server-bridge <lanifgw> mask start-pool-ip stop-pool-ip, win
13:29 < krzee> also, you didnt tell your vpn to change your gateway
13:29 < krzee> so i wouldnt expect it to do so
13:31 < Cisien> yeah, you're missing 'push "redirect-gateway def1 bypass-dhcp"'
13:33 < Cisien> your server-bridge should be server-bridge 10.0.0.1 255.255.255.0 10.0.0.230 10.0.0.254
13:33 < Cisien> 10.0.0.1 is the ip that your _normal_ clients use as a gateway
13:33 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
13:33 < Cisien> you would use the same subnet you use for the rest of your network
13:34 < jwm> anyone used magicjack across openvpn?
13:34 < jwm> I need to figure out iptables I believe on how to get this thing to work
13:35 < krzee> jwm, not personally, but its just voip (layer3) traffic so should be extremely easy
13:35 < jwm> yeah
13:35 < jwm> I am trying to figure it out for a friend using my openvpn on my 1and1 server
13:35 < jwm> so I bought one and am connecting through the vpn
13:35 < jwm> and sure enough it doesn't connect
13:35 < jwm> I wonder what network traffic tools I can use to diagnose why
13:35 < krzee> is he directing all traffic over the vpn?
13:36 < Cisien> 1) does the traffic get routed to the vpn, 2) where does it get blocked?
13:36 < jwm> yep
13:36 < jwm> I am too
13:36 < jwm> routing is working fine
13:36 < krzee> jwm, and when he goes to secure-computing.net/ip.php it shows your servers ip...?
13:36 < jwm> yep
13:36 < jwm> or whatismyip.com
13:36 < krzee> k
13:36 < jwm> he can get to websites he couldn't in uae
13:36 < krzee> as Cisien says, use tcpdump to figure that out
13:36 < jwm> I know his traffic is going across the vpn :)
13:37 < krzee> or wireshark or whatever
13:37 < jwm> ok
13:37 < jwm> I have iptraf
13:37 < jwm> which side do I monitor
13:37 < jwm> the windows or nix side
13:37 < Cisien> both
13:37 < krzee> all
13:37 < jwm> ok
13:37 < jwm> what's a good windows util for it then
13:37 < krzee> wireshark
13:37 < jwm> k
13:37 < jwm> I want to learn this stuff 
13:38 < jwm> I've been doing nix admin for 13 years and still suck with networking
13:38 < jwm> hehe
13:38 < krzee> hehe
13:38 < jwm> I can setup routes and stuff I just don't know what I am doing as far as firewall rules
13:38 < Cisien> also, you can use 'iptables -L -v' and 'iptables -L -v -t nat' to see the counts for packets/bytes that are matching rules
13:38 < jwm> and setting up ovpn was a breeze
13:38 < jwm> yeah I already do that
13:38 -!- SlimG [~SlimG@83.89-20-249.enivest.net] has quit [Read error: Operation timed out]
13:38 < jwm> I was using a global -L and didn't know you had to do -t nat at first
13:38 < jwm> to see the rules
13:38 < jwm> hehe
13:38 < jwm> the funny thing is that mj worked before the update
13:39 < Cisien> what update?
13:39 < krzee> worked over the vpn before the update?
13:39 < jwm> an update to the mj
13:39 < jwm> yeah
13:39 < jwm> and I can't figure out what they changed
13:39 < krzee> well thats an interesting point...
13:39 < Cisien> did they change their port/protocol?
13:39 < jwm> yeah I don't know yet
13:39 < krzee> do you even know if it works at all now...?
13:39 < jwm> that is why I was hoping to find someone who has one and has done this
13:39 < krzee> could it be fried...
13:39 < jwm> it doesn't work I just bought one
13:39 < jwm> to try and get it working here in the states across the vpn
13:39 < jwm> and it doesn't connect
13:40 < krzee> ok so yours works without vpn, but not with
13:40 < jwm> yep
13:40 < krzee> alright
13:40 < krzee> ya you need to dump packets and see what the magicjack is doing
13:40 < jwm> now I guess I just need to learn wireshark and tcpdump/iptraf heh
13:40 < jwm> hopefully it's not too confusing
13:41 < krzee> its like anything else... once you do it a bit you'll understand it ;)
13:41 < jwm> lol
13:41 < jwm> yeah but I've put this off for a decade
13:41 < krzee> like me and C
13:41 < jwm> and everything else I've put off in life for a long time was a BITCH :)
13:41 < jwm> hehe
13:41 < krzee> ive read books, ive read code, but for some reason i never actually do anything in it... been putting it off forever
13:41 < jwm> lol I love the wireshark motto.. go deep
13:42 < jwm> ahh
13:42 < jwm> I am an asm and c coder
13:42 < jwm> and javascript funny enough :)
13:42 -!- Miland3r [~mnk@196-210-181-43.dynamic.isadsl.co.za] has quit [Remote host closed the connection]
13:42 < jwm> I'm also a system admin that doesn't know networking worth a damn
13:42 < jwm> hah
13:42 < jwm> and I love networking!
13:42 -!- SlimG [~SlimG@83.89-20-249.enivest.net] has joined ##openvpn
13:43 < jwm> we're using tap instead of tun btw
13:43 < krzee> ahh right, we;ve talked a bit in the past i remember now
13:43 < jwm> yeah we have
13:43 < Cisien> ok, the problem is likely on your 1and1 box's firewall
13:43 < jwm> yeah that is what I was thinking but I have it open right now
13:43 < krzee> lol everyone here today is all about tap
13:43 < jwm> it's a dedicated server
13:43 < krzee> i leave for a couple weeks and tap takes over!
13:43 < Cisien> krzee, lol
13:43 < jwm> well we're running some broadcast apps
13:44 < jwm> I know you guys are tun addicts :)
13:44 < Cisien> i have no real reason for using tap, except to keep my options open
13:44 < jwm> I am very crappy at security
13:44 < jwm> I've been hacked 5 times
13:44 < Cisien> lol
13:44 < jwm> so I might as well keep up my image
13:45 -!- Miland3r [~mnk@196-210-181-43.dynamic.isadsl.co.za] has joined ##openvpn
13:45 < jwm> I get all these ssh connection attempts
13:45 < jwm> never block them
13:45 < jwm> I have a vpn setup but I don't bother doing ssh and other secure utilities over the vpn
13:45 < jwm> I keep the ports open on the server and still connect directly
13:45 < jwm> lol
13:45 < jwm> I guess lazy admin
13:46  * Cisien has no sympathy
13:46 < jwm> never asked for any :)
13:46 < Cisien> so, what bank did you say you work for?
13:46 < jwm> too bad you guys don't have mj setup
13:46 < jwm> lol
13:46 < jwm> too bad noone has written an openvpn mj article
13:46 < jwm> I'd be done by now
13:46 < jwm> hehe
13:51 < pcard> I have a little question about tap adapters in Windows, is that even thouhg it's connected and working otherwise perfectly, the status of the tap0 shows as cable unplugged. Is this be design, or is there a way to at least get rid of the icon from the task tray?
13:52 < Cisien> can you post your client/server ovpn configs, netstat -a (on the client), route print (on the client) route/iptables [-t nat] -L -v, on the server -- to pastebin?
13:53 < Cisien> pcard, doesn't windows have an option to hide that status?
13:53 < jwm> yeah it does
13:53 < jwm> he has to do properties on the interface
13:53 < jwm> and then go in there and find the checkmark that says show status 
13:53 < krzee> [14:46]  <Cisien> so, what bank did you say you work for?
13:53 < krzee> LOL
13:54 < krzee> [14:46]  <jwm> too bad noone has written an openvpn mj article
13:54 < pcard> Cisien: no, just to hide the icon when connected
13:54 < krzee> feel free to be the first
13:54 < pcard> Cisien: to hide the red-x icon you need to disable the adpater, and that would sort of defeat the purpose
13:54 < Cisien> *shrug*
13:54 < Cisien> use win7
13:55 < pcard> I've seen the same thing IN win 7 just as in XP
13:55 < jwm> hehe
13:55 < jwm> you can hide the icon also
13:55 < pcard> Cisien: it looks like it's the tap driver openvpn installs that doesn't reprot the right status
13:55 < jwm> in start menu settings
13:55 < Cisien> my tap interface doesn't show disconnected on the icon
13:55 < pcard> jwm: how then?
13:55 < jwm> dude there are only two areas you can check
13:55 < jwm> one is the start menu preferences
13:56 < jwm> the other is the network connections preferences
13:57 < pcard> hiding "inactive icons" is not the same. I'd be nice if the tap adpater report itself as connected when openvpn sucessfully connects to a report openvpn server
13:57 < krzee> thats weird, in my experience once connected the unplugged notification goes away
13:57 < Cisien> i'm kinda confused why you're seeing that. I used openvpn for a year in Iraq 24x7 without anything like that bothering me
13:57 < krzee> although my windows experience stopped at XP
13:57 < pcard> krzee: consider yourself lucky
13:57 < krzee> well i did make that choice ;)
13:59 < pcard> I hate Win 7 (aka Vista R2) with all my heart
13:59 < Cisien> win7 is awesome
13:59 < pcard> no man should be subjected to such cruelity
14:00 < pcard> I survived the gulags in Siberria, but I'd gladly go back then to use Windows 7 as my main OS
14:00 < Cisien> yeah, it does show as disconnected
14:00 < pcard> Cisien: then by all means use it if you really like it
14:01 < Cisien> go to the adapter properties in device manager
14:01 < Cisien> advanced tap
14:01 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
14:01 < Cisien> media status
14:01 < Cisien> always connected
14:01 < pcard> I'm in no position to tell anyone what OS to use, I can only go by my own experiences and of those I know and make recommendations accordingly. But if you like it, then that's your choice.
14:02 < pcard> Cisien: yeah, looks like they never coded that part of the driver to report any other status. 
14:02 < Cisien> default is application controlled
14:02 < pcard> Cisien: it's the same thing with many printer drivers that don't show many statues
14:02 < Cisien> there may be another flag to toss into the client config for windows, but i dunno
14:02 < Cisien> there's your workaround tho
14:03 < pcard> Cisien: oh I just reread that, where exactly do you get to "advanced tap" from?
14:03 < Cisien> advanced tab
14:03 < jwm> windows 7 is nice
14:03 < pcard> is this in Dev Manager -> Network Adapters -> $tap-device
14:04 < pcard> -> properties
14:04 < pcard> ?
14:04 < jwm> sure
14:04 < jwm> look in there
14:04 < jwm> try to find it
14:04 < pcard> thanks
14:06 -!- gorkhaan [~gorkhaan@adsl-101-61.globonet.hu] has joined ##openvpn
14:16 < krzee> [14:44]  <jwm> I've been hacked 5 times
14:16 < krzee> i got hacked 1 time, guy got in through a user account
14:16 < krzee> caught him in the act, tracked him down by the next day
14:16 < krzee> became pretty good friends
14:16 < krzee> lol
14:17 -!- SlimG [~SlimG@83.89-20-249.enivest.net] has quit [Quit: Lost terminal]
14:21 < pcard> why would anyone setup OpenVPN to use user/pass type auth?
14:22 < Cisien> simplicity?
14:23 < pcard> it's infinately more difficult to brute force a 2048 (or even a 1024) bit client key
14:23 < pcard> and the attempts will stand out quite a bit in the logs (even more if you use something like LogWatch to get a view every morning in your email)
14:24 < Cisien> an example i guess would be a point to point connection that you don't need to enter the password for very often, you can use a long password to provide adequate brute force protection without the hassle of creating certificates
14:25 -!- krzee [~k@unaffiliated/krzee] has quit [Quit: Leaving]
14:26 < pcard> true, although it's not a hassel to create certs. By hand, setting up a new server, doing the certs took less then 5 min (counting the .pem generation which is what takes the longest) 
14:26 < pcard> generating client keys (.key and .crt) takes 5 sec at the most
14:26 < Cisien> yah
14:27 < Cisien> but it's thre as an option, i guess
14:27 < pcard> if you have user/pass auth, please PLEASE tell me you have TLS turned on
14:27 < Cisien> maybe for two factor authentication?
14:27 < pcard> (well, TLS should be on reguarless)
14:27 < pcard> two factor?
14:28 < Cisien> password + somethign else
14:28 -!- barfster [~barf@193.69.144.166] has left ##openvpn []
14:28 < pcard> you can already have passwords (ahem, pass-phrase) on client keys
14:29 < Cisien> but if that key and password are compromised, you'd still need to know the pass phrase on the vpn link
14:29 < pcard> it's an openssl key, any openssl key can have a pass phrase added to it. I use that quote commonly with ssh keys
14:29 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
14:29 < pcard> Cisien: err, you'd have to first somehow guess a valid client key, and THEN you'd have to some how manage to guess the right pass phrase
14:30 < pcard> sounds like a solid two-factor auth to me, no?
14:30 < Cisien> i'm just throwing cards into the wind here, i have no clue why someone would use a password-based authentication
14:30 < pcard> Cisien: np
14:31 < pcard> Cisien: I can see how that could work too, although I don't really see much difference between key w/ pass-phrase auth and key auth + user/pass auth, seems like you get the same effect (the latter just maybe having an extra username thrown in, could possible be useful)
14:32 < Cisien> depends on paranoia level, i guess
14:33 < pcard> agreed
14:35 < jwm> heh
14:49 < kisom> At work we use certificate + login + RSA token
14:51 < Cisien> do your certs use a password?
14:51 < kisom> nope
14:51 < Cisien> login = changeable password
14:51 < kisom> enforced change every 30 day
14:51 < Cisien> evil
14:51 < Cisien> bank?
14:51 < kisom> yep.
14:52 < Cisien> makes more sense now
14:52 < jwm> weird
14:52 < jwm> magicjack works now
14:52 < Cisien> you fixed it, congrats
14:52 < jwm> I didn't do anything though
14:53 < jwm> maybe the guy in uae didn't try enough
14:53 < jwm> heh
14:53 < jwm> my friend/the guy
14:53 < Cisien> lol
14:53 < jwm> lol
14:53 < jwm> I was getting the same thing he got
14:53 < jwm> it said connect to the internet and try again
14:53 < jwm> I tried it a few times
14:53 < jwm> didn't work
14:53 < jwm> I unplugged it and plugged it in and a few minutes later it was up
14:55 -!- SlimG [~SlimG@83.89-20-249.enivest.net] has joined ##openvpn
14:56 < Cisien> there are lists of mj servers on the 'net, you can always and those routes/rules specifically to your vpn box
14:57 < jwm> yeah
14:57 < jwm> I just don't know
14:57 < jwm> it could have something to do with the update
14:57 < jwm> and the device needing you to try a few times
14:58 < jwm> and maybe the mac version isn't working right
14:58 < jwm> :/
14:58 < jwm> I'll try on the mac next
15:00 < Cisien> i should decom my vps box. I'm not going over seas anymore, so i don't really need it
15:07 < jwm> hehe
15:07 < jwm> do you have any dedicated servers hosted anywhere?
15:07 < jwm> I want to get one in sweden :)
15:07 < jwm> I have one with 1and1
15:09 < Cisien> i have one in denver on spry hosting
15:09 < Cisien> just a vps box
15:09 < Cisien> don't use it, don't really need it
15:09 < Cisien> my 22 down 5 up cable service is plenty fast enough to host the random file i need to send to a friend.
15:11 < jwm> hehe
15:11 < jwm> I love having a server
15:11 < jwm> lets me experiment
15:11 < jwm> and host anything reliably :)
15:11 < jwm> including my irc sessions
15:11 < jwm> 20:11 -!- Irssi: Uptime: 122d 5h 6m 50s
15:11 < jwm> hehe
15:12 < Cisien> hehe
15:12 < Cisien> up 101 days,  1:43
15:12 < Cisien> only reason it's 101 days and not more is because the host changed datacenters
15:13 < Cisien> would of been too much downtime to pause the xen host, copy over the network, and resume, for x thousand of users, so they probably fedex'd the mirror hard drives, or something
15:15 < jwm> heh
15:15 < jwm> I don't know if those would of been up to date enough though?
15:16 < Cisien> who knows
15:16 < Cisien> they did it, i didn't notice
15:16 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
15:17 < jwm> pretty impressive
15:17 < Cisien> fedex overnight is probably faster than copying x tb
15:18 < ecrist> *cough*
15:18 < ecrist> ecrist@puma:~-> uptime 3:18PM  up 833 days,  5:20, 4 users, load averages: 0.00, 0.00, 0.00
15:18 < jwm> hehe
15:18 < jwm> what kernel version is that
15:18 < jwm> probably can be remote exploited :)
15:18 < ecrist> freebsd 4.11
15:18 < Cisien> 2.6.25?
15:18 < Cisien> ahh
15:18 < jwm> only reason I reboot is for kernel updates
15:18 < Cisien> you don't need to anymore
15:19 < jwm> yeah I know
15:19 < jwm> kexec
15:19 < jwm> :)
15:19 < jwm> I'm too lazy for that
15:19 < Cisien> wonder if the 2.6.35 kernel will be in testing soon in debian
15:20 < jwm> hehe
15:20 < jwm> I love gentoo
15:20 < jwm> :)
15:21 < Cisien> the only thing i like about gentoo is how up to date it is
15:21 < Cisien> but it's WAY more work than i have time for
15:23  * ecrist works slowly at blowing up $job network.
15:23 < jwm> it's more work initially
15:24 < jwm> but then once it is going I think it's less work in some cases :)
15:24 < jwm> since you can use the latest without having to go out and build from source and find all the latest packages related
15:24 < jwm> I work at a cable company right now
15:24 < jwm> too big to blow up
15:24 < jwm> hehe
15:25 < Cisien> cable company?
15:25 < Cisien> and you've been hacked 5 times?
15:25 < jwm> hah
15:26 < jwm> I'm just a dumb service tech
15:26 < Cisien> marketing department, right?
15:26 < Cisien> lol
15:26 < jwm> haha
15:26 < jwm> god not that bad
15:26 < jwm> that was mean :)
15:26 < jwm> cable company and marketing go together like fire and ice
15:26 < jwm> hehe
15:26 < jwm> we have the most bandwidth coming to anyones house
15:27 < jwm> the lowest latency even better than fibre
15:27 < jwm> and yet people still go out and get shittier tech
15:27 < jwm> just because they hate us
15:27 < jwm> our equipment usually sucks ass because nobody can pull their head out of their ass and try to do any r&d
15:27 < jwm> what's this thing the internut?
15:28 < Cisien> cisco gear :p
15:28 < jwm> heh
15:29  * Cisien wants to be a network engineer when he grows up
15:29 < jwm> blah
15:29 < jwm> networking is weak :P
15:29 < Cisien> love it
15:29 < jwm> plug a few wires in and it works
15:29 < jwm> get some routes right
15:30 < Cisien> haha
15:30 < Cisien> way to over-simplify it
15:30 < Cisien> other than the stuff i did while in the army. I've never really done any network engineering work professionaly
15:31 < Cisien> but i'm "that guy" who always managed to provide everyone with internet connectivity
15:31 < jwm> hehe
15:31 < jwm> you've been to the army and you're still growing up? :)
15:31 < jwm> makes me feel safe :)
15:32 < Cisien> only internet in 30 miles (or more) was a government-paid for/run satellite system.
15:32 < Cisien> only like 6 computers and a few phones on it
15:32 < Cisien> i threw a router on there using NAT, and openvpn to hide my traffic, and presto, instant internet access to anyone who didn't piss me off
15:33 < Cisien> i'm pretty much just starting my career now .... 8 years after i finished college, hah
15:34 < jwm> yeah I am working a dead end job right now
15:34 < jwm> pays the bills
15:34 < Cisien> ya
15:35 < jwm> while I keep gaining more knowledge
15:35 < jwm> I want to do distributed computing stuff
15:35 < jwm> I started a biz a few years ago
15:35 < jwm> haven't paid taxes for it yet though hehe
15:35 < jwm> I've had the domains since 1999
15:35 < Cisien> tisk tisk
15:36 < jwm> heh
15:36 < jwm> I'd like to do web based p2p stuff
15:37 < jwm> to try and avoid firewall tech
15:50 -!- Nuxro [~nux@unaffiliated/nuxro] has joined ##openvpn
15:50 < Nuxro> hi guys, anyone knows how I could authenticate openvpn users against a postgresql db?
15:51 < Cisien> radius?
15:55 < Nuxro> Cisien: radius might work, never used it, though. I was hoping for direct access to postgre :-)
15:55 < Nuxro> Thanks 
15:57 < Cisien> i don't know that openvpn supports that
15:57 < Cisien> maybe as a module or script of some kind?
15:57 < Nuxro> yeah, google didn't return anything meaningful, figured there is no such thing yet
15:58 < Cisien> tap device, hostapd (doesn't that allow 802.1x over wired ethernet?)
16:03 < Nuxro> hm, a script base dauth might just be easier/simpler than radius, thanks for all the ideas :-)
16:03 < Nuxro> cheers
16:03 -!- Nuxro [~nux@unaffiliated/nuxro] has left ##openvpn []
16:10 < jwm> great
16:11 < jwm> now my mac vpn is broken
16:11 < jwm> hehe
16:14 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
16:19 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
16:33 < jwm>   ok
16:33 < jwm> weird
16:33 < jwm> openvpn on the mac doesn't add a static route to the vpn server when doing def1
16:34 < jwm> I wonder if tunnelblick is for my friend
16:45 < ecrist> tunnelblick is nice
16:47 -!- star314 [~star314@starnet1.sinh.us] has joined ##openvpn
16:58 < kisom> Anyone else not having a TV at home?
16:58 < kisom> Yeah, a bit off topic...
16:58 < kisom> haven't had one for 5-6 years now
17:01 < reiffert> kisom: does it help?
17:01 < reiffert> jwm: check the "set nameserver" option in tunnelblick -> details
17:02 < kisom> reiffert: What do you mean by "help"?
17:02 < reiffert> kisom: some kind of improvement.
17:02 < kisom> Well, yeah
17:03 < kisom> I hate commercial TV, ads every 5 minute
17:03 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 240 seconds]
17:04 < kisom> Even more, I hate PAYING to be able to watch ads
17:05 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
17:10 -!- star314 [~star314@starnet1.sinh.us] has quit [Quit: Leaving]
17:14 -!- gorkhaan [~gorkhaan@adsl-101-61.globonet.hu] has quit [Quit: Távozom]
17:20 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Read error: Operation timed out]
17:20 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
17:24 < SlimG> kisom: I'm soon celebrating my first year without TV (active choice), gives me a lot more productive time in front of the computer :)
17:25 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
17:25 < SlimG> Thanks to a nice internet connection I can choose to watch the TV programs I like without wasting my life on ads
17:30 -!- SlimG [~SlimG@83.89-20-249.enivest.net] has quit [Quit: <madness>]
17:49 < kisom> I rarely watch TV programs...
18:10 -!- redd [~unknown@unaffiliated/redd] has joined ##openvpn
18:11 < redd> !welcome
18:11 < vpnHelper> redd: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:24 -!- b166r [~b166er@83-131-44-140.adsl.net.t-com.hr] has joined ##openvpn
18:25 < b166r> hi, i am always geting "RESOLVE: Cannot resolve host address: my-server-1" errors, anyone here got an idea what could that be? 
18:34 -!- Miland3r [~mnk@196-210-181-43.dynamic.isadsl.co.za] has quit [Ping timeout: 265 seconds]
18:49 -!- b166r [~b166er@83-131-44-140.adsl.net.t-com.hr] has quit []
19:02 -!- redd [~unknown@unaffiliated/redd] has quit []
19:15 -!- oblivionissalvat [~ELD@ool-4571334f.dyn.optonline.net] has joined ##openvpn
19:15 < oblivionissalvat> !welcome
19:15 < vpnHelper> oblivionissalvat: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:15 < oblivionissalvat> ah fuck this
19:15 < oblivionissalvat> ill just figure it out
19:15 -!- oblivionissalvat [~ELD@ool-4571334f.dyn.optonline.net] has left ##openvpn []
20:04 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
20:05 -!- SOG [~SOG@222.125.226.58] has quit [Quit: SOG]
20:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
20:29 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
20:52 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Remote host closed the connection]
20:52 -!- mosno [~mosno@unaffiliated/mosno] has joined ##openvpn
21:14 < oc80z> !netmap
21:14 < vpnHelper> oc80z: Error: "netmap" is not a valid command.
21:14 < oc80z> !help netmap
21:14 < vpnHelper> oc80z: Error: There is no command "netmap".
21:15 < oc80z> !wiki
21:15 < vpnHelper> oc80z: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
21:15 < oc80z> hey new wiki up?
21:15 < oc80z> netmap configs, tnx.
21:16 < oc80z> i am 96% through, 
21:26 < jwm> I have several eth0 ip aliases
21:26 < jwm> how do I tell iptables to use only one specific one
21:27 < jwm> I guess an iptables question
21:27 < jwm> hehe
21:29 < Cisien> can't you reference the interface alias, or even by ip address?
21:29 < jwm> in the ruleset?
21:29 < jwm> well you'd figure 10.0.0.1 would go through the main first ip eth0
21:29 < jwm> not eth0:0
21:29 < theDoc> You will want to reference it by ip.
21:29 < jwm> Chain POSTROUTING (policy ACCEPT)
21:29 < jwm> target     prot opt source               destination         
21:29 < jwm> MASQUERADE  all  --  10.0.0.0/24          anywhere   
21:30 < jwm> that's my setting atm
21:30 < jwm> I don't quite understand why sometimes it is the main eth0 ip and sometimes it is eth0:0
21:30 < jwm> hehe
21:35 < jwm> hmm
21:56 -!- Raccoon- [~bismuth@unaffiliated/raccoon] has quit [Ping timeout: 240 seconds]
22:01 -!- Miland3r [~mnk@196-210-159-26.dynamic.isadsl.co.za] has joined ##openvpn
22:06 < jwm> cool I learned it
22:06 < jwm> I was using masquerade instead of SNAT
22:12 -!- Miland3r [~mnk@196-210-159-26.dynamic.isadsl.co.za] has quit [Quit: Leaving]
22:17 -!- Kurogane [~kuro@190.87.69.217] has joined ##openvpn
22:19 < mosno> i have revoked a certificate so that ClientA cannot connect to ServerA. after the revocation, the openvpn client connection status hangs after verification of the server cert. is this normal? i would have expected some rejection message instead of just a hang.
22:19 < mosno> ie. the procedure stalls with status "connecting" 
22:20 < mosno> instead of saying "the server rejected your certificate"
22:20 < mosno> ps. this is openvpn 2.0 server
22:25 < mosno> the openvpn howto says "Now all connecting clients will have their client certificates verified against the CRL, and any positive match will result in the connection being dropped."
22:49 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
23:05 -!- joako [~joako@opensuse/member/joak0] has joined ##openvpn
23:06 < joako> I have openvpn working but there are two subnets on the LAN, how do I make the clients aware of this?
23:06 < theDoc> !lans
23:06 < vpnHelper> theDoc: "lans" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
23:07 < joako> So I just add push route option?
23:07 < theDoc> Yes.
23:11 < joako> When I add it and restart openvpn the option is removed
23:12 < Cisien> openvpn doesn't modify it's config file, to my knowledge
23:14 < theDoc> You specify it as a config option in the server.
23:15 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Operation timed out]
23:16 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
23:18 < joako> Well I edit the config file and do /etc/init.d/openvpn restart or reload and it removes the line I added
23:19 < theDoc> It shouldn't.
23:19 < theDoc> That's odd.
23:21 < joako> So how do I edit my configuration
23:24 < Cisien> theDoc, still can't pass traffic to my android phone. same configs work everywhere else though -- openwrt router, win7 laptop
23:25 < Cisien> i'm guessing it's some bit i need to flip somewhere in /proc/sys on the phone
23:26 < joako> Now after I tried to edit the config file the entire openvpn will not route traffic
23:28 < Cisien> joako, what distro?
23:28 < joako> Cisien, CentOS 5
23:28 < Cisien> hrm..
23:28 < Cisien> sounds like you hozed something, toss it on pastebin
23:29 < joako> Cisien, All I did was added push "route 192.168.1.0 255.255.255.0"
23:29 < joako>  in clients.conf and when I restart the service it goes away. And now I can connect but not passing traffic
23:29 < Cisien> i've never used a split config, except a ccd conf file for specific clients
23:30 < Cisien> unless clients.conf is on the client....
23:30 < joako> Cisien, then which is the file I need to edit?
23:30 < Cisien> server
23:30 < joako> But I think that is right because I need to push a route to the client
23:31 < joako> I don't have a file named server
23:31 < Cisien> i gotta head into work. i might be back on soonish if i don't have a steamer waiting for me
23:31 < Cisien> whatever your server config file is called
23:32 < joako> in /etc/openvpn all i have is clients.conf auth-ldap and keys
23:32 < Cisien> are you running the server?
23:32 < joako> Yes
23:33 < Cisien> well, i'm not sure how you have things setup then. I gotta head into work, good luck
23:34 < joako> How can I see more info in the client like what routes are pushed to it?
--- Day changed Mon Aug 30 2010
00:06 -!- dxtr [dxtr@unaffiliated/dxtr] has quit [Read error: Operation timed out]
00:10 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
00:12 -!- dxtr [dxtr@unaffiliated/dxtr] has joined ##openvpn
00:14 < mosno> roughly how long does build-dh take for a 2048-bit long safe prime on a Core i5 running Windows 7 64-bit?
00:32 < reiffert> hours.
00:39 -!- skae [~skae@CPE001217be77bd-CM00122583cda0.cpe.net.cable.rogers.com] has joined ##openvpn
00:45 -!- skae [~skae@CPE001217be77bd-CM00122583cda0.cpe.net.cable.rogers.com] has left ##openvpn []
00:45 -!- skae [~skae@CPE001217be77bd-CM00122583cda0.cpe.net.cable.rogers.com] has joined ##openvpn
01:16 -!- skae [~skae@CPE001217be77bd-CM00122583cda0.cpe.net.cable.rogers.com] has quit [Quit: skae]
01:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
01:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 246 seconds]
01:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
01:48 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:48 -!- mode/##openvpn [+o mattock] by ChanServ
01:50 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
02:01 < mosno> reiffert, thankfully it finished before i went insane =)
02:01 -!- mosno [~mosno@unaffiliated/mosno] has quit [Quit: Leaving]
02:09 -!- talcite [~Matthew@bas4-toronto21-2925504527.dsl.bell.ca] has quit [Quit: Ex-Chat]
02:12 -!- krzie [~k@unaffiliated/krzee] has joined ##openvpn
02:17 -!- joako [~joako@opensuse/member/joak0] has quit [Read error: Connection reset by peer]
02:22 -!- Kurogane [~kuro@190.87.69.217] has quit [Remote host closed the connection]
02:31 -!- openbsdnoob [~openbsdno@88.79.221.61] has quit [Quit: byebye]
02:42 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
02:44 -!- skae [~skae@CPE001217be77bd-CM00122583cda0.cpe.net.cable.rogers.com] has joined ##openvpn
02:44 -!- skae [~skae@CPE001217be77bd-CM00122583cda0.cpe.net.cable.rogers.com] has quit [Client Quit]
03:06 -!- Gud [~erik@78-70-22-214-no94.business.telia.com] has quit [Read error: Connection reset by peer]
03:06 -!- Gud [~erik@78-70-22-214-no94.business.telia.com] has joined ##openvpn
03:32 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
03:36 -!- zplinux [~zplinux@213.8.57.217] has joined ##openvpn
03:36 < zplinux> hi all
03:36 < zplinux> is it possible to have many clients connect to one server and not have them talk to each other?
03:37 < zplinux> and I dont mean the client-to-client option
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
04:11 < vpnHelper> RSS Update - forum: Installation Help :: Re: Problem with TAP-Driver in 2.1.2 on Win7 x64 :: Reply by Intruder73 <https://forums.openvpn.net/viewtopic.php?f=5&t=7014&p=7696#p7696>
04:15 < ksk> hello
04:16 < ksk> do you guys know a way to set the MAC of the TAP device in win7 via cmd or sth similar?
04:18 -!- SOG [~SOG@61.144.230.241] has quit [Quit: I will be back!]
04:22 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
04:28 -!- openbsdnoob [~openbsdno@88.79.221.61] has joined ##openvpn
04:37 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
04:43 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Read error: Operation timed out]
04:57 -!- LowKey [rhel@unaffiliated/lowkey] has joined ##openvpn
04:57 -!- dazo_afk is now known as dazo
05:00 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
05:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
05:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:23 -!- slava_dp| [d46fc15a@gateway/web/freenode/ip.212.111.193.90] has joined ##openvpn
05:24 < slava_dp|> hi guys. I have a 192.168.23.0/25 network at a remote place with a linux router, and I'd like to openvpn to it, and to be able to see it's windows shares. but the less traffic goes over the vpn link, the better, because traffic is limited there. if I bridge vpn and LAN, all broadcasts will go over the VPN. what about proxy arp, any thoughts? also, should I use tun or tap? I've seen examples using both on the net.
05:44 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
05:45 -!- Jarpse [~jarpse@cluon.soleus.nu] has joined ##openvpn
05:54 -!- zzattack [zzattack@21-78-ftth.onsneteindhoven.nl] has joined ##openvpn
05:54 < zzattack> !welcome
05:54 < vpnHelper> zzattack: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:56 < zzattack> !howto
05:56 < vpnHelper> zzattack: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:09 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:21 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
06:25 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
06:27 -!- hawken [hawken@250.84-48-212.nextgentel.com] has joined ##openvpn
06:27 < hawken> Hello :)
06:28 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
06:28 < hawken> I have a routed VPN at my server.
06:28 < hawken> And I am trying to set up a certificate VPN but the route thing is weird.
06:28 < hawken> Say, 10.159.2.0/24 is routed at layer 2 (using server-bridge)
06:29 < hawken> But 10.159.0.0/16 is supposed to be routed through the VPN as well, but with the server as gateway
06:29 < hawken> Any ideas?
06:33 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
06:37 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
06:37 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
06:44 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
06:50 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
06:52 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
06:57 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
06:58 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
06:59 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
07:02 -!- seraphim [~seraphim@Talustus-2-pt.tunnel.tserv6.fra1.ipv6.he.net] has joined ##openvpn
07:02 < seraphim> hi
07:03 -!- hawken [hawken@250.84-48-212.nextgentel.com] has left ##openvpn []
07:03 < seraphim> got some problem, i´m using openvpn server and openvpn win32 precompiled and if i set a static ip + gateway at the network adapter tcp/ip settings it gets dropped if i reconnect to the server
07:03 < seraphim> it only happens on one machine, on another it works fine
07:12 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
07:13 < seraphim> noone in here?
07:13 < seraphim> all gone ^^
07:14 -!- seraphim [~seraphim@Talustus-2-pt.tunnel.tserv6.fra1.ipv6.he.net] has quit [Quit: There is no quit message]
07:14 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
07:14 -!- seraphim [~seraphim@unaffiliated/seraphim] has joined ##openvpn
07:14 < seraphim> re
07:22 < seraphim> it´s strange
07:22 < seraphim> it always dropps the settings...
07:23 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
07:25 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
07:27 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
07:44 < seraphim> got some problem, i´m using openvpn on windows as client, every time i connect it drops the tcp/ip settings i configured for the adapter which causes the loose of the gateway information
07:44 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
07:47 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
07:48 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
07:50 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
07:54 <@dazo> seraphim:  chill ... please be patient ... there are several windows users here with a lot of knowledge ... they're just busy with other things ... they show up here eventually if they have some clues
07:54 <@dazo> seraphim:  in the mean time ... please check out !welcome
07:54 <@dazo> !welcome
07:54 < vpnHelper> dazo: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:55 < seraphim> *sigh* client and server config?
07:56 <@dazo> we don't like to work in blindness
07:56 < seraphim> ok ^^
07:57 < seraphim> what if i say they are similar to the configs at the tutorial except the IP bind for the server and the paths for the certs?
07:57 <@dazo> !logs
07:57 < vpnHelper> dazo: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
07:58 < seraphim> logs are on the way
07:58 <@dazo> but be prepared to share the configs, according to !configs 
07:58 <@dazo> !configs
07:58 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
07:59 <@dazo> please *note* the grep command line ...
08:00 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
08:00 < seraphim> http://pastebin.com/2Vk1Tiyz <--logfile
08:01 <@dazo> seraphim:  you gotta be kidding me!!!!
08:01 <@dazo> OpenVPN 2.1_beta7 Win32-MinGW [SSL] [LZO2] built on Nov 12 2005
08:02 < seraphim> ?
08:02 <@dazo> 2.1_beta7!?!?!?  please go an update!  2.1.3 was released a few days ago
08:02 < seraphim> oO
08:02 < seraphim> ok... sry then
08:02 < seraphim> got the version today from zdnet.de
08:02 < seraphim> lets try...
08:03 <@dazo> *always* go for the official download places ... not such lame download-collector places like zdnet, tuccows or similar ... they're always lagging
08:03 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
08:04 < seraphim> lol now .net framework is missing... lets install it, too...
08:04 <@dazo> seraphim:  not that one
08:05 <@dazo> you need to go to the community pages
08:05 < seraphim> ok
08:05 < seraphim> a bit confusing for a newbie to openvpn ^^
08:06 <@dazo> the openvpn is confusing its users with a Access Server client on the front page ... that's no good for you, as that's their commercial product
08:06 < seraphim> the first time i thought "what the hell" as i read about licenses...
08:06 <@dazo> yeah, completely agree!  And we're trying to get this mess sorted out
08:08 < ksk> ah, cool you are aware of that
08:09 < seraphim> k lets try..
08:10 < seraphim> again dropped...
08:10 <@dazo> then new log files - both server and client
08:11 <@dazo> ksk:  yeah ... it's was quickly mentioned in one of the previous devel meetings, and I intend to bring it up again with James
08:11 < seraphim> http://pastebin.com/aDr6vVDq client
08:12 < seraphim> /etc/openvpn/openvpn-status.log ?
08:13 <@dazo> seraphim:  nope ... whatever log file configured with 'log' in the server config
08:13 <@dazo> seraphim:  and this is not with --verb 5 
08:13 <@dazo> please, logs again - both sides with 'verb 5' in the config files
08:14 < seraphim> ok
08:16 < seraphim> i´ll notice the link to the paste to you because of more or less private informations ok?
08:17 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
08:18 < seraphim> both sent via notice
08:19 < ksk> thats kinda fail imho *G*
08:19 < seraphim> ?
08:19 < ksk> u trust him because of this "@" infront of his nick?
08:19 < seraphim> ksk it´s easier to trust a single person than 116 persons
08:20 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
08:20 < seraphim> u see?
08:20 < ksk> nope. its sensitive information given to an unknown person or its not
08:21 < ksk> ./topic closed for me
08:21 < seraphim> ^^
08:21 < ksk> didnt want to disturb you
08:23 < seraphim> if anything happens it should take only 10 minutes and the data he got is useless
08:28 < seraphim> dazo got any idea?
08:28 < seraphim> on desktop it works fine
08:29 < seraphim> on eeepc it drops the settings
08:29 < seraphim> for some reason
08:31 < ksk> people often do not like personal messages, too ;)
08:31 < seraphim> but he doesn´t even complain ^^
08:32 < ecrist> seraphim: for proper support in this channel, it's best if you either post your config as-is, or remove your server address and such.
08:32 < ecrist> using PM for pastebin is frowned upon
08:34 < seraphim> http://pastebin.com/G15XN1kj status log of the server
08:35 <@dazo> seraphim:  the status log is useless ... I want the server log ... if you don't have a 'log' statement in the server config ... put one there and pastebin that file
08:36 < seraphim> http://pastebin.com/ta2DKtkj
08:36 < seraphim> ok
08:37 <@dazo> seraphim:  sending pastebin links as notice, that's fine ... but don't ever dare to PM me a complete log file ... then I'll haunt you badly! ;-)
08:38 < seraphim> http://pastebin.com/7DhCrP6h
08:38 <@dazo> seraphim:  the last pastebin ... is that server or client? ... looks like client once again .... we need to see the server side now
08:38 < seraphim> first client last server
08:39  * dazo looks at the last link
08:40 <@dazo> seraphim:  you're running old server version as well ... not the worst one, but please update that one as well to 2.1.2 or 2.1.3
08:40 < seraphim> i´ve used apt-get install openvpn
08:40 <@dazo> and is that the complete log file?
08:40 < seraphim> that´s it
08:40 <@dazo> seraphim:  it's debian system?
08:40 < seraphim> yes
08:40 < seraphim> the version can´t be the problem
08:41 < seraphim> on my desktop pc it works fine
08:41 < seraphim> on my eeepc it resets the config
08:41 < seraphim> same OS same service pack
08:41 < seraphim> same FW same AV
08:41 <@dazo> seraphim:  as I said, rc11 isn't the worst version ... but its still old ... anyhow, this server log is still not --verb 5
08:42 < seraphim> hmm
08:42 < seraphim> may i should try force reload
08:42 <@dazo> force restart, please
08:46 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
08:47 < seraphim> http://pastebin.com/rpzuxmyr
08:47 < seraphim> what the hell... where are those rW´s from?
08:49 <@dazo> the r/R and w/W indicates the read/write to/from the client/server
08:49 <@dazo> they appear with --verb 5
08:49 < seraphim> ah ok
08:49 <@dazo> what does the server log say when the client disconnects?
08:50 <@dazo> (you might need to wait some minutes before the server registers the connection as dead)
08:52 < seraphim> k
08:53 <@dazo> and I also don't see the client log when the you're dropped .... from what I see here, is a perfectly normal and healthy connection setup ... and data are transported
08:53 < seraphim> yeah
08:54 < seraphim> but if i connect it resets the tcp/ip configuration for the tap network adapter set to a static ip + gateway
08:54 < seraphim> only on one system
08:55 < seraphim> that´s really strange...
08:56 <@dazo> then you need to show server (including client-config-dir config) and client configs 
08:56 < seraphim> ok...
08:57 <@dazo> and remember to *remove* all comments
08:57 <@dazo> we want to see the "core" config file
08:58 <@dazo> but I begin to wonder whats your problem ... I got the impression in the beginning that you lost connection to the OpenVPN server after a little while ... what exactly happens?
08:58 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 255 seconds]
08:59 < seraphim> i think you didn´t get my problem ^^
08:59 <@dazo> obviously :)
09:00 < krzee> moin moin
09:01 < seraphim> i´ve configured the tcp/ip settings under windows xp for the VPN adapter to IP 10.8.0.10 subnet 255.0.0.0 gateway 10.8.0.1, works fine on my desktop pc, but if i connect with the openvpn client on my eepc the openvpn sets the tcp/ip options back to "retrieve automatically" (DHCP) and i´ve got no gateway configured for the network adapter
09:01 < seraphim> both pc´s got same OS, same firewall
09:03 < seraphim> of course the desktop pc got an different ip
09:03 < seraphim> i´m not that dumb ^^
09:03 <@dazo> krzee:  moin!
09:04 < seraphim> hmm warum zum teufel schreib ich eigentlich auf englisch kann mir das einer sagen?
09:04 < seraphim> ^^
09:05 < hyper_ch> seraphim: because most people in here know only english as common languagne denominator?
09:05 < seraphim> indeed
09:05 < seraphim> ^^
09:05 <@dazo> seraphim:  how is the client configs different from the clients?  and do you use client-config-dir on the server?
09:06 < seraphim> the client config at eeepc just differs in the paths to the certs
09:06 < seraphim> client-config-dir?
09:06 -!- slava_dp| [d46fc15a@gateway/web/freenode/ip.212.111.193.90] has quit [Quit: Page closed]
09:06 < hyper_ch> !ccd
09:06 < vpnHelper> hyper_ch: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
09:06 < hyper_ch> seraphim: pastebin your client config
09:06 < seraphim> if it helps: i followed the howto http://openvpn.net/index.php/open-source/documentation/howto.html#install to set it up
09:06 < vpnHelper> Title: HOWTO (at openvpn.net)
09:06 < seraphim> ok
09:07 < hyper_ch> someone actually reads the howto? oO
09:07 < hyper_ch> is the world going down?
09:07 < seraphim> http://pastebin.com/Q2bQ8NMH <-- client config
09:08 < seraphim> hyper_ch yes some people are that crazy ^^
09:08 < seraphim> i´ve read it ´cause the other howtos i´ve found suck
09:09 < hyper_ch> wanna read my howto?
09:09 < hyper_ch> ^^
09:09 < seraphim> ^^
09:09 < seraphim> too late hyper_ch :P
09:09 < hyper_ch> I wonder, do I still have the wrong config in there
09:10 < hyper_ch> yeah, my howto is still buggy
09:10 < seraphim> congratulations
09:10 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
09:10 < seraphim> you don´t want to know how many potential users of openvpn you frightened :P
09:10 < hyper_ch> not many
09:11 < hyper_ch> according to PiWiK
09:14 < krzee> whats piwik?
09:14 < hyper_ch> it's a stats analyzer
09:14 < hyper_ch> http://piwik.org/
09:14 < vpnHelper> Title: Piwik - Web analytics - Open source (at piwik.org)
09:15 <@dazo> it's a pretty nice one actually
09:15 < hyper_ch> well, it's good that you can use it on multiple sites
09:15 < hyper_ch> otherwise I'd use slimstats
09:15 -!- bramgn is now known as Cmdr_W_T_Riker
09:16 < krzee> ahh cool
09:16 < krzee> i use awstats
09:17 < krzee> (aka i only analyze logs)
09:18 < zzattack> i'm having a bit of trouble getting openvpn to create a tap device in a freebsd jail. could anyone assist me with that?
09:18 < krzee> !fbsdjail
09:18 < vpnHelper> krzee: "fbsdjail" is <thei0s> krzie: if you are interested in the solution: I needed to add to hosts rc.conf the creation of tun0 device, create a special devfs ruleset with tun0 unhiden, configure that it is used in the devfs mount point inside chroot in my jail and specify openvpn --dev tun0 parameter and it seems that this is it... so, thank you for assistance and ideas
09:18 < krzee> =]
09:19 < zzattack> ah. i must be close then 
09:21 < reiffert> moin
09:21 < krzee> moinmoin buddy
09:22 < reiffert> busy like hell is getting down to busy these days
09:22 < reiffert> guess what I've had a free weekend recently
09:23 < reiffert> switching off the phones had helped a lot :)
09:23 < zzattack> krzee: do you know how creation of the tun0 device, is done in rc.conf?
09:24 < reiffert> krzee: I remember our last conversation and that I didnt read about your current location, just something with you on holidays.. still there?
09:31 < ksk> are the community installer packages for win created with NSIS?
09:31 < zzattack> yeah
09:32 < ksk> is it possible to get the used scriptfiles?
09:33 < krzee> reiffert, nah im back on the island now
09:37 < ksk> at openvpn.net is a document from 2005 - no chance for an update?
09:39 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has joined ##openvpn
09:44 -!- le0 [~fin@unaffiliated/le0] has quit [Read error: Connection reset by peer]
09:45 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
09:47 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
09:49 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has quit [Ping timeout: 272 seconds]
10:04 < krzee> ksk, 
10:04 < krzee> !win_rollup
10:04 < vpnHelper> krzee: "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
10:04 < Dougy> yo jeff
10:04 < Dougy> whats up
10:05 < hyper_ch> the ceiling
10:05 < krzee> sup Dougy, walking yet?
10:05 < Dougy> nope
10:05 < krzee> zzattack, not sure
10:05 < Dougy> as a matter of fact
10:06 < Dougy> i am going to try for the first time in about one hour
10:06 < krzee> gl
10:06 < Dougy> its gonna fuckin hurt
10:06 < Dougy> lol
10:07 < Dougy> i start school thursday too. so i have a lot of work to do..
10:07 < krzee> werd
10:07 < krzee> ill bbiaf
10:07 < Dougy> k
10:07 -!- krzee [~k@unaffiliated/krzee] has quit [Quit: Leaving]
10:12 < vpnHelper> RSS Update - forum: Configuration :: Configure OpenVPN Client as default gateway :: Author fuzzie <https://forums.openvpn.net/viewtopic.php?f=6&t=7051&p=7695#p7695> || Configuration :: connecting 192.168.1.x to 192.168.1.x :: Author emrandle <https://forums.openvpn.net/viewtopic.php?f=6&t=7052&p=7697#p7697> || Configuration :: Re: Connection dies after 4-7 minutes. Client :: Reply by medleev <https://forums.openvpn.net/viewtopic.php
10:15 -!- dazo is now known as dazo_afk
10:15 -!- dazo_afk is now known as dazo
10:17 < Dougy> hey dazo
10:17 <@dazo> Dougy:  hey!
10:17 < Dougy> how goes
10:17 <@dazo> fast! :)
10:17 <@dazo> u?
10:19  * dazo need to restart irc client again
10:20 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
10:22 -!- a1ex [a1ex@tnix.de] has left ##openvpn []
10:29 < Dougy> dazo:  ok i guess
10:29 < Dougy> sore today
10:30 -!- Jay2k1 [~J@85.183.203.242] has joined ##openvpn
10:30 <@dazo> sore? .... not sure I want to know where and why!
10:30 < Dougy> my leg
10:30 <@dazo> heh :)
10:30 < Jay2k1> hello
10:31 < Dougy> hi
10:31 < Jay2k1> i have a corporate network. now i want to allow road warriors to connect to it. insite our network, only registered computers get an IP address by the DHCP (registered as in the DHCP server knows the client's MAC address)
10:32 < Jay2k1> i thought it'd be smart and a bit of increased security if i'd create a bridging vpn where our regular DHCP server would also assign IPs to VPN clients
10:33 < Jay2k1> it took me some time until i realised that they connect with their TAP device - which has a different MAC address than the LAN adapter
10:33 < Jay2k1> i guess there's no way to clone that MAC to the TAP adapter right?
10:34 < Jay2k1> besides, i guess that wouldn't even make sense
10:35 < ksk> may it be that your newest installer does not remove registry entries in uninstalling?
10:35 < ksk> it breaks if you try to install (another) openvpnclient in an different location
10:35 < ksk> after deleting these entries everything is fine
10:43 < ksk> mhm. should have been my mistake
10:58 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
11:12 < Cisien> Jay2k1, the certificate doesn't provide an equiv level of security?
11:15 < Jay2k1> well, i guess it does
11:15 < Jay2k1> i just thought, users with some more knowledge might be able to just copy it to another computer
11:16 < Jay2k1> imagine some developer who has a corporate notebook with VPN access
11:16 < Jay2k1> at home he thinks "my desktop machine is way faster, i have three screens and whatnot, i'll use that one to work"
11:17 < Jay2k1> i want to avoid that non-corporate computers dial in to the VPN, they don't have our internet security software, they might be infected with trojans from warez etc
11:17 < Cisien> Jay2k1, any joker can learn how to clone a MAC too
11:18 < Jay2k1> true, but - although that's security by obscurity - the jokers don't necessarily know why they won't get an IP address with other computers
11:18 < Cisien> you can always add the tap adapter's mac address
11:19 < jpalmer> Jay2k1: you'll need some software in addition to your VPN solution then.   I've seen software that has VPN clients sandboxed until they verify the appropriate software is installed.  it was all done with login scripts.
11:19 < Jay2k1> heh yeah, microsoft has that
11:19 < Cisien> is your network windows based or *nix?
11:19 -!- zplinux [~zplinux@213.8.57.217] has quit [Quit: Leaving]
11:20 < Jay2k1> checks for forefront security, that its signatures are up to date and that windows updates are installed
11:20 < Cisien> yeah
11:20 < Jay2k1> servers are debian, clients are winXP/win7/mac os x
11:20 < jpalmer> you can do the same using up/down scripts on openvpn.  write an up-script that queries the client for software.  if it's not found, you don't allow them past that point on the firewall.   if they do,  allow access
11:22 < Jay2k1> i didn't know you could do such things with openvpn :o
11:23 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
11:25 -!- seraphim [~seraphim@unaffiliated/seraphim] has left ##openvpn []
11:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:29 < Cisien> can you push an up script?
11:29 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
11:30 < Cisien> i suppose you can mount a network share from a box that lives in the sandbox
11:34 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
11:35 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined ##openvpn
11:51 < ksk> is there a way to make windows openvpn client set the MAC of the used TAP device?
12:08 < zzattack> !fbsdjail
12:08 < vpnHelper> zzattack: "fbsdjail" is <thei0s> krzie: if you are interested in the solution: I needed to add to hosts rc.conf the creation of tun0 device, create a special devfs ruleset with tun0 unhiden, configure that it is used in the devfs mount point inside chroot in my jail and specify openvpn --dev tun0 parameter and it seems that this is it... so, thank you for assistance and ideas
12:15 -!- Jay2k1 [~J@85.183.203.242] has quit []
12:17 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 252 seconds]
12:24 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
12:31 < hyper_ch> krzie: http://www.nature.com/news/2010/100829/full/news.2010.436.html
12:31 < vpnHelper> Title: Hackers blind quantum cryptographers : Nature News (at www.nature.com)
12:34 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
12:37 < krzie> holy shit
12:38 < krzie> i didnt even know anyone figured out how to MAKE quantum encryption, much less hack it
12:39 < hyper_ch> krzie: I've enlightened you :)
12:40 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
12:40 < krzie> in 2 months!?!?
12:40 < krzie> WOW
12:41 < krzie> nice man, thanx for the link
12:42 < hyper_ch> will you refer to me in future as your god?
12:42 < krzie> negative
12:42 < krzie> it has taken you FAR longer than god to make a web based confgen ;)
12:43 < hyper_ch> dammit :(
12:46 < Dougy> 2months
12:46 < Dougy> i walked in 2months
12:47 < Dougy> first time
12:47 < Dougy> wootoototwotottotow
12:47  * Dougy fist pump
12:48 -!- dazo is now known as dazo_afk
12:48 -!- dxtr [dxtr@unaffiliated/dxtr] has quit [Read error: Operation timed out]
12:48 < hyper_ch> what did you do for the last 2 months?
12:49 -!- dxtr [dxtr@unaffiliated/dxtr] has joined ##openvpn
12:55 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has joined ##openvpn
12:55 < zzattack> krzie: i'm having some trouble getting either tun0 or tap0 exported to my jail. how did you get it working?
12:57 < Dougy> hyper_ch: sat on my ass
12:58 < Dougy> and walked on crutches, no use of right leg
12:58 < Dougy> lol
12:58 < zzattack> :(
12:58 < Dougy> WOOT my knives shipped today!!!!!!!!
12:58 < hyper_ch> crutches... good too to beat other people up
12:58 < Dougy> dude i know
12:58 < Dougy> i can stand and kinda walk now but imma take em to school with me and walk on them
12:58 < Dougy> first person that busts my balls
12:58 < Dougy> im gonna be like watch this
12:58 < Dougy> and stand up w/o them and smash them in the face
13:00 -!- pcard [~pc@unaffiliated/jl-picard] has quit [Remote host closed the connection]
13:08 < Dougy> http://www.de-cix.net/content/network.html
13:08 < vpnHelper> Title: DE-CIX - Network (at www.de-cix.net)
13:08 < Dougy> damn 0_0
13:23 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 252 seconds]
13:25 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
13:26 -!- krzie [~k@unaffiliated/krzee] has quit [Ping timeout: 252 seconds]
13:29 -!- ghostknife [~quintin@wbs-41-208-199-253.wbs.co.za] has joined ##openvpn
13:29 < ghostknife> How would one use a script like this: https://community.openvpn.net/openvpn/browser/contrib/OCSP_check/OCSP_check.sh?rev=cfed13cf2b8c8a16587fb48d77d64e50ee020a6d
13:29 < vpnHelper> Title: /contrib/OCSP_check/OCSP_check.sh – OpenVPN Community (at community.openvpn.net)
13:30 < ghostknife> Are there any ways to hook shell scripts into the OpenVPN service, to (for instance) aid in the authentication of a user
13:31 < ghostknife> For example, if the script determines the client cert to have certain properties, then instruct OpenVPN to resort to username/password authentication, etc.
13:33 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
13:50 < Bushmills> ghostknife: --client-connect server side
13:51 < Bushmills> but client will have to have connected already for that
13:55 < Bushmills> --auth-user-pass-verify might be helpful at pre-connect time
13:56 < ghostknife> hmmm
13:56 < ghostknife> thanks
13:56 < ghostknife> I assume if you do client cert auth, then it will verify the cert before it gets to auth-user-pass ?
13:56 < ghostknife> let me test though
13:56 < ghostknife> just a slow conn
13:57 < Bushmills> what do you need a connect helper script if client does key auth?
13:57 < havoc> yay! looks like a new/fixed openvpn for download :)
13:58 < ghostknife> We have the problem that some of ours certs have been shared by people. To filter through these certain certs will require username/password as well
13:58 < ghostknife> if possible
13:58 < ghostknife> else we'll just have to force these people to get a new cert
13:59 < ghostknife> problem is just that we want as little possible maintenance for this specific VPN connection, because it's purely for accessing a mail server
13:59 < ghostknife> and besides, the ability to do either/and/or can always help
14:01 -!- zpm [~cpm@pool-173-79-225-195.washdc.fios.verizon.net] has joined ##openvpn
14:02 < ghostknife> in fact, thinking about it, we should prompt for a username all the time. having a cert alone means if the PC gets stolen the theif has easy access to the network. if he's smart enough
14:03 < zpm> hello all
14:03 < zpm> I have tried maybe 3-6 configs and I am stumped
14:03 < zpm> i have a network with router/nat/gateway at 192.168.1.1
14:03 < zpm> and i have a openvpn server at 192.168.1.222
14:04 < zpm> and I would like clients from other 192.168.1.x networks to connect to my server
14:04 < zpm> and have it give them a 10.x.x.x address
14:04 < zpm> I am not able to figure this out
14:04 < zpm> I am open to any and all suggestions
14:05 < ghostknife> how do i specify the user/pass on the client
14:05 < ghostknife> I don't see the option in --help
14:06 < ghostknife> oh wait, I see now. auth-user-pass is a client side option
14:06 < ghostknife> I thought it was server side. my bad
14:08 < zpm> ._.
14:10 -!- Dougy [~doug@208.99.80.128] has quit [Ping timeout: 260 seconds]
14:11 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
14:13 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
14:15 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
14:18 < zpm> fuck it
14:18 < zpm> this piece of shit is too difficult to configure
14:20 -!- zpm [~cpm@pool-173-79-225-195.washdc.fios.verizon.net] has left ##openvpn ["Leaving"]
14:22 -!- plaerzen [~carpe@vip1.tundraeng.com] has quit [Remote host closed the connection]
14:26 < ghostknife> shame
14:26 < ghostknife> if only he knew it wasn't
14:27 < ghostknife> err, i didn't even notice his message. sorry dude.
14:32 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
14:32 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:36 -!- zzattack [zzattack@21-78-ftth.onsneteindhoven.nl] has quit []
14:36 -!- sigi [~sigius@93.125.185.45] has quit [Ping timeout: 240 seconds]
14:43 -!- Dougy [me@208.99.80.128] has joined ##openvpn
14:43 < Dougy> .
14:49 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
14:52 -!- nickelnick [~nickelnic@168.103.65.93] has joined ##openvpn
14:52 < nickelnick> hello all
14:52 < nickelnick> i am trying to find a good guide online to install for suse11
14:53 < nickelnick> or maybe someone could tell me why i am not able to obtain ip address with my win client
14:53 < Bushmills> !howto
14:53 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:53 < Bushmills> because you did something wrong
15:07 < KipMacy> I got topology subnet working finally, life is good
15:11 < ghostknife> nice
15:11 < ghostknife> got a nice username/password thing going
15:11 < KipMacy> maybe non topology subnet should be phased out
15:12 < nickelnick> using the basic static setup...if network is 192.168.237.0, while tun creates 10.8.0.2 for server and .1 for client . if i have also added "route 192.168.237.0 255.255.255.0" on my client config. what could i be missing since the client cannot ping 10.8.0.1
15:12 < ghostknife> problem with username/password is that it needs to be preconfigured. lots of maintenance. now the user can just log in with a cert/user/pass. cert is primary authentication. thereafter the user/pass is remembered and consecutive ones need to supply the same user+pass, or is not authenticated. so it's like the user setting it up himself
15:13 < KipMacy> nickelnick: server is .2 or .1 ?
15:13 < ghostknife> so it's the technicians job to setup the account >
15:13 < ghostknife> :>
15:13 < nickelnick> server is .2
15:13 < nickelnick> client is 1
15:13 < KipMacy> weird, in my setup its almost always the other way around
15:13 < KipMacy> guess it doesn't matter
15:13 < nickelnick> what do you eman?
15:13 < nickelnick> mean?
15:13 < nickelnick> this is pretty new to me
15:14 < nickelnick> so i'm just following the steps in the guide
15:14 < KipMacy> pastebin in your server config file
15:14 < Bushmills> nickelnick: "route 192.168.237.0 255.255.255.0"  what's that?
15:14 < Bushmills> route through what?
15:15 < nickelnick> thats just exactly by the guide
15:15 < nickelnick> bottom of static key mini how to
15:16 < nickelnick> i need to setup another route on my server dont i
15:16 < Bushmills> what's ip address of your vpn server?  
15:16 < nickelnick> local?
15:16 < Bushmills> ethernet
15:16 < KipMacy> paaaaaaaaaaaaastebiiiiiiiiiiiiiiiiiiiiiiiiin your server config file
15:17 < nickelnick> ip address of vpn server is 192.168.237.40
15:17 < Bushmills> reread howto. doesn't make sense
15:17 < nickelnick> i read the mini how to on static key
15:17 < nickelnick> i followed it step...by step
15:17 < nickelnick> so...
15:18 < Bushmills> !howto
15:18 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:19 < nickelnick> well for the sake of a simple start...i used http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
15:19 < vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
15:19 < nickelnick> so bushmills....i read you the first time
15:19 < nickelnick> thanks for reminding me that i'm blind
15:19 < Bushmills> good. so you understand now why your routing doesn't make sense?
15:21 < nickelnick> yea, it never looked right to begin with
15:22 < nickelnick> i was just following the directions
15:22 < nickelnick> i just matched my config to the subnet 237
15:22 < Bushmills> directions in what document?
15:22 < nickelnick> gave it 80 and 85
15:22 < nickelnick> the mini how to
15:22 -!- ghostknife [~quintin@wbs-41-208-199-253.wbs.co.za] has quit [Quit: WeeChat 0.3.0]
15:22 < nickelnick> for static key..quickstart
15:22 < Bushmills> so, in spite of your claim, you must be blind
15:23 < nickelnick> why?
15:23 < Bushmills> did you notice that the howto i pointed out is *not* the static key mini howto?
15:23 < nickelnick> yea...so
15:23 < nickelnick> why cant i use the static key one?
15:23 < nickelnick> its labeled as a damn quickstart...sheesh
15:23 < Bushmills> because you followed it step by step, and as result, your routing doesn't make snese
15:24 < nickelnick> i'm fixing it
15:24 < Bushmills> well, good luck. use whatever tutorial you like.
15:26 -!- zzattack [zzattack@21-78-ftth.onsneteindhoven.nl] has joined ##openvpn
15:26 < zzattack> !welcome
15:26 < vpnHelper> zzattack: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:26 < zzattack> !route
15:26 < vpnHelper> zzattack: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:28 < zzattack> !howto
15:28 < vpnHelper> zzattack: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:32 < zzattack> i'm not completely sure my setup if correct but I've followed the guides.. i can connect to my openvpn server, and my client receives an ip, but i think my routing isn't correct yet
15:32 < zzattack> here's my config and logs: http://dpaste.org/Nsr7/
15:32 < zzattack> could someome please take a look?
15:32 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
15:35 < Bushmills> !winroute
15:35 < vpnHelper> Bushmills: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
15:36 < zzattack> thanks
15:36 < Dougy> man
15:36 < Dougy> iptables is skullfunking me
15:36 < zzattack> i hope it wont make u throw up then
15:37 < Dougy> :(
15:37 < Dougy> i cant figure it out
15:37 < Dougy> two of these SNAT rules work, the other 2 dont
15:45 < zzattack> Bushmills: seems like the route is now added, but i doubt my server does any routing for the client yet
15:46 < Bushmills> server for client? what route do you need, except client reaching the server?
15:47 < zzattack> server -> rest of lan
15:47 < Bushmills> you tried to ping the server from client before. that should be handled with those windows specifics
15:47 < zzattack> but from the client i can't even ping the server after connecting
15:47 < Bushmills> !route
15:47 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:47 < zzattack> i read that a couple of times
15:47 < Bushmills> don't start with rest of lan as long you can't ping server
15:48 < zzattack> ok
15:48 < zzattack> so my server is on 10.31.45.10, and the rest is on /24 too
15:48 < zzattack> i'm using server-bridge 10.31.45.10 255.255.255.0 10.31.45.200 10.31.45.250
15:48 < Bushmills> sorry, can't help you with bridge
15:48 < zzattack> client-to-client, and push "route 10.31.45.0 255.255.255.0"
15:49 < Bushmills> o
15:49 < Bushmills> your 10.31.x.x is your LAN?
15:49 < zzattack> yes
15:50 < Bushmills> why do you try to route LAN traffic through VPN?
15:50 < zzattack> huh? no, i'm connecting from another box that's on 10.5.0.0/24
15:51 < zzattack> to my openvpn server on 10.31.45.10/24
15:51 < Bushmills>  push "route 10.31.45.0 255.255.255.0"
15:51 < Bushmills> tells your clients to route LAN traffic through VPN
15:51 < Bushmills> means, they can't reach vpn server anymore
15:51 < zzattack> huh? that's confusing
15:52 < zzattack> how would the client otherwise reach, say, 10.31.45.123?
15:52 < Bushmills> through ethernet.
15:53 < Bushmills> if you really want to send lan traffic through vpn, you need at least a host route to vpn server, which goes through lan interface
15:53 < Bushmills> openvpn can't send its own traffic through itself. the tunnel must be built first
15:54 < Bushmills> and it can't if you route it through vpn
15:54 < zzattack> i see. so i should lose the whole route push alltogether?
15:54 < Bushmills> probably
15:55 < Bushmills> you're trying the equivalent of transporting a train in its own freight compartments
15:55 < zzattack> yeah i see
15:59 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
16:03 < zzattack> thanks, Bushmills, it's working fine now
16:04 < Bushmills> preceed with:
16:04 < Bushmills> !route
16:04 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:04 < Bushmills> proceed ...
16:05 < zzattack> i can access all pc's in my server's lan from the client now
16:05 < Bushmills> if hosts behind server are all openvpn clients, check out client-to-client instead
16:06 < zzattack> hmm that's gonna be a little harder
16:06 < zzattack> would this be a good test if i use 2 clients both in the same lan?
16:06 < zzattack> to a server in another lan thati s
16:07 < Bushmills> anything would do, as long as you make sure the route is the intended one.  mtr or traceroute
16:07 < zzattack> even if i connect with 1 client in the same lan as the server?
16:07 < Bushmills> even then
16:07 < Bushmills> more like, especially then
16:07 < zzattack> hmm, that'd be easiest for me
16:08 < zzattack> oh, this confuses me too btw: can i use the same client certificate on say, both my laptops?
16:09 < KipMacy> you could, i think you should make two
16:09 < zzattack> i did make two for now
16:09 < Bushmills> yes. but two keys (signed by same cert) may make more sense, as it makes it easier to, for example, set up differnent configs server side for them
16:10 < zzattack> but i guess that, if i quickly wanna connect from another place, i won't prefer making another client cert just for that occasion
16:10 < KipMacy> make two. less hassle
16:10 < Bushmills> such as, each one its own static ip address, for when they're online at the same time
16:10 < zzattack> ok, i see
16:11 < Bushmills> also, get one stolen, leaves the other access still safe
16:11 < zzattack> yep
16:11 < zzattack> okay.. pinging from .200->.201, both clients, doesn't work yet
16:12 < Bushmills> !client-to-client
16:12 < vpnHelper> Bushmills: "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
16:12 < vpnHelper> Bushmills: other clients
16:12 < zzattack> then again, .200 is in the same lan as the server
16:12 -!- nickelnick [~nickelnic@168.103.65.93] has left ##openvpn []
16:13 < Bushmills> short circuits OS routing
16:13 < Bushmills> and remove the route which lets them access each other through the LAN interface
16:14 < zzattack> hm, weird - i suppose the priority rules for my desktop client indicate that my nat router provides the gateway to the remainder of my home lan
16:15 < Bushmills> putting them in two different, say, /28 subnets may be easier, instead of having them all, as well as the server, in the same /24
16:15 < zzattack> yeah, exactly
16:16 < zzattack> so i can now ping from an external client to 10.31.45.197 which is some random client in the same lan as the openvpn server
16:16 < zzattack> but not the other way around yet
16:17 < Bushmills> on the openvpn subnet, the distinction between "internal" and "external" fades
16:17 < zzattack> indeed it does
16:17 < zzattack> my .197 client tries to access .200 (vpn client) through my gateway on .1
16:17 < zzattack> it won't even try to ask .10 (vpn server)
16:18 < zzattack> and the only solution i see would be to have a permanent route for e.g. /28 to go through .10 instead
16:18 < Bushmills> there's no route through vpn for it
16:18 < zzattack> what is /28? 240-255?
16:19 < zzattack> ah yes
16:19 < Bushmills> you deleted that one before, because it also inhibited reaching the server through LAN interface
16:19 < Bushmills> yes
16:19 < zzattack> yes, but on a /28 subnet it would be fine, right?
16:19 < zzattack> i just gotta change the bridge ip range
16:20 < Bushmills> pushing x.x.x.x/255.255.255.255 should work too 
16:20 < zzattack> x.x.x.x being what?
16:20 < Bushmills> other client
16:20 < zzattack> for each client?
16:21 < Bushmills> yes
16:21 < zzattack> hm that'd be bothersome
16:22 < zzattack> i think i will want to push a route for 10.31.45.240/255.255.255.240 through 10.31.45.10 then
16:41 -!- zzattack` [~zz@21-78-ftth.onsneteindhoven.nl] has joined ##openvpn
16:45 -!- zzattack [zzattack@21-78-ftth.onsneteindhoven.nl] has quit [Ping timeout: 276 seconds]
16:52 -!- Cain` [~Geek@unaffiliated/cain] has joined ##openvpn
16:54 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
16:54 -!- Cain` is now known as Cain
17:04 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 272 seconds]
17:05 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
17:14 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has joined ##openvpn
17:22 < Gokee2> I want to setup a openvpn server to allow one client to connect and give that client full access to the server.  Basically I want webdav, ssh, voip, and web access to the server to work from a netbook connecting from a unsecured network.  Whats the best way to go about doing this?  I have looked at the static-key howto but don't understand what the ifconfig ip's should be.  Should the first ip be the real ip of the server?  Or the IP the cli
17:22 < Gokee2> ent tries to connect to to get to the server?  Do they have to be the same?  And what configuration file do I put that stuff in?  Debian only put a file called update-resolv-conf in /etc/openvpn
17:23 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
18:00 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:03 < zzattack`> if i connect two different clients, both from the same ip (external to the openvpn server), they both receive the same ip from openvpn. what causes this?
18:03 < jpalmer> are the client certs using the same common name?
18:03 < zzattack`> yeah
18:04 < jpalmer> bingo
18:04 < zzattack`> guess so then :)
18:04 < jpalmer> generate a second cert,  with a different common name
18:04 < zzattack`> will do
18:09 < zzattack`> ok, that did it
18:10 < Gokee2> So I made up some config as talked about here http://wiki.debian.org/HowTo/openvpn substituting 10.15.108.(servers's X) for the servers external ip.  Now I can start openvpn but it does not give my any error's and does not work....   I get one odd message on the client UDPv4 link local (bound): [undef]:1194 and the server has a simpler one Mon Aug 30 16:08:41 2010 UDPv4 link local (bound): [undef]:1194
18:10 < vpnHelper> Title: HowTo/openvpn - Debian Wiki (at wiki.debian.org)
18:10 < zzattack`> ok, so i'm using a bridge, but my clients can't communicate client-to-client yet
18:20 -!- TheRealJeanLuc [~jcrawford@dhcp-west-60.resnet.nmt.edu] has joined ##openvpn
18:20 < TheRealJeanLuc> !welcome
18:20 < vpnHelper> TheRealJeanLuc: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:21 < TheRealJeanLuc> !redirect
18:21 < vpnHelper> TheRealJeanLuc: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:24 < jpalmer> !client-to-client
18:24 < vpnHelper> jpalmer: "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind
18:24 < vpnHelper> jpalmer: other clients
18:24 < jpalmer> ^^ zzattack` 
18:25 < zzattack`> thanks, not sure about it though
18:25 < zzattack`> i have it enabled, but it shouldn't matter for me since there's no firewall involved
18:27 < jpalmer> zzattack`: so in your servers config file, you have client-to-client enabled?   can each client ping the openvpn servers IP?
18:28 < TheRealJeanLuc> I kind of hate to bring up what is apparently a very common issue, but here's the trouble: I want to have all internet traffic directed through the tunnel. I added the push "redirect-gateway def1" to the server configuration. When my Windows 7 client connects, the routes are pushed succesfully, but internet traffic is still travelling through the ethernet interface, not through the VPN. here's the top of the routing table: http://
18:28 < TheRealJeanLuc> pastie.org/1127835
18:28 < zzattack`> jpalmer: yes each client can ping the openvpn server's ip
18:29 < TheRealJeanLuc> to clarify, I'm using OpenVPN 2.1 rc15 with OpenVPN GUI (running as administrator) on Windows 7 Professional 64-bit
18:29 < zzattack`> not the other way around though. also, each client can ping all ip's on the server's lan
18:36 -!- TheRealJeanLuc [~jcrawford@dhcp-west-60.resnet.nmt.edu] has quit [Quit: Leaving]
18:38 < jpalmer> zzattack`: temporarily disable the firewall on each client.  they are blocking inbound packets from the vpn interface.
18:38 < zzattack`> let me try
18:40 < zzattack`> damn. 
18:40 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
18:41 < zzattack`> yep, that's it exactly.
18:41 < zzattack`> jpalmer: u ever added a firewall exception on a windows client for this before?
18:42 < jpalmer> zzattack`: not in a *long* time.  so, I wouldn't be comfortable trying to tell you how.
18:43 < zzattack`> okay. well thanks a lot anyway
18:43 < zzattack`> i was quite used to receiving messages for when the firewall blocks stuff
18:44 < krzee> just disable it for the tap interface
18:45 < zzattack`> i remember that option from winxp, but it's not as visible on win7
18:45 < jpalmer> krzee: yeah,  thats all he needs.  I just don't remember how to do it in windows.
18:45 < zzattack`> i'll find it
18:45 < krzee> !google disable firewall interface windows 7
18:45 < jpalmer> zzattack`: I'm pretty sure you have to go to network conenction settings, and right click the tun adapter
18:45 < vpnHelper> krzee: Turn Windows Firewall on or off: <http://windows.microsoft.com/en-US/windows-vista/Turn-Windows-Firewall-on-or-off>; how do I disable the firewall on a single interface in Windows 7 ...: <http://serverfault.com/questions/116149/how-do-i-disable-the-firewall-on-a-single-interface-in-windows-7>; Windows Firewall - Turn On or Off - Windows 7 Forums: <http://www.sevenforums.com/tutorials/522
18:45 < vpnHelper> krzee: -windows-firewall-turn-off.html>
18:45 < krzee> ;)
18:45 < zzattack`> jpalmer: yeah, that's where i first looked.. :P
18:46 < zzattack`> ah perfect, thanks krzee
18:46 < krzee> np
18:46 < jpalmer> don't turn it completely off.  just disable it from the ovpn interface.
18:46 < zzattack`> yep
19:13 -!- zzattack` [~zz@21-78-ftth.onsneteindhoven.nl] has quit []
19:21 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
19:27 -!- Squidy_at_Home [~quassel@189.73.211.71] has joined ##openvpn
19:31 < Gokee2> !logs
19:31 < vpnHelper> Gokee2: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
19:47 -!- therealjeanluc [~jcrawford@dhcp-west-60.resnet.nmt.edu] has joined ##openvpn
19:48 < therealjeanluc> hey, I'm having trouble routing all traffic through OpenVPN. The connection opens succesfully and the log indicates that the route is pushed succesfully. The route appears in the routing table but the client computer (Windows 7) still uses the direct route rather than putting internet traffic through the tunnel.
20:14 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
20:15 < krzee> therealjeanluc, 
20:15 < krzee> !redirect
20:15 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
20:15 < krzee> what OS is the server?
20:15 < Dougy> ayoooooooooooooooooooooooooooooooooooooo
20:15 < Dougy> holla
20:15 < krzee> Dougy, congrats on walking
20:16 -!- RedShift [~glenn@apollo.webmind.be] has quit [Ping timeout: 255 seconds]
20:17 -!- RedShift [~glenn@apollo.webmind.be] has joined ##openvpn
20:30 < jpalmer> !nat
20:30 < vpnHelper> jpalmer: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
20:30 < jpalmer> !linnat
20:30 < vpnHelper> jpalmer: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
20:41 < Dougy> krzee: 
20:41 < Dougy> thx
20:41 < Dougy> i lovedddddddddddddddd that ish
20:41 < Dougy> krzee: i made a ghetto office firewall with iptables
20:50 < krzee> whats ghetto about an iptables firewall?
20:50 -!- Gomex [~rafael.go@fedora/Gomex] has joined ##openvpn
20:50 < Gomex> hi guis
20:50 < Gomex> guys
20:51 < Gomex> I am trying push route config to windows client
20:51 < Gomex> what is the correct parameter to push this config?
20:53 < Dougy> !route
20:53 < vpnHelper> Dougy: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:53 < Dougy> !iroute
20:53 < vpnHelper> Dougy: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
20:53 < krzee> Gomex, what exactly are you trying to do?
20:54 < krzee> Dougy, you just giving random factoids with the word "route" in them?
20:54 < vpnHelper> RSS Update - forum: Configuration :: Re: Connection dies after 4-7 minutes. Client :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7048&p=7699#p7699> || Configuration :: Re: connecting 192.168.1.x to 192.168.1.x :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7052&p=7700#p7700>
20:54 < Gomex> kraut, trying send route config to client
20:54 < Gomex> krzee,  trying send route config to client
20:54 < krzee> Gomex, that means nothing what "route config"
20:54 < krzee> !goal
20:54 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
20:55 < Gomex> krzee, I tried push "route add 10.0.10.0 255.255.255.0"
20:55 -!- Tapkation [~root@home.tapke.eu] has joined ##openvpn
20:55 < Tapkation> anyone alive?
20:55 < Tapkation> :-D
20:56 < Tapkation> My problem is my firewall?
20:56 < Tapkation> ;-))
20:56 < Tapkation> !welcome
20:56 < vpnHelper> Tapkation: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:56 < Tapkation> !route
20:56 < vpnHelper> Tapkation: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
21:01 < Cisien> so, what's your question Tapkation?
21:01 < krzee> Gomex, remove the "add"
21:01 < Gomex> hum
21:02 < Gomex> krzee, I will try
21:02 < Gomex> krzee, thanks
21:02 < krzee> np
21:02 < krzee> Gomex, since you refuse to state your real goal, read my routing writeup
21:02 < krzee> !route
21:02 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
21:02 -!- pcard [~pc@unaffiliated/jl-picard] has joined ##openvpn
21:03 < Gomex> krzee, I already save this link
21:03 < krzee> =]
21:03 < Gomex> krzee, I will read
21:03 < Gomex> krzee, thanks again
21:03 < pcard> sorry if this is an insanely stupid-obvious question, but seeing as openvpn is udp based, one cannot just use netstat on a box (linux in my case) running openvpn server to see what clients are presently connected
21:03 < Tapkation> Cisien: you see...
21:03 < pcard> is there a way to see what clients are connected to an openvpn server instance?
21:03 < Tapkation> i've done all the routing/irouting
21:04 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
21:04 < Tapkation> everything connects
21:04 < Tapkation> client subnets can ping servers subnet
21:04 < Tapkation> BUT, the server subnet (as the server itself) can't ping the clients' subnets
21:05 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Client Quit]
21:05 < Tapkation> it just throws something about MUTLI: learn ip ->  ip:port
21:05 < Tapkation> but no ping at all :/
21:06 < Tapkation> the server should take 10.242.2.1 as stated in the conf server 10.242.2.0 255.255.255.0
21:06 < Tapkation> however all the routes on server apear showing to 10.242.2.2
21:07 < Tapkation> Cisien: any ideas?
21:09 < Tapkation> I've been messing with this dd-wrt for damn 3 nights...
21:09 < Tapkation> and bridging is not an option
21:14 < jpalmer> pcard: you're looking for a status file.
21:14 < jpalmer> !status
21:14 < vpnHelper> jpalmer: Error: "status" is not a valid command.
21:15 < jpalmer> pcard:  google for openvpn status file.   openvpn can be configured to write a file with info for currently conencted clients.  including the common name, remote IP, vpn IP, and such
21:15 < Tapkation> does anyone have anything to say, that might help me? ;/
21:15 < jpalmer> ecrist / krzee  !status doesn't have any info about the status file.
21:17 < jpalmer> Tapkation: other than dd-wrt molests and bastardizes the hell out of openvpn,  the only two things I can suggest:  #1) make sure the clients each have a unique common name in the certificate.  and #2) make sure the clients have the firewall disabled for the openvpn tun/tap interface.
21:17 < krzee> jpalmer: remind me later and ill add it, for now im leaving work
21:17 < jpalmer> krzee: will do.  thanks
21:19 < Tapkation> jpalmer: the clients can ping the servers subnets ip, no duplicate-cn is used, but the server can't ping clients subnets ips
21:20 < jpalmer> Tapkation: the client firewalls only block inbound, not outbound.   hence, clients being able to ping the server, but not server -> clients
21:20 < Tapkation> ok. so... 
21:21 < Tapkation> iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
21:21 < Tapkation> iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
21:21 < Tapkation> doesn't help?
21:21 < jpalmer> without context, I wouldn't know ;)
21:21  * jpalmer doesn't know iptables that well, either.  I'm a BSD guy
21:22 < Tapkation> :-))
21:22 < Tapkation> i'm not good on them either...
21:22 < Tapkation> But I know how to copypaste :-)))
21:23 < jpalmer> Tapkation: basic networking tells me it's not a route problem.. because if it were, you wouldn't get the echo replies to your ICMP to the server.   so,  it stands to reason that the problem is client side.   I'm 99% positive it's your firewall.   try disabling the whole iptables.
21:23 < Tapkation> ok. http://pastebin.com/qxNvLZ2T server and http://pastebin.com/np6BcWhP is client conf
21:24 < Tapkation> disabling the iptables.. thats not good. as they're wifi AP's
21:24 < Tapkation> ant they must do the NATing
21:24 < Tapkation> *and
21:25 -!- Tapkation is now known as Tapke
21:26 < pcard> jpalmer: I thought some BSDs used iptables? (I don't believe iptables is limited to just linux)
21:26 < jpalmer> pcard: you'd be incorrect.
21:26 < jpalmer> BSD uses ipfw, pf, or ipf.
21:26 < pcard> which part?
21:27 < jpalmer> iptables sntax makes me sick,   literally.
21:27 < Tapke> me too :/
21:27 < Tapke> i'm used to real routers
21:27 < pcard> then don't use it..
21:28 < pcard> iptables is a real router softwawre... many router boxes use such software
21:28 < Tapke> :-))
21:28 < Tapke> Ever seen Cisco?
21:28 < Tapke> Juniper?
21:28 < pcard> yes
21:28 < Tapke> Seen any iptables there?
21:29 < pcard> not on most, but I've seen some interesting custom setups
21:29 < Tapke> Ok. Some embed-linux systems like Astaro, are quite good on it...
21:29 < jpalmer> you've seen custom setups where someone is running iptables on a cisco or juniper?  sorry..  but bullshit.
21:30 < pcard> cisco, juniper, good stuff of course, but you can't deny that iptables too is quite powerful to anyone who knows how to weild it
21:30 < pcard> jpalmer: where did I say someone put iptables on one?
21:30 < Tapke> Those two are BSD based.
21:30 < pcard> jpalmer: please don't put words in my mouth, thank you
21:30 < theDoc> iptables on juniper or cisco?
21:30 < pcard> again, I never said that
21:30 < Tapke> ;-)
21:30 < Tapke> Ok. So how speaks iptables?
21:31 < jpalmer> nobody here has said iptables wasn't good, either.   so as for the "putting words in my mouth" comment,  you are pot. feel free to call me kettle.
21:31 < Tapke> #iptables -> #netfilter seems to be sleeping..
21:31 < pcard> that's what happens when you make stupid assumptions..
21:31 < jpalmer> the only comment about iptables is that the syntax is horrid.
21:31 < pcard> jpalmer: wrong, I never made an assertion that anyone claimed it was bad, YOU just made THAT assumption just now
21:31 < Tapke> :-)
21:31 < pcard> jpalmer: please think first
21:31 < Tapke> I say they're bad.
21:32 < jpalmer> pcard: go fuck yourself.
21:32 < pcard> jpalmer: wow, great retort
21:32 < Tapke> Ouch...
21:32 < Tapke> Hey!
21:32 < pcard> jpalmer: you have a bad habit of making premature presumptions, just calm down, don't deny, and just get on with life
21:32 < Tapke> Oh grow up already...
21:33 < pcard> jpalmer: just don't claims that someone said something they didn't
21:33 < Tapke> You too.
21:33 < jpalmer> I don't know who thought up the /ignore command on IRC,  but I should paypal them a donation.
21:33 < pcard> Tapke: where?
21:33 < Tapke> Nothing.. nothing...
21:33 < pcard> lol
21:33 < pcard> whatever
21:33 < Tapke> Please, help ME!
21:33 < Tapke> Or I'm gonna kill someone. :/
21:33 < pcard> for what it's worth, I've seen jpalmer in other channels pulling the same old shit with coiuntless people, so I'm used to seeing it
21:33 < Tapke> I can't spead iptables :/
21:33  * theDoc hands Tapke a knife.
21:33 < Tapke> *speak
21:34  * Tapke throws the knife at theDoc 
21:34 < Tapke> Catch
21:42 < Tapke> Please, help! :/
21:44 -!- Squidy_at_Home [~quassel@189.73.211.71] has quit [Remote host closed the connection]
22:09 < Tapke> jpalmer: perhaps you have a configured routing server and client to show? :/
22:09 < jpalmer> Tapke: it's our firewall.
22:09 < Tapke> OUR?
22:09 < jpalmer> s/our/your/
22:09 < Tapke> :-)
22:10 < Tapke> so perhaps you have any firewall config extract for ovpn?
22:10 < jpalmer> 02:21 <jpalmer doesn't know iptables that well, either.  I'm a BSD guy
22:11 < jpalmer> I'm sure the channel for your distro can give you some info on setting up a specific interface to be trusted/allowed.
22:11 < Tapke> :/
22:11 < Tapke> dd-wrt? :-D
22:12 < jpalmer> thats where I'd start, yes.
22:16 < Tapke> !welcome
22:16 < vpnHelper> Tapke: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
22:16 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Quit: Leaving.]
22:26 -!- Tapke [~root@home.tapke.eu] has quit [Read error: Connection reset by peer]
22:27 -!- Tapke [~root@home.tapke.eu] has joined ##openvpn
22:28 -!- tessier [~treed@kernel-panic/copilotco] has quit [Ping timeout: 276 seconds]
22:28 -!- tessier [~treed@mail.copilotco.com] has joined ##openvpn
22:29 -!- troy- [~tab@bgp4.us] has joined ##openvpn
22:29 < troy-> in a point to point config is it possible to push routes?
22:39 -!- Tapke [~root@home.tapke.eu] has quit [Ping timeout: 276 seconds]
22:43 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
22:50 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
22:50 < Dougy> hai troy- 
22:56 -!- Gomex [~rafael.go@fedora/Gomex] has quit [Remote host closed the connection]
23:04 < Bushmills> troy-: yes. server can push routes.  p-t-p is also server and client
23:13 < troy-> hai Dougy 
23:24 -!- |Mike| [mike@2001:1af8:2:444::2] has quit [Ping timeout: 260 seconds]
23:39 -!- |Mike| [mike@2001:1af8:2:444::2] has joined ##openvpn
23:45 < therealjeanluc> krzee, are you still around? sorry I was gone when you responded to my question.
23:48 -!- Jean-Luc [~jcrawford@129.138.220.4] has joined ##openvpn
23:50 -!- therealjeanluc [~jcrawford@dhcp-west-60.resnet.nmt.edu] has quit [Ping timeout: 245 seconds]
23:54 -!- Jean-Luc is now known as TheRealJeanLuc
--- Day changed Tue Aug 31 2010
00:01 < TheRealJeanLuc> hey, I'm having trouble routing all traffic through OpenVPN. The connection opens succesfully and the log indicates that the route is pushed succesfully. The route appears in the routing table but the client computer (Windows 7) still uses the direct route rather than putting internet traffic through the tunnel.
00:36 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
00:36 -!- mode/##openvpn [+o mattock] by ChanServ
00:37 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Read error: Operation timed out]
00:41 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
00:46 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
00:46 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
00:57 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has quit [Read error: Operation timed out]
00:59 -!- Bebop_ [ca3b29eb@gateway/web/freenode/ip.202.59.41.235] has joined ##openvpn
00:59 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has joined ##openvpn
01:00 < Bebop_> Quick question, currently have a Server setup which I openVPN into from home on my VMWare image to use FTP. On my server I can see my home address - should this be? Should it show the address of my server?
01:03 < kisom> Bebop_: how do you "see" the address?
01:03 < kisom> the openvpn daemon does indeed see the real IP address from which the connection is comming from
01:14 < Bebop_> kisom: Within IIS - under 'Current sessions' mate
01:15 < Bebop_> kisom: Not a problem - this is only due to the fact that it is between MY client and MY server - if I was connected to a Public FTP they would only see my Servers IP (the OpenVPN address) correct?
01:23 -!- Jean-Luc_ [~jcrawford@129.138.220.4] has joined ##openvpn
01:23 -!- TheRealJeanLuc [~jcrawford@129.138.220.4] has quit [Read error: Connection reset by peer]
01:29 < Bebop_> kisom: ?
01:40 -!- Gud [~erik@78-70-22-214-no94.business.telia.com] has quit [Ping timeout: 252 seconds]
01:41 -!- Bebop_ [ca3b29eb@gateway/web/freenode/ip.202.59.41.235] has quit [Quit: Page closed]
01:49 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Read error: Operation timed out]
01:52 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined ##openvpn
02:07 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit [Ping timeout: 240 seconds]
02:08 -!- Jean-Luc_ [~jcrawford@129.138.220.4] has quit [Quit: Leaving]
02:15 -!- Bebop_ [76d0b97b@gateway/web/freenode/ip.118.208.185.123] has joined ##openvpn
02:15 < Bebop_> Sorry DC'd before
02:16 < Bebop_> Question still stands; am I only seeing my home connections IP on my Server as they're within the tunnel. If i was connected to a Public/PC not in my OpenVPNs tunnel, they would only see my Servers IP (where OpenVPN server is installed)?
02:21 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
02:21 -!- kuttan_ [~ops@114.79.140.215] has joined ##openvpn
02:27 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has joined ##openvpn
02:36 -!- kuttan_ [~ops@114.79.140.215] has quit [Quit: Ex-Chat]
02:49 -!- dazo_afk is now known as dazo
02:54 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
02:54 < macsppadic> morning all
02:57 -!- Diffen2 [~diffen2@c-2875e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 260 seconds]
03:16 -!- le0_ [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has joined ##openvpn
03:30 -!- tessier [~treed@mail.copilotco.com] has quit [Changing host]
03:30 -!- tessier [~treed@kernel-panic/copilotco] has joined ##openvpn
03:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:37 < kraut> moin
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: No route to host]
03:40 < macsppadic> morning kraut 
03:49 -!- Gud [~erik@78-70-22-214-no94.business.telia.com] has joined ##openvpn
03:56 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
04:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
04:13 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:36 < Bebop_> Question still stands; am I only seeing my home connections IP on my Server as they're within the tunnel. If i was connected to a Public/PC not in my OpenVPNs tunnel, they would only see my Servers IP (where OpenVPN server is installed)?
04:44 -!- gallatin [~gallatin@178.1.124.27] has joined ##openvpn
05:19 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 252 seconds]
05:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
05:45 -!- gallatin [~gallatin@178.1.124.27] has quit [Ping timeout: 260 seconds]
05:57 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
06:04 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:16 < kisom> Bebop_: Do you use redirect-gateway?
06:16 < kisom> does your client pull?
06:18 < Bebop_> kisom: Pull is in the clienf.conf and 'push "redirect-gateway def1"' is in server.conf
06:18 < kisom> if you check http://ip.nu, what do you see? your client IP or your server IP?
06:21 < Bebop_> kisom: Shows server IP, thats all fine, done tests like that before on a number of sites. My only concern was when I FTP to my server, it lists my HOME IP - is that due to it being in the tunnel - should that be?
06:21 < kisom> its most likly because of your routes
06:21 < Bebop_> or is my openVPN not properly doing masking of my IP across the board
06:21 < kisom> is the FTP server on the same server as the openvpn server?
06:22 < Bebop_> yes
06:22 < kisom> thats the problem then
06:22 < kisom> redirect-gateway adds a route to your server out your physical network interface, any packets routed to that IP will not pass the VPN
06:22 < Bebop_> but if I was to connect to another Public FTP, or anythin outside of something hosted on the same server as the OpenVPN it would be fine?
06:22 < kisom> yes, it will be fine then
06:23 < kisom> any connection to the openvpn server IP will not be passed down the VPN tunnel
06:24 < kisom> just connect to the servers VPN address instead, or set up your own DNS server
06:27 -!- Squidy_at_Home [~quassel@189.73.211.71] has joined ##openvpn
06:30 < Bebop_> kisom: Ah awesome - so connecting to the openvpn provided IP (10.x.x.x or 192.x.x.x depending on how you set it up) will still allow for it to hide the address - or through a DNS such as provided by DynDNS etc?
06:36 -!- Squidy_at_Home [~quassel@189.73.211.71] has quit [Remote host closed the connection]
06:40 -!- Cisien [Cisien@c-98-232-115-192.hsd1.wa.comcast.net] has quit [Ping timeout: 255 seconds]
06:41 < kisom> Bebop_: connecting to 10.0.8.1 will do the trick, if you set up your VPN in that subnet
06:42 < kisom> I run my own DNS service on the VPN network so my domain names are pointed towards 10.11.0.0/24, which is my openvpn network
06:45 -!- Cisien [Cisien@c-98-232-115-192.hsd1.wa.comcast.net] has joined ##openvpn
06:51 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
06:54 < ksk> hello there
06:54 < ksk> i get this message "There are no TAP-Win32 adapters on this system."
06:55 < ksk> but there is a tap-win32 adapter on my system
06:55 < ksk> ( not the offical installer, bulding my own)
06:55 < ksk> any idea whats wrong?
06:56 < ksk> log entry before this error is "WARNING: potential TUN/TAP adapter subnet conflict between local LAN"
06:56 < ksk> so it does see the tap device?
06:56 < ksk> (the conflict is not the problem, and its just there in my testing env)
06:59 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 260 seconds]
07:04 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
07:05 < ecrist> jpalmer: do you have a suggestion on what to put in !status?
07:13 -!- Bebop_ [76d0b97b@gateway/web/freenode/ip.118.208.185.123] has quit [Quit: Page closed]
07:15 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
07:31 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has left ##openvpn ["Leaving"]
07:49 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 245 seconds]
07:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:55 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
08:12 -!- Gud_ [~erik@78-70-22-214-no94.business.telia.com] has joined ##openvpn
08:12 -!- Gud [~erik@78-70-22-214-no94.business.telia.com] has quit [Read error: Connection reset by peer]
08:20 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
08:25 <@dazo> ksk:  have you built the wintap driver yourself as well?  That might be the issue, as that driver needs to be signed ... try to not build that one yourself and use the binary version instead
08:27 < ksk> okay
08:27 < ksk> it was because the .cat and .sys files are named tap0901 now, not tap0801
08:28 < ksk> just forgot to edit it in my nsis skript (i build the package with it)
08:28 < ksk> thanks for your help anyways
08:39 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
08:41 < Dougy> dazo dazo dazo dazo dazo dazo dazo dazo dazo dazo dazo dazo dazo dazo dazo dazo dazo dazo
08:41 < Dougy> dazo dazo dazo dazo dazo dazo dazo dazo
08:41 < Dougy> dazo dazo dazo dazo dazo dazo dazo dazo
08:41 < Dougy> dazo dazo dazo dazo dazo dazo dazo dazo
08:41 < Dougy> hi
08:41 <@dazo> Dougy:  gee ... whzup?
08:43 < Dougy> b0red
08:44 <@dazo> Dougy:  I wish I could share some of my work to you then :-P
08:45 < Dougy> :P
08:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
09:03 < kisom> ever missed an exit on the highway, put on reverse and take it anyways?
09:05 < ksk> not yet, no
09:14 < ecrist> kisom: yep.  usually I don't use reverse, I just drive in the grass
09:15 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:19 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: Connection reset by peer]
09:20 -!- sigi [~sigius@93.125.185.45] has joined ##openvpn
09:51 < Dougy> kisom: i did it once
09:51 < Dougy> i popped my e brake, drifted through the grass
09:51 < Dougy> it was great
09:51 < Dougy> lol
09:51 < Dougy> nearly died, but it was great
09:54 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
10:12 -!- phrack23 [phrack@cgn.sq23.de] has joined ##openvpn
10:22 -!- le0_ [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has quit [Quit: Leaving]
10:25 < phrack23> !welcome
10:25 < vpnHelper> phrack23: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:27 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 240 seconds]
10:29 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
10:31 < phrack23> !/30
10:31 < vpnHelper> phrack23: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
10:39 -!- kai_office [~kai@asa-2.fbp.ore.fiber.net] has joined ##openvpn
10:39 < kai_office> !welcome
10:39 < vpnHelper> kai_office: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:40 < kai_office> !goal
10:40 < vpnHelper> kai_office: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:40 < kai_office> !interface
10:40 < vpnHelper> kai_office: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
10:41 < kai_office> Cool bot :)
10:46 < kai_office> I have a working OpenVPN server that has no issues. I'm more interested in a feature that I can't find much information about. I'm interested in a web-based VPN client, perhaps something written in Java, that could connect to my OpenVPN server.
10:46 < kisom> wont happen
10:47 < kai_office> kisom: Why not?
10:47 < kisom> because openvpn is, and wont be, web based.
10:47 < kisom> isn't*
10:48 < kai_office> I'm not entirely sure I agree that the client shouldn't or can't be done in a web browser, but I'm happy to learn :)
10:49 < kisom> well technically it would be possible to get java to install a VPN client, but there is no suck solution with openvpn
10:50 < kai_office> Oh, I see. This channel is more for the server, not necessarily for specific clients that may have been written to connect to the server.
10:50 < kai_office> or something... :)
10:50 < kisom> this channel is about openvpn :)
10:50 < kisom> https://ck3r.org/StoRo-logon/tunnel/
10:50 < vpnHelper> Title: StormRoute (at ck3r.org)
10:50 < kisom> Just something i put together
10:51 < kisom> well its all server side, PHP tells openvpn to push redirect gateway to the client requesting that page
10:51 < kisom> you still have to get the VPN client installed somehow
10:51 < kai_office> Oh, cool :)
10:52 -!- macsppadic [~sonupunno@88.211.55.77] has left ##openvpn []
10:52 < kai_office> that's a great idea :) 
10:53 < kisom> openvpn access server can build install packages on-the-go if i remember correctly
10:54 < kisom> give the end user a login, he logs on to a website, downloads the exe installer and then its all done
11:05 < kai_office> kisom: I think I was originally asking about "Clientless VPN" solutions. As I search around for information about them, it quickly becomes obvious why they aren't the best idea.
11:06 < kai_office> A one-click install for the client, bundled with the config, is probably the best idea. Thanks :)
11:06 < kai_office> We'll look into openvpn access server. Looks great
11:06 < kisom> well openvpn-as isn't free ;)
11:07 < kai_office> Yup, I'm aware :)
11:07 < kai_office> Neither is my time, haha :)
11:07 < kai_office> Sorry, that sounded bad... I meant that to mean, I'm the contractor 
11:07 < kai_office> Researching a solution for somebody, haha.
11:07 < kisom> ah well well
11:08 < kisom> yeah i think its $5 per concurrent connection, one time fee
11:08 < kisom> which is really cheap compared to the big players like cisco etc
11:08 < kai_office> So each new client is $5 one-time fee?
11:08 < kisom> no
11:08 < kisom> each concurrent client is $5
11:09 < kai_office> got a link for me to read up on what they consider "concurrent clients"?
11:09 < kisom> http://openvpn.net/index.php/access-server/pricing.html
11:09 < vpnHelper> Title: OpenVPN Access Server - Pricing Guide (at openvpn.net)
11:09 < kai_office> thanks :)
11:11 < ksk> hello phrack23 
11:11 < ksk> how are you?
11:12 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has joined ##openvpn
11:21 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
11:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:35 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
11:40 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 258 seconds]
11:49 -!- Cisien [Cisien@c-98-232-115-192.hsd1.wa.comcast.net] has quit [Read error: Connection reset by peer]
11:52 -!- Raccoon` [~bismuth@unaffiliated/raccoon] has quit [Ping timeout: 252 seconds]
11:56 -!- Cisien [Cisien@c-98-232-115-192.hsd1.wa.comcast.net] has joined ##openvpn
11:57 -!- Svedrin [svedrin@glint.funzt-halt.net] has joined ##openvpn
11:57 < Svedrin> is there an easy way to change the metric of the route to 255.255.255.255/32 on windows?
11:58 < Svedrin> I need to change it in order for broadcasts to go through the VPN instead of local LANs
12:03 -!- kai_office [~kai@asa-2.fbp.ore.fiber.net] has left ##openvpn []
12:03 < vpnHelper> RSS Update - forum: Configuration :: Re: Connection dies after 4-7 minutes. Client :: Reply by medleev <https://forums.openvpn.net/viewtopic.php?f=6&t=7048&p=7705#p7705>
12:07 -!- dazo is now known as dazo_afk
12:07 -!- Cisien_ [~chris@c-98-232-115-192.hsd1.wa.comcast.net] has joined ##openvpn
12:11 -!- Cisien [Cisien@c-98-232-115-192.hsd1.wa.comcast.net] has quit [Ping timeout: 258 seconds]
12:19 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Quit: ZNC - http://znc.sourceforge.net]
12:22 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
12:39 -!- mmerlone [bb3af392@gateway/web/freenode/ip.187.58.243.146] has joined ##openvpn
12:40 < mmerlone> good afternoon, greetings from Brazil!
12:41 < mmerlone> I am having a hard time to route two client networks trough my ovpn server.
12:41 < mmerlone> My server eth0 is 192.168.0.213/24, and the clients are on 10.1.0.0/16 and 10.2.0.0/16 respectively
12:42 < mmerlone> I want to route from 10.1.0.0/16 to 192.168.0.0/24 and to 10.2.0.0/16; and vice-versa
12:43 < mmerlone> or, simpy put, I want each 10.x.0.0/16 net to see each other
12:43 < mmerlone> my server conf is here: http://pastebin.com/TvMGcNcz
12:44 < mmerlone> can anybody help me? I already set a dev tun vpn, but routing is not working. I can only ping the servers vpn address, but not the real one
12:52 < kisom> mmerlone: have you enabled ip forwarding?
12:53 < Dougy> !ipforwarding
12:53 < vpnHelper> Dougy: Error: "ipforwarding" is not a valid command.
12:53 < Dougy> !ipforward
12:53 < vpnHelper> Dougy: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
12:53 < Dougy> !linipforward
12:53 < vpnHelper> Dougy: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
12:55 -!- rawDawg [~rawdawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
12:57 -!- kyle___ [~kyle@80.67.14.16] has quit [Read error: Connection reset by peer]
12:58 -!- kyle___ [~kyle@80-67-14-16.cust.vpntunnel.se] has joined ##openvpn
13:00 -!- kyle___ [~kyle@80-67-14-16.cust.vpntunnel.se] has quit [Read error: Connection reset by peer]
13:05 -!- kyle___ [~kyle@80-67-14-16.cust.vpntunnel.se] has joined ##openvpn
13:05 -!- SOG [~SOG@222.125.226.58] has joined ##openvpn
13:08 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has joined ##openvpn
13:08 < mmerlone> yes, /proc/sys/net/ipv4/ip_forward = 1
13:08 < mmerlone> i've adjusted sysctl as well too, it was already at first.
13:10 < ecrist> firewall.
13:10 < mmerlone> nope
13:10 < mmerlone> clean iptables
13:15 < kisom> try a traceroute on client1 towards client 2
13:15 < kisom> may give you a clue
13:17 -!- mmerlone [bb3af392@gateway/web/freenode/ip.187.58.243.146] has quit [Ping timeout: 252 seconds]
13:19 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
13:19 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
13:20 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
13:25 -!- jaminja [~jaminja@74.81.170.4] has joined ##openvpn
13:39 -!- jaminja_ [~jaminja@95.211.4.12] has joined ##openvpn
13:40 -!- jaminja [~jaminja@74.81.170.4] has quit [Ping timeout: 265 seconds]
13:43 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined ##openvpn
13:45 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
13:45 -!- mode/##openvpn [+o mattock] by ChanServ
13:45 < jpalmer> ecris,  for the !status thing,  I was thinking of a quick blurb describing the status file, and how it records common name, remote IP, vpn IP, etc.
13:46 < jpalmer> ecrist: I was thinking that just about each option in the config file, should be a bot command (and, I'd be willing to help add the missing ones if you want)
13:49 < ecrist> jpalmer: two options, I can give you bot access, or you can write a command/description, and I'll add them myself.
13:50 < jpalmer> ecrist: I'm ok with the second option, if you tell me the syntax.
13:50 < jpalmer> is it an infobot with the "foo is blah" syntax?
13:51 < ecrist> supybot
13:51 < ecrist>  learn foo as blah bleep bloop blargh
13:51 < ecrist> creates a !foo command
13:51 < jpalmer> gotcha.   that works.
13:51 -!- jaminja [~jaminja@74.81.170.4] has joined ##openvpn
13:52 < jpalmer> it'll give me a chance to go over config file options again.. and re-learn things I've forgotten, or see any new options I've missed.  so, it's a win/win.
13:52 < ecrist> !factoids
13:52 < vpnHelper> ecrist: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
13:52 -!- rawDawg [~rawdawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
13:52 < ecrist> that's the current dump
13:53 -!- jaminja_ [~jaminja@95.211.4.12] has quit [Ping timeout: 265 seconds]
13:54 -!- WinstonSmith [~true@f052096162.adsl.alicedsl.de] has joined ##openvpn
13:55 -!- manevra [manevra@188.72.227.89] has joined ##openvpn
13:55 < ecrist> jpalmer: it would actually be easier if you send me a file with key:value or key,value pairs
13:55 < ecrist> then I can just dump directly to the database.
13:56 < ecrist> rather than using IRC to send privmsgs to the bot
13:56 < WinstonSmith> hi all :) i have a ubuntu opnvpn client and when i connect to the server it adds a route so that ALL my traffic is routed through the vpn. that is not desired. i got around it by using the vpn control panel from ubuntu but i would like to know if there is some option i can put in the .conf ? thx
13:57 < ecrist> !no-pull
13:57 < vpnHelper> ecrist: Error: "no-pull" is not a valid command.
13:57 < ecrist> !push-reset
13:57 < vpnHelper> ecrist: "push-reset" is Don't inherit the global push list for a specific client instance. Specify this option in a client-specific context such as with a --client-config-dir configuration file. This option will ignore --push options at the global config file level.
13:59 < WinstonSmith> ecrist, but i am not pushing any explicit routes from the server ? but if i add this to the .conf im alright ? thank you for your time
14:02 < ecrist> if you're entire connection is being sent over the vpn, then it's likely the VPN server is setting the default gateway
14:02 < ecrist> !config
14:02 < vpnHelper> ecrist: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
14:02 < ecrist> !configs
14:02 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
14:02 < ecrist> WinstonSmith: ^^^
14:04 < WinstonSmith> ecrist, this does not work i still get the route : "0.0.0.0         10.8.0.5" added 
14:04 -!- Q|noob [~Unknown@p50829034.dip0.t-ipconnect.de] has joined ##openvpn
14:04 < WinstonSmith> ecrist, the behavior i was looking far is that the vpn is JUST used to connect to the machines inside the vpn ... no other traffic routed through it
14:04 < WinstonSmith> ecrist, will do 1 min
14:04 < ecrist> WinstonSmith: please paste your config here
14:04 < ecrist> if I can't see your config, I can only guess at what is done.
14:04 < Q|noob> !welcome
14:04 < vpnHelper> Q|noob: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:05 -!- WinstonSmith [~true@f052096162.adsl.alicedsl.de] has quit [Remote host closed the connection]
14:05 -!- Q|noob is now known as Q|
14:05 -!- WinstonSmith [~true@f052096162.adsl.alicedsl.de] has joined ##openvpn
14:06 -!- mmerlone [bb3af392@gateway/web/freenode/ip.187.58.243.146] has joined ##openvpn
14:06 < Q|> !howto
14:06 < vpnHelper> Q|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:09 < WinstonSmith> ecrist, plz look here : http://pastebin.com/q1kLU39a
14:09 < mmerlone> hi, got disconnected by inactivity.
14:10 < mmerlone> so, what can be wrong with my routing?
14:10 < WinstonSmith> ecrist sorry ubuntu 10.04 OpenVPN 2.1.0 i486-pc-linux-gnu 
14:11 < WinstonSmith> ecrist and yes obviously it is setting the default gateway but why im not pushing routes
14:13 < Q|> !logs
14:13 < vpnHelper> Q|: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
14:18 < mmerlone> http://pastebin.com/1B6ViMpv
14:19 < mmerlone> I am unable to route trough all nets with this config, can anybody help me?
14:20 -!- mmerlone_ [bb3af392@gateway/web/freenode/ip.187.58.243.146] has joined ##openvpn
14:20 < Q|> Ok, just to be sure, if I try to telnet to my machine and the UDP-Port OpenVPN is running as a server, I should see something in the tcpdump-output of tun0, right?
14:23 -!- mmerlone [bb3af392@gateway/web/freenode/ip.187.58.243.146] has quit [Ping timeout: 252 seconds]
14:24 -!- mmerlone_ [bb3af392@gateway/web/freenode/ip.187.58.243.146] has quit [Client Quit]
14:33 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit [Quit: Leaving.]
14:33 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
14:33 -!- mode/##openvpn [+o mattock] by ChanServ
14:39 < WinstonSmith> ecrist, you still with me?
14:40 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:42 < WinstonSmith> hi all :) i have a ubuntu opnvpn client and when i connect to the server it adds a route so that ALL my traffic is routed through the vpn. that is not desired. i got around it by using the vpn control panel from ubuntu but i would like to know if there is some option i can put in the .conf so it does not push a default route? thx http://pastebin.com/q1kLU39a
14:50 < krzee> you dont control the server?
14:51 < krzee> errr
14:51 < krzee> i just saw your configs... you are not pushing a default route
14:51 < krzee> unless it is in the CCD entry, which you did not paste
14:52 < krzee> also
14:52 < krzee> !path
14:52 < vpnHelper> krzee: "path" is always use full paths in your config file, it makes things easier
14:52 < krzee> get into that habit as to not have future problems
14:53  * ecrist does not use full paths in client configs.
14:53 < krzee> nor do i, i use --cd
14:53 < krzee> but in case you forgot, you are the one who set the policy of !path :-p
14:55 < ecrist> was I drunk?
14:55 < ecrist> prolly safe bet
14:58 < WinstonSmith> yes im not pushing a default route ... but 1 get added anyway ... so in the ubuntu network manager applet there is a option for IPv4 settings > routes > use this connection only for resources on its network which fixes the problem but i would like to know what exactly is going on /me puzzled
14:59 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has quit [Read error: Connection reset by peer]
14:59 < WinstonSmith> krzee, the configs i pasted are all there is ....
15:09 < WinstonSmith> oh yeah and from a win client i can ping thw server but not the other way around :8
15:09 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit [Ping timeout: 265 seconds]
15:10 < vpnHelper> RSS Update - forum: Server Administration :: OpenVPN using OpenSSL w/Intel's AES-NI Engine-- Performance? :: Author ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7053&p=7701#p7701> || Server Administration :: Internet routing :: Author jcrawfordor <https://forums.openvpn.net/viewtopic.php?f=4&t=7054&p=7702#p7702> || Configuration :: crl-verify causes server to crash when client connects :: Author Fosters <https://forums.openvp
15:11 -!- Q| [~Unknown@p50829034.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds]
15:15 -!- Q| [~Unknown@p50828050.dip0.t-ipconnect.de] has joined ##openvpn
15:18 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has joined ##openvpn
15:19 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has quit [Read error: Connection reset by peer]
15:22 < krzee> WinstonSmith,  that is not true... you use ccd-exclusive
15:22 < krzee> which means if you didnt have a ccd entry, you wouldnt connect
15:22 < krzee> and 1 way ping means firewall
15:23 < WinstonSmith> krzee, but idont have any ccd entry and the win client runs on vbox on top of my ubuntu and is pingable from the host ... with a bridged connection so it should work
15:24 < WinstonSmith> or is the ccd in a different conf file?
15:27 < krzee> !ccd
15:27 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
15:27 < krzee> you should know this if you are using it in your configs...
15:28 < WinstonSmith> krzee,  i used a webmin plugin to generate the configs there is a ccd option there but i left it blank. so is there no command like example --no-default-route or so?
15:32 < krzee> oh god
15:33 < WinstonSmith> krzee, but ccd-exclusive just means if the config for that client is not found on the server to refuse connection... so it should not be related to my gateway problem?
15:33 < WinstonSmith> krzee, just asking
15:33 < krzee> it means you have ccd entries
15:33 < krzee> and may be pushing a new gateway from there
15:33 < krzee> which is why !configs says to include any ccd entries :-p
15:33 < WinstonSmith> "--ccd-exclusive : Refuses the conn when its custom client config is not found
15:34 < WinstonSmith> but this client conf is the one you roll out to the client .... it has no special commands for the server in it
15:35 < krzee> false
15:35 < krzee> !ccd
15:35 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
15:35 < WinstonSmith> krzee, soooory you are right
15:36  * WinstonSmith blushes and ducks away
15:36 < WinstonSmith> but i just did a less /etc/openvpn/servers/SJVPN/ccd/lappie and its empty
15:36 < krzee> ls /etc/openvpn/servers/SJVPN/ccd/
15:37 -!- Cain [~Geek@unaffiliated/cain] has quit [Quit: Sayaunara ^_^]
15:37 < WinstonSmith> lappie  mors  win2ktest
15:37 < WinstonSmith> which are my 3 clients
15:37 < krzee> cat all 3
15:38 < WinstonSmith> and the are all empty
15:38 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has joined ##openvpn
15:38 < krzee> then why use ccd-exclusive
15:39 < WinstonSmith> thats the webmin it adds it by default... ok ill edit by hand and take it out ... but they being empty they should not influence it no?
15:40 < krzee> right, but you also have nothing in those configs that messes with gateway
15:40 < krzee> !interface
15:40 < vpnHelper> krzee: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
15:48 -!- jaminja [~jaminja@74.81.170.4] has quit [Read error: Operation timed out]
15:49 < WinstonSmith> krzee, look here http://pastebin.com/1JKU2T5z and thank you for your time !
15:51 < krzee> how are you starting them?
15:51 < krzee> also through webmin?
15:51 < WinstonSmith> yes
15:53 -!- jaminja [~jaminja@95.211.4.12] has joined ##openvpn
15:54 -!- manevra_ [~manevra@86.121.76.162] has joined ##openvpn
15:55 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has quit [Read error: Connection reset by peer]
15:55 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
15:56 -!- manevra [manevra@188.72.227.89] has quit [Ping timeout: 240 seconds]
15:57 -!- Q| [~Unknown@p50828050.dip0.t-ipconnect.de] has left ##openvpn []
16:02 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:07 < WinstonSmith> but i can just do it with service openvpn start
16:07 < WinstonSmith> with the same results
16:07 < WinstonSmith> :(
16:11 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has joined ##openvpn
16:14 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has quit [Read error: Connection reset by peer]
16:17 -!- WinstonSmith_ [~true@f052096162.adsl.alicedsl.de] has joined ##openvpn
16:17 -!- WinstonSmith [~true@f052096162.adsl.alicedsl.de] has quit [Ping timeout: 265 seconds]
16:20 < krzee> you are probably starting different configs than you are pasting
16:20 < krzee> actually, not probably
16:20 < krzee> you ARE
16:21 < krzee> kill all instances of openvpn, then start it from commandline
16:21 < krzee> openvpn --config <configfile>
16:21 < WinstonSmith_> i just did : Autostarting VPN 'SJVPN'
16:21 < WinstonSmith_> so it should be using the same config
16:22 < WinstonSmith_> i did service openvpn start
16:22 < krzee> [14:24]  <krzee> kill all instances of openvpn, then start it from commandline
16:22 < krzee> [14:24]  <krzee> openvpn --config <configfile>
16:22 < WinstonSmith_> also did a tail -f logfile and connected with client to see if he pushes some GW
16:22 < WinstonSmith_> ok i will
16:24 < WinstonSmith_> ok did that connected with client same prob
16:24 < WinstonSmith_> should i give you a log with verbosity = 5?
16:26 < WinstonSmith_> and it is the same config file  i only have 1
16:26 < WinstonSmith_> since it says Autostarting VPN 'SJVPN a quick locate SJVPN took care of that
16:26 < pcard> Is there a way to revoke a key, or otherwise prevent a key you've issued a client from being used?
16:27 < krzee> !crl
16:27 < vpnHelper> krzee: "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn)
16:27 < vpnHelper> krzee: that will create the CRL file for you. ssl-admin will also build a crl for you
16:28 < pcard> ah, many thanks
16:28 < krzee> np
16:31 < krzee> WinstonSmith_, you did start it manually?  it is possible that webmin is starting it with additional options given at commandline
16:32 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has joined ##openvpn
16:32 < WinstonSmith_> yes i did start it manually and i also tried the service openvpn start which starts all vpns configured in /etc/openvpn to no avail
16:34 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has quit [Read error: Connection reset by peer]
16:34 < WinstonSmith_> krzee, please enlighten myself : the configs i posted they are minimal but they should work no? 
16:34 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
16:40 -!- magic_1 [~magic@unaffiliated/magic1/x-836121] has quit []
16:41 < krzee> they arent really minimal
16:41 < krzee> you just want a basic vpn where you can reach only the vpn machines, right?
16:41 < WinstonSmith_> yes exactly sorry was afk
16:41 < krzee> you answered within seconds ;)
16:42 < WinstonSmith_> so no bridge etc
16:42 < krzee> try these (just change the filenames for certs and stuff)
16:42 < krzee> !sample
16:42 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
16:44 < WinstonSmith_> ok will try and get back later. thanks for the patience :D
16:45 < krzee> yw
16:52 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has joined ##openvpn
16:55 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has quit [Read error: Connection reset by peer]
16:56 < WinstonSmith_> krzee, just on quick question : you dont have the float parameter ... inst that good if the clients change their ip while connected?
16:56 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 252 seconds]
16:56 < krzee> yes, when would that happen?
16:56 < krzee> it has certainly never happened for me
16:58 < WinstonSmith_> i mean it references to their outside (internet ip) and that could change and if the gain a new ip before the timeout of the vpn? or is that BS?
17:04 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 272 seconds]
17:04 < WinstonSmith_> krzee, i changed both configs, restarted services... nothing still same problem
17:04 < WinstonSmith_> krzee, the it hit me ..... AAAAAAAARGH
17:05 < WinstonSmith_> krzee, its the fu******** network manager from gnome ... it adds a route bi itself UNLESS you explicitly prohibit it !!!!
17:06 < WinstonSmith_> by*
17:06 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
17:06 < WinstonSmith_> aaarrrgh hours lost
17:06  * WinstonSmith_ will never again use GUI if theres a way on the CLI !!!!
17:07 < WinstonSmith_> krzee, thank you again for the help & have a VERY nice day!!
17:08 < krzee> you said you were starting it manually from cli
17:08 < krzee> i said openvpn --config <config>
17:08 < krzee> you said you did it
17:08 < WinstonSmith_> the server but not the client :(
17:08 < krzee> had you said network manager i would have said
17:08 < krzee> !ubuntu
17:08 < vpnHelper> krzee: "ubuntu" is dont use network manager!
17:08 < krzee> or
17:08 < WinstonSmith_> i thought you were referring to theserver sry
17:08 < krzee> !netman
17:08 < vpnHelper> krzee: "netman" is if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from an openvpn expert on the mail list
17:09 < krzee> ;)
17:09 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
17:09 < WinstonSmith_> i am a burned child now for sure ... vade retro satanas !!!
17:10 < WinstonSmith_> now ill just configure a nice sweet service that autostarts and will be in heaven
17:12 < WinstonSmith_> krzee, well the link is not accurate ... it did import all the files correctly etc ... the only issue was that stupid gateway it added
17:13 < WinstonSmith_> maybe ill file a suggestion that the gateway thing is NOT default ... than it would have worked perfectly from the start
17:15 < krzee> werd
17:15 < krzee> i will stick with the stance that network manager is pointless to use
17:15 < krzee> (for openvpn)
17:16 < krzee> (but thats just my opinion)
17:28 -!- WinstonSmith_ [~true@f052096162.adsl.alicedsl.de] has quit [Ping timeout: 252 seconds]
17:39 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has joined ##openvpn
17:41 -!- manevra_ [~manevra@86.121.76.162] has quit [Quit: Leaving]
17:41 -!- WinstonSmith_ [~true@f052099009.adsl.alicedsl.de] has joined ##openvpn
17:46 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:55 -!- cshaiku [~cshaiku@cshaiku.com] has left ##openvpn []
18:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
18:15 -!- Chosi [osxchosi@choseh.de] has quit [Ping timeout: 255 seconds]
18:19 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:26 -!- Chosi [osxchosi@choseh.de] has joined ##openvpn
18:35 < Dougy> krzee: 
18:35 < Dougy> https://forums.openvpn.net/viewtopic.php?f=4&t=7053
18:35 < vpnHelper> Title: OpenVPN Support Forum View topic - OpenVPN using OpenSSL w/Intel's AES-NI Engine-- Performance? (at forums.openvpn.net)
18:35 < Dougy> seen that yet/
18:35 < Dougy> ?
18:39 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has quit [Quit: Leaving]
18:56 -!- Squidy_at_Home [~quassel@189.73.211.71] has joined ##openvpn
19:17 -!- Cisien [Cisien@c-98-232-115-192.hsd1.wa.comcast.net] has joined ##openvpn
19:18 -!- Cisien_ [~chris@c-98-232-115-192.hsd1.wa.comcast.net] has quit [Ping timeout: 252 seconds]
19:26 -!- WinstonSmith_ is now known as WinstonSmith
19:34 -!- jaminja_ [~jaminja@74.81.170.4] has joined ##openvpn
19:35 -!- jaminja [~jaminja@95.211.4.12] has quit [Disconnected by services]
19:35 -!- jaminja_ is now known as jaminja
19:49 -!- mosno [~mosno@unaffiliated/mosno] has joined ##openvpn
19:51 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
20:16 -!- zzattack [zzattack@21-78-ftth.onsneteindhoven.nl] has joined ##openvpn
20:20 -!- SOG [~SOG@222.125.226.58] has quit [Quit: SOG]
20:22 -!- SOG [~SOG@222.125.226.58] has joined ##openvpn
20:25 -!- SOG [~SOG@222.125.226.58] has quit [Client Quit]
20:30 -!- TheRealJeanLuc [~jcrawford@129.138.220.4] has joined ##openvpn
20:32 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
20:32 < TheRealJeanLuc> Hello. I'm having trouble setting up internet routing through OpenVPN. The Windows Server machine acting as the server is probably not acting as a gateway properly, but I'm having trouble finding info on setting this up properly.
20:34 < krzee> !redirect
20:34 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
20:34 < krzee> !winipforward
20:34 < vpnHelper> krzee: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
20:34 < krzee> !winnat
20:34 < vpnHelper> krzee: "winnat" is (#1) http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows, or (#2) http://www.nanodocumet.com/?p=14 for windows XP
20:35 < krzee> Dougy, no, interesting stuff!
20:42 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
20:46 < TheRealJeanLuc> krzee, thanks for the second link. I'm trying it out now.
20:51 -!- zzattack [zzattack@21-78-ftth.onsneteindhoven.nl] has quit []
20:54 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Quit: Leaving.]
20:55 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
20:55 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Client Quit]
20:55 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
21:00 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Ping timeout: 245 seconds]
21:06 < Dougy> wat
21:07 < Dougy> krzee: i thought so
21:26 < pcard> is it ok to run two openvpn server instances? I have one that running for tap currently, bridging two networks into one large network, works really well. I want to add another instance for tun, for clients without tap support (such as those using openvpn-iphone on jail broken iphones) and do apple with the pptp server
21:26 < pcard> *do away with the pptpd server
21:27 < pcard> is it ok to tun both a tap based server and a tun based sever?
21:27 < pcard> (the second one, for tun, would obviously run on another port, and I'd make a config for it accordingly, I just want to know if it's ok to run both tap and tun on the same server box [linux] )
21:32 -!- jaminja [~jaminja@74.81.170.4] has quit [Changing host]
21:32 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
21:35 < jpalmer> pcard: yes,  it'd be ok.
21:41 -!- Cisien [Cisien@c-98-232-115-192.hsd1.wa.comcast.net] has quit []
21:41 -!- Cisien [Cisien@c-98-232-115-192.hsd1.wa.comcast.net] has joined ##openvpn
21:41 -!- Cisien [Cisien@c-98-232-115-192.hsd1.wa.comcast.net] has quit [Client Quit]
21:42 -!- Squidy_at_Home [~quassel@189.73.211.71] has quit [Remote host closed the connection]
21:43 -!- Cisien [Cisien@c-98-232-115-192.hsd1.wa.comcast.net] has joined ##openvpn
21:43 -!- SOG_ [~SOG@61.144.230.241] has joined ##openvpn
21:45 -!- SOG_ [~SOG@61.144.230.241] has quit [Remote host closed the connection]
21:45 -!- SOG_ [~SOG@61.144.230.241] has joined ##openvpn
21:45 -!- SOG [~SOG@61.144.230.241] has quit [Read error: Connection reset by peer]
21:45 -!- SOG_ is now known as SOG
21:46 -!- Cisien [Cisien@c-98-232-115-192.hsd1.wa.comcast.net] has quit [Client Quit]
21:56 -!- Cisien [Cisien@2001:1938:277:0:57d:b27:bfb1:56f8] has joined ##openvpn
21:56 < pcard> jpalmer: thanks, so now I can finally be rid of pptp
21:57 -!- Cisien [Cisien@2001:1938:277:0:57d:b27:bfb1:56f8] has quit [Client Quit]
21:57 -!- Cisien [Cisien@2001:1938:277:0:57d:b27:bfb1:56f8] has joined ##openvpn
21:58 -!- pgarman [6273baa3@gateway/web/freenode/ip.98.115.186.163] has joined ##openvpn
21:59 < pgarman> Hello -- I'm not as familiar with OpenVPN and have spent all day trying to get all traffic to route through the VPN but am stumped. Anyone free to take a look at my configs any maybe point me in the right direction?
22:01 < jpalmer> pgarman: are the clients seeing the default route being pushed down?
22:02 < pgarman> I keep changing configs, and the two scenarios I keep getting are either full internet access not being routed, or no internet access but can access the VPN server by IP
22:02 < jpalmer> it's generally going to be one of 3 things.  so,   first question:  do the clients see the default route being pushed?
22:02 < pgarman> Not sure if that answers the question or not... I see most docs are pointing to add "redirect-gateway def1" but that has not helped
22:03 < jpalmer> ok, what OS are the clients?
22:03 < pgarman> clients on Win7 using OpenVPN GUI
22:04 < jpalmer> ok,  before we start.. change the configs back to the "full access to VPN, but no internet access"  because thats the one that is probably closer to being correct.
22:04 < pgarman> Ok. one sec
22:04 < jpalmer> when thats done,  we'll do some troubleshooting.
22:05 < pgarman> Ok, have to switch comps so I'm going to leave and be back in a sec...
22:05 < jpalmer> k
22:06 < Cisien> i enabled ipv6 on my network, and my tap-based vpn just ... worked!
22:09 < pcard> one more quick question, when running two openvpn servers on the same box, is it ok to use the same ca, server.crt/key and dh*.pem files?
22:10 -!- pgarman [6273baa3@gateway/web/freenode/ip.98.115.186.163] has quit [Ping timeout: 252 seconds]
22:10 < jpalmer> I'd suggest not doing so.  from a security aspect.  having said that,  there is nothing technically stopping you from using the ame keys.
22:10 -!- pgarman [~pgarman@pool-98-115-186-163.chi01.dsl-w.verizon.net] has joined ##openvpn
22:10 < pgarman> woo finally loaded
22:11 < pgarman> Ok the Win7 PC is up, connected through VPN, no internet access but full VPN server access
22:11 < pcard> ok thanks
22:11 < jpalmer> pgarman: ok, connect your windows client to the openvpn.   then go into the command line and type 'netstat -rn'
22:11 < jpalmer> cut and paste the output you get,  to pastebin.ca
22:12 < pgarman> ok just a sec.
22:12 < jpalmer> pgarman: you may need to open the command line as admin.  I forget if netstat requires privs.
22:12 < pcard> isn't that the same output as 'route print' or is there a difference?
22:14 < jpalmer> pgarman: I'm going to wash my dinner dishes before my fiancee gets home.  I'll be back in maybe 10 minutes or so.  just post the output, and let us know the link.
22:14 < pgarman> http://pastebin.com/Yuyi71rD
22:14 < pgarman> Just posted :) take your time.
22:16 < jpalmer> pgarman: wasn't expecting the paste yet.
22:16 < jpalmer> what OS is your openvpn server?
22:16 < pgarman> CentOS5
22:16 < jpalmer> ok,  do you have ip_forwarding enabled?
22:16 < pgarman> Yep
22:16 < pgarman> I got an error doing the -p ? but network restarted OK
22:16 < jpalmer> ok, do you have iptables set to MASQ your traffic from tun0/tap0 (whichever you use)
22:17 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
22:17 < pgarman> I did do the IPtables masq off the OpenVPN doc, changed the IP to 10.8.1.0 (clients should access and get a 10.8.1.x IP)
22:17 < pgarman> Assumed that was correct to change?
22:18 < jpalmer> on the centos server,   what do you get from 'sysctl net.ipv4.ip_forward'
22:20 < pgarman> Almost got it... have to get into SSH on this comp now
22:20 < jpalmer> ok, gonna do dishes. brb
22:21 < pgarman> net.ipv4.ip_forward = 1
22:27 -!- tazmania [~tazmania@74.46.49.60.kmr01-home.tm.net.my] has joined ##openvpn
22:33 < mosno>  why is my openvpn client not being pushed the correct client tap IP? in the server log i see "OPTIONS IMPORT: reading client specific options from" and " PUSH: Received control message: 'PUSH_REQUEST'", however, the client tap doesn't get the IP specified in the options import file.
22:35 < tazmania> I've got the basic OpenVpn up and running in both server and client by following this link http://fedoraproject.org/wiki/Openvpn.  Now, I would like to implement a more secure vpn by forcing users to login in with assigned username and password.  How can I do that?  Is that an FAQ or doc in achieving that?
22:35 < mosno> oh, a restart of the server helped. i'm not sure why exactly.
22:41 < jpalmer> pgarman: from the client,  can you paste the output of tracert 4.2.2.2
22:41 < pgarman> i can do a tracert and then disconnect VPN :) one sec
22:41 < jpalmer> no
22:42 < jpalmer> wait.   I need the vpn connected, when you do the traceroute.
22:43 < pgarman> Yes it is connected during the tracert. but to post pastebin disconnect
22:43 < jpalmer> gotcha.  thats fine.
22:43 < pgarman> wont even bother, first hop to 10.8.1.1 took forever but showed 40ms
22:43 < pgarman> after that timeouts
22:44 < jpalmer> ok, so it is using the correct route.  you have ip forwarding enabled..  so,  it's your firewall
22:44 < pgarman> at hop 3 when I walked away from that desk, but I'm sure still timing out at that rate
22:44 < jpalmer> it's fine.  kill it
22:44 < pgarman> on the server?
22:44 < jpalmer> no, cancel the tracert
22:44 < pgarman> Ok.
22:46 < jpalmer> so here is the problem.  it's definately your firewall.  the other problem is,  I'm a BSD guy.  I don't know a thing about iptables.  so my suggestion at this point would be to ask #RHEL or #CentOS how to enable NAT so that traffic from tun0 can be passed out eth0
22:46 < pgarman> Well there is no firewall (that I know of) at all on this connection, server is clean install of CentOS with Webmin and OpenVPN only so far. PC is Win7 with hardly anything else.
22:46 < pgarman> Ok.
22:46 < pgarman> I will check into that, at least thats an answer and I spent a ton of time finding none ha
22:47 < jpalmer> if you ask now,  I'm in both channels and will listen to the responses you get, because..  this actually is a common question, that I help people with constantly.. and when we get to this point,  I have to stop helping.
22:47 < jpalmer> I'd like to actually get an answer to the iptables portion of this.
22:48 < pgarman> I'll jump into centos
22:57 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
22:59 < jpalmer> pgarman: looks like we won't be getting the answer tonight.  sorry.  fiancee is home, so I'ma spend some time with her.  good luck though.
23:00 < pgarman> Thanks, enjoy your night. Thanks for the help
23:01 < pgarman> Once I figure out the issue I will check back and let you know
23:12 -!- |Mike| [mike@2001:1af8:2:444::2] has quit [Read error: Connection reset by peer]
23:26 -!- pgarman [~pgarman@pool-98-115-186-163.chi01.dsl-w.verizon.net] has quit [Quit: pgarman]
23:27 -!- |Mike| [mike@2001:1af8:2:444::2] has joined ##openvpn
23:43 -!- brah [~brah@186.109.248.235] has joined ##openvpn
--- Day changed Wed Sep 01 2010
00:35 -!- Four2zero [Four2zero@cpe-76-94-31-248.socal.res.rr.com] has joined ##openvpn
00:41 -!- krzee [~k@unaffiliated/krzee] has quit [Read error: Operation timed out]
00:50 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
00:51 -!- darkwind [~bpayne@rrcs-70-61-50-54.central.biz.rr.com] has quit [Ping timeout: 240 seconds]
00:53 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
00:53 -!- darkwind [~bpayne@rrcs-70-61-50-54.central.biz.rr.com] has joined ##openvpn
01:14 < pcard> setting up a tun based openvpn server instance, in that server instance's conf file, I set `topology subnet` (do I also need that in a push statement?), and if I understand correctly, I can use ifconfig to set <ip> and <mask> for the local end point. Can this be the same as the local lan IP/mask of the server?
01:16 < pcard> in other words, if the server's eth0 (br0 in my case, as I also run a tan based openvpn server) is 192.168.1.4/255.255.0.0, can the I set ifconfig 192.168,1,4 255.255.0.0 ?
01:16 < pcard> or does it have to be a different IP from the host's lan nic's IP ?
01:20 -!- jaminja_ [~jaminja@95.211.4.12] has joined ##openvpn
01:20 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Ping timeout: 245 seconds]
01:24 -!- Four2zero [Four2zero@cpe-76-94-31-248.socal.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com ) Nuked Internet !]
01:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
01:52 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
01:57 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
02:01 -!- szr [~SR@unaffiliated/szr] has joined ##openvpn
02:08 < pcard> anyone?
02:09 < reiffert> might work.
02:12 < pcard> Yeah it seems to work. I'm trying to test connect from my iphone (yes with wifi disabled), I get on the client log file on the iphone, UDPv4 link local: [undef]   UDPv4 link remote <wan-ip>:1195   and then a whole lot of write UDPv4: No route to host (code=65)
02:12 < pcard> not sure what I could be doing wrong
02:13 -!- dazo_afk is now known as dazo
02:16 < pcard> bah stupid att, it wasn
02:16 < pcard> 't get an ipaddress on 3g for some reason
02:20 -!- WinstonSmith [~true@f052099009.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
02:27 < pcard> ok now it is
02:31 -!- TheRealJeanLuc [~jcrawford@129.138.220.4] has quit [Quit: Leaving]
02:36 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Ping timeout: 260 seconds]
02:41 < kraut> moin
02:42 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
02:43 -!- vexorg [~vexorg@h216-18-7-221.gtconnect.net] has joined ##openvpn
02:47 < pcard> ok, on my tun server, I have ifconfig-pool 192.168.0.150 192.168.0.199 255.255.0.0, but I also want to be able to overide this, that is, to specifiy an ip/mask in the client config. I thought this was also done with ifconfig <ip> 255.255.0, but it's not work, it still gets an ip from the pool
02:48 < reiffert> iphone + wifi = bad idea?
02:48 < reiffert> moin moin kraut
02:48 < pcard> no I have wifi turned off. I'm using it to test
02:48 < reiffert> pcard: ah, I can see now ;)
02:48 < pcard> I'm testing via 3G only
02:49 < pcard> I can connect just fine now (had to run as root), right now I'm asking how I can manually specify an ip in the client's conf so it doesn't get one from the pool ?
02:50 < pcard> basically I want any client that doesn't manually specify an ip in it's client conf to get one from from the pool, but only if it doesn't specify
02:51 < reiffert> !ccd
02:51 < vpnHelper> reiffert: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
02:52 < pcard> I would much rather just be able to set an ip/mask in the client-side conf file, not on the server side, is this possible? 
02:52 < reiffert> pcard: the procedure you are describing sounds like the default.
02:52 < pcard> to allow client the ability to set their own ip
02:53 < pcard> I was able to connect from iphone and it got one from the pool (the first one), 192.168.0.150, but I want to set it to 192.168.0.7 instead
02:53 < reiffert> pcard: personally I dislike the client to be able to do anything. Clients are stupid wannabes. I like to control them from my personal controlling center.
02:53 < pcard> reiffert: I understand, and I agree, but this is for my own personal test. Although I may still go with your suggestion and do the client-config-dir method
02:54 < pcard> I just want to know if it's possible
02:54 < reiffert> Think it's best if you just *try* it out
02:55 < pcard> I have
02:55 < pcard> that's why I'm asking
02:55 < pcard> I already said what I did and what happened
02:56 < pcard> in the client side conf file I put ifconfig 192.168.0.7 255.255.0.0
02:56 < pcard> and it seemed to just be ignored
02:56 < reiffert> you wrote: "but I want to set it ... instead" did you do it actually?
02:56 < pcard> in the client side conf file I put ifconfig 192.168.0.7 255.255.0.0
02:56 < pcard> but it still got 192.168.0.150
02:56 < reiffert> Try to set the interface address manually after connecting and see if communication is still possible.
02:57 < pcard> how exactly would I do it with the server side (client-config-dir) method, to always give it a specific ip
02:57 < reiffert>  use --client-config-dir <dir> to enable it,
02:57 < reiffert>                    then put the config options for the client in <dir>/common-name
02:58 < pcard> I understand that much. I'm asking what option(s) would I put in there exactly to give said client the desired ip?
02:59 < reiffert> Have a look here: http://www.openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html
02:59 < vpnHelper> Title: OpenVPN 2.1 (at www.openvpn.net)
02:59 < reiffert> searching for --client-config- brings up (among other things)
02:59 < reiffert> --ifconfig-push local remote-netmask Push virtual IP endpoints for client tunnel, overriding the --ifconfig-pool dynamic allocation. 
03:00 < reiffert> also intresting: --ifconfig-pool-persist
03:00 < reiffert> be sure to check
03:00 < reiffert> For example, --server 10.8.0.0 255.255.255.0 expands as follows: 
03:01 < reiffert> the expansion
03:03 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:14 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:39 -!- tazmania [~tazmania@74.46.49.60.kmr01-home.tm.net.my] has quit [Quit: Leaving]
03:40 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 265 seconds]
04:00 -!- mosno [~mosno@unaffiliated/mosno] has quit [Quit: Leaving]
04:05 -!- montana [~montana@212.117.173.72] has quit [Read error: Operation timed out]
04:05 -!- montana [~montana@212.117.173.72] has joined ##openvpn
04:10 -!- simple1 [b2d830b3@gateway/web/freenode/ip.178.216.48.179] has joined ##openvpn
04:11 < simple1> hello...
04:11 < simple1> is there a way to traffic shaping per ip/host  ?
04:11 < simple1> each ip should hase for example 5mb up/down speed
04:12 < reiffert> simple1: yes, there is.
04:13 < simple1> may you give tips
04:13 < reiffert> simple1: I may. Read the manual:
04:13 < reiffert> !man
04:13 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
04:14 < reiffert> or better: find the search terms in there, e.g. "shape"
04:16 < simple1> it can do per ip or whole network ?
04:16 < reiffert> it can do as written in the manpage.
04:28 -!- drue [~drue@173-8-105-225-Minnesota.hfc.comcastbusiness.net] has quit [Ping timeout: 265 seconds]
04:31 < simple1> but i dont see per ip
04:31 < simple1> also i did install openvpn-as directly....should i install another thing ?
04:34 < vexorg> i have my openvpn server setup, clients can connect to the vpn and to each other (i enabled client-to-client), but none of the clients can ping/ssh/etc the server and the server can't ping/ssh/etc to any of the clients... suggestions on what i might have missed for troubleshooting?
04:36 < simple1> vexorg: did you setup traffic shaping per host ?
04:37 < vexorg> simple1, i dont use traffic shaping, my vpn is fairly simple
04:38 -!- star314 [~star314@xchg.fiss-oeaw.at] has joined ##openvpn
04:38 < simple1> i see
04:42 < vexorg> simple1, that shaper option that reiffert mentioned looks like what you want
04:42 < vexorg> is it not?
04:46 < reiffert> simple1: openvpn-as is a commercial product, please ask openvpn for support.
04:47 < simple1> correct me if i am wrong but is this option for per host or for whole interface ?
04:48 -!- Alocado [~matthias@2001:6f8:10e8:0:225:d3ff:fe1a:a837] has joined ##openvpn
04:48 < Alocado> hello!
04:49 < Alocado> does anybody know how many memory is needed for a vpn connection?
04:49 < Alocado> so.. if i wish to hold 100 or 200 vpn connections, how much ram should my machine have?
04:50 <@dazo> Alocado:  I don't have any number ... but not much is needed.  If you have a standard server with 2GB+, you're more than safe enough for that
04:50 < Alocado> thy :)
04:50 <@dazo> allquixotic:  Even 1GB might be more than sufficient
04:51 <@dazo> Alocado:  ^^ 
04:51 <@dazo> allquixotic:  (sorry, wrong nick)
04:51 < Alocado> so 5-10MB per connections is enough?
04:51 <@dazo> Alocado:  what you need to be aware of is if you have some extra plug-ins in addition on the server side ... they might eat some memory
04:51 < Alocado> s/connections/connection
04:51 <@dazo> Alocado:  I'm guessing < 300kb per connection
04:51 < Alocado> WOW!
04:52 <@dazo> Alocado:  And I feel I'm exaggerating there
04:52 <@dazo> Alocado:  openvpn is a pure C program .... it's not Java ;-)
04:52 < Alocado> i'm setting up a accounting server (freeradius, pgsql database, ..) and the only fear i had was VPN :D
04:54 < Alocado> which will limit the capacity to 200 NAS (which are connected via VPN to get access to the radius server) .. but if you are right (and i think so, i've no experience with large openvpn systems) .. we can have 1000+ :)
04:54 <@dazo> Alocado:  OpenVPN is running on a lot of embedded devices, both as client and server .... and I can't recall having heard anyone complain about the memory footprint OpenVPN needs .... the binary executable might be a tad too big for some embedded devices, that's the only thing
04:55 <@dazo> Alocado:  what *is* an issue with OpenVPN is that it is not a threaded application ... so having too many clients my decrease the overall performance
04:55 <@dazo> Alocado:  but what people do is to start more OpenVPN processes, pin them to separate CPU cores and have some kind of round-robin features to load-balance them
04:56 <@dazo> Alocado:  some reports are around 150-200 clients ... below that, it performs very well
04:56 <@dazo> (that's one single process)
04:56 < Alocado> ok... we only have little auth traffic through the VPN
04:56 < Alocado> and some website clicks for authenticating ;) not the whole traffic from all clients
04:57 <@dazo> Alocado:  then you probably won't notice much issues at all ... this was with more bandwidth requiring clients
04:57 < Alocado> very nice :)
04:59 -!- drue [~drue@173-8-105-225-Minnesota.hfc.comcastbusiness.net] has joined ##openvpn
05:05 -!- simple1 [b2d830b3@gateway/web/freenode/ip.178.216.48.179] has quit [Quit: Page closed]
05:07 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 240 seconds]
05:12 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
05:30 < kraut> moinsen reiffert 
05:30 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:35 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
05:36 -!- jaminja_ [~jaminja@95.211.4.12] has quit [Ping timeout: 245 seconds]
05:44 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Quit: ca va trancher]
05:59 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
06:11 -!- SOG [~SOG@61.144.230.241] has quit [Quit: SOG]
06:14 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
06:14 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined ##openvpn
06:14 -!- SOG [~SOG@61.144.230.241] has quit [Client Quit]
06:14 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 252 seconds]
06:26 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 276 seconds]
06:26 -!- gorkhaan [~gorkhaan@adsl-101-61.globonet.hu] has joined ##openvpn
06:37 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
07:04 -!- nutz [~nutz@178.63.10.188] has joined ##openvpn
07:04 < nutz> hi all
07:04 < ecrist> sup?
07:04 < nutz> i'm trying to set up openvpn in bridge mode with a bunch of clients
07:05 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
07:05 < nutz> two or more of those clients are gonna be windows and i just got the "yadda yadda 255.255.255.252 subnet" message. does this mean when my server is 10.0.0.5 i can only have ONE windows client and it needs to be 10.0.0.6?
07:06 < ecrist> sounds to me like you're using routed mode
07:08 < nutz> hm maybe - how do i check for that? or: how do i change that?
07:08 < ecrist> !configs
07:08 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
07:09 < nutz> http://pastebin.com/v6UPuh6i  it's gentoo linux 2.1.0
07:10 < nutz> (openvpn 2.1.0 on gentoo linux)
07:10 < ecrist> !logs
07:10 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
07:11 < nutz> ^^ kinda hard to get the client-logs due to this remote computer
07:12 < ecrist> we can't help without the logs
07:12 -!- JackCorleone [~root@187.10.70.18] has joined ##openvpn
07:12 -!- pcard [~pc@unaffiliated/jl-picard] has quit [Ping timeout: 252 seconds]
07:13 < nutz> workin on them - however can you tell me if there is an alternative to "routed mode" with bridging?
07:13 < ecrist> the difference is the adapter you use 
07:13 < nutz> http://pastebin.com/XwydUmpU this is ther server's log when the client connects
07:13 < ecrist> the server config leads me to believe you're using bridged mode
07:13 < nutz> yeah - that's what i said
07:14 < ecrist> well, that log leads me to think you've a firewall issue
07:14 -!- pcard [~pc@bujumbura.dreamhost.com] has joined ##openvpn
07:15 < nutz> hm i think around this time 14:12:28  the client already disconnected due to this 255.255.255.252 problem
07:15 < nutz> i tried the same config from a mac and it worked like a charm (with tunnelblick)
07:15 < ecrist> that netmask isn't a problem
07:15 < ecrist> the server disconnected due to connection refusal
07:16 < nutz> so you mean a firewall issue  on the server or client side?
07:16 < nutz> coz the server has no firewall
07:16 < ecrist> client side
07:16 < nutz> okay let me check
07:17 < nutz> hm - nope seems to be disabled there as well
07:17 < ecrist> let me rephrase.  you have a firewall problem.
07:17 < ecrist> there is no doubt
07:17 < ecrist> your log explains it 
07:18 < ecrist> 90% of people who come here for help have firewall issues
07:19 < nutz> hm.. i will look into that
07:19 < nutz> (it's weird that the os x connects though.. so it must be windows' firewall)
07:20 < ecrist> that's what I'm thinking
07:30 < nutz> lol .. nevermind - it was complete PEBKAC. i was so busy fixing the wrong <CR>s in windows, i completely forgot to change from tun to tap.
07:30 < nutz> d'oh.
07:30 < nutz> ecrist: thanks a bunch for helping me though :)
07:31  * nutz is gonna go over there to that corner and think about his actions for a while
07:31 < nutz> again thanks and have a nice day
07:31 < ecrist> np
07:31 -!- nutz [~nutz@178.63.10.188] has left ##openvpn ["WeeChat 0.3.2"]
07:57 -!- boswarrior [~mrnice@78.142.173.114] has joined ##openvpn
07:59 -!- SOG [~SOG@222.125.226.58] has joined ##openvpn
08:01 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
08:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
08:34 < jpalmer> ecrist: ping
08:37 -!- boswarrior [~mrnice@78.142.173.114] has quit [Quit: Ex-Chat]
08:39 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
08:47 < ecrist> pong
08:50 < jpalmer> ecrist: I've worked out a plan for redundancy/scalability for our openvpn network.   would you be interested in giving it a lookover to make sure I'm not misinformed about anything,  or if you have a better thought/idea for any aspect of it? I've got it in a google doc and can share it with you.
08:50 -!- star314 [~star314@xchg.fiss-oeaw.at] has quit [Quit: Leaving]
09:00 -!- Svedrin [svedrin@glint.funzt-halt.net] has left ##openvpn ["Verlassend"]
09:05 < ecrist> sure, would love to
09:12 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
09:24 -!- Seb [~Seb@untangle/dev/seb] has joined ##openvpn
09:24 < Seb> hi fellows
09:24 < Seb> can a given openvpn instance support more than one cipher ?
09:25 < Seb> basically, I have legacy clients with a "cipher foo" hardcoded in their configs, and I'd like not to change them one by one, but yet be able to propose the default blowfish cipher to newly generated clients
09:26 < Seb> I guess my problem can also be solved if the openvpn server can be told to ignore the "cipher" directive from the client altogether, but I couldn't find how to do that either
09:30 < Seb> !welcome
09:30 < vpnHelper> Seb: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:30 < Seb> heh
09:30 < Seb> so, any idea ? :)
09:43  * cron2 doesn't know the crypto handshake bits well enough to say whether this can be done or not (but *I* do *not* know a way)
09:45 < Seb> apparently supporting several ciphers can't be done
09:45 < Seb> i've tried about all the combination in my conf file :)
09:45 < Seb> combinations*
09:47 < cron2> Seb: maybe someone on the -devel mailing list knows
09:47 < Seb> that's probably why the option is called cipher, not ciphers, heh
09:47 < Seb> cron2: i guess I should ask there, yes
09:48 < Seb> cron2: -devel rather than -user, you think ?
09:49 < cron2> well, on -user, you could encounter another user that had the same issue and found a way to solve it - and on -devel, you could find someone who understands the SSL stuff well enough to give a definite answer :-)
09:49 < Seb> heh, -devel it is then
09:50 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
10:01 < Seb> hmm, the ./configure STRICT_OPTIONS_CHECK option could be interesting
10:05 < Seb> actually not
10:15 <@dazo> Seb: it's not possible to override or dynamically change the cipher in OpenVPN ... only way to do that, is to configure a new server and point clients to the new server - updating client configs one by one
10:17  * cron2 points to dazo: he's da SSL man
10:18  * dazo throws a lot of SSL ciphers at cron2
10:18  * cron2 avoides to get hit by refusing to negotiate
10:19 <@dazo> heh
10:20 < Seb> so, one instance <=> one cipher ?
10:20 < jpalmer> dazo: I think he just called you a terrorist.  he doesn't negotiate with terrorists.  I'd be offended, personally.
10:20 < Seb> I guess that puts and end to that 1st way of solving my problem, heh
10:21 <@dazo> jpalmer: doesn't matter ... I'm the one who merges in his IPv6 code into the -testing tree ... so he'd better be nice to me anyway ;-)
10:21 <@dazo> Seb: that's correct
10:22 < cron2> jpalmer: don't put words into my mouth :-) - that was just the "we don't do SSL cipher negotiaton" play of words
10:22 <@dazo> cron2: getting nervous? :-P
10:23 < Seb> well, ignoring the cipher directive from the client sounds like a better option then
10:23 < cron2> dazo: progress is slow enough as it is, I'm not risking anything :)
10:23 <@dazo> lol
10:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:25 < Seb> dazo: would the whole idea of "in case of mismatch, enforce server choice" be of general use to the public ?
10:25 < Seb> dazo: or should I just keep that patch, whenever I get to write it, to myself ? :)
10:25 <@dazo> Seb: well, there are many ways how to see this ... some might claim that forcing 1:1, rejecting everything else is a security feature
10:25 < cron2> another approach could be "do SSL negotiation", but that might be completely incompatible as well
10:26 < Seb> dazo: true
10:26 <@dazo> Seb: but if you write something which can fixes that ... please send it to -devel ... there it will be discussed and either ACKed or NAKed
10:27 <@dazo> Seb: whatever you do ... make sure it is configurable ... and look at how OpenSSL does this ... as the SSL protocol *can* auto-negotiate the strongest cipher which both sides supports
10:28 < jpalmer> cron2: I know,  I caught the ssl negotiation joke.  I further spun the joke using the common "we don't negotiate with terrorists" quote from many movies.   sorry if that wasn't apparent ;)
10:28 < jpalmer> jokes suck, when you have to explain them
10:28 < cron2> :)
10:28 <@dazo> Seb: however, what makes this tricky in OpenVPN ... that's that the SSL protocol is *strictly* TCP bound ... so OpenVPN does quite some trickery to get UDP support, and which makes OpenVPN not a "proper" SSL protocol application when using TCP
10:28 < Seb> oh, i was talking about the patch to plain ignore *some* client directives
10:29 < Seb> i don't think i'd be able to write something to sort-of auto-negotiate... at least not in a near future
10:29 <@dazo> Seb: ahh ... but how would you do that?  As --cipher and --tls-cipher can't be pushed ... how will the client ignore those arguments which are needed to establish a connection to begin with?
10:30 < Seb> well, client configs not specifying a cipher at all work just fine (as in, they use the one supplied by the server)
10:30 < Seb> that's the behavior i'd like
10:30 <@dazo> Seb: not specifying cipher implies --cipher CBC-BF  (iirc)
10:30 < Seb> ooooooh
10:31 < Seb> k, then I'm basically f*cked :)
10:31 <@dazo>       --cipher alg
10:31 <@dazo>               Encrypt  packets  with  cipher algorithm alg.  The default is BF-CBC, an abbreviation
10:31 <@dazo>               for Blowfish in Cipher Block Chaining mode.
10:31 <@dazo> (from the man page)
10:31 -!- gorkhaan [~gorkhaan@adsl-101-61.globonet.hu] has quit [Ping timeout: 276 seconds]
10:32 < Seb> yeah, i now realize i should have run my test with somethign else than the default encryption
10:32 <@dazo> :)
10:32 < Seb> (my server was using "BF-CBC" for all my tests)
10:32 <@dazo> yupp
10:33 < Seb> all right; well, thanks all for your help, I really appreciate you sorting me out :)
10:33 <@dazo> sure, no prob!
10:34 < Seb> have a good day fellows !
10:34 -!- Seb [~Seb@untangle/dev/seb] has left ##openvpn []
10:39 -!- SOG [~SOG@222.125.226.58] has quit [Remote host closed the connection]
10:39 -!- SOG [~SOG@n1164869057.netvigator.com] has joined ##openvpn
10:40 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
10:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
10:43 -!- gorkhaan [~gorkhaan@adsl-101-70.globonet.hu] has joined ##openvpn
10:44 < pcard> ok I've been doing a lot of reading, i nthe man and the openvpn website and via google searches, but I'm still not sure how to use the 'ifconfig' option for a tun server
10:44 < pcard> I see examples like ifconfig 10.8.0.1 10.8.0.2, and a mention in the man mapge that it should be reversed on the remote end?
10:45 -!- SOG_ [~SOG@222.125.226.58] has joined ##openvpn
10:45 < pcard> What I want to do is be able ot have one or more tun clients connect and be able to see the while 255.255.0.0 network
10:45 -!- SOG_ [~SOG@222.125.226.58] has quit [Client Quit]
10:45 < cron2> pcard: then "don't use ifconfig" :)
10:45 < cron2> just use "server 10.8.0.0 255.255.0.0"
10:45 < cron2> this is a macro that will setup ifconfig, route, ifconfig-pool etc. right
10:46 < pcard> yes but it depends on what topology is used
10:46 < cron2> so?
10:46 < pcard> I tried subnet, it doesn't seem to work with my openvpn-iphone
10:46 < pcard> I want to test a more basic setup make sure it works at all
10:46 < pcard> I mena it connect but I can't ping in either direction
10:46 < cron2> I have no experience with "subnet" - the most basic thing that works with the very oldest openvpn versions is "net30"
10:48 -!- SOG [~SOG@n1164869057.netvigator.com] has quit [Ping timeout: 240 seconds]
10:48 < pcard> how do I setup a net30 topology where the client can see the whole remote network
10:48 < cron2> configure "server ..." and that's it
10:48 < cron2> (and do *not* configure "topology ...")
10:48 < pcard> and if possible I'd like the server's end point ip to be the same as it's eth0 ip
10:48 < cron2> that is not possible with tun
10:48 < cron2> period
10:49 < pcard> what isn't?
10:49 < cron2> you can't have the same IP address on the tun and the eth0
10:49 < cron2> if you just want "openvpn to listen on the eth0 ip address", configure "listen <eth0-ip>" in the server config
10:49 < pcard> well it can be a different one then. Can it be something like 192.168.0.200 (and the pool .150-199)
10:50 -!- macsppadic [~sonupunno@88.211.55.77] has left ##openvpn []
10:50 < cron2> that might work, but don't even go there before you really understand how the kernel and userland routing bits play together
10:50 < cron2> !route
10:50 < vpnHelper> cron2: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:50 < pcard> (no what I meant, til now I've been running pptpd (poptop) and it had no problem having the same server sideend point (ie, of ppp0) being the same ip as eth0)
10:51 < cron2> pcard: pptpd is not openvpn, and is not using tun interfaces
10:51 -!- gorkhaan [~gorkhaan@adsl-101-70.globonet.hu] has quit [Read error: Connection reset by peer]
10:51 < pcard> right
10:51 < pcard> I get that
10:51 < cron2> the model is different - openvpn gets the linux side to route a whole network down the "tun" interface, and that network must be different from the eth0 network, otherwise funny things will happen
10:51 < pcard> so I would set ifconfig-pool 192.168.0.150 192.168.0.199  and then server 192.168.0.200 ?
10:52 < cron2> what's so hard about "don't even go there"?
10:52 < pcard> and route 192.168.0.0 255.255.0.0 ?
10:52 < pcard> what would I put as the second param to server?
10:52 < cron2> if you specifically want to use just part of the network for the pool, then you cannot use "server"
10:53 < cron2> server is for "this is the network, use the first 4 IPs for the server-tun and all the rest for the pool"
10:53 < cron2> to get startet: pick an *unused* subnet, like "192.168.49.0", and set up "server 192.168.49.0 255.255.255.0".  Don't use addresses that you have on eth0 or anywhere else.
10:54 < pcard> oh
10:54 < pcard> and then use route (and/or push "route ..." ???) to expose the whole 192.168.0.0/255.255.0.0 network ?
10:55 < cron2> use "route" to tell the linux side "this network is under openvpn control"
10:55 < cron2> use "push route..." to tell the *clients* "this network is reached via openvpn"
10:55 < cron2> what numbers you need to put there depends on which networks you have chosen
10:55 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
10:56 < pcard> ok the whole network is 192.168.0.0/255.255.0.0, so in server.conf I'd have route 192.168.4.0 255.255.255.0 and push "route 192.168.0.0 255.255.0.0" ?
10:56 < pcard> do I need to put a gw entry in any of those?
10:57 < cron2> that sounds like a good plan, yes.  No gw entry is needed, it will default to "the other side"
10:58 < cron2> (with gw entry, you can play more interesting tricks)
10:59 < pcard> and server 192.168.4.0 255.255.255.0 ? or 255.255.0.0 ?
11:00 < cron2> 255.255.255.0 - otherwise you'll claim the whole 255.255.0.0 for OpenVPN
11:00 < pcard> ah
11:02 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:05 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has joined ##openvpn
11:05 < pcard> and do I understand correctly that I only need to push "route 192.168.0.0 255.255.0.0" to the client, I don't need to set it on the server side too?
11:05 < cron2> yes
11:05 < pcard> ok thank you very much, going to test now
11:06 < cron2> the server will send everything it doesn't know via the tun to the linux side of things
11:06 < cron2> and then the kernel routing will take over
11:06 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 255 seconds]
11:07 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
11:25 <@dazo> !factoid
11:25 < vpnHelper> dazo: Error: "factoid" is not a valid command.
11:25 <@dazo> !factoids
11:25 < vpnHelper> dazo: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
11:25 <@dazo> !confgen
11:25 < vpnHelper> dazo: "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/
11:25 <@dazo> pcard: ^^
11:25 <@dazo> (might be an option, if you have a bash shell handy)
11:28 < pcard> thanks
11:29 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
11:30 < pcard> ok I have my client connected but I can't ping anything. I can ping 192.168.4.1 just fine but I can't ping anything else it seems. The pushed routes are showing up in netstat -rn
11:31 < pcard> or rather I can ping the server's eth0 ip but I cna't ping anything else that lan
11:31 < pcard> what could I be missing
11:31 -!- dazo is now known as dazo_afk
11:34 < pcard> in the client's routing table I see 192.168.0.0 255.255.0.0 192.168.4.5  (why 4.5 ? the server's end point for tun0 is 192.168.4.1, or am I not understanding something????)
11:38 < pcard> ?
11:47 < pcard> anyone?
11:48 < pcard> it seem it's almsot there, just can't ping the rest of the lan
11:48 < pcard> and rest of the lan can't ping 192.168.4.6 (client's ip), only server box can
11:48 < pcard> why is this?
11:48 < ecrist> pcard: 
11:48 < ecrist> !/30
11:48 < vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
11:49 -!- openbsdnoob [~openbsdno@88.79.221.61] has quit [Ping timeout: 255 seconds]
11:49 < pcard> I get that much, but I have the route, so why can't I ping anything?
11:50 < ecrist> those IPs aren't 'really' in use
11:50 < ecrist> you should be able to ping the .1 address
11:50 < pcard> yes
11:50 < ecrist> then you're fine
11:50 < pcard> I can ping 192.168.4.1 from client just fine
11:51 < pcard> but I need to be able to get to anything on the remote network
11:51 < pcard> I thought that's the whole point of usign a vpn
11:51 < pcard> " <C-3PO> I'm so confused "
11:52 < ecrist> ping the .6 address
11:52 < pcard> yes I can ping .6 and .1 just fine
11:52 < ecrist> as far as 'rest of lan' you need to enable kernel ip forwarding
11:52 < pcard> I do have ip forwarding enabled
11:53 < ecrist> then it should work
11:53 < ecrist> unless you have a firewall blocking things
11:53 < pcard> nope
11:53 < ecrist> the .6 address needs to know how to route back to the lan, as well
11:53 < ecrist> otherwise, it cannot send the packets back
11:53 < pcard> filter table is empty
11:54 < pcard> is it better to use topology subnet?
11:55 < ecrist> maybe, if you need all the ips
11:55 < ecrist> your routing problem doesn't go away
11:55 < pcard> is that supported on os-x based clients?
11:56 < ecrist> afaik, yes, provided they have 2.1+
11:56 < pcard> yes
11:57 < pcard> client is running 2.1_rc22
11:59 < pcard> ok in server.conf I set topology to subnet, now it says server 192.168.4.0 255.255.0.0 "--server directive network/netmask combination is invalid"
11:59 < pcard> why is that invalid? I still want to use the 192.168.4.1-254 pool
12:01 -!- openbsdnoob [~openbsdno@f052204093.adsl.alicedsl.de] has joined ##openvpn
12:05 -!- fleish [~fleish@c-24-130-114-23.hsd1.ca.comcast.net] has joined ##openvpn
12:06 < cpm> pcard, 192.168.4.0 255.255.0.0 is 192.168/16. NOT 192.168.4/24
12:10 < fleish> I'm having a very weird problem. I'm on a new 27" imac and migrated everything over from an old 24" imac - including my openvpn files. I've always had 1 server & 1 client running on the imac. Post move - they both still work fine. However, when I go to start up a second client for a new location I have - it connects and then immediately my machine freaks out - meaning I can't open any new terminals & attempts to do simple things like s
12:10 < fleish> from the imac to another system result in weird errors like cannot open /dev/null. GUI apps continue to work. The new openvpn connection also seems to disconnect shortly thereafter. I've tried upgrading my openvpn client from 2.0.9 to 2.1.3 w/no luck. Setting up the client on my Macbook pro (running the same versions of OSX & OVPN) don't show any such problems. There I get a connection that doesn't drop & no "terminal weirdness"
12:10 < fleish> curious if anyone else has seen something like this or has any ideas in general
12:16 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
12:22 < pcard> ok topology subnet, ifconfig 192.168.4.1 255.255.0.0, ifconfig-pool 192.168.4.2 192.168.4.254 255.255.0.0, push "route-gateway 192.168.0.4"
12:22 < pcard> when I try to ping from server, ping 192.168.4.2, I get From 192.168.0.4 icmp_seq=1 Destination Host Unreachable [... ad nausem]
12:23 < pcard> or should I be using ifconfig 192.168.0.4 255.255.0.0, or do I need push "route 192.168.0.0 255.255.0.0" still?
12:25 -!- openbsdnoob_ [~openbsdno@88.79.221.61] has joined ##openvpn
12:27 -!- Gomex [~rafael.go@fedora/Gomex] has joined ##openvpn
12:27 < Gomex> hi
12:28 < Gomex> I put this configuration "push "route 10.10.2.0 255.255.255.0" " in my openvpn
12:28 < Gomex> but when the client start the VPN don't get that route
12:29 < Gomex> I already read http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
12:29 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
12:29 < Gomex> but don't solve my problem
12:30 < pcard> what am I doing wrong?
12:30 -!- openbsdnoob_ [~openbsdno@88.79.221.61] has quit [Ping timeout: 276 seconds]
12:32 < Gomex> Is there a tip to config that?
12:32 < Gomex> The cliente is windows 7
12:32 < Gomex> client*
12:35 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Read error: Operation timed out]
12:35 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
12:37 < kisom> Gomex: are your clients pulling?
12:40 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
12:41 < Gomex> kisom, yes
12:41 < Gomex> I got this error: "ROUTE: route addition failed using CreateIpForwardEntry"
12:41 < Gomex> kisom, I put verb 11 to see this
12:44 < pcard> can anyone please help me
12:45 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
12:49 < kisom> Gomex: does your client have windows installed in any other location than C:\windows\?
12:50 < Bushmills> !winroute
12:50 < vpnHelper> Bushmills: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
12:51 < Bushmills> Gomex: ^^^
12:52 < Gomex> Bushmills, this options "route-delay" and "route-method" should I put in client conf or server?
12:52 < Gomex> Bushmills, client!
12:52 < Bushmills> client, if there's only one
12:52 < Gomex> Bushmills, works here
12:52 -!- fleish [~fleish@c-24-130-114-23.hsd1.ca.comcast.net] has left ##openvpn []
12:53 < Gomex> Bushmills, if there is more than one?
12:53 < Bushmills> let server push those to client
12:57 -!- hobodave [~hobodave@pdpc/supporter/professional/hobodave] has joined ##openvpn
12:57 < hobodave> hey guys
12:57 < hobodave> !welcome
12:57 < vpnHelper> hobodave: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:57 < pcard> can someone please tell me what I'm doing wrong here??? http://www.pastebin.ca/1930658
12:58 < hobodave> !goal
12:58 < vpnHelper> hobodave: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:59 < pcard> I noticed on the client end, ifconfig shows the local end point to be 192.168.4.1 (ok), and the remote end to be 255.255.0.0 (wtf??) with mask of 255.255.255.255 (errr...)
12:59 < pcard> hobodave: I have network 192.168.0.0/16, want to use 192.168.4.1-254 for pool
12:59 < pcard> so 192.168.4.1/255.255.0.0 should be first from pool
13:00 < hobodave> pcard: I'm not helping you, just reading
13:00 < pcard> I'm not sure why the client is getting 255.255.0.0 as the remote end point ip
13:00 < pcard> can anyone please tell me what I'm doing wrong? http://www.pastebin.ca/1930658
13:03 < pcard> I have ifconfig 192.168.0.4 255.255.0.0 which is why it might be using the 255.255.0.0 as an end point, which is bizarre, since the man page says if topology is subnet, then it's treated as a mask, not en end point ip
13:06 < pcard> anyone?
13:15 -!- straterra [~straterra@fuhell.com] has left ##openvpn []
13:24 -!- openbsdnoob_ [~openbsdno@g225109231.adsl.alicedsl.de] has joined ##openvpn
13:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:26 -!- openbsdnoob [~openbsdno@f052204093.adsl.alicedsl.de] has quit [Ping timeout: 265 seconds]
13:26 -!- openbsdnoob_ is now known as openbsdnoob
13:35 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined ##openvpn
13:35 -!- Ghent [~ghent@unaffiliated/ghent] has joined ##openvpn
13:36 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Client Quit]
13:36 < Ghent> Can openvpn connect to multiple vpns at once?  I'd like to run an openvpn server on my vps but also have it connect as a client to another openvon
13:37 < Bushmills> you can start multiple instances of openvpn
13:38 < Ghent> ok
13:39 < Ghent> Thank you.
13:39 < Bushmills> pcard: if you want 192.168.4.x addresses for your vpn subnet - why do you use a /16 instead of a /24 netmask?
13:40 < hyper_ch> how many instances are needed to achieve world domination? :)
13:41 < pcard> Bushmills: ok right now I'm using just  topology subnet, server 192.168.4.0 255.255.255.0   in server.conf, and in the client ccd file, push "route 192.168.0.0 255.255.0.0"
13:42 < pcard> Bushmills: I can ping 192.168.0.4 (the eth0 ip on the server) from my client now, but I can't ping anything else on the lan for some reason
13:42 < pcard> likewise, I can ping 192.168.4.2 just fine from the server box, but not from any machine on the lan
13:42 < Bushmills> why would you be able to ping anything on the lan?
13:42 < pcard> the lan is 192.168.0.0/255.255.0.0 (16)
13:42 < pcard> Bushmills: I thought that was the entire point ?
13:42 < pcard> Bushmills: I need to be able to see the whole network
13:43 < pcard> the client in question doesn't support tap, which is what I wanted to use from the get go
13:43 < Bushmills> you can configure it - but you have to.  the entire point to start with is to have a secure tunnel
13:43 < Bushmills> !route
13:43 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:46 < ecrist> pcard: why not just use bridged mode, if you're trying to put everyone on the same lan?
13:48 < pcard> I already said, the client itself lacks tap support
13:48 < pcard> otherwise I would have used it no questions asked
13:52 < pcard> ecrist: in fact I already have a primary openvpn server (on port 1194) for tap bridging a remote lan with ours. I wanted to connected a couple clients too, but they don't have tap on their systems
13:52 < ecrist> part of your issue is the overlapping subnets, I think.
13:52 < ecrist> create a separate subnet for those routed vpn clients
13:54 < pcard> I already have
13:54 < ecrist> looks to me your separate subnet isn't
13:54 < ecrist> 192.168.4.0/24 is inside the 192.168.0.0/16 subnet
13:54 < pcard> the main lan is 192.168.0.0/16, in server.conf I have topology subnet, server 192.168.4.0 255.255.255.0
13:55 < pcard> ecrist: yeah, but why would that be a problem?
13:55 < pcard> the main lan needs to be /16
13:55 < ecrist> conflicting routes
13:55 < ecrist> lan machines aren't going to know to go through the vpn to get to those vpn clients
13:57 < pcard> should I add a static route on our main router for 192.168.4/16 to point to 192.168.0.4 or is there a better way?
13:59 < pcard> when I was using pptpd I could vpn into that and see the whole lan just fine and vice versa
13:59 -!- Ghent [~ghent@unaffiliated/ghent] has quit [Ping timeout: 255 seconds]
13:59 < hyper_ch> hello ecrist
14:00 -!- Ghent [~ghent@unaffiliated/ghent] has joined ##openvpn
14:01 < ecrist> pcard: I would put vpn users outside your current subnet
14:02 < pcard> that isn't really an option in this case though. I mean what subnet would you suggest when the main lan is 192.168.0.0.16
14:02 < krzee> err
14:02 < krzee> 10.8.0.x would be fine
14:02 < krzee> btw, only 4 octets in an ipv4 ip ;)
14:02 < ecrist> anything in !1918 outside your current lan
14:03 < pcard> and add a static route for 10.8.0.0/24 gw 192.168.0.4 on the router (192.168.0.4 is the vpn server box)
14:03 < ecrist> yep
14:04 < krzee> there is !serverlan and !clientlan
14:04 < krzee> if you need both, you want !route
14:04 -!- openbsdnoob_ [~openbsdno@88.79.221.61] has joined ##openvpn
14:04 < pcard> I'll try that, but one client, my iphone, usually gets an ip that starts with 10 (10.2. right now) when on 3G (cell network)
14:04 < krzee> i highly doubt your cell network uses 10/8
14:05 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
14:05 < pcard> krzee: it does within it's network, obviously not on the world-side though
14:05 < pcard> that's how at&t does it
14:06 < krzee> you are saying it uses /8 or just that it happens to start with 10.
14:06 < krzee> and btw, there is another subnet in 1918
14:06 < krzee> !1918
14:06 < vpnHelper> krzee: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
14:06 -!- Ghent [~ghent@unaffiliated/ghent] has quit [Ping timeout: 245 seconds]
14:07 < pcard> presently ifconfig on the iphone shows it's ip to be 10.2.36.132/32
14:08 -!- Ghent [~ghent@unaffiliated/ghent] has joined ##openvpn
14:08 < krzee> that means nothing...
14:08 -!- openbsdnoob_ [~openbsdno@88.79.221.61] has quit [Ping timeout: 240 seconds]
14:08 < pcard> meaning at&t on it's cell data network doesn't hand out public Internet ip's, it's more like being behind a router
14:09 < pcard> things like vpn work just fine though
14:15 < pcard> ok thanks all
14:18 < krzee> also be aware of this
14:18 < krzee> !iphone
14:18 < vpnHelper> krzee: "iphone" is (#1) http://github.com/jfx2006/OpenVPN_iphone/downloads for precompiled iphone binaries, or (#2) http://modmyi.com/cydia/package.php?id=15784 for the gui portion, or (#3) http://www.zdnet.com/blog/hardware/ubuntu-lucid-lynx-1004-can-read-your-iphones-secrets/8424 <-- be aware of that before putting your keys on an iphone
14:18 < krzee> #3
14:18 < krzee> personally, for me thats enough to where i dont VPN from my iphone
14:20 -!- jaminja_ [~jaminja@95.211.4.12] has joined ##openvpn
14:21 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Ping timeout: 265 seconds]
14:24 < Ghent> is there also a way to prevent the server from pushing me a default gateway as a client?  I don't want all my traffic going through the vpn?
14:25 < hyper_ch> Ghent: use ccd and don't set the def1 for that ccd client entry
14:25 < Ghent> I don't have control of the server
14:25 < Ghent> I'm only a client :)
14:25 < Ghent> but I think changing from 'client' to 'tls-client' would achieve what I want?
14:25 < hyper_ch> don't think you can prevent it
14:25  * Ghent is about to test
14:26 < hyper_ch> but you can change it again
14:26 < hyper_ch> but then, what do I know :) krzee is the openvpn god
14:28 < krzee> it can be done, but then configuring the vpn must be done 100% manually
14:28 < krzee> you would need to reject EVERYTHING being pushed, including ip and all
14:28 < krzee> then you would need to set all of those manually
14:29 < Ghent> ah okay.
14:29 < krzee> if they use the default topology of net30 then i am certain you must specify the right IP or your vpn would not work
14:29 < krzee> however...
14:30 < krzee> you could always allow them to overwrite your route, then overwrite it manually ;)
14:30 < krzee> (overwrite it back)
14:32 < Ghent> that gets painful and not worth the effort for what little I want their vpn for :P
14:33 < krzee> maybe, maybe not... seems pretty script-able
14:33 < krzee> then you could toss the script in an openvpn hook...
14:33 < krzee> hrm, never thought of that before...
14:34 < krzee> maybe ill write a script for that one day
14:36 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:37 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
14:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
14:44 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
14:47 -!- szr [~SR@unaffiliated/szr] has joined ##openvpn
14:55 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
14:56 -!- jaminja_ [~jaminja@95.211.4.12] has quit [Ping timeout: 258 seconds]
14:58 -!- openbsdnoob_ [~openbsdno@88.79.221.61] has joined ##openvpn
15:06 -!- nb [~nb@fedora/GSWoT.Member.nb] has quit [Read error: Operation timed out]
15:06 -!- dxtr [dxtr@unaffiliated/dxtr] has quit [Read error: Operation timed out]
15:06 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
15:07 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:07 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
15:08 -!- krzie [~k@unaffiliated/krzee] has joined ##openvpn
15:08 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 240 seconds]
15:09 -!- openbsdnoob_ [~openbsdno@88.79.221.61] has quit [Ping timeout: 252 seconds]
15:10 -!- nb [~nb@fedora/GSWoT.Member.nb] has joined ##openvpn
15:14 -!- dxtr [dxtr@unaffiliated/dxtr] has joined ##openvpn
15:22 < pcard> is there something that could be added to the ccd file for a client that could reduce the idle timeout for that particular client?
15:22 < pcard> seem right now it takes too long for it to timeout and be removed from the list in the status file
15:36 -!- openbsdnoob_ [~openbsdno@88.79.221.61] has joined ##openvpn
15:36 < krzie> pcard, im pretty sure keepalive is just a global setting
15:37 < pcard> well I can just change it in server.conf then. I want a good setting where clients wont disconnect too quickly, but what I don't want is it to take too long for them to finally timeout when they disconnect manually on their end
15:40 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
15:41 -!- jaminja_ [~jaminja@74.81.170.4] has joined ##openvpn
15:42 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Ping timeout: 245 seconds]
15:45 -!- openbsdnoob_ [~openbsdno@88.79.221.61] has quit [Ping timeout: 240 seconds]
15:46 -!- oracle [~o2@unaffiliated/spice] has joined ##openvpn
15:46 < oracle> should it be much easier to setup openvpn routing in linux than freebsd
15:47 < reiffert> oracle: no.
15:47 < pcard> actually yes
15:47 < oracle> how about a little bit easier
15:48 < oracle> !routing
15:48 < vpnHelper> oracle: Error: "routing" is not a valid command.
15:48 < oracle> !route
15:48 < vpnHelper> oracle: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:48 < pcard> in my experience freebsd can typically take a bit mroe work, especially if you don't have tun/tap support already
15:49 < reiffert> not having tun/tap support already makes routing more difficult eh?
15:49 < pcard> linux usually has tun support in kernel (either built into the kernel or as a module) so it's rather easy to get that part going
15:49 < oracle> let me try...
15:50 < oracle> one box with ip 10.0.0.3 connects to 10.0.0.2 and wants a way to access the internet from there. how's that done on freebsd
15:50 < pcard> if I had to make a recommendation between the two, I'd go Linux. It's overall more modern then most (non heavily customized) BSDs 
15:50 < pcard> but it IS certainally doable on bsd, how hard depends on what you're starting with
15:51 < oracle> i dont need clients to communicate behind a lan, i just need the server to act as a freakin gateway
15:51 < oracle> that guide tells you about lan communication
15:55 -!- jaminja_ is now known as jaminja
15:55 -!- jaminja [~jaminja@74.81.170.4] has quit [Changing host]
15:55 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
15:55 < krzie> i completely disagree pcard 
15:55 < krzie> in fact i could not possibly disagree more
15:56 < krzie> plus, his question is about openvpn routing, which is 100% the same
15:56 < krzie> the EXACT same config will work on linux and freebsd
15:56  * hyper_ch <3 linux more than bsd
15:57 < hyper_ch> bsd seems so... geeky *ggg*
15:57 < krzie> and i like freebsd more, but that wasnt his question
15:58 < krzie> his question was regarding the differences in openvpn routing, and there is NO difference
15:58 < krzie> so it is impossible to say 1 is easier to do openvpn routing with than the other, because it is the same
15:58 < hyper_ch> krzie: I didn't see that...
15:59 < krzie> (i was more targeting pcard with my rant ;) )
15:59 < hyper_ch> I know
15:59 < krzie> oracle, you dont want routing, you want to redirect gateway
15:59 < hyper_ch> btw, I finished my confgen tool... I even gave it intelligence
15:59 < hyper_ch> and I call it krzie :)
16:00 < krzie> as i now see...
16:00 < krzie> its still no easier or harder, unless you find one of the firewalls easier to use
16:00 < krzie> because:
16:00 < krzie> !redirect
16:00 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
16:01 < krzie> hyper_ch, lol... i am your new confgen? :-p
16:01 < hyper_ch> krzie: yes.. isn't that a genious idea?
16:02 < krzie> haha
16:02 < hyper_ch> I mean you're online like 24/7
16:02 < hyper_ch> you have an interactive and problem-sovling mode
16:03 -!- Gomex [~rafael.go@fedora/Gomex] has quit [Quit: Saindo]
16:04 < krzie> ;]
16:04 -!- benspaulding [~benspauld@169.69.124.24.cm.sunflower.com] has joined ##openvpn
16:05 < krzie> im getting my sqlninjary on
16:05 < hyper_ch> krzie: so, when is Cali calling?
16:05 < krzie> i just got back from cali
16:05 < krzie> jpalmer, hey bud you around?
16:05 < hyper_ch> oh... great... you survived cali :)
16:05 < hyper_ch> hope you had a good time
16:05 < jpalmer> krzie: yea,  whats up?
16:06 < krzie> ya man, i think ill be high for a few more weeks based on how much i smoked out there
16:06 < krzie> jpalmer, you wanted me to look at some stuff before but i was somewhat flakey during vacation
16:06 < krzie> if you still want, im at work now so im not going anywhere ;)
16:07 < jpalmer> krzie: I think I have most of it figured out.  but if you want to discuss the two diagrams I sent,  I can share a google doc with you of my plan.  you can look it over and tell me if it's decent, or if you'd change anything?
16:07 < krzie> the laptop you sent them to has died
16:07 < krzie> that was its last day of life =[
16:07 < jpalmer> ahh.  well,  I can probably resend
16:08 < krzie> luckily it died RIGHT after i got my new one =]]
16:09 < hyper_ch> did it get a proper burial?
16:09 < krzie> not yet, need to rape some hardware from its corpse
16:09 < jpalmer> krzie: I forwarded the diagrams again.   do you want to /msg me your google docs account, so I can share the doc?
16:09 < hyper_ch> don't you have any morals?
16:10 < krzie> i dont use google services
16:10 < krzie> im not on board with their databasing of my life ;]
16:10 < hyper_ch> krzie: whom would you the prefer databasing your life if not google?
16:10 < jpalmer> yeah yeah yeah.  *everyone* databases your life.  google just tells you about it :P
16:10 < hyper_ch> s/the/then
16:10 < krzie> hyper_ch, nobody =]
16:11 < jpalmer> krzie: I guess I can send the doc to you via email.  word ok?
16:11 < hyper_ch> wait... you ask for... privacy?
16:11 < KipMacy> email is not secure
16:11 < krzie> jpalmer, word is good
16:11 < hyper_ch> don't you know that sharing is caring?
16:11 < KipMacy> when will non topology subnet be banned
16:12 < hyper_ch> KipMacy: the email can be encrypted :)
16:12 < jpalmer> KipMacy: hopefully never.  many of us use it.
16:12 < krzie> KipMacy, re: topology, the other topologies have uses
16:12 -!- openbsdnoob [~openbsdno@g225109231.adsl.alicedsl.de] has quit [Quit: openbsdnoob]
16:12 < krzie> i would not mind seeing topology subnet become the default at some point tho
16:13 < hyper_ch> what's a topology subnet
16:13 < krzie> !topology
16:13 < vpnHelper> krzie: "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
16:13 < krzie> !/30
16:13 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
16:13 < jpalmer> oh, I misread.   you said "non"  and I missed that one little piece.  hehe
16:13 < KipMacy> what use is not running topology subnet ?
16:13 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
16:13  * jpalmer uses topology subnet
16:13 < KipMacy> maybe im fooling myself but it seems like everything runs faster and smoother and with less drop offs, now that i use topology subnet
16:14 < krzie> KipMacy, i would think topology subnet would allow users to change their IPs and still have access
16:14 < krzie> topology net30 that is impossible
16:14 < krzie> topology ptp is needed for ptp style connections ;)
16:15 < pcard> jpalmer: yeah I got topology subnet working too for non tap clients today too :)
16:15 < krzie> KipMacy, dont get me wrong, i like topology subnet and i use that as well
16:18 < jpalmer> krzie: sent
16:18 < jpalmer> krzie: look it over for a few minutes..  then I'll describe the entire thing.  it's not a typical client/server or site-site VPN architecture.
16:19 < jpalmer> krzie: and we'll discuss in /msg ;)
16:21 < krzie> sounds good
16:21 < jpalmer> let me know when you've read it over.  I'm semi-afk right now bringing up a freeswitch server
16:23 < krzie> right on
16:23 < krzie> those guys have been doing some MAJOR work
16:23 < krzie> i love the FS team
16:25 < jpalmer> yeah.   and I work with one of the sharpest minds in voip.
16:25 < jpalmer> he speaks almost every year at cluecon (the big FS conference)
16:26 < reiffert> anyone using roundcubemail in here?
16:30 < krzie> reiffert, nope
16:30 < krzie> jpalmer, oh cool, who is it?
16:31 -!- Alocado [~matthias@2001:6f8:10e8:0:225:d3ff:fe1a:a837] has quit [Quit: Ex-Chat]
16:35 -!- |Mike| [mike@2001:1af8:2:444::2] has quit [Read error: Connection reset by peer]
16:36 -!- |Mike| [mike@2001:1af8:2:444::2] has joined ##openvpn
16:40 < ecrist> krzie/jpalmer: OT, either of you use Snom phones with BLF on FS?
16:45 < jpalmer> ecrist: not on FS,  on asterisk though.  whats up?
16:46 < jpalmer> (keeping in mind, my FS knowledge is kinda limited at this point)
16:46 < ecrist> trying to get BLF working, seems the phone sends subscribe, phone works fine for about 1 minutes, then ignores NOTIFY messages after that
16:47 -!- manevra [manevra@212.78.230.229] has joined ##openvpn
16:47 < manevra> question: I want to send emails from my local smtp server through vpn. does any application need to be installed on the vpn server or it should only have port 25 open?
16:49 < jpalmer> ecrist: ahh.  I had a similar issue on asterisk.  I don't recall how I solved it.  I'd suggest research how to fix it in asterisk (as there is more docs for that solution)  then apply those principles to your FS install
16:50 < jpalmer> manevra: you'll need t configure your openvpn server to accept relayed mail from the clients..  then on the clients, you'll need to set those mailserver to smarthost through it (each mailserver software calls smarthost something different)
16:50 < ecrist> I will try my google-foo
16:50 < manevra> jpalmer, thanks
16:50 < jpalmer> ecrist: sorry I can't be more help.   I did my last snom install like 3-4 years ago
16:51 < ecrist> we're looking to possibly switch to snom, specifically for the BLF, from Polycom
16:51 < krzie> ecrist, i use cudatel, so im not too strong under the hood
16:51 < ecrist> you gave me the suggestion to look to asterisk, which is something I didn't even consider earlier.
16:52 < krzie> its freeswitch, but it 'just works'
16:52 < ecrist> krzie: we do too much custom stuff under the hood with fs to use a boxed solution
16:52 < krzie> this is true
16:52 < krzie> just your fax stuff that i know of demands that
16:52 < ecrist> 30,000 + faxes per week is more than enough demand to rule out most appliances
16:53 < krzie> especially with the badass barcode scanning you do on the faxes
16:53 < krzie> i love that part =]
16:54 < ecrist> yeah, now that it's all moving 'real' data, the boss STILL is tickled with the magic of a client submitting a claim, printing a barcode, attaching to a fax, and having it show up on the website immediately upon faxing it in
16:54 < ecrist> and THEN having us forward that fax based on data in the claim, AFTER the payer has acknowledged receipt of the claim (so we're sure they get both pieces of data in a timely manner)
16:54 -!- Four2zero [~nnscript@cpe-76-94-31-248.socal.res.rr.com] has joined ##openvpn
16:55 < ecrist> are you the *real* Four2zero?
16:55 < Four2zero> Yes.
16:55 < jpalmer> ecrist: insurance?  or other?
16:55 < ecrist> jpalmer: health insurance
16:55 < Four2zero> not "Fourzerotwo"
16:56 < ecrist> blast, I always transpose those two.
16:56 < krzie> ecrist, i bet your customers are amazed with that as well
16:56 < ecrist> krzie: what's funny, most of them don't want the service, until we go demo it for them.
16:57 < ecrist> 'you mean we can track the attachment WITH the claim???'
16:57 < krzie> hah
16:57 < krzie> ahh, they dont understand what it actually does until they see it
16:57 < ecrist> yeah
16:57 < Four2zero> i have openvpn gui running on xp-machine and the client running on win7, now when i access the vpn, i get this message: Unable to obtain Session ID from 192.168.10.1:443: XML-RPC: ConnectError: 10013: An attempt was made to access a socket in a way forbidden by its access permissions
16:57 < ecrist> we already do all their claim submission, they handle the attachments themselves.  until they know we can do it, and how we do it
16:57 < jpalmer> ecrist: ahh.  the company I work for is in the healthcare field as well.
16:58 < ecrist> yeah, one of our former admins worked for the same company.
16:58 < jpalmer> ecrist: the barcodes,  are you using the nokia style block barcodes (I forget the name)  or standard barcodes?
16:58 < ecrist> we're using datamatrix
16:58 < ecrist> vanilla dmtx
16:58 < jpalmer> wait,  one of your former admins worked for my company?
17:00 < ecrist> yeah, either the one you work for now, or one you recently worked for.
17:00 < ecrist> we've talked about this.
17:00 < jpalmer> refresh my memory!  /msg me
17:00 < jpalmer> <-- mind like swiss cheese
17:01 < jpalmer> ok, now I remember the conversation,  and yup
17:02 < ecrist> small world
17:02 < ecrist> the guy who wrote/develops the dmtx library we use is actually from the twin cities, too.
17:02 < jpalmer> ecrist: the company I work for now, is also in healthcare.. in a very different capacity.  we write a communications app for smartphones,  used in hospitals.
17:03 < ecrist> HIPAA compliant jabber apps?
17:03 < ecrist> :)
17:03 < jpalmer> in fact,  th freeswitch servers I bring up,  are trunked tot he hospitals PBX to enable hospital PBX <-> iphone (SIP) comms
17:03 < ecrist> neat.
17:04 < ecrist> FS is really easy to bring up in a vanilla capacity, where all you're using is SIP and you don't need custom IVR and such.
17:05 < ecrist> it gets much more involved when TDM hardware and integrating other phone systems is required.
17:05 < Four2zero> i have openvpn gui running on xp-machine and the client running on win7, now when i access the vpn, i get this message: Unable to obtain Session ID from 192.168.10.1:443: XML-RPC: ConnectError: 10013: An attempt was made to access a socket in a way forbidden by its access permissions
17:05 < jpalmer> well,  we do IVR in some cases.
17:06 < jpalmer> we don't do any TDM currently.   in all cases, we're either native SIP to the PBX..  or we're SIP to a media gateway that does PRI to the PBX
17:06 < krzie> oh btw i have a T1 card for sale which works for freeswitch
17:06 < jpalmer> I've done TDM on asterisk.
17:06 < ecrist> is it a good one, krzie?
17:06 < krzie> its whatever comes with cudatel
17:06 < ecrist> *shrug*
17:06 < krzie> i thought we needed it but turns out we got a sip trunk from our local provider
17:07 < krzie> in fact i have 2 of them
17:07 < ecrist> we're using OpenVox DE210E cards, which are clones of Digium T210P or some such
17:07 < krzie> i can open one of the boxen and see what it is one of these days if you like
17:07 < jpalmer> I was never real impressed with the digium gear.  sangoma was my preference
17:07 < ecrist> nah, we have all we need, now.
17:07 < krzie> ahh werd
17:07 < ecrist> sangoma isn't supported on bsd anymore
17:07 < Four2zero> wow, not one reply about this error !
17:07 < jpalmer> especially..  back when libsangoma was native to FreeBSD
17:08 < jpalmer> ecrist: gmta
17:08 < ecrist> Four2zero: sounds like a firewall issue
17:08 < ecrist> gmta?
17:08 < krzie> i have never heard of that error 420
17:08 < Four2zero> firewall is disabled on the xp machine
17:08 < ecrist> are you running as root?
17:08 < ecrist> s/root/Administrator/
17:08 < krzie> 443... 
17:08 < krzie> sounds like access server
17:09 < krzie> which would explain why none of us are familiar with that error ;)
17:09 < ecrist> XML-RPC...
17:09 < krzie> right, that too
17:09 < ecrist> Four2zero: are you using access server?
17:10  * ecrist kicks proftpd
17:10 < Four2zero> no, just openvpn-gui and i do have admin rights on xp-machine.
17:10 < jpalmer> ecrist: gmta = great minds think alike (referring to the sangoma's not being BSD anymore)
17:10 < krzie> Four2zero, you downloaded it HERE:?
17:10 < krzie> !download
17:10 < vpnHelper> krzie: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
17:10 < krzie> or from the link on the front of www.openvpn.net ?
17:11 < ecrist> jpalmer: ah, gotcha.  we're 100% freebsd at $work.
17:11 < Four2zero> Yes.
17:11 < ecrist> I'm split 50/50 Mac/FreeBSD at home.
17:11 < krzie> because it is confusing, but the link on the front of openvpn.net is access server
17:11 < krzie> you MUST get from www.openvpn.net/download in order to not be using access server (assuming you download from the web)
17:11 < krzie> the "openvpn client" is access server
17:12 < Four2zero> I have downloaded the openvpn client for my win7 machine
17:12 < Four2zero> from openvpn.com
17:13 -!- madsage [044fb821@gateway/web/freenode/ip.4.79.184.33] has joined ##openvpn
17:13 < madsage> hello
17:13 < Four2zero> on xp-machine the server the openvpn-gui is running " Initialization Sequence Completed "
17:14 < krzie> Four2zero, exactly
17:14 < krzie> "openvpn client" is only for access server
17:14 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has left ##openvpn []
17:14 < krzie> you need the windows file from here:
17:14 < krzie> www.openvpn.net/download
17:14 < krzie> in the open source version there is no difference between server and client
17:14 < jpalmer> ecrist: I'm Mac, windows, centos, freebsd.  and you know from other channels which I prefer in my spare time.
17:15 < ecrist> right
17:15 < krzie> not just from other channels... i know which you prefer from here =]
17:15 < madsage> trying to revoke a cert and getting errors about invalid revocation date in openssl.cnf  tried to google this, no luck  :\
17:15 < jpalmer> krzie: true enough  lol
17:15 < madsage> any ideas?
17:15  * ecrist goes to get the children
17:16 < Four2zero> I haev OpenVPN 2.1.3 Windows Installer running on the xp-machine
17:16 < Four2zero> already !
17:16 < jpalmer> krzie: heading home.  back in about an hour.  let me know when you're done reviewing that info.
17:19 < madsage> anybody have a clue about whats going on with my openssl and cert that it would complain about revocation dates?  I'm trying to revoke a cert using "revoke-full  common-name"
17:21 < Four2zero> right now, i have OpenVPN Server on the xp-machine but when i try to connect to it via win7 client it will not connect, i get this error: Unable to obtain Session ID from 192.168.10.1:443: XML-RPC: ConnectError: 10013: An attempt was made to access a socket in a way forbidden by its access permissions..
17:26 < krzie> jpalmer, you got it =]
17:27 < Four2zero> http://pastebin.ca/1930813
17:28 < krzie> Four2zero, you have "openvpn client" on the win7 machine
17:28 < krzie> and thats the problem!~
17:28 < reiffert> ovpn on win7 works great for me btw.
17:29 < Four2zero> oh...am not suppose to have openvpn on win7
17:29 < krzie> reiffert, openvpn client is access server
17:29 < krzie> he needs the open source openvpn on his win7
17:29 < reiffert> krzie: uhhh, commercial stuff.
17:29 < krzie> this has been confusing SOOOO many people
17:29 < krzie> on the mail list, forum, and here
17:30 < Four2zero> it is confusing....i agree !
17:30 < Four2zero> :)
17:30 < krzie> Four2zero, i totally dont blame you
17:30 < reiffert> 7topic AS-Server support: there, open source openvpn here....
17:30 < Four2zero> k, so i need to uninstall the openvpn client on win7
17:30 < Four2zero> correct
17:30 < reiffert> I'm sooo tired.
17:30 < reiffert> n8
17:30 < krzie> correct, and install the same openvpn you have on xp machine on your win7 machine =]
17:30 < krzie> 2.1.3
17:31 < Four2zero> okay.
17:31 < krzie> http://www.openvpn.net/release/openvpn-2.1.3-install.exe
17:34 < madsage> ok i fixed some of my issues. index.txt was bad
17:35 < madsage> is there way to revoke a cert from pem if the cert isnt present?
17:35 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has joined ##openvpn
17:35 < manevra> openvpn encrypts 100% the traffic by default or should it be set up manually  when configuring?
17:36 < madsage> like revoke a user if his cert was moved off the server?
17:37 < oracle> !ipforward
17:37 < vpnHelper> oracle: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
17:38 < oracle> !linipforward
17:38 < vpnHelper> oracle: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
17:38 < oracle> !fbsdipforward
17:38 < vpnHelper> oracle: "fbsdipforward" is is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
17:38 < oracle> is that it? 
17:38 < oracle> all packets are magically forwarded?
17:38 < oracle> !def1
17:38 < vpnHelper> oracle: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
17:39 < manevra> jpalmer, do you know if openvpn latest vers. encrypts 100% the internet traffic by default, or should it be set up when configuring the openvpn server ?
17:40 < Four2zero> Okay,i uninstalled the openvpn-client and now how do i access the xp-machine vpn ?
17:40 < krzie> !sample
17:40 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
17:40 < Four2zero> and installed the openvpn installer you provided onto win7
17:42 < krzie> Four2zero, you run it the same as you run the server, but with a different config
17:42 < Four2zero> so i now need to add my client config into the the client folder
17:42 < krzie> the only difference between a client and server is the config file =]
17:43 < Four2zero> okay.
17:43 < Four2zero> gotcha
17:43 < krzie> oracle, thats it for ip forwarding, but your server must also NAT packets from the openvpn subnet to the internet ip
17:43 < krzie> !fbsdnat
17:44 < vpnHelper> krzie: "fbsdnat" is see http://cavanantha.wordpress.com/2007/09/16/nat-on-freebsd-using-pf/ for a basic howto for NAT on FreeBSD
17:44 < krzie> !linnat
17:44 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
17:44 < oracle> krzie, crap
17:44 -!- RedT0mt0m [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has quit [Read error: Operation timed out]
17:44 < oracle> linux would make it much easier
17:47 -!- oracle_ [~o2@unaffiliated/spice] has joined ##openvpn
17:49 -!- oracle [~o2@unaffiliated/spice] has quit [Ping timeout: 240 seconds]
17:51 < madsage> hey, if i have duplicate CN in index.txt. when i revoke it seems to revoke the last entry and ignores the first. can the user still access vpn with the old cert?
17:52 < madsage> or does the last entry superceed
17:54 < madsage> hey, if i have duplicate CN in index.txt. when i revoke it seems to revoke the last entry and ignores the first. can the user still access vpn with the old cert? or does the last entry superceed.
17:54 < madsage> anybody please? tia
17:56 < krzie> madsage, why would you have 2 entries for the same CN
17:56 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
17:56 < krzie> i have no idea, that should have never even happened
17:56 < hobodave> Hey guys
17:58 < hobodave> My office network is 192.168.1.0/24, which I know is stupid. Is there a way to configure OpenVPN to use a different "virtual" subnet so that it doesn't conflict with home networks. I want to avoid changing the actual office network.
17:59 -!- RedT0mt0m [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has joined ##openvpn
17:59 < krzie> nope
17:59 < krzie> its possible to use the nat hack, but you really should just change the subnet
17:59 < hobodave> so I _have_ to renumber?
18:00 < krzie> you have a bunch of stuff on static ips or something?
18:00 < hobodave> yes
18:00 < hobodave> an entire active directory domain, crap that is beyond my comfort level to mess with
--- Log closed Wed Sep 01 18:03:00 2010
--- Log opened Thu Sep 02 07:13:17 2010
07:13 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
07:13 -!- Irssi: ##openvpn: Total of 119 nicks [2 ops, 0 halfops, 0 voices, 117 normal]
07:13 -!- Irssi: Join to ##openvpn was synced in 33 secs
07:15 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
07:28 < HackeMate> Cisien: This is the ifconfig debug http://pastebin.com/w5ZriX2h
07:28 < HackeMate> sorry if I can't help with the route output
07:28 < theDoc> HackeMate> netstat -nr to get the routing table.
07:28 -!- ScriptFanix [~vincent@cl-53.mrs-01.fr.sixxs.net] has quit [Read error: Connection reset by peer]
07:29 -!- ScriptFanix [~vincent@cl-53.mrs-01.fr.sixxs.net] has joined ##openvpn
07:30 < HackeMate> http://pastebin.com/Hnjh1pXJ
07:30 < theDoc> Not sure what I'm supposed to be looking at there, it's an empty paste.
07:30 -!- ScriptFanix [~vincent@cl-53.mrs-01.fr.sixxs.net] has quit [Read error: Connection reset by peer]
07:31 -!- ScriptFanix [~vincent@cl-53.mrs-01.fr.sixxs.net] has joined ##openvpn
07:31 < HackeMate> aw sorry
07:32 < HackeMate> http://pastebin.com/E1TSTXNu
07:32 -!- gorkhaan [~gorkhaan@adsl-101-61.globonet.hu] has joined ##openvpn
07:34 -!- ScriptFanix [~vincent@cl-53.mrs-01.fr.sixxs.net] has quit [Read error: Connection reset by peer]
07:35 -!- ScriptFanix [~vincent@cl-53.mrs-01.fr.sixxs.net] has joined ##openvpn
07:36 -!- ScriptFanix [~vincent@cl-53.mrs-01.fr.sixxs.net] has quit [Read error: Connection reset by peer]
07:37 -!- ScriptFanix [~vincent@cl-53.mrs-01.fr.sixxs.net] has joined ##openvpn
07:37 < Cisien> looks like the routes are there...
07:38 < Cisien> whats up with this line? 10.173.0.1         0:9:f:9:0:8        UHLWI           2        0     en1   1195
07:38 -!- ScriptFanix [~vincent@cl-53.mrs-01.fr.sixxs.net] has quit [Read error: Connection reset by peer]
07:39 < Cisien> what is 0:9:f:9:0:0?
07:39 < ecrist> looks like a mac address
07:39 < HackeMate> well, no idea, what suppose to be, a mac address?
07:39 < HackeMate> a strange one
07:39 -!- ScriptFanix [~vincent@cl-53.mrs-01.fr.sixxs.net] has joined ##openvpn
07:39 < theDoc> I don't think that's a mac.
07:40 < Cisien> well, 1) route is layer 3 and doesn't care about mac addresses, 2) it's not the right format for a mac
07:40 < ecrist> wow, 121 people in here
07:40 < HackeMate> could be a ipv6 
07:40 < Cisien> it's not v6 either
07:40 < HackeMate> so that could be the problem?
07:40 < Cisien> 2001:470:e883:0:8142:b92f:89fb:11c9 is v6
07:41 < Cisien> well, without knowing what the flags mean, i don't know
07:41 < HackeMate> seems a server configuration error?
07:41 < HackeMate> not my client
07:41 -!- ScriptFanix [~vincent@cl-53.mrs-01.fr.sixxs.net] has quit [Read error: Connection reset by peer]
07:42 < Cisien> unless the server's firewall is blocking you, it seems fine...
07:43 -!- ScriptFanix [~vincent@cl-53.mrs-01.fr.sixxs.net] has joined ##openvpn
07:45 < Cisien> ...or your firewall
07:49 < HackeMate> i checked it, its disabled 
07:50 < HackeMate> but i know there is a portrange blocked in wify connections
07:50 < HackeMate> so that could be a start point
07:50 < HackeMate> wifi*
08:29 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
08:37 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
08:37 -!- manevra [manevra@212.78.230.229] has quit [Ping timeout: 252 seconds]
08:44 -!- WinstonSmith [~true@e177089191.adsl.alicedsl.de] has quit [Ping timeout: 265 seconds]
08:47 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
08:48 -!- WinstonSmith [~true@e177089191.adsl.alicedsl.de] has joined ##openvpn
08:50 -!- jaminja_ [~jaminja@74.81.170.5] has joined ##openvpn
08:50 < krzie> https://forums.openvpn.net/viewtopic.php?f=6&t=7048
08:51 < vpnHelper> Title: OpenVPN Support Forum View topic - Connection dies after 4-7 minutes. Client (at forums.openvpn.net)
08:51 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Ping timeout: 240 seconds]
08:51 -!- Four2zero [Four2zero@cpe-76-94-31-248.socal.res.rr.com] has joined ##openvpn
08:51 < krzie> im out of ideas there
08:53 < hyper_ch> krzie: no way :)
08:53 < krzie> Four2zero, im here now
08:53 < hyper_ch> krzie: could the ISP intervene?
08:53 < krzie> lol hyper_ch, im not the oracle or anything... its just that most people have the same problem over and over
08:53 < krzie> hyper_ch, absolutely, it could be the isp
08:54 < krzie> hrm, it could also be a "stateful firewall"
08:54 < Four2zero> hey, good morning. can you take all look at my server.conf ?
08:54 < hyper_ch> stateful firewall sounds like a good thing
08:54 < krzie> i say "stateful" because udp doesnt actually have state
08:54 < hyper_ch> Four2zero: does really everybody has to look at it?
08:54 < krzie> so sometimes trying to keep state on udp screws up stuff
08:54 < krzie> Four2zero, 
08:54 < krzie> !configs
08:54 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
08:55 < hyper_ch> krzie: I have no clue for in that regard
08:56 < jpalmer> krzie: I'm around all day today (working from home)  so whenever you are ready to discuss,  yell at me
08:58 < krzie> now is best
08:59 -!- Diffen2 [~diffen2@81-234-228-6-no32.tbcn.telia.com] has quit [Quit: This computer has gone to sleep]
09:01 < Four2zero> http://pastebin.ca/1931133
09:02 -!- Diffen2 [~diffen2@81-234-228-6-no32.tbcn.telia.com] has joined ##openvpn
09:04 < vpnHelper> RSS Update - forum: Configuration :: Re: Connection dies after 4-7 minutes. Client :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7048&p=7716#p7716>
09:04 < hyper_ch> Your problem is your firewall, really.  --> :)
09:05 < theDoc> !tcp
09:05 < vpnHelper> theDoc: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
09:05  * theDoc has a beer.
09:06 < krzie> theDoc, =]
09:06 < krzie> theDoc, dont forget !vpn
09:06 < theDoc> !vpn
09:06 < vpnHelper> theDoc: "vpn" is http://openvpn.net/index.php/documentation/faq.html#tunnel-principal
09:06 < theDoc> krzie> Awesome, thanks!
09:06 < krzie> np
09:07 < krzie> awww, one of the rebuilds of the site lost it
09:07 < krzie> you want What is the principle behind OpenVPN tunnels?
09:07 < krzie> from that page
09:07 < theDoc> Yes, I have that.
09:07 < theDoc> ;)
09:07 < theDoc> Thanks for that snippet, krzie 
09:07 < krzie> !forget vpn
09:07 < vpnHelper> krzie: Error: You don't have the factoids.forget capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
09:08 < jpalmer> speaking of openvpn forums..   anyone here have administrative access to them?
09:08 < krzie> !forget vpn
09:08 < vpnHelper> krzie: Joo got it.
09:08 < krzie> jpalmer, yes
09:08 < krzie> !learn http://openvpn.net/index.php/open-source/faq/75-general/293-what-is-the-principle-behind-openvpn-tunnels.html  for a basic rundown of what a vpn is
09:08 < vpnHelper> krzie: (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
09:08 < jpalmer> krzie: every time I try to signup,  I get that my email address is invalid.
09:08 < krzie> !learn vpn as http://openvpn.net/index.php/open-source/faq/75-general/293-what-is-the-principle-behind-openvpn-tunnels.html  for a basic rundown of what a vpn is
09:08 < vpnHelper> krzie: Joo got it.
09:09 < krzie> jpalmer, =[ for that part you need mattock
09:09 < krzie> odd hes not on at the moment, he usually is
09:09 < krzie> see if you can signup for trac, its the same login/pass
09:09  * theDoc is virtualizing xen over virtualbox.
09:09 < theDoc> :o
09:09 < theDoc> A couple of xen images in virtual box running openvpn + quagga off a macbook
09:09 < jpalmer> krzie: just on a hunch,  i tried something else.  apparently,  if your email address has an uppercase letter,  it's invalid.
09:09 < theDoc> Let's hope it doesn't fry.
09:10 < Four2zero> where it stats "build-key-server server" do i change the server to "vpn-server" to justify the common name or leave as is ?
09:11 < krzie> Four2zero, 
09:11 < krzie> !pki
09:11 < vpnHelper> krzie: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert
09:11 < vpnHelper> krzie: was signed specially as a server (see !servercert)
09:11 < krzie> just follow that exactly
09:11 < Four2zero> Im there reading it now
09:11 < krzie> #1
09:11 < Four2zero> !servercert
09:11 < vpnHelper> Four2zero: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mitm
09:11 < krzie> i dont even use easy-rsa... and dont feel like reading the howto again, gunna be reading jpalmer's doc
09:12 < Four2zero> okay.jpalmer's doc on what ?
09:12 < krzie> he is planning to make his setup more awesome
09:13 < Four2zero> hmm.!
09:13 < jpalmer> Four2zero: I can't give out specific details for this particular setup.  BUT:   since HA/failover seems to a pretty common question,  I'm planning on documenting it generically as I implement, for others.
09:14 < krzie> nice jpalmer, very cool of ya
09:14 < jpalmer> then,  we'll have an !ha factoid!
09:14 < krzie> if you put it on our wiki we'll get i t on the official one (under openvpn.net) when its all ready and rockin
09:15 < krzie> that would be a great writeup
09:15 < jpalmer> Four2zero: krzie is essentially looking over my plan, to make sure it's solid,  or if he knows any better ways to acheieve some of these goals.
09:15 -!- krzie is now known as krzee
09:15 < jpalmer> krzee: sounds good.
09:18 < krzee> Four2zero, read this again
09:18 < krzee> !configs
09:18 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
09:19 < krzee> i will not dig through 1000 lines of comments for 10 lines of configuration
09:19 < Four2zero> hahah...alright.
09:20 < Four2zero> just making sure if I was configuring it properly.
09:24 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
09:29 < Four2zero> when starting up the openvpn server, im getting TAP-Win32 adapter 'Local' not found, i changed it to the "Local Area Connection 2" is this not correct to do so ?
09:30 < Four2zero> and i have disabled the windows firewall and 2nd party firewall as well.
09:30 -!- dazo is now known as dazo_afk
09:36 -!- dazo_afk is now known as dazo
09:37 -!- benedikt [~benedikt@earth.sudo.is] has joined ##openvpn
09:37 < benedikt> wasn't there an option in the client config to run a script when the connection is up?
09:38 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:48 < krzee> !rip
09:48 < vpnHelper> krzee: "rip" is http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting for a writeup on using RIP in openvpn
09:52 < krzee> !donate
09:52 < vpnHelper> krzee: "donate" is (#1) send monetary donations to openvpn@secure-computing.net via paypal. All money donated goes to staff toward development of the community wiki, forum, and this IRC channel., or (#2) Contributions to this address do *NOT* directly benefit OpenVPN Technologies, Inc., or (#3) http://www.secure-computing.net/wiki/index.php/OpenVPN/Donations for Contribution totals and benefactors
10:14 -!- theDoc [~Link@173.236.41.38] has quit [Quit: There's nothing to boo in boobies.]
10:17 -!- oc80z [oc80z@blea.ch] has quit [Ping timeout: 240 seconds]
10:17 < krzee> benedikt, yes, --up
10:17 < krzee> can run on client or server
10:18 -!- oc80z [oc80z@blea.ch] has joined ##openvpn
10:18 < Zathraz> Hi. when I run openvpn server it logs connections in /var/log/openvpn.log however I do not see a thing in /var/log/openvpn-status.log
10:18 < Zathraz> besides this: Win OpenVPN client says: connected. But no IP/interface is offered
10:19 < Zathraz> LInux client keeps on WWWWWW
10:19 < Zathraz> yet I see the attempt(?) in /var/log/openvpn.log
10:19 < Zathraz> not clear what goes wrong. Especially as it worked sometime correctly before iirc
10:20 < Zathraz> what should I be looking for in logs?
10:20 < Zathraz> could be that openvpn has had a minor versionupdate in the meantime
10:20 < Zathraz> I did get a: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
10:21 < Zathraz> I added a configline for that to the server, but nothing changes so it seems
10:23 -!- Diffen2 [~diffen2@81-234-228-6-no32.tbcn.telia.com] has quit [Ping timeout: 260 seconds]
10:25 -!- HackeMate [~HackeMate@75.Red-88-12-201.dynamicIP.rima-tde.net] has quit [Remote host closed the connection]
10:28 -!- Diffen2 [~diffen2@81-234-228-6-no32.tbcn.telia.com] has joined ##openvpn
10:29 < krzee> Zathraz, there are 2 options
10:29 < krzee> --log and --status
10:30 < krzee> [08:24]  <Zathraz> I did get a: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
10:30 < krzee> [08:24]  <Zathraz> I added a configline for that to the server, but nothing changes so it seems
10:30 < jpalmer> oh this quagga stuff looks like it's going to be FUN.  heh
10:30 < krzee> a server can not verify itself, the config option goes in clients
10:30 < krzee> jpalmer, thedoc is playing with it right now, and !rip breaks it down with a script and whatnot as well
10:31 < jpalmer> yeah,  I'm reading the !rip guide now.
10:31 < jpalmer> thanks again, btw.
10:31 < krzee> np man
10:32 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
10:32 -!- gorkhaan [~gorkhaan@adsl-101-61.globonet.hu] has quit [Ping timeout: 260 seconds]
10:33 -!- ScriptFanix [~vincent@cl-53.mrs-01.fr.sixxs.net] has quit [Quit: WeeChat 0.3.2]
10:35 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
10:35 < Zathraz> krzee, ty. But isn't this mitm not an optional thing?
10:36 -!- jaminja_ [~jaminja@74.81.170.5] has quit [Ping timeout: 240 seconds]
10:38 -!- buswellj [~buswellj@cpe-184-57-74-160.columbus.res.rr.com] has quit [Quit: Leaving]
10:44 -!- gorkhaan [~gorkhaan@adsl-101-70.globonet.hu] has joined ##openvpn
10:48 < krzee> Zathraz, it is optional... hell even encryption is optional
10:48 < krzee> one could optionally use cipher none to have no encryption ;)
10:48 < krzee> but i recommend keeping encryption, and protecting against mitm
10:48 < krzee> take that for what it is worth to you =]
10:50 -!- eN_Joy [~eN_Joy@jindan.chem.ou.edu] has quit [Quit: leaving]
10:52 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
10:52 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has left ##openvpn []
10:54 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has left ##openvpn []
10:56 < Zathraz> currently I have the safest VPN possible: it's inaccessible :-(
10:58 < Zathraz> something for tomorrow
11:02 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
11:02 < ecrist> lol
11:02 -!- LowKey [rhel@unaffiliated/lowkey] has joined ##openvpn
11:14 < benedikt> krzee: thanks
11:15 -!- dazo is now known as dazo_afk
11:15 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has joined ##openvpn
11:17 -!- JackCorleone [~root@187.10.70.18] has joined ##openvpn
11:19 -!- Four2zero_ [~nnscript@cpe-76-94-31-248.socal.res.rr.com] has joined ##openvpn
11:20 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
11:22 -!- Four2zero [Four2zero@cpe-76-94-31-248.socal.res.rr.com] has quit [Ping timeout: 258 seconds]
11:24 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
11:25 -!- gorkhaan [~gorkhaan@adsl-101-70.globonet.hu] has quit [Remote host closed the connection]
11:26 -!- macsppadic [~sonupunno@88.211.55.77] has left ##openvpn []
11:27 -!- gorkhaan [~gorkhaan@adsl-101-61.globonet.hu] has joined ##openvpn
11:29 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
11:30 -!- gorkhaan [~gorkhaan@adsl-101-61.globonet.hu] has quit [Remote host closed the connection]
11:42 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
11:43 -!- le0 [~fin@unaffiliated/le0] has quit [Client Quit]
12:04 < havoc> hmm, I should upgrade ovpn on this win7 machine now that new version is fixed
12:18 < krzee> yes
12:22 -!- gorkhaan [~gorkhaan@adsl-101-61.globonet.hu] has joined ##openvpn
12:36 -!- hobodave [~hobodave@pdpc/supporter/professional/hobodave] has joined ##openvpn
12:37 -!- hobodave [~hobodave@pdpc/supporter/professional/hobodave] has left ##openvpn []
12:44 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Connection reset by peer]
12:44 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
12:47 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Connection reset by peer]
12:47 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
12:47 < krzee> benedikt, np
12:49 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
12:49 -!- mode/##openvpn [+o mattock] by ChanServ
12:50 -!- Four2zero_ [~nnscript@cpe-76-94-31-248.socal.res.rr.com] has quit [Read error: Connection reset by peer]
12:50 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
12:54 -!- th1 [~th@cpc1-cmbg15-2-0-cust361.cmbg.cable.virginmedia.com] has quit [Changing host]
12:54 -!- th1 [~th@pdpc/supporter/professional/th1] has joined ##openvpn
12:58 -!- Four2zero [~nnscript@cpe-76-94-31-248.socal.res.rr.com] has joined ##openvpn
13:04 -!- dazo_afk is now known as dazo
13:07 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
13:08 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
13:08 < vpnHelper> RSS Update - forum: Server Administration :: Help routing two networks :: Author mmerlone <https://forums.openvpn.net/viewtopic.php?f=4&t=7059&p=7712#p7712> || Server Administration :: strange 2.1.3 routing table at WinXP Pro :: Author dhpark <https://forums.openvpn.net/viewtopic.php?f=4&t=7061&p=7714#p7714> || Configuration :: services :: Author heberrio <https://forums.openvpn.net/viewtopic.php?f=6&t=7062&p=7715#p7715> || Exampl
13:17 < krzee> !confgen
13:17 < vpnHelper> krzee: "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/
13:20 < vpnHelper> RSS Update - forum: Server Administration :: Re: Help routing two networks :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7059&p=7718#p7718>
13:22 < krzee> !def1
13:22 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
13:25 < vpnHelper> RSS Update - forum: Configuration :: Re: Configure OpenVPN Client as default gateway :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7051&p=7719#p7719>
13:30 < vpnHelper> RSS Update - forum: Configuration :: Re: MULTI: bad source address from client :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7015&p=7720#p7720>
13:39 -!- dxtr [dxtr@unaffiliated/dxtr] has quit [Read error: Operation timed out]
13:39 -!- ab0oo [~johng@c-76-17-7-28.hsd1.ga.comcast.net] has joined ##openvpn
13:40 < ab0oo> is there a way to be more efficient with IP addresses with large numbers of clients?  We have 375 clients that all need to be simultaneously connected, and it looks like each client takes 4 ip addresses
13:42 < krzee> !topology
13:42 < vpnHelper> krzee: "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
13:42 < krzee> yes there is =]
13:42 < ab0oo> krzee: tyvm.  can I use 2.0 clients with a 2.1 server to get this effect?
13:43 < krzee> negative, must upgrade
13:43 < ab0oo> my clients are embedded debian boxes and upgrading glibc to get us to openvpn 2.1 is too dangerous
13:43 < ab0oo> hosed.
13:43 -!- RedShift [~glenn@apollo.webmind.be] has quit [Quit: leaving]
13:43 < krzee> you can do it
13:43 < krzee> just use a testbed first
13:43 < ab0oo> I'm testbedding right now.
13:45 -!- bostik_ [~bostik@213-209-160-195.ip.skylogicnet.com] has quit [Quit: Sto andando via]
13:45 < krzee> good =]
13:45 < ab0oo> I'll even report back here with my success or failure
13:46 < krzee> cool
13:47 < ab0oo> I was trying to use dhsmasq/dhcp over the tunnel, and having no luck.  I think it will work over tap, but not tun
13:49 -!- dxtr [dxtr@unaffiliated/dxtr] has joined ##openvpn
13:51 < hyper_ch> !configs
13:51 < vpnHelper> hyper_ch: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
14:01 < ab0oo> krzee: doesn't look good for the home team.  the 2.0.x client isn't getting an IP addressed pushed from the server
14:01 < krzee> well right... dhcp is layer2
14:01 < krzee> ab0oo, i told you it would not work
14:02 < krzee> [11:46]  <krzee> negative, must upgrade
14:02 < ab0oo> <sigh>
14:04 -!- jaminja_ [~jaminja@74.81.170.5] has joined ##openvpn
14:05 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Ping timeout: 240 seconds]
14:11 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 255 seconds]
14:13 < ab0oo> the remote devices are are built on debian etch, which is obsolete to the point I can't find a c-compiler easily.
14:14 -!- bayer [~bayer@chello062178075222.26.11.tuwien.teleweb.at] has joined ##openvpn
14:14 < krzee> heh
14:14 < krzee> maybe its time to update them
14:15 < bayer> hi, i'm trying to set up a bridged vpn with openvpn, and would like to know what the routing table on the client should look like in order to route all traffic through the vpn
14:15 < krzee> bayer
14:15 < krzee> !def1
14:15 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
14:16 < ab0oo> krzee: the pain would be extremely high
14:16 < krzee> ab0oo, then live with net30?
14:16 < krzee> seems to be your 2 options
14:16 < ab0oo> you're a bright, shining ray of hope in my otherwise dreary and rainy day.
14:16 < ab0oo> :p
14:17 < bayer> thx krzee 
14:19 < krzee> bayer, yw
14:27 -!- bayer [~bayer@chello062178075222.26.11.tuwien.teleweb.at] has quit [Ping timeout: 260 seconds]
14:33 -!- jaminja_ [~jaminja@74.81.170.5] has quit [Quit: "eternal trails in netvoid"]
14:42 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:43 -!- stein0_ [~stein@mail.vgnett.no] has joined ##openvpn
14:43 -!- jwm_ [jwm@74.208.185.36] has joined ##openvpn
14:44 -!- manevra [manevra@95.154.230.239] has joined ##openvpn
14:45 -!- reiffert_ [~thomas@mail.reifferscheid.org] has joined ##openvpn
14:45 -!- udk [~evaldo@freenode/staff/udontknow] has joined ##openvpn
14:47 < ab0oo> krzee: 30 minutes and change to run ./configure on my x486 dx2-66 dev board, only to see I forgot the openssl headers
14:47 -!- UdontKnow [~evaldo@freenode/staff/udontknow] has quit [Remote host closed the connection]
14:47 -!- reiffert [~thomas@mail.reifferscheid.org] has quit [Remote host closed the connection]
14:47 -!- stein0 [~stein@mail.vgnett.no] has quit [Remote host closed the connection]
14:47 -!- plundra [404@article.se] has quit [Remote host closed the connection]
14:47 -!- jwm [jwm@74.208.185.36] has quit [Remote host closed the connection]
14:51 -!- plundra [404@article.se] has joined ##openvpn
14:53 -!- bayer [~bayer@chello062178075222.26.11.tuwien.teleweb.at] has joined ##openvpn
15:00 -!- bayer [~bayer@chello062178075222.26.11.tuwien.teleweb.at] has quit [Ping timeout: 276 seconds]
15:15 <@dazo> ab0oo:  you're in for a lot of pain, compiling on such ancient stone age devices ...
15:16 < ab0oo> they work perfectly for their intended purpose, and are actually quite capable of running openvpn with about 50kb/s throughput
15:18 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
15:25 -!- szr [~SR@unaffiliated/szr] has quit [Ping timeout: 245 seconds]
15:29 -!- mattock [~samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit [Ping timeout: 272 seconds]
15:42 < Cisien> painful
15:43 < Cisien> i should run a test one of these days to see what my router's routing speed and openvpn speeds are without my cable modem being the bottleneck
15:44 < Cisien> 1.66ghz atom cpu
15:50 -!- grendal_prime [~sgraham@c-67-187-145-117.hsd1.ca.comcast.net] has joined ##openvpn
15:51 < grendal_prime> hey guys..im trying to figure out if i can..push an ip to a client based on its ip of origin
15:52 -!- WinstonSmith [~true@e177089191.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
16:01 -!- szr [~SR@unaffiliated/szr] has joined ##openvpn
16:08 <@dazo> grendal_prime:  yeah, that's possible with some clever scripting with --client-connect or --plugin (as a C based plugin, adding a hook to CLIENT_CONNECT) ... IIRC, it is CLIENT_CONNECT which gives you the possibility to add server config options "on-the-fly", which can contain "push" statements
16:08 < grendal_prime> hmmm where is the list of things i can push?
16:08 < grendal_prime> i would love to be able to push a bunch of things to these boxes.
16:10 -!- WinstonSmith [~true@e177089191.adsl.alicedsl.de] has joined ##openvpn
16:10 <@dazo> grendal_prime:  check the man page
16:10  * dazo calls this a day
16:11 -!- dazo is now known as dazo_afk
16:11 -!- WinstonSmith [~true@e177089191.adsl.alicedsl.de] has quit [Client Quit]
16:11 -!- WinstonSmith [~true@e177089191.adsl.alicedsl.de] has joined ##openvpn
16:20 -!- SOG [~SOG@222.125.226.58] has joined ##openvpn
16:21 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
16:26 -!- raidzxx [~Andrew@2002:adc0:e0ad::adc0:e0ad] has joined ##openvpn
16:29 -!- raidz [~Andrew@seance.openvpn.org] has quit [Ping timeout: 260 seconds]
16:30 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
16:33 -!- SOG [~SOG@222.125.226.58] has quit [Remote host closed the connection]
16:33 -!- SOG [~SOG@n1164871167.netvigator.com] has joined ##openvpn
16:34 -!- SOG [~SOG@n1164871167.netvigator.com] has quit [Client Quit]
16:35 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has quit [Read error: Operation timed out]
16:35 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn
16:36 < Dougy> bitches
16:39 -!- manevra [manevra@95.154.230.239] has quit [Quit: Leaving]
16:40 < grendal_prime> hoes...
16:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
17:00 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Read error: Connection reset by peer]
17:03 -!- grendal_prime [~sgraham@c-67-187-145-117.hsd1.ca.comcast.net] has quit [Quit: Ex-Chat]
17:06 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
17:08 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 276 seconds]
17:10 -!- Cisien_ [~chris@2001:470:e883:0:d862:7ca4:b940:22b3] has joined ##openvpn
17:10 -!- Four2zero [~nnscript@cpe-76-94-31-248.socal.res.rr.com] has quit [Read error: Connection reset by peer]
17:11 -!- raidzxx [~Andrew@2002:adc0:e0ad::adc0:e0ad] has quit [Ping timeout: 240 seconds]
17:12 -!- raidz [~Andrew@seance.openvpn.org] has joined ##openvpn
17:13 -!- Cisien [~chris@2001:470:e883:0:d862:7ca4:b940:22b3] has quit [Ping timeout: 272 seconds]
17:14 -!- bayer [~bayer@chello062178075222.26.11.tuwien.teleweb.at] has joined ##openvpn
17:15 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
17:18 -!- meh3 [~efnet@27-9.202-62.fix.bluewin.ch] has quit [Read error: Connection reset by peer]
17:18 -!- stoned [~efnet@27-9.202-62.fix.bluewin.ch] has joined ##openvpn
17:19 -!- stoned is now known as Guest44037
17:24 -!- Ghent [~ghent@unaffiliated/ghent] has quit [Read error: Operation timed out]
17:25 -!- Ghent [~ghent@unaffiliated/ghent] has joined ##openvpn
17:26 -!- montana [~montana@212.117.173.72] has quit [Ping timeout: 272 seconds]
17:26 -!- montana [~montana@212.117.173.72] has joined ##openvpn
17:31 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 265 seconds]
17:39 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Read error: Operation timed out]
17:40 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
17:47 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
17:51 -!- oracle [~o2@unaffiliated/spice] has quit [Ping timeout: 276 seconds]
17:53 -!- oracle [~o2@unaffiliated/spice] has joined ##openvpn
18:03 -!- benedikt [~benedikt@earth.sudo.is] has left ##openvpn []
18:13 -!- jaminja_ [~jaminja@74.81.170.4] has joined ##openvpn
18:13 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Ping timeout: 240 seconds]
18:16 -!- nb is now known as i
18:16 -!- i is now known as i_
18:16 -!- i_ is now known as nb_
18:16 -!- nb_ is now known as nb|away
18:16 -!- nb|away is now known as nb
18:20 -!- jaminja_ is now known as jaminja
18:20 -!- jaminja [~jaminja@74.81.170.4] has quit [Changing host]
18:20 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
18:22 -!- bayer [~bayer@chello062178075222.26.11.tuwien.teleweb.at] has quit [Remote host closed the connection]
18:23 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Read error: Connection reset by peer]
18:50 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Remote host closed the connection]
18:59 -!- Guest44037 [~efnet@27-9.202-62.fix.bluewin.ch] has quit [Ping timeout: 272 seconds]
19:02 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
19:03 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
19:25 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Ping timeout: 252 seconds]
19:30 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
19:49 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
19:58 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
20:00 -!- jaminja_ [~jaminja@74.81.170.5] has joined ##openvpn
20:00 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Disconnected by services]
20:01 -!- jaminja_ is now known as jaminja
20:01 -!- jaminja [~jaminja@74.81.170.5] has quit [Changing host]
20:01 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
20:27 -!- WinstonSmith [~true@e177089191.adsl.alicedsl.de] has quit [Ping timeout: 265 seconds]
20:38 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Ping timeout: 245 seconds]
20:39 -!- WinstonSmith [~true@e177090208.adsl.alicedsl.de] has joined ##openvpn
20:40 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Quit: Leaving.]
21:00 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
21:04 -!- jwm_ is now known as jwm
21:12 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
21:31 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has joined ##openvpn
21:33 -!- benspaulding [~benspauld@169.69.124.24.cm.sunflower.com] has quit [Quit: ZNC - http://znc.sourceforge.net]
21:34 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
21:39 -!- benspaulding [~benspauld@169.69.124.24.cm.sunflower.com] has joined ##openvpn
21:44 -!- krzie [~k@unaffiliated/krzee] has joined ##openvpn
22:14 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has quit [Quit: Leaving.]
22:19 -!- Some-body_ [~Vetinari@delta.cluenet.org] has joined ##openvpn
22:21 -!- plndra [404@article.se] has joined ##openvpn
22:21 -!- darkwind [~bpayne@rrcs-70-61-50-54.central.biz.rr.com] has quit [Read error: Operation timed out]
22:22 -!- darkwind [~bpayne@rrcs-70-61-50-54.central.biz.rr.com] has joined ##openvpn
22:25 -!- plndra [404@article.se] has quit [Ping timeout: 245 seconds]
22:29 -!- Netsplit *.net <-> *.split quits: plundra, DarthGandalf, raidz
22:31 -!- Netsplit over, joins: plundra
22:31 -!- Some-body_ is now known as DarthGandalf
22:31 -!- DarthGandalf [~Vetinari@delta.cluenet.org] has quit [Changing host]
22:31 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
22:37 -!- raidz [~Andrew@seance.openvpn.org] has joined ##openvpn
22:41 < theDoc> raidz! o/
22:55 -!- spbogie [~spbogie@155.92.106.192] has joined ##openvpn
23:25 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
23:57 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
23:58 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
--- Day changed Fri Sep 03 2010
00:00 -!- oracle [~o2@unaffiliated/spice] has quit [Quit: turning bsd server into ubuntu]
00:17 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
00:18 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
00:39 -!- gorkhaan [~gorkhaan@adsl-101-61.globonet.hu] has quit [Ping timeout: 240 seconds]
00:47 -!- Diffen2 [~diffen2@81-234-228-6-no32.tbcn.telia.com] has quit [Quit: This computer has gone to sleep]
00:49 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has joined ##openvpn
01:02 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection timed out]
01:03 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
01:11 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
01:17 -!- spbogie [~spbogie@155.92.106.192] has quit [Quit: Leaving]
01:22 -!- krzie [~k@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
01:33 -!- Diffen2 [~diffen2@81-234-228-6-no32.tbcn.telia.com] has joined ##openvpn
01:34 -!- krzie [~k@unaffiliated/krzee] has joined ##openvpn
01:52 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
02:03 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has quit [Read error: Operation timed out]
02:04 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has joined ##openvpn
02:04 -!- WinstonSmith [~true@e177090208.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
02:06 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has quit [Quit: Leaving.]
02:08 -!- ScriptFanix [~vincent@cl-53.mrs-01.fr.sixxs.net] has joined ##openvpn
02:11 -!- ScriptFanix [~vincent@cl-53.mrs-01.fr.sixxs.net] has quit [Client Quit]
02:11 -!- ScriptFanix [~bofh@cl-53.mrs-01.fr.sixxs.net] has joined ##openvpn
02:18 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:22 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:22 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
02:24 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
02:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:27 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
02:36 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
02:41 -!- dazo_afk is now known as dazo
02:50 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has quit [Ping timeout: 260 seconds]
02:52 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn
03:00 -!- krzie [~k@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
03:07 -!- jaminja_ [~jaminja@74.81.170.4] has joined ##openvpn
03:09 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Ping timeout: 272 seconds]
03:09 -!- jaminja_ is now known as jamina
03:10 -!- jamina is now known as jaminja
03:10 -!- jaminja [~jaminja@74.81.170.4] has quit [Changing host]
03:10 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
03:14 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
03:32 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Read error: Operation timed out]
03:33 -!- LowKey [rhel@unaffiliated/lowkey] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:39 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Quit: changing servers]
03:43 -!- LowKey [rhel@unaffiliated/lowkey] has joined ##openvpn
03:49 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Quit: changing servers]
03:50 -!- LowKey [rhel@unaffiliated/lowkey] has joined ##openvpn
04:18 -!- ultramage [umage@kurobara.netvor.sk] has joined ##openvpn
04:19 < ultramage> hello, I've got a problem sort of related to openvpn; I started using pf, and I have trouble referencing the openvpn gif interface, since it's not there yet when pf starts. Any tips on that?
04:25 < ksk> pf?
04:45 < ultramage> openbsd's packet firewall (I think) :)
04:53 < ksk> ah okay, im out then :>
05:11 -!- jaminja_ [~jaminja@74.81.170.5] has joined ##openvpn
05:12 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Ping timeout: 276 seconds]
05:20 -!- dazo is now known as dazo_afk
05:23 -!- dazo_afk is now known as dazo
05:26 < vpnHelper> RSS Update - forum: Off Topic, Related :: Re: OpenVPN client :: Reply by simon <https://forums.openvpn.net/viewtopic.php?f=1&t=7038&p=7721#p7721>
05:34 -!- Guest44037 [~efnet@27-9.202-62.fix.bluewin.ch] has joined ##openvpn
05:47 < ksk> hello
05:48 < ksk> is there a way to enable not-admin users on win7 use openvpn?
05:48 < ksk> got problem with wrinting the logfile ( i can solve if if give them write-access - this can be done kinda easily)
05:49 < ksk> another topic are the routes i want to be set by openvpn
05:49 < ksk> is there a way to make non-admin users to in an actual version of openvpn?
05:49 < ksk> s/to/able to set routes/
05:53 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
06:02 -!- SOG [~SOG@61.144.230.241] has quit [Quit: SOG]
06:11 -!- ultramage [umage@kurobara.netvor.sk] has left ##openvpn []
06:31 -!- barfster [~barf@193.69.144.162] has joined ##openvpn
06:31 < barfster> Anyone got an OpenVPN client for iPad/iPhone?
06:47 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
06:51 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
07:21 -!- manevra [manevra@89.238.173.234] has joined ##openvpn
07:24 -!- ab0oo [~johng@c-76-17-7-28.hsd1.ga.comcast.net] has quit [Remote host closed the connection]
07:29 <@dazo> !iphone
07:29 < vpnHelper> dazo: "iphone" is (#1) http://github.com/jfx2006/OpenVPN_iphone/downloads for precompiled iphone binaries, or (#2) http://modmyi.com/cydia/package.php?id=15784 for the gui portion, or (#3) http://www.zdnet.com/blog/hardware/ubuntu-lucid-lynx-1004-can-read-your-iphones-secrets/8424 <-- be aware of that before putting your keys on an iphone
07:29 <@dazo> barfster: ^^
07:31 -!- manevra [manevra@89.238.173.234] has quit [Quit: Leaving]
07:35 < barfster> dazo does this security stuff mean that iPhones should not be using a VPN connection at all?
07:37 <@dazo> barfster: well ... if you use password protected SSL keys or PKCS#12 with password ... then it's "safer" ... but in general ... this security stuff, completely circumvents any pin/pad lock ... just by plug-in the USB cable ... so it's up to you in the end if that's considered bad enough or not
07:37  * dazo is not an iPhone user ... and will stay away from Apple products as long as he can
07:40 < barfster> BSD and Linux is usually nice
07:43 < barfster> But Apple has a way of crippling stuff... MacOS X Server in particular is a nightmare, compared to Ubuntu
07:44 < barfster> After all Apple is just a window manager and a set of desktop applications and not reall an OS
08:01 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
08:41 < barfster> Is there a way to broadcast services across a vpn connection? I know there is: http://www.macupdate.com/info.php/id/11315/network-beacon but I would prefer a daemon in linux doing this service rather than an application in GUI
08:41 < vpnHelper> Title: Download Network Beacon for Mac - Publish/serve Bonjour services on network. MacUpdate Mac Software Downloads (at www.macupdate.com)
08:43 < barfster> Haha, it told me what I already said :-p
08:43 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- *I* use it, so it must be good!]
08:43 < barfster> avahi
09:02 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
09:03 < barfster> Does avahi-daemon serve the same purpose as beacon? 
09:11 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Ping timeout: 272 seconds]
09:11 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
09:21 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined ##openvpn
09:21 < ksk> hello
09:21 < ksk> is there a way to make users add routes?
09:21 < ksk> or the openvpn client running as user
09:22 < mort_gib> ksk: What are you trying to do??
09:22 < ksk> i want users without admin rights to run openvpn client
09:22 < ksk> and there are some routes pushed by openvpn server
09:22 < ksk> which does work with admin rights
09:22 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
09:22 < ksk> but right now not without.. i thought there might be a way..
09:23 < mort_gib> are you running OpenVPN client on Windows??
09:24 < ksk> yessir
09:24 < ksk> win7
09:25 < ksk> didnt mention that - wtf - sry
09:35 < ksk> ah found sth
09:36 < ksk> you have to add them to a specific group - dont know its english name
09:37 -!- gorkhaan [~gorkhaan@adsl-101-61.globonet.hu] has joined ##openvpn
09:43 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 264 seconds]
09:44 -!- SOG [~SOG@n1164871167.netvigator.com] has joined ##openvpn
10:01 -!- JPeterso2 [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
10:02 -!- fremo___ [~fremo@noc.toile-libre.net] has joined ##openvpn
10:05 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
10:05 -!- fbh [fbh@unaffiliated/fbh] has quit [Ping timeout: 276 seconds]
10:05 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Ping timeout: 276 seconds]
10:05 -!- fremo__ [~fremo@noc.toile-libre.net] has quit [Ping timeout: 276 seconds]
10:05 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 276 seconds]
10:05 -!- Typone [~nnnnnnnit@195.197.184.87] has quit [Ping timeout: 276 seconds]
10:05 -!- Nrg_ [pk@reaktio.net] has quit [Ping timeout: 276 seconds]
10:05 -!- Nrg_ [pk@reaktio.net] has joined ##openvpn
10:05 -!- SOG [~SOG@n1164871167.netvigator.com] has quit [Quit: I will be back!]
10:05 -!- fbh [fbh@lucifer.frands.net] has joined ##openvpn
10:07 -!- Typone [~nnnnnnnit@195.197.184.87] has joined ##openvpn
10:07 -!- Diffen2 [~diffen2@81-234-228-6-no32.tbcn.telia.com] has quit [Quit: This computer has gone to sleep]
10:10 < Zathraz> Hi. Does anyone uses: http://sourceforge.net/projects/openvpn-status
10:10 < vpnHelper> Title: OpenVPN-Status | Download OpenVPN-Status software for free at SourceForge.net (at sourceforge.net)
10:10 < Zathraz> I see an empty index.html !
10:10 -!- Diffen2 [~diffen2@81-234-228-6-no32.tbcn.telia.com] has joined ##openvpn
10:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:14 < blackpenguin> Zathraz: something is wrong on your side then.
10:14 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit [Quit: Leaving]
10:16 < blackpenguin> Zathraz: if you just want to download it, you might try http://switch.dl.sourceforge.net/project/openvpn-status/openvpn-status/0.1/openvpn-status.tgz  (as this is what the download link downloads here)
10:16 < vpnHelper> Title: Download OpenVPN-Status from SourceForge.net (at switch.dl.sourceforge.net)
10:17 < Zathraz> uhm. openvpn-status.tgz contains a zero-byte index.html in my download
10:17 < blackpenguin> oh, okay, I didn't check this
10:17 -!- JodaZ [~JodaZ@ns302312.ovh.net] has joined ##openvpn
10:17 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
10:18 < Zathraz> just issued a wget on that exact url. Same thing
10:21 < blackpenguin> first of all the creator of this archive should be put into a cage for a few days for creating an archive that doesn't put file in a subdir but directly into the current workdir. beside that. yes, the index.html in that is empty. 
10:22 < blackpenguin> I'm not sure if it is supposed to be empty as it might be created later though. at least the conten of main.py looks like it would create a html-page
10:26 < Zathraz> the install instruction can be improved too imho
10:26 < Zathraz> for instance: when is main.py to be run and how?
10:26 < Zathraz> when ran manually it want a module called _apache
10:26 < Zathraz> which is not on my system....
10:27 < Zathraz> probably there needs to be an apache config file to handle things
10:27 < Zathraz> I kind of understand why this is labeled as version 0.1
10:28 < Zathraz> but thanks for checking blackpenguin 
10:28 < blackpenguin> it says it needs modpython in apache, I guess that will provide the _apache module, too
10:28 < Zathraz> yes. modpython is on my system. But Apache loads index.html by default which is empty
10:29 < Zathraz> so there must be an handler which runs main.py somehow so index.html can be generated before it is served to a browser
10:29 < Zathraz> (wild guess)
10:30 < blackpenguin> maybe the empty index.html files are just to prevent listing the directory content if someone tries.
10:30 < blackpenguin> so it's possible you are supposed to call main.py instead. but as I never used this, this is only a guess, of course.
10:32 < blackpenguin> especially as there are empty index.html files in img/ and css/ too, it's probably just to prevent dirlistings
10:41 < Zathraz> nasty way to do that. But that might be the case
10:44 < Zathraz> it seems the author has made further developments available through github
10:45 < Zathraz> http://github.com/mezgani/ovpnview
10:45 < vpnHelper> Title: mezgani's ovpnview at master - GitHub (at github.com)
10:47 < ksk> is there a way to remove added routes when stopping openvpn?
10:47 < ksk> *pushed routes
10:47 < ksk> they vary, i dont know them exactly
10:48 < ksk> btw thx for all the support you offer :)
10:51 -!- jake__ [~chatzilla@173-161-69-124-Illinois.hfc.comcastbusiness.net] has joined ##openvpn
10:52 < jake__> hello
10:52 < jake__> !welcome
10:52 < vpnHelper> jake__: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:53 -!- Diffen2 [~diffen2@81-234-228-6-no32.tbcn.telia.com] has quit [Quit: This computer has gone to sleep]
10:53 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined ##openvpn
10:54 < jake__> I am having a problem with certificate based authentication and open-vpn 
10:55 < ksk> tell us more!
10:55 < jake__> I have a network 10.1.0.x that I want to vpn into.  The vpn server is openvpn.
10:56 < jake__> Its configuration is: local 10.1.0.1
10:56 < jake__> port 1194
10:56 < jake__> proto udp
10:56 < jake__> dev tun0
10:56 < hyper_ch> !easy-rsa
10:56 < jake__> tls-server
10:56 < vpnHelper> hyper_ch: Error: "easy-rsa" is not a valid command.
10:56 < jake__> ca /tmp/openvpn/ca.crt
10:56 < jake__> cert /tmp/openvpn/cert.pem
10:56 < jake__> key /tmp/openvpn/key.pem
10:56 < hyper_ch> !easyrsa
10:56 < jake__> dh /tmp/openvpn/dh.pem
10:56 < vpnHelper> hyper_ch: Error: "easyrsa" is not a valid command.
10:56 < jake__> keepalive 10 60
10:56 < jake__> persist-tun
10:56 < jake__> persist-key
10:56 < jake__> verb 3
10:57 < jake__> My client is on the 10.100.159.x network.
10:57 < jake__> The openvpn server has a "public" ip of 10.100.159.9.
10:57 < jake__> My client config is:
10:57 < jake__> client
10:57 < jake__> dev tun
10:57 < Zathraz> blackpenguin, that new version is extremely slow but at least there is something to see
10:57 < jake__> proto udp
10:57 < jake__> remote 10.100.159.9 1194
10:57 < jake__> resolv-retry infinite
10:57 < jake__> nobind
10:58 < jake__> persist-key
10:58 < jake__> persist-tun
10:58 < jake__> remote-cert-tls server 
10:58 < jake__> ca ca.crt
10:58 < jake__> cert sj-pc1.crt
10:58 < jake__> key sj-pc1.key
10:58 < jake__> ns-cert-type server
10:58 < jake__> verb 3
10:58 < hyper_ch> !configs
10:58 < vpnHelper> hyper_ch: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
10:58 < jake__> I followed the directions in generating the keys using ubuntu
10:58 < jake__> !configs
10:58 < vpnHelper> jake__: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
10:59 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:59 -!- jaminja_ is now known as jaminja
10:59 -!- jaminja [~jaminja@74.81.170.5] has quit [Changing host]
10:59 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
11:02 < jake__> When I try to connect I keep getting Fri Sep 03 11:03:13 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 
11:02 < jake__> Fri Sep 03 11:03:13 2010 TLS Error: TLS handshake failed
11:02 < jake__> my config are at http://pastebin.com/HKbUNbLH
11:03 < jake__> When I generated my client certificate for the common name I used the netbios name of my computer.  Was this correct?
11:05 -!- barfster [~barf@193.69.144.162] has quit [Quit: Computer has gone to sleep]
11:08 -!- JackCorleone [~root@187.10.70.18] has quit [Quit: Saindo]
11:08 < Cisien_> jake__, is the port your trying to use blocked?
11:08 < Cisien_> also, waht is the latency of the connection your trying to use?
11:09 < jake__> No.  I have  iptables -I INPUT -p tcp --dport 1194 -j ACCEPT in my firewall script.
11:09 < |Mike|> apt-get install ferm
11:10 < jake__> The latency is quite small as the vpn server plugs into the same switch as I am plugged into.
11:11 < Cisien_> that doesn't mean there's not a firewall on the vpn server, or even the client, that's blocking communication
11:11 < jake__> the firewall script I showed is from the openvpn server.
11:12 < jake__> My PC does have a firewall but I allowed all traffic from my PC to the VPN server.
11:12 < Cisien_> well, i guess the next step is to run tcpdump against the server to see what the traffic is doing
11:12 < jake__> I take it that my configs are correct then?
11:14 < jake__> I will try a tcpdump this afternoon. 
11:19 -!- gorkhaan [~gorkhaan@adsl-101-61.globonet.hu] has quit [Ping timeout: 240 seconds]
11:24 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
11:26 < Zathraz> blackpenguin, it works great provided(!) you are not logged onto the management console manually(!)
11:26 -!- Cisien_ is now known as Cisien
11:32 -!- gorkhaan [~gorkhaan@adsl-101-70.globonet.hu] has joined ##openvpn
11:36 <@dazo> ecrist: looks like you have some issues with Trac on your SCN box .... was looking up ssl-admin over there ...
11:37 < ecrist> yeah, it sucks
11:37 < ecrist> trac is a piece of shit
11:37 <@dazo> heh
11:37 < ecrist> it does this every so often.
11:37 < ecrist> you're the first one to complain.
11:37 < ecrist> what were you looking to see?
11:37 <@dazo> ssl-admin
11:38 < ecrist> what about it?  the source?
11:38 < ecrist> svn co https://secure-computing.net/svn/trunk/ssl-admin <foo>
11:38 < vpnHelper> Title: svn - Revision 315: /trunk/ssl-admin (at secure-computing.net)
11:38 <@dazo> I googled it, as I wanted to reference it in an e-mail I'm writing
11:38 < ecrist> fine, I guess I'll fix trac
11:38 < ecrist> I should create a page that's non-trac for it, though
11:39 <@dazo> that'd be great
11:39  * ecrist dives into the trench that is his web server
11:39 <@dazo> for now, I just point at the SVN tree directly
11:39 -!- nickels [~nickels@168.103.65.91] has joined ##openvpn
11:40 < nickels> hey all, having some issues with a bridged setup using dev tap
11:41 < nickels> is it okay to use proto udp when bridge?
11:41 <@dazo> nickels: yes, that's no problem
11:41 < nickels> or do i have to use proto tcp-server & proto tcp-client...or is it just tcp
11:41 < nickels> okay sweet so that must not be it
11:41 < nickels> its getting stuck obtaining information on the windows clients gui side
11:41 < nickels> i see on server last thing about pushing the route
11:42 <@dazo> but some network connections sucks with UDP ... due to firewall stuff or a sucky ISP ... then you're forced to use TCP
11:42 < nickels>  'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
11:42 < nickels> this warning an issuhe?
11:43 <@dazo> that's config issue ... check client and server configs ... you have --dev tun on one side and --dev tap on the other
11:43 < nickels> i have checked both sides conf and neither are tun
11:43 < nickels> that's where i'm a little confused
11:43 <@dazo> non-sense ... then you edit the wrong config
11:43 < nickels> no way, i'm looking right at it
11:43 < nickels> server, dev tap0
11:43 < nickels> client dev tap0
11:44 <@dazo> 'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'  == erroneous config .... no way around that
11:44 <@dazo> if your configs are fine ... you would never ever see that error
11:44 < nickels> i get you man...but im telling you...im looking right at both configs
11:44 < nickels> i know it sounds stupid
11:45 <@dazo> yeah, but one of the sides are using the wrong config file then ... guaranteed
11:45 < nickels> but i swear to you that i'm using the same configs i was using earlier non bridged
11:45 <@dazo> nickels: this is a PEBKAC for sure
11:46 < nickels> haha
11:46 < nickels> wierd
11:46 < nickels> weird
11:46 < nickels> i deleted the profile from the gui
11:47 < nickels> and then readded the same ovpn file
11:47 < nickels> now it seems to read correct
11:47 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
11:47 < nickels> ahh now i get
11:47 < nickels>  'dev-type' is used inconsistently, local='dev-type tap', remote='dev-type tun'
11:48 < nickels> oops
11:48 < nickels> wrong
11:48 < nickels> [client2] Peer Connection Initiated with 108.105.97.133:59586
11:48 < nickels> Fri Sep  3 10:46:04 2010 MULTI: new connection by client 'client2' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
11:49 < nickels> here we go
11:49 < nickels> it sticks at same spot tho
11:49 < nickels> [client2] Peer Connection Initiated with 108.105.97.133:59586
11:49 < nickels> Fri Sep  3 10:46:04 2010 MULTI: new connection by client 'client2' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
11:49 < nickels> dangit
11:49 < nickels> stupid copy paste
11:49 <@dazo> "Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect."
11:49 < nickels> [client2] Peer Connection Initiated with 108.105.97.133:54825
11:49 < nickels> Fri Sep  3 10:49:33 2010 client2/108.105.97.133:54825 PUSH: Received control message: 'PUSH_REQUEST'
11:49 < nickels> Fri Sep  3 10:49:33 2010 client2/108.105.97.133:54825 SENT CONTROL [client2]: 'PUSH_REPLY,route 192.168.237.0 255.255.255.0,route-gateway 10.8.0.4,ping 10,ping-restart 120,ifconfig 10.8.0.50 255.255.255.0' (status=1)
11:50 < nickels> i got that part
11:50 <@dazo> ^^^please read the one .... I'll give you a hint: server config
11:50 <@dazo> but it seems you're up'n'running now, though
11:50 < nickels> its not saying duplicate-cn option now
11:50 < nickels> the win gui says obtaining config...not all the way thru 
11:50 < nickels> just stuck
11:50 < nickels> is my server-bridge wrong?
11:51 <@dazo> exactly, and you have more clients using the same client certificate (CN/common name identical) at the same time ... to make that work, you need duplicate-cn in the server config
11:51 < nickels> i dont have more clients using the same cert...it must have timed out that 
11:52 <@dazo> the server is complaining about it ... and it usually can detect when a client is reconnecting, so you got some more issues
11:52 < ecrist> dazo: trac is a lost cause for the time being
11:52 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
11:52 < nickels> okay so i added duplicate-cn to the server.conf
11:52 < ecrist> point to svn for now, and I'll write up a page this weekend that's not inside trac
11:52 <@dazo> ecrist: sure, no prob!
11:53 <@dazo> perfect!
11:53 < nickels> restarted the server, and tried to connect..same thing...stuck at...
11:53 < nickels> [client2] Peer Connection Initiated with 108.105.97.133:56459
11:53 < nickels> Fri Sep  3 10:52:28 2010 client2/108.105.97.133:56459 PUSH: Received control message: 'PUSH_REQUEST'
11:53 < nickels> Fri Sep  3 10:52:28 2010 client2/108.105.97.133:56459 SENT CONTROL [client2]: 'PUSH_REPLY,route 192.168.237.0 255.255.255.0,route-gateway 10.8.0.4,ping 10,ping-restart 120,ifconfig 10.8.0.50 255.255.255.0' (status=1)
11:53 < nickels> the vpn should get 10.8.0.1 right and then i ran the bridge to tap0 br0 script
11:54 < nickels> well, i ran that before is tarted the vpnserver
11:54 <@dazo> !confgs
11:54 < vpnHelper> dazo: Error: "confgs" is not a valid command.
11:54 <@dazo> !logs
11:54 < vpnHelper> dazo: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
11:54 <@dazo> !configs
11:54 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
11:57 -!- krzie [~k@unaffiliated/krzee] has joined ##openvpn
11:58 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
11:59 < nickels> http://pastebin.org/810706
11:59 < nickels> oops
11:59 < nickels> server.conf http://pastebin.org/810706
12:00 < krzie> a) verb 9 is too much
12:01 < krzie> verb 5 is good for debugging
12:01 < krzie> b) why are you bridging?
12:01 < nickels> okay
12:01  * dazo expected question b) from krzie :)
12:01 < krzie> =]
12:01 < nickels> i need the vpn to be able to access the eth1 192.168.237.0
12:01 < krzie> layer2 or layer3?
12:02 < nickels> from the 10.8.0.x
12:02 < krzie> routing can have foreign subnets accessed just fine
12:02 < Chosi> ops in my ##openvpn?
12:02 < Chosi> what's wrong with you guys?
12:02 < krzie> in fact i wrote a doc on it
12:02 < nickels> i'm not sure what layer
12:02 < krzie> !route
12:02 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:02 < krzie> nickels, 
12:02 < krzie> !layer2
12:02 < vpnHelper> krzie: "layer2" is (#1) you are using tap, what specific layer2 protocol do you need to work over the vpn?, or (#2) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#3) protocols that use layer2 communicate by MAC address, not IP address
12:02 < nickels> oh well when i set it to tcp, turn offf the fw...it doesnt even log in
12:03 < nickels> id rather do the better of the two
12:03 -!- mode/##openvpn [+o krzie] by ChanServ
12:03 -!- mode/##openvpn [+o Chosi] by krzie
12:03 <@krzie> happy
12:03 <@Chosi> ;)
12:03 <@krzie> ?
12:03 -!- mode/##openvpn [-o krzie] by krzie
12:03 <@Chosi> no it implies that i know stuff
12:03 -!- mode/##openvpn [-o Chosi] by Chosi
12:03 < krzie> ok
12:03 < Chosi> :)
12:03 < krzie> theres just no pleasing you! ;]
12:04 < Chosi> i was very pleased by your support, it's fine
12:04 < Chosi> ;)
12:04 <@dazo> nickels: if you only need to pass TCP/IP traffic between your networks ... then you most probably do not need bridging at all ... then tun with routing (see !route, from krzee) is more than enough in 99.9999% of all cases
12:04 < krzie> nickels, if you need a specific layer2 protocol (proto that communicates by MAC address) bridging is better, otherwise tun routing is better
12:04 <@dazo> bridging might sound quicker and easier ... but it introduces a lot of other issues instead
12:05 < nickels> okay i see
12:05 < krzie> if you dont know, tun routing
12:05 < nickels> but using proto udp should be fine right?
12:05 < krzie> yes
12:05 < krzie> !tcp
12:05 < vpnHelper> krzie: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
12:05 < nickels> do i set the routing on the machine itself or in the conf
12:06 < nickels> okay thank you!
12:06 < Chosi> btw i'm back in the place where my udp-crippled mates are
12:06 < nickels> you guys rock
12:06 -!- mode/##openvpn [-o dazo] by ChanServ
12:06 < Chosi> now i'm in the same position BUT they added an option to request udp ports ;)
12:06 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
12:06 < krzie> whoa, havnt seen thisn chan opless in awhile
12:06 < dazo> krzie: I was surprised I was op'ed ... not sure when that happened
12:07 < krzie> haha
12:07 < krzie> i think we set you to auto-op
12:07 < dazo> aha
12:07 < |Mike|> lies.
12:07  * dazo wonders where raidz, openvpn2009 and the other guys are hiding .... gone fishing?
12:07 < |Mike|> raidz: 
12:08 < |Mike|> he's here? :P
12:08 -!- mode/##openvpn [+o raidz] by ChanServ
12:08 < |Mike|> 2010/08/17 19:17:06 -!- openvpn2009 [~admin@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Quit: ircN 8.00 for mIRC (20080809) - www.ircN.org]
12:08 < |Mike|> 2010/09/03 18:51:48  * dazo wonders where raidz, openvpn2009 and the other guys are hiding .... gone fishing?
12:08 < dazo> now I see him!
12:08 < |Mike|> holidays?
12:08 < dazo> |Mike|: you're logging too much :-P
12:09 < krzie> !irclogs
12:09 < vpnHelper> krzie: "irclogs" is Channel logs are available at http://secure-computing.net/logs/openvpn.txt and are updated in real-time while ecrist is online.
12:09 < krzie> ;]
12:09 < Chosi> you should also log with -n
12:09 < dazo> krzie: details details details
12:09 < |Mike|> scroll buffer is way to huge :)
12:09 < Chosi> so names don't resolve to...names
12:09 < Chosi> :D
12:09 < |Mike|> mike  3295  0.0 42.5 545812 217144  p1  S+    3Jun09 748:13.80 irssi
12:09 < |Mike|> 545 mb.. :x
12:09 < |Mike|> lol
12:10 < dazo> ouch
12:10  * krzie doesnt log, on any apps
12:10 < krzie> old habits
12:10 < dazo> |Mike|: I told you ... you're logging too much ;-)
12:10 < krzie> where i come from logging stuff is a violation of trust, lol
12:10 < |Mike|> jawohl!
12:11 < krzie> (except of course in a channel like this where its for the public)
12:11 < |Mike|> krzie: bladiebla :P
12:11 < krzie> |Mike|, you dont log that other channel do you?
12:11 < nickels> I got it!
12:11 < |Mike|> krzie: nopes
12:11 < nickels> pushed my route
12:11 < krzie> good man
12:11 < nickels> and its working
12:12 < krzie> nickels, can the other machines in the lan get ping too?
12:12 < |Mike|> You're talking about #2,000 right? :)
12:12 < krzie> if not you may be missing a single route
12:12 < krzie> |Mike|, of course
12:13  * dazo hides behind his stone and begins parsing log files again
12:13 < krzie> !route_outside_ovpn
12:13 < vpnHelper> krzie: Error: "route_outside_ovpn" is not a valid command.
12:13 < krzie> !factoids search outside
12:13 < vpnHelper> krzie: "route_outside_openvpn" is http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route
12:14 < krzie> !learn route_outside_openvpn as you do not need this if the vpn node IS the gateway for its lan
12:14 < vpnHelper> krzie: Joo got it.
12:14 < krzie> !learn route_outside_ovpn as [route_outside_openvpn]
12:14 < vpnHelper> krzie: Joo got it.
12:15 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
12:16 -!- mode/##openvpn [+o krzie] by ChanServ
12:16 -!- mode/##openvpn [+v vpnHelper] by krzie
12:16 -!- mode/##openvpn [+ooo Bushmills reiffert_ ecrist] by krzie
12:17 -!- mode/##openvpn [-o krzie] by krzie
12:17 < krzie> muahaha
12:17 < Chosi> silence
12:17 < Chosi> we finally get dn4ever
12:17 < krzie> :x
12:17 < Chosi> http://twitter.com/GearboxSoftware/status/22904222245
12:17 <+vpnHelper> Title: Twitter / Gearbox Software: ALL HAIL THE KING!! Duke ... (at twitter.com)
12:17 < Chosi> this is so unreal
12:18 < krzie> there is only 1 duke imo
12:18 -!- JPeterso2 [HydraIRC@c213-100-62-9.swipnet.se] has quit [Ping timeout: 265 seconds]
12:18 < krzie> the cannabis cowboy of northern california
12:19 < krzie> http://www.medicalmarijuanaofamerica.com/cannabis-cowboy.html
12:19 <+vpnHelper> Title: Cannabis Cowboy (at www.medicalmarijuanaofamerica.com)
12:19 < nickels> haha
12:20 < krzie> i drove the tractor for the crop on the cover
12:20 < krzie> that was just a piece of it, the actual crop was acres
12:21 < krzie> in the book he goes by his real name, Robert, but everyone knows him as the Duke
12:21 < nickels> well crap, it worked that one time...then it stopped routing to 192.168.237.40
12:21 < krzie> nickels, did you add a route to the lan gateway?
12:22 < krzie> is the lan behind the server?
12:22 < nickels> vpn on same server as the lan
12:22 < krzie> umm
12:23 < krzie> is the lan behind the vpn server or client?
12:23 < nickels> basically 10.8.0.x needs to hit 192.168.237.0 on eth1
12:23 < nickels> server
12:23 < krzie> !serverlan
12:23 <+vpnHelper> krzie: "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
12:23 < nickels> i am connected thru my cell phone on the vpn
12:23 < krzie> what LAN ip is the server?
12:23 < nickels> 192.168.237.40
12:24 < krzie> what OS is the server?
12:24 < nickels> i think i need to restart my network
12:24 < nickels> suse 11
12:24 < krzie> !linipforward
12:24 <+vpnHelper> krzie: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
12:24 < nickels> yea my eth1 wasnt showing iip
12:25 < krzie> did you add a route to the gateway of the LAN?
12:25 < nickels> i believe so
12:25 < nickels> there we go
12:25 < nickels> it was just my nic got jacked from stopping bridge
12:25 < nickels> restarte network and im golden
12:25 < krzie> ahh
12:26 < krzie> however
12:26 < krzie> you are pinging .40, right?
12:26 < krzie> can you also reach other machines on the lan...?
12:26 < nickels> yea
12:26 < nickels> no i cant
12:26 < nickels> dang
12:26 < krzie> right
12:26 < nickels> i can hit the 40 tho
12:26 < krzie> !route_outside_ovpn
12:26 <+vpnHelper> krzie: "route_outside_ovpn" is "route_outside_openvpn" is (#1) http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) you do not need this if the vpn node IS the gateway for its lan
12:26 < krzie> thats the problem
12:28 < nickels> okay so did
12:28 < nickels> route add -net 10.8.0.0/24 gw 10.10.2.10
12:28 < nickels> oops
12:28 < krzie> on the router!
12:28 < krzie> and ummm you arent using 10.10.2.10
12:28 < nickels> route add -net 192.168.237.0/24 gw 192.168.237.2
12:29 < nickels> previous copy paste
12:29 < nickels> sorry
12:29 < krzie> you cant just copy and paste, must also think!
12:29 < krzie> hehehe
12:29 < nickels> haha
12:29 < nickels> soryr
12:29 < krzie> your router is linux?
12:29 < nickels> yea
12:29 < krzie> like .1
12:29 < nickels> .2
12:29 < nickels> ohh\
12:29 < krzie> the default gateway for the LAN
12:29 < nickels> the hardware router?
12:29 < krzie> quite often a hardware router (ie linksys / netgear)
12:30 < krzie> not always...
12:30 < nickels> according to network settings my default gateway is 168.103.65.94
12:30 < nickels> but thats pub not lan
12:30 < krzie> ermmm
12:30 < nickels> eth0 is the pub network
12:30 < nickels> connected dmz to cisco 678
12:30 < nickels> eth1 is the lan
12:30 < nickels> 192.168.237
12:31 < krzie> what machine are you trying to ping?
12:32 < nickels> .202
12:32 < krzie> when you netstat -rn on that machine, what address is default route
12:33 < krzie> THAT machine needs a route back to the VPN
12:33 < nickels> does not say
12:33 < krzie> bullshit it doesnt
12:33 < nickels> i dont see a default
12:33 < krzie> 0.0.0.0 is default route
12:33 < krzie> ;]
12:33 < nickels> ahh
12:33 < nickels> its the 65.94
12:33 < nickels> pub ip
12:34 < krzie> ok, so add a route back to VPN on that host if that fits in to your goal (it may allow more machines than you want to access your vpn, im not sure)
12:34 < krzie> alternatively, you can add the route to each host on the LAN you wish to communicate with the VPN
12:34 < krzie> as explained in detail in !route  section "ROUTES TO ADD OUTSIDE VPN"
12:34 < krzie> !route
12:34 <+vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:35 < nickels> so route add -net 10.8.0.0/24 gw 10.8.0.1
12:35 < nickels> liek that?
12:35 < krzie> if thats how your OS handles adding routes
12:35 < krzie> i believe thats good for linux
12:35 < nickels> okay
12:35 < krzie> oh wait no
12:35 < krzie> not 10.8.0.1
12:35 < krzie> the .40 ip
12:36 < nickels> oooh
12:36 < nickels> but stll -net 10.8...
12:36 < nickels> with gw of .40?
12:36 < krzie> you are telling the routing table that to reach 10.8.0.0/24 to send traffic to .40
12:36 < krzie> yes
12:37 < nickels> so
12:37 < nickels>  route add -net 10.8.0.0/24 gw 192.168.237.40
12:37 < nickels> added...still nothin different
12:37 < nickels> im not sure 40 is the gw...i think its .2
12:37 < krzie> pastebin the routing table
12:37 < krzie> .40 is the VPN node
12:37 < krzie> which makes it the gw for 10.8.0.0/24
12:37 < nickels> yea
12:37 < nickels> okay
12:38 < krzie> (vpn subnet)
12:38 < nickels> makes sense
12:38 < nickels> http://pastebin.org/811555
12:38 < nickels> i dont see that route in there
12:39 < krzie> wtf is patriot.237.168
12:39 < krzie> did you use netstat -rn or just -r?
12:39 < krzie> -rn please
12:39 < nickels> oops
12:39 < krzie> n = no resolve
12:40 < nickels> http://pastie.org/1136402
12:40 < nickels> pb was being slow
12:41 < nickels> but now .40 times out from the client
12:41 < krzie> does 10.8.0.1 still ping from client?
12:42 < nickels> fak no
12:42 < krzie> its probably disconnected
12:42 < krzie> ya, it is
12:42 < nickels> sec
12:42 < nickels> oh yea dumb
12:42 < krzie> make sure openvpn is not running 2x on the client
12:42 < krzie> that will make it battle against itself
12:42 < nickels> im running fromcommand and killing it
12:43 < nickels> okay now im connected...still no 10.8.0.1
12:43 < krzie> umm
12:43 < krzie> whats the server ip then
12:43 < nickels> i musta fibbed something
12:43 < nickels> sec
12:43 < nickels> 10.8.0.1 on the tun0
12:43 < krzie> pastebin me the server config again
12:44 < krzie> so .40 pings and 10.8.0.1 does not...??
12:45 < nickels> http://pastie.org/1136414
12:45 < nickels> neither do now
12:45 -!- snwbrdr [~xxx@85-142-54-74.well-com.net] has joined ##openvpn
12:45 < nickels> must have jacked something with that route
12:45 < krzie> ok well while 1 does the other should
12:45 < nickels> heres what i have now
12:45 -!- MadTBone [~MadTBone@gw.msmnyc.edu] has joined ##openvpn
12:45 < krzie> when you added that route, it was not on the VPN machine, right?>
12:45 < nickels> yes it was
12:46 < nickels> its all on the same machine
12:46 < krzie> lol
12:46 < nickels> two nics
12:46 < nickels> one pub, one lan
12:46 < nickels> http://pastie.org/1136418
12:46 < krzie> well ya, that was wrong =[
12:46 < nickels> thats the routing
12:47 < krzie> i did not mean to add it on the vpn machine
12:47 < krzie> the vpn machine did not need a route added, it was working fine
12:47 < nickels> oh
12:47 < MadTBone> is it possible to push a redirect gateway to vpn clients, but *exclude* a specific IP range (without knowing about their normal default gateway)?
12:47 < krzie> nickels, undo that
12:47 < krzie> nickels, then reconnect
12:47 < nickels> okay so were now..
12:48 < nickels> http://pastie.org/1136422
12:48 < krzie> MadTBone, normal default gateway has a variable, i think it is explained in --route
12:48 < krzie> nickels, now restart all sides of the vpn
12:48 < krzie> you will regain ping to 10.8.0.1 / .40
12:48 < nickels> okay
12:49 < krzie> then add that route to a machine on the LAN, and try to ping it from the vpn
12:49 < nickels> true i am
12:49 < nickels> did i want to add that route to tun0?
12:49 < krzie> no no no
12:49 < krzie> a different computer
12:49 < MadTBone> krzie: ahh.... net_gateway!  exactly what I'm looking for
12:49 < nickels> what do you mean?
12:50 < krzie> nickels, you know how right now you want to ping other machines on the LAN, but can not...?
12:50 < nickels> why a different computer...doesn't the route need set on the server itself?
12:50 < krzie> MadTBone, =]
12:50 < nickels> yes
12:50 < nickels> so i need to add the route to each client?
12:50 < krzie> nickels, that is because the other computer has no route to respond to the vpn at, so it goes out to the internet
12:50 < nickels> the client?
12:50 < krzie> nickels, not each client, each LAN machine that should communicate over the vpn (or their default gateway)
12:51 < krzie> i explain this great in 2 places
12:51 < krzie> you need to read my writings
12:51 < nickels> dude i got one machine
12:51 < nickels> i dont get what your saying
12:51 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
12:51 < nickels> one client...one sserver
12:51 < nickels> two nics on the server
12:51 < nickels> eth0- pub eth1 lan
12:51 < krzie> nickels, there are no more machines in the LAN?
12:51 < nickels> thats it
12:51 < nickels> oh the 202?
12:51 < nickels> yea we need to reach the 202
12:51 < krzie> those machines in the lan dont know about the VPN
12:51 < krzie> they need to!@
12:51 < nickels> oh
12:51 < nickels> i see
12:52 < nickels> gotcha
12:52 < krzie> !route_outside_ovpn
12:52 <+vpnHelper> krzie: "route_outside_ovpn" is "route_outside_openvpn" is (#1) http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) you do not need this if the vpn node IS the gateway for its lan
12:52 < nickels> so 
12:52 < nickels> route del -net 10.8.0.0/24 gw 192.168.237.40
12:52 < nickels> but on that machine
12:52 < nickels> oops add
12:52 < krzie> on the machine in the lan (not running the vpn process) which you want to ping
12:53 < krzie> alternatively it can be on your router for the LAN
12:53 < krzie> if a linksys/netgear that would be called a static route
12:53 < krzie> well ok thats what its called either way ;]
12:54 -!- MadTBone [~MadTBone@gw.msmnyc.edu] has quit [Read error: Operation timed out]
12:54 -!- MadTBone [~MadTBone@160.39.238.196] has joined ##openvpn
12:55 < snwbrdr> Hi  I have a special group in my LDAP which contains a list of users  who allowed to connect to my VPN server, I use <group> tag in my <authorization> script to filter logging users but unfortunately it doesn't work...
12:55 < MadTBone> krzee: perfect!  thanks
12:55 < nickels> okay i added that route to the .202
12:55 < nickels> still not getting anything
12:56 < krzie> !factoids search ldap
12:56 <+vpnHelper> krzie: "ldap_iptables" is see http://planetjoel.com/viewarticle/638/OpenVPN%3A+Dynamically+create+IPtables+rules+based+on+LDAP+group+membership for a cool script for setting iptables rules based on LDAP membership (currently only handles TCP rules, but an easy fix to support UDP)
12:56 < snwbrdr> http://pastie.org/1136427
12:56 < krzie> snwbrdr, maybe reading that script can help, if not maybe checking out euphoria would help
12:56 < krzie> i cant help much more than that
12:57 < krzie> however maybe dazo would know =]
12:57 < krzie> MadTBone, could you post about that in bragging rights section of the forum?
12:58 < krzie> how you did redirect-gateway but not for certain subnets
12:58 < nickels> i can ping 10.0.8.1 from the.202
12:58 < nickels> oops i mean 10.8.0.1
12:58 < krzie> i bet people would gain from it =]
12:58 < nickels> but cannot ping .40 from there
12:58 < krzie> huh?
12:58 < nickels> nor can i ping the client at 10.8.0.6
12:59 < krzie> the 202 is in the same subnet as .40?  as in 192.168.whatever
12:59 < nickels> nbvm i take that back
12:59 < nickels> i can ping 40 from 202
12:59 < nickels> had to repair the connection
12:59 < nickels> but still cannot ping 202 from the client
12:59 < MadTBone> krzie: sure.
13:00 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Ping timeout: 255 seconds]
13:01 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
13:02 < dazo> snwbrdr: are you issues LDAP filtering?
13:05 < krzie> snwbrdr, talk in the channel, not msg
13:05  * dazo is not familiar with LDAP ... but are working on the eurephia project, which does access control
13:05 < krzie> especially because i dont know about LDAP stuffs, nor have i ever coded an auth script for ovpn
13:06 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
13:06 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
13:07 < dazo> krzie: https://community.openvpn.net/openvpn/wiki/RelatedProjects  ... here you can find even more resources for people, not sure how to tag it in vpnHelper ... but I'm sure that can be valuable there
13:07 <+vpnHelper> Title: RelatedProjects – OpenVPN Community (at community.openvpn.net)
13:09 < MadTBone> krzie: done... waiting for moderator approval.
13:09 < nickels> dang
13:09 < snwbrdr> dazo: I use a RequireGroup command, but dont know what to write in <group> tag
13:10 < dazo> snwbrdr: which plugin/script, how? where?  
13:13 -!- mode/##openvpn [-o Bushmills] by Bushmills
13:14 < krzie> !learn otherprojects as https://community.openvpn.net/openvpn/wiki/RelatedProjects for links to other projects
13:14 <+vpnHelper> krzie: Joo got it.
13:14 < krzie> good call dazo 
13:14 < krzie> mod approval, cool lemme go do that =]
13:15 < snwbrdr> I use openvpn-ldap-auth thats my config http://pastie.org/1136486, if I put RequireGroup to false everything works perfectly otherwise it doesnt work
13:16 < dazo> snwbrdr: ahh ... I don't know that module at all, but I believe chantra is the developer behind it ... you can try to ping him ... he usually is here, but he is definitely on #openvpn-devel now (_afk unfortunately)
13:17 < nickels> krzie so i am stuck at my client is able to ping .40, but not 202 after adding that route to the other lan machine .202
13:17 < dazo> snwbrdr: just a silly question ... you are sure RequireGroup is boolean?  or that it is True and not true?
13:18 < nickels> my routes look like this on the server: http://pastie.org/1136491
13:18 < krzie> nickels, what is the entire ip of .202?
13:18 < nickels> 192.168.237.202
13:18 < nickels> can ping 237.40 all day long from the client machine 
13:18 < krzie> pastebin the routing table on .202
13:19 < nickels> from the other lan at 202, i can ping the 10.8.0.
13:19 < nickels> k sec
13:19 < nickels> i gotta go down there
13:19 < nickels> i dont know that machine has irc
13:19 < nickels> brb
13:22 -!- barfster [~barf@193.69.144.162] has joined ##openvpn
13:22 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Remote host closed the connection]
13:23 < nickels> http://pastie.org/1136500
13:23 < nickels> thats .202
13:23 < krzie> [14:19]  <nickels> from the other lan at 202, i can ping the 10.8.0.
13:24 < krzie> so 202 can ping 10.8.0.6?
13:24 < nickels> nope
13:24 < krzie> but not the other way around...?
13:24 < nickels> can ping 10.8.0.1
13:24 < nickels> but not .6
13:24 < krzie> and 6 to it?
13:24 -!- barfster [~barf@193.69.144.162] has quit [Client Quit]
13:24 < krzie> what OS is .6 and .202?
13:25 < nickels> win7 .6
13:25 < nickels> 202 xop
13:25 < nickels> xp
13:25 < krzie> try disabling their firewalls, jut for testing
13:25 <+vpnHelper> RSS Update - forum: Server Administration :: [Advanced Problem] Help bypassing very restrictive network :: Author nothsa <https://forums.openvpn.net/viewtopic.php?f=4&t=7064&p=7722#p7722> || Configuration :: Re: Routing / IP-Tables problem :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7031&p=7724#p7724> || Braggin' Rights :: Excluding an IP range from redirect gateway :: Author MadTBone <https://forums.openvpn.ne
13:25 < krzie> just*
13:25 < nickels> okay
13:26 < nickels> both already off
13:28 < nickels> although its saying 202's gateway is .2
13:28 < nickels> which is the linksys wifi router
13:28 < nickels> so maybe i need to forward something?
13:28 -!- JPeterso2 [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
13:28 < krzie> add the route to the vpn to the linksys router
13:29 < krzie> and remove it from .202
13:30 < nickels> so 10.8.0.1 destination lan IP?
13:30 < nickels> or .1 gateway
13:30 < krzie> umm no
13:30 < krzie> .40
13:30 < nickels> oh yea
13:30 < nickels> duhn
13:30 < krzie> 10.8.0.0 255.255.255.0 is destionation network, gateway is .40
13:31 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Ping timeout: 260 seconds]
13:33 < nickels> okay done...still no change
13:33 < nickels> repaired the connection to reset the route on xp machine
13:34 < nickels> double checked route doesnt exist on 202 anymore
13:35 -!- jake__ [~chatzilla@173-161-69-124-Illinois.hfc.comcastbusiness.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.8/20100722155716]]
13:35 < krzie> !linnat
13:35 <+vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
13:35 <+vpnHelper> RSS Update - forum: Server Administration :: Re: [Advanced Problem] Help bypassing very restrictive netwo :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7064&p=7725#p7725>
13:37 < nickels> so do iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
13:37 < nickels> ?
13:37 < nickels> err well eth1
13:37 < nickels> i suppose
13:38 < krzie> no no
13:38 < krzie> that was for a forum post
13:38 < krzie> sorry
13:39 < nickels> oh okay
13:39 < nickels> so i took out that route on 202 and input it on the router
13:39 < krzie> although that could actually work, lol
13:40 < nickels> im confused
13:40 < krzie> its the nathack to this type of setup haha
13:40 < krzie> but its not the 'right way'
13:41 < krzie> 237.2?
13:41 <+vpnHelper> RSS Update - forum: Server Administration :: Re: Internet routing :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7054&p=7726#p7726>
13:41 < krzie> err
13:41 < krzie> can .6 ping 237.2?
13:41 < nickels> no
13:41 < nickels> cannot
13:42 < krzie> !winnat
13:42 <+vpnHelper> krzie: "winnat" is (#1) http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows, or (#2) http://www.nanodocumet.com/?p=14 for windows XP
13:43 < nickels> is that for me or waht?
13:43 < jpalmer> !rip
13:43 <+vpnHelper> jpalmer: "rip" is http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting for a writeup on using RIP in openvpn
13:43 < krzie> nope
13:43 < nickels> ok
13:43 < krzie> im not sure bout yours
13:43 < krzie> it should be working
13:43 < krzie> if you did those things right
13:44 < nickels> i did just what you said
13:44 < nickels> input 10.8.0.0/24 192.168.40 on the route
13:44 < nickels> took out the one on the 202
13:44 < krzie> whatever gateway goes to your internet needs to have a route to 10.8.0.x via 192.168.237.40
13:44 < krzie> and firewalls should be disabled for testing
13:44 < krzie> at that point, your setup should be working
13:46 < nickels> i think 168.103.65.94 is the gateway to the dmz on eth0
13:46 < krzie> assuming that gateway and all target machines of the LAN are in 192.168.237.x
13:46 < krzie> if that is the case, you need to also push a route in the vpn config to that ip
13:46 < nickels> ah k
13:47 < krzie> unless that is the ip that clients connect to
13:47 < krzie> if you could draw a diagram of your network it would make things easier maybe
13:47 < krzie> gliffy.com is good for a quick one
13:47 < krzie> (or any software you already use for that)
13:48 < nickels> okay
13:48 < nickels> push "route 168.103.65.94 255.255.255.0"
13:48 < nickels> or push "route 168.103.65.94 255.255.255.248
13:50 < krzie> how many IPs do you want to reach?
13:50 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined ##openvpn
13:50 < krzie> if ONLY .94 you can use 255.255.255.255
13:52 < jpalmer> krzie: I spent a few hours in my lab last night.  I have steps one and two (of that implementation doc) completed.
13:52 < nickels> yea that didnt help
13:52 < nickels> i'll have to messa round with it i guess
13:53 -!- JPeterso2 [HydraIRC@c213-100-62-9.swipnet.se] has quit [Ping timeout: 260 seconds]
13:54 < nickels> would 
13:54 < nickels> route add -net 192.168.237.40 netmask 255.255.255.255 gw 192.168.237.2
13:54 < nickels> help?
13:54 < nickels> on the .40
13:54 < nickels> machine
13:55 < nickels> guess not hehe
13:57 < krzie> jpalmer, nice =]
14:01 -!- dazo is now known as dazo_afk
14:07 -!- snwbrdr [~xxx@85-142-54-74.well-com.net] has quit [Ping timeout: 265 seconds]
14:16 <+vpnHelper> RSS Update - forum: Configuration :: Re: Solution Please!!! :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7056&p=7728#p7728> || Wishlist :: Re: Define one or more networks on one OpenVPN instance :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=10&t=7057&p=7729#p7729>
14:19 < nickels> yo rkzie
14:19 < nickels> http://www.gliffy.com/publish/2226045/
14:19 <+vpnHelper> Title: Gliffy Public Diagram - precis (at www.gliffy.com)
14:19 < nickels> oh wait
14:19 < nickels> i forgot a computer
14:20 < krzie> omg confusion
14:21 < nickels> try now
14:21 < nickels> http://www.gliffy.com/publish/2226045/
14:21 <+vpnHelper> Title: Gliffy Public Diagram - precis (at www.gliffy.com)
14:22 < nickels> does not make sense?
14:23 < krzie> i get it
14:23 < krzie> need the route on both gw
14:24 < nickels> i have the 10.8.0.0 gw 192.68.237.40
14:24 < nickels> on the linksys
14:24 < nickels> so i need to add the same to the cisco?
14:24 < krzie> other too
14:25 < krzie> yes
14:25 < krzie> and vpn client needs a route to the cisco
14:26 < nickels> so on client add 168.103.65.95 255.255.255.255 gw 168.103.65.94
14:26 < nickels> correct?
14:26 < krzie> no
14:26 < krzie> just route 168.103.65.95 255.255.255.255
14:27 < nickels> its saying my mask is invalid
14:27 < krzie> err i meant
14:28 -!- snwbrdr [~xxx@85-142-54-74.well-com.net] has joined ##openvpn
14:28 < krzie> well first i was talking about your config
14:28 < krzie> but still, not sure if we should even be doing this
14:28 < krzie> arent these networks seperated for a reason?
14:31 < nickels> i didn't set it up, kinda walked into it
14:31 < nickels> i have to run to the dmv
14:31 < nickels> i;ll be back
14:33 -!- RedT0mt0m [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has quit [Read error: Connection reset by peer]
14:39 -!- RedT0mt0m [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has joined ##openvpn
14:42 -!- seaoflove [starfish@modemcable055.33-81-70.mc.videotron.ca] has joined ##openvpn
14:42 < seaoflove> hello
14:43 < seaoflove> i am trying to connect an openvpn client to a server using a static key. the key imported successfully. when i click on it the client hangs while connecting, it never connects. the log has the message OpenVPNAS 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables.... then it disconnects
14:44 < seaoflove> i am using windows xp
14:44 < seaoflove> what is script-security 2
14:44 < krzie> says OpenVPNAS?
14:45 < seaoflove> that is the error message
14:45 < seaoflove> yes
14:46 < seaoflove> i put the key in OpenVPN Client\etc\profile
14:46 < seaoflove> is the the correct location or once imported is it not relevent
14:46 < krzie> sounds like you're using AS
14:47 < krzie> did you download "OpenVPN client" from the front page at www.openvpn.net?
14:47 < seaoflove> yes i believe so
14:47 < krzie> thinking that it would work with your open source server...?
14:47 < seaoflove> yes
14:47 < krzie> nope
14:47 < krzie> !download
14:47 <+vpnHelper> krzie: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
14:47 < krzie> the client and server for the open source version are one in the same
14:47 < seaoflove> thank you very much!
14:47 < krzie> np
14:48 < krzie> common issue lately, page will be changed soon
14:54 < kisom> DRUNIK
14:54 < kisom> drunk as an animal
14:55 < kisom> im in an unknown town
14:55 < kisom> drunk
14:55 < kisom> shiit im onna die
14:56 < seaoflove> it appears to connect and in ipconfig the target server is listed
14:56 < seaoflove> but i do not see anything in explorer
14:57 < seaoflove> shoudl i not have a node locally
15:01 -!- mode/##openvpn [+o Bushmills] by ChanServ
15:02 -!- mode/##openvpn [-o Bushmills] by Bushmills
15:02 -!- mode/##openvpn [+o Bushmills] by ChanServ
15:02 -!- mode/##openvpn [-o reiffert_] by Bushmills
15:02 -!- mode/##openvpn [-o Bushmills] by Bushmills
15:04 -!- seaoflove [starfish@modemcable055.33-81-70.mc.videotron.ca] has quit [Ping timeout: 260 seconds]
15:14 -!- nutz [~nutz@178.63.10.188] has joined ##openvpn
15:14 < nutz> hi alll
15:15 -!- Ghent [~ghent@unaffiliated/ghent] has left ##openvpn []
15:16 < nutz> so I created a tun0 device and successfully connected with a client to my server. my tun0 has 10.10.0.0/24, my regular "br0" (which uses eth0) is 10.0.0.0/10.  how can i access e.g. 10.0.0.243 from 10.10.0.12? i tried to google a bit but i found solutions that seem to use iptables and others that use ip from iproute2. is there an easy way
15:18 -!- MadTBone [~MadTBone@160.39.238.196] has joined ##openvpn
15:18 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
15:20 -!- nickelnick [~nickelnic@63-253-113-218.ip.mcleodusa.net] has joined ##openvpn
15:20 < nickelnick> okay im back...having some lunch at panera still trying to figure out this routing prob while in line at the dmv 50 numbers away
15:21 < nickelnick> what a day...
15:26 -!- jaminja_ [~jaminja@74.81.170.4] has joined ##openvpn
15:27 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Ping timeout: 258 seconds]
15:28 -!- nickelnick_ [~nickelnic@108.105.97.133] has joined ##openvpn
15:30 -!- nickelnick [~nickelnic@63-253-113-218.ip.mcleodusa.net] has quit [Ping timeout: 265 seconds]
15:31 -!- manevra [manevra@89.238.173.234] has joined ##openvpn
15:36 -!- nickelnick_ [~nickelnic@108.105.97.133] has left ##openvpn []
15:45 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Remote host closed the connection]
15:46 -!- barfster [~barf@ip-205-12-149-91.dialup.ice.no] has joined ##openvpn
15:49 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Read error: Connection reset by peer]
15:52 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Quit: Leaving.]
15:58 -!- jaminja_ is now known as jaminja
15:58 -!- jaminja [~jaminja@74.81.170.4] has quit [Changing host]
15:58 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
16:00 < krzie> kisom, whatever you do, do not su to root
16:01 -!- RAWRwins254 [~DHT..wut@c-66-41-3-29.hsd1.mn.comcast.net] has quit [Ping timeout: 265 seconds]
16:01 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
16:04 -!- RAWRwins254 [~DHT..wut@c-66-41-3-29.hsd1.mn.comcast.net] has joined ##openvpn
16:05 < |Mike|> krzie: lal :P
16:07 -!- manevra [manevra@89.238.173.234] has quit [Quit: Leaving]
16:25 -!- nutz [~nutz@178.63.10.188] has left ##openvpn ["WeeChat 0.3.2"]
16:39 -!- snwbrdr [~xxx@85-142-54-74.well-com.net] has left ##openvpn []
16:40 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has quit [Quit: leaving]
16:46 -!- krzie [~k@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
16:47 -!- gorkhaan [~gorkhaan@adsl-101-70.globonet.hu] has quit [Ping timeout: 276 seconds]
16:49 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
16:51 -!- gorkhaan [~gorkhaan@adsl-101-70.globonet.hu] has joined ##openvpn
16:56 -!- krzie [~k@unaffiliated/krzee] has joined ##openvpn
16:57 < nickels> okay back krzie
16:57 < nickels> stupid dmv.....ugh that was a long couple hours
17:05 -!- barfster [~barf@ip-205-12-149-91.dialup.ice.no] has quit [Ping timeout: 240 seconds]
17:11 < nickels> route add -net 192.168.237.40 netmask 255.255.255.255 gw 10.8.0.2
17:11 < nickels> route
17:11 < nickels> like that?
17:11 < nickels> yiou think?
17:12 -!- gorkhaan [~gorkhaan@adsl-101-70.globonet.hu] has quit [Quit: Távozom]
17:32 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 265 seconds]
17:43 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
17:49 < krzie> no
17:49 < krzie> i gave you the line to put in your config file
17:50 < krzie> in the client config
17:50 < krzie> or in the server config as push "route 168.103.65.94 255.255.255.255"
17:50 < krzie> but dude, is this a work network or your house?
17:51 < nickels> oh 
17:51 < nickels> work network
17:51 < nickels> at home
17:51 < nickels> lol
17:52 < |Mike|> network at home.
17:52 -!- oracle [~oracle@unaffiliated/spice] has joined ##openvpn
17:54 < oracle> so i setup my vpn tunnel 
17:54 < oracle> manually.
17:54 < oracle> then i reboot.
17:54 < oracle> ubuntu has the vpn tunnel running again, somehow
17:55 < nickels> check your rc.d mebe
17:55 < |Mike|> i aim for rc.* stuff
17:56  * nickels agrees
17:56 < oracle> i ranmy own config files
17:56 < oracle> didnt mess with any daemonization
17:56 < oracle> it just resumed the connection.
17:56 < oracle> i dont really mind that just curious how it happened
17:57 < oracle> !linroute
17:57 <+vpnHelper> oracle: Error: "linroute" is not a valid command.
17:57 < |Mike|> ..
17:57 < oracle> !routing
17:57 <+vpnHelper> oracle: Error: "routing" is not a valid command.
17:57 < oracle> !linrouting
17:57 <+vpnHelper> oracle: Error: "linrouting" is not a valid command.
17:57 < |Mike|> if you enter apt-get install openvpn and configure it, it will start automatic at a reboot
17:58 < |Mike|> !linrout
17:58 < oracle> i didnt configure anything
17:58 <+vpnHelper> |Mike|: Error: "linrout" is not a valid command.
17:58 < |Mike|> !linroute
17:58 <+vpnHelper> |Mike|: Error: "linroute" is not a valid command.
17:58 < |Mike|> !route?
17:58 <+vpnHelper> |Mike|: Error: "route?" is not a valid command.
17:58 < |Mike|> !route
17:58 <+vpnHelper> |Mike|: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:58 < |Mike|> !linnat
17:58 <+vpnHelper> |Mike|: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
17:58 < oracle> og yeah, nat
17:58 < nickels> crap i messed something up
17:59 < |Mike|> shitm crap, nat?!
17:59 < nickels> now when i ping .202 i get reply from 168.103.65.91 (eth0) destination host unreachable
17:59 < |Mike|> lol
17:59 < |Mike|> arp!
18:00 -!- oracle [~oracle@unaffiliated/spice] has quit [Quit: leaving]
18:01 < nickels> restarted the network itworks again
18:05 < nickels> but now i cant ping 10.8.0.1 from client...fuuuk
18:05  * Dougy headdesks
18:05 < Dougy> trixbox is trippin me up
18:05 < nickels> tun0 is down shit
18:07 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:07 < |Mike|> nickels: amature :P
18:08 < nickels> wayyyy
18:08 < nickels> lol
18:09 < nickels> okay im back to where i was
18:09 < nickels> can ping the 237.40 but not the 237.202 from the vpn tunnel
18:09 < nickels> i don't get it
18:21 -!- Trollfjoll [~Martin@c-7d55e253.4616439--62697410.cust.bredbandsbolaget.se] has joined ##openvpn
18:21 -!- nickels [~nickels@168.103.65.91] has quit [Quit: Leaving]
18:22 -!- takamichi [~pri@pm303-98-27.keyworld.net] has quit [Ping timeout: 276 seconds]
18:22 -!- takamichi [~pri@pm303-98-27.keyworld.net] has joined ##openvpn
18:26 -!- Trollfjoll [~Martin@c-7d55e253.4616439--62697410.cust.bredbandsbolaget.se] has quit [Quit: Obducted by FRAliens]
18:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
18:30 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Quit: Leaving.]
18:34 < Bushmills> why should you be able to ping 202?
18:39 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
18:40 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
19:21 -!- crazygir [~jason@unaffiliated/crazygir] has joined ##openvpn
19:22 < crazygir> hiya, I've been getting a lot of [vpn] Inactivity timeout (--ping-restart), restarting
19:22 < crazygir> while connected to a system via rdp over my vpn connection
19:22 < crazygir> this has been persistent for the last few hours, it'll cut out the rdp connection after about 30 seconds
19:32 < Cisien> bad internet connection?
19:54 < crazygir> nope, rdp works flawlessly for other sessions not over the vpn
19:58 < crazygir> I've got a good pipe here on both ends
20:09 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
20:16 -!- sedstapler [~sed@2001:41d0:2:46c1::1] has joined ##openvpn
20:18 < sedstapler> Is it possible to have a "peer to peer" OpenVPN? Let's say I have N clients and 1 server but would like the clients that are close to each other to communicate directly.
20:18 < sedstapler> How would one solve this?
20:32 -!- WinstonSmith [~true@f052099243.adsl.alicedsl.de] has joined ##openvpn
21:21 < crazygir> !welcome
21:21 <+vpnHelper> crazygir: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:32 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- s0 d4Mn l33t |t'z 5c4rY!]
22:01 < crazygir> what is the benefit to running in UDP move over TCP?
22:01 < crazygir> or vice versa?
22:04 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Ping timeout: 276 seconds]
22:20 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
23:17 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Ping timeout: 252 seconds]
23:23 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
--- Log closed Fri Sep 03 23:26:28 2010
--- Log opened Fri Sep 03 23:26:32 2010
23:26 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
23:26 -!- Irssi: ##openvpn: Total of 108 nicks [1 ops, 0 halfops, 0 voices, 107 normal]
23:27 -!- Irssi: Join to ##openvpn was synced in 34 secs
23:28 -!- oracle [~oracle@unaffiliated/spice] has joined ##openvpn
23:28 < oracle> !linat
23:29 < vpnHelper> oracle: Error: "linat" is not a valid command.
23:29 < oracle> !linnat
23:29 < vpnHelper> oracle: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
--- Log closed Fri Sep 03 23:35:22 2010
--- Log opened Sat Sep 04 00:08:42 2010
00:08 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
00:08 -!- Irssi: ##openvpn: Total of 109 nicks [1 ops, 0 halfops, 0 voices, 108 normal]
00:09 -!- Irssi: Join to ##openvpn was synced in 64 secs
--- Log closed Sat Sep 04 00:14:41 2010
--- Log opened Sat Sep 04 00:20:15 2010
00:20 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
00:20 -!- Irssi: ##openvpn: Total of 109 nicks [1 ops, 0 halfops, 0 voices, 108 normal]
00:20 -!- Irssi: Join to ##openvpn was synced in 33 secs
01:12 -!- Kurogane [~kuro@190.87.69.217] has joined ##openvpn
01:20 < oracle> i dont seem to get any route setup
01:20 < oracle> doing route doesnt show me a gateway by the name i need
01:21 < oracle> is there a command that will do something like `route add default gw 10.4.0.1` ? ?
02:00 -!- tjz [~pc@unaffiliated/tjz] has quit [Read error: Connection reset by peer]
02:00 -!- tjz_ [~pc@bb219-74-47-138.singnet.com.sg] has joined ##openvpn
02:05 -!- tjz_ [~pc@bb219-74-47-138.singnet.com.sg] has quit [Client Quit]
02:21 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
02:26 < oracle> wow. works
02:26 < oracle> finally. vpn works as it should
02:37 < oracle> all it took was ditching freebsd in favor of the simpler ubuntu
02:37 < oracle> iptables worked. life is good
02:40 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined ##openvpn
02:40 < bashusr> hi, can i do "redirect-gateway def1" with TAP
02:40 < bashusr> ?
02:41 < bashusr> or is that a TUN specific command?
02:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:49 -!- jaminja_ [~jaminja@74.81.170.4] has joined ##openvpn
02:49 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Read error: Connection reset by peer]
03:19 -!- barfster [~barf@ip-243-14-149-91.dialup.ice.no] has joined ##openvpn
03:27 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
03:27 -!- reiffert_ is now known as reiffert
03:28 < reiffert> bashusr: yes you can do.
03:30 < krzie> reiffert!!!
03:30 < krzie> moin
03:33 < krzie> sedstapler, not an option with openvpn
03:34 < krzie> crazygir, 
03:34 < krzie> !tcp
03:34 < vpnHelper> krzie: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
03:34 < krzie> oracle, that just means you couldnt figure out pf
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:45 -!- bandini [~bandini@94.198.77.237] has joined ##openvpn
03:57 < sedstapler> Thank you krzie. I wonder how I could approach that.
03:58 < sedstapler> I'll probably just setup 2 OpenVPN servers, one at each location
04:02 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 272 seconds]
04:03 < reiffert> moin krzie!
04:04 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
04:07 -!- Diffen2 [~diffen2@81-234-228-6-no32.tbcn.telia.com] has joined ##openvpn
04:10 -!- gorkhaan [~gorkhaan@adsl-101-61.globonet.hu] has joined ##openvpn
04:11 < gorkhaan> Hi, does anyone using munin to generate some graph about vpn clients?  default munin's openvpn plugin doesnt wanna show my clients, the graph is okay.
04:13 < gorkhaan> " status-version 1"  option was placed to my vpnserver config.
04:13 -!- barfster [~barf@ip-243-14-149-91.dialup.ice.no] has quit [Quit: Computer has gone to sleep]
04:14 -!- chantra_afk [~chantra@unaffiliated/chantra] has joined ##openvpn
04:19 < gorkhaan> Anyone? :)
04:23 < gorkhaan> hm its workin'
04:31 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:41 -!- barfster [~barf@ip-243-14-149-91.dialup.ice.no] has joined ##openvpn
04:42 -!- plundra [404@article.se] has quit [Ping timeout: 240 seconds]
04:44 -!- barfster [~barf@ip-243-14-149-91.dialup.ice.no] has quit [Client Quit]
04:47 -!- plundra [404@article.se] has joined ##openvpn
04:50 -!- Diffen2 [~diffen2@81-234-228-6-no32.tbcn.telia.com] has quit [Quit: This computer has gone to sleep]
04:56 -!- barfster [~barf@ip-243-14-149-91.dialup.ice.no] has joined ##openvpn
05:00 -!- dfas [~whatup@c213-89-100-61.bredband.comhem.se] has joined ##openvpn
05:01 < dfas> a general question, does anyone know of any company that sells "openvpn on demand"? Ie OpenVPN as an enterprise service, with api etc for creating/removing accounts etc..
05:09 -!- barfster [~barf@ip-243-14-149-91.dialup.ice.no] has quit [Quit: Computer has gone to sleep]
05:09 -!- barfster [~barf@ip-243-14-149-91.dialup.ice.no] has joined ##openvpn
05:09 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
05:09 -!- barfster [~barf@ip-243-14-149-91.dialup.ice.no] has quit [Client Quit]
05:51 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
05:52 -!- jaminja_ [~jaminja@74.81.170.4] has quit [Ping timeout: 240 seconds]
05:54 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 272 seconds]
06:04 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
06:10 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
06:12 -!- dfas` [~whatup@c213-89-100-61.bredband.comhem.se] has joined ##openvpn
06:13 -!- dfas [~whatup@c213-89-100-61.bredband.comhem.se] has quit [Ping timeout: 260 seconds]
06:13 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
06:16 -!- jaminja_ [~jaminja@74.81.170.4] has joined ##openvpn
06:16 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Ping timeout: 252 seconds]
06:39 -!- havoc [~havoc@neptune.chaillet.net] has quit [Ping timeout: 276 seconds]
06:40 -!- havoc [~havoc@neptune.chaillet.net] has joined ##openvpn
06:43 -!- WinstonSmith [~true@f052099243.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
06:47 -!- vatts [bouncer@unaffiliated/vatts] has left ##openvpn ["WIrc 0.8 RC1 [[Kill ordinary clients!]] - CHpart"]
07:12 -!- jaminja_ [~jaminja@74.81.170.4] has quit [Ping timeout: 258 seconds]
07:24 < Bushmills> well, i know of companies who rent out dedicated servers
07:27 < Bushmills> gorkhaan: i monitor the number of connected openvpn clients with munin 
07:29 < Bushmills> here is a simpler implementation of a plugin, doing the same as the one coming with munin:  http://scarydevilmonastery.net/munin-plugins/local/openvpnconnections
07:47 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
07:50 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
08:01 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
08:13 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
08:32 -!- cast [~cast@fsf/member/cast] has joined ##openvpn
08:40 -!- cast [~cast@fsf/member/cast] has quit [Ping timeout: 240 seconds]
08:41 -!- cast [~cast@fsf/member/cast] has joined ##openvpn
08:42 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
09:00 -!- JPeterso2 [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
09:02 -!- barfster [~barf@ip-243-14-149-91.dialup.ice.no] has joined ##openvpn
09:02 -!- barfster [~barf@ip-243-14-149-91.dialup.ice.no] has quit [Read error: Connection reset by peer]
09:02 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Ping timeout: 276 seconds]
09:02 -!- JPeterso2 is now known as JPeterson
09:07 -!- barfster [~barf@ip-243-14-149-91.dialup.ice.no] has joined ##openvpn
09:07 -!- WinstonSmith [~true@f052099243.adsl.alicedsl.de] has joined ##openvpn
09:08 -!- WinstonSmith_ [~true@f052099243.adsl.alicedsl.de] has joined ##openvpn
09:10 -!- barfster [~barf@ip-243-14-149-91.dialup.ice.no] has quit [Client Quit]
09:11 -!- dfas` [~whatup@c213-89-100-61.bredband.comhem.se] has quit []
09:14 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Ping timeout: 276 seconds]
09:14 -!- WinstonSmith [~true@f052099243.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
09:14 -!- WinstonSmith_ [~true@f052099243.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
09:15 -!- WinstonSmith [~true@f052099243.adsl.alicedsl.de] has joined ##openvpn
09:17 -!- WinstonSmith [~true@f052099243.adsl.alicedsl.de] has quit [Client Quit]
09:19 -!- WinstonSmith [~true@f052099243.adsl.alicedsl.de] has joined ##openvpn
09:23 -!- WinstonSmith [~true@f052099243.adsl.alicedsl.de] has quit [Client Quit]
09:23 -!- WinstonSmith [~true@f052099243.adsl.alicedsl.de] has joined ##openvpn
09:43 -!- WinstonSmith [~true@f052099243.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
09:51 -!- WinstonSmith [~true@f052099243.adsl.alicedsl.de] has joined ##openvpn
09:53 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
09:56 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
10:31 -!- WinstonSmith [~true@f052099243.adsl.alicedsl.de] has quit [Ping timeout: 265 seconds]
10:38 -!- WinstonSmith [~true@f052099243.adsl.alicedsl.de] has joined ##openvpn
11:06 -!- jaminja_ [~jaminja@74.81.170.4] has joined ##openvpn
11:07 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Ping timeout: 245 seconds]
11:08 -!- cast [~cast@fsf/member/cast] has quit [Quit: Reconnecting]
11:08 -!- cast [~cast@fsf/member/cast] has joined ##openvpn
11:10 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
11:14 -!- cast [~cast@fsf/member/cast] has left ##openvpn []
11:24 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
11:42 -!- barfster [~barf@ip-243-14-149-91.dialup.ice.no] has joined ##openvpn
12:06 -!- jaminja_ [~jaminja@74.81.170.4] has quit [Ping timeout: 276 seconds]
12:12 -!- bandini [~bandini@94.198.77.237] has quit [Remote host closed the connection]
12:14 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
12:19 -!- barfster [~barf@ip-243-14-149-91.dialup.ice.no] has quit [Quit: Computer has gone to sleep]
12:27 -!- RAWRwins254 [~DHT..wut@c-66-41-3-29.hsd1.mn.comcast.net] has quit [Ping timeout: 252 seconds]
12:32 -!- RAWRwins254 [~DHT..wut@c-66-41-3-29.hsd1.mn.comcast.net] has joined ##openvpn
12:36 < krzie> Bushmills, that would make a good post in the scripts section of the forum if you get  chance
12:36 < krzie> a chance*
12:43 -!- bandini [~bandini@94.198.77.237] has joined ##openvpn
12:45 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
13:07 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
13:18 -!- barfster [~barf@ip-243-14-149-91.dialup.ice.no] has joined ##openvpn
13:20 -!- bandini [~bandini@94.198.77.237] has quit [Remote host closed the connection]
13:23 -!- bandini [~bandini@94.198.77.237] has joined ##openvpn
14:08 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
14:20 -!- manevra [manevra@95.143.192.106] has joined ##openvpn
14:27 -!- manevra [manevra@95.143.192.106] has quit [Ping timeout: 240 seconds]
14:31 -!- krzie [~k@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
14:40 -!- SOG [~SOG@n1164871167.netvigator.com] has joined ##openvpn
14:41 -!- WinstonSmith [~true@f052099243.adsl.alicedsl.de] has quit [Ping timeout: 265 seconds]
14:50 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
15:01 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
15:13 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:33 -!- barfster [~barf@ip-243-14-149-91.dialup.ice.no] has quit [Quit: Computer has gone to sleep]
16:00 -!- bandini [~bandini@94.198.77.237] has quit [Ping timeout: 252 seconds]
16:00 -!- bandini [~bandini@94.198.77.237] has joined ##openvpn
16:08 -!- gorkhaan [~gorkhaan@adsl-101-61.globonet.hu] has quit [Quit: Távozom]
16:27 -!- oracle_ [~oracle@unaffiliated/spice] has joined ##openvpn
16:31 -!- oracle [~oracle@unaffiliated/spice] has quit [Ping timeout: 272 seconds]
16:32 -!- benspaulding [~benspauld@169.69.124.24.cm.sunflower.com] has left ##openvpn []
16:33 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has joined ##openvpn
16:34 -!- RAWRwins254 [~DHT..wut@c-66-41-3-29.hsd1.mn.comcast.net] has quit [Quit: BOOM!]
16:34 -!- bandini [~bandini@94.198.77.237] has quit [Ping timeout: 252 seconds]
16:58 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
17:06 -!- Diffen2 [~diffen2@81-234-228-6-no32.tbcn.telia.com] has joined ##openvpn
17:09 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
17:21 -!- manevra [~manevra@188.27.111.221] has joined ##openvpn
17:32 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 265 seconds]
17:44 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
17:46 < oracle_>  < krzie> oracle, that just means you couldnt figure out pf
17:46 < oracle_> kind of
17:46 < oracle_> it means something else
17:47 < oracle_> actually, pf and iptables are similar 
17:47 < oracle_> im pretty sure i made the right pf rule
17:47 -!- oracle_ [~oracle@unaffiliated/spice] has quit [Quit: leaving]
18:04 -!- manevra [~manevra@188.27.111.221] has quit [Quit: Leaving]
18:13 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
18:16 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
18:17 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
18:35 -!- cast [~cast@fsf/member/cast] has joined ##openvpn
20:58 -!- jaminja_ [~jaminja@74.81.170.4] has joined ##openvpn
20:58 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Ping timeout: 255 seconds]
20:59 -!- jaminja_ is now known as jaminja
20:59 -!- jaminja [~jaminja@74.81.170.4] has quit [Changing host]
20:59 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
21:16 -!- steve3030 [~steve3030@pool-96-248-222-248.nrflva.fios.verizon.net] has joined ##openvpn
21:48 -!- SOG [~SOG@n1164871167.netvigator.com] has quit [Remote host closed the connection]
21:48 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
21:48 -!- SOG [~SOG@61.144.230.241] has quit [Client Quit]
21:49 -!- jaminja_ [~jaminja@74.81.170.5] has joined ##openvpn
21:49 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Disconnected by services]
21:49 -!- jaminja_ is now known as jaminja
21:49 -!- jaminja [~jaminja@74.81.170.5] has quit [Changing host]
21:49 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
21:59 -!- steve3030 [~steve3030@pool-96-248-222-248.nrflva.fios.verizon.net] has quit [Ping timeout: 272 seconds]
22:16 -!- steve3030 [~steve3030@pool-96-248-222-248.nrflva.fios.verizon.net] has joined ##openvpn
22:22 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Ping timeout: 260 seconds]
22:31 -!- gh0zt [~adam@unaffiliated/gh0zt] has joined ##openvpn
22:31 < gh0zt> !welcome
22:31 < vpnHelper> gh0zt: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
22:32 < gh0zt> anyone familiar with bridging on rackspace cloud?
22:34 < gh0zt> !configs
22:34 < vpnHelper> gh0zt: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
22:34 < gh0zt> !sample
22:34 < vpnHelper> gh0zt: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
22:46 -!- jaminja_ [~jaminja@74.81.170.4] has joined ##openvpn
22:46 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Disconnected by services]
22:47 -!- jaminja_ is now known as jaminja
22:47 -!- jaminja [~jaminja@74.81.170.4] has quit [Changing host]
22:47 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
23:18 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 272 seconds]
23:25 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Remote host closed the connection]
23:25 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
23:30 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
23:38 < cast> with a basic config like #1, presumably each client wouldn't be able to access any other network hanging off the server? [in particular i'm thinking about the internet]
23:41 -!- WinstonSmith [~true@f052096117.adsl.alicedsl.de] has joined ##openvpn
23:41 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Quit: "eternal trails in netvoid"]
--- Day changed Sun Sep 05 2010
00:18 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has quit [Read error: Connection reset by peer]
00:26 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
00:31 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
00:35 < gh0zt> you would just have access to the private subnet until you added NAT
00:46 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
00:54 < cast> :)
01:34 -!- LowKey [rhel@unaffiliated/lowkey] has joined ##openvpn
01:38 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
01:56 -!- krzie [~k@unaffiliated/krzee] has joined ##openvpn
02:10 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 246 seconds]
02:10 -!- krzie [~k@unaffiliated/krzee] has left ##openvpn ["Leaving"]
02:21 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:29 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Ping timeout: 272 seconds]
02:31 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
02:34 -!- jellow_ [~jellow@178.63.127.231] has joined ##openvpn
02:37 < jellow_> hello, can anyone recommend any simple logins mechanisms ( think hamachi )
02:38 < jellow_> as i currently have (TLS) certificates but my windows clients are at a lose of what to do.
02:39 < Bushmills> cert signed key.  connecting to openvpn server with those is free of any interaction
02:39 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
02:40 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
02:40 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
02:42 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
02:43 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
02:43 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
02:46 -!- Chosi [osxchosi@choseh.de] has quit [Remote host closed the connection]
02:47 < jellow_> Bushmills: are they not limited to just one user?
02:48 -!- Chosi [osxchosi@choseh.de] has joined ##openvpn
02:48 < Bushmills> no. one could use them on several machines at at the same time, but it is recomended to use one unique key per machine.
02:51 -!- steve3030 [~steve3030@pool-96-248-222-248.nrflva.fios.verizon.net] has quit [Remote host closed the connection]
03:15 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
03:15 -!- mode/##openvpn [+o mattock] by ChanServ
03:16 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
03:34 -!- Kurogane [~kuro@190.87.69.217] has quit [Remote host closed the connection]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:40 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 265 seconds]
03:54 -!- bashusr [~bashusr@unaffiliated/bashusr] has quit [Ping timeout: 265 seconds]
03:55 -!- bashusr [~bashusr@unaffiliated/bashusr] has joined ##openvpn
04:28 -!- Diffen2 [~diffen2@81-234-228-6-no32.tbcn.telia.com] has quit [Quit: This computer has gone to sleep]
05:11 < cast> well, i'm happy. my server/client vpn is working fine, and pkitool removed a ton of complication :)
05:14 -!- barfster [~barf@ip-81-26-149-91.dialup.ice.no] has joined ##openvpn
05:18 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:18 -!- barfster [~barf@ip-81-26-149-91.dialup.ice.no] has quit [Client Quit]
05:35 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
06:11 -!- cast [~cast@fsf/member/cast] has quit [Quit: Reconnecting]
06:12 -!- cast [~cast@fsf/member/cast] has joined ##openvpn
06:38 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
06:39 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
06:39 -!- manevra [~manevra@188.27.108.187] has joined ##openvpn
06:42 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
06:50 -!- oxi [~oxi@unaffiliated/oxi] has joined ##openvpn
06:50 < oxi> hi
06:50 < oxi> can anyone please help me with my openvpn connection?:
06:52 -!- cast_ [~cast@fsf/member/cast] has joined ##openvpn
06:52 -!- cast_ [~cast@fsf/member/cast] has left ##openvpn []
06:52 -!- buntfalke_ is now known as buntfalke
06:53 < oxi> http://pastebin.com/uZs4HcQh
06:53 -!- cast [~cast@fsf/member/cast] has quit [Ping timeout: 272 seconds]
06:53 < oxi> I've tried the same config in OS X and in Windows, but I'm having trouble to get it to work in Ubuntu
06:54 < oxi> I have trouble to get the outbound traffic to work
06:56 < Bushmills> what does "getting outbouind traffic to work" mean?
06:56 < oxi> http://pastebin.com/xg3eUgjn
06:56 < Bushmills> !redirect
06:56 < oxi> Bushmills: ping google.com or wget checkip.dyndns.org for example
06:56 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
06:57 < oxi> Bushmills: thanks!
07:00 < oxi> Bushmills: hmm, but the exact same scripts work on OS X and Windows
07:01 < Bushmills> why is there a route   10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0  when you also have a route  10.8.0.0        10.8.0.21       255.255.255.0   UG    0      0        0 tun0  ?
07:10 < oxi> Bushmills: good question :-)
07:10 < oxi> I don't know
07:10 < oxi> when I delete it, then it doesn't even resolve anymore:
07:11 < oxi> route del -net 10.0.0.0 netmask 255.0.0.0 dev eth0
07:11 < oxi> root@core ~# wget checkip.dyndns.org -> can't resolve
07:17 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 252 seconds]
07:18 < oxi> Bushmills: http://pastebin.com/gXc89dCX
07:19 < Bushmills> what names server does your client use?   that's in the file  /etc/resolv.conf
07:19 < oxi> Bushmills: very good question
07:19 < oxi> Bushmills: bingo!
07:20 < oxi> Bushmills: 10.0.0.1, which is wrong
07:22 < Bushmills> there's probably no route to 10.0.0.0/24 anymore after 10.0.0.0/8 was deleted
07:25 < oxi> Bushmills: maybe the script http://pastebin.com/bZXKae24 was causing it - not sure - ... however I set it to chmod -x and I updated /etc/resolv.conf to 10.8.0.21. But it's still not working
07:26 < oxi> Bushmills: Is there anything I need to do to "activate" the new /etc/resolv.conf setting? (Or maybe putting 10.8.0.21 there was wrong)
07:26 < Bushmills> nothing needed
07:28 < Bushmills> just watch out for resolvconf which has the habit to overwrite resolv.conf with a name server it finds more suitable. 
07:28 < Bushmills> never mind whether it can be reached or not
07:28 < oxi> okay - thank you very much!
07:44 < oxi> Bushmills: whats the proper way to update resolv.conf manually?
07:45 < Bushmills> manually? by editing it
07:47 < oxi> ah, I thought it should be done using some "resolvconf" command and not by manually editing
07:47 < Bushmills> when you add programs like resolvconf, you will have to bend over and heed their requirements
07:48 < Bushmills> other example of programs potentially modifying resolv.conf are dhcp clients
07:50 -!- oxi_ [~oxi@unaffiliated/oxi] has joined ##openvpn
07:50 -!- oxi [~oxi@unaffiliated/oxi] has quit [Read error: Connection reset by peer]
07:51 -!- oxi [~oxi@unaffiliated/oxi] has joined ##openvpn
07:55 -!- oxi_ [~oxi@unaffiliated/oxi] has quit [Ping timeout: 272 seconds]
07:59 < oxi> Bushmills: I still coun't get it working :-)
07:59 < Bushmills> mtr or traceroute should help
08:07 < oxi> thanks a lot!
08:43 -!- oxi [~oxi@unaffiliated/oxi] has quit [Ping timeout: 272 seconds]
08:44 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Ping timeout: 276 seconds]
08:45 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
08:53 -!- jaminja_ [~jaminja@74.81.170.5] has joined ##openvpn
08:54 < gh0zt> anyone got openvpn running in bridged mode between home and rackspace cloud?  
08:56 -!- oxi [~oxi@adsl-84-227-58-204.adslplus.ch] has joined ##openvpn
08:56 -!- oxi [~oxi@adsl-84-227-58-204.adslplus.ch] has quit [Changing host]
08:56 -!- oxi [~oxi@unaffiliated/oxi] has joined ##openvpn
08:58 -!- seon [~godel@91.9.98-84.rev.gaoland.net] has joined ##openvpn
08:58 < seon> hello
08:58 < gh0zt> hello
08:59 < seon> i have ubuntu lucid and i want to configure openvpn client to manage my tunnel to my company server
08:59 < seon> i have 4 files (hostname.key hostname.crt hostname.csr ca.crt)
08:59 < seon> how can i do it
09:03 < seon> and i have an openvpn client.ovpn
09:03 -!- jaminja_ [~jaminja@74.81.170.5] has quit [Quit: "eternal trails in netvoid"]
09:03 < seon> cause one guy configure it to me on windows
09:03 < seon> but i prefer to use ubuntu
09:04 -!- pa [~pa@unaffiliated/pa] has quit [Remote host closed the connection]
09:06 < hyper_ch> seon: rename the client.ovpn to client.conf
09:06 < hyper_ch> put it plus the keys into /etc/openvpn
09:06 < hyper_ch> run sudo apt-get install openvpn
09:07 < hyper_ch> that could already be all
09:07 < seon> i have ever installed openvpn
09:07 < kisom> sorry for any drunk messages this weekend (if any)
09:08 < seon> ok
09:08 < kisom> turns out i woke up in another part of the country
09:08 < kisom> wild weekend indeed
09:08 -!- pa [~pa@host102-7-dynamic.57-82-r.retail.telecomitalia.it] has joined ##openvpn
09:09 < seon> hyper_ch> and what about the ca.crt
09:09 -!- pa [~pa@host102-7-dynamic.57-82-r.retail.telecomitalia.it] has quit [Changing host]
09:09 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
09:09 -!- pa [~pa@unaffiliated/pa] has quit [Read error: Connection reset by peer]
09:09 < hyper_ch> seon: what about it?
09:09 < Bushmills> yes, alcohol and irc don't blend
09:09 < Bushmills> better try some system administration
09:09 < hyper_ch> alcohol blends with everything
09:10 < seon> hyper_ch> i have from my ms windows configuration the following files : 
09:10 < seon> hyper_ch> hostname.key hostname.crt hostname.csr ca.crt
09:10 < seon> hyper_ch> which are the keys which are not useful
09:10 < hyper_ch> !howto
09:10 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:11 < hyper_ch> check the pki part there for they keys needed on the client
09:14 < seon> why i have a csr files
09:14 < seon> in the how to nothing explained it
09:22 < gh0zt> try this
09:22 < gh0zt> http://library.linode.com/networking/vpn-services/openvpn-ubuntu-10.04-lucid
09:22 < vpnHelper> Title: VPN Services - Secure Communications with OpenVPN on Ubuntu 10.04 (Lucid) - Linode Library (at library.linode.com)
09:22 < gh0zt> i can't get it working but you might
09:22 -!- Kurogane [~kuro@190.87.69.217] has joined ##openvpn
09:25 < gh0zt> oh well, here's goes Day #3 openvpn configuration attempt 5
09:25 < gh0zt> :)
09:26 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:38 < oxi> Bushmills: I can't figure it out :-(
09:38 < oxi> Bushmills: would you mind have a quick look at the box?
09:42 < oxi> can anyone please have a look at a box of mine, why I can't do name resolving?
09:42 < oxi> I'm stuck
09:43 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
09:44 < gh0zt> can you even ping external ip's ?
09:45 < seon> hyper_ch> thanks i am now connect
09:45 < seon> hyper_ch> do you know where i can associate an ip to a hostname
09:46 < oxi> gh0zt: I can ping internal ip's, yes
09:46 < oxi> seon: hosts file
09:46 < gh0zt> external ip's i said
09:47 < gh0zt> using the ip address, not the name
09:47 < oxi> gh0zt: ah, sorry - nope I can't ping external ips
09:47 < oxi> gh0zt: aha - right - I didn't try that
09:48 < gh0zt> i thought so
09:48 < gh0zt> lol
09:48 < oxi> gh0zt: thanks - I didn't think of checking that ... :-)
09:48 < gh0zt> it's easy to get tunnel vision when having problems, forgive the pun
09:49 < oxi> gh0zt: nope, I can't ping an external ip
09:49 < oxi> gh0zt: would you mind logging into the box and debug it?
09:50 < oxi> gh0zt: I'll spend you a beer, if you got a paypal account
09:50 < oxi> I've tried anything I could think of
09:51 < gh0zt> i'm no openvpn expert or i would, i am having major headaches myself
09:51 < oxi> I see
09:51 < oxi> I'm not yet sure if I'm facing openvpn trouble or just linux networking trouble
09:54 < gh0zt> if your tunnel up when you do an ifconfig?
09:54 < gh0zt> is*
09:54 < gh0zt> i've had a problem where my tunnel dies after connecting to it
10:13 < oxi> gh0zt: it is
10:13 < oxi> gh0zt: I can log into the box through ssh
10:13 < oxi> gh0zt: so - the tunnel is up :-)
10:13 < oxi> gh0zt: but I can't wget or ping the outside from it
10:14 -!- oxi_ [~oxi@unaffiliated/oxi] has joined ##openvpn
10:17 -!- oxi__ [~oxi@unaffiliated/oxi] has joined ##openvpn
10:17 < seon> i have connected well in the server using the http , and ping but now i need to connect using the https protocol what do i need to provide to my client?
10:17 -!- oxi [~oxi@unaffiliated/oxi] has quit [Read error: Connection reset by peer]
10:17 -!- oxi__ is now known as oxi
10:20 -!- oxi_ [~oxi@unaffiliated/oxi] has quit [Ping timeout: 240 seconds]
10:22 -!- oxi_ [~oxi@unaffiliated/oxi] has joined ##openvpn
10:24 -!- oxi__ [~oxi@unaffiliated/oxi] has joined ##openvpn
10:24 -!- oxi [~oxi@unaffiliated/oxi] has quit [Read error: Connection reset by peer]
10:24 -!- oxi__ is now known as oxi
10:27 -!- oxi_ [~oxi@unaffiliated/oxi] has quit [Ping timeout: 240 seconds]
10:30 -!- Kurogane [~kuro@190.87.69.217] has quit [Ping timeout: 264 seconds]
10:32 -!- barfster [~barf@193.69.144.162] has joined ##openvpn
10:39 -!- seon [~godel@91.9.98-84.rev.gaoland.net] has left ##openvpn []
10:45 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <-]
11:09 -!- theDoc [~Link@173.236.41.35] has joined ##openvpn
11:09 -!- theDoc [~Link@173.236.41.35] has quit [Changing host]
11:09 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
11:21 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has joined ##openvpn
11:31 -!- Darkclaw66 [~Darkclaw@unaffiliated/darkclaw66] has joined ##openvpn
11:31 -!- Darkclaw66 [~Darkclaw@unaffiliated/darkclaw66] has left ##openvpn []
11:37 -!- Kurogane [~kuro@190.87.69.217] has joined ##openvpn
11:42 < gh0zt> anyone know where the source code is for the openvpn windows client? i can find it for linux but not win
11:44 < hyper_ch> there's a windows client and people actually use windows?
11:45 < gh0zt> well, i couldn't get it working on an ubuntu virtualbox client, tried a win 7 one and it worked first time
11:57 -!- oxi [~oxi@unaffiliated/oxi] has quit [Read error: Connection reset by peer]
11:58 -!- oxi [~oxi@unaffiliated/oxi] has joined ##openvpn
12:17 -!- oxi [~oxi@unaffiliated/oxi] has quit [Read error: Connection reset by peer]
12:18 -!- oxi [~oxi@unaffiliated/oxi] has joined ##openvpn
12:23 -!- krzie [krzee@unaffiliated/krzee] has joined ##openvpn
12:24 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
12:26 -!- gh0zt [~adam@unaffiliated/gh0zt] has quit [Remote host closed the connection]
12:35 -!- oxi [~oxi@unaffiliated/oxi] has quit [Remote host closed the connection]
12:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
12:36 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
12:42 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:01 -!- krzie [krzee@unaffiliated/krzee] has quit [Quit: Leaving]
13:01 -!- krzie [krzee@unaffiliated/krzee] has joined ##openvpn
13:34 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
13:47 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Quit: changing servers]
13:56 -!- LowKey [rhel@unaffiliated/lowkey] has joined ##openvpn
14:00 -!- jwm [jwm@74.208.185.36] has left ##openvpn []
14:01 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined ##openvpn
14:05 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
14:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
14:20 -!- krzie [krzee@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
14:25 -!- Kurogane [~kuro@190.87.69.217] has quit [Ping timeout: 272 seconds]
14:43 -!- ScriptFanix [~bofh@cl-53.mrs-01.fr.sixxs.net] has quit [Quit: WeeChat 0.3.2]
14:48 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
14:50 -!- BlackBishop [~dexter@d3xt3r01.tk] has joined ##openvpn
14:50 < BlackBishop> Sun Sep 05 22:50:14 2010 Options error: unknown --redirect-gateway flag: bypass-dhcp
14:51 < BlackBishop> that's on my client's console :/
14:51 < BlackBishop> the server has "push "redirect-gateway def1 bypass-dhcp"
14:51 < BlackBishop> without the first quote .. 
14:51 < BlackBishop> anyone any ideas ?
14:51 < krzee> what version ovpn on the client
14:51 < BlackBishop> 2.0.9
14:52 < krzee> join us in 2010 =]
14:52 < BlackBishop> :)
14:52 < BlackBishop> damn
14:52 < BlackBishop> yeah
14:52 < BlackBishop> one sec...
14:52 < krzee> 2.0.9 has
14:52 < krzee> --redirect-gateway [local] [def1]
14:53 < BlackBishop> neh .. I'll upgrade first :D
14:53 < krzee> exactly
14:54 -!- Kurogane [~kuro@190.87.69.217] has joined ##openvpn
14:56 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined ##openvpn
14:57 < BlackBishop> asasSun Sep 05 22:58:34 2010 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
14:57 < BlackBishop> Sun Sep 05 22:58:34 2010 Route: Waiting for TUN/TAP interface to come up...
14:58 < BlackBishop> hmm .. should it do this ?
14:58 < BlackBishop> http://d3xt3r01.pastebin.com/240JSJqj
14:58 < BlackBishop> doesn't look right :/
14:59 < BlackBishop> the vpn is on the same network I am .. 
15:00 -!- spq` [bnc00026@user.unregistered.de] has quit [Ping timeout: 276 seconds]
15:01 < barfster> Is there a way to publish services between LANs?
15:07 < krzee> !local
15:07 < vpnHelper> krzee: "local" is a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
15:07 < krzee> barfster, publish services??
15:07 < barfster> Similar to that of beacon on the mac
15:08 < krzee> barfster, you mean simply accessing services which are on other lans?
15:08 -!- spq` [spq@user.unregistered.de] has joined ##openvpn
15:08 < barfster> No
15:08 < krzee> i use osx, never heard of beacon
15:08 < barfster> The broadcast thing
15:08 < krzee> well you could use beacon
15:08 < krzee> lol
15:08 < krzee> without knowing what it is, i know you can use it
15:08 < barfster> There is an app on Mac: http://www.macupdate.com/info.php/id/11315/network-beacon but I would prefer a linux daemon
15:08 < vpnHelper> Title: Download Network Beacon for Mac - Publish/serve Bonjour services on network. MacUpdate Mac Software Downloads (at www.macupdate.com)
15:09 < krzee> !notovpn
15:09 < vpnHelper> krzee: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
15:09 -!- allquixotic_ [~allquixot@static.3.122.63.178.clients.your-server.de] has joined ##openvpn
15:09 < krzee> openvpn is for connecting the networks, what you do after is up to you
15:09 < barfster> :-)
15:10 < barfster> Problem is that Beacon is a client app, I would like to find a server one that does the same
15:11 < Bushmills> sounds like zeroconf/mdns -> avahi for linux
15:11 -!- grishnav_ [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
15:12 -!- manevra [~manevra@188.27.108.187] has quit [Quit: Leaving]
15:12 -!- stein0_ [~stein@mail.vgnett.no] has quit [Ping timeout: 272 seconds]
15:16 -!- Netsplit *.net <-> *.split quits: grishnav, pa, allquixotic, Cmdr_W_T_Riker, WinstonSmith, raw_
15:17 < BlackBishop> krzee: just add "local" to my .ovpn client conf ?
15:22 -!- Netsplit over, joins: raw_
15:23 -!- Netsplit over, joins: WinstonSmith
15:23 -!- Netsplit over, joins: pa
15:24 < krzee> [13:03]  <BlackBishop> the vpn is on the same network I am .. 
15:24 < krzee> push "redirect-gateway local def1 bypass-dhcp"
15:25 < krzee> only if all clients are in the same lan as the server
15:25 < BlackBishop> well .. they're not ! :/
15:25 < BlackBishop> only me and someone else ..
15:25 < krzee> otherwise you want to either put the push redirect-gateway in a ccd entry or in the client config without push
15:25 < krzee> because the person outside the lan should not have local flag
15:25 < krzee> !ccd
15:25 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
15:26 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Quit: WeeChat 0.3.4-dev]
15:27 < BlackBishop> so delete the push line from the server
15:27 < BlackBishop> and add "redirect-gateway local def1 bypass-dhcp" to my ovpn file ?
15:27 < krzee> yes
15:27 < krzee> and your friend outside the lan adds it without local
15:27 < krzee> (no quotes tho)
15:28 < BlackBishop> like this: http://d3xt3r01.pastebin.com/7T8pb8FN ?
15:29 < barfster> Bushmills: Thanks, I looked at avahi and it could be what I am looking for
15:30 -!- stein0 [~stein@mail.vgnett.no] has joined ##openvpn
15:30 < krzee> !path
15:30 < vpnHelper> krzee: "path" is always use full paths in your config file, it makes things easier
15:31 < krzee> !learn duplicate as the option duplicate-cn should not be u sed in most situations, with main exceptions being if you also use !authpass or if just testing
15:31 < vpnHelper> krzee: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
15:34 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
15:35 < BlackBishop> krzee: http://d3xt3r01.pastebin.com/c6QDfqDa
15:35 < BlackBishop> ( pasted the client config twice .. :/ )
15:36 < BlackBishop> still doesn't look right
15:37 < BlackBishop> grr .. deleted the duplicate keep-alive line
15:37 < BlackBishop> still doesn't look right .. 
15:40 < BlackBishop> !authpass
15:40 < vpnHelper> BlackBishop: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
15:41  * BlackBishop doesn't get it ..
15:43 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:46 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined ##openvpn
15:53 < krzee> !learn duplicate as the option duplicate-cn should not be u sed in most situations, with main exceptions being if you also use !authpass or if just testing
15:53 < vpnHelper> krzee: Joo got it.
15:55 < BlackBishop> also those lines of waiting for the tun to get up were caused by the dhcp client being stopped
15:59 -!- barfster [~barf@193.69.144.162] has left ##openvpn []
15:59 < BlackBishop> http://d3xt3r01.pastebin.com/9CEx5s2W is more clean now .. but still doesn't look right !
16:12 < BlackBishop> shouldn't I have a 10.8... gateway ?
16:13 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
16:32 < krzee> !forget duplicate
16:32 < vpnHelper> krzee: Joo got it.
16:33 < krzee> !learn duplicate as the option duplicate-cn is for allowing the same cert to login more than once.  It should not be used in most situations, with main exceptions being if you also use !authpass or if just testing
16:33 < vpnHelper> krzee: Joo got it.
16:58 < reiffert> did anyone play around with layer-3-roaming for 802.11 (wireless lan) yet?
17:04 < krzee> like wifi mesh?
17:07 < reiffert> like http://www.ciscopress.com/articles/article.asp?p=102282&seqNum=3
17:07 < vpnHelper> Title: Wireless LAN Fundamentals: Mobility > Layer 3 Roaming (at www.ciscopress.com)
17:31 -!- WinstonSmith [~true@f052096117.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
17:42 -!- WinstonSmith [~true@f052096208.adsl.alicedsl.de] has joined ##openvpn
17:46 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has joined ##openvpn
17:50 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
17:57 < krzee> reiffert, ok ya im pretty sure thats talking about what i meant
17:57 < krzee> and i have JUST begun playing with that
17:57 < krzee> a friend moved to the country, so he stays at my house, and my walls are made of concrete
17:58 < krzee> so i needed to hookup a wifi bridge
17:58 < krzee> i havnt finished setting it up yet
17:59 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:28 -!- gh0zt [~adam@unaffiliated/gh0zt] has joined ##openvpn
18:28 < gh0zt> anyone know how to make dnsmasq only listen on tun0 interface?  i tried setting listen-address=tun0 but it fails
18:35 -!- gh0zt [~adam@unaffiliated/gh0zt] has quit [Read error: Connection reset by peer]
18:35 -!- gh0zt [~adam@unaffiliated/gh0zt] has joined ##openvpn
18:38 < krzee> gh0zt, does that fail because you start it before you start openvpn?
18:39 < gh0zt> well dnsmasq works fine, but it is binding to ALL interfaces and i only want it to bind to 10.8.0.1
18:40 < gh0zt> i tried specifying interface=tun0 and listen-address=10.8.0.1 but it still binds to 0.0.0.0
18:40 < krzee> dunno
18:41 < gh0zt> i suppose i could put bind9 at S14 startup so it grabs the addresses it wants first
18:50 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
18:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
18:55 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
18:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
18:58 -!- meh3 [~efnet@27-9.202-62.fix.bluewin.ch] has joined ##openvpn
19:01 -!- Guest44037 [~efnet@27-9.202-62.fix.bluewin.ch] has quit [Ping timeout: 272 seconds]
19:04 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 245 seconds]
19:07 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
19:26 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
19:56 -!- krzie [krzee@unaffiliated/krzee] has joined ##openvpn
19:57 -!- gh0zt [~adam@unaffiliated/gh0zt] has quit [Remote host closed the connection]
20:11 -!- jellow [~jellow@unaffiliated/jellow] has joined ##openvpn
20:14 < jellow> Hello i'm running (or trying) to get openvpn 2.0 to not require cert but only user/password. up to now i've been using auth-pam.pl
20:14 < jellow> But not sure how to use it , could you look at my config file and give me some hints on where i'm messing up 
20:15 -!- theDoc [~Link@119.75.42.2] has joined ##openvpn
20:15 -!- theDoc [~Link@119.75.42.2] has quit [Read error: Connection reset by peer]
20:15 < krzie> !authpass
20:15 < vpnHelper> krzie: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
20:17 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
20:18 < jellow> i'm running open vpn a deamon so how do i add the option , take off "--" and add to config file?
20:18 < krzie> right
20:18 < krzie> !--
20:18 < vpnHelper> krzie: "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file.
20:20 < jellow> this is my config file http://pastebin.com/mMkys86S 
20:20 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
20:22 < krzie> see --auth-user-pass-verify in the manual
20:22 < krzie> !man
20:22 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
20:22 < krzie> also, upgrade to 2.1.3
20:22 < krzie> 2.0 is hella old
20:24 < jellow> Got it in repo debian lenny. 
20:24 < krzie> then your repo is old as hell
20:25 < krzie> !download
20:25 < vpnHelper> krzie: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
20:39 < tjz> Evil Google (video) LOL~!!! - http://www.youtube.com/watch?v=Ouof1OzhL8k
20:39 < vpnHelper> Title: YouTube - Our new "Don't Be Evil?" video - Final Version (at www.youtube.com)
20:53 -!- Gud_ [~erik@78-70-22-214-no94.business.telia.com] has quit [Ping timeout: 264 seconds]
21:09 -!- grishnav_ [~grishnav@e2180-8777.securedservers.com] has quit [Quit: leaving]
21:09 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
21:43 -!- brah [~asdofp@190.183.62.66] has joined ##openvpn
21:43 < jellow> Do the config options in .conf file need to be in any specific order ? 
21:58 < Cisien> no
22:00 < jellow> I'm having a hard time explaing to windows users how to connect with TFL certificates?
22:00 < jellow> Is there a one click install and connect sort of thing? 
22:02 < jellow> i know it's a bit vague but i don't any idea of what windows has for vpn clients. 
22:03 < jpalmer> jellow:  not that this is going to immediately help you.. but in the long run it will:
22:04 < jpalmer> befor eyou try to support people about something,  it's probably wise to get familiar with it.  if you're not sure how to config a vpn client on windows, you probably should do it a few times before helping another.
22:05 < jellow> well yes in a perfect work :P 
22:05 < jpalmer> I realize that sounds a little snotty or dickish, but is serious advice.
22:06 < jpalmer> a perfect world?  hardly.  in fact, trying to tell other people how to do something without knowing it,  is one of the fastest ways to make it an even LESS perfect world
22:07 < Cisien> can't you push out the certs/conf files when they log on the domain? Set that up, and have them log on locally once before connecting to the vpn
22:09 < krzie> no
22:09 < krzie> however
22:09 < krzie> !win_rollup
22:09 < vpnHelper> krzie: "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
22:09 < krzie> or you can go use access server, which we do not support here
22:09 < krzie> !as
22:09 < vpnHelper> krzie: "as" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
22:09 < vpnHelper> krzie: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
22:10 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Quit: leaving]
22:10 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
22:11 < krzie> but jpalmer's advice is not only great, but true for any software
22:18 -!- Gud [~erik@78-70-22-214-no94.business.telia.com] has joined ##openvpn
22:27 -!- darkwind [~bpayne@rrcs-70-61-50-54.central.biz.rr.com] has quit [Ping timeout: 276 seconds]
22:27 -!- darkwind [~bpayne@rrcs-70-61-50-54.central.biz.rr.com] has joined ##openvpn
22:35 -!- Gud [~erik@78-70-22-214-no94.business.telia.com] has left ##openvpn []
22:45 -!- UnterPerro [~UnterPerr@166.192.39.247] has joined ##openvpn
23:05 -!- jellow [~jellow@unaffiliated/jellow] has quit [Quit: leaving]
23:06 -!- jellow_ [~jellow@178.63.127.231] has quit [Quit: leaving]
23:18 -!- jaminja_ [~jaminja@74.81.170.4] has joined ##openvpn
23:18 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Ping timeout: 258 seconds]
23:19 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Disconnected by services]
23:19 -!- jaminja_ is now known as jaminja
23:19 -!- Kurogane [~kuro@190.87.69.217] has quit [Read error: Connection reset by peer]
23:19 -!- jaminja [~jaminja@74.81.170.4] has quit [Changing host]
23:19 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
23:32 < kraut> moin
--- Day changed Mon Sep 06 2010
00:00 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
00:13 -!- oracle [~oracle@unaffiliated/spice] has joined ##openvpn
00:52 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has quit [Read error: Operation timed out]
00:59 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
01:13 -!- BB` [~Bam_Bam@209.123.128.131.reshall.uri.edu] has joined ##openvpn
01:13 -!- BB` [~Bam_Bam@209.123.128.131.reshall.uri.edu] has quit [Changing host]
01:13 -!- BB` [~Bam_Bam@unaffiliated/bambam/x-942313] has joined ##openvpn
01:14 < BB`> If I connect the VPN with the sample config file after connection I have a local-link only network, but when I use network-manager it connects fine.. what is the reason for this?
01:16 < BB`> or maybe local-link only is normal but as far as I can tell there are no differences between my setting for the VPN connection but I can't get out to the internet if I use the conf file in /etc/openvpn
01:16 < BB`> whereas I can whilst using the network-manager-openvpn package
01:18 < BB`> I'm going to go to bed now but if anyone knows why please private message it because I don't even know what to google for this one
01:20 < hyper_ch> !configs
01:20 < vpnHelper> hyper_ch: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
01:20 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
01:20 < BB`> right, that makes sense
01:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
01:25 < BB`> client: http://pastebin.com/JsALjw72 server: http://pastebin.com/aEvkQDEY
01:25 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
01:26 < BB`> hyper_ch, those are them (it's obvious but I didn't highlight)
01:28 -!- UnterPerro [~UnterPerr@166.192.39.247] has quit [Quit: UnterPerro lives to save another day]
01:28 < BB`> oh... ubuntu lucid 10.04 and OpenVPN 2.0
01:30 < hyper_ch> BB`: looks fine to me
01:30 < hyper_ch> I guess the problem is the network manager... it might override other stuff
01:31 < hyper_ch> but it's just a guess
01:31 < BB`> yeah that's my guess too
01:31 < BB`> but I wanted someone to check the confs
01:31 < BB`> because it didn't make sense to me
01:32 < BB`> I can't find the network manager conf file either for this so I bet it does it by just running the command
01:33 < BB`> oh, and thank you hyper_ch 
01:33 -!- BB` [~Bam_Bam@unaffiliated/bambam/x-942313] has quit [Quit: Leaving]
01:37 < theDoc> Just out of curiosity, how many of you folks here consider an ssl portal that gives access to organization resources an ssl vpn?
01:37 < theDoc> You know, the kind where you go to https://some.place.here/ and after logging in, you get access to certain resources via the web interface.
01:40 < hyper_ch> IMHO that's by definition not a VPN
01:41 < theDoc> hyper_ch> I'm just wondering after looking at a couple of vendors that advertise ssl vpn as such.
01:42 < theDoc> It's misleading at best and at worst, asking to get one's ass spanked after someone decides to login at a netcafe.
01:43 < hyper_ch> hmm, maybe I'm wrong: http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci1201867,00.html
01:43 < vpnHelper> Title: What is SSL VPN? - Definition from Whatis.com - see also: TLS VPN (at searchsecurity.techtarget.com)
01:43 < theDoc> hyper_ch> It seems to be a multitude of "definitions" on what the ssl vpn is.
01:44 < theDoc> hyper_ch> I remember reading somewhere on a white paper that explicitly talks about these web apps over ssl providing a false sense of security.
01:44 < theDoc> Let me see if I can pull it up.
01:45 < theDoc> hyper_ch> http://www.sans.org/reading_room/whitepapers/vpns/openvpn-ssl-vpn-revolution_1459
01:45 < hyper_ch> well, someone mentioned the other day that ISPs can actually snoop your SSL traffic
01:45 < hyper_ch> and as you will connect through that webpage by SSL and only the stuff between the remote server and the resources behined are VPNed... it seems that ISPs could then snoop the "vpn" stuff also
01:46 < hyper_ch> but I really don't know about those things
01:46 < theDoc> hyper_ch> Not possible. I don't see how they're going to be able to decrypt it on the fly. 
01:46 < hyper_ch> intercept the handshake?
01:47 < theDoc> I don't think that's going to be possible with openvpn at least, I'm not overly familiar with that area.
01:48 < hyper_ch> well, as SSL is based (mostly) on public certificates I think ISPs could do a MIM attack... but don't really know
01:48 < hyper_ch> http://cryptogon.com/?p=14505
01:49 < theDoc> Lets see.
01:49 < hyper_ch> http://www.schneier.com/blog/archives/2010/09/uae_man-in-the-.html
01:49 < vpnHelper> Title: Schneier on Security: UAE Man-in-the-Middle Attack Against SSL (at www.schneier.com)
01:50 < theDoc> hyper_ch> Yeah, this explicitly deals with SSL portals. I don't think they're going to be able to replicate this as yet towards the openvpn platform unless, they have your server keys then you've got bigger problems than that.
01:51 < hyper_ch> as said, probably doesn't work on that openvpn thingy behind
01:51 < hyper_ch> but your connection to the vpn network is going through a ssl webconnection
01:52 < hyper_ch> so it means they can MIM the VPN actually with that SSL VPN setup
01:52 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Remote host closed the connection]
01:52 < theDoc> Are you referring to the openvpn context or the web ssl vpn portals?
01:52 < hyper_ch> the web ssl vpn portals
01:52 < hyper_ch> the vpn might be safe
01:53 < hyper_ch> but not the ssl connection between you and the portal
01:53 < theDoc> Definitely.
01:53 < theDoc> Maybe that would finally put the nail in the coffin for ssl portals or whatever fancy term it's given now.
01:53 < hyper_ch> hence you lower the security by the vpn when employing such ssl vpon portals
01:53 < theDoc> hyper_ch> No one should be using those anyway, imo. :p
01:53 < hyper_ch> but krzee might know more about this stuff
01:55 < theDoc> Yeah, I'm actually interested in hearing what ecrist/krzee has to say on this topic :p
02:18 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:18 -!- mode/##openvpn [+o mattock] by ChanServ
02:20 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has quit [Ping timeout: 260 seconds]
02:21 -!- freaky[t] [alpha@freakyy.de] has quit [Ping timeout: 258 seconds]
02:21 -!- sno [~sno@static.153.209.46.78.clients.your-server.de] has quit [Ping timeout: 260 seconds]
02:22 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined ##openvpn
02:24 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
02:24 -!- sno [~sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn
02:27 -!- dazo_afk is now known as dazo
02:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
02:32 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:34 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Read error: Connection reset by peer]
02:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 246 seconds]
02:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:38 -!- bandini [~bandini@host248-107-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
03:07 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
03:19 -!- krzie [krzee@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:38 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: Connection reset by peer]
03:39 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
03:46 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
03:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
03:50 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:55 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 272 seconds]
04:16 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
04:20 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
04:22 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined ##openvpn
04:38 -!- bandini [~bandini@host248-107-dynamic.21-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
04:48 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
04:56 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
05:01 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
05:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
05:09 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:44 -!- oracle [~oracle@unaffiliated/spice] has quit [Read error: Connection reset by peer]
05:45 -!- oracle [~oracle@unaffiliated/spice] has joined ##openvpn
05:54 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
06:56 -!- Cmdr_W_T_Riker [e38f4c5ed4@xs8.xs4all.nl] has joined ##openvpn
06:58 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
07:00 -!- david [Guest45639@unaffiliated/mtrh] has joined ##openvpn
07:00 < david> how does openvpn accept: route IP... subnet ?
07:01 < david> I'm working to get this to work under pfsense, but it seems I kill ovpn with syntax?
07:02 < david> I've tried without citation, with " and with '
07:03 < theDoc> david> That's not an openvpn problem, you just throw the routes into your kernel's routing table.
07:07 < david> hmm.. ok
07:09 < david> wait.. do I make a gateway from LAN IP (router with tunnel) or the tunnel IP of the router?
07:11 < david> in the end it feels like non GUI setups of ovpn is way easier
07:32 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
07:47 -!- WinstonSmith [~true@f052096208.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
08:11 -!- meh3 [~efnet@27-9.202-62.fix.bluewin.ch] has quit []
08:21 -!- david [Guest45639@unaffiliated/mtrh] has quit [Ping timeout: 276 seconds]
08:23 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
08:24 -!- Guest45639 [Guest45639@m90-130-221-195.cust.tele2.se] has joined ##openvpn
08:24 -!- Guest45639 is now known as mtrh
08:24 -!- mtrh [Guest45639@m90-130-221-195.cust.tele2.se] has quit [Changing host]
08:24 -!- mtrh [Guest45639@unaffiliated/mtrh] has joined ##openvpn
08:54 < krzee> [05:14]  <david> in the end it feels like non GUI setups of ovpn is way easier
08:54 < krzee> he's starting to understand
09:00 < dxtr> Hmm. Can I somehow tell openvpn that I still want to use ipv6?
09:00 < dxtr> Because right now it messes with my ipv6 routes too
09:00 < dxtr> And I don't want that
09:00 < dxtr> I want to route ipv6 as normally and ipv4 through my openvpn tunnel
09:01 < dxtr> s/normally/usual/
09:01 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
09:01 -!- mode/##openvpn [+o mattock] by ChanServ
09:03 < mtrh> krzee I'm using pfsense and fristratingly few switches and options seem to correlate to ovpn documentation
09:06 < krzee> [23:59]  <theDoc> Yeah, I'm actually interested in hearing what ecrist/krzee has to say on this topic :p
09:06 < krzee> theDoc, does not effect OpenVPN connections, since you only trust your own CA, not some list of unknown companies
09:07 < krzee> mtrh, configure it without pfsense
09:07 < krzee> if you really need to generate it, use my confgen
09:07 < krzee> !confgen
09:07 < vpnHelper> krzee: "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/
09:08 < krzee> dxtr, but the thing is, ipv6 goes over ipv4
09:08 < krzee> unless your ISP natively accepts it (some do...)
09:08 < dxtr> krzee: I get my ipv6 addresses from my router
09:08 < dxtr> So no
09:08 < theDoc> krzee> I realized, the question which started it all was, how many of you guys consider the ssl portal as a ssl vpn.
09:09 < krzee> theDoc, what ssl portal?
09:09 < theDoc> krzee> The kind which claims to be a ssl vpn and having the users login via a web browser usually through a java interface and getting remote access to internal resources.
09:10 < krzee> theDoc, those would be vuln to a ssl mitm attack
09:10 < theDoc> krzee> Yeah but those services, are they really considered an ssl vpn?
09:11 < krzee> yes
09:11 < krzee> they just arent NEAR as good as openvpn
09:11 < theDoc> krzee> Reason I asked because there was an article on SANS that disputed that. 
09:11 < krzee> interesting, got link?
09:12 < theDoc> It was somewhere above in the logs but I can find it.
09:12 < theDoc> Give me a moment.
09:12 < krzee> ahh i got it
09:12 < krzee> i didnt scroll that high'
09:12 < theDoc> krzee> http://www.sans.org/reading_room/whitepapers/vpns/openvpn-ssl-vpn-revolution_1459
09:12 < theDoc> This one here.
09:12 < theDoc> It's a little outdated but still a good read.
09:13 < krzee> ya mostly talks about 1.x
09:13 < krzee> mentions new stuff in 2.0
09:13 < krzee> still cool
09:14 < theDoc> I think the underlying/fundamental points he makes in the presentation are still very relevant.
09:14 < krzee> ok i see their argument
09:14 < krzee> and it is valid...
09:15 < krzee> basically he says those are not VPN because you can not route arbitrary traffic over it, therefore the ' private network' portion of it does not exist
09:15 < theDoc> Pretty much yes.
09:15 < theDoc> However, what does everyone think about it?
09:15 < krzee> i can see both sides of the argument
09:16 < krzee> i guess i agree with the whitepaper's stance on it... but i would not feel the need to correct people on the other side
09:16 < krzee> before hearing their argument, i was ok with agreeing that they ARE a vpn
09:17 < theDoc> krzee> I feel it's a rather compelling statement from the article.
09:17 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
09:20 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
09:27 < Zathraz> Hi. On a routed VPN I can ping the server from the client on it's LAN ip as well as on it's VPN IP. But I cannot ping any other machines on the network, so routing is likely an issue. Also the route command on the server takes like forever. What config aspects on the server should I look at (ip forwarding is enabled) please?
09:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
09:34 < vpnHelper> RSS Update - forum: Server Administration :: Re: [Advanced Problem] Bypass restrictive network via HTTPS :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7064&p=7738#p7738>
09:45 < dazo> theDoc: krzee: I do see that paper as pretty accurate ... VPN is a 'virtual private NETWORK' ... it should not be limited/restricted to only encrypting a subset of ports to particular server ... and the security aspect regarding MITM attacks is of course yet another related topic
09:47 < dazo> thus, the need of installing and/or configuring the VPN is actually a security feature.  Everyone can browse to an SSL based web-site ... but being able to configure the tunnel correctly, having the correct certificates *and* having the needed passwords available with VPN, raises the security bar quite a bit
09:47 < dazo> (but of course, the weakest part is always the configuration)
09:48 < krzee> ya, i have to agree with you
09:52 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
09:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:56 < vpnHelper> RSS Update - forum: Configuration :: Re: Solution Please!!! :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7056&p=7739#p7739>
10:17 -!- barfster [~barf@193.69.144.162] has joined ##openvpn
10:17 < barfster> What is the reason for pings being 1/3 inside the OpenVPN, opposed to pinging the external node?
10:18 < barfster> VPN is slow through external connection
10:19 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
10:20 < Zathraz> LAN @ serverside is 172.19.0.0/24 and VPN range is 10.8.0.0/24. From client: ping 10.8.0.1 ok. ping 172.19.0.75 (the openvpnserver): ok. Traceroute 172.19.0.72 stops at 10.8.0.1
10:21 < Zathraz> So something is missing on the serverside as a routing rule. I fail to find docs on that
10:21 < Zathraz> any pointers welcomed
10:22 < krzee> Zathraz, you are trying to redirect gateway over the vpn?
10:22 < hyper_ch> hi krzee
10:22 < Zathraz> no. Remote client should use internet access using it's own connection
10:23 < Zathraz> it's one of the things I hated on PPTP networks
10:23 < hyper_ch> krzee: can you go in your backlog back for about 9h 10min and give us your thoughts on SSL VPN websites?
10:23 < Zathraz> it's just that a client can reach the vpnserver but not the LAN behind it
10:23 -!- barfster is now known as krtek
10:24 < krtek> lack of routing?
10:24 < krtek> or the client directives are missing?
10:24 < hyper_ch> oh, you already did krzee :)
10:25 < Zathraz> yes. So in /etc/network/interfaces on Debian I created a tun interface starting the openvpn server giving VPN IPs 10.8.0.0. Client connects ok and gets an IP 10.8.0.4
10:25 < vpnHelper> RSS Update - forum: Configuration :: Re: Solution Please!!! :: Reply by fernando <https://forums.openvpn.net/viewtopic.php?f=6&t=7056&p=7740#p7740>
10:26 < Zathraz> routing works fine based on ping both the OpenVPN-servers LAN (172.19.0.75) as well as it's VPN (10.8.0.1) address. Issue is that the client cannot access any other machine in th 172.19.0.0/24 range except the vpnserver
10:27 < Zathraz> issuing a traceroute on 172.19.0.72 it gets to 10.8.0.1 so routing at the client is ok
10:27 < Zathraz> the server is a different story as the routing stops there
10:29 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:30 < krzee> Zathraz, oh ok, lan behind server or client?
10:30 < Zathraz> lan behind server
10:30 < krzee> ahh server
10:30 < krzee> !serverlan
10:30 < vpnHelper> krzee: "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
10:30 < krzee> you likely need !route_outside_openvpn
10:30 < krzee> !route_outside_openvpn
10:30 < vpnHelper> krzee: "route_outside_openvpn" is (#1) http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) you do not need this if the vpn node IS the gateway for its lan
10:32 < Zathraz> I added: push "route 172.19.0.0 255.255.255.0" to the config already
10:32 < Zathraz> ip_forwarind ipv4 was already enabled
10:32 < krzee> then i guessed right
10:33 < krzee> although it wasnt much of a guess, since you said you could ping the lan ip of the server
10:33 < krzee> if you didnt have the right route, or ip forwarding was disabled, you couldnt do that
10:33 < Zathraz> so indeed I most like need to add the route
10:33 < Zathraz> ty
10:33 < krzee> yw
10:34 < krzee> cool little graph in !route_outside_openvpn isnt it =]
10:34 -!- spo0nman [~pankajk@122.172.27.116] has joined ##openvpn
10:35 < spo0nman> Hi ... is there a way to configure openvpn in server mode without using user auth. I want key based auth while using "server 192.168.10.0 255.255.255.0" directive if i use secret secret.key ... I get the error "cannot use --server and --secret together" 
10:35 -!- Elwell [~elwell@freenode/staff/elwell] has joined ##openvpn
10:36 < krzee> correct
10:36 < krzee> --server requires certs unless you say otherwise
10:36 < krzee> !authpass
10:36 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
10:37 < krzee> using --secret is only for point-to-point
10:38 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
10:39 < Zathraz> krzee, it's a cool graph ;-)
10:39 < Zathraz> however I still have the issue: http://pastebin.com/TSiRRTpD
10:40 < krzee> !learn static-key as when you use --secret, you are using a static key.  this is only valid for point-to-point setups.  Static keys are less secure in that they never change.  If someone captures your traffic, and then gains your static key a year from now, they can decrypt the captured traffic.  Setups that use certs re-key every hour by default
10:40 < vpnHelper> krzee: Joo got it.
10:40 < krzee> Zathraz, you added the route to your gateway?
10:40 < krzee> (ie: your router)
10:41 < krzee> quite often a lil linksys / netgear device...
10:41 < krzee> aka, 192.168.178.1
10:41 < Zathraz> I added the route to the openvpn server which is also the main gateway etc
10:41 < krzee> umm no its not
10:41 < krzee> 192.168.178.1 is
10:41 < Zathraz> it is behind a modem
10:41 < Zathraz> ok.
10:41 < Zathraz> I will do it there
10:41 < Zathraz> ty
10:41 < krzee> your LAN uses 192.168.178.1 as the main gateway
10:42 < Zathraz> true. that's the adsl modem
10:42 < Zathraz> as usual: lan uses this server as gateway and the server uses the modem as gateway
10:42 < krzee> then it needs to know that the VPN network 10.8.0.0/24 is behind whatever LAN ip the server uses
10:42 < krzee> umm
10:43 < krzee> show me the routing table of a machine you are trying to ping that is on the LAN
10:44 < krzee> oh wait you're the guy with the tripped out home network with wifi on a different lan than wired, arent you
10:45 < krzee> iirc i spoke with you re this setup before... you made the most confusing gliffy diagram in the history of diagrams... (is that you?)
10:45 < Zathraz> nope. I am not
10:46 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
10:46 < krzee> ok, my mistake then
10:46 < Zathraz> I do not use wifi
10:46 < krzee> in that case, show me the routing table of a machine you are trying to ping that is on the LAN
10:46 < krzee> =]
10:47 < Zathraz> see bottom of: http://pastebin.com/xLxjH3gv
10:47 < Zathraz> I know the routing sucks there (gw 72 vs 75)
10:48 < krzee> and what machine is  172.19.0.72
10:48 < Zathraz> but if I give you the machine I tried to reach the routing table is big and partly not very informative
10:48 < krzee> [08:35]  <Zathraz> I added: push "route 172.19.0.0 255.255.255.0" to the config already
10:49 < krzee> but you are trying to ping something outside that /24
10:49 < krzee> it shouldnt work
10:49 < Zathraz> 172.19.0.72 -> old server with gw to internet
10:49 < krzee> you have a /16 not a /24
10:49 < Zathraz> uhmmm. You are right.....
10:49 < Zathraz> uhmmm
10:49 < Zathraz> sorry
10:50 < Zathraz> oeps. made an error in relaying to irc
10:50 < Zathraz> actually the route pushed is 172.19.0.0 255.255.0.0
10:51 < Zathraz> so that is actually correct
10:51 < Zathraz> 172.19.0.75 -> new server to replace the old one. This one has the openvpnserver installed
10:51 < Zathraz> also has a gw to the internet
10:52 -!- hugodu59 [~chatzilla@orc59-1-88-166-162-251.fbx.proxad.net] has joined ##openvpn
10:52 < hugodu59> !welcome
10:52 < vpnHelper> hugodu59: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:53 < hugodu59> !goal
10:53 < vpnHelper> hugodu59: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:57 < hugodu59> !howto
10:57 < vpnHelper> hugodu59: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:57 < Elwell> !redirect
10:57 < vpnHelper> Elwell: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
10:57 < Zathraz> now it works. played a bit with gw-s which kind of screwed up things
10:57 < Zathraz> ty
10:59 < Elwell> ok - I have a client on my linux box at home, server remote. I have added a second IP address (eth0:1) to client, which I want *any* host on my local lan to use as its defauly gateway (trivial - done with the dhcp lease). any tips for setting the iptables rules?
11:00 < Elwell> ie traffic to eth0 -- get services local on client. traffic to eth0:1 goes over vpn
11:00 -!- mtrh [Guest45639@unaffiliated/mtrh] has quit [Ping timeout: 260 seconds]
11:01 < hugodu59> Hi guys!
11:02 < hugodu59> I've installed OpenVPN in client mode on my linux machine, but my server blocks few ports (like IRC x) )
11:02 < |Mike|> mkay
11:03 < hugodu59> How can I route only few hosts throw VPN ?
11:03 < hugodu59> I've heard that "route" can exclude hosts, but I want Include hosts
11:07 -!- macsppadic [~sonupunno@88.211.55.77] has left ##openvpn []
11:10 < |Mike|> !route
11:10 < vpnHelper> |Mike|: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:11 -!- gh0zt [~adam@unaffiliated/gh0zt] has joined ##openvpn
11:15 < funkyHat> !dns
11:15 < vpnHelper> funkyHat: "dns" is (#1) Level3 open recursive DNS server at 4.2.2.1, or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4
11:17 < krzee> hugodu59, you just issue route commands for those hosts
11:17 < krzee> (ip/subnets i mean)
11:18 < krzee> but you still need ip forwarding and NAT
11:18 < krzee> basically you !redirect, but without !def1
11:18 < hugodu59> ok
11:18 < gh0zt> i have openvpn clients running perfectly on dedicated ubuntu 10.04 and win 7 pc's but i can't get it running on an ubuntu 10.04 (desktop) virtualbox machine, any ideas?
11:18 < hugodu59> For the moment i'm on windows ^^
11:18 < krzee> then you add routes for the subnets you DO want, as opposed to changing default
11:19 < krzee> hugodu59, the server is windows?
11:19 < hugodu59> no, it's a client, on linux and windows
11:19 < krzee> doesnt matter
11:20 < hugodu59> so it's with the route command ?
11:20 < krzee> route ip subnet
11:20 < krzee> in the config
11:20 < krzee> OR
11:20 < krzee> push "route ip subnet" in server config
11:20 < krzee> !push
11:20 < vpnHelper> krzee: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
11:22 < hugodu59> OK, it's a commercial server, so i don't need push
11:22 < hugodu59> and what's a subnet ?
11:22 < hugodu59> I'm gonna read the route manual ^^
11:23 < hugodu59> Thank you krzee for your help =)
11:23 < krzee> you're welcome
11:23 < funkyHat> feh. I have 2 different hosts, both Xen DomUs on different VPS hosting services, both running Debian 5 x64, with identical openvpn configs connecting to the same server, but one of them overwrites /etc/resolv.conf when it connects (and ∴ breaks) and the other doesn't. I'm at a loss to figure out where the difference is :/
11:24 < hugodu59> =)
11:24 < |Mike|> search domains are different?
11:24 < hugodu59> Bye!
11:24 -!- hugodu59 [~chatzilla@orc59-1-88-166-162-251.fbx.proxad.net] has left ##openvpn []
11:25 < krzee> lol
11:25 < krzee> now he mentions it is a commercial server, makes me think he doesnt run it
11:26 < krzee> in which case, very different
11:27 < funkyHat> |Mike|: squee (the one that doesn't break) has no search domain defined in resovl.conf, dib (which does break) has none defined before openvpn connects, but afterwards the search and domain lines are both funkyhat.net, and the only nameserver left in the file is my local (VPN) nameserver, 10.0.0.2
11:27 < funkyHat> *resolv.conf
11:28 < krzee> funkyHat, so you do not want resolv.conf overwritten?
11:28 -!- spo0nman [~pankajk@122.172.27.116] has quit [Ping timeout: 252 seconds]
11:28 < krzee> either comment out the --up script, or stop using gay network manager
11:28 < krzee> because gay network manager is gay
11:28 < funkyHat> krzee: correct, and I can't figure out why it's overwritten on one host but not the other
11:28 < krzee> !netman
11:28 < vpnHelper> krzee: "netman" is if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from an openvpn expert on the mail list
11:29 < funkyHat> krzee: network-manager is not installed, and I have a custom up script which just runs /sbin/dhclient tap0 &
11:29 < funkyHat> That's also the same on both hosts, hence my confusion ⢁(
11:29 < krzee> oh its tap
11:30 < krzee> so its not an up script, its your actual dhcp server
11:30 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:34 -!- spo0nman [~pankajk@122.172.27.116] has joined ##openvpn
11:34 < gh0zt> anyone know where i can get the full windows client source code / build info ?
11:36 < ksk> on sf.net
11:36 < ksk> iirc
11:36 < funkyHat> krzee: ah, that makes sense, thanks. Still I don't have anything specific set up for either squee or dib in the dhcp config (besides a permanent IP), so I'm still stuck :D
11:36 < krzee> !win_rollup
11:36 < vpnHelper> krzee: "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
11:36 < krzee> funkyHat, unfortunately im only useful helping with tun configs
11:37 < gh0zt> thanks krzee
11:37 < krzee> someone else will have to help with that
11:37 < krzee> gh0zt, yw
11:37 < funkyHat> Well thanks for your help so far anyway ⡈)
11:38 < ksk> gh0zt: i prefer this one: http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package.html
11:38 < vpnHelper> Title: HowTo Roll Your Own OpenVPN Windows Installation Package (at openvpn.se)
11:38 < krzee> ksk, ya, if you happen to be using something very very very old
11:38 < krzee> openvpn.se is in desperate need of updating
11:39 < ksk> yes, i know
11:39 < krzee> ksk, you arent the admin of that, are you???
11:39 < ksk> but u can updates it with the latest openvpn software - works fine 
11:39 < ksk> no, im not
11:39 < krzee> damn
11:39 < ksk> *G*
11:39 < funkyHat> I've "fixed" it temporarily by putting the VPN server's IP rather than hostname in --remote, but I don't want the system not to be able to perform lookups if the VPN is down for whatever reason (also there's absolutely no need for DNS to be done over the VPN)
11:40 < ksk> but this nsis skript openvpn.se offers is a good point to start at
11:40 < ksk> *script
11:40 < krzee> werd
11:41 < krzee> i have never used either, i like dazo's because it allows for changing the configs after handing out the install package
11:41 < krzee> however, whichever works for you =]
11:42 < ksk> ye, i like to change configs before i build the installer :>
11:42 < krzee> right, but then if you want to change them again, you need to hand it out again
11:42 < ksk> mhm, yes
11:42 < krzee> with his you just say "reinstall that"
11:42 < ksk> i see
11:42 < ksk> ill take a closer look at it :)
11:43 < krzee> but like i said, i have not used either
11:43 < dazo> the script I've pulled together is just a wrapper around the stock OpenVPN installer ... so you don't need to do anything else around it ... and my installer will ask for a ZIP file, which should contain config files and certificates, and they'll get extracted in the proper place
11:43 < ksk> ye, i wont make u personally responsible for anything that will happen :P
11:43 < dazo> which means, that the official signature for OpenVPN is still intact, and can be validated separately
11:44 < krzee> ooo good point there dazo 
11:44 < krzee> i hadnt thought of that
11:46 < dazo> Actually the script will download the official OpenVPN installer from a web site defined in the script, together with a MD5 sum of the installer and quickly validate it on-the-fly ... unfortunately, I haven't found and GPG/PGP signature verification stuff for NSIS ... if I had that, I'd be happy to do that instead
11:47 < ksk> did u asked on their channel at "lol"?
11:48 < ksk> kinda helpful ppl over there
11:48 < dazo> nope, I've just been looking at their plug-ins list ... which is so comprehensible, I would expect GPG/PGP stuff to be mentioned there already
11:48 < dazo> (and that list is pretty well updated, afair)
11:53 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 276 seconds]
12:01 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
12:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
12:08 < gh0zt> hmm nice document about rolling own installer krzee but i still can't find the windows client source code / build instructions and the windows zip download has no executables
12:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:08 < gh0zt> clearly openvpn windows client is not open
12:08 < gh0zt> lol
12:09 < gh0zt> it's firmly closed
12:13 < dazo> gh0zt: nonsense ... if you pull down the source code ... you there are building instructions there .... unless you're looking at the OpenVPN Access Server Client, that's closed
12:15 < dazo> but it seems building the windows client, is a bit harder ... as you need to install the proper tools for it ... which is not as easily available as on most *BSD, Linux or Solaris
12:15  * dazo heads out for a little party
12:16 -!- dazo is now known as dazo_afk
12:17 < gh0zt> is this the closed one http://openvpn.net/release/openvpn-2.1.3-install.exe ?
12:25 < gh0zt> nevermind, i understand now - basically there is no open source windows client
12:25 < gh0zt> because they are using it to market the paid version
12:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
12:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:44 -!- theDoc [~Link@unaffiliated/thedoc] has left ##openvpn ["Leaving"]
12:52 -!- krzie [krzee@unaffiliated/krzee] has joined ##openvpn
12:59 < kisom> gh0zt: the client is open source for all O/Ses
13:00 < kisom> check under the community section
13:01 < gh0zt> i wanted the source code for http://swupdate.openvpn.net/downloads/openvpn-client.msi
13:01 < gh0zt> but i don't think it's available
13:01 < kisom> i dont know, i've never used that installer on windows
13:07 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
13:12 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
13:41 -!- BrokenAnimator [~bobnunchu@216.180.254.114] has joined ##openvpn
13:42 < BrokenAnimator> Noob question: Is there a way to configure openVPN to only route certain programs, and leave others?
13:47 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
13:53 < gh0zt> what programs?
13:58 < hyper_ch> BrokenAnimator: there are ways
13:58 < hyper_ch> if you can bind those programs to a given ip
13:59 < BrokenAnimator> hmm..like say IRC I would want through Open VNC but not say windows media player
13:59 < hyper_ch> BrokenAnimator: well, I assume you have an openvpn server?
14:00 < hyper_ch> BrokenAnimator: get a irc bouncer e.g. znc
14:00 < Bushmills> irc server has a different destination address than the streaming server your using with media player
14:00 < hyper_ch> BrokenAnimator: which handles the actual connections to the irc servers
14:00 < hyper_ch> and then let your client connect ot the bouncer through the vpn
14:00 < Bushmills> different destinations are routable through different interfaces/routes
14:01 < Bushmills> what is openvnc?
14:01 < hyper_ch> Bushmills: you disagree with the    IRC Server <-> Bouncer <-vpn-> Local machine
14:01 < BrokenAnimator> sadly I kind of only know what a bouncer is
14:01 < Bushmills> hyper_ch: no, i don't. i use such a setup myself
14:02 < hyper_ch> same here
14:02 < hyper_ch> znc?
14:02 < Bushmills> dircproxy
14:03 < BrokenAnimator> but is there a way to tell open VPN to route this program..and not another?
14:04 < BrokenAnimator> instead of doing it at the specific application level?
14:04 < Bushmills> as you tell your irc client to connect with an irc server - which is the bouncer - yes: you just give the host name or ip address of the vpn server
14:04 < hyper_ch> either bind it to the vpn address or use your firewall to direct a port through the vpn... that could work but don't really know
14:09 < BrokenAnimator> k, I'll give it a shot..see what happens
14:12 < gh0zt> i use ssh portforwarding to do specific ap is much easierps
14:13 < gh0zt> or socks 5 proxying
14:14 < gh0zt> the best windows ssh client i hav e found is bitvise tunnelier http://www.bitvise.com/tunnelier
14:14 < vpnHelper> Title: Tunnelier (Bitvise) (at www.bitvise.com)
14:14 < gh0zt> and it works on linux using wine
14:21 -!- spo0nman [~pankajk@122.172.27.116] has quit [Quit: spo0nman]
14:37 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
14:38 < funkyHat> I'm amazed anyone would consider using a windows ssh client on Linux
14:43 < krzee> [10:28]  <gh0zt> nevermind, i understand now - basically there is no open source windows client
14:43 < krzee> gh0zt, that msi is closed source, it is access server
14:43 < krzee> !download
14:43 < vpnHelper> krzee: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
14:43 < krzee> you can grab the source code to the open source version there
14:44 < gh0zt> yeah, i can't find an open source client anywhere
14:44 < gh0zt> that was last updated in 2005
14:44 < gh0zt> doesn't work well
14:44 < krzee> dude
14:44 < krzee> link #1
14:44 < krzee> not the second link where it says "dont bother with this anymore"
14:45 < krzee> http://www.openvpn.net/release/openvpn-2.0.9.tar.gz
14:45 < krzee> thats the source code
14:45 < krzee> for all OS
14:47 < gh0zt> i compiled that, there were no windows executables
14:48 < krzee> you didnt compile it for windows
14:50 < gh0zt> looking for docs to compile it for windows
14:50 < krzee> like
14:50 < krzee> INSTALL-win32.txt
14:51 < krzee> oh wait thats not for compile
14:55 < krzee> gh0zt, you doing the building in windows as well?
14:55 < gh0zt> no
14:55 < gh0zt> on Ubuntu 10.04
14:56 < gh0zt> i put the LZO libraries on and it compiles ok, just no client gui for windows
14:56 < gh0zt> want to create a custom gui client
15:00 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 264 seconds]
15:01 -!- hyper_ch [~hyper_ch@static.2.139.40.188.clients.your-server.de] has joined ##openvpn
15:06 < troy-> i have openvpn setup as a vpn gateway for multiple users with interface: inet addr:172.16.17.33  P-t-P:172.16.17.34  Mask:255.255.255.255 
15:07 < troy-> one client connects with .38 and i want to make that his static ip - how would i do that in the ccd file
15:08 < troy-> not sure what the first ip would be: ifconfig-push 172.16.17. 172.16.17.38
15:20 < troy-> krzee: around? :)
15:42 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
15:56 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
16:01 -!- hyper_ch [~hyper_ch@static.2.139.40.188.clients.your-server.de] has quit [Ping timeout: 264 seconds]
16:01 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
16:03 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
16:18 -!- TeKoS [~joya@91.210.106.246] has joined ##openvpn
16:18 < TeKoS> !welcome
16:18 < vpnHelper> TeKoS: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:18 < TeKoS> hi
16:20 < TeKoS> i try to configure openvpn with cert and login/passwd with checkpsw.sh
16:22 < TeKoS> but the client doesnt send correctly login/pass and my log say : User does not exist: username="", password="".
16:22 < TeKoS> dont know why...
16:22 < TeKoS> someone can help me plz ?
16:24 < TeKoS> !interface
16:24 < vpnHelper> TeKoS: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
16:24 < TeKoS> !/30
16:24 < vpnHelper> TeKoS: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
16:25 < TeKoS> ...
16:42 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
16:46 -!- sim0n [sim0n@je.je] has joined ##openvpn
16:46 < sim0n> !welcome
16:46 < vpnHelper> sim0n: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:48 -!- dabb [~dabb@213.190.119.109] has joined ##openvpn
16:49 < sim0n> Hello, forgive me if this has already been asked a million times but... OpenVPN within windows 7, is there ANY way to run it without having to be/run as an administrator. I understand why its needed, for the routes to be added, but i have some users i really REALLY dont trust with admin rights.
16:49 < sim0n> Im already checking the forums, but IRC is sometimes quicker, so, hopefully im not stepping on toes or anything.
16:50 -!- TeKoS [~joya@91.210.106.246] has quit [Ping timeout: 276 seconds]
16:52 < gh0zt> hmm i just read about that somewhere, i think there's a way to do it using a portable app on usb key type config
16:54 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:54 < sim0n> I'd be thankful for a guide or link gh0zt :)
16:55 < gh0zt> i havei haven't tried it but ... https://sourceforge.net/projects/ovpnp/files/
16:55 < vpnHelper> Title: Browse OpenVPN Portable Files on SourceForge.net (at sourceforge.net)
16:55 < gh0zt> haven't
16:55 < gh0zt> but it would be cool if a portable openvpn client worked
17:02 < ecrist> sim0n: I cant' find the link off-hand, but there is a way to allow them to use it with sudo for windows.
17:02 < ecrist> !sudo
17:02 < vpnHelper> ecrist: Error: "sudo" is not a valid command.
17:02 < ecrist> !factoids search sudo*
17:02 < vpnHelper> ecrist: "sudowin" is http://sourceforge.net/projects/sudowin/
17:02 < ecrist> there you go
17:04 < sim0n> Yea, the problem is, you'd need admin rights to install THAT into the system :|
17:04 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 265 seconds]
17:04 < sim0n> The problem is my boss is soooo paranoid that people cant do things on these laptops, that they are running with only user rights, which really "retards" a windows 7 machine
17:06 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
17:06 < ecrist> sim0n: sounds like you have an unsolvable problem
17:06 < ecrist> you cannot run openvpn without some level of admin rights, obtained in one way or another.
17:07 -!- BrokenAnimator [~bobnunchu@216.180.254.114] has quit [Quit: BrokenAnimator]
17:07 < sim0n> i can install openvpn, that aint a problem, its once they leave my admin-cave
17:07 < sim0n> even that sudowin has the potential for them to run other things :(
17:08 < ecrist> not if it's configured correctly
17:09 < ecrist> and really, if you don't control physical access to a machine, you don't control ANY access to the machine
17:09 < sim0n> laptops
17:09 < ecrist> so, my statement stands
17:09 < sim0n> its controlled in terms of fingerprint (as secure as that is) and login passwords
17:09 < ecrist> no, you don't understand.
17:10 < sim0n> so far it works in that, they cant install crappy apps themselves, but openVPN is now causing me headaches
17:10 < ecrist> if you allow someone to remove a machine for a protected space, they CAN obtain admin rights.  if you guys are that paranoid, you need to be aware of that.
17:10 < ecrist> sudowin is your solution.
17:10 < sim0n> and it really needs to be something a idiot can understand "click here, put in password, your now 'at work'"
17:11 < sim0n> hmm, i wonder if sudowin can be set to run it witout them having to right click and run as
17:11 < sim0n> maybe some kind of hacked up batch script
17:12 < ecrist> you can just run openvpn as a service.
17:13 < sim0n> doesnt that mean that it will run as the machine starts up, every time ?
17:13 < ecrist> sure
17:13 < ecrist> what's wrong with that?
17:14 < sim0n> nothing i can think of, im just thinking aloud
17:14 < sim0n> Any idea if the user would get any error messages, say they visit a customer who has a restrictive firewall ?
17:15 < sim0n> moaning that it cant connect every 2 minutes or some such ?
17:15 < ecrist> don't think so.
17:16 < sim0n> I'll need to have a play with that, the laptop i brought home kinda lost its charge and im charger-less *rolleyes*
17:16 < sim0n> Thanks for the help so far tho dude.
17:20 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
17:22 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Ping timeout: 276 seconds]
17:53 < gh0zt> use tcp port 443 and the firewall isn't a problem
17:54 < gh0zt> usually
17:55 -!- oracle_ [~oracle@unaffiliated/spice] has joined ##openvpn
17:58 -!- oracle [~oracle@unaffiliated/spice] has quit [Ping timeout: 252 seconds]
18:12 -!- oracle_ is now known as oracle
18:21 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Quit: I am off]
18:22 < oracle> my vpn goes down and the frackin connections are then routed over the open internet
18:23 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:24 -!- sim0n [sim0n@je.je] has quit [Quit: Lost terminal]
18:26 -!- pcard [~pc@bujumbura.dreamhost.com] has quit [Changing host]
18:26 -!- pcard [~pc@unaffiliated/jl-picard] has joined ##openvpn
18:30 < oracle> !linnat
18:30 < vpnHelper> oracle: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
18:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Quit: I am off]
18:58 -!- jaminja_ [~jaminja@74.81.170.5] has joined ##openvpn
18:59 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Ping timeout: 255 seconds]
19:02 -!- fipu [~fipu@ulul.ch] has quit [Ping timeout: 264 seconds]
19:05 -!- raw_ [~raw@chipotle118.server4you.de] has quit [Ping timeout: 272 seconds]
19:10 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
19:11 -!- fipu [~fipu@62.75.187.155] has joined ##openvpn
19:13 -!- raw_ [~raw@chipotle118.server4you.de] has joined ##openvpn
19:45 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
20:02 < krzee> [16:26]  <oracle> my vpn goes down and the frackin connections are then routed over the open internet
20:02 < krzee> oracle, you can stop using def1
20:03 < krzee> def1 allows your routing to still work when you get disconnected
20:03 < krzee> without it, you will lose connectivity if your vpn drops
20:03 < krzee> if no connection is considered better than open connection, you do not want def1
20:03 < krzee> !def1
20:03 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
20:10 -!- oracle_ [~oracle@unaffiliated/spice] has joined ##openvpn
20:13 -!- oracle [~oracle@unaffiliated/spice] has quit [Ping timeout: 265 seconds]
20:20 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
20:21 -!- oracle_ [~oracle@unaffiliated/spice] has quit [Quit: leaving]
20:32 -!- jaminja_ [~jaminja@74.81.170.5] has quit [Quit: "eternal trails in netvoid"]
20:32 < vpnHelper> RSS Update - forum: Server Administration :: Re: [Advanced Problem] Bypass restrictive network via HTTPS :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7064&p=7742#p7742>
20:38 -!- krzee [~k@unaffiliated/krzee] has quit [Remote host closed the connection]
20:43 -!- Elwell [~elwell@freenode/staff/elwell] has quit [Ping timeout: 240 seconds]
20:52 < tjz> have a question
20:53 < tjz> does traffic flow through openvpn will 'nuke' the entire server(running openvpn)  down ?
20:55 < theDoc> tjz> Yes, if you are throwing more traffic at it than it can handle.
20:56 < theDoc> but under normal operating circumstances? Probably not.
20:59 < tjz> there is some kernel message
21:00 < tjz> maybe the traffic 'nuke' down the kernel..
21:00 < tjz> and bring whole server down :(
21:00 < theDoc> Some kernel message? Do you have the message?
21:00 < tjz> don't have any :(
21:02 -!- pcard [~pc@unaffiliated/jl-picard] has quit [Remote host closed the connection]
21:20 < theDoc> tjz> Would you like a cookie in the meantime?
21:31 < Dougy> WOT
21:31 < Dougy> theDoc: msn me
21:33 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
21:33 < Dougy> why am i on bsd 7.2
21:38 < vpnHelper> RSS Update - forum: Server Administration :: Connecting to different servers from one client. :: Author sathuli <https://forums.openvpn.net/viewtopic.php?f=4&t=7070&p=7735#p7735> || Configuration :: Bridge kills LAN interface which handles DHCP and internet :: Author huntly001 <https://forums.openvpn.net/viewtopic.php?f=6&t=7069&p=7734#p7734> || Configuration :: Configure Openvpn without certificate :: Author julien.c <https://forum
21:38 < tjz> theDoc, no.. lol!!
21:43 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Quit: leaving]
21:43 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
21:48 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Client Quit]
21:49 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
21:53 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Client Quit]
21:53 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
21:53 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Client Quit]
21:54 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
22:06 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Quit: leaving]
22:06 -!- UnterPerro [~UnterPerr@32.161.254.66] has joined ##openvpn
22:07 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
22:19 < krzie> !route
22:19 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
22:19 < vpnHelper> RSS Update - forum: Server Administration :: Re: Connecting to different servers from one client. :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7070&p=7743#p7743> || Server Administration :: Re: Adapter Speed :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7066&p=7745#p7745> || Scripting and Customizations :: Re: Automatic reconnection of OpenVpn in Windows XP ? :: Reply ... <https://forums.open
22:26 < vpnHelper> RSS Update - forum: Server Administration :: Re: strange 2.1.3 routing table at WinXP Pro :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7061&p=7747#p7747> || Configuration :: Re: Routing problem with OpenVPN on Linux :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7046&p=7746#p7746>
22:28 < krzie> !as
22:28 < vpnHelper> krzie: "as" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
22:28 < vpnHelper> krzie: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
22:29 -!- krzie is now known as krzee
22:32 < vpnHelper> RSS Update - forum: Configuration :: Re: services :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7062&p=7748#p7748> || Configuration :: Re: services :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7062&p=7749#p7749>
22:36 < krzee> gh0zt, are you adam on the forum?
22:38 < vpnHelper> RSS Update - forum: Server Administration :: Re: 2.1.1 Hangs with General protection rip error :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7067&p=7750#p7750>
22:49 < krzee> [14:42]  <BrokenAnimator> Noob question: Is there a way to configure openVPN to only route certain programs, and leave others?
22:49 < krzee> !someroute
22:49 < vpnHelper> krzee: Error: "someroute" is not a valid command.
22:49 < krzee> !factoids search route
22:49 < vpnHelper> krzee: 'winroute', 'iroute', 'router', 'route', 'routebyapp', 'route_outside_openvpn', 'dlink_static_route', and 'route_outside_ovpn'
22:49 < krzee> !routebyapp
22:49 < vpnHelper> krzee: "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
22:50 < krzee> !authpass
22:50 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
22:50 < vpnHelper> RSS Update - forum: Off Topic, Related :: Re: Connexion to Openvpn Server without Openvpn Client :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=1&t=7071&p=7752#p7752>
23:03 < vpnHelper> RSS Update - forum: Configuration :: Re: Solution Please!!! :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7056&p=7753#p7753>
23:04 -!- fbh [fbh@lucifer.frands.net] has quit [Changing host]
23:04 -!- fbh [fbh@unaffiliated/fbh] has joined ##openvpn
23:05 < krzee> if anyone is skilled in the art of MTU play, i woiuld be interested in reading the response to this one...
23:05 < krzee> https://forums.openvpn.net/viewtopic.php?f=4&t=7017
23:05 < vpnHelper> Title: OpenVPN Support Forum View topic - MTUs, fragment, mssfix (at forums.openvpn.net)
23:09 < vpnHelper> RSS Update - forum: Configuration :: Re: Connect Success - now what :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7047&p=7754#p7754>
23:19 < kraut> moin
23:52 -!- WinstonSmith [~true@e179005050.adsl.alicedsl.de] has joined ##openvpn
23:53 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
--- Day changed Tue Sep 07 2010
00:12 -!- WinstonSmith [~true@e179005050.adsl.alicedsl.de] has quit [Remote host closed the connection]
00:20 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 252 seconds]
00:35 -!- ping-pong [~qwerty@212-30-223-89.static.simnet.is] has quit [Ping timeout: 240 seconds]
00:36 < dabb> !welcome
00:36 < vpnHelper> dabb: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
00:36 -!- ping-pong [~qwerty@212-30-223-89.static.simnet.is] has joined ##openvpn
00:36 < dabb> !redirect
00:36 < vpnHelper> dabb: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
00:57 -!- ping-pong [~qwerty@212-30-223-89.static.simnet.is] has quit [Ping timeout: 276 seconds]
00:58 -!- ping-pong [~qwerty@212-30-223-89.static.simnet.is] has joined ##openvpn
01:43 -!- UnterPerro [~UnterPerr@32.161.254.66] has quit [Quit: UnterPerro lives to save another day]
01:55 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Remote host closed the connection]
02:06 -!- Invis2 [~jim@81.187.253.171] has joined ##openvpn
02:07 < Invis2> !welcome
02:07 < vpnHelper> Invis2: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:13 < Invis2> I'm thinking of bonding a few internet connections together using openvpn... I have access to a server in a datacenter with a fat pipe and a few wifi connections nearby, is it possible to bond these connections together at this end (either connecting to them with a wifi ethernet bridge or usb adapters) and connect them to the server at the other end to get better throughput?
02:54 -!- dazo_afk is now known as dazo
02:56 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:24 < reiffert> Invis2: bonding is a matter of the operating system.
03:35 < Invis2> reiffert: So assuming I can bond the interfaces (I will be using linux at each end) it should work?  I've been googling for a bit and it seems people have had throughput issues when bonding openvpn connections.
03:36 < reiffert> be aware of how bonding actually works.
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:39 < Invis2> well, I think I know how it works but am not 100% on it which is why I thought I'd ask, can you shed any light on what the issues might be?
03:39 -!- jimbo [~jimbo@r74-192-149-9.gtwncmta01.grtntx.tl.dh.suddenlink.net] has joined ##openvpn
03:40 < jimbo> Er.. so is OpenVPN no longer free as in beer?  What's all this about license keys?
03:42 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: Connection reset by peer]
03:43 < jimbo> !welcome
03:43 < vpnHelper> jimbo: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:51 < reiffert> Invis2: bonding does not add bandwidth, but instead work as a multilink. One connection will use one link, another connection will use the other.
03:52 < reiffert> Invis2: the thing you can choose is the "what is a connection", e.g. using HP Switches, a connection is a pair of "SRC DST Mac Address"
03:52 < reiffert> (always regarding at bonding)
03:53 < reiffert> Invis2: expensive cisco hardware handles "SRC DST IP" pairs
03:54 < reiffert> Invis2: where as linux got somthing similar, at least what I was reading about in 2.2 kernels.
03:54 < reiffert> Invis2: no idea how bonding connection pairs get determined with recent linux kernels.
03:55 < reiffert> My guess is, that "SRC DST Mac Address" Pairs will be the default.
03:59 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
04:04 < Invis2> I'm under the impression the packets are load balanced and sent down each pipe, similar to MLPPP (which is supported by the linux kernel). You obviously understand the technical details better than me but it seems there has been some success increasing the throughput (even for single connections) but the speed increase doesn't seem to equal the total bandwith of the connections minus the VPN overhead for some reason.
04:14 -!- le0_ [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has joined ##openvpn
04:18 < d12fk> morning all. is there a way to tell openvpn to set a host route to the server on the client?
04:20 < dazo> d12fk: you only have --route and --iroute which needs to be added on the client side, which of course can be --push'ed from the server
04:23 < dazo> Invis2: I don't see the real issue, to be honest ... if OpenVPN listens/connects to the bonded interface ... the rest of the infrastructure should make sure the packets are transported correctly, the kernel will put these packets together and send them properly to the OpenVPN process ... but I'm not sure I've understood your issue perfectly
04:23 < jimbo> "Access Server" is optional, yes?  We can't pay.
04:23 < dazo> jimbo: yeah, go for the community version to use the 100% open source version
04:24 < jimbo> dazo: Cool, I set ovpn up a few years ago and it looks the entire landscape changed..
04:24 < d12fk> dazo: that won't do the trick as --route always routes into the tunnel, the peer should be reached via the default gw or whatever
04:25 < d12fk> this is needed when a pushed  remote subnet contains the public IP address the client connected to
04:26 < dazo> d12fk: --route modifies the system routing table ... and should support setting whatever gateways you have ... it should also support 'macros' like vpn_gateway, net_gateway and remote_host
04:26 < dazo> --route network/IP [netmask] [gateway] [metric]
04:27 < dazo> so you can do:  --route 0.0.0.0 0.0.0.0 net_gateway
04:27 < d12fk> dazo: thanks, I overraed the "special keywords" part. I stand corrected. Thanks for the help!
04:27 < dazo> d12fk: no prob :)
04:29 < dazo> jimbo: well, OpenVPN Technologies have done quite some stuff with their Access Server ... but the Community version is practically the same as before, just probably enhanced since last time you checked ... but if you used OpenVPN 1.x last time, a lot has happened indeed
04:31 < Invis2> dazo: thats my understanding but I'm yet to try it so was wondering if anybody had experience with the setup as I have read there have been issues getting decent speeds, I guess there's only one way to find out...
04:32 < reiffert> Invis2: you are wrong (MLPPP)
04:32 < reiffert> Invis2: no bonding dismantles and reassembles a tcp connection.
04:33 < dazo> Invis2: well, in my setups I'm often getting 95-97% of the max connection speed when putting stuff via a OpenVPN tunnel ... so it's definitely a configuration issue ... but the reasons might be diverse
04:37 < Invis2> reiffert: then how does MLPPP increase a TCP session's throughput?
04:37 -!- Kasanoba [~Kasanoba@121.1.41.148] has joined ##openvpn
04:39 < Kasanoba> how to make openvpn fast.?
04:39 < Kasanoba> what i mean my lan speed max speed is 2mbs
04:39 < theDoc> Aha, that's a good question. I usually start by getting a good uplink to the internet and perhaps, not using 2 tin cans and a string would help pretty much too.
04:40 < theDoc> If you're on a local lan, why on earth would you need a vpn server for localized clients?
04:40 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:41 < Kasanoba> is it mean that if what my real connection speed, is what my max connection in vpn.?
04:41 < theDoc> You're not making sense.
04:41 < theDoc> There are plenty of things which can affect connectivity to the vpn server and beyond.
04:42 < theDoc> Going from speeds on the NIC to global internet traffic loads to uplink speeds.
04:42 < theDoc> Kasanoba> What's the problem that you're facing?:)
04:43 < Kasanoba> thedoc, my real lan speed max is 2mbs
04:43 < theDoc> Kasanoba> Where is your vpn server located?
04:43 < theDoc> Hang on, you're only able to push 2mbit/s on a local lan?!?
04:43 < Kasanoba> is it mean even what vpn fast server, my max connection is 2mbs.?
04:44 < Kasanoba> us thedoc
04:44 < theDoc> Yes, generally it takes the lowest speed across the entire path.
04:44 < Kasanoba> yeah, im using smartbro
04:44 < Invis2> reiffert: http://bsdtips.org/index.php/Mersault/MultiLink_PPP thats how I read it.
04:44 < vpnHelper> Title: Mersault/MultiLink PPP - Bsdtips (at bsdtips.org)
04:44 < theDoc> ergh, philippines.
04:45 < Kasanoba> yeah
04:45 < Kasanoba> but when i see other, in speedtest, their using vpn same as me, but the speed is going 20mb
04:45 < theDoc> Kasanoba> Yes, as a rule of thumb, your fastest speed is the slowest link in the entire path.
04:48 < Kasanoba> so the doc
04:48 < Kasanoba> even i rent a vpn server using 1gb of speed, still the max of it is 2mbs because my real lan max speed is 2mbs
04:49 < theDoc> Kasanoba> I really do not understand why you only get 2mb/s across a local LAN. Are you talking about the local LAN or your internet uplink?
04:49 < Kasanoba> mmmm
04:49 < Kasanoba> my net connection max 2mbs
04:50 < Kasanoba> my isp
04:50 < theDoc> Then yes, you're stuck to 2mb/s.
04:50 < theDoc> No more than that.
04:50 < theDoc> Most likely lower even.
04:50 < Kasanoba> is it vpn can do help.?
04:51 < theDoc> No, the vpn is not going to help you on that.
04:51 < Kasanoba> why is that my friend same as me the isp
04:52 < Kasanoba> but when he use vpn, his speed going 40+mb
04:52 < theDoc> Kasanoba> If anyone is going to sell you a vpn service that claims to be able to "bypass" link throttles, it doesn't work that way.
04:52 < theDoc> That's what I can assure you.
04:53 < Kasanoba> i thought vpn makes my browsing fast, because the server is fast
04:53 < theDoc> The moment you dial up to your ISP, they *already* send the CIR that you are assigned to.
04:53 < theDoc> You aren't going to be bypassing that. If everyone could do that, ISP's would go out of business.
04:54 < Kasanoba> yeah
04:54 < theDoc> Kasanoba> Is he testing speed test in an area where the vpn server is located?
04:54 < Kasanoba> thanks 
04:54 < Kasanoba> he download in torrent, watching youtube without stopping
04:54 < Kasanoba> something like that
04:55 < Kasanoba> real very fast in browsing
04:55 < theDoc> Kasanoba> I do that too, and maybe it's because he has more than a 2mbit connection.
04:55 < Kasanoba> were same using smartbro
04:55 < Kasanoba> but he not want to share
04:56 < Kasanoba> thats why i go here and ask 
04:56 < theDoc> Kasanoba> I'm sorry to hear that he doesn't want to share and all but I can safely assure you that the vpn isn't going to turn your 2mbit line into a 200mbit line.
04:57 < Kasanoba> ok Thanks
04:57 < Kasanoba> :)
04:58 < theDoc> Time to go.
04:58 < theDoc> o
04:58 -!- theDoc [~Link@unaffiliated/thedoc] has left ##openvpn ["Leaving"]
04:58 -!- Kasanoba [~Kasanoba@121.1.41.148] has quit []
05:01 -!- takamichi [~pri@pm303-98-27.keyworld.net] has quit [Ping timeout: 264 seconds]
05:01 -!- takamichi [~pri@94-23-148-250.ovh.net] has joined ##openvpn
05:06 < krtek> I have set up ccd for another client
05:06 < krtek> But I can not see his other nodes...
05:08 < krtek> /etc/init.d/openvpn restart perhaps?
05:12 < krtek> That worked
05:13 < krtek> Thanks krtek
05:15 < hyper_ch> ???
05:15 < reiffert> Invis2: MLPPP is not bonding.
05:15  * krtek thinks both Kasanoba and theDoc should learn that bandwidth and speed is 2 different things.
05:16 < reiffert> Invis2: bonding works the way I was describing above.
05:21 < Invis2> reiffert: I'm not concerned with the semantics, just want something that works :)
05:21 < jimbo> How do I assign static IPs to my clients?  Is this done at the client end (like usual when not discussing VPNs) or at the server?
05:23 < Invis2> jimbo: I think you can do it either way, I put it in the clients config if I remember correctly (haven't setup openvpn for about a year)
05:24 < jimbo> Invis2: I would think so too, however all I found so far is "ifconfig-push" which pushes stuff from server to client
05:25 < jimbo> I suppose it's fine.  Doesn't hurt to keep my addressing scheme centralized
05:25 < reiffert> Invis2: "zero care" means "pay for it"
05:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
05:31 -!- krzee [krzee@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
05:39 -!- takamichi [~pri@94-23-148-250.ovh.net] has quit [Ping timeout: 245 seconds]
05:39 -!- takamichi [~pri@pm303-98-27.keyworld.net] has joined ##openvpn
05:40 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
06:00 < hyper_ch> reiffert: hi there
06:07 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
06:10 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
06:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
06:13 -!- mohi666 [~yaaic@c-24-130-216-80.hsd1.ca.comcast.net] has joined ##openvpn
06:19 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:24 -!- fremo___ [~fremo@noc.toile-libre.net] has quit [Read error: Connection reset by peer]
06:24 -!- _zero__ [~zero@noc.toile-libre.net] has quit [Ping timeout: 245 seconds]
06:27 -!- fremo__ [~fremo@noc.toile-libre.net] has joined ##openvpn
06:29 -!- _zero_ [~zero@noc.toile-libre.net] has joined ##openvpn
06:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:02 -!- mohi666 [~yaaic@c-24-130-216-80.hsd1.ca.comcast.net] has quit [Quit: Yaaic - Yet another Android IRC client - http://www.yaaic.org]
07:12 -!- Capkirk [~thomas@0133300189.0.fullrate.dk] has joined ##openvpn
07:12 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
07:14 < Capkirk> would it be possible to bridge two geographical locations in a road warrior setup style (hence one point connects to the other) ?
07:15 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
07:16 < reiffert> Capkirk: when road warriors are "openvpn clients", then it is not possible.
07:17 < reiffert> Capkirk: what you can do is to bridge them using the help of a openvpn server.
07:17 < Capkirk> reiffert: ok maybe my question was not very clear :)
07:19 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
07:19 < Capkirk> reiffert: i have 2 geographical locations i want to bridge so i get the same lan prefix both places lets say 192.168.10.1/24 but the one firewall/vpn box is behind a firewall i dont control hence the initializing needs to come from this box to the other firewall/vpn
07:19 < Capkirk> in a normal bridging setup this can't be done since both vpnservers need to know each others global ipadresse
07:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:20 < Capkirk> so the question is; is this neccesary?
07:20 < reiffert> you are wrong for "in a normal ... setup"
07:20 < Capkirk> aha
07:21 < Capkirk> i just read the bridging setup guide on openvpn.net and here it seems both entrypoints is configured with each others global ipadresse?
07:21 < reiffert> and if your bridge isnt the subnet gateway, it will work as well.
07:22 < reiffert> Capkirk: you will have a tap device on each side. once you are here, build a bridge with the LAN Adapter
07:22 < reiffert> building bridges with lan adapters look like this:
07:22 < reiffert> before:
07:22 < reiffert> lan-if: 1.2.3.4
07:22 < reiffert> after:
07:22 < reiffert> bridge: 1.2.3.4
07:22 < reiffert> bridge-members: lan-if, tap0
07:23 < Capkirk> aha
07:23 < reiffert> you can have a bridge with a single member of course and add the tap interfaces after the openvpn connection has been established.
07:23 -!- fremo__ [~fremo@noc.toile-libre.net] has quit [Read error: Connection reset by peer]
07:23 -!- _zero_ [~zero@noc.toile-libre.net] has quit [Read error: No route to host]
07:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
07:27 < reiffert> sorry, I meant: add the tap interface once the openvpn process is running (on the server side)
07:29 -!- _zero_ [~zero@noc.toile-libre.net] has joined ##openvpn
07:29 -!- fremo__ [~fremo@noc.toile-libre.net] has joined ##openvpn
07:34 -!- Invis2 [~jim@81.187.253.171] has quit [Quit: Leaving.]
07:34 -!- Invis2 [~jim@81.187.253.171] has joined ##openvpn
07:39 -!- Invis2 [~jim@81.187.253.171] has quit [Ping timeout: 245 seconds]
07:50 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
08:12 -!- km2010 [~chris@209.250.146.220.tor.pathcom.com] has joined ##openvpn
08:14 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:30 -!- Capkirk [~thomas@0133300189.0.fullrate.dk] has quit [Quit: leaving]
09:01 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:04 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
09:06 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
09:12 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
09:19 -!- mattock [~samuli@gprs-prointernet-ffebc200-197.dhcp.inet.fi] has joined ##openvpn
09:19 -!- mode/##openvpn [+o mattock] by ChanServ
09:26 -!- Cisien [~chris@2001:470:e883:0:d862:7ca4:b940:22b3] has quit []
09:26 -!- Cisien [~chris@2001:470:e883:0:d862:7ca4:b940:22b3] has joined ##openvpn
09:44 -!- WinstonSmith [~true@e179005050.adsl.alicedsl.de] has joined ##openvpn
09:46 -!- Cisien [~chris@2001:470:e883:0:d862:7ca4:b940:22b3] has quit []
09:46 -!- Cisien [~chris@2001:470:e883:0:d862:7ca4:b940:22b3] has joined ##openvpn
10:07 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
10:18 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
10:20 -!- SOG_ [~SOG@222.125.226.128] has joined ##openvpn
10:20 -!- SOG_ [~SOG@222.125.226.128] has quit [Remote host closed the connection]
10:21 -!- SOG_ [~SOG@n1164871214.netvigator.com] has joined ##openvpn
10:22 -!- SOG_ [~SOG@n1164871214.netvigator.com] has quit [Client Quit]
10:24 -!- SOG [~SOG@61.144.230.241] has quit [Ping timeout: 255 seconds]
10:26 -!- Cisien [~chris@2001:470:e883:0:d862:7ca4:b940:22b3] has quit []
10:26 -!- Cisien [~chris@2001:470:e883:0:d862:7ca4:b940:22b3] has joined ##openvpn
10:31 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 276 seconds]
10:34 -!- mattock1 [~samuli@dyn55-11.yok.fi] has joined ##openvpn
10:34 -!- mode/##openvpn [+o mattock1] by ChanServ
10:36 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
10:36 -!- mattock [~samuli@gprs-prointernet-ffebc200-197.dhcp.inet.fi] has quit [Ping timeout: 252 seconds]
10:37 -!- Invis1 [~jim@81.187.253.171] has joined ##openvpn
10:45 -!- Muty [~amir@unaffiliated/muty] has joined ##openvpn
10:45 < Muty> !welcome
10:45 < vpnHelper> Muty: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:45 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
10:45 < Muty> !route
10:45 < vpnHelper> Muty: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:47 < Muty> Hey people, question (I am not a networking pro and I dont do this professionally): I have a openvpn server for private usage, works perfect. Now I have some friends who want to join the vpn. But I dont want to give them access to my private network. How would you solve this? Create a new openvpn server instance? Create custom rules with client-config-dir?
10:56 -!- Synthead [~max@69.15.218.1] has joined ##openvpn
10:57 < Synthead> I'm having a problem with compiling openvpn.  It's complaining about not seeing LZO headers, although I have the latest LZO packages installed
10:57 < Synthead> checking for lzo1x.h... no
10:57 < Synthead> LZO headers were not found
10:57 < Synthead> LZO library available from http://www.oberhumer.com/opensource/lzo/
10:57 < Synthead> configure: error: Or try ./configure --disable-lzo
10:57 < vpnHelper> Title: oberhumer.com: LZO real-time data compression library (at www.oberhumer.com)
10:57 < Synthead> local/lzo2 2.03-1 (base)
10:57 < Synthead>     Portable lossless data compression library written in ANSI C
10:59 < reiffert> and you --configure options are?
11:00 < Synthead> ../configure --host=armv5b-softfloat-linux --prefix=/home/max/simplifymd/projects/faxfinder/sources/openvpn-2.1.3/build/compiled
11:00 < Synthead> I ma cross compiling
11:00 < reiffert> check the configure script for what it needs here.
11:00 < Synthead> does this mean that I need to compile lzo for my other arch first?
11:00 < reiffert> of course.
11:07 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
11:19 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has quit [Quit: Leaving.]
11:28 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:39 < Synthead> okay, I switched the paths up a bit and compiled some stuff, but I'm running into another issue:
11:39 < Synthead> checking for lzo1x.h... yes
11:39 < Synthead> checking for lzo1x_1_15_compress in -llzo... no
11:39 < Synthead> configure: error: LZO headers were found but LZO library was not found
11:43 -!- Muty [~amir@unaffiliated/muty] has left ##openvpn []
11:48 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Quit: leaving]
11:49 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
11:52 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
11:57 -!- km2010 [~chris@209.250.146.220.tor.pathcom.com] has left ##openvpn []
11:57 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Quit: leaving]
11:57 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
12:16 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: Leaving]
12:22 -!- krzee [krzee@unaffiliated/krzee] has joined ##openvpn
12:24 -!- dazo is now known as dazo_afk
12:25 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
12:30 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Client Quit]
12:43 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Quit: ZNC - http://znc.sourceforge.net]
12:44 -!- fahadsadah [fahad@equal.cluenet.org] has joined ##openvpn
12:44 -!- fahadsadah [fahad@equal.cluenet.org] has quit [Changing host]
12:44 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
13:10 -!- foristh [~michal@178-36-106-244.adsl.inetia.pl] has joined ##openvpn
13:11 < foristh> !welcome
13:11 < vpnHelper> foristh: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:11 < foristh> !/30
13:11 < vpnHelper> foristh: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
13:18 -!- foristh [~michal@178-36-106-244.adsl.inetia.pl] has quit [Quit: Lost terminal]
13:20 -!- mattock [~samuli@gprs-prointernet-ff666a00-89.dhcp.inet.fi] has joined ##openvpn
13:20 -!- mode/##openvpn [+o mattock] by ChanServ
13:24 -!- mattock1 [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
13:28 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
13:29 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 240 seconds]
13:33 -!- mattock1 [~samuli@dyn55-11.yok.fi] has joined ##openvpn
13:33 -!- mode/##openvpn [+o mattock1] by ChanServ
13:33 < jimbo> !topology
13:33 < vpnHelper> jimbo: "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
13:38 -!- mattock [~samuli@gprs-prointernet-ff666a00-89.dhcp.inet.fi] has quit [Ping timeout: 272 seconds]
13:38 -!- mattock1 [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
13:53 < jimbo> Is setting static IPs with ipp.txt and "topology subnet" strong enough to use ip-based authentication in my applications?
13:53 < hyper_ch> jimbo: I don't think so
13:53 < jimbo> In other words, can a client ignore what ipp.txt suggests and take some other address in the subnet?
13:53 < hyper_ch> better use ccds
13:54 < jimbo> yeah, I suppose I will
13:54 < jimbo> Does the actual client `hostname` have to match what the ccd says
13:54 < jimbo> or can it be whatever's mentioned in the config files?
13:54 < jimbo> I've got some clients with the same hostname :\
13:55 < hyper_ch> no, the generated key file needs to match the ccde file name
13:55 < hyper_ch> so if you named the client key file like:  client1    then use the ccd file "client1" for that client
13:55 < jimbo> gotcha, okay cool
13:55 < jimbo> So that enables me to make them unique without changing a bunch of hostnames
13:56 < hyper_ch> I think so
13:56 < hyper_ch> and I also think it prevents the same key file being used on two clients
13:56 < hyper_ch> but not sure about that
13:59 < jimbo> yes indeed, that much is true without enabling it specifically
14:03 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 258 seconds]
14:08 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
14:13 < montana> Hi, what am I doing wrong? I try to access a samba share over openvpn but it is's possible, it worked when I didn't force samba to listen to only the openvpn ip
14:13 < montana> so hard to get any real debugging information
14:14 -!- deadowl [~deadowl@132.198.220.231] has joined ##openvpn
14:14 < jimbo> montana: how can the server accept incoming clients without listening on some interface other than the VPN?
14:14 < jimbo> oh you said samba, I misunderstood :)
14:16 < montana> well I can ping etc, everything works just fine, I have added 10.8.0.0/24 to allowed hosts in samba
14:16 < Jarpse> bridged or routed?
14:16 < hyper_ch> montana: why samba and not nsf?
14:16 < montana> routed
14:16 < Jarpse> can the 10.8 part access your normal network?
14:16 < montana> because it's easier for the windows users
14:17 < montana> Jarpse: how do you mean?
14:17 < Jarpse> as in, can it access your 'other' subnet
14:17 < hyper_ch> oh... the W-word
14:17 < Jarpse> hyper_ch: shush :)
14:17 < hyper_ch> you lost me there... W-networking is always so complicated
14:17 < Jarpse> windows bashers, linux bashers, apple bashers, bsd bashers ;P
14:18 < montana> I don't really have another subnet, just the openvpn + public ip
14:19 < hyper_ch> well, networking on *nix systems seems to be much easier
14:20 < montana> inet addr:10.8.0.1  P-t-P:10.8.0.2 what does the second address mean?
14:21 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:22 < vpnHelper> RSS Update - forum: Server Administration :: Re: strange 2.1.3 routing table at WinXP Pro :: Reply by dhpark <https://forums.openvpn.net/viewtopic.php?f=4&t=7061&p=7755#p7755> || Configuration :: Re: Routing problem with OpenVPN on Linux :: Reply by AMG <https://forums.openvpn.net/viewtopic.php?f=6&t=7046&p=7751#p7751> || Scripting and Customizations :: OpenVPN on Laptop and automatically connect/disconnect :: ... <https://forums.op
14:25 < montana> I do't see port 139 open when scanning with nmap
14:26 -!- deadowl [~deadowl@132.198.220.231] has quit [Ping timeout: 265 seconds]
14:34 < montana> wireshark gives me icmp error, port unreachable for the netbios port
14:35 < Jarpse> montana: the other IP is the IP on the other side, iirc
14:35 < Jarpse> hyper_ch: depends :)
14:36 < Jarpse> windows-heads think the same about 'doze
14:36 < Jarpse> although I have to agree for a bit
14:39 < hyper_ch> Jarpse: well, I've used windows for 11 years and linux for 4 years and I think networking on linux is much simpler
14:41 < Jarpse> hyper_ch: yeah, well, comes down to own taste :)
14:41 < Jarpse> some things are _much_ easier on linnie to do quick
14:45 < Jarpse> either way, other people have problems with the openvpn client on windoze machines? (7)
14:55 < jimbo> Can I "bounce" openvpn without disconnecting clients?  I want to allow logrotate to do its thing each night.
15:12 < reiffert> jimbo: use syslog;
15:14 -!- WinstonSmith [~true@e179005050.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
15:20 -!- manevra [manevra@94.46.8.88] has joined ##openvpn
15:24 -!- jlpmorgan [~pc@unaffiliated/jl-picard] has joined ##openvpn
15:26 -!- WinstonSmith [~true@e179002218.adsl.alicedsl.de] has joined ##openvpn
15:27 < jimbo> reiffert: Is there any way I can do it and still keep a separate logfile for openvpn?
15:31 -!- WinstonSmith [~true@e179002218.adsl.alicedsl.de] has quit [Ping timeout: 252 seconds]
15:40 < vpnHelper> RSS Update - forum: Server Administration :: Re: Adapter Speed :: Reply by Andrew <https://forums.openvpn.net/viewtopic.php?f=4&t=7066&p=7759#p7759> || Off Topic, Related :: openvpn 2.1.3 will not install in windows 7 64 bit :: Author pkinc <https://forums.openvpn.net/viewtopic.php?f=1&t=7075&p=7757#p7757>
15:44 -!- krzie [~k@unaffiliated/krzee] has joined ##openvpn
15:48 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
16:09 < krtek> How does a routed setup work on a /24 net with 253 used local nodes and 2 openvpn clients?
16:15 < Bushmills> by having the two openvpn clients in an own, seperate subnet for their tun interfaces, in addition to the /24 net they're in anyway.
16:17 < Bushmills> just the same if you had only two local machines instead of 253
16:17 < krzie> you dont need 2 openvpn clients in the same lan
16:17 < krzie> !route
16:17 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:09 -!- Cisien [~chris@2001:470:e883:0:d862:7ca4:b940:22b3] has quit []
17:09 -!- Cisien [~chris@2001:470:e883:0:d862:7ca4:b940:22b3] has joined ##openvpn
17:11 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Quit: leaving]
17:13 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
17:21 -!- brah [~asdofp@190.183.62.66] has quit [Read error: Connection reset by peer]
17:37 -!- brah [~asdofp@190.183.62.66] has joined ##openvpn
17:42 -!- brah [~asdofp@190.183.62.66] has quit [Read error: Connection reset by peer]
17:58 -!- brah [~asdofp@190.183.62.66] has joined ##openvpn
18:04 -!- brah [~asdofp@190.183.62.66] has quit [Ping timeout: 252 seconds]
18:09 -!- le0_ [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has quit [Quit: Leaving]
18:10 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:12 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:19 -!- UnterPerro [~UnterPerr@166.194.42.169] has joined ##openvpn
18:33 -!- OuTFiT [~outfit@85.131.129.176] has joined ##openvpn
18:33 < OuTFiT> hoefy
18:33 < OuTFiT> *howdy
18:35 < OuTFiT> im having a problem with my vpn connection.. ive looked it up on google, and thought i figured it out, but it didnt work.. every hour or so I can a username/password prompt and lose my vpn connection.. i added 'reneg-sec 0' to my config file and i still get it.. any suggestions?
18:44 < vpnHelper> RSS Update - forum: Server Administration :: Re: Connecting to different servers from one client. :: Reply by sathuli <https://forums.openvpn.net/viewtopic.php?f=4&t=7070&p=7760#p7760> || Installation Help :: Connection stalls :: Author markr <https://forums.openvpn.net/viewtopic.php?f=5&t=7076&p=7758#p7758>
18:48 -!- UnterPerro [~UnterPerr@166.194.42.169] has quit [Quit: UnterPerro lives to save another day]
18:49 < krzie> OuTFiT, persist-key
18:49 < krzie> you probably also want persist-tun
18:52 < OuTFiT> krzie: those are already in my config
19:11 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Ping timeout: 245 seconds]
19:16 -!- OuTFiT [~outfit@85.131.129.176] has quit [Quit: Peace and Protection 4.22.2]
19:50 -!- manevra [manevra@94.46.8.88] has quit [Ping timeout: 240 seconds]
20:05 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Quit: ZNC - http://znc.sourceforge.net]
20:05 -!- hyper__ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
20:08 -!- hyper__ch [~hyper_ch@ks357331.kimsufi.com] has quit [Excess Flood]
20:08 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
20:20 -!- Invis1 [~jim@81.187.253.171] has left ##openvpn []
20:24 -!- cyntek [~nnscript@cpe-76-94-31-248.socal.res.rr.com] has joined ##openvpn
20:25 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
20:27 < cyntek> I have some question before i install openvpn for my home network. Is openvpn suitable for home network and if so, running openvpn on windows systems such as xp and win7, how problematic is the configuration for a home network ?
20:31 < theDoc> Depends on what you intend to do with openvpn.
20:36 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
20:37 < cyntek> theDoc well generally, only for home use security safer web browsing and banking would be preferred
20:40 < cyntek> and running appache to learn.
20:43 < theDoc> I fail to see how setting up an openvpn server at home is going to increase security for "web browsing and banking".
20:43 < theDoc> I could see the point if you're connecting out of an untrusted network but on the same local LAN?
20:44 < cyntek> so, no go with openvpn would be not worth running.
20:44 < cyntek> k, thanks.
21:33 < vpnHelper> RSS Update - forum: Installation Help :: OpenVPN tries to start before WiFi up, so no IP available :: Author AMG <https://forums.openvpn.net/viewtopic.php?f=5&t=7077&p=7761#p7761>
21:34 -!- SOG [~SOG@61.144.230.241] has quit [Remote host closed the connection]
21:35 -!- SOG_ [~SOG@61.144.230.241] has joined ##openvpn
21:36 -!- SOG_ [~SOG@61.144.230.241] has quit [Client Quit]
21:42 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Quit: Leaving.]
21:43 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
21:43 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Client Quit]
21:56 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
21:59 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 272 seconds]
22:09 -!- riversky [~neo@c-68-63-239-8.hsd1.fl.comcast.net] has joined ##openvpn
22:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
22:14 < riversky> I'm having this issue http://pastebin.com/7SRDSZPL can anybody help me out?
22:18 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
22:53 -!- cyntek [~nnscript@cpe-76-94-31-248.socal.res.rr.com] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com ) Nuked Internet !]
23:05 < Bushmills> that's not an openvpn error message
23:11 < Cisien> as a co worker of mine once stated... "Fix your script."
23:12 < reiffert> moin
23:12 < Bushmills> grias di
23:15 -!- gh0zt [~adam@unaffiliated/gh0zt] has quit [Remote host closed the connection]
23:17 -!- UnterPerro [~UnterPerr@166.132.161.136] has joined ##openvpn
23:25 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has joined ##openvpn
23:36 < reiffert> Bushmills: early wake up?
23:36 < Bushmills> late, actually
23:37 < reiffert> :)
23:37 < reiffert> I'm late 15 minutes as well...
23:37 < Bushmills> got to catch the train
23:37 < reiffert> cuuu
23:54 -!- MrPocketz [~JimmyCrac@unaffiliated/mrpockets] has joined ##openvpn
23:54 < MrPocketz> Ello1
23:55 < MrPocketz> Every time i try to install OpenVPN GUI, the tap nic doesn't install
23:55 < MrPocketz> can someone shove me in the right direction? ran it in compatability mode @ Vista, ran it as admin. using 4 bit win7
23:55 < MrPocketz> 64, even
--- Day changed Wed Sep 08 2010
00:15 -!- MrPocketz [~JimmyCrac@unaffiliated/mrpockets] has quit [Read error: Connection reset by peer]
00:26 -!- UnterPerro [~UnterPerr@166.132.161.136] has quit [Quit: UnterPerro lives to save another day]
00:30 -!- riversky [~neo@c-68-63-239-8.hsd1.fl.comcast.net] has quit [Ping timeout: 245 seconds]
00:36 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has quit [Read error: Connection reset by peer]
00:46 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has joined ##openvpn
01:21 -!- WinstonSmith [~true@f052100087.adsl.alicedsl.de] has joined ##openvpn
01:24 -!- WinstonSmith [~true@f052100087.adsl.alicedsl.de] has quit [Client Quit]
01:25 -!- WinstonSmith [~true@f052100087.adsl.alicedsl.de] has joined ##openvpn
01:26 -!- WinstonSmith [~true@f052100087.adsl.alicedsl.de] has quit [Client Quit]
01:26 -!- WinstonSmith [~true@f052100087.adsl.alicedsl.de] has joined ##openvpn
01:44  * krtek does not know windows
01:50 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has quit [Ping timeout: 252 seconds]
02:11 -!- Capkirk [~thomas@0133300189.0.fullrate.dk] has joined ##openvpn
02:13 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:17 -!- krzee [krzee@unaffiliated/krzee] has quit [Ping timeout: 276 seconds]
02:24 < theDoc> Windows!
02:25 < Capkirk> is it possible to bridge more than one network on the same physical network interfaces? Fx i have 2 servers with openvpn and need to bridge 2 networks 192.168.10.1/24 and 172.20.20.1/24 ?
02:27 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
02:33 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
02:39 < reiffert> Capkirk: yes.
02:40 < reiffert> Capkirk: yes as in: it is possible to bridge more than one ***INTERFACE*** on the same physical ***BRIDGE***"
02:40 < reiffert> Capkirk: and no: bridging is not about bridging networks.
02:41 < reiffert> Capkirk: before briding:
02:41 < reiffert> interface eth0, ip: 1.2.3.4
02:41 < reiffert> after briding:
02:41 < reiffert> interface bridge0, ip: 1.2.3.4
02:41 < reiffert> bridge-members: eth0, tap0, whatever0, andsoon
02:42 < krzee> hehe that reads 'and soon' to me
02:42 < krzee> moin moin reiffert =]
02:42 < Capkirk> reiffert: thank you for taking the time to explaing it to me
02:42 < reiffert> moin moin moin, and soon his bridge explodes.
02:43 < reiffert> Capkirk: you are welcome
02:44 -!- isti [~isti@dhcp66.neptun.vein.hu] has joined ##openvpn
02:44 < krtek> Capkirk: I have 7 openVPN clients, hooking to the same OpenVPN Server
02:44 < reiffert> krtek: ?
02:45 < isti> !welcome
02:45 < vpnHelper> isti: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:45 < reiffert> stable rsync 3.0.7 is broken.
02:45 < reiffert> -HEAD is as well.
02:45 < krtek> reiffert: Capkirk asked about putting more LANs together, right? I have 8 LANs hooked together using one linknet
02:45 < isti> !interface
02:45 < vpnHelper> isti: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
02:46 < reiffert> krtek: you said: I have 7 openvpn clients.
02:46 < krtek> all connecting to the same openvpn server
02:46 < reiffert> krtek: further you said: I have 8 Local Area Networks using one linknet
02:46 < reiffert> krtek: Capkirk instead is talking about building layer 2 bridges. Thanks.
02:47 < krtek> OK, I used ccd
02:48 < reiffert> krtek: still on the confusing people path? ;)
02:48 < krtek> But what is the bridging about?
02:48 < krtek> reiffert: No, I am the one who is confused apparently
02:48 < reiffert> krtek: it's about briding ***INTERFACES*** (so layer 2).
02:49 < Capkirk> reiffert: yes that was what i tried to ask about in my inadequate technical language
02:49 < reiffert> you know, multicast and broadcast and such.
02:49 < krtek> broadcast I know
02:49 < reiffert> krtek: broadcast and layer 3, what do you think about this?
02:49 < krtek> multicast I assume is when there are several broadcasts?
02:49 < reiffert> krtek: or to be explicit, broadcast and openvpn tunnels?
02:49 < krtek> The layer numbers I have no clue about
02:50 < reiffert> krzee: operator, I need an exit.
02:50 < krzee> theres a phone booth around the corner
02:50 < krtek> when you say broadcast and openvpn tunnels I think about avahi
02:50 < reiffert> krzee: "hang on" :)
02:51 < krtek> Or was that to broadcast through ssh tunnel?
02:51 < isti> does openvpn support ipv6? (for ex. broadcast addresses with radvd, or routing)
02:51 < krzee> isti, 
02:51 < krzee> !ipv6
02:51 < vpnHelper> krzee: "ipv6" is (#1) http://www.greenie.net/ipv6/openvpn.html for ipv6 payload patch (adds some nice ipv6 options), or (#2) see !snapshots for a release with ipv6 patches in it, report how it works to help it get included in a stable release
02:51 < reiffert> krzee: when people "hang up" the phone we say "aufhangen". "auf" can be translated as "on"
02:52 < reiffert> nevermind.
02:52 < krzee> haha i get it
02:52 < krzee> instead of goodbye you say hangon
02:53 < krzee> i need to get out that way sometime
02:53 < krtek> German humour
02:53 < krtek> reiffert: So what is the deal with broadcast and openvpn?
02:54 < krtek> Is there a howto? Or headline I can go search for?
02:54 < krzee> krtek, you can run a bcrelay with tun or bridge and its a layer2 vpn
02:54 < krzee> !bcrelay
02:54 < vpnHelper> krzee: Error: "bcrelay" is not a valid command.
02:54 < krzee> heh
02:54 < krzee> !bridge
02:54 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc, or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ, or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man)
02:55 < krtek> Well now I am running a routed network
02:55 < krtek> will this bridging break the routed part?
02:55 < krtek> or will this bridging be run on top of the route?
02:55 < isti> !ipv6
02:55 < vpnHelper> isti: "ipv6" is (#1) http://www.greenie.net/ipv6/openvpn.html for ipv6 payload patch (adds some nice ipv6 options), or (#2) see !snapshots for a release with ipv6 patches in it, report how it works to help it get included in a stable release
02:55 < krzee> its the opposite or=f running a routed vpn
02:55 < krzee> of*
02:56 < reiffert> krzee: well .. not instead of a goodbye but the action itself is called "to hang on the phone"
02:56 < krzee> ohhh so instead of hang up you hang on
02:56 < reiffert> yeah :)
02:56 < krtek> Hang the phone on the fork
02:57 < krtek> and then that kills the signal...
02:57 < krzee> if we hang on after the conversation ends... it is a long wait
02:57 < krzee> heheh
02:57 < reiffert> so, where's that phone around the cornen ...
02:57 < reiffert> corner
02:57 < krtek> krzee: I think reiffert is cracking austrian jokes on us now...
02:58 < krzee> im uploading the map to you now
02:59 < reiffert> bzbzzzzzztzttttzz
03:05 -!- crazygir [~jason@unaffiliated/crazygir] has quit [Ping timeout: 240 seconds]
03:06 -!- crazygir [~jason@li14-82.members.linode.com] has joined ##openvpn
03:07 -!- crazygir is now known as Guest54812
03:11 -!- Guest54812 [~jason@li14-82.members.linode.com] has quit [Ping timeout: 240 seconds]
03:12 -!- crazygir_ [~jason@li14-82.members.linode.com] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:39 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
03:40 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has left ##openvpn ["Leaving"]
03:41 -!- isti [~isti@dhcp66.neptun.vein.hu] has quit [Quit: leaving]
03:43 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
04:00 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
04:03 -!- dazo_afk is now known as dazo
04:10 -!- le0_ [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has joined ##openvpn
05:05 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 276 seconds]
05:13 -!- droutin [~droutin@gw.theralys.com] has joined ##openvpn
05:13 < droutin> eloooooooo!
05:15 < droutin> i have a bloody problem with openvpn :) i have set up client-connect and client-disconnect script to allow auto dns update, the problem is that my openvpn runs under vpn acount (wich have no shell) and i need a shell to run these commands!!! so the only way i founded was to make it run as root :(, so what should i do ???
05:20 < Capkirk> droutin: i don't know if this is secure but u could always give vpn account a shell?
05:21 < Capkirk> i guess its better than root?
05:33 < krtek> Can I run openvpn client and server on my home office firewall?
05:33 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
05:35 < krtek> server for me to login from my laptop to my dev environment
05:35 < krtek> client for me to have direct access to the main office
05:37 -!- krtek is now known as barfster
05:37 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
05:42 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:18 -!- SOG [~SOG@61.144.230.241] has quit [Read error: Connection reset by peer]
06:18 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
06:21 -!- SOG [~SOG@61.144.230.241] has quit [Client Quit]
06:23 < Capkirk> barfster: if your firewall is something you can install things on then yes
06:25 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
06:25 -!- mode/##openvpn [+o mattock] by ChanServ
06:50 -!- JackCorleone [~root@187.10.70.18] has joined ##openvpn
06:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:55 < vpnHelper> RSS Update - forum: Server Administration :: tun device was closed when starting daemon (ver2.1.3) :: Author shakemid <https://forums.openvpn.net/viewtopic.php?f=4&t=7078&p=7763#p7763>
07:00 < barfster> Capkirk: What to look out for?
07:05 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
07:37 -!- SOG [~SOG@61.144.230.241] has quit [Quit: I will be back!]
07:39 -!- deadowl [~deadowl@132.198.220.231] has joined ##openvpn
07:39 < Capkirk> barfster: you can change the shell in /etc/passwd
07:42 < barfster> I was asking about potential cavears
07:42 < barfster> caveats?
07:44 -!- Cisien [~chris@2001:470:e883:0:d862:7ca4:b940:22b3] has quit []
07:44 -!- Cisien [~chris@desktop.cisien.com] has joined ##openvpn
07:46 -!- deadowl [~deadowl@132.198.220.231] has quit [Remote host closed the connection]
07:48 < Capkirk> barfster: ahh as i said before i dont really know
07:48 < Capkirk> barfster: beside the obviuse the account will now have access to shell
08:00 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
08:04 < Capkirk> trying to do some bridging if i have 2 physical interfaces in one box one is the interface facing internet (eth0) and one is facing internal network (eth1) isn't it only the interface eth1 which i need to bridge to with the tap device?
08:29 < barfster> Capkirk: I have not clue, but your reasoning sounds reasonable.
08:34 < Capkirk> :)
08:34 -!- Capkirk [~thomas@0133300189.0.fullrate.dk] has quit [Quit: leaving]
09:03 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:10 -!- geemee [~ocs@mailhost.exterity.com] has joined ##openvpn
09:11 < geemee> Hi there, Curious if someone answer questions I have about OpenVPN to see if it is suitable for me. 
09:11 < Synthead> I'm compiling openvpn on an embedded device, and I'm not sure that it has openssl headers on it.  What can I do?
09:11 < geemee> Essentially we are wanting an SSL VPN to therefore make it easier for remoter users at hotspots / hotels to connect since 80/443 should be availible.
09:12 < geemee> Is it clientless? can it simply run in the browser ? or is an app allways downloaded? 
09:13 < geemee> I have also read about SSL sharing which I am interested in
09:18 -!- swilde [~wilde@aktaia.intevation.org] has joined ##openvpn
09:24 -!- droutin [~droutin@gw.theralys.com] has quit [Quit: WeeChat 0.3.0]
09:24 < swilde> Hi *,  I'm confused by a (seemingly?) contradiction in the documentation of ifconfig-push in the man page and the HowTo:
09:24 < swilde> The man page states: "ifconfig-push local remote-netmask" while the HOWTO says: "Each pair of ifconfig-push addresses represent the virtual client and server IP endpoints"
09:24 < swilde> so the question is: is ought the secend argument to be an netmask or another host ip address?
09:25 < Synthead> any thoughts about the ssl headers?
09:28 < kisom> geemee: There is no "web" in openvpn at all
09:29 < kisom> geemee: And it's heavily based on openssl, hence you need the headers
09:29 < geemee> kisom: sorry can you clarify on no "web"
09:29 < kisom> geemee: It cannot run in the browser.
09:29 < geemee> I thought there was a "login page" similar to aventail ssl
09:29 < geemee> Hmmm what am I thinking of then !
09:29 < kisom> Huh?
09:30 < vpnHelper> RSS Update - forum: Server Administration :: Client fails to start on Win7 x64 - Entry point not found :: Author vva <https://forums.openvpn.net/viewtopic.php?f=4&t=7079&p=7764#p7764>
09:30 < kisom> You mean a captive portal? Those wont allow SSL or HTTP traffic to bypass without paying
09:30 < kisom> at least not on commercial hotspots
09:31 < geemee> Kisom: Paying isnt the problem.. It appears some places restrict access to just web, hence pptp wont work
09:31 < kisom> Okay, well.. What type of hardware are we talking about that openssl does not support?
09:33 < geemee> kisom: I think we have crossed lines.. I am wanting to make VPN more accessible by using ssl vpn. currently some places users experience pptp vpn problems since the hotel / hotspot doesnt allow "full internet" just broswing
09:33 < kisom> geemee: Sorry, mixed you together with someone else... Yes, you can do that
09:34 < kisom> Just run the openvpn server on TCP/443 and it should work fine
09:34 < geemee> and ssl sharing?
09:34 < kisom> Haven't tried that. I'd recommend putting up the VPN on another IP address
09:35 < kisom> openvpn does support sharing a single port with SSL, but i think all requests would appear to come from localhost in your web server logs.
09:35 < geemee> I think seperate IP will ultimatly be easier. 
09:35 < kisom> Yes, I agree.
09:36 < geemee> cheers for your help.... off to a phone meeting
09:36 -!- geemee [~ocs@mailhost.exterity.com] has quit [Remote host closed the connection]
09:41 -!- rawDawg [~rawdawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
09:41 -!- riversky [~neo@c-68-63-239-8.hsd1.fl.comcast.net] has joined ##openvpn
09:42 -!- funkyHat [~m@funkyhat.org] has quit [Ping timeout: 276 seconds]
09:44 -!- funkyHat [~m@funkyhat.org] has joined ##openvpn
09:44 -!- d12fk [~heiko@vpn.astaro.de] has quit [Ping timeout: 258 seconds]
09:47 -!- d12fk [~heiko@vpn.astaro.de] has joined ##openvpn
09:58 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
10:01 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
10:15 -!- crazygir_ [~jason@li14-82.members.linode.com] has quit [Changing host]
10:15 -!- crazygir_ [~jason@unaffiliated/crazygir] has joined ##openvpn
10:19 -!- grapsus [~grapsus@rai21-4-88-179-127-17.fbx.proxad.net] has joined ##openvpn
10:20 -!- crazygir_ is now known as crazygir
10:26 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
10:27 -!- pif [~ldm@zenon.apartia.fr] has joined ##openvpn
10:33 < pif> hi, how can I use openvpn to appear to use an IP of a host that has only one public IP?
10:40 < jpalmer> I'm not sure I understand the question, pif.
10:42 < pif> I have a remote host with one public IP, and I'd like to use that host as my default route, so that my packets appear to come from it
10:42 < pif> can I do that with ovpn?
10:47 < jpalmer> yes.
10:48 < jpalmer> !route
10:48 < vpnHelper> jpalmer: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:49 < jpalmer> thats not the one I was looking for.   one sec.
10:49 < pif> sure
10:50 < jpalmer> !redirect-gateway
10:50 < vpnHelper> jpalmer: Error: "redirect-gateway" is not a valid command.
10:51 < jpalmer> pif:  try this link http://schinckel.net/2008/04/30/openvpn-and-default-gateway/
10:51 < vpnHelper> Title: Paint the Tiger, Carve the Swan » OpenVPN and default gateway (at schinckel.net)
10:51 < jpalmer> pif: on the openvpn server,  you'll have to setup NAT on the VPN interface.
10:52 < pif> ok, I have to select a 'private' IP for the tunX device, right?
10:52 < pif> on the server
10:54 < jpalmer> you connect your client to the openvpn daemon running on the server, via the public IP.   the openvpn server then assigns a VPN (private) IP.
10:54 < pif> i see
10:55 < jpalmer> I have to run for about 2 hours. but hopefully that is enough to get you started.
10:55 < pif> thanks!
11:07 -!- pumkinhed [~pumkinhed@72.45.85.159] has joined ##openvpn
11:08 < pumkinhed> hi, i am using the community version of openvpn, is this the right place?
11:08 -!- grapsus [~grapsus@rai21-4-88-179-127-17.fbx.proxad.net] has quit [Quit: Quitte]
11:10 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined ##openvpn
11:12 < pumkinhed> well ever since my company upgraded to windows 7 openvpn has turned into kind of a lemon.
11:12 < jpalmer> a lemon how?
11:12 < pumkinhed> I am pusing dhcp options through vpn server via push "route 10.0.0.0 255.255.255.0" push "dhcp-option DNS 10.0.0.2" push "dhcp-option DOMAIN mydomain.local", when a user puts their laptop to sleep, and then ultimately wakes it up, these options remain in effect, and the computer cannot DNS because the VPN is down and providing DNS...
11:12 < pumkinhed> those are in server config btw
11:14 < pumkinhed> 2nd problem is that when the computer gets back on the LAN the user has to stop the openvpn service because even after the existing VPN conn times out (via keepalive 10 120), the routes/config stay active, and the adapter stays active
11:14 < pumkinhed> if the keepalive times out, why not take the adapter into the offline state?
11:15 < pumkinhed> the DNS issue was not present in XP, so really it just meant that I have to change from using DNS to using an IP for the remote 1.2.3.4 config line.
11:16 < pumkinhed> but the keepalive issue/routing issue has always been there.... Anyone else run in a similar config, road warriors in and out of the office?
11:16 < pumkinhed> would it help if i pasted my configs?
11:17 < pumkinhed> or are these known issues?
11:21 < pumkinhed> !welcome
11:21 < vpnHelper> pumkinhed: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:22 < pumkinhed> !route
11:22 < vpnHelper> pumkinhed: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:23 < pumkinhed> !forum
11:23 < vpnHelper> pumkinhed: Server Administration :: Re: Adapter Speed :: Reply by Andrew || Server Administration :: Re: Connecting to different servers from one client. :: Reply by sathuli || Server Administration :: tun device was closed when starting daemon (ver2.1.3) :: Author shakemid || Server Administration :: Client fails to start on Win7 x64 - Entry point not found :: Author vva || Installation Help
11:23 < vpnHelper> pumkinhed: :: Connection stalls :: Author markr || Installation Help :: OpenVPN tries to start before WiFi up, so no IP available :: Author AMG || Off Topic, Related :: openvpn 2.1.3 will not install in windows 7 64 bit :: Author pkinc
11:24 < pumkinhed> !wiki
11:24 < vpnHelper> pumkinhed: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
11:25 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
11:26 < pumkinhed> hmm, i expected !forum to give me a link to something!?
11:27 < ecrist> forums.openvpn.net
11:28 < pumkinhed> rgr thanks
11:28 < ecrist> forum command actually polls rss for the forum
11:31 < ecrist>  /msg chanserv info ##openvpn lists it too
11:45 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
11:47 -!- swilde [~wilde@aktaia.intevation.org] has quit [Quit: ERC Version 5.3 (IRC client for Emacs)]
11:49 < Synthead> I'm compiling openvpn on an embedded device, and I'm not sure that it has openssl headers on it.  What can I do?
11:49 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Quit: Yes, Virginia...]
11:53 < dazo> Synthead: install those headers, that's what you need to do
11:53 < Synthead> dazo: from where?  there is no package manager for this device
11:54 < dazo> Synthead: I dunno ... if you can compile on that box, you need to install the needed development headers and have libraries available ... or else you're not going anywhere ... openssl is another project
11:56 < Synthead> dazo: is this something that I can compile without reinstalling openssl, or will I only get the headers during the compilation alongside my configuration flags, etc?
11:57 < dazo> Synthead: you need the header files (usually installed under /usr/include or /usr/local/include) ... that's the key point ... normally you don't need to re-install openssl if it is sanely installed ... *but* the header files *must* match the same version of the installed library
11:57 -!- d12fk [~heiko@vpn.astaro.de] has quit [Ping timeout: 265 seconds]
11:58 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined ##openvpn
11:58 < Synthead> dazo: ah, okay, so I assume that I can do a regular cross-compile of the _exact_ version, do a make install DESTDIR=$(temprary directory), and compile openvpn against those headers?
11:59 < dazo> Synthead: that can work
11:59 < Synthead> dazo: alright, I'm on it!  I'll let you know what happens.  Thank you very much, this is a real help.
11:59 < dazo> no prob!
12:04 -!- BrokenAnimator [~bobnunchu@74.115.208.59] has joined ##openvpn
12:05 < BrokenAnimator> hello, how would a person go about binding apps to certain network adapters on Mac osx or windows..noob friendly as possible :)
12:05 < BrokenAnimator> using openvpn of course...as one of the adapters
12:07 < Synthead> dazo: are the headers architecture-specific?  can I compile them on my native arch and use them with openvpn (compiling for another arch)?
12:08 < dazo> Synthead: nope ... header files are noarch ... they just describe which functions are available in libraries and their API
12:08 < Synthead> dazo: excellent then, I'll just compile this as native stuff and dump 'em in
12:09 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
12:12 < BrokenAnimator> anyone..? have tried bindip but it kinda works
12:15 < Synthead> dazo: after I compile openvpn, these headers won't be needed anymore, right?
12:16 < dazo> Synthead: nope, that's only for building
12:16 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 258 seconds]
12:16 < Synthead> BrokenAnimator: I'm sorry, I'm not sure how to make applications bind to a specific interface
12:17 < BrokenAnimator> ok, so when you guys use openvpn on a computer, everything goes through it?
12:19 < dazo> BrokenAnimator: what do you mean when you say "binding apps to certain network adapters"?
12:20 < BrokenAnimator> Well, example: I want IRC to go through VPN, and firefox to not go throught the vpn...how would I do that
12:21 < dazo> BrokenAnimator: use route ... you route a particular IP address or network range through a gateway ... that gateway can be the OpenVPN server or your default gateway for normal internet connections
12:21 < dazo> BrokenAnimator: but OpenVPN is not a proxy, where you tell each application individually to use a proxy to do its connections
12:22 < BrokenAnimator> j, how would I use route?
12:22 < BrokenAnimator> j=k
12:22 < BrokenAnimator> I am a noob, but I learn quick
12:23 -!- traceback0 [~traceback@c-67-180-32-92.hsd1.ca.comcast.net] has joined ##openvpn
12:23 < dazo> BrokenAnimator: http://tinyurl.com/2w88p9q
12:23 < traceback0> upvote? http://news.ycombinator.com/item?id=1672538 =)
12:23 < vpnHelper> Title: Let me google that for you (at tinyurl.com)
12:23 < vpnHelper> Title: Hacker News | Secure your code: OpenVPN in the cloud (at news.ycombinator.com)
12:24 -!- [intra]lanman [~lanman@12.200.95.45] has joined ##openvpn
12:24 -!- [intra]lanman [~lanman@12.200.95.45] has quit [Changing host]
12:24 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
12:24 < Synthead> D:
12:24 < Synthead> http://codepad.org/vSR1b4v6
12:24 < vpnHelper> Title: Plain Text code - 23 lines - codepad (at codepad.org)
12:24 < Synthead> oops :x
12:24 < Synthead> checking for C compiler default output file name...
12:24 < Synthead> configure: error: C compiler cannot create executables
12:24 < Synthead> I'm moving right along though
12:24 < Synthead> this is my issue now :)
12:26 < BrokenAnimator> dazo? anything with a gui?
12:27 < dazo> BrokenAnimator: I'm not an osx user, sorry ... I only know how to use google
12:27  * dazo decides to start his holiday 
12:27 < BrokenAnimator> well I need it for windows
12:27 < dazo> BrokenAnimator: ahh ... then google for windows instead
12:28 < BrokenAnimator> I did, but i am looking for someone that uses it with openvpn
12:28 < Synthead> BrokenAnimator: the command line is the most powerful tool on your computer; the more you learn on the command line, the more you can do as a whole
12:28 < BrokenAnimator> and that has doen it before
12:28 -!- dazo is now known as dazo_afk
12:28 < BrokenAnimator> not just google references
12:29 < BrokenAnimator> I know that synthead, I use the command line, I just need something fast and quick
12:30 < BrokenAnimator> sometimes technical people want ease of use too..lol
12:32 < vpnHelper> RSS Update - forum: Server Administration :: Ip phone behind openvpn vpn client :: Author julien.c <https://forums.openvpn.net/viewtopic.php?f=4&t=7080&p=7765#p7765> || Configuration :: Re: Question about tun/tap (remote DHCP addresses being hand :: Reply by huntly001 <https://forums.openvpn.net/viewtopic.php?f=6&t=7037&p=7762#p7762>
12:34 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
12:36 < krzee> BrokenAnimator, there is tunnelblick for openvpn needs on osx with gui... but first get it working right in CLI
12:36 < krzee> because you need to configure it by hand
12:36 < krzee> then if you feel you need a gui for starting/stopping...
12:36 < krzee> !osx
12:36 < vpnHelper> krzee: "osx" is (#1) http://www.viscosityvpn.com/ (PAY), or (#2) http://www.tunnelblick.net/ (FREE)
12:39 < BrokenAnimator> yeah, I use tunnelbrick now
12:39 < BrokenAnimator> it works great
12:39 < BrokenAnimator> but I don't know how to only have it route select apps
12:39 < BrokenAnimator> it just does everything
12:40 -!- Volatility [~Votality@ppp118-208-10-228.lns20.bne1.internode.on.net] has joined ##openvpn
12:40 < Volatility> hi guys
12:40 < Volatility> im running an openvpn server on windows
12:40 < Volatility> but when i use log-append mylogname.log
12:40 < Volatility> and run openvpn as a service it doesnt log to it at all
12:41 < Volatility> when i had no log-append directive it did atleast log... any ideas
12:41 < Volatility> also it created the file without permissions by default
12:41 < Volatility> when i deleted the log file
12:42 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Quit: Leaving.]
12:43 -!- trans [~trans@117.192.116.247] has joined ##openvpn
12:43 < krzee> !routebyapp
12:43 < vpnHelper> krzee: "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
12:44 < trans> hello everyone, just heard about openvpn, need little help configuring it
12:44 < krzee> openvpn routes by routing table only
12:44 < krzee> i too wanted to route by app instead (torrents go over local, most everything goes over vpn... 2 web browsers, 1 for local 1 for vpn)
12:45 < krzee> so i use !routebyapp =]
12:45 < BrokenAnimator> cool
12:46 < BrokenAnimator> thanks krzee
12:46 < krzee> yw
12:46 < krzee> trans
12:46 < krzee> !confgen
12:46 < vpnHelper> krzee: "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/
12:46 < trans> yeah krzee
12:46 < Volatility> anyone
12:47 < krzee> trans, i made that config file generator =]
12:47 < krzee> also
12:47 < krzee> !sample
12:47 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
12:47 < BrokenAnimator> !sockd
12:47 < vpnHelper> BrokenAnimator: "sockd" is if you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP! otherwise you will be an open proxy. that config has no security because its expected to run inside openvpn
12:48 < Volatility> this is the log line i have log-append subway_storexxx_server.log
12:48 < krzee> Volatility, with log-append did you use a full path?
12:48 < krzee> ahh
12:48 < krzee> !path
12:48 < vpnHelper> krzee: "path" is always use full paths in your config file, it makes things easier
12:48 < Volatility> no just a filename
12:48 < trans> so I need to replace existing conf file with yours?
12:48 < krzee> !winpath
12:48 < vpnHelper> krzee: "winpath" is (#1) Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key", or (#2) also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.: C:/Program Files/OpenVPN/config/foo.key (but surrounded by quotes)
12:48 < krzee> trans, 
12:48 < krzee> !goal
12:48 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:48 < Volatility> every other option for logs doesnt need a path
12:48 < krzee> Volatility, 
12:48 < krzee> !path
12:48 < vpnHelper> krzee: "path" is always use full paths in your config file, it makes things easier
12:48 < Volatility> andn it does recognise the filename
12:49 < Volatility> as it creates the file
12:49 < Volatility> just adds nothing to it
12:49 < krzee> Volatility, do you have a line starting with verb?
12:49 < Volatility> verb 3
12:49 < krzee> Volatility, try log
12:49 < Volatility> but it was logging stuff at 3 before i tried append
12:50 < krzee> i dont have a vpn running on windows so i cant test log-append
12:50 < krzee> =[
12:52 < trans> krzee I'm not a total computer freak, did not understand anything, I just want to encrypt my connection, any simple methods
12:53 < Volatility> well thats weird
12:53 < krzee> your connecting to the internet? your connection just to the machine you connect to? your connection to an entire lan?
12:53 < Volatility> its working
12:53 < Volatility> but in the config dir
12:53 < Volatility> which is what i want anyway
12:54 < Volatility> but it does create a blank file in the log dir
12:54 < Volatility> weird
12:54 < Volatility> with no permissions
12:54 < krzee> Volatility, if you used full path you wouldnt have the issue of knowing where it goes ;)
12:54 < Volatility> thats not whats weird
12:54 < Volatility> its creating 2 files
12:54 < krzee> *shrug*
12:55 < krzee> if you used full path it would go where you said
12:55 < krzee> and nowhere else
12:55 < Volatility> me thinks the code be broke
12:55 < krzee> me thinks you should
12:55 < krzee> !path
12:55 < vpnHelper> krzee: "path" is always use full paths in your config file, it makes things easier
12:55 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
12:56 < Volatility> are certs >1024 just paranoia
12:56 < Volatility> i have the extra HMAC check
12:56 < Volatility> the ta.key
12:56 < krzee> up to you... i use 4096
12:57 < krzee> with dh, or ta.key, above 1024 is unnecessary
12:57 < krzee> with certs, it actually uses the full 4096 if you made them that way
12:57 < Volatility> i just followed the guide
12:57 < krzee> but 1024 should be fine too
12:57 < Volatility> to make the certs using easy rsa
12:57 < krzee> theres nothing wrong with using 1024
12:57 < krzee> like i said, up to you
12:58 < krzee> but with ta.key and dh, above 1024 wont be used anyways
12:59 < BrokenAnimator> hey just a thought
12:59 < Volatility> i wonder how much i should chage a mate for setting up openvpn
12:59 < Volatility> er charge
13:00 < Volatility> he wants me to set it up for his business so he can watch his security cams at home
13:00 < BrokenAnimator> what if I told my firewall to block all outgoing incoming from adapter B, would it defalut to adapter A?
13:00 < Volatility> im assuming hes getting me to do it as he wants mates rates and doenst just get a local it firm to do it
13:01 < Volatility> local I.T firm i mean
13:01 < krzee> BrokenAnimator, packets dont route around firewalls unless you make them... if you block their path, it is just blocked
13:02 < BrokenAnimator> k
13:02 < krzee> Volatility, all depends what your time is worth and how good of a friend it is
13:02 < krzee> especially since you are getting help for free here...
13:02 < Volatility> hey it works... just asking about logging
13:03 < krzee> ;]
13:03 < Volatility> and i'll say this hes never given me free subways
13:03 < Volatility> i always pay full price
13:03 < krzee> maybe it is time he does!
13:03 < krzee> "ill do it free, but will work for food" ;)
13:04  * krzee normally prefers barter to $
13:05 < krzee> not to say i dont like $... but i can make $ any day, i prefer when people can do other things for me instead
13:05 < Volatility> damn straight he shouild
13:06 < Volatility> i'll say this the I.T firms must have wanted to charge a bit as i told him i didnt want to do it 12 months ago
13:06 < Volatility> and he said he was getting a local place to do it
13:07 < Volatility> but most i.t joints chage 100-150 to just get in the door
13:08 < krzee> yup
13:08 < krzee> i charged $50-$100 / hr when i did tech work independantly
13:08 < Volatility> then they usually reccomend a hardware vpn as they can sell you a $500 vpn router that they make $50 on
13:09 < krzee> haha that sucks, especially cause openvpn is often better
13:09 < Volatility> truth be known the ssl based ones probably are openvpn
13:09 < krzee> unless its those weaksauce web ssl vpns
13:10 < Volatility> i think a lot a just some cgi slapped onto a tiny http server
13:10 < Volatility> controlling something backend
13:10 < krzee> openvpn is gpl, so to be legal they need to give the openvpn source with the hardware vpn device
13:10 < krzee> if its http, its not openvpn
13:11 < Volatility> they just make an interface to configure and control it
13:11 < krzee> if its openvpn, they must distribute the source to be legal
13:13 -!- manevra [manevra@94.46.8.66] has joined ##openvpn
13:13 < traceback0> Hey guys: http://news.ycombinator.com/item?id=1672538
13:13 < vpnHelper> Title: Hacker News | Secure your code: OpenVPN in the cloud (at news.ycombinator.com)
13:17 < krzee> traceback0, ?
13:17 < trans> krzee I run confgen.sh is it enough
13:17 < traceback0> krzee: we just wrote a post about open vpn
13:17 -!- manevra_ [~manevra@188.26.135.45] has joined ##openvpn
13:18 < trans> or should I do more
13:18 < krzee> trans, depends what you want to you, you never answered my question
13:18 < traceback0> krzee: may be worth pointing people that come here to it as a reference since we did it from scratch
13:18 < krzee> traceback0, do you have a question?
13:18 < trans> which question
13:18 < traceback0> krzee: uh no?
13:18 -!- traceback0 [~traceback@c-67-180-32-92.hsd1.ca.comcast.net] has left ##openvpn []
13:18 < krzee> oh ok
13:18 < krzee> [13:52]  <trans> krzee I'm not a total computer freak, did not understand anything, I just want to encrypt my connection, any simple methods
13:18 < krzee> [13:53]  <krzee> your connecting to the internet? your connection just to the machine you connect to? your connection to an entire lan?
13:19 < krzee> lol @ traceback0 just plugging his website because he posted something about openvpn
13:19 < trans> I'm connecting to internet
13:19 < krzee> trans, what os is your server?
13:19 < trans> suse
13:19 < krzee> and you used the confgen?
13:20 < trans> yes
13:20 < krzee> so when it asked if clients should connect to the internet over the vpn, you said yes...?
13:20 < trans> oh yes
13:20 < krzee> so then the confgen told you what to do on the server outside of the openvpn configs, right?  (a NAT rule in the firewall and enable ip forwarding)
13:21 < krzee> like this:
13:21 < krzee> !linnat
13:21 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
13:21 < krzee> !linipforward
13:21 < vpnHelper> krzee: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
13:21 < trans> no it did not
13:21 < krzee> let me look at my code, i believe it did
13:21 -!- manevra [manevra@94.46.8.66] has quit [Ping timeout: 272 seconds]
13:22 < trans> I mostly answered with default values, do u think I have gone wrong some where
13:22 < krzee> [14:20]  <krzee> so when it asked if clients should connect to the internet over the vpn, you said yes...?
13:23 < krzee> [14:20]  <trans> oh yes
13:23 < krzee> when you say yes to that, and no to running windows on your server, it should tell you those
13:23 < trans> well then I'll run it again
13:23 < krzee> of course... you do have to READ the output :-p
13:23 < trans> I guess I did not read the output
13:24 < trans> was just answering
13:24 -!- manevra_ [~manevra@188.26.135.45] has quit [Quit: Leaving]
13:25 < trans> it asked a question " do u want all users to guide traffic through vpn, default no" what supposed to be my answer
13:25 < krzee> echo "Do you want clients to send all their internet traffic through the server?"
13:25 < trans> yes
13:25 < krzee> do you notn understand that question...?
13:25 < trans> partially
13:25 < krzee> do you want the clients to send all their internet traffic over the vpn?
13:26 < trans> yes thats the question
13:26 < krzee> i dont know how to ask it more clearly
13:27 < trans> u have asked the question correctly
13:27 < krzee> when a client surfs the web, should they appear as if they are the server...?
13:27 < trans> I'm the only client
13:27 < krzee> ok, so answer it for yourself
13:28 < trans> did I say anything wrong
13:28 < krzee> you want your client's traffic to the internet to appear as if it is located at the server, right?
13:28 < trans> yes
13:29 < krzee> so they you DO want all client traffic to go through the server =]
13:29 < trans> yes of-course
13:29 < krzee> then answer yes to that question
13:30 < trans> I said no, I'll run that config again
13:30 < krzee> how should i better ask that question in such a way that you would have known to say yes?
13:31 < trans> sorry for my dumb things
13:31 < krzee> im not calling you dumb
13:31 < krzee> im wondering if i could ask it better
13:31 -!- funkyHat [~m@funkyhat.org] has quit [Ping timeout: 276 seconds]
13:31 < krzee> when i already understand it all, its not always easy to ask things the easiest way for others
13:32 < trans> no you were right from the beginning, I have too little knowledge about the things
13:32 < trans> but yet to configure it
13:32 < trans> something out of my reach yet u want it
13:33 -!- funkyHat [~m@cpc1-nrte3-0-0-cust308.8-4.cable.virginmedia.com] has joined ##openvpn
13:35 < trans> What subnet will the VPN hand out? ie: 10.8.1.0 255.255.255.0
13:35 < trans> what should I answer
13:36 < krzee> default is fine
13:36 < trans> ok
13:36 < trans> No will allow you to firewall client to client traffic
13:36 < trans> y or n
13:37 < krzee> you only have 1 client, doesnt matter
13:37 -!- Volatility [~Votality@ppp118-208-10-228.lns20.bne1.internode.on.net] has quit [Quit: Leaving]
13:37 < trans> Will the server share its LAN with the VPN?
13:38 < krzee> do you know what a LAN is?
13:38 < trans> I guess yes
13:38 < krzee> do you understand the question...?
13:38 < trans> no
13:39 < krzee> is there a word in the question you do not understand?
13:39 < trans> "Will the server share its LAN"
13:39 < krzee> does the client need to access machines on the server's LAN...?
13:40 < krzee> are you asking me all the questions without trying to understand them?
13:40 -!- tr4sk [~tr4sk@alfred.biboum.fr] has quit [Ping timeout: 276 seconds]
13:40 < krzee> i coded the confgen so i would not need to do what we are doing right now...
13:40 < trans> actually we have networks subject just started in our class, so too confusing now
13:41 < krzee> is this a class assingment?
13:41 < trans> kind of, not particularly
13:41 < krzee> just answer no
13:42 -!- funkyHat [~m@cpc1-nrte3-0-0-cust308.8-4.cable.virginmedia.com] has quit [Ping timeout: 276 seconds]
13:43 < Synthead> I'm cross-compiling openvpn to armv5b from x86_64, and I'm having an issue
13:43 < trans> yeah done everything. now
13:43 < Synthead> I get this when running ./configure (and other flags)
13:44 -!- funkyHat [~m@funkyhat.org] has joined ##openvpn
13:44 < Synthead> checking for C compiler default output file name...
13:44 < Synthead> configure: error: C compiler cannot create executables
13:44 < Synthead> See `config.log' for more details.
13:44 < Synthead> config.log looks like this
13:44 < Synthead> http://codepad.org/snmVOa0I
13:44 < vpnHelper> Title: Plain Text code - 322 lines - codepad (at codepad.org)
13:44 < Synthead> the most interesting lines is where it reads "crtend.o uses FPA instructions, whereas a.out does not"
13:44 < Synthead> and "crtend.o uses hardware FP, whereas a.out uses software FP"
13:45 -!- manevra [manevra@94.46.8.69] has joined ##openvpn
13:45 < Synthead> I asked about this in ##workingset, and they said:
13:45 < Synthead> <penguinece> Synthead, you should check the configure options to newlib to see if you need to tell newlib that it can't use hardware floating point.
13:45 < Synthead> Synthead> penguinece: would it be likely that many packages would compile fine until now though?  I've cross-compiled maybe about 6-10 packages successfully up to this point.
13:45 < trans> I guess I need to configure browser right?
13:45 < Synthead> <penguinece> Synthead, hmm probably not, crt* stuff is in everything that gets compiled. So it's probably something with this particular package. my bad.
13:46 < Synthead> any idea about this one? :s
13:47 -!- Joelio [~joel@lcw-212-23-5-1.zen.co.uk] has joined ##openvpn
13:50 < Joelio> Hi all, I've been testing out ubuntu 10.10 (ships with 2.1.0-3) but having difficulty connecting to the openvpn server. I keep getting timeouts  VPN Issue (IP Config Get) timeout exceeded
13:50 < Joelio> I am however tryping this connected to openvpn on 10.4 (same machine, same settings)
13:51 < trans> krzee are you still there
13:51 < manevra> hello somebody gaved me a openvpn server with slackware os installed on it, but i don't know how to control or connect to the vpn there, can anyone help me ?
13:51 < Joelio> Anyone aware of anything that could be stopping outgoing UDP packets, I broke out wireshark and all I could see were successive packets being sent to the openvpn server, but nothing returning
13:53 < Joelio> A local listening udp port gets created too on a high port range when I'm trying to connect
13:54 < manevra> ?
14:05 < krzee> trans
14:06 < krzee> you need to configure the server right
14:06 < krzee> !linnat
14:06 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
14:06 < krzee> !linipforward
14:06 < vpnHelper> krzee: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
14:06 < trans> yeah
14:06 < krzee> and you need to make certificates, as shown in
14:06 < krzee> !pki
14:06 < vpnHelper> krzee: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert
14:06 < vpnHelper> krzee: was signed specially as a server (see !servercert)
14:08 < Bushmills> manevra: did that someone also give you a config file and keys for authenticating?
14:14 < krzee> Joelio, either a firewall or your ISP blocking stuff
14:15 < trans> krzee I did what you said but my browser saying connection timed out
14:15 < Bushmills> Joelio: logs. could be that compression is enabled on one side, but not on the other
14:25 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:28 -!- trans [~trans@117.192.116.247] has quit [Quit: Leaving]
14:40 < manevra> Bushmills, no :(
14:41 < manevra> it just gave me server ip and password for root
14:41 < Bushmills> good opportunity for you to learn how to set client and access up yourself then
14:42 < Bushmills> !howto
14:42 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:43 < manevra> :))
14:43 < manevra> thanks man
14:43 < manevra> i hope i can manage it
14:43 < manevra> i am newbie
15:07 -!- karlpinc [~kop@meme-net.meme.com] has joined ##openvpn
15:07 < karlpinc> !pptp
15:07 < vpnHelper> karlpinc: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml
15:07 < vpnHelper> karlpinc: to read about why to not use pptp
15:07 -!- karlpinc [~kop@meme-net.meme.com] has left ##openvpn []
15:07 -!- johnfg [~johnfg@spirit.org] has joined ##openvpn
15:08 < johnfg> !pptp
15:08 < vpnHelper> johnfg: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
15:08 < vpnHelper> johnfg: read about why to not use pptp
15:08 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 265 seconds]
15:09 < Joelio> krzee: No firewall, no egress filtering.. and I'm a system's administrator at the ISP, so I know it's not that :)
15:10 < Joelio> Bushmills: Last thing I see in syslog is AF_CONNECT to the IP of the vpn server, a pause, then an exit of " VPN Issue (IP Config Get) timeout exceeded" 
15:11 < Joelio> I'm using the network-manager applet too if that's pertinent
15:12 < manevra> i have openvpn server installed on a slackware machine. how do i set it so i can access the vpn control panel from internet browser ?please urgent 
15:12 < manevra> i have browsed the howto page from openvpn but couldn't find
15:13 < manevra> i have root ssh access to server
15:13 < Bushmills> Joelio: look at openvpn log - you an specify file name, location and verbosity of both server and client log in the config files
15:13 < Bushmills> can
15:14 < manevra> Bushmills, i have my hopes in you :))
15:14 < Bushmills> internet browser vpn control panel? sounds alien to me 
15:15 < manevra> i don't know if it's called control panel
15:15 < manevra> an interface where you can make settings, add users, etc.
15:15 < Bushmills> i use an interactive configuration management frontend, called "editor", to manage openvpn configurations
15:15 < Joelio> Bushmills: Does openvpn log to another place in addition to /var/log/syslog.. the syslog stuff is pretty verbose
15:16 < Bushmills> Joelio: yes, if you instruct it to
15:17 < Joelio> ok, sure.. I'll break out into the shell then
15:17 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
15:19 -!- rawDawg [~rawdawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
15:19 < manevra> Bushmills, any ideea how can i do it ?
15:19 < johnfg> !howto
15:19 < vpnHelper> johnfg: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:20 < Bushmills> manevra: i'd start with what johnfg is just consulting
15:21 < manevra> :(
15:21 < manevra> i can't find 
15:23 < Bushmills> i don't know of any web based openvpn setup facility. doesn't mean that there aren't, that's just outside of my expertise
15:25 < Bushmills> though i'd say, try the quick setup, and bother about web interface when you have at least a working connection going
15:34 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:47 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has joined ##openvpn
15:59 < ecrist> krzee: if you hadn't seen this, btw: http://wiki.snom.com/Networking/Virtual_Private_Network_(VPN)
16:00 < Joelio> Bushnills: Pushed up the verbosity, seeing this.. 
16:00 < Joelio> Wed Sep  8 21:59:08 2010 us=63165 UDPv4 WRITE [14] to [AF_INET]redacted:1337: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
16:01 < Joelio> just repeasting every second or so during connect
16:01 -!- th1 [~th@pdpc/supporter/professional/th1] has quit [Ping timeout: 276 seconds]
16:01 -!- funkyHat [~m@funkyhat.org] has quit [Ping timeout: 276 seconds]
16:02 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
16:03 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
16:03 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Ping timeout: 276 seconds]
16:03 -!- dazo_afk [~dazo@nat/redhat/x-jctdhsbbptdppozu] has quit [Ping timeout: 276 seconds]
16:03 -!- dazol [~dazo@nat/redhat/x-ojptkhlwjfkjcgpi] has joined ##openvpn
16:03 -!- th__ [~th@cpc1-cmbg15-2-0-cust361.5-4.cable.virginmedia.com] has joined ##openvpn
16:04 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: Automatic reconnection of OpenVpn in Windows XP ? :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7068&p=7766#p7766>
16:04 -!- funkyHat_ [~m@funkyhat.org] has joined ##openvpn
16:05 -!- funkyHat_ is now known as funkyHat
16:05 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined ##openvpn
16:05 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
16:06 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
16:09 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Remote host closed the connection]
16:10 < Joelio> Just been digging and it seems like diabling EPOLL might fix this?
16:10 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
16:15 -!- RichiH [~richih@freenode/staff/richih] has joined ##openvpn
16:16 < RichiH> ecrist, cron2: we never got a follow-up wrt the GRF, btw
16:16 < RichiH> i forgot who was supposed to email us, but they did not
16:16 < ecrist> RichiH: I think I've about given up caring.
16:17 < RichiH> pity. from our side, we "merely" need official confirmation and we would be good to go
16:17 < ecrist> it's less hassle to get a mortgage than register a group on freeswitch
16:18 < RichiH> ecrist: overall, i think i had more work getting to this point than you did ;)
16:19 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
16:19 < ecrist> I'm sure.
16:19 < ecrist> the work *is* appreciated
16:20 < ecrist> running IRC and the forums for ~3 years isn't enough, though.
16:20 < RichiH> yah, no problem
16:21 < KipMacy> My server is linux, openvpn, centos, latest update ( 2.1.2?  i forget ) .   my client is mac osx , latest beta of Tunnelblick ( even tried stable) . i get this error on client: Wed Sep  8 12:57:46 2010 Cannot allocate TUN/TAP dev dynamically
16:21 < KipMacy> what am i doing wrong
16:23 < RichiH> ecrist: if it was solely my decission, cron2's word would suffice
16:25 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
16:26 < ecrist> :)
16:30 -!- Stasik [~chatzilla@dslb-084-063-044-144.pools.arcor-ip.net] has joined ##openvpn
16:30 < Stasik> hello
16:30 < Stasik> somwhere  there?
16:32 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
16:33 < abeehc-_> SOMEWHERE WHERE
16:40  * ecrist does a dance
16:41 < Stasik> here
16:41 < Stasik> hi
16:41 < Stasik> my university gives me a config for openvpn
16:41 < Stasik> now i'd like to connect to my server using precasched username/pass
16:41 < Stasik> and then disconnect again
16:41 < Stasik> by some shell script
16:41 < Stasik> how do i do so_
16:43 < ecrist> !save-password
16:43 < vpnHelper> ecrist: Error: "save-password" is not a valid command.
16:43 < ecrist> !facoids search pass*
16:43 < vpnHelper> ecrist: Error: "facoids" is not a valid command.
16:44 < ecrist> !factoids search pass*
16:44 < vpnHelper> ecrist: "password-only" is http://openvpn.net/archive/openvpn-users/2004-10/msg00418.html
16:44 < ecrist> hrm
16:44 < ecrist> Stasik: you need openvpn compiled with password-save
16:44 < ecrist> the config you need is covered in the man page
16:44 < ecrist> !man
16:44 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
16:45 < Stasik> and then once connnected
16:45 < Stasik> how do i disconnect?
16:45 < ecrist> quit openvpn
16:46 < Stasik> pkill openvpn works :(
16:47 < Stasik> i do not have man
16:47 < ecrist> Stasik: follow the link above.
16:47 < Stasik> can some1 help me with save-passwrod?
16:47 < ecrist> Stasik: I AM helping you.
16:48 < Stasik> i ended up here
16:48 < Stasik> http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html
16:48 < vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net)
16:48 < Stasik> nothing about save-password
16:49 < ecrist> I said password-save
16:49 < Stasik> do you mean? --enable-password-save
16:49 < ecrist> yep
16:50 -!- BrokenAnimator [~bobnunchu@74.115.208.59] has quit [Quit: BrokenAnimator]
16:50 < Stasik> openvpn --enable-password-save fulltunnel
16:50 < Stasik> does not work
16:51 < ecrist> the --enable-password-save is an argument to configure for compile time
16:51 < ecrist> please read the manual
16:52 < Stasik> omg
16:52 < Stasik> i did install it via apt-get
16:53 < Stasik> apt-get install openvpn
16:53 < Stasik> any idea how i can get it compiled or reconfigured?
16:54 < ecrist> you probably need to compile for source, or look in the repository for one that has it enabled.
16:54 < ecrist> it's disabled by default.
16:57 < Stasik> lol
16:57 < Stasik> its so lave
16:57 < Stasik> kame
16:57 < Stasik> i can not find the source
16:57 < ecrist> http://openvpn.net/index.php/open-source/downloads.html
16:57 < vpnHelper> Title: Downloads (at openvpn.net)
16:57 < ecrist> that was pretty easy
17:00 < Stasik> untaring takes too much time
17:02 < barfster> untaring what?
17:02 < Stasik> ok i have the source now
17:02 < ecrist> source
17:02 < Stasik> should i run ./configure --enable-save-password?
17:03 < ecrist> yes
17:03 < Stasik> how do i specify install path?
17:03 < Stasik> or whats the default?
17:04 < ecrist> ./configure --help
17:04 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 272 seconds]
17:06 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
17:07 -!- Irssi: ##openvpn: Total of 124 nicks [1 ops, 0 halfops, 0 voices, 123 normal]
17:09 -!- discern [20a14d2d@gateway/web/freenode/ip.32.161.77.45] has joined ##openvpn
17:10 < discern> !welcome
17:10 < vpnHelper> discern: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:11 < discern> hello everyone
17:11 -!- discern [20a14d2d@gateway/web/freenode/ip.32.161.77.45] has quit [Client Quit]
17:12 -!- Synthead [~max@69.15.218.1] has quit [Quit: Leaving]
17:12 < Stasik> i am still here
17:12 < Stasik> )
17:12 < Stasik> installing dependencies
17:12 -!- discern [20a14d2d@gateway/web/freenode/ip.32.161.77.45] has joined ##openvpn
17:13 < discern> welcome
17:13 < discern> is there anyone that can help me with openvpn running on ubuntu with ebox?
17:15 -!- discern [20a14d2d@gateway/web/freenode/ip.32.161.77.45] has quit [Client Quit]
17:16 -!- discern [20a14d2d@gateway/web/freenode/ip.32.161.77.45] has joined ##openvpn
17:17 < discern> is anyone there? blank screen
17:18 -!- discern [20a14d2d@gateway/web/freenode/ip.32.161.77.45] has quit [Client Quit]
17:18 < mikkel> How do tell openvpn not to use ipv6 ?
17:18 < mikkel> Only connect with ipv4 ?
17:19 < mikkel> I mean only use ipv4 though the tunnel ?
17:20 < Stasik> ecrist: doing make now
17:20 < Stasik> ecrist: are u still there?
17:25 -!- barfster [~barf@193.69.144.162] has quit [Quit: Get MacIrssi - http://www.sysctl.co.uk/projects/macirssi/]
17:25 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:27 < Joelio> Ok, I've done some more diagnostics and it seems as though the TLS auth is failing
17:37 -!- WinstonSmith [~true@f052100087.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
17:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
18:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
18:19 -!- Stasik [~chatzilla@dslb-084-063-044-144.pools.arcor-ip.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.8/20100722155716]]
18:20 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:36 -!- Cisien [~chris@desktop.cisien.com] has quit [Ping timeout: 240 seconds]
18:42 -!- Cisien [~chris@2001:470:e883:0:d862:7ca4:b940:22b3] has joined ##openvpn
18:50 -!- Cisien_ [~chris@desktop.cisien.com] has joined ##openvpn
18:52 -!- Cisien_ [~chris@desktop.cisien.com] has quit [Client Quit]
18:52 -!- Cisien_ [~chris@desktop.cisien.com] has joined ##openvpn
18:53 -!- Cisien [~chris@2001:470:e883:0:d862:7ca4:b940:22b3] has quit [Ping timeout: 240 seconds]
18:59 -!- Cisien_ [~chris@desktop.cisien.com] has quit []
18:59 -!- Cisien [~chris@desktop.cisien.com] has joined ##openvpn
19:15 -!- manevra [manevra@94.46.8.69] has quit [Quit: Leaving]
19:17 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
19:24 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
19:35 -!- fipu [~fipu@62.75.187.155] has quit [Ping timeout: 245 seconds]
19:35 -!- fipu [~fipu@62.75.187.155] has joined ##openvpn
19:36 -!- salbito [~salbito@cpe-67-252-186-70.buffalo.res.rr.com] has joined ##openvpn
19:37 < salbito> hello all
19:37 < salbito> hoping i can get some answers from here...i am using openvpn on my router and i have been unable to connect to the computers on the other side of the vpn. All computers on the router side have addresses of 192.168.1.1** and the vpn subnet is 192.168.66.0/24 yet i can't communicate with the computers on the 192.168.1.1** side. I am currently using the routed vpn setup...should i be using bridged?
19:43 -!- salbito1 [~salbito@cpe-67-252-186-70.buffalo.res.rr.com] has joined ##openvpn
19:43 -!- salbito [~salbito@cpe-67-252-186-70.buffalo.res.rr.com] has quit [Read error: Connection reset by peer]
19:44 -!- salbito1 [~salbito@cpe-67-252-186-70.buffalo.res.rr.com] has quit [Client Quit]
19:44 -!- salbito [~salbito@cpe-67-252-186-70.buffalo.res.rr.com] has joined ##openvpn
19:45 < salbito> !welcome
19:45 < vpnHelper> salbito: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:47 -!- salbito [~salbito@cpe-67-252-186-70.buffalo.res.rr.com] has quit [Read error: Connection reset by peer]
19:47 -!- salbito [~salbito@cpe-67-252-186-70.buffalo.res.rr.com] has joined ##openvpn
19:50 -!- salbito [~salbito@cpe-67-252-186-70.buffalo.res.rr.com] has quit [Read error: Connection reset by peer]
19:51 -!- salbito [~salbito@cpe-67-252-186-70.buffalo.res.rr.com] has joined ##openvpn
19:53 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
20:10 -!- salbito [~salbito@cpe-67-252-186-70.buffalo.res.rr.com] has quit [Ping timeout: 272 seconds]
20:29 < krzie> wow, nice connection
20:42 < vpnHelper> RSS Update - forum: Server Administration :: Re: strange 2.1.3 routing table at WinXP Pro :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7061&p=7767#p7767>
21:00 -!- salbito [~salbito@cpe-67-252-160-100.buffalo.res.rr.com] has joined ##openvpn
21:04 -!- allquixotic_ is now known as allquixotic
21:05 -!- salbito [~salbito@cpe-67-252-160-100.buffalo.res.rr.com] has quit [Ping timeout: 255 seconds]
21:10 -!- salbito [~salbito@cpe-67-252-186-70.buffalo.res.rr.com] has joined ##openvpn
21:13 -!- salbito1 [~salbito@rrcs-24-103-203-213.nys.biz.rr.com] has joined ##openvpn
21:15 -!- salbito [~salbito@cpe-67-252-186-70.buffalo.res.rr.com] has quit [Ping timeout: 272 seconds]
21:16 -!- salbito [~salbito@cpe-67-252-162-51.buffalo.res.rr.com] has joined ##openvpn
21:18 -!- salbito1 [~salbito@rrcs-24-103-203-213.nys.biz.rr.com] has quit [Ping timeout: 272 seconds]
21:19 -!- salbito [~salbito@cpe-67-252-162-51.buffalo.res.rr.com] has quit [Read error: Connection reset by peer]
21:53 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
21:57 -!- UnterPerro [~UnterPerr@32.163.58.1] has joined ##openvpn
21:58 -!- cj [~cjac@router0.colliertech.org] has quit [Ping timeout: 255 seconds]
23:04 -!- rtcg [~justdizgu@mail.richardthecomputerguy.com] has joined ##openvpn
23:06 -!- bashusr [~bashusr@unaffiliated/bashusr] has left ##openvpn []
23:14 -!- nickelnick [~nickelnic@71-208-48-83.hlrn.qwest.net] has joined ##openvpn
23:14 -!- nickelnick [~nickelnic@71-208-48-83.hlrn.qwest.net] has left ##openvpn []
23:18 < rtcg> Is it mandatory to use Static Key Mode to connect all the clients of LAN-A to all the clients on LAN-B over an openvpn tunnel?
23:24 < rtcg> okay.. well static key seems super simple.  I'll go that way.
23:24 -!- rtcg [~justdizgu@mail.richardthecomputerguy.com] has quit [Quit: Crosses fingers]
23:24 < johnfg> Bushmills, You still here?
23:24 < johnfg> Just got back from a church meeting.
23:25 < johnfg> I'm following the Howto, but debian lenny's install is a bit different.
23:32 < Bushmills> no. i am here *again*  :)
23:33 < Bushmills> debian config is about the same.  startup may vary:  edit /etc/default/openvpn to enable starting openvpn during boot 
23:34 < Bushmills> config and key go into /etc/openvpn
23:35 < Bushmills> rtcg, no. not only not mandatory, but also not suited. use !pki and !route 
23:35 < johnfg> Bushmills, OK, I generated everything per the Howto, and will be working on the config stuff.
23:36 < johnfg> Gonna have to change the port to the one openvpn uses.
23:36 < Bushmills> config file is just the same as a list of command line options arguments, but without the leading --
23:37 < Bushmills> {options|arguments} ... chose one
23:38 < johnfg> I'll probably wait until tomorrow to get openvpn installed on the win xp boxes.
23:40 -!- UnterPerro [~UnterPerr@32.163.58.1] has quit [Quit: UnterPerro lives to save another day]
23:43 < johnfg> Bushmills, Gonna have to hit the sack, but thanks for the help and directing me to some good information.  I'll be back tomorrow.  Have a great night!
23:47 < krzee> !--
23:47 < vpnHelper> krzee: "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file.
23:54 -!- UnterPerro [~UnterPerr@32.163.58.1] has joined ##openvpn
23:57 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Quit: Leaving.]
23:57 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
--- Day changed Thu Sep 09 2010
00:02 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Ping timeout: 246 seconds]
00:17 -!- krzee [~k@unaffiliated/krzee] has left ##openvpn []
00:17 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
00:30 -!- real1adam [~real1adam@224.247.95.24.cfl.res.rr.com] has joined ##openvpn
00:31 -!- Hamlin [~Hamlin@unaffiliated/hamlin] has joined ##openvpn
00:32 -!- invurse [447147d7@gateway/web/freenode/ip.68.113.71.215] has joined ##openvpn
00:32 -!- real1adam [~real1adam@224.247.95.24.cfl.res.rr.com] has left ##openvpn []
00:33 < invurse> anyone have time to help a noob running openvpn in ubunty?
00:33 -!- Loshki [~chatzilla@unaffiliated/losher] has joined ##openvpn
00:33 -!- Loshki [~chatzilla@unaffiliated/losher] has left ##openvpn []
00:34 -!- invurse [447147d7@gateway/web/freenode/ip.68.113.71.215] has left ##openvpn []
00:36 -!- riversky [~neo@c-68-63-239-8.hsd1.fl.comcast.net] has quit [Ping timeout: 245 seconds]
00:39 -!- WinstonSmith [~true@f052096230.adsl.alicedsl.de] has joined ##openvpn
00:47 -!- cj [~cjac@router0.colliertech.org] has joined ##openvpn
00:49 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
00:52 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
00:57 < SOG> ha ha I finally get the log working
01:08 -!- SOG_ [~SOG@61.144.230.241] has joined ##openvpn
01:09 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:09 -!- mode/##openvpn [+o mattock] by ChanServ
01:11 -!- SOG [~SOG@61.144.230.241] has quit [Ping timeout: 272 seconds]
01:11 -!- SOG_ is now known as SOG
01:22 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has joined ##openvpn
01:32 -!- SOG [~SOG@61.144.230.241] has quit [Read error: Connection reset by peer]
01:33 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
01:34 -!- SOG [~SOG@61.144.230.241] has quit [Client Quit]
01:42 -!- Champi [Champi@damn.e-leet.be] has quit [Quit: Quit]
01:47 -!- Champi [Champi@damn.e-leet.be] has joined ##openvpn
01:49 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
02:01 -!- UnterPerro [~UnterPerr@32.163.58.1] has quit [Quit: UnterPerro lives to save another day]
02:10 -!- Capkirk [~thomas@0133300189.0.fullrate.dk] has joined ##openvpn
02:34 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
02:57 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:09 -!- WinstonSmith [~true@f052096230.adsl.alicedsl.de] has quit [Ping timeout: 252 seconds]
03:19 -!- WinstonSmith [~true@e177093137.adsl.alicedsl.de] has joined ##openvpn
03:31 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has quit [Ping timeout: 276 seconds]
03:32 -!- d12fk [~heiko@vpn.astaro.de] has joined ##openvpn
03:35 -!- WinstonSmith [~true@e177093137.adsl.alicedsl.de] has quit [Ping timeout: 265 seconds]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- WinstonSmith [~true@e177093137.adsl.alicedsl.de] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:46 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 252 seconds]
03:53 -!- WinstonSmith [~true@e177093137.adsl.alicedsl.de] has quit [Ping timeout: 265 seconds]
04:11 -!- VirusTB [~VirusTB@ip-145-93-222-93.fontys.nl] has joined ##openvpn
04:19 < Capkirk> followed the tutorial on bridging ethernet with openvpn here : http://ubuntuforums.org/showthread.php?t=752127
04:19 < vpnHelper> Title: HOWTO: Using openvpn to bridge networks - Ubuntu Forums (at ubuntuforums.org)
04:19 < Capkirk> the tunnel is working
04:20 < Capkirk> but something is wrong i cant ping hosts from either side of the bridge
04:20 < Capkirk> ill post my config from server and client
04:22 < Capkirk> server : http://pastebin.com/RiDDnVRg
04:23 < Capkirk> client : http://pastebin.com/AZpnWFcz
04:24 < Capkirk> iptables is as it should be
04:24 < Capkirk> all chains is set to ACCPET
04:24 < Capkirk> any ideas?
04:45 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:58 -!- WinstonSmith [~true@e177093137.adsl.alicedsl.de] has joined ##openvpn
04:58 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
05:01 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
05:06 -!- VirusTB [~VirusTB@ip-145-93-222-93.fontys.nl] has quit [Quit: VirusTB]
05:19 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:37 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 252 seconds]
05:58 -!- WinstonSmith [~true@e177093137.adsl.alicedsl.de] has quit [Ping timeout: 265 seconds]
06:13 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has joined ##openvpn
06:19 < Capkirk> any openvpn wizz here today?
06:32 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
06:57 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
07:01 -!- BlackBishop [~dexter@d3xt3r01.tk] has left ##openvpn ["maybe next time."]
07:30 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
07:50 < Capkirk> can openvpn bridge 2 networks so i can have clients with adresses in the same iprange talk to each other?
07:51 < ecrist> Capkirk: yes, it can
07:51 < ecrist> I am currently doing that with my home users and two different data centers
07:59 < Capkirk> ecrist: i've allmost pulled all of my hair out trying to make this happen for 2 days now :)
07:59 < ecrist> that's no good.
08:00 < ecrist> do you have your lan interfaces bridged with your tap interfaces?
08:00 < Capkirk> yes
08:00 < Capkirk> both on server and client
08:00 < Capkirk> i can ping br0 interfaces from each box
08:00 < ecrist> can you draw (ascii/whatever) a diagram of what you have setup and what's not working?
08:01 < Capkirk> i can try :)
08:01 < Capkirk> i can explain as well?
08:01 < Capkirk> i have network 172.20.184.0/22
08:01 < Capkirk> which i want to bridge
08:01 < ecrist> diagram is better
08:01 < Capkirk> ok sec
08:02 < Capkirk> or give me some minuts :)
08:11 < Capkirk> ecrist: http://www.mediabits.org/picture/vpn.png
08:11 < Capkirk> pretty basic
08:12 < ecrist> that diagram confuses me.
08:12 < Capkirk> try agin
08:12 < Capkirk> ive changed it
08:12 < ecrist> Eth0 connects to the internet for both servers, right?
08:13 < ecrist> oh, I think I understand
08:14 < Capkirk> ecrist: yes
08:14 < ecrist> why is the client bridging, and what network on the vpn server are you trying to bridge?
08:14 < Capkirk> im trying to bridge 172.20.184.0/22
08:16 < Capkirk> i guess the client is bridging because i need to forward trafic from tap0 to eth1
08:16 < Capkirk> through br0 on client?
08:16 < Capkirk> eth1 is the interface the workstations will be connected on on client
08:17 -!- d12fk is now known as d000k
08:18 < ecrist> unless there is a network segment behind the client you need to give access to the whole lan, you don't need to bridge any interfaces on the client
08:18 < ecrist> lets start talking about the server
08:18 < ecrist> br0 is a bridge interface
08:18 < ecrist> what is the physical interface the LAN resides on?  Eth1?
08:18 < Capkirk> server : http://pastebin.com/4F5sVeXd
08:18 < Capkirk> yes
08:19 < ecrist> can you pastebin an ifconfig from the server?
08:19 < ecrist> with the VPN running?
08:19 < Capkirk> u see the server config?
08:20 < Capkirk> client config : http://pastebin.com/68ZQ4YvA
08:20 < ecrist> yes, I see the server config
08:23 < Cisien> that server config scares me
08:24 -!- krzee [~k@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
08:25 < Capkirk> hehe its not very beautifull but ive been working on it for long time now :)
08:25 < Cisien> http://www.cisien.com/server.conf
08:25 < Cisien> my tap bridge server config
08:26 < ecrist> Capkirk: http://pastebin.com/E10C0k9e
08:26 < ecrist> your server config is pretty nasty
08:26 < ecrist> that paste will clean some things up
08:26 < ecrist> you may need to change line 12
08:26 < Capkirk> ecrist: i dont use up.sh
08:26 < ecrist> the last two IPs are the start/stop range of IPs to hand out to vpn clients
08:27 < ecrist> you need to use something.
08:27 < Capkirk> i use /etc/network/interfaces
08:27 < ecrist> you should be able to get the idea
08:27 < ecrist> I'm guessing if you look at your ifconfig output, you'll notice that tap0 interface isn't in an 'up' state
08:28 < Capkirk> why do i need server-bridge?
08:29 < Cisien> because your adding your tap interface to your bridge?
08:29 < ecrist> because you're running a bridge
08:29 < ecrist> Capkirk: it'll be easier if you follow my direction and we work through any issues after it's all working.
08:29 < Capkirk> hehe sure 
08:30 < Capkirk> ecrist: i'll work with u
08:30 < ecrist> that config is pretty close to what i use in production now
08:30 < Capkirk> im just trying to understand as we work ;-)
08:30 < ecrist> with ~15 users, an office LAN and two data centers.
08:30 < ecrist> potentially soon, our voip phones will be using that, as well.
08:30 < Capkirk> and only one master dhcp server handing out ips on both networks?
08:31 < Cisien> using server-bridge, openvpn hands out the ip's
08:31 < Capkirk> ah
08:31 < Capkirk> i dont want that
08:31 < Cisien> you do
08:31 < Cisien> some operating systems don't assign dhcp addresses to the tap interface
08:31 < Capkirk> ahh ok u misundterstood me
08:31 < Capkirk> sorry
08:32 < Capkirk> my engrish no good
08:32 < Capkirk> :)
08:32 < Capkirk> what i meant
08:32 < ecrist> there is a way to get it to work with pushing DHCP from the lan DHCP server, but it can be problematic.
08:32 < Capkirk> the workstations on the other side of vpnclient needs to get dhcp from dhcpserver and not from vpnclient
08:32 < Cisien> server-bridge (gateway ip) (netmask) (start address) (end address)
08:32 < Capkirk> hmm yeah i get that
08:32 < ecrist> it's easier to carve a small space out of your network block and allow openvpn to manage those IPs
08:33 < ecrist> we have 3 different DHCP servers on two LANs, but hand out IPs to VPN clients from OpenVPN
08:33 < ecrist> it hands out as special range.
08:33 < Capkirk> damn well not i my case i need to be able to control which devices get which adress we use mac filtering
08:34 < Cisien> you do that through certificates, with openvpn
08:34 < ecrist> in our case, 10.0.0.0/24 is the office, 10.0.5.0 is the datacenter, 10.0.3.0 is the VPN, and they all really share the /16 netmask
08:34 < Cisien> each client is issued a unique certificate
08:34 < ecrist> Capkirk: you cannot mac filter tap interfaces
08:34 < Capkirk> ecrist: i get the idea but its not gonna work here
08:34 < ecrist> they have a randomly generated MAC address
08:34 < ecrist> also, mac filtering is retarded
08:35 < ecrist> anyone can set their mac address to anything they want.
08:35 -!- mroth- [gop1@ool-44c07f7c.dyn.optonline.net] has joined ##openvpn
08:35 < Capkirk> ecrist: i control the 2 vpn servers so no worries about them its the clients behind the vpnclient side 
08:35 < mroth-> is open vpn an alternative to sonicwall ssl vpn
08:35 < ecrist> mroth-: yes/no
08:35 < mroth-> what the difference
08:35 < ecrist> it's an alternative VPN, but it's not compatible with sonic wall
08:35 < mroth-> do I get a vpn portal page
08:35 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:36 < mroth-> like the sonicwall and a link to download the vpn client if I needed to
08:36 < Capkirk> ecrist: hehe yeah you could argue that but im not trying to revolutionize our hole system now im just trying to get openvpn bend around what we allready have sorry :(
08:36 -!- takamichi [~pri@pm303-98-27.keyworld.net] has quit [Ping timeout: 240 seconds]
08:36 -!- takamichi [~pri@94-23-148-250.ovh.net] has joined ##openvpn
08:36 -!- d000k is now known as d12fk
08:36 < ecrist> Capkirk: I don't think it's going to work the way you're configured now.
08:36 < Capkirk> so the question is : is it possible at all?
08:37 < mroth-> ecrist do I get a portal hompage per user, that is tied to active directory user data base
08:37 < mroth-> so if I user want to logon to open vpn, he does thru the ssl portal page
08:37 < Capkirk> will workstations/printers etc behind vpn client be able to make dhcp request through the tunnel to the master dhcp database?
08:37 < Capkirk> http://www.mediabits.org/picture/vpn.png
08:38 < Capkirk> the workstations and printers are connected to br0 via physical swich
08:38 < ecrist> mroth-: no
08:38 < Cisien> Capkirk, pretty sure they won't be able to.
08:38 < ecrist> Capkirk: they can, if you bridge things properly
08:38 < Capkirk> ecrist: enlighten me?
08:38 < mroth-> how does a user who is a network monkey (the regular get open vpn isntalled on his laptop)?
08:39 < Cisien> bridge two interfaces?
08:40 < mroth-> ig
08:40 < mroth-> oh
08:41 < ecrist> mroth-: the download openvpn and install it, then install the config files you give them.
08:46 -!- johnfg_ [~johnfg@spirit.org] has joined ##openvpn
08:46 < johnfg_> howdy folks
08:46 -!- johnfg [~johnfg@spirit.org] has quit [Quit: Leaving]
08:47 -!- johnfg_ [~johnfg@spirit.org] has quit [Client Quit]
08:47 -!- mroth- [gop1@ool-44c07f7c.dyn.optonline.net] has quit [Ping timeout: 265 seconds]
08:48 -!- johnfg [~johnfg@spirit.org] has joined ##openvpn
08:50 < johnfg> Wanted to make sure about something from the Howto: When I issue the command, ./build-key-server <server>, and ./build-key <client1>, am I supposed to enter the name of the openvpn server for server and the machine name of client1, client2, etc.?
08:50 < johnfg> I.e., the actual hostname for server?
08:51 < jpalmer> are you talking about for the common name?
08:52 < johnfg> jpalmer, No, what you enter on the cli itself when creating the certs.
08:52 < jpalmer> it asks for several things.  which one *specifically* are you referring to?
08:53 < johnfg> Or do I actually issue ./build-key-server server, or ./build-key-server church.spirit.org?
08:53 < jpalmer> oh,  you mean the argument to the command itself?  yes.  thats the 'common name'
08:54 < jpalmer> and the answer tot hat is entirely up to you.  It should be something that makes sense, AND is unique to each server.
08:54 < jpalmer> hostnames work well, as long as you take into account that you may have several servers in a cluster.. and use the unique hostname of each, rather than the cluster hostname.
08:55 < johnfg> So, when I make the certificate, I'd issue from the cli, ./build-key-server <my.server.name> then enter my responses to the rest of the questions.
08:55 < jpalmer> that sounds correct.  yes.
08:59 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Ping timeout: 252 seconds]
09:12 -!- takamichi [~pri@94-23-148-250.ovh.net] has quit [Ping timeout: 240 seconds]
09:12 -!- takamichi [~pri@pm303-98-27.keyworld.net] has joined ##openvpn
09:14 -!- macsppadic [~sonupunno@88.211.55.77] has left ##openvpn []
09:15 -!- Chaze [852c01dd@gateway/web/freenode/ip.133.44.1.221] has joined ##openvpn
09:17 < Chaze> hi there. i'm using openvpn to tunnel out of a very restricting network. the proxy i have to use only allows http traffic
09:17 < Chaze> it all works fine except DNS lookups
09:17 < Chaze> when i use the VPN, i cannot resolve domains
09:18 -!- d12fk is now known as d000k
09:18 < Chaze> usually, the domain lookup should also be tunneled.. right?
09:18 -!- manevra [manevra@94.46.8.76] has joined ##openvpn
09:28 -!- d000k is now known as d12fk
09:29 < Chaze> this network doesn't allow any other dns requests but those to their own server. but still, when openvpn is running, it shouldn't even appear as DNS requests right?
09:30 -!- riversky [~neo@c-68-63-239-8.hsd1.fl.comcast.net] has joined ##openvpn
09:34 -!- Capkirk [~thomas@0133300189.0.fullrate.dk] has quit [Quit: leaving]
09:35 -!- Chaze [852c01dd@gateway/web/freenode/ip.133.44.1.221] has quit [Ping timeout: 252 seconds]
09:45 < krzie> meh, he needs to !pushdns
09:57 -!- nickelnick [~nickelnic@168.103.65.93] has joined ##openvpn
09:57 < nickelnick> i setup openvpn and the shit works fine on my linux box connected via windows client (client 10.8.0.6, server 10.8.0.1) and can ping local network eth1 ip 192.168.237.40...but not 192.168.237.2 (the gateway) or .202 (another windows machine on the wifi)
09:58 < nickelnick> any thoughts?
09:59 < nickelnick> my network looks like this
09:59 < nickelnick> http://www.gliffy.com/publish/2226045/
09:59 < vpnHelper> Title: Gliffy Public Diagram - precis (at www.gliffy.com)
09:59 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has quit [Quit: Leaving]
10:05 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
10:11 < johnfg> Things seem to be working on the server fine after initial startup with, "openvpn server.conf".
10:12 < nickelnick> yes
10:12 < nickelnick> my tunnel is working great...i can hit the 10.8.0.1
10:12 < johnfg> Does my win xp client 'have' to use openvpn or will the standard work?
10:12 < nickelnick> can hit 192.168.237.40 from the client
10:13 < nickelnick> but cannot hit 237.202
10:13 < nickelnick> and then from 202 i can ping 10.8.0.1
10:13 < nickelnick> but cannot hit the client at 10.8.0.6
10:13 < nickelnick> johng what do you mean
10:13 < nickelnick> you cant just use the winxp built in pptp deal
10:13 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
10:14 < nickelnick> thats for IPsec setup i thought
10:14 < nickelnick> however, you can run openvpn client without the gui
10:14 < nickelnick> in win
10:14 < nickelnick> you would just have to run it in a dos window
10:14 < johnfg> nickelnick, Ok, I'll remote download/install it.
10:14 < nickelnick> or you COULD make it a service
10:14 < nickelnick> and have it start with the comp as a daemon
10:15 < nickelnick> wouldn't reccomend it unless you will always need it
10:15 -!- aranax [~aranax@unaffiliated/aranax] has joined ##openvpn
10:16 < nickelnick> yea your using certs on openvpn vs ipsec on windows (or like a netgear firewall/vpn device)
10:16 < nickelnick> i would much rather use ipsec for what we need, but...
10:16 < nickelnick> i couldn't get a simple pptpd server going right
10:16  * nickelnick is semi-noobish
10:18 < aranax> hi! how I can resolve names in a windows network whit open vpn
10:19 < aranax> i can do ping 172.x.x.x, but no ping nameInAnotherNetwork
10:21 -!- krzie is now known as krzee
10:23 < nickelnick> linux openvpn or windows
10:23 < nickelnick> and linux client or windows client?
10:23 < nickelnick> krzie!
10:23 < nickelnick> dude
10:24 < nickelnick> you busy?
10:24 < krzee> sup man
10:24 < nickelnick> aranax: i would say check your windows32\drivers\etc\host file (windows) or /etc/hosts (linux)
10:24 < nickelnick> make sure you have that hostname and ip to resolve
10:25 < aranax> nickelnick: linux openvpn server and clients windows
10:25 < nickelnick> yea so add
10:25 < nickelnick> hostname    172.x.x.x
10:25 < nickelnick> to /etc/hosts
10:25 < nickelnick> then i think you need to restart the network, i cant remember
10:26 < nickelnick> krzee man i am still stuck on this route to 202
10:26 < nickelnick> not sure where we left off last
10:26 < nickelnick> i setup openvpn and the shit works fine on my linux box connected via windows client (client 10.8.0.6, server 10.8.0.1) and can ping local network eth1 ip 192.168.237.40...but not 192.168.237.2 (the gateway) or .202 (another windows machine on the wifi)
10:26 < nickelnick> remember that?
10:27 < nickelnick> from .202, i can hit 10.8.0.1, but not the client at 10.8.0.6
10:27 < aranax> nickelnick: question, the dns don't have to resolved that?
10:27 < krzee> nickelnick, you were the guy with a lan subnet and different wifi subnet?
10:27 < nickelnick> yea tahts me
10:28 < nickelnick> i am pretty dissapointed in myself not being able to overcome this
10:28 < ecrist> bah, colored text
10:28 < krzee> im still unsure exactly how you should be doing it... like if wifi and wired SHOULD be able to route to eachother...
10:28 < nickelnick> aranax: do you have it resolving that A?
10:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
10:28 < ecrist> nickelnick: for what it's worth, all that text you're forcing to black is invisible to those who use a black background.
10:28 < krzee> i have colors turned off
10:29 < nickelnick> forcing black?
10:29 < nickelnick> i'm just using the basic
10:29 < krzee> ahh hes using trillian
10:29 < nickelnick> :)
10:30 < nickelnick> yea im unsure also, i have tried a number of things been recomended
10:30 < aranax> nickelnick: ?
10:30 < nickelnick> sup
10:31 < vpnHelper> RSS Update - forum: Server Administration :: Re: strange 2.1.3 routing table at WinXP Pro :: Reply by Douglas <https://forums.openvpn.net/viewtopic.php?f=4&t=7061&p=7768#p7768>
10:47 -!- johnfg [~johnfg@spirit.org] has quit [Quit: Leaving]
10:48 -!- WinstonSmith [~true@g225028059.adsl.alicedsl.de] has joined ##openvpn
10:55 -!- WinstonSmith [~true@g225028059.adsl.alicedsl.de] has quit [Ping timeout: 252 seconds]
10:59 -!- nickelnick [~nickelnic@168.103.65.93] has quit [Read error: No route to host]
10:59 -!- nickelnick [~nickelnic@168.103.65.93] has joined ##openvpn
10:59 -!- nickelnick [~nickelnic@168.103.65.93] has quit [Client Quit]
11:08 -!- bandini [~bandini@host248-107-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
11:22 -!- pif [~ldm@zenon.apartia.fr] has quit [Read error: Connection reset by peer]
11:25 -!- WinstonSmith [~true@g225028059.adsl.alicedsl.de] has joined ##openvpn
11:25 -!- aranax [~aranax@unaffiliated/aranax] has left ##openvpn []
11:28 < Zathraz> hi. I know pushing DNS etc can be a bit tricky. nevertheless:
11:29 < Zathraz> connecting 2 LANs on an occasional basis. Both running a DNS server
11:29 < Zathraz> so server A connecting to server B does it's nameresolving via 127.0.0.1
11:29 < Zathraz> how can temp "add" DNS+WINS to this machine?
11:30 < Zathraz> *how can I add
11:31 < Zathraz> I could add server B's DNS IP to server A but that would slow down DNS resolving of server A when there is no connection to B
11:31 < Zathraz> is there a more elegant way to do so?
11:45 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has joined ##openvpn
11:48 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has quit [Read error: Connection reset by peer]
11:50 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has joined ##openvpn
11:55 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has quit [Quit: Leaving]
11:56 -!- Kurogane [~kuro@190.87.68.43] has joined ##openvpn
11:58 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
12:08 < ecrist> !pushdns
12:08 < vpnHelper> ecrist: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
12:16 < Dougy> hi eric
12:19 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:23 -!- mroth- [~gopp@ool-ad03878c.dyn.optonline.net] has joined ##openvpn
12:23 < mroth-> how much resources does openvpn appliance tae
12:24 < mroth-> take
12:24 < mroth-> secondly
12:24 < mroth-> hwo does one backup openvpn
12:25 < mroth-> HOW Much resources does
12:26 < mroth-> open virtual machien for vmware take
12:31 -!- karlgus [~karlgus@h-104-168.A251.priv.bahnhof.se] has joined ##openvpn
12:39 -!- Varazir [mircwars@c-94-255-129-218.cust.bredband2.com] has joined ##openvpn
12:40 < krzee> mroth-, how many clients do you plan on having connected, what os
12:40 < Varazir> Hello , have anyone tried open vpn on a Android phone ? 
12:40 < krzee> i dont have exact numbers
12:40 < krzee> Varazir, i tried a tiny bit, but never took my attempts very far because i was using xdandroid and had other issues with it
12:40 < krzee> !android
12:40 < vpnHelper> krzee: Error: "android" is not a valid command.
12:40 < krzee> =/
12:41 < Varazir> ok 
12:41 -!- ksk_ [~ksk@im.knubz.de] has joined ##openvpn
12:41 -!- mroth [~gopp@ool-44c07f7c.dyn.optonline.net] has joined ##openvpn
12:41 < Varazir> I can see the client try to connect and getting config but after that it failes 
12:42 -!- stein0_ [~stein@mail.vgnett.no] has joined ##openvpn
12:42 < Varazir> -try to 
12:43 < Varazir> Well I have to see if I can get hold of the dev who made the client 
12:43 -!- mroth- [~gopp@ool-ad03878c.dyn.optonline.net] has quit [Ping timeout: 276 seconds]
12:44 < krzee> and the same config works from a diff OS...?
12:45 < krzee> if you do happen to contact him, let him know he's welcome in the dev channel =]
12:47 -!- cj_ [~cjac@router0.colliertech.org] has joined ##openvpn
12:47 -!- cj [~cjac@router0.colliertech.org] has quit [Ping timeout: 255 seconds]
12:47 -!- stein0 [~stein@mail.vgnett.no] has quit [Ping timeout: 255 seconds]
12:48 -!- ksk [~ksk@im.knubz.de] has quit [Ping timeout: 255 seconds]
12:48 < KipMacy> i get this in error of client, what am i doing wrong?: Cannot allocate TUN/TAP dev dynamically
12:48 -!- mroth [~gopp@ool-44c07f7c.dyn.optonline.net] has quit [Ping timeout: 265 seconds]
12:50 < Varazir> the same conf worked on my laptop 
12:50 < Varazir> I have to add that I'm using openvpnAS, I hope that isn't going to make truble :P 
12:52 < Varazir> I know you don't support that here :) 
12:52 < Dougy> !factoids search openvpnas
12:52 < vpnHelper> Dougy: No keys matched that query.
12:52 < Dougy> !factoids search openvpn access server
12:52 < vpnHelper> Dougy: No keys matched that query.
12:53 < Dougy> !factoids search access
12:53 < vpnHelper> Dougy: "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations options
12:53 < vpnHelper> Dougy: supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
12:55 < Varazir> sould prob setup a normal openvpn server and try it 
12:56  * Varazir loves ESXi
12:57 < Varazir> gtg thanks for the info 
13:32 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
13:33 < vpnHelper> RSS Update - forum: Server Administration :: "Reclaim" VPN IP addresses :: Author george <https://forums.openvpn.net/viewtopic.php?f=4&t=7081&p=7769#p7769>
14:03 -!- le0_ [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has quit [Quit: Leaving]
14:04 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
14:12 -!- solars [~solars@194.48.133.8] has joined ##openvpn
14:12 < solars> !howto
14:12 < vpnHelper> solars: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:28 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:32 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
14:34 < vpnHelper> RSS Update - forum: Server Administration :: Forward Traffic through VPN to Home Gateway :: Author kcghost <https://forums.openvpn.net/viewtopic.php?f=4&t=7082&p=7770#p7770>
14:43 -!- Rolybrau [~Rolybrau@248-10.3-85.cust.bluewin.ch] has joined ##openvpn
14:44 -!- Rolybrau [~Rolybrau@248-10.3-85.cust.bluewin.ch] has quit [Changing host]
14:44 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
14:50 -!- d303k [~heiko@i59F79E70.versanet.de] has joined ##openvpn
14:52 -!- d303k [~heiko@i59F79E70.versanet.de] has left ##openvpn ["Konversation terminated!"]
14:57 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has quit [Quit: Leaving.]
15:04 -!- Alocado [~matthias@2001:6f8:10e8:0:225:d3ff:fe1a:a837] has joined ##openvpn
15:05 < Alocado> hello! if i have a vpn connection during several days and the client IP (not the inner vpn ip) changes... can i track these client ips / is there any script called on client ip change?
15:17 -!- Jarpse [~jarpse@cluon.soleus.nu] has quit [Ping timeout: 276 seconds]
15:20 -!- Visual` [~visualsta@unaffiliated/visualstation] has left ##openvpn []
15:28 -!- WinstonSmith [~true@g225028059.adsl.alicedsl.de] has quit [Ping timeout: 265 seconds]
15:29 -!- karlgus [~karlgus@h-104-168.A251.priv.bahnhof.se] has quit [Remote host closed the connection]
15:42 -!- WinstonSmith [~true@e179004175.adsl.alicedsl.de] has joined ##openvpn
15:43 < Dougy> Varazir: meh
15:43 < vpnHelper> RSS Update - forum: Server Administration :: OpenVPN startup fails :: Author NiQ <https://forums.openvpn.net/viewtopic.php?f=4&t=7083&p=7771#p7771>
15:43 < Dougy> esxi doesnt impress me any more
15:43 -!- Alocado [~matthias@2001:6f8:10e8:0:225:d3ff:fe1a:a837] has quit [Quit: Ex-Chat]
15:45 < Varazir> Well it works for me 
15:45 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
15:46 -!- bandini [~bandini@host248-107-dynamic.21-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
15:48 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
15:50 < Varazir> Well bed time G'night 
15:52 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
15:57 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:08 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
16:14 < vpnHelper> RSS Update - forum: Server Administration :: Re: OpenVPN startup fails :: Reply by NiQ <https://forums.openvpn.net/viewtopic.php?f=4&t=7083&p=7772#p7772>
16:25 -!- solars [~solars@194.48.133.8] has quit [Quit: WeeChat 0.3.0]
16:38 < vpnHelper> RSS Update - forum: Server Administration :: Re: Forward Traffic through VPN to Home Gateway :: Reply by NiQ <https://forums.openvpn.net/viewtopic.php?f=4&t=7082&p=7773#p7773>
16:50 < vpnHelper> RSS Update - forum: Server Administration :: Re: Client fails to start on Win7 x64 - Entry point not foun :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7079&p=7774#p7774>
17:00 -!- UnterPerro [~UnterPerr@32.163.162.104] has joined ##openvpn
17:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 252 seconds]
17:10 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
17:13 -!- takamichi [~pri@pm303-98-27.keyworld.net] has quit [Ping timeout: 264 seconds]
17:13 -!- _spq` [bnc00026@user.unregistered.de] has joined ##openvpn
17:16 -!- takamichi [~pri@78.133.38.220] has joined ##openvpn
17:20 -!- spq` [spq@user.unregistered.de] has quit [Ping timeout: 246 seconds]
17:35 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has quit [Ping timeout: 240 seconds]
17:36 -!- Sky[XX] [~SkyB0x@212.235.177.25] has joined ##openvpn
17:39 -!- WinstonSmith [~true@e179004175.adsl.alicedsl.de] has quit [Ping timeout: 265 seconds]
17:40 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
17:44 -!- UnterPerro [~UnterPerr@32.163.162.104] has quit [Quit: UnterPerro lives to save another day]
17:52 -!- WinstonSmith [~true@f052103214.adsl.alicedsl.de] has joined ##openvpn
18:00 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:03 -!- riversky [~neo@c-68-63-239-8.hsd1.fl.comcast.net] has quit [Ping timeout: 265 seconds]
18:34 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
18:34 -!- SOG [~SOG@61.144.230.241] has quit [Client Quit]
18:35 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
18:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
18:48 -!- Sky[XX] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
18:53 -!- Chaze [~Chase@74.117.157.254] has joined ##openvpn
18:54 < Chaze> ok, here is an interesting problem: my vpn tunnel is the only way for me to connect to the internet. now i need to restart openvpn. but as soon as it shuts down, i wont't be able to continue my ssh session to the server
18:54 < Chaze> what do i do? :)
18:54 < |Mike|> man tcp !
18:55 < |Mike|> the host appears to be down?
18:55 < Chaze> |Mike|: was that a reply to me?
18:56 < |Mike|> y
18:57 < Chaze> no, the server is up and runnig
18:57 < Chaze> but i need to change it's config. so usally i'd just kill the process and start it again
18:57 < Chaze> but i can't do that, when i kill the process, i lose my connection to the outside world
19:01 -!- manevra_ [~manevra@188.27.111.57] has joined ##openvpn
19:03 < |Mike|> Chaze: sounds like you want to setup another openvpn server for such cases :)
19:03 < Chaze> heh, oh great
19:04 < |Mike|> is that possible?
19:04 < Chaze> you mean another physical server?
19:04 < Chaze> no
19:04 -!- manevra [manevra@94.46.8.76] has quit [Ping timeout: 272 seconds]
19:04 < Chaze> another instance won't work either, as i need a specific port
19:05 < |Mike|> virtual or physical doesn't really mather
19:05 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Ping timeout: 240 seconds]
19:05 < Chaze> no, i can't just have two instances running on the same port of the same machine
19:07 < |Mike|> doh.
19:07 < Chaze> oh well, i'll leave for now. might ask again later :)
19:07 -!- Chaze [~Chase@74.117.157.254] has quit [Quit: Chaze]
19:07 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
19:07 < |Mike|> heh
19:20 -!- adiala [5927ae4a@gateway/web/freenode/ip.89.39.174.74] has joined ##openvpn
19:20 -!- takamichi [~pri@78.133.38.220] has quit [Ping timeout: 258 seconds]
19:20 -!- takamichi [~pri@78.133.38.220] has joined ##openvpn
19:21 < adiala> hello, i have  openvpn client on a windows xp machine, any ideea why the tap adapter has 10mbps speed when my network connection has 1gbps speed ?
19:21 < adiala> can i increase it in any way ?
19:23 < adiala> Bushmills: 
19:23 < |Mike|> don't hilight people.
19:25 < adiala> nobody answers my question
19:26 < adiala> is it that difficult
19:26 < |Mike|> adiala: You're using the opensource OpenVPN server/client?
19:27 < adiala> yes
19:27 < adiala> downloaded from openvpn.net
19:28 < |Mike|> Basically 'OpenSource' means no support unless there's a community behind the product.
19:29 < adiala> are you an idiot ?
19:29 < adiala> what is this channel for
19:29 < adiala> i have never hurd anything so stupid in my life
19:29 < adiala> get the fuck out of here
19:30 < adiala> ignore
19:30 < |Mike|> adiala: go suck a dick, seriously.
19:30 < adiala> i don`t know who the hell asked you anything.. you suffer for ignoration or what ? you didn`t had toys when you were little
19:31 < adiala> first you are telling me not to highlight people, when i wasn't highlighted you
19:31 < adiala> lool
19:31 < |Mike|> For fuck sake, this is the first person in years what I ignored :S
19:31 < adiala> i think you wanna lick my pussy and you don know how
19:31 < |Mike|> `/n
19:31 < adiala> you are a total idiot. i am betting my life that you sucked a dick or were fucked in the ass when you were a little kid
19:31 < adiala> i bet my life on it
19:32 < adiala> because of how you are acting
19:32 < adiala> you dumb monkey
19:34 < |Mike|> I adore silence after ignoring something :)
19:36 < adiala> you adore  changing your diper
19:36 < adiala> you stupid ass drilled monkey
19:37 < adiala> your ass is so drilled that when you need to take a shit, you can't hold yourself until you get home
19:37 < adiala> you shit in your pants because of the large hole you have
19:37 < adiala> due to the big number of kilometers of penis that were introduced in your ass
19:43 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Quit: Leaving.]
19:44 -!- adiala [5927ae4a@gateway/web/freenode/ip.89.39.174.74] has left ##openvpn []
19:46 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
20:19 -!- dxtr [dxtr@unaffiliated/dxtr] has quit [Read error: Operation timed out]
20:27 -!- dxtr [dxtr@unaffiliated/dxtr] has joined ##openvpn
20:46 -!- duplexer [~duplexer@c-76-125-30-90.hsd1.ga.comcast.net] has joined ##openvpn
20:49 < vpnHelper> RSS Update - forum: Configuration :: Using dynamic public IP addresses for clients :: Author mindframe <https://forums.openvpn.net/viewtopic.php?f=6&t=7084&p=7775#p7775>
21:05 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
21:07 -!- duplexer [~duplexer@c-76-125-30-90.hsd1.ga.comcast.net] has quit [Read error: Connection reset by peer]
21:08 -!- duplexer [~duplexer@c-76-125-30-90.hsd1.ga.comcast.net] has joined ##openvpn
21:11 -!- duplexer [~duplexer@c-76-125-30-90.hsd1.ga.comcast.net] has quit [Read error: Connection reset by peer]
21:12 -!- duplexer [~duplexer@c-76-125-30-90.hsd1.ga.comcast.net] has joined ##openvpn
21:17 -!- p3rror [~mezgani@2001:0:53aa:64c:182b:6d9d:3b31:a65d] has joined ##openvpn
21:31 -!- WinstonSmith [~true@f052103214.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
21:38 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
21:41 -!- danley [5f73e5a5@gateway/web/freenode/ip.95.115.229.165] has joined ##openvpn
21:56 < danley> hello everyone. I've got a problem with OpenVPN. i was trying to connect to networks.  now i am a bit confused because some machines can reach each other, some can't. i've written it down here: http://pastebin.com/Ai1qP7i6 can anybody help?
22:01 < vpnHelper> RSS Update - forum: Configuration :: Re: Using dynamic public IP addresses for clients :: Reply by mindframe <https://forums.openvpn.net/viewtopic.php?f=6&t=7084&p=7776#p7776>
22:09 < danley> anyone?
22:17 -!- brah [~brah@host228.190-31-221.telecom.net.ar] has joined ##openvpn
22:27 -!- duplexer [~duplexer@c-76-125-30-90.hsd1.ga.comcast.net] has quit [Read error: Connection reset by peer]
22:39 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
22:57 -!- p3rror [~mezgani@2001:0:53aa:64c:182b:6d9d:3b31:a65d] has quit [Ping timeout: 272 seconds]
23:04 -!- Votality [~Votality@ppp118-208-10-228.lns20.bne1.internode.on.net] has joined ##openvpn
23:04 < Votality> hi guys
23:04 < Votality> if im using openvpn with certificates to authenticate clients
23:04 < Votality> how do i add two factor login
23:04 < Votality> i.e cert + login + pass
23:09 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
23:10 < crazygir> the login is authenticated by the cert, the cert is authenticated by the passphrase
23:10 < crazygir> yes, that is one way
23:11 < crazygir> you could use an RSA key or something too
23:11 < crazygir> and plenty of other options
23:12 < Votality> so you must make a certificate with a passphrase ?
23:12 < Votality> its just ive made some certificates and can login
23:13 < Votality> but ive decided i want a username and password prompt aswell
23:13 < Votality> so the user must have the correct client certificate and l & p
23:14 -!- UnterPerro [~UnterPerr@32.163.162.104] has joined ##openvpn
23:14 -!- jY [jy@photoblog.com] has joined ##openvpn
23:15 < jY> i'm trying to do a server-bridge  i have a lan 192.168.71.0/24 and i want 60-70 for vpn.. when I setup the bridged interface in redhat.. i can only connect to it from computers on the lan.. not via the public IP which is natted
23:15 < Bushmills> or scripts password checking, using  auth-user-pass and auth-user-pass-verify
23:23 < Votality> Bushmills, to use just a flat file what do i add to client/server end
23:23 < Votality> auth-user-pass to client
23:23 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
23:24 < danley> hi! i've set up a client and a server like in the examples of OpenVPN. i want the client do be able to cennect to machines in the subnet of the server. this does not work. machines from the server's subnet can ping the client, the client cant ping them. what am i doing wrong?
23:25 < Votality> im assuming ip routing is enabled then
23:25 < danley> it is
23:25 < Votality> im assuming the client has a route required to connect to the server network
23:26 < Votality> check what mask it added to the client
23:26 < Votality> oh wait
23:26 < Votality> this is routed 
23:26 < Votality> any firewall on the server
23:26 < danley> iptables are all empty
23:27 < danley> what confuses me is that a ping from the machine in the servers subnet goes to the client and back again but not the other way
23:27 < Votality> if you traceroute to the machine on the server subnet where does it stop
23:29 < danley> Votality: http://pastebin.com/F2wSBADh
23:29 < jY> I have the following "server 192.168.72.0 255.255.255.0"  how come when a client connects in it pushes a route of 192.168.72.5 ?
23:29 < jY> shouldn't it be .1?
23:29 < jY> my tun0 has .1 as an ip
23:31 < Votality> so it gets to the server and stops
23:33 < danley> jup. the servers ip_forward is set and the routing table looks fine to me:
23:33 < danley> http://pastebin.com/mduxdSSq
23:33 < danley> i dont know why it stops there
23:36 < danley> with tcp dump i can see the udp paket arriving at the server and then it says 10.8.0.6 > 192.168.220.109: ICMP echo request and that's it
23:40 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 264 seconds]
23:40 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
23:43 < danley> OH!
23:43 < danley> now i can see why
23:46 -!- duplexer [~duplexer@c-76-125-17-136.hsd1.ga.comcast.net] has joined ##openvpn
23:47 < danley> in the default gateway i only entered the client's network route, not the route to the VPN network with 10.8.... the paket arrives at the host and he sends it back to the adress 10.8.0.6. the default gw know nothing about a net like that and sends it to its default gw or throws it away or whatever.
23:47 < danley> there was a missing route in the default gateway of the servers subnet
23:47 < danley> thanks for your help Votality 
23:49 < danley> jY: if you give a more precise description of your problem i may be able to help you
23:50 < jY> danley, when the client connects.. i get a default route of .5
23:50 < jY> i can ping .1 and my ip assigned to the client of .6
23:50 < danley> waht...5?
23:50 < jY> but not .5
23:50 < jY> let me pastebin my route table
23:51 < jY> http://pastebin.com/cRtEfaCG
23:51 < jY> PUSH: Received control message: 'PUSH_REPLY,route 192.168.72.1,ifconfig 192.168.72.6 192.168.72.5'
23:53 < danley> do you have the server and client config file for me?
23:53 < jY> ya
23:54 < jY> http://pastebin.com/mDxj2260 server
23:54 < jY> http://pastebin.com/bm3Dr0iD client
23:57 < danley> why is that one line in the server config commented out?
23:59 < jY> that is my main lan
23:59 < jY> just commented out to get this route issue working first
--- Day changed Fri Sep 10 2010
00:00 < danley> so you can reach the server by pinging 192.168.72.1
00:00 < jY> yes
00:00 < danley> and ofc your own machine which is 192.168.72.6
00:01 < jY> correct
00:01 -!- duplexer [~duplexer@c-76-125-17-136.hsd1.ga.comcast.net] has quit [Ping timeout: 276 seconds]
00:02 < danley> if you type "ifconfig" is there something like inet Adresse:192.168.72.6  P-z-P:192.168.72.5 at the tun device?
00:04 -!- UnterPerro [~UnterPerr@32.163.162.104] has quit [Quit: UnterPerro lives to save another day]
00:04 < jY> yes there is
00:04 < jY> so its working as should then?
00:04 < danley> yup
00:05 < danley> that has to do with the point-to-point connection
00:05 < jY> ok so then it sounds like its iptables rules on my server that i can't ping anything on 192.168.71.0/24
00:05 < jY> if i uncomment that push line that is?
00:07 < jY> i can ping a .71.15 but that is attached to the server 
00:07 < jY> but no other ip on that subnet
00:08 < danley> does the host you're trying to ping has a route to the VPN server?
00:09 < danley> that's the same mistake i just did^^
00:11 < jY> ya
00:11 < jY> i can ping the vpn server just fine
00:11 < danley> wait
00:13 < danley> e.g. your client with the ip 192.168.72.6 sends a ping to 192.168.71.123. 192.168.71.123 recieves it and wants to send it back to 192.168.72.6 but has no entry for the net 192.168.72.0/24 in it's routing table
00:13 < danley> then the ping can't get back to your client and it fails
00:13 < jY> ok
00:13 < danley> you have to add a rounting entry with the subnet 192.168.72.0/24 or 192.168.72.6/32 and the gateway is you vpn server
00:13 -!- duplexer [~duplexer@c-76-125-17-136.hsd1.ga.comcast.net] has joined ##openvpn
00:13 < jY> so each server needs the .72.0 in the routing rules
00:13 < kraut> moin
00:13 < jY> ok thanks
00:14 < danley> each server
00:14 < danley> or
00:14 < danley> you add that entry in the router that is the default gateway for all the servers
00:14 < danley> that should work too
00:14 < jY> ok
00:14 < jY> thanks for the help!
00:16 < danley> i hope that works for you ;)
00:16 < danley> could still be a firewall or ip_forwarding though
00:16 < jY> looks like it might be the router
00:16 < jY> looks like .72 is our phones.. so that'll cause all sorts of issues
00:17 < jY> plus a route is already setup for that subnet so i'll switch and setup another route
00:17 < jY> thanks for the help
00:17 < danley> np, i'm glad i could help :)
00:20 -!- voxter [~voxter@macpro.daytonhome.voxter.net] has joined ##openvpn
00:23 -!- duplexer [~duplexer@c-76-125-17-136.hsd1.ga.comcast.net] has quit [Read error: Connection reset by peer]
00:25 -!- duplexer [~duplexer@c-76-125-17-136.hsd1.ga.comcast.net] has joined ##openvpn
00:28 -!- duplexer [~duplexer@c-76-125-17-136.hsd1.ga.comcast.net] has quit [Read error: Connection reset by peer]
00:29 -!- duplexer [~duplexer@c-76-125-17-136.hsd1.ga.comcast.net] has joined ##openvpn
00:40 -!- duplexer [~duplexer@c-76-125-17-136.hsd1.ga.comcast.net] has quit [Ping timeout: 276 seconds]
00:50 -!- duplexer [~duplexer@c-76-125-17-136.hsd1.ga.comcast.net] has joined ##openvpn
01:09 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:15 -!- SOG [~SOG@61.144.230.241] has quit [Quit: I will be back!]
01:15 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
01:36 < hyper_ch> how to deploy openvpn on a large scale as vpn provider? ^^
01:42 < SOG> Large Scale ?
01:46 < hyper_ch> you know, now that Switzerland did expressily forbid to log ip addresses by private companies in order to track down alleged file-caring people, I tend to think it would be a good opportunity to offer the Swiss IP Secrecy to other people also by providing them with a VPN access here :)
02:04 -!- Votality [~Votality@ppp118-208-10-228.lns20.bne1.internode.on.net] has quit [Quit: Leaving]
02:06 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Read error: Operation timed out]
02:07 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:07 -!- mode/##openvpn [+o mattock] by ChanServ
02:15 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has joined ##openvpn
02:22 -!- manevra_ [~manevra@188.27.111.57] has quit [Quit: Leaving]
02:31 -!- WinstonSmith [~true@e179001190.adsl.alicedsl.de] has joined ##openvpn
02:34 < vpnHelper> RSS Update - forum: Annoucements :: OpenVPN 2.2-beta3 released :: Author samuli <https://forums.openvpn.net/viewtopic.php?f=20&t=7085&p=7777#p7777>
02:37 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Read error: Connection reset by peer]
02:37 -!- SOG [~SOG@61.144.230.241] has quit [Quit: I will be back!]
02:44 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
02:47 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
02:47 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
03:01 -!- SOG [~SOG@61.144.230.241] has quit [Remote host closed the connection]
03:04 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
03:07 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
03:12 -!- ScriptFanix [~bofh@cl-53.mrs-01.fr.sixxs.net] has joined ##openvpn
03:17 -!- ksk_ is now known as ksk
03:22 < ksk> test
03:22 < ksk> works, thx
03:28 -!- SOG__ [~SOG@61.144.230.241] has joined ##openvpn
03:29 -!- SOG__ [~SOG@61.144.230.241] has quit [Client Quit]
03:31 -!- SOG_ [~SOG@61.144.230.241] has joined ##openvpn
03:32 -!- SOG [~SOG@61.144.230.241] has quit [Ping timeout: 252 seconds]
03:32 -!- SOG_ is now known as SOG
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:39 -!- WinstonSmith [~true@e179001190.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
03:53 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
03:53 -!- WinstonSmith [~true@e179001190.adsl.alicedsl.de] has joined ##openvpn
04:18 -!- autoditac [~autoditac@port-87-193-217-30.static.qsc.de] has joined ##openvpn
04:20 < autoditac> hi. how do i check that the username passed via auth-pass-verify matches the common name of the also passed client certificate, i.e that the user authenticating aginast my ldap shows the right certificate?
04:23 -!- dxtr [dxtr@unaffiliated/dxtr] has quit [Ping timeout: 259 seconds]
04:31 -!- dxtr [dxtr@unaffiliated/dxtr] has joined ##openvpn
04:34 -!- Kurogane [~kuro@190.87.68.43] has quit [Read error: Connection reset by peer]
04:35 -!- Kurogane [~kuro@190.87.68.43] has joined ##openvpn
04:52 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has quit [Ping timeout: 240 seconds]
04:58 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has quit [Ping timeout: 255 seconds]
05:03 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 272 seconds]
05:04 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
05:06 -!- theDoc [~Link@173.236.41.36] has joined ##openvpn
05:07 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has joined ##openvpn
05:10 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has joined ##openvpn
05:11 -!- theDoc [~Link@173.236.41.36] has quit [Ping timeout: 240 seconds]
05:16 -!- theDoc [~Link@173.236.41.37] has joined ##openvpn
05:20 -!- SOG [~SOG@61.144.230.241] has quit [Remote host closed the connection]
05:21 -!- SOG [~SOG@n112118134202.netvigator.com] has joined ##openvpn
05:21 -!- SOG [~SOG@n112118134202.netvigator.com] has quit [Client Quit]
05:30 -!- theDoc [~Link@173.236.41.37] has quit [Quit: There's nothing to boo in boobies.]
05:35 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has quit [Ping timeout: 258 seconds]
06:11 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has joined ##openvpn
06:11 -!- ScriptFanix [~bofh@cl-53.mrs-01.fr.sixxs.net] has quit [Quit: WeeChat 0.3.2]
06:11 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined ##openvpn
06:26 -!- autoditac [~autoditac@port-87-193-217-30.static.qsc.de] has quit [Ping timeout: 240 seconds]
07:09 < vpnHelper> RSS Update - forum: Announcements :: OpenVPN 2.2-beta3 released :: Author samuli <https://forums.openvpn.net/viewtopic.php?f=20&t=7085&p=7777#p7777>
07:15 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
07:18 -!- jY [jy@photoblog.com] has quit [Ping timeout: 245 seconds]
07:18 -!- jY [jy@photoblog.com] has joined ##openvpn
07:19 -!- szr [~SR@unaffiliated/szr] has joined ##openvpn
07:20 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
07:32 -!- Capkirk [~thomas@0133300189.0.fullrate.dk] has joined ##openvpn
07:34 < Capkirk> ive worked with openvpn for some days now but i cant get it to work the way i want which is transparent bridging between to lan segments with same ip subnet?? Can it be true that openvpn can not be configured like fx tinc : http://www.tinc-vpn.org/examples/bridging/
07:34 < vpnHelper> Title: bridging Ethernet segments using tinc under Linux (at www.tinc-vpn.org)
08:07 < reiffert> Capkirk: openvpn bridges the same way like tinc does.
08:07 < reiffert> look
08:07 < reiffert> hamburg:/var/log# brctl show
08:07 < reiffert> bridge name	bridge id		STP enabled	interfaces
08:07 < reiffert> br0		8000.001b21569b80	no		motion tap0
08:08 < reiffert> hrmnpf.
08:08 < reiffert> http://pastebin.ca/1937238
08:09 < reiffert> ifhttp://pastebin.ca/1937240
08:21 -!- autoditac [~autoditac@port-87-193-217-30.static.qsc.de] has joined ##openvpn
08:22 < Capkirk> reiffert: ok
08:22 < Capkirk> then it should be possible
08:22 < Capkirk> strange
08:22 < Capkirk> my openvpn version from ubuntu is 2.1.rc7
08:22 < Capkirk> but it dosn't understand server-bridge nogw ?
08:26 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
08:30 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
08:33 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
08:37 < Capkirk> reiffert: im trying to configure a server and a client to transparent bridge a ethernet segment to another physical location. The client has a lan interface with ipadresse from this ethernet segment but workstations that are connected to this interface does not get dhcpadresse from the master dhcp server behind the vpn server....
08:37 < Capkirk> the strange thing is i can see dhcprequests and replys on vpn servers br0 interface
08:37 < Capkirk> so the workstations requests are travling the tunnel
08:38 < Capkirk> maybe what im trying to do is impossible?
08:39 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
08:41 < Capkirk> strange it works now?
08:47 -!- Capkirk [~thomas@0133300189.0.fullrate.dk] has quit [Quit: leaving]
09:14 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has quit [Remote host closed the connection]
09:21 < vpnHelper> RSS Update - forum: Configuration :: Re: connecting 192.168.1.x to 192.168.1.x :: Reply by Jirv311 <https://forums.openvpn.net/viewtopic.php?f=6&t=7052&p=7778#p7778>
09:28 -!- manevra [~manevra@188.27.111.57] has joined ##openvpn
09:33 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:36 -!- pmatulis [~peter@64.34.151.178] has joined ##openvpn
09:37 < pmatulis> let's say i have a client connected to my ovpn server.  now i want to allow machines on the same network as my client to also have access to the tunnel.  what would be the simplest way to do this?
09:47 < kisom> pmatulis: a bridge.
09:48 < kisom> well, depends on your config really
09:49 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
09:49 < kisom> If all clients should be in the same subnet as your VPN network a bridge will do the trick, otherwise you need to set up routing
09:50 < kisom> and now i'm gonna say a grand f you to work and hit the gym, laters :)
09:51 < pmatulis> kisom: i already have a bridge
09:52 < pmatulis> kisom: but the 2nd "client" machine just sets up the main client as it's gateway for the vpn network?
10:12 -!- johnfg [~johnfg@spirit.org] has joined ##openvpn
10:12 < johnfg> hi folks
10:13 < johnfg> Everything's working fine between debian lenny as server and win xp client1.
10:15 < johnfg> However, in running the ./build-key client2 script, it returns like I need to rerun everything, from sourcing . ./vars, ./clean-all, etc.
10:16 < johnfg> Although I installed all the keys where they were supposed to go I haven't removed them yet, so why am I being asked to redo everything?  Will this mess the certs keys up for my client2?
10:16 < johnfg> I.e., I copied them to the right place, but didn't delete the originals.
10:18 < autoditac> hi. how do i check that the username passed via auth-user-pass matches the common name of the also passed client certificate, i.e that the user authenticating against my ldap backend shows the certificate belonging to him, not another users password?
10:19 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined ##openvpn
10:24 < johnfg> So, anyway to generate the key/cert for client2 without redoing everything?
10:29 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Read error: Connection reset by peer]
10:30 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
10:30 -!- mode/##openvpn [+o mattock] by ChanServ
10:31 < ecrist> ignore the ./clean-all step
10:31 < johnfg> ecrist, But do the rest?
10:36 < johnfg> Do the build-ca?
10:36 < ecrist> shouldn't need to buld-ca, either
10:36 < ecrist> imho, easy-rsa sucks
10:37 < johnfg> ecrist, Probably does.  Yeah, once i did the . ./vars,  I was able to build the key/cert.  Thanks!
10:38 < ecrist> no problem
10:38 < ecrist> !ssl-admin as an alt
10:38 < vpnHelper> ecrist: Error: "ssl-admin" is not a valid command.
10:38 < ecrist> !ssl-admin
10:38 < vpnHelper> ecrist: "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn, or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
10:39 < johnfg> ecrist, What distro are you running?
10:39 < ecrist> freebsd
10:40 < johnfg> OK, maybe I'll give the ssl-admin a try on debian.
10:40 < ecrist> if you pull from svn, there is a configure script that should allow it to install
10:40 < johnfg> I use kerberos though for some of my authentication, in conjunction with ldap and afs.
10:41 < ecrist> not sure why that matters
10:42 < johnfg> Probably doesn't.  I still use ssl within ldap.
10:43 -!- mattias [~mattias@95.209.11.177.bredband.tre.se] has joined ##openvpn
10:43 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
10:44 -!- mattias is now known as Guest54888
10:45 -!- johnfg [~johnfg@spirit.org] has quit [Quit: Leaving]
10:47 -!- Guest54888 [~mattias@95.209.11.177.bredband.tre.se] has left ##openvpn []
10:48 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Remote host closed the connection]
10:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:58 < vpnHelper> RSS Update - forum: Server Administration :: --port-share on Windows Server :: Author graufl <https://forums.openvpn.net/viewtopic.php?f=4&t=7088&p=7779#p7779>
11:01 -!- _spq` is now known as spq`
11:01 -!- spq` is now known as 77CAA62FZ
11:01 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
11:01 -!- 77CAA62FZ is now known as spq`
11:03 -!- SOG [~SOG@n112118134202.netvigator.com] has joined ##openvpn
11:04 -!- karlgus [~karlgus@h-104-168.A251.priv.bahnhof.se] has joined ##openvpn
11:05 -!- danley [5f73e5a5@gateway/web/freenode/ip.95.115.229.165] has quit [Quit: Page closed]
11:05 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:10 -!- autoditac [~autoditac@port-87-193-217-30.static.qsc.de] has left ##openvpn []
11:13 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
11:13 -!- pie_time [~pie_time@unaffiliated/pie-time/x-2751356] has joined ##openvpn
11:13 < pie_time> could anyone let me know what the ubuntu-linux equivalent of c:/program files/openvpn/log is?
11:13 < pie_time> !welcome
11:13 < vpnHelper> pie_time: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:14 < pie_time> !logs
11:14 < vpnHelper> pie_time: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
11:14 -!- karlgus [~karlgus@h-104-168.A251.priv.bahnhof.se] has quit [Ping timeout: 265 seconds]
11:16 -!- karlgus [~karlgus@h-104-168.A251.priv.bahnhof.se] has joined ##openvpn
11:18 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Quit: migrating /home]
11:21 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined ##openvpn
11:34 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
11:36 -!- aguynamedben [~Adium@cpe-66-74-222-16.san.res.rr.com] has joined ##openvpn
11:38 < pie_time> !goal
11:38 < vpnHelper> pie_time: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:40 < pie_time> I'm following the instructions of the vpn server administrator. He want's me to provide logs. What are the equivalent logs of c:/program files/openvpn/log in ubuntu linux?
11:41 -!- pie_time [~pie_time@unaffiliated/pie-time/x-2751356] has quit [Quit: Leaving]
11:42 < jY> If i setup a server-bridge.. should my eth0 and br0 device have the same IP?
11:42 < jY> cause my bridge-start script is doing that
11:45 < Cisien> jY, br0 contains eth0, right?
11:45 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined ##openvpn
11:45 < vpnHelper> RSS Update - forum: Server Administration :: Re: Forward Traffic through VPN to Home Gateway :: Reply by kcghost <https://forums.openvpn.net/viewtopic.php?f=4&t=7082&p=7781#p7781>
11:45 < Cisien> or, a better question, what interfaces are you trying to bridge openwrt with?
11:45 < Cisien> openvpn
11:46 < jY> Cisien, yes
11:46 < Cisien> so, br0 and tap0?
11:46 < Cisien> err, eth0/tap0
11:47 < Cisien> coffee must be wearing off
11:47 < Cisien> ... if that's the case, you would assign an IP only to br0
11:53 < jY> Cisien, when i run my bridge-start it assigns the ip to br0 but the same ip is still assigned to eth0
11:53 < jY> i wonder if it has to do with my eth0:0 alias
11:56 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
12:00 < Cisien> that won't hurt anything
12:02 < Cisien> you can manually remove the ip with 'ip address del x.y.z.a dev eth0' (i think that's the proper command syntax
12:06 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has joined ##openvpn
12:11 -!- rawDawg [~rawdawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
12:16 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
12:25 -!- karlgus [~karlgus@h-104-168.A251.priv.bahnhof.se] has quit [Ping timeout: 240 seconds]
12:25 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has quit [Quit: Lost terminal]
12:35 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 265 seconds]
12:37 -!- johnfg [~johnfg@spirit.org] has joined ##openvpn
12:37 < johnfg> Well, things aren't working from client2.
12:39 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
12:40 -!- rawDawg [~rawdawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: Connection reset by peer]
12:40 < johnfg> Getting an error message OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
12:42 < johnfg> Also this: Cannot load private key file <myclient.key>: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
12:42 < johnfg> Error: private key password verification failed.
12:44 < johnfg> I'm using the ca.crt, ca.key that are on my server and client1, and the client keys I generated for client2.  Anyone know what's wrong?
12:46 < johnfg> Anyone here?
12:47 < johnfg> I'm wondering if I should generate all new keys/certs, then see if things work.
12:47 < reiffert> "19:42 < johnfg> Error: private key password verification failed.
12:47 < reiffert> "
12:48 < johnfg> I didn't do a password for any of the certs/keys.
12:52 < johnfg> It looks fine and appears to be the same, except for the common name, as that for client1.
12:52 < johnfg> You think I should regenerate the whole bunch, as per the HOWTO?
12:54 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
12:57 < johnfg> What do you think?  An error when I made the key for client2?  Regnerate all?
13:04 < Bushmills> johnfg: "requires '--script-security 2'" is not an error, merely informative.  if - and only if - you attempt to execute event scripts, unsuccessfully, there'll be the reason why they arent't executed
13:05 -!- alexbobP [~alex@ppp-70-253-65-239.dsl.austtx.swbell.net] has joined ##openvpn
13:05 < alexbobP> !welcome
13:05 < vpnHelper> alexbobP: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:05 < alexbobP> wow... tree of factoids...
13:05 < alexbobP> !redirect
13:05 < vpnHelper> alexbobP: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:05 < alexbobP> !def1
13:05 < vpnHelper> alexbobP: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
13:06 < alexbobP> oh that's neat, I've been setting up the routes by hand XD
13:06 < alexbobP> --redirect-gateway.  good to know.
13:07 < johnfg> Bushmills: So, any idea why the client isn't starting from what I entered previously?
13:07 < alexbobP> Does anybody know how to do that on windows?  I actually set up the vpn on my house's server because one of my housemates needs to surf the internet unencumbered by his work's draconian filtering
13:07 < Bushmills> sounds like wrong passphrase
13:07 < alexbobP> he was able to connect with the windows openvpn gui, but it didn't redirect traffic
13:07 < Bushmills> !winroute
13:07 < vpnHelper> Bushmills: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
13:08 < alexbobP> Bushmills: okay.  so does the windows ovpn client try to redirect traffic by default?
13:08 < alexbobP> are you sure it's a problem and not just that we need to tell it to do that?
13:08 < Bushmills> nope.
13:08 < Bushmills> !redirect
13:08 < alexbobP> ah
13:08 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:09 < alexbobP> hmm... so would running the gui executable with the "--redirect-gateway" switch work?  I thought that was just for linux!
13:09 < alexbobP> !ipforward
13:09 < vpnHelper> alexbobP: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
13:09 < hyper_ch> hi Bushmills
13:09 < alexbobP> ooh
13:09 < Bushmills> not instructed to redirect traffic, it won't do it. not by any default
13:09 < alexbobP> !winipforward
13:09 < vpnHelper> alexbobP: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
13:09 < Bushmills> hi hyper_ch
13:10 < alexbobP> actually, will teh cisco vpn client work for connecting to openvpn servers?
13:10 < Bushmills> you're looking at server config
13:10 < hyper_ch> Bushmills: you know what's needed to use roll out openvpn as a large vpn provider?
13:10 < alexbobP> I might just use that, I remember using cisco vpn client in the past and it'll probably be easier on windows
13:10 -!- pumkinhed [~pumkinhed@72.45.85.159] has quit [Quit: pumkinhed]
13:10 < Bushmills> hyper_ch: qualified staff
13:10 < hyper_ch> Bushmills: hmmm
13:11 < Bushmills> you're hiring?
13:11 < Bushmills> :D
13:11 < alexbobP> oh, the cisco vpn client isn't free
13:13 < hyper_ch> Bushmills: nah, after the judgement by the Swiss Federal Court regarding Logistep I think I should start as VPN provider here :)
13:15 < johnfg> Bushmills: Any ideas for me?
13:15 < Bushmills> johnfg: (20:07:31) Bushmills: sounds like wrong passphrase
13:16 -!- pmatulis [~peter@64.34.151.178] has quit [Quit: leaving]
13:20 -!- Synthead [~max@69.15.218.1] has joined ##openvpn
13:21 < johnfg> Nevermind.  After regenerating the keys/certs I'm getting a lot further.
13:21 < Synthead> hey so I have an embedded device that I cross compiled openvpn for.  It's complaining that it can't access /dev/net/tun dynamically, and it's right, it can't (I made it myself), but I'm wondering if there are is any way I can make this work otherwise
13:21 < johnfg> Bushmills: As above, not using passphrases.
13:24 < Bushmills> " Cannot load private key file " that seems to be the problem.  i don't know why it can't.
13:25 -!- Omegadarkest [~omegadark@li101-162.members.linode.com] has quit [Remote host closed the connection]
13:26 -!- prasenjeetp [~chatzilla@59.93.130.11] has joined ##openvpn
13:26 < prasenjeetp> !welcome
13:26 < vpnHelper> prasenjeetp: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:29 < prasenjeetp> i am new to using openvpn and have this strange issue ... the client can not connect most times and it works fine if i stop the server and start it again 
13:29 < prasenjeetp> any pointers 
13:30 < Bushmills> prasenjeetp: a look at your log files might be informative
13:30 < prasenjeetp> i tried but didnt find anything helpful
13:31 < Bushmills> increase log verbosity
13:31 < prasenjeetp> btw, i have APF installed but since that seemed to cause trouble, i have deactivated that
13:31 < prasenjeetp> ok, let me look how to increase the verbosity
13:32 -!- prasenjeetp [~chatzilla@59.93.130.11] has quit [Read error: Connection reset by peer]
13:32 -!- prasenjeetp [~chatzilla@59.93.130.11] has joined ##openvpn
13:39 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
13:43 -!- prasenjeetp [~chatzilla@59.93.130.11] has quit [Ping timeout: 265 seconds]
13:46 < manevra> Bushmills, in windows 7 can i increase the tap adaptor speed more than 10mbps ? 10mbps seams to small speed :)
13:47 < Bushmills> let me google first what this funny thing you mention, "windows 7", might be
13:48 < hyper_ch> Bushmills: windows are those things you have in walls in order to see through
13:48 < Bushmills> why does one need higher speed for looking through something?
13:48 < hyper_ch> Bushmills: don't know
13:50 < jY> my server is pushing dhcp-option but my client never gets them
13:50 < jY> i see this
13:50 < jY>  openvpn[15300]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
13:50 < johnfg> Bushmills: without a reboot, how do I restart the server on lenny>?
13:51 < Bushmills>  /etc/init.d/openvpn start  (or restart)
13:51 < Bushmills> for change of config, reload might do
13:55 < johnfg> Bushmills: I'm a little closer, but can't figure out why client1, a win xp box connected with no problems, but not client2, also a win xp box.
13:56 < Bushmills> neither can I (figure it out)
13:56 < johnfg> Should there be a problem in doing all the certs in the HOWTO, starting with . ./vars over?
13:56 < johnfg> Then reinstalling/recopying them?
13:57 < Bushmills> there should be no need to re-generate keys and sign them for those clients which can connect
13:57 < Bushmills> but regenerating them for a client which can't may make sense
13:57 < johnfg> But would that hurt anything?
13:58 < Bushmills> apart from your fingers? not, as far as i can tell.
13:58 < johnfg> OK, will let you know outcome later.  Thanks for the help!
13:58 -!- johnfg [~johnfg@spirit.org] has quit [Quit: leaving]
14:08 < Bushmills> |Mike|: ping
14:32 -!- RedT0mt0m [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has quit [Read error: Connection reset by peer]
14:33 -!- RedT0mt0m [~tomtom@bro67-2-82-227-110-8.fbx.proxad.net] has joined ##openvpn
14:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
14:35 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has joined ##openvpn
14:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
14:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
14:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
14:38 -!- dabb [~dabb@213.190.119.109] has left ##openvpn ["Leaving"]
14:42 < kisom> I'm having a small problem with the new openvpn client... If it has several remote directives, auth-retry enabled and gets denied by the first server in the list, it keeps hammering that server instead of trying another one...
14:46 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
15:24 < Bushmills> not sure whether "denied" is reason to try the next one. if it can't be reached, or doesn't reply, it should go on in the list
15:45 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 276 seconds]
16:01 -!- UnterPerro [~UnterPerr@166.192.109.17] has joined ##openvpn
16:05 -!- ^scott^ [~scott@stthom.org] has joined ##openvpn
16:13 < ^scott^> I'm using dev tap, and I want to use the DHCP server that's already running on the bridged network
16:13 < ^scott^> I can see the DHCP requestion go down the client tap, and I can see network traffic, but I don' the the DHCP request on the server tap, nor do I see it on the bridge device, or the server's Ethernet interface.
16:13 < ^scott^> I've put my configs here: http://tinypaste.com/59ba0
16:14 < ^scott^> This is my first time setting up a tap, so I'm hoping I'm missing something simple.
16:25 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
16:27 -!- UnterPerro [~UnterPerr@166.192.109.17] has quit [Read error: Connection reset by peer]
16:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
16:32 -!- UnterPerro [~UnterPerr@166.192.109.17] has joined ##openvpn
16:38 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
16:40 -!- UnterPerro [~UnterPerr@166.192.109.17] has quit [Quit: UnterPerro lives to save another day]
16:46 -!- fifer [~fifer@67.208.108.228] has joined ##openvpn
16:47 < fifer> I'm working on an ovpn setup on Windows, latest stable version downloaded today, and when I generate the server key even though I gave it a common name of "server" the file names then generated are just .crt etc
16:55 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 240 seconds]
16:57 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
17:00 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
17:06 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 245 seconds]
17:08 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
17:11 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
18:13 -!- SOG [~SOG@n112118134202.netvigator.com] has quit [Quit: SOG]
18:14 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
18:20 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 276 seconds]
18:40 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
18:44 -!- thylacine222 [63380a31@gateway/web/freenode/ip.99.56.10.49] has joined ##openvpn
18:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
18:53 < thylacine222> Hi, I'm able to connect to my server just fine but once I connect I can only connect to IPs on the same subnet. Here's my log from openvpn gui: http://pastebin.com/2qqEiti6 client config: http://pastebin.com/rz0bRxGw and server conf: http://pastebin.com/NnckQnjW
18:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
19:02 -!- oxi [~oxi@unaffiliated/oxi] has joined ##openvpn
19:05 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
19:07 < oxi> Has anyone else had trouble with permanent vpn connections?
19:07 < oxi> I'm trying to setup a permanent connection with Tunnelblick on OSX
19:08 < oxi> I can't achieve that when I remove the network cable and plug it in again, ... that the vpn connection automatically gets up and running again
19:33 -!- thylacine222 [63380a31@gateway/web/freenode/ip.99.56.10.49] has quit [Quit: Page closed]
19:54 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Quit: changing servers]
20:21 -!- LowKey [rhel@unaffiliated/lowkey] has joined ##openvpn
20:38 -!- sedstapler is now known as sedulous
21:40 -!- WinstonSmith [~true@e179001190.adsl.alicedsl.de] has quit [Ping timeout: 276 seconds]
21:54 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Wibbly Wobbly IRC]
21:59 -!- WinstonSmith [~true@f052098036.adsl.alicedsl.de] has joined ##openvpn
22:04 -!- WinstonSmith [~true@f052098036.adsl.alicedsl.de] has quit [Ping timeout: 276 seconds]
22:25 -!- WinstonSmith [~true@f052096056.adsl.alicedsl.de] has joined ##openvpn
22:35 -!- WormFood [~wormfood@183.39.105.39] has joined ##openvpn
22:35 -!- WinstonSmith [~true@f052096056.adsl.alicedsl.de] has quit [Ping timeout: 276 seconds]
22:38 -!- WinstonSmith [~true@f052096056.adsl.alicedsl.de] has joined ##openvpn
22:39 < WormFood> am I correct in my understanding, that the client's 'CCD' file, will be loaded and appended to the main configuration? If that is so, how do I unset pushing the default gateway for a specific client? (the default config pushes the default gateway to clients, and I want one client that does not redirect it's default gateway through the vpn)
22:43 < WormFood> push "redirect-gateway def1 bypass-dhcp"
22:55 < WormFood> nobody knows?
22:55 < WormFood> I don't want to make a ccd file for everyone, just because one client does not need the default gateway pushed to it.
23:19 -!- duplexer [~duplexer@c-76-125-17-136.hsd1.ga.comcast.net] has quit [Quit: Leaving]
23:23  * WormFood beats his head against google
23:42 -!- manevra [~manevra@188.27.111.57] has quit [Quit: Leaving]
23:44 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
23:49 -!- WinstonSmith [~true@f052096056.adsl.alicedsl.de] has quit [Remote host closed the connection]
23:49 -!- WinstonSmith [~true@f052096056.adsl.alicedsl.de] has joined ##openvpn
23:54 -!- johnfg [~johnfg@spirit.org] has joined ##openvpn
23:54 < johnfg> hi guys
23:54 < WormFood> 你好 johnfg 
23:54 < johnfg> Only have a few minutes, but I think my problem with the 2 clients is with a router (brand new) limitation.
23:55 < johnfg> client1 is 192.168.0.2 on the subnet.  client2 is 192.168.0.3 on the subnet.
23:55 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
23:56 < johnfg> This netgear dsl modem/router only allows port forwarding for one ip.  When it's client1, then no problem, but client2 can't connect. when its client2 no problem, but client1 can't connect.
23:56 < johnfg> Is there any way around this?
23:56 < WormFood> why do you need to forward a port for the client?
23:57 < johnfg> WormFood, How else would I deal with requests coming in or going out from port 1194.
23:57 < johnfg> WormFood, What would you suggest?
23:57 < WormFood> the client connects OUT
23:58 < WormFood> the firewall/router should return the packets just fine, without special rules
23:58 < WormFood> you only need to open/forward a port on the firewall to accept inbound connection
23:58 < johnfg> so, don't use port forwarding at all?
23:58 < WormFood> right
23:59 < johnfg> WormFood, OK, let me try that...
23:59 < WormFood> not on the client site
23:59 < WormFood> if the server is behind a firewall, it should work ok
23:59 < WormFood> and 2 clients behind the same firewall/router, connect fine to the same server (I do it here all the time)
23:59 < WormFood> and I've NEVER had to forward a port for openvpn
--- Day changed Sat Sep 11 2010
00:01 < WormFood> except on the server side
00:03 < johnfg> OK, in the process of trying now...
00:08 < WormFood> BTW, I've been waiting for close to 90 minutes for help with my questions
00:08 < WormFood> johnfg, what did you find?
00:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
00:11 < johnfg> WormFood, Thanks for helping me right away.  Slow, because I'm having to go from client2 to client1 via vnc and it's pretty slow.
00:11 < WormFood> ouch...that sounds painful
00:12 < WormFood> have you tried "teamviewer" for remote control?
00:14 < johnfg> Uhuh.  What's teamviewer?
00:16 < WormFood> it is remote control software, like vnc
00:16 < WormFood> runs on Linux, Mac, and of course Winblows
00:16 < johnfg> I'm running debian lenny for server.
00:17 < WormFood> I was controling osx from Linux earlier today
00:17 < WormFood> isn't that old?
00:17 < WormFood> no, that is current release
00:19 < WormFood> http://teamviewer.com/download/index.aspx <-- I like it, because of the "QuickSupport"...I can tell my customer to download/run that program. It is very small, and does not need to be installed.
00:19 < vpnHelper> Title: TeamViewer Download (at teamviewer.com)
00:20 < WormFood> I like vnc because it is (or was) open source (at least the protocol should be open source), but I like teamviewer because it works well, and "QS"
00:22 < WormFood> fuck! I can't figure out how to do what I need done, other than make a CCD file for every user
00:33 -!- johnfg [~johnfg@spirit.org] has quit [Quit: Leaving]
01:11 -!- WinstonSmith [~true@f052096056.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
01:18 -!- mayhem- [~sdfgdsg@r124-19-3-205.cpe.unwired.net.au] has joined ##openvpn
01:18 < mayhem-> !welcome
01:18 < vpnHelper> mayhem-: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:19 < mayhem-> any idea why I can connect on UDP/123 but not any other port? Firewall rules look ok and unlikely isp is blocking other ports.
01:19 < mayhem-> config file is basically the same with appropriate port and proto changed
01:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
01:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
01:28 < mayhem-> I dont know how common it is for udp/123 to be open and since it works perfectly I may just settle with that..
01:42 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has quit [Quit: Lost terminal]
01:45 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has joined ##openvpn
02:19 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
02:19 -!- mode/##openvpn [+o mattock] by ChanServ
02:23 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
02:55 -!- crazygir [~jason@unaffiliated/crazygir] has quit [Ping timeout: 272 seconds]
02:57 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
03:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:01 -!- crazygir [~jason@li14-82.members.linode.com] has joined ##openvpn
03:01 -!- crazygir is now known as Guest95077
03:19 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 258 seconds]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:57 -!- Chosi [osxchosi@choseh.de] has quit [Remote host closed the connection]
03:58 -!- Chosi [osxchosi@choseh.de] has joined ##openvpn
04:22 -!- Guest95077 [~jason@li14-82.members.linode.com] has quit [Ping timeout: 265 seconds]
04:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
04:28 -!- crazygir [~jason@li14-82.members.linode.com] has joined ##openvpn
04:29 -!- crazygir is now known as Guest40030
04:30 -!- SOG [~SOG@n112118134202.netvigator.com] has joined ##openvpn
04:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:52 -!- karlgus [~karlgus@h-104-168.A251.priv.bahnhof.se] has joined ##openvpn
04:55 -!- SOG [~SOG@n112118134202.netvigator.com] has quit [Remote host closed the connection]
04:56 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
04:56 -!- SOG [~SOG@61.144.230.241] has quit [Client Quit]
05:54 -!- karlgus [~karlgus@h-104-168.A251.priv.bahnhof.se] has quit [Ping timeout: 276 seconds]
06:03 < WormFood> AAARRRGGGHHH!!!
06:03 < WormFood> when is the openvpn god going to arrive?
06:06 -!- oxi_ [~oxi@unaffiliated/oxi] has joined ##openvpn
06:06 -!- mayhem- [~sdfgdsg@r124-19-3-205.cpe.unwired.net.au] has quit []
06:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
06:06 -!- oxi [~oxi@unaffiliated/oxi] has quit [Read error: Connection reset by peer]
06:06 -!- oxi_ is now known as oxi
06:07 -!- oxi [~oxi@unaffiliated/oxi] has quit [Client Quit]
06:13 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:13 -!- manevra [~manevra@188.26.131.181] has joined ##openvpn
06:30 < vpnHelper> RSS Update - forum: Server Administration :: SAP B1 over OpenVPN :: Author gorav <https://forums.openvpn.net/viewtopic.php?f=4&t=7090&p=7782#p7782>
06:47 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
06:47 < Cisien> SAP can die in a fire
06:59 -!- weirdo [sthalik@sthalik.broker.freenet6.net] has joined ##openvpn
06:59 < weirdo> hey
06:59 < weirdo> is it possible to open a separate TAP interface for each openvpn client in server mode?
07:04 < weirdo> basically, i need a separate MAC for each client
07:05 < kisom> no
07:05 < kisom> try arp -a
07:07 < kisom> if you by MAC meant Media Access Control, and not message authentication check.
07:08 < weirdo> looks like i'll have to run a separate instance for each connection, hmm
07:08 < kisom> Why?
07:08 < kisom> What do you need to do?
07:08 < weirdo> aggregate many VPN connections into one tunnel
07:08 < weirdo> so that the bandwidth from many interfaces counts as one
07:08 < weirdo> with a round-robin scheduler
07:08 < weirdo> it works with multiple instances, but not with just one
07:09 < kisom> oh well, you lost me there. iptables should be able to do it. but i dont know how.
07:09 < weirdo> there's linux thing called 'bonding'
07:10 < weirdo> but that's not a simple link like this, it's routed over the internet so i need to use a vpn
07:10 < weirdo> and i use BSD 
07:11 < kisom> i'm reading about it atm. never tried it
07:35 -!- Cisien_ [~chris@desktop.cisien.com] has joined ##openvpn
07:37 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
07:37 -!- Cisien [~chris@desktop.cisien.com] has quit [Ping timeout: 260 seconds]
07:42 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
07:50 -!- Cisien_ is now known as Cisien
07:52 < vpnHelper> RSS Update - forum: Configuration :: Example for single client with access to server's LAN? :: Author len_m <https://forums.openvpn.net/viewtopic.php?f=6&t=7089&p=7780#p7780>
08:18 -!- Esteth [b2616093@gateway/web/freenode/ip.178.97.96.147] has joined ##openvpn
08:20 < Esteth> Does anyone have any experience with load-balancing openVPN servers? I'd like to use a kind of reverse proxy server, but just to provide the address of the openVPN server to connect to, I don't want all the traffic to go through the reverse proxy server itself.
08:30 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
08:42 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
08:48 -!- Danskmand1 [~Danskmand@tmo-101-155.customers.d1-online.com] has joined ##openvpn
08:49 < Danskmand1> Howdy :-) - How can I iuncrease logging (or switch it on / off in the windows-version ? (maybe even from the gui....
08:52 < Esteth> Could anyone tell me roughly how many users an openVPN server would support at once? is it a function of the amount of traffic, or the number of users?
08:53 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has quit [Ping timeout: 272 seconds]
09:01 < Cisien> more users = more traffic (and encryption)
09:01 < Cisien> there's a possiblity you can hit a cpu cap because of crypto, but it's more likely you'll cap out your wan connection first, unless you have something crazy
09:02 < Cisien> Esteth, you can cluster your openvpn servers though, address them by the same domain name. So if CPU is an issue, you can throw more hardware at it
09:04 < WormFood> am I correct in my understanding, that the client's 'CCD' file, will be loaded and appended to the main configuration? If that is so, how do I unset pushing the default gateway for a specific client? (the default config pushes the default gateway to clients, and I want one client that does not redirect it's default gateway through the vpn)
09:04 < vpnHelper> RSS Update - forum: Configuration :: Help config problem ! :: Author maun <https://forums.openvpn.net/viewtopic.php?f=6&t=7091&p=7783#p7783>
09:05 < Cisien> the ccd config is pushed out after the main config, so any changes in the ccd overwrite the main config
09:05 < hyper_ch> WormFood: put the defalut gateway push in every client's ccd except the ones you don't want to have it
09:05 < WormFood> hyper_ch, is that the only way? I only have one client that does not need the default gateway pushed. It seems silly to make a ccd for every client just because of that one thing
09:05 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
09:06 < hyper_ch> that's a way that works
09:06 < hyper_ch> don't know if there's other ways
09:06 < WormFood> that is the only way I can think of to do it
09:07 < WormFood> but I was hoping there was some other way
09:07 < Esteth> Cisien: You mean round-robin-DNSing them together?
09:07 < Cisien> unless there's a way to remove the default gateway directive, then i don't see another way
09:07 < Cisien> Esteth, yes
09:08 < WormFood> hyper_ch, yeah, I know, I should try before asking, but thought maybe you'd know....can the ccd files be symlinks?
09:09 < Cisien> i'm pretty sure they can, as long as openwrt has access to them
09:09 < hyper_ch> WormFood: no clue if the can be symlinks... I don't see why they can't
09:09 < weirdo> there's much overhead when transferring packets; what's the cipher with the smallest overhead?
09:09 < WormFood> Cisien, I've looked and looked, and I see no obvious way to remote it, except for maybe running it as part of a custom script (which in my mind, is just as bad as making a ccd file for every client)
09:09 < weirdo> is it like, the weaker, smaller the overhead?
09:09 < hyper_ch> s/openwrt/openvpn
09:10 < Cisien> haha, hyper_ch :p
09:10 < Cisien> i typo that a lot
09:10 < WormFood> when compression is turned on, is the bytes uploaded/downloaded reported by openvpn before or after compression/decompression?
09:10 < Cisien> weirdo, no cipher :p
09:10 < WormFood> on other words, does openvpn report the bytes on the wire, or the interface?
09:11 < Cisien> err, WormFood &&
09:11 < Esteth> Cisien: I think I'll go down that route at first, yeah. If I start to get lots of users, I might need to try something more complex with a cloud service of some kind, provisioning more or less servers depending on load. I guess for now round-robin DNS will do though :) Any recommendation for a DNS provider?
09:11 < weirdo> Cisien, there's no "no cipher" option, is there?
09:12 < Cisien> weirdo, yes
09:12 < Cisien> cipher none
09:12 < Cisien> Esteth, not sure you need anything specific. I use opendns customdns for my dns service, or a local bind server works
09:12 < weirdo> Cisien, thanks!
09:13 < Cisien> handy if you're running openvpn on a limited device
09:15 < Cisien> WormFood, just remember, each server needs a unique server certificate, i think there's some additional config on the client side... what kind of bandwidth do you have for your openvpn project?
09:15 -!- Danskmand1 [~Danskmand@tmo-101-155.customers.d1-online.com] has quit [Ping timeout: 264 seconds]
09:19 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:19 < WormFood> i have plenty of bandwidth
09:20 -!- Danskmand1 [~Danskmand@dslb-088-069-242-159.pools.arcor-ip.net] has joined ##openvpn
09:20 < Cisien> i wonder how well openvpn handles multiple cores
09:21 < Cisien> if each session is it's own thread (i would assume so..)
09:21 < Cisien> anyway, work time (yay)
09:29 -!- Danskmand1 [~Danskmand@dslb-088-069-242-159.pools.arcor-ip.net] has quit [Quit: Leaving.]
09:30 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has joined ##openvpn
09:39 -!- Esteth [b2616093@gateway/web/freenode/ip.178.97.96.147] has quit [Quit: Page closed]
09:39 -!- ordex [~linuxaro@gentoo/user/ordex] has joined ##openvpn
09:39 < ordex> hi guys
09:40 < ordex> how can I add an ipv6 to a point-to-point tun link?
09:40 < ordex> I'm tring but I'm getting invalid argument
09:40 < ordex> !welcome
09:40 < vpnHelper> ordex: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:40 < ordex> wow :)
09:45 < ordex> it seems that I must patch my opevpn installation to use ipv6 endpoint :(
09:55 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Read error: Operation timed out]
09:58 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
09:58 -!- gallatin [~gallatin@178.1.121.26] has joined ##openvpn
10:10 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:11 -!- Esteth [b2616093@gateway/web/freenode/ip.178.97.96.147] has joined ##openvpn
10:12 < Esteth> Hello again :) I'm wondering if there's a way that I can measure the bandwidth each user of my openVPN server is using/has used? There doesn't seem to be any way to do it, since the users authenticate with openVPN instead of unix, so traiditional unix tools don't work
10:13 < weirdo> iftop
10:16 -!- ordex [~linuxaro@gentoo/user/ordex] has left ##openvpn []
10:17 < Esteth> OK, that'll tell me the bandwidth usage for the whole connection, but if multiple users are connected, I'll only get a combined total. Ideally, I'd like to see individual figures for each uesr
10:17 < Esteth> s/uesr/user
10:29 < weirdo> no, iftop shows individual udp/tcp connections
10:31 < Esteth> weirdo: Right, but how would I associate a connection with a particular client?
10:35 < weirdo> by parsing log files, i suppose :(
10:35 < weirdo> the information can be requested through netstat as well, if you need to make a batch utility
10:46 -!- SOG [~SOG@n11649233180.netvigator.com] has joined ##openvpn
10:47 -!- Esteth [b2616093@gateway/web/freenode/ip.178.97.96.147] has quit [Ping timeout: 252 seconds]
10:57 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
11:26 -!- karlgus [~karlgus@h-104-168.A251.priv.bahnhof.se] has joined ##openvpn
11:29 -!- sirfifer [~fifer@67.208.108.228] has joined ##openvpn
11:31 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
11:31 -!- fifer [~fifer@67.208.108.228] has quit [Ping timeout: 276 seconds]
11:31 -!- sirfifer is now known as fifer
11:53 -!- p3rror [~mezgani@2001:0:53aa:64c:8cb:6ec9:3b31:bfc0] has joined ##openvpn
11:55 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has quit [Quit: kernel downgrade]
12:32 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has joined ##openvpn
12:34 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has quit [Client Quit]
12:35 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
12:37 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has joined ##openvpn
12:59 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
13:37 -!- karlgus [~karlgus@h-104-168.A251.priv.bahnhof.se] has quit [Quit: Leaving]
13:42 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Quit: Leaving]
13:57 < manevra> i want to trace somebody who is using openvpn to connect to the internet. openvpn server is in hungary any possible way to trace the real IP of the client who connected to that openvpn and through it to the internet ?
14:06 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Read error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number]
14:06 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
14:12 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
14:17 < vpnHelper> RSS Update - forum: Configuration :: Re: Connection dies after 4-7 minutes. Client :: Reply by medleev <https://forums.openvpn.net/viewtopic.php?f=6&t=7048&p=7784#p7784>
14:24 -!- gallatin [~gallatin@178.1.121.26] has quit [Quit: Client exiting]
14:31 -!- Synthead [~max@69.15.218.1] has quit [Remote host closed the connection]
14:43 < krzee> manevra, possibly through their DNS queries, depending on the setup
14:43 < krzee> would trace to what NS they use, assuming the vpn doesnt push new dns info
15:12 < kisom> manevra: Everything is possible depending on how much time and money you put into it ;)
15:12 < kisom> If the VPN is correctly configured, your best bet is to somehow gain access to the VPN server or its network
15:32 < manevra> kisom, yes i know that. but i assume the ip address i can see is not the address on which the vpn server listens too
15:55 -!- p3rror [~mezgani@2001:0:53aa:64c:8cb:6ec9:3b31:bfc0] has quit [Ping timeout: 272 seconds]
15:55 -!- WinstonSmith [~true@e179003189.adsl.alicedsl.de] has joined ##openvpn
16:00 < krzee> the answer is basically no, except the possibility of dns leakage
16:04 -!- Davidian1024 [~Davidian1@cpe-98-27-192-193.neo.res.rr.com] has quit [Ping timeout: 264 seconds]
16:10 < kisom> manevra: You will most likely not find out who is behind the address. If it is really important, i recommend contacting the police.
16:10 < kisom> Then again, they probably wont care.
16:10 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:11 < manevra> kisom, no it's not. nobody did anything going against the law i was just curios if the tunnels of openvpn are secure
16:11 < manevra> you are so right, they won't care :) not at all
16:12 < kisom> Ok, great.
16:12 < kisom> Just for the record, the cops knocked on my door a few years back :)
16:12 -!- p3rror [~mezgani@2001:0:53aa:64c:9b:6ec9:3b31:9de1] has joined ##openvpn
16:13 < kisom> p3rror: Didn't you hang on the aprelium forums a while back?
16:13 < kisom> I recall your nickname
16:15 < manevra> kisom, did that incident had anything to do with internet like I am now trying to find out a real location of an user? :)
16:15 < kisom> Yes, but it did not involve a VPN connection :)
16:16 < kisom> wish i had used one...
16:16 < manevra> :)))))
16:16 < manevra> i think you and I have a lot in common
16:16 < manevra> don't know why I get this feeling
16:16 < kisom> I dont think so
16:17 -!- p3rror [~mezgani@2001:0:53aa:64c:9b:6ec9:3b31:9de1] has quit [Read error: Operation timed out]
16:17 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
16:21 < WormFood> my default gateway is being pushed in my main server config. Is there any way to turn that off in a ccd file?
16:26 < kisom> WormFood: hmm, i think so
16:26 < kisom> sec
16:27 < WormFood> I've searched and searched, and I can't figure out anything
16:27 < kisom> WormFood: check --push-reset
16:27 < WormFood> and other people here said there is no way to do it....so if you know how that would be great.
16:27 < kisom> heh, took 10 seconds in the manual :)
16:28 < kisom> Don't inherit the global push list for a specific client instance. Specify this option in a client-specific context such as with a --client-config-dir configuration file. This option will ignore --push options at the global config file level. 
16:28 < WormFood> yeah, but you know what to look for ;)
16:28 < WormFood> I'm checking it out
16:29 < WormFood> but how to add to a ccd file?
16:29 < kisom> just type push-reset in a new line
16:31 -!- p3rror [~mezgani@2001:0:53aa:64c:cd1:6ec9:3b31:9d9d] has joined ##openvpn
16:33 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
16:50 < WormFood> kisom, works great! THANKS! I overlooked that option in the man file.
16:50 < WormFood> hyper_ch, was suggesting I make a ccd file for everyone, and just not push that directive to the one client
16:51 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined ##openvpn
17:07 -!- manevra_ [~manevra@188.26.131.181] has joined ##openvpn
17:11 -!- manevra [~manevra@188.26.131.181] has quit [Ping timeout: 272 seconds]
17:12 -!- p3rror [~mezgani@2001:0:53aa:64c:cd1:6ec9:3b31:9d9d] has quit [Quit: Leaving]
17:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
17:31 -!- jaminja [~jaminja@95.211.4.12] has joined ##openvpn
17:32 -!- jaminja [~jaminja@95.211.4.12] has quit [Changing host]
17:32 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
17:54 -!- manevra_ [~manevra@188.26.131.181] has left ##openvpn ["Leaving"]
17:56 -!- manevra [~manevra@188.26.131.181] has joined ##openvpn
17:57 < manevra> if i don't have the option chiper (for cryptography) written neither in the server.conf or client.conf , will the traffic from client to server be encrypted (by default) ?
18:07 < manevra> Bushmills, any chance you know?
18:10 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 272 seconds]
18:12 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Quit: "eternal trails in netvoid"]
18:13 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
18:19 < krzee> manevra, dont highlight people unless they start talking to you first
18:19 < krzee> and to answer the question, yes by default it will use blowfish
18:20 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
18:23 < manevra> thank you krzee and sorry for highlighting
18:23 < krzee> yw, np
18:40 < |Mike|> Bushmills: ping
19:06 -!- apedongle [mike@vps-2a01-4f8-101-1c1-b23f-f6e5.twenty-five.nl] has joined ##openvpn
19:33 -!- weirdo [sthalik@sthalik.broker.freenet6.net] has quit [Quit: leaving]
20:02 -!- jaminja_ [~jaminja@74.81.170.5] has joined ##openvpn
20:03 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Ping timeout: 245 seconds]
21:09 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
21:26 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
21:32 -!- jaminja_ is now known as jaminja
21:32 -!- jaminja [~jaminja@74.81.170.5] has quit [Changing host]
21:32 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
22:09 -!- Nicholas||| [~Nicholas@75-170-226-18.desm.qwest.net] has joined ##openvpn
22:09 < Nicholas|||> !welcome
22:09 < vpnHelper> Nicholas|||: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
22:10 < Nicholas|||> hi anyone here?
22:11 < Nicholas|||> !interface
22:11 < vpnHelper> Nicholas|||: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
22:11 < Nicholas|||> pfft anyone here?
22:12 -!- aguynamedben [~Adium@cpe-66-74-222-16.san.res.rr.com] has quit [Quit: Leaving.]
22:13 -!- Nicholas||| [~Nicholas@75-170-226-18.desm.qwest.net] has quit [Client Quit]
22:44 < krzee> heh, left too soon
23:00 -!- Nach0z [48981be6@gateway/web/freenode/ip.72.152.27.230] has joined ##openvpn
23:00 -!- allquixotic_ [~allquixot@static.3.122.63.178.clients.your-server.de] has joined ##openvpn
23:00 < Nach0z> uh.... no access server support? where can i go to get help setting it up?
23:01 < Nach0z> !welcome
23:01 < vpnHelper> Nach0z: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:01 < Nach0z> !goal
23:01 < vpnHelper> Nach0z: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
23:01 < Nach0z> !howto
23:02 < vpnHelper> Nach0z: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
23:02 -!- kisom_ [~kisom@c-d0dde155.648-1-64736c11.cust.bredbandsbolaget.se] has joined ##openvpn
23:03 -!- jpalmer_ [~jpalmer@208.51.3.136] has joined ##openvpn
23:03 < Nach0z> !goal i would like to set up a VPN. :|
23:03 < vpnHelper> Nach0z: Error: "goal" is not a valid command.
23:03 -!- kisom_ is now known as Guest67273
23:03 < Nach0z> i dont get ur bot.
23:09 -!- allquixotic [~allquixot@static.3.122.63.178.clients.your-server.de] has quit [Write error: Broken pipe]
23:13 -!- Nach0z [48981be6@gateway/web/freenode/ip.72.152.27.230] has left ##openvpn []
23:17 -!- UnterPerro [~UnterPerr@166.192.170.2] has joined ##openvpn
23:23 -!- Netsplit *.net <-> *.split quits: jpalmer, ping-pong, kisom, redfox
23:24 < krzee> you just type !goal
23:24 < krzee> then you read it
23:24 < krzee> then you state your goal
23:24 < krzee> oops, he left, lol
23:36 -!- redfox [~redfox2@ks201831.kimsufi.com] has joined ##openvpn
23:37 -!- Netsplit over, joins: ping-pong
23:37 -!- redfox is now known as Guest65042
23:37 -!- Guest65042 is now known as redfocx
23:37 -!- redfocx is now known as redfox
23:45 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
23:50 -!- baffle_ [baffle@shell.eunet.no] has joined ##openvpn
23:50 -!- jimbo_ [~jimbo@r74-192-149-9.gtwncmta01.grtntx.tl.dh.suddenlink.net] has joined ##openvpn
23:51 -!- kraut_ [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
23:51 -!- Bogus8_ [~Nunya@ip68-226-131-28.lf.br.cox.net] has joined ##openvpn
23:56 -!- _LowKey [rhel@forgotten.serv.my] has joined ##openvpn
--- Day changed Sun Sep 12 2010
00:01 -!- |Mike| [mike@2001:1af8:2:444::2] has quit [Write error: Broken pipe]
00:01 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Write error: Broken pipe]
00:01 -!- Bogus8 [~Nunya@ip68-226-131-28.lf.br.cox.net] has quit [Write error: Broken pipe]
00:01 -!- baffle [baffle@shell.eunet.no] has quit [Write error: Broken pipe]
00:01 -!- th__ [~th@cpc1-cmbg15-2-0-cust361.5-4.cable.virginmedia.com] has quit [Excess Flood]
00:01 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Quit: changing servers]
00:02 -!- th__ [~th@cpc1-cmbg15-2-0-cust361.5-4.cable.virginmedia.com] has joined ##openvpn
00:02 -!- |Mike| [mike@2001:1af8:2:444::2] has joined ##openvpn
00:17 -!- aguynamedben [~Adium@cpe-66-74-222-16.san.res.rr.com] has joined ##openvpn
00:19 -!- Netsplit *.net <-> *.split quits: jimbo, fipu, freaky[t], |Mike|, sedulous
00:24 -!- krzie [~k@unaffiliated/krzee] has joined ##openvpn
00:36 -!- Netsplit over, joins: freaky[t]
00:38 -!- fipu [~fipu@62.75.187.155] has joined ##openvpn
00:44 -!- UnterPerro [~UnterPerr@166.192.170.2] has quit [Quit: UnterPerro lives to save another day]
00:51 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
01:06 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
01:52 -!- UnterPerro [~UnterPerr@166.192.170.2] has joined ##openvpn
02:05 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:15 -!- UnterPerro [~UnterPerr@166.192.170.2] has quit [Quit: UnterPerro lives to save another day]
02:26 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
02:59 -!- Visual` [~visualsta@ip-80-236-243-218.dsl.scarlet.be] has joined ##openvpn
02:59 -!- Visual` [~visualsta@ip-80-236-243-218.dsl.scarlet.be] has quit [Changing host]
02:59 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
03:08 -!- CrazyFurry [xdemon@2001:ba8:1f1:f0b8:216:5eff:fe00:135] has joined ##openvpn
03:08 < CrazyFurry> hi
03:08 -!- CrazyFurry is now known as x-demon
03:09 < x-demon> how i can specify another ip address as external?
03:09 < x-demon> for example i connect to 1.2.3.4
03:09 < x-demon> but external ip should be 4.3.2.1
03:20 -!- SOG [~SOG@n11649233180.netvigator.com] has quit [Ping timeout: 276 seconds]
03:21 -!- SOG [~SOG@n11649233180.netvigator.com] has joined ##openvpn
03:22 -!- WinstonSmith [~true@e179003189.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
03:22 -!- WinstonSmith [~true@e179003189.adsl.alicedsl.de] has joined ##openvpn
03:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
03:34 -!- X-Raimo [~asmpub@opensuse/member/raimoschmidt] has joined ##openvpn
03:35 < X-Raimo> Hello. I have problem running openVPN at Arch Linux: http://paste.org.ru/?jmhjqh
03:36 < Chosi> you should first resolve the error in line 4 i guess
03:36 < X-Raimo> Chosi: ok. I will
03:37 -!- bandini [~bandini@host248-107-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
03:37 < Chosi> but well basically that's only for the management interface
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 < Chosi> are you running openvpn as root?
03:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:39 < Chosi> if not, do so. it needs root privileges on initialization
03:39 < Chosi> you can specify a user to which it should fall back after
03:40 < X-Raimo> Chosi: After reload I have: http://paste.org.ru/?9rcsvf
03:40 < Chosi> so? this looks good from here
03:40 < Chosi> :)
03:41 < Chosi> Sun Sep 12 01:05:29 2010 us=303388 Initialization Sequence Completed
03:41 < X-Raimo> Chosi: I run openvpn with nobody. 
03:41 < X-Raimo> Chosi: The same config works well at another server (Fedora).
03:42 < Chosi> yeah, it looks pretty much working in the 2nd log
03:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:13 < X-Raimo> Chosi: my problem solved/
04:13 < X-Raimo> Chosi: thanx
04:13 < Chosi> yw, whatever it was :)
04:17 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
04:17 -!- mode/##openvpn [+o mattock] by ChanServ
04:17 < X-Raimo> one more question: how setup openVPN connection in KNetworkManager based on X.509 certs with Keys with password? It works with non-passworded keys.
04:23 < reiffert> !route
04:23 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
04:28 < Bushmills> reiffert: it lied.  at branch alzey/wörrstadt, turn right.  then the irish pub on the left.
04:32 -!- SOG [~SOG@n11649233180.netvigator.com] has quit [Ping timeout: 276 seconds]
04:34 < reiffert> :)
04:34 < manevra> how come i am able to connect i have in my config folder only c.crt and .csr (no .key) and I am also not required for any passwords, how come i am able to connect is this normal ?
04:35 -!- SOG [~SOG@n11649233180.netvigator.com] has joined ##openvpn
04:35 -!- SOG [~SOG@n11649233180.netvigator.com] has quit [Read error: Connection reset by peer]
04:46 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:01 -!- X-Raimo [~asmpub@opensuse/member/raimoschmidt] has left ##openvpn []
05:18 < Guest67273> manevra: Check your config files.
05:18 < Guest67273> the hell
05:18 -!- Guest67273 is now known as kisom
05:18 < manevra> Guest40030, i have checked them
05:18 < manevra> nothing about .key files in them
05:18 < manevra> i mean the client one, i don't have access to the server config file
05:21 -!- WinstonSmith [~true@e179003189.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
05:32 -!- jaminja [~jaminja@unaffiliated/jaminja] has left ##openvpn [""branch reality rc = 0""]
05:35 -!- Danskmand1 [~Danskmand@dslb-088-069-208-143.pools.arcor-ip.net] has joined ##openvpn
05:41 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
05:45 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 245 seconds]
05:57 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
05:57 -!- WinstonSmith [~true@e179003189.adsl.alicedsl.de] has joined ##openvpn
06:00 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
06:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:33 -!- Danskmand1 [~Danskmand@dslb-088-069-208-143.pools.arcor-ip.net] has quit [Quit: Leaving.]
06:54 -!- Cisien [~chris@desktop.cisien.com] has quit [Ping timeout: 276 seconds]
06:57 -!- Cisien [~chris@desktop.cisien.com] has joined ##openvpn
07:13 -!- Saar__ [~Saar@216.156.80.182.ptr.us.xo.net] has quit [Ping timeout: 240 seconds]
07:15 -!- Saar__ [~Saar@216.156.80.182.ptr.us.xo.net] has joined ##openvpn
07:22 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined ##openvpn
07:37 < makomi> hi there. I´ve got a problem after enabling "topology subnet" in a existing operating openvpn-server. I couldn´t ping the client network. Before enabling its running. Anybody know why?
07:38 -!- WinstonSmith [~true@e179003189.adsl.alicedsl.de] has quit [Read error: Connection reset by peer]
07:39 -!- WinstonSmith [~true@e179003189.adsl.alicedsl.de] has joined ##openvpn
08:12 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
08:13 -!- freaky[t]_ [alpha@freakyy.de] has joined ##openvpn
08:15 -!- freaky[t] [alpha@freakyy.de] has quit [Ping timeout: 272 seconds]
08:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
08:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:07 -!- ice [bc1aea1c@gateway/web/freenode/ip.188.26.234.28] has joined ##openvpn
09:09 -ice:##openvpn- i wanna fuck you in the ass !
09:09 -!- ice [bc1aea1c@gateway/web/freenode/ip.188.26.234.28] has left ##openvpn []
09:12 < kisom> one month to go, suit up day!
09:13 < kisom> I'm even gonna sleep in a suit :)
09:24 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Would you like to know more?]
09:32 -!- manevra [~manevra@188.26.131.181] has quit [Quit: Leaving]
10:30 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined ##openvpn
10:41 < ecrist> lol
10:47 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
10:49 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
10:50 -!- UnterPerro [~UnterPerr@166.192.170.2] has joined ##openvpn
10:52 < krzie> ARE YOU READY FOR SOME FOOTBALL!?
10:53 < ecrist> the Vikings played on Thursday, the worst fucking day you could pick to have football games
10:54 < krzie> they also lost
10:54 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has joined ##openvpn
10:57 < ecrist> horrible, horrible, loss
10:57 < ecrist> at least they don't disappoint.
10:57 < ecrist> :\
10:59 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:02 < Chosi> serves them right
11:03 < Chosi> for playing on a tuesday!
11:05 -!- SOG [~SOG@1-36-193-252.static.netvigator.com] has joined ##openvpn
11:12 < ecrist> who played on tuesday?
11:12 < Chosi> *thursday
11:12 < Chosi> http://i.imgur.com/IOBPq.jpg
11:12 < Chosi> :)
11:13 < ecrist> so, today, we're going to migrate a FreeBSD 4.11 box between data centers, 10 miles apart, without rebooting the machine, to preserve it's uptime.
11:13 < ecrist> ecrist@puma:~-> uptime
11:13 < ecrist> 11:13AM  up 847 days,  1:16, 4 users, load averages: 0.00, 0.00, 0.00
11:14 < ecrist> we're going to use a hefty APC 2200XL as battery backup for the trip.
11:14 < Chosi> hope you have enough UPSs
11:14 < Chosi> ah okay battery
11:14 < Chosi> :)
11:15 < ecrist> as an emergency, we're also going to use a spaller 600VA model.
11:15 < Chosi> just use the car battery
11:15 < Chosi> :D
11:17 -!- SOG_ [~SOG@222.125.214.137] has joined ##openvpn
11:17 -!- SOG_ [~SOG@222.125.214.137] has quit [Client Quit]
11:18 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
11:18 -!- mode/##openvpn [+o mattock] by ChanServ
11:20 -!- karlgus [~karlgus@h-104-168.A251.priv.bahnhof.se] has joined ##openvpn
11:21 -!- SOG [~SOG@1-36-193-252.static.netvigator.com] has quit [Ping timeout: 245 seconds]
11:22 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined ##openvpn
11:23 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Read error: Connection reset by peer]
11:23 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined ##openvpn
11:36 -!- UnterPerro [~UnterPerr@166.192.170.2] has quit [Quit: UnterPerro lives to save another day]
11:50 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:51 -!- SOG [~SOG@1-36-193-252.static.netvigator.com] has joined ##openvpn
11:52 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
11:54 -!- SOG_ [~SOG@222.125.214.137] has joined ##openvpn
11:54 -!- SOG_ [~SOG@222.125.214.137] has quit [Client Quit]
11:57 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:57 -!- SOG [~SOG@1-36-193-252.static.netvigator.com] has quit [Ping timeout: 276 seconds]
11:58 < troy-> krzie: around?
11:59 < WormFood> can I set the duplicate-cn option in a client's ccd file, to allow them multiple logins with the same key, or is that a system wide setting? (I'm thinking it will work, but haven't tried it yet)
11:59 -!- SOG [~SOG@1-36-193-054.static.netvigator.com] has joined ##openvpn
12:08 < krzee> WormFood, server only
12:08 < WormFood> ok, thanks krzee 
12:09 < WormFood> krzee, how ya doing?
12:11 < WormFood> I'm guessing you're busy
12:12 < troy-> krzee = krzie?
12:13 -!- SOG [~SOG@1-36-193-054.static.netvigator.com] has quit [Ping timeout: 245 seconds]
12:13 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
12:19 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Read error: Operation timed out]
12:28 -!- zerk [~dracon@71-219-207-41.clsp.qwest.net] has joined ##openvpn
12:36 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
12:42 < krzee> yes
12:42 < krzee> and whats up WormFood 
12:42 < krzee> yes, busy as hell, on and off
12:42 < WormFood> same here
12:43 < WormFood> feast or famine
12:44 -!- manevra [~manevra@188.27.110.142] has joined ##openvpn
12:45 < krzee> troy-, wassup man
12:46 < troy-> having fun with openvpn of course!
12:46 < troy-> how ya been?
12:46 < krzee> been doing well
12:46 < troy-> good weather in costa rica?
12:47 < troy-> (hopefully i got the country right :P)
12:47 < krzee> lots of rain, but the beaches have been beautiful
12:47 < troy-> i'm jealous
12:47 < troy-> haven't had a vacation in 2 years now :)
12:48 < krzee> damn
12:48 < krzee> i would go postal
12:48 < krzee> i take 2 / yr
12:48 < troy-> haha, this december hopefully :P
12:49 < troy-> i want to go out west for snowboarding with some buddies
12:49 < krzee> usually like 6 weeks each
12:49 < troy-> self-employed?
12:49 < krzee> no
12:50 < troy-> its hard to get 3 months of vacation a year here
12:50 < krzee> when i was self employed my life was a vacaction
12:50 < krzee> vacation*
12:50 < troy-> sounds like you've still got a great deal
12:50 < troy-> fantastic weather year round, laid bad culture, etc
12:50 < krzee> ya it could certainly be worse ;)
12:51 < troy-> and fresh fruit man
12:51 < troy-> i'd die for that
12:51 -!- karlgus [~karlgus@h-104-168.A251.priv.bahnhof.se] has quit [Quit: Leaving]
12:53 < troy-> i remember you told me awhile ago if i have a point to point ovpn (shared-key) that i can redirect the gateway on one side to the other - is that right?
12:53 < krzee> wasnt likely me who said it... since ive never run a ptp vpn
12:53 < troy-> damn :<
12:54 < krzee> but if redirect-gateway works in ptp, then yes
12:54 < troy-> it doesnt seem to :P
12:54 < krzee> then make some certs
12:54 < troy-> argh!
12:55  * troy- goes to make certs
13:06 -!- zerk [~dracon@71-219-207-41.clsp.qwest.net] has quit [Ping timeout: 272 seconds]
13:08 < kisom> hey guys
13:13 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
13:17 < krzee> troy-, when you tried it, did you try pushing it, or just using redirect-gateway?
13:17 < krzee> since ptp is not client/server, and --client implies --pull, you cant push unless you pull on the other side
13:17 < troy-> push "redirect-gateway def1"
13:18 < troy-> on one side
13:18 < troy-> and push "redirect-gateway"
13:18 < troy-> on the other
13:18 < troy-> what should it be?
13:19 < krzee> lol you are trying to have each redirect through the other?
13:19 < troy-> no :/
13:19 < krzee> what is your goal...?
13:20 < troy-> have the gateway on one side redirected to the other
13:21 < troy-> should i push on one side and pull on the other?
13:21 < krzee> you can only push if the other side pulls
13:21 < krzee> otherwise, you cannot push
13:23 -!- zerk [~dracon@71-219-207-41.clsp.qwest.net] has joined ##openvpn
13:24 -!- zerk [~dracon@71-219-207-41.clsp.qwest.net] has quit [Client Quit]
13:24 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
13:36 < Bushmills> you don't even need to push that at all.  just adding  redirect-gateway def1  to client config is fine too
13:47 < krzee> exactly
14:08 -!- alexbobP is now known as nabog
14:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
14:14 -!- nabog is now known as Guest31337
14:16 -!- Guest31337 is now known as nabog
14:26 < hyper_ch> facebook is evil:  http://gizmodo.com/5636025/robbers-used-facebook-to-see-when-people-werent-home
14:26 < vpnHelper> Title: Robbers Checked Facebook Status Updates To See When People Weren't Home (at gizmodo.com)
14:43 < manevra> if push "redirect-gateway" is in the server.conf , does it matter if it isn't in client.conf  ? will it work will the client browse the internet through the vpn?
14:45 < kisom> manevra: the client must have pull enabled.
14:46 < manevra> kisom, is it something which i should add in the client.conf ?
14:48 < kisom> yes
14:49 < manevra> can you output the line for me so i can add it
14:49 < manevra> please, if you can it will be very helpfull
14:50 < kisom> pull
14:50 < kisom> or, if using CLI, --pull
14:50 < kisom> its all in the manual :)
14:51 < manevra> just pull or pull "redirect-gateway"
14:54 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
15:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
15:04 -!- slava_dp [~slava@unaffiliated/slava-dp/x-9423217] has joined ##openvpn
15:06 < nabog> hyper_ch: I agree that facebook is evil, but that article doesn't seem relevant
15:06 < nabog> it could have happened just as easily with twitter!  and twitter isn't evil.  (just stupid.)
15:08 < slava_dp> as far as I understood, sample-scripts/bridge-start will reassign the address from eth0 to br0. what about the sample-scripts/bridge-stop script, will it reassign the br0 address back to eth0? I don't see this functionality, but maybe I oversee something automatic?
15:08 -!- nabog is now known as alexbobP
15:09 < slava_dp> I'm on my server via ssh on eth0, and I just don't want to lose connectivity during my tests, that's why I'm asking.
15:12 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has quit [Ping timeout: 252 seconds]
15:17 -!- dxtr [dxtr@unaffiliated/dxtr] has quit [Ping timeout: 240 seconds]
15:19 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has joined ##openvpn
15:20 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
15:26 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined ##openvpn
15:28 < kisom> slava_dp: shutdown -r 10 in a screen before doing any testing ;)
15:28 -!- dxtr [dxtr@unaffiliated/dxtr] has joined ##openvpn
15:30 < slava_dp> kisom, lol
15:31 < slava_dp> that's a useful tip
15:32 < kisom> thats usually what i do when messing with firewalling or network interfaces
15:32 < kisom> saved me quite a few runs to the server
15:39 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
15:40 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined ##openvpn
15:53 -!- WinstonSmith [~true@e179003189.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
16:00 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
16:05 -!- WinstonSmith [~true@f052099228.adsl.alicedsl.de] has joined ##openvpn
16:12 < slava_dp> now I'm cut out. that bridging thing is a bit tricky. I've ran bridge-start, and the box doesn't respond any longer :/
16:12 < slava_dp> but I was wise and had a planned reboot, so will have another go in 2 mins
16:15 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
16:16 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined ##openvpn
16:18 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
16:24 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
16:25 -!- manevra [~manevra@188.27.110.142] has left ##openvpn ["Leaving"]
16:32 -!- SOG [~SOG@1-36-193-057.static.netvigator.com] has joined ##openvpn
16:33 -!- brah [~brah@host228.190-31-221.telecom.net.ar] has quit [Ping timeout: 276 seconds]
16:44 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:46 -!- brah [~brah@host232.190-31-30.telecom.net.ar] has joined ##openvpn
16:59 -!- p3rror [~mezgani@2001:0:53aa:64c:2494:6ec9:3b31:9243] has joined ##openvpn
17:04 -!- SOG_ [~SOG@222.125.214.137] has joined ##openvpn
17:04 -!- SOG_ [~SOG@222.125.214.137] has quit [Client Quit]
17:06 -!- SOG [~SOG@1-36-193-057.static.netvigator.com] has quit [Ping timeout: 240 seconds]
17:22 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined ##openvpn
17:22 -!- cj_ is now known as cj
17:29 -!- sedulous [~sed@2001:41d0:2:46c1::1] has joined ##openvpn
17:29 -!- sedulous [~sed@2001:41d0:2:46c1::1] has quit [Excess Flood]
17:29 -!- sedulous [~sed@2001:41d0:2:46c1::1] has joined ##openvpn
17:29 -!- sedulous [~sed@2001:41d0:2:46c1::1] has quit [Excess Flood]
17:30 -!- sedulous [~sed@2001:41d0:2:46c1::1] has joined ##openvpn
17:30 -!- sedulous [~sed@2001:41d0:2:46c1::1] has quit [Excess Flood]
17:32 < krzee> slava_dp, why do you need a bridge?
17:35 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
17:44 -!- slava_dp [~slava@unaffiliated/slava-dp/x-9423217] has quit [Quit: Ухожу я от вас (xchat 2.4.5 или старше)]
17:45 -!- p3rror [~mezgani@2001:0:53aa:64c:2494:6ec9:3b31:9243] has quit [Quit: Leaving]
17:46 -!- p3rror [~mezgani@2001:0:53aa:64c:2494:6ec9:3b31:9243] has joined ##openvpn
17:54 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 276 seconds]
18:40 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.9/20100824153629]]
19:16 -!- aguynamedben [~Adium@cpe-66-74-222-16.san.res.rr.com] has quit [Quit: Leaving.]
19:30 -!- jpalmer_ [~jpalmer@208.51.3.136] has quit [Quit: leaving]
19:31 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
19:39 -!- ethos5 [~stewart@74.81.170.4] has joined ##openvpn
19:39 < ethos5> !welcome
19:39 < vpnHelper> ethos5: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:42 < ethos5> Question: I've got a machine that is currently redirecting all traffic on interface eth0 through the VPN. I need to have it SSH-accessible on the same interface. Is there a way to have OpenVPN ignore all traffic on certain port numbers?
19:47 < ethos5> To reprase, I want my VPN client to ignore the redirect instruction for traffic on certain ports
19:49 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
19:51 < krzee> not possible
19:51 < krzee> it is all handled by routing
19:52 < krzee> routing tables dont understand the concept of ports
19:52 < krzee> ssh over the vpn
19:52 < ethos5> OK, so there isn't a way to poke a hole on incoming data for client, then.
19:52 < krzee> if there is multiple IPs, sure
19:53 < krzee> err wait no
19:53 < ethos5> Can't, its a VPN service, no external IP
19:53 < ethos5> OK, i'll set up an internal machine for the VPN service
19:53 < ethos5> Just requires more hardware, wanted to avoid if possible. Thanks for the help.
19:53 < krzee> you can bypass the redirect for certain subnets
19:53 < krzee> but not for certain ports
19:53 < ethos5> Right
19:54 < ethos5> I knew how to do it for subnets, but wasn't sure if it was possible the way I was thinking about
19:54 < krzee> gotchya
19:54 < krzee> there is 1 more option
19:54 < krzee> !routebyapp
19:54 < vpnHelper> krzee: "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
19:54 < krzee> instead of redirecting gateway, you could setup a sockd on the server inside the vpn
19:55 < krzee> then you can send whatever you want over that socks server
19:55 < krzee> and have whatever you want not go over it
19:55 < ethos5> Mmm, I could probably hack it together, but it'd be easier to set up a dedicated VM and route all my internal net traffic through that to the VPN
19:55 < ethos5> I don't have access to the server, so I'm somewhat limited in what I can do
20:01 < krzee> oh
20:09 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
20:27 < ethos5> Alright, figured out a work around, thanks.
20:27 -!- ethos5 [~stewart@74.81.170.4] has left ##openvpn []
20:41 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
20:59 -!- WormFood [~wormfood@183.39.105.39] has quit [Ping timeout: 276 seconds]
21:09 -!- WinstonSmith [~true@f052099228.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
21:12 -!- WormFood [~wormfood@183.39.106.222] has joined ##openvpn
21:26 -!- jimbo_ is now known as jim---
22:08 -!- UnterPerro [~UnterPerr@166.192.170.2] has joined ##openvpn
22:18 -!- brah [~brah@host232.190-31-30.telecom.net.ar] has quit [Remote host closed the connection]
22:34 -!- UnterPerro [~UnterPerr@166.192.170.2] has quit [Quit: UnterPerro lives to save another day]
22:39 -!- SOG [~SOG@1-36-193-057.static.netvigator.com] has joined ##openvpn
22:59 -!- UnterPerro [~UnterPerr@166.192.170.2] has joined ##openvpn
23:01 -!- SOG [~SOG@1-36-193-057.static.netvigator.com] has quit [Read error: No route to host]
23:05 -!- SOG [~SOG@1-36-193-057.static.netvigator.com] has joined ##openvpn
23:06 -!- SOG [~SOG@1-36-193-057.static.netvigator.com] has quit [Client Quit]
23:12 < vpnHelper> RSS Update - forum: Server Administration :: Re: OpenVPN tries to start before WiFi up, so no IP availabl :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7077&p=7785#p7785>
23:18 < vpnHelper> RSS Update - forum: Server Administration :: Re: tun device was closed when starting daemon (ver2.1.3) :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7078&p=7786#p7786>
23:22 -!- krzie changed the topic of ##openvpn to: OpenVPN 2.1.3 Most Current || 2.2-beta3 Released 10-Sept-2010 || Your problem is your firewall, really. || Type  !welcome  before asking your questions. ||  Web Forum: http://forums.openvpn.net || Developers: #openvpn-devel
23:24 < vpnHelper> RSS Update - forum: Server Administration :: Re: Ip phone behind openvpn vpn client :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7080&p=7787#p7787> || Server Administration :: Re: "Reclaim" VPN IP addresses :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7081&p=7788#p7788>
23:36 < vpnHelper> RSS Update - forum: Server Administration :: Re: --port-share on Windows Server :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7088&p=7789#p7789>
23:36 -!- severnaya [~severnaya@unaffiliated/severnaya] has joined ##openvpn
23:37 < severnaya> on my server i have "push "dhcp-option DNS 4.2.2.1", and when my cilent connects it recieves this, but /etc/resolve.conf never changes. is there any reason why the client would fail to respect this dns option?
23:37 < krzie> !pushdns
23:37 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
23:37 < krzie> see #4
23:38 < severnaya> kk ill check it out
23:38 < severnaya> where do i get the update-resolve-conf script?
23:38 < krzie> the source
23:38 < krzie> !download
23:38 < vpnHelper> krzie: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
23:38 < severnaya> i have to run it manually? is there anywhere i can read about this in the documentation?
23:39 < krzie> it runs from --up
23:39 < severnaya> ahh ok
23:39 < severnaya> ill try to find it
23:39 < severnaya> weird that its not packaged by my distro
23:40 < krzie> https://community.openvpn.net/openvpn/browser/contrib/pull-resolv-conf/client.up
23:40 < vpnHelper> Title: /contrib/pull-resolv-conf/client.up – OpenVPN Community (at community.openvpn.net)
23:41 < krzie> https://community.openvpn.net/openvpn/browser/contrib/pull-resolv-conf/client.down
23:41 < vpnHelper> Title: /contrib/pull-resolv-conf/client.down – OpenVPN Community (at community.openvpn.net)
23:41 < krzie> read --up and --down in this
23:41 < krzie> !man
23:41 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
23:43 < severnaya> thanks krzie 
23:43 < krzie> yw
23:45 < severnaya> i wish this was all set up automatically :3 oh well 
23:45 -!- UnterPerro [~UnterPerr@166.192.170.2] has quit [Quit: UnterPerro lives to save another day]
23:46 < krzie> maybe your os DID put it somewhere
23:46 < krzie> but if it did, i dont know
--- Day changed Mon Sep 13 2010
00:02 < severnaya> ya they did
00:02 < severnaya> just in some random place ;)
00:02 < severnaya> ok it says it won't execute unless i set script-security 2 or 3
00:03 < severnaya> is 3 safer/
00:03 < krzie> see --script-security in manual
00:03 < krzie> in 2.1 manual =]
00:03 < vpnHelper> RSS Update - forum: Configuration :: Re: Example for single client with access to server's LAN? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7089&p=7790#p7790>
00:08 -!- severnaya [~severnaya@unaffiliated/severnaya] has quit [Ping timeout: 276 seconds]
00:10 < vpnHelper> RSS Update - forum: Server Administration :: Re: SAP B1 over OpenVPN :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7090&p=7791#p7791> || Configuration :: Re: Help config problem ! :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7091&p=7792#p7792>
00:22 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: Automatic reconnection of OpenVpn in Windows XP ? :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7068&p=7793#p7793>
00:28 < vpnHelper> RSS Update - forum: Configuration :: Re: connecting 192.168.1.x to 192.168.1.x :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7052&p=7794#p7794>
00:38 -!- katyl [~katyl@adsl-074-170-246-249.sip.gnv.bellsouth.net] has joined ##openvpn
00:40 < katyl> Hey everyone. Having a little trouble with connecting some clients. Connecting using Network Manager works beautifully, but when connecting at the command line I get P_CONTROL_HARD_RESET_CLIENT_V2, so I assume my client. conf has an issue. Anyone able to help out?
00:42 < katyl> http://pastebin.com/LwtTff9A Here's the configs
00:47 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
00:47 -!- mode/##openvpn [+o mattock] by ChanServ
00:53 -!- katyl [~katyl@adsl-074-170-246-249.sip.gnv.bellsouth.net] has quit [Ping timeout: 245 seconds]
00:53 -!- katyl [~katyl@74.117.158.151] has joined ##openvpn
00:53 < krzie> katyl,
00:53 < krzie> !netman
00:53 < vpnHelper> krzie: "netman" is if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from an openvpn expert on the mail list
00:54 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has quit [Quit: Leaving]
00:54 < krzie> get it working from CLI, then deal with network manager if you must
00:55 < katyl> Fair enough. but it still works, in the pinch that I'm in... I'd much rather get the CLI working so I can edit a couple of routes, and get it working for the entire network... Any advice on the config files I posted?
00:55 < krzie> change verb to 4 and post logs pls
00:56 < krzie> route-delay 2
00:56 < krzie> default is 30, 2 is much much too short
00:56 < krzie> default as in if you dont put a number
00:57 < krzie> if server does thisL
00:57 < krzie> push "redirect-gateway"
00:57 < krzie> client doesnt need this:
00:57 < krzie> redirect-gateway def1
00:57 < krzie> and you should decide which you want... and if you want def1 or not
00:57 < krzie> !push
00:57 < vpnHelper> krzie: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
00:58 < katyl> http://pastebin.com/khjxeK57
00:58 < vpnHelper> RSS Update - forum: Server Administration :: Re: Forward Traffic through VPN to Home Gateway :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7082&p=7795#p7795>
00:59 < katyl> that's the log with this conf: http://pastebin.com/vQtpCcnx 
00:59 < krzie> interesting
00:59 < krzie> show me your NAT rules
00:59 < katyl> IP tables?
00:59 < krzie> yes
00:59 < krzie> and what version is it
01:00 -!- bandini [~bandini@host248-107-dynamic.21-79-r.retail.telecomitalia.it] has quit [Ping timeout: 265 seconds]
01:00 < katyl> iptables v1.3.5:
01:00 < krzie> i mean ovpn
01:00 < krzie> !linnat
01:00 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
01:00 < krzie> if you have other nat rules in regards to openvpn, remove them
01:01 < krzie> seems maybe you have one backwards
01:02 < katyl> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE is the rule that I've been trying to setup
01:02 < krzie> dump all your tables
01:03 < katyl> How would I...
01:04 < krzie> is this all the firewall is configured for?
01:04 < katyl> y
01:04 < krzie> !linfw
01:04 < vpnHelper> krzie: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
01:05 < krzie> and iptables -L -t nat
01:06 < katyl> Looks like this is the only rule I have configured anywhere that isn't allow MASQUERADE  all  --  10.8.0.0/24          anywhere        
01:07 < katyl> http://pastebin.com/3msqukQH is a full list of rules
01:08 < krzie> try removing push "route 10.8.0.0 255.255.255.0"
01:08 < krzie> remove ifconfig-pool-linear
01:08 < krzie> remove ifconfig-pool-persist ipp.txt
01:08 < krzie> add topology subnet
01:08 < katyl> all from server
01:08 < krzie> yes
01:09 < krzie> what version of openvpn
01:09 < krzie> on client and server
01:09 < krzie> remove push redirect-gateway from server
01:09 < katyl> 2.0.9 centOS
01:09 < krzie> leave it in client without push
01:09 < krzie> update openvpn
01:09 < krzie> that is years old
01:10 < katyl> latest version I have in my distro
01:10 < krzie> !download
01:10 < vpnHelper> krzie: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
01:12 -!- bandini [~bandini@host94-106-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn
01:13 -!- katyl [~katyl@74.117.158.151] has quit [Read error: Operation timed out]
01:27 -!- katyl [~katyl@74.117.158.151] has joined ##openvpn
01:39 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has joined ##openvpn
02:01 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
02:05 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined ##openvpn
02:06 -!- katyl [~katyl@74.117.158.151] has quit [Ping timeout: 240 seconds]
02:06 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Read error: Connection reset by peer]
02:06 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined ##openvpn
02:08 -!- ryanrhee90 [~Adium@rrcs-71-42-216-143.sw.biz.rr.com] has joined ##openvpn
02:12 < ryanrhee90> hi guys. i have a bridged openvpn running on a remote private server that has a public IP. (The server's br0 has a public IP, not a 192/172/10 address.) How should I accomplish this? I have everything set up, but I don't know what I should put for the server-bridge directive (or if that should be there at all — I cam lease out IPs of the public subnet.)
02:12 < ryanrhee90> **can't
02:21 -!- katyl [~katyl@adsl-074-170-246-249.sip.gnv.bellsouth.net] has joined ##openvpn
02:25 -!- Kurogane [~kuro@190.87.68.43] has quit [Remote host closed the connection]
02:26 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:29 < ryanrhee90> hi guys — nvm. i got it. i just made the server-bridge directive give out a private subnet despite the br0's IP being a public one. Clients can connect to each other with the route pushed out for the private LAN established thru the "server-bridge" directive. Thanks!
02:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
02:31 -!- ryanrhee90 [~Adium@rrcs-71-42-216-143.sw.biz.rr.com] has left ##openvpn []
02:43 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
02:45 -!- WinstonSmith [~true@f052097212.adsl.alicedsl.de] has joined ##openvpn
02:58 -!- kraut_ is now known as kraut
03:06 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
03:18 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Quit: "eternal trails in netvoid"]
03:26 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:31 < vpnHelper> RSS Update - forum: Configuration :: Re: Help config problem ! :: Reply by maun <https://forums.openvpn.net/viewtopic.php?f=6&t=7091&p=7796#p7796>
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:41 -!- euthymos [~chatzilla@93-40-89-218.ip38.fastwebnet.it] has joined ##openvpn
03:41 < euthymos> I've access to a VPN service based on OpenVPN protocol Is there any way I can store ONLY the username in the config file?
03:42 < euthymos> server has an username/password authentication method
03:44 < euthymos> nobody knows?
03:45 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
03:47 -!- euthymos [~chatzilla@93-40-89-218.ip38.fastwebnet.it] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.9/20100824153629]]
03:52 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
03:53 -!- baffle_ is now known as baffle
04:00 -!- voxter [~voxter@macpro.daytonhome.voxter.net] has quit [Ping timeout: 276 seconds]
04:05 -!- voxter [~voxter@76.77.73.130] has joined ##openvpn
04:14 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
04:30 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
04:36 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
04:46 -!- manevra [~manevra@188.27.110.142] has joined ##openvpn
04:46 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:47 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:11 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined ##openvpn
05:17 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 240 seconds]
05:17 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
05:25 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Disconnected by services]
05:25 -!- xinaFtpircS [~bofh@cl-53.mrs-01.fr.sixxs.net] has joined ##openvpn
05:25 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined ##openvpn
05:27 -!- xinaFtpircS [~bofh@cl-53.mrs-01.fr.sixxs.net] has quit [Client Quit]
05:35 -!- mario__ [~mario@projekte.imos.net] has joined ##openvpn
05:35 < mario__> Hello!
05:35 -!- krzie [~k@unaffiliated/krzee] has quit [Quit: This computer has gone to sleep]
05:35 < mario__> do you need to have the tun as a module in the linux kernel?
05:35 < mario__> i have it statically compiled in and openvpn still complains:
05:35 < mario__> Note: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
05:39 < kisom> mario__: Does modprobe tun work?
05:39 < mario__> i have it statically compiled in
05:39 < mario__> in 2.6.35-4
05:40 < kisom> well for some reason you do not have /dev/net/tun
05:40 < kisom> just for the sake of it, try modprobing 
05:41 < mario__> FATAL: Module tun not found. :-)
06:01 -!- macsppadic is now known as embarassmnet
06:01 -!- embarassmnet is now known as embarassment
06:12 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
06:24 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined ##openvpn
07:13 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Ping timeout: 276 seconds]
07:30 -!- SOG [~SOG@n11649233015.netvigator.com] has joined ##openvpn
07:41 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has quit [Ping timeout: 245 seconds]
07:43 -!- SOG [~SOG@n11649233015.netvigator.com] has quit [Ping timeout: 264 seconds]
07:44 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has joined ##openvpn
07:48 -!- Guest40030 [~jason@li14-82.members.linode.com] has quit [Changing host]
07:48 -!- Guest40030 [~jason@unaffiliated/crazygir] has joined ##openvpn
07:48 -!- Guest40030 is now known as crazygir
08:00 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has quit [Quit: Leaving]
08:40 -!- jhirley [~jhirley@mail.mmdlaw.com] has joined ##openvpn
08:42 < vpnHelper> RSS Update - forum: Server Administration :: Re: "Reclaim" VPN IP addresses :: Reply by george <https://forums.openvpn.net/viewtopic.php?f=4&t=7081&p=7798#p7798>
08:50 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
08:50 -!- mode/##openvpn [+o mattock] by ChanServ
08:56 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
08:59 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
09:16 -!- katyl [~katyl@adsl-074-170-246-249.sip.gnv.bellsouth.net] has quit [Read error: Connection reset by peer]
09:17 -!- katyl [~katyl@adsl-074-170-246-249.sip.gnv.bellsouth.net] has joined ##openvpn
09:22 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
09:26 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
09:40 -!- SmokeyD [~dolf@f12099.upc-f.chello.nl] has joined ##openvpn
09:40 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Quit: WeeChat 0.3.4-dev]
09:40 < SmokeyD> hey everyone, I saw somewhere once that it is possible to combine the client.crt, client.key and client.ovpn into one file for a windows openvpn client. Are there docs on this somewwere?
09:42 < vpnHelper> RSS Update - forum: Server Administration :: Re: tun device was closed when starting daemon (ver2.1. ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7078&p=7799#p7799>
09:59 -!- embarassment is now known as crazyhorse
10:05 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:10 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:20 -!- rawDawg [~rawdawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
10:23 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Read error: No route to host]
10:23 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined ##openvpn
10:37 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has joined ##openvpn
10:38 -!- Cisien [~chris@desktop.cisien.com] has quit [Ping timeout: 252 seconds]
10:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
10:45 -!- crazyhorse is now known as macsppadic
10:50 -!- katyl [~katyl@adsl-074-170-246-249.sip.gnv.bellsouth.net] has quit [Ping timeout: 265 seconds]
10:54 -!- Visual` [~visualsta@unaffiliated/visualstation] has left ##openvpn []
10:57 -!- takamichi [~pri@78.133.38.220] has quit [Ping timeout: 272 seconds]
10:57 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
10:57 -!- takamichi [~pri@94-23-148-250.ovh.net] has joined ##openvpn
11:03 -!- katyl [~katyl@74.117.158.151] has joined ##openvpn
11:04 -!- mario__ [~mario@projekte.imos.net] has quit [Quit: Ex-Chat]
11:05 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
11:15 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
11:20 -!- p3rror [~mezgani@2001:0:53aa:64c:2494:6ec9:3b31:9243] has quit [Ping timeout: 272 seconds]
11:20 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:24 < vpnHelper> RSS Update - forum: Configuration :: OpenVPN client , could not read Auth username from stdin :: Author strukelj <https://forums.openvpn.net/viewtopic.php?f=6&t=7092&p=7800#p7800>
11:25 -!- takamichi [~pri@94-23-148-250.ovh.net] has quit [Ping timeout: 264 seconds]
11:25 -!- takamichi [~pri@78.133.38.220] has joined ##openvpn
11:26 -!- p3rror [~mezgani@2001:0:53aa:64c:2494:6ec9:3b31:9243] has joined ##openvpn
11:40 -!- alexbobP is now known as nabog
11:45 -!- s34n [~chatzilla@ip-208-76-93-125.mvdsl.com] has joined ##openvpn
11:46 < s34n> !welcome
11:46 < vpnHelper> s34n: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:50 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined ##openvpn
11:50 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Client Quit]
11:50 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined ##openvpn
11:51 -!- rawDawg [~rawdawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
12:04 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 265 seconds]
12:06 -!- p3rror [~mezgani@2001:0:53aa:64c:2494:6ec9:3b31:9243] has quit [Ping timeout: 272 seconds]
12:20 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
12:28 -!- fipu [~fipu@62.75.187.155] has quit [Quit: Reconnecting]
12:28 -!- fipu [~fipu@swissvps.net] has joined ##openvpn
12:30 < jpalmer> !ubuntu
12:30 < vpnHelper> jpalmer: "ubuntu" is dont use network manager!
12:31 < jpalmer> ecrist: ping
12:31 < jpalmer> krzee: ?
12:31 < hyper_ch> the network manager in kubuntu is nice
12:32 < hyper_ch> I use that one...
12:32 < jpalmer> hyper_ch: I'm just curious what the reasoning is for that factoid.    is it a preference,  a technical reason,  etc.
12:32 < hyper_ch> I think pre-Lucid the network manager was really horrible
12:33 < jpalmer> so it's probably an old factoid?
12:33 < hyper_ch> might be
12:34 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
12:38 < s34n> If I run my own CA for ovpn, I don't need to have a CA server responding to verification requests if each host has a copy of the CA cert, right?
12:39 < hyper_ch> I think so
12:44 < ecrist> jpalmer: pong
12:45 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
12:51 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn
12:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:08 < kisom> s34n: I dont even think openvpn can do revocation lists, if that is what you mean
13:08 < kisom> By that i mean like browsers do today, download revoced certificates every once in a while.
13:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 252 seconds]
13:09 < s34n> kisom: the docs say it can
13:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:10 < kisom> OK, never seen it. Anyways, to anwser your question: OpenVPN will not ask a server for verification, it verifies against the local CA file
13:10 < s34n> kisom: but it is really just using opsnssl, right?
13:10 < s34n> kisom: great. thx
13:12 -!- Gandelf [~bp@unaffiliated/blackpenguin] has joined ##openvpn
13:12 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Disconnected by services]
13:12 -!- Gandelf is now known as blackpenguin
13:12 -!- nabog is now known as alexbobP
13:13 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
13:13 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
13:18 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
13:18 < ecrist> kisom: openvpn does handle revokation
13:18 < kisom> I know
13:19 < kisom> but it does not support OCSP or similar, right?
13:19 < ecrist> what is OCSP?
13:19 < kisom> http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
13:19 < vpnHelper> Title: Online Certificate Status Protocol - Wikipedia, the free encyclopedia (at en.wikipedia.org)
13:20 < ecrist> sure it can, you just have to write a script that does the right thing
13:20 < kisom> Basically each CA out there has a revocation list which your browser downloads every once in a while. If a private key is leaked to a certificate signed by that CA, they just block the certificate serial number and issue a new one.
13:21 < kisom> Yes, everything can be done with scripts but then it is not supported by openvpn but rather by your own setup ;)
13:21 < ecrist> if you're asking if openvpn natively handles OCSP, no, it doesn't.  but it DOES handle CRLs
13:23 < kisom> But using CRLs on the client side is hard because the list must be updated often.
13:23 < kisom> OK, you can just cron wget, fine.
13:23 < kisom> But I don't consider that a good solution.
13:23 < ecrist> why is the client using the CRL?
13:23 < kisom> The server certificate may be compromised...
13:24 < ecrist> um, if the server certificate is compromised, and someone's gone to the effort of revoking it, they likely changed the certificate the server is using.
13:25 < kisom> Yes, but the old certificate will still be valid for a peroid of time, in which an attacker may perform MITM attacks on clients.
13:25 < ecrist> bah, I think your thought process is flawed
13:25 < kisom> Well I work at a bank ;)
13:26 < kisom> I'm just saying it is possible.
13:26 < kisom> Yes, very unlikely to happen. But still possible.
13:27 < ecrist> if you're that worried about it, just cron wget. ;)
13:27 < kisom> No, because wget is even more vulnerable to MITM
13:28 < abeehc-_> http://www.ubuntu.com/usn/USN-842-1
13:28 < vpnHelper> Title: USN-842-1: Wget vulnerability | Ubuntu (at www.ubuntu.com)
13:28 < abeehc-_> robots need love too
13:28 < ecrist> kisom: the CRL is signed by the CA
13:29 < kisom> I know
13:29 < kisom> But I still dont want people to be able to write to the CRL file ;)
13:29 < ecrist> that's a pretty tinfoil hat you have there.
13:30 < kisom> Nah, I have a good solution up and running.
13:36 < kisom> Hmm, I wonder what the penalty for using a GSM/UMTS jammer is...
14:11 < vpnHelper> RSS Update - forum: Configuration :: Re: Example for single client with access to server's LAN? :: Reply by len_m <https://forums.openvpn.net/viewtopic.php?f=6&t=7089&p=7797#p7797>
14:11 -!- redfox [~redfox2@ks201831.kimsufi.com] has left ##openvpn []
14:17 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
14:23 -!- SmokeyD [~dolf@f12099.upc-f.chello.nl] has quit [Quit: Leaving.]
14:24 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Remote host closed the connection]
14:25 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
14:33 -!- voxter [~voxter@76.77.73.130] has left ##openvpn ["Leaving"]
14:34 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
14:40 -!- dxtr [dxtr@unaffiliated/dxtr] has quit [Ping timeout: 240 seconds]
14:41 -!- dxtr [dxtr@unaffiliated/dxtr] has joined ##openvpn
14:41 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
14:44 -!- p3rror [~mezgani@2001:0:53aa:64c:cee:46a6:3b31:9189] has joined ##openvpn
14:45 -!- Kurogane [~kuro@190.87.75.229] has joined ##openvpn
15:07 -!- nb [~nb@fedora/GSWoT.Member.nb] has quit [Ping timeout: 276 seconds]
15:09 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
15:09 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 276 seconds]
15:11 -!- nb [~nb@fedora/GSWoT.Member.nb] has joined ##openvpn
15:16 -!- dxtr [dxtr@unaffiliated/dxtr] has quit [Ping timeout: 240 seconds]
15:16 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
15:25 -!- dxtr [dxtr@unaffiliated/dxtr] has joined ##openvpn
16:03 -!- Martin` [martin@shell.ipv6.octocore.net] has joined ##openvpn
16:05 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
16:10 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
16:13 < Martin`> hi
16:13 < Martin`> I have a simple question i Hope :P
16:13 < Martin`> can I ask? :P
16:13 < Martin`> !welcome
16:13 < vpnHelper> Martin`: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:14 < Martin`> no I have a other question :P
16:14 < Martin`> :P
16:15 < Martin`> I have 2 openvpn configs, different port, and 1 with redirect internet traffic and one without 
16:15 < Martin`> but I want that it act like 1 network
16:15 < Martin`> both servers same subnet
16:16 < Martin`> is that possible? or routing needed?
16:17 < kisom> Martin`: create a bridge
16:18 < kisom> A bridge between your two TAP/TUN devices
16:18 < kisom> and make sure both servers use different IP ranges, but in the same subnet
16:20 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:26 < Martin`> kisom: hmm ok, easy to create bridge?
16:26 < Martin`> then I need to use the bridge tools?
16:31 < Martin`> ok found it lets try :D
16:33 < Martin`> hmm how can I configure that he only uses a part of subnet?
16:34 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
16:35 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 265 seconds]
16:37 < Martin`> hmm or do I need to config bridge inside one of the both configs?
16:40 < Martin`> hmm I think I understand 
16:40  * Martin` tries
16:50 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
16:54 < Martin`> ok works i Think
17:03 -!- cj [~cjac@router0.colliertech.org] has quit [Ping timeout: 255 seconds]
17:04 < s34n> should I put my certs into /etc/pki/tls/certs/ on my linux clients?
17:10 < krzee> put them whereever you want, just make sure your configs know where they are
17:21 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
17:22 -!- funkyHat [~m@funkyhat.org] has quit [Ping timeout: 272 seconds]
17:23 -!- cj [~cjac@router0.colliertech.org] has joined ##openvpn
17:23 -!- funkyHat [~m@cpc1-nrte3-0-0-cust308.8-4.cable.virginmedia.com] has joined ##openvpn
17:29 -!- funkyHat [~m@cpc1-nrte3-0-0-cust308.8-4.cable.virginmedia.com] has quit [Ping timeout: 276 seconds]
17:34 -!- cj [~cjac@router0.colliertech.org] has quit [Ping timeout: 255 seconds]
17:34 -!- funkyHat [~m@funkyhat.org] has joined ##openvpn
17:44 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
17:45 -!- nb [~nb@fedora/GSWoT.Member.nb] has quit [Read error: Operation timed out]
17:46 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
17:56 -!- nb [~nb@fedora/GSWoT.Member.nb] has joined ##openvpn
17:59 -!- cj [~cjac@router0.colliertech.org] has joined ##openvpn
18:00 -!- s34n [~chatzilla@ip-208-76-93-125.mvdsl.com] has quit [Remote host closed the connection]
18:10 < vpnHelper> RSS Update - forum: Authentication Scripts :: Automatically fill in username and password :: Author mikesteffler <https://forums.openvpn.net/viewtopic.php?f=16&t=7093&p=7801#p7801>
18:25 < krzee> !pwfile
18:25 < vpnHelper> krzee: "pwfile" is (#1) OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h, or (#2) see --auth-user-pass in the manual (!man) for more info
18:27 -!- s34n [~chatzilla@ip-208-76-93-125.mvdsl.com] has joined ##openvpn
18:27 < vpnHelper> RSS Update - forum: Authentication Scripts :: Re: Automatically fill in username and password :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=16&t=7093&p=7802#p7802>
18:34 < vpnHelper> RSS Update - forum: Configuration :: Re: OpenVPN client , could not read Auth username from stdin :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7092&p=7803#p7803>
18:39 -!- _zero_ [~zero@noc.toile-libre.net] has quit [Read error: Connection reset by peer]
18:43 -!- _zero_ [~zero@noc.toile-libre.net] has joined ##openvpn
18:53 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Quit: "eternal trails in netvoid"]
19:04 -!- fremo__ [~fremo@noc.toile-libre.net] has quit [Ping timeout: 265 seconds]
19:04 -!- _zero_ [~zero@noc.toile-libre.net] has quit [Ping timeout: 272 seconds]
19:06 -!- fremo__ [~fremo@noc.toile-libre.net] has joined ##openvpn
19:07 -!- _zero_ [~zero@noc.toile-libre.net] has joined ##openvpn
19:13 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
19:18 -!- jhirley [~jhirley@mail.mmdlaw.com] has quit [Ping timeout: 276 seconds]
19:28 < vpnHelper> RSS Update - forum: Authentication Scripts :: Re: Automatically fill in username and password :: Reply by mikesteffler <https://forums.openvpn.net/viewtopic.php?f=16&t=7093&p=7804#p7804>
19:33 -!- oryxtec [~asda@119.158.4.173] has joined ##openvpn
19:33 < oryxtec> hello world
19:33 < oryxtec> how is every one ..
19:33 < oryxtec> i m trying to install openvpn on centos through
19:33 < oryxtec> yum install openvpn
19:33 < oryxtec> but it says no package found
19:33 < oryxtec> any idea wht to do?
19:35 < krzee> !download
19:35 < vpnHelper> krzee: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
19:36 -!- nb [~nb@fedora/GSWoT.Member.nb] has quit [Read error: Operation timed out]
19:36 < oryxtec> krzee: let me check this out plz hold
19:38 < oryxtec> krzee: if i have to download and compile it from source file then it requir too many things.
19:38 < oryxtec> can't we install openvpn from yum command?
19:39 < oryxtec> ??
19:40 < krzee> dunno, i dont use your OS
19:40 < krzee> but i know it will work from source
19:40 < oryxtec> hum
19:41 < oryxtec> ok let me try
19:44 < s34n> openvpn does not automatically create routes on the client for the subnet behind the server
19:46 < krzee> of course not, you must configure it to do that
19:46 < krzee> !route
19:46 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
19:47 < s34n> krzee: thx
19:49 -!- nb [~nb@fedora/GSWoT.Member.nb] has joined ##openvpn
19:49 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
20:00 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 272 seconds]
20:03 -!- manevra- [~manevra@188.27.110.142] has joined ##openvpn
20:07 -!- manevra [~manevra@188.27.110.142] has quit [Ping timeout: 272 seconds]
20:08 -!- WinstonSmith [~true@f052097212.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
20:13 -!- pa [~pa@unaffiliated/pa] has joined ##openvpn
20:22 < oryxtec> !route
20:22 < vpnHelper> oryxtec: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:22 -!- oryxtec [~asda@119.158.4.173] has left ##openvpn []
20:45 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
21:08 -!- p3rror [~mezgani@2001:0:53aa:64c:cee:46a6:3b31:9189] has quit [Ping timeout: 272 seconds]
21:25 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Quit: Leaving.]
21:54 -!- Cisien [~chris@desktop.cisien.com] has joined ##openvpn
22:04 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
23:01 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
23:44 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
23:59 -!- krzie [~k@ftp.secure-computing.net] has joined ##openvpn
23:59 -!- krzie [~k@ftp.secure-computing.net] has quit [Changing host]
23:59 -!- krzie [~k@unaffiliated/krzee] has joined ##openvpn
--- Day changed Tue Sep 14 2010
00:03 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has quit [Ping timeout: 276 seconds]
00:18 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
00:30 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
00:51 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
00:58 -!- projectAlarum [~wircer@173-139-21-94.pools.spcsdns.net] has joined ##openvpn
00:59 -!- projectAlarum [~wircer@173-139-21-94.pools.spcsdns.net] has left ##openvpn []
01:03 -!- UnterPerro [~UnterPerr@166.192.37.187] has joined ##openvpn
01:07 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
01:14 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:14 -!- mode/##openvpn [+o mattock] by ChanServ
01:42 -!- s34n [~chatzilla@ip-208-76-93-125.mvdsl.com] has quit [Ping timeout: 240 seconds]
01:45 -!- UnterPerro [~UnterPerr@166.192.37.187] has quit [Quit: UnterPerro lives to save another day]
01:45 -!- s34n [~chatzilla@ip-208-76-93-125.mvdsl.com] has joined ##openvpn
01:55 < vpnHelper> RSS Update - forum: Server Administration :: Create a VPN conection without loosing internet cntion :: Author slzd <https://forums.openvpn.net/viewtopic.php?f=4&t=7094&p=7805#p7805>
02:01 -!- Cisien [~chris@desktop.cisien.com] has quit [Ping timeout: 252 seconds]
02:02 -!- Cisien [~chris@desktop.cisien.com] has joined ##openvpn
02:03 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
02:07 -!- UnterPerro [~UnterPerr@166.192.37.187] has joined ##openvpn
02:08 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
02:10 -!- Kurogane [~kuro@190.87.75.229] has quit [Remote host closed the connection]
02:32 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has joined ##openvpn
02:38 < kraut> moin
02:44 -!- UnterPerro [~UnterPerr@166.192.37.187] has quit [Quit: UnterPerro lives to save another day]
02:54 -!- _LowKey [rhel@forgotten.serv.my] has left ##openvpn ["Leaving"]
02:56 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
03:10 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined ##openvpn
03:23 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
03:37 -!- manevra- [~manevra@188.27.110.142] has quit [Ping timeout: 276 seconds]
03:37 -!- ScriptFanix [~bofh@cl-53.mrs-01.fr.sixxs.net] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:44 < vpnHelper> RSS Update - forum: Configuration :: 2 gateways :: Author pcavego <https://forums.openvpn.net/viewtopic.php?f=6&t=7095&p=7806#p7806>
03:50 -!- WinstonSmith [~true@e179003004.adsl.alicedsl.de] has joined ##openvpn
03:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
04:10 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:30 -!- montana [~montana@212.117.173.72] has quit [Ping timeout: 272 seconds]
04:37 -!- montana [~montana@212.117.173.72] has joined ##openvpn
05:05 -!- ac [~sbu_ac_ir@79.127.100.1] has joined ##openvpn
05:06 -!- ac [~sbu_ac_ir@79.127.100.1] has left ##openvpn []
05:15 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 272 seconds]
--- Log closed Tue Sep 14 05:37:24 2010
--- Log opened Tue Sep 14 05:49:11 2010
05:49 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
05:49 -!- Irssi: ##openvpn: Total of 116 nicks [1 ops, 0 halfops, 0 voices, 115 normal]
--- Log closed Tue Sep 14 05:53:58 2010
--- Log opened Tue Sep 14 06:11:29 2010
06:11 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
06:11 -!- Irssi: ##openvpn: Total of 116 nicks [1 ops, 0 halfops, 0 voices, 115 normal]
06:11 -!- Irssi: Join to ##openvpn was synced in 31 secs
06:14 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
06:29 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
07:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 252 seconds]
07:08 -!- pie_time [~pie_time@unaffiliated/pie-time/x-2751356] has joined ##openvpn
07:11 < pie_time> Hi I don't have any errors or problems thus have no logs nor configs to post, I'm fairly sure. I just wanted to know: I'd like to set up a machine for watching TV from several countries using vpns to the respective countries, is there a way to setup multiple vpns on a PC to separate countries without creating virtual machines on a computer?
07:19 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:21 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:35 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Remote host closed the connection]
07:38 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
07:40 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Client Quit]
07:41 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined ##openvpn
07:47 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
07:49 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
07:53 -!- WinstonSmith [~true@e179003004.adsl.alicedsl.de] has quit [Read error: Connection reset by peer]
07:54 -!- WinstonSmith [~true@e179003004.adsl.alicedsl.de] has joined ##openvpn
07:56 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
08:21 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
08:29 -!- blackxored [~adrian@ubuntu/member/blackxored] has joined ##openvpn
08:29 < blackxored> hi guys
08:29 < blackxored> I'm having an error about can't add routes
08:29 < blackxored> is any of you willing to help me on this one"?
08:31 < blackxored> it says it can't add route, and isn't redirecting the default gw
08:32 < blackxored> anyone?
08:33 < JodaZ> blackxored, is it vista ?
08:33 < JodaZ> or win7 ?
08:34 < JodaZ> blackxored, if it is, quick google helped me with adding
08:34 < JodaZ> route-method exe
08:34 < JodaZ> route-delay 2
08:34 < blackxored> JodaZ, neither ;)
08:34 < JodaZ> to the config
08:34 < JodaZ> aw damn
08:34 < blackxored> is ubuntu lucid
08:34 < blackxored> i have route-delay 10 
08:34 < JodaZ> hmm, run it as root, lols
08:34 < blackxored> on my client, but I can't remember needing it
08:34 < blackxored> run what as root?
08:34 < JodaZ> well, whats the exact error ?
08:35 < blackxored> cant' tell for sure, the only thing odd is that some route can't be pushed
08:35 < blackxored> error 7
08:36 < blackxored> anyone???
08:36 < blackxored> I have lots of read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
08:36 < blackxored> on the server
08:37 < JodaZ> fiarwall
08:37 < JodaZ> use tcp to have a bettar fiarwall experience
08:37 < blackxored> no way 
08:38 < JodaZ> yes way
08:38 < blackxored> i don't think is the firewall, i have just flushed rules and still the same
08:39 < blackxored> wait let me test this, there might be a delay on my conn
08:40 < JodaZ> blackxored, its never the machines firewall, its them routers
08:42 < blackxored> the error is this ovpn-client[7475]: ERROR: Linux route add command failed: external program exited with error status: 7
08:43 < JodaZ> hmm, man route ? grep -Rni 7 route-src ?
08:43 < JodaZ> oh, yeah, or just google the error
08:44 < blackxored> it's just odd, on this same machine worked about a month ago
08:44 < JodaZ> hmm, there might be something above the error
09:01 < blackxored> i removed the routing error
09:01 < blackxored> it seems like it was a duplicate route
09:01 < blackxored> now
09:01 < blackxored> I have redirect-gateway def1 on the server, and the client conf is just the example one with some mods
09:01 < blackxored> I can't traceroute to gmail, any clues?
09:01 < blackxored> also i'm pushing dns option and still is using my network's dns
09:01 < blackxored> any clues on this my /etc/network/interfaces is just the basic iface eth0 inet dhcp
09:03 < blackxored> hehehhe this is gonna kill me, ip forwarding disabled on the server, where i can find a good iptables script
09:04 < blackxored> ?
09:12 < kisom> !forwarding
09:12 < vpnHelper> kisom: Error: "forwarding" is not a valid command.
09:12 < kisom> blah cant remember the command
09:12 < kisom> iptables -t nat -A POSTROUTING -s 10.11.0.0/24 -o eth0 -j MASQUERADE
09:12 < kisom> echo 1 > /proc/sys/net/ipv4/ip_forward
09:12 < kisom> That will do it.
09:13 -!- blackxored [~adrian@ubuntu/member/blackxored] has quit [Ping timeout: 252 seconds]
09:13 < kisom> Or not.
09:15 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:19 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
09:23 -!- manevra [~manevra@188.27.109.174] has joined ##openvpn
09:24 -!- brah [~brah@host232.190-31-30.telecom.net.ar] has joined ##openvpn
09:34 -!- blackxored [~adrian@ubuntu/member/blackxored] has joined ##openvpn
10:02 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has quit [Remote host closed the connection]
10:13 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has joined ##openvpn
10:18 -!- Visual` [~visualsta@unaffiliated/visualstation] has left ##openvpn []
10:22 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
10:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:26 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:57 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
11:15 -!- blackxored [~adrian@ubuntu/member/blackxored] has quit [Ping timeout: 245 seconds]
11:21 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
11:23 < s34n> I just added my first windows client (vista)
11:24 < s34n> The icon shows up down in the system tray, but becomes unresponsive
11:24 < s34n> regular clicking or right clicking does nothing
11:25 < s34n> it never displays a GUI, but if you click the icon again in the start menu it says the GUI is already running.
11:25 < s34n> there doesn't seem to be any way to disconnect
11:26 < s34n> something is obviously not right with my setup
11:27 -!- blackxored [~adrian@ubuntu/member/blackxored] has joined ##openvpn
11:42 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has quit [Ping timeout: 272 seconds]
11:53 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
12:02 -!- jhirley [~jhirley@c-75-74-13-194.hsd1.fl.comcast.net] has joined ##openvpn
12:04 -!- SOG [~SOG@n11649233015.netvigator.com] has joined ##openvpn
12:16 < krzie> !windows
12:16 < vpnHelper> krzie: "windows" is pcs are like air conditioners, they work fine unless you open windows
12:17 < krzie> s345, what version openvpn?
12:25 -!- krzie [~k@unaffiliated/krzee] has quit [Ping timeout: 272 seconds]
12:28 -!- aar0n [~aar0nsky@d47-69-246-113.try.wideopenwest.com] has joined ##openvpn
12:28 < Bushmills> usually people have problems with connecting, not with disconnecting
12:30 -!- SOG [~SOG@n11649233015.netvigator.com] has quit [Remote host closed the connection]
12:30 -!- SOG [~SOG@222.125.214.137] has joined ##openvpn
12:30 -!- SOG [~SOG@222.125.214.137] has quit [Client Quit]
12:41 -!- blackxored [~adrian@ubuntu/member/blackxored] has quit [Ping timeout: 276 seconds]
12:42 -!- ScriptFanix [~bofh@cl-53.mrs-01.fr.sixxs.net] has quit [Quit: WeeChat 0.3.2]
12:43 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined ##openvpn
12:51 < vpnHelper> RSS Update - forum: Server Administration :: Is this type of vpn configuration possible? :: Author ghurty <https://forums.openvpn.net/viewtopic.php?f=4&t=7096&p=7807#p7807>
12:52 -!- reactor16 [~eza@41.105.40.114] has joined ##openvpn
12:53 < reactor16> hi all
12:53 < kisom> Hello
12:53 < reactor16> is there gui configuration tool for openvpn ?
12:54 < kisom> A few.
12:55 < kisom> http://openvpn.net/index.php/open-source/documentation/graphical-user-interface.html
12:55 < vpnHelper> Title: Graphical User Interface (at openvpn.net)
12:55 < reactor16> those are for connecting and editing
12:56 < reactor16> i'm talking about configuration files clients and server
13:00 < Bushmills> !confgen
13:00 < vpnHelper> Bushmills: "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/
13:00 < Bushmills> not really gui but interactive
13:01 < reactor16> why there is no gui configuration wizard for openvpn
13:01 < Optic> cause you haven't written one yet :)
13:03 < Bushmills> because most people find an interactive configuration frontend called a "text editor" sufficient
13:03 < kisom> reactor16: Because people who generally use open source software tend to like the CLI ;)
13:04 < reactor16> i know cli is the best place of linux users but gui is also good because it save time
13:04 < reactor16> understand what i mean
13:04 < Bushmills> not quite. what time?
13:04 < Bushmills> time to read about what you're configuring?
13:05 < reactor16> i pend about 20min to create configuration files for openvpn
13:05 < kisom> I find CLI much faster than GUI...
13:05 < reactor16> but i i have a gui i will take 10min
13:05 < kisom> Well, then buy some other VPN product with a GUI :)
13:05 < reactor16> not all users are fast in cli :)
13:05 < reactor16> i like free 
13:05 < jpalmer> erm,  once you have 1 config file,  that should be used for almost all of your clients.  You aren't doing 1-off's for each client are you?
13:06 < Bushmills> i have a script which, when it runs, creates a config, signed keys etc, and packs it, in 3 seconds 
13:06 < jpalmer> Bushmills: but does it scp those files to the box and put them in the appropriate location?  :P
13:07 < Bushmills> jpalmer: it moves it into a net accessable place
13:07 < jpalmer> hah!  thats exactly what I do.
13:07 < Bushmills> it is up to the client to fetch it
13:08 < jpalmer> though,  since I only deal with unix machines as clients..  and I build them locally.. I'm thinking about having the script scp it, rather than make it an additional step to fetch it.
13:08 < Bushmills> clients may be behind firewalls, or ip address not known
13:08 < kisom> I have a simple program for my windows clients which will install openvpn, pull the certificate from the cert server and then set the service to auto start :)
13:35 -!- rawDawg [~rawdawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
--- Log closed Tue Sep 14 13:42:55 2010
--- Log opened Tue Sep 14 16:03:27 2010
16:03 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
16:03 -!- Irssi: ##openvpn: Total of 119 nicks [1 ops, 0 halfops, 0 voices, 118 normal]
16:04 -!- Irssi: Join to ##openvpn was synced in 40 secs
16:07 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has joined ##openvpn
16:07 < lhunath> I've got a server with one physical interface; I'm VPN'ing into it (using tap) and I want any tcp traffic to port 80 to get rdr'ed to a local proxy server.  Problem is, with my current configuration; many requests get through to the proxy and on to the destination just fine; while others never reach the proxy; resulting in my browser saying the server isn't responding.  When I turn off the VPN and ssh 
16:07 < krzee> lhunath, not especially...
16:07 < lhunath> tunnel the proxy server's port to my local machine and set my browser to use localhost:8118 as a http proxy; all is fine, no drops, no nothing.
16:07 < lhunath> uck. ;x
16:07 < lhunath> err.
16:08 < lhunath> I totally typo'ed openbsd as openvpn
16:08  * lhunath hides.
16:09 -!- lhunath [~lhunath@unaffiliated/lhunath] has left ##openvpn ["In the beginning the universe was created. This has made many people very angry and has been widely regarded as a bad move."]
16:11 -!- nb [~nb@fedora/GSWoT.Member.nb] has quit [Ping timeout: 276 seconds]
16:21 -!- WinstonSmith [~true@e179003004.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
16:22 -!- WinstonSmith [~true@e179003004.adsl.alicedsl.de] has joined ##openvpn
16:43 -!- UnterPerro [~UnterPerr@32.163.198.45] has joined ##openvpn
16:48 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
16:55 -!- aar0n [~aar0nsky@d47-69-246-113.try.wideopenwest.com] has quit [Read error: Operation timed out]
17:01 -!- kyle___ [~kyle@80-67-14-16.cust.vpntunnel.se] has quit [Quit: leaving]
17:22 -!- UnterPerro [~UnterPerr@32.163.198.45] has quit [Quit: UnterPerro]
17:22 -!- Cain [~Geek@unaffiliated/cain] has joined ##openvpn
17:24 -!- UnterPerro [~UnterPerr@32.163.198.45] has joined ##openvpn
17:25 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: Leaving]
17:28 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
17:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 252 seconds]
17:30 -!- UnterPerro [~UnterPerr@32.163.198.45] has quit [Quit: UnterPerro lives to save another day]
17:33 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined ##openvpn
17:34 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
17:34 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
17:37 -!- Cain [~Geek@unaffiliated/cain] has quit [Read error: Connection reset by peer]
18:10 -!- nb_ [~nb@fedora/GSWoT.Member.nb] has joined ##openvpn
18:12 -!- nb_ is now known as nb
--- Log closed Tue Sep 14 18:36:45 2010
--- Log opened Tue Sep 14 19:11:26 2010
19:11 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
19:11 -!- Irssi: ##openvpn: Total of 114 nicks [1 ops, 0 halfops, 0 voices, 113 normal]
19:11 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
19:11 < vpnHelper> RSS Update - forum: Authentication Scripts :: Re: Automatically fill in username and password :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=16&t=7093&p=7808#p7808> || Authentication Scripts :: Re: Automatically fill in username and password :: Reply by mikesteffler <https://forums.openvpn.net/viewtopic.php?f=16&t=7093&p=7809#p7809>
19:12 -!- Irssi: Join to ##openvpn was synced in 40 secs
--- Log closed Tue Sep 14 19:18:06 2010
--- Log opened Tue Sep 14 19:41:14 2010
19:41 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
19:41 -!- Irssi: ##openvpn: Total of 115 nicks [1 ops, 0 halfops, 0 voices, 114 normal]
19:41 -!- Irssi: Join to ##openvpn was synced in 39 secs
19:42 -!- UnterPerro [~UnterPerr@32.163.198.45] has quit [Quit: UnterPerro lives to save another day]
19:46 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
--- Log closed Tue Sep 14 19:50:35 2010
--- Log opened Tue Sep 14 19:56:25 2010
19:56 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
19:56 -!- Irssi: ##openvpn: Total of 113 nicks [1 ops, 0 halfops, 0 voices, 112 normal]
19:57 -!- Irssi: Join to ##openvpn was synced in 40 secs
20:01 -!- WinstonSmith [~true@e179003004.adsl.alicedsl.de] has quit [Remote host closed the connection]
20:02 -!- WinstonSmith [~true@e179003004.adsl.alicedsl.de] has joined ##openvpn
20:11 < vpnHelper> RSS Update - forum: Installation Help :: Client HELP :: Author Rockyuk <https://forums.openvpn.net/viewtopic.php?f=5&t=7097&p=7810#p7810>
20:11 -!- mroe [~ladmin@unaffiliated/roe] has joined ##openvpn
20:13 < mroe> I am working on a simple openvpn testbed.  I am using a routed subnet for vpns.  and I am trying to push a route out to a test client using the "push" directive in the server config file.  I am copying it from the wiki, but when the client connects, it doesn't have a route to the other subnet
20:15 < mroe> http://pastebin.com/LNMqSNeY
20:15 < mroe> that is my server conf
20:41 < krzee> client config too pls
20:42 < krzee> you likely just need to add pull to the 'client'
20:42 < krzee> in your setup, there i s no real server or client
20:42 < krzee> but the other side does need pull, or it will not accept pushed things
20:43 < mroe> ah.. so like 'pull route'
20:44 < krzee> nope
20:44 < krzee> just pull
20:45 < krzee> like 'pull'
20:45 < krzee> ;)
20:45 < mroe> I'm looking at: http://openvpn.net/index.php/open-source/documentation/howto.html#examples
20:45 < vpnHelper> Title: HOWTO (at openvpn.net)
20:45 < mroe> and it says I need to use 'client'
20:46 < krzee> only if the other side uses --server
20:46 < krzee> you dont
20:46 < mroe> ah gotcha
20:46 < krzee> but --client implies --pull
20:46 < krzee> since you dont need the rest of what --client is, just use --pull
20:46 < krzee> (assuming you really only want a point to point vpn)
20:47 < mroe> --pull can only be specified in TLS-mode <--so says my log
20:47 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 272 seconds]
20:48 < krzee> then you cant push in the setup you are using
20:48 < krzee> remove the push route from that side, put it on the other side without push or quotes
20:48 < mroe> ah, that's interesting, ok
20:48 < krzee> well it IS just a little ptp vpn
20:49 < krzee> which is no good for real server / client type setups
20:49 < krzee> with a ptp link like that, i would expect you run both sides
20:50 < mroe> right, I do expect to deploy a fully functional multi-client setup, but before I spend too much time working with openvpn I would like to make sure smb/cifs works
20:51 < krzee> !wins
20:51 < vpnHelper> krzee: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
20:51 < krzee> but by IP, it just works
20:51 < mroe> well... not yet it doesn't ;)
20:52 < krzee> ;)
20:52 < mroe> ifconfig
20:52 < mroe> oops
20:52 < krzee> since you will be reading and playing, i recommend reading the man page a LOT
20:53 < krzee> i also recommend using certs, and server mode
20:53 < mroe> yes, I have someone working in parallel to me setting up a CA and the like
20:53 < krzee> !ssl-admin
20:53 < vpnHelper> krzee: "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn, or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
20:53 < krzee> OR
20:53 < krzee> !pki
20:53 < vpnHelper> krzee: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert
20:53 < vpnHelper> krzee: was signed specially as a server (see !servercert)
20:53 < krzee> =]
20:54 < mroe> but the 'secret' way seemed like a good way to get up and running quickly to test routing and connectivity
20:54 < mroe> you're good
20:54 -!- WormFood [~wormfood@183.39.106.222] has quit [Ping timeout: 240 seconds]
20:54 < krzee> routing can be different in server mode than ptp mode
20:54 < krzee> depending on what you want to do
20:54 < krzee> if you just have 1 lan, behind the server, then its the same
20:54 < mroe> the thing that is getting me atm is that I don't see the 10.0.30.1 interface 'up' on the server at all
20:54 < krzee> when you add more, it changes
20:55 < krzee> when you add more, you want to read !route
20:55 < mroe> !route
20:55 < vpnHelper> mroe: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:56 < mroe> haha
20:56 < krzee> i hate when people skim it ;)
20:59 -!- Rolybrau [~Rolybrau@232-87.3-85.cust.bluewin.ch] has joined ##openvpn
20:59 -!- Rolybrau [~Rolybrau@232-87.3-85.cust.bluewin.ch] has quit [Changing host]
20:59 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
21:01 < mroe> ok, I guess I'm gonna have to invest a bit more time to see how well it will work
21:04 < mroe> hrm, ssl-admin isn't packaged in debian...
21:07 -!- WormFood [~wormfood@183.39.107.251] has joined ##openvpn
--- Log closed Tue Sep 14 21:13:33 2010
--- Log opened Tue Sep 14 21:13:37 2010
21:13 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
21:13 -!- Irssi: ##openvpn: Total of 114 nicks [1 ops, 0 halfops, 0 voices, 113 normal]
21:14 -!- Irssi: Join to ##openvpn was synced in 39 secs
21:18 < krzee> nope, but it installs there fine
21:18 < krzee> its just a perl script
21:19 -!- UnterPerro [~UnterPerr@32.163.198.45] has joined ##openvpn
21:42 < mroe> hey hey... we have it working and routing
21:42 < mroe> but...no smb/cifs
21:50 -!- UnterPerro [~UnterPerr@32.163.198.45] has quit [Quit: UnterPerro lives to save another day]
22:17 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
22:44 -!- mroe [~ladmin@unaffiliated/roe] has quit [Remote host closed the connection]
22:48 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Quit: Leaving.]
22:50 -!- hell_razer [~HellRaise@62-3-179-94.pool.ukrtel.net] has joined ##openvpn
22:52 < hell_razer> my pptpd has brokes, and its works so bad. now i want setup openvpn - is it has auth type for clients without ssl keys?
22:58 -!- johnfg [~johnfg@spirit.org] has joined ##openvpn
22:58 -!- johnfg [~johnfg@spirit.org] has quit [Client Quit]
23:00 -!- roe [~roe___@unaffiliated/roe] has joined ##openvpn
23:03 -!- WinstonSmith [~true@e179003004.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
23:24 -!- UnterPerro [~UnterPerr@32.163.198.45] has joined ##openvpn
23:58 -!- takamichi [~pri@78.133.38.220] has quit [Ping timeout: 276 seconds]
23:58 -!- takamichi [~pri@78.133.38.192] has joined ##openvpn
--- Day changed Wed Sep 15 2010
00:20 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has joined ##openvpn
00:27 -!- Ademus [Ademus@cm197.omega144.maxonline.com.sg] has joined ##openvpn
00:28 < Ademus> !welcome
00:28 < vpnHelper> Ademus: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
00:28 < Ademus> !howto
00:28 < vpnHelper> Ademus: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
00:28 < Ademus> !goal
00:28 < vpnHelper> Ademus: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
00:34 < Ademus> hi uh
00:34 < Ademus> as far as i can tell my problem isn't in the documentation/how to
00:35 < Ademus> i'm getting Cannot load CA certificate file despite the file being exactly where the config lists it as
00:36 < Ademus> most of the googling i've done has consisted of solutions where people just put the file where the config file needs it to be, or adding/removing quotes to the directory listing in the config file, but that hasn't worked for me
00:36 < Ademus> any help would be greatly appreciated!
00:51 -!- UnterPerro [~UnterPerr@32.163.198.45] has quit [Quit: UnterPerro lives to save another day]
00:56 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
01:09 -!- SOG_ [~SOG@61.144.230.241] has joined ##openvpn
01:13 < SOG_> um... does anyone know how to install a pppoe modules? or we can't do it on our own ?
01:15 < SOG_> OH, sorry wrong channel :D
01:32 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
01:37 -!- openbsdnoob [~openbsdno@88.79.221.61] has quit [Quit: byebye]
01:49 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
01:53 -!- szr [~SR@unaffiliated/szr] has joined ##openvpn
01:54 -!- Ademus` [Ademus@cm197.omega144.maxonline.com.sg] has joined ##openvpn
01:55 -!- Ademus [Ademus@cm197.omega144.maxonline.com.sg] has quit [Ping timeout: 265 seconds]
02:05 -!- openbsdnoob [~openbsdno@88.79.221.61] has joined ##openvpn
02:33 -!- Damascene [~alsayed@unaffiliated/uaa] has joined ##openvpn
02:34 < Damascene> hi, I have NATed machine. I want to connect it remotely. Can openVPN help me if I installed it on un-NATed machine?
02:41 -!- Damascene [~alsayed@unaffiliated/uaa] has quit [Ping timeout: 240 seconds]
03:19 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
03:34 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:54 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
03:54 -!- mode/##openvpn [+o mattock] by ChanServ
03:57 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Quit: WeeChat 0.3.4-dev]
04:07 < hyper_ch> !configs
04:07 < vpnHelper> hyper_ch: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
04:13 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined ##openvpn
04:29 -!- hell_razer [~HellRaise@62-3-179-94.pool.ukrtel.net] has quit [Remote host closed the connection]
04:45 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined ##openvpn
04:55 < theDoc> !tcp
04:55 < vpnHelper> theDoc: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
04:56 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
05:05 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
05:10 -!- alexbobP [~alex@ppp-70-253-65-239.dsl.austtx.swbell.net] has quit [Ping timeout: 252 seconds]
05:15 -!- SOG_ [~SOG@61.144.230.241] has quit [Remote host closed the connection]
05:15 -!- SOG [~SOG@n11649233015.netvigator.com] has joined ##openvpn
05:17 -!- Cisien [~chris@desktop.cisien.com] has quit []
05:18 -!- alexbobP [~alex@ppp-70-253-89-214.dsl.austtx.swbell.net] has joined ##openvpn
05:20 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:22 -!- SOG [~SOG@n11649233015.netvigator.com] has quit [Quit: I will be back!]
05:26 < Martin`> can the openvpn server give ipv6 adresses to clients like it does for ipv4?
05:38 -!- havoc [~havoc@neptune.chaillet.net] has quit [Ping timeout: 240 seconds]
05:39 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
05:45 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
05:46 -!- havoc [~havoc@neptune.chaillet.net] has joined ##openvpn
05:53 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
06:09 -!- _|Nix|_ [~schulhof@unaffiliated/nix/x-562542] has joined ##openvpn
06:10 < _|Nix|_> Hi! Is there a URL that contains the full documentation of all options that can go into a openvpn conf file?
06:12 < _|Nix|_> OK, well, it looks like all the command line parameters can also be added to the conf file without the initial -- ...
06:12 < _|Nix|_> so far ...
06:27 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has joined ##openvpn
06:28 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined ##openvpn
06:37 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
06:40 -!- WinstonSmith [~true@f052103021.adsl.alicedsl.de] has joined ##openvpn
06:53 -!- JonTheNiceGuy [c2b0c10a@pdpc/supporter/active/jontheniceguy] has joined ##openvpn
06:53 < JonTheNiceGuy> !welcome
06:53 < vpnHelper> JonTheNiceGuy: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:55 < JonTheNiceGuy> Hi all. I'm making some changes to the OpenVPN configurator for the FON 2.0n routers. I wanted to check whether there was an implicit KeepAlive value on the OpenVPN values (as we're not configuring one by-default on the OpenVPN startup scripts), and what will happen if the server has the config value --keepalive 10 120 and the client has --keepalive 20 240? Which takes precident?
06:59 < JonTheNiceGuy> Is it the lowest value?
07:12 < JonTheNiceGuy> Also, if I set --push "keepalive 0 0" will it force the client not to use keepalives?
07:13 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Ping timeout: 252 seconds]
07:14 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined ##openvpn
07:17 < x-demon> hello, i can't get openvpn to work
07:17 < x-demon> i can connect to network, but i can't actually access web
07:17 < x-demon> debian 6, btw
07:20 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
07:20 < ecrist> x-demon: /topic
07:21 < x-demon> oh
07:21 < x-demon> !redirect
07:21 < vpnHelper> x-demon: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
07:21 < x-demon> well, it have been done
07:21 < x-demon> !nat
07:21 < vpnHelper> x-demon: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
07:21 < x-demon> i use SNAT, btw
07:22 < x-demon> !linnat
07:22 < vpnHelper> x-demon: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
07:22 < x-demon> well, absolutely the same.
07:22 < x-demon> except my subnet is 192.168.76.0/24
07:23 < x-demon> can it cause problems?
07:23 < JonTheNiceGuy> !keepalive
07:23 < vpnHelper> JonTheNiceGuy: Error: "keepalive" is not a valid command.
07:23 < JonTheNiceGuy> Curses! :)
07:25 < JonTheNiceGuy> !goal
07:25 < vpnHelper> JonTheNiceGuy: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:26 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: Operation timed out]
07:26 < x-demon> and yes, i need access web from my VPN
07:27 < x-demon> i tried SNAT, MASQUERADE ways
07:27 < x-demon> still no luck
07:28 < theDoc> !firewall
07:28 < vpnHelper> theDoc: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
07:28 < theDoc> !linnat
07:28 < vpnHelper> theDoc: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
07:28 < x-demon> firewall completely opened
07:28 < x-demon> maybe try with 10. subnet...
07:29 < theDoc> Your subnet doesn't matter as long as you don't have overlapping subnets AND it stays within RFC1918.
07:29 < x-demon> well my home subnet is 192.168.42.0/24
07:29 < theDoc> What's your vpn subnet?
07:30 < x-demon> 192.168.76.0/24
07:31 < theDoc> You probably is most probably NAT.
07:31 < theDoc> s/you/your/probably/problem
07:32 < x-demon> eek?
07:32 < x-demon> what's a problem?
07:32 < theDoc> !ipforward
07:32 < vpnHelper> theDoc: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
07:32 < theDoc> 2 things, ipforward and NAT.
07:32 < theDoc> Have you configured either?
07:33 < x-demon> !linipforward
07:33 < vpnHelper> x-demon: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
07:33 < x-demon> yes, definitely.
07:33 < x-demon> from very start
07:34 < x-demon> http://pastebin.com/WQcNDkKc
07:34 < x-demon> server config
07:34 < theDoc> x-demon> Hang on for a second, I'm fixing something as well.
07:34 < theDoc> x-demon> From your vpn client, can you ping 8.8.8.8?
07:38 < x-demon> no
07:38 < x-demon> i see from tcpdump that packets going from VPN
07:38 < x-demon> but there is no reply
07:38 < x-demon> at all
07:38 < x-demon> on tun0 interface
07:41 < x-demon> iptables is clean except SNAT rules
07:42 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
07:48 < theDoc> x-demon> I'm almost sure that it's a problem with your NAT rules.
07:48 < theDoc> !linnat
07:48 < vpnHelper> theDoc: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
07:48 < theDoc> That or you didn't turn on ipforward.
07:48 < theDoc> Check if you have turned on ipforwarding first.
07:48 < theDoc> If you haven't, iptables.
07:48 < x-demon> lex:/home/mark# cat /proc/sys/net/ipv4/ip_forward 1
07:49 < theDoc> You want to check your NAT rules now.
07:49 < x-demon> i flushed it again, will try masquerade
07:49 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Quit: WeeChat 0.3.4-dev]
07:49 < theDoc> x-demon> Just follow !linnat
07:51 < x-demon> lex:/home/mark# iptables -t nat -A POSTROUTING -s 192.168.76.0/24 -o eth0:16 -j MASQUERADE
07:51 < x-demon> still no luck =/
07:52 < x-demon> well okay, eth0:16 was a problem. with -o eth0 all working
07:52 < theDoc> I don't think iptables handles virtual interfaces.
07:52 < theDoc> eth0:16 isn't going to work.
07:52 < theDoc> From memory.
07:53 < x-demon> okay, so there is another question. How i can use one interface for daemon, but route traffic via another interface?
07:53 < theDoc> I specify ip addresses that it should listen/route on
07:54 < x-demon> i know it possible with SNAT
07:54 < x-demon> but since iptables can't work with virtual interfaces...
07:54 < theDoc> Doesn't matter, just assign them by ip addresses.
07:54 < x-demon> you mean, bind openvpn to interface i need?
07:55 < theDoc> Yes.
07:55 < x-demon> hah i found a way
07:56 < x-demon> iptables -t nat -A POSTROUTING -s 192.168.76.0/24 -j SNAT --to <dest.ip>
07:56 < x-demon> -o interface not needed
07:56 < theDoc> That's exactly what I was referring to.
07:56 < x-demon> oh, sorry
07:56 < x-demon> thanks for help
07:59 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has joined ##openvpn
08:01 -!- makomi_ [~makomi@178-24-106-19-dynip.superkabel.de] has joined ##openvpn
08:04 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Ping timeout: 240 seconds]
08:10 -!- makomi_ [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
08:11 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
08:13 -!- SOG [~SOG@222.125.214.137] has joined ##openvpn
08:13 -!- SOG [~SOG@222.125.214.137] has quit [Remote host closed the connection]
08:14 -!- SOG [~SOG@n11649233015.netvigator.com] has joined ##openvpn
08:16 < Martin`> hmm ipv6 support on tun or tap?
08:16 < Martin`> I read different things on the web :P
08:16 < Martin`> on te openvpn site
08:17 -!- SOG_ [~SOG@61.144.230.241] has joined ##openvpn
08:18 -!- SOG__ [~SOG@222.125.214.137] has joined ##openvpn
08:19 -!- SOG__ [~SOG@222.125.214.137] has quit [Remote host closed the connection]
08:20 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
08:20 -!- SOG__ [~SOG@61.144.230.241] has joined ##openvpn
08:21 -!- SOG [~SOG@n11649233015.netvigator.com] has quit [Ping timeout: 272 seconds]
08:21 -!- SOG__ is now known as SOG
08:22 -!- SOG_ [~SOG@61.144.230.241] has quit [Ping timeout: 240 seconds]
08:24 -!- SOG_ [~SOG@222.125.214.137] has joined ##openvpn
08:24 -!- SOG_ [~SOG@222.125.214.137] has quit [Remote host closed the connection]
08:25 -!- theDoc [~Link@unaffiliated/thedoc] has left ##openvpn ["Leaving"]
08:28 -!- SOG [~SOG@61.144.230.241] has quit [Ping timeout: 264 seconds]
08:29 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined ##openvpn
08:32 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
08:33 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
08:46 -!- Ademus [Ademus@cm197.omega144.maxonline.com.sg] has joined ##openvpn
08:46 -!- Ademus` [Ademus@cm197.omega144.maxonline.com.sg] has quit [Ping timeout: 276 seconds]
08:51 -!- bhavamitra [~bhavamitr@201.82.131.222] has joined ##openvpn
08:54 < bhavamitra> hello, i'm trying to setup openvpn server on my tomato router and a cyanogenmod android client. i'm pretty newbie on openvpn and openssl stuff. i could generate the key with openvpn --genkey and put it on the tomato openvpn as the static key. but now the openvpn client settings on android ask for a certificate. so should I generate a certificate from this key? how?
08:55 < hyper_ch> !howto
08:55 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:55 < hyper_ch> check out the easy-rsa link in there
08:57 < bhavamitra> hyper_ch: too long... couldn't understand many things...
08:58 < bhavamitra> hyper_ch: also don't take tomato firmware in consideration
09:07 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
09:07 < vpnHelper> RSS Update - forum: Installation Help :: Re: Client HELP :: Reply by george <https://forums.openvpn.net/viewtopic.php?f=5&t=7097&p=7811#p7811>
09:13 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Ping timeout: 264 seconds]
09:15 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
09:22 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
09:32 < vpnHelper> RSS Update - forum: Installation Help :: Re: Client HELP :: Reply by Rockyuk <https://forums.openvpn.net/viewtopic.php?f=5&t=7097&p=7812#p7812>
09:32 -!- ScriptFanix [vincent@Hanaman.riquer.fr] has quit [Ping timeout: 252 seconds]
09:36 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
09:37 -!- bhavamitra_ [~bhavamitr@187.106.55.82] has joined ##openvpn
09:39 -!- WinstonSmith [~true@f052103021.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
09:39 -!- bhavamitra [~bhavamitr@201.82.131.222] has quit [Ping timeout: 276 seconds]
09:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:45 -!- WinstonSmith [~true@f052103021.adsl.alicedsl.de] has joined ##openvpn
10:00 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has quit [Remote host closed the connection]
10:01 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
10:03 -!- JonTheNiceGuy [c2b0c10a@pdpc/supporter/active/jontheniceguy] has left ##openvpn []
10:10 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:14 -!- WinstonSmith [~true@f052103021.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
10:16 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
10:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:35 -!- bhavamitra_ [~bhavamitr@187.106.55.82] has quit [Ping timeout: 245 seconds]
10:35 -!- bhavamitra_ [~bhavamitr@187.106.55.82] has joined ##openvpn
10:36 -!- WinstonSmith [~true@f052103021.adsl.alicedsl.de] has joined ##openvpn
10:47 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
11:02 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined ##openvpn
11:07 -!- bhavamitra_ [~bhavamitr@187.106.55.82] has quit [Ping timeout: 240 seconds]
11:08 < vpnHelper> RSS Update - forum: Installation Help :: Re: Client HELP :: Reply by george <https://forums.openvpn.net/viewtopic.php?f=5&t=7097&p=7813#p7813>
11:14 < vpnHelper> RSS Update - forum: Server Administration :: Re: Is this type of vpn configuration possible? :: Reply by george <https://forums.openvpn.net/viewtopic.php?f=4&t=7096&p=7814#p7814>
11:18 -!- johnfg [~johnfg@75-175-133-27.blng.qwest.net] has joined ##openvpn
11:20 < johnfg> hi folks
11:25 < vpnHelper> RSS Update - forum: Server Administration :: Re: Is this type of vpn configuration possible? :: Reply by ghurty <https://forums.openvpn.net/viewtopic.php?f=4&t=7096&p=7815#p7815>
11:26 < johnfg> I've got OpenVPN Service Startup Type as Automatic in Services.  It starts alright.  However, when I start OpenVPN GUI, which doesn't start automatically, then it tells me I can't use it because I probably don't have Administrator privileges (which I do), running xp pro.
11:26 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has joined ##openvpn
11:31 < johnfg> I can't even get status with the gui for that reason.
11:35 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined ##openvpn
11:36 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has quit [Quit: Leaving.]
11:36 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Read error: Connection reset by peer]
11:36 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined ##openvpn
11:40  * Dougy donkey punches krzee 
11:40 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined ##openvpn
11:48 -!- EmperorTom [~EmperorTo@174-30-246-22.mpls.qwest.net] has joined ##openvpn
11:50 -!- EmperorTom [~EmperorTo@174-30-246-22.mpls.qwest.net] has quit [Client Quit]
11:52 < johnfg> Any idea on the GUI?  BTW...it does work fine, as expected, when I don't have the openvpn service started automatically.
11:53 < kisom> johnfg: Skip the UI imo. Tried it once, never used it since.
11:54 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
11:55 -!- EmperorTom [~EmperorTo@174-30-246-22.mpls.qwest.net] has joined ##openvpn
11:59 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
11:59 < johnfg> kisom: Yeah, as long as it's starting.  What's the easy way, from my server, which is debian lenny, to see what ip's have been assigned?
11:59 < johnfg> To the clients, i.e.
12:00 < kisom> ifconfig-pool-persist /tmp/ips 60
12:02 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
12:03 < johnfg> kisom: Thanks!
12:04 < kisom> np
12:05 < kisom> you may also write to that file yourself if you want your clients to get a predefined IP address.
12:06 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Ping timeout: 276 seconds]
12:07 < Dougy> .
12:16 < roe> what is the opinion of the for-pay version in here?
12:20 < roe> does the $5 per user help support the project or encourage the dual-licensing setup
12:21 < Bushmills> johnfg:   --status file   ;  then look at file
12:27 < hyper_ch> hi Bushmills
12:27 < Bushmills> hi hyper_ch
12:28 < hyper_ch> Bushmills: I hope you've had a pleasant day
12:29 < Bushmills> had you hoped earlier, maybe it would have improved it :)
12:29 < hyper_ch> isn't it early day still for you?
12:30 < Bushmills> i got up 13:30 hours ago
12:37 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined ##openvpn
12:46 -!- takamichi [~pri@78.133.38.192] has quit []
12:48 -!- johnfg [~johnfg@75-175-133-27.blng.qwest.net] has left ##openvpn []
12:58 -!- takamichi [~pri@78.133.38.192] has joined ##openvpn
13:16 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
13:17 -!- jhirley [~jhirley@mail.mmdlaw.com] has joined ##openvpn
13:21 -!- LeRrA [~lerra@c-9b9872d5.029-136-73746f3.cust.bredbandsbolaget.se] has quit [Ping timeout: 276 seconds]
13:27 -!- julius [~julius@217.20.127.15] has quit [Disconnected by services]
13:29 < hyper_ch> !howto
13:29 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:29 < hyper_ch> !configs
13:29 < vpnHelper> hyper_ch: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
13:54 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
13:57 < makomi> hi! there must I set up what for creating a route on server by connecting a client?
13:58 < makomi> is this "iroute" in ccd-file?
14:00 < krzee> please re-state the question
14:00 < krzee> are you trying to say "how do i allow my server to access a lan behind a client?"
14:01 < makomi> thanks krzee: I´ve got a NAT-network behind a client and I want to "publish" this network to server if the client connect
14:01 < makomi> so all other clients could "see" this network
14:02 < krzee> !route
14:02 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:02 < krzee> !clientlan
14:02 < vpnHelper> krzee: "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
14:04 < makomi> !route_outside_openvpn
14:04 < vpnHelper> makomi: "route_outside_openvpn" is (#1) http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) you do not need this if the vpn node IS the gateway for its lan
14:05 < krzee> !forget clientlan
14:05 < vpnHelper> krzee: Error: 2 factoids have that key.  Please specify which one to remove, or use * to designate all of them.
14:05 < krzee> !forget clientlan
14:05 < vpnHelper> krzee: Error: 2 factoids have that key.  Please specify which one to remove, or use * to designate all of them.
14:05 < krzee> !forget clientlan *
14:05 < vpnHelper> krzee: Joo got it.
14:05 < krzee> !learn clientlan as for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn)
14:05 < vpnHelper> krzee: Joo got it.
14:06 -!- Martin` [martin@shell.ipv6.octocore.net] has joined ##openvpn
14:06 < krzee> !learn clientlan as see !route for a better explanation
14:06 < vpnHelper> krzee: Joo got it.
14:07 < makomi> !iroute
14:07 < vpnHelper> makomi: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
14:08 < makomi> !ccd
14:08 < vpnHelper> makomi: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
14:08 < krzee> read my writeup at !route
14:10 -!- LeRrA [~lerra@c-9b9872d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined ##openvpn
14:10 < makomi> !route
14:10 < vpnHelper> makomi: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:10 < makomi> thanks krzee
14:20 < krzee> yw
14:22 < Dougy> hi jeff
14:27 < krzee> hihi
14:29 -!- katyl [~katyl@74.117.158.151] has quit [Quit: Ex-Chat]
14:34 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Read error: Connection reset by peer]
14:34 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
14:48 -!- s34n [~chatzilla@ip-208-76-93-125.mvdsl.com] has quit [Ping timeout: 240 seconds]
14:49 -!- NoReflex [~ionut@86.34.4.14] has joined ##openvpn
14:49 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:50 < NoReflex> hello! I'm having some issues with a openvpn setup. I have e server / router that is the VPN server and I connect to it from my archlinux machine. It seems to work ok but rdesktop to a machine in the network hangs after some time. If I start a continuous ping before connecting rdesktop it does not hang.
14:53 < makomi> krzee: Do you know why after setting route/push route/iroute with "topology subnet" no route for clientlan was set but after disable topology it works?
14:54 < makomi> I´ve use OpenVPN 2.1.0 on Debian Lenny
14:58 -!- s34n [~chatzilla@ip-208-76-93-125.mvdsl.com] has joined ##openvpn
15:04 < hyper_ch> what's rdesktop?
15:05 < roe> hyper_ch, remote desktop
15:05 < roe> used to connect to windows machines
15:05 < hyper_ch> iiieeeks
15:06 < NoReflex> hyper_ch, I know...but not everyone (MS) uses SSH :)
15:07 < hyper_ch> they should start using some sane OS :)
15:07 < roe> I install a copy of cygwin and openssh server on all of the windows images I deploy
15:07 < hyper_ch> :)
15:07 < hyper_ch> you can even use rsync that way
15:08 < NoReflex> roe, I remember there were some ssh server for windows (native) - winsshd?
15:08 < roe> really? that would be pretty worthless I imagine... were you dropped in a dos shell or something?
15:08 < NoReflex> roe, yup - dos shell only
15:09 < roe> awesome... I love working in a shell that has only been losing features for the past 15 years
15:09 < hyper_ch> I thought the powershell finally offers some real shell capabilites
15:11 < roe> let me know when MS implements bash
15:11 < NoReflex> hyper_ch, I gave that powershell thing a try but the only things I could find were ls and grep :)
15:13 -!- blackxored [~adrian@ubuntu/member/blackxored] has joined ##openvpn
15:13 < blackxored> hi guys
15:13 < hyper_ch> ls? isn't that "dir"?
15:13 < hyper_ch> well, grep is very powerful command :)
15:13 < blackxored> i've setup dnsmasq in my vpn server, and i'm pushing dns server through dhcp option in config file, but still it appears i'm using my company's name server, why's so?
15:14 < hyper_ch> I wonder when windows will turn its back on the registry and move forward to config files
15:14 < hyper_ch> !configs
15:14 < vpnHelper> hyper_ch: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
15:27 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
15:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
15:45 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
15:58 -!- allquixotic_ is now known as allquixotic
16:01 -!- NoReflex [~ionut@86.34.4.14] has quit [Quit: Leaving]
16:06 < Ademus> hi i'm getting Cannot load CA certificate file despite the file being exactly where the config lists it as
16:06 < Ademus> most of the googling i've done has consisted of solutions where people just put the file where the config file needs it to be, or adding/removing quotes to the directory listing in the config file, but that hasn't worked for me
16:07 < Ademus> any help would be greatly appreciated!
16:11 -!- Kurogane [~kuro@190.87.75.229] has joined ##openvpn
16:20 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
16:20 < Dougy> f[psgdljkhdla;fgjdhaldfgsdalghsdlghfsdaghjsdlfhfsdahla
16:27 < krzee> Ademus, please paste the line from your config which starts with CA
16:28 < Ademus> ca C:\\Program\ Files\\OpenVPN\\keys\\ca.crt
16:30 < krzee> you need " around the path
16:30 < krzee> !winpath
16:30 < vpnHelper> krzee: "winpath" is (#1) Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key", or (#2) also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.: C:/Program Files/OpenVPN/config/foo.key (but surrounded by quotes)
16:30 < krzee> and do not escape the space
16:32 < Ademus> hrm, tried it with both ca "C:/Program Files/OpenVPN/keys/ca.crt" and ca "C:\\Program\ Files\\OpenVPN\\keys\\ca.crt", got the same error
16:33 < Dougy> howdy guys
16:34 < Ademus> hi there
16:35 < krzee> go back to using the first one
16:35 < krzee> then show me the error
16:35 < Ademus> k
16:36 < krzee> makomi, still here?
16:36 < Ademus> Thu Sep 16 05:35:53 2010 Cannot load CA certificate file C:\Program Files\OpenVPN\keys\ca.crt (SSL_CTX_load_verify_locations) (OpenSSL)
16:36 < krzee> makomi, are you sure the client that did not get the route was also on 2.1?
16:36 < krzee> makomi, also, we are on 2.1.3 now =]
16:37 < krzee> Ademus, sounds like your file is corrupt
16:37 < Ademus> ugh
16:37 < Ademus> i've reinstalled it twice?
16:37 < krzee> re-transfer it
16:37 < krzee> reinstalled?  im just talking bout the certs
16:38 < krzee> !certverify
16:38 < vpnHelper> krzee: "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
16:38 < Ademus> roger that
16:38 < Ademus> i'll start trying that now
16:38 < Ademus> thanks krzee!
16:39 < krzee> yw
16:46 < Ademus> hrm krzee, when running it in cmd i'm unable to load the ca.crt, but able to load the .crt i was given fine
16:46 < Ademus> could you tell me more about retransferring please?
16:47 < Ademus> i've uninstalled and reinstalled openvpn gui twice under the assumption that it gives me a fresh ca.crt each time
16:47 < krzee> it doesnt do ANYTHING about certs
16:47 < krzee> you make certs seperately
16:47 < krzee> do you run the server / ca?
16:48 < krzee> or better yet... where did you get your certs?
16:48 < Ademus> heh, friend of mine runs the server and i connect to it
16:48 < krzee> he needs to give you the CA again
16:48 < krzee> ca.crt that is
16:48 < Ademus> ahhh i see
16:49 < Ademus> is there any way i can generate it on my own? 
16:49 < krzee> no
16:49 < krzee> well you can make one, but it wont do you any good on his vpn ;)
16:49 < Ademus> hahaha
16:49 < Ademus> roger that then
16:50 < Ademus> thanks muchly dude
16:50 < krzee> np
16:55 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 276 seconds]
17:02 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
17:04 -!- openbsdnoob [~openbsdno@88.79.221.61] has quit [Ping timeout: 240 seconds]
17:05 < makomi> krzee: not the client don´t get the route, the server don´t get it. In log file stands: " OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options"
17:05 -!- openbsdnoob [~openbsdno@88.79.221.61] has joined ##openvpn
17:06 < makomi> after i enable "topology subnet"
17:06 < makomi> but i don´t know where I should what to set up
17:08 < makomi> the client has 2.1.1 - fyi
17:22 -!- blackxored [~adrian@ubuntu/member/blackxored] has quit [Ping timeout: 240 seconds]
17:33 -!- montana [~montana@212.117.173.72] has quit [Ping timeout: 240 seconds]
17:33 -!- montana [~montana@212.117.173.72] has joined ##openvpn
17:34 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:41 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
17:42 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
17:43 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:45 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 240 seconds]
17:45 < apedongle> h
17:54 < krzee> makomi, post your server config?
17:55 < krzee> !configs
17:55 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
17:55 < apedongle> krzee: boo Jason is watching joo
17:56 < krzee> ?
17:56 < krzee> oh its mikeh
17:56 < krzee> heh wassup
17:57 < apedongle> space dongles krzee
17:57 < apedongle> space dongles!
17:57 < apedongle> krzee: Yap :)
17:58 < apedongle> sup sir?
17:59 < krzee> playing with sql
17:59 < krzee> monkey work
17:59 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
18:00 < apedongle> drop database * ;
18:00 < apedongle> or something spectacular?
18:00 < krzee> hah
18:00 < makomi> krzee: please have a look at http://pastebin.com/yXcE4EEs
18:00 < krzee> nah more like setting up queries to grab all sorts of shit, and brainstorming the scripts that will datamine them
18:02 < makomi> this is without "topology subnet"
18:02 < apedongle> krzee: sounds like you're grabbing the fifth oct of a cookie :-)
18:02 < krzee> you can remote both of these
18:02 < krzee> tls-server
18:02 < krzee> mode server
18:02 < krzee> using server implies both of those
18:03 < apedongle> krzee: I was wondering, when are you in NL again?
18:03 < krzee> makomi, verb 4 logs with and without topology subnet please
18:03 < krzee> apedongle, soon i hope... i loved it there, would like to come out for longer
18:04 < krzee> but in feb im doing columbia / brazil / argentina... so maybe next summer =/
18:08 < makomi> krzee: verb 4 without topology subnet: http://pastebin.com/erKN8zUB
18:10 < krzee> and with?
18:10 < apedongle> krzee: let me know when you're visiting NL again, would be fun to meet up :-)
18:10 < krzee> apedongle, cool, i will\
18:11 < makomi> and krzee: verb 4 with topology subnet: http://pastebin.com/SQ8e69yZ
18:11 < makomi> sorry for delay :)
18:12 -!- openbsdnoob [~openbsdno@88.79.221.61] has quit [Ping timeout: 240 seconds]
18:12 < krzee> interesting
18:12 -!- openbsdnoob [~openbsdno@88.79.221.61] has joined ##openvpn
18:13 < krzee> makomi, that sounds like a bug... make an entry at trac
18:13 < krzee> !trac
18:13 < vpnHelper> krzee: Error: "trac" is not a valid command.
18:13 < krzee> community.openvpn.net
18:13 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:14 < makomi> thanks krzee: i have to doubt on me :)
18:19 < krzee> !learn bugs as https://community.openvpn.net/openvpn if we tell you that you found a bug.  go there, open an account, and file a bug report in trac  (your forum login is good for the trac too)
18:19 < vpnHelper> krzee: Joo got it.
18:24 < Ademus> krzee: problem solved and everything is up and running
18:24 < Ademus> thanks so much dude
18:26 -!- Ademus [Ademus@cm197.omega144.maxonline.com.sg] has left ##openvpn []
18:27 -!- jhirley [~jhirley@mail.mmdlaw.com] has quit [Ping timeout: 240 seconds]
18:28 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
18:30 < makomi> !ticket
18:30 < vpnHelper> makomi: Error: "ticket" is not a valid command.
18:30 < krzee> it's there
18:30 < makomi> Trac: https://community.openvpn.net/openvpn/ticket/55
18:30 < krzee> [16:32]  <vpnHelper> RSS Update - tickets: #55: After enabling "topology subnet" no route settings for server <https://community.openvpn.net/openvpn/ticket/55>
18:30 < vpnHelper> Title: #55 (After enabling "topology subnet" no route settings for server) – OpenVPN Community (at community.openvpn.net)
18:30 < vpnHelper> Title: #55 (After enabling "topology subnet" no route settings for server) – OpenVPN Community (at community.openvpn.net)
18:31 < krzee> heh
18:31 < makomi> :)
18:31 < makomi> thanks for your help and have a good night
18:33 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
18:37 < Dougy> krzee: might be doing nyc colo again
18:37 < Dougy> o.O
18:37 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
18:41 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
19:02 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
19:03 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
19:06 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
19:22 -!- montana [~montana@212.117.173.72] has quit [Read error: Operation timed out]
19:24 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 246 seconds]
19:26 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
19:30 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
19:30 -!- montana [~montana@212.117.173.72] has joined ##openvpn
19:34 -!- s34n [~chatzilla@ip-208-76-93-125.mvdsl.com] has quit [Ping timeout: 264 seconds]
19:34 -!- s34n [~chatzilla@ip-208-76-93-125.mvdsl.com] has joined ##openvpn
19:43 -!- manevra_ [~manevra@188.27.109.174] has joined ##openvpn
19:43 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
19:46 -!- manevra [~manevra@188.27.109.174] has quit [Ping timeout: 240 seconds]
19:48 -!- manevra_ [~manevra@188.27.109.174] has quit [Quit: Leaving]
19:59 -!- s34n [~chatzilla@ip-208-76-93-125.mvdsl.com] has quit [Ping timeout: 240 seconds]
20:06 -!- s34n [~chatzilla@ip-208-76-93-125.mvdsl.com] has joined ##openvpn
20:18 -!- WinstonSmith [~true@f052103021.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
20:20 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Quit: Leaving.]
20:22 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
20:35 -!- borgatron [63e3065d@gateway/web/freenode/ip.99.227.6.93] has joined ##openvpn
20:35 < borgatron> hi
20:49 -!- borgatron [63e3065d@gateway/web/freenode/ip.99.227.6.93] has quit [Quit: Page closed]
21:03 -!- s34n [~chatzilla@ip-208-76-93-125.mvdsl.com] has quit [Ping timeout: 240 seconds]
21:03 -!- s34n [~chatzilla@ip-208-76-93-125.mvdsl.com] has joined ##openvpn
21:04 < s34n> my ovpn client seems to keep killing my default route
21:09 -!- s34n [~chatzilla@ip-208-76-93-125.mvdsl.com] has quit [Ping timeout: 240 seconds]
21:09 -!- s34n [~chatzilla@ip-208-76-93-125.mvdsl.com] has joined ##openvpn
21:10 < s34n> ip route sh says my default hasn't changed
21:11 < s34n> but I lose internet connectivity evertime I connect to the vpn
21:11 < s34n> diconnecting vpn restores internet connection
21:14 < krzee> you probably have a conflicting subnet or something
21:14 < krzee> !samesubnet
21:14 < vpnHelper> krzee: "samesubnet" is clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
21:42 < s34n> krzee: I don't think so
21:43 < s34n> the closest I have is a 10.x.0.0/24 where x!=8
21:44 < s34n> my default gateway is on that subnet, so it attracts my attention there on this problem
21:44 < s34n> but I don't see the conflict
21:45 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 252 seconds]
21:46 < s34n> also, on the server setting, up snat to one of its subnets doesn't seem to work
21:47 < s34n> but that's a problem for tomorrow
21:47 < s34n> The client problem is for tonight, but I am baffled
21:49 < s34n> hang on, I'm going to connect the vpn again for a sec. it will probably cut me off this channel momentarily...
21:50 < s34n> ok, back
21:51 < s34n> the client set up this interface: inet 10.8.0.6 peer 10.8.0.5/32 brd 10.8.0.6 scope global tun0
21:53 < s34n> I'm not sure what that means
22:04 < s34n> rather, I'm not sure where 10.8.0.5/32 is. I would guess the server, but it is 10.8.0.1, right?
22:22 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
22:38 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 240 seconds]
22:51 -!- Hamlin [~Hamlin@unaffiliated/hamlin] has quit [Ping timeout: 255 seconds]
23:19 -!- johnfg [~johnfg@spirit.org] has joined ##openvpn
23:20 < johnfg> hi guys
23:20 < johnfg> I'd been in the room earlier from the xp box, and what I wrote down for what to do to find out what ips my openvpn server is giving out to the xp clients isn't right.
23:21 < johnfg> How do I find that out from debian lenny?
23:30 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has quit [Ping timeout: 255 seconds]
23:33 -!- johnfg [~johnfg@spirit.org] has quit [Remote host closed the connection]
23:42 < Bushmills> s34n: 10.8.0.5 is the peer to peer endpoint address on the client - the clients idea of what the remote end is
23:43 < Bushmills> nowhere else is that address known, the client only refers to it when it means to say "other end"
23:54 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has quit [Quit: leaving]
--- Day changed Thu Sep 16 2010
00:06 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
00:26 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
00:53 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
00:53 -!- mode/##openvpn [+o mattock] by ChanServ
01:16 < theDoc> mattock> You there?
01:16 <@mattock> theDoc: yes
01:17 < theDoc> mattock> Any chance I can get you for a second in private?
01:17 <@mattock> yep
01:17 < theDoc> Thanks.
02:11 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
02:24 -!- UnterPerro [~UnterPerr@32.160.200.77] has joined ##openvpn
02:37 < vpnHelper> RSS Update - forum: Off Topic, Related :: Help convince a large water company :: Author travelmanics <https://forums.openvpn.net/viewtopic.php?f=1&t=7098&p=7816#p7816>
02:41 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has joined ##openvpn
02:46 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
02:59 -!- Kurogane [~kuro@190.87.75.229] has quit [Remote host closed the connection]
03:03 -!- UnterPerro [~UnterPerr@32.160.200.77] has quit [Quit: UnterPerro lives to save another day]
03:05 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:08 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
04:09 -!- le0 [~fin@82.132.136.133] has joined ##openvpn
04:09 -!- le0 [~fin@82.132.136.133] has quit [Changing host]
04:09 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
04:14 -!- openbsdnoob [~openbsdno@88.79.221.61] has quit [Read error: Connection reset by peer]
04:16 -!- openbsdnoob [~openbsdno@88.79.221.61] has joined ##openvpn
04:18 -!- openbsdnoob [~openbsdno@88.79.221.61] has quit [Read error: Connection reset by peer]
04:19 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
04:20 -!- openbsdnoob [~openbsdno@88.79.221.61] has joined ##openvpn
04:24 -!- openbsdnoob [~openbsdno@88.79.221.61] has quit [Read error: Connection reset by peer]
04:26 -!- openbsdnoob [~openbsdno@88.79.221.61] has joined ##openvpn
04:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:29 < vpnHelper> RSS Update - forum: Server Administration :: ethernet tunnel (not bridge) PING problem :: Author enjoyjoy <https://forums.openvpn.net/viewtopic.php?f=4&t=7099&p=7817#p7817>
04:32 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has quit [Quit: Leaving]
04:33 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has joined ##openvpn
04:34 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined ##openvpn
04:45 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Ping timeout: 272 seconds]
04:46 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined ##openvpn
04:47 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
04:49 -!- sebuccino [~seb@89.246.75.78] has joined ##openvpn
04:49 < sebuccino> !welcome
04:49 < vpnHelper> sebuccino: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:53 < sebuccino> hi, what would be a clean setup for having enc traffic between three servers. All three need to be able to speak to each other directly. in 2.0 server mode the traffic would always be routed over the server right? what are the alternatives?
04:58 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
05:06 -!- sebuccino [~seb@89.246.75.78] has quit [Changing host]
05:06 -!- sebuccino [~seb@unaffiliated/sebuccino] has joined ##openvpn
05:08 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
05:09 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:11 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined ##openvpn
05:13 -!- sebuccino [~seb@unaffiliated/sebuccino] has left ##openvpn []
05:17 -!- WinstonSmith [~true@e179004000.adsl.alicedsl.de] has joined ##openvpn
05:20 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
05:35 -!- takamichi [~pri@78.133.38.192] has joined ##openvpn
05:42 -!- julius [~julius@217.20.127.15] has joined ##openvpn
05:57 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined ##openvpn
06:03 -!- Meliorator [m@dunnington.eu] has quit [Ping timeout: 276 seconds]
06:04 -!- sebcc [~seb@unaffiliated/sebuccino] has joined ##openvpn
06:24 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
06:27 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
06:45 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
07:06 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
07:11 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
07:14 -!- sebcc [~seb@unaffiliated/sebuccino] has quit [Quit: off]
07:20 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined ##openvpn
07:22 -!- makomi_ [~makomi@178-24-106-19-dynip.superkabel.de] has joined ##openvpn
07:22 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Read error: Connection reset by peer]
07:24 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Ping timeout: 276 seconds]
07:28 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined ##openvpn
07:33 < kraut> moin
07:39 < hyper_ch> huhu kraut
07:42 -!- EmperorTom [~EmperorTo@174-30-246-22.mpls.qwest.net] has quit [Quit: leaving]
07:42 -!- EmperorTom [~EmperorTo@174-30-246-22.mpls.qwest.net] has joined ##openvpn
08:01 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
08:08 -!- jhirley [~jhirley@c-75-74-13-194.hsd1.fl.comcast.net] has joined ##openvpn
08:10 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
08:11 -!- jhirley_ [~jhirley@c-75-74-13-194.hsd1.fl.comcast.net] has joined ##openvpn
08:15 -!- jhirley [~jhirley@c-75-74-13-194.hsd1.fl.comcast.net] has quit [Ping timeout: 240 seconds]
08:17 -!- screenn [~screenn@users-nat.more.com.ua] has joined ##openvpn
08:18 < screenn> how to configure client for connect with two different server's 
08:19 < ecrist> screenn: you use two different configuration files
08:19 < screenn> client1.conf and client2.conf for example?
08:31 < ecrist> sure
08:31 < vpnHelper> RSS Update - forum: Scripting and Customizations :: help in openvpn configuration :: Author anteelsayed <https://forums.openvpn.net/viewtopic.php?f=15&t=7100&p=7818#p7818>
08:32 -!- johnfg [~johnfg@spirit.org] has joined ##openvpn
08:32 < johnfg> hi guys
08:32 < theDoc> hi!
08:33 < johnfg> The ipconfig command recommended for me yesterday doesn't work on debian lenny.
08:33 < theDoc> Well, that's not really an openvpn question, more like a debian problem?
08:33 < johnfg> I'm openvpn server on lenny and wanted to know how to check what ip addresses are being given out to clients.
08:33 < ecrist> ifconfig
08:33 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
08:34 < johnfg> ecrist, I thought so, but I'm not giving it the right arguments, I guess.
08:34 < ecrist> just entering 'ifconfig' will give you all interface information
08:35 < theDoc> Strangely, I'm not seeing that either.
08:36 < johnfg> ecrist, Yeah, of course, it gives me the server: 10.8.0.1.  But what flags/options can I give it to find out what addresses my clients have?
08:36 < ecrist> ifconfig -a
08:37 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has joined ##openvpn
08:40 < johnfg> ecrist, Thanks for the try, but that doesn't do it either.
08:40 -!- k12linux [~k12linux@schools.dce.k12.wi.us] has joined ##openvpn
08:42 < k12linux> I have a (someone unique?) challenge and wanted to know if it is something I can do with openvpn or not...
08:42 < hyper_ch> k12linux: until you actually state your problem, we'll never know
08:42 < k12linux> lol.. getting there.  got a call. sorry
08:43 < k12linux> I have several VLANs at one site and a remote site with three VLANs.  
08:43 < k12linux> Two of the remote sites vlans need to be bridged to the main site
08:43 < k12linux> the 3rd can just be routed
08:44 < k12linux> In fact I'd prefer that the 3rd was routed but could bridge if I must.
08:44 < k12linux> Endpoints are Linux
08:45 < hyper_ch> !bridge
08:45 < vpnHelper> hyper_ch: "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc, or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ, or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man)
08:48 < k12linux> I did find bridging info but not much specifically on dealing with VLANs
08:48 < k12linux> !layer2
08:48 < vpnHelper> k12linux: "layer2" is (#1) you are using tap, what specific layer2 protocol do you need to work over the vpn?, or (#2) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#3) protocols that use layer2 communicate by MAC address, not IP address
08:50 < hyper_ch> no clue
08:50 < hyper_ch> but there are smart people in here like krzee that maybe can help
08:50 < k12linux> I'll lurk for a while jic
08:54 < johnfg> Anyone running server on debian?
08:54 < ecrist> man ifconfig
08:54 < johnfg> I'm still not finding out where openvpn server keeps track of the ip addresses it gives out to clients.
08:55 < ecrist> ah, that's what you're asking
08:55 < ecrist> !config
08:55 < vpnHelper> ecrist: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
08:55 < ecrist> !configs
08:55 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
08:55 < ecrist> I'm only interested in your server config
08:56 < johnfg> Here's the output of ifconfig: http://paste.debian.net/89906/
08:56 < johnfg> I'll paste the server.conf, too.
08:58 < johnfg> Here's server.conf: http://paste.debian.net/89907/
08:58 < ecrist> ugh
08:58 < ecrist> you don't read directions.
08:59 < johnfg> ecrist, OK, please enlighten me...
08:59 < ecrist> there's two places you can go to look up what IP is assigned to who
09:00 -!- foxdan [~maiden@minerva.redbrick.dcu.ie] has joined ##openvpn
09:00 < johnfg> OK, I think I might have found it (typed with chagrin).
09:01 < foxdan> Hi, wondering if someone can help me, I have openvpn set up and working, I can ping the server from the client but can't seem to ping the client from the server, is there a way to enable this I'm missing?
09:02 < johnfg> ecrist, I don't have ifconfig-pool-persist, and ipp.txt is empty.
09:02 < ecrist> 1) openvpn-status.log, 2) ifconfig-pool-persist
09:04 < vpnHelper> RSS Update - forum: Server Administration :: Re: Is this type of vpn configuration possible? :: Reply by george <https://forums.openvpn.net/viewtopic.php?f=4&t=7096&p=7819#p7819>
09:06 < johnfg> ecrist, Thanks. Sorry I'm so dense this morning :=(
09:08 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
09:22 < vpnHelper> RSS Update - forum: Server Administration :: Re: Forward Traffic through VPN to Home Gateway :: Reply by kcghost <https://forums.openvpn.net/viewtopic.php?f=4&t=7082&p=7820#p7820>
09:28 < s34n> Bushmills: so the client has two addresses? 0.5 and 0.6?
09:29 < s34n> Bushmills: ah. sorry. just read the rest of your comment.
09:30 < s34n> the client thinks that it's address is 0.6 and it thinks that the other end's address is 0.6?
09:31 < s34n> but the other end doesn't think its own address is 0.6?
09:32 < s34n> I don't quite get that.
09:34 < s34n> er.. I meant the client thinks that the other end's address is 0.5
09:34 < s34n> but the server on the other end doesn't think that its own address is 0.5
09:36 -!- screenn [~screenn@users-nat.more.com.ua] has quit [Quit: Leaving]
09:37 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has quit [Read error: Operation timed out]
09:37 -!- Meliorator [m@dunnington.eu] has joined ##openvpn
09:37 -!- Meliorator [m@dunnington.eu] has quit [Excess Flood]
09:38 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 276 seconds]
09:38 -!- Meliorator [m@dunnington.eu] has joined ##openvpn
09:40 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: help in openvpn configuration :: Reply by anteelsayed <https://forums.openvpn.net/viewtopic.php?f=15&t=7100&p=7821#p7821>
09:46 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
09:48 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has joined ##openvpn
09:51 -!- johnfg [~johnfg@spirit.org] has quit [Quit: Leaving]
09:52 -!- pumkinhed [~pumkinhed@72.45.85.159] has joined ##openvpn
09:52 < pumkinhed> hello #openvpn, on windows clients what will persist-tun do?
09:53 < pumkinhed> and persist-key
09:56 -!- brah [~brah@host232.190-31-30.telecom.net.ar] has quit [Ping timeout: 252 seconds]
09:57 < s34n> pumkinhed: from 2004: http://openvpn.net/archive/openvpn-users/2004-10/msg00419.html
09:57 < vpnHelper> Title: [Openvpn-users] --persist-tun on the client (at openvpn.net)
09:59 < s34n> I need my ovpn server to provide access to the various subnets on which it resides, for most of which it is not the default gateway
09:59 < pumkinhed> yes that is from 2004 :-( basically i think that using that option on a windows 7 client is breaking resume from hibernation, i havent had a chance to remove the option and test, but there is something causing openvpn not to reconnect (even with keepalive and resolv-retry-infinite), after it resumes from hibernation openvpn just sits there, doesn't reconnect, no messages in log
09:59 < s34n> I can't affect the routing on those various subnets
09:59 < pumkinhed> s34n: what you mean to say is your client needs to have routes pushed to it?
09:59 < s34n> So I figured I could snat
10:00 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
10:00 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has quit [Quit: Leaving]
10:00 < pumkinhed> s34n: or does your openvpn server not have the routes?
10:00 < s34n> pumkinhed: I have to do more than push routes. responseses have to get routed back through the ovpn server
10:01 < pumkinhed> s34n: hmm, yes, are you running in a tun or tap config?
10:01 < s34n> tun
10:01 < s34n> hence my problem
10:01 < pumkinhed> whats the problem?
10:01 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
10:02 < ecrist> pumkinhed: your issue is going to be discussed in the developer meeting today
10:02 < ecrist> we're thinking it's a bug
10:03 < s34n> the various subnets on which the server sits don't have routing that sends traffic back to this server for 10.8.x.x traffic
10:03 < ecrist> s34n: you have to do that, then.
10:03 < pumkinhed> thanks ecrist 
10:04 < s34n> ecrist: right. but I can't affect the routing on those subnets
10:04 < ecrist> openvpn can't do magical things that affect systems
10:04 < s34n> right
10:04 < ecrist> s34n: if you can't, why do you expect us to?
10:04 < s34n> But I figured I could have the ovpn server snat
10:04 -!- brah [~brah@186.124.228.244] has joined ##openvpn
10:05 < ecrist> s34n: you can, a bit, but that's done with a firewall, not with openvpn
10:05 < pumkinhed> yes thats exactly what happens.... for instance my ovpn server is also the default gateway for my network, any time any traffic goes off my subnet it goes to my default gw which is also my ovpn server, so when i try to contact clients off my network (ie on the other side of the tunnel) my gw routes me there via its routes
10:05 < s34n> ecrist: understood
10:06 < s34n> pumkinhed: right. and that is working great for the subnets on which my ovpn server is the gateway
10:06 < pumkinhed> so on those other gateways, set the routes up to point to your ovpn server, (which should also be in gw mode, but not the default gw for your LAN)
10:07 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
10:07 < s34n> but when I snat -s 10.8.0.0/24 traffic on the server to the various subnet interfaces, it doesn't work
10:07 < jpalmer> when will software start using SRV records for DNS?  it'd make life soo much better.
10:08 < s34n> meh. this is probably more a "learn iptables" issue. not ovpn
10:08 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:08 < pumkinhed> true
10:08 < pumkinhed> i use freebsd, so i dont use iptables
10:09 < pumkinhed> besides it sounds like you want to use dnat...
10:09 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
10:10 < k12linux> !tunortap
10:10 < vpnHelper> k12linux: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
10:10 < vpnHelper> k12linux: against you over the vpn, or (#4) lan gaming? use tap!
10:11 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
10:11 < pumkinhed> !wins
10:11 < vpnHelper> pumkinhed: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
10:12 < pumkinhed> hmm, !wins doesnt talk about openvpn config at all.... maybe it should say something about push "dhcp-option WINS IP.OF.WINS.SERVER"
10:15 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
10:15 < s34n> traffic coming from the client will be seen by the ovpn server as originating from a 10.8.0.0/24 address, right? (using default config)
10:17 < pumkinhed> s34n: yes
10:19 < pumkinhed> ecrist: will the developer meeting be occurring in the chan?
10:19 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:24 -!- mode/##openvpn [+o dazol] by ChanServ
10:24 -!- dazol is now known as dazo
10:28 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Read error: Connection reset by peer]
10:31 < s34n> ok. the snat'ing works out just fine. I had a flawed test.
10:31 < s34n> thanks ecrist, pumkinhed 
10:33 < s34n> now I need to figure out why my linux ovpn client is crunching my default gateway routing
10:33 < s34n> whenever I connect to the vpn, I lose routing to the internet out my default route
10:33 < ecrist> sounds like conflicting IP space
10:33 < s34n> disconnecting from the vpn restored internet connectivity.
10:33 < ecrist> or a misconfigured push
10:34 < s34n> the vpn uses a unique subnet
10:34 < s34n> and does not push any conflicting routes that I can tell.
10:35 < s34n> without the vpn, I sit on a 10.1.0.0/24 subnet. The vpn uses 10.8.0.0/24 and pushes various 172.x.x.x routes to me
10:36 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
10:38 < s34n> ok. got it.
10:39 < s34n> when connected to vpn, my default route does change: default via 10.8.0.5 dev tun0  proto static
10:40 < s34n> why is my client changing my default route?
10:42 < pumkinhed> you have redirect-gateway set?
10:42 < pumkinhed> s34n: ^^
10:42 < s34n> pumkinhed: set in client.conf?
10:43 < pumkinhed> yeah
10:43 -!- barfster [~barf@193.69.144.162] has joined ##openvpn
10:44 < barfster> What is wrong when I do /etc/init.d/openvpn start
10:44 < s34n> pumkinhed: I'm using nm-applet. I haven't found a setting for that
10:44 < barfster> and there is no tun0 when I do ifconfig?
10:44 < s34n> barfster: on your server?
10:44 < pumkinhed> barfster: what os?
10:44 < barfster> linux
10:44 < barfster> client
10:45 < barfster> It has been running for a month or so
10:45 < barfster> but today
10:45 < barfster> no action
10:46 < pumkinhed> strange
10:47 < barfster> [  499.452856] tun0: Disabled Privacy Extensions
10:47 < pumkinhed> s34n: wait a minute, you aren't editing the openvpn.conf file directly?
10:47 < barfster> is what I find in the log that is not normal
10:47 < barfster> ?
10:47 < s34n> pumkinhed: no I am not in this case
10:47 < s34n> pumkinhed: I found it.
10:48 < pumkinhed> s34n: so is redirect-gateway set?
10:48 < pumkinhed> barfster: i can't help without more info...
10:48 < s34n> pumkinhed: I thinks so. The setting in the GUI is "Use this connection only for resources on its network"
10:48 < barfster> pumkinhed: like what?
10:49 < s34n> pumkinhed: buried a bit in the GUI
10:49 -!- k12linux [~k12linux@schools.dce.k12.wi.us] has quit [Quit: Leaving]
10:49 < pumkinhed> s34n: hmmm, i dont knwo what that means but you dont want redirect-gateway
10:49 < pumkinhed> barfster: like what OS you are using, damnit linux is not an OS, its a half description, if i ask what v of windows and you say windows i would kick you in the teeth, lol
10:50 < s34n> pumkinhed: right. I think that the nm-applet plugin sets redirect-gateway be default unless you check that setting
10:50 < s34n> pumkinhed: thanks for the lead. problem is now solved.
10:50 < pumkinhed> s34n: simply dont use it, edit the file directly.
10:52 < barfster> ubuntu 10.04
10:52 < barfster> pumkinhed: http://pastie.org/1163063
10:53 < pumkinhed> looks normal to me
10:53 < krzee> [06:46]  <k12linux> I have several VLANs at one site and a remote site with three VLANs.  
10:53 < krzee> he needs !route
10:54 < pumkinhed> umm, that was 3 hrs ago?
10:55 < krzee> *shrug*
10:56 < pumkinhed> its like last night i woke up, thinking of the funniest joke, i bolted up, scribbled it down and literally laughed myself to sleep
10:56 < pumkinhed> now this morning i can't read my dang handwriting....
11:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
11:10 < jetole> Hey guys. I have a new field in my openvpn logs which is us=xxxxx where xxxxx is a number. Could someone please tell me what that means?
11:11 < barfster> pumkinhed: now there is connection again.
11:11 < barfster> I have not done anything
11:11 < barfster> Perhaps a router was down with an involced ISP?
11:11 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
11:26 < jpalmer> !factoid search tcp
11:26 < vpnHelper> jpalmer: Error: "factoid" is not a valid command.
11:27 < pumkinhed> barfster: glad it resolved itself :-)
11:27 < barfster> Very wired
11:27 < pumkinhed> arent we all
11:27 < pumkinhed> :-)
11:28 < barfster> weird
11:28 < pumkinhed> oooh
11:28 < pumkinhed> yes arent we all...
11:28 -!- avar [~avar@wikipedia/avar] has joined ##openvpn
11:28 -!- avar [~avar@wikipedia/avar] has left ##openvpn []
11:29 -!- avar [~avar@wikipedia/avar] has joined ##openvpn
11:36 < ecrist> !factoids search tcp
11:36 < vpnHelper> ecrist: 'win_tcplimit' and 'tcp'
11:37 -!- dollabill [~mike@97.66.26.10] has joined ##openvpn
11:51 -!- makomi_ [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
11:54 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
11:59 -!- mmestnik [~mmestnik@173-160-118-149-Minnesota.hfc.comcastbusiness.net] has joined ##openvpn
12:01 -!- WinstonSmith [~true@e179004000.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
12:01 < mmestnik> Hello, My server is giving me an error of connection from my client.  This is only when using socks5(httptunnel) software.  Directly it's working fine.  "Bad encapsulated packet length from peer"
12:05 -!- WinstonSmith [~true@e179004000.adsl.alicedsl.de] has joined ##openvpn
12:06 < mmestnik> I can post my config files as in http://openvpn.net/archive/openvpn-devel/2003-12/msg00004.html
12:06 < vpnHelper> Title: RE: [Openvpn-devel] TCP tunnel problem on Windows (at openvpn.net)
12:09 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
12:09 < mmestnik> C5: New SOCKS tunnel established 127.0.0.1 -> 127.0.0.1:1194 C5: Disconnect on request server C5: Sent 151 bytes, received 28 bytes
12:10 < mmestnik> These counters are on part of the client, so the server sends 28bytes then quits.
12:11 < jpalmer> !tcp
12:11 < vpnHelper> jpalmer: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
12:12 < mmestnik> Hmm, well now I'm not sure of that.  The server's logs indicate the same(not reversed) counters.
12:12 < mmestnik> jpalmer: I can do UDP over socks5...  but that should be less efficient then using TCP?
12:15 < mmestnik> read UDPv4 [ECONNREFUSED]: Connection refused
12:16 < apedongle> firewall firewall firewall
12:17 -!- dollabill [~mike@97.66.26.10] has quit []
12:18 -!- krzee [~k@unaffiliated/krzee] has quit [Ping timeout: 276 seconds]
12:20 -!- WinstonSmith [~true@e179004000.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
12:21 < mmestnik> ...wouldn’t openvpn be able to mitigating these issues when it uses TCP?  It can ack any data it's receved an ack for, that is once it's left the sending buffer.  The other end would need to know to retransmit anything it hasn't got an ack for.
12:24 -!- JackCorleone [~root@187.10.70.88] has joined ##openvpn
12:24 < mmestnik> apedongle: It's all being done on a single device, for now, in a controlled test environment.  strace shows several UDP packets in both directions.
12:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:26 < mmestnik> sweet, that's it.
12:33 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
12:36 -!- dazo is now known as dazo_afk
12:38 <@mattock> forums and community will be migrated to a new hardware node in ~2 hours 30 mins: https://forums.openvpn.net/viewtopic.php?f=20&t=7102&sid=b0782e4d6dfee756ece17982b9509c4f
12:38 < vpnHelper> Title: OpenVPN Support Forum View topic - Community and forums migration today (at forums.openvpn.net)
12:38 -!- avar [~avar@wikipedia/avar] has left ##openvpn []
12:41 < vpnHelper> RSS Update - forum: Announcements :: Community and forums migration today :: Author samuli <https://forums.openvpn.net/viewtopic.php?f=20&t=7102&p=7823#p7823> || Configuration :: OpenVPN, routing & Amazon EC2 :: Author MarkRobinson <https://forums.openvpn.net/viewtopic.php?f=6&t=7101&p=7822#p7822>
12:43 -!- dazo_afk is now known as dazo
12:46 -!- btwotch [~btwotch@p5DC4A278.dip0.t-ipconnect.de] has joined ##openvpn
12:46 < btwotch> Hi, I am running linux in linux via user mode linux; the problem is, that I can't create a tun/tap device inside uml; but I want to run openvpn in it
12:47 < btwotch> is there any possible solution?
12:48 < mmestnik> My socks5 server reads the data from the openvpn client, but then ever sends the response off to the openvpn server.
12:49 -!- dazo is now known as dazo_afk
12:49 < mmestnik> btwotch: Can you load kernel modules?
12:50 -!- WinstonSmith [~true@e179004000.adsl.alicedsl.de] has joined ##openvpn
12:50 < btwotch> no
12:50 < btwotch> but I can create eth* devices
12:50 -!- dazo_afk is now known as dazo
12:50 < btwotch> is it possible to abuse them?
12:50 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
12:52 < mmestnik> tun/tap devices connect an interface to a char device or file.  As eth devices are already attached to a device they can't be abused as you suggest.  Though I'm sure they can be abused in other ways.
12:52 < s34n> I just installed a win7 client that tells me "all tap-win32 adapters on this system are currently in use"
12:52 < s34n> using v2.1.3
12:57 < btwotch> ah, I've just another question; if the server pushes the default route (here at university), is it possible to configure the client that it doesn't change the route?
13:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
13:13 -!- btwotch1 [~btwotch@p5DC49EF3.dip0.t-ipconnect.de] has joined ##openvpn
13:15 -!- btwotch [~btwotch@p5DC4A278.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
13:16 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
13:16 -!- btwotch [~btwotch@p5DC49E66.dip0.t-ipconnect.de] has joined ##openvpn
13:19 -!- btwotch1 [~btwotch@p5DC49EF3.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
13:29 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
13:29 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
13:30 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
13:55 <@dazo> btwotch: --route-nopull
13:55 <@dazo>        --route-nopull
13:55 <@dazo>               When used with --client or --pull, accept options pushed by server EXCEPT for routes.
13:55 <@dazo>               When used on the client, this option effectively bars the server from adding routes to the
13:55 <@dazo>               client’s routing table, however note that this option still allows the server to  set  the
13:55 <@dazo>               TCP/IP properties of the client’s TUN/TAP interface.
13:56 <@dazo> (from the man page)
14:02 -!- manevra [~manevra@86.121.76.162] has joined ##openvpn
14:05 < manevra> hy, my isp blocks port 25, i connect to vpn where port 25 is unblocked, but the application doesn't work on my windows machine. how do i bind it to the vpn's ip or conenction ?
14:06 < btwotch> dazo: thanks a lot :)
14:08 < btwotch> thx to mmestnik too 
14:10 -!- manevra [~manevra@86.121.76.162] has quit [Ping timeout: 252 seconds]
14:11 -!- manevra [manevra@86.55.242.59] has joined ##openvpn
14:11 < manevra> back
14:11 < mmestnik> I have 3 straces of a socat placed in different parts of my tunnel.  The only thing I can determine is that every thing -but- openvpn is doing what it should be.
14:16 < mmestnik> http://paste.factorcode.org/paste?id=1964
14:18 < mmestnik> http://paste.factorcode.org/paste?id=1966
14:21 < alexbobP> The Many Straces of Socat
14:22 < mmestnik> http://paste.factorcode.org/paste?id=1967
14:23 < mmestnik> How can I disable this "Bad encapsulated packet length" check?
14:28 < mmestnik> The more I learn about httptunnel the less I think I'll need openvpn.
14:28 -!- brah [~brah@186.124.228.244] has quit [Ping timeout: 252 seconds]
14:29 -!- dazo is now known as dazo_afk
14:35 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:36 -!- manevra [manevra@86.55.242.59] has quit [Quit: Leaving]
14:47 -!- brah [~brah@186.124.228.244] has joined ##openvpn
14:51 -!- brah [~brah@186.124.228.244] has quit [Ping timeout: 245 seconds]
15:05 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
15:12 < mmestnik> Is there something I can do/test/try?
15:16 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:20 -!- Gnewt [~hackerlet@li57-94.members.linode.com] has joined ##openvpn
15:20 < mmestnik> What happens after "UDPv4 link remote: [AF_INET]127.0.0.1:1194"?
15:20 < Gnewt> I can't ping from my server to any of my clients
15:21 < mmestnik> I get: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
15:21 < Gnewt> oh, firewall ;P
15:25 < mmestnik> This trace I've made with udp is interesting to me.  It dosen't give up, but then it dosen't succeed ether.
15:26 < mmestnik> The trace made with the socks5 side of a udp connection is interesting.  It seams blank.
15:26 < mmestnik> ...Does openvpn use more then one connection?
15:27 < mmestnik> Where can I get details about it's operation?
15:28 < mmestnik> !welcome
15:28 < vpnHelper> mmestnik: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:42 -!- openvpn2009 [~admin@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
15:42 -!- mode/##openvpn [+o openvpn2009] by ChanServ
15:49 -!- karlgus [~karlgus@h-104-168.A251.priv.bahnhof.se] has joined ##openvpn
15:51 < mmestnik> !goal
15:51 < vpnHelper> mmestnik: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:53 < mmestnik> I just want a secure connection between 2 computers, over HTTPTunnel by Sebastian Weber.
16:07 -!- mmestnik [~mmestnik@173-160-118-149-Minnesota.hfc.comcastbusiness.net] has quit [Quit: Leaving]
16:07 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
16:11 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 255 seconds]
16:13 -!- barfster [~barf@193.69.144.162] has quit [Quit: Computer has gone to sleep]
16:20 -!- JackCorleone [~root@187.10.70.88] has quit [Quit: Saindo]
16:25 -!- barfster [~barf@193.69.144.162] has joined ##openvpn
16:26 -!- barfster [~barf@193.69.144.162] has left ##openvpn []
16:37 -!- slava_dp [~slava@unaffiliated/slava-dp/x-9423217] has joined ##openvpn
16:37 < slava_dp> hi. is it possible to push a route to a selected client? I don't want all clients to install the route, just this single one. that possible?
16:49 < pumkinhed> yes
16:49 < pumkinhed> ccd
16:50 < pumkinhed> http://www.openvpn.net/index.php/open-source/documentation/howto.html search for ccd
16:50 < vpnHelper> Title: HOWTO (at www.openvpn.net)
17:02 < slava_dp> pumkinhed, thank you, it worked.
17:02 < pumkinhed> yw
17:04 -!- btwotch [~btwotch@p5DC49E66.dip0.t-ipconnect.de] has left ##openvpn []
17:10 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:12 < slava_dp> another question. can I assign static ip addresses to clients in tap mode via ccd?
17:15 < slava_dp> ok, found something, trying.
17:20 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 276 seconds]
17:20 -!- takamichi [~pri@78.133.38.192] has joined ##openvpn
17:23 -!- montana [~montana@212.117.173.72] has quit [Ping timeout: 240 seconds]
17:25 -!- montana [~montana@212.117.173.72] has joined ##openvpn
17:26 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
17:54 -!- znull [emi@unaffiliated/znull] has joined ##openvpn
17:54 < znull> heya, any ideea /usr/sbin/openvpn --config /etc/openvpn/openvpn.conf --writepid /var/run/openvpn.pid --daemon --cd /etc/openvpn Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/openvpn.conf ( my openvpn.conf works in other server ) 
18:31 -!- slava_dp [~slava@unaffiliated/slava-dp/x-9423217] has quit [Quit: Ухожу я от вас (xchat 2.4.5 или старше)]
18:33 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Remote host closed the connection]
18:56 -!- UnterPerro [~UnterPerr@32.160.206.60] has joined ##openvpn
19:01 -!- [intra]lanman [~lanman@24.192.55.68] has joined ##openvpn
19:01 -!- [intra]lanman [~lanman@24.192.55.68] has quit [Changing host]
19:01 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
19:16 -!- karlgus [~karlgus@h-104-168.A251.priv.bahnhof.se] has quit [Remote host closed the connection]
19:16 -!- UnterPerro [~UnterPerr@32.160.206.60] has quit [Quit: UnterPerro]
19:50 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
20:21 -!- s34n [~chatzilla@ip-208-76-93-125.mvdsl.com] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.5.9/20100330072020]]
20:23 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
20:47 -!- ecrist changed the topic of ##openvpn to: OpenVPN 2.1.3 Most Current || 2.2-beta3 Released 10-Sept-2010 || Your problem is your firewall, really. || Type  !welcome  before asking your questions. ||  Web Forum: http://forums.openvpn.net ||  Developers: #openvpn-devel
20:48 -!- ecrist changed the topic of ##openvpn to: We have #openvpn back - expect a move in coming weeks! || OpenVPN 2.1.3 Most Current || 2.2-beta3 Released 10-Sept-2010 || Your problem is your firewall, really. || Type  !welcome  before asking your questions. ||  Web Forum: http://forums.openvpn.net ||  Developers: #openvpn-devel
20:49 -!- WormFood [~wormfood@183.39.107.251] has quit [Ping timeout: 255 seconds]
20:49 -!- jhirley_ [~jhirley@c-75-74-13-194.hsd1.fl.comcast.net] has quit [Ping timeout: 240 seconds]
20:50 < Gnewt> /wc
20:50 < Gnewt> er
20:50 -!- Gnewt [~hackerlet@li57-94.members.linode.com] has left ##openvpn []
21:02 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has quit [Read error: Connection reset by peer]
21:02 -!- UnterPerro [~UnterPerr@32.160.206.60] has joined ##openvpn
21:02 -!- WormFood [~wormfood@183.39.106.199] has joined ##openvpn
21:21 -!- UnterPerro [~UnterPerr@32.160.206.60] has quit [Quit: UnterPerro lives to save another day]
22:07 -!- alexbobP [~alex@ppp-70-253-89-214.dsl.austtx.swbell.net] has quit [Quit: leaving]
23:35 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 240 seconds]
23:38 -!- takamichi [~pri@78.133.38.192] has joined ##openvpn
23:44 -!- WormFood [~wormfood@183.39.106.199] has quit [Ping timeout: 272 seconds]
23:47 -!- WormFood [~wormfood@183.38.13.70] has joined ##openvpn
--- Day changed Fri Sep 17 2010
00:11 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Quit: Leaving.]
00:12 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
00:17 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has quit [Ping timeout: 240 seconds]
00:58 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
00:58 -!- mode/##openvpn [+o mattock] by ChanServ
01:05 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
01:12 -!- Holister [~ryan@static-173-210-8-130.ngn.onecommunications.net] has joined ##openvpn
01:15 < Holister> I currently have a setup for a tunnel between the home office and roadwarriors using userauth. Is it possible to add a second tunnel that connects a remote office to the home office using static keys in the same server config, or do i need to run a separate instance?
01:20 -!- WinstonSmith [~true@e179004000.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
01:32 -!- WinstonSmith [~true@e179004000.adsl.alicedsl.de] has joined ##openvpn
01:33 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
01:38 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
01:49 < kraut> moin
01:52 -!- dazo_afk is now known as dazo
02:09 -!- mattock1 [~samuli@93.106.136.138] has joined ##openvpn
02:09 -!- mode/##openvpn [+o mattock1] by ChanServ
02:11 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 272 seconds]
02:31 -!- WinstonSmith [~true@e179004000.adsl.alicedsl.de] has quit [Remote host closed the connection]
02:49 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has joined ##openvpn
03:11 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
03:20 -!- bandinia [~bandini@host247-5-dynamic.6-79-r.retail.telecomitalia.it] has quit [Quit: Ex-Chat]
03:21 -!- bandini [~bandini@host247-5-dynamic.6-79-r.retail.telecomitalia.it] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
03:59 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
04:14 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
04:30 -!- aguynamedben [~Adium@c-24-130-140-141.hsd1.ca.comcast.net] has quit [Quit: Leaving.]
04:34 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
04:35 -!- g4tsu [~g4tsu@41.146.194-77.rev.gaoland.net] has joined ##openvpn
04:35 < g4tsu> Hello
04:38 < g4tsu> I've got a problem with openvpn on debian
04:38 < g4tsu> I always get this message-> Connection reset, restarting [0]
04:39 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
04:39 -!- mode/##openvpn [+o mattock] by ChanServ
04:41 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:41 -!- mattock1 [~samuli@93.106.136.138] has quit [Ping timeout: 240 seconds]
04:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
04:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
05:03 -!- ggonzalez [~ggonzalez@83.39.74.67] has joined ##openvpn
05:03 < ggonzalez> hello
05:05 < ggonzalez> I have the following net config [computer1]-- 192.168.2.132 ----[ openvpn-as ]---- 192.168.2.133 -[computer2]---10.0.1.1 --- 10.0.1.2--[computer3]
05:06 < ggonzalez> I wanna be able to acces from computer1 to computer3 so I have first set route add 10.0.1.2/32 192.168.2.133 but when capturing packets in computer2 I can't see anything coming from the openvpn device :\
05:06 -!- macsppadic is now known as YAHHAAAA
05:07 < ggonzalez> I first realized that the openvpn-as was sending packets through 0.0.0.0 but I added another route in openvpn-as to packets keep not appearing at computer2
05:07 < ggonzalez> any idea?
05:11 -!- g4tsu [~g4tsu@41.146.194-77.rev.gaoland.net] has quit [Ping timeout: 265 seconds]
05:44 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
05:54 -!- le0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has joined ##openvpn
05:54 -!- le0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has quit [Changing host]
05:54 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
06:22 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
06:43 -!- YAHHAAAA is now known as macsppadic
06:44 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined ##openvpn
07:00 -!- JackCorleone [~root@187.10.70.88] has joined ##openvpn
07:16 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
07:17 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
07:20 < ecrist> ggonzalez: we don't support access server here, sorry
07:21 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
08:28 < ggonzalez> ok, sorry. Anyway I am currently setting up an openvpn server, openvpn-as seemed a cool idea but it turned to be a waste of time
08:31 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
08:33 -!- jhirley_ [~jhirley@mail.mmdlaw.com] has joined ##openvpn
08:34 -!- foxdan [~maiden@minerva.redbrick.dcu.ie] has quit [Ping timeout: 240 seconds]
08:58 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
08:59 < jpalmer> ecrist: new suggestion for the development roadmap meeting:   in v3.0,   we need to support SRV records!
09:01 < ecrist> jpalmer: log in to the forum, add it to the official wish list
09:01 < jpalmer> no bounties yet :/
09:02 < jpalmer> ecrist: ahh,  I forgot about the forums.  for the longest time, it wouldn't let me signup.   good thinking
09:03 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined ##openvpn
09:03 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
09:03 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
09:05 <@dazo> !configs
09:05 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
09:41 -!- mroe [~anon__@unaffiliated/roe] has joined ##openvpn
09:41 < mroe> anyone have any thoughts why smb/cifs works fine through openvpn using the windows client but not with tunnelblick (I'm using dns or IP to mount the drive)
09:56 -!- obiyoda [~jared@97-117-63-7.slkc.qwest.net] has joined ##openvpn
09:57 < obiyoda> I'm having issues connecting a mac to a windows share. When the mac is onsite it connects fine to the share but when connecting through openvpn it doesn't connect. I can ping the box the share is on so I know openvpn is working but get an error message when trying to connect. Any ideas where I can check?
09:59 -!- pumkinhed [~pumkinhed@72.45.85.159] has quit [Ping timeout: 264 seconds]
10:10 < vpnHelper> RSS Update - forum: Wishlist :: Symbian^3 support :: Author kilroy238 <https://forums.openvpn.net/viewtopic.php?f=10&t=7105&p=7824#p7824>
10:10 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:11 -!- gyyrog [~mall@66-227-134-70.dhcp.trcy.mi.charter.com] has joined ##openvpn
10:11 < gyyrog> I am trying to connect to an openVPN server through two layers of NAT. Will I need to do any port forwarding?
10:13 < gyyrog> !welcome
10:13 < vpnHelper> gyyrog: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:16 -!- gyyrog [~mall@66-227-134-70.dhcp.trcy.mi.charter.com] has quit [Read error: Connection reset by peer]
10:21 < ecrist> obiyoda: sounds like a WINS issue
10:21 < ecrist> !wins
10:21 < vpnHelper> ecrist: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
10:22 -!- gyyrog [~mall@66-227-134-70.dhcp.trcy.mi.charter.com] has joined ##openvpn
10:22 < gyyrog> !goal
10:22 < vpnHelper> gyyrog: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:23 < gyyrog> I want to connect to a open vpn server through two layers of nat. will I need to port forward?
10:24 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has joined ##openvpn
10:25 < Bushmills> gyyrog: unlikely. when i experimented with two NAT'ting routers in series, openvpn client connected to server and was usable through both routers.  
10:25 -!- gyyrog [~mall@66-227-134-70.dhcp.trcy.mi.charter.com] has quit [Read error: Connection reset by peer]
10:25 < Bushmills> excellent timing
10:30 -!- WinstonSmith [~true@e179016139.adsl.alicedsl.de] has joined ##openvpn
10:32 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Quit: Yes, Virginia...]
10:33 -!- gyyrog [~mall@66-227-134-70.dhcp.trcy.mi.charter.com] has joined ##openvpn
10:35 -!- gyyrog [~mall@66-227-134-70.dhcp.trcy.mi.charter.com] has quit [Read error: Connection reset by peer]
10:41 -!- gyyrog [~mall@66-227-134-70.dhcp.trcy.mi.charter.com] has joined ##openvpn
10:43 -!- gyyrog [~mall@66-227-134-70.dhcp.trcy.mi.charter.com] has quit [Read error: Connection reset by peer]
10:46 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
10:47 -!- pie_time [~pie_time@unaffiliated/pie-time/x-2751356] has quit [Quit: Leaving]
10:50 -!- gyyrog [~mall@66-227-134-70.dhcp.trcy.mi.charter.com] has joined ##openvpn
10:52 -!- manevra [~manevra@ACBECC32.ipt.aol.com] has joined ##openvpn
10:52 -!- gyyrog [~mall@66-227-134-70.dhcp.trcy.mi.charter.com] has quit [Read error: Connection reset by peer]
10:57 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined ##openvpn
10:59 -!- gyyrog [~mall@66-227-134-70.dhcp.trcy.mi.charter.com] has joined ##openvpn
11:01 -!- gyyrog [~mall@66-227-134-70.dhcp.trcy.mi.charter.com] has quit [Read error: Connection reset by peer]
11:03 -!- WormFood [~wormfood@183.38.13.70] has quit [Read error: Connection reset by peer]
11:03 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
11:07 -!- gyyrog [~mall@66-227-134-70.dhcp.trcy.mi.charter.com] has joined ##openvpn
11:10 -!- gyyrog [~mall@66-227-134-70.dhcp.trcy.mi.charter.com] has quit [Read error: Connection reset by peer]
11:12 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:16 -!- gyyrog [~mall@66-227-134-70.dhcp.trcy.mi.charter.com] has joined ##openvpn
11:18 -!- WormFood [~wormfood@183.38.12.8] has joined ##openvpn
11:18 -!- gyyrog [~mall@66-227-134-70.dhcp.trcy.mi.charter.com] has quit [Read error: Connection reset by peer]
11:18 -!- han9 [~a9@91-64-198-3-dynip.superkabel.de] has joined ##openvpn
11:24 -!- gyyrog [~mall@66-227-134-70.dhcp.trcy.mi.charter.com] has joined ##openvpn
11:26 -!- gyyrog [~mall@66-227-134-70.dhcp.trcy.mi.charter.com] has quit [Read error: Connection reset by peer]
11:29 -!- xattack [~enrique@dsl-200-67-222-214-sta.prod-empresarial.com.mx] has joined ##openvpn
11:30 < han9> hab ein problem mit dem einrichten des vpn-clients über einer bridge... der vpn-server funzt so weit ich es beurteilen kann... der client will nicht starten...
11:31 <@dazo> han9: try English ... 
11:31  * dazo heads out for a weekend
11:32 -!- dazo is now known as dazo_afk
11:33 -!- gyyrog [~mall@66-227-134-70.dhcp.trcy.mi.charter.com] has joined ##openvpn
11:35 < han9> have a problem with the configu1
11:35 -!- gyyrog [~mall@66-227-134-70.dhcp.trcy.mi.charter.com] has quit [Read error: Connection reset by peer]
11:35 < hyper_ch> !bridge
11:35 < vpnHelper> hyper_ch: "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc, or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ, or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man)
11:35 < hyper_ch> han9: using windows?
11:36 < han9> no
11:36 < han9> linux
11:37 < hyper_ch> so, what do you try to do?
11:39 < han9> try to start the client
11:41 -!- gyyrog [~mall@66-227-134-70.dhcp.trcy.mi.charter.com] has joined ##openvpn
11:44 -!- gyyrog [~mall@66-227-134-70.dhcp.trcy.mi.charter.com] has quit [Read error: Connection reset by peer]
11:49 < hyper_ch> han9: what distro?
11:52 < han9> backtrack 4 on the client and ubuntu 8.10 on the server
11:54 -!- xattack [~enrique@dsl-200-67-222-214-sta.prod-empresarial.com.mx] has quit [Quit: leaving]
11:55 < hyper_ch> no clue about backtrack
11:55 < hyper_ch> !configs
11:55 < vpnHelper> hyper_ch: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
11:57 < reiffert> "Whether you’re hacking wireless, exploiting servers, performing a web application assessment, learning, or social-engineering a client, BackTrack is the one-stop-shop for all of your security needs."
11:58 -!- manevra [~manevra@ACBECC32.ipt.aol.com] has quit [Quit: Leaving]
11:58 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
11:59 < hyper_ch> reiffert: you hack wireless?
12:01 < reiffert> hyper_ch: no, I paste what's written on that backtrack homepage.
12:01 < hyper_ch> hehehe
12:04 -!- gyyrog [~mall@24-231-158-154.static.trcy.mi.charter.com] has joined ##openvpn
12:10 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
12:13 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
12:18 <@mattock> hi all, forums and community will be down for a while, we need to continue yesterday's migration  
12:19 < hyper_ch> will you also take freenode down?
12:21 -!- openvpn2009 [~admin@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Quit: ircN 8.00 for mIRC (20080809) - www.ircN.org]
12:21 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
12:21 -!- openvpn2009 [patel@vortex.openvpn.net] has joined ##openvpn
12:22 -!- mode/##openvpn [+o openvpn2009] by ChanServ
12:24 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
12:24 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
12:25 -!- han9 [~a9@91-64-198-3-dynip.superkabel.de] has left ##openvpn ["Leaving"]
12:26 <@mattock> btw. I'm having an issue with clients not reconnecting if the server goes down... would using --ping-restart fix this?
12:26 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:26 <@mattock> hyper_ch: I wish I had the power to do that :D
12:26 < hyper_ch> why do you wish to have the power to take freenode down? :(
12:27 <@mattock> let me rephrase that: if I could do that without any access to Freenode servers, I could probably do other very interesting things also
12:28 <@mattock> Freenode is excellent, I wouldn't want it to go down ever
12:29 < hyper_ch> mattock: could you fill up my bank account with an awesome amount of money?
12:30 < hyper_ch> so, time for Shichinin no samurai
12:30 <@mattock> hyper_ch: _if_ I had the Freenode powers, I definitely would :)
12:30  * hyper_ch hopes mattock gets the Freenode powers soon
12:31 <@mattock> likewise
12:31 < hyper_ch> anybody knows Shichinin no samurai?
12:40  * reiffert nods
12:42 < hyper_ch> reiffert: how do you know it?
12:43 < kisom> hyper_ch: I happen to work at a bank
12:43 < kisom> Depending on whats in it for me...
12:44 < hyper_ch> kisom: great :) can you just add like 6  Zeros to my balance?
12:44 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 245 seconds]
12:44 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
12:44 < ecrist> heh, I'd be happy with half that many zeros
12:45 < ecrist> a few years back, I'd have been happy with a single zero
12:45 < hyper_ch> as a zero is nothing, it doesn't matter if you add a couple of them to my balance
12:45 < hyper_ch> hi ecrist
12:47 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
12:47 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
12:47 < kisom> hyper_ch: i dont know, do you have a barclay bank account?
12:47 < hyper_ch> kisom: not yet
12:48 < hyper_ch> but if you're going to add zeroes to my balance, I'd open an acc :)
12:48 < kisom> i've never even peaked at someones account i'm not supposed to ;(
12:48 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
12:49 < hyper_ch> :)
12:49 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
12:50 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
12:50 -!- blackxored [~adrian@ubuntu/member/blackxored] has joined ##openvpn
12:51 < blackxored> Hi guys, what I must do to once I connect to my vpn, the dns resolution it's set to get the dns info from my dnsmasq installed server there
12:51 < blackxored> ?
12:52 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Read error: Connection reset by peer]
12:52 < hyper_ch> !configs
12:52 < vpnHelper> hyper_ch: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
12:52 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
12:53 < kisom> blackxored: push "dhcp-option DNS 8.8.8.8"
12:53 < blackxored> kisom, that's not google?
12:53 < kisom> it is
12:53 < kisom> chagne it to whatever's yours
12:53 < blackxored> kisom I already have that setting
12:53 < blackxored> /etc/resolv.conf wasn't updated
12:54 < blackxored> and although it might not need to, my dns queries are being handled by my company's dns
12:54 < blackxored> i don't want that
12:55 < blackxored> I have this line on the server config
12:55 < blackxored> push "dhcp-option DNS 172.16.0.1"
12:55 < blackxored> along with 
12:55 < blackxored> push "redirect-gateway def1"
12:55 < blackxored> which does work
12:55 < kisom> openvpn wont update resolv.conf as far as i know
12:55 < blackxored> the latter, the former ain't working
12:56 < blackxored> when i do nslookup google.com, my company dns responds 
12:56 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
12:56 < hyper_ch> blackxored: does your server do dns?
12:56 < kisom> well tbh, i dont know about linux and DNS :) I use a hackish way...
12:56 < blackxored> hyper_ch, has dnsmasq installed
12:56 < kisom> -t nat -A PREROUTING --source 10.11.0.0/24 -p udp --dport 53 -j DNAT --to 10.11.0.1:53
12:56 < kisom> ;)
12:56 < blackxored> that's a hack i don't like it that much ;)
12:57 < fipu> hi @ all
12:57 < kisom> hello fipu 
12:57 < fipu> how can I specify the interface in the server config?
12:57 < fipu> hi kisom
12:58 < blackxored> hyper_ch, kisom clues????
12:58 < kisom> use my iptables hack
12:58 < kisom> it works.
12:58 < hyper_ch> blackxored: no clue what dnsmasq is
12:58 < kisom> hyper_ch: its a DNS server more or less
12:58 < hyper_ch> I have very limited knowledge on iptables and stuff
12:58 < kisom> i use it as well
12:58 < hyper_ch> ah... I use bind9
12:58 < blackxored> hyper_ch, a small caching dns server, so for your question, does my server do dns? yes it does
12:59 < blackxored> if i manually edit /etc/resolv.conf to point to it it works smoothly, but i don't want to have to do that
12:59 < hyper_ch> well, no clue
12:59 < hyper_ch> you'll figure it out
12:59 < kisom> blackxored: Use a connect script on linux clients then. send the DNS server as an environmental variable
13:00 < kisom> and have the script replace resolv.conf
13:00 < kisom> but remember that once it has been replaced, you need to reset it with the old DNS addresses once the VPN is disconnected
13:00 < blackxored> kisom, is better with connection hooks, but still should the simpler solution just work
13:01 < blackxored> if i'm pushing the option from the server why isn't work
13:01 < blackxored> working?
13:01 < kisom> because openvpn does not want to modify resolv.conf
13:01 < fipu> anyone an idea for my interface problem?
13:01 < blackxored> should I go for something like resolvconf I don't know this used to work
13:01 < kisom> i've only run into this problem one time, i mainly use windows clients for my VPN network
13:02 < fipu> or better, a solution ;)
13:02 < blackxored> so, there's anybody else which knows linux that can help me
13:02 < blackxored> btw thanks so much
13:02 < blackxored> fipu, what's your problem?
13:02 < fipu> how can I specify the interface in the server config?
13:02 < kisom> fipu: why would you want to rename your interface?
13:02 < fipu> my VPN server has multiple interfaces
13:03 < fipu> I don't want to rename it
13:03 < blackxored> and so?
13:03 < fipu> I want to select one
13:03 < fipu> I have eth0, eth0:1 etc.
13:03 < kisom> select one for what?
13:03 < blackxored> fipu, you actually have aliases
13:03 < fipu> and since I have more than one interface, I have problems to connect to the server
13:03 < blackxored> isn't needed 
13:03 < blackxored> you just dev tun
13:03 < blackxored> or dev tap
13:03 < kisom> oh well
13:03 < blackxored> anyone can help me on this dns stuff
13:04 < kisom> time to get painfully drunk and hit the town, cya.
13:04  * kisom &
13:04 < fipu> just one moment, I give you some more information
13:05 < blackxored> fipu, I believe you will do it with tap and selecting your right eth for the bridge
13:17 < fipu> mhhh
13:17 < fipu> the problem is
13:17 < fipu> the VPN does work
13:17 < fipu> but the client does block the packages because they don't come from the same IP
13:17 < fipu> client does connect to 4.4.4.4 for example
13:18 < fipu> but get "answer" from 8.8.8.8
13:18 < fipu> and so client blocks the packages
13:18 < fipu> if I use verb 5
13:18 < fipu> I see that in the log
13:19 -!- steelnwool [~jmacdonal@209.29.221.245] has joined ##openvpn
13:19 < steelnwool> Good day.
13:19 < steelnwool> Does the GUI work well on windows 7, or is the standalone 2.1 recommended?
13:21 < fipu> openVPN GUI works fine
13:21 < fipu> I use it also on win 7
13:21 < steelnwool> i'm getting "route addition failed using CreateIpForwardEntry
13:21 < fipu> You only need to run it as administrator
13:21 < steelnwool> i am an admin.
13:21 < steelnwool> i'm the only user on a machine less than 10 minutes old :)
13:22 < fipu> Did you try: right click on the openVPN GUI icon and select "Run as Administrator" ?
13:22 < steelnwool> nope. i will tho.
13:23 < steelnwool>  ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct.   [if_index=19]
13:24 < fipu> I created a hidden Interface on win server 2003
13:24 < fipu> how can I change adapter settings of this hidden interface?
--- Log closed Fri Sep 17 13:26:17 2010
--- Log opened Fri Sep 17 13:37:55 2010
13:37 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined ##openvpn
13:37 -!- Irssi: ##openvpn: Total of 121 nicks [4 ops, 0 halfops, 0 voices, 117 normal]
13:38 -!- Irssi: Join to ##openvpn was synced in 27 secs
13:40 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
--- Log closed Fri Sep 17 13:43:06 2010
--- Log opened Fri Sep 17 14:00:25 2010
14:00 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined ##openvpn
14:00 -!- Irssi: ##openvpn: Total of 122 nicks [4 ops, 0 halfops, 0 voices, 118 normal]
14:00 -!- Irssi: Join to ##openvpn was synced in 29 secs
--- Log closed Fri Sep 17 14:05:09 2010
--- Log opened Fri Sep 17 14:11:10 2010
14:11 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined ##openvpn
14:11 -!- Irssi: ##openvpn: Total of 123 nicks [4 ops, 0 halfops, 0 voices, 119 normal]
14:11 -!- Irssi: Join to ##openvpn was synced in 30 secs
14:16 -!- ecrist_mac1 [~ecrist@ms.choksondik.secure-computing.net] has joined ##openvpn
14:17 -!- ecrist_mac [~ecrist@pdpc/supporter/professional/ecrist] has quit [Ping timeout: 265 seconds]
14:19 -!- p3rror [~mezgani@2001:0:53aa:64c:3c33:7403:3b31:bf95] has joined ##openvpn
14:34 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
14:37 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
14:44 -!- ecrist_mac1 [~ecrist@ms.choksondik.secure-computing.net] has left ##openvpn []
14:48 -!- blackxored [~adrian@ubuntu/member/blackxored] has quit [Ping timeout: 272 seconds]
14:48 -!- Dave2 [~Dave2@freenode/staff/dave2] has joined ##openvpn
14:48 < ecrist> !tell Dave2 new vhost, please! (ecrist)
14:49 < ecrist> did that work?
14:49 < ecrist> !tell ecrist go to h-e-double-hockey-sticks
14:49 < jpalmer> !tell ecrist stop playing!
14:49 < ecrist> heh
14:55 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote host closed the connection]
14:55 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
14:58 -!- vpnHelper [~vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Changing host]
14:58 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined ##openvpn
15:02 -!- dxtr [dxtr@unaffiliated/dxtr] has quit [Ping timeout: 240 seconds]
15:22 -!- gyyrog [~mall@24-231-158-154.static.trcy.mi.charter.com] has quit [Ping timeout: 240 seconds]
15:23 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
15:23 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
15:26 -!- gyyrog [~mall@24-231-158-154.static.trcy.mi.charter.com] has joined ##openvpn
15:27 -!- dxtr [dxtr@unaffiliated/dxtr] has joined ##openvpn
15:28 -!- gyyrog [~mall@24-231-158-154.static.trcy.mi.charter.com] has quit [Client Quit]
15:33 -!- aguynamedben [~Adium@173-164-219-53-SFBA.hfc.comcastbusiness.net] has left ##openvpn []
15:56 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has quit [Ping timeout: 276 seconds]
16:01 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Disconnected by services]
16:03 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined ##openvpn
--- Log closed Fri Sep 17 16:20:47 2010
--- Log opened Fri Sep 17 17:51:06 2010
17:51 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined ##openvpn
17:51 -!- Irssi: ##openvpn: Total of 119 nicks [4 ops, 0 halfops, 0 voices, 115 normal]
17:51 -!- Irssi: Join to ##openvpn was synced in 37 secs
17:52 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:54 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
17:57 -!- cj [~cjac@router0.colliertech.org] has joined ##openvpn
17:58 -!- cj [~cjac@router0.colliertech.org] has quit [Client Quit]
17:58 -!- cj [~cjac@router0.colliertech.org] has joined ##openvpn
--- Log closed Fri Sep 17 18:06:29 2010
--- Log opened Fri Sep 17 18:23:52 2010
18:23 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined ##openvpn
18:23 -!- Irssi: ##openvpn: Total of 118 nicks [4 ops, 0 halfops, 0 voices, 114 normal]
18:24 -!- jhirley_ [~jhirley@mail.mmdlaw.com] has quit [Remote host closed the connection]
18:24 -!- Irssi: Join to ##openvpn was synced in 37 secs
18:25 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined ##openvpn
18:52 -!- nijotz [~nick@72.14.181.106] has joined ##openvpn
18:53 < nijotz> !welcome
18:53 < vpnHelper> nijotz: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:55 < nijotz> !forum
18:55 < vpnHelper> RSS Update - forum: Announcements :: Re: Community and forums migration today :: Reply by iosgeek <https://forums.openvpn.net/viewtopic.php?f=20&t=7102&p=7825#p7825>
18:55 < vpnHelper> nijotz: Announcements :: Community and forums migration today :: Author samuli || Announcements :: Re: Community and forums migration today :: Reply by iosgeek || Server Administration :: Re: Is this type of vpn configuration possible? :: Reply by george || Server Administration :: Re: Forward Traffic through VPN to Home Gateway :: Reply by kcghost || Configuration :: OpenVPN, routing & Amazon EC2
18:55 < vpnHelper> nijotz: :: Author MarkRobinson || Scripting and Customizations :: Re: help in openvpn configuration :: Reply by anteelsayed || Wishlist :: Symbian^3 support :: Author kilroy238
19:08 -!- manevra [~manevra@ACBEC7F9.ipt.aol.com] has quit [Quit: Leaving]
19:14 < nijotz> So, I want to disable the ifconfig/route commands from being run in my openvpn client because it's a vserver and those commands fail
19:14 < nijotz> I use ifconfig-noexec and route-noexec, but the openvpn client still fails to start
19:15 < nijotz> Cannot ioctl TUNSETIFF tun: Operation not permitted
19:15 < nijotz> Do the *-noexec options work on clients as well?
19:37 < vpnHelper> RSS Update - forum: Installation Help :: File path with Office 2007 and openvpn / Samba server :: Author neilmcgrory <https://forums.openvpn.net/viewtopic.php?f=5&t=7106&p=7826#p7826>
19:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
19:50 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
19:54 < Tukaro> in my client if i put ip adress of vpn server, my client can joind a server but if i put dyndns adress connexion dont work , i dont know where a problem anyone can help me please 
19:55 < nijotz> doing an nslookup on the dyndns address matches the ip address?
19:55 < Tukaro> i think i have a problem with my public ip isp
19:56 < Tukaro> nijotz, ok
19:58 < Tukaro> nijotz, i will get an ip adress ??
20:06 < Tukaro> nijotz, i dont understan what i must do after $nslookup
20:20 -!- krphop_ [~krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn
20:21 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has quit [Quit: Leaving]
20:33 -!- Tukaro [~Tukaro@41.201.240.155] has quit [Quit: Quitte]
20:39 < tjz> what happen to the channel?!
20:53 < vpnHelper> RSS Update - forum: Scripting and Customizations :: openvpn through port 443 ? :: Author anteelsayed <https://forums.openvpn.net/viewtopic.php?f=15&t=7107&p=7827#p7827>
20:54 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Ping timeout: 240 seconds]
22:11 -!- jim--- [~jimbo@r74-192-149-9.gtwncmta01.grtntx.tl.dh.suddenlink.net] has quit [Remote host closed the connection]
22:11 -!- jim--- [~jimbo@r74-192-149-9.gtwncmta01.grtntx.tl.dh.suddenlink.net] has joined ##openvpn
22:25 -!- d457k [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined ##openvpn
22:27 -!- d12fk [~heiko@vpn.astaro.de] has quit [Ping timeout: 265 seconds]
23:10 -!- EmperorT1m [~EmperorTo@184-97-149-30.mpls.qwest.net] has joined ##openvpn
23:12 -!- EmperorTom [~EmperorTo@174-30-246-22.mpls.qwest.net] has quit [Ping timeout: 264 seconds]
23:13 -!- p3rror [~mezgani@2001:0:53aa:64c:c65:7403:3b31:b76a] has quit [Read error: Operation timed out]
23:15 -!- p3rror [~mezgani@2001:0:53aa:64c:c65:7403:3b31:b76a] has joined ##openvpn
23:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
23:41 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
23:47 -!- hive [hive@gateway/shell/xzibition.com/x-mhwfwcmwwphsqgwj] has joined ##openvpn
23:47 < hive> Is there any really easy way for a novice like myself who has a Xen VPS (root of course) running Ubuntu to quickly set up a VPN I can connect to in Windows to encrypt all of my traffic?
23:47 < hive> Something like the RELAKKS pay service
23:47 < hive> I think it runs lptd or pptp or something
23:47 < hive> all the "guides" look incredibly over complicated, and need editing of files and so on
--- Day changed Sat Sep 18 2010
00:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
00:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
00:51 < Bushmills> of course the popular opinion in this channel is "use anything, as long as it isn't openvpn"
01:03 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has quit [Quit: Leaving]
02:05 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
02:17 -!- WinstonSmith [~true@e179016139.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
02:22 < Holister> I have a route to the 10.168.44.0/24 subnet, which works, then I have a route to 10.136.44.0/24 which should use 10.168.44.1 as a gateway...why doesn't it work? http://pastebin.com/H350nK30
02:48 -!- avar [~avar@wikipedia/avar] has joined ##openvpn
02:49 < avar> !welcome
02:49 < vpnHelper> avar: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:49 < avar> !redirect
02:49 < vpnHelper> avar: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
02:49 < avar> !ipforward
02:49 < vpnHelper> avar: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
02:49 < avar> !linipforward
02:49 < vpnHelper> avar: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
02:50 -!- bandini [~bandini@host247-5-dynamic.6-79-r.retail.telecomitalia.it] has quit [Ping timeout: 276 seconds]
02:52 < avar> Hrm, I'm trying to forward a OpenVPN connection through an ssh tunnel equivalent (a tun* interface on linux). I can access the remote IP, but when OpenVPN is started I think the routes it set are such that my box can't access the network it needs for the tunnel anymore.
02:53 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
02:53 < avar> this is what the routes are like: http://privatepaste.com/7f7105d7e0
03:10 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
03:12 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
04:19 -!- p3rror [~mezgani@2001:0:53aa:64c:c65:7403:3b31:b76a] has quit [Ping timeout: 272 seconds]
04:46 < Bushmills> avar: is your client setting the default route (or is it pushed by server)?
04:48 < avar> my client is doing it
04:49 < avar> at least I only push dhcp info out: http://github.com/avar/linode-etc/blob/master/openvpn/tun0.conf and only DOMAIN/DNS info
04:49 < vpnHelper> Title: openvpn/tun0.conf at master from avar's linode-etc - GitHub (at github.com)
04:49 < Bushmills> does the openvpn server forward packets sent to it to the networks behind its other interfaces?
05:00 < avar> It does that normally yeah, i.e. I can access the Internet through it if I *don't* tunnel the vpn port and just connect to nix.is directly
05:15 -!- openvpn2009 [patel@vortex.openvpn.net] has quit [Quit: ircN 8.00 for mIRC (20100904) - www.ircN.org]
05:18 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
05:22 < Bushmills> why is there no route through the mentioned tun interface of the other, non-openvpn tunnel?
05:28 < avar> It's just a dumb tunnel. here's some docs I wrote about it: http://github.com/avar/linode-etc/blob/master/iodine/README.md
05:28 < vpnHelper> Title: iodine/README.md at master from avar's linode-etc - GitHub (at github.com)
05:28 < avar> it just sets up this route: "10.0.0.0        0.0.0.0         255.255.255.224 U     0      0        0 dns0"
05:29 < avar> i.e. you can ssh to 10.0.0.1 to access the remote with it, and to get a "real" network connection you have to do something like "ssh -D ..." or something like that to set up a socks proxy.
05:30 < avar> hrm, it /could/ be that this is working but my MASQUERADE rule at the firewall doesn't work. I just have:
05:30 < avar> iptables -t nat -A POSTROUTING -s 10.9.8.0/24 -o eth0 -j MASQUERADE
05:30 < avar> which covers the VPN network, but not the dns0 interface..
05:50 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
05:57 < avar> hrm, it doesn't screw up my connection if I connect with "ignore automatically obtained routes" and "use this connection only for routes on this network"
05:57 < avar> which connects, but doesn't alter the routens
05:57 < avar> *routes
06:05 -!- p3rror [~mezgani@2001:0:53aa:64c:308d:7403:3b31:a686] has joined ##openvpn
06:08 < avar> Bushmills: Some more info about my routes: http://news.ycombinator.com/item?id=1703642
06:08 < vpnHelper> Title: Hacker News | This same logic could apply to everyone; everyone should be hackers.I really bel... (at news.ycombinator.com)
06:08 < avar> gah, silly paste
06:08 < avar> this : http://github.com/avar/linode-etc/commit/55d99bf
06:08 < vpnHelper> Title: Commit 55d99bf21849150e2d639c66e81cf7152dc7f043 to avar's linode-etc - GitHub (at github.com)
06:10 < Bushmills> does openvpn server need to be connected to through 192.168.x.x?
06:11 < avar> No, what I'm doing is creating a tunnel that shows up as an IP at 10.0.0.1, I can connect to openvpn *there*. This tunnel should be the only thing that needs to access 192.168.2.0/24 at all.
06:12 < avar> But the issue is (probably) that I can't figure out how to direct 0.0.0.0 traffic at the wildcard route to the VPN tunnel *without* screwing up the 192.168.2.0/24 route that the tunnel itself needs
06:12 < Bushmills> if you redirect all traffic, by default route, through tun2, can openvpn server still be reached through a different route?
06:12 < Bushmills> !redirect
06:12 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
06:13 < Bushmills> you probably need a host route to the openvpn server.   --redirect-gateway adds one, next to routing default traffic through vpn
06:19 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
06:25 < kisom> there we go, i have now voted like a real grown-up :)
06:27 -!- karlgus [~karlgus@h-104-168.A251.priv.bahnhof.se] has joined ##openvpn
06:27 < kisom> karlgus: sverigedemokraterna!
06:31 < avar> Bushmills: I can reach 192.168.2.1 (the external gw) under the tunnel + vpn setup. But I can't ping the tunnel.
06:32 < avar> I think the problem is that I can't figure out how to set up a route such that 0.0.0.0 traffic goes through the vpn *but* that traffic goes through the 10.0.0.1, but all traffic from there uses 192.168.2.1 instead of using the 0.0.0.0 route again
06:32 < avar> presumably with the routes I have it goes vpn -> tunnel -> vpn infinitely or something
06:34 < Bushmills> having a route to 10.0.0.1 should take care of that - default route is after all only for those destiniations for which doesn't exist another route
06:35 < Bushmills> i'd start tracerouting or mtr'ing to determine the actual problem, rather than guessing which routes may be wrong 
06:39 < hyper_ch> good afternoon Bushmills
06:39 < Bushmills> hi hyper_ch
06:40 < hyper_ch> Bushmills: I hope you had a pleasant morning this far?
06:40 < Bushmills> given that most of it consisted of sleeping, i'd say i had
06:40 < hyper_ch> well, you could have had terrible nightmares
06:41 < Bushmills> not that you wished me any, of course :)
06:43 < avar> Bushmills: What options to traceroute would suggest in what order my routes are being used? I can't get it past just saying "starting trace to XYZ" where XYZ is some external IP I give it
06:44 < Bushmills> avar: start with some ip addresses in your LAN
06:44 < Bushmills> then maybe some a hop away, or such
06:45 < avar> *nod*
06:45 -!- p3rror [~mezgani@2001:0:53aa:64c:308d:7403:3b31:a686] has quit [Ping timeout: 272 seconds]
06:45 < Bushmills> the external ip address of your openvpn server would be rather interesting
06:45 < avar> Yeah, I don't get anything from that :)
06:46 < Bushmills> without a route to it, no vpn
06:46 < avar> Anyway, I'll look at this later I think. I've been staring at this too long to make anything of it, and in any case just using ssh -D works for 99% of what I need this tunnel for.
06:59 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has quit [Ping timeout: 276 seconds]
07:08 -!- spq` [bnc00026@user.unregistered.de] has quit [Ping timeout: 240 seconds]
07:10 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
07:16 -!- spq` [bnc00026@user.unregistered.de] has joined ##openvpn
07:19 -!- le0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has joined ##openvpn
07:19 -!- le0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has quit [Changing host]
07:19 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
07:49 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has joined ##openvpn
08:09 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
08:16 -!- WinstonSmith [~true@e179016217.adsl.alicedsl.de] has joined ##openvpn
08:31 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
08:37 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has joined ##openvpn
08:55 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has quit [Ping timeout: 276 seconds]
09:11 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has joined ##openvpn
09:30 < avar> blist
09:30 < avar> bah!
09:31 < hyper_ch> huhu
09:33 -!- Cain` [~Geek@unaffiliated/cain] has joined ##openvpn
09:33 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
09:33 -!- Cain` is now known as Cain
09:34 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has quit [Ping timeout: 240 seconds]
09:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
09:42 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has quit [Ping timeout: 240 seconds]
09:51 -!- WinstonSmith [~true@e179016217.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
09:51 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
09:54 -!- karlgus [~karlgus@h-104-168.A251.priv.bahnhof.se] has quit [Ping timeout: 240 seconds]
09:56 -!- karlgus [~karlgus@h-104-168.A251.priv.bahnhof.se] has joined ##openvpn
10:02 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has joined ##openvpn
10:04 -!- WinstonSmith [~true@e179003108.adsl.alicedsl.de] has joined ##openvpn
10:14 < RichiH> ecrist: did you get my reply?
10:18 -!- Kurogane [~kuro@190.87.75.229] has joined ##openvpn
10:22 -!- karlgus [~karlgus@h-104-168.A251.priv.bahnhof.se] has quit [Remote host closed the connection]
10:40 -!- nijotz [~nick@72.14.181.106] has left ##openvpn ["WeeChat 0.3.0"]
10:40 -!- nijotz [~nick@72.14.181.106] has joined ##openvpn
10:41 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has joined ##openvpn
10:59 -!- karlgus [~karlgus@h-104-168.A251.priv.bahnhof.se] has joined ##openvpn
11:03 -!- nijotz [~nick@72.14.181.106] has quit [Quit: WeeChat 0.3.0]
11:04 -!- nijotz [~nick@72.14.181.106] has joined ##openvpn
11:05 -!- WormFood [~wormfood@183.38.12.8] has quit [Ping timeout: 252 seconds]
11:08 -!- nijotz [~nick@72.14.181.106] has quit [Client Quit]
11:12 -!- nijotz [~nick@72.14.181.106] has joined ##openvpn
11:16 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
11:18 -!- WormFood [~wormfood@183.39.102.103] has joined ##openvpn
11:19 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:19 -!- reber [~reber@91-121-61-152.ovh.net] has joined ##openvpn
11:19 < reber> hi all
11:24 < reber> I'm trying to build a OpenVPN connection through a transparent proxy via TCP over port 443. But this doesn't work. I tried the whole configuration (certificates, keys etc) at home: it worked. But when trying to connect from work to the home computer it doesn't.
11:35 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
11:36 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
11:37 -!- hive [hive@gateway/shell/xzibition.com/x-mhwfwcmwwphsqgwj] has quit [Quit: leaving]
11:40 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:42 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
11:42 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:44 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
11:45 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
11:51 -!- reber [~reber@91-121-61-152.ovh.net] has quit [Ping timeout: 240 seconds]
11:54 -!- reber [~reber@91-121-61-152.ovh.net] has joined ##openvpn
12:00 -!- Kurogane [~kuro@190.87.75.229] has quit [Ping timeout: 272 seconds]
12:02 -!- cj [~cjac@router0.colliertech.org] has quit [Ping timeout: 255 seconds]
12:04 -!- cj [~cjac@router0.colliertech.org] has joined ##openvpn
12:06 -!- reber [~reber@91-121-61-152.ovh.net] has quit [Ping timeout: 240 seconds]
12:08 -!- reber [~reber@91-121-61-152.ovh.net] has joined ##openvpn
12:13 -!- SOG [~SOG@n11649233015.netvigator.com] has joined ##openvpn
12:17 -!- cj [~cjac@router0.colliertech.org] has quit [Ping timeout: 255 seconds]
12:17 -!- cj [~cjac@router0.colliertech.org] has joined ##openvpn
12:18 -!- reber [~reber@91-121-61-152.ovh.net] has quit [Quit: Leaving]
12:24 -!- cj [~cjac@router0.colliertech.org] has quit [Ping timeout: 255 seconds]
12:37 < vpnHelper> RSS Update - forum: Announcements :: Re: Community and forums migration today :: Reply by Andrew <https://forums.openvpn.net/viewtopic.php?f=20&t=7102&p=7828#p7828>
12:38 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
12:41 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
12:41 -!- cj [~cjac@router0.colliertech.org] has joined ##openvpn
12:44 -!- n0sq_ is now known as n0sq
13:02 -!- cj [~cjac@router0.colliertech.org] has quit [Ping timeout: 255 seconds]
13:03 -!- cj [~cjac@router0.colliertech.org] has joined ##openvpn
13:11 -!- cj [~cjac@router0.colliertech.org] has quit [Ping timeout: 255 seconds]
13:13 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
13:13 -!- cj [~cjac@router0.colliertech.org] has joined ##openvpn
13:16 -!- roe [~roe___@unaffiliated/roe] has quit [Ping timeout: 240 seconds]
13:20 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
13:22 -!- Guest43770 [~roe___@207-172-39-210.c3-0.eas-ubr15.atw-eas.pa.cable.rcn.com] has joined ##openvpn
13:23 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:29 -!- Guest43770 [~roe___@207-172-39-210.c3-0.eas-ubr15.atw-eas.pa.cable.rcn.com] has quit [Quit: Leaving]
13:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
13:42 -!- Tukaro [~Tukaro@41.201.205.195] has joined ##openvpn
14:01 < Tukaro> in my client when i put ip address for vpn server, my client can joind a server but if i put dyndns address connexion dont work , i dont know where is a problem anyone can help me please !!!
14:04 < pasik> not based on that info
14:05 < Tukaro> i think i have a problem with my public ip isp
14:07 -!- openvpn2009 [patel@vortex.openvpn.net] has joined ##openvpn
14:07 -!- mode/##openvpn [+o openvpn2009] by ChanServ
14:25 < Bushmills> do you also have an openvpn problem?
14:42 -!- openvpn2009 [patel@vortex.openvpn.net] has quit [Ping timeout: 252 seconds]
14:47 -!- p3rror [~mezgani@2001:0:53aa:64c:38e9:4523:d606:a829] has joined ##openvpn
14:53 -!- Cain [~Geek@unaffiliated/cain] has quit [Quit: Sayaunara ^_^]
14:55 -!- openvpn2009 [patel@vortex.openvpn.net] has joined ##openvpn
14:55 -!- mode/##openvpn [+o openvpn2009] by ChanServ
15:10 < kisom> Tukaro: Then your DNS address is not correctly set up.
15:11 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
15:15 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
15:27 -!- Kurogane [~kuro@190.87.75.229] has joined ##openvpn
15:32 -!- SOG [~SOG@n11649233015.netvigator.com] has quit [Read error: Connection reset by peer]
15:32 -!- SOG [~SOG@n11649233015.netvigator.com] has joined ##openvpn
15:32 -!- SOG [~SOG@n11649233015.netvigator.com] has quit [Client Quit]
15:38 < Tukaro> kisom, thanks i will try to set up it correctly
17:04 -!- p3rror [~mezgani@2001:0:53aa:64c:38e9:4523:d606:a829] has quit [Ping timeout: 272 seconds]
17:21 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
17:22 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Read error: Connection reset by peer]
17:22 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 265 seconds]
17:22 -!- takamichi [~pri@78.133.38.192] has joined ##openvpn
17:23 -!- meepmeep_ [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
17:24 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
17:28 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has quit [Read error: Connection reset by peer]
17:37 -!- avar [~avar@wikipedia/avar] has left ##openvpn []
17:59 -!- Tukaro [~Tukaro@41.201.205.195] has quit [Quit: Quitte]
18:01 -!- Chosi [osxchosi@choseh.de] has quit [Ping timeout: 240 seconds]
18:21 -!- jion [~john@c-76-108-239-149.hsd1.fl.comcast.net] has joined ##openvpn
19:00 -!- jion is now known as ji0n
19:23 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
19:32 < Holister> I have 10.168.44.0/24 on one side, and 10.136.44.0/24 on the other, and 10.136.44.1 can talk to anything on 10.168.44.0, however, it won't forward packets from other computers on the 10.136.44.0 network over to the 10.168.44.0 network... regular IP forwarding to the internet is working just fine...but it won't forward over the tunnel...what do I need to add?
20:02 < Holister> ok, I got the forwarding working between 10.168.44.0/24 and 10.136.44.0/24, but, 10.169.0.0/16 can't talk to 10.136.44.0 (routes through 10.168.44.1). So basically it isn't forwarding between tun0 and tun1. tun0->eth0 goes fine, tun1->eth0 goes fine, but tun0->tun1 doesn't work...
20:16 -!- Chosi [osxchosi@choseh.de] has joined ##openvpn
20:19 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
20:48 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
21:15 < theDoc> raidz/mattock, either of you guys around?
21:38 -!- WinstonSmith [~true@e179003108.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
21:52 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
23:45 -!- Chosi [osxchosi@choseh.de] has quit [Ping timeout: 245 seconds]
--- Day changed Sun Sep 19 2010
00:01 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 272 seconds]
00:06 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
01:18 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
01:23 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
01:29 -!- louve [~louve@irc.darchoods.net] has joined ##openvpn
01:37 -!- karlgus [~karlgus@h-104-168.A251.priv.bahnhof.se] has quit [Ping timeout: 245 seconds]
01:37 -!- karlgus [~karlgus@h-104-168.A251.priv.bahnhof.se] has joined ##openvpn
01:38 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined ##openvpn
01:38 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
01:38 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
01:57 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
01:58 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has quit [Ping timeout: 252 seconds]
02:19 -!- Kurogane [~kuro@190.87.75.229] has quit [Remote host closed the connection]
02:22 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
02:38 -!- freaky[t]_ is now known as freaky[t]
02:57 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: Connection reset by peer]
02:57 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 272 seconds]
03:14 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:54 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
03:58 -!- Chosi [osxchosi@choseh.de] has joined ##openvpn
04:01 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
04:13 -!- karlgus [~karlgus@h-104-168.A251.priv.bahnhof.se] has quit [Ping timeout: 240 seconds]
04:39 -!- karlgus [~karlgus@h-104-168.A251.priv.bahnhof.se] has joined ##openvpn
04:52 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
04:54 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
05:54 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
06:15 -!- akm22562 [~akm22562@99-119-36-109.lightspeed.lsvlky.sbcglobal.net] has joined ##openvpn
06:18 < akm22562> Hi all.  Can somebody please help me understand what http://pastebin.com/HRwivvam means?
06:19 -!- takamichi [~pri@78.133.38.192] has joined ##openvpn
06:52 -!- WinstonSmith [~true@e179010026.adsl.alicedsl.de] has joined ##openvpn
07:12 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
07:15 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 252 seconds]
07:17 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
07:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
07:45 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
07:51 -!- akm22562 [~akm22562@99-119-36-109.lightspeed.lsvlky.sbcglobal.net] has quit [Ping timeout: 252 seconds]
08:14 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 240 seconds]
08:14 -!- takamichi [~pri@78.133.38.192] has joined ##openvpn
08:37 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
08:45 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
08:46 -!- slava_dp [~slava@unaffiliated/slava-dp/x-9423217] has joined ##openvpn
08:53 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
08:55 < slava_dp> does a tun interface in subnet mode support broadcasts?
--- Log closed Sun Sep 19 09:08:18 2010
--- Log opened Sun Sep 19 09:54:36 2010
09:54 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined ##openvpn
09:54 -!- Irssi: ##openvpn: Total of 117 nicks [4 ops, 0 halfops, 0 voices, 113 normal]
09:55 -!- Irssi: Join to ##openvpn was synced in 37 secs
09:57 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined ##openvpn
10:13 -!- akm22562 [~akm22562@99-119-36-109.lightspeed.lsvlky.sbcglobal.net] has joined ##openvpn
10:30 -!- Client_ [~akm22562@99-119-36-109.lightspeed.lsvlky.sbcglobal.net] has joined ##openvpn
10:30 -!- akm22562 [~akm22562@99-119-36-109.lightspeed.lsvlky.sbcglobal.net] has quit [Ping timeout: 245 seconds]
10:32 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
10:32 -!- takamichi [~pri@78.133.38.192] has joined ##openvpn
10:36 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 255 seconds]
10:37 -!- takamichi [~pri@78.133.38.192] has joined ##openvpn
11:03 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
11:05 -!- WormFood [~wormfood@183.39.102.103] has quit [Ping timeout: 265 seconds]
11:07 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has joined ##openvpn
11:18 -!- WormFood [~wormfood@183.38.12.36] has joined ##openvpn
11:29 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Ping timeout: 276 seconds]
11:41 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:45 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 265 seconds]
11:48 -!- dxtr [dxtr@unaffiliated/dxtr] has quit [Ping timeout: 240 seconds]
11:53 -!- Martin` [martin@shell.ipv6.octocore.net] has joined ##openvpn
11:58 -!- dxtr [dxtr@unaffiliated/dxtr] has joined ##openvpn
12:01 -!- krzee [~k@unaffiliated/krzee] has joined ##openvpn
12:07 -!- WinstonSmith [~true@e179010026.adsl.alicedsl.de] has quit [Ping timeout: 252 seconds]
12:08 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
12:22 -!- WinstonSmith [~true@e177095023.adsl.alicedsl.de] has joined ##openvpn
12:23 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 252 seconds]
12:24 -!- takamichi [~pri@78.133.38.192] has joined ##openvpn
12:27 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
12:28 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
13:50 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
13:57 < vpnHelper> RSS Update - forum: Server Administration :: High latency with openvpn. :: Author 200120022003 <https://forums.openvpn.net/viewtopic.php?f=4&t=7108&p=7830#p7830>
13:58 -!- Blues-Man [~bluesman@95.239.112.213] has joined ##openvpn
14:00 -!- WinstonSmith [~true@e177095023.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
14:18 -!- Blues-Man [~bluesman@95.239.112.213] has quit [Ping timeout: 272 seconds]
14:28 -!- Blues-Man [~bluesman@95.239.112.213] has joined ##openvpn
14:34 -!- WinstonSmith [~true@e177095023.adsl.alicedsl.de] has joined ##openvpn
14:47 -!- slava_dp [~slava@unaffiliated/slava-dp/x-9423217] has quit [Quit: Ухожу я от вас (xchat 2.4.5 или старше)]
14:53 -!- WinstonSmith [~true@e177095023.adsl.alicedsl.de] has quit [Ping timeout: 252 seconds]
15:02 -!- dazo_afk [~dazo@nat/redhat/x-durkvshrnuzhhtvn] has quit [Changing host]
15:02 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has joined ##openvpn
15:02 -!- ServerMode/##openvpn [+o dazo_afk] by jordan.freenode.net
15:03 -!- krzee [~k@unaffiliated/krzee] has quit [Changing host]
15:03 -!- krzee [~k@openvpn/community/support/krzee] has joined ##openvpn
15:15 -!- Blues-Man [~bluesman@95.239.112.213] has quit [Ping timeout: 272 seconds]
15:18 -!- Blues-Man [~bluesman@95.239.112.213] has joined ##openvpn
15:19 -!- cron2 [~gert@kirk.greenie.muc.de] has quit [Changing host]
15:19 -!- cron2 [~gert@openvpn/community/developer/cron2] has joined ##openvpn
15:23 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Quit: leaving]
15:28 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
15:29 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Client Quit]
15:29 -!- Blues-Man [~bluesman@95.239.112.213] has quit [Ping timeout: 272 seconds]
15:29 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
15:38 -!- WinstonSmith [~true@e179013249.adsl.alicedsl.de] has joined ##openvpn
15:43 < grishnav> hi
15:45 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
15:49 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
15:50 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined ##openvpn
15:55 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
15:59 -!- WinstonSmith [~true@e179013249.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
16:00 -!- WinstonSmith [~true@e179013249.adsl.alicedsl.de] has joined ##openvpn
16:10 -!- jaminja_ [~jaminja@95.211.4.12] has joined ##openvpn
16:10 -!- WinstonSmith [~true@e179013249.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
16:10 -!- WinstonSmith [~true@e179013249.adsl.alicedsl.de] has joined ##openvpn
16:10 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Ping timeout: 240 seconds]
16:12 < vpnHelper> RSS Update - forum: Configuration :: Push DNS to a linux client. :: Author oakdene <https://forums.openvpn.net/viewtopic.php?f=6&t=7109&p=7831#p7831>
16:15 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
16:15 -!- jaminja_ [~jaminja@95.211.4.12] has quit [Ping timeout: 240 seconds]
16:19 -!- Varazir [mircwars@c-94-255-129-218.cust.bredband2.com] has quit [Quit: brb short reboot]
16:20 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
16:28 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
16:31 -!- karlgus [~karlgus@h-104-168.A251.priv.bahnhof.se] has quit [Remote host closed the connection]
16:41 -!- krzee [~k@openvpn/community/support/krzee] has left ##openvpn []
16:41 -!- krzee [~k@openvpn/community/support/krzee] has joined ##openvpn
16:48 -!- WinstonSmith [~true@e179013249.adsl.alicedsl.de] has quit [Ping timeout: 252 seconds]
16:49 -!- WinstonSmith [~true@e179013249.adsl.alicedsl.de] has joined ##openvpn
16:53 -!- plarsen [~plarsen@fedora/plarsen] has joined ##openvpn
16:53 < plarsen> !welcome
16:53 < vpnHelper> plarsen: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:53 < plarsen> !route
16:53 < vpnHelper> plarsen: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:56 < plarsen> !howto
16:56 < vpnHelper> plarsen: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:02 < krzee> whats up plarsen 
17:03 < plarsen> Loosing the last of the hairs I've got ;)
17:03 < plarsen> I get a VPN connection established but the tunnel isn't working
17:03 < krzee> nice! gunna save on haircuts
17:03 < plarsen> not sure if it's a openvpn problem.
17:03 < plarsen> On my server a tunnel is setup from 10.8.0.1 (the local IP) to 10.8.0.2 which I cannot find defined anywhere. Pinging it fails.
17:04 < plarsen> On the client their tunnel address is 0.0.0.0 which DEFINITELY wont' work.
17:04 < plarsen> Yeah - haircuts are easy.
17:04 < krzee> !configs
17:04 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
17:04 < plarsen> Combining the morning is even better. Not needed ;)
17:05 < plarsen> krzee, server only?
17:05 < krzee> negative
17:05 < krzee> bth
17:05 < krzee> both*
17:07 < plarsen> krzee, server: http://fpaste.org/QcUc/
17:09 < krzee> br0...?
17:10 < plarsen> ups - hangon. Using the same box for libvirtd (which is stopped while I do this).
17:10 < krzee> ok, so you are not trying to use openvpn in bridge mode... right?
17:10 < plarsen> krzee, I've updated the paste with brctl show
17:11 < plarsen> nope. Well, I did try that earlier. How that's supposed to work with a switch I don't know. So I went back to routed/hosted mode and maybe a MASQ if needd
17:11 < plarsen> krzee, it puts the interfaces in promisq. mode; that won't do didledi on a switch. 
17:11 < krzee> well you dont want a bridge anyways unless you specificly need a layer2 protocol over the vpn
17:12 < plarsen> krzee, right
17:12 < plarsen> I started out simple. I managed to be able to ping the local VPN clients; I just couldn't get them out.
17:12 < plarsen> Started tampering and well, fail on my part I guess.
17:12 < krzee> ohhh so your vpn is pinging back and forth via vpn IP...?
17:13 < plarsen> krzee, It WAS - not now. 
17:13 < plarsen> hang on. Trying to get my client online so I can paste from it ;)
17:14 < plarsen> y
17:14 < plarsen> http://fpaste.org/x9vd/  <-- NetworkManager vpn conf
17:15 < krzee> !netman
17:15 < vpnHelper> krzee: "netman" is if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from an openvpn expert on the mail list
17:16 < plarsen> A 2008 note is about as up to date as a 2.4 kernel complain?? :D
17:16 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has quit [Read error: Operation timed out]
17:17 < plarsen> Was the wrong file anyway :(
17:17 < plarsen> http://fpaste.org/DAMY/
17:17 < plarsen> Same client.
17:18 < plarsen> brctl show
17:18 < plarsen> bridge name	bridge id		STP enabled	interfaces
17:18 < plarsen> br0		8000.001676bbda7a	yes		eth1
17:18 < plarsen> 							eth0
17:18 < plarsen> virbr0		8000.000000000000	yes		
17:18 < plarsen> ups
17:18 < plarsen> Sorry
17:19 < plarsen> here's the "ps" running openvpn on the client: http://fpaste.org/2iaf/
17:19 < plarsen> Tried to paste that from a wrong clipboard. Sorry about the big paste earlier.
17:21 < plarsen> and this time correctly: http://fpaste.org/FmSq/
17:21 < plarsen> host of "peter.famlarsen.homelinux.com" resolves to 192.168.11.10
17:24 < plarsen> Removing --dev tap gave me a tunnel addy on the client. Addy is non-pingable though.
17:49 < plarsen> Problem solved.
17:49 -!- plarsen [~plarsen@fedora/plarsen] has left ##openvpn ["Leaving"]
18:24 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined ##openvpn
18:31 < oc80z> http://www.soekris.com/vpn1401.htm
18:31 < vpnHelper> Title: Soekris Engineering > vpn14x1 (at www.soekris.com)
18:40 < vpnHelper> RSS Update - forum: Configuration :: Re: Push DNS to a linux client. Solved!!! :: Reply by oakdene <https://forums.openvpn.net/viewtopic.php?f=6&t=7109&p=7832#p7832>
18:48 < oc80z> i think ill use that eh
18:48 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Remote host closed the connection]
19:40 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
20:04 -!- tjz [~pc@bb219-74-47-138.singnet.com.sg] has joined ##openvpn
20:04 -!- tjz [~pc@bb219-74-47-138.singnet.com.sg] has quit [Changing host]
20:04 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
20:07 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Disconnected by services]
20:07 -!- intralanman [~lanman@227.84.229.166.in-addr.arpa] has joined ##openvpn
20:53 < vpnHelper> RSS Update - forum: Server Administration :: windows 7 issue :: Author billgod <https://forums.openvpn.net/viewtopic.php?f=4&t=7110&p=7833#p7833>
20:55 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
21:26 -!- JackCorleone [~root@187.10.70.88] has quit [Read error: No route to host]
21:26 -!- barnex [~barnex@191-mi2-3.acn.waw.pl] has joined ##openvpn
21:31 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has joined ##openvpn
21:51 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has quit [Read error: Connection reset by peer]
21:52 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has joined ##openvpn
21:59 -!- distort [~irc@216.168.1.32] has joined ##openvpn
22:06 -!- ji0n is now known as ji0n|shower
22:36 -!- ji0n|shower is now known as ji0n
22:48 -!- WinstonSmith [~true@e179013249.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
23:22 -!- UnterPerro [~UnterPerr@32.161.9.226] has joined ##openvpn
23:55 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
--- Day changed Mon Sep 20 2010
00:13 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has quit [Quit: Leaving]
01:02 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
01:19 -!- UnterPerro [~UnterPerr@32.161.9.226] has quit [Quit: UnterPerro lives to save another day]
01:25 -!- cj [~cjac@router0.colliertech.org] has quit [Ping timeout: 255 seconds]
01:32 -!- kartooon [~kartoon@unaffiliated/kartooon] has joined ##openvpn
01:32 < kartooon> hello
01:45 -!- dazo_afk is now known as dazo
01:47 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:47 -!- mode/##openvpn [+o mattock] by ChanServ
01:47 < vpnHelper> RSS Update - forum: Server Administration :: Re: ethernet tunnel (not bridge) random PING problem :: Reply by ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7099&p=7834#p7834>
02:39 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:42 < kraut> moin
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:41 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
03:43 -!- d457k is now known as d12fk
03:44 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
04:02 -!- raidz [~Andrew@seance.openvpn.org] has quit [Read error: Connection reset by peer]
04:02 -!- raidz [~Andrew@seance.openvpn.org] has joined ##openvpn
04:24 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 245 seconds]
04:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:36 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
04:48 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has joined ##openvpn
04:51 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined ##openvpn
04:51 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
04:51 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:59 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
06:07 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
06:08 -!- Rienzilla [rien@sinas.rename-it.nl] has joined ##openvpn
06:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:08 < Rienzilla> good afternoon, #openvpn
06:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
06:32 -!- apedongle [mike@vps-2a01-4f8-101-1c1-b23f-f6e5.twenty-five.nl] has quit [Remote host closed the connection]
07:09 < Rienzilla> Hmm. Can anyone enlighten me on the fucntionality of ifconfig and ifconfig-push statements? I have a routed openvpn server, with a couple of clients connecting each with a fixed ip address configured in a ccd file. If I understand it correctly, openvpn wants addresses from /30 blocks used for server and client. If I configure each client with an ifconfig-push statement, do I still need an ifconfig statement in my server config file? 
07:09 < reiffert> !/30
07:09 < vpnHelper> reiffert: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
07:09 < reiffert> !ccd
07:09 < vpnHelper> reiffert: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
07:10 < reiffert> !subnet
07:10 < vpnHelper> reiffert: "subnet" is http://www.subnet-calculator.com/ or http://en.wikipedia.org/wiki/Subnetwork
07:10 < reiffert> !topology
07:10 < vpnHelper> reiffert: "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
07:10 < reiffert> !ifconfig
07:10 < vpnHelper> reiffert: "ifconfig" is usage: ifconfig l rn | Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices, rn is the IP address of the remote VPN endpoint. For TAP devices, rn is the subnet mask of the virtual ethernet segment which is being created or connected to.
07:10 < reiffert> !ifconfig-push
07:10 < vpnHelper> reiffert: Error: "ifconfig-push" is not a valid command.
07:10 < reiffert> !search push
07:10 < vpnHelper> reiffert: There were no matching configuration variables.
07:10 < reiffert> !search --values push
07:10 < vpnHelper> reiffert: (search <word>) -- Searches for <word> in the current configuration variables.
07:10 < reiffert> !search --value push
07:10 < vpnHelper> reiffert: (search <word>) -- Searches for <word> in the current configuration variables.
07:10 < reiffert> !factoids search push
07:10 < vpnHelper> reiffert: 'push', 'push-reset', and 'pushdns'
07:10 < reiffert> !push
07:10 < vpnHelper> reiffert: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
07:11 < reiffert> !factoids search --value push
07:11 < vpnHelper> reiffert: 'push', 'push-reset', 'static', 'pushdns', 'pushdns', 'static', 'samesubnet', 'serverlan', and 'clientlan'
07:11 < reiffert> !static
07:11 < vpnHelper> reiffert: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
07:11 < reiffert> !iporder
07:11 < vpnHelper> reiffert: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
07:11 < Rienzilla> ...
07:13 < Rienzilla> I understand that there is documentation. I read it, and I guess I don't understand it exactly
07:14 < reiffert> !goal
07:14 < vpnHelper> reiffert: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:14 < Rienzilla> I would like to understand how it works :)
07:15 < reiffert> !howto
07:15 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:15 < Rienzilla> lol, are you able to type anything else besides !-commands? :)
07:15 < reiffert> !no
07:15 < vpnHelper> reiffert: Error: "no" is not a valid command.
07:15 < reiffert> :)
07:15 < Rienzilla> hehe
07:19 < Rienzilla> seriously, I read the documentation quite extensively. My vpn works more or less, but I just would like to know how openvpn manages the routing table... If my server will be assigned an ip in a separate /30 for every client I configure, will it need yet another ip address set by --ifconfig? And if so, why?
07:29 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has joined ##openvpn
07:31 -!- WinstonSmith [~true@e179003125.adsl.alicedsl.de] has joined ##openvpn
07:41 < reiffert> openvpn does not handle routing tables.
07:41 < reiffert> it's part of the operating system.
07:42 < Rienzilla> I know that, but it manipulates them
07:43 < reiffert> I dont see any reason for the latter.
07:43 < Rienzilla> well, in order for your OS to actually route something through a tunnel, one would need to add routing table entries 
08:01 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
08:19 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:27 -!- intralanman [~lanman@227.84.229.166.in-addr.arpa] has quit [Quit: This computer has gone to sleep]
08:30 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
08:33 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
08:36 -!- jhirley [~jhirley@c-75-74-13-194.hsd1.fl.comcast.net] has joined ##openvpn
08:56 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has quit [Quit: Leaving]
08:59 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:59 -!- meepmeep_ [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 265 seconds]
09:03 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
09:38 <@dazo> Rienzilla: openvpn will add a route for the each --route statement ... the OS will in most cases add the route of the net segment used for VPN when the tun/tap interface is configured
09:39 <@dazo> Rienzilla: openvpn don't do any extra routing magic anywhere
09:39 < Rienzilla> ok...
09:41 < Rienzilla> so suppose I divide a /24 (say 10.0.0.0/24) up into /30's, and ifconfig-push the middle two addresses of that /30 to each client. And then I'll tell my server to 'route 10.0.0.0 255.255.255.0' so traffic for 10.0.0.0/24 will be routed into the vpn interface. Should that be enough to have a working configuration?
09:42 <@dazo> Rienzilla: yeah, the routing table would then first list the /30 net and then the /24 net afterwards ... I suspect most OSes accept such routing tables
09:42 < Rienzilla> yeah most (all?) implementations will use the most specific route iirc
09:43 <@dazo> yeah, and the most specific routes are listed first when you dump the routing table
09:44 <@dazo> I just did a test on Linux (Fedora 13) now ... with tunctl
09:44 <@dazo> # tunctl -t tun9 
09:44 <@dazo> ifconfig tun9 192.168.100.1 netmask 255.255.255.252
09:44 <@dazo> # route -n | grep tun9
09:44 <@dazo> 192.168.100.0   0.0.0.0         255.255.255.252 U     0      0        0 tun9
09:44 < Rienzilla> hmm, but if I do it this way, openvpn complains that it needs a gateway parameter for --route, and that it's missing --route-gateway or --ifconfig
09:45 <@dazo> you can use some special keywords for that
09:45 <@dazo> vpn_gateway, IIRC
09:45 < Rienzilla> ahh
09:45 < Rienzilla> thanks
09:46 <@dazo> you're welcome
10:02 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has quit [Quit: Leaving]
10:31 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
10:38 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has joined ##openvpn
10:38 -!- ksk [~ksk@im.knubz.de] has quit [Quit: leaving]
10:38 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined ##openvpn
10:43 < vpnHelper> RSS Update - forum: Installation Help :: Certificates from Microsoft CA :: Author mjpedras <https://forums.openvpn.net/viewtopic.php?f=5&t=7111&p=7835#p7835>
10:52 -!- SOG [~SOG@n11649233015.netvigator.com] has joined ##openvpn
11:02 -!- SOG [~SOG@n11649233015.netvigator.com] has quit [Quit: I will be back!]
11:05 -!- WormFood [~wormfood@183.38.12.36] has quit [Ping timeout: 245 seconds]
11:06 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined ##openvpn
11:19 -!- WormFood [~wormfood@183.38.15.9] has joined ##openvpn
11:21 -!- ksk [~ksk@im.knubz.de] has joined ##openvpn
11:29 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:30 -!- dazo is now known as dazo_afk
11:32 -!- ss0 [~Adium@208.86.167.248] has joined ##openvpn
11:34 < ss0> Hello, I was wondering if anyone could answer a few simple questions about ip address configuration with bridging, I have an internal range I want to bridge with, my first thought (and how I originally setup the machine) was to give it an address in the same class C, but remove that address and the ones I wanted to hand out from dhcp. Then I could have the firewall nat to the openvpn box. My boss is telling me he wants a public ip assigned to the vpn box now, 
11:35 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
11:44 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
12:00 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 264 seconds]
12:00 -!- ss0 [~Adium@208.86.167.248] has quit [Quit: Leaving.]
12:20 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
12:24 -!- buntfalke [~nobody@openvpn-p0-ipv6-1082.triple-a.uni-kl.de] has joined ##openvpn
12:24 -!- buntfalke [~nobody@openvpn-p0-ipv6-1082.triple-a.uni-kl.de] has quit [Changing host]
12:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:25 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
12:37 -!- phantomcircuit [~phantomci@adsl-99-170-147-253.dsl.pltn13.sbcglobal.net] has joined ##openvpn
12:50 -!- phantomcircuit [~phantomci@adsl-99-170-147-253.dsl.pltn13.sbcglobal.net] has quit [Quit: Leaving]
12:51 -!- WinstonSmith [~true@e179003125.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
13:12 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
13:14 < vpnHelper> RSS Update - forum: Configuration :: Re: Example for single client with access to server's LAN? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7089&p=7836#p7836>
13:22 -!- phantomcircuit [~phantomci@adsl-99-170-147-253.dsl.pltn13.sbcglobal.net] has joined ##openvpn
13:23 -!- phantomcircuit [~phantomci@adsl-99-170-147-253.dsl.pltn13.sbcglobal.net] has quit [Read error: Connection reset by peer]
13:23 -!- phantomcircuit [~phantomci@adsl-99-170-147-253.dsl.pltn13.sbcglobal.net] has joined ##openvpn
13:38 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has joined ##openvpn
13:39 -!- ss0 [~Adium@208.86.167.248] has joined ##openvpn
13:49 -!- phantomcircuit [~phantomci@adsl-99-170-147-253.dsl.pltn13.sbcglobal.net] has quit [Quit: Leaving]
13:49 -!- phantomcircuit [~phantomci@adsl-99-170-147-253.dsl.pltn13.sbcglobal.net] has joined ##openvpn
13:53 < ss0> Well from my research it seems you cannot bridge a public ip with an internal network.
13:53 < ss0> So we will go with my original plan to nat. 
14:04 -!- openvpn2009 [patel@vortex.openvpn.net] has quit [Changing host]
14:04 -!- openvpn2009 [patel@openvpn/corp/admin/patel] has joined ##openvpn
14:04 -!- ServerMode/##openvpn [+o openvpn2009] by anthony.freenode.net
14:15 -!- DarkFly [~DarkFly@ip-109-42-246-80.web.vodafone.de] has joined ##openvpn
14:15 < DarkFly> Hi
14:15 < krzee> hey
14:15 < DarkFly> I've got a question
14:15 < krzee> ok so "openvpn-client" is access-server
14:15 < DarkFly> mh
14:15 < krzee> which we dont support on IORC
14:15 < DarkFly> mh
14:16 < hyper_ch> hi crazy krzee
14:16 -!- openvpn2009 is now known as patel
14:16 < DarkFly> Well, i want to use IPv6 on my PC but i don't know how to get the tunnel broker working
14:16 -!- patel [patel@openvpn/corp/admin/patel] has left ##openvpn []
14:17 < DarkFly> I'm using Linux 2.6.27.27-IPv6 with the gogoWARE client but after the gogoWARE-client is connected i cant ping ipv6.google.com
14:17 -!- patelx [patel@openvpn/corp/admin/patel] has joined ##openvpn
14:17 -!- mode/##openvpn [+o patelx] by ChanServ
14:17 < DarkFly> I couldn't find our why its not working
14:17 < DarkFly> So i thought OpenVPN makes it possible to use IPv6 with an VPN-tunnel
14:17 < DarkFly> Does it?
14:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
14:22 -!- mode/##openvpn [+o raidz] by ChanServ
14:24 -!- orion [orion@unaffiliated/orion] has joined ##openvpn
14:26 < orion> Hi. I have a FreeBSD server running OpenVPN, and I want to associate multiple IPs to one interface for use on the server.
14:26 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:26 < orion> For example, I want to have one openvpn instance running which would give me access (the ability to bind to) to 10.3.0.1 through 10.3.0.10. 
14:27 < orion> And then I want to bind (for example) my web server to those IPs.
14:27 < orion> What's the best way to go about doing this?
14:28 < Bushmills> have you tried multiple --local  with parameter?   i actually don't know whether openvpn allows multiple local statements, but if it does, that would be one way
14:29 < hyper_ch> Bushmills: http://i.imgur.com/BlMm6.jpg
14:30 < Bushmills> moinmoin hyper_ch
14:30 < hyper_ch> iieeeks... it speaks German
14:33 < Bushmills> now with a bicycle up there, that would be impressive :)
14:38 < DarkFly> mh
14:38 < DarkFly> German is cool :p
14:38 < DarkFly> Was geht ab? *lol*
14:38 < hyper_ch> bicycle? I thought everybody uses ebikes now
14:38 < hyper_ch> DarkFly geht ab
14:39 -!- ss0 [~Adium@208.86.167.248] has left ##openvpn []
14:40 < Bushmills> yes, the language in which you fail to hit people over ear if they are heavy on wire.
14:41 < DarkFly> :D
14:41 < DarkFly> Nee, hyper_ch geht ab o.O :P
14:41 < DarkFly> lol
14:41 < DarkFly> Bushmills: what do you mean? o.O
14:41 < DarkFly> I can say everything you say in english also in german lawl
14:41 < DarkFly> << from germany
14:42 < hyper_ch> Bushmills: stay on the running
14:43 < Bushmills> DarkFly: so when you can, your should be able to translate what i just wrote into german. hint: translate it literally
14:43 < hyper_ch> one has to stay on the running
14:44 < hyper_ch> and I think we're good at english for runaways
14:44 < Bushmills> visits a swabian london, around christmas time, and says "attention please"
14:46 < Bushmills> hint again: a green conifer
14:47 < DarkFly> mh
14:47 < DarkFly> :P
14:47 < DarkFly> i've to go off from here
14:47 < DarkFly> cya later!^^
14:48 -!- DarkFly [~DarkFly@ip-109-42-246-80.web.vodafone.de] has quit [Quit: Leaving]
14:48 < hyper_ch> oh, he's gone
14:51 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 276 seconds]
15:00 -!- raidz [~Andrew@seance.openvpn.org] has quit [Changing host]
15:00 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has joined ##openvpn
15:00 -!- ServerMode/##openvpn [+o raidz] by asimov.freenode.net
15:01 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Quit: VirusTB]
15:23 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 252 seconds]
15:23 -!- takamichi [~pri@78.133.38.192] has joined ##openvpn
15:24 -!- WinstonSmith [~true@e179003125.adsl.alicedsl.de] has joined ##openvpn
15:25 -!- brah [~brah@host97.190-136-164.telecom.net.ar] has joined ##openvpn
15:47 -!- patelx [patel@openvpn/corp/admin/patel] has quit [Ping timeout: 245 seconds]
15:47 -!- p3rror [~mezgani@41.249.95.139] has joined ##openvpn
15:51 -!- patelx [patel@vortex.openvpn.net] has joined ##openvpn
15:51 -!- mode/##openvpn [+o patelx] by ChanServ
16:06 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:13 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Ping timeout: 276 seconds]
16:15 < krzee> [12:31]  <Bushmills> have you tried multiple --local  with parameter?   i actually don't know whether openvpn allows multiple local statements, but if it does, that would be one way
16:15 < krzee> does not work
16:15 < krzee> currently you would have to run an openvpn instance for each proto/ip/port
16:16 < krzee> that feature will not exist until openvpn 3
16:17 < krzee> too bad darkfly left, he just needed !ipv6
16:18 < Bushmills> alternatively, binding to all addresses, and firewalling the unwanted ones
16:18 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
16:18 < krzee> true
16:20 -!- patelx [patel@vortex.openvpn.net] has quit [Changing host]
16:20 -!- patelx [patel@openvpn/corp/admin/patel] has joined ##openvpn
16:20 -!- ServerMode/##openvpn [+o patelx] by pratchett.freenode.net
16:20 < krzee> nice cloak patel =]
16:24 < jpalmer> haha  I want one!
16:30 <@patelx> you can have mine
16:32 <@raidz> weeeee
16:49 -!- manevra [~manevra@66.199.231.250] has joined ##openvpn
16:50 -!- manevra [~manevra@66.199.231.250] has left ##openvpn []
17:21 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Ping timeout: 612 seconds]
17:22 -!- p3rror [~mezgani@41.249.95.139] has quit [Ping timeout: 255 seconds]
17:56 -!- jhirley [~jhirley@c-75-74-13-194.hsd1.fl.comcast.net] has quit [Ping timeout: 245 seconds]
18:08 -!- smerz [~smerz@smerz.demon.nl] has quit [Read error: Connection reset by peer]
18:15 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:19 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
18:20 -!- openbsdnoob [~openbsdno@88.79.221.61] has quit [Ping timeout: 272 seconds]
18:21 -!- openbsdnoob [~openbsdno@88.79.221.61] has joined ##openvpn
18:30 -!- barnex [~barnex@191-mi2-3.acn.waw.pl] has quit [Ping timeout: 265 seconds]
18:30 -!- kartooon [~kartoon@unaffiliated/kartooon] has quit [Ping timeout: 264 seconds]
18:31 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 265 seconds]
18:31 -!- ksk [~ksk@im.knubz.de] has quit [Ping timeout: 255 seconds]
18:31 -!- barnex [~barnex@191-mi2-3.acn.waw.pl] has joined ##openvpn
18:31 -!- kartooon [~kartoon@unaffiliated/kartooon] has joined ##openvpn
18:32 -!- ksk [~ksk@im.knubz.de] has joined ##openvpn
18:44 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
19:10 -!- theDoc [~Link@unaffiliated/thedoc] has left ##openvpn ["Leaving"]
19:17 -!- WinstonSmith [~true@e179003125.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
19:19 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 240 seconds]
19:20 -!- WinstonSmith [~true@e179003125.adsl.alicedsl.de] has joined ##openvpn
19:31 -!- WinstonSmith_ [~true@e179003125.adsl.alicedsl.de] has joined ##openvpn
19:32 -!- WinstonSmith [~true@e179003125.adsl.alicedsl.de] has quit [Read error: Connection reset by peer]
19:42 -!- WinstonSmith_ [~true@e179003125.adsl.alicedsl.de] has quit [Ping timeout: 252 seconds]
20:00 -!- WinstonSmith_ [~true@f052100214.adsl.alicedsl.de] has joined ##openvpn
20:22 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
21:54 -!- kisom [~kisom@c-d0dde155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Ping timeout: 252 seconds]
21:55 -!- kisom [~kisom@c-d0dde155.648-1-64736c11.cust.bredbandsbolaget.se] has joined ##openvpn
22:34 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
22:39 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 272 seconds]
22:56 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has quit [Quit: Leaving]
23:17 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
23:18 -!- APTX [~APTX@phpBB/developer/APTX] has joined ##openvpn
23:20 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:25 -!- UnterPerro [~UnterPerr@32.160.5.107] has joined ##openvpn
--- Day changed Tue Sep 21 2010
00:03 -!- phantomcircuit [~phantomci@adsl-99-170-147-253.dsl.pltn13.sbcglobal.net] has quit [Quit: Leaving]
00:39 -!- krzie [krzee@hemp.ircpimps.org] has joined ##openvpn
00:39 -!- krzie [krzee@hemp.ircpimps.org] has quit [Changing host]
00:39 -!- krzie [krzee@openvpn/community/support/krzee] has joined ##openvpn
01:14 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
01:20 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has joined ##openvpn
01:27 -!- phantomcircuit [~phantomci@adsl-99-170-147-253.dsl.pltn13.sbcglobal.net] has joined ##openvpn
01:28 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has quit [Ping timeout: 265 seconds]
01:32 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has joined ##openvpn
01:35 -!- UnterPerro [~UnterPerr@32.160.5.107] has quit [Quit: UnterPerro lives to save another day]
01:47 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
01:56 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
01:58 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
02:03 < vpnHelper> RSS Update - forum: Installation Help :: Two problems, one with routing, and one with SIGTERM on Win7 :: Author ... <https://forums.openvpn.net/viewtopic.php?f=5&t=7112&p=7837#p7837>
02:09 < vpnHelper> RSS Update - forum: Configuration :: client-to-client help :: Author junker10 <https://forums.openvpn.net/viewtopic.php?f=6&t=7113&p=7838#p7838>
02:21 < kraut> moin
02:36 -!- SOG [~SOG@61.144.230.241] has joined ##openvpn
02:39 -!- Jarpse [~jarpse@cluon.soleus.nu] has joined ##openvpn
02:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
02:48 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined ##openvpn
03:02 -!- openbsdnoob [~openbsdno@88.79.221.61] has quit [Ping timeout: 240 seconds]
03:02 -!- openbsdnoob [~openbsdno@88.79.221.61] has joined ##openvpn
03:13 -!- kartooon [~kartoon@unaffiliated/kartooon] has quit [Quit: WeeChat 0.3.2]
03:18 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 252 seconds]
03:21 -!- takamichi [~pri@78.133.38.192] has joined ##openvpn
03:22 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:54 -!- HackeMate [~HackeMate@206.Red-88-26-64.staticIP.rima-tde.net] has joined ##openvpn
03:54 < HackeMate> hello
03:55 < HackeMate> its the 3rd time i try to install openvpn server on my debian stable, so I beg help before than give up :)
03:55 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
03:55 < HackeMate> i followed many tutorials and noone worked for me
03:56 < hyper_ch> HackeMate: apt-get install openvpn
03:57 < HackeMate> how to configure now
03:58 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
03:58 -!- mode/##openvpn [+o mattock] by ChanServ
04:22 -!- dazo_afk is now known as dazo
04:43 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: This computer has gone to sleep]
04:48 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
05:00 < Jarpse> HackeMate: even I could do it with the manuals.
05:01 < HackeMate> heh
05:01 < HackeMate> not my case
05:01 < Jarpse> copy the pki tools to some folder, eg your home directory
05:01 < HackeMate> nevermind though, I have mapped some ports and I think that's the problem
05:01 < Jarpse> right
05:01 < Jarpse> ah
05:01 < Jarpse> you already have a server running etc?
05:02 < Jarpse> that starts without problems
05:03 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has joined ##openvpn
05:04 < HackeMate> yes it starts, the problem is my dns configuration and that stuff, but I can't fix it until I go to home
05:04 < HackeMate> I natted port 80 and now I can't access to router, heh
05:05 < Jarpse> right
05:05 < Jarpse> connecting at IP should work
05:05 < Jarpse> if it doesn't, check port mappings
05:05 < Jarpse> if it still doesn't, check if the port isn't blocked at the other side
05:13 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 252 seconds]
05:14 -!- takamichi [~pri@94-23-148-250.ovh.net] has joined ##openvpn
05:28 -!- codertux [~codertux@92.86.222.150] has joined ##openvpn
05:34 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined ##openvpn
05:34 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
05:34 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:04 -!- SOG [~SOG@61.144.230.241] has quit [Quit: I will be back!]
06:11 -!- codertux is now known as codertux_
06:13 -!- codertux_ is now known as codertux
06:15 -!- codertux [~codertux@92.86.222.150] has quit [Remote host closed the connection]
06:22 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 240 seconds]
06:43 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
06:44 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
06:45 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
06:56 -!- enlight22 [~zodono@reykjavik.dreamhost.com] has joined ##openvpn
06:56 < enlight22> Hello
06:56 < enlight22> anyone know an option for the client config will will force it to ignore a provided default gateway?
07:08 -!- le0 [~fin@82.132.248.214] has joined ##openvpn
07:08 -!- le0 [~fin@82.132.248.214] has quit [Changing host]
07:08 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
07:21 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
07:22 -!- SOG [~SOG@222.125.214.137] has joined ##openvpn
07:40 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Ping timeout: 264 seconds]
08:02 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has joined ##openvpn
08:08 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
08:11 -!- Cmdr_W_T_Riker [7fbb8bddee@xs8.xs4all.nl] has quit [Remote host closed the connection]
08:25 -!- stefanlsd [~stefan@ubuntu/member/stefanlsd] has joined ##openvpn
08:25 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
08:26 < stefanlsd> hihi. Anyone have a suggestion, i have a TAP driver under windowsxp in bridge mode that says - aquiring network address and never gets it. The log shows thou -  Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.0.202/255.255.255.0 on interface {6A9C2D19-5BEA-4F16-BF52-7C65CFB3D971} [DHCP-serv: 192.168.0.0, lease-time: 31536000]
08:32 < enlight22> stefanlsd: noone seems to be around
08:32 < enlight22> i asked a question like an hour ago and no answer
08:32 < enlight22> which is odd cuase there is like 100 ppl in here
08:32 < Rienzilla> It's a quiet channel
08:33 < Rienzilla> and maybe people are unable to answer your question and keep quiet :)
08:33 < stefanlsd> heh. yeah. i cleared the firewall rules to make sure :P
08:33 < Rienzilla> stefanlsd: does your connection work if you manually set an IP? 
08:34 < enlight22> perhaps i should reask my question as well
08:35 < stefanlsd> Rienzilla: yeah. it works
08:35 -!- SOG [~SOG@222.125.214.137] has quit [Quit: I will be back!]
08:37 < enlight22> why is my client.crt comming out as 0kb
08:37 < enlight22> and the cert refuses to work with my linux client
08:37 < Rienzilla> hmm that is odd
08:38 < krzie> stefanlsd, 
08:38 < krzie> !configs
08:38 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
08:38 < krzie> enlight22, 
08:38 < krzie> !pki
08:38 < vpnHelper> krzie: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was signed
08:38 < vpnHelper> krzie: specially as a server (see !servercert)
08:38 < Rienzilla> hmm maybe it doesn't like 192.168.0.0 as a server in 192.168.0.0/24
08:39 < krzie> Rienzilla, it has no problem with that, however it is a very bad choice for VPN subnet
08:39 < krzie> it spits out a warning, but doesnt stop you
08:39 < enlight22> krzie: im aware, i did all of this
08:40 < Rienzilla> maybe windows doens't like it, it's pretty annoying when it comes to setting ip addresses :)
08:40 < krzie> enlight22, but something went wrong... do it again and pay attention to output
08:40 < Rienzilla> (you can also not set an ip address inside a range smaller than /30)
08:40 < Rienzilla> but I can't say much given just one log line :)
08:40 < enlight22> krzie: ive done it 3 times, there are no errors...
08:41 < krzie> Rienzilla, (unless you use topology subnet)
08:42 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
08:42 < Rienzilla> (are you sure? :-))
08:43 < stefanlsd> Rienzilla: thanks. config -> http://pastebin.com/PGnFHu0Z
08:43 < krzie> Rienzilla, 
08:43 < enlight22> krzie: ?
08:44 < krzie> !/30
08:44 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
08:44 < krzie> !topology
08:44 < vpnHelper> krzie: "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
08:44 < Rienzilla> krzie: I'm not talking specifically about openvpn, windows just refuses to set an ip address on any interface with a netmask smaller than /30 (so /31 or /32).
08:45 < krzie> there is no such thing as /31
08:45 < Rienzilla> sure there is
08:45 < krzie> 32 is a single ip
08:45 < Rienzilla> yes
08:45 < Rienzilla> 31 is two ip's
08:45 < krzie> no, in ipv4 there is not
08:45 < krzie> !google cidr cheatsheet
08:45 < vpnHelper> krzie: CIDR SUBNET MASK CHEATSHEET & ICMP TYPE CODES: <http://oav.net/mirrors/cidr.html>; IPv4 CIDR notation cheat sheet: <http://old.tamasrepus.hotnudiegirls.com/pages/IPv4+CIDR+notation+cheat+sheet>; Country IP Blocks » CIDR Cheat Sheet: <http://www.countryipblocks.net/networking/cidr-cheat-sheet/>
08:45 < Rienzilla> there is, although it's not very useful
08:45 < Rienzilla> setting a /32 ip address can be useful though under certain circumstances
08:46 < krzie> 255.255.255.254  11111111.11111111.11111111.11111110  /31  Unuseable
08:46 < krzie> a /30 is 2 usable
08:46 < krzie> and i agree with the /32 statement
08:47 < enlight22> ok, i did it a 4th time, still no errors, still not working
08:47 < krzie> enlight22, what os?
08:47 < krzie> stefanlsd, is there a reason you want a bridge?
08:47 < krzie> !layer2
08:47 < vpnHelper> krzie: "layer2" is (#1) you are using tap, what specific layer2 protocol do you need to work over the vpn?, or (#2) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#3) protocols that use layer2 communicate by MAC address, not IP address
08:47 < enlight22> krzie: windows server 2003,   ubuntu 10.04 client
08:47 < enlight22> generating the key on windows
08:48 < krzie> enlight22, try making the keys on ubuntu instead?
08:48 < krzie> !windows
08:48 < vpnHelper> krzie: "windows" is pcs are like air conditioners, they work fine unless you open windows
08:48 < krzie> ;)
08:48 < Rienzilla> argh I hate this bot :)
08:48 < enlight22> krzie: that is very helpful... thanks
08:48 < krzie> Rienzilla, 
08:48 < krzie> !factoids
08:48 < vpnHelper> krzie: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
08:49 < enlight22> krzie: and while i am aware of that... there is a release of openvpn for windows, and presumably... it should generate a working key
08:49  * jpalmer wants to destroy that bot every time I see that !windows factoid.
08:49 < krzie> enlight22, it does, i personally have used it, but since you have linux handy give that a try (unless you want to do this one:
08:49 < krzie> !insane
08:49 < vpnHelper> krzie: Error: "insane" is not a valid command.
08:49 < Rienzilla> yes, I know that this bot has a lot of factoids programmed. But it reduces most discussions to channel regulars spamming factoids instead of talking :)
08:49 < krzie> !crazy
08:49 < vpnHelper> krzie: Error: "crazy" is not a valid command.
08:49 < krzie> grr
08:50 < Rienzilla> it's like 'Hi, is the word "difficult" spelt correctly', and then answering !dictionary :)
08:50 < krzie> !insanity
08:50 < vpnHelper> krzie: "insanity" is doing the same thing over and over expecting different results
08:50 < enlight22> krzie: cause the windows box needs to be the server
08:50 < krzie> Rienzilla, its because we end up saying the same things 1000x / week
08:50 < stefanlsd> krzie: mm. no amazingly good reason.  found its normally just easier. 
08:51 < krzie> enlight22, false, normally the CA machine is niether the server nor the client
08:51 < Rienzilla> I understand that (i'm in several other support channels), but I don't really think it helps to make the channel more helpful or enjoyable
08:51 < krzie> stefanlsd, from experience or from finding some walkthrough?  i find routing much easier personally
08:51 < enlight22> normally the CA machine is whatever machine gernated the CA, server,client, or other
08:52 < stefanlsd> krzie: routing normally works (tm). routing you need to reconfig firewalls, also, when the gateway of the server is not the openvpn servers, you need other routes
08:52 < stefanlsd> krzie: bleh. bridging ^
08:52 < jpalmer> Rienzilla: I guess we all have opinion.  personally,  I think it's insanely helpful as long as it's not chock full of useless factoids (like the !windows one here)
08:52 < enlight22> i hate this certificate bullshit anyways, why cant it at least have the option for some traditional authentication method, like prompting for a username and password
08:53 < Rienzilla> jpalmer: hehe yes, this was certainly a personal opinion :-)
08:53 < jpalmer> enlight22: because openvpn is an "SSL based VPN"  and SSL requires..  certificates
08:53 < enlight22> jpalmer: i suppose... 
08:53 < stefanlsd> enlight22: maybe good look at pptp
08:53 < jpalmer> if you want user/pass authentication, it's certainly possible.  with pptp and other options
08:53 -!- kisom [~kisom@c-d0dde155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Remote host closed the connection]
08:53 < Rienzilla> but it also doesn't really help the few people who have actually read the manual and still don't have success
08:54 -!- krzy [krzee@hemp.ircpimps.org] has joined ##openvpn
08:54 < enlight22> stefanlsd: im already running pptp, and l2tp... and the problem is this one isp is packet shaping them, but it doesnt seem to do it to SSL, so im going to try openvpn
08:54 < Rienzilla> by the way, enlight, there are several very small certificate helperprograms to manage a certificate tree
08:55 < Rienzilla> for example tinyca2
08:55 < enlight22> hmm
08:55 < Rienzilla> they make it pretty easy to make certificates and generate zip files with all relevant files in them
08:55 < enlight22> i just need one working client server pair... only one user needs to use this bs
08:55 < enlight22> let me give that a shit
08:55 < enlight22> shot
08:55 < enlight22> lol
08:55 < Rienzilla> well it works fine for that purpose too :)
08:55 < krzy> you may not even need certs if its only 1 user
08:56 -!- kisom [~kisom@c-d0dde155.648-1-64736c11.cust.bredbandsbolaget.se] has joined ##openvpn
08:56 < krzy> although they do make things a lil more secure than static key
08:56 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
08:56 < Rienzilla> oh yeah you can use preshared keys?
08:56 -!- krzy [krzee@hemp.ircpimps.org] has quit [Client Quit]
08:56 -!- krzie [krzee@openvpn/community/support/krzee] has joined ##openvpn
08:56 < kisom> What was the openvpn dev channel called again?
08:57 < Zathraz> hmm. My OPenVPN works, but only the openvpn server can be reached not the rest of the network. How can I debug this pls?
08:57 < enlight22> krzy: when u say static key, u mean like a PSK, like a password right
08:57 < krzie> kisom, its in the topic
08:57 < enlight22> that would own
08:57 < krzie> enlight22, or a key file... see --secret
08:57 < enlight22> krzie: would rather just use a long string in the config file
08:58 < enlight22> Zathraz: ip routing and NAT on the host if u need it
08:58 < reiffert> anyone ever got in contact with sis190/sis191?
08:59 < enlight22> hmm, installed this tinyca, lets see what it does
08:59 < krzie> enlight22, both work, although you really should use a key file over some password if using --secret.  also note that your traffic will always use the same key, so if someone captures your traffic then gets the key later they can decrypt
09:00 < krzie> reiffert, moinmoin!
09:00 < enlight22> krzie: well considering i am in the peoples republic of capitolism that might actually be a concern
09:00 < Zathraz> enlight22, already got that afaik. My network is 172.19.x.y and the openvpn network is 10.8.x.y. I added on the server: route add -net 10.8.0.0/24 gw 172.19.0.75
09:01 < Zathraz> where 172.19.0.75 is the LANs gateway as well as the openvpn server itself
09:01 < krzie> Zathraz, 
09:01 < krzie> !serverlan
09:01 < vpnHelper> krzie: "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
09:02 < Zathraz> ipf is enabled
09:02 < enlight22> Zathraz: u need to add the route on the client, not the server. and u need IP forwarding
09:02 < enlight22> oh
09:02 < krzie> and the router of the servers lan has a route to the vpn
09:02 < enlight22> i see krzie said that, in a much more convenient way
09:02 < krzie> ;]
09:03 < enlight22> lol
09:03 < Zathraz> I *think* I have matched all criteria
09:03 < krzie> Zathraz, 
09:03 < krzie> !configs
09:03 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
09:05 < reiffert> krzie: yesterday someone was asking me if I could chat other than typing ! commands ;)
09:05 < enlight22> Rienzilla: yo, what digest do i want in this tinyca2, which looks fucking sweet btw
09:05 < krzie> reiffert, if they asked me i would make a !no for them ;)
09:05 < enlight22> idk why openvpn doesnt just state in the man page, forget our bullshit tools, use tinyca2
09:05 < Rienzilla> you can just create a new CA, and within that CA create and sign two certificates
09:06 < Rienzilla> and the you can export those in a zip
09:06 < enlight22> Rienzilla: yes, im making the CA now, it wants to know what digest i wanna use, SHA-1 MD2 etc etc
09:06 < krzie> lol enlight22... i actually plan on building in cert generation to my config file generator
09:06 < Rienzilla> oh I always use the default
09:07 < enlight22> krzie: your config generator ehh, that sounds highly usefull
09:07 < enlight22> krzie: where might this be obtained
09:07 < krzie> enlight22, any should work, openssl handles all of that... openvpn just passes it
09:07 < krzie> !confgen
09:07 < vpnHelper> krzie: "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/
09:07 < enlight22> krzie: it has no gui?
09:08 < krzie> one day it should be html as well, it the other guy ever finishes
09:08 < reiffert> krzie: Indeed I was answering with "!no", but unfourtunatly the bot doesnt like me ;)
09:08 < krzie> but nope, no gui in that one
09:08 < krzie> lol reiffert 
09:08 < enlight22> :(
09:08 < enlight22> what is the advantage of it, may as well do it with vim?
09:09 < krzie> it correctly sets up routing / redirect configs
09:09 < krzie> and tells you about the things to do outside of openvpn
09:09 < enlight22> sounds sweeet, ima check it out from the svn
09:09 < krzie> but ya, no giant advantage (although a gui would not change that)
09:09 < Zathraz> http://pastebin.com/KkRcycJR
09:10 < enlight22> yay, ca is created, now to make some keyz
09:10 < enlight22> ahh
09:10 < enlight22> fuck
09:10 < krzie> rc11!?
09:10 < krzie> Zathraz, your version of openvpn has known bugs, pls consider upgrading
09:11 < Zathraz> it is the "latest" version in Debian stable :-(
09:11 < enlight22> if i use s 2048 bit key, how taxing is that gonna be on modern hardware
09:11 < krzie> enlight22, not taxing at all
09:11 < enlight22> can i use 4096 bit?
09:11 < krzie> i use 4096 on old antiquated hardware with no issue
09:12 < Zathraz> besides the point of bugs, Does the config itself look ok?
09:12 < enlight22> hmm, why all the warning about pure insanity in the man pages then
09:12 < krzie> just dont make your tls-auth key 4096 or your dh key
09:12 < enlight22> i dont recall making a tls key
09:12 < krzie> !hmac
09:12 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the tls static
09:12 < vpnHelper> krzie: key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
09:13 < enlight22> hmm, wonder if that is really necessary
09:14 < krzie> Zathraz, you didnt paste your client config
09:14 < krzie> im gone in 15min... headed to gym
09:16 < krzie> enlight22, necessary no... but pretty awesome yes
09:17 < Zathraz> http://pastebin.com/HM7Q7Nte
09:17 < Zathraz> sorry
09:18 < krzie> what machine did you add this to
09:18 < krzie> route add -net 10.8.0.0/24 gw 172.19.0.75
09:18 < Zathraz> server
09:18 < krzie> but server shouldnt have it
09:18 < krzie> server IS the gateway for 10.8.0.0/24
09:18 < krzie> that gets added to the router of the lan
09:18 < Zathraz> server = router
09:18 < krzie> quite possibly (but not certainly) .1
09:19 < Zathraz> server has 3 nics, 1 inet, 1 lan, 1 dmz
09:19 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Quit: Yes, Virginia...]
09:19 < krzie> umm, your entire lan has 172.19.0.75 as their default gateway?
09:19 < Zathraz> yes
09:20 < krzie> then you dont add any route like that
09:20 < krzie> !route_outside_ovpn
09:20 < vpnHelper> krzie: "route_outside_ovpn" is "route_outside_openvpn" is (#1) http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) you do not need this if the vpn node IS the gateway for its lan
09:20 < krzie> #2
09:20 < Zathraz> aaaah
09:20 < Zathraz> ty
09:20 < krzie> yw
09:21  * krzie wonders if Rienzilla likes my bot yet
09:22 < enlight22> only thing i dont like about ur bot
09:22 < enlight22> is
09:22 < enlight22> people dont like prepackaged answers
09:22 < enlight22> so
09:22 < enlight22> u should issue out of band commands to it
09:22 < enlight22> so people dont realize it is a bot
09:22 < jpalmer> enlight22: right,  they expect us to retype all of the info already available on google, or countless thousands of web pages ;)
09:23 < krzie> and people that spend yrs here dont like repeating themselves either... if i didnt make that bot i would have left and stopped helping long ago
09:24 < krzie> instead, i give that bot any info we think of that people seem to always need
09:24 < enlight22> im just saying, it would be cooler if you commanded the bot in a way where ppl didnt see, so they just thought it was a person answering them
09:24 < jpalmer> basically,  it's a matter of "don't bite the hand that feeds"  be glad the information is available, and that someone went to the effort of helping you,  rather than bitching about it ;)
09:24 < krzie> !tell enlight22 !bot
09:24 < krzie> !tell krzie !bot
09:24 < enlight22> and most of the info on google and the openvpn website seems to either be scattered, complete crap, out of date, or otherwise wrong
09:24 < krzie> !tell krzie [bot]
09:24 < Rienzilla> :)
09:24 < krzie> !tell enlight22 [bot]
09:25 < krzie> enlight22, too true, over half what you'll find on google is guides that completely suck
09:25 < enlight22> lol
09:25 < enlight22> Rienzilla: tinyca seems to only be exporting pem files
09:25 < krzie> and the website has become a place to sell access-server (hard to blame them for wanting to make a buck tho)
09:25 < enlight22> can i just rename them or something
09:26 < krzie> pem files are combined crt/key
09:26 < krzie> you can split them by hand, or i bet tinyca has a setting for that
09:26 < enlight22> then why are there three of them in the zip?
09:26 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has quit [Ping timeout: 276 seconds]
09:26 < Rienzilla> italso exports separate .pems for cert, key and ca
09:26 < krzie> ohh
09:26 < Rienzilla> you can feed this files to the ca, cert and key options of openvpn
09:26 < vpnHelper> RSS Update - forum: Server Administration :: Remote Desktop via OpenVPN on Windows 2003 Server :: Author kuzmabruk <https://forums.openvpn.net/viewtopic.php?f=4&t=7114&p=7839#p7839>
09:26 < krzie> then yes you can rename if you like
09:27 < enlight22> okies, now to securely get them to the server (im rolling my eyes)
09:27 -!- Bogus8_ [~Nunya@ip68-226-131-28.lf.br.cox.net] has quit [Remote host closed the connection]
09:28 < krzie> !tell ##openvpn dont hate me cause im beautiful
09:28 < vpnHelper> krzie: Error: Dude, just give the command.  No need for the tell.
09:28 < krzie> lol
09:28 < krzie> bbl, gym
09:28 < ecrist> shirley, don't call me gym
09:28 < enlight22> later mang
09:28 < ecrist> you should get that looked at
09:29 < jpalmer> enlight22: scp is a decent (and secure) transport
09:30 < enlight22> i wish this bullshit ISP didnt shape pptp
09:31 < enlight22> but they shape everything, except ssl and http it seems  :(
09:32 < jpalmer> in the time you've been spending to learn about, install, and configure openvpn..  you probably could have called a different ISP, and switched  ;)
09:33 < jpalmer> that sounded worse than I intended.  I'm not saying anything against your ability.  My point was,  rather than bend over backwards to work with an ISP..  you could save yourself a lot of headache (now and in the future) be going with a different ISP.
09:33 < enlight22> well, unfortunatly, i am stuck with china telecom for the remainder of the year, because its already paid... but u can bet next year i will be canceling their ass and getting china unicom, which is what i wanted, but my girlfriend didnt listen to me
09:34 < enlight22> jpalmer: my abilities havent had any problem with pptp, or l2tp, or any other networking related thing i have ever done... and i dont think my abilities are causing my openvpn headaches
09:34 < jpalmer> again,  I wasn't attacking your abilities.  it came out wrong. which is why I preemptively clarified the comment.
09:34 < enlight22> i had less dificulty setting up pptp with radius, and using TC to throttle my users.. actually not really any dificulty
09:35 < enlight22> jpalmer: yes, i know you werent, i didnt take it that way... 
09:35 < enlight22> i was merely turning it around to express the hatred i am beginning to develop toward openvpn, lol
09:35 < enlight22> it says on the website, powerful, easy to use, etc
09:35 < enlight22> the powerful part im sure is accurate
09:37 < ecrist> enlight22: openvpn *is* easy to use, it's assumed that someone configuring a server understands basic networking, however.
09:37 < ecrist> very rarely are the problems addressed in this channel specific to openvpn, rather silling things, like pointing people to their firewall
09:37 < enlight22> ecrist: well, i understand basic networking, and i think it might be easy to use, if it werent such a piece of shit
09:38 < ecrist> he
09:38 < ecrist> what is your problem?
09:38 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
09:38 < enlight22> i mean, generating a key pair is pretty much crucial to its functionality
09:39 < enlight22> and its integrated tools for performing that function, are utter crap
09:41 < enlight22> my problem is the client.crt generated on the server is comming out to 0kb
09:41 < enlight22> and i have done it 3 times, read the output, etc etc, it refuses to work
09:41 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has joined ##openvpn
09:44 < ecrist> I agree, easy-rsa is complete crap.
09:45 < reiffert> I like easy-rsa, it works.
09:45 < enlight22> except it doesnt work
09:45 < reiffert> enlight22: probably your fault. did you edit openssl.cnf?
09:45 < ecrist> !ssl-admin
09:45 < vpnHelper> ecrist: "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn, or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
09:46 < reiffert> right, debugging sucks, enjoy ssl-admin.
09:46 < enlight22> why the fuck should i need to edit anything.... 
09:46 < kisom> enlight22: then get windows.
09:46 < enlight22> im trying to get tinyca to work now, if it doesnt ill move on to this ssl admin
09:46 < kisom> and stop crying
09:47 < enlight22> kisom: this is on windows, and client on linux
09:47 < enlight22> and im not crying
09:47 < reiffert> enlight22: please be aware, that the *DEFAULT OPENVPN CONFIGURATION FILE* needs *EDITING*.
09:47 < enlight22> reiffert: is openssl.cnf the default openvpn configuration file?
09:47 < enlight22> no...
09:47 < enlight22> didnt think so
09:48 < enlight22> obviously the configuration file needs editing...
09:48 < kisom> enlight22: being rude will get you nowhere on IRC.
09:48 < reiffert> enlight22: openssl.cnf is the default easy-rsa config file. and it needs editing as well.
09:48 < enlight22> how nice of it to say that on the key generation man page...
09:49 < enlight22> kisom: not really getting anywhere anyway... we are just talkin here...
09:53 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has quit [Read error: Operation timed out]
09:54 < kisom> well first of all
09:55  * ecrist suggests enlight22 correct his attitude
09:55 < kisom> yes, sencond of all, use linux on the server.
09:55 < kisom> i have never used openvpn on windows as a server
09:55 < kisom> i most people use it on linux too
09:55 < kisom> i believe*
09:56 < kisom> and i just got a critical incident at work i have to take care of
09:56  * kisom &
09:58 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has quit [Remote host closed the connection]
09:58 -!- [intra]lanman [~lanman@va-67-76-163-226.sta.embarqhsd.net] has joined ##openvpn
09:59 -!- [intra]lanman [~lanman@va-67-76-163-226.sta.embarqhsd.net] has quit [Changing host]
09:59 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
09:59 -!- Zathraz [~Zzz@a83-163-198-186.adsl.xs4all.nl] has joined ##openvpn
10:01 -!- oryxtec [~oryxtec@116.71.178.60] has joined ##openvpn
10:01 < oryxtec> i guys i have installed openvpn on my server but i m having one issue..
10:01 < oryxtec> ping is not getting satyable
10:01 < oryxtec> stay able..
10:02 < oryxtec> its going up and down
10:06 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
10:06 -!- oryxtec [~oryxtec@116.71.178.60] has quit [Ping timeout: 264 seconds]
10:07 -!- oryxtec [~oryxtec@119.152.75.62] has joined ##openvpn
10:07 < oryxtec> any help please?
10:09 <@dazo> !welcome
10:09 < vpnHelper> dazo: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:09 <@dazo> oryxtec: ^^^
10:09 < oryxtec> thanks let me give you all configs.. from where i can collect logs?
10:09 < oryxtec> under which folder is it
10:09 < oryxtec> ?
10:10 -!- helmut [helmut@subdivi.de] has joined ##openvpn
10:11 <@dazo> !logs
10:11 < vpnHelper> dazo: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
10:11 < helmut> hi. is there a reason for openvpn to try to "resolve" ip addresses? I tried entering a hostname first and it says NO_DATA even though I can resolve the name. when I try with an ip address it says HOST_NOT_FOUND.
10:11 < ecrist> !tell dazo !logs
10:11 <@dazo> oryxtec: you'll mostly find them according to how your config is configured
10:11 <@dazo> ecrist: exactly ;-)
10:11 < helmut> uhm. v6 of course. %-)
10:12 < ecrist> dazo: you should have gotten a PM from vpnHelper with !logs
10:12 <@dazo> helmut: which openvpn version
10:13 < helmut> dazo: good question. 
10:13 < helmut> dazo: 2.1~rc19-1 from debian sid
10:13 < helmut> dazo: a bit outdated due to other problems
10:13 < ecrist> !say [!logs]
10:13 < vpnHelper> ecrist: Error: "!logs" is not a valid command.
10:13 < ecrist> !say [!factoids logs]
10:13 < vpnHelper> ecrist: Error: "!factoids" is not a valid command.
10:14 < ecrist> *shrug*
10:14 <@dazo> helmut: that one won't support IPv6 ... except maybe only be able to listen/connect to IPv6 .... might not do the IPv6 resolving properly
10:14 <@dazo> (Debian 2.1.x do have limited IPv6 support, not sure about the earlier ones)
10:14 < helmut> dazo: hardcoding ips is not a real problem.
10:14 < helmut> dazo: so I should probably upgrade, right?
10:15 <@dazo> helmut: we only support the latest version here anyway ;-)
10:15 < helmut> well I stopped upgrading it after I experienced frequent disconnects. :-/
10:15 < helmut> like once a minute
10:15 <@dazo> helmut: did you report a bug somewhere?
10:16 < reiffert> enlight22: btw, it's written in the howto to edit the openssl.cnf file.
10:16 < helmut> dazo: I had no time to triage and needed a working solution "now". it is a place I go to infrequently, so cannot reproduce or debug either.
10:17 < helmut> dazo: when I go there next, I'll try the most recent version and hope it works.
10:17 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
10:17 <@dazo> helmut: you know, if we get some bug reports and are able to reproduce issues ... we might actually fix things ... so that you won't need to stay blocked on an old version ;-)
10:18 < helmut> dazo: only my bug report would have been much too unprecise for you to deduce anything
10:19 <@dazo> helmut: that would have been a problem ... but providing some scaled down config files which can reproduce the issue and share it with us, that's usually a good starter
10:20 < helmut> dazo: sorry, I didn't have the time when I had the problem. really normally I do take the time to debug things and provide detailed reports.
10:20 <@dazo> helmut: anyhow this resolving issue is interesting ... so I'd like to get more info on that one .... the resolver code has been rewritten in 2.1.3, but that's mostly for IPv4 ... if we have IPv6 issues, then we need to fix that
10:21 < helmut> dazo: the most recent version in debian is 2.1.0. has that a chance to work with ipv6?
10:23 <@dazo> helmut: I believe agi have added the IPv6 transport patches .... so, it got limited IPv6 support on Deb .... however, that code is not that much different from 2.1_rc19
10:23 <@dazo> especially not in the resolving part, as far as I remember
10:23 < helmut> thanks
10:24 < helmut> dunno how much you know about ipv6, but to reproduce yourself you can bind openvpn to ::1 or to the link local address of your ethernet interface (fe80:something) and then try to connect from another machine from the same network segment.
10:25 < helmut> the fe80:something addresses are automatically configured if your kernel supports ipv6.
10:25 <@dazo> helmut: I presume that I'd have to bind to fe80:: to be able to connect from the local network ...
10:25 < helmut> dazo: yeah the ::1 would only work if you start client and server on the same machine
10:25 <@dazo> yeah, localhost :)
10:25 < helmut> often called ip6-localhost
10:26 <@dazo> I'm going to try that at some point ... after I've resolved some issues with the git tree :)
10:26 < helmut> thank you very much
10:26 < jpalmer> I have a few VPS's.  all have native ipv6
10:26 < helmut> I'll probably use a socat-style approach for now. %-)
10:29 < helmut> sometimes being an ipv6 pioneer is hard...
10:30 < helmut> (background: I have two internet links. my ipv4 link has about 50mbit, my ipv6 link has about 300mbit)
10:34 < helmut> uhm. is there something like ssh's ProxyCommand for openvpn?
10:35 < helmut> (I found only http and socks proxy)
10:36 <@dazo> helmut: no, I don't think so ... only possible hooks can be found under the "SCRIPTING AND ENVIRONMENTAL VARIABLES" section in the man page
10:36 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Read error: Connection reset by peer]
10:38 < helmut> just out of curiosity: would you accept a patch if I find some time for that? (proxycommand sounds like a damn useful feature)
10:44 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:44 -!- HackeMate [~HackeMate@206.Red-88-26-64.staticIP.rima-tde.net] has quit [Quit: Saliendo]
10:44 < helmut> uhm... when I git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn I get an empty repository. any ideas about what I'm doing wrong?
10:45 < helmut> uhm. looks like wrong url to me.
10:46 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
10:48 < helmut> got it. :-)
10:52 -!- oryxtec [~oryxtec@119.152.75.62] has quit [Ping timeout: 272 seconds]
10:53 -!- enlight22 [~zodono@reykjavik.dreamhost.com] has quit [Remote host closed the connection]
10:53 -!- JackCorleone [~root@187.101.48.25] has joined ##openvpn
10:54 < helmut> uhhh. socket.c is quite monolithic... hacking a proxycommand in there would not improve the situation we already have with http and socks
10:54 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Read error: Connection reset by peer]
10:57 <@dazo> helmut: heh ... openvpn in general is very monolithic 
10:57 < helmut> uhm... "if(false) ;\n#ifdef something\nelse if(...)"
11:00 <@dazo> helmut: in general, regarding patches .... we accept a lot of patches, as long as they've been on the -devel mailing list and have been reviewed and ACKed ... if that happens, it's getting included into the allmerged branch and then further into a major release if testing no complaints from allmerged users
11:01 < helmut> dazo: thanks for the information. so it's unlike openssh where all non-trivial patches are denied, because theo de raat knows everything better. :-)
11:01 <@dazo> :)
11:02 < helmut> let me see whether I can work this out providing patches against git (or a pull request ;-).
11:05 -!- WormFood [~wormfood@183.38.15.9] has quit [Ping timeout: 264 seconds]
11:08 <@dazo> helmut: git format-patch will be your most important friend in that regards ;-)
11:09 < helmut> dazo: -devel don't like pull requests? (just a question, no offence)
11:09 <@dazo> helmut: we do that as well, but that's more for bigger projects ... like complete IPv6 support, where there are continuously development
11:10 <@dazo> helmut: for a starter, I'd prefer patches to the ML, easier to review for most people
11:10 -!- oryxtec [~oryxtec@119.152.75.62] has joined ##openvpn
11:10 < oryxtec> hi. sorry i got DC from IRC chanl
11:10 < helmut> dazo: ah ok. good to know.
11:11 < oryxtec> please have alook to my config files
11:11 < oryxtec> /msg NickServ identify 
11:11 < oryxtec> http://pastebin.com/YUhqztJ6
11:11 < oryxtec> this is my server.conf
11:11 <@dazo> oryxtec: !configs
11:11 <@dazo> !configs
11:11 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
11:11 < oryxtec> http://pastebin.com/79BfHXHD
11:11 <@dazo> oryxtec: please notice the part of the sentence which says:  with comments removed .....
11:12 < oryxtec> and this is my client.conf
11:12 < oryxtec> @dazo: what do u mean by with comments removed ??
11:12 < oryxtec> i didn't get please can u explain me again
11:12 < oryxtec> thanks
11:13 <@dazo> oryxtec: without all # lines .... that's a lot of noise
11:13 <@dazo> grep -vE '^#|^;|^$' server.conf
11:13 <@dazo> that gives you something worth pasting
11:15 < oryxtec> rite soo u mean i should only use this http://pastebin.com/wpwXv3kV
11:16 -!- WormFood [~wormfood@183.38.15.193] has joined ##openvpn
11:17 < oryxtec> ??
11:18 <@dazo> oryxtec: yupp ... that's all what openvpn cares about
11:19 < oryxtec> rite..
11:19 < oryxtec> wht else could coz that issue?
11:23 < oryxtec> @dazo: should i leave client.conf file as it it
11:23 < oryxtec> is
11:23 < oryxtec> or i should change that one as well
11:23 < oryxtec> ??
11:23 <@dazo> please change it, it's much more easier to help with only the core config file
11:24 <@dazo> (with a file having 100+ lines, you forget what was on line 14 when hitting the end)
11:24 -!- jY [jy@photoblog.com] has left ##openvpn ["Leaving"]
11:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
11:37 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
11:40 -!- jack77 [~jack77@178.0.108.202] has joined ##openvpn
11:42 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
11:56 < oryxtec> one more question which protocol is best to use for openvpn is it tcp or udp?"
11:59 -!- phantomcircuit [~phantomci@adsl-99-170-147-253.dsl.pltn13.sbcglobal.net] has quit [Quit: Leaving]
12:01 < oryxtec> guys please help me.. i have done all config file as u told me..
12:01 < oryxtec> but here is ping reply
12:01 < oryxtec> to my vpn server 
12:01 < oryxtec> http://pastebin.com/v6GMphg3
12:02 < oryxtec> and here is ping reply with out VPN server
12:02 < oryxtec> http://pastebin.com/Jk3JtjGf
12:12 < oryxtec> guys any help on this?
12:13 -!- krzie [krzee@openvpn/community/support/krzee] has joined ##openvpn
12:13 < krzie> [10:55]  <kisom> yes, sencond of all, use linux on the server.
12:13 < krzie> [10:55]  <kisom> i have never used openvpn on windows as a server
12:13 < krzie> kisom, openvpn can run on windows server just fine
12:14 < krzie> of course NAT is a pita if you need !redirect, but !winnat should help with that
12:17 < oryxtec> krzie; i m using openvpn server on a linux machine.
12:17 -!- raidzxx [~Andrew@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
12:17 -!- mode/##openvpn [+v raidzxx] by ChanServ
12:18 < krzie> oryxtec, and what is the problem?
12:18 -!- jack77 [~jack77@178.0.108.202] has quit [Quit: Leaving]
12:19 < oryxtec> ping is not satyable
12:20 < oryxtec> its going up and down
12:20 < oryxtec> i m using sip trafic over the openvpn.. and i m having voice issue.
12:20 < oryxtec> on vpn
12:20 < krzie> you using tcp as your transport?
12:20 < oryxtec> no UDP
12:21 < krzie> checked your MTU?
12:21 < oryxtec> nop
12:21 < krzie> !mtu
12:21 < oryxtec> how can i check MTU
12:21 < vpnHelper> krzie: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
12:23 < oryxtec> --mtu-test i will write this in client.conf file?
12:23 < krzie> !--
12:23 < vpnHelper> krzie: "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file.
12:25 < oryxtec> i ve placed and option in client.conf file now wht? how can i check MTU
12:25 < oryxtec> ?
12:26 < oryxtec> krzie:
12:26 -!- raidzxx [~Andrew@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Quit: Leaving]
12:27 -!- Chosi [osxchosi@choseh.de] has quit [Changing host]
12:27 -!- Chosi [osxchosi@unaffiliated/chosi] has joined ##openvpn
12:27 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
12:27 -!- raidzxx [~Andrew@tor-exit.greyunknown.com] has joined ##openvpn
12:27 < krzie> by connecting
12:27 < krzie> when it connects it will run the tests
12:28 -!- raidzxx [~Andrew@tor-exit.greyunknown.com] has quit [Client Quit]
12:31 -!- codertux [592832d5@gateway/web/freenode/ip.89.40.50.213] has joined ##openvpn
12:34 -!- dazo is now known as dazo_afk
12:35 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has joined ##openvpn
12:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:39 < vpnHelper> RSS Update - forum: Server Administration :: Re: windows 7 issue :: Reply by george <https://forums.openvpn.net/viewtopic.php?f=4&t=7110&p=7840#p7840>
12:42 -!- oryxtec [~oryxtec@119.152.75.62] has quit []
12:46 -!- p3rror [~mezgani@217.23.4.242] has joined ##openvpn
13:05 -!- codertux [592832d5@gateway/web/freenode/ip.89.40.50.213] has quit [Quit: Page closed]
13:10 -!- codertux [~codertux@89.40.50.213] has joined ##openvpn
13:21 -!- codertux is now known as codertux_
13:34 -!- codertux [592832d5@gateway/web/freenode/ip.89.40.50.213] has joined ##openvpn
13:34 -!- distort [~irc@216.168.1.32] has quit [Ping timeout: 245 seconds]
13:37 < codertux> hi, I'm trying to set up a bridged server on windows xp. I'm using the latest version from openvpm.net. the config file is here: http://openvpn.pastebin.com/hJSAxN6Q The issue is that the tap32 adapter doesn't come up when it's bridged.  Any ideas how to fix this?
13:44 -!- codertux [592832d5@gateway/web/freenode/ip.89.40.50.213] has quit [Ping timeout: 252 seconds]
13:45 < vpnHelper> RSS Update - forum: Wishlist :: Re: Windows Client Source Code + Build Instructions :: Reply by shawnlower <https://forums.openvpn.net/viewtopic.php?f=10&t=7073&p=7841#p7841>
13:49 -!- distort [~irc@ip-174-142-36-115.static.privatedns.com] has joined ##openvpn
13:52 -!- codertux_ is now known as codertux
13:56 < codertux> any ideas, somebody?
14:07 < ecrist> not I, sorry.
14:07 < krzie> sry, i dont help with bridges
14:09 < krzie> ecrist, ircstats isnt updated automagicly?
14:09 < ecrist> heh, it hasn't been since ~April, you're the first to notice.
14:09 < ecrist> that used to run on a windows machine, a Dell 2550 that I shut down because that's all it was doing.
14:11 < ecrist> if people started caring again, I'd fire it back up
14:11 < krzie> ahh, lol
14:11 < krzie> ive noticed a few times, this is the first time i mentioned anything
14:14 -!- barnex [~barnex@191-mi2-3.acn.waw.pl] has left ##openvpn ["WeeChat 0.3.0"]
14:14 < ecrist> I'll probably try to find a different windows machine to run that on.
14:18 -!- bandini [~bandini@host23-27-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
14:32 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 272 seconds]
14:33 -!- mezgani_ [~mezgani@41.140.225.101] has joined ##openvpn
14:36 -!- p3rror [~mezgani@217.23.4.242] has quit [Ping timeout: 252 seconds]
14:39 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:43 -!- mezgani_ [~mezgani@41.140.225.101] has quit [Quit: Leaving]
14:43 < vpnHelper> RSS Update - forum: Configuration :: Multi-client vpn :: Author talis <https://forums.openvpn.net/viewtopic.php?f=6&t=7115&p=7842#p7842>
14:46 -!- JackCorleone [~root@187.101.48.25] has quit [Remote host closed the connection]
14:51 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Quit: brb]
14:56 < jpalmer> !route
14:56 < vpnHelper> jpalmer: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:56 < jpalmer> !factoid
14:56 < vpnHelper> jpalmer: Error: "factoid" is not a valid command.
14:57 < jpalmer> !factoids
14:57 < vpnHelper> jpalmer: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
14:59 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
15:16 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has quit [Quit: Leaving]
15:20 -!- bandini [~bandini@host23-27-dynamic.20-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
15:28 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
15:42 -!- raidz [~Andrew@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
15:42 -!- mode/##openvpn [+v raidz] by ChanServ
15:46 -!- raidz [~Andrew@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Changing host]
15:46 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has joined ##openvpn
15:46 -!- ServerMode/##openvpn [+v raidz] by zelazny.freenode.net
15:46 -!- mode/##openvpn [+o raidz] by ChanServ
15:46 < codertux> ok, got the tap connection up, but I still can't ping anything from the other side of the vpn... I followed this guide: http://www.dslreports.com/forum/remark,15752402
15:46 < vpnHelper> Title: Re: Windows 2003 VPN - dslreports.com (at www.dslreports.com)
15:54 -!- distort [~irc@ip-174-142-36-115.static.privatedns.com] has quit [Ping timeout: 252 seconds]
15:57 < codertux> ok, one last chance. I've got it partially working. Can't ping across the vpn, but strangely, dhclient on the remote end does retrieve an ip from the DHCP server on the local network...
15:57 < codertux> the remote end = the client
15:58 < codertux> so, can someone help?
16:07 -!- distort [~irc@ip-174-142-36-115.static.privatedns.com] has joined ##openvpn
16:07 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined ##openvpn
16:10 -!- KaiForce [~chatzilla@adsl-70-228-79-226.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.10/20100914125854]]
16:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
16:20 -!- codertux is now known as codertux_
16:31 -!- codertux_ is now known as codertux
16:36 -!- agagag_ is now known as agagag
16:37 -!- codertux_ [~codertux@86.127.164.143] has joined ##openvpn
16:40 -!- codertux [~codertux@89.40.50.213] has quit [Ping timeout: 240 seconds]
16:46 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has quit [Quit: Leaving]
16:49 -!- takamichi [~pri@94-23-148-250.ovh.net] has quit [Read error: Connection reset by peer]
16:49 -!- takamichi [~pri@94-23-148-250.ovh.net] has joined ##openvpn
16:52 < fipu> hello
16:53 < fipu> how can I change settings from a hidden TAP device on windows?
16:53 < fipu> I selected hidden device and now I changed the IP from the VPN and tha TAP device wouldn't come up...
16:54 < fipu> anyone an idea?
16:56 -!- UnterPerro [~UnterPerr@166.193.241.204] has joined ##openvpn
16:59 -!- jeev [~email@unaffiliated/jeev] has joined ##openvpn
17:03 -!- codertux_ [~codertux@86.127.164.143] has quit [Ping timeout: 240 seconds]
17:05 -!- UnterPerro [~UnterPerr@166.193.241.204] has quit [Quit: UnterPerro lives to save another day]
17:15 < jpalmer> !linipforward
17:15 < vpnHelper> jpalmer: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
17:24 < fipu> There is a problem in your selection of --ifconfig endpoints [local=10.0.0.10, remote=10.0.0.1].  The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet.  This is a limitation of --dev tun when used with the TAP-WIN32 driver.  Try 'openvpn --show-valid-subnets' option for more info.
17:24 < fipu> is it not possible to give the server 10.0.0.1 and local 10.0.0.10?
17:30 -!- takamichi [~pri@94-23-148-250.ovh.net] has quit [Ping timeout: 272 seconds]
17:30 -!- takamichi [~pri@78.133.38.192] has joined ##openvpn
17:31 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:32 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has quit [Quit: Leaving]
17:32 -!- raidz [~Andrew@seance.openvpn.org] has joined ##openvpn
17:32 -!- raidz [~Andrew@seance.openvpn.org] has quit [Changing host]
17:32 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has joined ##openvpn
17:32 -!- mode/##openvpn [+o raidz] by ChanServ
17:32 -!- louve [~louve@irc.darchoods.net] has left ##openvpn ["oh noez, I couldn't pong back"]
17:33 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
17:35 -!- troy- [~tab@bgp4.us] has quit [Quit: leaving]
17:35 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 272 seconds]
17:36 -!- takamichi [~pri@78.133.38.192] has joined ##openvpn
17:36 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:45 -!- bayer [~bayer@I6I-I86.static.anw.at] has joined ##openvpn
17:55 < bayer> hi, i have set up a (open)vpn - now that there are machines whose names are only resolved by our internal DNS, i would like to push the DNS to the vpn clients. i found that dns-push directive, but the client (ubuntu) doesnt simply replace the DNS - where can i configure openvpn to do this automatically?
18:08 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
18:17 -!- bayer [~bayer@I6I-I86.static.anw.at] has quit [Ping timeout: 272 seconds]
18:24 < krzee> meh
18:24 < krzee> all he needed was !pushdns =/
18:31 -!- bayer [~bayer@chello062178075222.26.11.tuwien.teleweb.at] has joined ##openvpn
18:33 < jpalmer> !pushdns
18:33 < vpnHelper> jpalmer: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
18:40 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
18:53 -!- bayer [~bayer@chello062178075222.26.11.tuwien.teleweb.at] has quit [Ping timeout: 265 seconds]
19:01 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
19:05 -!- bayer [~bayer@I6I-I86.static.anw.at] has joined ##openvpn
19:07 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
19:08 -!- sno [~sno@static.153.209.46.78.clients.your-server.de] has quit [Ping timeout: 272 seconds]
19:08 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 240 seconds]
19:08 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
19:08 -!- reiffert [~thomas@mail.reifferscheid.org] has quit [Ping timeout: 276 seconds]
19:08 -!- reiffert [~thomas@mail.reifferscheid.org] has joined ##openvpn
19:09 -!- sno [~sno@85-10-202-144.clients.your-server.de] has joined ##openvpn
19:10 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
19:10 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
19:11 -!- helmut [helmut@subdivi.de] has quit [Remote host closed the connection]
19:11 -!- helmut [helmut@subdivi.de] has joined ##openvpn
19:14 -!- sno [~sno@85-10-202-144.clients.your-server.de] has quit [Ping timeout: 276 seconds]
19:14 -!- sno [~sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn
19:20 < krzee> hah nice jpalmer 
19:20 < krzee> good reaction time!
19:21 -!- bayer [~bayer@I6I-I86.static.anw.at] has quit [Ping timeout: 265 seconds]
19:34 -!- freaky[t] [alpha@freakyy.de] has quit [Ping timeout: 265 seconds]
19:34 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 252 seconds]
19:34 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined ##openvpn
19:35 < jpalmer> I'm having an odd issue with redirect-gateway.  I can ping through the gateway/vpn,  but..  no other services work. 
19:35 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
19:36 < jpalmer> dig www.google.com @4.2.2.2 as an example..  fails.   but I can ping and traceroute to 4.2.2.2 (and it goes through the openvpn server as expected)
19:37 -!- distort [~irc@ip-174-142-36-115.static.privatedns.com] has quit [Ping timeout: 252 seconds]
19:48 -!- WinstonSmith_ [~true@f052100214.adsl.alicedsl.de] has quit [Ping timeout: 252 seconds]
20:02 -!- WinstonSmith_ [~true@f052099053.adsl.alicedsl.de] has joined ##openvpn
20:20 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Remote host closed the connection]
20:22 -!- phantomcircuit_ [~phantomci@adsl-99-170-147-253.dsl.pltn13.sbcglobal.net] has joined ##openvpn
20:40 -!- phantomcircuit_ [~phantomci@adsl-99-170-147-253.dsl.pltn13.sbcglobal.net] has quit [Quit: Leaving]
20:53 -!- phantomcircuit_ [~phantomci@adsl-99-170-147-253.dsl.pltn13.sbcglobal.net] has joined ##openvpn
20:59 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined ##openvpn
21:01 -!- phantomcircuit_ [~phantomci@adsl-99-170-147-253.dsl.pltn13.sbcglobal.net] has quit [Quit: Leaving]
21:04 < krzee> jpalmer, sounds like firewall
21:04 < jpalmer> krzee: on which side?  the client has no firewall.  the server.. oh, you know what..
21:04 < jpalmer> hmm
21:04 < krzee> server
21:04 < jpalmer> I hate iptables.  :P   I really need to get better with it.
21:05 < jpalmer> I thought i had it disabled,  but I just checked and nope.
21:05 < krzee> if you had it disabled you wouldnt be NAT'ing the traffic and even the ping would fail
21:10 < jpalmer> fiar enough.  but I meant I thought I had it defaulting to allow traffic.
21:28 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
21:39 -!- E3b [~E3b@unaffiliated/e3b] has joined ##openvpn
21:39 < E3b> hello all, someone can help me please?
21:40 -!- theDoc [~Link@unaffiliated/thedoc] has joined ##openvpn
21:48 < abeehc-_> !welcome
21:48 < vpnHelper> abeehc-_: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:54 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
22:13 -!- WormFood [~wormfood@183.38.15.193] has quit [Ping timeout: 252 seconds]
22:32 -!- WormFood [~wormfood@183.39.106.246] has joined ##openvpn
22:38 -!- phantomcircuit_ [~phantomci@adsl-99-170-147-253.dsl.pltn13.sbcglobal.net] has joined ##openvpn
22:39 -!- phantomcircuit_ [~phantomci@adsl-99-170-147-253.dsl.pltn13.sbcglobal.net] has quit [Client Quit]
22:39 -!- phantomcircuit [~phantomci@adsl-99-170-147-253.dsl.pltn13.sbcglobal.net] has joined ##openvpn
22:46 -!- E3b [~E3b@unaffiliated/e3b] has quit [Quit: Leaving]
22:56 -!- WinstonSmith_ [~true@f052099053.adsl.alicedsl.de] has quit [Ping timeout: 252 seconds]
23:02 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
23:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 255 seconds]
23:08 < vpnHelper> RSS Update - forum: Configuration :: Two problems, one with routing, and one with SIGTERM on Win7 :: Author thylacine222 <https://forums.openvpn.net/viewtopic.php?f=6&t=7116&p=7843#p7843>
23:10 -!- ji0n [~john@c-76-108-239-149.hsd1.fl.comcast.net] has quit [Ping timeout: 276 seconds]
23:13 -!- UnterPerro [~UnterPerr@166.192.226.81] has joined ##openvpn
23:20 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
23:53 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
--- Day changed Wed Sep 22 2010
00:00 -!- m0hm0h [m0hm0h@kapsi.fi] has quit [Read error: Connection reset by peer]
00:17 < kraut> moin
00:42 < jeev> jpalmer, you should've read the topic. i should dock you your OP status in windows
01:11 -!- tjz [~pc@unaffiliated/tjz] has joined ##openvpn
01:13 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:13 -!- mode/##openvpn [+o mattock] by ChanServ
01:24 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
01:30 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has joined ##openvpn
01:35 -!- dazo_afk is now known as dazo
02:06 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 272 seconds]
02:12 -!- UnterPerro [~UnterPerr@166.192.226.81] has quit [Quit: UnterPerro lives to save another day]
02:27 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:54 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
03:21 -!- lolipop [~soontak@209.247.95.219.cbj02-home.tm.net.my] has joined ##openvpn
03:23 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Ping timeout: 240 seconds]
03:23 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined ##openvpn
03:25 -!- lolipop [~soontak@209.247.95.219.cbj02-home.tm.net.my] has quit [Client Quit]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:38 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:43 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
03:43 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
03:48 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
03:54 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
03:54 -!- mode/##openvpn [+o mattock] by ChanServ
04:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
04:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
04:19 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
05:09 -!- b_52light [~b_52light@41.248.169.199] has joined ##openvpn
05:09 < b_52light> hi guys
05:09 < b_52light> plz is it possible to check all the certificate that have been created
05:11 -!- brah [~brah@host97.190-136-164.telecom.net.ar] has quit [Remote host closed the connection]
05:30 -!- woshty [~woshty@no3.woshty.de] has joined ##openvpn
05:32 < woshty> hello there. i am trying to set a dns server for a windows tap device via the client config (no push) .. everything that came to mind failed .. any ideas? if i could run a simple command on the client after connect, it would do the trick
05:40 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
05:52 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:57 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left ##openvpn []
06:32 < woshty> got it working, found --up, --down .. %path% does not seem to be set
06:34 -!- borcky [~borcky@xdsl-188-155-117-95.adslplus.ch] has joined ##openvpn
06:48 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
06:55 -!- kotique [~kotique@bluemile.vps.deepunix.net] has joined ##openvpn
06:56 < kotique> hey guys, is it possible to retrieve user certificates from an ldap server? 
06:56 < kotique> i want to have cenntral management, with user settings (routes, ips) stored in ldap too
06:59 -!- VirusTB [~VirusTB@ip-145-93-222-72.fontys.nl] has joined ##openvpn
07:05 < ecrist> b_52light: yes, if you have your index.txt which was created by openssl
07:06 < kotique> is it possible to push options that are output by a script?
07:06 < ecrist> such as?
07:07 < kotique> client connects, server executes a script and that script returns options that should be pushed to clietn
07:07 < ecrist> not sure, but it should be easy to test it out.
07:07 < ecrist> create a client connect script and attempt it.
07:07 < kotique> should I send the output directly to stdout?
07:07 < ecrist> I imaged what you'd have to do is use that script to generate a ccd entry for the connecting user.
07:08 < kotique> oh, well, I wanted to stay dynamic
07:08 < ecrist> that is dynamic
07:08 < kotique> will it be executed in case client disconnects and reconnects again?
07:08 < ecrist> should be, yes.
07:08 < kotique> in case of ip renewal or whatever
07:08 < kotique> okay
07:09 < kotique> thanks for help!
07:09 < ecrist> np
07:14 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:18 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
07:25 -!- VirusTB [~VirusTB@ip-145-93-222-72.fontys.nl] has quit [Quit:  has left the bulding]
07:25 -!- VirusTB [~VirusTB@ip-145-93-222-72.fontys.nl] has joined ##openvpn
07:28 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
07:43 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
07:45 -!- waynerr [~waynerr@109.75.17.130] has joined ##openvpn
07:46 < waynerr> hi there, i would like to understand my openvpn server log abit better, i have entrys which look like: USER/IP:PORT TCPv4_SERVER WRITE [] to P_DATA_V1 kid=1 DATA len= ????
07:47 < waynerr> is 'len=' measured in byte or bit ? 
07:49 < waynerr> the background is i want to measure how much traffic one user made over the vpn
07:50 < ecrist> waynerr: openvpn tracks that already
07:50 < ecrist> it's output  in the status log
07:51 < ecrist> Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
07:51 < ecrist> dunc,XXX.YYY.ZZZ.QQQ:39809,2618562,167941351,Fri Sep 17 17:22:06 2010
07:52 < ecrist> the 'real address' field contains the port number they're connecting from, as well
07:52 < waynerr> so i should find entrys like that in my logfile then, iam gonna search now
07:52 < ecrist> there are two logs.
07:52 < ecrist> there's the actual log, then there's a status file
07:52 < ecrist> you need to enable it in the server config
07:53 < ecrist> status /var/openvpn/openvpn-status.log15
07:53 < ecrist> there should be a space between the file and the '15' there.
07:53 < waynerr> problem is i use an application with openvpn server
07:53 < ecrist> what do you mean?
07:53 < waynerr> but i got shell access, so i will have a look if it is activated
07:54 < waynerr> its astaro security gateway, they use openvpn server for roadwarrior vpn
07:55 < waynerr> and i look to find out about past connections, not for the future ones
07:55 < ecrist> ah, I don't think there's any way to know about past connections.
07:55 < ecrist> even with status log, you need to poll that file and update things properly.
07:56 < ecrist> also, you can track this data with a client disconnect script, as all that data is available upon disconnect within the environment.
08:01 < Rienzilla> hey everyone
08:01 < Rienzilla> I still havent figured out my routing exactly. Any idea on http://pastebin.org/1078396 ? 
08:01 < Rienzilla> (the error is listed last)
08:03 < woshty> i am using route-gateway and redirect-gateway to send all traffic through the vpn .. however after some time my windows computer starts using the non-vpn gateway again (but keeps using the tap dev dns)
08:03 < waynerr> ecrist, there is a status.log but only one for the actual day
08:04 < ecrist> yeah, I said that.
08:04 < ecrist> the status log is going to only track currently active connections.
08:04 < waynerr> ecrist, so my best hope still is to find out what "len=" in the log means and that just parse the logfile with a selfwritten scripts
08:04 < waynerr> my grammar is bad atm sorry
08:05 < ecrist> Rienzilla:
08:05 < ecrist> !logs
08:05 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
08:07 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
08:10 -!- VirusTB [~VirusTB@ip-145-93-222-72.fontys.nl] has quit [Ping timeout: 272 seconds]
08:11 < Rienzilla> ecrist: http://pastebin.org/1078504
08:13 -!- dearka [~marley@200.253.157.13] has joined ##openvpn
08:13 < dearka> !welcome
08:13 < vpnHelper> dearka: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:14 < ecrist> Rienzilla: fwiw, I would suggest upgrading to 2.1.3 (you're running 2.1-rc11
08:15 < Rienzilla> it's debian's default version
08:15 < Rienzilla> if there's no compelling reason to upgrade I would rather stick with it
08:16 < dearka> when windows clients try to connect i my server, i see this mensage in my server log: "date: write error: Permission denied", what could be this? 
08:17 < ecrist> Rienzilla: the compelling reason would be, technically, we don't support release candidates for something that's actually been released
08:17 < ecrist> and it was released about 9 months ago
08:18 < Rienzilla> debian tends to be (very) slow in that respect
08:18 < ecrist> rc11 was released on Sept 14, 2008, there were 23 release candidates for 2.1, and the current version of openvpn is 2.1.3.
08:19 < ecrist> the fact that you're on debian isn't an excuse, though.  not saying your problem is related to your version, but you should upgrade.
08:19 < Rienzilla> that would be a major pain in the ass :(
08:20 < ecrist> I find it hard to believe rc11 is still 'default' in debian, as the guy who does the debian distribution is active in the openvpn-devel channel.
08:20 < ecrist> regardless, what line of that log is the problem one?
08:21 < Rienzilla> It is, the software for debians latest version has been frozen a long time ago
08:21 < Rienzilla> anyway
08:21 < Rienzilla> it is the fact that the routes arent set
08:21 < ecrist> which line of that pastebin?
08:21 < Rienzilla> Sep 22 13:00:27 vpnbox-ctz-ebw ovpn-renameit-ctz[1363]: OpenVPN ROUTE: vpn_gateway undefined
08:21 < Rienzilla> Sep 22 13:00:27 vpnbox-ctz-ebw ovpn-renameit-ctz[1363]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 10.7.2.128
08:21 < Rienzilla> uhm
08:21 < Rienzilla> let me find
08:21 < ecrist> line number, please
08:22 < Rienzilla> 490
08:22 < Rienzilla> to 493
08:22 -!- le0 [~fin@82.132.248.215] has joined ##openvpn
08:22 -!- le0 [~fin@82.132.248.215] has quit [Changing host]
08:22 -!- le0 [~fin@unaffiliated/le0] has joined ##openvpn
08:23 < ecrist> Rienzilla: the problem is line 38 of your first post, vpn_gateway isn't set any where
08:23 < ecrist> the error is pretty clean
08:23 < ecrist> clear*
08:24 < Rienzilla> how would I set it?
08:25 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined ##openvpn
08:25 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
08:25 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined ##openvpn
08:25 < Rienzilla> dazo told me the other day that it was a builtin keyword
08:25 < vpnHelper> RSS Update - forum: Server Administration :: OpenVPN and WINS problem :: Author Mimiko <https://forums.openvpn.net/viewtopic.php?f=4&t=7117&p=7844#p7844> || Installation Help :: TAP-Win32 adapter does not show up under ipconfig :: Author geziefer <https://forums.openvpn.net/viewtopic.php?f=5&t=7118&p=7845#p7845>
08:27 < ecrist> Rienzilla: it may be, but not until recently, I'm guessing.
08:27 < ecrist> either way, the log file is telling you it's not
08:27 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
08:28 < Rienzilla> I can read that, but that doesn't really help
08:28 < Rienzilla> (there is by the way documentation dating back to 2005 using this keyword)
08:29 < Rienzilla> hmmwait
08:29 < ecrist> if you want to use the vpn gateway, just omit the last part
08:30 < ecrist> so, instead of: route 10.7.2.0 255.255.255.0 vpn_gateway
08:30 < ecrist> use: route 10.7.2.0 255.255.255.0
08:30 < Rienzilla> that won't work as well
08:31 < ecrist> why not?
08:31 < Rienzilla> irt seems I have to manually specify an address with --ifconfig, or with --route-gateway
08:31 < Rienzilla> it will tell me this if I use route without vpn_gateway: Sep 22 13:31:25 vpnbox-ctz-ebw ovpn-renameit-ctz[1457]: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
08:32 < ecrist> odd, I've been using 'route <network> <mask>' in my configs for years.
08:33 < ecrist> both inside a push, and not
08:33 < Rienzilla> did all those configs include an --ifconfig?
08:33 < ecrist> no
08:35 < Rienzilla> if I add ifconfig with 2 bogus addresses from my range, it will more or less work
08:36 < Rienzilla> but it should just be able to add a route to 10.7.2.0/24 via its vpn interface, without specifying a gateway
08:40 < Rienzilla> it's weird. manually adding a route with ip ro add 10.7.2.0/24 dev renameit-ctz will make it work
08:40 < Rienzilla> (as expected)
08:43 < Rienzilla> if anyone else has an idea i'd appreciate it
08:43 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has quit [Quit: Leaving]
08:47 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
08:48 < woshty> !redirect
08:48 < vpnHelper> woshty: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
08:49 < woshty> !def1
08:49 < vpnHelper> woshty: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
08:50 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
09:06 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
09:15 < Martin`> is there already a --redirect-gateway like thing for ipv6? :P
09:32 -!- borcky [~borcky@xdsl-188-155-117-95.adslplus.ch] has quit [Quit: fertig lustig]
09:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
09:41 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Excess Flood]
09:45 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined ##openvpn
09:55 -!- [intra]lanman [~lanman@va-67-76-163-226.sta.embarqhsd.net] has joined ##openvpn
09:55 -!- [intra]lanman [~lanman@va-67-76-163-226.sta.embarqhsd.net] has quit [Changing host]
09:55 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
09:57 -!- waynerr [~waynerr@109.75.17.130] has quit [Read error: Connection reset by peer]
10:24 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has joined ##openvpn
10:24 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Client Quit]
10:24 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 276 seconds]
10:28 -!- WinstonSmith [~true@g230123178.adsl.alicedsl.de] has joined ##openvpn
10:45 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined ##openvpn
11:05 -!- WormFood [~wormfood@183.39.106.246] has quit [Ping timeout: 272 seconds]
11:17 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
11:18 -!- WormFood [~wormfood@183.38.15.170] has joined ##openvpn
11:18 -!- krzee [~k@openvpn/community/support/krzee] has joined ##openvpn
11:21 -!- darkdrgn2k3 [~darkdrgnk@bas2-toronto44-1176438035.dsl.bell.ca] has joined ##openvpn
11:21 < darkdrgn2k3> hey all
11:22 < darkdrgn2k3> when i try to access a computer over a OPENVPN TUN connection (XP) i ekeep getting "network path not found"
11:23 < darkdrgn2k3> "The network path was not found"
11:23 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 276 seconds]
11:34 < hyper_ch> !tell
11:34 < vpnHelper> hyper_ch: (tell <nick> <text>) -- Tells the <nick> whatever <text> is. Use nested commands to your benefit here.
11:34 < hyper_ch> !tell darkdrgn2k3 "factoids config"
11:34 < hyper_ch> dammit
11:34 < hyper_ch> I forgot it again
11:35 < hyper_ch> !configs
11:35 < vpnHelper> hyper_ch: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
11:35 < hyper_ch> !factoid
11:35 < vpnHelper> hyper_ch: Error: "factoid" is not a valid command.
11:35 < hyper_ch> !factoids
11:35 < vpnHelper> hyper_ch: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
11:35 < hyper_ch> !tell hyper_ch "factoids configs"
11:36 < darkdrgn2k3> lol
11:36 < darkdrgn2k3> 1 sec
11:36 < darkdrgn2k3> pastebinnin
11:36 < hyper_ch> !tell hyper_ch factoids configs
11:36 < hyper_ch> !tell hyper_ch "!factoids configs"
11:37 < darkdrgn2k3> http://pastebin.ca/1946629
11:37 < darkdrgn2k3> this client also has a route defined in cCD
11:37 < darkdrgn2k3> push "route 192.168.50.0 255.255.255.0"
11:37 < darkdrgn2k3> pings work.. mstsc works everything SEEMS to work
11:37 < darkdrgn2k3> but any smb messages fail
11:38 < darkdrgn2k3> (like joining the domain.. or browsing shares)
11:38 < darkdrgn2k3> everythign works if its NOT vpened
11:38 < hyper_ch> 2/3 of the configs are missing
11:39 < hyper_ch> !tell hyper_ch [!factoids configs]
11:39 < vpnHelper> hyper_ch: Error: "!factoids" is not a valid command.
11:39 < hyper_ch> !tell hyper_ch [factoids configs]
11:39 < vpnHelper> hyper_ch: Error: The "Factoids" plugin is loaded, but there is no command named "configs" in it.  Try "list Factoids" to see the commands in the "Factoids" plugin.
11:39 -!- phantomcircuit [~phantomci@adsl-99-170-147-253.dsl.pltn13.sbcglobal.net] has quit [Ping timeout: 272 seconds]
11:39 < kotique> make a pastebin that removes comments for user
11:40 < darkdrgn2k3> what you mean they are missing?
11:40 < hyper_ch> !configs
11:40 < vpnHelper> hyper_ch: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
11:40 < darkdrgn2k3> that IS my FULL config
11:40 < darkdrgn2k3> http://pastebin.ca/1946631 <- with not comments
11:41 < darkdrgn2k3> whats missing?
11:41 < hyper_ch> !tell hyper_ch [configs]
11:41 < darkdrgn2k3> oo
11:41 < darkdrgn2k3> client
11:41 < darkdrgn2k3> sorry
11:41 < darkdrgn2k3> my bad
11:41 < hyper_ch> ha, I got it :)
11:41 < hyper_ch> and ccd
11:41 < darkdrgn2k3> http://pastebin.ca/1946634
11:41 < darkdrgn2k3> ccd is ONLY  push "route 192.168.50.0 255.255.255.0"
11:45 < hyper_ch> darkdrgn2k3: can you pint the other clients in the vpn?
11:45 < darkdrgn2k3> no
11:45 < darkdrgn2k3> but i can ping them
11:45 < darkdrgn2k3> everythign else SEEMS to work
11:45 < darkdrgn2k3> except SMB like transactions
11:46 < hyper_ch> isn't the samba server listening on the vpn ip?
11:46 < darkdrgn2k3> no
11:46 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
11:46 < hyper_ch> could you have it restricted just to your normal lan?
11:46 < darkdrgn2k3> its routed
11:46 < hyper_ch> no clue then
11:46 < darkdrgn2k3> Argv!
11:46 < darkdrgn2k3> with microsoft came with a -vvvvv
11:48 < darkdrgn2k3> ok.. its somethign in my firewall :( god damit
11:48 < darkdrgn2k3> now WHAT coudl it be LOL
11:50 < hyper_ch> you did not enable upnp ^^
11:50 < hyper_ch> but then, I don't recommend anyone to enable upnp
11:50 < darkdrgn2k3> :-D
11:54 < ecrist> upnp is good for some things.
11:54 < darkdrgn2k3> like not being standardized
11:55 < ecrist> it's getting there, though.
11:55 < ecrist> works fine on my airport extremem
11:56 -!- Blues-Man [~bluesman@host146-107-dynamic.23-79-r.retail.telecomitalia.it] has joined ##openvpn
12:01  * cpm wonders what exactly is so extreme about those things. 
12:04 < ecrist> they're magical.
12:04 < ecrist> heh
12:11 -!- WinstonSmith [~true@g230123178.adsl.alicedsl.de] has quit [Ping timeout: 264 seconds]
12:13 -!- dearka [~marley@200.253.157.13] has quit [Quit: Saindo]
12:15 -!- bent_screwdriver [~socain00@74.255.249.66] has joined ##openvpn
12:18 < hyper_ch> isn't UPNP the numbe 1 nightmare for security minded people?
12:21 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined ##openvpn
12:21 -!- dazo is now known as dazo_afk
12:21 < bent_screwdriver> just cut over 14 long distance frame-relay sites to internet t-1's running openvpn on soekris boxes and the're running beautifully. thanks for the help here and all of the available documentation!
12:23 -!- WinstonSmith [~true@g230123178.adsl.alicedsl.de] has joined ##openvpn
12:23 < hyper_ch> bent_screwdriver: enjoy :)
12:29 -!- krzie [krzee@openvpn/community/support/krzee] has joined ##openvpn
12:37 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:39 -!- WinstonSmith [~true@g230123178.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
12:46 -!- kotique [~kotique@bluemile.vps.deepunix.net] has quit [Quit: жопа диридай диридиридай]
12:56 -!- Blues-Man [~bluesman@host146-107-dynamic.23-79-r.retail.telecomitalia.it] has quit [Quit: Sto andando via]
13:13 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
13:16 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
13:16 -!- manevra [~manevra@86.121.76.217] has joined ##openvpn
13:22 < ecrist> hyper_ch: yes/no
13:22 < ecrist> for any sort of service provider, nat is the enemy
13:22 < ecrist> upnp allows reasonable nat traversal for two way connections.
13:22 -!- WinstonSmith [~true@g230123178.adsl.alicedsl.de] has joined ##openvpn
13:24 < kisom> bent_screwdriver: Hope you set it all up correctly ;)
13:29 -!- unkmar [~unkmar@adsl-074-183-061-041.sip.cha.bellsouth.net] has joined ##openvpn
13:29 -!- phantomcircuit [~phantomci@adsl-99-170-147-253.dsl.pltn13.sbcglobal.net] has joined ##openvpn
13:30 -!- JackCorleone [~root@187.101.48.25] has joined ##openvpn
13:45 -!- phantomcircuit [~phantomci@adsl-99-170-147-253.dsl.pltn13.sbcglobal.net] has quit [Ping timeout: 240 seconds]
13:45 -!- manevra [~manevra@86.121.76.217] has quit []
13:46 < unkmar> so, um.  You don't install openvpn onto windows?
13:46 < unkmar> Not the server?
13:54 -!- p3rror [~mezgani@217.23.4.242] has joined ##openvpn
13:58 -!- phantomcircuit [~phantomci@adsl-99-20-128-179.dsl.pltn13.sbcglobal.net] has joined ##openvpn
14:07 < fipu> Hi
14:08 < fipu> in the openvpn howto is written that the easy-rsa is in /usr/share/doc/openvpn-2.0
14:09 < fipu> but I have only one @ /usr/share/doc/openvpn/examples/easy-rsa/2.0/
14:09 < fipu> is that the right folder?
14:10 < ecrist> sure
14:11 < hyper_ch> ecrist: for you:  http://farm5.static.flickr.com/4086/4998417812_d1dfe077fa_o.jpg
14:12 < ecrist> hyper_ch: for you: http://img5.rajce.idnes.cz/d0501/3/3975/3975171_2296dbe2eb08b41dab6eb7727b2569a6/images/295.jpg
14:13 < hyper_ch> ecrist: :(
14:13 < ecrist> ;)
14:20 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 240 seconds]
14:24 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:26 < phantomcircuit> fipu, it's distro dependent
14:27 < fipu> ok, thx
14:27 < fipu> other question
14:27 < fipu> I use now certificates because I have multiple clients and this does not work with a PSK...
14:28 < fipu> how can I sepcify the IP-Adress that a client get
14:28 < fipu> server site
14:28 < fipu> so I want that the clients can not change the IP that they get
14:30 < bent_screwdriver> kisom: yeah, even had a pen test company hit it and didn't even see it. setup ospf with quagga so my failover to alternate sites and connections is just as fast as frame was with eigrp
14:31 < phantomcircuit> bent_screwdriver, pentesting is 99% worthless
14:31 < phantomcircuit> they're only going to find the most obvious flaws
14:33 < bent_screwdriver> phantomcircuit: i know, mostly for our auditors. Its a pretty crafty company that is linux savy. and i have them what i was using and port just to see what they could find...but it is locked down pretty tight with iptables, external routes only to each other, etc.
14:34 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
14:35 < phantomcircuit> the good old bullshit paper work
14:35 < phantomcircuit> i assume auditors provide paper work for insurance
14:35 < phantomcircuit> and the pentesters provide paperwork for the auditors
14:36 < bent_screwdriver> auditors provide paperwork for other auditors
14:36 < phantomcircuit> who eventually provide paperwork for ...?
14:36 < bent_screwdriver> they are gov auditors
14:37 < phantomcircuit> oh so they're completely useless
14:37 < phantomcircuit> gotcha
14:37 < bent_screwdriver> that work with our internal auditors that drill us continuosly, and yes, they all are. ;)
15:01 < unkmar> Why should I bridge?  What is the reason.  What is the benefit?
15:01 < unkmar> I don't believe I can bridge is one reason I need to know.
15:04 < fipu> I use ifconfig-pool-persist ips.txt, is it possible to set an IP for a client that he not can change? I want that it is never possible for a client to change it's IP @ VPN
15:04 < fipu> is that possible?
15:05 < phantomcircuit> fipu, nope
15:05 < phantomcircuit> you might be able to block clients who have changed their ip
15:06 < phantomcircuit> but i've got no idea where to even start with that
15:06 < fipu> How can I do that?
15:06 < fipu> I want block all Clients that changed they'r IP
15:07 < fipu> and how can I set a static IP for client? with ifconfig-pool-persist ips.txt?
15:07 < fipu> in this file set the client certificate name and the IP?
15:10 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
15:11 < Bushmills> !ccd
15:11 < vpnHelper> Bushmills: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
15:11 < Bushmills> fipu: ^^^
15:12 < Bushmills> !ifconfig-push
15:12 < vpnHelper> Bushmills: Error: "ifconfig-push" is not a valid command.
15:12 < Bushmills> well, ifconfig-push is what you'd use in the ccd client specific files
15:17 < krzee> !static
15:17 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
15:21 -!- b_52light_ [~b_52light@41.249.23.112] has joined ##openvpn
15:21 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
15:24 < fipu> Bushmills: how can I "push" the IP to a Client?
15:24 < fipu> and be sure that the client is not able to use a self specified IP?
15:25 -!- b_52light [~b_52light@41.248.169.199] has quit [Ping timeout: 272 seconds]
15:26 < krzee> fipu, do not use tap, do not use topology subnet, and use !static
15:26 < Bushmills> "how can I "push""  ... reading might be helpful
15:26 -!- bent_screwdriver [~socain00@74.255.249.66] has quit []
15:29 < Bushmills> i *think* client can only talk to server with that pushed address. when client attempts to specify a different one, either remote side simply won't reply.
15:30 < fipu> Bushmills: ok
15:30 < fipu> other question, how can I "unsign" a client certificate so that this certificate can not longer connect to the server?
15:31 < krzee> Bushmills, actually with tap or topology subnet i think the client can actually change IPs
15:31 < krzee> i havnt tested the topology subnet, but i dont see why it would not work
15:33 -!- p3rror [~mezgani@217.23.4.242] has quit [Quit: Leaving]
15:34 < fipu> Anyone an idea? Is it possible to "deactivate" a client?
15:34 < fipu> that it can no longer connect to the server?
15:34 < krzee> with default topology, changing IPs would result in being outside the right /30
15:34 < krzee> fipu, 
15:34 < krzee> !crl
15:34 < vpnHelper> krzee: "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that will
15:34 < vpnHelper> krzee: create the CRL file for you. ssl-admin will also build a crl for you
15:37 < krzee> fipu, that is the permanent method
15:38 < krzee> if you need a temporary method, like some do with off-site support, you would use disable in a ccd entry
15:39 < krzee> but you want to use the CRL when it is for security reasons such as a fired employee or a lost/compromised key
15:40 -!- b_52light_ [~b_52light@41.249.23.112] has quit [Read error: No route to host]
15:40 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
15:44 < fipu> krzee: thank you :) I want to use it if a friend leave the group. So I think a CRL list is good.
15:44 < fipu> what do mean with CCD?
15:48 < hyper_ch> !ccd
15:48 < vpnHelper> hyper_ch: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
15:49 < fipu> ah ok
15:49 < fipu> and the common name can not be changed by client in the ertificate?
15:52 -!- p3rror [~mezgani@217.23.4.242] has joined ##openvpn
15:58 -!- phantomcircuit [~phantomci@adsl-99-20-128-179.dsl.pltn13.sbcglobal.net] has quit [Quit: Leaving]
16:00 -!- p3rror [~mezgani@217.23.4.242] has quit [Remote host closed the connection]
16:02 -!- p3rror [~mezgani@217.23.4.242] has joined ##openvpn
16:02 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined ##openvpn
16:04 -!- vexorg [~vexorg@h216-18-7-221.gtconnect.net] has quit [Quit: idclip]
16:08 -!- nebula [patel@vortex.openvpn.net] has joined ##openvpn
16:08 -!- mode/##openvpn [+o nebula] by ChanServ
16:09 < fipu> mhhh
16:09 < fipu> problem, that does not work with the CCD
16:09 -!- patelx [patel@openvpn/corp/admin/patel] has quit [Ping timeout: 276 seconds]
16:09 < fipu> because it wants a ifconfig like in a PSK mode
16:10 < fipu> it sais that it must be in the same 255.255.255.252 network
16:10 < fipu> *said
16:10 < fipu> I don't want to create virtual IP's, I only want to give the Clients a static IP in the same subnet
16:10 < fipu> 10.2.2.0
16:11 < fipu> server has 10.2.2.1
16:11 < fipu> client should have 10.2.2.5 (static and not changeable)
16:17 < fipu> krzee: Can you help me?
16:17 < fipu> Or anyone else an idea?
16:25 < fipu> ah ok
16:25 < fipu> it works
16:25 < fipu> I always need two IP's to give a client an IP
16:25 < fipu> if I want give 10.2.2.5 to the client I need to assign 10.2.2.4 too
16:25 < fipu> omg
16:25 < fipu> is that right?
16:26 < fipu> for each client openVPN needs two IP's?
16:28 < krzee> !/30
16:28 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
16:29 < krzee> you dont want to avoid that behavior, you want that behavior
16:29 -!- p3rror [~mezgani@217.23.4.242] has quit [Ping timeout: 245 seconds]
16:29 < krzee> because with that, nobody can change their IP manually
16:29 < krzee> (they can, but it will break their connection until they change it back)
16:30 < krzee> im at work, so i go away and come back a bit throughout the day
16:36 -!- cofffee [~quassel@c-76-26-209-236.hsd1.sc.comcast.net] has joined ##openvpn
16:40 -!- cofffee [~quassel@c-76-26-209-236.hsd1.sc.comcast.net] has quit [Client Quit]
16:41 -!- cofffee [~quassel@c-76-26-209-236.hsd1.sc.comcast.net] has joined ##openvpn
16:42 -!- cofffee [~quassel@c-76-26-209-236.hsd1.sc.comcast.net] has quit [Client Quit]
16:47 -!- cofffee [~quassel@c-76-26-209-236.hsd1.sc.comcast.net] has joined ##openvpn
16:47 -!- cofffee [~quassel@c-76-26-209-236.hsd1.sc.comcast.net] has quit [Client Quit]
16:48 -!- cofffee [~quassel@c-76-26-209-236.hsd1.sc.comcast.net] has joined ##openvpn
16:48 -!- cofffee [~quassel@c-76-26-209-236.hsd1.sc.comcast.net] has quit [Client Quit]
16:51 < vpnHelper> RSS Update - forum: Configuration :: Routing working in 2.09 but not in 2.1.1 with my config file :: Author laughingguff <https://forums.openvpn.net/viewtopic.php?f=6&t=7119&p=7846#p7846>
17:03 < vpnHelper> RSS Update - forum: Off Topic, Related :: Re: Help convince a large water company :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=1&t=7098&p=7847#p7847>
17:20 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
17:36 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: Leaving]
17:49 -!- [intra]lanman [~lanman@va-67-76-163-226.sta.embarqhsd.net] has joined ##openvpn
17:49 -!- [intra]lanman [~lanman@va-67-76-163-226.sta.embarqhsd.net] has quit [Changing host]
17:49 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
17:50 -!- WinstonSmith [~true@g230123178.adsl.alicedsl.de] has quit [Ping timeout: 252 seconds]
17:51 -!- Shazzamy [~Shazzamy@unaffiliated/shazzamy] has joined ##openvpn
17:52 < Shazzamy> hello
17:52 < Shazzamy> so i just read that dd-wrt supports hosting a openvpn server
17:53 < Shazzamy> is it hard to setup? is there much cli work or more gui?
17:54 < Shazzamy> an openvpn*
17:56 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:00 -!- phantomcircuit_ [~phantomci@adsl-99-20-128-179.dsl.pltn13.sbcglobal.net] has joined ##openvpn
18:03 -!- phantomcircuit_ [~phantomci@adsl-99-20-128-179.dsl.pltn13.sbcglobal.net] has quit [Client Quit]
18:03 -!- phantomcircuit [~phantomci@adsl-99-20-128-179.dsl.pltn13.sbcglobal.net] has joined ##openvpn
18:04 -!- Shazzamy [~Shazzamy@unaffiliated/shazzamy] has quit [Quit: Shazzamy]
18:06 -!- Shazzamy [~Shazzamy@d161-184-139-209.abhsia.telus.net] has joined ##openvpn
18:06 -!- Shazzamy [~Shazzamy@d161-184-139-209.abhsia.telus.net] has quit [Changing host]
18:06 -!- Shazzamy [~Shazzamy@unaffiliated/shazzamy] has joined ##openvpn
18:08 < Shazzamy> back
18:09 -!- zzattack [~zz@21-78-ftth.onsneteindhoven.nl] has joined ##openvpn
18:09 < zzattack> say I have an openvpn server on box A, a local client B, and a remote client named C. if on B a bridged vmware adapter is used for network access in a virtual machine, would it be possible to connect to the remote client C from the virtual machine? outside the VM is works fine from B, and the VM adapter is in bridge mode.
18:18 < oc80z> ofc.
18:19 < Shazzamy> does anyone in this watch?
18:20 < oc80z> yes.
18:20 < Shazzamy> or is it just uniformed people that don't know to answer a specific question
18:20 < Shazzamy> Like I
18:20 < oc80z> its 7:20pm, eastern.
18:20 < oc80z> (dunno if everyone is here)
18:21 < Shazzamy> okay
18:21 < oc80z> zzattack yes it will work.
18:21 < zzattack> just like thaT?
18:21 < zzattack> should work right waya?
18:21 < Shazzamy> what is ofc oc80z 
18:21 < Shazzamy> ?
18:22 < zzattack> away*
18:22 < oc80z> if the route tables are OK, yes.
18:22 < zzattack> are route tables even involved with bridging?
18:23 < krzee> ofc = of course
18:23 < Shazzamy> Oh, never knew that before, thanks 
18:23 < krzee> np
18:23 < krzee> (no problem)
18:23 < oc80z> well the openvpn server IP address is 10.10.10.1 , is B and C 10.10.10.*
18:24 < zzattack> nope not the case, C has a different subnet than A and B
18:24 < zzattack> but, connecting from B to C works just fine. just not from the VM on B to C
18:24 < krzee> oc80z, he mentioned the VM is in bridge mode, said nothing about the mode of the vpn
18:24 < krzee> assuming it is routed mode, you have some routes to add
18:24 < zzattack> ah, the vpn is tap
18:24 < krzee> if its bridge mode, im useless to you
18:26 < Shazzamy> has anyone set up an openvpn server on their router?
18:30 < oc80z> yes Shazzamy
18:31 < Shazzamy> cool, was it relatively simple or a lot of fiddling around with it?
18:32 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
18:32 < oc80z> i suggest using the UCI system in OpenWRT 
18:32 < oc80z> it also has a GUI, luci. 
18:32 < oc80z> ..buying a good router, too.
18:33  * Bushmills runs openvpn as client under openwrt
18:33 < oc80z> i didnt spin any special boards for my @home thing, but the router is mimo, dd-wrt.
18:33 < oc80z> then again, the monopoly ISP in the city restricts bandwidth to 250GB/month
18:34 < Bushmills> relatively easy to set it up.  using "foreign" config, i.e. not the openwrt uci stuff, but a straight openvpn config file
18:34 < oc80z> i just got back to the states and saw the usage while i was away, geeesh. 
18:34 < Shazzamy> i have a linksys wrt54g v5
18:34 < Bushmills> tp-link wr1043nd here
18:34 < Bushmills> 8 MiB flash, 32 MiB RAM
18:34 < oc80z> Bushmills nice. Shazzamy you got any $ to spend? 
18:35 < Shazzamy> yes
18:35 < Shazzamy> but i don't really want to have to but if i must, i may
18:35 < oc80z> i hid a wrt54g in a serverroom. 
18:36 < Shazzamy> hid?
18:36 < Shazzamy> i see
18:36 < Shazzamy> well i dont know if i'll have time to set this up this evening
18:36 < oc80z> heh. the dhcp-client table is dunno, 55 now? mostly ipods..
18:37 < Shazzamy> oh
18:37 < oc80z> i just make the net free for some ppl, its OK. 
18:37 < Shazzamy> sweet
18:37 < Shazzamy> i was basically wanting to do that, help some certain people out
18:37 < Shazzamy> what's your upload speed?
18:38 < oc80z> 30mbits
18:39 < Bushmills> openvpn on router uses about 2.5 ... 3 MiB RAM. executable uses about 170 kB flash, but that's not including ssl libs
18:39 < oc80z> ...i was just at a embedded systems conference in boston today
18:39 < oc80z> nice stuffs there.
18:39 < Shazzamy> damn
18:39 < Shazzamy> download speed?
18:40 < oc80z> depends on what you want to buy
18:40 < oc80z> there are hardware acceleration options, mini-pci 
18:40 < Shazzamy> yeah but what do you actually get on average?
18:41 < Shazzamy> from the line coming to your house/apartment... etc..
18:41 < oc80z> enough to stream mpeg2 overseas.
18:42 < oc80z> or mp3 
18:42 < Shazzamy> wow, that's decent
18:42 < oc80z> not hdtv. 
18:42 < Shazzamy> wayy better than what i have
18:46 < Shazzamy> aroudn ~12mbits down and 0.8mbits up
18:53 < oc80z> for...?
18:54 < Shazzamy> nevermind
18:54 < oc80z> keep in mind that a wrt54G processor is what, 200mhz?
18:54 -!- jaminja_ [~jaminja@95.211.4.12] has joined ##openvpn
18:55 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Ping timeout: 240 seconds]
18:56 < Shazzamy> okay
18:56 < Shazzamy> i just need it for up to 5 clients
18:56 < Shazzamy> not at a time though
18:56 < Shazzamy> max 5 clients
18:57 < Shazzamy> probably only gonna be 2 at a time
18:57 < Shazzamy> i need to be able to control who connects as well from a remote location
18:58 < oc80z> heh.
18:59 < oc80z> some times i give out certificates + dh over email
18:59 < oc80z> and they i tell them their username and password over skype.
19:01 < oc80z> Shazzamy you good with linux?
19:01 < Shazzamy> about average
19:01 < Shazzamy> I'm not a CLI maniac that knows almost every command
19:02 < Shazzamy> but i can handle it
19:02 < oc80z> you could always trunk your router to a linux-firewall computer, for wifi access.
19:03 -!- jaminja_ is now known as ghost
19:03 -!- ghost is now known as jaminja
19:04 -!- jaminja [~jaminja@95.211.4.12] has quit [Changing host]
19:04 -!- jaminja [~jaminja@unaffiliated/jaminja] has joined ##openvpn
19:05 < Shazzamy> i guess
19:06 < oc80z> will you be streaming video/music to friends?
19:06 < Shazzamy> i was thinking at first using my linux box to host an openvp server
19:06 < oc80z> it wouldnt hurt your linux skills. 
19:06 < oc80z> i would do that.
19:07 < Shazzamy> but then i just read about it on a dd-wrt router
19:07 < Shazzamy> and i have one packed away right now
19:07 < oc80z> im workin on a xeon one now.
19:07 < Shazzamy> WOW!
19:07 < Shazzamy> those are pretty nice processors
19:07 < Shazzamy> intel xeon..
19:08 < oc80z> loud as a jet.
19:09 < oc80z> some new 6mbit drives too
19:10 < Shazzamy> it's loud?
19:10 < Shazzamy> what machine is it? or is it custom built?
19:10 < oc80z> http://www.frys.com/product/6298540
19:10 < vpnHelper> Title: FRYS.com | WDFRYS.com (at www.frys.com)
19:11 < oc80z> some resold pizzabox
19:15 < oc80z> er.. auctioned.
19:21 < Shazzamy> nice
19:21 < oc80z> but yeah, its a wtf box. because it might not handle the 6mbit/s drives, miight have to jumper them to 3mbit/sec
19:22 < oc80z> none the less, boards i saw today can do that and fit in the palm of your hand. 
19:28 < oc80z> cmon get started! 
19:28 < oc80z> box wont set it self up.
19:30 -!- Shazzamy [~Shazzamy@unaffiliated/shazzamy] has quit [Quit: Shazzamy]
19:34 < oc80z> ^--- started
19:34 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 252 seconds]
19:35 -!- takamichi [~pri@78.133.38.192] has joined ##openvpn
19:36 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
19:41 -!- phantomcircuit [~phantomci@adsl-99-20-128-179.dsl.pltn13.sbcglobal.net] has quit [Ping timeout: 255 seconds]
19:45 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 276 seconds]
19:47 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
20:07 -!- Shazzamy [~Shazzamy@unaffiliated/shazzamy] has joined ##openvpn
20:07 < Shazzamy> oc80z: 
20:07 < Shazzamy> were you talking to me previously?
20:13 -!- zzattack [~zz@21-78-ftth.onsneteindhoven.nl] has quit [Ping timeout: 265 seconds]
20:18 -!- nb is now known as i
20:19 -!- i is now known as Fedora17
20:19 -!- Fedora17 is now known as i
20:21 < oc80z> i dont know
20:39 < Shazzamy> oc80z: but yeah, its a wtf box. because it might not handle the 6mbit/s drives, miight have to jumper them to 3mbit/sec
20:39 < Shazzamy> [6:22pm] oc80z: none the less, boards i saw today can do that and fit in the palm of your hand.
20:39 < Shazzamy> [6:28pm] oc80z: cmon get started!
20:39 < Shazzamy> [6:28pm] oc80z: box wont set it self up.
20:51 -!- Shazzamy [~Shazzamy@unaffiliated/shazzamy] has quit [Quit: Shazzamy]
20:56 -!- phantomcircuit [~phantomci@adsl-99-20-128-179.dsl.pltn13.sbcglobal.net] has joined ##openvpn
21:05 -!- [intra]lanman [~lanman@166.183.223.166.in-addr.arpa] has joined ##openvpn
21:05 -!- [intra]lanman [~lanman@166.183.223.166.in-addr.arpa] has quit [Changing host]
21:05 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
21:39 -!- orion [orion@unaffiliated/orion] has left ##openvpn []
21:46 -!- phantomcircuit [~phantomci@adsl-99-20-128-179.dsl.pltn13.sbcglobal.net] has quit [Quit: Leaving]
21:52 < oc80z> later.
21:56 -!- darkdrgn2k3 [~darkdrgnk@bas2-toronto44-1176438035.dsl.bell.ca] has left ##openvpn []
21:58 -!- krzie [krzee@hemp.ircpimps.org] has joined ##openvpn
21:58 -!- krzie [krzee@hemp.ircpimps.org] has quit [Changing host]
21:58 -!- krzie [krzee@openvpn/community/support/krzee] has joined ##openvpn
22:30 < unkmar> sooner
22:30 -!- unkmar [~unkmar@adsl-074-183-061-041.sip.cha.bellsouth.net] has left ##openvpn []
23:22 -!- UnterPerro [~UnterPerr@166.192.43.250] has joined ##openvpn
23:44 -!- krphop_ is now known as krphop
--- Day changed Thu Sep 23 2010
00:02 -!- jaminja [~jaminja@unaffiliated/jaminja] has quit [Read error: Operation timed out]
00:13 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
00:32 -!- phantomcircuit [~phantomci@adsl-99-20-128-179.dsl.pltn13.sbcglobal.net] has joined ##openvpn
00:51 -!- Nephfl [~Nephfl@rrcs-67-78-149-118.se.biz.rr.com] has joined ##openvpn
00:51 < Nephfl> hello
01:04 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Quit: Leaving]
01:04 -!- krzie [krzee@hemp.ircpimps.org] has joined ##openvpn
01:04 -!- krzie [krzee@hemp.ircpimps.org] has quit [Changing host]
01:04 -!- krzie [krzee@openvpn/community/support/krzee] has joined ##openvpn
01:07 -!- zzattack [~zz@21-78-ftth.onsneteindhoven.nl] has joined ##openvpn
01:26 -!- UnterPerro [~UnterPerr@166.192.43.250] has quit [Quit: UnterPerro]
01:36 -!- dazo_afk is now known as dazo
01:45 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
01:48 -!- mattock [~samuli@dyn55-11.yok.fi] has joined ##openvpn
01:48 -!- mode/##openvpn [+o mattock] by ChanServ
02:07 -!- roe [~roe___@unaffiliated/roe] has joined ##openvpn
02:13 -!- UnterPerro [~UnterPerr@166.192.43.250] has joined ##openvpn
02:19 < kraut> moin
02:34 < krzie> moin
02:39 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
02:45 -!- krzie is now known as krzee
03:03 -!- WinstonSmith [~true@e179009060.adsl.alicedsl.de] has joined ##openvpn
03:12 -!- Meliorator [m@dunnington.eu] has quit [Ping timeout: 276 seconds]
03:29 -!- montana [~montana@212.117.173.72] has quit [Ping timeout: 276 seconds]
03:29 -!- montana [~montana@212.117.173.72] has joined ##openvpn
03:33 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined ##openvpn
03:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 252 seconds]
03:42 -!- UnterPerro [~UnterPerr@166.192.43.250] has quit [Quit: UnterPerro lives to save another day]
03:43 -!- stefanlsd [~stefan@ubuntu/member/stefanlsd] has quit [Ping timeout: 272 seconds]
03:44 -!- stefanlsd [~stefan@ecstasy.lsd.co.za] has joined ##openvpn
03:45 -!- phantomcircuit [~phantomci@adsl-99-20-128-179.dsl.pltn13.sbcglobal.net] has quit [Remote host closed the connection]
03:47 -!- macsppadic [~sonupunno@88.211.55.77] has joined ##openvpn
04:04 -!- takamichi [~pri@78.133.38.192] has joined ##openvpn
04:16 -!- guest [~guest@178.0.119.241] has joined ##openvpn
04:56 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
05:08 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
05:35 < vpnHelper> RSS Update - forum: Installation Help :: Installing Open VPN --CLIENT-- in Windows Server 2008 :: Author jbosch <https://forums.openvpn.net/viewtopic.php?f=5&t=7120&p=7848#p7848>
05:40 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined ##openvpn
05:46 -!- stefanlsd [~stefan@ecstasy.lsd.co.za] has quit [Ping timeout: 252 seconds]
05:53 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
06:41 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:06 -!- Client_ [~akm22562@99-119-36-109.lightspeed.lsvlky.sbcglobal.net] has quit [Ping timeout: 264 seconds]
07:18 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Remote host closed the connection]
07:33 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
07:46 -!- stefanlsd [~stefan@ecstasy.lsd.co.za] has joined ##openvpn
07:49 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
08:00 -!- smerz [~smerz@smerz.demon.nl] has joined ##openvpn
08:02 -!- krzee [krzee@openvpn/community/support/krzee] has joined ##openvpn
08:12 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has joined ##openvpn
08:14 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 240 seconds]
08:15 -!- takamichi [~pri@94-23-148-250.ovh.net] has joined ##openvpn
08:15 -!- WebW0rkX [~WebDawg@200.sub-75-201-242.myvzw.com] has joined ##openvpn
08:16 < WebW0rkX> !welcome
08:16 < vpnHelper> WebW0rkX: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:16 < WebW0rkX> wow
08:16 < WebW0rkX> nice.
08:16 < WebW0rkX> !goal
08:16 < vpnHelper> WebW0rkX: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:17 < WebW0rkX> !goal I would like to link up every asset I admin and own.
08:17 < vpnHelper> WebW0rkX: Error: "goal" is not a valid command.
08:17 < WebW0rkX> What the hell?
08:17 < WebW0rkX> What is the max cert size for RSA with openVPN.
08:22 < krzee> you dont need to state your goal to the bot
08:22 < krzee> we see your goal and respond ;)
08:23 < krzee> max cert size, whatever openssl can handle
08:23 < krzee> i wouldnt go higher than 4096 tho
08:24 < WebW0rkX> But what is the therotical limit with infinate computing.  I am basically asking what restrictions have been put on cert/key size"?
08:24 < krzee> openvpn does not do any of the encryption, it hands it off to openssl
08:24 < WebW0rkX> with infinite computing resources
08:24 < WebW0rkX> So openSSL.
08:24 < krzee> honestly i dont know
08:25 < krzee> but yes, the limit would be in openssl
08:25 < krzee> but either way, the security could actually break down with higher untested bit sizes
08:25 < krzee> theres no garuntee that some high bit size is actually more secure
08:27 < WebW0rkX> Yeh.  Good point.  I know that protocal and actually what you are moving has alot to do with it.
08:28 < WebW0rkX> How the software handels the encryption.
08:28 < WebW0rkX> Etc.
08:28 < WebW0rkX> Why do they not use AES instead of RSA?
08:29 < krzee> you can choose AES for the cipher if you wish
08:29 < WebW0rkX> OpenSSL handle that?
08:29 < krzee> yup
08:29 < krzee> you can use any algorythms that openssl uses
08:29 < WebW0rkX> I still have to read up on alot but I want to get a general sence of what I am dealing with here...so pardon for the questions.
08:30 < krzee> see --cipher in the manual
08:30 < krzee> !man
08:30 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
08:31 < WebW0rkX> I just did openssl ciphers -v
08:31 -!- WinstonSmith [~true@e179009060.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
08:33 < krzee> time for me to get to work
08:33 < krzee> brb from krzie
08:34 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
08:42 -!- takamichi [~pri@94-23-148-250.ovh.net] has quit [Ping timeout: 265 seconds]
08:42 -!- takamichi [~pri@78.133.38.192] has joined ##openvpn
08:43 -!- WinstonSmith [~true@e179009060.adsl.alicedsl.de] has joined ##openvpn
08:43 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
08:44 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
08:46 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
08:52 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
08:53 -!- freaky[t] [alpha@freakyy.de] has joined ##openvpn
08:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
09:00 -!- [intra]lanman [~lanman@va-67-76-163-226.sta.embarqhsd.net] has joined ##openvpn
09:00 -!- [intra]lanman [~lanman@va-67-76-163-226.sta.embarqhsd.net] has quit [Changing host]
09:00 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
09:00 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:02 < WebW0rkX> NIST key management guidelines further suggest that 15360-bit RSA keys are equivalent in strength to 256-bit symmetric keys.
09:04 -!- keyhive [~net_nigel@d221-71-130.commercial.cgocable.net] has joined ##openvpn
--- Log closed Thu Sep 23 09:07:28 2010
--- Log opened Thu Sep 23 09:30:37 2010
09:30 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined ##openvpn
09:30 -!- Irssi: ##openvpn: Total of 122 nicks [4 ops, 0 halfops, 0 voices, 118 normal]
09:31 -!- Irssi: Join to ##openvpn was synced in 42 secs
09:31 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined ##openvpn
09:31 < vpnHelper> RSS Update - forum: Installation Help :: VMWare Linux client and the big bad host :: Author CTorporWork <https://forums.openvpn.net/viewtopic.php?f=5&t=7121&p=7849#p7849>
09:32 <@dazo> keyhive: you're getting far into a path where you'll only have troubles, headache and miserable users who get into troubles ... fix the problem the correct way, and have it solved forever ... if your CTO can't understand that, then that's an incompetent person and you should tell that person to do this job alone
09:34 <@dazo> There are simply no happy ending trying to make overlapping network segments work painlessly ... if you think that, you need to take the basic network routing course again
09:34 < ecrist> krzie: irc stats are updated again.
09:35 < ecrist> bridged mode vpn is about the only thing, and you still need to ensure you're not using conflicting IPs on either end.
09:35 <@dazo> Yes, you might be able hack around it ... but it will only work for a little while .... and when conflicting clients (with the same IP) on two different segments needs to access information across the network bridge ... then hell breaks loose
09:38 < ecrist> dazo - you can do such things sanely, as long as there is a method.
09:38 < ecrist> proper DHCP server configs on each end, for example.
09:39 <@dazo> ecrist: you might have missed a few lines ...
09:39 < ecrist> probably did.
09:39 <@dazo> <keyhive> it's an iptables issue.  I need to set up static NAT so the clients can ping the office gateway [192.168.0.1] as another address [e.g. 192.168.8.1]
09:39 <@dazo> <keyhive> and translate the whole office subnet from 192.168.0/16 to 192.168.8/24
09:39 <@dazo> <keyhive> that is what the client would see.
09:39 < ecrist> oh, yuk
09:39 < ecrist> wtf, that'll never work.
09:39 <@dazo> <keyhive> There must be a way to have remote clients ping the office address space without renumbering either LAN.
09:39 <@dazo> <keyhive> i.e. 192.168.0/24 on clients
09:39 <@dazo> <keyhive> 192.168.0/16 in the office
09:40 < ecrist> you could use binat in pf to accomplish this, but it's super kludgy.
09:41 <@dazo> I don't say it's impossible ... but, its more work to make it work somehow, than the do the crappy work of rearranging the network
09:41 < ecrist> judging by the fact that you're using 192.168.0/23, you're using home gateway appliances, so you likely don't have so many devices you can't renumber one network or another.
09:42 <@dazo> yup
09:43 < keyhive> Thanks guys.
09:45 -!- Irssi: ##openvpn: Total of 123 nicks [4 ops, 0 halfops, 0 voices, 119 normal]
09:55 < vpnHelper> RSS Update - forum: Configuration :: Re: OpenVPN client , could not read Auth username from stdin :: Reply by strukelj <https://forums.openvpn.net/viewtopic.php?f=6&t=7092&p=7850#p7850>
09:56 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Remote host closed the connection]
09:56 < ecrist> !stats
09:56 < vpnHelper> ecrist: I have 3 registered users with 2 registered hostmasks; 2 owners and 0 admins.
09:56 < ecrist> !ircstats
09:56 < vpnHelper> ecrist: Error: "ircstats" is not a valid command.
09:56 < ecrist> !learn ircstats as 30-Day Stats: http://www.secure-computing.net/logs/openvpn-last30.html
09:56 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
09:57 < ecrist> !learn ircstats as 30-Day Stats: http://www.secure-computing.net/logs/openvpn-last30.html
09:57 < vpnHelper> ecrist: Joo got it.
09:58 < ecrist> !learn ircstats as All-Time Stats: http://www.secure-computing.net/logs/openvpn.html
09:58 < vpnHelper> ecrist: Joo got it.
09:58 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
10:00 -!- Meliorator [m@dunnington.eu] has joined ##openvpn
10:00 -!- Meliorator [m@dunnington.eu] has quit [Excess Flood]
10:01 -!- Meliorator [m@dunnington.eu] has joined ##openvpn
10:03 -!- _AxS_ [~axs@gentoo/user/axs] has joined ##openvpn
10:03 < _AxS_> !welcome
10:03 < vpnHelper> _AxS_: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:03 < _AxS_> !topology
10:03 < vpnHelper> _AxS_: "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
10:04 < _AxS_> !/30
10:04 < vpnHelper> _AxS_: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
10:39 -!- WormFood [~wormfood@183.38.15.170] has quit [Ping timeout: 240 seconds]
10:46 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Read error: Connection reset by peer]
10:47 -!- [intra]lanman [~lanman@va-67-76-163-226.sta.embarqhsd.net] has joined ##openvpn
10:47 -!- [intra]lanman [~lanman@va-67-76-163-226.sta.embarqhsd.net] has quit [Changing host]
10:47 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined ##openvpn
10:47 -!- WinstonSmith [~true@e179009060.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
10:49 < vpnHelper> RSS Update - forum: Installation Help :: network access prob(can access r.PC via Hostname but not ip) :: Author mexus <https://forums.openvpn.net/viewtopic.php?f=5&t=7122&p=7851#p7851>
11:01 -!- WormFood [~wormfood@183.38.13.112] has joined ##openvpn
11:05 -!- keyhive [~net_nigel@d221-71-130.commercial.cgocable.net] has quit [Quit: Leaving]
11:07 < vpnHelper> RSS Update - forum: Configuration :: openvpn Linux server, windows 7 64 client, certificate auth :: Author techguy <https://forums.openvpn.net/viewtopic.php?f=6&t=7123&p=7852#p7852>
11:13 -!- manevra [~manevra@66.199.231.250] has joined ##openvpn
11:19 -!- phantomcircuit [~phantomci@adsl-99-20-128-179.dsl.pltn13.sbcglobal.net] has joined ##openvpn
11:20 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
11:25 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
11:26 -!- nebula is now known as openvpn2009
11:26 -!- openvpn2009 [patel@vortex.openvpn.net] has quit [Changing host]
11:26 -!- openvpn2009 [patel@openvpn/corp/admin/patel] has joined ##openvpn
11:26 -!- ServerMode/##openvpn [+o openvpn2009] by kornbluth.freenode.net
11:38 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
12:02 -!- Dougy [me@208.99.80.128] has quit [Read error: Operation timed out]
12:09 -!- Dougy [me@208.99.80.128] has joined ##openvpn
12:29 < krzie> thx ecrist 
12:29 < krzie> !ircstats
12:30 < vpnHelper> krzie: "ircstats" is (#1) 30-Day Stats: http://www.secure-computing.net/logs/openvpn-last30.html, or (#2) All-Time Stats: http://www.secure-computing.net/logs/openvpn.html
12:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined ##openvpn
12:53 -!- grendal_prime [~sgraham@c-67-187-145-117.hsd1.ca.comcast.net] has joined ##openvpn
12:53 < grendal_prime> cant log rotate for some reason.
12:54 < grendal_prime> runing this on ubuntu servers.  8.04  
12:54 < grendal_prime> werid. i guess i need a sigup in the post_rotate?
12:56 < ecrist> yes
12:57 < hyper_ch> grendal_prime: you don't wanna upgrade to 10.04?
12:57 < grendal_prime> cant on these
12:57 < hyper_ch> hola ecrist
12:57 < grendal_prime> not for a while
12:57 < grendal_prime> yet
12:58 < hyper_ch> 10.04 server runs fine here
12:58 < hyper_ch> :)
12:58 < hyper_ch> but then, I only run 1 ubuntu server
12:58 < hyper_ch> and a couple more debian servers
12:59 < Nephfl> hello, I can't seem to get a route to add to my system
13:00 < grendal_prime> these boxes handle clost to a terra a week each.  I cant even restart the service without getting approval.
13:00 < Nephfl> can anyone give me some ideas why this might be the case?
13:00 < hyper_ch> a tera each week? nice
13:00 < Nephfl> im not getting any errors with route add, just doesnt show in routes
13:00 < hyper_ch> Nephfl: you're running windows and don't try to add the routes as admin?
13:00 < grendal_prime> Nephfl, persistant?  on linux?
13:00 < Nephfl> this is on a dd-wrt
13:01 < Nephfl> wanting persistant route to route across tunnel
13:01 < grendal_prime> have you thought about pushing it from the server?
13:01 < grendal_prime> thats how we do it.
13:01 < Nephfl> how do you mean?
13:02 < grendal_prime> then you dont have to do that for each box..
13:02 < grendal_prime> hold on ill get server.conf needed
13:02 < Nephfl> i had it working before with a static route
13:02 < grendal_prime> and then you reboot the box and it doesnt work?
13:02 < Nephfl> it isnt even coming up on the routes list
13:03 < grendal_prime> werid.  hmm looking push route on openvpn.net.
13:03 < grendal_prime> ill get it
13:03 < Nephfl> ok
13:03 < ecrist> krzie: just remember the server that generates those stats costs me about $10/mo to run. :)
13:05 < grendal_prime> ;push "route 192.168.10.0 255.255.255.0"
13:05 < grendal_prime> it should be in your server.conf commented
13:05 < Nephfl> im using a very simple conf
13:06 < Nephfl> shouldnt it also need the gw?
13:06 < grendal_prime> whenever a client connects it pushes that rout by default. nice cause then if it changes,,, you dont need to change it on every client.
13:07 < grendal_prime> you want to change the clients gw as well
13:07 < Nephfl> and right now, im trying to add a route to the host
13:07 < grendal_prime> the server?
13:07 < Nephfl> well they are both dd-wrt on cheap router/access points
13:08 < grendal_prime> your using access point for vpn?
13:08 < grendal_prime> server?
13:08 < Nephfl> yes
13:08 < grendal_prime> wow
13:08 < Nephfl> i had it working well for awhile
13:08 < grendal_prime> let me know how that works out for ya.
13:08 < Nephfl> but my end had flash reset
13:08 < Nephfl> now i cant seem to recreate my steps
13:09 < grendal_prime> seems like an odd thing to do.
13:09 < Nephfl> and i cant seem to add a route for the remote subnet to the host
13:09 < Nephfl> odd how?
13:09 < grendal_prime> vpn is for securing to the server..
13:09 < grendal_prime> through the internet.  
13:09 < Nephfl> many people do site-site hardware vpn
13:10 < Nephfl> using small routers...or client device to vpn concentrator
13:10 < grendal_prime> or unsecured enviro..  Ya. with cisco vpn concentror maybe...i mean something that has enough meat to...
13:10 < grendal_prime> well nevermind.
13:10 < Nephfl> ive had no problem with basic linksys devices...but this isnt a normal config...
13:10 < grendal_prime> I dont know how to do what your needing to do man sorry.
13:11 < Nephfl> any "security" enabled ap/router will work natively
13:11 < Nephfl> what i am doing is using a stripped down linux with openvpn to connect the two devices
13:12 < Nephfl> and the connection is up...but i dont have a route on the host device
13:21 -!- Nephfl [~Nephfl@rrcs-67-78-149-118.se.biz.rr.com] has quit [Ping timeout: 240 seconds]
13:24 -!- bodom [~quassel@2001:470:1f0b:ac0::2] has quit [Read error: Connection reset by peer]
13:25 < grendal_prime> also look at the man page for        --push option
13:25 < grendal_prime> you an gateway as well
13:25 < grendal_prime> as far as the box acting as a server..
13:25 < grendal_prime> not sure about that man.
13:26 -!- Nephfl [~Nephfl@rrcs-67-78-149-118.se.biz.rr.com] has joined ##openvpn
13:26 < grendal_prime> if its a debian distro /etc/networking/interfaces file should have your interface settings.
13:26 < grendal_prime> Nephfl,
13:26 < grendal_prime> also look at the man page for        --push option
13:26 < grendal_prime>  you an gateway as well
13:26 < grendal_prime>  as far as the box acting as a server..
13:26 < grendal_prime>  not sure about that man.
13:27 -!- Nephfl [~Nephfl@rrcs-67-78-149-118.se.biz.rr.com] has quit [Client Quit]
13:45 -!- phantomcircuit [~phantomci@adsl-99-20-128-179.dsl.pltn13.sbcglobal.net] has quit [Remote host closed the connection]
13:50 -!- bjh4 [~chatzilla@ool-18bbdf6a.static.optonline.net] has joined ##openvpn
13:50 < bjh4> is there anyway to build client keys in a faster manner than described in the howto?
13:52 < hyper_ch> bjh4: faster?
14:00 < bjh4> hyper_ch: by faster i mean in bulk without having to confirm all the parameters.
14:00 < hyper_ch> I'm sure you could write a script to automate that
14:02 < bjh4> yea i'm not in the scripting spirit today. maybe some other time
14:04 < hyper_ch> of course there's also the option of waving a magic want and automagically mass create keys :)
14:05 < bjh4> my wand doesn't get here until tomorrow. guess i'lll have to wait
14:13 -!- DammitJim [~Elive_use@99-75-58-21.lightspeed.dybhfl.sbcglobal.net] has joined ##openvpn
14:13 < DammitJim> how can I change openvpn to use tun1 instead of tun0?
14:15 -!- phantomcircuit [~phantomci@adsl-99-20-128-179.dsl.pltn13.sbcglobal.net] has joined ##openvpn
14:22 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:24 -!- zzattack [~zz@21-78-ftth.onsneteindhoven.nl] has quit [Ping timeout: 252 seconds]
14:24 -!- zzattack [~zz@21-78-ftth.onsneteindhoven.nl] has joined ##openvpn
14:30 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined ##openvpn
14:32 -!- openbsdnoob [~openbsdno@88.79.221.61] has quit [Quit: byebye]
14:35 -!- openbsdnoob [~openbsdno@88.79.221.61] has joined ##openvpn
14:38 -!- meh2 [~efnet@27-9.202-62.fix.bluewin.ch] has joined ##openvpn
14:43 -!- dazo is now known as dazo_afk
14:46 -!- grendal_prime [~sgraham@c-67-187-145-117.hsd1.ca.comcast.net] has quit [Quit: Ex-Chat]
14:49 -!- _AxS_ [~axs@gentoo/user/axs] has quit [Quit: gone]
14:56 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined ##openvpn
15:00 -!- Netsplit *.net <-> *.split quits: blackpenguin, Champi, @dazo_afk, funkyHat, stein0_
15:00 -!- stein0 [~stein@mail.vgnett.no] has joined ##openvpn
15:01 -!- Netsplit over, joins: funkyHat
15:01 -!- Netsplit over, joins: dazo_afk
15:01 -!- mode/##openvpn [+o dazo_afk] by ChanServ
15:01 -!- Netsplit over, joins: blackpenguin
15:02 -!- Netsplit over, joins: Champi
15:06 < RichiH> ecrist: you are officially invited to move to #openvpn btw
15:06 < RichiH> now that you can :)
15:07 < ecrist> yeah, I just haven't gotten off my butt to do it yet.
15:07 < ecrist> there's like *6* entries in the access list to move.
15:07 < RichiH> also, after a bit of fooling around, i don't suppose there is a way to _start_ openvpn as a user unless someone creates a tun or tap device for me?
15:07 < ecrist> compare that to the millions of grunts and Elites on halo reach that need killing.
15:08 < RichiH> ecrist: thankfully, that is not a concern as FPS on consoles suck, anyway :p
15:08 < ecrist> RichiH: sure, so long as you're not good at them.
15:09 < ecrist> my younger brother squeaked that line quite a bit, and invited me over to play MW2 with him and his frat brothers on the PC
15:09 < ecrist> I soundly stomped all of them (by a LARGE margin) despite my never having played MW2 on a PC
15:09 < ecrist> RichiH: http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html
15:09 < vpnHelper> Title: HowTo Run OpenVPN as a non-admin user in Windows (at openvpn.se)
15:10 < RichiH> ecrist: i know exactly one person personally that is better than me at FPS
15:10 < RichiH> IRL, that is
15:11 < RichiH> ecrist: that seems to be for windows ;)
15:11 < RichiH> (the "Windows" in the title makes me suspect this)
15:11 < ecrist> I was going to say, wait ~30 mins when the kids get out of school, then there will be many.
15:12 < ecrist> sorry, usually that non-admin question comes up relating to windows.
15:12 < ecrist> as a regular user, you'll need access to change the network interface and to modify the routing tables.
15:12  * RichiH feared as much
15:13 < ecrist> sudo is your friend.
15:13 < RichiH> don't have that
15:13  * RichiH will need to find another exit node to access pandora.com, then
15:13 < RichiH> oh well
15:16 -!- EmperorTom [~EmperorTo@174-30-212-130.mpls.qwest.net] has joined ##openvpn
15:17 -!- EmperorT1m [~EmperorTo@184-97-149-30.mpls.qwest.net] has quit [Ping timeout: 240 seconds]
15:21  * ecrist works on moving ##openvpn to #openvpn
15:21 < ecrist> RichiH: tor?
15:22 < jpalmer> ecrist: you filling out a GFC for it?
15:22 < jpalmer> err GCF
15:22 < ecrist> jpalmer: already have it
15:22 < jpalmer> nice.
15:22 < ecrist> I just need to actually move the channel
15:23  * ecrist points to his cloak, and krzee/dazo's too
15:23 < jpalmer> tell me when, I'll jump now.
15:23 < ecrist> need to finish the access list and unlock that channel
15:24 < jpalmer> well, then.  I'll sit patiently  for the word.
15:26 < ecrist> RichiH: what is mode P
15:27 < ecrist> you should be able to join #openvpn now
15:29 < jpalmer> ecrist: P is a permanent channel.  set by fn staff only
15:29 < ecrist> ah, ok, so I don't want to -P the mode, then.
15:30 < jpalmer> I don't think you can.
15:30 < ecrist> no, I cannot
15:31 < jpalmer> you can ask people to move willingly.  or set the channel +r #openvpn,  and then make it +i
15:31 < jpalmer> then kick them.  when they attempt to rejoin, they'll be redirected.
15:32 < jeev> ecrist
15:32 < jeev> jpalmer, did you see what i said to you the other day? :D
15:32 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 252 seconds]
15:32 < jpalmer> jeev: which?   
15:32 < jeev> jpalmer, you should've read the topic. i should dock you your OP status in windows
15:32 < jeev> when you had a firewall problem :)
15:32 < jpalmer> jeev:  oh, yeah.  hehe
15:33 < krzie> [13:35]  <jeev> jpalmer, you should've read the topic. i should dock you your OP status in windows
15:33 < krzie> lol
15:33 < krzie> thats in the !ircstats
15:33 < krzie> i saw it there today
15:33  * jpalmer is famous.
15:33 < jeev> the coffee shop i'm at right now is lagging. some numbskull is slowing it down
15:33 < jeev> im tired of seeing people on facebook
15:34 < jpalmer> I'm playing with HE.net's free ipv6 certifications.   have a bit of fun with it.
15:35 < jpalmer> ecrist: you can set this channelmode +ir #openvpn
15:35 < ecrist> not ready yet
15:36 < jpalmer> ahh,  gotcha
15:39 -!- ecrist changed the topic of ##openvpn to: We've moved!  Please join us in #openvpn.
15:39 -!- mode/##openvpn [+o ecrist] by ChanServ
15:40 -!- mode/##openvpn [+irf #openvpn] by ecrist
15:40 -!- mode/##openvpn [+o krzie] by ChanServ
15:41 <@krzie> yay for s/##/#/
15:41 < jpalmer> now kick them all!
15:42 <@ecrist> I need to move vpnHelper, first
15:42 <@ecrist> that could be a bit hairy
15:42 < jpalmer> I dunno if I'd really kick, too.  if the clients aren't set to auto-rejoin,  the user wouldn't know what happened.
15:43 <@ecrist> I am going to mute the channel at that time, though.
15:43 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Remote host closed the connection]
15:44 < jpalmer> I'ma update my client,  and when the channel is muted,  /part
15:55 -!- naquad [~naquad@174.142.224.219] has quit [Quit: ZNC - http://znc.sourceforge.net]
15:55 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
15:56 -!- jeev [~email@unaffiliated/jeev] has left ##openvpn []
16:07 -!- mode/##openvpn [+m] by ecrist
16:07 <@ecrist>  
16:07 <@ecrist>  
16:07 <@ecrist>  
16:07 <@ecrist> EVERYONE PLEASE MOVE TO #openvpn -- THIS CHANNEL IS CLOSED.
16:07 <@ecrist>  
16:07 <@ecrist>  
16:07 <@ecrist>  
16:07 <@ecrist>  
16:16 -!- manevra [~manevra@66.199.231.250] has quit []
16:18 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
16:32 < RichiH> ecrist: now that you guys are moving into #openvpn we don't need to keep the +P on #openvpn any more
--- Log opened Thu Sep 16 10:40:57 2010
10:40 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has joined #openvpn
10:40 -!- Irssi: #openvpn: Total of 1 nicks [0 ops, 0 halfops, 0 voices, 1 normal]
10:40 -!- mode/#openvpn [+o ecrist] by ChanServ
10:40 -!- Irssi: Join to #openvpn was synced in 1 secs
10:41 -!- ecrist changed the topic of #openvpn to: OpenVPN 2.1.3 Most Current || 2.2-beta3 Released 10-Sept-2010 || Your problem is your firewall, really. || Type  !welcome  before asking your  questions. ||  Web Forum: http://forums.openvpn.net || Developers: #openvpn-devel
14:06 -!- ecrist [~ecrist@pdpc/supporter/professional/ecrist] has left #openvpn []
--- Log closed Thu Sep 16 14:06:12 2010
--- Log opened Thu Sep 23 15:23:48 2010
15:23 -!- ecrist [~ecrist@openvpn/community/support/ecrist] has joined #openvpn
15:23 -!- Irssi: #openvpn: Total of 1 nicks [0 ops, 0 halfops, 0 voices, 1 normal]
15:23 -!- mode/#openvpn [+o ecrist] by ChanServ
15:23 -!- Irssi: Join to #openvpn was synced in 1 secs
15:24 -!- mode/#openvpn [+o ecrist] by ChanServ
15:24 -!- mode/#openvpn [-i] by ecrist
15:24 -!- mode/#openvpn [-f] by ecrist
15:24 -!- mode/#openvpn [-cmt+s] by ecrist
15:24 -!- mode/#openvpn [-s+tc] by ChanServ
15:26 -!- mode/#openvpn [-ct] by ecrist
15:28 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined #openvpn
15:28 < jpalmer> yay!
15:29 -!- mode/#openvpn [+s] by ecrist
15:33 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
15:35 < jpalmer> hola krzee
15:38 < krzie> hola... no sabia que hablas espanol tambien
15:40 -!- mode/#openvpn [+o krzie] by ChanServ
15:41 <@ecrist> krzie: did you op yourself?
15:41 <@krzie> aye
15:41 <@ecrist> ok
15:41 <@ecrist> I'm going to mute the other channel as soon as I get vpnHelper moved
15:44 <@krzie> just join and part him
15:44 <@krzie> oh that
15:45 <@krzie> im curious if his DB needs to be changed now or not
15:45 <@krzie> if he will see #openvpn and ##openvpn as the same
15:46 <@ecrist> I'm fixing all that right now, too.
15:46 <@krzie> ahh coolness
15:46 <@ecrist> then I need to fix the script that exports it all to my website.
15:48 <@krzie> ahh good point
15:49 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
15:49 <@ecrist> !ircstats
15:49 < vpnHelper> ecrist: "ircstats" is (#1) 30-Day Stats: http://www.secure-computing.net/logs/openvpn-last30.html, or (#2) All-Time Stats: http://www.secure-computing.net/logs/openvpn.html
15:49 <@ecrist> the db move was clean
15:49 <@krzie> damn, nice
15:49 <@ecrist> moving my logging will probably not be, though.
15:51 -!- ipv6hermit [~ipv6hermi@186.160.40.20] has joined #openvpn
15:51 -!- ipv6hermit [~ipv6hermi@186.160.40.20] has left #openvpn []
15:51 <@krzie> heh
15:56 -!- jeev [~email@unaffiliated/jeev] has joined #openvpn
15:57 -!- naquad [~naquad@174.142.224.219] has joined #openvpn
16:05 -!- ss0 [~Adium@208.86.167.248] has joined #openvpn
16:05 < ss0> !welcome
16:05 < vpnHelper> ss0: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:12 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined #openvpn
16:18 < ss0> !redirect
16:18 < vpnHelper> ss0: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
16:18 < ss0> !topology
16:18 < vpnHelper> ss0: "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
16:19 < ss0> Could someone explain to me the correct methodology of forwarding traffic from an interface with a public ip address to a bonded interface that has a nat ip ? 
16:19 < ss0> Is it just IP masq, with iptables?
16:20 -!- mode/#openvpn [-o ecrist] by ecrist
16:21 -!- openvpn2009 [patel@openvpn/corp/admin/patel] has joined #openvpn
16:22 -!- mode/#openvpn [+o openvpn2009] by ChanServ
16:28 -!- naquad [~naquad@174.142.224.219] has quit [Excess Flood]
16:30 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
16:30  * ecrist goes to fix factoids page
16:31 < ecrist> that was easy
16:31 < ecrist> now to fix the logging on my client.
16:31 -!- naquad [~naquad@174.142.224.219] has joined #openvpn
--- Log opened Thu Sep 23 16:53:39 2010
16:53 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined #openvpn
16:53 -!- Irssi: #openvpn: Total of 10 nicks [2 ops, 0 halfops, 0 voices, 8 normal]
16:53 -!- mode/#openvpn [+o ecrist] by ChanServ
16:54 -!- Irssi: Join to #openvpn was synced in 34 secs
16:56 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
17:01 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
17:03 -!- UnterPerro [~UnterPerr@166.193.165.182] has joined #openvpn
17:10 -!- meh2 [~efnet@27-9.202-62.fix.bluewin.ch] has joined #openvpn
17:21 -!- fipu [~fipu@swissvps.net] has joined #openvpn
17:21 < fipu> Hi @ all
17:21 < fipu> I have a big problem
17:21 < fipu> I use 10.2.2.0/24 for VPN
17:21 < fipu> and some clients get a statis IP
17:21 < fipu> I made this with CCD
17:21 < fipu> so that works fine
17:22 < fipu> but on my win7 client I get always the error that the IP's are not in the same 255.255.255.252 subnet
17:22 <@ecrist> !configs
17:22 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
17:22 <@ecrist> krzee: I've corrected the statistics, as well
17:23 < fipu> ifconfig-push 10.2.2.25 10.2.2.24
17:23 < fipu> that's my CCD file that does not work
17:23 < fipu> all other things work
17:23 < fipu> 2 clients that can connect to the server and client to client works
17:23 -!- UnterPerro [~UnterPerr@166.193.165.182] has quit [Quit: UnterPerro lives to save another day]
17:25 -!- keyhive [~net_nigel@d221-71-130.commercial.cgocable.net] has joined #openvpn
17:26 -!- keyhive [~net_nigel@d221-71-130.commercial.cgocable.net] has quit [Client Quit]
17:27 -!- zzattack [~zz@21-78-ftth.onsneteindhoven.nl] has joined #openvpn
17:30 -!- mode/#openvpn [-o ecrist] by ecrist
17:45 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
17:45 < havoc> hi?
17:45 < havoc> why the change?
17:45 < havoc> why the change?
17:45 < havoc> ack
17:49 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
17:49 < Martin`> ?
17:50 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
17:50 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
17:50 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
17:52 -!- manevra [~manevra@86.121.76.217] has joined #openvpn
17:53 -!- reiffert [~thomas@mail.reifferscheid.org] has joined #openvpn
17:53 < reiffert> ?
17:54 < reiffert> ?
18:02 -!- Rienzilla [rien@sinas.rename-it.nl] has joined #openvpn
18:07 -!- UnterPerro [~UnterPerr@166.193.165.182] has joined #openvpn
18:20 -!- ss0 [~Adium@208.86.167.248] has quit [Quit: Leaving.]
18:21 <@krzie> havoc, because official chans use 1 #
18:22 < havoc> krzie: yeah, I knew that, so I'm assuming that now it's officially supported by the project?
18:23 <@krzie> ya everyone has been working together for awhile now
18:23 < havoc> ah
18:23 < havoc> so it was really just long overdue?
18:24 <@krzie> theres a waiting process in freenode, wasnt a main priority
18:24 < havoc> I'll be putting openvpn on my new Epic soon, after I root it
18:24 < havoc> :)
18:26 -!- Dougy [me@208.99.80.128] has joined #openvpn
18:26 < Dougy> ecrist: why is ##openvpn closed
18:27 <@openvpn2009> dougy, do you know how to dougie?
18:27 <@openvpn2009> </joke>
18:27 < Dougy> yes
18:27 < Dougy> dont ask me to teach you
18:27 <@openvpn2009> hahahaha!
18:27 < Dougy> ONE IS NOT SIMPLY TAUGHT HOW TO DOUGIE
18:27 <@openvpn2009> EPIC!
18:27 <@openvpn2009> ##openvpn is closed because of two ##'s in the channel name I believe.
18:28 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has joined #openvpn
18:28 -!- mode/#openvpn [+o raidz] by ChanServ
18:28 < Dougy> i gathered that much
18:28 < Dougy> but isnt this a community run channel
18:28 < Dougy> i guess openvpn project leaders commadeered it
18:28 < Dougy> comadeered whatver sljhdfksdlgdkhad
18:29 <@openvpn2009> haha
18:29 < Dougy> well
18:29 <@openvpn2009> ecrist will be able to answer your question when he comes around
18:29 < havoc> yes, Epic on Sprint network, Android 2.1 thing
18:29 < Dougy> i will most likely be departing here once and for all soon enough
18:29  * Dougy will just stick to the forums.
18:29 < havoc> Galaxy S I should say
18:29 <@openvpn2009> that phone is the worst ever
18:29 <@openvpn2009> havoc, you ever hangout on efnet?
18:30 < havoc> openvpn2009: not for well more than a decade
18:33 < havoc> need vpn to access SIP server
18:33 < havoc> would also be nice for accessing home network
18:34 < havoc> but need rooted phone for openvpn, which I'm waiting on til 2.2 android upgrade
18:35 <@openvpn2009> havoc: what do you have now?
18:35 <@openvpn2009> phone wise
18:35 < meh2> what does 'dns leak' means exactly?
18:35 < havoc> openvpn2009: the Samsung Galaxy S (Epic 4G on Sprint)
18:35 <@openvpn2009> oh man!
18:35 <@openvpn2009> had that for two days to be exact
18:36 < meh2> they can see what websites im browsing but not what im doing on the website?
18:36 <@openvpn2009> build quality on that phone is horrible.
18:36 < havoc> openvpn2009: hmm, so far so good, almost got the Samsung Intercept but it had really bad reviews
18:36 < havoc> mostly hardware issues
18:36 < havoc> epic has been fine so far
18:36 < havoc> FYI, this is coming from a Treo 755p
18:37 < havoc> I figured it was time to move to something with a little more longevity (Android vs. PalmOS)
18:37 < havoc> ...as I greatly dislike change ;)
18:38 < havoc> there are definitely some things I don't like about the phone itself but it was a choice between only the Epic and the Intercept
18:38 < havoc> ...based on having Android, touchscreen, and QWERTY keyboard
18:39 <@openvpn2009> ahh that's why
18:39 <@openvpn2009> i went to EPIC from EVO
18:39 < havoc> ...and staying with sprint (due to my unlimited data plan on my laptop)
18:39 <@openvpn2009> and I basically buy anything that's new
18:39 <@openvpn2009> :)
18:39 < havoc> openvpn2009: I have little to no feeling in my hands so I need a hardware keyboard
18:39 < havoc> and this one kinda sucks, but still better than touchscreen only (for me)
18:40 < meh2> isnt a vpn pointless if there is a dns leak?
18:40 <@openvpn2009> i agree hardware keyboards are great
18:40 <@openvpn2009> tht's why I can't let go of my BB bold
18:41 < havoc> I tried a Pearl, didn't like it
18:41 < havoc> tried a Windows Mobile one too
18:42 < havoc> went back to Palm
18:42 -!- zzattack [~zz@21-78-ftth.onsneteindhoven.nl] has quit [Ping timeout: 255 seconds]
18:42 < havoc> now it's time to move on :(
18:42 < havoc> so far it's OK; ConnectBot, K-9 Mail
18:42 < havoc> I need little else
18:43 < havoc> but openvpn would give me SIP access and then they'd *never* know where I am at work ;)
18:43 -!- Squidy [~quassel@189-31-49-2.cbace701.dsl.brasiltelecom.net.br] has joined #openvpn
18:47 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
18:49 < Dougy> openvpn2009: i got the tour
18:49 < Dougy> its good
18:59 < meh2> can openvpn-admin work as a client for linux?
18:59 < meh2> as a GUI client for linux
19:17 -!- Shazzamy [~Shazzamy@unaffiliated/shazzamy] has joined #openvpn
19:21 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
19:23 -!- UnterPerro [~UnterPerr@166.193.165.182] has quit [Quit: UnterPerro lives to save another day]
19:24 < ecrist> Dougy: pong
19:25 -!- WebW0rkX [~WebDawg@135.sub-75-200-247.myvzw.com] has joined #openvpn
19:25 < vpnHelper> RSS Update - forum: Scripting and Customizations :: OpenVPN Setup :: Author ldelacruz <https://forums.openvpn.net/viewtopic.php?f=15&t=7124&p=7853#p7853>
19:25 -!- Irssi: #openvpn: Total of 24 nicks [3 ops, 0 halfops, 0 voices, 21 normal]
19:27 < Shazzamy> hello
19:27 < Shazzamy> i was here yesterday around this time
19:27 < ecrist> congrats. :)
19:28 < Shazzamy> i read that dd-wrt on router supports openvpn
19:28 < Shazzamy> so now i'm just treading
19:28 < ecrist> it does.
19:28 < Shazzamy> reading*
19:28 < Shazzamy> does it actually host it's over server or does it use a server on and existing box?
19:29 < Shazzamy> own server*
19:29 < ecrist> it hosts its own
19:30 < Shazzamy> okay good
19:32 < Shazzamy> according to here: http://www.dd-wrt.com/wiki/index.php/OpenVPN 
19:32 < vpnHelper> Title: OpenVPN - DD-WRT Wiki (at www.dd-wrt.com)
19:32 < Shazzamy> im using that guide
19:32 < Shazzamy> i will be back later though, i will have a few more questions
19:32 -!- Shazzamy [~Shazzamy@unaffiliated/shazzamy] has quit [Quit: Shazzamy]
19:35 -!- ss0 [~Adium@cpe-72-190-122-22.tx.res.rr.com] has joined #openvpn
19:37 -!- ss0 [~Adium@cpe-72-190-122-22.tx.res.rr.com] has quit [Client Quit]
19:37 < vpnHelper> RSS Update - forum: Server Administration :: OpenVPN Network issues :: Author greggk <https://forums.openvpn.net/viewtopic.php?f=4&t=7125&p=7854#p7854>
19:37 -!- ss0 [~Adium@cpe-72-190-122-22.tx.res.rr.com] has joined #openvpn
19:38 -!- ss0 [~Adium@cpe-72-190-122-22.tx.res.rr.com] has quit [Client Quit]
19:43 < vpnHelper> RSS Update - forum: Configuration :: Routing problem :: Author Plasmadog <https://forums.openvpn.net/viewtopic.php?f=6&t=7126&p=7855#p7855>
19:51 -!- Shazzamy [~Shazzamy@unaffiliated/shazzamy] has joined #openvpn
19:53 -!- manevra [~manevra@86.121.76.217] has quit []
20:04 -!- Shazzamy [~Shazzamy@unaffiliated/shazzamy] has quit [Quit: Shazzamy]
20:05 -!- Shazzamy [~Shazzamy@d161-184-139-209.abhsia.telus.net] has joined #openvpn
20:05 -!- Shazzamy [~Shazzamy@d161-184-139-209.abhsia.telus.net] has quit [Changing host]
20:05 -!- Shazzamy [~Shazzamy@unaffiliated/shazzamy] has joined #openvpn
20:07 -!- meh2 [~efnet@27-9.202-62.fix.bluewin.ch] has left #openvpn []
20:07 < Dougy> rawr
20:07 < ecrist> wb
20:07 < Dougy> howdy
20:08 < ecrist> channel move was my decision.
20:08 < Dougy> why?
20:08 < Dougy> and what is a GCF
20:08 < ecrist> we're a properly registered group with freenode now, so we're "official"
20:08 < ecrist> hence, the ability to lose one of the hashes
20:09 < ecrist> openvpn corporate has in no way taken over, and they will not take over.
20:09 < ecrist> we're all working together now, and have been since ~February of this year.
20:09 < ecrist> which is why we were able to move the forum to one of their boxes.
20:13 < Dougy> hm
20:14 < Dougy> do i get a cool tag too?
20:15 -!- WebW0rkX [~WebDawg@135.sub-75-200-247.myvzw.com] has quit [Ping timeout: 252 seconds]
20:15 < ecrist> sure, if you want one.
20:16 -!- WebW0rkX [~WebDawg@135.sub-75-200-247.myvzw.com] has joined #openvpn
20:16 -!- meh2 [~efnet@27-9.202-62.fix.bluewin.ch] has joined #openvpn
20:16 < ecrist> I put in the request
20:18 < Dougy> neato
20:18 < Dougy> cheers
20:18 < Dougy> :)
20:18  * Dougy feels useful
20:18 < Dougy> oh it's a cool feeling
20:18 < Dougy> hah
20:18 < Dougy> so ecrist i got my pbx done finally
20:18 < ecrist> oh yeah?
20:18 < Dougy> yeah
20:19 < Dougy> got some money and got an account @ vitelity and set up asterisk
20:19 < meh2> to add another server all i need is another server.conf file and run that, correct?
20:19 < Dougy> i went for freeswitch first but that config style just pisses me off
20:19 < Dougy> i cant' standl it
20:19 < Dougy> stand*
20:19 < Dougy> i also had a bit of asterisk exp
20:19 < Dougy> meh2: kinda.
20:19 < Dougy> i'm pretty sure you need to name specific devices at that point
20:19 < Dougy> ie
20:19 < ecrist> meh2: correct
20:19 < Dougy> tun0 tun1 tun2
20:19 < Dougy> or not
20:20  * Dougy runs
20:20 < Dougy> does openvpn auto do it, ecrist ?
20:20 < ecrist> yep
20:20 < Dougy> ahh
20:20 < Dougy> win
20:20 < meh2> neat
20:20 < meh2> yeah
20:20 < Dougy> well i had the right idea, but it does it the more intelligent way
20:20 < meh2> does windows machines support IPSEC?
20:20 < Dougy> ecrist: i am 18 now
20:20 < meh2> with openvpn
20:20 < Dougy> wo0t
20:20 < ecrist> yes, but not natively, they need something else to do it.
20:21 < ecrist> openvpn != ipsec
20:21 <@krzie> !notcompat
20:21 < vpnHelper> krzie: "notcompat" is (#1) ipsec and pptp are NOT compatibile with openvpn... openvpn is uses SSL, pptp and ipsec both use proprietary protocols, and therefor CAN NOT be compatible, or (#2) openvpn only connects to openvpn
20:21 < Dougy> gogo jeff
20:21 < Dougy> lol
20:21 < Dougy> im contemplating picking up a rack of colo and offering some brocolo to people in here
20:22 < Dougy> colo here is so freakin expensive tho
20:23 < meh2> so openvpn uses its own thing
20:23 < meh2> cool
20:23 < Dougy> yeah
20:23 < ecrist> openvpn uses openssl and some fancy networking
20:23 < Dougy> openvpn is l33t
20:23 < Dougy> ecrist: how do i get that tag once its assigned? just uath to nickserv?
20:23 < Dougy> auth
20:23 < krzee> its ipsec that does its down thing
20:24 < meh2> one more thing, for openvpn gui to work over the internet, i have to connect to a public wifi for example first and then to openvpn, some programs like mozilla thunderbird or an auto refresh site will try to sync even if the connection to openvpn has dropped
20:24 < ecrist> RichiH will possibly confirm you want it, then it will be automatic
20:24 < meh2> is there a way to not allow that to happen?
20:24 < krzee> ipsec is its own network protocol, openvpn uses normal IP and normal routing or bridging with virtual devices and hooks for openssl to do its thing
20:25 < Dougy> meh2: probably
20:25 < meh2> a way to not allow the system to do anything before it confirms there is an openvpn connection
20:25 < meh2> Dougy, how?
20:25 < meh2> any ideas?
20:26 < krzee> !def1
20:26 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
20:26 < krzee> if you use def1, you will have routing when openvpn dies
20:26 < krzee> if you dont, you wont
20:26 < Dougy> i swear to god
20:26 < Dougy> i am going to blow up every college that emails me if they keep sending me 5 messages each a day
20:27 < krzee> does he swear back?
20:27 < Dougy> i get about 750 emails a day
20:27 < Dougy> from colleges
20:27 < Dougy> fzdgxvcbnhsgdjfgadghfjsadhgjh
20:27  * Dougy creates spamfilter rule to autoreject anything with college in it
20:27 < meh2> krzee, so like this the connection can b established to the public wifi but wont let me browse unless i connect to openvpn?
20:27 < meh2> thats cool
20:28 < krzee> once you connect, --redirect-gateway would override your default gateway
20:28 < krzee> if openvpn goes down, your default gateway goes down
20:28 < Dougy> Michael Senzer really wishes his balls weren't so hairy :(
20:29 < krzee> if you dont use def1, you have no route to the internet at that point, but still have a route to the vpn
20:29 < Dougy> facebook is really lols
20:29 < Dougy> but its more lol when its down for hours on end
20:29 < Dougy> krzee: have they changed it?
20:29 < Dougy> when i used to def1, as soon as it dc'd it reverted my route
20:29 < Dougy> instantly
20:29 -!- WebW0rkX [~WebDawg@135.sub-75-200-247.myvzw.com] has quit [Ping timeout: 255 seconds]
20:29 < meh2> krzee, thats amazing
20:29 < krzee> def1 doesnt revert anything, it makes routes without wiping out the defaut route
20:30 < krzee> so when they go away, theres still a default
20:30 < Dougy> ahha
20:30 < Dougy> righto
20:30 < krzee> without def1, there wouldnt be
20:30 < Dougy> god damnit I WANT THIS METAL OUT OF MY LEG
20:30 < krzee> so he just doesnt want to use def1
20:31 < meh2> doesnt use?
20:31 < meh2> i thought im supposed to use def1 and connect with --redirect-gateway .... :/
20:31 < krzee> correct 
20:31 < krzee> nope
20:31 < krzee> no def1, you DONT want it to keep a route
20:32 < krzee> you said you want it to not connect if the vpn goes down
20:32 < meh2> yeah i just re-read what you wrote the first time again and got it
20:32 < krzee> (right?)
20:32 < meh2> exactly yes
20:32 < krzee> then ya, no def1 for you
20:32 < meh2> bad def1!
20:32 < krzee> its more of a feature to be ABLE to still connect ;]
20:32 < meh2> its a Great feature
20:32 < meh2> ive been googling about it nearly the whole day
20:33 < krzee> you run the server?
20:34 < meh2> krzee, yes, im trying to run it from home
20:34 -!- WebW0rkX [~WebDawg@135.sub-75-200-247.myvzw.com] has joined #openvpn
20:43 < krzee> cool
20:43 < krzee> what OS is the server?
20:44 < meh2> freebsd or ubuntu server.. im testing with ubuntu server so i guess im just gonna use that
20:45 < meh2> the client im still debating about ubuntu 10.04 or windows 7
20:45 < krzee> both work fine
20:45 < krzee> but heres for ubuntu
20:45 < krzee> !redirect
20:45 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
20:45 < krzee> !linipforward
20:45 < vpnHelper> krzee: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
20:45 < krzee> !linnat
20:45 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
20:47 -!- Shazzamy [~Shazzamy@unaffiliated/shazzamy] has quit [Quit: Shazzamy]
20:48 < meh2> thats great, thanks dude
20:48 < krzee> np
20:48 < krzee> once that is done, basically its just:
20:48 < krzee> !sample
20:48 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
20:48 < krzee> and redirect-gateway in the client config
20:48 < meh2> and def1?
20:48 < meh2> server side i assume?
20:49 < krzee> no def1!
20:49 < meh2> so its not defined by default?
20:49 < meh2> i dont have to disable it?
20:49 < krzee> btw, def1 would be a flag sent to redirect-gateway, if you wanted it
20:49 < krzee> no, you would need to define it IF you wanted it
20:49 < meh2> thats good
20:50 < krzee> so a client could use it if they want
20:50 < krzee> if they dont, you dont use it
20:51 < krzee> if you dont want them to be ABLE to decide that, you put it in server config with push
20:51 < krzee> !push
20:51 < vpnHelper> krzee: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
20:53 < meh2> is there a way to add redirect-gateway in the client config file?
20:53 < krzee> thats the first thing i said
20:53 < krzee> [21:48]  <krzee> and redirect-gateway in the client config
20:54 < krzee> you only push it to client if you dont want to give the client a decision
20:54 < krzee> think of it as if you had 10 users
20:54 < krzee> ;]
20:56 < meh2> yeah true.. im going over the client config file in the HOW-TO to try and find out where to add these commands
20:59 < krzee> !sample
20:59 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
21:01 < meh2> yeah i read that earlier and added the link to my notes.. do i just add any extra option/flag i want anywhere in the config file?
21:02 < krzee> yes
21:04 < meh2> you've been a great help dude
21:04 < meh2> id invite you for a joint but i dont want to see a shoe flying my way heheh
21:12 < krzee> i love weed but doubt you're in my area ;]
21:12 < krzee> but im not against grabbing my pipe now while you hit yours
21:12 < krzee> lol
21:20 < meh2> lol done deal
21:22 < Dougy> hah
21:22  * Dougy is clean
21:22  * Dougy goes away
21:23 < meh2> hmm im wondering, how will the OS know not to use its local gateway if openvpn is disconnected?
21:23 < meh2> the app has to be running and thats all that matters?
21:37 -!- WebW0rkX [~WebDawg@135.sub-75-200-247.myvzw.com] has quit [Ping timeout: 252 seconds]
21:49 -!- abeehc-_ [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined #openvpn
21:50 < meh2> the page http://www.secure-computing.net/wiki/index.php/OpenvPN/Routing is empty
21:52 < meh2> !nat
21:52 < vpnHelper> meh2: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
21:53 < meh2> !route
21:53 < vpnHelper> meh2: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
21:53 -!- WebW0rkX [~WebDawg@135.sub-75-200-247.myvzw.com] has joined #openvpn
22:09 -!- p3rror [~mezgani@adsl196-19-68-206-196.adsl196-3.iam.net.ma] has joined #openvpn
22:10 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
22:24 < krzee> [22:50]  <meh2> the page http://www.secure-computing.net/wiki/index.php/OpenvPN/Routing is empty
22:24 < krzee> cap V in VPN
22:24 < krzee> [22:23]  <meh2> hmm im wondering, how will the OS know not to use its local gateway if openvpn is disconnected?
22:24 < krzee> it doesnt "know" anything
22:25 < krzee> redirect-gateway removes the default gateway, and re-adds it using the VPN
22:25 < krzee> VPN goes down, no default gateway exists to route traffic to and you lose connectivity
22:26 -!- p3rror [~mezgani@adsl196-19-68-206-196.adsl196-3.iam.net.ma] has quit [Ping timeout: 265 seconds]
22:26 < theDoc> or alternatively, why not inject 0/1 and 0/128? That way you don't override your default gw and still tunnel all traffic via the vpn?
22:32 -!- Squidy [~quassel@189-31-49-2.cbace701.dsl.brasiltelecom.net.br] has quit [Remote host closed the connection]
22:41 -!- p3rror [~mezgani@adsl196-192-71-206-196.adsl196-3.iam.net.ma] has joined #openvpn
23:05 -!- UnterPerro [~UnterPerr@166.193.165.182] has joined #openvpn
23:13 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has joined #openvpn
23:28 -!- meh2 [~efnet@27-9.202-62.fix.bluewin.ch] has quit [Ping timeout: 240 seconds]
23:50 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined #openvpn
23:51 < hyper_ch> krzee: what happened?
23:57 < krzee> moved from ##openvpn to #openvpn
23:58 < krzee> theDoc, he chooses to not want the connection if the VPN happens to drop
23:58 < krzee> browsing on public wifi and whatnot
23:59 < hyper_ch> why that move? I felt so much more comfy in ##openvpn
--- Day changed Fri Sep 24 2010
00:01 < krzee> ## means just community
00:02 < krzee> # means community and the corp
00:02 < krzee> more official i guess
00:04 -!- mode/#openvpn [+o krzee] by ChanServ
00:06 -!- mode/#openvpn [-oo krzee krzie] by krzee
00:07 -!- mode/#openvpn [+o Bushmills] by ChanServ
00:07 -!- mode/#openvpn [-o Bushmills] by Bushmills
00:18 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
00:25 -!- UnterPerro [~UnterPerr@166.193.165.182] has quit [Quit: UnterPerro lives to save another day]
00:27 -!- WormFood [~wormfood@183.38.13.112] has joined #openvpn
01:41 -!- WinstonSmith [~true@e179005075.adsl.alicedsl.de] has joined #openvpn
--- Log closed Fri Sep 24 01:47:42 2010
--- Log opened Fri Sep 24 01:47:47 2010
01:47 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined #openvpn
01:47 -!- Irssi: #openvpn: Total of 28 nicks [2 ops, 0 halfops, 0 voices, 26 normal]
01:47 -!- mode/#openvpn [+o ecrist] by ChanServ
01:48 -!- Irssi: Join to #openvpn was synced in 30 secs
01:59 -!- nijotz [~nick@72.14.181.106] has joined #openvpn
02:08 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has joined #openvpn
02:09 -!- cron2 [~gert@openvpn/community/developer/cron2] has joined #openvpn
02:09 -!- mode/#openvpn [+o cron2] by ChanServ
02:09 <@cron2> re
02:09 -!- karlgus [~karlgus@c-89-160-34-86.cust.bredband2.com] has quit [Read error: Connection reset by peer]
02:19 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:24 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
02:27 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn
02:28 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
02:28 -!- mode/#openvpn [+o dazo] by ChanServ
02:29 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has quit [Read error: Operation timed out]
02:29 -!- mode/#openvpn [-o dazo] by ChanServ
02:29 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined #openvpn
02:35 -!- freaky[t] [alpha@freakyy.de] has joined #openvpn
02:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
03:35 -!- meh2 [~efnet@176-218.1-85.cust.bluewin.ch] has joined #openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:44 -!- ksk [~ksk@im.knubz.de] has joined #openvpn
03:45 < ksk> hello
03:45 < ksk> why did u change channel / why was it "##openvpn" (2x#) before actually?
03:45 < ksk> (just smalltalk :> )
03:54 < meh2> i think this question is answered in the freenode faq on the site
04:03 -!- le0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has joined #openvpn
04:03 -!- le0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has quit [Changing host]
04:03 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
04:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
04:21 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
04:22 -!- bayer [~bayer@chello062178075222.26.11.tuwien.teleweb.at] has joined #openvpn
04:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Excess Flood]
04:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
04:29 -!- mape2k [~mape2k@2001:638:904:ffe0:21f:3bff:fe27:21a9] has quit [Remote host closed the connection]
04:47 -!- bayer [~bayer@chello062178075222.26.11.tuwien.teleweb.at] has quit [Ping timeout: 240 seconds]
04:53 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
05:00 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: This computer has gone to sleep]
05:00 -!- bayer [~bayer@I6I-I86.static.anw.at] has joined #openvpn
05:43 -!- bayer [~bayer@I6I-I86.static.anw.at] has quit [Ping timeout: 272 seconds]
05:44 -!- meh2 [~efnet@176-218.1-85.cust.bluewin.ch] has quit [Ping timeout: 255 seconds]
06:08 -!- zzattack [~zz@21-78-ftth.onsneteindhoven.nl] has joined #openvpn
06:13 -!- Tapke [~Tapkis@home.tapke.eu] has joined #openvpn
06:14 < Tapke> Ok. If myvpn server is NOT the gateway of the foreign LAN. what extra routes do I need? 
06:18 -!- alice|wl [~helo@wl-1-pt.tunnel.tserv6.fra1.ipv6.he.net] has joined #openvpn
06:18 < alice|wl> hello, my server is pushing redirect-gateway. how can I as a client ignore that?
06:20 < Tapke> add your own routes
06:22 < alice|wl> sounds not like a good solution
06:23 < alice|wl> I d have to delete the default route set by openvpn and add one based on the local gateway wich i have to read route somehow
06:34 -!- manevra [~manevra@66.199.231.250] has joined #openvpn
06:35 -!- Dougy [me@208.99.80.128] has quit [Changing host]
06:35 -!- Dougy [me@openvpn/community/user/dougy] has joined #openvpn
06:35 -!- Hien [7b1446af@gateway/web/freenode/ip.123.20.70.175] has joined #openvpn
06:35 < Tapke> ok. why OH why if i push route 10.80.11.0 255.255.255.0, the client takes 255.255.255.252 mask?
06:35 <@ecrist> !/30
06:35 < vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
06:36 -!- manevra [~manevra@66.199.231.250] has quit [Client Quit]
06:45 -!- Hien [7b1446af@gateway/web/freenode/ip.123.20.70.175] has quit [Quit: Page closed]
06:53 -!- p3rror [~mezgani@adsl196-192-71-206-196.adsl196-3.iam.net.ma] has quit [Ping timeout: 265 seconds]
06:59 -!- alice|wl [~helo@wl-1-pt.tunnel.tserv6.fra1.ipv6.he.net] has left #openvpn []
07:04 -!- p3rror [~mezgani@adsl196-18-96-206-196.adsl196-4.iam.net.ma] has joined #openvpn
07:29 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined #openvpn
07:34 -!- p3rror [~mezgani@adsl196-18-96-206-196.adsl196-4.iam.net.ma] has quit [Read error: Connection reset by peer]
07:45 -!- meh2 [~efnet@176-218.1-85.cust.bluewin.ch] has joined #openvpn
07:45 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
07:51 -!- star314 [~star314@beigelbeck-nb.isas.tuwien.ac.at] has joined #openvpn
07:54 -!- p3rror [~mezgani@196.206.86.231] has joined #openvpn
08:13 -!- p3rror [~mezgani@196.206.86.231] has quit [Ping timeout: 245 seconds]
08:29 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
08:33 -!- star314 [~star314@beigelbeck-nb.isas.tuwien.ac.at] has quit [Remote host closed the connection]
08:43 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
08:43 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
08:43 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
08:50 -!- ss0 [~Adium@208.86.167.248] has joined #openvpn
08:55 -!- Tapke [~Tapkis@home.tapke.eu] has left #openvpn []
09:17 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined #openvpn
09:18 < grendal_prime> hey guys..im really killing myself here with this log rotatioin problem here. anyone have a second to put a second set of eyes on this?
--- Log opened Fri Sep 24 09:45:25 2010
09:45 -!- ecrist [~ecrist@openvpn/community/support/ecrist] has joined #openvpn
09:45 -!- Irssi: #openvpn: Total of 41 nicks [3 ops, 0 halfops, 0 voices, 38 normal]
09:45 -!- mode/#openvpn [+o ecrist] by ChanServ
09:46 -!- Irssi: Join to #openvpn was synced in 47 secs
09:47 -!- meh2 [~efnet@176-218.1-85.cust.bluewin.ch] has quit [Ping timeout: 272 seconds]
10:03 < ss0> Can someone explain to me how client-cert-not-required works? I know the cient still needs ca.crt regardless because openvpn is two authentication, but my client is still crying about "Cannot load certificate file client.crt:" even with that parameter specified in the conf file.
10:03 < ss0> sorry that should have been two way not just two.
10:05 < grendal_prime> dazo, 
10:05 < grendal_prime> ok thanks
10:05 < dazo> you're welcome!
10:06 < ss0> Maybe I'm not asking my question the right way, is key less authentication possible? If so other than the vague reference on the openvpn sight does anyone have a howto or some advice?
10:06 < grendal_prime> so basically i need to specify in syslog that i want to sort out the openvpn stuff to a diff log file right?
10:06 < dazo> grendal_prime: that's right
10:06 < grendal_prime> hmm im using syslog-ng ok..something new to learn
10:07 < ss0> grendal_prime:  any reason you chose that over rsyslog?
10:07 < dazo> grendal_prime: with syslog-ng ... you can even let syslog-ng do the rotation automatically for you
10:07 < dazo> destination openvpnlog { file("/$YEAR/$MONTH/$DAY/$YEAR$MONTH$DAY-openvpn.log"
10:07 < dazo>                                 owner(syslog) group(syslog) perm(0640) dir_perm(0750) dir_group(syslog) create_dirs(yes));};
10:08 < dazo> filter f_openvpn { facility(daemon) and match(".*openvpn\\[.*\\].*"); };
10:08 < dazo> log { source(src); filter(f_openvpn); destination(openvpnlog); };
10:08 < dazo> that's basically what you need in your syslog-ng.conf  ;-)
10:09 < dazo> ss0: syslog-ng lets you use regexp on the log data to filter log data to different destinations
10:10 < ss0> dazo:  I thought rsyslog supports regex as well but I can see why that would be an advantage. 
10:10 < dazo> syslog-ng is so flexible, it's almost too flexible sometimes
10:11 < ss0> dazo thanks for the info!
10:11 < ss0> dazo:  can i ask you a question about openvpn?
10:11 < dazo> ss0: I'm looking at your question right now :)
10:11 < ss0> dazo:  you rock!
10:13 < Bushmills> ss0: that's doubtful that you can. you may have tried but didn't succeed
10:14 < dazo> it is possible, I'm looking up the solution right now
10:14 < ss0> yeah pretty much, however the mailling list had someone do it in 2005. the problem may be that tunnelblick can't do no key auth...
10:15 < dazo> ss0: You basically have --client-cert-not-required ... and in the client config, you just need --client and --ca ... nothing else
10:15 < dazo> well, nothing else related to --key, --cert, etc etc
10:16 < dazo> and you need OpenVPN 2.1 at least for this
10:16 < dazo> (that's what I've been using)
10:16 < grendal_prime> dazo..found a bunch of syslog-ng templates.
10:16 < dazo> :)
10:16 < ss0> ok let me test the client config with only those parameters
10:16 < grendal_prime> http://gentoo-overlays.zugaina.org/wschlich/portage/app-admin/syslog-ng/files/syslog-ng.conf
10:16 < ss0> dazo:  dosnt —client turn tls tunneling on?
10:17 < dazo> ss0: it does, but if you want encryption without client certificate, you need tls
10:17 < ss0> dazo:  good point.
10:19 < dazo> grendal_prime: nice one!  but remember that syslog-ng will do the logrotate, on-the-fly without a logrotate cron job, by using $YEAR, $MONTH, $DAY, etc in the file names as well ... so that's kind of a good thing about syslog-ng as well
10:25 < ss0> dazo:  http://pastebin.com/C9BauHPP   this is my config now
10:26 < dazo> ss0: --username-as-common-name doesn't make sense in this context
10:27 < ss0> dazo:  I grabbed that from openvpn's blurb on alternative login methods, can you explain further? I will remove it and try again.
10:27 < dazo> ss0: that statement is also only for the server side, iirc
10:27 < ss0> also this is what my clients logs say when i try currently. http://pastebin.com/VXcAQmBh
10:29 < dazo> ss0: it sounds like your config is not being used by Tunnelblick ... try starting openvpn from the command line directly, just to see that it works
10:29 < ss0> dazo:  good idea!
10:30 < ss0> Options error: --client-cert-not-required requires --mode server
10:30 < ss0> dazo:  so to me this means thats not the right option on the client.
10:30 -!- p3rror [~mezgani@217.23.4.242] has joined #openvpn
10:30 < dazo> ss0: yeah, you need that one on the server
10:31 < dazo> sorry, I probably confused things
10:31 < ss0> dazo:  no worries it is on the server
10:31 < dazo> :)
10:32 < dazo> ss0: the only authentication related option you might need on the client is --auth-user-pass
10:32 < ss0> yes! that was it!
10:32 < dazo> (if you enable username/password authentication)
10:35 < ss0> dazo:  yeah this setup wasn't my choice, my boss wants user/pass only against my protests. but he signs the checks :D
10:35 < dazo> ss0: you wanted a VPN setup without any kind of authentication scheme?
10:36 < ss0> dazo:  no just user and pass rather than true pki
10:36 < dazo> ahh
10:36 < ss0> dazo:  still requires ca.cert to prevent man in the middle but no per user key
10:37 < ss0> dazo:  which is complete fail in my opinion but as long as I have my protest in an email if anything happens not my problem.
10:37 < dazo> well, you could have something a little bit stronger .... the same client cert/keys on all openvpn clients
10:37 < ss0> dazo:  that's true and it's the same amount of trouble as having ca.cert on each system.
10:37 < dazo> exactly
10:38 < ss0> dazo:  I wan to thank you so much for your help.
10:38 < dazo> but the security is just marginally safer, I'd say ... unless the passwords are RSA tokens or similar ... more static passwords will anyway be more prune to brute-force attacks
10:38 < dazo> ss0: you're very welcome!
10:40 < dazo> on second thought .... it is quite more stronger, with static client key/certs ... as an attacker would need to have the key and cert available before being able to start bruteforce attacks on the passwords
10:41 < dazo> now, he basically need just the ca.crt .... which should be possible to extract with some trickery, as that cert is also passed to the client during SSL establishment ... at least normally
10:41 < ss0> dazo:  i agree. 
10:41 < ss0> dazo:  my vpn at home uses a different key pair for each user. 
10:41 < ss0> dazo:  so much easier to setup too!
10:41 < dazo> I'm using individual key/certs + user/passwords :)
10:42 < ss0> dazo:  brute force is not possible, I setup an iptables rule if you attempt to many connections block your ip, DOS using my own firewall however...
10:42 < dazo> ss0: if you're interested ... you can check out http://www.eurephia.net/ 
10:42 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
10:42 < dazo> ss0: ahh, clever!
10:43 < ss0> dazo:  what is this module?
10:43 < ss0> dazo:  ahhh i read it. very cool.
10:43 < ss0> dazo:  bookmarked
10:43 < dazo> ss0: it's to authenticate users with username/password ... but it also integrates with iptables
10:53 -!- dazo is now known as dazo_afk
11:05 -!- WormFood [~wormfood@183.38.13.112] has quit [Ping timeout: 252 seconds]
11:17 -!- WormFood [~wormfood@183.38.12.227] has joined #openvpn
11:19 < Dougy> RAWR
11:30 -!- WebW0rkX [~WebDawg@135.sub-75-200-247.myvzw.com] has quit []
11:34 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
11:40 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined #openvpn
11:48 -!- oc80z [oc80z@blea.ch] has joined #openvpn
12:00 < Dougy> pft ecrist i see how it is
12:00 < Dougy> stick me with /user/
12:00 < Dougy> :P
12:03  * hyper_ch feels scared in #openvpn ....
12:03 < Dougy> why, hyper_ch ?
12:03 < hyper_ch> ##openvpn was very comfy and felt like home
12:04 < jeev> because Dougy is a looser.
12:04 < hyper_ch> but #openvpn is.... different... sterile... weird
12:06 <@ecrist> sterile?
12:07 < hyper_ch> untainted
12:07 < hyper_ch> clean
12:07 < hyper_ch> new
12:07 < hyper_ch> unused
12:07 < hyper_ch> well... sterile :)
12:09 -!- openbsdnoob [~openbsdno@88.79.221.61] has joined #openvpn
12:09 < openbsdnoob> hi
12:10 < Dougy> hi openbsdnoob, jeev, and ecrist
12:10 < Dougy> and hyper_ch i guess
12:11 < hyper_ch> hi Dougy
12:11 < hyper_ch> I'm already a celebrity in here?
12:11  * hyper_ch feels at home now
12:12 < openbsdnoob> is there a way to restart a openvpn-server?
12:12 < openbsdnoob> i have change something in the server.conf
12:13 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- The professional IRC Client :D]
12:13 <@ecrist> kill -1 <pid>
12:14 < openbsdnoob> the server run as daemon
12:14 < openbsdnoob> would pkill openvpn works too?
12:15 < openbsdnoob> im on openbsd
12:15 <@ecrist> no idea.  
12:19 < openbsdnoob> i can kill the server but the server cannot restart ....cannot read server.conf   ...strange
12:19 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 272 seconds]
12:20 -!- WinstonSmith [~true@e179005075.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
12:24 -!- openbsdnoob [~openbsdno@88.79.221.61] has quit [Quit: byebye]
12:27 -!- openbsdnoob [~openbsdno@88.79.221.61] has joined #openvpn
12:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
12:34 -!- openbsdnoob [~openbsdno@88.79.221.61] has quit [Quit: byebye]
12:37 -!- openbsdnoob [~openbsdno@88.79.221.61] has joined #openvpn
12:41 -!- WinstonSmith [~true@e179005075.adsl.alicedsl.de] has joined #openvpn
12:45 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
12:46 < kraut> gah
12:46 < kraut> hi
12:46 < kraut> i'm using openvpn on my rootserver. i connect to a virtual ip on it (eth0:1 f.e.). the client is using this as default gateway. the outgoing ip in the internet after the tunnel has been established is the ip of eth0 f.e..
12:46 < kraut> how could i change this behavoiur?
12:52 < krzee> in the NAT
12:52 < krzee> if linux:
12:52 < krzee> !linnat
12:52 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
12:52 < krzee> #2
12:55 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
13:05 < ss0> I have a bonded rather than routed vpn. I am able to get connected now, however I am getting an error of bad source address from the client.  http://pastebin.com/CHAcTNWc
13:05 <@ecrist> bonded vpn?
13:06 <@ecrist> gah
13:06 -!- mode/#openvpn [-o ecrist] by ecrist
13:06 < ecrist> I think you're thinking of T1s
13:06 < ecrist> I have bonded T1s, but no boded VPNs.
13:06 -!- Irssi: #openvpn: Total of 45 nicks [3 ops, 0 halfops, 0 voices, 42 normal]
13:07 < ss0> sorry i should have said bridged.
13:08 < ss0> Thanks for the correct ecrist.
13:08 < ss0> correction even. Left my glasses at home today and I'm practically blind without them.
13:08 < ss0> ecrist:  to me this seems to be a situation where the client is reporting back with it's original ip, and the vpn server is expecting the ip it handed out.
13:10 < ecrist> ss0: sounds like IP conflict between VPN net and client local subnet
13:10 < ecrist> !configs
13:10 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
13:11 < kraut> re
13:11 < kraut> krzee: any tip how do to that with shorewall?
13:12 < kraut> i tried DNAT, but that seems to be wrong
13:12 < kraut> GAH
13:12 < kraut> SNAT
13:12 < kraut> one moment
13:12 < ecrist> kraut: unfortunately, we can't support odd firmware and all the possible combinations of.
13:15 < kraut> firmware?
13:15 < kraut> is linux a firmware?
13:15 < ecrist> it can be, yes
13:16 < ecrist> dd-wrt uses it, not sure about shorewall
13:16 < kraut> meh, it's more complicated then i thought
13:16 < kraut> i know what dd-wrt is and how it works
13:18 < hyper_ch> looked at Tomato WRT?
13:18 < kraut> lunchtime
13:18 < hyper_ch> tomato wrt is not edible
13:19 < ss0> ecrist:  The configs are here now. http://pastebin.com/kuMe54ZL
13:21 < ecrist> lol @ hyper_ch 
13:28 < ecrist> ss0: are the client and server on the same lan?
13:29 < ss0> currently yes. the client is on the portion handed out via dhcp, the server is handing out lower address that have until now been reserved.
13:29 < ss0> would being on the same lan cause that error?
13:29 < ecrist> what's the lan subnet?
13:30 < ss0> 172.16.1.xxx so 255.255.255.0
13:30 < ecrist> that's the problem.
13:30 < ss0> so it should not happen if the client is on a public ip correct?
13:30 < ecrist> correct
13:31 < ss0> (I was just trying to test before opening up 1194) Thank you for your help. if you saw anything you would correct, I would appreciate your input.
13:31 < ss0> I just started work here, we currently don't manage the firewall so I will have to wait to test.
13:34 < ecrist> ugh
13:34 -!- EV1 [4e325860@gateway/web/freenode/ip.78.50.88.96] has joined #openvpn
13:35 < EV1> Hey everybody. Is it possible to build a bridged vpn with a host having just a single interface? (on linux)
13:36 < ss0> That's an interesting question, the openvpn faq says that bridging with the interface that is bridged to tap0 is a security risk.
13:36 < ss0> in other words including the public ip in the bridge is a no no. 
13:37 < EV1> there is a plan behinde it :-)
13:37 < EV1> transport public ips of a root server in a datacenter to another location where is only dynamic ip 
13:38 < szr> why the hell would anyone want to add a wan interface to a lan/tap bridge ??
13:38 < ecrist> vlans
13:38 < szr> ah
13:38 < ecrist> there are good reasons to do it, just not many of them.
13:38 < szr> still..
13:38 -!- akm22562 [~akm22562@99-119-36-109.lightspeed.lsvlky.sbcglobal.net] has joined #openvpn
13:38 < szr> for example?
13:38 < EV1> let my explain why
13:38 < ss0> Well unfortunately to the best of my knowledge the only way to do bridged mode,  is to use iptables to reroute packets from one ip to another. 
13:38 < EV1> we have 1 wan connection with static ips
13:39 < EV1> and we need ab backup line. for same resons we need the secound line indipendet
--- Log closed Fri Sep 24 13:40:08 2010
--- Log opened Fri Sep 24 13:40:13 2010
13:40 -!- ecrist [~ecrist@openvpn/community/support/ecrist] has joined #openvpn
13:40 -!- Irssi: #openvpn: Total of 46 nicks [3 ops, 0 halfops, 0 voices, 43 normal]
13:40 -!- mode/#openvpn [+o ecrist] by ChanServ
13:40 < ss0> but the server itself still has two interfaces yeah?
13:40 -!- Irssi: Join to #openvpn was synced in 44 secs
13:41 < EV1> the root server has just 1 interface. the other site where die static ips are needed has several interfaces
13:41 < EV1> 1 connected to the dynamic wan
13:41 -!- vpnHelper [~vpn@butters.secure-computing.net] has joined #openvpn
13:41 -!- vpnHelper [~vpn@butters.secure-computing.net] has quit [Changing host]
13:41 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
13:41 < EV1> an another to simulate(bridge) the public interface of the root server
13:43 < EV1> arg ... where is my visio chart ...
13:43 <@ecrist> apparently I wasn't fast enough
13:46 -!- tigertv69_ [~chatzilla@markley-137242.reshall.umich.edu] has joined #openvpn
13:46 < tigertv69_> hey guys im trying to to install openvpn on busybox?
13:46 < tigertv69_> how do i go about doing that?
13:47 < Bushmills> "on" ?
13:47 < Bushmills> just like when using any other shell
13:51 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
13:52 -!- tigertv69_ [~chatzilla@markley-137242.reshall.umich.edu] has quit [Ping timeout: 240 seconds]
13:54 -!- EV1 [4e325860@gateway/web/freenode/ip.78.50.88.96] has quit [Ping timeout: 252 seconds]
13:55 -!- EV2 [4e325860@gateway/web/freenode/ip.78.50.88.96] has joined #openvpn
13:55 < EV2> arg. firefox ...
13:55 < EV2> OpenVPN bridge with just 1 interface => http://pitload.org/2194
13:55 < vpnHelper> Title: PittrieLoad: File details for "Idea.pdf" (at pitload.org)
13:56 < EV2> Possible? The right way?
13:58 <@ecrist> ugh, pdf
13:58  * ecrist will look when it's a text file
13:58 < EV2> hehe
13:59 < EV2> A text file? .. this could take amoment :-P
14:02 -!- tigertv69 [~chatzilla@markley-136120.reshall.umich.edu] has joined #openvpn
14:02 < tigertv69> hey guys im trying to figure out how do i get openvpn on busybox
14:02 -!- tigertv69 [~chatzilla@markley-136120.reshall.umich.edu] has quit [Client Quit]
14:02 < kraut> ffs
14:03 <@ecrist> wtf
14:03 < kraut> SNAT is working fine, but still packets to the first ip will be dropped from a vpn client
14:03 <@ecrist> dammit
14:03 -!- mode/#openvpn [-o ecrist] by ecrist
14:03 < kraut> openvpn in busybox?
14:04 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 265 seconds]
14:04 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has quit [Read error: Connection reset by peer]
14:05 -!- raidz [~Andrew@seance.openvpn.org] has joined #openvpn
14:07 < EV2> text is not as easy as it sounds
14:16 < Bushmills> !pptp
14:16 < vpnHelper> Bushmills: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
14:16 < vpnHelper> Bushmills: read about why to not use pptp
14:17 -!- DelphiWorld [~Delphi@41.200.4.184] has joined #openvpn
14:17 < DelphiWorld> !pptp
14:17 < vpnHelper> DelphiWorld: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml
14:17 < vpnHelper> DelphiWorld: to read about why to not use pptp
14:17 < DelphiWorld> Bushmills: ;)
14:18 < Bushmills> oh, sry. didn't notice
14:18 < DelphiWorld> lol Bushmills thank you anyway!
14:19 < DelphiWorld> !install
14:19 < vpnHelper> DelphiWorld: Error: "install" is not a valid command.
14:19 -!- ChanServ changed the topic of #openvpn to: append Cloaks available, ask ecrist.
14:19 < ecrist> rargh
14:19 < DelphiWorld> hi ecrist! you there! #freeswitch friend;)
14:19 -!- ecrist changed the topic of #openvpn to: OpenVPN 2.1.3 Most Current || 2.2-beta3 Released 10-Sept-2010 || Your problem is your firewall, really. || Type  !welcome  before asking your  questions. ||  Web Forum: http://forums.openvpn.net || rs: #openvpn-devel
14:20 < DelphiWorld> !welcome
14:20 < vpnHelper> DelphiWorld: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:20 -!- ecrist changed the topic of #openvpn to: OpenVPN 2.1.3 Most Current || 2.2-beta3 Released 10-Sept-2010 || Your problem is your firewall, really. || Type  !welcome  before asking your  questions. ||  Web Forum: http://forums.openvpn.net || Developers: #openvpn-devel || Cloaks available, ask ecrist.
14:22 < EV2> ecrist: now its a text file => http://pitload.org/2195
14:22 < vpnHelper> Title: PittrieLoad: File details for "idea.txt" (at pitload.org)
14:22 -!- phantomcircuit [~phantomci@adsl-99-35-134-127.dsl.pltn13.sbcglobal.net] has joined #openvpn
14:23 < ecrist> EV2: create a vlan interface on that root server, bridge tap0 and the vlan interface.
14:23 < ecrist> simple enough.
14:23 < ecrist> :)
14:24 -!- phantomcircuit [~phantomci@adsl-99-35-134-127.dsl.pltn13.sbcglobal.net] has quit [Client Quit]
14:25 -!- phantomcircuit [~phantomci@adsl-99-35-134-127.dsl.pltn13.sbcglobal.net] has joined #openvpn
14:26 < EV2> ecrist: whats about the openvpn traffic itself. there will be 1 ip i do not want to be bridged. solved with a iptables rule?
14:26 < ecrist> yeah
14:27 < EV2> there was someone who said there would be a security risk?
14:28 -!- kisom [~kisom@c-d0dde155.648-1-64736c11.cust.bredbandsbolaget.se] has joined #openvpn
14:28 < ecrist> if you bridge the wan interface, perhaps
14:28 < ecrist> that's why you bridge the vlan interface
14:29 < DelphiWorld> !rpm
14:29 < vpnHelper> DelphiWorld: Error: "rpm" is not a valid command.
14:29 < DelphiWorld> ecrist: any rpm?
14:30 < ecrist> for openvpn?
14:30 < kisom> isn't openvpn in almost all repositories?
14:30 < ecrist> perhaps, in the redhat repo
14:30 < ecrist> I don't think openvpn provides one, directly.
14:30 < kisom> heh, i love the red hat guys
14:30 -!- p3rror [~mezgani@217.23.4.242] has quit [Remote host closed the connection]
14:30 < DelphiWorld> kisom: so help me;)
14:31 < EV2> ecrist: i have ni access to the switch were the root server is connected to. so i have to setup a vlan that uses untagged frames right? iam not realy familiar with vlans.
14:31 < kisom> we wanted some red hat gear, called them from the bank where I work and said we're looking into switching our current cluster into all-redhat, but we needed some red hat gear to show off for the company board
14:31 < kisom> got a box to pick up at the post office ;)
14:31 < EV2> ni=no
14:35 -!- WinstonSmith [~true@e179005075.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
14:36 -!- WinstonSmith [~true@e179005075.adsl.alicedsl.de] has joined #openvpn
14:38 -!- phantomcircuit_ [~phantomci@adsl-99-175-103-3.dsl.pltn13.sbcglobal.net] has joined #openvpn
14:39 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
14:40 -!- phantomcircuit_ [~phantomci@adsl-99-175-103-3.dsl.pltn13.sbcglobal.net] has quit [Client Quit]
14:42 -!- phantomcircuit [~phantomci@adsl-99-35-134-127.dsl.pltn13.sbcglobal.net] has quit [Ping timeout: 276 seconds]
14:54 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
14:54 -!- dferris [~dferris@216-243-150-87.static.iphouse.net] has joined #openvpn
14:54 -!- DelphiWorld [~Delphi@41.200.4.184] has left #openvpn ["I'm a happy Miranda IM user! Get it here: http://miranda-im.org"]
14:54 -!- EV2 [4e325860@gateway/web/freenode/ip.78.50.88.96] has quit [Quit: Page closed]
14:56 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
14:59 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
15:02 < Dougy> rawr
15:08 -!- EmperorTom [~EmperorTo@174-30-212-130.mpls.qwest.net] has joined #openvpn
15:08 -!- ss0 [~Adium@208.86.167.248] has quit [Quit: Leaving.]
15:13 < ecrist> EmperorTom: EV2 has vlan questions, you're the linux/vlan expert, could you help him when you have time, please?
15:14  * EmperorTom doesn't see EV2
15:14 < ecrist> 14:54 -!- EV2 [4e325860@gateway/web/freenode/ip.78.50.88.96] has quit [Quit: Page closed
15:14 < ecrist> oops
15:15 < ecrist> *shrug*
15:15 < ecrist> it's what I get for trying to help 'em out
15:15 < EmperorTom> well if he sticks his head in again, point him my way
15:16 < ecrist> ok
15:16 < ecrist> thanks
15:27 -!- [intra]lanman [~lanman@51.182.231.166.in-addr.arpa] has joined #openvpn
15:27 -!- [intra]lanman [~lanman@51.182.231.166.in-addr.arpa] has quit [Changing host]
15:27 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
15:52 -!- manevra [~manevra@86.121.76.217] has joined #openvpn
15:59 -!- manevra [~manevra@86.121.76.217] has quit []
16:00 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Quit: Ex-Chat]
16:03 -!- th1 [~th@cpc1-cmbg15-2-0-cust361.5-4.cable.virginmedia.com] has joined #openvpn
16:03 -!- th1 [~th@cpc1-cmbg15-2-0-cust361.5-4.cable.virginmedia.com] has quit [Changing host]
16:03 -!- th1 [~th@pdpc/supporter/professional/th1] has joined #openvpn
16:14 < kisom> "omg G18 noob, noobtoob!!!"
16:14 < kisom> haha
16:16 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:21 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined #openvpn
16:31 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined #openvpn
16:37 -!- p3rror [~mezgani@2001:0:53aa:64c:3412:5457:3b31:9085] has joined #openvpn
16:39 < jeev> fuck g18 users
16:39 < jeev> fuck noob tubers
16:46 < vpnHelper> RSS Update - forum: Server Administration :: Re: OpenVPN Network issues :: Reply by greggk <https://forums.openvpn.net/viewtopic.php?f=4&t=7125&p=7856#p7856> || Server Administration :: Openvpn connection to server but mail fails to open :: Author jerry <https://forums.openvpn.net/viewtopic.php?f=4&t=7127&p=7857#p7857>
16:53 < ecrist> ?
17:04 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 240 seconds]
17:06 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
17:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
17:23 < kisom> jeev: i'm dual-wielding G18 and tubing at the same time ;)
17:29 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
17:31 < krzee> 46 users, reminds me of a little while back
17:48 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has joined #openvpn
17:49 -!- Serideru [~GTWebster@69-92-242-131.cpe.cableone.net] has joined #openvpn
17:49 -!- Serideru [~GTWebster@69-92-242-131.cpe.cableone.net] has left #openvpn []
17:52 -!- Joelio [~joel@lcw-212-23-5-1.zen.co.uk] has joined #openvpn
18:04 -!- UnterPerro [~UnterPerr@32.161.225.34] has joined #openvpn
18:06 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has quit [Ping timeout: 265 seconds]
18:16 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has joined #openvpn
18:17 -!- ksk [~ksk@im.knubz.de] has quit [Remote host closed the connection]
18:19 -!- p3rror [~mezgani@2001:0:53aa:64c:3412:5457:3b31:9085] has quit [Read error: Operation timed out]
18:20 -!- freaky[t] [alpha@freakyy.de] has quit [Read error: Connection reset by peer]
18:21 -!- UnterPerro [~UnterPerr@32.161.225.34] has quit [Quit: UnterPerro lives to save another day]
18:22 -!- freaky[t] [alpha@freakyy.de] has joined #openvpn
18:34 -!- p3rror [~mezgani@2001:0:53aa:64c:3412:5457:3b31:9085] has joined #openvpn
18:36 -!- freaky[t] [alpha@freakyy.de] has quit [Ping timeout: 245 seconds]
18:38 -!- Saar [~Saar@216.156.80.182.ptr.us.xo.net] has left #openvpn ["Leaving"]
18:49 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
19:04 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
19:29 -!- nb [~nb@fedora/GSWoT.Member.nb] has joined #openvpn
19:56 -!- phantomcircuit [~phantomci@adsl-99-40-52-155.dsl.pltn13.sbcglobal.net] has joined #openvpn
20:00 -!- jim--- [~jimbo@r74-192-149-9.gtwncmta01.grtntx.tl.dh.suddenlink.net] has joined #openvpn
20:09 -!- meh3 [~efnet@27-9.202-62.fix.bluewin.ch] has joined #openvpn
20:09 -!- phantomcircuit_ [~phantomci@adsl-99-37-227-123.dsl.pltn13.sbcglobal.net] has joined #openvpn
20:10 < meh3> hey guys, what is opevpn access server virtual appliance exactly?
20:12 -!- phantomcircuit [~phantomci@adsl-99-40-52-155.dsl.pltn13.sbcglobal.net] has quit [Ping timeout: 265 seconds]
20:12 < jim---> A virtual machine image already set up to act as a server
20:12 < jim---> I really don't see the point of AS personally.  "Enterprisey" junk
20:14 < meh3> and running as a VM its as secure as if it was running on a physical machine?
20:20 < phantomcircuit_> uh it's got a larger attack surface, but is more likely to be properly setup
20:22 < meh3> i might try it out sometime to see how it works.. i find it interesting and a good idea
20:23 -!- phantomcircuit_ [~phantomci@adsl-99-37-227-123.dsl.pltn13.sbcglobal.net] has quit [Remote host closed the connection]
20:23 < meh3> anyways, i got a little problem, i installed the gui on my windows7 netbook, it connects to the vpn fine but i cannot get online
20:23 < meh3> im getting a weird error msg as well
20:25 < meh3> this error keeps on repeating: Authenticate/Decrypt packet error: cipher final failed
20:45 < Dougy> !configs
20:45 < Dougy> !logs
20:45 < vpnHelper> Dougy: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
20:45 < vpnHelper> Dougy: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
20:47 < Dougy> http://www.youtube.com/watch?v=UDTZCgsZGeA&feature=related
20:47 < vpnHelper> Title: YouTube - BUDWEISER WASSUP ORIGINAL + PIZZA GUY (at www.youtube.com)
20:51 < jeev> it's obvious we've got a rapist in LINCOLN PARK
20:51 < jeev> he's climbin up your windows.. snatching your people up
20:51 < jeev> so you better hide your kids, hide your wives
20:51 < jeev> and hide your husbands cause he's rapin errbody out here too
20:51 < jeev> have you seen that douglass ?
20:57 < meh3> Dougy, here are the config files http://4-fun.info/vpn/
20:57 < vpnHelper> Title: Index of /vpn (at 4-fun.info)
21:01 < meh3> i added both log files too
21:07 -!- techfury90 [~techfury9@unaffiliated/techfury90] has joined #openvpn
21:07 < techfury90> I need some help configuring openvpn... and I'm really lost, and I can't seem to find guides on my specific case
21:09 < techfury90> basically, i have a machine sitting behind a NAT that i want to access
21:09 < techfury90> and a server with a static IP that i want to use to connect to it with, if that makes sense
21:09 < techfury90> basically, i'm looking to create a VPN where i can connect to said static IP server, and then access that machine behind the NAT
21:27 -!- techfury90 [~techfury9@unaffiliated/techfury90] has left #openvpn []
21:34 < Dougy> jeev: yers
21:34 < Dougy> its lol
22:33 -!- freaky[t] [alpha@freakyy.de] has joined #openvpn
22:57 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
23:46 -!- p3rror [~mezgani@2001:0:53aa:64c:3412:5457:3b31:9085] has quit [Read error: Operation timed out]
--- Day changed Sat Sep 25 2010
00:03 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 276 seconds]
00:12 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
00:20 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
00:22 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Read error: Connection reset by peer]
01:10 -!- box2 [~box2@zaibat.su] has joined #openvpn
01:11 < box2> !welcome
01:11 < vpnHelper> box2: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:11 < box2> !howto
01:11 < vpnHelper> box2: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
01:11 < box2> !route
01:11 < vpnHelper> box2: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
01:13 < box2> this bot just defeated 2 hours of googling
01:13 < box2> a) i suck at using google, b) best bot ever, c) both
01:15 < box2> !redirect
01:15 < vpnHelper> box2: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
01:17 -!- WinstonSmith [~true@e179005075.adsl.alicedsl.de] has quit [Remote host closed the connection]
01:17 < box2> !def1
01:17 < vpnHelper> box2: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
01:22 < krzee> =]
02:06 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:17 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
02:43 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
03:20 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
03:24 -!- phantomcircuit [~phantomci@adsl-99-50-122-79.dsl.pltn13.sbcglobal.net] has joined #openvpn
03:36 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:46 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
03:47 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-rymcuomoflgmiqaw] has joined #openvpn
03:48 < HoboSteaux> hey im having problems on an optware based intstallation of openvpn on a ddwrt based router
03:48 < HoboSteaux> i keep getting the error: script failed: external program exited with error status: 7
03:49 < HoboSteaux> and i dont know what script is failing (verbose is at 9)
03:57 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
04:02 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
04:02 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-rymcuomoflgmiqaw] has left #openvpn []
04:48 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
05:29 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
05:50 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
06:07 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
06:28 < vpnHelper> RSS Update - forum: Configuration :: ifconfig-pool-persist is not working. :: Author fire-fly <https://forums.openvpn.net/viewtopic.php?f=6&t=7128&p=7858#p7858>
07:09 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
07:10 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
07:11 < ecrist> hi mattock
07:14 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
07:24 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
07:30 -!- WinstonSmith [~true@e179006119.adsl.alicedsl.de] has joined #openvpn
07:37 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: Leaving]
07:51 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 264 seconds]
07:56 < meh3> !config
07:56 < vpnHelper> meh3: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
07:57 < meh3> !config server
07:57 < vpnHelper> meh3: Error: 'supybot.server' is not a valid configuration variable.
07:57 < meh3> !help
07:57 < vpnHelper> meh3: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
08:04 < meh3> !sample
08:04 < vpnHelper> meh3: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
08:14 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
08:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
08:45 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
08:48 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
08:52 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
09:13 -!- WinstonSmith [~true@e179006119.adsl.alicedsl.de] has quit [Ping timeout: 252 seconds]
09:31 -!- WinstonSmith [~true@g225025215.adsl.alicedsl.de] has joined #openvpn
09:46 -!- Blues-Man [~bluesman@host14-79-dynamic.182-80-r.retail.telecomitalia.it] has joined #openvpn
09:48 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Quit: Lost terminal]
09:53 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
10:21 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
10:37 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
10:53 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
11:02 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Quit: Lost terminal]
11:02 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
11:02 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Client Quit]
11:02 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
11:05 -!- WormFood [~wormfood@183.38.12.227] has quit [Ping timeout: 245 seconds]
11:09 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Quit: Lost terminal]
11:09 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
11:18 -!- WormFood [~wormfood@183.38.13.217] has joined #openvpn
11:32 -!- akm22562 [~akm22562@99-119-36-109.lightspeed.lsvlky.sbcglobal.net] has quit [Quit: Leaving]
11:35 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:43 -!- WinstonSmith [~true@g225025215.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
11:55 -!- WinstonSmith [~true@e179006119.adsl.alicedsl.de] has joined #openvpn
12:15 < Dougy> woot
12:15 < Dougy> another huge toyot recall coming
12:16 < Dougy> toyota*
12:18 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
12:23 -!- WinstonSmith [~true@e179006119.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
12:25 < zzattack> whats wrong this time?
12:42 -!- WinstonSmith [~true@g225025215.adsl.alicedsl.de] has joined #openvpn
12:43 -!- _zero__ [~zero@noc.toile-libre.net] has joined #openvpn
12:47 -!- WinstonSmith [~true@g225025215.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
12:52 -!- le0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has joined #openvpn
12:52 -!- le0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has quit [Changing host]
12:52 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
13:07 -!- traceroute [~tracerout@190.38.233.183] has joined #openvpn
13:08 < traceroute> hello to all
13:13 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
13:24 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
13:35 -!- WebDawg [~WebDawg@officialg0d.com] has joined #openvpn
13:36 < WebDawg> !welcome
13:36 < vpnHelper> WebDawg: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:36 < WebDawg> !goal
13:36 < vpnHelper> WebDawg: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:37 < WebDawg> I have a openvpn server setup on a remote host and I can use it to connect trhrough its internet connection find using push redirectgateway and such
13:38 < WebDawg> Can i use my pfsense box to do the same.  That is I would like pfsense  to tunnel me internet out to that server.
13:38 < WebDawg> I set it up.  pfsense connects but does not route the packets to the server.
13:42 -!- Blues-Man [~bluesman@host14-79-dynamic.182-80-r.retail.telecomitalia.it] has quit [Quit: Sto andando via]
13:49 < traceroute> is that a problem ?
13:50 < traceroute> !wiki
13:50 < vpnHelper> traceroute: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
13:50 < WebDawg> ??
13:54 -!- ping-pong [~qwerty@212-30-223-89.static.simnet.is] has joined #openvpn
14:36 -!- ksk [~ksk@im.knubz.de] has joined #openvpn
14:43 -!- phantomcircuit [~phantomci@adsl-99-50-122-79.dsl.pltn13.sbcglobal.net] has quit [Ping timeout: 265 seconds]
14:49 -!- phantomcircuit [~phantomci@99.50.122.79] has joined #openvpn
14:51 -!- phantomcircuit [~phantomci@99.50.122.79] has quit [Excess Flood]
14:51 -!- phantomcircuit [~phantomci@adsl-99-50-122-79.dsl.pltn13.sbcglobal.net] has joined #openvpn
14:53 < traceroute> !sample
14:53 < vpnHelper> traceroute: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
14:54 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 265 seconds]
14:57 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Remote host closed the connection]
15:01 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 255 seconds]
15:02 < vpnHelper> RSS Update - forum: Wishlist :: FIPS-compliant OpenVPN :: Author artiegold <https://forums.openvpn.net/viewtopic.php?f=10&t=7129&p=7859#p7859>
15:04 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
15:10 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
15:10 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-rymcuomoflgmiqaw] has joined #openvpn
15:11 < HoboSteaux> hey im getting a script error message when i try to start ovpn, verbose is at 9 and it doesnt tell me what script it is
15:17 -!- me345 [~me345@adsl-75-15-177-27.dsl.bkfd14.sbcglobal.net] has joined #openvpn
15:26 -!- EmperorT1m [~EmperorTo@174-30-243-42.mpls.qwest.net] has joined #openvpn
15:27 -!- EmperorTom [~EmperorTo@174-30-212-130.mpls.qwest.net] has quit [Ping timeout: 265 seconds]
15:32 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: OpenVPN Setup :: Reply by artiegold <https://forums.openvpn.net/viewtopic.php?f=15&t=7124&p=7860#p7860>
15:42 -!- p3rror [~mezgani@2001:0:53aa:64c:2c:706f:3b31:be46] has joined #openvpn
15:42 -!- g33km3 [~g33km3@71-80-128-219.dhcp.hspr.ca.charter.com] has joined #openvpn
15:42 < g33km3> Hello.
15:43 < g33km3> !welcome
15:43 < vpnHelper> g33km3: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:43 < g33km3> Does openvpn allow bittorrent?
15:44 < HoboSteaux> look at !redirect
15:44 < g33km3> !redirect
15:44 < vpnHelper> g33km3: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
15:45 < g33km3> Hrm...have 4 computers but only one is active for torrents and i only want that one to be under vpn..Do i really need to forward my traffic?
15:46 -!- bandini [~bandini@host45-108-dynamic.25-79-r.retail.telecomitalia.it] has joined #openvpn
15:46 < HoboSteaux> whats yournetwork topology?
15:46 < HoboSteaux> and wheres the ovpn server?
15:47 < g33km3> i have modem-->belkin N+---> computers.
15:47 < g33km3> its on ethernet into the router.
15:47 < krzie> you only want the torrent machine to send its inet over the vpn?
15:47 < g33km3> Correct.
15:47 < krzie> and you want all of its inet to flow over the vpn?
15:48 < g33km3> yes
15:48 < krzie> HoboSteaux was correct
15:48 < krzie> you want openvpn running on the torrent machine
15:48 < g33km3> yes.
15:48 < krzie> your vpn server needs to be setup with NAT and ip forwarding, your client machine needs to redirect-gateway
15:48 < g33km3> ah
15:49 < g33km3> so its not as simple as flipping on open vpn and torrenting?
15:49 < g33km3> Well, time to bust out the toolkit.
15:49 < krzie> nope, a simple vpn is not for redirecting internet traffic, its for a link between 2 machines
15:50 < g33km3> true.
15:50 < krzie> but with redirect-gateway you can accomplish changing your default route to the vpn server
15:50 < krzie> but then you are using a 1918 ip, so your server must NAT it
15:50 < krzie> and for it to flow between the 2 different interfaces (tun and eth0, or whatever) ip forwarding must be enabled
15:51 < g33km3> yeah. i know that bit.
15:51 < krzie> what OS is your server?
15:51 < g33km3> one sec.
15:51 < krzie> based on your handle im guessing linux
15:52 < HoboSteaux> lolo
15:52 < g33km3> actually. i got ip forwaring on it now. and its windows.
15:52 < krzie> !winnat
15:52 < vpnHelper> krzie: "winnat" is (#1) http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows, or (#2) http://www.nanodocumet.com/?p=14 for windows XP
15:52 < g33km3> Yeah, i have nat setup.
15:52 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 255 seconds]
15:53 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
15:53 < krzie> ok then it is just a matter of flipping on the vpn, with correct settings
15:53 < krzie> !sample
15:53 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
15:53 < krzie> !def1
15:53 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
15:53 -!- g33km3 [~g33km3@71-80-128-219.dhcp.hspr.ca.charter.com] has quit [Quit: Im higher than jet airliner]
15:53 < krzie> heh
15:53 < HoboSteaux> that was quick lol
15:54 < HoboSteaux> you have any experience with optware ovpn installs?
15:55 < krzie> optware=?
15:56 < HoboSteaux> its a package addon system for routers
15:56 < HoboSteaux> btu i think it doesnt inlude everything in it
15:58 < krzie> oh, nah no idea
15:58 < krzie> but once you have openvpn installed, the configs should be basically the same
15:59 < HoboSteaux> yeah before i did it via dd-wrt's super friendly gui so now im going back and actually learning everything i can about it
15:59 < krzie> thats true whether its android,linux,windows,bsd,pocketpc,solaris,whatever
15:59 < krzie> ahh good man
16:00 < krzie> any specific questions?
16:00 < krzie> if i can answer, i will ;]
16:01 < HoboSteaux> none yet, going through the routes documentation and such for nix
16:01 < HoboSteaux> im sure some will pop up :p
16:03 < krzie> you read this yet?
16:03 < krzie> !route
16:03 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:04 < HoboSteaux> yeah a while ago
16:04 < krzie> ahh cool
16:05 < HoboSteaux> always worth more reads tho lol you can only get so much each time
16:05 < HoboSteaux> im getting:
16:05 < HoboSteaux> SIOCADDRT: No such process
16:05 < HoboSteaux> yet the sdcript thats running is correct [im fairly sure
16:06 < krzie> try starting it manually at first
16:06 < krzie> then worry about getting a script to do it for you
16:11 < HoboSteaux> yeah i think it was trying to dynamically declare the default gateway ip and that want working. but now its gwetting closer
16:21 < HoboSteaux> well see if people can connect but i think its working O.o
16:40 < meh3> i think im having a problem with routing myself
16:41 < meh3> i can connect to the vpn and get a virtual ip but i cant connect to the internet
16:41 -!- me345 [~me345@adsl-75-15-177-27.dsl.bkfd14.sbcglobal.net] has quit [Read error: Connection reset by peer]
16:46 < HoboSteaux> my suggestion: use wireshark
16:46 < HoboSteaux> thats what i did to see what i was getting from where
16:46 < HoboSteaux> and then nmap to try to ping an ip, see where it dies
16:52 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
16:53 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Client Quit]
16:54 -!- WinstonSmith [~true@e179006119.adsl.alicedsl.de] has joined #openvpn
17:11 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
17:19 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
17:23 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
17:42 -!- McWhite [~kvirc@p4FDE61CD.dip0.t-ipconnect.de] has joined #openvpn
17:43 < McWhite> hello guys
17:43 < McWhite> !welcome
17:43 < vpnHelper> McWhite: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:43 < McWhite> !logs
17:43 < vpnHelper> McWhite: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
17:43 < McWhite> !configs
17:43 < vpnHelper> McWhite: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
17:43 < McWhite> !interface
17:43 < vpnHelper> McWhite: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
17:43 < McWhite> !goal
17:43 < vpnHelper> McWhite: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:43 < McWhite> spam *g*
17:44 < McWhite> at first, is still anyone online who could help me?
17:46 < McWhite> :/
17:46 < McWhite> strange to see that many people here
17:55 -!- bandini [~bandini@host45-108-dynamic.25-79-r.retail.telecomitalia.it] has quit [Read error: Operation timed out]
18:00 -!- McWhite [~kvirc@p4FDE61CD.dip0.t-ipconnect.de] has quit [Quit: Anime is my drug, internet my cigaret, music my alcohol and talking to friends seriously and honest my sexual satisfaction... so what?]
18:27 < traceroute> yeah that is life
18:50 -!- phantomcircuit [~phantomci@adsl-99-50-122-79.dsl.pltn13.sbcglobal.net] has quit [Remote host closed the connection]
18:54 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has joined #openvpn
18:58 -!- phantomcircuit [~phantomci@adsl-99-50-122-79.dsl.pltn13.sbcglobal.net] has joined #openvpn
19:01 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
19:17 -!- srk9 [~richard@unaffiliated/srk9] has joined #openvpn
19:19 < srk9> Hi. I want to setup a bridged VPN on my home network so that I can connect to it from the internet and not have to worry about people being able to intercept my communications. I am thinking of using a Linksys router running OpenWRT 10.03.1 as an OpenVPN server and then expose it to the internet through port forwarding. I have never done this until now. Are there any security concerns that I should have about this?
19:21 < srk9> E.g. If I connect to public Wi-Fi somewhere and the access point is a rogue access point someone setup for the purpose of collecting data on people, what is the worst that its operator can do? If someone is port scanning and happens to find my OpenVPN server, how concerned should I be about him being able to hack it?
19:47 -!- traceroute [~tracerout@190.38.233.183] has quit []
19:49 -!- Smirnov [~igor@about/csharp/ms/clrjit/smirnov] has joined #openvpn
19:50 < Smirnov> anyone know if i need a 'tun' interface in ifconfig in order to use openvpn as a client?
19:51 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
19:59 < srk9> Smirnov: http://openvpn.net/index.php/open-source/documentation.html
19:59 < vpnHelper> Title: Documentation (at openvpn.net)
19:59 < srk9> Smirnov: I joined this channel to get information about setting up OpenVPN in the most secure manner possible, but no one has been very helpful to me. Since I am a first-time user to OpenVPN, all I can do is send you to the documentation.
20:00 < Smirnov> i see
20:01 < srk9> Smirnov: Actually, no one replied to me. :/
20:02 < srk9> Smirnov: What distribution do you use?
20:03 < Smirnov> ubuntu
20:03 < srk9> Smirnov: You might want to ask in the #ubuntu channel, although my experience with #ubuntu is that they will yell at you if they do not think your question is on-topic enough.
20:04 < srk9> Here is some unofficial documentation for Gentoo Linux that talks about setting up OpenVPN: http://en.gentoo-wiki.com/wiki/OpenVPN
20:04 < vpnHelper> Title: OpenVPN - Gentoo Linux Wiki (at en.gentoo-wiki.com)
20:04 < srk9> How is vpnHelper so insightful?
20:05 < srk9> Unfortunately, it is wrong in that the website in question is not owned by the Gentoo Linux Foundation and is fan-run, so it is unofficial.
20:06 < Smirnov> i think kvpnc corrupted my vpn install
20:06 < Smirnov> never did trust that super bloated piece of software
20:06 < Smirnov> i think i'll just blow away ubuntu and re-install it..
20:08 < srk9> Smirnov: I don't use kvpnc. It never worked well for me.
20:08 < srk9> I wish it did. It is a shame. :/
20:09 < Smirnov> yeah i had it working once and then it stopped
20:09 < Smirnov> well it sorta worked, anytime you disconnected it blew away the networking till i did a reboot, i never bothered investigating why
20:10 < srk9> Smirnov: Routing table issues
20:10 < srk9> Smirnov: That is my guess.
20:10 -!- perlsyntax [~perlsynta@71-87-125-99.dhcp.mdsn.wi.charter.com] has joined #openvpn
20:11 < Smirnov> well it just sorta doesnt work if i reboot into mac and use tunnelblk it works 
20:11 < perlsyntax> How do i install openvpn i did that with yum but not sure what to do next.
20:11 < Smirnov> but i need to be on ubuntu if i want to get work done so thats not helpful
20:12 < srk9> Smirnov: Have you tried the commandline?
20:12 < srk9> Smirnov: That is what I do on Gentoo when I have issues.
20:12 < perlsyntax> ?
20:12 < srk9> perlsyntax: Neither myself nor Smirnov have any idea what we are talking about. We are both here for help ourshelves.
20:13 < perlsyntax> i want to install openvpn for linux and i did with yum
20:13 < perlsyntax> Not sure how to set it up
20:14 < srk9> perlsyntax: What distribution are you using?
20:14 < perlsyntax> is there like a gui for it i need to install.
20:14 < perlsyntax> fedora 13
20:14 < srk9> Try #fedora. No one who understands OpenVPN very well is actually talking in this channel.
20:15 -!- perlsyntax [~perlsynta@71-87-125-99.dhcp.mdsn.wi.charter.com] has left #openvpn []
20:15 < srk9> Smirnov: I guess I did not inspire much confidence in him, but honestly, it seems like we are both fiddling around with things ourshelves. :/
20:16 < srk9> Smirnov: And at least I have a little experience with Ubuntu. I have no knowledge of Fedora. :/
20:17 < box2> there is also an #openvpn channel with a very helpful bot
20:18 < box2> ... i thought i was in another channel
20:20 < srk9> box2: It happens.
20:20 < srk9> box2: May I ask which channel did you think this was?
20:31 < box2>  #linux
20:50 -!- srk9 [~richard@unaffiliated/srk9] has quit [Quit: leaving]
21:04 < oc80z> yella
21:12 -!- WinstonSmith [~true@e179006119.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
21:19 -!- fbh [fbh@unaffiliated/fbh] has joined #openvpn
21:19 -!- Meliorator [m@dunnington.eu] has joined #openvpn
21:19 -!- ^scott^ [~scott@stthom.org] has joined #openvpn
21:19 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined #openvpn
21:19 -!- Champi [Champi@damn.e-leet.be] has joined #openvpn
21:19 -!- x-demon [xdemon@2001:ba8:1f1:f0b8:216:5eff:fe00:135] has joined #openvpn
21:19 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined #openvpn
22:00 -!- phantomcircuit [~phantomci@adsl-99-50-122-79.dsl.pltn13.sbcglobal.net] has quit [Ping timeout: 255 seconds]
22:12 -!- phantomcircuit [~phantomci@adsl-99-157-74-87.dsl.pltn13.sbcglobal.net] has joined #openvpn
22:24 -!- phantomcircuit [~phantomci@adsl-99-157-74-87.dsl.pltn13.sbcglobal.net] has quit [Remote host closed the connection]
23:29 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
23:47 -!- p3rror [~mezgani@2001:0:53aa:64c:2c:706f:3b31:be46] has quit [Ping timeout: 272 seconds]
--- Day changed Sun Sep 26 2010
00:03 < HoboSteaux> hey so i know my firewall is blocking ovpn but dont know how to fix it
00:07 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
00:14 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Disconnected by services]
00:14 -!- intralanman [~lanman@150.106.236.166.in-addr.arpa] has joined #openvpn
00:20 < HoboSteaux> !welcome
00:20 < vpnHelper> HoboSteaux: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
00:22 < HoboSteaux> !!goal
00:22 < vpnHelper> HoboSteaux: Error: "!goal" is not a valid command.
00:22 < HoboSteaux> !goal
00:22 < vpnHelper> HoboSteaux: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
00:22 < HoboSteaux> !route
00:22 < vpnHelper> HoboSteaux: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
00:22 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
00:22 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
00:22 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
00:44 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
00:57 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
01:14 -!- Optic [~Optic@67.205.74.218] has joined #openvpn
01:21 -!- phantomcircuit [~phantomci@adsl-99-40-55-67.dsl.pltn13.sbcglobal.net] has joined #openvpn
01:41 -!- bandini [~bandini@host45-108-dynamic.25-79-r.retail.telecomitalia.it] has joined #openvpn
02:03 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
02:17 -!- pif [~ldm@zenon.apartia.fr] has joined #openvpn
02:17 < pif> hi, is there a way I can route only bittorent traffice through an openvpn link?
02:17 < pif> er, traffic
02:22 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:26 < kisom> pif: no
02:26 < kisom> well, yes
02:26 < kisom> depends on your O/S
02:26 < pif> linux
02:26 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
02:26 -!- krzee [krzee@hemp.ircpimps.org] has joined #openvpn
02:26 -!- krzee [krzee@hemp.ircpimps.org] has quit [Changing host]
02:26 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
02:27 < kisom> if i remember correctly you should be able to add an iptables rule for your bittorrent client PID
02:27 < pif> oh, interesting
02:27 < krzee> kisom, you talking about routing by app?
02:28 < krzee> !routebyapp
02:28 < vpnHelper> krzee: "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
02:28 < kisom> yes. well pif is.
02:28 -!- bandini [~bandini@host45-108-dynamic.25-79-r.retail.telecomitalia.it] has quit [Ping timeout: 265 seconds]
02:28 < krzee> =]
02:28 < kisom> is there any TCP wrapper programs for linux like proxifier?
02:28 < krzee> socksify
02:29 < kisom> ok
02:29 < kisom> pif: check --uid-owner
02:29 < kisom> *may* be possible with iptables too :)
02:30 < krzee> if it is possible via iptables, ild like to see how... or even a writeup on the wiki or a post in forum section "bragging rights"
02:32 -!- krzie [~k@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
02:36 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
02:38 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 276 seconds]
02:43 -!- bandini [~bandini@host45-108-dynamic.25-79-r.retail.telecomitalia.it] has joined #openvpn
02:46 < hyper_ch> pif: yes, you can route traffic through it... that's what I do 
02:47 < pif> with iptables?
02:48 < hyper_ch> yes
02:48 < hyper_ch> what torrent client?
02:48 < pif> transmission
02:48 < pif> you?
02:48 < hyper_ch> no clue about that
02:49 < hyper_ch> but rtorrent can be bound to an ip -  the openvpn ip
02:49 < hyper_ch> and on the server you'd just have to add the rules then
02:49 < pif> oh, right binding to an ip might work as well
02:49 < hyper_ch> and also set serever ip to announce 
02:50  * pif has to go and thanks all, later
02:52 < hyper_ch> pif and on the server use soemthign like this:  http://www.pastebin.ca/1948690
02:52 < hyper_ch> sorry, this here:  http://www.pastebin.ca/1948692 @ pif
02:53 < hyper_ch> of course replace SERVERIP, ports, and vpn client ip accordingly
02:53 < hyper_ch> (and interface if there's more than one)
02:53 < pif> I'll try that as soon as I return from my sunday morning jogging :)
03:07 < vpnHelper> RSS Update - forum: Server Administration :: Connect to server before logging in on client :: Author stevebouffe <https://forums.openvpn.net/viewtopic.php?f=4&t=7130&p=7861#p7861>
03:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
03:21 -!- McWhite [~kvirc@p4FDE631B.dip0.t-ipconnect.de] has joined #openvpn
03:21 < McWhite> yoho
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:57 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
03:57 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
04:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
04:09 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
04:13 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 250 seconds]
04:13 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
05:21 -!- intralanman [~lanman@150.106.236.166.in-addr.arpa] has quit [Quit: This computer has gone to sleep]
05:21 -!- APTX [~APTX@phpBB/developer/APTX] has joined #openvpn
05:50 -!- slava_dp [~slava@unaffiliated/slava-dp/x-9423217] has joined #openvpn
05:50 -!- WinstonSmith [~true@e179007048.adsl.alicedsl.de] has joined #openvpn
05:50 < slava_dp> does anyone here have openvpn running in "topology subnet" mode?
05:55 < hyper_ch> whats a topology subnet mode?
06:06 -!- McWhite [~kvirc@p4FDE631B.dip0.t-ipconnect.de] has quit [Read error: Connection reset by peer]
06:15 -!- EmperorTom [~EmperorTo@184-97-166-249.mpls.qwest.net] has joined #openvpn
06:15 -!- EmperorT1m [~EmperorTo@174-30-243-42.mpls.qwest.net] has quit [Read error: Operation timed out]
06:27 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
06:54 -!- bandini [~bandini@host45-108-dynamic.25-79-r.retail.telecomitalia.it] has quit [Ping timeout: 265 seconds]
06:56 -!- test_ [~test@luhy.skylan.sk] has joined #openvpn
06:57 < test_> hi, can somebody help me how can i have and use multiple configs in openvpn to different servers?
06:57 < test_> in linux
07:01 < test_> ok i found the way
07:08 -!- slava_dp [~slava@unaffiliated/slava-dp/x-9423217] has quit [Quit: Ухожу я от вас (xchat 2.4.5 или старше)]
07:11 < meh3> the routing is conusing me here
07:12 < meh3> the network the openvpn server is running on is using 192.168.1.X and the network for the client is using the same 192.168.1.X
07:12 < meh3> i can get it to connect to the vpn and get its virtual ip 10.8.0.6 but i cant get online or ping other machines on the network
07:25 < test_> hei i have problem with start one from multiple configs
07:26 < test_> i use openvpn --config path_to_file 
07:26 < test_> but after authentificate openvpn dont start
07:26 < test_> i dont see any show outputs with fail connection 
07:26 < test_> but if i try ps aux | grep openvpn 
07:27 < test_> I dont see process
07:27 < test_> openvpn start good if i have just configs and certs in /etc/openvpn
07:27 < test_> to one server
07:27 < test_> can somebody help me with multiple configs?
07:28 < Bushmills> !logs
07:28 < vpnHelper> Bushmills: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
07:50 < hyper_ch> pif: back?
07:51 < pif> yep, configuring
07:52 < pif> ovpn link now up
07:55 < pif> but I can't ping the P-t-P address on either machine...
08:11 < hyper_ch> ping th ptpt address?
08:13 < Bushmills> there is no service, responding to your echo requests, on the ptp address
08:14 < Bushmills> ping the vpn address of remote machine instead
08:15 < pif> yes, that works
08:15 < hyper_ch> you use def1 redirect?
08:16 < pif> no, I only want the bittorrent traffic to go through ovpn
08:16 < hyper_ch> bind your torrent client then to the vpn ip
08:16 < hyper_ch> that should work
08:16 < hyper_ch> rtorrent has nice options for it
08:16 < hyper_ch> like bind to what ip
08:16 < pif> i did that and now the bittorrent client complains "transmission-daemon[7937]: Couldn't set source address 10.9.0.13 on 291: Resource temporarily unavailable (net.c:299)"
08:16 < hyper_ch> and what ip it shall report to the tracker
08:17 < hyper_ch> use rtorrent
08:17 < hyper_ch> bind = 10.8.0.4
08:17  * pif : apt-get install rtorrent
08:17 < hyper_ch> ip = 91.xx.xx.xx
08:18 < hyper_ch> pif: debian?
08:18 < pif> ack
08:18 < hyper_ch> etch?
08:18 < pif> sid
08:18 < hyper_ch> good, fairly new version in there
08:18 < hyper_ch> on etch/lenny I'd have made you compile it :)
08:18 < pif> no way :)
08:18 < hyper_ch> it's simple - on debian
08:19 < pif> let me find my way  around rtorrent
08:19 < pif> never used it before
08:19 < hyper_ch> pif: it's raher smle
08:19 < pif> will it run headless?
08:19 < hyper_ch> pif: actually, I'd sill compile it
08:19 < hyper_ch> because it can have coloured ncurses interface
08:19 < hyper_ch> just run rtorrent in a screen session
08:19 < pif> kay
08:20 < hyper_ch> --> http://jmcpherson.org/screen.html
08:20 < vpnHelper> Title: GNU Screen - Jonathan McPherson (at jmcpherson.org)
08:20 < pif> oh, I know screen very well and love it
08:20 < hyper_ch> rtorrent quick start:  https://kmandla.wordpress.com/2007/05/02/howto-use-rtorrent-like-a-pro/
08:20 < vpnHelper> Title: Howto: Use rtorrent like a pro « Motho ke motho ka botho (at kmandla.wordpress.com)
08:21 < hyper_ch> and you want to have a look at this:  http://libtorrent.rakshasa.no/wiki/RTorrentCommonTasks --> especially for the watch folders
08:21 < vpnHelper> Title: RTorrentCommonTasks – The libTorrent and rTorrent Project (at libtorrent.rakshasa.no)
08:21 < pif> I like console apps, and am wary of anying in python so rtorrent seems cool
08:22 < hyper_ch> just run it inside a screen session :)
08:22 < pif> can I send it some torrent files remotely? through ssh?
08:23 < hyper_ch> that's what watch folders are for
08:23 < hyper_ch> just somehow drop a .torrent file in there, and it will auto-start it :)
08:23 < pif> nice
08:23 < hyper_ch> as said, have a look through the common tasks page also :)
08:23 < pif> because I have a firefox helper bash script than can do just that
08:23 < hyper_ch> :)
08:24 < hyper_ch> and if you want to compile it yourself (with colour patch), check my howto:  http://howtoforge.com/how-to-compile-rtorrent-from-svn-in-ubuntu-10.04-lucid-lynx-debian-5-lenny-with-coloured-interface
08:24 < vpnHelper> Title: How To Compile rTorrent From SVN In Ubuntu 10.04 Lucid Lynx / Debian 5 Lenny With Coloured Interface | HowtoForge - Linux Howtos and Tutorials (at howtoforge.com)
08:25 < hyper_ch> and use a session folder :)
08:26 < pif> you swiss?
08:26 < hyper_ch> how did you figure?
08:27 < pif> wondering if torrent downloading are allowed if I get a VPS in .ch
08:27 < hyper_ch> downloading is generally accepted
08:27 < hyper_ch> except for software for which you have no licence
08:28 < pif> ok, no problem there I only use debian :)
08:28 < hyper_ch> and except for hard pr0n (child pr0n/bestiality/excrements)....
08:28 < pif> sure
08:28 < hyper_ch> and you're even allowed to share that stuff with family members and friends
08:28 < hyper_ch> (close) friends
08:29 < pif> so a .ch VPS provider will not forward me takedown notices if I share film torrents?
08:29 < hyper_ch> also, data collected by entities like Logistep, Digiprotect etc. can't be used anymore to disclose your identity
08:29 < hyper_ch> in cases related to copyright infringement
08:29 < theDoc> Neither will I :)
08:29  * theDoc snickers.
08:29 < pif> hail .ch
08:30 < hyper_ch> I was at the Federal Court's hearin in the Logistep case :)
08:30 < hyper_ch> collecting IP addresses for copyright infringement notices is a violation of the personality rights that cannot be outweighted by the interested of the rights holders according to swiss privacy laws
08:31 < hyper_ch> so ISPs must not give out data like that
08:32 < hyper_ch> however in serious criminal cases (there's an enumerated list of crimes), the prosecution can order ISPs to hand over data of the clients
08:32 < pif> i see
08:32 < pif> no hadopi shit like in .fr
08:32 < pif> fuck that
08:32 < hyper_ch> but as said before, copyright infringement is not in that list
08:32 < hyper_ch> I wonder if hadopi will have any effect
08:33 < hyper_ch> it's time for a new revolution in france :)
08:33 < theDoc> viva la revolushion?
08:33 < theDoc> o/
08:33 < hyper_ch> what did Mary Antoinette say? If the people are starving because they have not enough bread, the should eat cake instead?
08:34 < pif> yep, brioche
08:34 < hyper_ch> I like brioche
08:34 < hyper_ch> but it's not that healthy :)
08:34 < hyper_ch> althought here's much worse food
08:34 < pif> bad carbs
08:35 < hyper_ch> and I really like Cantadou :)
08:36 < hyper_ch> you got a swiss vpn provider?
08:38 < pif> no yet, canadian
08:38 < hyper_ch> :)
08:38 < pif> so the ip reported to the tracker is my ovpn server's public ip ?
08:38 < hyper_ch> there are no cheap vpn provides in Switzerland as far as I know
08:38 < theDoc> hyper_ch> What's your idea of cheap?
08:38 < hyper_ch> yes, set ip = PUBLIC VPN SERVER IP
08:39 < pif> got a linux kvm with 20Gb for 12$/month
08:39 < hyper_ch> like € 20 / M for a dedicated server
08:39 < theDoc> $20/mth for a dedicated?!
08:40 < pif> http://perfohost.com/vps.kvm.html
08:40 < vpnHelper> Title: KVM VPS Packages - PerfoHost - Virtualization specialists – KVM virtualization solutions (at perfohost.com)
08:40 < pif> hmm, had it cheaper than 19.55 with a coupon
08:40 < hyper_ch> theDoc: kimsufi
08:41 < hyper_ch> theDoc: http://www.kimsufi.com/ks/
08:41 < vpnHelper> Title: Kimsufi - votre gamme de serveurs dédiés à partir de 14.99 Euros/mois ! (at www.kimsufi.com)
08:41 < hyper_ch> currently € 14.99 + VAT
08:41 < theDoc> Celeron, really..?
08:41 < pif> pretty good deal
08:42 < pif> where are they located
08:42 < hyper_ch> france
08:42 < pif> bummer
08:42 < pif> bad for hadopi
08:42 < theDoc> Interestingly, they don't say if they're multihomed.
08:43 < hyper_ch> www.kimsufi.co.uk --> only it costs there £ 14.99
08:44 < hyper_ch> well, not sure what effect hadopi will have
08:45 < hyper_ch> they say they plan to send out 150'000 notices a day
08:45 < hyper_ch> that means within one year quite a large population of france would be cut off from the internet
08:45 < hyper_ch> and I don't think hadopi would hold up if challenged at the ECHR
08:46 < pif> rtorrent: Could not open/bind port for listening: Cannot assign requested address
08:46 < pif> permission problem?
08:47 < pif> ah, never mind
08:47 < hyper_ch> :)
08:52 < pif> what does "schedule = watch_directory,5,5,load_start=./watch/*.torrent" mean?
08:54 < hyper_ch> schedule means it shall be added to the scheduler
08:54 < hyper_ch> it checks every 5 seconds for new .torrent files
08:54 < pif> got it
08:55 < hyper_ch> and then loads and starts those torrents automagically
08:55 < hyper_ch> dunno what you wanna do, but very likely you want to use more than one watch folder
08:55 < hyper_ch> check the common tasks how to set them up
08:55 < pif> why more than one?
08:56 < hyper_ch> having them then stored at different locations when you're done
08:56 < hyper_ch> e.g. seperating movies and music
08:56 < hyper_ch> just as an example
09:28 -!- Varazir [mircwars@c-94-255-129-218.cust.bredband2.com] has joined #openvpn
09:28 < Varazir> Hello 
09:31 -!- Blues-Man [~bluesman@host14-79-dynamic.182-80-r.retail.telecomitalia.it] has joined #openvpn
09:31 < Varazir> when I start the clinet on windows I get this in a window http://varazir.pastebin.com/ufVGkJZ8
09:38 < pif> hyper_ch: I still policy routing to have rtorrent go through the tunnel, right?
09:38 < pif> er, I still need
09:38 < hyper_ch> no, use bind
09:38 < hyper_ch> bind = 10.8.0.4
09:38 < hyper_ch> or whatever the local vpn ip is
09:39 < pif> but your default route is through the vpn?
09:39 < hyper_ch> I route everythign through the vpn
09:40 < pif> ah, that's why, I don't
09:41 < pif> so I need policy routing
09:41 < hyper_ch> but binding rtorrent through an IP should use that IP for routing
09:41 < pif> nope
09:41 < pif> it just sets the source address
09:41 < hyper_ch> no, there's the bind and the ip command
09:42 < hyper_ch> # The ip address the listening socket and outgoing connections is
09:42 < hyper_ch> # bound to
09:42 < hyper_ch> bind = 10.8.0.4
09:58 < Varazir> nm posted on the support center site 
09:58 < Varazir> the community client worked 
09:58 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
10:22 < pif> all I needed was source policy routing and not bittorent works fine
10:22 < pif> and _now_ 
10:26 -!- buntfalke_ is now known as buntfalke
10:31 -!- phantomcircuit [~phantomci@adsl-99-40-55-67.dsl.pltn13.sbcglobal.net] has quit [Read error: Operation timed out]
10:44 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
10:50 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:53 < hyper_ch> pif: enjoy
10:58 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 245 seconds]
10:58 < hyper_ch> pif: did you also set the iptable rules on the server ?
11:00 -!- muzy [~muzy@shells.chaosdorf.de] has joined #openvpn
11:00 < pif> no need
11:01 < muzy> hello everyone
11:01 < pif> all the RELATED stuff is done by my fw
11:02 < hyper_ch> ???
11:02 < muzy> I have the following problem: my vpn is running just fine, but now I want to to add a second vpn - can someone explain me where to add the config for the second vpn? I'm running OpenVPN 2.1.0 under debian squeeze.
11:03 < hyper_ch> on the vpn server you'll have to have rules also
11:03 < hyper_ch> otherwise the forwarding won't really work
11:03 -!- WormFood [~wormfood@183.38.13.217] has quit [Read error: Connection reset by peer]
11:06 < muzy> has someone a hint for me?
11:06 < pif> hyper_ch: but you forward only 30000 and 6881 ?
11:06 < hyper_ch> well, you'll have to route incoming requests to the client
11:06 < muzy> I'd appreciate it :)
11:06 < pif> that's 30000 ?
11:06 < hyper_ch> pif: 6881 for dht and 30000 for the port rtorrent runs on
11:07 < pif> right
11:07 < hyper_ch> I don't know what ports you setup for rtorrent
11:07 < pif> actually I reverted to transmission
11:07 < pif> which runs as a daemon
11:07 < hyper_ch> lol
11:08 < pif> my problems were: 1) routing, 2) NAT, 3) firewall setup
11:08 < pif> not really bittorent
11:10 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
11:15 < meh3> pif, how did you fix the first 2 problems?
11:15 < meh3> ive been stuck in this routing thing for like 2 days because i cant understand how that works
11:17 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
11:18 -!- WormFood [~wormfood@183.38.15.137] has joined #openvpn
11:20 < pif> meh3: using source policy routing
11:20 < pif> for NAT a good firewall or manual iptable rules
11:21 -!- muzy [~muzy@shells.chaosdorf.de] has left #openvpn []
11:34 -!- McWhite [~kvirc@p4FDE631B.dip0.t-ipconnect.de] has joined #openvpn
11:35 < McWhite> hello again
11:35 < McWhite> anyone here?
11:37 -!- test_ [~test@luhy.skylan.sk] has quit [Quit: leaving]
11:46 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
11:47 < Bushmills> !nat
11:47 < vpnHelper> Bushmills: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
11:47 < Bushmills> ^^^ meh3
11:48 < Bushmills> !redirect
11:48 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:07 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
12:24 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined #openvpn
12:33 < Optic> hmm
12:34 -!- Optic [~Optic@67.205.74.218] has left #openvpn []
12:37 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
12:46 -!- Blues-Man [~bluesman@host14-79-dynamic.182-80-r.retail.telecomitalia.it] has quit [Quit: Sto andando via]
12:53 -!- WormFood [~wormfood@183.38.15.137] has quit [Ping timeout: 240 seconds]
12:54 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
12:58 -!- WormFood [~wormfood@183.38.15.137] has joined #openvpn
13:09 < meh3> Bushmills, im not supposed to use def1, right?
13:09 < Bushmills> why not?
13:10 < meh3> hmm i want the OS not to be able to connect to the internet except after the openvpn connection has been established, and to do that i was told not to use def1
13:10 < Bushmills> depends on your needs whether you'd want it or not
13:11 < meh3> Bushmills, what i need is for the OS which is win7 at the moment, to not be able to conenct to the internet unless i connect to openvpn first
13:11 < Bushmills> with that requirement, i'd invoke firewall instead of routing alone to prevent packets to go through non-vpn interfaces
13:11 < meh3> so if the openvpn connection drops, theres no internet even if im still connected to the public wifi
13:12 < meh3> Bushmills, well im doing it all over again now
13:12 < meh3> so mayb ill look you up after i configure and setup everything and its time to test
13:15 < Bushmills> for example, i'd set up a firewall rule denying packets not coming from or going to openvpn servedr
13:15 < Bushmills> (while allowing traffic from/to tun adapter)
13:16 -!- WormFood [~wormfood@183.38.15.137] has quit [Ping timeout: 276 seconds]
13:18 < Bushmills> though take care of the services which are commonly provider provided. such as name resolution
13:18 < Bushmills> though if you --redirect-gateway, you must have taken care of those already
13:19 -!- WormFood [~wormfood@183.38.15.137] has joined #openvpn
13:35 -!- GerhardSchr [~GerhardSc@89.144.18.130] has joined #openvpn
13:35 < GerhardSchr> hi
13:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
13:36 < GerhardSchr> !welcome
13:36 < vpnHelper> GerhardSchr: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:37 < GerhardSchr> Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)   <--- as vpn ip or lan ip?
13:38 < GerhardSchr> sorry I am a openvpn beginner
13:46 < GerhardSchr> !howto
13:46 < vpnHelper> GerhardSchr: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:05 < kisom> GerhardSchr: as your VPN subnet
14:07 < meh3> kisom, so if both networks, the one running the server and the one running the client are using 192.168.1.*, the vpn subnet should b 10.8.0.0 right?
14:07 < meh3> which route should i push for the vpn clients to use?
14:12 < smerz> add the route to whichever private network you want to be reachable
14:13 < smerz> !route
14:13 < vpnHelper> smerz: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:14 -!- plundra [404@article.se] has joined #openvpn
14:14 < plundra> Uhm
14:17 < meh3> smerz, in that example i should jsut replace the 10.10.1.0 to my private lan which is 192.168.1.0 ?
14:18 < smerz> possibly
14:18 < smerz> i cannot say without all info :)
14:18 -!- plundra [404@article.se] has quit [Ping timeout: 245 seconds]
14:18 < meh3> smerz, let me use pastebin to lay it out real quick
14:19 < smerz> nah sorry mate. i'm not in the mood :(
14:19 < smerz> maybe someone else can give you 1 or 2 more hints
14:19 < meh3> alright
14:20 -!- plundra [404@article.se] has joined #openvpn
14:21 < plundra> 1) Noticed the mass-kick which was a bit harsh 2) Join this one 3) /window closed the old one 4) Got timed out, because of irssi being so swappad away and closing windows are memory-intensive :-)
14:30 -!- bandini [~bandini@host45-108-dynamic.25-79-r.retail.telecomitalia.it] has joined #openvpn
14:31 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
14:32 -!- krzee [~k@openvpn/community/support/krzee] has quit [Client Quit]
14:33 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
14:52 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
14:52 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Excess Flood]
14:53 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
14:54 < GerhardSchr> thx kisom 
15:37 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
15:39 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Openvpn on Openwrt :: Author Maverick923 <https://forums.openvpn.net/viewtopic.php?f=15&t=7131&p=7862#p7862>
15:48 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
15:52 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
16:29 -!- DarkWell [~Senso@unaffiliated/phantom-x] has joined #openvpn
16:29 < DarkWell> hello there
16:29 < DarkWell> im curious is anyone of you tried to run openvpn on an android telephone
16:31 < krzee> i have very very briefly
16:32 < krzee> whats your real question...?
16:36 < DarkWell> i wonder if its simple to rig it up working
16:37 -!- DarkWell [~Senso@unaffiliated/phantom-x] has quit [Quit: Quit]
16:38 -!- zzattack [~zz@21-78-ftth.onsneteindhoven.nl] has quit []
16:41 -!- bandini [~bandini@host45-108-dynamic.25-79-r.retail.telecomitalia.it] has quit [Quit: Ex-Chat]
16:46 -!- manevra [~manevra@188.26.131.26] has joined #openvpn
17:47 -!- McWhite [~kvirc@p4FDE631B.dip0.t-ipconnect.de] has quit [Quit: Anime is my drug, internet my cigaret, music my alcohol and talking to friends seriously and honest my sexual satisfaction... so what?]
17:48 < meh3> krzee, yous till around?
17:48 < meh3> still*
17:54 < meh3> !ipforward
17:54 < vpnHelper> meh3: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
17:55 < meh3> !linipforward
17:55 < vpnHelper> meh3: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
18:03 -!- arejay [arejay@i.write.shellcode.eu] has joined #openvpn
18:03 < arejay> is it possible to setup a openvpn, without having a internal net? just a wan ip
18:04 < arejay> this is for a debian box
18:04 < ecrist> no
18:04 < arejay> but i dont have a bunch of wan ips to assign for each vpn connection
18:04 < ecrist> so assign internal IPs
18:05 < arejay> hrm, the box is a vps, with only a eth0 interface
18:05 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
18:05 < arejay> not sure how i would do that
18:05 < ecrist> create a vlan
18:15 < meh3> if openvn is running in 192.168.1.X and the client network is 192.168.1.X, how can i make it work?
18:15 < meh3> so far i can connect to the vpn and ping the other machine fine but there is no internet
18:23 < smerz> redirect default gateway + NAT is what you need
18:25 < ecrist> meh3: you can't
18:25 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
18:26 < ecrist> unless you're using a bridged vpn
18:26 < ecrist> but that will cause lots of problems if your client is connecting from a network that's using that same address space
18:27 < meh3> so the network running the VPN has to be different then 192.168.1.X ..
18:30 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
18:30 -!- manevra [~manevra@188.26.131.26] has quit []
18:31 < ecrist> yes
18:34 < vpnHelper> RSS Update - forum: Configuration :: Re: Connection dies after 4-7 minutes. Client :: Reply by medleev <https://forums.openvpn.net/viewtopic.php?f=6&t=7048&p=7863#p7863>
18:43 -!- takamichi [~pri@78.133.38.192] has quit []
18:50 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
19:18 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
19:31 < Rienzilla> you might be able to use two way nat
19:32 < Rienzilla> if you really want to
19:37 -!- WinstonSmith [~true@e179007048.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
20:15 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
21:26 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 276 seconds]
21:26 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
22:51 -!- arejay is now known as arejay|elsewhere
22:59 -!- arejay|elsewhere is now known as arejay
23:03 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
23:35 -!- Optic [~Optic@67.205.74.218] has joined #openvpn
--- Day changed Mon Sep 27 2010
00:36 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
00:42 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
00:54 -!- pif [~ldm@zenon.apartia.fr] has quit [Ping timeout: 255 seconds]
01:00 -!- raidzxx [~Andrew@seance.openvpn.org] has joined #openvpn
01:04 -!- raidz [~Andrew@seance.openvpn.org] has quit [Ping timeout: 240 seconds]
01:14 -!- szr [~SR@unaffiliated/szr] has quit [Ping timeout: 245 seconds]
01:20 -!- jeev_ [~jeev@unaffiliated/jeev] has joined #openvpn
01:20 -!- jeev [~email@unaffiliated/jeev] has quit [Remote host closed the connection]
01:20 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
01:21 -!- jeev_ is now known as jeev
01:27 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined #openvpn
01:28 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
01:34 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
01:39 -!- szr [~SR@unaffiliated/szr] has quit [Ping timeout: 245 seconds]
01:43 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
01:50 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
02:09 -!- szr [~SR@unaffiliated/szr] has quit [Ping timeout: 245 seconds]
02:13 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
02:14 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
02:21 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
02:22 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
02:24 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:26 -!- mape2k1 [~jabber@2a01:4f8:120:5121:6::5222] has joined #openvpn
02:31 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
02:35 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
02:40 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
02:44 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
02:48 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
02:52 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
02:55 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
02:55 -!- dazo_afk is now known as dazo
02:58 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-rymcuomoflgmiqaw] has left #openvpn []
02:59 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
03:18 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
03:23 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
03:37 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 276 seconds]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:49 -!- WormFood [~wormfood@183.38.15.137] has quit [Ping timeout: 265 seconds]
03:57 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
04:01 -!- WormFood [~wormfood@183.39.107.144] has joined #openvpn
04:02 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
04:24 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
04:27 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
04:51 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
04:55 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
04:59 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:00 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
05:01 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
05:06 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
05:08 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
05:12 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
05:16 < kraut> moin
05:22 -!- szr [~SR@unaffiliated/szr] has quit [Ping timeout: 245 seconds]
05:32 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
05:38 -!- szr [~SR@unaffiliated/szr] has quit [Ping timeout: 245 seconds]
05:42 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined #openvpn
05:42 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
05:47 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
05:57 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
06:06 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left #openvpn []
06:16 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
06:20 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
06:22 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
06:26 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
06:27 -!- mape2k1 [~jabber@2a01:4f8:120:5121:6::5222] has quit [Quit: Leaving.]
06:31 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
06:34 -!- Irssi: #openvpn: Total of 63 nicks [2 ops, 0 halfops, 0 voices, 61 normal]
06:35 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
06:48 -!- szr [~SR@unaffiliated/szr] has quit [Ping timeout: 245 seconds]
06:52 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
06:54 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
06:54 -!- mape2k1 [~jabber@jabber.pennewiss.de] has joined #openvpn
06:58 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
07:00 -!- zoobab [zoobab@vic.ffii.org] has joined #openvpn
07:00 < zoobab> hi
07:01 < zoobab> I have an openvpn server running, but I need to add routes to servers which are the LAN
07:01 < zoobab> any example of that?
07:08 -!- pif [~ldm@zenon.apartia.fr] has joined #openvpn
07:08 < pif> hi, what is the configuration directive to execute a script on vpn start?
07:08 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Remote host closed the connection]
07:08 < pif> I want to "ip route add default dev tun0 table ovpn" when vpn is up
07:12 < kisom> pif: either use a connect script on the client or do a redirect-gateway
07:14 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
07:14 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
07:14 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
07:14 < dazo> !route
07:14 < vpnHelper> dazo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:15 < dazo> zoobab: ^^^
07:15 < dazo> pif: --up on the client side
07:15 < pif> no, --up adds stuff after
07:16 < pif> I just want to execute a simple command with nothing passed to it
07:16 < pif> --route-up maybe
07:16 < dazo> pif: you don't need to care for the arguments if you don't need it ... --up is called when the tunnel is established ... --route-up is called after --up, iirc
07:17 < dazo>        --up cmd
07:17 < dazo>               Shell command to run after successful TUN/TAP device open (pre --user UID change).  The up script is useful  for
07:17 < dazo>               specifying  route  commands  which route IP traffic destined for private subnets which exist at the other end of
07:17 < dazo>               the VPN connection into the tunnel.
07:17 < pif> right, but if --up 'ip rule add from 10.9.0.13 table ovpn' it will break
07:17 < pif> because of extra args
07:17 < pif> must put in script then
07:18 < dazo> that's the point of it
07:18 < dazo> it's a _script_ interface
07:20 < pif> guess I could up "/bin/sh -c 'my command'"
07:21 < pif> I want everyting self contained in my opvn.conf, no addtional 'script' needed
07:22 < dazo> that probably won't work ... it is a *script* interface ... no way around it ... to quote more from the man page ... "Typically, cmd will run a script to add routes to the tunnel."
07:23 < dazo> if you want another behaviour, you need to write your own C plug-in which works as you expect
07:23 < pif> works fine
07:23 < pif> /bin/sh -c 'cmd' is a script
07:24 -!- szr [~SR@unaffiliated/szr] has quit [Ping timeout: 245 seconds]
07:28 < dazo> pif: it might work now, but the code path doing these scripts expects only one argument ... so I wouldn't be surprised if it does explode at some point
07:28  * dazo is parsing the code path now
07:28 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
07:36  * pif is standy by :)
07:38 < pif> er, standing
07:38 -!- mape2k1 [~jabber@jabber.pennewiss.de] has left #openvpn []
07:39 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
07:43 < dazo> As the code stands now, it will work ... as it does special parsing on the argument, splitting it up into an array ... but I'm not giving you any guarantee that it will work like this forever, if the cmd argument parsing needs to be improved
07:43 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
07:44 < pif> thanks for the info
07:44 < dazo> (that splitting into an array is the crucial part, as OpenVPN uses  the execve() function do the execution ... which expects the first argument to *only* be the binary or script file)
07:47 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 276 seconds]
07:54 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
07:57 -!- mape2k [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Ping timeout: 276 seconds]
08:07 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
08:12 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
08:20 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
08:24 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
08:29 -!- pif [~ldm@zenon.apartia.fr] has quit [Remote host closed the connection]
08:33 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
08:38 -!- slava_dp [~slava@unaffiliated/slava-dp/x-9423217] has joined #openvpn
08:39 < slava_dp> hi people. from what I've read, the option 'client-to-client' directly routes traffic between clients without passing it up to the kernel routing table. but from what I see here, I had to allow packets coming from VPN to pass on to the same VPN interface in the FORWARD iptables chain. is that normal?
08:40 -!- szr [~SR@unaffiliated/szr] has quit [Ping timeout: 245 seconds]
08:44 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
08:45 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
08:51 -!- szr [~SR@unaffiliated/szr] has quit [Ping timeout: 245 seconds]
08:55 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
08:56 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
09:00 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
09:04 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
09:07 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
09:08 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
09:13 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
09:17 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
09:21 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
09:23 -!- _AxS_ [~axs@76.70.18.33] has joined #openvpn
09:23 -!- arejay [arejay@i.write.shellcode.eu] has quit [Ping timeout: 240 seconds]
09:24 -!- arejay|elsewhere [arejay@i.write.shellcode.eu] has joined #openvpn
09:24 < _AxS_> Hey all - this is actually a windows question more than an openvpn question, but since openvpn is the only thing i'm trying to use.. :)  I've got a laptop running Windows 7 and I'd like to get it to auto-start OpenVPN-GUI (whether it auto-connects or not i don't care)....
09:26 < _AxS_> ...i've added a shortcut to the Startup folder, no go.  Tried both with and without "Run As Adiminstrator".  I hacked it into the registry also, at which point it -did- start but it prompted a security question, which is annoying and I'd like to get rid of.  I expect this security question is also in part what's keeping the Startup method from working
09:26 < _AxS_> Any ideas / suggestions?  I haven't found anything during my google searches that pertains to anything after Windows XP, unfortunately, and I'm pretty sure this is a Win7 issue..
09:26 < ecrist> during install, you should have been able to install it as a services, then just set the service to auto start.
09:26 -!- arejay|elsewhere is now known as arejay
09:27 < _AxS_> ecrist: ..actually i didn't see that option when i installed (it was whatever the latest stable version was on the website, probably 2.1.x)..  but does enabling the service give the gui icon?
09:28 < _AxS_> ...or is it that the service is not started at boot the reason for the security question?
09:31 < _AxS_> (service is installed, btw, according to the services list on the system)
09:35 -!- szr [~SR@unaffiliated/szr] has quit [Ping timeout: 245 seconds]
09:39 < ecrist> is it set to auto-start?
09:39 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
09:43 < _AxS_> the service?  it wasn't, just did though..  right now i'm trying to get openvpn-gui to interface with it (supposedly it will via the 'management interface')
09:47 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
09:59 -!- _AxS_ [~axs@76.70.18.33] has quit [Changing host]
09:59 -!- _AxS_ [~axs@gentoo/user/axs] has joined #openvpn
10:01 -!- slava_dp [~slava@unaffiliated/slava-dp/x-9423217] has quit [Read error: No route to host]
10:01 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
10:04 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
10:04 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
10:09 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
10:10 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
10:14 -!- szr [~SR@64.85.235.207] has joined #openvpn
10:14 -!- szr [~SR@64.85.235.207] has quit [Changing host]
10:14 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
10:19 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
10:20 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
10:28 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
10:33 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
10:39 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
10:48 < _AxS_> ecrist: right, so it seems that openvpn-gui-1.0.3 just doesn't support what i want yet.  :)  Thanks for all your help, though!
10:48 -!- _AxS_ [~axs@gentoo/user/axs] has left #openvpn ["Leaving"]
11:05 -!- WormFood [~wormfood@183.39.107.144] has quit [Ping timeout: 276 seconds]
11:05 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
11:06 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
11:06 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
11:15 -!- GerhardSchr [~GerhardSc@89.144.18.130] has quit [Changing host]
11:15 -!- GerhardSchr [~GerhardSc@unaffiliated/gerhardschr] has joined #openvpn
11:16 < krzie> LOL
11:16 < krzie> no wonder
11:16 < krzie> hes using some seriously oldsauce
11:18 < ecrist> yeah, he didn't say that until immediately before he left.
11:18 < ecrist> I was going to point him to the current beta.
11:18 -!- WormFood [~wormfood@183.38.12.134] has joined #openvpn
11:18 < krzie> i messaged him about it *shrug*
11:19 < dferris> .wc
11:19 -!- dferris [~dferris@216-243-150-87.static.iphouse.net] has left #openvpn []
11:19 -!- Irssi: #openvpn: Total of 68 nicks [2 ops, 0 halfops, 0 voices, 66 normal]
11:26 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
11:27 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-rymcuomoflgmiqaw] has joined #openvpn
11:28 < HoboSteaux> krzee: thank you for the routing guite its just plain magic
11:30 < krzie> you're welcome, and thanx for saying that =]
11:30 < krzie> i know a lot of people use it, but i love hearing people say that
11:30 < HoboSteaux> i figure credits due for that, i think it just solved a bunch of problems ive been having
11:31 < krzie> ya it can be a pain the first time around... thats why i documented the stuff after i figured it out
11:32 < HoboSteaux> haha yeah i thing once i get a working gaming topology i may document it, it seems to be a mystical thing that people have only heard of in some far off place :P
11:34 < ecrist> krzie: 1672 unique page views of the routing wiki page this month alone.
11:35 -!- _AxS_ [~axs@gentoo/user/axs] has joined #openvpn
11:36 < _AxS_> krzie: tnx for the /msg -- the actual package i installed was OpenVPN-2.1.3 (current stable on the Community Software page on openvpn.net) ; should I have grabbed a different version?
11:38 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
11:39 -!- le0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has joined #openvpn
11:39 -!- le0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has quit [Changing host]
11:39 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
11:45 < ecrist> _AxS_: try the latest beta
11:45 < ecrist> new gui in there.
11:48 < _AxS_> has it been relatively stable? 
11:48 < HoboSteaux> on linux how can i debug client connectivity?
11:49 < Bushmills> log files, to start with
11:49 < HoboSteaux> /etc/openvpn?
11:49 < _AxS_> HoboSteaux: depends on your distro  but usually in /var/log/
11:49 < Bushmills> wherever you have chosen to have them written
11:50 < HoboSteaux> alright ty
11:54 -!- mmestnik [~mmestnik@173-160-118-149-Minnesota.hfc.comcastbusiness.net] has joined #openvpn
11:54 < HoboSteaux> heh it would help to have an output file for logs :P
11:55 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
11:55 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
11:55 < _AxS_> ecrist: ...the gui version in 2.2_beta3 is still 1.0.3 ..?
11:59 < Bushmills> HoboSteaux: not just help, could even be considered a precondition for looking at logs
12:00 < HoboSteaux> hahah yeah kinda makes it hard i dont think you can read /dev/null
12:00 < Bushmills> depends. do you have a null device with a LED built in?
12:03 -!- freaky[t] [alpha@freakyy.de] has joined #openvpn
12:03 < dazo> _AxS_: yes, it most probably is ... http://sf.net/projects/openvpn-gui  ... you might find a newer version here
12:03 < vpnHelper> Title: OpenVPN GUI | Download OpenVPN GUI software for free at SourceForge.net (at sf.net)
12:04  * dazo heads out
12:09 < mmestnik> Hello, does any one here use puppet to configure openvpn clients?  I'm looking to configure a many clients to one server for the purpose of using Nagios.  Clients may server out the networks they are on or even near and nonuniq networks will need to be nated.
12:10 -!- dazo is now known as dazo_afk
12:10 < mmestnik> The goal was to use puppet to configure all the nodes involved.
12:12 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
12:12 < mmestnik> Clients can implicitly be trusted and/as puppet is assumed to be the only thing configuring them.  I would not be apposed to a more restrictive configuration as long as puppet does the configuring(where puppet in turn is configured by sql/postgres).
12:17 -!- severnaya [~severnaya@unaffiliated/severnaya] has joined #openvpn
12:18 < severnaya> when i run addtap.bat it says this version of windows is not supported, but on your site it says windows vista is supported
12:19 -!- _AxS_ [~axs@gentoo/user/axs] has quit [Remote host closed the connection]
12:21 -!- _AxS_ [~axs@gentoo/user/axs] has joined #openvpn
12:33 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
12:35 < mmestnik> Hello, I'm looking to do something like http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
12:35 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
12:36 < mmestnik> What can I do if all 3 networks are 192.168.5.0/24?  Can I configure many to many nat?
12:37 < mmestnik> Such that the same effect is given, clients on the same network as client2 will be nated to come from 10.10.3.0 when connecting to 10.10.1.0 addresses?
12:39 < mmestnik> Source nat used when entering the VPN and destination NAT used when leaving.
12:39 < mmestnik> Would I have to configure this using puppet instead of openvpn?
12:42 < _AxS_> mmestnik: i think you would probably most likely want to bridge instead of route in this particular case.  note that you'll have to be very careful in terms of your address assignments (DHCP server or whatnot)
12:43 -!- severnaya [~severnaya@unaffiliated/severnaya] has quit [Quit: Leaving]
12:43 < mmestnik> _AxS_:  This would cause address collisions.
12:44 < mmestnik> The idea here it to be able to script around admins who never thought about the networks being connected.
12:45 < _AxS_> changing the base address on two of those networks isn't an option, i take it?
12:45 < mmestnik> This is for future deployments and we'd like to avoid suggesting that.
12:47 < _AxS_> you could NAT each on the server they're all connected to, but that's going to be messy..  essentially to pass back services you're going to have to port-forward.  you won't be able to access (in a regular manner) the machines of one network from the other..
12:48 < _AxS_> doing a one-to-one NAT map might solve your issue, but i have no idea how you would set that up -- i'm not familiar with that type of configuration..
12:49 < mmestnik> Could openvpn do it or would it have to be one with iptables commands?
12:50 < _AxS_> mmestnik: depends on how you want this to work -- do you want to combine all of the networks together at their routers or are each individual computer/user going to connect via openvpn?
12:51 < _AxS_> mmestnik: if the former, i expect you would have to do it via iptables and link the various commands to the openvpn network up/network down scripts
12:53 < mmestnik> _AxS_:  The goal is to give an instance of Nagios(running on the openvpn server) access to all of the networks and hosts.  OpenVPN clients will be deployed at each location responsible for routing(NAT can be used here to simplify this) the networks at that location.
12:53 < _AxS_> right, so you're doing it on each network's gateway.  makes sense
12:54 < _AxS_> so each network's gateway would need to do one-to-one NAT into its particular 10.x.y.0/24 network, so that all hosts in that network can be accessed.
12:56 < _AxS_> and the openvpn server i think would take care of itself.  Of course you need to be sure that it's routing table builds correctly (ie, maps the whole 10.x.y.0/24 network instead of just the /252 or /255 that it usually does when a client connects)
12:56 < _AxS_> s/maps/routes/
12:56 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
12:58 < mmestnik> I'd like to use whatever openvpn can give me, but if it comes down to me doing it then it'll likely look like this...
13:00 < mmestnik> The gateway will dnat from 10.9.x.z to 192.168.5.z where 10.8.0.z is used to build the VPNs.  x is the network id marking the identifier for each location.
13:01 < _AxS_> mmestnik: i would highly doubt that openvpn would support this type of thing; esp. given that all the documentation i've read on it so far says to make sure all your networks don't overlap before you try to use it
13:02 < _AxS_> mmestnik: you have openvpn doing that already?  don't you want to snat?  (iptables calls one-to-one NAT "static nat")
13:03 < mmestnik> snat == source nat
13:03 < _AxS_> ah, my misatake..
13:04 < mmestnik> Thank you for the term, I was having trouble finding one to one nat using netfilter.
13:06 < mmestnik> Obviously I'm looking for a short-cut that would avoid me having to add 256 rules.  That would get ugly quick if there was also support for class B subnets.
13:07 < _AxS_> mmestnik: should be scriptable though -- a simple 'up' script could handle setting up the iptables rules for the static nat based on whatever the network was that the openvpn client connected to
13:07 < _AxS_> (and likewise, a down script to remove the mapping rules)
13:09 < mmestnik> Ahh, it's just done using the normal NAT rules.
13:11 < HoboSteaux> when you ssh in as root, what the command to edit read only file systems?
13:11 < mmestnik> HoboSteaux: "mount -o remount,rw"
13:11 < HoboSteaux> ty
13:12 < _AxS_> mmestnik: hey, have you found any examples that will do static nat on a whole subnet at once?  all i've found so far is individual address commands...
13:12 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Read error: Connection reset by peer]
13:13 < HoboSteaux> "mount -o /opt/etc/init.d,rw"?
13:13 < mmestnik> HoboSteaux: "mount /opt/etc/init.d -o remount,rw"
13:13 < HoboSteaux> :P ty
13:15 < HoboSteaux> still read only
13:18 < _AxS_> HoboSteaux: is it on read-only media?
13:18 < mmestnik> NETMAP target.
13:19 < krzee> [10:39]  <mmestnik> What can I do if all 3 networks are 192.168.5.0/24?  Can I configure many to many nat?
13:19 < krzee> re-address your LANs
13:19 < _AxS_> mmestnik: found it ---  nice..  
13:19 < HoboSteaux> there fixed it... router filesystem its all weirdly _AxS_
13:19 < HoboSteaux> ty
13:20 < krzee> even if you hack it up to work as is, it will be an administration nightmare
13:20 < krzee> as hard as you think it will be to readdress the LANs, it will be worse to NOT do it
13:21 < mmestnik> krzee: Unfortunately this is for my customers, so I can't even suggest it.
13:21 < krzee> sure you can
13:22 < krzee> if they want to join the LANs, they need to do it
13:22 < krzee> ive had to deliver news that people did things wrong many times...
13:22 < krzee> they dont usually like hearing it, but they do like when i make things right ;]
13:23 < krzee> unless you setup those LANs, it is not your fault
13:23 < _AxS_> krzee: if the networks are being joined at the router, and the router does static nat from the VPN network to the local network, it should work though shouldn't it?
13:23 < _AxS_> (router = vpn client)
13:23 < mmestnik> It's not about joining the lans.  It's about monitoring the resources on each lan.  Apparently our software is broken if it can't work if every network is not connected.
13:24 < _AxS_> mmestnik: ...does it work via broadcasting?  if that's the case, then you might have issues anyways due to needing to broadcast on each subnet..
13:24 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
13:25 < _AxS_> (which may not be fully supported)
13:25 < _AxS_> (in your software)
13:25 < mmestnik> Having multiple broadcast domains should not be a problem.
13:25 < _AxS_> ..dynamically?
13:26 < _AxS_> actually nvm; you could have it set up to broadcast to them all anyhow, and since its broadcast if they aren't there it shouldn't cause any issues..
13:41 < HoboSteaux> aright so i can connect to the vpn but i am not able to communicate with anything on it
13:41 < HoboSteaux> i assuming my tables are incorrect
13:41 < HoboSteaux> its there a simple way to isolate if its a route that i need to push?
13:45 < _AxS_> HoboSteaux: what's the routing table on the client look like, and what's the routing table on the server look like?
13:45 < _AxS_> HoboSteaux: also, i assume you're routing and not bridging, right?
13:45 < HoboSteaux> bridging its for games _AxS_
13:47 < _AxS_> ahh.. hm.. ok, i'm unfamiliar with how bridging works in terms of openvpn  (which address is given to what)..  i assume that the client should have the same ip address as the server?
13:47 < _AxS_> (ie, client side of pipe and server side of pipe have the same address)?
13:47 < HoboSteaux> thats what i did before, but it was tough with some networks and ip confilcts
13:48 < HoboSteaux> this time around im trying a 10.x bridge network
13:48 < _AxS_> HoboSteaux: is each client connecting in via openvpn, or are you connecting whole networks together at the router?
13:49 < HoboSteaux> client ala roadwarior style:
13:49 < HoboSteaux> network -> router/ovpn server <-clients (multiple)
13:51 < _AxS_> gotchya.  ok that should make things easier... 
13:52 < _AxS_> ..although tbh i would expect that going routed with the 'topology subnet' option would work just as well...?
13:52 < _AxS_> ..err, maybe not..  
13:52 < HoboSteaux> the main descision factor behind bridged was breadcast packets for games
13:53 < HoboSteaux> if it can do broadcasts with little hacking im all for it
13:53 < HoboSteaux> but from my understanding only taps can
13:53 < _AxS_> right, but with 'topology subnet' all clients are on the same subnet, so broadcasting should (i believe) work...  just lemme check to confirm this
13:54 -!- bazoka [zoka@as4-22.qualitynet.net] has joined #openvpn
13:54 < bazoka> !welcome
13:54 < vpnHelper> bazoka: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:55 < bazoka> !howto
13:55 < vpnHelper> bazoka: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:55 < _AxS_> HoboSteaux: my system adds the route to 10.8.0.0/24 , and similarly on the client.  so a broadcast via 10.8.0.255 should go to all clients.  try a 'ping -b' and see how many responses you get
13:56 < bazoka> any reason why my openvpn is slow with streaming video sites like youtube?
13:56 < _AxS_> HoboSteaux: mind you, for games that are using non-tcpip protocols you might have an issue..
13:56 < bazoka> its fast for everything except for streaming sites
13:57 < HoboSteaux> yeah but every good game (besides starcraft1 ) is a tcpip nowdays
13:58 < HoboSteaux> pinging any ip with -b is non responsive
13:58 < _AxS_> HoboSteaux: give it a shot?  all i've got in my client configs is 'topology subnet' and 'ip-win32 dynamic' instead of my old 'ifconfig 10.whatever.2 10.whatever.1'
13:59 < _AxS_> HoboSteaux: ping -b x.y.z.255 i think is how you use it..
14:00 < HoboSteaux> yeah doing my vpn bcast and my local bcast (via vpn) returns nothing
14:00 < HoboSteaux> ill look into it
14:00 < _AxS_> HoboSteaux: oh, and you'll obviously have to turn off any firewalls that block ping responses.. :)
14:00 < HoboSteaux> heh there off :P
14:00 < _AxS_> HoboSteaux: as for the broadcast method, you should not need any extra routing at all.
14:01 < _AxS_> HoboSteaux: err, s/broadcast/bridged/
14:01 < HoboSteaux> alright thats what i thought i think somewhere in my configs stuff is getting foobared
14:01 < HoboSteaux> thank you for all the help!
14:01  * HoboSteaux digs through configs
14:01 < _AxS_> HoboSteaux: np, wish i could've done more
14:02 < HoboSteaux> when i get a working gaming solution ill document it for the future this seems to be a gray area
14:08 -!- bazoka [zoka@as4-22.qualitynet.net] has quit []
14:20 < _AxS_> HoboSteaux: are you letting openvpn handle the ip addresses or is your openvpn-server's dhcp server doing it?
14:21 < HoboSteaux> i think ovpn right now, its server-bridge [gateway] [netmask] [start ip] [end ip]
14:22 < _AxS_> HoboSteaux: ok, so the server should be handling it.  clients are getting ips from that range, yes?  ie, the server's dhcp server isn't assigning others?
14:22 < HoboSteaux> yeah i have the right ip, im getting lots of rwr... action in the client log and no errors
14:22 < _AxS_> HoboSteaux: what about forwarding rules on the server -- all good there?  
14:23 < HoboSteaux> im going to fint the firewall rules real fast
14:24 < krzee> http://www.wired.co.uk/news/archive/2010-09/24/sweden-election-hack
14:24 < krzee> LOL
14:24 < vpnHelper> Title: Hacking Swedens election with pen and paper (at www.wired.co.uk)
14:25 < _AxS_> HoboSteaux: you also probably want 'client-to-client' enabled ..  if that is, i think the clients should be able to talk to each other even if the server's firewall isn't set up right
14:25 < HoboSteaux> it is already
14:25 < _AxS_> (since this is an ethernet thing and the firewall is above that at the ip level)
14:26 < HoboSteaux> yeah :P
14:26 < _AxS_> ..but two clients can't talk to eachother yet either, can they?
14:26 < HoboSteaux> i cant talk to the server theres only one client active tright now (me)
14:27 < _AxS_> ah.  so no way to test client-to-client ...  your issue might be this:  "The addresses used for local and remote should not be part of the bridged subnet -- otherwise you will end up with a routing loop."
14:28 < _AxS_> ..but i can't really say as i'm not 100% sure what that's supposed to mean..
14:28 < HoboSteaux> lol yeah seems fairly mystical
14:29 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:30 < _AxS_> HoboSteaux: you're not using an 'ifconfig' directive on the server right?
14:30 < _AxS_> (in the openvpn config file on the server)
14:30 < HoboSteaux> the documentation said to with a bridge
14:30  * HoboSteaux comments it out
14:31 < _AxS_> it says specifically not to on the one i'm reading -- that you should configuure it within the OS itself
14:31 < hyper_ch> howdy
14:32 < _AxS_> HoboSteaux: ..the config i'm reading is the one on ethernet bridging ..  i assume that's the one you're doing? 
14:33 < HoboSteaux> alright restarting it right now. and yes _AxS_
14:33 < _AxS_> 'k good, we're on the same page then
14:38 < HoboSteaux> hrmppnh the service dissapeard too thank you ddwrt
15:01 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
15:01 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined #openvpn
15:03 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
15:08 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
15:24 -!- bandini [~bandini@host153-108-dynamic.25-79-r.retail.telecomitalia.it] has joined #openvpn
15:41 -!- _AxS_ [~axs@gentoo/user/axs] has quit [Quit: gone]
15:47 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
15:55 -!- bandini [~bandini@host153-108-dynamic.25-79-r.retail.telecomitalia.it] has quit [Ping timeout: 265 seconds]
15:58 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
15:59 -!- bandini [~bandini@host153-108-dynamic.25-79-r.retail.telecomitalia.it] has joined #openvpn
16:00 < vpnHelper> RSS Update - forum: Configuration :: Multiple non-contiguous client IP ranges. :: Author MrWetsnow <https://forums.openvpn.net/viewtopic.php?f=6&t=7132&p=7864#p7864>
16:06 < vpnHelper> RSS Update - forum: Configuration :: Multi factor authentication :: Author MrWetsnow <https://forums.openvpn.net/viewtopic.php?f=6&t=7133&p=7865#p7865>
16:21 -!- bandini [~bandini@host153-108-dynamic.25-79-r.retail.telecomitalia.it] has quit [Ping timeout: 252 seconds]
16:30 -!- bandini [~bandini@host153-108-dynamic.25-79-r.retail.telecomitalia.it] has joined #openvpn
16:31 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Ping timeout: 252 seconds]
16:38 -!- estr [~eastr@ti0013a380-dhcp2018.bb.online.no] has joined #openvpn
17:01 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Read error: Connection reset by peer]
17:05 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
17:06 -!- estr [~eastr@ti0013a380-dhcp2018.bb.online.no] has quit []
17:22 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 255 seconds]
17:27 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
17:28 -!- bandini [~bandini@host153-108-dynamic.25-79-r.retail.telecomitalia.it] has quit [Ping timeout: 272 seconds]
17:43 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 252 seconds]
17:45 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
17:48 -!- reiffert [~thomas@mail.reifferscheid.org] has quit [Remote host closed the connection]
17:51 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 245 seconds]
17:52 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
18:00 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Disconnected by services]
18:00 -!- intralanman [~lanman@va-67-76-163-226.sta.embarqhsd.net] has joined #openvpn
18:08 -!- Gokee2_ [~gokee2@204-195-14-78.wavecable.com] has joined #openvpn
18:10 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has quit [Read error: Operation timed out]
18:24 -!- Netsplit *.net <-> *.split quits: krzee, nb, Martin`
18:24 -!- meh3 [~efnet@27-9.202-62.fix.bluewin.ch] has quit [Read error: Connection reset by peer]
18:25 -!- meh3 [~efnet@27-9.202-62.fix.bluewin.ch] has joined #openvpn
18:28 -!- Netsplit over, joins: krzee
18:28 -!- 14WAA8VP1 [martin@shell.ipv6.octocore.net] has joined #openvpn
18:28 -!- Netsplit over, joins: nb
18:37 -!- intralanman [~lanman@va-67-76-163-226.sta.embarqhsd.net] has quit [Quit: This computer has gone to sleep]
19:22 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
19:46 -!- WormFood [~wormfood@183.38.12.134] has quit [Ping timeout: 240 seconds]
19:48 -!- Floops [~baihu@shellium/staff/floops] has joined #openvpn
20:00 -!- Sky[XX] [~SkyB0x@212.235.177.25] has joined #openvpn
20:00 -!- WormFood [~wormfood@183.38.14.10] has joined #openvpn
20:03 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
20:04 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
20:05 -!- Sky[XX] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
20:06 -!- ss0 [~Adium@cpe-72-190-122-22.tx.res.rr.com] has joined #openvpn
20:07 < ss0> Anyone have a moment to assist me with understanding how the push route directive works?
20:07 < ss0> I currently have a ccd directory with a directive to push route 172.16.1.0 255.255.255.0
20:08 < ss0> however I also want 208.86.167.0/24 to be routed to via the gateway on the 172 network.
20:08 < ss0> so should I simply add a route 208.86.167.0 255.255.255.0 172.16.1.1 ?
20:11 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
20:11 < ss0> Well that didn't work, how do i force the 208 range to use the vpns connection while still allowing everything else to route outside the tunnel. This is a bridged configuration btw. 
20:17 < vpnHelper> RSS Update - forum: Server Administration :: Website SSL Cert :: Author lee.todis <https://forums.openvpn.net/viewtopic.php?f=4&t=7134&p=7866#p7866>
20:19 -!- ss0 [~Adium@cpe-72-190-122-22.tx.res.rr.com] has quit [Quit: Leaving.]
20:30 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 240 seconds]
20:44 -!- ss0 [~ss0@cpe-72-190-122-22.tx.res.rr.com] has joined #openvpn
20:45 < ss0> I'm trying to force anything going to a /24 of public ips to go through the vpn rather than out directly is that possible? If so could anyone give me a pointer on how to do it?
20:47 < theDoc> iptables is what you want.
20:49 < ss0> Thanks theDoc
20:49 < ss0> I assume you mean iptables on the client?
20:50 < theDoc> Pretty much.
20:53 < ss0> hmm not very workable in my situation. I guess I will have to try to find some other way to force traffic for that ip range over the vpn.
20:54 < ss0> I couldnt do something like. push "route xxx.xxx.xxx.xxx 255.255.0.0 yyy.yyy.yyy.yyy" where yyy = gateway of the private vpn range
20:56 -!- ss01 [~Adium@cpe-72-190-122-22.tx.res.rr.com] has joined #openvpn
20:56 -!- ss01 [~Adium@cpe-72-190-122-22.tx.res.rr.com] has quit [Client Quit]
21:04 -!- blackpenguin is now known as sebastiantoby
21:04 -!- sebastiantoby is now known as blackpenguin
23:13 -!- ss0 [~ss0@cpe-72-190-122-22.tx.res.rr.com] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- IRC with a difference]
--- Day changed Tue Sep 28 2010
00:00 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
00:14 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined #openvpn
00:40 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
00:42 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
01:06 -!- paco|Away [~pacorocks@c-71-205-18-165.hsd1.mi.comcast.net] has joined #openvpn
01:07 < paco|Away> Hi there is there a way to get openvpn server working on windows server 2003? iv'e tried multiple guides, but have been un-successful. D:
01:07 < paco|Away> !welcome
01:07 < vpnHelper> paco|Away: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:12 < HoboSteaux> yuck windows routing + ovpn
01:12 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
01:12 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
01:12 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
01:12 < paco|Away> :)
01:12 < paco|Away> wish i would of bought a linux vps but hey, whats done is done ;)
01:13 < HoboSteaux> haha touche
01:14 < HoboSteaux> whats your issue?
01:14 < paco|Away> well, i just had to do a reinstall, just looking for a 'correct' tut atm D:
01:15 < HoboSteaux> lol that is an issue ive never done windows intalls but can help with basic troubleshooting
01:16 < paco|Away> http://www.runpcrun.com/howtoopenvpn i followed that guide last time, and was un-successful o.o
01:16 < vpnHelper> Title: OpenVPN Windows HowTo | runPCrun - IT Support for London (at www.runpcrun.com)
01:17 < paco|Away> care to check if that seems alright before i follow it again? o,o
01:18 < HoboSteaux> yeah for sure
01:21 < HoboSteaux> the steps seem right but the config is wonky
01:21 < HoboSteaux> you will only have one client per interface
01:22 < HoboSteaux> !welcome
01:22 < vpnHelper> HoboSteaux: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:22 < HoboSteaux> !howto is sup[er helpful and more up to date than that website
01:22 < vpnHelper> HoboSteaux: Error: Missing "]".  You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
01:23 < HoboSteaux> "!howto" lol
01:23 < HoboSteaux> dooo it.... nope damn bots
01:23 < HoboSteaux> !howto
01:23 < vpnHelper> HoboSteaux: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
01:24 < HoboSteaux> you thiink it would be smart enouch to search for a string :P
01:33 -!- vot [debian-tor@gateway/tor-sasl/vot] has joined #openvpn
01:33 < vot> whats the story with openvpn access server ?
01:33 < vot> is it free for home use or does it require a license to operate at all?
01:39 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 264 seconds]
02:19 < atan> "2010-09-28 04:18:25 *Tunnelblick: openvpnstart status #242: Error: OpenVPN returned with status 1. Possible error in configuration file. See "All Messages" in Console for details" keeps showing up for me but I don't see any errors in my config =(
02:21 -!- atan [~atan@unaffiliated/atan] has left #openvpn []
02:26 < vot> forget it btw i saw the 2 free connections bit
02:28 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Read error: Operation timed out]
02:32 < HoboSteaux> i find ssh to be all i need :)
02:32 < HoboSteaux> but i only have one server lol
02:32 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
02:32 < atan> Hey guys, when I use apt-get to install OpenVPN on ubuntu where is my default config file hiding that it uses when it starts up?
02:33 < HoboSteaux> mines  in /etc/openvpn
02:33 < atan> I get this, err
02:34 < atan> # openvpn status
02:34 < atan> Options error: In [CMD-LINE]:1: Error opening configuration file: status
02:34 < atan> Oh wait, that makes sense, err
02:34  * atan is complete noob who shouln't even be using this
02:34 < HoboSteaux> hahahahaha
02:34 < HoboSteaux> gotta start somewhere
02:34 < atan> What is it looking for? server.conf inside /etc/openvpn?
02:34 < atan> My /etc/openvpn folder is empty
02:35 < HoboSteaux> are you trying to run the server or the client?
02:35 < atan> Unless the linux shell did some 'hidden files' dick Windows move on me
02:35 < atan> Trying to configure the server
02:35 < atan> Had the static key I need made (I believe) but need to start up the server
02:35 < atan> s/had/have
02:35 < HoboSteaux> try vi /etc/init.d/S20openvpn
02:35 < HoboSteaux> see where the service script points to
02:36 < atan> # cat /etc/init.d/S20openvpn
02:36 < atan> cat: /etc/init.d/S20openvpn: No such file or directory
02:36 < HoboSteaux> ls /etc/init.d/
02:36 < HoboSteaux> oh youll prolly have to sudo
02:37 < atan> There is openvpn inside there
02:37 < atan> Just no S20 thinger
02:37 < HoboSteaux> oh lol
02:37 < HoboSteaux> open it with vi or your text editor of choice
02:37 < vpnHelper> RSS Update - forum: Configuration :: Re: Multiple non-contiguous client IP ranges. :: Reply by controlc.de <https://forums.openvpn.net/viewtopic.php?f=6&t=7132&p=7867#p7867>
02:37 < atan> It shows this inside it... CONFIG_DIR=/etc/openvpn
02:38 < HoboSteaux> oh well make that folder :D
02:38 < HoboSteaux> whats the config name?
02:38 < atan> There is no config folder or name... so, err, I guess 'default' ?
02:38 < HoboSteaux> prolly openvpn.conf but save a headache now and check
02:38 < atan> So I just make default.conf ?
02:38 < atan> How do I check? =)
02:38 < HoboSteaux> near the bottom it will launch openvpn
02:38  * HoboSteaux digs
02:39 < atan> the docs hsow it as openvpn.conf, I now see =D
02:39 < HoboSteaux> mines: /opt/sbin/openvpn --daemon --cd /opt/etc/openvpn --config openvpn.conf 
02:40 < HoboSteaux> so the first path is the bin, then the daemon command, then it changes to the config dir and loads the --config xxxxxx.xxx
02:41 < HoboSteaux> daemon btw, makes it run in the background as a service essentially
02:41 < atan> woah.... I think it worked!! ;D
02:41  * atan is so stoked right now
02:41 < HoboSteaux> :D
02:42 < HoboSteaux> in your conf file do you have a log output?
02:42 < atan> now I need to figure out how to setup the client side to force all traffic over the VPN + assign a non-local DNS server
02:42 < atan> No, my config is small
02:42 < atan> three lines
02:42 < HoboSteaux> oh i havent done one of those 
02:42 < HoboSteaux> !redirect
02:42 < vpnHelper> HoboSteaux: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
02:44 < HoboSteaux> good luck tho its bed time, class in el manana
02:44 < HoboSteaux> ill be around if you need help
02:46 < atan> =)
02:46 < atan> peace
02:52 < atan> Oh, heck, you still here?
02:55 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 276 seconds]
02:56 -!- 14WAA8VP1 [martin@shell.ipv6.octocore.net] has quit [Ping timeout: 276 seconds]
02:56 -!- nb [~nb@fedora/GSWoT.Member.nb] has quit [Ping timeout: 276 seconds]
02:56 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
02:57 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
02:59 -!- HackeMate [~HackeMate@83.49.39.199] has joined #openvpn
02:59 < HackeMate> hello, I have this configuration http://pastebin.com/uye5jAsN
02:59 < HackeMate> i cant access, if i try telnet port 1194 it also fail
03:00 -!- atan [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
03:01 -!- nb [~nb@fedora/GSWoT.Member.nb] has joined #openvpn
03:02 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
03:29 -!- atan [~atan@blk-222-132-103.eastlink.ca] has joined #openvpn
03:29 < atan> I'm stumped. I am using everyting they say here: http://openvpn.net/index.php/open-source/documentation/howto.html#redirect but I can't push all my traffic through the vpn =( anyone know where I might have gone wrong?
03:29 < vpnHelper> Title: HOWTO (at openvpn.net)
03:32 < Rienzilla> is any traffic getting through?
03:33 < atan> It connects, but nothing that I can tell is
03:34 < atan> If I add push "redirect-gateway def1" into my server config I can still connect, but websites like whatismyip.com still show mine
03:34 < atan> http://pastie.org/1186029 is my client config
03:35 < atan> sorry, server
03:35 < atan> http://pastie.org/1186031 is my client
03:36 < atan> I am so confused about it because all the guides I read seem to say this is how it's done
03:36 < atan> I would think if it were messed up on the server routing level then it wouldn't even let me view pages, but =\
03:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Operation timed out]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:43 -!- Cmdr_W_T_Riker [a90f7ee7dd@xs8.xs4all.nl] has joined #openvpn
04:06  * atan pounds sand
04:06 < atan> http://openvpn.net/index.php/open-source/documentation/howto.html#redirect just isn't working =\
04:06 < vpnHelper> Title: HOWTO (at openvpn.net)
04:06 < atan> Perhaps I should use a different OS
04:06 < hyper_ch> linux makes openvpn easy
04:07 < atan> Right now it's running on ubuntu but I can't get all my traffic to route though it for some reason
04:08 < hyper_ch> !configs
04:08 < atan> I have followed the guide step-by-step and it's still not working as I would expect
04:08 < vpnHelper> hyper_ch: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
04:08 < atan> http://pastie.org/1186090 are my configs
04:10 < hyper_ch> that's all?
04:10 < hyper_ch> and what is the ifconfig supposed to do?
04:10 < hyper_ch> and what do you actually want to achieve?
04:11 < atan> I want all my client web traffic to route over the vpn, so websites, etc, ceom from the remote IP
04:11 < atan> I subscribed to another VPN provider and it worked for them, so I assume the issue here is on the server side of things
04:12 < atan> Not routing things correctly or something
04:13 < hyper_ch> and you use those configs?
04:13 < atan> Yep
04:16 < atan> Hmm, forum post says "Okay, I solved my problem! I had to add a default gateway, and it works now."
04:16 < atan> I wonder about this default gateway
04:25 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
04:33 -!- paco|Away [~pacorocks@c-71-205-18-165.hsd1.mi.comcast.net] has quit [Read error: Connection reset by peer]
04:46 < HackeMate> somebody can help me please
04:48 < hyper_ch> HackeMate: let me fetch my magic crystall ball and divine what your problem is and then I shall answer with yes or no - depending on whether I see myself fit to help you with that yet-to-divine problem
04:49 < Bushmills> needs social security or a lawyer?
04:49 < HackeMate> [09:59:47] «HackeMate» hello, I have this configuration http://pastebin.com/uye5jAsN / [10:00:02] «HackeMate» i cant access, if i try telnet port 1194 it also fail
04:50 < theDoc> Um, telnetting to it will make it fail.
04:51 < HackeMate> but like connection refused?
04:51 < HackeMate> i wanted to see if at least the socket is opened
04:51 < theDoc> Who knows, I don't telnet to it.
04:51 < Bushmills> ping the remote.
04:51 < HackeMate> i am the remote
04:51 < HackeMate> is this computer
04:51 < Bushmills> the remote, from your point of view
04:52 < hyper_ch> Bushmills: everybody needs an overpriced lawyer :)
04:52 < Bushmills> i.e., from client, ping server.  from server, ping client
04:52 < HackeMate> well, currently i am using a nxmachine connection, is like a vnc, 
04:53 < Bushmills> hyper_ch: i forgot to say "hang an, we're sending an ambulance"
04:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
04:53 < Bushmills> so, ping the remote
04:56 < Bushmills> HackeMate: are you aware of that, for an openvpn connection, you need both openvpn server and openvpn client?
04:57 < HackeMate> yes Bushmills, but with the tunnelblick i get timeout, so i try to find where is the error, a telnet was an experiment to see if at least i can open a socket in that port
04:57 < HackeMate> i cant make ping, i think network admin has blocked this packets
04:57 < HackeMate> im trying other things now
04:58 < atan> Well I'm stumped. I just cannot get all my traffic to tunnel properly. I tried CentOS, and debian.... for whatever reason I can't get all my traffic to tunnel through the VPN
04:58 < atan> No doubt it's something stupid I overlooked.
04:58 < Bushmills> network admin can't block pings through openvpn tunnel - unless all openvpn is blocked and there is no tunnel
04:59 < Bushmills> !redirect
04:59 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
04:59 < Bushmills> atan ^^^
04:59 < atan> !ipforward
04:59 < vpnHelper> atan: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
04:59 < atan> !nat
04:59 < vpnHelper> atan: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
05:01 < atan> So I have my ipv4 forwarding on
05:01 < atan> still no go
05:01 < atan> I think I'm stuck at this nat thing
05:01 < Bushmills> you  also need nat
05:01 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
05:01 < Bushmills> !linnat
05:01 < vpnHelper> Bushmills: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
05:02 < Bushmills> or  http://scarydevilmonastery.net/masq
05:03 < atan> Even when I run iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, restart the openvpn server, and reconnect, I still don't tunnel verything
05:04 < atan> and of course /proc/sys/net/ipv4/ip_forward    is 1
05:04 < Bushmills> windows client?
05:04 < atan> Tunnelblick, OS X
05:04 < atan> debian server
05:04 < Bushmills> added  redirect-gateway to client config (or pushed it from server)?
05:05 < atan> it's on the server
05:05 < atan> http://pastie.org/1186090
05:05 < Bushmills> pushing to client?
05:05 < atan> not sure? should I just add it to the client config?
05:05 < Bushmills> either way
05:05 < Bushmills> check client routing table
05:05 < Bushmills> better, pastebin it
05:10 -!- atan [~atan@blk-222-132-103.eastlink.ca] has quit [Ping timeout: 245 seconds]
05:11 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
05:11 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
05:11 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:11  * Bushmills afk now
05:14 -!- atan [~atan@vpn.mattmercer.ca] has joined #openvpn
05:14 < atan> Hey Bushmills, thank you
05:14 < atan> Connection dropped out while changed were going but the problem was the "push" was not making it to the client for some reason
05:14 < atan> I added it to the client config without the "push" part and it works beautifully
05:15 < atan> Thanks =)
05:15 < atan> gotta run though, will pop back later to get the little bugs worked out
05:15 < atan> Peace
05:15 -!- atan [~atan@vpn.mattmercer.ca] has left #openvpn []
05:15 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
05:46 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
05:48 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has joined #openvpn
05:59 -!- mape2k1 [~jabber@jabber.pennewiss.de] has joined #openvpn
06:05 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 272 seconds]
06:25 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
06:39 < vpnHelper> RSS Update - forum: Configuration :: Re: Multiple non-contiguous client IP ranges. :: Reply by Douglas <https://forums.openvpn.net/viewtopic.php?f=6&t=7132&p=7868#p7868>
08:14 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
08:18 -!- vot [debian-tor@gateway/tor-sasl/vot] has quit [Ping timeout: 245 seconds]
08:19 -!- vot [debian-tor@gateway/tor-sasl/vot] has joined #openvpn
08:21 < vpnHelper> RSS Update - forum: Configuration :: Re: ifconfig-pool-persist is not working. :: Reply by fire-fly <https://forums.openvpn.net/viewtopic.php?f=6&t=7128&p=7869#p7869>
08:30 -!- vot [debian-tor@gateway/tor-sasl/vot] has quit [Remote host closed the connection]
09:10 -!- arejay is now known as arejay|elsewhere
09:12 < vpnHelper> RSS Update - forum: Server Administration :: Re: Openvpn connection to server but mail fails to open :: Reply by george <https://forums.openvpn.net/viewtopic.php?f=4&t=7127&p=7870#p7870>
09:42 -!- lolmaus [~lolmaus@178.236.241.96] has joined #openvpn
09:42 < lolmaus> !welcome
09:42 < vpnHelper> lolmaus: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:43 -!- mape2k1 [~jabber@jabber.pennewiss.de] has left #openvpn []
09:43 < lolmaus> !route
09:43 < vpnHelper> lolmaus: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:45 -!- mape2k [~mape2k@2001:6f8:133b:0:21f:3bff:fe27:21a9] has quit [Quit: Leaving]
09:52 < lolmaus> My VPN connection sets up well, the client can access Samba share on the server. But i can't set up routing. I've got push "route 192.168.0.0 255.255.255.0", and client does receive this route. But it is assigned to 10.8.0.5 gateway whereas server is 10.8.0.1 and client is 10.8.0.6.
09:52 < lolmaus> Firewall disabled everywhere.
09:54 < lolmaus> I believe the same issue is described here: https://forums.openvpn.net/viewtopic.php?f=6&t=7119
09:54 < vpnHelper> Title: OpenVPN Support Forum View topic - Routing working in 2.09 but not in 2.1.1 with my config file (at forums.openvpn.net)
09:57 < lolmaus> And here https://forums.openvpn.net/viewtopic.php?f=6&t=7126
09:57 < vpnHelper> Title: OpenVPN Support Forum View topic - Routing problem (at forums.openvpn.net)
09:57 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined #openvpn
10:00 < Bushmills> lolmaus: that's ok, that is the P-t-P address, the clients idea of "remote"
10:00 < Bushmills> for routing, you want to use the actual server vpn address
10:01 < Bushmills> do  ifconfig tun0  on client, and you see that P-t-P address
10:02 < lolmaus> Bushmills, client is Windows
10:02 < Bushmills> ipconfig, it may be there
10:03 < Bushmills> !wins
10:03 < vpnHelper> Bushmills: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
10:03 < lolmaus> Bushmills, ifconfig on server shows tun0 10.8.0.1 with p-t-p 10.8.0.2 and ipconfig on client shows tun 10.8.0.6 with dhcp 10.8.0.5 (?!) which is not pingable
10:04 < Bushmills> that is correct. there is nothing listening on 10.8.0.5 to reply to your echo requests
10:04 < Bushmills> !net30
10:04 < vpnHelper> Bushmills: "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
10:04 < lolmaus> Bushmills, but why is route written so that 10.8.0.5 is the gateway?
10:05 < lolmaus> Bushmills, hey, i've just downgraded client 2.2-beta3 to 2.1.3 and everything worked immediately!
10:05 < Bushmills> when your clients routes to 10.8.0.5, it routes to "remote end of vpn link"
10:06 < lolmaus> Ahhh sorry it won't
10:06 < lolmaus> :(
10:06 < lolmaus> Bushmills, so where the problem is?
10:07 < Bushmills> not enough information to tell you. also, windows is nothing i'm authoritative on
10:07 < Bushmills> !winroute
10:07 < vpnHelper> Bushmills: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
10:07 -!- Irssi: #openvpn: Total of 71 nicks [2 ops, 0 halfops, 0 voices, 69 normal]
10:07 < lolmaus> Route is added successfully
10:09 -!- HackeMate [~HackeMate@83.49.39.199] has quit [Remote host closed the connection]
10:12 < vpnHelper> RSS Update - forum: Configuration :: Re: Multiple non-contiguous client IP ranges. :: Reply by MrWetsnow <https://forums.openvpn.net/viewtopic.php?f=6&t=7132&p=7871#p7871>
10:36 < vpnHelper> RSS Update - forum: Configuration :: Re: Routing problem :: Reply by lolmaus <https://forums.openvpn.net/viewtopic.php?f=6&t=7126&p=7872#p7872>
10:38 -!- arejay|elsewhere [arejay@i.write.shellcode.eu] has quit [Ping timeout: 240 seconds]
10:38 -!- lolmaus [~lolmaus@178.236.241.96] has quit []
10:45 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
10:53 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
11:05 -!- WormFood [~wormfood@183.38.14.10] has quit [Ping timeout: 245 seconds]
11:17 -!- WormFood [~wormfood@183.38.13.227] has joined #openvpn
11:39 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
11:39 -!- Floops [~baihu@shellium/staff/floops] has quit [Ping timeout: 255 seconds]
11:40 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
11:46 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 240 seconds]
11:49 -!- Visual` [~visualsta@ip-80-236-230-209.dsl.scarlet.be] has joined #openvpn
11:49 -!- Visual` [~visualsta@ip-80-236-230-209.dsl.scarlet.be] has quit [Changing host]
11:49 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
11:49 -!- APTX [~APTX@phpBB/developer/APTX] has joined #openvpn
11:53 -!- Floops [~baihu@64.210.44.2] has joined #openvpn
12:19 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 252 seconds]
12:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
12:43 -!- |Mike| [mike@2001:1af8:2:444::2] has joined #openvpn
12:43 < |Mike|> window move 9
12:47 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-rymcuomoflgmiqaw] has left #openvpn []
12:48 < jpalmer> no,  thats my #RHEL channel.  I'll keep it at 7 where it belongs, thanks :P
12:48 < |Mike|> okay j palmer :-)
12:48 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-rymcuomoflgmiqaw] has joined #openvpn
12:49 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-rymcuomoflgmiqaw] has left #openvpn []
12:49 -!- Floops [~baihu@64.210.44.2] has quit [Ping timeout: 240 seconds]
12:49 < |Mike|> I wonder when my ecologic friendly (hoodlamb) jacket arrives
12:50 < |Mike|> eco-friendly *
12:50 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-rymcuomoflgmiqaw] has joined #openvpn
12:54 < vpnHelper> RSS Update - forum: Configuration :: Can´t generate the master Certificate Authority (CA) :: Author pppiscis7 <https://forums.openvpn.net/viewtopic.php?f=6&t=7135&p=7873#p7873>
13:00 -!- bandini [~bandini@host153-108-dynamic.25-79-r.retail.telecomitalia.it] has joined #openvpn
13:03 -!- Floops [~baihu@64.210.44.2] has joined #openvpn
13:07 -!- bandini [~bandini@host153-108-dynamic.25-79-r.retail.telecomitalia.it] has quit [Ping timeout: 264 seconds]
13:18 < vpnHelper> RSS Update - forum: Server Administration :: Re: Openvpn connection to server but mail fails to open :: Reply by jerry <https://forums.openvpn.net/viewtopic.php?f=4&t=7127&p=7874#p7874>
13:41 -!- Floops [~baihu@64.210.44.2] has quit [Ping timeout: 252 seconds]
13:47 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
13:54 -!- Floops [~baihu@64.210.44.2] has joined #openvpn
14:00 -!- plundra [404@article.se] has quit [Ping timeout: 240 seconds]
14:04 -!- plundra [404@article.se] has joined #openvpn
14:08 -!- jeev [~jeev@unaffiliated/jeev] has quit [Ping timeout: 245 seconds]
14:11 -!- lolmaus [lolmaus@home-pool-178-112.com2com.ru] has joined #openvpn
14:11 < lolmaus> Hey everybody, can you help me with this one please? https://forums.openvpn.net/viewtopic.php?f=6&t=7126&p=7872#p7872
14:11 < vpnHelper> Title: OpenVPN Support Forum View topic - Routing problem (at forums.openvpn.net)
14:11 -!- metze [~metze@samba/team/metze] has joined #openvpn
14:12 < metze> hi 
14:12 < vpnHelper> RSS Update - forum: Off Topic, Related :: Fun with Avahi :: Author squarooticus <https://forums.openvpn.net/viewtopic.php?f=1&t=7136&p=7875#p7875>
14:12 < metze> can someone tell me how I configure a tcp-server to keep listen for incoming connections after the connection to the client died?
14:13 < lolmaus> metze, does it not?
14:13 < metze> no
14:15 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
14:15 < krzee> metze, 
14:15 < krzee> !configs
14:15 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
14:15 < krzee> also:
14:15 < krzee> !tcp
14:15 < vpnHelper> krzee: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
14:17 < metze> at least with not with openvpn 2.1~rc7-1ubuntu3.5 on ubuntu
14:17 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:17 < krzee> metze, dont use rc7
14:17 < krzee> use 2.1.3 or the latest beta
14:17 < metze> ok, I'll try that
14:17 < krzee> you're using a version with known bugs
14:18 < krzee> also, see the bot's info above
14:18 < krzee> lolmaus, 
14:18 < krzee> !serverlan
14:18 < vpnHelper> krzee: "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
14:19 < krzee> ecrist, i saw you said something about unique hits on the routing page... what was that again?
14:20 -!- plundra [404@article.se] has quit [Ping timeout: 255 seconds]
14:20 < krzee> !/30
14:20 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
14:24 < lolmaus> !ipforward
14:24 < vpnHelper> lolmaus: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
14:25 < lolmaus> !linipforward
14:25 < vpnHelper> lolmaus: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
14:27 < lolmaus> krzee, hey that seems to be the thing!
14:28 < lolmaus> But #1 gives permission denied even with sudo
14:28 < krzee> and the .2 / .5 thing you mention is part of the default topology of openvpn
14:28 < krzee> im trying to reply to your forum post, but when i login it redirects me to the index =/
14:29 < krzee> what section is the post in?
14:29 < krzee> lolmaus, do this:
14:29 < krzee> cat /proc/sys/net/ipv4/ip_forward
14:29 < lolmaus> krzee, YOU ROCK
14:29 < lolmaus> I've got pings to LAN
14:29 < krzee> ahh, already fixed?  cool =]
14:29 < lolmaus> krzee, ever going to Moscow? :)
14:30 < krzee> since im having a tough time finding your post once logged in, can you reply to it giving the solution please =/
14:30 < krzee> lolmaus, no plans on it... but hopefully one day
14:30 < lolmaus> krzee, yessir!
14:32 < krzee> if you were just missing ip forwarding... you found all the hard stuff on your own
14:33 < krzee> =]
14:33 < lolmaus> krzee, that's when IRC rocks. You helped me out with a single word
14:33 < krzee> ya, we've taught that bot a lot =]
14:38 < lolmaus> krzee https://forums.openvpn.net/viewtopic.php?f=6&t=7126&p=7876
14:38 < vpnHelper> Title: OpenVPN Support Forum View topic - Routing problem (at forums.openvpn.net)
14:38 < vpnHelper> RSS Update - forum: Configuration :: Re: Routing problem :: Reply by lolmaus <https://forums.openvpn.net/viewtopic.php?f=6&t=7126&p=7876#p7876>
14:38 < lolmaus> Haha :)
14:40 -!- plundra [404@article.se] has joined #openvpn
14:48 < ecrist> krzee: let me look
14:48 < ecrist> krzee: 1756 unique page views this month
14:48 < krzee> wow
14:48 < ecrist> about 1/4 my total traffic.
14:53 < krzee> \o/
14:54 -!- manevra [~manevra@66.199.231.250] has joined #openvpn
15:03 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
15:08 -!- manevra [~manevra@66.199.231.250] has quit []
15:11 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
15:18 -!- jeev [~jeev@206.217.223.151] has joined #openvpn
15:24 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
15:36 < Dougy> fuck
15:36 < Dougy> why did i have milk when i woke up
15:38 < box2> milk is never a happy thing
15:51 -!- lolmaus [lolmaus@home-pool-178-112.com2com.ru] has quit []
16:19 -!- bandini [~bandini@host153-108-dynamic.25-79-r.retail.telecomitalia.it] has joined #openvpn
16:43 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
16:46 -!- bandini [~bandini@host153-108-dynamic.25-79-r.retail.telecomitalia.it] has quit [Ping timeout: 245 seconds]
16:51 < vpnHelper> RSS Update - forum: Configuration :: Re: Routing problem :: Reply by Plasmadog <https://forums.openvpn.net/viewtopic.php?f=6&t=7126&p=7877#p7877> || Pay OpenVPN Service Provider Reviews/Comments :: [Free VPN] VPN Steel :: Author Zero3K <https://forums.openvpn.net/viewtopic.php?f=21&t=7137&p=7878#p7878>
17:04 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 276 seconds]
17:05 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
17:27 -!- mmestnik [~mmestnik@173-160-118-149-Minnesota.hfc.comcastbusiness.net] has quit [Ping timeout: 252 seconds]
17:31 -!- mmestnik [~mmestnik@173-160-118-149-Minnesota.hfc.comcastbusiness.net] has joined #openvpn
17:40 -!- reiffert [~thomas@mail.reifferscheid.org] has joined #openvpn
17:52 -!- arejay [arejay@i.write.shellcode.eu] has joined #openvpn
18:11 -!- arejay is now known as arejay|elsewhere
18:13 < |Mike|> arejay|elsewhere: we really don't care about your afk/gone/shitting status :-)
18:14 < reiffert> moin
18:14 < |Mike|> ohai reiffert !
18:17 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
18:19 < krzee> moin!
18:19 < |Mike|> hey j
18:21 -!- Floops [~baihu@64.210.44.2] has quit [Changing host]
18:21 -!- Floops [~baihu@shellium/staff/floops] has joined #openvpn
18:24 -!- arejay|elsewhere is now known as arejay
18:25 < krzee> sup mike
18:27 -!- jeev [~jeev@206.217.223.151] has quit [Changing host]
18:27 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
18:27 < |Mike|> bugging nigel kersten a bit :)
18:43 -!- takamichi [~pri@78.133.38.192] has quit []
18:56 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
19:07 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
19:51 -!- phantomcircuit [~phantomci@adsl-99-170-147-98.dsl.pltn13.sbcglobal.net] has joined #openvpn
20:26 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
20:36 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
20:37 -!- phantomcircuit [~phantomci@adsl-99-170-147-98.dsl.pltn13.sbcglobal.net] has quit [Remote host closed the connection]
20:37 < Dougy> rawr
20:38 < atan> Hey folks! I am trying to figure out exactly why my VPN connection on port 443 is caught by a firewall, whereas a very similar (I think?) openvpn server running on port 443 isn't.
20:39 < atan> I only have access to the client configs for each, and the server config for the problematic server.
20:40 < atan> I want to work out a way so my :443 server slips past this blockage in the pipe like the other servers do.
20:40 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has quit [Read error: Operation timed out]
20:43 < atan> http://pastie.org/1187914 is the functional OpenVPN client config
20:43 < atan> And the other config, well, is like three lines long. dev tun, static key, port 443
20:43 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined #openvpn
20:43 < atan> Where did I go wrong? Or I mean, where did they go right? =)
20:51 -!- d457k [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined #openvpn
20:53 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has quit [Ping timeout: 272 seconds]
20:56 -!- atan [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
21:00 -!- d457k [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has quit [Remote host closed the connection]
21:05 -!- d303k [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined #openvpn
21:14 -!- d303k [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has quit [Ping timeout: 252 seconds]
21:15 -!- d303k [~heiko@vpn.astaro.de] has joined #openvpn
23:06 -!- atan [~atan@173.208.45.179] has joined #openvpn
23:06 < atan> Hey guys.... I can't seem to get OpenVPN to connect using TCP 
23:06 < atan> server is set to tcp-server, client config says tcp-client
23:11 -!- atan [~atan@173.208.45.179] has quit [Ping timeout: 240 seconds]
23:18 -!- arejay is now known as arejay|elsewhere
23:21 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:24 -!- arejay|elsewhere is now known as arejay
23:51 -!- atan [~atan@blk-222-132-103.eastlink.ca] has joined #openvpn
--- Day changed Wed Sep 29 2010
00:03 < vpnHelper> RSS Update - forum: Wishlist :: Re: Windows Client Source Code + Build Instructions :: Reply by ecrist <https://forums.openvpn.net/viewtopic.php?f=10&t=7073&p=7879#p7879> || Pay OpenVPN Service Provider Reviews/Comments :: Re: [Free VPN] VPN Steel :: Reply by ecrist <https://forums.openvpn.net/viewtopic.php?f=21&t=7137&p=7880#p7880>
00:05 -!- atan [~atan@blk-222-132-103.eastlink.ca] has quit [Ping timeout: 265 seconds]
00:15 < vpnHelper> RSS Update - forum: Authentication Scripts :: Re: Automatically fill in username and password :: Reply by ecrist <https://forums.openvpn.net/viewtopic.php?f=16&t=7093&p=7881#p7881>
00:27 < vpnHelper> RSS Update - forum: Pay OpenVPN Service Provider Reviews/Comments :: Re: [Free VPN] VPN Steel :: Reply by Zero3K <https://forums.openvpn.net/viewtopic.php?f=21&t=7137&p=7882#p7882>
01:09 < vpnHelper> RSS Update - forum: Server Administration :: Re: ethernet tunnel (not bridge) random PING problem :: Reply by ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7099&p=7883#p7883>
01:09 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
01:24 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
01:31 -!- severnaya [~severnaya@unaffiliated/severnaya] has joined #openvpn
01:31 < severnaya> i'm generating 4096 bit dh-parameters, and its taking forever. is this overkill?
02:01 -!- jesse_ [~jesse@203.111.190.18] has joined #openvpn
02:01 < jesse_> Hi, can someone help me with openvpnas and ubuntu, NetworkManager?
02:02 < jesse_> it's driving me nuts!  I've googled it for days
02:02 < Bushmills> !ubuntu
02:02 < vpnHelper> Bushmills: "ubuntu" is dont use network manager!
02:02 < HoboSteaux> you dont with network manager
02:03 < Bushmills> check out wicd
02:03 < HoboSteaux> or just have is a service in the background
02:03 < jesse_> ok will do, but I'm setting this up for "users" so want to let them click on and off
02:05 < jesse_> how do you solve the problem with a user using cli openvpn - can'
02:05 < jesse_> can't create tun device?
02:06 < Bushmills> sudo openvpn start,  sudo openvpn stop   
02:07 < jesse_> from the wicd faq:
02:07 < jesse_> Does Wicd support VPN?
02:07 < jesse_> Not really. 
02:07 < jesse_> ??
02:08 < Bushmills> it allows you to execute pre- and post connect/disconnect commands
02:10 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:14 -!- jesse_ [~jesse@203.111.190.18] has quit [Ping timeout: 265 seconds]
02:15 -!- severnaya [~severnaya@unaffiliated/severnaya] has quit [Quit: Leaving]
03:09 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Quit: leaving]
03:26 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
03:30 -!- dazo_afk is now known as dazo
03:30 < vpnHelper> RSS Update - forum: Server Administration :: OpenVPN, Squid and two networks. How to setup routing? :: Author telepups <https://forums.openvpn.net/viewtopic.php?f=4&t=7138&p=7884#p7884>
03:37 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:55 -!- Floops [~baihu@shellium/staff/floops] has quit [Read error: Operation timed out]
04:02 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
04:05 -!- mattock [~samuli@gprs-prointernet-ff326a00-5.dhcp.inet.fi] has joined #openvpn
04:23 < Cmdr_W_T_Riker> i run openvpn on a handful of servers, yet on one of them the connection drops after a while. I can't find out why this happens. I've run openvpn in the foreground, verbosity level on 9. Yet i don't see what's going wrong. The only work-around for me is to have a cron like "ping -c 10 10.8.0.1 &>/dev/null || service openvpn restart"
04:24 < Cmdr_W_T_Riker> i'm a bit stuck as to where to find out more about the cause of the problem
04:25 < Cmdr_W_T_Riker> both the server and the client are in the same subnet, and this connection is reliable
04:28 < Bushmills> !keepalive
04:28 < vpnHelper> Bushmills: Error: "keepalive" is not a valid command.
04:30 < Bushmills> http://scarydevilmonastery.net/snap/1285752590310417794d.png  <<< Cmdr_W_T_Riker
04:30 < Cmdr_W_T_Riker> thanks
04:32 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has joined #openvpn
04:32 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Client Quit]
04:49 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
04:57 -!- mattock [~samuli@gprs-prointernet-ff326a00-5.dhcp.inet.fi] has quit [Ping timeout: 272 seconds]
05:07 < Cmdr_W_T_Riker> it appears the keepalive setting was already in place by the default configuration. The logs do actually show this behaviour as in "Wed Sep 29 11:57:22 2010 [server] Inactivity timeout (--ping-restart), restarting"
05:08 < Cmdr_W_T_Riker> but that doesn't help getting the connection back on its feet
05:10 < Bushmills> keepalive should prevent connection from dropping in first place.
05:14 < Bushmills> make sure you don't have a too low setting of  --inactive
05:19 < dazo> Cmdr_W_T_Riker: you need to have --persist-key and --persist-tun in your client config as well
05:19 < dazo> especially when using chroot and/or --user/--group
05:36 -!- bandini [~bandini@host34-109-dynamic.2-87-r.retail.telecomitalia.it] has joined #openvpn
05:46 < Cmdr_W_T_Riker> persist-key/tun are in place and there's no mention of --inactive in the config of the server (also the man page describes this as 'experimental'). Thanks thus far
05:47 < Cmdr_W_T_Riker> hmm
05:47 < Cmdr_W_T_Riker> think i've found something
05:48 < Cmdr_W_T_Riker> right, there's a duplicate IP address configured in the client-config-dir :/
06:14 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
06:16 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Read error: No route to host]
06:16 -!- mattock1 [~samuli@dyn55-11.yok.fi] has joined #openvpn
06:19 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
06:19 < fahmad> hello
06:20 < fahmad> !30
06:20 < vpnHelper> fahmad: Error: "30" is not a valid command.
06:20 < fahmad> !/30
06:20 < vpnHelper> fahmad: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
06:20 < fahmad> !topology
06:20 < vpnHelper> fahmad: "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
06:37 -!- bandini [~bandini@host34-109-dynamic.2-87-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
06:39 -!- sara2010 [~tun@203.100.181.58.dynamic.max.com.pk] has joined #openvpn
06:39 < sara2010> any one alive
06:39 < |Mike|> yes
06:42 < sara2010> |Mike| can u help me
06:42 < sara2010> i m using centos 
06:43 < sara2010> how i can connect with vpn server
06:43 < sara2010> >
06:45 < |Mike|> !howto
06:45 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:47 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
07:02 -!- tun [~tun@203.100.181.58.dynamic.max.com.pk] has joined #openvpn
07:02 -!- sara2010 [~tun@203.100.181.58.dynamic.max.com.pk] has quit [Read error: Connection reset by peer]
07:10 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
07:17 < vpnHelper> RSS Update - forum: Announcements :: Auto-login / cookie issue fixed :: Author samuli <https://forums.openvpn.net/viewtopic.php?f=20&t=7139&p=7885#p7885>
07:20 < mattock1> ecrist: nice work on vpnHelper :)
07:53 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
07:53 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
07:56 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
08:04 -!- arejay [arejay@i.write.shellcode.eu] has quit [Read error: Operation timed out]
08:06 -!- tun [~tun@203.100.181.58.dynamic.max.com.pk] has quit []
08:06 -!- Mkools [~mukul@117.196.214.205] has joined #openvpn
08:09 -!- arejay [arejay@i.write.shellcode.eu] has joined #openvpn
08:16 < Mkools> Hi, I have some questions related to ip address of my computer. And after that I want to setup my own vpn for playing games with friends. I am using Ubuntu 9.10 server edition. Can I ask?
08:16 < Mkools> barnex: I have two interface eth3 and eth4. eth3 facing Internet. I have eth3 using DHCP. BSNL is my service provider. My resolv.conf shows dns 192.168.1.1 but when I open that address on web and login I see another dns address. Which one real one is NAT is working here.
08:17 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has joined #openvpn
08:31 < |Mike|> firewall?
08:36 < Mkools> |Mike| talking to me?
08:36 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 264 seconds]
08:38 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
08:41 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
08:54 < Mkools> iptables
08:59 < Mkools> iptables
08:59 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Read error: Connection reset by peer]
09:03 < ecrist> mattock1: you around?
09:03 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
09:08 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
09:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
09:15 -!- WormFood [~wormfood@183.38.13.227] has quit [Remote host closed the connection]
09:20 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
09:21 < Mkools> hey guys any help
09:23  * ecrist reads up
09:24 < ecrist> Mkools: that 192 address you're seeing is an internal RFC1918 address
09:25 < Mkools> ecrist ya I know that. I just want to clear my ideas about the environment in which my computer is?
09:26 < ecrist> I don't know what you're asking.
09:28 < Mkools> ecrist: Okay actually I have single PC no LAN connected directly to Internet through modem. And I want to connect to my friend's PC who has got same evironment 
09:28 < Mkools> through openVPN 
09:29 < ecrist> ok...
09:29 < Mkools> we belong to same region that is our ISP is same.
09:29 < Mkools> BSNL
09:30 < ecrist> your service provider doesn't really matter to us.
09:32 < Mkools> Does modem has IP address? It looks because my route -n shows private LAN 192.168.1.0. And I thing 192.168.1.1 is my modem address and 192.168.1.2 is my computer's? Is it?
09:33 < ecrist> modem will have a public IP address.
09:33 < ecrist> http://www.secure-computing.net/ip.php
09:33 < vpnHelper> Title: SCN: SCN (at www.secure-computing.net)
09:33 < ecrist> that page will tell you what it is.
09:34 < Mkools> ya got it. my resolv.conf also shows 192.168.1.1 DNS entry
09:35 < ecrist> yeah, sounds like a normal home LAN
09:38 < Mkools> Cleared, But when I enter 192.168.1.1 a web app is shown in my browser which is specific to my ISP and asks password and user name. In that it has listed two other DNS addresses. What are those?
09:39 < ecrist> as I told you, 192.168.1.1 is a private address on your HOME lan
09:39 < ecrist> you're logging in to your home router.
09:44 < Mkools> yep that two other DNS addresses what are those? Are they specefic to ISP. Also In my route -n I get a address 169.254.0.0. It stands for what?
09:45 -!- manevra [~manevra@188.27.108.102] has joined #openvpn
09:45 < ecrist> that's the 'Automatic Private IP Addressing' netblock range.
09:45 < ecrist> http://ask-leo.com/why_cant_i_connect_with_a_169254xx_ip_address.html
09:46 < ecrist> your home router is acting as a DNS forwarder for your local LAN, that's the address you see there.
09:48 < Mkools> It is forwarding data to whom means which address. Does it forwards to the the IP which your link shown?Now I have installed proper software and 
09:48 < ecrist> Mkools: perhaps you're better off doing some research on home LANs are setup?
09:49 < Mkools> ecrist: GUI tools to configure openVPN any suggestions how to start? I am reading HOWTO of openvpn
09:49 < ecrist> that's a good start
09:51 < Mkools> ecrist: When say add it asks me of whether to use Cisco compitable vpn or openvpn? Which should I choose
09:52 < ecrist> well, this is #openvpn, so I'd use that one.
09:53 -!- EmperorTom [~EmperorTo@184-97-166-249.mpls.qwest.net] has quit [Remote host closed the connection]
09:55 < Mkools> okay, It asks me of gateway which should I choose the one listed in route -n i.e. 192.168.1.1 which is my home DNS or the one which is listed in home router?
09:55 < ecrist> dude, read the docs
09:57 < Mkools> ecrist: Can you please provide me the link of "How to configure HOME LAN", in docs specefic topic to read on solving my problem?
09:58 < ecrist> google.com
09:58 < Mkools> ya, done that please can you tell me the topic?
09:59 -!- Phenox_ [~Bernd@88.215.198.24] has joined #openvpn
10:00 -!- krzie [krzee@hemp.ircpimps.org] has joined #openvpn
10:00 -!- krzie [krzee@hemp.ircpimps.org] has quit [Changing host]
10:00 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
10:02 < Phenox_> hi, i have a problem: i have a running openvpn server/client installation using tun devices. Now i tried to push dhcp-options DNS to the client. But as soon as i put that options to ther server config I get the following error on the client side: RROR: --dev tun also requires --ifconfig
10:03 < krzie> Phenox_, 
10:03 < krzie> !configs
10:03 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
10:07 -!- Mkools [~mukul@117.196.214.205] has quit [Ping timeout: 245 seconds]
10:07 < Phenox_> http://pastebin.com/9iU8RFh1
10:08 < Phenox_> until now i found only working examples with dhcp push options when using dev tap instead of dev tun. is it possible that it is not working when using dev tun?
10:09 < krzie> works fine in dev tun
10:09 < krzie> what OS is the client?
10:09 < Phenox_> windows xp
10:09 < Phenox_> server: freebsd 8.1
10:09 < krzie> dunno if you can put them directly in client config or not tho
10:09 < krzie> like how in client you have #dhcp-option DNS 192.168.240.54
10:10 < krzie> i guess it should work since push just makes commands appear as if in client config... but i have never seen it done
10:10 < Phenox_> its working on the client side
10:10 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has quit [Quit: Leaving]
10:10 < Phenox_> but not using the push command
10:10 < krzie> route-delay should never be used with 1
10:11 < krzie> default for route-delay is 30
10:11 < Phenox_> k
10:11 < krzie> using 1 would actually reverse the point of using it
10:11 < krzie> im curious if you actually need tap-sleep 3
10:11 < Phenox_> k
10:11 < krzie> why do you have it there?
10:12 < Phenox_> i thought the error has been caused by the tap device, as it takes a while to come up...
10:13 < Phenox_> but it did not change anything except for an additional delay of 3 seconds ;\
10:13 < krzie> route-delay on a line by itself
10:13 < krzie> comment out tap-sleep
10:13 -!- bent_screwdriver [~socain00@74.255.249.66] has joined #openvpn
10:13 < krzie> !winroute
10:13 < vpnHelper> krzie: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
10:13 < krzie> ;]
10:13 < Phenox_> k
10:14 < Phenox_> i've tried route-method exe
10:14 < krzie> i see that
10:14 < bent_screwdriver> statickey - what permissions are recommended on the actual key/file?
10:14 < krzie> bent_screwdriver, 600 root:wheel
10:14 < krzie> err no
10:14 < krzie> 400 root:wheel
10:15 < krzie> bent_screwdriver, but use persist-key as well
10:15 < bent_screwdriver> thx!
10:15 < krzie> that way if you drop permissions, your openvpn doesnt die because it cant read the file
10:15 < bent_screwdriver> got that in the config, thx agn
10:15 < krzie> np
10:15 < Phenox_> do you have a working config server/client where the dhcp options using dev works?
10:16 < krzie> !sample
10:16 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
10:16 < krzie> pushing dhcp options works in that one
10:16 < Phenox_> k thx
10:16 < krzie> Phenox_, you did what i said?
10:16 < krzie> still didnt work?
10:16 < krzie> if not...
10:16 < Phenox_> i will look for the diff
10:16 < krzie> !configs
10:16 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
10:18 < Phenox_> yes i did what you said
10:18 < Phenox_> but it still does not work
10:18 < krzie> then paste logs of it pls
10:19 < krzie> also, what version openvpn are you running
10:19 < krzie> on each side
10:25 < Phenox_> server 2.1.1 client 2.0.9
10:25 < Phenox_> i updated the pastebin
10:25 < Phenox_> with the client log
10:26 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
10:27 < krzie> oh
10:27 < krzie> update the client
10:28 < krzie> may as well update the server while you're at it if thats not a problem
10:31 -!- pumkinhed [~pumkinhed@72.45.85.159] has joined #openvpn
10:34 < pumkinhed> hello #openvpn, i am having a problem with openvpn latest v on windows 7, if the computer resumes from hibernation it never reconnects, its set to keepalive
10:34 < pumkinhed> last time i was here jpalmer said it was a known issue, any idea if its been corrected, even on head?
10:35 < krzie> pumkinhed, tried the latest beta?
10:35 < krzie> 2.2-beta3
10:36 < pumkinhed> let me check...
10:36 < krzie> Phenox_, when you updated the pastebin, it gave you a new URL
10:37 < krzie> i didnt know that was a bug, but if it was a known bug it should be in the TRAC
10:37 < krzie> !community
10:37 < vpnHelper> krzie: Error: "community" is not a valid command.
10:37 < krzie> meh
10:37 < krzie> !trac
10:37 < vpnHelper> krzie: Error: "trac" is not a valid command.
10:37  * dazo watches krzie finding his secret word
10:37 < krzie> lol
10:37 < krzie> !factoids
10:37 < vpnHelper> krzie: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
10:37 < krzie> !bugs
10:37 < vpnHelper> krzie: "bugs" is https://community.openvpn.net/openvpn if we tell you that you found a bug. go there, open an account, and file a bug report in trac (your forum login is good for the trac too)
10:38 < krzie> moinmoin dazo
10:38 < dazo> krzie: moinmoin :)
10:39 < Phenox_> krzie: http://pastebin.com/Yvm6bphX
10:40 < Phenox_> sorry for the delay...went out for a smoke :)
10:40 < krzie> Phenox_, ya the problem is your old version
10:40 < krzie> Wed Sep 29 16:56:49 2010 us=103122 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:29: push-continuation (2.
10:40 < krzie> thats the cause... because of 2.0.9
10:41 < dazo> push continuation is only supported in 2.1 clients, and is sent from 2.1 servers
10:41 < krzie> right
10:41 < dazo> it comes automatically when your push strings are too long
10:41 < Phenox_> k
10:41 < Phenox_> i'll update the client
10:42 < krzie> may as well update both to 2.1.3 =]
10:42 < krzie> although your server being 2.1.1 will still work... why not update both ;]
10:43 < Phenox_> updating the server would be somewhat uncomfortable as i to recompile it from source not managed by the ports/packages system
10:43 < Phenox_> but i'll try it anyway
10:43 < krzie> its easy to compile, no special hackery needed
10:43 < krzie> unless openbsd, but then you just point to 2 files in the ./configure
10:43 < krzie> although i have a feeling you're not using openbsd ;]
10:46 < ecrist> Phenox_: why doesn't ports deal with the new version?
10:47 < krzie> oh ya, he did say ports... we know for a fact that fbsd ports stays updated
10:47 < dazo> 2.1.1 -> 2.1.{2,3} is strictly not a critical update on non-windows ... there are a few bug fixes which are "nice to have", but nothing which really screams out "must upgrade" ... On Windows, it's a must to do this update
10:47 < Phenox_> hmm...ask the freebsd maintainer responsible for the openvpn port
10:47 < Phenox_> id dont know
10:47  * krzie points to ecrist 
10:47 < krzie> lol
10:47 < dazo> heh
10:47 < krzie> Phenox_, you are talking to the maintainer... it stays up to date
10:48 < krzie> (ecrist)
10:48 < krzie> update your ports tree :-p
10:48 < Phenox_> i didn't plan to move to current ;)
10:49 < ecrist> Phenox_: you don't need to move to current.
10:49 < ecrist> ports and base system are different
10:49 < ecrist> portsnap fetch && portsnap update
10:49 < ecrist> if you've never used portsnap: portsnap fetch && portsnap extract
10:49 < ecrist> after the first extract, just use update instead.
10:49 < Phenox_> k i'm used to check it out manually from cvs...
10:50 < ecrist> you can do that, too.
10:50 -!- Irssi: #openvpn: Total of 75 nicks [2 ops, 0 halfops, 0 voices, 73 normal]
10:50 < Phenox_> i just didnt know that there is portsnap
10:50 < Phenox_> :)
10:51 < krzie> portsnap used to be a port, now its part of the base system
10:51 < Phenox_> k
10:51 < krzie> there are a couple reasons to choose portsnap over cvs, main one being MITM
10:51 < Phenox_> most of my systems still run 5.x
10:51 < krzie> ouch
10:51 < krzie> i skipped 5.x all together
10:51 < Phenox_> its rock solid :)
10:51 < krzie> 4.x was great, 6.x was great... 5.x was kinda a stepping stone from 1 to the other imho
10:52 < ecrist> 5.x is the bastard child of freebsd releases.
10:52 < krzie> lol ya
10:52 < Phenox_> lol
10:52 < ecrist> 6 was released to fix all the broken shit in 5
10:52 < Phenox_> i might consider updating
10:52 < ecrist> 5.x is the reason for many of the bsd forks, like dragonfly
10:52 < krzie> this is true
10:53 -!- EmperorTom [~EmperorTo@184-97-166-249.mpls.qwest.net] has joined #openvpn
10:53 < ecrist> Phenox_: you know 6.x loses support next month, right?  5.x has been out of support for quite some time.
10:53 < krzie> aww
10:53 < Phenox_> the same with 8.0
10:53 < ecrist> 8.1 is current release, with 8.2 out sometime early spring (possibly with a 7.4)
10:53 < krzie> i like 6 =/
10:53 < krzie> 6 isnt vuln to the new bugs in 8
10:54 < Phenox_> this is why i need to update our core routers to 8.1
10:54 < krzie> kernel bugs, released and otherwise
10:54 < ecrist> krzie: most of the vulns I've been made aware of are only locally exploitable.
10:54 < krzie> yup
10:55 < ecrist> including that mbuf one (though there are other attack vectors to help make it local)
10:55 < Phenox_> well, nevertheless i try to keep our routers updated
10:55 < Phenox_> we dropped all ciscos and replaced them by freebsd ones
10:55 < krzie> which is why its so important to use diff passwords on different boxes
10:55 < Phenox_> no problems so far
10:56 < Phenox_> we use only pubkeys
10:56 < ecrist> Phenox_: just upgrade to juniper core hardware and you'll be running freebsd. :)
10:56 < Phenox_> i know :)
10:57 < krzie> with a terrible gui (last i saw)
10:57 < Phenox_> the main reason why we use freebsd instead of linux or vyatta is ng_netflow :)
10:58 < ecrist> o.O
10:58 < Phenox_> i always prefer the cli on junos
10:58 < krzie> i prefer the cli on *
10:59 < krzie> ;]
10:59 < Phenox_> :)
10:59 < Phenox_> thats true
10:59 < ecrist> ditto
10:59 < Phenox_> but you dont want to use windows on the cli
10:59 < krzie> s/on the cli//
10:59 < ecrist> fwiw:
10:59 < ecrist> PORTNAME=	openvpn
10:59 < ecrist> DISTVERSION=	2.1.3
11:00 < Phenox_> but you probably dont want to use windows at all :)
11:00 < ecrist> windows CLI is OK, if you install PowerShell
11:00 < krzie> ecrist has to use windows =]
11:00 < Phenox_> :)
11:00 < ecrist> krzie: for two things: 1) your statistics. 2) one server for our DC that we use for web browsing and a few other simple things
11:01  * ecrist sports the MBP
11:01 < Phenox_> as i need to configure checkpoints as well i have a windows vm,too
11:01 < krzie> oh i thought you still had to have windows for your security app testing
11:01 < krzie> but yup, im also sporting the mbp
11:01 < krzie> MacBookPro6,1 CPU: Intel Core i7 M 620 2.67GHz @ 2.66GHz [/FPU/MMX/SSE/SSE2/SSE3/S.SSE3/SSE4.1/SSE4.2/x86_64/PAE/XD/EM64T/VMX/EST] L2: 512K FSB: 4800MHz Airport:  (802.11 a/b/g/n)  RAM: 1.5GB/8.0GB Vram: 0.00M/64.00M Disk: 385.4GB/465.44GB GPU: Intel HD Graphics [288 MB/Stock] 1920x1200 OS: Mac OS X 10.6.4 (10F569) Kernel: Darwin 10.4.0 Up: 21:52 4 
11:02 < ecrist> oh, the burglar alarms programming software is windows-only, as well.
11:02 < Phenox_> i thing macs lost most of their charme when moving from ppc to intel
11:02 < ecrist> krzie: which command was that?
11:02 < jeev> wow
11:02 < jeev> a macluser
11:03 < jeev> i got osx on my lenovo, only thing that doesn't work is wifi
11:03 < Phenox_> but macos runs in a virtualbox as well :)
11:03 < jeev> ah
11:03 < Phenox_> i got it on my thinkpad to...but the trackpoint didnt work :)
11:03 < jeev> minei works
11:03 < krzie> ecrist, macinfo, from xinfo.py
11:03 < jeev> just no wireless, tried to change the card but stupid error comes up
11:04 < Phenox_> and the ati card only after some hacking
11:04 < jeev> saying it's a different card
11:04 < Phenox_> and i always closed my browser when trying to type the @ sign :D
11:05 < krzie> my desktops at home / work are 100% working hackintoshes
11:05 < krzie> both with 64bit/32bit working perfect
11:06  * ecrist installs xchat for pretty info
11:07 < Phenox_> hooray...its working with the new client :)
11:07 < krzie> ecrist, i think there is a irsii version
11:07 -!- manevra [~manevra@188.27.108.102] has quit []
11:08 < krzie> the devs of that script are in osx86.hu #snowleopard
11:08 < Phenox_> unfortunately Apple dropped ZFS... :(
11:08 < ecrist> irssi runs on my freebsd machine
11:08 < krzie> oh ok
11:08 < krzie> Phenox_, they did???
11:08 < krzie> i didnt know bout that
11:08  * krzie uses fbsd ZFS on his NFS
11:09 -!- ecrist_m [~r00t@ms.choksondik.secure-computing.net] has joined #openvpn
11:09 < Phenox_> afair they put it off the dev roadmap
11:09 < krzie> ms choksondik, LOL
11:10 < ecrist> :)
11:10 < Phenox_> and unfortunately oracle dropped opensolaris
11:11 < krzie> wow
11:11 < krzie> so fbsd is the only keepers of OS zfs now
11:11 < krzie> (opensource)
11:11 < Phenox_> well, there is an opensolaris fork
11:11 < Phenox_> openindiana
11:11 < krzie> and thats still not 100%... it still uses cddl i believe
11:12 < krzie> hah wow im out of the loop, i didnt know any of this
11:12 < Phenox_> oracle dropped everything the could not generate money of
11:12 < ecrist_m> MacBookPro6,2 CPU: Intel Core i7 M 620 2.67GHz @ 2.66GHz [/FPU/MMX/SSE/SSE2/SSE3/S.SSE3/SSE4.1/SSE4.2/x86_64/PAE/XD/EM64T/VMX/EST] L2: 512K FSB: 4800MHz Airport:  (802.11 a/b/g/n)  RAM: 4.7GB/8.0GB Vram: 38.67M/256.00M Disk: 3.33TB/9.48TB GPU: Intel HD Graphics [288 MB/Stock] 1680x1050 and 1680x1050@60Hz OS: Mac OS X 10.6.4 (10F569) Kernel: Darwin 10.4.0 Up: 21 days 
11:12 < ecrist_m> 12:22
11:12 < Phenox_> =)
11:13 < ecrist> lots of work to get to that. :)
11:13 < krzie> umm
11:13 < krzie> wtf
11:13 < krzie> no way you have 9.5 TB on a laptop
11:13 < krzie> mounted your NFS?
11:14 < HoboSteaux> haha must have thats ridiculous
11:14 < ecrist> yeah, I've got about 5 things mounted at the moment.
11:14 < krzie> other than that we have the same specs
11:14 < krzie> i plan on taking out the superdrive and putting in a ssd with a conversion kit
11:15 < ecrist> I have two smaller montiors to your one, larger monitor.
11:15 -!- ecrist_m [~r00t@ms.choksondik.secure-computing.net] has quit [Quit: Leaving]
11:15 < krzie> ya i got the 17", and never bother plugging it into my 42" tv
11:15 < krzie> my desktop uses the 42" as its primary monitor
11:15 < krzie> which i control from the laptop using synergy
11:15 < ecrist> I only have the 15" model
11:16 < ecrist> and I don't have a desktop, so this replaces everything.
11:16 < ecrist> I need to get my new triple-head-to-go
11:16 < krzie> currently have back to the future 3 playing on the 42" hackintosh pro
11:20 < ecrist> I've considered setting up a hackintosh.
11:21 < ecrist> I've also considered just picking up a macmini
11:21 < krzie> im gunna get one of thoe too
11:21 < krzie> those*
11:21 < krzie> that will run a projector in my living room
11:22 < krzie> it will be mounted behind a beam running along my ceiling, and i will control it with a VLC app for the iphone
11:24 < ecrist> krzie: you ever used geek tool?
11:24 < ecrist> http://skitch.com/ecrist/d3bwj/geek-tool
11:24 < vpnHelper> Title: Skitch.com > ecrist > geek tool (at skitch.com)
11:24 < krzie> neg
11:25 < krzie> mmm my girl is cooking pasta and it smells goooooooood
11:25 < ecrist> that's some of what I have embedded on the desktop
11:25 < krzie> nice
11:27 < ecrist> the top, ipv4/6 indicators and the temp/weather are just scripts.
11:27 < ecrist> in geek tool, you can set an icon to change based on exit status of a shell script
11:28 < ecrist> in the connection case, it's simply green for successful ping, red for broken.
11:28 < ecrist> :)
11:28 < krzie> niiiice
11:30 -!- m2rt [~m2rt@sa-84-52-10-135.saturn.infonet.ee] has joined #openvpn
11:30 < m2rt> !welcome
11:30 < vpnHelper> m2rt: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:31 < krzie> omg theres an ee... i must have krz.ee
11:32 < krzie> estonia!
11:32 < m2rt> Estfreakingonia!
11:33 < krzie> awww
11:33 < krzie> Domain registration under .ee is open only for the institutions operating and registered in Estonia
11:33 < m2rt> krzie, lies!
11:33 < m2rt> EVERYONE can register a domain in Estonia. New domain regulations.
11:33 < krzie> oh awesome!
11:34 < krzie> can you point me to a registrar which allows this?
11:34 < m2rt> https://www.zone.ee/en/
11:34 < vpnHelper> Title: Shared hosting | Dedicated hosting | Domain registration | Free hosting - Zone.ee (at www.zone.ee)
11:34 < krzie> thank you =]
11:34 < krzie> how can i help you with openvpn...?
11:36 < krzie> Foreign registrants must pay attention to the fact, that you can only register a domain name if you have a person with an Estonian personal ID code as an administrative contact, who has the required mandate. Foreign registrants must establish their identity if required by the registry, by providing the registrar (us) with an extract or certificate of registration from the corresponding registry of the foreign country.
11:36 < krzie> heh
11:36 < m2rt> Yeah, you have to show that you are actually a human being :P
11:36 < krzie> but im a bot =/
11:36 < krzie> ;]
11:37 < m2rt> :P
11:39 < m2rt> So I have a probably weird question... Can you tell me if its possible to do that... I have 2 networks. Network A is a network with only dhcp server and where people connect to(not connected to internet). Network B is network which has various servers and is connected to internet. Can I have OpenVPN server between those networks which will let Network A clients to Network B and give them Network B IP address (so I can track usage using my n
11:39 < m2rt> etwork B internet gateaway). I want the traffic in Network A to be encrypted. Network B is in server room and won't be accessed physically.
11:39 < m2rt> What I want to do? I want to do that no one (if the hack to the wifi on Network A) can eavesdrop on my local network.
11:40 < krzie> network B internet gateway can track usage even if you dont use the same IPs
11:40 < krzie> right...?
11:40 < m2rt> Yes... But I want to track based on IP
11:40 < krzie> sure
11:41 < krzie> based on network A's IP's
11:41 < krzie> LAN ips
11:41 < krzie> then it also NATs network A's IPs
11:41 < krzie> you need a combination of !route and !redirect
11:41 < krzie> but in a different style than either normally is...
11:42 < krzie> is network A's default gateway a linux machine?
11:42 < krzie> (or bsd or anything like that)
11:43 < m2rt> But is this solution viable for like 30 users to protect the user physically accessable network against packet theft or listening. So that the data reaches to my internet gateaway without nobody being able to see the contents. (Assuming Network B is secured in a locked room).
11:43 < m2rt> Yes, Network A gateaway will probably be Debian or Ubuntu box. Anything I decide it to be :P
11:47 < krzie> nice
11:47 < krzie> m2rt, yes
11:47 < krzie> oh wait
11:48 < krzie> network A itself isnt trusted?
11:48 < m2rt> OpenVPN clients on Network A are trusted. Anybody else is not.
11:48 < krzie> oh ok
11:48 < krzie> i was going to route the entire network over the vpn, but it seems you want individual clients instead
11:48 < krzie> which is no problem, just a different way of doing it
11:49 < krzie> in that case your setup is more simple
11:49 < krzie> !redirect
11:49 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
11:49 < krzie> the NAT normally happens on ovpn server, but you want it to happen on network B internet gateway
11:49 < krzie> that way you can track usage by VPN ip
11:50 < krzie> =]
11:50 < krzie> other than that little change, its a quite standard request
11:50 < m2rt> So the clients can access the IPs of the Network B too right? We have few sharing servers and what else.
11:50 < krzie> if you want them to, yes
11:50 < krzie> !serverlan
11:51 < vpnHelper> krzie: "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
11:51 < krzie> so both things require IP forwarding on the server
11:51 < m2rt> Nice! Now I am gonna write a presentation about it, do some research and make my bosses to agree me to make it happen.
11:51 < m2rt> Thank you very much.
11:51 < krzie> then you need a route back to VPN subnet on the internet gateway of network B
11:51 < krzie> and that same gateway needs to NAT VPN subnet to inet
11:52 < krzie> no problem man, thanx for educating me about .ee registration... 1 more ? about that...
11:52 < krzie> do they do private registration, or do i need to get a girl in usa to use her name for me
11:53 < m2rt> Sadly I have no idea. The best option is to ask them: https://www.zone.ee/en/feedback
11:53 < vpnHelper> Title: Feedback - Zone.ee (at www.zone.ee)
11:53 < krzie> good stuff, thanx =]
11:53 < m2rt> np
11:54 < krzie> Message has been sent successfully!
12:37 < ecrist> krzie: worst case, I provide a 'front' for private registrations
12:37 < jpalmer> you're a frontman!
12:37 < ecrist> Domain Services (domain-services@secure-computing.net) with my address
12:38 < jpalmer> krzie: did you ever get time to create an invoice for me?
12:38 < krzie> ecrist, oh cool you wouldnt mind doing that?
12:38 < krzie> jpalmer, doh! i forgot =/
12:38 < ecrist> nope
12:39 < krzie> ill do that today when at work
12:39 < krzie> thanx ecrist, that would be great
12:42 < jpalmer> ecrist: krzie don't know if either of you care about ipv6.   but http://ipv6.he.net/certification is a fair amount of fun,  and teaches a little bit ;)
12:42 < vpnHelper> Title: Hurricane Electric Free IPv6 Certification (at ipv6.he.net)
12:42 < ecrist> jpalmer: I've been 'Sage' for ~3 years
12:42 < jpalmer> ecrist: bah,  fine then :P
12:42 < ecrist> http://secure-computing.net/
12:42 < vpnHelper> Title: Secure Computing Networks (at secure-computing.net)
13:08 -!- darkwind [~bpayne@rrcs-70-61-50-54.central.biz.rr.com] has joined #openvpn
13:12 -!- takamichi [~pri@78.133.38.192] has quit []
13:15 -!- dazo is now known as dazo_afk
13:22 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-rymcuomoflgmiqaw] has left #openvpn []
13:35 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
13:39 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
13:40 -!- m2rt [~m2rt@sa-84-52-10-135.saturn.infonet.ee] has quit [Quit: Leaving]
13:49 -!- Meliorator [m@dunnington.eu] has quit [Ping timeout: 276 seconds]
13:50 -!- Meliorator [m@dunnington.eu] has joined #openvpn
14:12 < hyper_ch> howdy
14:23 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:56 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
14:58 < koaschten> I am looking for help concerning a redirect-gateway configuration on a vServer, i currently can connect to the server via openvpn and ping the remote adress but redirecting traffic is not working.
14:58 < ecrist> !def1
14:58 < vpnHelper> ecrist: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
14:58 < koaschten> iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o venet+ -j MASQUERADE
14:58 < koaschten> iptables: No chain/target/match by that name.
14:59 < ecrist> I can't help with iptables
15:01 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 272 seconds]
15:02 < koaschten> i am not 100% clear on the def1 stuff, why and where would i add that?
15:02 < ecrist> push "redirect-gateway def1"
15:03 < koaschten> so it goes to the server config?
15:03 < ecrist> yes
15:04 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
15:09 < koaschten> doesnt do a thing :/
15:11 -!- openvpn2009 is now known as patel
15:12 -!- patel is now known as openvpn2009
15:12 -!- koaschten_ [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
15:13 < koaschten_> adding redirect gateway in the client config traceroutes will go via the openvpn server but die there, probably because of the not working iptables rule :(
15:13 < ecrist> !linipnat
15:13 < vpnHelper> ecrist: Error: "linipnat" is not a valid command.
15:13 < ecrist> !linnat
15:13 < vpnHelper> ecrist: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
15:14 < koaschten_> ecrist scroll up ;) i know the rule, but it wont add it
15:14 < koaschten_> iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o venet+ -j MASQUERADE
15:14 < koaschten_> iptables: No chain/target/match by that name.
15:14 < |Mike|> lol
15:16 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Ping timeout: 276 seconds]
15:17 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
15:17 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
15:22 -!- srk9 [~richard@unaffiliated/srk9] has joined #openvpn
15:22 < srk9> I have an OpenVPN server setup on a Linksys router running OpenWRT and I currently have my system connected to it and configured to route all traffic through it. Unfortunately, I have a problem in that the subnet that OpenVPN makes is isolated from the rest of my home network and consequently, the entire internet, which defeats the purpose of routing all traffic through it. My router has the Linux 2.4 kernel. Does anyone know how I can tell the ...
15:22 < srk9> ... Linux kernel that I want it to act as a L3 router and forward packets from OpenVPN's subnet to the local gateway (my NAT router) and receive packets from the local gateway intended for its subnet?
15:25 -!- koaschten_ [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Read error: Connection reset by peer]
15:26 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
15:29 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
15:40 -!- mattock1 [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
15:52 -!- srk9 [~richard@unaffiliated/srk9] has quit [Quit: leaving]
16:08 < vpnHelper> RSS Update - forum: Configuration :: AS Admin Login not working :: Author jcsa1986 <https://forums.openvpn.net/viewtopic.php?f=6&t=7140&p=7886#p7886>
16:18 -!- cps [~The_Toxic@unaffiliated/the-toxic-mite/x-8446554] has joined #openvpn
16:29 -!- budmang [6337eae6@gateway/web/freenode/ip.99.55.234.230] has joined #openvpn
16:29 < budmang> Any reason why ifconfig-pool-persist, would just start adding duplicates for the same clients?
16:30 < budmang> We have had no issues 1000+ uptime, we upgraded openvpn versions(big jump), and now the ipp.txt file, is adding a second entry for all clients to the ipp.txt file.
16:31 < krzee> !ipp
16:31 < vpnHelper> krzee: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
16:31 < krzee> there is normally no good reason to actually use that option
16:33 < budmang> Right, Ive read the other options, and which one to go first etc..
16:33 < budmang> Im just trying to wrap my head around what changed/causes this..
16:33 < budmang> Why would OpenVPN randomly after 1000+days, start adding a second entry for every client(when one is already there)?
16:34 < krzee> did you change topology?
16:34 < budmang> I pretty sure I didnt, cause I dont know what that is.
16:35 < krzee> !topology
16:35 < vpnHelper> krzee: "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
16:36 < krzee> but really, ipp is just a suggestion, openvpn can at any time decide it doesnt want to listen to the ipp file, i would expect that to create a new entry for the client in question
16:37 < budmang> !static
16:37 < vpnHelper> budmang: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
16:43 < budmang> !iporder
16:43 < vpnHelper> budmang: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
16:43 < budmang> whats a client connect script? is that diffferent from the CCD file?
16:50 < budmang> Is there any way to have OpenVPN, assign the IPs statically,(exactly as its doing now, put statically). Having Openvpn See the First IP and use that etc..?
16:50 < budmang> which out having to ifconfig-push to each ccd file?
16:55 < budmang> IE, the gateway, broadcast etc..., it sets sserv314,172.18.16.40  but the client gets .42 etc..
16:56 < reiffert> budmang: the bot was writing all relevant infos 20 minutes ago. why dont you read what's written there?
16:57 < budmang> Ive read all the bot spit out, on the site before joining the channel(plus reread it as it came through). I appreciate the unhelpful help attempt.
16:57 < budmang> Im asking something thats not in there, or if it is, masked in terms Im not following so Im asking for help.
16:58 -!- benofsky [562b5852@gateway/web/freenode/ip.86.43.88.82] has joined #openvpn
16:59 < benofsky> Hi, I followed instructions here for setting up openvpn: http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html — I can ping 10.8.0.1 (and typing it into web browser shows content from webserver running locally on server). I'm trying to use "redirect-gateway def1" though and it's not working. Everything just timesout
16:59 < vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
17:00 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 245 seconds]
17:00 < benofsky> I also ran this command on the server: sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
17:00 < benofsky> any ideas?
17:00 < benofsky> !welcome
17:00 < vpnHelper> benofsky: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:00 < krzee> !linnat
17:00 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
17:01 < krzee> looks right
17:01 < krzee> ip forwarding is enabled?
17:01 < krzee> basically,
17:01 < krzee> !redirect
17:01 < benofsky> how so?
17:01 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:01 < krzee> !linipforward
17:01 < vpnHelper> krzee: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
17:01 < krzee> you can do this to know:
17:01 < krzee> cat /proc/sys/net/ipv4/ip_forward
17:01 < krzee> if it says 1, its enabled
17:02 < benofsky> ok it says 0 at the moment
17:02 < benofsky> lemme change it
17:03 -!- benofsky [562b5852@gateway/web/freenode/ip.86.43.88.82] has quit [Quit: Page closed]
17:04 -!- benofsky [431715b8@gateway/web/freenode/ip.67.23.21.184] has joined #openvpn
17:04 < benofsky> krzee: thanks it worked!
17:05 -!- benofsky [431715b8@gateway/web/freenode/ip.67.23.21.184] has quit [Client Quit]
17:05 < vpnHelper> RSS Update - forum: Configuration :: Re: AS Admin Login not working :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7140&p=7887#p7887>
17:07 < krzee> budmang, a client-connect script can be read about in the manual
17:07 < krzee> basically, it is a dynamic ccd file
17:07 < krzee> the script which you write should spit out config options, which will be treated as ccd options for the connecting client
17:08 < krzee> it is an alternative to ccd files
17:08 < budmang> I figured that out. the thing I cant figure out is, with the ifconfig-pool-persist, the dhcp, the gateway etc.. everything is set/working. with a push you dont have all that
17:08 < krzee> and that script could read from a database if you wanted
17:08 < krzee> huh?
17:08 -!- srk9 [~richard@unaffiliated/srk9] has joined #openvpn
17:08 -!- srk9 [~richard@unaffiliated/srk9] has left #openvpn []
17:10 < budmang> If I use ifconfig-pool-persist, and connect, I get (allthis)http://pastebin.com/c2ctyDJU, with ifconfig-push in the ccd, my client wont even fully connect, as that stuff is all missing (as openvpn was handling dhcp/all that).
17:10 < budmang> I think I might just be asking wrong
17:10 < krzee> your ifconfig-push is prolly wrong
17:10 < krzee> show me
17:11 < krzee> oh god, network manager
17:11 < budmang> ifconfig-push 172.16.0.110 255.255.255.252 
17:11 < budmang> heh, I like to have the icons in my task bar.
17:11 < krzee> not for topology net30 (default topology)
17:11 < budmang> i do have some keys in my /etc/openvpn.
17:11 < krzee> lemme check how its supposed to be
17:12 < budmang> I appreciate it.
17:12 < krzee> more like this
17:13 < krzee> ifconfig-push 172.16.0.9 172.16.0.10
17:13 < krzee> see how that works
17:14 < budmang> Perfect you rock.
17:15 < koaschten> anyone got an idea whats going wrong here?
17:16 < koaschten> iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o venet+ -j MASQUERADE
17:16 < koaschten> iptables: No chain/target/match by that name.
17:16 < budmang> your missing the 0 venet0
17:16 < koaschten> -o venet is the wildcard match because venet0:0 is not allowed
17:16 < koaschten> err -o venet+
17:16 < budmang> plus you need to enable the iptables on that VEID
17:16 < budmang> I run the same setup
17:17 < koaschten> budmang how can i check if iptables is running on the right veid?
17:18 < budmang> koaschten: do you own the HOSTnode or is this a VPS with a company?
17:18 < koaschten> (it's obviously running on a vServer and i have no influence on the host system but tun/tap and iptables is enabled)
17:18 < koaschten> ^^
17:18 < budmang> Your hosts needs to enable the IPtables and modules for your VEID
17:18 < budmang> its out of your hands.
17:19 < koaschten> is there a way from the vserver to see if its enabled, or is the error just a plain "you are totally lost"
17:19 < budmang> you keep saying Vserver, but I think you mean openvz?
17:20 < budmang> iptables -t nat -A POSTROUTING -o venet0  -j SNAT --to 206.51.233.165 
17:20 < budmang> MASQUERADE - is not virtualized, try something like that.
17:21 < koaschten> where the --to is the WAN adress?
17:21 < budmang> correct, or ip you want them to funnel out
17:22 < koaschten> ok, that didnt through an error, but it doesnt show up in iptables -L?
17:22 < koaschten> -through+throw 00:30 is definitly too late for me messing with this stuff
17:22 < budmang> heh
17:22 < budmang> http://pastebin.com/r2ESiFNQ
17:22 < krzee> --to is for choosing the IP it NATs as
17:22 < krzee> !linnat
17:23 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
17:23 < krzee> #2
17:23 < budmang> krzee: hes a special virtualized setup
17:23 < budmang> MASQUERADE and other magic dont work.
17:23 < krzee> ahh, ill let you help him since you seem to understand it =]
17:23 < budmang> koaschten: you should be all set?
17:23 < koaschten> i probably will get disconnected testing this
17:23 < budmang> Im about to jump ship
17:24 < koaschten> yeah if it doesnt work, i will just cease trying ;)
17:24 < koaschten> and blame the vserver provider ;)
17:24 < budmang> disconnect and reconnect form the vpn ip :)
17:24 < budmang> whos the host outta curiosity?
17:24 < koaschten> euserv
17:24 < koaschten> still in beta
17:25 < budmang> krzee: thanks again for the help..
17:25 < krzee> yw
17:28 -!- cps [~The_Toxic@unaffiliated/the-toxic-mite/x-8446554] has quit [Quit: Leaving]
17:29 -!- pervy_sage [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
17:29 < pervy_sage> Heya
17:29 < pervy_sage> So I have question about the OpenVPN license
17:29 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Ping timeout: 264 seconds]
17:31 -!- budmang [6337eae6@gateway/web/freenode/ip.99.55.234.230] has quit [Quit: Page closed]
17:31 < pervy_sage> The ls
17:32 < pervy_sage> The source is licensed under the GPL, but I also see that it requires you purchase license keys.  Is that for hte binary distribution only?
17:32 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
17:32 < koaschten> well seems to work
17:32 < koaschten> thanks budmang
17:33 < koaschten> and they seem to block irc connections on the known ports
17:34 < pervy_sage> koaschten: heh
17:39 < krzee> pervy_sage, 
17:39 < krzee> !AS
17:39 < vpnHelper> krzee: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
17:39 < vpnHelper> krzee: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
17:39 < krzee> that is re: access-server, which is the only part where you buy license keys (and is also not open source/ GPL)
17:39 < krzee> the community version of openvpn requires no license keys, and is GPL
17:40 < pervy_sage> I see.
17:40 < krzee> we do not support access-server here, #4 from the bot is where that is done
17:40 < krzee> we support the opensource version =]
17:40 < pervy_sage> krzee: Ah.
17:40 < pervy_sage> krzee: Okay, good.  because I'm cheap and more than technically adept enough to hack together the proper tools to manage my installation...
17:40 < krzee> =]
17:41 < krzee> its more of an answer to the corporate type setups where they need 1-click setups and professional support
17:41 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Read error: Connection reset by peer]
17:43 < pervy_sage> krzee: That's what I thought.
17:43 < pervy_sage> krzee: yeah, well, this is for a corporate job.  but I'm also the guy in charge of setting it up.
17:47 -!- lightsab8r [~WinNT@52.8.188.72.cfl.res.rr.com] has joined #openvpn
17:48 < lightsab8r> enable LZO or not?
17:48 < krzee> pervy_sage, right, but theres some companies that wont use software unless it has corporate support
17:48 < krzee> lightsab8r, your decision
17:49 < krzee> lightsab8r, if the majority of data is already compressed, lzo wont do much for you
17:49 < krzee> i use it
17:54 < vpnHelper> RSS Update - forum: Configuration :: TLS handshake failed - please Help me! ;) :: Author evo-5 <https://forums.openvpn.net/viewtopic.php?f=6&t=7141&p=7888#p7888>
17:58 < lightsab8r> thx
18:03 -!- lightsab8r [~WinNT@52.8.188.72.cfl.res.rr.com] has quit [Quit: -=SysReset 2.55=-]
18:04 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
18:54 -!- Meliorator [m@dunnington.eu] has quit [Ping timeout: 276 seconds]
18:55 -!- Meliorator [m@dunnington.eu] has joined #openvpn
19:08 < pervy_sage> krzee: yeah, I've been there.
19:08 < pervy_sage> krzee: I worked at a company that basically didn't wanna use anything that wasn't corporate backed becasue if something went wrong they wanted to have somebody to sue.
19:09 < pervy_sage> krzee: That's exactly what the lawyer said, "Well, who would we file a claim against if something were to fail?"
19:17 < krzee> heh
19:17 < krzee> ya i couldnt work for a place like that
19:20 < pervy_sage> Well, that was years ago.
19:21 < pervy_sage> Then the PM got so fucking lazy, he went and installed Fedora Core on the deployment servers.
19:21 < pervy_sage> And claimed it was red hat to appease the lawyers.  And then after they got wind of that he blamed me, claiming that I made the decision to use fedora
19:23 < pervy_sage> Eventually they broke down and spent the money on it.
19:25 < pervy_sage> krzee: Thats' why I'm an independent consultant now.  I make shit work.
20:06 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
20:16 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Read error: Connection reset by peer]
20:37 < krzee> and thats what its all about
20:37 < krzee> im gunna be leaving in a few minutes...
20:37 < krzee> pervy_sage, you have any specific goal in mind for your openvpn setup?  i can point you twords some info before i go
21:15 -!- Optic [~Optic@67.205.74.218] has left #openvpn []
21:37 < vpnHelper> RSS Update - forum: Configuration :: server on a router :: Author pavel989 <https://forums.openvpn.net/viewtopic.php?f=6&t=7142&p=7889#p7889>
21:47 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
21:50 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
22:07 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
--- Day changed Thu Sep 30 2010
00:13 < pervy_sage> krzee: Yeah.  Basically the client wants a handfull of workstations for stay at home employees (sales).  So the machines are behind those little $50.00 consumer grade routers.  What I need to be able to do is SSH back into each one if any one of the personnel needs tech support. (Yes they're LInux workstations jsut for running webapps)
00:13 < pervy_sage> krzee: I just dont' wanna have to have the people have to punch open a port in the router.  It'd be easier if they just VPN'd to my server and I support them via ssh from there.
00:16 < pervy_sage> krzee: The catch is I dont' wanna route all traffic through VPN, just my traffic.  So I need to play with the routing tables such that only *my* traffic goes through the VPN
00:20 < hyper_ch> pervy_sage: tomato wrt on the routers?
00:21 < pervy_sage> No, I can't touch the routers.
00:21 < pervy_sage> I just wanna punch a hole through them.
01:50 < kraut> moin
02:01 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
02:05 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
02:05 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
02:05 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
02:22 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
02:23 < kisom> pervy_sage: Just use a standard openvpn setup, it'll do just fine.
02:27 < krzie> whats the goal?
02:29 < kisom> SSH to client laptops that are NATed
02:31 < krzie> werd
02:31 < krzie> !sample
02:31 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
02:31 < krzie> make pki
02:31 < krzie> done
02:31 < krzie> !pki
02:31 < vpnHelper> krzie: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was
02:31 < vpnHelper> krzie: signed specially as a server (see !servercert)
02:33 -!- kisom [~kisom@c-d0dde155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Read error: Connection reset by peer]
02:43 -!- dazo_afk is now known as dazo
02:57 -!- jim--- [~jimbo@r74-192-149-9.gtwncmta01.grtntx.tl.dh.suddenlink.net] has quit [Read error: Operation timed out]
02:57 -!- jim--- [~jimbo@r74-192-149-9.gtwncmta01.grtntx.tl.dh.suddenlink.net] has joined #openvpn
02:59 < pervy_sage> krzee: yeah
03:01 < reiffert> moin
03:03 < krzie> moin reif
03:03  * krzie bed
03:03  * reiffert coffee :)
03:32 < vpnHelper> RSS Update - forum: Server Administration :: DNS requests leak :: Author davidparks21 <https://forums.openvpn.net/viewtopic.php?f=4&t=7143&p=7890#p7890>
03:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:39 -!- kisom [~kisom@c-d0dde155.648-1-64736c11.cust.bredbandsbolaget.se] has joined #openvpn
04:41 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
05:16 -!- rascal999 [~user@li150-20.members.linode.com] has joined #openvpn
05:19 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:20 -!- Capkirk [~thomas@0133300189.0.fullrate.dk] has joined #openvpn
05:20 -!- Niklas-_ [~niklas@217.116.253.195] has joined #openvpn
05:21 -!- rascal999 [~user@li150-20.members.linode.com] has quit [Quit: leaving]
05:28 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
05:46 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
06:52 < Capkirk> anyone here?
06:53 < reiffert> no.
06:54 < Capkirk> ;-)
06:57 < Capkirk> im still fighting with a site to site config my setup is DHCP server <--> vpnA <---> vpnB <--> dhcpclient
06:57 < Capkirk> i use tcpdump to check dhcptraffic and the request goes over tunnel to dhcp server from client
06:58 < Capkirk> the server reply and i can see the repyl on br0 on vpnA
06:58 < Capkirk> but then the reply disappears
06:58 < Capkirk> no reply on br0 on vpnB ?
07:08 < dazo> Capkirk: sounds like firewall .... I presume vpnA and vpnB are boxes running OpenVPN and doing the bridging
07:11 < Capkirk> no firewall on vpnA or vpnB
07:12 < Capkirk> dazo: and yes they are both running OpenVPN 
07:12 < dazo> Capkirk: if you do tcpdump on the tap device (not the br0 dev) on both vpnA and vpnB ... what do you see?
07:13 < Capkirk> sec
07:13 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
07:15 < Capkirk> dazo: the samen
07:15 < Capkirk> dazo: sorry same
07:16 < dazo> so the reply hits the tap device on vpnA ... and then it's gone ... 
07:17 -!- d303k is now known as d12fk
07:17 < dazo> Capkirk: have you configured IP addresses on the tap devices?
07:17 < Capkirk> dazo: sec
07:18 < Capkirk> something is not right here
07:18 < dazo> you normally don't need IP addresses ... but you anyway need routes 
07:18 < dazo> actually ... you shouldn't need routes on a 100% bridged net
07:18 < Capkirk> dazo: dazo on vpnA i get the reply from the dhcp server on br0 but not on tap0 device?
07:19 < dazo> Capkirk: then you might have some issues with your bridge
07:19 < Capkirk> hmm what could that be?
07:19 < dazo> not sure
07:19 < dazo> I've never debugged bridges :(
07:19 < Capkirk> u want to see config for vpnA?
07:20 < dazo> it's not openvpn issue ... it's the bridge
07:20 < dazo> when you see traffic hit br0 and not the tap device in that bridge, then something is odd
07:20 < dazo> with the bridge
07:21 < dazo> ebtables is the only thing which comes to my mind ... which is kind of like iptables for layer2
07:23 < Capkirk> hehe i dont think i have ebtables installed at all
07:23 < reiffert> brctl show br0
07:24 < Capkirk> br0             8000.0050569543e4       no              eth1
07:24 < Capkirk> ebtables is installed on vpnA but not active
07:24 < Capkirk> all chains is ACCEPT
07:25 < Capkirk> no blocking
07:25 < reiffert> there is no tap0 device assigned to this bridge.
07:25 < reiffert> easy, eh?
07:26 < Capkirk> yes
07:26 < Capkirk> the tap0 is assigned
07:26 < Capkirk> i just didn't post it
07:26 < Capkirk> root@vpn2:/etc/openvpn# brctl show br0
07:26 < Capkirk> bridge name     bridge id               STP enabled     interfaces
07:26 < Capkirk> br0             8000.0050569543e4       no              eth1 tap0
07:27 < Capkirk> so that's not it
07:28 < reiffert> tcpdump -n -i br0 port 67
07:28 < Capkirk> reiffert: what do u wanna know i allready have that in place
07:29 < reiffert> I wanna know why this stuff I'm eating is soo hot.
07:30 < reiffert> so come on, just show us the dhcp request coming in and out and getting back and missing on tap0
07:30 < Capkirk> reiffert: to much chilli? ;-)
07:30 < Capkirk> ok sec
07:30 < Capkirk> 14:26:19.741411 IP 130.225.184.10.67 > 172.20.187.15.68: BOOTP/DHCP, Reply, length 303
07:30 < Capkirk> dhcp server is .10
07:31 < Capkirk> the ipadresse is for the dhcp client behind vpnB
07:31 < reiffert> dhcp over ip? guess that iroute is missing then.
07:32 < Capkirk> iroute?
07:32 < Capkirk> whats that?
07:32 < reiffert> forget about iroute for now ..
07:32 < reiffert> and please show us the complete packet path for this dhcp request by the help of tcpdump. not just a single line.
07:33 < Capkirk> hmm howto do that?
07:34 < reiffert> run multiple tcpdumps.
07:34 < Capkirk> ahh allready doing that
07:34 < Capkirk> running on vpnA and vpnB
07:34 < Capkirk> sec
07:35 < Capkirk> do i need to run on dhcp server? we can see that dhcp servers replies correctly by reply recived on vpnA?
07:35 < reiffert> no need there
07:35 < Capkirk> ok fine ;-)
07:39 < reiffert> so..?
07:39 < Capkirk> 14:36:09.315604 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 1c:c1:de:83:20:4f, length 548
07:39 < Capkirk> vpnB
07:39 < Capkirk> br0
07:40 < Capkirk> request form client behind vpnB
07:40 < reiffert> double your tcpdump, run one on each interface, tcp0 and eth0/1
07:40 < reiffert> s,tcp0,tap0,
07:40 < Capkirk> ah sec
07:41 < Capkirk> whats tcp0?
07:41 < reiffert> tap0
07:42 < Capkirk> ah
07:42 < Capkirk> ok ill starte tcpdump again
07:43 < reiffert> I'm about to leave, lunch's finished
07:43 < Capkirk> ok
07:43 < Capkirk> real world is calling
07:43 < Capkirk> thanks helping out
07:43 < reiffert> just go on here, someone might find that information helpful
07:53 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
07:56 -!- fvultee [~chatzilla@c-76-119-199-25.hsd1.ma.comcast.net] has joined #openvpn
07:57 < fvultee> !welcome
07:57 < vpnHelper> fvultee: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:57 < fvultee> !redirect
07:57 < vpnHelper> fvultee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
07:57 < fvultee> !def1
07:58 < vpnHelper> fvultee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
07:58 < fvultee> !man
07:58 < vpnHelper> fvultee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
08:03 -!- fvultee [~chatzilla@c-76-119-199-25.hsd1.ma.comcast.net] has quit [Read error: Connection reset by peer]
08:15 < Capkirk> the iroute directive - can't really get my brain around it? 
08:15 < ecrist> !route
08:15 -!- Alphanaut [~chatzilla@c-98-229-67-227.hsd1.ma.comcast.net] has joined #openvpn
08:15 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:15 < ecrist> Capkirk: see that link for more.
08:16 < Alphanaut> !def1
08:16 < vpnHelper> Alphanaut: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
08:16 < Capkirk> is it used to hmm ok
08:16 < Capkirk> i dont need it
08:17 < Capkirk> i run a bridge setup
08:17 < Alphanaut> !redirect-gateway
08:17 < vpnHelper> Alphanaut: Error: "redirect-gateway" is not a valid command.
08:17 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
08:20 < Alphanaut> !def1
08:20 < vpnHelper> Alphanaut: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
08:26 -!- Alphanaut [~chatzilla@c-98-229-67-227.hsd1.ma.comcast.net] has quit [Ping timeout: 245 seconds]
08:26 -!- Alphanaut [~chatzilla@c-76-119-199-25.hsd1.ma.comcast.net] has joined #openvpn
08:27 < Alphanaut> !def1
08:27 < vpnHelper> Alphanaut: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
08:27 < Alphanaut> !man
08:27 < vpnHelper> Alphanaut: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
08:28 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
08:31 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
08:54 < Alphanaut> anyone have a min for a q.  (i've read the docs first).  i have a linux box (openvpn server) and a windows laptop (client).  they are both configured and i can connect the client to the server via openvpn just fine.  i just cant force all the laptop traffic thru the vpn pipe to the server, then out to the net
08:54 < Alphanaut> also cant browse local shares
09:03 < Alphanaut> hmm
09:11 < koaschten> DO yo
09:11 < koaschten> woah
09:12 < koaschten> do you have full control over the vpn server host?
09:12 < koaschten> is iptables working properly?
09:12 < koaschten> and do you have the iptables entry to masquerade the traffic added?
09:16 < Alphanaut> iptables -A INPUT -i tap0 -j ACCEPT
09:16 < Alphanaut> iptables -I INPUT -p udp --dport 1194 -j ACCEPT
09:16 < Alphanaut> where 1194 is replaced by my actual port
09:16 < Alphanaut> so that's in the firewall
09:17 < Alphanaut> i assume iptables is working properly, how would i know?
09:17 < koaschten> you net a NAT rule to use the server as a redirect gateway.
09:17 < koaschten> -net+need
09:18 < krzee> !redirect
09:18 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
09:18 < box2> +/-niet
09:18 < koaschten> !nat
09:18 < vpnHelper> koaschten: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
09:19 < Alphanaut> !def1
09:19 < vpnHelper> Alphanaut: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
09:20 < dazo> Alphanaut: you need such a -i tap0 -j ACCEPT on the FORWARD chain as well
09:20 < Alphanaut> do i have to: push "redirect-gateway def1" on the server or can i just put it in the client config?
09:20 < Alphanaut> hmm i'm not familiar, i'm just following a "guide" (poorly written at that) to do this
09:21 < dazo> --push from server == putting it in the client config ... its the same, but push is more centralised
09:21 < Alphanaut> the linux box by the way is actually a dd-wrt router, but that shouldnt make a diff
09:21 < dazo> nope ... that's fine, that works
09:21 < Alphanaut> well it's only 1 client/1 server so i'm not worried too much about centralization
09:21 < Alphanaut> does it need to be in quotes ? the push "redirect..."
09:23 < Alphanaut> !ipforward
09:23 < vpnHelper> Alphanaut: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
09:23 < Alphanaut> !linipforward
09:23 < vpnHelper> Alphanaut: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
09:23 < Alphanaut> !fbsdipforward
09:23 < vpnHelper> Alphanaut: "fbsdipforward" is is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
09:23 -!- Capkirk [~thomas@0133300189.0.fullrate.dk] has quit [Quit: leaving]
09:24 < Alphanaut> !linnat
09:24 < vpnHelper> Alphanaut: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
09:24 < Alphanaut> jesus that's gibberish
09:24 < Alphanaut> :)
09:25 < dazo> Alphanaut: yeah, that's always clever to use "
09:26 < Alphanaut> ok so client/server are current connected.  now i can connect to my vnc server while i'm connected to an open wifi hotspot (not my own), but i still cant force all web traffic thru the vpn
09:26 < Alphanaut> so i guess i now have access to my lan at home
09:27 < koaschten> add "redirect-gateway" to the client config (Without the " ")
09:28 < koaschten> and add the iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
09:28 < Alphanaut> ok 1 sec
09:28 < koaschten> with proper -s and -o (-s is the vpn subnet and -o is the interface where the traffic should go, wan, pppoe, eth0 etc)
09:29 < koaschten> adding the redirect-gateway to the config will add a static route for the vpn connection and then add a new default gateway for all other traffic when you connect to the vpn
09:30 < koaschten> (and disconnect you from irc if you are currently connected via your test machine)
09:30 < Alphanaut> hmm
09:30 < Alphanaut> hmm i'm not sure what interface to point that to
09:31 < Alphanaut> just cause it's a dd-wrt router
09:31 < Alphanaut> i dont know what they use
09:31 < Alphanaut> hmm
09:32 < dazo> ohh ... it depends on the hw as well ... use ifconfig and look for the interface with your public IP address
09:33 < koaschten> its running dd-wrt? probably just go into the web-interface -> administration -> commands
09:33 < koaschten> there put "ifconfig" in the box and hit "run comman"
09:33 < Alphanaut> i have this under startup: openvpn --mktun --dev tap0 
09:33 < Alphanaut> brctl addif br0 tap0 
09:33 < Alphanaut> ifconfig tap0 0.0.0.0 promisc up 
09:33 < Alphanaut> i apologize for the spam
09:34 < koaschten> on my wrt610 the WAN interface is vlan2
09:35 < Alphanaut> mine too
09:36 < Alphanaut> so my vpn subnet is 192.168.2.0/24 and vlan2 so it should be: iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o vlan2 -j MASQUERADE
09:36 < Alphanaut> that look right?
09:36 < koaschten> yup
09:36 < Alphanaut> i'll add that into firewall in the dd-wrt
09:37 -!- pumkinhed_ [~pumkinhed@72.45.85.159] has joined #openvpn
09:39 < Alphanaut> router rebooting
09:39 < Alphanaut> i'll be amazed if that works
09:40 -!- pumkinhed [~pumkinhed@72.45.85.159] has quit [Ping timeout: 252 seconds]
09:40 -!- pumkinhed_ is now known as pumkinhed
09:41 < Alphanaut> damn typo in firewall
09:42 < koaschten> you shouldn't need to reboot the box, just use the command window for testing
09:42 < koaschten> and perm it once it's working ;)
09:43 < Alphanaut> oh
09:43 < Alphanaut> i didnt know that
09:43 < Alphanaut> i'm rebooting over and over remotely :)
09:43 < koaschten> haha :=
09:43 < koaschten> well the firewall is basically the init.d for the dd-wrt
09:44 < koaschten> it's the stuff that gets applied on boot
09:44 < koaschten> the command box is like the shell
09:44 < koaschten> all you do in there is lost on reboot
09:44 < koaschten> unless you save the changes to firewall
09:44 < Alphanaut> well it saves that stuff in dd-wrt
09:44 < Alphanaut> yah i've been saving then rebooting
09:47 < Alphanaut> hmm my browser still shows the WAN IP of the access point i'm using instead of MY WAN IP
09:48 < Alphanaut> so it's not forcing traffic to/from the VPN 
09:48 < Alphanaut> although i can connect to my local resources now
09:49 < dazo> That sounds like missing route on your client ... like --redirect-gateway not being enabled
09:49 < Alphanaut> hmm it's in the client.conf
09:49 < Alphanaut> redirect-gateway def1
09:49 < Alphanaut> is in there
09:49 < koaschten> is "tracert" going via your router to the internets?
09:50 < koaschten> probably some obvious thing, but i do it all the time because i just ctrl+s and leave the config open... you did save the config and reconnect ? ;)
09:50 < Alphanaut> heh i dont understand that question
09:51 < Alphanaut> hahah hmm yes
09:51 < Alphanaut> though i did have it open just now
09:51 < Alphanaut> but i closed and opened again and it's in there
09:51 < koaschten> if you open a shell/command box, and do a "tracert google.com" is it going via your vpn to the internet?
09:52 < Alphanaut> haha holy crud
09:53 < Alphanaut> i saved copies of my config files in a folder i call installers
09:53 < Alphanaut> and i've been editing that one
09:53 < Alphanaut> instead of the one in /openvpn
09:53 < Alphanaut> dar
09:53 < Alphanaut> i am super smart
09:53 < koaschten> :D
09:54 < koaschten> i knew i wasn't the only one it's happening to :D
09:56 < Alphanaut> grr
09:56 < vpnHelper> RSS Update - forum: Server Administration :: Re: Openvpn connection to server but mail fails to open :: Reply by george <https://forums.openvpn.net/viewtopic.php?f=4&t=7127&p=7891#p7891>
09:56 < Alphanaut> that still doesnt help
09:56 < Alphanaut> i know it's something small
09:56 -!- APTX_ [~APTX@phpBB/developer/APTX] has joined #openvpn
09:56 < Alphanaut> does it matter that my lan is 192.168.1.0 and my vpn is using that as well?
09:57 < Alphanaut> i'm doing bridged instead of routed so it shouldnt matter right?
09:57 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 240 seconds]
09:59 < Alphanaut> dang local shares browse just fine, this is infuriating!
10:17 -!- APTX_ is now known as APTX
10:19 < ecrist> !1918
10:19 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
10:30 -!- Cubber [~ronny@cpe-24-58-133-221.twcny.res.rr.com] has joined #openvpn
10:32 < Cubber> I just setup an openvpn server on gentoo.  I am able to make a connection over the internet to my server and ping its local lan address, however I cannot access any machines inside the lan.  I read I need to add a route on my gateway in order to make this happen.  I run a dd-wrt based firewall, anyone know how I can do this properlly?  The server IP is 192.168.42.10, its openvpn subnet is 192.168.40.0, the local lan is 192.168.42.0 - than
10:33 -!- jeev [~jeev@unaffiliated/jeev] has quit [Quit: ZNC - http://znc.sourceforge.net]
10:33 -!- jeev [~jeev@206.217.223.151] has joined #openvpn
10:39 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Ping timeout: 240 seconds]
10:41 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
10:43 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
10:44 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Client Quit]
10:46 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
10:46 < Alphanaut> anyone konw why in some channels i can't say anything
10:46 < Alphanaut> it wont send what i type to the channel
10:46 < koaschten> you need to be registered with freenode
10:47 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:47 < Alphanaut> hmm i am, but i forgot how to log in :)
10:47 -!- pumkinhed_ [~pumkinhed@72.45.85.159] has joined #openvpn
10:48 < krzee> msg nickserv help
10:48 < krzee> the command is identify
10:48 < krzee> but most IRC clients support automating that by just typing in your nickserv password for the irc network
10:49 < krzee> Cubber, 
10:49 < krzee> !route_outside_ovpn
10:49 < vpnHelper> krzee: "route_outside_ovpn" is "route_outside_openvpn" is (#1) http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) you do not need this if the vpn node IS the gateway for its lan
10:50 -!- pumkinhed [~pumkinhed@72.45.85.159] has quit [Ping timeout: 265 seconds]
10:50 -!- pumkinhed_ is now known as pumkinhed
10:54 < Cubber> krzee thanks I am looking into using tap over tun now so I dont have to deal with my router and use bridging instead to give the client a local ip from the start
10:55 -!- Alphanaut [~chatzilla@c-76-119-199-25.hsd1.ma.comcast.net] has quit [Read error: Connection reset by peer]
10:55 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
10:56 -!- pumkinhed [~pumkinhed@72.45.85.159] has quit [Ping timeout: 255 seconds]
10:56 -!- Cubber [~ronny@cpe-24-58-133-221.twcny.res.rr.com] has quit [Quit: leaving]
10:56 -!- APTX [~APTX@phpBB/developer/APTX] has joined #openvpn
10:58 -!- EmperorTom is now known as chinaman
11:02 -!- pumkinhed [~pumkinhed@72.45.85.159] has joined #openvpn
11:09 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
11:13 -!- Mkools [~mukul@117.196.220.80] has joined #openvpn
11:16 -!- koaschten_ [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
11:18 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Ping timeout: 240 seconds]
11:56 < Mkools> Hi, I have just started configuring openvpn on Ubuntu 9.10 I am using Quick start HOW TO, want to use bridged setup. Installed necessary software. I am not seeing server.conf file, instead I am seeing a a compressed file. Is that to target?
12:00 < krzee> why do you want a bridged setup?
12:01 < krzee> a compressed file?? did you use the community version?
12:02 < Mkools> krzee I want to use bridged setup for playing LAN games with my friends
12:02 < Mkools> I don't know about that I have installed it from apt.
12:03 < Mkools> using apt
12:03 < Mkools> krzee: server.conf.g
12:03 < Mkools> z
12:05 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined #openvpn
12:06 < Mkools> it contains a server.conf
12:06 < Mkools> file
12:07 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
12:13 < krzee> heh
12:13 < krzee> then gunzip it
12:13 < krzee> but i wont be of much use for the bridge setup, and your reason for wanting a bridge is a good one
12:14 < krzee> (often times i try to convince people to use tun...)
12:15 -!- Mkools [~mukul@117.196.220.80] has quit [Quit: Leaving]
12:16 -!- benofsky [562b5852@gateway/web/freenode/ip.86.43.88.82] has joined #openvpn
12:17 < benofsky> hi, I'm having problems with iptables (shocking, I know) — I had openvpn working last night when I just disabled iptables to get it working, am having trouble getting it going again. Here's my iptables config: https://gist.github.com/db61f99fb3460e7f0a22 — I can connect to openvpn and ping it but  redirect-gateway isn't working
12:17 < vpnHelper> Title: gist: db61f99fb3460e7f0a22 - GitHub (at gist.github.com)
12:17 < krzee> see the section in manual on firewall
12:18 < krzee> it actually goes over the iptables stuff
12:18 < krzee> things like allowing tun+ in forward chain
12:18 < krzee> !man
12:18 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
12:20 < benofsky> thanks krzee
12:20 -!- benofsky [562b5852@gateway/web/freenode/ip.86.43.88.82] has quit [Client Quit]
12:32 -!- benofsky [562b5852@gateway/web/freenode/ip.86.43.88.82] has joined #openvpn
12:33 < benofsky> krzee: I read that and set it up according to man... still no work :( ... https://gist.github.com/db61f99fb3460e7f0a22
12:33 < vpnHelper> Title: gist: db61f99fb3460e7f0a22 - GitHub (at gist.github.com)
12:35 < benofsky> or if anyone wants to take a quick look at my iptables rules — would be greatly appreciated!
12:41 -!- benofsky [562b5852@gateway/web/freenode/ip.86.43.88.82] has quit [Quit: Page closed]
12:50 -!- pumkinhed [~pumkinhed@72.45.85.159] has quit [Ping timeout: 240 seconds]
12:52 < kisom> Anyone know of a decent open source deep packet inspector that works in linux?
12:57 -!- pumkinhed [~pumkinhed@72.45.85.159] has joined #openvpn
13:07 < krzee> tcpdump?
13:07 < krzee> wireshark?
13:08 < kisom> Well, i want it to drop and modify connections too ;)
13:08 < krzee> ettercap
13:08 < krzee> or ettercap-ng
13:09 < krzee> btw "packet inspecting" and "MITM attack tool" arent exactly the same thing :-p
13:10 < kisom> I know
13:10 < kisom> Well
13:10 < krzee> you also might enjoy mallory
13:10 < krzee> there was a talk on it in blackhat this year
13:11 < kisom> I want to use it at a gateway for my LAN, it should, for example, inspect the TCP stream itself and block/allow connections
13:11 < krzee> ive never played with it tho, only listened to 1/2 the talk
13:11 < krzee> well now we're once again talking about something different... now you're talking about IPS if i understand you correctly
13:11 < kisom> Yeah, that may be correct.
13:11 < krzee> basically IDS but hooked into a firewall
13:12 < krzee> so... snort
13:12 < kisom> Ok, the question remains. Are there any good open source IPSes out there? :)
13:12 < krzee> snort
13:12 < krzee> (when hooked into your firewall)
13:12 < kisom> Alright, I'll look into that...
13:13 < kisom> Currently got a home made IPS running, but I'm tired of being the only one who knows how it work
13:15 < krzee> snort is annoying at first... but once you configure it correctly for your setup its not bad at all
13:16 < krzee> ive used it as an IDS before, for the hell of it... never hooked it into the firewall tho
13:16 < krzee> of course we're talking back in the late 90's
13:16 < kisom> In the late 90's i was running around in kindergarten ;-)
13:17 < hyper_ch> kisom: you're not anymore?
13:17 < kisom> I'm 20
13:17 < kisom> So yeah, i still am. A bit ;)
13:17 < kisom> Once you grow up you may as well lie down and die
13:17 < krzee> thats where he gets his girls ;)
13:18 < hyper_ch> so, are here any minecraft gurus?
13:18 < kisom> As in the game?
13:18 < kisom> nvm
13:18 < kisom> *detach* ;)
13:19 < hyper_ch> kisom: yes
13:19 < hyper_ch> you can't leave me now :(
13:19 < kisom> i dont play minecraft
13:20 < kisom> only seen it a few times
13:20 < hyper_ch> why did you first bring up my hopes by asking if I meant the game :(
13:20 < kisom> because i know of the game...
13:20 < kisom> ex G/F used to play it a lot
13:21 < krzee> i dont play any games
13:21 < kisom> i only play games which use at least 50% of my GPU ;)
13:22 < hyper_ch> krzee: minecraft is not a game... it's a challenge :)
13:23 < kisom> minecraft looks boring tbh
13:23 < kisom> a single guy developed the entire thing btw
13:24 < hyper_ch> kisom: it's not boring :) it's fun
13:24 < kisom> I prefer blowing heads of russians and watch the blood splash on my screen in MW2
13:37 -!- bandini [~bandini@host153-25-dynamic.20-79-r.retail.telecomitalia.it] has joined #openvpn
14:13 -!- dazo is now known as dazo_afk
14:28 -!- jeev [~jeev@206.217.223.151] has quit [Changing host]
14:28 -!- jeev [~jeev@unaffiliated/jeev] has joined #openvpn
14:29 < krzee> sup there jeev
14:32 -!- openbsdnoob [~openbsdno@88.79.221.61] has quit [Read error: Connection reset by peer]
14:33 -!- openbsdnoob [~openbsdno@88.79.221.61] has joined #openvpn
14:51 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
15:04 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 276 seconds]
15:51 -!- DrJ [Bacon@174.141.224.168] has joined #openvpn
15:51 < DrJ> is there a way to make it so VPN users use a different default gateway than the server?
15:51 < DrJ> basically the server goes out a public IP ... I'd rather the VPN users go out through the lan
15:52 < jeev> hey
15:54 < DrJ> hey
16:01 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
16:15 -!- bent_screwdriver [~socain00@74.255.249.66] has quit [Ping timeout: 265 seconds]
16:19 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
16:20 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:25 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
16:27 < vpnHelper> RSS Update - forum: Configuration :: Re: TLS handshake failed - please Help me! ;) :: Reply by evo-5 <https://forums.openvpn.net/viewtopic.php?f=6&t=7141&p=7892#p7892>
16:37 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
17:21 < DrJ> anyone?
17:35 -!- manevra [~manevra@188.27.108.61] has joined #openvpn
17:36 < pumkinhed> DrJ:  that doesnt make any sense, you want the server to use the vpn as the default gateway?
17:36 < pumkinhed> DrJ: or you want clients to use redirect-gateway but not use the vpn server as the gw...
17:36 < pumkinhed> i cant make out what you are trying to do...
17:37 < pumkinhed> may try push "route-gateway 1.2.3.4"
17:37 < pumkinhed> on the client
17:38 < pumkinhed> err
17:38 < pumkinhed> server rather
17:38 < pumkinhed> put that into server config to push that route to all clients.
17:38 < pumkinhed> but the gateway must be routable or it won't work...
17:40 < pumkinhed> so in this case assuming you wanted to route out via 1.2.3.4, you'd need to precede that with push "route 1.2.3.0 255.255.255.0"
17:40 < pumkinhed> anyways gl with that, i dont know that will work
17:40 < pumkinhed> i am out
17:42 < DrJ> okay
17:42 < DrJ> server has two nics
17:42 < DrJ> eth0: public IP ... they use this to connect to VPN
17:42 < DrJ> eth1: private IP ... internet traffic should go through this on VPN
17:42 < DrJ> server should use eth0 (and does) for internet
17:43 < DrJ> VPN users are coming out eth0 for internet also
17:43 < DrJ> they should not
17:45  * nb wonders how hard ts going to be to set up a openvpn client on windows
17:46 < nb> do they use the same config files as linux?
17:50 -!- manevra [~manevra@188.27.108.61] has quit []
17:56 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
18:01 < vpnHelper> RSS Update - forum: Installation Help :: IP address is not changed :: Author chackboom <https://forums.openvpn.net/viewtopic.php?f=5&t=7144&p=7893#p7893>
18:03 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 265 seconds]
18:30 < Bushmills> nb, they do. additional configuration statements, spefically for windows, exempted.
18:39 -!- manevra [~manevra@188.27.108.61] has joined #openvpn
18:51 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
19:04 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
19:06 -!- manevra [~manevra@188.27.108.61] has quit []
19:18 -!- bobfred [6d81f2cd@gateway/web/freenode/ip.109.129.242.205] has joined #openvpn
19:18 < bobfred> hi everyone
19:21 < bobfred> !welcome
19:21 < vpnHelper> bobfred: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:21 < bobfred> !howto
19:21 < vpnHelper> bobfred: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
19:25 < oc80z> how goes it.
19:27 < Bushmills> it goes by clicking on link, and reading it.
19:27 < nb> !/30
19:28 < vpnHelper> nb: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
19:33 -!- bobfred [6d81f2cd@gateway/web/freenode/ip.109.129.242.205] has quit [Quit: Page closed]
19:38 -!- phantomcircuit [~phantomci@adsl-99-40-53-177.dsl.pltn13.sbcglobal.net] has joined #openvpn
19:39 < phantomcircuit> Cannot load private key file phantomcircuit.key: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
19:39 < phantomcircuit> wat?
19:39 < jeev> wrong key file perhaps
19:39 < jeev> wrong file.
19:39 < phantomcircuit> i just generated it and signed it with the ca.key
19:40 < phantomcircuit> :|
19:40 < jeev> maybe it's messed up
19:41 < phantomcircuit> lol
19:41 < phantomcircuit> why yes 
19:41 < phantomcircuit> i believe it is
19:43 < nb> i am getting a lot of lines in my log that look like Need IPv6 code in mroute_extract_addr_from_packet
19:45 < nb> oh, i think i fixed it by disabling ipv6 for that adapter
20:06 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <-]
20:21 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
20:26 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
20:50 -!- phantomcircuit [~phantomci@adsl-99-40-53-177.dsl.pltn13.sbcglobal.net] has quit [Ping timeout: 272 seconds]
20:51 < Dougy> hey guys
20:51 < Dougy> !fedora
20:51 < vpnHelper> Dougy: Error: "fedora" is not a valid command.
20:51 < Dougy> ok
20:52 < Dougy> is it ok to use network manager in fedora?
20:52 < Dougy> !factoids search networkmanager
20:52 < vpnHelper> Dougy: No keys matched that query.
20:52 < Dougy> !factoids search network manager
20:52 < vpnHelper> Dougy: No keys matched that query.
21:13 -!- UweBollsFunder [~fgaaa@bas6-quebec14-1167950650.dsl.bell.ca] has joined #openvpn
21:13 < UweBollsFunder> !welcome
21:13 < vpnHelper> UweBollsFunder: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:13 < Dougy> rawr
21:13 < UweBollsFunder> !howto
21:13 < vpnHelper> UweBollsFunder: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
21:13 < UweBollsFunder> !goal
21:13 < vpnHelper> UweBollsFunder: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
21:13 < UweBollsFunder> !configs
21:13 < vpnHelper> UweBollsFunder: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
21:19 < Dougy> krzee: couldnt you simplify Don't use 192.168.1.0/24 or  192.168.0.0/24 (too much potential for conflict)
21:19 < Dougy> simplify into .0.0/23
21:25 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 245 seconds]
21:26 < UweBollsFunder> Hi, I need help setting up openvpn on Debian. I installed the package from the repository, and am trying to set up the /dev/net/tun device. I created the file then ran "mknod /dev/net/tun c 10 200" , then added "alias char-major-10-200 tun" to the /etc/modules  file, but now the 3rd step, "modprobe tun" gives me "FATAL: Module tun not found"
21:27 < Bushmills> don't bother - debian autoloads tun module, and tun device is created when openvpn starts (server) or connects (client)
21:28 < Bushmills> tun module comes with stock kernel image already. unless you have compiled your own kernel, you're set
21:29 < UweBollsFunder> I see
21:30 < UweBollsFunder> thanks, I can move on then
21:30 < UweBollsFunder> what permissions should that tun file have?
21:31 < Bushmills> "that" file?
21:31 < UweBollsFunder> because I'm getting permission denied in its current  crw-r--r--  mode
21:31 < UweBollsFunder> tun
21:31 < UweBollsFunder> sorry, I'm inexperienced in Linux
21:32 < Bushmills> the device file which you created with mknod?
21:32 < UweBollsFunder> that's right
21:32 < Bushmills> udev creates that one automatically
21:33 < Bushmills> in  /dev/net, where it will have  666 perms
21:33 < UweBollsFunder> well when I run "openvpn --config myconfig" I get  Note: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13)".   myconfig has "dev tun" as per the site's quickstart guide
21:33 < UweBollsFunder> I had to create the tun file manually, by first making a folder, then using touch to create it.
21:34 < Bushmills> eh?
21:34 < UweBollsFunder> how do you call udev for the creation of /dev/net/tun then?
21:34 < Bushmills> you don't create device files with touch
21:34 < UweBollsFunder> the mknod gave me a "doesn't exist" error when I tried it, so I created it with touch
21:34 < Bushmills> you don't call udev at all. not manually
21:35 < UweBollsFunder> sigh
21:35 < Bushmills> there's a daemon running, for auto-creating device files
21:36 < UweBollsFunder> what would I have had to do to make it create /dev/net/tun then?
21:36 < Bushmills> with debian, only thing you need to do is creating your openvpn config file, editing /etc/default/openvpn, and starting openvpn
21:37 < UweBollsFunder> do I need to undo what I did?
21:37 < Bushmills> most likely
21:38 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
21:38 < UweBollsFunder> is it just a matter of deleting the file or did calling that mknod command do some real changes?
21:39 < Bushmills> deleting your device file should do
21:39 < Bushmills> you can  modprobe tun, just to be sure
21:40 < UweBollsFunder> still not found, so I guess that's good
21:40 < UweBollsFunder> I don't think the main site's quickstart guide really works, at least not without reading the rest of the documentation
21:41 < Bushmills> what not found?
21:41 < UweBollsFunder> modprobe said "module tun not found" . Which is what it said before I deleted /dev/net/tun
21:42 < Bushmills> then your installation is possibly borked.   try   depmod -a
21:43 < UweBollsFunder> it didn't do anything
21:43 < Bushmills> now   modprobe -l|grep tun.ko
21:43 < UweBollsFunder> same
21:44 < Bushmills> uname -a
21:44 < UweBollsFunder> Linux server1 2.6.18-194.8.1.el5.028stab070.5 #1 SMP Fri Sep 17 19:10:36 MSD 2010 i686 GNU/Linux
21:44 < Bushmills> ls /lib/modules
21:45 < UweBollsFunder> there appears to be a folder 2.6.18-194.8.1.el5.028stab070.5
21:45 < Bushmills> what debian version is that?
21:46 < theDoc> UweBollsFunder> The main quickstart guide actually does work.
21:46 < Bushmills> doesn't look like a stock kernel.  when compiled yourself, you must take care to also compile the tun module
21:47 < UweBollsFunder> I don't know how to check but the apt-get source list is aimed at lenny (5.x). I didn't install it myself, this is a virtual server at a hosting provider.
21:48 < UweBollsFunder> so the kernel is lacking the necessary modules to run openvpn?
21:48 < Bushmills> whoever provided that kernel, neglected to provide a tun module
21:48 -!- Squidy_at_Home [~quassel@187.53.179.214] has joined #openvpn
21:49 < UweBollsFunder> I should be able to update the kernel though, right?
21:49 < theDoc> UweBollsFunder> You should be.
21:49 < UweBollsFunder> maybe this is why pptpd didn't work either (though with pptpd there were no error messages to work with)
21:49 < Bushmills> depends on type of virtualisation
21:49 < UweBollsFunder> allright, I'll try that. Hopefully I'll be back tomorrow.
21:49 < UweBollsFunder> or rather, hopefully I don't need to come back :P
21:50 < theDoc> UweBollsFunder> Did you turn on debugging for pptpd?
21:50 < UweBollsFunder> thanks for your help
21:50 < UweBollsFunder> theDoc: yep
21:50 < theDoc> Alternatively, get a better host.
21:50 < UweBollsFunder> can't beat 5$/month
21:50 < theDoc> You pay shit, you get shit.
21:53 < UweBollsFunder> I can't say it's really shit, things have gone well so far, except for this (the reason I got it in the first place tbh...I just figured VPS + VPN > VPN)
21:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
21:53 < UweBollsFunder> thanks for your help
21:55 < Bushmills> theDoc: openvpn is free, and free of charge :P
21:55 < theDoc> pfft :P
21:55 < theDoc> Bushmills> I run access-server exclusively :P
21:55 < theDoc> But then, I use it for commercial deployments around.
21:56 < UweBollsFunder> theDoc: pptpd tells the client to disconnect (FIN, ACK) after sending Outgoing-Call-Reply. There's no error messages but I saw it calling /usr/sbin/pppd. When I ran that command manually, I got a message like "You need to create the /dev/ppp device node with mknod etc". At the time I didn't know what it meant but in light of Bushmill's info it must be the same problem.
21:56 < theDoc> UweBollsFunder> I'm just saying, all the trouble one has to go through just to fix something stupid like the provider forgetting to compile the tun modules can be easily solved by getting a better provider.
21:56 < Bushmills> hopefully not under one of those free of charge bsd or linux flavours :D
21:57 < theDoc> Bushmills> hahaha, debian :P
21:58 < UweBollsFunder> I had a choice of Debian, CentOS, Suse, Fedora and Ubuntu
21:58 < UweBollsFunder> I figured Debian has the best reputation
21:58 < theDoc> and why you were never given a stock debian kernel is beyond me.
21:58 < UweBollsFunder> well at least this will have been educational :P
21:59 < UweBollsFunder> (ie painful)
21:59 < theDoc> I don't know which kernel you're running at the moment but I'm sure it's not the "default" kernel that comes with a fresh debian install.
21:59 < UweBollsFunder> I guess I can expect tons of programs to stop working once I update the kernel?
21:59 < Bushmills> unlikely
21:59 < theDoc> UweBollsFunder> I don't know but generally you should be ok.
22:00 < theDoc> Unless you have some weird setup there.
22:00 < UweBollsFunder> good thing I only signed up for 1 month at first. I almost took the 1-year plan.
22:00 < UweBollsFunder> if things go wrong, I can change hosts as you suggested
22:02 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
22:53 < UweBollsFunder> Bushmills, still here?
22:54 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
22:59 < UweBollsFunder> Is anyone here familiar with SSH tunnelling? How does it work with Bittorrent? Can people still connect to you or will you be stuck with outbound connections?
23:24 -!- UweBollsFunder [~fgaaa@bas6-quebec14-1167950650.dsl.bell.ca] has left #openvpn []
23:30 -!- DrJ [Bacon@174.141.224.168] has quit [Ping timeout: 265 seconds]
23:30 -!- box2 [~box2@zaibat.su] has quit [Ping timeout: 240 seconds]
23:30 -!- box2 [~box2@zaibat.su] has joined #openvpn
23:32 -!- DrJ [Bacon@174.141.224.168] has joined #openvpn
23:45 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
--- Day changed Fri Oct 01 2010
00:07 -!- Squidy_at_Home [~quassel@187.53.179.214] has quit [Remote host closed the connection]
00:55 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
01:07 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Read error: Connection reset by peer]
01:15 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
01:25 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
01:34 -!- Tapke [~Tapkis@home.tapke.eu] has joined #openvpn
01:35 < Tapke> Okay. Everytime I ask a question, noone reacts..
01:35 < Tapke> Is it possible to get some help today?
01:35 < Tapke> *now
01:36 < Tapke> guess notr
01:36 < Tapke> not
01:37 < Tapke> what could make vpn connection crashing?
01:37 < Tapke> with "inactivity timeout"
01:38 < Tapke> although some pings pass trough and then it stops
01:38 < Tapke> reconnects
01:38 < Tapke> and over and over
01:38 < Tapke> link is stable, routes ar good
01:39 < Tapke> no fw problem, as fw forwards 1194 to the server
01:39 < Tapke> anyone?!
01:40 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
02:11 -!- koaschten_ [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Ping timeout: 276 seconds]
02:33 -!- openbsdnoob [~openbsdno@88.79.221.61] has quit [Quit: byebye]
02:40 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:51 < vpnHelper> RSS Update - forum: Configuration :: creating openvpn with ubuntu server and windows clinet :: Author zina83 <https://forums.openvpn.net/viewtopic.php?f=6&t=7145&p=7894#p7894>
03:14 < Bushmills> Tapke: inactivity timeouts
03:18 -!- anv [~anv@81.172.44.44.dyn.user.ono.com] has joined #openvpn
03:20 < anv> hello. How can I execute a script when openvpn connection is complete?
03:21 < anv> I need to execute a "route add -host xxxx dev tap0" on client side when connection is stablished.
03:26 < Bushmills> anv:  --up
03:26 < vpnHelper> RSS Update - forum: Configuration :: Re: Multiple non-contiguous client IP ranges. :: Reply by controlc.de <https://forums.openvpn.net/viewtopic.php?f=6&t=7132&p=7895#p7895> || Configuration :: Re: server on a router :: Reply by controlc.de <https://forums.openvpn.net/viewtopic.php?f=6&t=7142&p=7896#p7896>
03:28 < Bushmills> anv: or --route network/IP [netmask] [gateway]
03:32 < kraut> moin
03:33 < anv> Bushmills: I added up /etc/openvpn/myscript to the config of the client, but it seems not being executed....
03:34 < Bushmills> log at logs, react to the script-security warnings 
03:34 < Bushmills> look ..
03:37 -!- dazo_afk is now known as dazo
03:37 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:40 -!- openbsdnoob [~openbsdno@88.79.221.61] has joined #openvpn
03:42 < anv> Bushmills: Thank you. This worked. Is there any way to pass the script the name of the interface created by openvpn? (tap0 in my case?)
03:43 < Bushmills> yes. envrionment variables. they're listed in the man page
03:44 < Bushmills> actually, the device is passed as positional parameter 1
03:48 < anv> Bushmills: ok, thank you. I am doing a strange config: doing proxyarp or one lan IP through openvpn.
03:50 < Bushmills> the config may be strange, i can't judge. but what i find strange is that you didn't find the answers to your questions in the man page.
03:55 < anv> Bushmills: man page sould be complete. But there are many options and it is hard to find what you want. The second problem (script security) I could be resolved without asking.
04:08 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
04:37 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined #openvpn
05:06 < vpnHelper> RSS Update - forum: Configuration :: Re: Can't SSH into a open-vpned client anymore :: Reply by zina83 <https://forums.openvpn.net/viewtopic.php?f=6&t=2389&p=7897#p7897>
05:44 < |Mike|> lol
07:03 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
07:09 -!- Kenjiro [~kvirc@unaffiliated/kenjiro] has joined #openvpn
07:10 < Kenjiro> good morning
07:10 < Kenjiro> I am having a nasty problem with my openvpn....
07:11 < Kenjiro> I have two buildings (A and B). Both reach the internet through a router on building C. A and B have no connection (different networks)
07:11 < Kenjiro> then I have this:
07:11 < Kenjiro> A ----VPN----router-----internet------Kenjiro (works ok)
07:12 < Kenjiro> B ----VPN----router-----internet------Kenjiro (works ok)
07:12 < Kenjiro> BUT... when the VPN is active, the private network on B gets too slow. There is even loss of packets on that LAN
07:12 < Kenjiro> does anybody have a clue about what might be happening?
07:13 < Kenjiro> I have other cities reaching me over VPN (same config as buildings A and B) and NONE of them have this problem
07:13 < kisom> Kenjiro: We need more information, what subnets are you using? Client config files? is there only a loss of packets or are all packets dropped when the VPN is active?
07:13 < dazo> !configs
07:13 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
07:13 < Kenjiro> kisom: only loss of data
07:14 < koaschten> data != packets
07:14 < kisom> from all hosts or only the host which is running the ovpn client?
07:15 < Kenjiro> kisom: interesting is the host running the client can comunicate with the vpn server withouth problem. No packets lost
07:15 < koaschten> you need to sort your thoughts.
07:15 < kisom> ok, then where does the packet loss occur?
07:15 < Kenjiro> problem is: LAN ---- server (running ovpn client)
07:16 < Kenjiro> the packet loss happens in the LAN
07:16 < Kenjiro> if I stop the VPN connection, the comunication IN the LAn goes back to normal
07:16 < koaschten> so you have Subnet A (Server ---> VPN) -- Router C --- internet --- Kenjiro
07:16 < koaschten> and the packetloss happens in subnet A when the vpn on server is active?
07:16 < Kenjiro> yes
07:16 < koaschten> that bares any logic :X
07:17 < Kenjiro> koaschten: INDEED
07:17 < Kenjiro> I spent the whole day (yesterday) trying to figure out what is happening
07:17 < koaschten> unless server does routing for subnet a to subnet c for internet connectivity, then the routing on server is fucked
07:17 < Kenjiro> koaschten: to be more precise.... what we have is:
07:18 < Kenjiro> subnet B (server ---> VPN)---- radio ----- router C ---- internet ----- kenjiro
07:18 < koaschten> the only connectivity for subnet B is VPN? or can they access internet without vpn?
07:18 < Kenjiro> connection is NATed from subnet B to the radio
07:18 < Kenjiro> yes, they can access the internet without the VPN
07:19 < Kenjiro> but the same happens on the other building
07:19 < koaschten> hmm you might want to look into your MTU settings
07:19 < koaschten> but thats more like a shot in the blue
07:19 < dazo> --mtu-test
07:19 < Kenjiro> yes it is REALLY weird
07:19 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Read error: Connection reset by peer]
07:20 < Kenjiro> dazo: '--mtu-test' with openvpn?
07:20 < dazo> yeah, on the client side, iirc
07:20 < koaschten> seriously, give us pasteys of client and server config and probably routing tables of client and server
07:20 < koaschten> the rest is more guessing than anything :)
07:20 < Kenjiro> let me see
07:20 < |Mike|> lawl :-p
07:20 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined #openvpn
07:21 < Kenjiro> testing....
07:27 < Kenjiro> hmmmm I might be doing something wrong...
07:27 < Kenjiro> a simple 'openvpn --mtu-test --dev tun0' is wrong, right?
07:28 < Kenjiro> yes it's wrong, cause the tun0 is not up
07:29 < dazo> use it together with your config file
07:33 < Kenjiro> dazo: I tried but "nothing happens" let me see
07:33 < dazo> I presume you read your log files ...
07:35 < Kenjiro> dazo: yes, thanks
07:35 < Kenjiro> I am watching it now
07:39 < Kenjiro> Fri Oct  1 09:37:34 2010 NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1557,1557] remote->local=[1557,1557]
07:40 < Kenjiro> I guess that's good, right ? :D
07:41 < Kenjiro> koaschten: I'll paste the config file for the server and client, hold on
07:41 < Kenjiro> (I'll paste only the "active" lines, ok? Not the commented ones)
07:41 < koaschten> shouldnt the mtu be limited to 1500? at least thats how i run my vpns
07:44 < vpnHelper> RSS Update - forum: Configuration :: Re: Multiple non-contiguous client IP ranges. :: Reply by MrWetsnow <https://forums.openvpn.net/viewtopic.php?f=6&t=7132&p=7898#p7898>
07:52 < Kenjiro> koaschten: http://pastebin.ca/1952567
07:52 < Kenjiro> I hope that helps
07:53 < koaschten> whats the change directory stuff doing in the server config?!
07:53 < Kenjiro> eheheh my bad
07:54 < Kenjiro> but that's not causing the problem, right? ;)
07:54 < koaschten> no its not :)
07:55 < koaschten> looks normal, nothing that stands out to me there :/
07:55 < Kenjiro> koaschten: exactly what I thought. If it works for all the other buildings (which I ommited there)...
07:55 < Kenjiro> should work for build B too :(
07:55 < Kenjiro> I mean... the VPN itself works like a charm
07:56 < Kenjiro> problem is I bring the vpn up on B.. and the LAN goes to lala land :(
08:00 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
08:01 < Bushmills> routing
08:01 < Bushmills> check client route before and after connecting
08:02 < koaschten> the local network should not be influenced by the routing
08:02 < Kenjiro> Bushmills: will do, hold on
08:04 < Kenjiro> Bushmills: well yeah... the problem is packet loss on the local network when the VPN is active (the subnet that should use the VPN)
08:04 < Kenjiro> other subnets are not affected
08:04 < Bushmills> hm
08:04 < Kenjiro> you see there (my paste) we have sunet 192.168.2.0, that one is not affected
08:05 < Kenjiro> the subnet going which should use the VPN to reach the other side is 10.1.10.0. That one gets affected when the VPN is up
08:05 < Bushmills> no, i don't see. i only caught last part
08:05 < Kenjiro> Bushmills: sorry
08:05 < Kenjiro> Bushmills: http://pastebin.ca/1952567
08:10 < Kenjiro> koaschten: funny... I placed a 'tun-mtu 1500' on the client config file and even then the 'mtu-test' used 1577
08:17 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
08:17 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
08:19 -!- Alphanaut [~chatzilla@c-98-229-67-227.hsd1.ma.comcast.net] has joined #openvpn
08:19 < Alphanaut> so after it working for a few days, i suddenly get: Connection reset by peer (WSAECONNRESET) (code=10054)
08:20 < Alphanaut> i'm not sure the openvpn service is running on the server, how do i check? i did a: ps | grep openvpn and the only entry is the process for "grep openvpn", that means it's not running right?
08:24 < Kenjiro> koaschten: Now I used 'tun-mtu 1500' on both config files (server and client) and mtu-test still used 1577
08:24 < vpnHelper> RSS Update - forum: Server Administration :: Re: Website SSL Cert :: Reply by lee.todis <https://forums.openvpn.net/viewtopic.php?f=4&t=7134&p=7899#p7899>
08:24 < Bushmills> Alphanaut: try  ps aux | grep openvpn
08:24 < Kenjiro> woops, 1557
08:24 < koaschten> hmm
08:25 -!- Alphanaut_ [~chatzilla@c-98-229-67-227.hsd1.ma.comcast.net] has joined #openvpn
08:25 < koaschten> Alphanaut try ps -aux
08:25 < koaschten> err what Bushmills said
08:25 < koaschten> Kenjiro i am at a loss, sorry
08:25 < Bushmills> alternatively, netstat -lun  (if using udp)
08:26 -!- Alphanaut [~chatzilla@c-98-229-67-227.hsd1.ma.comcast.net] has quit [Ping timeout: 240 seconds]
08:26 < Kenjiro> koaschten: me too *LOL*
08:28 -!- Alphanaut_ is now known as Alphanaut
08:29 < Alphanaut> nope, it's not running
08:29 < Alphanaut> by the way this is on a dd-wrt router box
08:29 < vpnHelper> RSS Update - forum: Server Administration :: Re: Website SSL Cert :: Reply by ecrist <https://forums.openvpn.net/viewtopic.php?f=4&t=7134&p=7900#p7900> || Pay OpenVPN Service Provider Reviews/Comments :: Re: [Free VPN] VPN Steel :: Reply by ecrist <https://forums.openvpn.net/viewtopic.php?f=21&t=7137&p=7901#p7901>
08:29 < Alphanaut> not a standalone computer
08:29 < Alphanaut> but nonetheless, the process isn't running even though i have it in the startup script.  odd.
08:31 < Alphanaut> infuriating since it was working fine yesterday
08:32 < Alphanaut> any way to get more detail on: Fri Oct 01 09:31:54 2010 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
08:32 < Alphanaut> sounds like the client connection isn't reaching the host
08:32 < Alphanaut> i already verified that the firewall port is open
08:32 < Alphanaut> so i assume that's its the process issue
08:35 < koaschten> which client os?
08:36 < Alphanaut> windows
08:36 < koaschten> ... which?
08:36 < Alphanaut> as i said, it worked fine yesterday.  i've already fully reset the router back to defaults, repasted all the keys, server configs, etc
08:36 < Alphanaut> oh sorry windows vista 32
08:36 < Alphanaut> flame on!
08:36 < Alphanaut> :)
08:37 < koaschten> are you running the openvpn client as admin?
08:37 < Alphanaut> yep
08:37 < Alphanaut> infuriating that i cant get more info than the "connection reset by peer" message
08:42 < Alphanaut> oh my freaking god
08:42 < Alphanaut> i figured it out
08:43 < Alphanaut> tried to start the service manually using the config
08:43 < Alphanaut> let's see if you can find the problem
08:43 < Alphanaut> Fri Oct  1 13:42:20 2010 RESOLVE: Cannot parse IP address: 192.168.1.260
08:43 < Alphanaut> DUH
08:43 < Alphanaut> 260
08:43 < Alphanaut> i'm brilliant
08:44 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
08:45 < Alphanaut> .
08:45 < ecrist> lol
08:45 < Kenjiro> I am fairly new to OpenVPN (and VPNs). Is it possible to have a computer working as server and client at the same time?
08:45 -!- Alphanaut [~chatzilla@c-98-229-67-227.hsd1.ma.comcast.net] has quit [Read error: Connection reset by peer]
08:45 < ecrist> Kenjiro: yes, but a server cannot be a client to it's own vpn.
08:45 < Kenjiro> ecrist: sure, different VPNs
08:45 < ecrist> i.e. a system cannot be a client and server for the same vpn at the same time.
08:45 -!- Alphanaut [~chatzilla@c-98-229-67-227.hsd1.ma.comcast.net] has joined #openvpn
08:45 < ecrist> then yes, no issue with that.
08:46 < Kenjiro> like... I would have A ---- B ---- C
08:46 < Kenjiro> vpn between A and B, then B and C
08:46 < Kenjiro> the idea would be make B a "bridge" or something like that, between A an C
08:46 < Kenjiro> *and
08:46 -!- Alphanaut [~chatzilla@c-98-229-67-227.hsd1.ma.comcast.net] has quit [Client Quit]
08:50 < ecrist> sure, that's fine.
08:50 < ecrist> personally, I'd have A and C connect to B
09:00 < Kenjiro> that's because my MAIN VPN server is C
09:00 < Kenjiro> there are other cities connecting to it already
09:11 < Kenjiro> koaschten: check this out... (about that problem of mine)
09:11 < pumkinhed> hmm, but then a -> c must go through b, so all a, b and c are all using the same link i think thats innefficient, just create 3 vpns on each, a server and 2 clients, then route to each subnet directly
09:11 < Kenjiro> I stoped the VPN between B and C (remember the LAN problem?)
09:12 < Kenjiro> then I created a B ---> A VPN. This one worked too, without the packet loss on B's LAN 
09:12 < Kenjiro> go figure! :(
09:12 < pumkinhed> ah well, shrug
09:14 < Kenjiro> I think my 'solution' will be  the "two vpns" stance. B ----> A ----> C  :(
09:14 < Kenjiro> now I will read about making a server both Server and Client (in my case, A)
09:19 < ecrist> Kenjiro: it's just two configs.
09:19 < ecrist> you run two instances of openvpn, one with your server config, one with the client config.
09:22 < Kenjiro> ecrist: ok, I guess OpenVPN will "catch" the configs automaticaly?
09:22 < ecrist> not sure what that means
09:23 < Kenjiro> when openvpn goes up will it use both files automatically?
09:23 < Kenjiro> I think I saw something like that happening once
09:23 < Kenjiro> like... no need to TELL it to use both files
09:23 < Kenjiro> ok thanks in advance
09:23 < ecrist> no
09:23 < Kenjiro> I will try and make the magic happen here ;)
09:25 < ecrist> you need to run two copies of openvpn, one with each config
09:27 < Kenjiro> I'll tell you what happens
09:27 < Kenjiro> Will set up the thingy ;)
09:27 -!- anv [~anv@81.172.44.44.dyn.user.ono.com] has quit [Remote host closed the connection]
09:34 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
09:37 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
09:38 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
09:40 < Kenjiro> like I said, openvpn 'detects' both config files and runs two instances automaticaly ;)
09:40 < Kenjiro> at least it works like that on ubuntu
09:48 < dazo> On Ubuntu the init script scans for config files and starts one instance per config file
09:50 -!- bent_screwdriver [~socain00@173-9-133-102-Miami.FL.hfc.comcastbusiness.net] has joined #openvpn
09:51 -!- rascal999 [~user@li150-20.members.linode.com] has joined #openvpn
09:51 < rascal999> i'm trying to set up a vpn but when I connect to it via Ubuntu's network applet, I can't ping/browse. Here are the config files http://pastebin.ca/1952626 http://pastebin.ca/1952623. Interestingly, I can only connect to the server when I set client to connect via tun device, even though server is configed as tap
09:52 < bent_screwdriver> Is there a security advantage in going static key over SSL (i.e. man in the middle to intercept keys during key exchange)?
09:52 < kisom> rascal999: I've only had bad luck with ubuntus quickhack network manager. try using the CLI instead?
09:52 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 240 seconds]
09:55 < kisom> bent_screwdriver: no
09:55 < rascal999> kisom: ok I've just tried openvpn --config client.conf http://pastebin.ca/1952630 still no luck
09:55 < kisom> rascal999: see what the logs are saying. probably some missing certificate path or something
09:55 < kisom> bent_screwdriver: using a static key is more insecure than using PKI
09:55 < rascal999> read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
09:56 < kisom> ok, is the server correctly set up?
09:57 < rascal999> kisom: ok now we're getting somewhere Connection reset, restarting [0]
09:57 < rascal999> sorry i stopped the server and forgot to restart
09:57 < kisom> nah, that only means the connection failed and it tries again
09:57 < rascal999> kisom: it was verifying certs
09:57 < rascal999> then cut out
09:57 < bent_screwdriver> kisom: is there a good article that would help me articulate how there is not a chance for key interception during key exchange, and how this method is secure? How is static less secure (if you have a scure method to get the key on the host i.e. snakernet)? 
09:58 < rascal999> VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailAddress.... was the last thing sent
09:58 < kisom> bent_screwdriver: It's all in the documentation. you may also want to read about asymetric and symetric encryption on wikipedia
09:59 < kisom> bent_screwdriver: http://openvpn.net/index.php/open-source/documentation/security-overview.html
09:59 < vpnHelper> Title: Security Overview (at openvpn.net)
09:59 < rascal999> kisom: did you get my last message? The server I'm messing around on also houses my irc client
09:59 < kisom> rascal999: yeah i got it
10:00 < kisom> rascal999: probably something wrong with your certificates. can you paste the entire client log somewhere?
10:00 < bent_screwdriver> kison: thx, i'll some reading again. i just find it hard to articulate (to my boss) how the key exchange is secured. i'll readup and draw pictures ;) 
10:00 < rascal999> kisom: ok
10:01 < kisom> bent_screwdriver: static keys are also insecure because if they are compromised, previously captured traffic may be decrypted
10:01 < kisom> using PKI, that is not possible as each session has a unique key which is exchanged during the key exchange.
10:01 < rascal999> kisom: http://pastebin.ca/1952633
10:02 < bent_screwdriver> kisom: oh yeah, i remeber that, no forward secrecy. 
10:02 < rascal999> The firewall I'm sitting behind has very low MTU setting, could this be reseting the connection?
10:02 < kisom> bent_screwdriver: also remember that ~15k bit RSA is about equal to 256 bit AES
10:03 < bent_screwdriver> kisom: explaining how that exchanged key was secured when it was exchanged is where i need to readup
10:03 < kisom> bent_screwdriver: have you checked youtube? someone has probably made a movie about it
10:03 < kisom> http://www.youtube.com/watch?v=Wy5HuZlv9gY
10:03 < vpnHelper> Title: YouTube - Misc - Asymmetric Encryption (at www.youtube.com)
10:04 < rascal999> kisom: sorry, that was wrong log section http://pastebin.ca/1952635
10:04 < bent_screwdriver> kisom: no, good idea. thx! that bot is almost spooky
10:04 < kisom> explaining cryptography to a non-tech boss is a bitch tho ;)
10:05 < kisom> i usually go for "its secure, OK?"
10:06 < kisom> rascal999: looks like it *should* work... hmm
10:06 < rascal999> kisom: you want ifconfig from both?
10:06 < kisom> no, sec
10:08 < kisom> can i have your client conf file?
10:09 < rascal999> kisom: http://pastebin.ca/1952640
10:11 < kisom> try using verb 7 and paste the client logs
10:13 < rascal999> kisom: http://pastebin.ca/1952646
10:14 < rascal999> that's a firewall reseting the connection right?
10:16 < kisom> to be honest, i dont know.
10:16 < kisom> are you behind some company firewall?
10:16 < rascal999> kisom: i am behind a firewall yeah. Student accommodation ;)
10:16 < kisom> i know microsofts ISA server intercepts TCP/443 and basically performs a MITM-attack to screen the contents inside the connection
10:16 < rascal999> I tried playing xbox the other day and it failed saying the MTU was too low
10:17 < kisom> try post 80 instead
10:17 < rascal999> kisom: worth trying a different ... righto
10:20 < rascal999> kisom: same crap
10:20 < rascal999> i'll udp
10:23 < rascal999> kisom: http://pastebin.ca/1952652
10:24 < rascal999> how do i lower mtu?
10:26 < ecrist> truecrypt is proving to be an unusable POS.
10:27 < ecrist> s/unusable/difficult to use/
10:28 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
10:29 < jeev> who actually encrypts files ?
10:29 < ecrist> we do, quite a bit
10:30 < jeev> we?
10:30 < jeev> company or personally
10:30 < ecrist> both
10:32 < jeev> i wo uldn't imagine a company using something like truecrypt but ok
10:32 < bent_screwdriver> rascal999: tun-mtu, mss-fix 
10:33 < ecrist> jeev: why not?
10:34 < jeev> dunno
10:34 < bent_screwdriver> rascal999: this doc gives example and elaboration on pg 16: http://www.sans.org/reading_room/whitepapers/vpns/openvpn-ssl-vpn-revolution_1459
10:34 < ecrist> a well thought out argument, jeev.
10:35 < jeev> absolutely ecrist, i take after the republicans and faux news. i have no argument
11:15 -!- blackxored [~adrian@ubuntu/member/blackxored] has joined #openvpn
11:15 < blackxored> what's the best way to define incoming port forward traffic for an openvpn setup?
11:16 < blackxored> let's say for start that I just want one incoming port to one specific address which is odd since it assigns it dynamically
11:17 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
11:40 -!- rascal999 [~user@li150-20.members.linode.com] has quit [Quit: leaving]
12:24 -!- Cubber [~ronny@cpe-24-58-133-221.twcny.res.rr.com] has joined #openvpn
12:25 < Cubber> I setup openvpn on gentoo with bridging I have my br0 setup correctly with eth0 and tap0.  I can connect a openvpn client to the server and it gets an IP however I cannot ping any addresses inside the lan on the server side.  How can I correct this?
12:26 < Cubber> my openvpn.conf file http://paste.pocoo.org/show/269927/
12:27 < Cubber> client config http://paste.pocoo.org/show/269929/
12:34 < Cubber> never mind I got it
12:34 -!- Cubber [~ronny@cpe-24-58-133-221.twcny.res.rr.com] has quit [Quit: leaving]
12:35 -!- manevra [~manevra@188.27.108.61] has joined #openvpn
12:36 -!- manevra [~manevra@188.27.108.61] has quit [Client Quit]
12:36 -!- dmizer [~dmizer@unaffiliated/dmizer] has joined #openvpn
12:37 -!- dmizer [~dmizer@unaffiliated/dmizer] has left #openvpn []
12:45 < vpnHelper> RSS Update - forum: Configuration :: Re: creating openvpn with ubuntu server and windows clinet :: Reply by george <https://forums.openvpn.net/viewtopic.php?f=6&t=7145&p=7902#p7902>
12:51 -!- Kenjiro [~kvirc@unaffiliated/kenjiro] has quit [Quit: KVIrc 4.0.2 Insomnia http://www.kvirc.net/]
12:55 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
13:05 -!- keyhive [~net_nigel@d221-71-130.commercial.cgocable.net] has joined #openvpn
13:05 < keyhive> I'm getting some strange behavior from my VPN server/client setup
13:05 < keyhive> Last night I created and tested a new user key/cert
13:06 < keyhive> it worked perfectly
13:06 < keyhive> and today it fails, telling me their a problem with authentication
13:06 < keyhive> P_CONTROL_HARD_RESET_SERVER_V2
13:07 < keyhive> Does this mean anything to anyone?  I see Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
13:08 < keyhive> but I've set my cipher to 
13:08 < keyhive> tls-cipher DHE-RSA-AES256-SHA
13:08 < keyhive> And another thing
13:10 < keyhive> I moved some of the pieces of my config around [ca, cert, key] above 'remote' and now I'm getting: TCP/UDP: Incoming packet rejected from [AF_INET]a.b.c.d:57165[s], expected peer address: [AF_INET]a.b.c.d:1194 (allow this incoming source address/port by removing --remote or by adding --float)
13:28 < |Mike|> :)
13:29 -!- keyhive [~net_nigel@d221-71-130.commercial.cgocable.net] has left #openvpn ["Leaving"]
13:40 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
13:44 < blackxored> BTW now that ciphers are touched, should I go for it, currently I have comp-lzo only, it is recommended, how much it will degrade performance?
13:50 -!- blackxored [~adrian@ubuntu/member/blackxored] has quit [Ping timeout: 255 seconds]
13:51 < vpnHelper> RSS Update - forum: Configuration :: Re: creating openvpn with ubuntu server and windows clinet :: Reply by zina83 <https://forums.openvpn.net/viewtopic.php?f=6&t=7145&p=7903#p7903>
14:09 -!- blackxored [~adrian@ubuntu/member/blackxored] has joined #openvpn
14:12 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Read error: Connection reset by peer]
14:13 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
14:13 -!- dazo is now known as dazo_afk
14:15 -!- batrick [~batrick@batbytes.com] has joined #openvpn
14:31 -!- manevra [~manevra@188.27.108.61] has joined #openvpn
14:46 < vpnHelper> RSS Update - forum: Server Administration :: Site to Site link :: Author Zexston <https://forums.openvpn.net/viewtopic.php?f=4&t=7146&p=7904#p7904>
14:47 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
15:07 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
15:13 -!- pumkinhed_ [~pumkinhed@72.45.85.159] has joined #openvpn
15:16 -!- pumkinhed [~pumkinhed@72.45.85.159] has quit [Ping timeout: 272 seconds]
15:16 -!- pumkinhed_ is now known as pumkinhed
15:24 -!- affix0 [~ident@100-084-128-083.dynamic.caiway.nl] has joined #openvpn
15:40 -!- manevra [~manevra@188.27.108.61] has quit []
15:55 -!- blackxored [~adrian@ubuntu/member/blackxored] has quit [Ping timeout: 240 seconds]
15:57 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 265 seconds]
16:02 -!- pumkinhed [~pumkinhed@72.45.85.159] has quit [Read error: Connection reset by peer]
16:06 -!- bent_screwdriver [~socain00@173-9-133-102-Miami.FL.hfc.comcastbusiness.net] has quit [Ping timeout: 264 seconds]
16:16 < vpnHelper> RSS Update - forum: Configuration :: Can't connect directly to IP - need to connecting to domain :: Author GreyIBlack <https://forums.openvpn.net/viewtopic.php?f=6&t=7147&p=7905#p7905>
16:16 -!- metze [~metze@samba/team/metze] has left #openvpn []
16:32 -!- bandini [~bandini@host153-25-dynamic.20-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
16:45 -!- affix0 [~ident@100-084-128-083.dynamic.caiway.nl] has quit [Ping timeout: 245 seconds]
17:49 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
17:49 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Quit: No Ping reply in 90 seconds.]
18:46 -!- phantomcircuit [~phantomci@adsl-99-35-134-134.dsl.pltn13.sbcglobal.net] has joined #openvpn
18:47 < phantomcircuit> so im trying to setup a tls server with tls-auth but im getting an openssl error about the private key being a mismatch
18:47 < phantomcircuit> http://pastebin.com/HWt8QQQ5
18:47 < phantomcircuit> the error is at the end
18:52 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
18:52 < phantomcircuit> what the hell the modulus is different in the pub/pri
18:52 < phantomcircuit> >.>
19:03 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
19:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
19:40 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
19:45 -!- Squidy [~quassel@189-10-9-250.cbace701.dsl.brasiltelecom.net.br] has joined #openvpn
20:03 -!- Optic [~Optic@67.205.74.218] has joined #openvpn
21:18 -!- Squidy [~quassel@189-10-9-250.cbace701.dsl.brasiltelecom.net.br] has quit [Remote host closed the connection]
21:24 -!- phantomcircuit [~phantomci@adsl-99-35-134-134.dsl.pltn13.sbcglobal.net] has quit [Quit: Leaving]
22:49 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
22:56 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 265 seconds]
23:24 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
--- Day changed Sat Oct 02 2010
00:16 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Ping timeout: 240 seconds]
00:40 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
01:02 -!- qweqweqwe [~alloy@tropyx.com] has joined #openvpn
01:04 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:40 -!- affix0 [~ident@100-084-128-083.dynamic.caiway.nl] has joined #openvpn
01:51 -!- d1b [~db@d1b.org] has joined #openvpn
01:51 < d1b> morning question
01:59 < d1b> anyone here :) ?
02:16 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
02:37 < d1b> oh hi guys how do i make a new tap device to join a brigde?
02:37 < d1b> bridge*
03:11 < kisom> d1b: check bridge-utils
03:11 < kisom> or whatever your distro calls it
03:33 -!- chinaman_ [~EmperorTo@184-97-166-249.mpls.qwest.net] has joined #openvpn
03:35 -!- chinaman [~EmperorTo@184-97-166-249.mpls.qwest.net] has quit [Ping timeout: 265 seconds]
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:39 < d1b> kisom: got that...
03:39 < d1b> did that
03:39 < d1b> now i have hte problem where my host isn't on the vpn bridge...
03:39 < d1b> even though i made a new tap for it ...
03:39 < d1b> it worked briefly before
03:40 < d1b> i tcpdump and arp is weird...
03:41 < d1b> From 10.8.0.4 icmp_seq=1 Destination Host Unreachable
03:47 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
04:01 -!- WebDawg [~WebDawg@officialg0d.com] has quit [Ping timeout: 264 seconds]
04:02 -!- WebDawg [~WebDawg@officialg0d.com] has joined #openvpn
04:06 < d1b> what happens is it hits the bridge and it isn't --> the dest.
04:07 < d1b> mmm seems to be an agging issue
04:17 -!- qweqweqwe [~alloy@tropyx.com] has quit [Ping timeout: 265 seconds]
04:17 -!- qweqweqwe [~alloy@tropyx.com] has joined #openvpn
04:36 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
04:42 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined #openvpn
04:46 < GerhardSchr> hi
05:47 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
06:13 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
07:42 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
09:35 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Where/How do I change in the code the packets type tobe HTTP :: ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7148&p=7906#p7906>
09:53 < vpnHelper> RSS Update - forum: Installation Help :: 2 basic checking questions to see if I am on the right track :: Author ... <https://forums.openvpn.net/viewtopic.php?f=5&t=7149&p=7907#p7907>
10:10 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
10:24 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
10:45 -!- me345 [~me345@75.15.176.124] has joined #openvpn
10:51 -!- Squidy [~quassel@187.53.180.205] has joined #openvpn
10:55 -!- chinaman_ [~EmperorTo@184-97-166-249.mpls.qwest.net] has quit [Ping timeout: 240 seconds]
11:10 -!- chinaman [~EmperorTo@174-30-210-250.mpls.qwest.net] has joined #openvpn
11:10 -!- manevra [~manevra@188.27.108.61] has joined #openvpn
11:13 < |Mike|> 8/wi
11:48 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
12:18 < vpnHelper> RSS Update - forum: Configuration :: Re: server on a router :: Reply by pavel989 <https://forums.openvpn.net/viewtopic.php?f=6&t=7142&p=7908#p7908>
12:20 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
12:46 -!- Squidy [~quassel@187.53.180.205] has quit [Remote host closed the connection]
12:51 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
13:00 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
13:14 -!- kisom [~kisom@c-d0dde155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Read error: Operation timed out]
13:27 -!- kisom [~kisom@c-d0dde155.648-1-64736c11.cust.bredbandsbolaget.se] has joined #openvpn
13:34 -!- Cheets [~Cheets@195.3.138.102] has joined #openvpn
14:06 -!- Optic [~Optic@67.205.74.218] has left #openvpn []
14:09 -!- me345 [~me345@75.15.176.124] has quit [Read error: Connection reset by peer]
14:09 -!- ropetin [~ropetin@pdpc/supporter/student/ropetin] has joined #openvpn
15:24 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has joined #openvpn
15:37 -!- ifl_ [~irc@ppp-124-121-191-234.revip2.asianet.co.th] has joined #openvpn
15:37 -!- ifl_ [~irc@ppp-124-121-191-234.revip2.asianet.co.th] has left #openvpn []
16:11 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has quit [Quit: Leaving]
16:12 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
16:22 -!- manevra [~manevra@188.27.108.61] has quit []
16:29 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined #openvpn
16:31 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 245 seconds]
16:35 -!- Squidy [~quassel@187.53.180.205] has joined #openvpn
17:07 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
17:22 -!- manevra [~manevra@188.27.109.26] has joined #openvpn
17:35 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 252 seconds]
17:47 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
17:59 -!- Squidy [~quassel@187.53.180.205] has quit [Remote host closed the connection]
18:10 -!- cpm [~Chip@dns1.daviswv.net] has joined #openvpn
18:10 -!- cpm [~Chip@dns1.daviswv.net] has quit [Changing host]
18:10 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
18:11 -!- avar [~avar@wikipedia/avar] has joined #openvpn
18:12 < avar> !welcome
18:12 < vpnHelper> avar: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:12 < avar> !push
18:12 < vpnHelper> avar: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
18:13 < avar> I have `push "dhcp-option DNS 10.9.8.1"` in my tun0.conf now. But I can't find out how I make that override any other DNS entry already there
18:14 < avar> i.e. I have "nameserver 192.168.2.1" beforehand, and after I'd just like "nameserver 10.9.8.1", not "nameserver 10.9.8.1\nnameserver 192.168.2.1"
18:32 -!- affix0 [~ident@100-084-128-083.dynamic.caiway.nl] has quit [Ping timeout: 272 seconds]
18:38 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
18:58 -!- meh3 [~efnet@27-9.202-62.fix.bluewin.ch] has quit [Ping timeout: 276 seconds]
18:59 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
19:00 < joako> I had openvpn up and running w/o issues but suddenly Windows clients would loose connection I needed to keep ping going in the background to keep it up, now the same thing on Mac but ping doesn't resolve it
19:00 < joako> How do I configure OpenVPN not to go down every 1 minute?
19:01 < |Mike|> it doesn't go down every minute :-)
19:01 < |Mike|> I set my $5 on the windows firewall
19:01 < avar> tried the keepalive options?
19:02 < joako> On MacOS my issue is the Windows firewall?
19:02 < |Mike|> joako: you wrote "Windows clientS"
19:04 < joako> And there is nothing in the logs in either the client or server that indicates an error
19:04 < |Mike|> Even if you set the verbose logging to 5?
19:10 < joako> I see in my logs Sat Oct  2 20:06:06 2010: [VPNCERT] Inactivity timeout (--ping-restart), restarting
19:10 < |Mike|> Looks like the connection was idle for a while and openvpn decided to kill it
19:11 < joako> How would I disable that?
19:12 < |Mike|> increas the ping 
19:14 < joako> Im constantly pinging a host on the other end of the tunnel but it still drips
19:14 < joako> and my log also shows: Sat Oct  2 20:12:14 2010: SIGUSR1[soft,ping-restart] received, process restarting
20:12 -!- meh3 [~efnet@27-9.202-62.fix.bluewin.ch] has joined #openvpn
20:26 < joako> Can the same user from the same IP address connect to the same openvpn server @ the same time?
20:49 < manevra> joako what do you mean ?
20:49 < manevra> same user from same ip at the same openvpn server?
20:50 < manevra> why would somebody try such thing
20:50 -!- MrKeuner [~sur@unaffiliated/mrkeuner] has joined #openvpn
20:52 < MrKeuner> hello, I am following https://help.ubuntu.com/10.04/serverguide/C/openvpn.html but stuck somewhere. in the server.conf is "local <ip_number>" a real IP number or a LAN IP number?
20:52 < vpnHelper> Title: OpenVPN (at help.ubuntu.com)
20:54 < krzie> it is the IP to bind to
20:54 < krzie> as in, what is on the actual interface
20:57 < MrKeuner> OK, what about this line, server-bridge 172.18.100.101 255.255.255.0 172.18.100.105 172.18.100.200
20:57 < MrKeuner> I was thinking that as openvpn server I'd be distributing local IPs
20:59 < krzie> !man
20:59 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
20:59 < krzie> tried checking there?
21:00 < manevra> can an openvpn server have a single lan card ? will it work ?
21:00 < MrKeuner> krzie, tried openvpn but I could not differentiate what part of that site is for the community version 
21:06 < joako> manevra, I have the same openvpn setup on multiple computers I had unexplained dropping of the connections then I noticed my laptop was also connected to the VPN
21:07 < manevra> and all those multiple computers have the same IP ?
21:21 < joako> manevra, yes they are in my house behind the same NAT router
21:36 < krzie> MrKeuner, to download, or for what?
21:36 < krzie> if for download, go to openvpn.net/download
21:36 < MrKeuner> krzie, for directions
21:37 < krzie> !howto
21:37 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
21:37 < krzie> !man
21:37 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
21:37 < krzie> those are community
21:37 < krzie> also, you likely dont need a bridge
21:37 < krzie> !tunortap
21:37 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against
21:37 < vpnHelper> krzie: you over the vpn, or (#4) lan gaming? use tap!
21:38 < krzie> joako, manevra, you can optionally decide to have only 1 machine connected per lan, and join the lan over the vpn... if you want that, see !route
21:38 -!- mmestnik [~mmestnik@173-160-118-149-Minnesota.hfc.comcastbusiness.net] has quit [Ping timeout: 245 seconds]
21:38 < MrKeuner> I'd like to set my school host an openvpn server so that I could connect the e-journal databases from my laptop as if I am at school. one server one client that's all
21:39 < joako> krzie, no it was just my oversight. I had laptop and desktop connected and using desktop, connection was dropping without anything "odd" in the logs. Solution: disconnect 1 machine
21:39 < krzie> MrKeuner, you have access to have a port listening for connections at school?
21:39 < MrKeuner> am root at my school host
21:39 < krzie> joako, solution #2, make a cert for each machine
21:40 < MrKeuner> it is a school desktop that I have ubuntu installed
21:40 < krzie> MrKeuner, but i mean the firewall / NAT would allow it?
21:40 < joako> I want to avoid certificates, they are a pain
21:40 < MrKeuner> krzie, not sure could not set it up yet
21:40 < krzie> joako, thats your choice... but you should be aware that static keys are a little less secure
21:42 < MrKeuner> krzie, I can certainly ssh to it
21:42 < krzie> MrKeuner, good stuff
21:42 < krzie> MrKeuner, 
21:42 < krzie> !sample
21:42 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
21:42 < krzie> !pki
21:42 < vpnHelper> krzie: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was
21:42 < vpnHelper> krzie: signed specially as a server (see !servercert)
21:42 < krzie> !serverlan
21:42 < vpnHelper> krzie: "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
21:47 < joako> krzie, I use passwords
21:50 < MrKeuner> krzie, when I use a /etc/openvpn/client.conf on a client machine, does that mean that vpn will be initiated automatically? what if I have two openvpn servers?
21:50 < MrKeuner> regarding the client.conf from sample 
21:54 -!- joako [~joako@opensuse/member/joak0] has quit [Quit: Leaving]
21:56 < MrKeuner> do I still need client.conf if I'd like to use network manager in ubuntu
21:56 -!- mmestnik [~mmestnik@173-160-118-149-Minnesota.hfc.comcastbusiness.net] has joined #openvpn
22:09 -!- manevra [~manevra@188.27.109.26] has quit []
22:39 < MrKeuner> TLS Error: cannot locate HMAC in incoming packet from... what does that mean?
22:40 < MrKeuner> is that ta.key that is missing?
22:44 -!- Optic [~Optic@67.205.74.218] has joined #openvpn
22:45 -!- MrKeuner [~sur@unaffiliated/mrkeuner] has quit [Quit: Ex-Chat]
22:47 -!- krzie [~k@openvpn/community/support/krzee] has quit [Remote host closed the connection]
22:57 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 252 seconds]
23:05 < krzee> yes
23:05 < krzee> oh, he left
23:09 -!- box2 [~box2@zaibat.su] has quit [Quit: soy bomb]
23:25 -!- Optic [~Optic@67.205.74.218] has left #openvpn []
23:43 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
--- Day changed Sun Oct 03 2010
00:11 -!- MrKeuner [~sur@unaffiliated/mrkeuner] has joined #openvpn
00:14 < MrKeuner> !welcome
00:14 < vpnHelper> MrKeuner: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
00:16 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Ping timeout: 240 seconds]
00:19 < MrKeuner> i can connect to the openvpn server, verified by the server logs... However, as soon as I connect to the server I lose ability to ping internet IPs. Why would that happen?
00:28 < theDoc> !firewall
00:28 < vpnHelper> theDoc: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
00:28 < theDoc> !linnnat
00:28 < vpnHelper> theDoc: Error: "linnnat" is not a valid command.
00:28 < theDoc> !nat
00:28 < vpnHelper> theDoc: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
00:28 < theDoc> !linnat
00:28 < vpnHelper> theDoc: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
00:35 < MrKeuner> theDoc, I can ping to the openvpn servers tun IP, though. I do not think it is firewall issue
00:35 < theDoc> MrKeuner> Check the above first, it's most likely one of those
00:38 < MrKeuner> theDoc, thanks iptables command did the trick, so what is my problem?
00:38 < theDoc> You missed out nat'ing the vpn ip pool to a network interface where the traffic can be sent out to the public internet.
00:39 < MrKeuner> theDoc, is that normally specified in server.conf somewhere?
00:39 < theDoc> No.
00:40 < theDoc> That's an iptables thing.
00:40 < MrKeuner> run iptables command each time? or is there a way to specify a post-run script for openvpn?
00:42 < theDoc> Just save the working config and get iptables to load it on boot.
00:43 -!- affix [~ident@100-084-128-083.dynamic.caiway.nl] has joined #openvpn
01:11 < MrKeuner> theDoc, all right, thank you
01:12 < MrKeuner> theDoc, how can I make sure that the data transmitted between the remote computer and the private network is encrypted?
01:12 < MrKeuner> !encryption
01:12 < vpnHelper> MrKeuner: "encryption" is Why symetric encryption is better: http://www.ketufile.com/Symmetric_vs_Asymmetric_Encryption.pdf
01:15 < theDoc> MrKeuner> tcpdump
01:15 -!- Mahjongg [~MrKeuner@unaffiliated/mrkeuner] has joined #openvpn
01:15 < theDoc> You want that.
01:16 < MrKeuner> theDoc, that would be too low level for me, what is the server.conf setting that is required for encyption?
01:16 < MrKeuner> or client.conf setting
01:16 < MrKeuner> or both
01:16 < theDoc> MrKeuner> The tunnel already encrypts.
01:16 < theDoc> You can verify it with tcpdump
01:17 -!- MrKeuner [~sur@unaffiliated/mrkeuner] has quit [Quit: Ex-Chat]
01:17 -!- Mahjongg is now known as MrKeuner
01:18 < MrKeuner> tcpdump on the client machine?
01:18 < theDoc> Either server/client is fine.
01:19 < MrKeuner> by tunnel do you mean the openvpn connection?
01:20 < theDoc> Yes.
01:20 < theDoc> You don't need to sniff the tunnel, you just sniff eth0
01:27 -!- MrKeuner [~MrKeuner@unaffiliated/mrkeuner] has quit [Ping timeout: 255 seconds]
01:39 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
01:41 -!- MrKeuner [~MrKeuner@unaffiliated/mrkeuner] has joined #openvpn
01:51 -!- MrKeuner [~MrKeuner@unaffiliated/mrkeuner] has quit [Ping timeout: 276 seconds]
01:52 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined #openvpn
01:57 -!- MrKeuner [~sur@unaffiliated/mrkeuner] has joined #openvpn
01:57 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Client Quit]
01:58 < MrKeuner> so, I do not need to enable "cipher DES-EDE3-CBC" for encryption
02:34 -!- chinaman_ [~EmperorTo@184-97-189-68.mpls.qwest.net] has joined #openvpn
02:36 -!- chinaman [~EmperorTo@174-30-210-250.mpls.qwest.net] has quit [Ping timeout: 255 seconds]
02:45 -!- ifl_ [~irc@ppp-124-122-5-59.revip2.asianet.co.th] has joined #openvpn
02:46 < ifl_> !welcome
02:46 < vpnHelper> ifl_: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:59 < vpnHelper> RSS Update - forum: Installation Help :: Destination Host Unreachable :: Author rub <https://forums.openvpn.net/viewtopic.php?f=5&t=7150&p=7909#p7909>
02:59 -!- ifl_ [~irc@ppp-124-122-5-59.revip2.asianet.co.th] has quit [Ping timeout: 272 seconds]
03:00 < MrKeuner> read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
03:02 -!- ifl_ [~irc@ppp-124-122-5-151.revip2.asianet.co.th] has joined #openvpn
03:08 -!- affix [~ident@100-084-128-083.dynamic.caiway.nl] has quit [Disconnected by services]
03:09 -!- avar [~avar@wikipedia/avar] has left #openvpn []
03:11 -!- affix0 [~ident@100-084-128-083.dynamic.caiway.nl] has joined #openvpn
03:29 -!- ifl_ [~irc@ppp-124-122-5-151.revip2.asianet.co.th] has quit [Ping timeout: 240 seconds]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:51 < MrKeuner> MULTI: bad source address from client [128.119.183.104], packet dropped
03:53 -!- MrKeuner [~sur@unaffiliated/mrkeuner] has left #openvpn ["Ex-Chat"]
04:19 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
04:42 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
04:42 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
04:42 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
04:54 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined #openvpn
05:05 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
05:10 -!- detys [~detys@193.48.172.6] has joined #openvpn
05:11 < detys> Hi
05:11 < detys> I'm trying to compile openvpn 2.1.3 with visual studio
05:12 < detys> where can I get the python signtool module? I gave the path to an x86 signtool.exe in settings but it still says "ImportError: No module named signtool"
05:16 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Remote host closed the connection]
05:16 < vpnHelper> RSS Update - forum: Installation Help :: Is there an inet_addr for tap0 under the output of #ifconfig :: Author ... <https://forums.openvpn.net/viewtopic.php?f=5&t=7151&p=7910#p7910>
05:29 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
05:41 < detys> ah the joy of trying to compile openvpn on windows 
05:42 -!- Martin` is now known as Martin
05:42 -!- Martin is now known as Guest31163
05:49 < GerhardSchr> why do you compile these? (on windows?)
05:53 < vpnHelper> RSS Update - forum: Installation Help :: Is there a line for tap0 under the output of #route -n? :: Author cakemaker <https://forums.openvpn.net/viewtopic.php?f=5&t=7152&p=7911#p7911>
05:56 < detys> I need enable password save
06:17 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
06:36 -!- affix0 [~ident@100-084-128-083.dynamic.caiway.nl] has quit [Quit: —I-n-v-i-s-i-o-n— 3.2 (July '10)]
06:37 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:46 -!- IRConan [~conan@unaffiliated/rconan] has joined #openvpn
07:06 < detys> 
07:07 < detys> openvpn is compiling
07:07 < detys> BWahaahahahaahHAHAHA
07:12 < vpnHelper> RSS Update - forum: Server Administration :: Just no connection :: Author kkaal <https://forums.openvpn.net/viewtopic.php?f=4&t=7153&p=7912#p7912>
07:16 -!- manevra [~manevra@188.27.109.26] has joined #openvpn
07:31 -!- Squidy [~quassel@187.7.244.157] has joined #openvpn
07:41 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
08:01 -!- Cheets [~Cheets@195.3.138.102] has quit [Remote host closed the connection]
08:01 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Read error: Connection reset by peer]
08:02 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
08:07 -!- koaschten_ [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
08:09 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
08:10 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Ping timeout: 252 seconds]
08:10 -!- ropetin [~ropetin@pdpc/supporter/student/ropetin] has left #openvpn []
08:36 -!- Mushbills [~Bushmills@scarydevilmonastery.net] has joined #openvpn
08:39 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has quit [Disconnected by services]
08:40 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined #openvpn
08:40 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has quit [Disconnected by services]
08:40 -!- Mushbills is now known as Bushmills
08:41 -!- Bushmill- [~Bushmills@scarydevilmonastery.net] has joined #openvpn
08:45 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has quit [Disconnected by services]
08:45 -!- Bushmill- is now known as Bushmills
08:46 -!- Bushmill- [~Bushmills@scarydevilmonastery.net] has joined #openvpn
08:48 -!- Optic [~Optic@67.205.74.218] has joined #openvpn
08:53 -!- zamba [marius@flage.org] has joined #openvpn
08:54 < zamba> when setting up an openvpn connection through gnome network manager, then my default gw gets replaced by the openvpn tunnel
08:54 < zamba> how can i avoid that?
08:57 < zamba> nevermind, i ran it through the cli
09:03 -!- detys [~detys@193.48.172.6] has quit []
09:19 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Remote host closed the connection]
09:20 -!- Alphanaut [~chatzilla@c-76-19-128-29.hsd1.ma.comcast.net] has joined #openvpn
09:22 < Alphanaut> so in case anyone is here, my question: i have set up a windows laptop (client) to connect to my home router (dd-wrt) via openvpn, then pipe all traffic back out to the net to secure my traffic while using open wifi hotspots.  I can connect to the router no problem, and i can connect to servers behind my router at home while i'm on the road, however my browser traffic bypasses the vpn tunnel...
09:22 < Alphanaut> ...completely. 
09:22 < Alphanaut> any ideas why this would be?
09:23 < Alphanaut> !def1
09:23 < vpnHelper> Alphanaut: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
09:25 < Alphanaut> hm
09:25 < Alphanaut> !man redirect-gateway
09:25 < vpnHelper> Alphanaut: Error: "man" is not a valid command.
09:25 < Alphanaut> !man
09:25 < vpnHelper> Alphanaut: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
09:27 < Alphanaut> *pin drop*
09:36 -!- Alphanaut [~chatzilla@c-76-19-128-29.hsd1.ma.comcast.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.10/20100914125854]]
09:57 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
10:28 -!- fipu [~fipu@swissvps.net] has quit [Ping timeout: 240 seconds]
11:11 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
11:25 -!- IRConan [~conan@unaffiliated/rconan] has quit [Ping timeout: 265 seconds]
11:38 -!- digitalfredy [be547a18@gateway/web/freenode/ip.190.84.122.24] has joined #openvpn
11:39 -!- Mahjongg [~MrKeuner@unaffiliated/mrkeuner] has joined #openvpn
11:42 -!- IRConan [~conan@91.121.107.63] has joined #openvpn
11:42 -!- IRConan [~conan@91.121.107.63] has quit [Changing host]
11:42 -!- IRConan [~conan@unaffiliated/rconan] has joined #openvpn
11:44 < Mahjongg> hello, I am using openvpn to connect a my work network, which I think is working successfully, since I get an IP from my work network, except when I go to google maps and ask it to locate me, it locates me at my home. How is this possible? Did I miss something in my openvpn configuration?
11:45 < Rienzilla> maybe you're not routing all your data through the vpn
11:46 < Mahjongg> when I use the browser to check my ip it shows the work IP, I use the same browser for google maps
11:46 < |Mike|> what IP do you get if you surf to www.whatismyip.com ?
11:46 < Mahjongg> |Mike|, work IP
11:48 < Rienzilla> maybe google uses more info than just hte ip you connect from
11:48 < |Mike|> Are they allowed to store such information? :P
11:49 < |Mike|> btw, where do you see a button with 'locate me'?
11:49 < |Mike|> You have to set that location first....
11:50 < Mahjongg> |Mike|, right above the zooming scale there is a circle
11:50 < |Mike|> hm indeed
11:50 < Mahjongg> Rienzilla, what else can they be using?
11:51 < |Mike|> mine is quite acurate
11:51 < Mahjongg> |Mike|, it shows you at your real location not at your remote IP location, doesn't it?
11:51 < |Mike|> Mahjongg: my browser is now asking to set it as default as well
11:52 < Mahjongg> |Mike|, what it is asking is to whether to allow that site location info all the time
11:52 < |Mike|> yeah
11:53 < Rienzilla> they might already have seen his browser from another ip previously
11:53 < Rienzilla> cookies
11:53 < |Mike|> that info shouldn't be stored :P
11:53 < Mahjongg> Rienzilla, this laptop was in the work location actually yesterday
11:53 < Mahjongg> Rienzilla, and I have set the browser to clear cookies on shutdown anyways
11:54 < Mahjongg> do you people know of any other locators?
11:54 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
11:55 < Mahjongg> I am wondering it is only google's algorithm or a setting problem on my side
11:58 < Mahjongg> http://www.mozilla.com/en-US/firefox/geolocation/ but I guess they are also using google
11:58 < vpnHelper> Title: Geolocation in Firefox (at www.mozilla.com)
12:05 < Mahjongg> hmm, If you consent, Firefox gathers information about nearby wireless access points and your computer’s IP address. Then Firefox sends this information to the default geolocation service provider, Google Location Services, to get an estimate of your location. That location estimate is then shared with the requesting website.
12:05 < Mahjongg> that's from mozilla site
12:06 < Mahjongg> I am not sure if I have set my location on my wireless access point, though...
12:23 -!- digitalfredy [be547a18@gateway/web/freenode/ip.190.84.122.24] has quit [Ping timeout: 265 seconds]
12:56 -!- Mahjongg [~MrKeuner@unaffiliated/mrkeuner] has quit [Read error: Connection reset by peer]
13:01 -!- Tapke [~Tapkis@home.tapke.eu] has left #openvpn []
13:03 -!- fipu [~fipu@62.75.187.155] has joined #openvpn
13:23 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
13:54 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Organize your IRC]
14:11 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
14:22 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
14:22 < vpnHelper> RSS Update - forum: Installation Help :: TAP install Windows XP-SP3 fails :: Author martinbln <https://forums.openvpn.net/viewtopic.php?f=5&t=7154&p=7913#p7913>
14:36 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 276 seconds]
14:41 -!- manevra is now known as s7r
14:46 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
15:04 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 252 seconds]
15:08 -!- s7r [~manevra@188.27.109.26] has quit []
15:15 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
15:36 -!- s7r [~s7r@188.27.109.26] has joined #openvpn
16:46 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:14 -!- koaschten [koaschten@188-194-96-209-dynip.superkabel.de] has joined #openvpn
17:17 -!- koaschten_ [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Ping timeout: 255 seconds]
17:17 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
17:24 < oc80z> !welcome
17:24 < vpnHelper> oc80z: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:25 < oc80z> !bonding
17:25 < vpnHelper> oc80z: Error: "bonding" is not a valid command.
17:25 < oc80z> !goal 
17:25 < vpnHelper> oc80z: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:26 < Bushmills> !route
17:26 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:26 < Bushmills> !redirect
17:26 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:29 -!- koaschten_ [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
17:32 -!- koaschten [koaschten@188-194-96-209-dynip.superkabel.de] has quit [Ping timeout: 265 seconds]
17:33 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
17:35 -!- koaschten_ [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Ping timeout: 240 seconds]
17:38 < krzee> sup oc80z 
17:48 -!- raidz [~Andrew@seance.openvpn.org] has joined #openvpn
17:50 -!- meepmeep_ [meepmeep@212.24.104.229] has joined #openvpn
17:51 -!- ^scott^ [~scott@stthom.org] has quit [Ping timeout: 240 seconds]
17:51 -!- Optic [~Optic@67.205.74.218] has quit [Ping timeout: 240 seconds]
17:51 -!- Smirnov [~igor@about/csharp/ms/clrjit/smirnov] has quit [Ping timeout: 240 seconds]
17:51 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
17:51 -!- raidzxx [~Andrew@seance.openvpn.org] has quit [Ping timeout: 240 seconds]
17:51 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 240 seconds]
17:51 -!- ping-pong [~qwerty@212-30-223-89.static.simnet.is] has quit [Ping timeout: 240 seconds]
17:51 -!- oc80z [oc80z@blea.ch] has quit [Ping timeout: 240 seconds]
17:52 -!- Smirnov [~igor@about/csharp/ms/clrjit/smirnov] has joined #openvpn
17:52 -!- oc80z [oc80z@blea.ch] has joined #openvpn
17:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
17:53 -!- ping-pong [~qwerty@212-30-223-89.static.simnet.is] has joined #openvpn
17:53 -!- Optic [~Optic@miso.capybara.org] has joined #openvpn
18:05 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
18:25 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
18:28 -!- tjz [~pc@bb121-7-128-74.singnet.com.sg] has joined #openvpn
18:28 -!- tjz [~pc@bb121-7-128-74.singnet.com.sg] has quit [Changing host]
18:28 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
18:31 -!- le0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has joined #openvpn
18:31 -!- le0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has quit [Changing host]
18:31 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
19:05 -!- IRConan [~conan@unaffiliated/rconan] has left #openvpn []
19:08 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
19:45 -!- ^scott^ [~scott@stthom.org] has joined #openvpn
19:49 -!- Optic [~Optic@miso.capybara.org] has left #openvpn []
19:56 -!- s7r [~s7r@188.27.109.26] has left #openvpn []
20:09 -!- coppermine [~coppermin@modemcable109.70-23-96.mc.videotron.ca] has joined #openvpn
20:09 < coppermine> essentially if i establish a vpn link with a remote server my isp cannot look at my packets?
20:10 < jpalmer> they can always look.  they'll just see encrypted data.  the real question is:  what data are you trying to hide from the ISP,  and why would they care to look at your packets.
20:11 < coppermine> jpalmer: thats personal
20:11 -!- coppermine [~coppermin@modemcable109.70-23-96.mc.videotron.ca] has quit [Client Quit]
20:11 < jpalmer> heh
20:13 < krzee> jpalmer, why would that be the real question?
20:13 < krzee> privacy does not depend on having something to hide
20:14 < jpalmer> I was just messing with him,  and he bolted
20:14 < krzee> lol
20:14 < jpalmer> maybe he thought I was FBI,  I dunno. ;)
20:14 < krzee> oh ya, damn, i should go make an invoice
20:14  * krzee googles for a template
20:14 < jpalmer> yeah,  seriously.
20:15 < jpalmer> btw:  I have that whole scenario labbed up and working.  it just became painfully obvious that i need to lan iptables before I implement it.
20:16 < krzee> to lan iptables?
20:16 < jpalmer> I even have openvpn updating the DNS entries for the hosts.  (and as I said,  I'm keeping notes for a nice wiki article)
20:16 < jpalmer> s/lan/learn/  (brain isn't working)
20:16 < jpalmer> my BSD background has (thankfully) made me not need to learn iptables until now.
20:17 < krzee> ahh
20:19 < krzee> what date shall i put on the invoice
20:22 < jpalmer> erm,  let me see if I can find it.  one sec
20:23 < jpalmer> September 13th
20:26 < jeev> damnit
20:27 < jeev> someone has to know how to record from a camcorder to computer
20:27 < krzee> jeev, vlc can do it
20:27 < jeev> hmm? i want to have multiple
20:28 < jeev> fuckin security cameras suck ballssacks
20:28 < jeev> i want to use 1080p camcorders
20:29 < krzee> heh
20:29 < krzee> (this is for me, ignore it)
20:29 < krzee> !donate
20:29 < vpnHelper> krzee: "donate" is (#1) send monetary donations to openvpn@secure-computing.net via paypal. All money donated goes to staff toward development of the community wiki, forum, and this IRC channel., or (#2) Contributions to this address do *NOT* directly benefit OpenVPN Technologies, Inc., or (#3) http://www.secure-computing.net/wiki/index.php/OpenVPN/Donations for Contribution totals and benefactors
20:30 < jpalmer> jeev:   are you doing a full surveillance system?  or just dabbling?
20:32 < krzee> jeev. remember, the girls have to sign papers before you can sell those videos
20:32 < krzee> o_O
20:33 < jeev> jpalmer, i want at least two or three cameras
20:34 < jeev> krzee, i dont do stuff like that.
20:35 < jpalmer> jeev:  if it's for surveillance,  I've just recently installed half a dozen "digital watchdogs"   lately.   the price is right, and features are great.
20:36 < jpalmer> one restaurant client just installed 5 units, 16 cameras each. AND it has an iphone/blackberry app,  for remote viewing ont he phone.   $1400 for the 16 camera version.  if you only need 4,  I bet you'd get it insane cheap.
20:36 < jeev> wow
20:36 < jeev> what's the qualizity?
20:37 < jeev> i've got some shitty ass system right now i'm gonna dump, it can't pick up a 6 foot tall pube
20:37 < jpalmer> I've found that the res doesn't really mean anything.  it's all about the quality of the camera.
20:37 < jeev> im tired of this generic 30fps shit
20:37 < jeev> i mean i dunno how many fps i need
20:37 < jeev> 30 is probably enough.. but better QUALITY video
20:38 < jpalmer> I'd wager a bet, that your camera's are low quality.
20:39 < jeev> duh but the DVR blows too
20:39 < jeev> how good is the video on those digital watchdogs
20:39 < jpalmer> the vmax16 that I'm using can do up to 720x480
20:40 < jeev> i dont know much about resolution, bah
20:40 < jeev> i mean i know 720x480
20:40 < jeev> isn't that weak
20:40 < jeev> that's dvd qual eh
20:40 < jeev> 720x480 = 720p?
20:41 < jpalmer> not sure.  but I know that paired with good cameras,  I don't even run them that high.  I use 352x240
20:42 < jpalmer> (and that quality is good enough that the cops were able to find 4 people involved in a bar fight a few weeks ago, just off the videos)
20:42 < jeev> jpalmer, i want MAX quality
20:42 < jeev> enough to find out if someone pocketed cash
20:43 < jpalmer> you'd be able to see that easily at 352x240 and decent cams.  but,   if you *do* want higher,  the unit is certainly capable of it.  I was just giving you an idea of the quality.
20:43 < jeev> can you get me a snippet of the quality ?
20:44 < jpalmer> I'd have to get permission.   it's not my restaurant to say yes.
20:45 -!- p3rror [~mezgani@adsl196-233-65-206-196.adsl196-3.iam.net.ma] has joined #openvpn
20:46 < jeev> link me to the products
20:48 < jpalmer> http://www.dwcc.tv/productsDVRS.asp?showme=Stand%20Aloneshowcat=yes&showitem=yes&rid=84
20:48 < vpnHelper> Title: .:: Digital Watchdog - DW-VMAX 16 Stand Aloneshowcat=yes, 173.8.118.214 ::. (at www.dwcc.tv)
20:48 < jpalmer> thats the model I use.  but they have 4 and 8 unit DVR's too.
20:50 < jeev> hmm
20:50 < jeev> that thing is over 1k
20:51 < jpalmer> $1400,  for the 16 unit model.   so I'm guessing the 4 unit will be in the neighboorhood of 400-600
20:52 < jeev> i see but that doesn't include cameras
20:52 < jpalmer> but,  if you don't need the ability to view it over the internet,  it may be overkill.
20:52 < jeev> i'd like the ability to view over the net
20:52 < jpalmer> I used to use digitalmicros gear.   $3200 for 16 cameras,  and nowhere near the quality of features.
20:53 < jeev> jpalmer, you're not speaking clearly.
20:53 < jeev> you told me 16 cameras each
20:53 < jpalmer> for the DVS only. mind you (most of the DVR's are sold independantly)
20:53 < jpalmer> what part isn't clear?
20:53 < jeev> did you or did you not do 5 units, 16 cameras each for 1400 every 16 caemras?
20:53 < jeev> how much is it for 16 cameras for example with the DVR
20:53 < jpalmer> for the DVR, yes.
20:54 < jeev> ok, when looking for good cameras, what do you suggest
20:54 < jpalmer> almost none of these come as "packages"    you buy a DVR,  and cams to hook up to the DVR.  and microphones if you desire sound are also seperate
20:54 < jeev> yes i understand that
20:55 < jpalmer> cams,   I can't really give a suggestion.  thats not my area of expertise..  and te choice will be very dependant on the various environments you'll be installing in.  I'd suggest calling a vendor for that.
20:56 < jeev> looking at their demo..
20:57 < jeev> bah
20:57 < jeev> hrmf
21:00 < jpalmer> hmm?
21:01 < jpalmer> if you have an iphone or blackberry,  make sure to also try the mobile view.
21:01 < jeev> ok
21:02 -!- Squidy [~quassel@187.7.244.157] has quit [Remote host closed the connection]
21:10 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
21:10 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
21:10 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
21:12 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
21:31 < jeev> it actually connecst as "pc camera" with usb
21:35 < jeev> krzee, using vlc
21:37 < theDoc> jeev> What seems to be the problem?
21:37 < jeev> theDoc, no problem, trying to get a camcorder to record on my computer as a security camera for a place (test)
21:37 < jeev> this polace needs better quality stuff
21:37 < jeev> place
21:38 < theDoc> Ah.
21:48 < jeev> directshow/vlc works
21:48 -!- pervy_sage is now known as paradiggum
21:48 < jeev> it's writing to my SSD though, i need to find out how to change it
22:03 -!- paradiggum is now known as svm_invictvs
22:11 < vpnHelper> RSS Update - forum: Server Administration :: simplicity on changing gateways :: Author pinguim007 <https://forums.openvpn.net/viewtopic.php?f=4&t=7155&p=7914#p7914>
22:17 < vpnHelper> RSS Update - forum: Server Administration :: linux bridge and openvpn :: Author pinguim007 <https://forums.openvpn.net/viewtopic.php?f=4&t=7156&p=7915#p7915>
22:32 -!- Optic [~Optic@miso.capybara.org] has joined #openvpn
23:06 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
23:07 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
23:47 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Ping timeout: 240 seconds]
23:51 -!- Smirnov [~igor@about/csharp/ms/clrjit/smirnov] has quit [Ping timeout: 264 seconds]
23:51 -!- Smirnov [~igor@about/csharp/ms/clrjit/smirnov] has joined #openvpn
--- Day changed Mon Oct 04 2010
00:49 < kraut> moin
00:59 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Where/How do I change the code of openvpn packets to HTTP :: ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7157&p=7916#p7916>
01:00 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
01:30 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
01:43 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Read error: Connection reset by peer]
01:45 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:52 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
02:16 -!- meh3 [~efnet@27-9.202-62.fix.bluewin.ch] has quit [Read error: Operation timed out]
02:25 -!- dazo_afk is now known as dazo
02:54 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Ping timeout: 240 seconds]
03:08 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined #openvpn
03:17 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Read error: Operation timed out]
03:20 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined #openvpn
03:20 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Excess Flood]
03:21 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined #openvpn
03:30 < vpnHelper> RSS Update - forum: Server Administration :: Re: OpenVPN, Squid and two networks. ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7138&p=7917#p7917>
03:30 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Ping timeout: 265 seconds]
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined #openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:44 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has joined #openvpn
03:44 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Ping timeout: 265 seconds]
03:56 -!- Phenox_ [~Bernd@88.215.198.24] has quit [Remote host closed the connection]
03:57 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined #openvpn
04:19 -!- le0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has joined #openvpn
04:19 -!- le0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has quit [Changing host]
04:19 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
04:19 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined #openvpn
04:19 -!- jmm [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has left #openvpn []
04:32 -!- p3rror [~mezgani@adsl196-233-65-206-196.adsl196-3.iam.net.ma] has quit [Ping timeout: 276 seconds]
04:42 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has quit [Quit: Leaving]
04:45 -!- p3rror [~mezgani@adsl196-62-77-206-196.adsl196-3.iam.net.ma] has joined #openvpn
05:14 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
05:14 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
05:14 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:41 -!- Phenox_ [~Bernd@88.215.198.24] has joined #openvpn
06:41 -!- meh3 [~efnet@27-9.202-62.fix.bluewin.ch] has joined #openvpn
06:46 -!- Alphanaut [~chatzilla@c-98-229-67-227.hsd1.ma.comcast.net] has joined #openvpn
06:47 -!- Alphanaut [~chatzilla@c-98-229-67-227.hsd1.ma.comcast.net] has quit [Client Quit]
07:22 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has joined #openvpn
07:31 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
07:59 -!- Alphanaut [~chatzilla@c-98-229-67-227.hsd1.ma.comcast.net] has joined #openvpn
08:04 < Alphanaut> so i have a windows laptop (client) and i can connect to my home server (dd-wrt).  i use openvpn to secure my traffic when using open wifi hotspots.  i can connect to servers within my lan at home while on the road (thru the vpn), but for some reason sometimes my web ttraffic goes through the vpn and sometimes it doesnt
08:05 < Alphanaut> any idea why using some hotspots it will bypass the vpn and using others it will route browser traffic thru the pipe?
08:10 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
08:12 < hyper_ch> are you sure it does that? do you use the def1 option?
08:18 < Alphanaut> what do you mean am i sure?  yes, i use: push "default-route def1" on the server config.  i know for 2 reasons.  1. if i go to an ip lookup site when it's not working correctly, it shows the wan ip of whatever open wifi i'm using.  if it is working it will show me my home wan ip.  2. i watch the packet flow on the TAP adapter in windows.  when it's working, both send and receive go up.  when...
08:18 < Alphanaut> ...it's not working only the send goes up, but i never receive anything back thru the pipe to my client.
08:18 < Alphanaut> tis odd no?
08:19 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
08:27 -!- s7r [~s7r@188.27.109.26] has joined #openvpn
08:38 < Alphanaut> so i'm guessing nobody has ever seen that before then
08:38 < dazo> default-route is not a valid option
08:39 < Alphanaut> it's not?
08:39 < dazo> --redirect-gateway on the other hand is
08:39 < Alphanaut> oh my bad
08:39 < Alphanaut> yes
08:39 < Alphanaut> that's what i meant
08:39 < Alphanaut> but perhaps i should verify
08:40 < Alphanaut> yah i have: push "default-gateway def1"  in the server config
08:41 < Alphanaut> so it works on some open wifi access points and not others, and i cant figure out why that would be
08:42 < Alphanaut> oh ahah
08:42 < Alphanaut> duh
08:43 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
08:44 -!- Alphanaut_ [~chatzilla@c-76-119-199-25.hsd1.ma.comcast.net] has joined #openvpn
08:44 < Alphanaut_> if that was the problem all this time i'm going to scream
08:45 < Alphanaut_> i dont think is is however
08:46 < Alphanaut_> dang nope
08:46 < Alphanaut_> do i need to "pull" from the client side if i "push" that option on the server side?
08:46 -!- Alphanaut [~chatzilla@c-98-229-67-227.hsd1.ma.comcast.net] has quit [Ping timeout: 245 seconds]
08:47 -!- Alphanaut_ [~chatzilla@c-76-119-199-25.hsd1.ma.comcast.net] has quit [Client Quit]
08:49 -!- Alphanaut [~chatzilla@c-76-119-199-25.hsd1.ma.comcast.net] has joined #openvpn
08:50 < Alphanaut> infuriating
08:50 < Alphanaut> could this have something to do with it: Mon Oct 04 09:45:42 2010 WARNING: potential TUN/TAP adapter subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]
08:50 < Alphanaut> i dont see why it would since i get that error on access points that work fine
08:51 < Alphanaut> by work fine i mean that send all client traffic to/from the vpn pipe
08:54 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
09:05 < Alphanaut> bah still doesnt work
09:06 < Alphanaut> is there some rule that the subnet of the open wifi access point i'm using and my home openvpn subnet cant be the same?
09:12 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
09:13 -!- Alphanaut [~chatzilla@c-76-119-199-25.hsd1.ma.comcast.net] has quit [Ping timeout: 240 seconds]
09:18 -!- Alphanaut [~chatzilla@c-76-119-199-25.hsd1.ma.comcast.net] has joined #openvpn
09:26 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
09:31 < Alphanaut> anyone familiar with iptables setup for openvpn?
09:31 < Alphanaut> !iptables
09:31 < vpnHelper> Alphanaut: "iptables" is (#1) o test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT;, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-
09:31 < theDoc> !iptables
09:31 < vpnHelper> Alphanaut: computing.net/wiki/index.php/OpenVPN/Firewall
09:31 < vpnHelper> theDoc: "iptables" is (#1) o test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT;, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-
09:31 < vpnHelper> theDoc: computing.net/wiki/index.php/OpenVPN/Firewall
09:31 < theDoc> lol
09:31 < Alphanaut> beat ya :)
09:31 < theDoc> Do you want a hug?
09:32 < Alphanaut> pretty please
09:32 < theDoc> *hug* <3
09:32 < Alphanaut> gracias
09:33 < Alphanaut> so apparently the traffic is routed into the tunnel, but nothing comes back from the tunnel to the client
09:34 < Alphanaut> i assume it's an iptables issue on the server side
09:35 < theDoc> What do you mean nothing comes back?
09:43 < mmestnik> Hello, I'm wondering if there are any guides on using netfilter's netmap target with openvpn?  I've asked a similar question and did get an answer, but I don't think that answer included netmap as a possibility.
09:44 < Alphanaut> oh i mean i can watch the traffic on the tap adapter on the client, and the "send" packets keeps going up but the "received" packets doesnt move
09:44 < Alphanaut> so i assume the traffic is going from the client into the vpn to my home server, but the home server isn't sending any traffic back to the client
09:44 < Alphanaut> which makes me think something with iptables is messed
09:45 < theDoc> Alphanaut> What are you sending?
09:45 < Alphanaut> i'm not familiar with iptables, though i keep reading and reading
09:45 < Alphanaut> oh anything, trying to connect to a home server for example
09:45 < Alphanaut> the send goes up
09:45 < Alphanaut> the receive stayst eh same
09:46 < theDoc> Alphanaut> I have no idea what you're trying to do.
09:46 < theDoc> It's about 11pm here and I'm tired :P
09:47 < Alphanaut> if i turn off the firewall completely should i still need to configure it with iptables or can i troubleshoot by just disabling it
09:47 < Alphanaut> ahh
09:47 < theDoc> Turn which firewall off?
09:47 < Alphanaut> laptop (client) trying to connect to home openvpn server to encrypt all traffic when using open wifi hotspots
09:47 < Alphanaut> oh the linux server
09:47 < Alphanaut> i can disable the firewall
09:47 < Alphanaut> i dont think that will matter since the client and server connect fine
09:48 < Alphanaut> blah
09:49 < theDoc> Alphanaut> So it connects just fine, you can't surf the net after you have connected?
09:49 < theDoc> Is that the gist of the problem?
09:50 < Alphanaut> i can connect client to server just fine.  i can browse shares on my home server though the vpn, but my client bypasses the vpn for all traffic thru the browser
09:51 < Alphanaut> everything works except for pushing browser traffic thru the vpn
09:51 < Alphanaut> but ONLY on certain open wifi hotspots
09:51 < Alphanaut> others's will work
09:51 < Alphanaut> some dont
09:52 < ecrist> Alphanaut: sounds like a redirect gateway issue.
09:52 < ecrist> !welcome
09:52 < vpnHelper> ecrist: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:52 < Alphanaut> agreed but i've set that
09:52 < Alphanaut> is it possible def1 isn't right?
09:52 < ecrist> probably not
09:52 < ecrist> unless it's wrong in your config
09:52 < ecrist> !configs would help.
09:52 < vpnHelper> ecrist: Error: "configs" is not a valid command.
09:53 < ecrist> !configs
09:53 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
09:56 < Alphanaut> http://pastebin.com/Xxv9EZPR
10:14 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
10:18 < Bushmills> Alphanaut, is your browser configured to use a proxy? 
10:18 < Alphanaut> no
10:19 < Alphanaut> it just doesn't make sense that if i connect to open wifi hotspot #1 it works fine and the browser will show the wan IP of my home server, and if i connect to open wifi hotspot #2 it will show the wan IP of the hotspot
10:19 < Alphanaut> so it works for 1 and not the other even though i'm not changing the config
10:21 < Bushmills> what do you do to resolve host names? 
10:21 < Alphanaut> i have the tap adapter configured with two dns server ips
10:21 < Alphanaut> i have all my local adapters use the same hard set dns ips
10:21 < Bushmills> those name servers are provider agnostic?
10:22 < Alphanaut> yes
10:22 < Alphanaut> opendns
10:22 < Alphanaut> honestly this is driving me bonkers!
10:24 -!- dazo is now known as dazo_afk
10:26 < Alphanaut> i dont know if you read this before but if i watch the packet flow to my tap adapter in windows the packets going into the vpn tunnel keep going up, but the packets being received from the tunnel dont move
10:26 < Alphanaut> so i assume my client is pushing all data into the tunnel but nothing is coming back from the server
10:30 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
10:36 -!- le0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has joined #openvpn
10:36 -!- le0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has quit [Changing host]
10:36 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
10:38 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
10:43 -!- Alphanaut [~chatzilla@c-76-119-199-25.hsd1.ma.comcast.net] has quit [Ping timeout: 245 seconds]
10:50 -!- Optic [~Optic@miso.capybara.org] has left #openvpn ["Leaving"]
10:51 < mmestnik> Can open VPN work with CIDR notation?  I.E. send "route 192.168.5.0/24"
10:56 < ecrist> I don't think so
11:01 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:03 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
11:06 -!- Alphanaut [~chatzilla@c-98-229-67-227.hsd1.ma.comcast.net] has joined #openvpn
11:06 < Alphanaut> figured it out
11:09 -!- Alphanaut_ [~chatzilla@c-98-229-67-227.hsd1.ma.comcast.net] has joined #openvpn
11:11 -!- Alphanaut [~chatzilla@c-98-229-67-227.hsd1.ma.comcast.net] has quit [Ping timeout: 272 seconds]
11:14 < Alphanaut_> .
11:16 < ecrist> what was the issue, Alphanaut_ ?
11:17 -!- Alphanaut_ is now known as Alphanaut
11:18 < Alphanaut> so there are 3 open wifi access points that i use
11:18 < Alphanaut> one of them always fails.  apparently the default gateway 192.168.1.1 on my openvpn server is the same default gateway of the open wifi access point that i use
11:19 < Alphanaut> so i guess while it was indeed pushing the gateway from the server, since that gateway and the local wifi hotspot gateway were they same, it wasnt bothering to use my openvpn server gateway at all
11:19 < ecrist> yeah, about that, change your home lan numbering
11:19 < Alphanaut> haha
11:19 < ecrist> !1918
11:19 < Alphanaut> oh thanks
11:19 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
11:19 < Alphanaut> !
11:19 < Alphanaut> hilarious!
11:20 < ecrist> not trying to be funny, seriously change your home or vpn lan network addresses.
11:20 < Alphanaut> well if the wifi hotspot had changed their router numbering and it was the same, i'd have the same problem
11:20 < Alphanaut> well since i'm using dd-wrt (if you are familiar), i think the vpn gatway and home lan gateway have to match
11:20 < ecrist> no, you're going to run into more problems using 192.168.1.0/24 or 192.168.0.0/24 than any other subnet.
11:20 < Alphanaut> not sure of that tho
11:20 < Alphanaut> i know if i had a standalone network adapter i could just change that
11:21 < ecrist> yes, so switch your home network to something like 172.19.5.0/24
11:21 < Alphanaut> hmm
11:21 < Alphanaut> something that it wont ever conflict with 
11:21 < ecrist> is very unlikely, yes.
11:22 < ecrist> you'd run into this same problem if you went to a friend's house, or your parent's house and tried to connect out.
11:22 < Alphanaut> as a matter of fact i did :)
11:23 < Alphanaut> at my mother in laws house yesterday
11:23 < Alphanaut> another 192.168.x.x
11:23 < Alphanaut> er another same default gateway
11:23 < Alphanaut> too bad i have so many devices on my home lan, now i gotta change those too
11:24 < Alphanaut> perhaps i'll just throw thenm all back to dhcp
11:24 < ecrist> if you need to, just set static assignments and assign them using dhcp
11:25 < Alphanaut> rgr
11:25 < Alphanaut> so many settings in dd-wrt it makes your head spin
11:28 < Alphanaut> need one easy to remember
11:28 < Alphanaut> oo 10.11.12.0/24
11:28 < Alphanaut> that's perty
11:32 < ecrist> will potentially conflict with large corporate networks, though.
11:35 < vpnHelper> RSS Update - forum: Server Administration :: Re: simplicity on changing gateways :: Reply by george <https://forums.openvpn.net/viewtopic.php?f=4&t=7155&p=7918#p7918>
11:36 -!- Alphanaut_ [~chatzilla@c-76-119-199-25.hsd1.ma.comcast.net] has joined #openvpn
11:38 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
11:38 -!- Alphanaut [~chatzilla@c-98-229-67-227.hsd1.ma.comcast.net] has quit [Ping timeout: 245 seconds]
11:41 < mmestnik> http://pastebin.com/fuyAfmHk
11:42 -!- Alphanaut_ is now known as Alphanaut
11:42 < Alphanaut> why does my darn identity keep changing
11:42 < Alphanaut> grr
11:42 < mmestnik> uninitialized constant Puppet::Parser::TemplateWrapper::NetAddr
11:42 < Alphanaut> hm large corporations use 10.11.12 eh?
11:42 < Alphanaut> oh well
11:42 < Alphanaut> we'll see
11:42 < mmestnik> Adding support for this would be appreciated, even though it's a little late for me.
11:43 < Alphanaut> the dreaded Puppet Parser!
11:43 < Alphanaut> thats the name of my cat
11:47 < vpnHelper> RSS Update - forum: Configuration :: Re: Multiple non-contiguous client IP ranges. :: Reply by controlc.de <https://forums.openvpn.net/viewtopic.php?f=6&t=7132&p=7919#p7919>
12:03 -!- Alphanaut [~chatzilla@c-76-119-199-25.hsd1.ma.comcast.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.10/20100914125854]]
12:04 -!- chinaman_ is now known as EmperorTom
12:27 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
12:42 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
12:43 < mmestnik> http://pastie.org/1198908  <--- this is the Puppet::Parser fix, to just do it on my own.
12:46 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
12:46 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
12:48 < mmestnik> There was an issue that iroute could not be used in that context.
12:49 < mmestnik> Can the client advertise a local network to the server?
12:49 < mmestnik> ...or is it only the server who can say "give me access to your network."?
12:50 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
12:50 < krzie> its not actually about that
12:50 < krzie> !iroute
12:51 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
12:51 < krzie> if you allow the client to start changing routes in the server's real routing table and/or openvpn's internal one, i can think of some trouble-making i could cause
12:52 < mmestnik> krzie: That's true, but for my deployment it's the clients that are implicitly trusted and the servers who are untrustworthy.
12:53 < mmestnik> Hence that's why they are not allowed to initiate a connection.
12:53 < vpnHelper> RSS Update - forum: Configuration :: Re: Multiple non-contiguous client IP ranges. :: Reply by MrWetsnow <https://forums.openvpn.net/viewtopic.php?f=6&t=7132&p=7920#p7920>
12:53 < krzie> choose a new server
12:53 < |Mike|> lol
12:54 < |Mike|> mmestnik: nice ruby ;)
12:54 < krzie> thats not how it works, not how it will work in the future
12:54 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
12:55 < krzie> oh i see, you're trying to make it work with puppet
12:55 < krzie> cool, goodluck to you
12:55 < mmestnik> So reverse connections are not supported?  What's the logic behind not ever supporting this?
12:55 < |Mike|> network stuff shouldn't be done with puppet imho
12:55 < krzie> [13:51]  <krzie> if you allow the client to start changing routes in the server's real routing table and/or openvpn's internal one, i can think of some trouble-making i could cause
12:55 < krzie> |Mike|, i agree
12:55 < |Mike|> too easy to fuck things up
12:56 < krzie> too easy to give me ways to fuck your things up ;)
12:56 < |Mike|> hehe, that too 
12:57 < krzie> i assume openvpn is being used to increase security... this guy seems to want to decrease his security with it, and since it wont let him, hes coding up his own ways to make that happen
12:57 < krzie> lol
12:57 < mmestnik> How can I get the rest of vpnHelper's factoids?
12:57 < krzie> !factoids
12:57 < vpnHelper> krzie: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
12:58  * krzie pets vpnHelper 
12:58 < jeev> Dougy, you here ?
13:00 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
13:02 < mmestnik> krzie: You know I'm not likely the only one who is all about the "Virtual Network" part of VPN.
13:04 < mmestnik> I'm using HTTPTunnel to bridge networks together via openvpn automated using puppet.  The goal being to build a network ontop of the internet were every web client has complete access to every other participating web client.  Thus reducing proxy servers and firewalls to simple routers.
13:06 < mmestnik> The intended audience is system administrators asked by management to operate over these technologies.
13:09 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
13:10 < krzie> !route
13:10 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:10 < krzie> heh
13:10 < krzie> i just do that instead
13:11 < krzie> but good luck to you in that endeavor
13:13 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
13:18 < vpnHelper> RSS Update - forum: Configuration :: Re: Multiple non-contiguous client IP ranges. :: Reply by controlc.de <https://forums.openvpn.net/viewtopic.php?f=6&t=7132&p=7921#p7921>
13:36 < vpnHelper> RSS Update - forum: Configuration :: Re: Multiple non-contiguous client IP ranges. :: Reply by MrWetsnow <https://forums.openvpn.net/viewtopic.php?f=6&t=7132&p=7922#p7922>
13:47 -!- dazo_afk is now known as dazo
13:47 < vpnHelper> RSS Update - forum: Configuration :: Re: Multiple non-contiguous client IP ranges. :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7132&p=7923#p7923>
13:59 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 240 seconds]
14:06 < vpnHelper> RSS Update - forum: Wishlist :: Re: FIPS-compliant OpenVPN :: Reply by dazo <https://forums.openvpn.net/viewtopic.php?f=10&t=7129&p=7924#p7924>
14:11 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Remote host closed the connection]
14:17 -!- Myrth [~Myrth@unaffiliated/myrth] has joined #openvpn
14:33 -!- coppermine [~coppermin@modemcable109.70-23-96.mc.videotron.ca] has joined #openvpn
14:33 < coppermine> where can i find a howto to configure a tunnel between 2 linux hosts and route all internet traffic from the first one to the second one?
14:34 < kisom> coppermine: have you even checked the website?
14:34 < coppermine> which one?
14:34 < kisom> there are lots of howtos
14:34 < kisom> openvpn.net
14:37 < Bushmills> !redirect
14:37 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:37 < Bushmills> !howto
14:37 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:40 < coppermine> so far i can ping both 10.x.x.x ips from eachother, that means my tunnel is established right?
14:42 < coppermine> !def1
14:42 < vpnHelper> coppermine: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
14:50 < coppermine> !ipforward
14:50 < vpnHelper> coppermine: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
14:50 < coppermine> !linipforward
14:50 < vpnHelper> coppermine: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
14:57 < coppermine> which port do i have to open on my router on the client side?
14:58 < coppermine> because i get ERROR: Linux route add command failed: external program exited with error status: 7
15:03 -!- Guest31163 is now known as Martin`
15:04 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
15:04 < coppermine> connection keeps getting reset
15:06 < vpnHelper> RSS Update - forum: Configuration :: Re: Multiple non-contiguous client IP ranges. :: Reply by MrWetsnow <https://forums.openvpn.net/viewtopic.php?f=6&t=7132&p=7925#p7925>
15:07 < Bushmills> possibly error in configuration. check the route or push "route..." config statements
15:07 < coppermine> do i need to open port 11194 on my router?
15:07 < coppermine> but i tried telnet ip 11194 an it responds
15:08 < coppermine> oh wait
15:08 < Bushmills> assuming that you allow outgoing traffic of your client, and client can reach server, there's nothing to set on your router
15:09 < coppermine> right cause i can ping both tunnel ips
15:09 < Bushmills> your router might be a NATting router, returned packets are sent on to client
15:09 < coppermine> ush "dhcp-option DNS x.x.x.x"
15:10 < coppermine> does that look right? x.x.x.x rpalced my dns ip
15:10 < coppermine> push
15:10 < Bushmills> check your log files. if you don't have any, tell openvpn in its config to write log files
15:10 < Bushmills> DNS pushing is unrelated to route error
15:12 < coppermine> wait i dont have a push route command in my server config
15:12 < coppermine> i didnt see that in the howto
15:12 -!- meh3 [~efnet@27-9.202-62.fix.bluewin.ch] has quit [Read error: Connection reset by peer]
15:13 -!- meh3 [~efnet@27-9.202-62.fix.bluewin.ch] has joined #openvpn
15:20 < coppermine> i set verb to 6
15:20 < coppermine> there's more messages but none help me
15:22 -!- coppermine [~coppermin@modemcable109.70-23-96.mc.videotron.ca] has quit [Quit: Lost terminal]
15:24 -!- zxvff [shahid@dev.hockingits.com] has joined #openvpn
15:24 < zxvff> is there a reason why I can't copy an openvpn config + cert from one machine to another? every time I try to start the service i get this error: 
15:24 < zxvff> Cannot load CA certificate file /etc/openvpn/ca.crt (SSL_CTX_load_verify_locations) (OpenSSL)
15:25 < zxvff> !welcome
15:25 < vpnHelper> zxvff: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:35 -!- coppermine [~coppermin@modemcable109.70-23-96.mc.videotron.ca] has joined #openvpn
15:35 < coppermine> !ipfowarad
15:35 < vpnHelper> coppermine: Error: "ipfowarad" is not a valid command.
15:35 < coppermine> !ipfoward
15:35 < vpnHelper> coppermine: Error: "ipfoward" is not a valid command.
15:35 < coppermine> !linipforward
15:35 < vpnHelper> coppermine: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
15:40 < coppermine> ok i got rid of the error
15:40 < coppermine> but i cant ping acrosds the internet over the tunnel
15:40 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
15:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
15:47 < krzee> !redirect
15:47 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
15:48 < krzee> zxvff, is the file in the right location?  have you ensured that the file made it in tact (md5 checksum or something?)?
15:49 -!- coppermine [~coppermin@modemcable109.70-23-96.mc.videotron.ca] has quit [Quit: leaving]
15:49 < zxvff> yes and yes krzee 
15:49 -!- coppermine [~coppermin@modemcable109.70-23-96.mc.videotron.ca] has joined #openvpn
15:50 < coppermine> i typed tcpdump -i tun0 to debug the problem
15:50 < coppermine> i see packets flowing when i type ping something.com
15:50 < coppermine> but ping doesnt work
15:50 < coppermine> why
15:50 < krzee> coppermine, you prolly didnt NAT
15:50 < krzee> zxvff, 
15:50 < krzee> !CERTVERIFY
15:50 < vpnHelper> krzee: "CERTVERIFY" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
15:50 < krzee> oops
15:50 < krzee> capslock
15:51 < |Mike|> glad that I ignore those lines.
15:51 < krzee> mike, you have vpnHelper on ignore?
15:51 < |Mike|> ofc!
15:51 < krzee> must be hard for you to get help from me!
15:51 < |Mike|> haha
15:52 < |Mike|> If I need vpnHelper stuff, I unignore him
15:52 < vpnHelper> RSS Update - forum: Server Administration :: VPN not working with McAffe :: Author alex <https://forums.openvpn.net/viewtopic.php?f=4&t=7158&p=7926#p7926>
15:52 < krzee> !tell |Mike| [bot]
15:53 < krzee> lets see if you ignored msgs too!
15:53 < reiffert> I cant use --shaper with --server .. whats wrong here?
15:53 < krzee> really!?
15:53 < krzee> whats the error?
15:53 < |Mike|> krzee: I only ignore public messages from vpnHelper :-)
15:53 < coppermine> krzee: by NAT i had done this : iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
15:53 < reiffert> ovpn-server1194[15567]: Options error: --shaper cannot be used with --mode server
15:53 < coppermine> is that what you meant?
15:53 < krzee> !tell |Mike| HAHAH
15:54 < |Mike|> 2010/10/04 22:37:10 <vpnHelper> Error: "lol" is not a valid command.
15:54 < |Mike|> *g* :P
15:54 < zxvff> odd, 
15:54 < zxvff> unable to load certificate
15:54 < zxvff> 4036:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
15:54 < krzee> coppermine, do this,     cat /proc/sys/net/ipv4/ip_forward
15:54 < reiffert> ovpn-server1194[15567]: Options error: --shaper cannot be used with --mode server
15:55 < coppermine> krzee: shows value of 1
15:55 < krzee> zxvff, you did something wrong when making your pki... start over and follow this:
15:55 < krzee> !pki
15:55 < vpnHelper> krzee: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was
15:55 < vpnHelper> krzee: signed specially as a server (see !servercert)
15:55 < zxvff> krzee: but it works on my other machine
15:55 < krzee> reiffert, weird, i wouldnt expect that
15:56 < zxvff> i have it currently running on a different server
15:56 < krzee> zxvff, certainly those exact files do not work on your other machine
15:56 < coppermine> krzee: what else can i check
15:56 < zxvff> i scp'd those files fromt he other machien to this one
15:56 < coppermine> krzee: im not getting errors
15:57 < zxvff> also i have another ca.crt which gives me this output:
15:57 < zxvff> error 20 at 0 depth lookup:unable to get local issuer certificate
15:57 < coppermine> krzee: i pushed the DNS address of the server to the client is that ok?
15:57 < coppermine> with push "dhcp-option DNS
15:57 < reiffert> krzee: it sucks.
15:58 < coppermine> krzee: and do i change the /etc/resolv.conf on my client?
15:58 < coppermine> i tried that too
15:58 < krzee> coppermine, 
15:58 < krzee> !pushdns
15:58 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
15:58 < coppermine> so its fine
15:58 < coppermine> whats the problem
15:59 < krzee> !configs
15:59 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
15:59 < krzee> reiffert, pls enter dev chan
16:00 < krzee> (see topic)
16:02 < coppermine> krzee: http://pastebin.ca/1954322
16:04 < coppermine> is it that client-to-client directive?
16:04 < coppermine> i added that 
16:05 < krzee> nope
16:05 < krzee> !c2c
16:05 < vpnHelper> krzee: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
16:05 < vpnHelper> krzee: behind other clients
16:06 < krzee> ild guess its something in your firewall
16:06 < coppermine> on my client?
16:06 < krzee> more likely on your server
16:06 < krzee> you have the forward chain set to allow?
16:06 < coppermine> my rules are empty
16:06 < coppermine> on the server
16:07 < coppermine> iptables -L
16:07 < coppermine> the -nat table table
16:07 < coppermine> too
16:07 < coppermine> so if there's no rules it should allow by default
16:07 < coppermine> right?
16:09 < coppermine> !allowforwardchain
16:09 < vpnHelper> coppermine: Error: "allowforwardchain" is not a valid command.
16:10 < krzee> well
16:10 < krzee> that depends on your settings
16:10 < coppermine> i dont drop any packets
16:10 < coppermine> or reject
16:11 < coppermine> but whats the command i'll add it anyways
16:11 < coppermine> trying to find it
16:11 < krzee> erm
16:11 < krzee> you just said the nat table is empty?
16:11 < coppermine> yes
16:11 < coppermine> iptables -L shows empty
16:11 < krzee> iptables -L -t nat
16:12 < coppermine> empty too
16:12 < krzee> !linnat
16:12 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
16:12 < krzee> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
16:12 < coppermine> i had done that on my client
16:12 < krzee> lol
16:12 < coppermine> no?
16:12 < krzee> undo it from your client
16:12 < coppermine> ok
16:12 < krzee> do it on your server
16:13 < coppermine> iptables -F didnt get rid of it
16:13 < krzee> theres a good reason im not in #iptables helping people ;)
16:13 < coppermine> ok got it
16:13 < coppermine> had to specify nat
16:16 < coppermine> didnt work yet
16:16 < coppermine> no errors
16:16 < coppermine> just cant ping
16:16 < coppermine> or web
16:17 < krzee> is eth0 your internet interface?
16:18 -!- dazo is now known as dazo_afk
16:18 < coppermine> it has eth0 and eth1
16:18 < coppermine> eth0 points to static ip
16:18 < coppermine> eth1 is some 10.179.x.x ip
16:19 < coppermine> i can try the eth1
16:19 < coppermine> its probably a gateway
16:20 < coppermine> right?
16:20 < krzee> you need to understand your machine
16:21 < krzee> you dont know which one you access the internet with?
16:21 < coppermine> eth1 didnt work
16:21 < coppermine> its just a vps i ordered yesteryday
16:21 < coppermine> i set it back to eth0
16:22 < krzee> why does a vps even have 2 interfaces?
16:22 < coppermine> problably for their service 
16:22 < coppermine> to connect to other machines on the same subnet
16:22 < coppermine> if i order more
16:22 < coppermine> i read somewhere
16:22 < krzee> netstat -rn will tell you which one you route to the internet on
16:23 < krzee> however, if it is a VPS... they might need to do something for you to be able to use NAT
16:23 < coppermine> i checked that allrady
16:23 < coppermine> its enabled in the kernel
16:23 < coppermine> NAT/TUN
16:23 < krzee> in your kernel, or theirs?
16:23 < coppermine> theirs and mine
16:24 < coppermine> its compiled as module on their side
16:24 < coppermine> oh wait
16:24 < coppermine> i need to modprobe
16:24 < coppermine> nope i did allready
16:24 < coppermine> tun                    11720  0 
16:24 < coppermine> and on mine its in the kernel as <*>
16:24 < coppermine> not module
16:26 < coppermine> ok so i checked your command
16:26 < coppermine> it uses eth0 as the last line 0.0.0.0 gateway
16:27 < coppermine> i read openvpn.net, i came here, i dont get errors, and still not working
16:27 < krzee> well its not openvpn
16:28 < coppermine> what else can i check
16:28 < krzee> ild guess its firewall or your VPS provider
16:28 < coppermine> my client firewall?
16:28 < coppermine> i use a linksys router
16:28 < krzee> i need to get back to work
16:28 < coppermine> adn i have no ports open
16:29 < krzee> if it happens to be client firewall (which i doubt) when tcpdump on server you'd see the return packets
16:29 < coppermine> tcpdump shows packets on the tun0 device
16:29 < coppermine> do i need to open port 11194 ?
16:29 < coppermine> as tcp?
16:29 < coppermine> and forward to my machine
16:29 < coppermine> in the router
16:30 < krzee> the client?
16:30 < coppermine> yes
16:30 < krzee> no
16:30 < coppermine> since its back and forth on both machines
16:30 < coppermine> both use that port
16:30 < coppermine> if my router doesnt open it
16:30 < coppermine> why would it work?
16:30 < krzee> you make the outbound connection
16:30 < coppermine> but i also receive
16:30 < coppermine> so maybe its sending out
16:31 < coppermine> but not comming back
16:31 < krzee> why dont you need to forward port 80 in order to browse the web...?
16:31 < krzee> lol
16:31 < coppermine> cause its outbound
16:31 < coppermine> but inbound
16:31 < coppermine> oh right
16:31 < krzee> so is the vpn
16:31 < coppermine> it still receives
16:31 < krzee> lol
16:31 < coppermine> let me run tcpdump again
16:32 < coppermine> how do I know if they are rejected?
16:32 < coppermine> ACK is acknolwedge
16:32 < krzee> cool, im going to go work
16:32 < krzee> adios
16:32 < coppermine> allright
16:35 < coppermine> it shwos even irc packets
16:35 < coppermine> and ping
16:35 < coppermine> in the tun0
16:35 < coppermine> but doesnt work
16:41 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:43 -!- coppermine [~coppermin@modemcable109.70-23-96.mc.videotron.ca] has quit [Ping timeout: 265 seconds]
16:44 -!- coppermine [~coppermin@modemcable109.70-23-96.mc.videotron.ca] has joined #openvpn
16:44 -!- coppermine [~coppermin@modemcable109.70-23-96.mc.videotron.ca] has quit [Client Quit]
16:46 -!- p3rror [~mezgani@adsl196-62-77-206-196.adsl196-3.iam.net.ma] has quit [Ping timeout: 245 seconds]
16:50 -!- coppermine [~coppermin@modemcable109.70-23-96.mc.videotron.ca] has joined #openvpn
16:50 < coppermine> quit
16:50 -!- coppermine [~coppermin@modemcable109.70-23-96.mc.videotron.ca] has quit [Client Quit]
16:52 -!- s7r [~s7r@188.27.109.26] has quit [Ping timeout: 240 seconds]
16:53 -!- coppermine [~coppermin@modemcable109.70-23-96.mc.videotron.ca] has joined #openvpn
16:57 -!- s7r [~s7r@66.199.231.250] has joined #openvpn
16:58 -!- s7r is now known as Guest35566
17:01 -!- coppermine [~coppermin@modemcable109.70-23-96.mc.videotron.ca] has quit [Quit: leaving]
17:01 -!- coppermine [~coppermin@modemcable109.70-23-96.mc.videotron.ca] has joined #openvpn
17:01 < coppermine> i establed my tunnel but i cant ping
17:01 < coppermine> i checked everything i can think of
17:02 -!- s7r` [~s7r@188.27.109.26] has joined #openvpn
17:04 -!- Guest35566 [~s7r@66.199.231.250] has quit [Ping timeout: 265 seconds]
17:05 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
17:05 < joako> Is it possible to push a route with  gateway in openvpn config?
17:09 -!- coppermine [~coppermin@modemcable109.70-23-96.mc.videotron.ca] has quit [Read error: Connection reset by peer]
17:21 -!- meh3 [~efnet@27-9.202-62.fix.bluewin.ch] has quit [Ping timeout: 264 seconds]
17:33 -!- Meliorator [m@dunnington.eu] has quit [Quit: changing servers]
17:33 -!- Meliorator [m@dunnington.eu] has joined #openvpn
17:42 -!- coppermine [~coppermin@184-106-129-151.static.cloud-ips.com] has joined #openvpn
17:42 < coppermine> if i have an openvpn tunnel which im routing all my inet traffic tru, would using a squid proxy server on that same server be useless?
17:42 < coppermine> or would it further secure my connection
17:45 < Rienzilla> it depends on what you want to accomplish
17:46 < Rienzilla> I don't see how squid 'secures your connection' 
17:46 < |Mike|> I rather use an ssh tunnel :p
17:49 < coppermine> well i use openvpn tunnel right now
17:49 < coppermine> so my ip is allready masked 
17:49 < coppermine> so quid would just mask it again
17:49 < coppermine> to the same ip
17:49 < coppermine> useless no?
17:55 -!- coppermine [~coppermin@184-106-129-151.static.cloud-ips.com] has quit [Quit: Lost terminal]
18:04 < krzee> |Mike|, goodluck securing your voip traffic over an ssh tunnel :-p
18:05 < krzee> it wont/cant happen
18:05 < Myrth> hi, how do i configure openvpn AS client to direct all traffic through VPN? i couldn't find any .ovpn configuration on both server or client.. thanks
18:05 < krzee> !AS
18:05 < vpnHelper> krzee: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
18:05 < vpnHelper> krzee: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
18:05 < krzee> please see #4
18:06 < Myrth> ok thanks
18:06 < krzee> np
18:25 -!- coppermi1e [~coppermin@184-106-129-151.static.cloud-ips.com] has joined #openvpn
18:25 -!- s7r` [~s7r@188.27.109.26] has left #openvpn []
18:27 -!- s7r [~s7r@188.27.109.26] has joined #openvpn
18:34 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Remote host closed the connection]
18:36 -!- coppermi1e [~coppermin@184-106-129-151.static.cloud-ips.com] has quit [Ping timeout: 240 seconds]
18:37 -!- Myrth [~Myrth@unaffiliated/myrth] has quit [Read error: Connection reset by peer]
18:38 -!- coppermine [~coppermin@184-106-129-151.static.cloud-ips.com] has joined #openvpn
18:38 -!- coppermine [~coppermin@184-106-129-151.static.cloud-ips.com] has quit [Client Quit]
18:46 -!- Myrth [~Myrth@unaffiliated/myrth] has joined #openvpn
18:47 < Myrth> is it possible to configure to route ALL traffic through VPN through client .ovpn? I've only found forcing it through server configuration: http://openvpn.net/index.php/open-source/documentation/howto.html#redirect
18:47 < vpnHelper> Title: HOWTO (at openvpn.net)
18:53 -!- Myrth- [~Myrth@b08s59ur.corenetworks.net] has joined #openvpn
18:56 -!- Myrth [~Myrth@unaffiliated/myrth] has quit [Ping timeout: 264 seconds]
18:59 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
19:04 -!- Myrth- [~Myrth@b08s59ur.corenetworks.net] has quit [Ping timeout: 272 seconds]
19:11 -!- Myrth [~Myrth@unaffiliated/myrth] has joined #openvpn
19:11 < Myrth> just figured out that routing all traffic through vpn on vista and win7 requires running client with elevated privileges
19:11 < Myrth> otherwise it silently creates 0.0.0.0/128.0.0.0 route which is ignored
19:15 -!- Myrth- [~Myrth@m7d0e36d0.tmodns.net] has joined #openvpn
19:15 -!- Myrth- [~Myrth@m7d0e36d0.tmodns.net] has quit [Client Quit]
19:18 -!- Myrth [~Myrth@unaffiliated/myrth] has quit [Ping timeout: 245 seconds]
19:28 < krzee> heh
19:29 < krzee> running openvpn always requires elevated privileges
19:32 -!- Squidy_at_Home [~quassel@187.54.246.152] has joined #openvpn
19:37 -!- coppermine [~coppermin@184-106-129-151.static.cloud-ips.com] has joined #openvpn
19:46 -!- coppermine [~coppermin@184-106-129-151.static.cloud-ips.com] has quit [Quit: Lost terminal]
19:52 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 272 seconds]
20:01 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
20:14 -!- cizzi [~cizzi@modemcable109.70-23-96.mc.videotron.ca] has joined #openvpn
20:14 < cizzi> i've set up an openvpn tunnel to route all my internet traffic to a server, is it hard to add the rest of the clients on my lan to use that tunnel?
20:15 < krzee> not really, gimme a second
20:15 < cizzi> allright
20:16 < cizzi> hey krzee its me coppermien from earlier, im on a differnt computer so different unix account nick, i got it to work earlier 
20:16 < krzee> ive never done this, but i would assume its just a matter of doing this:
20:17 < krzee> on client turn on IP forwarding
20:17 < krzee> then tell other machines in the LAN to use the client as their default gateway
20:17 < cizzi> instead of the now router?
20:17 < krzee> and
20:17 < krzee> !clientlan
20:17 < vpnHelper> krzee: "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route
20:17 < vpnHelper> krzee: for a better explanation
20:18 < krzee> correct, instead of the router they currently use as their default gateway
20:18 < cizzi> !ipforward
20:18 < vpnHelper> cizzi: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
20:18 < cizzi> i did this step earlier
20:18 < cizzi> on my client
20:18 < cizzi> its at 1
20:18 < krzee> and on your server, you need to also NAT the client's LAN
20:18 < cizzi> thats done allready 
20:18 < krzee> cool, you still have a bit to do
20:19 < cizzi> oh the LAN
20:19 < krzee> no, currently you NAT the VPN subnet
20:19 < cizzi> right
20:19 < krzee> now you need to NAT the client LAN
20:19 < cizzi> so I need to add an entry for the LAN
20:19 < krzee> as well as add an iroute and a route entry
20:19 < krzee> !iroute
20:19 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
20:19 < krzee> !ccd
20:19 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
20:19 < cizzi> i should find a mini howto
20:19 < cizzi> since im on a text terminal now
20:19 < krzee> no such thing buddy'
20:19 < cizzi> big fonts
20:19 < cizzi> oh ok
20:20 < cizzi> cant even scroll
20:20 < cizzi> im doing a system image backup as we speak
20:20 < cizzi> so i just have irssi from a different linxu box
20:21 < cizzi> i miss X :(
20:21 < krzee> get a notepad and pen or something
20:21 < cizzi> ok i have paper and pen
20:21 < krzee> what is the client lan's subnet?
20:21 < cizzi> 192.168.168.x
20:21 < krzee> what is the common-name of your client?
20:21 < cizzi> common-name ?
20:21 < krzee> you had to name your client when you made the cert
20:22 < krzee> !certinfo
20:22 < vpnHelper> krzee: "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
20:22 < krzee> if you pastebin that, i can tell you
20:22 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 252 seconds]
20:22 < cizzi> let me run that command
20:22 < krzee> or the log of the server when the client connects
20:23 < cizzi> <file> refers to which file
20:23 < cizzi> cert file
20:23 < cizzi> right
20:23 < krzee> heh
20:25 < cizzi> is common-name the CN field?
20:25 < krzee> yes
20:25 < cizzi> Fort-Funtson
20:26 < krzee> thats not it
20:26 < krzee> its something you typed in as the name for the client
20:27 < cizzi> i dont know what it is, i dont feel at ease sending you this file
20:27 < cizzi> can yuo guide me where it is?
20:27 < cizzi> i cat > to a file
20:27 < krzee> yes, pastebin the file
20:27 < cizzi> i dont want to paste it
20:27 < cizzi> for security
20:27 < krzee> i cant help you, sorry
20:28 < cizzi> why not?
20:28 < cizzi> why would ipaste my server certificate on the internet
20:28 < krzee> dont paste the key
20:29 < krzee> the whole point of certs is that they can be public
20:29 < cizzi> but i gave yuo the CN= field
20:29 < cizzi> i didnt modify the defautl value
20:29 < krzee> negative
20:29 < krzee> thats the default city
20:29 < cizzi> right
20:29 < krzee> and im working, dont have time to sit here playing games
20:29 < cizzi> but it says CN = 
20:29 < krzee> pastebin it or dont, it doesnt change my day
20:30 < cizzi> ok there's another CN= field
20:30 < cizzi> with a different name
20:30 < cizzi> would it be that?
20:33 < krzee> in the server log, it will be right before the IP of the client
20:34 < cizzi> /var/log/messages ?
20:34 < vpnHelper> RSS Update - forum: Server Administration :: Re: linux bridge and openvpn :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7156&p=7927#p7927> || Server Administration :: Re: VPN not working with McAffe :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7158&p=7928#p7928>
20:34 < krzee> heh
20:34 < krzee> !logfile
20:34 < vpnHelper> krzee: "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info
20:34 < cizzi> i dont have browser access right now
20:34 < cizzi> ok yes its in deamon mode
20:34 < cizzi> /etc/init.d/....
20:35 < cizzi> hey there's asshole invalid user entries
20:35 < cizzi> people trying to hack?
20:36 < krzee> more likely you screwing something up :-p
20:36 < cizzi> no.. there's invalud users from ip ....
20:36 < cizzi> and its not my ip 
20:36 < krzee> and if you use HMAC sigs, they have the have the static key to even get that far
20:36 < krzee> !hmac
20:36 < vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the tls
20:36 < vpnHelper> krzee: static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
20:37 < cizzi> from the sshd deamon
20:37 < krzee> oh sshd daemon
20:37 < krzee> thats not related to openvpn
20:37 < cizzi> anyways i'll look at that after
20:37 < cizzi> bastards
20:37 < krzee> but yes, there are many brute forcing ssh worms
20:37 < cizzi> i'll restrict allow by ip only later
20:38 < cizzi> ok sos you said to look right before the ip
20:38 < cizzi> for the common-name
20:39 < krzee> CN/IP
20:39 -!- Squidy_at_Home [~quassel@187.54.246.152] has quit [Remote host closed the connection]
20:39 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: Where/How do I change the code of openvpn packets to HTT :: ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7157&p=7929#p7929>
20:40 < cizzi> Fort-Funston_CA/IP  all of the lines are in that format
20:41 < krzee> LOL did you really make that your common-name!?
20:41 < krzee> hahahah
20:41 < cizzi> yes
20:41 < cizzi> to confuse people
20:41 < cizzi> it worked
20:41 < krzee> if by people you mean yourself
20:42 < cizzi> nope
20:42 < cizzi> i know what it was :)
20:42 < krzee> i know the common-name to all my machines
20:42 < cizzi> allright
20:42 < cizzi> so im writting this down
20:43 < krzee> !ccd
20:43 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
20:43 < krzee> on the server add a line with 
20:43 < krzee> client-config-dir <dir>
20:43 < krzee> where <dir> is the full path to a dir you make for CCD entries
20:44 < krzee> also add this line:
20:44 < cizzi> ccd = privnet dir?
20:44 < krzee> route 192.168.168.0 255.255.255.0
20:44 < krzee> ccd= what my bot said above in response to me saying !ccd
20:46 < cizzi> i dont get it
20:46 < krzee> this is such an advanced setup for your skill level =/
20:46 < cizzi> im tired
20:47 < krzee> come back when you have access to browsers and are rested
20:47 < cizzi> 98% done
20:47 < krzee> no, you are not
20:47 < cizzi> my backup
20:47 < krzee> more like 50%
20:47 < krzee> oh
20:48 < cizzi> the letters are like half inch high
20:48 < cizzi> on this display
20:48 < cizzi> its crazy
20:48 < cizzi> its like DOS from 1989
20:48 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Quit: No Ping reply in 90 seconds.]
20:48 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
20:49 -!- cizzi [~cizzi@modemcable109.70-23-96.mc.videotron.ca] has quit [Quit: Lost terminal]
20:58 -!- coppermine [~coppermin@184-106-129-151.static.cloud-ips.com] has joined #openvpn
20:58 < coppermine> krzee: im back
20:58 < coppermine> !ccd
20:58 < vpnHelper> coppermine: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
21:04 -!- coppermine [~coppermin@184-106-129-151.static.cloud-ips.com] has quit [Quit: Lost terminal]
21:34 -!- Optic [~Optic@miso.capybara.org] has joined #openvpn
21:50 -!- mountainski [~pegg@pool-72-85-192-226.bstnma.east.verizon.net] has joined #openvpn
21:50 -!- mountainski is now known as RoadWarriorVPN
21:50 < RoadWarriorVPN> hi everybody hows it going
21:52 -!- Dereckson [Dereckson@wikipedia/Dereckson] has joined #openvpn
21:53 < Dereckson> Hi
22:09 -!- joako_ [~joako@opensuse/member/joak0] has joined #openvpn
22:11 -!- joako_ [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
22:20 -!- joako_ [~joako@opensuse/member/joak0] has joined #openvpn
22:49 -!- RoadWarriorVPN [~pegg@pool-72-85-192-226.bstnma.east.verizon.net] has quit [Quit: Leaving]
23:00 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:10 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-rymcuomoflgmiqaw] has joined #openvpn
23:11 < HoboSteaux> hey does anyone have a sample client-connect script im trying to push iroutes to my clients
23:13 -!- krzie [krzee@hemp.ircpimps.org] has joined #openvpn
23:13 -!- krzie [krzee@hemp.ircpimps.org] has quit [Changing host]
23:13 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
23:14 -!- xreal [~mweber@mailgw.FB12.Uni-Dortmund.DE] has joined #openvpn
23:18 -!- Dereckson [Dereckson@wikipedia/Dereckson] has quit [Ping timeout: 252 seconds]
23:19 < xreal> I want to use OpenVPN on the network at work to access it from another computer outside this network (I am allowed to do it). There is a DHCP-server and the network is using IPs in range 10.x.x.x. Can I connect OpenVNC-server to the 10.x.x.x network, but use 192.168.178.x IPs for the clients?
23:31 < krzie> you just wanna share the lan
23:31 < krzie> thats no problem
23:32 < krzie> i wrote a document on sharing 3 lans with openvpn
23:32 < krzie> !route
23:32 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
23:32 < xreal> Thanks!
23:32 < krzie> for just sharing the server lan its even easier
23:32 < krzie> !serverlan
23:32 < vpnHelper> krzie: "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
23:33 < krzie> you're welcome =]
23:34 < xreal> krzie: I am using bridging in Windows in order to reach all the other computers. Is this a problem?
23:35 < krzie> !tunortap
23:35 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against
23:35 < vpnHelper> krzie: you over the vpn, or (#4) lan gaming? use tap!
23:36 < xreal> krzie: Damn, my English is too bad for this :-(
23:40 < HoboSteaux> hey does anyone have a sample client-connect script im trying to push iroutes to my clients
23:40 < krzie> HoboSteaux, you dont push iroutes to clients
23:41 < krzie> but you can set them in a client-connect script... so that just may have been wording it wrong
23:41 < HoboSteaux> i thought they were in the client config dir
23:41 < krzie> right
23:41 < krzie> !ccd
23:41 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
23:41 < krzie> !client-connect
23:41 < vpnHelper> krzie: "client-connect" is --client-connect <script>, runs script on client connection. This can be useful for generating firewall rules dynamicly, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamicly... to use it that way, you should write your dynamic ccd commands to the file named by $1.
23:42 < HoboSteaux> ok so iroutes are on the server and they only apply to one client?
23:42 < krzie> correct
23:42 < krzie> !iroute
23:42 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
23:43 < HoboSteaux> alright no all my certificates are duplicates which prevents me from having a ccd
23:43 < HoboSteaux> so would a script solve this or should i remake all my scripts?
23:43 < HoboSteaux> certs*
23:43 < krzie> you also auth based on password?
23:43 < HoboSteaux> no, single certificate to multiple clients
23:43 < krzie> thats bad
23:44 < HoboSteaux> yes it is but its to trusted people and i know all of them
23:44 < krzie> the only time certs should be used like that is if you also auth based on password
23:44 < krzie> doesnt matter, give them each their own cert
23:44 < HoboSteaux> yeah i made that mistake alost a year ago :P
23:44 < krzie> time to fix it ;)
23:45 < HoboSteaux> haha a script wont let me sideways that opsie some?
23:45 < krzie> impossible
23:45 < HoboSteaux> its more because i never know what their network ips will be
23:46 < krzie> your script will think they are all the same person
23:46 < krzie> (because they are)
23:46 < xreal> Is it possible to do something like this? "server-bridge 10.0.100.88 255.0.0.0 192.168.178.10 192.168.178.15"
23:46 < krzie> xreal, you do not want a bridge
23:46 < krzie> unless you have a specific layer2 protocol you need
23:46 < krzie> !sample
23:46 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
23:46 < HoboSteaux> alright ill fix all of that
23:46 < krzie> those sample configs is a good way to change to routing
23:47 < krzie> xreal, then you just have 1 line to add to the server, a route to add on the server's LAN's router
23:47 < krzie> and enable ip forwarding on the server
23:50 < xreal> krzie: I am using a TAP bridge. I was reading about it all night and I can't get it working. That's my config, but server-bridge is wrong: http://nopaste.info/2a04a3703c_nl.html
23:55 < krzie> just because you read about it does not make it the right choice
23:56 < krzie> if you dont need a layer2 protocol, you do not want tap / bridge
23:56 < krzie> i dont support bridges
23:59 < xreal> krzie: I want to access Windows file services on server side. I think, this neets TAP, doesn't it?
23:59 < krzie> no
23:59 < krzie> !tunortap
--- Day changed Tue Oct 05 2010
00:00 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against
00:00 < vpnHelper> krzie: you over the vpn, or (#4) lan gaming? use tap!
00:00 < krzie> (#2) and if your reason for wanting tap is windows shares, see !wins
00:01 < xreal> !wins
00:01 < vpnHelper> xreal: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
00:06 < krzie> the only part of windows shares that uses layer2 is the name resolution (netbios)
00:06 < krzie> but before checking netbios, it checks if there is a WINS server set
00:06 < krzie> a WINS server does that resolution using layer3
00:07 < xreal> krzie: MMh okay. But everything elso works with tun? Like webcam via MSN?
00:07 < krzie> yes
00:07 < krzie> that is IP traffic
00:08 < xreal> okay, then I need to revert everything back to TUN ... brb
00:14 < xreal> krzie: a question to http://www.ircpimps.org/openvpn.configs  - can the "local <server IP>" be 192.168.1.1 and "server" = 10.8.1.0 255.255.255.0
00:14 < xreal> ?
00:16 < krzie> local <ip to bind to>
00:16 < krzie> so if the ethernet device on the server is using 192.168.1.1, yes
00:17 < xreal> krzie: Problem is my server gets IP by DHCP.
00:17 < krzie> you dont need the local line, however you DO need the port forwarded, so you need a static ip on the lan for that
00:18 < krzie> unless you have some port forwarding magic built into the dhcp server (i have never heard of that existing)
00:18 < krzie> ok well maybe upnp fits that description, but openvpn doesnt use upnp anyways
00:19 < xreal> krzie: I am using a SSH tunnel to access OpenVPN.
00:19 < krzie> huh??
00:20 < xreal> I don't have an external IP, only internal.
00:20 < xreal> I am tunneling port 1194 to a vserver and connecting to this vserver.
00:20 < krzie> umm no
00:20 < krzie> your openvpn is on udp
00:20 < krzie> udp does not tunnel over ssh tunnels
00:20 < xreal> I am using it on TCP.
00:20 < krzie> not the config you pasted earlier
00:21 < xreal> krzie: I changed it after reading your information.
00:21 < krzie> !tcp
00:21 < vpnHelper> krzie: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
00:21 < krzie> you are now tunneling tcp over tcp over tcp
00:21 < krzie> this is TERRIBLE
00:21 < xreal> krzie: I know, but how can I change it? I can't get an external IP.
00:21 < krzie> use a different machine as the server
00:21 < krzie> in a different network
00:21 < xreal> I can't.
00:22 < krzie> clients can share their networks
00:22 < krzie> sure you can
00:22 < xreal> Shall I run a client in the LAN and run the server on a vServer?
00:22 < krzie> right
00:23 < xreal> But how to get from LAN to the vServer? I also need a tunnel for this.
00:23 < krzie> the server doesnt need to be sitting on an external IP, but it must at least be able to have a port forwarded to it
00:23 < krzie> the client connects to the server and shares its lan
00:23 < krzie> another client connects to the server and accesses the first clients lan
00:23 < xreal> krzie: I cannot connect to Port 1194 on external servers.
00:24 < xreal> I think, I need to run the server on Port 443 ?
00:24 < krzie> you dont have permission to be doing this?
00:24 < xreal> Only a few ports are opened in our firewall.
00:24 < krzie> open another if you have permission to do this
00:25 < xreal> But I do have the permission to build up a VPN tunnel - but I don't get support by the admins.
00:26 < krzie> whoever has authority to give you permission should also have authority to give you the ability to run it
00:26 < xreal> krzie: They do, but they don't have time to support me.
00:27 < xreal> long story :-(
00:27 < krzie> they just need to allow a single outbound port in the firewall
00:27 < krzie> takes 5 seconds
00:28 < xreal> krzie: I know, but they don't support me. That's why I wanted to use the (bad) SSH tunnel.
00:28 < krzie> you're saying "i need to build a wooden table, but i am not allowed to use wood, or nails, or a hammer"
00:29 < xreal> krzie: You can't compare this ... I can run the external server on port 21, 22, 80 or 443 ...
00:29 < krzie> tcp over tcp over tcp will not work well
00:30 < krzie> once you get it running you will be saying "hey why is my vpn very very slow and disconnects often?"
00:30 < xreal> krzie: But it works. Better than nothing ;-)
00:30 < xreal> Okay, then I will run it on Port 443.
00:30 < krzie> and we will type !tcp and tell you to read why
00:30 < krzie> "works" is subjective... it WILL connect
00:31 < krzie> but whether or not its usable for anything real... quite likely it will not be
00:31 < xreal> krzie: Can I access two different VPNs over the same port (of course not the same time)?
00:31 < xreal> not at*
00:32 < krzie> huh?
00:33 < xreal> nevermind ;)
00:35 < krzie> the answer is probably yes, but i dont understand the question very well
00:38 < xreal> I am too tired to type :-)
00:40 < xreal> Let me try the 443 solution. If it works, I will ask the admins to open another port.
00:45 -!- joako_ [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
00:49 -!- joako_ [~joako@99-153-162-173.lightspeed.miamfl.sbcglobal.net] has joined #openvpn
00:49 -!- joako_ [~joako@99-153-162-173.lightspeed.miamfl.sbcglobal.net] has quit [Changing host]
00:49 -!- joako_ [~joako@opensuse/member/joak0] has joined #openvpn
01:03 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Ping timeout: 240 seconds]
01:19 < xreal> krzie: It seemed to work!
01:19 < xreal> it seems*
01:25 < krzie> now transfer a good sized file, while running a constant ping
01:26 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
01:28 -!- xreal2 [~mweber@ds87-230-55-31.dedicated.hosteurope.de] has joined #openvpn
01:31 -!- xreal [~mweber@mailgw.FB12.Uni-Dortmund.DE] has quit [Ping timeout: 255 seconds]
01:32 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Need Gaming VPN Programmer :: Author cicakman <https://forums.openvpn.net/viewtopic.php?f=15&t=7159&p=7930#p7930>
01:44 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: Need Gaming VPN Programmer :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=15&t=7159&p=7931#p7931>
01:55 < xreal2> krzie: How can I share the client's network with the server?
01:55 < krzie> !clientlan
01:55 < vpnHelper> krzie: "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route
01:55 < vpnHelper> krzie: for a better explanation
01:57 < xreal2> !ccd
01:57 < vpnHelper> xreal2: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
01:58 < xreal2> !iroute
01:58 < vpnHelper> xreal2: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
01:58 < xreal2> OMG :-(
02:00 < xreal2> I don't have a clue about iroutes or ccds
02:01 < krzie> you do now
02:01 < reiffert> :)
02:01 < krzie> moinmoin reif
02:02 < reiffert> moin
02:02 < reiffert> time for getting a big coffee
02:03 < xreal2> Ich dreh ab | I am going crazy.
02:03 < krzie> meh, im trying to wrap my head around how to do something in a script im writing
02:04 < reiffert> script? something?
02:05 < krzie> oooo i think i know it!
02:05 < reiffert> :(
02:05 < krzie> i wanted to have variable variables
02:05 < krzie> but i think i can do it with something like
02:05 < xreal2> Anyone interested in helping me getting the LAN sharing working?
02:05 < krzie> ${associativeArray[$key]}
02:06 < xreal2> krzie: PHP?
02:06 < xreal2> Help in the term of a line of code.
02:06 < krzie> nah, bash
02:06 < krzie> xreal2,
02:06 < krzie> in the server config
02:06 < krzie> client-config-dir <dir>
02:06 < xreal2> krzie: Please, no more !
02:06 < xreal2> !<...>
02:06 < vpnHelper> xreal2: Error: "<...>" is not a valid command.
02:06 < krzie> where <dir> is /path/to/a/new/dir
02:07 < xreal2> krzie: okay, I got this far ;)
02:07 < krzie> this dir will have special files in it called ccd files
02:07 < xreal2> krzie: But what route should be in there?
02:07 < krzie> then you need to make a file in that dir with the EXACT name of the client with a lan behind it
02:08 < xreal2> the name? the hostname?
02:08 < xreal2> or the client name
02:08 < krzie> the common-name from the certificate you made
02:08 < krzie> btw, did you read !!route ?
02:08 < krzie> !route
02:08 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:08 < xreal2> krzie: Oh, I am using PAM-auth right now. Okay, switching back to certificates.
02:08 < krzie> that doc explains all of this
02:08 < krzie> no its ok
02:08 < krzie> you can use PAM
02:08 < krzie> !authpass
02:08 < vpnHelper> krzie: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
02:09 < krzie> username-as-common-name
02:09 < krzie> put that in the server config
02:09 < xreal2> ok
02:09 < krzie> now the username is the common-name
02:09 < xreal2> ok
02:09 < reiffert> krzie: advanced bash scripting guide and grep on /etc/init.d/
02:10 < krzie> i dont have a /etc/init.d/
02:10  * krzie uses bsd
02:10 < reiffert>  /etc/rc.d/ then?
02:10 < krzie> yup =]
02:11 < krzie> you're right... it is time i go to the advanced bash scripting guide
02:11 < krzie> i got the answer above from:
02:11 < krzie> http://mywiki.wooledge.org/BashGuide/Arrays#Associative_Arrays
02:11 < vpnHelper> Title: BashGuide/Arrays - Greg's Wiki (at mywiki.wooledge.org)
02:12 < krzie> got link to the advanced guide
02:12 < krzie> ?
02:13 < reiffert> sure..
02:13 < reiffert> http://www.google.de/search?q=advanced+bash+scripting+guide
02:13 < vpnHelper> Title: advanced bash scripting guide - Google-Suche (at www.google.de)
02:14 < krzie> werd, i must be at the right one then, i went to hit #1 of that search but wasnt 100% that it was the one you spoke of
02:14 < krzie> seeing as there are many results claiming to be the same thing
02:14 < krzie> oh and vpnHelper knows !google ;]
02:15 < reiffert> !google why are there so many bash scripting guides and why do they appear to be equal?
02:15 < vpnHelper> reiffert: Bash by example, Part 1: <http://www.ibm.com/developerworks/library/l-bash.html>; List of Bash online-tutorials [Bash Hackers Wiki]: <http://wiki.bash-hackers.org/scripting/tutoriallist>; Bash Guide for Beginners: <http://tldp.org/LDP/Bash-Beginners-Guide/html/Bash-Beginners-Guide.html>
02:16 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
02:16 < krzie> hah that actually gave good links
02:17 < reiffert> !google how to fake associative arrays with bash?
02:17 < vpnHelper> reiffert: The Linux and Unix Menagerie: How To Fake Associative Arrays In Bash: <http://linuxshellaccount.blogspot.com/2008/05/how-to-fake-associative-arrays-in-bash.html>; Linux Knowledge Base and Tutorial - How To Fake Associative Arrays ...: <http://www.linux-tutorial.info/modules.php?name=News&file=article&sid=6744>; BeggyTech: bash associative arrays(map, hash or how you them calls ...:
02:17 < vpnHelper> reiffert: <http://beggytech.blogspot.com/2010/02/bash-associative-arrays.html>
02:25 < xreal2> krzie: I am stuck.
02:26 < krzie> what is the client's LAN subnet?
02:28 < xreal2> 255.0.0.0
02:28 < krzie> umm, no
02:28 < krzie> a) that is a netmask
02:28 < krzie> b) please say you are kidding
02:29 < xreal2> http://nopaste.info/57906f3d2e.html
02:29 < xreal2> krzie: Sorry, 10.x.x.x - any IPs can be used.
02:30 < krzie> im going to bed, hopefully reif can help you
02:30 < krzie> plus he speaks german!
02:30 < xreal2> reiffert: Hi ;-)
02:30 < xreal2> krzie: Thanks for help.
02:30 < krzie> yw
02:30 < xreal2> 09:30 am here.
02:34 < xreal2> reiffert: Are you reachable?
02:40 < kraut> moin
02:44 -!- kg [~kg@81.222.247.34] has joined #openvpn
02:46 < kg> Hi all, I have a question, after config. my server and clients, all goes well, but every hour I nave a messages in logfile of the client:
02:47 < kg> http://pastie.org/1200238
02:48 < kg> Is it software reset? Which mean that my client nedd to re-establish connection each hour?
02:51 < xreal2> Kraut: Can you help me? Kannst du mir helfen?
02:53 -!- dazo_afk is now known as dazo
02:53 < kraut> xreal2: rather busy atm
02:54 < kraut> xreal2: here are tons of people who could also help you
02:54 < xreal2> kraut: okay, then I'll keep on waiting
03:04 < dazo> kg: look at --reneg-sec in the man page ... and btw. 3600sec = 1 hour
03:10 < xreal2> How can I tell the server about the client's DNS and WINS?
03:10 < dazo> xreal2: read the man page ... look for DNS and WINS
03:11 < xreal2> dazo: I am doing it, but I can't get it working ;-(
03:11 < dazo> --dhcp-option WINS <server IP> ?
03:11 < xreal2> In my opinion, everything is about server => client and not client => server.
03:12 < dazo> you don't tell from clients to the OpenVPN server about WINS servers ... that's for sure
03:12 < xreal2> dazo: in the client's config or in the server's config?
03:12 < dazo> server config ... that's the one pushing setups to clients
03:12 < xreal2> dazo: let me explain my situation.
03:12 -!- Varazir [mircwars@c-94-255-129-218.cust.bredband2.com] has quit [Quit: reboot]
03:13 < xreal2> I am running OpenVPN server on an external vServer and my client is running behind a firewall in a LAN.
03:13 < xreal2> I want to access the LAN from any external computer using the vServer.
03:13 < xreal2> First, I wanted to run the server in the LAN and tunnel it out via SSH, but krzie told me: TCP over TCP is bad.
03:14 < xreal2> Do you get the point ?
03:14 < dazo> hahahaha .... that's not just TCP over TCP ... that can even be TCP over TCP over TCP ... that's just to forget ;-)
03:15 < xreal2> krzie told me, it would be better to start the VPN-server on the vServer and share the client's network.
03:15 < dazo> yeah
03:15 < xreal2> But now, I'm lost in ccd-files.
03:15 < dazo> krzie is quite experienced and clever in that regards
03:15 < dazo> do you need CCD files first of all?
03:16 < xreal2> dazo: krzie told me, it would be better ;)
03:17 < xreal2> "dhcp-option WINS" doesn't work from the client, does it?
03:17 < dazo> okay ... I've just skimmed your dialogue ... and it seems about unfocused ... but never mind that ... first step is *always* start with the minimum requirements and make that work, then it's easier to go to the next advanced level
03:17 < dazo> --dhcp-option is only for server side
03:17 < dazo> but having that said
03:17 < xreal2> dazo: The tunnel is working already.
03:17 < xreal2> I can ping both virtual IPs and even a gateway is working.
03:18 < xreal2> But I cannot find hostsnames in the client's network.
03:18 < xreal2> It's a Windows network.
03:18 < dazo> the server don't care about the contents of --dhcp-options at all ... it just passes them to the clients, so if that points at IPs behind the client, that's gonna work ... but that does sound a bit odd to me to do it like that
03:19 < dazo> are you connecting to the server from the internal network *and* a remote client, and tunnelling data from the remote client and into the internal network?
03:19 < xreal2> 1 sec, let me think about it :-)
03:20 < xreal2> yes :-)
03:20 < xreal2> LAN => vServer <= other computer in Internet
03:20 < xreal2> LAN <=> vServer <=> other computer in Internet
03:21 < dazo> are you using TUN or TAP?
03:21  * dazo hopes for the former
03:21 < xreal2> tun, as krza told me (what was his name)
03:21 < xreal2> krzie
03:21 < dazo> yeah ... good!
03:22 < xreal2> He told me, I need to create route and iroutes.
03:22 < xreal2> But I am completly lost now.
03:22 < dazo> that means that you need to think about a few things ... the most important one is routing
03:22 < dazo> !route
03:22 < vpnHelper> dazo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
03:23 < dazo> nah, that might be too advanced and confusing right now
03:23 < xreal2> dazo: a question to that: is "lan" the real lan IP or the virtual one?
03:23 < dazo> but it might actually have your solution, in fact
03:23 < dazo> in which context?
03:23 < xreal2> client1 with lan 10.10.1.0 
03:23 < xreal2> on the quoted page
03:23 < dazo> that is the real lan
03:24 < xreal2> ah okay!
03:24 < dazo> in fact, if you read that doc *very carefully* ... I think it really can help you out
03:25 < dazo> because when you have figured out the routing ... which means you can sit on your "other computer in Internet" and connect to IP addresses on your "LAN" via the vServer
03:25 < xreal2> dazo: Okay. MMh, my main problem is that the client gets addresses by DHCP. So I can't enter the IPs in the config :-(
03:25 < dazo> which client?
03:25 < xreal2> dazo: DHCP client? Uh, the Microsoft one. I don't know.
03:26 < dazo> no, in which network?
03:26 < xreal2> in the LAN (at the client)
03:26 < xreal2> the server has a static IP
03:27 < xreal2> the LAN uses IPs in range 10.x.x.x
03:27 < dazo> fair enough ... but you need to make sure that you can establish a TCP/IP connection from outside ("other computer on Internet") to the inside ("LAN") via vServer before you can begin to think about DNS and WINS
03:27 < xreal2> dazo: This already works.
03:27 < xreal2> I can ping each other.
03:28 -!- dazo [~dazo@openvpn/community/developer/dazo] has left #openvpn ["Leaving"]
03:28 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
03:28 -!- mode/#openvpn [+o dazo] by ChanServ
03:28 <@dazo> gee ... CTRL-W by accident was silly
03:28 < xreal2> could something like this work? "route 10.0.0.0 255.0.0.0"
03:29  * dazo thinks
03:29 <@dazo> no no no, if you can ping or access computers in "LAN" via vServer from your "other computer on Internet" ... then all routing is done
03:29 < xreal2> I can ping the virtual IPs.
03:30 < xreal2> Not the "real ones" from the LAN.
03:30 <@dazo> I thought you said you could do that .... okay, then reading the !route document is a must now ... because now you need route and iroute properly setup
03:31 <@dazo> and when you can from your "other computer on Internet" ping and access network services on computers on "LAN" ... then you can think about DNS and WINS ... as those services *requires* routing to work to start with
03:31 < xreal2> @dazo: Okay. btw: do *all* Windows computers in the LAN need to have IP forwarding activated?
03:32 <@dazo> nope ... in fact only those acting as routers ... so that makes only the OpenVPN client in your case
03:33 <@dazo> but your setup is getting quite advanced ... so it is really crucial that you understand how routing really works
03:33 < xreal2> Okay.
03:33 -!- vpn-tester [~java@46-126-159-16.dclient.hispeed.ch] has joined #openvpn
03:33 < vpn-tester> hi
03:33 < vpn-tester> i want to use openvpn
03:33 < vpn-tester> but i have problem with the certs
03:34 < vpn-tester> http://nopaste.info/2ab328ca68.html
03:34 < vpn-tester> these are the mistakes
03:34 < vpn-tester> http://nopaste.info/357845af9a.html
03:34 < vpn-tester> this is the client config
03:34 < vpn-tester> any idea?
03:35 <@dazo> vpn-tester: its the server rejecting the certificate ... you probably have errors with the CA certificate signatures
03:35 <@dazo> # Tue Oct 05 09:46:55 2010 VERIFY ERROR: depth=0, error=self signed certificate: /C=xx/ST=xx/L=xx/O=xxx/OU=xx/CN=xx/emailAddress=xx@xx.xx 
03:35 <@dazo> only the CA certificate can be self-signed ... the client and server certificate needs to be signed by the CA certificate to work
03:36 < vpn-tester> this is what i have done
03:36 < vpn-tester> i used this tut http://wiki.openvpn.eu/index.php/OVPN-Linux
03:36 < vpnHelper> Title: OVPN-Linux – OpenVPN Wiki (at wiki.openvpn.eu)
03:36 < krzie> use this one instead
03:36 < krzie> !pki
03:36 < vpnHelper> krzie: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was
03:36 < vpnHelper> krzie: signed specially as a server (see !servercert)
03:37 <@dazo> yeah, vpn-tester ... krzie is right ... use ^^^ instead when it comes to setting up certificates and keys correctly ... doing it manually with openssl directly is tedious work
03:37 -!- xreal2 [~mweber@ds87-230-55-31.dedicated.hosteurope.de] has quit [Ping timeout: 264 seconds]
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 < vpn-tester> dazo does this tut not work?
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:39 <@dazo> vpn-tester: I just know that it's very easy to make mistakes with using openssl manually for CA management ... it might work, I'm not able to say immediately ... but I recommend using something simpler to start with
03:40 <@dazo> openssl stuff directly is great when you have a good grip on how PKI works and you want to implement your own solution ... if not, go for some easier CA tools ... like easy-rsa2, ssl-admin, tinyCA2 or xca 
03:40 <@dazo> OpenVPN will work with whatever CA solution you use, as long as it can give you PEM/DER or PKCS#12 formatted certificates and keys
03:41 < vpn-tester> dazo have you a good tut for me?
03:42 < krzie> !pki
03:42 < vpnHelper> krzie: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was
03:42 < vpnHelper> krzie: signed specially as a server (see !servercert)
03:42 < krzie> see the first link
03:42 < krzie> (the only link)
03:42 <@dazo> vpn-tester: yeah, that's the way to go first 
03:43 <@dazo> vpn-tester: it looks like that you've managed quite well the first step, you have a proper connection establishment between client and server, the next step is the certificate stuff ... and then it's usually routing and firewalling people fight with in the end ... the !pki info will help you through the second step
03:43 < krzie> i dunno why anyone would ever do all the openssl commands manually
03:43 <@dazo> krzie: ego and Fran Sinatra ... "I did it my way" :-P
03:43 < krzie> hahah
03:43 <@dazo> s/Fran/Frank/
03:45 < vpn-tester> i will try^^
03:45 < vpn-tester> thx a lot
03:45 <@dazo> you're welcome
03:46 < krzie> dazo, heres one i cant answer, but maybe you can...
03:46 < krzie> https://forums.openvpn.net/viewtopic.php?f=5&t=7154
03:46 < vpnHelper> Title: OpenVPN Support Forum View topic - TAP install Windows XP-SP3 fails (at forums.openvpn.net)
03:46  * dazo sees TAP + WinXP and fears what he will see
03:46 < krzie> hey mattock fixed the cookies on the forum!!!
03:47  * krzie likes mattock, he gets stuff done =]
03:48 <@dazo> krzie: I actually have no idea ... but I'm not using Windows at all ... only when friends ask for help and are completely desperate :)
03:48 <@dazo> reiffert, cron2, Bushmill- or some of those might maybe know?
03:49 < krzie> ahh we're in the same boat
03:49  * dazo see that he needs to get more stuff done so that krzie likes him better :-P
03:50 < krzie> hahaha no i liked you before you ever even came to the irc channel
03:50 -!- xreal [~mweber@ds87-230-55-31.dedicated.hosteurope.de] has joined #openvpn
03:50 <@dazo> krzie: you know I'm married? :-P
03:50 < krzie> you and jjk are the elites from the mail list!
03:51 < xreal> @dazo: I cannot ping the LAN's IP, since the intranet of the vServer uses the same range :-(((
03:51 < krzie> hey hey you figured that one out quick!
03:51 <@dazo> xreal: then you need to figure out that ... but you've come a step forward now, realising that!
03:51 <@dazo> krzie: It might be that he needs to use the DeleteTAP (or whatever its called) to really remove the tap devices ... but that's really a wild hot in the dark
03:52 < vpnHelper> RSS Update - forum: Installation Help :: Re: VMWare Linux client and the big bad host :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=5&t=7121&p=7932#p7932>
03:53  * dazo goes to do some real work which gives me my payslip
03:59 < vpnHelper> RSS Update - forum: Configuration :: Re: Routing working in 2.09 but not in 2.1.1 with my config :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7119&p=7934#p7934> || Installation Help :: Re: Installing Open VPN --CLIENT-- in Windows Server 2008 :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=5&t=7120&p=7933#p7933>
04:05 < vpnHelper> RSS Update - forum: Server Administration :: Re: OpenVPN and WINS problem :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7117&p=7936#p7936> || Installation Help :: Re: network access prob(can access r.PC via Hostname but not :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=5&t=7122&p=7935#p7935>
04:10 < kg> :dazo thx
04:10 < vpnHelper> RSS Update - forum: Server Administration :: Re: Remote Desktop via OpenVPN on Windows 2003 Server :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7114&p=7939#p7939> || Configuration :: Re: Two problems, one with routing, and one with SIGTERM on :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7116&p=7937#p7937> || Configuration :: Re: Multi-client vpn :: Reply by krzee <https://forums.openvpn.net/viewtopic.ph
04:13 < kg> renegotiation one time in hour. when renegotiation become this mean than it's a little pause  and tunnel don't work at that time or just renew credentials and nothing changes for traffic?
04:14 < krzie> re-key, traffic continues working
04:14 < krzie> when you use certs you get new encryption keys 1x / hr (by default)
04:16 < krzie> if that was not the case (as when you use static key instead of certs) i could capture your encrypted traffic now, and next year get your key, and decrypt all traffic i had captured
04:16 < vpnHelper> RSS Update - forum: Configuration :: Re: client-to-client help :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7113&p=7940#p7940>
04:19 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
04:19 < |Mike|> krzie: :P
04:21 <@dazo> kg: (and krzie) ... the tunnel will "block" while the re-keying process is going on ... but when it is done, the queued up traffic will be sent over the tunnel again
04:21 < vpnHelper> RSS Update - forum: Announcements :: Re: Auto-login / cookie issue fixed :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=20&t=7139&p=7941#p7941> || Server Administration :: Re: High latency with openvpn. :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7108&p=7943#p7943>
04:22 <@dazo> the time it takes to do the re-keying depends on if you're using RSA or DSS based keys, public key size and general performance of both sides ... not having a --dh param file might also decrease the performance as well
04:23 < krzie> good point
04:23 < krzie> and i wasnt aware of the block, thanx for pointing that out
04:23 < krzie> its always so fast i never noticed
04:24 < kg> thx for answer
04:25 <@dazo> openssl speed will give a little performance overview on your box, so you can get a little feeling how well it will go
04:28 < krzie> !linnat
04:28 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
04:29 < vpn-tester> dazo seems to work
04:30 < vpn-tester> but how can i use an ip from the network i connect to? there i have some public ips
04:30 < vpn-tester> that the tunnel gets an ip from the dhcp there
04:33 < vpn-tester> there is an router vm which offers dhcp
04:33 < vpn-tester> to this, my vpn server is connected
04:35 <@dazo> vpn-tester: I'm sorry, but I'm not sure I understand your question ...
04:35 < vpn-tester> dazo in the server config file i defined the ip the client gets
04:36 < vpn-tester> but i want, that the client gets his ip from the dhcp server there
04:36 <@dazo> vpn-tester: that's doable, but more work ... first of all, do you know why you want it like that?
04:37 -!- joako_ [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
04:37 < vpn-tester> i need, cause i want to crypt all the trafic i generate with my notebook @work
04:37 < vpn-tester> cause my chef loggs everything i do
04:37 < vpn-tester> so i want to use the remote server as a gateway to the internet
04:37 < vpn-tester> over the vpn tunnel
04:38 < krzie> !redirect
04:38 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
04:38 < vpnHelper> RSS Update - forum: Configuration :: Re: OpenVPN, routing & Amazon EC2 :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7101&p=7947#p7947>
04:38 < krzie> you do not need dhcp assigned IPs for that
04:38 <@dazo> vpn-tester: fair enough ... but that still don't require a central administered DHCP service .... you can do all this without messing with using a central DHCP server
04:38 < vpn-tester> dazo its an server in the internet i connect to, this one has an ip range
04:38 < vpn-tester> i want to use one of these ips
04:39 < vpn-tester> or what could be another possibility for this?
04:40 <@dazo> vpn-tester: still no problem ... the reason I asked this is that implementing that requires you to use TAP and bridging, which gives more tricky config challenges and a performance loss as TAP devices have higher overhead on the packages compared to TUN
04:40 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
04:40 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
04:40 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
04:41 < krzie> when you NAT on the server, you can choose which IP to use
04:41 <@dazo> normally, you will just need to setup MASQUERADING on the OpenVPN server you connect to when you're accessing "the world" ... that way, you can better control the traffic with firewall rules, as the VPN is its own network segment
04:42 < vpn-tester> but how can i do this?
04:42 <@dazo> vpn-tester: what kind of OS is your OpenVPN server?
04:43 < vpnHelper> RSS Update - forum: Configuration :: Re: openvpn Linux server, windows 7 64 client, certificate a :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7123&p=7948#p7948>
04:44 < vpn-tester> debian
04:45 <@dazo> vpn-tester: then you basically need a simple iptables rule ...
04:46 < vpn-tester> dazo but why not use an ip from the dhcp server?
04:46 <@dazo> # iptables -t nat -I POSTROUTING -i <tun device> -o <"internet"> -s <vpn ip addr scope> -d 0.0.0.0 -j MASQUERADE
04:46 <@dazo> vpn-tester: unless the complete network uses public IP addresses, you still need to NAT the VPN network
04:47 < vpn-tester> what is vpn ip addr scope?
04:47 <@dazo> the iptables line above will masquerade/NAT all traffic going out on the "internet" device
04:47 <@dazo> vpn ip addr scope is the network segment you have defined for your VPN clients
04:48 < vpn-tester> so 10.10.100.00/24?
04:48 <@dazo> yeah
04:49 <@dazo> vpn-tester: do you run OpenVPN server on the same server as your default internet gateway?  Or is it a machine on the "inside network"?
04:49 < vpn-tester>  iptables -t nat -I POSTROUTING -i tap0 -o eth0 -s 10.10.100.0/24 -d 0.0.0.0 -j MASQUERADE
04:49 < vpn-tester> like this?
04:49 <@dazo> vpn-tester: yeah
04:49 < vpn-tester> dazo its inside
04:49 <@dazo> oh then .... then you don't need that at all
04:50 <@dazo> and you're already using tap?
04:50 < vpn-tester> dazo its shown as tap0 in ifconfig
04:50 < vpn-tester> iptables v1.4.2: Can't use -i with POSTROUTING
04:50 <@dazo> huh? ....
04:50  * dazo checks
04:50 < vpn-tester> on windows as tap device, too
04:51 <@dazo> you need the same type on both sides, so that's no surprise :)
04:51 <@dazo> vpn-tester: sorry!  yeah, -i tap0 can't be used ... but as you're not on the default gw, that's not needed ... you actually need a special route on the default gateway
04:52  * dazo has mixed vpn-tester's setup with another setup
04:52 <@dazo> sorry about that
04:53 < vpn-tester> mhm
04:53 <@dazo> vpn-tester: you need on the default gw a route which says:  route add -net 10.10.100.0 netmask 255.255.255.0 gw <IP of your OpenVPN server>
04:53 < vpn-tester> how can i do?
04:53 <@dazo> the default gw will then do the masquerading automatically for you
04:53 < vpn-tester> only this on the vpn host?
04:53 <@dazo> no, on the default gateway on your network ... where the traffic will out to the Internet
04:54 < vpn-tester> the host on which the vpn server is running has a public internet ip
04:54 < vpn-tester> there is only a router bevore, which routes the subnets, cause i have different one
04:55 <@dazo> vpn-tester: but does the physical OpenVPN server have a public IP address?  Or is it port-forwarded?
04:55 < vpn-tester> it has a public internet ip adress
04:55 < vpn-tester> which i got from my server hoster
04:56 < vpn-tester> it has its own a record in the nameserver
04:57 <@dazo> okay, I'm quite confused about the network design now ... but ... if you do have a public IP on the server .... then MASQUERADE is the way to go again
04:57 < vpn-tester> its like this
04:57 < vpn-tester> esx host -->routervm for different subnets -> subnet2 there is the vpn gateway
04:57 < vpn-tester> the router gives the vpn server a public ip
04:58 < vpn-tester> in an 184.xxx.xxx.xxx net
04:58 < vpn-tester> on the router there is a dhcp which givs the vms there public ips
04:59 < vpn-tester> and forwards all trafic incomming on eth0 directli to eth2 on which the servers with the public ips are
04:59 < vpn-tester> so just a forwarding
04:59  * dazo understands less and less of the setup ...
05:02 <@dazo> anyhow, with that setup ... it begins now to make more and more sense to do MASQ for Internet traffic ... but I'm not sure if you need to access internal networks somehow as well ... and if they are also in the 184.x.x.x scope (or another public range), it needs to be implemented more carefully
05:02 <@dazo> (the MASQ needs to be implemented more carefully)
05:07 < vpn-tester> cant i forward the ip request to the routervm and let it give the ip?
05:11 <@dazo> vpn-tester: you can ... but you need to setup proper bridging ... it is much more tricky in real life, despite sounding easy
05:11 < vpnHelper> RSS Update - forum: Server Administration :: Re: Create a VPN conection without loosing internet cntion :: Reply by ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7094&p=7950#p7950> || Server Administration :: Re: Connect to server before logging in on client :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7130&p=7951#p7951>
05:11 < vpn-tester> an how?
05:12 <@dazo> http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html
05:12 < vpnHelper> Title: Ethernet Bridging (at openvpn.net)
05:13 <@dazo> but you need to make sure that you have a bridge "start" script which is run before openvpn fires up ... and then a bridge "stop" script, which runs when OpenVPN stops, to set up and tear down the bridge correctly
05:14 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:15 <@dazo> then you need to make sure you don't chop-off the connection you have to the server while configuring it ... as you in your case needs to bridge your interface which have the public IP address ... and just by doing such a bridge, you really need to be sure you do it right ... because that's can misused and will be a nice attack vector, from a security perspective ... bridging an interface with a public IP is risky business
05:15 -!- vpn-tester [~java@46-126-159-16.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
05:16 < krzie> yupyup
05:16  * dazo wonders if vpn-tester tried some bridging stuff without knowing what he did now ....
05:17  * dazo heads for lunch
05:17 -!- RichiH [~richih@freenode/staff/richih] has joined #openvpn
05:18 < RichiH> i get a lot of MULTI: packet dropped due to output saturation (multi_add_mbuf) -- is there any way to find out which of the clients is the bottleneck?
05:18 -!- eKKiM [~eKKiM@ks311098.kimsufi.com] has joined #openvpn
05:19 < eKKiM> !welcome
05:19 < vpnHelper> eKKiM: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:19 < eKKiM> !redirect
05:19 < vpnHelper> eKKiM: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
05:19 < krzie> RichiH, running out of mbufs... sounds like a routing loop or something, can you paste your configs?
05:20 < krzie> !configs
05:20 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
05:20 < eKKiM> Hmm
05:20 < eKKiM> why i don't get any speeds above 10 Mbps
05:20 < eKKiM> to my openvpn server
05:20 < eKKiM> while i have a 100Mbit connection on client side and Gbit on server side?
05:21 < krzie> eKKiM, likely your tun device, although it could possibly be cpu or something of that nature
05:21 < krzie> could also be mtu settings...
05:22 < krzie> try mtu-test to check that
05:22 < krzie> !mtu
05:22 < vpnHelper> krzie: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
05:23 < eKKiM> cpu wouldn't be the problem..
05:23 < RichiH> http://paste.debian.net/93432/ & http://paste.debian.net/93433/
05:23 < eKKiM> i tried changing the mtu
05:23 < eKKiM> but didn't make any difference..
05:24 < krzie> RichiH, you removed everything that matters...
05:24 < RichiH> krzie: i didn't think any of it would matter, but if you tell me what you need...
05:25 < krzie> actually anything to do with IPs and routes both matter
05:25 < krzie> since i expect to find some sort of routing loop
05:26 < krzie> also for the record
05:26 < krzie> !tcp
05:26 < vpnHelper> krzie: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
05:26 < krzie> and
05:26 < krzie> !ipp
05:26 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
05:26 < krzie> and
05:26 < krzie> !tunortap
05:26 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against
05:26 < vpnHelper> krzie: you over the vpn, or (#4) lan gaming? use tap!
05:26 < krzie> (all 3 for you RichiH )
05:27 < RichiH> !static
05:27 < vpnHelper> RichiH: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
05:27 < RichiH> makes sense
05:28 < krzie> !forget static 2
05:28 < vpnHelper> krzie: Error: You don't have the factoids.forget capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
05:28 < krzie> !forget static 2
05:28 < vpnHelper> krzie: Error: You don't have the factoids.forget capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
05:28 < RichiH> the installation is way too large to change from tap to tun
05:28 < krzie> !forget static 2
05:28 < vpnHelper> krzie: Joo got it.
05:28 < krzie> !forget static 2
05:28 < vpnHelper> krzie: Joo got it.
05:28 < RichiH> krzie: so just to make sure, a routing loop could cause the above?
05:30 < eKKiM> Krzie what could be wrong with my tap device?
05:30 < eKKiM> which causes me to have low speeds?
05:30 < krzie> !learn static as example in net30 (default): ifconfig-push 10.8.0.5 10.8.0.6   example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0
05:30 < vpnHelper> krzie: Joo got it.
05:30 < krzie> !learn static as also see !ccd and !iporder
05:30 < vpnHelper> krzie: Joo got it.
05:30 < krzie> eKKiM, what OS?
05:31 < |Mike|> eKKiM: your provide caps you on udp traffic ?
05:31 < eKKiM> i tunnel it over SSH
05:31 < eKKiM> i'm on windows
05:31 < eKKiM> openvpn server is debian
05:31 < eKKiM> so TCP
05:31 < krzie> eKKiM, what version?
05:31 < eKKiM> client or sever?
05:31 < krzie> oh you use TCP
05:31 < eKKiM> server*
05:31 < krzie> that could be a problem
05:31 < krzie> what version on the windows machine'
05:31 < eKKiM> i can't tunnel udp over ssh?
05:31 < eKKiM> Windows 7
05:32 < krzie> correct, but you are transfering tcp over tcp
05:32 < krzie> !tcp
05:32 < vpnHelper> krzie: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
05:32 < krzie> what version openvpn on the windows machine
05:32 < eKKiM> i just read that
05:32 < eKKiM> TAP device is version 9
05:32 < eKKiM> on windows
05:32 < krzie> is that the 2.1.3 version? i dont use windows
05:33 < krzie> but i know the tap device is new in 2.1.3
05:33 < eKKiM> 2.1_rc19 i686-pc-mingw32
05:33 < krzie> change to 2.1.3
05:33 < krzie> !download
05:33 < vpnHelper> krzie: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
05:33 < eKKiM> i'll test it
05:33 < eKKiM> brb
05:34 < krzie> RichiH, last time i saw someone run out of mbufs it was a routing loop, also every time i saw an openvpn assisted routing loop it gave mbuf errors
05:34 < krzie> RichiH, whether that garuntees it to be your problem, i dont know... but without seeing unedited configs i cant help you more than this
05:35 < krzie> RichiH, you mentioned it is a large setup
05:35 < krzie> how large?
05:36 < krzie> since that means it is established and likely hasnt been changed recently... that takes away from the likelihood of a routing loop... but if its large enough your problem might be that you are using tap
05:36 < krzie> since a broadcast domain can only be so large before it goes kaboom
05:37 < RichiH> by large, i mean a few dozen (hey, that's large to me). and while most of the nodes are recent, changing something as basic as tun/tap and/or tcp/udp is very likely not an option
05:38 < krzie> http://openvpn.net/archive/openvpn-users/2005-07/msg00247.html
05:38 < vpnHelper> Title: Re: [Openvpn-users] Re: MULTI: packet dropped due to output saturation (multi_add_mbuf) (at openvpn.net)
05:38 < krzie> i got it on attempt #2
05:38 < krzie> broadcast traffic while in tcp mode
05:39 < krzie> james is the godfather of openvpn, so my answer is in good company =]
05:40 < krzie> !learn mbuf as see http://openvpn.net/archive/openvpn-users/2005-07/msg00247.html if you haved ruled out a routing look as the cause of the error: MULTI: packet dropped due to output saturation (multi_add_mbuf)
05:40 < vpnHelper> krzie: Joo got it.
05:40 < RichiH> krzee: yah, i found that one as well. that's why i asked if there was a way to find out which client could be the cause
05:40 -!- eKKiM [~eKKiM@ks311098.kimsufi.com] has quit [Ping timeout: 265 seconds]
05:41 < krzie> ahh
05:41 < RichiH> !mbuf =~ s/look/loop/
05:41 < vpnHelper> RichiH: Error: "mbuf" is not a valid command.
05:42 < krzie> you could login to management interface and see if it gives you stats on backlogged packets, or even start disconnecting clients until it stops ;]
05:42 < RichiH> ah, you prefixed "learn", too. not a blootbot, then
05:42 < krzie> but really, if its only a dozen clients, its soooo much easier to just give out new configs (keep the existing pki)
05:42 < krzie> never too late to do something right
05:42 < krzie> !forget mbuf
05:42 < vpnHelper> krzie: Joo got it.
05:42 < vpnHelper> RSS Update - forum: Server Administration :: Re: Connect to server before logging in on client :: Reply by stevebouffe <https://forums.openvpn.net/viewtopic.php?f=4&t=7130&p=7953#p7953>
05:42 < krzie> thanx for pointing out the typo
05:43 < krzie> !learn mbuf as see http://openvpn.net/archive/openvpn-users/2005-07/msg00247.html if you haved ruled out a routing loop as the cause of the error: MULTI: packet dropped due to output saturation (multi_add_mbuf)
05:43 < vpnHelper> krzie: Joo got it.
05:43 < krzie> its a supybot
05:43 -!- eKKiM [~eKKiM@ks311098.kimsufi.com] has joined #openvpn
05:44 < eKKiM> krzie
05:44 < eKKiM> i'm back
05:44 < krzie> eKKiM, 
05:44 < krzie> cool
05:44 < eKKiM> but didn't work =(
05:44 < eKKiM> still 10 Mbps
05:45 < |Mike|> something has to cap you :-)
05:45 < RichiH> krzie: the problem is that no one (relevant) has physical access to the boxes and they are literally sprinkled across the world. far from ideal, but that's the way it is
05:45 < krzie> |Mike|, not true
05:46 < krzie> |Mike|, the devices themselves are far from great in regards to speed
05:46 < krzie> most of us dont notice because we dont have 100mbit and gigabit machines linked =/
05:47 < eKKiM> we'll i do..
05:47 < eKKiM> so there is no way of getting atleast 50 Mbit or something?
05:47 < krzie> http://openvpn.net/index.php/open-source/documentation/install.html?start=1
05:47 < vpnHelper> Title: Installation (Win32) - Page 2 (at openvpn.net)
05:47 < krzie> see bottom
05:47 < krzie> but note, that is back in openvpn1, so there have been many changes since then
05:48 < eKKiM> yea we'll but i still get only 10 Mbps
05:52 < krzie> umm eKKiM, if you looked at what i posted it backs up what you are saying
05:52 < krzie> as in agrees
05:53 < krzie> he got 4-5 sec without vpn, 23-19 with
05:53 -!- eKKiM [~eKKiM@ks311098.kimsufi.com] has quit [Read error: No route to host]
05:53 < krzie> and that was on 100mbit LAN
05:53 -!- eKKiM [~eKKiM@ks311098.kimsufi.com] has joined #openvpn
05:53 < krzie> [06:52]  <krzie> umm eKKiM, if you looked at what i posted it backs up what you are saying
05:54 < krzie> [06:52]  <krzie> as in agrees
05:54 < krzie> [06:53]  <krzie> he got 4-5 sec without vpn, 23-19 with
05:54 < krzie> [06:53]  <krzie> and that was on 100mbit LAN
05:54 < krzie> also, while using TCP, expect it to be slower and disconnect
05:54 < eKKiM> i don't mather if i get speed of 50 Mbps but i think i should atleast get 1/2 of full speed
05:55 < krzie> the lead developer did not in his testings which i linked you to... dunno why you would
05:55 < krzie> also, he wasnt using tcp
05:55 < eKKiM> is there a way to tunnel udp over ssh?
05:56 < krzie> nope and good point
05:56 < krzie> you are tunneling TCP over TCP over TCP
05:56 < krzie> which is lulz
05:56 < krzie> you're lucky you get 10mbit
05:57 -!- vpn-tester [~java@213.55.131.207] has joined #openvpn
05:57 < vpn-tester> re
05:57 < krzie> you get disconnected often dont you
05:57 < eKKiM> i never get disconnected =/
05:58 < krzie> ahh i figured the 2x in the last 40min you dropped were unplanned
05:58 < eKKiM> i editted my seetings
05:58 < eKKiM> and tested it
05:58 < krzie> gotchya
05:58 < vpn-tester> dazo this seams not to be easy...
05:58 < vpn-tester> do i need 2 ips for the first tunnel?
05:58 < vpn-tester> and 3 for 2 tunnels? so tap0 needs an correct ip, too?
05:58 < krzie> if you really really must tunnel, maybe you can use socks instead of ssh tunnel
05:58 < eKKiM> btw krzie also interesting is we are using the vpn with .3 
05:58 < eKKiM> 3 people
05:59 <@dazo> vpn-tester: I told you, bridging is more tricky ... go for NAT and you're up'n'running much quicker
05:59 < eKKiM> from same location
05:59 < eKKiM> and we each get 10 Mbps
05:59 < krzie> at least real socks daemons support udp
05:59 <@dazo> vpn-tester: you missed this message ....vvvv
05:59 <@dazo> <dazo> then you need to make sure you don't chop-off the connection you have to the server while configuring it ... as you in your case needs to bridge your interface which have the public IP address ... and just by doing such a bridge, you really need to be sure you do it right ... because that's can misused and will be a nice attack vector, from a security perspective ... bridging an interface with a public IP is risky business
05:59 < krzie> eKKiM, thats interesting? ive been saying that the interface itself is at LEAST partially to blame
05:59 < eKKiM> yes krzie my school firewall blocks all other kind of proxies..
05:59 < vpn-tester> dazo but how?
05:59 < vpn-tester> how can i use nat?
06:00 < krzie> eKKiM, ssh tunnel IS socks
06:00 <@dazo> vpn-tester: iptables ... and -j MASQUERADE in the nat table 
06:00 < eKKiM> yes but only p22 is open
06:00 < krzie> socks can run on p22 :-p
06:00 < eKKiM> but my server needs p22 for ssh :p
06:00 < krzie> !linnat
06:00 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
06:00 <@dazo> vpnHelper:  # iptables -t nat -I POSTROUTING -o eth0 -s 10.10.100.0/24 -d 0.0.0.0 -j MASQUERADE
06:00 < vpnHelper> dazo: Error: "#" is not a valid command.
06:01 < krzie> weird, my sshd runs on port 220 well ;]
06:01 < vpn-tester> dazo but not use tap?
06:01 < eKKiM> yes krzie it does
06:01 < eKKiM> but my school blocks that..
06:01 < |Mike|> haha
06:01 < eKKiM> -_-
06:01 < krzie> ok, then chop it up to the device itself and you only get 10mbit on your tunnel
06:01 <@dazo> vpn-tester: tap is kind of fine (except it gives more traffic overhead compared to tun) ... and you can use tap or tun, to your liking ... but *briding* is the tricky part
06:02 < krzie> i cant even garuntee youd gain from going udp
06:02 < eKKiM> going to disable blowfish in few minutes
06:02 < eKKiM> hope that helps a bit..
06:02 < krzie> cipher none
06:02 < eKKiM> yup
06:02 < krzie> cool, thought that could save you a moments reading ;]
06:03 < krzie> btw, im jealous of your problem
06:03 < vpn-tester> dazo but what do i need now for the nat?
06:03 < eKKiM> why?
06:03 < krzie> i pay $150 usd to get 3mbit / 1mbit
06:03 < eKKiM> ^^
06:03 < eKKiM> i'm used to something faster..
06:03 < eKKiM> have*
06:03 <@dazo> vpn-tester: # iptables -t nat -I POSTROUTING -o eth0 -s 10.10.100.0/24 -d 0.0.0.0 -j MASQUERADE
06:04 <@dazo> !linnat
06:04 < vpnHelper> dazo: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
06:04 <@dazo> vpn-tester: ^^^
06:04 < krzie> my friends who run an international phone company are talking about getting fiber out here and establishing a presense... i sure hope they do!
06:04 < eKKiM> :D
06:04 < eKKiM> Tue Oct  5 13:02:24 2010 RDTx/127.0.0.149176 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
06:05 < eKKiM> what does that mean?
06:05 < eKKiM> brb disabling fish
06:05 < krzie> eKKiM, likely the same as RichiH had...
06:05 < krzie> !mbuf
06:05 < vpnHelper> krzie: "mbuf" is see http://openvpn.net/archive/openvpn-users/2005-07/msg00247.html if you haved ruled out a routing loop as the cause of the error: MULTI: packet dropped due to output saturation (multi_add_mbuf)
06:06 < krzie> but the tun version, and not broadcast related
06:06 -!- kg [~kg@81.222.247.34] has quit [Remote host closed the connection]
06:06 < krzie> (im guessing, but seems likely)
06:06 < krzie> http://www.mentby.com/chad-z-hower/multi-packet-dropped-due-to-output-saturation.html
06:06 < vpnHelper> Title: MULTI: packet dropped due to output saturation - Chad Z. Hower (at www.mentby.com)
06:06 < krzie> lol, he mentions he found people fix it by going to UDP
06:07 < krzie> try this
06:07 < krzie> tcp-queue-limit 256
06:07 -!- blaat1 [~eKKiM@ks311098.kimsufi.com] has joined #openvpn
06:07 -!- eKKiM [~eKKiM@ks311098.kimsufi.com] has quit [Read error: No route to host]
06:07  * dazo brb
06:08 < krzie> blaat1, 
06:08 < krzie> [07:06]  <krzie> http://www.mentby.com/chad-z-hower/multi-packet-dropped-due-to-output-saturation.html
06:08 < krzie> [07:06]  <vpnHelper> Title: MULTI: packet dropped due to output saturation - Chad Z. Hower (at www.mentby.com)
06:08 < krzie> [07:06]  <krzie> lol, he mentions he found people fix it by going to UDP
06:08 < vpnHelper> Title: MULTI: packet dropped due to output saturation - Chad Z. Hower (at www.mentby.com)
06:08 < krzie> [07:07]  <krzie> try this
06:08 < krzie> [07:07]  <krzie> tcp-queue-limit 256
06:08 -!- blaat1 is now known as eKKiM
06:08 -!- eKKiM is now known as blaat1
06:08 < blaat1> http://www.speedtest.net/result/978742183.png
06:08 -!- blaat1 is now known as eKKiM
06:08 -!- eKKiM is now known as blaat1
06:08 < krzie> http://blog.tuinslak.org/2010/03/openvpn-packet-drops/
06:09 < vpnHelper> Title: OpenVPN packet drops » Tuinslak (at blog.tuinslak.org)
06:09 < krzie> !learn multi_process_incoming_tun as http://blog.tuinslak.org/2010/03/openvpn-packet-drops/
06:09 < vpnHelper> krzie: Joo got it.
06:10 < |Mike|> tuinslak is actually dutch
06:10 < blaat1> so am i =)
06:10 < krzie> no shocker... seems many dutch and german people are into security
06:11 <@dazo> paranoid group of people
06:11 < blaat1> brb
06:11 < blaat1> restarting deamon
06:11 -!- blaat1 [~eKKiM@ks311098.kimsufi.com] has quit [Client Quit]
06:12 < krzie> when in holland i couldnt tunnel to internet over dns from any captive portals
06:12 < krzie> nor did i see much WEP
06:12 < krzie> very rare in my travels
06:12 -!- eKKiM [~eKKiM@ks311098.kimsufi.com] has joined #openvpn
06:12 < |Mike|> dazo: blablabla :P
06:12 < krzie> i was impressed and annoyed
06:13 <@dazo> annoyingly impressed? ;-)
06:13 < eKKiM> http://www.speedtest.net/result/978746366.png
06:13 < eKKiM> upload still fails
06:13 < |Mike|> mr krzie was trying to get online but couldn't due.... wpa2 :P
06:14 < krzie> dazo, yup
06:15 < vpn-tester> dazo but how do i set the client that windows uses the vpn tunnel for all the trafic not the default?
06:15 < vpn-tester> do i have to push something?
06:15 <@dazo> vpn-tester: --redirect-gateway
06:15 <@dazo> that can be setup in the client config ... or pushed from server
06:16 < eKKiM> hmm
06:16 < eKKiM> having another problem
06:16 < eKKiM> using the linux openvpn client
06:16 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Read error: Operation timed out]
06:16 < eKKiM> if i make a ssh tunnel for openvpn
06:16 < eKKiM> and i connect
06:16 < vpn-tester> ok
06:16 < eKKiM> my ssh connection disconnects
06:16  * krzie is getting tired of staying up to watch the action go down in front of his house
06:17 < krzie> theres guys out there, have been for a couple hours... i saw some with semi or auto assault rifles earlier
06:17 < krzie> so i called someone to see whats up, turns out a big drug bust is gunna go down
06:18 < vpn-tester> dazo how has the destination to be?
06:18 < vpn-tester> 10.10.100.1?
06:18 < krzie> so ive been staying up to watch the action... but these guys are taking FOREVER
06:22 < vpn-tester> dazo http://pastebin.com/0Bk99Dj3 this is the actual server config
06:22 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
06:22 < krzie> !authpass
06:23 < vpnHelper> krzie: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
06:25 < krzie> !pki
06:25 < vpnHelper> krzie: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was
06:25 < vpnHelper> krzie: signed specially as a server (see !servercert)
06:25 < krzie> (im using those for mail list)
06:25 < krzie> err forum i mean
06:29 < |Mike|> eKKiM: I see, your nick sounds familair
06:29 < vpn-tester> what do i have to push?
06:35 < krzie> a virgin, into a volcano
06:35 < krzie> the openvpn gods demand sacrifice!
06:38 -!- abeehc-_ [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 252 seconds]
06:38 < krzie> !linipforward
06:38 < vpnHelper> krzie: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
06:41 <@dazo> vpn-tester: you mean the iptables command?
06:41 <@dazo> vpn-tester: first of all - some other things first - you don't want 255.0.0.0 as netmask for you ... narrow that down to 255.255.255.0
06:42 <@dazo> #push "route 0.0.0.0 0.0.0.0"  <<--- this is utter wrong ... and just delete it completely, don't ever be tempted to add this one
06:43 < krzie> !route
06:43 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
06:43 < krzie> (for a forum posting)
06:43 -!- vpn-tester [~java@213.55.131.207] has quit [Ping timeout: 241 seconds]
06:43 <@dazo> gee
06:43 < krzie> hehe
06:43  * dazo considers to get grumpy!
06:43 <@dazo> :-P
06:44 < krzie> im almost done with the "unanswered" section of the forum!
06:44 < krzie> these drug-cops outside waiting to raid my neighbor dont know how many VPN setups they have caused to get help
06:45 < krzie> i should go outside to say "the internet says thank you"
06:45 -!- abeehc- [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined #openvpn
06:46 < krzie> if they dont shoot someone soon im going to sleep
06:46 <@dazo> krzie: do that!  I dare you!  You can even give them a hug from me! :-P
06:46 -!- eKKiM [~eKKiM@ks311098.kimsufi.com] has quit [Ping timeout: 240 seconds]
06:47 < krzie> i was kinda scared at first... thought they were doing some home invasions... til i made my call and found out they are cops and theres a bust
06:47 < krzie> they have some nice assault guns... i wouldnt be able to do shit
06:47 < krzie> assault rifles* (damn lack of sleep / weed)
06:48 <@dazo> :)
06:48 < vpnHelper> RSS Update - forum: Server Administration :: Re: Site to Site link :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7146&p=7959#p7959>
06:52 < Bushmills> rinsed it down?
06:54 < krzie> hahah no
06:55 < krzie> a) i dont sell anymore (never did in this country)
06:55 < krzie> b) if it was for me, i would have gotten a phone call instead of making it
06:55 < krzie> or at least i think
06:55 < krzie> heh
07:00 < krzie> screwit im going to sleep
07:00 < reiffert> 14:00 < krzie> screwit im going to sleep
07:00 < reiffert> 09:30 < krzie> im going to bed, hopefully reif can help you
07:00 < krzie> they better have loud guns if they shoot someone
07:00 < krzie> ya, between that isaw assault rifles in front of my house
07:00 < krzie> changes everything!
07:00 < reiffert> body lag with 4:30h?
07:01 < reiffert> why is that, assault rifles?
07:01 < krzie> cause out here they often shoot people during raids
07:01 < krzie> and i wanted to see it!
07:02 < reiffert> any body count?
07:02 < krzie> no action yet
07:02 < krzie> lamesauce so far
07:02 < krzie> dunno wtf the wait is for
07:03 < reiffert> they will raid you when you are asleep ...
07:03 < reiffert> of course.
07:03 < Bushmills> sunrise. best tiime for ducks
07:03 < krzie> sun rose
07:03 < reiffert> moin Bushmills
07:03 < krzie> 8am
07:03 < Bushmills> hi reiff
07:03 < krzie> i met a german at a bar the other week
07:03 < krzie> i said "moin"
07:04 < krzie> he just looked at me weird
07:04 < krzie> heh
07:04 < Bushmills> then he beat you up
07:04 < krzie> shit no i woulda rocked him
07:04 < Bushmills> maybe he was from bavaria, and thought "saupreiss"
07:09 < reiffert> :)
07:10 < reiffert> Bushmills: thought about joining the zoggen today?
07:10 < Bushmills> reiffert, i think the guest machine is occupied already 
07:11 < Bushmills> or did sasha cancel?
07:14 < reiffert> the machine's still occupied by sascha, but there should be a 2nd guest machine IIRC.
07:14 < reiffert> but hm, there is no guest game installation left,, hrmnn..
07:14 < Bushmills> i understood that the two were combined, to make one good machine
07:15 < Bushmills> one had problems with video card, the other with something else
07:17 < reiffert> looks like you know more than I do, just like always ;)
07:17 < vpnHelper> RSS Update - forum: Server Administration :: Re: OpenVPN and WINS problem :: Reply by Mimiko <https://forums.openvpn.net/viewtopic.php?f=4&t=7117&p=7962#p7962> || Configuration :: Re: Multi-client vpn :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7115&p=7938#p7938> || Configuration :: Re: client-to-client help :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7113&p=7940#p7940> || Configuration :: Re: OpenV
07:18 < Bushmills> though i could have handled a slice or three of pizza
07:20 < reiffert> I can fetch you up if you like, leaving my flat at 15:30, fetching sascha at 16:00
07:22 < Bushmills> thanks, but i'll give it a pass today. 
07:22 < reiffert> how far did things develop with your toefftoeff?
07:23 < Bushmills> got lock, cover, still waiting for papers
07:23 < reiffert> can I fetch them for you, e.g. right now?
07:24 < Bushmills> no, unlikely. when they arrive, i'll get them brought here next morning.
07:24 < reiffert> let's hope they dont get lost somewhere inbetween.
07:24 < reiffert> didnt
07:24 < Bushmills> intention is to return same afternoon, with all the paperworks, and take it away
07:25 < Bushmills> on the way back, i might stop in mainz, checking out topcases and mounts+
07:27 < reiffert> there are chances that I am in Gonsenheim in the next couple of days, learning maths... Mon to Wed will be Rheingoldhalle
07:28 < Bushmills> oh, great opportunity to keep you from learning :P
07:29 -!- Optic [~Optic@miso.capybara.org] has left #openvpn []
07:31 < reiffert> current plans are to take on learning while sitting around waiting for a network incident
07:34 < Bushmills> impatient look at the controls "shit, still nothing wong with the net"
07:35 < reiffert> ;)
07:35 < Bushmills> that's when the "coffee improves learning" routine starts to set in
07:36 < Bushmills> and it ends with "it's not a plane, it's not a bird, it is - reiffert on caffeine OD"
07:53 -!- sc__ [~sc@unaffiliated/asgw] has joined #openvpn
07:53 < sc__> How do I set static IPs for clients?
07:53 < reiffert> !static
07:53 < vpnHelper> reiffert: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.5 10.8.0.6 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder
07:53 < sc__> Have googled, and tried ipp.txt but openvpn still seems to deal out dynamic addresses.
07:54 < sc__> hmm ok
07:54 < sc__> thanks
07:56 < reiffert> !iporder
07:56 < vpnHelper> reiffert: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
07:56 < reiffert> !ccd
07:56 < vpnHelper> reiffert: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
07:56 < reiffert> !ipp
07:56 < vpnHelper> reiffert: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
07:56 < sc__> aha
07:56 < reiffert> just try there ! commands yourself, gtg
07:57 < sc__> great :)
07:57 < sc__> no that's perfect, thanks for pointing me in the right direction.
07:57 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
08:04 -!- xreal [~mweber@ds87-230-55-31.dedicated.hosteurope.de] has quit [Read error: Connection reset by peer]
08:05 -!- xreal [~mweber@ds87-230-55-31.dedicated.hosteurope.de] has joined #openvpn
08:08 < xreal> I've read about routing, but can't get it to work! http://paste.pocoo.org/show/271298/
08:40 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
08:58 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 245 seconds]
09:00 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Read error: Connection reset by peer]
09:08 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
09:10 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
09:14 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
09:16 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
09:19 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
10:02 < ecrist> xreal: what's your problem?
10:04 < xreal> 1 sec
10:05 < xreal> ecrist: Can't find the english text anymore :-(
10:05 < xreal> I'm want to share the client's LAN with the server.
10:05 < ecrist> !iroute
10:05 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
10:05 < ecrist> !route
10:05 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:05 < ecrist> read those, they fully answer your questions, xreal.
10:05 < xreal> ecrist: I know, but I can't get it working. Really. I tried for over 7 hours now.
10:06 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 265 seconds]
10:06 < xreal> My server-config: http://paste.pocoo.org/show/271244/
10:06 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
10:07 < xreal> when uncommenting line 25 and 26, it still doesn't work ;(
10:17 -!- eKKiM [~eKKiM@d5152FCBD.static.telenet.be] has joined #openvpn
10:24 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
10:27 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has joined #openvpn
10:29 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Ping timeout: 265 seconds]
10:36 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Quit:  has left the bulding]
10:39 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
10:43 < ecrist> xreal: I still don't see client config dir (it's commented out)
10:43 < ecrist> you need that if you're going to push routes for a network behind another client.
10:56 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
10:57 < xreal> ecrist: I removed it, since i don't know, how to use it. Reading man didn't help.
10:57 < ecrist> did you read the route link above?
10:58 < ecrist> let's tackle this in two steps.  first, can you connect to your openvpn server?
10:59 -!- sc__ [~sc@unaffiliated/asgw] has quit [Quit: Ex-Chat]
11:01 < xreal> ecrist: Yes.
11:01 < xreal> I can ping both internal IPs.
11:01 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:01 < xreal> 172.16.0.1 and 172.16.0.6
11:01 < xreal> those are the VPN IPs
11:01 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-rymcuomoflgmiqaw] has left #openvpn []
11:01 < ecrist> ok, and if your home network connects, can the two vpn clients ping each other?
11:02 < xreal> which IPs do you mean?
11:03 < xreal> I can't ping any address of the LAN.
11:03 < vpnHelper> RSS Update - forum: Configuration :: Re: Multi factor authentication :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7133&p=7956#p7956>
11:05 < xreal> Why can't anyone finish a conversation in IRC nowerdays? :-(
11:08 < ecrist> xreal: the VPN ips, not the LAN ips.
11:08 < xreal> ecrist: Yes. that's 172.16.0.1 and 172.16.0.6.
11:08 < xreal> 172.16.0.1 is the virtual device on the server, 172.16.0.6 is the virtual device on the client.
11:09 < ecrist> so, the server is on the lan you want to connect to?  it has multiple interfaces?
11:10 < xreal> No, the server is an external vserver.
11:10 < ecrist> so, how does the lan connect to the vpn?
11:10 < xreal> I'm connection the client from within the LAN to the external vserver.
11:10 < xreal> connecting*
11:10 < ecrist> I'm confused
11:11 < xreal> I can't run a VPN server on the LAN, since I don't have external IPs and can't open the needed ports.
11:12 < xreal> LAN (10.x.x.x) <=> VPN-Client <=> external server (VPN server)
11:12 < ecrist> and who is trying to connect to the LAN, the VPN server?
11:12 < xreal> exactly!
11:13 < ecrist> ah, that's really easy.
11:13 < xreal> I am trying for 18 hours, 30 minutes now.
11:13 < ecrist> route add 10.0.0.0/8 172.16.0.6
11:13 < ecrist> on the server
11:14 < xreal> but 172.16.0.6 has to be fixed in the ccd file, haven't it?
11:14 < xreal> hasn't* (sorry, tired)
11:14 < ecrist> try it
11:14 < xreal> ok
11:15 -!- Bartzy [c25a7171@gateway/web/freenode/ip.194.90.113.113] has joined #openvpn
11:15 < Bartzy> Hi, anyone here ? I'm having trouble understanding PKI authetication between the server and clients
11:16 < xreal> ecrist: in the server's shell or in the config file?
11:16 < ecrist> server's shell
11:16 < Bartzy> I wanted to know - when I'm generating a client private/public key set... and then sign the public key with my CA.... Why is the private key needed in authentication to the VPN ? What's the role of the private key in all this ?
11:16 < xreal> ecrist: "route: netmask 00ffffff doesn't make sense with host route"
11:17 < Bartzy> I'm looking at this HOWTO: http://openvpn.net/index.php/open-source/documentation/howto.html
11:17 < vpnHelper> Title: HOWTO (at openvpn.net)
11:17 < ecrist> Bartzy: that's basic PKI stuff.  in a real-world situation, the private key is held by and only known to the certificate requestor.
11:17 < ecrist> the private key allows you to decrypt data encrypted by the public key.
11:18 < Bartzy> ecrist: I know that.
11:18 < ecrist> public key trust is had by getting a trusted third-part (the CA) to sign the public key for the key pair.
11:18 < Bartzy> I'm asking what's the private key role in authentication with the VPN ?
11:18 < ecrist> the private key allows you to decrypt data encrypted by the public key.
11:19 < Bartzy> The user's public (signed) key is not presented and/or stored in the VPN Server right ?
11:19 < ecrist> right.
11:19 < ecrist> no, sorry
11:19 < Bartzy> My question is how a user is authenticated with his public/private key pair ?
11:19 < xreal> ecrist: Did you see the failure?
11:19 < Bartzy> I know how PKI works
11:20 < ecrist> http://openvpn.net/archive/openvpn-devel/2005-09/msg00000.html
11:20 < vpnHelper> Title: [Openvpn-devel] OpenVPN Protocol (at openvpn.net)
11:21 < ecrist> Bartzy: if you really need more in-depth information, read the source code.
11:21 < xreal> ecrist: I am using Debian
11:22 < Bartzy> ecrist: I'm just asking if someone can give a straight answer
11:22 <@dazo> Bartzy: the private key is used to decrypt while the public key is used for encryption
11:22  * ecrist thought he just gave one.
11:23 < Bartzy> dazo: I understand that, but that's not what I asked
11:23 < Bartzy> I asked how it is used in user authentication.
11:23 <@dazo> patience, I'm coming there :)
11:23 < xreal> ecrist: Do you have an idea what's wrong?
11:23 < Bartzy> oh OK. :)
11:24 < ecrist> xreal: try 10/8 instead of 10.0.0.0/8
11:24 <@dazo> Bartzy: when the SSL layer negotiates the connection, each side sends over the their certificate (--cert <file>) to the other side, this certificate also includes their public keys
11:24 < Bartzy> dazo: Right.
11:25 < ecrist> or, try 'route add -net 10.0.0.0 255.0.0.0 172.16.0.6'
11:25 <@dazo> Bartzy: then each side validates the certificate, by checking the signatures of the certificates they received and checks if that signature matches the CA certificate they both have
11:25 < xreal> ecrist: sorry, none of these worked.
11:25 < ecrist> xreal: I'm not a linux user, so I can't tell you, but read the man page for route.  you need to add a route to the vpn server.
11:25 < Bartzy> dazo: OK.
11:26 <@dazo> Bartzy: then they negotiate a temporary encryption key, by using the public keys in the certificates ... which goes back and forth a couple of times, which includes making sure the other side can decrypt the info (where the private key is needed)
11:26 < xreal> ecrist: ok ;-(
11:26 <@dazo> Bartzy: then the server can use the DN (X.509 subject field) which includes the identity of the certificate holder
11:27 < Bartzy> dazo: To do what with it ?
11:28 <@dazo> Bartzy: that's used by OpenVPN for further authentication ... usually via plug-ins
11:28 < Bartzy> OK
11:28 < Bartzy> But for the authentication part only, for saying "I am who you think I am", only the public certificate is used ?
11:28 <@dazo> But the SSL layer have already done some authentication, based on the CA certificate both sides have ... and the server and client certificate needs to be signed by that CA certificate
11:29 <@dazo> so the CA certificate is the TTP (Trusted Third Party) ... and based on the signature in the client and server certificates, they can validate that by using the public key of the CA certificate
11:29 < Bartzy> dazo: The server & client certificates are signed by the CA private key, and then if it's successfully opened by the CA public key (which is ofcourse public), then it's considered trusted or 'signed', right ?
11:29 <@dazo> Bartzy: that's right
11:29 < Bartzy> dazo: OK.
11:29 < Bartzy> dazo: So I'll ask again (because I didn't get if fully :)):
11:30 <@dazo> shoot :9
11:30 < Bartzy> What's the private key role of the client ?
11:30 <@dazo> :)
11:30 < Bartzy> I mean, if only the public key is doing the authentication part
11:30 < ecrist> wow
11:30 < ecrist> Bartzy: the only thing the private key is used for is decrypting data encrypted to the public key
11:30 <@dazo> the private key is not used directly in the pure authentication phase ... only the public keys are needed there.  But to generate a public key, you need a private key
11:31 < Bartzy> dazo: OK, and then the server is sending the client a shared symmetric key , encrypted with the client's public key ?
11:31 <@dazo> Further the private keys are used for the next phase, which is to negotiate the temporary (symmetric) encryption keys 
11:31 < Bartzy> OK
11:32 < Bartzy> dazo: But that can be accomplished by using only the server's public/private keys right ?
11:32 < Bartzy> like SSH does ?
11:32 <@dazo> and that temporary key is used to encrypt and decrypt the tunnel data .... and then, based on on --reneg-* settings, this key is changed frequently
11:33 <@dazo> Bartzy: the way SSH does it, is that it doesn't use a third party to confirm the authenticity of neither client nor server
11:33 < Bartzy> dazo: Right.
11:33 <@dazo> Bartzy: that way, you can't check with a third party if the server or client is the one it claims to be, to say it easier
11:34 < Bartzy> dazo: Right, it's just confusing that the public key is used for authentication... and public is well.. public :)
11:34 <@dazo> because the public keys are only used to validate the signatures, that's the tricky thing
11:34 <@dazo> with the private key you can decrypt and sign data .... the public key can only encrypt and verify signatures
11:34 < vpnHelper> RSS Update - forum: Configuration :: Re: Can´t generate the master Certificate Authority (CA) :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7135&p=7957#p7957>
11:34 < Bartzy> so if someone steals the user's public key only (without the private key) , they still can't login to the VPN, because the server will send them the temp symmetric key encrypted with that public key, right ?
11:35 <@dazo> Bartzy: exactly ... so the the next phase of the key negotiation will fail
11:35 < Bartzy> dazo: Wow thanks a lot for a wonderful explaination :)
11:36 < Bartzy> Why bi-directional authentication is needed ? Can I just skip the server's key pair and only generate a key pair (and sign it) for my clients ?
11:36 <@dazo> Bartzy: sure no prob! :)  If you want to know more about it, Eric Rescorla (iirc) wrote a book called "SSL and TLS, designing secure *something*" ... it's a bit dated, but these principles are very well explained in-depth there
11:37 <@dazo> Bartzy: bi-dir auth is useful for the server to know that the client is a trusted client 
11:37 < Bartzy> dazo: Also, I think that in RSA algo, both private and public key can encrypt and decrypt each other... that's how the CA public key is used to verify the certificates that were signed by the CA private key
11:37 <@dazo> Bartzy: you don't need to do that in OpenVPN ... you have some option for the server side to not require client certificates, then it's more like a traditional SSL connection
11:38 < Bartzy> dazo: Ofcourse. I talked about why should I want the client to know that the server is trusted ? 
11:38 <@dazo> Bartzy: you want to be sure about both sides to avoid man-in-the-middle attacks
11:38 < Bartzy> dazo: OK... so the server's signed certificate is a must right ?
11:39 <@dazo> Bartzy: if you have a guy who managed to proxy your connection through an SSL proxy, it could make the client believe it talks to the right server and the real server  that the client side of the proxy is the real client
11:40 <@dazo> and that guy could then decrypt and encrypt the traffic and just pass it on as normal ... with bi-dir auth, this is close to impossible
11:40 -!- xreal2 [~mweber@mailgw.FB12.Uni-Dortmund.DE] has joined #openvpn
11:40 <@dazo> Bartzy: yeah, the server needs a signed certificate for sure ... or else, it's easy to create a fake certificate and claim that you are whichever server 
11:43 -!- xreal [~mweber@ds87-230-55-31.dedicated.hosteurope.de] has quit [Ping timeout: 265 seconds]
11:47 < xreal2> Can anyone please help me? I am willing to pay $5 using Paypal ;-)
11:47 < ecrist> xreal2: read the man page
11:47 < ecrist> for route
11:47 <@dazo> !man
11:47 < ecrist> all you need to do is add the route
11:47 < vpnHelper> dazo: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
11:48 < xreal2> ecrist: I tried it, it just did not work :(
11:48 < ecrist> dazo, the linux man page for the 'route' command.
11:48 < ecrist> xreal2: read the man page for the route command.
11:48 <@dazo> ahh .. that's:  route add -net NETWORK SUBNET gw GW-IP
11:48 < ecrist> ah, I omitted the gw part
11:49 < xreal2> this also doesn't work:  ip r d 10.0.0.0/8 via 172.16.0.6
11:49 < ecrist> xreal2: route add -net 10.0.0.0 255.0.0.0 gw 172.16.0.6
11:49 < xreal2> ok
11:49 < xreal2> No change. It still shows Usage of route.
11:50 < ecrist> and what does it say?
11:50 <@dazo> sorry!
11:50 < xreal2> Nothing, it only shows Usage.
11:50 <@dazo> route add -net 10.0.0.0 netmask  255.0.0.0 gw 172.16.0.6
11:50 <@dazo> I forgot 'netmask'
11:50 < xreal2> ahhh
11:50 < xreal2> it did something ;)
11:50 < xreal2> but I still can't ping anything on LAN ;(
11:52 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 245 seconds]
11:52 -!- xreal2 is now known as xreal
11:54 < ecrist> xreal: we didn't get there yet.
11:54 < ecrist> on the VPN client, you need to enable ip forwarding.
11:54 < ecrist> not sure how to do that on linux, dazo?
11:55 <@dazo> sysctl net.ipv4.ip_forward=1
11:55 < xreal> ecrist: the client is on Windows
11:55 < xreal> registry => forwarding activated
11:55 < xreal> IPEnableRouter = 1
11:56 < ecrist> ok, can the VPN server ping the LAN ip of the VPN client?
11:56 <@dazo> xreal: you'll need to do the same on the openvpn server as well .... you can make it permanent by editing /etc/sysctl.conf
11:56 <@dazo> (at some point)
11:56 < xreal> @dazo: Yep, it's done.
11:57 < xreal> echo 1 > /proc/sys/net/ipv4/ip_forward
11:57 -!- GerhardSchr [~GerhardSc@unaffiliated/gerhardschr] has quit [Ping timeout: 245 seconds]
11:57 < Bartzy> dazo: Thanks a lot for all your help and explainations earlier :)
11:57 < Bartzy> really cleared out a lot of stuff...
11:57 -!- GerhardSchr [~GerhardSc@89.144.18.130] has joined #openvpn
11:57 <@dazo> Bartzy: no problem! good to hear it helped :)
12:02 < ecrist> xreal: traceroute 10.0.0.<whatever> from the VPN server
12:03 < xreal> k
12:03 < xreal>  1  * * *
12:03 < xreal>  2  * * *
12:03 < xreal>  3  * * *
12:03 < xreal>  4  * * *
12:03 < ecrist> can the VPN server ping 172.16.0.6?
12:05 < xreal> yep
12:05 < xreal> (it's 172.16.0.4 now, but I updated anything before)
12:05 < xreal> ip r:
12:05 < xreal> xx.230.55.0/24 dev eth0  proto kernel  scope link  src xx.230.55.31
12:05 < xreal> 172.16.0.0/24 dev tun0  proto kernel  scope link  src 172.16.0.1
12:05 < xreal> 10.0.0.0/8 via 172.16.0.4 dev tun0
12:05 < xreal> default via 87.230.55.1 dev eth0
12:05 < xreal> d'oh: ignore my real IP, please ;-)
12:06  * dazo starts a portscan :-P
12:09 < ecrist> xreal: now it looks like a firewall issue on the remote end
12:09 < ecrist> disable windows firewall
12:10 < xreal> ecrist: 1 sec
12:10 < xreal> has not been started.
12:12 < ecrist> the routes on the server look right, the fact that you can't ping the LAN IP of the windows machine screams firewall
12:14 < xreal> I never had one ...
12:14 < xreal> let me do a reboot
12:16 < xreal> that's what I dream of: http://imagebin.org/117146
12:16 < vpnHelper> Title: Imagebin - A place to slap up your images. (at imagebin.org)
12:17 < xreal> brb reboot
12:17 -!- xreal [~mweber@mailgw.FB12.Uni-Dortmund.DE] has quit [Quit: Switch off the lights and close your eyes. Feel the energy inside.]
12:28 -!- bandini [~bandini@host153-25-dynamic.20-79-r.retail.telecomitalia.it] has joined #openvpn
12:39 -!- xreal [~mweber@mailgw.FB12.Uni-Dortmund.DE] has joined #openvpn
12:39 < xreal> I've updated the image: http://imagebin.org/117150
12:39 < vpnHelper> Title: Imagebin - A place to slap up your images. (at imagebin.org)
12:41 < xreal> Does this explain my situation ?
12:44 < xreal> anyone?
12:52 < Bushmills> !route
12:52 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:54 < xreal> Bushmills: I tried this on the server: "route add -net 10.0.0.0 netmask  255.0.0.0 gw 172.16.0.4" - no success
12:54 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
12:54 < Bushmills> "no success" mean the route wasn't added? try again as root.
12:55 < xreal> The route was added, but ping and traceroute didn't answer.
12:55 < Bushmills> afaik, the !route doc says something about taking care of the back route too
12:59 < xreal> I think, I am too stupid for this. For real.
12:59 -!- dazo is now known as dazo_afk
13:02 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
13:03 < Bushmills> the lazy way to set this up is by configuring NAT on the LAN side. though setting routes right is preferred.
13:04 < xreal> Busmills: I can't change anything on the firewall, sorry (see my diagram).
13:04 < ecrist> gah, xreal is the 10.x lan native to the external server?
13:04 < ecrist> sounds like you have an IP conflict
13:05 < xreal> ecrist: I think, it's a network of the data processing center.
13:06 < xreal> ecrist: Is there a way to fix this?
13:07 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
13:11 < ecrist> xreal: if there's an actual network conflict, and you don't control the network, no.
13:12 < xreal> ecrist: So 20 hours work with OpenVPN are lost ?
13:12 < ecrist> perhaps, without seeing the actual networks you're on, I can't say for sure.
13:13 < xreal> I can answer all the questions, you've got according this network.
13:19 -!- vpn-tester [~java@46-126-159-16.dclient.hispeed.ch] has joined #openvpn
13:19 < vpn-tester> hi
13:19 < ecrist> does your VPN server have and require access to the 10 class-A network?
13:24 < vpn-tester> how do i have to set the push options that the server is used as a gateway to the internet?
13:25 < ecrist> !def1
13:25 < vpnHelper> ecrist: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
13:25 < ecrist> in other words:
13:25 < ecrist> push "redirect-gateway def1"
13:25 < ecrist> !learn def1 as push "redirect-gateway def1"
13:25 < vpnHelper> ecrist: Joo got it.
13:29 < vpn-tester> ecrist buthow do i set the gateway?
13:29 -!- krzy [krzee@hemp.ircpimps.org] has joined #openvpn
13:29 -!- krzy [krzee@hemp.ircpimps.org] has quit [Remote host closed the connection]
13:29 -!- krzy [krzee@hemp.ircpimps.org] has joined #openvpn
13:30 < vpn-tester> ecrist i dont want 0.0.0.0 the gateway should be 10.10.100.1
13:30 < vpn-tester> this is the tap device on the server side
13:30 < krzy> quotes get eaten by vpnHelper 
13:30 < krzy> !def1
13:30 < vpnHelper> krzy: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push redirect-gateway def1
13:31 < ecrist> vpnHelper: do what I told you.
13:31 < vpnHelper> ecrist: Error: "do" is not a valid command.
13:31 < ecrist> vpn-tester: do what I told you.
13:31 < krzy> !say
13:31 < vpnHelper> krzy: "say" is NO! you're not the boss of me!
13:31 < krzy> actually vpnHelper... i am!
13:32 < ecrist> krzy: I'll fix it in the DB
13:32 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 276 seconds]
13:32 -!- krzy [krzee@hemp.ircpimps.org] has quit [Client Quit]
13:32 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
13:35 < vpn-tester> ecrist i tried
13:35 < vpn-tester> but seems not to work
13:35 < ecrist> !def1
13:35 < vpnHelper> ecrist: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
13:35  * ecrist does a dance
13:36 < vpn-tester> http://pastebin.com/ggqrSbqG
13:36 < vpn-tester> like this the server config is
13:36 < ecrist> ok, so what doesn't work?
13:39 < vpnHelper> RSS Update - forum: Server Administration :: Re: OpenVPN and WINS problem :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7117&p=7966#p7966>
13:40 < vpn-tester> ecrist it does not set another default gw
13:40 < ecrist> it won't
13:41 < ecrist> you'll see two new routes
13:41 < vpn-tester> nope
13:41 < ecrist> one for 0.0.0.0/1 and 128.0.0.0
13:41 < ecrist> read the man page
13:46 < vpn-tester> i tried ecrist
13:46 < vpn-tester> but i dont find the mistake
13:46 < vpn-tester> why does it not get an gateway?
13:48 < ecrist> you won't see it as a default gateway
13:48 < ecrist> you'll see it in your routing tables
13:51 < krzie> (this is for forums)
13:51 < krzie> !client-connect
13:51 < vpnHelper> krzie: "client-connect" is --client-connect <script>, runs script on client connection. This can be useful for generating firewall rules dynamicly, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamicly... to use it that way, you should write your dynamic ccd commands to the file named by $1.
13:54 < krzie> !ipp
13:54 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
13:55 < vpn-tester> ecrist but windows does not use it
13:56 < zxvff> i fixed my vpn!
13:56 < vpnHelper> RSS Update - forum: Server Administration :: Re: "Reclaim" VPN IP addresses :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7081&p=7971#p7971>
13:56 < krzie> if anyone is good with mtu and or bridge setups, https://forums.openvpn.net/viewtopic.php?f=6&t=7048
13:56 < vpnHelper> Title: OpenVPN Support Forum View topic - Connection dies after 4-7 minutes. Client (at forums.openvpn.net)
13:56 < ecrist> vpn-tester: show me your configs and routing tables.
13:57 < ecrist> krzie: that sounds like a firewall state table issue
13:57 < ecrist> so, look at keepalive?
13:58 < xreal> krzie: ecrist came to the conclusion that there is an IP conflict :-(
13:58 < krzie> he has keepalive 10 120
13:58 < krzie> xreal, so did you, which me and dazo said you were right on
13:59 < xreal> Is there a way to find out, if there are other 10.x IPs in the server's network?
13:59 < xreal> A loop with ping ?
13:59 < krzie> there is a way to find out why the hell you guys use a /8 for your LAN
14:00 < krzie> lol
14:00 < xreal> krzie: The bigger problem is my commercial server by a well known hoster (Hosteurope).
14:00 < ecrist> krzie: there are many large companies that use a /8, though it's not usually subnetted that way
14:01 < krzie> ecrist, its rare that the people setting up the VPN for those companies don't understand networking... my $ is on a misconfig
14:01 < vpn-tester> ecrist how do i show the routing tables in windows?
14:02 < krzie> netstat -rn
14:02 < krzie> same as in linux/bsd
14:02 < krzie> or route print (win only)
14:02 < xreal> 10.102.16.4     0.0.0.0         255.255.255.252 U         0 0          0 eth1
14:02 < xreal> xx.230.55.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
14:02 < xreal> eth1 is the problem, isn't it ?
14:02 < ecrist> not in here, please
14:02 < ecrist> pastebin
14:03 < xreal> http://paste.pocoo.org/show/271460/
14:03 < ecrist> xreal: eth1 shouldn't really cause a problem, that's a very small subnet within that entire class A
14:04 < xreal> ecrist: Let me do some ping tests. Perhaps I missconfigured my VPN server, what caused replies on 10.x
14:05 < xreal> That's no good: http://paste.pocoo.org/show/271461/
14:06 < vpn-tester> ecrist the routing table
14:06 < vpn-tester> http://imagebin.org/117162
14:06 < vpnHelper> Title: Imagebin - A place to slap up your images. (at imagebin.org)
14:06 < vpn-tester> the server config i allready postet
14:06 < vpn-tester> you need one mor?
14:06 < vpn-tester> one more time
14:07 < vpn-tester> http://pastebin.com/vL8MvWZL
14:07 < vpn-tester> server config
14:09 < vpn-tester> client config http://nopaste.info/21d199853e.html
14:18 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
14:21 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:25 < vpnHelper> RSS Update - forum: Server Administration :: Re: OpenVPN and WINS problem :: Reply by Mimiko <https://forums.openvpn.net/viewtopic.php?f=4&t=7117&p=7978#p7978>
14:31 -!- bent_screwdriver [~socain00@74.255.249.66] has joined #openvpn
14:32 < bent_screwdriver> when a new client key is created does the server need to be reloaded to re-read the ca keys?
14:56 < kisom> bent_screwdriver: no
14:56 < kisom> you dont even need to create certificates on the server itself, they can be created on any computer, disconnected or online.
14:58 < bent_screwdriver> thx, what if you revoke a cert, how does the server know it was revoked?
14:59 < ecrist> CRL
14:59 < ecrist> !crl
14:59 < vpnHelper> ecrist: "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn)
14:59 < vpnHelper> ecrist: that will create the CRL file for you. ssl-admin will also build a crl for you
15:00 < bent_screwdriver> ahhh, that makes sense. thanks as always!
15:02 -!- meh3 [~efnet@27-9.202-62.fix.bluewin.ch] has joined #openvpn
15:19 -!- le0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has joined #openvpn
15:19 -!- le0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has quit [Changing host]
15:19 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
15:29 -!- xreal [~mweber@mailgw.FB12.Uni-Dortmund.DE] has quit [Quit: Switch off the lights and close your eyes. Feel the energy inside.]
15:34 -!- coppermine [~coppermin@184-106-129-151.static.cloud-ips.com] has joined #openvpn
15:34 < coppermine> krzee: can we continue?
15:35 < coppermine> client-config dir <dir>
15:35 < coppermine> route 192.168.168.0 255.255.255.0 
15:35 < coppermine> what else
15:36 < fipu> Hi @ all
15:36 < fipu> I have a 10.1.1.0/24 subnet
15:36 < coppermine> !ccd
15:36 < vpnHelper> coppermine: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
15:36 < fipu> how much clients can I use?
15:37 < coppermine> use a subet calculator
15:37 < fipu> and which adresses can I use?
15:37 < coppermine> actually
15:37 < coppermine> just that one
15:37 < fipu> and how can I "calculate" this adresses?
15:37 < fipu> coppermine, no, not possible
15:37 < fipu> 10.1.1.0/24 = 253 possible hosts
15:37 < fipu> but not at openVPN
15:37 < coppermine> then ask someone else
15:37 < fipu> I think 30 possible hosts
15:37 < fipu> that's what I do :)
15:39 -!- coppermine [~coppermin@184-106-129-151.static.cloud-ips.com] has quit [Client Quit]
15:40 < fipu> can someone give me the information?
15:42 < krzee> fipu
15:42 < krzee> !/30
15:42 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
15:42 < krzee> !topology
15:42 < vpnHelper> krzee: "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
15:53 < vpnHelper> RSS Update - forum: Configuration :: Re: 2 gateways :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7095&p=7949#p7949>
16:21 < krzee> !learn wishlist
16:21 < vpnHelper> krzee: (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
16:21 < krzee> heh
16:21 < krzee> !wishlist
16:22 < vpnHelper> krzee: "wishlist" is http://ovpnforum.com/viewforum.php?f=10 for the openvpn wishlist
16:22 < krzee> !forget wishlist
16:22 < vpnHelper> krzee: Joo got it.
16:22 < krzee> !learn wishlist as https://forums.openvpn.net/viewforum.php?f=10 for the openvpn wishlist
16:22 < vpnHelper> krzee: Joo got it.
16:23 < fipu> !topology
16:23 < vpnHelper> fipu: "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
16:30 -!- dollabill [~mike@75-149-232-241-NorthGulf.hfc.comcastbusiness.net] has joined #openvpn
16:35 -!- dollabill [~mike@75-149-232-241-NorthGulf.hfc.comcastbusiness.net] has quit [Ping timeout: 252 seconds]
16:36 -!- dollabill [~mike@75-149-232-241-NorthGulf.hfc.comcastbusiness.net] has joined #openvpn
16:54 < krzee> !euphoria
16:54 < vpnHelper> krzee: Error: "euphoria" is not a valid command.
16:54 < krzee> !factoids search
16:54 < vpnHelper> krzee: (factoids search [<channel>] [--values] [--{regexp} <value>] [<glob> ...]) -- Searches the keyspace for keys matching <glob>. If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
16:55 -!- dollabill [~mike@75-149-232-241-NorthGulf.hfc.comcastbusiness.net] has quit [Ping timeout: 240 seconds]
16:56 < krzee> !factoids search --values dazo
16:56 < vpnHelper> krzee: "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
16:56 < krzee> hrm
16:56 < krzee> !factoids
16:56 < vpnHelper> krzee: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
16:59 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
17:00 -!- dollabill [~mike@75-149-232-241-NorthGulf.hfc.comcastbusiness.net] has joined #openvpn
17:12 -!- dollabill [~mike@75-149-232-241-NorthGulf.hfc.comcastbusiness.net] has quit [Ping timeout: 240 seconds]
17:18 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Read error: Connection reset by peer]
17:18 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
18:03 -!- MrJK [~jezu@194.199.166.96] has joined #openvpn
18:04 < MrJK> hello
18:04 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
18:04 < MrJK> I've some troubles to set a gateway between my tun and my eth0
18:04 < MrJK> I don't understand why:
18:05 < MrJK> I've enabled ipforwarding on my server
18:05 < |Mike|> !configs
18:05 < vpnHelper> |Mike|: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
18:05 < MrJK> and, I try a lot of different combination with ip table
18:05 < MrJK> ok
18:05 -!- bandini [~bandini@host153-25-dynamic.20-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
18:06 < reiffert> "tried a lot"? paste iptables -t nat -L -v -n
18:06 < MrJK> ok
18:07 < MrJK> Server config: http://pastie.org/1201912
18:08 < MrJK> Iptables report: http://pastie.org/1201916
18:09 < |Mike|> MrJK: please use the grep -vE... line as asked
18:09 < MrJK> do you want the client config ?
18:09 < MrJK> ok
18:09 < reiffert> iptables tell you, that is working.
18:10 < |Mike|> strange path for your certs btw
18:10 < MrJK> serv conf(cleaned) :http://pastie.org/1201919
18:11 < MrJK> yep, I know, I try to keep all the interresting data in a hierarchical tree
18:12 < |Mike|> then you should be using /etc/ imho :P
18:12 < reiffert> strange but not uncommon and not causing anything to not work.
18:12 < MrJK> I'll use soft links
18:12 < |Mike|> indeed
18:12 < MrJK> In the openvpn logs, Ive:
18:12 < |Mike|> hard links are good enough as long as they work 
18:13 < MrJK> Oct  6 00:55:22 maman ovpn-server[18294]: bolivia/81.104.175.81:14153 MULTI: bad source address from clie
18:13 < MrJK> nt [192.168.0.11], packet dropped
18:13 < MrJK> bolivia is me, the client
18:13 < reiffert> MrJK: see
18:13 < reiffert> !route
18:13 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:13 < reiffert> thing is, you need to have an iroute rule.
18:14 < MrJK> ok, I read this article :D
18:17 < MrJK> Hum, I'm not sure that's what I want to do
18:17 < MrJK> I don't want to see the network behind me 
18:17 < MrJK> My routes sounds good too:
18:17 < MrJK> http://pastie.org/1201930
18:19 < reiffert> your client shouldnt sent packages with source address 192.168.x.x then.
18:19 < reiffert> but use 10.8.0.x instead
18:20 < MrJK> so, there is a problem on the client
18:20 < MrJK> hum
18:20 < MrJK> I use that:
18:20 < MrJK> redirect-gateway def1 bypass-dhcp
18:20 < MrJK> to redirect all my traffic to the vpn server/gateway
18:20 < |Mike|> !def1
18:20 < vpnHelper> |Mike|: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
18:21 < reiffert> why bypass-dhcp?
18:22 -!- keyhive [~net_nigel@d221-71-130.commercial.cgocable.net] has joined #openvpn
18:23 < MrJK> I don't know, I've done this config a long time ago, and it's working in the past
18:23 < krzee> [16:21]  <reiffert> your client shouldnt sent packages with source address 192.168.x.x then.
18:24 < krzee> once every few months i see this issue
18:24 < krzee> have yet to understand why
18:24 < reiffert> 01:21 < reiffert> why bypass-dhcp?
18:24 < |Mike|> please enlighten us
18:24  * reiffert searches the lighters
18:25 < krzee> its been explained in the mail list, but i dont remember and am not sure i ever understood
18:25 < MrJK> hum, I'm lost, I don't know where is the problem
18:25 < krzee> the workaround is to just enter an iroute rule, assuming the client is not mobile
18:25 < MrJK> By the way, removing bypass-dhcp don't change my error log message
18:26 < krzee> MrJK, also be sure you are not NATing on the client
18:26 < krzee> you DO need to NAT on the server for your redirect-gateway... but not on the client
18:26 < MrJK> ok
18:27 < MrJK> My client is under winXP, so no nat is possible
18:27 < krzee> actually, it is... but you prolly didnt do it
18:27 < MrJK> and, as far I know (few things :p ) I'm just doing a nat on the router 
18:28 < krzee> is the client a laptop?
18:28 < MrJK> yes
18:28 < krzee> damn, that rules out the iroute trick
18:28 < krzee> is routing and remote access off?
18:30 < MrJK> on the router?? Idon't understand ... When I connect the VPN, I loose all others connections (ie internet, but I play with the time to keep alive)
18:30 < MrJK> to keep my term opened
18:30 < MrJK> but, it don't work, until I swithed off the vpn tun
18:32 < krzee> did you setup NAT on your server?
18:32 < keyhive> Hi guys, quick question.  Should tap0 come up on client regardless of the connection state?  Or does tap0 only come up on a successful connect?
18:33 < MrJK> as a modprobe ? No, I don't have any modules available (for security reasons)
18:33 < krzee> MrJK, did you enable ip forwarding on the server?  also is the forward chain set to accept?
18:33 < MrJK> but, I guess NAT is wotking, cause I can see it in iptables -L -t nat
18:33 < MrJK> forward is well activated
18:33 < krzee> might be static in your kernel
18:33 < MrJK> but, the forward chain, I don't know
18:34 < MrJK> krzee: i think too
18:36 -!- Squidy [~quassel@187.55.153.71] has joined #openvpn
18:37 < krzee> by chain i mean in iptables
18:38 < MrJK> arggggg
18:38 < MrJK> that's a DNS resolution problem u_u'
18:39 < MrJK> ping is working, and I can access to google via its IP, but not via google.com
18:39 < MrJK> omg ...
18:42 < keyhive> MrJK: You on a bridged setup?
18:42 < keyhive> Or routing
18:43 < keyhive> MrJK: If it's a bridge I made a similar mistake on an ubuntu server earlier today.. I set up a second gateway in /etc/network/interfaces.  Removing the second gateway parameter solved the dns resolve issue.
18:43 < MrJK> tun
18:43 < keyhive> ah, tun
18:43 < MrJK> debian lenny
18:44 < keyhive> how many NICs?
18:45 < keyhive> I am getting [EHOSTUNREACH]: No route to host (code=113)
18:45 < MrJK> 1 domain, but 2 Ip (eth0 and eth0:0
18:45 < MrJK> )
18:45 < MrJK> and tun0 ^^
18:45 < keyhive> set the rule in the firewall [pf] correctly but tcpdump on the internal interface isn't showing any udp 1194 traffic coming through.  :(
18:47 < keyhive> Has --anyone-- had success with Windows clients in a routing/tun setup?
18:47 < keyhive> The other week I had it all set up, with clients able to mount samba shares by punching in the nat IP of local shares
18:48 < keyhive> and suddenly it all went to hell.  i hit the 'repair network' button on Win7 on a client laptop
18:48 < keyhive> and my brilliant routing / nat rules stopped working.
18:48 < keyhive> #@$%
18:48 < keyhive> for everyone
18:49 < keyhive> iptables -v -t nat -A PREROUTING -i eth0 -d 192.168.0.0/24 -j NETMAP --to 192.168.77.0/24
18:49 < keyhive> iptables -v -t nat -A PREROUTING -i tap0 -d 192.168.77.0/24 -j NETMAP --to 192.168.0.0/24
18:49 < keyhive> iptables -v -t nat -A POSTROUTING -o tap0 -s 192.168.0.0/24 -j NETMAP --to 192.168.77.0/24
18:49 < keyhive> iptables -v -t nat -A POSTROUTING -o eth0 -s 192.168.77.0/24 -j NETMAP --to 192.168.0.0/24
18:49 < keyhive> it worked perfectly.. for a while.
18:49 < keyhive> now I'm having a hell of a time with bridging [the bridge is set up, but the client won't connect.. lots of P_CONTROL_HARD_RESET_CLIENT_V2 happening.
18:50 < keyhive> *sigh*
18:52 < krzee> [16:41]  <MrJK> ping is working, and I can access to google via its IP, but not via google.com
18:52 < krzee> !dns
18:52 < vpnHelper> krzee: "dns" is (#1) Level3 open recursive DNS server at 4.2.2.1, or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4
18:52 < keyhive> krzee: is it tun or tap
18:52 < krzee> try using one of those instead
18:52 < krzee> keyhive, doesnt matter
18:52 < keyhive> krzee: what distribution
18:52 < krzee> what matters is he is using redirect-gateway, and his dns stops working
18:53 < keyhive> oh
18:53 < krzee> also doesnt matter
18:53 < keyhive> i see
18:54 < krzee> whatever NS he is using either cant be reached or doesnt respond when his traffic comes from the server
18:54 < krzee> optionally, he could choose to have the VPN overwrite his DNS settings
18:54 < krzee> (by reading !pushdns)
18:54 -!- Squidy [~quassel@187.55.153.71] has quit [Remote host closed the connection]
18:55 < reiffert> just like a provider ns.
18:55 < MrJK> krzee: I tried with opendns servers: does not work
18:56 < reiffert> MrJK: on the server run: tcpdump -n -i tun0 port 53 
18:56 < reiffert> see if packets come in.
18:57 < krzee> also, show your /etc/resolv.conf
18:57 < krzee> actually, instead of showing resolv.conf... just do this on both sides
18:57 -!- Squidy [~quassel@187.55.153.71] has joined #openvpn
18:57 < krzee> host google.com 8.8.8.8
18:58 < krzee> on client and server
18:58 < reiffert> and traceroute 8.8.8.8
18:58 -!- Squidy [~quassel@187.55.153.71] has quit [Remote host closed the connection]
19:00 < MrJK> ok
19:01  * reiffert bed
19:01 < krzee> gnite
19:01 < krzee> bout 2am there, right?
19:02 < MrJK> You're gmt+1 ?
19:02 < MrJK> Tracert works for 8.8.8.8
19:02 < MrJK> from the client, via the gateway
19:03 < MrJK> but the command only show me IPs, no domain names
19:04 < MrJK> arf, it's maybe windows fucked off ... I've an other old cpu under linux
19:04 < MrJK> 10 minutes to see if there is the same problem
19:05 < krzee> MrJK, from both sides
19:06 < MrJK> ok
19:07 < MrJK> that's work on the server too, however, a name resolution is done on the IPs
19:10 < MrJK> krzee: that's my windows ...
19:11 < MrJK> on the other debian client, it's work well, traffic redirection work perfectly ...
19:11 < MrJK> I'm fed up about windows .... #$@!!!
19:12 < MrJK> krzee: Ok, so I found the solution: FORMAT !!!
19:12 < MrJK> krzee: sorry for that, and thank you a lot for your help !
19:15 < jeev> krzee, does using openvpn help prevent arp spooforizing and mitm?
19:18 < krzee> yes and no...
19:19 < krzee> if i am on your LAN using openvpn to route my inet traffic, you can still arp spoof me... but you will only see encrypted traffic to my openvpn server
19:19 < krzee> however, if you own my openvpn server, you can MITM me from there
19:19 < jeev> hmm
19:19 < jeev> sexy
19:20 < krzee> MrJK, reif was asking about traceroute, not me
19:20 < krzee> i was interested in the output of host google.com 8.8.8.8 from each side
19:21 < krzee> although windows doesnt have the host command
19:21 < MrJK> Dont mind, i just wanted to thanks you :p ( and all others!)
19:21 < krzee> ok
19:57 -!- eKKiM [~eKKiM@d5152FCBD.static.telenet.be] has quit [Ping timeout: 240 seconds]
20:03 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
20:32 < vpnHelper> RSS Update - forum: Configuration :: Re: Multi factor authentication :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7133&p=7956#p7956> || Configuration :: Re: Can´t generate the master Certificate Authority (CA) :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7135&p=7957#p7957>
22:14 -!- smerz [~smerz@smerz.demon.nl] has quit [Remote host closed the connection]
22:21 < theDoc> Any of you folks in here that use btbroadband?
22:40 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
22:47 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
22:51 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Ping timeout: 252 seconds]
23:16 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:20 -!- darkwind [~bpayne@rrcs-70-61-50-54.central.biz.rr.com] has quit [Ping timeout: 272 seconds]
23:20 -!- darkwind [~bpayne@rrcs-70-61-50-54.central.biz.rr.com] has joined #openvpn
--- Day changed Wed Oct 06 2010
00:17 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 255 seconds]
00:19 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
00:19 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
00:19 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
00:27 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 240 seconds]
00:29 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
01:16 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
01:22 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
01:29 -!- vpn-tester [~java@46-126-159-16.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
01:36 -!- dazo_afk is now known as dazo
01:38 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
01:45 -!- swc|666 [~neopwn@unaffiliated/swc666/x-4934821] has joined #openvpn
01:46 < swc|666> is this error due to the tls-auth key 100% of the time? TLS Error: cannot locate HMAC in incoming packet from [AF_INET]
01:51 <@dazo> swc|666: yes, that's a typical --tls-auth issue
01:52 < swc|666> dazo, yeah it's puzzling me, md5 is the same on both sides
01:54 <@dazo> swc|666: you need --tls-auth <ta.key> 0 on one side and --tls-auth <ta.key> 1 on the otherside ... <ta.key> must be the same key on both sides
01:55 < swc|666> dazo, yep i have that
01:56 <@dazo> swc|666: hmm ... and it works if you remove --tls-auth on both sides?
01:56 < swc|666> dazo, yep
01:56 <@dazo> odd
01:56 < swc|666> i know :/
01:57 <@dazo> swc|666: seems like there's some unexpected fragmentation somewhere ... tcp or udp?
01:57 < swc|666> dazo, trying with tcp at the moment .. one thing to mention, is that the client is a nokia n900 using ovpn 2.1.1 - not sure if there is some packet issues there
01:58 <@dazo> swc|666: I'm using that from time to time myself, starting the client from a shell
01:58 <@dazo> swc|666:  but could be the mobile provider?  or is it wlan you're trying?
01:59 < swc|666> dazo, doing this over 3.5G data
01:59 < swc|666> i can try wlan
01:59 <@dazo> good idea
02:00 < swc|666> dazo, nope same deal with wlan
02:00 < swc|666> grrr
02:01 <@dazo> have you tried udp?  just to rule that out
02:01 <@dazo> (anyway, udp is generally better)
02:02 < swc|666> dazo, i had issues over 3g with udp, but i'll try on wifi real quick..
02:02 <@dazo> mm
02:04 <@dazo> from the source code, it seems that it fails because it receives less data than anticipated ... so some data disappears on the way somewhere
02:06 < swc|666> dazo, hmm
02:06 <@dazo> (that error message is only found one place in the whole code, and it is only one boolean check which gives this error ... that bool check is based on received data length)
02:06 < swc|666> yeah
02:09 < swc|666> what's bugging me out is that on wifi and 3g it times out over udp, can't figure that out
02:09 < swc|666> i'm going to copy this client setup to another machine and try udp
02:10 <@dazo> it might time out on UDP because udp + tls-auth makes the server drop packages directly and silently
02:11 <@dazo> while tcp have these handshake and controls that all packages are received to the other side
02:11 <@dazo> try regenerating the ta.key ... and copy over a fresh copy ... it can be due to a faulty ta.key too
02:12 < theDoc> Go me, getting a new tablet this evening.
02:18 <@dazo> cool!
02:18 < kraut> moin
02:24 < krzie> [03:10]  <dazo> it might time out on UDP because udp + tls-auth makes the server drop packages directly and silently
02:24 < krzie> nah, the server still gives an HMAC error
02:25 < krzie> (i didnt scroll up, excuse me if theres no server access)
02:25 < krzie> moin kraut 
02:25 <@dazo> krzie: good point ... I said that before my breakfast, I blame low sugar level :-P
02:26 < theDoc> Just out of curiosity, does any of you guys have an idea if btbroadband is filtering 443/udp?
02:26 < theDoc> Just had a ticket come in saying that bt is filtering 443/udp.
02:26 < krzie> i do know that this program im coding rocks
02:26 < krzie> ;]
02:27 < krzie> also, why would you use 443 udp?
02:27 < krzie> 443 tcp i understand...
02:27 < krzie> but along the lines of 443 tcp, ild expect 53 udp
02:28 <@dazo> maybe some companies have both 443/tcp and 443/udp open ... so they can switch in case udp won't work ... easier to understand configs and firewall rules when they're "coupled"
02:28 < theDoc> krzie> Most sites I'm at usually filter 53udp outbound and leave 443/tcp/udp open.
02:28 < krzie> weird
02:28 < theDoc> However, someone out there was saying that bt was filtering 443/udp and I just wanted to get a heads up on it.
02:29 < krzie> gotchya
02:29 < theDoc> Interestingly, IANA seems to say that 443/udp is used for http over TLS/SSL.
02:30 < krzie> i wonder if they (phone company ISPs) can legally filter SIP
02:30 < theDoc> I didn't realize you could run https over udp. 
02:30 < krzie> if not, that would make a good port
02:30 < krzie> theDoc, you can not
02:30 < krzie> thats why it caught my attention as odd
02:30 < theDoc> Yeah, I thought so.
02:30 < theDoc> http://www.iana.org/assignments/port-numbers
02:30 < theDoc> Look under 443.
02:31 <@dazo> well, technically speaking, you can pass http over udp ... just that nobody have implemented such a server or client so far
02:31 < krzie> heh, ok maybe im wrong... maybe its for streaming media inside httpd sessions
02:31 < krzie> or like dazo said
02:31 < theDoc> Interesting.
02:32 <@dazo> but it would not be easy to make sure you have received all the data you need/want ... so TCP is safer .... while for streaming media, UDP would make sense though
02:32 < theDoc> Yeah, so like I was saying, seems like a client of mine is running into issues with 443/udp on btbroadband.
02:32 < theDoc> dazo> Yeah, but tcp/tcp sucks balls for streaming anything latency sensitive.
02:32 <@dazo> theDoc: exactly
02:33 < theDoc> I find it reprehensible if the SP filters traffic this way.
02:35 <@dazo> ISPs in general often tries to find ways how to earn more money ... and that's often by blocking ports "average users" don't need ... and then say "oh, you're an advanced user - that's an extra fee for getting that feature enabled"
02:35 <@dazo> (of course, they can also claim it is to protect their users from viruses and trojans as well)
02:36 < theDoc> Which imo, is bull.
02:36 <@dazo> yeah ... but when Jane Doe believes it and trusts the company ... what can you do? .... calling her stupid doesn't make her happier :)
02:37 < theDoc> Well, that's true too.
02:38 < theDoc> I pay for internet access, I should be able to use the entire port range instead of "selective" ports. I can't believe people put up with this shit, like virgin mobile in the UK, where if you buy prepaid cards, you have to call them if you want them to remove some "filter" that allows you to get access to porn and other content.
02:38 < theDoc> or some shit like that, I remember having to ring them up when I was in the uk for 2 weeks. Felt a little like afghanistan.
02:39 <@dazo> heh 
02:43 -!- etherealite [~ethereali@c-76-126-103-179.hsd1.ca.comcast.net] has joined #openvpn
02:43 < etherealite> Can I use open vpn without a server?
02:44 < theDoc> NO.
02:44 < theDoc> Er, no
02:44 < theDoc> Caps got stuck :P
02:44 < etherealite> ok, its not a hamachi like hosted deal right?
02:44 < theDoc> Not really.
02:44 < etherealite> not really or just plain no?
02:44 <@dazo> no, that's not possible with OpenVPN
02:45 <@dazo> openvpn is a client-server app
02:45 <@dazo> in the traditional understanding
02:45 < etherealite> ahh, ok i get it. I'm looking for a hamachi type vpn. so far what i've found is wippien.
02:46 < theDoc> logmein or something.
02:46 < etherealite> seems pretty sketchy though, is there anything like taht you can point me to?
02:46 < etherealite> log mein has no linux support
02:46 < theDoc> No idea really.
02:46 <@dazo> logmein got some nasty security issues too, iirc
02:47 < etherealite> yeah, I'm pretty low security around here since its only me.
02:47 < etherealite> but no linux support is a deal breaker.
02:47 < theDoc> Does teamviewer support linux?
02:48 < etherealite> yes
02:48 < etherealite> but i don't think its a vpn, just screen and file sharing i think.
02:48 < krzie> you could always use hamachi
02:48 < theDoc> There's a vpn mode for it, I don't know what it does though.
02:49 < etherealite> do you know if its free for only 2 clients?
02:49 < theDoc> Teamviewer? It should be.
02:49 < theDoc> I don't know, I've never paid for teamviewer.
02:50 < etherealite> you used it without paying?
02:50 < theDoc> Yeah.
02:50 < theDoc> But I do basic stuff with it, I don't know what you want to do with it.
02:50 < etherealite> I just want to rsync some files over ssh
02:51 < theDoc> Why do you need a vpn for that?
02:51 < etherealite> i'm natted in both directions.
02:51 < etherealite> kinda hard to initiate an ssh connection like that.
02:52 < etherealite> unless there is an easy solution that I'm missing.
02:52 < theDoc> Doesn't matter if you're natted in both directions. Just put a static 1:1 nat on the router that's infront of your server and just ssh in.
02:53 < etherealite> i don't have access to the router.
02:54 < etherealite> and nothing I can do to change that.
02:55 -!- vpn-tester [~java@112-227.61-188.cust.bluewin.ch] has joined #openvpn
02:55 < vpn-tester> hi
02:56 < theDoc> doh.
02:56 < etherealite> yup, fd in the a
02:56 < etherealite> hello
02:56 < theDoc> etherealite> It's probably really easier for you to go hound someone that has access to the router.
02:57 < krzie> or get a third machine somewhere where you have access to a router
02:57 < krzie> connect both sides as clients
02:57 < theDoc> What krzee said.
02:58 < krzie> (or dont need access to a router, ie VPS)
02:58 < etherealite> yah, I'ma have to fork over for a vps someday, need it to host some webapps anyway.
02:59 < vpn-tester> anyone here, who can help me with the push options?
03:00 < theDoc> etherealite> Care to throw me some of your requirements?
03:01 < etherealite> just trying to sync my home dir with unison over ssh.
03:01 < etherealite> going through nat routers on each side of the connection.
03:02 < etherealite> theDoc I was using n2n to do it, but it fd up with certain routers in caffes and what not.
03:02 < theDoc> Interesting.
03:03 < theDoc> etherealite> I'm already provide end user vpn connectivity, now looking at some other stuff.
03:04 < etherealite> theDoc huh? like what kinda stuff
03:04 < Bushmills>   etherealite let remote side be client, and connect to your box where the server runs. you can access your own router, can't you?
03:05 < etherealite> no I can't access the router. Don't care to say why either lol.
03:05 < Bushmills> improve your connectivity
03:06 < etherealite> yes, that would be one way of doing it., then i could just run the ssh server directly.
03:10 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
03:16 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
03:24 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 264 seconds]
03:26 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
03:37 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 264 seconds]
03:37 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:39 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
03:40 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:47 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 255 seconds]
03:49 -!- swc|666 [~neopwn@unaffiliated/swc666/x-4934821] has quit [Quit: Ping timeout or something]
03:49 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
03:52 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
03:55 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 265 seconds]
03:56 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
03:56 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
03:56 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
03:59 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
03:59 < vpnHelper> RSS Update - forum: Configuration :: Re: Multiple non-contiguous client IP ranges. :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7132&p=7961#p7961>
04:01 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
04:06 < vpnHelper> RSS Update - forum: Configuration :: Re: creating openvpn with ubuntu server and windows clinet :: Reply by george <https://forums.openvpn.net/viewtopic.php?f=6&t=7145&p=7964#p7964> || Configuration :: Re: creating openvpn with ubuntu server and windows clinet :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7145&p=7970#p7970>
04:07 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
04:09 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
04:12 < vpnHelper> RSS Update - forum: Configuration :: Re: Multi-client vpn :: Reply by talis <https://forums.openvpn.net/viewtopic.php?f=6&t=7115&p=7965#p7965> || Configuration :: Re: Multi-client vpn :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7115&p=7968#p7968>
04:16 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 264 seconds]
04:17 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
04:17 < vpnHelper> RSS Update - forum: Configuration :: Re: Multi-client vpn :: Reply by talis <https://forums.openvpn.net/viewtopic.php?f=6&t=7115&p=7973#p7973>
04:21 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
04:24 < vpnHelper> RSS Update - forum: Configuration :: Re: Can't SSH into a open-vpned client anymore :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=2389&p=7976#p7976>
04:31 -!- eKKiM [~eKKiM@ks311098.kimsufi.com] has joined #openvpn
04:32 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
04:32 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
04:32 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
04:33 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
04:36 < vpnHelper> RSS Update - forum: Configuration :: Re: Help config problem ! :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7091&p=7977#p7977>
04:38 <@dazo> krzie: did you get some action outside your house or not?
04:42 < vpnHelper> RSS Update - forum: Configuration :: Re: Can't connect directly to IP - need to connecting to dom :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7147&p=7960#p7960>
04:43 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
04:43 <@dazo> svm_invictvs: please get your connection under control ....
04:45 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
04:47 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
04:53 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
04:53 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
04:53 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
04:56 -!- blaat1 [~eKKiM@ks311098.kimsufi.com] has joined #openvpn
04:56 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
04:58 -!- eKKiM [~eKKiM@ks311098.kimsufi.com] has quit [Ping timeout: 245 seconds]
05:02 -!- p3rror [~mezgani@adsl196-40-67-206-196.adsl196-3.iam.net.ma] has joined #openvpn
05:03 -!- kaushal [~kaushal@125.22.61.162] has joined #openvpn
05:03 < kaushal> hi
05:04 < kaushal> I am using http://gopenvpn.sourceforge.net/ for connecting to openvpn server on Ubuntu 10.04 Desktop
05:04 < vpnHelper> Title: gopenvpn (at gopenvpn.sourceforge.net)
05:05 < kaushal> I get a strange error http://blog.rayfoo.info/2009/11/openvpn-client-fails-after-running-update-resolv-conf
05:05 < vpnHelper> Title: [blog.rayfoo] » OpenVPN client fails after running update-resolv-conf (at blog.rayfoo.info)
05:05 < vpnHelper> RSS Update - forum: Configuration :: Re: Can't connect directly to IP - need to connecting to dom :: Reply by GreyIBlack <https://forums.openvpn.net/viewtopic.php?f=6&t=7147&p=7980#p7980>
05:05 < kaushal> Please suggest
05:06 < kaushal> I have followed it too
05:06 < kaushal> It doesnot work for me 
05:06 < kaushal> I still get the same issue
05:07 < kaushal> I need to connect it twice and then it works fine 
05:07 < kaushal> Please suggest
05:09 < |Mike|> ls -slah /etc/resolv.conf 
05:09 < |Mike|> paste that please
05:11 < kaushal> |Mike|: sure
05:11 < vpnHelper> RSS Update - forum: Installation Help :: Re: TAP install Windows XP-SP3 fails :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=5&t=7154&p=7954#p7954> || Installation Help :: Re: IP address is not changed :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=5&t=7144&p=7958#p7958>
05:11 < kaushal> 0 lrwxrwxrwx 1 root root 31 2010-10-06 12:28 /etc/resolv.conf -> /etc/resolvconf/run/resolv.conf
05:11 < |Mike|> and /etc/resolvconf/run/resolv.conf does exist in your system path?
05:12 < |Mike|> is it a valid path?
05:12 < kaushal> -rw-r--r-- 1 root root 257 2010-10-06 14:57 /etc/resolvconf/run/resolv.conf
05:12 -!- blaat1 is now known as eKkiM
05:13 < |Mike|> did you restart the app?
05:13 < kaushal> which app ?
05:13 < kaushal> gopenvpn ?
05:13 < |Mike|> yes.
05:13 < kaushal> I have restarted resolvonf and reinstalled it even its the same issue
05:14 < kaushal> resolvconf*
05:14 < kaushal> I have reinstalled gopenvpn too
05:14 < kaushal> doesnot work for me in first instance
05:14 < kaushal> I need to connect it twice
05:15 < kaushal> Also "Automatically Connect" does not work for me too
05:17 < kaushal> |Mike|: Any clue please ?
05:18 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
05:18 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
05:18 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
05:19 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
05:24 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
05:24 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
05:24 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
05:25 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
05:25 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
05:25 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
05:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
05:33 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
05:33 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
05:33 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:33 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 264 seconds]
05:35 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
05:35 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
05:35 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
05:38 < vpnHelper> RSS Update - forum: Installation Help :: Re: File path with Office 2007 and openvpn / Samba server :: Reply by george <https://forums.openvpn.net/viewtopic.php?f=5&t=7106&p=7963#p7963>
05:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
05:41 -!- kaushal [~kaushal@125.22.61.162] has quit [Quit: leaving]
05:43 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
05:50 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: Openvpn on Openwrt :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=15&t=7131&p=7955#p7955>
05:53 -!- p3rror [~mezgani@adsl196-40-67-206-196.adsl196-3.iam.net.ma] has quit [Ping timeout: 245 seconds]
05:54 <@dazo> krzie: this last forum post of yours (Openvpn on Openwrt) ... the default route is not changed
05:54 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
05:54 <@dazo> and the tun device do not have an IP address
06:03 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 240 seconds]
06:05 -!- eKkiM [~eKKiM@ks311098.kimsufi.com] has quit [Ping timeout: 252 seconds]
06:05 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
06:05 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
06:05 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
06:11 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 252 seconds]
06:13 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
06:16 -!- kaushal [~kaushal@125.22.61.162] has joined #openvpn
06:16 < kaushal> |Mike|: hi again
06:19 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
06:20 -!- JackCorleone [~root@201-68-38-97.dsl.telesp.net.br] has joined #openvpn
06:26 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 240 seconds]
06:26 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Split tunnel tweaks? :: Author bubble1975 <https://forums.openvpn.net/viewtopic.php?f=15&t=7161&p=7967#p7967> || Scripting and Customizations :: Re: Split tunnel tweaks? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=15&t=7161&p=7969#p7969>
06:26 -!- lolmaus^hey [b2ecf12a@gateway/web/freenode/ip.178.236.241.42] has joined #openvpn
06:26 < lolmaus^hey> !welcome
06:26 < vpnHelper> lolmaus^hey: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:26 < lolmaus^hey> !goal
06:26 < vpnHelper> lolmaus^hey: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:27 < lolmaus^hey> !faq
06:27 < vpnHelper> lolmaus^hey: "faq" is (#1) http://openvpn.net/index.php/documentation/faq.html, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ
06:27 < lolmaus^hey> !route
06:27 < vpnHelper> lolmaus^hey: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
06:30 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
06:31 < lolmaus^hey> OpenVPN connection establishes well (with "server 10.9.0.0 255.255.255.0") and client can ping LAN machines behind OpenVPN server. But server can't ping the client (10.9.0.6), why?
06:31 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
06:31 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: Split tunnel tweaks? :: Reply by bubble1975 <https://forums.openvpn.net/viewtopic.php?f=15&t=7161&p=7972#p7972>
06:34 < lolmaus^hey> !howto
06:34 < vpnHelper> lolmaus^hey: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:34 < lolmaus^hey> !/30
06:34 < vpnHelper> lolmaus^hey: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
06:34 < lolmaus^hey> !topology
06:34 < vpnHelper> lolmaus^hey: "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
06:43 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: Split tunnel tweaks? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=15&t=7161&p=7975#p7975>
06:44 < lolmaus^hey> FUCK! My problem really was a firewall (built-in antivirus)
06:47 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
06:49 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: Split tunnel tweaks? :: Reply by bubble1975 <https://forums.openvpn.net/viewtopic.php?f=15&t=7161&p=7979#p7979>
06:49 <@dazo> From the channel topc: "Your problem is your firewall, really."  .... it's so so true ...
06:52 < ecrist> we didn't put it up there for laughs...
06:52 < ecrist> ;)
06:55 < vpnHelper> RSS Update - forum: Wishlist :: Re: Windows Client Source Code + Build Instructions :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=10&t=7073&p=7982#p7982>
06:56 -!- dazo is now known as dazo_afk
07:06 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
07:09 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
07:13 < vpnHelper> RSS Update - forum: Wishlist :: Port Hopping... :: Author smshaker <https://forums.openvpn.net/viewtopic.php?f=10&t=7162&p=7983#p7983> || Pay OpenVPN Service Provider Reviews/Comments :: Re: [Free VPN] VPN Steel :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=21&t=7137&p=7974#p7974>
07:17 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
07:17 -!- sc_ [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has joined #openvpn
07:17 < sc_> !static
07:18 < vpnHelper> sc_: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.5 10.8.0.6 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder
07:18 < sc_> !iporder
07:18 < vpnHelper> sc_: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
07:18 < sc_> !ccd
07:18 < vpnHelper> sc_: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
07:25 -!- cal-broadcom [d42c1481@gateway/web/freenode/ip.212.44.20.129] has joined #openvpn
07:26 < cal-broadcom> hi all, I heave heard that openvpn uses UDP hole punching. Does this mean that if 2 clients, that wish to transfer a file to wone another, that are connected to an openvpn server, can transfer that file directly without the transfer going through the server?
07:27 < cal-broadcom> !welcome
07:27 < vpnHelper> cal-broadcom: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:27 < cal-broadcom> !wiki
07:27 < vpnHelper> cal-broadcom: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
07:40 < bent_screwdriver> is there a way in iptables to log only the first connection when a vpn client connects via UDP, kinda like a SYN with TCP?
07:53 < cal-broadcom> does anyone know if openvpn can make direct client-to-client connections, bypassing the server?
07:55 < ecrist> no, it cannot
07:56 < cal-broadcom> ok thanks ecrist 
08:00 -!- cal-broadcom [d42c1481@gateway/web/freenode/ip.212.44.20.129] has quit [Quit: Page closed]
08:09 -!- dazo_afk is now known as dazo
08:17 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
08:19 < vpnHelper> RSS Update - forum: Pay OpenVPN Service Provider Reviews/Comments :: Re: [Free VPN] VPN Steel :: Reply by Zero3K <https://forums.openvpn.net/viewtopic.php?f=21&t=7137&p=7981#p7981>
08:22 <@dazo> bent_screwdriver: you can try to use -m state --state NEW .... that will hit only on new established connections ... works on tcp, udp and icmp
08:22 <@dazo> (other states it can be used on are ESTABLISHED, RELATED and INVALID)
08:22 < bent_screwdriver> ahhh....thx. didn't know state worked with udp. 
08:23 <@dazo> it does :)
08:23 < bent_screwdriver> nice, perfect
08:31 < bent_screwdriver> @dazo: worked like a charm. thx agn
08:31 <@dazo> bent_screwdriver: perfect! Happy it worked for you! :)
08:34 -!- kaushal [~kaushal@125.22.61.162] has quit [Quit: leaving]
09:36 -!- xreal [~mweber@mailgw.FB12.Uni-Dortmund.DE] has joined #openvpn
09:36 < xreal> A new day, a new try.
09:48 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
09:48 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
09:49 -!- sc_ [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has quit [Ping timeout: 245 seconds]
09:50 < Bartzy> Hi
09:50 < Bartzy> VPN's should fetch a CRL list of my CA periodacally right ?
09:50 < Bartzy> Or should I somehow set a time to fetch it ?
09:50 -!- sc_ [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has joined #openvpn
09:55 -!- Azhax [~MyAzhax@60.53.228.5] has joined #openvpn
09:56 <@dazo> Bartzy: the CRL is more static ... so you generate the CRL and need to restart OpenVPN ... but I believe you just need to HUP the OpenVPN process when updating the CRL ... you need to test that out to be sure
09:59 < Bartzy> dazo: OpenVPN fetches the CRL when it start ?
09:59 -!- Niklas-_ is now known as Niklas-
10:00 <@dazo> Bartzy: well, fetches and fetches ... it loads it from a local file, yes
10:00 < Bartzy> dazo: It's not importing it in some way and then just keep it ? There's not lifetime for the CRL, and afterwards a new CRL is fetched from HTTP (for example)
10:00 < Bartzy> dazo: What if I have the CRL in a HTTP server..
10:00 <@dazo> Bartzy: you need to download it first, afaik
10:00 < Bartzy> and I revoke a certificate and update the CRL.. how OpenVPN will know about it ?
10:01 < Bartzy> dazo: Oh, so I need to do it manually every time I revoke a certifiicate ?
10:01 <@dazo> Bartzy: you need to update the CRL on the server and reload OpenVPN 
10:02 < Bartzy> update the CRL manually ?
10:02 <@dazo> copy the CRL file to a place OpenVPN can read it
10:03 <@dazo> double checked the source now ... it uses BIO_read_filename(in, opt->crl_file) ... so it must be a local file
10:04 < Bartzy> OK, thanks.
10:04 < Bartzy> and OpenVPN can use OCSP to get revoke status automatically ?
10:04 -!- vpn-tester [~java@112-227.61-188.cust.bluewin.ch] has quit [Ping timeout: 240 seconds]
10:04 <@dazo> which kind of makes sense ... if you have it on a web server, how can you trust that the server you're pulling it down from has not been compromised and used this approach to do some DoS attack against some clients?
10:05 <@dazo> Bartzy: yeah, there are some scripts doing that ... at least in the 2.2-beta3
10:05  * dazo reviewed parts of these scripts
10:05 < Bartzy> OK, thanks.
10:05 < Bartzy> :)
10:06 <@dazo> (scripts == OCSP revocation lists)
10:06 < xreal> I am still not able to route the client's network to the server :-(
10:07 < Bartzy> dazo: Do you have any idea how this is working on commercial products like Fortigate & Juniper ?
10:07 < Bartzy> We're currently evaluating OpenVPN (which seems best :)) against some commercial products
10:08 <@dazo> xreal: (sorry don't have too much time today) ... try to get acquainted with tcpdump ... listen to the different interfaces and see where the traffic goes 
10:08 < xreal> ok
10:08 <@dazo> Bartzy: To be very honest, I don't know how they do that ... I have no experience with those products .... I'm using OpenVPN and helping with development because I'm a F/OSS geek ;-)
10:09 < Bartzy> OK, thanks :)
10:10 <@dazo> Bartzy: but if you want to harden the authentication part further, and add some access control in addition ... have a look at my pet project ... http://www.eurephia.net/
10:10 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
10:10 -!- smerz [~smerz@smerz.demon.nl] has quit [Remote host closed the connection]
10:11 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Ping timeout: 264 seconds]
10:11 < Bartzy> dazo: I will, thanks.
10:11 <@dazo> Bartzy: you're welcome
10:15 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
10:17 -!- Jarpse [~jarpse@cluon.soleus.nu] has joined #openvpn
10:19 -!- Azhax [~MyAzhax@60.53.228.5] has quit [Quit: Leaving]
10:28 -!- Bartzy [c25a7171@gateway/web/freenode/ip.194.90.113.113] has quit [Quit: Page closed]
10:32 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has joined #openvpn
10:32 < pushpop> does openvpn have a sollution where I can connect to the vpn through https:  (ssl) rather then downloading a clieant?
10:33 <@dazo> pushpop: nope
10:33 < pushpop> is there an opensource solution out there?
10:33 <@dazo> not afaik
10:38 < keyhive> pushpop: use webdav via VPN
10:38 < keyhive> host a local webdav share and connect to it with OpenVPN
10:42 <@dazo> keyhive: I don't think that's not what he's asking for ... he wants to avoid installation of client software completely .... surf to a website, and establish a proper VPN without installing anything
10:45 < pushpop> thats exactly correct
10:45 < pushpop> just not possible though?
10:47 < Jarpse> heh, that would be a 'real' SSL vpn
10:47 < Jarpse> netgear has such appliances
10:48 -!- xreal [~mweber@mailgw.FB12.Uni-Dortmund.DE] has quit [Read error: Connection reset by peer]
10:48 -!- xreal2 [~mweber@mailgw.FB12.Uni-Dortmund.DE] has joined #openvpn
10:49 -!- arejay [arejay@i.write.shellcode.eu] has quit [Read error: Operation timed out]
10:50 -!- abeehc- [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Read error: Operation timed out]
10:50 -!- abeehc- [~bob@S0106001d73de0dd6.gv.shawcable.net] has joined #openvpn
10:51 -!- arejay [arejay@i.write.shellcode.eu] has joined #openvpn
10:55 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
10:55 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
10:56 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
11:01 <@dazo> Jarpse: OpenVPN is *real* SSL VPN ... such a solution would be a real HTTPS VPN
11:14 -!- vpn-tester [~java@46-126-159-16.dclient.hispeed.ch] has joined #openvpn
11:14 < vpn-tester> hi
11:21 -!- SliMM [~SliMM@92.4.73.15] has joined #openvpn
11:22 < SliMM> hello
11:23 < SliMM> I am a bit confuzed
11:23 < SliMM> I've managed to install OpenVPN on my server and to connect to it
11:24 < SliMM> Shouldn't I be able to access the LAN my server is in (e.g. go to 192.168.1.1 with my browser, if there's a webserver there)?
11:26 < ecrist> only if you've the proper routes configured.
11:27 < SliMM> Ok
11:27 < SliMM> and how would I configure those?
11:33 < ecrist> first, 192.168.[1|0].* is a bad subnet to use on your lan, it will break things anything you connect from a network that uses those net blocks.  change it
11:33 < ecrist> !1918
11:33 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
11:33 < ecrist> usually, something in the 172.16/12 range is safe.
11:34 -!- xreal2 is now known as xreal
11:46 -!- vpn-tester [~java@46-126-159-16.dclient.hispeed.ch] has quit [Ping timeout: 240 seconds]
11:48 < keyhive> Is there any need to push route on a bridge setup?
11:49 < Jarpse> dazo: yeah, that's that I meand.
11:49 < Jarpse> *meant
11:49 < Jarpse> dazo: excuse me for confuzzeling
11:50 < SliMM> ecrist: Ok, after I change the subnet, what should I do?
12:02 -!- SliMM [~SliMM@92.4.73.15] has quit [Quit: SliMM]
12:02 -!- SliMM [~SliMM@92.4.73.15] has joined #openvpn
12:12 -!- SliMM [~SliMM@92.4.73.15] has quit [Ping timeout: 264 seconds]
12:12 -!- SliMM [~SliMM@92.4.73.15] has joined #openvpn
12:29 < ecrist> SliMM: 
12:29 < ecrist> !route
12:29 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:29 < ecrist> follow that. :)
12:35 < SliMM> ok, thanks :)
12:41 < SliMM> ecrist: I do not understand the "server" setting of the server.conf
12:42 < SliMM> ecrist: does it have to be the ip of the server/server subnet?
12:42 -!- avocado [~avocado@this.pieceofshit.org] has joined #openvpn
12:42 < avocado> !welcome
12:42 < vpnHelper> avocado: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:47 < avocado> so, all my windows 7 users seem to have weird issues when installing openvpn
12:48 < avocado> i gave them a generic set of instructions
12:48 < avocado> run installer as administrator, copy keys and config, run gui as administrator, connect
12:48 < avocado> for everyone else, it seems to work fine, but windows 7 users always have issues
12:49 < Jarpse> heh, producing a Diffie Hellman key on an Atom machine isn't fun. :)
12:49 < jeev> i've never had a problem on windows 7
12:50 < ecrist> Jarpse: much better to create it on a separate machine.
12:50 < Jarpse> ecrist: true. but I have the time. :>
12:50 < ecrist> I have an 8-core nalehem I could throw at it. :)
12:50 < Jarpse> ecrist: heheh
12:50 < Jarpse> Phenom II here
12:51 < Jarpse> but giving the tiny Atom some sweat.. oh well :)
12:51 < avocado> jeev: if i had a windows 7 machine, i'd investigate it more. but it's annoying. like my last user fixed his by copying over someone else's libeay32.dll
12:51 < ecrist> how big is the keysize?
12:51 < Jarpse> 2048 (I'm the only one using it, so oh well)
12:52 < Jarpse> higher nerd-factor (and higher sweat-factor for the atom, hehe)
12:52 < Jarpse> aka 'paranoid tard'
12:52 < SliMM> Ok, I really can't get this thing to do proper routing: http://stikked.com/view/57209a29
12:52 < vpnHelper> Title: Stikked | Paste: Untitled (at stikked.com)
12:52 < SliMM> (please don't throw rocks at me for 192.168/16, I'm a few thousand miles away from my server and I wouldn't want to break something right now :D)
12:53 < avocado> !topology
12:53 < vpnHelper> avocado: "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
12:55 < SliMM> huh?
12:56 < avocado> sorry, that was not a response to what you were saying
12:57 < avocado> tho it could be
12:57 < ecrist> Jarpse: 
12:57 < ecrist> ecrist@cheetah:~-> time openssl dhparam -out test.pem 2048
12:57 < ecrist> Generating DH parameters, 2048 bit long safe prime, generator 2
12:57 < ecrist> This is going to take a long time
12:57 < ecrist> 214.577u 0.060s 3:34.77 99.9%   494+1043k 4+0io 9pf+0w
12:58 < SliMM> avocado: I still fail to see the problem in my config
13:02 < avocado> SliMM: i was looking at !topology for myself. i wasn't commenting on anything you said.
13:02 < SliMM> oh, ok, sorry
13:03 < Jarpse> ecrist: heh :)
13:03 < Jarpse> yay, its finished
13:03 < Jarpse> that took a few.. minutes
13:07 < SliMM> Hmm, could it be the fact that my server is not the gateway for the LAN?
13:08 < ecrist> SliMM: you need to tell the other machines on the lan how to get to the VPN, or enter a static route on the gateway to point to the right place
13:08 < SliMM> Hmm
13:08 < SliMM> how would I tell the other machines on the lan how to get to the VPN?
13:09 < ecrist> by giving all of them a static route to the vpn
13:11 < SliMM> time to configure the router, then...
13:17 < SliMM> ecrist: ok, so I set the gateway in my router (192.168.1.1) to 192.168.1.3 (the vpn server), for 192.168.0.0 255.255.255.0
13:17 < SliMM> ecrist: shouldn't it just work now?
13:17 < ecrist> no
13:18 < SliMM> hmm
13:18 < SliMM> why?
13:18 < ecrist> did you read the routing page I linked, above?
13:18 < SliMM> yes
13:19 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 272 seconds]
13:24 < vpnHelper> RSS Update - forum: Installation Help :: Re: TAP install Windows XP-SP3 fails :: Reply by martinbln <https://forums.openvpn.net/viewtopic.php?f=5&t=7154&p=7984#p7984>
13:28 < SliMM> ecrist: that's exactly what I did
13:33 < SliMM> ecrist: so, when traffic comes through vpn to .3, it get's forwarded to the router (.1) and then the router forwards it to the proper machine
13:34 < SliMM> and when it comes back, it comes through the router, which has a static route for 192.168.0.x to 192.168.1.3
13:40 < ecrist> so everything works?  great
13:43 < SliMM> ecrist: Everything should work
13:43 < SliMM> ecrist: but I think I've found the problem, my vpn server doesn't redirect packets properly
13:43 < SliMM> as in, it doesn't ping my local subnet
13:43 < SliMM> I'll work on it
13:49 -!- SliMM [~SliMM@92.4.73.15] has left #openvpn []
13:50 < keyhive> SliMM you using routing mode?
13:50 < keyhive> iptables?
13:50 < keyhive> 1. turn on masquerading for the desired interface 2. create a nat something like this:
13:51 < keyhive> Err, actually you may not need to create a NAT.  Only if you have overlapping subnets. 
13:51 < keyhive> Also make sure you get the netmask right.
13:51 < Bushmills> ip forwarding may be required
13:51 < keyhive> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
13:52 < keyhive> SliMM: Bushmills suggestion is also very valid
13:52 < keyhive> SliMM: what OS
13:53 < keyhive> Guys I have a little thing happening.. Overlapping subnets that work in bridged mode.  I'm scared that it works.
13:54 < keyhive> Running nmap to see if I can break everything.
13:56 < keyhive> DAMMIT it works
13:56 < keyhive> Arrrgh
13:57 < keyhive> Does anyone in their right mind use an iptables MASQUERADE rule for bridged mode?
13:57 <@dazo> in general (I've not read all scrollback) ... MASQUERADE/NAT should only be used where really appropriate ... like when accessing Internet via the tunnel ... for internal networking, NAT is more a sign of a nasty hack 
13:58 <@dazo> ^^  that is still valid for bridged mode
13:59 -!- dazo is now known as dazo_afk
14:13 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:20 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
14:23 -!- daguz1 [~leo@208.1.63.50] has joined #openvpn
14:28 < ecrist> dazo_afk: in large networks, nat is a common thing, if only to save sanity relative to routing tables and firewalls
14:36 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 264 seconds]
14:37 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
14:37 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
14:37 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
14:47 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 264 seconds]
14:49 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
14:49 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
14:49 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
15:01 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 276 seconds]
15:02 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
15:02 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
15:02 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
15:13 < keyhive> we have quite a few switches
15:13 < keyhive> now bridged mode won't work on XP clients..
15:13 < keyhive> works fine on linux clients though.
15:15 < keyhive> Sorry, bridged mode connects but I cannot ping the server.
15:15 < Jarpse> hm, does it reply to other clients?
15:16 < keyhive> No.
15:17 < keyhive> It connects [TLS auth] without a hitch
15:17 < keyhive> but once it's connected I can't ping the server.
15:17 < keyhive> tested config works just fine on a linux client
15:18 < keyhive> I thought maybe a firewall issue, so I took down the firewall.
15:18 < keyhive> Still no dice.
15:22 < keyhive> # Windows needs the TAP-Win32 adapter name
15:22 < keyhive> # from the Network Connections panel
15:22 < keyhive> # if you have more than one.  On XP SP2,
15:22 < keyhive> # you may need to disable the firewall
15:22 < keyhive> # for the TAP adapter.
15:22 < keyhive> ;dev-node MyTap
15:22 < keyhive> maybe.. 
15:33 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
15:40 -!- mmestnik [~mmestnik@173-160-118-149-Minnesota.hfc.comcastbusiness.net] has quit [Remote host closed the connection]
16:01 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
16:03 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
16:04 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
16:09 -!- JackCorleone [~root@201-68-38-97.dsl.telesp.net.br] has quit [Quit: Saindo]
16:11 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
16:16 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
16:16 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
16:16 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
16:20 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
16:26 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
16:26 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
16:26 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
16:28 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
16:31 -!- xreal [~mweber@mailgw.FB12.Uni-Dortmund.DE] has quit [Quit: Switch off the lights and close your eyes. Feel the energy inside.]
16:34 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
16:34 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
16:43 < vpnHelper> RSS Update - forum: Server Administration :: Re: Just no connection :: Reply by kkaal <https://forums.openvpn.net/viewtopic.php?f=4&t=7153&p=7985#p7985>
16:44 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
16:44 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
16:44 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
16:50 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
16:56 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
16:56 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
16:56 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
17:00 -!- bent_screwdriver [~socain00@74.255.249.66] has quit [Ping timeout: 276 seconds]
17:06 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
17:47 -!- Nach0z [~IceChat7@unaffiliated/nach0z] has joined #openvpn
17:47 < Nach0z> !welcome
17:47 < vpnHelper> Nach0z: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:48 < Nach0z> ... huh
17:48 < Nach0z> !goal
17:48 < vpnHelper> Nach0z: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:48 < Nach0z> !goal I want to be able to access the internet through my home server.
17:48 < vpnHelper> Nach0z: Error: "goal" is not a valid command.
17:49 < Nach0z> ..... er.
17:49 < Nach0z> ok lemme just ask this then. I've got this error set when I connect to the VPN... http://pastebin.com/wKSEwK3f
17:52 < Nach0z> basically how do i get this to NOT happen?
17:52 < Nach0z> i've got all the .conf's ready to go for yall
18:11 < ecrist> we'd need the server logs, too
18:11 < Nach0z> erm, ok. one thing about that tho
18:11 < Nach0z> i dunno where they are
18:11 < Nach0z> i've found ONE
18:11 < Nach0z> and its emtpy
18:12 < Nach0z> *empty
18:12 < |Mike|> somewhere in /var/log/
18:13 < Nach0z> okidoki. yall want this on DCC or pastebin?
18:13 < |Mike|> pastebin, doh
18:14 < krzee> !logfile
18:14 < vpnHelper> krzee: "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info
18:14 < Nach0z> syslog?
18:15 < ecrist> it's possible you're not logging at all.  turn it on and try again to generate some logs
18:15 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
18:17 < Nach0z> how do i turn on logging then?
18:18 < ecrist> see the log line krzee posted above
18:19 < Nach0z> this goes in server.conf yes?
18:19 < ecrist> yep, or client.conf
18:19 < ecrist> it's good for both
18:20 < Nach0z> ok
18:21 < Nach0z> one more question 'fore i get this started... how do i restart openVPN in ubuntu?
18:21 < ecrist> service restart openvpn?
18:21 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
18:21 < ecrist> service openvpn restart?
18:21 < ecrist> I have no idea
18:22 < Nach0z> it says "autostarting VPN: homeserver [OK]" then "autostarting VPN: server [FAIL]"
18:25 < Nach0z> and the server log file i just set up isnt there.
18:26 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
18:27 < Cmdr_W_T_Riker> Nach0z: i would do a tail -f on /var/log/messages and start openvpn again, to see what's happening
18:27 < Nach0z> ... ok, how do i do that?
18:29 < Nach0z> :( i'm no good at ubuntu...
18:29 < ecrist> could always use a *real* OS...
18:30 < Nach0z> :| i'm using ubuntu because it's lightweight and that's what i want from my server. so it can run smoothly
18:30 < Nach0z> otherwise i'd be usin win7
18:31 < ecrist> if you really want light weight, use something like freebsd
18:32 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
18:33 < Nach0z> *sigh* regardless of these issues... i'm just trying to figure out why the thing said that starting "VPN: server" failed
18:33 < ecrist> I don't know ubuntu or linux that well.
18:33 < Nach0z> neither do I lol
18:34 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined #openvpn
18:38 < Cmdr_W_T_Riker> Nach0z: tail -f /var/log/messages
18:38 < Cmdr_W_T_Riker> Nach0z: service openvpn start
18:39 < |Mike|> goede nacht.
18:41 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 265 seconds]
18:43 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
18:43 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
18:43 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
18:46 < Nach0z> ok then.... 
18:46 < Nach0z> nothing really happened
18:49 < Nach0z> can i put the link to my current server.conf in here? maybe yall can figure out why it won't start....
18:51 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 264 seconds]
18:56 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
19:01 -!- sc_ [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has quit [Ping timeout: 276 seconds]
19:02 -!- sc_ [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has joined #openvpn
19:13 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
19:19 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
19:21 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
19:26 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
19:38 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 265 seconds]
19:40 < krzee> Nach0z, yes
19:41 < Nach0z> aight. 
19:41 < Nach0z> http://pastebin.com/dyz1yUwf
19:43 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
19:45 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
19:45 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
19:45 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
19:48 < Nach0z> krzee: anything? :/
19:54 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has joined #openvpn
19:55 < krzee> weird, i cant load pastebin
19:55 < krzee> i couldnt load your earlier link, cant load this one either
19:55 < krzee> i must have a bad route to it at the moment
19:55 < krzee> try pastebin.ca
19:56 < Noble> I've been using SSH tunnels to secure my surfing, emails etc. However it is a real pain to establish all these connections every time I use my computer. Is it possible to use OpenVPN to tunnel *all* of my network traffic through a server, like a proxy?
19:56 < krzee> yes
19:56 < krzee> !def1
19:56 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
19:57 < krzee> #2
19:58 < Noble> krzee: So bascially I specify a new default gateway? What about traffic that sits on the local subnet? How will that be transported?
19:58 < Nach0z> krzee: http://pastebin.ca/1955994
19:58 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 240 seconds]
19:59 < krzee> Noble, routing tables work based on most specific route wins
20:00 < krzee> so if you have a more specific route to your local subnet, it overrides default
20:00 < krzee> thats actually also how def1 flag to redirect-gateway works
20:00 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
20:00 < Nach0z> my openvpn is so fails....
20:01 < krzee> and the internet link im on right now is complete fail
20:01 < krzee> that one isnt loading either
20:01 < krzee> lol
20:02 < Noble> krzee: I have a lot of reading up to do.. Let me clarify this though, using a 'redirect-gateway' I will be able to forward all my network traffic encrypted through a server?
20:03 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
20:03 < krzee> it will give you a new default route to the internet, which will go over the vpn
20:03 < krzee> then your vpn server needs to NAT the vpn subnet so it can reach the internet
20:03 < krzee> the reading thing is common... this is advanced networking
20:06 < Noble> krzee: :) I see, so I have to set up MASQ/NAT on the server as well? This seems like just the thing I've been looking for: securing all network traffic in 'one go'. I administer a couple of roaming laptops that uses different, and sometimes unsecure, connections.
20:07 < krzee> yes, but if the server is linux, here you go
20:07 < krzee> !linnat
20:07 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
20:08 < krzee> so basically:
20:08 < krzee> !tell Noble [sample]
20:08 < krzee> !tell Noble [pki]
20:08 < krzee> !tell Noble [redirect]
20:08 < krzee> =]
20:08 < Noble> krzee: Thank you very much. I will probably be using OpenBSD, but I've messed around with NAT before so I knowthe basics. 
20:08 < krzee> !pfnat
20:08 < vpnHelper> krzee: "pfnat" is nat on <inf> from <subnet/ip> to <subnet/ip> -> <nat_ip>
20:08 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
20:09 < Nach0z> krzee: you couldn't find the error in the server.conf huh :/
20:09 < krzee> Nach0z, i cant even load the pastebins
20:09 < krzee> =/
20:09 < Nach0z> i just
20:09 < Nach0z> oh
20:09 < Nach0z> http://pastebin.ca/1955994
20:09 < krzee> go ahead and paste it to me in msg... thats usually a HUGE no-no, but you can do it this time
20:09 < Noble> krzee: Have you ever tried this kind of setup? How does it play with DHCP leases? :P
20:09 < Nach0z> there's the .ca one
20:10 < krzee> that is not loading either Nach0z 
20:10 < Nach0z> well crap.
20:10 < Nach0z> aight holdon
20:10 < krzee> Noble, you arent bridging, your ethernet device keeps its LAN ip
20:10 < krzee> your TUN device gets a vpn ip
20:10 < krzee> =]
20:11 < krzee> so dhcp will not interfere
20:11 < Noble> krzee: From http://manoftoday.wordpress.com/2006/12/03/openvpn-20-howto/ " The redirect-gateway option might prevent the client from reaching the local DHCP server (because DHCP messages would be routed over the VPN), causing it to lose its IP address lease."
20:11 < vpnHelper> Title: OpenVPN 2.0 HOWTO « life ideas (at manoftoday.wordpress.com)
20:12 < krzee> is that actually happens to you (which is unlikely) there is a bypass-dhcp flag for redirect-gateway
20:12 < krzee> stop reading lame walkthroughs from google
20:12 < krzee> they suck for openvpn
20:12 < krzee> use the openvpn howto and the manual
20:12 < krzee> !howto
20:12 < krzee> !man
20:12 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
20:12 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
20:13 < Noble> krzee: Haha ok ;) Thanks for your time, most usefull.
20:13 < krzee> np
20:16 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
20:17 < krzee> ya Nach0z that config is garbage :-p
20:17 < krzee> start over from my sample configs
20:18 < Nach0z> lol
20:19 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 264 seconds]
20:25 -!- svm_invi1tvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
20:26 -!- Alphanaut [~chatzilla@12.50.185.130] has joined #openvpn
20:31 -!- svm_invi1tvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Read error: Connection reset by peer]
20:33 < Nach0z> krzee
20:34 < Nach0z> got a whole new set of issues with this
20:34 < krzee> ?
20:35 < Nach0z> yeah.... about WAY TOO MANY lines of stuff that i don't understand.
20:35 < krzee> !man
20:35 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
20:35 -!- koaschten_ [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
20:36 < Nach0z> :|
20:36 < Nach0z> ....i just realized i forgot to restart the service.
20:37 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
20:37 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
20:37 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
20:37 < Nach0z> rgh x-|
20:37 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Ping timeout: 245 seconds]
20:37 < Nach0z> the server still won't start.
20:37 < krzee> read every line of that in the manual
20:37 < krzee> serious
20:38 < krzee> im leaving in a minute, not going to spoonfeed you
20:38 < krzee> every line from my sample configs, read about it in the manual
20:39 < Nach0z> :| the config
20:39 < Nach0z> isnt the issue i think
20:39 < Nach0z> the PROCESS isnt workin
20:39 < Nach0z> like, wont start
20:39 < Nach0z> ...eh. nvm. later all.
20:39 -!- Nach0z [~IceChat7@unaffiliated/nach0z] has left #openvpn []
20:43 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
20:44 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
20:48 -!- s7r [~s7r@188.27.109.26] has left #openvpn []
20:51 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
20:55 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
21:00 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
21:05 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
21:10 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
21:10 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
21:10 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
21:17 -!- s7r [~s7r@188.27.109.222] has joined #openvpn
21:43 -!- Alphanaut [~chatzilla@12.50.185.130] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.10/20100914125854]]
--- Day changed Thu Oct 07 2010
00:19 -!- MrJK [~jezu@194.199.166.96] has quit [Ping timeout: 276 seconds]
00:52 -!- koaschten_ [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Ping timeout: 240 seconds]
01:00 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Ping timeout: 264 seconds]
01:02 -!- infid [~infid@99-101-15-134.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
01:03 < infid> all i want to do is connect to a vpn server, from ubuntu, do i just 'apt-get install openvpn' and type like 'openvpn <hostname>' ?
01:06 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined #openvpn
01:10 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
01:10 < fahmad> Hello
01:11 < theDoc> infid> You'll want sudo apt-get install openvpn followed by openvpn /path/to/config/file
01:13 < infid> so i have to create a config file first? are there any defaults that work
01:14 < theDoc> infid> No? Do you already have a openvpn server?
01:14 < infid> yeah but it's not mine, but it's all set up
01:14 < infid> if i telnet to the openvpn is there a command i can run to make sure it's running
01:14 < theDoc> You can't telnet to it.
01:14 < theDoc> It's not going to accept the connection.
01:15 < infid> ok
01:15 < theDoc> Just run openvpn /path/to/client/config from the client machine.
01:15 < infid> how will i know what to put in the config file?
01:15 < theDoc> infid> The vpn provider/admin is supposed to provide you with that file.
01:18 < fahmad> can some one tell me if i am using ip allocation using radius and in my openvpn server.conf i have server 172.16.0.0 255.255.255.0 and i am using topology subnet then is it possible to assign ips like this Framed-IP-Address += 172.16.1.2 172.16.0.1/32 1 ?
01:19 < fahmad> because i get ip but i could not able to browse or ping ...
01:22 < infid> theDoc: crap, well the admin told me i could login to like port 943 or something with my web browser and it'd give me the config file, but i dont remember exactly what he said
01:24 < theDoc> infid> crap. get tech support if you're paying for the service.
01:25 < fahmad> any one ?
01:28 < infid> not paying. just have to wait till tomorrow now
01:39 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Read error: Connection reset by peer]
01:40 < krzie> fahmad, how are you assigning ips from radius?
01:40 < krzie> (in openvpn)
01:47 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
02:14 < krzie> the only way to do that would be a client-connect script
02:14 < krzie> !client-connect
02:14 < vpnHelper> krzie: "client-connect" is --client-connect <script>, runs script on client connection. This can be useful for generating firewall rules dynamicly, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamicly... to use it that way, you should write your dynamic ccd commands to the file named by $1.
02:19 -!- dazo_afk is now known as dazo
02:22 < fahmad> krzie: hey
02:22 < fahmad> krzie: sorry i missed your message
02:22 < fahmad> by putting ip address in Radius Reply Table ..
02:41 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
02:46 -!- dazo is now known as dazo_afk
02:57 -!- Capkirk [~thomas@0133300189.0.fullrate.dk] has joined #openvpn
03:02 -!- dazo_afk is now known as dazo
03:12 < Capkirk> hep
03:13 < Capkirk> is it possible to bridge 2 networks using only 2 vpn boxes?
03:13 < Capkirk> bot vpn boxes have 4 physical interfaces
03:13 < Capkirk> both
03:14 < Capkirk> does this setup mean that i need to have 2 instances of openvpn running on both boxes?
03:17 -!- s7r [~s7r@188.27.109.222] has quit [Ping timeout: 240 seconds]
03:26 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 250 seconds]
03:28 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
03:28 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
03:28 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
03:31 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
03:36 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:42 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 255 seconds]
03:43 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
03:49 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
03:54 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
03:54 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
03:54 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
03:56 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
04:01 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
04:01 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
04:01 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
04:02 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
04:08 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
04:08 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
04:08 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
04:12 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
04:22 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
04:27 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
04:48 -!- joako_ [~joako@99-153-162-173.lightspeed.miamfl.sbcglobal.net] has joined #openvpn
04:48 -!- joako_ [~joako@99-153-162-173.lightspeed.miamfl.sbcglobal.net] has quit [Changing host]
04:48 -!- joako_ [~joako@opensuse/member/joak0] has joined #openvpn
04:54 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 240 seconds]
04:56 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
04:59 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
05:03 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 250 seconds]
05:05 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
05:14 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
05:19 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
05:21 -!- dazo is now known as dazo_afk
05:32 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 240 seconds]
05:34 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
05:34 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
05:34 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
05:38 < fahmad> can some one tell me if i am using ip allocation using radius and in my openvpn server.conf i have server 172.16.0.0 255.255.255.0 and i am using topology subnet then is it possible to assign ips like this Framed-IP-Address += 172.16.1.2 172.16.0.1/32 1 ?
05:38 < fahmad> because i get ip but i could not able to browse or ping ...
05:39 < fahmad> i am assigning ip address using radius replay Framed-IP-Address 172.16.1.2 and Framed-Route 172.16.0.1/32 1 ...
05:42 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 265 seconds]
05:43 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
05:43 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
05:43 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
05:52 -!- joako_ [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
06:05 -!- abeehc- [~bob@S0106001d73de0dd6.gv.shawcable.net] has quit [Ping timeout: 252 seconds]
06:07 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
06:08 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:13 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
06:13 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
06:13 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
06:22 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 240 seconds]
06:23 < fahmad> can some one tell me how can i connect more then 300 users at a time on openvpn ?
06:24 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
06:24 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
06:24 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
06:30 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
06:34 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
06:36 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
06:47 < fahmad> can some one tell me how can i connect more then 300 users at a time on openvpn ?
06:47 < Bushmills> split them over serveral servers
06:48 < Bushmills> load on one server for 300 concurrent users would be considerable
06:48 < fahmad> Bushmills: but what about ips ?
06:48 < Bushmills> static , assigned,   or dynamic, from pool
06:49 < fahmad> like if i used server 172.100.0.0 255.255.0.0 and i assigned ip address to client using Radius Framed-IP-Address = 172.100.2.1 then this client could not browse
06:50 < fahmad> Bushmills: give me some example brother i am stuck at this part
06:50 -!- dazo_afk is now known as dazo
06:51 < Bushmills> example of what?  vpn server handing out ip addresses to client? splitting clients over multiple servers?
06:51 < fahmad> Bushmills: brother how can i connect 300 concurrent users on single server ?
06:51 < fahmad> and how ips will be assigned ?
06:52 < fahmad> as i can see tun only assigned single ip address ...
06:52 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
06:53 < Bushmills> to let server assign static addresses to clients, ifconfig-push them, best from ccd entries
06:53 < Bushmills> !ccd
06:53 < vpnHelper> Bushmills: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
06:54 < fahmad> Bushmills: but brother after 254 connections 
06:54 < fahmad> it will not work for 255th connection 
06:54 < Bushmills> as said, i'd not run that number of clients on one server
06:54 < fahmad> even if i am using "topology subnet"
06:55 < Bushmills> for more than 254, you'd need a wider subnet. 
06:55 < fahmad> Bushmills: i used server 172.100.0.0 255.255.0.0
06:55 < fahmad> its wider ...
06:55 < Bushmills> more than 253, actually
06:56 < Bushmills> my estimate is, depending on server, that there's a practical limit to the number clients at around... 30..50 per server 
06:57 < fahmad> --ifconfig-pool-linear
06:57 < fahmad> Modifies the --ifconfig-pool directive to allocate individual TUN interface addresses for clients rather than /30 subnets. NOTE: This option is incompatible with Windows clients.
06:58 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
07:09 < fahmad> how can i do that 
07:09 < fahmad> directive to allocate individual TUN interface addresses
07:13 < ecrist>  good morning.
07:14 < fahmad> hey
07:14 < fahmad> :)
07:16 < vpnHelper> RSS Update - forum: Scripting and Customizations :: allow ssh via on non vpn address while vpn is open :: Author bent <https://forums.openvpn.net/viewtopic.php?f=15&t=7163&p=7986#p7986>
07:16 < fahmad> Bushmills: again i am stuck at helpless :(
07:17 < Bushmills> <Bushmills> to let server assign static addresses to clients, ifconfig-push them, best from ccd entries
07:18 < fahmad> Bushmills: but what if 253 users connect 
07:18 < fahmad> what about rest of them :)
07:20 < Bushmills> with that many users connected and possibly actively using the vpn link, those remaining users may not notice the difference between being or being not connected.
07:20 < fahmad> ummm
07:38 < ecrist> fahmad: openvpn performance falls off around 200 users
07:38 < ecrist> due to lack of threading, in part
07:38 < fahmad> ecrist: humm
07:39 < fahmad> ecrist: but i need to just learn it 
07:39 < fahmad> ecrist: i know there won't be 300+ user same time 
07:39 < fahmad> but again i need to give static ips to clients
07:39 < fahmad> so that i can not give same ip to another client ...
07:40 < ecrist> I don't know what you're looking for.
07:41 < fahmad> ecrist: i am reading about ifconfig-pool but its not working 
07:41 < fahmad> also read about multiple tun on mutliple ip address interfaces
07:52 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
08:00 -!- le0 [~fin@87.112.250.227] has joined #openvpn
08:00 -!- le0 [~fin@87.112.250.227] has quit [Changing host]
08:00 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
08:02 -!- net_nigel [~net_nigel@d72-38-41-26.commercial1.cgocable.net] has joined #openvpn
08:03 -!- keyhive [~net_nigel@d221-71-130.commercial.cgocable.net] has quit [Read error: Connection reset by peer]
08:03 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
08:05 -!- keyhive [~net_nigel@d221-71-130.commercial.cgocable.net] has joined #openvpn
08:07 -!- net_nigel [~net_nigel@d72-38-41-26.commercial1.cgocable.net] has quit [Ping timeout: 276 seconds]
08:08 -!- s7r [~s7r@188.27.109.162] has joined #openvpn
08:08 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
08:08 < fahmad> hello
08:09 < fahmad> ecrist: you there ?
08:09 <@dazo> fahmad: you want to administer 300+ users with static VPN IP addresses?
08:10 < fahmad> dazo: yes 
08:10 <@dazo> fahmad: may I ask why they have to be static?
08:10 < fahmad> well if client need then i need to give them static ip 
08:10 < fahmad> and for that i need to route internal ip to static ip 
08:10 < fahmad> and for that i need static internal ips :$
08:11 <@dazo> but why static?  why not dynamic and let the routing be more generic?
08:11 < fahmad> dazo: then we can not track which user user which ip :$
08:11 <@dazo> and then rather use some script hooks to open up access in a firewall on-the-fly ... that way, no admin of IP addresses
08:11 < fahmad> it will be complicated for us :$
08:11 <@dazo> you can do that with simple scripts, using --learn-address
08:12 < fahmad> humm
08:12 <@dazo> it is a lot more complicated to administer 300+ static IP addresses
08:12 < fahmad> dazo: ok
08:12 < fahmad> can you tell me one thing 
08:12 <@dazo> sure ...
08:13 < fahmad> i am now using "topology subnet" and "client-config-dir ccd" but when i have client file in ccd folder i does not assigned ip like for this topology it must be like this "ifconfig-push 172.16.1.100 255.255.255.0"
08:14 < fahmad> but its not working i keep getting ip 172.16.1.2
08:14 < fahmad> however i need to do that :$
08:14 <@dazo> so all clients are getting 172.16.1.2?
08:15 < fahmad> i just tested one user :)
08:15 < fahmad> i am sure it will happen if no one is connected
08:15 < fahmad> and suppose i forward static ip then any one can use it
08:15 < fahmad> and abuse it 
08:16 <@dazo> I struggle to follow your chain of thoughts now ... but ... lets talk over some concrete config files, please ... maybe that will help clear up some unclear things
08:17 <@dazo> !configs
08:17 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
08:18 <@dazo> in general, it sounds like there's some misconfiguration somewhere ... where either the CCD file is not found or not read somehow by OpenVPN .... or that there are some other issues which invalidates the ccd somehow
08:18 < fahmad> http://paste.ubuntu.com/507998/
08:18 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
08:18 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
08:18 <@dazo> can you please pastbin the ccd file as well?
08:19 < fahmad> ccd file get empty when client connected :(
08:19 < fahmad> i have it now empty file :(
08:20 < fahmad> ifconfig-push 172.16.1.10 255.255.255.0
08:20 <@dazo> then it's not strange you get 172.16.1.2 on the client side ... that's expected ... the server takes 172.16.1.1, and begins to give 172.16.1.2+ to clients
08:20 <@dazo> fine ... I see one potential issue
08:20 < fahmad> O_O ?
08:20 <@dazo> client-config-dir ccd
08:20 < fahmad> yes
08:20 <@dazo> that is a relative path
08:20 < fahmad> yes
08:20 <@dazo> use a full path 
08:20 < fahmad> ok
08:21 <@dazo> and make sure that the nobody user and/or nobody group can access this directory and that it can read files inside this dir
08:21 < fahmad> lemme try 
08:21 < fahmad> connecint
08:21 < fahmad> ok
08:22 < fahmad> same happen after Thu Oct  7 06:30:16 2010 farrukh/202.43.124.41:2229 MULTI: primary virtual IP for farrukh/202.43.124.41:2229: 172.16.1.2
08:22 < fahmad> doing what you have mentioned sir :)
08:22 < fahmad> Thu Oct  7 06:30:18 2010 farrukh/202.43.124.41:2229 SENT CONTROL [farrukh]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route-gateway 172.16.1.1,topology subnet,ping 10,ping-restart 60,ifconfig 172.16.1.2 255.255.255.0' (status=1)
08:22 <@dazo> okay ... fine ... that indicates that the OpenVPN process either has a mismatch on the filename or cannot read the CCD file
08:23 < fahmad> and file is empty again
08:23 <@dazo> okay ... then you need to figure out who does that ... I suspect the radiusplugin.so 
08:23 <@dazo> I don't know anything about that plug-in, so I can't help you much on that one
08:23 < fahmad> humm
08:24 < fahmad> http://openvpn.net/archive/openvpn-users/2007-03/msg00204.html
08:24 < vpnHelper> Title: [Openvpn-devel] BUG: ifconfig-push in client config when using topology = subnet (at openvpn.net)
08:24 < fahmad> can you read that sir 
08:25 <@dazo> that's not related ... someone deletes/scratches your ccd file ... and this was openvpn 2.1_rc1, back in 2007
08:25 <@dazo> I hope you're using a newer version than that .... more like 2.1.0+
08:25 <@dazo> (official release)
08:26 < fahmad> yes
08:26 < fahmad> OpenVPN 2.1.1 using this
08:26 <@dazo> try to recreate your ccd file again .... and disable the radiusplugin ... see if that solves it
08:27 < fahmad> ok
08:27 <@dazo> (you might need to remove --auth-user-pass in the client config)
08:30 < fahmad> username-as-common-name also from server
08:30 < fahmad> :D
08:30 <@dazo> probably
08:30 <@dazo> :)
08:31 < fahmad> same happen sir
08:31 < fahmad> :(
08:31 < fahmad> again it gave m 172.16.1.2
08:31 <@dazo> okay, and the file gets truncated?
08:31 < fahmad> however i have 172.16.1.100
08:31 < fahmad> nope not this time ...
08:31 <@dazo> yeah ... the filename might be wrong now ... it must be CN not username 
08:32 < fahmad> it does not look for client config file
08:32 < fahmad> like it was looking before
08:32 <@dazo> !logs
08:32 < vpnHelper> dazo: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
08:34 < fahmad> http://paste.ubuntu.com/508003/
08:34 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Ping timeout: 272 seconds]
08:35 <@dazo> fahmad: and the filename of the ccd file is vpn.change-mon-ip.com ?
08:35 < fahmad> nope
08:35 < fahmad> humm
08:35 < fahmad> its username ?
08:35 < fahmad> i think not in this case for now it will username when username-as-common-name is enable ?
08:36 < fahmad> vpn.change-mon-ip.com = is hostname
08:36 <@dazo> but you removed --auth-user-pass, --username-as-common-name from the client and disabled the radiusplugin, didn't you?
08:36 <@dazo> Thu Oct  7 06:39:26 2010 202.43.124.41:2280 VERIFY OK: depth=0, /C=BZ/ST=Belize/L=Belize_City/O=Esecurity_SA/OU=IT/CN=vpn.change-mon-ip.com/emailAddress=admin@change-mon-ip.com
08:36 <@dazo> Look at CN ... that's what the filename will be for CCD when not using username auth
08:37 < fahmad> dazo: i did 
08:37 < fahmad> ok
08:37 < theDoc> radius problem?
08:37 < fahmad> trying again
08:37 <@dazo> theDoc: got a feeling the radiusplugin deletes ccd files
08:38 < theDoc> Which radius implementation is this?
08:38 <@dazo> fahmad: please, increase log level to 7 now ... I want to see logs where the ccd file is tried to be read
08:38 < fahmad> i got that ip now 
08:38 <@dazo> the IP you requested?
08:38 < fahmad> dazo: with that 
08:38 < fahmad> yes
08:38 < fahmad> but again the problem will be radius then (
08:38 < fahmad> :(
08:38 <@dazo> good ... now, enable the radius plug-in ... but *do not* add --username-as-common-name
08:38 < fahmad> ok
08:39 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
08:39 <@dazo> and add --auth-user-pass on the client
08:39 <@dazo> and see if the ccd file disappears or not
08:39 <@dazo> theDoc: I don't know ... fahmad, theDoc wonders which radius implementation you're using
08:39 < theDoc> dazo> Why would the radius plugin delete the ccd?
08:39 <@dazo> theDoc: I dunno
08:40 < fahmad> got it
08:40 < fahmad> got ip
08:40 <@dazo> good ... then enable --username-as-common-name
08:40 <@dazo> and try again
08:41 < fahmad> ok
08:42 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
08:42 -!- Xen^ [~linux@vpn.server4sale.com] has joined #openvpn
08:43 < Xen^> its me 
08:43 < Xen^> back
08:43 < Xen^> dazo: its me fahmad
08:43 < Xen^> <fahmad> ok
08:43 < Xen^> <fahmad> file got empty :)
08:43 < Xen^> <fahmad> but ip assigned from vpn.change-mon-ip.com ccd file
08:44 -!- fahmad [~linux@unaffiliated/fahmad] has quit [Disconnected by services]
08:44 -!- Xen^ is now known as fahmad
08:44 <@dazo> fahmad: okay ... so vpn.change-mon.ip.com is not truncated ... only the file named as your username?
08:44 < theDoc> dazo> I'm still not sure what you guys are trying to do with radius:P
08:44 < fahmad> nope
08:45 < fahmad> theDoc: from radius user authenticate sir
08:45 <@dazo> theDoc: we're trying to locate what causes the ccd file to get truncated
08:45 -!- xreal [~mweber@mailgw.FB12.Uni-Dortmund.DE] has joined #openvpn
08:45 < theDoc> What part of the ccd file gets truncated?
08:46 < theDoc> or rather, what's in the ccd file that's getting truncated?
08:46 < fahmad> i just put single line
08:46 < fahmad> and thats truncated
08:46 < theDoc> fahmad> freeradius?
08:47 < fahmad> ifconfig-push 172.16.1.10 255.255.255.0
08:47 < fahmad> yes
08:47 <@dazo> fahmad: I have a feeling that the radiusplugin supports assigning IP addresses via the radius system ... and that it truncates it, because no IP is configured in radius
08:47 < fahmad> dazo: right but the problem is 
08:47 < fahmad> that if i got for it then it will create problem if client wants to connect on different server e.g. UK server
08:47 < xreal> @dazo: Do you have a little more time today?
08:47 < theDoc> fahmad> If you give the framed-ip attribute in the radius db, does it work?
08:48 < theDoc> I think it should be framed-ip attribute.
08:48 <@dazo> so the radiusplugin generates an empty file now ... and if you don't want the radiusplugin to do that ... you need to figure out how to disable it 
08:48 < fahmad> theDoc: yup
08:48 <@dazo> xreal: not very much
08:48 < xreal> @dazo: Is there a forum or a board to talk about my problem?
08:48 < theDoc> fahmad> So it works, why not use the framed-ip attribute?
08:48 < fahmad> theDoc: sir becaue you know i have more then one vpn server
08:48 <@dazo> xreal: https://forums.openvpn.net/
08:48 < vpnHelper> Title: OpenVPN Support Forum Index page (at forums.openvpn.net)
08:49 < xreal> thx
08:49 < fahmad> and if i want to allow a client to all server and it have only 172.16.1.100 or if there will be a user which is already using it will create problem
08:50 < theDoc> lol
08:50 <@dazo> fahmad: sounds like you need to either try to disable a feature in radiusplugin.so ... or to hack it to work more convenient for you
08:50 < fahmad> umm
08:50 < theDoc> I actually have a different solution to this and bypassing the whole radius plugin issue which I use in my own setup.
08:51 < fahmad> theDoc: and what is that ?
08:51  * dazo senses radius auth via PAM ...
08:52 < fahmad> dazo: no man i can not add many users ...
08:53 < theDoc> dazo> lol, no. I just realized that fahmad's a vpn provider :P
08:53 < fahmad> lol
08:53 < fahmad> i am not 
08:53 < fahmad> but i am trying to give support :d
08:53 < fahmad> who is provider
08:53 < theDoc> fahmad> What are you trying to achieve by using radius to assign ips?
08:54 < fahmad> theDoc: well brother they have different servers
08:54 < theDoc> Ok, and?
08:54 < fahmad> i want authenticate users with radius 
08:54 < theDoc> Ok, and?
08:54 < fahmad> and i want to put server restrictions using radius which i have done
08:54 < fahmad> and now ip assignment ...
08:55 < fahmad> theDoc: so that if client pay for static ip we can give it  to them 
08:55 < fahmad> ok
08:55 < theDoc> fahmad> If they're paying for static, they should be connecting to only specific servers, I still don't see why you need radius to do that.
08:56 < fahmad> well because i do not want to add users on all servers manually
08:56 < fahmad> ok
08:56 < fahmad> same user will connects to all servers
08:56 < fahmad> if allowed
08:57 < theDoc> Um, no. If I'm on a static ip plan, I most probably wouldn't want to be connecting to  different servers and taking random exit ips.
08:58 < fahmad> theDoc: right 
08:58 < fahmad> then we will restrict them 
08:59 < theDoc> fahmad> You're over complicating the problem.
08:59 < fahmad> theDoc: i am using 172.16.0.1 for UDP and 172.16.1.1 for TCP
09:00 < fahmad> on all servers
09:00 < fahmad> now understand ?
09:02 < theDoc> Maybe I'm not understanding you right and I'm not really up for solving a problem for another provider.
09:03 < fahmad> theDoc: you are also provider O_o
09:03 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
09:03 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Read error: Operation timed out]
09:04 < theDoc> fahmad> Yep.
09:05 < fahmad> theDoc: then i got a feeling you will never help :0
09:06 < theDoc> :)
09:06 < fahmad> theDoc: but if you could give me an idea then it would be great but i think you feel insecure ...
09:06 < theDoc> fahmad> Sure, we could solve the problem for you but it'll cost.
09:07 < fahmad> you will get same business which has been in your luck anyway ...
09:07 < fahmad> how much you will cost 
09:12 < xreal> Interesting ... it seems like Windows XP doesn't forward my TCP/IP-traffic! But I've activated it in registry!
09:13 <@dazo> xreal: have you tried to reboot the windows box?
09:13 < xreal> @dazo: Yep. 2 days ago :-)
09:14 <@dazo> xreal: that's a reboot after you changed the registry for forwarding?
09:14 < xreal> @dazo: Yep.
09:14 < xreal> And it's still activated.
09:14 < xreal> I can now ping the internal IP of the client, but no other IP on the network.
09:15 <@dazo> then I dunno ... but I'm far from a windows user 
09:15 < xreal> So it seems, like it doesn't forward anything.
09:15 <@dazo> firewalling?
09:15 < xreal> deactivated.
09:15 < xreal> @dazo: Okay, seems like I need to run a live linux from vbox and try it that way.
09:17 <@dazo> xreal: try asking on the openvpn-users mailing list ... there's quite some windows users there as well
09:18 < xreal> ok
09:18 < xreal> DAMMMMMMMMMN
09:18 < xreal> it worked!
09:18 < xreal> I forgot "pull" on client side!
09:18 <@dazo> heh
09:18 < xreal> 4 chars, which took 2 days to appear.
09:19 < xreal> !seen efficiency
09:19 < vpnHelper> xreal: I have not seen efficiency.
09:19 < xreal> "<vpnHelper> xreal: I have not seen efficiency."
09:19 <@dazo> hahah
09:19 < xreal> Thanks for all the help!
09:19 < xreal> Half the way is done ... now I need to check about Samba and WINS.
09:20 <@dazo> well, that *should* be a piece of cake now ... when routing is in order, the rest should "Just Work(tm)"
09:21 < xreal> @dazo: Is it work on client or server side?
09:21 <@dazo> uhh ... good question
09:21  * dazo checks his configs
09:22 <@dazo> xreal: you can from the server do:
09:22 < xreal> server
09:22 <@dazo> push "dhcp-option DNS x.x.x.x"
09:22 < xreal> yeah, I've just found this.
09:22 <@dazo> push "dhcp-option WINS x.x.x.x"
09:23 < xreal> okay, let's try it.
09:23 <@dazo> *or* you can remove the push stuff and do it directly in client config
09:23 < xreal> @dazo: the client is in my target LAN - perhaps the last solution is better.
09:24 -!- fahmad [~linux@vpn.server4sale.com] has quit []
09:24 <@dazo> might be ... I've never tried --dhcp-options directly in client configs ... but I don't see why it shouldn't work
09:27 < xreal> Uh wait ... I can ping one IP, but not another. What's wrong here again? that doesn't make fun anymore.
09:27 < krzee> firewall
09:27 < xreal> krzee: Nope.
09:27 < krzee> one vpn endpoint can be pinged, other cant?
09:27 < krzee> or other machines in the lan cant be pinged?
09:28 < xreal> In "Kernel IP routing table" of the server, there is 10.20.0.0 (destination), 172.16.0.2 (gateway)
09:28 < xreal> shouldn't gateway be the other VPN's IP ?
09:28 < xreal> 172.16.0.1 is the one of the server
09:29 < krzee> !/30
09:29 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
09:29 < krzee> it should be what openvpn makes it
09:29 < krzee> xreal, 
09:29 < krzee> one vpn endpoint can be pinged, other cant?
09:29 < krzee> or other machines in the lan cant be pinged?
09:30 < xreal> krzee: Both endpoints (virtual IP addresses?) can be pinged, but other machines on the lan can't.
09:30 < krzee> !route_outside_ovpn
09:30 < vpnHelper> krzee: "route_outside_ovpn" is "route_outside_openvpn" is (#1) http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) you do not need this if the vpn node IS the gateway for its lan
09:30 < xreal> k
09:31 < xreal> MMh. I can ping 10.20.0.169. This IP is on target LAN of the client.
09:31 < xreal> Uh wait ... 
09:31 < xreal> traceroute gives me 1 entry only. Does this mean, it's on the server's LAN ?
09:33 < krzee> is the ip .169 also the vpn client?
09:34 < krzee> and you should be able to tell me if it is on the servers lan
09:34 < krzee> its impossible for me to know... you should know
09:34 < xreal> Oh yes .169 is the vpn client.
09:35 < krzee> well of course .169 doesnt need !route_outside_ovpn
09:35 < krzee> if you want more of the lan, do as it tells you
09:35 < xreal> Perhaps I did something wrong with WINS and DNS. Let me check again.
09:35 < krzee> lol
09:35 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
09:35 < krzee> did you add a route to the clients gateway?
09:35 < xreal> Yes, it works again without WINS and DNS.
09:35 <@dazo> xreal: WINS and DNS does NOT have anything with ping or traceroute
09:36 < xreal> @dazo: I did something wrong with the routing, I think.
09:36 <@dazo> you're kidding me
09:36 <@dazo> yeah, obviously
09:36  * krzee gives up
09:36 <@dazo> don't touch the routs
09:36 <@dazo> routes*
09:36 < xreal> krzee: 1 sec, I need to answer your questions :-)
09:36 < xreal> krzee: I tried, but it seems, it was wrong.
09:36 < krzee> on a brighter note
09:36 < krzee> http://www.english.rfi.fr/africa/20101006-zimbabwe-man-claims-rape-gang-women
09:36 < vpnHelper> Title: Zimbabwe man claims rape by gang of women | RFI (at www.english.rfi.fr)
09:37 <@dazo> lol
09:37 <@dazo> and he complains about it?
09:37 < xreal> @dazo: the LAN computers are on 10.20.0.0, WINS and DNS are on 10.0.100.1 and 10.0.100.2
09:37 <@dazo> xreal: okay, then you need to add routes .... not modify routes
09:38 < xreal> @dazo: Of course, that's what I did. LEt me post the config. perhaps it's better then.
09:39 <@dazo> yeah
09:39 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined #openvpn
09:40 < krzee> as far as the client lan
09:41 < krzee> once you got .169 working, your routes for openvpn are correct
09:41 < krzee> and you needed to do what i said
09:41 < krzee> (thats why i said it)
09:41 < xreal> http://paste.pocoo.org/show/272251/
09:41 < xreal> krzee: I can ping any computer on the LAN now, this works. But I also want DNS, WINS and SMB working.
09:42 <@dazo> and DNS and WINS are on another subnet on the client side
09:42 < xreal> @dazo: yeah.
09:42 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
09:43 <@dazo> xreal: yeah, then you need to figure out those routes first ... and when you can ping those IPs ... then you're good to go
09:43 <@dazo> then you can setup WINS and DNS
09:43 < xreal> So this won't work? route 10.0.100.0 255.255.255.0
09:43 < xreal> push "route 10.0.100.0 255.255.255.0"
09:44 <@dazo> krzee: you probably have better experience with LAN behind client routing ...
09:45 < krzee> what i dont get is why he's still talking about routes
09:45 < krzee> he said he can ping everything on the client side lan now
09:45 < krzee> aka, he is finished with routing
09:45 < krzee> xreal, routing != dns/wins
09:46 < krzee> once you can ping by IP, you are FINISHED with routing
09:46 < xreal> krzee: I am finished routing to 10.20.x.x, but not to 10.x.100.x ?!
09:46 < xreal> Or doesn't this matter?
09:46 < xreal> eeeh 10.0.100.x
09:46 < krzee> ok, where is 10.0.100.x located?
09:46 < krzee> the client has 2 lans?
09:47 < xreal> krzee: There are many machines all over 10.x.x.x. That was my main problem.
09:47 < xreal> 10.0.100.x is located on the client's lan.
09:47 <@dazo> krzee: the WINS/DNS servers are in a different subnet behind his OpenVPN client 
09:47 < krzee> ahh ok
09:47 < xreal> 10.20.x.x are the computers
09:47 < krzee> repaste your configs, without comments
09:48 < xreal> printers are 10.20.30.x
09:48 < xreal> krzee: ok, 1 sec
09:50 < xreal> http://paste.pocoo.org/show/272259/
09:50 < krzee> ok so now you just rinse ans repeat
09:50 < krzee> and*
09:51 < krzee> route 10.20.0.0 255.255.255.0
09:51 < krzee> push "route 10.20.0.0 255.255.255.0"
09:51 < krzee> do the same for 10.0.100.0 255.255.255.0
09:51 < xreal> anything else in the ccd ?
09:51 < xreal> iroute?
09:51 < krzee> yup
09:51 < xreal> k
09:51 < krzee> matching iroute entry
09:51 < krzee> just like you did for the other
09:52 < krzee> and then you are done, assuming they use the same default gateway
09:52 < krzee> unless upstream its the same default gateway
09:53 < xreal> great ... now ping stopped working :-(
09:53 -!- bent_screwdriver [~socain00@173-146-34-253.pools.spcsdns.net] has joined #openvpn
09:55 < xreal> I can ping .169, but no other computer on the LAN. It worked before ;-(
09:57 -!- joako_ [~joako@99-153-162-173.lightspeed.miamfl.sbcglobal.net] has joined #openvpn
09:57 -!- joako_ [~joako@99-153-162-173.lightspeed.miamfl.sbcglobal.net] has quit [Changing host]
09:57 -!- joako_ [~joako@opensuse/member/joak0] has joined #openvpn
09:57 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
09:58 -!- arejay [arejay@i.write.shellcode.eu] has quit [Read error: Operation timed out]
09:58 < xreal> I really can't understand, why it stopped working.
09:59 <@dazo> overlapping networks?
10:00 -!- arejay [arejay@i.write.shellcode.eu] has joined #openvpn
10:00 < xreal> @dazo: I don't have any information about my hoster's network.
10:02 <@dazo> xreal: overlapping networks is often caused by wrong network addresses and subnet masks ... for example:  10.0.0.0/255.255.0.0 and 10.0.100.0/255.255.255.0 are overlapping
10:02 <@dazo> because 10.0.0.0/255.255.0.0 uses 10.0.0.0 -> 10.0.255.255
10:03 <@dazo> and with 10.0.100.0/255.255.255.0 ... it will use: 10.0.100.0 -> 10.0.100.255
10:05 < xreal> I have removed anything from my config files. But still seems to be none working.
10:05 < xreal> Perhaps the routes on my client are wrong now.
10:06 <@dazo> xreal: the best way how to debug routing stuff ... is by using traceroute and wireshark or tcpdump
10:06 <@dazo> the two latter ones, there you listen to the different interfaces and see if ping requests go out and in ... then you know where things stops up
10:07 < xreal> @dazo: Those tools are very advanced. I tried them two days ago.
10:07 < xreal> I can see much traffic on my interfaces.
10:07 <@dazo> you need to filter out traffic you don't need
10:07 <@dazo> for example filter on ICMP traffic ... so that you just see ICMP
10:08 < xreal> Why is this all so unbelievable hard to config? I'm on a standard setup. I didn't tune my WIndows or change anything like that.
10:09 <@dazo> networking isn't that easy ... routing is pretty advanced and challenging if you're not used to do that
10:09 <@dazo> but when you first understand it completely ... it's very easy
10:10 <@dazo> And routing across subnets is an advanced topic
10:10 < xreal> Okay, I can see the ping to .169 (the client's address) in whireshark!
10:10 < xreal> I can also see it to .8
10:10 < xreal> Seems like there is no route back from .8 to the VPN ?
10:10 <@dazo> good catch!
10:11 <@dazo> the route back is important to get right ... the best way is to add that route on the default gateway on that local network 
10:11 < vpnHelper> RSS Update - forum: Server Administration :: Re: Just no connection :: Reply by george <https://forums.openvpn.net/viewtopic.php?f=4&t=7153&p=7987#p7987>
10:12 < xreal> @dazo: Do I need to do this for all the local IPs?
10:13 < xreal> I don't have access to the default gateway...
10:13 < xreal> only to the client, of course.
10:13 <@dazo> xreal: not necessarily ... or usually not on each of them ... but if you can't add that route on the default gw, then you need on each client you're accessing via VPN
10:15 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:17 -!- Capkirk [~thomas@0133300189.0.fullrate.dk] has quit [Quit: leaving]
10:17 < xreal> @dazo: I think, then I can't use OpenVPN at all.
10:17 < xreal> I don't have access to a server for example.
10:18 < xreal> I thought, OpenVPN allows me to just connect one extern computer to a LAN over a tunnel.
10:18 <@dazo> xreal: then you have one very last option ... and that's to NAT the traffic out of the OpenVPN client ... but I'm not sure if WinXP supports that
10:18 < xreal> @dazo: I can install linux in a virtualbox. That's no problem.
10:18 <@dazo> xreal: OpenVPN does exactly that ... but it depends 100% on the rules set by the networks
10:19 < xreal> @dazo: I can't believe my setup is so unusual :-(  Do you have an example for natting?
10:19 <@dazo> !linnat
10:19 < vpnHelper> dazo: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
10:19 <@dazo> !winnat
10:19 < vpnHelper> dazo: "winnat" is (#1) http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows, or (#2) http://www.nanodocumet.com/?p=14 for windows XP
10:20 <@dazo> xreal: look at #2 ^^
10:20 < xreal> yeah
10:20 < xreal> two network cards ... what the hell?
10:21 < xreal> or is one the virtual ?
10:21 <@dazo> xreal: your setup isn't that unusual ... but you try to "escape the laws of network physics" :)
10:21 <@dazo> xreal: TUN/TAP devices are virtual network cards
10:22 <@dazo> so yeah, you need to think carefully here, remember that the TUN/TAP is the "outside" network interface, while your fixed ethernet is the "internal"
10:26 < xreal> k
10:26 < xreal> uhm ... it didn't really change anything right now.
10:26 < xreal> I even don't know, if I did it right.
10:28 < xreal> perhaps its more easy in linux ...
10:29 < xreal> oh nice ... my network is f++ked up. brb ... restart this mess :-(
10:29 -!- xreal [~mweber@mailgw.FB12.Uni-Dortmund.DE] has quit [Quit: Switch off the lights and close your eyes. Feel the energy inside.]
10:29 -!- bent_screwdriver [~socain00@173-146-34-253.pools.spcsdns.net] has quit [Ping timeout: 252 seconds]
10:54 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
10:54 -!- beers3372 [adc8d402@gateway/web/freenode/ip.173.200.212.2] has joined #openvpn
11:01 -!- mage [~mage@24.86.236.78] has joined #openvpn
11:01 -!- mage is now known as Guest4889
11:14 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Ping timeout: 245 seconds]
11:17 -!- Guest4889 is now known as Docteh
11:22 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
11:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
11:36 -!- abeehc- [~bob@d207-6-195-163.bchsia.telus.net] has joined #openvpn
11:41 -!- abeehc- [~bob@d207-6-195-163.bchsia.telus.net] has quit [Ping timeout: 265 seconds]
11:42 -!- abeehc- [~bob@d207-6-195-163.bchsia.telus.net] has joined #openvpn
11:44 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
11:53 -!- beers3372 [adc8d402@gateway/web/freenode/ip.173.200.212.2] has quit [Quit: Page closed]
11:59 -!- joako_ [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
12:08 -!- xreal [~mweber@mailgw.FB12.Uni-Dortmund.DE] has joined #openvpn
12:08 < xreal> Finally, I installed debian.
12:15 < xreal> LooooooooooooL
12:16 < xreal> Hey dazo &...
12:16 < xreal> It worked immediately in debian ;.)
12:16 < xreal> copied config + restart client [x] done.
12:16 < xreal> ping works and answers.
12:16 < xreal> gateway works
12:22 < xreal> After setting the rules for DNS and WINS, everything stopped working again.
12:23 < krzee> !pushdns
12:23 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
12:23 < krzee> #4
12:27 < vpnHelper> RSS Update - forum: Server Administration :: Re: Openvpn connection to server but mail fails to open :: Reply by jerry <https://forums.openvpn.net/viewtopic.php?f=4&t=7127&p=7988#p7988>
12:29 < xreal> krzee: come on ... that's what I did :-)
12:29 < xreal> can I enter two DNS?
12:30 < xreal> 10.0.100.1 and 10.0.100.2 are DNS and WINS
12:33 < xreal> interesting ... now it killed the client from LAN. I can't ping it from any computer.
12:39 < krzee> you can if your update-resolv-conf script supports it
12:44 < xreal> I can ping 10.0.100.1 and 10.0.100.2 now.
12:44 < xreal> As soon, as I enter those two, I can't ping anything: push "dhcp-option DNS 10.0.100.1" push "dhcp-option WINS 10.0.100.2"
12:45 < krzee> you mean you cant ping anything by hostname
12:45 < xreal> no, I can't even ping the IPs anymore.
12:45 < xreal> ping 10.0.100.1 => no response
12:45 < xreal> without those entries, it's no problem.
12:45 < krzee> that makes no sense
12:45 < xreal> krzee: don't tell me that.
12:46 < xreal> !seen sense
12:46 < vpnHelper> xreal: I have not seen sense.
12:46 < krzee> !seen xreals mom since that one night
12:46 < vpnHelper> krzee: (seen [<channel>] <nick>) -- Returns the last time <nick> was seen and what <nick> was last seen saying. <channel> is only necessary if the message isn't sent on the channel itself.
12:46 < krzee> !seen xreals_mom_since_that_one_night
12:46 < vpnHelper> krzee: Error: 'xreals_mom_since_that_one_night' is not a valid nick.  That nick is too long for this server.
12:46 < krzee> heh
12:46 < xreal> :-)
12:47 < xreal> Give it up.
12:47 < krzee> damn bot
12:47 < xreal> Okay, where do I need to add it? server.conf
12:47 < xreal> or ccd
12:47 < krzee> actually, either one
12:47 < krzee> ccd if its only for certain clients, server if its for all
12:48 < krzee> s/server/main config/
12:48 < xreal> okay, server then.
12:49 < xreal> the client is on a domain ...
12:49 < xreal> I mean ... there is a domain server, but the client is not part of it.
12:49 < xreal> let me add it, perhaps it works then
12:51 < xreal> Funny, now I can ping the IPs again. But no names.
12:52 < xreal> yep, the domain is needed.
12:56 < xreal> DNS still doesn't work :-(
13:01 <@dazo> xreal: with DNS on Linux ... you need special scripts to make that work out of the box
13:01 <@dazo> bad sentence ... you need scripts, it doesn't work out of the box
13:03 < xreal> Okay, it doesn't work on Windows and it doesn't work on Linux.
13:03 < xreal> Nice :-)
13:03 < xreal> Sounds like a product from Apple.
13:03 < xreal> @dazo: Do you have any access to scripts like that?
13:05 < xreal> Sometimes, when reloading the client or the server, the SSH connection to the client does.
13:05 < xreal> dies*
13:05 <@dazo> xreal: your lucky day ... but real *EVERYTHING*  there's an important update towards the end ... http://www.phocean.net/2006/12/07/openvpn-and-dns-on-a-linux-client.html ... 
13:05 < vpnHelper> Title: OpenVPN and DNS on a linux client « Phocean.net (at www.phocean.net)
13:06 < xreal> okay, I'll give it a try
13:08 < xreal> by the way: there is a file named "update-resolv-conf" in my debian release.
13:08 < xreal> # To use set as 'up' and 'down' script in your openvpn *.conf:
13:08 < xreal> # up /etc/openvpn/update-resolv-conf
13:08 < xreal> seems to be pretty equal to the website you've posted
13:10 -!- mattock [~samuli@gprs-prointernet-ffaa6a00-71.dhcp.inet.fi] has joined #openvpn
13:14 -!- mattock [~samuli@gprs-prointernet-ffaa6a00-71.dhcp.inet.fi] has left #openvpn []
13:25 < krzee> and niether support WINS
13:25 < krzee> although to be honest, i dont know where a WINS server goes in a unix machine
13:26 < krzee> likely somewhere im smb.conf
13:26 <@dazo> samba stuff
13:26 < ecrist> yeah, samba
13:26 <@dazo> but not needed at all
13:26 <@dazo> on *nix
13:26 <@dazo> (not before you begin with SMB shares)
13:31 < xreal> oh ...I need to access SMB.
13:35 <@dazo> xreal: you don't need access to SMB *on* that new VM you've setup with Debian
13:35 <@dazo> you are not planning to mount SMB shares there, are you?   Or start a SMB server on it?
13:36 <@dazo> (meaning: you can do that over VPN without the gateway knowing anything about it)
13:39 < xreal> @dazo: let me explain
13:40 < xreal> the VM with the runs on the LAN. On the LAN, there are several network shares, which I want to access. The server runs at my hoster. I want to start another client from another network, connect to the server and access the shares from the LAN.
13:44 <@dazo> xreal: yes ... and that VM don't need to know a sh*t about SMB services at all ... all that one cares about is that routes and firewall is properly setup ... the other side of your VPN tunnel, where you are going to access SMB shares and whatever else, needs to know about that stuff ... and then the routing magic takes care of transporting that data to the right place and back again
13:45 <@dazo> your VM is just acting as a pipe into the right network ... what the pipe is filled with is irrelevant 
13:45 < xreal> okay
13:46 < xreal> I first need to get names working, since the IP addresses might change.
13:46 <@dazo> first you need to make sure your routing works without any problems ... because without that, your DNS client requests won't be able to figure out how to connect to the DNS server
13:47 < xreal> I can ping all the servers: computers, printers, DNS server, WINS server.
13:47 < xreal> How can I figure out, if routing is okay?
13:47 <@dazo> perfect!  can you do:  dig @DNS-SERVER-IP HOSTNAME
13:48 <@dazo> where HOSTNAME is an internal hostname ... and DNS-SERVER-IP is the IP address to your DNS server in the inside?
13:48 <@dazo> and this from the outside?
13:48 < xreal> 1 sec
13:49 < xreal> When I restart or reload the server, the client reconnects, but sometimes the client's complete network gets lost.
13:49 < xreal> That's no good :-(
13:49 <@dazo> nope
13:53 -!- joako_ [~joako@opensuse/member/joak0] has joined #openvpn
14:02 -!- raidz [~Andrew@seance.openvpn.org] has quit [Changing host]
14:02 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has joined #openvpn
14:03 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has quit [Quit: Leaving]
14:04 -!- raidz [~Andrew@seance.openvpn.org] has joined #openvpn
14:04 -!- raidz [~Andrew@seance.openvpn.org] has quit [Changing host]
14:04 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has joined #openvpn
14:04 -!- mode/#openvpn [+o raidz] by ChanServ
14:17 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
14:31 -!- dazo is now known as dazo_afk
14:33 -!- Jarpse [~jarpse@cluon.soleus.nu] has quit [Ping timeout: 276 seconds]
14:38 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 250 seconds]
14:38 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:39 -!- Jarpse [~jarpse@cluon.soleus.nu] has joined #openvpn
14:39 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
14:51 -!- diffen3 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
15:02 -!- qweqweqw1 [~alloy@tropyx.com] has joined #openvpn
15:03 -!- JPeterso2 [~JPeterson@c213-100-62-9.swipnet.se] has joined #openvpn
15:06 -!- s7r [~s7r@188.27.109.162] has quit [Ping timeout: 240 seconds]
15:06 -!- qweqweqwe [~alloy@tropyx.com] has quit [Ping timeout: 240 seconds]
15:06 -!- batrick [~batrick@batbytes.com] has quit [Ping timeout: 240 seconds]
15:06 -!- ksk [~ksk@im.knubz.de] has quit [Ping timeout: 240 seconds]
15:06 -!- etherealite [~ethereali@c-76-126-103-179.hsd1.ca.comcast.net] has quit [Ping timeout: 240 seconds]
15:06 -!- ksk_ [~ksk@im.knubz.de] has joined #openvpn
15:06 -!- etherealite [~ethereali@c-76-126-103-179.hsd1.ca.comcast.net] has joined #openvpn
15:06 -!- sc_ [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has quit [Ping timeout: 260 seconds]
15:08 -!- Netsplit *.net <-> *.split quits: JPeterson, Diffen2
15:08 -!- JPeterso2 is now known as JPeterson
15:09 -!- sc_ [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has joined #openvpn
15:11 -!- batrick [~batrick@batbytes.com] has joined #openvpn
15:17 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has joined #openvpn
15:18 -!- joako_ [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
15:28 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has quit [Quit: Leaving]
15:41 -!- nDuff [~cduffy@rrcs-97-79-207-2.sw.biz.rr.com] has joined #openvpn
16:20 < xreal> @dazo: dig @DNS-SERVER-IP HOSTNAME returns "1 server found", but even if the name is bogus :-(
16:21 -!- ksk_ [~ksk@im.knubz.de] has quit [Quit: leaving]
16:24 < xreal> It this means "DNS-Server found" ;-)
16:24 -!- Docteh [~mage@24.86.236.78] has quit [Read error: Connection reset by peer]
16:24 < xreal> but it doesn't find my internal server :-(
16:24 -!- Docteh [~mage@24.86.236.78] has joined #openvpn
16:32 -!- scenestar [scenestar@5356181D.cable.casema.nl] has joined #openvpn
16:32 -!- scenestar [scenestar@5356181D.cable.casema.nl] has quit [Client Quit]
16:32 -!- famicom [~famicom@h1606120.stratoserver.net] has joined #openvpn
16:32 < famicom> !welcome
16:32 < vpnHelper> famicom: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:32 < famicom> !topology
16:32 < vpnHelper> famicom: "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
16:33 -!- Cmdr_W_T_Riker [a90f7ee7dd@xs8.xs4all.nl] has quit [Ping timeout: 245 seconds]
16:34 < xreal> famicom: Hi.
16:34 -!- Nach0z_ [~IceChat7@c-24-126-201-120.hsd1.ga.comcast.net] has joined #openvpn
16:34 < famicom> Hi there
16:34 < famicom> I'm looking for a way of setting up a VPN mesh topology using OpenVPN
16:35 < nDuff> famicom, ...there are other products built for that purpose which might be a better choice unless you're going for something very small.
16:35 < xreal> famicom: Oops, I am a newbie. Better wait for dazo and krzee.
16:35 < famicom> nDuff i was worried about that
16:35 < famicom> what products do you suggest?
16:35  * nDuff was aware that mesh support was planned for OpenVPN 3.0 waaay back in the day, but doesn't believe any of that actually happened.
16:36 < nDuff> famicom, CloudVPN, perhaps? 
16:36 < famicom> :)
16:36 < famicom> already there :)
16:37 < xreal> nDuff: Do you know if it's possible for a server to use the DNS of a client?
16:37 < famicom> nDuff apart from CloudVPN, what other alternatives are there
16:37 < Nach0z_> hello. i've got an issue that i actually DONT think is the firewall atm... could be wrong... basically, when I start up the clientside openVPN, the log has this in it.. http://pastebin.com/6w9629tU
16:37 < famicom> and more importantly, what exactly is the main difference between the nature of OpenVPN or CloudVPN
16:38 < famicom> nDuff, would N2N perhaps be an option?
16:38 < nDuff> sorry, not familiar with it; I actually stopped following mesh VPN development closely quite some time ago (having never found anything that was in a suitable state for production use)
16:39 < famicom> humm
16:39 < famicom> yeah, i was afraid i was going to get that answer
16:41 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
16:41  * Nach0z_ 's openVPN fails so hard....
16:41 < keyhive> :)
16:41 < ecrist> nDuff: last I checked, openvpn 3 hasn't been released, or even started devel yet.
16:42 < nDuff> ecrist, indeed.
16:42 < ecrist> we're just getting ready to release 2.2, after which 3.0 devel will start.
16:42 < ecrist> lots of new things planned.
16:43 < nDuff> ecrist, ...I'm talking about blue-sky on-list brainstorming years ago rather than anything that ever became concrete
16:43 < famicom> hmmmm
16:43 < ecrist> !wishlist
16:43 < vpnHelper> ecrist: "wishlist" is https://forums.openvpn.net/viewforum.php?f=10 for the openvpn wishlist
16:43 < famicom> out of interest, are there people here who could in fact implement it?
16:43  * nDuff hasn't tracked OpenVPN closely since... oh, say, 2007?
16:44 < ecrist> openvpn devel has really kicked off in the last ~8 months
16:44 < ecrist> there's actually a community, now.
16:44 < famicom> eh, i kinda need this feature :)
16:44 < ecrist> famicom: you're not going to get mesh vpn for probably 2 years, at the earliest in openvpn
16:44 < famicom> hummm
16:44 < ecrist> if it even gets added
16:45 < famicom> what if i put up a bounty
16:45 < nDuff> famicom, ...if you've got the budget to hire it done, there _is_ James's consulting service
16:45 < ecrist> you can do it manually, where each client connects to eachother, but that can prove to be a pain
16:45 < ecrist> famicom: the current structure of the source doesn't allow for it.  
16:45 < nDuff> famicom, ...but last I knew, he didn't work cheap.
16:45 < nDuff> famicom, ...and as ecrist suggests, it would be a very big project.
16:46 < famicom> yeah, i'd have to "consult my wallet"
16:46 < ecrist> 3.0 is going to be a complete rewrite
16:46 < famicom> oh
16:46 < famicom> "complete rewrite" AKA "Not gonna happen"
16:46 < ecrist> trust me, 3.0 is going to happen, not sure 'mesh vpn' is high on the list.
16:47 < ecrist> vpn failover and other such things are much higher on the list
16:47 < famicom> hmmm
16:48 < krzie> mesh vpn is possible already, but its advanced and difficult
16:48 < krzie> !rip
16:48 < vpnHelper> krzie: "rip" is http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting for a writeup on using RIP in openvpn
16:48 < krzie> the goal behind that was mesh vpn
16:48 < ecrist> krzie: I should punch  you for suggesting that
16:48 < famicom> :P
16:49 < ecrist> we get people in here who can't use ping, much less understand a real routing protocol.
16:49 < krzie> lol sry
16:50 < famicom> hahaha
16:50 < famicom> actually, that's more or less what i'm looking for :)
16:50 < ecrist> does freebsd come with ripd or routed in base?
16:50 < ecrist> routed
16:51 < famicom> ok, i'm an idiot
16:51 < ecrist> krzie: if you were a man, you'd rewrite that RIPRouting page for BGPRouting
16:51 < ecrist> :)
16:51 < famicom> vpn failover and mesh
16:51 < krzie> quagga, dont think so
16:51 < famicom> what is the difference
16:52 < krzie> lol ecrist
16:52 < krzie> i wouldnt hold my breath, but that would rock
16:52 -!- Cmdr_W_T_Riker [~user@xs8.xs4all.nl] has joined #openvpn
16:52 < krzie> first ild need a chance to actually play with bgp (which would be very cool tbh)
16:53 < famicom> yeah, i got one for you :
16:53 < famicom> :P
16:53 < ecrist> krzie: to be honest, wouldn't it be bad-ass if openvpn supported stateful failover, and then couple that with BGP?
16:53 < krzie> ooo
16:53 < ecrist> BEST. VPN. EVER.
16:53 < famicom> yes
16:53 < famicom> it 
16:53 < famicom> would
16:54 < krzie> so like CARP but with ovpn failover
16:54 < ecrist> yeah, how you can use CARP + pf + pfsync
16:54 < ecrist> OpenVPN + CARP + OpenVPNsync
16:54 < ecrist> :)
16:54 < krzie> would require an encrypted link between the failover boxen, dont want that traffic being intercepted on lan
16:54 -!- s7r [~s7r@188.27.109.162] has joined #openvpn
16:55 < ecrist> encryption would be required.
16:55 < famicom> thats pretty much a given
16:55 < krzie> hrm, would either be a hack (not supported much in openvpn) or not real CARP, since carp is bsd only afaik
16:56 < ecrist> no, cisco supports it, the protocol is VRRP
16:57 < krzie> cisco doesnt support ovpn... does win/lin support VRRP?
16:57 < krzie> well maybe not win
16:57 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
16:57 < krzie> but if lin does... could be universal enough
16:57 < ecrist> krzie: yes, linux does support VRRP
16:57 < krzie> nice
16:58 < ecrist> keepalived
16:58 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
16:58 < ecrist> we're almost back to our ~100 users of two weeks ago, before we moved the channel
16:58 -!- Irssi: #openvpn: Total of 95 nicks [4 ops, 0 halfops, 0 voices, 91 normal]
17:00 < ecrist> krzie: did you know CARP uses some basic crypto for interface advertisements?
17:01 < krzie> sure did not, but would hope it did
17:01 < krzie> protection from mitm harassing it too much
17:01 < ecrist> UCARP is a portable version of carp for linux 2.4 & 2.6 it seems
17:02 < ecrist> most recent release, 1.5.2 on Feb 1, 2010
17:02 < ecrist> http://www.ucarp.org/project/ucarp/download
17:02 < vpnHelper> Title: UCARP - Download (at www.ucarp.org)
17:03 < krzie> very cool
17:03 < krzie> well with how modular 3.0 will be ild expect that could be done
17:03 < ecrist> so, use pfsync as a model for openvpn sync, couple it with carp/VRRP in mind, and WHAMO!
17:04 < krzie> agreed
17:04 < krzie> save this convo, could be gone over in a dev meeting
17:05 < Nach0z_> anyone know why my computer would be saying this stuff when I try to connect on openvpn? http://pastebin.com/6w9629tU
17:05 < vpnHelper> RSS Update - forum: Server Administration :: Problem resolving hostnames :: Author rpr <https://forums.openvpn.net/viewtopic.php?f=4&t=7164&p=7989#p7989>
17:10 < krzie> !wins
17:10 < vpnHelper> krzie: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
17:10 < krzie> meh
17:10 < krzie> !pushdns
17:10 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
17:10 < krzie> (for that forum post)
17:11 < xreal> krzie: I've drawn a new picture! http://imagebin.org/117467
17:11 < vpnHelper> RSS Update - forum: Server Administration :: Re: Problem resolving hostnames :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7164&p=7990#p7990>
17:11 < vpnHelper> Title: Imagebin - A place to slap up your images. (at imagebin.org)
17:12 < xreal> krzee: As far, as I've understood it, push "dhcp-option WINS a.b.c.d" only works for Windows Clients.
17:12 < Nach0z_> what's DHCP do exactly?
17:14 < krzie> yes xreal, its not needed on others
17:14 < krzie> you do that in samba
17:15 -!- Nach0z_ is now known as nach0z
17:15 -!- nach0z [~IceChat7@c-24-126-201-120.hsd1.ga.comcast.net] has quit [Changing host]
17:15 -!- nach0z [~IceChat7@unaffiliated/nach0z] has joined #openvpn
17:15 < krzie> if for some reason you wanted to add/remove it from samba it could be added to update-resolv-conf fairly easily once knowing what to add
17:19 < xreal> krzie: Can you have a look at my drawing? http://imagebin.org/117467
17:19 < vpnHelper> Title: Imagebin - A place to slap up your images. (at imagebin.org)
17:19 < krzie> in a bit
17:19 < krzie> just got home, chilling with my girl and watching pirates of the caribbean 3
17:21 < xreal> krzie: Okay, I will stay over the night and wait for your response.
17:22 < krzie> while you do that, pastebin:
17:22 < krzie> !configs
17:22 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
17:22 < krzie> and tell me what network your notebook is on
17:23 < xreal> krzie: forget the notebook right now, I want to make it working on the server first. That's more important to me ;-)
17:23 < krzie> and any gareways on the lan
17:23 < xreal> gateway ;)
17:24 < xreal> I will update my drawing.
17:28 -!- nach0z [~IceChat7@unaffiliated/nach0z] has quit [Ping timeout: 240 seconds]
17:32 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 276 seconds]
17:33 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
17:51 -!- Cmdr_W_T_Riker [~user@xs8.xs4all.nl] has quit [Quit: nickserv]
17:52 -!- katoen [39239487e7@xs8.xs4all.nl] has joined #openvpn
17:57 < |Mike|> cotton!
18:07 < famicom> MOUTH!
18:07 < famicom> time to blaze
18:08 < xreal> krzie: https://forums.openvpn.net/viewtopic.php?f=6&t=7165&start=0
18:08 < vpnHelper> Title: OpenVPN Support Forum View topic - notebook <-> external server <-> office LAN (at forums.openvpn.net)
18:10 < vpnHelper> RSS Update - forum: Configuration :: notebook external server office LAN :: Author LarsDaniel <https://forums.openvpn.net/viewtopic.php?f=6&t=7165&p=7991#p7991>
18:22 < krzie> of course without ccd you cant ping ips in ln
18:22 < krzie> lan
18:23 < krzie> currently with those configs, you can access everything in lan by IP?
18:23 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
18:24 < xreal> krzie: Oh wait, I was making music.
18:24 < xreal> krzie: yep, I do.
18:29 < krzie> weird, your ccd entry works?
18:29 < krzie> not a full path
18:30 < xreal> krzie: yes, it does.
18:30 < xreal> I can ping all the IPs: 10.0.100.1, 10.20.30.x, 10.20.x.x
18:31 < krzie> you can access smb shares by ip too
18:32 < xreal> krzie: I would like to do it by hostname, since the IPs can change.
18:32 < xreal> The admins are ... unprofessional ;)
18:32 < krzie> set your notebooks wins server manually and see if it works
18:33 < xreal> krzie: actually (please don't kill me), I don't have a notebook now. That's why I want to do in future (2-3 weeks). That's why I want to finish work on the server first. I'm working on this server every day.
18:33 < krzie> then you cant get it working like this
18:34 < krzie> unless you run samba on the server, but you dont care about that anyways
18:34 < xreal> krzie: But why can't it access hostnames from the server?
18:34 < krzie> your setup should work when windows clients connect
18:34 < xreal> it <-> I
18:34 < krzie> because unix servers dont use wins servers like windows do
18:34 < krzie> its a windows thing that unix supports by running samba
18:35 < xreal> So I need to config samba on the server to read hostnames from client's LAN ?
18:35 < krzie> but you dont even need to!
18:35 < xreal> krzie: I also want to access hostnames from the server. Sometimes I'm working on this server, too (X-Server).
18:36 < krzie> then setup samba
18:36 < krzie> !wins
18:36 < vpnHelper> krzie: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
18:36 < krzie> either way, this is no longer an openvpn issue
18:36 < xreal> krzie: Okay. But the setup is okay that far?
18:36 < krzie> this is about protocols, you already got your vpn done
18:36 < krzie> (protocols that run on top of the vpn)
18:38 < xreal> krzie: Okay, I've added wins server to samba config and restarted samba.
18:38 < krzie> you dont want to run one tho, you want to use the one on the other side of the vpn
18:39 < xreal> yep
18:39 < krzie> cool
18:39 < xreal> "7.3.2 Setting Up Samba to Use Another WINS Server"
18:39 < krzie> you're in territory i cant help with, i dont use windows or samba, nor do i support it
18:39 < krzie> i help people with openvpn ;]
18:39 < xreal> ping: unknown host wks02
18:39 < xreal> d'oh
18:39 < xreal> I'll write a tutorial after I'm finished.
18:40 < krzie> may as well update your forum post too, since your config on there is correct
18:40 < krzie> and works right, ie: not an openvpn issue
18:44 < xreal> MMh, I can't get it working.
18:52 < xreal> krzie: Do I actually need to set push "redirect-gateway"
18:52 < xreal> to make it work?
18:56 < krzie> oh for the redirecting over the vpn
18:56 < krzie> that will only work out the server's inet connection
18:56 < krzie> not out from another client's
18:56 < krzie> it COULD do that, but im not sure how nor do i care to figure it out
18:56 < krzie> lol
18:57 < xreal> krzie: let's try
18:57 < krzie> try what
18:59 < xreal> nope, didn't work.
18:59 < xreal> push "redirect-gateway"
18:59 < xreal> But, okay, now I know that redirect-gateway works ;-)
18:59 < krzie> !redirect
18:59 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:59 < xreal> The client is using the server as a gateway and has its IP now.
19:00 < xreal> krzie: Yes, I know. But I wanted to try, if hostnames work then.
19:00 < krzie> LOL
19:00 < krzie> why would they
19:00 < krzie> i dont think you understand, its your samba you need to work on now
19:00 -!- coppermine [~coppermin@184-106-129-151.static.cloud-ips.com] has joined #openvpn
19:00 < xreal> krzie: I've set up the samba exactly as written in MAN file.
19:01 < krzie> openvpn wont help you anymore twords your goal over getting wins resolution working in unix
19:01 < krzie> xreal, thats great, go talk to people who support samba for that
19:01 < xreal> ;-)
19:01 < coppermine> if im using an openvpn tunnel for my internet traffic and i run a deamon on my local machine before the tunnel, im not able to see the port, do i need to forward the port via the tunnel somehow?
19:01 < xreal> ok
19:01 < krzie> !notovpn
19:01 < vpnHelper> krzie: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
19:01 < krzie> coppermine, return traffic goes over the default gateway
19:02 < coppermine> somehow from the outside the port is not seen open
19:02 < krzie> assymetric routing with different IPs, the return traffic gets to the requester, but ignored because its not part of the established session
19:02 < coppermine> if i use my ip before the tunnel
19:04 < coppermine> so how to i not make it get ignored?
19:05 < krzie> coppermine, when the client redirects all traffic over the server, no machines can reach the clients services, unless there is a more specific route to that machine in the client's routing table
19:05 < coppermine> neat, so i guess its security
19:05 < krzie> https://forums.openvpn.net/viewtopic.php?f=15&t=7161&hilit=split+route
19:05 < vpnHelper> Title: OpenVPN Support Forum View topic - Split tunnel tweaks? (at forums.openvpn.net)
19:05 < coppermine> i would just disable the vpn to access the port then
19:05 < krzie> kinda... a firewall is better still ;)
19:05 < krzie> but ya, you can allow certain machines to access without being on the vpn
19:06 < coppermine> krzie: i re-read what you said the other day and it made more sense
19:06 < coppermine> !ogg
19:06 < vpnHelper> coppermine: Error: "ogg" is not a valid command.
19:06 < coppermine> hmmm
19:06 < coppermine> !occ
19:06 < vpnHelper> coppermine: Error: "occ" is not a valid command.
19:06 < krzie> ccd?
19:06 < coppermine> !ccd
19:06 < vpnHelper> coppermine: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
19:06 < coppermine> yes
19:06 < coppermine> basically each client has its own unique configs
19:06 < coppermine> in a file
19:06 < krzie> but pieces of the server config
19:06 < krzie> specific to the client
19:06 < coppermine> right
19:07 < krzie> yup
19:07 < coppermine> for now i just set up a squid server access for the other lan pcs
19:07 < coppermine> for an immediate fix
19:07 < krzie> ouch
19:07 < coppermine> one fo them is windows vista yuck
19:07 < coppermine> sos i dont want to deal with windows clients openvpn
19:07 < krzie> at least use socks
19:07 < krzie> squid isnt meant to imrove security
19:08 < coppermine> i dont see socks deamon
19:09 < coppermine> tsocks ?
19:09 < coppermine> its a library
19:10 < krzie> i use dante
19:11 < coppermine> found it
19:11 < coppermine> dante
19:11 < coppermine> yes
19:11 < krzie> but this isnt the place for help setting that up ;]
19:12 < coppermine> looks simple
19:12 < coppermine> like squid
19:12 < krzie> yup, pretty simple
19:12 < krzie> although it doesnt xmit http like squid, but rather udp/tcp
19:13 < coppermine> but clients can use firefox with it?
19:13 < krzie> google it
19:13 < coppermine> in what regards is it more secure than squid
19:13 < coppermine> squid redirects traffic via another ip
19:13 < coppermine> socks is a layer 5
19:13 < coppermine> on the osi model
19:16 < krzie> what does squid use to encrypt your traffic...?
19:16 < coppermine> nothing that i know of
19:17 < krzie> correct
19:17 < krzie> socks is what ssh tunnels use
19:17 < krzie> in a manner of speaking
19:17 < coppermine> but for any connection to be truely encrypted from two endpoints it must be decrypted on the other end
19:17 < krzie> umm, no shit lol
19:18 < coppermine> so if i go to www.ibm.com , how will the're httpd encrypt/decrypt the socks protocol?
19:21 < krzie> they wont, its between you and the socks server
19:21 < krzie> just like if you use openvpn
19:21 < coppermine> ok so beyond socks its regular
19:21 < krzie> beyond the socks its whatever you and the server you reach agree on
19:22 < krzie> regular or otherwise
19:22 < coppermine> can i use socks on top of openvpn?
19:22 < krzie> yes, in fact...
19:22 < krzie> !routebyapp
19:22 < vpnHelper> krzie: "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
19:23 < krzie> its what i do :-p
19:23 < coppermine> ty sir
19:23 -!- coppermine [~coppermin@184-106-129-151.static.cloud-ips.com] has quit [Quit: leaving]
19:29 < vpnHelper> RSS Update - forum: Wishlist :: Re: Port Hopping... :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=10&t=7162&p=7992#p7992>
19:33 -!- coppermine [~coppermin@184-106-129-151.static.cloud-ips.com] has joined #openvpn
19:33 < coppermine> great there's no #dante
19:33 < coppermine> and i get a segmentation fault
19:33 < coppermine> and my convfig file is fine -V
19:35 < vpnHelper> RSS Update - forum: Wishlist :: Re: authenticate to socks daemon :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=10&t=3790&p=7993#p7993>
19:35 < coppermine> i found my prob
19:35 < coppermine> had an extra line in there
19:36 -!- coppermine [~coppermin@184-106-129-151.static.cloud-ips.com] has quit [Client Quit]
19:49 -!- DrJ is now known as Bacon
19:49 -!- Bacon is now known as DrJ
19:54 -!- coppermine [~coppermin@184-106-129-151.static.cloud-ips.com] has joined #openvpn
19:54 < coppermine> krzie: that was amazing
19:54 < coppermine> emerge --unmerge squid :)
19:56 < coppermine> so whats the difference between a vpn and a socks connection from client to server then?
19:58 < krzie> huge difference
19:58 < krzie> !vpn
19:58 < vpnHelper> krzie: "vpn" is http://openvpn.net/index.php/open-source/faq/75-general/293-what-is-the-principle-behind-openvpn-tunnels.html for a basic rundown of what a vpn is
20:01 < coppermine> thats fine, they use wires as an analogy with /dev/cable as example, but earlier you said both encrypt the connection from a to b
20:04 < coppermine> this technology is pretty good because im using my openvpn tunnel right now and on top of it is socks running and im able to listen to live streaming music without any delay, so the encryption/decryption X 2 happens really quick
20:04 < coppermine> no latency
20:12 -!- coppermine [~coppermin@184-106-129-151.static.cloud-ips.com] has quit [Quit: Lost terminal]
20:21 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
20:22 < xreal> Anyone with experience in Samba?
20:24 < krzie> !notovpn
20:24 < vpnHelper> krzie: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
20:24 < krzie> hell, #samba is bigger even
20:24 < krzie> lol
20:25 < xreal> krzie: everyone asleep in there
20:25 < krzie> idle there and hope for help
20:25 < krzie> this is the openvpn help channel
20:26 < xreal> okay, then a openvpn question: I've read " topology subnet" could solve my problem?
20:26 < krzie> no
20:26 < krzie> i have told you 3x now, openvpn is done being configured twords that goal
20:26 < krzie> now you need netbios resolution, via WINS
20:27 -!- mode/#openvpn [+o krzie] by ChanServ
20:27 < xreal> krzie: I am just using Google to find other people with equal problems.
20:27 < theDoc> krzee> Doesn't one have to run openvpn in bridge mode to deal with netbios?
20:27 < xreal> I've set up Samba exactly as needed.
20:28 <@krzie> theDoc, bridge is a bad solution for that, he just needs wins 
20:28 <@krzie> xreal, obviously not
20:28 < theDoc> I'm not familiar with netbios but you can run that in routing mode?
20:28 <@krzie> theDoc, wins
20:29 <@krzie> layer3 solution for netbios resolution
20:29 < theDoc> ah, ok.
20:29 < theDoc> Damn Windows protocols :P
20:29 <@krzie> http://en.wikipedia.org/wiki/Wins_server
20:29 < vpnHelper> Title: Windows Internet Name Service - Wikipedia, the free encyclopedia (at en.wikipedia.org)
20:29 < xreal> What about this? http://openvpn.net/archive/openvpn-users/2007-08/msg00144.html
20:29 < vpnHelper> Title: Re: [Openvpn-users] Vista, Samba, WINS server - browse lists not working in same workgroup across VPN (at openvpn.net)
20:30 <@krzie> hrm, give it a shot
20:30 <@krzie> i always use topology subnet anyways
20:31 < xreal> @krzie: adding "topology subnet" to my server.conf makes the tunnel not working again.
20:31 < xreal> I can't ping any IP.
20:33 <@krzie> sounds like you worked real hard to fix that before saying it here
20:33 <@krzie> lol
20:34 <@krzie> get rid of ifconfig-pool-persist ipp.
20:35 < xreal> k
20:36 < xreal> @krize: nope, didn't help me.
20:37 -!- chungy [~mike@ip24-253-68-14.lv.lv.cox.net] has joined #openvpn
20:38 <@krzie> kill and start fresh both sides
20:39 < xreal> I did, of course
20:42 < xreal> I even can't ping the other tun0 now.
20:43 <@krzie> are both sides 2.1.3?
20:47 < xreal> @krzie: both are the same version, let me check which one
20:47 -!- Alphanaut [~chatzilla@c-98-229-67-227.hsd1.ma.comcast.net] has joined #openvpn
20:47 <@krzie> doesnt mattwe that both are the same, matters that both are > 2.1
20:47 < xreal> OpenVPN 2.1_rc11
20:48 <@krzie> if both arent 2.1.3, go upgrade
20:48 < xreal> debian lenny ...
20:48 <@krzie> !download
20:48 < vpnHelper> krzie: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
20:48 < xreal> okay ... backporting 2.1.3
20:49 -!- joako_ [~joako@99-153-162-173.lightspeed.miamfl.sbcglobal.net] has joined #openvpn
20:49 -!- joako_ [~joako@99-153-162-173.lightspeed.miamfl.sbcglobal.net] has quit [Changing host]
20:49 -!- joako_ [~joako@opensuse/member/joak0] has joined #openvpn
20:51 <@krzie> backporting...?
20:52 <@krzie> you are updating
20:52 <@krzie> you are using a pre 2.1 version
20:53 < xreal> compiling ...
20:53 < xreal> @krzie: I am on debian. package manager, you know? :-)
20:53 <@krzie> i dont believe that they havnt updated their sources still
20:54 < xreal> even in next release, there is only 2.1
20:54 <@krzie> i would think you're just not upto date with their sources
20:54 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: allow ssh via on non vpn address while vpn is open :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7163&p=7994#p7994>
20:54 < xreal> will be release 2011
20:54 <@krzie> ya 2.1.2/3 were mainly for windows
20:54 < xreal> [x] compilation & backport done.
20:54 < xreal> upgrading to 2.1.3
20:55 < xreal> [x] done
20:56 < xreal> without a problem
20:56 <@krzie> check the other side is up to date as well
20:56 <@krzie> topology subnet was invented during the 2.1 rc process
20:56 <@krzie> you need at least 2.1.1
20:56 < xreal> yes, I've done both.
20:57 < xreal> both are 2.1.3 now.
20:57 < xreal> But still, I cannot ping them anymore. Not even the other tun0
20:57 <@krzie> post your logs
20:57 <@krzie> from both sides
20:57 < xreal> oh wait. I can ping the server from the client.
20:57 < xreal> Which logs? Syslog?
20:57 <@krzie> !logfile
20:57 < vpnHelper> krzie: "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info
20:58 < xreal> okay, creating one.
20:58 < xreal> verb 5 ?
21:00 < xreal> @krzie: can I PM it to you, since there are IPs inside?
21:00 < xreal> PM the pastebin, of course
21:11 < xreal> krzie?
21:17 -!- nach0z [~IceChat7@unaffiliated/nach0z] has joined #openvpn
21:17 < nach0z> hello again. is there more than one directory in Ubuntu that certificates are made to, or is it just /etc/openvpn/easy-rsa/keys ?
21:18 <@krzie> xreal, if its that top secret, you probably want to hire support
21:19 <@krzie> no use im PM'ing to me, im headed out
21:19 <@krzie> but theres plenty others here who can help if you show that you're trying on your own as well
21:21 < xreal> @krzie: Since I'm working for 4 days on this, support would prob. cheaper.
21:33 <@krzie> heh, my first of the type you are doing took a lil longer than that
21:33 <@krzie> and basically nobody was in this channel then
21:34 -!- mode/#openvpn [-o krzie] by krzie
22:16 -!- Alphanaut [~chatzilla@c-98-229-67-227.hsd1.ma.comcast.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.10/20100914125854]]
22:17 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
22:26 -!- nach0z [~IceChat7@unaffiliated/nach0z] has left #openvpn []
22:36 -!- nb [~nb@fedora/GSWoT.Member.nb] has quit [Read error: Operation timed out]
22:39 -!- nb [~nb@fedora/GSWoT.Member.nb] has joined #openvpn
23:16 -!- joako_ [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
--- Day changed Fri Oct 08 2010
00:02 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 255 seconds]
00:14 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
00:23 -!- joako_ [~joako@opensuse/member/joak0] has joined #openvpn
00:45 -!- fahmad [~linux@vpn.server4sale.com] has joined #openvpn
00:45 -!- fahmad [~linux@vpn.server4sale.com] has quit [Changing host]
00:45 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
01:12 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: allow ssh via on non vpn address while vpn is open :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7163&p=7995#p7995>
01:13 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Ping timeout: 240 seconds]
01:19 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
01:22 -!- chungy [~mike@ip24-253-68-14.lv.lv.cox.net] has quit [Quit: Leaving]
01:36 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: allow ssh via on non vpn address while vpn is open :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7163&p=7996#p7996>
02:14 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
02:17 -!- dazo_afk is now known as dazo
02:42 < fahmad> dazo: hey
02:42 <@dazo> fahmad: hey!
02:42 < fahmad> how are you brot
02:42 < fahmad> 8brother*
02:42 < fahmad> i have one question 
02:43 <@dazo> shoot!
02:43 < fahmad> is there any way that i can automate disconnection of user using command line ...
02:44 <@dazo> look at the management interface
02:44  * dazo need to run to a meeting
02:44 < fahmad> dazo: umm
02:44 < fahmad> ok
02:44 < fahmad> i know that but you can go for meeting we will talk later
02:44 < fahmad> ok
02:48 < fahmad> dazo: its like we need to telnet into the management ...
02:48 < fahmad> and then we can issue `kill user`
02:48 < fahmad> but can we do same using command line ?
02:55 -!- joako_ [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
02:59 < kraut> moin
03:01 < theDoc> o/ kraut 
03:01 -!- Chaze [~Chase@74.117.157.254] has joined #openvpn
03:02 < Chaze> hi there. my openvpn log file became quite large, so i emptied it with a simple echo. but on the next write operation to the log, it all was restored.
03:02 < Chaze> which is kinda odd. i doubt that 30mb of log are being kept in memory
03:03 < Chaze> anyone got an idea what's happening there?
03:09 -!- Chaze [~Chase@74.117.157.254] has quit [Ping timeout: 240 seconds]
03:20 -!- Chaze [~Chase@74.117.157.254] has joined #openvpn
03:20 < Chaze> sorry, got disconnected. in case anyone answered, could you send it again?
03:26 -!- Xen^ [~linux@vpn.server4sale.com] has joined #openvpn
03:27 -!- fahmad [~linux@unaffiliated/fahmad] has quit [Disconnected by services]
03:27 -!- Xen^ is now known as fahmad
03:27 -!- fahmad [~linux@vpn.server4sale.com] has quit [Changing host]
03:27 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
03:31 -!- Chaze [~Chase@74.117.157.254] has quit [Ping timeout: 255 seconds]
03:33 -!- Chaze [~Chase@74.117.157.254] has joined #openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:42 -!- marshallmc1 [~name1@74.215.88.221] has joined #openvpn
03:54 < kraut> moin theDoc 
04:11 < theDoc> lol, thewebsiteisdown
04:15 -!- nb [~nb@fedora/GSWoT.Member.nb] has quit [Read error: Operation timed out]
04:18 -!- nb [~nb@fedora/GSWoT.Member.nb] has joined #openvpn
04:22 -!- le0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has joined #openvpn
04:22 -!- le0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has quit [Changing host]
04:22 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
04:23 -!- Chaze [~Chase@74.117.157.254] has quit [Ping timeout: 240 seconds]
04:49 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
05:18 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
05:18 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
05:31 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: allow ssh via on non vpn address while vpn is open :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7163&p=7997#p7997>
05:49 -!- xreal [~mweber@mailgw.FB12.Uni-Dortmund.DE] has quit [Quit: Switch off the lights and close your eyes. Feel the energy inside.]
05:57 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
05:57 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
05:57 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:07 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
06:20 -!- Beginner1 [~chatzilla@p57A9153F.dip0.t-ipconnect.de] has joined #openvpn
06:20 < Beginner1> hello :) 
06:20 < Beginner1> im having some general network/openvpn problems :/ ...
06:21 < Beginner1> local network. 192.168.0.1. vpn 10.8.0.1 server "server01" = 192.168.0.100 + 10.8.0.30 vpn ip. ive entered "10.8.0.30 server01" into windows/system32/drivers/etc/hosts an "ping server01" works just fine to 10.8.0.30. 
06:21 < Beginner1> but i cant enter "\\server01" into windows explorer to brwose the share..... something just seems wrong? the same config worked on 3 other laptops? am i missing something?
06:24 -!- katoen is now known as cmdr_w_t_riker
06:28 -!- cmdr_w_t_riker is now known as Cmdr_W_T_Riker
06:30 -!- Beginner1_ [~chatzilla@p57A906D8.dip0.t-ipconnect.de] has joined #openvpn
06:32 -!- Beginner1 [~chatzilla@p57A9153F.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds]
06:32 -!- Beginner1_ is now known as Beginner1
06:51 -!- Beginner1 [~chatzilla@p57A906D8.dip0.t-ipconnect.de] has quit [Quit: ChatZilla 0.9.85 [SeaMonkey 2.0.6/20100701063550]]
07:09 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
07:13 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
07:51 -!- VirusTB [~VirusTB@ip-145-93-222-147.fontys.nl] has joined #openvpn
07:52 -!- Capkirk [~thomas@0133300189.0.fullrate.dk] has joined #openvpn
07:55 < Capkirk> doing a normal roadwarrior setup i push a network behind vpnserver with the "push" directiv - the client recives adresse and can ping vpnserver fine but traffic from client only reaches the tun interface on vpnserver - i feel i miss something :)
07:56 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
07:57 -!- daguz1 [~leo@208.1.63.50] has left #openvpn []
08:01 -!- VirusTB [~VirusTB@ip-145-93-222-147.fontys.nl] has quit [Quit:  has left the bulding]
08:07 <@dazo> Capkirk: firewalling, ip forwarding and making sure there's a route back to the VPN from the box on the inside
08:09 < Capkirk> no firewalling
08:09 < Capkirk> ipforwarding
08:09 < Capkirk> must be it
08:10 < Capkirk> thanks
08:10 < Capkirk> it was ipforwarding ;-)
08:24 -!- Capkirk [~thomas@0133300189.0.fullrate.dk] has quit [Quit: weekend!]
08:36 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
08:47 < vpnHelper> RSS Update - forum: Server Administration :: Re: Problem resolving hostnames :: Reply by rpr <https://forums.openvpn.net/viewtopic.php?f=4&t=7164&p=7998#p7998>
08:48 -!- marshallmc1 [~name1@74.215.88.221] has quit [Ping timeout: 265 seconds]
09:06 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
09:07 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
09:09 -!- eKKiM [~eKKiM@d5152FCBD.static.telenet.be] has joined #openvpn
09:17 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
09:17 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Selected trafic which goes into the VPN :: Author glloq <https://forums.openvpn.net/viewtopic.php?f=15&t=7166&p=7999#p7999>
09:21 < kisom> waah
09:21 < kisom> 4:21 PM, friday
09:21 < kisom> worst time of the week
09:23 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Remote host closed the connection]
09:24 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
09:25 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
09:47 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
09:56 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
10:07 -!- eKKiM [~eKKiM@d5152FCBD.static.telenet.be] has quit [Ping timeout: 276 seconds]
10:17 -!- kotique [~kotique@bluemile.vps.deepunix.net] has joined #openvpn
10:17 < kotique> guys, why aren't you considering moving off openssl? it's impossible to hack it absolutely
10:18 < jeev> what
10:18 < jeev> it's impossible to jhack it absolutely
10:18 < jeev> moving off to what?
10:18 <@dazo> kotique: we're planning better modularity for OpenVPN3
10:18 < kotique> off openssl to somewhere 
10:18 < kotique> it's fricking impsible to work wiht openssl
10:18 < Rienzilla> lol
10:18 < Rienzilla> what's wrong with openssl :)
10:18 < kotique> 1) no documentation
10:18 < kotique> that's enough
10:18 < Rienzilla> ?
10:19 <@dazo> the docs are not good in general when coding openssl ... that's very true
10:19 < kotique> how do I read subjalt extension and set it into openpnv 's environment that's passed to scritp
10:19 < ecrist> openssl docs suck, I'll concur
10:19 < Rienzilla> ok :)
10:19 <@dazo> kotique: can you please rephrase your question ... not sure I follow you
10:20 < kotique> let me explain what I want 
10:20 <@dazo> :)
10:20 < kotique> cert = OpenSSL::X509::Certificate.new(cstr)
10:20 < kotique> dn_ext = cert.extensions.find { |ext| ext.oid =~ /subjectAltName/i }
10:20 < kotique> dnstr = dn_ext.value.sub(/^dirname:\//i, '').split('/').reverse.join(',')
10:20 < kotique> that's all
10:20 < kotique> that's all what i want
10:21 < kotique> now i want this inside opnepnv written in C
10:21 < kotique> cstr is sting holding the certificate in PEM 
10:21 < kotique> dnstr is the output string that i want to be set in script's environment
10:21 <@dazo> okay
10:21  * dazo looks up some stuff
10:23  * dazo looks at verify_callback() in ssl.c in OpenVPN source code
10:23 < kotique> i see where I can get certificate handle or whatever it's called. now i need either  convert the whole cert in PEM format and set to an environmental variable or  do the above chunk in C
10:23 < kotique> of course it's in verify callback, don't think you're smart here
10:23 < kotique> better tell me how do I convert the cert in PEM
10:24 < kotique> I'd better manipulate whole thing in ruby that deal with c functions.
10:24 <@dazo> kotique: that PEM string ... where do you get it from?
10:25 < kotique> that's the question, how do I convert ctx->current_cert into pem
10:25 <@dazo> kotique: but from your snippet you eant to extract some values from it .... subjectAltName, if I'm not mistaken
10:26 < kotique> dazo, are you an openvpn developer?
10:26 <@dazo> I do maintain the openvpn-testing.git tree for the community
10:26 <@dazo> I'm not too deep into all intricate details in OpenVPN but begin to have some overview
10:27 < kotique> well then you aren't the right person then :)
10:27 <@dazo> okay, then I won't say anything else to you
10:27 < kotique> ;-) thanks
10:27 -!- mode/#openvpn [-v kotique] by dazo
10:29 -!- lolmaus^hey [b2ecf12a@gateway/web/freenode/ip.178.236.241.42] has quit [Ping timeout: 265 seconds]
10:30 < ecrist> kotique: aside from James Yonan, dazo was probably your best bet.
10:31 < kotique> openssl is overly complicated, I need someone who has written that very callback routine
10:31 < kotique> *verify
10:31 < ecrist> like I said...
10:31 < ecrist> james is the 'someone'
10:32 < kotique> thaks for help
10:37 -!- chungy [~chungy@mail.bingoblabber.com] has joined #openvpn
10:38 < chungy> Hello, I'm having some network configuration issues and I hope someone can help
10:38 < chungy> I'm trying to use a domU on a CentOS 5.5 machine w/ Xen to host an openvpn server
10:39 < chungy> I need to use a network bridge but when I setup the bridge on the domU, I can't talk over the network anymore (eg, an ssh connection even goes dead ...), until I log into the dom0 and use "xm console openvpn" to login and remove the bridge
10:40 < nDuff> chungy, when you say "setup the bridge" -- there are several non-Xen-specific things you could be doing which would have that effect
10:40 < Rienzilla> if you just add a bridge inside the VM it is probably not xen-related
10:41 < nDuff> chungy, ...could you pastebin some logs or such showing the exact sequence of commands? If you're just adding the device to the bridge without transferring the IP, route, and other configuration over to the bridge from the device, for instance, that would have the effect you describe.
10:41 -!- Irssi: #openvpn: Total of 96 nicks [4 ops, 0 halfops, 0 voices, 92 normal]
10:41 < Rienzilla> but creating a bridge, giving the bridsge the ip information that belongs to your nic, and adding the nic as a slave to the bridge should work (after ~30 seconds)
10:42 < nDuff> (after clearing the IP off of the device itself, ie. assigning it address 0.0.0.0)
10:43 < chungy> well I tried to do "brctl addbr br0" and "brctl addif br0 eth0" directly, it cuts off after the second
10:43 < chungy> the bridge-start script from openvpn fails too but I'm not sure if I need to modify the paramaters in it
10:43 < nDuff> chungy, if you didn't transfer the IP onto br0 off of eth0, that wouldn't work. (It's safest to do that via xm console anyhow, btw, as the whole process is kind of tricky to get right the first time without breaking networking temporarily)
10:44 < nDuff> chungy, (IP, route, and all other associated configuration)
10:44 < nDuff> chungy, ...really, it's much easier to configure your OS to bring the bridge up at boot time.
10:45 < chungy> how do I go about doing that?
10:45 < nDuff> which value of "that"?
10:45 < chungy> Setting the bridge at boot time
10:45 < nDuff> depends on your OS
10:45 < chungy> Setting up*
10:45 < chungy> ah, the domU is also CentOS 5.5
10:45 < nDuff> their documentation and support forums should have coverage
10:47 < nDuff> chungy, ...the steps for that aren't OpenVPN-specific; folks building qemu/kvm virtual machines often uses bridges for the exact same reason.
10:47 -!- arejay [arejay@i.write.shellcode.eu] has quit [Read error: Operation timed out]
10:48 < chungy> alright I'll look around
10:49 < nDuff> chungy, ...as a hint, you'll want an ifcfg-br0 file
10:50 < chungy> btw something else I'm confused about... with bridging, can I take care of conflicts with network addresses, where both sides are 10.0.0.0/24... if I read correctly this should be taken care of by iptables
10:52 < chungy> though openvpn at that level doesn't deal with IP I may be asking in the wrong place :p
10:52 < nDuff> chungy, ...ehm. The place to look for an answer to that would be http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png
10:52 < nDuff> chungy, ...particularly, you'd want to see if bridged packets go through PREROUTING and POSTROUTING
10:54 < nDuff> ...and much to my surprise, it looks like they do... so there's a chance you might be able to make that work.
10:56 < chungy> I can't imagine my situation deviates too much from the norm :p
10:57 < nDuff> using NETMAP is already deviating from the norm
10:57 < nDuff> most folks do what they can to avoid having address space conflicts
10:57 < nDuff> and needing a bridged rather than a routed VPN is also contrary to best practices (unless you have a compelling reason to do otherwise, which many people admittedly do)
10:59 < chungy> Well mainly I need to make the office network here available from outside, just for working, eg, at home; didn't seem that routing would let it act as the full network
10:59 < chungy> unless I'm mistaken
11:00 < nDuff> what do you mean by "let it act as the full network"?
11:00 < chungy> as if the machine remotely were part of the LAN
11:00 < nDuff> you have access to all the hosts on it, but don't get broadcast traffic. Broadcast traffic is often more trouble than it's worth, though, so that can be a feature not a bug.
11:01 < chungy> hmm, I may be misunderstanding then, I thought routing would require me to set up connections to each machine independently
11:05 < nDuff> chungy, no -- you just need the remote gateway to play nice
11:07 < nDuff> chungy, ...assign some separate IP space to the VPN that's outside the individual systems' view of what their LAN is, such that they send traffic intended for VPN systems to their default gateway; make sure that gateway either _is_ the VPN server, or directs traffic intended for VPN clients over to it, and everyone behind the gateway then knows how to get to your VPN clients.
11:08 < chungy> this whole vpn thing is a lot more confusing than I expected...
11:10 < ecrist> we get that a lot
11:10 < chungy> well ok, the thing I don't understand, if the VPN clients are all on 10.8/16, with routing how do I talk to 10.0/16 if I assume the home network (or wherever) is also 10.0/16
11:11 < chungy> I was trying to get bridging because I thought I needed to handle that with iptables that way
11:12 < nDuff> chungy, you can either use NETMAP (which definitely works with a routed VPN) to make 10.0/16 addresses accessible as 10.1/16 (or whatever), or you can specify that employees Shall Not have their home networks on 10.0/16
11:12 < nDuff> (if they want to access the VPN)
11:13  * nDuff has historically gone the latter route; far fewer complications than dealing with protocols which pass around callback addresses and such getting confused by NETMAP.
11:13 < chungy> first one sounds like the only reasonable course
11:13 -!- diffen3 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 276 seconds]
11:13 < nDuff> ehh, it's a home network; how hard is it to renumber? Putting a home network on 10.0 is irresponsible anyhow, as it's where corporate networks tend to be -- and since there are only so many private ranges, it's pretty clear on its face that you're going to need to VPN into something on 10.0 _sometime_.
11:14 < chungy> one of the coworkers will probably be connecting from coffee shops or random wifi points when he's on a boat, I can't really dictate how the networks are set up
11:14 < nDuff> fair 'nuff, but there are routing tricks you can play to send traffic to everything but the machine they're on presently and its gateway across the wire
11:15 <@dazo> won't --redirect-gateway be a trick around such scenarios?
11:15 <@dazo> not ideal as you get all Internet traffic over VPN as a consequence
11:16 < nDuff> yup, that's just what I was referring to
11:17 -!- diffen3 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
11:50 < vpnHelper> RSS Update - forum: Wishlist :: Re: Port Hopping... :: Reply by smshaker <https://forums.openvpn.net/viewtopic.php?f=10&t=7162&p=8000#p8000>
11:51 -!- joako_ [~joako@99-153-162-173.lightspeed.miamfl.sbcglobal.net] has joined #openvpn
11:51 -!- joako_ [~joako@99-153-162-173.lightspeed.miamfl.sbcglobal.net] has quit [Changing host]
11:51 -!- joako_ [~joako@opensuse/member/joak0] has joined #openvpn
11:58  * kisom is on the bus, having free internet thanks to openvpn as usual
12:12 < kisom> http://www.wired.com/threatlevel/2010/10/fbi-tracking-device/
12:13 < vpnHelper> Title: Caught Spying on Student, FBI Demands GPS Tracker Back | Threat Level | Wired.com (at www.wired.com)
12:13 < kisom> God bless america :)
12:22 -!- dazo is now known as dazo_afk
12:46 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
12:58 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
13:16 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 264 seconds]
13:23 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined #openvpn
13:36 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
13:43 -!- eKKiM [~eKKiM@d51A4B49E.access.telenet.be] has joined #openvpn
13:48 < keyhive> BTW I found a solution to a problem I had been having with WindowsXP briding.
13:48 < keyhive> The Microsoft RIP Listener Service wasn't installed
13:50 < ecrist> are you running RIP on your network?
13:51 < krzie> ya something sounds very wrong with that
13:54 -!- s7r [~s7r@188.27.109.162] has left #openvpn []
14:12 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:20 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
14:26 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
14:29 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
14:37 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 240 seconds]
15:01 -!- kotique [~kotique@bluemile.vps.deepunix.net] has quit [Ping timeout: 265 seconds]
15:04 < chungy> ok I'm just lost... examples I find with iptables are both about 192.168/16 and tap0
15:04 < chungy> like this one http://nimlabs.org/~nim/dirtynat.html
15:04 < vpnHelper> Title: NAT tricks for VPN with clients in private address ranges (at nimlabs.org)
15:04 < chungy> I've tried to change numbers around to deal with 10/8 I think and tun0 but it doesn't seem to work... I lose access remotely to talk to the VPN server
15:06 < chungy> i tried this for example
15:06 < chungy> iptables -t nat -A PREROUTING -d 10.8.0.0/24 -j NETMAP --to 192.168.8.0/24
15:06 < chungy> iptables -t nat -A PREROUTING -i tun0 -d 192.168.0.0/16 -j NETMAP --to 10.0.0.0/16
15:06 < chungy> iptables -t nat -A POSTROUTING -o tun0 -s 10.8.0.0/16 -j NETMAP --to 192.168.0.0/16
15:06 < chungy> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/16 -j NETMAP --to 10.0.0.0/16
15:07 < chungy> I can't even ping 10.8.0.1 or 192.168.8.1 after that (the later I expect it to be remotely... if i'm not mistaken)
15:08 < chungy> without iptables stuff I can ping 10.8.0.1 fine, but both networks are 10.0.0.1 locally so I can't really talk to other LAN computers remotely
15:08 -!- Docteh [~mage@24.86.236.78] has quit [Read error: Connection reset by peer]
15:08 -!- Docteh [~mage@24.86.236.78] has joined #openvpn
15:22 < chungy> i'm just ack... confused again... doesn't seem like it should be so complicated
15:26 < nDuff> chungy, if it's complicated with physical wiring and no VPN at all (which it is), adding a VPN into the mix doesn't make things easier.
15:27 < chungy> I don't see what you mean... how is physical wiring complicated?
15:29 < chungy> I just don't understand how to make this work... I don't usually deal with iptables and whatnot
15:29 -!- joako_ [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
15:34 < nDuff> chungy, if you can set up a router running NETMAP rules with physical wires, you can do it with a VPN
15:34 < nDuff> chungy, ...ie. it's not the VPN that makes it complicated.
15:35 < chungy> uh ok... but I've never had to deal with NETMAP before
15:39 < chungy> I just want two 10.0/16 networks to play nicely and I can't figure it out
15:40 < chungy> I don't even think 192.168/16 is right, but I don't seem to have any more success trying another /16 block under 10.
15:55 < chungy> some rules I try don't even let the client to connect to the server ...
15:56 < nDuff> chungy, the same techniques as debugging any other complex firewall situation apply -- inspecting the packets on both ends and comparing them to what you expect.
15:57 < chungy> sigh... not even sure how to do that...
16:02 -!- delroth [~delroth@dhaos.delroth.net] has joined #openvpn
16:03 < keyhive> chungry: do you have conflicting subnet addresses?
16:04 < keyhive> chungy
16:04 < nDuff> keyhive, *nod*, he's 10.0/16 on both sides
16:04 < keyhive> that's an easy fix
16:04 < keyhive> he needs MASQUERADE
16:04 < keyhive> and something like
16:04 < keyhive> iptables -v -t nat -A PREROUTING -i eth0 -d 192.168.0.0/24 -j NETMAP --to 192.168.77.0/24
16:04 < keyhive> iptables -v -t nat -A PREROUTING -i tap0 -d 192.168.77.0/24 -j NETMAP --to 192.168.0.0/24
16:04 < keyhive> iptables -v -t nat -A POSTROUTING -o tap0 -s 192.168.0.0/24 -j NETMAP --to 192.168.77.0/24
16:04 < keyhive> iptables -v -t nat -A POSTROUTING -o eth0 -s 192.168.77.0/24 -j NETMAP --to 192.168.0.0/24
16:05 < keyhive> in my case I mapped the /24 address block to another /24 address block
16:05 < keyhive> and could ping all my ips from the clients using the new address
16:05 < keyhive> so in your case..
16:05 < keyhive> your iptables rules look fine
16:05 < keyhive> you just need MASQUERADE
16:05 < keyhive> iptables -T nat -A POSTROUTING -o eth0 -j MASQUERADE
16:06 < keyhive> maybe also proxy_arp
16:06 < keyhive> proxy_arp=1
16:06 < keyhive> but anyway, chungy, you can review your iptables changes with
16:06 < chungy> I need both NETMAP and MASQUERADE?
16:06 < keyhive> iptables -t nat -nvL
16:06 < keyhive> -yes-
16:06 < keyhive> iptables -nvL
16:06 < keyhive> clear iptables with 
16:06 < keyhive> iptables -F
16:07 < keyhive> and i believe those changes aren't persistent so you'll need to iptables-save
16:07 < keyhive> also make sure you have forwarding enabled
16:07 < chungy> ok and I have push "route 10.10.0.0 255.255.255.0" in my openvpn server.conf, should I keep that?
16:07 < keyhive> Are you trying to translate 
16:07 < keyhive> 10.10/24 to 192.168/24 on the clients?
16:07 < chungy> yeah
16:07 < keyhive> so they ping the address as 192.168.c.d ??
16:07 < chungy> er
16:08 < keyhive> in that case, you would need `push "route 192.168.0.0 255.255.255.0"`
16:08 < chungy> I'm trying so the office end's 10.0/16 addresses are 10.10/16 on the client
16:08 < chungy> any other subnet will do fine though
16:08 < keyhive> you can't do that
16:08 < chungy> I can't?
16:08 < keyhive> you need to do it with another address space
16:08 < keyhive> oh sorry
16:08 < keyhive> yes you can
16:08 < keyhive> you can do exactly that
16:08 < keyhive> so just check your iptables rules
16:08 < keyhive> make sure your NAT looks something like what I posted above
16:09 < keyhive> analyse the rules carefully to make sure they make sense for your config
16:09 < keyhive> you need NAT, you need MASQUERADE, you need ipv4_forwarding and you -might- need proxy_arp
16:09 < keyhive> I got all this info from an article 'dirty nat tricks' i'm sure you've read
16:09 < keyhive> anyway it works
16:09 < keyhive> good luck
16:10 < keyhive> One last question: are there Windows clients?
16:10 < chungy> oh you're using tap0... that's bridging
16:10 < chungy> I was told earlier I don't need to do a bridge
16:10 < keyhive> Actually I did it with tun0
16:10 < chungy> and yes there are Windows clients
16:10 < keyhive> Then I'm sorry to say but you need a bridge
16:10 < keyhive> I went through the entire routing setup
16:10 < keyhive> it took me a week
16:10 < keyhive> I learned iptables
16:10 < keyhive> and everything
16:11 < keyhive> got it set up
16:11 < keyhive> so the windows clients could rdesktop and mount shares
16:11 < keyhive> but guess what
16:11 < keyhive> I hit a single ****ing button on a Win7 client
16:11 < keyhive> "repair this problem" blah
16:11 < keyhive> and it broke my routing rules
16:11 < keyhive> NetBIOS packets do not travel through a routed setup
16:11 < keyhive> further rules [and probably some registry hacking client-side] are required to execute that flawlessly with windows clients
16:12 < keyhive> you need a bridged setup
16:12 < keyhive> HOWEVER
16:12 < keyhive> one caveat
16:12 < keyhive> you need to reference this article at the end of it all:
16:12 < keyhive> http://openvpn.net/index.php/open-source/faq/79-client/279-are-there-any-issues-related-to-pushing-dhcp-options-to-windows-clients.html
16:12 < vpnHelper> Title: Are there any issues related to pushing DHCP options to Windows clients? (at openvpn.net)
16:13 < keyhive> It was a serious problem
16:13 < keyhive> I made the bridge work correctly on linux clients
16:13 < keyhive> but couldn't ping the server with windows clients
16:13 < keyhive> [XP clients]
16:13 < keyhive> so that regedit must be applied
16:13 < keyhive> chungy: what OS are you using?
16:13 < keyhive> server-side
16:13 < chungy> CentOS
16:14 < keyhive> okay I used Ubuntu
16:14 < keyhive> two ethernet interfaces?
16:14 < keyhive> doesn't matter
16:14 < chungy> one
16:15 < chungy> http://pastebin.ca/1957837
16:15 < keyhive> do you want my configs?
16:15 < chungy> I have this and now the client can't even connect to the server ...
16:15 < keyhive> seriously i'd love to save the you the time and hassle it took me
16:15 < chungy> yeah, that might be helpful
16:15 < keyhive> trying a routing setup was very draining
16:15 < keyhive> there are alot of good reasons to go with routing, but Window does not play nicely with OpenVPN unless it's a bridge
16:16 < nDuff> ehh
16:16 < chungy> I couldn't get a bridge to work without losing network connectivity... and I was told I don't really need one
16:16 < nDuff> I've had lots of experiences where Windows didn't play nicely with bridges either
16:16 < keyhive> http://pastie.org/1208635
16:16 < chungy> right now I'm trying with linux on both sides
16:16 < keyhive> Ah
16:16 < keyhive> Well the reason Windows won't play nice with your bridge is the article referenced above
16:17 < chungy> right now i'm not dealing with Windows... I will soon once it's all working
16:17 < chungy> but I generally try to avoid Windows to get things to work first
16:18 < keyhive> Okay, then I'll check out your pastebin
16:18 < keyhive> I think that's kind of a backward way of approaching it, but then again I did the same.
16:19 < keyhive> Just a fair warning that NetBIOS packets don't travel through the tunnel.
16:19 < chungy> not so important right now
16:19 < chungy> maybe in the future that'll be something nice =p
16:20 < keyhive> Agreed.. I wouldn't mind having that working also.
16:21 < chungy> what are the up/down.sh scripts?
16:21 < keyhive> Just bridge control scripts.  Probably extraneous considering I use a static bridge.
16:21 < keyhive> cat /proc/sys/net/ipv4/ip_forward ?
16:22 < keyhive> iptables -A INPUT -i tun+ -j ACCEPT ?
16:22 < keyhive> gotta jet, good luck to ya!
16:22 < chungy> ip_forward is 1
16:22 -!- keyhive [~net_nigel@d221-71-130.commercial.cgocable.net] has left #openvpn ["Leaving"]
16:43 -!- EmperorT1m [~EmperorTo@174-30-252-228.mpls.qwest.net] has joined #openvpn
16:45 -!- EmperorTom [~EmperorTo@184-97-189-68.mpls.qwest.net] has quit [Ping timeout: 245 seconds]
16:49 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
16:57 -!- ecrist changed the topic of #openvpn to: OpenVPN 2.1.3 Most Current || 2.2-beta3 Released 10-Sept-2010 || Your problem is your firewall, really. || Type  !welcome  before asking your  questions. ||  Web Forum: http://forums.openvpn.net || Developers: #openvpn-devel || IRC Host Cloaks available, ask ecrist
16:57 < vpnHelper> RSS Update - forum: Server Administration :: Re: Openvpn connection to server but mail fails to open :: Reply by Douglas <https://forums.openvpn.net/viewtopic.php?f=4&t=7127&p=8001#p8001> || Server Administration :: Re: Just no connection :: Reply by Douglas <https://forums.openvpn.net/viewtopic.php?f=4&t=7153&p=8002#p8002> || Server Administration :: Re: OpenVPN and WINS problem :: Reply by Douglas <https://forums.openvpn.net/viewtopic.php?f=4
17:10 -!- oracle [~o2@unaffiliated/spice] has joined #openvpn
17:12 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
17:33 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: Selected trafic which goes into the VPN :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=15&t=7166&p=8004#p8004>
17:39 < vpnHelper> RSS Update - forum: Server Administration :: Re: DNS requests leak :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7143&p=8005#p8005>
17:40 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
17:45 < vpnHelper> RSS Update - forum: Server Administration :: Re: Just no connection :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7153&p=8006#p8006>
17:46 < krzie> Dougy, hahah good call, that IS a US army subnet
17:46 < ecrist> o.O
17:46 < ecrist> what did I miss?
17:47 -!- plundra [404@article.se] has quit [Ping timeout: 264 seconds]
17:47 < krzie> https://forums.openvpn.net/viewtopic.php?f=4&t=7117&p=8007#p8007
17:47 < vpnHelper> Title: OpenVPN Support Forum View topic - OpenVPN and WINS problem (at forums.openvpn.net)
17:47 < |Mike|> what did I miss
17:48 < ecrist> LOL
17:48 < |Mike|> haha
17:48 < krzie> although im officially more confused... since his english is less than perfect
17:48 -!- plundra [404@article.se] has joined #openvpn
17:48 < krzie> "I've made some researches."
17:49 < ecrist> krzie: I'm guessing he's found a chink in some armor, and is trying to secure his thread into the system.
17:49 < |Mike|> krzie: you can't see the iP where he posts from?
17:49 < krzie> good point
17:49 -!- joako_ [~joako@adsl-074-164-021-036.sip.mia.bellsouth.net] has joined #openvpn
17:49 -!- joako_ [~joako@adsl-074-164-021-036.sip.mia.bellsouth.net] has quit [Changing host]
17:49 -!- joako_ [~joako@opensuse/member/joak0] has joined #openvpn
17:50 < ecrist> starnet.md
17:50 < |Mike|> doubt that it's located @ US :p
17:50 < vpnHelper> RSS Update - forum: Server Administration :: Re: OpenVPN and WINS problem :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7117&p=8007#p8007>
17:51 < krzie> uhhh, i have a feeling we should not support that one
17:51 < krzie> especially not on a public website
17:52 < |Mike|> x.x.x.x the IP's ?
17:53 < krzie> client2 is also us army
17:53 < ecrist> nothing saying he's not stationed in moldova...
17:53 < ecrist> using a cell phone or something to get to the net.
17:54 < ecrist> and there's no evidence of illegal activity.
17:54 < krzie> thats true
17:54 < krzie> interesting issue isnt it...
17:54 < abeehc-> very much so
17:54 < ecrist> he's posted from three different IPs, all tracing back to moldova
17:55 < ecrist> that being said, I would hope if it was some uber leet hax0r, he's at least bounce around.
17:56 < ecrist> ALSO, it's possible the IP range has been reassigned to some community in moldova on some BS peace-keeping mission.
17:56 < krzie> or bounce around in the same foreign country, to effectively throw off a trail
17:56 < krzie> reassign 2 entire /16's for something like that?
17:56 < krzie> thats some serious IP space
17:57 < ecrist> while I'm not a huge fan of windows and microsoft, setting up a WINS server for SMB sharing is hardly a terroristic act. ;)
17:57 < abeehc-> there's a fine line somewhere here..
17:57 < krzie> lol, depends what is being shared
17:58 < ecrist> the issue at hand here, really, as soon as we take responsibility for such things, we become responsible for such things.  it's simply a public forum and there's no evidence of wrong.
17:58 < krzie> you are right
17:58 < krzie> but either way, i dont plan on posting to that thread more
17:59 < ecrist> and there's nothing at all wrong with that. :)
17:59 < ecrist> http://xkcd.com/538/  -- I plan on avoiding Mr Wrench.
17:59 < vpnHelper> Title: xkcd: Security (at xkcd.com)
18:00 < krzie> hahahaha
18:00 < krzie> i love that one
18:00 < ecrist> yeah, one of my personal favorites, as well.
18:00 < |Mike|> haha
18:00 < |Mike|> ecrist++
18:02 < ecrist> I *really* hate the shitty URLs in phpbb
18:02 < ecrist> that's the one thing that really turns me off of it
18:04 < ecrist> raidz: ping - any word on some forum rank images and such?
18:06 < |Mike|> phpbb isn't seo friendly, isn't it?
18:06 < ecrist> yes, it is
18:06 < ecrist> search engines don't care what the URL is.
18:06 < ecrist> our forum already has quite a few listings in google
18:07 < ecrist> wow, 'openvpn routing' in google shows krzee's wiki page as the first link
18:08 < |Mike|> not here, here I get: https://forum.openwrt.org/viewtopic.php?id=6852
18:08 < vpnHelper> Title: OpenWrt / How to configure openvpn (route mode) and routing tables? (at forum.openwrt.org)
18:09 < ecrist> screen cap: http://skitch.com/ecrist/d4u2e/krzee-wiki-page
18:09 -!- krzy [krzee@hemp.ircpimps.org] has joined #openvpn
18:09 < vpnHelper> Title: Skitch.com > ecrist > krzee wiki page (at skitch.com)
18:09 < krzy> aww, what link did i just miss?
18:10 < ecrist> screen cap: http://skitch.com/ecrist/d4u2e/krzee-wiki-page
18:10 < vpnHelper> Title: Skitch.com > ecrist > krzee wiki page (at skitch.com)
18:10 < krzy> cool =]
18:10 < |Mike|> 10th hit here from my NL line
18:10 < |Mike|> I should blog a bit about it tomorrow
18:11 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 253 seconds]
18:11 -!- krzy [krzee@hemp.ircpimps.org] has quit [Client Quit]
18:14 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
18:17 < ecrist> I'm pretty happy with how the community is shaping up over the last ~8 months
18:17 < ecrist> compared to a year ago, even.
18:18 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
18:18 < |Mike|> I can imagine, I saw that you guys moved from ## to #openvpn
18:19 < |Mike|> you guys are active on linkedin already?
18:22 < ecrist> no idea, I think that's a corporate thing, we're just the community.
18:26  * ecrist just created 'OpenVPN Community' group on LinkedIn
18:27 < |Mike|> the group "OpenVPN" is actually registered by a friend of mine 
18:27 < ecrist> You're friends with Francis Dinha?
18:28 < |Mike|> No, Arno Kruse
18:28 < |Mike|> But the name Francis Dinha sounds familair to me
18:28 < ecrist> he's the CEO for OpenVPN Technologies
18:28  * ecrist isn't a fan
18:29 < |Mike|> Ah, he's directly linked to me
18:30 < ecrist> http://www.linkedin.com/e/-e3n5gp-gf1opnde-62/vgh/3551054/eml-grp-sub/
18:30 < vpnHelper> Title: OpenVPN Community group | LinkedIn (at www.linkedin.com)
18:30 < |Mike|> - Entrepreneur and founder & co-founder of OpenVPN Technologies, Iraq Telecom Development, PacketStream, and NewCom Technologies.
18:31 < |Mike|> Arno also made me a OpenVPN group manager 
18:33 < |Mike|> ecrist: hehe, nice linkedin profile :-)
18:34 < ecrist> which part?
18:34 < |Mike|> The deputy stuff :)
18:35 < ecrist> :)
18:36 < ecrist> my job histpry fits with someone interested in openvpn, i think
18:36 < abeehc-> hehe
18:37 < |Mike|> from physical to digital security, yes
18:38 < |Mike|> francis dinha used to hang in this channel as well as far as I can remember
18:42 < |Mike|> I should update my work experiences as well again :P
18:57 -!- chungy [~chungy@mail.bingoblabber.com] has quit [Quit: Leaving]
18:58 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 265 seconds]
18:59 -!- krzie [krzee@hemp.ircpimps.org] has joined #openvpn
18:59 -!- krzie [krzee@hemp.ircpimps.org] has quit [Changing host]
18:59 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
18:59 < vpnHelper> RSS Update - forum: Configuration :: Openvpn and Amazon EC2 with Windows 2008 :: Author nadin <https://forums.openvpn.net/viewtopic.php?f=6&t=7167&p=8008#p8008>
18:59 < krzie> damn i need new UPSs
18:59 < |Mike|> krzie: buy a shell :P
18:59 < krzie> LOL
18:59 < ecrist> he has a shell, a pretty stable one.
18:59 < krzie> i have servers dude
19:00 < |Mike|> or hire a VPS
19:00 < krzie> hahaha
19:00 < |Mike|> or some iron beast :P
19:00  * ecrist could walk downstairs and look at the server the hosts vpnHelper...
19:00 < krzie> aye, that is quite stable
19:00 < ecrist> it's more stable than xxx
19:01 < krzie> this is true
19:01 < |Mike|> doubt that :p
19:01 < krzie> xxx is another server of mine
19:01 < krzie> :-p
19:10 < ecrist> I *really* need to get freeswitch compiled from git with spandsp/freetdm asap
19:11 < krzie> tis broken or havnt had the time?
19:14 < ecrist> our freeswitch box is having issues, and the freeswitch folks won't help me until I get git running
19:14 < ecrist> having fax issues.
19:18 < ecrist> working on sending out ~2500 faxes, it doesn't like the BS microsoft puts into their TIFF headers
19:18  * ecrist runs a quick gs on all the files
19:29 < krzie> ahh
19:30 < krzie> can you remove said BS on the fly...?
19:30 < ecrist> actually, our current freeswitch box is in a fairly precarious state.  the current tdm driver won't compile on 8.0, and we're running the old one.  we don't have the old one on the system anymore (it's only resident in RAM) so I can't even reboot that box.
19:31 < ecrist> if it goes down, I have a long day/night ahead of me.
19:31 < ecrist> krzie: that's what I'm doing now
19:31 < ecrist> it will be scripted into the process sometime next week.
19:31 < krzie> oh damn
19:32 < krzie> thats quite a scary place to be
19:32 < ecrist> I have a second box ready to roll, but it doesn't have freeswitch compiled (it has all the prereq's, though)
19:32 < ecrist> just need to figure out the magic config bits to make it go
19:58 -!- WitchDoc [~WitchDoc@69.196.64.134] has joined #openvpn
19:58 < WitchDoc> can i setup openvpn with a single nic behind a firewall and have cisco vpn clients connect to it?
19:59 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
20:00 < ecrist> gah, my damn script isn't generating cover sheets now
20:03 -!- joako_ [~joako@opensuse/member/joak0] has quit [Ping timeout: 276 seconds]
20:06 < krzie> WitchDoc, 
20:06 < krzie> !notcompat
20:06 < vpnHelper> krzie: "notcompat" is (#1) ipsec and pptp are NOT compatibile with openvpn... openvpn is uses SSL, pptp and ipsec both use proprietary protocols, and therefor CAN NOT be compatible, or (#2) openvpn only connects to openvpn
20:30 -!- WitchDoc [~WitchDoc@69.196.64.134] has quit [Ping timeout: 240 seconds]
20:36 -!- s7r [~s7r@188.27.109.162] has joined #openvpn
21:15 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
21:18 < vpnHelper> RSS Update - forum: Wishlist :: Re: Port Hopping... :: Reply by ecrist <https://forums.openvpn.net/viewtopic.php?f=10&t=7162&p=8009#p8009>
21:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
21:40 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
22:12 < vpnHelper> RSS Update - forum: Server Administration :: Re: DNS requests leak :: Reply by davidparks21 <https://forums.openvpn.net/viewtopic.php?f=4&t=7143&p=8010#p8010>
22:18 < vpnHelper> RSS Update - forum: Server Administration :: Re: DNS requests leak :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7143&p=8011#p8011>
22:29 -!- babbla [~Cory@pool-74-110-124-118.nrflva.fios.verizon.net] has joined #openvpn
22:29 < vpnHelper> RSS Update - forum: Configuration :: Re: Openvpn and Amazon EC2 with Windows 2008 :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7167&p=8012#p8012>
22:48 < vpnHelper> RSS Update - forum: Server Administration :: Re: DNS requests leak :: Reply by davidparks21 <https://forums.openvpn.net/viewtopic.php?f=4&t=7143&p=8013#p8013>
23:00 < vpnHelper> RSS Update - forum: Server Administration :: Re: DNS requests leak :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7143&p=8014#p8014>
23:36 < vpnHelper> RSS Update - forum: Server Administration :: What is the difference between tcp/tcp-server/tcp-client? :: Author zespri <https://forums.openvpn.net/viewtopic.php?f=4&t=7168&p=8015#p8015>
--- Day changed Sat Oct 09 2010
00:12 -!- babbla [~Cory@pool-74-110-124-118.nrflva.fios.verizon.net] has left #openvpn []
00:30 < vpnHelper> RSS Update - forum: Configuration :: Re: Connection dies after 4-7 minutes. Client :: Reply by medleev <https://forums.openvpn.net/viewtopic.php?f=6&t=7048&p=8016#p8016>
00:36 < vpnHelper> RSS Update - forum: Configuration :: Re: Connection dies after 4-7 minutes. Client :: Reply by medleev <https://forums.openvpn.net/viewtopic.php?f=6&t=7048&p=8017#p8017>
00:49 < vpnHelper> RSS Update - forum: Server Administration :: Re: What is the difference between tcp/tcp-server/tcp-client :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7168&p=8018#p8018>
01:13 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Selected trafic which goes into the VPN :: Author glloq <https://forums.openvpn.net/viewtopic.php?f=15&t=7166&p=7999#p7999>
01:35 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
01:35 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
01:35 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
01:37 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: Selected trafic which goes into the VPN :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=15&t=7166&p=8004#p8004>
01:51 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
02:31 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
04:22 -!- eKKiM [~eKKiM@d51A4B49E.access.telenet.be] has quit [Read error: Connection reset by peer]
04:22 -!- eKKiM [~eKKiM@d51A4B49E.access.telenet.be] has joined #openvpn
04:27 -!- SDE [~SDE@93-97-41-44.zone5.bethere.co.uk] has joined #openvpn
04:28 -!- SDE [~SDE@93-97-41-44.zone5.bethere.co.uk] has quit [Client Quit]
04:29 -!- SDE [~SDE@93-97-41-44.zone5.bethere.co.uk] has joined #openvpn
04:29 < SDE> Hi guys
04:29 < SDE> how is everyone?
04:31 < vpnHelper> RSS Update - forum: Server Administration :: Re: Problem resolving hostnames :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7164&p=8019#p8019>
04:37 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: Selected trafic which goes into the VPN :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=15&t=7166&p=8004#p8004>
05:21 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Ping timeout: 276 seconds]
05:26 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined #openvpn
05:31 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Read error: Operation timed out]
06:22 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
06:22 -!- le0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has joined #openvpn
06:22 -!- le0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has quit [Changing host]
06:22 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
06:23 -!- markus_ [~markus@c83-250-33-131.bredband.comhem.se] has joined #openvpn
06:24 < markus_> can i assign /30 net to each client when using tap?
06:58 <@cron2> I don't think so.  tap is "all clients in shared subnet".  use tun.
07:01 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 265 seconds]
07:05 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- In tests, 0x09 out of 0x0A l33t h4x0rz prefer it :)]
07:31 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined #openvpn
08:18 -!- eKKiM [~eKKiM@d51A4B49E.access.telenet.be] has quit [Ping timeout: 259 seconds]
08:18 -!- eKKiM [~eKKiM@d51A4B49E.access.telenet.be] has joined #openvpn
08:46 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: allow ssh via on non vpn address while vpn is open :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7163&p=8020#p8020>
09:16 < vpnHelper> RSS Update - forum: Wishlist :: Re: Port Hopping... :: Reply by smshaker <https://forums.openvpn.net/viewtopic.php?f=10&t=7162&p=8000#p8000>
09:32 -!- tjz_ [~pc@bb121-7-128-74.singnet.com.sg] has joined #openvpn
09:33 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
09:52 < vpnHelper> RSS Update - forum: Routing and Firewall Scripts :: Protect default route on client :: Author keriati <https://forums.openvpn.net/viewtopic.php?f=17&t=7169&p=8021#p8021>
10:02 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Quit: Leaving]
10:10 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined #openvpn
10:11 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 240 seconds]
10:35 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
11:36 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
12:35 -!- koaschten_ [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
12:39 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Ping timeout: 264 seconds]
12:56 -!- meh3 [~efnet@27-9.202-62.fix.bluewin.ch] has quit []
13:35 < vpnHelper> RSS Update - forum: Server Administration :: Re: Problem resolving hostnames :: Reply by rpr <https://forums.openvpn.net/viewtopic.php?f=4&t=7164&p=8022#p8022>
13:44 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
13:51 -!- oracle_ [~o2@unaffiliated/spice] has joined #openvpn
13:54 -!- oracle [~o2@unaffiliated/spice] has quit [Ping timeout: 264 seconds]
14:21 < krzee> !factoids search win
14:21 < vpnHelper> krzee: 'winroute', 'winpass', 'win_noadmin', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', 'win_ipfail', 'win2k8', 'sudowin', 'win_tcplimit', 'winnat', 'winscript', 'win_rollup', 'windows', 'winpath', 'winsudo', and 'windows_mobile'
14:50 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
15:46 -!- p3rror [~mezgani@adsl196-161-64-206-196.adsl196-3.iam.net.ma] has joined #openvpn
16:27 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
16:32 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:54 < vpnHelper> RSS Update - forum: Routing and Firewall Scripts :: Protect default route on client :: Author keriati <https://forums.openvpn.net/viewtopic.php?f=17&t=7169&p=8021#p8021>
17:00 < vpnHelper> RSS Update - forum: Wishlist :: Re: Port Hopping... :: Reply by ecrist <https://forums.openvpn.net/viewtopic.php?f=10&t=7162&p=8009#p8009>
17:00 -!- eKKiM [~eKKiM@d51A4B49E.access.telenet.be] has quit [Ping timeout: 240 seconds]
17:09 < fipu> Hi @ all
17:10 < fipu> I have a problem with openVPN gui and Windows 7 Ultimate x64
17:11 < fipu> I get the error all tap-win32 adapters on this system are currently in use
17:25 < krzee> check if the service is starting auto, if it is not, reboot
18:31 < fipu> it was the openVPN Version
18:31 < fipu> does not work on 64 bit system
18:31 < fipu> I used the new one (beta)
18:31 < fipu> that works on win 7 64 bit
18:35 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
18:47 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
19:51 < Dougy> hmmmmmmmmmmm
19:51 < Dougy> i need to get a dell windows iso... this is gonna be hard
19:54 -!- etherealite [~ethereali@c-76-126-103-179.hsd1.ca.comcast.net] has left #openvpn []
20:24 -!- joako [~joako@99-153-162-173.lightspeed.miamfl.sbcglobal.net] has joined #openvpn
20:24 -!- joako [~joako@99-153-162-173.lightspeed.miamfl.sbcglobal.net] has quit [Changing host]
20:24 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
20:25 < jeev> doug
20:25 < jeev> pro ?
20:26 < jeev> xp ?
20:33 < Dougy> jeev: i got it
20:33 < Dougy> amazingly
20:33 < Dougy> dell's driver/download area let me DL the iso..
20:33 < Dougy> but no, 2003 std x64
20:35 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
20:39 < jeev> oh ok
20:41 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
20:41 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
20:41 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
20:46 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 252 seconds]
20:47 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
21:08 -!- joako [~joako@opensuse/member/joak0] has quit [Read error: Connection reset by peer]
21:12 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
21:20 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
21:26 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
21:26 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
21:26 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
21:26 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
21:38 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 252 seconds]
21:40 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
21:40 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
21:40 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
21:47 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 240 seconds]
21:48 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
21:49 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
21:51 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
21:51 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
21:55 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
21:55 -!- ecrist changed the topic of #openvpn to: 10/10/10: 42 day (101010 base2 is 42 base10)  Just make sure there are no bulldozers on your front lawn.  Just sayin'
22:01 -!- ecrist changed the topic of #openvpn to: 10/10/10: 42 day (101010 base2 is 42 base10)  Just make sure there are no bulldozers on your front lawn.  Just sayin'.  (http://www.fortytwoday.com/)
22:09 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
22:09 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
22:09 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
22:22 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
22:28 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
22:34 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
22:39 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
22:39 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
22:39 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
22:45 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
22:56 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
23:02 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 240 seconds]
23:04 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
23:07 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
23:10 -!- krzee [~k@openvpn/community/support/krzee] has quit [Quit: Leaving]
23:12 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
23:13 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
23:13 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
23:13 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
23:17 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
23:23 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
23:33 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 264 seconds]
23:35 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
23:36 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
23:41 -!- DrJ [Bacon@174.141.224.168] has quit [Remote host closed the connection]
23:49 -!- DrJ [Bacon@174.141.224.168] has joined #openvpn
23:49 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:49 -!- DrJ [Bacon@174.141.224.168] has quit [Excess Flood]
23:50 -!- DrJ [Bacon@174.141.224.168] has joined #openvpn
23:57 -!- DrJ [Bacon@174.141.224.168] has quit [Read error: Connection reset by peer]
23:59 -!- DrJ [Bacon@174.141.224.168] has joined #openvpn
23:59 -!- p3rror [~mezgani@adsl196-161-64-206-196.adsl196-3.iam.net.ma] has quit [Read error: Connection reset by peer]
--- Day changed Sun Oct 10 2010
00:02 -!- DrJ [Bacon@174.141.224.168] has quit [Read error: Connection reset by peer]
00:06 -!- DrJ [Bacon@174.141.224.168] has joined #openvpn
00:17 -!- koaschten_ [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Ping timeout: 264 seconds]
00:56 -!- lkeijser [~leon@fedora/lkeijser] has joined #openvpn
00:56 < lkeijser> can i use tun device in windows (xp and higher) to connect to a linux openvpn server?
01:02 < lkeijser> i mean, i can connect and on the windows side the route is set, but if i ping a remote server, i don't get a reply
01:25 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
01:25 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
01:34 -!- lkeijser [~leon@fedora/lkeijser] has quit [Quit: Leaving]
02:01 -!- tjz_ [~pc@bb121-7-128-74.singnet.com.sg] has quit [Quit: bbl.]
02:02 -!- tjz [~pc@bb121-7-128-74.singnet.com.sg] has joined #openvpn
02:02 -!- tjz [~pc@bb121-7-128-74.singnet.com.sg] has quit [Changing host]
02:02 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
02:29 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Ping timeout: 252 seconds]
02:39 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
03:08 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Ping timeout: 272 seconds]
03:19 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
03:23 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
03:24 -!- vpn_ [irc@ppp-110-168-41-201.revip5.asianet.co.th] has joined #openvpn
03:24 < vpn_> heyas
03:24 < vpn_> anyone can take a look at this paste and tell me what is wrong?
03:24 < vpn_> http://paste2.org/p/1029205
03:25 < vpn_> other than the fact I'm not concerned at security at this time, just need a basic tunnel up and running
03:30 < reiffert> !howto
03:30 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:33 -!- vpn_ [irc@ppp-110-168-41-201.revip5.asianet.co.th] has quit [Read error: Connection reset by peer]
03:34 < Bushmills> http://scarydevilmonastery.net/snap/1286699623690881315d.png
03:34 -!- vpn_ [~irc@ppp-115-87-37-99.revip4.asianet.co.th] has joined #openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:41 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
04:44 < vpn_> is there any chances the CLUELESS monkeys behind openvpn would EVENTUALLY implement more VERBOSE fucking error messages that actually WOULD make sense?
04:44 < vpn_> I've been fighting for nearly 4 hours with this:
04:45 < vpn_> write to TUN/TAP : Invalid argument (code=22)
04:45 < vpn_> gg
04:45 < vpn_> that is SOOOOOOOOOOO fucking helpful... NOT.
04:45 < vpn_> it's like coding something and spewing out "error: you have an error".
04:49 < reiffert> vpn_: it's what the kernel tells the application.
04:49 < reiffert> vpn_: if you dislike it, change your operating system.
04:49 < reiffert> vpn_: maybe microsoft got something for you.
04:50 < reiffert> vpn_: oh and if you like to have better openvpn error messages: feel free to open a ticket in the ticketdatabase. dont forget to attach your patch.
04:51 < reiffert> vpn_: or switch your vpn solution to something you can pay for better error messages.
04:51 < vpn_> yet another zealous sionist typical answer
04:51 < reiffert> dislike all the options? welcome to opensource shittyness.
04:52 < reiffert> let's have a close look on the negation of "that is soooo fucking helpful"
04:52 < vpn_> can you just... fuck off already?
04:52 < reiffert> "_that_ is not so fucking helpful"
04:53 < reiffert> or "that is so not fucking helpful"
04:53 < vpn_> take that screwdriver on your left and stick it up your ass.
04:53 < reiffert> or maybe "that is so fucking not helpful"
04:53 < reiffert> I get an orgasm and I like it.
04:54 < vpn_> I bet you do you israelian piece of shit.
04:55 -!- vpn_ [~irc@ppp-115-87-37-99.revip4.asianet.co.th] has quit []
04:56 < reiffert> Let's have a look on the negation of "I want someone to leave an irc channel
04:56 < reiffert> "
04:59 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
05:10 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Quit: Távozom]
05:11 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
05:11 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Remote host closed the connection]
05:11 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
05:53 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
06:05 -!- famicom [~famicom@h1606120.stratoserver.net] has quit [Quit: Coyote finally caught me]
06:11 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Quit: Távozom]
06:15 -!- sc_ [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has quit [Ping timeout: 276 seconds]
06:16 -!- sc_ [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has joined #openvpn
06:30 -!- Docteh [~mage@24.86.236.78] has quit [Ping timeout: 252 seconds]
06:31 -!- Docteh [~mage@24.86.236.78] has joined #openvpn
06:36 -!- sc_ [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has quit [Ping timeout: 245 seconds]
06:38 -!- sc_ [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has joined #openvpn
06:38 -!- portablejim [~james@unaffiliated/portablejim] has joined #openvpn
06:42 < portablejim> is there a way to authenticate via a seperate user/password list (not the system list - /etc/passwd)
06:44 < portablejim> ?
06:45 < reiffert> there is a pam auth module in the contrib section
06:45 < reiffert> pam can be configured to authenticate against such a table/list.
06:47 < portablejim> thanks
06:56 -!- Mkools [~mukul@117.196.218.52] has joined #openvpn
07:01 < Mkools> Hi, I have just started configuring openvpn on Ubuntu 9.10 I am using Quick start HOW TO. I am using ubuntu 9.10 and want to connect window client to it. Installed necessary software. I have configured my own DNS server using BIND 9. Which have private address. Can I use it in server configuration file?
07:23 < Mkools> hey, any help?
08:27 -!- Mkools [~mukul@117.196.218.52] has quit [Quit: Leaving]
08:33 -!- SDE [~SDE@93-97-41-44.zone5.bethere.co.uk] has quit [Ping timeout: 255 seconds]
08:47 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
08:51 -!- s7r [~s7r@188.27.109.162] has quit [Ping timeout: 272 seconds]
08:56 -!- s7r [~s7r@66.199.231.250] has joined #openvpn
08:57 -!- s7r is now known as Guest64772
09:28 -!- s7r` [~s7r@188.27.109.162] has joined #openvpn
09:30 -!- Guest64772 [~s7r@66.199.231.250] has quit [Ping timeout: 264 seconds]
09:33 -!- GerhardSchr [~GerhardSc@89.144.18.130] has quit [Read error: Connection reset by peer]
10:20 -!- SDE [~SDE@93-97-41-44.zone5.bethere.co.uk] has joined #openvpn
10:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Connection reset by peer]
11:18 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
11:22 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
11:29 -!- avocado [~avocado@this.pieceofshit.org] has left #openvpn []
11:50 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:56 -!- bartzy [c25a7171@gateway/web/freenode/ip.194.90.113.113] has joined #openvpn
11:56 < bartzy> Hi, maybe someone here will know :) :
11:56 < bartzy> I'm using OpenSSL as a CA.
11:56 < bartzy> I want to know if it's possible to list all the valid certificates currently in an index file ?
12:03 < ecrist> the index file is just text
12:03 < kisom> bartzy: its up to you to keep track on your certificates.
12:04 < kisom> oh well
12:04 < kisom> on my way home to stockholm once again :(
12:04 < ecrist> no, openssl does it, actually requires it to generate new certificate signatures.
12:04 < bartzy> kisom: Yes, but I want to show a list of the current valid certs...
12:05 < ecrist> bartzy: it's all in the index.
12:05 < bartzy> kisom: I would rather not use a DB of my own if I can pull it out OpenSSL itself
12:05 < bartzy> ecrist: So you say I should just read the index file ?
12:05 < bartzy> Isn't it dangorous in some way ? I'm locking it, and if someone tries to sign a cert in that exact moment... It's not that good :)
12:06 < ecrist> if you open read-only, it won't matter
12:06 < bartzy> really ? If I'll open the file read only then if someone else will change it I won't notice it ?
12:06 < ecrist> if you want the data, read index.txt
12:07 < ecrist> that's all there is to it
12:07 < bartzy> OK
12:07 < bartzy> thanks
12:10 < kisom> bartzy: i dont know how openssl manages an index of certificates, but its all upp to you to keep track of which certificates and keys you have signed
12:10 < ecrist> kisom: openssl manages an index
12:11 < kisom> alright
12:11 < kisom> i use my own tools for generating certificates :)
12:11 < ecrist> it also identifies validity (whether they're revoked or active)
12:11  * ecrist wrote ssl-admin
12:32 -!- bandini [~bandini@host153-25-dynamic.20-79-r.retail.telecomitalia.it] has joined #openvpn
12:41 -!- yourmom [~jeremym@173-29-173-165.client.mchsi.com] has joined #openvpn
12:42 < yourmom> when i have someone connect to my vpn they do not get a vpn address
12:42 < yourmom> is this normal?
12:42 -!- yourmom is now known as jeremym
12:43 < nDuff> jeremym, depends on your configuration
12:43 < jeremym> reason i ask is because when a person connects to my vpn they are unable to access any thing on the network.  I cannot ping them etc...
12:43 < jeremym> i can give them an ip address and they cannot ping anyone on the network
12:44 < nDuff> jeremym, and on what you mean by "do not get a VPN address" (for instance, if you mean they get a regular address for the LAN they're connecting to, that's completely normal when bridging to a network that offers DHCP)
12:44 < nDuff> jeremym, please pastebin your configuration and give a summary of the topology.
12:45 < jeremym> is the config file as.conf?
12:46 < jeremym> i have been using the web tool to configure it
12:46 -!- krzee [krzee@hemp.ircpimps.org] has joined #openvpn
12:46 -!- krzee [krzee@hemp.ircpimps.org] has quit [Changing host]
12:46 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
12:46 < nDuff> couldn't say -- I'm utterly unfamiliar with the "web tool" in question.
12:47 < jeremym> im talking about when you configure it with https://ipaddress:943/admin
12:48 < jeremym> i think as.conf is the config file.  I will pastebin that for you
12:49 < nDuff> there's no mention of a web-based configuration interface in the man page. This is the commercial "Advanced Server" product, maybe?
12:49 < nDuff> ...if so, I know nothing about it.
12:50 < jeremym> yes i think it is...i just went to the openvpn web site and downloaded it
12:51 < jeremym> i assume there is a community based one that i should have installed
12:51 < nDuff> under "community software" there's a separate download page
12:53 < nDuff> ...and for the software there, the HOWTO at http://openvpn.net/index.php/open-source/documentation/howto.html should apply (as will the man page)
12:53 < vpnHelper> Title: HOWTO (at openvpn.net)
12:54 < nDuff> jeremym, ...that said, I don't intend to warn you away from the commercial solution -- it's just that I personally don't know enough about it to do anything by way of support.
12:55 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
12:56 < jeremym> understood...i just want to use something and be able to get support if i need help.  i have googled this and i am getting results but not clear results as to how to solve it
12:56 < jeremym> if this version will get me that support then i would need to use it
13:05 < ecrist> jeyyour'e using Access Server, which we're unable to support in here
13:05 < ecrist> erm, jeremym 
13:05 < jeremym> understood...i didnt realize there was a difference until now
13:05 < jeremym> im installing the community based one now
13:06 < ecrist> there is no web util for that, just fyi
13:07 < jeremym> yea i noticed.  is there a conf template that is given to go by?
13:09 < nDuff> jeremym, the HOWTO is a pretty good place to start -- it does include some samples. Configuration files can be wildly different depending on what kind of topology you want (a private-key-only point-to-point VPN looks nothing at all like a SSL-based hub-and-spoke configuration), so there isn't really just one template -- more like several, and you start from whichever one makes sense given the kind of VPN you want.
13:10 < jeremym> ok thank you :)
13:10 < nDuff> ...heh -- actually, it looks like they've simplified things a bit by taking the v1-style point-to-point private-key-only style out of the HOWTO.
13:17 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
13:20 < krzee> well there is:
13:20 < krzee> !confgen
13:20 < vpnHelper> krzee: "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/
13:20 < krzee> or
13:20 < krzee> !sample
13:20 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
13:21 < krzee> but both of those are server/client
13:37 -!- infid [~infid@99-101-15-134.lightspeed.sndgca.sbcglobal.net] has left #openvpn []
13:48 < SDE> guys
13:48 < SDE> does anyone know what spec server im going to need to run OpenVPN for 20-30 users?
13:49 < nDuff> SDE, next to nothing
13:50 < SDE> seriously?
13:50 < nDuff> SDE, unless this is a very-high-bandwidth link, any old junker you have in your closet will work.
13:50 < SDE> well looking to rent a dedicated server
13:50 < SDE> so was wandering what the spec should be
13:52 -!- oracle [~o2@unaffiliated/spice] has joined #openvpn
13:52 < SDE> 1GB ram with 2.2ghz dual core enough?
13:52 < nDuff> the only thing that's expensive in terms of CPU time that scales with number of users, rather than bandwidth, is key renegotiation -- and you can control how often that happens
13:52 < nDuff> SDE, yes, absolutely, much more than enough.
13:53 < SDE> even if i have 10-15 users connecting and using torrents + streaming movies?
13:53 < nDuff> that's a question of how much bandwidth is available for them to use
13:53 < SDE> 4Tb - 5TB
13:54 < kisom> my single core atom 330 vpn server does ~80 mbps
13:54 < SDE> wow thank god for that
13:54 < SDE> was going to buy a quadcore + 4GB DDR3 ram for it
13:54 < SDE> lol
13:54 < kisom> depends a lot on your setup as well
13:55 < kisom> do not use key renegotiating and use a lightweight block cipher, like RC4
13:55 -!- oracle_ [~o2@unaffiliated/spice] has quit [Ping timeout: 276 seconds]
13:55 < SDE> well i want
13:55 < SDE> 1 installer for all users
13:55 < SDE> so 1 default config
13:56 < nDuff> SDE, there are some tradeoffs between security and ease-of-configuration you might want to think about
13:56 < kisom> I highly recommend one certificate per client.
13:56 < nDuff> SDE, ...you can certainly have all your users share a certificate and differentiate themselves by username/password, but that's going to be much less secure than unique certificates.
13:57 < SDE> why?
13:57 < nDuff> SDE, a password has much less entropy in it than a private key.
13:57 < kisom> and if the certificate is compromised, you have to change the cert on all clients
13:58 < SDE> but the main problem is the end users being able to install the config files
13:59 < nDuff> SDE, ...also, having an install process where they generate a private key on their own side, such that you never have access to that key yourself, reduces the extent to which your end users need to trust you; if you don't have your users' private keys, even you as their service provider can't impersonate them.
13:59 < nDuff> SDE, right, doing things the secure way takes work. I'm trying to make the point that that work may be worth doing.
13:59 < SDE> i have no issues doing it the secure way
13:59 < nDuff> SDE, ...there are GUI tools which can help to make it easier (ie. set it up where they run a program which prompts them for the data necessary to create a certificate signing request)
13:59 < SDE> main problem is the damn end users
14:00 < kisom> the end users are always the problem :)
14:00 < kisom> i use my own installer for openvpn, it pulls the config files + signs a certificate on request
14:00 < kisom> after you log on, of course
14:00  * nDuff had an in-house build of the Certificate Signing Wizard now included with OpenVPN for Windows back in the day; don't recall what all the differences from upstream were, though.
14:01 < SDE> kisom how did you do that?
14:01 < SDE> I want to find a way around where the end users do not have to extract the config files
14:01 < kisom> just some scripting
14:02 < SDE> so the end users never had to extract the config files/
14:02 < SDE> ?
14:02 < kisom> the end users dont install anything, IT department does
14:02 < kisom> its more a simplification for myself
14:05 < nDuff> SDE, why would end users need to do anything if you build a smart enough installer? :)
14:05 < kisom> anyways, i'm home now
14:05 < nDuff> (well, anything other than fill in a pretty little Windows form with whatever info you want to put in the certificate)
14:05 < kisom> getting of the train, back in 20 minutes
14:05 < SDE> well how would the installer grab from the server? the config files?
14:05 < kisom> SDE: I use my own propetary protocol, but HTTP would do just fine
14:06 < SDE> lol i still dont understand how it would work...
14:06 < nDuff> SDE, ...the tricky part, of course, is doing the whole thing without the install automation having its own vulnerabilities...
14:06 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
14:08 < nDuff> SDE, well -- think about what you'd have end-users doing during the install process if doing it right. Now, what parts of that process _really_ require human involvement, ie. can't be automated away by writing a custom installer that does it for them?
14:09 < SDE> extracting the config files into the correct directory thats all
14:09 < SDE> perhaps i can write a tuotrial + make a small video clip for that
14:09 < nDuff> SDE, and what part of that is something you can't script?
14:09 -!- rm [rm@fsf/member/rm] has joined #openvpn
14:10 < SDE> the downloading of the config file + extracting
14:10 < ecrist> without knowming more, I suspect the pulling of those configs presents a potential security risk.
14:10 < SDE> as each user will have a unique config file? so would need to be downloading for the server
14:10 < rm> hello
14:11 < rm> if I am using an up-script, should the script 'up' the device (as in 'ip link set devX up', or 'ifconfig devX up') as well, or does OpenVPN do that by itself?
14:13 < nDuff> SDE, downloading a file is easy to do programmatically; so is unpacking an archive. What's hard is deciding on a secure procedure to trust whether a signing request issued by a purported end-user is legitimate... but that's true no matter what your process is.
14:13 < SDE> ok thanks i think i know what to do now guys :) cheers
14:15 -!- ssn [~ssn@94.75.220.182] has joined #openvpn
14:16 < ssn> hi guys
14:16 < ssn> is there any good tutorial on how to get openvpn (clientside) running on ubuntu (command line, not network manager)?
14:21 < nDuff> ssn, I'd start with the general HOWTO
14:21 < nDuff> !howto
14:21 < vpnHelper> nDuff: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:22 -!- coppermine [~coppermin@184-106-129-151.static.cloud-ips.com] has joined #openvpn
14:23 < coppermine> is openvpn available in 64bit?
14:23 < nDuff> coppermine, yes.
14:23 < coppermine> nDuff: thanks
14:23 < coppermine> but i could still use >4GB with 32-bit PAE paging enabled in kernel 
14:24 < nDuff> coppermine, yup; OpenVPN doesn't use enough memory that it really needs the kind of virtual address space a 64-bit system provides, so it'd be fine either way.
14:31 -!- weggpod [~weggpod@abo-6-236-68.guy.modulonet.fr] has joined #openvpn
14:31 < weggpod> hi all
14:35 < weggpod> how I can optimize openvpn to pass interactiv and batch traffic through an high latency line ?
14:36 < nDuff> weggpod, first thing that comes to mind -- be sure you're in UDP rather than TCP mode
14:36 < weggpod> nDuff, unfortunatly I have to use TCP transport for the VPN
14:37 < weggpod> a firewall issue ...
14:39 < weggpod> and I have a very little line, 1.8Mbits
14:41 -!- coppermine [~coppermin@184-106-129-151.static.cloud-ips.com] has quit [Quit: leaving]
14:59 < kisom> My automated installer is pretty simple
15:00 < kisom> the server will only sign certificates to computers on the local network, and you also need to log on to the server
15:09 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
15:20 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
15:28 -!- sigi [~sigius@93.125.185.45] has joined #openvpn
15:47 -!- jeremym [~jeremym@173-29-173-165.client.mchsi.com] has quit [Ping timeout: 240 seconds]
15:47 -!- jeremym [~jeremym@173-29-173-165.client.mchsi.com] has joined #openvpn
15:51 -!- yourmom [~jeremym@173-29-173-165.client.mchsi.com] has joined #openvpn
15:51 -!- jeremym [~jeremym@173-29-173-165.client.mchsi.com] has quit [Ping timeout: 264 seconds]
15:58 < _zero__>  /G 22
15:58 < _zero__> err
16:00 -!- weggpod [~weggpod@abo-6-236-68.guy.modulonet.fr] has quit [Read error: Operation timed out]
16:01 -!- yourmom [~jeremym@173-29-173-165.client.mchsi.com] has quit [Ping timeout: 264 seconds]
16:20 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 264 seconds]
16:40 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
17:10 -!- me345 [~me345@adsl-75-15-176-124.dsl.bkfd14.sbcglobal.net] has joined #openvpn
17:15 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 240 seconds]
17:35 < vpnHelper> RSS Update - forum: Server Administration :: Re: Problem resolving hostnames :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7164&p=8023#p8023>
17:47 < vpnHelper> RSS Update - forum: Server Administration :: Re: Problem resolving hostnames :: Reply by rpr <https://forums.openvpn.net/viewtopic.php?f=4&t=7164&p=8024#p8024>
17:56 -!- ssn [~ssn@94.75.220.182] has quit [Ping timeout: 240 seconds]
18:04 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
18:33 -!- diffen3 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Read error: Operation timed out]
18:40 -!- diffen3 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
18:52 -!- tuxx_ [~sometinel@81.95.4.163] has joined #openvpn
18:52 < tuxx_> hey guys...
18:52 < tuxx_> im running an openvpn tunnel and diverting my traffic over it
18:52 < tuxx_> however.. my original public ip (eth0) is no longer accessible 
18:52 < tuxx_> what am i doing wrong.. iptables is cleared so it must be a routing issue
18:53 < tuxx_> i wld like both eth0 and tap0 to be accessable
19:20 -!- diffen3 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
19:45 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Read error: Operation timed out]
19:46 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined #openvpn
19:52 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
20:02 < krzie> tuxx_, 
20:02 < krzie> when you send all your traffic over the vpn, your responses to traffic that goes to your eth0 are routed out of your tap0
20:02 < krzie> this is a byproduct of changing your default route
20:03 < krzie> you CAN do split-routing to allow SOME hosts to access your eth0, and all your traffic to those hosts will always bypass the vpn
20:03 < krzie> if that is what you want, search the forum for split routing
20:19 -!- me345 [~me345@adsl-75-15-176-124.dsl.bkfd14.sbcglobal.net] has quit [Read error: Connection reset by peer]
20:48 < krzie> !pushdns
20:48 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
20:53 < vpnHelper> RSS Update - forum: Server Administration :: Re: Problem resolving hostnames :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7164&p=8026#p8026> || Installation Help :: Re: TAP install Windows XP-SP3 fails :: Reply by ecrist <https://forums.openvpn.net/viewtopic.php?f=5&t=7154&p=8027#p8027> || Routing and Firewall Scripts :: Re: Protect default route on client :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=17&t=7
21:05 < vpnHelper> RSS Update - forum: Installation Help :: Re: TAP install Windows XP-SP3 fails :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=5&t=7154&p=8028#p8028>
21:05 -!- variable [~variable@unaffiliated/variable] has joined #openvpn
21:12 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
21:27 -!- rm [rm@fsf/member/rm] has left #openvpn []
21:28 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 255 seconds]
21:35 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
21:42 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
21:48 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
22:10 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
22:19 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has joined #openvpn
22:29 -!- s7r` [~s7r@188.27.109.162] has quit []
22:37 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Ping timeout: 245 seconds]
22:42 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
23:05 -!- portablejim [~james@unaffiliated/portablejim] has quit [Ping timeout: 260 seconds]
23:11 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Quit:  has left the bulding]
23:22 -!- qweqweqw1 [~alloy@tropyx.com] has left #openvpn []
23:50 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:58 -!- Sivarts [~Travis@cle-bb-cable2-ws-85.dsl.airstreamcomm.net] has joined #openvpn
23:59 < Sivarts> is it ok to use the same cert/key files on all clients when security is not a concern?
--- Day changed Mon Oct 11 2010
00:35 -!- portablejim [~james@unaffiliated/portablejim] has joined #openvpn
01:21 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
01:22 < Bushmills> i suppose so. read about  --duplicate-cn
01:36 -!- bandini [~bandini@host153-25-dynamic.20-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
01:54 < vpnHelper> RSS Update - forum: Server Administration :: Re: What is the difference between tcp/tcp-server/tcp-client :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7168&p=8029#p8029>
02:08 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
02:13 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
02:16 -!- arejay [arejay@shell.dawnshosting.com] has joined #openvpn
02:25 < vpnHelper> RSS Update - forum: Server Administration :: HTTP session problems since setting up VPN :: Author Jools <https://forums.openvpn.net/viewtopic.php?f=4&t=7170&p=8030#p8030>
02:25 -!- tjz_ [~pc@95-168-163-39.internetserviceteam.com] has joined #openvpn
02:26 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
02:28 -!- tjz [~pc@bb121-7-128-74.singnet.com.sg] has joined #openvpn
02:28 -!- tjz [~pc@bb121-7-128-74.singnet.com.sg] has quit [Changing host]
02:28 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
02:30 -!- tjz_ [~pc@95-168-163-39.internetserviceteam.com] has quit [Ping timeout: 245 seconds]
02:35 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
02:48 -!- Sivarts [~Travis@cle-bb-cable2-ws-85.dsl.airstreamcomm.net] has quit [Quit: This computer has gone to sleep]
02:53 -!- dazo_afk is now known as dazo
03:23 < vpnHelper> RSS Update - forum: Server Administration :: Is it possible to specify dhcp pool? :: Author zespri <https://forums.openvpn.net/viewtopic.php?f=4&t=7171&p=8031#p8031>
03:30 -!- diffen3 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
03:33 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
04:12 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 260 seconds]
04:18 < kisom> love it when someone emails me and says "my computer is not working, can you fix it?"
04:33 < theDoc> kisom> My answer is usually, no.
04:45 -!- xreal [~mweber@mailgw.FB12.Uni-Dortmund.DE] has joined #openvpn
04:45 < xreal> Can I just OpenVPN client to connect to a Cisco Server via IPSec?
04:55 < theDoc> No.
04:58 < tuxx_> krzie: still there?
04:58 < tuxx_> hey guys.. 
04:59 < tuxx_> im running an openvpn tunnel and diverting my traffic over it
04:59 < tuxx_> however.. my original public ip (eth0) is no longer accessible
04:59 < tuxx_> i wld however like tap0 to be my default route
04:59 < tuxx_> while still allowing requests from eth0
05:00 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
05:00 < tuxx_> what i dont understand is .. krzie said its a normal byproduct of changing your default route
05:01 < tuxx_> but on another server i have 29 ip addresses and one of them is set to the default route.. this however does not prevent the other 28 from being accessable 
05:04 -!- xreal [~mweber@mailgw.FB12.Uni-Dortmund.DE] has quit [Quit: Switch off the lights and close your eyes. Feel the energy inside.]
05:10 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
05:23 -!- sc_ [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has quit [Ping timeout: 252 seconds]
05:24 -!- sc_ [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has joined #openvpn
05:35 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
05:54 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
05:55 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
06:05 -!- sc_ [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has quit [Ping timeout: 276 seconds]
06:06 -!- sc_ [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has joined #openvpn
06:34 -!- sc_ [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has quit [Read error: Operation timed out]
06:35 -!- sc [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has joined #openvpn
06:37 -!- TuxBrother [525c2573@gateway/web/freenode/ip.82.92.37.115] has joined #openvpn
06:39 < TuxBrother> hello
06:39 < TuxBrother> anyone down for fixing a problem with network-manager (ubuntu) and OpenVPN?
06:39 <@dazo> !ubuntu
06:39 < vpnHelper> dazo: "ubuntu" is dont use network manager!
06:40 < TuxBrother> I Get: Connection reset, restarting [0] Oct 11 13:31:45 * nm-openvpn[1982]: SIGUSR1[soft,connection-reset] received, process restarting
06:40 <@dazo> TuxBrother: I believe Ubuntu have messed it up ... it works fine in RHEL/CentOS/Fedora ... but stinks in Ubuntu ... that's a task for the Ubuntu community to fix what they've broken
06:40 < TuxBrother> ok
06:41 < TuxBrother> there is no easy fix for it?
06:41 <@dazo> TuxBrother: I don't use Ubuntu so I don't know why it happens ... but there's plenty of Ubuntu people complaining about it here
06:41 <@dazo> s/people/users/
06:42 < theDoc> I'm in touch with a ubuntu dev, I'll let him know and have someone try to chase that down.
06:42 < theDoc> Has anyone ever managed to get aircrack-ng to run on a mac via macports
06:43 <@dazo> tuxx_: you are using --redirect-gateway?  in that case, your eth0 (which you use to establish the outgoing VPN connection) will still be available for connections outside the tunnel ... but all outgoing traffic will by default be sent via the tunnel
06:43 <@dazo> (meaning: you don't "kill" your eth0 interface when establishing a VPN connection)
06:44 < tuxx_> dazo: im not calling it specifically
06:44 <@dazo> tuxx_: then I've misunderstood your question :)
06:44 < tuxx_> dazo: well my question is
06:47 < tuxx_> dazo: sry.. i was distracted
06:47 < tuxx_> dazo: my question is that i have a server running the tunnel.. before the tunnel eth0 is pingable
06:47 < tuxx_> as soon as i start the tunnel eth0 is no longer pingable
06:48 < tuxx_> dazo: only tap0 is pingable.. i however wld like both interfaces to be working
06:48 <@dazo> I see
06:48 < tuxx_> is that possible somehow?
06:48 < theDoc> It should be.
06:48 <@dazo> ahh .. and you want that on the client side, which establishes the connection?
06:49 < tuxx_> dazo: yes sorry
06:49 <@dazo> hmm ... that's tricky, actually ... if you think about how the traffic will go
06:49 < tuxx_> dazo: well my problem is that the vpn has a dynamic ip.. i wld like to be able to access the server via its static eth0 ip
06:49 <@dazo> I see
06:50 < tuxx_> dazo: cant it be done?
06:51 <@dazo> The thing is that the ICMP request (I'm just thinking ping now) will hit your public IP address ... the kernel will respond to it and send it to the network stack, which will look at the destination address, look up the perfect gateway in the routing table ... which in this case will be tap0, as the default route
06:51 < tuxx_> dazo: hmm..
06:51 <@dazo> so the response will go to the tap0 ... that's not easy to get around at all
06:51 <@dazo> unless you can route that response traffic outside the tunnel 
06:52 <@dazo> (which will need to happen on your openvpn client)
06:53 < tuxx_> dazo: hmm.. i dont understand tho
06:53 < tuxx_> dazo: on a different server it works fine
06:53 <@dazo> tuxx_: but that's the OpenVPN server side, isn't it?
06:53 < tuxx_> dazo: no.. just a different machine.. also client
06:53 < tuxx_> the server is vpntunnel.se i have no access to the server
06:53 <@dazo> okay
06:54 < tuxx_> my other server has several ip addresses (27) they all work fine 
06:54 < tuxx_> when the tunnel is up
06:54 < tuxx_> i can use both the tunnel AND the public eth0
06:54 <@dazo> and you use --redirect-gateway?
06:54 < tuxx_> dazo: when executing openvpn?
06:54 <@dazo> yes
06:54 < tuxx_> dazo: no
06:54 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
06:55 < tuxx_> dazo: shld i?
06:55 <@dazo> exactly, because you don't route the ICMP response
06:55 <@dazo> if you do that, it will stop working there as well
06:55 <@dazo> it is connected to --redirect-gateway usage
06:56 <@dazo> The important thing is to realise that the kernel don't look at which interface the request came from ... it looks at the IP address the packet is going to, and then apply the routing rules according to that
06:56 < tuxx_> hm..
06:57 < tuxx_> dazo: what will --redirect-gateway do?
06:57 <@dazo> so you get on your client traffic hitting eth0, and then the response gets re-routed back to the sender via tap0, because that's what the routing table tells the kernel to do
06:57 < tuxx_> dazo: hm yes
06:57 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
06:57 -!- TuxBrother [525c2573@gateway/web/freenode/ip.82.92.37.115] has quit [Ping timeout: 265 seconds]
06:58 <@dazo> tuxx_: --redirect-gateway directs all outgoing network traffic via the VPN tunnel ... so that if you sit in location A, connects to location B via VPN ... when you surf the web, it looks like you're surfing from location B
06:58 < tuxx_> yea.. 
06:58 < tuxx_> dazo: but i mean my other server has several ip addresses
06:59 < tuxx_> dazo: all of them are accessable at the same time eventho the first ip is set to the default route
06:59 < tuxx_> how is that situation different form the current one?
06:59 <@dazo> it's not about how many IP addresses or interfaces you have .... its about the routing table and how the routing is configured
06:59 < tuxx_> dazo: can i prepare a pastedump of my routing table etc?
07:00 <@dazo> you may ... but I doubt I can help you solve the unsolvable
07:00 < vpnHelper> RSS Update - forum: Server Administration :: Static ip addresses :: Author zbenta <https://forums.openvpn.net/viewtopic.php?f=4&t=7172&p=8032#p8032>
07:00 < tuxx_> dazo: i dont see why its unsolvable
07:00 < tuxx_> on my other server (bdn.de)
07:00 < tuxx_> it works fine.. while on the other host it doesnt
07:00 < reiffert> run a compare on both then.
07:01 <@dazo> tuxx_: but your other server isn't using --redirect-gateway, is it?
07:01 < tuxx_> neither are
07:01 <@dazo> exactly... Stop using --redirect-gateway, and it will work
07:01 <@dazo> start using --redirect-gateway, and it breaks
07:02 < reiffert> what's his goal btw?
07:02 <@dazo> reiffert: he want's to have an accessible OpenVPN client on the public IP address *and* use default gateway via the VPN
07:03 < tuxx_> dazo: can i grant you login?
07:03 < tuxx_> so you can see for yourself that its working on one server but not the other
07:03 < reiffert> dazo: he might do it using policy based routing.
07:04 <@dazo> tuxx_: you need to see that you route traffic via different networks when routing the default gateway over VPN ... you basically say "all outgoing traffic will by default go to VPN gateway" ... and then traffic coming in on network A ... your box replies to that response ... but your routing tells your box to route this via network B ... while the traffic should normally go to network A ... that's the core of your problem
07:04 <@dazo> reiffert: good point, I honestly didn't think about that ... that's more of the deeper routing stuff I've never really played with ... you know how to do it?
07:05 < tuxx_> dazo: i am running it on my other server (bdn.de) 
07:05 < reiffert> dazo: the linux stuff is on http://lartc.org
07:05 < vpnHelper> Title: Linux advanced Routing & Traffic Control HOWTO (at lartc.org)
07:05 < tuxx_> dazo: i can ping both addresses.. 
07:05 < tuxx_> dazo: the outgoing trafic of the server all goes via the vpn.. i just verified
07:05 < reiffert> tuxx_: paste both traceroute's.
07:06 < tuxx_> dazo: when i ping the server and tcpdump i see incoming icmps form eth0 and outgoing from tap0
07:06 <@dazo> tuxx_: that's what I've been trying to tell you ;-)
07:06 < tuxx_> dazo: thats fine.. but the other server doesnt do that
07:06 < tuxx_> its NOT responding from tap0
07:07 < reiffert> just ignore me.
07:07 < tuxx_> http://pastebin.com/s4CA1fPw
07:07 < tuxx_> reiffert: no i was preparing it :)
07:07 < tuxx_> there it is
07:08 < reiffert> tuxx_: bdn.de is the vpn client?
07:08 < tuxx_> yes
07:08 < reiffert> paste: route -n
07:08 < tuxx_> reiffert: the one which is working as it shld
07:08 < tuxx_> http://pastebin.com/UsBThLij
07:09 < reiffert> paste: brctl -n
07:09 < reiffert> ifconfig -a
07:09 < reiffert> erm, brctl show
07:09 < tuxx_> reiffert: i can give you access if u prefer
07:09 < |Mike|> lol!
07:09 < Rienzilla> uhmm :)
07:10 < |Mike|> Morning Rienzilla :-)
07:10 < reiffert> Yes please.
07:10 < tuxx_> pm?
07:10 < reiffert> wn
07:30 -!- Sivarts [~Travis@cle-bb-cable2-ws-85.dsl.airstreamcomm.net] has joined #openvpn
07:33 < reiffert> dazo: funny.
07:33 <@dazo> ?
07:33 < reiffert> packages arrive on eth0   fromhost -> eth0
07:34 < reiffert> packages leave on tap0 with source address eth0
07:34 <@dazo> uhh!?!?
07:34 < reiffert> but his vpn provider does not drop them and route them back to the right fromhost
07:34 < reiffert> likeisaidfunny
07:34 <@dazo> oh man
07:41 -!- ChristianAA [82e1b818@gateway/web/freenode/ip.130.225.184.24] has joined #openvpn
07:45 < reiffert> dazo: but he refuses to recignize the wrong.
07:45 < reiffert> &
07:46 < tuxx_> um...
07:46 < tuxx_> i dont "refuse" anything
07:47 < tuxx_> im just saying
07:47 < tuxx_> i am completely happy they way traffic is being routed
07:47 < tuxx_> because it does what i need
07:48 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
08:00 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
08:01 <@dazo> theDoc: thx for notifying the Ubuntu dev ... it's about time someone looks at that
08:02 < theDoc> dazo> I'm just going to raise it up, I can't guarantee that someone is going to fix it.
08:03 < theDoc> btw, anyone has an idea if it's possible to force vmware to forward the "virtual" mac address in a bridged environment?
08:03 <@dazo> theDoc: yeah, I understood that 
08:03 -!- EmperorT1m is now known as EmperorTom
08:03 < theDoc> dazo> Any idea on my second question?:)
08:04 <@dazo> theDoc: nope ... I'm not a vmw user
08:04 < theDoc> I'm trying to execute an arp attack in a bridged environment through vmware.
08:04 < theDoc> Damn thing. >:|
08:39 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Ping timeout: 255 seconds]
08:52 -!- s7r [~s7r@188.27.111.55] has joined #openvpn
09:17 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
09:19 -!- dar__ [~droutin@gw.theralys.com] has joined #openvpn
09:19 < dar__> elo
09:19 < dar__> !!!
09:19 < vpnHelper> dar__: Error: "!!" is not a valid command.
09:20 < dar__> i have a strange problem i can't find infos on... i have added another instance of openvpn for tcp connection
09:20 < dar__> but since i have done that i don't have anymore /var/cache/openvpn/openvpn-status.log
09:20 < dar__> i have it but it is empty :((
09:22 -!- koaschten [~koaschten@193.175.191.199] has joined #openvpn
09:34 < krzee> !status
09:34 < vpnHelper> krzee: Error: "status" is not a valid command.
09:34 < krzee> meh
09:34 < krzee> in your 2 openvpn configs, use different status files
09:36 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:42 -!- cyphermox [~cyphermox@ubuntu/member/pdpc.supporter.active.cyphermox] has joined #openvpn
09:46 < theDoc> dazo> There's an ubuntu dev in here I think. Any idea what was the problem with ubuntu and network manager or something?
09:47 <@dazo> I've forgotten the real issue ... but the connection is somehow not established correctly, due to some arguments passed to openvpn
09:47 <@dazo> running openvpn from the command line works fine, but when doing it via the nm-openvpn plug-in, it always fails
09:49 < krzee> network manager is a fail
09:50 < krzee> uber fail even
09:50 <@dazo> krzee: it actually works pretty will in Fedora, believe it or not ... I'm actually a happy NM user nowadays ... but I remember the pain in openSuSE and Ubuntu
09:51 <@dazo> and now it even works pretty decently with USB and Bluetooth against mobile phones as well
09:52 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: There's nothing to boo in boobies.]
09:55 < reiffert> krzee: try to type über next time ;)
09:55 < krzee> berrrrr
09:55 < krzee> im still drunk from last night
09:56 < reiffert> the character is in 8895-1 ...
09:56 <@dazo> krzee: never mind ... normal people pronounce u as Germans pronounce ü ... while Germans are the only ones pronouncing u as o :-P
09:56  * dazo runs and hide
09:58 < reiffert> Hrmn, I do pronounce U as in YOU and ü like    point your browser to  http://dict.leo.org/ende?lp=ende&lang=de&searchLoc=0&cmpType=relaxed&sectHdr=on&spellToler=&search=over and click the sound speaker symbol next to "über"
09:58 < vpnHelper> Title: LEO Deutsch-Englisches Wörterbuch "over" (at dict.leo.org)
09:59 < reiffert> http://vrserver3.linguatec.net/Server/download.pl?audio=vr00507459.MP3&customerid=10011&guilang=de
10:06 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
10:23 -!- TuxBrother [d9780cc5@gateway/web/freenode/ip.217.120.12.197] has joined #openvpn
10:23 < TuxBrother> can anyone tell me how I set up a open vpn connection in Ubuntu 10.10?
10:23 <@dazo> !howto
10:23 < vpnHelper> dazo: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:24 < TuxBrother> jep
10:24 < TuxBrother> via Networkmanager, I mean
10:24 <@dazo> TuxBrother: forget it ... it's pretty much broken
10:24 <@dazo> !ubuntu
10:24 < vpnHelper> dazo: "ubuntu" is dont use network manager!
10:24 < TuxBrother> that sux a lot..
10:25 < TuxBrother> ubuntu is a great distro, or are there better alternatives?
10:25 <@dazo> even though, 10.10 is pretty fresh ... so it might be fixed ... but if you try to first do it via command line and it works, try to do the same via the GUI setup
10:25 <@dazo> I'm using Fedora
10:25  * dazo is a happy camper
10:27 <@dazo> By all means, Ubuntu is probably not as crappy as it once was ... I jumped off around 8.10 or so, after being nervous for what the following update would break .... where each update broke something, always ... and Ubuntu does a lot of good stuff on the user experience side
10:27 <@dazo> but for me, it's more important that I have a reliable system
10:28 <@dazo> (and Fedora 13 is looking decent, and all stuff I need just works^TM)
10:31 < TuxBrother> is fedora debian based?
10:31 < TuxBrother> and is there a large community support?
10:32 < TuxBrother> does it use gnome>
10:32 < TuxBrother> ?
10:32 < TuxBrother> If so, I'll give it a shot
10:32 -!- ChristianAA [82e1b818@gateway/web/freenode/ip.130.225.184.24] has quit [Ping timeout: 265 seconds]
10:32 -!- lucapost [8c6986fd@gateway/web/freenode/ip.140.105.134.253] has joined #openvpn
10:32 < lucapost> hi all
10:33 < lucapost> I have a problem with my openvpn tunnel
10:33 < lucapost> my router admin block all outgoing ping
10:33 < lucapost> can I disable this in my config?
10:34 <@dazo> TuxBrother: Fedora got a pretty large community, it's what RHEL is based on, uses GNOME .... but it's RPM based
10:34 <@dazo> TuxBrother: http://fedoraproject.org/
10:34 < vpnHelper> Title: Fedora Project (at fedoraproject.org)
10:35 <@dazo> lucapost: it's nothing in OpenVPN which defines such blocking rules ... so you'll probably need to have a close look at your firewall setup
10:38 < lucapost> dazo: what I can do?
10:38 <@dazo> lucapost: have a close look at your firewall setup
10:39 <@dazo> lucapost: and if you have an admin somewhere blocking outgoing ICMP requests ... then you can't do anything
10:39 < lucapost> dazo: sure?
10:39 < lucapost> :(
10:40 <@dazo> openvpn don't do miracles, that I'm sure about
10:46 < TuxBrother> There are not many rpm's out there
10:46 < TuxBrother> most is deb
10:51 <@dazo> TuxBrother: what are you talking about? ... you must live in closed world :) ... it's pretty much even, I'd say
10:52 <@dazo> TuxBrother: especially when you look at the rpmforge repository as well
10:52 < TuxBrother> what is better
10:53 < TuxBrother> BSD or Debian?
10:54 <@dazo> what's better, Ferrari or Lamborghini?
10:54 <@dazo> it really depends more on your needs
11:02 < Bushmills> nice colours or big tits on the packaging are usually good clues
11:07 < sc> dazo, am using ubuntu on my desktop, very stable, most things "just work".
11:08 < sc> But CentOS for everything server-related.
11:08 -!- sc [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has quit [Changing host]
11:08 -!- sc [~sc@unaffiliated/asgw] has joined #openvpn
11:10 <@dazo> sc: well, Ubuntu (I started with Gutsy) worked lovely for me as well in the beginning ... but when Ibix came out and after that upgrade, I had to postpone automatic package updates to times where I knew I had time to clean up ... and towards the end, I had to use cryptsetup manually to decrypt my home partition before logging in ... networking was a constant struggle, even though it helped when I through out network-manager
11:10 < krzee> and i choose freebsd for my servers, and osx for my desktops
11:11 < krzee> like dazo and Bushmills said, its all a matter of taste
11:11 <@dazo> sc: but I do know there are many happy Ubuntu users ... but 12-15 months with ubuntu was enough for me
11:11 < krzee> the best OS is the one you are most comfortable with
11:12 <@dazo> that's true
11:14 <@dazo> but I would say the differences between BSD distros are much bigger than most Linux distros, so with Linux its even more "colour and feel" which distinguishes them than the underlying core parts
11:14 <@dazo> (the kernel is practically the same, while NetBSD, FreeBSD and OpenBSD got very different kernels, afaik)
11:14 <@dazo> or at least, they are different branches with different development phases
11:15 < Bushmills> hm .. one may be most comfortable with CP/M or MS/DOS - that doesn't necessarily make them the best operating systems
11:15 <@dazo> lol
11:16 <@dazo> Bushmills: that's pushing it to an extreme, but you're correct from pedantic point of view ;-)
11:19 -!- Mkools [~mukul@117.196.216.145] has joined #openvpn
11:36 < d1b> morning
11:38 -!- lucapost [8c6986fd@gateway/web/freenode/ip.140.105.134.253] has left #openvpn []
11:38 < d1b> TuxBrother: why is that a choice ?
11:39 < d1b> you can have debian bsd ;)
11:39  * d1b takes out cake and eats it too ;)
11:39 -!- koaschten [~koaschten@193.175.191.199] has quit [Ping timeout: 265 seconds]
11:40 -!- dazo is now known as dazo_afk
11:49 < vpnHelper> RSS Update - forum: Server Administration :: Re: Problem resolving hostnames :: Reply by rpr <https://forums.openvpn.net/viewtopic.php?f=4&t=7164&p=8033#p8033>
11:55 -!- Mkools [~mukul@117.196.216.145] has quit [Remote host closed the connection]
12:16 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
12:25 < SDE> guys
12:25 < SDE> is OpenVZ or vePortal best for OpenVPN or XEN?
12:27 -!- sc [~sc@unaffiliated/asgw] has quit [Ping timeout: 260 seconds]
12:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
12:32 -!- sc [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has joined #openvpn
12:34 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Read error: Connection reset by peer]
12:44 < d1b> SDE: what do you mean?
12:55 < SDE> well im looking to get a VPS or my OpenVPN not sure what company to go for though
13:07 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Read error: Operation timed out]
13:09 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
13:14 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
13:22 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
13:25 -!- _melvin_ [~melvin@bi1wall1.bi.e-7.com] has joined #openvpn
13:27 < _melvin_> Hi. Windows 7 doesn't seam to send dhcp requests over tap device anymore. 
13:28 < _melvin_> On WindowsXP ipconfig /renew works. but on Win7 no broadcast is sent.
13:32 < Bushmills> !windows
13:32 < vpnHelper> Bushmills: "windows" is pcs are like air conditioners, they work fine unless you open windows
13:36 < jpalmer> why do you guys insist on keeping that useless factoid?
13:38 < tuxx_> dazo_afk: i wrote an email to my vpn provider
13:38 < tuxx_> they said that eth0 shld be accessable
13:40 < Bushmills> jpalmer, i think the factoid is very zen.  it has a high "mu" factor
13:40 < jpalmer> Bushmills: I guess we'll have to agree to disagree.  Personally,  I don't care for it, and think it's rather obnoxious
13:42 < Bushmills> we don't need to agree on anything, not even on disagreeing. but you're still free to not care for it. maybe you want to read the "how to not invoke the !windows factoid"-factoid :)
13:42 < Bushmills> in order to not read it, agreeing is not a precondition
13:43  * jpalmer wanders off
13:43 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Read error: Operation timed out]
13:49 < krzie> lol
13:49 -!- diffen3 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 272 seconds]
13:51  * ecrist has a feeling above-mentioned factoid remains
13:51 -!- oracle_ [~o2@unaffiliated/spice] has joined #openvpn
13:52 < krzie> yup, those 2 agreed to disagree, and i agreed to not care
13:52 < krzie> ;)
13:52 < ecrist> ditto
13:53 -!- adxp [~user@host-216-220-114-135.dsl.bway.net] has joined #openvpn
13:53 -!- diffen3 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
13:54 < adxp> Can anyone explain what "-extensions server" does when creating a server cert with OpenSSL? (I.e., how a server cert differs to an ordinary cert.)
13:54 -!- oracle [~o2@unaffiliated/spice] has quit [Ping timeout: 265 seconds]
13:57 -!- APTX_ [~APTX@phpBB/developer/APTX] has joined #openvpn
13:57 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
13:59 < ecrist> adxp: it prevents a client certificate from acting as a server, and vice-versa
14:00 < adxp> ecrist: so if it was stolen, someone couldn't use it to log into the vpn, say?
14:02 < ecrist> right
14:03 < Bushmills> who agreed on what?
14:03  * Bushmills thinks we disgreed on agreeing to disagree
14:06 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has quit [Ping timeout: 264 seconds]
14:06 < adxp> ecrist: thx!
14:08 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 240 seconds]
14:10 < krzie> Bushmills, i disagree!
14:11 < Bushmills> with what do you disagree?
14:12 < krzie> i disagree that you guys disagreed on agreeing to disagree
14:12 < Bushmills> why would you do that?
14:12 < krzie> mainly to keep the chain going
14:12 < Bushmills> and what do you suggest instead?
14:12 < jpalmer> man,  and I thought the factoid was obnoxious.
14:13 -!- adxp [~user@host-216-220-114-135.dsl.bway.net] has quit [Remote host closed the connection]
14:26 < ecrist> I agree
14:26 -!- _melvin_ [~melvin@bi1wall1.bi.e-7.com] has quit [Quit: _melvin_]
14:26 < ecrist> muahaha
14:36 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
14:44 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has joined #openvpn
14:47 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
14:48 < krzie> you agree with me disagreeing that they disagreed on agreeing to disagree
14:48 < krzie> ?
14:50 < krzie> !irclogs
14:50 < vpnHelper> krzie: "irclogs" is Channel logs are available at http://secure-computing.net/logs/openvpn.txt and are updated in real-time while ecrist is online.
14:50 < krzie> erm
14:50 < krzie> !ircstats
14:50 < vpnHelper> krzie: "ircstats" is (#1) 30-Day Stats: http://www.secure-computing.net/logs/openvpn-last30.html, or (#2) All-Time Stats: http://www.secure-computing.net/logs/openvpn.html
14:50 < krzie> there we goes
14:51 < ecrist> krzie: I agree.
14:52 < ecrist> it's not updated again.  my vpn at home is down, which is where that server that generates those exists.
14:52 < ecrist> I'll work on it tomorrow.
15:08 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
15:11 -!- zanberdo [~mkz@173-164-189-237-SFBA.hfc.comcastbusiness.net] has joined #openvpn
15:15 < zanberdo> I'm looking for guidance. My company has an openvpn server hosting access to an internal network whose address space is 192.168.1.x. When connecting from a home network with the same address space there are problems (as one might expect). We really only need the openvpn connection for access to a specific address in the 192.168.1.x range (74 in this case). Is there a away to handle a home address in 192.168.1.x connecting to 1
15:15 < zanberdo> 92.168.1.x over openvpn such that the one address I need (.74) is exposed that doesn't cause a problem with the remaining network addressing? I'm not sure how clearly I've described the issue, so please feel free to ask questions and I'll attempt to answer them as best I can
15:17 < hyper_ch> why don't you change the home addressing?
15:18 < zanberdo> if it were just me I would (in fact, I use a different space and as such have never run into this issue).  However, there will be many uncontrolled origination networks I can't control. Similarly we can't change the company address space to a non-192.168.1.x address space (which was my first suggestion) as there are too many dependencies that might cause corruption... 
15:18 -!- oracle_ is now known as oracle
15:20 < zanberdo> would it matter if we are using TAP vs TUN? I shouldn't think so, but I'm not familiar enough with the differences to know.
15:37 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
15:47 < krzie> run openvpn on .74
15:48 < krzie> then just access it by its vpn IP
15:48 < krzie> then dont setup a route for the subnet, and you wont get a subnet conflict
15:48 < krzie> if you need both LANs, you really want to change a subnet
15:49 < krzie> note, it CAN be done with NAT... but nobody here will support that i think (historically nobody had cared to, since the root cause is you're doing it wrong, and its an ugly hack that should not be done)
15:50 < krzie> but ya, when you only need openvpn to access 1 machine, you dont need to route the entire subnet ;)
15:51 < zanberdo> I searched google and found a link to http://www.shorewall.net/OPENVPN.html which looks like would translate 192.168.x.x to 172.20.x.x (in this example).
15:51 < vpnHelper> Title: OpenVPN Tunnels and Bridges (at www.shorewall.net)
15:51 < krzie> just do it right instead
15:52 < zanberdo> I can't run openvpn on .74 - it's a production machine that has dedicated resources, so if just doing right means running openvpn on this particular host, it's not going to happen.
15:53 < zanberdo> I suspect one right way to do it would be to change the ip address range for the intranet - but sadly that's not going to happen either.
15:55 < krzie> ok, good luck :)
15:55 < zanberdo> it was ill-conceived to assign the intranet to 192.168.1.x when there was a very good possibility that remote uses who have simply installed their home network with the all-too-typical default address space of 192.168.1.x might need to gain access... as is now the case
15:55 < zanberdo> so, to be clear, what you are proposing as the right way is to simply run openvpn server on the host that would be accessed from remote, is that correct?
15:57 < krzie> well theres 2 right ways
15:57 < tuxx_> krzie: hey man...
15:57 < tuxx_> krzie: we spoke yesterday abt my openvpn
15:58 < krzie> 1 is what you said above, since you dont need to route the entire subnet, run it on the host that will use it (openvpn takes barely any resources if its just a couple users)
15:58 < krzie> 2 is to use a less common subnet
15:59 < tuxx_> krzie: when i connect to my openvpn tunnel (service provided by vpntunnel.se) my eth0 is no longer pingable.. when i tcpdump eth0 i see icmps coming in but nothing being routed out.
15:59 < tuxx_> krzie: i wrote an email to them and they said:
15:59 < zanberdo> ok. I will research option one more closely and see if this is in fact an option. Otherwise, option two still runs the risk (albeit small) that any subnet I choose *could* be in use by the remote user for their home subnet
15:59 < tuxx_> you should still be able to access you server from the eth0 interface. how does you routing table look?
15:59 < tuxx_> could post the output of "route -n" command
16:00 < krzie> if they push redirect-gateway to you, thats not true
16:00 < krzie> of course if they do not, it is
16:00 < krzie> and the routing table is exactly the right thing to look at :)
16:01 < tuxx_> krzie: can i show you my dump?
16:01 < tuxx_> haha that sounded a bit gross :D
16:01 < krzie> but since i would assume the use of paying a vpn provider is to anonymize your internet connection, i expect your gateway is the tunnel
16:01 < krzie> !pastebin
16:01 < krzie> hahah
16:01 < vpnHelper> krzie: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
16:02 < tuxx_> krzie: i pmed you
16:02 < krzie> ok
16:02 < krzie> you see 2 bottom entries on tap0 interface?
16:02 < krzie> that is from redirect-gateway def1
16:02 < tuxx_> um
16:02 < tuxx_> yes
16:03 < krzie> so what i said yesterday is true
16:03 < krzie> people can send traffic to your eth0 IP, but your responses will go over the vpn
16:03 < tuxx_> krzie: but no resposes are being sent out
16:03 < krzie> the person getting the response never sent a request to the VPN ip that you respond as, so it gets ignored
16:04 < krzie> im sure if you dump the packets you'll see you DO respond, but they dont care because they dont see it as a response
16:04 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Read error: Operation timed out]
16:04 < krzie> if i ping google, and get a reply from yahoo, my kernel doesnt know that its a reply to my ping
16:04 < tuxx_> krzie: hm.. strangely on my otehr server it works fine
16:05 < krzie> then your other server isnt redirecting gateway
16:05 < tuxx_> ok but i call it with the same options
16:05 < krzie> this is a common thing for people to run into
16:05 < tuxx_> i started openvpn with verbose = 4
16:05 < krzie> its been covered on the forum like 3 times this week
16:05 < tuxx_> and i saw options being pushed "redirect_gateway"
16:06 < tuxx_> krzie: may i grant you access to my server
16:06 < krzie> im at work dude
16:06 < tuxx_> ah o
16:06 < tuxx_> k
16:06 < krzie> and i already told you whats going on
16:06 < tuxx_> krzie: yes but how do i fix it? :D
16:06 < krzie> split routing
16:06 < tuxx_> but no
16:07 < tuxx_> i dont want only specific hosts to be redirected
16:07 < tuxx_> i wld like both interfaces to be accessable
16:07 < tuxx_> thats not possible?
16:07 < tuxx_> as i said it works on my bdn.de server..
16:07 < tuxx_> i start openvpn there with the exact same config and cmd
16:07 < tuxx_> and both interfaces are pingable
16:07 < krzie> not same server config
16:07 < tuxx_> server config?
16:08 < tuxx_> the config is from vpntunnel.se's homepage
16:08 < krzie> correct
16:08 < tuxx_> totally unchnaged
16:08 < tuxx_> i can md5 both files it will be the same :)
16:08 < krzie> you are using their server on both machines?
16:08 < tuxx_> yes
16:08 < krzie> bs
16:08 < tuxx_> um really not :)
16:09 < krzie> maybe you have firewall rules making it possible on the one that works
16:09 < krzie> that was recently used by someone on the forum to achieve split-routing
16:09 < tuxx_> krzie: yea md5 is exactly the same
16:10 < krzie> the server config isnt on your clients machines :-p
16:10 < krzie> but you said its connecting to the same server
16:10 < tuxx_> iptables are empty on both
16:11 < tuxx_> well the server its connecting to is given by the config
16:11 < tuxx_> so yes.. its the same server
16:11 < tuxx_> krzie: any chance u cld login and see for yourself when your done with work? :D
16:11 < tuxx_> dont wanta be an annoying prick
16:11 < tuxx_> but i really am at a loss
16:12 < tuxx_> and im so clueless at networking.. i actually ordered "linux network administrator's guide" today
16:12 < tuxx_> because it pissed me off that im so clueless
16:13 < tuxx_> krzie: what happens if i ommit the "redirect-gateway" option? is that even possible? or is it pushed by the server config?
16:13 -!- derik [~derik@unaffiliated/derik] has joined #openvpn
16:14 < krzie> is it in your configs?
16:14 < tuxx_> no
16:15 < krzie> then its kinda obvious that its pushed by the server config :-p
16:15 < tuxx_> i thought it may be some default flag of openvpn
16:15 < tuxx_> krzie: dude i know im retarded
16:15 < tuxx_> stop rubbing it in :P
16:15 < krzie> theres almost nothing default in openvpn
16:16 < tuxx_> k
16:16 < krzie> well i guess i should take that back
16:16 < krzie> but its a good way to think of it
16:16 < tuxx_> krzie: anyway its weird that the support@vpntunnel.se wld claim that it works
16:16 < tuxx_> if its not possible
16:17 < tuxx_> unluckily i wont get a reply until tomorrow i guess
16:17 < tuxx_> its past working hours
16:17 < krzie> weirder that you say it works on your other machine when i know for a fact that it doesnt
16:17 < tuxx_> lol
16:17 < tuxx_> reiffert logged in some hours ago
16:17 < tuxx_> and saw for himself
16:17 < tuxx_> that it works on bdn.de
16:18 < tuxx_> i am ircing from that very server
16:18 < tuxx_> i will now start the tunnel
16:18 < krzie> he saw that your default gateway leaves from the VPN and you answer traffic from your eth0 without using split routing or special firewall hackery...?
16:19 < tuxx_> krzie: 188.126.69.99
16:19 < tuxx_> krzie: i think my default gateway is still eth0
16:19 < tuxx_> krzie: anyway 188.126.69.99 is pingable as is bdn.de
16:20 < tuxx_> the tunnel is now running and im still talking to you :)
16:20 < tuxx_> 0.0.0.0         81.95.4.161     0.0.0.0         UG    0      0        0 eth0
16:20 < tuxx_> is the last line of the routing table
16:21 < tuxx_> http://pastebin.com/n3fVVBtz
16:22 < tuxx_> the verbosity also showed the "reidrect-gateway" flag being used on bdn.de
16:23 -!- TuxBrother [d9780cc5@gateway/web/freenode/ip.217.120.12.197] has quit [Quit: Page closed]
16:24 < krzie> show me the full routing table on that machine
16:24 < tuxx_> its in the pastebin
16:24 -!- cyphermox [~cyphermox@ubuntu/member/pdpc.supporter.active.cyphermox] has quit [Quit: Quitte]
16:25 < krzie> of the one that is reachable on its eth0
16:25 < krzie> the one that does what you want
16:25 < tuxx_> yea  http://pastebin.com/n3fVVBtz
16:26 < tuxx_> the last lines is the full routing table of it
16:26 < krzie> the only ips that should be bypassing the tunnel are the ones with more specific routes
16:27 < tuxx_> mine is totally arbitrary
16:27 < tuxx_> and i can ping it
16:27 < tuxx_> try pinging bdn.de and 188.126.69.99
16:27 < tuxx_> im quite sure both will work
16:29 < tuxx_> i just flushed iptables too to make sure.
16:34 -!- derik [~derik@unaffiliated/derik] has quit [Quit: Good bye]
16:43 -!- dazo_afk is now known as dazo
16:43 < krzie> show me iptables -L -t mangle
16:43 < krzie> show me iptables -L -t nat
16:44 < tuxx_> -t nat is flushed
16:44 < krzie> and the first?
16:45 < tuxx_> http://pastebin.com/1A7RWAxi
16:46 -!- dazo is now known as dazo_afk
16:48 < krzie> im not really a linux guy... but backup the firewall, remove that mark, and tell me if it still works
16:48 < tuxx_> the mark was some nonse i was attempting
16:48 < krzie> looks like you have something in your mangle table, which might be helping you accomplish that goal
16:48 < krzie> oh
16:49 < tuxx_> i flushed the mangle
16:49 < tuxx_> its still works
16:49 < krzie> i have no idea why
16:49 < krzie> afaik it should not
16:58 < tuxx_> http://pastebin.com/1WGeQ0Sy
16:59 < tuxx_> pings come in from tap0 and go out via eth0
16:59 < tuxx_> um the other way around :D
17:05 -!- tuxx [~tuxx@p57AF5AD1.dip.t-dialin.net] has joined #openvpn
17:06 < tuxx> hehe
17:06 -!- tuxx_ [~sometinel@81.95.4.163] has quit [Ping timeout: 250 seconds]
17:06 < tuxx> i just killed bdn.de by removing a default host
17:06 < tuxx> um gateway
17:07 < tuxx> luckily i started a script that will autoreboot it in 10mins
17:07 < tuxx> :)
17:11 -!- tuxx_ [~tuxx@p57AF5AD1.dip.t-dialin.net] has joined #openvpn
17:12 -!- tuxx [~tuxx@p57AF5AD1.dip.t-dialin.net] has quit [Quit: tuxx]
17:28 -!- APTX_ is now known as APTX
17:49 -!- arejay [arejay@shell.dawnshosting.com] has quit [Read error: Operation timed out]
18:00 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
18:02 -!- arejay [arejay@shell.dawnshosting.com] has joined #openvpn
18:20 < krzie> right, they go in eth0 and exit tap0
18:20 < krzie> or rather they should be
18:21 < krzie> which would result in the return traffic coming from a different sourceIP
18:24 -!- zanberdo [~mkz@173-164-189-237-SFBA.hfc.comcastbusiness.net] has quit [Quit: Leaving]
18:28 < tuxx_> krzie: yea.. it sounds like theres nat involved..
18:28 < tuxx_> but there really isnt
18:35 -!- arejay [arejay@shell.dawnshosting.com] has quit [Ping timeout: 240 seconds]
18:39 -!- arejay [arejay@shell.dawnshosting.com] has joined #openvpn
18:58 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
19:20 < krzie> well ive got no idea
19:21 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Read error: Operation timed out]
19:22 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined #openvpn
19:25 < krzie> the strange thing is that it IS working on 1, not that it is not on the other
19:26 < tuxx_> krzie: yea
19:26 < tuxx_> krzie: does it have anything to do with forwarding?
19:26 < tuxx_> i activated /porc/net/ipv4/ip_forward
19:26 < tuxx_> or whatever its called
19:27 < tuxx_> probably not "porc" :)
19:27 < krzie> nah thats for when a packet comes in 1 interface, and needs to traverse to another interface
19:27 < tuxx_> isnt that the case?
19:27 < tuxx_> eth0 and tap0
19:27 < krzie> like when you share your LAN using openvpn or act as a router
19:27 < tuxx_> yea
19:28 < tuxx_> eth0 -> tap0
19:28 < krzie> but it doesnt change that your responses should come from a different ip than i send my request to
19:28 < tuxx_> its strange because tcpdump shows the packets going out of tap0
19:28 < tuxx_> yet the local tcpdump shows that they are from bdn.de
19:29 < tuxx_> not the vpn_ip
19:29 < tuxx_> i'll wait for their email
19:29 < tuxx_> hopefully they can help
19:30 < krzie> i wonder if they are doing some sort of crazy spoofing on your behalf, and their uplink doesnt egress filter
19:30 < krzie> that would actually be quite a cool feature
19:31 < krzie> and could be possible, since they can tell if you started the tcp connection or not
19:31 < tuxx_> :D
19:31 < tuxx_> yea
19:31 < krzie> that would be kinda elite
19:31 < tuxx_> they are swedes
19:31 < tuxx_> i.e. nuts
19:45 < SDE> guys
19:45 < SDE> which distro do you recommend for OpenVPN?
19:46 < SDE> CentOS? Debian? Ubuntu LTS?
19:54 < krzie> no recommendation
19:54 < krzie> they will all work the same as far as openvpn's place in things
20:00 < krzie> !learn bestos as the best os for openvpn is the one you are most comfortable with... also you can make jpalmer angry by seeing !windows
20:00 < vpnHelper> krzie: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
20:00 < krzie> !learn bestos as the best os for openvpn is the one you are most comfortable with... also you can make jpalmer angry by seeing !windows
20:00 < vpnHelper> krzie: Joo got it.
20:07 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
20:07 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
20:07 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
20:12 -!- tuxx [~tuxx@p57AF5C29.dip.t-dialin.net] has joined #openvpn
20:13 < jpalmer> krzie: I don't know if 'angry' is the right term.  maybe saddened.  I thought this channel had people who were above all the petty bias's found in your common linux channel full of 16 year olds.  so to find the same mentality present here..  sad.
20:15 -!- tuxx_ [~tuxx@p57AF5AD1.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
20:25 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has quit [Ping timeout: 272 seconds]
20:26 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has joined #openvpn
20:30 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
20:32 -!- tuxx [~tuxx@p57AF5C29.dip.t-dialin.net] has quit [Quit: Lost terminal]
20:36 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has joined #openvpn
20:37 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Client Quit]
20:44 < krzie> jpalmer, there are things related to common openvpn setups that windows fails in
20:44 < krzie> for example, when you push dns to windows clients see the posts in mail list @ !pushdns
20:45 < krzie> doing NAT on windows is a serious PITA
20:45 < krzie> (so !redirect with windows server)
20:46 < krzie> hell, windows is the reason for topology net30
20:47 < krzie> (as can be read in mail list posts at !topology)
22:04 -!- _zero_ [~zero@noc.toile-libre.net] has joined #openvpn
22:05 -!- _zero__ [~zero@noc.toile-libre.net] has quit [Read error: Connection reset by peer]
23:04 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
23:06 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Read error: Operation timed out]
23:27 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Ping timeout: 240 seconds]
23:42 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
--- Day changed Tue Oct 12 2010
00:03 -!- Buklov [~3232@213.138.74.165] has joined #openvpn
00:03 < Buklov> hello
00:10 < Buklov> i need help with openvpn
00:10 < Buklov> I need to configure openvpn at speeds above 10 mbps.
00:12 < krzee> !static
00:12 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.5 10.8.0.6 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder
00:12 < krzee> the 10mbit thing is just a display issue with the windows tap device
00:12 < krzee> it is capable of going faster
00:12 < vpnHelper> RSS Update - forum: Server Administration :: Re: HTTP session problems since setting up VPN :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7170&p=8034#p8034>
00:13 < Buklov>  ethtool tun0
00:13 < Buklov> Settings for tun0:
00:13 < Buklov>         Supported ports: [ ]
00:13 < Buklov>         Supported link modes:
00:13 < Buklov>         Supports auto-negotiation: No
00:13 < Buklov>         Advertised link modes:  Not reported
00:13 < Buklov>         Advertised auto-negotiation: No
00:13 < Buklov>         Speed: 10Mb/s
00:13 < Buklov>         Duplex: Full
00:13 < Buklov>         Port: Twisted Pair
00:13 < Buklov>         PHYAD: 0
00:13 < Buklov>         Transceiver: internal
00:13 < Buklov>         Auto-negotiation: off
00:13 < Buklov>         Current message level: 0xffffffa1 (-95)
00:13 < Buklov> in linux Speed: 10Mb/s
00:14 < krzee> if that is not a display issue, it would be an issue in your OS's tun device
00:14 < krzee> likely a display issue
00:14 < krzee> but either way, openvpn isnt responsible for the linux tun code at all
00:18 < krzee> (for a forum post)
00:18 < krzee> !ipp
00:18 < vpnHelper> krzee: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
00:18 -!- jeev [~jeev@unaffiliated/jeev] has left #openvpn []
00:23 < vpnHelper> RSS Update - forum: Server Administration :: Re: Static ip addresses :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7172&p=8036#p8036> || Server Administration :: Re: Static ip addresses :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7172&p=8037#p8037>
01:20 -!- kyrixpower [~ashley@chello213047159139.33.11.univie.teleweb.at] has joined #openvpn
01:21 -!- kyrixpower [~ashley@chello213047159139.33.11.univie.teleweb.at] has quit [Client Quit]
01:21 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has joined #openvpn
01:22 -!- kyrix [~ashley@chello213047159139.33.11.univie.teleweb.at] has quit [Client Quit]
02:12 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: allow ssh via on non vpn address while vpn is open :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7163&p=8038#p8038>
02:37 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
02:38 -!- TuxBrother [525c2573@gateway/web/freenode/ip.82.92.37.115] has joined #openvpn
02:38 < TuxBrother> hello
02:38 < TuxBrother> is the debian network manager broken, like ubuntu?
02:49 -!- arejay [arejay@shell.dawnshosting.com] has quit [Ping timeout: 240 seconds]
02:53 -!- dazo_afk is now known as dazo
03:01 -!- doctorray [~ray@static-71-177-137-76.lsanca.fios.verizon.net] has joined #openvpn
03:03 < doctorray> anyone awake to help a semi-experienced openvpn user decide whether my problem is a firewall, routing, or both issue?  client network connects successfully to server network, server network talks to client's vpn ip but not the client lan subnet?
03:04 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
03:04 < doctorray> if i type route or iptables one more time I might scream
03:08 < theDoc> !route
03:08 < vpnHelper> theDoc: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
03:08 < theDoc> doctorray: You want that ^
03:19 -!- arejay [arejay@shell.dawnshosting.com] has joined #openvpn
03:19 -!- TuxBrother [525c2573@gateway/web/freenode/ip.82.92.37.115] has quit [Ping timeout: 265 seconds]
03:24 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: allow ssh via on non vpn address while vpn is open :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7163&p=8039#p8039>
03:25 -!- doctorray [~ray@static-71-177-137-76.lsanca.fios.verizon.net] has quit [Ping timeout: 276 seconds]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:41 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
03:49 < kraut> moin
03:51 < krzee> moinmoin
04:11 -!- koaschten [~koaschten@193.175.177.209] has joined #openvpn
04:21 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
04:24 < vpnHelper> RSS Update - forum: Server Administration :: Re: What is the difference between tcp/tcp-server/tcp-client :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7168&p=8040#p8040>
04:24 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
04:28 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
04:28 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
04:30 -!- koaschten [~koaschten@193.175.177.209] has quit [Ping timeout: 250 seconds]
04:38 -!- koaschten [~koaschten@193.175.177.190] has joined #openvpn
04:42 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: allow ssh via on non vpn address while vpn is open :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7163&p=8041#p8041>
04:59 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
05:05 -!- koaschten [~koaschten@193.175.177.190] has quit [Ping timeout: 265 seconds]
05:11 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined #openvpn
05:12 -!- kotique [~kotique@bluemile.vps.deepunix.net] has joined #openvpn
05:12 < kotique> oh what a great day. so I managed to hack certificate fields extraction in openvpn. now I've got another problem;
05:13 -!- mechbangirc [~mechbangi@mbl-65-157-126.dsl.net.pk] has joined #openvpn
05:13 < kotique> push "echo 'msg : blah,blah' " complains about commas, tried to escape with \, didn't work, complains about backslashes
05:13 < kotique> what's the most appropriate solution here?
05:14 < mechbangirc> hi i purchased a vpn account with a static ip. how do i put the static ip in my openvpn conf file?
05:17 -!- koaschten [~koaschten@193.175.177.142] has joined #openvpn
05:17 -!- mechbangirc [~mechbangi@mbl-65-157-126.dsl.net.pk] has quit [Quit: Leaving]
05:43 -!- g0tcha [~efnet@167-122.105-92.cust.bluewin.ch] has joined #openvpn
05:59 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
05:59 -!- le0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has joined #openvpn
05:59 -!- le0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has quit [Changing host]
05:59 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
06:08 -!- koaschten [~koaschten@193.175.177.142] has quit [Read error: Connection reset by peer]
06:50 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left #openvpn []
06:57 -!- ChristanAa [82e1b818@gateway/web/freenode/ip.130.225.184.24] has joined #openvpn
06:58 -!- sc [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has quit [Changing host]
06:58 -!- sc [~sc@unaffiliated/asgw] has joined #openvpn
07:17 -!- dar__ [~droutin@gw.theralys.com] has quit [Quit: WeeChat 0.3.0]
07:32 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
07:52 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 264 seconds]
07:53 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
07:59 < vpnHelper> RSS Update - forum: Configuration :: Re: creating openvpn with ubuntu server and windows clinet :: Reply by zina83 <https://forums.openvpn.net/viewtopic.php?f=6&t=7145&p=8042#p8042>
08:01 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
08:18 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
08:28 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
08:29 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
08:59 < vpnHelper> RSS Update - forum: Configuration :: Re: Openvpn and Amazon EC2 with Windows 2008 :: Reply by nadin <https://forums.openvpn.net/viewtopic.php?f=6&t=7167&p=8043#p8043>
09:04 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
09:11 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 250 seconds]
09:14 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
09:23 < vpnHelper> RSS Update - forum: Server Administration :: draft HOWTO "Use a Windows CA with OpenVPN" :: Author libove <https://forums.openvpn.net/viewtopic.php?f=4&t=7173&p=8044#p8044>
09:25 -!- ChristanAa [82e1b818@gateway/web/freenode/ip.130.225.184.24] has quit [Ping timeout: 265 seconds]
09:43 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has quit []
09:45 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
09:52 -!- Deffie [~Deffie@nectarine/admin/deffie] has joined #openvpn
09:54 < Deffie> hello everyone, do you know any free router freebsd/linux distribution able to implement lan to lan vpn with openvpn ? i'm loving pfsense but doesnt fully support vpn bridging, the box is dual homed and will be used only for this scope
09:58 < kotique> push "echo 'msg : blah,blah' " complains about commas, tried to escape with \, didn't work, complains about backslashes
09:58 < kotique> what's the most appropriate solution here?
10:01 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:06 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
10:11 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Ping timeout: 272 seconds]
10:12 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
10:16 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
10:20 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
10:27 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 276 seconds]
10:27 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
10:28 < ecrist> Deffie: pfsense
10:28 < ecrist> you should be able to do it, but you might have to get into the nuts and bolts of things
10:28 < ecrist> people in #pfsense can help you, they're pretty smart
10:37 -!- Mkools [~mukul@117.196.209.85] has joined #openvpn
10:39 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
11:11 -!- dazo is now known as dazo_afk
11:29 < vpnHelper> RSS Update - forum: Installation Help :: Client error :: Author planethax <https://forums.openvpn.net/viewtopic.php?f=5&t=7174&p=8045#p8045>
11:48 < vpnHelper> RSS Update - forum: Installation Help :: Re: Client error :: Reply by planethax <https://forums.openvpn.net/viewtopic.php?f=5&t=7174&p=8046#p8046> || Installation Help :: Re: Client error :: Reply by planethax <https://forums.openvpn.net/viewtopic.php?f=5&t=7174&p=8047#p8047>
11:50 -!- mengu__ [~Death@85.97.58.35] has joined #openvpn
11:50 < mengu__> hi all.
11:53 < mengu__> got a question. i've no idea how to use openvpn. i've just got a new job and they have sent me some .crt, .key and .csr files. where should i copy these files? and where can i read further
11:53 < krzee> they did not send you a config?
11:53 < krzee> what OS are you on?
11:53 < mengu__> linux/ubuntu
11:53 < krzee> and do you even know the general idea of what openvpn does?
11:54 < mengu__> trying to read
11:54 < krzee> !vpn
11:54 < vpnHelper> krzee: "vpn" is http://openvpn.net/index.php/open-source/faq/75-general/293-what-is-the-principle-behind-openvpn-tunnels.html for a basic rundown of what a vpn is
11:56 < krzee> and without a config file, you cant connect the the vpn, they should have given you one with the key files
11:56 < krzee> you should have a ca.crt, a crt/key, and a config
11:58 < mengu__> krzee: i only have "muhammet.key, ca.crt, muhammet.crt, client.ovpn, muhammet.csr"
11:59 < krzee> client.ovpn is your config
11:59 < krzee> you dont need the csr
11:59 < krzee> use full paths for the other 3 files, inside your config
11:59 < krzee> then you can start it with openvpn --config /path/to/client.ovpn
12:00 < krzee> if you really feel like understanding the options in your config, see the manual
12:00 < krzee> !man
12:00 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
12:01 < mengu__> krzee: my pc username is mengu, not muhammet
12:01 < mengu__> should i change muhammet.* to mengu.*?
12:02 < krzee> doesnty matter
12:03 < krzee> they are just filenames
12:04 < vpnHelper> RSS Update - forum: Installation Help :: Re: Client error :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=5&t=7174&p=8048#p8048>
12:09 < Mkools> hi, my all chains are set to ACCEPT policy in iptables, does it mean that I will not face any problem from iptables in setting up single client and server as given in http://www.openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
12:09 < vpnHelper> Title: Static Key Mini-HOWTO (at www.openvpn.net)
12:13 < krzee> thats not client/server
12:13 < krzee> static key is point to point
12:13 < krzee> !sample
12:13 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
12:13 < krzee> thats client / server
12:13 < krzee> !confgen
12:13 < vpnHelper> krzee: "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/
12:14 < krzee> that makes client/server configs as well
12:17 < g0tcha> krzee, if openvpn is running in a lan thats 192.168.1.1 and i want to send All the traffic including gateway through the vpn from the client side,
12:17 < g0tcha> would it work if the client is running on 192.168.1.X as well?
12:18 < krzee> do you plan on sharing the LAN?
12:18 < krzee> or just redirect inet traffic through vpn server
12:18 < g0tcha> only the internet traffic, no LAN sharing
12:18 < g0tcha> so the client wont b able to get online unless the vpn is connected
12:18 < krzee> then its fine
12:19 < krzee> !redirect
12:19 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:19 < g0tcha> def1 is needed for that or not?
12:19 < krzee> you dont want the def1 flag, but you want redirect-gateway
12:20 < g0tcha> ok, so configure openvpn normally according to the guide, and from there just add the redirect-gateway in the server conf and it should work?
12:20 < krzee> you could even just use my confgen
12:20 < krzee> or my sample configs
12:20 < krzee> then you need NAT and ip forwarding on the server
12:21 < g0tcha> ok i think thats where i got stuck last time
12:21 < g0tcha> let me go over my notes and try again and see if i can get it right
12:21 < krzee> its a rather normal setup
12:21 < krzee> what OS is your server?
12:21 < g0tcha> btw, if the vpn is running correctly, it should show the openvpn ip, not the client, right?
12:22 < g0tcha> krzee, ubuntu server
12:22 < krzee> not just if the vpn is running correctly, if all the redirect stuff is
12:23 < krzee> !linipforward
12:23 < vpnHelper> krzee: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
12:23 < krzee> !linnat
12:24 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
12:25 < mengu__> krzee: i've got this error: http://pastie.org/1216033
12:27 < krzee> you did not put the correct full path to your crt
12:27 < vpnHelper> RSS Update - forum: Installation Help :: Re: Client error :: Reply by planethax <https://forums.openvpn.net/viewtopic.php?f=5&t=7174&p=8049#p8049> || Installation Help :: Re: Client error :: Reply by planethax <https://forums.openvpn.net/viewtopic.php?f=5&t=7174&p=8050#p8050>
12:27 < krzee> !path
12:27 < vpnHelper> krzee: "path" is always use full paths in your config file, it makes things easier
12:28 < mengu__> krzee: i tried this: openvpn --config /home/mengu/openvpn/client.ovpn
12:29 < krzee> but you did not do the first thing i said
12:30 < Mkools> krzee: If I have 192.168.0.1 as DHCP and DNS servers and want to set 10.0.0.x as vpn server. Is it possible?
12:30 < krzee> [12:59]  <krzee> client.ovpn is your config
12:30 < krzee> [12:59]  <krzee> you dont need the csr
12:30 < krzee> [12:59]  <krzee> use full paths for the other 3 files, inside your config
12:30 < mengu__> oh sorry, i've missed that line
12:30 < krzee> Mkools, you do not want to use such common subnets
12:30 < krzee> !samesubnet
12:30 < vpnHelper> krzee: "samesubnet" is clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
12:31 < Mkools> g0tcha: Can you comment on this link http://pastebin.com/j2UPSueW
12:32 < Mkools> krzee: Can you please rephrase this in simple terms.
12:32 < vpnHelper> RSS Update - forum: Installation Help :: Re: Client error :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=5&t=7174&p=8051#p8051>
12:32 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 252 seconds]
12:32 < krzee> Mkools, you just asked someone who has never gotten a working vpn up
12:32 < krzee> hehe
12:32 < krzee> Mkools, what is your real goal?
12:33 < ecrist> *cough* !welcome *cough*
12:33 < krzee> aye
12:33 < krzee> !welcome
12:33 < vpnHelper> krzee: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:33 < Mkools> krzee: Just want to play online games with friends/
12:35 < krzee> ahh, you want a bridge
12:35 < krzee> but im no good at helping with those
12:35 < krzee> !bridge
12:35 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc, or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ, or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man)
12:35 < mengu__> krzee: i got this error: http://pastie.org/1216054 and then added "ca /home/mengu/openvpn/ca.crt" line. after that i got this: http://pastie.org/1216064
12:36 < krzee> need to start as root
12:38 < Mkools> krzee: But I want only want to play online games with only one friend, setup openvpn as early as possible for gaining confidence. So that's why I choose this Quick start.
12:38 < vpnHelper> RSS Update - forum: Installation Help :: Re: Client error :: Reply by planethax <https://forums.openvpn.net/viewtopic.php?f=5&t=7174&p=8052#p8052>
12:38 < krzee> but its not the right setup for playing lan games
12:38 < krzee> you need a bridge
12:39 < Mkools> ok, but for instance will help out with this.
12:39 < mengu__> yhank you krzee. it started. now i have no idea how to browse the files, etc. 
12:39 < mengu__> that was very easy with ssh :)
12:39 < Mkools> because bridging is little bit complicated.
12:41 < Mkools> krzee: Can you please answer this If I have 192.168.0.1 as DHCP and DNS servers and want to set 10.0.0.x as vpn server. Is it possible?
12:41 < krzee> as in vpn subnet being 10.0.0.x?
12:44  * ecrist cheers
12:45 < krzee> Mkools, actually i shouldnt even be helping you, i know too little about bridges
12:48 -!- Mkools [~mukul@117.196.209.85] has quit [Quit: Leaving]
12:51 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
12:51 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
12:56 < g0tcha> oi! lol i got it working but not the way i want it to! =p
13:04 < kisom> SUIT UP DAY TOMORROW!!!!
13:05 < kisom> entire IT department is gonna work in suits :)
13:07 < zxvff> cumgratulations
13:13 < krzee> lol
13:22 -!- arejay [arejay@shell.dawnshosting.com] has quit [Ping timeout: 240 seconds]
13:23 < kotique> i don't have a suit
13:24 < krzee> i have a few, but i will never be wearing one to work
13:30 -!- arejay [arejay@shell.dawnshosting.com] has joined #openvpn
13:38 -!- nat2610 [~nfelsen@adsl-99-185-243-218.dsl.pltn13.sbcglobal.net] has joined #openvpn
13:38 < nat2610> !iptables
13:38 < vpnHelper> nat2610: "iptables" is (#1) o test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT;, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-
13:38 < vpnHelper> nat2610: computing.net/wiki/index.php/OpenVPN/Firewall
13:39 < nat2610> !masquerade
13:39 < vpnHelper> nat2610: Error: "masquerade" is not a valid command.
13:39 < nat2610> !forward
13:39 < vpnHelper> nat2610: Error: "forward" is not a valid command.
13:40 < nat2610> what is the command to get the bot to give the rule for the network configration in iptable ? (that thing with postrouting masquerade ... )
13:41 < ecrist> !linnat
13:41 < vpnHelper> ecrist: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
13:41 < krzee> !linnat
13:41 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
13:41 < krzee> doh beat me to it
13:41 < ecrist> beat you to it!
13:41 < ecrist> muahahaha
13:41 < nat2610> thk guys ... 
13:43 < krzee> yw
13:51 -!- oracle_ [~o2@unaffiliated/spice] has joined #openvpn
13:55 -!- oracle [~o2@unaffiliated/spice] has quit [Ping timeout: 245 seconds]
13:56 -!- bandini [~bandini@host213-105-dynamic.45-79-r.retail.telecomitalia.it] has joined #openvpn
13:59 -!- oracle_ is now known as oracle
14:14 -!- kotique [~kotique@bluemile.vps.deepunix.net] has left #openvpn []
14:25 -!- stoned420 [~efnet@167-122.105-92.cust.bluewin.ch] has joined #openvpn
14:27 -!- g0tcha [~efnet@167-122.105-92.cust.bluewin.ch] has quit [Ping timeout: 240 seconds]
14:27 -!- abeehc- [~bob@d207-6-195-163.bchsia.telus.net] has quit [Remote host closed the connection]
14:28 -!- skx [skx@unaffiliated/skx] has joined #openvpn
14:30 < skx> hey, I have installed openvpn server, configured it, clients can connect and ping the server (10.10.0.1) but when they use redirect gateway they cannot connect outside
14:30 < skx> I added the appropriate rule on the server: iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE
14:30 < skx> what else needs to be done? 
14:30 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
14:31 < krzie> also need ip forwarding enabled on the server
14:31 < krzie> !linipforward
14:31 < vpnHelper> krzie: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
14:31 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
14:31 < krzie> the forward chain in iptables must allow...
14:33 < skx> of course... thanks
14:34 -!- skx [skx@unaffiliated/skx] has left #openvpn []
14:37 -!- stoned420 [~efnet@167-122.105-92.cust.bluewin.ch] has quit [Ping timeout: 240 seconds]
15:10 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 276 seconds]
15:11 < mengu__> krzie: i have a question. am i able to browse the files and do anything i can do with ssh?
15:12 < vpnHelper> RSS Update - forum: Installation Help :: Re: Client error :: Reply by planethax <https://forums.openvpn.net/viewtopic.php?f=5&t=7174&p=8053#p8053>
15:17 < krzie> you can ssh over the vpn...
15:17 < mengu__> how do i do that
15:19 < krzie> same as you would without the vpn, but using the vpn IP
15:19 < krzie> the vpn does nothing besides give you a secure network link to the other machines on the vpn
15:19 < krzie> it doesnt give you some new magic interface or replace ssh or anything
15:20 < mengu__> the problem is, i don't know how do i access the files in the network
15:21 < krzie> there must already be some sort of filesharing services running
15:22 < krzie> like smb,nfs,ftp... something
15:24 < mengu__> damn
15:24 < mengu__> lack of knowledge. sucks.
15:25 < krzie> a vpn is just like having a cable to the machine the server runs on
15:25 < krzie> it does nothing more...
15:26 < krzie> its a secure link between 2 machines... what else you do over it is up to you
15:40 -!- tuxx [~sometinel@81.95.4.163] has joined #openvpn
15:40 < tuxx> hey guys
15:41 < tuxx> is there a forum for openvpn?
15:41 < tuxx> i only find forum.openvpn.eu is this the official forum?
15:43 < |Mike|> forums.openvpn.net
15:43 < krzie> !forum
15:43 < vpnHelper> krzie: Server Administration :: Re: HTTP session problems since setting up VPN :: Reply by krzee || Server Administration :: Re: Static ip addresses :: Reply by krzee || Server Administration :: Re: Static ip addresses :: Reply by krzee || Server Administration :: Re: What is the difference between tcp/tcp-server/tcp-client :: Reply ... || Server Administration :: draft HOWTO "Use a Windows CA with
15:44 < vpnHelper> krzie: OpenVPN" :: Author libove || Configuration :: Re: creating openvpn with ubuntu server and windows clinet :: Reply by zina83 || Configuration :: Re: Openvpn and Amazon EC2 with Windows 2008 :: Reply by nadin || Installation Help :: Client error :: Author planethax || Installation Help :: Re: Client error :: Reply by planethax || Installation Help :: Re: Client error :: Reply by planethax
15:44 < vpnHelper> krzie: || Installation Help :: Re: Client error :: Reply by krzee || Installation Help :: Re: Client error :: Reply by planethax || Installation Help :: Re: Client error :: Reply by planethax || Installation Help :: Re: Client error :: Reply by krzee || Installation Help :: Re: Client error :: Reply by planethax || Installation Help :: Re: Client error :: Reply by planethax || Scripting and (1 more message)
15:44 < krzie> whoaaa
15:44 < |Mike|> !more
15:44 < vpnHelper> |Mike|: Error: You haven't asked me a command; perhaps you want to see someone else's more.  To do so, call this command with that person's nick.
15:44 < |Mike|> :P
15:50 -!- g0tcha [~efnet@167-122.105-92.cust.bluewin.ch] has joined #openvpn
16:01 -!- MadTBone [~MadTBone@160.39.238.196] has joined #openvpn
16:01 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Client Quit]
16:01 < krzie> !forums
16:01 < vpnHelper> krzie: Error: "forums" is not a valid command.
16:01 < krzie> weird man, it used to just give a link to the forum when i typed !forum
16:02 < tuxx> forums.openvpn.net only has a category "server administration"
16:02 < tuxx> i have a client side question tho :)
16:03 < |Mike|> and you can't state that question here?
16:03 < tuxx> ive stated it 
16:03 < tuxx> one second
16:03 < tuxx> |Mike|: http://forum.openvpn.eu/viewtopic.php?f=25&t=7232
16:03 < vpnHelper> Title: OpenVPN.eu View topic - OpenVPN with redirect-gateway renders public ip inaccessable (at forum.openvpn.eu)
16:04 < tuxx> vpnHelper monitors the forum? :)
16:04 < vpnHelper> tuxx: Error: "monitors" is not a valid command.
16:04 < tuxx> vpnHelper: calm down dude
16:04 < vpnHelper> tuxx: Error: "calm" is not a valid command.
16:06 < krzie> oh the same question i answered 5+ times
16:06 < krzie> cool
16:06 < tuxx> krzie: we spoke about this yesterday
16:06 < tuxx> u didnt really answer it
16:06 < krzie> i did, what i couldnt answer is why you say that it works on some other machine, cause it shouldnt
16:07 < tuxx> or how to make it work on the other machine...
16:07 < tuxx> "split routing"
16:07 < tuxx> didnt really help
16:07 < tuxx> besides u said that wld be a solution to get it working for SOME hosts... i need it to work for all hosts
16:10 < tuxx> krzie: also why arent the ping replies sent out on tap0
16:11 < tuxx> i dont see anything in tcpdump ... is that normal?
16:13 < tuxx> krzie: did u answer that question 5x on the forum?
16:13 < vpnHelper> RSS Update - forum: Configuration :: OpenVPN with redirect-gateway renders public ip inaccessable :: Author tuxx <https://forums.openvpn.net/viewtopic.php?f=6&t=7175&p=8054#p8054>
16:20 -!- tuxx is now known as tuxx_
16:21 < krzie> nope, i answered it here
16:21 < krzie> and there is no solution for all hosts
16:21 < krzie> either you default route over the vpn, or you do not
16:22 < oracle> i need this
16:22 < oracle> umm the .conf file in static key mode doesnt take entries like "local tun30"
16:23 < oracle> it wants host or ip only. can this be bypassed
16:23 < krzie> nope, it doesnt
16:23 < krzie> see local in the manual
16:23 < krzie> its only for specifying an IP to bind to
16:23 < krzie> you want --dev
16:23 < krzie> but then you must have already made the static tun device of the same name
16:23 < tuxx_> krzie: very hard to believe.. as mentioned before it works on bdn.de
16:24 < krzie> otherwise, you can just use dev tun instead of dev tun30 and it will allocate a new tun device dynamically 
16:24 < krzie> and as i said tuxx_, i dont know why it does... it shouldnt
16:24 < krzie> we had this exact conversation
16:25 < krzie> my only thought was that maybe your ISP was doing some spoof tricks and their uplink didnt do egress filtering
16:25 < tuxx_> krzie: yes and we came to no conclusion :)
16:25 < krzie> you said you were emailing them
16:25 < tuxx_> yes they didnt reply
16:25 < krzie> either way, this is a conversation you need to have with them... you dont even control your server
16:26 < tuxx_> right.
16:31 < vpnHelper> RSS Update - forum: Installation Help :: Re: Client error :: Reply by planethax <https://forums.openvpn.net/viewtopic.php?f=5&t=7174&p=8055#p8055>
16:32 < tuxx_> krzie:  would it be possible to remove the pushed "redirect-gateway" ?
16:33 < krzie> not remove, but override
16:33 < tuxx_> krzie: then i cld perhaps bind the services that i need via vpn to the vpn ip
16:34 < tuxx_> krzie: its not the nicest solution but it wld far better than my current one
16:35 < krzie> erm
16:35 < krzie> bind the services...?
16:35 < tuxx_> well such as: 
16:35 < krzie> i dont think you have quite grasped the issue here
16:35 < krzie> routing works based on subnets
16:36 < tuxx_> krzie: well.. i cld do something such as:
16:36 < tuxx_> ssh -b vpn_ip user@hostname
16:37 < tuxx_> even if my traffic was not going through tap0 by default
16:37 < tuxx_> krzie: am i mistaken?
16:37 < tuxx_> krzie: or i cld have services listen on the vpn_ip
16:37 < tuxx_> rather than the public ip
16:38 < krzie> mistaken
16:38 < tuxx_> hmmm...
16:38 < krzie> replies would go over the eth0
16:38 < krzie> same problem reversed
16:38 < krzie> unless you route to the machine making the request over the vpn
16:38 < krzie> by vpn_ip you mean the public ip of the vpn server, right?
16:40 < tuxx_> krzie: the ip of tap0
16:40 < tuxx_> the local one.. not the server ip
16:41 < krzie> from within the vpn?
16:42 < krzie> or are you assinged a public ip by the vpn server...?
16:44 < tuxx_> when i connect my tap0 is assigned a dynamic ip
16:44 < tuxx_> by the vpn server
16:45 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
16:46 < tuxx_> krzie: ive actually done something like this on a pptp tunnel before
16:47 < tuxx_> it opened a tunnel but did not change the default gateway.. when i did "ssh -b ip_of_pptp_tunnel user@host"
16:47 < tuxx_> the user showed a login from the pptp_ip
16:47 < krzie> dynamic public ip or 1918 ip
16:47 < krzie> !1918
16:47 < vpnHelper> krzie: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
16:48 < tuxx_> krzie: according to "http://vpntunnel.se" it is an "Anonymous dynamic IP"
16:48 < krzie> marketing term, give me an example
16:48 < tuxx_> it is not a private address...
16:48 < tuxx_> 188.126.68.158
16:48 < tuxx_> its not 192.x or 10.x
16:48 < krzie> ok, so its a public accessible ip
16:48 < tuxx_> yea
16:48 < tuxx_> yes i didnt think of that
16:49 < tuxx_> usually ive used openvpn with private ips
16:50 < krzie> so yes, you would have the same problem, but reversed
16:50 < mengu__> krzie: thanks again for your patience and help :)
16:50 < mengu__> good night.
16:51 < krzie> np mengu__, goodnight
16:51 -!- mengu__ [~Death@85.97.58.35] has left #openvpn ["Konversation terminated!"]
16:51 < tuxx_> krzie: dreadful.
16:51 < krzie> its just not how routing works
16:52 < krzie> traffic without a more specific route will leave via your default gateway
16:52 < tuxx_> krzie: but i really dont understand
16:52 < tuxx_> because i have a pptp tunnel working on the other server
16:52 < krzie> i noticed ;)
16:52 < tuxx_> where i am able to do that
16:52 < tuxx_> but on that server
16:52 < tuxx_> everything seems possible :)
16:52 < krzie> so now the other server is using pptp!?!?
16:52 < tuxx_> it always has been
16:52 < krzie> i thought you said it was being done with openvpn
16:52 < tuxx_> yes both
16:52 < krzie> heh
16:53 < tuxx_> it was running a pptp parallel to the openvpn
16:53 < tuxx_> or actually i had it closed the past few day
16:53 < tuxx_> s
16:53 < krzie> we are talking in circles
16:53 < krzie> i will put an end to that by leaving the conversation
16:54 < krzie> when you figure out your solution ild be interested in hearing what you go with
16:54 < krzie> whether it is split-routing, or you figure out what sort of magic made it work on the other server
16:55 < tuxx_> krzie: http://pastebin.com/5UMXxzgv
16:55 < tuxx_> a quick demonstration
16:55 < tuxx_> of bdn.de
16:55 < tuxx_> tuxx     pts/0    93.182.130.41    23:54    2.00s  0.35s  0.13s sshd: tuxx [pri
16:56 < tuxx_> krzie: wldnt this be possible with openvpn too?
16:58 -!- STF00 [~Dirk@i59F5DFDF.versanet.de] has joined #openvpn
17:01 < STF00> hi i need to know if there a possibility that i make clien-to-client connections that aren' be routet over the server?
17:04 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
17:11 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 265 seconds]
17:16 -!- bandini [~bandini@host213-105-dynamic.45-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
17:19 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
17:20 < nDuff> STF00, OpenVPN does not support full-mesh networking
17:21 < tuxx_> krzie: a guy from #networking fixed it!!
17:21 < tuxx_> with a single command
17:29 < tuxx_> actually 2 commands:
17:29 < tuxx_> sudo ip rule add from 91.121.169.129 table 10
17:29 < tuxx_> udo ip route add default via 91.121.169.254 table 10
17:37 < krzie> he changed your default route
17:37 < krzie> doesnt do BOTH
17:39 < tuxx_> what do you mean?
17:39 < tuxx_> i can ping and access both ips
17:40 < tuxx_> all outgoing traffic goes by default via tap0
17:40 < tuxx_> what do you mean by "doesnt do BOTH"?
17:41 < tuxx_> 00:38 < \malex\> tuxx_: no idea what it's called officially, but you created a  second routing table, and then setup a rule for packets with  the src address 99.whatever to use that second routing table  instead of the default
17:41 < tuxx_> krzie: anyway.. thank you for keeping your cool with me and making an effort
17:42 < tuxx_> im really glad this is working
17:42 < krzie> oh thats what that table 10 did
17:42 < krzie> interesting
17:42 < tuxx_> krzie: yea
17:43 < krzie> too bad he didnt know the name, ill have to figure that out
17:43 < tuxx_> krzie: btw can i push those commands in the openvpn config?
17:43 < tuxx_> or wld u simply add them  on boot?
17:43 < krzie> push them no, but you cant push ANYTHING since you dont run the server
17:43 < tuxx_> krzie: well call 
17:43 < krzie> you can put them in an --up script to run when you use the vpn tho ;)
17:43 < tuxx_> not push
17:43 < krzie> !up
17:43 < vpnHelper> krzie: Error: "up" is not a valid command.
17:44 < krzie> !script
17:44 < vpnHelper> krzie: "script" is see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn
17:44 < tuxx_> krzie: right. i will look into it
17:44 < tuxx_> krzie: thanks man!
17:44 < krzie> np, thanx for sharing what did it
17:44 < krzie> sounds very linux specific
17:44 < krzie> i wonder if we have anything similar in bsd
17:44 < jpalmer> !learn-address
17:44 < tuxx_> yes he mentioned, it is
17:44 < vpnHelper> jpalmer: Error: "learn-address" is not a valid command.
17:45 < krzie> tuxx_, pls answer your forum post with that info
17:46 < krzie> will come in useful for others
17:46 < tuxx_> krzie: yes i was going to
17:46 < krzie> thx =]
17:46 < krzie> hey jpalmer, you ever seen that?
17:49 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
17:51 < tuxx_> krzie: how would you go about adding this command to openvpn .. make a script to add/remove and call it on --up and --down? or add the route statically?
17:51 < krzie> if it's always the exact same commands... just paste them into a shell script and call it from --up
17:54 < krzie> looks like freebsd also has multiple routing tables now
17:54 < krzie> that is awesome
17:58 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
17:58 < tuxx_> can an up be called from the config too? 
17:59 < krzie> STF00, no, not with openvpn... it is in the wishlist tho
17:59 < krzie> !wishlist
17:59 < vpnHelper> krzie: "wishlist" is https://forums.openvpn.net/viewforum.php?f=10 for the openvpn wishlist
17:59 < krzie> tuxx_, 
17:59 < krzie> !--
17:59 < vpnHelper> krzie: "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file.
18:00 < tuxx_> krzie: i rarely see people using such bots so effectively :)
18:00 < krzie> ;)
18:04 -!- variable [~variable@unaffiliated/variable] has left #openvpn ["Trojan horse ran out of hay"]
18:15 < tuxx_> krzie: how can i pass username / passwd to openvpn? --auth-user-pass file still prompts me in command line
18:16 < |Mike|> dude
18:16 < |Mike|> RTFM!
18:17 < tuxx_> |Mike|: thats where i got auth-user-pass from.. or do you think i pulled that out of my ass?
18:17 < krzie> you mean you dont want to be prompted?
18:17 < tuxx_> yea
18:17 < |Mike|> Then you might want to read the howto/article further on.
18:17 < krzie> !pwfile
18:17 < vpnHelper> krzie: "pwfile" is (#1) OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h, or (#2) see --auth-user-pass in the manual (!man) for more info
18:17 < |Mike|> you need a file with user/passwd in it..
18:18 < krzie> (it was in the man entry for --auth-user-pass btw)
18:18 < tuxx_> |Mike|: dude.. i have that file
18:18 < |Mike|> (at least in unix)
18:18 < tuxx_> it just didnt accept it
18:18 < tuxx_> krzie: 01:15 < tuxx_> krzie: how can i pass username / passwd to openvpn?  --auth-user-pass file still prompts me in command line
18:18  * |Mike| stubles about logs
18:18 < krzie> you must not have compiled openvpn as directed in --auth-user-pass
18:18 < tuxx_> krzie: i found --auth-user-pass and created the file but it doesnt work.. perhaps its not compiled in
18:18 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 252 seconds]
18:19 < krzie> its not, unless you did it specificly
18:19 < tuxx_> nope.
18:19 < tuxx_> ok thanks.. krzie 
18:19 < tuxx_> |Mike|: your rtfm was uncalled for.
18:19 < |Mike|> lies.
18:19 < |Mike|> Standard install of openvpn-server on debian has it build in ;)
18:19 < |Mike|> built*
18:20 < krzie> well it was right there in the manual...
18:20 < krzie> --auth-user-pass [up] 
18:20 < krzie> Authenticate with server using username/password. up is a file containing username/password on 2 lines (Note: OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h). 
18:20 < krzie> If up is omitted, username/password will be prompted from the console. 
18:20 < krzie> The server configuration must specify an --auth-user-pass-verify script to verify the username/password provided by the client.
18:20 < tuxx_> krzie: i reposted my question once already
18:20 < tuxx_> krzie: 01:15 < tuxx_> krzie: how can i pass username / passwd to openvpn?  --auth-user-pass file still prompts me in command line
18:20 < tuxx_> i clearly state --auth-user-pass
18:20 < tuxx_> i know its in the man thats where i found it
18:21 < krzie> right... but clearly didnt read the man entry on it where it tells you the configure option needed to enable it
18:21 < krzie> not that i especially care, it was easy for me to type !pwfile ... but you cant tell me you did read that
18:22 < tuxx_> krzie: im rechecking my manpage
18:22 < tuxx_> i cant find that line
18:22 < krzie> !man
18:22 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:23 < tuxx_> ok its there.
18:23 < tuxx_> sorry then
18:23 < krzie> all good, as i said i dont care
--- Log closed Tue Oct 12 18:26:27 2010
--- Log opened Tue Oct 12 18:32:14 2010
18:32 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined #openvpn
18:32 -!- Irssi: #openvpn: Total of 89 nicks [4 ops, 0 halfops, 0 voices, 85 normal]
18:32 -!- SDE [~SDE@93-97-41-44.zone5.bethere.co.uk] has quit [Ping timeout: 240 seconds]
18:32 -!- [1]SDE is now known as SDE
18:33 -!- Irssi: Join to #openvpn was synced in 56 secs
18:46 -!- STF00 [~Dirk@i59F5DFDF.versanet.de] has left #openvpn []
18:47 < vpnHelper> RSS Update - forum: Configuration :: Re: OpenVPN with redirect-gateway renders public ip inaccess :: Reply by tuxx <https://forums.openvpn.net/viewtopic.php?f=6&t=7175&p=8056#p8056>
18:49 < |Mike|> tuxx_: are you dutch?
18:49 < tuxx_> nope. german
18:49 < |Mike|> ok.
18:50 < tuxx_> why do you ask?
18:50 < |Mike|> just wondering
18:50 < tuxx_> |Mike|: u dont think much of dutch people, do you? :D
18:50 < krzie> i would think he does
18:50 < tuxx_> hehe ok :)
18:51 < |Mike|> I'm actually Dutch ;)
18:51 < krzie> hehe
18:51 < tuxx_> hehe ok :)
18:52 < tuxx_> im going to amsterdam on saturday :)
19:02 -!- diffen3 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 264 seconds]
19:07 -!- diffen3 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
19:22  * nDuff is certainly fond of Dutch-style bicycles
19:22 < nDuff> just commissioned a custom one for the wife
19:22 -!- patel [~patel@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined #openvpn
19:22 < patel> .
19:23 < nDuff> ?
19:23 < patel> just checking what nick I am ircing as
19:23 < patel> is that okay?
19:24 < |Mike|> try /diso!
19:24 < patel> yeah ok genius
19:25 -!- mode/#openvpn [+o patel] by openvpn2009
19:29 < krzee> sup patel
19:30 <@patel> hey how is it going krzee
19:30 < krzee> doin alright
19:30 < krzee> kinda lazy today
19:30 < |Mike|> i'm born lazy
19:30 < krzee> should be scripting stuff i guess, but i think im just gunna watch videos instead
19:33 <@patel> be back from home in a bit
19:33  * patel &
19:44 -!- arejay [arejay@shell.dawnshosting.com] has quit [Ping timeout: 240 seconds]
19:48 -!- arejay [arejay@shell.dawnshosting.com] has joined #openvpn
20:10 -!- SDE [~SDE@93-97-41-44.zone5.bethere.co.uk] has quit [Read error: Connection reset by peer]
20:18 -!- Nappy [~nappy@97.97.247.123] has joined #openvpn
20:20 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined #openvpn
20:25 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
20:55 < oracle> my routes are like this
20:55 < oracle> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
20:55 < oracle> 192.168.1.5     *               255.255.255.255 UH    0      0        0 tun0
20:55 < oracle> 192.168.30.0    *               255.255.255.0   U     0      0        0 eth0
20:55 < oracle> default         192.168.30.1    0.0.0.0         UG    0      0        0 eth0
20:55 < oracle> this is me behind a nat connecting to a net
20:56 < oracle> anyway, route add default gw 192.168.1.5 doesnt have the desired effect of routing everythjing 
20:56 < oracle> transparently over the tunnle
20:56 < oracle> that's the gateway which should be able to work
20:59 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left #openvpn []
21:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
21:45 < ecrist> oracle: please no pasting in here, thanks.
21:51 < krzee> oracle,
21:51 < krzee> !redirect
21:51 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
21:51 < krzee> and always start as root or windows admin
21:53 < ecrist> unless you have proper device permissions setup, which most coming here for help don't know how to do.
22:02 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
22:05 < theDoc> or we could give out hugs and comfort you.
22:17 < krzee> >:D<
22:22 < krzee> wow samba is easy to setup
22:22 < krzee> that took about 2min
22:23 < krzee> (my friend who moved out here uses windows, wanted to give him network access to my nfs
22:23 < krzee> )
22:24 < ecrist> yeah, it's pretty simple, even when you use ldap as auth backend.
22:24 < ecrist> AFP is even easier.
22:25 < ecrist> AFP can use PAM pretty easily.
22:26 < krzee> didnt want auth, just to make my movies dir readonly, and open to guest
22:27 < krzee> but ya i imagine that would be easy too
22:27 < ecrist> I finally got my new matrox unit, and a sleek/sexy magic trackpad
22:28 < ecrist> thus, the space in front of my monitors back, and the use of both of them now.
22:28 < ecrist> :)
22:30 < krzee> link to your trackpad?
22:31 < ecrist> http://store.apple.com/us/product/MC380LL/A?fnode=MTY1NDA1Mg&mco=MTg1ODE3MDE
22:31 < vpnHelper> Title: Magic Trackpad - Apple Store (U.S.) (at store.apple.com)
22:32 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
22:36 < krzee> AWESOME
22:36 < krzee> i have wanted one for a long time, didnt know it existed
22:36 < krzee> usb isnt an option?
22:37 < ecrist> it was what held me up from upgrading my dual-head adapter, I fell in love with multitouch on the MBP, so it had to be open anyhow.
22:37 < ecrist> after they came out with this trackpad, the MBP can be closed up and hidden, again. :)
22:41 < krzee> meh, could be worth the constant cost of batteries
22:41 < ecrist> my keyboard gets about ~3months on a single set
22:42 < krzee> makes no sense they dont have a usb option
22:43 < ecrist> c'mon, you know apple - it's all about design and cords are ugly
22:43 < jpalmer> rechargable batteries.   I use them,  and have a spare set of duracells I use for a couple hours every few months while they recharge.
22:43 < ecrist> I've thought about it
22:44 < jpalmer> make sure you get NiMH,  not NiCad, though.  NiCad won't last long on a keyboard.
22:45  * jpalmer has been working with learn-address, and openvpn for doing DDNS updates to bind.
22:45 < jpalmer> so far,  the script works if I run it by hand.  but when I have openvpn run it,  I get a failure.
22:46 < krzee> maybe it depends on env vars, or a certain shell (and doesnt have the shebang)?
22:46 < krzee> maybe you drop privs and the script requires them?
22:46 < ecrist> env vars or pathing issues
22:47 < jpalmer> it may be env. I'm working to debug now
22:47 < ecrist> add -x to shbang?
22:47 < krzee> aye
22:49  * ecrist goes away
22:50 < krzee> if you echo stuff out, it should go to log
--- Day changed Wed Oct 13 2010
00:09 -!- levi_ [54ac66ae@gateway/web/freenode/ip.84.172.102.174] has joined #openvpn
00:09 < levi_> Hi and good morning
00:14 < levi_> i'm trying to build up a connection to a vpn with openvpn on ubuntu 10.04 . this is my command on the commandline and i'm getting the following output... http://privatepaste.com/b38b9aa16a   on windows i use the astaro vpn-client... i've got an .ovpn file too, but i don't know how to use it or even if i can use it in openvpn
00:14 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: allow ssh via on non vpn address while vpn is open :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7163&p=8039#p8039>
00:20 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: allow ssh via on non vpn address while vpn is open :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7163&p=8041#p8041>
00:33 -!- cvance [~cvance@12.130.106.86] has joined #openvpn
00:33 < cvance> !help
00:33 < vpnHelper> cvance: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
00:33 < cvance> There was a noob guide at one point in time that openvpn used to have, can anyone let me know how to get to it
00:41 -!- cvance [~cvance@12.130.106.86] has quit [Ping timeout: 264 seconds]
00:46 -!- bartzy [c25a7171@gateway/web/freenode/ip.194.90.113.113] has quit [Ping timeout: 265 seconds]
00:50 -!- levi_ [54ac66ae@gateway/web/freenode/ip.84.172.102.174] has left #openvpn []
00:51 -!- WebDawg [~WebDawg@officialg0d.com] has quit [Quit: FU]
00:51 -!- WebDawg [~WebDawg@officialg0d.com] has joined #openvpn
00:56 -!- WebDawg [~WebDawg@officialg0d.com] has quit [Remote host closed the connection]
00:57 -!- WebDawg [~WebDawg@officialg0d.com] has joined #openvpn
01:08 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
01:12 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
01:13 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
01:28 -!- koaschten [~koaschten@193.175.177.176] has joined #openvpn
01:59 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
01:59 -!- diffen3 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Read error: Connection reset by peer]
02:08 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Quit: Leaving]
02:11 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
02:35 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
02:39 -!- dazo_afk is now known as dazo
02:46 -!- koaschten [~koaschten@193.175.177.176] has quit [Read error: Connection reset by peer]
02:48 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
02:48 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
02:48 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
02:50 -!- koaschten [~koaschten@193.175.177.168] has joined #openvpn
03:10 -!- Nappy [~nappy@97.97.247.123] has quit [Ping timeout: 265 seconds]
03:12 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined #openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
04:19 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: How to setup a OpenVPN network where the client specifie :: ... <https://forums.openvpn.net/viewtopic.php?f=15&t=2560&p=8057#p8057>
04:21 < |Mike|> damn, why would someone possibly want that
04:25 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Assign unique public IP for each openvpn user :: Author stefangar <https://forums.openvpn.net/viewtopic.php?f=15&t=7176&p=8058#p8058>
04:31 -!- Deffie [~Deffie@nectarine/admin/deffie] has quit [Read error: Connection reset by peer]
04:33 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
04:35 -!- koaschten [~koaschten@193.175.177.168] has quit [Ping timeout: 276 seconds]
04:39 -!- Deffie [~Deffie@195.62.234.66] has joined #openvpn
05:00 -!- lkthomas [lkthomas@218.213.78.173] has joined #openvpn
05:00 < lkthomas> hey guys
05:00 < lkthomas> any alternative solution for opensource browser based ssl vpn for openvpn ?
05:01 < theDoc> openvpn != browserbased ssl portal
05:01 < lkthomas> I know
05:02 < lkthomas> but I am looking for a solution here
05:03 -!- lkeijser [~leon@fedora/lkeijser] has joined #openvpn
05:03 < lkeijser> could someone tell me if i can use tunnel mode openvpn with windows clients and a linux server?
05:03 < theDoc> I fail to see why you're asking for help here when you already know that openvpn isn't an ssl portal.
05:04 < theDoc> lkeijser: Yes, that's possible.
05:04 < lkthomas> one more question
05:04 < lkthomas> is it possible to encrypt the configuration file on openvpn client ?
05:04 < theDoc> No, I don't believe so.
05:04 < lkthomas> I don't want user messing around with it so I want it lock
05:05 < lkeijser> theDoc: okay, thanks
05:05 -!- portablejim [~james@unaffiliated/portablejim] has left #openvpn ["Ex-Chat"]
05:05 < theDoc> Take a hammer and break their fingers ;)
05:05 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: brb]
05:05 < lkthomas> LOL
05:06 < lkthomas> by the way
05:06 < lkthomas> is it possible to update client VPN config file by pushing it to them ?
05:06 < lkthomas> when they connect I mean
05:09 < lkeijser> lkthomas: what changes are you trying to push ?  i don't think it's possible as the configuration file is used to make the connection in the first place
05:09 < lkthomas> minor change
05:10 < lkeijser> like?
05:10 < lkthomas> like next connect IP address
05:10 < lkthomas> actually, I hope user could fetch a list of server before connect each time
05:10 < lkthomas> so that we don't need to tell user to change IP
05:10 < lkeijser> you could opt to connect to a host, and the just change the IP of the host
05:10 < lkthomas> sorry ?
05:10 < lkeijser> or use DNS-RR
05:11 < lkeijser> or a loadbalancer
05:11 < lkthomas> DNS-RR wouldn't work
05:11 < lkthomas> in our situation I mean
05:11 < lkeijser> it rarely does :)
05:11 < lkthomas> we are force to use IP base server
05:11 < lkeijser> well, i don't think it would work, but then again, i've never tried it
05:12 < lkthomas> hmm
05:16 -!- koaschten [~koaschten@193.175.177.218] has joined #openvpn
05:20 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
05:25 < lkeijser> hm, for some weird reason, only 1 user at a time can connect ...
05:25 < lkeijser> different certificates/keys/IP's
05:25 < lkeijser> both can connect, but only one can actually send traffic over the tunnel
05:25 < lkeijser> connection tracking issue?
05:28 < reiffert> which ip address do they get?
05:28 < lkeijser> let me check, hold on
05:29 < lkeijser> both different from the ifconfig-pool i've defines
05:29 < lkeijser> s/defines/defined/
05:30 < lkeijser> argh .. .i mean they're both unique and are within the ifconfig-pool i've defined
05:49 -!- lkeijser [~leon@fedora/lkeijser] has quit [Ping timeout: 265 seconds]
05:51 -!- njan [~james@freenode/staff/njan] has joined #openvpn
05:53 -!- lampe [~lampe@82.100.209.66] has joined #openvpn
05:53 < lampe> hi
05:54 < lampe> is it possible to use openvpn client on windows to connect to m0n0wall V 1.3*?
05:55 < lampe> I just want to use a username password combination for auth... so I want avoid any key and cert files which have to be shared to the client... (I know it is not secure)
06:03 -!- g0tcha` [~efnet@167-122.105-92.cust.bluewin.ch] has joined #openvpn
06:05 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
06:06 -!- lkeijser [~leon@fedora/lkeijser] has joined #openvpn
06:06 -!- g0tcha [~efnet@167-122.105-92.cust.bluewin.ch] has quit [Ping timeout: 264 seconds]
06:12 -!- s7r [~s7r@188.27.111.55] has left #openvpn []
06:13 -!- SURFkees [~kees@2001:610:508:109:21c:23ff:fe0a:282d] has joined #openvpn
06:13 < SURFkees> is openvpn affected by the ECDH openssl vuln?
06:17 <@dazo> lkthomas: you actually have a brilliant idea in regards to "encrypting" the config ... I would probably not do encryption, but signing the config file and verifying the signature against the server certificate could really be a neat feature
06:18 < ecrist> dazo - that could come along with being able to distribute configs from the daemon itself
06:18 < ecrist> allowing the admin to allow unsigned configs or not from within the server config
06:18 <@dazo> ecrist: well, the config signature is quite easier to implement than server pushed config, unfortunately
06:19 < ecrist> for sure, I'm just saying they sort of go hand-in-hand, difficulty aside
06:19 <@dazo> but distributed configs is also a must to get implemented
06:19 <@dazo> yeah, agreed
06:19 -!- lampe [~lampe@82.100.209.66] has quit [Ping timeout: 276 seconds]
06:23 -!- lampe [~lampe@82.100.209.66] has joined #openvpn
06:23 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: allow ssh via on non vpn address while vpn is open :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7163&p=8059#p8059>
06:32 <@dazo> SURFkees: you got any more pointers that openssl vuln?  in general, openvpn depends 100% on openssl, so potentially it influences openvpn - unless openvpn don't use that code path
06:33 < lkeijser> anyone knows why only 1 person at a time can connect with my openvpn server (running in TUN mode) ?
06:34 <@dazo> !configs
06:34 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
06:34 <@dazo> lkeijser: ^^
06:34 < lkeijser> ok ;)
06:38 < lkeijser> http://pastebin.com/ALysufYV
06:39 < lkeijser> i use one iptables rule on my server:    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
06:40 <@dazo> SURFkees: I found a few references on marc.info .... It seems that if you have an OpenSSL library with OPENSSL_NO_ECDH configured, you're safe ... some distroes do that due to some patent concerns .... so that's at least one possible workaround ... but if you do not have OPENSSL_NO_ECDH configured, you might be vulnerable to a DoS attack.
06:41 <@dazo> lkeijser: lets do !logs as well
06:42 <@dazo> !logs
06:42 < vpnHelper> dazo: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
06:42 <@dazo> what's interesting is the server and client logs when the second client tries to connect and gets rejected
06:43 < lkeijser> dazo: it doesn't get rejected ... it connects to the tunnel fine, but then can't send traffic through the tunnel
06:43 < lkeijser> dazo: i see with tcpdump on the server that it sends traffic, but the replies don't get send to the 2nd client  (only the 1st one works fine)
06:43 < lkeijser> dazo: do you still want me to paste logs?
06:44 <@dazo> lkeijser: okay ... yes logs will help to clarify ... but notice the comment about --verb
06:44 < lkeijser> dazo: okay, hang on while i grab some logs
06:44 < lkeijser> and thanks btw
06:46 -!- koaschten [~koaschten@193.175.177.218] has quit [Read error: Connection reset by peer]
06:48 < vpnHelper> RSS Update - forum: Wishlist :: openvpn and a different ntlm auth :: Author stortoaranci <https://forums.openvpn.net/viewtopic.php?f=10&t=7177&p=8060#p8060>
06:49 -!- koaschten [~koaschten@193.175.177.196] has joined #openvpn
06:51 < SURFkees> dazo: Thanks, how do I check if my openssl library has NO_ECDH?
06:52 <@dazo> SURFkees: you need to figure out how your distro compiles OpenSSL .... which distro do you use, btw?
06:52 < SURFkees> Debian
06:52 < SURFkees> Debian Lenny even
06:53 <@dazo> SURFkees: oki ... I don't know anything particular here right now
06:53 -!- daemon [~daemon@2001:470:92bc:0:48cc:528d:8291:64b2] has joined #openvpn
06:54 <@dazo> SURFkees: openssl version -a ... might give you a clue
06:55 < SURFkees> dazo: yea, that did the trick, thanks
06:58 <@dazo> SURFkees: it seems that OPENSSL_NO_ECDH is not reported at all by that command
06:58  * dazo checked against a RHEL5 box which is supposed to be compiled without ECDH
06:59 < SURFkees> dazo: well, I found /usr/include/openssl/ecdh.h on my system
06:59 <@dazo> SURFkees: that's a good indication ... that file is missing on RHEL5
06:59 < SURFkees> yea, the build logs on the debian buildd page for openssl also indicate ecdh being compiled
07:00 < daemon> hi is it possible to have openvpn to appear as a machine on my home lan my current setup is: 10.0.1.1/24, gateway: 10.0.1.1, lan users: 10.0.1.10+, I would liek it so I can 'bridge in' my remote server so it appears as 10.0.1.4 and offer mail and samba services
07:01  * dazo wonders why so many people wants to complicate their lifes with bridging ....
07:04 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
07:05 < ecrist> dazo: it's a common topic
07:05 < ecrist> most people think they need it for windows file sharing
07:06 < ecrist> that being said, I run our company VPN as a bridged network.
07:06 <@dazo> I know ... but I still wonder where they get that impression that bridging is The Solution ...
07:06 < daemon> dazo, I just assumed I would be bridging a level 2 tap interface with a physical one =o
07:06 <@dazo> bridging is fine, where it is the appropriate solution ... but it's not necessarily the easiest and best solution for everyone
07:07 < ecrist> in their defense, things like gaming and SMB/CIFS 'just work' with bridging
07:07 < daemon> what would be the best way to proceed
07:07 <@dazo> daemon: do you have WINS server in your network?
07:07 < daemon> dazo, no
07:07 < ecrist> daemon: yes, it's possible.
07:08 < ecrist> setup a server on your home LAN, create tap interface, bridge tap interface to your home lan ethernet interface, point openvpn to that tap interface, start openvpn 
07:08 < ecrist> pretty much that easy
07:08 < daemon> I thoguht bridging was bad
07:08 < daemon> I could setup a wins server if it would be a better way around it
07:09 <@dazo> there are issues with bridging which you need to be aware of ... like conflicting DHCP servers, if you have one on each side of the network ... more overhead of tunnelled traffic, broadcasts being tunnelled and not just the needed traffic
07:09 < daemon> I have a spare system st doing nothing
07:09 < lkeijser> dazo: sorry for the delay .. takes some time gathering logs from 3 hosts that aren't all mine :)   http://pastebin.com/4CrMMtaL
07:09 < daemon> dazo, only one dhcp server the remote server is staticly assigned
07:10 <@dazo> daemon: well, in that case, it might work for you
07:10 < daemon> and I would assign it in the range of 10.0.1.2-10.0.1.9
07:10 < daemon> my dhcp server for my lan is 10+
07:10 < daemon> anything on the 9- range is a static service like a print server
07:10 < daemon> or something similiar
07:10 < ecrist> daemon: bridging is often used as the 'right' solution, when it usually isn't.  in your case, things seem simple enough, that's what I'd do.
07:11 < daemon> excellent, thank you dazo & ecrist 
07:11  * dazo agrees to ecrist 
07:11 < ecrist> dazo: conflicting DHCP servers isn't an issue if they're setup right, and the client isn't bridging it's vpn interface with it's lan interface
07:12 < ecrist> 99% of the time, clients do not need to bridge anything, though people often feel the need to bridge tap with lan interfaces
07:12 <@dazo> ecrist: true ... somehow, I was in a network-to-network bridge mindset ... not network to road-warrior setup
07:12 < ecrist> that's where a lot of problems arise.
07:14 < daemon> silly question, my setup would be lan: {em0,tap0} where tap0 = 10.0.1.6 | remote = tap0 10.0.1.7, then won't I be able to see the client end point 10.0.1.6 from my lan also
07:14 < daemon> I could really do with just seeing 10.0.1.7
07:15 < ecrist> the vpn server doesn't need an IP on it's tap interface
07:15 <@dazo> lkeijser: good logs ... except you cut them when the rWwRrrWWwwR stuff would come ...
07:15 < daemon> ah
07:15 < lkeijser> dazo: cut which ones? i thought i saved everything ..
07:15 < ecrist> where people get confused is in thinking IPs are required for bridging to work.  tap is an ethernet interface, and can operation with other protocols than just IP
07:16 <@dazo> actually, in a bridged setup em0 and tap0 won't have an IP ... but the bridge interface would have the IP ... or am I wrong?
07:16 < ecrist> you're wrong
07:16 <@dazo> okay, on Linux that's the usual setup 
07:16 < ecrist> if you're running IP on the bridge (most will), the IP can exist on any of the three
07:16 < daemon> hey hey works perfect 1ms delay, excellent that was alot easier than I first thought it would be
07:17 < daemon> odddly I did not even have to bridge them
07:17 < ecrist> since it's bridging, they all function as a single interface, so it doesn't matter
07:17 <@dazo> br0 get the interface ... and eth0 and tap0 are devices in promisc mode
07:17 < daemon> it just worked
07:17 <@dazo> \o/
07:17 < ecrist> I think the norm is to assign the IP to the bridge interface, but I've seen it all which ways
07:18 <@dazo> lkeijser: you cut the log after the connection is established ... and not when the traffic should begin to flow
07:18 < ecrist> daemon: if you're running the services on the vpn server, you won't.  but, your vpn clients won't get access to the rest of the network without the bridge between interfaces.
07:18 < daemon> ecrist, my windows box 10.0.1.213 can ping 10.0.1.7 succesfully
07:19 < lkeijser> dazo: there is no log when traffic flows. I've only tested it with ping though, let me see if i can generate log with actual traffic
07:19 <@dazo> lkeijser: try using --log and log to files ... it looks like you're using syslog logging right now, that might be the reason
07:20 < daemon> oh I see why
07:20 < lkeijser> dazo: ah :)  okay i'll try that
07:21 < reiffert> strange routing problem on my macbook.
07:21 < reiffert> from the openvpn logs:
07:21 < reiffert> 2010-10-13 14:13:32 /sbin/route add -net 192.186.179.0 10.8.12.1 255.255.255.0 add net 192.186.179.0: gateway 10.8.12.1
07:21 < reiffert> (looks fine)
07:21 -!- SURFkees [~kees@2001:610:508:109:21c:23ff:fe0a:282d] has left #openvpn ["Leaving"]
07:22 <@dazo> reiffert: looks like the logging got screwed up to me, though
07:23 < reiffert> routing tables with and without openvpn:
07:23 < reiffert> http://pastebin.ca/1960838
07:23 < daemon> for the bridge to be succesful would the correct way to be to initilize it on boot and assign it my gateway ip 10.0.1.1, then bind services to bridge0 instead of the em0 they was using previously
07:23 < reiffert> dazo: just the paste (local problem) got screwed up, see the pastebin.ca
07:23 < ecrist> that route command isn't right.
07:24  * ecrist looks at pastebin
07:24 < reiffert> pasting the log _with_ linebreaks:
07:24 < reiffert> 2010-10-13 14:21:53 /sbin/route add -net 192.186.179.0 10.8.12.1 255.255.255.0
07:25 < reiffert>                                         add net 192.186.179.0: gateway 10.8.12.1
07:25 < reiffert> the first line is the call and the 2nd line is the result from the route'ing command.
07:25 < reiffert> (which is fine)
07:25 <@dazo> reiffert: I'm not sure I see what's wrong ... I see what I would expect to see ... 
07:25 < reiffert> however routing tables looks quite ok.
07:25 < reiffert> but now have a look at this:
07:26 < reiffert> http://pastebin.ca/1960840
07:27 < reiffert> strange eh?
07:27 <@dazo> reiffert: that's what I would expect ... your openvpn route says ... 192.186.179  ... and you add a new route 192.168.179 .... you've swapped 6 and 8
07:27 < lkeijser> dazo: i've restarted the openvpn server with a --log parameter (in config file actually) and the only thing i see extra in the server logfile is:  WWWRRWRRWWRRwWRwWRRwWRwWRWRRWRwWWRRWWRR
07:28 <@dazo> lkeijser: only in the server log
07:28 <@dazo> ?
07:28 < lkeijser> dazo: no on the client (the one that traffic fails) i see WWWRrWRrWrWRrWRWrWRWRWRWRrWRWRW
07:28  * reiffert points his head at the close wall and starts running
07:28 < reiffert> thanks.
07:28 <@dazo> reiffert: :)
07:29 < lkeijser> i blindly assume that this stands for read/write .. i just don't know what's the difference between the caps and non-caps 
07:29 < ecrist> lol@reiffert
07:30 <@dazo> lkeijser: that's right ... I always forget if RW is read/write on the tunnel device or the openvpn socket to the other openvpn side
07:30 <@dazo> RW is for tunnel or socket ... and rw is the other one
07:32 < lkeijser> dazo: i've tested it a couple of times, and the first one to connect has no problems, only the second (and more) client can't pass traffic through the tunnel
07:32 <@dazo> lkeijser: sounds more and more like firewalling or routing now
07:33 < lkeijser> dazo: i agree ... except i can't put my finger on it
07:33 <@dazo> lkeijser: I'm sorry, but I gotta run now ... but I'm sure others can help here as well ... and now you have what others will ask for as well (configs, logs)
07:33 < lkeijser> dazo: sure, no problem.  Thanks for the help so far!
07:33 <@dazo> lkeijser: tcpdump will help you there
07:36 < lkeijser> well, the strang thing is that i do an ssh connect from  client --vpntunnel--> remote-sshd   and i see traffic being sent. It gets masqueraded so the remote sshd sends a reply back to the masq'd IP. But then the traffic doesn't get 'de-masqueraded' it seems, as no reply ever gets send back into the tunnel 
07:36 < daemon> hey guys I have it working kind of tcpdump shows udp traffic flying across the interface
07:36 < daemon> but when I try to ping or scan 10.0.1.1 from 10.01.8 (remote server)
07:36 < daemon> I get: sendto in send_ip_packet_sd: sendto(4, packet, 28, 0, 10.0.1.1, 16) => Host is down
07:36 < daemon> Offending packet: ICMP 95.154.246.222 > 10.0.1.1 Echo request (type=8/code=0) ttl=43 id=35567 iplen=7168
07:37 < daemon> I thought it was the route so I did: route add 10.0.1.0/24 10.0.1.8
07:37 < daemon> add net 10.0.1.0: gateway 10.0.1.8: route already in table
07:37 < daemon> that was on the server
07:37 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
07:43 < daemon> this is what tcpdump can see: http://pastie.org/1218008
07:47 -!- dazo is now known as dazo_afk
07:49 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
07:54 -!- SDE [~SDE@93-97-41-44.zone5.bethere.co.uk] has joined #openvpn
07:55 < SDE> Guys what distro is recommended for OpenVPN?
07:56 < lkeijser> SDE: openvpn should work on any distro which has the openvpn package in its repo(s)
08:00 < ecrist> SDE: freebsd
08:00 < ecrist> ;)
08:00  * lkeijser is puzzled
08:00 < SDE> I was thinking Debian or Ubuntu LTS?
08:01 < SDE> my VPS does not support BSD unfortunatley :S
08:01 < ecrist> sure, whatever works.
08:01 < ecrist> if you're going to ask for a suggestion, I'll recommend what I think is best.  that happens to be freebsd
08:07 < daemon> SDE, if its a vps make sure its not openvz
08:07 < daemon> if it is you cannot create tap or tun interfaces
08:07 < daemon> and openvpn will not work on any distro
08:14 < Deffie> using tap, after succesful connection, attemping to make traffic i get this: "write to TUN/TAP : Connection refused (code=111)" in the server log file, i found it can depend on time desync but it is not my case
08:14 < SDE> its Xen VPS
08:18 < reiffert> SDE: Windows XP
08:20 < SDE> 0_O
08:25 < daemon> ecrist, I found out that if I add the ip 10.0.1.2 to tap0 on the server side it all works... I cannot seem to get it to work with just the client having an ip though it seems the server must have one
08:25 < daemon> well both have to have a valid ip
08:25 < ecrist> daemon: you need to bridge tap and ethernet adapters on the server
08:25 -!- Deffie [~Deffie@195.62.234.66] has quit [Ping timeout: 245 seconds]
08:25 < daemon> ecrist, I have done tap0,em0
08:26 < daemon> I swapped the order around so my head gateway is the server so tap0 its self has no ip and the remote server is a client ip 10.0.1.8
08:26 < daemon> but nothing could reach 10.0.1.8 so I set the ip 10.0.1.2 on tap0 and everything works
08:26 < daemon> the setup was bridge0 {tap0[no ip],em0[no ip]} [LAN]   --       tap0 {10.0.1.8} [remote client]
08:27 < daemon> it is now:
08:27 < ecrist> well, either tap0 or em0 need an ip to be reachable by ip
08:27 < daemon> bridge0 {tap0[10.0.1.2],em0[no ip]} [LAN]      --       tap0{10.0.1.8} [remote client]
08:27 < daemon> in both cases bridge0 its self is 10.0.1.1
08:29 < daemon> ecrist, ok so this setup is correct
08:29 -!- Deffie [~Deffie@195.62.234.66] has joined #openvpn
08:29 -!- koaschten [~koaschten@193.175.177.196] has quit [Read error: Connection reset by peer]
08:29 < daemon> ecrist, I could also do I think bridge0/noip, em0: 10.0.1.1, tap0: 10.0.1.2
08:30 < daemon> remote tap0: 10.0.1.8
08:30 < daemon> I think... does that seem sane?
08:36 < ecrist> sure
08:36 < ecrist> or put both IPs on the bridge virt interface
08:36 < ecrist> it doesn't really matter where the IP is, since ethernet is being passed on all three
08:39 -!- koaschten [~koaschten@193.175.177.142] has joined #openvpn
08:40 < daemon> ah
08:40 < daemon> ecrist, but hold a minute why do I need 10.0.1.2 on tap0
08:40 < ecrist> you shouldn't
08:40 < daemon> if em0 is 10.0.1.1 surely 10.0.1.8 should be able to reach it anyway
08:40 < ecrist> so, you tell me
08:40 < ecrist> ;)
08:40 < daemon> ok what would cause that problem
08:40 < daemon> lol
08:40 < ecrist> firewall?
08:40 < daemon> disabled on both machines
08:40 < daemon> it looks like a routing issue
08:41 < daemon> but im not sure how I would even check or find out
08:41 < ecrist> if there are conflicting IP subnets, that's going to be a problem, and really isn't related to openvpn, but the 'special' admin that configured your vpn
08:41 < daemon> there is only one subnet
08:42 < daemon> ok this is slightly weird...
08:42 < daemon> ecrist, I did this, ifconfig tap0 inet 10.0.1.2; it then worked, so I removed the ip and it still continued working
08:42 < daemon> arp discovery is slow perhaps?
08:43 < ecrist> ifconfig tap0 up?
08:43 < ecrist> most interfaces don't come up automatically until they have anIP
08:43 < daemon> DOH
08:43 < daemon> how did I forget that
08:43 < daemon> thank you for the help ecrist ;)
08:43 < ecrist> you probably need an up script in openvpn server config to 'up' the tap0 interface for you
08:43 < ecrist> no problem.
08:43 < ecrist> been burned by that one myself a few times.
08:44 < daemon> ecrist, its ok I will add it to its startup script to mark the interface as up on creation
08:44 < ecrist> that's what I do on bsd
08:44 < daemon> ^_^
08:44 < ecrist> ifconfig_clone="tap0"\n ifconfig_tap0="up"
08:45 < daemon> ah straight in rc.conf I was going to make my own sh and add it to /etc/rc.d/NETWORKING
08:45 < daemon> then I can create the interfaces start openvpn and then dns then samba etc
08:45 < daemon> so it all comes up in a nice neat fasion
08:46 < daemon> hmm oddly though I keep seeing
08:46 < daemon> 14:46:15.303117 ARP, Request who-has 10.0.2.2 tell core, length 28
08:46 < daemon> 10.0.2.2 was the old vpn tunnel ip assignment
08:46 < daemon> I wonder what service is still trying to find that
08:47 -!- koaschten [~koaschten@193.175.177.142] has quit [Ping timeout: 255 seconds]
08:51 < reiffert> "core"
08:53 -!- ultramage [umage@kurobara.netvor.sk] has joined #openvpn
08:54 < ultramage> hello, I'm using an openvpn connection on windows and after I enabled it again after a month of absence, I'm noticing retransmissions occuring inside the tunnel
08:54 < ultramage> does anyone know how to identify the cause? all that changed was one batch of automatic windows updates...
08:54 < reiffert> ultramage: 
08:54 < reiffert> !config
08:54 < vpnHelper> reiffert: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
08:54 < reiffert> !configs
08:54 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
08:55 < ultramage> alright, but I haven't changed the configs for months now :)
08:57 < ultramage> http://pastebin.ca/1960891
08:58 < ultramage> note: there is no packet loss on the physical connection between the two machines -.-
08:58 < reiffert> so lets have a look in da manpage
08:58 < ultramage> alright :)
08:59 < reiffert> check for --mssfix
08:59 < ultramage> I have an idea what that does... but why would I need it?
08:59 < reiffert> if you can live with those retransmissions ...
09:00 < ultramage> but a lot of the packets survive without retransmission
09:01 < reiffert> so well then someone, let's call him "peer" thinks that a packet needs to get retransmitted.
09:02 < daemon> ecrist, oddly I have setup wins on samba on my headbox configured everything to use wins... but that remote server is still not showing up. however I can \\10.0.1.8 and access it perfectly
09:02 < daemon> I am using level2 tap0 and it is bridged and everything can contact it
09:02 < daemon> I miss anything or is the samba config probably wrong for it
09:03 < daemon> I canb even see the nbt broadcasts flying over tcpdump
09:03 < reiffert> daemon: check that netbios announcements leave that interface and reach to your openvpn client.
09:03 < daemon> ah gotcha
09:04 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
09:05 < daemon> reiffert, I think it looks good: http://pastie.org/1218157
09:06 < daemon> I will also check em0 which is the lan facing interface which is bridged 
09:06 < daemon> ok maybe I wont to much traffic flying across it at the moment
09:07 < daemon> on 'bridge0' on the server 
09:07 < daemon> I can see
09:07 < daemon> 15:07:09.336420 IP core.netbios-dgm > 10.255.255.255.netbios-dgm: NBT UDP PACKET(138)
09:07 < daemon> 15:07:09.336424 IP core.netbios-dgm > 10.255.255.255.netbios-dgm: NBT UDP PACKET(138)
09:07 < daemon> AH
09:07 < daemon> 15:07:09.336420 IP core.netbios-dgm > 10.255.255.255.netbios-dgm: NBT UDP PACKET(138)
09:07 < daemon> 15:07:09.336424 IP core.netbios-dgm > 10.255.255.255.netbios-dgm: NBT UDP PACKET(138)
09:07 < daemon> damn it
09:07 < daemon> sorry
09:07 < daemon> 15:07:09.336420 IP core.netbios-dgm > 10.255.255.255.netbios-dgm: NBT UDP PACKET(138)
09:07 < daemon> 15:07:09.336424 IP core.netbios-dgm > 10.255.255.255.netbios-dgm: NBT UDP PACKET(138)
09:07 < daemon> what the hell
09:07 < daemon> give me a moment
09:07 -!- daemon [~daemon@2001:470:92bc:0:48cc:528d:8291:64b2] has quit [Quit: Leaving]
09:08 -!- daemon [~daemon@2001:470:92bc:0:48cc:528d:8291:64b2] has joined #openvpn
09:08 < daemon> thats better
09:08 < daemon> I think I messed up xchat somehow
09:11 < ultramage> http://netvor.sk/~umage/wtfretransmission.pcap (3.5 megs)
09:16 < ultramage> lemme check if it's not my newly made network cable -.-
09:21 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
09:33 < ultramage> ok, it's not the network cable - I can transfer 2MB/s to a comp on LAN with zero loss
09:36 < ultramage> oh shit, I was testing it over my vpn, I think
09:39 < daemon> hehe
09:40 < ultramage> I don't like networking issues -.-
09:42 < ultramage> alright, it's the other tunnel endpoint that's having those issues, not me
09:47 < reiffert> and you determined that by what?
09:48 < ultramage> by asking my other endpoint to do a netcat transfer to my VM in canada
09:48 < ultramage> and it exhibited the same pattern
09:49 < ultramage> I'll run pingtest.net at home, and maybe go yell at my ISP a bit
09:49 < ultramage> it's strange though; at home I don't perceive the packet loss... maybe the occasional loading delay or stalled dns lookup
09:50 < Deffie> using tap, after succesful connection, attemping to make traffic i get this: "write to TUN/TAP : Connection refused (code=111)" in the server log file, i found it can depend on time desync but it is not my case
09:50 < ultramage> maybe I haven't been doing big downloads recently
09:50 < ultramage> code 111, mmm
09:51 < lkeijser> could someone tell me why one vpn client has its IP masqueraded, and the other one hasn't?  
09:51 -!- Mkools [~mukul@117.196.214.87] has joined #openvpn
09:51 < ultramage> Deffie: on linux that is "connection refused"....yes.
09:51 < ultramage> maybe you're firewalled off?
09:52 < lkeijser> i swear .. i'm doing something terribly wrong here, and if i see it it's a classic "duh" moment, but i can't figure out what
09:52 < ultramage> Deffie: for fun, try changing the communication protocol from udp to tcp and see if that goes through
09:52 < ultramage> lkeijser: what do you mean by 'masqueraded'?
09:53 < lkeijser> ultramage: i have set up an ifconfig-pool to hand out IP's in a different subnet that my normal lan. When a client connects through the vpn tunnel to a server on the lan, its IP gets masq'd
09:54 < lkeijser> so that server can reply and its reply gets sent back through the tunnel to the client
09:54 < lkeijser> i thought this is how openvpn in tunnel mode should always be set up ... am i mistaken?
09:55 < ultramage> in both modes, you get a special ip address
09:55 < lkeijser> because without the iptables masquerade rule, none of the clients can send traffic through the tunnel
09:55 < lkeijser> right
09:55 < ultramage> iptables? :O
09:55 < ultramage> oh wait
09:56 < ultramage> so err... you're asking the vpn server to let you access other machines on its network
09:56 < lkeijser> correct
09:56 < Deffie> ultramage i tried it :|
09:56 < nDuff> lkeijser, make sure you have a working reverse route from the remote network to the VPN clients' subnet -- then you don't need to masquerade
09:57 < lkeijser> ultramage: and that works well for one client .. but as soon as a second client connects, it is unable to pass traffic through the tunnel
09:57 < lkeijser> hm
09:57 < nDuff> lkeijser, that's pretty easy if they all go through the same gateway
09:57 < ultramage> hmm, let me think, I had the same issue, reply packets were getting eaten along the way.
09:57 < lkeijser> nDuff: that's actually an awesome solution
09:58 < ultramage> I think it was all just a NATing issue though
09:58 < ultramage> oh, right! I was using freebsd in a Virtualbox using nat networking (the simplest mode), trying to talk to the internet through my vpn
09:58 < lkeijser> blasted
09:59 < lkeijser> nDuff: in combination with the NAT rule it's working
09:59 < lkeijser> nDuff: if you're in my vicinity i'd buy you a beer (or beverage of choice)
10:00 < lkeijser> i can't believe i spent all day on this
10:00 < ultramage> ooh, routes!
10:00 < nDuff> lkeijser, austin.tx.us
10:09 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
10:12 < lkeijser> nDuff: hm, long way from holland .. but if i'm ever in the neighbourhood i'll ping you ;)
10:13 < lkeijser> anyway, work day is done .... thanks all 
10:13 -!- lkeijser [~leon@fedora/lkeijser] has quit [Quit: Leaving]
10:19 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
10:28 -!- [1]SDE [~SDE@93-97-41-44.zone5.bethere.co.uk] has joined #openvpn
10:30 -!- SDE [~SDE@93-97-41-44.zone5.bethere.co.uk] has quit [Ping timeout: 240 seconds]
10:30 -!- [1]SDE is now known as SDE
10:34 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
10:34 -!- ultramage [umage@kurobara.netvor.sk] has left #openvpn ["have a nice evening, all"]
11:14 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
11:18 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
11:18 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
11:56 -!- Mkools [~mukul@117.196.214.87] has quit [Ping timeout: 240 seconds]
12:03 -!- Mkools [~mukul@117.196.214.87] has joined #openvpn
12:04 < Mkools> when i use openvpn --genkey --secret static.key in which folder key is generated?
12:05 < nDuff> Mkools, the current directory
12:05 < Mkools> means? I am on desktop.
12:05 < Mkools> on desktop?
12:06 < Mkools> oh sorry got it
12:06 < Mkools> yep got it
12:08 < Mkools> nDuff: I have my own created DNS server which 192.x.x.x private range. I am setting up openvpn  using quick start how to. In that 10.x.x.x range is used. Any comments.
12:08 < Mkools> DNS server is created using BiND 9
12:10 < Mkools> nDuff: Should I use 192.x.x.x for openvpn or 10.x.x.x for DNS, DHCP. Or different block addresses for openvpn and DNS.
12:10 < vpnHelper> RSS Update - forum: Configuration :: sharing database :: Author planethax <https://forums.openvpn.net/viewtopic.php?f=6&t=7178&p=8061#p8061>
12:11 < nDuff> Mkools, only 192.168/16, not 192/8, is reserved
12:11 < nDuff> Mkools, ...beyond that, you really have a lot of flexibility on topology
12:13 < Mkools> nDuff: got it, can you please explain in some detail? And please answer my second question in detail?
12:28 < Mkools> nDuff:any help, atleast any document link to read. I am starting the openvpn daemon. 
12:29 < Mkools> But ps -A | grep openvpn is not outputting any line?
12:31 < nDuff> Mkools, going into detail would effectively mean intro-to-networking (routing and NAT considerations), which I don't have time for.
12:31 < nDuff> now, re starting the daemon and not having anything show up --
12:31 < nDuff> have you created a configuration file?
12:31 < nDuff> if so, and you run openvpn --config yourfile.conf, what happens?
12:32 < nDuff> all starting the service does (with most distro runscripts is do "openvpn --config yourfile.conf" for each configuration file in /etc/openvpn... so there's not really much that's magical to it.
12:32 < Mkools> nDuff: I have edited sample-config files in /usr/share/doc/openvpn/example/sample-files.
12:33 < nDuff> Mkools, edited in-place, or copied and edited?
12:33 < nDuff> Mkools, ...and again, what happens when you start your config files with --config?
12:33 < nDuff> if they exit with an error, presumably the service is doing the same thing
12:35 < Mkools> nDuff: --config showing error: /media/ENGG/8 (THE LAST) SEM/MAJOR PROJECT
12:35 < Mkools> Options error: In [CMD-LINE]:1: Error opening configuration file: server.conf
12:35 < Mkools> Use --help for more informatio
12:36 < Mkools> nDuff: Should I have to place config file /etc/openvpn?
12:36 < nDuff> before running the service, yes; when running by hand, the path just needs to resolve (either be fully qualified, or correct relative to your current working directory)
12:39 < Mkools> nDuff: What does running by hand means?
12:39 -!- locknloaded [~IceChat7@87.114.243.149.plusnet.thn-ag3.dyn.plus.net] has joined #openvpn
12:39 -!- locknloaded is now known as sppadicus
12:39 -!- sppadicus [~IceChat7@87.114.243.149.plusnet.thn-ag3.dyn.plus.net] has left #openvpn []
12:39 < Mkools> By making all policies made to accept will get rid off my firewall problems relating to iptables.
12:45 < Mkools> nDuff: Thanks so much for your help.
12:46 -!- Mkools [~mukul@117.196.214.87] has quit [Quit: Leaving]
12:47 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 240 seconds]
13:09 < vpnHelper> RSS Update - forum: Configuration :: client only, but no cert? :: Author thebighere <https://forums.openvpn.net/viewtopic.php?f=6&t=7179&p=8062#p8062>
13:40 -!- abeehc [~bob@d207-6-195-163.bchsia.telus.net] has joined #openvpn
13:45 < SDE> guys
13:45 < SDE> can you issue an OpenVPN user an static IP?
13:51 < vpnHelper> RSS Update - forum: Server Administration :: Re: What is the difference between tcp/tcp-server/tcp-client :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7168&p=8063#p8063>
13:51 -!- oracle_ [~o2@unaffiliated/spice] has joined #openvpn
13:53 < nDuff> SDE, yes
13:54 -!- oracle [~o2@unaffiliated/spice] has quit [Ping timeout: 260 seconds]
13:54 < nDuff> SDE, see the section in the man page talking about ifconfig-push
13:57 < vpnHelper> RSS Update - forum: Server Administration :: Re: Static ip addresses :: Reply by zespri <https://forums.openvpn.net/viewtopic.php?f=4&t=7172&p=8064#p8064>
14:00 -!- koaschten_ [~koaschten@188-193-133-170-dynip.superkabel.de] has joined #openvpn
14:01 -!- koaschten [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Ping timeout: 250 seconds]
14:09 < markus_> does the pthread support works for openvpn release 2.1 ?
14:09 < vpnHelper> RSS Update - forum: Server Administration :: Re: draft HOWTO "Use a Windows CA with OpenVPN" :: Reply by ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7173&p=8065#p8065>
14:09 < markus_> --enable-pthread        Enable pthread support (Experimental for OpenVPN 2.0) ?
14:09 < krzee> !static
14:09 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.5 10.8.0.6 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder
14:13 -!- nDuff [~cduffy@rrcs-97-79-207-2.sw.biz.rr.com] has quit [Read error: Connection reset by peer]
14:15 < vpnHelper> RSS Update - forum: Configuration :: Re: client only, but no cert? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7179&p=8066#p8066>
14:19 < krzee> !ircstats
14:19 < vpnHelper> krzee: "ircstats" is (#1) 30-Day Stats: http://www.secure-computing.net/logs/openvpn-last30.html, or (#2) All-Time Stats: http://www.secure-computing.net/logs/openvpn.html
14:20 < ecrist> krzee, ircstats are out-dated still
14:21 -!- krzee changed the topic of #openvpn to: OpenVPN 2.1.3 Most Current || 2.2-beta3 Released 10-Sept-2010 || Your problem is your firewall, really! || see !welcome and !goal before asking questions || forum at http://forums.openvpn.net || developers:  #openvpn-devel
14:21 < krzee> so was that topic ;]
14:21 < krzee> i was able to steal the front part from ircstats
14:21 < ecrist> what is still 42-day?
14:21 < krzee> aye
14:21 < ecrist> oh, let me get the whole thing
14:23 -!- ecrist changed the topic of #openvpn to: OpenVPN 2.1.3 Most Current || 2.2-beta3 Released 10-Sept-2010 || Your problem is your firewall, really. || Type  !welcome  before asking your  questions. ||  Web Forum: http://forums.openvpn.net || Developers: #openvpn-devel || IRC Host Cloaks available, ask ecrist
14:24 < ecrist> according to my logs, that was the most recent.
14:26 -!- krzee changed the topic of #openvpn to: OpenVPN 2.1.3 Most Current || 2.2-beta3 Released 10-Sept-2010 || Your problem is your firewall, really. || Type  !welcome and !goal before asking your questions. ||  Web Forum: http://forums.openvpn.net || Developers: #openvpn-devel || IRC Host Cloaks available, ask ecrist
14:26 < krzee> small change =]
14:26 <@patel> haha
14:26 <@patel> :)
14:27 < krzee> brb
14:27 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
14:30 -!- nDuff [~cduffy@rrcs-97-79-207-2.sw.biz.rr.com] has joined #openvpn
14:31 -!- [1]SDE [~SDE@93-97-41-44.zone5.bethere.co.uk] has joined #openvpn
14:33 -!- SDE [~SDE@93-97-41-44.zone5.bethere.co.uk] has quit [Ping timeout: 250 seconds]
14:33 -!- [1]SDE is now known as SDE
14:37 < vpnHelper> RSS Update - forum: Configuration :: Re: sharing database :: Reply by george <https://forums.openvpn.net/viewtopic.php?f=6&t=7178&p=8067#p8067>
14:43 < vpnHelper> RSS Update - forum: Routing and Firewall Scripts :: Re: Protect default route on client :: Reply by keriati <https://forums.openvpn.net/viewtopic.php?f=17&t=7169&p=8068#p8068>
14:49 < vpnHelper> RSS Update - forum: Routing and Firewall Scripts :: Re: Protect default route on client :: Reply by keriati <https://forums.openvpn.net/viewtopic.php?f=17&t=7169&p=8069#p8069>
14:55 < krzie> baq
14:55 < vpnHelper> RSS Update - forum: Configuration :: Re: sharing database :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7178&p=8071#p8071> || Routing and Firewall Scripts :: Re: Protect default route on client :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=17&t=7169&p=8070#p8070>
14:55 -!- krzie is now known as krzee
15:12 -!- daemon [~daemon@2001:470:92bc:0:48cc:528d:8291:64b2] has quit [Ping timeout: 252 seconds]
15:16 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 272 seconds]
15:18 -!- s7r [~s7r@188.27.111.55] has joined #openvpn
15:20 < vpnHelper> RSS Update - forum: Server Administration :: Jpin Active Directory Domain :: Author T4K <https://forums.openvpn.net/viewtopic.php?f=4&t=7180&p=8074#p8074> || Configuration :: Re: client only, but no cert? :: Reply by thebighere <https://forums.openvpn.net/viewtopic.php?f=6&t=7179&p=8072#p8072> || Routing and Firewall Scripts :: Re: Protect default route on client :: Reply by keriati <https://forums.openvpn.net/viewtopic.php?f=17&t=7169&p=8073#p
15:38 < vpnHelper> RSS Update - forum: Server Administration :: Re: linux bridge and openvpn :: Reply by pinguim007 <https://forums.openvpn.net/viewtopic.php?f=4&t=7156&p=8075#p8075>
16:08 < vpnHelper> RSS Update - forum: Routing and Firewall Scripts :: Re: Protect default route on client :: Reply by keriati <https://forums.openvpn.net/viewtopic.php?f=17&t=7169&p=8073#p8073>
16:20 -!- moonspa [~moonspa@chello089173158247.chello.sk] has joined #openvpn
16:20 -!- moonspa [~moonspa@chello089173158247.chello.sk] has left #openvpn []
16:27 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:29 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 276 seconds]
16:31 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
16:31 < vpnHelper> RSS Update - forum: Wishlist :: openvpn and a different ntlm auth :: Author stortoaranci <https://forums.openvpn.net/viewtopic.php?f=10&t=7177&p=8060#p8060>
16:32 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
16:51 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
16:53 < fipu> hi @ all
16:53 < fipu> I have a problem with the build-key script
16:53 < fipu> I get the message that I need to reflect my config with ./vars and after that I have to do a clean-all
16:53 < fipu> but I already do that
16:53 < fipu> and I have openvpn running
16:54 < fipu> with multiple certificates for Clients
16:54 < fipu> all works but now I want to create one more certificate
16:54 < fipu> and get this message
16:54 < fipu> someone an idea?
17:02 < fipu> works now
17:02 < fipu> I must do source ./vars
17:02 < fipu> yesterday it works without that...
17:02 < fipu> :P
17:03 < fipu> I just du ./vars 
17:03 < fipu> *do
17:09 < krzie> . ./vars
17:09 < krzie> the leading . is important, it = 'source'
17:11 -!- oracle_ is now known as destroyacle
17:20 -!- krzee [~k@openvpn/community/support/krzee] has quit [Quit: Leaving]
17:20 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
17:23 < fipu> krzie: I did that yesterday
17:23 < fipu> and it works
17:23 < fipu> but today I get the message that I need to make that again and make a new PKI...
17:23 < fipu> but with source ./vars it works again...
17:23 < fipu> other question
17:23 < fipu> how can I list all connected clients?
17:24 < krzee> you just did ./vars before... that wouldnt work
17:24 < fipu> no I did . ./vars yesterday
17:24 < fipu> and it works
17:24 < fipu> I created 3 certs
17:24 < krzee> note the . ./vars  the . by itself first is the exact same as source assuming you are in bash
17:24 < fipu> today I want create one more...
17:24 < krzee> correct, . ./vars works
17:24 < krzee> then today you did ./vars
17:24 < fipu> right
17:24 < krzee> easy typo to make
17:24 < fipu> must I do that every day?
17:25 < fipu> or every time I started a new Terminal session?
17:25 < krzee> [15:27]  <fipu> or every time I started a new Terminal session?
17:25 < krzee> yes
17:25 < fipu> ah ok
17:25 < fipu> all clear :)
17:25 < fipu> How can I list all connected clients?
17:25 < krzee> you are taking the env vars from ./vars into your current session (sourcing them)
17:25 < fipu> ah, ok
17:25 < krzee> fipu, by learning the management interface
17:26 < krzee> !management
17:26 < vpnHelper> krzee: "management" is (#1) see http://openvpn.net/management for doc on management interface, or (#2) read http://svn.openvpn.net/projects/openvpn/obsolete/BETA21-preauto/openvpn/management/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN
17:26 < fipu> ok, thank you very much for information
17:26 < fipu> I check this tomorrow
17:26 < fipu> now I go to bed ;)
17:26 < fipu> thanks and gn8 to all :)
17:27 < krzee> nite
17:31 -!- destroyacle is now known as oracle
18:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
18:43 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
18:51 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
19:21 -!- s7r [~s7r@188.27.111.55] has quit [Read error: Connection reset by peer]
19:41 < svm_invictvs> Heya
19:41 < svm_invictvs> So,if I follow the basic HOWTO
19:41 < svm_invictvs> For the Community software, does that mean out of the box all I get is for the client to see the server through the vpn?
19:42 < svm_invictvs> The client's not even configured to route any data out throug the VPN unless I mess with the routing tables, correct?
20:02 < krzie> correct
20:02 < krzie> !goal
20:02 < vpnHelper> krzie: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
20:11 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
20:21 -!- takamichi [~pri@78.133.38.192] has quit []
20:22 -!- koaschten_ [~koaschten@188-193-133-170-dynip.superkabel.de] has quit [Read error: Connection reset by peer]
20:35 -!- raidzx [~Andrew@seance.openvpn.org] has joined #openvpn
20:35 -!- Dougy_ [me@tech.qsi.net] has joined #openvpn
20:36 -!- Dougy [me@openvpn/community/user/dougy] has quit [Read error: Connection reset by peer]
20:38 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has quit [Ping timeout: 240 seconds]
20:46 -!- lkthomas [lkthomas@218.213.78.173] has quit [Ping timeout: 255 seconds]
20:46 -!- lkthomas [~lkthomas@202.71.254.94] has joined #openvpn
20:51 -!- lkthomas [~lkthomas@202.71.254.94] has quit [Ping timeout: 252 seconds]
20:51 -!- lkthomas [~lkthomas@202.71.254.94] has joined #openvpn
20:56 -!- lkthomas [~lkthomas@202.71.254.94] has quit [Ping timeout: 240 seconds]
20:56 -!- lkthomas [lkthomas@218.213.78.173] has joined #openvpn
21:32 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
21:40 < Sivarts> How can I create a VPN server where all of my clients can use the same certificates without having to generate a seperate certificate for each client?
21:40 < Sivarts> security is not an issue for me...
21:41 -!- londonmet050 [~0wned@unaffiliated/londonmet050] has joined #openvpn
21:41 < londonmet050> hello
21:53 < londonmet050> I am getting some error witj cannot allocate TUN/TAP dev dynamically
21:56 < svm_invictvs> krzee: My goal is exactly that
21:58 -!- p3rror [~mezgani@adsl196-38-68-206-196.adsl196-3.iam.net.ma] has joined #openvpn
22:06 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
22:13 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
22:14 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
22:15 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
22:19 -!- krzie [krzee@hemp.ircpimps.org] has joined #openvpn
22:19 -!- krzie [krzee@hemp.ircpimps.org] has quit [Changing host]
22:19 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
22:31 < svm_invictvs> Oh poop.
22:31 < svm_invictvs> I'm getting routing conflicts
22:42 < krzie> whats your goal?
23:15 -!- londonmet050 [~0wned@unaffiliated/londonmet050] has quit [Read error: Connection reset by peer]
23:15 -!- londonmet050 [~0wned@93-96-43-166.zone4.bethere.co.uk] has joined #openvpn
23:15 -!- londonmet050 [~0wned@93-96-43-166.zone4.bethere.co.uk] has quit [Changing host]
23:15 -!- londonmet050 [~0wned@unaffiliated/londonmet050] has joined #openvpn
23:23 < krzie> svm_invictvs, whats the problem dude
23:31 -!- aditsu [~aditsu@n1164984115.netvigator.com] has joined #openvpn
23:31 < aditsu> hi, I got 2 servers connected through openvpn, but the connection seems to freeze a lot, what could be the reason?
23:31 < aditsu> it seems to improve if I lower the MSS, but it's supposed to figure it out automatically (and low MSS is inefficient)
23:38 < krzie> checked the mtu?
23:38 < krzie> isnt udp?
23:41 < aditsu> I'm using udp, how can I check the mtu?
23:42 < krzie> !mtu
23:42 < vpnHelper> krzie: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
23:42 < aditsu> oh, I think I did that a long time ago, let me try again
23:44 < aditsu> WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result
23:44 < aditsu> NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
23:53 < aditsu> NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[493,493] remote->local=[493,493]
23:53 < aditsu> I should probably try it without fragment
--- Day changed Thu Oct 14 2010
00:00 < krzie> you should comment out all mtu settings first
00:00 < krzie> 493... damn, you running this over a DNS over ip tunnel?
00:00 < krzie> lol
00:01 < aditsu> no, I was using fragment 500
00:01 < aditsu> disabled fragment and mssfix now, waiting for results again
00:04 < aditsu> NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1541,1541] remote->local=[1541,1541]
00:04 < krzie> doesnt seem that you especially need to be changing them
00:04 < aditsu> then what about the freezes?
00:05 < krzie> you on tcp or udp?
00:05 < aditsu> udp
00:05 < krzie> hrm
00:06 < krzie> you sure it is only running 1x, right?
00:06 < aditsu> what do you mean?
00:07 < krzie> if you run an openvpn client more than once, it will battle itself
00:07 < aditsu> it's running only once with this config
00:08 < krzie> you have a keepalive?
00:09 < aditsu> btw, it's not freezing right now (with no fragment and no mssfix), but it might freeze later
00:09 < vpnHelper> RSS Update - forum: Configuration :: [server] Inactivity timeout (--ping-restart), restarting :: Author hohum <https://forums.openvpn.net/viewtopic.php?f=6&t=7181&p=8076#p8076> || Configuration :: Re: [server] Inactivity timeout (--ping-restart), restarting :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7181&p=8077#p8077>
00:10 < aditsu> on the server I have keepalive 10 120
00:11 < aditsu> I guess I'll wait to see if it freezes again
00:14 < aditsu> still working, but the transfer rate is pretty low.. I'll try adjusting the traffic control
00:14 < aditsu> since there are some other connections
00:15 < vpnHelper> RSS Update - forum: Configuration :: Re: [server] Inactivity timeout (--ping-restart), restarting :: Reply by hohum <https://forums.openvpn.net/viewtopic.php?f=6&t=7181&p=8078#p8078> || Scripting and Customizations :: Re: Assign unique public IP for each openvpn user :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=15&t=7176&p=8079#p8079>
00:25 < aditsu> hm... client to server is very fast, but server to client is extremely slow
00:29 < svm_invictvs> ls
00:39 < vpnHelper> RSS Update - forum: Server Administration :: Re: Jpin Active Directory Domain :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7180&p=8080#p8080>
00:41 < aditsu> oh, I think I managed to increase the priority of openvpn traffic :)
00:43 < aditsu> I wonder if those freezes were only due to bandwidth choking.. that would be quite silly
00:49 < aditsu> it slowed down again..
00:51 < vpnHelper> RSS Update - forum: Configuration :: Re: notebook external server office LAN :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7165&p=8081#p8081>
00:54 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
00:54 -!- takamichi [~pri@78.133.38.192] has quit [Client Quit]
00:58 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
01:09 -!- londonmet050 [~0wned@unaffiliated/londonmet050] has quit [Quit: londonmet050]
01:09 -!- tessier_ [~treed@kernel-panic/copilotco] has joined #openvpn
01:10 < tessier_> How do people usually handle Windows drive mappings and openvpn? Having to manually remap every time is a pain. The mappings are persistent but fail when the machine boots up and the VPN is not up.
01:26 < vpnHelper> RSS Update - forum: Server Administration :: Re: draft HOWTO "Use a Windows CA with OpenVPN" :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7173&p=8082#p8082>
01:29 < krzie> could map them via --up script
01:30 < krzie> !winscript
01:30 < vpnHelper> krzie: "winscript" is a user reported that his --up script was not executed in windows gui. his config was bps.ovpn, he renamed the script to bps_up.bat and put it in the dir with his config... then it worked!
01:32 < vpnHelper> RSS Update - forum: Server Administration :: Re: Static ip addresses :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7172&p=8083#p8083>
01:38 < vpnHelper> RSS Update - forum: Configuration :: Re: creating openvpn with ubuntu server and windows clinet :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7145&p=8084#p8084>
01:40 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
01:48 < tessier_> krzie: Ah, thanks!
01:50 < krzie> np
02:08 < vpnHelper> RSS Update - forum: Installation Help :: Re: Client error :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=5&t=7174&p=8085#p8085>
02:12 < aditsu> krzie: well, vpn traffic is still EXTREMELY slow, what can I do about it?
02:14 < vpnHelper> RSS Update - forum: Server Administration :: Re: missing images :: Reply by libove <https://forums.openvpn.net/viewtopic.php?f=4&t=7173&p=8086#p8086>
02:18 -!- Buklov [~3232@213.138.74.165] has quit [Read error: Connection reset by peer]
02:18 -!- Buklov [~3232@213.138.74.165] has joined #openvpn
02:18 < Bushmills> isn't there such a thing as an automounter, or its equivalent, for windows? 
02:19 < Bushmills> that's what i use to access remote exports over openvpn - they're mounted upon attempt to access them. under unixoids, though.
02:19 < vpnHelper> RSS Update - forum: Configuration :: Re: Openvpn and Amazon EC2 with Windows 2008 :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7167&p=8087#p8087>
02:24 < krzie> Bushmills, i dont think so... but that reminds me of a factoid jpalmer wouldnt like to see
02:24 < vpnHelper> RSS Update - forum: Server Administration :: Re: ethernet tunnel (not bridge) random PING problem :: Reply by ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7099&p=8089#p8089>
02:24 < Bushmills> hehe
02:25 < tessier_> ugh...I hate it when I break my openvpn config. I haven't used it in weeks and it is always a real trick to figure out again.
02:25 < tessier_> It's like my openvpn server isn't routing to the rest of the network. But I have forwarding enabled...
02:26 < tessier_> Not sure what changed. It hasn't been rebooted or anything.
02:27 < aditsu> tessier_: firewall?
02:27 < Bushmills> does your config change just by itself?
02:28 < Bushmills> when i change it, i usually test whether it still works immediately after the change
02:30 < vpnHelper> RSS Update - forum: Server Administration :: Re: draft HOWTO "Use a Windows CA with OpenVPN" :: Reply by ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7173&p=8090#p8090> || Server Administration :: Re: ethernet tunnel (not bridge) random PING problem :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7099&p=8091#p8091>
02:30 < tessier_> Bushmills: It doesn't change by itself. Actually, I have just set up a new client. Maybe it is a client config problem. It has never worked from this client before. 
02:30 < tessier_> aditsu: No firewall on the server.
02:31 < aditsu> hm.. I tried ping -s 1000 over the vpn, and it has heavy packet loss
02:31 < Bushmills> it is always a real trick to figure out why that client has never worked before?
02:32 < aditsu> tessier_: I thought you needed a firewall to route the packets
02:32 < krzie> aditsu, only if you require NAT because you desire !redirect
02:32 < tessier_> Bushmills: It is always a real trick to figure out any networking problem with openvpn. This is the third time I have set it up but each time is months or years apart so I have to relearn it all over again.
02:33 < tessier_> aditsu: I have a firewall elsewhere on the network which my openvpn server knows to route to in order to NAT out to the net
02:33 < tessier_> That is the default route of the openvpn server
02:33 < krzie> tessier_, less likely you need to learn openvpn over again, more likely its the general networking principals you use in conjuction with it
02:33 < Bushmills> well, you don't need to figure that out now. the problem may be a different one with a client which has never worked before
02:33 < tessier_> And the openvpn server is the default route (via a push redirect-gateway) of the client
02:34 < krzie> ahh, then you do require a firewall on the server, for the NAT as aditsu said
02:34 < tessier_> I already have a firewall elsewhere on the network.
02:35 < krzie> ahh so the internet gateway also does NAT for the vpn subnet?
02:35 < tessier_> Correct.
02:35 < tessier_> And that worked as of a few weeks ago.
02:35 < krzie> cool, i like that style better too
02:35 < tessier_>  /etc/shorewall/masq on the firewall contains: eth0                    10.9.8.0/24     216.105.40.123
02:35 < tessier_> Where 10.9.8.0/24 is the network that my openvpn clients are assigned IPs from
02:36 < aditsu> weird, the connection is fast again, and not dropping packets
02:36 < krzie> what os is the non-working client?
02:36 < aditsu> but I have another connection between the same 2 machines, that seems to work much better... should I switch openvpn to use tcp?
02:36 < krzie> (you said there are clients which work, and a single client which does not, right?)
02:37 < tessier_> Let me go fire up the client that was working before and see if it still works...
02:37 < krzie> !tcp
02:37 < vpnHelper> krzie: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
02:37 < krzie> tessier_, you use different certs for each client, right?
02:38 < tessier_> krzie: Yes
02:38 < aditsu> slow again now :(
02:39 < krzie> tessier_, you using tun?
02:39 < krzie> err i mean
02:39 < krzie> aditsu, you using tun?
02:39 < aditsu> I'll try switching to tcp
02:39 < aditsu> krzie: yes, dev tun
02:40 < krzie> cool
02:41 < aditsu> weird, it's fast again now (over udp)
02:42 < krzie> it sounds like when you start it is fast, as more traffic goes it slows down
02:42 < krzie> do you have some sort of QOS?
02:43 < aditsu> it's been running for more than 2 hours now
02:44 < aditsu> yes I'm doing traffic shaping, I tried without it too
02:44 < krzie> sounds like that is whats going on ;)
02:51 < tessier_> The client that used to be configured for openvpn isn't anymore. My wife may have deleted it or something. So I can't test against that. I just reconfigured it and it has the same problem.
02:56 -!- Netsplit *.net <-> *.split quits: Meliorator, d1b, havoc, fipu, raidzx, nb, oracle, n0sq, markus_, krzie,  (+76 more, use /NETSPLIT to show all of them)
03:05 -!- tessier_ [~treed@kernel-panic/copilotco] has quit [Quit: Changing server]
03:54 -!- theDoc [~Link@173.236.42.44] has joined #openvpn
03:55 -!- Netsplit over, joins: EmperorTom, krzie, Rolybrau, krzee, aditsu, Dougy_, nDuff, abeehc, g0tcha`, njan (+14 more)
03:55 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
03:55 -!- Netsplit over, joins: openbsdnoob, jpalmer, kisom, d12fk, @openvpn2009, @cron2, Meliorator, zxvff, Phenox_, Smirnov (+11 more)
03:55 -!- ServerMode/#openvpn [+oooo patel dazo cron2 openvpn2009] by bartol.freenode.net
03:59 -!- Bushmills is now known as 13WAAIF5H
03:59 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:59 -!- tessier [~treed@mail.copilotco.com] has joined #openvpn
03:59 -!- Buklov [~3232@213.138.74.165] has joined #openvpn
03:59 -!- p3rror [~mezgani@adsl196-38-68-206-196.adsl196-3.iam.net.ma] has joined #openvpn
03:59 -!- raidzx [~Andrew@seance.openvpn.org] has joined #openvpn
03:59 -!- oracle [~o2@unaffiliated/spice] has joined #openvpn
03:59 -!- Deffie [~Deffie@195.62.234.66] has joined #openvpn
03:59 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
03:59 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
03:59 -!- WebDawg [~WebDawg@officialg0d.com] has joined #openvpn
03:59 -!- arejay [arejay@shell.dawnshosting.com] has joined #openvpn
03:59 -!- sc [~sc@unaffiliated/asgw] has joined #openvpn
03:59 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
03:59 -!- sigi [~sigius@93.125.185.45] has joined #openvpn
03:59 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
03:59 -!- Docteh [~mage@24.86.236.78] has joined #openvpn
03:59 -!- DrJ [Bacon@174.141.224.168] has joined #openvpn
03:59 -!- plundra [404@article.se] has joined #openvpn
03:59 -!- delroth [~delroth@dhaos.delroth.net] has joined #openvpn
03:59 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined #openvpn
03:59 -!- Cmdr_W_T_Riker [39239487e7@xs8.xs4all.nl] has joined #openvpn
03:59 -!- batrick [~batrick@batbytes.com] has joined #openvpn
03:59 -!- darkwind [~bpayne@rrcs-70-61-50-54.central.biz.rr.com] has joined #openvpn
03:59 -!- ping-pong [~qwerty@212-30-223-89.static.simnet.is] has joined #openvpn
03:59 -!- meepmeep_ [meepmeep@212.24.104.229] has joined #openvpn
03:59 -!- fipu [~fipu@62.75.187.155] has joined #openvpn
03:59 -!- zamba [marius@flage.org] has joined #openvpn
03:59 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined #openvpn
03:59 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined #openvpn
03:59 -!- reiffert [~thomas@mail.reifferscheid.org] has joined #openvpn
03:59 -!- Gokee2_ [~gokee2@204-195-14-78.wavecable.com] has joined #openvpn
03:59 -!- freaky[t] [alpha@freakyy.de] has joined #openvpn
03:59 -!- zoobab [zoobab@vic.ffii.org] has joined #openvpn
03:59 -!- Champi [Champi@damn.e-leet.be] has joined #openvpn
03:59 -!- Joelio [~joel@lcw-212-23-5-1.zen.co.uk] has joined #openvpn
03:59 -!- th1 [~th@pdpc/supporter/professional/th1] has joined #openvpn
03:59 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
03:59 -!- nijotz [~nick@72.14.181.106] has joined #openvpn
03:59 -!- Rienzilla [rien@sinas.rename-it.nl] has joined #openvpn
03:59 -!- naquad [~naquad@174.142.224.219] has joined #openvpn
04:01 -!- theDoc [~Link@173.236.42.44] has quit [Changing host]
04:01 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
04:03 -!- lkthomas [lkthomas@218.213.78.173] has joined #openvpn
04:06 -!- tessier [~treed@mail.copilotco.com] has quit [Changing host]
04:06 -!- tessier [~treed@kernel-panic/copilotco] has joined #openvpn
04:09 -!- naquad [~naquad@174.142.224.219] has quit [Excess Flood]
04:12 -!- naquad [~naquad@174.142.224.219] has joined #openvpn
04:18 -!- szr [~SR@unaffiliated/szr] has quit [Read error: No route to host]
04:21 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
04:22 -!- p3rror [~mezgani@adsl196-38-68-206-196.adsl196-3.iam.net.ma] has quit [Remote host closed the connection]
04:26 -!- lkthomas [lkthomas@218.213.78.173] has quit [Ping timeout: 276 seconds]
04:34 -!- lkthomas [~lkthomas@184-106-137-103.static.cloud-ips.com] has joined #openvpn
04:39 -!- lkthomas [~lkthomas@184-106-137-103.static.cloud-ips.com] has quit [Ping timeout: 276 seconds]
04:39 -!- lkthomas [lkthomas@218.213.78.173] has joined #openvpn
04:51 -!- mode/#openvpn [+o 13WAAIF5H] by ChanServ
04:51 -!- mode/#openvpn [-o 13WAAIF5H] by 13WAAIF5H
04:52 -!- 13WAAIF5H is now known as Mushbills
04:52 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has quit [Disconnected by services]
04:52 -!- Mushbills is now known as Bushmills
04:53 -!- Bushmill- [~Bushmills@scarydevilmonastery.net] has joined #openvpn
04:53 -!- mode/#openvpn [+o Bushmills] by ChanServ
04:53 -!- Bushmill- was kicked from #openvpn by Bushmills [Bushmill-]
04:54 -!- Bushmill- [~Bushmills@scarydevilmonastery.net] has joined #openvpn
04:54 -!- mode/#openvpn [-o Bushmills] by Bushmills
04:54 -!- mode/#openvpn [+o Bushmills] by ChanServ
04:55 -!- mode/#openvpn [+b *!*Bushmills@scarydevilmonastery.net] by Bushmills
04:55 -!- Bushmill- was kicked from #openvpn by Bushmills [Bushmill-]
04:56 -!- mode/#openvpn [-b *!*Bushmills@scarydevilmonastery.net] by ChanServ
04:56 -!- Bushmill- [~Bushmills@scarydevilmonastery.net] has joined #openvpn
04:57 -!- mode/#openvpn [-o Bushmills] by Bushmills
04:58 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has quit [Quit: Terminated with extreme prejudice - dircproxy 1.0.5]
04:58 -!- Bushmill- [~Bushmills@scarydevilmonastery.net] has quit [Quit: Terminated with extreme prejudice - dircproxy 1.0.5]
04:58 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined #openvpn
05:20 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
05:31 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Quit: Leaving]
05:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
05:37 -!- krzie [krzee@hemp.ircpimps.org] has joined #openvpn
05:37 -!- krzie [krzee@hemp.ircpimps.org] has quit [Changing host]
05:37 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
05:49 -!- chantra_afk [~chantra@unaffiliated/chantra] has joined #openvpn
05:51 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 250 seconds]
06:21 < vpnHelper> RSS Update - forum: Server Administration :: Re: Jpin Active Directory Domain :: Reply by T4K <https://forums.openvpn.net/viewtopic.php?f=4&t=7180&p=8092#p8092>
07:34 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 250 seconds]
07:40 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
07:46 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
07:48 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
07:52 < ecrist> Bushmills: problems this morning?
07:58 -!- aditsu [~aditsu@n1164984115.netvigator.com] has left #openvpn []
08:28 -!- APTX_ [~APTX@phpBB/developer/APTX] has joined #openvpn
08:28 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 240 seconds]
08:34 -!- Martin` is now known as Martin
08:34 -!- Martin is now known as Guest60195
08:39 -!- krzy [krzee@hemp.ircpimps.org] has joined #openvpn
08:39 -!- njan [~james@freenode/staff/njan] has quit [Ping timeout: 612 seconds]
08:40 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
08:40 -!- patel [~patel@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 276 seconds]
08:40 -!- krzie [krzee@66.11.114.212] has joined #openvpn
08:40 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Remote host closed the connection]
08:40 -!- krzie [krzee@66.11.114.212] has quit [Changing host]
08:40 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
08:40 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 276 seconds]
08:40 -!- patel [~patel@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined #openvpn
08:41 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined #openvpn
08:53 < Phenox_> hi. do you know if it is possible to handle access-challenges using openvpn and radius authentication via PAM?
08:54 < Phenox_> as we use RSA authentication manager, the user must define a PIN at first logon which is handled by a challenge ticket from the radius
08:54 < Phenox_> but the client never asks for the PIN but restarts the whole authentication process
08:55 < Phenox_> for people who already have defined a PIN using another system, the authentication works pretty fine
09:08 < krzy> !authpass
09:08 < vpnHelper> krzy: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
09:08 < krzy> and the client uses --auth-user-pass
09:08 -!- krzy [krzee@hemp.ircpimps.org] has quit [Quit: Leaving]
09:15 <@dazo> Phenox_: I have no experience with implementing that, but I'm very sure its doable as we do exactly that at my work with OpenVPN, also using RSA tokens and RSA auth manager (iirc)
09:16 <@dazo> Phenox_: but we have a SSH entry as well to tackle re-synch of the token codes 
09:29 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
09:32 -!- oc80z [oc80z@blea.ch] has quit [Ping timeout: 240 seconds]
09:34 -!- njan [~james@freenode/staff/njan] has joined #openvpn
09:34 -!- oc80z [oc80z@blea.ch] has joined #openvpn
09:36 < Phenox_> hmm...
09:40 < Phenox_> dazo: K. It would be interesting to know how its implemented as for me neither the pam-radius nor the radius plugin for openvpn is working. Unfortunately there is nothing useful in the usenet regarding this issue.
10:04 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
10:18 -!- nDuff [~cduffy@rrcs-97-79-207-2.sw.biz.rr.com] has quit [Ping timeout: 272 seconds]
10:30 -!- nDuff [~cduffy@rrcs-97-79-207-2.sw.biz.rr.com] has joined #openvpn
10:34 -!- [1]SDE [~SDE@host81-137-144-179.in-addr.btopenworld.com] has joined #openvpn
10:34 < [1]SDE> Hi
10:34 < [1]SDE> I want to use username/password for my OpenVPN clients. Does the OpenVPN Access Server print in some file which clients are currently connected? I would like to use the same key/cert for all clients (duplicate-cn option), but prevent them from connecting several times at the same time using the same username/pass
10:36 -!- dollabill [~mike@97.66.26.10] has quit []
10:43 < krzee> !AS
10:43 < vpnHelper> krzee: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
10:43 < vpnHelper> krzee: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
10:43 < krzee> see #4
10:43 -!- londonmet050 [~0wned@93-96-43-166.zone4.bethere.co.uk] has joined #openvpn
10:43 -!- londonmet050 [~0wned@93-96-43-166.zone4.bethere.co.uk] has quit [Changing host]
10:43 -!- londonmet050 [~0wned@unaffiliated/londonmet050] has joined #openvpn
10:51 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Read error: Connection reset by peer]
11:00 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
11:22 -!- [1]SDE [~SDE@host81-137-144-179.in-addr.btopenworld.com] has quit [Ping timeout: 245 seconds]
11:36 -!- zanberdo [~mkz@173-164-189-237-SFBA.hfc.comcastbusiness.net] has joined #openvpn
11:36 -!- [1]SDE [~SDE@host81-137-144-179.in-addr.btopenworld.com] has joined #openvpn
11:37 < ecrist> [1]SDE: saw your question in #openvpn-devel, and we, unfortunately, don't support access server at all on irc.
11:37 < ecrist> there are official support channels on the openvpn website, though.
11:40 < zanberdo> I'm running openvpn server version 2.1_rc11 on a linux box. I'm using openvpn GUI v1.0.3 on an XP box to connect with no problem.  I have a W7 box that needs to connect. I'd like to use the same credentials as on my XP box for this test but when I replace copy my credential files and update the config I get an error from the client stating that the client started then stopped and it gives no further information.  Where can I f
11:40 < zanberdo> ind logs to help me track down what I've done wrong?
11:41 < zanberdo> note: I've installed OpenVPN 3.1.2 client on my W7 box
11:42 -!- [1]SDE [~SDE@host81-137-144-179.in-addr.btopenworld.com] has quit [Ping timeout: 245 seconds]
11:48 < zanberdo> my bad, I was running the wrong client. I have the correct on installed now, but now I'm getting an error that reads: Options error: Unrecognized option or missing parameter(s) in client.ovpn:1: ############################################## (2.1.3)
11:48 < zanberdo> Use --help for more information. 
11:49 < zanberdo> I duplicated the config folder from my xp box and modified the path to the various crt and key files to be consistent with the newly installed path
11:49 < krzee> zanberdo, you said you use access server
11:49 < zanberdo> otherwise the config file is the same.
11:50 < zanberdo> no
11:50 < krzee> oh sorry no you didnt
11:50 < zanberdo> no access server
11:50 < krzee> that was someone else
11:50 < zanberdo> yeah
11:50 < zanberdo> I'm just trying to get the W7 client to work with the same basic config as the XP client
11:50 < krzee> !configs
11:50 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
11:51 < zanberdo> fair enough. I figured you'd need that. One moment whilst I put together the request info.
12:00 -!- vatts [bouncer@unaffiliated/vatts] has joined #openvpn
12:00 -!- [1]SDE [~SDE@93-97-41-44.zone5.bethere.co.uk] has joined #openvpn
12:01 < vatts> Guys i have laptop and desktop on 2 different hotspot, in same town. Each uses its own unique certificate, both connecting to server in germany somewhere.
12:01 < vatts> at desktop i can connect, but on laptop i get error:
12:01 < vatts> us=687000 TLS Error: Unroutable control packet received from <server IP>
12:01 < vatts> belive me, its not firewall, i've used cert from laptop on desktop, still didn't connect.
12:01 < vatts> Both certs are vertified.
12:02 < krzee> need to see more of the logs
12:02 -!- SDE [~SDE@93-97-41-44.zone5.bethere.co.uk] has quit [Ping timeout: 260 seconds]
12:02 -!- [1]SDE is now known as SDE
12:02 < zanberdo> krzee, ok, sorry it took a bit.  Here is the config.opvn file from the W7 client stripped of comments: http://pastebin.com/Qqphz1cP
12:03 < zanberdo> I'm working on the server, but suffice to say that the server is working fine with the XP client and I've simply copied the XP client config to W7 and changed the paths to the crt and key files.
12:03 < krzee> but the options for the client depend on the server
12:03 < zanberdo> fair enough. I'm going to post the server config in a moment
12:03 < krzee> but ok, we'll assume everything matches
12:04 < vatts> also, not time errors, since watts-lappi doesnt work on same comp where watts crt works
12:04 < krzee> why are you using tap?
12:04 < krzee> !tunortap
12:04 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against
12:04 < vpnHelper> krzee: you over the vpn, or (#4) lan gaming? use tap!
12:04 < vatts> http://vattz.vatts.operaunite.com/paste/?id=28&pass=bFSEThgVMg95&act=show <<Have read fun
12:04 < vatts> Whoops not :P
12:05 < krzee> UDPv4 link remote: <server IP>:<server port>
12:05 < krzee> theres the problem, you need a real ip and port in the configs
12:05 < vatts> http://vattz.vatts.operaunite.com/paste/?id=29&pass=xhrQe2t0Jciv&act=show
12:05 < jpalmer> vatts:  the network the laptop is on..  is the local LAN using the same subnet as the VPN it's trying to connect to?
12:05 < vatts> krzee, i censored IP
12:06 < krzee> vatts, dont, in this situation the IPs matter, since it is an issue getting the connection working
12:06 < vatts> jpalmer, there are 2 different hotspots in town. I try connect with my box cert. works on my box and on my lappy (but not same time). Then i fire up watts-lappy cert and it doesn't connect neither on box, neither on laptop
12:06 < krzee> are both sides being started as root?
12:06 < zanberdo> krzee, here is the server config: http://pastebin.com/8rhdhTcy
12:06 < vatts> krzee, root? wth, i'm on windows on laptop and on desktop
12:07 < krzee> oh you are bridging, i'm of no help
12:07 < vatts> bridging?!
12:07 < krzee> why do you need a bridge?
12:07 < vatts> WHAT BRIDGE
12:07 < krzee> server-bridge 192.168.1.115  255.255.255.0 192.168.1.180 192.168.1.190
12:07 < vatts> o.O?
12:07 < zanberdo> that's me
12:07 < krzee> hey man... its your config
12:07 < krzee> oh bleh
12:07 < krzee> i didnt sleep
12:07 < zanberdo> no worries.
12:07 < krzee> vatts, ok s/root/admin
12:08 < krzee> zanberdo, oh you are bridging, i'm of no help... why do you need a bridge?
12:08 < krzee> ;]
12:08 < vatts> krzee, the bridging stuff... not my idea, i didn't sett it up in CFGs. however, same comp, using 2 certs, 1 connects, 1 doesn't. ofc not at same time
12:08 < vpnHelper> RSS Update - forum: Configuration :: Re: creating openvpn with ubuntu server and windows clinet :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7145&p=8084#p8084>
12:08 < zanberdo> krzee, and I"m running openvpn client on the W7 box as admin if that matters (I saw a note that it did for Vista, but I didn't see anything about W7 so I assumed I needed to)
12:08 < vatts> krzee, and thanks making me think that i'm NOT the bridger :P
12:08 < vatts> LULZ i thought that i'm bridging. lol, 192.168.1.115 is my NAT'd IP
12:08 < vatts> xD
12:09 < krzee> vatts, i still dunno if you are... havnt seen a server config
12:09 < vatts> me neither ;)
12:09 < zanberdo> krzee, I'm afraid I can't answer the bridging question. I can only tell you that however it's been configured on the server side it works just fine with my XP client and performs as expected.  I'm just trying to troubleshoot why the W7 client dies before it gets off the ground and doesn't tell me why.
12:10 < vatts> I copied client CFG from "watts" to "watts-lappi" and putted names of files (.ca, .crt) back in order, same effect.
12:10 < krzee> zanberdo, using 2.1.3?
12:10 < zanberdo> krzee, yes, that is the client I'm running on W7. Let me check the client version for XP box
12:11 < krzee> meh i shouldnt try to answer questions, too tired... especially for windows and bridges
12:11 < zanberdo> krzee, client version 1.0.3 on XP box. So should I take it that the 1.0.3 client config is not compatible with the 2.1.3 client?
12:11 < krzee> 1.0.3??
12:11 < zanberdo> aye
12:12 < krzee> from where
12:12  * ecrist beats zanberdo with the update stick
12:12 < vatts> krzee, http://vattz.vatts.operaunite.com/paste/?id=30&pass=HaZQONegMuEP&act=show ... Seems that CRT or KEY are invalid? Invaild*? ;o
12:12 < krzee> oh god, from that .se link
12:12 < krzee> !download
12:12 < vpnHelper> krzee: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
12:12 < zanberdo> ecrist, you know, sometimes when a product works just fine there is no need to upgrade
12:12 < zanberdo> krzee, Help about reads: OpenVPN GUI v1.0.3
12:12 < ecrist> zanberdo: sometimes, but 1.0.3 was released like 8 years ago
12:12 < krzee> !certverify
12:13 < vpnHelper> krzee: "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
12:13 < ecrist> we do not support < 2.1.3 in here
12:13 < krzee> for reals, update!
12:13 < zanberdo> ecrist, fine, it's old, but it works and I'm not about to break my XP config until I can make a 2.1.3 config work on a different box.  
12:13 < zanberdo> right, and I'm looking for support with 2.1.3, not 1.0.3
12:13 < ecrist> 2.1.3 to a 2.1.3 server, right?
12:14 < zanberdo> bottom line me: has the config file format changed that drastically from 1.0.3 that it won't work with 2.1.3?
12:14 < ecrist> nope
12:14 < vatts> krzee, Thu Oct 14 19:10:50 2010 us=62000 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=DE/ST=BW/L=whtafhgsoh/O=something/OU=vpn/CN=server/emailAddress=...@....
12:14 < vatts> Thu Oct 14 19:10:50 2010 us=62000 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
12:14 < vatts> *sights*
12:14 < krzee> vatts, there ya goes
12:14 < zanberdo> krzee, $ openvpn --version
12:14 < zanberdo> OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Mar  9 2009
12:14 < vatts> krzee, what to do to fix it?
12:14 < krzee> vatts, if the same certs work elsewhere, check the clocks (and timezones)
12:15 < krzee> timezones dont need to be =, but the times need to be right for whatever timezone they are in
12:15 < krzee> vatts, if its not that, you need new certs
12:15 < vatts> krzee, same certs DONT work elsewhere
12:15 < zanberdo> ok, let me ask this: if I install the 2.1.3 on my XP box which runs 1.0.3, will the config file be read and updated to be compatible, or will I simply break my XP box trying to use the 1.0.3 config?
12:15 < vatts> thats problem! ;o
12:15 < vatts> timezones are same, my primary key works
12:16 < ecrist> zanberdo: should work fine
12:16 < vatts> but admin just removed all keys (we're starting over)
12:16 < zanberdo> ecrist, so installing 2.1.3 will find my existing installation and modify the client config?
12:16 < ecrist> it won't modify the client config ,no
12:16 < krzee> zanberdo, no need to modify
12:17 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
12:17 < krzee> they are compatible
12:17 < zanberdo> grrr... didn't I just read from ecrist that the 1.0.3 config file won't work with 2.1.3 (which is why I appear to be here asking questions)?
12:17 < krzee> the old version cant accept everything from the new version, but the new version can handle the old options just fine
12:17 < krzee> no... you did not
12:17 < ecrist> 12:16 < ecrist> zanberdo: should work fine
12:18 < zanberdo> <zanberdo> bottom line me: has the config file format changed that drastically from 1.0.3 that it won't work with 2.1.3?
12:18 < zanberdo> <ecrist> nope
12:18 < krzee> right, no it has not changed
12:18 < ecrist> 12:14 < zanberdo> bottom line me: has the config file format changed that drastically from 1.0.3 that it won't work with 2.1.3?
12:18 < ecrist> 12:14 < ecrist> nope
12:18 < vatts> krzee, do i need .csr file too, eh? ;o
12:18 < krzee> has it changed drastically, no
12:18 < vatts> then this might be my-sided failure, i dont have it on laptop *sights*
12:19 < krzee> vatts, not for connecting, its good to save on your CA machine in case you need to add it to a CRL
12:19 < ecrist> vatts: you need the certificate and key, not the signing request
12:19 < zanberdo> my bad for not phrasing the question more clearly. Ok, so I should be able to use my config file from the 1.0.3 client with my 2.1.3 client
12:19 < krzee> csr is a request for a cert, unsigned by the CA
12:19 < vatts> Hmm.
12:19 < vatts> sight.
12:20 < vatts> but wait thats only difference between laptop and desktop versions :\
12:20 < krzee> vatts, those keys are not good
12:20 < krzee> maybe transfered over bad
12:20 < vatts> seems so
12:20 < vatts> :\
12:20 < vatts> Well i'm gettin gnew cert
12:20 < krzee> maybe you have a ca.crt from old setup... i dunno
12:20 < zanberdo> which brings me back to why I'm asking question: I have copied all the files from the config folder from my 1.0.3 client on XP to my newly installed 2.1.3 client on W7. I've modified only the path to the crt and key files in the config file and yet 2.1.3 fails immediately with no information save 'Options error: Unrecognized option or missing parameter(s) in client.ovpn:1: ############################################## (
12:21 < zanberdo> 2.1.3) Use --help for more information.'
12:21 -!- Busch [6d493239@gateway/web/freenode/ip.109.73.50.57] has joined #openvpn
12:21 -!- londonmet050 [~0wned@unaffiliated/londonmet050] has quit [Ping timeout: 250 seconds]
12:21 < krzee> zanberdo, theres more to the error, pastebin the logfile
12:22 < zanberdo> krzee, actually, there isn't more to the error.  That one line of text IS the log file. 
12:22 < krzee> false
12:22 < krzee> there is more logfile
12:22 < krzee> !logfile
12:22 < vpnHelper> krzee: "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info
12:22 < zanberdo> I'm right-clicking openvpn client and select view log and that's what I get.
12:22 < krzee> then do what !logfile says
12:24 < zanberdo> since it's a W7 client there is no syslog, at least not in the linux sense, though maybe you are suggesting there is additional logging in the windows logger, I don't know.  I will change by verbosity and see if I can't get more information.
12:24 < vatts> zanberdo, not windows system log. its a OVPN logfile
12:24 < vatts> C:\program files\openVPN\log
12:24 < krzee> You can manually specify a logfile with: log /path/to/logfile
12:24 < vatts> the dir ;p
12:25 -!- dazo is now known as dazo_afk
12:27 < zanberdo> I'm not going to argue over this. I've opened and pasted the content of the log file and I've confirmed that what's written to C:\Program Files (x86)\OpenVPN\log\client.log is the same.  I've also increased verbosity to 5 and get the same issue.  However, I have noted that some special-case characters are being reported in the output which may not be rendering properly in irc chat. as if there are some control characters in th
12:27 < zanberdo> e config file. I will investigate.
12:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
12:37 < krzee> log-append
12:42 < Busch> !welcome
12:42 < vpnHelper> Busch: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:42 < Busch> !/30
12:42 < vpnHelper> Busch: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
12:49 -!- zanberdo [~mkz@173-164-189-237-SFBA.hfc.comcastbusiness.net] has quit [Quit: Leaving]
12:50 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
12:53 < Bushmills> ecrist, 9 hours ago? yes. bouncer (?) seemed to have behaved funny
12:53 < Busch> Problem on client: two real network intefaces, LAN & WAN. one tun0 interface that is connected to the openvpn server somewhere in the internet through the wan port. the machine acts as a router for all clients, that are connected to the lan port. 
12:54 < Busch> all traffic from the lan clients will be redirected to the openvpn server by iptables: "iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun0 -j SNAT --to 10.10.10.14". 192.168.1.0/24 is my lan, 10.10.10.14 is the ip adress of the tun0 interface. the vpn server is 10.10.10.1. The setup works but i have the following problem: i can ping the openvpn client on the tun0 interface and on the lan interface but NOT on the wan interface.
12:54 < Busch> tcpdump on wan is interesting: incoming icmp echo request come in via wan interface and the openvpn client tries to send the icmp echo reply to the vpn server?! Result: No services (e.g. apache) can be reached via wan interface. Any ideas?
12:59 -!- dazo_afk is now known as dazo
13:09 < vpnHelper> RSS Update - forum: Configuration :: Re: Openvpn and Amazon EC2 with Windows 2008 :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7167&p=8087#p8087>
13:24 < SDE> guys is there a support for OpenVPN AS room?
13:35 < nDuff> there's very good paid support for OpenVPN AS
13:47 -!- Busch [6d493239@gateway/web/freenode/ip.109.73.50.57] has quit [Ping timeout: 265 seconds]
13:48 <@dazo> !as
13:48 < vpnHelper> dazo: "as" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
13:48 < vpnHelper> dazo: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
13:48 <@dazo> SDE: ^^
13:51 < vpnHelper> RSS Update - forum: Configuration :: [server] Inactivity timeout (--ping-restart), restarting :: Author hohum <https://forums.openvpn.net/viewtopic.php?f=6&t=7181&p=8076#p8076>
13:52 -!- oracle_ [~o2@unaffiliated/spice] has joined #openvpn
13:55 -!- oracle [~o2@unaffiliated/spice] has quit [Ping timeout: 264 seconds]
13:57 < vpnHelper> RSS Update - forum: Configuration :: Re: [server] Inactivity timeout (--ping-restart), restarting :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7181&p=8077#p8077>
14:04 -!- vatts [bouncer@unaffiliated/vatts] has left #openvpn ["WIrc 0.8 RC1 [[Kill ordinary clients!]] - CHpart"]
14:07 < vpnHelper> RSS Update - forum: Configuration :: Re: [server] Inactivity timeout (--ping-restart), restarting :: Reply by hohum <https://forums.openvpn.net/viewtopic.php?f=6&t=7181&p=8078#p8078>
14:10 -!- p3rror [~mezgani@adsl196-128-92-206-196.adsl196-3.iam.net.ma] has joined #openvpn
14:12 < vpnHelper> RSS Update - forum: Configuration :: Re: [server] Inactivity timeout (--ping-restart), restarting :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7181&p=8088#p8088>
14:19 -!- dazo is now known as dazo_afk
14:31 -!- oracle_ is now known as oracle
14:35 < vpnHelper> RSS Update - forum: Installation Help :: Re: Client error :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=5&t=7174&p=8085#p8085>
14:37 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined #openvpn
14:59 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: Assign unique public IP for each openvpn user :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=15&t=7176&p=8079#p8079>
15:05 -!- oryxtec [~test@119.152.76.97] has joined #openvpn
15:05 < oryxtec> hi all..
15:06 < kisom> hello oryxtec
15:06 < oryxtec> i have installed openvpn on centos 5.5
15:06 < oryxtec> 64 bit
15:06 < oryxtec> but
15:06 < oryxtec> but i can't find this dir /usr/share/doc/openvpn-2.0.9/easy-rsa/
15:07 < oryxtec> although i can see this dir /usr/share/doc/openvpn-2.1.1/sample-keys ... but easy-rsa is not in these dir
15:07 < oryxtec> plz help
15:07 < kisom> that's rather a specific issue to rhel/centos :)
15:07 < kisom> you can get the easy-rsa scripts elsewhere
15:07 < oryxtec> yup i didn't the same
15:08 < oryxtec> i get easy-rsa from my other server..
15:08 < oryxtec> now when
15:08 < oryxtec> i have done all steps like ./build-dh etc
15:08 < oryxtec> when i try to start openvpn... 
15:09 < oryxtec>  -- /etc/init.d/openvpn start
15:09 < oryxtec> failed
15:09 < fbh> Look in the logs why it is failing
15:09 < oryxtec> where i can find logs
15:09 < oryxtec> ?
15:10 < kisom> /var/log usually
15:10 < kisom> try running your config files directly
15:10 < krzee> !logfile
15:10 < vpnHelper> krzee: "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info
15:11 < oryxtec> hold on
15:28 < oryxtec> kisom: 
15:29 < oryxtec> openvpn server is connting only through /etc/init.d/openvpn start
15:29 < oryxtec> if i try to start using this command .. service openvpn start thn it get failed..
15:30 < oryxtec> any way.. its connected now.. but when i try to connect client
15:30 < oryxtec> i get this error msg " unable to connect because certicate is not valid. Check that your system time is correct "
15:32 < oryxtec> help plz !!!!!!!!!!!!!!!!!
15:39 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 250 seconds]
15:40 -!- nDuff [~cduffy@rrcs-97-79-207-2.sw.biz.rr.com] has quit [Quit: kernel upgrade; rebooting]
15:47 -!- londonmet050 [~0wned@unaffiliated/londonmet050] has joined #openvpn
15:57 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
16:04 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Remote host closed the connection]
16:06 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
16:15 -!- rawDawg [~rawdawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined #openvpn
16:16 < rawDawg> !howto
16:16 < vpnHelper> rawDawg: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:18 -!- deadevilboy [3e1c8498@gateway/web/freenode/ip.62.28.132.152] has joined #openvpn
16:18 < deadevilboy> hello ppl
16:18 < deadevilboy> I know it might be a stupid question
16:18 < deadevilboy> but I already red a lot of info about ISA Proxies and OpenVPN
16:19 < deadevilboy> and nothing seems to work
16:19 < deadevilboy> I am behind an ISA proxy with Authentication
16:19 < deadevilboy> and my proxy only opens 8000 for log in
16:19 < deadevilboy> and output
16:20 < deadevilboy> so I found a VPN server free on port 443... 
16:20 < deadevilboy> but even with http-proxy bla bla ntlm I can't connect to my web proxy
16:20 < deadevilboy> why ?
16:20 < deadevilboy> what is wrong?
16:23 < vpnHelper> RSS Update - forum: Server Administration :: read UDPv4 [EHOSTUNREACH]: No route to host (code=113) :: Author bbroussard <https://forums.openvpn.net/viewtopic.php?f=4&t=7184&p=8094#p8094>
16:23 < patel> oh one of those
16:23 < patel> no route to host
16:23 < patel> :-)
16:24 -!- rawDawg [~rawdawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: Connection reset by peer]
16:27 < deadevilboy> is it normal when it says connected to %S ?
16:29 < deadevilboy> well I can't do that
16:29 < deadevilboy> I want to bypass proxy
16:43 -!- londonmet050 [~0wned@unaffiliated/londonmet050] has quit [Read error: Connection reset by peer]
16:43 -!- londonmet050 [~0wned@unaffiliated/londonmet050] has joined #openvpn
16:52 -!- luneff [~yury@46.41.68.253] has joined #openvpn
16:52 < luneff> greetings to everyone. i need to run an "up" script, but after the route table is modified. is that possible?
16:53 < luneff> i want to hook telnetd launch to openvpn establishing connection
16:53 < luneff> it seems that openvpn calls "up" script before the system knows that there is a vpn network
16:53 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:58 -!- p3rror [~mezgani@adsl196-128-92-206-196.adsl196-3.iam.net.ma] has quit [Ping timeout: 245 seconds]
16:59 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
17:01 -!- londonmet050 [~0wned@unaffiliated/londonmet050] has quit [Ping timeout: 245 seconds]
17:05 < luneff> no, the problem is not with that ;(
17:05 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
17:14 < Bushmills> luneff, http://scarydevilmonastery.net/snap/1287094469113742007d.png
17:15 < Bushmills> great that man pages exists, isn't it?
17:15 < luneff> hm. yes, probably. thank you, but i guess that my problem is not because of "before route". i'm researching why couldn't openvpn run my scripts the way i want :)
17:16 < Bushmills> i don't know what your problem might be because you didn't say what it is
17:16 < Bushmills> you only told us what it isn't
17:17 < luneff> i'm not asking for help now :) because if i was to define my problem, i would fix it by myself
17:17 < luneff> anyways, i can tell what i'm doing
17:18 < luneff> i have /etc/init.d/S90openvpn, which when being passed "started" runs two other scripts
17:18 < luneff> i have "up" script that calls "S90openvpn started"
17:19 < luneff> two other scripts apparently are being run, but daemons from those scripts are not running after everything's finished
17:19 < luneff> daemons are run through start-stop-daemon
17:19 < luneff> when i run my "up" script by hand after openvpn is connected, everything is good
17:20 < luneff> openvpn on the other hand runs "up" script somehow wrong...
17:21 < Bushmills> you're aware of  --script-security ?
17:24 -!- oryxtec [~test@119.152.76.97] has quit [Ping timeout: 260 seconds]
17:27 < luneff> yes, i can definetely read log messages :)
17:27 < luneff> exact lines of my script are run, but daemon does not remain running
17:27 < Bushmills> add   "echo $PATH > /tmp/foo"  to script and make sure that PATH contains all dirs which contain all involved executables
17:27 -!- s7r [~s7r@188.27.109.61] has joined #openvpn
17:27 < deadevilboy> so, any ideas for config ? bypassing restrictive web ISA Proxy with auth?
17:27 < Bushmills> as a side note, probably irrelevant to your problem, is the choice of /etc/init.d directory for the openvpn run scripts
17:27 < deadevilboy> only allows http on port 8000 and https on standard
17:27 -!- oryxtec [~test@119.152.76.97] has joined #openvpn
17:28 < Bushmills> after all, execution of those scripts is nopt related to run level changes, but to starting openvpn. therefore they seem misplaced in init.d directory
17:28 < luneff> $PATH is ok :(
17:29 < luneff> there are no problems with runlevels, it's an embedded device, i control everything :)
17:29 < Bushmills> that doesn't make placing them there a better chouce
17:29 < Bushmills> choice
17:31 < luneff> openvpn "up" script is in /etc/openvpn/ anyways :)
17:31 -!- oracle [~o2@unaffiliated/spice] has quit [Remote host closed the connection]
17:31 -!- LeRrA [~lerra@c-9b9872d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined #openvpn
17:32 < luneff> the point is that i want to have telnetd binded to openvpn interface
17:32 < luneff> so i'm trying to start telnetd as soon as openvpn says it's possible
17:33 < luneff> but also as i have 2 daemons i'd like to listen openvpn interface, i grouped them in "started" case of script that runs openvpn
17:34 < luneff> anyways, it's complicated, i'll deal with it myself :-D
17:35 < luneff> doesn't openvpn do anything special about programs left being run from "up" script?
17:35 < luneff> perhaps, it could kill child tree of up script for security reasons
17:37 < Bushmills> i'm not aware of that, but you can find out.  at the end of your up script,  redirect output of ps aux. you could also sleep for x minutes, while backgrounding it, and see whether telnetd runs temporarily
17:37 < luneff> hm. probably yes. i'll try
17:38 < Bushmills> a bit fiddly, but very diagnostic, i suppose
17:38 < luneff> also the thing is that when i run the daemon directly from up script (not by calling other script), everything is ok :)
17:40 < Bushmills> then maybe try to exec that script instead 
17:43 < luneff> i guess so. the one error might be "sh" not recognizing ". file" as "source file"
17:44 < luneff> that's probable :)
17:44 < luneff> i have ip address written in /etc/sysvars
17:44 < luneff> like "export our_address=192.168...."
17:45 < luneff> no :(
17:47 < smerz> can someone give me hints as to how to general client certificates without input (i.e. automating it) ?
17:47 < smerz> don't wanna change the source :|
17:48 < luneff> use "expect"?
17:48 < luneff> :)
17:48 < smerz> hmm i guess i'm to noob. i need another hint :|
17:48 < smerz> generate client certificates i meant earlier
17:49 < smerz> basically creating them from bash script
18:03 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
18:03 < luneff> apparently, my problem is that busybox's start-stop-daemon is a tricky script :) calling daemon in the same place by hand works, but the same call to start-stop-daemon that works w/o openvpn produces an error when launched through openvpn "up" script
18:18 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
18:31 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
18:36 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
18:38 -!- luneff [~yury@46.41.68.253] has quit [Quit: Leaving]
18:51 -!- APTX_ is now known as APTX
18:58 -!- dogmeat [~Bob@unaffiliated/dogmeat] has joined #openvpn
18:58 < dogmeat> how can i set a timeout for idle connections after 30 minutes?
19:04 -!- Squidy_at_Home [~quassel@187.54.246.218] has joined #openvpn
19:05 -!- jim--- [~jimbo@r74-192-149-9.gtwncmta01.grtntx.tl.dh.suddenlink.net] has quit [Ping timeout: 276 seconds]
19:13 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Ping timeout: 265 seconds]
19:20 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
19:26 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Ping timeout: 250 seconds]
19:32 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
19:52 < ecrist> I don't think that's currently supported, dogmeat
20:05 -!- deadevilboy [3e1c8498@gateway/web/freenode/ip.62.28.132.152] has quit [Quit: Page closed]
20:11 -!- oryxtec [~test@119.152.76.97] has left #openvpn []
20:23 -!- Squidy_at_Home_ [~quassel@187.54.209.157] has joined #openvpn
20:24 -!- Squidy_at_Home [~quassel@187.54.246.218] has quit [Ping timeout: 252 seconds]
20:24 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
21:26 -!- SDE [~SDE@93-97-41-44.zone5.bethere.co.uk] has quit [Read error: Connection reset by peer]
21:47 -!- Squidy_at_Home [~quassel@201-88-245-253.cbace701.dsl.brasiltelecom.net.br] has joined #openvpn
21:47 -!- Squidy_at_Home_ [~quassel@187.54.209.157] has quit [Ping timeout: 252 seconds]
22:19 -!- Squidy_at_Home [~quassel@201-88-245-253.cbace701.dsl.brasiltelecom.net.br] has quit [Remote host closed the connection]
22:28 -!- rawDawg [~rawdawg@cpe-76-188-26-242.neo.res.rr.com] has joined #openvpn
22:44 < vpnHelper> RSS Update - forum: Configuration :: Remote machine bridge problem :: Author cgv <https://forums.openvpn.net/viewtopic.php?f=6&t=7185&p=8095#p8095>
22:49 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
22:53 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
23:33 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
23:38 -!- s7r [~s7r@188.27.109.61] has quit []
--- Day changed Fri Oct 15 2010
00:36 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
00:46 -!- g0tcha [~efnet@167-122.105-92.cust.bluewin.ch] has joined #openvpn
00:50 -!- g0tcha` [~efnet@167-122.105-92.cust.bluewin.ch] has quit [Ping timeout: 272 seconds]
00:53 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
01:01 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 240 seconds]
01:01 -!- hyper_ch [~hyper_ch@91.121.147.34] has joined #openvpn
01:01 -!- chantra_afk [~chantra@unaffiliated/chantra] has quit [Ping timeout: 252 seconds]
01:03 -!- chantra_afk [~chantra@unaffiliated/chantra] has joined #openvpn
01:12 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 265 seconds]
02:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
02:50 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
02:59 -!- nyne [~ccronin@adsl-71-141-127-109.dsl.snfc21.pacbell.net] has joined #openvpn
03:01 < nyne> i have a debian box running openvpn behind a nat firewall which works out very well for me (so that i can connect my laptop back to my home network). i now have an office lan that i would like to connect to the home network as well. can i use the same type of configuration (with "client" directives in the config)  for the office openvpn gateway?
03:01 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
03:03 -!- meepmeep_ is now known as meepmeep
03:11 -!- dazo_afk is now known as dazo
03:35 -!- nyne [~ccronin@adsl-71-141-127-109.dsl.snfc21.pacbell.net] has quit [Ping timeout: 265 seconds]
03:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:38 -!- SDE [~SDE@host81-137-144-179.in-addr.btopenworld.com] has joined #openvpn
03:46 < Bushmills> yes. read this:
03:46 < Bushmills> !route
03:46 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
03:48 < Bushmills> if your openvpn server is neither home nor office, take into account that traffic office<>home will have to traverse openvpn twice
03:48 < Bushmills> openvpn server at office may be preferable
04:02 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 260 seconds]
04:21 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined #openvpn
04:25 -!- SDE [~SDE@host81-137-144-179.in-addr.btopenworld.com] has quit [Ping timeout: 245 seconds]
04:34 -!- krzie [krzee@hemp.ircpimps.org] has joined #openvpn
04:34 -!- krzie [krzee@hemp.ircpimps.org] has quit [Changing host]
04:34 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
04:39 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 276 seconds]
05:04 < vpnHelper> RSS Update - forum: Server Administration :: Re: Join Active Directory Domain :: Reply by T4K <https://forums.openvpn.net/viewtopic.php?f=4&t=7180&p=8096#p8096>
05:05 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
05:19 -!- Phenox_ [~Bernd@88.215.198.24] has quit [Remote host closed the connection]
05:23 -!- r0ckY [~johnpatch@dslb-088-064-243-072.pools.arcor-ip.net] has joined #openvpn
05:23 < r0ckY> !howto
05:23 < vpnHelper> r0ckY: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:03 -!- lkthomas [lkthomas@218.213.78.173] has quit [Ping timeout: 240 seconds]
06:03 -!- lkthomas [lkthomas@218.213.78.173] has joined #openvpn
06:18 < g0tcha> !nat
06:18 < vpnHelper> g0tcha: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
06:18 < g0tcha> !linnat
06:18 < vpnHelper> g0tcha: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
06:44 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
06:49 -!- sypher [~sypher@212.31.236.154] has joined #openvpn
06:49 < sypher> guys is there a way to check openvpn traffic by user / connection ? 
06:49 < sypher> we're in need to have something like that, but i cant seem to find a way 'how'. 
06:52 < Bushmills> on the server, assume that "client" equals "user"
06:54 < Bushmills> the file, created with --status, contains traffic information per client 
07:01 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left #openvpn []
07:01 < sypher> Bushmills, thanks will check it up.
07:01 < ecrist> also, that information is passed to client disconnect scripts in the environment
07:02 < sypher> Bushmills, no wait thats no good. 
07:02 < sypher> i need a way to identify the login client.
07:02 < sypher> ecrist, what is passed? in that case, the user is passed also ? 
07:02 < ecrist> sypher: it works based on VPN client connection
07:02 < sypher> is there a way to pass a user ? 
07:02 < ecrist> user = client
07:03 < sypher> ecrist, sorry, im very very very noob in this. on disconnection there's some info passed to disconnect scripts. we're talking server side, correct? 
07:04 < ecrist> yes
07:04 < sypher> Ok. what information will be passed? Is there anywhere i can look what info is being passed to disconnect scripts? 
07:04 < ecrist> hang on a minute
07:05 < sypher> thanks ecrist 
07:06 < ecrist> sypher: have you read the man page?
07:06 < ecrist> http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html
07:06 < vpnHelper> Title: OpenVPN 2.1 (at openvpn.net)
07:07 < sypher> yah; ecrist talking about these? "Environmental Variable" ? 
07:07 < ecrist> read the section 'String Types and Remapping' and under that, Environment Variables
07:07 < ecrist> yes
07:07 < ecrist> see the option --client-disconnect
07:07 < sypher> great. 
07:07 < sypher> so on --client-disconnect i'll just run a bash script, writing all that stuff into a readable text file. 
07:08 < ecrist> well, the stuff is stored into a file during the session.  I would suggest writing it to a database, to make it easier to look information up
07:08 < sypher> yah. 
07:08 < sypher> i see its passing a 'username' also 
07:09 < sypher> but im using keys to connect not username pass. any way i can initialize that variable with random data ? (ie the username that i want to appear regardless of the authentication used) 
07:09 < sypher> ? 
07:11 < ecrist> use the CN in the client certificate
07:14 < sypher> thanks will try 
07:15 < Bushmills> sypher, "i need a way to identify the login client" - there's one line per client
07:15 < Bushmills> including client CN
07:15 < sypher> Bushmills, what do you mean ? 
07:15 < Bushmills> one line per client? means, characters, linefeed, characters, linefeed etc
07:17 < sypher> sorry, i lost. 
07:17 < sypher> im lost. i dont get what you're meaning.
07:18 < Bushmills> hm. imagine a text arranged like on a page of a book. 
07:18 < sypher> no wait i know what 'one line means' 
07:18 < Bushmills> yes. and now, many of those
07:18 < sypher> i just dont get your proposed solution. 
07:19 < sypher> what ecrist told me earlier should work, eg, execute a script  that on client disconnect will take the variables passed and insert them in a db or whatever. 
07:19 < Bushmills> ah, ok. i was suggesting to look at that (multi-lined) file
07:19 < sypher> Bushmills, aight, what file ?
07:19 < Bushmills> <Bushmills> the file, created with --status, contains traffic information per client 
07:20 < sypher> ahhhh, ok. sorry didnt get all the whole picture. 
07:20 < sypher> i see ... 
07:20 < sypher> you're right, that would be the only thing i need. now i need to find how to pass a unique info from the client to the server, in the config file. 
07:21 < Bushmills> don't
07:21 < Bushmills> as ecrist said, use the CN
07:21 < Bushmills> CN = Common Name
07:22 < Bushmills> that name is recorded, along with traffic information, in that status file
07:22 < Bushmills> one per line
07:23 -!- rawDawg2 [~rawdawg@cpe-76-188-26-242.neo.res.rr.com] has joined #openvpn
07:24 -!- rawDawg2 [~rawdawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
07:25 -!- rawDawg [~rawdawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Ping timeout: 272 seconds]
07:28 < sypher> ok, CN to be put in the client config? 
07:30 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
07:31 -!- arejay [arejay@shell.dawnshosting.com] has left #openvpn []
07:31 < ecrist> CN is in the SSL certifivate
07:31 < ecrist> s/v/c/
07:33 < sypher> aw.
07:35 < sypher> gh nevermind. i've been having problems which actually i dont have. i didnt check before the status file. now i understand more. sorry guys i feel so stupid. 
07:36 < sypher> i'll just set up a script that will read the variables passed and save them on db. thats good enough thank you all 
07:41 < ecrist> np
07:53 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
08:08 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
08:18 -!- njan [~james@freenode/staff/njan] has left #openvpn []
08:18 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
08:19 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
08:48 -!- tjz [~pc@bb219-74-133-186.singnet.com.sg] has joined #openvpn
08:48 -!- tjz [~pc@bb219-74-133-186.singnet.com.sg] has quit [Changing host]
08:48 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
08:57 -!- dazo is now known as dazo_afk
09:12 -!- Buklov [~3232@213.138.74.165] has quit [Ping timeout: 240 seconds]
09:28 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
09:28 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
09:31 -!- Buklov [~3232@213.138.74.165] has joined #openvpn
09:39 -!- sypher [~sypher@212.31.236.154] has quit [Ping timeout: 276 seconds]
09:41 < vpnHelper> RSS Update - forum: Installation Help :: Re: Client error :: Reply by planethax <https://forums.openvpn.net/viewtopic.php?f=5&t=7174&p=8097#p8097>
09:47 < vpnHelper> RSS Update - forum: Configuration :: Re: sharing database :: Reply by planethax <https://forums.openvpn.net/viewtopic.php?f=6&t=7178&p=8098#p8098>
10:33 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 245 seconds]
10:56 -!- sypher [~sypher@host180-86-dynamic.54-82-r.retail.telecomitalia.it] has joined #openvpn
11:19 -!- s7r [~s7r@188.26.130.218] has joined #openvpn
11:21 -!- Diffen2 [~diffen2@scandic836.host.songnetworks.se] has joined #openvpn
11:35 -!- Diffen2 [~diffen2@scandic836.host.songnetworks.se] has quit [Quit: This computer has gone to sleep]
11:39 -!- Diffen2 [~diffen2@scandic836.host.songnetworks.se] has joined #openvpn
11:48 -!- Diffen2 [~diffen2@scandic836.host.songnetworks.se] has quit [Quit: This computer has gone to sleep]
12:00 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
12:14 -!- svm_invictvs is now known as IGNORE_ME
12:15 -!- nyne [~ccronin@edge-gw-rwc.silverspringnet.com] has joined #openvpn
12:16 -!- IGNORE_ME is now known as svm_invictvs
12:23 -!- dollabill [~mike@97.66.26.10] has quit []
12:24 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
12:25 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:26 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
12:33 < svm_invictvs> Heya
12:34 < svm_invictvs> Is there a manual page for the OpenVPN configuration file?
12:34 < krzie> yes, the openvpn manual
12:34 < krzie> because:
12:34 < krzie> !--
12:34 < vpnHelper> krzie: "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file.
12:35 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: Assign unique public IP for each openvpn user :: Reply by ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7176&p=8099#p8099>
12:35 < krzie> !man
12:35 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
12:36 < svm_invictvs> Ah, nice
12:36 < svm_invictvs> The connection is terrible here so browising the mage page through SSH is a little clumsy
12:37 < krzie> ya for some reason i ALWAYS look at this giant manual via browser
12:38 -!- ccr_ [~cransom@crosstalk.atomz.com] has joined #openvpn
12:38 < svm_invictvs> Yeah, I'mt rying to set it up so that when the client connects to the server it launches sshd and binds it only to that vpn network adapter
12:38 < krzie> !script
12:38 < vpnHelper> krzie: "script" is see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn
12:39 < svm_invictvs> So I think I'm gonna have to have a script launch when the VPN connects, find the VPN's Ip address then feed that into the startup of sshd.
12:39 < svm_invictvs> And then give the vpn client a hostname in DNS so I dont' have to remember IP addresses, heh
12:39 < g0tcha> krzie, whats the link to your .conf files
12:39 < svm_invictvs> All of that's in there, eh.  
12:40 < krzie> personally i just have a wrapper for starting the vpn that also runs my services tht depend on it
12:40 < krzie> g0tcha, www.ircpimps.org/openvpn.configs
12:40 < svm_invictvs> So what happens if the vpn link gets cut?
12:40 < vpnHelper> RSS Update - forum: Server Administration :: Need help with core dump gdb output 2.1.3 server :: Author randyw <https://forums.openvpn.net/viewtopic.php?f=4&t=7183&p=8093#p8093> || Scripting and Customizations :: Re: Assign unique public IP for each openvpn user :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=15&t=7176&p=8101#p8101> || Authentication Scripts :: Re: Automatically fill in username and password :: Reply by Douglas <h
12:41 < krzie> svm_invictvs, if its a small vpn you can just add the entry in hosts file ;]
12:41 < svm_invictvs> Does the server give a new IP address?
12:41 < svm_invictvs> hm.
12:41 < krzie> not if you use
12:41 < krzie> !static
12:41 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.5 10.8.0.6 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder
12:42 < svm_invictvs> I dunno if I wanna do static.  I'd have to add a new one for each machine I add tot he network.
12:42 < svm_invictvs> That'd be painful.
12:42 < krzie> only for ones you want to always have the same ip
12:42 < svm_invictvs> Well, that's not the issue
12:42 < krzie> like ones services depend on
12:42 < krzie> then again you can write a script to update dyndns
12:42 < svm_invictvs> Like I said, that's all of them.
12:43 < krzie> someone was just writing one for --learn-address in here
12:43 < svm_invictvs> The thing is, sshd doesn't allow you configure it to always bind to an adapter.  It'd be easy to bind it to /dev/tun0, but I'd have to get the ip address...
12:44 < svm_invictvs> I'll just atke this weekend and read the openVPN book
12:44 < svm_invictvs> That'll probably poitn out a better place for all this
12:44 < krzie> what openvpn book?
12:44 < svm_invictvs> There's one on the site, isn't there?
12:45 < krzie> shit you just reminded me
12:45 < krzie> im wayyyyy late in my peer reviews for the new book
12:45 < krzie> jjk from the mailing list is writing one
12:45 < svm_invictvs> ISBN: 184719706X
12:45 < svm_invictvs> krzie: Is that your book?
12:46 < krzie> nah i havnt written any books
12:46 < svm_invictvs> oh
12:46 < krzie> only thing i wrote was !route and !confgen
12:46 < svm_invictvs> hahaha
12:46 < krzie> wow, $50 for a book of a couple yr old version
12:47 < svm_invictvs> OpenVPN will refuse to connect  a client if their credentials weren't signed with the server's master key
12:47 < krzie> not the servers
12:47 < svm_invictvs> correct?
12:47 < krzie> the CA's
12:47 < svm_invictvs> yeah
12:47 < ecrist> krzie: in their defense, 90% of it is still relevant
12:47 < krzie> !pki
12:47 < vpnHelper> krzie: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was
12:47 < vpnHelper> krzie: signed specially as a server (see !servercert)
12:47 < krzie> see #2
12:47 < krzie> ecrist, have you read it?
12:47 < krzie> and yes, i could see that being true
12:47 < svm_invictvs> Which you generate the ca key, you sign all the certs.  Which I did.
12:48 < ecrist> holy cow, that book references wikipedia and someo f their sources.
12:48 < ecrist> no, not read it
12:48 < svm_invictvs> lol
12:48 < krzie> hey its the same publisher as is publishing jjk's openvpn cookbook
12:48 < ecrist> which much on wikipedia is accurate, for a book, I'd hardly list it as a source.
12:48 < krzie> and it was published less than a year ago
12:49 < svm_invictvs> krzie: To give you an idea for the goal of this.... I want to basically make an automatic OS installer that preconfigures the the openvpn then I ship the machines to the customer.
12:49 < krzie> !win_rollup
12:49 < vpnHelper> krzie: "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
12:49 < svm_invictvs> krzie: it's a few machines and I need to be able remotely manage each one of them, and each one of them could be behind firewalls, or sporadically disconnected/connectec etc.
12:50 < g0tcha> krzie, still nothing from my side dude.. the vpn would work fine if i comment out redirectgateway from the server size
12:51 < svm_invictvs> So i gotta set up a disc that automatically installs the OS on a new machine, requests from my server a key to provision the machine, and then when the machine is shipped to the client site they just have to plug it in and it "just works"
12:52 < svm_invictvs> Thats' why I'm con cerned about getting it set up where it's automatically connecting ot my VPN server.
12:53 < krzie> g0tcha, and when you dont comment it out, what happens
12:53 < g0tcha> krzie, i can connect to the vpn fine but i cannot go online or ping the other ips from the vpn
12:54 < svm_invictvs> i think all that should work.
12:54 < krzie> what "other ips from the vpn" ?
12:55 < svm_invictvs> g0tcha: I think the HOWTO has a section showing you you can rig that up.  If you have Server naemd S0 and clients named C0, and C1, you want C0, to be able to ping C1, right?
12:56 < g0tcha> krzie, the virtual ip gatway for example
12:56 < g0tcha> svm_invictvs, nah
12:56 < g0tcha> all i want is for the machine not to be able to get online unless the vpn conneciton is active
12:56 < g0tcha> i dont care if they can ping each other or share data between the machines
12:57 < krzie> then do not use def1 in your redirect-gateway
12:57 < svm_invictvs> Ah, I see.
12:57 < g0tcha> krzie, i dont
12:57 < krzie> and you probably do not have NAT correct on your server
12:57 < krzie> (or ip forwarding)
12:59 < g0tcha> how can i check if my NAT settings are correctly?
13:01 -!- f0rd42 [~adieball@p54BE1E39.dip.t-dialin.net] has joined #openvpn
13:01 < f0rd42> hi Guys
13:02 < f0rd42> newbie question: how do I specify the username / passsword (--auth-user-pass) as an option? I need to use --auth-user-pass on a vyatta router which officially doesn't support it, but I can specify openvpn-options
13:02 < vpnHelper> RSS Update - forum: Server Administration :: Re: read UDPv4 [EHOSTUNREACH]: No route to host (code=113) :: Reply by ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7184&p=8102#p8102>
13:02 < krzie> must be compiled in
13:03 < krzie> !pwfile
13:03 < vpnHelper> krzie: "pwfile" is (#1) OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h, or (#2) see --auth-user-pass in the manual (!man) for more info
13:04 < svm_invictvs> Dumb question.  Let's say I configure my server to give a client the IP address 10.0.0.2.  Then the user goes and connects the machine to one of those COTS netgear routers.  What happens if the router gives /dev/eth0 the same IP address?
13:05 < f0rd42> must be compiled in .... the client or the server side?
13:05 < svm_invictvs> I'm guessing that there's gonna be come badness happening.
13:05 < svm_invictvs> *some
13:05 < krzie> f0rd42, the side reading pw's from a file
13:06 < f0rd42> krzie: any chance to figure out whther it has this option? (sorry, openvpn newbie)
13:06 < krzie> if you didnt compile it in, it does not
13:07 < krzie> --version should show it
13:07 < f0rd42> it's part of the vyatta router software, debian based, full shell access
13:07 < vpnHelper> RSS Update - forum: Server Administration :: Re: read UDPv4 [EHOSTUNREACH]: No route to host (code=113) :: Reply by ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7184&p=8103#p8103>
13:10 < krzie> g0tcha, by looking at what they should be, and what they are
13:10 < f0rd42> krzie: #adieball@vyatta:~$ /usr/sbin/openvpn --version
13:10 < f0rd42> OpenVPN 2.1_rc21 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Nov 19 2009
13:10 < f0rd42> Developed by James Yonan
13:10 < f0rd42> Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>
13:10 < f0rd42> adieball@vyatta:~$
13:10 < krzie> and by disabling everything else in your firewall
13:11 < g0tcha> i do not have any firewalls running
13:11 < g0tcha> let me paste the server and client logs to you
13:11 < g0tcha> i think ive messed things up dunno why
13:11 < krzie> f0rd42, you can try doing it, if it doesnt work its because its not compiled in
13:12 < krzie> g0tcha, paste configs with no comments
13:12 < f0rd42> krzie: is it: --auth-user-pass up /home/vyatta/pw where pw contains the username on the first line and the password on the second? (this is what I understood from the man page)
13:13 < krzie> [up] is the file itself
13:13 < krzie> so remove the word up
13:14 < krzie> other than that, yes
13:18 < f0rd42> krzie: perfect, works, thanks a lot. Now I just need to find out why I can't get any traffic through
13:19 < krzie> g0tcha, use full paths for all filenames, remove the cipher command from your server, remove ifconfig-pool-persist, remove tls-server, windows paths need double quotes " ", client has comp-lzo and server does not
13:19 < krzie> f0rd42, 
13:19 < krzie> !redirect
13:19 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:23 < g0tcha> krzie, i can ping 10.0.1.1 fine now, i couldnt before.. but i still cant get online though
13:23  * krzie looks at the topic
13:23 < krzie> Your problem is your firewall, really.
13:23 < g0tcha> there are none :/
13:23 < g0tcha> yeah i assumed you meant that much heheh
13:23 < krzie> (for the record, that is where NAT happens)
13:24 < g0tcha> i dont have any firewalls running on the server or client side..
13:24 < Bushmills> there's your problem :)
13:24 < krzie> well if you dont have a firewall on the server side, how do you NAT the traffic?
13:24 < krzie> ya, what Bushmills said
13:24 < krzie> moin Bushmills =]
13:25 < Bushmills> hi krzee 
13:25 < Bushmills> ehm
13:25 < g0tcha> uh i thought it would better if there is no firewall running!
13:25 < Bushmills> krzie, 
13:25 < krzie> meh, same me ;]
13:25 < g0tcha> !nat
13:25 < vpnHelper> g0tcha: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
13:25 < f0rd42> krzie: I use blackvpn with openvpn. Using it via Tunnelblick from my Mac OS X works fine. All my traffic get's redicrected than. I want to implement it on a vyatta router. Got it so far that it's connecting and I get an IP, my routiung is setup properly but it fauls to change the default gateway (which is what I want, as I want to specify what to route over the tunnel).
13:25 < f0rd42> krzie: http://pastebin.com/MrbN05Cs
13:25 < Bushmills> http://scarydevilmonastery.net/masq
13:25 < krzie> no idea what blackvpn is
13:26 < f0rd42> krzie: just one of these vpn providers (need to get a US IP Address for Pandora)
13:26 < Bushmills> !redirect
13:26 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:27 < Bushmills> push on server, or add to client config
13:27 < krzie> Oct 15 20:24:47 vyatta openvpn[12454]: NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
13:27 < g0tcha> hmm for some reason ubuntu is not accepting the iptables i try to add to it
13:28 < g0tcha> http://pastebin.com/WaZgyt5z
13:28 < krzie> f0rd42, you may need an updated version of openvpn
13:28 < Bushmills> actually, def1 won't change default gateway, instead it adds two /1 routes
13:28 < krzie> he doesnt want def1
13:28 < krzie> he wants it to not work when disconnected
13:28 < Bushmills> but def1 would fix the "Cannot read current default gateway" problem
13:29 < f0rd42> krzie: yes, I know. using tunnelblick it does redirect, which is not what I want on the vyatta, I want to specify what traffic goes over the tunnel. Put I can't even ping the "other side"
13:29 < krzie> no it wouldnt Bushmills 
13:29 < f0rd42> I have some host route pointing to vtun0
13:29 < Bushmills> it did when i had no default gateway in my client config.
13:29 < krzie> it reads the current default gateway for other things
13:29 < krzie> not just for redirect
13:30 < f0rd42> my default gw goes out to the internet ..... only specific hosts should be send to the tunnel
13:30 < Bushmills> that's something you'd want to restrict on server/gateway, not on clients
13:31 < krzie> he is using a vpn service
13:31 < f0rd42> but I have no control over the server .... I thought floating static routs should do the trick. I mean the tunnel comes up ....
13:31 < Bushmills> then his client is the gateway
13:31 < Bushmills> his gateway to .. beyond 
13:31 < f0rd42> you're confusing me ;-)
13:32 < Bushmills> good
13:33 < krzie> i have seen this error before
13:34 < krzie> its because of ppp being default
13:34 < krzie> pppoe really, but i saw it with plain ppp
13:34 < krzie> http://www.google.com/search?client=opera&rls=en&q=Cannot+read+current+default+gateway+from+system&sourceid=opera&ie=utf-8&oe=utf-8
13:34 < vpnHelper> Title: Cannot read current default gateway from system - Google Search (at www.google.com)
13:35 < krzie> https://community.openvpn.net/openvpn/attachment/ticket/41/sf.net-comments.txt
13:35 < vpnHelper> Title: Attachment – OpenVPN Community (at community.openvpn.net)
13:35 < g0tcha> this should do it, right? "iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE"
13:36 < krzie> lets check
13:36 < krzie> !linnat
13:36 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
13:36 < krzie> looks like it
13:37 < svm_invictvs> What exactly does "push" do?
13:37 < krzie> !push
13:37 < vpnHelper> krzie: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
13:37 < svm_invictvs> Ah, I see.
13:37 < svm_invictvs> For whatever reason, I thought that it meant "command" as in executable on the system
13:38 < f0rd42> krzie: maybe completely stupid, but as I don't want ALL traffic to go through the tunnel what do I care whether openvpn can change my default gw or not .....
13:38 < f0rd42> or does the client report back to the server whether everything is " as the server wants it" ...
13:39 < f0rd42> ?
13:39 < krzie> its not about chan ging your default gateway
13:39 < krzie> when openvpn starts it adds routes
13:39 < krzie> it needs to know your real default gateway for that
13:40 < krzie> https://community.openvpn.net/openvpn/ticket/41
13:40 < vpnHelper> Title: #41 (Default gateway not detected (linux)) – OpenVPN Community (at community.openvpn.net)
13:40 < krzie> try setting route_gateway manually
13:40 < f0rd42> but as you can see from the logfile, it added the routes
13:40 -!- mattock1 [~samuli@dyn55-11.yok.fi] has joined #openvpn
13:40 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Read error: Connection reset by peer]
13:41 < krzie> f0rd42, your server probably pushes it at you, nothing you can do about that except deal with it after the fact
13:41 < krzie> https://forums.openvpn.net/viewtopic.php?f=15&t=7161&p=7979&hilit=split+routing#p7979
13:41 < vpnHelper> Title: OpenVPN Support Forum View topic - Split tunnel tweaks? (at forums.openvpn.net)
13:42 < f0rd42> krzie, yes, it does, I know. The device in question is a router with my private network attached to it. Openvpon sets the routing (apart from changing the default gw) and route the hosts I want to go through the tunnel to vtun0 ......
13:43 < krzie> but it doesnt work... does it
13:44 < g0tcha> still no good
13:44 < f0rd42> nope, not really :-)
13:44 < krzie> your ovpn needs to know the systems existing default gateway
13:46 < f0rd42> don't blame me, but "why"? the tunnel is st up and the interface vtun0 is up as well .....
13:46 < svm_invictvs> screen -r
13:46 < svm_invictvs> d'oh
13:46 < f0rd42> I don't need to nat traffic on my side, do I?
13:46 < svm_invictvs> Why did I type that when the screen is already ttached.
13:47 < krzie> f0rd42, no
13:47 < krzie> oh wait
13:47 < f0rd42> ok, good to know, one thing I can take off my list
13:47 < krzie> f0rd42, are you saying that your tunnel works, you just need machines on the LAN to route over the tunnel now?
13:48 < krzie> if so, yes, with no control over the server you will need NAT for that
13:48 < f0rd42> sort of ..... I just don't know whether it works or not, as I can't get any traffic though ...... the logfile says it's up (see pastebin)
13:48 < krzie> can you ping the server's VPN ip?
13:49 < f0rd42> according to the logile (I have 172.16.22.121), it should be 172.16.22.122
13:49 < f0rd42> no, I can't ping it
13:49 < krzie> !/30
13:49 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
13:49 < f0rd42> I should have said "i GOT" instead of I have
13:49 < krzie> try pinging 172.16.22.1
13:49 < f0rd42> tried, same result
13:49 < f0rd42> from the router
13:50 < f0rd42> http://pastebin.com/MrbN05Cs
13:51 < g0tcha> krzie, heh nowi cant ping the vpn ip anymore
13:51 < g0tcha> now*
13:51 -!- r0ckY [~johnpatch@dslb-088-064-243-072.pools.arcor-ip.net] has quit [Quit: Verlassend]
13:52 < f0rd42> so I need to nat all traffic which is suposed to go through the von to the IP of the vtun0 interface?
13:52 < krzie> im gunna go eat
13:52 < krzie> adios
13:54 < f0rd42> adieball@vyatta# show
13:54 < f0rd42>  destination {
13:54 < f0rd42>      address 172.16.0.0/16
13:54 < f0rd42>  }
13:54 < f0rd42>  outbound-interface vtun0
13:54 < f0rd42>  type masquerade
13:54 < f0rd42> [edit service nat rule 5]
13:54 < f0rd42> adieball@vyatta#
13:54 < f0rd42> doesn't help
13:54 < f0rd42> :-(
13:55 < f0rd42> Bushmills: any ideas?
13:55 < f0rd42> *begging*
13:56 < krzie> i already told you your problem
13:56 < krzie> you refuse to care / think it can be true
13:56 < krzie> :-p
13:56 < krzie> *back to gone*
13:56 < Bushmills> sorry, prolog is too vertical for comfortable reading
13:57 < Bushmills> i can't even see written anywhere what the problem is
13:58 < f0rd42> so my problem is that openvpn can't read my default gateway (pppoe)?
13:58 < f0rd42> still confused .... (sorry9
13:58 < krzie> [14:35]  <krzie> https://community.openvpn.net/openvpn/attachment/ticket/41/sf.net-comments.txt
13:58 < vpnHelper> Title: Attachment – OpenVPN Community (at community.openvpn.net)
13:58 < krzie> [14:40]  <krzie> try setting route_gateway manually
13:58 < |Mike|> !
14:00 < krzie> also see the actual ticket https://community.openvpn.net/openvpn/ticket/41
14:00 < vpnHelper> Title: #41 (Default gateway not detected (linux)) – OpenVPN Community (at community.openvpn.net)
14:08 < f0rd42> I can see the light krzie (even though it's still very dark here) :-) thanks a lot. So my problem might be related to a openvopn bug
14:40 -!- theDoc [~Link@173.236.42.46] has joined #openvpn
14:43 -!- bandini [~bandini@host213-105-dynamic.45-79-r.retail.telecomitalia.it] has joined #openvpn
14:47 -!- theDoc [~Link@173.236.42.46] has quit [Changing host]
14:47 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
14:50 -!- s7r [~s7r@188.26.130.218] has quit [Ping timeout: 265 seconds]
14:57 -!- raidzx [~Andrew@seance.openvpn.org] has quit [Read error: Connection reset by peer]
14:58 -!- raidzx [~Andrew@seance.openvpn.org] has joined #openvpn
15:23 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
15:25 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
15:41 -!- SDE [~SDE@li191-210.members.linode.com] has joined #openvpn
15:41 < SDE> Hi
15:41 < SDE> got a quick question guys
15:41 < SDE> where are the OpenVPN log files kept so i can see what site my clients are browsing etc
15:54 -!- SaEeDIRHA [~0mega7@109.162.217.55] has joined #openvpn
16:04 -!- Busch [~michael@109.73.50.57] has joined #openvpn
16:05 -!- SaEeDIRHA [~0mega7@109.162.217.55] has quit [Quit: Leaving]
16:07 < krzie> !logfile
16:07 < vpnHelper> krzie: "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info
16:09 < Busch> my linux openvpn client (my router for my home network) tries to send a icmp echo reply through tun0 interface instead of the real interface eth1 (where icmp echo request comes from). Any ideas?
16:10 < Busch> wrong iptables configuration? "iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun0 -j SNAT --to 10.10.10.14"
16:11 -!- p3rror [~mezgani@adsl196-189-72-206-196.adsl196-3.iam.net.ma] has joined #openvpn
16:14 -!- [1]SDE [~SDE@93-97-41-44.zone5.bethere.co.uk] has joined #openvpn
16:15 -!- SDE [~SDE@li191-210.members.linode.com] has quit [Ping timeout: 255 seconds]
16:15 -!- [1]SDE is now known as SDE
16:30 -!- Busch [~michael@109.73.50.57] has quit [Ping timeout: 272 seconds]
16:39 -!- mattock1 [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
16:42 -!- Busch [~michael@HSI-KBW-109-193-207-246.hsi7.kabel-badenwuerttemberg.de] has joined #openvpn
16:47 -!- Busch [~michael@HSI-KBW-109-193-207-246.hsi7.kabel-badenwuerttemberg.de] has quit [Ping timeout: 245 seconds]
16:47 -!- Busch [~michael@109.73.50.57] has joined #openvpn
16:49 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:50 -!- Sivarts [~Travis@cle-bb-cable2-ws-85.dsl.airstreamcomm.net] has quit [Read error: Operation timed out]
16:54 < krzie> Busch, you must be redirecting gateway
16:55 -!- Sivarts [~Travis@cle-bb-cable2-ws-85.dsl.airstreamcomm.net] has joined #openvpn
16:56 < krzie> see this
16:56 < krzie> https://forums.openvpn.net/viewtopic.php?f=15&t=7163
16:56 < vpnHelper> Title: OpenVPN Support Forum View topic - allow ssh via on non vpn address while vpn is open (at forums.openvpn.net)
17:03 -!- argentineandude [~sdfsdfsdf@190.18.153.197] has joined #openvpn
17:03 -!- Sivarts [~Travis@cle-bb-cable2-ws-85.dsl.airstreamcomm.net] has left #openvpn ["Leaving"]
17:03 < argentineandude> Question: how do i define DNS suffixes properly (several of them) ?
17:04 < argentineandude> -> in OpenVPN, of course (will actually have to do it from a vyatta cli)
17:06 < vpnHelper> RSS Update - forum: Server Administration :: Re: Join Active Directory Domain :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7180&p=8104#p8104>
17:09 < Busch> krzie: a second routing table? oh, thats very complex
17:10 < krzie> i didnt even know about that until his post
17:11 < krzie> even freebsd, my os of choice has supported it for yrs and i didnt know
17:18 < vpnHelper> RSS Update - forum: Authentication Scripts :: Re: Automatically fill in username and password :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=16&t=7093&p=8105#p8105>
17:24 < vpnHelper> RSS Update - forum: Server Administration :: Re: linux bridge and openvpn :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7156&p=8106#p8106> || Server Administration :: Re: draft HOWTO "Use a Windows CA with OpenVPN" :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7173&p=8107#p8107>
17:27 < Busch> krzie: i tried "iptables -A PREROUTING -t mangle -i eth1 -p icmp -j MARK --set-mark 1" but it doesnt work. the openvpn client still answer to tun0 instead of eth1
17:42 < vpnHelper> RSS Update - forum: Server Administration :: Re: draft HOWTO "Use a Windows CA with OpenVPN" :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7173&p=8108#p8108>
17:50 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
18:07 -!- nyne [~ccronin@edge-gw-rwc.silverspringnet.com] has quit [Ping timeout: 260 seconds]
18:24 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: OpenVPN on Laptop and automatically connect/disconnect :: ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7074&p=8109#p8109>
18:41 -!- p3rror [~mezgani@adsl196-189-72-206-196.adsl196-3.iam.net.ma] has quit [Read error: Connection reset by peer]
18:50 < krzie> Busch, see how the OP solved it in his last post
18:53 -!- p3rror [~mezgani@adsl196-41-81-206-196.adsl196-3.iam.net.ma] has joined #openvpn
19:08 -!- londonmet [~offsec@host86-163-54-54.range86-163.btcentralplus.com] has joined #openvpn
19:08 < londonmet> hello
19:09 < londonmet> I am trying to use a conf file to openvpn
19:09 < londonmet> it worked fine and suddenly it is broken
19:09 < londonmet> the error I am getting is
19:10 < londonmet> http://pastebin.com/1ENG2jd9
19:15 -!- p3rror [~mezgani@adsl196-41-81-206-196.adsl196-3.iam.net.ma] has quit [Read error: Connection reset by peer]
19:16 < krzie> use a full path to the file pwbv3.pem
19:16 < krzie> and start as admin / root
19:28 -!- p3rror [~mezgani@adsl196-186-71-206-196.adsl196-3.iam.net.ma] has joined #openvpn
19:30 -!- londonmet [~offsec@host86-163-54-54.range86-163.btcentralplus.com] has quit [Ping timeout: 245 seconds]
19:34 -!- Busch [~michael@109.73.50.57] has quit [Ping timeout: 265 seconds]
19:54 -!- nyne [~ccronin@adsl-71-141-127-109.dsl.snfc21.pacbell.net] has joined #openvpn
19:59 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
20:13 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Ping timeout: 265 seconds]
20:17 -!- nyne [~ccronin@adsl-71-141-127-109.dsl.snfc21.pacbell.net] has quit [Ping timeout: 250 seconds]
20:18 -!- nyne [~ccronin@adsl-71-141-103-214.dsl.snfc21.pacbell.net] has joined #openvpn
20:27 -!- mountainski [~pegg@209-6-64-252.c3-0.abr-ubr1.sbo-abr.ma.cable.rcn.com] has joined #openvpn
20:31 < vpnHelper> RSS Update - forum: Server Administration :: Not Server config, but config nonetheless :: Author Identity <https://forums.openvpn.net/viewtopic.php?f=4&t=7186&p=8111#p8111>
20:33 < mountainski> so I want to set up a bridge so that a win xp client can then set up a public ip on a embeded system, do I need to do anythign special or just create a birdge
20:39 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
20:49 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
21:21 -!- [1]SDE [~SDE@93-97-41-44.zone5.bethere.co.uk] has joined #openvpn
21:22 -!- EmperorT1m [~EmperorTo@174-30-252-228.mpls.qwest.net] has joined #openvpn
21:25 -!- oc80z [oc80z@blea.ch] has quit [Ping timeout: 240 seconds]
21:25 -!- ^scott^ [~scott@stthom.org] has quit [Ping timeout: 240 seconds]
21:25 -!- SDE [~SDE@93-97-41-44.zone5.bethere.co.uk] has quit [Ping timeout: 240 seconds]
21:25 -!- [1]SDE is now known as SDE
21:25 -!- EmperorTom [~EmperorTo@174-30-252-228.mpls.qwest.net] has quit [Ping timeout: 240 seconds]
21:25 -!- oc80z [oc80z@blea.ch] has joined #openvpn
21:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
22:10 -!- nyne [~ccronin@adsl-71-141-103-214.dsl.snfc21.pacbell.net] has quit [Ping timeout: 260 seconds]
22:36 -!- nyne [~ccronin@adsl-71-141-103-214.dsl.snfc21.pacbell.net] has joined #openvpn
23:02 -!- mountainski [~pegg@209-6-64-252.c3-0.abr-ubr1.sbo-abr.ma.cable.rcn.com] has quit [Quit: Leaving]
23:09 -!- p3rror [~mezgani@adsl196-186-71-206-196.adsl196-3.iam.net.ma] has quit [Remote host closed the connection]
23:17 -!- corretico [~luis@201.201.44.82] has joined #openvpn
23:18 -!- ^scott^ [~scott@stthom.org] has joined #openvpn
23:23 -!- WormFood [~wormfood@183.39.100.154] has joined #openvpn
23:24 < WormFood> 大家好
23:27 < WormFood> where can I find the list of differences between 2.1.x and 2.2.x?
23:33 < WormFood> there is no way to change my status version, without killing all my active connections, is there?
23:45 -!- aegis [~aegis@74.102.94.215] has joined #openvpn
23:45 < aegis> OpenVPN is awesome...  My thanks goes out to those of you who have contributed to this incredible software.
--- Day changed Sat Oct 16 2010
00:04 -!- showy [~eagmunoz@190.142.85.97] has joined #openvpn
00:05 < showy> hello, I'm using learn-addres to add and delete iptables entries, when the client connects , the server add the appropiate entry, but when the client disconnect the server doesn't remove the entry
00:06 < showy> my understanding is if the server flush the client from its internal routing table ( the one that you see in the status file ) , the server will call learn-address
00:06 < showy> am i wrong ?
00:07 < showy> forget it , I see the problem, learn-address its not called with username on disconection , so my script its no working 
00:11 -!- nyne [~ccronin@adsl-71-141-103-214.dsl.snfc21.pacbell.net] has quit [Ping timeout: 252 seconds]
00:12 < WormFood> showy, I've been having my share of "fun" writing scripts for OpenVPN
00:12 < showy> lol
00:13 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
00:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
00:36 < WormFood> showy, no joke...I've been writing my latest script in php, believe it or not....sounds crazy, huh?
00:37 < WormFood> I misunderstood what I had read, and was going about doing things the hard way....at least now I've seen where I was wrong, and got everything working well :D
00:38 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
01:19 -!- showy [~eagmunoz@190.142.85.97] has quit [Quit: leaving]
01:21 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
01:55 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
02:03 -!- argentineandude [~sdfsdfsdf@190.18.153.197] has quit [Read error: Operation timed out]
02:04 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
02:15 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 252 seconds]
02:15 -!- theDoc [~Link@173.236.41.35] has joined #openvpn
02:35 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
02:41 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
02:46 -!- f0rd42 [~adieball@p54BE1E39.dip.t-dialin.net] has quit [Remote host closed the connection]
02:48 < takamichi> Anyway seen or familiar with 'ACK output sequence broken' msg's in client logs?
03:01 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
03:30 < WormFood> great! now I got OpenVPN logging client connection data to a database (and to log files, just in case)
03:37 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
04:25 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
05:03 -!- thordon [~sec@ip-88-153-236-190.unitymediagroup.de] has joined #openvpn
05:04 < thordon> hello, together
05:04 < thordon> sorry but i need your help
05:06 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 264 seconds]
05:06 < thordon> in short: i have bridged lan int with tap int. can snoop traffic on lan int an bridge int. but i can not see any traffic going through the tap int
05:08 < thordon> working on freebsd. openvpn 2.31 on freebsd server and same version client win7
05:09 < thordon> i had have it working on client side winxp. but since win7 nothing ..
05:10 < thordon> connection is initiating and i guess that is not the problem
05:12 < thordon> gave the bridge the ip, can tcpdump on lan-int and brigde-int, but not on tap-int. i guess that is the problem?
05:14 < thordon> do you have any suggestions, please
05:14 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
05:16 < thordon> by the way. i have read all of bridge-docs i could find. U are my final try
05:17 < thordon> don't want to downgrade to xp
05:22 -!- pasik [pk@reaktio.net] has joined #openvpn
05:22 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
05:25 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
05:26 < thordon> upsi, i rocognized the whole topic just now
05:36 -!- oskerieet [oskerieet@188-126-70-177.cust.vpntunnel.org] has joined #openvpn
05:42 < oskerieet> is there some easy way to enable autoconnect, and not being asked for the vpn-credentials every time?
05:53 < Cmdr_W_T_Riker> i'm never asked for credentials, as all the certificates are in place, as configured in config files
05:54 < oskerieet> i'm using vpntunnel.se btw
05:55 < oskerieet> i may have found some french guide for enabling it, so i'll stick with google translate and try it
05:56 < oskerieet> brb
05:56 -!- oskerieet [oskerieet@188-126-70-177.cust.vpntunnel.org] has quit []
06:20 < thordon> !welcome
06:20 < vpnHelper> thordon: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:21 < thordon> !goal
06:21 < vpnHelper> thordon: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:22 -!- r0ckY [~johnpatch@dslb-188-099-027-015.pools.arcor-ip.net] has joined #openvpn
06:22 < thordon> in short: i have bridged lan int with tap int. can snoop  traffic on lan int an bridge int. but i can not see any  traffic going through the tap int
06:22 < thordon> in short: i have bridged lan int with tap int. can snoop  traffic on lan int an bridge int. but i can not see any  traffic going through the tap int
06:22 < thordon> in short: i have bridged lan int with tap int. can snoop  traffic on lan int an bridge int. but i can not see any  traffic going through the tap int
06:22 < thordon> ups, sorry
06:22 -!- oskerieet [oskerieet@178-73-211-130.cust.vpntunnel.org] has joined #openvpn
06:23 < oskerieet> yeah, now it works :)
06:23 < thordon> you could name me 3 times man
06:23 < thordon> or spamevil, even
06:33 -!- sypher [~sypher@host180-86-dynamic.54-82-r.retail.telecomitalia.it] has quit [Quit: This computer has gone to sleep]
06:40 < thordon> my server system is freebsd 8.0
06:40 < thordon> client is win7
06:41 < thordon> behind a fritz.box router/modem (cable)
06:41 < thordon> this is my lan default gateway
06:42 < thordon> f***, the main problem exist since win7. i had gave up last year, but now i have to get it working. +sick*
06:44 < g0tcha> im giving up on openvpn :/
06:44 < g0tcha> i cant get it to work .. they connect to the vpn fine but cant get online or ping the vpn server ip and ive been at it for days with no luck
06:46 < thordon> g0tcha: he, same problem. i had worked with winxp clients, but on win7 - nothing. i have tried so many things and read every howto or man page i could get. no ping anyway. no firewall .. no nothing. drive me crazy. but i wish layer 2 networking
06:47 < g0tcha> i tried with ubuntu, winxp and win7 as clients with no luck at all
06:47 < thordon> and i will NOT give up till i die ;)
06:48 < g0tcha> ive been at it for a very long time.. i dont think i can do it without someone holding my hand to get it done
06:49 < thordon> what are your systems ? client / server. maybee i can help out
06:49 < thordon> what is your mode tap/tun ?
06:51 < g0tcha> right now, ubuntu as a server and winxp/win7 as clients im testing with
06:51 < g0tcha> im using "tun" i think
06:53 < thordon> you think ? what does your config says ? 
06:53 < thordon> on both, client and server 
06:55 < g0tcha> thordon, it is set to tun on both
06:55 < thordon> ok. and client is getting an ip from dhcp or from openvpn ?
06:56 < g0tcha> yes it does
06:56 < g0tcha> getting ip 10.0.1.6
06:56 < g0tcha> and i cant ping 10.0.1.1
06:56 < thordon> from dhcp or openvpn ?
06:56 < g0tcha> let me show you the ipconfig after i connect
06:56 < g0tcha> from openvpn
06:59 < thordon> what is your network on the server?
07:00 < g0tcha> i think it has a problem witht he dns server, im not sure
07:00 < g0tcha> what do you mean what is my network on the server?
07:00 < thordon> do you have switched on ip.forward on server side ?
07:00 < g0tcha> this is the ipconfig from the client http://www.pastebin.com/1y25fwHM
07:00 < thordon> dns has nothing to do with ping
07:01 < g0tcha> thordon, hmm imnot sure if i did the ip.forward on the server side
07:01 < g0tcha> the server IS behind a router, yes
07:01 < g0tcha> i have port 1194 forwarded and it works fine
07:02 < thordon> do you see the connect from the client in your openvpn.log ?
07:02 < g0tcha> the server?
07:03 < thordon> sysctl net.ipv4.ip_forward
07:03 < thordon> ?
07:04 < g0tcha> this is the server log: http://pastebin.com/LWdQ0UYG
07:07 < thordon> Connection refused. but you have started openvpn as root ?
07:07 < thordon> what tells you: sysctl net.ipv4.ip_forward
07:08 < g0tcha> yeah as root
07:08 < g0tcha> root@Server-lap:/etc/openvpn# sysctl net.ipv4.ip_forward
07:08 < g0tcha> net.ipv4.ip_forward = 1
07:09 < thordon> ok
07:09 -!- r0ckY [~johnpatch@dslb-188-099-027-015.pools.arcor-ip.net] has quit [Quit: Verlassend]
07:09 < g0tcha> ok i got it
07:09 < g0tcha> one sec
07:10 < g0tcha> hmm
07:10 < g0tcha> vpn works fine now! if i use the ips in the browser
07:10 < g0tcha> it cannot resolve hostnames
07:11 < thordon> this is not necessary. dns is only for resolving names. but if you ping, you ping an ip and no name
07:11 < thordon> tell me your "netstat -rn"
07:12 < thordon> ..but this is done by openvpn, i guess. sorry on the wrong steamer ;)
07:13 < thordon> sorry we have to wait for an expert to solve
07:14 < g0tcha> thordon, netstat http://pastebin.com/JB1MxLpQ
07:14 < thordon> but Connection refused seems not to be an big problem
07:14 < g0tcha> well so far it works like i said but cannot resolve hostnames
07:14 < g0tcha> only with ips
07:15 < g0tcha> ok nm .. now it works with the hostnames as well
07:15 < g0tcha> im getting confused
07:15 < thordon> what it this ? : 10.0.1.4  255.255.255.252
07:15 < thordon> why .252 ?
07:16 < g0tcha> thordon, honestly i do not know.. it shouldnt b like this.. i can show you my server.conf file
07:16 < thordon> you have an mistype in your config, i guess
07:16 < g0tcha> server conf file -> http://pastebin.com/Njf8Svhu
07:18 < thordon> your server is NOT server 10.0.1.0
07:18 < thordon> this a network
07:19 < thordon> your server seems to be 10.0.1.6
07:19 < g0tcha> so it should b like this: server 10.0.1.6 255.255.255.0 ?
07:20 < thordon> and #
07:20 < g0tcha> what?
07:20 < g0tcha> you mean comment it out?!
07:21 < thordon> local 192.168.1.111 , is also wrong. sorry but your config is wrong
07:21 < thordon> so, not comment it out. put the right ip in it
07:22 < g0tcha> i read that if im behind a lan i need to use the local server ip as 'local'
07:22 < thordon> when your lan is 192.xxx than your server has to be in the 192.xx too
07:22 < g0tcha> but wouldnt that conflict with the client network if its using 192.168.1.x as well?
07:23 < thordon> but 10.0.1.0 is no host ip, this is a lan ip
07:24 < thordon> correct. you have to had different lan ip-ranges for openvpn to connect.
07:24 < g0tcha> do you mind if you show me your server conf file?
07:25 < thordon> that will not help you out. i try to use tap and not tun
07:27 < g0tcha> man this is fuckin confusing
07:27 < g0tcha> i didnt change anything and now i can ping the vpn server after i connected to it
07:27 < g0tcha> and ic an go online
07:27 < g0tcha> i can*
07:27 < thordon> not realy
07:27 < g0tcha> what do you mean not really? i didnt change anything so why is it working now?
07:27 < thordon> so your client lan ip-range has to be another than the lan ip-range of your server is
07:28 < thordon> local is your server ip ( not net )
07:28 < g0tcha> hmm i got no idea wat the hell happened but its working fine now with the conf file i showed you
07:29 < g0tcha> well, my 'local' is set to the server ip, 192.168.1.111 is the local server ip in the network
07:30 < thordon> ok. now i am confused too. soory. need to wait for an expert
07:30 < g0tcha> yeah.. this is weird
07:33 < g0tcha> im gonna test with another client and see if it still works or not
07:39 -!- r0ckY [~johnpatch@dslb-188-099-027-015.pools.arcor-ip.net] has joined #openvpn
07:42 < thordon> good luck
07:42 < thordon> U can tell me if it works. i will be here 
07:48 -!- Buklov [~3232@213.138.74.165] has quit [Ping timeout: 264 seconds]
07:57 < g0tcha> thordon, thanks
07:58 < g0tcha> for some reason win7 client doesnt want to pass UDPv4 link remote: 62.203.202.74:1194
08:04 < thordon> g0tcha: mmh. i have my problem only on win7, too
08:05 < g0tcha> thordon, what is the problem youre having with win7 client?
08:06 < g0tcha> which win7 version are you trying with?
08:21 -!- lkthomas_ [~lkthomas@n219077081010.netvigator.com] has joined #openvpn
08:21 < lkthomas_> folks, is it possible to make one instance of openvpn listen on multiple ports ?
08:29 -!- lkthomas_ [~lkthomas@n219077081010.netvigator.com] has quit [Remote host closed the connection]
08:29 -!- lkthomas_ [~lkthomas@184-106-137-103.static.cloud-ips.com] has joined #openvpn
08:30 -!- lkthomas__ [~lkthomas@n219077081010.netvigator.com] has joined #openvpn
08:32 -!- EmperorT1m [~EmperorTo@174-30-252-228.mpls.qwest.net] has quit [Quit: Lost terminal]
08:32 < |Mike|> lkthomas__: why would you like to do that?
08:33 < lkthomas__> because ports we provided might blocked on client side
08:33 < |Mike|> might...
08:34 -!- lkthomas_ [~lkthomas@184-106-137-103.static.cloud-ips.com] has quit [Ping timeout: 240 seconds]
08:34 < |Mike|> if they block 1194, they might block other ports a swell ;)
08:36 < lkthomas__> depends
08:58 -!- lkthomas__ [~lkthomas@n219077081010.netvigator.com] has quit [Ping timeout: 252 seconds]
09:07 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
09:17 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 276 seconds]
09:28 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
09:31 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
09:31 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Client Quit]
09:33 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
09:43 < thordon> anyone awake who would like to help me out here ?
10:01 < thordon> 3 
10:09 -!- theDoc [~Link@173.236.41.35] has quit [Ping timeout: 265 seconds]
10:09 -!- oskerieet [oskerieet@178-73-211-130.cust.vpntunnel.org] has left #openvpn []
10:21 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Read error: Operation timed out]
10:21 < krzie> [09:32]  <|Mike|> lkthomas__: why would you like to do that?
10:22 < krzie> |Mike|, you wouldnt like that feature too!?
10:22 < krzie> shit, i dont wanna know why he does... i wanna know why you dont
10:23 < krzie> https://forums.openvpn.net/viewtopic.php?f=10&t=383
10:23 < vpnHelper> Title: OpenVPN Support Forum View topic - bind to multiple ports (at forums.openvpn.net)
10:28 < vpnHelper> RSS Update - forum: Server Administration :: Re: linux bridge and openvpn :: Reply by somms <https://forums.openvpn.net/viewtopic.php?f=4&t=7156&p=8110#p8110>
10:31 -!- kraut_ [~kraut@blackhole.netzdeponie.de] has joined #openvpn
10:31 -!- kraut_ [~kraut@blackhole.netzdeponie.de] has quit [Client Quit]
10:37 < thordon> i can sniff traffic on physical int and on bridge self, but not on virtual tap int. is this correct ?
10:37 < thordon> using tcpdump
10:39 < thordon> i am on a ignore list ? ^^
10:39 < krzie> false
10:39 < vpnHelper> RSS Update - forum: Server Administration :: Re: linux bridge and openvpn :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7156&p=8112#p8112>
10:40 < krzie> you can sniff tun/tap no problem
10:57 < kisom> tcpdump -i tap0 host x.y.z.a
10:57 < kisom> my most used argument together with tcpdump
11:05 -!- WormFood [~wormfood@183.39.100.154] has quit [Ping timeout: 272 seconds]
11:16 -!- cpm [~Chip@dns1.daviswv.net] has joined #openvpn
11:16 -!- cpm [~Chip@dns1.daviswv.net] has quit [Changing host]
11:16 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
11:18 -!- WormFood [~wormfood@183.38.12.37] has joined #openvpn
11:19 < thordon> krzie: thank you. what can be the problem if it does not work
11:19 < WormFood> This is weird. In my openvpn-status.log file, one of my "Common Name"s is set to UNDEF, and it was properly set before. Any idea what causes that?
11:21 < thordon> krzie: but, sorry this post is not an answer of my question, why i can't sniff tap device, but bridge and pysical int works
11:21 < vpnHelper> RSS Update - forum: Scripting and Customizations :: How does openvpn. ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7187&p=8113#p8113>
11:22 < thordon> i have switched ip.forward on
11:22 < thordon> i really does not understand this 
11:22 < thordon> it says, WARNING no IPc4 Address assigned.
11:23 < thordon> why does the bridge not assigned an address to tap0 ?
11:23 < thordon> or have manually assign an address to tap0 ?
11:23 < thordon> +i even
11:24 < thordon> i have understood, that i bride the bridge int with pysical int an virtual int tap0 and assign an address to the bridge
11:24 < thordon> is this right ?
11:28 < thordon> ups, i guess my "d" is not working properly ^^ - sorry
11:34 < thordon> is it possible that my local ip.ip.ip.ip ist the same as the first statement in server-bridge ip.ip.ip.ip mask first.lease last.lease ?
11:49 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Now with extra fish!]
11:50 -!- Busch [~michael@109.73.50.57] has joined #openvpn
11:56 -!- Docteh [~mage@24.86.236.78] has left #openvpn []
12:14 -!- p3rror [~mezgani@adsl196-15-89-206-196.adsl196-3.iam.net.ma] has joined #openvpn
12:16 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
12:34 -!- r0ckY2 [~johnpatch@dslb-188-099-109-241.pools.arcor-ip.net] has joined #openvpn
12:37 -!- r0ckY [~johnpatch@dslb-188-099-027-015.pools.arcor-ip.net] has quit [Ping timeout: 240 seconds]
12:39 -!- sypher [~sypher@host180-86-dynamic.54-82-r.retail.telecomitalia.it] has joined #openvpn
13:14 -!- Busch [~michael@109.73.50.57] has quit [Ping timeout: 264 seconds]
13:19 -!- Busch [~michael@109.73.50.57] has joined #openvpn
13:32 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
13:47 -!- iElectric [~iElectric@84-255-205-5.static.t-2.net] has joined #openvpn
13:47 < iElectric> hey, can somebody explain what happens when using UDP and packet loss happens?
13:47 -!- Busch [~michael@109.73.50.57] has quit [Ping timeout: 272 seconds]
13:47 < iElectric> does openvpn resend the packets?
13:53 < Bushmills> the tunneled - supposedly tcp - connection will detect the missing packet and request a retransmit
14:11 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
14:12 < ecrist> iElectric: UDP is best-effort, it's the responsibility of the recieving end to request retrasmit for bad/missing packets
14:32 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has joined #openvpn
14:40 < iElectric> so UDP is just a tunnel, the over that it's normally TCP?
14:44 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
15:01 < r0ckY2> hi, i have a basic question ... when i'm using the tap driver (bridged mode) i need to assign the tap interface an ip. furthermore the ip should be in the same range as the ip of the lan interface itself. is this right, so far?
15:03 < r0ckY2> or can i also assign the ip adress of the lan interface to the tap interface? because i dont see the point to assign the tap interface its own ip
15:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
15:16 <@cron2> r0ckY2: don't use tap
15:16 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
15:17 <@cron2> (if you need to ask these questions, you don't need to use tap - and if there is no need, tun is the better choice)
15:28 <@cron2> but to answer the question anyway - you can use to together with linux bridging, so the *bridge* interface gets an IP address, and neither lan nor tap (because they are part of the bridge).  You can run tap as a dedicated interface, with no briding, and in that case tap needs to have a *different* IP address than "lan"
15:28 <@cron2> or you can run tap together with linux bridging, and give *neither* bridge nor lan nor tap an IP address (and just bridge)
15:29 < r0ckY2> ok, thanks, i guess i need tap, because i need broadcasts
15:29 < r0ckY2> want to play some lan games and stuff over vpn
15:29 <@cron2> so whether or not tap needs an IP adress, and what its relationship to lan on server and lan on client is, completely depends on the setup used - tap is powerful, and complex
15:30 <@cron2> there are still games that are lan only?  surprising
15:30 < r0ckY2> nope, they arent lan only
15:30 < r0ckY2> however i want to play them over lan, wc3 for example ;) 
15:31 < r0ckY2> its not that laggy over lan, because it sends some more packages in the lan mode, then it does in the internet mode
15:32 <@cron2> do you want to play with other people in the LAN?  If yes, you need bridging, and the IP address goes to the bridge interface on the server
15:33 < r0ckY2> yes, for instance
15:33 < r0ckY2> ill figure it out, wasn't quite sure what briding actually does
15:33 < r0ckY2> but its quite powerful
15:34 <@cron2> in most circumstances, tun just does the job, and tap brings in lots of extra "do I need to do *this* or *that*?" questions
15:34 <@cron2> bridging will tie the "lan" and "tap" interfaces together, as if coupled by an ethernet switch
15:34 < r0ckY2> sure, but its more professional :)
15:35 < r0ckY2> but another question i have is the following: im running openvpn on an openwrt enabled device, which calls the whole switch "eth0", so when i bridge my tap device in there, does this mean that every package will get send over the vpn tunnel?
15:36 < r0ckY2> or just broadcasts entering the switch?
15:38 <@cron2> usually these openwrts already bridge wifi und wired ethernet to something called "br-lan", so you need to add the tap interface to *that* bridge-group
15:39 <@cron2> the linux bridging code is smart enought to know what packets need to go where - broadcasts go everywhere, and packets destined to MAC-addresses "on the other side" also, but nothing else - as an ethernet switch
15:40 < r0ckY2> ok, that was my question
15:40 < r0ckY2> because i didnt know how smart these bridge would be ;)
15:40 < r0ckY2> would be a disaster when every package would get everywhere ;)
16:13 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
16:15 -!- TheEliteITguyTI9 [~TheEliteI@adsl-0-172-32.jan.bellsouth.net] has joined #openvpn
16:15 < TheEliteITguyTI9> hello, mind if ask a question?
16:16 < TheEliteITguyTI9> please.
16:17 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:18 < TheEliteITguyTI9> i've installed OpenVPN client
16:18 < TheEliteITguyTI9> but i'm not sure how one gets a user account or a ip 2 a server
16:18 < TheEliteITguyTI9> i'm downloading the server version of the software. Must I run a server to get the 2
16:18 < TheEliteITguyTI9> free accounts?
16:27 < TheEliteITguyTI9> everyone sleeping?
16:28 < ecrist> yeah, many are doing other things
16:28 < ecrist> if you're using access server, we don't support that here, we support the open source project, though.
16:32 < TheEliteITguyTI9> hello
16:33 < TheEliteITguyTI9> okay so, i can't get a server ip and user name and password? i was hoping i could for free
16:34 < TheEliteITguyTI9> i'm guessing this is for running your own vpn? and not a free service?
16:35 -!- r0ckY2 [~johnpatch@dslb-188-099-109-241.pools.arcor-ip.net] has quit [Read error: Connection reset by peer]
17:02 < ecrist> no, this isn't a free service
17:02 < ecrist> this is to run your own
17:09 -!- TheEliteITguyTI9 [~TheEliteI@adsl-0-172-32.jan.bellsouth.net] has quit [Ping timeout: 260 seconds]
17:15 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
17:43 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has quit [Read error: Connection reset by peer]
17:53 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has joined #openvpn
17:54 -!- Busch [~michael@109.73.50.57] has joined #openvpn
17:56 -!- sc [~sc@unaffiliated/asgw] has quit [Ping timeout: 245 seconds]
17:57 -!- sc [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has joined #openvpn
18:16 -!- bandini [~bandini@host213-105-dynamic.45-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
18:36 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined #openvpn
18:48 -!- cpm [~Chip@dns1.daviswv.net] has joined #openvpn
18:48 -!- cpm [~Chip@dns1.daviswv.net] has quit [Changing host]
18:48 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
18:51 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 252 seconds]
18:56 -!- Busch [~michael@109.73.50.57] has quit [Quit: Leaving]
19:08 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
19:21 -!- nyne [~ccronin@adsl-71-141-103-214.dsl.snfc21.pacbell.net] has joined #openvpn
19:36 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
19:43 < Patt> Why isnt there an OpenVPN windows server?
20:13 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
20:20 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
20:48 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 245 seconds]
20:58 -!- nyne [~ccronin@adsl-71-141-103-214.dsl.snfc21.pacbell.net] has quit [Ping timeout: 264 seconds]
21:00 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
21:04 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
21:26 -!- nyne [~ccronin@nynex.techrebels.com] has joined #openvpn
21:35 -!- nyne [~ccronin@nynex.techrebels.com] has quit [Ping timeout: 240 seconds]
21:38 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Ping timeout: 240 seconds]
22:18 < krzee> Patt,
22:18 < krzee> !download
22:18 < vpnHelper> krzee: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
22:19 < krzee> openvpn runs fine on windows
22:19 < Patt> hm
22:19 < Patt> oh
22:19 < Patt> what about the OpenVPN server
22:19 < Patt> not just the client
22:19 < krzee> there is no difference between client / server software
22:19 < Patt> ohh
22:19 < Patt> thanks!
22:19 < krzee> at least for the open source community version
22:20 < krzee> if you want access server, i cannot answer... as there is professional support for that
22:20 < krzee> !AS
22:20 < vpnHelper> krzee: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
22:20 < vpnHelper> krzee: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
22:20 < krzee> see #4
22:20 < krzee> thats what the "openvpn client" is on the front page of the website
22:20 < Patt> I just want an OpenVPN server running at home and a client for me to connect to
22:21 < krzee> sounds like you want the community version
22:21 < Patt> ok
22:21 < krzee> so what i said first stands
22:21 < Patt> that answers my question
22:21 < Patt> Thanks!
22:21 < krzee> np =]
22:49 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has quit [Read error: Connection reset by peer]
22:55 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 250 seconds]
23:17 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
23:17 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
23:17 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
23:28 -!- variable [~variable@unaffiliated/variable] has joined #openvpn
23:39 -!- s7r [~s7r@188.26.135.59] has joined #openvpn
--- Day changed Sun Oct 17 2010
00:31 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has quit [Ping timeout: 240 seconds]
00:33 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined #openvpn
00:47 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
00:58 -!- elan61nine [48c09d39@gateway/web/freenode/ip.72.192.157.57] has joined #openvpn
00:58 < elan61nine> Hey
01:02 < elan61nine> !goal
01:02 < vpnHelper> elan61nine: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:03 < elan61nine> I would like to access the internet over my dedicated server, what is the proper set up procedure/tutorial?
01:03 -!- corretico [~luis@201.201.44.82] has quit [Remote host closed the connection]
01:07 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
01:08 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
01:14 < Bushmills> !redirect
01:14 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
01:25 < elan61nine> !def1
01:25 < vpnHelper> elan61nine: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
01:26 < elan61nine> is there any way to run openssl without root?
01:26 < elan61nine> i need to make something like a socks proxy
01:26 < elan61nine> !ipforward
01:26 < vpnHelper> elan61nine: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
01:27 < elan61nine> !linipforward
01:27 < vpnHelper> elan61nine: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
01:28 < elan61nine> what does setting this to 1 do?
01:28 < elan61nine> !nat
01:28 < vpnHelper> elan61nine: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
01:29 < elan61nine> I am confused
01:29 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
01:30 < elan61nine> How so I set up a openvpn server on my dedciated box so that I can access the internet securely from a unsecured wireless connection?
01:32 < elan61nine> can anyone help?
01:33 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 260 seconds]
01:36 < krzie> !redirect
01:36 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
01:39 < elan61nine> i really don't get it
01:39 < elan61nine> are these iptable rules I need to set up?
01:39 < Bushmills> with linux, yes
01:39 < Bushmills> for NAT
01:40 < Bushmills> ip forwarding is done in OS config, redirect-gateway in openvpn config
01:41 < Bushmills> on vpn server, all three of them
01:54 -!- Friar [~nathan@188-193-248-101-dynip.superkabel.de] has joined #openvpn
01:55 < Friar> hi, I'm having some problems getting openvpn going and could use some help.
01:57 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
01:58 -!- Friar [~nathan@188-193-248-101-dynip.superkabel.de] has quit [Quit: Leaving]
02:00 -!- Friar [~nathan@188-193-248-101-dynip.superkabel.de] has joined #openvpn
02:02 -!- Friar [~nathan@188-193-248-101-dynip.superkabel.de] has quit [Client Quit]
02:26 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined #openvpn
03:02 < Bushmills> !howto
03:02 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:04 -!- f0rd42 [~adieball@p54BE348F.dip.t-dialin.net] has joined #openvpn
03:05 -!- f0rd42 [~adieball@p54BE348F.dip.t-dialin.net] has quit [Remote host closed the connection]
03:21 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
03:37 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Operation timed out]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:41 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: OpenVPN on Laptop and automatically connect/disconnect :: ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7074&p=8114#p8114>
03:41 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Read error: Connection reset by peer]
03:50 -!- p3rror [~mezgani@adsl196-15-89-206-196.adsl196-3.iam.net.ma] has quit [Ping timeout: 245 seconds]
03:57 -!- sigi__ [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
04:03 -!- p3rror [~mezgani@adsl196-11-78-206-196.adsl196-3.iam.net.ma] has joined #openvpn
04:03 < thordon> is somebody awake, how wants to help me out, just for 1,2 questions =
04:05 < elan61nine> too late
04:05 -!- elan61nine [48c09d39@gateway/web/freenode/ip.72.192.157.57] has quit []
04:06 < Bushmills> that's what one gets from not asking :)
04:06  * Bushmills afk too now
04:07 < thordon> mmh, staying here since 2 days now. just asking for 2 questions
04:07 < thordon> ... 
04:19 <@cron2> thordon: well, what about "just asking"?
05:04 -!- p3rror [~mezgani@adsl196-11-78-206-196.adsl196-3.iam.net.ma] has quit [Ping timeout: 245 seconds]
05:11 -!- sigi [~sigius@93.125.185.45] has quit [Quit: Leaving]
05:11 -!- sigi__ [~sigius@93-125-185-45.dsl.alice.nl] has quit [Quit: Leaving]
05:18 -!- p3rror [~mezgani@adsl196-137-84-206-196.adsl196-3.iam.net.ma] has joined #openvpn
05:31 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
05:46 -!- p3rror [~mezgani@adsl196-137-84-206-196.adsl196-3.iam.net.ma] has quit [Read error: Connection reset by peer]
05:47 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Remote host closed the connection]
05:57 < g0tcha> hmm
05:58 < g0tcha> for some reason the vpn only works if i set the ips to static ips on the client machine
05:58 < g0tcha> if i set the local area network to use dhcp, it will connect but wont get online
05:59 -!- p3rror [~mezgani@adsl196-74-89-206-196.adsl196-3.iam.net.ma] has joined #openvpn
06:10 -!- sc [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has quit [Ping timeout: 276 seconds]
06:11 -!- sc [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has joined #openvpn
06:13 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined #openvpn
06:14 -!- cpm [~Chip@dns1.daviswv.net] has joined #openvpn
06:14 -!- cpm [~Chip@dns1.daviswv.net] has quit [Changing host]
06:14 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:16 -!- p3rror [~mezgani@adsl196-74-89-206-196.adsl196-3.iam.net.ma] has quit [Ping timeout: 245 seconds]
06:27 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
06:28 -!- p3rror [~mezgani@adsl196-90-78-206-196.adsl196-3.iam.net.ma] has joined #openvpn
06:31 -!- g0tcha` [~efnet@167-122.105-92.cust.bluewin.ch] has joined #openvpn
06:33 -!- g0tcha [~efnet@167-122.105-92.cust.bluewin.ch] has quit [Ping timeout: 252 seconds]
06:39 -!- SDE [~SDE@93-97-41-44.zone5.bethere.co.uk] has quit [Ping timeout: 250 seconds]
06:46 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
06:48 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
07:07 -!- SDE [~SDE@93-97-41-44.zone5.bethere.co.uk] has joined #openvpn
07:12 -!- s7r [~s7r@188.26.135.59] has quit []
07:15 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
07:18 < g0tcha`> is it normal for 2 clients to have 2 different dhcp servers listed under ipconfig?
07:22 < thordon> hello g0tcha` 
07:22 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
07:23 < g0tcha`> sup thordon
07:23 < thordon> sorry what does "sup" mean ?
07:23 < g0tcha`> apperantly win7 is not friendly with openvpn client :p
07:23 < g0tcha`> just saying whats up
07:23 < thordon> g0tcha`: yes this is exactly my problem
07:23 < g0tcha`> thanks for making me type it again heheh
07:24 < thordon> nop
07:24 < g0tcha`> whats your problem again with windows 7?
07:24 < g0tcha`> my problem is it does not get the gateway from the vpn
07:24 < g0tcha`> so it doesnt get online
07:25 < thordon> i had have a working openvpn in tap-mode with xp-clients, but not with win7 clients
07:25 < g0tcha`> what happens when you try to connect in win7?
07:27 < thordon> i guess this is a routing problem in win7 ... maybee the metrik
07:31 < thordon> what does "nameserver: not found" mean when i starting openvpn
07:31 < g0tcha`> thordon, can you show me the win7 client log and your netstat -rn ?
07:31 < g0tcha`> just wanna compare with mine
07:31 < thordon> my nameserver IS working
07:33 < thordon> g0tcha`: for this i have to call my friend to test it. this takes times
07:33 < g0tcha`> ow ok
07:33 < g0tcha`> i have the vpn server running from the office
07:34 < g0tcha`> so i can try with the clients from here
07:36 < thordon> i have just 2,3 questions and nobody here to answere.. sick
07:37 < g0tcha`> really?
07:37 < g0tcha`> weird
07:37 < g0tcha`> usually there are ppl here and they are pretty helpful
07:38 < g0tcha`> maybe youre just jynxed :p
07:47 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Chicks dig it]
07:48 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 255 seconds]
07:53 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
07:59 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has joined #openvpn
08:25 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 272 seconds]
08:28 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
08:33 -!- g0tcha` [~efnet@167-122.105-92.cust.bluewin.ch] has quit []
08:36 < thordon> usually..
08:43 -!- Friar [~nathan@188-193-248-101-dynip.superkabel.de] has joined #openvpn
08:44 < Friar> I have open vpn server on a server at home, and I have openvpn on ubuntu 10.10. I can't seem to get it to connect. I keep getting a connection time out error.
08:53 -!- g0tcha [~efnet@167-122.105-92.cust.bluewin.ch] has joined #openvpn
08:54 -!- g0tcha is now known as g0tcha`
09:17 -!- sikor_sxe [~sikor_sxe@144.41.253.148] has joined #openvpn
09:18 < sikor_sxe> hello, is there a way to automate the keyfile password input for openvpn server init scripts?
09:18 < sikor_sxe> openvpn < mypasswordfile does not seem to work
09:35 -!- sikor_sxe [~sikor_sxe@144.41.253.148] has left #openvpn []
10:09 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left #openvpn []
10:20 -!- sangcoi [7b165e5e@gateway/web/freenode/ip.123.22.94.94] has joined #openvpn
10:22 < sangcoi> Hi all, i need your help
10:24 < sangcoi> !welcome
10:24 < vpnHelper> sangcoi: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:24 < sangcoi> !goal
10:24 < vpnHelper> sangcoi: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:25 < sangcoi> i want use openvpn as a hotspot
10:25 < sangcoi> !goal i want use openvpn as a hotspot
10:25 < vpnHelper> sangcoi: Error: "goal" is not a valid command.
10:26 < sangcoi> !howto
10:26 < vpnHelper> sangcoi: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:26 -!- sangcoi [7b165e5e@gateway/web/freenode/ip.123.22.94.94] has quit [Quit: Page closed]
10:32 < kisom> sandefine "hotspot"?
10:32 < kisom> nvm
10:39 < vpnHelper> RSS Update - forum: Server Administration :: Max simultaneous client connections :: Author swautier <https://forums.openvpn.net/viewtopic.php?f=4&t=7188&p=8115#p8115>
10:48 -!- iElectric [~iElectric@84-255-205-5.static.t-2.net] has left #openvpn []
10:56 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
11:04 -!- WormFood [~wormfood@183.38.12.37] has quit [Ping timeout: 240 seconds]
11:17 -!- WormFood [~wormfood@183.38.12.154] has joined #openvpn
11:54 < thordon> anyone willing to answer to 2 Questions ?
11:55 < thordon> staying here since the whole weekend, an help is appreciated
11:55 < thordon> +y even
11:59 <@cron2> thordon: we're waiting for you to actually *ask* the questions
12:00 <@cron2> (well, the first question has already been used up :) )
12:18 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
12:18 < fahmad> hey
12:19 < fahmad> can some one tell me how can i block traffic b/w connected vpn clients ?
12:19 <@cron2> unset client-to-client on the server (which makes the traffic go to the linux side on the server) and set up iptables there
12:20 < fahmad> ok
12:20 < fahmad> thanks 
12:20 < fahmad> :0
12:29 < g0tcha`> cron2, i got my openvpn running and working, but i want the client to not be able to get online unless the connection is established to openvpn
12:29 < g0tcha`> do you know how to get this done?
12:35 -!- Xen^ [~linux@vpn.server4sale.com] has joined #openvpn
12:38 -!- fahmad [~linux@unaffiliated/fahmad] has quit [Ping timeout: 250 seconds]
12:38 -!- Xen^ is now known as fahmad
12:38 -!- fahmad [~linux@vpn.server4sale.com] has quit [Changing host]
12:38 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
12:38  * ecrist waves
12:42 <@cron2> g0tcha: not from "within openvpn" - you could install local firewall rules on the client that disallow outbound traffic on the LAN except to the openvpn server.  Or something like that.
12:43 < krzee> he just doesnt use def1 in his redirect-gateway
12:44 < krzee> then as long as he has connected 1x, he will not have a default route to inet unless connected
12:44 < ecrist> hey krzee 
12:44 < krzee> (i have said this numerous times already)
12:44 < krzee> hey eric, hows it goin?
12:44 < ecrist> :)
12:44 < g0tcha`> krzee, i do not have def1
12:44 < g0tcha`> and i connected multiple times to the vpn fine this time
12:45 < g0tcha`> i can still access the browser when the openvpn connection is down
12:49 < krzee> g0tcha`, show me routing table before and after connecting to the vpn
12:49 < krzee> what OS is it?
12:49 <@cron2> krzee: whatever you configure *in* openvpn will not prevent browser connections *before openvpn starts*
12:50 < krzee> not *before*, but if he connects 1x, and wipes his default route while doing it, he wont have inet access if he somehow gets disconnected
12:50 < fahmad> cron2: i disabled client-to-client but i can still ping ...
12:51 < krzee> !c2c
12:51 < vpnHelper> krzee: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
12:51 < vpnHelper> krzee: behind other clients
12:51 < krzee> ^ @ fahmad 
12:51 <@cron2> fahmad: you need to add iptables rules to the server's tun device to prevent client-to-client
12:51 <@cron2> without fw rules, communication is still possible
12:52 < fahmad> ok
12:52 <@cron2> krzee: yes, indeed.  But if he destroys his default route, it will be hard to bring back openvpn...
12:52 < krzee> cron2, not true, before wiping default gateway it makes a route to the vpn server, otherwise there would BE no vpn when using redirect-gateway
12:57 -!- sc [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has quit [Ping timeout: 240 seconds]
13:11 -!- sc [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has joined #openvpn
13:13 -!- sypher [~sypher@host180-86-dynamic.54-82-r.retail.telecomitalia.it] has quit [Quit: This computer has gone to sleep]
13:19 < vpnHelper> RSS Update - forum: Server Administration :: IP address lease 0.0.0.0 has been denied :: Author libove <https://forums.openvpn.net/viewtopic.php?f=4&t=7189&p=8116#p8116>
13:21 < g0tcha`> krzee, the OS's are winxp and win7.. the client.. unfortunatly for some reason the vpn server im testing with and running from a different location went offline so i cant test right now
13:21 < krzee> hehehe, maybe it worked ;]
13:34 < g0tcha`> krzee, cant tell if youre being sarcastic or serious :p
13:35 < krzee> lil of each ;]
13:40 < g0tcha`> haha
13:40 < g0tcha`> well, i hope its not the vpn =)
13:40 < g0tcha`> cuz it worked for few hours fine earlier and i cant access another computer in the office remotely too
13:40 < g0tcha`> so either the vpn screwed up the whole network (can it do that?) or something went wrong there
13:43 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
13:46 < Bushmills> well, openvpn has been known to make stars explode when not used properly 
13:59 -!- variable [~variable@unaffiliated/variable] has quit [Ping timeout: 264 seconds]
14:00 -!- Friar [~nathan@188-193-248-101-dynip.superkabel.de] has quit [Quit: Leaving]
14:03 < g0tcha`> lets not tell osama about openvpn then!
14:10 < Bushmills> it takes a lot of skill to improperly use it that way
14:12 < krzee> g0tcha`, is openvpn (client config) running on the gateway for that network?
14:12 < krzee> because if so... as i understand it that is your goal (when the vpn is down, no inet access)
14:14 < Bushmills> why not firewall any outgoing packet which doesn't go to either ip address:openvpn port of openvpn server or to tun device? 
14:15 < krzee> that also works
14:17 < Bushmills> may leave the option open to also allow outgoing ssh, to fix remote openvpn problems :)
14:37 -!- gyyg [~mike@96-36-48-82.static.aldl-nbb.mi.charter.com] has joined #openvpn
14:37 < gyyg> hello
14:37 < gyyg> I am having trouble connecting to an open vpn server
14:37 < gyyg> http://pastebin.com/FU8fByt1
14:37 < g0tcha`> you mean on the client side, block all connections except the one coming from thevpn?
14:38 < reiffert> !howto
14:38 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:41 < Bushmills> no, i mean  firewall any outgoing packet which doesn't go to either ip address:openvpn port of openvpn server or to tun device
14:42 < Bushmills> hm. strange. that's pretty much what i wrote above.
14:43 < Bushmills> i am sorry to have expressed that in such a way that you thought that firewalling  any outgoing packet which doesn't go to either ip address:openvpn port of openvpn server or to tun device could be mistaken as  blocking all connections except the one coming from thevpn
14:45 < Bushmills> but by "outgoing" i meant, "leaving", rather the opposite of "coming"
14:46 -!- sypher [~sypher@host180-86-dynamic.54-82-r.retail.telecomitalia.it] has joined #openvpn
14:53 -!- sypher [~sypher@host180-86-dynamic.54-82-r.retail.telecomitalia.it] has quit [Quit: Leaving]
14:53 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
14:55 -!- slidercrank [~tehnik@pi.cbx.ru] has joined #openvpn
14:57 < slidercrank> hi there. is it possible to use openvpn as a replacement to pptpd (there is no pptpd in my distro) ?
15:00 < Bushmills> not as replacement in the sense of being talked to by pptp clients
15:01 < Bushmills> for using openvpn on the server side, you also need openvpn on the client side
15:01 < Bushmills> !pptp
15:01 < vpnHelper> Bushmills: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to
15:01 < vpnHelper> Bushmills: read about why to not use pptp
15:04 < slidercrank> Bushmills, do you know any other program to replace pptpd?
15:06 < slidercrank> I need to setup a vpn server on a Linux host so that windows clients could connect to me (w/o installing anything on Windows)
15:07 < Bushmills> no idea. ask on #pptp
15:07 < slidercrank> thanks
15:15 -!- slidercrank [~tehnik@pi.cbx.ru] has left #openvpn ["Leaving"]
15:19 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
15:25 -!- variable [~variable@unaffiliated/variable] has joined #openvpn
15:39 -!- sc [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has quit [Ping timeout: 245 seconds]
16:06 -!- Netsplit *.net <-> *.split quits: Deffie
16:06 -!- Netsplit over, joins: Deffie
16:24 -!- patchie [~sdf@136.81-167-201.customer.lyse.net] has joined #openvpn
16:24 < patchie> is there a openvpn client for android?
16:27 < Bushmills> if there's openvpn, there's also a client.  same program used for either server or client
16:35 -!- ax_ [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has joined #openvpn
16:40 -!- thordon [~sec@ip-88-153-236-190.unitymediagroup.de] has quit [Ping timeout: 265 seconds]
16:40 -!- thordon [~sec@ip-88-153-236-190.unitymediagroup.de] has joined #openvpn
16:44 -!- SerpentX [~SerpentX@KTNRON06-1176259399.sdsl.bell.ca] has joined #openvpn
16:44 < SerpentX> hellow
16:45 < patchie> Bushmills: thanks:)...i searched for open vpn...not openvpn :)..so i found it:)..
16:45 < Bushmills> !tunortap
16:45 < vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
16:45 < vpnHelper> Bushmills: against you over the vpn, or (#4) lan gaming? use tap!
16:46 < patchie> is it possible/easy to connect 2 vpn servers togather?..
16:47 < Bushmills> connecting like how - what is the purpose of "connecting" them?
16:49 < SerpentX> sorry to drop into the conversation
16:49 < SerpentX> but are you guys suggesting
16:49 < SerpentX> using a openwrt router loaded with openvpn
16:49 < SerpentX> i can connfigure a connection for peers
16:49 < SerpentX> to vpn in and host a LAN game
16:50 < SerpentX> and actually have playable network speeds?
16:50 < SerpentX> say Age of Empires III
16:50 -!- dyer [~voxeojohn@unaffiliated/voxeojohn] has joined #openvpn
16:50 < patchie> Bushmills: if one goes down..and if i want to add people...i can add my friends....and my partner adds his friends
16:50 < dyer> Hello, I have a question, so I have two vpn connections, both on different subnets, and when I have them both up they dont I cant seem to find hosts on one of them
16:51 < dyer> I am sure this has to do w/ routing, but I dont know what changes to make on the client config to address this
16:51 -!- p3rror [~mezgani@adsl196-90-78-206-196.adsl196-3.iam.net.ma] has quit [Ping timeout: 245 seconds]
16:52 < Bushmills> patchie, no use in having them connected when one is down
16:53 < Bushmills> but you can let clients connect to alternative servers if one is down
16:53 < patchie> if they are synk'ed..then the other will act alike?
16:54 < patchie> use the same user/pass and certificationfile..
16:54 < patchie> if i add a user to my server it will sync with his server..
16:54 < Bushmills> depends. if programs on clients try to use services associated with the host name or ip address of one or the other server, being in sync won't be enough
16:55 < patchie> the servers will run no services other then openvpn..
16:56 < krzee> [14:52]  <SerpentX> and actually have playable network speeds?    <-- that depends... if your server is on a 100mbit link i would assume so, lol
16:56 < Bushmills> then they don't need to be in sync, other than allowing connecting to
16:56 < patchie> Bushmills: they must sync the user accounts...and having the same sertification files..
16:57 < Bushmills> openwrt wlan routers are not usually known for their high encryption performance
16:57 < Bushmills> patchie, use multiple  --remote statements
16:58 < dyer> anyone?
16:58 < patchie> aha?..i will look that up...havent tested openvpn server yet...but your telling me this is possible?
16:58 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
16:58 < Bushmills> that's what you specify in client configs
17:00 < patchie> so i have to manually make the same user on both servers?
17:01 < Bushmills> only those users granted access will be admitted
17:02 < Bushmills> just because server A allows user X, server B doesn't do so implicitely
17:03 < patchie> but we want them to be totally sync'ed
17:03 < Bushmills> or i might be able to connect to your server, just because my server admits me :)
17:03 -!- p3rror [~mezgani@adsl196-88-76-206-196.adsl196-3.iam.net.ma] has joined #openvpn
17:03 < kisom> shit, fell asleep on the train
17:03 < patchie> same subnet also...so mine friends connect to my server...and his friends connects to his server..and all computers can play games togather...and share files
17:04 < SerpentX> what about a 6mb/1mb
17:04 < SerpentX> limited to gta2 right?
17:04 < patchie> Bushmills: i only want these two servers to be sync'ed...no other :P
17:04 < kisom> no
17:04 < patchie> Bushmills: you dont have mine certification file :P
17:04 < kisom> most games requires good latency rather than bandwidth
17:05 < kisom> WoW for example uses maybe 2 kbyte a second...
17:06 < patchie> yep..thanks..but that isnt my question right now...i wanna know if its possible...and how easy it is :)
17:06 < kisom> WoW for example uses maybe 2 kbyte a second...
17:06 < patchie> yeah
17:06 < kisom> patchie: the server presents your certificate to ayone who asks ;)
17:07 < patchie> hmm?
17:07 < kisom> anyways, detach!
17:07 -!- gyyg [~mike@96-36-48-82.static.aldl-nbb.mi.charter.com] has quit [Ping timeout: 265 seconds]
17:28 -!- dyer [~voxeojohn@unaffiliated/voxeojohn] has quit [Read error: Connection reset by peer]
17:29 -!- Mika [~MiKa@ip5657a511.direct-adsl.nl] has joined #openvpn
17:29 -!- dyer [~voxeojohn@unaffiliated/voxeojohn] has joined #openvpn
17:30 < Mika> evening someone here use openvpn at slugos ?
17:31 < Mika> it have some timeouts and gave this in the output Mon Oct 18 00:06:16 2010 192.168.1.98:54952 Re-using SSL/TLS context
17:31 < Mika> Mon Oct 18 00:06:17 2010 192.168.1.98:54952 [mika] Peer Connection Initiated with 192.168.1.98:54952
17:43 -!- p3rror [~mezgani@adsl196-88-76-206-196.adsl196-3.iam.net.ma] has quit [Ping timeout: 255 seconds]
17:43 -!- Bam_Bam [~Bam_Bam@unaffiliated/bambam/x-942313] has joined #openvpn
17:44 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
17:53 -!- ax_ [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has quit [Ping timeout: 245 seconds]
17:56 < SerpentX> what's slugos?
17:56 < SerpentX> nm
17:56 -!- p3rror [~mezgani@adsl196-13-69-206-196.adsl196-3.iam.net.ma] has joined #openvpn
18:01 < Bam_Bam> What do I have to do to make it possible to network between devices on the VPN? Do I just need to change the setting that allows computers to see each other?
18:01 < Bam_Bam> hmm, "Your problem is your firewall, really."
18:07 -!- ax_ [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has joined #openvpn
18:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 272 seconds]
18:30 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
18:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
18:44 < |Mike|> krzee: ofc, that would be wonderfull
18:44 < |Mike|> krzee: but I don't need it at all :)
18:46 < krzee> huh?
18:47 < |Mike|> 10/10/18 01:25:45 -!- Irssi: 4 new messages in awaylog:
18:47 < |Mike|> 17:04 #openvpn: < krzie> [09:32]  <|Mike|> lkthomas__: why would you like to do that?
18:47 < |Mike|> 17:04 #openvpn: < krzie> |Mike|, you wouldnt like that feature too!?
18:47 < |Mike|> --- Day changed Sun Oct 17 2010
18:47 < |Mike|> openvpn to bind to multiple ports
18:53 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has quit [Ping timeout: 252 seconds]
18:54 < |Mike|> krzee: cows go?
18:55 < krzee> moo
18:58 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
19:01 < vpnHelper> RSS Update - forum: Scripting and Customizations :: Surfing through VPN Service doesn´t works :: Author SeRpICO <https://forums.openvpn.net/viewtopic.php?f=15&t=7190&p=8117#p8117>
19:16 < |Mike|> krzee: what's up ?
19:34 < krzee> tired as shit, working
19:35 < |Mike|> how late is it over there in cali?
19:35 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has joined #openvpn
19:35 < krzee> i left usa a couple yrs ago
19:36 < krzee> but its about 5:30 over there ;)
19:36 < krzee> pm
19:36 < |Mike|> and your current location?
19:36 < krzee> caribbean
19:40 < |Mike|> I see
19:41 < |Mike|> And that's part of mexico or smt?
19:51 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
19:51 < |Mike|> krzee: ping
19:55 < krzee> pong
19:56 -!- BB` [~Bam_Bam@li125-231.members.linode.com] has joined #openvpn
19:56 -!- BB` is now known as Guest35806
19:59 -!- Bam_Bam [~Bam_Bam@unaffiliated/bambam/x-942313] has quit [Ping timeout: 245 seconds]
19:59 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
19:59 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
19:59 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
20:03 -!- SerpentX [~SerpentX@KTNRON06-1176259399.sdsl.bell.ca] has quit [Ping timeout: 245 seconds]
20:09 -!- SerpentX [~SerpentX@70.28.75.71] has joined #openvpn
20:09 < SerpentX> test
20:17 < SerpentX> test
20:18 -!- SerpentX [~SerpentX@70.28.75.71] has quit [Quit: Leaving]
20:18 -!- SerpentX [~SerpentX@70.28.75.71] has joined #openvpn
20:25 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 240 seconds]
20:39 -!- Dougy_ is now known as Dougy
20:40 -!- Dougy [me@tech.qsi.net] has quit [Changing host]
20:40 -!- Dougy [me@openvpn/community/user/dougy] has joined #openvpn
20:42 < krzee> mike: no, not part of mexico
20:59 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
21:24 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has quit [Remote host closed the connection]
21:30 -!- p3rror [~mezgani@adsl196-13-69-206-196.adsl196-3.iam.net.ma] has quit [Read error: Operation timed out]
21:39 -!- SerpentX [~SerpentX@70.28.75.71] has quit [Quit: Leaving]
21:39 -!- SerpentX [~SerpentX@KTNRON06-1176259399.sdsl.bell.ca] has joined #openvpn
21:46 -!- p3rror [~mezgani@adsl196-112-73-206-196.adsl196-3.iam.net.ma] has joined #openvpn
21:55 -!- p3rror [~mezgani@adsl196-112-73-206-196.adsl196-3.iam.net.ma] has quit [Ping timeout: 245 seconds]
22:07 -!- p3rror [~mezgani@adsl196-137-65-206-196.adsl196-3.iam.net.ma] has joined #openvpn
22:22 < SerpentX> hey?
22:22 < SerpentX> I'm about to start an openvpn install on a openwrt
22:22 < SerpentX> router
22:22 < SerpentX> anyone here to supervise?
22:26 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has quit [Quit: *Poofff* *Gone*]
22:42 < SerpentX> i'm stuck..anyone?
22:50 < krzie> you need to be more specific, lol
22:50 < krzie> !ask
22:50 < vpnHelper> krzie: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/, or (#3) http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help
22:51 < krzie> #3
22:52 < SerpentX> hey
22:52 < SerpentX> sorry
22:52 < SerpentX> ok
22:52 < SerpentX> so i'm setting up a vpn on a dlink 615
22:52 < SerpentX> which is loaded with openwrt
22:52 < SerpentX> i am following this config
22:52 < SerpentX> https://forum.openwrt.org/viewtopic.php?pid=8495
22:52 < vpnHelper> Title: OpenWrt / OpenVPN Howto (at forum.openwrt.org)
22:53 < SerpentX> so i am stuck on the iptables part
22:53 < SerpentX> it is giving me tcp is not valid paramter
22:53 < SerpentX> i think i have to alter the syntax
22:53 < SerpentX> iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
22:53 < SerpentX> bad argument
22:54 < SerpentX> in reference to tcp
22:55 < SerpentX> hmm $WAN
22:55 < SerpentX> i have to name it wan don't i
22:55 < SerpentX> -i eth1 i think mine is
22:55 < SerpentX> is that my issue?
22:56 < SerpentX> acctually
22:56 < SerpentX> i think my wan device is ppp0
22:56 < SerpentX> does that make sence?
22:57 < SerpentX> 2nd QUESTION: i think i errored in the openvpnbridge.sh
22:58 < SerpentX> his bridged lan is called br0
22:58 < SerpentX> i beleive mine is called br-lan
22:58 < SerpentX> it gave this error
22:58 < SerpentX> brctl: bridge br0: No such device
23:06 < krzie> why do you want to bridge?
23:06 < krzie> lan gaming over the vpn?
23:09 < SerpentX> uh
23:09 < SerpentX> quickbooks file
23:09 < SerpentX> access
23:09 < SerpentX> windows share
23:10 < SerpentX> while remote
23:10 < krzie> any of that layer2?
23:10 < krzie> !layer2
23:10 < vpnHelper> krzie: "layer2" is (#1) you are using tap, what specific layer2 protocol do you need to work over the vpn?, or (#2) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#3) protocols that use layer2 communicate by MAC address, not IP address
23:10 < krzie> !tunortap
23:10 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against
23:10 < vpnHelper> krzie: you over the vpn, or (#4) lan gaming? use tap!
23:11 < SerpentX> um
23:11 < SerpentX> i think toward #4
23:11 < krzie> gotchya
23:11 < SerpentX> i think
23:11 < krzie> i cant really help then, i dont do bridges
23:11 < SerpentX> err
23:11 < SerpentX> ok i may not understand exactly what u just said
23:12 < krzie> others do tho, stick around
23:12 < SerpentX> i want to connect connect from a remote location to my main network
23:12 < SerpentX> to access file shares on internal servers
23:12 < SerpentX> via openvpn
23:12 < SerpentX> and instead of running the openvpn server from a didicated pc
23:12 < krzie> windows (smb) file shares?
23:12 < SerpentX> ya
23:13 < SerpentX> i want to use my dlink 615 with openvpn on openwrt
23:13 < SerpentX> i think i am nearly complete
23:13 < krzie> if you can handle connecting by IP istead of netbios name, standard tun does that
23:13 < SerpentX> ya
23:13 < SerpentX> ip is fine
23:13 < krzie> for resolution WINS does that over layer3
23:13 < SerpentX> ok..
23:13 < SerpentX> you are saying SERVER1
23:14 < SerpentX> instead of 192.168.0.10
23:14 < SerpentX> ip is fine
23:14 < krzie> SERVER1 would be a netbios name
23:14 < SerpentX> right
23:14 < krzie> !sample
23:14 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
23:14 < krzie> you need to share an entire lan?
23:14 < SerpentX> yeah share the entire lan to the vpn client
23:15 < krzie> ok  so server's lan
23:15 < krzie> !serverlan
23:15 < vpnHelper> krzie: "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
23:15 < krzie> its a router so ip forwarding is already enabled
23:15 < krzie> you also dont need a route outside openvp for that same reason
23:16 < krzie> so basically it is just push "subnet netmask" in the server config
23:16 < SerpentX> ok so i need to tweak the server.ovpn a bit
23:16 < SerpentX> ok let me see wher i am at now
23:16 < SerpentX> so in regards to my first issue
23:16 < SerpentX> with iptables
23:16 < SerpentX> to open the ports
23:17 < SerpentX> iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 1194 -j ACCEPT
23:17 < SerpentX> i switched $WAN to ppp0
23:17 < SerpentX> that makes sence right?
23:17 < SerpentX> i am using pppoe
23:17 < SerpentX> to connect to the internt
23:17 < krzie> sry i dont use linux
23:17 < krzie> bsd / osx
23:18 < SerpentX> i see
23:18 < krzie> but configuring your firewall isnt really openvpn's thing
23:18 < krzie> thats outside the scope of openvpn
23:18 < krzie> you can get help with your firewall config in #iptables prolly
23:18 < SerpentX> ok
23:18 < SerpentX> well i think i have that sorted out
23:18 < krzie> and WAN is a var in that
23:19 < krzie> so instead of changing it, you put
23:19 < SerpentX> so
23:19 < krzie> WAN="ppp0"
23:19 < krzie> above it
23:19 < SerpentX> yeah
23:19 < SerpentX> ok so what type of configuration would u call my setup?
23:19 < krzie> erm
23:19 < krzie> a standard tun sharing the server lan
23:20 < krzie> i gave you my sample configs
23:20 < SerpentX> where i want vpn client to be on the same subnet as the network he is connecting to and be able to view computers and windows shares
23:20 < krzie> you just need to add the push route
23:20 < SerpentX> is it called bridged vpn?
23:20 < krzie> no, you dont need a bridge
23:20 < SerpentX> ok
23:20 < krzie> forget that walkthrough as far as it related to your config
23:20 < SerpentX> so i just need a default configration with a push
23:20 < krzie> you dont need a bridge, or a script, or any of that
23:20 < krzie> yup
23:21 < krzie> many people use bridges like that because they dont understand routing
23:21 < krzie> which i REALLY dont get when using openwrt-like routers
23:21 < krzie> since theres so much less to understand
23:21 < SerpentX> err..ok
23:22 < SerpentX> so lets see
23:24 < SerpentX> do i have to create a tap0 every restart?
23:25 < SerpentX> can we go through my settings and make sure i'm on the right track?
23:25 < SerpentX> i have a makevpn.sh
23:25 < SerpentX> that basically 
23:25 < krzie> there is no tap
23:26 < krzie> did you see my configs?
23:26 < krzie> it uses tun
23:26 < SerpentX> ok i am looking at them
23:27 < SerpentX> so with ur configs
23:27 < SerpentX> i just need to over write the server.ovpn
23:27 < SerpentX> and my client.ovpn on my client pc
23:27 < SerpentX> and i don't need to run the maketap0 script
23:27 < krzie> whats it do?
23:28 < SerpentX> it looks like it
23:28 < krzie> !pastebin
23:28 < vpnHelper> krzie: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
23:28 < SerpentX> insmod tun
23:28 < SerpentX> br="br0"
23:28 < SerpentX> tap="tap0"
23:28 < SerpentX> for t in $tap; do
23:28 < SerpentX>     openvpn --mktun --dev $t
23:28 < SerpentX> done
23:28 < SerpentX> so no for that right
23:28 < krzie> pls no pasting in the chan
23:29 < krzie> maybe it needs the static device, i never used openwrt
23:29 < SerpentX> lol
23:29 < krzie> in my config, change dev tun to dev tun0
23:29 < krzie> then make that script just this
23:29 < krzie> insmod tun
23:29 < krzie> openvpn --mktun --dev tun0
23:31 < SerpentX> for t in $tap; do
23:31 < SerpentX>     brctl addif $br $t
23:31 < SerpentX> done
23:31 < SerpentX> i forgot this part
23:31 < SerpentX> it's in the script too
23:31 < krzie> just use what i said
23:31 < SerpentX> for t in $tap; do
23:31 < SerpentX>     ifconfig $t 0.0.0.0 promisc up
23:31 < SerpentX> done
23:32 < SerpentX> so can u help me understand what this config does
23:32 < SerpentX> vs what ur config does
23:32 < SerpentX> u said this one used TAP
23:32 < SerpentX> while urs uses TUN
23:32 < krzie> tap is for tunneling layer2
23:33 < krzie> tun is for tunneling layer3
23:33 < krzie> think of it like this
23:33 < krzie> layer2 talks by MAC address
23:33 < krzie> layer3 talks by IP address
23:33 < krzie> many would explain it more complicated (and more correct), but thats the gist of it
23:34 < SerpentX> yeah, i red the wiki
23:34 < SerpentX> so you are suggesting i use layer3 tun
23:34 < krzie> (technically layer3 doesnt HAVE TO be IP)
23:34 < SerpentX> with a push config
23:34 < krzie> yes, suggested it and gave you entire config
23:34 < SerpentX> lol thanks sorry slow learning curve here
23:34 < SerpentX> i want to make sure i thoughouly understand what i'm doing tho
23:35 < SerpentX> ok
23:36 < krzie> np
23:36 < SerpentX> so i have made a .sh
23:36 < SerpentX> that' is insmod tun
23:36 < SerpentX> <krzie> openvpn --mktun --dev tun0
23:36 < SerpentX> no <krzie>
23:37 < SerpentX> do i ahve to clean up my tap0
23:37 < SerpentX> or does it go away on it own when i reboot the device
23:37 < SerpentX> like i kinda ran the old configs already
23:37 < SerpentX> so it created those tap0 devices
23:37 < SerpentX> and all that script
23:37 < krzie> seems to go away on reboot since they needed to write a script to make it
23:37 < krzie> ;]
23:37 < SerpentX> ok thats what i thought
23:37 < SerpentX> so
23:37 < SerpentX> ur script will creat me a tun0
23:38 < krzie> yep
23:38 < SerpentX> ok so i will run it
23:38 < SerpentX> now what
23:38 < SerpentX> i need to redo the server.opvn config
23:38 < SerpentX> i see u have alot of stuff
23:38 < SerpentX> in yours
23:38 < krzie> redo?
23:38 < SerpentX> ca /home/krzee/vpn/keys/server-ca/ca.crt
23:38 < SerpentX> cert /home/krzee/vpn/keys/server-ca/server.crt
23:38 < SerpentX> key /home/krzee/vpn/keys/server-ca/server.key
23:38 < SerpentX> dh /home/krzee/vpn/keys/server-ca/dh4096.pem
23:38 < krzie> mine is basically what you need
23:38 < SerpentX> i don't think i have all those crt
23:38 < krzie> just change the paths to go to your files
23:38 < krzie> !pki
23:38 < vpnHelper> krzie: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was
23:38 < vpnHelper> krzie: signed specially as a server (see !servercert)
23:38 < krzie> !dh
23:38 < vpnHelper> krzie: "dh" is build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN
23:39 < krzie> !hmac
23:39 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the tls
23:39 < vpnHelper> krzie: static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
23:40 < SerpentX> so you have some serious encryption going on
23:40 < SerpentX> not just some weak key like i was about to set up
23:40 < krzie> right
23:41 < SerpentX> for ur user vpn
23:41 < krzie> why not, its easy to do and better
23:41 < krzie> if i sniff your encrypted traffic and next year i get your static key, i can decrypt that traffic
23:42 < SerpentX> ok can u explain why you have user and group
23:42 < krzie> with my certs, my key changes every hour
23:42 < SerpentX> is that nessesary?
23:42 < krzie> not necessary, but i always run my apps in a sandbox when available
23:42 < krzie> your router should have some extra user/groups for this
23:42 < krzie> ie: nobody / nogroup
23:43 < SerpentX> yeah i just am wondering what purpuse
23:43 < SerpentX> i will use nobody
23:43 < SerpentX> nogroup
23:43 < SerpentX> well
23:43 < krzie> if one day someone figures out a hack for it, they are not root just by hacking that daemon
23:43 < SerpentX> ok
23:43 < SerpentX> i have a username/password
23:43 < krzie> of course, they need the HMAC key to even get packets read
23:43 < SerpentX> on my smb shares
23:44 < krzie> but security is an onion
23:44 < SerpentX> would it be safe
23:44 < krzie> you try to get as many layers as possible
23:44 < SerpentX> to set the default login
23:44 < krzie> well the VPN secures it from people in the middle
23:44 < SerpentX> yeah
23:44 < SerpentX> ok
23:44 < SerpentX> i think i will go with nobody:nogroup
23:44 < SerpentX> that is safe right
23:44 < krzie> assuming your router has those users
23:45 < vpnHelper> RSS Update - forum: Server Administration :: Re: ethernet tunnel (not bridge) random PING problem :: Reply by ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7099&p=8118#p8118>
23:45 < SerpentX> it should
23:45 < SerpentX> so
23:45 < SerpentX> on the server config
23:45 < SerpentX> u have local 
23:45 < SerpentX> and server
23:45 < SerpentX> my router ip is say 192.168.0.1
23:45 < SerpentX> local 192.168.10.1
23:46 < SerpentX> server 192.168.0.1
23:46 < SerpentX> local 192.168.0.1*
23:46 < SerpentX> server 192.168.0.1 255.255.255.0
23:46 < SerpentX> should look like that?
23:49 < SerpentX> also is it safe to put ur keys in /etc
23:49 < SerpentX> that's where to original config recommends
23:49 < SerpentX> but isn't that open domain for all users
23:53 < krzie> see the manual
23:53 < krzie> then ask if you have questions
23:53 < krzie> !man
23:53 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
23:53 < krzie> !--
23:53 < vpnHelper> krzie: "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file.
23:55 < SDE> SerpentX if your having too much issues
23:55 < SDE> just get OpenVPN AS
23:55 < SDE> best damn thing i ever did :)
23:55 < SDE> for $5 licencse
23:55 < SDE> lol
23:55 < krzie> ahh cool an AS user =]
23:56 < krzie> been meaning to try it sometime
23:56 < SDE> less headache for people who aint too techy into linux tbh
23:56 < SDE> it's nice mate
23:56 < SDE> very nice
23:56 < SDE> the Admin UI etc
23:56 < SDE> and the way it's compiled for the even more retarded end users
23:56 < SDE> is even nicer :)
23:56 < SerpentX> yeah..seriously, i'm trying to follow along krzie, but shit son..
23:56 < SDE> the user UI
23:57 < SDE> just give openvpn as a try
23:57 < vpnHelper> RSS Update - forum: Server Administration :: Re: ethernet tunnel (not bridge) random PING problem :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7099&p=8119#p8119>
23:57 < SDE> comes with free 2 licences
23:57 < SDE> its all tick boxes :)
23:57 < SDE> cant fuck that one up too much i dont think
23:57 < SDE> if u do :P then just pay some guys here to do it for u
23:57 < SDE> save urself the time + headache
23:57 < SDE> time = money :)
23:57 < krzie> actually, AS comes with real support
23:57 < krzie> from openvpn technologies
23:57 < krzie> !AS
23:58 < vpnHelper> krzie: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
23:58 < vpnHelper> krzie: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
23:58 < krzie> #4
23:58 < SDE> correct
23:58 < SDE> they have a live support room + email support
23:58 < SDE> or just  pay krzie to dial in and set it up for you
23:59 < SerpentX> lol
23:59 < SDE> id do either lol im serious mate
23:59 < SerpentX> crazy
23:59 < SDE> save urself the damn headache
23:59 < krzie> SDE, wouldnt be the first
23:59 < SerpentX> u have a client to client setup?
23:59 < SDE> that's what i did :)
23:59 < SDE> I dont have that setup on my OpenVPN AS no
23:59 < SDE> have client to server
23:59 < krzie> client-to-client is default unless firewall blocks it, even if it does you can add 1 config option to bypass firewalling
23:59 < krzie> !c2c
--- Day changed Mon Oct 18 2010
00:00 < vpnHelper> krzie: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things
00:00 < vpnHelper> krzie: behind other clients
00:00 < SDE> Then u need bridging i think
00:00 < krzie> but not direct, always goes through server
00:00 < krzie> why would he need bridging??
00:00 < krzie> you never need a bridge unless you need layer2 traffic
00:00 < SDE> so the clients can speak to each other...?
00:00 < SDE> lol im wrong then :P
00:00 < SerpentX> well
00:01 < SerpentX> i'm genna try krazies config
00:01 < krzie> SDE, unless you dont want them to ;)
00:01 < SerpentX> krzie, if i change all ur ca
00:01 < SerpentX> key
00:01 < SerpentX> auth
00:01 < SerpentX> to secret
00:01 < krzie> SDE, hell, you can have lans all going over the vpn like this
00:01 < SerpentX> i know it's blasphemy
00:01 < krzie> !route
00:01 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
00:01 < SerpentX> but for testing purpuse
00:01 < SerpentX> is that ok?
00:01 < krzie> SerpentX, you can remove the line with local
00:02 < SerpentX> ok 
00:02 < SerpentX> i #'d all ur auth encrytpions
00:02 < SerpentX> i'm gonna put secret
00:02 < krzie> umm no
00:02 < krzie> not gunna work
00:02 < SerpentX> key?
00:02 < krzie> secret is for ptp
00:02 < krzie> client/server needs certs
00:02 < krzie> go to the links i gave you and read
00:02 < krzie> !pki
00:02 < vpnHelper> krzie: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was
00:02 < vpnHelper> krzie: signed specially as a server (see !servercert)
00:02 < SerpentX> ok ok..fine
00:03 < SerpentX> i'll create the dam certs
00:03 < krzie> dont expect everything to be done for you
00:03 < krzie> either read or go get AS
00:04 < krzie> it was made so you wouldnt need to read/learn/care
00:06 < krzie> ive given everything you need, bbl
00:07 < SerpentX> ..
00:07 < SerpentX> man i can't even find the easy-rsa folder
00:08 < SerpentX> god i'm a handysnack
00:11 < krzie> dont make the certs on the router
00:11 < krzie> *really bbl this time*
00:12 < SerpentX> oh
00:24 < SerpentX> this dh is charting the known galaxy...
00:31 < SerpentX> wow
00:31 < SerpentX> u fancypance showoff
00:31 < SerpentX> with 4096 key length
00:31 < SerpentX> i am 1024 noob
00:33 < SerpentX> ok..done
00:33 < SerpentX> do i have to drop some stuff into the client config dir?
00:36 < vpnHelper> RSS Update - forum: Server Administration :: Re: ethernet tunnel (not bridge) random PING problem :: Reply by ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7099&p=8120#p8120>
00:39 < SerpentX> krzie u back yet
00:44 < SerpentX> i think i'm ready to test
00:44 < SerpentX> other then tls auth
00:44 < SerpentX> ur tun script will reset when i reboot right
00:47 < SerpentX> ..frig
00:47 < SerpentX> i'm getting errors
00:47 < SerpentX> first ti said
00:48 < SerpentX> Options error: --server directive network/netmask combination is invalid
00:49 < SerpentX> server 10.8.0.0 255.255.255.0
00:49 < SerpentX> ### (optional) make local network behind the VPN server accessible for the VPN clients
00:49 < SerpentX> push "route 192.168.1.0 255.255.255.0"
00:49 < SerpentX> should i change to this
00:56 < SerpentX> i'm pretty tired
00:56 < SerpentX> i'll try again tomorrow
01:16 -!- SerpentX [~SerpentX@KTNRON06-1176259399.sdsl.bell.ca] has quit [Read error: Connection reset by peer]
01:17 -!- SerpentX [~SerpentX@70.28.75.71] has joined #openvpn
01:17 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 265 seconds]
01:17 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 265 seconds]
01:25 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
01:32 -!- openbsdnoob [~openbsdno@88.79.221.61] has quit [Quit: byebye]
01:32 -!- SerpentX [~SerpentX@70.28.75.71] has quit [Quit: Leaving]
01:40 -!- dazo_afk is now known as dazo
01:46 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
01:48 -!- openbsdnoob [~openbsdno@88.79.221.61] has joined #openvpn
01:49 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Read error: Connection reset by peer]
01:55 -!- p3rror [~mezgani@adsl196-137-65-206-196.adsl196-3.iam.net.ma] has quit [Ping timeout: 250 seconds]
01:58 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
01:59 -!- Guest35806 [~Bam_Bam@li125-231.members.linode.com] has quit [Ping timeout: 245 seconds]
02:07 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
02:12 -!- Guest35806 [~Bam_Bam@li125-231.members.linode.com] has joined #openvpn
02:18 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 272 seconds]
02:20 -!- theDoc [~Link@173.236.42.221] has joined #openvpn
02:24 -!- theDoc [~Link@173.236.42.221] has quit [Changing host]
02:24 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
02:46 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:59 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
04:20 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
04:53 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
04:53 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
04:57 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
05:24 -!- atan [~atan@unaffiliated/atan] has quit [Quit: Leaving]
05:25 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has joined #openvpn
05:45 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
06:55 < vpnHelper> RSS Update - forum: Server Administration :: Openvpn rooting help :: Author morto <https://forums.openvpn.net/viewtopic.php?f=4&t=7191&p=8121#p8121>
06:55 < |Mike|> lol
07:16 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
07:17 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Ping timeout: 276 seconds]
07:19 < vpnHelper> RSS Update - forum: Server Administration :: VPN SS portal? :: Author greeg <https://forums.openvpn.net/viewtopic.php?f=4&t=7192&p=8122#p8122>
07:20 -!- dyer [~voxeojohn@unaffiliated/voxeojohn] has quit []
07:23 -!- EmperorTom [~EmperorTo@174-30-252-228.mpls.qwest.net] has joined #openvpn
07:27 < vpnHelper> RSS Update - forum: Server Administration :: VPN SSL portal? :: Author greeg <https://forums.openvpn.net/viewtopic.php?f=4&t=7192&p=8122#p8122>
07:28 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
07:28 -!- patchie [~sdf@136.81-167-201.customer.lyse.net] has quit [Ping timeout: 255 seconds]
07:29 -!- patchie [~sdf@136.81-167-201.customer.lyse.net] has joined #openvpn
07:34 -!- takamichi [~pri@78.133.38.192] has quit []
07:40 -!- mschiff_ [~mschiff@d000000.adsl.hansenet.de] has joined #openvpn
07:41 < mschiff_> Is there a possibility for a client (linux, 2.1.3) to deny options pushed by the server?
07:42 < mschiff_> !welcome
07:42 < vpnHelper> mschiff_: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:42 < ecrist> look for push-reset or something
07:44 < mschiff_> ecrist: this is for server mode only... What i am loking for is: I do not want openvpn client to set my DNS config
07:44 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
07:47 <@cron2> mschiff: well, you can always remove "pull" from your client config, but then you'll get no config at all
07:47 <@cron2> fine-grained control only exists for routes ("--route-nopull")
07:48 <@cron2> OTOH, openvpn doesn't set DNS on Linux anyway - this is done by scripts called from OpenVPN (if at all), so you could just change those scripts
07:49 < mschiff_> cron2: hm ok, thanks. So there is nothing like "pull-remove "dhcp-option DNS" or something like that...
07:49 <@cron2> no
07:49 < mschiff_> cron2: yeah I know it is done by scripts, but something in the ovpn config to prevent this would be the cleanest solution
07:55 <@cron2> mschiff_: well, I can understand that point of view, but as of today, nobody implemented that..
07:55 < ecrist> you are welcome to submit a patch adding such features, however.
07:55 < ecrist> :)
07:56 -!- BB` [~Bam_Bam@li125-231.members.linode.com] has joined #openvpn
07:56 -!- BB` is now known as Guest4154
07:58 < mschiff_> ok, I just found a switch in my distro that disables DNS config by openvpn...
07:59 < mschiff_> and of course I would send a patch if time and skills permitted it to be done, thanks for helping!
07:59 <@cron2> there you go :-)
07:59 -!- Guest35806 [~Bam_Bam@li125-231.members.linode.com] has quit [Ping timeout: 245 seconds]
08:24 -!- mschiff_ is now known as mschiff
08:28 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
09:05 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:17 -!- mschiff_ [~mschiff@d000000.adsl.hansenet.de] has joined #openvpn
09:18 -!- mschiff [~mschiff@d000000.adsl.hansenet.de] has quit [Ping timeout: 260 seconds]
09:36 < vpnHelper> RSS Update - forum: Server Administration :: Re: Need help with core dump gdb output 2.1.3 server :: Reply by dazo <https://forums.openvpn.net/viewtopic.php?f=4&t=7183&p=8123#p8123>
09:43 -!- mschiff_ [~mschiff@d000000.adsl.hansenet.de] has left #openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
09:50 -!- Guest4154 [~Bam_Bam@li125-231.members.linode.com] has quit [Ping timeout: 245 seconds]
09:54 -!- p3rror [~mezgani@adsl196-196-65-206-196.adsl196-3.iam.net.ma] has joined #openvpn
10:00 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
10:01 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
10:08 -!- dazo is now known as dazo_afk
10:10 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
10:30 -!- rokr1 [~rokr1@59.92.58.198] has joined #openvpn
10:31 < rokr1> hello all
10:32 < rokr1> i have Tomato firmware running openvpn
10:32 < rokr1> i would like to enable ethernet bridging
10:33 < rokr1> i am able to get local ip in one linux box but not in my N900
10:37 < ecrist> rokr1: if your question is specific to setting up bridge on tomato, you'll have to ask them
10:37 < ecrist> we can only help with the openvpn side of things
10:38 < rokr1> ok
10:39 < rokr1> tomato runs dnsmasq so every thing is good
10:40 < rokr1> i just want to forward ip address through dhcp(dnsmasq)
10:40 < rokr1> i am new to this 
10:40 < ecrist> I know nothing about how tomato is configured or how it works, so I couldn't help with the bridging stuff.
10:41 < rokr1> yes wats the basic configuration for bridging in openvpn to forward dhcp address
10:41 < rokr1> for server and client
10:42 < rokr1> tap interface
10:42 < ecrist> yeah, openvpn doesn't handle that, the system kernel builds the bridge.
10:44 < rokr1> is there any pastebin so that i could upload the configuration and u can correct them if possible
10:44 < rokr1> ?
10:46 < ecrist> yeah, just upload to pastebin.ca or whatever and post the link here.
10:49 < rokr1> http://pastebin.ca/1965871
10:49 < rokr1> is this a good configuration file or should i add something more
10:49 < ecrist> does it work?
10:50 < ecrist> can a client connect?
10:50 < ecrist> !dhcp
10:50 < rokr1> only works with windows system
10:50 < vpnHelper> ecrist: "dhcp" is redirect-gateway bypass-dhcp gets around the problem of DHCP packets to the local DHCP server being incorrectly routed into the tunnel. Available in 2.1
10:50 < ecrist> openvpn isn't able to setup DNS without scripting on non-windows systems
10:51 < rokr1> i run debian based device on Arm
10:51 < rokr1> N900
10:52 < ecrist> ok, so you'll need some scripting for DNS to work
10:53 < rokr1> when i connect i get remote network connected
10:53 < rokr1> but cannot get a local ip
10:56 < rokr1> see this ecrist
10:56 < rokr1> i dont understand a bit
10:56 < rokr1> http://talk.maemo.org/showthread.php?t=38008
10:56 < vpnHelper> Title: OpenVPN routing problem on N900 - maemo.org - Talk (at talk.maemo.org)
10:57 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
10:59 < rokr1> ecrist does it help u ??
11:02 -!- WormFood [~wormfood@183.38.12.154] has quit [Read error: Connection reset by peer]
11:12 -!- F599 [~F599@162.168.48.60.cbj06-home.tm.net.my] has joined #openvpn
11:17 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
11:18 -!- WormFood [~wormfood@183.38.15.247] has joined #openvpn
11:24 -!- rokr1_ [~rokr1@59.92.17.137] has joined #openvpn
11:26 < rokr1_> here u go ercrist
11:26 < rokr1_> http://pastebin.ca/1965915
11:28 -!- rokr1 [~rokr1@59.92.58.198] has quit [Ping timeout: 245 seconds]
11:29 -!- rokr1_ is now known as rokr1
11:32 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 276 seconds]
11:40 -!- rokr1 [~rokr1@59.92.17.137] has quit [Ping timeout: 265 seconds]
11:48 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
11:49 -!- rokr1 [~rokr1@59.92.17.137] has joined #openvpn
11:57 -!- takamichi [~pri@78.133.38.192] has quit [Read error: Connection reset by peer]
11:58 -!- Guest4154 [~Bam_Bam@li125-231.members.linode.com] has joined #openvpn
12:00 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
12:01 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
12:04 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
12:06 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
12:07 -!- p3rror [~mezgani@adsl196-196-65-206-196.adsl196-3.iam.net.ma] has quit [Read error: Connection reset by peer]
12:15 -!- patchie [~sdf@136.81-167-201.customer.lyse.net] has quit [Ping timeout: 240 seconds]
12:15 -!- patchie [~sdf@136.81-167-201.customer.lyse.net] has joined #openvpn
12:53 -!- Agin [~Agin@greenzone.copyleft.no] has joined #openvpn
13:20 -!- Guest4154 [~Bam_Bam@li125-231.members.linode.com] has quit [Changing host]
13:20 -!- Guest4154 [~Bam_Bam@unaffiliated/bambam/x-942313] has joined #openvpn
13:20 -!- Guest4154 is now known as Bam_Bam
13:24 -!- rokr1_ [~rokr1@59.92.42.190] has joined #openvpn
13:28 -!- rokr1 [~rokr1@59.92.17.137] has quit [Ping timeout: 245 seconds]
13:34 -!- mrle0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has joined #openvpn
13:36 -!- rokr1_ [~rokr1@59.92.42.190] has quit [Ping timeout: 252 seconds]
13:37 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
13:37 -!- rokr1_ [~rokr1@59.92.42.190] has joined #openvpn
13:53 -!- Mika [~MiKa@ip5657a511.direct-adsl.nl] has left #openvpn []
13:56 -!- ldralves [~support@189.24.249.162] has joined #openvpn
13:57 -!- ldralves [~support@189.24.249.162] has quit [Client Quit]
13:57 -!- ldralves [~support@189.24.249.162] has joined #openvpn
14:03 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has quit [Read error: Connection reset by peer]
14:03 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has joined #openvpn
14:13 -!- F599 [~F599@162.168.48.60.cbj06-home.tm.net.my] has quit [Read error: Connection reset by peer]
14:27 < Dougy> fdsghdfgs
14:33 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 240 seconds]
14:58 < rokr1_> i have a problem... i have a successful connection but the DHCP is not working on my N900
14:58 < rokr1_> i have to do ifconfig tap0 up and then ifconfig tap0 192.168.x.x 255.255.255.0
14:59 < rokr1_> then i can connect...
14:59 < rokr1_> is there any automated script to resolve the issue on server's end ??
15:18 -!- rokr1_ [~rokr1@59.92.42.190] has quit [Quit: Leaving]
15:22 -!- bluegene [~bluegene@awesomo.iodev.org] has joined #openvpn
15:23 < bluegene> guys, i have set up openvpn and i can successfully connect, however, i cannot browse the interwebz ;) http://nopaste.me/paste/636073ece5.html anyone knows what's going wrong here?
15:24 -!- ping-pong [~qwerty@212-30-223-89.static.simnet.is] has quit [Ping timeout: 245 seconds]
15:24 -!- ping-pong [~qwerty@v01.vedur.is] has joined #openvpn
15:25 -!- Mika [~MiKa@ip5657a511.direct-adsl.nl] has joined #openvpn
15:25 < Mika> how do i add a extra user i have test it with 1 user and works great but now wil i add a 2 user
15:26 < bluegene> same way you created the first one ;)
15:27 < Mika> # sudo ./build-key client2  only that ?
15:28 -!- ldralves [~support@189.24.249.162] has quit [Quit: Ex-Chat]
15:28 < bluegene> Mika: i guess so if you use certs, and then copy the files to your client ;)
15:28 < Mika> so that is easy
15:30 < Mika> i was think i must run also build-dh and the rest
15:37 < Mika> Thx bluegene i gona give it a try
15:42 -!- Nwallins [~rhull@ool-4b7fbf5e.static.optonline.net] has joined #openvpn
15:44 < Nwallins> Hi, my office uses checkpoint secureclient / secureremote for VPN access (from outside the LAN).  checkpoint only offers a linux client for like RH7 or similar.  can openvpn or similar work instead?
15:46 -!- Meliorator [m@dunnington.eu] has quit [Quit: changing servers]
15:47 -!- Meliorator [m@dunnington.eu] has joined #openvpn
15:55 < reiffert> Nwallins: when your office installs an openvpn server, then openvpn is YOUR solution.
15:57 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
16:01 -!- Nwallins [~rhull@ool-4b7fbf5e.static.optonline.net] has left #openvpn []
16:04 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 276 seconds]
--- Log closed Mon Oct 18 16:09:08 2010
--- Log opened Mon Oct 18 16:09:15 2010
16:09 -!- ecrist_ [~ecrist@kenny.secure-computing.net] has joined #openvpn
16:09 -!- Irssi: #openvpn: Total of 99 nicks [3 ops, 0 halfops, 0 voices, 96 normal]
16:10 -!- Irssi: Join to #openvpn was synced in 52 secs
16:11 -!- tuxx__ [~sometinel@81.95.4.163] has joined #openvpn
16:14 -!- Guest60195 is now known as Martin`
16:16 -!- Netsplit *.net <-> *.split quits: ecrist, tuxx_, mikkel
16:31 -!- ping-pong [~qwerty@v01.vedur.is] has quit [Read error: Operation timed out]
16:48 -!- ping-pong [~qwerty@212-30-223-89.static.simnet.is] has joined #openvpn
16:51 -!- SerpentX [~SerpentX@KTNRON06-1176259399.sdsl.bell.ca] has joined #openvpn
16:51 < SerpentX> hi
16:52 < SerpentX> anyone ever do this over OpenWRT?
16:52 < SerpentX> on
16:52 < SerpentX> can someone also confirm that i should be using TUN instead of TAP?
16:53 < SerpentX> I have a dlink dir 615 set up with openwrt
16:53 < SerpentX> on it i have installed openvnc
16:54 < SerpentX> i started with a tap config, but was told i should use tun
16:54 < reiffert> better ask this question on #openvnc.
16:54 < SerpentX> and push availability to my network behind the router (need access to smb share on file server)
16:54 < krzee> lol
16:54 < krzee> i gave you everything you needed
16:54 < SerpentX> lol
16:54 < krzee> including configs
16:54 < SerpentX> krzee i love u
16:55 < SerpentX> but i just don't unterstand u
16:55 < krzee> only thing more i could do for you is type it into your keyboard
16:55 < SerpentX> i got SO far last night
16:55 < SerpentX> i got all the auth keys
16:55 < SerpentX> cept tls
16:55 < SerpentX> but
16:55 < SerpentX> ok
16:56 < SerpentX> i gotta go eat dinner (pizza is here), then i'm gonna wack at it soemmore
16:57 < reiffert> estimated 100 keys with your keyboard, minus all those WRONGS you can type there ... 
16:57 < krzee> !learn basic as if you do not understand basic networking, you probably should not be administrating a vpn... you should understand the basics of routing / firewalls first
16:57 < vpnHelper> krzee: Joo got it.
16:57 < reiffert> sounds like typing the correct sentences will succeed much faster.
17:10 -!- aegis [~aegis@74.102.94.215] has quit [Ping timeout: 240 seconds]
17:13 -!- EmperorTom [~EmperorTo@174-30-252-228.mpls.qwest.net] has quit [Remote host closed the connection]
17:24 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has joined #openvpn
17:25 < Noble> Please tell me this, does all traffic over a VPN tunnel go through ONE or SEVERAL ports?
17:34 < krzee> from the perspective of someone outside the tunnel?
17:34 < krzee> (like your ISP)
17:34 < krzee> if so, 1 port only
17:48 -!- p3rror [~mezgani@adsl196-146-105-206-196.adsl196-4.iam.net.ma] has joined #openvpn
18:06 -!- mrle0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has quit [Ping timeout: 245 seconds]
18:08 < SerpentX> aight back
18:08 < SerpentX> so lets see where i left off last night
18:12 < SerpentX> ok so
18:13 < SerpentX> my client PC MUST be external to my network right?
18:13 < SerpentX> i turned on reflections hotplug
18:13 < SerpentX> on my OpenWRT router
18:13 < SerpentX> but i think for testing purposes, i'll wireless into my neighbours wifi
18:14 < Noble> krzee: Yes from the perspective of the ISP, so if I put it on i.e port 80 I can dodge a lot of (stupid) firewalling?
18:15 < SerpentX> lol
18:15 < SerpentX> i would go easy on the usage of stupid and firewalling around krzee
18:15 < SerpentX> he is a fanatic of formality
18:15 < |Mike|> || Your problem is your firewall, really. || 
18:15 < |Mike|> I agree with that statement ;)
18:20 < SerpentX> ok
18:20 < SerpentX> got a spare laptop, loading it with openvpn windows
18:22 < SerpentX> hey krze
18:22 < SerpentX> or
18:22 < SerpentX> anyone
18:23 < SerpentX> can you tell me why i want to use tun instead of tap
18:23 < SerpentX> i read the wiki on tap vs tun
18:23 < SerpentX> but can someone give it to me straight
18:23 < SerpentX> even it u just say tun>tap
18:23 < SerpentX> that will do
18:24 < SerpentX> i just wanna vpn to use my network smb share
18:24 < SerpentX> from external
18:24 < |Mike|> !tunortap
18:24 < vpnHelper> |Mike|: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against
18:24 < vpnHelper> |Mike|: you over the vpn, or (#4) lan gaming? use tap!
18:24 < |Mike|> there ya go.
18:25 < SerpentX> can i have an example
18:25 < SerpentX> of a MAC/layer2 traffic
18:29 < SerpentX> ..fine, i will just accept that i am more then likely to only need layer 3 and tun is for me
18:30 < SerpentX> well wait
18:30 < SerpentX> #4 use tap
18:30 < SerpentX> i'm not saying that
18:30 < SerpentX> if i didn't have a fast well working vpn
18:31 < SerpentX> i wouldn't consider playing some hardcore gta2
18:31 < SerpentX> with my lil bro
18:31 < SerpentX> are u saying
18:31 < SerpentX> that i couldn't play a lan game on tun?
18:31 < |Mike|> what's your setup?
18:31 < SerpentX> i have a internal network with a smb file server
18:32 < |Mike|> you have to learn about tcp and udp before you understand tun and tap :-)
18:32 < SerpentX> its connected to a dlink dir 615 which i loaded with OpenWRT
18:32 < SerpentX> a linux firmware for routers
18:32 < SerpentX> i am tyring to get openvnc on it
18:32 < |Mike|> I'm familair with that :-)
18:32 < SerpentX> so that the router itself accepts vpn
18:32 < SerpentX> and then gives the vpn users
18:32 < |Mike|> openvnc... zomg, people still use that crap?
18:32 < SerpentX> access to the network
18:32 < SerpentX> mainly the fileshare
18:32 < SerpentX> no i just type it
18:33 < SerpentX> i mean openvpn
18:33 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 272 seconds]
18:33 < SerpentX> vpn vpn not vnc
18:33 < SerpentX> i have typing issues
18:34 < SerpentX> i found some turortials
18:34 < SerpentX> but then i met krzee
18:34 < SerpentX> and he told me to scrap my tutorials
18:34 < SerpentX> and use tun
18:34 < SerpentX> corse his tun method has every security in the book
18:34 < SerpentX> so i am generating secruity keys all night
18:35 < SerpentX> and apparent'ly copy paste .crt in notepad doesn't transfer right
18:35 < |Mike|> tap uses tcp, which needs a lot of cpu power :-)
18:35 < SerpentX> yeah
18:35 < SerpentX> the router is maybe 600mhz
18:35 < SerpentX> i mean i have a high powered server behind the router
18:35 < SerpentX> i could easily use it
18:35 < SerpentX> and just port forward
18:36 < SerpentX> but last time i tried
18:36 < SerpentX> i took down my webserver
18:36 < |Mike|> I could say "lol, noob!", but that's not appropriate :)
18:37 -!- aegis [~aegis@74.102.94.215] has joined #openvpn
18:37 < SerpentX> well in all honestly
18:37 -!- aegis [~aegis@74.102.94.215] has quit [Excess Flood]
18:37 < SerpentX> this is my first attempt on openwrt
18:37 < |Mike|> what's the purpose of that "high powered server" at all?
18:37 < SerpentX> and my 2nd attempt at openvpn
18:37 < SerpentX> it's got it's purposes
18:37 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
18:38 < |Mike|> consuming electrics? :P
18:38 < SerpentX> look if u want to know which ports i have opened for u to hack, juast ask
18:38 < SerpentX> no
18:38 < |Mike|> heh
18:38 < SerpentX> but i chatted with trine a while
18:38 < SerpentX> u know that character has 
18:38 < SerpentX> openwrt on this lil docstar device
18:38 -!- aegis [~aegis@74.102.94.215] has joined #openvpn
18:38 -!- aegis [~aegis@74.102.94.215] has quit [Max SendQ exceeded]
18:39 < SerpentX> he friggan runs everything..webserver..torrent client
18:39 < SerpentX> from this lil 1.2mhz
18:39 < SerpentX> probbly consumes all of 5 wats
18:39 < |Mike|> I use a NSLU2 as firewall @ home, works great :-)
18:39 < |Mike|> as long as I don't abuse my 50mbit line, it will cope with my ssh supersonic typing speeds ;)
18:40 < SerpentX> i wish i had 50mb
18:40 < SerpentX> i have maybe 5mg down
18:40  * |Mike| loves to be dutch :P
18:40 < SerpentX> i'm thinking of getting a server cage
18:40 -!- aegis [~aegis@74.102.94.215] has joined #openvpn
18:40 < SerpentX> on the main pipe somewhere downtown
18:40 < SerpentX> but for now
18:40 -!- aegis [~aegis@74.102.94.215] has quit [Excess Flood]
18:41 < SerpentX> i'm here trying to setup openvpn on my router
18:41 < SerpentX> so krzee
18:41 < SerpentX> sent me his configs
18:41 < SerpentX> i think i will have to scp the certs over to my router properly
18:41 < SerpentX> i have an external wifi connection prepared
18:41 < SerpentX> so i can test it
18:42 -!- aegis [~aegis@74.102.94.215] has joined #openvpn
18:42 -!- aegis [~aegis@74.102.94.215] has quit [Excess Flood]
18:42 < |Mike|> no need for that imho
18:43 < SerpentX> imho?
18:43 < |Mike|> in my honest opinion
18:43 < SerpentX> i heard..?
18:43 < SerpentX> i heard u can't vpn from internal
18:44 < |Mike|> haha, who told you that?
18:44 < SerpentX> i swear the hardest part of this is every 2nd person tells u to do something different
18:44 < SerpentX> krzee thinks i'm a retard
18:44 < SerpentX> but seriously, i follow the how to
18:44 -!- aegis [~aegis@74.102.94.215] has joined #openvpn
18:44 < SerpentX> and he's like..nno no..don't do any of that, do this
18:44 -!- aegis [~aegis@74.102.94.215] has quit [Excess Flood]
18:44 < |Mike|> krzee: SerpentX isn't retarded :-)
18:44 < SerpentX> now the bot is like..clan gaming? use TAP!
18:44 < |Mike|> SerpentX: you should read the text, serioulsy
18:45 < |Mike|> !tunortap
18:45 < vpnHelper> |Mike|: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against
18:45 < vpnHelper> |Mike|: you over the vpn, or (#4) lan gaming? use tap!
18:45 < |Mike|> and not just #4
18:45 < SerpentX> i did
18:45 < SerpentX> i kon't wanna get arp attacked
18:45 < SerpentX> i don't really know what that is
18:45 < SerpentX> but arp poisoning sounds bad
18:46 < SerpentX> so tun is ok as long as i can get my smb share
18:46 < |Mike|> And besides that, krzee doesn't tag people with "hey, he's a noob, he's retarded"
18:46 -!- aegis [~aegis@74.102.94.215] has joined #openvpn
18:46 < |Mike|> He's really helpfull when you state a question.
18:46 < SerpentX> yeah i like him
18:46 < SerpentX> i not saying he called me a retard
18:47 < |Mike|> < SerpentX> krzee thinks i'm a retard
18:47 < |Mike|> mkay ;)
18:47 < SerpentX> lol
18:47 < SerpentX> well he said
18:47 < SerpentX> SerpentX
18:47 < SerpentX> i told u what to do
18:47 < SerpentX> i provided you everhting
18:47 < SerpentX> all that's left is for me is to type it
18:48 < |Mike|> Yeah, he doesn't want to repeat himself 5000 times ;)
18:48 < SerpentX> that's is implying something
18:48 < SerpentX> lol
18:48 < SerpentX> ye
18:48 < SerpentX> the problem is
18:48 < SerpentX> i'm getting so much confliting info
18:48 < |Mike|> either way, learn the difference between tcp and udp and /or tun or tap ;)
18:48 < |Mike|> don't accept other info from infidels!
18:49 < SerpentX> i'm trying
18:49 < SerpentX> i realize tcp and udp are different protocals
18:49 < |Mike|> they sure are
18:49 < SerpentX> and i heare u guys about the differenet networking layers
18:49 < SerpentX> but truthfully i don't even know what uses layer 2
18:49 < SerpentX> like
18:49 < |Mike|> tcp has a control layer on each packet and udp hasn't :-)
18:49 < SerpentX> smb
18:50 < SerpentX> is that later 2 or 3?
18:50 < SerpentX> i have no idea
18:50 < SerpentX> lan gaming?
18:50 < SerpentX> i would say 3
18:50 < |Mike|> smb is layer 2 :)_
18:50 < SerpentX> but according to ur lil helpme
18:50 < SerpentX> lan gaming needs tap
18:50 < |Mike|> it uses broadcasting etc
18:50 < SerpentX> aka 2
18:50 < |Mike|> Yep.
18:50 < SerpentX> it's hard to find that info
18:50 < SerpentX> like u don't find that on the Age of Empires website
18:50 < SerpentX> i'll tell u that
18:51 < SerpentX> AOE3 REQUIRES LAYER 2
18:51 < SerpentX> no where
18:51 < |Mike|> it's not, basic tcp/udp manual will teach you :-)
18:51 < |Mike|> netstat ;)
18:51 < |Mike|> but hey, it's 01:51 here in NL, time to take some sleep :-)
18:51 < SerpentX> well
18:52 < SerpentX> ok if what u just said
18:52 < SerpentX> smb needs broadcasting
18:52 < SerpentX> layer 2
18:52 < SerpentX> lan gaming boradcasting
18:52 < SerpentX> why is krzee telling me to stop my TAP how to and use tun?
18:53 < SerpentX> !wins
18:53 < vpnHelper> SerpentX: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
18:55 < SerpentX> yeah..i'm lost...i think that dh starmap security key went right to my head
18:55 < SerpentX> on another note, i'm pretty sure my samaba server has it's on WINS server
19:00 < krzee> SerpentX, smb does not need layer2
19:00 < krzee> only the netbios resolution does
19:00 < krzee> which you said you did not need
19:00 < SerpentX> cuz i use ip
19:00 < krzee> THEN YOU DONT NEED TAP
19:00 < SerpentX> ok
19:00 < SerpentX> i'm going with ur config
19:00 < krzee> why the hell have you been here an entire day asking the same questions
19:01 < krzee> i have now answered the same question 3 times
19:01 < krzee> i gave you the entire config
19:01 < SerpentX> krzee
19:01 < SerpentX> can i vpn from internal?
19:01 < krzee> huh?
19:01 < SerpentX> or do i need to connect to my neighbours wifi and vpn in
19:01 < krzee> oh
19:02 < krzee> no you can not do it from inside the lan, since you push the lan in your config
19:02 < krzee> you would create a routing loop
19:02 < SerpentX> yeah
19:02 < SerpentX> soprry i am asking alot
19:02 < SerpentX> but i am seriously getting different answers
19:02 < krzee> it comes down to this
19:02 < SerpentX> every time
19:02 < krzee> !basic
19:02 < vpnHelper> krzee: "basic" is if you do not understand basic networking, you probably should not be administrating a vpn... you should understand the basics of routing / firewalls first
19:02 < SerpentX> that's a valid point
19:02 < krzee> no, you have gotten the same answer from me 3 times
19:02 < SerpentX> but i do understand the basics
19:02 < krzee> no, you do not
19:04 < SerpentX> i'm not going to argue, either way, i'm setting up this vpn and continueing on
19:04 < krzee> \o/
19:04 < dogmeat> is there any setting for idle-timeout? im looking for a setting that if the user is not active for say 30 minutes, the openvpn connection closes. searching, they said this option was not implemented.
19:04 < krzee> dogmeat, --keepalive
19:04 < krzee> if you want it to close instead of reconnect, there is an option for that
19:05 < dogmeat> krzee, what is the option to close?
19:05 < krzee> but keepalive will trigger a reconnect unless you use that other option as well
19:05 < krzee> lemme look in the man for you
19:05 < krzee> !man
19:05 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
19:06 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
19:06 < krzee> ahh instead of keepalive you can use this
19:06 < krzee> --ping-exit n 
19:06 < krzee> Causes OpenVPN to exit after n seconds pass without reception of a ping or other packet from remote. This option can be combined with --inactive, --ping, and --ping-exit to create a two-tiered inactivity disconnect. 
19:06 < krzee> For example, 
19:06 < krzee> openvpn [options...] --inactive 3600 --ping 10 --ping-exit 60 
19:06 < krzee> when used on both peers will cause OpenVPN to exit within 60 seconds if its peer disconnects, but will exit after one hour if no actual tunnel data is exchanged.
19:07 < krzee> sounds like you just want the client to have --ping and --ping-exit
19:08 < dogmeat> krzee, interesting, thanks for the pointers 
19:08 < krzee> and i guess you cant use keepalive on your server, because that would set --ping-restart on the client, and you want --ping-exit instead
19:08 < krzee> np
19:09 < dogmeat> i had been searching around and came up with some web pages saying that it was not possible to because there was no way to tell if no activity from the connection
19:10 < krzee> that is false
19:11 < krzee> #2 of --ping says this:
19:11 < krzee> This option has two intended uses:
19:11 < krzee> (2) To provide a basis for the remote to test the existence of its peer using the --ping-exit option.
19:11 < krzee> and that should actually be changed to say ping-exit or ping-restart'
19:19 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
19:20 -!- APTX [~APTX@phpBB/developer/APTX] has joined #openvpn
19:22 < SerpentX> sigh
19:22 < SerpentX> it's not connecting
19:23 < krzee> did you open the port in your firewall...?
19:23 < krzee> (on the server)
19:23 < SerpentX> i tried to i thinkt hat's my issues
19:24 < krzee> [17:05]  <SerpentX> but i do understand the basics
19:24 < krzee> [17:05]  <krzee> no, you do not
19:24 < SerpentX> 2
19:24 < SerpentX> 									0
19:24 < SerpentX> 									0.00 B
19:24 < SerpentX> 									ACCEPT
19:24 < SerpentX> 									tcp
19:24 < SerpentX> 									--
19:24 < SerpentX> 									ppp0
19:24 < SerpentX> 									*
19:24 < SerpentX> 									0.0.0.0/0
19:24 < SerpentX> 									0.0.0.0/0
19:24 < SerpentX> 									tcp dpt:22
19:24 < SerpentX> 							
19:24 < SerpentX> 						
19:24 < SerpentX> 							
19:24 < SerpentX> 								3
19:24 < SerpentX> 									0
19:24 -!- mode/#openvpn [+o krzee] by ChanServ
19:24 < SerpentX> 									0.00 B
19:24 < SerpentX> 									ACCEPT
19:24 < SerpentX> 									udp
19:24 -!- SerpentX was kicked from #openvpn by krzee [PASTEBIN]
19:25 < dogmeat> heh
19:25 <@krzee> man
19:25 <@krzee> how do those people even find their way to IRC
19:26 -!- mode/#openvpn [+v vpnHelper] by krzee
19:26 -!- mode/#openvpn [-o krzee] by krzee
19:34 < patel> haha
19:34 < patel> pwned
19:35 < krzee> his first warning on that was last night
19:35 < krzee> his next one is +b if im here
19:36 < patel> =)
19:39 < krzee> hows the bay?
19:39 < krzee> oh... and ARE YOU READY FOR SOME FOOTBALL!?
19:50 < patel> man
19:50 < patel> the raiders lost to the worst team
19:50 < patel> ever!
19:51 < patel> bay is great, weather is finally getting better ;)
19:51 < patel> who do you root for?
19:51 < patel> brb from home in a bit
20:01 < krzee> niners!
20:01 < krzee> but we need a damn qb
20:02 -!- SerpentX [~SerpentX@70.28.75.71] has joined #openvpn
20:02 < krzee> then again... your raiders need one more... any idea who will be your starting QB next week now that #1 and #2 are hurt?
20:02 < krzee> SerpentX, use pastebin for pasting things here, you were told last night, just got warning #2, next one is a ban
20:02 < SerpentX> i got it to connect
20:02 < SerpentX> ye well..#football if u wanna discuss the raiders
20:03 < SerpentX> it was a 2 line paste
20:03 < krzee> i will talk about whatever i want here, thanx for your concern
20:03 < SerpentX> sorry it split like that
20:04 < SerpentX> whatever i'm over it
20:04 < SerpentX> i got it to connect but how do i access the file share
20:04 < SerpentX> i tried \\192.168.0.10
20:04 < SerpentX> couldn't find it?
20:04 < krzee> can you ping 192.168.0.10?
20:05 < SerpentX> no
20:05 < krzee> also, your vpn will never work right if your client is on 192.168.0.X... you may want to use a different subnet for your server's lan
20:05 < SerpentX> i get the vpn ip of 10.0.0.2
20:05 < SerpentX> so my wireless ip is
20:05 < SerpentX> 192.168.0.103
20:05 < krzee> ahh
20:05 < SerpentX> my wireless gateway
20:06 < SerpentX> is 0.1
20:06 < krzee> ya, you already have that problem then
20:06 < SerpentX> my tunnel ipv6 is 2001:long
20:06 < krzee> your server lan and your client's ip are the same subnet
20:06 < SerpentX> but openvpn gu8i shows something like 10.0.0.2
20:06 < krzee> !samesubnet
20:06 <+vpnHelper> krzee: "samesubnet" is clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
20:06 < SerpentX> no
20:06 < SerpentX> my subnet is 10.x
20:06 < SerpentX> his is 0.x
20:06 < SerpentX> my vpn is 10.0
20:06 < SerpentX> my subnet is 192.168.10.x
20:06 < SerpentX> his is 192.168.0.x
20:07 < SerpentX> my vpn is 10.0.0.x
20:07 < SerpentX> i set 
20:07 < SerpentX> server 10.0.0.0 255.255.255.0 in the server.conf
20:07 < SerpentX> for ovpn
20:07 < SerpentX> i also put
20:07 < SerpentX> push..hold on
20:08 < SerpentX> push "router 192.168.10.0 255.255.255.0"
20:08 < krzee> thats not the problem
20:08 < SerpentX> should i use that gateway redirecto
20:09 < krzee> router or route?
20:09 < krzee> you said you only want access to the internal lan... that does not require redirecting gateway
20:09 < SerpentX> route
20:09 < krzee> it should be push "route subnet netmask" not push router
20:09 < krzee> ok and
20:10 < SerpentX> ye route
20:10 < krzee> what is 192.168.0.10
20:10 < SerpentX> an example
20:10 < krzee> you said the server's lan is 192.168.10.0...
20:10 < SerpentX> ye 0.10 was an exmaple server
20:10 < krzee> you are making no sense
20:10 < SerpentX> ie 192.168.10.10 is the real
20:10 < krzee> well talk in reality
20:10 < SerpentX> like mydomain.com
20:11 < SerpentX> instead of the real domain
20:11 < SerpentX> sure
20:11 < krzee> there is no point to confusing things, especially something so relevant
20:11 < SerpentX> so i can't ping 192.168.10.10
20:11 < SerpentX> which is my internal lan server
20:11 < krzee> !logs
20:11 <+vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
20:11 < krzee> you can set verb to 4 instead of 5
20:12 < SerpentX> oh
20:12 < SerpentX> am i exposing my internet lan
20:13 < SerpentX> to this wifi connection?
20:13 < SerpentX> or is it only availalbe to my vpn client pc
20:13 < krzee> to your client pc because you are not sharing the client lan
20:14 < krzee> a) they have no route to the vpn, b) your vpn server does not know about the client subnet, would ignore the packets
20:14 < SerpentX> excellent
20:14 < krzee> and the phrase "internet lan" is erroneous
20:15 -!- Link_ [~Link@173.236.41.38] has joined #openvpn
20:15 -!- Link_ is now known as theDoc
20:15 -!- theDoc [~Link@173.236.41.38] has quit [Changing host]
20:15 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
20:15 < krzee> whats up doc <buggs bunny voice>
20:16 < SerpentX> hmm
20:16 < SerpentX> seems like it's having Access is denied with one
20:16 < SerpentX> c;/windows/system32/route.exe
20:16 < krzee> well if i see the logs i asked for 5 mins ago i can help you
20:16 < SerpentX> CreateIpForwardEntry Access is denied
20:17 < krzee> prolly gunna be something like:
20:17 < krzee> !winroute
20:17 <+vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
20:17 < krzee> likely #1 and #2
20:17 < krzee> but also be sure of #4
20:18 < SerpentX> yeah i'm having strange access issues with this pc
20:18 < SerpentX> i'm gonna treconnect as admin
20:19 < SerpentX> GOT PING
20:19 < krzee> oh you didnt connect as admin?
20:19 < krzee> yup, that would do it
20:19 < SerpentX> it's a dell preload
20:20 < SerpentX> it must create user level account by default
20:20 < SerpentX> it's win 7
20:20 < krzee> which is good
20:20 < krzee> but you can still run apps as admin
20:20 < SerpentX> ye, i don't use this spare much
20:20 < SerpentX> ye
20:20 < krzee> and with openvpn, you HAVE to
20:21 < krzee> in linux/unix you can drop permissions after the things you need root for... with windows it stays as admin
20:21 < SerpentX> cool
20:21 < SerpentX> the samba share is asking for a password
20:21 < krzee> then give it one!
20:21 < SerpentX> just like an onion
20:22 < krzee> ahh ;]
20:22 < SerpentX> thanks krzee, sorry i stretched ur patients so much
20:22 < krzee> dont worry about it... im pretty unpatient lately... dealing with a lot
20:22 < krzee> impatient*
20:47 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
20:50 -!- SerpentX [~SerpentX@70.28.75.71] has quit [Quit: Leaving]
21:03 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 264 seconds]
21:03 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has quit [Read error: Connection reset by peer]
21:06 -!- gyyrog [~gyyrog@75-129-104-146.dhcp.trcy.mi.charter.com] has joined #openvpn
21:08 < gyyrog> where can I find the easy-rsa scripts on an ubuntu system?
21:09 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
21:19 < krzee> find / -name easy-rsa
21:33 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
21:36 -!- Shauni [~lordrogue@195-252-51-3-no61.tbcn.telia.com] has joined #openvpn
21:37 < Shauni> !welcome
21:37 <+vpnHelper> Shauni: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:37 < Shauni> !goal
21:37 <+vpnHelper> Shauni: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
21:38 < Shauni> !howto
21:38 <+vpnHelper> Shauni: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
21:42 < Shauni> !goal I would like to connect to an already existing VPN network
21:42 <+vpnHelper> Shauni: Error: "goal" is not a valid command.
21:43 < Shauni> fail
21:47 -!- a1fa [~awef@unaffiliated/a1fa] has joined #openvpn
21:47 < a1fa> whats the best openvpn client for ubuntu
21:50 -!- aegis [~aegis@74.102.94.215] has quit [Ping timeout: 240 seconds]
22:01 -!- gyyrog [~gyyrog@75-129-104-146.dhcp.trcy.mi.charter.com] has quit [Ping timeout: 252 seconds]
22:04 -!- Shauni [~lordrogue@195-252-51-3-no61.tbcn.telia.com] has left #openvpn []
22:06 < Dougy> hmm
22:06 < Dougy> ecrist_: are you here?
22:41 < Dougy> ecrist_: nevermind
22:57 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
23:08 -!- g0tcha` [~efnet@167-122.105-92.cust.bluewin.ch] has quit [Read error: Connection reset by peer]
23:09 -!- g0tcha [~efnet@167-122.105-92.cust.bluewin.ch] has joined #openvpn
23:11 -!- ^scott^ [~scott@stthom.org] has quit [Ping timeout: 240 seconds]
23:36 -!- variable [~variable@unaffiliated/variable] has quit [Ping timeout: 264 seconds]
23:37 -!- variable [~variable@unaffiliated/variable] has joined #openvpn
23:50 -!- Bam_Bam [~Bam_Bam@unaffiliated/bambam/x-942313] has quit [Ping timeout: 245 seconds]
--- Day changed Tue Oct 19 2010
00:18 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-bgzbdrwpwxaegzzk] has joined #openvpn
00:18 < HoboSteaux> is there a way to tell a client to not try and connect it the local ip is in a scertain range?
00:19 < HoboSteaux> i have a roadwarrior setup with my laptop, but it bombards my vpn server when its in the same local network (tries connecting to a remote ip of it and gets a response from the local)
00:20 < HoboSteaux> and I dont want to have it float, that would make no sense to always have it on the vpn
00:33 <+vpnHelper> RSS Update - forum: Server Administration :: Re: Max simultaneous client connections :: Reply by enjoyjoy <https://forums.openvpn.net/viewtopic.php?f=4&t=7188&p=8124#p8124>
00:53 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
00:56 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
01:03 < krzie> a) you could have a first connect with lan ip, and not randomize remote
01:04 < krzie> b) you could have it start with a wrapper script that checks its ip before deciding to start openvpn or not
01:04 < krzie> c) you could not start openvpn when in the lan
01:05 < HoboSteaux> how do you have it first connect with a lan?
01:06 < HoboSteaux> ip*
01:06 < HoboSteaux> i thought you could only put in one host name/address
01:06 < krzie> nope, openvpn takes multiple --remote statements
01:06 < krzie> hell, you can even have seperate connection blocks of settings per server
01:07 < krzie> its all in this
01:07 < krzie> !man
01:07 <+vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
01:07 < HoboSteaux> oh damn thank you!
01:08 < krzie> np
01:11 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
01:19 -!- ^scott^ [~scott@stthom.org] has joined #openvpn
01:21 <+vpnHelper> RSS Update - forum: Server Administration :: Re: Max simultaneous client connections :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7188&p=8125#p8125>
01:27 <+vpnHelper> RSS Update - forum: Server Administration :: Re: OpenVPN and WINS problem :: Reply by Mimiko <https://forums.openvpn.net/viewtopic.php?f=4&t=7117&p=8126#p8126>
01:43 -!- patchie [~sdf@136.81-167-201.customer.lyse.net] has quit [Read error: Connection reset by peer]
01:43 -!- patchie [~sdf@136.81-167-201.customer.lyse.net] has joined #openvpn
01:45 -!- krzee [~k@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
01:45 <+vpnHelper> RSS Update - forum: Server Administration :: Re: ethernet tunnel (not bridge) random PING problem :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7099&p=8127#p8127>
01:48 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
01:57 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
01:57 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
02:09 <+vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: How does openvpn. ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7187&p=8128#p8128>
02:21 <+vpnHelper> RSS Update - forum: Configuration :: Re: Not Server config, but config nonetheless :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7186&p=8129#p8129>
02:35 < krzie> !winroute
02:35 <+vpnHelper> krzie: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
02:39 <+vpnHelper> RSS Update - forum: Server Administration :: Changed Port Number to access web admin tool :: Author paddym <https://forums.openvpn.net/viewtopic.php?f=4&t=7193&p=8130#p8130> || Server Administration :: Re: IP address lease 0.0.0.0 has been denied :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7189&p=8131#p8131>
02:45 <+vpnHelper> RSS Update - forum: Server Administration :: Re: Changed Port Number to access web admin tool :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7193&p=8132#p8132>
03:03 -!- dazo_afk is now known as dazo
03:23 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
03:27 <+vpnHelper> RSS Update - forum: Server Administration :: Re: VPN SSL portal? :: Reply by greeg <https://forums.openvpn.net/viewtopic.php?f=4&t=7192&p=8133#p8133>
03:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:39 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:44 -!- Gokee2_ [~gokee2@204-195-14-78.wavecable.com] has quit [Read error: Operation timed out]
03:45 <+vpnHelper> RSS Update - forum: Off Topic, Related :: Windows 7 dont get an IP pushed :: Author ohpenvaupeen <https://forums.openvpn.net/viewtopic.php?f=1&t=7194&p=8134#p8134>
03:46 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has joined #openvpn
03:48 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
04:01 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
04:09 <+vpnHelper> RSS Update - forum: Server Administration :: Re: IP address lease 0.0.0.0 has been denied :: Reply by libove <https://forums.openvpn.net/viewtopic.php?f=4&t=7189&p=8135#p8135>
04:15 <+vpnHelper> RSS Update - forum: Server Administration :: Re: IP address lease 0.0.0.0 has been denied :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7189&p=8136#p8136>
04:17 < |Mike|> krzie: work harder! :P
04:33 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has quit [Ping timeout: 240 seconds]
04:40 <+vpnHelper> RSS Update - forum: Server Administration :: Re: IP address lease 0.0.0.0 has been denied :: Reply by libove <https://forums.openvpn.net/viewtopic.php?f=4&t=7189&p=8137#p8137>
04:41 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has joined #openvpn
04:49 -!- [1]SDE [~SDE@93-97-41-44.zone5.bethere.co.uk] has joined #openvpn
04:49 -!- HoboStea- [HoboSteaux@nat/wsulug/x-hjfspizkgioqvirn] has joined #openvpn
04:49 -!- Jarpsel [~jarpse@cluon.soleus.nu] has joined #openvpn
04:49 -!- Agin_ [~Agin@greenzone.copyleft.no] has joined #openvpn
04:49 -!- markus___ [~markus@c83-250-33-131.bredband.comhem.se] has joined #openvpn
04:50 -!- Netsplit *.net <-> *.split quits: Agin, Noble, lkthomas, ping-pong, kisom, Jarpse, @dazo, markus_, d12fk, Rolybrau,  (+3 more, use /NETSPLIT to show all of them)
04:50 -!- [1]SDE is now known as SDE
04:50 -!- Netsplit over, joins: Rolybrau, RichiH
04:50 -!- Netsplit over, joins: Noble, kisom
04:50 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined #openvpn
04:51 -!- Netsplit over, joins: ping-pong
04:51 -!- Netsplit over, joins: dazo
04:51 -!- mode/#openvpn [+o dazo] by ChanServ
04:55 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
04:55 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
04:55 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
04:55 -!- lkthomas [lkthomas@218.213.78.173] has joined #openvpn
05:04 <+vpnHelper> RSS Update - forum: Configuration :: Samba Performance problems :: Author lantzanders <https://forums.openvpn.net/viewtopic.php?f=6&t=7195&p=8138#p8138>
05:07 -!- kmq [~kmq@85.159.13.90] has joined #openvpn
05:33 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
05:44 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
05:46 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has joined #openvpn
05:48 -!- p3rror [~mezgani@adsl196-146-105-206-196.adsl196-4.iam.net.ma] has quit [Ping timeout: 252 seconds]
05:48 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Remote host closed the connection]
05:49 < zamba> can someone help me with a routing issue? one of my hosts are well hidden behind firewalls that i'm not able to control.. i want to do video conferencing over h323 and the stun test tells me i have symmetrical nat - which is bad and i need to forward ports
05:50 < zamba> since i'm not controlling the router with the public ip myself, i have to go through another machine first..
05:50 < zamba> luckily my openvpn server is on a public network, with a 100/100 mbps connection
05:51 < zamba> so.. i was thinking.. if i'm able to route the h323 traffic through the vpn tunnel and the vpn server and then use its public ip when communicating, then i'm able to forward the ports back to the endpoint through the two routers..
05:51 < zamba> let's say the h323 endpoint i'm trying to reach is at 88.45.32.22
05:52 < zamba> then i did the following at the router at my "problem place": route add -host 88.45.32.22 gw 10.8.0.9 dev tun0
05:52 < zamba> which worked fine in the way that the icmps to 88.45.32.22 stopped completely :)
05:53 < zamba> the 10.8.0.9 is the internal openvpn routing, right?
05:53 < zamba> if i try to trace to 88.45.32.22 from my router, i see the following:
05:53 < zamba>  1  10.8.0.1  42.148 ms  42.279 ms  42.514 ms
05:53 < zamba> and then it stops
05:54 < zamba> oh! there
05:54 < zamba> masquerading rule :)
05:54 < zamba> on the openvpn server
05:57 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
05:57 < zamba> krzie: i'm sure you're able to help me here
05:57 < zamba> http://pastebin.com/MvKWpaTG
05:59 < krzie> looks like you figured it out
05:59 < krzie> nat rule was needed
06:00 < krzie> as far as that route, in the config just add route 88.45.32.22 255.255.255.255
06:00 < zamba> well.. i'm not quite there
06:01 < zamba> because hosts behind my local router isn't able to ping the host
06:01 < krzie> it will add a route for that subnet (or single host when using that netmask) to go over the vpn
06:01 < krzie> ahh so sharing a lan
06:01 < krzie> lan behind a client?
06:01 < zamba> yeah
06:01 < krzie> !clientlan
06:01 <+vpnHelper> krzie: "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route
06:01 <+vpnHelper> krzie: for a better explanation
06:01 < krzie> there ya go
06:01 < krzie> im gunna goto bed
06:01 < krzie> the bot can answer the rest from here ;]
06:02 < zamba> hm
06:02 < zamba> no, that's not the thing i'm looking for :)
06:02 < zamba> i have the lan routed
06:02 < zamba> that works fine
06:02 < krzie> umm
06:02 < krzie> and openvpn is running on your router...?
06:02 < zamba> # ping 192.168.1.6
06:02 < zamba> PING 192.168.1.6 (192.168.1.6) 56(84) bytes of data.
06:02 < zamba> 64 bytes from 192.168.1.6: icmp_seq=1 ttl=63 time=44.3 ms
06:02 < zamba> that's from the openvpn server
06:03 < zamba> pinging a host in the internal lan
06:03 < zamba> so that works just fine
06:03 < krzie> on the client lan, openvpn is on the router?
06:03 < zamba> yes
06:03 < krzie> then whats the problem...?
06:03 < zamba> and the router is able to ping 88.45.32.22, but not clients in its local lan
06:03 < krzie> oh right
06:04 < krzie> your server needs to NAT the client's lan subnet as well
06:04 < krzie> you are sending pings with source ip of the clients subnet ;)
06:05 < zamba> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -d 88.45.32.22 -j MASQUERADE
06:05 < zamba> on the server ^
06:05 < zamba> but still no icmps coming through
06:05 < krzie> traceroute it
06:06 < krzie> err i mean
06:06 < krzie> tcpdump it
06:06 < krzie> !linnat
06:06 <+vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
06:06 < krzie> also, what LAN subnet is the server on?
06:07 < zamba> the server is only on a public ip
06:07 < krzie> (ignore my !linnat, i dont use linux, was checking your nat line)
06:07 < zamba> oh, ok
06:07 -!- SDE [~SDE@93-97-41-44.zone5.bethere.co.uk] has quit [Read error: Connection reset by peer]
06:07 < zamba> but the server is only on a public ip.. no lan there
06:08 < zamba> oh, wait a sec :)
06:08 < zamba> could be my forwarding table :)
06:08 -!- SDE [~SDE@93-97-41-44.zone5.bethere.co.uk] has joined #openvpn
06:08 < zamba> argh, which it wasn't
06:08 < krzie> i still believe its something in your firewall
06:08 < krzie> simplify the shit outta it for testing
06:09 < zamba> set it to -P FORWARD ACCEPT
06:10 < krzie> not just forward
06:10 < zamba> hehe
06:10 < zamba> it was :)
06:10 < krzie> ahh, fixed?
06:10 < zamba> yeah :)
06:10 < zamba> totally my bad :)
06:10 < krzie> cool
06:10 < zamba> firewall on local router
06:22 -!- muh2000 [~muh2000@unaffiliated/muh2000] has joined #openvpn
06:22 < muh2000> hi all
06:23 < muh2000> i have a little problem. when the connection is idle, it somewhat drops. after a while it reconnects again and then drops again :(
06:25 < muh2000> log on the server  http://pastebin.org/310204
06:25 < Rienzilla> you can configure openvpn to send keepalives iirc
06:25 < muh2000> log on the client http://pastebin.org/310344
06:26 < muh2000> Rienzilla: keepalive is configure... keepalive 10 120
06:27 < muh2000> config on the server http://pastebin.org/310358
06:27 < |Mike|> it drops when you're not using the tunnel ? :)
06:28 < muh2000> config on the client http://pastebin.org/310361
06:28 < muh2000> |Mike|: yes
06:29 < |Mike|> i have dealt with that issue before, hmm
06:30 < muh2000> hmmm²
06:31 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 240 seconds]
06:31 < Rienzilla> is your openvpn client behind nat?
06:31 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
06:31 < muh2000> Rienzilla: no
06:32 < |Mike|> Rienzilla: it's the openvpn server which closes the inactive connection
06:33 < |Mike|> damn, i thought that i wrote something about it on my blog, but apparently i didn't
06:33 < muh2000> it is?
06:33 < |Mike|> muh2000: watch your server log :-)
06:33 < muh2000> |Mike|:  that? SIGUSR1[soft,ping-restart] received, client-instance restarting
06:34 < |Mike|> no, higher up as far as i can remember
06:35 < muh2000> hmmm
06:35 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
06:51 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
06:56 -!- EmperorTom [~EmperorTo@174-30-252-228.mpls.qwest.net] has joined #openvpn
06:58 -!- le0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has joined #openvpn
06:58 -!- le0 [~fin@cpc3-bele7-2-0-cust163.2-1.cable.virginmedia.com] has quit [Changing host]
06:58 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
06:59 < muh2000> |Mike|: do you still have the config where you fixed the issue?
07:04 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
07:05 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
07:06 -!- geemee [~ocs@mailhost.exterity.com] has joined #openvpn
07:07 < geemee> Is there a "suggested hardware" guide for OpenVPN? Curious about how to test capacity and the amount of users a server can handle
07:23 -!- Boka [~boca@200.74.240.44] has joined #openvpn
07:23 < Boka> anyone know good article/doc for setup openvpn tunneled over 2-3 servers, so basically client -> openvpn1 server -> openvp2 server -> internet (also dont mind paying small for help on the configuration)
07:29 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined #openvpn
07:49 -!- a1fa [~awef@unaffiliated/a1fa] has left #openvpn []
07:50 < muh2000> Boka: bridging ? or routing?
07:54 < hyper_ch> magic?
07:56 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
08:13 -!- You're now known as ecrist
08:15 -!- timothy1jones [~timothy@94.30.31.73] has joined #openvpn
08:17 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
08:29 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
08:31 -!- kmq [~kmq@85.159.13.90] has quit [Read error: Connection reset by peer]
08:32 < Jarpsel> hmm
08:48 -!- timothy1jones [~timothy@94.30.31.73] has left #openvpn ["Leaving"]
09:15 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
09:43 -!- [1]SDE [~SDE@93-97-41-44.zone5.bethere.co.uk] has joined #openvpn
09:45 -!- SDE [~SDE@93-97-41-44.zone5.bethere.co.uk] has quit [Ping timeout: 265 seconds]
09:45 -!- [1]SDE is now known as SDE
09:59 -!- chalet16 [~chalet16@110.164.68.140] has joined #openvpn
10:00 < chalet16> i have disable redirect-gateway in my server but when my client connect to server they get redirected?
10:00 <+vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: Selected trafic which goes into the VPN :: Reply by mark555 <https://forums.openvpn.net/viewtopic.php?f=15&t=7166&p=8139#p8139>
10:01 < chalet16> how can i disable redirect-gateway?
10:01 < chalet16> !welcome
10:01 <+vpnHelper> chalet16: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:02 < chalet16> !howto
10:02 <+vpnHelper> chalet16: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:02 < chalet16> !goal
10:02 <+vpnHelper> chalet16: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:05 -!- dyer [~voxeojohn@unaffiliated/voxeojohn] has joined #openvpn
10:05 -!- dyer [~voxeojohn@unaffiliated/voxeojohn] has quit [Remote host closed the connection]
10:06 -!- dyer [~voxeojohn@unaffiliated/voxeojohn] has joined #openvpn
10:09 -!- aegis [~aegis@74.102.94.215] has joined #openvpn
10:10 -!- chalet16 [~chalet16@110.164.68.140] has quit [Ping timeout: 240 seconds]
10:13 -!- ziroday [~nick@ubuntu/member/ziroday] has joined #openvpn
10:14 < ziroday> !goal
10:14 <+vpnHelper> ziroday: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:14 < ziroday> Hi, I would like to access the internet through the VPN server. I believe I have this all set up however for the life of me I can't get it to go past the server. Any ideas?
10:14 < Bushmills> !redirect
10:14 <+vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
10:15 -!- dyer [~voxeojohn@unaffiliated/voxeojohn] has left #openvpn []
10:15 < ziroday> Bushmills: lemme double check, but I think I did all of those
10:15 < ziroday> (or actually let me pastebin)
10:15 < ziroday> is there a way to message the bot (and not flood the channel)?
10:15 < Bushmills> then it's probably a firewall issue
10:16 < Bushmills>  /query vpnHelper
10:17 < ziroday> it tells me the "Error "foo" is not a valid command"
10:17 < ziroday> !def1
10:17 < ecrist> I would try not using foo
10:17 <+vpnHelper> ziroday: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
10:17 < ziroday> ecrist: funny.
10:17 < ziroday> okay check to def1
10:18 < ziroday> !ipforward
10:18 <+vpnHelper> ziroday: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
10:18 < ziroday> !linipforward
10:18 <+vpnHelper> ziroday: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
10:18 < ziroday> check. Did that. Thrice.
10:18 -!- gyyrog [~gyyrog@96-36-48-82.static.aldl-nbb.mi.charter.com] has joined #openvpn
10:18 < ecrist> ziroday: you can see here:
10:18 < ecrist> !factoids
10:18 <+vpnHelper> ecrist: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
10:18 < ziroday> ecrist: fantastic, thanks!
10:18 < ecrist> that's all factoids on a web page, easy to read
10:19 < ecrist> I should fix that script, it hasn't updated since Sep 23
10:19 < ecrist> not that there have been a lot of updates, though
10:19 -!- gyyrog [~gyyrog@96-36-48-82.static.aldl-nbb.mi.charter.com] has left #openvpn []
10:20 < ziroday> okay I believe I have done all those. Let me pastebin the relevant info
10:21 < muh2000> is it possible to change the metric of a route made by the openvpn client?
10:21 < Bushmills> do you use a provider-agnostic name server?
10:21 < ziroday> Bushmills: pardon? Where would I define that?
10:22 < Bushmills> try pinging 74.125.43.99 . if  there is a reply, name server may be the issue
10:23 < Bushmills> problem is, many internet access providers allow use of their recursive name server (for resolving host names) only from ip addresses within their net 
10:24 < Bushmills> once you redirect all traffic through an openvpn server, the address from where the dns requests origin from may be outside of their net, denying use of their name server
10:26 < ziroday> Bushmills: nope, no connection. (I did try domain names and IP addresses)
10:26 < ziroday> here is all the diagnostic info http://pastebin.com/i9Zs7qSi is there anything I'm missing?
10:27 -!- ax_ [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has quit [Ping timeout: 264 seconds]
10:27 < Bushmills> then it is your firewall, blocking traffic
10:28 -!- ax_ [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has joined #openvpn
10:28 < ziroday> but I stuck the NAT rule in there, and flushed everything else
10:28 < Bushmills> there's no hint that you enabled ip forwarding
10:28 < ziroday> how can I prove that?
10:29 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
10:29 < Bushmills> depends on operating system
10:29 < ziroday> (I ran the echo 1 > /proc/sys/net/ipv4/ip_forward command at least three times)
10:29 < ziroday> Debian Stble
10:29 < Bushmills> cat /proc/sys/net/ipv4/ip_forward
10:30 < ziroday> response is 1
10:30 < ziroday> (so yes, correct?)
10:30 < atan> ziroday, I didn't see your topic but I assume you're having issues using openvpn as a proxy-type setup?
10:30 < ziroday> atan: yep!
10:30 < ziroday> atan: want to reroute traffic through the VPN server
10:30 < atan> ziroday, yes. I was in your boat earlier this month. One moment... need to dig out a line of code for you.
10:31 < atan> What OS? Debian?
10:31 < ziroday> atan: aye
10:31 < atan> Rock on.
10:31 < atan> And let me guess...
10:31 < atan> It connects, but rerouting no-workie?
10:31 < ziroday> atan: now now, don't get my hopes up
10:31 < atan> ziroday, are you using a static key or some other auth?
10:31 < atan> I'll guess static?
10:31 < ziroday> atan: certificate
10:32 < ziroday> (using the easy-rsa examples)
10:32 < Bushmills> pastebin output of   iptables -nvL
10:32 < atan> Hmm. Okay, well at least that part of it is working for you then?
10:32 < atan> On your client config ensure you have the line "proto tcp-client"
10:32 < ziroday> Bushmills: http://pastebin.com/fwk9zhNv
10:33 < atan> And "redirect-gateway def1"
10:33 < ziroday> atan: I have "proto tcp" and yes to "redirect-gateway def1". (you can see http://pastebin.com/i9Zs7qSi)
10:33 < ziroday> Bushmills: I flushed *everything*
10:34 < atan> ziroday, and your server config should have "proto tcp-server" and "push "redirect-gateway def1""
10:34 < atan> reload it all with /etc/init.d/openvpn restart
10:35 < ziroday> just to triple check the iptables rerouting command in this case would be iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o venet0:0-00 -j MASQUERADE right?
10:35 < atan> Hmm... you're using a 172 ip range then eh?
10:36 < atan> I have 10.8 in all my setups... they work, I don't fsck with it... :|
10:36 < ziroday> atan: no cookie on the proto tcp-server. Still fails.
10:37 < ecrist> krzie: fixed the factoids web page so it uses the right DB now.  was still pointing to ##openvpn
10:37 < Bushmills> ziroday, output of   iptables -t nat -vL  ?
10:37 < atan> ziroday, Hey just for me swap over to 10.8 would ya? throw ifconfig 10.8.0.1 10.8.0.2
10:37 < atan>  in the server config
10:37 < ziroday> Bushmills: http://pastebin.com/RcmxT5De
10:37 < ziroday> atan: sure, gimme a sec
10:37 < atan> then iptables -t nat -A POSTROUTING -s "10.8.0.0/24"  -j MASQUERADE
10:38 < ziroday> atan: yep
10:38 < atan> Your client config should also say ifconfig 10.8.0.2 10.8.0.1
10:38 < Bushmills> if venet0:0-00 the proper WAN interface?
10:38 < ecrist> ping RichiH 
10:39 < atan> ziroday, I kicked myself for hours about this when I was getting it all setup. You have no idea how much hair was lost during the process.
10:39 < ziroday> Bushmills: http://pastebin.com/X9ptW3SA
10:39 < ziroday> urgh, and my desktop has just decided to take a dump
10:39  * ziroday waits for it to decide to start thinking again
10:39 < ziroday> Bushmills: oh crap.
10:40 < ziroday> I see it!
10:41 < atan> ziroday, reload of course... cigar? 
10:41 < ziroday> atan: un minuto. I think I spotted my problem
10:41 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left #openvpn []
10:42 < ziroday> ah FFS.
10:43 < ziroday> there was a type in the iptables command. Should of been -o venet0:0 not -o venet0:0-00
10:43 < ziroday> but still no luck connecting.
10:45 < ziroday> oh you sweet bastard. The correct interface is venet0.
10:45  * atan thinks none of that, and to use  iptables -t nat -A POSTROUTING -s "10.8.0.0/24"  -j MASQUERADE
10:45  * ziroday does a little victory dance
10:45 < ziroday> thanks Bushmills, atan and ecrist!
10:45 < ziroday> I owe you all a cold drink and/or something yummy
10:45  * atan thinks someone else spotted the more technical error... the he|| is nenet0 O_O :P
10:46 < atan> Hey ziroday, remember that iptabels will flush when you reboot
10:46 < atan> Save your iptables into something that loads it when the network comes up
10:46 < ziroday> atan: yeah, its all scripted
10:46 < ziroday> atan: I have my cute little iptables-up script in /etc/network/interfaces all ready to go
10:47 < atan> ^_^
10:47 < Bushmills> ziroday, i'll ask my local pub whether they accept paypal
10:47 < ziroday> Bushmills: haha
10:49 < muh2000> how can i add a metric to push route.....?
10:50 < Bushmills> --route network/IP [netmask] [gateway] [metric]
10:50 < atan> muh2000, I'm not sure but I would assume you don't ask the imperial cooperation.
10:50 < Bushmills> i'd suggest having a look at the man page
10:50 < muh2000> Bushmills: thnx :)
10:50 < atan> What's a metric?
10:52 < muh2000> i thought there had to be some extra metric n command like the route command has... ^^
10:52 < muh2000> anyway it is working now :)
10:52 < Bushmills> a value which allows routing to determine preferred routes 
10:53 < atan> Bushmills, so one might use it on a server with two network cards, to tell it to route local traffic over the local network?
10:55 < Bushmills> no. you set metrik according your preference of route. be it shortest. cheapest, most reliable, and such
10:55 < Bushmills> you could just as well delete the less preferable routes
10:56 < Bushmills> they make sense with routing protocols and dynamically updated routes
10:58 -!- HoboStea- is now known as HoboSteaux
11:03 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
11:05 -!- WormFood [~wormfood@183.38.15.247] has quit [Ping timeout: 245 seconds]
11:07 -!- nb [~nb@fedora/GSWoT.Member.nb] has quit [Read error: Connection reset by peer]
11:09 -!- nb [~nb@fedora/GSWoT.Member.nb] has joined #openvpn
11:12 -!- Boka [~boca@200.74.240.44] has quit []
11:13 -!- muh2000 [~muh2000@unaffiliated/muh2000] has quit [Read error: Operation timed out]
11:14 -!- muh2000 [~muh2000@unaffiliated/muh2000] has joined #openvpn
11:16 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
11:17 -!- WormFood [~wormfood@183.38.12.230] has joined #openvpn
11:30 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has quit [Ping timeout: 276 seconds]
11:32 -!- Meliorator [m@dunnington.eu] has quit [Ping timeout: 276 seconds]
11:34 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
11:38 -!- geemee [~ocs@mailhost.exterity.com] has quit [Read error: Connection reset by peer]
11:40 -!- ttthhhh [~ttthhhd@out-pq-254.wireless.telus.com] has joined #openvpn
11:41 -!- ttthhhh [~ttthhhd@out-pq-254.wireless.telus.com] has quit [Client Quit]
11:44 -!- MadTBone [~MadTBone@160.39.238.196] has joined #openvpn
11:46 -!- onats [~onats@unaffiliated/onats] has joined #openvpn
11:46 < onats> hi guys, yes my problem is my firewall...
11:47 < onats> how do i trace the packets if it gets dropped in the FW?
11:48 < Bushmills> show firewall stats, updated frequently. then let a few packets loose
11:48 < Bushmills> watch the stats change
11:48 < onats> bushmill, how do i get the FW stats?
11:49 < onats> im on a router with DD-wrt, and not too familiar with the tools there
11:49 < Bushmills> the docs of your particular firewall software might be able to tell you
11:49 < onats> its iptables
11:49 < Bushmills> iptables -nvL
11:49 < onats> there we go
11:49 < Bushmills> while :; clear; iptables -vnL; sleep 1; done
11:50 < Bushmills> i forgot a "do" just left of clear
11:50 < onats> what does that do?
11:51 < onats> its weird coz i can ping the router from one end, but the machines behind the primary site can't be reached from the remote sites
11:51 < Bushmills> that refreshes display with output of iptables -nvL once per second
11:52 < Bushmills> !route
11:52 <+vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:10 < onats> thanks for that
12:10 < onats> i have an old config, some of it may no longer be working
12:25 <+vpnHelper> RSS Update - forum: Server Administration :: Problem with CN in unicode. :: Author forth <https://forums.openvpn.net/viewtopic.php?f=4&t=7196&p=8140#p8140>
12:34 -!- Meliorator [m@dunnington.eu] has joined #openvpn
12:34 -!- Meliorator [m@dunnington.eu] has quit [Excess Flood]
12:35 -!- Meliorator [m@dunnington.eu] has joined #openvpn
12:40 < RichiH> ecrist: pong
12:55 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
12:55 <+vpnHelper> RSS Update - forum: Server Administration :: Re: IP address lease 0.0.0.0 has been denied :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7189&p=8141#p8141>
13:00 -!- dazo is now known as dazo_afk
13:06 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
13:06 <+vpnHelper> RSS Update - forum: Server Administration :: Re: IP address lease 0.0.0.0 has been denied :: Reply by libove <https://forums.openvpn.net/viewtopic.php?f=4&t=7189&p=8142#p8142>
13:13 <+vpnHelper> RSS Update - forum: Server Administration :: Re: IP address lease 0.0.0.0 has been denied :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7189&p=8143#p8143>
13:35 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has joined #openvpn
13:42 -!- hyper__ch [~hyper_ch@ks357331.kimsufi.com] has joined #openvpn
13:44 -!- hyper_ch [~hyper_ch@91.121.147.34] has quit [Ping timeout: 276 seconds]
13:44 -!- hyper__ch is now known as hyper_ch
14:06 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 276 seconds]
14:08 <+vpnHelper> RSS Update - forum: Server Administration :: Re: IP address lease 0.0.0.0 has been denied :: Reply by libove <https://forums.openvpn.net/viewtopic.php?f=4&t=7189&p=8144#p8144>
14:08 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has joined #openvpn
14:16 -!- lattera [~lattera@174-27-188-152.slkc.qwest.net] has joined #openvpn
14:16 < lattera> I'm working on getting the authsqlite plugin working in an openvpn install on pfSense
14:16 < lattera> the plugin is at http://www.trooth.cc/projects/authsqlite/
14:16 <+vpnHelper> Title: OpenVPN authentication plugin with SQLite backend (at www.trooth.cc)
14:16 < lattera> when I try to run openvpn, I get the following error:
14:17 < lattera> Tue Oct 19 13:01:33 2010 PLUGIN_INIT: could not load plugin shared object /vpn/lib/authsqlite.so: Service unavailable: Invalid argument (errno=22)
14:17 < lattera> anyone know why that's happening and/or how to fix it?
14:27 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 250 seconds]
14:30 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 265 seconds]
14:34 -!- BoomSie [~gideon@84-245-27-118.dsl.cambrium.nl] has joined #openvpn
14:38 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:52 -!- BoomSie [~gideon@84-245-27-118.dsl.cambrium.nl] has quit [Read error: Connection reset by peer]
15:08 -!- BoomSie [~gideon@84-245-27-118.dsl.cambrium.nl] has joined #openvpn
15:12 -!- krzee [~k@ftp.secure-computing.net] has joined #openvpn
15:12 -!- krzee [~k@ftp.secure-computing.net] has quit [Changing host]
15:12 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
15:15 -!- krzee [~k@openvpn/community/support/krzee] has quit [Client Quit]
15:16 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
15:17 -!- mechbangirc [~mechbangi@mbl-65-157-175.dsl.net.pk] has joined #openvpn
15:18 < mechbangirc> hi i am using centos. update-resolv-conf has an entry for /sbin/resovconf, i dont have this script where do i find it?
15:18 < mechbangirc> i installed bind-utils but i couldn't find resolvconf script there
15:18 < krzee> its a package you can install
15:19 < krzee> http://www.grid-appliance.org/wiki/index.php/How_to_install_resolvconf_on_Linux
15:19 <+vpnHelper> Title: How to install resolvconf on Linux - Grid-Appliance Wiki (at www.grid-appliance.org)
15:20 < mechbangirc> thanks guys
15:25 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 264 seconds]
15:25 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
15:26 -!- mechbangirc [~mechbangi@mbl-65-157-175.dsl.net.pk] has quit [Ping timeout: 240 seconds]
15:30 < Noble> What is best tutorial for openvpn on the net? I have limited time, and would like a quick overview.
15:39 < Noble> Nevermind, the docs on the website seems brilliant <3
15:39 < Noble> Is it really worth the hassle to set up SSL in stead of static key if there are only 1 person using the service? 
15:40 < Noble> Given that the key is stored safely, obviously.
15:40 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
15:41 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
16:01 < Noble> !goal
16:01 <+vpnHelper> Noble: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:08 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.10/20100914125854]]
16:24 <+vpnHelper> RSS Update - forum: Configuration :: Re: [server] Inactivity timeout (--ping-restart), restarting :: Reply by ... <https://forums.openvpn.net/viewtopic.php?f=6&t=7181&p=8145#p8145>
16:25 < |Mike|> muh2000: not really
16:25 < muh2000> hmmm
16:25 < muh2000> damn
16:25 < muh2000> anyway i think ping 15 on the client made it more stable...
16:26 -!- omg^ [~omg@host86-137-252-166.range86-137.btcentralplus.com] has joined #openvpn
16:27 -!- omg^ [~omg@host86-137-252-166.range86-137.btcentralplus.com] has quit [Client Quit]
16:30 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
16:35 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Ping timeout: 272 seconds]
16:49 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
16:50 -!- dvl [~Dan@pdpc/supporter/active/dvl] has joined #openvpn
16:54 < dvl> trying to get a new client connected to a long-running server.  Exisitng clients are working fine. Not sure of the cause of this error seen on the server: VERIFY ERROR: depth=0, error=unable to get local issuer certificate .... & TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
16:54 < dvl> It sounds to me like the server doesn't know who issued the cert.  Let me check the failing client cert with a known working client cert.
16:55 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
16:59 < krzee> !certverify
16:59 <+vpnHelper> krzee: "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
17:01 < dvl> krzee: guess what: error 20 at 0 depth lookup:unable to get local issuer certificate
17:01 < dvl> :)
17:05 < dvl> I think I used the wrong CA
17:05 -!- Mika is now known as MiKa_
17:06 < dvl> I am glad for good backups
17:17 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:24 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
17:27 -!- lattera [~lattera@174-27-188-152.slkc.qwest.net] has quit [Quit: Leaving]
17:34 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 252 seconds]
17:38 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
17:41 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Ping timeout: 240 seconds]
17:56 -!- MadTBone [~MadTBone@gw.msmnyc.edu] has joined #openvpn
18:08 < dvl> found my error.  Creating stuff with the wrong ca... DOH
18:16 < krzee> =]
18:38 -!- ax_ [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has quit [Changing host]
18:38 -!- ax_ [~sc@unaffiliated/asgw] has joined #openvpn
18:41 < dvl> I think I found the right one...
18:43 < krzee> just take the ca file from a working client, and test it with !certverify
18:43 < krzee> if that works, use it
18:43 < krzee> ca.crt is likely the same everywhere
18:45 < oc80z> whats good
18:46 < dvl> krzee: Yes, it was the same on all clients, but that ca.cert is also used to create new clients?
18:46 < dvl> that was my problem, I could create a new cert signed by all the others.
18:46 < dvl> sorry.. I was creating a cert signed by the wrong ca
18:47 < dvl> So now that i've found the right ca
18:47 < dvl> ...
18:47 < krzee> ahh
18:48 < krzee> actually its the ca.key that signs new clients... otherwise yes
18:49 < dvl> krzee: and yeah, I figured if I had the wrong ca.crt file, which was what I was comparing, I figured I had the wrong ca
18:51 < krzee> ahh
18:51 < dvl> progress.
18:52 < dvl> now, for the DNS.
18:57 <+vpnHelper> RSS Update - forum: Configuration :: Re: [server] Inactivity timeout (--ping-restart), restarting :: Reply by ... <https://forums.openvpn.net/viewtopic.php?f=6&t=7181&p=8146#p8146>
19:10 -!- EmperorTom [~EmperorTo@174-30-252-228.mpls.qwest.net] has quit [Remote host closed the connection]
19:24 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
19:25 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
19:31 -!- meepmeep [meepmeep@212.24.104.229] has quit [Write error: Broken pipe]
19:31 -!- meepmeep_ [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn
19:31 -!- Rienzilla [rien@sinas.rename-it.nl] has quit [Quit: Lost terminal]
19:35 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
19:35 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
19:35 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
19:37 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
19:37 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
19:37 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
19:42 -!- onats [~onats@unaffiliated/onats] has quit [Quit: onats]
19:45 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
19:51 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
19:58 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
20:02 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 276 seconds]
20:03 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
20:07 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
20:15 -!- MadTBone [~MadTBone@gw.msmnyc.edu] has quit [Disconnected by services]
20:15 -!- MadTBone_ [~MadTBone@gw.msmnyc.edu] has joined #openvpn
20:29 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
20:32 -!- jpalmer_ [~jpalmer@208.51.3.136] has joined #openvpn
20:32 -!- hyper__ch [~hyper_ch@ks357331.kimsufi.com] has joined #openvpn
20:36 -!- patelx [patel@vortex.openvpn.net] has joined #openvpn
20:38 -!- openvpn2009 [patel@openvpn/corp/admin/patel] has quit [Ping timeout: 276 seconds]
20:38 -!- Meliorator [m@dunnington.eu] has quit [Ping timeout: 276 seconds]
20:38 -!- dazo_afk [~dazo@openvpn/community/developer/dazo] has quit [Ping timeout: 276 seconds]
20:38 -!- havoc [~havoc@neptune.chaillet.net] has quit [Ping timeout: 276 seconds]
20:38 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 276 seconds]
20:38 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Ping timeout: 276 seconds]
20:38 -!- cron2 [~gert@openvpn/community/developer/cron2] has quit [Ping timeout: 276 seconds]
20:38 -!- hyper__ch is now known as hyper_ch
20:38 < oc80z> !bonding
20:38 <+vpnHelper> oc80z: Error: "bonding" is not a valid command.
20:38 -!- _Meliorator [m@dunnington.eu] has joined #openvpn
20:38 -!- havoc_ [~havoc@neptune.chaillet.net] has joined #openvpn
20:38 -!- dazol [~dazo@nat/redhat/session] has joined #openvpn
20:38 -!- dazol [~dazo@nat/redhat/session] has quit [Changing host]
20:38 -!- dazol [~dazo@nat/redhat/x-qhmhkzcohibxwaje] has joined #openvpn
20:39 -!- Netsplit *.net <-> *.split quits: Agin_, muh2000, smerz, kraut, Fiouz, zxvff, Visual`, Smirnov, krphop, x-demon,  (+3 more, use /NETSPLIT to show all of them)
20:39 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
20:39 < ecrist> oc80z: what're you looking for?  bridging?
20:39 < ecrist> !tunortap
20:39 <+vpnHelper> ecrist: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against
20:39 <+vpnHelper> ecrist: you over the vpn, or (#4) lan gaming? use tap!
20:39 < ecrist> !bridge
20:39 <+vpnHelper> ecrist: "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc, or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ, or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man)
20:41 -!- cron2 [~gert@kirk.greenie.muc.de] has joined #openvpn
20:42 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
20:42 -!- muh2000 [~muh2000@unaffiliated/muh2000] has joined #openvpn
20:42 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
20:42 -!- Agin_ [~Agin@greenzone.copyleft.no] has joined #openvpn
20:42 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
20:42 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined #openvpn
20:42 -!- nat2610 [~nfelsen@adsl-99-185-243-218.dsl.pltn13.sbcglobal.net] has joined #openvpn
20:42 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has joined #openvpn
20:42 -!- 50UAAS0KQ [martin@shell.ipv6.octocore.net] has joined #openvpn
20:42 -!- zxvff [shahid@dev.hockingits.com] has joined #openvpn
20:42 -!- Smirnov [~igor@about/csharp/ms/clrjit/smirnov] has joined #openvpn
20:42 -!- |Mike| [mike@2001:1af8:2:444::2] has joined #openvpn
20:42 -!- x-demon [xdemon@2001:ba8:1f1:f0b8:216:5eff:fe00:135] has joined #openvpn
20:47 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 240 seconds]
20:49 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
20:49 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
20:49 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
20:49 -!- Omanza [~Omanza@ip-137-34-149-91.dialup.ice.net] has joined #openvpn
20:59 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
21:04 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
21:04 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
21:04 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
21:11 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has quit [Remote host closed the connection]
21:16 -!- EmperorTom [~EmperorTo@174-30-252-228.mpls.qwest.net] has joined #openvpn
21:39 -!- linuxviewer [~example@ip70-162-145-222.ph.ph.cox.net] has joined #openvpn
21:39 < linuxviewer> What other ports does openvpn use other than 1194?
21:40 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
21:46 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
21:55 < theDoc> About any other port you want it to.
21:58 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
21:58 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
21:58 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
22:09 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
22:18 < Omanza> ecrist: How are you doing tonight. Are you going to be evil to the coders ?
22:38 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 272 seconds]
23:03 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
23:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
23:07 -!- linuxviewer [~example@ip70-162-145-222.ph.ph.cox.net] has quit []
23:13 < ecrist> don't think so, why?
23:14 < Omanza> So, you live only by what the tv or radio feeds you
23:14 < Omanza> Explain
23:15 < Omanza> You act upon what you see and you have feelings
23:18 < Omanza> ecrist: What do tou think mr crist fucker ?=
23:18 < Omanza> Tell me and us what you think
23:19 < Omanza> 2003 ecrist... what do you think ?
23:21 < Omanza> ecrist: Hmm, be patient or ill eat you again.
23:21 < Omanza> King eats pawn
23:22 < Omanza> But i rather like the reverse, Pawn Eats King
23:22 < Omanza> Both equally true
23:23 < Omanza> ecrist: You have a choice now.
23:24 < Omanza> What it is i dont care about.
23:25 < Omanza> Cheerio!
23:26 < ecrist> lol
23:27 -!- mode/#openvpn [+o ecrist] by ChanServ
23:27 -!- mode/#openvpn [+b *!*@ip-137-34-149-91.dialup.ice.net] by ecrist
23:27 -!- Omanza was kicked from #openvpn by ecrist [Omanza]
23:27 -!- mode/#openvpn [-o ecrist] by ecrist
23:29 < theDoc> skiddie incoming
23:30 < ecrist> ?
23:30 < ecrist> skiddie?
23:33 < ecrist> he pm'd me, but didn't say anything other than hello
23:33 < ecrist> *shrug*
23:33 < theDoc> script kiddie? I don't know, most of them like to do the whole, I eat you nonsnse.
23:35 < ecrist> ah
23:35 < ecrist> I'm not really worried about script kiddies.  most of them can't spell BSD.
23:35 < theDoc> lol
23:36 < ecrist> he picked the wrong person to play with today, though.
23:36 < theDoc> Did you knock him offline?
23:36 < ecrist> nah, I'm not that mean.
23:36 < ecrist> though, it wouldn't be hard.  I have enough boxen/bandwidth to do it
23:36 < theDoc> heh
23:39 < ecrist> it's been a while since I've had the priv of /kb someone
23:41 < theDoc> ecrist: Those people are hard to come by on fn.
23:41 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: brb, iphone]
23:49 -!- g0tcha` [~efnet@167-122.105-92.cust.bluewin.ch] has joined #openvpn
23:51 -!- ziroday [~nick@ubuntu/member/ziroday] has quit [Ping timeout: 265 seconds]
23:52 -!- g0tcha [~efnet@167-122.105-92.cust.bluewin.ch] has quit [Ping timeout: 264 seconds]
23:56 -!- ziroday [~nick@cm141.sigma236.maxonline.com.sg] has joined #openvpn
23:57 -!- ziroday [~nick@cm141.sigma236.maxonline.com.sg] has quit [Changing host]
23:57 -!- ziroday [~nick@ubuntu/member/ziroday] has joined #openvpn
--- Day changed Wed Oct 20 2010
00:09 -!- jpalmer_ [~jpalmer@208.51.3.136] has quit [Quit: leaving]
00:11 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined #openvpn
00:14 -!- aegis [~aegis@74.102.94.215] has quit [Ping timeout: 240 seconds]
00:17 -!- aegis [~aegis@74.102.94.215] has joined #openvpn
00:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
00:32 <+vpnHelper> RSS Update - forum: Configuration :: Re: [server] Inactivity timeout (--ping-restart), restarting :: Reply by ... <https://forums.openvpn.net/viewtopic.php?f=6&t=7181&p=8148#p8148>
01:17 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
01:17 -!- dazol is now known as dazo
01:17 -!- dazo [~dazo@nat/redhat/x-qhmhkzcohibxwaje] has quit [Changing host]
01:17 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
01:20 -!- BoomSie [~gideon@84-245-27-118.dsl.cambrium.nl] has quit [Quit: Ex-Chat]
01:20 <+vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: How does openvpn. ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7187&p=8128#p8128>
01:20 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
01:28 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
01:32 <+vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: Selected trafic which goes into the VPN :: Reply by mark555 <https://forums.openvpn.net/viewtopic.php?f=15&t=7166&p=8139#p8139>
01:40 -!- ziroday [~nick@ubuntu/member/ziroday] has quit [Ping timeout: 264 seconds]
01:42 -!- ziroday [~nick@cm141.sigma236.maxonline.com.sg] has joined #openvpn
01:42 -!- ziroday [~nick@cm141.sigma236.maxonline.com.sg] has quit [Changing host]
01:42 -!- ziroday [~nick@ubuntu/member/ziroday] has joined #openvpn
01:44 <+vpnHelper> RSS Update - forum: Off Topic, Related :: Windows 7 dont get an IP pushed :: Author ohpenvaupeen <https://forums.openvpn.net/viewtopic.php?f=1&t=7194&p=8134#p8134>
01:46 -!- ping-pong [~qwerty@212-30-223-89.static.simnet.is] has quit [Ping timeout: 252 seconds]
01:54 -!- ziroday [~nick@ubuntu/member/ziroday] has quit [Ping timeout: 276 seconds]
01:58 -!- ziroday [~nick@cm141.sigma236.maxonline.com.sg] has joined #openvpn
01:58 -!- ziroday [~nick@cm141.sigma236.maxonline.com.sg] has quit [Changing host]
01:58 -!- ziroday [~nick@ubuntu/member/ziroday] has joined #openvpn
02:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
02:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
02:04 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
02:04 -!- ping-pong [~qwerty@212-30-223-89.static.simnet.is] has joined #openvpn
02:07 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
02:08 <+vpnHelper> RSS Update - forum: Pay OpenVPN Service Provider Reviews/Comments :: Re: [Free VPN] VPN Steel :: Reply by Zero3K <https://forums.openvpn.net/viewtopic.php?f=21&t=7137&p=8147#p8147>
02:11 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
02:11 -!- mschiff [~mschiff@d000134.adsl.hansenet.de] has joined #openvpn
02:12 < mschiff> Hi all, does "tls-client" has any effect if "tls-auth" is also set on a client?
02:14 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
02:19 -!- Nickman [~Nickman@d5153743B.access.telenet.be] has joined #openvpn
02:20 < Nickman> !welcome
02:20 <+vpnHelper> Nickman: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:21 < Nickman> Is there a possibility to use LZO compression if the server has LZO1 built in (dd-wrt server, so cannot be changed) and the clients have LZO2 built in?
02:23 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
02:23 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
02:23 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:53 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
03:53 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Excess Flood]
03:53 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
04:11 < atan> Err, anyone kicking around here tonight? OpenVPN connects up on Windows but does not tunnel all traffic
04:11 < atan> same config works fine on a mac
04:11 < atan> oh wait there we go
04:11 < atan> It just wanted some time
04:13 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
04:13 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
04:13 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
04:26 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
04:29 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
04:35 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 252 seconds]
04:36 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
04:45 <+vpnHelper> RSS Update - forum: Server Administration :: Re: Changed Port Number to access web admin tool :: Reply by paddym <https://forums.openvpn.net/viewtopic.php?f=4&t=7193&p=8149#p8149>
05:02 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: hsg]
05:04 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
05:19 -!- ax_ [~sc@unaffiliated/asgw] has quit [Ping timeout: 264 seconds]
05:19 -!- ax_ [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has joined #openvpn
05:20 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
05:22 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
05:23 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
05:23 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
05:23 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
05:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
05:38 -!- le0 [~fin@cpc1-bele7-2-0-cust85.2-1.cable.virginmedia.com] has joined #openvpn
05:38 -!- le0 [~fin@cpc1-bele7-2-0-cust85.2-1.cable.virginmedia.com] has quit [Changing host]
05:38 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
05:38 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
05:43 -!- Nickman is now known as Nickman_OFF
05:44 -!- dvl [~Dan@pdpc/supporter/active/dvl] has left #openvpn ["Leaving"]
05:46 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has joined #openvpn
05:47 -!- Nickman_OFF is now known as Nickman
05:49 <+vpnHelper> RSS Update - forum: Server Administration :: OpenVPN :: Author mclogic <https://forums.openvpn.net/viewtopic.php?f=4&t=7197&p=8150#p8150>
05:52 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
05:52 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
05:53 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
05:56 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
06:05 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
06:09 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
06:10 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
06:20 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
06:41 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
06:41 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
06:42 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
06:56 -!- havoc_ is now known as havoc
07:03 -!- mrle0 [~fin@cpc2-bele7-2-0-cust229.2-1.cable.virginmedia.com] has joined #openvpn
07:04 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
07:13 -!- mrle0 [~fin@cpc2-bele7-2-0-cust229.2-1.cable.virginmedia.com] has quit [Quit: Leaving]
07:13 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
07:22 -!- gyyrog [~gyyrog@75-129-104-146.dhcp.trcy.mi.charter.com] has joined #openvpn
07:27 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
07:37 <+vpnHelper> RSS Update - forum: Server Administration :: Re: Max simultaneous client connections :: Reply by swautier <https://forums.openvpn.net/viewtopic.php?f=4&t=7188&p=8151#p8151>
07:42 -!- [intra]lanman [~lanman@12.200.95.45] has joined #openvpn
07:42 -!- [intra]lanman [~lanman@12.200.95.45] has quit [Changing host]
07:42 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
07:47 -!- gyyrog [~gyyrog@75-129-104-146.dhcp.trcy.mi.charter.com] has quit [Ping timeout: 252 seconds]
08:07 -!- gyyrog [~gyyrog@96-36-48-82.static.aldl-nbb.mi.charter.com] has joined #openvpn
08:23 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
08:25 -!- mechbangirc [~mechbangi@115-186-140-204.nayatel.pk] has joined #openvpn
08:26 < mechbangirc> what should be script-security level when client running in daemon mode?
08:31 -!- mechbangirc [~mechbangi@115-186-140-204.nayatel.pk] has quit [Ping timeout: 265 seconds]
08:37 <+vpnHelper> RSS Update - forum: Configuration :: Re: Routing problem :: Reply by russellmd <https://forums.openvpn.net/viewtopic.php?f=6&t=7126&p=8152#p8152>
08:39 -!- ax_ [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has quit [Ping timeout: 240 seconds]
08:41 -!- ax_ [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has joined #openvpn
08:41 -!- Jarpsel [~jarpse@cluon.soleus.nu] has quit [Ping timeout: 250 seconds]
08:44 -!- mechbangirc [~mechbangi@115-186-140-212.nayatel.pk] has joined #openvpn
08:49 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
08:52 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
08:53 -!- mechbangirc [~mechbangi@115-186-140-212.nayatel.pk] has quit [Ping timeout: 255 seconds]
09:11 -!- cron2 [~gert@kirk.greenie.muc.de] has quit [Changing host]
09:11 -!- cron2 [~gert@openvpn/community/developer/cron2] has joined #openvpn
09:12 -!- s7r [~s7r@188.27.109.56] has joined #openvpn
09:16 -!- mode/#openvpn [+o ecrist] by ChanServ
09:16 -!- mode/#openvpn [-b *!*@ip-137-34-149-91.dialup.ice.net] by ecrist
09:17 -!- mode/#openvpn [-o ecrist] by ecrist
09:22 -!- EmperorTom [~EmperorTo@174-30-252-228.mpls.qwest.net] has quit [Quit: leaving]
09:22 -!- EmperorTom [~EmperorTo@174-30-252-228.mpls.qwest.net] has joined #openvpn
09:58 -!- mrle0 [~fin@cpc13-bele7-2-0-cust182.2-1.cable.virginmedia.com] has joined #openvpn
10:00 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
10:05 -!- SOG [~SOG@222.125.227.167] has joined #openvpn
10:11 -!- mrle0 [~fin@cpc13-bele7-2-0-cust182.2-1.cable.virginmedia.com] has quit [Quit: Leaving]
10:13 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 272 seconds]
10:16 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:24 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
10:32 -!- SOG [~SOG@222.125.227.167] has quit [Remote host closed the connection]
10:32 -!- SOG [~SOG@113.116.92.173] has joined #openvpn
10:32 -!- SOG [~SOG@113.116.92.173] has quit [Client Quit]
10:42 -!- ziroday [~nick@ubuntu/member/ziroday] has quit [Ping timeout: 276 seconds]
10:43 -!- le0 [~fin@cpc13-bele7-2-0-cust182.2-1.cable.virginmedia.com] has joined #openvpn
10:43 -!- le0 [~fin@cpc13-bele7-2-0-cust182.2-1.cable.virginmedia.com] has quit [Changing host]
10:43 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
10:47 -!- ziroday [~nick@cm141.sigma236.maxonline.com.sg] has joined #openvpn
10:47 -!- ziroday [~nick@cm141.sigma236.maxonline.com.sg] has quit [Changing host]
10:47 -!- ziroday [~nick@ubuntu/member/ziroday] has joined #openvpn
10:48 -!- Boka [~boca@200.74.240.44] has joined #openvpn
10:48 < Boka> !seen adj
10:48 <+vpnHelper> Boka: I have not seen adj.
10:48 < Boka> !seen davidj
10:48 <+vpnHelper> Boka: I have not seen davidj.
10:48 -!- Boka [~boca@200.74.240.44] has quit [Client Quit]
10:50 <+vpnHelper> RSS Update - forum: Server Administration :: Administrator can download client.ovpn for other users? :: Author nebrera <https://forums.openvpn.net/viewtopic.php?f=4&t=7198&p=8153#p8153>
10:51 -!- Boka [~boca@200.74.240.44] has joined #openvpn
10:51 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
10:51 -!- Boka [~boca@200.74.240.44] has quit [Client Quit]
10:53 -!- Boka [~boca@200.74.240.44] has joined #openvpn
11:03 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined #openvpn
11:11 -!- Nickman is now known as Nickman_OFF
11:12 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
11:14 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
11:15 -!- Boka [~boca@200.74.240.44] has quit []
11:17 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
11:18 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 255 seconds]
11:18 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 265 seconds]
11:19 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 252 seconds]
11:20 -!- MadTBone_ [~MadTBone@gw.msmnyc.edu] has quit [Ping timeout: 272 seconds]
11:23 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
11:24 -!- BuSyAnToS [~31749@83-103-68-114.ip.fastwebnet.it] has joined #openvpn
11:24 < BuSyAnToS> !welcome
11:24 <+vpnHelper> BuSyAnToS: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:24 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
11:24 < BuSyAnToS> !goal
11:24 <+vpnHelper> BuSyAnToS: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:29 -!- dazo is now known as dazo_afk
11:30 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
11:32 -!- Boka [~boca@200.74.240.44] has joined #openvpn
11:33 -!- MadTBone_ [~MadTBone@160.39.238.196] has joined #openvpn
11:33 < Boka> silly question maybe, but do i have to create dh.pem on every server, or can i copy it along with the keys from the ca server?
11:34 < ecrist> copy it
11:34 < Boka> ok
11:35 -!- raidzx [~Andrew@seance.openvpn.org] has quit [Quit: Leaving]
11:35 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has joined #openvpn
11:35 -!- mode/#openvpn [+o raidz] by ChanServ
11:37 -!- patelx [patel@vortex.openvpn.net] has quit [Changing host]
11:37 -!- patelx [patel@openvpn/corp/admin/patel] has joined #openvpn
11:40 < patelx> .
12:06 < thordon> using openvpn on freebsd in bridge mode. can tcpdump traffic on the lan interface and on the bridge, but not on the tap0 device. what can be the problem ?
12:07 < thordon> i have the tap0 an the bridge not assigned an ip address. is this correct ?
12:07 < thordon> thank you 
12:09 < thordon> !goal
12:09 <+vpnHelper> thordon: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:09 < ecrist> thordon: you should be able to tcpdump data on tap0 without issue
12:09 < ecrist> I think.
12:13 < thordon> ecrist: mmh, so is it neccessary to give the tap0 device an the lan device an different ip address ?
12:14 < thordon> was thinking, that in bridge mode all interfaces are having the same ip
12:14 < ecrist> you're confusing IP with ethernet
12:14 < ecrist> if you bridge all interfaces, they share ethernet packets.
12:15 < ecrist> it also happens that IP is a layer up from ethernet, so a single IP on one interface will suffice for all.
12:15 < ecrist> that being said, 'best practice' seems to be to put the IP on the actual bridge virtual interface, rather than on lan or tap interfaces.
12:20 < thordon> ecrist: thanks, but i have tried. not working. can't sniffing traffic on tap0
12:20 < ecrist> what tcpdump cmd are you using?
12:21 < thordon> have read an internet article that this is the way discribed for linux. 
12:21 < thordon> tcpdump -i tap0
12:21 < thordon> or tcpdump -i tap0 -v
12:21 < ecrist> that works for me here.
12:21 < dogmeat> can i show current users on vpn?
12:21 < ecrist> dogmeat: if you have --status enabled in your config, yes
12:22 < ecrist> thordon: tcpdump -i tap0 works on both FreeBSD and Mac OS X (just tested)
12:22 < ecrist> if you're not seeing output, I'm guessing something's broken.
12:22 < thordon> ecrist: mmh, so i don't not what to do now. going to build if_bridge module into kernel
12:23 < ecrist> don't need to
12:23 < thordon> ecrist: Mac OS X is a FreeBSD ;)
12:23 < ecrist> if you're running a later version of bsd, it's already in the kernel
12:23 < patel> ^^ LOL
12:23 < ecrist> thordon: Mac OS X uses FreeBSD user land, the kernel is Mach 2.0 with some freebsd add-ins
12:23 < thordon> runningn 8.0 release
12:23 < ecrist> a significant difference.
12:23 < patel> "Mac OS X is a FreeBSD"
12:23 < patel> oh boy
12:24 < ecrist> thordon: then you don't need to compile in if_bridge option to the kernel, it's already there.
12:24 < thordon> ecrist: of course, you are right.
12:24 < ecrist> unless you're doing crazy things, the only thing I've had to compile a kernel for recently are PF_ALTQ, et al, and some obscure NFS bits
12:24 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
12:26 < thordon> net.inet.ip.forwarding: 1 , too
12:26 < thordon> grmpf
12:26 < ecrist> if you're doing routing, you'll need that
12:26 < ecrist> for just a bridge with no actual routing, you don't need that.
12:27 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
12:27 < thordon> i have heard i will need this in it to route between the interfaces. 
12:36 <+vpnHelper> RSS Update - forum: Server Administration :: Re: IP address lease 0.0.0.0 has been denied :: Reply by ecrist <https://forums.openvpn.net/viewtopic.php?f=4&t=7189&p=8154#p8154>
12:42 <+vpnHelper> RSS Update - forum: Off Topic, Related :: Re: Windows 7 dont get an IP pushed :: Reply by ecrist <https://forums.openvpn.net/viewtopic.php?f=1&t=7194&p=8155#p8155>
12:48 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
12:49 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Read error: Connection reset by peer]
12:49 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
12:51 < Boka> im copying dh1024.pem from ca server to other server, i was told i could copy it, but now the handshake is timing out. is it because of this? should i create the dh.pem on each server?
12:52 < krzee> doesnt matter... you sure can just make the dh on the server tho'
13:00 <+vpnHelper> RSS Update - forum: Server Administration :: Re: IP address lease 0.0.0.0 has been denied :: Reply by libove <https://forums.openvpn.net/viewtopic.php?f=4&t=7189&p=8156#p8156>
13:02 < Boka> krzee: so the timing out of the handshake cant be because of that then, right? any idea what can cause it? probably many things, but got the setup exactly the same as with other server..
13:02 < krzee> firewall
13:03 < Boka> ok, i thought about it when you wrote it probably
13:03 < Boka> ill check it
13:03 < krzee> =]
13:06 <+vpnHelper> RSS Update - forum: Configuration :: Re: [server] Inactivity timeout (--ping-restart), restarting :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7181&p=8157#p8157>
13:12 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
13:21 -!- MiKa_ [~MiKa@ip5657a511.direct-adsl.nl] has left #openvpn []
13:33 -!- _Meliorator [m@dunnington.eu] has quit [Ping timeout: 276 seconds]
13:34 -!- mschiff [~mschiff@d000134.adsl.hansenet.de] has quit [Ping timeout: 276 seconds]
13:39 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 276 seconds]
13:50 -!- s7r [~s7r@188.27.109.56] has quit [Ping timeout: 240 seconds]
14:03 -!- makomi_ [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
14:04 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Read error: Connection reset by peer]
14:04 -!- makomi_ is now known as makomi
14:05 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Read error: Connection reset by peer]
14:05 -!- makomi_ [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
14:07 -!- Agin_ [~Agin@greenzone.copyleft.no] has quit [Read error: Connection reset by peer]
14:07 -!- Agin [~Agin@greenzone.copyleft.no] has joined #openvpn
14:11 -!- makomi_ is now known as makomi
14:11 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-hjfspizkgioqvirn] has left #openvpn []
14:16 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
14:26 -!- gyyrog [~gyyrog@96-36-48-82.static.aldl-nbb.mi.charter.com] has quit [Ping timeout: 252 seconds]
14:36 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:43 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has quit [Read error: Connection reset by peer]
14:49 < thordon> after starting/stoping openvpn, what does "nameserver: not found" mean. Nameserver is working on openvpn server 
14:50 -!- xro [~chatzilla@77-203.104-92.cust.bluewin.ch] has joined #openvpn
14:51 < xro> hi, i'm looking for an openVPN gui for windows...  What is the best solution?
14:54 < xro> openVPN gui is the only and the best solution?
14:55 < reiffert> yes.
14:55 < thordon> reiffert: hello nice to see you. greetings from #chillout
14:56 < reiffert> ah!
14:57 < reiffert> *Re-Greet*
14:59 < ecrist> xro: OpenVPN 2.1.3 comes with a GUI, afaik, it's the only one out there.
15:05 -!- xro [~chatzilla@77-203.104-92.cust.bluewin.ch] has quit [Read error: Connection reset by peer]
15:16 -!- d457k [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined #openvpn
15:16 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has quit [Read error: Connection reset by peer]
15:23 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
15:43 -!- s7r [s7r@86.55.242.58] has joined #openvpn
15:43 < s7r> hello
15:44 < s7r> i have installed openvpn gui on a windows 2008 server. i have in the client and server config redirect-gateway push-dhcp, etc. if i connect from windows xp everything works good but at this computer it does not change the default gateway
15:45 < Bushmills> !winroute
15:45 <+vpnHelper> Bushmills: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
15:48 < s7r> it shows as local connection, but if i open a website i have the vpn ip in internet
15:48 < s7r> if i enter the vpn ip from another computer, to view the page on port 80 it can't connect
15:49 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
15:54 < s7r> other ideas?
15:55 < Bushmills> yes.  coconut in tea might be nice
15:55  * Bushmills gives it a try
16:01 -!- s7r [s7r@86.55.242.58] has quit []
16:21 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
16:23 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
16:27 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
16:28 -!- nullm0dem [~nullm0dem@c-71-234-170-169.hsd1.vt.comcast.net] has joined #openvpn
16:31 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:30 -!- Meliorator [m@dunnington.eu] has joined #openvpn
17:30 -!- Meliorator [m@dunnington.eu] has quit [Max SendQ exceeded]
17:31 -!- Meliorator [m@dunnington.eu] has joined #openvpn
17:31 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:45 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
18:10 < ecrist> sup bitches?
18:10 < ecrist> I think I'm going to get drunk tonight.  should be a fun night on IRC
18:10 < |Mike|> your mom.
18:11 -!- mode/#openvpn [+o ecrist] by ChanServ
18:11 <@ecrist> that way, I'm ready
18:11 < |Mike|> ecrist: have fun, don't get to drunk :)
18:11 <@ecrist> lol
18:11 <@ecrist> a night of random op'ing?
18:11 <@ecrist> that's always good for a laugh
18:11 < |Mike|> or mass whoppin
18:11 !services. [ChanServ:#openvpn] ecrist enabled the VERBOSE flag
18:11 < |Mike|> o dear.
18:12 !services. [ChanServ:#openvpn] ecrist set flags +O on *!*@*.
18:12 <@ecrist> lol
18:12 < |Mike|> krzie: psst, ecrist is a n00b with chanserv :P
18:13 <@ecrist> think so?
18:13 -!- mode/#openvpn [+o |Mike|] by ChanServ
18:13 <@ecrist> muahaha
18:13 -!- mode/#openvpn [-o ecrist] by ecrist
18:13 <@|Mike|> zomg!
18:13 -!- Irssi: #openvpn: Total of 100 nicks [2 ops, 0 halfops, 1 voices, 97 normal]
18:13 -!- mode/#openvpn [-o |Mike|] by |Mike|
18:13 < ecrist> lame sauce
18:14 < |Mike|> cup cake
18:14 < ecrist> start talking like the script kiddies from last night
18:14 < ecrist> or Mike Tyson
18:14 < ecrist> I'm gonna eat chyour childrin
18:14 < |Mike|> script kiddies from last night?
18:15 < ecrist> yeah, someone came in here, picked me out of the crowd, and just randomly started saying shit
18:15 < |Mike|> asin, gcc -o bla.c bla && ./bla ?
18:16 < ecrist> http://pastebin.ca/1968484
18:18 !services. [ChanServ:#openvpn] ecrist set flags -O on *!*@*.
18:18 !services. [ChanServ:#openvpn] ecrist disabled the VERBOSE flag
18:19 < |Mike|> haha, funny guy :P
18:24 < krzie> [16:17]  <ecrist> yeah, someone came in here, picked me out of the crowd, and just randomly started saying shit
18:25 < krzie> heh, i missed that one
18:45 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
18:49 < ecrist> yeah, it was fun for a minute
18:49 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
19:19 -!- STF_ [~chatzilla@dslb-084-061-191-250.pools.arcor-ip.net] has joined #openvpn
19:19 -!- STF_ is now known as STF
19:41 -!- g0tcha [~efnet@167-122.105-92.cust.bluewin.ch] has joined #openvpn
19:44 -!- g0tcha` [~efnet@167-122.105-92.cust.bluewin.ch] has quit [Ping timeout: 255 seconds]
19:46 <+vpnHelper> RSS Update - forum: Server Administration :: Re: Changed Port Number to access web admin tool :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7193&p=8158#p8158>
19:46 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined #openvpn
19:52 <+vpnHelper> RSS Update - forum: Server Administration :: Re: Max simultaneous client connections :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7188&p=8159#p8159>
20:01 -!- p3rror [~mezgani@adsl196-89-98-206-196.adsl196-4.iam.net.ma] has joined #openvpn
20:20 -!- STF is now known as Guest12437
20:20 -!- Guest12437 [~chatzilla@dslb-084-061-191-250.pools.arcor-ip.net] has quit [Read error: Connection reset by peer]
20:30 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
20:31 -!- RichiH [~richih@freenode/staff/richih] has left #openvpn []
20:50 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
21:07 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 276 seconds]
21:21 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has quit [Read error: Connection reset by peer]
21:41 -!- SDE [~SDE@93-97-41-44.zone5.bethere.co.uk] has quit [Ping timeout: 240 seconds]
21:44 -!- nullm0dem [~nullm0dem@c-71-234-170-169.hsd1.vt.comcast.net] has quit [Quit: Leaving]
21:46 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 276 seconds]
21:50 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
21:51 -!- ax_ [~sc@cpc7-watf9-2-0-cust451.15-2.cable.virginmedia.com] has quit [Quit: Ex-Chat]
21:54 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
21:56 -!- s7r [~s7r@188.27.109.56] has joined #openvpn
22:00 < s7r> !winroute
22:00 <+vpnHelper> s7r: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
22:00 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
22:11 -!- SDE [~SDE@93-97-41-44.zone5.bethere.co.uk] has joined #openvpn
22:20 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
23:00 -!- Boka [~boca@200.74.240.44] has quit []
23:05 -!- aegis [~aegis@74.102.94.215] has quit [Ping timeout: 240 seconds]
23:06 -!- aegis [~aegis@74.102.94.215] has joined #openvpn
23:33 -!- d1b [~db@d1b.org] has quit [Remote host closed the connection]
23:35 -!- p3rror [~mezgani@adsl196-89-98-206-196.adsl196-4.iam.net.ma] has quit [Quit: Leaving]
23:48 -!- Boka [~boca@200.74.240.44] has joined #openvpn
23:48 < Boka> !seen davidj
23:48 <+vpnHelper> Boka: I have not seen davidj.
23:51 < Boka> anyone have experience having openvpn server bridge to tor socks? or any socks in general.
23:51 < Boka> or know good article.
23:52 < Boka> !goal
23:52 <+vpnHelper> Boka: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
23:53 < Boka> !goal I would like to route my OpenVPN server through TOR socks, which runs on the same server. So setup would be, client -> openvpn -> tor -> tor network (internet)
23:53 <+vpnHelper> Boka: Error: "goal" is not a valid command.
23:53 < Boka> goal: I would like to route my OpenVPN server through TOR socks, which runs on the same server. So setup would be, client -> openvpn -> tor -> tor network (internet)
23:53 < Boka> need some help
23:54 < Boka> !seen wolfy
23:54 <+vpnHelper> Boka: I have not seen wolfy.
23:54 < Boka> !seen wolffy
23:54 <+vpnHelper> Boka: I have not seen wolffy.
23:56 < Boka> if someone can help, can reward his help with some $ if needed.
--- Day changed Thu Oct 21 2010
00:14 -!- batrick [~batrick@batbytes.com] has quit [Ping timeout: 240 seconds]
00:15 -!- batrick [~batrick@batbytes.com] has joined #openvpn
00:32 -!- d457k [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has quit [Ping timeout: 276 seconds]
00:45 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
00:48 -!- d457k [~heiko@vpn.astaro.de] has joined #openvpn
00:57 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
00:59 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
00:59 <+vpnHelper> RSS Update - forum: Configuration :: Setting Up A Router :: Author OrangeJuice <https://forums.openvpn.net/viewtopic.php?f=6&t=7199&p=8160#p8160>
01:04 <+vpnHelper> RSS Update - forum: Server Administration :: Re: ethernet tunnel (not bridge) random PING problem :: Reply by ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7099&p=8161#p8161>
01:33 -!- mschiff [~mschiff@p54BFCA47.dip.t-dialin.net] has joined #openvpn
01:35 -!- Nickman_OFF is now known as Nickman
01:48 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
01:49 -!- mschiff [~mschiff@p54BFCA47.dip.t-dialin.net] has quit [Read error: Operation timed out]
01:50 -!- Link [~Link@173.236.42.43] has joined #openvpn
01:50 -!- mschiff [~mschiff@p54BFCA47.dip.t-dialin.net] has joined #openvpn
01:50 -!- Link is now known as theDoc_
01:50 -!- theDoc_ [~Link@173.236.42.43] has quit [Changing host]
01:50 -!- theDoc_ [~Link@unaffiliated/thedoc] has joined #openvpn
01:54 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 265 seconds]
01:59 < Nickman> i there a way to push out computer names over OpenVPN without an additional DNS server?
02:04 -!- Sp0tteh-Home [~Sp0tteh-H@ppp118-210-86-229.lns20.adl2.internode.on.net] has joined #openvpn
02:04 -!- theDoc_ is now known as theDoc
02:13 -!- mschiff [~mschiff@p54BFCA47.dip.t-dialin.net] has quit [Read error: Operation timed out]
02:16 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
02:22 -!- Boka [~boca@200.74.240.44] has quit []
02:24 -!- dazo_afk is now known as dazo
02:28 -!- mschiff [~mschiff@p54BFCA47.dip.t-dialin.net] has joined #openvpn
02:34 < hyper_ch> computernames?
02:34 -!- mschiff [~mschiff@p54BFCA47.dip.t-dialin.net] has quit [Read error: Operation timed out]
02:37 < Nickman> yes hyper_ch, I can access computers on the remote VPN network by IP address, but not by their "name"
02:37 < hyper_ch> you give your computers names?
02:38 < reiffert> Nickman: then your local computer cant resolve them.
02:39 < Nickman> any idea how I can solve that, without the need for an external DNS server on the remote network?
02:39 < reiffert> Nickman: hosts file.
02:40 < Nickman> not possible trough the configuration file on the client I suppose?
02:41 < reiffert> you can push "echo foo bar" stuff and have a script on the client side collect all that.
02:42 < Nickman> but with an extra DNS server on the remote network this would be resolved by just pushing the IP address for that DNS server through the DHCP options?
02:42 < reiffert> Nickman: note that this DNS server does not need to be on the remote network.
02:42 < reiffert> it should answer on requests of vpn clients.
02:43 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
02:43 -!- raidzx [~Andrew@seance.openvpn.org] has joined #openvpn
02:45 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
02:45 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
02:45 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
02:47 < Bushmills> remote LAN probably has a name server which can resolve the host names on LAN already
02:48 -!- chantra_1fk [~chantra@ns38827.ovh.net] has joined #openvpn
02:48 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
02:48 -!- batrick_ [~batrick@batbytes.com] has joined #openvpn
02:48 < Nickman> I'm currently running OpenVPN server on a dd-wrt router
02:49 < Nickman> the router currently resolves the names, but when I pass the IP of the router as DNS server, it does not work?
02:50 < Bushmills> Nickman, configure your name server on router such that it both binds to openvpn interface and accepts requests from there.
02:51 < Bushmills> (assuming you mean that the router won't resolve queries, coming on over openvpn)
02:51 -!- ondrejk [~ondrejk@194.228.50.29] has joined #openvpn
02:52 < Bushmills> coming in
02:52 < ondrejk> hello, i have problem with one client connected to vpn, when i will reload openvpn can cause error in configuration file stop openvpn?
02:53 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:53 -!- Netsplit *.net <-> *.split quits: krzie, chantra_afk, abeehc, fbh, batrick, @raidz
02:53 -!- Netsplit *.net <-> *.split quits: takamichi, havoc, patel, Dougy, ccr_, Gokee2
02:54 -!- Netsplit *.net <-> *.split quits: DarthGandalf, bluegene
02:54 < Bushmills> ondrejk, log files should be able to tel
02:54 < Bushmills> tel
02:54 < Bushmills> tell
02:56 -!- Netsplit over, joins: patel, havoc, Gokee2, bluegene, takamichi, ccr_, Dougy, DarthGandalf
02:56 -!- Netsplit over, joins: fbh, krzie, abeehc
02:59 -!- ondrejk [~ondrejk@194.228.50.29] has left #openvpn []
03:26 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
03:29 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
03:36 -!- mschiff [~mschiff@tmo-101-155.customers.d1-online.com] has joined #openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:48 -!- Nickman is now known as Nickman_OFF
03:51 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
04:22 -!- abeehc [~bob@d207-6-195-163.bchsia.telus.net] has quit [Remote host closed the connection]
04:22 -!- abeehc [~bob@d207-6-195-163.bchsia.telus.net] has joined #openvpn
04:25 -!- x-demon [xdemon@2001:ba8:1f1:f0b8:216:5eff:fe00:135] has quit [Read error: Operation timed out]
04:25 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has quit [Read error: Operation timed out]
04:25 -!- muh2000 [~muh2000@unaffiliated/muh2000] has quit [Read error: Operation timed out]
04:25 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Read error: Operation timed out]
04:25 -!- 50UAAS0KQ [martin@shell.ipv6.octocore.net] has quit [Read error: Operation timed out]
04:26 -!- |Mike|_ [mike@2001:1af8:2:444::2] has joined #openvpn
04:26 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Read error: Operation timed out]
04:26 -!- |Mike| [mike@2001:1af8:2:444::2] has quit [Read error: Operation timed out]
04:26 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
04:26 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
04:27 -!- muh2000 [~muh2000@unaffiliated/muh2000] has joined #openvpn
04:27 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
04:28 -!- Nickman_OFF is now known as Nickman
04:29 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has joined #openvpn
04:29 <+vpnHelper> RSS Update - forum: Server Administration :: Problem with routes in Windows 7 :: Author CHEPERUN <https://forums.openvpn.net/viewtopic.php?f=4&t=7200&p=8162#p8162>
04:30 < Nickman> Is it possible to use lzo compressiong while my server has LZO1 and my client LZO2?
04:30 < Nickman> can I force the client to use LZO1, because I cannot modify the server
04:31 -!- muh2000 [~muh2000@unaffiliated/muh2000] has quit [Read error: Operation timed out]
04:31 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Read error: Operation timed out]
04:31 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Read error: Operation timed out]
04:32 -!- x-demon [xdemon@2001:ba8:1f1:f0b8:216:5eff:fe00:135] has joined #openvpn
04:32 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
04:33 -!- muh2000 [~muh2000@unaffiliated/muh2000] has joined #openvpn
04:33 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
04:36 -!- muh2000 [~muh2000@unaffiliated/muh2000] has quit [Read error: Operation timed out]
04:36 -!- muh2000 [~muh2000@unaffiliated/muh2000] has joined #openvpn
04:46 -!- f0rd42 [~adieball@p54BE59CE.dip.t-dialin.net] has joined #openvpn
04:46 -!- f0rd42 [~adieball@p54BE59CE.dip.t-dialin.net] has left #openvpn []
04:52 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
04:54 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
04:57 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
04:59 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
04:59 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
04:59 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
05:01 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
05:01 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
05:01 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:07 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
05:13 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
05:13 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
05:13 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
05:18 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
05:22 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
05:22 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
05:29 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
05:36 -!- buntfalke_ is now known as buntfalke
05:39 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has joined #openvpn
05:43 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
05:54 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
05:57 -!- |Mike|_ [mike@2001:1af8:2:444::2] has quit [Quit: Reconnecting]
05:57 -!- |Mike| [mike@2001:1af8:2:444::2] has joined #openvpn
05:57 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 250 seconds]
06:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
06:07 -!- Link_ [~Link@173.236.41.38] has joined #openvpn
06:07 -!- Link_ is now known as theDoc
06:07 -!- theDoc [~Link@173.236.41.38] has quit [Changing host]
06:07 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
06:07 -!- mschiff [~mschiff@tmo-101-155.customers.d1-online.com] has quit [Ping timeout: 272 seconds]
06:27 -!- mschiff [~mschiff@tmo-101-155.customers.d1-online.com] has joined #openvpn
07:16 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
07:26 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
07:36 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
07:39 -!- Nickman is now known as Nickman_OFF
07:46 -!- s7r [~s7r@188.27.109.56] has quit []
07:48 <+vpnHelper> RSS Update - forum: Server Administration :: Re: ethernet tunnel (not bridge) random PING problem :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7099&p=8163#p8163> || Server Administration :: Re: Problem with routes in Windows 7 :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7200&p=8164#p8164>
07:54 <+vpnHelper> RSS Update - forum: Server Administration :: Re: Problem with CN in unicode. :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7196&p=8165#p8165>
08:00 <+vpnHelper> RSS Update - forum: Server Administration :: Re: OpenVPN :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7197&p=8166#p8166>
08:09 -!- Nickman_OFF is now known as Nickman
08:15 -!- Sp0tteh-Home [~Sp0tteh-H@ppp118-210-86-229.lns20.adl2.internode.on.net] has quit []
08:35 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
08:38 -!- dazo is now known as dazo_afk
08:41 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
08:44 -!- dazo_afk is now known as dazo
08:47 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
09:05 < thordon> for a openvpn behind a router is the local ip the same with the first statement in bridge-server ?
09:14 < krzee> !tunortap
09:14 <+vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against
09:14 <+vpnHelper> krzee: you over the vpn, or (#4) lan gaming? use tap!
09:21 < ecrist> krzee: !factoids now parses urls and creates links
09:21 < ecrist> on the web page.
09:22 < Meliorator> !wins
09:22 <+vpnHelper> Meliorator: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
09:22 < krzee> !factoids
09:22 <+vpnHelper> krzee: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
09:22 < krzee> hey cool!
09:22 < ecrist> and I just fixed it so it opens those links in a new window
09:23 < ecrist> you'll need to refresh
09:24 < krzee> hah, i totally forgot about !samba
09:24 < krzee> good factoid to remember for people
09:24 < ecrist> for some reason, I cannot seem to match a couple of these
09:25  * ecrist continues poking it
09:25 < krzee> !beer
09:25  * patchie gives krzee a beer.
09:25 <+vpnHelper> krzee: "beer" is its what's for dinner!
09:25 < krzee> lol
09:26 < krzee> mirc script, lol
09:27 < ecrist> !pastebin 2
09:27 <+vpnHelper> ecrist: Error: "pastebin" is not a valid command.
09:27 < ecrist> !pastebin
09:27 <+vpnHelper> ecrist: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
09:28 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
09:28 < ecrist> my code doesn't seem to want to match when the URL is at the start of the line.
09:29 < ecrist> ah, I see why
09:29 < ecrist> sloppy code
09:30 -!- Christianaa [82e1b818@gateway/web/freenode/ip.130.225.184.24] has joined #openvpn
09:30 < ecrist> w00t, now it validates, too!
09:30 < ecrist> http://validator.w3.org/check?verbose=1&uri=http%3A%2F%2Fsecure-computing.net%2Ffactoids.php
09:30 <+vpnHelper> Title: [Valid] Markup Validation of http://secure-computing.net/factoids.php - W3C Markup Validator (at validator.w3.org)
09:31 < Christianaa> Anyone here?
09:31 < ecrist> lol, lots of people.
09:31 < ecrist> 105, as a matter of fact
09:32 < Christianaa> heh
09:33 < Christianaa> I am having a bit of trouble setting up OpenVPN as a gateway and I am hoping someone here can help me
09:33 < ecrist> gah, my code has a bug again
09:33 < ecrist> !def1
09:33 <+vpnHelper> ecrist: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
09:33 < ecrist> make sure you have NAT
09:33 < ecrist> !linnat
09:33 <+vpnHelper> ecrist: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
09:33 < ecrist> there you go. :)
09:33 < Christianaa> The client seems to connect fine, but once I am connect I can't reach any servers
09:35 < Christianaa> I am using redirect-gateway def1
09:35 < ecrist> do you have nat configured on the vpn server?
09:36 < Christianaa> no
09:36 < ecrist> is the firewall on the server's lan allowing the traffic?
09:36 < ecrist> that's your problem, then.
09:37 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
09:39 < thordon> krzee: thank, that is exactly what i want to do. so i need tap
09:41 < thordon> !layer2
09:41 <+vpnHelper> thordon: "layer2" is (#1) you are using tap, what specific layer2 protocol do you need to work over the vpn?, or (#2) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better, or (#3) protocols that use layer2 communicate by MAC address, not IP address
09:42 < krzee> thordon, lan gaming?
09:42 < ecrist> ok, krzee, my factoids work is done for today. fixed urls, page validates, and I refactored my code a bit, 47 total lines of code to generate !factoids
09:43 < ecrist> including white space
09:43 < krzee> good stuff, i like the link generation, funny i never thought to mention that
09:43 < ecrist> it specifically looks for http or https, so if it doesn't have that, no link
09:43 < krzee> gotchya
09:44 < thordon> krzee: yes, and i had have got a working config under windows xp clients. but its not working with windows 7 clients. so i have done "tabula rasa" and trying start with fresh install. but i thin i have problems with the bridge.
09:44 < ecrist> http://pastie.org/1238211
09:45 < krzee> gotchya, im no good with bridges, but often try to talk people out of using them... since you do need a bridge im of no help
09:51 < thordon> krzee: thank you anyway. i will try going on with different config. maybee you can answer my question: my local vpn-server 172.20.88.11 is behind my router/gateway 172.20.88.1. portforward is working. win7 client is getting ip from vpn-adress-pool. But can not ping. is this correct in the config ?: local 172.20.88.1 ... server-bridge 172.20.88.11 255.255.255.0 172.20.88.202 172.20.88.220
09:52 -!- Christianaa [82e1b818@gateway/web/freenode/ip.130.225.184.24] has quit [Ping timeout: 265 seconds]
09:52 < krzee> local should be .11
09:53 < krzee> !local
09:53 <+vpnHelper> krzee: "local" is a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
09:53 < krzee> oops
09:53 < krzee> --local refers to what IP to bind to
09:54 < krzee> if there is only 1 ip on the machine, you dont need --local at all
09:54 < krzee> it is useful when you have multiple IPs but only care to listen on 1 ip
09:54 < krzee> as for the bridge part... you'll need to wait for someone else, i havnt done a bridge in yrs
09:55 < ecrist> !learn RFC2045 as testing testing RFC2045
09:55 <+vpnHelper> ecrist: Joo got it.
09:56 < krzee> hrm, that isnt showing up in the factoids.php for me
09:59 < ecrist> it will in a minute
09:59 < ecrist> remember, there's a delay
09:59 < ecrist> supposed to be 3 hours, but it's running every minute for the time being.
09:59 < krzee> ahh
10:00 < krzee> i figured the php read direct from the sqllite db
10:00 < krzee> ohhh right, different boxen
10:00 < krzee> duh
10:01 -!- AL13N_work [~alien@91.183.52.232] has joined #openvpn
10:01 < AL13N_work> is it possible to have a setup that accepts the keys but also ldap authentications?
10:02 < ecrist> yep
10:02 < ecrist> not an either/or, though
10:02 < AL13N_work> ecrist: how do you mean?
10:03 < ecrist> well, actually, you could, with the right scripting
10:03 < AL13N_work> you mean the the handle names HAVE to exist in ldap?
10:05 -!- foobarbaz [cfa26964@gateway/web/freenode/ip.207.162.105.100] has joined #openvpn
10:07 -!- ChristianAa [82e1b818@gateway/web/freenode/ip.130.225.184.24] has joined #openvpn
10:08 < foobarbaz> Hi, what does 'Disabled Privacy Extensions' mean (I get this in dmesg)? Could it mean my VPN is insecure?
10:08 < thordon> krzee: thank you - and sorry local is still .11 was a type error
10:13 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 264 seconds]
10:13 < foobarbaz> !welcome
10:13 <+vpnHelper> foobarbaz: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:14 < foobarbaz> !goal
10:14 <+vpnHelper> foobarbaz: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:16 -!- foobarbaz [cfa26964@gateway/web/freenode/ip.207.162.105.100] has quit []
10:33 < ecrist> AL13N_work: not sure what you mean by handle names
10:57 < ChristianAa> Hello, does anyone have any idea why my clients drop the connection every 2 minutes?
10:59 < ecrist> ChristianAa: considering you've given us no useful information, no
11:03 < ChristianAa> Sorry about that, well I have fairly standard VPN TLS gateway setup
11:03 -!- WormFood [~wormfood@183.38.12.230] has quit [Read error: Connection reset by peer]
11:03 < ChristianAa> Clients can connect just fine, except they drop after 2 minutes
11:04 < ChristianAa> which, incidentally, is also what I've set keep alive to (keepalive 15 120)
11:04 < ChristianAa> I've tried pinging the client's private and public IP from the VPN server and that works fine
11:06 -!- Nickman is now known as Nickman_OFF
11:07 < ChristianAa> After a couple of minutes the connection resets and everything is fine... for 2 minutes then it drops and after a while it resets, etc
11:17 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
11:18 -!- WormFood [~wormfood@183.38.13.230] has joined #openvpn
11:19 -!- patel [~patel@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 276 seconds]
11:19 -!- batrick_ is now known as batrick
11:21 -!- patel_ [~patel@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined #openvpn
11:49 -!- dazo is now known as dazo_afk
11:50 < ecrist> krzie: put this php snippet in your pipe and smoke it
11:50 < ecrist> $rfact = preg_replace_callback('/(RFC[\d]+)/i', create_function('$matches', '$lowerurl = strtolower($matches[0]); return "<a href=\"https://datatracker.ietf.org/doc/$lowerurl/\" target=\"_blank\">$matches[0]</a>";'), $pfact);
11:50 < ecrist> that line allows links like the RFC2045 line to work.
11:50 < ecrist> fwiw, I'm going to delete that RFC from vpnHelper in a few
12:17 < ecrist> !rfc2045
12:17 <+vpnHelper> ecrist: "rfc2045" is testing testing RFC2045
12:17 < ecrist> !forget rfc2045
12:17 <+vpnHelper> ecrist: Joo got it.
12:17 < ecrist> !1918
12:17 <+vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
12:17 < ecrist> !forget 1918
12:17 <+vpnHelper> ecrist: Error: 2 factoids have that key.  Please specify which one to remove, or use * to designate all of them.
12:17 < ecrist> !forget 1918 *
12:17 <+vpnHelper> ecrist: Joo got it.
12:18 < ecrist> !learn 1918 as RFC1918 makes three unique netblock available for private use: 10.0.0.0/8, 172.16.0.0/12, adn 192.168.0.0/16
12:18 <+vpnHelper> ecrist: Joo got it.
12:19 < ecrist> !learn 1918 as see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html
12:19 <+vpnHelper> ecrist: Joo got it.
12:19 < ecrist> !1918
12:19 <+vpnHelper> ecrist: "1918" is (#1) RFC1918 makes three unique netblock available for private use: 10.0.0.0/8, 172.16.0.0/12, adn 192.168.0.0/16, or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html
12:19 < ecrist> !forget 1918 *
12:19 <+vpnHelper> ecrist: Joo got it.
12:19 < ecrist> !learn 1918 as RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, adn 192.168.0.0/16
12:19 <+vpnHelper> ecrist: Joo got it.
12:19 < ecrist> !learn 1918 as see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html
12:19 <+vpnHelper> ecrist: Joo got it.
12:19 < ecrist> </spam>
12:26 -!- mschiff [~mschiff@tmo-101-155.customers.d1-online.com] has quit [Ping timeout: 240 seconds]
12:28 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:34 -!- dazo_afk is now known as dazo
12:37 <+vpnHelper> RSS Update - forum: Off Topic, Related :: Too many routes problem :: Author OndrejL <https://forums.openvpn.net/viewtopic.php?f=1&t=7201&p=8167#p8167>
13:03 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Ping timeout: 250 seconds]
13:04 <+vpnHelper> RSS Update - forum: Off Topic, Related :: Re: Too many routes problem :: Reply by dazo <https://forums.openvpn.net/viewtopic.php?f=1&t=7201&p=8168#p8168>
13:06 -!- variable [~variable@unaffiliated/variable] has quit [Read error: Connection reset by peer]
13:15 <+vpnHelper> RSS Update - forum: Installation Help :: LAN-to-LAN Possible? :: Author struct <https://forums.openvpn.net/viewtopic.php?f=5&t=7202&p=8169#p8169>
13:20 -!- patel_ [~patel@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 252 seconds]
13:21 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
13:23 -!- pmow [~pmow@adsl-074-164-029-179.sip.mia.bellsouth.net] has joined #openvpn
13:23 < pmow> oh thank god, there's a channel
13:24 < pmow> !goal
13:24 <+vpnHelper> pmow: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:24 -!- patel_ [~patel@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined #openvpn
13:24 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
13:24 < hyper_ch> where are channels?
13:24 < hyper_ch> hi krzee
13:25 < krzee> heyhey
13:25 < hyper_ch> how are you?
13:25 < pmow> irc channel = room
13:25 < krzee> pretty good
13:25 < pmow> meaning, here.
13:25 < krzee> and you?
13:25 < krzee> room = aol, channel = irc
13:25 < hyper_ch> krzee: recovering from a cold and suffering from minecraft withdrawal :)
13:26 < hyper_ch> besides that I'm fine
13:26 < hyper_ch> but two of my roommates worry me
13:26 < hyper_ch> they just don't get along
13:26 < hyper_ch> chase after each other
13:26 < hyper_ch> use their claws and pranks
13:26 < krzee> haha
13:27 < krzee> if you cant beat 'em, videotape them
13:27 < hyper_ch> how can I make them love each other?
13:27 < krzee> slip them some E...?
13:27 < hyper_ch> lol
13:27 < hyper_ch> they are already crazy enough
13:28 < ecrist> wb, krzie 
13:28 < ecrist> wb, krzee 
13:28 < hyper_ch> hi ecrist
13:28 < krzee> ty ty
13:28 < kisom> 0xE
13:28 < pmow> krzee: I agree, but I said channel and he didn't understand
13:28 < ecrist> hey hyper_ch 
13:28 < krzee> pmow, gotchya =]
13:29 < ecrist> krzee: seems I got my RFC code working, too
13:29 < ecrist> krzee: put this php snippet in your pipe and smoke it
13:29 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
13:29 < ecrist> my working line is $rfact = preg_replace_callback('/(RFC[\d]+)/i', create_function('$matches', '$lowerurl = strtolower($matches[0]); return "<a href=\"https://datatracker.ietf.org/doc/$lowerurl/\" target=\"_blank\">$matches[0]</a>";'), $pfact);  (if you care)
13:29 < krzee> actually, it works and doesnt
13:29 < krzee> see !1918 on the factoids.php
13:29 < ecrist> that's a different issue
13:30 < krzee> ahh ok
13:30 < ecrist> specifically, #1 for !1918 is what i 'fixed'
13:30 < ecrist> there's another issue with #2 I'm tracking down
13:31 < ecrist> gah, my working RFC code is what's breaking #2
13:33 < pmow> !welcome
13:33 <+vpnHelper> pmow: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:34 < pmow> !redirect
13:34 <+vpnHelper> pmow: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:36 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
13:36 < fahmad> hello
13:36 < fahmad> i have question 
13:36 < fahmad> when i connect client and disconnect it after few minutes. It will be showed as connected in openvpn management why its not updating status ?
13:37 < ecrist> !1918
13:37 <+vpnHelper> ecrist: "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, adn 192.168.0.0/16, or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html
13:37 < fahmad> ecrist: you talking with me ?
13:38 < krzee> fahmad, the --status file or --management?
13:38 < fahmad> krzee: management ...
13:39 < pmow> !def1
13:39 <+vpnHelper> pmow: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
13:39 < krzee> fahmad, do you have a keepalive?
13:39 < fahmad> nope
13:39 < fahmad> i have ping 10
13:39 < fahmad> ping-restart 120
13:39 < krzee> on client or server...?
13:40 < krzee> --keepalive 10 60 expands as follows: 
13:40 < krzee>  if mode server:
13:40 < krzee>    ping 10
13:40 < krzee>    ping-restart 120
13:40 < krzee>    push "ping 10"
13:40 < krzee>    push "ping-restart 60"
13:40 < krzee>  else
13:40 < krzee>    ping 10
13:40 < krzee>    ping-restart 60
13:41 < fahmad> humm
13:41 < fahmad> ok
13:41 < fahmad> thanks
13:41 < fahmad> i understand its due to keepalive right
13:41 < krzee> so your client will need 120s of disconnect before i knows the client is gone
13:41 <+vpnHelper> RSS Update - forum: Server Administration :: Re: Administrator can download client. ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7198&p=8170#p8170>
13:41 < krzee> and the client will need 60s of that, and hopefully reconnect before the server even knows it was gone
13:41  * fahmad hugs krzee
13:42 < krzee> [14:41]  <krzee> so your client will need 120s of disconnect before i knows the client is gone
13:42 < krzee> i meant server will need
13:42 < fahmad> i know brother :)
13:42 < fahmad> atleast i can understand you guys now :)
13:42 < fahmad> however we have language issue because i could not explain in more details 
13:43 < fahmad> cause english is not my native language 
13:43 < krzee> what is?
13:43 < fahmad> ?
13:44 < krzee> your native tounge
13:44 < fahmad> Urdu
13:44 -!- MWinther [~mw@100-197-96-87.cust.blixtvik.se] has joined #openvpn
13:44 < krzee> urdu=?
13:44 < fahmad> yup
13:44  * ecrist likes seeing people help themselves with tools at-hand (pmow)
13:45 < krzee> yup, i liked that one too
13:45 < krzee> pmow++
13:45 < fahmad> means ?
13:45 < krzee> oh i see, i had never heard of urdu... but google showed me
13:46 < fahmad> oh
13:46 < fahmad> ok
13:46 < pmow> well, in other projects I don't appreciate blatant noobing
13:46 < pmow> it's like c'mon, the least you can do is google
13:47 < krzee> the thing that sucks with openvpn... half the time google will lead you wrong
13:47 < pmow> heh
13:47 < krzee> too many lame walkthroughs out there
13:47 < pmow> for me the biggest thing is unbundling what I *think* it should do, from what it actually does
13:47 < pmow> i.e., NAT, routing, etc
13:48  * fahmad leaving ...
13:48 < pmow> I need to set all that up it seems
13:48 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
13:48 < krzee> its very much a unix style app... it does 1 thing well, the OS already has tools for doing the rest (nat / routing)
13:48 < pmow> whereas in my head, it's the default 
13:48 < krzee> right
13:48 < krzee> but all it actually does is give you a link between 2+ machines
13:49 < pmow> krzee is there a howto to set all that up?  I'm migrating my dedicated server to this, and it hasn't done of that stuff
13:49 < krzee> well i see you want !redirect...
13:49 < krzee> do you also want lans behind openvpn?
13:49 < krzee> or just redirect all client inet traffic over ovpn?
13:50 < pmow> lans too ^_^
13:50 < krzee> !route
13:50 <+vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:50 < krzee> theres a doc i wrote, 2 clients and a server, with lans behind each
13:50 < ecrist> my regex foo is failing me today
13:51 < pmow> haha, awesome.  I meant more like a howto covering multiIP/bind/nat in ubuntu for example
13:51 < krzee> as for redirect, what os is your server?
13:51 < pmow> although I'm sure I can find separate guides and do them all
13:51 < krzee> ahh ubuntu
13:51 < pmow> both servers are ubuntu
13:51 < ecrist> !linnat
13:51 <+vpnHelper> ecrist: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
13:51 < krzee> !linnat
13:51 <+vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
13:51 < krzee> !linipforward
13:51 <+vpnHelper> krzee: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
13:51  * ecrist beat krzee to it
13:51 < krzee> jinx ;]
13:52 -!- raidzx [~Andrew@seance.openvpn.org] has quit [Quit: Leaving]
13:52 < pmow> linnat, brilliant
13:52 -!- raidz [~Andrew@seance.openvpn.org] has joined #openvpn
13:52 -!- raidz [~Andrew@seance.openvpn.org] has quit [Changing host]
13:52 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has joined #openvpn
13:52 -!- mode/#openvpn [+o raidz] by ChanServ
13:53 < pmow> what complicates things is the localServer, and how I want to split the route from the LAN to its other adapter's LAN vs. tunnel
13:53 < pmow> but one thing at a time
13:53 < krzee> localserver?
13:53 < krzee> pmow, here is 1 important thing to know
13:53 < krzee> !samesubnet
13:53 <+vpnHelper> krzee: "samesubnet" is clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
13:54 < krzee> aka, any lans you share over the vpn must be uncommon
13:54 < pmow> erm...isn't it a matter of setting up two routes on the client running bind?
13:55 < ecrist> krzee: I think I fixed my regex.
13:55 < krzee> where does bind enter the picture?
13:55 < ecrist> never used negative lookbehind before
13:55 < pmow> mine is 192.168.x.x, corp is 10.20.x.x, VPN is 10.8.x.x, dediServer out is static ip
13:55 < krzee> ecrist, close
13:55 < krzee> you fixed the first part of #2
13:55 < ecrist> gah
13:56 < krzee> pmow, you sharing yours as well?
13:56 < pmow> VPN is running over corp connection (60mbit)
13:56 < pmow> i.e., connecting over it
13:56 < ecrist> the problem I'm having is two things are trying to parse urls and rewrite them, the second is doubling the anchors
13:56 < pmow> no
13:56 < pmow> I'm not sharing mine
13:56 < krzee> ahh ok, no problem then =]
13:56 < krzee> pmow, so you are only sharing the server lan?
13:57 < pmow> well, localServer is on the server lan
13:57 < krzee> ecrist, have the rfc one make sure its not part of a url?
13:57 < ecrist> yeah, that's the issue now
13:57 < pmow> so I wanted that to be my local lan's gateway
13:57 < ecrist> the rfc regex is matching too much
13:57 < krzee> !serverlan
13:57 <+vpnHelper> krzee: "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
13:58 < pmow> so that I could open up firewall and ipforwarding straight through VPN all the way to a lan server here
13:58 < pmow> er, lan pc
13:58 < krzee> you just wanna access the LAN behind the server, and send your internet traffic out to the internet as if you were in the office, correct?
13:58 < krzee> or am i missing something
13:59 < ecrist> gah, lookbehind doesn't support non-fixed lenght
13:59 < krzee> i have to go take my girl to the hospital, so ill bbl... but ill try to answer you pmow first
13:59 < pmow> there are two servers, so I'm a little hazy on what you just said.  I want to make my lan routable, and use a tunnel to my dediServer to take advantage of corpNet's bandwidth and dediServer's public IPs
14:00 < pmow> I still need to be able to route to the corpNet lan though...or, I can simply get another machine to do that with a physical connection
14:01 < krzee> unless ecrist understands, maybe you can make a drawing at gliffy.com to help it make sense what your goal is
14:01 < pmow> sure...
14:01 < pmow> that sounds serious, maybe you should take your daughter to a hospital
14:02 < pmow> honestly it's complicated and I just want to check it's even possible
14:02 < ecrist> krzee: /(?<!href=")(https?[^ \t]*)/i
14:02 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
14:02 < ecrist> that was the answer
14:03  * ecrist reads up
14:03 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
14:03 < krzee> booya!
14:03 < krzee> the php gods have smiled
14:03 < hyper_ch> is it thanks-giving yet?
14:03 < hyper_ch> what did they do now?
14:03 < krzee> oh shit its almost halloween
14:03 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Read error: Connection reset by peer]
14:03 < hyper_ch> simpson special :)
14:04 < ecrist> krzee: the code is up to 49 lines now to generate that page
14:04 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
14:04  * krzee wonders what happened to the html confgen
14:04 < hyper_ch> krzee: still working on it.... in my thoughts :)
14:04 < krzee> pmow, nah no daughter, my gf needs to visit her uncle
14:04 < hyper_ch> there's too many things I should do :(
14:05 < ecrist> krzee: which confgen?
14:05 < ecrist> krzee: http://pastie.org/1238833
14:06 < pmow> krzee: that sounds less urgent
14:06 < pmow> although more urgent than helping a random internet person with openvpn
14:07 < pmow> gliffy is awesome, btw.
14:08 < krzee> ecrist, hyper_ch was making a badass replacement for my bash config generator... making it in php
14:08 < krzee> back when i made the confgen
14:08 < krzee> but my confgen got made, his is a thought ;]
14:08 < hyper_ch> I'm still making it... I just have a creativity block right now :)
14:08  * ecrist kicks hyper_ch 
14:08 < hyper_ch> you're soooo mean
14:09 < ecrist> hyper_ch: check that pastie out, above
14:09 < ecrist> I'm rather pleased with it
14:09 < hyper_ch> ecrist: it's colourful
14:10 < ecrist> I'm talking the php code, smartass. ;)
14:10 < hyper_ch> looks like you use pdo
14:11 < ecrist> that 49 lines generates the factoids page. :D
14:12 < hyper_ch> if I knew what that is
14:12 < ecrist> !factoids
14:12 <+vpnHelper> ecrist: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
14:12 -!- s7r [~s7r@AC81933F.ipt.aol.com] has joined #openvpn
14:13 < hyper_ch> :)
14:13 < ecrist> all the !commands you see, dumped to database, output in pretty-format on that page vpnhelper linked to
14:13 < hyper_ch> but it still has no take-over-the-world button
14:14 < ecrist> yeah, but it parses URLs, and if there is a factoid with rfcNNNN, it creates a link to that RFC at the IETF
14:16  * hyper_ch gives ecrist a cookie
14:17 < ecrist> lines 35 and 36 were a PITA
14:17 < ecrist> individually, not as much (though line 35 is a doozie), but to work together.
14:18 < pmow> krzee: http://www.gliffy.com/pubdoc/2289509/L.png
14:20 < ecrist> pmow: you are aware that because Corp has higher bandwidth, you won't get to use that from home, you're going to be limited to the lowest common denominator, right?
14:20 < pmow> ofc
14:20 < pmow> the laptop would get whatever connection it has, minus overhead
14:21 < pmow> it's just that the alternative for the office lan (at the bottom) is using a DSL modem, and accessing CorpNet file shares via a linux re-share setup
14:21 < pmow> mount smb + share smb
14:22 < pmow> I'm also still not routable...I'd like to run services from here.
14:23 < ecrist> I would suggest we start from the top.
14:23 < pmow> that's what I'm thinking
14:23 < pmow> first setup the extra IPs, and test out connection, then routing
14:23 < ecrist> so, do you have a VPN server setup?
14:23 < pmow> but is this possible?
14:23 < ecrist> yes, easily
14:23 < pmow> yep, on server.pmow.org
14:24 < pmow> sweetness
14:24 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Read error: Connection reset by peer]
14:24 < ecrist> I do something similar to what you have across two data centers and our office, and to each of our road warriors
14:25 < pmow> the workstations at the bottom are Local lan PCs, they'll be able to route to corpnet and "internet"?
14:25 < pmow> i.e., a rule for 10.20.x.x routes, and everything else slung over VPN
14:26 < ecrist> yeah
14:26 < ecrist> is the Ubuntu box the LAN default gateway, as well?
14:27 < pmow> not yet
14:28 < pmow> right now I'm using a dumb router with DSL modem behind it
14:28 < pmow> but I've set up a fresh ubuntu install
14:29 < ecrist> silly question, but as you have an ASA, why not setup an IPSec tunnel and do things that way?
14:29 < pmow> because that's IT's baby, the network guy left, and we merged and NYC controls that now
14:30 < ecrist> ah, ok
14:30 < pmow> a year ago I was almost there, but the then-director of IT didn't want to screw up the corporate network "by touching the ASA config"
14:30 < ecrist> so, the server is on the corp lan, and you want it to bridge the corp lan with the three workstations at the bottom, right?
14:31 < pmow> no, I want to route
14:31 < pmow> the corp lan is 10.20.x, and the workstations at bottom are my local lan
14:31 < pmow> which are 192.168.1.x
14:33 < ecrist> my mistake
14:34 < ecrist> so, once the ubuntu box is connected to the vpn server, can you route to where you need to go?
14:36 < pmow> if you refresh
14:37 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
14:37 < pmow> ok
14:37 < pmow> refresh
14:37 < pmow> what I have now is the router and laptop at left
14:38 < pmow> the laptop is multihomed and simply sharing samba mounts
14:38 < pmow> (no actual routing)
14:38 < ecrist> looks like all this is covered in the !route page
14:38 < pmow> ok
14:38 < pmow> !route
14:38 <+vpnHelper> pmow: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:42 < pmow> lol, just caught myself skimming a chunk of it
14:46 <+vpnHelper> RSS Update - forum: Off Topic, Related :: Re: Too many routes problem :: Reply by OndrejL <https://forums.openvpn.net/viewtopic.php?f=1&t=7201&p=8171#p8171>
14:54 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 252 seconds]
14:58 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 276 seconds]
15:16 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
15:22 -!- dazo is now known as dazo_afk
15:24 -!- MWinther [~mw@100-197-96-87.cust.blixtvik.se] has quit [Remote host closed the connection]
15:28 -!- variable [~variable@unaffiliated/variable] has joined #openvpn
15:45 < pmow> !def1
15:45 <+vpnHelper> pmow: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
15:46 < pmow> !redirect
15:46 <+vpnHelper> pmow: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
15:46 < pmow> gg
15:46 -!- s7r [~s7r@AC81933F.ipt.aol.com] has quit []
15:47 < pmow> !ipforward
15:47 <+vpnHelper> pmow: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
15:48 < pmow> !linipforward
15:48 <+vpnHelper> pmow: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
15:48 < pmow> !nat
15:48 <+vpnHelper> pmow: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
15:51 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
16:01 -!- mschiff [~mschiff@d000042.adsl.hansenet.de] has joined #openvpn
16:01 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
16:01 <+vpnHelper> RSS Update - forum: Cert / Config management :: StoneVPN :: Author leon <https://forums.openvpn.net/viewtopic.php?f=22&t=7203&p=8172#p8172>
16:03 < pmow> I enabled ipforward and redirect with def1, and am able to ping the VPN router side, but it doesn't appear to be redirecting anything
16:04 < pmow> is the iptables statement required from howto#redirect, if I'm not using a proxy?
16:07 < pmow> okay
16:08 < pmow> it seems to go really slow, but when ping worked I checked server output and it's dropping packets because of bad source address
16:08 < pmow> which seems to be because the client is behind a NAT
16:10 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
16:32 -!- pmow [~pmow@adsl-074-164-029-179.sip.mia.bellsouth.net] has left #openvpn ["Leaving."]
16:35 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
16:38 -!- SDE is now known as sde
17:01 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
17:10 -!- zxvff [shahid@dev.hockingits.com] has quit [Ping timeout: 252 seconds]
17:13 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:14 -!- zxvff [~shahid@dev.hockingits.com] has joined #openvpn
17:19 -!- muh2000 [~muh2000@unaffiliated/muh2000] has left #openvpn ["Konversation terminated!"]
17:24 -!- zxvff [~shahid@dev.hockingits.com] has quit [Ping timeout: 265 seconds]
17:37 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
17:37 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
17:37 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
17:48 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
17:49 -!- mschiff [~mschiff@d000042.adsl.hansenet.de] has quit [Remote host closed the connection]
18:05 -!- Jarpse [~jarpse@cluon.soleus.nu] has joined #openvpn
18:08 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
18:14 -!- mschiff [~mschiff@d000042.adsl.hansenet.de] has joined #openvpn
18:18 -!- mschiff [~mschiff@d000042.adsl.hansenet.de] has quit [Remote host closed the connection]
18:22 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
18:27 -!- mschiff [~mschiff@d000042.adsl.hansenet.de] has joined #openvpn
18:30 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Remote host closed the connection]
18:30 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
18:32 -!- mschiff [~mschiff@d000042.adsl.hansenet.de] has quit [Remote host closed the connection]
18:35 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
18:36 -!- mschiff [~mschiff@d000042.adsl.hansenet.de] has joined #openvpn
18:37 -!- mschiff [~mschiff@d000042.adsl.hansenet.de] has quit [Remote host closed the connection]
18:38 -!- mschiff [~mschiff@d000042.adsl.hansenet.de] has joined #openvpn
18:49 -!- mschiff [~mschiff@d000042.adsl.hansenet.de] has quit [Remote host closed the connection]
18:54 -!- bluegene [~bluegene@awesomo.iodev.org] has quit [Ping timeout: 276 seconds]
18:57 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
19:10 -!- hiddem [~hiddem@188-126-68-181.cust.vpntunnel.org] has joined #openvpn
19:12 < hiddem> Could anyone give me the cheatcode to run dns lookups through the tunnel real quick, everything is running fine but all my dns requests are bleeding through, im on linux (backtrack 4 r1) and i cant seem to find appropriate instructions
19:15 < krzee> cheat code, lol
19:15 < krzee> !pushdns
19:15 <+vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
19:22 < hiddem> ty might have helped some gonna try
19:22 -!- hiddem [~hiddem@188-126-68-181.cust.vpntunnel.org] has quit []
19:34 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
19:34 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
19:56 -!- Arrow [~IceChat7@c-174-52-87-41.hsd1.ut.comcast.net] has joined #openvpn
19:57 -!- Arrow [~IceChat7@c-174-52-87-41.hsd1.ut.comcast.net] has quit [Client Quit]
19:59 -!- FrozenArrow [~IceChat7@c-174-52-87-41.hsd1.ut.comcast.net] has joined #openvpn
20:10 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
20:17 < FrozenArrow> hello?
20:18 < FrozenArrow> Ignore me, I'm having trouble sending to another channel.  I was just making sure I could send to something.
20:20 -!- FrozenArrow [~IceChat7@c-174-52-87-41.hsd1.ut.comcast.net] has quit [Quit: IceChat - Its what Cool People use]
20:42 -!- diensthunds [~Chas@216.20.137.20] has joined #openvpn
20:43 < diensthunds> what tutorials if any exist for setting up an openvpn server on a machine with one nic and multiple clients?
20:47 <+vpnHelper> RSS Update - forum: Configuration :: Bridged setup-windows xp, win-tap32 can't get ip :: Author kim92 <https://forums.openvpn.net/viewtopic.php?f=6&t=7204&p=8173#p8173>
20:49 -!- ^scott^ [~scott@stthom.org] has quit [Ping timeout: 240 seconds]
20:50 < diensthunds> that doesnt cover what I'm trying to do 
20:50 < Bushmills> diensthunds, just any.   !howto  for example
20:51 -!- tessier [~treed@kernel-panic/copilotco] has quit [Ping timeout: 264 seconds]
20:52 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined #openvpn
20:52 < diensthunds> no Bushmills I'm trying to set up an openvpn server on my lan but it only has one nic, I want clients, (those that connect into the vpn) to be able to see the other machines on my lan
20:52 -!- tessier [~treed@mail.copilotco.com] has joined #openvpn
20:52 < Bushmills> more than one NIC becomes only desirable when one wants to use the openvpn server as gateway to other nets
20:53 < Bushmills> but, for your stated purpose, "setting up an openvpn server", no 2nd NIC is needed
20:54 < diensthunds> ok what do I need to do to the configuration so that it will allow other clients on my lan to be seen by the outside of the vpn?
20:54 < diensthunds> I can set the vpn server up fine but when I connect to it from outside my network I can only get access to the single machine that the server is running on
20:55 < Bushmills> how is "outside of my network" and "LAN" now connected to one NIC?
20:56 < diensthunds> ok here's the lan setup. I have a desktop that is the server, 3 laptops that are the clients, all 4 machines are on my local lan and get their ip addresses from my router. 
20:56 < diensthunds> each machine has only 1 nic (including the openvpn server)
20:57 < diensthunds> the vpn server is not running as a gateway it is a client on the lan
20:57 < Bushmills> as those clients sit on the same LAN, using a VPN for them is rather pointless
20:58 < diensthunds> except that when I am away from my network I want to be able to vpn into it and access all my machines
21:00 < Bushmills> what kind of access?
21:01 < diensthunds> same as I would have if I was on the local lan
21:01 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
21:02 < Bushmills> ssh to server. then you have same access to clients
21:02 < diensthunds> not really I only can ssh into the server itself once there then there's no way for me to connect over to the other client machines
21:03 < diensthunds> the server will house all my music and movies and shared documents
21:04 < diensthunds> a few other clients will have documents on them as well
21:04 < diensthunds> I want to be able to connect to the server from a machine at work and be able to have access to all my machines
21:04 < Bushmills> why not? they're on the same LAN. why would you be able to access more of your clients from remote von client than you can from a machine on your LAN?
21:05 < Bushmills> vpn gives you a secure connection. it doesn't give you extra services
21:05 < diensthunds> but it puts me on the lan as if I was physically located there
21:06 < Bushmills> but you said already the even from the machine on the LAN, " there's no way for me to connect over to the other client machine"
21:06 < diensthunds> because I only have one nic on the server
21:06 < Bushmills> so from remote, you get the same ... no way
21:07 < diensthunds> if I'm on the lan locally I can access any of the other clients there
21:08 < diensthunds> if I'm at work then I can vpn into the server but so far that's as far as I can get
21:08 < diensthunds> what I'm looking for is a way to set up the vpn server as if it had 2 nicks and was acting as a gateway but only with 1 physical nic
21:09 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has quit [Read error: Connection reset by peer]
21:17 < Bushmills> starting the openvpn server gives it a virtual second NIC, next to its - presumable - ethernet interface, which - presumable - goes to your LAN. but i have no idea how you're going to connect to your openvpn server, other than over the LAN interface
21:18 < Bushmills> but, assuming you can connect to it, you have tun0 to talk to it from remote, and eth0 to talk to the LAN
21:19 < diensthunds> yes but that second virtual nick is getting set up as an ip address on a different lan 
21:19 < diensthunds> the issue I'm running into is how to get the two "lans" talking to one another
21:19 < Bushmills> route packets from one to the other through the vpn
21:21 < diensthunds> ok that makes sence is there anything in the vpn I need to configure or do I need to set up the routing on the machine itself?
21:21 < Bushmills> you can instruct openvpn through its configuration to set up routes
21:23 < Bushmills> !route
21:23 <+vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
21:24 < diensthunds> ok I'll read through it and see if it's what I'm trying to do
21:25 < Bushmills> don't forget that it's not enough to only route requests from A to B -  you also need a back route for replies from B to A
21:29 -!- rawDawg [~rawdawg@cpe-76-188-26-242.neo.res.rr.com] has joined #openvpn
21:34 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
21:39 -!- oc80z [oc80z@blea.ch] has quit [Ping timeout: 240 seconds]
21:43 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
21:46 < diensthunds> ok read through the entire site tutorial and it deals with adding three subnets through the cloud, I'm trying to do this on one local network
21:46 < diensthunds> I understand the concept of adding the !route commands 
21:46 < diensthunds> but why would I need to add that to every client on the network though?
22:05 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
22:32 -!- oc80z [oc80z@blea.ch] has joined #openvpn
22:33 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
22:33 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
22:33 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
22:45 -!- ^scott^ [~scott@stthom.org] has joined #openvpn
22:45 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:57 -!- rawDawg [~rawdawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: Connection reset by peer]
23:05 -!- WormFood [~wormfood@183.38.13.230] has quit [Ping timeout: 245 seconds]
23:10 <+vpnHelper> RSS Update - forum: Configuration :: moderator please delete :: Author kim92 <https://forums.openvpn.net/viewtopic.php?f=6&t=7204&p=8173#p8173>
23:20 -!- diensthunds [~Chas@216.20.137.20] has quit [Read error: Connection reset by peer]
23:40 -!- s7r [~s7r@AC8178B0.ipt.aol.com] has joined #openvpn
23:41 < s7r> hy
23:42 < s7r> why windows 2008 server sees local area connection as local and internet and openvpn connection as local only, even if it has push redirect-gateway and all client ip is routed through that vpn ?
23:45 < s7r> !local
23:45 <+vpnHelper> s7r: "local" is a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
23:46 < s7r> !internet
23:46 <+vpnHelper> s7r: Error: "internet" is not a valid command.
23:52 < s7r> !winroute
23:52 <+vpnHelper> s7r: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
23:57 -!- WormFood [~wormfood@59.40.216.30] has joined #openvpn
23:57 < s7r> anybody here?
--- Day changed Fri Oct 22 2010
00:22 <+vpnHelper> RSS Update - forum: Server Administration :: Re: Problem with CN in unicode. :: Reply by forth <https://forums.openvpn.net/viewtopic.php?f=4&t=7196&p=8174#p8174>
00:32 < s7r> anybody here?
00:57 < cron2> no
01:04 <+vpnHelper> RSS Update - forum: Server Administration :: Re: Problem with CN in unicode. :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7196&p=8175#p8175>
01:06 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 250 seconds]
01:15 -!- s7r [~s7r@AC8178B0.ipt.aol.com] has quit []
01:26 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
01:54 -!- dazo_afk is now known as dazo
01:58 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
02:01 -!- mschiff [~mschiff@d000210.adsl.hansenet.de] has joined #openvpn
02:10 <+vpnHelper> RSS Update - forum: Server Administration :: Error: Could not execute command to generate startup/shutdow :: Author ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7205&p=8176#p8176>
02:13 -!- Nickman_OFF is now known as Nickman
02:14 -!- Boka [~boca@200.74.240.44] has joined #openvpn
02:16 < Boka> hi. im setting up test where connect one server as client to the other. but while im connected through ssh, i not want to have the ssh tunnel interupted. now with standart setup, all works, but it will interupt the ssh tunnel. i think something like a static route, but how to do this?
02:16 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:22 -!- Dennis84 [~dennis@mail.it-moebius.de] has joined #openvpn
02:22 < Dennis84> hey all
02:22 < Dennis84> i have a vpn server based on tun devices
02:23 < Dennis84> now i have the problem, that 1 client needs at least 2 ipadresses
02:24 < Dennis84> is it possible to have more than ca 128 clients on one server? 256 ips / 2 ips per client?
02:39 -!- Nickman is now known as Nickman_OFF
02:42 -!- Nickman_OFF is now known as Nickman
02:42 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
02:45 -!- RichiH [~richih@freenode/staff/richih] has joined #openvpn
02:46 < RichiH> just to be certain, SIGUSR1[soft,connection-reset] received, client-instance restarting means the client reset the connection and i will need to wait for access to the client logs to debug further, correct?
03:01 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
03:01 < fahmad> hey
03:29 -!- Nickman is now known as Nickman_OFF
03:30 -!- Nickman_OFF is now known as Nickman
03:30 < cron2> RichiH: yes
03:32 < RichiH> cron2: k, thanks. in that case, i'll just have to wait :)
03:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:42 -!- markus___ [~markus@c83-250-33-131.bredband.comhem.se] has quit [Ping timeout: 264 seconds]
03:42 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
03:43 -!- markus_ [~markus@c83-250-33-131.bredband.comhem.se] has joined #openvpn
03:55 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 240 seconds]
03:58 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
03:58 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
03:58 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
04:36 < Boka> push DNS push the value, but not taken on linux centos box. what is the workaround? http://openvpn.net/archive/openvpn-users/2006-06/msg00097.html do need something like this still with 2.1.3?
04:36 <+vpnHelper> Title: Re: [Openvpn-users] DNS push for Linux clients? (at openvpn.net)
04:36 < Boka> must be easier solution.
04:43 -!- RichiH is now known as RICHIH
04:48 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
04:53 <+vpnHelper> RSS Update - forum: Server Administration :: Re: Problem with routes in Windows 7 :: Reply by CHEPERUN <https://forums.openvpn.net/viewtopic.php?f=4&t=7200&p=8177#p8177>
04:59 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 276 seconds]
04:59 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
04:59 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
04:59 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:03 < Bushmills> what else do you do, besides pushing? what does client do to use the pushed name server?
05:06 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
05:07 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
05:11 -!- Boka [~boca@200.74.240.44] has quit []
05:15 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
05:22 -!- cairnz [mats@217-14-7-98-dhcp-osl.bbse.no] has joined #openvpn
05:23 < cairnz> is there a way for the client to override the route additions coming from server when connecting?
05:28 -!- SOG [~SOG@113.116.92.40] has joined #openvpn
05:28 < fahmad> i noticed that openvpn stop listening on management port however it was listening on 1194
05:29 -!- Rolybrau [~Rolybrau@83-201.3-85.cust.bluewin.ch] has joined #openvpn
05:29 -!- Rolybrau [~Rolybrau@83-201.3-85.cust.bluewin.ch] has quit [Changing host]
05:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
05:36 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has joined #openvpn
05:43 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
05:53 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
05:58 -!- SOG [~SOG@113.116.92.40] has quit [Quit: I will be back!]
06:15 <+vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: How does openvpn. ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7187&p=8178#p8178>
06:21 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
06:22 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Read error: Connection reset by peer]
06:22 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
06:29 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
06:35 -!- AL13N_work [~alien@91.183.52.232] has left #openvpn []
06:36 -!- mschiff [~mschiff@d000210.adsl.hansenet.de] has left #openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
06:45 -!- twister004 [~chatzilla@117.204.134.65] has joined #openvpn
06:45 < twister004> hi guys... i've setup a bridged- openvpn server on my ubuntu box(tap0 and br0)....My client connects to the server, gets an IP on the same subnet as the server, but is unable to ping/access any of the machines(including the server)... please advise what could be the cause... thanks in advance!!
06:46 < twister004> The client machine get's an IP on the same subnet as the server, but cannot access anything... please note that the OpenVPN server is behind a router. This router is an ubuntu server 8.04
06:47 -!- cairnz [mats@217-14-7-98-dhcp-osl.bbse.no] has left #openvpn []
07:05 -!- Nickman is now known as Nickman_OFF
07:16 < atan> twister004, I would guess you're not forwarding traffic correctly once the user connects up.
07:16 < twister004> atan, when I do a tcpdump on the server, I see openvpn packets 
07:17 < twister004> and I get connected... but when I try to view ICMP packets, I dont see any on the server as well as on the router
07:17 < twister004> iptables on the server has been stopped, and the router is not blocking anything... do you think it could be somthing to do with traffic routing?
07:18 < twister004> I'm not sure why I am not able to see any icmp traffic
07:18 -!- Nickman_OFF is now known as Nickman
07:19 < atan> Well that's what I'm leaning toward. Assuming your openvpn config is set to tunnel your traffic then I would assume the server needs to be setup to tell it how to handle the traffic
07:19 < atan> On my installs I've used ip masquerading to deal with such traffic over my vpn
07:19 < atan> Mind you, I'm certainly no expert on this subject but it was indeed worked for me.
07:19 < twister004> atan, it's a bridge setup.. could you explain how the traffic should flow.. could you explain with an example?.. say ICMP?
07:20 < twister004> atan.. I have stopped iptables, so.. it shouldn't be a problem right?
07:20 < atan> Well on my installs I use iptables to deal with the traffic
07:21 < atan> So far so good =\ but it sounds like your setup is far more complex than mine
07:22 < twister004> atan, could you explain how exacly traffic flows in a bridging setup?
07:25 < atan> http://vtun.sourceforge.net/tun/faq.html might be helpful, and far more useful than anything I could come up with
07:25 <+vpnHelper> Title: Universal TUN/TAP driver - FAQ (at vtun.sourceforge.net)
07:43 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
07:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
07:48 -!- x-demon [xdemon@2001:ba8:1f1:f0b8:216:5eff:fe00:135] has quit [Ping timeout: 272 seconds]
07:50 -!- x-demon [xdemon@2001:ba8:1f1:f0b8:216:5eff:fe00:135] has joined #openvpn
07:57 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
08:01 -!- markus_ [~markus@c83-250-33-131.bredband.comhem.se] has quit [Ping timeout: 265 seconds]
08:03 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
08:03 < fahmad> hello
08:03 < fahmad> can some one tell me why openvpn stop listening on management port however it was listening on 1194
08:04 < fahmad> i do not see any thing wrong in logs :(
08:09 -!- pmow [~pmow@adsl-074-164-029-179.sip.mia.bellsouth.net] has joined #openvpn
08:17 -!- le0 [~fin@82.132.243.45] has joined #openvpn
08:17 -!- le0 [~fin@82.132.243.45] has quit [Changing host]
08:17 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
08:22 < ecrist> how do you know it was listening on mgmt port to begin with?
08:22 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
08:22 -!- atan [~atan@unaffiliated/atan] has quit [Quit: Leaving]
08:27 < fahmad> ecrist: i am using perl module :-)
08:27 < ecrist> no idea what that means
08:28 < fahmad> ecrist: can i pm ?
08:28 < fahmad> you link ?
08:28 < pmow> !nat
08:28 <+vpnHelper> pmow: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
08:28 < pmow> !ipforwarding
08:28 <+vpnHelper> pmow: Error: "ipforwarding" is not a valid command.
08:29 < pmow> !ipforward
08:29 <+vpnHelper> pmow: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
08:29 < pmow> !winipforward
08:29 <+vpnHelper> pmow: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
08:29 < aegis> HAPPY INTERNATIONAL CAPS LOCK DAY!
08:30 < pmow> Is that required on Win7?  I got forwarding enabled just fine yesterday on Ubuntu, but not even able to ping from windows machines
08:30 < ecrist> !pmow
08:30 <+vpnHelper> ecrist: Error: "pmow" is not a valid command.
08:30 < ecrist> !factoids
08:30 <+vpnHelper> ecrist: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
08:30 < ecrist> pmow ^^^
08:30 < pmow> yes, I've seen that list of factoids
08:31 < pmow> although I skimmed it yesterday, because it did not say "DO NOT SKIM"
08:31 < ecrist> lol
08:31 < ecrist> the factoids there is everything that's in the channel
08:31 < ecrist> I find it can be easier to search than fumbling through channel commands
08:31 < pmow> oh, gotcha.  I thought it was a response to my question, sorry!
08:32 < pmow> that *is* helpful
08:32 < ecrist> I think you're looking for !linnat
08:33 < pmow> I have linux to linux working
08:33 <+vpnHelper> RSS Update - forum: Server Administration :: Multicast using openVPN :: Author andnan <https://forums.openvpn.net/viewtopic.php?f=4&t=7206&p=8179#p8179>
08:33 < pmow> now I'm just trying to get windows to linux working
08:33 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
08:33 < pmow> just saw a note halfway down !factoids about not using openvpn.se
08:34 < fahmad> ecrist: you see that ?
08:34 < ecrist> yeah, 2.1.3 includes a better gui
08:34 < ecrist> pmow: I've written ~50% of the factoids. :)
08:34 < ecrist> and I coded that web page. ;)
08:34 < pmow> I suspected as much yesterday...
08:34 < pmow> that's why you're the best person to ask!
08:35 < pmow> :D
08:35 < ecrist> fahmad: I do, but the site is protected, and I"m not a fan of PMs
08:35 < ecrist> or PMS, for that matter
08:36 < dazo> well, you can only do something about PMs and not PMS, though
08:36 < ecrist> get rid of the wench, that's what I can do
08:36 < ecrist> ;)
08:37 < fahmad> i think radius plugin messing with openvpn
08:37 < fahmad> Fri Oct 22 15:36:35 2010 RADIUS-PLUGIN: BACKGROUND ACCT: No accounting data was found for cmi_u351wczx,xxx.xxx.xxx.xxx:63901.
08:38 < pmow> even though I have no reason to get one, I find myself lusting over the new macbook air and HP slate announced in the last 24 hours
08:38 < pmow> what's wrong with me?
08:38 < |Mike|> ask urmom :P
08:38 < |Mike|> ecrist: no hangover?
08:38 < ecrist> only a slight one
08:41 < aegis> HAPPY INTERNATIONAL CAPS LOCK DAY!
08:42 -!- mode/#openvpn [+o ecrist] by ChanServ
08:42 < dazo> aegis: you're looking for trouble?
08:42 < pmow> !windows
08:42 <+vpnHelper> pmow: "windows" is pcs are like air conditioners, they work fine unless you open windows
08:42 -!- aegis was kicked from #openvpn by ecrist [SAME TO YOU!]
08:42 -!- mode/#openvpn [-o ecrist] by ecrist
08:42  * ecrist thinks he found it
08:42 -!- aegis [~aegis@74.102.94.215] has joined #openvpn
08:43 < pmow> lol
08:43 < aegis> NO, I"M NOT.  JUST PASSING ON INTERNATIONAL GOODWILL.
08:43 -!- mode/#openvpn [+o ecrist] by ChanServ
08:43 -!- mode/#openvpn [+b *!*@74.102.94.215] by ecrist
08:43 -!- aegis was kicked from #openvpn by ecrist [knock it off]
08:43 -!- mode/#openvpn [-o ecrist] by ecrist
08:44 < dazo> lol
08:44 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
08:45 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
08:47 < pmow> ecrist: got it working...some combination of those options worked...route delay of 5 seconds
08:47 < pmow> default route worked too, wow.
08:47 < ecrist> neat
08:48 -!- pmow [~pmow@adsl-074-164-029-179.sip.mia.bellsouth.net] has quit [Quit: Leaving.]
08:48 -!- pmow [~pmow@170.198.232.72.static.reverse.ltdomains.com] has joined #openvpn
08:48 < pmow> mmm, sexeh
08:49 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
08:50 < |Mike|> o hir'a 
08:50 < |Mike|> oh it's capslockday again
08:51 < Bushmills> i prefer towel day
08:51 < |Mike|> Or sleepy days
08:54 < ecrist> capslock day in #openvpn will allow you to find the door quickly
08:54 < ecrist> just saying
08:55 < pmow> said and demonstrated I'd say
08:57 -!- mode/#openvpn [+o ecrist] by ChanServ
08:57 -!- mode/#openvpn [-b *!*@74.102.94.215] by ecrist
08:57 -!- mode/#openvpn [-o ecrist] by ecrist
08:58 < |Mike|> haha
08:58 < |Mike|> I hate it when people abuse their capslock
09:00  * dazo has disabled caps-lock on his computer
09:00 < ecrist> ditto, I re-mapped the key as a control key
09:01 < ecrist> I find it makes using control chars much faster
09:02 < pmow> I can't tell if y'all are joking.
09:02 < ecrist> no, I really did remap it
09:02 < pmow> interesting
09:03 < ecrist> http://skitch.com/ecrist/dhs74/remapped-keys
09:03 <+vpnHelper> Title: Skitch.com > ecrist > remapped_keys (at skitch.com)
09:23 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 240 seconds]
09:32 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
09:33 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
09:33 < thordon> Hi ecrist :) could you please tell me why i can see in the startuplog tun_mtu_extra = 32. ist this standard ?
09:33 < ecrist> no idea
09:34 < thordon> ecrist: thank you
09:34 < thordon> i can not find it in my config
09:36 -!- BuSyAnToS [~31749@83-103-68-114.ip.fastwebnet.it] has quit [Ping timeout: 252 seconds]
09:37 -!- Boka [~boca@200.74.240.44] has joined #openvpn
09:40 < thordon> i got it: TAP devices may introduce additional overhead in excess of the MTU size, and a setting of 32 is the default when TAP devices are used
09:43 < ecrist> neat
09:52 < Boka> anyone here tried redirecting all traffic on openvpn server through tor network?
09:52 < Boka> if so, write me pls. ill pay for your time/help
09:56 < kisom> almost weekend :)
09:56 < kisom> 4 minutes to go
10:00 -!- APTX [~APTX@phpBB/developer/APTX] has joined #openvpn
10:05 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Remote host closed the connection]
10:12 -!- Nickman is now known as Nickman_OFF
10:12 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
10:16 -!- fahmad [~linux@vpn.server4sale.com] has joined #openvpn
10:16 -!- fahmad [~linux@vpn.server4sale.com] has quit [Changing host]
10:16 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
10:19 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
10:20  * fahmad hugs krzee
10:21 < Boka> anyone for the TOR problem?
10:21 < pmow> not really, I'm trying to do the same for all traffic on my lan
10:22 < Boka> not succeeding?
10:23 < krzee> wassup guys
10:23 < pmow> it's a little complicated as I'm trying to replace my lan's gateway, the one I'm currently using now
10:23 < pmow> and I need a split roiute
10:23 < pmow> slowly getting there, but "read howto" isn't really helping either
10:24 < krzee> you need a split route for what?
10:24 < krzee> pmow, did you make a gliffy?
10:24 < Boka> we trying to setup TOR behind the openvpn server
10:25 < pmow> yes
10:25 < Boka> so all vpn users route over TOR network
10:25 < krzee> pmow, pass it on over
10:26 < krzee> Boka, do a normal !redirect, but set the server to default route over TOR, you may need a client-connect script to make specific routes to clients that bypass the TOR
10:26 < pmow> may I pm it to you?
10:26 < krzee> pmow, yes
10:26 < krzee> and thx for asking
10:26 < pmow> I'm new to this but not irc or manners =)
10:27 < pmow> yeah, I added actual IPs
10:28 < pmow> krzee: since we talked yesterday, I've managed to get the VPN "endpoint" client going with tunnel
10:28 < pmow> right now, I'm looking at DHCP, although I think I'm going to turn ip forwarding on first and test with a PC using a static assignment, before I do a massive ^!#$up
10:31 < krzee> your image doesnt give much for the goal
10:32 < pmow> sorry, I removed it because I didn't expect to need to send it again
10:32 < krzee> for boka:
10:32 < krzee> !routebyapp
10:32 <+vpnHelper> krzee: "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
10:32 < krzee> boka, so you just use:
10:33 < krzee> !sample
10:33 <+vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
10:33 < krzee> and setup your TOR to listen on the vpn server ip
10:33 < pmow> goal is: Split routing at "VPN Endpoint" which is currently VPNed and running, between default route to VPN (10.8.0.1) and selected hosts on CorpNet (10.20.x.x). 
10:33 < krzee> then the clients use the vpn server ip for their proxy
10:33 < krzee> internal VPN ip
10:34 < Boka> ok i get the idea yes. let me try and play with this.
10:35 < krzee> the "endpoint" is the server?
10:35 < pmow> client
10:35 < krzee> (@ pmow )
10:35 < krzee> how is that split?
10:35 < pmow> right now the client "endpoint" is connected, and routing appropriately over the VPN.
10:35 < pmow> well, split between CorpNet LAN and Internet routes
10:35 < krzee> both of those would route to the vpn server
10:36 < krzee> the vpn server then routes appropriately
10:36 < pmow> split for the LocalLan workstations
10:36 < krzee> make sure it doesnt NAT for connections going to 10.20.x.x
10:36 < krzee> then make a route back to 10.8.0.x on the router for 10.20.x.x
10:36 < krzee> like this:
10:36 < krzee> !route_outside_ovpn
10:36 <+vpnHelper> krzee: "route_outside_ovpn" is "route_outside_openvpn" is (#1) http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) you do not need this if the vpn node IS the gateway for its lan
10:37 < pmow> vpn server doesn't have access to CorpNet, just the client does
10:38 < pmow> it's really more of a routing issue than anything...I want "endpoint" to route to tun0 unless there are exceptions
10:38 < krzee> the server must have access
10:38 < pmow> even if the client is a router?
10:39 < krzee> is corp behind the server or lan?
10:39 < pmow> lan is behind corp which is behind a firewall
10:39 < pmow> which I'm traversing by way of the tunnel
10:39 < krzee> and that is vpn server or client...?
10:40 < pmow> neither, the client is a router sitting between corp and lan
10:40 < pmow> s/is/will be
10:41 < pmow> the server is completely outside of all other networks
10:41 < pmow> the green lines are VPN tunnels
10:41 < pmow> so the VPN Client (a.k.a., "endpoint"), below, has three adapters
10:42 < pmow> I think I want to simply route between them, no?
10:42 < krzee> corpnet needs a vpn client in its lan
10:43 < pmow> I want to NAT and route Forensics/LocalLAN to/from VPN gateway, unless superceded by a manual entry for a corporate IP
10:43 < krzee> or vpn server
10:43 < pmow> yes, VPN Endpoint is on Corpnet, Local Lan, and VPN.
10:43 < krzee> you keep saying endpoint
10:43 < pmow> endpoing = client
10:43 < krzee> there arte vpn clients / servers
10:43 < krzee> no endpoints
10:43 < krzee> ok there we go
10:43 < krzee> [11:39]  <pmow> lan is behind corp which is behind a firewall
10:43 < krzee> [11:39]  <pmow> which I'm traversing by way of the tunnel
10:43 < krzee> [11:39]  <krzee> and that is vpn server or client...?
10:43 < krzee> the answer is "client"
10:44 < pmow> okay, well it's not simply a client, as it would be a DHCP server as well, thought it would be good to just call it something
10:44 < krzee> no, it will not be a dhcp server
10:44 < krzee> that would be layer2
10:44 < krzee> and is unnecessary
10:44 < krzee> !clientlan
10:44 <+vpnHelper> krzee: "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route
10:44 <+vpnHelper> krzee: for a better explanation
10:44 < krzee> and yes, it is simply a client
10:45 < pmow> "the server needs a route to the lan" I don't have that, outside of the VPN tunnel.
10:45 < pmow> Is that okay?
10:47 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
10:47 < krzee> in server config:
10:48 < krzee> route 10.20.0.0 255.255.0.0
10:48 < krzee> push "route 10.20.0.0 255.255.0.0"
10:51 -!- pmow1 [~pmow@170.198.232.72.static.reverse.ltdomains.com] has joined #openvpn
10:51 < pmow1> meh
10:53 < pmow1> I added those lines to server config, restarted it.  Can't ping 10.20.1.135.  I'm guessing I need to add iroute too?
10:53 < pmow1> 10.20.1.135 = some corp file server
10:54 -!- pmow [~pmow@170.198.232.72.static.reverse.ltdomains.com] has quit [Ping timeout: 265 seconds]
10:54 -!- pmow1 is now known as pmow
10:54 < krzee> yes
10:54 < krzee> need iroute in ccd entry
10:54 < krzee> also need:
10:54 < krzee> !route_outside_ovpn
10:54 <+vpnHelper> krzee: "route_outside_ovpn" is "route_outside_openvpn" is (#1) http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) you do not need this if the vpn node IS the gateway for its lan
10:55 < krzee> on the corpnet router
10:55 < pmow> right well...as I mentioned yesterday, don't have access to that
10:55 < pmow> I need Forensics/LocalLAN to route to CorpNet
10:55 < krzee> in that case you need to add a route to every machine on corpnet which you expect to communicate over the vpn
10:55 < pmow> they all won't be clients.  the client is the VPN client called 'endpoint'
10:56 < krzee> umm
10:57 < krzee> corpnet and forensics are on the same LAN, right?
10:57 < pmow> no
10:57 < pmow> forensics machines are on local lan
10:57 < krzee> in the drawing they seem to be
10:57 < pmow> there's two clouds
10:58 < krzee> 2 clouds behind 1 router
10:58 < krzee> so 2 lans, same building...?
10:58 < pmow> exactly.
10:58 < pmow> exactly, yesp
10:58 < krzee> and you want to use this vpn to bypass all security your office gains by seperating the LANs
10:58 < pmow> the Ubuntnu VM VPN client, is sitting in the middle
10:58 < krzee> without permissions, based on the fact that you cant add a route to the router
10:59 < pmow> partly
10:59 < krzee> you need a client in each of the n2 LANs
10:59 < krzee> but you still need to be able to add routes to the machines that will have access to talk over the vpn
10:59 < krzee> (or you can use the nat hack, which i can explain but wont help with)
10:59 < pmow> why can't I setup ip forwarding on the client, and have it NAT the Local Lan to the corpnet machines?
11:00 < pmow> ok
11:00 < pmow> that's exactly what I've been wanting to do, and figured was the only real way possible
11:01 < pmow> permissions is tricky.  Our firm is part of a larger one, and then I have people that actually do business asking me why they can't access my machines.  It's political and I don't want to deal with it.
11:02 < pmow> 2nd reason is, CorpNet is like 50mbit but I don't want to touch their damn network except for a single tunnel
11:03 < pmow> If they gave a damn about security, they wouldn't use people's initials for username and password for the billing sql server.  But that's neither here nor there.
11:04 < pmow> (the 50mbit thing: I am using a DSL router currently, and said politics will get me a burstable fiber connection, oh...never.  I need the upload to put large deliverables on the FTP, etc)
11:05 -!- WormFood [~wormfood@59.40.216.30] has quit [Ping timeout: 240 seconds]
11:06 < pmow> bbl
11:06 -!- pmow [~pmow@170.198.232.72.static.reverse.ltdomains.com] has quit [Quit: Leaving.]
11:07 -!- pmow [~pmow@adsl-074-164-029-179.sip.mia.bellsouth.net] has joined #openvpn
11:07 < krzee> back?
11:08 < pmow> yep
11:08 < pmow> undid your suggestions
11:08 < krzee> you need my suggestions
11:08 < pmow> also, I stopped connecting over the damn vpn I'm working on...it wasn't very smart
11:08 < krzee> but you need it on a client in each lan
11:08 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined #openvpn
11:08 < krzee> if you really wanna bypass the built in security using a vpn
11:10 < krzee> and i was wrong about you being able to use the NAT hack, unless you control a router on 1 of the lans, and even then you could only have 1-way communication
11:10 < krzee> (with response)
11:11 -!- Link [~Link@173.236.41.35] has joined #openvpn
11:12 -!- Link is now known as theDoc
11:12 -!- theDoc [~Link@173.236.41.35] has quit [Changing host]
11:12 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
11:14 < pmow> uhm
11:14 < Boka> !routebyapp
11:14 <+vpnHelper> Boka: "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
11:15 < pmow> I do control the router between the lans
11:15 < krzee> pmow, you have 2 clouds, both behind the same router, but unable to comminicate with eachother
11:15 < krzee> if you control that router, you dont even need openvpn to route between them
11:15 < pmow> I know, but I don't
11:15 < pmow> so I have another router
11:15 < pmow> which I control
11:16 < pmow> multihomed to both networks, ofc
11:16 < pmow> why can't it choose the best route and forward appropriately?
11:16 < krzee> umm
11:16 < krzee> you can
11:16 < krzee> without openvpn
11:16 < pmow> *.*.*.* forward to 10.8.0.1
11:16 < pmow> 10.20.1.135 forward to 10.20.1.135
11:17 < pmow> exactly
11:17 < krzee> you have a router on both LANs, right?
11:17 < krzee> what is the subnet of each LAN?
11:17 < pmow> not yet, that's what I'm trying to set up: routing
11:17 -!- WormFood [~wormfood@183.38.14.120] has joined #openvpn
11:17 < pmow> 10.20.0.0 (255.255.0.0) and 192.168.1.0 (255.255.255.0)
11:17 < krzee> oh, so you do not have a router multihomed on each lan... you want openvpn to be that router then?
11:18 < pmow> The machine labeled "VPN Endpoint Router" in my gliffy, is the VPN Client.  Currently it is not routing.  I would like to change that.
11:18 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
11:18 < pmow> right now the LAN is not routing to the corporate lan
11:19 -!- p3rror [~mezgani@adsl196-230-77-206-196.adsl196-3.iam.net.ma] has joined #openvpn
11:19 < pmow> there's a separate router which until now, has been providing the DSL and DHCP 
11:19 < krzee> 1sec lemme make a gliffy
11:19 < pmow> it's embedded though
11:19 < pmow> and won't support openvpn and multihoming
11:19 < pmow> mkay
11:21 -!- Boka [~boca@200.74.240.44] has quit []
11:28 < krzee> shall i msg it?
11:29 < pmow> sure
11:29 < pmow> thanks
11:30 < krzee> looking at it like that, it still make sense right?  and you simply wanna connect those 2 lans to eachother using openvpn, right?
11:30 < pmow> no
11:30 < pmow> 192 lan is behind one host in 10.20
11:31 < krzee> ahh ok
11:31 < krzee> do you have a machine in 192 lan?
11:31 < krzee> and one in the 10.20 lan?
11:31 < pmow> the idea is that the very same host would be on both
11:32 < pmow> but yes, I can put as many as necessary
11:32 < krzee> what is the IP of the machine that 192 is behind (ip on 192 and ip on 10.20)
11:32 -!- p3rror [~mezgani@adsl196-230-77-206-196.adsl196-3.iam.net.ma] has quit [Ping timeout: 245 seconds]
11:32 < pmow> that's the machine that has the VPN route set up.  So it has three adapters: eth0, eth1, tun0.  Each on a different LAN
11:32 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
11:33 < krzee> you control that machine!?
11:33 < pmow> 10.20.2.134
11:33 < pmow> yes
11:33 < krzee> and your goal is for 192 lan to be able to talk to 10.20 lan?
11:33 < pmow> yes
11:33 < pmow> honestly I only really need a few hosts
11:33 < pmow> but yes
11:34 < krzee> what is its 192 IP?
11:34 < pmow> later on I'd like to setup a samba forward to a single nated ip but that's another story
11:34 < pmow> 192.168.1.2
11:35 < krzee> put a machine on each side, for argument sake lets say it is 10.20.0.100 and 192.168.1.100
11:35 < pmow> currently I have the embedded router with DSL behind it on 192.168.1.1
11:35 < pmow> ok
11:35 < krzee> now on 10.20.0.100, add a route saying that 192.168.1.0 255.255.255.0 is behind the gateway 10.20.2.134
11:36 < krzee> now on 192.168.1.100, add a route saying that 10.20.0.100 255.255.0.0 is behind the gateway 192.168.1.2
11:36 < krzee> then those 2 hosts should be able to ping eachother, without a vpn
11:37 < pmow> right, it's just I don't have access to the router on corpnet
11:37 < krzee> add similar routes to every machine that needs cross-lan communication (or get access to the router)
11:37 < pmow> which is fine, as I don't really need to have people route to a bunch of machines on my network
11:38 < pmow> 192.168.1.100 > 192.168.1.1 > NAT > 10.20.1.135 and back should work (which is a NATed ip to corp )
11:38 < pmow> but back they would need to address 10.20.2.134, in order to access anything on my LAN, such as a samba share, etc.
11:38 < pmow> that's if I don't add routes to corporate machines
11:39 < pmow> correct me if I'm wrong
11:39 < krzee> you could us ethe nat-hack for single direction communications
11:40 < pmow> could also forward incoming to 10.20.2.134 like any other home router, no?
11:40 < krzee> and really, openvpn cant help you
11:40 < krzee> this is a networking issue, but not an openvpn one
11:40 < krzee> yes, i guess you could
11:41 < pmow> yeah, I figured
11:42 < pmow> I just need to read up on doing ipfowarding, nat, etc with ubuntu...should be fine
11:42 < krzee> ip forwarding is needed to allow packets to pass from 1 int to another
11:42 < krzee> to enable it
11:42 < krzee> !linipforward
11:42 <+vpnHelper> krzee: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
11:42 < pmow> int?
11:42 < pmow> ah
11:42 < krzee> interface
11:42 < pmow> interface
11:42 < pmow> yeah, I know that I need to enable that
11:43 < pmow> and also dhcp, which is probably the last thing I will mess with
11:43 < krzee> yup, your multihomed machine is a router
11:43 < krzee> so def needs ip forwarding
11:43 < pmow> well, at least I'm not crazy
11:43 < krzee> likely already has it (since i assume 192 has inet access)
11:43 < pmow> via 192.168.1.1 
11:43 < krzee> ahh
11:44 < pmow> well, thanks for all your help
11:44 < pmow> even though we ended up at the same place
11:44 < pmow> at least  I know it's possible :)
11:44 < krzee> sounds like you now know how to do it tho
11:44 < krzee> and i finally understand your goal ;)
11:44 < pmow> haha, yes
11:45 < pmow> it's kind of complicated for a "first try"
11:45 < pmow> well
11:45 < krzee> i actually did something similar at my office
11:45 < krzee> needed my workstation to access the phone server (seperate lans)
11:45 < pmow> what I've been doing up till now, is mounting a few samba shares on a multihomed laptop, and sharing them
11:45 < krzee> so i multihomed my BSD box, and added a route to phone server, and my workstation
11:45 < pmow> which is mostly all I need
11:46 < pmow> ah, nice
11:46 < krzee> of course i have access to the routers too, but chose not to use them
11:47 < krzee> so now any machine can add routes to the phone server, and communicate with it (assuming my bsd box's firewall allows)
11:49 < pmow> v nice
11:49 < pmow> we run phone stuff on another vlan
11:49 < pmow> actually, I was part of IT for a couple years and moved a couple years ago into forensics
11:50 < pmow> so it's supposed to stay separate from corporate, because corporate IT didn't want machines without antivirus on their network, and forensics didn't want domain authority on their machines for chain of custody
11:51 < pmow> a merger later and nobody cares, and I'm running the show here
11:51 < theDoc> I'm not entirely convinced that anti-viruses are actually a good addition to desktop machines, considering the severity of drive by exploits these days.
11:52 < pmow> I personally don't use them myself
11:53 < krzee> i only use them on my usb sticks
11:53 < pmow> then again, I know what I'm running
11:53 < krzee> cause damn windows users keep getting virii on them
11:53 < pmow> bbl, I need to find a hot dog vendor ^_^
11:53 < krzee> but since i dont use windows i dont really worry bout that
11:53 < krzee> theDoc, !windows ;)
11:53 < theDoc> mac here, we have our own set of issues but nothing overly severe like the stuff windows does.
11:53 < theDoc> !windows
11:53 <+vpnHelper> theDoc: "windows" is pcs are like air conditioners, they work fine unless you open windows
11:53 < theDoc> lol
11:53 < krzee> MacBookPro6,1 CPU: Intel Core i7 M 620 2.67GHz @ 2.66GHz [/FPU/MMX/SSE/SSE2/SSE3/S.SSE3/SSE4.1/SSE4.2/x86_64/PAE/XD/EM64T/VMX/EST] L2: 512K FSB: 4800MHz Airport:  (802.11 a/b/g/n)  RAM: 2.5GB/8.0GB Vram: 27.81M/256.00M Disk: 2.24TB/5.82TB GPU: Intel HD Graphics [288 MB/Stock] 1920x1200 OS: Mac OS X 10.6.4 (10F569) Kernel: Darwin 10.4.0 Up: 6 days 23:34
11:54 < theDoc> krzee: Are you using irssi?
11:54 < krzee> xchat aqua
11:54 < abeehc> :\
11:54 < krzee> i believe they made a plugin for irssi tho
11:54 < theDoc> Yeah, I just don't know how to call it.
11:54 < theDoc> Well, mac here :p
11:55 < theDoc> bbl, bed.
11:55 < theDoc> It's 1.
11:55 < theDoc> g'night.
11:55 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
11:55 < krzee> nite
11:56 -!- f0rd42 [~adieball@p54BE36BC.dip.t-dialin.net] has joined #openvpn
11:57 -!- f0rd42 [~adieball@p54BE36BC.dip.t-dialin.net] has left #openvpn []
12:04 < krzee> !mcast
12:04 <+vpnHelper> krzee: Error: "mcast" is not a valid command.
12:05 < krzee> !factoids
12:05 <+vpnHelper> krzee: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
12:12 <+vpnHelper> RSS Update - forum: Server Administration :: Re: Multicast using openVPN :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7206&p=8180#p8180> || Installation Help :: Re: LAN-to-LAN Possible? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=5&t=7202&p=8181#p8181> || Cert / Config management :: Re: StoneVPN :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=22&t=7203&p=8182#p8182>
12:16 < krzee> !ssl-admin
12:16 <+vpnHelper> krzee: "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn, or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
12:18 <+vpnHelper> RSS Update - forum: Cert / Config management :: ssl-admin :: Author krzee <https://forums.openvpn.net/viewtopic.php?f=22&t=7207&p=8183#p8183>
12:19 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
12:20 < krzee> !locate win
12:20 <+vpnHelper> krzee: Error: "locate" is not a valid command.
12:20 < krzee> heh
12:22 -!- dazo is now known as dazo_afk
12:24 -!- twister004 [~chatzilla@117.204.134.65] has quit [Ping timeout: 245 seconds]
12:24 <+vpnHelper> RSS Update - forum: Server Administration :: Re: Problem with routes in Windows 7 :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7200&p=8184#p8184> || Scripting and Customizations :: Re: How does openvpn. ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7187&p=8185#p8185>
12:30 <+vpnHelper> RSS Update - forum: Server Administration :: Re: Error: Could not execute command to generate startup/shu :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7205&p=8187#p8187> || Configuration :: Re: Setting Up A Router :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7199&p=8186#p8186>
12:35 < ecrist> krzee: what's the site for that again?
12:39 < krzee> site for what?
12:45 < krzee> ecrist, ?
12:58 -!- atan [~atan@unaffiliated/atan] has quit [Quit: Leaving]
13:09 < ecrist> xchat plugin for system info
13:09 < ecrist> I want to see if there's an irssi version
13:12 -!- Nickman_OFF is now known as Nickman
13:12 < krzee> ahh
13:13 < krzee> on irc: 
13:13 < krzee> server: irc.moofspeak.net
13:13 < krzee> room: #scripts
13:17 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
13:21 < EmperorTom> ping ecrist, does openvpn check to see if an IP is in use (Ping) before assigning it, or does it just rely on it's own records?
13:22 < ecrist> it relies on it's own records, I believe
13:22 < EmperorTom> ok, so the two openvpn boxes should assign from different ranges to avoid potential conflicts.
13:22 < ecrist> if you're referring to our setup, we probably just want to narrow down the class C block we're using to two /25 subnets and distribute those.
13:22 < EmperorTom> my thought exactly
13:24 < ecrist> alternatively, we could setup bind on the two vpn servers and provide failover through that
13:24 < ecrist> then, openvpn isn't assigning the addresses any more, but DHCP is
13:24 < EmperorTom> i like splitting the /24 atm, it's simple.
13:24 < ecrist> agreed
13:30  * krzee sees "our" and mlps.qwest
13:31  * ecrist wonders why that matters
13:31 < krzee> doesnt
13:31 < krzee> if anything i think its cool, i seen him around here i think but never put that together
13:31 < ecrist> if you're wondering, EmperorTom and I share an employer
13:33 < ecrist> he's really good at analyzing low-level packet issues
13:33 < EmperorTom> some days anyways.
13:34 < ecrist> first couple weeks working for us, he found our upstream provider had incorrect MTU settings.
13:34 < krzee> very nice
13:34 < krzee> mtu issues are a pita to find
13:34 < ecrist> yeah
13:35 < krzee> he'ld be the hero of many ovpn users if he made a howto diagnose / configure openvpn mtu stuffs
13:35 < EmperorTom> they not so hard to find so much as not the first thing you look for
13:35 < EmperorTom> s/they/they're/
13:36 < EmperorTom> That could probably be done. Like a flowchart/checklist sort of thing?
13:36 < ecrist> !wiki
13:36 <+vpnHelper> ecrist: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
13:37 < ecrist> something to fit in with our other docs, above, EmperorTom 
13:38 < krzee> flowchart or checklist or howto... however you see it being easier done for you
13:42 < krzee> i know it would be a great assett to the community, its a common question (one that im unable to really answer)
13:44 < EmperorTom> something specific to mtu issues should be quick and easy to write up.
13:45 < ecrist> mtu issues are very common
13:45 < ecrist> not so common as firewall issues, but in the top 5
13:46 < thordon> m4rt1n
13:47 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
13:47 < EmperorTom> Is there a general "troubleshooting" doc on SCN? If not, maybe I should just create one and add MTU as a section.
13:48 < ecrist> no, there isn't
13:48 < ecrist> it would be listed on that page I linked you
13:48 < EmperorTom> kk
13:49 -!- WormFood [~wormfood@183.38.14.120] has quit [Ping timeout: 245 seconds]
13:53 < pmow> aaand, back.
13:56 -!- WinstonSmith [~true@e177088139.adsl.alicedsl.de] has joined #openvpn
13:58 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 240 seconds]
14:12 -!- WormFood [~wormfood@183.38.14.83] has joined #openvpn
14:15 < ecrist> EmperorTom: if you write that mtu doc, we can arrange to get you your very own host cloak, if you want.
14:15 < ecrist> they're super sexy, all the nerds^H^H^H^H^Hcool people have them.
14:16  * EmperorTom is already writing it :D
14:16  * ecrist wonders what EmperorTom's boss would think if *he* knew. :D
14:17 < EmperorTom> EmperorTom doesn't do anything important on Friday's anyways, besides drink mouthwash and smoke crack in the garage.
14:19 < ecrist> true, that is company policy
14:22 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:27 < EmperorTom> and besides, this is valuable information for the next time the upstream crack-heads fsck up a VLAN setting.
14:28 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
14:32 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 276 seconds]
14:32 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
14:40 -!- RICHIH [~richih@freenode/staff/richih] has left #openvpn []
14:49 < ecrist> indeed
14:57 -!- pmow [~pmow@adsl-074-164-029-179.sip.mia.bellsouth.net] has quit [Quit: Leaving.]
15:05 < EmperorTom> hah, i created my own MTU problem in the process of coming up with an example.
15:13 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
15:27 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:38 -!- Martin` is now known as Martin
16:38 -!- Martin is now known as Guest88349
16:38 -!- x-demon [xdemon@2001:ba8:1f1:f0b8:216:5eff:fe00:135] has quit [Ping timeout: 276 seconds]
16:51 -!- x-demon [xdemon@2001:ba8:1f1:f0b8:216:5eff:fe00:135] has joined #openvpn
16:52 -!- p3rror [~mezgani@adsl196-4-107-206-196.adsl196-4.iam.net.ma] has joined #openvpn
16:58 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
17:01 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Read error: Operation timed out]
17:04 -!- p3rror [~mezgani@adsl196-4-107-206-196.adsl196-4.iam.net.ma] has quit [Read error: Connection reset by peer]
17:07 -!- olli_ [~sag@188-193-136-127-dynip.superkabel.de] has joined #openvpn
17:07 < olli_> !welcome
17:07 <+vpnHelper> olli_: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:07 < olli_> !route
17:07 <+vpnHelper> olli_: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:08 -!- Nickman is now known as Nickman_OFF
17:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
17:14 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
17:17 < olli_> !goal
17:17 <+vpnHelper> olli_: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:17 -!- WinstonSmith [~true@e177088139.adsl.alicedsl.de] has quit [Remote host closed the connection]
17:19 < krzie> ecrist, the link to forum at http://secure-computing.net/openvpn/openvpn.php needs updating
17:19 <+vpnHelper> Title: SCN: ##openvpn Policy (at secure-computing.net)
17:20 < krzie> and anywhere on that page that says the channel name still has ##
17:20 -!- WinstonSmith [~true@e177088139.adsl.alicedsl.de] has joined #openvpn
17:21 < olli_> I would like to access the network behind a client. I pushed the route to the network in the server.conf to all other clients. I added an iroute entry in ccd/client, but the other clients are not able to ping / access the network behind the specific client. Clients OS ist Win 7, firewall is completely disabled.
17:21 < krzie> !clientlan
17:21 <+vpnHelper> krzie: "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route
17:21 <+vpnHelper> krzie: for a better explanation
17:22 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
17:24 < olli_> krzie: thanks, so my only option to avoid adding the route back to the source net to the gateway / router, is to use snat, right?
17:25 < EmperorTom> krzie: fyi, beginnings of mtu article, more to come later, let me know if something is unclear, etc. http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
17:25 <+vpnHelper> Title: OpenVPN/Troubleshooting - Secure Computing Wiki (at www.secure-computing.net)
17:35 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
17:42 -!- olli_ [~sag@188-193-136-127-dynip.superkabel.de] has quit [Ping timeout: 265 seconds]
17:52 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 250 seconds]
17:57 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:13 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
18:30 -!- ccr_ [~cransom@crosstalk.atomz.com] has quit [Ping timeout: 276 seconds]
18:38 -!- zxvff_ [shahid@dev.hockingits.com] has joined #openvpn
18:50 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
18:50 -!- Guest88349 is now known as Martin`
18:53 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Quit: Távozom]
19:23 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
20:11 -!- blee [~Bryant@99-117-188-231.lightspeed.dybhfl.sbcglobal.net] has joined #openvpn
20:12 < blee> !welcome
20:12 <+vpnHelper> blee: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:12 < blee> !route
20:12 <+vpnHelper> blee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:13 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
20:27 < blee> anyone have experience with knetworkmanager's openvpn plugin/
20:28 < blee> its dong wonky things to my trouting tables
20:30 -!- ccr_ [~cransom@crosstalk.atomz.com] has joined #openvpn
20:34 -!- cpm [~Chip@dns1.daviswv.net] has joined #openvpn
20:34 -!- cpm [~Chip@dns1.daviswv.net] has quit [Changing host]
20:34 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
20:51 -!- blee [~Bryant@99-117-188-231.lightspeed.dybhfl.sbcglobal.net] has left #openvpn ["Konversation terminated!"]
20:56 < krzie> !tell blee [netman]
21:03 -!- WinstonSmith [~true@e177088139.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
21:22 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
21:43 -!- ping-pong [~qwerty@212-30-223-89.static.simnet.is] has quit [Ping timeout: 245 seconds]
21:47 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has quit [Remote host closed the connection]
21:54 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
21:56 -!- ping-pong [~qwerty@v01.vedur.is] has joined #openvpn
22:10 -!- ping-pong [~qwerty@v01.vedur.is] has quit [Ping timeout: 255 seconds]
22:21 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Remote host closed the connection]
22:28 -!- ping-pong [~qwerty@212-30-223-89.static.simnet.is] has joined #openvpn
22:48 -!- smerz [~smerz@smerz.demon.nl] has quit [Remote host closed the connection]
22:53 -!- s7r [~s7r@188.26.131.132] has joined #openvpn
22:59 < s7r> !goal
22:59 <+vpnHelper> s7r: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
--- Day changed Sat Oct 23 2010
00:36 -!- DrJ [Bacon@174.141.224.168] has quit [Remote host closed the connection]
00:48 -!- tessier [~treed@mail.copilotco.com] has quit [Changing host]
00:48 -!- tessier [~treed@kernel-panic/copilotco] has joined #openvpn
00:53 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
00:58 < krzee> EmperorTom, the mtu guide is coming along nice
01:04 -!- DrJ [Bacon@174.141.224.168] has joined #openvpn
01:59 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
02:29 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
02:29 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
02:29 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
02:34 -!- yoghi [~yoghi@78.96.157.252] has joined #openvpn
02:37 < yoghi> Hi guys, I'm trying to set up an OpenVPN server to route all client traffic, I finally got it working but my problem is I have to set up 3 clients, all 3 of them have IPs from different subnets, I tried to add one of the subnets to OpenVPN and seems that nothing is working...
02:38 < yoghi> Only if I use an IP from a subnet used on the same machine thats running the ovpn server
02:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
02:40 < Martin`> yoghi: 3 different servers running on the server?
02:40 < Martin`> the
02:40 < Martin`> then you have to bridge the devices :)
02:40 < yoghi> No, its just 1 server
02:40 < yoghi> ahhh
02:41 < yoghi> right, I can run multiple ovpn servers...yea
02:42 < yoghi> anyway, its already bridge this 1 server thats running for tests, and its not working if the subnet doesn't match with the one from the main machine
02:50 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:51 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
02:55 < krzee> huh?
02:55 < krzee> i dont see why it matters you have 3 clients
02:55 < krzee> why are you using a bridge at all?
02:55 < krzee> !redirect
02:56 <+vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
02:56 < yoghi> krzee with or without its not working, and they have 3 public IPs.
02:57 < krzee> each client has a different public ip it should use for its internet IP for its traffic leaving the server for the inet?
02:57 < krzee> as in 3 ips on the server...?
02:57 < yoghi> yes
02:58 < krzee> give each client a static ip on the vpn
02:58 < krzee> then make 3 nat rules
02:58 < krzee> !linnat
02:58 <+vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
02:58 < yoghi> mhm
02:58 < krzee> iptables -t nat -I POSTROUTING -s 10.8.0.6/32 -o eth0 -j SNAT --to <IP 1>
02:59 < krzee> iptables -t nat -I POSTROUTING -s 10.8.0.10/32 -o eth0 -j SNAT --to <IP 2>
02:59 < krzee> or whatever
03:00 < krzee> your NAT needs to do it... not openvpn's job ;]
03:01 < yoghi> if it wouldn't use only subnets it would've been possible
03:01 < yoghi> as pptp does
03:02 < krzee> !pptp
03:02 <+vpnHelper> krzee: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to read
03:02 <+vpnHelper> krzee: about why to not use pptp
03:02 < krzee> thats all i have to say about pptp
03:02 < yoghi> vpnHelper: its not using udp/tcp
03:02 <+vpnHelper> yoghi: Error: "its" is not a valid command.
03:02 < krzee> !bot
03:02 <+vpnHelper> krzee: "bot" is I'm a bot.. just a bot. krzee is my maintainer, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
03:28 -!- Dougy_ [me@tech.qsi.net] has joined #openvpn
03:30 -!- Dougy [me@openvpn/community/user/dougy] has quit [Ping timeout: 276 seconds]
03:37 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:38 < krzee> yoghi, openvpn doesnt control more than it needs to... lets the OS do everything outside of just being a vpn
03:51 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
03:51 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
03:52 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
04:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
04:02 -!- yoghi [~yoghi@78.96.157.252] has quit []
04:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
04:04 -!- buntfalke [~nobody@openvpn-p0-ipv6-10cd.triple-a.uni-kl.de] has joined #openvpn
04:04 -!- buntfalke [~nobody@openvpn-p0-ipv6-10cd.triple-a.uni-kl.de] has quit [Changing host]
04:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
04:56 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
04:57 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
05:01 < fahmad> can i use single server with tcp and udp ?
05:02 < fahmad> any one ?
05:12 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
05:15 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
05:24 -!- cpm [~Chip@dns1.daviswv.net] has joined #openvpn
05:24 -!- cpm [~Chip@dns1.daviswv.net] has quit [Changing host]
05:24 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:00 < fahmad> !hlep
06:00 <+vpnHelper> fahmad: Error: "hlep" is not a valid command.
06:00 < fahmad> !help
06:00 <+vpnHelper> fahmad: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
06:00 < fahmad> !commands
06:00 <+vpnHelper> fahmad: Error: "commands" is not a valid command.
06:00 < fahmad> !list
06:00 <+vpnHelper> fahmad: Admin, Channel, ChannelLogger, Config, Factoids, Google, Misc, Owner, Seen, Services, User, and Web
06:03 < Bushmills> nope, but you can run two servers, one listening to tcp, the other to udp
06:10 -!- fahmad [~linux@unaffiliated/fahmad] has quit [Ping timeout: 240 seconds]
06:28 -!- s7r [~s7r@188.26.131.132] has quit [Ping timeout: 245 seconds]
06:32 -!- s7r [~s7r@188.26.131.16] has joined #openvpn
06:33 -!- s7r is now known as Guest64058
06:37 -!- Guest64058 [~s7r@188.26.131.16] has quit [Ping timeout: 240 seconds]
07:34 -!- clyons [~clyons@89.100.156.210] has joined #openvpn
07:34 -!- clyons [~clyons@89.100.156.210] has quit [Changing host]
07:34 -!- clyons [~clyons@unaffiliated/clyons] has joined #openvpn
07:39 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
07:56 -!- ziroday [~nick@ubuntu/member/ziroday] has quit [Ping timeout: 245 seconds]
08:02 -!- ziroday [~nick@cm141.sigma236.maxonline.com.sg] has joined #openvpn
08:02 -!- ziroday [~nick@cm141.sigma236.maxonline.com.sg] has quit [Changing host]
08:02 -!- ziroday [~nick@ubuntu/member/ziroday] has joined #openvpn
08:03 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 255 seconds]
08:22 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
08:27 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
08:37 -!- ping-pong [~qwerty@212-30-223-89.static.simnet.is] has quit [Ping timeout: 245 seconds]
08:47 -!- ziroday [~nick@ubuntu/member/ziroday] has quit [Ping timeout: 245 seconds]
08:51 -!- ping-pong [~qwerty@v01.vedur.is] has joined #openvpn
08:52 -!- ziroday [~nick@cm141.sigma236.maxonline.com.sg] has joined #openvpn
08:53 -!- ziroday [~nick@cm141.sigma236.maxonline.com.sg] has quit [Changing host]
08:53 -!- ziroday [~nick@ubuntu/member/ziroday] has joined #openvpn
08:53 < Dougy_> rawr
09:02 -!- ping-pong [~qwerty@v01.vedur.is] has quit [Ping timeout: 245 seconds]
09:05 -!- jmdesigner81 [~julianomo@66.162.23.209.lan.static.cptelecom.net] has joined #openvpn
09:05 < jmdesigner81> hello
09:17 < Jarpse> heya
09:18 -!- ping-pong [~qwerty@212-30-223-89.static.simnet.is] has joined #openvpn
09:22 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined #openvpn
--- Log closed Sat Oct 23 09:27:53 2010
--- Log opened Sat Oct 23 09:27:58 2010
09:27 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined #openvpn
09:27 -!- Irssi: #openvpn: Total of 100 nicks [1 ops, 0 halfops, 1 voices, 98 normal]
09:28 -!- Irssi: Join to #openvpn was synced in 47 secs
09:33 -!- ziroday [~nick@ubuntu/member/ziroday] has quit [Ping timeout: 245 seconds]
10:01 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has joined #openvpn
10:15 -!- Boka [~boca@200.74.240.44] has joined #openvpn
10:15 -!- Boka [~boca@200.74.240.44] has quit [Client Quit]
10:18 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
10:18 < fahmad> hello
10:18 < fahmad> krzee: arround ?
10:19 < fahmad> can some one tell me can i use single openvpn vpn server config to listen on both tcp/udp ?
10:23 -!- jmdesigner81 [~julianomo@66.162.23.209.lan.static.cptelecom.net] has quit [Quit: jmdesigner81]
10:24 < Bushmills> my reply won't change, even if you ask 10 times
10:24 < reiffert> fahmad: the answer is: no.
10:25 < fahmad> Bushmills: oh sorry i missed your reply last time :)
10:25 < fahmad> thanks ;)
10:25 < Bushmills> http://scarydevilmonastery.net/snap/1287847521332526008d.png
10:26 < fahmad> :)
10:26 < fahmad> i got it now sir
10:26 < fahmad> thanks :)
10:26 < fahmad> brb i need to go somewhere
10:26 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
10:27 < Bushmills> check that there's paper 
10:47 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
11:00 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Read error: No route to host]
11:04 -!- WormFood [~wormfood@183.38.14.83] has quit [Read error: Operation timed out]
11:18 -!- WormFood [~wormfood@183.38.12.170] has joined #openvpn
11:25 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Read error: No route to host]
11:25 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
11:27 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- The alternative IRC client]
11:31 -!- fahmad [~linux@vpn.server4sale.com] has joined #openvpn
11:31 -!- fahmad [~linux@vpn.server4sale.com] has quit [Changing host]
11:31 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
11:57 -!- Soepstengel [~Soepsteng@unaffiliated/soepstengel] has joined #openvpn
12:20 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
12:35 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
12:40 -!- jmdesigner81 [~julianomo@66.162.23.209.lan.static.cptelecom.net] has joined #openvpn
12:51 -!- L0LI [~DB@unaffiliated/l0li] has joined #openvpn
12:52 < L0LI> !welcome
12:52 <+vpnHelper> L0LI: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:52 < L0LI> !goal
12:52 <+vpnHelper> L0LI: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:00 -!- aliverius [~george@athedsl-389561.home.otenet.gr] has joined #openvpn
13:00 < L0LI> hi, does anyone know a free vpn service that support openvpn ?
13:04 < jmdesigner81> I've got an openvpn server on ubuntu running successfully. The only problem I encounter is sometimes my connection drops and mounting a NFS drive is quite slow. Does anyone know a better way to mount a particular drive faster?
13:11 -!- jmdesigner81 [~julianomo@66.162.23.209.lan.static.cptelecom.net] has quit [Ping timeout: 250 seconds]
13:12 < krzee> L0LI, none i know of
13:12 -!- jmdesigner81 [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has joined #openvpn
13:12 < krzee> but ive also never looked
13:15 < jmdesigner81> All my music is on my server so when i connect to my server via openvpn (tunnelblick) it takes forever to mount a drive where my music files are. anyone know a better solutions?
13:17 < krzee> jmdesigner81, mounting it by ip?
13:17 < jmdesigner81> yes
13:17 < krzee> is your vpn udp / tun?
13:17 < jmdesigner81> tun
13:17 < krzee> and udp?
13:17 < jmdesigner81> hummmm yea
13:17 < krzee> tested your MTU?
13:18 < krzee> EmperorTom is writing a doc on how to troubleshoot mtu issues, i dont think it is done but here it is
13:18 < krzee> http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
13:18 <+vpnHelper> Title: OpenVPN/Troubleshooting - Secure Computing Wiki (at www.secure-computing.net)
13:24 < Bushmills> jmdesigner81, i mount the server NFS exports through autofs, and there is no appreciatable delay when mounting.
13:25 < jmdesigner81> bushmills: autofs???
13:26 < Bushmills> maybe try changing no_subtree_check or subtree_check to the resp opposite. 
13:26 < Bushmills> autofs = mounting on demand. and unmounting on inactivity
13:26 < jmdesigner81> is that in my exports file?
13:27 < Bushmills> something for lazy bums like me.    yes, in export options, those between parenthesises
13:28 < jmdesigner81> ah ok... let me look quick..
13:30 < jmdesigner81> this is what i have  /media/job/backup  10.8.0.6(rw,async,all_squash,insecure,anonuid=1000,anongid=1000)
13:30 < jmdesigner81> i dont see autofs option in my export
13:31 < Bushmills> ah, no.  no_subtree_check is option for exports.   autofs is a seperate package
13:32 < Bushmills> to be used on clients
13:32 < Bushmills> server config is not affected by autofs
13:33 < jmdesigner81> oh so it's on client. i'm using tunnelblick on mac os x.
13:34 < Bushmills> i like my tea best with ginger and cream.
13:34 < jmdesigner81> should i include no_subtree_check in my exports?
13:34 < Bushmills> worth to try
13:35 < Bushmills> though i never can remember which of the two is better for what usage condition
13:37 < jmdesigner81> i'm just experiencing an appreciatable delay when mouting. :(
13:37 < Bushmills> so it will be easy to determine which of the two makes a difference, if any
13:38 < jmdesigner81> checking NFS documents for some clarity.
13:39 < Bushmills> good idea
13:39 -!- L0LI [~DB@unaffiliated/l0li] has left #openvpn ["Leaving"]
13:40 < jmdesigner81> but what did you mean by autofs on the client?
13:41 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
13:44 < Bushmills> what do you mean by "but what did you mean by autofs on the client?"?
13:53 < thordon> eureka, es lüppt
14:21 < thordon> ecrist, krzee : thank you for your support. problem was the bridge configuration. it's working fine now.
14:27 < jmdesigner81> bridging is much more complicated to set up than tun.
14:50 -!- Nickman_OFF is now known as Nickman
14:53 -!- aliverius_ [~george@athedsl-373546.home.otenet.gr] has joined #openvpn
14:54 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
14:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
14:55 -!- aliverius [~george@athedsl-389561.home.otenet.gr] has quit [Ping timeout: 245 seconds]
14:58 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
14:59 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
15:00 -!- aliverius_ [~george@athedsl-373546.home.otenet.gr] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
15:00 -!- aliverius [~george@athedsl-373546.home.otenet.gr] has joined #openvpn
15:04 -!- Nickman is now known as Nickman_OFF
15:05 -!- thordon [~sec@ip-88-153-236-190.unitymediagroup.de] has quit [Read error: Connection reset by peer]
15:05 -!- thordon [~sec@ip-88-153-236-190.unitymediagroup.de] has joined #openvpn
15:48 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
15:51 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
15:53 < krzie> thordon, you have no reason to even use a bridge, unless you need a specific layer2 protocol you need
15:53 -!- thordon [~sec@ip-88-153-236-190.unitymediagroup.de] has quit [Ping timeout: 255 seconds]
15:54 -!- thordon [~sec@ip-88-153-236-190.unitymediagroup.de] has joined #openvpn
16:05 -!- Deffie [~Deffie@195.62.234.66] has quit [Disconnected by services]
16:32 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
16:37 -!- haploid [~haploid@8.17.170.225] has joined #openvpn
16:38 < haploid> to use a static key, the config line should just be "static <path>" correct ?
16:38 < krzie> secret <path>
16:39 < krzie> this is no good with server/client, and does not provide forward encryption
16:40 < krzie> but is good for a simple ptp link with no need for forward encryption
16:40 < haploid> ah that explains it, these docs must be out of date or wrong
16:40 < haploid> wonder where "static" caome from
16:40 < haploid> *came
16:41 < krzie> dunno what docs you're reading, but i suggest the howto
16:41 < krzie> !howto
16:41 <+vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:41 < krzie> and the manual
16:41 < krzie> !man
16:41 <+vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
16:41 < krzie> in manual under EXAMPLES they go over simple static key configs
16:42 < krzie> !learn statickey as you can use static keys by using --secret </path/to/key>
16:42 <+vpnHelper> krzie: Joo got it.
16:42 < krzie> !learn statickey as static keys only work for ptp links, not client/server.  They also do not provide forward encryption. A forward-secure encryption scheme protects secret keys from exposure by evolving the keys with time.
16:42 <+vpnHelper> krzie: Joo got it.
16:42 < krzie> !forget statickey 2
16:42 <+vpnHelper> krzie: Joo got it.
16:43 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 245 seconds]
16:43 < krzie> !learn statickey as static keys only work for ptp links, not client/server.  They also do not provide forward encryption. A forward-secure encryption scheme (such as openvpn uses with certs) protects secret keys from exposure by evolving the keys with time.
16:43 <+vpnHelper> krzie: Joo got it.
16:43 < haploid> krzie:  Using the tutorial at http://openmaniak.com/openvpn_tutorial.php
16:43 < haploid> the official HOWTO is not very clear or readable.
16:43 < haploid> anyway thanks
16:44 < krzie> theres 1000 tutorials on the net, i do not recommend any of them except the howto, or manual, or our wiki
16:44 < krzie> they tell you to do things, but dont teach you what you are doing / why
16:45 < krzie> in fact yours talks of clients and servers, but uses static keys (and doesnt even give the right command for it)... static keys can not be used in client/server mode
16:47 < krzie> and it links to the old 2.0 manpage
16:47 < krzie> instead of 2.1
16:51 < haploid> allright
16:51 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
16:52 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Quit: Távozom]
16:56 < haploid> cool, got it working
17:06 -!- thordon is now known as sirsec
17:22 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
17:22 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:51 -!- krzie [~k@openvpn/community/support/krzee] has quit [Ping timeout: 272 seconds]
17:53 -!- jmdesigner81 [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has quit [Quit: jmdesigner81]
18:00 -!- haploid [~haploid@8.17.170.225] has left #openvpn []
18:07 -!- raidzx [~Andrew@seance.openvpn.org] has joined #openvpn
18:10 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has quit [Ping timeout: 272 seconds]
18:13 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
18:23 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
18:23 -!- Trixboxer [~Trixboxer@office.supportdepartment.net] has joined #openvpn
18:23 -!- Agin [~Agin@greenzone.copyleft.no] has quit [Ping timeout: 276 seconds]
18:25 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
18:25 < Trixboxer> !welcome
18:26 <+vpnHelper> Trixboxer: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:26 < Trixboxer> !howto
18:26 <+vpnHelper> Trixboxer: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
18:29 -!- Agin [~Agin@greenzone.copyleft.no] has joined #openvpn
18:31 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
19:03 -!- Soepstengel [~Soepsteng@unaffiliated/soepstengel] has quit [Quit: Soepstengel]
19:21 -!- Trixboxer [~Trixboxer@office.supportdepartment.net] has quit [Quit: "Achievement is not the end, its the beginning of new journey !!!"]
19:35 -!- p3rror [~mezgani@adsl196-98-76-206-196.adsl196-3.iam.net.ma] has joined #openvpn
19:46 -!- nb [~nb@fedora/GSWoT.Member.nb] has quit [Read error: Connection reset by peer]
19:49 -!- nb [~nb@fedora/GSWoT.Member.nb] has joined #openvpn
19:55 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
20:41 < fipu> hi @ all
20:41 < fipu>  ./revoke-full client_name
20:41 < fipu> ist that right to deny a Client login?
20:41 < fipu> !revoke
20:42 <+vpnHelper> fipu: Error: "revoke" is not a valid command.
20:49 < fipu> should be ok...
20:49 < fipu> does someone knows a good webUI for openVPN? Which is not limited to only 2 clients?
20:57 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has joined #openvpn
20:58 < Noble> When I connect to my server which has push "redirect-gateway" enabled, the connection is live. I can connect to the server using the VPN address, but if I try to access the interwebs traffic still gets passed through the 'old' default gateway. How come?
21:03 < Noble> Intersting, i had to add --redirect-gateway local def1 to the client, that is not mentioned anywhere in the documents.
21:07 < oc80z> fipu 2 clients? are you using community software or access software
21:08 < oc80z> if you are running the openvpn server at home, perhaps you could use webmin+openvpnca 
21:14 -!- shadowscene [~Ryou@i30-23-169-109.akhb-tokyo.sghr.jp] has joined #openvpn
21:14 < shadowscene> !welcome
21:15 <+vpnHelper> shadowscene: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:15 < shadowscene> are those noticed to me or no, because i dont want to spam -.-
21:15 < shadowscene> !howto
21:15 <+vpnHelper> shadowscene: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
21:25 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
21:29 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has quit [Read error: Connection reset by peer]
21:56 -!- wooden [~anon@pdpc/supporter/active/wooden] has joined #openvpn
22:01 < wooden> i'm on a linux box and i've just connected to this openvpn and it's done something sneaky with the routing table such that i can't route to the internet at large anymore, only IPs on the vpn.  is there any way to overcome this with /sbin/route?
22:01 < wooden> http://pastie.org/private/5lrvnzjdadqoz1bafetswa  (IPs changed to protect the innocent)
22:03 < wooden> My home LAN is 192.168.1.0/24 and my gateway is 192.168.1.2.
22:07 < Bushmills> remove from openvpn config that what does something sneaky with your routing table. maybe, start by finding out what that sneaky part is.
22:09 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Quit: Yes, Virginia...]
22:15 < wooden> The first thing I did was look in the conf file for the sneaky, but I didn't find any settings related to routing.  I believe these can be pushed from serverside, however.
22:19 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:20 < Bushmills> yes. remove from *server* config what you don't want it to push
22:21 < wooden> Yeah, unfortunately I'm not an admin on that side. 
22:21 < Bushmills> read, in openvpn man page, about --route-nopull
22:22 < wooden> Thanks.  I'll check that out.
22:22 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
22:32 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 272 seconds]
22:32 -!- p3rror [~mezgani@adsl196-98-76-206-196.adsl196-3.iam.net.ma] has quit [Read error: Operation timed out]
22:34 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
22:41 -!- shadowscene is now known as ShamuTheWhale
22:47 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
22:55 -!- ShamuTheWhale is now known as shadowscene
22:55 -!- shadowscene [~Ryou@i30-23-169-109.akhb-tokyo.sghr.jp] has left #openvpn ["Leaving"]
23:01 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
23:07 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Quit: Yes, Virginia...]
23:07 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
23:20 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
--- Day changed Sun Oct 24 2010
01:25 -!- patchie [~sdf@136.81-167-201.customer.lyse.net] has quit [Ping timeout: 240 seconds]
02:34 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has quit [Read error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number]
02:35 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has joined #openvpn
03:07 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
03:18 -!- lkthomas [lkthomas@218.213.78.173] has quit []
03:31 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
03:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:40 -!- WinstonSmith [~true@f052099022.adsl.alicedsl.de] has joined #openvpn
04:21 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Ping timeout: 252 seconds]
04:22 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
04:26 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
04:32 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
04:32 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
04:32 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
04:41 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
04:41 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Ping timeout: 240 seconds]
04:44 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
04:44 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
04:44 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
04:50 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
04:55 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
04:55 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
04:55 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
04:57 -!- clyons [~clyons@unaffiliated/clyons] has quit [Ping timeout: 240 seconds]
04:59 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
05:03 -!- clyons [~clyons@89.100.156.210] has joined #openvpn
05:03 -!- clyons [~clyons@89.100.156.210] has quit [Changing host]
05:03 -!- clyons [~clyons@unaffiliated/clyons] has joined #openvpn
05:05 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
05:05 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
05:05 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
05:05 -!- WinstonSmith [~true@f052099022.adsl.alicedsl.de] has quit [Ping timeout: 252 seconds]
05:09 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Read error: Connection reset by peer]
05:15 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
05:15 -!- svm_invictvs [~patrick@75-25-168-227.lightspeed.sndgca.sbcglobal.net] has quit [Changing host]
05:15 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has joined #openvpn
05:17 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
05:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
05:39 -!- Nickman_OFF is now known as Nickman
05:43 -!- zplinux [~zplinux@213.8.57.217] has joined #openvpn
05:43 < zplinux> hi all
05:43 < zplinux> here is a wierd issue.
05:43 < zplinux> I see a client connecting using tap0 (layer 2) to my ethernet
05:44 < zplinux> I also see that host announcing the other MAC in its lan as it is a gateway
05:44 < zplinux> yet I can't access that client using ssh
05:45 < zplinux> I can't even ping that host , as I know its IP address
05:45 < zplinux> no firewalls are up
05:47 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
05:47 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
05:50 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
05:56 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Quit: Távozom]
05:56 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
06:05 < Noble> Anyone have experience with networkmanager and openvpn?
06:16 < Noble> I cant get push "redirect-gateway" to work properly. I need to add it into the clients config, and that cant be right?
06:16 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has quit [Read error: Connection reset by peer]
06:17 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has joined #openvpn
06:18 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has quit [Read error: Connection reset by peer]
06:20 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has joined #openvpn
06:22 -!- aliverius_ [~george@athedsl-372341.home.otenet.gr] has joined #openvpn
06:23 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has quit [Read error: Connection reset by peer]
06:23 -!- Nickman is now known as Nickman_OFF
06:24 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has joined #openvpn
06:26 -!- aliverius [~george@athedsl-373546.home.otenet.gr] has quit [Ping timeout: 252 seconds]
06:31 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has joined #openvpn
06:31 < Error404NotFound> If i am going to authenticate clients again PAM, do i really need different ssl certs for each client? or ssl certs at all?
06:32 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has quit [Read error: Connection reset by peer]
06:34 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has joined #openvpn
06:58 -!- ksk [~ksk@im.knubz.de] has joined #openvpn
07:14 -!- s7r [~s7r@188.27.111.202] has joined #openvpn
07:15 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
07:17 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
07:20 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 276 seconds]
07:22 -!- aliverius_ is now known as aliverius
07:26 -!- clyons [~clyons@unaffiliated/clyons] has quit [Ping timeout: 240 seconds]
07:27 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has quit [Read error: Operation timed out]
07:28 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
07:30 -!- clyons [~clyons@89.100.156.210] has joined #openvpn
07:31 -!- clyons [~clyons@89.100.156.210] has quit [Changing host]
07:31 -!- clyons [~clyons@unaffiliated/clyons] has joined #openvpn
07:31 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
07:37 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has joined #openvpn
07:40 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Quit: Távozom]
07:40 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
07:43 -!- Meliorator [m@dunnington.eu] has quit [Quit: changing servers]
07:43 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has joined #openvpn
07:43 -!- Meliorator [m@dunnington.eu] has joined #openvpn
07:53 < ecrist> Error404NotFound: if you want to encrypt your traffic, you need SSL certs.
07:54 < ecrist> that being said, you *could* share ssl certs between all your clients, but then if someone gets those certificates, they can decrypt your traffic, conceivably.
08:21 < Noble> Is traffic encrypted if I use a static key?
08:31 < |Mike|> yeh
08:35 < ecrist> you can only use a static key between two hosts, though.
08:42 -!- sirsec [~sec@ip-88-153-236-190.unitymediagroup.de] has quit [Ping timeout: 255 seconds]
08:47 -!- sirsec [~sec@ip-88-153-236-190.unitymediagroup.de] has joined #openvpn
08:52 < Noble> I see, but thats not a problem. Its just me and my server <3
08:57 -!- clyons [~clyons@unaffiliated/clyons] has quit [Ping timeout: 250 seconds]
08:59 -!- yeahbuddy [~eric@c-71-203-248-67.hsd1.tn.comcast.net] has joined #openvpn
09:00 -!- clyons [~clyons@unaffiliated/clyons] has joined #openvpn
09:01 < ecrist> then that's all you need.
09:01 < yeahbuddy> i was able to connect to my tomato router running openvpn yesterday and today i get an unable to open tun/tap dev and cannot connect.  I did not change any of the configuration.. any ideas?
09:01 < yeahbuddy> !welcome
09:02 <+vpnHelper> yeahbuddy: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:02 < yeahbuddy> !goal
09:02 <+vpnHelper> yeahbuddy: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:03 < yeahbuddy> !interface
09:03 <+vpnHelper> yeahbuddy: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
09:06 < yeahbuddy> I want to be able to reconnect my laptop to my home network.  It worked yesterday.   The server is running file the laptop gives a tun error when i do openvpn /etc/openvpn/config.conf
09:06 <+vpnHelper> RSS Update - forum: Server Administration :: Re: Max simultaneous client connections :: Reply by swautier <https://forums.openvpn.net/viewtopic.php?f=4&t=7188&p=8188#p8188>
09:10 < Bushmills> yeahbuddy, read the "a tun error" carefully, then take steps to instruct your operating system to provide the environment that openvpn has no reason to complain "a tun error" any longer.
09:13 < yeahbuddy> does this channel has a pastebin?  Note: Cannot ioctl TUNSETIFF tun21: Device or resource busy (errno=16)
09:14 < yeahbuddy> *have
09:17 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
09:17 < ecrist> yeahbuddy: not an official one, no
09:18  * ecrist considers gettingone
09:20 < yeahbuddy> i can paste my config files and the error.  It worked great yesterday and this morning it refuses to connect.
09:21 < ecrist> !pb
09:21 <+vpnHelper> ecrist: Error: "pb" is not a valid command.
09:21 < ecrist> !learn pb as http://openvpn.pastebin.ca
09:21 <+vpnHelper> ecrist: Joo got it.
09:24 < yeahbuddy> http://openvpn.pastebin.ca/1971873 
09:25 < ecrist> looks to me like an instance of openvpn may already be running
09:26 < yeahbuddy> so top and kill all openvpn and try again?
09:32 < yeahbuddy> updated the post with client and server config files  didn't find openvpn running
09:33 < ecrist> yeahbuddy: make sure the service isn't running, as well.
09:33 < ecrist> do you 'have' a TAP adapter installed?
09:34 < yeahbuddy> i installed openvpn with apt-get so it is default.  i didn't manually add any adapter
09:35 < yeahbuddy> the client stopped with service openvpn stop.. 
09:36 < yeahbuddy> restarted and it is working again.  i feel stupid now.  Thanks
09:37 < ecrist> no problem.
09:37 < ecrist> sorry, for some reason I was thinking you were on Windows.
09:37 < yeahbuddy> for samba to work across it then each subnet must have different workgroup names and only one master.  is that correct?
09:38 < ecrist> no, samba should negotiate master properly, but I'd make sure to setup WINS correctly
09:38 < ecrist> the folks in #samba can give you more specifics
09:39 < yeahbuddy> ok.. thanks again
09:47 < sirsec> and now it does not work again.
09:47  * sirsec is going to jump out of the window
09:50 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:02 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
10:03 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Ping timeout: 240 seconds]
10:07 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has quit [Read error: Connection reset by peer]
10:09 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has joined #openvpn
10:29 < zplinux> hi ecrist
10:29 < ecrist> hello
10:30 < zplinux> assuming my client connects to my server using layer 2
10:30 < zplinux> and assume I see it connect and announce the mac addresses on the client lan
10:30 < zplinux> what could be the casue I can't ssh to it?
10:31 < zplinux> on the server tap0 is apart of a bridge and also on the client tap0 is part of a bridge
10:31 < zplinux> assuming firewalls are off
10:37 < ecrist> well, layer 2 doesn't provide TCP or IP, and you need that for ssh to work.
10:37 < ecrist> I assume you have an IP, though?
10:47 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
10:48 < zplinux> sorry for the delay
10:48 < zplinux> I got and IP address on both sides
10:48 < zplinux> as I said, they are ports of a bridge with a static address 
10:49 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
10:53 < reiffert> you said that those interfaces are part of a bridge.
10:53 <+vpnHelper> RSS Update - forum: Configuration :: Re: [server] Inactivity timeout (--ping-restart), restarting :: Reply by ... <https://forums.openvpn.net/viewtopic.php?f=6&t=7181&p=8190#p8190>
10:54 < zplinux> reiffert: on the server and on the client I got a tap0 device
10:54 < reiffert> zplinux: however, are you able to see packets arriving at that bridges?
10:55 < zplinux> in both pcs I got br0 a bridge that one of its ports is tap0
10:56 < zplinux> reiffert: no I dont see packets coming in (maybe I should tcpdump -i tap0) I do see arp annoucing on openvpn.log
10:56 < zplinux> and I see that connection is established
10:56 -!- sde [~SDE@93-97-41-44.zone5.bethere.co.uk] has quit [Read error: Connection reset by peer]
10:57 < reiffert> see them leaving the clients interface?
11:00 < zplinux> no
11:01 < zplinux> it is so odd, I run arp -a and I see the client host name - without an ip address
11:01 < zplinux> btw, it used to work fine, but I did edit some system scripts
11:02 < zplinux> what is the first log I should be looking for?
11:02 < zplinux> tcpdump -i tap0 on client?
11:05 -!- WormFood [~wormfood@183.38.12.170] has quit [Ping timeout: 245 seconds]
11:15 < reiffert> your backup.
11:16 -!- atan [~atan@unaffiliated/atan] has quit [Quit: Leaving]
11:17 -!- WormFood [~wormfood@183.38.13.198] has joined #openvpn
11:36 < zplinux> reiffert: I am sorry but what is the backup , in this case?
11:36 < zplinux> how to use it?
11:39 < reiffert> "18:01 < zplinux> btw, it used to work fine, but I did edit some system scripts"
11:39 < reiffert> undo your editing := restore your backup.
11:40 < zplinux> hmm, sorry this is not an option in this case...
11:40 < zplinux> the problem in this case is that the vpn is an encrypted channel
11:40 < zplinux> so I can't just tcpdump it content and see what is wrong
11:41 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
11:41 < zplinux> I need to listen to it as soon as connection is establishs and see why it is blocking communication 
12:01 < zplinux> ok
12:01 < zplinux> bye bye
12:01 -!- zplinux [~zplinux@213.8.57.217] has quit [Remote host closed the connection]
12:07 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
12:07 -!- clyons [~clyons@unaffiliated/clyons] has quit [Quit: Leaving]
12:13 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 255 seconds]
12:16 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
12:18 -!- julianomoreira [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has joined #openvpn
12:19 < julianomoreira> Hello
12:21 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
12:21 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Read error: Connection reset by peer]
12:28 < julianomoreira> i'm running openvpn behind a corporate firewall. openvpn works fine but it drops connection every 10 min. anyone knows how to resolve this issue?
12:29 -!- julianomoreira is now known as jmdesigner81
12:34 < reiffert> !factoids search keep
12:34 <+vpnHelper> reiffert: No keys matched that query.
12:34 < reiffert> !factoids search alive
12:34 <+vpnHelper> reiffert: No keys matched that query.
12:34 < reiffert> !factoids search --values alive
12:34 <+vpnHelper> reiffert: No keys matched that query.
12:34 < reiffert> !factoids search --values keep
12:34 <+vpnHelper> reiffert: "kiss" is Keep It Simple Stupid
12:34 < reiffert> jmdesigner81: check the manpage, see keep alive.
12:35 < jmdesigner81> reiffert: openvpn manpage?
12:35 < reiffert> !man
12:35 <+vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
12:40 -!- jmdesigner81_ [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has joined #openvpn
12:40 < jmdesigner81_> sorry just got disconnected
12:41 -!- jmdesigner81 [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has quit [Ping timeout: 252 seconds]
12:41 -!- jmdesigner81_ is now known as jmdesigner81
12:47 < jmdesigner81> this is what i have in my server.conf "keepalive option 10 120" 
12:59 < jmdesigner81> what should i change to?
13:00 < reiffert> maybe to --go-and-ask-the-corporate-firefwall-admin-if-his-firewall-does-such-bad-things 1
13:01 < jmdesigner81> reiffert: i can't do that. asking the admin is not an option. however, before i set up openvpn on my server i was using ssh to create a tunnel. I had the same issue at first but i was change the port and it was good
13:08 -!- jmdesigner81 [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has quit [Ping timeout: 252 seconds]
13:09 -!- sirsec [~sec@ip-88-153-236-190.unitymediagroup.de] has quit [Ping timeout: 265 seconds]
13:11 -!- sirsec [~sec@ip-88-153-236-190.unitymediagroup.de] has joined #openvpn
13:16 -!- sirsec [~sec@ip-88-153-236-190.unitymediagroup.de] has quit [Ping timeout: 240 seconds]
13:16 -!- jmdesigner81 [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has joined #openvpn
13:16 < jmdesigner81> changed the keepalive option to 10 60
13:16 < jmdesigner81> hopefully i'll be connected longer.
13:19 < jmdesigner81> anyone has any idea???
13:20 < reiffert> jmdesigner81: ssh is a tcp connection
13:21 < reiffert> jmdesigner81: be aware that recent openssh nowadays supports vpn as well.
13:22 < jmdesigner81> reiffert: i know that. I was using that swtiched to openvpn which works pretty good except at work where i get disconnected quite a bit.
13:41 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
13:42 -!- sirsec [~sec@ip-88-153-236-190.unitymediagroup.de] has joined #openvpn
13:58 -!- jmdesigner81 [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has quit [Read error: Connection reset by peer]
13:58 -!- jmdesigner81 [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has joined #openvpn
14:08 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
14:28 -!- s7r [~s7r@188.27.111.202] has quit [Ping timeout: 240 seconds]
14:29 -!- s7r [~s7r@AC81CA6C.ipt.aol.com] has joined #openvpn
14:29 -!- s7r is now known as Guest17109
14:31 -!- WinstonSmith [~true@g225029003.adsl.alicedsl.de] has joined #openvpn
14:38 -!- jmdesigner81 [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has quit [Quit: jmdesigner81]
14:44 -!- Nickman_OFF is now known as Nickman
14:47 -!- yeahbuddy [~eric@c-71-203-248-67.hsd1.tn.comcast.net] has quit [Ping timeout: 252 seconds]
14:47 -!- Guest17109 [~s7r@AC81CA6C.ipt.aol.com] has quit [Ping timeout: 255 seconds]
14:48 -!- B45h_V| [~niklaus@90-168-213-213.static.zapp.ch] has joined #openvpn
14:48 < B45h_V|> hey people. I got some (basic) knowledge about networking (sub-net-mask calculation and stuff), but I never did anything with 'bridged-connections'. I'm wondering now, how long would it take me to setup a open-vpn-server on Ubuntu server with a good tutorial. hour? day? week?
14:49 -!- B45h_V| [~niklaus@90-168-213-213.static.zapp.ch] has quit [Quit: leaving]
14:50 -!- B45h_V| [~niklaus@90-168-213-213.static.zapp.ch] has joined #openvpn
14:51 -!- B45h_V| [~niklaus@90-168-213-213.static.zapp.ch] has quit [Client Quit]
14:52 -!- variable [~variable@unaffiliated/variable] has left #openvpn ["Trojan horse ran out of hay"]
14:59 -!- me345 [~me345@adsl-75-15-185-21.dsl.bkfd14.sbcglobal.net] has joined #openvpn
15:02 -!- yeahbuddy [~eric@c-71-203-248-67.hsd1.tn.comcast.net] has joined #openvpn
15:16 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
15:23 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
15:39 -!- aliverius [~george@athedsl-372341.home.otenet.gr] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
15:41 < Dougy_> krzie: 
15:41 < Dougy_> did you see brock lesnar get his face beat in/
15:43 -!- me345 [~me345@adsl-75-15-185-21.dsl.bkfd14.sbcglobal.net] has quit [Remote host closed the connection]
15:52 < krzie> sure did
15:52 < krzie> i liked velasquez, didnt bet it tho
15:53 < krzie> instead i bet jake shields and matt hamill
15:53 < krzie> (both winners)
16:02 -!- nat2610 [~nfelsen@adsl-99-185-243-218.dsl.pltn13.sbcglobal.net] has quit [Read error: Operation timed out]
16:06 -!- sirsec [~sec@ip-88-153-236-190.unitymediagroup.de] has quit [Read error: Connection reset by peer]
16:10 < Dougy_> krzie: good call
16:10 < Dougy_> i dont watch ufc much
16:10 -!- sirsec [~sec@ip-88-153-236-190.unitymediagroup.de] has joined #openvpn
16:22 -!- yeahbuddy [~eric@c-71-203-248-67.hsd1.tn.comcast.net] has quit [Ping timeout: 252 seconds]
16:23 -!- Nickman is now known as Nickman_OFF
16:38 -!- apedongle [mike@vps-2a01-4f8-101-1c1-b23f-f6e5.twenty-five.nl] has joined #openvpn
16:40 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
16:47 -!- |Mike| [mike@2001:1af8:2:444::2] has quit [Quit: leaving]
16:49 -!- apedongle is now known as |Mike|
16:51 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
17:03 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
17:03 -!- WinstonSmith [~true@g225029003.adsl.alicedsl.de] has quit [Ping timeout: 250 seconds]
17:04 -!- aliverius [~george@athedsl-371890.home.otenet.gr] has joined #openvpn
17:06 -!- |Mike| [mike@vps-2a01-4f8-101-1c1-b23f-f6e5.twenty-five.nl] has quit [Quit: leaving]
17:09 -!- mikeh [mike@vps-2a01-4f8-101-1c1-b23f-f6e5.twenty-five.nl] has joined #openvpn
17:12 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
17:14 -!- mikeh [mike@vps-2a01-4f8-101-1c1-b23f-f6e5.twenty-five.nl] has quit [Client Quit]
17:14 -!- |Mike| [mike@vps-2a01-4f8-101-1c1-b23f-f6e5.twenty-five.nl] has joined #openvpn
17:15 -!- |Mike| [mike@vps-2a01-4f8-101-1c1-b23f-f6e5.twenty-five.nl] has quit [Client Quit]
17:16 -!- |Mike| [mike@vps-2a01-4f8-101-1c1-b23f-f6e5.twenty-five.nl] has joined #openvpn
17:22 -!- |Mike| [mike@vps-2a01-4f8-101-1c1-b23f-f6e5.twenty-five.nl] has quit [Quit: leaving]
17:23 -!- MWinther [~mw@100-197-96-87.cust.blixtvik.se] has joined #openvpn
17:24 -!- |Mike| [mike@vps-2a01-4f8-101-1c1-b23f-f6e5.twenty-five.nl] has joined #openvpn
17:24 -!- |Mike| [mike@vps-2a01-4f8-101-1c1-b23f-f6e5.twenty-five.nl] has quit [Client Quit]
17:24 -!- |Mike| [mike@vps-2a01-4f8-101-1c1-b23f-f6e5.twenty-five.nl] has joined #openvpn
17:24 -!- |Mike| [mike@vps-2a01-4f8-101-1c1-b23f-f6e5.twenty-five.nl] has quit [Client Quit]
17:25 -!- |Mike| [mike@vps-2a01-4f8-101-1c1-b23f-f6e5.twenty-five.nl] has joined #openvpn
17:26 < |Mike|> sorry for the join/quits :)
17:29 < krzie> s'ok
17:30 < reiffert> is it debatable?
17:31 < krzie> sure
17:31 < krzie> ;]
17:41 < hyper_ch> krzie: http://i.imgur.com/NwB5F.jpg
17:42 < reiffert>  :)
17:42 -!- WinstonSmith [~true@g225029003.adsl.alicedsl.de] has joined #openvpn
18:03 -!- WinstonSmith [~true@g225029003.adsl.alicedsl.de] has quit [Ping timeout: 265 seconds]
18:09 -!- patrick-- [~patrick@netsplit.me] has joined #openvpn
18:10 < patrick--> Hey, i want to setup a VPN connection from my homeserver to my online server which holds multiple static ip adresses, to assign my homeserver one of those to be available through via the internet. how would i proceed? is there any specific tutorial?
18:10 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
18:17 -!- WinstonSmith [~true@f052100202.adsl.alicedsl.de] has joined #openvpn
18:20 < ecrist> patrick--: the best way to do this, unless you have multiple IP blocks is to setup the vpn server, and create a private network behind the vpn, assign a static address to the vpn client and create a binat rule in your firwall for one of those 'real' IPs.
18:20 < ecrist> if you try to assign the IP directly, you could end up with a situation where you're creating conflicting routes.
18:21 < patrick--> phew
18:21 < patrick--> okay
18:21 < ecrist> I don't know of any particular how to that covers this specific setup.
18:21 < patrick--> ive had this setup back in the day. where the "client" connected to the rootserver and was assinged a tap interface with a public ip
18:22 < ecrist> yeah, it can be done, but you can't do it with a single ip block.
18:23 < patrick--> what do you mean by single block?
18:23 < ecrist> a contiguous block of IPs
18:23 < ecrist> like a /29 from your ISP
18:23 < ecrist> if you had two /29, it's easier
18:23 < ecrist> but you need to have the second block setup to route to your vpn server
18:23 < patrick--> mhh
18:24 < patrick--> i have a single ip + /29 block
18:24 < ecrist> what happens if you don't is you end up with a chicken/egg issue where the vpn tries to route the vpn connection over itself.  that doesn't work well
18:24 < patrick--> ah
18:25 < ecrist> is your 'single' ip completely different from your /29?
18:25 < patrick--> okay
18:25 < patrick--> yes
18:25 < ecrist> ok, so that IP needs to be your vpn server IP, and the /29 needs to be routed to that single IP
18:25 < patrick--> the entire net?
18:25 < ecrist> then it's just a matter of creating the vpn config
18:26 < patrick--> basically the /29 ip's are virtual interfaces on the machine now
18:26 < patrick--> eth0:X
18:26 < ecrist> then that should qualify
18:26 < patrick--> right
18:27 < ecrist> easy enough
18:28  * Bushmills thinks it is less a chicken-and-egg problem but more one of the kind "how to load your car into its own trunk"
18:29 < patrick--> that doesnt sound very... primising...
18:29 < patrick--> promising*
18:44 < ecrist> Bushmills: I like that way of putting things
18:45 < Bushmills> chicken and egg is solved.  fish was before chicken. from fish came eggs. much later. from eggs came chicken.
18:45 < krzie> lol Bushmills, nice
18:46 < krzie> car into own trunk issue solved in the movie transformers
18:47 < Bushmills> can't call it "solved" just by pointing to a fictional tv show
18:47 < Bushmills> same way you could say that faster than light travel has been solved too now
18:48 < Bushmills> after all, many movie spaceships demonstrate it
18:52 < patrick--> not only :D
19:06 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
19:06 < ecrist> learning c++ is hard.  someone do it for me
19:06 < krzie> yup, it was solved in star trek
19:07 < ecrist> actually, if you want to get really geeky, faster than light travel is *not* solved.
19:07 < ecrist> warp travel involved near-light speeds through a warped version of space, which makes it _appear_ as though it's faster than light.
19:08 < krzie> lol
19:08 < patrick--> you know, you really DO deserve a slap for this :D
19:10 -!- MWinther [~mw@100-197-96-87.cust.blixtvik.se] has quit [Ping timeout: 255 seconds]
19:11 < krzie> who deserves a slap is denver
19:11 < krzie> for letting oakland kick their ass so hard
19:11 < krzie> thats the difference between me winning the office pool, and nothing
19:20 -!- jmdesigner81 [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has joined #openvpn
19:24 -!- patrick-- [~patrick@netsplit.me] has left #openvpn []
19:55 < Dougy_> krzie: you has a day job in the island you live on?
19:55 < Dougy_> holy SHIt
19:55 < Dougy_> 59-14?
19:55 < Dougy_> LOLOLOL
19:59 < krzie> i do
20:00 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
20:15 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
20:16 < jmdesigner81> need help with my vpn. i get disconnected every 10 min. tried changing the keepalive but still happens. any idea?
20:19 < krzie> do you have 2 clients running with the same certs?
20:20 < krzie> does your server log give any clue as to what is happening...?
20:24 < krzie> !client-connect
20:24 <+vpnHelper> krzie: "client-connect" is --client-connect <script>, runs script on client connection. This can be useful for generating firewall rules dynamicly, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamicly... to use it that way, you should write your dynamic ccd commands to the file named by $1.
20:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
20:43 < jmdesigner81> krzie: where do i look at the log?
20:44 < jmdesigner81> krzie: openvpn log?
20:46 < krzie> !logfile
20:46 <+vpnHelper> krzie: "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info
21:05  * ecrist is tired of crazy bitch wife.  Not her, really, just the fact that _all_ women are crazy bitches and on any given day, they go fucking crazy
21:08 -!- aliverius_ [~george@athedsl-377075.home.otenet.gr] has joined #openvpn
21:12 -!- aliverius [~george@athedsl-371890.home.otenet.gr] has quit [Ping timeout: 276 seconds]
22:05 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has quit [Remote host closed the connection]
22:23 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:50 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has joined #openvpn
23:04 -!- aliverius_ [~george@athedsl-377075.home.otenet.gr] has quit [Ping timeout: 240 seconds]
23:05 -!- aliverius [~george@athedsl-378581.home.otenet.gr] has joined #openvpn
23:49 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
23:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
--- Day changed Mon Oct 25 2010
00:04 -!- jmdesigner81 [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has quit [Quit: jmdesigner81]
00:11 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Read error: Operation timed out]
--- Log closed Mon Oct 25 00:22:27 2010
--- Log opened Mon Oct 25 00:22:35 2010
00:22 -!- ecrist_ [~ecrist@kenny.secure-computing.net] has joined #openvpn
00:22 -!- Irssi: #openvpn: Total of 98 nicks [0 ops, 0 halfops, 1 voices, 97 normal]
00:23 -!- Irssi: Join to #openvpn was synced in 61 secs
00:23 -!- ecrist [~ecrist@openvpn/community/support/ecrist] has quit [Ping timeout: 265 seconds]
00:29 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
00:53 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Remote host closed the connection]
01:01 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
01:17 -!- ondrejk [~ondrejk@188.246.102.117] has joined #openvpn
01:18 < ondrejk> hello, how is possible to list expire date of certificates signed for using in openvpn?
01:18 < krzee> prolly somewhere here:
01:19 < krzee> !certinfo
01:19 <+vpnHelper> krzee: "certinfo" is run `openssl x509 -in <file> -noout -text` for info from your cert file
01:19 < ondrejk> krzee: thank you
01:19 < krzee> np
01:21 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
01:30 -!- dazo_afk is now known as dazo
01:38 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:41 -!- Nickman_OFF is now known as Nickman
01:42 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Quit: Left the building]
01:43 -!- dazo [~dazo@nat/redhat/x-gwtzbgdzbpodfmei] has joined #openvpn
01:43 -!- dazo [~dazo@nat/redhat/x-gwtzbgdzbpodfmei] has quit [Changing host]
01:43 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
01:43 -!- mode/#openvpn [+o dazo] by ChanServ
01:44 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Client Quit]
01:44 -!- dazo [~dazo@nat/redhat/x-hayvtpwyyvbwblbg] has joined #openvpn
01:44 -!- dazo [~dazo@nat/redhat/x-hayvtpwyyvbwblbg] has quit [Changing host]
01:44 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
01:45 -!- mode/#openvpn [+o dazo] by ChanServ
01:46 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has quit [Read error: Connection reset by peer]
02:06 -!- lampe [~lampe@82.100.209.66] has quit [Ping timeout: 250 seconds]
02:10 -!- ambro718 [~ambro@BSN-77-101-149.dsl.siol.net] has joined #openvpn
02:17 -!- lampe [~lampe@82.100.209.66] has joined #openvpn
02:23 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Remote host closed the connection]
02:34 < theDoc> Question, is there a way to "figure" out ipv6 destinations and route them over the vpn server automatically?
02:35 -!- CheBuzz_ [~CheBuzz_H@173-116-16-76.pools.spcsdns.net] has joined #openvpn
02:35 < CheBuzz_> Does anybody know of some small form factor hardware dedicated to running OpenVPN?
02:36 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
02:37 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
02:38 < Nickman> wrt routers? :)
02:40 < ambro718> most embedded routers are too slow to be useful for a decently fast VPN
02:40 < CheBuzz_> Go for the obvious solution.  :)  No, I'm thinking of something smaller, without the wifi hardware.   Ideally something that could run off a lipo battery for a couple days.
02:42 < CheBuzz_> Something simple, along the lines of Cisco's VPN concentrators.  That has two ethernet ports labeled - Public  Network and Private Network (or something similar)
02:43 < CheBuzz_> In other words, configure everything and then take it anywhere and plug it in.
02:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
02:43 < ambro718> CheBuzz_: OpenRD ( http://www.open-rd.org/ ) has two ethernet ports and is probably fast enough, but I'm not sure it meets your size requirement
02:43 <+vpnHelper> Title: Open-RD.org (at www.open-rd.org)
02:44 < ambro718> CheBuzz_: also there is the SheevaPlug, but it might be problematic because it has only one ethernet port, and limited internal flash storage
02:45 < CheBuzz_> ambro718: Yes, a bit big.  But that may have to work if there aren't any other solutions.
02:45 < CheBuzz_> Of course, this could be the next DIY project for me...
02:46 < ambro718> also there is the TS-7800 http://www.embeddedarm.com/products/board-detail.php?product=TS-7800 . I own that one and it works well, but it might be a bit too slow, and you'd need a USB network card
02:46 <+vpnHelper> Title: TS-7800 Embedded Computer – Rugged & Reliable, 500 Mhz, FPGA (at www.embeddedarm.com)
02:50 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
02:51 < ambro718> if I remember correctly, the TS-7800 can send data at about 1 MB/s through OpenVPN
03:02 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Ping timeout: 276 seconds]
03:03 < ambro718> I've just published an open source project that implements a peer-to-peer VPN. If anyone is interested, see http://code.google.com/p/badvpn/
03:03 <+vpnHelper> Title: badvpn - Project Hosting on Google Code (at code.google.com)
03:08 < roentgen> ambro718: any comparison with openvpn?
03:09 < roentgen> or put it this way: why would I try badvpn if I already have openvpn?
03:10 < ambro718> roentgen: badvpn uses a peer-to-peer arcitecture, where the peers communicate via a central server. Any peer that connects will automatically establish direct connections to all other. In openvpn you can't do that AFAIK.
03:10 <@dazo> CheBuzz_: http://www.globalscaletechnologies.com/t-guruplugdetails.aspx or http://www.soekris.com/  might be some alternatives?
03:10 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
03:10 <+vpnHelper> Title: GuruPlug Server (at www.globalscaletechnologies.com)
03:11 < ambro718> roentgen: it is also easier to work with NATs and firewalls because of its "address scopes" feature
03:11 < ambro718> roentgen: all the features are on the wiki
03:11 <@dazo> CheBuzz_: I forgot Beagleboard as well http://beagleboard.org/
03:11 <+vpnHelper> Title: BeagleBoard.org - default (at beagleboard.org)
03:13 <@dazo> hmmm ... Beagleboard do not support NIC's ... that's a pity
03:14 <@dazo> (only via USB, though)
03:16 < roentgen> ambro718: thanks for the insights then
03:22 < CheBuzz_> dazo, ambro718: Thanks for the suggestions.  I'll take a look.
03:28 -!- ondrejk [~ondrejk@188.246.102.117] has quit [Quit: leaving]
03:32 < kisom> i hate mondays
03:33 < kisom> i'm also writing a new resume, during work time
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:39 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
03:48 -!- Xen^ [~linux@vpn.server4sale.com] has joined #openvpn
03:50 -!- fahmad [~linux@unaffiliated/fahmad] has quit [Ping timeout: 265 seconds]
04:12 -!- Phenox_ [~Bernd@88.215.198.24] has joined #openvpn
04:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
04:46 -!- lampe [~lampe@82.100.209.66] has quit []
04:57 -!- CheBuzz_ is now known as CheBuzz_Home
04:58 < ambro718> is it possible that TAP-Win32 is causing my windows 7 system to crash?
05:00 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
05:02 < krzee> with the high number of people using windows 7 with openvpn, and the infrequency i have heard that question, i doubt it
05:10 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
05:23 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
05:23 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
05:23 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:44 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has joined #openvpn
05:51 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
06:26 < reiffert> ambro718: sure, it's possible.
06:28 < Bushmills> in the sense of "nobody will claim that it is impossible"
06:29 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
06:30 < reiffert> while being there, what's the negation of: "When rain falls, the street gets wet"?
06:35 < Bushmills> hm "fog lifted from the street, leaving it all dusty"
06:35 < Bushmills> or, "ascended"
06:36 < Bushmills> maybe mist instead of fog
06:39 -!- clyons [~clyons@109.76.192.67] has joined #openvpn
06:39 -!- clyons [~clyons@109.76.192.67] has quit [Changing host]
06:39 -!- clyons [~clyons@unaffiliated/clyons] has joined #openvpn
06:40 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
06:42 < hyper_ch> Bushmills: what are you trying to say?
06:43 < ecrist_> g'morning
06:49 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Read error: Operation timed out]
06:53 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
07:08 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
07:17 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
07:24 -!- Xen^ [~linux@vpn.server4sale.com] has quit []
07:40 -!- [intra]lanman [~lanman@12.200.95.45] has joined #openvpn
07:40 -!- [intra]lanman [~lanman@12.200.95.45] has quit [Changing host]
07:40 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
07:45 -!- CheBuzz_Home [~CheBuzz_H@173-116-16-76.pools.spcsdns.net] has quit [Ping timeout: 276 seconds]
07:51 <+vpnHelper> RSS Update - forum: Configuration :: Re: Routing problem :: Reply by russellmd <https://forums.openvpn.net/viewtopic.php?f=6&t=7126&p=8191#p8191>
07:55 -!- You're now known as ecrist
07:57 -!- clyons [~clyons@unaffiliated/clyons] has quit [Quit: Leaving]
08:12 -!- EmperorTom [~EmperorTo@174-30-252-228.mpls.qwest.net] has quit [Ping timeout: 252 seconds]
08:28 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Remote host closed the connection]
08:29 -!- STF_ [~chatzilla@dslb-084-061-163-233.pools.arcor-ip.net] has joined #openvpn
08:29 -!- STF_ [~chatzilla@dslb-084-061-163-233.pools.arcor-ip.net] has quit [Client Quit]
08:29 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 255 seconds]
08:36 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
08:40 -!- LeRrA [~lerra@c-9b9872d5.029-136-73746f3.cust.bredbandsbolaget.se] has quit [Ping timeout: 276 seconds]
08:47 -!- SOG [~SOG@222.125.227.167] has joined #openvpn
08:51 -!- Boka [~boca@200.74.240.44] has joined #openvpn
08:51 < Boka> !seen davidj
08:51 <+vpnHelper> Boka: I have not seen davidj.
08:52 -!- Boka [~boca@200.74.240.44] has quit [Client Quit]
08:52 < Dougy_> .
08:57 <+vpnHelper> RSS Update - forum: Pay OpenVPN Service Provider Reviews/Comments :: Re: [Free VPN] VPN Steel :: Reply by RedRaider <https://forums.openvpn.net/viewtopic.php?f=21&t=7137&p=8189#p8189>
09:13 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Remote host closed the connection]
09:15 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
09:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
09:41 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
09:46 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
09:48 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has joined #openvpn
10:02 -!- ksk [~ksk@im.knubz.de] has quit [Ping timeout: 265 seconds]
10:05 -!- ksk [~ksk@im.knubz.de] has joined #openvpn
10:08 -!- EmperorTom [~EmperorTo@184-97-183-97.mpls.qwest.net] has joined #openvpn
10:09 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Remote host closed the connection]
10:10 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
10:14 -!- jmdesigner81 [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has joined #openvpn
10:15 < jmdesigner81> i'm getting disconnected from my openvpn every 10 minutes. does anyone know how to fix it?
10:17 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Ping timeout: 272 seconds]
10:27 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
10:32 -!- LeRrA [~lerra@c-d09872d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined #openvpn
10:36 < ecrist> --keepalive?
10:41 -!- it [~it@93.31.156.226] has joined #openvpn
10:41 < it> hi all
10:41 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 272 seconds]
10:42 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined #openvpn
10:46 < it> I need some help for an understandable problem.... I have a main server running ucarp for failover with a slave server, this works correctly for all services except openvpn... When I try to use ucarp (that creates a virtual interface named eth0:ucarp serving as primary interface), openvpn writes a lot of bad things in my syslog 
10:46 < it> Oct 25 14:36:10 colibri ovpn-tsf[2662]: france2/192.168.0.253:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
10:46 < it> Oct 25 14:36:10 colibri ovpn-tsf[2662]: france2/192.168.0.253:1194 TLS Error: TLS handshake failed
10:46 < it> Oct 25 14:36:11 colibri ovpn-tsf[2662]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
10:46 < ecrist> no poasting in here, it
10:47 < ecrist> ECONNREFUSED is a firewall issue
10:47 < it> there is no firewall between my servers
10:48 < it> that are on the same lan, and behind the firewall
10:48 < it> iptables is disabled
10:48 < it> no rules, and defaults values at ACCEPT
10:48 < it> servers are linked on the same switch
10:49 < ecrist> ok, but ECONNREFUSED means the connection is refused.
10:49 < ecrist> also, you can't fail openvpn over like you do a web server, etc, as there is SSL state information that's not shared between your carp hosts.
10:49 < ecrist> there are plans for openvpn 3.0 to support such a thing, but that currently isn't the case.
10:49 < it> When I disable ucarp and create a virtual interface named eth0:0 with the normal IP of eth0 (at this moment eth0 is configured with another ip that is not its normal one), the same messages appears
10:50 < it> ok ecrist
10:50 < it> but, even when I restart both server and clients it's the same
10:50 < it> is it normal ?
10:50 < ecrist> no, it's not
10:50 < ecrist> !configs
10:50 <+vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
10:50 < ecrist> !logs
10:50 <+vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
10:50 < it> ok
10:50 -!- jmdesigner81 [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has quit [Read error: Connection reset by peer]
10:51 -!- jmdesigner81 [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has joined #openvpn
10:51 < ecrist> !pb
10:51 <+vpnHelper> ecrist: "pb" is http://openvpn.pastebin.ca
10:51 < ecrist> !forget pb
10:51 <+vpnHelper> ecrist: Joo got it.
10:52 < ecrist> !learn pb as Use our pastebin to post configs and logs at http://openvpn.pastebin.ca rather than posting to the channel.
10:52 <+vpnHelper> ecrist: Joo got it.
10:52 < ecrist> !pb
10:52 <+vpnHelper> ecrist: "pb" is Use our pastebin to post configs and logs at http://openvpn.pastebin.ca rather than posting to the channel.
10:52 < it> I have to extract my ovpn output from my syslog...
10:52 < ecrist> ok
10:53 < it> Do you need also "Current Parameter Settings: blah blah blah" ?
11:00 -!- dazo is now known as dazo_afk
11:02 -!- Nickman is now known as Nickman_OFF
11:02 -!- malchias [~uce@174-17-193-198.phnx.qwest.net] has joined #openvpn
11:03 < malchias> !welcome
11:03 <+vpnHelper> malchias: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:03 < malchias> !goal
11:03 <+vpnHelper> malchias: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:04 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
11:05 -!- WormFood [~wormfood@183.38.13.198] has quit [Ping timeout: 276 seconds]
11:06 < malchias> Hi.  I'd like to setup a debian server to be my trusted browsing source with the main 2 purposes of adding a bit more security for certain transactions (prevent cookie sniffing at hotspots) and hiding my connection (at least initial hops and DNS queiries) from my ISP.   Can openvpn do this?  I have a debian server with a public IP.
11:15 -!- jmdesigner81 [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has quit [Ping timeout: 252 seconds]
11:18 -!- WormFood [~wormfood@183.39.101.11] has joined #openvpn
11:20 < it> ecrist: Do you need also all the "Current Parameter Settings blah blah" with the server logs ?
11:22 -!- jmdesigner81 [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has joined #openvpn
11:23 < it> ecrist: logs are there : http://pastebin.com/LR0UUU6w
11:44 -!- clyons [~clyons@188.141.1.237] has joined #openvpn
11:44 -!- clyons [~clyons@188.141.1.237] has quit [Changing host]
11:44 -!- clyons [~clyons@unaffiliated/clyons] has joined #openvpn
11:51 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
11:59 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
12:05 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Read error: Operation timed out]
12:12 -!- malchias [~uce@174-17-193-198.phnx.qwest.net] has quit []
12:15 -!- jmdesigner81_ [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has joined #openvpn
12:15 -!- jmdesigner81 [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has quit [Read error: Connection reset by peer]
12:15 -!- jmdesigner81_ is now known as jmdesigner81
12:15 <+vpnHelper> RSS Update - forum: Installation Help :: Re: LAN-to-LAN Possible? :: Reply by struct <https://forums.openvpn.net/viewtopic.php?f=5&t=7202&p=8192#p8192>
12:16 -!- budmang [4caa7e05@gateway/web/freenode/ip.76.170.126.5] has joined #openvpn
12:16 < jmdesigner81> ecrist: what setting should i use in keepalive?
12:16 < ecrist> not sure what you have now
12:17 -!- aliverius [~george@athedsl-378581.home.otenet.gr] has quit [Read error: Operation timed out]
12:17 -!- aliverius [~george@athedsl-378581.home.otenet.gr] has joined #openvpn
12:17 < budmang> I have 600 clients connected to my openvpn(working perfectly). though if we connect to eachother or anything within the network, it shows the VPN server IP, as the connecting ip, instead of our vpn ip. IE: Our VPN jabber server, shows us connecting from 172.16.1.1 instead of 172.16.1.110(my local vpn ip).
12:17 < budmang> Is this a quick fix? or possible :) I swear it used to(before I did a large version jump.
12:18 < ecrist> yep, quick fix
12:18 < ecrist> quit using nat 
12:18 < ecrist> ;)
12:18 < budmang> We dont use the internet through the vpn server, so I dont need nat..
12:19 < jmdesigner81> ecrist: i did keepalive 2 30 and still didnt work. any other thing you can think of?
12:19 < it> bye bye guys
12:19 -!- it [~it@93.31.156.226] has quit [Quit: Quitte]
12:21 < ecrist> budmang: if your non-vpn systems are seeing vpn users all coming from the vpn server, you guys are using nat
12:22 < ecrist> it's not a part of openvpn config, but of the server config, check your firewall
12:22 < ecrist> I think we recommend 10 120
12:22 < ecrist> or 60 120
12:22 < ecrist> !keepalive
12:22 <+vpnHelper> ecrist: Error: "keepalive" is not a valid command.
12:27 -!- x-demon [xdemon@2001:ba8:1f1:f0b8:216:5eff:fe00:135] has quit [Read error: Operation timed out]
12:28 < budmang> whats the difference in a server.conf file, from a route, and push route?
12:31 -!- x-demon [xdemon@2001:ba8:1f1:f0b8:216:5eff:fe00:135] has joined #openvpn
12:32 < ecrist> well, you need both
12:32 < ecrist> push sends that route to the clients that connect
12:32 < Bushmills> you push config of those items you want the remote to take, instead of the local box
12:32 < ecrist> route means you want openvpn process to route for that subnet
12:32 < budmang> Thank, you.
12:33 < budmang> is their any way to set which TUNX a openvpn process will get?
12:33 < budmang> cause shorewall, is nating to all my tuns, but I can turn it off on the employee one, which doesnt need nat.
12:33 < hyper_ch> hi Bushmills
12:33 < hyper_ch> hi ecrist
12:33 < Bushmills> hi hyper_ch 
12:35 < ecrist> budmang: yes, instead of dev tun, use dev tun0 or whatever
12:35 < budmang> Nice, youve helped me tons.
12:41 -!- raidzx is now known as raidz
12:41 -!- raidz [~Andrew@seance.openvpn.org] has quit [Changing host]
12:41 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has joined #openvpn
12:41 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has left #openvpn ["Leaving"]
12:41 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has joined #openvpn
12:42 -!- mode/#openvpn [+o raidz] by ChanServ
12:44 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
12:52 -!- mode/#openvpn [+o vpnHelper] by ChanServ
12:52 -!- Irssi: #openvpn: Total of 108 nicks [3 ops, 0 halfops, 0 voices, 105 normal]
12:55 -!- iMn00b [4a5f4219@gateway/web/freenode/ip.74.95.66.25] has joined #openvpn
12:56 < iMn00b> f
12:56 < iMn00b> l
12:56 < iMn00b> o
12:56 < iMn00b> o
12:56 < iMn00b> d
12:56 < iMn00b> d
12:56 -!- iMn00b was kicked from #openvpn by vpnHelper [Flooding detected. Please us http://openvpn.pastbin.ca for posting logs or configs.]
12:56 -!- iMn00b [4a5f4219@gateway/web/freenode/ip.74.95.66.25] has joined #openvpn
12:57 < iMn00b> sorry
12:57 < iMn00b> for
12:57 < iMn00b> the
12:57 < iMn00b> flood
12:57 < iMn00b> guys
12:57 < iMn00b>  
12:57 < iMn00b> j
12:57 < ecrist> stupid bot
12:57 < ecrist> one more time
12:58 < iMn00b> f
12:58 < iMn00b> l
12:58 < iMn00b> o
12:58 < iMn00b> o
12:58 < iMn00b> d
12:58 < iMn00b> d
12:58 < iMn00b> d
12:58 < iMn00b> d
12:58 -!- mode/#openvpn [+b *!4a5f4219@*gateway/web/freenode/ip.74.95.66.25] by vpnHelper
12:58 -!- iMn00b was kicked from #openvpn by vpnHelper [Repeated flooding! You've repeatedly flooded this channel. Please come back later.]
12:58 < ecrist> neato
12:58 <@raidz> hehe
12:59 <@raidz> ecrist is vpnhelper an eggdrop bot?
13:00 < ecrist> I don't know why it didn't kick for the second flood attempt
13:00 < ecrist> no, supybot
13:00 < ecrist> just added the FloodPrevent plugin  (that was me testing it)
13:02 < ecrist> it should automatically unban after 300 seconds
13:03 -!- mode/#openvpn [-b *!4a5f4219@*gateway/web/freenode/ip.74.95.66.25] by vpnHelper
13:03 < jmdesigner81> ecrist: keepalive 60 120 is default and it gets dropped still. 
13:04 < ecrist> then it sounds like a UDP state issue in your firewall.
13:05 < ecrist> if you're using pf, something like this in your config will help: 
13:05 < ecrist> set timeout { udp.first 300, udp.single 150, udp.multiple 900 }
13:05 -!- puchu [~puchu@unaffiliated/puchu] has joined #openvpn
13:08 < jmdesigner81> ecrist: in my pf? what do u mean?
13:09 < jmdesigner81> ecrist: sorry for my ignorance.
13:10 < ecrist> firewall, if you use pf
13:18 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
13:19 < jmdesigner81> ecrist: what is pf?
13:19 < krzee> hey cool
13:19 < krzee> vpnHelper has learned to do more than help
13:19 <@vpnHelper> krzee: Error: "has" is not a valid command.
13:20 < krzee> pf is the openbsd packet filter, which was adopted by freebsd and i think netbsd
13:22 < jmdesigner81> krzee: oh ok but what does ecrist means by saying if i use pf.
13:22 < jmdesigner81> not very clear.
13:22 < ecrist> if you don't know, you don't use it
13:23 < krzee> pf is a firewall, seems you dont use it
13:23 < puchu> hi
13:25 < ecrist> krzee: you like vpnHelper's new role? :)
13:25 < krzee> yup
13:26 < krzee> [14:03]  <jmdesigner81> ecrist: keepalive 60 120 is default and it gets dropped still. 
13:26 < krzee> there is no default
13:26 < krzee> unless you had put that in your server.conf...
13:26 < ecrist> krzee: I think it might be default for his monowall or whatever he's using
13:27 < krzee> ahh
13:27 -!- jmdesigner81_ [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has joined #openvpn
13:27 -!- jmdesigner81 [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has quit [Read error: Connection reset by peer]
13:27 -!- jmdesigner81_ is now known as jmdesigner81
13:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
13:28 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
13:36 -!- Kottizen [kottizen@unaffiliated/icanhasfreenode] has joined #openvpn
13:36 < Kottizen> !welcome
13:36 < Kottizen> !goel
13:36 <@vpnHelper> Kottizen: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:36 <@vpnHelper> Kottizen: Error: "goel" is not a valid command.
13:36 < Kottizen> !goal
13:36 <@vpnHelper> Kottizen: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:36 < Kottizen> oh
13:38 < Kottizen> Ok, hello people. I have started a VPN server at 171.25.159.40 and it's up and running. I can access the web administration. I'd like to connect to my VPN server now. I use KDE, but it doesn't work. I don't get any speicific error message. Here's what I've got: http://img52.imageshack.us/my.php?image=plasmadesktopdc1896.png
13:38 <@vpnHelper> Title: Imageshack - plasmadesktopdc1896.png (at img52.imageshack.us)
13:49 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
13:50 < ecrist> Kottizen: are you using access server?
13:50 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
13:50 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
13:51 < Kottizen> ecrist: yes, I think so
13:51 < ecrist> we don't support that here.  you'll have to look to the commercial support from OpenVPN Technologies
13:51 < krzee> #4 here
13:51 < krzee> !AS
13:51 < ecrist> we *do* support the open source client/server here.
13:51 <@vpnHelper> krzee: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations options
13:51 < Kottizen> uhm
13:51 <@vpnHelper> krzee: supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
13:51 < Kottizen> what do you support?
13:51 < Kottizen> I downloaded the .deb file from openvpn.org
13:51 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
13:51 < krzee> !download
13:51 <@vpnHelper> krzee: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
13:52 < krzee> we support that one
13:52 < Kottizen> oh ok
13:53 < Kottizen> ehh
13:53 < Kottizen> I don't know what I did but it works
14:03 -!- jmdesigner81 [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has quit [Ping timeout: 252 seconds]
14:04 -!- EmperorTom [~EmperorTo@184-97-183-97.mpls.qwest.net] has quit [Quit: In your base, killing your dudes.]
14:04 -!- EmperorTom [~EmperorTo@184-97-183-97.mpls.qwest.net] has joined #openvpn
14:09 -!- EmperorTom [~EmperorTo@184-97-183-97.mpls.qwest.net] has quit [Client Quit]
14:09 -!- EmperorTom [~EmperorTo@184-97-183-97.mpls.qwest.net] has joined #openvpn
14:27 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
14:37 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:46 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 252 seconds]
14:53 -!- JPeterson [~JPeterson@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- s0 d4Mn l33t |t'z 5c4rY!]
14:58 -!- takamichi [~pri@78.133.38.192] has quit [Read error: Connection reset by peer]
14:59 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
15:17 -!- le0 [~fin@82.132.243.45] has joined #openvpn
15:17 -!- le0 [~fin@82.132.243.45] has quit [Changing host]
15:17 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
15:26 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
15:43 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
15:47 -!- buntfalke_ is now known as buntfalke
15:47 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Read error: Connection reset by peer]
15:47 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
15:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
16:04 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.11/20101012113537]]
16:11 -!- Joelio [~joel@lcw-212-23-5-1.zen.co.uk] has quit [Remote host closed the connection]
16:23 -!- puchu [~puchu@unaffiliated/puchu] has quit [Remote host closed the connection]
16:24 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Remote host closed the connection]
16:49 -!- ambro718 [~ambro@BSN-77-101-149.dsl.siol.net] has quit [Quit: Leaving.]
16:56 -!- Sephen [~Sephen@proxy5.med-web.com] has joined #openvpn
16:58 < Sephen> I have a problem, where I'm connecting to openvpn on an alias interface on my system. eth0=192.168.1.1, eth0:0=192.168.2.1. tcpdump show me connection to 192.168.2.1, but the udp reply comes back as 192.168.1.1.. How do I get openvpn to respect the right correct IP? (It needs to be able to listen and respond on both IPs, correctly).
16:58 < Sephen> I have also tried this with a dummy interface, but it made no difference.
17:08 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:08 < Sephen> !welcome
17:08 <@vpnHelper> Sephen: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:09 < Sephen> !goal
17:09 <@vpnHelper> Sephen: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:09 < Sephen> !iporder
17:09 <@vpnHelper> Sephen: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
17:15 < Sephen> It seems my problem may need to be fixed in code. If any of openvpn's devs are here, they should read the comment in the man page for tftpd: http://man.cx/tftpd(8)
17:16 <@vpnHelper> Title: tftpd manpage - man.cx (at man.cx)
17:17 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
17:21 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
17:25 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Read error: Connection reset by peer]
17:32 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
17:45 <@vpnHelper> RSS Update - forum: Server Administration :: cipher AES-256-CBC :: Author rossi2000 <https://forums.openvpn.net/viewtopic.php?f=4&t=7208&p=8193#p8193>
17:46 < Sephen> I see openvpn 2.1.3 supports multihoming. Is there some trick to make that work?
17:48 < ecrist> !multihome
17:48 <@vpnHelper> ecrist: Error: "multihome" is not a valid command.
17:48 < ecrist> Sephen: I don't recall the state of multihoming.  check the man page
17:52 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:54 < Sephen> Ah ha.. Google paid off. :)
18:00 -!- WinstonSmith [~true@f052100202.adsl.alicedsl.de] has quit [Read error: Connection reset by peer]
18:03 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
18:13 -!- Sephen [~Sephen@proxy5.med-web.com] has quit [Quit: Leaving]
18:17 -!- WinstonSmith [~true@e177089144.adsl.alicedsl.de] has joined #openvpn
18:34 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
18:40 -!- budmang [4caa7e05@gateway/web/freenode/ip.76.170.126.5] has quit [Quit: Page closed]
18:50 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
19:09 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
19:26 -!- SOG [~SOG@222.125.227.167] has quit [Quit: SOG]
19:51 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
19:56 -!- budmang [4caa7e05@gateway/web/freenode/ip.76.170.126.5] has joined #openvpn
19:57 < budmang> ecrist: you in?
19:57 < budmang> Ive set the dev tun9 in the openvpn config. when I restart and connect, I can connect no errors, but I cant ping/connect to anything on the vpn....(I have it set to tun9 so the firewall does not nat it).
19:57 < ecrist> budmang: yes
19:58 < ecrist> best to simply ask your questions.
19:58 < ecrist> is there a tun9?
19:58 < ecrist> is that tun9 bridged to the rest of the network as you'd expect?
19:58 -!- Smirnov [~igor@about/csharp/ms/clrjit/smirnov] has left #openvpn []
19:59 < budmang> I doubt it, I just made up tun9
19:59 < budmang> in the config, netstat -rn shows the normal routes for tun9
20:00 -!- CheBuzz_Home [~CheBuzz_H@173-116-16-76.pools.spcsdns.net] has joined #openvpn
20:02 < ecrist> can two vpn clients ping eachother?
20:02 < budmang> As a vpn client I cant ping the vpn server ip 172.16.1.2
20:02 < ecrist> the server IP is likely 172.16.1.1
20:02 < ecrist> not .2
20:03 < budmang> its both, but I know hwat you mean.
20:09 < ecrist> !/30
20:09 <@vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
20:10 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
20:12 < budmang> all clients are pushed ips static
20:12 < budmang> each ccd
20:13 < budmang> i get my ip
20:14 < budmang> and routes, just doesnt route when set to dev9
20:14 < theDoc> krzie: Are you around?
20:15 -!- WinstonSmith [~true@e177089144.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
20:21 < krzie> wassup doc (buggs bunny voice)
20:25 < theDoc> krzie: Hehehe, I wanted to ask something about a 6to4 tunnel with openvpn.
20:25 < theDoc> Do you happen to know anything about it?:)
20:25 < theDoc> krzie: I'm wondering how to configure iptables to deal with it right.
20:25 < theDoc> I have the 6to4 tunnel from HE.net working just fine, just figuring out how to get it to work nice with iptables etc.
20:26 < ecrist> ipv6 is supported in 2.2beta3, iirc
20:27 < theDoc> ecrist: Upstream doesn't have ipv6 blocks or at least, can't assign it to me at the moment thus a tunnel broker.
20:28 < ecrist> sure, but you can get a /48 from HE, and use a block for your VPN
20:28 < ecrist> they *will* route that for you
20:28 < ecrist> no need for a 6to4
20:28  * ecrist uses HE, so he knows
20:28 < theDoc> Ah, they will?
20:29 < theDoc> ecrist: Do you happen to have a guide on this? I'm fairly new to v6 and openvpn.
20:31 < ecrist> nope, I don't use IPv6 on OpenVPN yet
20:31 <@vpnHelper> RSS Update - forum: Server Administration :: Re: draft HOWTO "Use a Windows CA with OpenVPN" :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7173&p=8194#p8194>
20:31 < ecrist> I do use it on my home network, though.
20:31 < theDoc> Oh hm.
20:31 < theDoc> right.
20:32 < theDoc> I don't think openvpn-as is capable of dealing with ipv6 natively yet.
20:32 < theDoc> So I'm going to attempt this tunnel broker thing and get iptables to just push protocol 41 stuff out of my end of the tunnel, sounds about right.
20:33 < ecrist> we don't support AS here.
20:34 < theDoc> ecrist: Yes, I know. :p
20:39 -!- Sivart [~Travis@cle-bb-cable2-ws-85.dsl.airstreamcomm.net] has joined #openvpn
20:40 < Sivart> what can I put in my client config to automatically reconnect if disconnected and keep trying so my clients always stay connected?
20:40 < ecrist> --resolve-retry or something similar
20:40 < ecrist> !man
20:40 <@vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
20:43 < Sivart> thx
20:48 < krzie> theDoc, 
20:48 < krzie> as far as how to configure the ipv6 side of things
20:48 < krzie> !ipv6
20:48 <@vpnHelper> krzie: "ipv6" is (#1) http://www.greenie.net/ipv6/openvpn.html for ipv6 payload patch (adds some nice ipv6 options), or (#2) see !snapshots for a release with ipv6 patches in it, report how it works to help it get included in a stable release
20:48 < krzie> see #1 for the config options to use
20:49 < theDoc> amen.
20:49 < krzie> and use the beta that ecrist mentioned (awesome, i didnt know it was in the beta!!!) to be able to use them
20:49 < theDoc> krzie: I was also looking for appropriate iptables rules :P
20:49 < krzie> im not a linux guy
20:49 < krzie> i just play one on tv
20:49 < krzie> !google iptables ipv6
20:49 <@vpnHelper> krzie: IPv6 iptables firewall (Linux Reviews): <http://linuxreviews.org/features/ipv6/iptables/>; 43.9.6. IPTables and IPv6: <http://www.centos.org/docs/5/html/5.2/Deployment_Guide/s1-ip6tables.html>; Blocking IPv6 Traffic with iptables: <http://www.cipherdyne.org/blog/2009/07/iptables-script-update-logging-and-ipv6-issues.html>
20:52 -!- s7r [~s7r@66.199.231.250] has joined #openvpn
20:57 < s7r> can i connect from the same computer to 2 clients at the same time ? (have 2 tap adapters on the same machine) ?
20:57 < krzie> sure
20:58 < krzie> but you mean to 2 servers
20:58 < s7r> 2 servers yes, but in both configs it's push redirect-gateway
20:58 < krzie> heh
20:58 < s7r> what gateway i will have for internet than, the first vpn's or the seconds?
20:58 < krzie> why would you do / want to do that
20:59 < krzie> whichever is second... assuming it works
20:59 < s7r> thank you
20:59 < krzie> im not 100% that 2 with redirect-gateway will work
20:59 < krzie> but it may
21:00 < krzie> and if it does, i think the second will be tunneled through the first
21:00 < krzie> so if either goes down you lose your tunnel to inet
21:00 < krzie> and it will be plenty slower than without
21:02 < s7r> yes, you are right. thanks
21:02 < s7r> some other thing
21:03 < s7r> i have a server with windows on it, and i have a openvpn connection established on it (the windows server is the client). in the config, it is redirect-gateway . the server has the vpn ip, if i open a webpage i have the vpn ip, etc. but i can access the server both if i type the vpn ip or it's own default IP
21:03 < s7r> how come
21:04 < krzie> without a route (outside of the vpn) to the server's inet IP, you cant sustain a connection to the vpn ;)
21:04 < krzie> so use vpn ip for a secure connection to the server, otherwise you bypass the vpn
21:05 < s7r> yes i know, i just wanted to know if it is normal for the server to respond on both its own IP and the vpn IP
21:05 < krzie> the vpn server?
21:05 < s7r> no, it acts like a client
21:06 < krzie> then pls stop calling it a server
21:06 < krzie> its confusing ;]
21:06 < s7r> i was saying it has windows server OS installed on it
21:07 < s7r> it acts like a client
21:07 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
21:07 < krzie> thats fine, pls stop saying that
21:07 < s7r> and it can be accessed both from vpn ip, and it's own ip
21:07 < s7r> is this normal?
21:07 < krzie> no
21:07 < krzie> its not
21:08 < s7r> what could be the problem
21:09 < krzie> if you dont want it to respond on the public ip, use your firewall
21:09 < krzie> usually people come here saying they WANT what you are saying
21:09 < krzie> making what you have happen is harder
21:09 < s7r> :)))
21:09 < krzie> i have no idea why its doing that, but its easy to fix
21:09 < krzie> (firewall(
21:09 < s7r> understood. thanks
21:10 < s7r> i just wanted to know if it's normal
21:10 < s7r> it's not affecting me in any way
21:10 < s7r> i will leave it like this
21:10 < krzie> nope, normally your responses would go over the vpn
21:10 < krzie> so they would arrive from a different address (your vpn ip)
21:11 < krzie> unless of course you have a more specific route to the host that you are responding to
21:11 < krzie> (such as with your LAN)
21:12 -!- roothorick [~roothoric@cpe-107-10-78-185.new.res.rr.com] has joined #openvpn
21:12 < roothorick> the data going over the connection is itself encrypted, right?
21:12 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined #openvpn
21:13 < s7r> yes
21:20 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has quit [Remote host closed the connection]
21:24 -!- WinstonSmith [~true@e177089144.adsl.alicedsl.de] has joined #openvpn
21:26 < ecrist> theDoc: freebsd tree has weekly devel snapshots, too. :)
21:27 < ecrist> so, even if something's too new for the beta, it's buildable
21:27 < ecrist> !snapshots
21:27 < theDoc> ecrist: Awesome. 
21:27 <@vpnHelper> ecrist: "snapshots" is (#1) weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn, or (#2) by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch
21:27 < ecrist> !beta
21:27 <@vpnHelper> ecrist: Error: "beta" is not a valid command.
21:35 -!- CheBuzz_Home [~CheBuzz_H@173-116-16-76.pools.spcsdns.net] has left #openvpn ["Leaving"]
21:42 < Sivart> can anyone point me to a guide for doing a DNS setup, basically I want to be able to access my clients by hostname from the server so ssh user@client name instead of ssh user@virtualip
22:11 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:18 -!- s7r [~s7r@66.199.231.250] has quit []
22:30 < budmang> Sivart: you have to setup a process of things.
22:31 < budmang> dns server, push the dns server to your clients, have the dns server updated with the connected clients nicknames/virtualip to a matching A record.
22:31 < budmang> using connect-scripts or whatever, or an external cron/script.
22:50 < ecrist> Sivart: set static IPs and set DNS to those.
23:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
23:20 -!- EmperorT1m [~EmperorTo@174-30-240-185.mpls.qwest.net] has joined #openvpn
23:22 -!- EmperorTom [~EmperorTo@184-97-183-97.mpls.qwest.net] has quit [Ping timeout: 276 seconds]
23:26 < roothorick> Sivart: or you could go the easy way out. Specify IPs using ccd/<hostname> and map them to hostnames using /etc/hosts
23:26 < roothorick> ....what ecrist said, basically
23:26 < roothorick> it's what I do in my VPN
23:27 < roothorick> speaking of, I need to update my hosts
23:35 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
23:42 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
--- Day changed Tue Oct 26 2010
00:00 -!- twister004 [~chatzilla@59.90.34.167] has joined #openvpn
00:01 < twister004> hi there everybody..... I need to connect to my network using openvpn ... what setup is ideal for me?.. routed or bridged?
00:01 < twister004> basically, i need to connect to a file server on the network
00:01 -!- mutex [~mutex@67-23-13-54.static.slicehost.net] has joined #openvpn
00:01 < mutex> Hi, my openvpn server suddently does not set an IP to its tap device
00:02 < twister004> i tried the bridged approach.. my client machine gets an IP on the same subnet, but cannot ping any device
00:15 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Read error: Operation timed out]
00:15 < twister004> guys.. any idea?
00:16 < twister004> should I try using the routed approach?.. or should i try the bridged?
00:17 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined #openvpn
00:18 < mutex> twister004: are you sure you don't have any firewalls ?
00:18 < mutex> I actually think that the tap setup is easier
00:19 < mutex> so I added the 'ifconfig <server tap ip> <subnet mask>' seems to do the trick
00:20 < mutex> make sure you have logging turned on, an verbose of 4 or more
00:27 -!- roothorick [~roothoric@cpe-107-10-78-185.new.res.rr.com] has quit [Quit: leaving]
00:27 < twister004> mutex...i have a router(ubuntu) which has shorewall
00:28 < twister004> mutex.. i have set iptables such that openvpn traffic is allowed
00:30 < twister004> mutex...on the client, the gateway becomes the bridge interface ip on the openvpn server
00:30 < twister004> is that correct?
00:30 < mutex> yeah
00:30 < mutex> turn off shorewall and give it a try
00:30 < mutex> get it working with everything off, then do the complicated stuff ;-)
00:35 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
00:38 < twister004> mutex.. the worst part is, itwas working somedays back
00:50 -!- Agin [~Agin@greenzone.copyleft.no] has quit [Ping timeout: 240 seconds]
--- Log closed Tue Oct 26 00:59:01 2010
--- Log opened Tue Oct 26 00:59:07 2010
00:59 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined #openvpn
00:59 -!- Irssi: #openvpn: Total of 97 nicks [3 ops, 0 halfops, 0 voices, 94 normal]
00:59 < Bushmills> !goal
00:59 <@vpnHelper> Bushmills: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:00 -!- Irssi: Join to #openvpn was synced in 57 secs
01:02 -!- WinstonSmith [~true@e177089144.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
--- Log closed Tue Oct 26 01:12:46 2010
--- Log opened Tue Oct 26 05:40:20 2010
05:40 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined #openvpn
05:40 -!- Irssi: #openvpn: Total of 98 nicks [3 ops, 0 halfops, 0 voices, 95 normal]
05:40 !asimov.freenode.net [freenode-info] channel flooding and no channel staff around to help? Please check with freenode support: http://freenode.net/faq.shtml#gettinghelp
05:41 -!- Irssi: Join to #openvpn was synced in 57 secs
05:41 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has joined #openvpn
05:45 -!- pingufan [~rainer@89-104-9-115.customer.bnet.at] has quit [Remote host closed the connection]
05:54 -!- budmang [4caa7e05@gateway/web/freenode/ip.76.170.126.5] has quit [Ping timeout: 265 seconds]
05:58 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
06:02 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
06:11 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
06:15 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
06:19 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
06:22 <@vpnHelper> RSS Update - forum: Server Administration :: network problem, openVPN cant connect to server eith any con :: Author ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7209&p=8196#p8196>
06:28 <@vpnHelper> RSS Update - forum: Server Administration :: openVPN connection can never stablished on my VPS :: Author chakoshi <https://forums.openvpn.net/viewtopic.php?f=4&t=7209&p=8196#p8196>
07:03 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
07:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
07:11 -!- g0tcha` [~efnet@167-122.105-92.cust.bluewin.ch] has joined #openvpn
07:13 -!- g0tcha [~efnet@167-122.105-92.cust.bluewin.ch] has quit [Ping timeout: 245 seconds]
07:16 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
07:19 -!- ambro718 [~ambro@BSN-77-101-149.dsl.siol.net] has joined #openvpn
07:20 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
07:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
07:26 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
07:28 -!- twister004 [~chatzilla@117.204.132.129] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.11/20101012113537]]
07:30 -!- Sivart [~Travis@cle-bb-cable2-ws-85.dsl.airstreamcomm.net] has joined #openvpn
07:35 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
07:46 <@vpnHelper> RSS Update - forum: Server Administration :: Re: VPN SSL portal? :: Reply by greeg <https://forums.openvpn.net/viewtopic.php?f=4&t=7192&p=8197#p8197>
07:52 <@vpnHelper> RSS Update - forum: Cert / Config management :: using the openvpn pki for other stuff :: Author greeg <https://forums.openvpn.net/viewtopic.php?f=22&t=7210&p=8198#p8198>
08:42 < g0tcha`> hey guys, im planning to buy a scanner, can someone advice me if this is a good scanner or not http://prodimex.ch/pInfos.aspx?CODE=B27H02
08:42 <@vpnHelper> Title: PRODIMEX eShop | Votre magasin online (at prodimex.ch)
08:42 < g0tcha`> uh wrong chan
08:48 < ecrist> :)
08:59 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
09:17 -!- g0tcha [~efnet@167-122.105-92.cust.bluewin.ch] has joined #openvpn
09:19 -!- g0tcha` [~efnet@167-122.105-92.cust.bluewin.ch] has quit [Ping timeout: 252 seconds]
09:47 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
09:59 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Read error: Operation timed out]
10:07 -!- ucekpolish [user@hq.ostc-pl.com] has joined #openvpn
10:10 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
10:28 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: Selected trafic which goes into the VPN :: Reply by libove <https://forums.openvpn.net/viewtopic.php?f=15&t=7166&p=8199#p8199>
10:33 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
10:45 -!- s7r [~s7r@66.199.231.250] has joined #openvpn
10:46 -!- jmdesigner81 [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has joined #openvpn
10:46 < s7r> !route
10:46 <@vpnHelper> s7r: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:46 < jmdesigner81> i have an openvpn running behind a corporate network which drops every 10 min. does anyone know how to make a stable connection?
10:49 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:50 -!- s7r [~s7r@66.199.231.250] has quit []
10:51 < ambro718> jmdesigner81: try "keepalive 10 60" on the server
10:52 < jmdesigner81> ambro718: i'll try that but i believe i already tried.
10:55 -!- jmdesigner81_ [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has joined #openvpn
10:55 -!- jmdesigner81 [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has quit [Read error: Connection reset by peer]
10:55 -!- jmdesigner81_ is now known as jmdesigner81
11:00 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
11:04 -!- Nickman is now known as Nickman_OFF
11:05 -!- WormFood [~wormfood@183.39.101.11] has quit [Ping timeout: 250 seconds]
11:08 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
11:12 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
11:14 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Remote host closed the connection]
11:18 -!- WormFood [~wormfood@183.38.12.61] has joined #openvpn
11:21 <@vpnHelper> RSS Update - forum: Configuration :: Server without tun/tap interface - only client2client? :: Author Fireball <https://forums.openvpn.net/viewtopic.php?f=6&t=7211&p=8200#p8200>
11:30 < Bushmills> reiffert, right
11:33 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
11:34 -!- ninjai [~quassel@79.169.119.66.static.metrobridge.net] has joined #openvpn
11:37 < ninjai> I set up an openvpn server in ubuntu server 8.04.  Clients connect with a 10.0.0.x IP address.  Whenever a client connects, the bridge breaks or something because I can't ping the server from within the lan it's supposed to be in (192.168.x.x, the lan I'm in).  Here is my config:  http://pastebin.com/DTQmTLzg
11:38 < ninjai> also, this is a windows XP sp2 box connecting
11:39 -!- ambro718 [~ambro@BSN-77-101-149.dsl.siol.net] has quit [Ping timeout: 276 seconds]
11:39 < ninjai> !goal
11:39 <@vpnHelper> ninjai: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:40 < ninjai> !welcome
11:40 <@vpnHelper> ninjai: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:42 < ninjai> openvpn server is in lan, so is windows xp sp2 box... but i don't see how this could kill all connections to the openvpn server entirely (http, ssh, etc)
11:44 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
11:47 < ninjai> anybody alive out there?
11:50 -!- ambro718 [~ambro@BSN-77-101-149.dsl.siol.net] has joined #openvpn
11:50 -!- ambro718 [~ambro@BSN-77-101-149.dsl.siol.net] has quit [Client Quit]
11:51 -!- jmdesigner81 [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has quit [Read error: Connection reset by peer]
11:51 -!- jmdesigner81_ [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has joined #openvpn
11:54 < jmdesigner81_> tried keepalive 10 60 but it still drops
11:54 -!- jmdesigner81_ [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has quit [Client Quit]
11:55 -!- jmdesigner81 [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has joined #openvpn
12:04 -!- ninjai [~quassel@79.169.119.66.static.metrobridge.net] has quit [Remote host closed the connection]
12:06 -!- dazo is now known as dazo_afk
12:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 272 seconds]
12:31 -!- le0 [~fin@82.132.139.191] has joined #openvpn
12:31 -!- le0 [~fin@82.132.139.191] has quit [Changing host]
12:31 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
12:40 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
12:44 -!- WormFood [~wormfood@183.38.12.61] has quit [Ping timeout: 276 seconds]
12:49 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
12:52 < jmdesigner81> so
12:53 < jmdesigner81> sorry. but my vpn works poorly. IRC protocol works but i cant use HTTP protocol or ping any sites.... anyidea?
12:53 < jmdesigner81> i'm behind a corporate firewall... does anyone have any idea whats going on?
13:00 < krzee> tested your mtu?
13:00 < krzee> if not, go to the wiki / troubleshooting page
13:00 < krzee> !wiki
13:00 <@vpnHelper> krzee: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
13:01 < krzee> and you can try this too:
13:01 < krzee> !mtu
13:01 <@vpnHelper> krzee: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
13:01 < krzee> also are you using udp and tun?
13:01 < jmdesigner81> using tun
13:01 < jmdesigner81> oh wait
13:01 < jmdesigner81> let me check
13:03 < jmdesigner81> dev tun
13:03 < krzee> and udp...?
13:03 < jmdesigner81> i'm using dev tun on the client
13:04 < jmdesigner81> on the server it says proto udp
13:04 < krzee> and the rest of what i said...?
13:04 < jmdesigner81> krzee: on the server says proto udp and client says dev tun
13:05 < jmdesigner81> krzee: what did you say?
13:05 < krzee> [14:00]  <krzee> tested your mtu?
13:05 < krzee> [14:00]  <krzee> if not, go to the wiki / troubleshooting page
13:05 < krzee> [14:00]  <krzee> !wiki
13:05 < krzee> [14:00]  <vpnHelper> krzee: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
13:05 < krzee> [14:01]  <krzee> and you can try this too:
13:05 < krzee> [14:01]  <krzee> !mtu
13:05 <@vpnHelper> Title: OpenVPN - Secure Computing Wiki (at www.secure-computing.net)
13:05 < krzee> [14:01]  <vpnHelper> krzee: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
13:05 -!- krzee was kicked from #openvpn by vpnHelper [Flooding detected. Please use http://openvpn.pastbin.ca for posting logs or configs.]
13:05 < jmdesigner81> krzee: it's weird cuz my connection dropped but i'm still able to IRC
13:06 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
13:06 < krzee> hah
13:06 < krzee> !whoami
13:06 <@vpnHelper> krzee: I don't recognize you.
13:06 < krzee> ahh
13:06 < krzee> !whoami
13:06 <@vpnHelper> krzee: krzee
13:06 < krzee> better
13:08 < jmdesigner81> krzee: sorry for my ignorance but what is mtu?
13:08 < krzee> go read the wiki page
13:08 < krzee> reading > asking
13:09 < jmdesigner81>  krzee i'm on there. what am i supposed to read?
13:09 < krzee> the page named troubleshooting!
13:09 < krzee> i really need to say the same thing 3x?
13:10 < jmdesigner81> krzee: sorry. got it.
13:11 -!- onats [~onats@unaffiliated/onats] has joined #openvpn
13:11 < onats> !route
13:11 <@vpnHelper> onats: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:19 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
13:19 -!- Kottizen [kottizen@unaffiliated/icanhasfreenode] has left #openvpn []
13:27 -!- jmdesigner81 [~julianomo@c-24-34-4-118.hsd1.ma.comcast.net] has quit [Ping timeout: 252 seconds]
13:29 -!- onats [~onats@unaffiliated/onats] has quit [Quit: onats]
13:43 -!- WormFood [~wormfood@183.38.12.61] has joined #openvpn
13:48 -!- WormFood [~wormfood@183.38.12.61] has quit [Ping timeout: 265 seconds]
13:48 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
13:49 -!- WormFood [~wormfood@183.38.12.61] has joined #openvpn
13:54 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has quit [Ping timeout: 276 seconds]
13:56 -!- WormFood [~wormfood@183.38.12.61] has quit [Ping timeout: 272 seconds]
13:58 -!- `phiL [~phiL@p578F5A6A.dip.t-dialin.net] has joined #openvpn
14:02 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 255 seconds]
14:11 <@vpnHelper> RSS Update - forum: Configuration :: Need help setting openVPN on a WRT54G router w/DD-WRT :: Author ytekght <https://forums.openvpn.net/viewtopic.php?f=6&t=7212&p=8201#p8201>
14:17 -!- WormFood [~wormfood@183.38.12.61] has joined #openvpn
14:21 -!- ^scott^_ [~scott@stthom.org] has joined #openvpn
14:22 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 252 seconds]
14:22 -!- Boka [~boca@200.74.240.44] has joined #openvpn
14:22 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
14:22 -!- ^scott^ [~scott@stthom.org] has quit [Ping timeout: 265 seconds]
14:22 -!- `phiL [~phiL@p578F5A6A.dip.t-dialin.net] has quit [Quit: Ex-Chat]
14:23 -!- WormFood [~wormfood@183.38.12.61] has quit [Ping timeout: 250 seconds]
14:23 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
14:26 -!- coppermine [~coppermin@184-106-129-151.static.cloud-ips.com] has joined #openvpn
14:27 < coppermine> whats the best flags i can use in openvpn.conf ? i use comp-lzo, is that even encryption?
14:27 < coppermine> or just compression
14:28 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has joined #openvpn
14:31 < Bushmills> compression
14:32 < coppermine> by default it uses blowfish right?
14:32 < coppermine> without me telling it to ?
14:32 < Bushmills> yes
14:32 < coppermine> is ther something else i can add tro make it even more encrypted?
14:32 < Bushmills> --show-ciphers 
14:32 < coppermine> there's a whole list
14:32 < Bushmills> AES should be pretty hard
14:33 < coppermine> AES-256-CFB8 256 bit default key (fixed) ?
14:33 < Bushmills> the longer the safer. i thik there was a 448 bit AES key iirc
14:33 < coppermine> i dont have the 448 in the list
14:34 < Bushmills> i must be wrong then
14:34 < coppermine> so i would add something like AES-256-CFB8 to both .conf files (server/client) and restart
14:34 < Bushmills> --cipher
14:34 < coppermine> prefixed?
14:34 < coppermine> would it then NOT use blowfish and use what I tell it ?
14:35 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
14:35 < Bushmills> of course, if you specify AES, it *will* use Blowfish, out of sheer spuite
14:35 < Bushmills> spite
14:35 < coppermine> sarcasm
14:36 < coppermine> fyi: The default
14:36 < coppermine> key size is shown as well as whether or not it can be
14:36 < coppermine> changed with the --keysize directive.
14:36 < Bushmills> the logs will confirm what cipher alg openvpn uses
14:38 -!- WormFood [~wormfood@183.38.12.61] has joined #openvpn
14:41 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
14:42 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:43 -!- coppermine [~coppermin@184-106-129-151.static.cloud-ips.com] has quit [Ping timeout: 252 seconds]
14:45 -!- coppermine [~coppermin@modemcable042.177-176-173.mc.videotron.ca] has joined #openvpn
14:45 -!- coppermine [~coppermin@modemcable042.177-176-173.mc.videotron.ca] has quit [Client Quit]
14:48 -!- WormFood [~wormfood@183.38.12.61] has quit [Ping timeout: 264 seconds]
14:49 -!- WormFood [~wormfood@183.38.12.61] has joined #openvpn
14:55 -!- WormFood [~wormfood@183.38.12.61] has quit [Ping timeout: 245 seconds]
15:19 <@vpnHelper> RSS Update - forum: Wishlist :: Reject pushed directives (eg. routes) via client config :: Author petiepooo <https://forums.openvpn.net/viewtopic.php?f=10&t=7213&p=8202#p8202>
15:19 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 252 seconds]
15:20 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Ping timeout: 272 seconds]
15:21 -!- roentgen_ [~arthur@miranda/user/roentgen] has joined #openvpn
15:27 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
15:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
15:36 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
15:37 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Read error: Connection reset by peer]
15:37 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
15:49 <@vpnHelper> RSS Update - forum: Wishlist :: Re: Reject pushed directives (eg. routes) via client config :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=10&t=7213&p=8203#p8203>
16:03 -!- Boka [~boca@200.74.240.44] has left #openvpn []
16:11 -!- Nickman_OFF is now known as Nickman
16:15 -!- WormFood [~wormfood@183.38.12.61] has joined #openvpn
16:23 -!- g0tcha [~efnet@167-122.105-92.cust.bluewin.ch] has quit [Ping timeout: 265 seconds]
16:43 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
17:08 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Ping timeout: 264 seconds]
17:10 -!- coppermine [~coppermin@173.176.177.42] has joined #openvpn
17:10 < coppermine> when i use cipher CAMELLIA-256-OFB in both configs i get Assertion failed at crypto.c:162
17:10 < coppermine> both openvpn --show-ciphers show CAMELLIA-256-OFB present
17:10 < coppermine> why would it not work?
17:13 -!- coppermine [~coppermin@173.176.177.42] has quit [Client Quit]
17:15 -!- Nickman is now known as Nickman_OFF
17:16 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
17:27 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Read error: Connection reset by peer]
17:30 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Remote host closed the connection]
17:49 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
17:50 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:29 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
18:46 -!- abeehc [~bob@d207-6-195-163.bchsia.telus.net] has quit [Ping timeout: 265 seconds]
18:46 -!- abeehc [~bob@d207-6-195-163.bchsia.telus.net] has joined #openvpn
--- Log opened Tue Oct 26 20:48:22 2010
20:48 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined #openvpn
20:48 -!- Irssi: #openvpn: Total of 95 nicks [3 ops, 0 halfops, 0 voices, 92 normal]
20:48 -!- Irssi: Join to #openvpn was synced in 37 secs
20:49 < ecrist> fucking power
20:50 < ecrist> winds 50.6MPH
20:50 < ecrist> it's fun
20:56 -!- Sivart [~Travis@cle-bb-cable2-ws-85.dsl.airstreamcomm.net] has quit [Ping timeout: 255 seconds]
20:56 < theDoc> Holy moly.
20:56 < theDoc> 50.6mph.
20:56 < theDoc> Sounds like a great day for snow boarding ;p
20:57 < ecrist> not late enough in the year for snow
20:57 < ecrist> though, some will be here tomorrow.
20:57 < theDoc> ah.
21:01 -!- Sivart [~Travis@cle-bb-cable2-ws-85.dsl.airstreamcomm.net] has joined #openvpn
21:03 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
21:20 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has quit [Remote host closed the connection]
21:43 < krzie> hah
21:43 < krzie> i h8 snow... luckily it will never snow here (unless there is some earth changing event)
21:47 < theDoc> I love snow
21:47 < theDoc> ;p
22:04 < ecrist> krzie: there are enough wiki pages now, I'm creating a template to help manage the menu for all the pages.
22:06 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:07 < krzie> nice
22:07 < ecrist> http://www.secure-computing.net/wiki/index.php/Template:OpenVPN_Menu
22:07 <@vpnHelper> Title: Template:OpenVPN Menu - Secure Computing Wiki (at www.secure-computing.net)
22:08 < ecrist> should I put it at bottom or top of pages?
22:09 < ecrist> http://www.secure-computing.net/wiki/index.php/Special:PopularPages
22:09 <@vpnHelper> Title: Popular pages - Secure Computing Wiki (at www.secure-computing.net)
22:10  * ecrist ponders it later
22:12 < krzie> bottom
22:29 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
22:30 -!- WinstonSmith [~true@f052096252.adsl.alicedsl.de] has joined #openvpn
22:31 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
23:05 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
23:05 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
23:05 < fahmad> hello
23:05 < fahmad> i have very strange problem that openvpn server keep hanging ...
23:06 < fahmad> and i need to restart it in order to make it work again however there are processes which shows its running but its stop listening on management port and nor listening on 1194
23:09 -!- fipu [~fipu@62.75.187.155] has quit [Ping timeout: 252 seconds]
23:09 -!- roentgen_ [~arthur@miranda/user/roentgen] has quit [Remote host closed the connection]
23:10 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
23:14 -!- fipu [~fipu@62.75.187.155] has joined #openvpn
23:18 -!- showy [~eagmunoz@190.142.85.97] has joined #openvpn
23:19 < showy> gn guys, I have almos recent installed openvpn server in debian lenny. Openvpn was installed via apt. Im usin openvpn-auth-pam plugin, the firts time i made the confi everyting was ok, but after i restart the server , the plugin segafaulting 
23:36 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
23:38 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
23:40 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
23:50 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Remote host closed the connection]
--- Day changed Wed Oct 27 2010
00:02 -!- showy [~eagmunoz@190.142.85.97] has quit [Quit: leaving]
00:12 -!- dazo_afk is now known as dazo
00:13 < fahmad> dazo: hey
00:13 <@dazo> hi
00:13 < fahmad> how are you 
00:13 < fahmad> i have very starnge problem
00:14 < fahmad> my openvpn stuck after sometime ...
00:14 < fahmad> OpenVPN 2.1.3 x86_64-redhat-linux [SSL] [LZO1] [EPOLL] [PKCS11] built on Oct 20 2010
00:14 < fahmad> (WSAECONNREFUSED)
00:14 < fahmad> Tue Oct 26 22:40:37 2010 TCP: connect to 188.122.86.195:443 failed, will try again in 5 seconds: Connection refused 
00:14 < fahmad> this messages on client end 
00:15 < fahmad> but when i login into the server i can see process running but its not listeing on management port nor on vpn port :(
00:16 < fahmad> any idea ?
00:17 <@dazo> hmmm .... that sounds really bad ... try pstack <pid of openvpn> ... you might need -debuginfo packages installed (but that can be installed without restarting the openvpn process) ... pastebin that output
--- Log opened Wed Oct 27 06:30:45 2010
06:30 -!- ecrist [~ecrist@173.8.118.210] has joined #openvpn
06:30 -!- Irssi: #openvpn: Total of 105 nicks [3 ops, 0 halfops, 0 voices, 102 normal]
06:31 -!- Irssi: Join to #openvpn was synced in 37 secs
06:38 -!- makomi_ [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
06:39 -!- SOG [~SOG@222.125.195.191] has joined #openvpn
06:41 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Ping timeout: 276 seconds]
06:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
06:45 < kraut> moin
07:07 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
07:23 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Quit: Bye]
07:25 -!- DarthGandalf [somebody@shellium/developer/darthgandalf] has joined #openvpn
07:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
07:34 < drcode> hi all
07:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
07:34 < drcode> how can I tell openvpn to reconnect or to be all the time connected?
07:43 <@vpnHelper> RSS Update - forum: Server Administration :: Re: draft HOWTO "Use a Windows CA with OpenVPN" :: Reply by ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7173&p=8223#p8223>
07:46 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
07:48 -!- EmperorT1m is now known as EmperorTom
07:54 < ecrist> drcode: --resolve-retry in the man page
07:56 -!- Niklas- [~niklas@217.116.253.195] has quit [Ping timeout: 276 seconds]
08:01 < drcode> I can put it in openvpn.conf?
08:01 < ecrist> yes
08:01 < drcode> resolve-retry iinfinite?
08:02 < ecrist> yep
08:03 < drcode> ecrist, ?
08:03 < drcode> infinite?
08:03 < ecrist> yes
08:03 < drcode> its on both os , linux and windows?
08:04 < ecrist> read the man page
08:04 < drcode> ok
08:04 < drcode> thanx alot
08:04 -!- drcode [~user1@bzq-84-111-105-190.red.bezeqint.net] has left #openvpn ["Leaving"]
08:06 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 252 seconds]
08:11 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
08:25 -!- SURFkees [~kees@ip218-44-173-82.adsl2.static.versatel.nl] has joined #openvpn
08:29 <@vpnHelper> RSS Update - forum: Server Administration :: Re: openVPN connection can never stablished on my VPS :: Reply by chakoshi <https://forums.openvpn.net/viewtopic.php?f=4&t=7209&p=8224#p8224>
08:57 -!- le0 [~fin@82.132.136.135] has joined #openvpn
08:57 -!- le0 [~fin@82.132.136.135] has quit [Changing host]
08:57 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
08:58 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
09:06 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
09:10 -!- SOG [~SOG@222.125.195.191] has quit [Remote host closed the connection]
09:10 -!- SOG [~SOG@n11649233041.netvigator.com] has joined #openvpn
09:11 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
09:12 -!- SOG [~SOG@n11649233041.netvigator.com] has quit [Remote host closed the connection]
09:15 < SURFkees> how do you debug "Bad encapsulated packet length from peer (8821)" problems?
09:15 -!- jmlane [~jmlane@unaffiliated/Jon-] has joined #openvpn
09:15 < jmlane> !welcome
09:15 <@vpnHelper> jmlane: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:16 < jmlane> !goal
09:16 <@vpnHelper> jmlane: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:16 < jmlane> !howto
09:16 <@vpnHelper> jmlane: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:17 < SURFkees> !iporder
09:17 <@vpnHelper> SURFkees: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
09:18 < SURFkees> !sample
09:18 <@vpnHelper> SURFkees: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
09:29 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Ping timeout: 255 seconds]
09:31 -!- SOG [~SOG@222.125.195.191] has joined #openvpn
09:32 -!- makomi_ [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
09:33 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
09:38 -!- makomi_ [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
09:38 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Ping timeout: 272 seconds]
09:40 -!- Coffe [~niszsse@office.alatest.se] has joined #openvpn
09:40 < Coffe> Hi, i am trying to find a good howto , for setting up a office2office connection
09:45 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
09:56 -!- makomi_ [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
09:56 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
10:01 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Ping timeout: 264 seconds]
10:08 < Coffe> yes i am googleing it . but dont find any good ones. any rekommendations ?
10:12 < jmlane> !route
10:12 <@vpnHelper> jmlane: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:12 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
10:17 < ecrist> Coffe
10:17 < ecrist> !route
10:17 <@vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:17 < ecrist> !iroute
10:17 <@vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
10:17 -!- petan [~KVIrc@71.236.broadband11.iol.cz] has joined #openvpn
10:18 < ecrist> I would suggest reading the docs, rather than finding a howto, and ask intelligent questions.  You'll be happier with the results.
10:18 < petan> I have problem with routing
10:18 < petan> I can connect to server but I can not even ping other machines
10:19 < petan> I tried all examples but still same
10:19 < ecrist> ip_forward=1 on the server?
10:19 < ecrist> firewall?
10:20 < petan> ecrist server is ubuntu, but it is not router
10:20 < ecrist> you still need ip_forward=1 if you want it to route between the vpn clients and the local lan
10:20 < petan> ecrist address of server is 192.168.1.2 vpn is 192.168.8.0
10:20 < petan> ecrist not sure what you mean?
10:21 < ecrist> also, you need to either setup outbound NAT on the vpn server, or the systems the vpn clients are trying to connect to need to know how to route back to the vpn subnet
10:21 < ecrist> !route
10:21 <@vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:21 < ecrist> see that link, petan
10:22 < petan> ecrist ok I read it now but I have tap vpn
10:23 < ecrist> ok, you still need to route if you're trying to connect two distinct networks
10:23 < petan> ecrist not sure if it work for that then and how to set ip_forward in conf file of server or where
10:23 < ecrist> ip_forward is a sysctl for your kernel
10:25 < jmlane> What is the best way to configure my system so that only very specific types of traffic will be routed through the OpenVPN interface? Right now, when I am connected to my VPN, all traffic seems to be routed to that interface, which is problematic.
10:25 < ecrist> fix your configs and pushed routes.
10:26 < petan> ecrist not sure if it is in my kernel but not even sure if I need that I have router which routes 192.168.8.0 over gateway 192.168.1.2 and client set route to 192.168.1 over 192.168.8.1 is that right I am not sure but it should be like that
10:27 -!- Coffe [~niszsse@office.alatest.se] has quit [Quit: Leaving]
10:28 < petan> ecrist server is not router so why I need that enabled
10:29 < jmlane> ecrist: If you were instructing me to fix my configs and pushed routes, can I do so completely client-side in order to filter traffic between my local interfaces and the OpenVPN interface? My configs were provided to me by my VPN provider and I do not have access to the OpenVPN server configuration.
10:32 -!- SURFkees [~kees@ip218-44-173-82.adsl2.static.versatel.nl] has left #openvpn ["Leaving"]
10:34 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Read error: Operation timed out]
10:34 < petan> how can I enable ip_forward
10:35 < petan> sysctl -w does not work
10:41 < petan> if my server has certain address on lan is that the address I should put as gateway to router
10:42 -!- ninjai [~quassel@79.169.119.66.static.metrobridge.net] has joined #openvpn
10:42 -!- ninjai [~quassel@79.169.119.66.static.metrobridge.net] has left #openvpn []
10:43 -!- SOG [~SOG@222.125.195.191] has quit [Quit: SOG]
10:46 < petan> ok nvm :)
10:46 < petan> I found that
10:46 -!- petan [~KVIrc@71.236.broadband11.iol.cz] has left #openvpn ["No matter how dark the night, somehow the Sun rises once again"]
10:52 -!- SOG [~SOG@222.125.195.191] has joined #openvpn
10:56 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
10:57 -!- Nickman is now known as Nickman_OFF
10:57 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
10:58 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
10:59 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
11:02 -!- SOG [~SOG@222.125.195.191] has quit [Quit: I will be back!]
11:05 -!- WormFood [~wormfood@183.38.12.61] has quit [Ping timeout: 255 seconds]
11:07 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined #openvpn
11:14 <@vpnHelper> RSS Update - forum: Server Administration :: redirect-gateway w/o bypass-dhcp cause problems in practice? :: Author ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7215&p=8229#p8229>
11:15 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
11:17 -!- WormFood [~wormfood@183.38.13.236] has joined #openvpn
11:19 <@vpnHelper> RSS Update - forum: Configuration :: Re: Need help setting openVPN on a WRT54G router w/DD-WRT :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7212&p=8216#p8216>
11:28 -!- batrick [~batrick@batbytes.com] has quit [Ping timeout: 252 seconds]
11:35 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
11:37 -!- batrick [~batrick@batbytes.com] has joined #openvpn
11:55 -!- straterra [~straterra@fuhell.com] has joined #openvpn
11:56 < straterra> Has anyone witnessed MTU errors? I'm getting this randomly on a client. The tunnel/link MTU isn't explictely set anywhere.. Bad encapsulated packet length from peer (5635)
12:12 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has joined #openvpn
12:13 < Error404NotFound> If i want to use same SSL certificate for all clients what do i name? 2 Key+Cert Pairs (1 for vpn server, second for all clients) and ca's certificate?
12:13 < Error404NotFound> right?
12:25 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:26 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 250 seconds]
12:28 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
12:38 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
12:43 < le0> howdy
12:51 -!- myname121 [~myname121@84-75-176-246.dclient.hispeed.ch] has joined #openvpn
12:51 < myname121> !welcome
12:51 <@vpnHelper> myname121: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:51 < myname121> !redirect
12:51 <@vpnHelper> myname121: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:51 < myname121> !def1
12:51 <@vpnHelper> myname121: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
12:55 -!- SILOS0022 [~dpenesi@168.226.75.61] has joined #openvpn
12:58 < SILOS0022> HI
12:58 < SILOS0022> I have one question
12:58 < SILOS0022> I have been testing openvpn to connect clients to a private network and I found the problem that when I access the resources of a peer if traffic or by the server
12:59 -!- Cain [~Geek@unaffiliated/cain] has joined #openvpn
12:59 < SILOS0022>  I am needing to Full Mesh
13:00 < SILOS0022> I have seen default mode brings a p2p, but the doc is point to point.
13:00 < SILOS0022> I also saw that allows peer to peer using TLS, but I've set and I have many results
13:02 < SILOS0022> Need to be full mesh, and thus avoid going through the vpn server and have doubled response times
13:02 < SILOS0022> does anyone have implemented something like that with openvpn?
13:03 < ecrist> SILOS0022: p2p is an old abbreviation of point-to-point, only recently did p2p come to mean peer-to-peer
13:04 < ecrist> really, they mean the same.  regardless, openvpn doesn't do 'mesh' networks in which everyone connects to everyone else.
13:06 < SILOS0022> I've found this link. http://openvpn.net/archive/openvpn-users/2006-11/msg00195.html
13:06 <@vpnHelper> Title: Re: [Openvpn-users] OpenVPN and Full Mesh network (at openvpn.net)
13:07 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
13:07 < SILOS0022> in this post, mention a solution, but I actually complicated
13:08 < Error404NotFound> If i want to use same SSL certificate for all clients what do i need? 2 Key+Cert Pairs (first for vpn server, second for all clients) and ca's certificate file? right?
13:08 < ecrist> it's pretty
13:08 < ecrist> SILOS0022: you can do something like that, but you'll need to figure it out
13:08 < ecrist> Error404NotFound: correct, and --duplicate-cn in your server config
13:09 < Error404NotFound> ecrist, hmm, great :)
13:12 < SILOS0022> In the official documentation 2.x package, it is called peer-to-peer in two settings:
13:12 < SILOS0022> The --mssfix option only makes sense when you are using the UDP protocol for OpenVPN peer-to-peer communication, i.e. --proto udp
13:12 < SILOS0022> and
13:12 < SILOS0022> --tls-server 
13:12 < SILOS0022> Enable TLS and assume server role during TLS handshake. Note that OpenVPN is designed as a peer-to-peer application. The designation of client or server is only for the purpose of negotiating the TLS control channel
13:13 < SILOS0022> I do not think that is the concept of p2p I'm looking right?
13:15 < ecrist> SILOS0022: mesh networks are not supported by openvpn
13:16 < SILOS0022> ok thanks!!!   Welcome to tinc :( jeje
13:21 < myname121> i'm trying to route my internet traffic through a openvpn tunnel, but i can't setup the route on the client. i can ping the entrypoint at 10.8.0.6 but not the endpoint. any ideas?
13:21 < myname121> client (192.168.1.10) --> openvpn client (192.168.1.2) --> openvpn entry (10.8.0.6) --> openvpn endpoint (10.8.0.1) --> internet
13:21 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
13:22 < myname121> these are the routes on the client (192.168.1.10)
13:22 < myname121> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
13:22 < myname121> 10.8.0.0        192.168.1.2     255.255.0.0     UG    0      0        0 eth0
13:22 < myname121> default         192.168.1.2     0.0.0.0         UG    100    0        0 eth0
13:25 < ecrist> myname121: no posting to the channel, please.
13:25 < ecrist> pasting*
13:26 < myname121> k, sorry
13:26 < myname121> here is my config
13:26 < myname121> http://pastebin.com/avTxwruC
13:26 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
13:26 < myname121> i think the route on host that the vpn client is running on is wrong
13:27 < myname121> i don't know why openvpn set a route with 10.8.0.5 when the tun0 interface has 10.8.0.6
13:28 < myname121> any help is appreciated
13:29 < Bushmills> " but i can't setup the route on the client..."  why not?
13:30 < myname121> well, i was trying to set 10.8.0.6 as default gw on the client, but i figured thats the wrong thing to do since the default gw has to be in the same subnet
13:31 < myname121> and at this point i was able to ping 10.8.0.1 from the client, which isnt working anymore. so i'm trying to get that fixed first :)
13:31 < Bushmills> what is client?  openvpn client or LAN non-openvpn machine?
13:31 < takamichi> When launching OpenVPN from the cmd line, can I specify a config file + additional commandline parameters or is it one or the other..
13:31 < myname121> LAN client on 192.168.1.10. not the one running openvpn
13:32 < myname121> openvpn client is running at 192.168.1.2
13:32 < Bushmills> for your LAN machine,  192.168.1.2 would be the gateway
13:34 < myname121> and how do i route the internet traffic through openvpn? since the machine at 192.168.1.2 has a direct net connection, and that connection is set as default gw
13:34 < Bushmills> !redirect
13:34 <@vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:34 < myname121> k, i'll have a look at that
13:34 < myname121> thanks
13:35 < Bushmills> ignore the !nat part, if openvpn client is your gateway
13:35 < myname121> yeah, i'll be running NAT at the endpoint
13:36 < myname121> right?
13:36 < Bushmills> preferred, yes
13:36 < myname121> just a final question. does this mean i don't have to be able to ping the VPN server at 10.8.0.1 from the LAN client?
13:37 < Bushmills> you would be able to, unless restricted by e.g. packet filter
13:38 -!- MadTBone_ [~MadTBone@160.39.238.196] has quit [Remote host closed the connection]
13:38 < Bushmills> also check this out, it may contain useful bits resp. routing for you:
13:38 < Bushmills> !route
13:38 <@vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:52 < myname121> Bushmills: i still can't figure out why the client sets routes with a different ip adress than tun0. any idea? http://pastebin.com/Eg7nrrLb
14:03 -!- cholo [~cholo@108.117.193.131] has joined #openvpn
14:03 -!- myname121 [~myname121@84-75-176-246.dclient.hispeed.ch] has quit [Ping timeout: 252 seconds]
14:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
14:03 < cholo> helllo
14:03 < cholo>  has anyone a solution for bonding?
14:06 -!- myname121 [myname121@84-75-176-226.dclient.hispeed.ch] has joined #openvpn
14:10 <@vpnHelper> RSS Update - forum: Configuration :: Re: Need help setting openVPN on a WRT54G router w/DD-WRT :: Reply by ytekght <https://forums.openvpn.net/viewtopic.php?f=6&t=7212&p=8225#p8225>
14:11 < ecrist> cholo: what do you mean?
14:11 < Bushmills> myname121, don't bother setting routes on your LAN clients. they know already how to reach your openvpn client, as its ethernet ip address in the same subnet 192.168.1.x.  just tell them that 192.168.1.2 becomes their gateway
14:11 < ecrist> take your son fishing or something.
14:12 < Bushmills> and of course, set up 192.168.1.2 aka your openvpn client that it can operate as gateway
14:15 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Quit: User guilty of hitting the Big Red X...]
14:16 -!- myname121 [myname121@84-75-176-226.dclient.hispeed.ch] has quit [Ping timeout: 276 seconds]
14:28 -!- epaphus [~user@201.199.62.74] has joined #openvpn
14:29 < epaphus> Hello. If I establish a OpenVPN tunnel to a server, and a coworker does the same thing while being in another network from me. Can we see each other in the same LAN and thus if we are using windows share files through network explorer?
14:29 -!- cholo_ [~cholo@72-60-153-139.pools.spcsdns.net] has joined #openvpn
14:29 < jmlane> So I did some research and I've determined that my VPN provider is overriding my default gateway in the "pushed commands" (pardons for misuse of lingo). Is it feasible to implement the required routing commands locally in the VPN configs for this particular connection, by capturing the server-issued commands for use in my local configs, while rejecting them in later connections?
14:30 < cholo_> tcp bonding
14:31 < ecrist> cholo: you're just throwing out terms.  what do you want to know?
14:31 < ecrist> epaphus: without other setup, a bridged VPN will allow that.
14:31 < ecrist> really, though, you need to setup WINS server
14:31 < ecrist> the samba folks can help more with that
14:32 -!- cholo [~cholo@108.117.193.131] has quit [Ping timeout: 240 seconds]
14:32 < ecrist> jmlane: search the man page for push-reset
14:32 < jmlane> ecrist: Thank you.
14:35 < Bushmills> jmlane, there is a man page, you know?
14:35 < Bushmills> search for route-nopull
14:36 < Bushmills> oh. as ecrist said already
14:37 < jmlane> Bushmills: Yes, I do know there is a man page. I appreciate that you narrowed down what I should be reading about in the manual.
14:38 < Bushmills> do you want me to read it for you?
14:38  * ecrist grabs popcorn
14:38 < ecrist> read it aloud, Bushmills, and use one of those old-timey voice inflections
14:38 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:38  * ecrist nom nom nom
14:40 < jmlane> Bushmills: If you feel like reading it, sure.
14:40 -!- cholo [~cholo@184-200-140-148.pools.spcsdns.net] has joined #openvpn
14:43 -!- cholo_ [~cholo@72-60-153-139.pools.spcsdns.net] has quit [Ping timeout: 250 seconds]
14:44 < epaphus> ecrist, what do you mean with "without other setup" ? and is a bridged vpn the default?
14:45 < ecrist> there is no default
14:46 < ecrist> well, if you use a routed vpn, you need to setup WINS
14:47 < epaphus> so, just to confirm versus a bridged you wouldnt need wins. right ecrist 
14:47 < ecrist> right
14:47 < ecrist> !tunortap
14:47 <@vpnHelper> ecrist: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you over
14:47 <@vpnHelper> ecrist: the vpn, or (#4) lan gaming? use tap!
14:58 -!- epaphus [~user@201.199.62.74] has quit [Read error: Connection reset by peer]
15:01 -!- epaphus [~user@201.199.62.74] has joined #openvpn
15:04 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 252 seconds]
15:06 -!- aliverius_ [~george@athedsl-393096.home.otenet.gr] has joined #openvpn
15:06 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
15:07 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
15:08 < fahmad> krzee: there ?
15:09 -!- aliverius [~george@athedsl-378581.home.otenet.gr] has quit [Ping timeout: 264 seconds]
15:11 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Quit: Yes, Virginia...]
15:14 -!- cholo [~cholo@184-200-140-148.pools.spcsdns.net] has quit [Ping timeout: 245 seconds]
15:18 -!- takamichi [~pri@78.133.38.192] has quit []
15:19 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
15:23 < epaphus> ecrist, tap must be used in the server as well as in the clients... is this right?
15:25 < fahmad> i have question
15:26 < fahmad> http://paste.ubuntu.com/520977/
15:26 < fahmad> this is my configuration
15:26 < fahmad> i have created few users files under ccd folder
15:27 < fahmad> now when user connect on server which does not have ccd file it get reserved ip 
15:27 < fahmad> how can i restrict it ...
15:27 < krzie> there is a ccd file named DEFAULT
15:27 < krzie> also, you can set the pool in the main config
15:29 < fahmad> krzie: where ?
15:29 < krzie> where what
15:29 < fahmad> DEFAULT file also ip pool :4
15:29 < krzie> ifconfig-pool is expanded from --server, see the manual
15:30 < fahmad> okies
15:30 < krzie> and DEFAULT is a default ccd file, see --client-config-dir in the manual
15:30 < fahmad> k
15:30 < fahmad> checking man page
15:31 < krzie> !man
15:31 <@vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
15:32 < krzie> but you cant just give DEFAULT a static ip because more than 1 client may connect without a ccd file, would conflict
15:32 < krzie> also
15:32 < krzie> !client-connecrt
15:32 <@vpnHelper> krzie: Error: "client-connecrt" is not a valid command.
15:32 < krzie> err
15:32 < krzie> !client-connect
15:32 <@vpnHelper> krzie: "client-connect" is --client-connect <script>, runs script on client connection. This can be useful for generating firewall rules dynamicly, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamicly... to use it that way, you should write your dynamic ccd commands to the file named by $1.
15:33 < fahmad> i think i can use ifconfig-pool with subnet topology 
15:33 < fahmad> right
15:33 < ecrist> epaphus: yes, server and client need to use the same device
15:34 < epaphus> tnx
15:37 < krzie> fahmad, if you use --server you already have ifconfig-pool
15:37 < krzie> as shown in the manual for --server
15:37 < fahmad> i am not using --server in config ...
15:37 < fahmad> did you saw my config http://paste.ubuntu.com/520977/
15:37 < krzie> so you do use server
15:38 < krzie> so you do have ifconfig-pool
15:38 < fahmad> no server in config ...
15:38 < krzie> see --server in the manual, for the 3rd time
15:38 < fahmad> and no i do not use ifconfig-pool ...
15:38 < krzie> server 172.16.0.0 255.255.255.0
15:38 < fahmad> oh
15:38 < fahmad> ok
15:38 < krzie> lol
15:38 < fahmad> hahah
15:38 < fahmad> my bad
15:38 < fahmad> sorry
15:39 < fahmad> krzie: is there any way ot reload vpn config whithout disconnecting clients ?
15:39 < krzie> no
15:39 < fahmad> not even from management ?
15:39 < krzie> you can read SIGNALS in man page to see if im right
15:39 < krzie> but i dont care enough to read it for you
15:39 < fahmad> ok bro
15:40 < fahmad> SIGHUP only option but will close TAP/TUN
15:49 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
16:00 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined #openvpn
16:01 < grendal_prime> hey..i got a client thats key got generated incorrectly.  the size of the key is 0 bytes.  can i just build another one with the same name?
16:01 < ecrist> revoke, re-create
16:01 < grendal_prime> or do i have to first revoke it,
16:02 < grendal_prime> ok. so the revoke whips it out of the database?
16:02 < ecrist> no, it revokes it
16:02 < grendal_prime> ok...so the re-create updates the db then?
16:03 < grendal_prime> wait a min is there a re-create app?
16:03 < ecrist> no
16:04 < ecrist> what do you mean?
16:04 < krzie> !crl
16:04 <@vpnHelper> krzie: "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that will
16:04 <@vpnHelper> krzie: create the CRL file for you. ssl-admin will also build a crl for you
16:04 < grendal_prime> so the procedure goes like this... client is myclient    ./revoke-full myclient
16:04 < ecrist> !ssl-admin
16:04 <@vpnHelper> ecrist: "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn, or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
16:07 < krzie> so really there isnt a db like you are thinking of it
16:07 < ecrist> well, there is, it's the index.txt file
16:08 -!- svm_invictvs [~patrick@unaffiliated/svminvictvs/x-938456] has quit [Quit: leaving]
16:09 -!- jmlane [~jmlane@unaffiliated/Jon-] has quit [Quit: Good evening.]
16:10 < krzie> the CRL is a file signed by the CA, it is a list of certificates that can NOT connect
16:10 < krzie> so adding something to the CRL does not affect some db of clients which CAN connect (no such db exists)
16:11 < krzie> but ya, it needs the entry in index.txt to generate the CRL
16:11 < ecrist> and it uses index.txt to determine conflicting certificates.
16:13 < ecrist> I really wish ssl-admin 2 was completed.
16:13 < ecrist> it's so far as to print 'Hello world!'
16:13 < ecrist> :)
16:13 -!- Irssi: #openvpn: Total of 103 nicks [3 ops, 0 halfops, 0 voices, 100 normal]
16:15 < grendal_prime> then ./build-key myclient
16:18 < krzie> ecrist, ;)
16:18 < krzie> if it counts for anything, im excited =]
16:20 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Quit: Ex-Chat]
16:21 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
16:34 -!- tuxx__ is now known as tuxx
16:42 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
16:49 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:05 -!- |dpetrek| [~kvirc@78-0-199-205.adsl.net.t-com.hr] has joined #openvpn
17:09 -!- dpetrek [~kvirc@93-136-88-194.adsl.net.t-com.hr] has quit [Ping timeout: 255 seconds]
17:09 < ecrist> krzie: it does count, it's a big project, though.  probably will spend some time on it tonight.
17:10 < ecrist> I'm being convinced to use the boost c++ libraries, at least their program_options and option_tree components for config file and cli option parsing.
17:10 < ecrist> I'm going to start with that (already am able to build some simple options on the cli) 
17:11 < ecrist> once I get all the options setup, I am going to start looking into the openssl libraries.
17:18 < krzie> nice
17:21 < |Mike|> re.
17:30 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:45 -!- straterra [~straterra@fuhell.com] has left #openvpn []
18:06 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
18:43 -!- aberrant [~aberrant@unaffiliated/aberrant] has joined #openvpn
18:43 < aberrant> hi all
18:43 < aberrant> "push redirect-gateway def1 bypass-dhcp" doesn't seem to be working. Any suggestions?
18:44 < aberrant> using 2.1.0-1ubuntu1.1 on the server, and tunnelblick (OSX) 3.1b18 (OpenVPN 2.1.3) on the client .
18:50 < |Mike|> !def1
18:50 <@vpnHelper> |Mike|: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
18:52 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Quit: Yes, Virginia...]
18:56 -!- WebDawg [~WebDawg@officialg0d.com] has quit [Ping timeout: 240 seconds]
19:02 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
19:02 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Client Quit]
19:02 < aberrant> |mike| - it works if I don't specify it on the server side but put it in the client.
19:03 -!- WebDawg [~WebDawg@officialg0d.com] has joined #openvpn
19:04 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 250 seconds]
19:06 < aberrant> gah
19:07 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
19:08 < aberrant> also, is there a way to use secret (instead of server) and handle multiple clients?
19:08 < |Mike|> aberrant: strange.
19:08 < aberrant> |Mike|: yeah
19:09 < |Mike|> secret => /etc/hosts ;)
19:09 < aberrant> huh?
19:09 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
19:09 < |Mike|> why would you like to use secret instead of server?
19:10 < aberrant> because I don't want to go through the hassle of generating and tracking certificates for a handful of devices.
19:12 < aberrant> I guess I could go client-cert-not-required, but that also seems like a pain
19:13 -!- epaphus [~user@201.199.62.74] has quit [Remote host closed the connection]
19:16 < aberrant> I guess it's not possible.
19:16 < aberrant> damn'
19:18 < tuxx> http://i55.tinypic.com/11h9myc.jpg
19:18 < tuxx> LOL
19:21 < krzie> [17:10]  <aberrant> also, is there a way to use secret (instead of server) and handle multiple clients?
19:21 < krzie> no
19:21 < krzie> secret is for PTP only, no client/server
19:21 < aberrant> krzie: yeah, figured.
19:21 < |Mike|> TEH COOKIE TUXXXXXXXXXXX
19:22 < |Mike|> krzie: you always help people with clue questions? :D
19:23 < krzie> |Mike|, you ever help people?
19:23 < |Mike|> Am I hired? :D
19:23 < krzie> hell no
19:23 < krzie> why would anyone hire someone who doesnt do anything :-p
19:25 < |Mike|> because i'm idle ! :D
19:26 < |Mike|> :P
19:26 < |Mike|> damn i'm listening to 2unlimited
19:26 < aberrant> how's the "ca" directive work if you're using a real certificate issued by another CA?
19:27 < |Mike|> !ca
19:27 <@vpnHelper> |Mike|: Error: "ca" is not a valid command.
19:36 < krzie> !pki
19:36 <@vpnHelper> krzie: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was signed
19:36 <@vpnHelper> krzie: specially as a server (see !servercert)
19:36 < krzie> you need the ca.crt of the ca that signed the other side of the connection
19:36 < krzie> and the other side needs the ca.crt of the ca that signed your side
19:36 < aberrant> hm.
19:37 < krzie> its pki, not openvpn specific
19:37 < aberrant> ok
19:37 < aberrant> so if I use a godaddy cert
19:37 < aberrant> I get godaddy's crt
19:37 < aberrant> does openvpn support chaining?
19:42 <@vpnHelper> RSS Update - forum: Configuration :: Re: Need help setting openVPN on a WRT54G router w/DD-WRT :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7212&p=8230#p8230>
19:42 < krzie> aberrant, you know you can actually test stuff before asking
19:43 < aberrant> krzie: chaining is one of those things that's gonna take 3 hours or so to test.
19:43 < krzie> lol no it wouldnt
19:43 < aberrant> I have to reissue certs in order to do it, and then push them
19:43 < aberrant> sure.
19:43 < krzie> takes seconds to generate certs
19:43 < aberrant> not via godaddy.
19:44 < krzie> but in all reality, there is no reason for you to use (or even want to use) a CA from godaddy
19:44 < krzie> it is no more secure, and actually is less secure (because i believe then godaddy can issue certs for your vpn)
19:45 < krzie> the whole point to godaddy issuing certs would be so that your website can be trusted by default web browsers that already have certs trusted in default config
19:46 < aberrant> good point.
19:55 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 252 seconds]
20:00 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
20:07 -!- aberrant [~aberrant@unaffiliated/aberrant] has quit [Ping timeout: 240 seconds]
20:10 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
20:12 <@vpnHelper> RSS Update - forum: Configuration :: Re: Need help setting openVPN on a WRT54G router w/DD-WRT :: Reply by ytekght <https://forums.openvpn.net/viewtopic.php?f=6&t=7212&p=8231#p8231>
20:35 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 276 seconds]
20:39 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
20:46 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
20:50 -!- epaphus [~user@201.199.62.74] has joined #openvpn
20:50 < epaphus> Is there _any_ advantage of using pptp over OpenVPN for a VPN? or are there all disadvantages?
20:50 < ecrist> all disadvantages.
20:50 < ecrist> !pptp
20:50 <@vpnHelper> ecrist: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to read about
20:50 <@vpnHelper> ecrist: why to not use pptp
20:51 < epaphus> thought so. thanks.
20:51  * epaphus wonders why pptp is still implemented in microsoft win 7... well yeah, its MS.. but still
20:52 < ecrist> legacy support.  there are lots of places that still use it.
20:55 < epaphus> ecrist, a personal question if I may.. did you take any cryptography courses .. or is your experience mostly focused on OpenVPN and thats how you learned cryptography ? you seem to be knowledgeable over these subjects. just wondering.
20:55 < ecrist> I would not consider myself knowledgeable in cryptography.  I'm just a user. :)
20:56 < ecrist> I have a special interest in such things and find it fascinating.
20:56 < epaphus> cool.
20:56 < ecrist> I only know OpenVPN so well, and related things, becuase there was no support community 3 years ago, and krzee and I kicked one off.  That's what we have now.
20:57 < theDoc> ecrist: It's like the devices which only support ipv4.
20:57 < theDoc> :P
20:59 -!- kiwi_ [~kiwi@78.40.120.105] has joined #openvpn
20:59 < kiwi_> hello :)
21:00 < ecrist> theDoc: certainly.  but those are becoming fewer by the day.
21:00 < ecrist> hello, kiwi_ 
21:03 < kiwi_> i'd like to prioritize low delay traffic (games ping 30ms) on my openvpn connection, but i get bad results. is there buffers i can -- or other things i can improve ?
21:04 < ecrist> mtu, get a better connection.
21:04 < kiwi_> for the moment i'm doing the qos on openbsd. it works nicely when done directly on the real interface
21:05 < ecrist> keep in mind, your connection isn't going to get better than your internet connection, so if you have 78ms latency, openvpn won't magically turn that into 30ms.
21:05 < kiwi_> right :)
21:05 < kiwi_> qos on the "real" interface works much better
21:06 < kiwi_> so i thought maybe its due to buffering
21:07 < kiwi_> but you say only mtu plays here ?
21:07 < ecrist> openvpn isn't going to buffer anything.
21:07 < kiwi_> ok
21:07 < krzie> ecrist, actually i have had it make my latency to the usa better... but that is a result of shitty routing on behalf of my ISP
21:07 < krzie> damn 3rd world ISP
21:07 < ecrist> krzie: you're just weird.  I recall your 'W' vpn setup
21:07 < krzie> ;]
21:08 < krzie> never been much for video games... but i do love me some routing games
21:09 < ecrist> krzie: I was going to write ssl-admin in c++, but a few things have convinced me to write in C, instead
21:09 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has quit [Read error: Connection reset by peer]
21:10 < ecrist> namely, openvpn is written in C, and I'd like to create a module for openvpn that can tie into ssl-admin.  Not sure how, specifically, details when I figure it out.
21:10 < kiwi_> you really feel the smoothness of the packets while playing RPGs :p
21:10 < ecrist> kiwi_: I regularly frag glitchers and lag-switchers with ease.
21:11 < ecrist> w/o network mods
21:11 < kiwi_> me too :)
21:11 < kiwi_> but not while sending a file
21:12 < kiwi_> and that works with real interface
21:12 < kiwi_> but ill do more tests
21:13 < kiwi_> thanks for your answer :)
21:13 < ecrist> np
21:14 < ecrist> remember, you can only queue outbound traffic
21:14 < ecrist> many folks forget that.
21:14 < kiwi_> :)
21:14 -!- al_nz1 [~al@118-93-127-35.dsl.dyn.ihug.co.nz] has joined #openvpn
21:14 < al_nz1> i have open vpn and want to connetc back to my router (running dd-wrt) with open VPN - anyone have any idea of the syntax? the man pages for open vpn were very complicated 
21:15 < al_nz1> I have linux on my laptop which wants to connect back to the dd-wrt vpn "server"
21:15 < ecrist> setup dd-wrt as an openvpn server first.
21:15 < ecrist> if you have that, getting your machine to connect is pretty simply
21:15 < ecrist> does dd-wrt have the ability to generate SSL certs?
21:15 < al_nz1> I can connect to the dd-wrt from windows just fine
21:15 < al_nz1> not sure of the terminal syntax from linux thats all
21:16 < ecrist> same config will work on windows and linux
21:16 < ecrist> openvpn --config <config_file>
21:16 < al_nz1> therin lies the problem
21:16 < al_nz1> the config file looks overwhelming complictaed
21:17 < al_nz1> i have a dd-wrt server address, login and password
21:18 < al_nz1> dd-wrt is all setup for PPTP by the way, not openVPN
21:18 < ecrist> then you're in the wrong channel
21:19 < ecrist> we don't support PPTP here (neither does OpenVPN)
21:19 < ecrist> !pptp
21:19 <@vpnHelper> ecrist: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to read about
21:19 <@vpnHelper> ecrist: why to not use pptp
21:19 < ecrist> dd-wrt *does* support OpenVPN, though.
21:19 < al_nz1> ecrist: yes I see that. I just enabled PPTP box and what a lot of extra options! wow
21:25 < al_nz1> ecrist: way too complicated for me i think. talks about bricking some linksys routers when enabling the scripts reqd etc
21:26 < ecrist> *shrug*.  it's actually secure, though
21:26 < ecrist> and, like I said, we support it here. ;)
21:27  * ecrist reboots cartman, prays it boots -current OK
21:29 < al_nz1> another day when I have more time
21:29 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
21:29 < al_nz1> thanx anyway
21:29 < ecrist> w00t: FreeBSD cartman.secure-computing.net 9.0-CURRENT FreeBSD 9.0-CURRENT #4: Mon Oct 25 07:06:57 CDT 2010     root@cartman.secure-computing.net:/usr/obj/usr/src/sys/GENERIC  amd64
21:29 < ecrist> no problem, al_nz1 
21:29 -!- al_nz1 [~al@118-93-127-35.dsl.dyn.ihug.co.nz] has quit [Remote host closed the connection]
21:30 < kiwi_> ecrist: does it makes sense that --socket-flags TCP_NODELAY makes my situation better ?
21:31 < ecrist> beyond my paygrade, EmperorTom may know, though.
21:32 < kiwi_> from the man page it makes sense, but i'm only me ...
21:35 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 252 seconds]
21:37 < kiwi_> mh no im just being stupid
21:38 -!- epaphus [~user@201.199.62.74] has quit [Ping timeout: 255 seconds]
21:39 -!- epaphus [~user@201.199.62.74] has joined #openvpn
21:45 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
21:46 -!- kiwi_ [~kiwi@78.40.120.105] has left #openvpn []
21:54 <@vpnHelper> RSS Update - forum: Server Administration :: Configuration Question on multiple servers and lans :: Author palladin9479 <https://forums.openvpn.net/viewtopic.php?f=4&t=7216&p=8233#p8233>
22:13 -!- epaphus [~user@201.199.62.74] has quit [Ping timeout: 240 seconds]
22:13 -!- epaphus [~user@201.199.62.74] has joined #openvpn
22:23 -!- epaphus [~user@201.199.62.74] has quit [Quit: Leaving]
22:28 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
22:31 < fahmad> hey
22:32 < fahmad> i am getting following error 
22:32 < fahmad> Options error: --server already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly
22:32 < fahmad> any idea how to make both in config ...
22:46 -!- letas [~letas@c-76-26-208-117.hsd1.sc.comcast.net] has joined #openvpn
22:48 < letas> hello everyone - I am currently running openvpn and apache in the same server, is there a way that I can see apache's web sites through the opevpn server ip?
22:49 < fahmad> letas: you mean to say private vpn ip ?
22:51 < letas> fahmad, yeh 
22:57 < fahmad> letas: iptables ...
22:58 < letas> fahmad can u elaborate a bit - i think i have an idea of what you are saying but i am not sure
22:58 < fahmad> iptables -t nat -A PREROUTING -p tcp -d 172.16.0.1 --dport 80 -j DNAT --to XXX.YYY.ZZZ.AAA
23:00 < letas> so I basically say whenever you see xxx.yyy.zzz.aaa ip send it to this www.xxx.yyyy.zzzz ip on port 80?
23:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
23:03 < fahmad> means
23:04 < krzie> !redirect
23:04 <@vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
23:05 < krzie> oh wait you want apache that is on the server
23:05 < krzie> just tell apache to listen on the vpn ip as well
23:05 < krzie> then access it via the vpn ip
23:05 < letas> krzie thanks, it sounds simpler that way
23:14  * fahmad hugs krzie
23:16 < letas> actually i am a dumb*** it seems that either I did some brilliant in ubuntu 10.04 because it works fine or something very stupid on ubuntu 9.10 because i never got it to work 
23:26 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
23:53 < krzee> !rip
23:53 <@vpnHelper> krzee: "rip" is http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting for a writeup on using RIP in openvpn
23:54 <@vpnHelper> RSS Update - forum: Server Administration :: Re: redirect-gateway w/o bypass-dhcp cause problems in pract :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7215&p=8235#p8235> || Server Administration :: Re: Configuration Question on multiple servers and lans :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7216&p=8236#p8236>
--- Day changed Thu Oct 28 2010
00:08 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Remote host closed the connection]
00:23 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
00:24 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
00:45 -!- SILOS0022 [~dpenesi@168.226.75.61] has quit [Ping timeout: 240 seconds]
00:45 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
00:49 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
00:57 -!- SILOS0022 [~dpenesi@168.226.75.74] has joined #openvpn
01:06 -!- SLAiNTRAX [5e17cf98@gateway/web/freenode/ip.94.23.207.152] has joined #openvpn
01:09 < SLAiNTRAX> Hello. On our network we have we have two subnets that I can connect to without using OpenVPN, but I can't access them while connected. Right now I'm using 192.168.1.0/24, and I need to give me access to the local servers that are connected here. route "192.168.1.0 255.255.255.0" doesn't work. Any way to fix this?
01:20 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
01:22 < fahmad> hello
01:22 -!- letas [~letas@c-76-26-208-117.hsd1.sc.comcast.net] has quit [Ping timeout: 240 seconds]
01:24 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
01:25 < fahmad> dazo_afk: there 
01:25 < fahmad> dazo_afk: i got openvpn crashed again
01:25 < fahmad> http://paste.ubuntu.com/521244/
01:27 -!- Nickman_OFF is now known as Nickman
01:28 < fahmad> krzee: any idea ?
01:59 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Read error: Connection reset by peer]
02:07 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
02:08 < krzee> SLAiNTRAX, 
02:08 < krzee> !route
02:08 <@vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:09 < krzee> fahmad, i know nothing about the radius plugin... are you sure you have the right one?
02:11 < Bushmills> radiusplugin.so crashing i have seen before
02:11 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
02:13 < fahmad> krzee: yes
02:13 < fahmad> Bushmills: is there any fix for that ?
02:14 < Bushmills> no idea. who had that problem was told that it wasn't an openvpn problem, but a radius problem, and that was it then
02:14 < SLAiNTRAX> krzee my openvpn server is located at another ISP and has no connection to the local lan here.
02:15 < Bushmills> just wanted to let you know that you're not the first person having that problem
02:15 < fahmad> :)
02:17 -!- SLAiNTRAX [5e17cf98@gateway/web/freenode/ip.94.23.207.152] has quit [Quit: Page closed]
02:18 -!- SLAiNTRAX [5e17cf98@gateway/web/freenode/ip.94.23.207.152] has joined #openvpn
02:19 <@vpnHelper> RSS Update - forum: Configuration :: Re: Need help setting openVPN on a WRT54G router w/DD-WRT :: Reply by ytekght <https://forums.openvpn.net/viewtopic.php?f=6&t=7212&p=8225#p8225>
02:21 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
02:27 < krzee> SLAiNTRAX, you want access to a lan behind openvpn?
02:27 < SLAiNTRAX> I want to acces a lan on the network im on
02:27 < krzee> your local lan?
02:27 < SLAiNTRAX> Our ISA server forwards a lab network at 192.168.1.1/24
02:27 < krzee> where does openvpn fit into this picture
02:28 < SLAiNTRAX> I don
02:28 < SLAiNTRAX> I have way too many restrictions on this network, and I need access to different sites etc. which are blocked using openvpn
02:28 < krzee> oh when you connect to openvpn you lose the connection to your lan?
02:28 < SLAiNTRAX> yup
02:30 < SLAiNTRAX> Right now I'm using 10.40.37.0/24 and the ISA server is forwarding 192.168.1.0/24 to me
02:31 < krzee> https://forums.openvpn.net/viewtopic.php?f=12&t=7065
02:31 <@vpnHelper> Title: OpenVPN Support Forum View topic - Excluding an IP range from redirect gateway (at forums.openvpn.net)
02:31 < krzee> https://forums.openvpn.net/viewtopic.php?f=15&t=7161&p=7975&hilit=split+route#p7975
02:31 <@vpnHelper> Title: OpenVPN Support Forum View topic - Split tunnel tweaks? (at forums.openvpn.net)
02:32 < SLAiNTRAX> Thanks :) I'll read through them right now
02:32 < krzee> yw
02:34 -!- SLAiNTRAX [5e17cf98@gateway/web/freenode/ip.94.23.207.152] has quit [Quit: Page closed]
02:34 -!- SLAiNTRAX [5e17cf98@gateway/web/freenode/ip.94.23.207.152] has joined #openvpn
02:35 < SLAiNTRAX> Great! It worked perfectly. Thanks krzee :)
02:35 < krzee> yw
02:49 <@vpnHelper> RSS Update - forum: Server Administration :: Re: openVPN connection can never stablished on my VPS :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7209&p=8238#p8238>
02:52 -!- patel_ [~patel@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Ping timeout: 265 seconds]
02:55 <@vpnHelper> RSS Update - forum: Configuration :: Re: [server] Inactivity timeout (--ping-restart), restarting :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7181&p=8237#p8237>
02:55 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:56 -!- patel_ [~patel@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined #openvpn
03:06 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
03:08 -!- xro [~xro@160.98.239.133] has joined #openvpn
03:11 < xro> hi, i get an issue with openvpn... when client try to connect i get no free --ifconfig-pool addresses are available and no dynamic or static remote --ifconfig address is available for... what that means?
03:18 -!- letas [~letas@c-76-26-208-117.hsd1.sc.comcast.net] has joined #openvpn
03:24 -!- SLAiNTRAX [5e17cf98@gateway/web/freenode/ip.94.23.207.152] has quit [Quit: Page closed]
03:31 < xro> nobody???
03:33 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
03:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:39 -!- Nickman is now known as Nickman_OFF
03:49 < krzee> xro, 
03:49 < krzee> !configs
03:49 <@vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
03:54 < xro> my config --> http://pastebin.com/9s76pRAn on a debian 5 with openvpn 2.0
03:59 <@vpnHelper> RSS Update - forum: Configuration :: Re: Need help setting openVPN on a WRT54G router w/DD-WRT :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7212&p=8216#p8216> || Configuration :: Re: Need help setting openVPN on a WRT54G router w/DD-WRT :: Reply by ytekght <https://forums.openvpn.net/viewtopic.php?f=6&t=7212&p=8225#p8225>
04:05 -!- SILOS0022 [~dpenesi@168.226.75.74] has quit [Quit: Ex-Chat]
04:08 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
04:11 <@vpnHelper> RSS Update - forum: Server Administration :: Re: openVPN connection can never stablished on my VPS :: Reply by chakoshi <https://forums.openvpn.net/viewtopic.php?f=4&t=7209&p=8240#p8240>
04:17 <@vpnHelper> RSS Update - forum: Configuration :: Re: Need help setting openVPN on a WRT54G router w/DD-WRT :: Reply by ytekght <https://forums.openvpn.net/viewtopic.php?f=6&t=7212&p=8225#p8225>
04:18 < krzee> 2,0?
04:18 < krzee> go update
04:18 < krzee> 2.1.3 now
04:18 < krzee> !download
04:18 <@vpnHelper> krzee: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
04:20 < krzee> also, i cant help you with your top secret configs
04:20 < krzee> if privacy is so important your ips must be hidden, i suggest paying someone who will sign an NDA
04:23 -!- mape2k [~jabber@jabber.pennewiss.de] has quit [Quit: Leaving.]
04:24 -!- Nickman_OFF is now known as Nickman
04:35 <@vpnHelper> RSS Update - forum: Configuration :: Re: Need help setting openVPN on a WRT54G router w/DD-WRT :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7212&p=8230#p8230>
04:37 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
04:40 < fahmad> krzee: how can i get debuginfo packages for openvpn i have seen when i created rpm it just made single rpm ...
04:41 <@vpnHelper> RSS Update - forum: Configuration :: Re: Need help setting openVPN on a WRT54G router w/DD-WRT :: Reply by ytekght <https://forums.openvpn.net/viewtopic.php?f=6&t=7212&p=8231#p8231>
04:42 < xro> krzee, maybe you know why i get these messages... if not i will look for alone... 
04:51 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Read error: Operation timed out]
04:52 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined #openvpn
04:54 <@vpnHelper> RSS Update - forum: Configuration :: Re: Need help setting openVPN on a WRT54G router w/DD-WRT :: Reply by ytekght <https://forums.openvpn.net/viewtopic.php?f=6&t=7212&p=8232#p8232>
04:58 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:00 <@vpnHelper> RSS Update - forum: Configuration :: Re: Need help setting openVPN on a WRT54G router w/DD-WRT :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7212&p=8239#p8239>
05:06 <@vpnHelper> RSS Update - forum: Installation Help :: Re: Using redirect-gateway in Windows XP :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=5&t=124&p=8221#p8221>
05:12 <@vpnHelper> RSS Update - forum: Installation Help :: Re: TLS Handshake Fails :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=5&t=719&p=8222#p8222>
05:18 <@vpnHelper> RSS Update - forum: Installation Help :: routing cant reach remote LAN :: Author petan <https://forums.openvpn.net/viewtopic.php?f=5&t=7214&p=8226#p8226>
05:24 <@vpnHelper> RSS Update - forum: Installation Help :: Re: routing cant reach remote LAN :: Reply by petan <https://forums.openvpn.net/viewtopic.php?f=5&t=7214&p=8227#p8227> || Installation Help :: Re: routing cant reach remote LAN :: Reply by petan <https://forums.openvpn.net/viewtopic.php?f=5&t=7214&p=8228#p8228>
05:30 <@vpnHelper> RSS Update - forum: Wishlist :: Re: Port Hopping... :: Reply by palladin9479 <https://forums.openvpn.net/viewtopic.php?f=10&t=7162&p=8234#p8234>
05:37 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
05:48 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has joined #openvpn
06:02 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
06:12 -!- |dpetrek| [~kvirc@78-0-199-205.adsl.net.t-com.hr] has quit [Quit: When two people dream the same dream, it ceases to be an illusion. KVIrc 3.4.2 Shiny http://www.kvirc.net]
06:14 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
06:17 -!- aliverius_ is now known as aliverius
06:19 -!- fipu [~fipu@62.75.187.155] has quit [Ping timeout: 240 seconds]
06:21 -!- ucekpolish [user@hq.ostc-pl.com] has left #openvpn []
06:22 -!- fipu [~fipu@swissvps.net] has joined #openvpn
06:27 -!- fipu [~fipu@swissvps.net] has quit [Ping timeout: 245 seconds]
06:31 -!- fipu [~fipu@62.75.187.155] has joined #openvpn
06:37 -!- fipu [~fipu@62.75.187.155] has quit [Ping timeout: 255 seconds]
06:39 -!- fipu [~fipu@swissvps.net] has joined #openvpn
06:45 -!- fipu [~fipu@swissvps.net] has quit [Ping timeout: 245 seconds]
06:54 -!- pingufan [~xerox@goliath.hantsch.co.at] has joined #openvpn
06:54 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Configuration Question on multiple servers and lans :: Reply by ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7216&p=8242#p8242>
06:56 < pingufan> Hi, I have a working openvon server and I want to connect to it with a windows client. I have 3 files from the server (ca.crt, client 1.key, client1.crt), but how do I configure the windows client? It always wants a different file (ovpn or so).
07:16 -!- fipu [~fipu@swissvps.net] has joined #openvpn
07:16 -!- fipu [~fipu@swissvps.net] has quit [Read error: Connection reset by peer]
07:17 < pingufan> Can sobebody, please, help?
07:18  * ecrist reads
07:19 < ecrist> you need to create a client config file
07:19 < ecrist> !configs
07:19 <@vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
07:24 < pingufan> ecrist: talking to me?
07:28 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has joined #openvpn
07:28 < Noble> Do I need to allow both TCP and UDP traffic to openvpn in my firewall?
07:28 < pingufan> UDP should be sufficient.
07:30 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Problem with CN in unicode. :: Reply by forth <https://forums.openvpn.net/viewtopic.php?f=4&t=7196&p=8243#p8243>
07:31 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has quit [Read error: Connection reset by peer]
07:32 < pingufan> how do I create an .ovpn file for a windows client, please?
07:33 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
07:33 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has joined #openvpn
07:33 -!- [intra]lanman [~lanman@12.200.95.45] has joined #openvpn
07:33 -!- [intra]lanman [~lanman@12.200.95.45] has quit [Changing host]
07:33 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
07:35 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has quit [Read error: Connection reset by peer]
07:36 < pingufan> If somebody could, please pastebin me a simple client.ovpn file?  I want to connect a windows client to a Linux server, currently i only have the required ca.crt, client1.crt, client1.key  and nothing else.
07:47 < ksk> http://openvpn.net/index.php/open-source/documentation/howto.html#client
07:47 <@vpnHelper> Title: HOWTO (at openvpn.net)
07:47 < ksk> take a look here
07:48 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Remote host closed the connection]
07:49 < EmperorTom> ecrist: TCP_NODELAY disables Nagle's Algorithm. In a nutshell, it tells the network stack to send out packets as soon as it has data to send, rather than waiting to see if more data arrives.
07:49 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
07:49 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
07:49 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
07:49 < EmperorTom> The result is lower latency at the expense of more overhead. 
07:50 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
07:51 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Read error: Operation timed out]
07:51 < ksk> pingufan: basicly you can rename your linux client.conf to blafo.ovpn and copy it to windows
07:52 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has joined #openvpn
07:52 < ksk> some settings may have to be edited, but you should be able to find out
07:53 < EmperorTom> A good analogy is a bus depot. Drivers normally wait as long as possible to see if any more passengers show up. If you set TCP_NODELAY on the bus driver, he would leave the station as soon as someone got on board. It's faster for the one passenger, but you need a lot more big, ugly, smelly, slow buses on the road to meet demand.
07:53 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has quit [Read error: Connection reset by peer]
07:54 -!- x-demon [xdemon@2001:ba8:1f1:f0b8:216:5eff:fe00:135] has quit [Quit: Cya!]
07:56 < krzee> !learn tcp_nodelay as [08:53]  <EmperorTom> A good analogy is a bus depot. Drivers normally wait as long as possible to see if any more passengers show up. If you set TCP_NODELAY on the bus driver, he would leave the station as soon as someone got on board. It's faster for the one passenger, but you need a lot more big, ugly, smelly, slow buses on the road to meet demand.
07:56 <@vpnHelper> krzee: Error: "08:53" is not a valid command.
07:56 < krzee> !learn tcp_nodelay as <EmperorTom> A good analogy is a bus depot. Drivers normally wait as long as possible to see if any more passengers show up. If you set TCP_NODELAY on the bus driver, he would leave the station as soon as someone got on board. It's faster for the one passenger, but you need a lot more big, ugly, smelly, slow buses on the road to meet demand.
07:56 <@vpnHelper> krzee: Joo got it.
07:56 < krzee> !tcp_nodelay
07:56 <@vpnHelper> krzee: "tcp_nodelay" is <EmperorTom> A good analogy is a bus depot. Drivers normally wait as long as possible to see if any more passengers show up. If you set TCP_NODELAY on the bus driver, he would leave the station as soon as someone got on board. It's faster for the one passenger, but you need a lot more big, ugly, smelly, slow buses on the road to meet demand.
07:57 < EmperorTom> hahaha
07:57 -!- x-demon [xdemon@lex.io] has joined #openvpn
07:57 < krzee> just finished my zfs-boot on mirror fbsd machine
07:58 < krzee> it will be for backing up calls at work... but it also has a secret purpose nobody there knows (or will know) about (except the boss)
07:58 < krzee> it will run the new program i wrote that ensures if anything financial in the database is changed, i know about it
08:00 -!- x-demon [xdemon@lex.io] has left #openvpn []
08:00 < EmperorTom> I love it when people think that there's nobody watching.
08:00 < krzee> yup
08:01 < krzee> until i came, im sure nobody was
08:01 < krzee> and i bet the other tech (whom i dont trust at all) still believe nobody is
08:02 < krzee> but hopefully nobody is doing anything wrong and my program accomplishes nothing except some peace of mind
08:04 < pingufan> ksk: Thank you for your information.  I really wonder why knetworkmanager only asks for the three files and is happy, while in windows this is so different.   Is it possible to show me your working config file? I'll adapt it then to my needs.  The background is: I am no windows user and I email this missing file to one in big distance, and he has no knowledge on that.
08:05 < ksk> neither am i ;)
08:05 < pingufan> ksk: Do you really mean that this client-sample-config is ok?
08:05 < pingufan> Well, I'll have to edit filenames...
08:05 < ksk> yes
08:06 < ksk> and there are some things that just work using linux
08:06 < pingufan> As there are...?
08:06 < ksk> for example setting the mac of the virtual device via lladr
08:06 < pingufan> unimportant.
08:06 < ksk> ;)
08:06 < krzee> !sample
08:07 <@vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
08:07 < krzee> !winpath
08:07 <@vpnHelper> krzee: "winpath" is (#1) Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key", or (#2) also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.: C:/Program Files/OpenVPN/config/foo.key (but surrounded by quotes)
08:07 < pingufan> Oh god, windows is really a nightmare.
08:08 < pingufan> can I enter a fqhn instead of an IP ?
08:09 < ksk> ye
08:09 < pingufan> When I have no tls-auth, I leave this line away?
08:10 < krzee> go make one
08:10 < krzee> !hmac
08:10 <@vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the tls static
08:10 <@vpnHelper> krzee: key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
08:10 < ecrist> EmperorTom: nice analagy
08:11 < EmperorTom> ty :D
08:11 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has joined #openvpn
08:12 < pingufan> I read that openvpn installs in the program path and has a ..../config/  directory. Shall I store all files there? (the .ovpn, the ca.crt, the client.key and client.crt) ?
08:13 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has quit [Read error: Connection reset by peer]
08:14 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has joined #openvpn
08:15 < ecrist> pingufan: yes, that's where config files go.
08:15 < pingufan> Must I enter the full path to the files when they are there (together with the .ovpn) ?
08:15 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has quit [Read error: Connection reset by peer]
08:16 < ecrist> no, you should be fine.
08:16 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has joined #openvpn
08:18 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has quit [Read error: Connection reset by peer]
08:18 < pingufan> So all I do is:  I store the 3 files (crt+key) there, plus the .ovpn file,  and then I point openvpn-client to the ovpn file?
08:19 < ecrist> the windows gui will magically find it
08:19 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has joined #openvpn
08:19 < pingufan> Thank you. I'll give it a try. ;)
08:20 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Read error: Operation timed out]
08:21 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has quit [Read error: Connection reset by peer]
08:21 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
08:21 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has joined #openvpn
08:23 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has quit [Read error: Connection reset by peer]
08:24 -!- Noble [~Noble@158.81-166-203.customer.lyse.net] has joined #openvpn
08:31 < kisom> Does anyone know how to push a secondary DNS address to Windows clients?
08:31 <@vpnHelper> RSS Update - forum: Configuration :: Re: Need help setting openVPN on a WRT54G router w/DD-WRT :: Reply by ytekght <https://forums.openvpn.net/viewtopic.php?f=6&t=7212&p=8244#p8244>
08:48 -!- pingufan [~xerox@goliath.hantsch.co.at] has quit [Remote host closed the connection]
08:51 -!- wagi [~wagi@hotel311.server4you.de] has joined #openvpn
08:55 < ecrist> !dns
08:55 <@vpnHelper> ecrist: "dns" is (#1) Level3 open recursive DNS server at 4.2.2.1, or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4
08:55 < EmperorTom> fwiw Level3 uses 4.2.2.1-6 for DNS
08:57 < wagi> hi, I have a question concering the setup of tun devices. I see ifconfig reports inet addr:10.1.0.1  P-t-P:10.1.0.2  Mask:255.255.255.255
08:57 < wagi> for tun0
08:57 < wagi> and on the client side I have
08:57 < wagi> inet addr:10.1.0.6  P-t-P:10.1.0.5  Mask:255.255.255.255
08:58 < wagi> why is on the client side ifconfig reporting 10.1.0.1 as server?
08:59 < wagi> it's kind of confusing :)
08:59 < Bushmills> because that's the ip address of server
08:59 < wagi> why is not ...
08:59 < ecrist> !dns
08:59 <@vpnHelper> ecrist: "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4
09:00 < Bushmills> t'is probably not ifconfig on client, telling you that
09:01 < ecrist> !/30
09:01 <@vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
09:01 < ecrist> wagi ^^^^
09:02 -!- Cain` [~Geek@unaffiliated/cain] has joined #openvpn
09:02 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
09:04 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
09:05 < wagi> ecrist: thanks for the tip, but this answer is missing :(
09:05 < ecrist> not really.
09:05 < wagi> ecrist: or the link doesn't do the trick it should 
09:06 < ecrist> the server is 10.1.0.1.  a peer-2-peer connection is made using a /30 subnet, in which the remote end is using the logical address 10.1.0.5.
09:06 < ecrist> it does, you just don't understand p2p tunneling.
09:06 -!- Cain` is now known as Cain
09:07 < wagi> I've never said I understand p2p tunneling. I'm just trying to understand how I have to setup the routing right in connman
09:08 < EmperorTom> On a P2P tunnel, the addressing is (to a large extent) irrelevant. There is only other host on the the segment that you can possibly talk to, the remote side.
09:08 < wagi> and I'm just not understanding the basic as it seems 
09:09 < ecrist> short of it is, ignore the .5 address
09:09 < wagi> found the faq entry :)
09:11 < EmperorTom> ecrist: the faq entry isn't bad (i was never entirely clear on why openvpn does that the way it does). the link in the bot appears to be broken though
09:11 < EmperorTom> http://openvpn.net/index.php/open-source/faq/77-server/273-qifconfig-poolq-option-use-a-30-subnet-4-private-ip-addresses-per-client-when-used-in-tun-mode.html
09:12 < wagi> yep that's the one I found
09:12 < ecrist> no, it's the crappy joomla install openvpn has
09:12 < ecrist> I've pointed the issue out to the responsible parties.
09:14 < wagi> anyway thanks for the info
09:14 < wagi> this should help to get openvpn support into connman
09:14 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
10:01 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
10:03 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Read error: Operation timed out]
10:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
10:17 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
10:18 -!- Varazir [mircwars@c-94-255-129-218.cust.bredband2.com] has joined #openvpn
10:27 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
10:51 -!- Nickman is now known as Nickman_OFF
11:05 -!- WormFood [~wormfood@183.38.13.236] has quit [Ping timeout: 265 seconds]
11:09 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
11:16 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
11:17 -!- fipu [~fipu@62.75.187.155] has joined #openvpn
11:18 -!- WormFood [~wormfood@183.38.12.97] has joined #openvpn
11:26 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 252 seconds]
11:27 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
11:56 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
12:01 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 264 seconds]
12:10 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 255 seconds]
12:17 < Varazir> Hello 
12:18 < patel_> hey
12:18 -!- patel_ is now known as openvpn2009
12:18 -!- openvpn2009 [~patel@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Changing host]
12:18 -!- openvpn2009 [~patel@openvpn/corp/admin/patel] has joined #openvpn
12:18 -!- openvpn2009 is now known as patel
12:18 -!- patel [~patel@openvpn/corp/admin/patel] has left #openvpn []
12:19 -!- openvpn2009 [~patel@openvpn/corp/admin/patel] has joined #openvpn
12:19 -!- mode/#openvpn [+o openvpn2009] by ChanServ
12:19 < Varazir> openvpn2009: was it you I just talked to ? 
12:21 < Varazir> ls
12:24 < Varazir> Hello :) 
12:26 <@openvpn2009> yeah
12:26 < Varazir> ok 
12:29 < Varazir> found a old snapshot that worked, see if I can only put back the db I backuped
12:30 < Varazir> love running it virtual 
12:35 < Varazir> openvpn2009: could I just stop the service and copy the db folder ? 
12:37 <@openvpn2009> yeah
12:37 <@openvpn2009> that should be fine
12:37 <@openvpn2009> private message me if you need anything
12:38 < Varazir> cool thanks 
12:41 <@vpnHelper> RSS Update - forum: Configuration :: Re: Need help setting openVPN on a WRT54G router w/DD-WRT :: Reply by ytekght <https://forums.openvpn.net/viewtopic.php?f=6&t=7212&p=8245#p8245>
12:46 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
12:50 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
12:52 -!- futurestack [~futuresta@unaffiliated/futurestack] has joined #openvpn
12:52 <@vpnHelper> RSS Update - forum: Configuration :: Re: Need help setting openVPN on a WRT54G router w/DD-WRT :: Reply by ytekght <https://forums.openvpn.net/viewtopic.php?f=6&t=7212&p=8246#p8246> || Configuration :: Re: Need help setting openVPN on a WRT54G router w/DD-WRT :: Reply by ytekght <https://forums.openvpn.net/viewtopic.php?f=6&t=7212&p=8247#p8247>
13:00 -!- master_of_master [~master_of@p57B578CB.dip.t-dialin.net] has joined #openvpn
13:32 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
13:39 -!- epaphus [~user@201.199.62.74] has joined #openvpn
13:44 -!- Nickman_OFF is now known as Nickman
13:58 -!- fahmad [~linux@vpn.server4sale.com] has joined #openvpn
13:58 -!- fahmad [~linux@vpn.server4sale.com] has quit [Changing host]
13:58 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
14:23 < epaphus> For some weird reason windows OpenVPN client does not detect my configs and when right clicking on the tray icon it only says About and Exit :( i have the files: client1.ovpn, ca.crt, client1.key and client1.crt in the config folder 
14:24 < epaphus> any ideas
14:24 -!- thelongmile [~thelongmi@cpc1-ely04-0-0-cust70.5-1.cable.virginmedia.com] has joined #openvpn
14:25 < epaphus> ive reinstalled openvpn, rebooted x times, re did the easy rsa process.. nothing
14:30 -!- Phenox_ [~Bernd@88.215.198.24] has quit [Ping timeout: 276 seconds]
14:33 -!- thelongmile [~thelongmi@cpc1-ely04-0-0-cust70.5-1.cable.virginmedia.com] has left #openvpn []
14:35 -!- dasy2k1 [~mchi8ds2@host109-157-35-135.range109-157.btcentralplus.com] has joined #openvpn
14:36 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:37 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Remote host closed the connection]
14:39 < dasy2k1> hi everyone, Ive got a question about networks. from what i can make out the vpn server needs two ethernet connections? one to the outside world and one to the local network?  or is it possible to have a single connection? Basically i wish to VPN into my home network from my smartphone and laptop when out and about to access local resources (such as a NAS drive) and also because one Wifi network i use is transparent t
14:39 < dasy2k1> o VPNs but has a loginwall for non vpn traffic that severly limits what protocalls are allowd (practially only http(s) and IMAP) 
14:40 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
14:41 -!- Phenox_ [~Bernd@88.215.198.24] has joined #openvpn
14:47 < Bushmills> "two ethernet connections" .. no, it doesn't
14:48 < Bushmills> but if you connect to your home network (the gateway, probably), you're likely to have two NICs already
14:50 < Bushmills> openvpn binds to one NIC, and created a virtual interface upon start (server) or connection (client)
14:51 < Bushmills> ehm. wrong. binds to one or all NICs (server).
15:07 -!- krzee [krzee@hemp.ircpimps.org] has joined #openvpn
15:07 -!- krzee [krzee@hemp.ircpimps.org] has quit [Changing host]
15:07 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
15:16 -!- phusion__ [psn@2607:f0d0:2001:8b::50:1337] has joined #openvpn
15:17 < phusion__> hey guys. i have two nic's with public addresses on my server, and i want to run an openvpn client bound to each interface to distribute traffic. is there an easy way of binding the client?
15:18 < phusion__> sorry, run two openvpn clients bound to each interface
15:18 < phusion__> seperate configurations for openvpn, seperate clients
15:19 < Bushmills> phusion__: your openvpn client will connect to openvpn server, honouring the route as set by your operating system  
15:20 < Bushmills> same is the case when running two clients
15:20 < krzee> --multihome
15:21 < krzee> its new, never played with it
15:22 < phusion__> hmm. here's the thing, my openvpn client is obtaining a public IP on the other end with each client. the server the clients run on has no egress/source ip filtering on it so what i do is comment the #redirect-gateway line and I can spoof right out the default gateway.. I guess thats only going to work with 1 nic though
15:23 < phusion__> (it does work with 1 nic, trying to figure out 2)
15:23 < Bushmills> if you run some load balancing software, which sends to either one or the other openvpn client tun interface, openvpn will most likely not resist
15:37 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
15:42 < dasy2k1> so if i have the following setup at the moment....   internet --> NAT router --> home network --> server, i can forward the port to the server from the outside world, but how would i set it up that the vpn traffic goes back out of the same NIC it comes into onto the local network?
15:44 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
15:49 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
15:49 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Ping timeout: 276 seconds]
15:50 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
15:54 -!- Nickman is now known as Nickman_OFF
16:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
16:03 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
16:04 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Read error: Connection reset by peer]
16:04 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
16:06 -!- fipu [~fipu@62.75.187.155] has quit [Remote host closed the connection]
16:15 < Bushmills> where traffic goes to is determined by routing
16:26 -!- Netsplit *.net <-> *.split quits: hyper_ch, ^scott^_, patelx, Champi, @vpnHelper
16:27 -!- Netsplit over, joins: @vpnHelper, ^scott^_, patelx, hyper_ch, Champi
16:27 -!- mode/#openvpn [+o patelx] by ChanServ
16:42 -!- plaerzen [~cam@vip1.tundraeng.com] has joined #openvpn
16:42 < plaerzen> ecrist, what is a vpn?
16:45 < plaerzen> krzee, did you change your nick to krzie ?
16:45 < plaerzen> Trying to hide from me?
16:49 -!- takamichi [~pri@78.133.38.192] has quit [Read error: Connection reset by peer]
16:49 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
16:50 -!- slyrus_ [~chatzilla@adsl-75-36-215-204.dsl.pltn13.sbcglobal.net] has joined #openvpn
16:50 < slyrus_> !welcome
16:50 <@vpnHelper> slyrus_: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:50 < slyrus_> !goal
16:50 <@vpnHelper> slyrus_: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:51 < slyrus_> I just want a secure connection between 2 computers
16:51 < slyrus_> !goal I just want a secure connection between 2 computers
16:51 <@vpnHelper> slyrus_: Error: "goal" is not a valid command.
16:52 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
16:52 < slyrus_> !howto
16:52 <@vpnHelper> slyrus_: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:55 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
16:59 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
17:01 -!- brenddie [~eavila@24.55.75.46] has joined #openvpn
17:02 < brenddie> anyone has experience setting up a NEt-to-NET VPN using the ZERINA addon for IPCop ?
17:02 < brenddie> havent been able to connect both IPCops via ipsec due to nating issues
17:02 < brenddie> trying openVPN now
17:03 -!- wagi [~wagi@hotel311.server4you.de] has quit [Ping timeout: 255 seconds]
17:03 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
17:20 < epaphus> hello.. so how could i see who is connected via OVPN to the server..?
17:23 < Bushmills> the status file shows who is connected
17:33 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:39 -!- james [~jj@adsl-99-96-69-109.dsl.lsan03.sbcglobal.net] has joined #openvpn
17:39 -!- james is now known as Guest4272
17:43 -!- Guest4272 [~jj@adsl-99-96-69-109.dsl.lsan03.sbcglobal.net] has quit [Client Quit]
17:44 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
17:49 -!- plaerzen [~cam@vip1.tundraeng.com] has left #openvpn ["Leaving"]
17:53 -!- dasy2k1 [~mchi8ds2@host109-157-35-135.range109-157.btcentralplus.com] has quit [Quit: Leaving]
17:56 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Remote host closed the connection]
18:00 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
18:04 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
18:05 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
18:08 -!- adac [~nutella@85-127-41-82.dynamic.xdsl-line.inode.at] has joined #openvpn
18:09 < adac> this openvpn access server is a nice thingy
18:09 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Ping timeout: 240 seconds]
18:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
18:14 < krzee> cool
18:15 < slyrus_> So if I see the message "Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)" does that mean I need to setup the TUN interface somehow?
18:15 < krzee> you need to load the tun module into your kernel (or compile it in_
18:16 < slyrus_> oh, I see. thanks.
18:19 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
18:20 < brenddie> anyone experienced with the zerina addon for ipcop?
18:20 < brenddie> cant get  a net2net tunnel working
18:39 -!- brenddie [~eavila@24.55.75.46] has quit [Quit: Leaving.]
18:43 -!- brenddie [~eavila@24.55.75.46] has joined #openvpn
18:44 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
18:44 -!- adac [~nutella@85-127-41-82.dynamic.xdsl-line.inode.at] has quit [Ping timeout: 272 seconds]
18:56 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
18:56 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Remote host closed the connection]
18:57 -!- nb [~nb@fedora/GSWoT.Member.nb] has quit [Read error: Connection reset by peer]
18:58 -!- nb [~nb@fedora/GSWoT.Member.nb] has joined #openvpn
19:05 -!- theDoc [~Link@bb119-74-212-233.singnet.com.sg] has joined #openvpn
19:05 -!- theDoc [~Link@bb119-74-212-233.singnet.com.sg] has quit [Client Quit]
19:26 -!- slyrus_ [~chatzilla@adsl-75-36-215-204.dsl.pltn13.sbcglobal.net] has quit [Remote host closed the connection]
19:33 -!- EmperorTom [~EmperorTo@174-30-240-185.mpls.qwest.net] has quit [Remote host closed the connection]
20:00 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has quit [Read error: Connection reset by peer]
20:05 -!- letas [~letas@c-76-26-208-117.hsd1.sc.comcast.net] has left #openvpn []
20:25 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
20:29 -!- EmperorTom [~EmperorTo@174-30-240-185.mpls.qwest.net] has joined #openvpn
21:30  * ecrist sets topic to 'Boats and Hos'
21:37 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
22:08 -!- dtloken [~dtloken@CPE-72-135-205-215.wi.res.rr.com] has joined #openvpn
22:08 < dtloken> Hello.
22:09 < dtloken> So, I've got OpenVPN running on my Tomato installation. I'm able to connect via Tunnelblick however it won't pass any traffic as far as I can tell.
22:09 < dtloken> !welcome
22:09 <@vpnHelper> dtloken: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
22:10 < dtloken> !goal
22:10 <@vpnHelper> dtloken: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
22:10 < dtloken> The goal would be "I would like to access the internet over my VPN."
22:10 < dtloken> Log in Tunnelblick gives this error "2010-10-28 22:06:51 write to TUN/TAP : Input/output error (code=5)"
22:11 < ecrist> doh
22:11  * ecrist gets shot down by the gf tonight.
22:11 < theDoc> ecrist: I heard chocolates and flowers work good. ;p
22:11 < dtloken> No errors in my Tomato log, I have the connection log for that however.
22:11 < ecrist> theDoc: usually.
22:11 < theDoc> Patch accordingly.
22:28 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:30 -!- dtloken_ [~dtloken@2002:6290:1f7b:1234:61e:64ff:fef3:3c15] has joined #openvpn
22:33 -!- dtloken_ [~dtloken@2002:6290:1f7b:1234:61e:64ff:fef3:3c15] has quit [Read error: Connection reset by peer]
22:34 -!- dtloken [~dtloken@CPE-72-135-205-215.wi.res.rr.com] has quit [Ping timeout: 240 seconds]
22:36 -!- dtloken [~dtloken@2002:6290:1f7b:1234:61e:64ff:fef3:3c15] has joined #openvpn
22:39 -!- dtloken [~dtloken@2002:6290:1f7b:1234:61e:64ff:fef3:3c15] has quit [Remote host closed the connection]
22:40 -!- dtloken [~dtloken@2002:6290:1f7b:1234:61e:64ff:fef3:3c15] has joined #openvpn
22:41 -!- dtloken_ [~dtloken@CPE-72-135-205-215.wi.res.rr.com] has joined #openvpn
22:42 < ecrist> gah, the joins, they hurt my eyes
22:43 -!- dtloken__ [~dtloken@2002:6290:1f7b:1234:61e:64ff:fef3:3c15] has joined #openvpn
22:44 -!- dtloken___ [~dtloken@CPE-72-135-205-215.wi.res.rr.com] has joined #openvpn
22:44 < dtloken___> Ugh.
22:44 < dtloken___> Fuck it.
22:44 < dtloken___> This is never going to work.
22:45 -!- dtloken [~dtloken@2002:6290:1f7b:1234:61e:64ff:fef3:3c15] has quit [Ping timeout: 252 seconds]
22:45 -!- dtloken___ is now known as dtloken
22:45 -!- dtloken_ [~dtloken@CPE-72-135-205-215.wi.res.rr.com] has quit [Ping timeout: 245 seconds]
22:46 < dtloken> Anyone?
22:46 < dtloken> I'm at a complete loss.
22:46 < dtloken> It won't pass any traffic over the VPN.
22:47 -!- dtloken__ [~dtloken@2002:6290:1f7b:1234:61e:64ff:fef3:3c15] has quit [Ping timeout: 252 seconds]
22:49 < ecrist> dtloken: let me read up, gimme a min
22:49 < dtloken> Ok.
22:49 < ecrist> do you have your configs?
22:49 < dtloken> I've installed Viscosity (another OS X VPN client), same issues.
22:49 < ecrist> !configs
22:49 <@vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
22:49 < ecrist> the issue is your server, most likely
22:52 < dtloken> Oct 28 22:51:31 unknown daemon.notice openvpn[2407]: TUN/TAP device tap21 opened
22:52 < dtloken> Oct 28 22:51:31 unknown daemon.notice openvpn[2407]: TUN/TAP TX queue length set to 100
22:52 < dtloken> Oct 28 22:51:31 unknown daemon.notice openvpn[2407]: Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
22:52 < dtloken> Oct 28 22:51:31 unknown daemon.notice openvpn[2414]: Socket Buffers: R=[32767->65534] S=[32767->65534]
22:52 < dtloken> Oct 28 22:51:31 unknown daemon.notice openvpn[2414]: UDPv4 link local (bound): [undef]:1194
22:52 < dtloken> Oct 28 22:51:31 unknown daemon.notice openvpn[2414]: UDPv4 link remote: [undef]
22:52 < dtloken> Oct 28 22:51:46 unknown daemon.notice openvpn[2414]: Peer Connection Initiated with 192.168.1.149:1194
22:52 -!- dtloken was kicked from #openvpn by vpnHelper [Flooding detected. Please use http://openvpn.pastbin.ca for posting logs or configs.]
22:52 -!- dtloken [~dtloken@CPE-72-135-205-215.wi.res.rr.com] has joined #openvpn
22:53 < dtloken> That's the log from my server.
22:53 < ecrist> you were booted part way through.  try using a pastebin like the instructions recommend.
22:53 < dtloken> I'm being assigned an IP by the server's DHCP server when connecting to the VPN.
22:55 < dtloken> http://pastebin.com/dcehH8pB
22:56 < ecrist> ok, what IP does the client have, on it's network?
22:56 < dtloken> 192.168.1.149
22:57 < dtloken> Just reconnected to the VPN and was assigned 192.168.1.122
22:57 < dtloken> (Connecting from the same network right now if that makes a difference)
22:58 < epaphus> ecrist, Earlier I asked about bridging and windows share. I must point out that I only need to access windows shares between the subnet of the remote warriors.. not the other LAN. So do broadcasts traverse for all the users in tun?
22:58 < dtloken> I also am able to connect to the VPN from my neighbor's unsecured wifi.
22:58 < dtloken> Same thing happens.
22:58 < dtloken> Although when connected to the VPN on it's own network I'm still able to connect to stuff although the traffic is still not passing through the VPN.
22:58 < ecrist> dtloken: you cannot connect to a VPN on the same network you're on.  your test is bad.
22:59 < dtloken> ecrist: same thing happens on my neighbor's network for what it's worth.
22:59 < ecrist> epaphus: krzee will skin me for saying it later, but just setup a tun/bridged VPN for now, and things will just work.
22:59 < ecrist> that puts all the VPN clients on the same subnet, WINS doesn't need to be invovled
22:59 < ecrist> iirc, I recommended that a couple days ago.
23:00 < epaphus> ok cool
23:00 < ecrist> dtloken: I'm guessing they're using the same !1918 address space (it's common for home routers)
23:01 < dtloken> What would that do to the VPN? I'm an above average user but not all that knowledgable about networks beyond basics.
23:02 < ecrist> heh
23:03 -!- brenddie1 [~eavila@24.55.75.46] has joined #openvpn
23:03 < ecrist> what's happening is the VPN server is trying to assing an IP that is routable to the local network, which is going to have a lower routing metric, which  makes the VPN subnet unroutable.
23:04 -!- brenddie [~eavila@24.55.75.46] has quit [Ping timeout: 255 seconds]
23:04 < dtloken> Well, hold on. Let me connect to that other network and see what IP it's assigning.
23:07 -!- dtloken_ [~dtloken@72.135.205.215] has joined #openvpn
23:07 < dtloken_> 192.168.2.9 is assigned on the other network.
23:08 < dtloken_> So I guess my solution is to reconfigure my router?
23:09 < epaphus> !redirect-gateway
23:09 <@vpnHelper> epaphus: Error: "redirect-gateway" is not a valid command.
23:09 < epaphus> bah
23:09 -!- dtloken [~dtloken@CPE-72-135-205-215.wi.res.rr.com] has quit [Ping timeout: 272 seconds]
23:09 -!- dtloken_ is now known as dtloken
23:10 < dtloken> http://pastebin.com/c9Tpf3nz is my client side configuration.
23:10 < epaphus> redirect-gateway def1 is a directive I can place in my specific config as a client, and globally for all clients on the server.conf right?
23:13 < ecrist> dtloken: 
23:13 < ecrist> !1918
23:13 <@vpnHelper> ecrist: "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, adn 192.168.0.0/16, or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html
23:16 < dtloken> Well, yes, that's what I was getting at.
23:18 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:21 < dtloken> So to renumber my network, what would we suggest using to avoid this problem?
23:25 -!- brenddie1 [~eavila@24.55.75.46] has quit [Ping timeout: 255 seconds]
23:26 < ecrist> dtloken: something in the 172.16/12 subnet is best, in my experience.
23:30 -!- brenddie [~eavila@24.55.75.46] has joined #openvpn
23:31 -!- dtloken_ [~dtloken@CPE-72-135-205-215.wi.res.rr.com] has joined #openvpn
23:31 < dtloken_> Ok, assigning 172.30.1.2-172.30.1.255 now.
23:32 < dtloken_> Let's go test this.
23:32 -!- dtloken [~dtloken@72.135.205.215] has quit [Read error: Operation timed out]
23:32 -!- dtloken_ is now known as dtloken
23:34 < ecrist> work?
23:36 -!- dtloken_ [~dtloken@2002:6290:1f7b:1234:61e:64ff:fef3:3c15] has joined #openvpn
23:37 -!- dtloken [~dtloken@CPE-72-135-205-215.wi.res.rr.com] has quit [Ping timeout: 272 seconds]
23:41 -!- dtloken_ [~dtloken@2002:6290:1f7b:1234:61e:64ff:fef3:3c15] has quit [Ping timeout: 252 seconds]
23:41 -!- dtloken [~dtloken@CPE-72-135-205-215.wi.res.rr.com] has joined #openvpn
23:41 < dtloken> Ok.
23:42 < ecrist> :)
23:42 < dtloken> So, was able to connect to the VPN from the neighbor's network.
23:42 < dtloken> I was able to login to Tomato's admin panel and change things.
23:42 < dtloken> Assigned an IP of 192.168.x.x on the other network, the VPN assigned one in my router's new range.
23:42 < dtloken> However I'm still not able to reach the internet.
23:43 < ecrist> that's a separate issue
23:45 < dtloken> Any ideas?
23:45 < ecrist> in your server config, add: push "redirect-gateway def1"
23:47 < dtloken> The Tomato VPN version has a GUI for configuring OpenVPN. No particularly easy way of editing the config file manually, however there is a box in the GUI for custom config, I pasted that single line in. Let me see what happens.
23:48 < ecrist> I think you need to present the entire config
23:49 < dtloken> Hmm, this could be a problem then. Let me see if I can view the config via terminal.
23:51 < dtloken> Thank you for being so patient and helpful by the way.
23:52 < ecrist> np
23:52 < dtloken> logged into the router's shell, now time to find where the config file resides here.
--- Day changed Fri Oct 29 2010
00:00 < dtloken> Ok, it just appends the custom config at the end of the automatic config.
00:00 < dtloken> http://pastebin.com/jPxW5ZDn
00:00 < ecrist> w00t
00:01 < ecrist> so, it works, right?
00:01 < dtloken> Didn't test yet, does that config file look good?
00:01 < ecrist> yeah
00:01 < dtloken> Ok, be back shortly.
00:02 -!- dtloken_ [~dtloken@cpe-98-144-31-123.wi.res.rr.com] has joined #openvpn
00:04 < ecrist> looks like it worked
00:05 -!- dtloken__ [~dtloken@CPE-72-135-205-215.wi.res.rr.com] has joined #openvpn
00:05 < dtloken__> hmm, no dice
00:06 < ecrist> 00:01 < dtloken> Didn't test yet, does that config file look good?
00:06 < ecrist> 00:01 < ecrist> yeah
00:06 < ecrist> 00:01 < dtloken> Ok, be back shortly.
00:06 < ecrist> 00:02 -!- dtloken_ [~dtloken@cpe-98-144-31-123.wi.res.rr.com] has joined #openvpn
00:06 < ecrist> 00:04 < ecrist> looks like it worked
00:06 < ecrist> 00:05 -!- dtloken__ [~dtloken@CPE-72-135-205-215.wi.res.rr.com] has joined #openvpn
00:06 -!- dtloken [~dtloken@CPE-72-135-205-215.wi.res.rr.com] has quit [Ping timeout: 245 seconds]
00:06 -!- dtloken__ is now known as dtloken
00:06 < dtloken> hmm
00:06 < dtloken> yeah, that's me reconnecting on this network.
00:07 < dtloken> What was my hostmask at :02?
00:07 < dtloken> Oh, yeah, I see.
00:07 < dtloken> Nope, was on the other guy's network.
00:08 < dtloken> IPs are assigned via DHCP on RR around here but rarely if ever change.
00:08 < dtloken> .215 is me, .123 is the other guy's network.
00:09 < dtloken> Really all I want is a VPN to tunnel through so my traffic is secure when using public wifi. Never figured it would be this much work to set up. :)
00:09 -!- dtloken_ [~dtloken@cpe-98-144-31-123.wi.res.rr.com] has quit [Ping timeout: 276 seconds]
00:11 < dtloken> So I'm guessing the issue is I can't reach the gateway for some reason?
00:11 < dtloken> With the gateway being 172.30.1.1
00:12 < dtloken> Brb, testing something else.
00:12 < ecrist> I'm going for a walk.  Ping me in about 10 hrs
00:12 -!- dtloken_ [~dtloken@2002:6290:1f7b:1234:61e:64ff:fef3:3c15] has joined #openvpn
00:13 < dtloken_> hmm
00:16 -!- dtloken__ [~dtloken@CPE-72-135-205-215.wi.res.rr.com] has joined #openvpn
00:17 -!- dtloken [~dtloken@CPE-72-135-205-215.wi.res.rr.com] has quit [Ping timeout: 255 seconds]
00:17 -!- dtloken__ is now known as dtloken
00:18 < dtloken> http://pastebin.com/AxWwVGLY current client side config.
00:19 -!- dtloken_ [~dtloken@2002:6290:1f7b:1234:61e:64ff:fef3:3c15] has quit [Ping timeout: 272 seconds]
00:20 < epaphus> Why could it that if i push redirect-gateway def1 ... windows doesnt do the trick (not tested with other os) .. i have to push redirect-gateway without options??
00:46 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
00:48 < brenddie> using ipcop + zerina, I can ping ipcop from the roadwarrior vpn but cant ping any computers behind ipcop. Only change was upgrading ipcop to 1.4.21 and zerina upgraded to 0.97
00:49 < brenddie> a server on the LAN can ping the vpn client but the client cant ping that server
00:51 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
00:56 -!- xro [~xro@160.98.239.133] has quit [Quit: Quitte]
01:02 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
01:04 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
01:07 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
01:21 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Read error: Connection reset by peer]
01:26 -!- dtloken [~dtloken@CPE-72-135-205-215.wi.res.rr.com] has quit [Quit: dtloken]
01:27 < Bushmills> !winroute
01:27 <@vpnHelper> Bushmills: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
01:28 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
01:28 < Bushmills> brenddie: 
01:28 < Bushmills> !route
01:28 <@vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
01:29 < epaphus> Is it possible to push: verb or comp-lzo to clients via the server ?
01:29 < brenddie> funny thing it was working with zerina 0.94
01:29 < Bushmills> and ..
01:29 < Bushmills> !firewall
01:29 <@vpnHelper> Bushmills: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
01:29 < brenddie> upgraded to be able to set up net2net
01:29 < brenddie> will read it now
01:36 < brenddie> ah shoot, added a route command and locked my out
01:42 < brenddie> i guess thats it for tonigth
01:42 < brenddie> bushmills, any idea what could have changed that it wouldnt make connection in 1 direction?
01:44 < Bushmills> you said so already: " added a route command and locked my out"
01:45 -!- aliverius_ [~george@athedsl-392811.home.otenet.gr] has joined #openvpn
01:46 < brenddie> the problem was happening before doing that
01:46 < Bushmills> !firewall
01:46 <@vpnHelper> Bushmills: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
01:46 < krzee> yup
01:46 < krzee> [01:49]  <brenddie> a server on the LAN can ping the vpn client but the client cant ping that server
01:46 < krzee> can ping and get response 1 way not other = firewall
01:47 < krzee> windows clients are notorious for this
01:47 < brenddie> the thing that confuses me is that this setuo was worlking for the last 3 or 4 years
01:47 < krzee> til something changed
01:48 < brenddie> had to upgrade openvpn to get net2net and it broke something
01:48 < krzee> wtf is net2net?
01:48 < brenddie> tried restoring the ovpn folder but the issue persisted
01:48 < krzee> net2net isnt an openvpn config option
01:48 < brenddie> net2net openVPN conection
01:48 -!- aliverius [~george@athedsl-393096.home.otenet.gr] has quit [Ping timeout: 265 seconds]
01:49 < brenddie> the newer zerina addon has a net2net option. not sure how it works internally
01:49 < krzee> oh, we dont support zerina here... just openvpn
01:49 < brenddie> ipsec wasnt working due to a dumb dsl router
01:49 < krzee> ;]
01:50 < brenddie> ok, no problem, tought maybe someone here had seen this before
01:51 < krzee> i have
01:51 < krzee> its a firewall issue
01:52 < krzee> you certainly didnt just upgrade openvpn, since you got something called net2net which is not part of openvpn
01:53 < brenddie> yes
01:53 < brenddie> but the weird thing is that restoring the ovpn folder from backup still shows the problem
01:53 < krzee> no kidding
01:53 < krzee> its not openvpn
01:53 < krzee> ITS YOUR FIREWALL
01:54  * krzee points at the topic
01:54 < krzee> (3rd part)
01:54 < brenddie> :) bad firewall
01:55 < krzee> if you can ping 1 direction, the routes are right for the ping response to make it, and return
01:55 < krzee> so they are right for both directions
01:56 < krzee> however, someone can ping out without necessarily being able to be pinged
01:56 -!- EmperorTom [~EmperorTo@174-30-240-185.mpls.qwest.net] has quit [Read error: Operation timed out]
01:56 -!- EmperorT1m [~EmperorTo@174-30-249-165.mpls.qwest.net] has joined #openvpn
01:57 < brenddie> yes, makes sense
02:01 < epaphus> Is it possible to push: verb or comp-lzo to clients via the server ?
02:13 < epaphus> i guess not :P
02:15 -!- epaphus [~user@201.199.62.74] has quit [Remote host closed the connection]
02:18 -!- Nickman_OFF is now known as Nickman
02:49 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Read error: No route to host]
02:57 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
03:02 <@vpnHelper> RSS Update - forum: Server Administration :: Routing trouble :: Author snorhyvel <https://forums.openvpn.net/viewtopic.php?f=4&t=7217&p=8248#p8248>
03:13 -!- Cain` [~Geek@unaffiliated/cain] has joined #openvpn
03:14 -!- Cain [~Geek@unaffiliated/cain] has quit [Ping timeout: 252 seconds]
03:14 -!- Cain` is now known as Cain
03:31 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
03:32 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Read error: Connection reset by peer]
03:32 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
03:37 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:41 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
04:08 -!- smerz [~smerz@smerz.demon.nl] has quit [Remote host closed the connection]
04:08 <@vpnHelper> RSS Update - forum: Configuration :: Apply different fw rules (dynamically) to users :: Author feralert <https://forums.openvpn.net/viewtopic.php?f=6&t=7218&p=8249#p8249>
04:12 -!- aliverius [~george@athedsl-395176.home.otenet.gr] has joined #openvpn
04:14 -!- aliverius_ [~george@athedsl-392811.home.otenet.gr] has quit [Ping timeout: 265 seconds]
04:26 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
04:26 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
04:36 < Dennis84> hey all
04:36 < Dennis84> i have a openvpn setup with only one subnet
04:37 < Dennis84> i found a solution to use the new subnet technology in openvpn version 2.1, but this is not useable with 2.0 clients
04:37 < Dennis84> is there a solution to use more clients with openvpn version 2.0?
04:43 -!- master_of_master [~master_of@p57B578CB.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
04:46 -!- master_of_master [~master_of@p57B54FA7.dip.t-dialin.net] has joined #openvpn
04:46 < cron2> upgrade the clients to 2.1 :-)
04:50 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
04:51 < Dennis84> :p
05:10 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
05:19 -!- Cain [~Geek@unaffiliated/cain] has quit [Read error: No route to host]
05:20 -!- Cain [~Geek@unaffiliated/cain] has joined #openvpn
05:21 <@vpnHelper> RSS Update - forum: Routing and Firewall Scripts :: how to add a kernel's route on the openvpn server? :: Author ... <https://forums.openvpn.net/viewtopic.php?f=17&t=7219&p=8250#p8250>
05:21 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
05:24 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
05:24 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
05:29 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Ping timeout: 240 seconds]
05:30 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
05:30 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
05:32 -!- APTX [~APTX@phpBB/developer/APTX] has joined #openvpn
05:46 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has joined #openvpn
06:09 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
06:14 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Ping timeout: 245 seconds]
06:18 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
06:23 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
06:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
06:38 < Dennis84> hey 
06:38 < Dennis84> i have a question about the vpn example here:http://wiki.openvpn.eu/index.php/Config_ServerNET_Bridging
06:38 <@vpnHelper> Title: Config ServerNET Bridging – OpenVPN Wiki (at wiki.openvpn.eu)
06:39 < Dennis84> is it nessesary to have a bridge setup on my server?
06:39 < Dennis84> so, sry for my stupid question
06:39 < Dennis84> i want only to ping clients on my vpn
06:40 < Dennis84> so, what i mean, is it neccesary to have a bridge added to my root server having a tap device?
07:02 < Dennis84> i got it :)
07:02 < Dennis84> thanks anyway :)
07:10 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
07:11 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
07:13 -!- L0LI [~DB@unaffiliated/l0li] has joined #openvpn
07:28 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
07:33 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
07:34 -!- [intra]lanman [~lanman@12.200.95.45] has joined #openvpn
07:34 -!- [intra]lanman [~lanman@12.200.95.45] has quit [Changing host]
07:34 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
08:04 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
08:25 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
08:25 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
08:30 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Ping timeout: 245 seconds]
08:35 -!- L0LI [~DB@unaffiliated/l0li] has quit [Ping timeout: 245 seconds]
08:37 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
08:48 -!- twister004 [~chatzilla@59.90.34.167] has joined #openvpn
08:49 < twister004> hi everybody, I have successfully setup and cconfiured the client and server for openvpn..now,, I want to make the client side as userfriendly as possible...
08:49 < twister004> is it possible to have a gui in ubuntu(client)?
08:52 < tuxx> hey guys...
08:54 < tuxx> i have access to an openvpn server which only allows 1 connection for my user.. i however would like to be able to access the vpn from several computers.. 
08:54 -!- nullm0dem [~nullm0dem@c-24-218-189-90.hsd1.vt.comcast.net] has joined #openvpn
08:55 < tuxx> i have the vpn running on a dedicated server
08:55 < tuxx> can i start a vpn server on the dedicated server and then redirect the traffic through the running vpn?
08:58 -!- usual [d19cf929@gateway/web/freenode/ip.209.156.249.41] has joined #openvpn
08:59 < usual> Is OpenVPN capable of allowing SSL vpn connections that will let a remote computer access the entire network on the other side? not just individual apps
09:04 -!- twister004 [~chatzilla@59.90.34.167] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.12/20101026210630]]
09:12 -!- usual [d19cf929@gateway/web/freenode/ip.209.156.249.41] has left #openvpn []
09:13 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
09:21 -!- EmperorTom [~EmperorTo@174-30-246-117.mpls.qwest.net] has joined #openvpn
09:21 < ecrist> wow, he waited 13 minutes for a response.
09:22 -!- EmperorT1m [~EmperorTo@174-30-249-165.mpls.qwest.net] has quit [Read error: Operation timed out]
09:26 -!- EmperorT1m [~EmperorTo@184-97-175-233.mpls.qwest.net] has joined #openvpn
09:28 -!- EmperorTom [~EmperorTo@174-30-246-117.mpls.qwest.net] has quit [Ping timeout: 255 seconds]
09:32 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
09:42 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
09:50 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:58 -!- EmperorT1m is now known as EmperorTom
10:06 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
10:28 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
10:30 -!- L0LI [~DB@unaffiliated/l0li] has joined #openvpn
10:31 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
10:32 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Read error: Connection reset by peer]
10:32 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
10:41 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Remote host closed the connection]
10:42 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
10:47 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Ping timeout: 276 seconds]
10:56 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined #openvpn
11:05 -!- WormFood [~wormfood@183.38.12.97] has quit [Ping timeout: 264 seconds]
11:16 -!- Cain [~Geek@unaffiliated/cain] has quit [Quit: Sayaunara ^_^]
11:18 -!- WormFood [~wormfood@183.38.15.50] has joined #openvpn
11:20 -!- Nickman is now known as Nickman_OFF
11:24 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
11:32 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
11:38 -!- albech_ [~thomas@124.157.211.236] has joined #openvpn
11:40 < albech_> hi everyone.. i have successfully build a openvpn server (bridge). When connecting I get an ip number from the external LAN. The problem I am facing now seems to be the default route.
11:43 < ecrist> how is it a problem?
11:48 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
11:55 < albech_> i have no internet access after established the vpn
11:55 < albech_> i wish to route all traffic through the vpn
11:56 < albech_> sorry if i wasnt clear
11:56 -!- robert45 [~robert@r190-135-163-125.dialup.adsl.anteldata.net.uy] has joined #openvpn
11:58 < robert45> hey guys, Im having some weird problem with my openvpn. Im running a OpenVPN server on a linux dedicated server, I have configured it so I can browse using the VPN's IP address, the problem is that when I try to browse a site that is hosted on the same server it uses my machine IP to connect to instead of the VPN Server IP. http://whatismyip.com shows me the VPN IP so Im a bit confused right now
11:58 <@vpnHelper> Title: What Is My IP Address - Shows Your IP Address (at whatismyip.com)
11:58 < robert45> (I can see my machine IP by looking at the apache log)
12:00 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
12:00 < robert45> any advice?
12:01 -!- Agin_ is now known as Agin
12:06 -!- robert45 [~robert@r190-135-163-125.dialup.adsl.anteldata.net.uy] has quit []
12:07 -!- robert45 [~robert@r190-135-163-125.dialup.adsl.anteldata.net.uy] has joined #openvpn
12:15 -!- albech_ [~thomas@124.157.211.236] has quit [Quit: Ex-Chat]
12:20 < Bushmills> robert45: you probably use your vpn server as gateway, maybe with --redirect-gateway, with a masquerading setup. with such, the gateway translates the originator address against its own.
12:20 < Bushmills> when you connect to the webserver on openvpn server, no masquerading is needed, therefore you see the vpn client address in the logs
12:21 < krzee> use that site by its vpn ip
12:21 < L0LI> <iaintel> L0LI, you're opening a port to communicate with your VPN, and malware usually come through that port. best way to secure yourself is protocol-analysis-enabled firewall/IPS, thought requires a lot of system resources..
12:22 < krzee> when you access the vpn server itself by inet ip it must go outside the vpn tunnel, because it must make a route outside the tunnel to keep the tunnel alive
12:22 < L0LI> is this really true, that if i don't trust the openvpn i'm acessing they can send malware easily ?
12:22 < krzee> L0LI, if you access the internet over it, they are a MITM if they wish to be
12:23 < L0LI> or would they have to exploit a bug, inorder to infect my pc ?
12:23 < L0LI> MITM as in, i download a file, and they infect it with a virus ?
12:24 < krzee> it is possible
12:24 < Bushmills> or, you download an already infected file?
12:24 < krzee> that too
12:25 < Bushmills> no MITM needed for that
12:25 < L0LI> hmm, can i just reroute certain traffic ports to go through the vpn ?
12:25 < L0LI> Bushmills, well i don't download untrustworthy executables
12:26 < krzee> yet you surf over untrusted vpn links
12:26 < krzee> heh
12:26 < Bushmills> like, you hash the file after receiving it, and compare against what it should be?
12:26 < L0LI> yeah
12:27 < L0LI> well sha1sums
12:27 < Bushmills> that way, MITM will be thwarted - provided you have a reliable path for "what it should be"
12:27 < L0LI> krzee, but i use ssl to connect to the end points
12:27 < Bushmills> signed files would solve that 
12:28 < krzee> with that and the checksums, you're fine
12:28 < L0LI> but does openvpn create a open port on my pc ?
12:29 < L0LI> as in, if i accidently had a share folder, would it be visible to all who also use the vpn ?
12:29 < krzee> depends... and your firewall should block that anyways
12:29 < Bushmills> not by default
12:29 < Bushmills> means, not by allowing other hosts on the vpn access
12:31 < L0LI> im not sure what that means ?
12:33 < Bushmills> it is possible to offer services to other vpn clients (or the server) over vpn. whether you do or you don't, depends on how you set up your system.
12:33 < Bushmills> i.e. the firewall, the services. not necessarily (or only) the vpn
12:33 -!- nakaori [~nakaori@dslb-188-100-185-130.pools.arcor-ip.net] has joined #openvpn
12:34 < krzee> right
12:34 < nakaori> hey, i need help, connecting 2 different  subnets
12:34 < Bushmills> !route
12:34 <@vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:34 < krzee> basically, its up to you whether you o that or not (and your provider has a say in whether they allow it)
12:36 < Bushmills> "your provider has a say" .. not if those services are offered over vpn
12:37 < robert45> hey Bushmills, thanks for the help. I already have push "redirect-gateway def1" on my server.conf
12:38 < Bushmills> robert45: that's why services which show your ip address actually show the openvpn server address
12:38 < Bushmills> well, that's partly the reason for it
12:39 < Bushmills> most importantly, it is because the server does
12:39 < Bushmills> !nat
12:39 <@vpnHelper> Bushmills: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
12:39 < robert45> Bushmills Hm, dont understant clearly. Isnt --redirect-gateway suppose to send everything through the vpn gateway?
12:39 < Bushmills> no. *to* the gateway
12:39 < Bushmills> but it is up to the gateway to send it on
12:40 < robert45> Bushmills the vpn gateway is my eth0 right ?
12:40 < Bushmills> if gateway isn't configured to do that, it will stop there
12:40 < robert45> my eth0 IP I mean
12:40 < Bushmills> that's an interface, not a gateway
12:41 < L0LI> krzee, well i have it setup so that i have no service ports open to the outside, im just not sure if its a liability opening up a vpn through an untrusted vpn. But considering what has been said, if i have no unnecessary ports open via the firewall, if I use SSL to connect to the sites, and checksum the files. I shouldn't have to worry.
12:41 < Bushmills> "untrusted vpn" is kind of an oxymoron
12:41 -!- Anodl [~Anodl@p54A7978F.dip0.t-ipconnect.de] has joined #openvpn
12:42 -!- Anodl [~Anodl@p54A7978F.dip0.t-ipconnect.de] has left #openvpn []
12:42 < L0LI> well the openvpn provider that i would like to use is ultravpn.
12:43 < robert45> Bushmills, I meant the IP address not the interface itself
12:43 < Bushmills> ah. where VPN means "Virtual *Public* Network"?
12:43 < robert45> This is my NAT entry: iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j SNAT --to 10.0.0.1
12:45 < robert45> if you meant by the gateway the one that it shows by typing "route" I dont have access to the default gateway
12:46 < Bushmills> the purpose of NATting a 10.x.x.x address to another 10.x.x.x address isn't very clear to me
12:48 < robert45> Bushmills, I did this in order to be able to browse using the VPN IP. 10.0.0.1. 10.0.0.1 is NAT'ed by my datacenter to the public IP.
12:50 < krzee> L0LI, cool
12:50 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
12:52 < L0LI> are there any VPN providers that i can trust or a list of goodones ?
12:54 < krzee> i mostly trust my own server
12:55 < krzee> (yes, i dont even fully trust my own server)
12:56 < robert45> Bushmills any hint on how to accomplish this?
12:56 < robert45> without removing --redirect-gateway
12:56 < Bushmills> robert45: accomplish what?
12:57 < robert45> Bushmills To access the website using the VPN IP
12:57 < krzee> robert45, 
12:57 < krzee> [13:22]  <krzee> when you access the vpn server itself by inet ip it must go outside the vpn tunnel, because it must make a route outside the tunnel to keep the tunnel alive
12:57 < robert45> Im trying to restrict access to this site to just that IP, thats why
12:57 < Bushmills> browse to it using a hostname which resolves to the vpn server ip address
12:58 < krzee> you HAVE TO use the vpn ip to browse the server web site over the VPN
12:59 < robert45> so no other way to do this without updating the DNS to point the site IP to the LAN IP?
12:59 < robert45> what a pitty
12:59 < Bushmills> put hostname into your hosts file, or use ip address instead.
13:00 < robert45> yeah not very friendly
13:00 < robert45> I guess I will have to create an alias
13:00 < robert45> thanks for the help guys, appreciated
13:01 -!- robert45 [~robert@r190-135-163-125.dialup.adsl.anteldata.net.uy] has quit []
13:03 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
13:08 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has joined #openvpn
13:09 < Error404NotFound> whats the purpose of def1 in "redirect-gateway def1"
13:09 < krzee> !def1
13:09 <@vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
13:09 < krzee> (the manual also has that info)
13:10 -!- szr [~SR@unaffiliated/szr] has quit [Ping timeout: 245 seconds]
13:15 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 255 seconds]
13:21 -!- epaphus [~user@201.199.62.74] has joined #openvpn
13:22 < epaphus> Hello, ive noticed that when i use --redirect-gateway it is not deleting the default gateway of my computer... instead it just adds another default gateway on top with a higher priority. so I end up having two default gateways. 
13:22 < epaphus> why is that?
13:22 < epaphus> (off course the one with the higher priority is the one used, but i would still like the other to be deleted)
13:27 < nakaori> how do i know the internal ip, openvpn uses?
13:28 < epaphus> nakaori, in the server look at the IP assigned to tun or tap devices with ifconfig. In a client such as windows open a command prompt and enter ipconfig and looka t the tap device
13:29 < nakaori> thanks
13:29 -!- ribasushi [~ribasushi@arx.rabbit.us] has joined #openvpn
13:30 < ribasushi> hello there
13:30 < ribasushi> I was looking at how my openvpn reconnects on "ping timeout"
13:30 < ribasushi> and between the time the ping is detected to the time the connection is reestablished it takes 8(!) seconds
13:31 < ribasushi> I do not run any external scripts, this is just openvpn
13:31 < ribasushi> is there a way to speed this up somehow?
13:31 < krzee> epaphus, it is because you use the def1 flag
13:31 < krzee> !def1
13:31 <@vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
13:32 < epaphus> aha  ;)
13:33 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined #openvpn
13:34 < grendal_prime> krzie, hows it going man?
13:34 < krzee> wassup man
13:34 < grendal_prime> i got a couple of stupid questions for ya...can you put on the stuid hat for a bi?
13:34 < grendal_prime> bit that is.
13:34 < grendal_prime> hehehe
13:35 < krzee> ;]
13:35 < grendal_prime> we are using this on some appliances we have (that run on windows....please dont ask why because i do not have a good answer for that.) 
13:36 < grendal_prime> but...basically we are haveing a few situations that cause some difficulty.
13:36 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has joined #openvpn
13:36 < grendal_prime> one if the tap interface gets taken down.  and brought back up, it does not ever reconnect.
13:36 < grendal_prime> this is on out xp boxes and out win7 boxes.
13:37 < grendal_prime> sorry not out but our. 
13:37 < krzee> gets taken down and brought back up... i dont know what you mean by that
13:38 < grendal_prime> literally if someone disables the tap interface on the windows box and re-enables it.  the opennvpn client never redials.  (this may be by design i dont know)
13:38 < grendal_prime> i just thought it was odd.
13:38 < krzee> why would someone do that?
13:40 < grendal_prime> we are trying to troubleshoot something much deeper. ( we were trying to replicate a problem and someone came up with the notion that the upgrade that seems to be causing this problem may actually disable all the network devices at one point.
13:41 < grendal_prime> if its something that normally is the case..im not going to worry about it.  but..if it is something i can remedy with a config change, then ...well i want to do that.
13:42 < epaphus> krzee, not using def1 makes the routing table appear how I want it. (only one 0.0.0.0 through 10.8.0.5) however.. how is it that other computers on the same LAN as this client (which are not connected to the VPN) still can access that particular computer through its windows shares..?
13:43 < krzee> epaphus, layer2 ild guess
13:43 < krzee> or more specific route to them
13:44 < epaphus> the only communication to the real local default gatway according to the routing table is to the IP of the vpn server ..
13:46 < krzee> right
13:46 < krzee> but your lan doesnt go over the default gateway
13:47 < krzee> it goes over the switch, direct to the target machine
13:47 < krzee> via arp lookups
13:47 < krzee> (assuming standard lan setup)
13:47 < epaphus> sorry i may ask.. so? :) what relationship to a tcp connection related to windows shares? 
13:47 < krzee> huh?
13:49 -!- EmperorT1m [~EmperorTo@184-97-159-252.mpls.qwest.net] has joined #openvpn
13:49 < krzee> are you saying the lan CAN or CANNOT access the network shares?  and do you want it TO or NOT TO?
13:49 < epaphus> so your saying that arp lookups goes direct to the switch.. without passing through the established default gateway in the routing table. that doesnt explain how a tcp connection like a windows share does get passed my default gateway...
13:49 < epaphus> LAN can access windows shares, i dont want it to.
13:49 < krzee> why not just use a firewall?
13:50 < ecrist> epaphus: arp is an ethernet protocol...
13:50 < krzee> a vpn isnt supposed to replace standard network techniques such as firewalls
13:50 < ecrist> or user auth on the samba server.
13:51 < epaphus> well, the problem is .. you get this dilemma.. may be a little off topic but worth mentioning!! 
13:51 < krzee> you mentioned they are windows... you can actually remotely manage the firewall over the active directory
13:51 -!- EmperorTom [~EmperorTo@184-97-175-233.mpls.qwest.net] has quit [Ping timeout: 272 seconds]
13:52 < epaphus> the dilemma is that even If i do have a firewall in my default gateway. The window shares are broadcasts and if my clients are sitting on a switch prior for the traffic to actually reach the gateway no matter how many rules i have  you cannot stop broadcasts between machines in a switch
13:52 < ecrist> http://secure-computing.net/files/wait.jpg
13:52 < epaphus> ecrist, haha funny
13:54 < krzee> default gateway!?
13:54 < krzee> no you put the firewall on the machine who wants to block his shares
13:54 < epaphus> oh well
13:54 < krzee> lol
13:54 < epaphus> i guess i can do that, right..
13:54 < epaphus> not practical, but yet.
13:55 < epaphus> but yes :)
13:55 < krzee> lan security isnt practical
13:55 < krzee> but thats how you do it
13:58 < ecrist> the internet would be a better place without shitheads
14:00 < ribasushi> so anyone on (re)connection speed?
14:01 < krzee> ribasushi, nope, 8sec does not sound out of line to me
14:02 -!- EmperorTom [~EmperorTo@cl-247.dal-01.us.sixxs.net] has joined #openvpn
14:02 -!- EmperorT1m [~EmperorTo@184-97-159-252.mpls.qwest.net] has quit [Read error: Operation timed out]
14:02 < krzee> ecrist, check this out
14:02 < krzee> hilarious
14:02 < krzee> in #zfs
14:02 < krzee> [14:37]  <Gil> Good evening all - I want to set up a raidz2 pool from one drive with 5 "partitions" - the idea being that as I add more drives, I'll zfs replace each partition with a real drive - is this possible?
14:02 < krzee> [14:38]  <krzee> lol
14:02 < krzee> [14:38]  <krzee> sorry i dont have a better answer than lol, but i really did lol when i read that
14:03 < krzee> possible, sure... lol worthy, of course!
14:03 < ribasushi> krzee: hmmm it sounds rather large for what openvpn is doing
14:03 < ribasushi> krzee: I was thinking I am using some sort of option or whatnot that is known to cause slowdowns
14:03 < ribasushi> but 8 sec can't be normal
14:03 < krzee> lol ok
14:04 < ribasushi> lol @ which part?
14:04 < epaphus> ... or.. but every user on a VLAN for maximum security. Anybody geard of companies that manage computer access this way??
14:12 -!- al_nz1 [~Al@118-93-127-35.dsl.dyn.ihug.co.nz] has joined #openvpn
14:15 < al_nz1> anyone here able to help. I am trying to get open vpn client up and running on backtrack based linux (ubuntu). I think open vpn comes preinstalled on this flavour of BT4 but the only *.conf file a find search shows is : 
14:15 < al_nz1> /var/lib/dpkg/info/openvpn.config
14:16 < al_nz1> is that the right file to edit? none of the tutorials say the conf file should be in this place?
14:30 -!- epaphus [~user@201.199.62.74] has quit [Quit: Leaving]
14:31 -!- L0LI [~DB@unaffiliated/l0li] has quit [Ping timeout: 245 seconds]
14:32 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:32 -!- MadTBone [~MadTBone@160.39.238.196] has joined #openvpn
14:35 -!- MadTBone_ [~MadTBone@160.39.238.196] has joined #openvpn
14:35 -!- MadTBone_ [~MadTBone@160.39.238.196] has quit [Remote host closed the connection]
14:42 < al_nz1> anyone here able to help. I am trying to get open vpn client up and running on backtrack based linux (ubuntu). I think open vpn comes preinstalled on this flavour of BT4 but the only *.conf file a find search shows is : 
14:49 < grendal_prime> ok so next stupid question
14:50 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 276 seconds]
14:50 < al_nz1> /var/lib/dpkg/info/openvpn.config
14:50 < al_nz1> grendal_prime, can you help me please?
14:51 < grendal_prime> have a windows machnine that is succsessfully connecting and able to send data...all is good.  we uninstall wireshark on that mcahine and the client disconnects.  Now the problem is that it trys to reconnect but is unable to and then pegs the cpu with dhcp requests.?
14:52 < grendal_prime> you need a sample config?
14:52 < grendal_prime> al_nz1 ?
14:52 < al_nz1> I am trying to get open vpn client up and running on backtrack based linux (ubuntu). I think open vpn comes preinstalled on this flavour of BT4 but the only *.conf file a find search shows is : 
14:52 < al_nz1> /var/lib/dpkg/info/openvpn.config
14:53 < al_nz1> shoulndt it be in 
14:53 < al_nz1> /etc/openvpn/openvpn.conf ?
14:53 < grendal_prime> there is not one by default
14:53 < grendal_prime> you have to put one there...also the keys need to be in the proper place.  and the config needs to point to them.
14:54 < al_nz1> yep - the tutorials I have been following cover that I think
14:54 < al_nz1> for some reason I think that they suggested there should be a sample there
14:55 < grendal_prime> sounds like its not installed firs off
14:55 < grendal_prime> apt-get install openvpn
14:55 < al_nz1> 0 upgraded
14:56 < al_nz1> 0 newly installed
14:56 < grendal_prime> ok so next find -name openvpn
14:57 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
14:58 < grendal_prime> your probably going to find what your looking for in /usr/share/doc/openvpn/examples
14:58 < al_nz1> http://pastebin.com/H6nczevk
14:59 < al_nz1> i am following the tut at http://www.dd-wrt.com/wiki/index.php/VPN_(the_easy_way)_v24%2B#Client_Config_File_-_Desktop
14:59 <@vpnHelper> Title: VPN (the easy way - DD-WRT Wiki (at www.dd-wrt.com)
15:01 < grendal_prime> some embeded device running openwrt?
15:01 < al_nz1> grendal_prime, copy client.conf from examples to /etc/openvpn and edit it?
15:02 < al_nz1> grendal_prime, yeah, dd-wrt which is a router is the server - set that up ok i think and all client and server certs created
15:02 < al_nz1> just got to get this machine (client) setup
15:02 < grendal_prime> yes that would be my advice..thats how i have to do that anyway.
15:03 < al_nz1> will testing from within lan create probs?
15:04 < grendal_prime> not really, i mean so long as the ip address you give it is touchable by the client
15:06 < grendal_prime> you can build a vpn on a local network to test things.  Obviously if you cant get to the interface then the vpn will not establish,  I would stick to using ip addresses untell you are sure you know how to configure. Then you can get dns envolved
15:10 < al_nz1> well conf file done and certs added to same dir
15:11 < al_nz1> how do I try to start a connection?
15:13 < grendal_prime> /etc/init.d/openvpn restart
15:14 < grendal_prime> client conf flile needs .conf file extention.
15:14 < al_nz1> its got it
15:16 < al_nz1> still there grendal_prime ?
15:17 < grendal_prime> you need to make sure your protocol, port match up...soooo like udp 1194.  also the conf file should contain the path to the ca, client.key and client.crt  
15:17 < al_nz1> yep thats done i think as per the tutorial i am following
15:17 < grendal_prime> if your not sure about a relative path use an absolute path.
15:17 < al_nz1> client.crt client.key and ca.crt in etc/openvpn
15:17 < al_nz1> along with client.conf
15:18 < al_nz1> the keys are all referenced in the client.conf too
15:18 < al_nz1> using 1194 too
15:19 < grendal_prime> /etc/init.d/openvpn restart
15:19 < grendal_prime> do you get an OK?
15:20 < al_nz1> says stopping  vpn client
15:20 < al_nz1> says autostarting vpn client
15:22 < al_nz1> http://pastebin.com/MXTKvmHD
15:23 < al_nz1> http://pastebin.com/sYkTR31m
15:28 < al_nz1> grendal_prime, any ideas from the pastebin?
15:31 < grendal_prime> sorry hold on
15:33 < grendal_prime> can you ping the server from your machine?
15:33 < grendal_prime> from the client that is
15:33 < grendal_prime> also did you try and change the permssions.
15:38 < al_nz1> ping the server? you mean geekhelp.dyndns.org?
15:39 < al_nz1> or the lan ip of the server?
15:43 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 250 seconds]
15:43 -!- brenddie [~eavila@24.55.75.46] has left #openvpn ["Leaving."]
15:57 -!- al_nz1 [~Al@118-93-127-35.dsl.dyn.ihug.co.nz] has quit [Ping timeout: 240 seconds]
15:58 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.12/20101026210630]]
16:07 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has left #openvpn ["It´s time to say goodbye"]
16:09 -!- al_nz1 [~Al@118-93-127-35.dsl.dyn.ihug.co.nz] has joined #openvpn
16:11 < al_nz1> grendal_prime, http://pastebin.com/udC7XYkH
16:11 < al_nz1> dunno what prob?
16:14 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
16:14 < grendal_prime> sorry about that....work stuff..ok ummmm
16:15 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Ping timeout: 245 seconds]
16:19 < al_nz1> any ideas?
16:19 < al_nz1> firewall issue?
16:20 -!- L0LI [~DB@ool-18b9954a.dyn.optonline.net] has joined #openvpn
16:20 -!- L0LI [~DB@ool-18b9954a.dyn.optonline.net] has quit [Changing host]
16:20 -!- L0LI [~DB@unaffiliated/l0li] has joined #openvpn
16:38 < grendal_prime> al_nz1, ya check for firewalls...as for me its friday and im out ...getting a bottle of wine and videogaming with the kidlets...
16:38 < grendal_prime> seeeeeeeeee yaaaaaaaaaaaaaaaaaaaa
16:38 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Quit: Ex-Chat]
16:39 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
16:42 -!- al_nz1 [~Al@118-93-127-35.dsl.dyn.ihug.co.nz] has quit [Quit: Leaving]
16:42 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has quit [Read error: Operation timed out]
17:00 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Quit: Távozom]
17:00 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Read error: Connection reset by peer]
17:10 -!- tuxx is now known as tuxx_
17:36 -!- nakaori [~nakaori@dslb-188-100-185-130.pools.arcor-ip.net] has quit [Ping timeout: 276 seconds]
17:48 -!- L0LI [~DB@unaffiliated/l0li] has quit [Ping timeout: 245 seconds]
18:24 -!- Error404NotFound [~Error404N@119.154.116.3] has joined #openvpn
18:24 -!- Error404NotFound [~Error404N@119.154.116.3] has quit [Changing host]
18:24 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has joined #openvpn
18:29 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:46 < ecrist> krzee: lol indeed
18:57 -!- fipu [~fipu@swissvps.net] has joined #openvpn
19:17 -!- L0LI [~DB@ool-18b9954a.dyn.optonline.net] has joined #openvpn
19:17 -!- L0LI [~DB@ool-18b9954a.dyn.optonline.net] has quit [Changing host]
19:17 -!- L0LI [~DB@unaffiliated/l0li] has joined #openvpn
19:32 <@vpnHelper> RSS Update - forum: Configuration :: Re: Need help setting openVPN on a WRT54G router w/DD-WRT :: Reply by ytekght <https://forums.openvpn.net/viewtopic.php?f=6&t=7212&p=8251#p8251>
19:45 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
19:53 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has quit [Quit: leaving]
19:54 -!- L0LI [~DB@unaffiliated/l0li] has quit [Ping timeout: 245 seconds]
20:20 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
20:26 -!- s7r [~s7r@66.199.231.250] has joined #openvpn
20:38 -!- L0LI [~DB@ool-18b9954a.dyn.optonline.net] has joined #openvpn
20:38 -!- L0LI [~DB@ool-18b9954a.dyn.optonline.net] has quit [Changing host]
20:38 -!- L0LI [~DB@unaffiliated/l0li] has joined #openvpn
21:19 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
21:21 -!- tjz [~pc@bb119-74-160-120.singnet.com.sg] has joined #openvpn
21:21 -!- tjz [~pc@bb119-74-160-120.singnet.com.sg] has quit [Changing host]
21:21 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
21:28 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Ping timeout: 245 seconds]
21:32 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
21:47 -!- L0LI [~DB@unaffiliated/l0li] has quit [Ping timeout: 245 seconds]
22:02 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 265 seconds]
22:11 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 250 seconds]
22:19 -!- epaphus [~user@201.199.62.74] has joined #openvpn
22:21 < epaphus> Hello all. I installed an OpenVPN TUN server on another network from mine. It works great. Now I installed samba on it and I intend to browse the shares from my computer which has a VPN to that same server. no go.   
22:21 < epaphus> I dont even know where i can start troubleshooting. All i know is that the samba server is running and broadcasting because i use smbclient -L SERVER_NAME within the server and I see my samba share
22:21 < epaphus> if I run that same query from my side with the vpn up.. nothing.
22:30 -!- wooden [~anon@pdpc/supporter/active/wooden] has quit [Ping timeout: 245 seconds]
22:41 -!- wooden [~anon@user-0cdfnjd.cable.mindspring.com] has joined #openvpn
22:41 -!- wooden [~anon@user-0cdfnjd.cable.mindspring.com] has quit [Changing host]
22:41 -!- wooden [~anon@pdpc/supporter/active/wooden] has joined #openvpn
22:54 -!- wooden [~anon@pdpc/supporter/active/wooden] has quit [Ping timeout: 255 seconds]
22:55 -!- wooden [~anon@user-0cdfnjd.cable.mindspring.com] has joined #openvpn
22:55 -!- wooden [~anon@user-0cdfnjd.cable.mindspring.com] has quit [Changing host]
22:55 -!- wooden [~anon@pdpc/supporter/active/wooden] has joined #openvpn
23:06 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
23:19 -!- WormFood [~wormfood@183.38.15.50] has quit [Remote host closed the connection]
23:25 -!- albech_ [~thomas@119.42.77.38] has joined #openvpn
23:26 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
23:28 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
23:41 < Bushmills> !wins
23:41 <@vpnHelper> Bushmills: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
23:47 -!- albech_ [~thomas@119.42.77.38] has quit [Ping timeout: 245 seconds]
23:48 -!- albech_ [~thomas@119.42.77.38] has joined #openvpn
23:59 -!- albech_ [~thomas@119.42.77.38] has quit [Ping timeout: 265 seconds]
--- Day changed Sat Oct 30 2010
00:00 -!- albech_ [~thomas@124.157.211.236] has joined #openvpn
00:00 -!- albech_ [~thomas@124.157.211.236] has quit [Read error: Connection reset by peer]
00:00 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has quit [Read error: Connection reset by peer]
00:03 -!- albech_ [~thomas@119.42.77.38] has joined #openvpn
00:05 < albech_> Hi all. I have successfully installed openvpn with a bridge configuration. When the client connect I get the correct IP on the remote LAN. I can ping other IPs on the LAN but all external traffic is not going through. Is this related to routing or do I have to install NAT on the server when connecting through a bridge?
00:17 -!- albech_ [~thomas@119.42.77.38] has quit [Read error: Connection reset by peer]
00:29 -!- albech_ [~thomas@119.42.78.129] has joined #openvpn
00:40 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Ping timeout: 245 seconds]
00:53 < epaphus> Bushmills, thanks.. but why would i need WINS if the samba server and openvpn are in the same box ?? i just dont get it
00:57 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
00:58 < krzee> because you cant browse smb shares over a tun vpn without it
00:59 < krzee> netbios is layer2, it is also the resolution protocol for smb shares... but WINS to the rescue, it is the lyer3 resolution protocol for smb
00:59 < krzee> layer3*
00:59 < krzee> wins is what you need if you want to share smb by any way except IP
01:00 < krzee> then you need to tell the vpn clients to use that WINS server
01:00 < krzee> same way you push dns, but push wins
01:03 < epaphus> aka!
01:03 < epaphus> aja
01:05 < epaphus> krzee, if I push a WINS to mytself as the vpn user... would that mess the access i have for the other shares on the lan that i already had?
01:05 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Remote host closed the connection]
01:11 -!- WinstonSmith [~true@e179002229.adsl.alicedsl.de] has joined #openvpn
01:14 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Ping timeout: 272 seconds]
01:37 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
02:02 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
02:06 -!- Dennis84 [~dennis@mail.it-moebius.de] has left #openvpn []
02:16 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
02:41 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:53 -!- krzee [krzee@hemp.ircpimps.org] has joined #openvpn
02:53 -!- krzee [krzee@hemp.ircpimps.org] has quit [Changing host]
02:53 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
03:21 <@vpnHelper> RSS Update - forum: Configuration :: Authenticatig clients with certificates & username password :: Author shaia <https://forums.openvpn.net/viewtopic.php?f=6&t=7220&p=8252#p8252>
03:26 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
03:38 -!- nullm0dem [~nullm0dem@c-24-218-189-90.hsd1.vt.comcast.net] has quit [Ping timeout: 272 seconds]
03:39 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has joined #openvpn
03:42 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
03:45 -!- nullm0dem [~nullm0dem@c-24-218-189-90.hsd1.vt.comcast.net] has joined #openvpn
03:56 -!- WinstonSmith [~true@e179002229.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
04:10 -!- nullm0dem [~nullm0dem@c-24-218-189-90.hsd1.vt.comcast.net] has quit [Quit: Lost terminal]
04:38 -!- BenBuc [~ben@lns-bzn-55-82-255-187-213.adsl.proxad.net] has joined #openvpn
04:39 < BenBuc> topic: "Your problem is your firewall, really." yes, the symptoms look like it, just that I have no firewall on either side (both Linux) :)
04:39 -!- BenBuc is now known as BenB
04:40 < |Mike|> !help
04:40 <@vpnHelper> |Mike|: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
04:40 < |Mike|> oh heh.
04:42 < BenB> I am connecting 2 linux machines. they connect fine, I can ping the ip (that openvpn creates for the link) of the other machine. A can ping the primary IP address of B, but not vice versa. I have a "route <opposite-net>" on both sides and can see it in |ip route|. ip_forward is 1.
04:44 -!- master_of_master [~master_of@p57B54FA7.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
04:46 -!- master_of_master [~master_of@p57B53387.dip.t-dialin.net] has joined #openvpn
04:50 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
04:54 -!- nakaori [~nakaori@dslb-188-100-185-130.pools.arcor-ip.net] has joined #openvpn
05:01 < BenB> any idea? http://mozilla.pastebin.com/CXs7QSzs
05:17 < krzee> BenB, using server/client?
05:17 < BenB> krzee: yes, with PKI
05:17 < krzee> client is the side you cannot reach the LAN ip of?
05:17 < BenB> some more info: http://mozilla.pastebin.com/gUj8JZKP
05:18 < BenB> krzee: yes
05:18 < krzee> !clientlan
05:18 <@vpnHelper> krzee: "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a
05:18 <@vpnHelper> krzee: better explanation
05:18 < krzee> im guessing you dont have the iroute entry
05:19 < BenB> !iroute
05:19 <@vpnHelper> BenB: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
05:19 < BenB> !ccd
05:19 <@vpnHelper> BenB: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
05:22 < BenB> krzee: indeed I use "route" on both sides. I am unclear what the difference to iroute is, but I'll read up, thanks for the pointer!
05:22 < krzee> !route
05:22 <@vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
05:22 < krzee> theres a document i made on connecting 3 lans
05:22 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
05:22 < krzee> only difference is i have another client with a lan in my example
05:23 < krzee> i didnt fully understand iroute until i read through the source (which is why i made that writeup)
05:23 < BenB> heh :)
05:23 < krzee> now i see it is an internal routing table to openvpn
05:23 < krzee> if you look at your server log without the iroute, you are getting MULTI errors
05:24 < BenB> which verbose level?
05:24 < krzee> it sees packets coming from a foreign network behind a client, but doesnt have the client and that lan in its internal routing table, so it drops the packets
05:24 < krzee> 4 should be fine
05:24 < krzee> !multi
05:24 <@vpnHelper> krzee: Error: "multi" is not a valid command.
05:24 < krzee> heh
05:24 < BenB> ok.. I used verb 10, and looked at it over the VPN, which got me in a loop :)
05:25 < krzee> well i show the line in !route
05:25 < krzee> lol dont bother with verb 10
05:25 < krzee> ever
05:25 < krzee> 4 for debug, 5 for debug network issues (firewall for example), 3 for normal usage
05:26 < krzee> openvpn has to drop those packets
05:26 < krzee> because imagine the return packets...
05:27 < krzee> they come to the machine, routing table sends them to openvpn process, openvpn process cant tell what client they go to / doesnt know what to do with them
05:28 < krzee> so anytime a foreign subnet needs to route over a client, iroute is needed
05:30 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
05:31 < BenB> krzee: ah, so openvpn internally makes a difference between client and server when it comes to routing?
05:31 -!- master_of_master [~master_of@p57B53387.dip.t-dialin.net] has quit [Quit: leaving]
05:32 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
05:32 < krzee> well the server needs to know which client owns which subnet
05:32 < krzee> since the system routing table can only point to openvpn, not to a specific client
05:33 < krzee> the server process needs a way to know which client owns the subnet
05:33 < krzee> when running as a client you dont have this problem since you can only connect to a single server
05:33 < BenB> hm, yes. so openvpn assumes there's one server and multiple clients... nod. for me, client/server was only who connects to whom, as I have only one each.
05:33 < krzee> (at a time)
05:33 < krzee> yes
05:34 < krzee> server mode assumes multiple clients when it comes to this
05:34 < krzee> regardless of actual clients
05:34 < BenB> understood, makes sense, although it's very subtle and should be in the main docus.
05:35 < krzee> i think !route will be in the site at some point, for now refer to the link at secure-computing.net
05:35 < BenB> I was puzzled "that's impossible, the ends are *identical*, the config is *exactly* the same, routing, firewall, everything. why does it work in one direction and not the other???"
05:35 < BenB> krzee: so, thanks a lot. I would never have found this on my own.
05:35 < krzee> np
05:36 < krzee> and you would have
05:36 < krzee> but it would have taken awhile
05:36 < krzee> ;]
05:36 < BenB> only if I found some docs by accident on google
05:36 < BenB> and it already took me many hours :)
05:39 < Bushmills> yes, the time google takes to respond is unacceptable
05:39 < krzee> nah google sucks for learning openvpn
05:39 < krzee> but the howto does cover iroute
05:39 < krzee> at: Including multiple machines on the client side when using a routed VPN (dev tun)
05:39 < krzee> !howto
05:39 <@vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
05:40 < Bushmills> well, they don't deliver in less than about half a second. that means that a mere 10000 requests already take more than one hour in pure search time
05:43 < krzee> 30 minutes or its free
05:44 < BenB> Bushmills: I searched for "ping nur in einer richtung (=only in one direction) openvpn linux", and no word about iroute.
05:45 < krzee> it wasnt actually 1 direction ping
05:45 < BenB> Bushmills: google is useless, if you don't happen to use the "Lucky" keywords
05:45 < krzee> it was lans behind openvpn
05:45 < Bushmills> did it go any faster with that search?
05:46 < krzee>  !google lans behind openvpn
05:46 < krzee> !google lans behind openvpn
05:46 <@vpnHelper> krzee: Opening up the subnet LAN behind an OpenVPN server - Server Fault: <http://serverfault.com/questions/59419/opening-up-the-subnet-lan-behind-an-openvpn-server>; OpenVPN/Routing - Secure Computing Wiki: <http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing>; [ubuntu] Bridge LAN behind a OpenVPN client - Ubuntu Forums: <http://ubuntuforums.org/showthread.php?t=1415775>
05:46 < krzee> from #2
05:46 < BenB> krzee: yeah, sure, but from *my* perspective, it was "just in one direction", because pinging the server LAN IP worked fine.
05:46 < krzee> IP ADDRESS in that case would be the machine on client LAN which tried to talk through vpn, because openVPN has no clue what that address is. Once you give it the iroute statement, that changes. Iroute is a route internal to openVPN, and has nothing to do with the kernel's routing table. It tells openvpn which client owns which network. Note that even if you only have 1 lan behind 1 client, YOU STILL NEED IROUTE.
05:46 < krzee> =]
05:47 < BenB> that's what I say: google is useless for this kind of stuff. if you already know the problem, fine, but if you don't know it...
05:47 < krzee> 1 directional ping would point to a firewall issue, but would rather refer to 1 endpoint can ping other endpoint, but not visa versa
05:48 < Bushmills> sometimes folks rephrase their search engine query before concluding "search engine is shit"
05:50 < krzee> tbh i dont like most the stuff google turns up for openvpn
05:51 < BenB> Bushmills: oh just shut up please. take a lesson from krzee on how to be useful.
05:51 < krzee> BenB, no telling the Bushmills to shut up
05:51 < krzee> =]
05:52 < Bushmills> they really do. sometimes it even helps
05:52 < Bushmills> don't tell me that learning that is not useful
05:54 < BenB> Bushmills: if you know the solution, it's easy to come up with a google query that shows it. if you don't even know what the problem is (much less the solution), that's an entirely different situation.
05:58 -!- master_of_master [~master_of@p57B53387.dip.t-dialin.net] has joined #openvpn
06:19 < albech_> do i need to NAT on the server when I use a bridged setup?
06:21 < BenB> albech_: no, bridged setup happenes below IP layer
06:22 < BenB> albech_: the two networks appear to be physically connected to the same switch.
06:22 < albech_> BenB, so I am guessing the reason I have no connectivity to the internet after connecting to the VPN is routing?
06:23 < albech_> i can ping other machines on the same network (LAN on which I am getting my IP) but not externally
06:23 < BenB> albech_: can't say, I don't know how "internet" comes into play with VPN, where your internet is and where your client is.
06:24 < BenB> albech_: but I would guess the default route is the problem, yes.
06:24 < BenB> albech_: specifically, check whether your clients use DHCP, and which DHCP *server* they use, and which IP addresses and default route that hands out.
06:25 < BenB> albech_: if you have a DHCP server on both ends, things go randomly wrong.
06:25 < albech_> i am using the dhcp server in openvpn and it hands out ips from a reserved range
06:25 < BenB> and there's no DHCP server on either of your LANs? no DSL router or anything?
06:26 < albech_> there is
06:26  * BenB points :)
06:26 < albech_> so there cannot be DHCPs on the LANs?
06:27 < BenB> on each LAN, there can be only one DHCP server. if you have two, the results will be random (and randomly wrong).
06:28 < albech_> im not really sure how to understand that.. i might need some more reading ;)
06:29 < BenB> albech_: yes... read up on the function of the DHCP server. it hands out IP addresses and DNS servers and default routes.
06:29 -!- clyons [~clyons@unaffiliated/clyons] has quit [Quit: Leaving]
06:29 -!- makomi [~makomi@178-24-106-19-dynip.superkabel.de] has left #openvpn ["It´s time to say goodbye"]
06:29 < BenB> albech_: if there are two, they are competing and whoever is first wins. that means some clients will have that config, some others another config.
06:30 < albech_> BenB, I'm not connecting two entire networks..
06:31 < BenB> ah, I keep assuming that OpenVPN is for connecting two networks :)
06:31 < albech_> BenB, I just want one host to be able to VPN into a remote local network and route *all* traffic through the VPN
06:31 < albech_> BenB, ;)
06:31 < albech_> BenB, I'm aware that having two DHCPs on a network is a *bad* idea ;)
06:32 < BenB> albech_: ah, ok.
06:34 < BenB> albech_: I'm sure there are tutorials for that case. basically, before connecting to VPN, the default route of the client is the DSL router or what have you. when you connect to VPN, you need to change the default route to the Internet gateway on the server side of the VPN. BUT you need to leave a route on the client to the VPN server, otherwise the tunnel breaks down. but that should be a standard case that's well-documented.
06:34 -!- nakaori_ [~nakaori@dslb-188-100-185-130.pools.arcor-ip.net] has joined #openvpn
06:34 < nakaori_> hey guys
06:35 < BenB> nakaori_: hallo
06:35 < nakaori_> i finally got openvpn running. the server can ping the client and the client can ping the server. the stations behind the server can ping the openvpn client. but the client cant ping the servers stations
06:35 < nakaori_> AND: i cannot ping any stations behind the client
06:35 < nakaori_> what do i have to do next?
06:37 < BenB> nakaori_: I have the same problem currently, and reading http://openvpn.net/index.php/open-source/documentation/howto.html#scope
06:37 <@vpnHelper> Title: HOWTO (at openvpn.net)
06:37 < nakaori_> oh, i didnt see that one yet. thanks for pointing
06:50 -!- albech_ [~thomas@119.42.78.129] has quit [Ping timeout: 245 seconds]
06:56 -!- albech_ [~thomas@535AB203.flatrate.dk] has joined #openvpn
06:57 < albech_> ok i manually added the default route to go through the router on the network i am connecting to. Will I have to 'push' that route upon connect?
06:58 -!- nakaori [~nakaori@dslb-188-100-185-130.pools.arcor-ip.net] has quit [Quit: Verlassend]
06:58 < albech_> Th0m@$
06:59 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
06:59 < albech_> ping
06:59 -!- albech_ [~thomas@535AB203.flatrate.dk] has quit [Client Quit]
06:59 -!- s7r [~s7r@66.199.231.250] has quit [Ping timeout: 276 seconds]
07:00 -!- WinstonSmith [~true@e179002229.adsl.alicedsl.de] has joined #openvpn
07:01 -!- albech_ [~thomas@535AB203.flatrate.dk] has joined #openvpn
07:01 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
07:02 < albech_> holy <beep> bad latency through the vpn :(
07:03 < BenB> albech_: much worse than over the Internet?
07:03 < BenB> for me, it's almost the same as the Internet connection on which it bases.
07:03 < albech_> BenB, yes. probably cause my server is located in Denmark and I currently sit in Thailand ;)
07:04 < BenB> that may be the reason why it's slower than your LAN
07:04 < albech_> ;)
07:05 < BenB> FWIW, I have ~85ms total ping time, with DSL on both ends.
07:06 < BenB> vs. ~0.05ms on the gigabit LAN
07:08 -!- fahmad [~linux@vpn.server4sale.com] has joined #openvpn
07:09 -!- fahmad [~linux@vpn.server4sale.com] has quit [Changing host]
07:09 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
07:09 < fahmad> hello
07:09 < fahmad> can some one tell me how can i rotate logs without restarting openvpn ?
07:12 < BenB> fahmad: openvpn can use syslog
07:12 < BenB> config "syslog"
07:13 < fahmad> BenB: yes but what if i have defined log option in configuration
07:13 < BenB> fahmad: then you can't, I guess. if you want rotation, use syslog.
07:14 < fahmad> bad
07:14 < BenB> there's also a log-append ... you may be lucky with just moving the log file while openvpn is running, but I would not recommend that.
07:14 < BenB> fahmad: why would you not use syslog, if you have such needs?
07:15 < fahmad> BenB: i have two openvpn running on same server :)
07:15 < krzee> syslog was made for exactly that
07:15 < krzee> and theres no issue with multiple
07:16 -!- WinstonSmith [~true@e179002229.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
07:16 < fahmad> krzee: for that i need to use daemon option ...
07:16 < krzee> correct
07:16 < krzee> and then configure syslog config
07:16 < fahmad> krzee: example ?
07:17 < krzee> example of how to configure syslog?
07:17 < krzee> go read the syslog docs or ask in a channel related to your OS
07:18 < fahmad> krzee: if i use daemon it will send logs to /var/log/messages
07:20 < krzee> unless you give it progmane and configure syslog
07:20 < BenB> fahmad: that is configurable in syslog.conf
07:20 < krzee> progname
07:20 < krzee> --daemon [progname]
07:20 < fahmad> krzee: okay
07:21 < fahmad> krzee: understand it :)
07:31 -!- L0LI [~DB@unaffiliated/l0li] has joined #openvpn
07:36 -!- L0LI [~DB@unaffiliated/l0li] has quit [Ping timeout: 245 seconds]
07:37 -!- WinstonSmith [~true@g231228173.adsl.alicedsl.de] has joined #openvpn
07:44 -!- BenBu [~ben@ANice-551-1-137-228.w92-143.abo.wanadoo.fr] has joined #openvpn
07:45 -!- BenB [~ben@lns-bzn-55-82-255-187-213.adsl.proxad.net] has quit [Ping timeout: 276 seconds]
07:48 -!- DarthGandalf [somebody@shellium/developer/darthgandalf] has quit [Quit: Bye]
07:53 -!- DarthGandalf [somebody@shellium/developer/darthgandalf] has joined #openvpn
08:13 < epaphus> krzee, if I push a WINS to mytself as the vpn user... would that mess the access i have for the other shares on the lan that i already had?
08:19 < krzee> dunno, dont really use smb
08:20 -!- WinstonSmith [~true@g231228173.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
08:20 < krzee> but if it does, a smb server with wins could be on that side could be used, and hooked into the other smb server with wins
08:20 -!- WinstonSmith [~true@e179002229.adsl.alicedsl.de] has joined #openvpn
08:24 -!- BenBu [~ben@ANice-551-1-137-228.w92-143.abo.wanadoo.fr] has quit [Ping timeout: 276 seconds]
08:27 -!- BenBu [~ben@lns-bzn-28-82-250-136-38.adsl.proxad.net] has joined #openvpn
08:30 < epaphus> tnx
08:30 -!- epaphus [~user@201.199.62.74] has quit [Quit: Leaving]
08:35 -!- Varazir [mircwars@c-94-255-129-218.cust.bredband2.com] has quit [Read error: Operation timed out]
08:36 -!- Varazir [mircwars@c-94-255-129-218.cust.bredband2.com] has joined #openvpn
08:48 <@vpnHelper> RSS Update - forum: Configuration :: Network Stalls :: Author voiceover <https://forums.openvpn.net/viewtopic.php?f=6&t=7221&p=8253#p8253>
08:52 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
09:04 -!- BenBuc [~ben@lns-bzn-28-82-250-136-38.adsl.proxad.net] has joined #openvpn
09:07 -!- BenBu [~ben@lns-bzn-28-82-250-136-38.adsl.proxad.net] has quit [Ping timeout: 276 seconds]
09:07 -!- BenB [~ben@lns-bzn-28-82-250-136-38.adsl.proxad.net] has joined #openvpn
09:10 -!- BenBuc [~ben@lns-bzn-28-82-250-136-38.adsl.proxad.net] has quit [Ping timeout: 276 seconds]
09:43 -!- albech_ [~thomas@535AB203.flatrate.dk] has quit [Ping timeout: 252 seconds]
09:59 < ecrist> ping google.com
10:00 < ecrist> stupid internet
10:01 -!- albech_ [~thomas@124.157.211.236] has joined #openvpn
10:14 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
10:17 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
10:29 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has joined #openvpn
10:37 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Ping timeout: 272 seconds]
10:49 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
11:03 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
11:21 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 276 seconds]
11:21 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
11:24 -!- albech_ [~thomas@124.157.211.236] has quit [Read error: Connection reset by peer]
11:27 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined #openvpn
11:49 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:52 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
11:58 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
12:02 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
12:02 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
12:02 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
12:07 -!- WinstonSmith [~true@e179002229.adsl.alicedsl.de] has quit [Remote host closed the connection]
12:16 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
12:43 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Remote host closed the connection]
12:47 -!- takamichi [~pri@78.133.38.192] has quit [Read error: Connection reset by peer]
12:48 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
12:59 -!- takamichi [~pri@78.133.38.192] has quit [Read error: Connection reset by peer]
13:00 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
13:00 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
13:00 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
13:16 -!- ambro718 [~ambro@BSN-77-101-149.dsl.siol.net] has joined #openvpn
13:26 -!- nakaori_ [~nakaori@dslb-188-100-185-130.pools.arcor-ip.net] has quit [Read error: Connection reset by peer]
13:28 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
13:43 -!- ribasushi [~ribasushi@arx.rabbit.us] has left #openvpn ["Leaving"]
13:50 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
13:52 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
13:57 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
14:30 -!- BenBu [~ben@dispo-82-248-154-7.adsl.proxad.net] has joined #openvpn
14:32 -!- Jarpse [~jarpse@cluon.soleus.nu] has quit [Ping timeout: 265 seconds]
14:34 -!- BenB [~ben@lns-bzn-28-82-250-136-38.adsl.proxad.net] has quit [Ping timeout: 276 seconds]
14:35 -!- BenBu is now known as BenB
14:42 -!- Jarpse [~jarpse@cluon.soleus.nu] has joined #openvpn
14:45 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Remote host closed the connection]
15:05 -!- abeehc [~bob@d207-6-195-163.bchsia.telus.net] has quit [Remote host closed the connection]
15:14 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
15:20 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined #openvpn
15:23 -!- BenB [~ben@dispo-82-248-154-7.adsl.proxad.net] has quit [Ping timeout: 276 seconds]
15:27 -!- BenB [~ben@dispo-82-248-154-7.adsl.proxad.net] has joined #openvpn
15:41 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 252 seconds]
15:42 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
16:07 -!- adac [~nutella@85-127-41-82.dynamic.xdsl-line.inode.at] has joined #openvpn
16:07 < adac> I try to start openvpn in a openvz container, and i get the following error: service failed to start due to unresolved dependencies: set(['user', 'iptables_openvpn']) any ideas?
16:08 < adac> here is the full error: http://pastie.org/1260786
16:09 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 264 seconds]
16:09 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
16:13 -!- BenBu [~ben@dispo-82-248-154-7.adsl.proxad.net] has joined #openvpn
16:17 -!- Agin_ [~Agin@greenzone.copyleft.no] has joined #openvpn
16:17 -!- BenB [~ben@dispo-82-248-154-7.adsl.proxad.net] has quit [Ping timeout: 276 seconds]
16:17 -!- BenBu is now known as BenB
16:18 -!- Agin [~Agin@greenzone.copyleft.no] has quit [Ping timeout: 276 seconds]
16:20 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Remote host closed the connection]
16:20  * ecrist reads
16:21 < ecrist> adac: looks to me it's an openvz error, not an openvpn issue
16:22 < adac> ecrist, yeah i think so, i also have asked the question in openvz, but all busy there
16:23 < ecrist> really, it looks like there's an issue with a python script that's used to start openvpn
16:25 < adac> ecrist, i found this here: http://ejd021-linux.blogspot.com/2010/08/service-failed-to-start-due-to.html
16:25 <@vpnHelper> Title: Ejd021 - Linux Support: service failed to start due to unresolved dependencies: set(['user', 'iptables_openvpn']) (at ejd021-linux.blogspot.com)
16:26 < ecrist> there you go, that seems to confirm it's an os issue.
16:29 < adac> ecrist, howeever i followed the instructions on that page but all seems to be set up fine.  actually the module thingy is a bit unclear to me. Even though modprobe does not report an error when I execute the modprobe with the modules ipt_mark and ipt_MARK, they seem not to be loaded
16:30 < ecrist> I couldn't tell you anything ,I've never used openvz
16:32 < adac> ecrist, ok, but thx for your hints!
16:32 < ecrist> no problem.
16:32 < ecrist> if you get past that, and have an openvpn question, feel free to ask.
16:41 < adac> ecrist, kk
16:42 < adac> ecrist, do you use command line openvpn? I currently try the Access server version. I must say it is a really really cool thing :)
16:44 < ecrist> it is, but it's commercial.  I use the open-source version.
16:44 < ecrist> due to AS being commercial, we don't support it here.
16:44 < ecrist> !as
16:44 <@vpnHelper> ecrist: "as" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations options
16:44 <@vpnHelper> ecrist: supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
16:47 < adac> ecrist, I see.
16:50 < krzie> plus AS has real support from openvpn tech... so we'ld even be doing you an injustice by helping you with it if we could / knew how
16:51  * ecrist guess most people that come in here are using the free 2-client version
16:53 < adac> krzie, I don't understand
16:53 < adac> Ok i try the open version then :)
16:53 < adac> cannot be that hard to set it up if you guys hlep me, right?
16:54 < krzie> moreso if you read the docs
16:54 < krzie> lol
16:54 < adac> :)
16:56 < adac> krzie, ubuntu docs ok?
16:56 < adac> :D
16:56 < ecrist> !man
16:56 <@vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
16:56 < krzie> !howto
16:56 <@vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:57 < krzie> both of those ^
16:57 < krzie> feel free to play with this, assuming you read about the options it has, in the manual
16:57 < krzie> !sample
16:57 <@vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
16:58 < adac> thx
17:06 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
17:17 -!- ambro718 [~ambro@BSN-77-101-149.dsl.siol.net] has quit [Quit: Leaving.]
17:19 < adac> Hmm when i create the certificate i get: commonName            :PRINTABLE:'server'  Which option in /etc/openvpn/easy-rsa/vars does hold the "commonName"?
17:20 < krzie> thats 1 thing you set on EACH one, not in vars
17:20 < krzie> you want every cert to have a different common-name
17:21 < adac> krzee, so i can set this directly s an option with pkitool
17:21 < adac> *as an
17:21 < krzie> i dunno pkitool
17:21 < krzie> i use ssl-admin or easy-rsa
17:22 < adac> oh ok
17:22 < adac> yeah there are probably more was to do it
17:22 < krzie> !pki
17:22 <@vpnHelper> krzie: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was signed
17:22 <@vpnHelper> krzie: specially as a server (see !servercert)
17:22 < krzie> yes, theres a ton of ways
17:22 < krzie> but you can use easy-rsa and follow the howto and it will walk you through *
17:23 < adac> krzie, ./pkitool  --server servername
17:23 < adac> that should seet it
17:23 < adac> *set
17:24 < krzie> if you feel you are an expert and want to use something else, go for it... but get support from them :-p
17:24 < krzie> easy-rsa is given to you step by step in the openvpn.net howto
17:25 < krzie> im not saying its the best, im just saying you can be brainless and make it work because of the howto :-p
17:25 < adac> krzie, not yet an expert no ;) I take a look at easy-rsa!
17:27 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
17:28 < ecrist> ssl-admin allows for brainless operation, though install on !bsd is not dead-simple.
17:28 < adac> krzie, Its just that i found a step by step example for openvpn on openvz container see http://www.zoleet.com/index.php/basic-openvpn-server-ubuntu-and-debian-openvz
17:28 < ecrist> though, there is a ./configure script
17:28 <@vpnHelper> Title: openVPN server Ubuntu and Debian openVZ (at www.zoleet.com)
17:29 < ecrist> !learn openvz as See http://www.zoleet.com/index.php/basic-openvpn-server-ubuntu-and-debian-openvz for a decent howto on openVZ.  We're not sure how well it works, if you find something better, let us know.
17:29 <@vpnHelper> ecrist: Joo got it.
17:30 < adac> !openvz
17:30 <@vpnHelper> adac: "openvz" is (#1) http://wiki.openvz.org/VPN_via_the_TUN/TAP_device to learn bout openvz specific stuff with regards to openvpn, or (#2) See http://www.zoleet.com/index.php/basic-openvpn-server-ubuntu-and-debian-openvz for a decent howto on openVZ. We're not sure how well it works, if you find something better, let us know.
17:31 < adac> ah nice :)
17:31 < adac> hehe
17:35 < ecrist> adac: both krzee and I are freebsd guys, so linux support in here is limited as nobody that's *really* active uses linux.  
17:36 < ecrist> Not to say we don't support it, just neither of us know it.
17:37 < adac> I see, yeguess i try it with the openvz howto, since this howto looks like very good and openvz has surely some limitations and extras
17:38 < adac> But sure: create certificates, there are tons of possibilities 
17:38 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
17:39  * ecrist recommends ssl-admin
17:39 < ecrist> !ssl-admin
17:39 <@vpnHelper> ecrist: "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn, or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
17:43 < adac> ecrist, should every pc have its own certificate?
17:43 < adac> mean every client
17:45 < adac> Or can i just generate one single client certificate that can be used by all clients?
17:48 < ecrist> depends on how you want to administer things.
17:48 < ecrist> you *can* give the same client to all users
17:48 < krzie> make 1 for each client
17:48 < ecrist> make sure you have --duplicate-cn in your config
17:48 < ecrist> but also, enable a secondary auth, such as user/password
17:48 < krzie> we highly recommend against duplicate-cn unless using pw auth
17:48  * ecrist departs for party time
17:49 < krzie> oooo lucky!
17:49 < ecrist> if only sarah was coming tonight
17:49 < krzie> im stuck at work for like 5 more hours
17:49 < ecrist> if she came, she'd come.  just sayin'
17:49 < krzie> hehehe
17:49 < krzie> nothin like some anal to motivate you to finish a program
17:50 < ecrist> lol
17:50 < ecrist> http://www.secure-computing.net/awstats/awstats.pl?config=seccomp
17:50 <@vpnHelper> Title: Statistics for secure-computing.net (2010-10) - main (at www.secure-computing.net)
17:50 < ecrist> your page for routing is right at the top
17:50 < krzie> nice =]
17:50 < ecrist> (I don't count index.php and left_main.php)
17:51 < krzie> o wow im way on top if those 2 dont count
17:51 < ecrist> those two load for every page
17:51 < krzie> ahh makes sense
17:51 < krzie> heavy mac usage
17:52 < ecrist> 16.9% Opera usage
17:52 < ecrist> shocking
17:52 < ecrist> 10 hits from within Lotus Notes, lol
17:53 < krzie> 69 sun views
17:53 < krzie> you doctor'ed that part didnt ya!
17:55 < krzie> i highly doubt those 7 os/2 views too
17:55 < krzie> theres nobody on earth actually using os/2 anymore... i just refuse to believe it
17:56 -!- p3rror [~mezgani@41.137.57.109] has joined #openvpn
17:58 -!- wooden [~anon@pdpc/supporter/active/wooden] has quit [Ping timeout: 276 seconds]
17:58 < ecrist> dude, my factoids display page is being listed in supybot docs now
18:01 -!- wooden [~anon@pdpc/supporter/active/wooden] has joined #openvpn
18:01 < ecrist> http://sourceforge.net/apps/mediawiki/gribble/index.php?title=Supybot_Resources
18:01 <@vpnHelper> Title: SourceForge.net: Supybot Resources - gribble (at sourceforge.net)
18:06 -!- wooden [~anon@pdpc/supporter/active/wooden] has quit [Ping timeout: 255 seconds]
18:25 < krzie> ya man
18:25 < krzie> remember i talked to them about it awhile back
18:26 < adac> hmm I get the following error when i try to start openvpn: http://pastie.org/1261000
18:28 < krzie> in fact iirc thats why you put it on svn
18:30 < krzie> adac
18:30 < krzie> either you dont have dh1024.pem, or your path to it is wrong
18:30 < krzie> !path
18:30 <@vpnHelper> krzie: "path" is always use full paths in your config file, it makes things easier
18:31 < adac> this file is in: /etc/openvpn/easy-rsa/keys/dh1024.pem
18:33 < adac> krzie, ./build-key-server server when i do that and replace "server" with some other name, do i have to replace also "server" in the server.conf ? 
18:39 < krzie> nope
18:39 < krzie> in the example server was the common-name
18:39 < adac> kk
18:39 < krzie> in the config, the line starting with server is a config option, --server
18:39 < krzie> !--
18:39 <@vpnHelper> krzie: "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file.
18:41 < adac> krzie, dh dh1024.pem this is how it is in the config file. Do i have to set the full path there? and for what does "dh" stand for?
18:42 < adac> krzie, ok i need to modify the paths just tried it out
18:51 < adac> # TCP or UDP server?
18:58 < reiffert> diffie hellman
19:05 < krzie> !dh
19:05 <@vpnHelper> krzie: "dh" is build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN
19:19 -!- nutella_ [~nutella@85-127-41-82.dynamic.xdsl-line.inode.at] has joined #openvpn
19:19 -!- adac [~nutella@85-127-41-82.dynamic.xdsl-line.inode.at] has quit [Read error: Connection reset by peer]
19:20 -!- nutella_ is now known as adac
19:22 < adac> Ok now i tried to connect me to the vpn server. it seems to connect, however i cannot ping the server over the tun ip nor access to internet
19:22 < adac> how can i debug this?
19:25 < krzie> !configs
19:25 <@vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
19:25 < krzie> !logs
19:25 <@vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
19:27 < ecrist> krzie: I forgot about that
19:27 < adac> krzie, here is an excerpt of the server log: http://pastie.org/1261086
19:28 < adac> krzie, hmm do i need a client config? isn't it enough to set up the connection on client side via a networkmanager and the client certs?
19:29 < krzie> !netman
19:29 <@vpnHelper> krzie: "netman" is if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from an openvpn expert on the mail list
19:31 < krzie> looks to me like one side has comp-lzo and the other doesnt
19:31 < adac> krzie, ok i see. So what is the best way to check if the connection works?
19:31 < krzie> Oct 31 02:15:10 servname ovpn-server[2975]: 85.127.xx.xx:52658 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
19:32 < adac> yeah comp-lzo seems to be an issue...what is it?
19:32 < krzie> also, you have no reason to be playing with your mtu
19:32 < krzie> read the manual before asking questions like that
19:32 < adac> ok
19:32 < krzie> !man
19:32 <@vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
19:33 < krzie> since its the comp-lzo config option you wanna know, search for --comp-lzo
19:35 -!- atan [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
19:35 < adac> krzie, https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/379073
19:35 <@vpnHelper> Title: Bug #379073 in network-manager-openvpn (Ubuntu): “nm-openvpn fails silently on incorrect settings” (at bugs.launchpad.net)
19:35 < adac> seems pretty much my issue then :)
19:35 < krzie> [17:32]  <krzie> !netman
19:35 < krzie> [17:32]  <vpnHelper> krzie: "netman" is if you are using network manager for linux to configure your vpn, dont!
19:35 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
19:37 -!- s7r [~s7r@188.26.131.68] has joined #openvpn
19:38 -!- adac [~nutella@85-127-41-82.dynamic.xdsl-line.inode.at] has left #openvpn ["Verlassend"]
19:39 -!- adac [~nutella@85-127-41-82.dynamic.xdsl-line.inode.at] has joined #openvpn
19:41 -!- adac [~nutella@85-127-41-82.dynamic.xdsl-line.inode.at] has quit [Quit: Verlassend]
19:42 -!- adac [~nutella@85-127-41-82.dynamic.xdsl-line.inode.at] has joined #openvpn
19:43 < adac> krzie, just for a test now i disabled comp-lzo on server side and then it works. What does "comp-lzo" do? Mean how does its compression work?
19:50 < krzie> did you read --comp-lzo in the manual...?
19:52 < adac> krzie, yeah, bu i don't understand what it really does 
19:53 < krzie> what from the man page did you not understand in relation to what it does?
19:54 < adac> krzie, i mean does it really like compress the whole data stream... do pics within the browser have lower quality if this is enabled and i'm connected
19:55 < krzie> no they would not
19:55 < BenB> adac: there is lossy compression and lossless
19:55 < krzie> and its level on compression depends on samples of the data going over the vpn
19:55 < BenB> adac: most compression algos are lossless.
19:55 < krzie> default comp-lzo setting is adaptive
19:55 < BenB> adac: only jpeg, mpeg and co, mp3 and co are lossy.
19:55 < adac> oh i see
19:55 < krzie> so it samples the info, and sees how much it should actually be compressing
19:56 < krzie> (and BenB covered the rest of the question well)
19:56 < adac> ok then this would be a nice feature then. yes BenB nice job :)
19:56 < BenB> adac: lossless means you get after uncompressing *exactly* what went in before compression
19:56 < krzie> right, thats how comp-lzo is
19:59 < adac> Is it common to use openvpn in combination with LDAP?
20:01 < BenB> no. LDAP is used only by very big (>1000 people) organizations.
20:01 < BenB> (typically)
20:13 < krzie> not sure about "common"  but it has been done
20:13 < krzie> i know *i* dont do it
20:13 < krzie> ecrist prolly does
20:13 < adac> I will do that tomorrow, i think i already know how now
20:13 < adac> since I already have an ldap server i need to connect to :)
20:14 < adac> even thoug I'm only a 2 man company
20:14 < adac> .D
20:17 < adac> ok guys, thx for all the help. I need to go to bed... even though i just realized that i could sit an hour longer here, since the time just was set back for an hour ;) so good night guys! 
20:18 < krzie> yw
20:19 -!- adac [~nutella@85-127-41-82.dynamic.xdsl-line.inode.at] has quit [Quit: Verlassend]
20:25 <@vpnHelper> RSS Update - forum: Configuration :: Getting the remote ip address on my client :: Author mgaustin <https://forums.openvpn.net/viewtopic.php?f=6&t=7222&p=8254#p8254>
21:16 < krzie> that guy needs !redirect, but i dont have the energy to explain it
21:25 -!- BenBu [~ben@lns-bzn-20-82-64-30-182.adsl.proxad.net] has joined #openvpn
21:28 -!- BenB [~ben@dispo-82-248-154-7.adsl.proxad.net] has quit [Ping timeout: 276 seconds]
21:28 -!- BenBu is now known as BenB
21:38 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
21:38 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
21:38 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
21:50 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
22:03 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Quit: No Ping reply in 90 seconds.]
22:04 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
22:10 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
22:15 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Quit: No Ping reply in 90 seconds.]
22:15 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
22:49 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has quit [Remote host closed the connection]
22:50 -!- BenBu [~ben@dispo-82-250-11-211.adsl.proxad.net] has joined #openvpn
22:54 -!- BenB [~ben@lns-bzn-20-82-64-30-182.adsl.proxad.net] has quit [Ping timeout: 276 seconds]
23:05 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
23:09 -!- BenBuc [~ben@lns-bzn-26-82-254-100-59.adsl.proxad.net] has joined #openvpn
23:13 -!- BenBu [~ben@dispo-82-250-11-211.adsl.proxad.net] has quit [Ping timeout: 276 seconds]
23:48 <@vpnHelper> RSS Update - forum: Configuration :: OpenVPN - Layer7 Filterting :: Author cyberjunk <https://forums.openvpn.net/viewtopic.php?f=6&t=7223&p=8255#p8255>
23:48 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
--- Day changed Sun Oct 31 2010
00:02 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
00:17 -!- takamichi [~pri@78.133.38.192] has quit []
00:22 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
00:35 < takamichi> !welcome
00:35 <@vpnHelper> takamichi: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
00:36 < takamichi> !goal
00:36 <@vpnHelper> takamichi: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
00:39 -!- p3rror [~mezgani@41.137.57.109] has quit [Ping timeout: 245 seconds]
00:40 -!- takamichi [~pri@78.133.38.192] has quit []
01:09 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
01:10 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
01:46 -!- takamichi [~pri@78.133.38.192] has quit [Remote host closed the connection]
01:47 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
02:07 -!- takamichi [~pri@78.133.38.192] has quit [Remote host closed the connection]
02:07 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
02:08 -!- takamichi [~pri@78.133.38.192] has quit [Client Quit]
02:09 -!- takamichi [~pri@78.133.38.192] has joined #openvpn
02:09 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:10 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:20 < ecrist> krzie: I *do* use LDAP
02:20 < ecrist> we use LDAP for *lots* of things now
02:21 -!- takamichi [~pri@78.133.38.192] has quit [Ping timeout: 255 seconds]
02:25 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
02:34 -!- krzee [krzee@hemp.ircpimps.org] has joined #openvpn
02:34 -!- krzee [krzee@hemp.ircpimps.org] has quit [Changing host]
02:34 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
02:39 -!- BenBuc is now known as BenB
02:42 -!- BenB [~ben@lns-bzn-26-82-254-100-59.adsl.proxad.net] has quit [Remote host closed the connection]
02:45 -!- BenB [~ben@lns-bzn-26-82-254-100-59.adsl.proxad.net] has joined #openvpn
02:54 <@vpnHelper> RSS Update - forum: Installation Help :: Internet connection lost when client logged in :: Author esperlu <https://forums.openvpn.net/viewtopic.php?f=5&t=7224&p=8256#p8256>
03:21 -!- takamichi [~pri@pm301-97-169.keyworld.net] has joined #openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
04:44 -!- master_of_master [~master_of@p57B53387.dip.t-dialin.net] has quit [Ping timeout: 250 seconds]
04:46 -!- master_of_master [~master_of@p57B52D9A.dip.t-dialin.net] has joined #openvpn
05:53 < takamichi> I understand how --ifconfig-pool-persist creates a long-term association between clients and Ip's, but why is OpenVPN creating hundreds of files in /etc/openvpn named after the user common-name with an ifconfig-push in them?
06:05 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined #openvpn
06:15 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Quit: Leaving]
06:20 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
06:32 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
06:55 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 265 seconds]
07:04 -!- p3rror [~mezgani@41.137.57.13] has joined #openvpn
07:13 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: OpenVPN on Laptop and automatically connect/disconnect :: ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7074&p=8257#p8257>
07:30 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
07:31 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
07:32 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
07:32 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
07:34 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
07:34 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
07:35 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
07:36 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
07:38 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
07:51 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Ping timeout: 276 seconds]
07:54 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
08:01 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Read error: Operation timed out]
08:06 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
08:38 -!- p3rror [~mezgani@41.137.57.13] has quit [Ping timeout: 240 seconds]
08:47 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
08:50 < cron2> takamichi: openvpn doesn't, actually.  the --ifconfig-pool-persist data is stored in a single file (which is the file name given to the option).  If there are per-common-name files, they are created by someone else, like radiusplugin or such
08:51 < takamichi> cron2, thanks, actually I am using the radius plugin so I assume thats it then, cheers!
09:09 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has joined #openvpn
09:19 -!- Boka [~boca@200.74.240.44] has joined #openvpn
09:48 -!- karlpinc [~kop@meme-net.meme.com] has joined #openvpn
09:48 < karlpinc> What just happened on the mailing list?  Anybody else just get a whole bunch of old messages re-sent?
09:58 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
10:01 < cron2> yup, someone too stupid to do e-mail used fetchmail and replayed a ton of old openvpn-devel messages
10:03 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
10:05 -!- tiger_ [~tiger@net.claubscher.ch] has joined #openvpn
10:06 < tiger_> !welcome
10:06 <@vpnHelper> tiger_: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:07 -!- tiger_ [~tiger@net.claubscher.ch] has quit [Quit: Leaving]
10:12 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Read error: Operation timed out]
10:35 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
10:46 -!- Boka [~boca@200.74.240.44] has quit []
11:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
12:16 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
12:16 < fahmad> hey
12:16 < fahmad> krzee: arround ?
12:17 < fahmad> can some one tell me is this possible to assign dhynamic ip address using client-connect script ?
12:18 < fahmad> other then ccd ...
12:32 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
12:59 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
13:09 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
13:37 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Remote host closed the connection]
13:41 -!- bandini [~bandini@host87-106-dynamic.11-79-r.retail.telecomitalia.it] has joined #openvpn
13:49 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
14:09 < zamba> how do i route all my traffic through the openvpn connection on a router?
14:10 < zamba> redirect-gateway?
14:11 < zamba> yeah, nevermind :)
14:11 < reiffert> !def1
14:11 <@vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
14:25 < krzee> !redirect
14:25 <@vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:47 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
15:26 -!- s7r [~s7r@188.26.131.68] has quit []
15:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
16:08 < Jarpse> !def1
16:08 <@vpnHelper> Jarpse: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
16:16 -!- DrJ is now known as Bacon
16:16 -!- Bacon is now known as DrJ
16:22 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
16:37 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
16:45 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
16:46 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
17:06 -!- bandini [~bandini@host87-106-dynamic.11-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
17:12 -!- Nickman_OFF is now known as Nickman
17:15 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
17:57 -!- Meliorator [m@dunnington.eu] has quit [Read error: Connection reset by peer]
17:59 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
18:01 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
18:03 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 272 seconds]
18:05 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
18:11 -!- Meliorator [m@dunnington.eu] has joined #openvpn
18:11 -!- Meliorator [m@dunnington.eu] has quit [Excess Flood]
18:11 -!- Meliorator [m@dunnington.eu] has joined #openvpn
18:20 -!- takamichi [~pri@pm301-97-169.keyworld.net] has quit [Ping timeout: 265 seconds]
18:20 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
18:27 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has left #openvpn ["Leaving"]
18:28 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
18:41 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
18:47 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Quit: Távozom]
18:51 -!- Nickman is now known as Nickman_OFF
18:55 < |Mike|> Nickman_OFF: tbh, i don't give a sh*t that you're offline. Please keep your normal nickname :)
18:56 < |Mike|> uch, I should have copied my irssi config over from my former shell which I had for 9 years...
19:01 < jpalmer> |Mike|: isn't it easier to /ignore nick changes,  than to yell at someone who.. you know isn't looking at the screen?
19:03 < |Mike|> jpalmer: Yep, just done that. I configged it around 9 years ago ;)
20:00  * krzie bets mike wont be taking that same stance with dazo
20:00 < krzie> lol
20:15 -!- aliverius_ [~george@athedsl-373099.home.otenet.gr] has joined #openvpn
20:15 -!- aliverius [~george@athedsl-395176.home.otenet.gr] has quit [Ping timeout: 265 seconds]
20:21 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
20:24 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
20:34 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
21:03 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has quit [Remote host closed the connection]
21:19 -!- batrick [~batrick@batbytes.com] has quit [Read error: Operation timed out]
21:20 -!- nijotz [~nick@72.14.181.106] has quit [Ping timeout: 245 seconds]
21:25 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
21:28 -!- batrick [~batrick@batbytes.com] has joined #openvpn
21:29 -!- nijotz [~nick@72.14.181.106] has joined #openvpn
22:37 -!- Sivart [~Travis@cle-bb-cable2-ws-85.dsl.airstreamcomm.net] has quit [Ping timeout: 255 seconds]
22:38 -!- Sivart [~Travis@cle-bb-cable2-ws-85.dsl.airstreamcomm.net] has joined #openvpn
23:05 -!- BenBu [~ben@lns-bzn-52-82-65-94-124.adsl.proxad.net] has joined #openvpn
23:08 -!- BenB [~ben@lns-bzn-26-82-254-100-59.adsl.proxad.net] has quit [Ping timeout: 276 seconds]
--- Day changed Mon Nov 01 2010
00:06 -!- jellow_ [~jellow@CPE-124-186-171-147.lns11.woo.bigpond.net.au] has joined #openvpn
00:08 < jellow_> I'm confused hopefully you can help me understand, How can i disable forwarding to lan , I disable it in server or client config ? 
00:24 -!- jellow_ [~jellow@CPE-124-186-171-147.lns11.woo.bigpond.net.au] has quit [Ping timeout: 265 seconds]
00:26 -!- jellow_ [~jellow@178.63.127.231] has joined #openvpn
00:27 < krzee> jellow_, you dont "disable" it... you enable it when needed by adding routes
00:33 < jellow_> I used an auto-configure script affair so rather blind to what is going on. 
00:33 < jellow_> this push "route 10.8.0.0 255.255.255.0"
00:33 < jellow_> #push "redirect-gateway"
00:35 < jellow_> what does this do exactly?
00:36 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
00:37 < jellow_> 10.8.0.0 is the virtual network then "redirect-gateway" forwards to the external interface (venet0 in my case)? 
00:49 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Remote host closed the connection]
01:17 -!- jellow_ is now known as jellow
01:17 -!- jellow [~jellow@178.63.127.231] has quit [Changing host]
01:17 -!- jellow [~jellow@unaffiliated/jellow] has joined #openvpn
01:22 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
01:40 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
01:46 -!- jellow [~jellow@unaffiliated/jellow] has quit [Ping timeout: 252 seconds]
01:48 -!- jellow [~jellow@CPE-124-186-171-147.lns11.woo.bigpond.net.au] has joined #openvpn
01:57 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
02:10 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
02:13 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
02:33 -!- Dougy_ [me@tech.qsi.net] has quit [Read error: Connection reset by peer]
02:33 -!- Dougy [me@tech.qsi.net] has joined #openvpn
02:33 -!- takamichi [~pri@pm301-97-169.keyworld.net] has joined #openvpn
02:44 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
03:01 -!- drcode [~user1@bzq-84-111-105-190.red.bezeqint.net] has joined #openvpn
03:01 < drcode> hi all
03:02 < drcode> I have problem with openvpn client in windows, after I have connection lost it got stack to get ip by dhcp , any idea or mybe some bug?
03:02 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
03:02 < drcode> if I restart openvpn service it work
03:27 -!- drcode [~user1@bzq-84-111-105-190.red.bezeqint.net] has quit [Quit: Leaving]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:45 <@vpnHelper> RSS Update - forum: Installation Help :: Re: Internet connection lost when client logged in :: Reply by esperlu <https://forums.openvpn.net/viewtopic.php?f=5&t=7224&p=8258#p8258>
03:47 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
04:03 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 240 seconds]
04:05 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
04:07 -!- EmperorTom [~EmperorTo@cl-247.dal-01.us.sixxs.net] has quit [Read error: Operation timed out]
04:07 -!- EmperorTom [~EmperorTo@174-30-252-58.mpls.qwest.net] has joined #openvpn
04:09 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
04:19 -!- n0rb33r7 [n0rb33r7@91.83.172.122] has joined #openvpn
04:19 < n0rb33r7> hello! I'd like to ask you guys for help, I installed openvpn on debian, I can connect to the OpenVPN server, but I can't use the server's internet
04:20 < n0rb33r7> why is that?
04:20 -!- mrle0 [~fin@cpc13-bele7-2-0-cust182.2-1.cable.virginmedia.com] has joined #openvpn
04:20 < n0rb33r7> I used iptables -t nat -A POSTROUTING... masquarede stuff
04:20 <@vpnHelper> RSS Update - forum: Installation Help :: Re: Internet connection lost when client logged in :: Reply by esperlu <https://forums.openvpn.net/viewtopic.php?f=5&t=7224&p=8259#p8259>
04:24 < Bushmills> !redirect
04:24 <@vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
04:25 < n0rb33r7> !def1
04:25 <@vpnHelper> n0rb33r7: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
04:44 -!- master_of_master [~master_of@p57B52D9A.dip.t-dialin.net] has quit [Ping timeout: 252 seconds]
04:46 -!- master_of_master [~master_of@p57B55D67.dip.t-dialin.net] has joined #openvpn
04:51 -!- n0rb33r7 [n0rb33r7@91.83.172.122] has quit []
05:02 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
05:09 -!- drcode [~user1@bzq-84-111-105-190.red.bezeqint.net] has joined #openvpn
05:09 < drcode> hi all
05:10 < drcode> I have setup dhcp in openvpn server, I got some problem with dhcp on openvpn client under windows, is there way to make openvpn static (if my server config with dhcp) ?
05:21 < Bushmills> yes, there is a way to assign static ip addresses to openvpn clients. but that's unrelated to dhcp or problems with it.
05:21 < |Mike|> krzie: does he use off/away nicks?
05:27 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
05:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
05:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
05:33 -!- freaky[t] [alpha@freakyy.de] has joined #openvpn
05:37 < drcode> Bushmills, U mean ipp.txt file?
05:37 < drcode> I also did it
05:37 < drcode> but it still dosn't give the ip
05:37 < Bushmills> no, i didn't mean that
05:37 < drcode> so?
05:38 < Bushmills> !ifconfig-push
05:38 <@vpnHelper> Bushmills: Error: "ifconfig-push" is not a valid command.
05:38 < Bushmills> !ccd
05:38 <@vpnHelper> Bushmills: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
05:38 < Bushmills> combination of these two
05:40 < drcode> thanx alos Bushmills 
05:41 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has joined #openvpn
05:50 -!- aliverius_ is now known as aliverius
06:08 < drcode> Bushmills, common name u mean file like MYPC
06:09 < Bushmills> !CN
06:09 <@vpnHelper> Bushmills: Error: "CN" is not a valid command.
06:09 < Bushmills> !cn
06:09 <@vpnHelper> Bushmills: Error: "cn" is not a valid command.
06:10 < Bushmills> when you created and signed the openssl key, you were asked for CN - that's the common name
06:11 < drcode> ok
06:11 < drcode> thanx , I see
06:15 < drcode> is there other way to find it , I don't remmber what cn I wrote
06:17 < Bushmills> grep CN /etc/openvpn/*.crt
06:25 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined #openvpn
06:50 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
06:56 -!- BenBu is now known as BenB
07:01 < drcode> ok
07:01 < drcode> thanx
07:15 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
07:15 < drcode> still it take dhcp ip
07:15 < drcode> I did this
07:15 < drcode> my CN is test
07:15 < drcode> I open folder /etc/openvpn/client/Test
07:15 < drcode> and put in Test MYPC,IP
07:15 < drcode> still it take from DHCP
07:15 < drcode> Bushmills, ?
07:18 < Bushmills> no ifconfig-push in file Test? have you set ccd directory in server config?
07:18 < drcode> yes
07:18 < Bushmills> yes what? no ifconfig-push?
07:18 < drcode> I understand that I need to make cert and use it openvpn client
07:19 < drcode> so earch client will have diffrent cert ?
07:19 < Bushmills> yes
07:19 < drcode> k
07:19 < drcode> I will try it
07:19 < drcode> thanx again
07:24 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has quit [Remote host closed the connection]
07:25 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined #openvpn
07:25 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
07:25 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
07:25 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
07:26 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has quit [Remote host closed the connection]
07:27 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined #openvpn
07:30 < drcode> Bushmills, It was long time , I can change only CN inside client.cert or I must make new one , I don't remmber how
07:35 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
07:40 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
08:08 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
08:10 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
08:10 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
08:10 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
08:21 -!- roidelapluie [~roidelapl@unaffiliated/roidelapluie] has joined #openvpn
08:38 -!- drcode [~user1@bzq-84-111-105-190.red.bezeqint.net] has quit [Quit: Leaving]
08:47 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
09:06 <@vpnHelper> RSS Update - forum: Server Administration :: VPN Tunnel with OpenVPN becomes slower and slower over time :: Author ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7225&p=8260#p8260>
09:08 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
09:10 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
09:34 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 272 seconds]
09:39 -!- dollabill [~mike@216.sub-75-203-57.myvzw.com] has joined #openvpn
09:43 -!- dbill [~mike@97.66.26.10] has joined #openvpn
09:46 -!- dollabill [~mike@216.sub-75-203-57.myvzw.com] has quit [Ping timeout: 240 seconds]
09:59 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
10:45 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined #openvpn
10:46 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left #openvpn []
10:48 < tuxx_> guys? whats the best way to make sure openvpn automatically restarts in case the connection is lost?
10:48 < tuxx_> is there some persistency fla
10:48 < tuxx_> flag...
10:55 < ecrist> yes
10:55 < ecrist> --resolve-retry infinite
11:08 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Ping timeout: 276 seconds]
11:15 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
11:22 -!- tomsu [~tom@dhcp-119.hep.fsu.edu] has joined #openvpn
11:24 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
11:25 < tomsu> hi all. Maybe a stupid question: is it possible to "merge" two vpn connections? I have a small box running at home connected to a remote vpn. Now, I'd like to open a vpn connection from work to this box to both have the network drives available and reroute the traffic through the remote vpn. Possible?
11:33 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
11:40 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
11:41 -!- n0rb33r7 [~n0rb33r7@178.63.201.193] has joined #openvpn
11:54 -!- itchi [~David@unaffiliated/itchi] has joined #openvpn
11:57 -!- n0rb33r7 [~n0rb33r7@178.63.201.193] has left #openvpn []
12:03 -!- n0rb33r7 [~n0rb33r7@178.63.201.193] has joined #openvpn
12:07 < n0rb33r7> hello! I installed openvpn access server, and it's working pretty well, but I have one question. 
12:07 < n0rb33r7> VPN server is debian x64 squeeze, on my laptop I use ubuntu
12:07 < n0rb33r7> how can I enable on the iptables, that I can ssh my ubuntu? the ssh port on my ubuntu is 11111
12:18 -!- p3rror [~mezgani@41.137.57.79] has joined #openvpn
12:22 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has joined #openvpn
12:37 -!- dbill [~mike@97.66.26.10] has quit [Ping timeout: 240 seconds]
12:39 -!- finetic [~finetic@213.155.20.16] has joined #openvpn
12:49 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:50 < cron2> !as
12:50 <@vpnHelper> cron2: "as" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations options
12:50 <@vpnHelper> cron2: supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
12:53 < krzee> tomsu, yes, possible
12:53 < krzee> sounds like vpnchains
12:56 -!- n0rb33rr7 [n0rb33r7@91.83.172.122] has joined #openvpn
12:57 -!- n0rb33rr7 [n0rb33r7@91.83.172.122] has quit [Client Quit]
12:58 < krzee> n0rb33r7, https://forums.openvpn.net/viewtopic.php?p=8059#p8059
12:58 <@vpnHelper> Title: OpenVPN Support Forum View topic - allow ssh via on non vpn address while vpn is open (at forums.openvpn.net)
12:58 < tomsu> krzee: good to know. any hints for good guides?
12:58 < krzee> !route
12:59 <@vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:59 < krzee> its not a specific guide, but if you learn routing by learning what that guide teaches, you'll be able to do it
12:59 < tomsu> krzee: great, thanks!
12:59 -!- n0rb33r7 [~n0rb33r7@178.63.201.193] has quit [Ping timeout: 255 seconds]
12:59 < krzee> in my vpnchains writeup i mention that i wont be teaching people how to do it, but rather they must learn from my routing writeup
13:00 < krzee> here: http://www.secure-computing.net/wiki/index.php/OpenVPN/VpnChains
13:00 <@vpnHelper> Title: OpenVPN/VpnChains - Secure Computing Wiki (at www.secure-computing.net)
13:00 < krzee> but that wont be useful, you want the routing one
13:00 < tomsu> yeah, that will help a lot.
13:01 < krzee> ahh there is 1 sidenote i mention in vpnchains twords your goal
13:01 < krzee> the client needs ip forwarding enabled in the OS
13:02 < krzee> other than that, everything you need is in routing writeup, but you need to read it for understanding to make it work... in fact understanding your goal is why i made the routing writeup
13:02 < krzee> once i figured out how to do that, i wrote that page
13:03 < krzee> each other vpn is just a lan behind the client =]
13:09 < tomsu> this is exactly what I expected. I played once with routing and messed up big time :) I'll check the guides out when I'm at home
13:09 < tomsu> thx
13:13 -!- sirsec [~sec@ip-88-153-236-190.unitymediagroup.de] has quit [Remote host closed the connection]
13:13 < krzee> yw
13:30 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
13:31 -!- tomsu [~tom@dhcp-119.hep.fsu.edu] has left #openvpn ["WeeChat 0.3.3"]
14:01 -!- batrick [~batrick@batbytes.com] has quit [Quit: leaving]
14:03 -!- epaphus [~user@201.199.62.74] has joined #openvpn
14:03 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.12/20101026210630]]
14:07 -!- batrick [~batrick@batbytes.com] has joined #openvpn
14:10 < |Mike|> .
14:37 -!- korozion [korozion@linuxgeneration.org] has joined #openvpn
14:39 < korozion> is it ok to ask questions about OpenVPN GUI here?
14:40 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
14:40 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:43 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
14:48 < ecrist> korozion: yes
14:49 < korozion> excellent.  I'd like to have two separate VPN connections from my laptop to two different networks.  I've read that it's doable, however I can't find decent documentation on it.  Could someone point me in the right direction?  I should note I'd like them to both be running at the same time, and yes they are on different subnets
14:51 < finetic> Anyone in here can help me a little with setting up OpenVPN Server on a Debian server?
14:51 < finetic> Is it hard?
14:54 < ecrist> !howto
14:54 <@vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:54 < ecrist> finetic: ^^^
14:54 < ecrist> korozion: let me look
14:57 < krzie> korozion, right click the icon in your taskbar
14:57 < krzie> click connect, choose the vpn connection to connect
14:58 < krzie> or double click the ovpn config file
14:58 -!- lupine_85 [~lupine_85@unaffiliated/lupine-85/x-7392152] has joined #openvpn
14:59 < ecrist> there you go
15:00 < lupine_85> hiya. So i'm travelling to a less-liberal country at the end of the week. It has a 3G network, my phone has an OpenVPN client, and I have a server. Does anyone know if OpenVPN works 'transparently' over the kind of NATed setups mobile networks tend to use?
15:04 < krzie> depends on their firewalls
15:04 < krzie> it *can*
15:04 < korozion> krzie: but can both run at the same time?
15:04 < krzie> korozion, as far as i know they can
15:04 < krzie> i dont use windows
15:04 < korozion> hrm, I'll give it a shot and see what breaks
15:04 < krzie> if anything you might need to manually install another TAP device
15:05 < korozion> oh yeah, I think I read something about that
15:05 < krzie> cause windows is weaksauce that cant dynamically assign tap device
15:05 < korozion> indeed
15:05 < krzie> http://openvpn.net/INSTALL-win32.html
15:05 < lupine_85> I guess I should just install it and see
15:06 < lupine_85> worst-case, there's also SSH tunneling to a HTTP proxy
15:06 < korozion> krzie: thanks
15:06 < krzie> np
15:07 < krzie> korozion, if you do need that, see these parts of that url
15:07 < krzie> otes -- Windows and TAP device naming
15:07 < krzie> Notes -- Manual Install/Update/Uninstall of the TAP-Win32 kernel driver
15:08 -!- Agin_ is now known as Agin
15:10 < korozion> yup just got there, looks like everything I need.  Thanks again.  I'll try it out and let you know what happens
15:10 < krzie> cool
15:11 < krzie> if you do in fact need to do that, maybe you can make a writeup on our wiki for the next guy =]
15:11 < korozion> I'd be happy to
15:16 -!- rawDawg [~rawdawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined #openvpn
15:16 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
15:24 < korozion> holy crap I think it worked
15:24 < korozion> brb, need to test more
15:25 < krzie> !wiki
15:25 <@vpnHelper> krzie: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
15:29 -!- Jarpse [~jarpse@cluon.soleus.nu] has quit [Ping timeout: 245 seconds]
15:31 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Remote host closed the connection]
15:37 -!- Jarpse [~jarpse@cluon.soleus.nu] has joined #openvpn
15:52 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
15:56 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
16:04 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
16:06 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Quit: Leaving]
16:08 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
16:10 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
16:29 -!- rawDawg [~rawdawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Quit: ( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )]
16:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 255 seconds]
16:48 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has quit [Read error: Connection reset by peer]
16:50 -!- p3rror [~mezgani@41.137.57.79] has quit [Ping timeout: 245 seconds]
16:51 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
16:52 -!- rhp [c3f15fe0@gateway/web/freenode/ip.195.241.95.224] has joined #openvpn
16:52 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
16:55 -!- p3rror [~mezgani@41.137.57.79] has joined #openvpn
16:55 < rhp> Hi all. I've been messing about with the  push "route xxx" command all day now, but the only thing I get back is the error message "route parameter network/IP 'add' must be a valid address". The route line reads   ' push "route add 192.168.102.0 255.255.255.0" '.  Does anyone know what I'm doing wrong?
16:57 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has joined #openvpn
16:59 < korozion> loose the add bit
16:59 < korozion> push "route 172.18.0.0 255.255.0.0"
17:00 -!- p3rror [~mezgani@41.137.57.79] has quit [Ping timeout: 245 seconds]
17:00 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
17:00 -!- p3rror [~mezgani@41.137.57.79] has joined #openvpn
17:06 < rhp> korozion: thx so much
17:06 < rhp> How could I have overlooked that a million times...
17:07 < korozion> no worries
17:08 < rhp> Hm... the route add part is working now. But it is binding to the local interface instead of the tap interface.
17:09 -!- linguini [~user@c-71-193-179-58.hsd1.wa.comcast.net] has joined #openvpn
17:09 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Remote host closed the connection]
17:09 < linguini> !welcome
17:09 <@vpnHelper> linguini: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:09 < korozion> rhp: do you have    dev tun    in your client config?
17:09 < rhp> No, dev tap
17:14 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: Connection reset by peer]
17:14 -!- p3rror [~mezgani@41.137.57.79] has quit [Ping timeout: 245 seconds]
17:15 -!- p3rror [~mezgani@41.137.57.79] has joined #openvpn
17:19 -!- Patt is now known as Patt_Away
17:19 -!- Patt_Away is now known as Patt
17:19 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
17:20 -!- p3rror [~mezgani@41.137.57.79] has quit [Ping timeout: 245 seconds]
17:21 -!- p3rror [~mezgani@41.137.57.79] has joined #openvpn
17:29 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has quit [Remote host closed the connection]
17:30 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 255 seconds]
17:30 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
17:32 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has joined #openvpn
17:33 < rhp> !route
17:33 <@vpnHelper> rhp: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:35 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
17:35 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Quit: No Ping reply in 90 seconds.]
17:35 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
17:45 -!- rhp [c3f15fe0@gateway/web/freenode/ip.195.241.95.224] has quit [Quit: Page closed]
17:46 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:50 -!- Patt [~patrickal@c-76-23-212-76.hsd1.ct.comcast.net] has quit [Remote host closed the connection]
17:54 < ecrist> !dns
17:54 <@vpnHelper> ecrist: "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4
18:08 < linguini> !howto
18:08 <@vpnHelper> linguini: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
18:08 < epaphus> is it normal that in my openvpn linux server iam using tun, and openvpn windows client is using tap ¡?
18:10 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:22 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
18:55 < linguini> Is there a way to use OpenVPN on Mac OS X without a GUI?  Mattias Nissler's TUN/TAP driver seems to have gone missing.
18:57 -!- MWinther [~mw@100-197-96-87.cust.blixtvik.se] has joined #openvpn
18:57 < futurestack> I downloaded it the other day...
18:57 < linguini> http://www-user.rhrk.uni-kl.de/~nissler/tuntap/ # does not work for me
18:57 < Bushmills> you need the tun/tap driver for openvpn, not for the gui
18:58 < futurestack> http://tuntaposx.sourceforge.net/faq.xhtml
18:58 <@vpnHelper> Title: TunTap - Frequently Asked Questions (at tuntaposx.sourceforge.net)
18:58 < linguini> Bushmills: Ah, right.  I asked my question poorly.
18:58 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
18:59 < futurestack> I linked the wrong page but that should work
19:00 < linguini> futurestack: Ah, thanks.  I was looking at old links apparently.
19:00 -!- tck9 [~makaveli@S010600a2bc4a5271.vs.shawcable.net] has joined #openvpn
19:01 < futurestack> np
19:01 < tck9> is there a way to block traffic destined to port 25 from users that are behind openvpn?
19:01 < tck9> iptables -A OUTPUT -p tcp -s 1.1.1.1 --dport 25 -j DROP doesn't work
19:01 -!- MWinther [~mw@100-197-96-87.cust.blixtvik.se] has quit [Ping timeout: 255 seconds]
19:01 < tck9> where 1.1.1.1 is the public openvpn IP
19:16 -!- takamichi [~pri@pm301-97-169.keyworld.net] has quit [Ping timeout: 276 seconds]
19:19 -!- linguini [~user@c-71-193-179-58.hsd1.wa.comcast.net] has quit [Quit: ERC Version 5.3 (IRC client for Emacs)]
19:55 < jpalmer> tck9: do it as an INPUT rule, coming IN on the openvpn interface.
19:57 -!- p3rror [~mezgani@41.137.57.79] has quit [Ping timeout: 245 seconds]
20:02 -!- ropetin [~ropetin@pdpc/supporter/student/ropetin] has joined #openvpn
20:02 -!- ropetin [~ropetin@pdpc/supporter/student/ropetin] has quit [Client Quit]
20:05 < tck9> you mean coming in for tun0 like iptables -A INPUT -i tun0 -p tcp --dport 25 -j DROP ?
21:21 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined #openvpn
21:35 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
22:08 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:34 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
22:46 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
23:03 -!- karlpinc [~kop@meme-net.meme.com] has left #openvpn []
23:05 -!- BenBu [~ben@lns-bzn-38-82-253-102-120.adsl.proxad.net] has joined #openvpn
23:08 -!- ribasushi [~ribasushi@arx.rabbit.us] has joined #openvpn
23:09 -!- ribasushi [~ribasushi@arx.rabbit.us] has left #openvpn ["Leaving"]
23:09 -!- BenB [~ben@lns-bzn-52-82-65-94-124.adsl.proxad.net] has quit [Ping timeout: 276 seconds]
23:44 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
23:44 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
23:44 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
--- Day changed Tue Nov 02 2010
00:14 < tck9> how do you get the secondary ip (eg. eth0:1) to be the public ip that vpn clients appear to be coming from?
00:14 < tck9> right now they all appear to be coming from the eth0 IP
00:40 -!- ksk [~ksk@im.knubz.de] has quit [Ping timeout: 265 seconds]
00:40 -!- ksk [~ksk@im.knubz.de] has joined #openvpn
01:16 -!- X-Raimo [~asmpub@212.248.8.10] has joined #openvpn
01:17 < X-Raimo> hello, does client checks server's certificate when connects to openvpn server? And how this happens? 
01:24 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
02:08 -!- X-Raimo [~asmpub@212.248.8.10] has left #openvpn []
02:20 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
02:21 -!- jellow [~jellow@CPE-124-186-171-147.lns11.woo.bigpond.net.au] has quit [Quit: Lost terminal]
02:26 -!- dazo_afk is now known as dazo
02:30 -!- finetic [~finetic@213.155.20.16] has quit [Ping timeout: 245 seconds]
02:36 -!- Nickman_OFF is now known as Nickman
02:56 -!- Nickman [~Nickman@d5153743B.access.telenet.be] has left #openvpn []
03:12 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
03:26 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
03:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Quit: No Ping reply in 90 seconds.]
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:39 <@vpnHelper> RSS Update - forum: Server Administration :: Re: openVPN connection can never stablished on my VPS :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7209&p=8261#p8261> || Server Administration :: Re: Problem with CN in unicode. :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7196&p=8262#p8262>
03:44 <@vpnHelper> RSS Update - forum: Server Administration :: Re: openVPN connection can never stablished on my VPS :: Reply by chakoshi <https://forums.openvpn.net/viewtopic.php?f=4&t=7209&p=8263#p8263>
03:46 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
03:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
03:50 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Configuration Question on multiple servers and lans :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7216&p=8264#p8264>
03:56 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
03:56 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
03:56 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
03:56 <@vpnHelper> RSS Update - forum: Server Administration :: Re: openVPN connection can never stablished on my VPS :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7209&p=8265#p8265>
04:02 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Configuration Question on multiple servers and lans :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7216&p=8266#p8266>
04:12 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Problem with CN in unicode. :: Reply by forth <https://forums.openvpn.net/viewtopic.php?f=4&t=7196&p=8267#p8267>
04:13  * lupine_85 follows noddy tutorial
04:14 < krzee> tck9, 
04:15 < krzee> !linnat
04:15 <@vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
04:15 < krzee> see #2
04:15 < krzee> lupine_85, whats your goal?
04:15 < lupine_85> I'm off to Morocco on Friday and want my Internet traffic (passing over GSM/3G) to be encrypted
04:16 < krzee> !redirect
04:16 <@vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
04:19 < Bushmills> and take care of the name server, as your client will be unlikely to be able to continue using the one set by provider after --redirect-gateway 
04:20 -!- takamichi [~pri@pm301-97-169.keyworld.net] has joined #openvpn
04:25 < krzee> this is true
04:27 < lupine_85> woo, I have a tunnel
04:27 < lupine_85> (simple shared secret)
04:36 < lupine_85> hmm. now to make all the traffic go via that tunnel
04:36 < lupine_85>     push "redirect-gateway def1" doesn't seem to have had any effect
04:37 < krzee> other side needs pull
04:37 < krzee> (since you are using point-to-point and not client/server
04:38 < krzee> )
04:39 < lupine_85> ah, ok
04:45 -!- master_of_master [~master_of@p57B55D67.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
04:46 -!- master_of_master [~master_of@p57B53690.dip.t-dialin.net] has joined #openvpn
04:48 <@vpnHelper> RSS Update - forum: Configuration :: How to change users' passwords in the client? :: Author manu26 <https://forums.openvpn.net/viewtopic.php?f=6&t=7226&p=8268#p8268>
04:50 < lupine_85> hmm, just adding pull to the file results in the client complaining that socket.connect() failed
04:53 < lupine_85> I guess what I really want is "route everything except traffic for this particular IP via the gateway". or something
05:05 < kisom> hello everyone, i'm trying to set up openvpn with my usual conf on a RHEL server, but i'm getting this in the log: "Tue Nov  2 10:49:53 2010 Note: cannot open /tmp/VPN-Leases for READ/WRITE"
05:06 < kisom> I'm using ifconfig-pool-persist /tmp/VPN-Leases 29
05:06 < kisom> which works fine on arch and ubuntu
05:07 < lupine_85> a-ha. put the redirect-gateway in the client-config, don't bother trying to push it
05:07 < lupine_85> now I just need to NAT it on the server, and it should Just Work
05:13 < kisom> nvm, selinux was screwing with me
05:14 < lupine_85> ok, traffic passes. Now to stop it from trying to talk to the captive portal's DNS nameservers
05:24 < lupine_85> it works! and well :)
05:24 < lupine_85> awesome
05:57 -!- korozion [korozion@linuxgeneration.org] has quit [Ping timeout: 240 seconds]
06:05 -!- korozion [korozion@linuxgeneration.org] has joined #openvpn
06:06 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
06:18 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
06:23 < lupine_85> http://nick.thomas.name/2010/11/secure-internet-on-insecure-networks :)
06:23 <@vpnHelper> Title: Nick Thomas : Secure internet on insecure networks (at nick.thomas.name)
06:37 < lupine_85> hmm
06:38 < lupine_85> can I put some kind of passphrase on the static key ?
06:44 -!- finetic [~finetic@213.155.20.16] has joined #openvpn
06:45 < finetic> Anyone in here can help me a bit with starting to set up an openvpn server on my dedicated server?
06:45 < finetic> I have started reading the howto, but i really dont understand it
06:45 < |Mike|> !howto
06:45 <@vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:46 < finetic> read up please
06:47 < finetic> should i use rpm?
06:47 < finetic> there is also debian package , is this better than rpm?
06:49 < |Mike|> what os/distro are you using?
06:49 < finetic> Debian Lenny
06:49 < |Mike|> and they use... apt
06:49 < finetic> Linux I311 2.6.26-2-686 #1 SMP Thu Sep 16 19:35:51 UTC 2010 i686 GNU/Linux
06:50 < finetic> oh ok
06:50 < finetic> |Mike|: openvpn works like, that when you connect to it with a client, everything -once you are connected- is wrapped in that ip right?
06:50 < |Mike|> apt-get install openvpn
06:51 < finetic> so if i would have to connect to for instance a bitlbee server i would have the ip of my openvpn server ip right?
06:51 < |Mike|> could be, depends on how you configure it
06:51 < finetic> Is it configurable like that?
06:52 < |Mike|> Yes.
06:52 < finetic> ok done, installed apt-get install openvpn
06:53 < |Mike|> http://www.openvpn.net/index.php/open-source/documentation/howto.html#redirect
06:53 <@vpnHelper> Title: HOWTO (at www.openvpn.net)
06:54 < finetic> thganks
06:54 < finetic> should i just start there? no other actions i first have to do?
06:54 < finetic> after i installed it
06:55 < |Mike|> please read the howto sir..
06:56 -!- roidelapluie [~roidelapl@unaffiliated/roidelapluie] has left #openvpn []
07:03 < finetic> how can I best determine whether I should use Routed or Bridged VPN ?
07:09 -!- BenBu is now known as BenB
07:25 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
07:40 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
07:46 -!- [intra]lanman [~lanman@12.200.95.45] has joined #openvpn
07:46 -!- [intra]lanman [~lanman@12.200.95.45] has quit [Changing host]
07:46 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
08:27 <@dazo> finetic: do you need to pass L2 traffic (ethernet frames) over the VPN at all?  If not, then you most likely don't need bridged VPN at all
08:27 <@dazo> !tunortap
08:27 <@vpnHelper> dazo: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you over
08:27 <@vpnHelper> dazo: the vpn, or (#4) lan gaming? use tap!
08:32 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
08:46 < Martin`> !wins
08:46 <@vpnHelper> Martin`: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
09:15 -!- morteng [~morteng@dslb-084-062-066-245.pools.arcor-ip.net] has joined #openvpn
09:16 -!- takamichi [~pri@pm301-97-169.keyworld.net] has quit []
09:17 < morteng> hello I have a small problem with openvpn running on opensolaris  ; however it works on debian linux, any clue?
09:34 -!- takamichi [~pri@pm301-97-169.keyworld.net] has joined #openvpn
09:42 -!- mattock [~samuli@dyn55-11.yok.fi] has left #openvpn []
09:43 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
09:43 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
09:47 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Ping timeout: 240 seconds]
10:35 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
10:36 -!- finetic [~finetic@213.155.20.16] has quit [Read error: Operation timed out]
10:37 < ecrist> !solaris
10:37 <@vpnHelper> ecrist: "solaris" is http://www.whiteboard.ne.jp/~admin2/tuntap/ for the solaris tuntap driver, good luck... ive heard mixed reviews. let us know how it works for you
10:57 < Bushmills> morteng: " a sma a small problem ..."  a: determine the cause of "small problem", b: take steps towards solving "small problem"
10:57 -!- finetic [~finetic@213.155.20.16] has joined #openvpn
10:58 < finetic> Hi, am just starting with altering config files of openvpn, where can i find it?
10:58 < finetic> the main file
10:59 < |Mike|> strace it ? :-p
10:59 < Bushmills> finetic: you don't need any. but you may want one.
10:59 <@vpnHelper> RSS Update - forum: Off Topic, Related :: The best ever VPN server in the world! :: Author s01o <https://forums.openvpn.net/viewtopic.php?f=1&t=7227&p=8269#p8269>
11:00 < Bushmills> finetic: for creating one, you can use an interactive openvpn configuration frontend, called a "text editor"
11:01 < Bushmills> finetic: all options to openvpn can be passed on the command line, making config file unnecessary
11:01 < finetic> ok
11:01 < finetic> Bushmills: ok
11:02 < finetic> Bushmills: basically, what I only have done until now is installed apt-get install openvpn, generated keys
11:02 < finetic> what more should i do to have it running properly?
11:05 < Bushmills> creating ssl keys and certificates to sign keys with may be a good idea, especially if you want to allow a few clients
11:06 < Bushmills> that's explained in:
11:06 < Bushmills> !howto
11:06 <@vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:06 < finetic> Bushmills: that i have done
11:07 < Bushmills> http://openvpn.net/index.php/open-source/documentation/howto.html#config  here you should find small sample config files
11:08 <@vpnHelper> Title: HOWTO (at openvpn.net)
11:08 < morteng> tun and tap is already installed. pkgutil --install openvpn tun  tap  the tun tap driver was part of my preparations for openvpn
11:09 < morteng> I did it, it works on linux but not on opensolaris.  
11:10 < finetic> Bushmills: which location should the config file be put?
11:13 < Bushmills> doesn't really matter. where it makes most sense. in a subdirectory next to other directories with config files of programs on your system, maybe.
11:14 < Bushmills> though you want to be careful not to place your config file on a RAM disk
11:18 < finetic> Bushmills: but i dont understand it
11:18 < finetic> how does openvpn know where the file is?
11:19 < Bushmills> --config /full/path/to/configfile
11:19 < finetic> so usually you wont start openvpn server as a daemon at boot time?
11:19 < |Mike|> you can.
11:20 < |Mike|> init scripts
11:20 < finetic> but its not default when you install openvpn?
11:20 < |Mike|> in debian it is
11:20 < |Mike|> you can even figure out which config it's using via the init script :)
11:21 < finetic> how?
11:23 < Bushmills> finetic: there is no universal standard where different operating systems put their config files, and how services are started
11:23 < Bushmills> the detailed process of starting openvpn, and the default location of config files, depends on the operating system you're running it under 
11:23 < finetic> i mean, how can i find out which config file is used by openvpn at boot
11:23 < finetic> Bushmills: debian lenny
11:24 < Bushmills>  /etc/openvpn
11:24 < Bushmills> it starts one openvpn instance for each .conf file in there, but you can change that in /etc/defaults/openvpn
11:24 < finetic> Bushmills: no config files there now
11:25 < Bushmills> have you created one already?
11:25 < finetic> nop
11:25 < Bushmills> that's the reason
11:25 < finetic> i should just create one in that folder?
11:25 < finetic> in /etc/openvpn
11:25 < Bushmills> no, you want to place it in that directory
11:26 < finetic> i mean, copy a sample right?
11:26 < Bushmills> if you prefer to start with a sample config, yes
11:26 < finetic> what would you do?
11:26 < finetic> i just want to get the vpn server as fast as i can up / running
11:27 < finetic> i wasted like 2 working days on this already :(*
11:27 < Bushmills> most people manage to get started quicker than that, but they also read some docs before doing
11:28 < Bushmills> did you learn anything in those 2 days?
11:28 < finetic> not much apart from the howto some parts
11:28 < finetic> the howto recommends to just start with the sample config file
11:28 < Bushmills> so you spent two days on trying to set up openvpn without really knowing what you were doing?
11:29 < finetic> i guess
11:29 < Bushmills> in that case i's suggest a bit more study of the !howto.
11:29 < Bushmills> you may want to check out:
11:29 < Bushmills> !confgen
11:30 <@vpnHelper> Bushmills: "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/
11:31 < finetic> I am reading now, but i will use the sample config with the updated key locations, this is ok?
11:32 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
11:32 < finetic> so when my system boots, does it read from /etc/openvpn/server.conf ?
11:33 < Bushmills> yes. files read from that location by /etc/init.d/openvpn
11:35 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
11:35 < finetic> is it recommended that i let it listen on another ip address than the primary one?
11:36 < finetic> that i connect to
11:36 -!- Netsplit *.net <-> *.split quits: kraut, Fiouz, Agin, pasik, LeRrA, Martin`
11:36 -!- Netsplit over, joins: LeRrA, Martin`, Agin, pasik
11:37 -!- Netsplit over, joins: Fiouz
11:37 < Bushmills> it is recommended to let it listen to the interface with the ip address where you will connect to it
11:37 -!- phusion__ [psn@2607:f0d0:2001:8b::50:1337] has quit [Read error: Operation timed out]
11:37 -!- phusion__ [psn@2607:f0d0:2001:8b::50:1337] has joined #openvpn
11:38 < Bushmills> letting it listen to the interfaces where you won't connect is not necessary but doesn't hurt
11:38 < finetic> I mean, i have requested multiple ips for my dedicated server
11:38 < finetic> im able to add multiple
11:41 < Bushmills> then you probably want to bind to one single address only - as the additional ip addresses can be used to assign to virtual servers
11:41 < |Mike|> L:P
11:44 < finetic> yes
11:45 < finetic> why openvpn defaults to udp and not tcp?
11:45 < |Mike|> !tcp
11:45 <@vpnHelper> |Mike|: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
11:47 < |Mike|> you know the difference between udp and tcp right?
11:48 < finetic> yes
11:48 < Bushmills> finetic: when setting up an smtp server - do you know what you need to do to . for example - avoid becoming a spam relay?
11:48 < Bushmills> oops. entirely wrong channel, sorry
11:48 < |Mike|> Bushmills: nice domain :)
11:50 < Bushmills> thanks :)
11:51 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
11:54 < finetic> whats the difference in use between 'dev tun' (the default) and 'dev tap' ?
11:54 < Bushmills> !tunortap
11:54 <@vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
11:54 <@vpnHelper> Bushmills: over the vpn, or (#4) lan gaming? use tap!
11:55 < finetic> ok clear thx
11:56 -!- WebDawg [~WebDawg@officialg0d.com] has quit [Ping timeout: 255 seconds]
11:56 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
12:01 -!- WebDawg [~WebDawg@officialg0d.com] has joined #openvpn
12:18 -!- dazo is now known as dazo_afk
12:34 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:36 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
12:44 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
12:46 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Routing trouble :: Reply by snorhyvel <https://forums.openvpn.net/viewtopic.php?f=4&t=7217&p=8270#p8270>
12:49 < finetic> how can i test whether my server that runs openvpn accepts udp connections on port 1194 ?
12:50 < ecrist> connect to udp port 1194
12:51 < Bushmills> finetic: run    netstat -lunp     on server
12:51 < Bushmills> that doesn't take account of possible firewall, potentially blocking access
12:52 < finetic> ok
12:52 < finetic> running now, thanks
12:53 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Remote host closed the connection]
12:56 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
13:07 < finetic> is there much difference between OpenVPN Access Server Windows Client Download and OpenVPN Community Software Windows Client Download ?
13:07 < finetic> which can I best download for windows xp ?
13:08 < ecrist> big difference
13:09 -!- atan [~atan@unaffiliated/atan] has quit [Quit: Leaving]
13:10 < finetic> ecrist: like?
13:10 < ecrist> !as
13:10 <@vpnHelper> ecrist: "as" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations options
13:10 <@vpnHelper> ecrist: supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
13:11 < finetic> so for a basic openvpn server install i would need to install the Access Server Windows Client Download ?
13:12 < Bushmills> openvpn is either client or server, depending only on its configuration
13:13 < finetic> Bushmills: http://openvpn.net/index.php/openvpn-client.html
13:13 <@vpnHelper> Title: Downloads (at openvpn.net)
13:13 < Bushmills> use the community version of openvpn
13:14 < Bushmills> http://openvpn.net/index.php/open-source/downloads.html
13:14 <@vpnHelper> Title: Downloads (at openvpn.net)
13:14 < finetic> ok
13:15 < finetic> TAP Virtual Ethernet Adapter would not be needed right?
13:16 < Bushmills> with a tun configuration on server, client would be configure for tun interface too
13:17 < Bushmills> but i think that the windows tun and tap driver are one and the same
13:17 < finetic> ok
13:17 < Bushmills> i.e. same driver providing functionality for either. but i'm not a windows expert, can't say for sure.
13:21 < finetic> ok got it
13:21 < finetic> I'm connected now
13:22 < finetic> how can i verify this?
13:23 < finetic> nvm i pinged 10.8.0.1 and looks working
13:24 < Bushmills> only 2 hours this time
13:25 < finetic> hehe
13:25 < finetic> well there are some things i want to accomplish
13:25 < finetic> I would like to have the ip address of the vpn, on my local virtual machine
13:26 < finetic> so, no matter where i connect to , bitlbee etc i have the ip of the vpn server
13:26 < Bushmills> but you have it. your tun0 interface ...
13:26 < finetic> yes, but when i go to whatismyip.com i still see the local adsl ip
13:26 < Bushmills> the vpn server also has an ip address which will not change
13:27 < finetic> yes but i need to get the external ip address of the vpn
13:27 < Bushmills> then the only traffic which goes to server is ... traffic to server 
13:27 < finetic> huh ?
13:27 < finetic> dont understand
13:27 < Bushmills> other traffic goes through your dsl connection
13:27 < Bushmills> !redirect
13:27 <@vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:28 < finetic> yes thats what i need
13:28 < Bushmills> your client has no reason to send traffic through openvpn 
13:28 < Bushmills> why should it? just because it is running?
13:28 < finetic> I need to authenticate to a lot ip restricted services
13:28 < finetic> its better to have the ip already
13:29 < Bushmills> the client can not even assume that openvpn server will function as gateway to internet
13:29 < Bushmills> that's why you have to set it up to function as such
13:29 < finetic> ok
13:29 < finetic> so I have to follow all
13:29 < finetic> !redirect
13:29 <@vpnHelper> finetic: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:29 < finetic> things
13:29 < Bushmills> right
13:29 < finetic> ok
13:30 < finetic> !def1
13:30 <@vpnHelper> finetic: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
13:30 < Bushmills> and you may need to take care of the name server which you currently use to resolve host names
13:31 < Bushmills> if you use the one of your internet provider, it may refuse access when requests are coming from your openvpn server, as that one is most likely outside of their net  
13:45 -!- takamichi [~pri@pm301-97-169.keyworld.net] has quit [Remote host closed the connection]
13:52 -!- takamichi [~pri@pm301-97-169.keyworld.net] has joined #openvpn
14:04 -!- daguz [~leo@208-1-63-50.celito.net] has joined #openvpn
14:09 -!- larsrh [~lars@unaffiliated/larsrh] has joined #openvpn
14:09 < larsrh> Is it possible to increase the length of the TLS key?
14:09 < larsrh> What I want to do is to increase the renegotiation time, but as that is rather insecure, I would like to get longer keys instead.
14:12 < larsrh> !welcome
14:12 <@vpnHelper> larsrh: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:12 < larsrh> !goal
14:12 <@vpnHelper> larsrh: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:16 < finetic> Bushmills: this means i have to alter the server parameter in the config right?
14:23 -!- rawDawg [~rawdawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined #openvpn
14:27 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 240 seconds]
14:28 < finetic> Anyone in here ever managed to redirect all internet traffic through the VPN ?
14:28 < ecrist> yeah, it's easy to do
14:28 < ecrist> !def1
14:28 <@vpnHelper> ecrist: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
14:28 < finetic> ecrist: yes i had a question
14:29 < finetic> ecrist: where in the config file can i find this?
14:29 < larsrh> works without def1 for me
14:29 < finetic> larsrh: where should i put this in the config?
14:29 < larsrh> finetic: simply use redirect-gateway as a directive
14:30 < larsrh> or "redirect-gateway def1"
14:30 <@vpnHelper> RSS Update - forum: Configuration :: Openvpn client on opensolaris configuration help :: Author morten44 <https://forums.openvpn.net/viewtopic.php?f=6&t=7228&p=8271#p8271>
14:30 < finetic> when starting openvpn?
14:30 < finetic> larsrh: 'openvpn server.cong --redirect-gateway' - like this?
14:31 < larsrh> finetic: No, not at the server.
14:31 < finetic> on windows xp then?
14:31 < larsrh> If you want to have it for some clients, add --redirect-gateway for each client you wish.
14:31 < larsrh> Else, use "push redirect-gateway" in your server.conf
14:31 < finetic> ok
14:33 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
14:33 < finetic> I did it now
14:33 < finetic> but the only thing I can connect to is my OpenVPN shell now
14:34 < finetic> the rest dont work
14:34 < morteng> I have posted my issue in the forum, /var/log/openvpn-rwth.log  expects the pem file in a nonexistent directory, obviously there is a linux configuration file I have.
14:34 < finetic> larsrh: I only added push redirect-gateway 
14:34 < finetic> larsrh: any more things i should fix?
14:35 -!- papas_son [~chatzilla@68-116-31-34.static.yakm.wa.charter.com] has joined #openvpn
14:35 < larsrh> finetic: Sorry, I don't know your configuration. I joined a few minutes ago.
14:35 < finetic> larsrh: its completely basic
14:35 < finetic> the only thing changed is what u just said
14:36 < larsrh> try push redirect-gateway def1
14:36 < finetic> MULTI: bad source address from client [192.168.1.30], packet dropped
14:36 -!- morteng [~morteng@dslb-084-062-066-245.pools.arcor-ip.net] has left #openvpn []
14:36 < finetic> this is what i get a 100 times in the vpn server instance
14:37 < larsrh> finetic: IIRC I get this stuff as well and it works nonetheless
14:37 < larsrh> and keep in mind, probably your DNS is going to be broken with redirect-gateway
14:38 < finetic> doesnt matter for now
14:38 < finetic> just even visiting an ip doesnt work
14:38 < finetic> also with def1
14:39 < larsrh> Is IP forwarding active on your server? iptables properly configured?
14:40 < finetic> no
14:40 < finetic> is this hard to do ?
14:42 < ecrist> DNS does not have to break with redirect-gateway
14:42 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:42 < ecrist> !dns
14:42 < larsrh> Server operating system?
14:42 <@vpnHelper> ecrist: "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4
14:43 < larsrh> ecrist: Yeah, I know. But it's usually the case if you're using a DHCP server only reachable behind a firewall.
14:44 < ecrist> poor design, rather than a problem with the tech
14:44 < finetic> larsrh: debian
14:44 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
14:44 < finetic> larsrh: debian lenny
14:45 < larsrh> s/DHCP/DNS/
14:46 < larsrh> fin	wait a sec
14:46 < finetic> ok
14:47 -!- epaphus [~user@201.199.62.74] has quit [Quit: Leaving]
14:48 < larsrh> finetic: forwarding is sysctl -w net.ipv4.ip_forward=1 (on your debian shell)
14:49 < larsrh> Try that, if it doesn't work, also execute     iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
14:49 < larsrh> (with eth0 and 10.8.0.0 replaced by your values)
14:51 < finetic> larsrh: eth0 should be tun0 right?
14:52 < finetic> or eth0  (my primary network if)
14:55 < larsrh> your primary network
14:55 < finetic> ok both done
14:56 < finetic> what should i need to restart? only the vpn? or alkso network
14:57 < finetic> just did it, but stays same
14:57 < larsrh> nothing, normally
14:57 < finetic> cant access any outside ip
14:57 < larsrh> okay, try to restart the openvpn server
14:57 < finetic> done
14:58 < finetic> same still
14:58 < larsrh> is your server behind a firewall?
14:58 < finetic> no
14:58 < finetic> !nat
14:59 <@vpnHelper> finetic: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
14:59 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
15:02 < finetic> weird because what i just did is all the manual said
15:02 < finetic> and i dont see i did something wrong
15:02 < larsrh> could you please make a trace route from your client?
15:06 -!- finetic [~finetic@213.155.20.16] has quit [Ping timeout: 276 seconds]
15:07 -!- kring [~tom@fl-67-235-207-242.dhcp.embarqhsd.net] has joined #openvpn
15:13 < kring> hi! I could need some help with routing, completely new to this. My home setup: A box behind a router with local ip 10.0.1.100 running an openvpn client connected to a remote server. All traffic on this box is redirected over the VPN. Now, without the client running, I can ssh into the box from the outside using the ISPs IP (port forwarding works). When the client runs, I have only ssh access from within 
15:13 < kring> the home LAN. 
15:14 < kring> I guess, the packets from outside are forwarded and then dropped. How can I get ssh access from the outside? Any help is greatly appreciated!
15:33 -!- rawDawg2 [~rawdawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined #openvpn
15:36 -!- rawDawg [~rawdawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Ping timeout: 240 seconds]
15:47 -!- BenB [~ben@lns-bzn-38-82-253-102-120.adsl.proxad.net] has left #openvpn ["Konversation terminating Quasselstrippen"]
15:48 -!- atan2 [~atan@blk-222-132-103.eastlink.ca] has joined #openvpn
15:53 -!- atan [~atan@unaffiliated/atan] has quit [Ping timeout: 276 seconds]
15:53 -!- finetic [~finetic@213.155.20.16] has joined #openvpn
15:53 < finetic> hi, i am trying to redirect all internet traffic through my vpn connection
15:53 < finetic> however, I do not get any connection to the internet at all
15:54 < finetic> I'ld like to know what might be going wrong
15:56 < finetic> actually it works now, only a lot of domains dont work
15:56 < Bushmills> finetic:  (19:31:14) Bushmills: if you use the one of your internet provider, it may refuse access when requests are coming from your openvpn server, as that one is most likely outside of their net  
15:57 < Bushmills> (name server)
15:57 < finetic> google.com works
15:57 < finetic> but many other ips dont
15:58 < finetic> the site of my dedicated server works
15:58 < Bushmills> to test, use as name server on your client, a public name server, like 8.8.8.8
15:58 < finetic> Bushmills: how can i do this?
15:58 < Bushmills> if that shows that that is your problem, there'll be several things you can do
15:58 < Bushmills> depends on your operating system. consult the manual
15:59 < finetic> Windows XP
15:59 < finetic> you mean the DNS server?
15:59 < Bushmills> i think you need to move around the mouse in a specific way, and click here and there
16:00 < finetic> ok, the IF of the openvpn server
16:00 < finetic> for this IF in windows XP I change the DNS server to a public one?
16:00 < finetic> but i think thats not the problem anyway
16:00 < finetic> because i cannot ping any addresses either
16:00 < finetic> name resolving all works well anyway
16:00 < finetic> i just cannot ping a lot ip addresses
16:00 < Bushmills> do all these three steps:
16:00 < finetic> cnn.com etc dont work
16:00 < Bushmills> !redirect
16:00 -!- nb_ [~nb@fedora/GSWoT.Member.nb] has joined #openvpn
16:00 <@vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
16:00 < finetic> while sites like google.com etc do work
16:01 < finetic> ok lets verify i did all 3
16:01 < finetic> !def1
16:01 <@vpnHelper> finetic: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
16:01 < Bushmills> make sure your traffic isn't firewalled
16:01 < Bushmills> and make sure that all host names you try resolve
16:01 < finetic> yes, i tried pinging like 100 names, they all resolved
16:02 < finetic> !ipforward
16:02 <@vpnHelper> finetic: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
16:02 < finetic> !linipforward
16:02 <@vpnHelper> finetic: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
16:02 < finetic> !winipforward
16:02 <@vpnHelper> finetic: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
16:03 < Bushmills> use the windows equivalents of traceroute or mtr to determine what hop in your route causes the problem
16:03 < finetic> yep thanks
16:04 < finetic> 10.8.0.1 
16:04 < finetic> 213.155.20.253
16:04 < finetic> request timed out
16:04 < finetic> Bushmills: any idea how i can see?
16:06 < finetic> Bushmills: i'll pm a traceroute that went ok, and one that did not ?
16:06 < finetic> ok
16:06 < Bushmills> can you ping any internet host (other than your own server)?
16:07 < finetic> yes, but i think it might be the network of the dedicated server in ukraine which has problems
16:07 < Bushmills> if that's the case, there is very little openvpn can do about it
16:07 < finetic> yea and i just need to slap a network admnin
16:07 < finetic> admin
16:07 < finetic> thanks a lot i guess it shoul work
16:08 < finetic> by now, just need network problems fixed
16:14 -!- loczsi [48c09d39@gateway/web/freenode/ip.72.192.157.57] has joined #openvpn
16:14 < loczsi> Is there any way to set up openvpn to work with window's built in vpn client?
16:14 < Bushmills> no
16:15 < loczsi> what to do?
16:15 < Bushmills> install openvpn
16:15 < loczsi> on the window's clients?
16:15 < Bushmills> yes
16:16 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 264 seconds]
16:16 < Bushmills> or on router/gateway those windows clients can route traffic through
16:16 < loczsi> ok... thanks...
16:19 -!- rawDawg2 [~rawdawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: Connection reset by peer]
16:19 -!- nb [~nb@fedora/GSWoT.Member.nb] has quit [Changing host]
16:19 -!- nb [~nb@fedora/nb] has joined #openvpn
16:19 -!- nb_ [~nb@fedora/GSWoT.Member.nb] has quit [Changing host]
16:19 -!- nb_ [~nb@fedora/nb] has joined #openvpn
16:20 -!- atan2 [~atan@blk-222-132-103.eastlink.ca] has quit [Read error: Connection reset by peer]
16:20 -!- atan2 [~atan@blk-222-132-103.eastlink.ca] has joined #openvpn
16:22 -!- atan2 [~atan@blk-222-132-103.eastlink.ca] has quit [Read error: Connection reset by peer]
16:23 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
16:24 -!- atan [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
16:24 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
16:30 -!- atan2 [~atan@blk-222-132-103.eastlink.ca] has joined #openvpn
16:31 -!- loczsi [48c09d39@gateway/web/freenode/ip.72.192.157.57] has quit [Quit: Page closed]
16:31 -!- atan2 [~atan@blk-222-132-103.eastlink.ca] has quit [Read error: Connection reset by peer]
16:31 -!- atan2 [~atan@blk-222-132-103.eastlink.ca] has joined #openvpn
16:33 -!- atan [~atan@unaffiliated/atan] has quit [Ping timeout: 255 seconds]
16:35 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
16:35 -!- atan [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
16:38 -!- atan2 [~atan@blk-222-132-103.eastlink.ca] has quit [Ping timeout: 264 seconds]
16:53 <@vpnHelper> RSS Update - forum: Configuration :: Error building client certificate! :: Author silajim <https://forums.openvpn.net/viewtopic.php?f=6&t=7229&p=8272#p8272>
16:54 -!- larsrh [~lars@unaffiliated/larsrh] has left #openvpn []
17:01 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
17:01 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
17:08 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:13 -!- atan2 [~atan@blk-222-132-103.eastlink.ca] has joined #openvpn
17:16 -!- atan [~atan@unaffiliated/atan] has quit [Ping timeout: 265 seconds]
17:20 -!- bob368 [~bob@166.205.9.172] has joined #openvpn
17:23 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
17:23 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
17:31 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
17:32 -!- bob368 [~bob@166.205.9.172] has quit [Quit: Colloquy for iPhone - http://colloquy.mobi]
18:03 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
18:14 -!- mrle0 [~fin@cpc13-bele7-2-0-cust182.2-1.cable.virginmedia.com] has quit [Quit: Leaving]
18:14 -!- mrle0 [~fin@cpc13-bele7-2-0-cust182.2-1.cable.virginmedia.com] has joined #openvpn
18:20 -!- atan [atan@unaffiliated/atan] has joined #openvpn
18:21 -!- atan2 [~atan@blk-222-132-103.eastlink.ca] has quit [Ping timeout: 265 seconds]
18:33 -!- atan2 [~atan@blk-222-132-103.eastlink.ca] has joined #openvpn
18:36 -!- atan [atan@unaffiliated/atan] has quit [Ping timeout: 272 seconds]
18:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
18:40 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
19:02 < finetic> I've just successfully configured OpenVPN
19:02 < finetic> i had a few questions
19:03 < finetic> now i start it with 'openvpn server.conf'
19:03 < finetic> is it also possible to start it at boot?
19:03 < Bushmills> edit /etc/defaults/openvpn
19:04 < Bushmills> AUTOSTART="all"
19:04 < finetic>  /etc/defaults doesnt exist
19:04 -!- sphinxxx [sphinxxx@pool-74-102-92-41.nwrknj.fios.verizon.net] has joined #openvpn
19:04 < Bushmills> i assume you have installed the debian package
19:04 < finetic> yes
19:05 < sphinxxx> how can i properly install openvpn to protect all my network traffic? on a ddwrt or on one of my network computers that is on 24/7, would that be ok?
19:05 < Bushmills> try to depend less on 100% accuracy of what you're told. for example, see that you can find /etc/default instead of /etc/defaults yourself
19:06 < finetic> sorry
19:06 < finetic> OPTARGS='/etc/openvpn/server.conf' 
19:06 < finetic> like this Bushmills 
19:06 < krzie> sphinxxx, yes, that works fine
19:07 < Bushmills> no
19:07 < Bushmills> like  AUTOSTART="all"
19:07 < finetic> Bushmills: yes i did that
19:07 < finetic> but i mena
19:07 < Bushmills> and like   OPTARGS=""
19:07 < finetic> i want to use the file server.conf as argument
19:08 < finetic> OPTARGS="/etc/openvpn/server.conf"
19:08 < Bushmills> then make it  AUTOSTART="server"
19:08 < finetic> huh?
19:08 < finetic> what this would do?
19:08 < sphinxxx> so if i install openvpn on my "server", all other computesr on the network will go through my server for network traffic, even if they have an ip assigned (and are connected to) my router?
19:08 < Bushmills> server, like  es e are vee e are
19:08 < Bushmills> (01:07:50) finetic: i want to use the file server.conf as argument
19:09 < Bushmills> ^^^^ that's what it does
19:10 < finetic> Bushmills: ok but how does it know where the server.conf ile is?
19:11 < Bushmills> look at /etc/init.d/openvpn
19:12 < Bushmills> especially at the line  CONFIG_DIR=/etc/openvpn
19:12 < finetic> ah sorry
19:17 -!- finetic [~finetic@213.155.20.16] has quit [Quit: leaving]
19:20 < krzie> sphinxxx, you said you were thinking about setting up openvpn on your router
19:21 < krzie> if your router then connects to the server, in a setup like !redirect, all machines that use that router as their default gateway will go over the vpn
19:21 < Bushmills> sphinxxx: no. not automatically
19:21 < krzie> right, not automatically, but it can be done
19:22 -!- finetic [~finetic@213.155.20.16] has joined #openvpn
19:23 < Bushmills> with sufficient openvpn-fu, it can be done
19:23 -!- finetic [~finetic@213.155.20.16] has quit [Client Quit]
19:24  * Bushmills nods
19:29 -!- finetic [~finetic@213.155.20.16] has joined #openvpn
19:29 < finetic> Bushmills: great it doesnt work anymoore :(
19:29 < finetic> the redirecting of traffic
19:29 < finetic> I changed nothing, just only restarted
19:30 < Bushmills> the init stuff is not related to that. 
19:30 < finetic> well i have really no idea what it could be then
19:30 < Bushmills> that only affects starting (or not starting) openvpn
19:30 < krzie> prolly didnt set ip forwarding permanently
19:30 < finetic> ahh of course
19:30 < finetic> thanks
19:30 < krzie> np
19:31 < finetic> !redirect
19:31 <@vpnHelper> finetic: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
19:31 < finetic> !nat
19:31 <@vpnHelper> finetic: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
19:31 < finetic> !ipforward
19:31 <@vpnHelper> finetic: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
19:31 < finetic> !linnat
19:31 <@vpnHelper> finetic: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
19:31 < finetic> !linipforward
19:31 < Bushmills> great, someone who shouts "it doesn't work anymore" before stopping a second to think on what he may have missed 
19:31 <@vpnHelper> finetic: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
19:34 < finetic> these 2 options 'sysctl -w net.ipv4.ip_forward=1' and 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE'
19:34 < sphinxxx> hey sry krzie just say your reply
19:34 < finetic> how can i set them automatically when booting
19:35 < sphinxxx> basically im not sure how i want to go about it, because alkthough i have a router, its a verizon router and i can't put openvpn on it, i'd need a hackable linksys router but then i'd have 2 routers in my setup which might cause headaches
19:35 < Bushmills> read the manual of your operating system
19:35 < Bushmills> finetic: ^^^^
19:36 < finetic> ok
19:36 < sphinxxx> i was looking into the hp mediasmart servers, but the more i learn about linux the more i want a linux server
19:39 < Bushmills> krzie would probably suggest to use FreeBSD instead
19:39 < krzie> nah, use whatever you are comfy with
19:39 < krzie> for me, thats freebsd ;]
19:39 < krzie> !bestos
19:39 <@vpnHelper> krzie: "bestos" is the best os for openvpn is the one you are most comfortable with... also you can make jpalmer angry by seeing !windows
19:40 < Bushmills> !os/2
19:40 <@vpnHelper> Bushmills: Error: "os/2" is not a valid command.
19:40 < sphinxxx> !windows
19:40 <@vpnHelper> sphinxxx: "windows" is pcs are like air conditioners, they work fine unless you open windows
19:40 < Bushmills> pfff
19:40 < krzie> !forget bestos
19:40 <@vpnHelper> krzie: Joo got it.
19:40 < krzie> !learn bestos as the best os for openvpn is the one you are most comfortable with
19:40 <@vpnHelper> krzie: Joo got it.
19:40 < krzie> ;]
19:40 < finetic> Bushmills: the domain look ups, when redirecting, they also take place through the vpn?
19:40 < krzie> finetic, yes, unless you have a more specific route to them
19:40 < finetic> basically nothing happens anymore through my own adsl connection apart from tunneling the traffic FIRST to the VPN server?
19:41 < krzie> so if you use a NS supplied by your ISP, you may want to pushdns too
19:41 < finetic> nono
19:42 < Bushmills> (19:30:18) Bushmills: and you may need to take care of the name server which you currently use to resolve host names
19:42 < Bushmills> (19:31:14) Bushmills: if you use the one of your internet provider, it may refuse access when requests are coming from your openvpn server, as that one is most likely outside of their net  
19:43 < finetic> yes but all dns requests work now so i guessi ts ok
19:43 < finetic> but, really all traffic is now going out securely encrypted?
19:43 < finetic> there is no traffic that does not ?
19:46 < Bushmills> traffic to your server which is not sent to the ip address of the server tun interface will not be encrypted
19:46 < Bushmills> and what leaves your server into the abyss of the internet will also not be encrypted
19:47 < Bushmills> and traffic to any destination for which a route exists with non-tun interface will also not be encrypted
19:48  * krzie nods
19:50 < finetic> hmmmmmm
19:50 < finetic> but basically, this won't happen right?
19:51 < sphinxxx> would the main purpose of openvpn server on a home network be just for securing remote connections into the home network?
19:51 < finetic> why would it not pick the openvpn server interface?
19:51 < finetic> the 10.8.0.3 one
19:51 < Bushmills> what is "it", and why should it do so?
19:51 -!- mrle0 is now known as le0
19:51 -!- le0 [~fin@cpc13-bele7-2-0-cust182.2-1.cable.virginmedia.com] has quit [Quit: Leaving]
19:51 < finetic> my primary IF on windows xp
19:51 < finetic> is now the TUN the OpenVPN client creates
19:52 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
19:52 < Bushmills> you don't send interfaces through openvpn. you send network traffic.
19:52 < finetic> which means all traffic (eg. remote desktop, firefox, msn) etc goes through that one?
19:52 < finetic> and thus is encrypted
19:52 < finetic> when i go to firefox and open whatismyip.com it says external.ip
19:53 < Bushmills> and when you connect with firefox to the same address which you specified as "remote" in your openvpn client config, where would the traffic go then?
19:54 < finetic> first to the vpn and then to remote?
19:54 < finetic> so, to the remote first
19:55 < finetic> and then the remote opens itself?
19:55 < Bushmills> where that the case - wouldn't openvpn have to send its own traffic to server through itself then? 
19:55 < Bushmills> were ...
19:55 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 252 seconds]
19:55 < finetic> yes, but still encrypted, right?
19:55 < Bushmills> (01:47:29) Bushmills: and traffic to any destination for which a route exists with non-tun interface will also not be encrypted
19:55 < finetic> huh why?
19:55 < finetic> dont understand
19:55 < Bushmills> there *is* a route to your vpn server in your routing table
19:56 < Bushmills> otherwise the client couldn't connect to server
19:56 < Bushmills> well, it could connect, but the moment it did, it would not be able to reach server any longer
19:56 < finetic> but what i dont get
19:57 < finetic> how come it wont be encrypted then?
19:57 < Bushmills> were it encrypted already - you wouldn't need the vpn then
19:58 < Bushmills> traffic from openvpn client to openvpn server (to its public ip address) can't be sent through openvpn
19:58 < Bushmills> after all, that route is used by client to reach server, to establish the vpn
19:59 < Bushmills> vpn traffic can't be sent through itself
19:59 < finetic> ok
20:00 < finetic> so basicaly, lets say i have a virtual machine now on the vpn server running with win2k3 and the openvpn client has 10.8.0.4 the openvpn server has 10.8.0.1 and the new vm i give 10.8.0.10
20:01 < finetic> when i connect from the client 10.8.0.4 to the vm 10.8.0.10
20:01 < finetic> it also won't be encrypted?
20:02 < Bushmills> (01:58:39) Bushmills: traffic from openvpn client to openvpn server (to its public ip address) can't be sent
20:02 < Bushmills> is 10.8.x.x the *public* ip address of server?
20:02 < finetic> ahh ok
20:03 < finetic> so basically all traffic i would execute from the openvpn client running system (in this case vm with windows xp at my home pc) will be encrypted apart from that to the server itself (i.e. i visit the webserver running on the same box as the openvpn server)
20:03 < Bushmills> why don't you try to think a bit for yourself, or at least try to read what is explained to you a bit more carefully?
20:04 < finetic> Well, what can i try ? i can try to catch some traffic with wireshark right?
20:04 < finetic> and see for myself what is and what is not encrypted
20:04 < Bushmills> if wireshark enhances your thinking, sure
20:05 < Bushmills> other folks use coffee
20:05 < sphinxxx> is wireshark good for listening to any traffic on a specific tcp connection (like an established connection from a netstat), or is it overkill?
20:06 < Bushmills> tshark is a nice alternative, being a console app. similar to tcpdump 
20:07 < sphinxxx> in wireshark i believe setting the filter to show only from a certain port would pinpoint the connection
20:07 < finetic> Bushmills: I am trying it now
20:07 < finetic> Bushmills: but the DNS lookups still go to my router instead of the vpn server
20:07 < finetic> (my router locally being 192.168.1.254)
20:10 < sphinxxx> what is the point of encrypting dns lookups?
20:10 < sphinxxx> sorry im a bit new to this stuff
20:11 < Bushmills> sphinxxx: not allowing provider to monitor what host names / domains you're resolving
20:11 < Bushmills> some sell this sort of information
20:12 < finetic> its not always for being at home
20:12 < finetic> but for when im at a hotel etc its much better
20:12 < sphinxxx> right, but the data once it leaves the server onto the internet is unencrypted
20:12 < sphinxxx> so they can tell what youre doing anyway no?
20:12 < finetic> sphinxxx: not if the server is in an environment with different laws
20:12 < finetic> given you are not doing criminal things etc
20:13 -!- kring [~tom@fl-67-235-207-242.dhcp.embarqhsd.net] has left #openvpn ["WeeChat 0.3.3"]
20:13 < Bushmills> no. provider won't know. server hoster may know, but can't easily connect that data with your person
20:13 < Bushmills> while internet access provider could
20:13 < finetic> because, what if there are no logs, what if there are sometimes 4,5  simultaneous  connections all day from different adsl addresses
20:14 < finetic> apart from the fact that the sent traffic is not known, its also impossible to point it to 1 person, right Bushmills ?
20:14 < Bushmills> sorry, there were too many "what if" for my current caffeine level
20:14 < finetic> lol
20:15 < sphinxxx> the iap could simply see packets with a source ip of your ip, and a dest ip of the website your viewing, essentially they can know that way, no?
20:15 < finetic> The packets are first transported encrypted through UDP protocol to the Open VPN Server , right Bushmills ?>
20:15 < Bushmills> name server lookups give almost the same information to IAP 
20:16 < finetic> Bushmills: how u mean?
20:16 < Bushmills> not the contents of traffic, but the destination
20:16 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
20:16 < Bushmills> sphinxxx: ^^^
20:16 < finetic> Bushmills: so how can i tunnel also the dns requests?
20:17 < Bushmills> by not using the dns proxy of your router
20:17 < sphinxxx> in all this, what would be the dns server, the server with openvpn on it, or a dns service of some kind>
20:17 < Bushmills> your choice
20:17 < finetic> Bushmills: how do i accomplish this?
20:17 < Bushmills> finetic: read your operating system manual
20:18 < Bushmills> sphinxxx: several possibilities
20:18 < finetic> Bushmills: i mean, to what ip should i set it? to the vpn servers one?
20:18 < sphinxxx> very interesting
20:18 < finetic> Bushmills: because they should be encrypted
20:18 < sphinxxx> i'll have to get more knowledgable before i can setup openvpn though
20:18 < Bushmills> finetic: several possibilities
20:18 < sphinxxx> (and buy a server)
20:19 < Bushmills> essentially breaks down to two:  use an own recursor, or use somebody else's recursor
20:20 < finetic> but in both cases they will be unencrypted right?
20:20 < sphinxxx> right
20:20 < sphinxxx> if i'm going to have a server on my home network, might as well use that
20:20 < Bushmills> not quite. 
20:20 < finetic> how not ? dont understand
20:20 < Bushmills> at one point, traffic has to leave unencrypted, that't true
20:21 < finetic> i mean, how do I FIRST get the DNS lookups to the server
20:21 < sphinxxx> bushmills thanks for the info ill be back another day
20:21 < Bushmills> but, depending on your solution, your system won't ask just one single name server, but another for each domain you are querying host names from
20:22 < Bushmills> finetic: read about recursive name server, wikipedia has articles on that for example
20:22 -!- sphinxxx [sphinxxx@pool-74-102-92-41.nwrknj.fios.verizon.net] has quit []
20:24 < Bushmills> idea is to use a recursive name server as resolver for your systems
20:26 < Bushmills> recursive name server can be on either side of the vpn
20:26 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
20:27 < Bushmills> when you don't choose to operate it yourself, you'd use a recursive name server, provided by somebody else
20:28 < finetic> yes
20:28 < finetic> so i should just go to the network IF in windows (the TUN one)
20:28 < finetic> and set the dns server to an external one?
20:28 < finetic> (best example here is ukraine because the hosting server is located there)
20:28 < Bushmills> that's one possibility
20:31 < finetic> lets test
20:31 < finetic> how can I best find a good dns server?
20:33 < Bushmills> "find" + "good" in that combination probably requires talking to people who know
20:34 < finetic> cool that works
20:34 -!- sde [~sde@93-97-41-44.zone5.bethere.co.uk] has joined #openvpn
20:34 < sde> Hi
20:34 < krzie> first of all
20:34 < finetic> i just added google's 8.8.8.8 
20:34 < sde> anyone around?
20:34 < krzie> what constitutes a "good nameserver" ?
20:34 < sde> my collegue has emailed me a private DSA key but i was wandering
20:35 < sde> what extension i should save it as?
20:35 < krzie> sde, it is for openvpn?
20:35 < sde> ermm no actually
20:35 < sde> sorry i thought i was in openssh room lol
20:36 < krzie> ahh ;)
20:36 < sde> but if you have the answer :)
20:36 < sde> be still good
20:37 < krzie> !google private key openssh filename
20:37 <@vpnHelper> krzie: Key Management and Agents (SSH, The Secure Shell: The Definitive ...: <http://docstore.mik.ua/orelly/networking_2ndEd/ssh/ch06_01.htm>; SSH Frequently Asked Questions: <http://www.snailbook.com/faq/publickey-userauth.auto.html>; SSH keys – sourceforge: <http://sourceforge.net/apps/trac/sourceforge/wiki/SSH%20keys>
20:38 < Bushmills> usually id_dsa  under unixoids.  .ppk under windoids
20:39 < finetic> does openvpn log all stuff by default?
20:39 < Bushmills> may need converting for windows
20:39 < finetic> ips ports etc?
20:39 < Bushmills> nope
20:40 < finetic> which dir does it put the thing it actually logs?
20:40 < Bushmills> the one you specify
20:42 < krzie> !logfile
20:42 <@vpnHelper> krzie: "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info
20:42 < krzie> finetic, in a redirect setup like you have, its not openvpn's job to care what the traffic is, so it doesnt
20:43 < krzie> your firewall on the server could do so if you wish
20:43 < finetic> ok
20:45 -!- p3rror [~mezgani@41.137.57.85] has joined #openvpn
21:02 -!- takamichi [~pri@pm301-97-169.keyworld.net] has quit [Remote host closed the connection]
21:06 -!- takamichi [~pri@pm301-97-169.keyworld.net] has joined #openvpn
21:08 -!- finetic [~finetic@213.155.20.16] has quit [Quit: leaving]
21:10 < ecrist> !diagram
21:10 <@vpnHelper> ecrist: Error: "diagram" is not a valid command.
21:11 < ecrist> !learn diagram as You can use a site such as http://gliffy.com to create a network diagram as well as programs such as Visio, Dia, or OmniGraffle
21:11 <@vpnHelper> ecrist: Joo got it.
21:13 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 252 seconds]
21:14 -!- finetic [~finetic@213.155.20.16] has joined #openvpn
21:14 < finetic> when you install OpenVPN Client on windows, there appears an icon
21:14 < finetic> 'OpenVPN GUI'
21:14 < ecrist> yep
21:14 < finetic> how can I pass the server.conf fparameter rto it?
21:14 < finetic> parameter
21:15 < finetic> so that I can just double click the icon to connect
21:15 < ecrist> you can put your configs/keys into Program Files/openvpn/conf
21:16 < finetic> only the config right?
21:16 < finetic> the keys should be somewhere else i guess or?
21:16 < ecrist> no
21:16 < ecrist> that's why I said configs and keys
21:16 < finetic> ok
21:22 -!- master_of_master [~master_of@p57B53690.dip.t-dialin.net] has quit [Ping timeout: 252 seconds]
21:22 -!- master_of_master [~master_of@p57B53690.dip.t-dialin.net] has joined #openvpn
21:27 < krzie> diagram, good factoid!
21:28 -!- [1]sde [~sde@93-97-41-44.zone5.bethere.co.uk] has joined #openvpn
21:29 -!- sde [~sde@93-97-41-44.zone5.bethere.co.uk] has quit [Ping timeout: 255 seconds]
21:29 -!- [1]sde is now known as sde
21:35 -!- atan2 [~atan@blk-222-132-103.eastlink.ca] has quit [Read error: Connection reset by peer]
21:35 -!- atan2 [~atan@blk-222-132-103.eastlink.ca] has joined #openvpn
21:35 -!- atan2 [~atan@blk-222-132-103.eastlink.ca] has quit [Read error: Connection reset by peer]
21:38 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
21:39 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
21:47 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
21:58 -!- atan [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
21:58 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
22:09 -!- atan [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
22:09 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
22:22 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
23:37 < krzee> !winroute
23:37 <@vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
23:38 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Problem with CN in unicode. :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7196&p=8273#p8273>
23:44 <@vpnHelper> RSS Update - forum: Configuration :: Re: Need help setting openVPN on a WRT54G router w/DD-WRT :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7212&p=8274#p8274>
23:48 -!- smerz [~smerz@smerz.demon.nl] has quit [Remote host closed the connection]
23:53 < krzee> !factoids search eur
23:53 <@vpnHelper> krzee: "eurephia" is http://www.eurephia.net/
--- Day changed Wed Nov 03 2010
00:03 <@vpnHelper> RSS Update - forum: Configuration :: Re: Apply different fw rules (dynamically) to users :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7218&p=8275#p8275> || Routing and Firewall Scripts :: Re: how to add a kernel's route on the openvpn server? :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=17&t=7219&p=8276#p8276>
00:04 < krzee> !authpass
00:04 <@vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
00:07 < krzee> EmperorTom, this may be a guy who needs your help if you get time https://forums.openvpn.net/viewtopic.php?f=6&t=7221
00:07 <@vpnHelper> Title: OpenVPN Support Forum View topic - Network Stalls (at forums.openvpn.net)
00:09 <@vpnHelper> RSS Update - forum: Configuration :: Re: Authenticatig clients with certificates & username passw :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7220&p=8277#p8277>
00:15 <@vpnHelper> RSS Update - forum: Configuration :: Re: OpenVPN - Layer7 Filterting :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7223&p=8278#p8278>
00:21 <@vpnHelper> RSS Update - forum: Server Administration :: Re: VPN Tunnel with OpenVPN becomes slower and slower over t :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7225&p=8279#p8279> || Configuration :: Re: How to change users' passwords in the client? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7226&p=8280#p8280>
00:25 -!- tck9 [~makaveli@S010600a2bc4a5271.vs.shawcable.net] has quit [Quit: leaving]
00:27 <@vpnHelper> RSS Update - forum: Configuration :: Re: Openvpn client on opensolaris configuration help :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7228&p=8281#p8281>
00:31 < krzee> heh, forum flood!
00:33 <@vpnHelper> RSS Update - forum: Configuration :: Re: Error building client certificate! :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7229&p=8282#p8282>
00:41 -!- dir [~dir@122.55.1.218] has joined #openvpn
00:42 < dir> hi. i've setup openvpn to auth using pam_userdb. is there anyway to limit max concurrent logins per user?
01:05 -!- Belxjander [~Belxjande@sourcemage/Mage/Abh-Elementalist] has joined #openvpn
01:06 < Belxjander> !welcome
01:06 <@vpnHelper> Belxjander: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:06 < Belxjander> !goal
01:06 <@vpnHelper> Belxjander: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:09 < Belxjander> well my goal is to setup the machine I am using now as an openvpn server,  and have a quick recipe to follow for connecting machines to it
01:10 < Belxjander> and I have also chosen a 192.168.x.0/24 network that is 10<x<250
01:11 < Belxjander> !config
01:11 <@vpnHelper> Belxjander: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
01:11 < Belxjander> !interface
01:11 <@vpnHelper> Belxjander: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
01:23 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
01:29 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
01:31 < krzee> dir, likely in the pam config, im no expert in pam configs tho, read the docs for your pam implimentation
02:09 -!- p3rror [~mezgani@41.137.57.85] has quit [Ping timeout: 240 seconds]
02:15 -!- Belxjander [~Belxjande@sourcemage/Mage/Abh-Elementalist] has left #openvpn ["Leaving"]
02:30 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
02:31 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:39 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Problem with CN in unicode. :: Reply by forth <https://forums.openvpn.net/viewtopic.php?f=4&t=7196&p=8283#p8283>
02:45 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Problem with CN in unicode. :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7196&p=8284#p8284>
03:04 -!- dazo_afk is now known as dazo
03:07 -!- openbsdnoob [~openbsdno@88.79.221.61] has quit [Quit: byebye]
03:09 <@vpnHelper> RSS Update - forum: Server Administration :: Re: VPN Tunnel with OpenVPN becomes slower and slower over t :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7225&p=8285#p8285>
03:11 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 255 seconds]
03:15 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Problem with CN in unicode. :: Reply by forth <https://forums.openvpn.net/viewtopic.php?f=4&t=7196&p=8286#p8286>
03:21 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
03:21 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Problem with CN in unicode. :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7196&p=8287#p8287>
03:22 -!- openbsdnoob [~openbsdno@88.79.221.61] has joined #openvpn
03:33 <@vpnHelper> RSS Update - forum: Server Administration :: Re: VPN Tunnel with OpenVPN becomes slower and slower over t :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7225&p=8288#p8288>
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
03:39 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Problem with CN in unicode. :: Reply by forth <https://forums.openvpn.net/viewtopic.php?f=4&t=7196&p=8289#p8289> || Configuration :: How to change users' passwords in the client? :: Author manu26 <https://forums.openvpn.net/viewtopic.php?f=6&t=7226&p=8268#p8268>
03:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
03:45 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Problem with CN in unicode. :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7196&p=8290#p8290>
03:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
03:51 <@vpnHelper> RSS Update - forum: Configuration :: Re: How to change users' passwords in the client? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7226&p=8280#p8280>
03:52 -!- lkthomas [~lkthomas@123.136.11.115] has joined #openvpn
03:52 < lkthomas> Hey guys
03:52 -!- ChristianAa [82e1b818@gateway/web/freenode/ip.130.225.184.24] has quit [Ping timeout: 265 seconds]
03:52 < lkthomas> If I define openvpn use port 800, does it also require port 443 to be open?
03:53 < krzee> no
03:53 < krzee> openvpn uses 1 port
03:54 < lkthomas> I see, any method to share port 80 between openvpn with apache using iptables?
03:54 < theDoc> Not at the moment.
03:55 < lkthomas> Ok, thanks
03:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 272 seconds]
03:57 <@vpnHelper> RSS Update - forum: Configuration :: Openvpn client on opensolaris configuration help :: Author morten44 <https://forums.openvpn.net/viewtopic.php?f=6&t=7228&p=8271#p8271>
03:58 -!- dir [~dir@122.55.1.218] has quit []
04:03 <@vpnHelper> RSS Update - forum: Configuration :: Re: Openvpn client on opensolaris configuration help :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7228&p=8281#p8281>
04:15 <@vpnHelper> RSS Update - forum: Configuration :: Error building client certificate! :: Author silajim <https://forums.openvpn.net/viewtopic.php?f=6&t=7229&p=8272#p8272>
04:19 < krzee> wow, that bot is behind!
04:19 < krzee> lkthomas, no way to share port 80, but you can share port 443
04:19 < krzee> --port-share iirc
04:20 < krzee> !factoids search share
04:20 <@vpnHelper> krzee: No keys matched that query.
04:20 < krzee> sharing port 80 would make no sense, the traffic to port80 isnt encrypted
04:20 < krzee> sharing to port 443, now that makes sense!
04:23 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Quit: Távozom]
04:38 < lkthomas> Ok, thanks, brb
04:38 -!- lkthomas [~lkthomas@123.136.11.115] has quit []
04:39 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined #openvpn
04:39 < jww> Hello.
04:40 < jww> I have some troubles with openvpn and differents networks  with same class for ips .I made a small drawing showing the network.http://pastebin.ca/1980463 .
04:41 < jww> can somebody tell me if it's possible for 'Client' to contact 'HTTP SRV' using the vpn ?
04:42 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
04:45 -!- master_of_master [~master_of@p57B53690.dip.t-dialin.net] has quit [Ping timeout: 272 seconds]
04:46 -!- master_of_master [~master_of@p57B539EE.dip.t-dialin.net] has joined #openvpn
04:47 < krzee> HTTP SRV is a vpn client?
04:48 < krzee> ^ @ jww
04:48 < theDoc> http srv .. isn't a vpn client? :o
04:49 < krzee> did you look at his text drawing?
04:49 < theDoc> No
04:49 < theDoc> Let me see.
04:50 < theDoc> Why not? It looks like a routing problem. Not so much a software problem.
04:51 < krzee> looks like http srv is a vpn client
04:51 <@vpnHelper> RSS Update - forum: Configuration :: Re: Error building client certificate! :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7229&p=8282#p8282>
04:51 < jww> krzee: yes.
04:51 < krzee> he can use it via vpn IP
04:52 < krzee> then he avoids needing to share conflicting lans
04:52 < krzee> access you website via vpn ip ;)
04:54 -!- key_two [~key2@olm03.cvf.fr] has joined #openvpn
04:54 < key_two> hi
04:54 < krzee> nope, wish i was tho
04:54 < jww> umm krzee I setuped it, but it doesn't works. 
04:55 < krzee> jww: ?
04:55 < jww> I think that the paquets are dropped somewhere at OPENVPN SRV.
04:55 < krzee> jww, can the server access it, but not the other client?
04:55 < jww> yes.
04:55 < krzee> if so try this option
04:55 < krzee> !c2c
04:55 < key_two> is there any tool for debugging the IKE_AUTH phase (doing a Man in the middle on the IKE_SA_INIT phase) ?
04:55 <@vpnHelper> krzee: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind other
04:55 <@vpnHelper> krzee: clients
04:55 < finetic> I am connecting to OpenVPN server now, is really all the UDP traffic I see in wireshark to my OpenVPN server encrypted??
04:55 < finetic> Is there no way to retrieve the data
04:56 < krzee> finetic, sure there is... by knowing the encryption key (this changes every hour if you use certificates)
04:56 < krzee> key_two, not that i know of
04:56 < jww> krzee: sound interesting, lemme google about it.
04:56 < finetic> krzee: i use these i guess
04:56 < finetic> krzee: how do I know if they change every hour?
04:57 < key_two> krzee: but it's a DH ? so it should be possible to midm it and generate a pcap for example ?
04:57 < key_two> krzee: or is there something to prevent one from doing that
04:57 < krzee> finetic, you will see messages in the logs every hour, plus you know just by knowing you use certificates
04:57 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
04:58 < krzee> key_two, you seem to know more about that part than i ;]  best i can do for ya is point ya here:  www.openvpn.net/security
04:59 < finetic> krzee: ok
04:59 < jww> krzee: ahah it works !! thanks !
05:00 < jww> krzee: now I just need to read some doc about it and I'm done.
05:00 < jww> jww: congrats man, you rock.
05:02 < krzee> yw
05:03 < krzee> finetic, there is a config option to change how often they rekey, something like --reneg-sec (its in the manual)
05:03 < finetic> ok
05:07 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
05:08 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:31 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
05:40 -!- chantra_1fk [~chantra@ns38827.ovh.net] has quit [Ping timeout: 265 seconds]
05:46 -!- chantra_afk [~chantra@unaffiliated/chantra] has joined #openvpn
07:00 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
07:19 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
07:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
07:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
07:43 -!- albech [~thomas@535AB203.flatrate.dk] has joined #openvpn
07:44 < albech> where would be the best place to define a new default route after the bridge-start script has run?
07:44 < krzee> --redirect-gateway?
07:45 < albech> krzee, i thought that redirected the gateway on the clients?
07:45 < krzee> oh you mean on the server?
07:45 < albech> krzee, it seems like the server lose its default route once the script is run
07:45 < krzee> then at the end of the bridge-start script!
07:46 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
07:46 < albech> krzee, ok, thats what i thought. But there are so many nifty settings that maybe openvpn had something to address just that problem ;)
07:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
07:48 < krzee> neg
07:49 < krzee> but i see how that would seem the case ;]
07:50 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
07:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
07:56 -!- albech [~thomas@535AB203.flatrate.dk] has quit [Ping timeout: 276 seconds]
08:09 -!- albech [~thomas@124.157.211.236] has joined #openvpn
08:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
08:16 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
08:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
08:29 -!- raidzx [~Andrew@seance.openvpn.org] has joined #openvpn
08:32 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has quit [Ping timeout: 240 seconds]
08:33 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 272 seconds]
08:37 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
08:44 -!- albech [~thomas@124.157.211.236] has quit [Ping timeout: 252 seconds]
09:03 -!- albech [~thomasalb@119.42.79.133] has joined #openvpn
09:03 < albech> hi gents
09:04 < albech> im having an issue here where i am getting a connection from my server and an ip number, but there is still no connectivity
09:04 < albech> connectivity to the internet
09:04 < albech> i believe it is related to routing
09:12 -!- Netsplit *.net <-> *.split quits: darkwind, Bushmills, nb, kloeri, phusion__
09:12 -!- nb_ is now known as nb
09:30 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has joined #openvpn
09:31 < McBoingbo> Other than the openvpn service how else can I give my users the ability to start/stop the vpn themselves without admin rights on the box? OS is Windows 7 btw, thanks
09:33 -!- phusion__ [~psn@2607:f0d0:2001:8b::50:1337] has joined #openvpn
09:33 -!- 18VABQF5S [~nb@fedora/nb] has joined #openvpn
09:33 -!- Netsplit over, joins: darkwind, kloeri, Bushmills
09:35 < hyper_ch> McBoingbo: installing linux... then they want need admin rights for win7 :)
09:35 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Remote host closed the connection]
09:35 -!- phusion__ [~psn@2607:f0d0:2001:8b::50:1337] has quit [Read error: Operation timed out]
09:36 -!- phusion__ [psn@2607:f0d0:2001:8b::50:1337] has joined #openvpn
09:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
09:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 252 seconds]
10:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
10:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 252 seconds]
10:08 -!- albech [~thomasalb@119.42.79.133] has left #openvpn []
10:11 -!- finetic [~finetic@213.155.20.16] has left #openvpn []
10:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
10:13 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
10:15 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
10:28 < ecrist> http://bit.ly/b8CFbc  see direction number 42
10:28 <@vpnHelper> Title: China to Japan - Google Maps (at bit.ly)
10:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
10:32 -!- sno [~sno@static.153.209.46.78.clients.your-server.de] has joined #openvpn
10:33 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
10:34 <@dazo> lol
10:34 -!- bob368 [~bob@166.205.11.48] has joined #openvpn
10:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
10:46 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 250 seconds]
10:51 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
10:53 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:53 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
10:55 -!- slyrus__ [~chatzilla@adsl-75-36-215-204.dsl.pltn13.sbcglobal.net] has joined #openvpn
10:55 < slyrus__> !welcome
10:55 <@vpnHelper> slyrus__: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:55 < slyrus__> !route
10:55 <@vpnHelper> slyrus__: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:58 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
11:00 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Ping timeout: 252 seconds]
11:02 -!- bob368 [~bob@166.205.11.48] has quit [Quit: Colloquy for iPhone - http://colloquy.mobi]
11:02 -!- ultramage [umage@kurobara.netvor.sk] has joined #openvpn
11:02 < ultramage> hello, is openvpn planning to add direct client-to-client communication at some point?
11:03 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
11:04 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined #openvpn
11:06 -!- bob368 [~bob@166.205.11.48] has joined #openvpn
11:10 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 272 seconds]
11:14 < ecrist> ultramage: maybe, some day
11:15 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
11:16 -!- bob368 [~bob@166.205.11.48] has quit [Quit: Colloquy for iPhone - http://colloquy.mobi]
11:17 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
11:18 -!- belamy [~chatzilla@061092214077.ctinets.com] has joined #openvpn
11:20 -!- belamy [~chatzilla@061092214077.ctinets.com] has quit [Client Quit]
11:21 < slyrus__> is there an easy way to assign the server multiple IP addresses in the (e.g.) 10.8.0.x network? I'd like to run multiple services (same port, different IP addresses) on the server.
11:22 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
11:22 < Bushmills> nope. not now. it is one or all interfaces per server now
11:24 < Bushmills> oh. several addresses on tun ...
11:24 < slyrus__> OK. Just to be clear, I don't want openvpn per se listening on multiple interfaces, just other services like afpd
11:27 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
11:27 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
11:29 < Bushmills> you could maybe trick it into that behaviour - untested:  clients route /24 to vpn server. there you may be able to alias a physical interface, using addresses of, say, the  top /25 of the vpn net, and enable forwarding. 
11:30 < Bushmills> idea is: clients route the whole /24, but only lower /25 are actually used for vpn, top /25 go to interfaces which you can alias
11:31 < slyrus__> hmm... ok. perhaps I should reconsider my approach instead.
11:31 < slyrus__> thanks
11:33 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
11:36 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
11:39 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
11:42 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
11:43 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
11:44 < ultramage> ecrist: alternatively, is it possible to make the openvpn server to poll a client ip address, asking it to connect if it's there?
11:44 < ultramage> (a 'reverse connection' so to speak)
11:47 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
11:49 -!- roentgen [~arthur@2001:4d18:3:1:ffff:ffff:ffff:1] has joined #openvpn
11:49 -!- roentgen [~arthur@2001:4d18:3:1:ffff:ffff:ffff:1] has quit [Changing host]
11:49 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
11:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
11:55 <@vpnHelper> RSS Update - forum: Configuration :: Re: Error building client certificate! :: Reply by silajim <https://forums.openvpn.net/viewtopic.php?f=6&t=7229&p=8292#p8292>
11:56 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 272 seconds]
11:58 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
12:03 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
12:05 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
12:11 -!- pumkinhed [~pumkinhed@72.45.85.159] has joined #openvpn
12:11 < papas_son> Hey guys! I have openvpn up and running. However, I can only access the vpn server on the 192.168.2.0/24 subnet. How do I access the rest of the network on the 192.168.1.0/24 subnet?
12:12 < pumkinhed> hello, recently updated my server are ppl getting a ton of topology errors?
12:12 < pumkinhed> like Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:6: topology (2.0.9)
12:13 < pumkinhed> as soon as i upgraded client to 2.1.x the problem went away.... am i going to have to instruct a bunch of old farts how to update openvpn?
12:15 < pumkinhed> papas_son: its a routing issue.
12:16 < papas_son> pumkinhed: yeah, thanks... I started playing around with routes, oh I think I almost have it figured out
12:17 -!- aliverius_ [~george@athedsl-372258.home.otenet.gr] has joined #openvpn
12:17 -!- aliverius [~george@athedsl-373099.home.otenet.gr] has quit [Ping timeout: 240 seconds]
12:20 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Quit: leaving]
12:25 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined #openvpn
12:26 -!- raidzx is now known as raidz
12:26 -!- raidz [~Andrew@seance.openvpn.org] has quit [Changing host]
12:26 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has joined #openvpn
12:26 < papas_son> I put a route in my client back to the vpn gateway for the 192.168.1.0/24 subnet. I can ping the ip tied to the eth0 of the vpn server, but I cannot ping to other machines on the network. I added a route back to the vpn network in the gateway. Any ideas on what I'm missing?
12:26 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has left #openvpn ["Leaving"]
12:26 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has joined #openvpn
12:27 -!- mode/#openvpn [+o raidz] by ChanServ
12:29 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Client Quit]
12:30 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined #openvpn
12:37 < ecrist> ultramage: no, that doesn't even make sense
12:47 <@vpnHelper> RSS Update - forum: Configuration :: Re: How to change users' passwords in the client? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7226&p=8280#p8280>
12:49 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
12:52 -!- aliverius_ is now known as aliverius
13:00 -!- takamichi [~pri@pm301-97-169.keyworld.net] has quit [Ping timeout: 255 seconds]
13:07 -!- takamichi [~pri@pm301-97-169.keyworld.net] has joined #openvpn
13:17 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Problem with CN in unicode. :: Reply by dazo <https://forums.openvpn.net/viewtopic.php?f=4&t=7196&p=8294#p8294>
13:29 -!- dazo is now known as dazo_afk
13:41 -!- johm [~john@75.94.87.153] has joined #openvpn
13:42 < johm> tearing my hair out with a first time openvpn install...can connect to some hosts behind the firewall, but not all.  driving me kind of crazy.
13:42 < johm> !goal
13:42 <@vpnHelper> johm: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:42 < johm> !welcome
13:42 <@vpnHelper> johm: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:43 < johm> !/30
13:43 <@vpnHelper> johm: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
13:43 < johm> !route
13:43 <@vpnHelper> johm: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:50 < johm> so, in more detail, i have machines in a LAN I would like to have remote machines using openvpn client connect to. 
13:50 < johm> the lan is on subnet 192.168.1.0/24 and openvpn is set up to create a routed subnet on 10.19.68.0/24
13:50 < johm> i can connect to the vpn fine.
13:51 < johm> i can connect to a couple of machines in the LAN (and I added a route so this was possible on my firewall)
13:52 < johm> but i cannot connect to a few machines behind the LAN via openvpn.....even though if i'm on one of those unreachable machines inside the LAN i can make an outgoing connection through the vpn to the remote machine in question just fine. 
13:54 < slyrus__> so I take it I should use different client keys on each machine?
13:56 < johm> !topology
13:56 <@vpnHelper> johm: "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
14:06 <@vpnHelper> RSS Update - forum: Server Administration :: VPN as service with Windows 2008 R2 not working :: Author Xerum <https://forums.openvpn.net/viewtopic.php?f=4&t=7231&p=8297#p8297>
14:30 <@vpnHelper> RSS Update - forum: Configuration :: Re: Error building client certificate! :: Reply by silajim <https://forums.openvpn.net/viewtopic.php?f=6&t=7229&p=8292#p8292>
14:30 < Bushmills> slyrus__: good plan
14:31 < slyrus__> which part? reconsidering?
14:31 < Bushmills>  different client keys on each machine
14:32 < slyrus__> ah, ok. thanks.
14:39 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:43 < johm> ok, even weirder thing happening on further inspection
14:43 < johm> start vpn-client on remote machine
14:44 < johm> can't connect to 192.168.1.4 inside the LAN
14:44 < johm> then i connect, from the LAN, to the remote machine via ssh and then disconnect
14:45 < johm> and then and only then can i make the connection into the 192.168.1.4 machine inside the LAN
14:46 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 260 seconds]
15:26 -!- idefine [~idef1@ec2-184-72-155-169.compute-1.amazonaws.com] has joined #openvpn
15:28 < idefine> if i do in my openvpn config: ifconfig 192.168.2.1 192.168.2.2 am I restricting access to only one machine?
15:29 < idefine> in the server config
15:35 -!- finetic [~finetic@213.155.20.16] has joined #openvpn
15:36 < finetic> hi, i have a small question. I installed Virtualbox on my Open VPN Server system (Debian Lenny). I installed Windows Server 2003 in it. I am using NAT but I don't want to port forward it. Can I just connect to the server from the virtual machine and then have port 3389 opened for all other clients connected to the open vpn server aswell?
15:38 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
15:41 -!- MadTBone [~MadTBone@160.39.238.196] has joined #openvpn
15:47 -!- MadTBone [~MadTBone@160.39.238.196] has quit [Quit: Leaving]
15:49 -!- pumkinhed [~pumkinhed@72.45.85.159] has quit [Quit: pumkinhed]
15:54 < finetic> anyone ?
15:54 < finetic> I am trying it now, but both clients have got the same ip address
16:03 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
16:13 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
16:14 -!- idefine [~idef1@ec2-184-72-155-169.compute-1.amazonaws.com] has quit [Ping timeout: 265 seconds]
16:19 -!- idefine [~idef1@static-173-210-90-12.ngn.onecommunications.net] has joined #openvpn
16:44 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
16:46 -!- johm [~john@75.94.87.153] has quit [Quit: Leaving]
16:53 < ultramage> ecrist: yes it does if the machine that's supposed to act as a server is not internet-reachable :)
16:54 < ultramage> so far I've been working around that by flipping the server-client assignment around... however that doesn't work so well if you want to have more than two machines
16:55 < ultramage> (everyone was supposed to talk to the machine that was supposed to be the 'server'... now that it's in the position of a client, anyone wanting to talk to it needs to do so by bouncing over the server, causing excessive network utilization, not to mention additional latency)
16:56 < ultramage> (since currently openvpn routes all client-client traffic through the one single server, creating a nasty choke point)
16:56 <@vpnHelper> RSS Update - forum: Configuration :: Re: How to change users' passwords in the client? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7226&p=8280#p8280>
16:59 -!- mrle0 [~fin@82.132.139.244] has joined #openvpn
17:09 -!- 18VABQF5S is now known as nb_
17:21 -!- mrle0 [~fin@82.132.139.244] has quit [Quit: Leaving]
17:21 -!- le0 [~fin@82.132.243.47] has joined #openvpn
17:21 -!- le0 [~fin@82.132.243.47] has quit [Changing host]
17:21 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
17:25 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
17:32 -!- linguini [~user@c-71-193-179-58.hsd1.wa.comcast.net] has joined #openvpn
17:41 < kraut> moin
17:44 < krzie> moinmoin
17:54 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:14 -!- freaky[t] [alpha@freakyy.de] has quit [Read error: Operation timed out]
18:14 -!- freaky[t] [alpha@freakyy.de] has joined #openvpn
18:18 -!- takamichi [~pri@pm301-97-169.keyworld.net] has quit [Remote host closed the connection]
18:23 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
18:35 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
18:48 -!- linguini [~user@c-71-193-179-58.hsd1.wa.comcast.net] has left #openvpn ["ERC Version 5.3 (IRC client for Emacs)"]
19:15 -!- s7r [~s7r@66.199.231.250] has joined #openvpn
19:53 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 255 seconds]
19:58 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
19:59 -!- buntfalke_ is now known as buntfalke
20:33 -!- krzie is now known as krzee
20:33 -!- finetic [~finetic@213.155.20.16] has quit [Read error: Operation timed out]
20:34 -!- finetic [~finetic@213.155.20.16] has joined #openvpn
20:36 -!- takamichi [~pri@pm301-97-169.keyworld.net] has joined #openvpn
20:39 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
20:42 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
20:45 -!- s7r [~s7r@66.199.231.250] has quit [Ping timeout: 255 seconds]
20:52 < ecrist> ultramage: what can't the server be in a server role?  why the nasty bouncing around?
20:58 < ecrist> ping krzee 
20:58 < ecrist> http://skitch.com/ecrist/d6an3/webmaster-tools-dashboard
20:58 <@vpnHelper> Title: Skitch.com > ecrist > Webmaster Tools - Dashboard (at skitch.com)
20:58 < krzee> werrd
20:59 < ecrist> google is claiming there are 36,121 external links point to my trac installation
20:59 < krzee> thats the search terms they use to find your wiki?
20:59 < ecrist> 6,968 external links to the OpenVPN wiki page.
20:59 < ecrist> yeah
21:00 < ecrist> you have a gmail account?
21:00 < ecrist> I'll give you access, you can see all the data yourself
21:00 < krzee> i do
21:00 < krzee> keep the addy private tho pls
21:00 < ecrist> pm it to me
21:01 < ecrist> of course. :)
21:03 < ecrist> almost 600 google search impressions per day, so far
21:04 < krzee> interesting, it knows my yahoo email
21:04 < ecrist> o.O
21:05 < ecrist> for the keyword openvpn, secure-computing.net has 100% signifigance
21:05 < krzee> hrm, how do i get to your site?
21:05 < krzee> im in webmaster tools
21:06 < krzee> i need to add the site?
21:07 < ecrist> no, you need to use the gmail address you gave me, or i need to add your yahoo site
21:07 < krzee> im logged in as that gmail addy
21:07 < ecrist> hrm, it should 'just work
21:09 < krzee> ahh there it goes
21:09 < krzee> had to propogate
21:09 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
21:11 < ecrist> forum.ixbt.com seems to link heavily to my wiki
21:14 < krzee> well it told me im verified in a message, and would let me admin who is an owner
21:14 < krzee> but im unsure how to see what you're seeing
21:14 < ecrist> do you see the domain in the list?
21:14 < ecrist> should just have to click on it
21:15 < krzee> ahh, i guess that will show up in a bit
21:15 < ecrist> worst case, add secure-computing.net, select HTML document as the verification method, email me the docuemtn, and I'll post it
21:17 < ecrist> my HFS+ Disk Quota article has 23 links on apple's forum
21:18 < krzee> hah nice!
21:18 < krzee> ahh this would be a decent apple doc, my experience last night
21:19 < krzee> had a drive that wouldnt boot, took it out and put in usb enclosure, hooked to a working apple, couldnt repair with disk utility
21:19 < ecrist> 95 sites link to mine.  not too shabby
21:20 < krzee> nor could i repair with fsck_hfs -fy /dev/disk2s2
21:20 < ecrist> everything from comcast.com, pfsense.org, apple.com, to nagios.org and freebsddiary.org
21:20 < ecrist> really?  what did you do to it?
21:20 < phusion__> is there an easy way in the openvpn config to specify commands to run after the tunnel is successfully started and running?
21:20 < krzee> but i was able to mount with mount_hfs -o ro /dev/disk2s2
21:21 < krzee> then i was able to copy stuff off it
21:21 < krzee>  mount_hfs -o ro /dev/disk2s2 /Volumes/deaddisk      rather
21:21 < krzee> phusion__, 
21:21 < krzee> !scripts
21:21 <@vpnHelper> krzee: Error: "scripts" is not a valid command.
21:21 < krzee> !script
21:21 <@vpnHelper> krzee: "script" is see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn
21:21  * ecrist goes away
21:22 < krzee> ecrist, you may wanna toss up a summarization of what i just said on your apple wiki, it will definitely help some people
21:23 < krzee> then after that, they should download the manufacturer disk to check the drive, and do a format from that utility so the drive can fix any of its own errors if it is repairable
21:23 < phusion__> krzee: that isn't totally helpful. are there any examples anywhere?
21:23 < krzee> phusion__, depends what you wanna do
21:24 < krzee> you gave a vague question, got a vague answer
21:24 < phusion__> i basically want to run an ifconfig tap0:1 ip netmask type command to get a second IP on the remote end after the tunnel is up
21:24 < krzee> there are many easy ways to have openvpn run a script for you... which to use depends on your goal
21:24 < krzee> !up
21:24 <@vpnHelper> krzee: Error: "up" is not a valid command.
21:24 < krzee> hrmz
21:24 < krzee> see --up in the manual
21:25 < phusion__> i mean right now i just have it in the init script which is kinda ghetto
21:25 < krzee> it would be      up "/path/to/script"
21:25 < krzee> hell if that works i see no reason to change it ;]
21:25 < phusion__> well because its running regardless of if it fails to start or not
21:25 < phusion__> but i guess that doesnt really matter
21:25 < krzee> ahh
21:26 < krzee> you could always test the status of the last command with $?
21:26 < phusion__> answered my own question ill just leave it haha. thanks anyawy.
21:26 < krzee> but that is niether here nor there, you can do it with an up script
21:26 < krzee> also, you could do it in the script like openvpn <config> && ifconfig...
21:27 < krzee> and here is an example of an up script
21:27 < krzee> !pushdns
21:27 <@vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
21:27 < krzee> #4
21:28 < phusion__> awesome. thanks a bunch
21:34 < krzee> yw
21:50 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
21:50 < dogarrhea1> hello
21:51 < dogarrhea1> !welcome
21:51 <@vpnHelper> dogarrhea1: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:51 < krzee> hah interesting ecrist, i went to add site, typed it in, now im at the dashboard
21:52 < dogarrhea1> hrm. i just sudo apt-get installed openssh on a linode server and restarted.  Now I want to connect to my linode server... how do i do this?
21:52 < dogarrhea1> i saw this big config file but don't know what to do
21:52 < krzee> this isnt #openssh
21:52 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
21:52 < dogarrhea1> i know that
21:53 < krzee> you just asked an openssh question...
21:53 < dogarrhea1> how do i connect my client to the openvpn server...
21:53 < dogarrhea1> which is now running
21:53 < dogarrhea1> on linode
21:53 < krzee> " <dogarrhea1> hrm. i just sudo apt-get installed openssh "
21:54 < krzee> you meant openvpn i take it...?
21:54 < dogarrhea1> read above
21:54 < dogarrhea1> dogarrhea1> how do i connect my client to the openvpn server...
21:54 < krzee> so openvpn is up and running correctly, and you want to connect to ssh over the vpn?
21:54 < dogarrhea1> no... use the server which is running as a vpn proxy
21:55 < dogarrhea1> etc
21:55 < dogarrhea1> i can already connect to it via ssh
21:55 < dogarrhea1> how would i have installed it
21:55 < krzee> is the server even running...? did you configure the vpn server?
21:55 < dogarrhea1> it is running said something about daemon and then i got a new prompt after i issued restart command
21:56 < krzee> that doesnt mean it is running
21:56 < krzee> ps auxw|grep openvpn
21:59 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
21:59 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
21:59 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
21:59 < dogarrhea1> ok?
21:59 < dogarrhea1> i see a bunch of numbers and then S+   02:58   0:00 grep --color=auto openvpn
22:00 < krzee> ya, it isnt running
22:00 < theDoc> No, that's not it.
22:00 < krzee> because you have not configured it
22:00 < krzee> !goal
22:00 <@vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
22:01 < dogarrhea1> i want to set it up on a ubuntu box hosted by something so i can surf the internet anonymously at public places
22:02 < krzee> here ya go
22:02 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Client Quit]
22:02 < krzee> !sample
22:02 <@vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
22:02 < krzee> !pki
22:02 <@vpnHelper> krzee: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was signed
22:02 <@vpnHelper> krzee: specially as a server (see !servercert)
22:02 < krzee> !redirect
22:02 <@vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
22:02 < krzee> when you understand those, you will be finished
22:05 < dogarrhea1> great.. code without comments
22:05 < dogarrhea1> thanks krzee. that's really helping me. i think i'll look somwhere else
22:05 < krzee> !man
22:05 <@vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
22:05 < krzee> !howto
22:05 <@vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
22:05 < krzee> there are the docs
22:06 < dogarrhea1> guess what? they are wrong
22:06 < dogarrhea1> and don't apply to my version of ubuntu
22:06 < krzee> guess what, the howto and the manual are NOT wrong
22:06 < krzee> and apply to EVERY os / distro
22:07 < dogarrhea1> especially when they ask me to go to some /etc/somefolderthatdoesnotexistafterisudo apt-get?
22:07 < dogarrhea1> and edit a file that does not exist. 
22:07 < krzee> the links you just got dont say anything of that sort
22:07 < krzee> there is 2 files to change, the config on each side
22:07 < krzee> then you make your certs
22:09 < krzee> if you're looking for a hold your hand walkthrough, wont find it here
22:09 < krzee> if you would like to learn what you're doing, read the links above
22:09 < krzee> oh and there is a 3rd option, which we dont support here
22:09 < krzee> openvpn-as
22:09 < krzee> !AS
22:10 <@vpnHelper> krzee: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations options
22:10 <@vpnHelper> krzee: supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
22:10 < krzee> it is the non-free non-opensource version of openvpn
22:11 < krzee> requires no understanding
22:11 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Quit: Leaving]
22:15 < theDoc> lolnerdrage
22:44 < krzee> seriously
22:45 < theDoc> These guys are terrible:P
22:56 < krzee> i cant wait til he finds efnet
22:56 < theDoc> rofl
22:56 < theDoc> I think fn by far is one of the tamer networks.
23:03 -!- smerz [~smerz@smerz.demon.nl] has quit [Remote host closed the connection]
23:04 < krzee> strongly agree
23:04 < krzee> im even nicer here, lol
23:06 < theDoc> lol
23:06 < theDoc> krzee: Can you see if the twitter site is loading correctly?
23:06 < theDoc> It's a jumbled mess of shit at the moment for me.
23:36 <@vpnHelper> RSS Update - forum: Configuration :: Re: How to change users' passwords in the client? :: Reply by manu26 <https://forums.openvpn.net/viewtopic.php?f=6&t=7226&p=8293#p8293>
23:48 <@vpnHelper> RSS Update - forum: Configuration :: Re: How to change users' passwords in the client? :: Reply by dazo <https://forums.openvpn.net/viewtopic.php?f=6&t=7226&p=8295#p8295>
23:51 -!- idefine [~idef1@static-173-210-90-12.ngn.onecommunications.net] has quit [Read error: Connection reset by peer]
23:51 -!- idefine [~idef1@static-173-210-90-12.ngn.onecommunications.net] has joined #openvpn
--- Day changed Thu Nov 04 2010
00:00 <@vpnHelper> RSS Update - forum: Configuration :: OpnVPN Bridge and access to the internet (bandwidth) :: Author iwen <https://forums.openvpn.net/viewtopic.php?f=6&t=7230&p=8296#p8296>
00:08 -!- batrick [~batrick@batbytes.com] has quit [Read error: Operation timed out]
00:08 -!- batrick [~batrick@batbytes.com] has joined #openvpn
00:12 <@vpnHelper> RSS Update - forum: Routing and Firewall Scripts :: Re: how to add a kernel's route on the openvpn server? :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=17&t=7219&p=8291#p8291>
00:45 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined #openvpn
00:49 -!- darkwind [~bpayne@rrcs-70-61-50-54.central.biz.rr.com] has quit [Read error: Operation timed out]
00:51 -!- darkwind [~bpayne@rrcs-70-61-50-54.central.biz.rr.com] has joined #openvpn
00:52 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Remote host closed the connection]
01:12 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Problem with CN in unicode. :: Reply by forth <https://forums.openvpn.net/viewtopic.php?f=4&t=7196&p=8298#p8298>
01:22 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
01:31 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
01:51 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
02:06 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
02:16 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
02:41 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
02:46 -!- lkthomas [~lkthomas@123.136.11.13] has joined #openvpn
02:46 < lkthomas> Hey guys
02:46 < lkthomas> Currently we are generating Cert for each vpn user, but it start to running out of control and we can't suspend user
02:47 < lkthomas> How do you guys do account management ?
02:47 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Remote host closed the connection]
02:50 < hyper_ch> why can't you suspend users?
02:53 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
02:56 < lkthomas> How?
02:56 < lkthomas> User are using cert to login only
02:57 < hyper_ch> revoke the cert
02:58 < theDoc> revoke the cert or down the server, ;p
02:59 < hyper_ch> http://openvpn.net/index.php/open-source/documentation/howto.html#revoke
02:59 <@vpnHelper> Title: HOWTO (at openvpn.net)
03:00 < lkthomas> How to revoke?
03:01 < hyper_ch> look three lines above
03:01 < lkthomas> Oh
03:01 < lkthomas> Let me try
03:02 < lkthomas> Is there have any web based GUI tool to deal with cert management?
03:11 < lkthomas> ?
03:11 < lkthomas> Anyone?
03:12 -!- dazo_afk is now known as dazo
03:17 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
03:19 < lkthomas> So everytime I generate cert for each client, openvpn server did record them as well?
03:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
03:30 < ultramage> ecrist: the machine that's meant to operate as the 'server' does not have a publicly reachable ip address, thus it cannot be a vpn server that vpn clients connect to. However the vpn client I'm sitting at does have a public ip address, so the best I could come up with was to flip the vpn roles.
03:32 < ultramage> however this approach does not scale past 1 client, because now if anyone else connected, they would be routing through me, which would be not so great.
03:35 -!- lkthomas [~lkthomas@123.136.11.13] has quit []
03:35 -!- idefine [~idef1@static-173-210-90-12.ngn.onecommunications.net] has quit [Quit: This computer has gone to sleep]
03:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:42 -!- dazo is now known as dazo_afk
03:52 -!- dazo_afk is now known as dazo_afk_afk
04:44 -!- master_of_master [~master_of@p57B539EE.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
04:46 -!- master_of_master [~master_of@p57B55E6C.dip.t-dialin.net] has joined #openvpn
04:55 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
04:57 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
05:05 -!- johest|w [~jstephan@109.234.108.3] has joined #openvpn
05:05 <@vpnHelper> RSS Update - forum: Routing and Firewall Scripts :: Re: how to add a kernel's route on the openvpn server? :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=17&t=7219&p=8299#p8299>
05:10 < krzie> !winroute
05:10 <@vpnHelper> krzie: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
05:10 <@vpnHelper> RSS Update - forum: Configuration :: Re: Error building client certificate! :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7229&p=8300#p8300>
05:10 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
05:14 < krzie> !script
05:14 <@vpnHelper> krzie: "script" is see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn
05:15 <@vpnHelper> RSS Update - forum: Server Administration :: Re: VPN as service with Windows 2008 R2 not working :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7231&p=8301#p8301> || Server Administration :: Isololated client connections :: Author vermeer_p <https://forums.openvpn.net/viewtopic.php?f=4&t=7232&p=8302#p8302> || Scripting and Customizations :: Re: OpenVPN on Laptop and automatically connect/disconnect :: ... <https://forums.open
05:21 <@vpnHelper> RSS Update - forum: Server Administration :: Isololated client connections in version 2.0.5 :: Author vermeer_p <https://forums.openvpn.net/viewtopic.php?f=4&t=7232&p=8302#p8302> || Server Administration :: Re: Isololated client connections in version 2.0.5 :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7232&p=8304#p8304> || Server Administration :: Re: Routing trouble :: Reply by krzee <https://forums.openvpn.net/viewtopic.p
05:24 < johest|w> hi guys, short question (hopefully) i'am trying to generate a certificate with easyrsa. now the key in the server.key file doesnt have the RSA Tag, and (pfsense) dont take it
05:33 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Is this type of vpn configuration possible? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7096&p=8306#p8306> || Server Administration :: Re: Isololated client connections in version 2.0.5 :: Reply by vermeer_p <https://forums.openvpn.net/viewtopic.php?f=4&t=7232&p=8307#p8307>
05:37 < krzie> does openvpn work with it without using the pfsense frontend?
05:37 < krzie> (since i cant troubleshoot the pfsense frontend, and that would be for #pfsense )
05:45 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Isololated client connections in version 2.0.5 :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7232&p=8308#p8308>
05:50 < johest|w> krzie: good question
06:05 -!- takamichi [~pri@pm301-97-169.keyworld.net] has quit [Remote host closed the connection]
06:07 -!- takamichi [~pri@pm301-97-169.keyworld.net] has joined #openvpn
06:18 -!- petan [~KVIrc@71.236.broadband11.iol.cz] has joined #openvpn
06:18 < petan> I have trouble with routing
06:18 < petan> it works only with linux clients
06:18 < petan> config is same on linux and win clients
06:20 < petan> !welcome
06:20 <@vpnHelper> petan: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
06:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 250 seconds]
06:28 < petan> if you need I can send you logs and so
06:31 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
06:33 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
06:33 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
06:33 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:34 < petan> anyone is available?
06:34 -!- le0 [~fin@82.132.243.47] has joined #openvpn
06:34 -!- le0 [~fin@82.132.243.47] has quit [Changing host]
06:34 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
06:35 < petan> !howto
06:35 <@vpnHelper> petan: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:35 < petan> !wiki
06:35 <@vpnHelper> petan: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
06:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 252 seconds]
06:45 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Isololated client connections in version 2.0.5 :: Reply by vermeer_p <https://forums.openvpn.net/viewtopic.php?f=4&t=7232&p=8309#p8309>
06:48 -!- albech [~thomas@119.42.79.115] has joined #openvpn
06:49 < albech> hi guys..
06:49 < albech> im using a bridged configuration, where openvpn handles IPs for clients, but i cannot seem to push the new default route to the clients.
06:50 < petan> hi albech
06:50 < petan> server is router?
06:51 < albech> everything works perfectly when i manually set a new default route on the clients upon connection
06:51 < albech> petan, nope
06:51 < petan> did you configured router then
06:52 < albech> what is there to configure on the router?
06:52 < petan> route back
06:53 < petan> you need to set route on client and then on your lan network to route back
06:53 < petan> !route
06:53 <@vpnHelper> petan: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
06:54 < albech> ill read it, but it seems like this is a client issue, since setting the default route to the gateway on the LAN allows me to connect just fine
06:54 < petan> what os on client
06:54 < albech> Linux and OSX
06:54 < petan> no errors?
06:54 < petan> in client logfile
06:55 < albech> nope
06:55 -!- takamichi [~pri@pm301-97-169.keyworld.net] has quit [Ping timeout: 252 seconds]
06:55 < petan> you have probably wrong settings in config
06:55 < albech> and upon connection the default route is set to the vpn server rather than the gateway
06:55 -!- takamichi [~pri@pm301-97-169.keyworld.net] has joined #openvpn
06:56 < petan> what route you have in conf
06:56 < petan> copy it here
06:57 < albech> http://pastebin.com/Qv6v56y9
06:58 < petan> you do not push route to clients
06:59 < petan> that is why it does not work untill you add it
06:59 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
06:59 < albech> thought push "redirect-gateway" would do that?
07:00 < petan> no
07:00 < albech> should i just push "route add default gw 192.168.1.1"?
07:00 < petan> route add 192.168.1.1 255.255.255.0
07:00 < petan> wait
07:01 < petan> route add 192.168.1.0 255.255.255.0
07:01 < petan> uh sry put this there
07:01 < albech> i want all traffic through the vpn, just just the traffic originated to the LAN
07:01 < petan> push route 192.168.1.0 255.255.255.0
07:02 < petan> your lan is 192.168.1.x?
07:02 < albech> petan.. correct. this is just a lab environment
07:02 < petan> did you try it
07:02 < petan> push route 192.168.1.0 255.255.255.0
07:02 < albech> ill try it now.. 2 sec
07:04 < albech> you want to use " around the argument?
07:04 < petan> no required
07:05 < petan> not
07:05 < petan> push "command"
07:06 -!- takamichi [~pri@pm301-97-169.keyworld.net] has quit [Read error: Connection reset by peer]
07:06 -!- takamichi [~pri@pm301-97-169.keyworld.net] has joined #openvpn
07:06 < petan> use quotes on argument to push only
07:06 < albech> still no connectivity
07:06 < petan> did it added route on client?
07:07 < petan> after connection
07:07 < petan> you said it works when you manualy add route
07:08 < petan> what route you add manualy then
07:08 < albech> i manually do this: route del default
07:08 < petan> and then?
07:08 < albech> followed by: route add default gw 192.168.1.1
07:10 < albech> it seems to me what you are trying to route is *only* traffic to the 192.168.1.x
07:10 < albech> where i want to route everything else (thus default) through the connection
07:11 < albech> am i making myself clear? ;)
07:11 < albech> still new to openvpn
07:13 < petan> well you can add shell script after performing openvpn like to put it all to one file like openvpn arg&;route del and so
07:13 < petan> if you know what I mean
07:15 < albech> i do.. the problem is that its not the same syntax on all OSes, so that would be client specific i guess
07:15 < finetic> hi, i have a small question. I installed Virtualbox on my Open VPN Server system (Debian Lenny). I installed Windows Server 2003 in it. I am using NAT but I don't want to port forward it. Can I just connect to the server from the virtual machine and then have port 3389 opened for all other clients connected to the open vpn server aswell?
07:15 < petan> indeed but that is same with conf files sometimes windows have different confs and so
07:16 < albech> or i should stick with what you say and only route traffic to the 192.168.1.x network through the vpn and have everything else use the default route prior to connecting
07:16 < petan> uh finetic where is server, client is on win? or it is server
07:17 < petan> finetic why do you need it
07:17 < finetic> client is on win
07:17 < petan> albech depends
07:17 < finetic> petan: i wish to be able to connect to the terminal services from my home (xp) windows system
07:17 < petan> albech what you exactly need? you said you want to traffic all
07:18 < petan> finetic so just set bridging on vbox and it wont be behind nat
07:20 < finetic> petan: i did, but it doesn't give internet access then
07:20 < albech> petan, yes, but that was mainly to have the option to get http/https traffic through the vpn as well, but i could make a squid proxy server for that instead
07:20 < albech> the reason i need my vpn the most is so i can access xen center within the data center
07:20 < petan> albech if you redirect gateway http should go through vpn
07:21 < petan> finetic why, it should be like on local network
07:21 < albech> petan, thanks for the input.. i will do a little more research on that ;)
07:21 < petan> albech np maybe someone else will help you much better
07:22 < petan> finetic when you set ethernet briging in vbox it should be on same net like server
07:22 < albech> petan, no this was great. i dont want to be carried through it anyway. guidance and someone pointing me in the right direction is the best help you can really give me
07:22 < finetic> petan: its not
07:22 < finetic> petan: the server's eth0 is a public ip
07:22 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
07:23 < petan> albech if I am guiding you right sure
07:23 < albech> petan, if not I want my money back :p
07:24 < petan> finetic in that case use nat and use vpn for it what subnet has your nat network
07:25 < finetic> petan: how can i see?
07:25 < finetic> dont understand
07:25 < petan> connecto to win machine and type ipconfig
07:25 < petan> what u see
07:25 < petan> I mean server in vbox
07:26 < finetic> 169.254.63.144
07:26 < finetic> when i use bridged
07:26 < petan> btw server has some lan or not? you said it has public ip so I suppose it is not also in some lan network, or you have more interfaces
07:26 < finetic> has not
07:26 < petan> when you set nat
07:27 < petan> so you have vpn just for that server?
07:27 < finetic> petan: how do u mean?
07:27 < petan> Virtualbox on my Open VPN Server system (Debian Lenny). I installed Windows Server 2003 in it
07:27 < finetic> I connect to the debian lenny system open vpn server, from home
07:28 < petan> what is that vpn for apart of that win machine
07:28 < finetic> then i have an ip address at home extra 10.8.0.6
07:28 < finetic> to redirect traffic from home, but also to add secure layer to have virtual machine's only accesible in the network
07:28 < petan> one way is to connect from server to server too but use like host your gateway
07:29 < petan> set to nat
07:29 < petan> now ipconfig
07:29 < finetic> ok se
07:29 < petan> on win machine
07:29 < petan> you will need to reload network
07:29 < petan> on vbox
07:29 < finetic> 10.0.2.15
07:29 < petan> ok gateway 10.0.2.1?
07:30 < finetic> 10.0.2.2
07:30 < petan> that is vpn server address
07:30 < finetic> i guess yes
07:30 < petan> you can connect using your conf but enable client-to-client
07:30 < finetic> i cannot connect to 10.0.2.2 on ftp port for example
07:31 < petan> ok can you connect to public ip?
07:31 < finetic> yes
07:31 < petan> ok then use same conf
07:32 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
07:32 < petan> btw what if you try ip a or ifconfig on server
07:32 < petan> what you see, do you see nat there?
07:32 < finetic> on the debian system u mean?
07:32 < petan> yes
07:32 < petan> ifconfig
07:34 < finetic> eth09
07:34 < finetic> eth0
07:34 < finetic> l0
07:34 < finetic> tun0
07:34 < finetic> vboxnet0
07:34 < finetic> those interfaces
07:34 < petan> vboxnet
07:34 < petan> what address it has?
07:34 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 240 seconds]
07:34 < finetic> 192.168.56.1
07:35 < petan> can you ping it from machine
07:35 < petan> that in vbox
07:36 < finetic> windows server 2003 or windows xp?
07:36 < petan> server
07:36 < finetic> yes
07:36 < petan> ok try to use it instead of public ip
07:36 < petan> in conf
07:37 < finetic> how do u mean?
07:37 < petan> copy conf you use to server machine, install ovpn there
07:37 < petan> then open conf and change host to 192.168.56.1
07:40 < finetic> its not on the same interface then
07:40 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
07:40 < finetic> the machines need to be on the same interface
07:40 < petan> not really, you can also keep public ip there maybe it would be same
07:40 < petan> try it with public ip, copy it
07:40 < petan> then make key for server
07:41 < petan> ./build-key
07:41 < petan> like that on home machine
07:42 < finetic> i already tried this, didnt work
07:42 < petan> what it said
07:42 < finetic> brb
07:42 < petan> do you have client-to-client enabled?
07:47 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
08:06 -!- albech [~thomas@119.42.79.115] has quit [Ping timeout: 276 seconds]
08:12 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
08:18 -!- albech [~thomas@535AB203.flatrate.dk] has joined #openvpn
08:21 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
08:28 -!- johest|w [~jstephan@109.234.108.3] has quit [Remote host closed the connection]
08:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
08:40 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
09:45 -!- albech [~thomas@535AB203.flatrate.dk] has quit [Quit: Ex-Chat]
09:56 < ecrist> krzie: we should write an openvpn book
10:02 < petan> I would buy it
10:02 < petan> :P
10:03 < ecrist> I am actually considering it.
10:04 < ecrist> have two editions. OpenVPN For Beginners (or OpenVPN for Home and Hobby)  and OpenVPN Advanced Concepts
10:11 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
10:13 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
10:15 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
10:17 < krzee> jjk is in the middle of publishing a new book
10:18 < krzee> me and dazo are peer reviewing it
10:18 < krzee> its pretty good
10:21 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
10:22 < ecrist> doh
10:22  * ecrist throws away his dreams
10:22  * ecrist stomps on them
10:24 < krzee> hehehe
10:24 < krzee> well theres room for more
10:24 < krzee> his is a cookbook
10:24 < krzee> has recipes for all sorts of vpns
10:25 < krzee> some cool stuff in there, stuff i didnt know you could do
10:25 < krzee> but it def isnt a book for beginners... one like that would need to take some time explaining certain basic networking concepts such as routing / nat
10:27 < ecrist> that was my thought, lots of pretty pictures, explainations of basic concepts, and a couple setup how-tos for gaming VPNs, how to get your home LAN accessible from outside, etc.
10:28 < krzee> that would be a good book
10:28 < krzee> and is certainly outside the scope of jjk's book
10:28 < ecrist> also, an advanced concepts book.  how to integrate with RADIUS/LDAP/PAM
10:29 < ecrist> discussions on MTU, how to configure it.
10:29 < ecrist> bridged vs routed
10:30 < ecrist> running an actual routing protocol on top of a vpn
10:30 < ecrist> ~rip
10:30 < ecrist> !rip
10:30 <@vpnHelper> ecrist: "rip" is http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting for a writeup on using RIP in openvpn
10:30 < ecrist> things like that
10:30 < krzee> cron2 informed me that you can do things like RIP/ospf/bgp just by running tap
10:30 < krzee> no bridge needed, and can use client/server
10:31 < ecrist> yeah
10:31 < ecrist> the funny part, krzee, is the only place, when using tap, you actually need a bridge, is when you're passing traffic through one of the boxes on the VPN.
10:32 < ecrist> i.e. no reason to bridge road-warriors' home LANs onto the company LAN
10:33 < krzee> lan gaming...?
10:34 < ecrist> a third good book idea (imho), Integrating OpenVPN, talking about non openvpn-specific things, like WINS, file sharing, HA of OpenVPN, certificate management, etc.
10:34 < ecrist> krzie: not if the lan gaming involves the actual vpn clients.
10:34 < ecrist> if you're setting it up for your xbox, yeah, but you're passing traffic through a vpn client.
10:35 < ecrist> if the vpn client is the one with the game, no bridge needed.
10:35 < ecrist> so, you can have a tap-based openvpn setup, without a single bridge actually in place
10:35 < ecrist> and for many games, an IP isn't even needed on any of the clients
10:42 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
10:48 <@vpnHelper> RSS Update - forum: Server Administration :: Re: VPN as service with Windows 2008 R2 not working :: Reply by Xerum <https://forums.openvpn.net/viewtopic.php?f=4&t=7231&p=8310#p8310>
10:49 < krzee> gotchya
10:49 < krzee> for me, a bridge is never needed
10:52 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
11:13 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
11:24 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
11:34 -!- buntfalke [~nobody@openvpn-p0-ipv6-107e.triple-a.uni-kl.de] has joined #openvpn
11:34 -!- buntfalke [~nobody@openvpn-p0-ipv6-107e.triple-a.uni-kl.de] has quit [Changing host]
11:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
11:48 -!- openbsdnoob [~openbsdno@88.79.221.61] has quit [Ping timeout: 255 seconds]
11:48 -!- openbsdnoob_ [~openbsdno@88.79.221.61] has joined #openvpn
11:48 -!- openbsdnoob_ is now known as openbsdnoob
12:48 < Bushmills> because you can walk across water?
12:49 < krzee> correct!
12:51 < Bushmills> reminds me of http://www.approximity.com/cgi-bin/blogtariAgile/index.rb/Forth
12:51 <@vpnHelper> Title: smart stuff (at www.approximity.com)
12:54 < Bushmills> another attempt of characterisation is done here: http://www.mememotes.com/meme_motes/2005/07/a_group_of_prog.html  unluckily, no walking on water, but i think the subject resonates with you anyway.
12:54 <@vpnHelper> Title: Meme Motes - Harry Chesley's Weblog: A group of programmers walk into a bar... (at www.mememotes.com)
12:56 < Bushmills> though i thing he should have said "wine white me give"
12:56 < Bushmills> tihnk
12:56 < Bushmills> grr..
13:32 < ecrist> how is it, as a network/system admin, I write better code than our programmers?
13:32 < ecrist> *blam* *blam* *blam*
13:32 < ecrist> problem solved.
13:33 < |Mike|> ecrist: because they are cheaper
13:33 < ecrist> lol
13:33 < ecrist> and, I suppose, they don't ask questions like admins do.
13:34 < ecrist> boss to me: write software that does FOO.  me: why?  we already to that with BAR.
13:35 < ecrist> bass ot dev:  write software that does FOO.  dev: OK (proceeds to re-write code they wrote two years ago, that does the same thing, only the way that's popular today, using some obscure language) 
13:37 < ecrist> we have a ton of PHP code, this having to do with our company website.  we have a function that writes a generic page header, and an arg you can pass that writes a simplified (VALID!!!) page head.  developer just wrote a *new* function to write a simplified one, that doesn't pull in our auditing code, doesn't pull in our debug functions, doesn't configure user session, etc, etc.  when I asked why, he said he didn't feel like reading ...
13:37 < ecrist> ... the source (or asking, apparently) to find out if we could already do that
13:37 < ecrist> </vent>
13:38 -!- [1]sde [~sde@93-97-41-44.zone5.bethere.co.uk] has joined #openvpn
13:39 -!- sde [~sde@93-97-41-44.zone5.bethere.co.uk] has quit [Ping timeout: 264 seconds]
13:39 -!- [1]sde is now known as sde
13:41 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 252 seconds]
13:41 < |Mike|> ecrist: i would fire someone for beeing ignorant like that
13:43 < ecrist> I would love to
13:56 -!- dazo_afk_afk is now known as dazo
14:06 -!- avleen [~avleen@chiku.silverwraith.com] has joined #openvpn
14:07 < avleen> hey guys :) I'm trying to get openvpn running on a linux client but having a problem. I can see the server is pushing some routes to the client, but none of them are getting applied. I know the server's config is correct because if i used tunnelblick on OSX as the client, it's all fine. just doesn't seem to work from linux.
14:07 < avleen> anyknow know what might be up with that?
14:07 < avleen> does it need a helper script or something?
14:08 < krzee> !configs
14:08 <@vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
14:08 < krzee> !logs
14:08 <@vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
14:08 < krzee> are you starting it from root...?
14:09 < avleen> i'll get the configs :)  yes starting from root
14:17 < avleen> http://pastebin.com/5wcTB98y
14:17 < avleen> i'm just starting it with:  openvpn --config file.opvn
14:17 < avleen> trying to get the logs
14:21 < krzee> when ONLY using --config, you can drop --config
14:21 < krzee> and can just use openvpn file.ovpn
14:21 < avleen> oh ok :)
14:21 < krzee> if you add any other config options, you must use --config
14:21 < krzee> (not a biggie, just lil info ;] )
14:21 < avleen> that's good to know :)
14:22 < krzee> along the same lines of stuff that doesnt matter
14:22 < avleen> this ubuntu thing is being crap to me today. nothing is copying out of the terminal heh. 
14:22 < krzee> tls-client is part of client, so you can remove that line
14:22 < krzee> you didnt paste the server config
14:22 < avleen> oops! one moment
14:34 < krzee> !changelog
14:34 <@vpnHelper> krzee: "changelog" is http://www.openvpn.net/changelog.html to see the openvpn changelog
14:34 < krzee> (thats for me)
14:44 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:45 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
14:48 -!- s7r [~s7r@66.199.231.250] has joined #openvpn
14:51  * krzee sounds the buzzer
14:51 < krzee> sorry out of time, leaving work
14:51 < krzee> but theres plenty of people here who can help =]
14:52 -!- aliverius [~george@athedsl-372258.home.otenet.gr] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
14:52 -!- aliverius [~george@athedsl-372258.home.otenet.gr] has joined #openvpn
14:56 -!- papas_son [~chatzilla@68-116-31-34.static.yakm.wa.charter.com] has quit [Quit: ChatZilla 0.9.85 [SeaMonkey 2.0.9/20101021005727]]
15:06 -!- dazo is now known as dazo_afk
15:12 -!- s7r [~s7r@66.199.231.250] has quit [Ping timeout: 276 seconds]
15:40 -!- patelx [patel@openvpn/corp/admin/patel] has quit [Quit: ircN 8.00 for mIRC (20100904) - www.ircN.org]
15:43 -!- openvpn2009 is now known as patelx
15:43 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
15:50 -!- abeehc [~bob@d207-6-195-163.bchsia.telus.net] has joined #openvpn
15:50 -!- petan [~KVIrc@71.236.broadband11.iol.cz] has quit [Ping timeout: 252 seconds]
15:53 < abeehc> anyone have any suggestions on how to get 2.1.3 working on win7? we just started getting win7 laptops and I don't want to give the user admin privs
15:53 < abeehc> i'm not sure disabling uac is a good plan 
15:53 < krzie> hehe
15:53 < krzie> ahh now i see the whole question
15:53 < abeehc> :)(
15:53 < krzie> if you want the vpn always active, you can use it as a service
15:54 < abeehc> it's an on demand thing when they aren't in the office
15:54 < krzie> otherwise, it must have permissions to set routes on the tap interface (which is why you start as admin)
15:54 < abeehc> when prepping xp i just added their user to network configurators group
15:54 < abeehc> Yeah
15:54 < krzie> i havnt used windows in like 6 yrs really, only even seen win7 2x
15:54 < abeehc> i don't blame you
15:55 < krzie> MacBookPro6,1 CPU: Intel Core i7 M 620 2.67GHz @ 2.66GHz [/FPU/MMX/SSE/SSE2/SSE3/S.SSE3/SSE4.1/SSE4.2/x86_64/PAE/XD/EM64T/VMX/EST] L2: 512K FSB: 4800MHz Airport:  (802.11 a/b/g/n)  RAM: 2.7GB/8.0GB Vram: 18.78M/256.00M Disk: 423.04GB/465.44GB GPU: Intel HD Graphics [288 MB/Stock] 1920x1200 OS: Mac OS X 10.6.4 (10F569) Kernel: Darwin 10.4.0 Up: 20 days  3:35
15:55 < krzie> the only way to fly ;]
15:56 < abeehc> if i had a sexy script id argue
15:56 < abeehc> Hostname: coastline - OS: Linux 2.6.32-25-server/x86_64 - Distro: Ubuntu 10.04.1 LTS  LTS - CPU: 2 x Intel Pentium 4 (1200.000 MHz) - Processes: 148 - Uptime: 5d 39m -  Users: 4 - Load Average: 0.65
15:56 < abeehc> forgot my eggdrop has something like that
15:57 < krzie> !windows
15:57 <@vpnHelper> krzie: "windows" is pcs are like air conditioners, they work fine unless you open windows
15:57 < krzie> ;]
15:58 < abeehc> not easy to justify the apple tax when the windows laptops, for the most part, work
16:00 < krzie> my desktops are hackintosh, but for the laptop i wanted genuine
16:00 < krzie> could easily go hackintosh on the lappy too if i wanted too
16:00 < krzie> to*
16:00 < abeehc> i did hackintosh on my laptop a good few years ago
16:00 < abeehc> when 10.3 was pretty well the latest hehe
16:01 < krzie> damn i didnt realize it was around that long
16:01 < abeehc> i was fourtunate to have the right laptop at the time of course 
16:01 < krzie> now-a-days we can install retail osx on hackintosh, no worries when updating
16:02 < krzie> i wonder if there is a sudo-like thing for windows
16:02 < krzie> that could solve your issue
16:02 < abeehc> that's what i'm starting to think about
16:02 < abeehc> but i'm afraid it sucks too much
16:02 < krzie> well its windows
16:02 < abeehc> i would have hoped, uac enables that possibility
16:02 < abeehc> but clicking around in this os just annoys me
16:02 < krzie> prolly does
16:03 < abeehc> i'll have to detail whatever happens if i do get it to work
16:03 < krzie> totally, would make a good addition to our wiki
16:03 < krzie> !wiki
16:03 <@vpnHelper> krzie: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
16:15 < krzie> !ircstats
16:15 <@vpnHelper> krzie: "ircstats" is (#1) 30-Day Stats: http://www.secure-computing.net/logs/openvpn-last30.html, or (#2) All-Time Stats: http://www.secure-computing.net/logs/openvpn.html
16:35 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
16:47 -!- krzy [krzee@hemp.ircpimps.org] has joined #openvpn
16:47 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 245 seconds]
16:49 -!- krzy [krzee@hemp.ircpimps.org] has quit [Client Quit]
16:49 -!- krzie [krzee@hemp.ircpimps.org] has joined #openvpn
16:49 -!- krzie [krzee@hemp.ircpimps.org] has quit [Changing host]
16:49 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
16:52 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 252 seconds]
16:55 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 255 seconds]
16:56 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
17:01 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
17:02 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Remote host closed the connection]
17:27 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 276 seconds]
17:32 -!- jww [~jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Ping timeout: 276 seconds]
17:43 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
17:45 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
17:52 -!- [1]sde [~sde@93-97-41-44.zone5.bethere.co.uk] has joined #openvpn
17:55 -!- OnionSalmon [~OnionSalm@93.179.52.69] has joined #openvpn
17:55 -!- sde [~sde@93-97-41-44.zone5.bethere.co.uk] has quit [Ping timeout: 252 seconds]
17:55 -!- [1]sde is now known as sde
17:57 < OnionSalmon> My VPN server has stopped routing VPN to the internet from what i can see. Can anyone help me check the network for possible routing problems ?
18:09 < OnionSalmon> The server is working fine, serving webpages and so on, but for some reason the ISP gateway has stopped responding to pings and seems to block VPN-connections..
18:10 < OnionSalmon> The vpn tunnel goes up and i can ping computers on the remote internal lan but not route it outside.
18:12 < OnionSalmon> No change has been made to the setup for atleast a year.
18:13 -!- nukedeath [~quassel@pc5053.stdby.hin.no] has joined #openvpn
18:13 < nukedeath> hum hello folks!
18:13 < OnionSalmon> The tunnel and routing works a bit to the outside. It can load half a page and then gives up
18:13 < OnionSalmon> Sometimes
18:13 < OnionSalmon> hello!
18:13 < nukedeath> is this possible? http://dl.dropbox.com/u/1758502/VPNidea.jpg
18:15 < OnionSalmon> Isnt it PTP Point to point (Protocol)
18:15 < OnionSalmon> ?
18:17 < nukedeath> the thing is, that vyprvpn only supports pptp, and 1 connection. So if i setup an openvpn server at campus, i can connect all my clients, to my openvpn server, which is connected to vyprvpn! :D
18:18 < OnionSalmon> You need "PPTP over openVPN" to some outside vpn server via openvpn ?
18:19 < nukedeath> uhm, kinda hard to explain..
18:19 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
18:20 < nukedeath> I have 1 VPN provider, VYPRVPN, which allows me to connect to the VPN server, with PPTP, but only 1 computer at a time!
18:20 < OnionSalmon> Aha
18:20 < OnionSalmon> And you need more
18:20 < nukedeath> So i want to setup an OpenVPN server, and let all my clients connect to That server, which again uses VYPRVPN
18:20 < nukedeath> its kinda like dual vpn thingi :)
18:21 < OnionSalmon> VYPRVPN looked like your home server at first :)
18:21 < OnionSalmon> PRV for private
18:21 < nukedeath> ah
18:21 < nukedeath> :P
18:21 < nukedeath> but no its the other way around^^
18:22 < nukedeath> but again, it means i have to setup PPTP VPN on my server, and setup routed OpenVPN, that uses the PPTP VPN for internet access
18:22 < nukedeath> or something like that..
18:22 < OnionSalmon> Setup your own home server to the VYPRVPN via PPTP and setup iptables sharing via to clients connectiong via your-to-be openvpn server :)
18:23 < OnionSalmon> Exactly! :)
18:23 < OnionSalmon> Multi vpn chains :)
18:24 < OnionSalmon> I think my isp has started to fiddle with port 1194 on their router
18:24 < OnionSalmon> or switch rather.
18:26 < nukedeath> i really need to get into this vpn thingi...
18:26 < OnionSalmon> Or its the wireless broadband account people. Hard to tell.
18:27 < OnionSalmon> Setup a vpn server at home and try to have both it and the PPTP client living gracefully together :)
18:28 < nukedeath> hehe jupps
18:28 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined #openvpn
18:28 < nukedeath> or it will be at the universitys Computer club x3
18:28 < OnionSalmon> :)
18:29 < OnionSalmon> Or why not route the second computer via the first one ?
18:29 < nukedeath> i only have 1 computer disposable for this
18:29 < nukedeath> :3
18:30 < OnionSalmon> 2 computers needs vpn access to the pptp provider in your diagram...
18:30 < nukedeath> but getting openvpn server running on that computer could not be so hard
18:31 < OnionSalmon> If computer 1 and computer 2 shared computer 1's vpn connection id also be ok, but theyd have the same ip.
18:31 < nukedeath> ah, no i want to possibility to connect every computer to the OpenVPN server, to get internet from the PPTP VyprVPN :P
18:31 < OnionSalmon> I see :)
18:32 < OnionSalmon> Then you need that outside vpn server combined with a pptp client
18:32 < OnionSalmon> Or just skip the pptp part ?
18:32 < nukedeath> the PPTP part is why i have to setup an openvpn server :3
18:32 < OnionSalmon> Aha
18:33 < nukedeath> or i could just to a SSH tunnel to the server with the PPTP connection running
18:33 < OnionSalmon> Its the end goal of the connections so to speak
18:33 < nukedeath> but a openvpn server sounded more nice
18:33 < nukedeath> yeah, all computers inn to the server, vyprvpn only sees 1 connection
18:33 < nukedeath> everyones happy :)
18:33 < OnionSalmon> you need a tap or a bridge or some virtual net device anyhow.
18:34 < OnionSalmon> :)
18:35 < OnionSalmon> What dist are you using at home and do you have X on it ?
18:36 < nukedeath> i got ubuntu running on the server
18:36 < nukedeath> and no only terminal xD
18:36 < OnionSalmon> I use this thing, works ok for me: http://mange.dynalias.org/linux/gadmintools-webpage/app_pages/gadmin-openvpn-server.html
18:36 < OnionSalmon> Ah!
18:37 < OnionSalmon> Takes a long time to setup otherwise i think, plus its not so easy.
18:37 < nukedeath> its dang hard most likely, but then again everyone likes a challange :)
18:38 < OnionSalmon> Sure, it can be nice to know.
18:39 < OnionSalmon> I spent 1 month before i got everything going as it should. The hardest part is the init scripts and trying to make openvpn work nicely with networkmanager
18:40 < OnionSalmon> So after some months i was able to make that gui
18:42 < nukedeath> uhh fancy fancy :)
18:42 < OnionSalmon> I have recent troubles with my own vpn links. 1. Wireless mobile isp guys has made adjustments for companies using vpn. 2. My other ips router doesnt seem willing to let port 1194 alone :)
18:42 < OnionSalmon> Thanks!
18:43 < OnionSalmon> Ive been writing the guis for 12 years now. Looking forward to the next 30 years :)
18:44 < OnionSalmon> I have 2 more guis ready, but its for a university project so i need to wait for the release since they must correct it first :(
18:45 < OnionSalmon> Btw: indenting C and GTK+ code to 80 colums (looks uncool)
18:46 < OnionSalmon> foobar = (next line)
18:46 < OnionSalmon> g_strdup_printf( (next line)
18:46 < OnionSalmon> _("Hello"));
18:46 < OnionSalmon> :)
18:47 < nukedeath> ^^
18:48 < nukedeath> but now i have to sleep thight for tomorrow, will be lurking these channels til i get the vpn up and running^^
18:48 < OnionSalmon> Best of luck!
18:51 < OnionSalmon> nukedeath: Do you know a guy called "Asbjorn Wetlesen" at Findexa ?
18:52 < OnionSalmon> gulesider.no is trying to connect flood my site.
18:52 < OnionSalmon> 500 simoultaneous connections etc.
18:53 < OnionSalmon> They are using something called "Apptusbot", made in Sweden from what i can see.
18:54 < OnionSalmon> The malconfigured (ehem) computer is called flamme.gulesider.no
18:54 < OnionSalmon> http://mange.dynalias.org/linux/misc/Findexa_Asbjorn_Wetlesen/flamme_1.txt
18:55 < OnionSalmon> Previous lockouts, but now he seems to have amped up...
18:55 < OnionSalmon> http://mange.dynalias.org/linux/misc/Findexa_Asbjorn_Wetlesen/Service_Guardian_log_1.txt
18:56 < OnionSalmon> http://mange.dynalias.org/linux/misc/Findexa_Asbjorn_Wetlesen/Asbjorn_Wetlesen_Crappy_ApptusBot.txt
18:58 < OnionSalmon> I emailed to: asbjorn.wetlesen@findexa.no but this address does not exists there.
18:58 < OnionSalmon> exist
18:58 < OnionSalmon> gulesider has ignored my email.
18:58 < OnionSalmon> as well.
18:59 < OnionSalmon> Should i reroute his traffic to findexa and gulesider ? :)
19:01 < OnionSalmon> www.eniro.no
19:05 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
19:14 < OnionSalmon> gorkhaan: 254.97.74.167 advanced! How ?
19:16 < OnionSalmon> Or did my ipv6 to ipv4 converter code screw up ?
19:18 < OnionSalmon> Naah ;)
19:18 < OnionSalmon> NetName: SPECIAL-IPV4-FUTURE-USE-IANA-RESERVED
19:22 < OnionSalmon> This block was reserved by the IETF. Cool
19:24 < OnionSalmon> gorkhaan: Greetings! :)
19:31 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
19:38 < OnionSalmon> maybe someone can fix this flamme.gulesider.no so that it doesnt connect 500 times at once to my apache webserver serving Open Source GPL2 and 3 software ...
19:41 < OnionSalmon> Maybe its some sort of taliban cell that likes microsoft very much so they feel its ok to flood competitors, just like microsoft likes todo:...
19:41 < OnionSalmon> Microsoft FUD's OpenOffice/Oracle: http://www.idg.se/2.1085/1.346480/video-fran-microsoft-sagar-openofficeorg
19:41 <@vpnHelper> Title: Video från Microsoft sågar Openoffice.org - IDG.se (at www.idg.se)
19:41 < OnionSalmon> Tanslation: Microsoft bashes OpenOffice
19:41 <@vpnHelper> RSS Update - forum: Server Administration :: How fixed ip client :: Author odylive <https://forums.openvpn.net/viewtopic.php?f=4&t=7233&p=8311#p8311>
19:42 < OnionSalmon> Translation
19:42 < OnionSalmon> Why is the IT world so damn backstabbing ?
19:43 < OnionSalmon> Atleast when it comes to money that they can possibly earn they bash everyone all over that can possibly compete ?
19:49 < OnionSalmon> And microsoft company that should be "Humane" etc. What a load of crock.
19:52 < OnionSalmon> On BBC they showed Melissa Gates "halping all teh childrens" as a response for that they never do anything good besides handing out cd's of windows "for millions and billions" to needing people (IE: schools to increment the drug(windows) use) and to further deminish all competition.
19:52 < OnionSalmon> helping
19:54 < OnionSalmon> A truely nobel task (Yeah, Bill Gates got a nobel prize from KTH-Sweden) for making everyone dependent on windows and Stalinizing the worlds IT economies.
19:54 < OnionSalmon> "Honorary Doctor" was the title i think.
19:55 < OnionSalmon> "Royal Technical University" ... What a shame!
19:56 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
19:58 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
19:58 < OnionSalmon> Ps: The "Millions and Billions" cost them (the cost of a burnt cd * As many as they handed out). So a dime or 10 cents * number_of_handouts
20:00 < theDoc> OnionSalmon: Just filter that ip, ;p
20:00 < theDoc> Anyway, good morning to you all.
20:00 < OnionSalmon> theDoc: Morning!
20:01 < theDoc> 9am here, I'm in a pretty mood.
20:01 < OnionSalmon> theDoc: I feel that they have attacked me and still doing so after a year so now i wish to retalliate :)
20:01 < OnionSalmon> Wisely btw :)
20:01 < OnionSalmon> Im in a perfect mood
20:02 < OnionSalmon> theDoc: Iptables rule to redirect flamme.gulesider.no to www.eniro.no Plz ? :)
20:02 < OnionSalmon> Or route
20:03 < OnionSalmon> Thats a bit of the current Norwegian govt i dont like
20:03 < OnionSalmon> If they send garbage to me i can return the garbage
20:04 < OnionSalmon> theDoc: Its night here btw
20:04 < OnionSalmon> I see i can smurf their nets if i want to, but i want to to it legally
20:04 < OnionSalmon> to do
20:05 < theDoc> OnionSalmon: I usually just drop them, ;p
20:05 < OnionSalmon> Ive been thinking about what to do since they started a year ago
20:05 < OnionSalmon> Yeah, but i have nice backings to do things :)
20:05 < theDoc> I usually just give people hugs.
20:05 < OnionSalmon> So if i DOS you, youll hug me ?
20:06 < OnionSalmon> Although you cant because your lines would be down :)
20:06 < theDoc> That's true as well but I usually have more than one line ;p
20:07 < OnionSalmon> Suppose i staurated all your lines, would i still get a hug ?
20:07 < theDoc> OnionSalmon: If they're really annoying you, why don't you try to contact someone from their end instead of ddosing?
20:08 < OnionSalmon> I have sent mails to findexa and eniro 2 months ago. The person supposedly handling the domain and his contact info returned the mail saying ENOENT
20:08 < OnionSalmon> Eniro didnt respond at all, but the mail got thru
20:08 < OnionSalmon> I have automatic blocking, but they are screwing up my application download statistics
20:09 < OnionSalmon> So i have to deduct their hits in the counter script
20:09 < OnionSalmon> hits/downloads
20:12 < OnionSalmon> Maybe ill have to contact telia again so they can fix it. People are attacking a bit these days.
20:12 < theDoc> I suppose you're really left with fighting with their upstream.
20:12 < theDoc> Just saying that ddos isn't the best solution here, contacting their upstream probably is.
20:13 < OnionSalmon> I know some telians well. They also provide upstream from those enirosians i think so maybe if they cut their lines a bit theyll listen :)
20:13 < theDoc> Yeah, that's probably a better option.
20:13 < OnionSalmon> Naah, i dont dos :)
20:13 < OnionSalmon> A smurf is not a dos either :)
20:14 < theDoc> I should go do breakfast soon and get back to studying.
20:14 < OnionSalmon> Its just like a ballpark but with lots of balls flying aross the rooms :)
20:14 < OnionSalmon> Hehe, have fun and thanks for your input.
20:15 < OnionSalmon> I guess itd be illegal to break their systems now :)
20:19 < OnionSalmon> Not that this would be very hard. Pretty much like in 1995-8 or so when i printed a Pig in Tokyo Japan :)
20:19 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 276 seconds]
20:19 < OnionSalmon> Windows was exactly as rotten then as it is now :)
20:24 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
20:27 < OnionSalmon> Alrighty, sent another email.
20:28 < OnionSalmon> There will be no third email, BAM! :)
20:29 < OnionSalmon> Hi Diffen
20:30 < OnionSalmon> Track 8 - De Lyckliga Kompisarna från Le Som En Fotomodell.
20:31 < OnionSalmon> vpnHelper...
20:31 < OnionSalmon> vpnHelper --help
20:31 <@vpnHelper> OnionSalmon: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
20:31 < OnionSalmon> De Lyckliga Kompisarna från Le Som En Fotomodell.mp3 ?
20:32 < OnionSalmon> Hmm, it got this correctly identified: http://www.idg.se/2.1085/1.346480/video-fran-microsoft-sagar-openofficeorg
20:32 <@vpnHelper> Title: Video från Microsoft sågar Openoffice.org - IDG.se (at www.idg.se)
20:33 < OnionSalmon> LibreOffice doesnt seem willing to compile yet, but its already much better them OpenOffice. Hideous build system.
20:34 < OnionSalmon> Its too big as well. Its always been and i cant understand why the translations take so much space
20:36 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
20:36 < OnionSalmon> One of my typical projects: [root@server1 po]# wc -l sv.po
20:36 < OnionSalmon> 1939 sv.po
20:36 < OnionSalmon> 1939 translation lines....
20:36 < OnionSalmon> du -h sv.po
20:36 < OnionSalmon> 44K	sv.po
20:37 < OnionSalmon> But that office thing takes up gigabytes for all languages ?
20:37 < OnionSalmon> ehm, many laguages
20:38 < OnionSalmon> Say 100K per language * 100 languages == 10000 K
20:39 < OnionSalmon> Its must be some obsolete translation style
20:40 < OnionSalmon> And remaking the java funcs should take off a few thousand lines and make it much speedier
20:40 < OnionSalmon> Oracle did make a god job there though, although i bet that was redhat/novell and the other coders
20:42 < OnionSalmon> The hardest parts to compile in an entire GNU/Linux operating system to date is "Yelp" (The help reader for gnome) and OpenOffice (More luck then not to have it compile)
20:46 < OnionSalmon> Easy ? : http://mange.dynalias.org/linux/misc/scripts/OO_Build.sh
20:47 < OnionSalmon> that can build if youre lucky :)
20:47 < OnionSalmon> The pixman patching is one bit it fails at, the second is always the missing module "Testautomation"
20:47 < OnionSalmon> Crap
20:48 < OnionSalmon> Sorry, but its how i feel having built GNU/Linux from scratch with gnome and xfce etc about 20 times now wo problems except YELP and OpenOffice.
20:50 < OnionSalmon> Since 2005: http://mange.dynalias.org/linux/distribution/admin-packages/stable/distfiles/packages.conf
20:52 < OnionSalmon> Theres probably one or 2 dependencies that arent correct but it builds new systems without too much hazzles
20:53 < OnionSalmon> 10 patches for net-tools. Hmm
20:55 < OnionSalmon> Search: <net-tools>
20:56 < OnionSalmon> This is my current new dist build scheme: http://mange.dynalias.org/linux/distribution/admin-packages/stable/new-dist/packages.conf
20:56 < OnionSalmon> LFS if you will
20:58 < OnionSalmon> Totally worth the time and effort :)
20:59 < OnionSalmon> Not so many in the world knows how to do this so i dont think its useless information.
21:02 < OnionSalmon> If i buy Microsoft office and find a bug i get to pay 70 USD to tell them that and maybe theyll fix the bug a year after :)
21:09 < OnionSalmon> "Art of Transport Logistics" from the microsoft video is: A little Polish repo firm in Kazachstan ?
21:09 < OnionSalmon> 2 employees :)
21:10 < OnionSalmon> And a schoolchief in Pittsburg :P
21:14 < OnionSalmon> This is always a pain. To switch technologies that the old people cling on to with dear life. Old techs that refuse to learn anything new or retire etc.
21:15 < OnionSalmon> I have one thing to say to them "Like computings or dont work with it" !!!
21:17 < OnionSalmon> Many taxi cabbies and paper-pushing people rather want to do garden work. Why not put Ballmer in a garden ? :)
21:17 < OnionSalmon> Maybe his presence will kill all the flowers, but it could be worth a shot :P
21:18 < OnionSalmon> Make them all black :)
21:18 < OnionSalmon> Id love to make a ballmer commercial where he walks along a cornfiels and all the little flowers around him becomes black and dies :)
21:21 < OnionSalmon> Or just subst him in that alien movie where that happens.
21:21 < OnionSalmon> scifi movie, not "alien".
21:22 < OnionSalmon> Sunshine Baby - Stonecold from Ministry Of Sound Dance Anthems.
21:27 < OnionSalmon> Having looked at the Media-outlet i can only see that they wish to make us sick of IT alltogether. Facebook is another way to make people tired of it, facebook is constructed in that way "Bombaardment" of emails and idiots.
21:29 < OnionSalmon> Listen to what you hear, even if its english or whatnot. Turn it off if it suggests something you dont like.
21:31 < OnionSalmon> Example 1: Blah blah blah "Here alone, take me out of the sahara". Turn it off and dont think of it. Youre never alone.
21:31 < OnionSalmon> Or realize thair intents and listen to it anyway because now you know.
21:32 < OnionSalmon> their
21:32 < OnionSalmon> Intent.
21:35 < OnionSalmon> Vagabonds and Children we are in this Together... What a load of crock. They forgot people aging 6-64 atleast :)
21:36 < OnionSalmon> Highly suggestive: "Summer Dance Mania 2010"
21:37 < OnionSalmon> With the intent to make people watch MTV instead of doing productive things.
21:37 < OnionSalmon> btw... we still have mtv here. Im forced to pay tax for that although NOONE watches it.
21:40 < OnionSalmon> MTV today: No daddy i dont want that color on the new ferrari you want to buy me /buhu.
21:41 < OnionSalmon> Feels like even Americans cant like that nowdays :)
21:57 < OnionSalmon> I moved to a new apartment in Sweden a few years ago. Asked, just out of curiosity if i could use Linux to surf the web and read my email in this network (Cantab). The response from a guy called Peter was "Hello no, this is a private network. You cant use Linux here". I later learned this guys nickname is actually "Phatter" and that he is generally angry as hell.
21:59 < OnionSalmon> The real life nickname would be "Feter" wich means A fat one :)
21:59 < OnionSalmon> But according to him it was "His private network" although it was not.
22:00 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
22:00 < dogarrhea1> ok.. so i configured the server aspect of openvpn according to these docs: http://library.linode.com/networking/openvpn/ubuntu-10.04-lucid
22:00 <@vpnHelper> Title: Deploy VPN Services with OpenVPN - Secure Communications with OpenVPN on Ubuntu 10.04 (Lucid) - Linode Library (at library.linode.com)
22:01 < dogarrhea1> which are 2000000 times better than anything on the openvpn site.  Now how do i configure the client?
22:01 < OnionSalmon> It was not as if that idiot took a shovel and digdug the 200 miles of fiber optics into the ground :P
22:01 < dogarrhea1> on windows using openvpn gui
22:02 < OnionSalmon> That gui cant handle certs and username/passwords at the same time because the guy making doesnt realize ITS NOT EITHER OR, It can be ANY or BOTH :)
22:02 < OnionSalmon> He doesnt even answer emails
22:03 < dogarrhea1> what is this mysterious poorly documented tls-remote variable i see in these very poorly documented openvpn config files?
22:03 < OnionSalmon> It means, use tls encryption
22:04 < OnionSalmon> Hmm, let me check
22:04 < OnionSalmon> tls-client, tls-auth...
22:06 < OnionSalmon> That was from the client setup... checking the server setup
22:06 < OnionSalmon> tls-auth certs/ta.key 0
22:06 < OnionSalmon> tls-server
22:07 < OnionSalmon> Im not using tls-remote
22:07 < dogarrhea1> is there any GOOD dcoumentation on how to configure the client...
22:07 < dogarrhea1> i can't find any in google
22:07 < dogarrhea1> it's ridiculous i might just use something else
22:07 < OnionSalmon> gadmin-openvpn-client
22:08 < OnionSalmon> http://mange.dynalias.org/linux/gadmintools-webpage/app_pages/gadmin-openvpn-client.html
22:08 < dogarrhea1> oh i'm on windows right now 
22:10 < OnionSalmon> Ok, hmm... yeah openvpngui works after you write the openvpn.ovpn configuration file
22:11 < OnionSalmon> I used something called acevpn. A fork off the dreadful (sorry), windows vpn gui thats not getting as much love as it needs because the guy making it doesnt reply to the emails etc.
22:12 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
22:12 < dogarrhea1> love open shit software
22:12 < OnionSalmon> It tends to have owners that care, yes.
22:13 < OnionSalmon> Itd be nice if anyone ported gadmin-openvpn-client to windows.
22:14 < OnionSalmon> Its mostly about adding c:\\ and changing / to \
22:14 < OnionSalmon> Then its be the same on all platforms
22:15 < OnionSalmon> The start and stop scripts would need to be windozeified as well.
22:15 < OnionSalmon> wscript i think its called.
22:16 < OnionSalmon> Or something that executes scripts
22:17 < OnionSalmon> KTH did make the windows openvpngui. Has bill gates as its rolemodel :P
22:17 < OnionSalmon> Pretty rotten, but not that openvpngui guys fault.
22:18 < OnionSalmon> I guess.
22:19 < OnionSalmon> dogarrhea1: The crypt() function will have to be substituted to the windows equiv as well.
22:20 < OnionSalmon> But i endorse it.
22:20 < dogarrhea1> bah
22:20 < dogarrhea1> this is too hard
22:20 < OnionSalmon> You have a nack for saying that.
22:22 < OnionSalmon> Never say "I cant", instead say "I can do this, no problem"
22:22 < dogarrhea1> it is too hard.. there's no docs
22:22 < OnionSalmon> ? www.openvpn.net ?
22:22 < OnionSalmon> All you need is there
22:23 < dogarrhea1> it's like "ok you have to eat BUTTTT, before you put a spooonful of food in your mouth, u have to guess the diffie hellman generated key that i randomly generate for you. otherwise u can't eat"
22:23 < dogarrhea1> n onionsalmon
22:23 < dogarrhea1> those docs are useless
22:23 < dogarrhea1> i tried them. 
22:23 < dogarrhea1> it's basically guess and error
22:23 < dogarrhea1> and guess and error
22:23 < dogarrhea1> and guess and error
22:23 < OnionSalmon> I made a server and a client gui from those docs alone
22:23 < dogarrhea1> for hours and hours and hours
22:23 < dogarrhea1> i'm not a programmer looking to do that onionsalmon
22:23 < dogarrhea1> those docs are not written for me
22:24 < dogarrhea1> i just want to securely tunnel. via a server that i do not own but rent (ubuntu)
22:24 < dogarrhea1> so i can surf the internet/do whatever without being tracked
22:24 < OnionSalmon> This is the OpenSource server gui version: http://mange.dynalias.org/linux/gadmin-openvpn/server/screenshots/gadmin-openvpn-server-settings.png
22:24 < dogarrhea1> what's a  VERIFY X509NAME ERROR:
22:24 < OnionSalmon> Seems hard ?
22:25 < OnionSalmon> You press a button to have the certs generated and you can export the cert bundle to clients by pressing the export button
22:25 < dogarrhea1> i have all the certs
22:25 < OnionSalmon> This is the client gui: http://mange.dynalias.org/linux/gadmin-openvpn/client/screenshots/gadmin-openvpn-client.png
22:26 < dogarrhea1> too bad it doesn't work on windows
22:26 < OnionSalmon> With the import button you import server certs and configurations.
22:26 < OnionSalmon> Yep
22:26 < dogarrhea1> o well i will resign myself to finding someone who knows how to do this on windows.
22:26 < dogarrhea1> the docs don't help me at all.
22:27 < OnionSalmon> The windows version isnt very good unfortunately
22:27 < OnionSalmon> The docs helped me to make these guis
22:27 < dogarrhea1> heh that is something i'm not gonna do
22:27 < OnionSalmon> The docs are correct
22:27 < OnionSalmon> Good luck sir! :)
22:29 < dogarrhea1> andrew wile's proof of Fermat's last theorem is correct
22:29 < dogarrhea1> and the documentation is there.
22:29 < dogarrhea1> everyone should be able to know it now.
22:29 < dogarrhea1> yep
22:29 < dogarrhea1> anyways bye thanks for trying
22:29 < OnionSalmon> A book about perfect fermentation temperatures ? :)
22:30 < OnionSalmon> Oh, i dont try but you use DOS :)
22:30 < dogarrhea1> the problem is simple to understand.
22:30 < OnionSalmon> Its hard to help on a thing i only have 20 microsoft certs on and think is garbage.
22:31 < dogarrhea1> a^n + b^n = c^n     "there are no integers in n that solve this"
22:31 < dogarrhea1> after 2
22:31 < OnionSalmon> I have setup openvpn on windows clients, but the windows openvpngui isnt very user friendly.
22:31 < dogarrhea1> well this is theoretical complexity... my problem isn't even of this order. it's stupid engineering complexity
22:31 < dogarrhea1> what do you use?
22:32 < OnionSalmon> Linux, BSD, Solaris. Basically as many dists as i have computers.
22:32 < dogarrhea1> what client did you use
22:32 < dogarrhea1> to set up on windows
22:32 < OnionSalmon> openvpngui
22:33 < OnionSalmon> But you still have to fiddle with the conf/txt file.
22:33 < OnionSalmon> The Linux/OSS server gui exports for windows clients as well.
22:34 < dogarrhea1> can you tell me what Thu Nov 04 20:19:15 2010 VERIFY X509NAME ERROR:  means?
22:34 < OnionSalmon> X509 Certificate is outdated ?
22:34 < dogarrhea1> which means?
22:34 < dogarrhea1> in layman terms?
22:35 < OnionSalmon> You have neglected to make it valid for longer then 30 days / I dunno
22:35 < dogarrhea1> ugh. time to abandon 
22:35 < dogarrhea1> bye
22:35 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has left #openvpn ["Leaving"]
22:35 < OnionSalmon> Microsoftie girl ?
22:35 < OnionSalmon> :)
22:37 < OnionSalmon> !Vsaa Dispatch Ganglians! cpe-98-149-134-210.socal.res.rr.com
22:37 <@vpnHelper> OnionSalmon: Error: "Vsaa" is not a valid command.
22:37 < OnionSalmon> Oh, it is over here ;)
22:39 < OnionSalmon> vpnHelper: Upp Å Håppa! :)
22:39 <@vpnHelper> OnionSalmon: Error: "Upp" is not a valid command.
22:39 < OnionSalmon> Translation: Up and jump..
22:39 < OnionSalmon> vpnHelper: Disperse
22:39 <@vpnHelper> OnionSalmon: Error: "Disperse" is not a valid command.
22:40 < OnionSalmon> vpnHelper: Deactivate
22:40 <@vpnHelper> OnionSalmon: Error: "Deactivate" is not a valid command.
22:40 < OnionSalmon> vpnHelper: Kiss
22:40 <@vpnHelper> OnionSalmon: "Kiss" is Keep It Simple Stupid
22:40 < ecrist> OnionSalmon: something you're looking for?
22:40 < OnionSalmon> vpnHelper: Love
22:40 <@vpnHelper> OnionSalmon: Error: "Love" is not a valid command.
22:40 < OnionSalmon> vpnHelper: Sex
22:40 <@vpnHelper> OnionSalmon: Error: "Sex" is not a valid command.
22:40 -!- mode/#openvpn [+o ecrist] by ChanServ
22:40 < OnionSalmon> vpnHelper: Humanity
22:40 <@vpnHelper> OnionSalmon: Error: "Humanity" is not a valid command.
22:40 -!- OnionSalmon [~OnionSalm@93.179.52.69] has quit [Quit: Quit]
22:41 -!- mode/#openvpn [+b *!*@93.179.52.69] by ecrist
22:41 -!- Irssi: #openvpn: Total of 105 nicks [5 ops, 0 halfops, 0 voices, 100 normal]
22:42 <@ecrist> !seen OnionSalmon
22:42 <@vpnHelper> ecrist: OnionSalmon was last seen in #openvpn 1 minute and 19 seconds ago: <OnionSalmon> vpnHelper: Humanity
22:43 <@ecrist> wtf, the swedes don't usually cause problems.
22:43 -!- Huemongus [~Huemongus@ip-115-210-241-92.dialup.ice.net] has joined #openvpn
22:44 < Huemongus> How yo doings there ehomo ? :)
22:44 -!- Huemongus [~Huemongus@ip-115-210-241-92.dialup.ice.net] has quit [Client Quit]
22:53 <@ecrist> gee, it was hard to figure out who that was.
22:53 -!- mode/#openvpn [+b *!*@92.241.210.115] by ecrist
22:54 -!- mode/#openvpn [-o ecrist] by ecrist
23:19 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
23:26 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:36 -!- szr [~SR@unaffiliated/szr] has quit [Ping timeout: 245 seconds]
23:41 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
23:50 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
--- Day changed Fri Nov 05 2010
01:24 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Ping timeout: 272 seconds]
01:25 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
01:28 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Remote host closed the connection]
01:42 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:45 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
01:50 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
01:53 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
01:56 -!- dazo_afk is now known as dazo
02:02 <@vpnHelper> RSS Update - forum: Routing and Firewall Scripts :: Re: how to add a kernel's route on the openvpn server? :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=17&t=7219&p=8312#p8312>
02:08 <@vpnHelper> RSS Update - forum: Routing and Firewall Scripts :: Re: how to add a kernel's route on the openvpn server? :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=17&t=7219&p=8313#p8313>
02:45 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
02:48 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
02:56 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
03:02 <@vpnHelper> RSS Update - forum: Configuration :: how to get ifconfig-push from client-connect :: Author burn <https://forums.openvpn.net/viewtopic.php?f=6&t=7234&p=8314#p8314>
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
04:41 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
04:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
04:45 -!- master_of_master [~master_of@p57B55E6C.dip.t-dialin.net] has quit [Ping timeout: 252 seconds]
04:47 -!- master_of_master [~master_of@p57B53512.dip.t-dialin.net] has joined #openvpn
04:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 272 seconds]
05:05 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
05:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
05:40 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
06:19 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
06:19 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
06:19 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
--- Log closed Fri Nov 05 06:34:59 2010
--- Log opened Fri Nov 05 06:35:10 2010
06:35 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined #openvpn
06:35 -!- Irssi: #openvpn: Total of 105 nicks [4 ops, 0 halfops, 0 voices, 101 normal]
06:35 -!- Irssi: Join to #openvpn was synced in 37 secs
06:43 -!- hargus [d42c1481@gateway/web/freenode/ip.212.44.20.129] has joined #openvpn
06:44 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: Disable redirect-gateway for one client :: Author florian <https://forums.openvpn.net/viewtopic.php?f=15&t=7235&p=8315#p8315>
06:47 < hargus> Hi everyone. Is it possible to disable ca verification clientside? I have set up PAM based authemication, and do not wish to distrubute the ca.crt. I know this is insecure.
07:07 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
07:17 < ecrist> !/30
07:17 <@vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
07:18 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
07:34 -!- [intra]lanman [~lanman@12.200.95.45] has joined #openvpn
07:34 -!- [intra]lanman [~lanman@12.200.95.45] has quit [Changing host]
07:34 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
07:54 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
08:09 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Quit: .]
08:12 < hargus> (now that more people are here) Hi everyone. Is it possible to disable ca verification clientside? I have set up PAM based authemication, and do not wish to distrubute the ca.crt. I know this is insecure.
08:12 < ultramage> so, how complicated would it be to make an openvpn server 'invite' a client to connect to it?
08:13 < ultramage> (piggybacking on the invitation tcp connection)
08:13 < ultramage> * or udp
08:25 -!- albech [~thomas@535AB203.flatrate.dk] has joined #openvpn
08:25 < albech> i just changed my vpn connection to tcp due to many disconnects and it hasnt happened since.. is this expected and are there any downsides with going tcp?
08:26 < ultramage> disconnects? it could be something inbetween timing out... for example if your keepalive is too low
08:26 < ultramage> er, too high :D
08:27 < ultramage> I'm using tcp because I get 10% packet loss and tcp fast retransmission ought to cope with that better than openvpn's own connection-over-udp protocol
08:27 < albech> ultramage, im connecting from thailand, so the stability of the connection is pretty poor
08:30 < ecrist> ultramage: you'd have to do such outside the scope of openvpn
08:31 < ultramage> hm?
08:31 < ecrist> you could do something like 'ssh <host> 'openvpn_start.sh'
08:31 < ultramage> aah
08:32 < ultramage> ecrist: the issue is the same as before - the server is not reachable, however it can make outgoing connections :)
08:32 < ecrist> right, I'm saying send that command to the client, from the server
08:32 < ecrist> albech: 
08:32 < ecrist> !tcp
08:32 <@vpnHelper> ecrist: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
08:33 < ultramage> I noticed that using udp mode in a packet loss scenario has far worse performance than using tcp
08:33 < ultramage> s/performance/responsiveness/
08:34 -!- Deffie [~Deffie@195.62.234.66] has joined #openvpn
08:34 < ultramage> I wonder if the udp behavior of openvpn can be tuned, for example to reduce retransmission timeout and disable congestion checking
08:34 < ultramage> in tcp, packet loss = congestion = exponential backoff = bad.
08:35 < ecrist> which is why running TCP on top of a TCP tunnel is a bad thing
08:35 < ultramage> yet it's far more responsive than tcp on top of an udp tunnel (openvpn's implementation at lesat)
08:35 < albech> ecrist, so you are saying i shouldnt be using tcp even it fixes my problem where the tunnel drops every min or so?
08:35 < ecrist> it depends,
08:35 < ecrist> albech: I don't recall saying that
08:35 < ultramage> albech: make your openvpn tunnel send pings every 15 seconds.
08:36 < ultramage> you have udp keepalive set to 60 seconds but the NAT mappings time out after 30 seconds
08:36 < ultramage> or something.
08:36 < ecrist> I'm guessing UDP state (even though it's stateless) is killed in his firewall
08:36 < ultramage> he says it only times out after a minute
08:37 < albech> it wasnt a problem yesterday morning when i was using it so im guessing its also related to load on the network
08:37 < ultramage> well, clearly you need to investigate it more, because the vague description you're giving isn't helping much
08:37 < ultramage> or use tcp mode until it goes away
08:37 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
08:37 < albech> im sorry fpr the vague description, but its the best i can come up with right now :(
08:37 < ultramage> tcp has fast retransmission
08:38 < ultramage> it still slows everything down by a factor of 4, but it's still better than a factor of 10+
08:40 -!- lupine_85 [~lupine_85@unaffiliated/lupine-85/x-7392152] has quit [Excess Flood]
08:43 -!- hargus [d42c1481@gateway/web/freenode/ip.212.44.20.129] has quit [Quit: Page closed]
08:43 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Read error: Connection reset by peer]
08:43 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
08:44 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
08:45 -!- lupine_85 [~lupine_85@unaffiliated/lupine-85/x-7392152] has joined #openvpn
08:50 <@dazo> ultramage: the problem with OpenVPN and TCP is when you have a lot of packet loss ... then the application using the tunnel will retransmit packets to the tunnel ... and then you have the OpenVPN-to-OpenVPN connection which will in addition do even the same ... so when the packets arrive finally you'll get a mess with a lot of original and retransmitted packets
08:51 <@dazo> ultramage: further ... there are a lot of tuning possibilities ... just read the man page ... it lists them all
08:51 <@dazo> and of course, in some networks, OpenVPN over UDP is impossible due to firewalls and routers messing too much with the packets ... in these situation, TCP is the only thing which might solve it
09:01 < ultramage> > there are a lot of tuning possibilities - I just checked, nothing relevant that has 'udp' in its contents
09:02 < ultramage> I rather doubt it's possible to tune the lowlevel udp implementation
09:02 < ultramage> which raises the question - is there a lowlevel udp implementation?
09:03 < ultramage> or does openvpn just shovel the data in udp packets with no reliability mechanism in place, leaving it up to the encapsulated protocols to figure it out?
09:10 -!- err0r [~err0r@err0r.enjoyvps.net] has joined #openvpn
09:13 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
09:22 < ecrist> ultramage: by definition, UDP is a best-effort service
09:22 < ecrist> fire and forget
09:23 < ecrist> it's up to higher-level protocols to deal with packet loss and mismatched checksums
09:32 < ultramage> no, YOU (openvpn) are the higher level in this case.
09:33 < ultramage> you decide to use udp, you have to manage your communication integrity.
09:33 < ultramage> in this case you can offload that task to the encapsulated payload
09:33 < ultramage> however, I wonder; does openvpn align its udp sends on packet boundaries?
09:34 -!- takamichi [~pri@pm301-97-169.keyworld.net] has quit [Ping timeout: 264 seconds]
09:34 < ultramage> if it doesn't, then the loss of one udp packet will mean the loss of multiple packets in the payload
09:34 < ultramage> also, when compressing, the loss of one udp packet will also mean the loss of multiple packets in the payload
09:35 < ultramage> in a zero-loss scenario, udp is far superior... but in a packet loss environment, it's the last thing you want to use
09:35  * ecrist starts to wonder if ultramage is a troll
09:35 < ultramage> nope, comes from real life experience (my own)
09:36 < ultramage> I was happily using udp, then came persistent 10% packet loss and it was unberable... switched to tcp, and I can actually use the connection.
09:36 < ultramage> the 2-second stalls become 250ms stalls
09:37 -!- takamichi [~pri@pm301-97-169.keyworld.net] has joined #openvpn
09:38 < ultramage> the techs today said the antenna has a clearly broken pigtail, and they'll be replacing the whole shoddy setup next week
09:42 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
09:43 < ultramage> also, left4dead also seems to run over unreliable udp.. and it is quite hard to connect to games right now.
09:44 < ultramage> but if you have no packet loss then it works like a charm :)
09:53 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
09:54 <@dazo> ultramage: OpenVPN is basically a secure virtual wire over the Internet ... it's the applications pushing data through that virtual wire (ie. the tunnel) which are the higher-level protocols
09:54 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: [Solved]Re: Disable redirect-gateway for one client :: Reply by ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7235&p=8316#p8316>
09:58 <@dazo> ultramage: you have two MTU settings for OpenVPN ... link-mtu and tun-mtu ... which defines the MTU for the packets being sent over to the other OpenVPN side (OpenVPN encapsulated TCP/UDP packets) and the MTU value for the tun/tap device
10:00 <@dazo> --link-mtu defines the UDP/TCP packet size  .... so if --link-mtu < --tun-mtu ... packets will be fragmented .... if --link-mtu > --tun-mtu, more tunnel packets will go into a UDP/TCP packet sent to the other side
10:01 <@dazo> you probably need to look at --fragment and --mssfix as well to get such tweaking to work as expected
10:09 -!- albech [~thomas@535AB203.flatrate.dk] has quit [Ping timeout: 276 seconds]
10:12 -!- securityxxxpert [~securityx@68-186-162-44.dhcp.stls.mo.charter.com] has joined #openvpn
10:13 < securityxxxpert> Morning.  I am a student and was wondering what type of tunneling protocols OpenVPN supports as well as encryption methods
10:13 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Remote host closed the connection]
10:31 -!- busch [6d493239@gateway/web/freenode/ip.109.73.50.57] has joined #openvpn
10:31 < busch> Is there a german support channel for openvpn?
10:33 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
10:33 < tuxx_> busch: ur english sux?
10:36 < busch> I try it in english: 1 openvpn-server on the internet, 1 openvpn-client in my LAN, which is my local router/gateway. All traffic from LAN to the internet will be routed through the openvpn server by the openvpn client. This setup works fine with one exception. if somebody outside of the vpn tries to connect (ping) to my homeserver (the openvpn-client), the homeserver answers the ping through the vpn tunnel (tun0) instead of the real ni
10:37 < busch> client.conf: http://dpaste.de/bdoX/   server.conf: http://dpaste.de/wueP/
10:39 < cron2> busch: the trick is to set "ip rule" tables so that the default route for the "real" address goes to "Internet"
10:39  * cron2 sits in a train and is somewhat typing impaired, but that pointer might help
10:40 < busch> cron2: Is this a kind of "policy based routing"? 
10:40 < cron2> busch: yes
10:40 < busch> cron2: Then i have no chanche to resolv this problem without help :)
10:41 < cron2> you set up multiple default routes, in the "main table" and in "routin gtable #100" (or whatever number you like)
10:41 < cron2> and then syou set up "ip rule" so that "source ip = nnn -> use routing table #100"
10:43 < cron2> google for "ip rule" :-) - or ask me again some time this weekend
10:43 < cron2> (then I can dig out examples)
10:44 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
10:51 -!- Martin` is now known as Martin
10:51 -!- Martin is now known as Guest73969
10:52 -!- Guest73969 is now known as Martin
10:52 -!- Martin is now known as Guest7495
10:53 -!- Guest7495 is now known as Martin
10:53 -!- Martin is now known as Guest805
10:56 -!- Guest805 is now known as Martin
10:57 -!- Martin [martin@shell.ipv6.octocore.net] has quit [Disconnected by services]
11:00 < korozion> I guess so!
11:07 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
11:14 <@dazo> securityxxxpert: openvpn --show-ciphers and --show-tls shows encryption stuff.  It completely depends on what the installed OpenSSL supports.  For type of tunnelling protocols, depends on how you look at it.  It's SSL based for the transport between OpenVPN client/server - using standard UDP or TCP for tranport.  It does not implement the standard SSL over TCP protocol, but encapsulates the encrypted data into TCP or UDP
11:15 < securityxxxpert> dazo: thank you for that 
11:15 < securityxxxpert> this is very nice as opposed to paying $3000 for Open VPN-1
11:15 <@dazo> securityxxxpert: on the "inside" of the tunnel ... it depends on if you use the TUN or TAP device.  TUN devices will only tunnel IP based traffic.  At the moment the released versions of OpenVPN only supports IPv4 here, but the openvpn-testing version does support IPv6 as well .... for TAP, it tunnels ethernet frames, so it takes whatever you push there
11:16  * dazo need to run to catch a dinner
11:16 < securityxxxpert> thanks again dazo
11:16 -!- securityxxxpert [~securityx@68-186-162-44.dhcp.stls.mo.charter.com] has quit [Quit: Thanks for the help]
11:18 -!- dazo is now known as dazo_afk
11:31 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined #openvpn
11:35 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Remote host closed the connection]
11:40 < busch> cron2: great, i got it done. but what if my ip adresse change or the ip adresse of my isp`s gateway? 
11:41 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
12:17 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
12:26 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined #openvpn
12:35 -!- busch [6d493239@gateway/web/freenode/ip.109.73.50.57] has quit [Quit: Page closed]
12:36 -!- atan [~atan@unaffiliated/atan] has quit [Quit: Leaving]
12:39 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
12:40 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
12:41 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
12:42 -!- atan2 [~atan@blk-222-132-103.eastlink.ca] has joined #openvpn
12:44 <@vpnHelper> RSS Update - forum: Configuration :: Re: Error building client certificate! :: Reply by silajim <https://forums.openvpn.net/viewtopic.php?f=6&t=7229&p=8317#p8317>
12:52 -!- atan [~atan@unaffiliated/atan] has quit [Disconnected by services]
12:52 -!- atan2 is now known as atan
12:53 -!- atan [~atan@blk-222-132-103.eastlink.ca] has quit [Changing host]
12:53 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
12:53 -!- atan2 [~atan@blk-222-132-103.eastlink.ca] has joined #openvpn
12:56 -!- dollabill [~mike@97.66.26.10] has quit [Read error: No route to host]
12:58 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
13:00 -!- atan2 [~atan@blk-222-132-103.eastlink.ca] has quit [Quit: Leaving]
13:00 -!- atan is now known as atan2
13:00 -!- atan2 is now known as atan3
13:00 -!- atan3 is now known as atan4
13:01 -!- atan4 is now known as atan
13:01 -!- atan [~atan@unaffiliated/atan] has quit [Quit: Leaving]
13:08 <@vpnHelper> RSS Update - forum: Configuration :: openvpn gui systray icon missing after incorrect password :: Author wizangzing <https://forums.openvpn.net/viewtopic.php?f=6&t=7236&p=8318#p8318>
13:09 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
13:11 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined #openvpn
13:12 < dogmeat> ive dont have a Default Gateway for my tap interface after connecting to the vpn. how can i specify ?
13:13 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Client Quit]
13:13 < krzie> bridging i take it
13:14 < krzie> add a line for adding the default route to the end of the bridge script
13:17 < dogmeat> krzie, what bridge?
13:19 < krzie> well you said tap, as opposed to tun, and when bridging that is a problem i have seen before
13:19 < krzie> since you gave damn near 0 detail, i took a guess
13:20 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined #openvpn
13:20 < ecrist> krzie: I fixed (finally) google indexing for the forum
13:21 -!- busch [6d493239@gateway/web/freenode/ip.109.73.50.57] has joined #openvpn
13:22 < dogmeat> the server side uses tun
13:23 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Remote host closed the connection]
13:23 < busch> cron2: the policy based routing worked exactly for 2 hours and 28 minutes. now it doesnt work anymore. no ip adresse has changed
13:25 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
13:26 < busch> cron2: here are the commands that i used: http://dpaste.org/sxYw/
13:36 < dogmeat> here's the routes produced http://www.pastebin.ca/1983095
13:41 < busch> Is the "Windows 7 cannot set up the routes after standy"-problem a known problem?
14:00 -!- busch [6d493239@gateway/web/freenode/ip.109.73.50.57] has quit [Ping timeout: 265 seconds]
14:00 < dogmeat> krzee, server side uses tun, client side is using tap == "borked openvpn configuration". solution is use tap on both ends
14:13 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined #openvpn
14:16 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
14:31 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:31 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
14:33 -!- bba [~bba@93.1.40.113] has joined #openvpn
14:33 < bba> !welcome
14:33 <@vpnHelper> bba: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:33 < bba> !goal
14:33 <@vpnHelper> bba: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:36 < bba> Hi, I would like to know how to install openvpn on a other port? such as 80 or 443 etc... and not 1194
14:37 < krzie> heh
14:37 < krzie> config option: port
14:37 < bba> I tried just by modify the .ovpn and .conf file with the "port 80", but it seems that openvpn doesn't listen on the port
14:38 < krzie> !configs
14:38 <@vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
14:39 < bba> I will paste my past config, because I'm on a reinstall, and want to have it work and not make a mess :p
14:39 < bba> 2sec
14:41 < bba> http://pastebin.ca/1983133
14:42 < bba> ubuntu server 10.04 x64
14:43 < bba> openvpn/lucid-updates uptodate 2.1.0-1ubuntu1.1
14:53 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
14:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
14:55 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Ping timeout: 272 seconds]
14:56 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
14:56 < krzie> now show me netstat -nl |grep 80
14:57 < krzie> after stopping and starting openvpn
14:58 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
14:58 < bba> test with an other port in my config
14:58 < bba> udp        0      0 0.0.0.0:69              0.0.0.0:*
14:58 < bba> ah don't have LISTEN at the end
14:58 < bba> so...
15:16 < bba> no solution?
15:19 < krzie> now show me netstat -nl |grep vpn
15:19 < krzie> oh nm, im too used to bsd
15:19 < krzie> (i use sockstat not netstat)
15:20 < krzie> looks to my like your above app was listening on port 69 just fine
15:21 < krzie> s/my/me
15:21 < bba> it tell's me nothing
15:21 < bba> but when I had it on default port it worked
15:21 < krzie> firewall...?
15:21 < bba> nop
15:21 < bba> stoped my iptable
15:22 < Bushmills> did you set client config to use port 80 too?
15:22 < krzie> well somethings listening on port 69
15:22 < bba> yep
15:22 < Bushmills> tcp or udp?
15:22 < bba> but the server doesn't seems to listen on it
15:22 < krzie> you just showed me that something is listening on port 69
15:23 < bba> hum
15:23 < bba> no
15:23 < bba> because when something is listening on a port
15:23 < krzie> [15:58]  <bba> udp        0      0 0.0.0.0:69              0.0.0.0:*
15:23 < bba> I have a LISTEN behind
15:23 < krzie> that is an app listening
15:23 < bba> tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
15:23 < bba> so does apache
15:23 < krzie> i dont care, its listening
15:23 < bba> lol
15:23 < bba> okok
15:23 < krzie> what did you think that line meant?
15:23 < Bushmills> udp        0      0 78.46.19.202:1194       0.0.0.0:*       
15:24 < Bushmills> that's netstat output of my (listening) server
15:24 < bba> I thought that it only tells me that it's open
15:24 < bba> okay
15:24 < krzie> huh??
15:25 < krzie> udp4       0      0  192.168.0.136.1194     *.*                    
15:25 < krzie> (in osx)
15:25 < krzie> i have no idea what you meant by "if its open"
15:26 < Bushmills> are you sure that your firewall permits udp packets to :80 on your server? 
15:26 < bba> yep
15:26 < krzie> use netcat
15:26 < krzie> klnow for sure
15:26 < Bushmills> also that both client and server make use of udp?
15:26 < krzie> know*
15:26 < bba> right now I'm on 69
15:26 < bba> but tried 80 before
15:26 < krzie> make a connection on that port / proto with netcat
15:33 < ecrist> http://www.youtube.com/watch?v=8YAFM4ATJiU
15:33 <@vpnHelper> Title: YouTube - Total Douche Bag (at www.youtube.com)
15:34 < ecrist> that's what 5 minutes and iMovie will net you.
15:34 < ecrist> :)
15:51 < bba> krzie: what concerns the port it's good, my vpn client give me that
15:52 < bba> MANAGEMENT: >STATE:1288990256,CONNECTED,SUCCESS,10.8.0.6,ip
15:52 < bba> 2010-11-05 21:50:56 *Tunnelblick: Flushed the DNS cache
15:52 < bba> 2010-11-05 21:50:59 *Tunnelblick leasewatch: A network configuration change was detected
15:53 < krzie> hah
15:53 < krzie> are you saying the vpn is up now?
15:53 < krzie> im saying to test that a connection CAN be made on that ip/port/proto by using netcat on both ends
15:53 < bba> yep
15:54 < krzie> ok then nevermind, sounds like you have no problem now
15:54 < bba> http://pastebin.ca/1983191
15:54 < bba> it's not the end
15:54 < bba> xD
15:54 < krzie> why do i need a pastebin if you got the connection
15:54 < bba> if yu can take a look on that
15:55 < krzie> i dont really care about tunnelblick output, run openvpn from commandline and use some gui when you're done
16:56 < tuxx_> tunnelblick is a bitch
17:02 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 264 seconds]
17:11 -!- p3rror [~mezgani@41.137.57.86] has joined #openvpn
17:17 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has quit [Read error: Operation timed out]
17:18 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined #openvpn
17:30 -!- bba [~bba@93.1.40.113] has quit [Remote host closed the connection]
17:31 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Quit: leaving]
17:44 -!- VirusTB [~VirusTB@145.116.24.68] has joined #openvpn
17:53 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 276 seconds]
17:55 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
18:09 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
18:09 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
18:09 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
18:09 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
18:11 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:17 < dogmeat> tuxx_, im using it, seems ok
18:35 <@vpnHelper> RSS Update - forum: Configuration :: try to connect on my openvpn, but is not working, why? :: Author slashlinux <https://forums.openvpn.net/viewtopic.php?f=6&t=7237&p=8319#p8319>
18:40 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has quit [Ping timeout: 245 seconds]
18:42 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined #openvpn
18:49 -!- p3rror [~mezgani@41.137.57.86] has quit [Ping timeout: 252 seconds]
18:50 -!- p3rror [~mezgani@41.137.57.86] has joined #openvpn
18:55 -!- VirusTB [~VirusTB@145.116.24.68] has quit [Quit: VirusTB]
18:59 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
19:07 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 252 seconds]
19:07 -!- chantra_afk [~chantra@unaffiliated/chantra] has quit [Ping timeout: 240 seconds]
19:07 -!- chantra_afk [~chantra@unaffiliated/chantra] has joined #openvpn
19:07 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined #openvpn
19:15 -!- p3rror [~mezgani@41.137.57.86] has quit [Quit: Leaving]
19:26 -!- le0 [~fin@cpc13-bele7-2-0-cust182.2-1.cable.virginmedia.com] has joined #openvpn
19:26 -!- le0 [~fin@cpc13-bele7-2-0-cust182.2-1.cable.virginmedia.com] has quit [Changing host]
19:26 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
20:00 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
20:00 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
20:00 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
20:07 -!- Sivart [~Travis@cle-bb-cable2-ws-85.dsl.airstreamcomm.net] has quit [Quit: Leaving]
20:28 -!- le0 [~fin@unaffiliated/le0] has quit [Remote host closed the connection]
20:29 -!- VirusTB [~VirusTB@145.116.24.68] has joined #openvpn
20:45 -!- VirusTB [~VirusTB@145.116.24.68] has quit [Quit:  has left the bulding]
21:36 -!- takamichi [~pri@pm301-97-169.keyworld.net] has quit [Ping timeout: 240 seconds]
21:43 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
22:06 <@vpnHelper> RSS Update - forum: Configuration :: Goofy IPs :: Author jerryk1234 <https://forums.openvpn.net/viewtopic.php?f=6&t=7238&p=8320#p8320>
22:07 -!- Kurogane [~kuro@190.87.80.64] has joined #openvpn
22:15 < phusion__> hey guys. anyone interested in a mindbender? I am totally stumped and have been playing for many hours trying to get something working. http://pastebin.ca/1983384 free bj's for all for a fix!
22:22 -!- smerz [~smerz@smerz.demon.nl] has quit [Remote host closed the connection]
22:36 <@vpnHelper> RSS Update - forum: Configuration :: VPN connects and pings server, cannot see any shares :: Author ajssbp <https://forums.openvpn.net/viewtopic.php?f=6&t=7239&p=8321#p8321>
22:41 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
23:07 -!- ukaz [bima@80.187.211.15] has joined #openvpn
23:07 < ukaz> i followed all these steps, but still i am confused and things not working as planned: http://cloudservers.rackspacecloud.com/index.php/CentOS_-_VPN_tunneling_with_OpenVPN
23:07 <@vpnHelper> Title: CentOS - VPN tunneling with OpenVPN - Cloud Servers Wiki (at cloudservers.rackspacecloud.com)
23:08 < ukaz> i just want clientA connect to serverA which routes through serverB
23:08 < ukaz> obviously, clientA must have dns from serverB
23:09 < ukaz> anyway, who can help? ill pay even some for solution...
23:14 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
23:15 -!- ukaz [bima@80.187.211.15] has quit []
23:16 -!- ukaz [bima@80.187.211.15] has joined #openvpn
23:17 < ukaz> who might be awake?
23:17 < ukaz> ...
23:25 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
23:29 < theDoc> !route
23:29 <@vpnHelper> theDoc: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
23:37 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: brb]
--- Day changed Sat Nov 06 2010
00:03 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
00:05 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
00:05 <@vpnHelper> RSS Update - forum: Routing and Firewall Scripts :: Re: how to add a kernel's route on the openvpn server? :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=17&t=7219&p=8322#p8322>
00:12 -!- bob368 [~bob@c-67-166-114-210.hsd1.ut.comcast.net] has joined #openvpn
00:17 < ecrist> ukaz: if I might make a suggestion.
00:17 < ukaz> yes sure
00:17 < ecrist> you cannot expect, with any reason, person/people X or X*N will have read howto Y.
00:18 < ecrist> perhaps, you might answer the questions, and read the information contained within /topic, so we might be better suited to help you, in your given situation.
00:18 < ukaz> i do not expect, i ask, not?
00:19 < ecrist> ah, but you expect, through your question, that we know what $FOOBEANS howto states, and what it's told you to do.
00:19 < ukaz> the desired setup is very straightforward: client -> servA -> servB -> internet
00:19 < ecrist> OR, you expect one of us to go read it, understand it, and answer your questions in context.
00:19 < ukaz> i am reading the wrong articles, hence my confusion and misunderstanding
00:20 < ecrist> break that up into three steps
00:20 < ecrist> servB -> internet
00:20 < ecrist> if you can connect, as a client, to servB and get to the internet through the tunnel, move to step two, servA -> servB
00:21 < ecrist> see !route
00:21 < ecrist> !iroute
00:21 <@vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
00:21 < ecrist> should answer your questions.
00:21  * ecrist goes away
00:21 < ukaz> ok
00:23 -!- bob368 [~bob@c-67-166-114-210.hsd1.ut.comcast.net] has quit [Quit: Colloquy for iPhone - http://colloquy.mobi]
00:27 < ukaz> i really still dont get the idea, is servA and servB BOTH openvpn servers? or is one of them client to the other?
00:35 -!- takamichi [~pri@pm301-97-169.keyworld.net] has joined #openvpn
00:37 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
00:41 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
01:03 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
01:04 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
01:07 < phusion__> hey guys. anyone interested in a mindbender? I am totally stumped and have been playing for many hours trying to get something working. http://pastebin.ca/1983384 free bj's for all for a fix!
01:14 -!- krzie [krzee@hemp.ircpimps.org] has joined #openvpn
01:14 -!- krzie [krzee@hemp.ircpimps.org] has quit [Changing host]
01:14 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
01:16 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
01:27 < ecrist> phusion__: unless you like =< http://secure-computing.net/files/Sarah/10132010113.jpeg, not interested in your bj's
01:30 < ecrist> EmperorTom: see phusion__'s pastebin above.  I think it may have something to do with default differences between Debian and Ubuntu
01:30 < ecrist> see the following
01:30 < ecrist> !def1
01:30 <@vpnHelper> ecrist: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
01:30 < ecrist> !linnat
01:30 <@vpnHelper> ecrist: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
01:31  * ecrist goes away again, watching obscure B movies and drinking Jack + Coke
01:31 < phusion__> ecrist: just a line to show my desperation
01:32 < phusion__> finished setting up 5 ubuntu boxes ready for production knowing this worked on debian only to find it doesnt
01:32 < phusion__> :|
01:33 < ukaz> ecrist: from the client, i can ping servA 10.88.20.1 (gateway), i can ping serverB 10.88.20.4, i can ping any ip address, this means the openvpn tunnel is almost working. i just push the DNS but it wont work. i just push the dns of serverB (the end of the chain).
01:34 -!- krzy [krzee@hemp.ircpimps.org] has joined #openvpn
01:35 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Remote host closed the connection]
01:35 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
01:37 < joako> I have issues with my certificates the generated client.crt are 0 bytes. How do I change my firewall to allow this?
01:39 < phusion__> ecrist: were you trying to suggest something with redirect-gateway?
01:42 < ukaz> phusion: :/
01:43 < phusion__> :(
01:44 < ukaz> read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
01:44 < ukaz> all i get..
01:44 < phusion__> me?
01:44 < ukaz> no me
01:46 < phusion__> sorry i wish i could help. i only have general knowledge of this kind of stuff 
01:46 < phusion__> hopefully once ecrist gets a buzz going he'll return and save the day :p
01:49 < joako> How can I use OpenVPN without any certificate?
01:49 -!- ukaz [bima@80.187.211.15] has quit [Ping timeout: 276 seconds]
01:50 < jpalmer> joeko: openvpn is an SSL based VPN..
01:52 < joako> jpalmer, Is there an easy, no-possiblities-for-errors, way to generate the certificates? I tried the easy-rsa and it worked the 1st time. The 2nd time it prepopulates the fields with data from the first certificates and the client.crt files are 0 bytes and openvpn refuses to use them
01:53 < jpalmer> I'd try to figure out why openssl is storing your old info, and reusing it.
01:54 < joako> There isn't e.g. a web-based tool to generate all the needed certificates?
01:55 < jpalmer> I don't know.  I use easy-rsa
01:55 < jpalmer> !vpnadmin
01:55 <@vpnHelper> jpalmer: Error: "vpnadmin" is not a valid command.
01:56 < jpalmer> !vpn-admin
01:56 <@vpnHelper> jpalmer: Error: "vpn-admin" is not a valid command.
01:56 < jpalmer> !search admin
01:56 <@vpnHelper> jpalmer: supybot.plugins.Admin and supybot.plugins.Admin.public
01:56 < jpalmer> !factoid search admin
01:56 <@vpnHelper> jpalmer: Error: "factoid" is not a valid command.
02:00 < jpalmer> !ssladmin
02:00 < joako> If I use shared key instead of PKI can more than 1 client connect to the VPN?
02:00 <@vpnHelper> jpalmer: Error: "ssladmin" is not a valid command.
02:00 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Remote host closed the connection]
02:21 < joako> So its just not possible to use openvpn without going through this convoluted key process?
02:29 -!- takamichi [~pri@pm301-97-169.keyworld.net] has quit [Ping timeout: 240 seconds]
02:30 -!- takamichi [~pri@pm301-97-169.keyworld.net] has joined #openvpn
02:44 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
03:06 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
03:17 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
03:31 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:38 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
03:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
03:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
03:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
03:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
03:58 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
03:59 < Bushmills> !howto
03:59 <@vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:59 < Bushmills> quickstart
04:15 -!- aliverius_ [~george@athedsl-373438.home.otenet.gr] has joined #openvpn
04:18 -!- aliverius [~george@athedsl-372258.home.otenet.gr] has quit [Ping timeout: 240 seconds]
04:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
04:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
04:45 -!- master_of_master [~master_of@p57B53512.dip.t-dialin.net] has quit [Ping timeout: 272 seconds]
04:47 -!- master_of_master [~master_of@p57B54F10.dip.t-dialin.net] has joined #openvpn
04:55 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
05:33 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
05:41 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
06:32 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
07:13 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
07:29 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
07:35 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
07:51 -!- bandini [~bandini@host87-106-dynamic.11-79-r.retail.telecomitalia.it] has joined #openvpn
07:51 -!- WinstonSmith [~true@e179011186.adsl.alicedsl.de] has joined #openvpn
07:52 -!- WinstonSmith [~true@e179011186.adsl.alicedsl.de] has quit [Client Quit]
08:12 -!- digitallo1 [~marc@d118-75-137-49.try.wideopenwest.com] has joined #openvpn
08:12 < digitallo1> !welcome
08:12 <@vpnHelper> digitallo1: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:13 < digitallo1> !goal
08:13 <@vpnHelper> digitallo1: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:23 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 255 seconds]
08:31 -!- digitallo2 [~marc@d118-75-36-174.try.wideopenwest.com] has joined #openvpn
08:34 -!- digitallo1 [~marc@d118-75-137-49.try.wideopenwest.com] has quit [Ping timeout: 245 seconds]
08:35 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 250 seconds]
08:39 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
08:44 -!- digitallo1 [~marc@d118-75-137-49.try.wideopenwest.com] has joined #openvpn
08:45 -!- digitallo1 [~marc@d118-75-137-49.try.wideopenwest.com] has left #openvpn []
08:47 -!- digitallo2 [~marc@d118-75-36-174.try.wideopenwest.com] has quit [Ping timeout: 276 seconds]
08:47 < ecrist> !ssl-admin
08:47 <@vpnHelper> ecrist: "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn, or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
09:02 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Read error: Connection reset by peer]
09:03 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
09:25 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
09:33 -!- crow [~crowmo@chello080108001109.35.11.vie.surfer.at] has joined #openvpn
09:42 -!- ukaz [bima@80.187.148.124] has joined #openvpn
09:44 < ukaz> someone interested helping this poor old soul to create his openvpn tunnel? ill pay you for your time. Yes I know, not appreciated in this channel, it is for helping people "in the right direction", but call me ignorant, lazy or both, im just confused about the whole route/iroute methods. msg me
09:47 < ukaz> setup: client -> servA -> servB -> internet
09:57 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 252 seconds]
09:59 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
10:00 -!- takamichi [~pri@pm301-97-169.keyworld.net] has quit [Ping timeout: 260 seconds]
10:01 -!- takamichi [~pri@pm301-97-169.keyworld.net] has joined #openvpn
10:04 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
10:04 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
10:05 -!- atan2 [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
10:11 -!- takamichi [~pri@pm301-97-169.keyworld.net] has quit [Ping timeout: 240 seconds]
10:16 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
10:23 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 240 seconds]
10:24 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
10:24 < ukaz> !route
10:24 <@vpnHelper> ukaz: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:25 -!- crow [~crowmo@chello080108001109.35.11.vie.surfer.at] has quit [Ping timeout: 264 seconds]
10:25 -!- crow [~crowmo@chello080108001109.35.11.vie.surfer.at] has joined #openvpn
10:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
10:34 <@vpnHelper> RSS Update - forum: Server Administration :: Installing OpenVPN in Vmware :: Author ng12345 <https://forums.openvpn.net/viewtopic.php?f=4&t=7240&p=8323#p8323>
10:39 -!- ukaz [bima@80.187.148.124] has quit []
10:39 -!- ukaz [bima@80.187.148.124] has joined #openvpn
10:49 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
10:50 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
10:51 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
11:00 < ukaz> someone interested helping this poor old soul to create his openvpn tunnel? ill pay you for your time. Yes I know, not appreciated in this channel, it is for helping people "in the right direction", but call me ignorant, lazy or both, im just confused about the whole route/iroute methods. msg me
11:01 < krzy> [02:56]  <jpalmer> !factoid search admin
11:01 < krzy> [02:56]  <vpnHelper> jpalmer: Error: "factoid" is not a valid command.
11:01 < krzy> [03:00]  <jpalmer> !ssladmin
11:01 < krzy> jpalmer, its !factoids search, and ssl-admin
11:01 < krzy> ;]
11:02 -!- krzy [krzee@hemp.ircpimps.org] has quit [Quit: Leaving]
11:02 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
11:05 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
11:20 < ecrist> or, !factoids
11:20 < ecrist> !factoids
11:20 <@vpnHelper> ecrist: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
11:20 -!- ukazo [~bima@77.120.122.184] has joined #openvpn
11:21 -!- ukaz [bima@80.187.148.124] has quit [Ping timeout: 250 seconds]
11:23 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 265 seconds]
11:24 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
11:24 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Read error: Connection reset by peer]
11:30 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
11:33 -!- ukazo [~bima@77.120.122.184] has quit []
11:41 -!- ultramage [umage@kurobara.netvor.sk] has left #openvpn []
11:47 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
11:48 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
11:58 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
12:00 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined #openvpn
12:05 < phusion__> hey guys. could anyone provide some input on this issue: http://pastebin.ca/1983384 i really appreciate it. so stumped!
12:08 < krzie> you are not using network manager, right?
12:08 < phusion__> nah. basic server with no gui
12:08 < phusion__> the network/interfaces files are identical, everything is the same
12:09 < phusion__> although i did find ubuntu likes to change the metric of the default gateway to 100 for some reason, putting metric 0 under the eth0 interface in interfaces file made no difference.
12:10 < krzie> you dont use any auth?
12:10 < krzie> i see no certs, no secret
12:10 < krzie> no server config...
12:10 < phusion__> im basically paying for a vpn service from a company, so i dont have a whole lot of control over that. i know that it works for many people including myself as how i described
12:11 < krzie> then you need to get support from them
12:11 < phusion__> aw come on now it's a finnicky issue that they'd never support because i altered their config
12:12 < phusion__> there was this yesterday, but didnt hear anything else:  <F'ecrist> EmperorTom: see phusion__'s pastebin above.  I think it may have something to do with default differences between Debian and Ubuntu
12:13 < phusion__> pulling hair here
12:15 < ecrist> phusion__: you didn't tell me it was a vpn service
12:15 < ecrist> you really should get support from them.
12:15 < phusion__> the thing is i *know* it has to do with the OS, so i didnt find it relevant
12:15 < ecrist> can you tell us what their config looked like, before you changed it?
12:16 < phusion__> it was identical to what i pasted, but with redirect-gateway uncommented as i said
12:16 < phusion__> it's worked fine on many debian servers with or without redirect-gateway, it works fine on ubuntu with redirect-gateway, but not without
12:17 < ecrist> do you have both systems running at the same time, with the same ifconfig line?
12:17 < phusion__> nope, i tested them seperately with the same client config. the part where i mention im able to access the other one is where i used a different client config, also from the same VPN provider.
12:17 < ecrist> show us logs from both Debian and Ubuntu
12:18 < phusion__> moment please. although i dont think it will be useful
12:19 -!- jrgill [~jrgill@unaffiliated/jrgill] has joined #openvpn
12:19 < ecrist> !logs
12:19 <@vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
12:20 < jrgill> is it possible to connect the openvpn client to my tor server?  im on windows with the openvpn client and vidalia tor package.  i think it would be useful having IPs at my disposal at the network connection level (opposed to plugins in firefox, etc)
12:21 < ecrist> sure, shouldn't be a problem, jrgill 
12:23 < jrgill> i receive this when trying to connect to my tor server though, so im probably missing something but havent been able to find any info on a setup like this
12:23 < jrgill> Sat Nov 06 13:22:53 2010 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
12:24 < phusion__> ecrist: http://pastebin.ca/1983735
12:25 < jrgill> hmm maybe i need tcp
12:26 < ecrist> jrgill: are you trying to use OpenVPN over tor, or are you connect to a server, which has access to tor
12:27 < jrgill> ecrist: trying to connect to a server (in my case, just the same pc localhost) that has tor
12:27 < ecrist> phusion__: verb 5 or 6, please
12:27 < jrgill> so i do remote localhost 9050
12:27 < phusion__> verb is a config variable?
12:27 < ecrist> phusion__: yes
12:27 < phusion__> k sec
12:28 < ecrist> jrgill: you're not going to have any luck testing on a local machine
12:28 < jrgill> it will never work?
12:29 < jrgill> http://pastebin.com/XkESqgkj
12:30 < ecrist> jrgill: what are you hoping to gain by creating a vpn connection to localhost?
12:30 < ecrist> that's just silly
12:30 < ecrist> talk about routing loops
12:30 < jrgill> i want the IP addresses tor offers on localhost:9050
12:31 < jrgill> i use foxyproxy in firefox.  i want the same functionality as a network connection
12:32 -!- dogmeat [~Bob@unaffiliated/dogmeat] has quit [Ping timeout: 265 seconds]
12:32 < ecrist> I don't know enough about tor to speak intelligently on that matter.  I don't think openvpn is the right solution for you
12:32 < jrgill> :/
12:33 < krzie> you want proxifier
12:33 < krzie> or something similar
12:34 < phusion__> ecrist: http://pastebin.ca/1983741 sorry for the wait.
12:34 -!- RichiH [~richih@freenode/staff/richih] has left #openvpn []
12:35 < phusion__> you may notice the debian server has an incremented tap interface somewhere, i have other VPN's doing work on that box right now. i believe it's irrelevant
12:35 < jrgill> i think i recall using proxifier.  i guess ill stick to using openvpn for actual vpns :s
12:38 < ecrist> phusion__: the good news, there's nothing interesting in the logs
12:38 < phusion__> didnt think so hehe
12:39 < ecrist> can you get me a paste of your routing tables on both machines?
12:39 < phusion__> just refer to that one i pasted in the original pastebin, its identical.
12:39 < ecrist> both machines are identical?
12:39 < phusion__> ill do it just for you. hold on :p
12:40 < krzie> you're actually doing it for yourself ;]
12:40 < ecrist> I'd suggest doing it for you
12:40 < krzie> heh
12:40 < ecrist> really, I'm perfectly happy, regardless if your vpn works. :)
12:40 < phusion__> haha i know, they are just the "same" in the sense that theres nothing sticking out in either
12:42 < phusion__> http://pastebin.ca/1983744
12:43 < phusion__> it's tough.. this triangular routing thing isnt exactly done by a lot of people but it's perfect for what i need to achieve
12:44 < phusion__> not a whole lot of support available
12:44 < ecrist> what's with the extra tap interfaces on the deb box?
12:44 < phusion__> there are some other configs running production stuff
12:45 < phusion__> has nothing to do with this.. again remember the debian server works, not ubuntu
12:45 < ecrist> I see nothing in those routing tables that should prevent you from pinging google's DNS server
12:45 < phusion__> well exactly. its something finnicky with ubuntu and default gateway but i have no idea what
12:45 < phusion__> at this point im thinking if i can resort to some crazy iptables stuff or something that will have to do
12:45 < ecrist> !iptables
12:45 <@vpnHelper> ecrist: "iptables" is (#1) o test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT;, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-
12:45 <@vpnHelper> ecrist: computing.net/wiki/index.php/OpenVPN/Firewall
12:45 < phusion__> yea there are no iptables in place 
12:46 < phusion__> it's one of those "skip all the usual stuff" problems :p
12:46 < ecrist> if we got a nickel every time someone said that.
12:46 < phusion__> haha
12:46 < ecrist> at this point, I really don't think this is related to openvpn, though.
12:47 < ecrist> I think it's something wonky in openvpn.
12:47 < krzie> o_O
12:47 < phusion__> eh?
12:47 < ecrist> if you add the redirect-gateway back in, does that work
12:47 < phusion__> yeah it does
12:47 < ecrist> sorry, s/openvpn/ubuntu/
12:47 < phusion__> and yeah i agree. something in ubuntu. but ive been trying for help in a number of channels to no avail
12:48 < phusion__> at this point im willing to pay for consultation time or anything, i have 5 boxes ready to roll for production but this is stopping me :(
12:48 < krzie> whats the exact goal?  i still havnt caught onto that
12:48 < phusion__> %i can obtain IP's in another country but still have the outbound routing of the server that the vpn client runs on 
12:48 < phusion__> great for seo, whatever
12:48 < ecrist> EmperorTom might know something.  I think he's using a Leupold to find Bambi's father today, though.
12:50 < phusion__> it's spoofing.. theres no egress filtering in place at the isp my servers are at
12:52 < krzie> umm, so you are sending the traffic out your us isp with foreign isp's IP, then getting the response over the vpn
12:52 < krzie> right?
12:52 < phusion__> well the servers arent in the US, but yes thats right
12:53 < krzie> ip forwarding is enabled on the ubuntu machine?
12:53 < krzie> !linipforward
12:53 <@vpnHelper> krzie: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
12:53 < phusion__> net.ipv4.ip_forward = 1
12:53 < phusion__> yeah
12:53 < krzie> cat /proc/sys/net/ipv4/ip_forward is 1
12:54 < phusion__> yessir
12:55 < krzie> the debian machine where this works has no firewall either?
12:55 < phusion__> nope
12:55 < krzie> ild assume you'd need firewall rules to make that work
12:55 < phusion__> heh, thats whats so nice about it 
12:55 < krzie> or a second routing table or something
12:55 < phusion__> it just works off of that #redirect-gateway bascially :p
12:56 < krzie> umm no
12:56 < krzie> commenting that out is just like not having it
12:56 < phusion__> thats what i mean.
12:56 < krzie> so all you're doing is not changing your gateway
12:56 < phusion__> yup
12:56 < krzie> that does NOT make you send traffic out your eth0 with the wrong ip
12:56 < krzie> which is what you wanna do
12:57 < phusion__> eh? having redirect-gateway in place forces everything over the VPN. having it removed/commented makes it go out eth0. for any normal person who has an ISP with egress filtering in place it would simply not work
12:58 < phusion__> well maybe thats just what it seems on the surface and its a giant hack then? my networking knowledge isnt too advanced
12:58 < krzie> umm no
12:58 < krzie> having it does what you think
12:59 < krzie> not having it does not
12:59 < phusion__> then when its uncommented why does all outbound traffic go over the VPN?
12:59 < phusion__> :p
12:59 < krzie> because having it does what you think
12:59 < krzie> its the commenting of it that does not do what you think it does
13:00 < phusion__> what would be the proper way to go about it?
13:00 < krzie> no idea, your goal is far from proper
13:00 < krzie> but you need to figure out the extra step you found in the working machine
13:00 < phusion__> but it is so so sweet.
13:00 < krzie> could be a second routing table, or firewall rules
13:00 < phusion__> what extra step though.. there isnt one
13:00 < phusion__> lol
13:00 < krzie> but theres SOMETHING special you did outside of openvpn
13:01 < phusion__> no man. there isnt
13:01 < krzie> *shrug* ok
13:01 < phusion__> i could format a debian box and slap a config with #redirect-config and this would work
13:01 < krzie> what you said would happen when commenting redirect-gateway just isnt true
13:01 < krzie> then do it!
13:01 < phusion__> i already am. point is i have a new project thats using ubuntu.. i spent weeks rigging up everything and this was the last step
13:01 < phusion__> now i find out it doesnt work
13:02 < krzie> ubuntu is based on debian... if the solution is that easy do that!
13:02 < krzie> theres no reason you would NEED ubuntu and not be able to use debian
13:02 < phusion__> debian cried over my high end raid cards, had to make some sacrifice
13:02 < krzie> they are the same shit with different packaging
13:02 < phusion__> well exactly, why the f doesn't it work lol
13:02 < krzie> umm, they use the same kernel, that makes no sense
13:03 < phusion__> yeah :|
13:04 < phusion__> all i know is i fought with debian for hours to get it working properly with the raid cards.. ubuntu worked first time
13:04 < phusion__> and frankly it's worked fine for me in other setups where im not doing this so i didnt see any problem
13:05 < krzie> then ubuntu is your clue to knowing how to make the cards work in debian
13:05 < phusion__> so im basically avoiding reformatting the servers because i have all these scripts/software etc rigged 
13:05 < krzie> compile in whatever ubuntu used to your debian kernel
13:05 < krzie> in the end, the only difference between ubuntu and debian is packaging
13:05 < phusion__> something is borked with how ubuntu handles default routes
13:06 < krzie> ubuntu came with something flipped for your raid card, debian came with something flipped for your totally messed up routing scheme, both have the same options, but the defaults are different
13:06 < phusion__> even ecrist was mentioning it
13:07 < phusion__> i think im going to run a virtual machine with debian on the ubuntu box and forward traffic that way.. i cant make changes now
13:08 < krzie> heh
13:08 < phusion__> pretty sad but i dont know what to do
13:09 < ecrist> set static routes, maybe
13:09 < phusion__> could you help me with that ecrist? 
13:09 < krzie> ecrist, thing is, he wants his traffic to leave eth0 with the ip that is on his vpn interface
13:09 < phusion__> somehow i know im able to come up with these crazy schemes but im not the best with the route tool and advanced networking
13:10 < krzie> basically, he wants to induce the issue we have come across where people send traffic over the vpn with eth0 ip and get MULTI errors, but in reverse
13:10 < ecrist> if you were using a REAL OS, it wouldn't be an issue
13:10 < krzie> but we have never found the knob to fix that
13:10 < phusion__> beh lets not get into distro arguments and come up with a hack to fix my hack :p
13:10 < krzie> its an OS thing, certainly not openvpn
13:11 < ecrist> phusion__: the two guys your talking to are not Linux users, we use FreeBSD.  this would be an easy fix with pf
13:11 < krzie> and actually, i dont blame ubuntu that it *doesnt* work, i blame debian that is *does*
13:11 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
13:11 < phusion__> krzie i was thinking that too :p
13:11 < krzie> it would be easy with iptables too!
13:11 < ecrist> +1 krzie
13:11 < phusion__> how would we fix it with iptables?
13:11 < krzie> heh
13:11 < krzie> NAT to target servers
13:12 -!- futurestack [~futuresta@unaffiliated/futurestack] has left #openvpn []
13:12 < phusion__> id be happy to know how to make it work in debian properly instead of leaving it as something that "just happens to work"
13:12 < ecrist> in pf, it'd be a nat on foo... followed by a route-to
13:13 < phusion__> i dont know iptables unfortunately. i use apf script for managing any firewall rules if needed. would it just be a few lines? 
13:13 < phusion__> shudder all ya want :p
13:13 < krzie> in the forums bent has a post which mentions how to have a second routing table in linux
13:13 < krzie> phusion__, this isnt a linux support channel, we support openvpn, which you have no problem with
13:14 < krzie> we're more likely to give general ideas, for implimentation go learn your os ;]
13:14 < phusion__> well i know that, but at this point im just looking for someone who has enough general knowledge to help fix the problem
13:14 < phusion__> ive been in the distro channel, networking, linux, blah blah blah
13:14 < ecrist> you're in the right place to fix a problem with openvpn
13:14 < ecrist> unfortunately, you don't have a problem with openvpn
13:15 < krzie> !notovpn
13:15 <@vpnHelper> krzie: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
13:15 < krzie> ;]
13:15 < phusion__> could you guys just take it the step further and tell me exactly how to do it with iptables? all deferring me to another channel is gonna do is make me have to re-explain it all over again to someone else
13:15 < krzie> lol
13:15 < krzie> !linnat
13:15 <@vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
13:15 < krzie> go read the link at #3
13:15 < krzie> learn your OS
13:15 < ecrist> phusion__: we're not linux people, I already told you that.
13:15 < krzie> could you come clean my house? i dont feel like getting up
13:16 < ecrist> I'd have to do the research to figure out how to fix your problem.  the same research you'd have to do.
13:16 < ecrist> unless you're paying my going-rate, it's not going to happen.
13:16 < phusion__> ecrist: I will pay you for that time. 
13:16 < ecrist> $125/hr USD
13:16 < phusion__> as I mentioned in a PM late yesterday when you were drinking
13:16 < phusion__> :)
13:17 < ecrist> I ignore PMs from people I don'tknow
13:17  * ecrist wanders away
13:17 < phusion__> can you message me?
13:17  * phusion__ wonders why no one is interested in consultation on this network.. only deferring people to go learn themselves
13:18 < krzie> phusion__, if you wanna pay his going rate im sure he'll be able to figure it out
13:18 < phusion__> i have 4 seperate jobs, im waiting to launch a large website here
13:18 < phusion__> and yeah, at this point I am
13:18 < krzie> personally im too busy to spend my time learning linux specific stuff
13:19 < phusion__> tjat
13:19 < phusion__> that's fine. thanks for providing input anyways. much appreciated
13:20 < phusion__> but i mean i don't understand why ecrist "wanders away" when i say that I'm willing to pay money to fix the issue :\
13:27 < phusion__> well thanks anyways guys. later
13:28 < krzie> leave an email address in case ecrist comes back and has interest
13:28 < krzie> but easier would be to get a consultant from a linux channel
13:28 < krzie> since it has nothing to do with openvpn
13:29 < krzie> you just want to route out of interface A with the ip from interface B
13:29 < crow> Hi, i am trying to setup one openvpn server and client connect to server but cant open internet page after.. here is my server config. http://paste.debian.net/99152/ <-- should route be send to client, can client have problem with that then?
13:29 < krzie> likely only to certain hosts
13:30 < krzie> and the client config?
13:30 < krzie> ^@ crow
13:31 < crow> http://paste.debian.net/99153/
13:32 < krzie> ca ..\\keys\\ca.crt
13:32 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined #openvpn
13:32 < krzie> dont do your paths like that
13:32 < krzie> !path
13:32 -!- phusion__ [psn@2607:f0d0:2001:8b::50:1337] has quit [Read error: Operation timed out]
13:32 <@vpnHelper> krzie: "path" is always use full paths in your config file, it makes things easier
13:32 < krzie> !winpath
13:32 <@vpnHelper> krzie: "winpath" is (#1) Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key", or (#2) also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.: C:/Program Files/OpenVPN/config/foo.key (but surrounded by quotes)
13:33 < krzie> route-delay 2
13:33 < crow> krzie ok let me try
13:33 < krzie> 2 is too small
13:33 < krzie> remove the 2, it will default at 30
13:33 < krzie> i see you have these
13:33 < krzie> tun-mtu 1500
13:33 < krzie> #fragment 1300
13:33 < krzie> mssfix
13:33 < krzie> do you know WHY you have them?  or did you blindly copy them from a website...?
13:34 < crow> i did used example-conf
13:35 < krzie> comment those options
13:38 < crow> krzie does client side need to add some route?
13:38 < crow> i did two route on server trought..
13:39 < krzie> what lan is 192.168.1.0 255.255.255.0 ?
13:40 < crow> krzie its server local lan (router)
13:40 < krzie> what lan is the client on?
13:40 < crow> 10.8.0.0
13:41 < krzie> thats the LAN subnet!? not related to openvpn...?
13:41 < crow> 10.0.0.0 is his "openvpn" 10.8.0.0 is his local subnet
13:42 < krzie> "his"?
13:42 < crow> client
13:43 < krzie> the server config says 10.1.0.0/24 is his openvpn subnet, not 10.0.0.0/? ...
13:43 < crow> krzie i ment when he do openvpn server, then he use 10.0.0.0 subnet..
13:43 < crow> but client subnet is 10.8.0.0
13:44 < krzie> niether of those are subnets
13:44 < crow> and client got 10.1.0.6 virtual address
13:44 < krzie> a subnet is a combo of network address and subnet mask
13:44 < crow> thats what i see in openvpn status..
13:45 < krzie> server 10.1.0.0 255.255.255.0
13:46 < crow> thats whats writen in server config file.
13:46 < crow> client connect and get 10.1.0.6 but cant open web pages using openvpn.
13:48 < crow> what shuld i push to client "192.168.1.0 255.255.255.0 " <- this is correct?
13:51 < krzie> !serverlan
13:51 <@vpnHelper> krzie: "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
13:51 < krzie> that is correct, but there is 2 more steps to sharing that lan
13:54 < crow> but is that also needed if cleient will just go on internet over openvpn server?
13:56 < krzie> nope
13:56 < krzie> !redirect
13:56 <@vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:56 < krzie> server is linux i assume...?
13:56 < crow> krzie its a router with tomatousb firmware which have openvpn inside.
13:57 < krzie> cool then you already have ip forwarding and dont need to add any routes outside openvpn for the !serverlan
13:58 < krzie> so the push route should be all you need for server l an
13:58 < krzie> and you just need !def1 and !linnat
13:58 < krzie> !def1
13:58 <@vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
13:58 < krzie> !linnat
13:58 <@vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
14:03 < crow> krzie or will try to read all that..
14:03 < crow> was something like this http://paste.debian.net/99155/ needed then? as i did after start of openvpn.
14:13 -!- s7r [~s7r@AC8197FE.ipt.aol.com] has joined #openvpn
14:23 -!- s7r [~s7r@AC8197FE.ipt.aol.com] has quit [Ping timeout: 255 seconds]
14:38 < crow> krzie no help.. duno whats wrong,, does clinet lan and server lan need to be routed?
14:48 < krzee> crow, honestly i wouldnt know
14:49 < krzee> but you do need to have stuff allowed to pass in the firewall
14:49 < krzee> im not a linux guy
14:49 < |Mike|> lies.
14:49 < krzee> you think im a linux guy?
14:50 < krzee> ive used freebsd since version 3
14:50 < |Mike|> s/linux/opensource
14:50 < krzee> iptables is linux
14:50 < krzee> and your regex failed, unterminated ;)
14:50 < |Mike|> *g*
14:51 < |Mike|> i haven't touched linux since it was using ipchains
14:53 < krzee> ahh you're a bsd guy too?
15:05 -!- phusion__ [psn@2607:f0d0:2001:8b::50:1337] has joined #openvpn
15:06 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Operation timed out]
15:09 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
15:47 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
15:50 -!- shuffle2 [shuffle2@cpe-74-74-168-216.rochester.res.rr.com] has joined #openvpn
15:51 < shuffle2> where is documentation for using the TAP driver? (how can I set the mac address programmatically?)
15:54 < Jarpse> shuffle2: ifconfig + grep?
15:55 < shuffle2> i mean from C
15:58 < Jarpse> enoclue
16:06 -!- ukaz [bima@80.187.219.60] has joined #openvpn
16:07 < ukaz> back and still no answers :/ anyone now available maybe to help me with following setup: clientA -> servA -> servB -> internet (openvpn tunnel over 2 servers). Again, I can compensate your time and effort. Thank you for msg me.
16:19 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
16:19 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined #openvpn
16:38 < hyper_ch> ukaz: can you do it with 1 server?
16:41 < ukaz> hyper: yes
16:41 < ukaz> clientA -> servB works
16:49 < shuffle2> ok...so how about general documentation?
16:49 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
16:49 < ukaz> shuffle2: what you mean?
16:50 < shuffle2> i can't find any documents describing how one can configure the TAP driver programmatically
16:51 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined #openvpn
16:52 < shuffle2> basically i am writing an app that uses the TAP driver as a nic for a virtual machine
16:53 < shuffle2> so it needs to be configured by the app instead of the host
16:59 -!- ukaz [bima@80.187.219.60] has quit [Ping timeout: 255 seconds]
17:03 -!- ukaz [bima@80.187.219.60] has joined #openvpn
17:03 -!- mrjazzman [~mrjazzman@ppp121-44-150-30.lns20.syd7.internode.on.net] has joined #openvpn
17:04 < mrjazzman> greetings all, i'm trying to debug a weird issue and would appreciate some pointers in the correct direction. 
17:04  * ecrist has been using freebsd longer than krzee
17:04  * ecrist lols
17:04 < mrjazzman> I have 2 sites running openvpn 2.1.3. most traffic works fine
17:04 < mrjazzman> however when trying to open a connection to printers on site-b the connection never get's ack's.
17:05 < mrjazzman> i can see traffic going to the printer, coming back from the printer, it comes down the openvpn tunnel but never appears on the router-a lan interface
17:05 < mrjazzman> changed openvpn for a gre tunnel and it works
17:05 < mrjazzman> pinging etc works fine to the printer
17:06 < ecrist> sounds like some sort of firewall issue.
17:06 < mrjazzman> and if i use rinetd on the router A it works fine
17:06 < mrjazzman> no firewall
17:06 < mrjazzman> even tried connecting the printer to the router-b and a laptop directly in router A
17:06 < mrjazzman> no nat
17:06 < mrjazzman> no ipfw 
17:06 < mrjazzman> (freebsd 8 btw)
17:06 < ecrist> ah, a freebsd guy
17:06 < mrjazzman> no pf
17:06 < mrjazzman> well i'm a linux guy
17:06 < mrjazzman> i've inherited the bsd platform
17:07 < ecrist> you're a lucky man, then.
17:07  * ecrist points to /topic
17:08 < mrjazzman> i've spent the last 5 days confirming it's not hte firewall
17:08 < ecrist> sure
17:08 < mrjazzman> went through and thought of MTU issues, so 0dropped that etc 
17:09  * ecrist points to the rest of /topic
17:09 < mrjazzman> !welcome
17:09 <@vpnHelper> mrjazzman: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:10 < ecrist> post that data, I'll see if I can help.  in the meantime, I'm going back to my movie.
17:10 < mrjazzman> ecrist: what level log do you want? 
17:11 < mrjazzman> !logs
17:11 <@vpnHelper> mrjazzman: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
17:14 < mrjazzman> http://pastebin.com/YbqVFz1R
17:19 < mrjazzman> http://pastebin.com/R2XSWZcY - more debug
17:23 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
17:34 -!- ukaz [bima@80.187.219.60] has quit [Read error: Connection reset by peer]
17:34 -!- ukazo [bima@80.187.219.60] has joined #openvpn
17:36 -!- p3rror [~mezgani@41.137.57.86] has joined #openvpn
17:40 -!- crow [~crowmo@chello080108001109.35.11.vie.surfer.at] has quit [Ping timeout: 264 seconds]
17:41 -!- crow [~crowmo@chello080108001109.35.11.vie.surfer.at] has joined #openvpn
17:43 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
17:52 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
18:34 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
18:34 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
18:37 -!- bandini [~bandini@host87-106-dynamic.11-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
18:37 -!- ukazo [bima@80.187.219.60] has quit []
18:38 -!- ukaz [bima@80.187.219.60] has joined #openvpn
18:39 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
18:58 -!- crow [~crowmo@chello080108001109.35.11.vie.surfer.at] has quit [Remote host closed the connection]
19:21 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 265 seconds]
19:22 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
19:23 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
19:24 -!- ukazo [~bima@digi00433.digicube.fr] has joined #openvpn
19:24 -!- ukaz [bima@80.187.219.60] has quit [Read error: Connection reset by peer]
19:24 -!- ukazoo [bima@80.187.219.60] has joined #openvpn
19:26 -!- ukazo [~bima@digi00433.digicube.fr] has quit [Read error: Connection reset by peer]
19:34 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 250 seconds]
19:36 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
19:39 -!- ukaz [bima@80.187.219.60] has joined #openvpn
19:39 -!- ukazoo [bima@80.187.219.60] has quit [Ping timeout: 276 seconds]
19:41  * nb_ wishes non-jailbroken iphones would work with openvpn
19:49 < nb_> !firewall
19:49 <@vpnHelper> nb_: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
19:50 < krzee> would be cool, but i doubt apple would be willing to distribute the openvpn source
19:50 < krzee> and since it is GPL, this would be necessary
19:50 < krzee> (one of the reasons i personally favor the bsd license)
19:51 < nb_> true
19:59 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
19:59 < dogarrhea1> where can i find the logs for the openvpn server?
19:59 < dogarrhea1> all i get when i try to restart is "fail"
20:00 < reiffert> krzee: apple shares GB of open source on their ftp server.
20:01 < reiffert> krzee: lots and lots and lots of source code. see how they fail e.g. for chaning the resolver part in libc for years.
20:01 < reiffert> or see how they've manage to break the network interfaces stuff.
20:02 < dogarrhea1> so is there actually an error log
20:02 < reiffert> krzee: I was able to replace my apple kernel by a self made kernel with my own options. cool eh?
20:03 < reiffert> dogarrhea1: unix?
20:03 < dogarrhea1> ubuntu
20:03 < dogarrhea1> like i can't find it ... 
20:03 < dogarrhea1> and documentation doesn't talk about it
20:03 < reiffert> cd /var/log; find . -type f -exec grep ovpn {} \;
20:04 < reiffert> zgrep might fit better.
20:04 -!- jrgill [~jrgill@unaffiliated/jrgill] has quit []
20:05 < dogarrhea1> get an error from that
20:05 < dogarrhea1> says "expecting an argument"
20:05 -!- ukaz [bima@80.187.219.60] has quit []
20:05  * reiffert rubs the crystal ball
20:06 < reiffert> how unfourtunate ... it is broken!
20:06 < reiffert> left it the other day at this crystal ball repair guy .. u know?
20:07 < reiffert> got it back just days ago
20:07 < reiffert> damn thing .. broken again.
20:07 < dogarrhea1> what are you babbling about?
20:14 < dogarrhea1> tls-auth ta.key 1
20:14 < dogarrhea1>  <------ what is this and why does documentation not talk about it
20:14 < dogarrhea1> tls-auth ta.key 1 that is
20:16 < reiffert> guess its a line from your config file.
20:16 < reiffert> maybe not even yours.
20:22 -!- s7r [~s7r@66.199.231.250] has joined #openvpn
20:26 -!- humanMeat [alex@209.99.13.244] has joined #openvpn
20:29 -!- edmurphy [~mrjazzman@ppp121-44-150-30.lns20.syd7.internode.on.net] has joined #openvpn
20:29 -!- mrjazzman [~mrjazzman@ppp121-44-150-30.lns20.syd7.internode.on.net] has quit [Ping timeout: 255 seconds]
20:29 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has quit [Ping timeout: 255 seconds]
20:29 -!- key_two [~key2@olm03.cvf.fr] has quit [Ping timeout: 255 seconds]
20:30 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Ping timeout: 264 seconds]
20:33 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has joined #openvpn
20:33 -!- key_two [~key2@olm03.cvf.fr] has joined #openvpn
20:34 -!- shuffle2 [shuffle2@cpe-74-74-168-216.rochester.res.rr.com] has left #openvpn []
20:35 -!- s7r [~s7r@66.199.231.250] has quit []
20:51 -!- Kurogane [~kuro@190.87.80.64] has quit [Ping timeout: 245 seconds]
21:13 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
21:48 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
21:48 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
21:48 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
21:48 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
21:52 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has joined #openvpn
21:52 <@vpnHelper> RSS Update - forum: Configuration :: Do I have to have a client file for every pc? :: Author KyferEz <https://forums.openvpn.net/viewtopic.php?f=6&t=7241&p=8324#p8324>
22:31 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
22:41 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: Can't login more than two client and Smart Card login :: Author ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7242&p=8325#p8325>
23:00 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 272 seconds]
23:02 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
23:12 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
23:12 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
23:13 -!- mobiusnz [~mobiusnz@60.234.147.135] has joined #openvpn
23:14 < mobiusnz> h, i'm having problems setting up a bridged vpn. i can access the vpn server fine, but nothing else on the network. anyone able to help?
--- Day changed Sun Nov 07 2010
00:02 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
00:05 -!- corretico [~corretico@201.201.44.82] has quit [Client Quit]
00:05 <@vpnHelper> RSS Update - forum: Configuration :: Re: Do I have to have a client file for every pc? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7241&p=8326#p8326>
00:05 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
00:11 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Isololated client connections in version 2.0.5 :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7232&p=8327#p8327>
00:18 -!- nb_ [~nb@fedora/nb] has quit [Quit: ZNC - http://znc.sourceforge.net]
00:19 -!- nb_ [~nb@fedora/nb] has joined #openvpn
00:19 -!- nb [~nb@fedora/nb] has quit [Quit: ZNC - http://znc.sourceforge.net]
00:19 -!- nb_ is now known as nb
01:01 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 260 seconds]
01:01 -!- mobiusnz [~mobiusnz@60.234.147.135] has quit [Read error: Connection reset by peer]
01:09 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
01:11 -!- mobiusnz [~mobiusnz@60.234.147.135] has joined #openvpn
01:13 -!- mobiusnz1 [~mobiusnz@60.234.147.135] has joined #openvpn
01:14 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:17 -!- mobiusnz [~mobiusnz@60.234.147.135] has quit [Ping timeout: 255 seconds]
01:17 <@vpnHelper> RSS Update - forum: Server Administration :: Traffic Disapearing over OpenVPN tunnel :: Author mrjazzman <https://forums.openvpn.net/viewtopic.php?f=4&t=7243&p=8328#p8328>
01:19 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
01:41 -!- mobiusnz1 [~mobiusnz@60.234.147.135] has quit [Read error: Connection reset by peer]
01:43 -!- mobiusnz [~mobiusnz@60.234.147.135] has joined #openvpn
01:57 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Remote host closed the connection]
01:00 -!- mobiusnz [~mobiusnz@60.234.147.135] has quit [Ping timeout: 240 seconds]
01:01 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 276 seconds]
01:02 -!- Kurogane [~kuro@190.87.80.64] has joined #openvpn
01:24 -!- mobiusnz [~mobiusnz@60.234.147.135] has joined #openvpn
01:29 -!- mobiusnz [~mobiusnz@60.234.147.135] has quit [Read error: Connection reset by peer]
01:39 -!- mobiusnz [~mobiusnz@60.234.147.135] has joined #openvpn
01:54 -!- mobiusnz1 [~mobiusnz@60.234.147.135] has joined #openvpn
01:56 -!- mobiusnz2 [~mobiusnz@60.234.147.135] has joined #openvpn
01:56 -!- mobiusnz1 [~mobiusnz@60.234.147.135] has quit [Read error: Connection reset by peer]
01:58 -!- mobiusnz [~mobiusnz@60.234.147.135] has quit [Ping timeout: 240 seconds]
02:10 -!- Kurogane [~kuro@190.87.80.64] has quit [Remote host closed the connection]
02:31 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
02:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
02:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
02:47 -!- tieTYT [~bar@ip68-4-69-45.oc.oc.cox.net] has joined #openvpn
02:47 < tieTYT> hello
02:48 < tieTYT> I have a vpn question.  If I connect to a vpn on my local computer, and then download something on my local computer, does the other side of the vpn see the traffic?
02:48 < Bushmills> yes. that's where the vpn ends, after all
02:49 < tieTYT> ok, thanks
02:49 -!- tieTYT [~bar@ip68-4-69-45.oc.oc.cox.net] has quit []
03:05 -!- EmperorTom [~EmperorTo@174-30-252-58.mpls.qwest.net] has quit [Ping timeout: 240 seconds]
03:09 -!- EmperorTom [~EmperorTo@184-97-187-116.mpls.qwest.net] has joined #openvpn
03:45 -!- master_of_master [~master_of@p57B54F10.dip.t-dialin.net] has quit [Ping timeout: 250 seconds]
03:47 -!- master_of_master [~master_of@p57B56C14.dip.t-dialin.net] has joined #openvpn
03:58 <@vpnHelper> RSS Update - forum: Configuration :: Re: Do I have to have a client file for every pc? :: Reply by KyferEz <https://forums.openvpn.net/viewtopic.php?f=6&t=7241&p=8329#p8329>
04:07 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
04:10 <@vpnHelper> RSS Update - forum: Configuration :: Re: Do I have to have a client file for every pc? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7241&p=8330#p8330>
04:30 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
04:33 < hyper_ch> krzie: online?
04:35 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
04:40 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
04:41 < krzie> kinda
04:43 < hyper_ch> krzie: can you help me... tomorrow there will be a break of the internet connection at work with dsl
04:44 < hyper_ch> so I thought I could use my 3g stick to provide internet
04:44 < hyper_ch> and it seems I can't make the routing on the box go through the ppp0 connection
04:46 < hyper_ch> krzie: http://www.pastebin.ca/1984272
04:52 <@vpnHelper> RSS Update - forum: Configuration :: Re: Error building client certificate! :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7229&p=8331#p8331>
04:53 < krzie> can you get the machine accessing inet with the 3g?
04:55 < krzie> or is that what you're trying right now
04:55 < krzie> try removing the route for default over ppp0, and add it but with the gateway of 10.64.64.64
05:02 < hyper_ch> krzie: fixed it :)
05:03 < hyper_ch> works now fine and I have to put it all into a script on the "3g" server
05:03 < hyper_ch> and add "3g" profiles to the network connections of the clients
05:05 < krzie> =]
05:06 < Bushmills> hyper_ch: i am running through 3g right now
05:07 < Bushmills> including --redirect-gateway.   provider gateway 10.64.64.64 ...
05:08 < hyper_ch> can't windows have multiple ntwork profile for the same network interface????
05:09 < hyper_ch> well, we'll have a downtime with the adsl connection tomorrow and so I provide it with different means :)
05:09 < Bushmills> route after connect is http://scarydevilmonastery.net/snap/1289128145872441972d.png
05:10 < Bushmills> to resolve, i'm running a small-footprint recursive nameserver on the client
05:10 < hyper_ch> well, the 3g-server runs its own bind instance
05:11 < Bushmills> will that be of any use of you redirect your traffic through vpn server?
05:11 < Bushmills> if
05:13 < hyper_ch> the vpn setup for me is fine :)
05:14 < hyper_ch> but the problem here righ now is the windows computers
05:14 < hyper_ch> for a network device I can only make one profile
05:14 < hyper_ch> would be much simpler to have a default profile and a "3g" one
05:14 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
05:15 < hyper_ch> or I should get a real router and not just that limited dsl modem
05:24 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
05:37 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Read error: Operation timed out]
05:41 < hyper_ch> Bushmills: still here?
05:45 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined #openvpn
06:08 < Bushmills> no. again.
06:11 < Bushmills> i don't know about windows.  my netbook looks, during boot, whether the umts modem is plugged in, and configures accordingly, by executing setup scripts.
06:12 < Bushmills> those do:  modding routes, copying a different resolv.conf, starting recursor locally. 
06:13 < Bushmills> and initially connecting to provider,
06:17 < Bushmills> firewall doesn't change, and drops all traffic which is not local, from vpn, or the tunnel.
06:19 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
06:21 < Bushmills> at home, the same machine connects to a wlan router, reflashed with openwrt. trough dhcp, the name server of that machine will be used for resolving then. the wlan router runs its own openvpn client, so through vpn, can connect to router on its static ip address in the openvpn subnet also from abroad.
06:30 -!- crow [~crowmo@chello080108001109.35.11.vie.surfer.at] has joined #openvpn
06:33 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Ping timeout: 260 seconds]
06:39 -!- atan2 [~atan@unaffiliated/atan] has quit [Ping timeout: 265 seconds]
06:39 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
06:39 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
06:39 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
06:40 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Client Quit]
06:57 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Isololated client connections in version 2.0.5 :: Reply by vermeer_p <https://forums.openvpn.net/viewtopic.php?f=4&t=7232&p=8332#p8332>
07:16 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Remote host closed the connection]
07:26 -!- dagni [dagni@unaffiliated/dagni] has joined #openvpn
07:26 < dagni> hello
07:26 < dagni> > Please specify your OpenVPN-AS license key (or leave blank to specify later): 
07:26 < dagni> does it mean i have to pay for the license ? 
07:27 < dagni> will it work without that license key ?
07:28 < dagni> oh no
07:29 < dagni> thought Open means Open ;)
07:39 -!- p3rror [~mezgani@41.137.57.86] has quit [Ping timeout: 240 seconds]
07:50 -!- neoice [~neoice@thule.neoice.net] has joined #openvpn
07:52 < neoice> has anyone here used openvpn to provide ipv6? for example, I have a VPN client (my webserver) running a 6to4 tunnel and I want another VPN client (my laptop) to use it as a v6 gateway.
07:53 < neoice> I can get it to work route-wise, but I have some relability issues, mostly with having v6 work after a tunnel down/up, which I _think_ is an OSX issue. its routing tables have a tendancy to get b0rked
08:04 -!- crow [~crowmo@chello080108001109.35.11.vie.surfer.at] has quit [Ping timeout: 265 seconds]
08:08 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 260 seconds]
08:13 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
08:15 <@vpnHelper> RSS Update - forum: Configuration :: Re: Goofy IPs :: Reply by jerryk1234 <https://forums.openvpn.net/viewtopic.php?f=6&t=7238&p=8333#p8333>
08:26 < Bushmills> dagni: community version of openvpn doesn't require license key
08:26 < Bushmills> !as
08:27 <@vpnHelper> Bushmills: "as" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
08:27 <@vpnHelper> Bushmills: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
08:36 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left #openvpn []
08:43 -!- crow [~crowmo@chello080108001109.35.11.vie.surfer.at] has joined #openvpn
08:47 -!- booost [~fb@38.108.126.157] has joined #openvpn
08:48 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
08:48 -!- booost is now known as whoa
09:00 -!- alex__ [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
09:04 -!- humanMeat [alex@209.99.13.244] has quit [Ping timeout: 260 seconds]
09:05 -!- humanMeat [alex@209.99.13.243] has joined #openvpn
09:05 -!- humanMeat [alex@209.99.13.243] has quit [Client Quit]
09:08 -!- alex__ [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Ping timeout: 240 seconds]
09:26 -!- s7r [~s7r@86.121.76.237] has joined #openvpn
09:31 -!- markus_ [~markus@c83-250-33-131.bredband.comhem.se] has joined #openvpn
09:33 -!- dogarrhea1 [alex@209.99.13.200] has joined #openvpn
09:33 < dogarrhea1> why is my openvpn preventing communication to my server.. 
09:33 < dogarrhea1> i get connection timed out when i try to log in
09:38 < Bushmills> dogarrhea1: it doesn't
09:38 < dogarrhea1> the way i have it configured now according to the docs, it does
09:39 < Bushmills> the way you have configured it, may change the setup of your operating system such that communication will be prevented. but openvpn doesn't.
09:39 < dogarrhea1> where can i read about this?
09:39 < dogarrhea1> and specific steps to take?
09:39 < Bushmills> your configuration file.
09:39 < Bushmills> check out output of route command
09:40 < Bushmills> examine your firewall
09:41 < Bushmills> specific steps would be to change config such that what prevents communication with server - i.e. the result of your findings - won't apply any longer.
09:41 < Bushmills> generally speaking :)
09:42 < dogarrhea1> it's kind of hard
09:42 < dogarrhea1> every tiem i restart openvpn it logs me out of my ssh session
09:42 < dogarrhea1> so.. debugging this is painful right now
09:42 < Bushmills> start looking at client route
09:42 < Bushmills> assuming your client is local, no ssh session needed for that
09:43 < dogarrhea1> client route?
09:44 < dogarrhea1> right now i'm trying to set up openvpn on a box that i rent/do not own
09:44 < dogarrhea1> via ssh
09:44 < dogarrhea1> and when i issue a restart/start, i'm logged out of ssh
09:44 < Bushmills> yes, route. were packets, depending on their destination, are sent to.
09:44 < Bushmills> where
09:47 < dogarrhea1> hrm. so this route command says: Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
09:47 < dogarrhea1>  xxx.xxx.xxx.0   *               255.255.255.0   U     0      0        0 eth0
09:47 < Bushmills> no, that is buggy
09:48 < dogarrhea1> so what do i need to do to make it unbuggy
09:48 < Bushmills> set it up such that numbers show under destination
09:48 < dogarrhea1> i'm just blocking it out
09:48 < dogarrhea1> for the sake of privacy.
09:48 < Bushmills> still seems wrong. that's not a legal router
09:48 < Bushmills> route
09:49 < dogarrhea1> so it should end with a .1 ?
09:49 < dogarrhea1> instead of a .0 where the x's are?
09:49 < Bushmills> instead of x, there should be numbers.
09:49 < dogarrhea1> there are. but u don't need to know them
09:50 < dogarrhea1> i hear that ip addresses ending in 0 or 255 are reserved
09:50 < Bushmills> ok. the numbers determine the destinations, and the rest of the line relates to those
09:50 < Bushmills> there can be numbers with 0 at the end, or with other than 0 at the end
09:51 < Bushmills> and there can also be zeroes in the other octets. or other than zeroes.
09:51 < Bushmills> the combination of zeroes and other than zeroes influences how you read them
09:51 < Bushmills> good luck.
09:52 < dogarrhea1> so i'm still not sure how to fix it lol
09:52 < Bushmills> that's right. but i can't do a lot without information which i don't need to know.
09:53 < Bushmills> besides, i'm about to leave now
09:54 < dogarrhea1> why exactly do you need to know the ip address of my box...
10:01 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 255 seconds]
10:08 -!- VirusTB [~VirusTB@145.116.24.68] has joined #openvpn
10:09 < dagni> Bushmills: oh, great news then, thanks
10:20 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
10:29 -!- whoa is now known as fbsec
10:35 < ecrist> good morning, folks
10:36 < ecrist> http://www.drinkfour.com/  <--- bad, bad stuff, if you hate getting drunk
10:36 <@vpnHelper> Title: Four :: Caffeinated Alcoholic Beverage (at www.drinkfour.com)
10:46 -!- Dougy [me@tech.qsi.net] has quit [Changing host]
10:46 -!- Dougy [me@openvpn/community/user/dougy] has joined #openvpn
10:46 < Dougy> hey eric
10:46 < Dougy> are you there?
10:58 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
10:58 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
11:00 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
11:06 < ecrist> yeah, what's up Dougy?
11:14 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
11:15 -!- s7r [~s7r@86.121.76.237] has quit []
11:15 < markus_> is it possible to push out ips to the client from an auth-user-pass script ?
11:18 < crow> whats best encrypt option when using openvpn?
11:20 < hyper_ch> I was just about to make a funny comment :(
11:23 < crow> i was thinking about tls hmac authorisation
11:34 < hyper_ch> crow: I wanted to suggest telepathy :)
11:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
11:37 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
11:43 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
11:43 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
11:43 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
11:47 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 264 seconds]
11:47 <@vpnHelper> RSS Update - forum: Server Administration :: Generating the keys online :: Author strangevpn <https://forums.openvpn.net/viewtopic.php?f=4&t=7244&p=8334#p8334>
11:49 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 272 seconds]
11:50 < dogarrhea1> so.
11:50 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
11:51 < crow> hyper_ch...
11:51 < crow> is that above what i poster enoguh :)
11:52 < hyper_ch> crow: no clue really :)
11:52 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
11:53 -!- VirusTB [~VirusTB@145.116.24.68] has quit [Quit:  has left the bulding]
11:55 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Read error: Connection reset by peer]
11:58 < dogarrhea1> my server.conf is routing 127.0.0.0 to 10.8.0.5 
11:58 < dogarrhea1> but i dont' know where this stuff is happening
11:59 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
12:00 -!- mobiusnz2 [~mobiusnz@60.234.147.135] has quit [Quit: Leaving.]
12:16 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 276 seconds]
12:16 <@vpnHelper> RSS Update - forum: Configuration :: Re: Do I have to have a client file for every pc? :: Reply by KyferEz <https://forums.openvpn.net/viewtopic.php?f=6&t=7241&p=8335#p8335>
12:31 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
12:39 -!- mobiusnz [~mobiusnz@210.156.118.203.static.cust.vf.net.nz] has joined #openvpn
12:41 -!- mobiusnz1 [~mobiusnz@210.156.118.203.static.cust.vf.net.nz] has joined #openvpn
12:41 -!- mobiusnz [~mobiusnz@210.156.118.203.static.cust.vf.net.nz] has quit [Read error: Connection reset by peer]
13:01 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 240 seconds]
13:19 < dogarrhea1> where the f uck is this easy-rsa directory
13:19 < dogarrhea1> the documentation is absolutely wrong
13:19 < dogarrhea1> you hear me rkzee or whatever your name is
13:19 < dogarrhea1> ITS WRONG
13:21 < crow> cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/
13:22 < dogarrhea1> ok so it's NOT in /usr/share/doc/packages/openvpn/other/things/that/dont/exist
13:23 < dogarrhea1> as the documentation states
13:23 < dogarrhea1> which he said was 100% correct
13:24 < dogarrhea1> <krzee> guess what, the howto and the manual are NOT wrong
13:24 < dogarrhea1> <krzee> and apply to EVERY os / distro
13:24 < dogarrhea1> i wonder why i hate open source
13:24 -!- dogarrhea1 [alex@209.99.13.200] has left #openvpn ["Leaving"]
13:25 -!- mode/#openvpn [+o krzie] by ChanServ
13:25 -!- mode/#openvpn [+b *!*alex@209.99.13.200] by krzie
13:25 -!- mode/#openvpn [-o krzie] by krzie
13:26 < krzie> the find command / locate command must be too much for him
13:28 < crow> well if i posted correct path which he found,should be statisfy.. (that was on ubuntu)...
13:33 < hyper_ch> krzie: he probably didn't updatedb first
13:34 < krzie> he prolly didnt try anything except doing the EXACT path in the walkthrough
13:34 < krzie> i remember him, hes against learning, wants everything done for him
13:35 -!- l0rd_hex [~rubit_man@S01060002b3949ac5.ed.shawcable.net] has joined #openvpn
13:35 < hyper_ch> there are many learn-resistant people out there
13:35 < l0rd_hex> !welcome
13:35 <@vpnHelper> l0rd_hex: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:35 < l0rd_hex> !redirect
13:35 <@vpnHelper> l0rd_hex: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:35 < l0rd_hex> !pizzacats
13:36 <@vpnHelper> l0rd_hex: Error: "pizzacats" is not a valid command.
13:36 < l0rd_hex> hmm
13:36 < hyper_ch> krzie: you can help me again? :)
13:36 < krzie> hyper_ch, whats up?
13:36 < hyper_ch> krzie: well, the 3g business
13:36 < krzie> oh, throught you got that working
13:36 < l0rd_hex> ecrist: can I msg you about cloaks?
13:36 < hyper_ch> when I update the routes correctly and when the dns gets updated and the iptables is empty except for the masquerading
13:37 < hyper_ch> then incoming connections like mailserver shouldn't need any special treatment if the mailserver is the same ones as the one that provides the 3g access, right?
13:37 < krzie> hyper_ch, make sure the forward table allows and that you have ip forwarding on
13:37 < hyper_ch> because by default iptables is accept all
13:37 < hyper_ch> and no forwarding to another machine is being required
13:38 < hyper_ch> I have to recheck tomorrow... it's not that important if we don't get email for a day or so... I have a backup mailserver to accept the mail
13:38 < krzie> ip forwarding is about passing between interfaces
13:38 < krzie> comes in via eth0, leaves ppp0... you need ip forwarding
13:39 < hyper_ch> yes, but some remote MTA wants to submit an email to my server
13:39 < hyper_ch> so it comes in by ppp0
13:39 < krzie> and leaves eth0...?
13:39 < hyper_ch> and the ppp0 is the same as the receiving mta
13:39 < krzie> oh
13:39 < krzie> is the mta listening on ppp0?
13:39 < krzie> does it know it runs on that ip...?
13:39 < krzie> its prolly a matter of mta config'
13:39 < hyper_ch> well, same for apache
13:40 < hyper_ch> I didn't set them up onto specific listening ips
13:40 < hyper_ch> only listening to specific ports
13:40 < krzie> correct, apache would also need config'in
13:40 < l0rd_hex> is anyone using OpenVPN on OpenBSD / pf? I'm curious if anyone is redirecting only a specific subnet over the client
13:40 < hyper_ch> but you're right, I might check that
13:40 < hyper_ch> apache listens to given ip?
13:40 < krzie> l0rd_hex, instead of redirect-gateway just setup certain routes, still setup nat
13:40 < krzie> !pfnat
13:40 <@vpnHelper> krzie: "pfnat" is nat on <inf> from <subnet/ip> to <subnet/ip> -> <nat_ip>
13:41 < l0rd_hex> and also I guess what hyper_ch is doing and have my gateway act as a router over vpn
13:41 < l0rd_hex> krzie: thanks
13:41 < hyper_ch> l0rd_hex: not vpn related for once :)
13:41 < krzie> l0rd_hex, nah, ignore hyper_ch, hes not even talking about a vpn =]
13:41 < l0rd_hex> ohh
13:42 < l0rd_hex> sorry I thought he was going an OpenVPN on a ppp link and routing the traffic across his network :)
13:42 < l0rd_hex> *doing
13:42 < krzie> right, would make sense to think that since we're here and all
13:42 < krzie> ;]
13:42 < hyper_ch> l0rd_hex: nah, we'll have dsl outage tomorrow and I thought I could use the current mail/web server to setup a 3g connection :)
13:43 < l0rd_hex> ahhhahhh, why the outtage? polar bears?
13:43 -!- aliverius_ [~george@athedsl-373438.home.otenet.gr] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
13:43 < hyper_ch> probably
13:43 -!- aliverius [~george@athedsl-373438.home.otenet.gr] has joined #openvpn
13:43 < hyper_ch> they tell such generic things like maintenance... but it's probably polar bears
13:44 < l0rd_hex> probably, here in Canada polar bears are always up to no good
13:44 < hyper_ch> l0rd_hex: you don't have to outrun the polar bears... just outrun the kariboos :)
13:45 < krzie> [02:57]  * krzee has quit (Polar bear closed the connection)
13:46 -!- VirusTB [~VirusTB@145.116.24.68] has joined #openvpn
13:46 -!- mobiusnz1 [~mobiusnz@210.156.118.203.static.cust.vf.net.nz] has quit [Quit: Leaving.]
13:48 < hyper_ch> but there are no polar bears in the carribean
13:49 < hyper_ch> maybe there are carribean bears....
13:50 < l0rd_hex> hyper_ch: probably laser cats
13:50 < l0rd_hex> when I was in Dominica it was non-stop lasering
13:50 < krzie> lol
13:51 -!- alex__ [alex@209.99.13.245] has joined #openvpn
13:51 < alex__> morever, the useless documentation tells you to copy over client certificates but does not mention WHERE
13:51 < hyper_ch> cats are cute and fluffy and they love to unplug the audio cord between server and amplifier
13:52 -!- mode/#openvpn [+o krzie] by ChanServ
13:52 < hyper_ch> alex__: /dev/null is a good place for all the stuff you don't know exactely where to put ot
13:52 -!- mode/#openvpn [+b *!*@209.99.13.*] by krzie
13:52 -!- alex__ was kicked from #openvpn by krzie [byebye]
13:52 < l0rd_hex> alex__: http://www.kernel-panic.it/openbsd/vpn/vpn4.html
13:52 <@vpnHelper> Title: Building VPNs on OpenBSD - OpenVPN (at www.kernel-panic.it)
13:53 -!- mode/#openvpn [-o krzie] by krzie
13:54 < hyper_ch> krzee banned 254 people now :(
13:55 < l0rd_hex> he must be 20% polar bear
13:56 < krzie> heh
14:22 -!- VirusTB [~VirusTB@145.116.24.68] has quit [Quit:  has left the bulding]
14:26 -!- VirusTB [~VirusTB@145.116.24.68] has joined #openvpn
14:32 -!- VirusTB [~VirusTB@145.116.24.68] has quit [Quit:  has left the bulding]
14:34 -!- mobiusnz [~mobiusnz@210.156.118.203.static.cust.vf.net.nz] has joined #openvpn
14:36 < ecrist> l0rd_hex: sure
14:38 -!- mobiusnz [~mobiusnz@210.156.118.203.static.cust.vf.net.nz] has quit [Ping timeout: 255 seconds]
14:40 < ecrist> l0rd_hex: send me a pm about what you want, I'm going to go ride my motorcycle for what's likely to be the last nice day this year.
14:40 -!- VirusTB [~VirusTB@145.116.24.68] has joined #openvpn
14:52 -!- mobiusnz [~mobiusnz@210.156.118.203.static.cust.vf.net.nz] has joined #openvpn
14:53 -!- VirusTB [~VirusTB@145.116.24.68] has quit [Quit:  has left the bulding]
15:01 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 276 seconds]
15:09 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
15:12 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
15:14 -!- mobiusnz [~mobiusnz@210.156.118.203.static.cust.vf.net.nz] has quit [Quit: Leaving.]
15:19 -!- VirusTB [~VirusTB@145.116.24.68] has joined #openvpn
15:28 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 276 seconds]
15:33 -!- nb [~nb@fedora/nb] has quit [Quit: ZNC - http://znc.sourceforge.net]
15:33 -!- nb [~nb@fedora/nb] has joined #openvpn
15:37 -!- VirusTB [~VirusTB@145.116.24.68] has quit [Quit:  has left the bulding]
15:50 -!- mobiusnz [~mobiusnz@60.234.147.135] has joined #openvpn
15:54 -!- shuffle2 [shuffle2@cpe-74-74-168-216.rochester.res.rr.com] has joined #openvpn
15:54 < shuffle2> can i install more than one TAP device (and add it to my current bridge)?
15:55 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
15:55 < shuffle2> or should i just have the software use a different mac with the existing TAP device?
16:05 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 245 seconds]
16:07 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined #openvpn
16:08 < ecrist> shuffle2: you can have as many tap devices as your OS allows.
16:08 < ecrist> I'm not aware of any limits to that.
16:16 -!- atan [~atan@unaffiliated/atan] has quit [Quit: Leaving]
16:18 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
16:32 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
16:38 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
16:41 < shuffle2> ok, i guess the question is how to add another :p
16:41 < shuffle2> cause i tried to make my app share one...doesn't work of course :)
16:42 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Client Quit]
16:42 < shuffle2> i'm on windows, using Write/ReadFile() for interfacing with the TAP
16:47 < shuffle2> oh heh...the search in windows 7's start menu was not finding the obvious menu item, nevermind :p
16:52 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
17:13 <@vpnHelper> RSS Update - forum: Server Administration :: HD video over VPN (samba share) lagging :: Author akaka <https://forums.openvpn.net/viewtopic.php?f=4&t=7245&p=8336#p8336>
17:30 -!- crow [~crowmo@chello080108001109.35.11.vie.surfer.at] has quit [Remote host closed the connection]
17:35 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
17:48 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn
17:49 -!- VirusTB [~VirusTB@145.116.24.68] has joined #openvpn
17:49 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
17:52 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
17:53 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 240 seconds]
17:58 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
18:04 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Quit: Távozom]
18:05 -!- VirusTB [~VirusTB@145.116.24.68] has quit [Quit:  has left the bulding]
18:09 -!- nb is now known as i
18:09 -!- i is now known as nb
18:14 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
18:19 -!- atan [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
18:19 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
18:26 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
18:26 < |Mike|> cows go 
18:36 -!- atan [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
18:37 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
18:40 -!- atan [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
18:44 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
19:13 -!- VirusTB [~VirusTB@145.116.24.68] has joined #openvpn
19:19 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
19:21 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
19:30 -!- VirusTB [~VirusTB@145.116.24.68] has quit [Quit:  has left the bulding]
19:32 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
19:34 -!- atan3 [~atan@blk-222-132-103.eastlink.ca] has joined #openvpn
19:34 -!- atan3 [~atan@blk-222-132-103.eastlink.ca] has quit [Changing host]
19:34 -!- atan3 [~atan@unaffiliated/atan] has joined #openvpn
19:34 -!- mobiusnz [~mobiusnz@60.234.147.135] has left #openvpn []
19:36 -!- s7r [~s7r@66.199.231.250] has joined #openvpn
19:37 -!- atan2 [~atan@unaffiliated/atan] has quit [Ping timeout: 276 seconds]
19:50 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
19:53 -!- atan3 [~atan@unaffiliated/atan] has quit [Ping timeout: 245 seconds]
20:17 < ecrist> moooooooo
20:17 < korozion> yep
20:20 < ecrist> either that or 'sizzzzle'
20:20 < ecrist> they only do that when you put them on a hot grill
20:24  * krzee prefers *sizzle*
20:29 -!- atan2 [~atan@blk-222-132-103.eastlink.ca] has joined #openvpn
20:29 -!- atan2 [~atan@blk-222-132-103.eastlink.ca] has quit [Changing host]
20:29 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
20:32 -!- atan [~atan@unaffiliated/atan] has quit [Ping timeout: 272 seconds]
20:35 -!- atan3 [~atan@unaffiliated/atan] has joined #openvpn
20:36 < derekv> I finally bothered to look at the cost of a licensed version of openvpn, and its quite reasonable.
20:36 < derekv> indeed.
20:38 < derekv> only thing that makes me hesitate is that I'm considering crossgrading my firewalls to pfsense (from a customized freebsd install), I wonder if the script/webconfigurator in pfsense would somehow conflict with a licensed install of openvpn
20:38 -!- atan2 [~atan@unaffiliated/atan] has quit [Ping timeout: 252 seconds]
20:42 -!- s7r [~s7r@66.199.231.250] has quit []
20:42 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
20:46 -!- atan3 [~atan@unaffiliated/atan] has quit [Ping timeout: 276 seconds]
20:57 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
21:12 -!- EmperorT1m [~EmperorTo@174-30-245-204.mpls.qwest.net] has joined #openvpn
21:13 -!- EmperorTom [~EmperorTo@184-97-187-116.mpls.qwest.net] has quit [Ping timeout: 240 seconds]
21:14 -!- atan2 [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
21:14 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
21:23 -!- atan3 [~atan@unaffiliated/atan] has joined #openvpn
21:26 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
21:27 -!- atan2 [~atan@unaffiliated/atan] has quit [Ping timeout: 272 seconds]
21:27 -!- atan [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
21:28 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
21:28 -!- atan3 [~atan@unaffiliated/atan] has quit [Ping timeout: 240 seconds]
21:52 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
21:54 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 265 seconds]
22:10 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
22:27 < derekv> oh so wait, licensed openvpn access server is only for linux ? 
22:29 < krzie> !AS
22:29 <@vpnHelper> krzie: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations options
22:29 <@vpnHelper> krzie: supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
22:29 < krzie> see #4
22:29 < krzie> we dont support AS here
22:29 < krzie> (ild answer your question if i knew... last i knew it was a yes)
22:30 < derekv> OK
22:30 < derekv> thanks.
22:30 < krzie> np
22:32 < derekv> actually one of the most enticing things about it would be the user mode client, any other ways around this issue? 
22:32 < krzie> what issue?
22:32 < derekv> needing to start the windows client as an administrator
22:32 < krzie> which windows
22:33 < krzie> in XP ive heard people say to add the user to the networking group
22:33 < derekv> both :), actually xp and 7, but hopefully we will be phasing out xp so 
22:33 < derekv> oh interesting
22:33 < krzie> in all you can just run it as a service
22:34 < derekv> I wonder if I can get it so the user can start/stop that paticular service 
22:34 < krzie> the only reason it needs admin is to add routes and whatnot
22:34 < krzie> sure you can
22:34 < krzie> you setup runas for the service
22:34 < krzie> at least in XP i know that is an option... never played with win7
22:34 < krzie> my windows knowledge came to an abrupt halt around 6 yrs ago
22:35 < derekv> hmm maybe i just need to put more time into it.  I had something not too bad working for the three users + myself that use it, but we are going to be adding some more vpn users in the near future so I was thinking about it again
22:36 < krzie> you may also be interested in:
22:36 < krzie> !win_rollup
22:36 <@vpnHelper> krzie: "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
22:38 < derekv> nice, bookmarked
22:39 < krzie> and could possible need
22:40 < krzie> !winroute
22:40 <@vpnHelper> krzie: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
22:40 < krzie> when running it as a service on boot, you will likely need route-delay
22:40 < krzie> may or may not need #1 either way
22:41 < krzie> AS is slick tho, may want to visit their support center with any questions about it
22:41 < krzie> ive never used it, but my needs dont call for it
22:42 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:43 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
22:44 < derekv> I like running bsd as my firewall, Id like to run the vpn on the firewall as it has plenty of free cycles and we don't have extra boxen at the moment, I don't like running more than I need to on a firewall (like a web admin) unless its jailed, and I doubt if AS if it does support bsd that it supports being jailed, but I might email them to ask
22:45 < derekv> I could at least let them know that I am a user interested in such features
22:46 < derekv> meanwhile i'll probably just get more into writing my own scripts since, as it is now, creating access for a new user is a PITA
22:46 < krzie> !ssl-admin
22:46 <@vpnHelper> krzie: "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn, or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
22:47 -!- atan [~atan@unaffiliated/atan] has quit [Ping timeout: 276 seconds]
22:47 < krzie> a PITA remover for managing your certs on a BSD CA box =]
22:47 < krzie> a few of us here are BSD guys too =]
22:48 < derekv> haha easy-rsa I think thats what I've been using
22:48 < derekv> i have to consult my notes
22:48 < derekv> its like a 30 step process 
22:48 < krzie> ya easy-rsa comes with openvpn
22:49 < krzie> i prefer ssl-admin
22:49 < derekv> I need to put intermediate CA on the firewall for one thing, that'll cut it down to about 10 steps (my CA is offline)
22:49 < krzie> soon ssl-admin will be in C++, and will accept CLI options, at that point i will build it into my config file generator
22:49 < krzie> offline CA is the best way to go
22:49 < krzie> screw the intermediate, keep that extra step for security
22:51 < derekv> well, today I was thinking about it, and ... if I can rig is so that the intermediate residing on the FW/vpn box is only good for signing openvpn certs, 
22:51 < derekv> which I'm not sure I can
22:52 < krzie> you use your openvpn CA for other stuff too?
22:52 < krzie> pls tell me you are not using a CA that you bought for your openvpn setup
22:53 < derekv> hmm, not sure what your asking , I set up a root CA on a seperate box, offline and encrypted, I use that as a trusted root for the organization.  it isn't purchased (so its not a trusted root outside the organization)
22:54 < krzie> oh ok
22:54 < krzie> is it used for more than just openvpn?
22:54 < derekv> I used it to sign the openvpn server, some 4/5 clients, and the domain controller
22:54 < derekv> the root is, yes
22:54 < krzie> so you issue certs to people, but not meant for openvpn?
22:56 < derekv> whats that under, in the cert?
22:57 < derekv> basic constraits?
22:57 < derekv> I don't remember exactly what I did
22:57 < krzie> any cert signed by your CA can connect to openvpn
22:57 < krzie> basically, the openvpn server checks the client was signed by the ca in the server's ca entry in its config
22:57 < krzie> and the client does the same
22:58 < krzie> normally, those are the same ca.crt
22:59 < derekv> yea.
23:01 < derekv> ok re-reading your question, I don't issue certs to anyone normally.  
23:03 < derekv> but your saying, someone with a cert issued signed by the same CA certificate is allowed to connect even if that cert is for a different purpose, like there isn't a parameter it checks in the certificate
23:19 < derekv> ok I'm understanding it better now.
23:22 < derekv> It seems like however a good way to avoid this problem would have been for openvpn to have simply include a field in the server ca, and the client ca, by default, and by default require theses parameters, and in addition, not accept all certificates signed by the root certificate at the top of the chain, but the CA one higher then the server cert, which should generally be an organizational CA 
23:28 < derekv> meanwhile it looks like  I _do_ want an intermediate CA.  
23:31 < derekv> crap I'm going to have to rebuild this.
23:31 < derekv> faster... stronger...
23:33 < derekv>  --tls-verify 
23:33 <@vpnHelper> RSS Update - forum: Configuration :: NAT client side :: Author christiannan <https://forums.openvpn.net/viewtopic.php?f=6&t=7246&p=8337#p8337>
23:37 < derekv> and... it doesn't automatically check the crl fantastic
--- Day changed Mon Nov 08 2010
00:01 < krzie> it doesnt automatically do much
00:01 < krzie> you need to configure it to your liking ;)
00:01 < krzie> !crl
00:01 <@vpnHelper> krzie: "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that will
00:01 <@vpnHelper> krzie: create the CRL file for you. ssl-admin will also build a crl for you
00:23 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
00:57 <@vpnHelper> RSS Update - forum: Server Administration :: bridging help :: Author kim92 <https://forums.openvpn.net/viewtopic.php?f=4&t=7247&p=8338#p8338>
01:00 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:01 -!- atan2 [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
01:02 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
01:11 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
01:49 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
02:04 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 264 seconds]
02:13 < l0rd_hex> vpnHelper: what the heck do you know about network to network vpns?
02:13 <@vpnHelper> l0rd_hex: Error: "what" is not a valid command.
02:15 -!- ycas [~yann@84.114.50.173] has joined #openvpn
02:15 < ycas> !welcome
02:15 <@vpnHelper> ycas: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:16 < ycas> !howto
02:16 <@vpnHelper> ycas: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:16 < ycas> !configs
02:16 <@vpnHelper> ycas: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
02:17 < ycas> hello! is there a way to unrevoke certificates on a CRL?
02:19 < ycas> !crl
02:19 <@vpnHelper> ycas: "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that will
02:19 <@vpnHelper> ycas: create the CRL file for you. ssl-admin will also build a crl for you
02:21 < l0rd_hex> ycas: can you hand edit the crl file?
02:24 < krzie> no, would ruin the CA sig
02:24 < krzie> l0rd_hex, you asked bout network to network
02:24 < krzie> maybe you want this
02:24 < krzie> !route
02:24 <@vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:26 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
02:26 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
02:27 < l0rd_hex> krzie: reading it right now :)
02:29 < l0rd_hex> is it normal for my client and server to have different ips on their tun interfaces, for example my server says "inet 10.0.1.1 --> 10.0.1.2" but my client says "10.0.1.6 --> 10.0.1.5" ?
02:30 < hyper_ch> yes
02:31 < hyper_ch> don't ask me why, but you need two ips per machine
02:32 < krzie> yes
02:32 < krzie> !/30
02:32 <@vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
02:32 < krzie> and for the why...
02:32 < l0rd_hex> gypsies!
02:32  * l0rd_hex thinks he has routing or maybe firewall problems
02:32 < krzie> they had to find a work-around for windows lamesauce, so they made topology net30 (the only client/server topology in 2.0)
02:33 < krzie> in 2.1 they found topology subnet
02:33 < krzie> !topology
02:33 <@vpnHelper> krzie: "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
02:33 < krzie> the email linked there explains some of that
02:34 -!- Deffie [~Deffie@195.62.234.66] has quit []
02:34 < krzie> however, there IS a possible benefit to that
02:34 -!- Deffie [~Deffie@195.62.234.66] has joined #openvpn
02:34 < krzie> lets say you require clients on static ips, and it would be a security violation for them to be on a different IP
02:34 < l0rd_hex> ahh, makes since
02:34 < krzie> in tap, and in tun with topology subnet, clients CAN change their IP
02:34 < l0rd_hex> should I be able to ping 1.6 and 1.5 from my cleint
02:34 < krzie> in tun with topology net30 (default) they CAN NOT
02:34 < l0rd_hex> *client
02:35 < krzie> if they did, they would no longer be in the same subnet as the gateway, and they cant contact the server
02:35 < krzie> .6 is the client, so yes
02:35 < krzie> .5 is virtual, so no
02:35 < krzie> the server is .1
02:35 < l0rd_hex> hmm, I'm not getting a response from .6, perhaps my fw is blocking incoming on tun0?
02:36 < krzie> thats a common reason
02:36 < l0rd_hex> I can ping .1
02:36 < krzie> client can ping .1?
02:36 < l0rd_hex> yes
02:36 < krzie> yes, firewall
02:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
02:38 < l0rd_hex> so is this traffic coming on tun0?
02:38 < l0rd_hex> ie the reply ping?
02:38 < krzie> yes
02:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
02:38 < krzie> thats how i know it is the firewall, a routing issue would not allow the ping EITHER direction
02:40 < l0rd_hex> makes sense
02:40 < l0rd_hex> okay, time to look at that
02:49 -!- dazo_afk is now known as dazo
02:52 -!- atan2 [~atan@unaffiliated/atan] has quit [Ping timeout: 265 seconds]
03:44 < ycas> 10rd_hex: sorry, was busy. I tried editing the index file manually and recreating the CRL, but it didnt work
03:45 -!- master_of_master [~master_of@p57B56C14.dip.t-dialin.net] has quit [Ping timeout: 255 seconds]
03:46 < krzie> just issue a new cert
03:46 < krzie> you should only add to the CRL when a key is or may have been compromised
03:46 < krzie> the re-issue, make a new cert, different CN
03:47 -!- master_of_master [~master_of@p57B54DED.dip.t-dialin.net] has joined #openvpn
03:54 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
04:11 < ycas> l0rd_hex: sorry, was busy. I tried editing the index file manually and recreating the CRL, but it didnt work
04:13 < krzie> [05:46]  <krzie> just issue a new cert
04:13 < krzie> [05:46]  <krzie> you should only add to the CRL when a key is or may have been compromised
04:13 < krzie> [05:46]  <krzie> the re-issue, make a new cert, different CN
04:17 < ycas> ok thx. 
04:31 < krzie> kinda like changing the lock on your door... you dont make sure the old key fits
04:35 -!- Deffie [~Deffie@195.62.234.66] has quit [Ping timeout: 255 seconds]
04:38 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
05:08 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
05:08 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
05:11 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
05:11 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
05:11 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:11 -!- corretico [~corretico@201.201.44.82] has quit [Remote host closed the connection]
05:19 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
05:39 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 252 seconds]
05:45 -!- m-a [~mandree@131.234.19.44] has joined #openvpn
05:45 -!- m-a [~mandree@131.234.19.44] has left #openvpn []
06:54 -!- jacky_bro [cb51a606@gateway/web/freenode/ip.203.81.166.6] has joined #openvpn
06:54 < jacky_bro> hi i got a problem  with openvpn 
06:54 < jacky_bro> when i start openvpn from my client .. i got this error from server log 
06:55 < jacky_bro> __init__() got an unexpected keyword argument 'type': omi/auth:355,auth/domuserpass:125,auth/domuserpass:54 (exceptions.TypeError)
07:02 < jacky_bro> !welcome
07:02 <@vpnHelper> jacky_bro: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:02 < jacky_bro> !goal
07:03 <@vpnHelper> jacky_bro: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:04 < jacky_bro> !goal when i jon to my  openvpn server , i got this error in server log  -  _init__() got an unexpected keyword argument 'type': omi/auth:355,auth/domuserpass:125,auth/domuserpass:54 (exceptions.TypeError) 
07:04 <@vpnHelper> jacky_bro: Error: "goal" is not a valid command.
07:04 < jacky_bro> omm
07:04 < jacky_bro>  when i jon to my  openvpn server , i got this error in server log  -  _init__() got an unexpected keyword argument 'type': omi/auth:355,auth/domuserpass:125,auth/domuserpass:54 (exceptions.TypeError) 
07:05 < jacky_bro> sorry im not spammer :((((
07:05 < jacky_bro> just following channel instruction 
07:25 -!- ucekpolish [user@hq.ostc-pl.com] has joined #openvpn
07:27 < ucekpolish> Hello guys, Is here anyone who can tell me how can I fix the TSL error: Unroutable control packet received error?
07:35 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
07:52 -!- key_two [~key2@olm03.cvf.fr] has left #openvpn []
07:55 -!- [intra]lanman [~lanman@12.200.95.45] has joined #openvpn
07:55 -!- [intra]lanman [~lanman@12.200.95.45] has quit [Changing host]
07:55 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
08:14 <@vpnHelper> RSS Update - forum: Configuration :: Re: try to connect on my openvpn, but is not working, why? :: Reply by george <https://forums.openvpn.net/viewtopic.php?f=6&t=7237&p=8339#p8339> || Configuration :: Re: openvpn gui systray icon missing after incorrect passwor :: Reply by george <https://forums.openvpn.net/viewtopic.php?f=6&t=7236&p=8340#p8340>
08:18 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
08:19 < ecrist> jacky_bro: 
08:19 < ecrist> !logs
08:19 <@vpnHelper> RSS Update - forum: Configuration :: Re: VPN connects and pings server, cannot see any shares :: Reply by george <https://forums.openvpn.net/viewtopic.php?f=6&t=7239&p=8341#p8341>
08:19 <@vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
08:26 -!- ycas [~yann@84.114.50.173] has quit [Ping timeout: 276 seconds]
08:32 -!- edmurphy [~mrjazzman@ppp121-44-150-30.lns20.syd7.internode.on.net] has quit [Ping timeout: 250 seconds]
08:38 -!- mrjazzman [~mrjazzman@ppp121-44-137-254.lns20.syd7.internode.on.net] has joined #openvpn
08:39 -!- jacky_bro [cb51a606@gateway/web/freenode/ip.203.81.166.6] has quit [Quit: Page closed]
08:42 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
08:59 -!- daguz [~leo@208-1-63-50.celito.net] has left #openvpn []
09:30 -!- househead [~mark@5acb2181.bb.sky.com] has joined #openvpn
09:32 < househead> hi all ... i have just setup openvpn for a client to use samba over adsl... the performance of windows clients is dreadful. I think I am going to change it from proto=UDP to proto=TCP ... will this make much difference to SAMBA and is there any other tweaks I can employ? thanks in advance :)
09:32 < househead> for the record ... it's routed (tun) not bridged (tap)
09:33 < househead> and my problem def isn't my firewall either ;)
09:33 < househead> !welcome
09:33 <@vpnHelper> househead: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:35 < househead> !goal
09:35 <@vpnHelper> househead: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:38 <@vpnHelper> RSS Update - forum: Configuration :: Re: how to get ifconfig-push from client-connect :: Reply by burn <https://forums.openvpn.net/viewtopic.php?f=6&t=7234&p=8342#p8342>
09:38 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Ping timeout: 276 seconds]
09:39 <@dazo> !tcp
09:39 <@vpnHelper> dazo: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
09:39 <@dazo> househead: ^^^
09:40 <@dazo> househead: also, look into setting up a WINS available for the OpenVPN clients ... that's said to improve browsing (even though, I'm not a Windows user, so I really don't know)
09:41 < househead> dazo: thanks ... I have WINS setup one side (server) and WINS proxy on the client side 
09:43 <@dazo> househead: make sure the WINS traffic goes as expected and as quick as possible ... also check your firewalls, sometimes they can make things go slower if some ports are not opened correctly between the networks
09:44 <@dazo> as you're running routed tun network (which is usually good!) ... double check the routing as well.  It might also be that you need to look at how broadcast traffic goes as well ... as the SMB/CIFS protocols are really broadcast lovers 
09:44 < househead> dazo: thanks for the links too, I will check them out! I'm interested to see the difference between udp and tcp in openvpn. I'm pretty sure the firewalling and routing is correct. My 'real clients' are actually behind the openvpn client. all the routers and the openvpn client (which is also a SAMBA itself) have the correct routes etc
09:45 < househead> dazo: I was hoping using WINS cuts down on broadcast traffic ... can you tell me about unicast? isn't that what WINS uses?
09:47 < househead> dazo: all good stuff though, thanks pal :)
09:47 <@dazo> househead: normally, if you have no packet loss between the openvpn server and client ... you should not notice too much difference between UDP and TCP ... but if you experience loosing packets between openvpn server/clients, TCP mode can actually decrease the efficiency as you then have two layers (inside and outside of the tunnel) making sure all TCP packets gets through
09:48 <@dazo> househead: I wish I could tell you more about WINS and unicast ... but I'm pretty much ignorant in real life on that field, as I don't need it my work or private life
09:49 < househead> dazo: haha, I don't need it really but the guy paying me does! ;) i'll do some testing tomorrow, I'll be at one of the sites so it should be easier. I'll be reading as much as poss before then however!
09:50 <@dazo> househead: good luck :)  Anyhow, there are quite some windows users in the channel ... so you might find more people chiming in here with more hints and tips
09:51 <@dazo> (staying idle on this channel is advisable!)
10:06 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
10:13 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
10:24 -!- househead [~mark@5acb2181.bb.sky.com] has quit [Ping timeout: 276 seconds]
10:28 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
10:41 -!- linguini [~user@c-71-193-179-58.hsd1.wa.comcast.net] has joined #openvpn
10:48 -!- roentgen [~arthur@miranda/user/roentgen] has joined #openvpn
10:48 -!- ycas [~yann@84.119.102.7] has joined #openvpn
11:03 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
11:18 <@vpnHelper> RSS Update - forum: Configuration :: OpenVPN smartcard + CAcert configuration :: Author kellogs <https://forums.openvpn.net/viewtopic.php?f=6&t=7248&p=8343#p8343>
11:21 -!- househead [~mark@5acb2181.bb.sky.com] has joined #openvpn
11:25 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined #openvpn
11:31 -!- nucce [~nucce@90-227-9-168-no136.tbcn.telia.com] has joined #openvpn
11:31 -!- nucce is now known as nucce44
11:35 < nucce44> Hi, I need some help, I just installed Ubuntu, and I dont get this config file to work (It does work on Windows 7), so I would like someone too take a look @ http://pastebin.com/J6a8enEW and correct the file for me? 
11:36 < nucce44> I've got file.p12 and ta.key in the same folder as client.ovpn
11:37 <@dazo> nucce44: check your paths please .... C:\\Program\\OpenVPN\\config\\file.p12 and C:\\Program\\OpenVPN\\config\\ta.key won't work on Linux
11:37 < nucce44> they are ofc fixed
11:37 <@dazo> !logs
11:37 <@vpnHelper> dazo: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
11:38 < nucce44> Ive fixed the path names so it looks like pkcs12 file.p12
11:38 < nucce44> and next line tls-auth ta.key 1
11:39 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Read error: Connection reset by peer]
11:40 -!- nucce44 [~nucce@90-227-9-168-no136.tbcn.telia.com] has quit [Read error: Connection reset by peer]
11:41 -!- nucce44 [~nucce@90-227-9-168-no136.tbcn.telia.com] has joined #openvpn
11:41 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Read error: No route to host]
11:42 -!- mattock1 [~samuli@dyn55-11.yok.fi] has joined #openvpn
11:44 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has quit [Ping timeout: 245 seconds]
11:44 -!- nucce44 [~nucce@90-227-9-168-no136.tbcn.telia.com] has quit [Read error: Connection reset by peer]
11:45 -!- nucce44 [~nucce@90-227-9-168-no136.tbcn.telia.com] has joined #openvpn
11:46 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
11:46 -!- nucce44 [~nucce@90-227-9-168-no136.tbcn.telia.com] has quit [Read error: Connection reset by peer]
11:49 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn
11:49 -!- nucce44 [~nucce44@90-227-9-168-no136.tbcn.telia.com] has joined #openvpn
11:51 -!- nucce44 [~nucce44@90-227-9-168-no136.tbcn.telia.com] has quit [Read error: Connection reset by peer]
11:52 -!- nucce44 [~nucce44@90-227-9-168-no136.tbcn.telia.com] has joined #openvpn
11:53 -!- nucce44 [~nucce44@90-227-9-168-no136.tbcn.telia.com] has quit [Client Quit]
11:54 -!- nucce44 [5ae309a8@gateway/web/freenode/ip.90.227.9.168] has joined #openvpn
11:55 -!- ycas [~yann@84.119.102.7] has quit [Read error: Operation timed out]
12:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
12:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
12:36 -!- dazo is now known as dazo_afk
12:40 < nucce44> Now does everything work with my openVPN except it doesnt resolv simple hostnames, if I aim for a ip it works.. 
12:41 < nucce44> But not netbios(?) names.. :( 
12:41 -!- kdog [kdog@dampbarn.org] has joined #openvpn
12:43 < kdog> hello friends, I've successfully installed openvpn on a qnap TS-209 arm device and running it as typing but got some strange throughput issues. I uses win 7 openvpn client (portableapps client from here http://sourceforge.net/projects/ovpnp/files/OpenVPN%20Portable/ovpnp_1.6.6/OpenVPNPortable_1.6.6.paf.exe/download) is there anything I can do to increase my bandwidth? 
12:43 <@vpnHelper> Title: Download OpenVPN Portable from SourceForge.net (at sourceforge.net)
12:44 < kdog> I tried to turn off autotuninglevel on my windows 7 host but that hasn't helped much
12:45 < kdog> I connect from a 25mbit to a 100 mbit link and facing 100kbps download rate
12:45 < roentgen> kdog: how are direct ping and ping thru vpn ?
12:46 -!- dogmeat [~Bob@unaffiliated/dogmeat] has joined #openvpn
12:47 < kdog> Pinging 10.8.0.1 with 32 bytes of data:
12:47 < kdog> Reply from 10.8.0.1: bytes=32 time=31ms TTL=64
12:47 < kdog> Reply from 10.8.0.1: bytes=32 time=43ms TTL=64
12:47 < kdog> Reply from 10.8.0.1: bytes=32 time=18ms TTL=64
12:48 < kdog> this host is the same that I am accessing through SMB instead of using 10.8.0.1 i uses the actual ip of the SMB server
12:49 < kdog> I dunno if the TAP driver is bad on win 7 or what it could be
12:49 < kdog> I guess I should try my connection with a windows xp client but i don't use any...
12:49 < kdog> It really bothers me cause I like the concept of openvpn
12:50 < roentgen> maybe you should try to test non portable openvpn 2.2 beta 3
12:50 < kdog> roentgen: is it on openvpn.net/relases?
12:51 < roentgen> on the download page http://openvpn.net/index.php/open-source/downloads.html
12:51 <@vpnHelper> Title: Downloads (at openvpn.net)
12:51 < kdog> ok
12:51 < kdog> thxs
12:52 < kdog> roentgen: but is that one based on the same TAP driver as the protable app?
12:52 < roentgen> I don't know, that's why I'd test with the official version first
12:52 < roentgen> I have no probs with it in any win version
12:53 < kdog> roentgen: greate!
12:53 < kdog> sry Great i mean.
12:54 < roentgen> have you checked the CPU usage when transferring on that TS-209 arm device (whatever it is :P)
12:54 < kdog> I'll top it
12:55 < roentgen> you mean it gets high?
12:55 <@vpnHelper> RSS Update - forum: Configuration :: Re: Authenticatig clients with certificates & username passw :: Reply by shaia <https://forums.openvpn.net/viewtopic.php?f=6&t=7220&p=8344#p8344>
12:55 < kdog> roentgen: i dunno yet havn't checked but there are some encryption activites that I guess takes some CPU powers :D
13:03 -!- slyrus__ [~chatzilla@adsl-75-36-215-204.dsl.pltn13.sbcglobal.net] has quit [Remote host closed the connection]
13:08 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
13:10 < EmperorT1m> krzee: just replied to this forum post that you pointed out. https://forums.openvpn.net/viewtopic.php?f=6&t=7221 -- was in vegas most of last week and hunting this weekend, so i'm catching up on things.
13:10 <@vpnHelper> Title: OpenVPN Support Forum View topic - Network Stalls (at forums.openvpn.net)
13:12 < kdog> roentgen: I've changed the driver and the binary files from the latest release upon my portableapp client and gets the following 
13:12 < kdog> Reply from 192.168.1.3: bytes=32 time=9ms TTL=64
13:12 < kdog> Reply from 192.168.1.3: bytes=32 time=20ms TTL=64
13:12 < kdog> Reply from 192.168.1.3: bytes=32 time=13ms TTL=64
13:12 < kdog> Reply from 192.168.1.3: bytes=32 time=13ms TTL=64
13:12 < kdog> Reply from 192.168.1.3: bytes=32 time=14ms TTL=64
13:12 <@vpnHelper> RSS Update - forum: Configuration :: Re: Network Stalls :: Reply by tommyj27 <https://forums.openvpn.net/viewtopic.php?f=6&t=7221&p=8345#p8345>
13:12 < kdog> Reply from 192.168.1.3: bytes=32 time=16ms TTL=64
13:12 < kdog> Reply from 192.168.1.3: bytes=32 time=11ms TTL=64
13:13 < kdog> Reply from 192.168.1.3: bytes=32 time=29ms TTL=64
13:13 < kdog> Reply from 192.168.1.3: bytes=32 time=12ms TTL=64
13:13 < kdog> Reply from 192.168.1.3: bytes=32 time=13ms TTL=64
13:13 < kdog> Reply from 192.168.1.3: bytes=32 time=17ms TTL=64
13:13 < kdog> I still feel that it's bad so I'll check my CPU
13:13 < roentgen> kdog that is direct ping, no?
13:13 < roentgen> 192... is your local network
13:15 < kdog> no 192.168.1.3 is the vpn pushed network
13:15 < kdog> local network at the vpn site
13:15 < kdog> the vpn network is on a 10. subnet
13:16 < kdog> the vpn GW is the same host as the one I am pinging
13:16 < roentgen> so how's the ping on the 10. net now?
13:16 < kdog> its the same
13:16 < kdog> same host answering the pings
13:16 -!- CaMason [~camason@office.stasismedia.com] has joined #openvpn
13:17 < ecrist> kdog: don't paste into the channel like that, please.
13:17 < kdog> ecrist: ok sry
13:17 < CaMason> hi guys. I've set up a bunch of client configs and they all work on linux (get an assigned IP, can ping, ssh etc). I've tried running one on Windows. It gets the IP, but cannot ping
13:18 < kdog> CaMason: checked the firewall on the windows hosts?
13:18 < CaMason> windows client. Yes - it's winXp and appears to be fully off
13:18 < kdog> CaMason: do the connect from the same network ?
13:19 < roentgen> kdog: that's an awful delay for a local net
13:19 < CaMason> yes actually
13:19 < kdog> roentgen: it isn't the local net its the vpn network
13:19 < roentgen> or better sayd an awful response time
13:19 < CaMason> i.e. linux client is on 10.0.10.100, windows client is on 10.0.10.101, both connecting to server on external IP
13:19 < kdog> roentgen: my local network is 192.168.5
13:20 < roentgen> ehh...
13:21 < dogmeat> how can i set the client to disable auto reconnect upon server reset?
13:22 < kdog> CaMason: you should still be able to ping, have you tested to set your windows client on 10.0.10.100 to check that it isn't a Firewall issue
13:23 < linguini> Is it still harmful to put "daemon" in a config file when using launchd as mentioned in http://openvpn.net/archive/openvpn-users/2005-12/msg00424.html ?
13:23 <@vpnHelper> Title: RE: [Openvpn-users] Launchd for Apple OSX (at openvpn.net)
13:23 < CaMason> kdog, my windows machine can ping other IPs on the local network (10.*) but not the openvpn network (192.168.86.*)
13:24 < kdog> CaMason: check that your .ovpn file has simular config as the linux hosts
13:24 < CaMason> I copy/pasted it. I had to change interface from tun to tap, or it wouldn't start
13:24 < CaMason> other than that - no changes. Same file works on Linux
13:26 < kdog> CaMason: that's very odd...check your route table when connected with your windows host
13:26 < roentgen> CaMason: tun or tap are dictated by the server
13:27 < roentgen> tou can't connect a tap client to a tun server
13:27 < roentgen> *you
13:27 < CaMason> ok, will change back
13:27 < linguini> In particular, http://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man5/launchd.plist.5.html says it is bad to call daemon or fork/exit.
13:27 <@vpnHelper> Title: launchd.plist(5) Mac OS X Manual Page (at developer.apple.com)
13:28 < kdog> roentgen: is the tun prefeered on windows hosts for performance?
13:28 < CaMason> I get an error connecting saying "There is a problem in your selection of --ifconfig endp oints [local=192.168.86.11, remote=192.168.86.0]."
13:28 < roentgen> CaMason: post your configs somewhere
13:28 < roentgen> It's hard to tell otherwise
13:29 < roentgen> do you use a ccd file for the clients?
13:30 < CaMason> yes to push an ip
13:30 < roentgen> I'd double check that ccd then
13:30 < CaMason> for this machine: "ifconfig-push 192.168.86.11 192.168.86.0"
13:30 < roentgen> ecrist: should I PM you regarding host cloacks?
13:31 < roentgen> CaMason: the second argument should be a netmask
13:31 < roentgen> 255. something
13:32 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
13:33 < kdog> Is there anyone who has issues with bandwidth performance when connected to linux openvpnd from windows 7 x64 host?
13:37 < ecrist> roentgen: yes
13:37 < ecrist> or just ask here if you want one
13:38 < roentgen> ecrist: well, I do :) . What do they look like?
13:38 < ecrist> openvpn/community/user/roentgen
13:38 -!- kdog [kdog@dampbarn.org] has left #openvpn ["GoooooneeeyTunezzzzzzzZ"]
13:38 < ecrist> actually, for you
13:39 < ecrist> openvpn/community/support/roentgen
13:39 < ecrist> you're welcome to suggest something, however
13:39 < roentgen> hmm, I guess the second one rocks
13:39 < ecrist> it's what krzee and myself have.
13:39 < ecrist> you want it, then?
13:39 < roentgen> compared to the miranda that I have now
13:40 < roentgen> of course 
13:41 < roentgen> ecrist: I guess I should relogin, just tell me when...
13:41 < ecrist> I need to have staff do it.  gimme a minute
13:41 < ecrist> it'll "just work" when it's done
13:42 < ecrist> usually RichiH is around and does them for me.
13:43 < CaMason> I switched to tap (from tun) and we're good to go now
13:47 -!- Irssi: #openvpn: Total of 116 nicks [4 ops, 0 halfops, 0 voices, 112 normal]
13:50 -!- roentgen [~arthur@miranda/user/roentgen] has quit [Changing host]
13:50 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
13:50 < roentgen> ecrist: all done. Thanks
13:50 < ecrist> :)
13:51 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Remote host closed the connection]
13:59 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
13:59 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
13:59 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
14:22 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Read error: Operation timed out]
14:22 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
14:25 < EmperorT1m> phusion__: ecrist: it may be that Ubuntu, in their infinite wisdom, has decided to set up custom iproute2 routing tables to help you out by forcing traffic out the "right" interface.
14:25 < EmperorT1m> man ip
14:25 < EmperorT1m> # ip rule <--- shows routing rules
14:26 < EmperorT1m> # ip route show table <#> <--- shows rules in the specified table.
14:27 < EmperorT1m> You may want to check the differences between Debian and Ubuntu. I don't have a Ubuntu box to check this, but it sounds like it might be your boggle.
14:27 -!- EmperorT1m is now known as EmperorTom
14:30 < EmperorTom> and ecrist: not a Leupold, Swarovski Optik. It's the clearest glass I've ever seen.
14:34 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:37 < EmperorTom> Ubuntu is great for Joe F. User. For anyone trying to do anything remotely "outside the box", it becomes utterly frustrating very quickly.
14:39  * ecrist changes topic to:  Use *BSD.  Linux is bad, mmmmkay?
14:41 < EmperorTom> TBH, it's not that bad, just different. It's got BSD beat cold in some areas, but then we're picking nits.
14:42 < hyper_ch> Linux is the better BSD :)
14:42 < ecrist> the better BSD?
14:43 < hyper_ch> :)
14:44 < hyper_ch> although I would consider switching to BSD if she comes with every install:  http://3.bp.blogspot.com/_sov_EN72ZAY/TGcofsFHf1I/AAAAAAAAADA/lTV-5eu5U5I/s1600/1229723093_freebsd.jpg
14:46 -!- ycas [~yann@84.119.102.7] has joined #openvpn
14:47 < EmperorTom> I'd be okay with that too.
14:51 -!- nucce44 [5ae309a8@gateway/web/freenode/ip.90.227.9.168] has quit [Quit: Page closed]
15:02 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
15:02 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
15:03 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has quit [Ping timeout: 240 seconds]
15:04 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has joined #openvpn
15:05 -!- nucc44 [5ae309a8@gateway/web/freenode/ip.90.227.9.168] has joined #openvpn
15:06 < nucc44> Hi guys, is there anyone know howto fix that resolv problem simpliest way? Im connected with openvpn but my computer aint resolving the hostnames correctly on the domain
15:17 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
15:22 < krzee> simple simplest way would be to just manually change your NS to 8.8.8.8 or 4.2.2.1
15:22 < Bushmills> nucc44: recursive name server on client
15:23 < Bushmills> works either way - with or without openvpn and redirect-gateway
15:23 < krzee> my way was simpler =]
15:23 < nucc44> hehe
15:23 < Bushmills> oh. i read "manually change..."
15:23 < nucc44> well, your suggestion is to use google(?) nameserver? 
15:23 < Bushmills> mine says "works either way" :)
15:24 < nucc44> Will google know howto resolv the hostnames on my domain? 
15:24 < krzee> Bushmills, manually install bind < manually change nameserver
15:24 < krzee> as far as simple goes
15:24 < Bushmills> i'd not suggest bind, which is overkill for this application.
15:25 < Bushmills> too big. too much config.
15:25 < nucc44> Bushmills, I dont really understand what you propose me too do? 
15:26 < nucc44> "recursive name server on client"? 
15:26 < krzee> just change your NS
15:26 < Bushmills> exactly
15:26 < krzee> its that easy
15:26 < nucc44> krzee are you sure I will find my hosts on the domain then? 
15:26 < hyper_ch> simplest way would be to access servers by ip and not domain :)
15:27 < nucc44> hyper_ch, ill dont agree with you on that.. 
15:27 < krzee> nucc44, all depends... you should know that answer better than me
15:27 < hyper_ch> if you don't use domains, you don't need to resolv themn :)
15:27 < nucc44> I want too resolv them.. :) 
15:27 < hyper_ch> :)
15:28 < hyper_ch> and I want to become lotto millionaire but it's unlikely to happen
15:28 < nucc44> krzee.. depends on what? google dont got access too my intranet
15:28 < nucc44> hyper_ch: im pretty sure I will get this resolv.conf as I want it before you get an millionaire on the lotto.. :D 
15:29 < Bushmills> so you have a name server on your intranet already?
15:29 < krzee> 'depends on what you're talking about... you seem to assume i know your network layout'
15:29 < nucc44> Bushmills, hmm.. im pretty sure we got that yea
15:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
15:29 < Bushmills> "we" means, your admin knows?
15:30 < Bushmills> you could test whether that name server can also recurse
15:30 < krzee> you could set your lan NS to allow recursion from the VPN server's ip, or you could setup a route for the LAN NS to bypass the vpn
15:31 < nucc44> well I can resolv internethosts as google.com and stuff.. 
15:31 < nucc44> its servers on the network I cant resolv..
15:31 < Bushmills> then you're not using your intranet name server, or it is broken
15:32 < nucc44> Im pretty sure I dont use the intranets name server as resolv.conf tells me 192.168.0.1
15:32 -!- RichiH [~richih@freenode/staff/richih] has joined #openvpn
15:32 < RichiH> ecrist: pong
15:32 < nucc44> whichs feels to simple..
15:32 < Bushmills> do what krzee suggested: set a host route to your intranet name server
15:32 < roentgen> would it be that wrong to publish intranet names on the public dns with their private IPs?
15:33 < krzee> roentgen, depends... i personally wouldnt do it
15:33 < nucc44> I dont wanna do that.. 
15:33 < nucc44> So your telling me the best way to solve this is to "set a host route to my intranet name server"? :) 
15:33 < roentgen> I ask because I don't see anything wrong with it
15:33 < nucc44> Anyone wanna explaian howto do it? 
15:33 -!- atan2 [~atan@unaffiliated/atan] has quit [Ping timeout: 255 seconds]
15:34 < Bushmills> according your problem description, you can't access your intranet name server when openvpn is up
15:34 < Bushmills> most likely cause is --redirect-gateway, and queries to your name server are attempted from vpn server, and fail
15:34 < nucc44> well I cant access the nameserver which is on the vpn network.. :)
15:35 < Bushmills> if that's the problem, the added host route would be the solution
15:36 < Bushmills> but actually you're in a better position to tell us the actual cause of your problem, not just the symptoms
15:37 < nucc44> my problem is that I cant for example ping server "KING.std.domain.se when im connected too the VPN...
15:37 < Bushmills> that's the symptom
15:37 < Bushmills> and now the cause ...
15:37 < nucc44> but I know KING.std.domain.se got 192.168.1.46, and I can ping that ip
15:39 < Bushmills> ask your admin why that is the case
15:39 < nucc44> nslookup king.std.domain.se Server:		192.168.0.1 Address:	192.168.0.1#53  ** server can't find king.std.domain.se: NXDOMAIN
15:41 < Bushmills> what did he tell you?
15:41 < nucc44> alot of things, I dont know which one you point at.. :-S 
15:41 <@vpnHelper> RSS Update - forum: Server Administration :: Bridging without tun or TAP adapter? :: Author rpcblast <https://forums.openvpn.net/viewtopic.php?f=4&t=7249&p=8346#p8346>
15:43 < nucc44> well I cant get in touch with our network admin at this point
15:44 < nucc44> the clock is 11 pm here
15:44 < nucc44> :D 
15:44 < Bushmills> "ask your admin why that is the case"
15:44 < Bushmills> (nucc44: my problem is that I cant for example ping server ...)
15:45 < hyper_ch> anyone here runs a raid with mdadm?
15:45 < nucc44> Bushmills: but I can ping it from an server on the network thats not connected with openvpn
15:46 < Bushmills> i *know that already*. but we need to know *why* you can't
15:50 < nucc44> well I think I fixed it
15:50 < nucc44> ive stold same settings as we had on one computer in the networks resolv.conf 
15:50 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
15:50 < nucc44> stole* 
15:59 -!- atan2 [~atan@unaffiliated/atan] has quit [Ping timeout: 264 seconds]
16:06 -!- ycas [~yann@84.119.102.7] has quit [Ping timeout: 265 seconds]
16:09 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has quit [Read error: Connection reset by peer]
16:09 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
16:10 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has joined #openvpn
16:15 -!- atan2 [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
16:15 -!- mrjazzman [~mrjazzman@ppp121-44-137-254.lns20.syd7.internode.on.net] has left #openvpn []
16:16 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
16:19 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
16:28 -!- davidfetter_vmw [~chatzilla@little-black-box.vmware.com] has joined #openvpn
16:28 < davidfetter_vmw> !welcome
16:28 <@vpnHelper> davidfetter_vmw: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:29 < davidfetter_vmw> !howto
16:29 <@vpnHelper> davidfetter_vmw: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:32 < krzee> hyper_ch, my raids are zfs
16:32 < krzee> 1 in raidz and 1 in mirror
16:36 < hyper_ch> krzee: do you monitor them with cron?
16:36 <@raidz> krzee: what about me :-p
16:37 < krzee> heheh
16:37 < krzee> raidz, i run you on my zfs NFS
16:39 <@raidz> hehe
16:40 < krzee> hyper_ch, i scrub them in cron and i monitor them in the daily periodic emails
16:41 < krzee> daily_status_zfs_enable="YES" in periodic.conf
16:41 < hyper_ch> well, on debian lenny (don't know about other distros) mdadm is located in /sbin/ but /sbin/ was not in cron path. So when I run    mdadm --monitor --scan -1   it did not run it because it couldn't find mdadm... by accident I discovered that one array is degraded
16:43 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
16:45 < krzee> doh!
16:45 < krzee> ya in cron its best to either manually set PATH or ALWYAS use full paths... i been bit by that a few times
16:48 -!- atan2 [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
16:50 < hyper_ch> :)
16:56 < ecrist> RichiH: was looking for a cloak earlier, noticed you weren't in the channel.  another staffer took care of it (he saw me ping you)
16:57 < RichiH> ah, k
16:57 < RichiH> (i was in the channel, but inactive)
17:01 < ecrist> in that channel, you weren't in here, though.
17:04 -!- davidfetter_vmw is now known as dfetter_grumpy
17:04 -!- dfetter_grumpy is now known as davidfetter_vmw
17:25 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:34 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
17:38 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:38 -!- atan2 [~atan@unaffiliated/atan] has quit [Ping timeout: 240 seconds]
17:39 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
17:47 < atan> Is there an option I can place in my config to show me everything that is happening? Like a log file I can tail or something.
17:49 < reiffert> --verb
17:49 < reiffert> --log
17:49 < reiffert> --syslog
17:56 -!- atan2 [~atan@unaffiliated/atan] has quit [Ping timeout: 252 seconds]
18:15 -!- cron2 [~gert@openvpn/community/developer/cron2] has quit [Ping timeout: 255 seconds]
18:15 -!- cron2 [~gert@kirk.greenie.muc.de] has joined #openvpn
18:19 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
18:19 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 250 seconds]
18:23 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
18:23 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
18:23 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
18:24 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
18:36 <@vpnHelper> RSS Update - forum: Configuration :: How to create server.conf file :: Author gambler <https://forums.openvpn.net/viewtopic.php?f=6&t=7250&p=8347#p8347>
18:38 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
18:39 < |Mike|> lol
18:40 -!- atan3 [~atan@unaffiliated/atan] has joined #openvpn
18:41 < |Mike|> hi atan atan2 atan3 
18:41 < atan> ?
18:44 -!- atan2 [~atan@unaffiliated/atan] has quit [Ping timeout: 252 seconds]
18:49 -!- atan3 [~atan@unaffiliated/atan] has quit [Ping timeout: 265 seconds]
18:52 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 265 seconds]
18:52 < derekv> trying to mess with my vpn server yesterday ruined my life.
18:53 < |Mike|> okay?
18:53 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
18:54 -!- atan [~atan@unaffiliated/atan] has quit [Ping timeout: 265 seconds]
18:54 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
19:04 < derekv> I just need to either find a good set of scripts and tools to do what I need or I need to purchase a vpn solution. :/
19:04 -!- mutilator [muti@65.111.215.11] has joined #openvpn
19:06 < |Mike|> derekv: what kind of vpn solution are you looking for?
19:06 < mutilator> so.. whats the magic key sequence to get traffic to go over a tunnel?
19:07 -!- davidfetter_vmw [~chatzilla@little-black-box.vmware.com] has left #openvpn ["thanks!"]
19:08 < mutilator> tunnel is connecting, but i cant ping across it, on one side i have the bridge interface binding to the eth and tap, otherside is also binding the eth and tap
19:08 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 272 seconds]
19:10 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has joined #openvpn
19:13 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
19:15 -!- aliverius_ [~george@athedsl-374746.home.otenet.gr] has joined #openvpn
19:18 < derekv> |Mike|, something I won't regret later ... I'm actually thinking about it and trying to pencil down some requirements right now
19:19 -!- aliverius [~george@athedsl-373438.home.otenet.gr] has quit [Ping timeout: 264 seconds]
19:21 < ecrist> mutilator: see /topic
19:21 < derekv> (I concure with ecrist, sounds like the problems I had originally that ended up being firewall related)
19:22 < ecrist> there's more to /topic than the firewall message.
19:22 < ecrist> usually it's a firewall, but more importantly, we were not given any information that actually helps us help him.
19:22 < derekv> ahh
19:23 < atan2> Ahhh! I can't get tomatoVPN to connect to my VPN properly
19:23 < atan2> Err, well, maybe it is - can I somehow tell if it's connected on the server? Is there like a status command?
19:26 < ecrist> atan2: there is a status log, if enabled.
19:26 < atan2> Can I set it to be like, super-dooper-verbos?
19:27 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Quit:  has left the bulding]
19:27 < ecrist> check sockstat or netstat, see if there's a properly open port.
19:27 -!- havoc [~havoc@neptune.chaillet.net] has quit [Quit: leaving]
19:27 < ecrist> !status
19:27 <@vpnHelper> ecrist: Error: "status" is not a valid command.
19:27 < ecrist> !statuslog
19:27 <@vpnHelper> ecrist: Error: "statuslog" is not a valid command.
19:27 < atan2> Well I can connect from one client, just not the other
19:27 < ecrist> see the man page
19:27 < atan2> But I'd like to know if the other client (tomato router) is connecting but just not routing traffic properly
19:30 < ecrist> atan2: status log
19:30 < ecrist> or look at the logs on the tomato router
19:31 < mutilator> ...
19:31 < mutilator> !welcome
19:31 <@vpnHelper> mutilator: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:31 < mutilator> !goal
19:31 <@vpnHelper> mutilator: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:32 < mutilator> umm
19:32 < mutilator> !route
19:32 < mutilator> ..
19:32 <@vpnHelper> mutilator: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
19:33 < atan2> My log says openvpn[751]: /sbin/ifconfig tun11 10.8.0.2 pointopoint 10.8.0.1 mtu 1500
19:33 < atan2> Hmm
19:33 < atan2> and says connection established
19:33 < ecrist> atan2: good, sounds like it's connecting.
19:33 < ecrist> now just route some traffic over it.
19:34 < atan2> Check "Redirect Internet traffic" ?
19:35 < ecrist> see !goal
19:36 < mutilator> i just want to make it work as a bridge, i have a 10.1.2.0/24 lan, and i want to connect a remote server into it on a 10.1.2.20 ip to where it can access the lan and the lan can access it
19:37 < mutilator> which irc trigger do i need to use to see that?
19:37 < mutilator> !bridge
19:37 <@vpnHelper> mutilator: "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc, or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ, or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man)
19:38 -!- s7r [~s7r@AC814E16.ipt.aol.com] has joined #openvpn
19:39 < mutilator> o_O
19:39 < mutilator> yea
19:39 < mutilator> so thats that i'm doing and it doesnt work
19:39 < mutilator> o wait
19:39 < mutilator> not putting eth in promisc mode on both sides
19:40 < atan2> http://pastie.org/private/dorbipnmfopin8blwxaqiq is what I see when I connect (from the router)
19:42 < derekv> so, needs and wants for vpn solution: NEEDS: uncompramised security, quick deployment for new devices/users (15 minutes tops), equally quick revocation, windows and mac clients, scales to at least 60 devices/users (authorized, not simultaneous), firewall&NAT friendly. 
19:43 < atan2> http://pastie.org/private/xemzx0hppnvj1xnfygzrg is what I have now which I think means it is connected, but traffic is not being routed
19:43 < ecrist> mutilator: did you paste your configs?
19:44 < ecrist> derekv: openvpn meets/exceeds all those
19:44 < derekv> WANTS: server can run on freebsd, linux/BSD/iphone/android/otherweirdOS clients, AD/ldap and/or radius authentication as an option, some way to segregate users and control network access weather by vlan or ip group etc
19:45 < ecrist> derekv: openvpn meets/exceeds all those
19:46 < ecrist> mobile clients can be the hardest thing to come by
19:46 < derekv> right, thats a sort of "while were're dreaming" thing
19:46 < derekv> since not everyone will want to root their phone and other hurdles
19:47 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
19:47 < ecrist> right
19:50 < ecrist> openvpn community version can be deployed in ~1 minute, supports ldap/radius/wtf_ever with plugins, is scriptable, revokes both with auth manager or SSL certificate revokation, scales to N users, authorized or simultaneous
19:50 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
19:50 < derekv> I have one client where I already installed openvpn and we use it, but I realized I misconfigured it, and also, the way it is currently configured, which is fairly barebones, it takes over an hour to deploy a new client.  
19:51 < derekv> hi krzee =]
19:51 < ecrist> why would it take over an hour?
19:51 < ecrist> I can't imagine a scenario as such
19:52 < derekv> Several reasons, about 2/3rds of it is me being stupid
19:53 < krzee> hey hey
19:53 < krzee> an hour isnt so bad... it took me a week or so to config my first vpn
19:54 < krzee> (and have it exactly as i wanted it)
19:54 < derekv> Another part is that I had the wrong idea about how to handle openvpn and pki as krzee helped point out.
19:55 < derekv> so there are several steps in there that are not nessisary and actually are hurting security.
19:55 < ecrist> ah
19:55 < ecrist> well, you're in the right place to get help. :)
19:58 < krzee> derekv, ecrist is the author of ssl-admin
19:59 < derekv> Right, good. i'll probably start tackling this in earnest tommorow or weds.  Just thinking over it and making sure I understand things better this time around.
19:59 < derekv> oh, slick
19:59 < derekv> I was just looking at the man page for that
19:59 < derekv> Thanks for writing a man page =]
20:06  * ecrist loves man pages
20:07 < ecrist> derekv: if there are features you want, let me know.
20:07 < ecrist> there's a man page in sections 1 and 5
20:11 -!- househead [~mark@5acb2181.bb.sky.com] has quit [Ping timeout: 255 seconds]
20:11 < atan2> poppycalk!
20:11 < atan2> Under advanced-routing.asp in tomato it shows my public IP for the VPN 
20:11 < atan2> but doesn'
20:11 < atan2> t push any traffic over it
20:14 < ecrist> atan2: you still haven't shown us your config
20:14 < ecrist> or logs
20:16 < atan2> ecrist, the config is like 50 pages on tomato. Is there a text version of it somewhere?
20:17 < atan2> Let me imackshack it, one sec
20:18 < atan2> http://dl.dropbox.com/u/10620394/Capture.JPG
20:18 < atan2> Blue thinger is my public server IP
20:19 < atan2> http://dl.dropbox.com/u/10620394/Capture2.JPG is my server config
20:20 < atan2> http://dl.dropbox.com/u/10620394/client-basic.JPG
20:21 < ecrist> atan2: ask in #tomato where to get the text config
20:21 < ecrist> we don't help with tomato in here, specifically, but we'll help with openvpn
20:21 < ecrist> !tomato
20:21 <@vpnHelper> ecrist: Error: "tomato" is not a valid command.
20:21 < atan2> ='( there's like 2 people in there
20:22 < atan2> and lastly http://dl.dropbox.com/u/10620394/advanced.JPG is the advanced portion of that page =\
20:22 < atan2> There is my key entered in the key section but that's all that's in there
20:23 < atan2> What interests me in in the logs I see openvpn[737]: Socket Buffers: R=[43689->65534] S=[16384->65534]
20:23 < atan2> openvpn[737]: TCPv4_CLIENT link local: [undef]
20:23 < atan2> and then the link remote: remoteip:port =\
20:23 < atan2> And tomato learns the public IP of the VPN server which it shows in the routing page
20:25 < ecrist> the problem is  none of us know/use tomato
20:25 < ecrist> all these embedded-system folks fuck with the config and do special things.
20:25 < ecrist> what we want is a text config and/or the actual openvpn logs.
20:25 < atan2> I tried setting it up with OpenVPN except it didn't support static keys =( blarg
20:26 < atan2> Have you any experience with DD-WRT?
20:26 < ecrist> nope
20:29 < theDoc> I just took an awesome dump.
20:29 < theDoc> :o
20:29 < theDoc> The kind which makes you go, ahh. D:
20:30 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
20:32 < ecrist> and you wonder why you don't have +o
20:32 < ecrist> lol
20:35 < theDoc> If anything, I need +shoes now
20:35 < theDoc> My shoes are soaked and broken.
20:35 < theDoc> I'm going to have to get something like, vibram's 5 fingers at lunch.
20:35  * ecrist sets mode +shoes for theDoc
20:36 < theDoc> It comes with +o too.
20:36 < theDoc> ecrist: Truth, I'm prancing around office barefooted.
20:36 < theDoc> lol
20:36 < theDoc> I don't know what's sadder, me not having shoes or that I can prance around office.
20:40 < mutilator> is there some special config you need to use to make it allow self signed certs?
20:41 < mutilator> on server side i'm getting
20:41 < mutilator>  VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/emailAddress=me@myhost.mydomain
20:45 < ecrist> mutilator: !configs
20:45 < ecrist> !verify
20:45 <@vpnHelper> ecrist: Error: "verify" is not a valid command.
20:45 < mutilator> !configs
20:45 <@vpnHelper> mutilator: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
20:45 < ecrist> !certverify
20:45 <@vpnHelper> ecrist: "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
20:46 < mutilator> both return ok
20:47 < mutilator> hm
20:48 < mutilator> aparently i didnt copy the correct ca.crt over
20:49 -!- mutilator [muti@65.111.215.11] has left #openvpn []
20:55 < ecrist> :)
20:57  * theDoc groans.
20:57 < theDoc> truecrypt, 3 hours more to do.
20:57 < theDoc> @_@
21:00 < ecrist> truecrypt sucks
21:00 < ecrist> just sayin'
21:04 < krzee> ecrist, why?
21:04 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
21:11 -!- linguini [~user@c-71-193-179-58.hsd1.wa.comcast.net] has quit [Quit: ERC Version 5.3 (IRC client for Emacs)]
21:24 < ecrist> krzee: becuase it is hard as hell to use
21:24 < ecrist> I would consider myself a 'power user' of computers.  truecrypt is hard for *me* to use.
21:26 < theDoc> ecrist: It's fine really, I encrypt usb drives which I use for travel.
21:26 < krzee> ahh
21:26 < ecrist> I get that, but compared even to GEOM's GELI, it's a pain in the ass.
21:28 < theDoc> So, I'm going to pick up that pair of vibrams 5 fingers in a while.
21:28 < theDoc> My shoes are fucked beyond recognition at the moment.
21:29  * ecrist notes this isn't #theDocsShoesSoEcristDoesntGiveAFuckReallyImJustSayinHeProllyDoesntNobodyElseDoesEitherCauseTheyreJustShoesForTheLoveOfGod
21:29 < ecrist> I checked, that channel *is* available.
21:31 < theDoc> D:
21:49 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 240 seconds]
21:51 < Dougy> woah ecrist dont hate
21:52 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
21:55 < ecrist> Dougy: what did you want the other day
21:55 < ecrist> ?
22:02 < atan2> hey ecrist, I think I found those config files you spoke of
22:02 < atan2> I am stunned, but one of the .sh scripts has iptables -t nat -I POSTROUTING -s 192.168.2.0/255.255.255.0 -o tun11 -j MASQUERADE in it
22:02 < atan2> Is that where it went wrong maybe?
22:02 < atan2> err, I'll pastebin the configs
22:03 < atan2> http://pastie.org/private/h3xyzkvjskvmmzgw67xfng is the config for it
22:06 -!- s7r [~s7r@AC814E16.ipt.aol.com] has quit []
22:08 < ecrist> g'damn it dougy
22:08  * ecrist walks
22:25 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
23:01 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Read error: Operation timed out]
23:01 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
23:01 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:28 -!- fipu [~fipu@swissvps.net] has quit [Ping timeout: 245 seconds]
23:33 -!- fipu [~fipu@swissvps.net] has joined #openvpn
23:36 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
23:37 < joako> Is there some way I can run OpenVPN witthout certificates on the client? Only a simple username and password?
23:39 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
23:46 -!- Crimor [~chatzilla@0x573a249e.odnqu2.dynamic.dsl.tele.dk] has joined #openvpn
23:47 < Crimor> Hm, anyone know a free proxy based in the UK?
23:47 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
23:52 -!- ecrist1 [~Fuck@ms.choksondik.secure-computing.net] has joined #openvpn
23:55 -!- ecrist1 is now known as ecrist_android
23:58 -!- ecrist_android [~Fuck@ms.choksondik.secure-computing.net] has quit [Changing host]
23:58 -!- ecrist_android [~Fuck@openvpn/community/support/ecrist] has joined #openvpn
--- Day changed Tue Nov 09 2010
00:02 -!- mattock1 [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
00:10 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Read error: Operation timed out]
00:10 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
00:13 -!- Crimor [~chatzilla@0x573a249e.odnqu2.dynamic.dsl.tele.dk] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.12/20101026210630]]
00:54 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
01:24 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:32 -!- cron2 [~gert@kirk.greenie.muc.de] has quit [Changing host]
01:32 -!- cron2 [~gert@openvpn/community/developer/cron2] has joined #openvpn
01:53 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
02:01 -!- ycas [~yann@84.114.50.173] has joined #openvpn
02:15 -!- EmperorTom [~EmperorTo@174-30-245-204.mpls.qwest.net] has quit [Read error: Connection reset by peer]
02:15 -!- joako [~joako@opensuse/member/joak0] has quit [Quit: Leaving]
02:15 -!- EmperorTom [~EmperorTo@174-30-245-204.mpls.qwest.net] has joined #openvpn
02:18 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
02:23 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
02:24 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Client Quit]
02:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
02:29 -!- kdog [kdog@dampbarn.org] has joined #openvpn
02:29 -!- kdog [kdog@dampbarn.org] has left #openvpn ["GoooooneeeyTunezzzzzzzZ"]
02:35 -!- dazo_afk is now known as dazo
02:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
02:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:10 < kraut> moin
03:16 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
03:20 < CaMason> hi guys. I'm seeing lots of "read UDPv4 [ECONNREFUSED]: Connection refused" messages
03:21 < theDoc> lol, try connecting to a server which has the openvpn service listening.
03:21 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
03:22 -!- le0 [~fin@cpc13-bele7-2-0-cust182.2-1.cable.virginmedia.com] has joined #openvpn
03:22 -!- le0 [~fin@cpc13-bele7-2-0-cust182.2-1.cable.virginmedia.com] has quit [Changing host]
03:22 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
03:24 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
03:27 -!- househead [~mark@195.74.118.181] has joined #openvpn
03:38 -!- _zero__ [~zero@noc.toile-libre.net] has joined #openvpn
03:41 -!- l0rd_hex_ [~rubit_man@S01060002b3949ac5.ed.shawcable.net] has joined #openvpn
03:41 -!- RichiH_ [~richih@freenode/staff/richih] has joined #openvpn
03:42 -!- batrick_ [~batrick@batbytes.com] has joined #openvpn
03:42 -!- finetic_ [~finetic@213.155.20.16] has joined #openvpn
03:42 -!- dagni_ [dagni@de.moon-station.us] has joined #openvpn
03:42 -!- itchi_ [~David@d5153691F.access.telenet.be] has joined #openvpn
03:44 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
03:44 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
03:45 -!- master_of_master [~master_of@p57B54DED.dip.t-dialin.net] has quit [Ping timeout: 255 seconds]
03:47 -!- Netsplit *.net <-> *.split quits: ksk, nukedeath, l0rd_hex, _zero_, finetic, batrick, dagni, itchi, RichiH
03:47 -!- master_of_master [~master_of@p57B57AB2.dip.t-dialin.net] has joined #openvpn
03:48 -!- basso [~quassel@pc5053.stdby.hin.no] has joined #openvpn
03:49 -!- Netsplit over, joins: ksk
04:09 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
04:12 <@vpnHelper> RSS Update - forum: Configuration :: Re: Network Stalls :: Reply by voiceover <https://forums.openvpn.net/viewtopic.php?f=6&t=7221&p=8348#p8348>
04:39 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
04:39 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
04:39 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
04:47 -!- househead [~mark@195.74.118.181] has quit [Ping timeout: 276 seconds]
04:52 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 272 seconds]
04:59 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has quit [Ping timeout: 272 seconds]
05:08 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
05:13 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
05:27 -!- Coffe [~niszsse@office.alatest.se] has joined #openvpn
05:28 < Coffe> Hi , is it possible ? to have 2 offices connected to a  third, and have the third routing traffic so office1.computer can ping office2.computeR ?
05:31 < Bushmills> offices 1 and 2 as clients of openvpn server in office 3? yes. needs a bit of routing setup, if you connect the whole LANs of offices 1 and 2, rather than a single machine
05:31 < Bushmills> !route
05:31 <@vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
05:35 < Bushmills> be aware though that traffic between offices 1 and 2 will have to traverse both vpn tunnels office 1 <> office 3 <> office 2 
05:43 < Coffe> Bushmills,  Tnx,  i will do some reading now , 
05:43 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
05:44 < Coffe> i am trying to ping vpn2 server from vpn1 server, and they both are connected to vpn3 server.
05:46 < reiffert> vpn3 needs to have a route to each of em.
05:46 < reiffert> gateway of vpn1 needs to have a route to vpn2 (with gateway vpn3) and vice versa.
05:46 < Coffe> vpn3.server can ping both other servers
05:46 < reiffert> good. half way done.
05:47 < reiffert> Coffe: vpn1,2,3: are those LAN's or just single PC's?
05:47 < Coffe> reiffert,  yes, i am trying the push , but i dont know if i have a major error in my small office config file. hang on. vill post it 
05:47 < Coffe> all lans
05:47 < reiffert> get away from pusing. set it manually. if it starts working try the push again.
05:50 < Coffe> http://pastebin.com/VAU2BcKG 
05:50 < Coffe> its one satelite office config , and the part att "main" office
05:54 < Coffe> i am guessing i am doing something wrong , like starting 2 VPN connections
06:03 < Coffe> both satelite office now have a route to the otherone when i check route, on a tracepath. i get to middle vpn server, then it dies
06:06 -!- ecrist_android [~Fuck@openvpn/community/support/ecrist] has quit [Quit: -a-]
06:12 -!- ondrejk [~ondrejk@194.228.50.29] has joined #openvpn
06:13 < ondrejk> hello, i'm facing problem with "one sided crashed" vpn connection
06:13 < ondrejk> from client i can ping anything but from server im not able to contact client
06:13 -!- f0g [48f8fdc2@gateway/web/freenode/ip.72.248.253.194] has joined #openvpn
06:14 < f0g> I'm having a bit of a problem with openvpn.  I'm trying to create a vpn on a machine that also handles the routing for intranet<->internet, so I've basically got three subnets on that same machine and things are getting a little bit crazy.
06:17 < Coffe> reiffert, i use one config file for every office. is that a stupid ide ?
06:18 -!- househead [~mark@5acb2181.bb.sky.com] has joined #openvpn
06:18 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has joined #openvpn
06:28 -!- sde [~sde@93-97-41-44.zone5.bethere.co.uk] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Nine out of ten l33t h4x0rz prefer it]
06:28 < reiffert> Coffe: brilliant.
06:28 < Coffe> reiffert,  okey, looking @ the page , i dont have command iroute .
06:29 < reiffert> look, thats what I have in my ccd files:
06:30 < reiffert> http://pastebin.ca/1986222
06:30 < reiffert> fbox is vpn1 and buero is vpn2 for your place.
06:30 < reiffert> iroute is an openvpn internal command.
06:30 < reiffert> s,command,option,
06:31 < Coffe> okey
06:31 < Coffe> Tnx , will test
06:31 < househead> has anyone here used SAMBA over openvpn and ADSL(client and server-side)? I'm having serious issues with latency ... transfer seems fine but beginning file transfers is woeful
06:31 -!- ycas [~yann@84.114.50.173] has quit [Ping timeout: 240 seconds]
06:32 < reiffert> have the iroute option in the ccd files and then add the route's manually. if it works, push them with the help of openvpn.
06:32 < househead> for the record I am using tun not tap
06:32 < reiffert> househead: I'm currently listening to music over SAMBA/CIFS.
06:33 < Coffe> reiffert,  i guess i need to create that foldeR ?
06:33 < reiffert> househead: site1<---ADSL--->site3<---ADSL--->site2 for my case. site3 is my openvpn server.
06:34 < reiffert> Coffe: http://pastebin.ca/1986229
06:34 < Coffe> reiffert,  Tnx :) 
06:35 < reiffert> Coffe: I've got additional openvpn server's running, one on udp/53 and another on tcp/443, and on udp/1194.
06:35 < reiffert> thats why I name my config files like the way I do.
06:36 < househead> reiffert: what OS client-side?
06:36 < reiffert> househead: linux at every place.
06:36 < Coffe> reiffert, i am running a own server for every office
06:37 < reiffert> for the clients I use one of those ADSL/Wireless/LAN boxes.
06:37 < Coffe> reiffert,  i will read more . but as soon as i hve iroute in a config ,  openvpn will not start.
06:37 < reiffert> Coffe: additional routing commands will hit you when your gateway is not your openvpn server.
06:37 < reiffert> or: not your openvpn client
06:38 < reiffert> Coffe: running openvpn version 1.x?
06:38 < househead> reiffert: my setup ... site1 (openVPN Lin server)---ADSL router---Internet----ADSL router----site2(openVPN Lin client)-----Windows client (various)
06:38 < reiffert> current song: The torture never stops
06:38 < Coffe> reiffert,  OpenVPN 2.1_rc19
06:38 < reiffert> Coffe: get something recent.
06:39 < househead> reiffert: windows clients are on their own subnet and i have routes on the client-side adsl router to pass traffic through my openvpn-linux client
06:40 < househead> reiffert: have tried both proto udp and tcp, they seem both awful
06:40 < reiffert> househead: great.
06:40 < reiffert> !tcp
06:40 <@vpnHelper> reiffert: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
06:40 -!- albech_ [~thomas@535AB203.flatrate.dk] has joined #openvpn
06:41 < househead> reiffert:  yea, I've looked into the problems with using tcp 
06:41 < albech_> how do I push 'domain' and 'search' values to the clients?
06:41 < Coffe> reiffert,  http://pastebin.com/hABX9mwq when running with that config , openvpn will not start up
06:41 < Coffe> reiffert,  using ubuntu default :) 
06:42 < househead> reiffert: I think my problem may be SAMBA releated, though I suspect it also could be slow routing
06:42 < reiffert> Coffe: does it tell you why it doesnt?
06:42 < Coffe> reiffert, will try it manaly
06:43 < reiffert> househead: routing is considered to be fast and static. why do you think that your problems are samba related?
06:43 < Coffe> Options error: option 'iroute' cannot be used in this context
06:44 < reiffert> Coffe: be aware that 192.168.177.0 is supposed to be mine.
06:44 < reiffert> Coffe: well then let's have a look at the manpage.
06:44 -!- ycas [~yann@84.114.50.173] has joined #openvpn
06:44 < reiffert> http://pastebin.com/u4KcgzPd
06:45 < househead> reiffert: for one thing I don't trust windows technology, plus it's linux emulating windows technology with windows clients
06:45 < reiffert> househead: get rid of it then
06:46 < reiffert> househead: what are those problems anyway?
06:46 < househead> reiffert: haha, impossible in this scenario.. I poss need to re-think my solution ... small business, two sites, one home, one office, both standard consumer ADSL ... they want to share documents and edit from two locations real-time
06:47 < reiffert> househead: sure. here is what I tell my clients:
06:47 < reiffert> 1) want it fast? get a fast line
06:47 < househead> reiffert: the issue is that file transfers from the windows clients take ages to start, once started, speed is acceptable, but the latency causes windows clients to temp 'hang'
06:47 < reiffert> 2) no money left? Damn, live with the speed and stop blaming me.
06:48 -!- albech_ [~thomas@535AB203.flatrate.dk] has quit [Ping timeout: 250 seconds]
06:48 < househead> reiffert: they just can't really justify a proper line
06:48 < reiffert> househead: you might try compression (comp-lzo) but it wouldnt work on mp3, zip, rar, movies etc.
06:48 < reiffert> househead: solution found.
06:49 < househead> reiffert: ahh, yea, good call ... they're not using anything other than documents, office, PDF, jpeg etc
06:49 < reiffert> househead: when they cant justify a fast line they have to live with its speed.
06:49 < reiffert> househead: you cant improve it. dont you even try it, it's a waste of time.
06:49 < househead> reiffert: agreed ... they aren't very technical people these guys, they make water tanks!
06:50 < reiffert> househead: tell im with their words: no big water tank = not much water
06:50 < reiffert> or: no big pipe = it takes ages to fill the water tank.
06:51 < househead> reiffert: I'm not convinced it's just the line-speed, I just feel it's worth me investigating whether my openvpn,samba and routing config is both correct and optimal before I start blaming the link etc
06:51 < reiffert> househead: thats why inhouse office solutions use BIG BIG PIPES.
06:51 < reiffert> househead: get the theoretical link speed.
06:51 < househead> reiffert: how much would they be looking at to get a better pipe?
06:51 < reiffert> househead: try ftp without openvpn.
06:51 < reiffert> househead: then try ftp with openvpn
06:51 < reiffert> expect to get 20% off.
06:52 < househead> reiffert: what about sftp/ssh, is that likely to perform better than openvpn/samba?
06:52 < reiffert> househead: better and BIGGER pipes is business of local providers at your place.
06:52 < reiffert> househead: maybe 1%.
06:53 < reiffert> househead: but assigning drive letters to sftp connections suck at windows.
06:53 < househead> reiffert: yea, i can imagine windows being sftp/ssh unfriendly
06:53 < reiffert> and encryption over encryption .. mhm.
06:53 -!- albech [~thomas@535AB203.flatrate.dk] has joined #openvpn
06:53 < reiffert> for pipe testing start using ftp.
06:54 < |Mike|> plaintext authentication--
06:54 < reiffert> |Mike|: UHUUUU!U!!!!
06:54 < albech> just found out.. should change the push attributes to capital letters :|
06:54 < househead> reiffert: yes, good call, i will test that
06:55 < reiffert> albech: for the purpose of a better reading without glasses?
06:57 < reiffert> househead: next problem facing will be cross network name resolution :)
06:57 < reiffert> especially with the help of samba :)
06:58 -!- albech [~thomas@535AB203.flatrate.dk] has quit [Read error: Connection reset by peer]
07:00 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined #openvpn
07:02 -!- albech [~thomas@535AB203.flatrate.dk] has joined #openvpn
07:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
07:12 < Coffe> reiffert,  the server config option you have , is that external ip for server ? 
07:12 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has joined #openvpn
07:15 -!- RichiH_ is now known as RichiH
07:36 -!- kdog [kdog@dampbarn.org] has joined #openvpn
07:36 < househead> reiffert: I have WINS! ;)
07:37  * kdog Can confirm that running openvpn client on a windows 7 x64 host with the latest TAP driver has significant latency, is there any fix to this?
07:37 -!- raddy [~raddy@117.192.244.30] has joined #openvpn
07:37 < raddy> Hello Everybody
07:38 < raddy> Is there any issues be encountered if the linux server acts as a openvpn client in a multiple ethernet linux server?
07:39 < Coffe> reiffert,  i am giving up right now.
07:40 <@dazo> albech: if you haven't received answer to you question (pushing domain) ... have a look at --dhcp-option in the man page ... it explains what you can push over to the clients
07:41 -!- WormFood [~wormfood@183.38.12.198] has joined #openvpn
07:42 < WormFood> is there any reason not to use compression? I mean, is there any compatibility issues with anything? I'm guessing that there probably isn't any issues, but wanted to double check before I make it a default for all my clients.
07:42 < ecrist> it just increases latency and processor load
07:43 < raddy>  Is there any issues be encountered if the linux os acts as a openvpn client in a multiple ethernet setup?
07:43 < WormFood> no raddy, it acts just like another network connection.
07:43 < ecrist> raddy: focing black text makes your post impossible to read for people who have a black background in the irc client
07:43 -!- ultramage [umage@kurobara.netvor.sk] has joined #openvpn
07:43 < WormFood> yeah, like me (I also use a black background, and couldn't read it (I had to highlight it to read it))
07:43 < ecrist> forcing*
07:44 < raddy> :)
07:44 < WormFood> thanks ecrist, that is what I thought, just wanted to confirm tho
07:44 < ultramage> hello, there's a documentation problem (or alternatively, an implementation problem) in the manual... it says --sndbuf/--rcvbuf default to 65536, but at startup, openvpn says that the defaults are 8192 (lame poor-performance windows default)
07:44 <@dazo> raddy: no not really ... unless you're messing with extra routing options in the openvpn configs
07:45 < WormFood> any idea on how much extra processing power, on average, it takes? I know, that is a hard thing to quantify, so obviously I'm not looking for something precise.
07:46 -!- albech [~thomas@535AB203.flatrate.dk] has quit [Ping timeout: 260 seconds]
07:47 < raddy> @dazo : ecrist : WormFood : thank you.
07:49 < WormFood> raddy, technically, everyone that uses openvpn has multiple network interfaces, since it is a VIRTUAL network, it needs a real network to work ;)
07:52 < raddy> okk :)
07:52 -!- raddy [~raddy@117.192.244.30] has left #openvpn []
07:52 -!- ycas [~yann@84.114.50.173] has quit [Ping timeout: 240 seconds]
07:53 -!- albech [~thomas@535AB203.flatrate.dk] has joined #openvpn
07:53 -!- albech_ [~thomas@535AB203.flatrate.dk] has joined #openvpn
07:54 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
07:54 -!- mattock1 [~samuli@dyn55-11.yok.fi] has joined #openvpn
07:57 -!- albech [~thomas@535AB203.flatrate.dk] has quit [Ping timeout: 276 seconds]
08:00 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
08:07 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
08:14 < ecrist> !windows
08:14 <@vpnHelper> ecrist: "windows" is pcs are like air conditioners, they work fine unless you open windows
08:14 < krzie> heh
08:15 < ecrist> !learn windows as http://secure-computing.net/files/windows.jpg
08:15 <@vpnHelper> ecrist: Joo got it.
08:20 < albech_> dazo, i realized that i almost had it right, just needed to capitalize the attributes ;)
08:22 < ultramage> --sndbuf size   Set the TCP/UDP socket send buffer size. Currently defaults to 65536 bytes.   Socket Buffers: R=[8192->8192] S=[8192->8192] (just reiterating :)
08:22 < ultramage> did someone forget to actually set the default?
08:45  * ecrist suggests looking at the source
08:46 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
08:51 < ultramage> :) you will do it faster than I will
08:52 < krzie> dont be so sure
09:01 < krzie> !ipv6
09:01 <@vpnHelper> krzie: "ipv6" is (#1) http://www.greenie.net/ipv6/openvpn.html for ipv6 payload patch (adds some nice ipv6 options), or (#2) see !snapshots for a release with ipv6 patches in it, report how it works to help it get included in a stable release
09:04 < kdog> anyone who has a fix on performance lost when running the openvpn client on windows 7?
09:04 < kdog> I should add x64.... since I havn't tried 32-bit
09:05 < roentgen> kdog: you never said anything about cpu usage on the server when transferring data thru vpn
09:20 < kdog> roentgen: hi friend, well CPU usage is OK... but the TAP driver or software seems to lack in performance on windows 7 x64 home edt... I uses an updated portable client which I've moved between the windows 7 host and windows xp 32-bit host.... there are big diffrences in performance.
09:22 < ultramage> are they on the same network?
09:23 < ultramage> also, I found that windows apps that use send() on many smaller chunks of data and expect the system to aggregate them together, will suffer a huge performance penalty if they don't change the system socket send buffers
09:23 < kdog> yea i connect to the openvpn server from the same network
09:23 < ultramage> try adding sndbuf 65536   and rcvbuf 65536 to your openvpn configs
09:24 < kdog> ultramage: both on client and server side?
09:24 < ultramage> those were the near-ideal values I determined by testing using putty scp and my testing app
09:24 < ultramage> kdog: the sndbuf part is the most important one, but yeah
09:24 < ultramage> do it on your current machine, and possibly on all others too
09:25 < ultramage> if you use the openvpn gui, look for "Socket Buffers: R=[8192->8192] S=[8192->8192]"
09:25 < ultramage> if you get that, then you ought to change the values
09:25 < ultramage> with 8kb, windows will not enable the sliding window algorithm and you'll be stuck with pathetic performance
09:26 < ultramage> not sure if this issue affects openvpn, but I would change those values nonetheless
09:28 < kdog> I am going to test it right away
09:28 < ultramage> note that this might not do anything at all to solve your issue; I'd change the values nonetheless :P
09:28 < ultramage> you only said "the performance is worse", but since I was on the topic already, this is my suggestion
09:29 < ultramage> if that fails, grab your guru networking skills, fire up wireshark on both the real and virtual interface and see if you can spot anything obvious
09:29 < ultramage> also
09:29 < ultramage> you mentioned XP 32bit and w7 64bit... which is the bad-performing one?
09:30 < ultramage> it could be that this 8kb non-sliding-window issue has only been 'added' to vista and above
09:31 < kdog> ultramage: it is now set to -> Socket Buffers: R=[8192->65536] S=[32767->65536]
09:32 < ultramage> o, interesting, you have S=32767?
09:32 < ultramage> I wonder how you achieved that
09:32 < ultramage> I've been hunting for the knob to change it system-wide myself
09:33 < kdog> ultramage: must say i get better performance now 
09:33 < ultramage> O.o
09:33 < ultramage> grat
09:33 < kdog> najz
09:34 < kdog> much better
09:34  * ultramage pokes developers to fix that default that the docs say should be the default
09:34 < ultramage> is it as good?
09:34 < kdog> superB
09:34 < ultramage> well, in my tests, 8kb vs 256kb was 1MB/s vs. 2MB/s with 5ms latency
09:34 < kdog> ultramage: your are the man MAN
09:34 < ultramage> and 40kB/s vs. 330kB/s with 180ms latency
09:34 < ultramage> so 30x improvement
09:35 < ultramage> no sliding window kills youuuu
09:36 < ultramage> kdog: if you're feeling like it, could you tell regedit to look for values of '32767'?
09:37 < ultramage> and let me know of any that have something to do with tcp/ip or sockets or buffres?
09:37 < ultramage> *buffers
09:38 < ultramage> I have plenty of kernel memory and I'm on a client machine, so making the buffers bigger wouldn't hurt me at all
09:38 < ultramage> I've seen someone tuning his server to 1meg buffers, although from my tests, going past 256k actually degraded performance
09:39 < ultramage> also, there are no '32767' occurences in my windows 7 registry, so if the value is there on your side you should be able to spot it fairly easily
09:39  * ultramage waits impatiently
09:39 < kdog> ultramage: I've done configurations to autotuninglevel before maybe that changed it
09:39 < kdog> ultramage: I did disable autotuninglevel and that didn't work so I enabled it again
09:40 < kdog> ultramage:
09:40 < kdog> ultramage: I check the registry
09:41 < kdog> ultramage: if this is stored in the registry i think it will be stored as a REG_DWORD and searching for the string "32767" won't hit.
09:41 < ultramage> search for everything :D
09:41 < ultramage> I normally have all checkboxes checked when searching, since it only takes a minute or so
09:42 < ultramage> also, 'autotuninglevel' says it's for tuning the Receive Window only... this is a send window isue
09:42 < kdog> ultramage: I am doing it now
09:42 < ultramage> thx
09:43 < kdog> got one hit on PDFCreator :S
09:43 < ultramage> :S more
09:43 < kdog> yea I am searching more
09:43 < kdog> one hit on a key name on sidebyside
09:44 < ultramage> yeah, that's not it either
09:45 < kdog> ultramage:same PDFCreator value got hit again
09:45 < ultramage> i was thinking of maybe somehow predicting the address of the buffer before it's allocated, and then doing a data breakpoint there to trap the kernel call that makes it
09:45 < ultramage> but that's really a stretch
09:45 < kdog> ultramage: no hits
09:45 < ultramage> awwww..
09:46 < ultramage> not sure where the 32767 came from then
09:46 < ultramage> thanks for looking, though
09:48 -!- d457k [~heiko@vpn.astaro.de] has quit [Remote host closed the connection]
09:49 -!- d457k [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined #openvpn
09:49 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
09:50 < atan2> I am having difficulties getting the OpenVPN client setup on a Linksys WRT54G running TomatoVPN. Anyone have a recommendation on what forums I could post my configs on for assistance? 
09:50 < |Mike|> gooooooooogle
09:50 < |Mike|> or topic
09:50 < atan2> At this point I do believe it is connecting but it's just not routing the traffic from the 'LAN' side of the router over the VPN connection
09:50 < |Mike|> !forum
09:50 < |Mike|> !forums
09:50 <@vpnHelper> |Mike|: Server Administration :: Bridging without tun or TAP adapter? :: Author rpcblast || Configuration :: OpenVPN smartcard + CAcert configuration :: Author kellogs || Configuration :: Re: Authenticatig clients with certificates & username passw :: Reply by shaia || Configuration :: How to create server.conf file :: Author gambler || Configuration :: Re: Network Stalls :: Reply by tommyj27 ||
09:50 <@vpnHelper> |Mike|: Configuration :: Re: Network Stalls :: Reply by voiceover
09:50 <@vpnHelper> |Mike|: Error: "forums" is not a valid command.
09:50 < |Mike|> Web Forum: http://forums.openvpn.net
09:50 < kdog> ultramage: have you checked http://msdn.microsoft.com/en-us/library/ms819736.aspx
09:50 <@vpnHelper> Title: OpenVPN Support Forum Index page (at forums.openvpn.net)
09:50 <@vpnHelper> Title: TCP Receive Window Size and Window Scaling (at msdn.microsoft.com)
09:50 -!- f0g [48f8fdc2@gateway/web/freenode/ip.72.248.253.194] has quit [Quit: Page closed]
09:51 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 272 seconds]
09:51 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
09:51 < atan2> I did see the fourm.openvpn.net link but it seems like such a small community? I'm confused as to why it's so petty small? There are <400 topics posted there.
09:51 < ultramage> kdog: that's all about "receive window"... there is no documentation whatsoever on "send window"
09:52 < kdog> ultramage: but isn't openvpn.exe responsible to set the size? check out this one http://support.microsoft.com/kb/823764
09:52 <@vpnHelper> Title: Slow performance occurs when you copy data to a TCP server by using a Windows Sockets API program (at support.microsoft.com)
09:53 < |Mike|> atan2: they started it a few weeks (if not 2 months max) ago
09:54 < kdog> q/quit
09:54 -!- kdog [kdog@dampbarn.org] has left #openvpn ["GoooooneeeyTunezzzzzzzZ"]
09:55 < ultramage> nothing on that page has anything directly relevant to the issue
09:55 < ultramage> and none of the network coding tutorials, classes or docs I read mentioned anything about changing the system send buffer size
09:56 < ultramage> and still, I'd like to be able to change the global systemwide default... in freebsd I can just do a sysctl and done (which is what I did ^^)
09:56 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
09:58 < atan2> |Mike|, do you think "Off Topic, Related" would be the best area to post about properly configuring TomatoVPN?
09:59 < atan2> I realize OpenVPN isn't TomatoVPN but hoped someone might have some ideas nevertheless =)
10:00 < atan2> Err, I'll try config.
10:00 < atan2> =)
10:01 -!- albech_ [~thomas@535AB203.flatrate.dk] has quit [Remote host closed the connection]
10:01 < |Mike|> TomatoVPN, wtf is that?
10:01 < |Mike|> o, web GUI... 
10:02 < atan2> |Mike|, it's an alternative firmware for the Linksys routers
10:02 < |Mike|> i see, I still prefer dd-wrt :P
10:02 < atan2> |Mike|, I want to use it because some networked devices need to connect to a server securely over the internet but lack any vpn capabilities themselves 
10:03 < atan2> |Mike|, I would happily use DD-WRT for this task. I only picked up TomatoVPN because it had the GUI interface already setup for it.
10:03 < atan2> |Mike|, if I were to toss DD-WRT on it do you think you might be of assistance? 
10:03 < |Mike|> http://www.dd-wrt.com/wiki/index.php/OpenVPN
10:03 <@vpnHelper> Title: OpenVPN - DD-WRT Wiki (at www.dd-wrt.com)
10:03 < |Mike|> they have a really really nice howto on their wiki :-)
10:04 < atan2> DD-WRT doesn't natively (in their interface?) support static keys =(
10:04 < atan2> I suppose I can switch to certificate based authentication... but I have never done that before. Eeeeep!
10:09 -!- ska [~ska@cpe-70-124-88-58.austin.res.rr.com] has joined #openvpn
10:09 < ska> How do I stop an openvpn connection manually?
10:10 < ska> SOrry. On debian/linux
10:11 < ska> ifconfig ?
10:14 < ska> I just killed the process
10:14 < ska> crude but works.
10:19 < atan2> |Mike|, can you point me to where they speak how how to configure server.conf, and generate a certificate to work with DD-WRT? =S
10:20 < atan2> There is plenty of chat on how to set it up within DD-WRT as the server, but I want DD-WRT to act as the client and connect anything on the LAN to the OpenVPN server hosted elsewhere on a non-dd-wrt box
10:23 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
10:36 < atan2> Hmm. Once you use build-dh can you go back & add more clients using build-key? 
10:38 -!- ycas [~yann@84.119.102.7] has joined #openvpn
10:46 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has quit [Ping timeout: 265 seconds]
10:48 < atan2> I don't suppose there is a status command to see the state OpenVPN is in?
10:51 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined #openvpn
10:52 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 260 seconds]
10:54 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
10:59 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left #openvpn []
11:12 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
11:12 < noisebleed> Hi all. Is there a limitation on the number of tap devices?
11:13 < noisebleed> I'm planning a project where I may need up to 500 openvpn instances with 500 tap devices
11:17 < jpalmer> noisebleed: why so many instances?  and..  all on the same machine?
11:17 < noisebleed> jpalmer: each device is related to an Access Point
11:18 < jpalmer> you have 500 access point,  and need each to also act as a VPN endpoint?
11:19 < noisebleed> jpalmer: I guess so, because I need to give a personalized captive portal to each AP
11:19 < jpalmer> noisebleed: generally speaking,  when you have 500 AP's,  you're going to set them up on controllers..  they aren't going to be autonomous
11:19 < jpalmer> oh,  these are at various locations?  like coffee shops and whatnot?
11:19 < noisebleed> jpalmer: yep, that's right
11:20 < noisebleed> my current solution of only one instance doesn't let met distinguish from the different APs
11:20 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined #openvpn
11:20 < noisebleed> because every client is on the same Lan
11:21 < jpalmer> ok.  I'd suggest using one openvpn instance.  set each AP as a client (I'm assuming dd-wrt or similar where the AP itself can be the client) then in openvpn, use ccd files to statically IP each client.   have your web portal deliver appropriate content based on openvpn IP
11:21 < grendal_prime> hey im trying to revoke clients but i have no crl file?  sooo it says they are revoking but they are not revoking..wich..well kinda sucks
11:21 < grendal_prime> can i generate one of those now?
11:23 < noisebleed> jpalmer: which IP is being defined? btw each AP has a 3G connection to the main server
11:24 < jpalmer> noisebleed: the VPN IP of the client.  you can set them statically using ccd.   then in your captive portal,  add logic to serve up the appropriate portal for each unique IP.
11:25 < noisebleed> jpalmer: you mean setting the IP address of the tap device on the AP?
11:26 < noisebleed> jpalmer: how do you get that kind of info on the server side?
11:26 < jpalmer> I'm assuming your web browser can tell what IP it's being accessed by.  most (all?) can.
11:27 < jpalmer> err  s/web browser/web server/
11:29 < noisebleed> jpalmer: the web browser knows the IP that the captive has given him, not the tap IP
11:29 < jpalmer> I think you may want to research a bit more ;(
11:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
11:31 < noisebleed> maybe :) thanks for the info anyway
11:32 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
11:34 -!- atan2 [~atan@unaffiliated/atan] has quit [Ping timeout: 260 seconds]
11:34 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Read error: Connection reset by peer]
11:36 < grendal_prime> is it possible to creat a crl file after already issueing certs?
11:36 < grendal_prime> i mean i dont want to have to recreate the ca on these.
11:36 < atan> If an OpenVPN client wants the 'Client Certificate' does it want the bits starting at Certificate: or is the stuff including & after -----BEGIN CERTIFICATE----- okay?
11:37 < jpalmer> atan:   -----BEGIN CERTIFICATE-----
11:37 < atan> jpalmer, thank you
11:38 < jpalmer> atan,  it's a good idea to include all of it if you can.  it's mostly human readable,  so it avoids you having to remember the command syntax to verify things like common name, or expiry date.
11:39 < atan> If I include "status openvpn-status.log" inside my config will it update that status file with a list of currently connected clients?
11:39 < jpalmer> yes
11:39 < jpalmer> !status
11:39 <@vpnHelper> jpalmer: Error: "status" is not a valid command.
11:40 < atan> Thanks
11:40 < atan> Now I hope lastly, my log says "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
11:40 < atan> "
11:40 < atan> Right after the IP address of the client attempting to connect
11:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
11:42 < grendal_prime> is the make crl scrip in the 1.0 doc dir the only way to create crl file
11:42 < jpalmer> atan:  the client and server may not agree on the --tls-auth option.   try running the client and server in a higher verbosity.. and see what additional info you collect.
11:42 < grendal_prime> ?>
11:43 < atan> I moved the server over to verb 9. Waiting for it to attempt another connection.
11:44 < atan> daemon.warn openvpn[738]: WARNING: No server certificate verification method has been enabled
11:44 < atan> There is a drop-down for Extra HMAC authorization (tls-auth)
11:47 < jpalmer> drop-down?  openvpn has no gui for a drop-down
11:48 < atan> jpalmer, right now I am using the gui options in tomato. I'll chell in to grab the actual config it is using =) two secs =D
11:48 < jpalmer> atan: ahh, I know nothing about tomato.
11:48 -!- avleen [~avleen@chiku.silverwraith.com] has left #openvpn []
11:48 < atan> jpalmer, well it's still running OpenVPN... let's not hate :P
11:49 < atan> Runs BusyBox linux
11:49 -!- Irssi: #openvpn: Total of 117 nicks [4 ops, 0 halfops, 0 voices, 113 normal]
11:50 < jpalmer> atan: from what I've seen,  all of those (tomato, dd-wrt, pfsense, etc) bastardize openvpn to make it work.   as such,  I don't know a thing about openvpn on tomato.
11:53 < atan> jpalmer, http://pastie.org/private/nflifnjlx0cbhgtysi9nga is the client config I am playing with
11:54 < atan> I only have comp-lzo on the server, not comp-lzo adaptive
11:54 < atan> I suppose I can update that =)
11:55 < jpalmer> atan:  there is nothing there about TLS.  but I see you're running in verb 3.   up that to 5 or higher, and check the logs.
11:55 < jpalmer> my guess is,  on the server side,  you're going to have TLS enabled.
11:57 < atan> What's that linux command to lock a file down?
11:57 < atan> chattr +X?
11:57 < atan> Just to prevent it from being overwritten =)
12:03 -!- househead [~mark@5acb2181.bb.sky.com] has quit [Ping timeout: 276 seconds]
12:04 -!- Coffe [~niszsse@office.alatest.se] has quit [Quit: Leaving]
12:10 <@vpnHelper> RSS Update - forum: Configuration :: Re: Network Stalls :: Reply by tommyj27 <https://forums.openvpn.net/viewtopic.php?f=6&t=7221&p=8349#p8349>
12:12 < atan> jpalmer, can I tell the server not to require tls?
12:14  * atan goes to read some man for awhile
12:21 -!- mattock1 [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
12:24 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
12:24 < atan> Err. Options error: Unrecognized option or missing parameter(s) in config.ovpn:20: remote-cert-tls (2.1.1)
12:24 < atan>  ?
12:25 < atan> I thought 2.0.0 and up used remote-cert-tls
12:25 < atan> Perhaps it's ns-cert-type server =\
12:31 < atan> Interesting. Seems one of the external routers was pitching the oddball UDP packets into /dev/null
12:31 < atan> Moving it over to tcp & using port 443 causes it to verify just fine
12:32 < atan> Now I must find the cause of this, err, Connection reset, restarting [0]
12:32 -!- kdog [kdog@dampbarn.org] has joined #openvpn
12:35 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has left #openvpn []
12:37 < atan> Ahah! We have success, Basil!
12:38 -!- kdog [kdog@dampbarn.org] has left #openvpn ["GoooooneeeyTunezzzzzzzZ"]
12:39 -!- s7r [~s7r@ACBFE0C7.ipt.aol.com] has joined #openvpn
12:47 -!- ycas [~yann@84.119.102.7] has quit [Ping timeout: 240 seconds]
12:51 < atan> Poppycock!! It worked once. I swear. It said complete.. and then I stopped/start it and nothing
12:52 < atan> Here's the working log http://pastie.org/private/5bk0qa7irlcusiphnvbeq
12:52 -!- CaMason [~camason@office.stasismedia.com] has quit [Ping timeout: 245 seconds]
12:52 < atan> Now now I don't know who had what... if the client had ns-cert-type server or remote-cert-tls server or what
12:53 < grendal_prime> ok, i have the crl file being created now. Its located in the keys folder though. I dont want to make that folder world readable, so i need to move the crl file outside of it. Problem is every time it edits this file, i have to move it?
13:04 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
13:08 -!- dazo is now known as dazo_afk
13:08 -!- atan [~atan@unaffiliated/atan] has quit [Ping timeout: 255 seconds]
13:13 < mattock> openvpn 2.1.4 is now released: https://forums.openvpn.net/viewtopic.php?f=20&t=7021
13:13 <@vpnHelper> Title: OpenVPN Support Forum View topic - OpenVPN 2.1.4 Released (at forums.openvpn.net)
13:14 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
13:17 -!- tim-ct [~p@41-132-254-27.dsl.mweb.co.za] has joined #openvpn
13:17 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
13:18 -!- atan2 [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
13:18 <@vpnHelper> RSS Update - forum: Configuration :: Something missing in configuration? :: Author Iassan <https://forums.openvpn.net/viewtopic.php?f=6&t=7251&p=8350#p8350>
13:22 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
13:26 < atan> Errr. Darn. Does scarydevilmonastery ring a bell for anyone in here? 
13:33 < Bushmills> why?
13:34  * Bushmills hears a whole carillon ringing
13:42 -!- f0g [48f8fdc2@gateway/web/freenode/ip.72.248.253.194] has joined #openvpn
13:42 < f0g> Is there a way to force all DNS traffic through the VPN when you're not forcing all internet traffic through it? 
13:42 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
13:43 < Bushmills> how is "all traffic" "all traffic" when it doesn't include "all internet traffic"?
13:44 < Bushmills> it's actually not "forcing" what make traffic go through openvpn. rather, it is setting appropriate routes
13:45 < tim-ct> Hi All I am having a problem with Openvpn setup  please read http://pastebin.ca/1986623
13:45 < s7r> f0g you can inclide in the .ovpn conf file only push dns and not push redirect-gateway
13:45 < s7r> both in server and client config:)
13:45 < Bushmills> oh, "dns traffic". sry, misread on my side
13:46 < Bushmills> add a host route to recursive name server through openvpn interface
13:46 -!- atan [~atan@unaffiliated/atan] has quit [Ping timeout: 245 seconds]
13:48 < Bushmills> my preferred solution would probably be to run a recursive name server on openvpn server, and put its openvpn subnet ip address into resolv.conf
13:48 -!- atan2 [~atan@unaffiliated/atan] has quit [Ping timeout: 276 seconds]
13:48 < tim-ct> Bushmills is that for me?
13:49 < Bushmills> no, that's for f0g
13:49 < Bushmills> i didn't read about your problem, because i am too lazy to open a web page only to find out what your problem is
13:49 -!- f0g [48f8fdc2@gateway/web/freenode/ip.72.248.253.194] has quit [Ping timeout: 265 seconds]
13:50 < tim-ct> i think it may be windows shares but not sure
13:50 < tim-ct> so please open
13:50 < Bushmills> you could explain your problem here
13:51 < tim-ct> and help a poor newbie
13:51 < tim-ct> printing from HO to branch
13:52 < tim-ct> I can ping and RDP across the VPN
13:52 < tim-ct> but cant  computer or USB printers
13:52 < Bushmills> cups or ipp may do nicely for printing across sites
13:53 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
13:53 < tim-ct> XP on both sizes
13:53 < tim-ct> and an AD
13:54  * Bushmills googles this funny term "XP"
13:54 < tim-ct> lol
13:55 < tim-ct> aqlso google Bill Gates
13:55 < ecrist> !windows
13:55 <@vpnHelper> ecrist: "windows" is (#1) pcs are like air conditioners, they work fine unless you open windows, or (#2) http://secure-computing.net/files/windows.jpg
13:59 < tim-ct> please someone that i have not screwed up my IP ranges
14:00 < Bushmills> atan: did those bastard BOsFH on scarydevilmonastery lart you?
14:01 < atan> Bushmills, now sure about that acronym? 
14:01 < atan> Nah, they helped me with something previously but I found the smae information elsewhere
14:01 < atan> They removed a temp file they put up for me I do suppose :P =)
14:01 < Bushmills> bastard operator(s) from hell luser attitude readjustment tooled you?
14:03 -!- ecrist changed the topic of #openvpn to: OpenVPN 2.1.4 Most Current || 2.2-beta3 Released 10-Sept-2010 || Your problem is your firewall, really. || Type  !welcome and !goal before asking your questions. ||  Web Forum: http://forums.openvpn.net || Developers: #openvpn-devel || IRC Host Cloaks available, ask ecrist
14:04 -!- rot13 [~var@unaffiliated/rot13] has joined #openvpn
14:04 < Bushmills> they autodelete the files after 3 weeks
14:05 < grendal_prime> ok so..basically when i revoke someon there key should get writting to the crl.pem file correct?
14:05 < ecrist> their certificate's serial number and revokation date get written there.
14:05 < ecrist> their key does not
14:05 < ecrist> </pedantic>
14:05 < grendal_prime> ok
14:06 < grendal_prime> what does it mean if that is not hapening.  every time i do this it just overwrites whats in there
14:07 < grendal_prime> the bigger problem i have is that the crl.pem file gets created in the keys dir.  it needs to be world readable..but i dont want the keys dir world readable.
14:08 < ecrist> so copy that file somewhere after you revoke a cert
14:08 < grendal_prime> grrrr
14:09  * ecrist grrrr's back
14:09 < grendal_prime> then i replicate it to all the other servers in the cluster
14:09 <@vpnHelper> RSS Update - forum: Server Administration :: NATTING addresses :: Author rpcblast <https://forums.openvpn.net/viewtopic.php?f=4&t=7252&p=8351#p8351>
14:09 < ecrist> -or- move the file, and create a symlink in the keys dir
14:10 < grendal_prime> actually the other way around
14:10 < grendal_prime> ok that solves that problem
14:11 < grendal_prime> if i have revoked two keys shouldnt there be two -----BEGIN X509 CRL-----
14:11 < grendal_prime> bla bla bla -----END X509 CRL----- in that file?
14:12 < grendal_prime> because there is only one
14:12 < grendal_prime> can there be ONLY ONE? HEHEEH sorry couldnt resist
14:13 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
14:16 < ecrist> yes, there would only be one in there, grendal_prime 
14:19 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
14:21 < grendal_prime> alrighty..well im confused then
14:21 < grendal_prime> i thought it was a list
14:21 < grendal_prime> so if i revoke someone is there a way to un-revoke them?
14:22 < ecrist> it is a list
14:22 < ecrist> !crlverify
14:22 <@vpnHelper> ecrist: Error: "crlverify" is not a valid command.
14:22 < ecrist> !crl
14:22 <@vpnHelper> ecrist: "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that will
14:22 <@vpnHelper> ecrist: create the CRL file for you. ssl-admin will also build a crl for you
14:22 < ecrist> grendal_prime: you can run the openssl command to pull the actual list
14:22 < ecrist> ssl-admin can handle that for you, as well
14:23 < grendal_prime> so basically here is what happened(im probably going about this all wrong.)  put the box in, techsupport started creating keys, then decided they wanted to use different names. so 40 or so keys they dont want to use.
14:24 < grendal_prime> there is also a ccd file for each of these.
14:24 < grendal_prime> i should still revoke the old ones right?
14:26 < rot13> how can i generate a CSR just for a client bottom up as in i suppose i don't need a server cert for this purpose
14:33 < ecrist> grendal_prime: just start with a new CA.
14:33 < ecrist> :)
14:33 < ecrist> if they're ALL going to be revoked...
14:33 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
14:37 -!- s7r [~s7r@ACBFE0C7.ipt.aol.com] has quit []
14:37 < grendal_prime> grrr there is no way to just delete the entries?
14:37 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:38 < grendal_prime> we have situations were we have a customer that we want to disable access  and reissue a key, with the same name.  is that a problem?
14:44 < ecrist> nope, just revoke it and reissue
14:44 <@vpnHelper> RSS Update - forum: Configuration :: Re: Do I have to have a client file for every pc? :: Reply by KyferEz <https://forums.openvpn.net/viewtopic.php?f=6&t=7241&p=8353#p8353> || Installation Help :: Incorrect login? password not right? :: Author cekay <https://forums.openvpn.net/viewtopic.php?f=5&t=7253&p=8352#p8352>
15:26 < grendal_prime> is the keys dir supposed to be drwxr-xr-x  ? 
15:27 < ecrist> not sure
15:27 < ecrist> I don't even know what you're using to deal with ssl certs
15:30 -!- k4r4mb4 [user@puffs.ganja.nl] has joined #openvpn
15:31 < k4r4mb4> hello
15:33 < k4r4mb4> do you know a guide how to create a vpn internet server.I mean to route internet traffic to the vpn server. So when somebody connects to it go to get a internet capable connection.I do not how to explain it better 
15:33 < k4r4mb4> !goal
15:33 <@vpnHelper> k4r4mb4: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:34 < k4r4mb4> Yeah I want to create a vpn server on windows machine that can give internet access to whoever connects to it
15:34 < k4r4mb4> !welcome
15:34 <@vpnHelper> k4r4mb4: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:35 < k4r4mb4> !redirect
15:35 <@vpnHelper> k4r4mb4: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
15:35 < k4r4mb4> !def1
15:35 <@vpnHelper> k4r4mb4: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
15:37 < Bushmills> k4r4mb4: 
15:37 < Bushmills> !redirect
15:37 <@vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
15:37 < Bushmills> ah, right. you found it already
15:38 < k4r4mb4> this sounds complicated .Do you know a step by step guide for n00bs?
15:39 < Bushmills> that's one single option in openvpn, what is complicated about that?
15:39 < k4r4mb4> well on windows machine I think that option is not enough
15:39 < k4r4mb4> Or I'm mistaking
15:39 < Bushmills> yes, you are, for most part.
15:39 < Bushmills> !winroute
15:39 <@vpnHelper> Bushmills: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
15:40 < Bushmills> that may possibly bite you with windows
15:43 -!- Diffen2 [~diffen2@81-233-57-145-no71.tbcn.telia.com] has joined #openvpn
15:49 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
15:51 < krzee> if the server is windows...
15:51 < krzee> !winnat
15:51 <@vpnHelper> krzee: "winnat" is (#1) http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows, or (#2) http://www.nanodocumet.com/?p=14 for windows XP
15:57 <@vpnHelper> RSS Update - forum: Pay OpenVPN Service Provider Reviews/Comments :: Re: [Free VPN] VPN Steel :: Reply by Zero3K <https://forums.openvpn.net/viewtopic.php?f=21&t=7137&p=8354#p8354>
16:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
16:00 -!- Diffen2 [~diffen2@81-233-57-145-no71.tbcn.telia.com] has quit [Quit: This computer has gone to sleep]
16:02 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
16:03 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.12/20101026210630]]
16:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
16:10 -!- Diffen2 [~diffen2@81-233-57-145-no71.tbcn.telia.com] has joined #openvpn
16:14 -!- Diffen2 [~diffen2@81-233-57-145-no71.tbcn.telia.com] has quit [Client Quit]
16:15 -!- p3rror [~mezgani@41.137.57.31] has joined #openvpn
16:18 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Quit: Ex-Chat]
16:23 -!- Diffen2 [~diffen2@81-233-57-145-no71.tbcn.telia.com] has joined #openvpn
16:30 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Quit: Távozom]
16:55 -!- havoc_ [~havoc@neptune.chaillet.net] has joined #openvpn
16:55 -!- havoc_ [~havoc@neptune.chaillet.net] has quit [Client Quit]
17:06 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 255 seconds]
17:15 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:19 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
17:21 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 265 seconds]
17:25 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
17:27 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has joined #openvpn
17:30 -!- batrick_ is now known as batrick
17:33 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
17:37 -!- atan [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
17:37 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
17:47 < atan> Well whoops. I installed openbsd-inetd and now openvpn won't accept any connections
17:47  * atan wonders what he has done
17:50 < ecrist> heh
18:00  * ecrist gets f*cked by t-mobile, unhappy about it
18:01 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Quit:  has left the bulding]
18:01 < Bushmills> former german monopolist. attitude problems. unadvisable.
18:02 < Bushmills> last choice, if there's no alternative
18:04 < ecrist> I have been very happy with them for 7+ years
18:05 < ecrist> the last year or so, they've turned into a steaming pile of crap.
18:05 < ecrist> it makes the likes of AT&T look good.
18:10 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
18:13 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Client Quit]
18:22 -!- atan [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
18:23 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
18:39 -!- krzie [~k@openvpn/community/support/krzee] has quit [Read error: Operation timed out]
18:39 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
18:49 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
18:50 -!- pasik [pk@reaktio.net] has quit [Read error: Operation timed out]
18:50 -!- Diffen2 [~diffen2@81-233-57-145-no71.tbcn.telia.com] has quit [Quit: This computer has gone to sleep]
18:52 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
19:12 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 276 seconds]
19:17 -!- s7r [s7r@86.55.242.58] has joined #openvpn
19:21 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
19:24 -!- s7r [s7r@86.55.242.58] has quit [Read error: Connection reset by peer]
19:25 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
19:36 -!- itchi_ is now known as itchi
19:37 -!- itchi [~David@d5153691F.access.telenet.be] has quit [Changing host]
19:37 -!- itchi [~David@unaffiliated/itchi] has joined #openvpn
20:03 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
20:03 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
20:03 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
20:31 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 250 seconds]
20:38 -!- Nephfl [~none@cpe-173-170-50-119.tampabay.res.rr.com] has joined #openvpn
20:39 < Nephfl> does anyone know a good browser based endpoint for openvpn?
20:43 -!- sigius [~sigius@93.125.185.45] has joined #openvpn
20:44  * Bushmills wonders: "openvpn server written in javascript??"
20:54 < krzee> Nephfl, doesnt exist
20:57 < Nephfl> why not? seems like it would be a good project
20:57 < Nephfl> is there something that would work in that sort of way?
20:57 < Dougy> someone called me
20:57 < Dougy> who done it
20:58 < Nephfl> similar to the microsoft version, cisco/juniper versions?
20:58 < Nephfl> where you go to a webpage and sign in and you are on the vpn
20:58 < Nephfl> either activex or java
21:02 < krzee> Nephfl, not openvpn
21:03 < Nephfl> doesnt need to be openvpn...just some open source solution
21:03 < krzee> ahh
21:03 < krzee> i dunno, i support openvpn :-p
21:03 < Nephfl> i would rather have the ability to do an ssl vpn in a sort of mesh network rather than all going through the concentrator
21:04 < Nephfl> just use the concentrator to establish the connections
21:04 < krzee> cool, you dont want openvpn then
21:04 < krzee> goodluck finding what you want
21:05 < Nephfl> lol, i just need to find some direction to find a solution that will at least do the web page part of this thing
21:05 < krzee> !google ssl vpn portal http
21:05 <@vpnHelper> krzee: YouTube - A Short Tour of AnyWare Group ROAM SSL VPN Portal: <http://www.youtube.com/watch?v=xoWcEmGSzRU>; Remote Access Portal (SSL VPN) - Untangle: <http://www.untangle.com/Products/untangle-libitem-portal>; What is SSL VPN? - Definition from Whatis.com - see also: TLS VPN: <http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci1201867,00.html>
21:05 < krzee> google is your friend
21:06 < Nephfl> thanks, i just couldnt find the right term
21:06 < Nephfl> it happens sometimes
21:06 < krzee> yup, been there
21:06 < Nephfl> ssl vpn portal
21:06 < Dougy> fuuuuuuuuuuuck
21:06 < Dougy> i hate security at equinix and NASDAQ facilities
21:07 -!- Nephfl [~none@cpe-173-170-50-119.tampabay.res.rr.com] has quit []
21:09  * krzee rubs gunpowder on dougy's shoe before he goes through security
21:10 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined #openvpn
21:10 < Dougy> fuck you
21:10 < Dougy> it took them 2 hours to let me take one server out
21:10 < Dougy> don't make it any worse
21:10 < Dougy> my busted leg cant handle it
21:38 -!- atan [~atan@unaffiliated/atan] has quit [Quit: Leaving]
21:46 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
21:58 -!- l0rd_hex_ [~rubit_man@S01060002b3949ac5.ed.shawcable.net] has quit [Quit: leaving]
21:58 < ecrist> Dougy: what did you want the other day?
21:59 < ecrist> you pinged me, then never responded, wtf?
21:59 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
22:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
22:17 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
22:25 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
22:55 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:59 -!- shuffle2 [shuffle2@cpe-74-74-168-216.rochester.res.rr.com] has quit [Read error: Operation timed out]
23:05 -!- shuffle2 [shuffle2@cpe-74-74-168-216.rochester.res.rr.com] has joined #openvpn
23:05 < WormFood> Dougy, you don't know what security is, until you've experienced this http://thedailywtf.com/Articles/Secured-Typing.aspx
23:05 <@vpnHelper> Title: Secured Typing - The Daily WTF (at thedailywtf.com)
23:11 -!- shuffle2 [shuffle2@cpe-74-74-168-216.rochester.res.rr.com] has quit [Ping timeout: 245 seconds]
23:15 -!- sno_ [~sno@static.153.209.46.78.clients.your-server.de] has joined #openvpn
23:15 -!- krzii [~k@ftp.secure-computing.net] has joined #openvpn
23:16 -!- k4r4mb4_ [user@puffs.ganja.nl] has joined #openvpn
23:16 -!- Netsplit *.net <-> *.split quits: roentgen, kraut, sno, krzee, k4r4mb4, Rolybrau
23:17 -!- Netsplit over, joins: Rolybrau
23:17 -!- shuffle2 [shuffle2@cpe-74-74-168-216.rochester.res.rr.com] has joined #openvpn
23:22 -!- krzii [~k@ftp.secure-computing.net] has quit [Remote host closed the connection]
23:23 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
23:34 -!- krzie is now known as krzee
23:43 -!- Martin` is now known as Martin
23:44 -!- Martin is now known as Guest96659
23:45 -!- Guest96659 is now known as Martin
23:45 -!- Martin is now known as Guest44746
23:56 -!- ska [~ska@cpe-70-124-88-58.austin.res.rr.com] has quit [Ping timeout: 265 seconds]
--- Day changed Wed Nov 10 2010
00:07 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
00:09 < hyper_ch> krzee: http://nakedsecurity.sophos.com/2010/11/09/dear-starbucks-the-skinny-on-how-you-can-be-a-security-hero/
00:09 <@vpnHelper> Title: Dear Starbucks: The skinny on how you can be a security hero | Naked Security (at nakedsecurity.sophos.com)
00:19 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
00:25 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Ping timeout: 245 seconds]
00:26 -!- k4r4mb4_ [user@puffs.ganja.nl] has quit [Ping timeout: 260 seconds]
00:30 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
00:31 -!- UnterPerro [~UnterPerr@166.192.219.228] has joined #openvpn
00:45 -!- Guest44746 is now known as Martin
00:46 -!- Martin is now known as Guest85766
00:49 -!- k4r4mb4 [user@puffs.ganja.nl] has joined #openvpn
00:58 -!- UnterPerro [~UnterPerr@166.192.219.228] has quit [Quit: UnterPerro lives to save another day]
01:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
01:07 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
01:46 -!- Guest85766 is now known as Martin
01:46 -!- Martin is now known as Guest57707
01:47 -!- ycas [~yann@84.114.50.173] has joined #openvpn
01:47 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
01:47 -!- atan [~atan@unaffiliated/atan] has quit [Ping timeout: 272 seconds]
01:51 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
01:57 -!- tim-ct [~p@41-132-254-27.dsl.mweb.co.za] has quit [Quit: Leaving]
02:01 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
02:11 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
02:29 -!- dazo_afk is now known as dazo
02:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
02:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
02:47 -!- Guest57707 is now known as Martin
02:47 -!- Martin is now known as Guest20480
03:38 -!- Diffen2 [~diffen2@81-233-57-145-no71.tbcn.telia.com] has joined #openvpn
03:45 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
03:46 -!- master_of_master [~master_of@p57B57AB2.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
03:47 -!- Guest20480 is now known as Martin
03:48 -!- master_of_master [~master_of@p57B551E3.dip.t-dialin.net] has joined #openvpn
03:48 -!- Martin is now known as Guest83054
03:53 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
04:32 -!- brushie [~brushie@217.109.106.123] has joined #openvpn
04:32 < brushie> hi
04:33 < brushie> !welcome
04:33 <@vpnHelper> brushie: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:33 < brushie> !goal
04:33 <@vpnHelper> brushie: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
04:38 -!- Diffen2 [~diffen2@81-233-57-145-no71.tbcn.telia.com] has quit [Quit: This computer has gone to sleep]
04:48 -!- Guest83054 is now known as Martin
04:48 -!- Martin is now known as Guest16759
04:52 < brushie> i am trying to use ccd files, but OpenVPN dont seem to take them,  in the server configuration file i have "client-config-dir /etc/openvpn/ccd" in the folder i ccd i have a file named my client's CN, but the command in the file doesnt seem to be used, so i tried to add "ccd-exclusive" to the serv conf, and now the client cant connect anymore, which mean the serv think my client doesnt have a ccd file
04:57 -!- Guest16759 is now known as Martin
04:57 -!- Martin [martin@shell.ipv6.octocore.net] has quit [Disconnected by services]
05:00 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has joined #openvpn
05:06 < brushie> does anyone have a clue of what i can have done wrong ?
05:06 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
05:06 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
05:06 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:18 <@vpnHelper> RSS Update - forum: Server Administration :: Windows Server 2008 :: Author ohannis <https://forums.openvpn.net/viewtopic.php?f=4&t=7254&p=8355#p8355>
05:24 < |Mike|> atan: ps :)
05:24 < |Mike|> atan: and see the openvpn logs 
05:33 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
05:45 < takamichi> Hey, I've been tasked with updating our Windows installer to 2.1.4. Since there are no pre-built binaries, can I just extract them from the latest windows build and drop them in the gen-prebuilt folder? Any advice would be much appreciated.
05:46 -!- brushie [~brushie@217.109.106.123] has quit [Ping timeout: 240 seconds]
05:47 < tuxx_> hey guys i need some help
05:47 < tuxx_> i have a server with 24 ip addresses... 
05:47 < tuxx_> the default outgoing ip however is filtered from a server while others are not.
05:48 < tuxx_> i wld like a routing command with which all traffic destined to the remote host goes via a different ip
05:48 < tuxx_> is that possible?
05:51 < takamichi> !/30
05:51 <@vpnHelper> takamichi: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
05:52 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Quit:  is sleeping]
05:53 < tuxx_> takamichi: is that refering to my question?
05:53 < takamichi> no
05:53 < tuxx_> ok :)
05:54 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
05:57 -!- brushie [~brushie@217.109.106.123] has joined #openvpn
06:07 -!- brushie [~brushie@217.109.106.123] has quit [Ping timeout: 264 seconds]
06:07 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
06:14 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
06:50 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
06:54 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined #openvpn
07:16 <@vpnHelper> RSS Update - forum: Off Topic, Related :: OpenVPN and remote connections :: Author duffus <https://forums.openvpn.net/viewtopic.php?f=1&t=7255&p=8356#p8356>
07:24 -!- meero [~meero@78.80.66.30] has joined #openvpn
07:27 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
07:29 < |Mike|> \!/
07:34 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
07:36 -!- lcotorres [~olarva@189.26.255.11] has joined #openvpn
07:36 < lcotorres> hi felows
07:37 < meero> Hi, how to set up openvpn, in the way that client cannot "see" to to server or between clients, and server can see ports on clients?
07:40 <@vpnHelper> RSS Update - forum: Server Administration :: Windows Server 2008 - incorect address in TAP connection :: Author Trakhan <https://forums.openvpn.net/viewtopic.php?f=4&t=7256&p=8357#p8357> || Server Administration :: Re: Windows Server 2008 - incorect address in TAP connection :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7256&p=8358#p8358>
07:43 -!- Phenox_ [~Bernd@88.215.198.24] has quit [Remote host closed the connection]
07:47 -!- markydb [~mark@5ac4e2bf.bb.sky.com] has joined #openvpn
07:50 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 265 seconds]
07:55 -!- ska [~ska@cpe-70-124-88-58.austin.res.rr.com] has joined #openvpn
07:55 -!- lcotorres [~olarva@189.26.255.11] has quit [Ping timeout: 265 seconds]
07:56 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
08:07 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
08:07 -!- th1 [~th@pdpc/supporter/professional/th1] has quit [Ping timeout: 264 seconds]
08:15 <@dazo> meero: what do you mean with "see"? ... sounds like firewall rules, where you just DROP all packets from clients to the server on the tunnel
08:20 -!- th1 [~th@cpc1-cmbg15-2-0-cust361.5-4.cable.virginmedia.com] has joined #openvpn
08:23 -!- lcotorres [~olarva@189.26.255.11] has joined #openvpn
08:29 -!- finetic_ [~finetic@213.155.20.16] has quit [Ping timeout: 255 seconds]
08:38  * ultramage wants mesh topology :S
08:44 -!- p3rror [~mezgani@41.137.57.31] has quit [Ping timeout: 255 seconds]
08:49 -!- EmperorT1m [~EmperorTo@174-30-245-204.mpls.qwest.net] has joined #openvpn
08:51 -!- EmperorTom [~EmperorTo@174-30-245-204.mpls.qwest.net] has quit [Ping timeout: 245 seconds]
08:51 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Quit: mirco]
08:51 <@vpnHelper> RSS Update - forum: Off Topic, Related :: Sharing OpenVPN connection :: Author tadpole <https://forums.openvpn.net/viewtopic.php?f=1&t=7257&p=8359#p8359>
08:55 -!- lcotorres [~olarva@189.26.255.11] has quit [Quit: WeeChat 0.3.0]
08:55 -!- pmow [~pmow@170.198.232.72.static.reverse.ltdomains.com] has joined #openvpn
08:55 < pmow> !welcome
08:55 <@vpnHelper> pmow: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:56 < pmow> mmm
08:56 < pmow> !route
08:56 <@vpnHelper> pmow: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:58 -!- p3rror [~mezgani@41.140.152.134] has joined #openvpn
08:58 < pmow> !alltips
08:58 <@vpnHelper> pmow: Error: "alltips" is not a valid command.
08:58 < pmow> !commands
08:58 <@vpnHelper> pmow: Error: "commands" is not a valid command.
08:58 < pmow> =D
09:05 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Ping timeout: 255 seconds]
09:05 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined #openvpn
09:06 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has joined #openvpn
09:07 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has joined #openvpn
09:08 < pmow> anyone know the list of !tips
09:08 < pmow> actually, how about this
09:09 < ecrist> !factoids
09:09 <@vpnHelper> ecrist: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
09:09 < pmow> thanks, ecrist!
09:09 < ecrist> np
09:12 < pmow> goal: my openvpn server now forwards internet traffic in and out, but I run services on its public IP port.  How can I access these from the tunnel?  I'm guessing I need to add a manual route entry in the kernel?
09:12 < pmow> I am looking at http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing but it's more talking about iroute and lans behind
09:12 <@vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
09:13 < ecrist> pmow: you need to either put the VPN on a separate IP and push the route for the other IP down the tunnel, or put those services on a private network and push a route to that.
09:13 < pmow> ok, that sounds great.  I've got 5 ips on that box, it's just not configured
09:15 < pmow> can I use an alias?
09:15 < ecrist> what do you mean?
09:15 < pmow> eth0= 72.x.x.130, eth0:0=72.x.x.131
09:15 < pmow> an alias, in linux
09:16 < pmow> there's only one physical adapter, but I believe the alias allows you to have multiple IPs 
09:17 < ecrist> yeah, that's fine
09:18 < pmow> cool, thanks!  I'll run off and do that
09:19 < meero> dazo: yes, but in fact i was asking if this can be setup directly in openvpn. 
09:20 <@dazo> meero: there is a lesser known feature in OpenVPN called PF (packet filtering), but not sure if that will solve your task as expected 
09:20 <@dazo> You can make use of PF by using a script plug-in interface ... *tries to find info about it*
09:21 <@dazo> http://backreference.org/2010/06/18/openvpns-built-in-packet-filter/
09:21 -!- pmow [~pmow@170.198.232.72.static.reverse.ltdomains.com] has quit [Read error: Connection reset by peer]
09:24 -!- ultramage [umage@kurobara.netvor.sk] has left #openvpn []
09:25 -!- ycas [~yann@84.114.50.173] has quit [Ping timeout: 240 seconds]
09:36 -!- plundra [404@article.se] has quit [Remote host closed the connection]
09:36 -!- plundra [404@article.se] has joined #openvpn
09:46 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Ping timeout: 245 seconds]
09:55 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Quit:  has left the bulding]
10:02 -!- sigius [~sigius@93.125.185.45] has quit [Read error: Connection reset by peer]
10:03 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Read error: Operation timed out]
10:06 -!- McBoingbo [~mcboingbo@mail.hrsg.ca] has quit []
10:14 -!- sno_ is now known as sno
10:15 -!- Raydiation [~bernhard@78.104.151.126] has joined #openvpn
10:15 < Raydiation> is it possible to be in multiple vpns?
10:19 -!- sigius [~sigius@93.125.185.45] has joined #openvpn
10:19 -!- js_ [~js@213.180.83.163] has joined #openvpn
10:19 < js_> how does openvpn handle a few thousand clients on the same subnet?
10:19 < js_> will it consume a lot of memory?
10:23 -!- defacer [~defacer@189.73.168.229] has joined #openvpn
10:23 < defacer> !welcome
10:23 <@vpnHelper> defacer: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:24 < defacer> !goal
10:24 <@vpnHelper> defacer: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:26 < defacer> I'm trying to set up a different route, to 192.168.0.0/16, i changed at .conf, but when i creae the VPN again the client continues to create the route 192.168.1.0/24. Why? I need to change another config?
10:33 -!- p3rror [~mezgani@41.140.152.134] has quit [Ping timeout: 245 seconds]
10:43 < js_> must i use a separate dhcp server to hand out ips or is there another way?
10:46 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
10:50 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined #openvpn
10:55 <@dazo> js_: you don't need any external dhcp ... openvpn can provide that itself to its clients ... you just need a big enough netmask
10:56 < js_> dazo: any hint on how i set up the clients to make that work?
10:56 < js_> or server for that matter
10:56 < js_> must i use tls, or can i use "secret" with the same key for every client?
10:57 <@dazo> js_: but I'd rather recommend splitting "a few thousand clients on the same subnet" to more OpenVPN server processes ... as OpenVPN don't handle too many clients too well in parallel (it's not a threaded application)
10:57 <@dazo> js_: no, you don't need to use TLS ... but it's a lot easier to manage when you have "a few thousand clients" ... as if you need to change the secret, you need to deploy that change to all clients 
10:58 <@dazo> with TLS, you just revoke certificates which are not valid anymore .... you can even exchange the server keys without changing the clients, as long as the same CA is signing the certificates for the keys
10:58 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
10:59 <@dazo> js_: look at the --server directive in the man page ... that prepares the openvpn server for serving out IP addresses to clients
10:59 < js_> ahh, right, thanks
11:02 -!- p3rror [~mezgani@41.137.57.11] has joined #openvpn
11:03 < js_> dazo: but i'd need to create all of these thousands of certificates myself, right?
11:03 <@dazo> js_: yeah, but that's possible to do via some clever scripting
11:03 < js_> the idea is that a terminal machine should be part of the vpn network as soon as it is automatically installed
11:03 < js_> the server as it is works quite statically
11:04 <@dazo> it all depends on how high security you want on your VPN
11:04 < js_> hm
11:04 < js_> yeah
11:04 < defacer> i solved my problem by myself, i added a line route 192.168.0.0 255.255.0.0 at my .ovpn file in client side. Thnaks
11:05 <@dazo> and from my experience, it's better to take the pain of doing things properly and most flexible in the beginning than to later on, when having had thousand deployments done - that all those thousand clients needs to be updated
11:06 -!- defacer [~defacer@189.73.168.229] has left #openvpn ["Leaving"]
11:12 -!- pmow [~pmow@170.198.232.72.static.reverse.ltdomains.com] has joined #openvpn
11:13 < js_> dazo: yeah, but what if i hvae to change my CA?
11:13 < js_> would seem odd, but you get the point
11:13 <@dazo> js_: you should have your own OpenVPN CA
11:14 <@dazo> js_: it's not ideal to use f.ex. VeriSign as a CA for your OpenVPN certs ... and the CA should be planned to have a long life-time
11:15 < js_> right
11:17 -!- pmow [~pmow@170.198.232.72.static.reverse.ltdomains.com] has quit [Ping timeout: 264 seconds]
11:22 -!- CaMason [~camason@office.stasismedia.com] has joined #openvpn
11:32 -!- pmow [d03e03c2@gateway/web/freenode/ip.208.62.3.194] has joined #openvpn
11:34 < pmow> My already-working tunnel has started hanging at this spot: http://pastie.org/1287523 - after adding eth0:0 alias and before switching openvpn to listen on that ip
11:34 < pmow> is there something else obvious I could've done?  I was documenting all the things I did but I'm guessing this might be seen before
11:35 < pmow> I'd gotten script-security warning before, and that's the only thing I see close to some sort of error message
11:36 < pmow> tun pseudo interface doesn't get created, and I'm pretty sure it's the client side because a windows client I had set up is able to initiate a tunnel
11:41 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has quit [Ping timeout: 276 seconds]
11:44 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 250 seconds]
11:44 <@dazo> !logs
11:44 <@vpnHelper> dazo: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
11:45 < pmow> right, server logs
11:45 <@dazo> but as tun device is not created ... you are starting openvpn as root?
11:46 < pmow> yep
11:46 < pmow> trying to find where the client log gets created...
11:46 < pmow> sec
11:47 <@dazo> you showed what looks like log ... if --log is not defined and running in a console, it goes to your console .... but your verbosity is not right for debugging
11:47 < pmow> thanks, I'll adjust it
11:49 < pmow> http://pastie.org/1287608
11:49 < pmow> that's a whopper
11:49 < pmow> great, and now I'm hungry
11:51 < pmow> dazo: would you like the server log?  another client works though, maybe you'd rather have the config
11:51 < pmow> btw, I also did  "iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE -s 10.8.0.0/24"
11:52 < pmow> the tunnel established before with this enabled so I can't imagine it's that
11:53 < pmow> sorry, that's from docs: it's "iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE -s 10.8.0.0/24"
11:53 < pmow> iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE -s 192.168.1.0/24
11:54 < pmow> (I am able to ping the server)
11:55 -!- dazo is now known as dazo_afk
11:55 < pmow> ow, 
11:55 < pmow> WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWed Nov 10 12:55:16 2010 us=44174 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Wed Nov 10 12:55:16 2010 us=44219 TLS Error: TLS handshake failed
11:56 < pmow> There's an error =)
12:01 < Raydiation> where are the client logs stored?
12:01 < pmow> on my console
12:01 < Raydiation> the openvpn init script fails to start
12:03 < pmow> Raydiation: the client logs are going to the console
12:04 < Raydiation> pmow: http://paste.pocoo.org/show/289075/
12:07 < pmow> That might've been because I chmodded the certs and keys to 700 because of a warning
12:08 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Read error: Connection reset by peer]
12:09 -!- p3rror [~mezgani@41.137.57.11] has quit [Ping timeout: 245 seconds]
12:09 -!- dagni_ [dagni@de.moon-station.us] has quit [Changing host]
12:09 -!- dagni_ [dagni@unaffiliated/dagni] has joined #openvpn
12:09 -!- dagni_ is now known as dagni
12:11 < pmow> Raydiation: http://paste.pocoo.org/show/289082/
12:12 < pmow> that's what I get now, after making the certs readable...same thing =/
12:12 < Raydiation> pmow: i got vpn problems too^^ xD
12:12 < pmow> the funny thing is, until now it's worked flawlessly
12:13  * ecrist wonders what pmow changed
12:13 < pmow> (the tunnel part)
12:13 < pmow> well, I added init scripts so that a reboot wouldn't knock out my routing
12:14 < pmow> but I took the client one out and cleared the iptables rule, while troubleshooting this
12:14 < pmow> and I'm able to connect with another client which is weird, otherwise I'd consider the server
12:22 < pmow> well, this is a VM client and I must have a working snapshot somewhere
12:22 < pmow> I'll just go back and verify that it's working back then, and make the changes again and see how it's affected
12:25 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
12:25 < Raydiation> how can i see that im in an openvpn?
12:26 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
12:26 < pmow> what do you mean "in"
12:26 < ecrist> how can you see that your traffic is being tunneld through openvpn?
12:26 < ecrist> traceroute or tcpdump
12:27 -!- p3rror [~mezgani@41.140.27.232] has joined #openvpn
12:27 < Raydiation> pmow: that im connected to it
12:27 < Raydiation> pmow: im having 2 confs in my /etc/openvpn, both started normally
12:27 < pmow> you could ping a VPN address
12:27 < Raydiation> pmow: im in the local lan atm :)
12:28 < pmow> ping the server
12:28 < pmow> whether or not you're doing ip forwarding, you should be able to ping the private address of the server on the other side
12:28 < pmow> in my case, 10.8.0.0/24 so the server is 10.8.0.1, and my client is usually 10.8.0.6
12:28 < pmow> or .4
12:29 < pmow> so I just "ping 10.8.0.1" and if the tunnel is up, it comes back
12:29 < tuxx_> i am sanga
12:29 < pmow> hi sanga
12:31 < pmow> okay, I'll bbl
12:36 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
12:36 -!- pmow [d03e03c2@gateway/web/freenode/ip.208.62.3.194] has quit [Ping timeout: 265 seconds]
12:43 -!- pmow [48e8c6aa@gateway/web/freenode/ip.72.232.198.170] has joined #openvpn
12:43 < pmow> I'm so confused...a reboot fixed it
12:43 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
12:46 -!- pmow1 [~pmow@170.198.232.72.static.reverse.ltdomains.com] has joined #openvpn
12:46 < pmow1> mmm
12:46 -!- pmow [48e8c6aa@gateway/web/freenode/ip.72.232.198.170] has quit [Client Quit]
12:46 -!- pmow1 is now known as pmow
12:47 -!- VirusTB [~VirusTB@b90111.upc-b.chello.nl] has joined #openvpn
12:49 -!- pmow [~pmow@170.198.232.72.static.reverse.ltdomains.com] has quit [Read error: Connection reset by peer]
12:56 -!- nucc44 [5ae309a8@gateway/web/freenode/ip.90.227.9.168] has quit [Quit: Page closed]
12:58 -!- VirusTB [~VirusTB@b90111.upc-b.chello.nl] has quit [Quit:  has left the bulding]
12:58 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn
12:59 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
13:19 -!- CaMason [~camason@office.stasismedia.com] has quit [Ping timeout: 255 seconds]
13:25 -!- kisom [~kisom@c-d0dde155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Ping timeout: 240 seconds]
13:27 -!- nucce44 [~nucce@90-227-9-168-no136.tbcn.telia.com] has joined #openvpn
13:27 <@vpnHelper> RSS Update - forum: Server Administration :: Server Side Idle Time Out Configuration :: Author oscar <https://forums.openvpn.net/viewtopic.php?f=4&t=7258&p=8360#p8360>
13:32 -!- kisom [~kisom@c-d0dde155.648-1-64736c11.cust.bredbandsbolaget.se] has joined #openvpn
13:33 -!- nucce44 [~nucce@90-227-9-168-no136.tbcn.telia.com] has quit [Read error: Connection reset by peer]
13:35 -!- nucce44 [~nucce@90-227-9-168-no136.tbcn.telia.com] has joined #openvpn
13:35 -!- kerfe [~a@121.pool85-60-128.dynamic.orange.es] has joined #openvpn
13:40 -!- s7r [s7r@86.55.242.58] has joined #openvpn
13:41 -!- ycas [~yann@84.119.102.7] has joined #openvpn
13:46 -!- nucce44 [~nucce@90-227-9-168-no136.tbcn.telia.com] has quit [Quit: Leaving.]
14:00 -!- EmperorT1m is now known as EmperorTom
14:05 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
14:07 -!- k4r4mb4 [user@puffs.ganja.nl] has quit [Ping timeout: 260 seconds]
14:10 -!- WebDawg [~WebDawg@officialg0d.com] has quit [Ping timeout: 255 seconds]
14:11 -!- zig [~zig@li121-213.members.linode.com] has joined #openvpn
14:14 < zig> hi all, I have a weird problem : I am connected through a relatively unreliable open wifi connection, I then use a openvpn (with a server of mine with good internet access) to access internet. It works fine to access http content for example; but as soon as I want to do https, my connection get blocked. How is that possible, since http traffic works fine ? 
14:15 < zig> (and https works fine when used directly on my server)
14:15 < zig> also, I get this strange behaviour only when using this specific wifi connection, I had no problems with other wifi access points and this same VPN setup
14:22 -!- k4r4mb4 [user@2001:470:8:69d::7] has joined #openvpn
14:28 -!- s7r [s7r@86.55.242.58] has quit []
14:36 -!- ycas [~yann@84.119.102.7] has quit [Ping timeout: 240 seconds]
14:40 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:46 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
14:50 -!- krzee [~k@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
15:01 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
15:13 < ecrist> !windows
15:13 <@vpnHelper> ecrist: "windows" is (#1) pcs are like air conditioners, they work fine unless you open windows, or (#2) http://secure-computing.net/files/windows.jpg
15:13 < ecrist> !learn windows as also, http://secure-computing.net/files/windows_2.jpg
15:13 <@vpnHelper> ecrist: Joo got it.
15:19 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
15:21 -!- zig [~zig@li121-213.members.linode.com] has quit [Ping timeout: 245 seconds]
15:33 -!- Raydiation1 [~bernhard@78.104.151.116] has joined #openvpn
15:33 < Raydiation1> any idea why i get this error? http://pastebin.com/1Psc5NNz
15:34 < Raydiation1> Wed Nov 10 21:13:48 2010 us=575174 83.65.116.98:29948 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
15:39 -!- Raydiation2 [~bernhard@78.104.151.116] has joined #openvpn
15:39 -!- Raydiation1 [~bernhard@78.104.151.116] has quit [Read error: No route to host]
15:41 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
15:42 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 240 seconds]
15:45 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 272 seconds]
15:45 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
15:47 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
16:02 -!- js_ [~js@213.180.83.163] has quit [Ping timeout: 252 seconds]
16:04 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
16:06 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.12/20101026210630]]
16:12 <@raidz> ecrist: I am pretty sure this guys owns that VPN company and is just trying to get some link juice from our forums: http://forum.openvpn.net/viewtopic.php?f=21&t=7137&sid=79c4f2db7076801b56a2943017dde28a
16:12 <@vpnHelper> Title: OpenVPN Support Forum View topic - [Free VPN] VPN Steel (at forum.openvpn.net)
16:12 <@raidz> You can see a post he did on reddit: http://www.reddit.com/r/technology/comments/dwbis/vpn_steel_is_a_free_vpn_service_thats_powered_by/
16:12 <@vpnHelper> Title: VPN Steel is a free VPN service that's powered by OpenVPN. It is currently offered as a free 30-day renewable trial with unlimited bandwith and speeds up to 10+ Mbps. : technology (at www.reddit.com)
16:13 < ecrist> good find, I suspected, but didn't have proof so I didn't want to look like an ass
16:14 <@raidz> hehe
16:14  * ecrist grabs his banhammer
16:15 < ecrist> LOL
16:15 <@raidz> Yeah, looks like he is spamming a lot of the seurity forums
16:16 <@raidz> http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=vpnsteel
16:16 <@vpnHelper> Title: vpnsteel - Google Search (at www.google.com)
16:16 <@raidz> All of his posts have the same wording, lol
16:16 < ecrist> https://skitch.com/ecrist/d93jt/f-in-cheaters
16:16 <@vpnHelper> Title: ecrist | skitch.com (at skitch.com)
16:17 <@raidz> nice
16:17 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
16:18 <@raidz> ecrist: looked at some of your other stuff on skitch, I think I have the same lg monitors as you at work
16:19 < ecrist> nice
16:21 < ecrist> topic locked, I'm going to manually update the poll to set to 1, as stated in the forum rules
16:22 -!- k4r4mb4 [user@2001:470:8:69d::7] has quit [Read error: Operation timed out]
16:23 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
16:29 < ecrist> raidz: but do you have them married to an awesome MBP?
16:29 -!- k4r4mb4 [user@puffs.ganja.nl] has joined #openvpn
16:34 -!- kerfe [~a@121.pool85-60-128.dynamic.orange.es] has quit [Quit: • IRcap • 8.6 •]
16:42 < ecrist> raidz: I fixed up that post.
16:42 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
16:42 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
16:42 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
16:42 < ecrist> polls don't seem to work on the forum, something I'll need to look in to I guess.
16:57 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
16:58 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
17:03 -!- markydb [~mark@5ac4e2bf.bb.sky.com] has quit [Ping timeout: 260 seconds]
17:11 -!- markydb [~mark@5ac4e2bf.bb.sky.com] has joined #openvpn
17:12 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has joined #openvpn
17:15 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has quit [Remote host closed the connection]
17:19 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
17:21 -!- ElitestFX [~ElitestFX@unaffiliated/elitestfx] has joined #openvpn
17:30 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has joined #openvpn
17:32 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has quit [Remote host closed the connection]
17:33 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has joined #openvpn
17:47 -!- ska [~ska@cpe-70-124-88-58.austin.res.rr.com] has left #openvpn ["Leaving"]
17:56 -!- Raydiation2 [~bernhard@78.104.151.116] has quit [Quit: Leaving.]
17:56 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 265 seconds]
18:01 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
18:04 -!- Raydiation [~bernhard@78.104.151.126] has left #openvpn []
18:06 -!- szr [~SR@unaffiliated/szr] has quit [Ping timeout: 245 seconds]
18:31 -!- Raydiation [~bernhard@78.104.151.126] has joined #openvpn
18:32 < Raydiation> hi is it possible to get dns working on the openvpn server?
18:32 < Raydiation> so i can ssh user@computername
18:32 < Raydiation> when connected to my vpn
18:32 < Raydiation> dnsmasq runs on a different pc though
18:43 -!- Raydiation1 [~bernhard@78.104.151.6] has joined #openvpn
18:44 -!- Raydiation1 [~bernhard@78.104.151.6] has left #openvpn []
18:45 -!- Raydiation [~bernhard@78.104.151.126] has quit [Ping timeout: 245 seconds]
18:49 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
19:00 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
19:21 -!- shuffle2 is now known as santa_c
19:22 -!- santa_c is now known as shuffle2
19:44 -!- SOG_ [~SOG@113.116.95.90] has joined #openvpn
19:44 -!- markydb [~mark@5ac4e2bf.bb.sky.com] has quit [Ping timeout: 240 seconds]
19:56 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
19:58 -!- alex__ [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
20:00 < alex__> what does "disable-occ" mean and why does it keep putting that error in the log after i add "disable-occ" to the .ovpn file?
20:04 -!- SOG_ is now known as SOG
20:05 < alex__> anyone home?
20:05 < alex__> anyone care?
20:15 < alex__> i guess it's time to abandon .
20:22 -!- daemon [~daemon@95.154.246.222] has joined #openvpn
20:40 < krzee> alex__, 
20:40 < krzee> rtfm
20:40 < krzee> !man
20:40 <@vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
20:50 -!- alex__ [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Ping timeout: 240 seconds]
21:01 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
21:12 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
21:14 -!- corretico [~corretico@201.201.44.82] has quit [Remote host closed the connection]
21:16 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
21:30 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
21:30 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
21:30 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
21:35 <@vpnHelper> RSS Update - forum: Server Administration :: openSUSE Firewall issue :: Author djm <https://forums.openvpn.net/viewtopic.php?f=4&t=7259&p=8361#p8361>
22:01 -!- epaphus [~user@201.199.62.74] has joined #openvpn
22:01 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:25 < daemon> hey all I am setting up a tun based vpn network all is working well
22:25 < daemon> but to get complete functionality asfter openvpn loads on the clients I have to manually execute:  route add 10.0.1.1/24 10.0.2.1
22:25 < daemon> is there anyway to add this to the configs to do ti automatically
22:26 < daemon> I already have one route statement
22:27 -!- epaphus [~user@201.199.62.74] has quit [Ping timeout: 245 seconds]
22:41 -!- epaphus [~user@c0sj.x.rootbsd.net] has joined #openvpn
22:48 < daemon> from the client machines 10.0.1.0/24 ping works.. 
22:48 < daemon> Reply from 10.0.2.2: bytes=32 time=19ms TTL=63
22:48 < daemon> I got it all setup I simply added two route statements
22:49 < daemon> still got an issue with samba though (yes I know its a FAQ) here
22:49 < daemon> but I have setup samba as a wins proxy
22:49 < daemon> the gateway seems to be not visible on either network
22:52 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
22:58 -!- user__ [~user@c0sj.x.rootbsd.net] has joined #openvpn
22:59 -!- epaphus [~user@c0sj.x.rootbsd.net] has quit [Ping timeout: 250 seconds]
23:13 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:14 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined #openvpn
23:14 -!- atan2 [~atan@unaffiliated/atan] has quit [Quit: Leaving]
23:39 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
23:39 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
23:39 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
23:59 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
--- Day changed Thu Nov 11 2010
00:01 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
00:03 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
00:13 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 272 seconds]
00:53 -!- dazo_afk is now known as dazo
00:54 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
01:34 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
01:34 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
01:34 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
01:50 -!- elkng [~elkng@78-24-227-001-dsl.vntc.ru] has joined #openvpn
01:52 < elkng> I just have vpn-server ip, vpn-login and vpn-password how can I establish vpn channel? In windows I just have to enter this data into wizard and thats all, how can I do this in linux with openvpn?
01:53 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
01:56 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:02 -!- elkng [~elkng@78-24-227-001-dsl.vntc.ru] has quit [Quit: leaving]
02:02 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
02:03 < dogarrhea1> what is a "openvpn[5569]: TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use
02:03 < dogarrhea1> " error?
02:03 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 260 seconds]
02:03 < dogarrhea1> this is about the most nondescriptive error i have seen so far.  netstat -pant shows nothing on 1194
02:05 < Bushmills> maybe -panu
02:05 < Bushmills> not knowing your config, you may run openvpn with udp
02:09 -!- W0rmF00d [~wormfood@183.38.15.242] has joined #openvpn
02:09 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
02:09 < dogarrhea1> hrm. what does 0 0.0.0.0:1194   mean?
02:09 < krzie> every ip, port 1194
02:10 -!- WormFood [~wormfood@183.38.12.198] has quit [Read error: Connection reset by peer]
02:10 -!- W0rmF00d is now known as WormFood
02:13 <@dazo> dogarrhea1: you have a process listening on port 1194 already ... so you need to kill of that process before you can start a new one ... "Address already in use" is pretty much straight to the point
02:13 -!- micw [~micw@p50992bfa.dip0.t-ipconnect.de] has joined #openvpn
02:13 < micw> hi
02:13 < dogarrhea1> dazo, the funny thing is that the process using it is openvpn
02:14 < dogarrhea1> udp        0      0 0.0.0.0:1194            0.0.0.0:*                           10310/openvpn
02:14 <@dazo> dogarrhea1: you have most probably not started a new process ... because the one you tried to start should normally exit immediately
02:14 < micw> i have a server that runs some virtual machines which are not connected to the public internet. all these machines are on the same subnet 10.x.x.x and are reachable from the virtual server host system. now i want to setup openvpn on the host to allow clients to access the virtual machines
02:15 < micw> what is the easiest way? should the vpn be on the same subnet?
02:15 < dogarrhea1> sudo pkill openvpn and /etc/init.d/openvpn restart and then /etc/openvpn openvpn server.conf gets me the same rror
02:15 < micw> or should i set up routing and put the vpn clients to a different network?
02:15 < dogarrhea1> so i'm still at a loss.
02:15 <@dazo> micw: sounds like standard routing over tun would be more than sufficient .... give openvpn a separate network segment and do the rest via routing
02:16 < micw> thx!
02:16 < dogarrhea1> what does the error reallly mean. i've see dozens of mailing lists.. client port doesn't match server.conf port
02:16 < dogarrhea1> but they are the same. what else could it be
02:17 <@dazo> dogarrhea1: I'll explain what your do .... pkill - you first kill all openvpn processes ... then you ask a init script to *restart* openvpn ... and then you try to start another openvpn again ... those two last statement conflicts
02:17 < dogarrhea1> oh ok
02:17 -!- ycas [~yann@84.114.50.173] has joined #openvpn
02:17 <@dazo> dogarrhea1: "address already in use" means that there is already a process using/listening to that port/address ... it's nothing more magic than that
02:18 < dogarrhea1> hrm. so my server is actually running now.  
02:18 <@dazo> very much indeed
02:18 < dogarrhea1> what does it mean if the client openvpn gui stays yellow
02:19 <@dazo> in fact ... you just need to do /etc/init.d/openvpn restart  ... to stop and start the openvpn process you're running ... don't do the kill stuff and the last explicit openvpn call
02:19 < dogarrhea1> ok. what does it mean if the log in the windows 7 client ends with "Wed Nov 10 23:50:24 2010 us=205000 UDPv4 link remote: xxx.xxx.xxx.xxx:1194" but the icon remains yellow?
02:20 < dogarrhea1> for a really long time 
02:20 < dogarrhea1> using openvpn gui.
02:20 <@dazo> dogarrhea1: it usually means it's either trying to connect ... or that the openvpn process died in an unexpected way ... depends very much on your config, your verbosity settings
02:20 <@dazo> and I hope you've started openvpn-gui as administrator
02:21 < dogarrhea1> so i gotta change verbosity to 9 or something in client.conf?
02:21 <@dazo> verb 4 should be sufficient on this stage
02:21 < dogarrhea1> yes it's running in admin btw
02:22 < dogarrhea1> default is verb 4.
02:23 <@dazo> then you got something odd in your win7 setup ... I'm no windows user, so I can't help you further there
02:23 < dogarrhea1> argh..
02:25 < dogarrhea1> i did set up some ltp2 or pptp or some other vpn using another server.. 
02:25 < dogarrhea1> o well . worry later.
02:25 < dogarrhea1> sleep now
02:30 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Ping timeout: 276 seconds]
02:36 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
02:37 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
02:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
02:48 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
02:55 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
03:01 -!- ycas [~yann@84.114.50.173] has quit [Remote host closed the connection]
03:11 -!- RichiH [~richih@freenode/staff/richih] has left #openvpn []
03:19 -!- dazo is now known as dazo_afk
03:40 -!- monas [~kaspar@88.119.154.240] has joined #openvpn
03:40 < monas> !welcome
03:40 <@vpnHelper> monas: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
03:41 < monas> !route
03:41 <@vpnHelper> monas: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
03:42 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
03:45 -!- master_of_master [~master_of@p57B551E3.dip.t-dialin.net] has quit [Ping timeout: 255 seconds]
03:47 -!- master_of_master [~master_of@p57B5778A.dip.t-dialin.net] has joined #openvpn
03:59 < monas> Hi, why route is not allowed in ccd files?
04:00 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
04:02 < monas> it would save so much headache when server migrates ISP and it's IP address changes
04:02 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Routing trouble :: Reply by snorhyvel <https://forums.openvpn.net/viewtopic.php?f=4&t=7217&p=8362#p8362>
04:06 < micw> i have set up my vpn on the vm server. the vpn has subnet 10.11.12.128/25, the virtual machines have 10.11.12.0/25
04:07 < micw> from the vpn client i can ping 10.11.12.1 (which is the host), so the virtual machine network is reachable now.
04:07 < micw> but i cannot ping any og the virtual machines
04:12 -!- noisebleed [~quassel@kermit.inescn.pt] has joined #openvpn
04:12 -!- noisebleed [~quassel@kermit.inescn.pt] has quit [Changing host]
04:12 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
04:14 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
04:20 < Bushmills> you may want to look for the reason why you can't
04:23 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
04:26 -!- markydb [~mark@5ac4e2bf.bb.sky.com] has joined #openvpn
04:40 -!- CaMason [~camason@office.stasismedia.com] has joined #openvpn
04:40 -!- SOG [~SOG@113.116.95.90] has quit [Remote host closed the connection]
04:41 -!- SOG [~SOG@n112120191241.netvigator.com] has joined #openvpn
04:41 -!- SOG [~SOG@n112120191241.netvigator.com] has quit [Client Quit]
04:47 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
05:30 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined #openvpn
05:38 -!- dazo_afk is now known as dazo
05:41 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
05:47 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
06:26 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has joined #openvpn
07:23 -!- micw [~micw@p50992bfa.dip0.t-ipconnect.de] has quit [Quit: Verlassend]
07:41 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
07:53 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
07:57 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Ping timeout: 250 seconds]
08:25 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
08:34 -!- le0 [~fin@cpc13-bele7-2-0-cust182.2-1.cable.virginmedia.com] has joined #openvpn
08:34 -!- le0 [~fin@cpc13-bele7-2-0-cust182.2-1.cable.virginmedia.com] has quit [Changing host]
08:34 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
08:35 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
08:40 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
08:41 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
08:52 -!- SOG [~SOG@222.125.194.143] has joined #openvpn
09:09 -!- petan [~kvirc@71.236.broadband11.iol.cz] has joined #openvpn
09:10 -!- petan [~kvirc@71.236.broadband11.iol.cz] has left #openvpn []
09:10 -!- petan [~kvirc@71.236.broadband11.iol.cz] has joined #openvpn
09:16 -!- js_ [~js@213.180.83.163] has joined #openvpn
09:17 < js_> how can i have openvpn share dynamic ip addresses without separate dhcp when using a static key?
09:17 < js_> i can only find examples for tls-server
09:24 <@dazo> js_: you put the VPN connection in a separate network segment ... that's why 10.8.0.0/24 is used in most examples in the official docs
09:25 <@dazo> if you don't want --tls-server ... then look at --ifconfig and --ifconfig-pool  .... --server is a kind of a macro, which does --mode server, --tls-server, --ifconfig, --ifconfig-pool and misc --push statements for you
09:26 <@dazo> you usually want most of these options the --server macro expands to ... --tls-server may be skipped if you don't want to do PKI stuff
09:26 <@dazo> except of that ... --tls-mode and non tls-mode are basically the same configs
09:30 -!- dazo is now known as dazo_afk
09:34 < js_> dazo_afk: i see, because i tried ifconfig-pool and it says "Options error: --ifconfig-pool/--ifconfig-pool-persist requires --mode server"
09:36 -!- kisom [~kisom@c-d0dde155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Remote host closed the connection]
09:36 < js_> i use the debian package, "2.1~rc11-1"
09:40 <@vpnHelper> RSS Update - forum: Configuration :: Possible to set up OpenVPN server for Cisco VPN client? :: Author kenyee <https://forums.openvpn.net/viewtopic.php?f=6&t=7260&p=8363#p8363>
09:41 < Bushmills> js_: that's right --ifconfig-pool is an option you add to server; it is, after all, the server which assigns ip addresses to clients 
09:41 -!- CaMason [~camason@office.stasismedia.com] has quit [Ping timeout: 255 seconds]
09:41 -!- FRSoldier [~YuYu@net-93-64-60-202.cust.dsl.vodafone.it] has joined #openvpn
09:41 < js_> Bushmills: but does "server" require me to use tls?
09:42 < js_> or can i add every "server" option except tls to make it work without specifying mode server?
09:43 < Bushmills> well, --server implies --tls-server. but i think you can still configure password-based login
09:43 -!- kisom [~kisom@c-d0dde155.648-1-64736c11.cust.bredbandsbolaget.se] has joined #openvpn
09:44 < Bushmills> ehm, two different things.  --server is not --mode server
09:44 < js_> oh
09:44 < Bushmills> --server implies --mode server AND --tls-server
09:44 < Bushmills> but --mode server doesn't
09:45 < js_> when i try only mode server it says i need to define tls-server as well
09:46 < Bushmills> oh well, there you go :)
09:46 < js_> hehe
09:47 < js_> so is there something other than ifconfig-pool i can use?
09:48 < js_> if i set the ips manually on the clients the tunnel works, but i simply want it to be automatic :)
09:49 -!- miks [~mika@adsl-dyn-248-45.heliweb.de] has joined #openvpn
09:49 < miks> !welcome
09:49 <@vpnHelper> miks: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:49 < miks> lo btw..
09:50 < miks> is there also a german chan, or just this one ?
09:51 -!- monas [~kaspar@88.119.154.240] has quit [Read error: Operation timed out]
09:52 < js_> Bushmills :)
09:57 -!- monas [~kaspar@88.119.154.240] has joined #openvpn
09:59 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
10:03 -!- atan [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
10:04 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
10:08 -!- user__ [~user@c0sj.x.rootbsd.net] has quit [Ping timeout: 265 seconds]
10:19 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
10:19 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
10:24 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
10:27 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
10:35 -!- p3rror [~mezgani@41.140.27.232] has quit [Read error: Connection reset by peer]
10:38 -!- FRSoldier [~YuYu@net-93-64-60-202.cust.dsl.vodafone.it] has quit [Quit: Lost terminal]
10:49 -!- monas [~kaspar@88.119.154.240] has quit [Read error: Operation timed out]
10:54 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 276 seconds]
11:00 -!- atan3 [~atan@unaffiliated/atan] has joined #openvpn
11:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
11:03 -!- atan [~atan@unaffiliated/atan] has quit [Ping timeout: 276 seconds]
11:10 -!- dfena [~irc_freen@89.171.106.145] has joined #openvpn
11:12 < dfena> hi, I have rather simple problem: I'm hosting openvpn server on debian (tun) and have client on windows vista. Connection is done properly but: I see net only as local and I don't see that my ip have changed, any help will be appreciated
11:13 < miks> ?
11:13 < miks> "I see net only as local and I don't see that my ip have changed, any help will be appreciated"
11:13 < miks> in other words?
11:13 < miks> why should the internal ip change ?
11:14 < dfena> when i visit http://whatismyipaddress.com/ i expect to see openvpn ip
11:14 <@vpnHelper> Title: What Is My IP Address? Lookup IP, Hide IP, Change IP, Trace IP and more... (at whatismyipaddress.com)
11:14 -!- markydb [~mark@5ac4e2bf.bb.sky.com] has quit [Quit: Lost terminal]
11:15 < miks> that should only work if the server is configurated as internetgateaway
11:16 -!- aliverius [~george@athedsl-371148.home.otenet.gr] has joined #openvpn
11:16 < dfena> is this some option that i may simple enable?
11:17 < miks> u can follow this tutorial: http://wiki.openvpn.eu/index.php/Konfiguration_eines_Internetgateways
11:17 <@vpnHelper> Title: Konfiguration eines Internetgateways – OpenVPN Wiki (at wiki.openvpn.eu)
11:17 < miks> its in german, but you only need to have a look on the config files as they are described there
11:17 < dfena> miks: thank you
11:17 < miks> welcome
11:19 -!- aliverius_ [~george@athedsl-374746.home.otenet.gr] has quit [Ping timeout: 260 seconds]
11:21 < dfena> miks: should i do what's in Forwarding und NAT paragraph?
11:21 < miks> lemme check
11:22 < miks> yes, u have to
11:22 < miks> does the server use a static ip?
11:22 < miks> if yes you have to define the SNAT-Rule as well
11:23 < miks> for ethx use your interface, usualy eth0 and set for 1.1.1.1 the given ip
11:24 < dfena> yes, static ip
11:24 < dfena> how to define it?
11:25 < dfena> oh ok
11:25 < dfena> i see
11:25 < miks> so use this: iptables -t nat -A POSTROUTING -o ethX -s 10.8.0.0/24 -j SNAT --to 1.1.1.1
11:25 < miks> ethx= your interface
11:25 < miks> 1.1.1.1 = your static external ip
11:25 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
11:27 -!- CaMason [~camason@office.stasismedia.com] has joined #openvpn
11:29 < miks> i never used a configuration like that before, but i would recommend you have a look at http://forum.openvpn.eu/viewforum.php?f=25&sid=f1013bac07fc2a5557a478a7d34067d4
11:29 <@vpnHelper> Title: OpenVPN.eu View forum - OpenVPN (at forum.openvpn.eu)
11:30 < dfena> miks: i did it how it was in tutorial. no effect
11:32 < miks> did you set "redirect-gateway" in the client config?
11:32 < miks> also  route-gateway ip.. ?
11:33 < dfena> no
11:34 < dfena> push "redirect-gateway def1 bypass-dhcp" ?
11:36 < dfena> ?
11:37 < miks> no
11:37 < miks> the command is just redirect-gateway i guess
11:37 < miks> have a look here http://forum.openvpn.eu/viewtopic.php?f=25&t=6971&hilit=redirect+gateway
11:37 <@vpnHelper> Title: OpenVPN.eu View topic - Redirect all traffic (at forum.openvpn.eu)
11:38 <@vpnHelper> RSS Update - forum: Configuration :: Re: how to get ifconfig-push from client-connect :: Reply by burn <https://forums.openvpn.net/viewtopic.php?f=6&t=7234&p=8364#p8364>
11:39 < miks> http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html
11:40 <@vpnHelper> Title: OpenVPN 2.1 (at openvpn.net)
11:45 < miks> redirect-gateway def1
11:45 < miks> should be enough
11:45 < miks> but u have to set the route
11:45 < dfena> route-gateway?
11:45 < miks> like: route 192.168.120.0 255.255.255.0
11:46 < dfena> ok
11:47 < miks> i'll paste you an example at query
11:55 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
12:16 -!- f1assistance [~Carl@cpe-069-134-142-118.nc.res.rr.com] has left #openvpn []
12:25 -!- CaMason [~camason@office.stasismedia.com] has quit [Ping timeout: 272 seconds]
12:32 < roentgen> I just tested a tap device at a client today
12:32 < roentgen> And I wanted to apply the usual forwarding scheme with iptables
12:33 < roentgen> iptables -A FORWARD -i tap0 -j ACCEPT
12:33 < roentgen> which didn't quite work
12:33 < roentgen> I switched to the tun device which works as expected
12:34 < roentgen> I'm just left wondering how does one forward thru a tap device?
12:39 -!- krzie [~k@openvpn/community/support/krzee] has quit [Ping timeout: 245 seconds]
12:40 -!- dfena [~irc_freen@89.171.106.145] has left #openvpn []
12:41 -!- monas [~kaspar@78-57-177-25.static.zebra.lt] has joined #openvpn
12:46 -!- ucekpolish [user@hq.ostc-pl.com] has quit [Quit: Leaving.]
12:59 -!- miks [~mika@adsl-dyn-248-45.heliweb.de] has quit []
13:10 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
13:12 -!- joako_ [~joako@opensuse/member/joak0] has joined #openvpn
13:13 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
13:16 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
13:29 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
13:31 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Read error: Operation timed out]
13:34 -!- le0 [~fin@cpc13-bele7-2-0-cust182.2-1.cable.virginmedia.com] has joined #openvpn
13:34 -!- le0 [~fin@cpc13-bele7-2-0-cust182.2-1.cable.virginmedia.com] has quit [Changing host]
13:34 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
13:39 -!- d457k [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has quit [Ping timeout: 260 seconds]
13:40 -!- d457k [~heiko@vpn.astaro.de] has joined #openvpn
13:40 -!- hwilde [~hwilde@SUREFIRE.REC.RI.CMU.EDU] has joined #openvpn
13:42 < hwilde> HMAC authentication failed, TLS Error: incoming packet authentication failed, http://paste.ubuntu.com/530205/
13:42 < hwilde> suggestions?
13:46 < ecrist> !logs
13:46 <@vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
13:49 -!- s7r [~s7r@188.27.108.138] has joined #openvpn
13:54 < hwilde> that's all the log says 
13:54 < hwilde> and I already did pastebin it
13:55  * hwilde stares at ecrist 
13:56 < roentgen> hwilde: is this when a genuine client tries to connect?
13:56 < hwilde> yeah
13:56 < hwilde> the only thing useful in the client log is TLS Error: TLS handshake failed
13:56 < joako_> Is there a GUI to generate certificates for the client and server?
13:57 < roentgen> does the client have ta.key 1 in config?
13:57 < hwilde> tls-auth ta.key 1
13:59 < roentgen> do you have other clients connecting fine?
13:59 < hwilde> no this is the first time i've set it up and i've never been able to make it work 
14:01 < roentgen> hwilde: show a complete log from the client and server then
14:01 < roentgen> with masked domains/IPs
14:02 < krzee> !static
14:02 <@vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.5 10.8.0.6 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder
14:02 < krzee> (for the forum)
14:02 < krzee> hwilde, with that error, it is a problem in your HMAC
14:02 < krzee> !hmac
14:02 <@vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the tls static
14:02 <@vpnHelper> krzee: key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
14:02 < krzee> the files MUST be identical on both sides
14:04 < ecrist> hwilde: not to be rude, but I don't care much for what *you* think is informative in the logs.  I asked for the entire log. :)
14:04 < krzee> !learn win_build as https://community.openvpn.net/openvpn/wiki/BuildingOnWindows for mattock's doc on building openvpn on windows
14:04 <@vpnHelper> krzee: Joo got it.
14:05 < hwilde> ecrist krzee roentgen  here are the logs and config files http://paste.ubuntu.com/530221/
14:05 < krzee> oh god
14:05 < krzee> !netman
14:05 <@vpnHelper> krzee: "netman" is if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from an openvpn expert on the mail list
14:06 < hwilde> if that was at me I am not using network mangler
14:07 < krzee> Nov 11 15:03:36 hostname nm-system-settings:    SCPlugin-Ifupdown: device added (udi: /org/freedesktop/Hal/devices/net_3a_38_2b_01_57_94, iface: tap0): not well known
14:07 < krzee> what is that...?
14:07 -!- p3rror [~mezgani@41.140.26.152] has joined #openvpn
14:07 < krzee> certainly not part of normal openvpn
14:08 < hwilde> so I don't think that tap interface is the reason the TLS handshake is failing
14:08 < hwilde> you say the hmac files have to be identical - how do I check ?
14:09 < krzee> could md5 them...
14:09 < hwilde> which file
14:09 < krzee> ta.key
14:10 < hwilde> ok they are different
14:11 < krzee> thats the problem
14:15 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 260 seconds]
14:18 < hwilde> read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
14:18 < hwilde> ?
14:18 <@vpnHelper> RSS Update - forum: Server Administration :: OpenVPN server on windows + radius authentication. :: Author itziksaban <https://forums.openvpn.net/viewtopic.php?f=4&t=7261&p=8365#p8365>
14:20 < hwilde> krzee, what other files have to be the same ?
14:20 < krzee> only that
14:21 < krzee> if you fixed that, repost logs, with verb 5 in both configs
14:22 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Read error: No route to host]
14:22 < krzee> !ccd
14:22 <@vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
14:22 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
14:31 <@vpnHelper> RSS Update - forum: Server Administration :: Re: How fixed ip client :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7233&p=8366#p8366>
14:32 < hwilde> server log:   http://paste.ubuntu.com/530241/     client log:  http://paste.ubuntu.com/530244/
14:33 < hwilde> verb 5 as requested 
14:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
14:38 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:40 < krzee> my first thought is it is a firewall, but also i dunno what this is
14:40 < krzee> nm-system-settings:    SCPlugin-Ifupdown
14:40 < krzee> it could have to do with that
14:41 < krzee> and you are not calling that from your openvpn config... so there is something else involved...
14:41 < krzee> how are you starting openvpn?
14:41 < hwilde> /etc/init.d/openvpn start
14:42 < krzee> well you have something outside of openvpn that i have never seen interfering... 
14:42 <@vpnHelper> RSS Update - forum: Off Topic, Related :: OpenVPN server log to be explained :: Author ramirez <https://forums.openvpn.net/viewtopic.php?f=1&t=7262&p=8367#p8367>
14:42 < krzee> or firewall
14:42 < hwilde> so if it was a firewall the client wouldn't make any messages in the server log right?
14:42 < hwilde> or does it use port 22 to establish the vpn on the other port
14:42 -!- s7r [~s7r@188.27.108.138] has quit [Ping timeout: 245 seconds]
14:42 < krzee> huh?
14:43 < hwilde> if a firewall were blocking the port, there would be nothing in the server log, because the client would not be able to connect
14:43 < krzee> oh also
14:43 < krzee> OpenVPN 2.1_rc11
14:43 < krzee> go upgrade
14:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
14:43 < krzee> that version has known bugs
14:44 < hwilde> VERIFY ERROR: depth=1, error=self signed certificate in certificate chain
14:44 < hwilde> what does that mean on the client
14:44 < krzee> !certverify
14:44 <@vpnHelper> krzee: "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
14:45 < hwilde> opennssl verify says OK
14:45 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
14:46 < hwilde> the server.crt file should be the same on both machines?
14:47 < krzee> NOPE...
14:47 < krzee> go read this
14:47 < krzee> !pki
14:47 <@vpnHelper> krzee: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was signed
14:47 <@vpnHelper> krzee: specially as a server (see !servercert)
14:47 < krzee> ca.crt should be
14:47 < krzee> (in most setups)
14:47 < hwilde> mine are different
14:48 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
14:48 < krzee> you didnt follow the howto then
14:48 < krzee> and that results in a problem :-p
14:49 < hwilde> <hwilde> krzee, what other files have to be the same ?
14:49 < hwilde> <krzee> only that
14:49 < krzee> technically they dont have to
14:49 < krzee> there are other ways to do it
14:49 < monas> ca.crt should be the same
14:50 < hwilde> VERIFY OK
14:50 < hwilde> VERIFY KU OK
14:50 < hwilde> VERIFY EKU OK
14:50 < krzee> monas, i could have 2 CA's, sign server with one and clients with other, then give the servers' ca's cert to clients and visa versa
14:51 < krzee> each side only uses its ca.crt to check the OTHER side's cert was signed by it
14:51 < hwilde> hm
14:51 < monas> krzee: yes, you can
14:51 < hwilde> so I got one step further this time
14:51 < hwilde> but now the server says VERIFY ERROR: depth=0, error=unable to get local issuer certificate:
14:52 < monas> krzee: but in that case you would not ask hwilde's questions here :-)
14:52 < krzee> monas, oh so true ;]
14:52 < hwilde> yeah I am not trying to some fancy setup
14:52 < hwilde> I want the simplest example setup 
14:52 < hwilde> server says SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
14:52 < hwilde> client seems to be happy now
14:53 < hwilde> until the TLS handshake times out
14:53 < monas> hwilde: from your logs it seams clocks on boxes are way off
14:54 < hwilde> that's not the problem
14:54 < krzee> that could easily be a problem
14:54 < hwilde> VERIFY ERROR: depth=0, error=unable to get local issuer certificate
14:54 < hwilde> SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
14:54 < hwilde> that's the problem(s) ^
14:55 < krzee> hwilde, unless you know what you're talking about, dont discount answers
14:57 < hwilde> the times are within 1 second now
14:57 < hwilde> same error
15:03 < hwilde> error=unable to get local issuer certificate  :(
15:04 < hwilde> TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
15:04 < krzee> !path
15:04 <@vpnHelper> krzee: "path" is always use full paths in your config file, it makes things easier
15:06 < hwilde> full path, same thing
15:08 < hwilde> openssl verify says OK
15:10 -!- joako_ [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
15:10 < hwilde> do I have to copy ca.crt to /usr/share/ca-certificates or something?
15:11 < hwilde> where is it looking for local issuer certificate?
15:14 < Bushmills> you place it where you have specified it to be in the client config
15:14 < Bushmills> without path, put it in the directory which contains the config file
15:15 < hwilde> all of the configs are in /etc/openvpn
15:15 < hwilde> all of the certificates are as well
15:15 < hwilde> all of the paths are full paths
15:15 < Bushmills> you don't per se *have* to move it to /usr/share, but if you do, you must tell client that you did
15:16 < Bushmills> by placing them in /etc/openvpn, paths should not be required, and file name alone should do. 
15:17 < hwilde> ovpn-server VERIFY ERROR: depth=0, error=unable to get local issuer certificate
15:17 < hwilde> ovpn-server TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
15:18 < hwilde> this is saying that the server cannot find it's own certificate? 
15:19 < Bushmills> http://openvpn.net/archive/openvpn-users/2002-06/msg00043.html
15:19 <@vpnHelper> Title: Re: [Openvpn-users] certificate problems (at openvpn.net)
15:21 < hwilde> so... this is the server rejecting the client.crt
15:28 -!- EmperorTom [~EmperorTo@174-30-245-204.mpls.qwest.net] has quit [Read error: No route to host]
15:32 < hwilde> [client] Peer Connection Initiated
15:32 < hwilde> holy shit 
15:33 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has joined #openvpn
15:34 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 245 seconds]
15:35 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
15:36 < hwilde> ok the vpn is established now
15:36 < hwilde> but both the client and the server say  ovpn-client[8849]: read UDPv4 [EHOSTUNREACH]: No route to host (code=113)  ovpn-server[9093]: read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
15:40 < ecrist> I'm guessing you're pushing a route for a subnet that the VPN server is already on
15:45 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 245 seconds]
15:57 -!- hwilde [~hwilde@SUREFIRE.REC.RI.CMU.EDU] has left #openvpn ["Leaving"]
16:07 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:10 -!- itchi [~David@unaffiliated/itchi] has left #openvpn ["Foo was been here"]
16:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
16:12 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.12/20101026210630]]
16:12 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
16:23 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
16:26 -!- le0 [~fin@cpc13-bele7-2-0-cust182.2-1.cable.virginmedia.com] has joined #openvpn
16:26 -!- le0 [~fin@cpc13-bele7-2-0-cust182.2-1.cable.virginmedia.com] has quit [Changing host]
16:26 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
16:29 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
16:29 < Clete2> !welcome
16:29 <@vpnHelper> Clete2: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:29 < Clete2> !goal
16:29 <@vpnHelper> Clete2: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:30 < Clete2> !howto
16:30 <@vpnHelper> Clete2: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:49 < ElitestFX> !route
16:49 <@vpnHelper> ElitestFX: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:50 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: Leaving]
16:58 -!- th1 [~th@cpc1-cmbg15-2-0-cust361.5-4.cable.virginmedia.com] has quit [Changing host]
16:58 -!- th1 [~th@pdpc/supporter/professional/th1] has joined #openvpn
17:11 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
17:20 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
17:24 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Organize your IRC]
17:26 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:27 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined #openvpn
17:31 <@vpnHelper> RSS Update - forum: Off Topic, Related :: Is OPEN VPN right for me? :: Author furface00 <https://forums.openvpn.net/viewtopic.php?f=1&t=7263&p=8368#p8368>
17:32 < |Mike|> ssh -D works as well :D
17:32 -!- fipu__ [~fipu@swissvps.net] has joined #openvpn
17:36 -!- dagni_ [dagni@de.moon-station.us] has joined #openvpn
17:37 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 260 seconds]
17:41 -!- Netsplit *.net <-> *.split quits: fipu, dagni
17:42 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
17:42 -!- krzie [~k@ftp.secure-computing.net] has joined #openvpn
17:42 -!- krzie [~k@ftp.secure-computing.net] has quit [Changing host]
17:42 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
17:43 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has quit [Read error: Connection reset by peer]
17:43 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has joined #openvpn
18:04 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Remote host closed the connection]
18:05 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
18:05 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
18:05 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
18:51 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
19:00 -!- SOG [~SOG@222.125.194.143] has quit [Quit: SOG]
19:09 -!- joako_ [~joako@opensuse/member/joak0] has joined #openvpn
19:09 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
19:09 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Quit: Távozom]
19:17 -!- SOG [~SOG@113.116.95.90] has joined #openvpn
19:19 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has quit [Read error: Operation timed out]
19:19 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined #openvpn
19:21 -!- joako_ [~joako@opensuse/member/joak0] has quit [Ping timeout: 245 seconds]
19:28 -!- esposj [~esposj@cpe-74-76-129-116.nycap.res.rr.com] has joined #openvpn
19:28 < esposj> hi.
19:28 < esposj> does anyone have redirect-gateway working with Windows 7 client (Ubuntu Server)?
19:29 < esposj> !welcome
19:29 <@vpnHelper> esposj: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:29 < esposj> !redirect
19:29 <@vpnHelper> esposj: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
19:30 -!- |Mike| [mike@vps-2a01-4f8-101-1c1-b23f-f6e5.twenty-five.nl] has quit [Ping timeout: 272 seconds]
19:31 < esposj> @vpnHelper - sorry have "redirect-gateway def1" in my config..  I was just reading the welcome message :0
19:31 < esposj> I'm actually testing my config on a linux client right now..
19:33 -!- s7r [~s7r@172.129.7.54] has joined #openvpn
19:39  * esposj bangs forehead.
19:40 < esposj> This particular server didn't have NAT setup
19:40 < esposj> or ip forwarding.
19:40 < esposj> oops!
19:40 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
19:45 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Ping timeout: 255 seconds]
19:55 -!- joako_ [~joako@99-153-162-173.lightspeed.miamfl.sbcglobal.net] has joined #openvpn
19:55 -!- joako_ [~joako@99-153-162-173.lightspeed.miamfl.sbcglobal.net] has quit [Changing host]
19:55 -!- joako_ [~joako@opensuse/member/joak0] has joined #openvpn
19:59 -!- p3rror [~mezgani@41.140.26.152] has quit [Read error: Connection reset by peer]
20:11 -!- s7r [~s7r@172.129.7.54] has left #openvpn []
20:13 -!- s7r [~s7r@188.27.108.138] has joined #openvpn
20:13 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
20:14 -!- |Mike| [mike@vps-2a01-4f8-101-1c1-b23f-f6e5.twenty-five.nl] has joined #openvpn
20:14 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined #openvpn
21:14 -!- undecim [~undecim@24-117-63-111.cpe.cableone.net] has joined #openvpn
21:14 < undecim>  !welcome
21:15 < undecim> Well, that's annoying... I think pidgin is trying to treat !somethings as some kind of chat command....
21:16 < ecrist> lol
21:16 < ecrist> !welcome
21:16 <@vpnHelper> ecrist: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:16 < ecrist> !factoids
21:16 <@vpnHelper> ecrist: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
21:16 < ecrist> see that link, undecim 
21:16 < undecim> ty
21:20 < undecim> Alright, I've got a server running Fedora 13. just need 1 client, and don't care much about security, and http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html seems perfect for what I need, but I can't find any place that tells me where to put the server config file.
21:20 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
21:28 -!- undecim [~undecim@24-117-63-111.cpe.cableone.net] has left #openvpn []
21:40 -!- esposj [~esposj@cpe-74-76-129-116.nycap.res.rr.com] has left #openvpn []
21:45 -!- s7r [~s7r@188.27.108.138] has quit []
23:03 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
23:08 -!- RootDisPl0x [~RootDisPl@ks26342.kimsufi.com] has joined #openvpn
23:09 < RootDisPl0x> Hey can anyone help me set up routing via OpenVPN for xChat
23:09 < RootDisPl0x> ?
23:09 < RootDisPl0x> !welcome
23:09 <@vpnHelper> RootDisPl0x: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
23:09 < RootDisPl0x> !logs
23:09 <@vpnHelper> RootDisPl0x: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
23:09 < RootDisPl0x> !configs
23:09 <@vpnHelper> RootDisPl0x: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
23:17 -!- RootDisPl0x [~RootDisPl@ks26342.kimsufi.com] has quit [Ping timeout: 240 seconds]
23:18 -!- RootDisPl0x [~RootDisPl@ks26342.kimsufi.com] has joined #openvpn
23:23 -!- RootDisPl0x [~RootDisPl@ks26342.kimsufi.com] has quit [Ping timeout: 260 seconds]
23:24 -!- RootDisPl0x [~RootDisPl@ks26342.kimsufi.com] has joined #openvpn
23:30 -!- RootDisPl0x [~RootDisPl@ks26342.kimsufi.com] has quit [Read error: Connection reset by peer]
23:30 -!- RootDisPl0x [RootDisPl0@AClermont-Ferrand-156-1-142-118.w86-202.abo.wanadoo.fr] has joined #openvpn
--- Day changed Fri Nov 12 2010
00:09 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Read error: Operation timed out]
00:26 -!- joako_ [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
00:27 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
00:28 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
00:30 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
00:42 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
00:53 -!- krzie [~k@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
00:55 -!- petan [~kvirc@71.236.broadband11.iol.cz] has quit [Quit: brb]
00:57 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
00:57 -!- neoice [~neoice@thule.neoice.net] has quit [Quit: server maint.]
01:05 -!- dazo_afk is now known as dazo
01:06 -!- monas [~kaspar@78-57-177-25.static.zebra.lt] has quit [Ping timeout: 245 seconds]
01:06 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
01:06 -!- petan [~kvirc@71.236.broadband11.iol.cz] has joined #openvpn
01:32 -!- monas [~kaspar@88.119.154.240] has joined #openvpn
01:33 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
01:43 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
01:59 -!- SOG_ [~SOG@113.118.49.74] has joined #openvpn
01:59 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
02:02 -!- SOG [~SOG@113.116.95.90] has quit [Ping timeout: 250 seconds]
02:02 -!- SOG_ is now known as SOG
02:05 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
02:08 -!- k4r4mb4 [user@puffs.ganja.nl] has quit [Ping timeout: 245 seconds]
02:10 -!- k4r4mb4 [user@puffs.ganja.nl] has joined #openvpn
02:11 -!- SOG [~SOG@113.118.49.74] has quit [Remote host closed the connection]
02:14 -!- kaushal [~kaushal@125.22.61.162] has joined #openvpn
02:14 < kaushal> hi
02:14 < kaushal> I have added all the openvpn certs and configs under /etc/openvpn
02:14 < kaushal> and started openvpn as a daemon mode on my laptop
02:15 < kaushal> it does not work at all
02:18 -!- kaushal [~kaushal@125.22.61.162] has quit [Quit: leaving]
02:23 -!- monas [~kaspar@88.119.154.240] has quit [Read error: Operation timed out]
02:23 -!- monas [~kaspar@217.117.30.121] has joined #openvpn
02:33 -!- kaushal [~kaushal@125.22.61.162] has joined #openvpn
02:33 < kaushal> hi
02:34 < kaushal> I have dumped all the vpn confs under /etc/openvpn
02:37 < kaushal> I am running openvpn as a daemon mode
02:37 < kaushal> when i start openvpn on my laptop it prompts me for username/password
02:37 < kaushal> is there a way to automate it ?
02:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
02:38 < kaushal> I mean not prompt me for username/password ?
02:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
02:40 < kaushal> I am using Ubuntu Linux 
02:40 -!- joako_ [~joako@opensuse/member/joak0] has joined #openvpn
02:59 -!- kaushal [~kaushal@125.22.61.162] has quit [Quit: leaving]
03:01 -!- SOG [~SOG@113.88.217.249] has joined #openvpn
03:10 -!- joako_ [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
03:45 -!- master_of_master [~master_of@p57B5778A.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
03:47 -!- master_of_master [~master_of@p57B5728B.dip.t-dialin.net] has joined #openvpn
03:56 -!- atan3 [~atan@unaffiliated/atan] has quit [Read error: Operation timed out]
03:56 -!- atan3 [~atan@unaffiliated/atan] has joined #openvpn
04:01 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
04:01 -!- atan3 [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
04:02 -!- atan3 [~atan@unaffiliated/atan] has joined #openvpn
04:06 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
04:07 -!- kaushal [~kaushal@125.22.61.162] has joined #openvpn
04:07 < kaushal> hi
04:08 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
04:09 -!- atan3 [~atan@unaffiliated/atan] has quit [Ping timeout: 265 seconds]
04:11 < kaushal> can someone please guide me about my post http://sourceforge.net/mailarchive/forum.php?thread_name=AANLkTi%3DG7cMxXVoDEjy8MU%2BCAv-Bo4Ffp6DhbaA%2Bx7W8%40mail.gmail.com&forum_name=openvpn-users ?
04:11 <@vpnHelper> Title: SourceForge.net: OpenVPN: openvpn-users (at sourceforge.net)
04:21 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
04:35 -!- kaushal [~kaushal@125.22.61.162] has quit [Quit: leaving]
04:42 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Remote host closed the connection]
04:42 -!- noisebleed [~quassel@kermit.inescn.pt] has joined #openvpn
04:42 -!- noisebleed [~quassel@kermit.inescn.pt] has quit [Changing host]
04:42 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
04:45 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
04:48 -!- mrle0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
04:50 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
04:53 -!- luneff [~yury@84.51.195.188] has joined #openvpn
04:54 < luneff> hi guys. does client silence over "sigusr1, restarting instance" at server side mean that client connection is actually down?
04:54 < luneff> i mean, is the problem with configuration of openvpn, or pppd :)
04:54 < luneff> proto udp
04:59 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
05:02 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 260 seconds]
05:17 -!- mrle0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Quit: Leaving]
05:17 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
05:24 -!- dazo is now known as dazo_afk
05:28 -!- dazo_afk is now known as dazo
05:28 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 255 seconds]
05:30 -!- SOG [~SOG@113.88.217.249] has quit [Quit: SOG]
05:41 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
05:52 -!- kerfe [~a@212.81.205.13] has joined #openvpn
05:52 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
05:55 -!- UnterPerro_ [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
05:55 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Read error: Connection reset by peer]
05:55 -!- UnterPerro_ is now known as UnterPerro
05:55 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Client Quit]
05:56 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
05:58 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
05:58 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
05:59 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Quit: Yes, Virginia...]
06:09 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
06:09 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
06:09 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:16 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 272 seconds]
06:17 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
06:21 -!- SOG [~SOG@222.125.194.143] has joined #openvpn
06:27 -!- sigius [~sigius@93.125.185.45] has quit [Read error: Operation timed out]
06:41 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has quit [Ping timeout: 245 seconds]
06:42 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined #openvpn
06:42 -!- delroth [~delroth@dhaos.delroth.net] has quit [Ping timeout: 245 seconds]
06:42 -!- delroth [~delroth@dhaos.delroth.net] has joined #openvpn
06:43 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
07:15 -!- SOG [~SOG@222.125.194.143] has quit [Quit: I will be back!]
07:17 -!- dazo is now known as dazo_afk
07:22 -!- Cmdr_W_T_Riker [39239487e7@xs8.xs4all.nl] has left #openvpn []
07:25 -!- kerfe [~a@212.81.205.13] has quit [Quit: • IRcap • 8.6 •]
07:29 -!- hariom [~hariom@122.169.11.196] has joined #openvpn
07:30 < hariom> Hi, I am trying to connect an external server. I am able to connect to the server few times but most of the times, I get TLS Error. TLS failed to negotiate within 60 sec.
07:30 < hariom> How to over come that?
07:31 < hariom> TLS key negotiation failed to occur with 60 sec.
07:34 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
07:41 -!- EmperorTom [~EmperorTo@174-30-245-204.mpls.qwest.net] has joined #openvpn
07:46 < hyper_ch> !tell hariom config
07:46 < hyper_ch> !configs
07:46 <@vpnHelper> hyper_ch: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
07:46 < hyper_ch> !tell
07:46 <@vpnHelper> hyper_ch: (tell <nick> <text>) -- Tells the <nick> whatever <text> is. Use nested commands to your benefit here.
07:46 < hyper_ch> !tell hyper_ch configs
07:47 < hyper_ch> !tell hyper_ch factoids configs
07:50 < |Mike|> :d
07:53 < hyper_ch> how does it work with nested commands again :(
07:53 < ecrist> !tel hypter_ch [configs]
07:53 <@vpnHelper> ecrist: Error: "tel" is not a valid command.
07:53 < ecrist> !tell hypter_ch [configs]
07:53 < hyper_ch> !tell hyper_ch [configs]
07:53 < hyper_ch> thx ecrist
07:56 <@vpnHelper> RSS Update - forum: Off Topic, Related :: anyone having problems showing openvpn-GUI once connected ? :: Author simon <https://forums.openvpn.net/viewtopic.php?f=1&t=7264&p=8369#p8369>
08:03 < hariom> any body to help? Why do I get this error frequently? TLS key negotiation failed to occur with 60 sec.
08:09 < hariom> hyper_ch: I don't have access to server and therefore can't send config. 
08:11 < ecrist> hariom: FYI, we're not going to be able to do much for you if you're not the server admin.
08:11 < ecrist> that error is usually caused by problematic network connections
08:12 < hariom> ecrist: Can you give opinion what should I ask to server admin to look for? Btw, I do get connected many times to the server but it fails as well.
08:14 < ecrist> your internet connection sucks, is what I'm guessing.
08:14 < ecrist> !logs
08:14 <@vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
08:14 < hariom> ecrist: somebody told me to try with different MTU size. What I know is that server is using 1470 and by default my client is using 1500
08:14 < ecrist> we can start with your logs
08:14 < hariom> ok
08:22 -!- RootDisPl0x [RootDisPl0@AClermont-Ferrand-156-1-142-118.w86-202.abo.wanadoo.fr] has quit [Ping timeout: 272 seconds]
08:23 -!- RootDisPl0x [RootDisPl0@AClermont-Ferrand-156-1-18-210.w81-251.abo.wanadoo.fr] has joined #openvpn
08:35 -!- hariom [~hariom@122.169.11.196] has left #openvpn []
08:36 -!- dazo_afk is now known as dazo
08:38 -!- Hamlin [~Hamlin@unaffiliated/hamlin] has joined #openvpn
08:40 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 272 seconds]
08:42 -!- raymears [~raymears@intern.ancud.de] has joined #openvpn
08:43 < raymears> !welcome
08:43 <@vpnHelper> raymears: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:44 < raymears> hi everyone. using fedora 14 with kde. need to connect to an openvpn server.
08:44 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
08:45 < raymears> i can connect from the terminal, but the routing doesn't work properly
08:45 < raymears> the interface tun0 gets created and is defintely connected.
08:48 < raymears> could anyone perhaps point me in the right direction? thank you
08:49 < raymears> http://fpaste.org/cJS5/ this is what route puts out at the moment
08:53 < EmperorTom> raymears: what address(s) are you trying to reach?
08:53 < raymears> well, everything from the remote host...
08:54 < EmperorTom> 10.x addresses? just want to make sure we're on the same page.
08:54 < raymears> i am in my company's network right now, using 172.x addresses
08:54 <@vpnHelper> RSS Update - forum: Off Topic, Related :: Re: anyone having problems showing openvpn-GUI once connecte :: Reply by simon <https://forums.openvpn.net/viewtopic.php?f=1&t=7264&p=8370#p8370>
08:55 < raymears> and i just want to acces everything available remotely. so yeah..
08:55 < raymears> 10.x addresses
08:55 < Bushmills> raymears: who has configured the openvpn server?
08:56 < raymears> i don't know, a customer of ours.
08:56 < raymears> it is configured properly. everyone else is using it without any problems
08:56 < raymears> and i connected to it using the terminal command...
08:56 < Bushmills> those routes are pushed by server, or do they come from client configuration?
08:56 < raymears> openvpn OpenVPN_FILE.openvpn
08:57 < raymears> there are no routes defined in the file
08:57 < Bushmills> server or client?
08:57 < raymears> so i suspect that the server hadns them out
08:58 < Bushmills> why don't you just look into the client config, instead of "suspecting"?
08:58 < raymears> i did.
08:58 < raymears> i just said so: there are no routes defined in the file
08:59 < Bushmills> read about --route-nopull for client config
09:00 < Bushmills> using this, you'll need to add the routes which you actually require, yourself
09:00 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Remote host closed the connection]
09:00 < ecrist> apologies if people are having problems with the SCN wiki pages, I'm working on an upgrade right now.
09:03 < raymears> Bushmills: ok, i did. now the routing from the server.. isn't used anymore
09:03 < raymears> Bushmills: http://fpaste.org/KOpJ/
09:03 < Bushmills> right
09:04 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
09:04 < Bushmills> so this "but the routing doesn't work properly" has been eliminated as problem.
09:04 < raymears> Bushmills: i still don't have access to anything remotely
09:05 < raymears> Bushmills: hmm, has it?
09:05 < Bushmills> you can reach openvpn server
09:05 < raymears> i suspect that given the fact that everything uses eth0 for everything...
09:06 < raymears> and that the openvpn connection is done via tun0
09:06 < Bushmills> adding these:
09:06 < raymears> there is still some routing to be done
09:06 < Bushmills> 0.48.25.1      10.48.25.9      255.255.255.255 UGH   0      0        0 tun0
09:06 < Bushmills> 10.48.17.0      10.48.25.9      255.255.255.224 UG    0      0        0 tun0
09:06 < Bushmills> ehm... wring one in there
09:07 < Bushmills> this one:  10.48.25.1      10.48.25.9      255.255.255.255 UGH   0      0        0 tun0
09:07 < raymears> want me to add that one?
09:07 < Bushmills> then you can reach services on 10.48.25.1, the openvpn server, which is remote
09:08 < raymears> i am profoundly embarassed to have to say this but i really don't know how to add this. it has to be some "add route"  statement
09:08 < Bushmills> route add
09:09 < raymears> would you be so kind and help me out slightly?
09:09 < Bushmills> route add host gw gateway
09:09 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
09:10 < raymears> thank you
09:10 < raymears> let me try it out. thank you sir
09:10 < raymears> and/or madam
09:11 < raymears> http://fpaste.org/Bt3A/
09:11 < raymears> still nothing.
09:11 < Bushmills> what nothing.  can't reach 10.48.25.1?
09:12 < raymears> nope
09:12 < raymears> not from the console, not from the browser
09:12 < Bushmills> an't ping it?
09:13 < Bushmills> can't
09:13 < raymears> nope.
09:13 < Bushmills> !firewall
09:13 <@vpnHelper> Bushmills: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
09:13 < raymears> my firewall is and has been disabled for ages
09:14 < raymears> (just checked it again. it is off)
09:15 < Bushmills> no way for you to check up on vpn server firewall
09:16 < raymears> no. but there are colleagues of mine doing stuff on the same server as we speak
09:16 < Bushmills> they could verify that your packets actually reach server
09:17 < raymears> hmm.. they can't look at the openvpn server
09:17 < raymears> don't have the permissions.
09:17 < raymears> but i can get you this...: (10 sec)
09:18 < RootDisPl0x> Hey
09:18 < raymears> http://fpaste.org/fKym/
09:18 < RootDisPl0x> Can someone help me. How can I route xChat's packets through the VPN ?
09:19 < ecrist> push a route for your IRC network via the VPN
09:19 -!- kaushal [~kaushal@triband-mum-120.61.17.44.mtnl.net.in] has joined #openvpn
09:19 < Bushmills> you're probably out of options then, until you come across somebody who has. on the local side, you can fix the config error with route
09:19 < kaushal> Hi
09:20 < kaushal> can some one please guide me about my post on openvpn ML ?
09:20 < raymears> thank you.
09:20 < Bushmills> RootDisPl0x: running an irc bouncer on the openvpn server is an alternative
09:20 < raymears> i'll just boot up a windows image then.
09:20 < RootDisPl0x> ecrist : And how can I do that ? Via Web GUI ?
09:20 < raymears> bye
09:20 -!- raymears [~raymears@intern.ancud.de] has quit [Remote host closed the connection]
09:21 < kaushal> Its great to use Pidgin :)
09:21 < RootDisPl0x> Bushmills : Yeah I was considering that option
09:21 < kaushal> as irc client
09:21 < ecrist> I'm not aware of any web guis, RootDisPl0x 
09:21 < kaushal> I am on Windows 7
09:21 < RootDisPl0x> ecrist : OpenVPN Access Server Web Control Panel
09:21 < ecrist> !as
09:21 <@vpnHelper> ecrist: "as" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations options
09:21 <@vpnHelper> ecrist: supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
09:21 < RootDisPl0x> lolwut
09:21 < ecrist> we don't support access server here.
09:22 < RootDisPl0x> Ok
09:22 < RootDisPl0x> I'm just gonna set up a BNC
09:22 < RootDisPl0x> Does the VPN reroute traffic for chats and everything tho ?
09:22 < kaushal> hi 
09:22 < kaushal> can someone please highlight my name ?
09:23 < |Mike|> eh..
09:23 < |Mike|> kaushal: 
09:23 < Bushmills> RootDisPl0x: not by itself
09:23 < Bushmills> it just adds an interface, subject to same routing as other interfaces
09:23 < RootDisPl0x> Bushmills : Ok How do I do it then
09:23 < ecrist> !howto
09:24 <@vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:24 < monas> RootDisPl0x: I think DNAT rule to your irc server on your vpnserver would be enough
09:24 < kaushal> can some one please guide me about http://sourceforge.net/mailarchive/forum.php?thread_name=AANLkTi%3DafWBWVjH3XxVytn8CuBVXEALHj3nV%3DHfLAtz5%40mail.gmail.com&forum_name=openvpn-users
09:24 <@vpnHelper> Title: SourceForge.net: OpenVPN: openvpn-users (at sourceforge.net)
09:24 < RootDisPl0x> Ok
09:25 < Bushmills> irc bouncer wouldn't require any specific routing 
09:25 < ecrist> kaushal: use the init scripts to start it for you, at boot
09:26 < kaushal> ecrist: I did that already
09:26 < kaushal> it works perfectly fine
09:26 < kaushal> the issue is about the username/password 
09:26 < kaushal> is there a way other than auth-user-password ?
09:26 < monas> Bushmills: every approach has it's own pluses and minuse
09:27 < kaushal> If someone hacks the password then its a security flaw
09:28  * Bushmills tries to see the advantages of the approach of peeling an apple on turn helicopter rotor blades  
09:28 < Bushmills> turning
09:29 < kaushal> Bushmills: Are you referring to me ?
09:29 < Bushmills> no. i was reflecting on "every approach has..."
09:29 < kaushal> Bushmills: ok
09:30 < kaushal> so there isnt any alternative available for my specific requirement ?
09:30 < kaushal> is that true ?
09:30 < Bushmills> i don't know - i haven't seen any question of yours
09:31 < kaushal> i see
09:31 < kaushal> can some one please guide me about http://sourceforge.net/mailarchive/forum.php?thread_name=AANLkTi%3DafWBWVjH3XxVytn8CuBVXEALHj3nV%3DHfLAtz5%40mail.gmail.com&forum_name=openvpn-users
09:31 <@vpnHelper> Title: SourceForge.net: OpenVPN: openvpn-users (at sourceforge.net)
09:31 < Bushmills> besides asking for name highlighting
09:32 < Bushmills> oh, that i've seen. but i didn't open it.  don't like the idea of having to open pages only to find out what the problem is
09:32 < Bushmills> that's an alternative possibility to " there isnt any alternative available"
09:33 < Bushmills> maybe there is, but people don't know what alternative you're looking for ...
09:34 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
09:34 < kaushal> Bushmills: I am looking alternative about using auth-username-password
09:35 < kaushal> Do you need more info?
09:35 < Bushmills> signed keys
09:35 < monas> Bushmills: well, it's faster than bringing 100 container apple pealing factory with that same helicopter to the place where that apple is ;-P
09:35 < kaushal> Bushmills: Any docs about signed keys ?
09:35 < Bushmills> !howto
09:35 <@vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:36 < Bushmills> !ppk
09:36 <@vpnHelper> Bushmills: Error: "ppk" is not a valid command.
09:36 < Bushmills> !ssl
09:36 <@vpnHelper> Bushmills: Error: "ssl" is not a valid command.
09:36 < Bushmills> !keys
09:36 <@vpnHelper> Bushmills: "keys" is http://openvpn.net/howto#pki
09:37 < kaushal> Bushmills: Are you referring to me ?
09:37 < Bushmills> yes, i do
09:37 < Bushmills> !pki
09:37 <@vpnHelper> Bushmills: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was
09:37 <@vpnHelper> Bushmills: signed specially as a server (see !servercert)
09:42 < kaushal> Bushmills: I have already setup user.cert,user.key,test.conf and ca.cert
09:42 < kaushal> does that suffice ?
09:43 < Bushmills> looks good
09:43 < kaushal> ok
09:44 < kaushal> when i start openvpn i use sudo /etc/init.d/openvpn start it prompts me for username and password
09:44 < kaushal> which i hardcoded in the config
09:44 < kaushal> it worked perfectly fine
09:44 < kaushal> I did chmod 600 openvpn.pass too
09:45 < kaushal> There is a slight issue there
09:45 < kaushal> the password can be hacked
09:45 < kaushal> Hence the concern
09:45 < Bushmills> "prompts me for username.." ... "which i hardcoded in the config"  .. so why should it *not* ask for password?
09:48  * Bushmills gone now
09:48 < kaushal> Bushmills: sorry was away
09:49 < kaushal> openvpn.pass has username
09:49 < kaushal> password 
09:53 < |Mike|> lol
09:53 < kaushal> |Mike|: anything weird here 
09:54 < kaushal> I know i am doing wrong
09:54 < kaushal> please correct me if i am incorrect
09:55 < |Mike|> let me read up
09:55 < kaushal> |Mike|: sure
09:57 < |Mike|> you have your private key protected with a key?
09:57 < kaushal> I do not have one
09:58 < kaushal> I have user.cert,user.key,site.conf and ca.cert
09:58 < kaushal> not sure whats private key
10:01 < kaushal> |Mike|: Any clue ?
10:01 -!- p3rror [~mezgani@41.140.103.175] has joined #openvpn
10:01 < monas> kaushal: it's inside user.key
10:01 < kaushal> ok
10:02 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 255 seconds]
10:02 < kaushal> monas: so just set username in /etc/openvpn/openvpn.pass and set password in user.key ?
10:02 < kaushal> am i understanding you correctly ?
10:02 < monas> NO NO NO!
10:04 < kaushal> monas: Hope you are clear with my issue ?
10:06 < |Mike|> you're using user/password authentication?
10:06 < kaushal> |Mike|: yeah
10:06 < |Mike|> are those files readable by the openvpn daemon? :-)
10:07 < kaushal> they are 600 and with root:root
10:07 < kaushal> yes it is
10:07 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
10:09 < monas> kaushal: what do you want to achieve? Do you want to protect yourself from one who gets root on your box?
10:09 < kaushal> yes
10:10 < monas> kaushal: you can't
10:11 < monas> in principle
10:11 < kaushal> monas: ok
10:13 < kaushal> monas: Any other way as per best practices
10:13 < RootDisPl0x> !foo
10:13 <@vpnHelper> RootDisPl0x: Error: "foo" is not a valid command.
10:14 < RootDisPl0x> !bar
10:14 <@vpnHelper> RootDisPl0x: Error: "bar" is not a valid command.
10:14 < monas> what kind of box it is? user's computer, box connecting some network, other?
10:15 < kaushal> I am using Ubuntu Linux 10.04 OS connecting to OpenVPN Server running on Ubuntu Linux Server 8.04 
10:18 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
10:18 < kaushal> monas: do you need more information ?
10:24 < monas> but what does the first box dos: is it a workstation for somebody? is it router for some network? is it laptop you always carry with you?
10:24 < monas> best practice depends on what it is used for
10:25 < kaushal> it is a laptop i always carry with me 
10:25 < blackpenguin> !welcome
10:25 <@vpnHelper> blackpenguin: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:26 < monas> kaushal: well, in my network I ask users to enter passwords every time they need to connect to central office
10:27 < kaushal> ok
10:27 < RootDisPl0x> !jews
10:27 <@vpnHelper> RootDisPl0x: Error: "jews" is not a valid command.
10:27 < monas> but I put these password on private key,
10:27 < monas> and allow users to change it
10:28 < kaushal> monas: got it now
10:28 < RootDisPl0x> !nazi
10:28 <@vpnHelper> RootDisPl0x: Error: "nazi" is not a valid command.
10:28 < monas> not sure what best practice others have in this situation
10:29 < kaushal> so just dump user.cert,user.key,ca.cert and site.conf under /etc/openvpn and run openvpn in daemon mode and it should work as expected ?
10:29 < kaushal> without calling auth-user-pass in site.conf ?
10:29 < kaushal> if I am using username/password authentication
10:30 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
10:30 < kaushal> monas: so when i boot up my laptop running Ubuntu Linux 10.04 OS 
10:31 < kaushal> Am i clearly understood you
10:31 < |Mike|> RootDisPl0x: quit it thanks
10:32 < kaushal> s/Am/Have/g
10:33 < kaushal> Let me try it out 
10:37 < monas> Well, my users use windoze... and explicitly start openvpn when need to work with central office
10:42 < kaushal> ok
10:46 -!- buntfalke_ is now known as buntfalke
10:49 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
10:53 < |Mike|> krzee: you have any experience with the GPF cryptostick and VPN authentication?
10:55 -!- monas [~kaspar@217.117.30.121] has quit [Read error: Operation timed out]
10:57 < |Mike|> krzee: https://www.privacyfoundation.de/crypto_stick/crypto_stick_english/
10:57 <@vpnHelper> Title: German Privacy Foundation: Crypto Stick (english) (at www.privacyfoundation.de)
10:58 < kaushal> On the forum i see some comments "Use client certificates instead of auth-user-pass."
10:58 < kaushal> is it the same as private.key
11:00 < blackpenguin> kaushal: it's like client.crt, client.key 
11:00 < kaushal> ok
11:00 < kaushal> so if i have that under /etc/openvpn
11:00 < kaushal> I dont need to use auth-user-pass
11:01 < kaushal> Please guide me
11:01 < kaushal> basically I am having username/password authentication
11:04 < kaushal> bit confused here
11:04 < kaushal> dont know why :(
11:07 < kaushal> blackpenguin: you around ?
11:08 < ecrist> kaushal: what is it you're trying to do?
11:08 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined #openvpn
11:08 < ecrist> do you use auth-user-pass, or password-protected SSL keys?
11:08 < kaushal> ecrist: I have auth-user-pass
11:09 < ecrist> krzee: my wiki has been upgraded.  added a new syntax-highlight extension (see my talk page for example).  now running SVN HEAD for mediawiki
11:09 -!- nijotz [~nick@72.14.181.106] has quit [Ping timeout: 245 seconds]
11:10 -!- batrick [~batrick@batbytes.com] has quit [Ping timeout: 260 seconds]
11:10 -!- dazo is now known as dazo_afk
11:10 < kaushal> ecrist: do you need my post on openvpn users ML ?
11:11 < ecrist> NO
11:11 -!- dazo_afk is now known as dazo
11:11 < kaushal> ok
11:11 < ecrist> quit referring me to that, I don't care
11:11 -!- atan [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
11:11 < kaushal> ecrist: apologies
11:11 < ecrist> so, what's the problem?  you want to save user/pass, it doesn't work, what?
11:11 < ecrist> !welcome
11:11 <@vpnHelper> ecrist: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:11 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
11:12 < kaushal> I have save the user/pass in a file under /etc/openvpn/
11:12 < kaushal> I suspect there is a security glitch
11:12 < kaushal> is there a better way to handle it 
11:12 < krzee> !pwfile
11:12 <@vpnHelper> krzee: "pwfile" is (#1) OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h, or (#2) see --auth-user-pass in the manual (!man) for more info
11:13 < krzee> |Mike|, no
11:13 < krzee> ecrist, badass, <3 HEAD
11:13 < krzee> ;]
11:13 -!- atan3 [~atan@unaffiliated/atan] has joined #openvpn
11:14 < kaushal> krzee: so use pwfile for this special case
11:15 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Read error: Operation timed out]
11:15 < krzee> well personally i wouldnt
11:15 < krzee> but it seems to be what you're asking
11:16 < kaushal> so does pwfile encrypts /etc/openvpn/openvpn.pass which contains username and password
11:16 < kaushal> not sure i understand that
11:16 -!- atan [~atan@unaffiliated/atan] has quit [Ping timeout: 264 seconds]
11:17 < kaushal> so i use auth-user-pass /etc/openvpn/openvpn.pass in site.conf
11:21 < krzee> the reason i would not use that, it turns "something you know" into "something you have"
11:21 -!- nijotz [~nick@72.14.181.106] has joined #openvpn
11:21 < krzee> but openvpn already comes with a much more secure "something you have" (certs)
11:21 < ecrist> krzee: the openvpn page, or in general?
11:21 < ecrist> http://www.secure-computing.net/wiki/index.php/User_talk:Ecrist#syntax_highliting
11:21 <@vpnHelper> Title: User talk:Ecrist - Secure Computing Wiki (at www.secure-computing.net)
11:22 < krzee> and if the passwords can be used for something else, it is even worse (since you have them sitting there in cleartext)
11:22 -!- batrick [~batrick@batbytes.com] has joined #openvpn
11:25 < kaushal> krzee: ok
11:25 < kaushal> so ideally would be to prompt for username/password ?
11:26 < RootDisPl0x> !?
11:26 <@vpnHelper> RootDisPl0x: Error: "?" is not a valid command.
11:26 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving]
11:26 < RootDisPl0x> !milf
11:26 <@vpnHelper> RootDisPl0x: Error: "milf" is not a valid command.
11:28 < kaushal> Thanks everyone
11:28 < kaushal> I was interested in automating it
11:28 < kaushal> not sure i would be accomplishing it
11:28 < krzee> kaushal, correct
11:28 < krzee> [13:25]  <kaushal> so ideally would be to prompt for username/password ?
11:29 < krzee> the point of using username and password in addition to certs is to increase security
11:29 < kaushal> yes very true
11:29 < kaushal> so using openvpn --daemon method will not serve the purpose
11:30 < krzee> it *CAN* be automated, but think hard before you choose to
11:30 < kaushal> I should use Network Manager Applet or Gopenvpn for increased security
11:30 < kaushal> krzee: do you have any suggestions please
11:31 < ecrist> !ubuntu
11:31 <@vpnHelper> ecrist: "ubuntu" is dont use network manager!
11:31 < kaushal> someone on #ubuntu suggested me to use openvpn in daemon mode on client machine
11:31 < ecrist> yeah, that's what I'd do
11:32 <@dazo> kaushal: I have good experiences with Gopenvpn .... On Fedora {11,12,13} NetworkManage-openvpn works fine as well, but not as flexible as Gopenvpn
11:32 < krzee> its so interesting to me the quantity of people that want gui for openvpn
11:32 < roentgen> Once again with my (prolly ignorant) question: is it possible to forward packets between clients with iptables when using tap?
11:33 < ecrist> roentgen: of course
11:33 < ecrist> but that traffic will flow through the server, as a middleman
11:33 < kaushal> ecrist: you said you use openvpn in daemon mode 
11:33 < ecrist> yeah
11:33 <@dazo> krzee: I use it mainly out of laziness ... it works on first attempt of configuration, then I'm done ... for work I'm using NM-openvpn, for my private stuff, I'm using a shell - just because I want to see what's going on and it's a config NM-openvpn don't support
11:34  * ecrist uses tunnelblick
11:34 < kaushal> what method do you use for connecting to openvpn server
11:34 < ecrist> the internet
11:34 < kaushal> ecrist: are you on mac
11:34 < kaushal> ecrist: :)
11:34 < krzee> i have a shell script with .command in stacks 
11:34 < krzee> i click it, openvpn runs in a shell
11:34 < roentgen> ecrist: with something like "iptables -A FORWARD -j ACCEPT"?
11:34 < krzee> i close the shell, openvpn is closed
11:34 < ecrist> roentgen: no clue, I know nothing about iptables
11:35 < krzee> all the functionality i could want from a gui
11:35 < roentgen> ecrist: hmmm, the above works for tun but not for tap
11:35 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
11:35 < ecrist> krzee: that's about what tunnelblick does for me, though it allows me to more easily view logs, etc
11:35 < ecrist> and even handles DNS server updates
11:35 < krzee> roentgen, 
11:35 < krzee> !c2c
11:36 <@vpnHelper> krzee: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind other
11:36 <@vpnHelper> krzee: clients
11:36 -!- kaushal [~kaushal@triband-mum-120.61.17.44.mtnl.net.in] has left #openvpn []
11:36 < roentgen> krzee: I know about c2c, but I wanted finer control
11:36 < krzee> ahh
11:36 < roentgen> only some should see the others
11:36 < krzee> if using tap its not iptables
11:37 < krzee> it would be ebtables iirc
11:37 < krzee> remember, its layer2 not layer3
11:37 < roentgen> ohhh.... a new story then
11:37 < roentgen> I know, I have to understand it though ;)
11:39 < roentgen> ebtables says something about bridges which I didn't use
11:39 < roentgen> just a single tap device
11:39 < krzee> why do you need tap?
11:40 < roentgen> because of broadcasts mainly (windows sharing)
11:40 < krzee> !wins
11:40 < ecrist> !wins
11:40 <@vpnHelper> krzee: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
11:40 <@vpnHelper> ecrist: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
11:40 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
11:40 < krzee> lol
11:41 < roentgen> anyway... samba shares work even without a wins server with a tun device
11:41 < roentgen> cd \\client-ip and your it
11:41 < ecrist> right,
11:42 < krzee> yep
11:42 < ecrist> wins does the re-broadcasting for other subnets on which is resides.
11:42 < ecrist> among other things
11:42 < krzee> but if you use tap just for resolution, use wins instead
11:42  * ecrist runs tap on his company VPN
11:42 < roentgen> ecrist: with c2c?
11:43 < ecrist> yeah
11:45 < roentgen> I guess this settles it: tun without c2c but with iptables forwarding is just too beatyfull
11:49 -!- nijotz [~nick@72.14.181.106] has quit [Ping timeout: 245 seconds]
11:49 -!- batrick [~batrick@batbytes.com] has quit [Ping timeout: 255 seconds]
11:50 -!- batrick [~batrick@batbytes.com] has joined #openvpn
11:51 -!- nijotz [~nick@72.14.181.106] has joined #openvpn
12:13 -!- jtgiri_ [~jtgiri_@c-76-126-88-224.hsd1.ca.comcast.net] has joined #openvpn
12:15 -!- monas [~kaspar@78-57-177-25.static.zebra.lt] has joined #openvpn
12:29 < |Mike|> krzee: that's sad to hear..
12:29 < |Mike|> looks like kaulhal got tired of us?
12:30 < krzee> i think he got his answer
12:31 -!- jtgiri_ [~jtgiri_@c-76-126-88-224.hsd1.ca.comcast.net] has quit [Remote host closed the connection]
12:31 -!- jtgiri_ [~jtgiri_@173-11-116-141-SFBA.hfc.comcastbusiness.net] has joined #openvpn
12:32 -!- jtgiri_ [~jtgiri_@173-11-116-141-SFBA.hfc.comcastbusiness.net] has left #openvpn []
12:37 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 245 seconds]
12:38 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 276 seconds]
12:39 -!- gar0t0 [~gar0t0@unaffiliated/gar0t0] has joined #openvpn
12:40 < gar0t0> hello everyone! anyone knows why this message is 'showed' for me ?
12:40 < gar0t0> Nov 12 15:34:43 localhost kernel: device tun0 left promiscuous mode
12:40 < gar0t0> Nov 12 15:34:43 localhost kernel: audit(1289586883.715:25): dev=tun0 prom=0 old_prom=256 auid=4294967295
12:41 < monas> gar0t0: somebody stoped tcpdump -i tun0 or similar program
12:42 -!- luneff [~yury@84.51.213.169] has joined #openvpn
12:42 < gar0t0> monas: hmmm thanks... I know who! :D
12:48 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
12:49 -!- gar0t0 [~gar0t0@unaffiliated/gar0t0] has left #openvpn ["thanks"]
13:05 -!- dazo is now known as dazo_afk
13:10 -!- bitterman [~yury@84.51.213.169] has joined #openvpn
13:11 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
13:13 -!- luneff [~yury@84.51.213.169] has quit [Ping timeout: 240 seconds]
13:15 <@vpnHelper> RSS Update - forum: Configuration :: Public IP at Client End in tap mod on windows :: Author natural <https://forums.openvpn.net/viewtopic.php?f=6&t=7265&p=8371#p8371>
13:28 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
13:30 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 272 seconds]
13:31 -!- mutex [~mutex@67-23-13-54.static.slicehost.net] has quit [Remote host closed the connection]
13:41 -!- krzee [~k@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
13:45 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
13:48 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined #openvpn
13:50 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
13:57 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 260 seconds]
14:08 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Ping timeout: 245 seconds]
14:12 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:20 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <-]
14:29 -!- juostaus [4c07581a@gateway/web/freenode/ip.76.7.88.26] has joined #openvpn
14:30 < juostaus> anyone using the passtos patch to move 802.1q around?
14:30 < juostaus> !welcome
14:30 <@vpnHelper> juostaus: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:37 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
14:37 < juostaus> !goal
14:37 <@vpnHelper> juostaus: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:38 -!- juostaus [4c07581a@gateway/web/freenode/ip.76.7.88.26] has quit [Quit: Page closed]
14:42 -!- WormFood [~wormfood@183.38.15.242] has quit [Ping timeout: 276 seconds]
14:44 -!- WormFood [~wormfood@183.38.15.242] has joined #openvpn
14:56 -!- darth_bitterman [~yury@84.51.213.169] has joined #openvpn
14:57 -!- luneff [~yury@84.51.213.169] has joined #openvpn
14:59 -!- bitterman [~yury@84.51.213.169] has quit [Ping timeout: 260 seconds]
15:00 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 272 seconds]
15:00 -!- rawDawg [~rawdawg@72-2-94-228.suite224.net] has joined #openvpn
15:01 -!- darth_bitterman [~yury@84.51.213.169] has quit [Ping timeout: 265 seconds]
15:09 -!- juostaus [454582d1@gateway/web/freenode/ip.69.69.130.209] has joined #openvpn
15:10 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
15:11 -!- bitterman [~yury@84.51.213.169] has joined #openvpn
15:14 -!- luneff [~yury@84.51.213.169] has quit [Ping timeout: 255 seconds]
15:17 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
15:25 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
15:33 -!- rawDawg2 [~rawdawg@72-2-94-228.suite224.net] has joined #openvpn
15:37 -!- rawDawg [~rawdawg@72-2-94-228.suite224.net] has quit [Ping timeout: 240 seconds]
15:44 -!- rawDawg2 [~rawdawg@72-2-94-228.suite224.net] has quit [Ping timeout: 276 seconds]
15:52 <@vpnHelper> RSS Update - forum: Installation Help :: previously functional VPN wont connect now :: Author otahak <https://forums.openvpn.net/viewtopic.php?f=5&t=7266&p=8372#p8372>
15:55 -!- atan3 [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
15:55 -!- dagni_ [dagni@de.moon-station.us] has quit [Changing host]
15:55 -!- dagni_ [dagni@unaffiliated/dagni] has joined #openvpn
15:56 -!- atan3 [~atan@unaffiliated/atan] has joined #openvpn
15:56 -!- dagni_ is now known as dagni
16:01 -!- Fullma [~fullma@ram94-2-82-66-69-246.fbx.proxad.net] has joined #openvpn
16:04 -!- darth_bitterman [~yury@84.51.213.169] has joined #openvpn
16:08 < RootDisPl0x> !jews
16:08 <@vpnHelper> RootDisPl0x: Error: "jews" is not a valid command.
16:08 < RootDisPl0x> !jews
16:08 <@vpnHelper> RootDisPl0x: Error: "jews" is not a valid command.
16:08 < RootDisPl0x> !jews
16:08 <@vpnHelper> RootDisPl0x: Error: "jews" is not a valid command.
16:08 < RootDisPl0x> !jews
16:08 <@vpnHelper> RootDisPl0x: Error: "jews" is not a valid command.
16:08 < RootDisPl0x> !jews
16:08 <@vpnHelper> RootDisPl0x: Error: "jews" is not a valid command.
16:08 < RootDisPl0x> !jews
16:08 <@vpnHelper> RootDisPl0x: You've given me 5 invalid commands within the last minute; I'm now ignoring you for 10 minutes.
16:08 < RootDisPl0x> !jews
16:08 -!- bitterman [~yury@84.51.213.169] has quit [Ping timeout: 265 seconds]
16:08 < RootDisPl0x> !jews
16:08 < RootDisPl0x> !jews
16:08 < RootDisPl0x> !jews
16:08 < RootDisPl0x> !jews
16:08 < RootDisPl0x> !jews
16:08 < RootDisPl0x> !jews
16:08 < RootDisPl0x> !jews
16:08 < RootDisPl0x> !jews
16:08 < RootDisPl0x> !jews
16:08 < RootDisPl0x> !jews
16:08 < RootDisPl0x> !jews
16:08 < RootDisPl0x> !jews
16:08 < RootDisPl0x> !jews
16:08 < RootDisPl0x> !jews
16:08 < RootDisPl0x> !jews
16:08 < RootDisPl0x> !jews
16:09 < RootDisPl0x> !jews
16:09 < RootDisPl0x> !jews
16:09 < RootDisPl0x> !jews
16:09 < RootDisPl0x> !jews
16:09 < RootDisPl0x> !jews
16:09 < RootDisPl0x> !jews
16:09 < RootDisPl0x> !jews
16:09 < RootDisPl0x> !jews
16:09 < RootDisPl0x> !jews
16:09 < RootDisPl0x> !jews
16:09 < RootDisPl0x> !jews
16:09 < RootDisPl0x> !jews
16:09 < RootDisPl0x> !jews
16:09 < RootDisPl0x> !jews
16:09 < RootDisPl0x> !jews
16:09 < RootDisPl0x> !jews
16:09 < RootDisPl0x> !jews
16:09 < RootDisPl0x> !jews
16:09 < RootDisPl0x> !jews
16:09 < RootDisPl0x> !jews
16:09 < RootDisPl0x> !jews
16:09 < RootDisPl0x> !jews
16:09 < RootDisPl0x> !jews
16:09 < RootDisPl0x> !jews
16:10 < RootDisPl0x> !jews
16:10 < RootDisPl0x> !jews
16:10 < RootDisPl0x> !jews
16:10 < RootDisPl0x> !jews
16:10 < |Mike|> *sigh*.
16:11 < |Mike|> ecrist: ban RootDisPl0x tnx.
16:11  * RootDisPl0x lol'd
16:11 -!- mode/#openvpn [+o ecrist] by ChanServ
16:11 -!- mode/#openvpn [+b *!*@AClermont-Ferrand-156-1-18-210.w81-251.abo.wanadoo.fr] by ecrist
16:11 -!- RootDisPl0x was kicked from #openvpn by ecrist [RootDisPl0x]
16:12 -!- mode/#openvpn [+b RootDisPl0x*!*@*] by ecrist
16:12  * ecrist suggests |Mike| be promoted to op
16:14 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined #openvpn
16:14 -!- Irssi: #openvpn: Total of 111 nicks [5 ops, 0 halfops, 0 voices, 106 normal]
16:14 < |Mike|> Nah, channel op means activity, responsibility etc
16:14 <@ecrist> lol
16:15 <@ecrist> imho, we could use a couple people in here with +o from 1800 to 2000 UTC
16:15 <@ecrist> erm
16:15 <@ecrist> 1800 to 0000 UTC
16:19 < |Mike|> hm, that means 17:00 till 23:00 in CET
16:20 < monas> |Mike|: 19-01
16:21 -!- darth_bitterman [~yury@84.51.213.169] has quit [Quit: Leaving]
16:22 < |Mike|> erm, you're correct monas
16:23 < |Mike|> UTC +1
16:25  * monas lives in UTC+2, so, used to calculate differences with UTC and CET :-)
16:26 -!- iTrolled [51fbc1d2@gateway/web/freenode/ip.81.251.193.210] has joined #openvpn
16:26 < iTrolled> !jew
16:26 <@vpnHelper> iTrolled: Error: "jew" is not a valid command.
16:26 < iTrolled> !jew
16:26 <@vpnHelper> iTrolled: Error: "jew" is not a valid command.
16:26 < iTrolled> !jew
16:26 <@vpnHelper> iTrolled: Error: "jew" is not a valid command.
16:26 < iTrolled> !jew
16:26 <@vpnHelper> iTrolled: Error: "jew" is not a valid command.
16:26 < iTrolled> !jew
16:26 <@vpnHelper> iTrolled: Error: "jew" is not a valid command.
16:27 < iTrolled> !jew
16:27 <@vpnHelper> iTrolled: You've given me 5 invalid commands within the last minute; I'm now ignoring you for 10 minutes.
16:27 < iTrolled> !jew
16:27 < iTrolled> !jew
16:27 < iTrolled> !jew
16:27 < iTrolled> !jew
16:27 < iTrolled> !jew
16:27 < iTrolled> !jew
16:27 < iTrolled> !jew
16:27 < iTrolled> !jew
16:27 < iTrolled> !jew
16:27 < iTrolled> !jew
16:27 < iTrolled> !jew
16:27 < iTrolled> !jew
16:27 < iTrolled> !jew
16:27 < iTrolled> !jew
16:27 < iTrolled> !jew
16:27 < iTrolled> !jew
16:27 < iTrolled> !jew
16:27 < iTrolled> !jew
16:27 < hyper_ch> ecrist: 
16:27 -!- iTrolled [51fbc1d2@gateway/web/freenode/ip.81.251.193.210] has quit [Excess Flood]
16:27 -!- mode/#openvpn [+o Bushmills] by ChanServ
16:28 -!- John_Smith [51fbc1d2@gateway/web/freenode/ip.81.251.193.210] has joined #openvpn
16:29 -!- mode/#openvpn [-o Bushmills] by Bushmills
16:29 < John_Smith> !jew
16:29 < John_Smith> !jew
16:29 < John_Smith> !jew
16:29 < John_Smith> !jew
16:29 < John_Smith> !jew
16:29 -!- mode/#openvpn [+o Bushmills] by ChanServ
16:29 < John_Smith> !jew
16:29 < John_Smith> !fag
16:29 < John_Smith> !Bushmills is fag
16:29 -!- mode/#openvpn [-v John_Smith] by Bushmills
16:29 < John_Smith> !jew
16:29 -!- John_Smith was kicked from #openvpn by Bushmills [John_Smith]
16:30 < |Mike|> just ban *!*51fbc1d2@*
16:31 -!- John_Smith [51fbc1d2@gateway/web/freenode/ip.81.251.193.210] has joined #openvpn
16:31 -!- mode/#openvpn [+b *!*81.251.19@*] by Bushmills
16:31 < John_Smith> I lol'd
16:31 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
16:31 -!- John_Smith was kicked from #openvpn by Bushmills [John_Smith]
16:31 -!- John_Smith [51fbc1d2@gateway/web/freenode/ip.81.251.193.210] has joined #openvpn
16:31 < John_Smith> I lol'd
16:32 -!- mode/#openvpn [+b *!*51fbc1d2@*] by Bushmills
16:32 -!- John_Smith was kicked from #openvpn by Bushmills [John_Smith]
16:32 < |Mike|> :-)
16:35 -!- mode/#openvpn [-o Bushmills] by Bushmills
16:35 <@ecrist> sometimes, I really hate people
16:36 < |Mike|> that guy actually asked a question according to my irclogs
16:38 <@ecrist> he did, this morning.
16:39 <@ecrist> asking a question doesn't detract from his douche-baggery
16:43 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
16:43 -!- mode/#openvpn [-bb *!*@92.241.210.115 *!*@93.179.52.69] by ecrist
16:51 -!- joako [~joako@69.25.162.26] has joined #openvpn
16:51 -!- joako [~joako@69.25.162.26] has quit [Changing host]
16:51 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
16:55 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
17:00 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 265 seconds]
17:05 -!- mode/#openvpn [-o ecrist] by ecrist
17:08 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:22 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
17:27 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:42 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 272 seconds]
17:50 -!- p3rror [~mezgani@41.140.103.175] has quit [Ping timeout: 265 seconds]
18:10 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
18:10 -!- mode/#openvpn [+o dazo] by ChanServ
18:10 <@dazo> !configs
18:10 <@vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
18:30 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Quit: Leaving]
19:39 -!- LumberCartel [~LumberCar@24.86.160.252] has joined #openvpn
19:40 < LumberCartel> Hello folks.  Is it possible to use ipp.txt to assign IP addresses based on MAC (node) addresses?  Or does "ipp.txt" support specifying multiple IPs for a single cn?  I have a site with 4 computers using the same certificate and duplicate-cn is enabled, and need them to get the same four IP addresses each time (it doesn't really matter which computer gets which IP).  Thanks in advance.
19:41 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
19:41 < dogarrhea1> why does openvpn gui client on windows say it's connected, but the icon still stays yellow and when verbosity is turned up it appears that it's trying to reconnect over and over again?
19:42 < dogarrhea1> it ends in "SIGTERM[hard,] received, process exiting"
19:48 -!- dogarrhea1 is now known as illbeatu
19:49 -!- illbeatu is now known as dogarrhea
19:50 -!- dogarrhea is now known as registering
19:50 -!- registering [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Quit: Leaving]
19:58 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
20:00 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
20:00 < dogarrhea1> so does anyone know why openvpn gui on windows 7 would just say "connecting to client" forever/
20:01 < dogarrhea1> and not connect?
20:03 < LumberCartel> dogarrhea1:  You should "tail -f" your log file in a separate window/session to see what's going on.
20:03 < dogarrhea1> my daemon.log?
20:03 < LumberCartel> When OpenVPN first connects, it does so before DHCP happens.
20:03 < LumberCartel> I'm not sure.  It depends on what your "cn" is called.
20:03 < LumberCartel> What OS is the client?
20:03 < dogarrhea1> windows 7
20:04 < LumberCartel> Okay, so it will be located in "C:/Program Files/OpenVPN/log/" or "C:/Program Files (x86)/OpenVPN/log/"
20:04 < LumberCartel> ...and will be named after your cn.
20:04 < dogarrhea1> paste?
20:04 < dogarrhea1> !paste
20:04 <@vpnHelper> dogarrhea1: "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
20:05 < LumberCartel> Since Windows 7 doesn't have nice Unix commands like "tail" you'll have to use FAR Manager's built in viewer ( http://www.farmanager.com/ ) to accomplish the same, or just DOS commands like "type <cn>.log" over and over again.
20:05 <@vpnHelper> Title: Far Manager Official Site : main (at www.farmanager.com)
20:05  * LumberCartel notes that if you're familiar with Norton Commander that you'll probably really like using FAR Manager, which is a native 32-bit/64-bit Windows text-mode application.
20:06 < LumberCartel> dogarrhea1:  I'm not asking you to share your log file.
20:06 < LumberCartel> What I'm suggesting is that you watch it and try to learn from it.
20:06 < dogarrhea1> i'm not sure how to read it
20:06 < LumberCartel> It contains a lot of information.
20:06 < dogarrhea1> all it's doing is printing a bunch of hex codes lol
20:06 < dogarrhea1> what are rwflags
20:07 < dogarrhea1> and WIN32 I/O: Socket Completion non-queued success [55].
20:07 < dogarrhea1> and us=someNumber
20:08 < LumberCartel> Well, feel free to post your log file then.  I'll take a look at it, but I only have 3 minutes left and then I have to leave (sorry).
20:08 < LumberCartel> You should see other information, not hex codes.
20:09 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
20:09 < dogarrhea1> http://pastebin.ca/1989601
20:09 < dogarrhea1> it's doing whats in there, over and over and over and over. the icon remains yellow. green is connected right?
20:10 < dogarrhea1> lumbercartel. blah i always forget to highlet
20:10 < dogarrhea1> windows says: "no internet access" but shows a new network
20:11 < LumberCartel> Don't worry about highlighting.
20:11 < LumberCartel> I see errors that might be caused by UDP communication issues which I've experienced from time-to-time.
20:11 < LumberCartel> To rule out UDP problems, I suggest using TCP on server and client to see if this resolves it.
20:11 < dogarrhea1> hrm..
20:11 < LumberCartel> You'll need to change server.conf and your local client's .ovpn file.
20:11 < LumberCartel> Then restart the server and the client.
20:12 < dogarrhea1> ok..
20:12 < LumberCartel> TCP has many advantages over UDP as far as smoother communications go too.
20:12 < LumberCartel> UDP is a bit tough for end users I find because the connectivity can get lost without notice.  With TCP this doesn't happen.
20:12 < dogarrhea1> why is it default udp though?
20:12 < LumberCartel> UDP has some advantages with security during the initial handshake that can be configured to simply ignore attempts to connect in the first place if they're not 100% right.
20:13 < LumberCartel> TCP, on the other hand, will respond before any verification takes place, and a dark hacker could guess that the standard TCP port is for a VPN.
20:13 < LumberCartel> I use TCP on all my VPNs without problems.
20:13 < LumberCartel> I like the idea of using UDP, but not with end users.
20:14 < LumberCartel> Sorry, I have to go.  I'll be back in 2 or 3 hours (hopefully).  If you see me, let me know how it went.
20:14 < dogarrhea1> ok.
20:14 < LumberCartel> ...if it didn't go so well, I'll be glad to look at your .ovpn files with you.
20:14 < LumberCartel> Take care.
20:14 < LumberCartel> Good luck!
20:14 < dogarrhea1> thanks 
20:14 < dogarrhea1> bye
20:14 < LumberCartel> You're welcome.
20:14 -!- LumberCartel [~LumberCar@24.86.160.252] has quit [Quit: RFCs the easy way -- http://www.openrfc.org/]
20:18 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Quit: Leaving]
20:40 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
20:40 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
20:40 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
21:01 -!- joako [~joako@opensuse/member/joak0] has quit [Ping timeout: 276 seconds]
21:09 -!- mode/#openvpn [+o ecrist] by ChanServ
21:09 -!- mode/#openvpn [-bbbb *!*alex@209.99.13.200 *!*@209.99.13.* *!*@AClermont-Ferrand-156-1-18-210.w81-251.abo.wanadoo.fr RootDisPl0x*!*@*] by ecrist
21:10 -!- mode/#openvpn [-bb *!*81.251.19@* *!*51fbc1d2@*] by ecrist
21:10 -!- Irssi: No bans in channel #openvpn
21:10 -!- mode/#openvpn [-o ecrist] by ecrist
21:34 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
21:37 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
22:05 < juostaus> anyone using the passtos patch for 802.1q?
22:08 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:14 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
22:26 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
23:04 -!- atan3 [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
23:05 -!- atan3 [~atan@unaffiliated/atan] has joined #openvpn
23:07 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
23:10 -!- atan3 [~atan@unaffiliated/atan] has quit [Ping timeout: 265 seconds]
23:25 -!- smellyanimal [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
23:27 < smellyanimal> lumbercartel
23:36 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
23:42 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has joined #openvpn
--- Day changed Sat Nov 13 2010
00:10 -!- hwilde [~hwilde@pool-74-98-224-203.pitbpa.fios.verizon.net] has joined #openvpn
00:19 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Organize your IRC]
00:19 -!- hwilde [~hwilde@pool-74-98-224-203.pitbpa.fios.verizon.net] has quit [Quit: Leaving]
00:20 -!- smellyanimal [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Ping timeout: 245 seconds]
00:25 -!- Fullma [~fullma@ram94-2-82-66-69-246.fbx.proxad.net] has quit [Ping timeout: 245 seconds]
00:26 -!- monas [~kaspar@78-57-177-25.static.zebra.lt] has quit [Read error: Operation timed out]
00:31 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
00:58 -!- monas [~kaspar@88.119.154.240] has joined #openvpn
01:18 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
01:21 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Quit:  has left the bulding]
01:45 -!- LumberCartel [~LumberCar@24.86.160.252] has joined #openvpn
01:47 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 272 seconds]
01:54 -!- LumberCartel [~LumberCar@24.86.160.252] has quit [Quit: RFCs the easy way -- http://www.openrfc.org/]
02:04 -!- W0rmF00d [~wormfood@183.38.14.36] has joined #openvpn
02:05 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:06 -!- WormFood [~wormfood@183.38.15.242] has quit [Disconnected by services]
02:06 -!- W0rmF00d is now known as WormFood
02:23 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
02:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
02:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
02:54 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
03:15 -!- tjz [~pc@bb220-255-124-75.singnet.com.sg] has joined #openvpn
03:15 -!- tjz [~pc@bb220-255-124-75.singnet.com.sg] has quit [Changing host]
03:15 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
03:19 -!- Netsplit *.net <-> *.split quits: monas
03:19 -!- Netsplit *.net <-> *.split quits: Visual`, k4r4mb4, |Mike|
03:20 -!- Netsplit over, joins: Visual`
03:21 -!- monas [~kaspar@2002:5877:9af0:1000:217:8ff:fe4b:9b21] has joined #openvpn
03:23 -!- k4r4mb4 [user@puffs.ganja.nl] has joined #openvpn
03:28 -!- |Mike| [mike@vps-2a01-4f8-101-1c1-b23f-f6e5.twenty-five.nl] has joined #openvpn
03:46 -!- master_of_master [~master_of@p57B5728B.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
03:48 -!- master_of_master [~master_of@p57B55759.dip.t-dialin.net] has joined #openvpn
03:59 -!- cmur2 [~quassel@static.63.239.63.178.clients.your-server.de] has joined #openvpn
04:01 -!- cmur2 [~quassel@static.63.239.63.178.clients.your-server.de] has left #openvpn []
04:16 -!- twister004 [~chatzilla@117.204.136.190] has joined #openvpn
04:17 < twister004> hi guys.. i havesetup a bridged open vpn on my ubuntu boxc.. the issue im facing is that when I connect to the server usingmy client setup, the default gateway on the client machine changes to the gw of the openvpn server
04:17 < twister004> how cn i prevent this??
04:19 < hyper_ch> !tell twister004 [configs]
04:20 < twister004> ?
04:20 < hyper_ch> !tell hyper_ch [configs]
04:20 < hyper_ch> check what the vpnhelper told you
04:22 < twister004> ok thanks!
04:23 < hyper_ch> !def1
04:23 <@vpnHelper> hyper_ch: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
04:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
04:30 < twister004> vpnHelper...that option is disabled on the serer
04:30 < twister004> why shoudl the gateway change then?
04:31 < twister004> vpnHelper.. i dont wanna change my gateway on connecting to the vpn srvr
04:31 <@vpnHelper> twister004: Error: "i" is not a valid command.
04:32 < twister004> ??
04:46 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
04:46 -!- twister004 [~chatzilla@117.204.136.190] has quit [Ping timeout: 245 seconds]
05:07 -!- kerfe [~a@234.pool85-60-147.dynamic.orange.es] has joined #openvpn
05:30 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
06:16 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
06:25 -!- joako [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
07:05 <@vpnHelper> RSS Update - forum: Installation Help :: openvpn + Raccon :: Author pauloric <https://forums.openvpn.net/viewtopic.php?f=5&t=7267&p=8373#p8373>
07:52 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 260 seconds]
07:57 -!- RealFlub [~realflub@realflub.be] has joined #openvpn
07:57 < RealFlub> hi
07:58 < RealFlub> got openvpn server on my debian server, and client is win7
07:58 < RealFlub> and the problem is, DNS doesnt work over my vpn connection
07:59 < RealFlub> however, in my config there is: push "dhcp-option DNS 8.8.8.8"
07:59 < RealFlub> and its still not working
08:01 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
08:14 < Bushmills> check whether windows has set name server to 8.8.8.8. if so, make sure that openvpn server has been configured for ip forwarding and masquerading 
08:15 < Bushmills> that is, assuming that default route uses openvpn
08:16 < Bushmills> if you try to route your traffic through openvpn, but it mysteriously isn't, then check:
08:16 < Bushmills> !winroute
08:16 <@vpnHelper> Bushmills: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
08:29 < RealFlub> dns server is correct under windows
08:29 < RealFlub> i can surf with ip's, not with dns
08:36 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
08:37 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
08:44 < Bushmills> you can ping 8.8.8.8?
08:56 < RealFlub> mmz, can only ping my vpn server
08:57 < RealFlub> with the real ip that is reachable from the internet
08:58 < Bushmills> if you can't ping 8.8.8.8, it is unlikely that you an use it o resolve host names
08:58 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
08:58 < Bushmills> can
08:58 < RealFlub> yeah, but i cant ping other ips
08:58 < Bushmills> to...
08:59 < Bushmills> well, fox your (probably) routing then. or, set up vpn server for masquerading and ip forwarding
08:59 < Bushmills> fix ... grrr
09:03 < RealFlub> .. iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
09:04 < Bushmills> !nat
09:04 <@vpnHelper> Bushmills: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
09:04 < Bushmills> !ipforward
09:04 <@vpnHelper> Bushmills: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
09:16 -!- superbofh [~xumpi@cl-229.lis-01.pt.sixxs.net] has joined #openvpn
09:26 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined #openvpn
09:33 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
10:14 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
10:19 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined #openvpn
10:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
10:30 -!- krzee [~k@ftp.secure-computing.net] has joined #openvpn
10:30 -!- krzee [~k@ftp.secure-computing.net] has quit [Changing host]
10:30 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
10:38 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined #openvpn
10:44 -!- monas [~kaspar@2002:5877:9af0:1000:217:8ff:fe4b:9b21] has quit [Ping timeout: 260 seconds]
11:16 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has joined #openvpn
11:40 -!- corretico [~corretico@201.201.44.82] has quit [Read error: Connection reset by peer]
11:55 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
11:56 -!- smellyanimal [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
11:58 < smellyanimal> why does my openvpn gui client keep doing:  SIGUSR1[soft,connection-reset] received, process restarting
11:58 < smellyanimal>  every 5 seconds?
11:59 < reiffert> maybe because the openvpn process receives a SIGUSR1, every 5 seconds.
12:02 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
12:05 -!- monas [~kaspar@78-57-177-25.static.zebra.lt] has joined #openvpn
12:28 -!- smellyanimal [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Quit: Leaving]
12:58 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
13:59 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 240 seconds]
14:15 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
14:18 < ecrist> openvpn crashing is a good as time as any to upgrade to latest
14:41 -!- luneff [~yury@84.51.213.169] has joined #openvpn
14:50 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 276 seconds]
14:57 -!- kerfe1 [~a@234.pool85-60-147.dynamic.orange.es] has joined #openvpn
15:00 -!- kerfe [~a@234.pool85-60-147.dynamic.orange.es] has quit [Ping timeout: 245 seconds]
15:19 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
15:39 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
15:45 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
15:46 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Read error: Connection reset by peer]
15:52 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined #openvpn
15:52 -!- bitterman [~yury@84.51.213.169] has joined #openvpn
15:56 -!- luneff [~yury@84.51.213.169] has quit [Ping timeout: 265 seconds]
16:29 -!- darth_bitterman [~yury@84.51.213.169] has joined #openvpn
16:32 -!- bitterman [~yury@84.51.213.169] has quit [Ping timeout: 245 seconds]
16:34 -!- kerfe1 is now known as kerfe
16:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
16:52 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
16:54 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
16:57 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
16:58 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
17:07 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 255 seconds]
17:20 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
17:30 -!- LumberCartel [~LumberCar@24.86.160.252] has joined #openvpn
17:33 < kisom> anyone need vpn support?
17:33 < kisom> im quite bored
17:35 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
17:46 -!- shuffle2 [shuffle2@cpe-74-74-168-216.rochester.res.rr.com] has quit [Quit: Changing server]
17:50 < ecrist> lol
17:51 < krzie> hehehe
17:51 -!- trcpth [~b@91.121.107.112] has joined #openvpn
17:51 < krzie> oh hey ecrist did i send a msg re: webmail?
17:52 < krzie> i forget if i did or not... lol
17:52 < trcpth> who is in for a mystery?
17:52 < ecrist> yeah, i pulled it, figured nobody was using it, I put it back up when you said something.
17:52 < ecrist> trcpth: kisom is
17:52 < trcpth> works for me
17:53 < krzie> oh, lol
17:54 < trcpth> in all seriousness, been trying to get a vpserver to work.. used the same config as one of a server i used before everything works except internet.. tracepath sticks at 1. and i am out of ideas.
17:54 < trcpth> the difference between the two servers is that one is dedicated and the one that doesn't work a vps.
17:55 < krzie> future reference, you can programmatically see who uses it by checking the new / cur imap dirs, since ild bet imap is only open to your webmail
17:55 < krzie> not that it matters, just a trick i had to use before
17:55 < ecrist> no, imap is open everywhere,
17:55 < krzie> oh, interesting
17:55 < ecrist> I use imap now, it allows me to do server-side sorting, and such
17:56 < ecrist> I require SSL on imap and SSL
17:56 < krzie> trcpth, 
17:56 < krzie> !goal
17:56 < ecrist> the server-side sorting is useful for getting the right email to my mobile.
17:56 <@vpnHelper> krzie: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:56 -!- kyrix [~ashley@mar92-2-82-66-59-1.fbx.proxad.net] has joined #openvpn
17:56 < krzie> ecrist, ahh i gotchya
17:57 < trcpth> goal: i want to tunnel my traffic from client through the server.
17:57 < trcpth> to access the internet
18:00 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
18:01 < ecrist> !def1
18:01 <@vpnHelper> ecrist: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
18:03 < trcpth> i'll try adding def1 to push "redirect-gateway" 
18:05 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
18:05 < trcpth> added def1, restarted openvpn service. no dice :(
18:06 < ecrist> are you using NAT on the VPN server for traffic bound for the internet?
18:06 < trcpth> it is a vps with its own hwaddress so afaik it is switched not natted.
18:09 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:09 < ecrist> how man IPs do you have trcpth ?
18:10 < trcpth> the vps has one ipv4 and ipv6 on eth0. then there is lo and tun
18:11 < krzie> did you configure NAT on the server?
18:12 < krzie> did you enable ip forwarding?
18:12 < ecrist> you are going to need NAT for your VPN clients.
18:12 < krzie> !redirect
18:12 <@vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:12 < ecrist> krzie: we really need to write a 'how to use your VPN for internet access wiki page'
18:12 < trcpth> cat /proc/sys/net/ipv4/ip_forward
18:12 < trcpth> 1
18:12 < krzie> yup, ive meant to many times... but it will be SUCH a PITA
18:12 < krzie> because of how many different ways to NAT and whatnot
18:13 < trcpth> ok so NAT as in setup iptables to forward things ?
18:13 < krzie> however, it has to start somewhere... then filling in the info will be easy
18:13 < ecrist> Step 1) Use FreeBSD  Step 2)
18:13 < ecrist> :)
18:13 < krzie> step 3) profit
18:13 < krzie> ;]
18:13 < krzie> !linnat
18:13 <@vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
18:18 -!- trcpth [~b@91.121.107.112] has quit [Quit: trcpth]
18:18 -!- trcpth [~b@91.121.107.112] has joined #openvpn
18:21 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
18:22 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 265 seconds]
18:27 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
18:27 -!- trcpth2 [~b@adam.tilaa.nl] has joined #openvpn
18:27 < trcpth2> iptables did it 
18:28 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
18:29 -!- kyrix [~ashley@mar92-2-82-66-59-1.fbx.proxad.net] has quit [Ping timeout: 265 seconds]
18:31 -!- trcpth [~b@91.121.107.112] has quit [Ping timeout: 260 seconds]
18:32 < trcpth2> ok so where do useless people like me donate to ?
18:35 < krzie> !donate
18:35 <@vpnHelper> krzie: "donate" is (#1) send monetary donations to openvpn@secure-computing.net via paypal. All money donated goes to staff toward development of the community wiki, forum, and this IRC channel., or (#2) Contributions to this address do *NOT* directly benefit OpenVPN Technologies, Inc., or (#3) http://www.secure-computing.net/wiki/index.php/OpenVPN/Donations for Contribution totals and benefactors
18:35 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
18:35 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 240 seconds]
18:37 < trcpth2> thank you krzie 
18:37 < krzie> np
18:38 < trcpth2> can only do a banktransfer at the moment, but will put a reminder in once i got paypal setup. nothing substantial but i assume every little bit helps.
18:41 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
18:51 < krzie> very cool, thanx man ;]
18:51 -!- darth_bitterman [~yury@84.51.213.169] has quit [Quit: Leaving]
18:53 -!- kerfe1 [~a@234.pool85-60-147.dynamic.orange.es] has joined #openvpn
18:54 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:56 -!- kerfe [~a@234.pool85-60-147.dynamic.orange.es] has quit [Ping timeout: 240 seconds]
18:59 -!- kerfe1 [~a@234.pool85-60-147.dynamic.orange.es] has quit [Quit: • IRcap • 8.6 •]
19:09 < LumberCartel> kisom:  Are you still bored?
19:23 -!- k4r4mb4 [user@puffs.ganja.nl] has quit [Ping timeout: 260 seconds]
19:25 -!- trcpth2 [~b@adam.tilaa.nl] has quit [Quit: trcpth2]
19:57 -!- atan3 [~atan@unaffiliated/atan] has joined #openvpn
19:59 -!- humanMeat [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
19:59 < humanMeat> so, I tried to ssh raw to port 1194 on my ubuntu server where openvpn is supposed to be listening
19:59 < humanMeat> and nothing is happening.
19:59 -!- atan [~atan@unaffiliated/atan] has quit [Ping timeout: 245 seconds]
19:59 < humanMeat> how do i diagnose this problem
20:04 < humanMeat> why does my client keep giving me this error every 5 seconds?  Sat Nov 13 18:03:42 2010 us=124000 PID packet_id_free
20:04 < humanMeat> Sat Nov 13 18:03:42 2010 us=124000 SIGUSR1[soft,connection-reset] received, process restarting
20:04 < humanMeat> Sat Nov 13 18:03:42 2010 us=155000 Restart pause, 5 second(s)
20:12 -!- atan3 [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
20:14 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
20:15 < LumberCartel> humanMeat:  Is OpenVPN configured for UDP or TCP on your server and client?
20:21 < humanMeat> lumbercartel, last we spoke, you told me to try TCP and i tried TCP 
20:22 < humanMeat> and it's restarting the connection every 5 seconds
20:22 < humanMeat> you were saying something about UDP security vs TCP stability or something like that
20:25 < LumberCartel> Oh, you're using a new name now.
20:25 < LumberCartel> TCP is definitely more stable.
20:26 < LumberCartel> You probably won't see anything from a raw TCP connection.  All you'll find is that the connecction is accepted and you can send data.
20:26 < LumberCartel> At least that's what I would expect.
20:26 < humanMeat> i don't understand why it keeps restarting though
20:26 < LumberCartel> On a side-note, I did come back that evening, a few hours later than expected, and didn't see you here (I was looking for your previous pseudonym) -- sorry to have missed you.
20:26 < LumberCartel> Did you want to share your configuration files for server and client through pastebin.ca or something?  I'll be happy to take a look at them.
20:27 < LumberCartel> Please use separate pastes for each.
20:27 < LumberCartel> ...if you do.
20:27 < LumberCartel> You can block out hostnames and public IP addresses if you like (this is normally recommended for security reasons) -- just change them to "x.x.x.x" or "example.com" to make it easiest.
20:27  * LumberCartel assumes IPv4.
20:28 < humanMeat> !paste
20:28 <@vpnHelper> humanMeat: "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
20:32 < humanMeat> http://pastebin.ca/1990771
20:35 < LumberCartel> humanMeat:  Your configuration file is quite different from any that I'm using.  For example, "proto" in your files takes different parameters than mine does (mine only takes "udp" or "tcp" without any extra text).
20:36 < LumberCartel> Exactly which product are you using?
20:36 < LumberCartel> ...and version?
20:37 < humanMeat> hrm. it says from "about":  v 1.0.3 mathias someone Version openvpn gui client
20:37 < humanMeat> wow. copyright 2002-2005.
20:37 < humanMeat> i wodner if i should still use this
20:37 < LumberCartel> What's on the server?
20:37 < LumberCartel> Same version?
20:38 < LumberCartel> I experienced quite a few problems (but not consistently) with version 1.x (or maybe it was 2.0.x), but version 2.1.x has been very reliable for me.
20:40 < humanMeat> hrm. trying to get the command to find out about package info on ubuntu
20:40 < humanMeat> i think it's 2.1
20:40 < humanMeat> dun know gotta check the repository
20:40 < LumberCartel> Is it a trivial matter to switch to OpenVPN 2.1 on your client?
20:41 < LumberCartel> What is your client OS, by the way?
20:42 < humanMeat> windows
20:43 < humanMeat> 7. home unpremium 64 bit etc. client is x86
20:43 < LumberCartel> Okay, then it is trivial.  Here's what you need to do:
20:43 -!- atan [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
20:43 < LumberCartel> 0. Backup your configuration files (keys, etc.)
20:44 -!- atan [~atan@blk-222-132-103.eastlink.ca] has joined #openvpn
20:44 < LumberCartel> 1. Uninstall OpenVPN 1.x
20:44 < LumberCartel> 2. Install OpenVPN 2.1.4.
20:44 -!- atan [~atan@blk-222-132-103.eastlink.ca] has quit [Changing host]
20:44 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
20:44 < LumberCartel> 3. Restore your configuration files (keys, etc.) if they were deleted by the previous installer (they shouldn't have been)
20:44 < LumberCartel> You'll need to make a few modifications to your .ovpn file so that it will work.  If you need some help with that, just ask.
20:45 < humanMeat> ok. i'll try. btw openvpn_2.1.0-1ubuntu1_i386.deb
20:45 < humanMeat> was package insalled
20:45 < LumberCartel> That's fine.  The 2.1.4 client will work just fine with that.
20:46  * LumberCartel is glad to see that the OpenVPN web site has been improved to make it easy to find the community software download.
20:46 < humanMeat> hrm. i wonder how i ended up downloading the old client..
20:47 < humanMeat> that is 2002-2005 copyright
20:47 < LumberCartel> You were probably using Internet Explorer.
20:47 < humanMeat> lol does that even make a difference?
20:47 < humanMeat> well i'll tell u what i'm about to download next
20:47 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
20:48 < LumberCartel> Here:  http://www.openvpn.net/index.php/openvpn-client.html
20:48 <@vpnHelper> Title: Downloads (at www.openvpn.net)
20:48 < LumberCartel> You can get 2.1.3 from there.
20:48 < LumberCartel> I'm mistaken in mentioning 2.1.4.
20:48 < humanMeat> first or second link
20:48 < humanMeat> both say "client" one says "access server"
20:49 < LumberCartel> Second one -- Community Software.
20:50 < humanMeat> what's the access server (while it's installing)
20:50 < humanMeat> ok 2.1.3 has been installed
20:50 < LumberCartel> I think it may be the commercial product.  I'm not using it.
20:51 < LumberCartel> Here's a tip for your installation:  Go into your list of network adapters (advanced settings), and rename the TAP adapter (probably called "Network connection #2" or something like that) to "OpenVPN" -- this will greatly simplify any troubleshooting you need to do in the future.
20:51 < LumberCartel> ...just because you can easily see in "ipconfig /all" or through icons and whatnot that you're definitely dealing with OpenVPN's TAP adapter.
20:52  * LumberCartel installed and configured OpenVPN for many different clients with NetBSD servers so that laptop and other remote users can connect securely to the network.
20:53 < humanMeat> hrm. i see some stuff. they are all not connected (all the tap adapters)
20:53 < humanMeat> i see an aetheros wireless thing some wan iminports from other vpn configs 
20:53 < LumberCartel> You have more than one?
20:53 < LumberCartel> Well, to make things simpler, uninstall OpenVPN then delete all the OpenVPN TAP adapters.
20:54 < humanMeat> er?
20:54 < LumberCartel> Then re-install OpenVPN 2.1.3 and it will create only one TAP adapter for you.
20:54 < LumberCartel> I assume this machine you're installing it on is more used just for testing, right?
20:54 < LumberCartel> It doesn't have any other VPNs on it?
20:54 < humanMeat> there is one other from vyprvpn 
20:55 < LumberCartel> Are you actually using that VPN/
20:55 < LumberCartel> ?
20:55 < humanMeat> l2tp or soemthing that i set up with the certificate manager
20:55 < humanMeat> no. it's disconnected right now
20:55 < LumberCartel> Do you need to keep it?
20:55 < humanMeat> i'd like to keep it... i've been using it on and off
20:55 < humanMeat> like today
20:55 < humanMeat> but not now.
20:55 < LumberCartel> Okay, well then be careful not to delete it's adapter.
20:55 < humanMeat> i know it's vpn connection 2 or something like that
20:56 < humanMeat> hrm. i am unable to delete the other random connection 4 and 3 connections
20:56 < LumberCartel> Well, be sure.  I don't want you to delete the wrong adapter, but I also want you to have a simple configuration so we can get you running.
20:56 < humanMeat> windows says "you can't delete it"
20:56 < LumberCartel> Oh, well then just forget about them.
20:56 < LumberCartel> So do you know which one is for OpenVPN?
20:56 < humanMeat> nope
20:56 < LumberCartel> Don't worry about this for now then.
20:56 < LumberCartel> Let's proceed to dealing with the configuration files.
20:57 < LumberCartel> Are they still in place?
20:57 < LumberCartel> Under OpenVPN's config/ directory?
20:57 < humanMeat> yes
20:58 < humanMeat> i see some stuff under C:\Program Files (x86)\OpenVPN\config
20:59 < humanMeat> starting openvpn on the ovpn file says "all tap32 adapters are currently in use
21:00 < LumberCartel> Okay, then I think we need to update your configuration file.  I'll see if I can make one for you.
21:03 -!- atan3 [~atan@unaffiliated/atan] has joined #openvpn
21:04 -!- atan3 [~atan@unaffiliated/atan] has quit [Max SendQ exceeded]
21:04 -!- atan3 [~atan@unaffiliated/atan] has joined #openvpn
21:06 -!- atan [~atan@unaffiliated/atan] has quit [Ping timeout: 272 seconds]
21:07 < humanMeat> ok i figured out that it was using local area connection 3
21:07 < humanMeat> but now ti's doing the same thing as the old one "sigusr1 restart pause 5 second" junk
21:08 < humanMeat> and doing the same thing over and over and over again every 5 seconds
21:12 < humanMeat> i going to restart brb
21:12 -!- humanMeat [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Quit: Leaving]
21:13 < LumberCartel> Sorry, I need to help with some family stuff for about 15 minutes (kids, you know).  I'll be AFK for a little while, then I'll continue this very shortly...
21:13 < LumberCartel> Sorry.
21:15 -!- atan3 [~atan@unaffiliated/atan] has quit [Read error: No route to host]
21:15 -!- atan3 [~atan@unaffiliated/atan] has joined #openvpn
21:16 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
21:16 < dogarrhea1> back
21:27 < dogarrhea1> u still there lumbercartel
21:29 < LumberCartel> I'm back now too.
21:29 < LumberCartel> Okay, it's still not working for you, right?
21:32 < LumberCartel> dogarrhea1:  Do you have OpenVPN installed under "Program Files" or "Program Files (x86)" ?
21:33 < LumberCartel> Also, are you using TLS?
21:33 < LumberCartel> ...and do you use the nsCertType feature?
21:34 < LumberCartel> I'm writing your client.ovpn file now.  If you don't answer, I'll just assume that you're not using them, and that OpenVPN is installed under the "C:\Program Files (x86)\OpenVPN\" directory.
21:35 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
21:36 < LumberCartel> Also, when using TCP you don't need to use ping to keep things alive.
21:36 -!- atan3 [~atan@unaffiliated/atan] has quit [Ping timeout: 245 seconds]
21:37 < LumberCartel> TCP has this built in automatically within the protocol.  This is one of its advantages over UDP (which is connectionless by design).
21:37 < krzie> LumberCartel, you are a manual version of my confgen
21:37 < krzie> !confgen
21:37 <@vpnHelper> krzie: "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/
21:37 < krzie> ;]
21:37 < LumberCartel> Heheh.
21:37 < LumberCartel> I prefer manual.  Is "confgen" something you created?
21:42 < LumberCartel> dogarrhea1:  Please see this configuration file (you may need to change "tun" to "tap"):  http://www.pastebin.ca/1990818
21:43 < LumberCartel> dogarrhea1:  Also, anything else that you'll need to change is called "example" -- just search for that string to quickly find what you need.
21:44 < LumberCartel> dogarrhea1:  This configuration file is basically just about the same as the default example that comes with OpenVPN on NetBSD.  It works just fine on Windows XP, 2003, Vista, and Windows 7 (both 32-bit and 64-bit editions).
21:44 < LumberCartel> I hope this helps.
21:45 < LumberCartel> I have to go, but if you like you can always send me a note via FreeNode.net's MEMOSERV (or is it MEMOSERVE?) feature, or use the Contact page on this web site ("Back-hoe operator" goes directly to me):  http://www.lumbercartel.ca/
21:45 <@vpnHelper> Title: The Lumber Cartel, local 42 (Canadian branch) (at www.lumbercartel.ca)
21:45  * LumberCartel will be leaving in 2 minutes.
21:51  * LumberCartel will be leaving in -5 minutes.
21:51 < LumberCartel> Bye.
21:51 -!- LumberCartel [~LumberCar@24.86.160.252] has quit [Quit: RFCs the easy way -- http://www.openrfc.org/]
22:04 -!- atan3 [~atan@unaffiliated/atan] has joined #openvpn
22:06 -!- atan [~atan@unaffiliated/atan] has quit [Ping timeout: 265 seconds]
22:20 -!- LumberCartel [~LumberCar@24.86.160.252] has joined #openvpn
22:21 < LumberCartel> dogarrhea1:  Hello.  How are things working for you now?  Did that configuration file I provided work out okay for you?
22:30 < dogarrhea1> i am getting a tun 32 adapters are in use :(
22:34 -!- atan [~atan@blk-222-132-103.eastlink.ca] has joined #openvpn
22:34 -!- atan [~atan@blk-222-132-103.eastlink.ca] has quit [Changing host]
22:34 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
22:36 -!- atan3 [~atan@unaffiliated/atan] has quit [Ping timeout: 255 seconds]
22:37 < dogarrhea1> brb gettinb pizza 
22:41 < dogarrhea1> hrm "windows route add command failed"
22:49 < dogarrhea1> hrm. i'm getting closer..
22:49 < dogarrhea1> it says i am connected and assigned an ip of something butttt, there's no internet connectivity
22:53 < ecrist>  !routeexe
22:53 < ecrist> !winroute
22:54 <@vpnHelper> ecrist: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
22:58 -!- atan3 [~atan@unaffiliated/atan] has joined #openvpn
22:59 -!- atan3 [~atan@unaffiliated/atan] has quit [Max SendQ exceeded]
23:00 -!- atan3 [~atan@unaffiliated/atan] has joined #openvpn
23:01 -!- atan [~atan@unaffiliated/atan] has quit [Ping timeout: 245 seconds]
23:01 -!- atan3 [~atan@unaffiliated/atan] has quit [Max SendQ exceeded]
23:02 -!- atan3 [~atan@unaffiliated/atan] has joined #openvpn
23:11 -!- Champi [Champi@damn.e-leet.be] has quit [Ping timeout: 252 seconds]
23:16 < LumberCartel> dogarrhea1:  What is in your log file now?
23:19 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:19 -!- Champi [Champi@damn.e-leet.be] has joined #openvpn
23:24 -!- onionz [~joemommas@76.7.49.170] has joined #openvpn
23:24 < onionz> hi i can connect to my vpn but cannot browse web pages
23:25 < LumberCartel> Can you browse to web pages when you're not connected to your VPN?
23:25 < onionz> yes
23:25 < LumberCartel> Do you have access to your OpenVPN server's configuration file?
23:25 < onionz> yes
23:26 < onionz> well maybe let me check
23:27 < onionz> no i don't
23:28 < LumberCartel> You need to check your server.conf file for the "redirect-gateway" setting.  If it's enabled, this may be what's causing your problem.
23:29 < onionz> ok
23:30 < LumberCartel> Which OS is the client running?
23:30 < onionz> ubuntu 10.04, weird thing is a page or two will open then it stops
23:34 < LumberCartel> onionz:  Is the particular certificate you have used only by your computer?  If so, you can configure ipp.txt on the server to contain a permanent IP and the use a static IP configuration to match on the client side that leaves out the gateway.  That could work.
23:35 < LumberCartel> If the server-side configuration file includes an uncommented "duplicate-cn" line, then it's possible that certificates are being shared and then ipp.txt won't be the right solution to even attempt.
23:40 -!- onionz [~joemommas@76.7.49.170] has quit [Read error: Connection reset by peer]
23:41 < LumberCartel> onionz:  On the server-side, this line might be helpful to you as well:  push "redirect-gateway local def1"
23:42 < LumberCartel> You'll have to experiment a little bit to figure out just what's right for you.
23:43 -!- onionz [~joemommas@76.7.49.170] has joined #openvpn
23:44 < onionz> thanks for your help lumber but I have no access to the vpn settings on the server
23:44 < onionz> i pay for the service and am not getting much help with it
23:45 < onionz> from support
23:46 < LumberCartel> That's a shame.
23:46 < LumberCartel> What are you using it for?
23:46 < onionz> the vpn?
23:47 < LumberCartel> Yes.
23:47 < onionz> to avoid firewall restrictions lol
23:47 < LumberCartel> You mean for internet access from work or something?
23:48 < onionz> yes
23:48 < LumberCartel> I'll assume it's for your own laptop.  (Of course it is!)
23:48 < LumberCartel> Do you have a high-speed internet connection at your home as well?
23:48 < onionz> from behind a sonicwall with overly strict web browsing polocies
23:49 < onionz> no home at the moment, this is my home
23:49 < LumberCartel> Oh, so work is your home.
23:49 < LumberCartel> Bummer.
23:50 < LumberCartel> If you did have a home with high-speed, I'd suggest you consider comparing the cost of outsourcing OpenVPN with the extra cost from your ISP to get a static IP (for Shaw in Canada it's ~$20/month), then setting up your own OpenVPN server there at home.
23:50 < LumberCartel> OpenVPN can operate as a server on Unix, Linux, or Windows.
23:51 < LumberCartel> Perhaps that will be helpful to you in the future.
23:52 < onionz> thanks for the advice
23:52 < LumberCartel> Now, with regards to the default gateway situation, it actually shouldn't be a big problem.
23:52 < LumberCartel> You're welcome.
23:52 < LumberCartel> If your VPN can provide unrestricted internet access, then you actually want the default gateway to go through it then.
23:52 < LumberCartel> Your local computer should also be smart enough to know where to send traffic in your local subnet (e.g., not over the VPN).
23:52 < onionz> another weird thing is I could ping the website but couldn't open a browser
23:53 < LumberCartel> Can't open a web browser?  That sounds more like a resource or SpyWare issue to me.
23:53 < LumberCartel> Or do you mean that you can't access a web page?
23:53 < onionz> no the browser opens but the web page won't load
23:54  * LumberCartel notes that if onionz' work place has a complicated set up with the network (e.g., multiple subnets), then routing can be a bigger challenge.
23:54 < LumberCartel> Does the OpenVPN service provide do NAT on the server?  If not, then this is probably where your problem is.
23:54 < onionz> it's actually real simple and I'm the it guy
23:55 < LumberCartel> You see, the 10/8 network is not routable outside of private networks.
23:55 < onionz> i don't know about nat
23:55 < LumberCartel> NAT == Network Address Translation.
23:56 < onionz> this vpn was working before though
23:56 < LumberCartel> If you want to use private IPs on your computers, then NAT is needed to access the internet (or a proxy server or something).
23:56 < LumberCartel> Hmm, what are your proxy server settings on your computer, by the way?
23:56 < LumberCartel> Well, I don't need to know what they are.
23:56 < LumberCartel> I just wonder if they are set up.
23:56 < onionz> my mb went bad, I changed it. now it doesn't work. probably unrelated
23:56 < dogarrhea1> lumberCartel, my log file says i'm connected, the icon is green, but in the windows network list it says : " Unidentified network. No Internet Accdess"
23:57 < LumberCartel> dogarrhea1:  If you paste your log file I'd be happy to take a look at it.
23:57 < onionz> yes my VPN must use NAT because my ip address changes
23:57 < onionz> no proxy settings
23:58 < LumberCartel> That's good, that makes it simpler.
23:58 < LumberCartel> With your VPN turned off, you can get to this page and see your workplace IP, right?  http://www.searchbin.ca/whatismyip.pl
23:58 <@vpnHelper> Title: [SearchBin] My IP address (your IP, actually), and more... (at www.searchbin.ca)
23:58 < dogarrhea1> lumberCartel http://pastebin.ca/1990867
--- Day changed Sun Nov 14 2010
00:02 < LumberCartel> dogarrhea1:  Well, it seems to be working according to the log (my log files look like this all over the place too).  Can you ping 10.8.0.1?
00:03 < dogarrhea1> avg 35 ms
00:03 < dogarrhea1> no dropped
00:03 < LumberCartel> Okay, that's good.
00:04 < LumberCartel> 10.8.0.1 is the server.  If you can ping it, then ICMP traffic is passing through your VPN (encrypted) to the server.
00:04 < dogarrhea1> hrm. i always thought the  exteranl ip of the box was the server..
00:04 < LumberCartel> Do you know any of the server's IPs?  Try to ping the internal ones first.  I don't need to know what those IPs are.
00:04 < LumberCartel> The server will have multiple IPs in your case.
00:04 < LumberCartel> Each interface gets an IP address if you wish to use it with TCP/IP.
00:05 < LumberCartel> On the server you can type "ifconfig -av" to see it all.
00:05 < LumberCartel> On some flavours of Unix (or distributions of Linux) the -v switch isn't supported and so you may have to use "ifconfig -a" ("ifconfig -av" is definitely supported on NetBSD). 
00:07 < dogarrhea1> hrm. i don't see anything too significant. i see a 127.0.0.1 a  inet addr:10.8.0.1  P-t-P:10.8.0.2, and the address i use to connect to the SSH client
00:07 < dogarrhea1> which is the remote-server 1194 thing in config
00:08 < dogarrhea1> what should i be looking for
00:08 < LumberCartel> dogarrhea1:  Those are your server's IP addresses.  You can pretty much ignore 10.8.0.2 and just stuck with 10.8.0.1 for everything on the VPN side.
00:08 < LumberCartel> Can you ping the public IP (the one you connect to SSH from)?
00:08 < LumberCartel> s/stuck/stick/
00:10 -!- kaushal [~kaushal@triband-mum-120.61.35.69.mtnl.net.in] has joined #openvpn
00:10 < kaushal> Hi
00:10 < LumberCartel> onionz:  When you're connected to the VPN, can you ping the VPN's gateway address?  I assume this is 10.8.0.1.
00:10 < LumberCartel> Hello kaushal.
00:10 < kaushal> I am running openvpn in my laptop as a daemon mode
00:11 < LumberCartel> kaushal:  Server or client?
00:11 < kaushal> LumberCartel: client
00:11 < LumberCartel> Which OS?
00:11 < kaushal> Ubuntu Linux 10.04
00:11 < LumberCartel> Wow, Ubuntu is popular today.
00:11 < LumberCartel> kaushal:  Is it working okay for you, or have you run into an issue?
00:12 < kaushal> so my question lets say if i switch my wired connection to wifi connection
00:12 < kaushal> so the vpn connection is lost
00:12 < LumberCartel> Is your VPN configured to use TCP or UDP?
00:12 < LumberCartel> If it's UDP, you'll probably have to kill and restart the daemon.
00:13 < dogarrhea1> i am able to ping 
00:13 < kaushal> so i need to reconnect it bt starting openvpn daemon using sudo /etc/init.d/openvpn restart
00:13 < LumberCartel> dogarrhea1:  The public IP?  Great!
00:13 < kaushal> so is there a way to automatically reconnect ?
00:13 < dogarrhea1> i think it's the public ip heh
00:13 < kaushal> when the internet is on
00:13 < kaushal> I am using UDP
00:14 < LumberCartel> kaushal:  If that doesn't work (because sometimes "restart" retains existing connections), then you'll have to actually "stop" before your "start" it.
00:14 < kaushal> yes
00:14 < kaushal> but it runs as a daemon
00:14 < LumberCartel> kaushal:  This is one of the problems with using UDP.  If you used TCP, then OpenVPN would know immediately when the connection was lost.
00:14 < kaushal> ok
00:14 < kaushal> so UDP on server ?
00:15 -!- phusion__ [psn@2607:f0d0:2001:8b::50:1337] has quit [Read error: Operation timed out]
00:15 < kaushal> I am using 1194 UDP
00:15 < LumberCartel> You see, the nature of UDP is connectionless due to its design.  With TCP, there's all this keep-alive stuff going on, packet ordering, etc., so things work more smoothly and errors can be corrected.
00:16 < LumberCartel> kaushal:  Well, you'll need to configure both server and client to use TCP then.  OpenVPN uses UDP by default.  Are you the only OpenVPN client?  If not, you'll need to re-configure all OpenVPN clients.
00:16 < kaushal> got it now
00:16 < kaushal> Thanks
00:16 < LumberCartel> That solved it?  Excellent.
00:16 < kaushal> I cannot use TCP
00:16 < LumberCartel> Why's that?
00:16 < kaushal> so i have to live with it :(
00:17 < LumberCartel> Hang on, there may be a setting that can help...
00:17 < kaushal> sure
00:18 < LumberCartel> Take a look at this in server.conf, see if enabling it helps:  keepalive 10 120
00:18 < LumberCartel> Documentation is in server.conf for that.  Read it first.
00:18 < kaushal> ok
00:18 < kaushal> so set keepalive 10 120 in the client config ?
00:18 -!- ball [~ball@99.142.58.3] has joined #openvpn
00:19 < LumberCartel> I believe that's the default setting.  I suggest you start with the default (whatever it is), and then see if you need to tweak it from there.
00:19 < LumberCartel> Do you use "tls-auth" currently?
00:20 < kaushal> nope
00:20 < LumberCartel> dogarrhea1:  Are you able to ping beyond the public IP, or can you only get as far as the public IP?
00:21 < LumberCartel> kaushal:  You should consider using it.  UDP-based OpenVPN can be made to be more secure with it.  It also seems to improve the reliability of UDP connections a little bit.
00:21 < LumberCartel> It's very easy to set up.
00:21  * LumberCartel greets ball.
00:22 < ball> Hello LumberCartel
00:22 -!- phusion__ [psn@2607:f0d0:2001:8b::50:1337] has joined #openvpn
00:25 < LumberCartel> kaushal:  http://openvpn.net/index.php/open-source/documentation/howto.html#security
00:25 <@vpnHelper> Title: HOWTO (at openvpn.net)
00:26 < dogarrhea1> lumberCartel what do you mean?
00:26 < LumberCartel> kaushal:  That link is about "tls-auth" and its entiteld "Hardening OpenVPN Security."
00:26 < LumberCartel> dogarrhea1:  Well, you can ping your server's public and private IPs.  Can you ping an IP outside of that, through your VPN?  Or is this not what you're trying to accomplish?
00:27 < LumberCartel> s/its/it's/
00:27 < dogarrhea1> lumbercartel, i think right now, the connection i'm using is just my regular old ISP
00:27 < dogarrhea1> even though openvpn says i've been given an ip
00:28 < dogarrhea1> and the thing is green and "unidentified network. no internet access"
00:28 < LumberCartel> Do you run NAT on your server?
00:28 < LumberCartel> If not, then that's as far as you'll go.
00:28 < LumberCartel> But, it's good enough anyway.
00:29 < dogarrhea1> so i can't tunnel any traffic for anonymous access at starbucks? :(
00:29 < LumberCartel> You can.
00:29 < dogarrhea1> i heard linode does not do nat
00:30 < LumberCartel> But, if you change your default gateway then you might be in a catch-22 situation if your computer tries to route everything through the VPN including the VPN connection.
00:30 < dogarrhea1> er?
00:30 < LumberCartel> So, what you'll need to do next is set up a proxy server on your server that only listens on internal IPs (so that outsiders can't abuse it).
00:30 < ball> Might it disappear up itself?
00:30 < LumberCartel> Then, use proxy to get it going.
00:30 < LumberCartel> ball:  Yes.  That can happen.
00:31 < ball> My boss does that on most Fridays.
00:31 < ball> ;-)
00:31 < LumberCartel> ball:  Then the connection is gone, and OpenVPN disconnects and removes itself from the gateway and guess what -- it attempts to connect again and succeeds, then sets up the default route (gateway) again, and the circle starts all over.  Loads of fun for everyone!
00:32 < ball> That sounds like a pain to spot and diagnose properly.
00:32 < ball> ...though if you're familiar with the pattern...
00:32 < LumberCartel> Not if you have the network icon enabled in the System Tray, because then you see it going on and off repeatedly.
00:33 < dogarrhea1> hrm. this is getting more complex than i thought :(
00:33 < dogarrhea1> linode people say "any respectable company doesn't do NAT"
00:33 < dogarrhea1> why is this? 
00:33 < LumberCartel> dogarrhea1:  That's a strange statement to make.
00:34 < dogarrhea1> what would a box be doing if it's not doing NAT
00:34 -!- atan3 is now known as atan
00:34 < LumberCartel> dogarrhea1:  NAT is a great technology.  One of the most common uses is this:  You have an office with 20 computers and one internet connection with a single IP.  NAT makes it easy to share that connection.
00:35 < ball> That's how I use NAT at the office.
00:35 < LumberCartel> dogarrhea1:  Well, it could be proxying.  Proxies are more difficult to set up than NAT, but they also work quite well.
00:35 < LumberCartel> ball:  All my clients use NAT this way too.  I also use it.  Many big companies also use it.
00:35 < ball> I added another wireless Ethernet to our mix yesterday
00:35 < LumberCartel> ball:  I have a few clients who also use Squid for a small number of the internal computers so they can restrict access, but only for those few.  The rest of the machines are on NAT.
00:36 < ball> "needed" wireless in the basement.
00:36 < LumberCartel> ball:  Congratulations.
00:36 < dogarrhea1> so it's just a way of having more than 256 people  using the same internet?
00:36 < dogarrhea1> or 254 since 0 and the other reserved one..
00:36 < LumberCartel> dogarrhea1:  256 seems arbitrary.
00:36 < LumberCartel> dogarrhea1:  Where do you get that number from?
00:36 -!- k4r4mb4 [user@puffs.ganja.nl] has joined #openvpn
00:36 < dogarrhea1> 192.168.0 - 255
00:36 < LumberCartel> dogarrhea1:  Oh.  You're assuming a /24.
00:36 < ball> dogarrhea1: you're missing an octet
00:37 < dogarrhea1> yea. 192.168.x.0-255
00:37 < ball> Oh, I left my notebook in the car
00:37 < LumberCartel> dogarrhea1:  In that case, you're right, but if internally you were using a /16 then you'd be able to support 65,536 (minus 2) nodes.
00:37 < LumberCartel> ...with a single public IP.
00:37 < ball> We have 192.168.1.x for the office machines.  192.168.2.x for the upstairs wifi, 192.168.3.x for the downstairs wifi
00:38 < ball> ...and 192.168.9.x for the glue.
00:38 < ball> All with one IP address.
00:38 < LumberCartel> ball:  ...and 10.8.0/24 for an OpenVPN in the near future?  ;-D
00:38 < ball> LumberCartel: I've seen VPNs in the past, but never used one myself.
00:39 < ball> Wouldn't begin to know how to set one of those things up.
00:39 < LumberCartel> dogarrhea1:  Just in case you were wondering, that /24 business is the CIDR way of expressing a network mask.  A complete list can be seen here:  http://www.lumbercartel.ca/glossary/netmask.pl
00:39 <@vpnHelper> Title: [LumberCartel.ca] Network mask (at www.lumbercartel.ca)
00:39 < LumberCartel> ball:  Well, it's actually pretty straight-forward, and the documentation for OpenVPN is really excellent -- the authors have made it quite easy to follow.
00:40 < LumberCartel> ball:  When you wish to proceed with this, just let me know if you need some help, or ask here.
00:40 < ball> Our (public) IP address changed yesterday.  I was a bit surprised they just gave us a different Class B IPv4 address.  Thought perhaps it'd be IPv6
00:40 < LumberCartel> I'm getting IPv6 very soon for all my servers.  I'm looking forward to this.
00:41 < ball> LumberCartel: Would OpenVPN be a sensible choice if I wanted staff to be able to connect to the office LAN from home?
00:41 < LumberCartel> ball:  Yes.  Definitely.
00:41 < LumberCartel> ball:  They could use it to access the Samba service on the NetBSD server you're running there, or run remote sessions (which are often unencrypted or the encryption is lousy), etc.
00:42 < LumberCartel> ball:  It would also allow them to print to office printers while at home.
00:42 < dogarrhea1> hrm. i guess setting up a proxy is out of the scope of openvpn... i really wish this wouldv'e worked out
00:42 < LumberCartel> ball:  A few of my clients love this feature -- they'll be talking to someone at the office and say "oh, I just printed the document for you" and the other person says "but I thought you're not at the office" and they say "I'm not."
00:43 < LumberCartel> dogarrhea1:  OpenVPN is not a proxy server.  It also isn't a NAT server.  I suggest you ask about setting up Squid in the #squid channel.
00:43 < ball> I should probably try to get my NetBSD host printing to the office printer.  I'm pretty sure it runs lpd
00:44 < LumberCartel> ball:  Do it with OpenVPN because then the data crosses the internet (which is about as safe as the Gaza Strip) will be encrypted.
00:45 < dogarrhea1> hrm. so vpn is just so you can look at external resources just like they are in 192.168.x.whatever ?
00:45 < LumberCartel> Sort of.
00:45 < LumberCartel> Think of it as a virtual network cable.
00:46 < dogarrhea1> a virtual lan..
00:46 < LumberCartel> Yeah.
00:46 < LumberCartel> ...if you have client-to-client turned on.
00:47 < LumberCartel> OpenVPN does what it does really well because that's what it's focused on.  Proxy and NAT are best handled by their counter-parts.  I like Squid for proxy, and I like "pf" for NAT.
00:47 < LumberCartel> There are other solutions too.
00:48 < LumberCartel> Incidentally, you can use both proxy and NAT together.  I do.
00:48 < dogarrhea1> so a proxy is just a "virtual gateway"?
00:48 < LumberCartel> They don't know that one-another exists, but they work just fine together.
00:48 < LumberCartel> No.
00:48 < ball> I should set up a BSD box to replace our pile of routers
00:48 < LumberCartel> Not really.
00:48 < ball> s/pile/steaming pile/
00:48 < LumberCartel> Steaming?  That can't be good.
00:48 < dogarrhea1> or just another node.. that pretends to be a gateway?
00:49 < LumberCartel> No.
00:49 < LumberCartel> A proxy is a service that relays data.
00:49 < ball> Proxy servers and VPNs are two different animals.
00:49 < LumberCartel> Many proxies also providing caching, such as with HTTP proxies.
00:49 < LumberCartel> s/providing/provide/
00:49 < ball> If I understand correctly.
00:49 < LumberCartel> Yes.
00:50 < LumberCartel> A proxy is a service that runs as a daemon on your server (usually).
00:50 < LumberCartel> Your server is one of the nodes on the network.
00:50 < ball> LumberCartel: Have you ever set up a Web proxy for caching?
00:51 < dogarrhea1> so i'd need to set up a proxy with NAT stuff to make it seem like a server is a gateway since NAT changes ports and IP stuff on packets?
00:51 < LumberCartel> Your web browser sends its requests to the proxy, and then the proxy relays that request to the appropriate web server (just like your web browser would if it wasn't going through a proxy), then sends the data back.
00:51 < dogarrhea1> or just nat or just proxy?
00:52 < LumberCartel> dogarrhea1:  Well, in your case if you need to re-direct HTTP traffic through a particular server, you need a proxy daemon like Squid.  NAT isn't needed for this.
00:52 < dogarrhea1> i don't even need openvpn huh? haha
00:53 < LumberCartel> ball:  Squid has this capability.  I don't use the caching part of it because we're using it to control access.
00:54 < LumberCartel> dogarrhea1:  No, but I recommend you keep the OpenVPN because you have it working now and it will keep all your data encrypted -- nobody else can know what's coming in or going out of the office or the local StarBucks or Tim Horton's shared internet access by sniffing packets.
00:54 < dogarrhea1> i could've done this by using some SSH connection though through my proxy right?
00:54 < LumberCartel> dogarrhea1:  In fact, they won't even be able to tell which web sites you're accessing.  All they'll see is a bunch of non-sensical data travelling between your laptop's IP and your OpenVPN server's IP.
00:54 < LumberCartel> dogarrhea1:  Yes.  That would provide encryption too.
00:55 < LumberCartel> dogarrhea1:  There are many ways to do the same thing.
00:55 < dogarrhea1> what some people called a "socks" proxy?
00:55 < LumberCartel> dogarrhea1:  Yes.
00:55 < dogarrhea1> oh well. i guess i should probably use the right tool then
00:55 < LumberCartel> dogarrhea1:  The Squid package is good for that.
00:55 < LumberCartel> dogarrhea1:  There are many "right tools."
00:55 < ball> Goodnight everyone.  LumberCartel: thanks for the advice and offer of help.
00:56 -!- ball [~ball@99.142.58.3] has quit [Quit: leaving]
00:56 < LumberCartel> dogarrhea1:  If you run Samba on your server, then OpenVPN will be very good for encrypting that.
00:57 < dogarrhea1> alright. i'll try this "squid" out.. i hope i don't get fired. fried squid is an idiom for getting fired in Chinese
00:57 < LumberCartel> Ni shuo zhong wen ma?
00:57 < dogarrhea1> a little.
00:58 < LumberCartel> Hen hao.
00:58 < dogarrhea1> you chinese?
00:58 < LumberCartel> Nope.  I'm a white guy.
00:58 < LumberCartel> How about you?
00:58 < dogarrhea1> yellow fever?
00:58 < dogarrhea1> j/k
00:58 < dogarrhea1> i'm chinese haha
00:58 < LumberCartel> Which part of China are you from?
00:58 < LumberCartel> I'm Canadian.
00:58 < dogarrhea1> parents are from Shanghai and Hong Kong
00:59 < LumberCartel> So you have at least three dialects in your life.
00:59 < dogarrhea1> 2 of which i don't speak/understand
00:59 < LumberCartel> Mei guan xi.
00:59 < |Mike|> lol.
00:59 <@vpnHelper> RSS Update - forum: Server Administration :: Open additional port :: Author jolan <https://forums.openvpn.net/viewtopic.php?f=4&t=7268&p=8374#p8374>
01:00 < LumberCartel> Do you understand Mandarin, |Mike|?
01:00 < |Mike|> not at all sir
01:00 < LumberCartel> It's never too late to learn!
01:00  * LumberCartel smiles.
01:01 < dogarrhea1> hehe. you better have a good memory 
01:01 < |Mike|> that's true
01:01 < dogarrhea1> because remembering a sequence of characters is way different from remembering a window next to a thing that looks like a tree
01:01 < |Mike|> dogarrhea1++ :D
01:02 < LumberCartel> Regarding yellow fever, I started learning Mandarin when I was still in high school because I liked a few of the Chinese girls there and wanted to date them.  That never worked out (I'm Aspburgers), but I am married to a wonderful Chinese lady who moved here from Canton (Guang Dong).
01:02 < LumberCartel> |Mike|:  There's a karma counter here?
01:03 < |Mike|> unfortunatly not hehe
01:03 < LumberCartel> They have a good one in #perl (funny coincidence there though, "c" has the most karma).
01:03 < |Mike|> how's the weather over there btw?
01:04 < LumberCartel> s/Aspburgers/Aspergers/
01:05 < LumberCartel> You mean here in Canada?  Very wet today.  Lots of rain.  We have newly snow-capped mountains so we're expecting snowfall next week probably.
01:05  * LumberCartel is in Greater Vancouver, British Columbia, Canada.
01:05 < LumberCartel> Rain is good though.  It keeps our city very clean for the sunny days.
01:06 < reiffert> moin
01:07 < |Mike|> darn i'm beeing stared by 2 puppies
01:10 -!- k4r4mb4 [user@puffs.ganja.nl] has quit [Ping timeout: 260 seconds]
01:12 < LumberCartel> Hello reiffert.
01:12 < LumberCartel> Well, dogarrhea1, it was nice to meet you.
01:27 -!- LumberCartel [~LumberCar@24.86.160.252] has quit [Quit: RFCs the easy way -- http://www.openrfc.org/]
01:27 -!- k4r4mb4 [user@puffs.ganja.nl] has joined #openvpn
01:47 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
01:54 -!- roentgen [~arthur@2001:4d18:3:1:ffff:ffff:ffff:1] has joined #openvpn
01:54 -!- roentgen [~arthur@2001:4d18:3:1:ffff:ffff:ffff:1] has quit [Changing host]
01:54 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
01:55 -!- mode/#openvpn [+o roentgen] by ChanServ
01:55 -!- mode/#openvpn [-o roentgen] by ChanServ
02:11 <@vpnHelper> RSS Update - forum: Off Topic, Related :: route command path :: Author gkakaron <https://forums.openvpn.net/viewtopic.php?f=1&t=7269&p=8375#p8375>
02:30 -!- monas [~kaspar@78-57-177-25.static.zebra.lt] has quit [Quit: Leaving]
02:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
02:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
03:03 -!- kaushal [~kaushal@triband-mum-120.61.35.69.mtnl.net.in] has quit [Quit: Leaving.]
03:03 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
03:16 -!- aliverius_ [~george@athedsl-376162.home.otenet.gr] has joined #openvpn
03:20 -!- aliverius [~george@athedsl-371148.home.otenet.gr] has quit [Ping timeout: 250 seconds]
03:45 -!- master_of_master [~master_of@p57B55759.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
03:48 -!- master_of_master [~master_of@p57B576AB.dip.t-dialin.net] has joined #openvpn
03:53 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
04:10 -!- qfr [void@unaffiliated/yw] has joined #openvpn
04:10 < qfr> Does redirect-gateway even work on Windows 7 or do I need to set up the routing table manually?
04:10 < qfr> Sun Nov 14 11:07:33 2010 us=89000 Route addition via IPAPI failed [adaptive]
04:10 < qfr> Sun Nov 14 11:07:33 2010 us=89000 Route addition fallback to route.exe
04:10 < qfr> The requested operation requires elevation.
04:10 < qfr> Ahhh
04:11 -!- kaushal [~kaushal@triband-mum-120.61.35.69.mtnl.net.in] has joined #openvpn
04:11 -!- pareidolia [~michaelk@mak.xs4all.nl] has joined #openvpn
04:12 < pareidolia> !welcome
04:12 <@vpnHelper> pareidolia: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:12 < pareidolia> !howto
04:12 <@vpnHelper> pareidolia: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
04:21 -!- pareidolia [~michaelk@mak.xs4all.nl] has quit [Ping timeout: 240 seconds]
04:24 -!- pareidolia [~michaelk@178.224.52.205] has joined #openvpn
04:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
04:32 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 272 seconds]
04:40 -!- kaushal [~kaushal@triband-mum-120.61.35.69.mtnl.net.in] has quit [Quit: Leaving.]
04:47 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
04:57 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Read error: Connection reset by peer]
04:59 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Ping timeout: 260 seconds]
05:07 -!- pareidolia [~michaelk@178.224.52.205] has quit [Ping timeout: 276 seconds]
05:14 -!- pareidolia [~michaelk@178.224.52.205] has joined #openvpn
05:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
05:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
05:26 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
05:26 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
05:27 -!- pareidolia [~michaelk@178.224.52.205] has quit [Ping timeout: 255 seconds]
05:37 -!- kaushal [~kaushal@triband-mum-120.61.21.68.mtnl.net.in] has joined #openvpn
05:37 < kaushal> Hi
05:38 < kaushal> Can i set keepalive directive in ### Client configuration file for OpenVPN 
05:38 < kaushal> I mean client.conf
05:39 < kaushal> The purpose behind is that when there is a internet reconnection happens the OpenVPN Session breaks
05:39 < kaushal> Does that make sense ?
05:39 < kaushal> Please suggest
05:39 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
05:45 -!- pareidolia [~michaelk@178.224.52.205] has joined #openvpn
05:47 < kaushal> checking in again for my query ?
05:57 -!- pareidolia [~michaelk@178.224.52.205] has quit [Read error: Connection reset by peer]
06:00 -!- pareidolia [~michaelk@mak.xs4all.nl] has joined #openvpn
06:05 < krzee> yes you can
06:05 < krzee> but if it is in the server config, it will push to client config, and will override it
06:08 -!- f1assistance [~Carl@cpe-024-211-247-099.nc.res.rr.com] has joined #openvpn
06:10 -!- pareidolia [~michaelk@mak.xs4all.nl] has quit [Ping timeout: 240 seconds]
06:11 -!- kaushal [~kaushal@triband-mum-120.61.21.68.mtnl.net.in] has quit [Read error: Connection reset by peer]
06:11 -!- kaushal [~kaushal@triband-mum-120.61.21.68.mtnl.net.in] has joined #openvpn
06:11 < kaushal> Hi again
06:11 < kaushal> got disconnected
06:11 < kaushal> Any clue to my query ?
06:12 -!- pareidolia [~michaelk@178.224.52.205] has joined #openvpn
06:13 < hyper_ch> kaushal: 
06:13 < hyper_ch> [13:05] <krzee> yes you can
06:13 < hyper_ch> [13:05] <krzee> but if it is in the server config, it will push to client config, and will override it
06:15 -!- qfr [void@unaffiliated/yw] has left #openvpn []
06:16 < kaushal> hyper_ch: ok
06:16 < kaushal> so is there a workaround for it ?
06:17 < hyper_ch> take it out of the server
06:17 < kaushal> I mean if the client gets disconnected is there a way to reconnect
06:17 < kaushal> due to internet drop
06:17 < hyper_ch> sudo /etc/init.d/openvpn restart
06:17 < kaushal> yeah
06:17 < kaushal> thats actually manual
06:17 < hyper_ch> but it auto reconnects here
06:18 < kaushal> auto reconnect ?
06:18 < hyper_ch> kaushal: didn't you read? krzee said you can
06:18 < kaushal> sorry i could not see krzee message
06:18 < kaushal> as i got disconnected
06:19 < hyper_ch> kaushal: I pasted it for you again
06:19 < kaushal> so on the server there is keepalive 10 600
06:20 < kaushal> so what does 10 and 600 mean ?
06:20 < hyper_ch> no clue, have a read through the man pages
06:20 -!- pareidolia [~michaelk@178.224.52.205] has quit [Ping timeout: 276 seconds]
06:21 < kaushal> got it
06:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
06:31 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
06:31 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
06:31 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
06:31 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
06:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
06:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
06:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
06:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
06:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
07:06 -!- aliverius [~george@athedsl-377931.home.otenet.gr] has joined #openvpn
07:07 -!- aliverius_ [~george@athedsl-376162.home.otenet.gr] has quit [Ping timeout: 276 seconds]
07:12 -!- kaushal [~kaushal@triband-mum-120.61.21.68.mtnl.net.in] has quit [Quit: Leaving.]
07:15 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 245 seconds]
07:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
07:42 -!- pareidolia [~michaelk@mak.xs4all.nl] has joined #openvpn
07:43 < pareidolia> dd/quit
07:43 -!- pareidolia [~michaelk@mak.xs4all.nl] has quit [Client Quit]
07:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
07:45 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 272 seconds]
07:54 <@vpnHelper> RSS Update - forum: Server Administration :: Samba and OpenVPN servers on the same machine :: Author Gbillou <https://forums.openvpn.net/viewtopic.php?f=4&t=7270&p=8376#p8376>
07:57 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
08:31 -!- kaushal [~kaushal@triband-mum-120.61.11.104.mtnl.net.in] has joined #openvpn
08:31 < kaushal> Hi Again
08:31 < kaushal> In view of yesterdays discussion
08:31 < kaushal> about /etc/openvpn/openvpn.pass
08:32 < kaushal> The file permission is root:root and 600
08:32 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
08:33 -!- kaushal1 [~kaushal@triband-mum-120.61.14.193.mtnl.net.in] has joined #openvpn
08:33 < kaushal1> and i invoke this file in client.conf as auth-user-pass /etc/openvpn/openvpn.pass
08:34 < kaushal1> so is there a way to encrpyt the file and make it work ?
08:34 < kaushal1> so that even root is not able to see the contents of openvpn.pass file 
08:34 < kaushal1> if accidently someone logs in as root to the box
08:35 -!- kaushal [~kaushal@triband-mum-120.61.11.104.mtnl.net.in] has quit [Disconnected by services]
08:35 -!- kaushal1 is now known as kaushal
08:35 < kaushal> Does that make sense ?
08:44 < kaushal> hi mattock
08:48 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
09:03 -!- kaushal [~kaushal@triband-mum-120.61.14.193.mtnl.net.in] has left #openvpn []
09:04 -!- aliverius_ [~george@athedsl-387189.home.otenet.gr] has joined #openvpn
09:05 -!- aliverius__ [~george@athedsl-376898.home.otenet.gr] has joined #openvpn
09:07 -!- aliverius [~george@athedsl-377931.home.otenet.gr] has quit [Ping timeout: 245 seconds]
09:09 -!- aliverius_ [~george@athedsl-387189.home.otenet.gr] has quit [Ping timeout: 276 seconds]
09:15 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
09:16 -!- nb [~nb@fedora/nb] has quit [Excess Flood]
09:22 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
09:23 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
09:23 -!- nb [~nb@fedora/nb] has joined #openvpn
09:26 -!- aliverius__ [~george@athedsl-376898.home.otenet.gr] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
09:27 -!- aliverius [~george@athedsl-376898.home.otenet.gr] has joined #openvpn
09:45 -!- batrick [~batrick@batbytes.com] has quit [Ping timeout: 250 seconds]
09:51 -!- nijotz [~nick@72.14.181.106] has quit [Ping timeout: 276 seconds]
09:58 -!- batrick [~batrick@batbytes.com] has joined #openvpn
10:14 -!- kaushal [~kaushal@triband-mum-120.61.14.193.mtnl.net.in] has joined #openvpn
10:14 < kaushal> Hi
10:15 < ecrist> hi
10:15 -!- Irssi: No bans in channel #openvpn
10:15 < kaushal> so on the client side i can set ping 10 and ping-restart 60 if there is any sort of Internet Connectivity issue
10:15 < kaushal> on the client config 
10:16 < kaushal> so lets say if i am connected to wired and then switch over to wifi for a meeting 
10:16 < kaushal> will the session stay persistently ?
10:16 < kaushal> meeting in the sense a project related meeting
10:16 < kaushal> ecrist: hi
10:20 < kaushal> Am i asking something irrelevant ?
10:25 -!- f1assistance [~Carl@cpe-024-211-247-099.nc.res.rr.com] has left #openvpn []
10:41 < kaushal> checking in again for my query ?
10:41 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
10:50 -!- Meliorator [m@dunnington.eu] has quit [Ping timeout: 276 seconds]
10:59 -!- me345 [~me345@adsl-75-15-244-75.dsl.bkfd14.sbcglobal.net] has joined #openvpn
11:04 -!- Mugetsu [~angenoir@vps.angenoir.me] has joined #openvpn
11:04 < Mugetsu> hi
11:07 <@vpnHelper> RSS Update - forum: Configuration :: openvpn client maintaining sessions :: Author kaushal <https://forums.openvpn.net/viewtopic.php?f=6&t=7271&p=8377#p8377>
11:13 <@vpnHelper> RSS Update - forum: Configuration :: Re: [server] Inactivity timeout (--ping-restart), restarting :: Reply by ... <https://forums.openvpn.net/viewtopic.php?f=6&t=7181&p=8378#p8378>
11:18 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has joined #openvpn
11:21 -!- kaushal [~kaushal@triband-mum-120.61.14.193.mtnl.net.in] has left #openvpn []
11:25 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
11:27 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
11:31 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
11:47 -!- nijotz [~nick@72.14.181.106] has joined #openvpn
11:50 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Ping timeout: 265 seconds]
11:51 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has joined #openvpn
11:55 -!- Meliorator [m@dunnington.eu] has joined #openvpn
11:55 -!- Meliorator [m@dunnington.eu] has quit [Max SendQ exceeded]
11:56 -!- Meliorator [m@dunnington.eu] has joined #openvpn
11:59 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
12:05 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
12:06 < ecrist> krzee: do you use a BNC of any kind?
12:10 -!- VirusTB_ [~VirusTB@thetouch.xs4all.nl] has joined #openvpn
12:11 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Ping timeout: 276 seconds]
12:11 -!- VirusTB_ is now known as VirusTB
12:17 -!- fas3r [58bede4b@gateway/web/freenode/ip.88.190.222.75] has joined #openvpn
12:17 < fas3r> hello
12:18 < hyper_ch> there's still people not using a bnc?
12:19 < fas3r> i got a problem with openvpn. I have a dedicated server, when i use the server like a proxy i dont have problem when i download a file, i mean i download at 900ko/s for example but if i use openvpn i download max at 300ko ano idea ? (i already made the test-mtu and fix it... any idea :/ )
12:19 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
12:22 < fas3r> no idea :/
12:23 < fas3r> is it possible it's because data are encryted ?
12:24 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Ping timeout: 240 seconds]
12:24 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has joined #openvpn
12:25 < fas3r> nobody ?
12:27 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Client Quit]
12:32 -!- fas3r [58bede4b@gateway/web/freenode/ip.88.190.222.75] has quit [Quit: Page closed]
12:37 -!- luneff [~yury@84.51.198.254] has joined #openvpn
12:41 -!- mountainski [~pegg@209-6-64-252.c3-0.abr-ubr1.sbo-abr.ma.cable.rcn.com] has joined #openvpn
12:41 -!- bandini [~bandini@host193-108-dynamic.41-79-r.retail.telecomitalia.it] has joined #openvpn
12:46 < mountainski> hi everyone
12:46 < mountainski> I am having a lot of trouble trying to figure out why this client is not able to connect   http://pastebin.com/4BiVTEfe
12:46 < mountainski> any help would be apperichated
12:49 < Bushmills> seems it connects
12:50 < Bushmills> and one minute later, because of no activity, it disconnects again
12:51 < mountainski> yaha I can get it to work just fine
12:51 -!- phusion__ [psn@2607:f0d0:2001:8b::50:1337] has quit [Read error: Operation timed out]
12:51 < mountainski> there is a 60 second inactivity timeout set
13:01 -!- luneff [~yury@84.51.198.254] has quit [Quit: Leaving]
13:03 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Ping timeout: 240 seconds]
13:10 < ecrist> hyper_ch: I don't use a bnc
13:12 < ecrist> I use screen + irssi
13:23 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has joined #openvpn
13:33 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
13:34 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
13:35 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
13:38 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Read error: Operation timed out]
13:38 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
13:58 -!- Mugetsu [~angenoir@vps.angenoir.me] has quit [Ping timeout: 240 seconds]
14:06 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Read error: Operation timed out]
14:11 -!- greatwhitehat [~greatwhit@h-164-183.A220.priv.bahnhof.se] has joined #openvpn
14:12 -!- greatwhitehat [~greatwhit@h-164-183.A220.priv.bahnhof.se] has left #openvpn []
14:14 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Quit:  has left the bulding]
14:16 -!- joako [~joako@99.153.162.173] has joined #openvpn
14:16 -!- joako [~joako@99.153.162.173] has quit [Changing host]
14:16 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
14:32 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
14:50 -!- LumberCartel [~LumberCar@24.86.160.252] has joined #openvpn
15:04 -!- LumberCartel [~LumberCar@24.86.160.252] has left #openvpn ["RFCs the easy way -- http://www.openrfc.org/"]
15:51 -!- joako [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
16:00 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
16:07 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
16:17 -!- p3rror [~mezgani@41.140.175.245] has joined #openvpn
16:25 -!- phusion__ [psn@2607:f0d0:2001:8b::50:1337] has joined #openvpn
16:34 -!- joako [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
16:47 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
16:49 -!- hwilde [~hwilde@pool-74-98-224-203.pitbpa.fios.verizon.net] has joined #openvpn
16:51 -!- p3rror [~mezgani@41.140.175.245] has quit [Read error: Connection reset by peer]
16:59 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Quit: Távozom]
16:59 -!- corretico [~corretico@201.201.44.82] has quit [Remote host closed the connection]
17:00 -!- s093294 [~s093294@82.211.214.96] has joined #openvpn
17:00 < s093294> Hello, anyone who can provide or help me create a client conf file for openvpn for a pptp connection. I cant get it working on my own sadly
17:00 < |Mike|> !tell s093294 [howto]
17:01 < s093294> yes, i been using that
17:01 < s093294> and my connection arent working
17:01 < |Mike|> !tell s093294 [logs]
17:02 < s093294> it connects and restarts all over . 2sec will try fix som logs
17:03 < s093294> it just prints out the stuff in terminal, is it stored in som logfile aswell ?
17:09 < krzie> http://thesocietypages.org/socimages/2010/10/17/yale-frat-pledges-chant-no-means-yes-yes-means-anal/
17:09 < krzie> LOL
17:10 -!- mountainski [~pegg@209-6-64-252.c3-0.abr-ubr1.sbo-abr.ma.cable.rcn.com] has quit [Quit: Leaving]
17:12 -!- p3rror [~mezgani@41.140.34.167] has joined #openvpn
17:16 < |Mike|> s093294: if you have configured it, yeah
17:21 < s093294> it is posible to connect to a pptp server with openvpn ?
17:22 < reiffert> no.
17:22 < reiffert> !notovpn
17:22 <@vpnHelper> reiffert: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
17:22 < reiffert> !factoids search pptp
17:22 <@vpnHelper> reiffert: "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to read
17:22 <@vpnHelper> reiffert: about why to not use pptp
17:24 -!- hwilde [~hwilde@pool-74-98-224-203.pitbpa.fios.verizon.net] has quit [Quit: Leaving]
17:24 -!- me345 [~me345@adsl-75-15-244-75.dsl.bkfd14.sbcglobal.net] has quit [Read error: Connection reset by peer]
17:25 < s093294> ye ye, i get it!
17:25 < reiffert> !factoids search --values pptp
17:25 <@vpnHelper> reiffert: 'broadcast-relay', 'notcompat', 'bcast', and 'pptp'
17:25 < reiffert> !notcompat
17:25 <@vpnHelper> reiffert: "notcompat" is (#1) ipsec and pptp are NOT compatibile with openvpn... openvpn is uses SSL, pptp and ipsec both use proprietary protocols, and therefor CAN NOT be compatible, or (#2) openvpn only connects to openvpn
17:26 < s093294> I have to use pptp for my ISP sadly
17:27 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
17:31 -!- s093294 [~s093294@82.211.214.96] has quit [Ping timeout: 276 seconds]
17:31 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
17:32 -!- s093294 [~s093294@82.211.214.96] has joined #openvpn
17:39 -!- s093294 [~s093294@82.211.214.96] has quit [Ping timeout: 276 seconds]
17:58 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
18:31 < Dougy> someone called me
18:34 -!- kisom [~kisom@c-d0dde155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Ping timeout: 264 seconds]
18:35 -!- kisom [~kisom@c-d0dde155.648-1-64736c11.cust.bredbandsbolaget.se] has joined #openvpn
18:53 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
18:55 < krzie> ive gotten a few calls today too
19:02 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 245 seconds]
19:18 -!- JPeterson [HydraIRC@c213-100-62-9.swipnet.se] has quit [Quit:  Want to be different? Try HydraIRC -> http://www.hydrairc.com <-]
19:33 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
19:38 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
20:21 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
20:29 -!- Clete2_ [~Clete2@70.15.66.181.res-cmts.man2.ptd.net] has joined #openvpn
20:32 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Ping timeout: 265 seconds]
20:37 -!- Clete2_ [~Clete2@70.15.66.181.res-cmts.man2.ptd.net] has quit [Ping timeout: 276 seconds]
20:37 <@vpnHelper> RSS Update - forum: Off Topic, Related :: problem with server config. :: Author generalk25 <https://forums.openvpn.net/viewtopic.php?f=1&t=7272&p=8379#p8379>
20:43 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
20:48 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Ping timeout: 250 seconds]
21:18 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
21:18 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
21:18 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
21:25 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 276 seconds]
22:04 -!- aliverius_ [~george@athedsl-378758.home.otenet.gr] has joined #openvpn
22:04 -!- aliverius [~george@athedsl-376898.home.otenet.gr] has quit [Ping timeout: 255 seconds]
22:28 -!- atan [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
22:28 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
22:38 -!- UnterPerro_ [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:38 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Read error: Connection reset by peer]
22:38 -!- UnterPerro_ is now known as UnterPerro
23:37 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 272 seconds]
23:39 -!- th1 [~th@pdpc/supporter/professional/th1] has quit [Ping timeout: 260 seconds]
23:41 -!- js_ [~js@213.180.83.163] has quit [Remote host closed the connection]
23:41 -!- js_ [~js@213.180.83.163] has joined #openvpn
23:48 -!- th1 [~th@cpc1-cmbg15-2-0-cust361.5-4.cable.virginmedia.com] has joined #openvpn
23:55 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
--- Day changed Mon Nov 15 2010
00:02 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Read error: Operation timed out]
00:03 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
00:34 -!- dazo_afk is now known as dazo
01:17 -!- s093294 [~s093294@82.211.214.96] has joined #openvpn
01:22 -!- s093294 [~s093294@82.211.214.96] has quit [Ping timeout: 240 seconds]
01:26 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
01:26 < fahmad> hello
01:27 < hyper_ch> hi
01:34 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
01:42 -!- kaushal [~kaushal@125.22.61.162] has joined #openvpn
01:42 < kaushal> hi
01:43 < kaushal> I am using openvpn as a daemon mode on my laptop trying to connect remote Multiple OpenVPN Servers
01:44 < kaushal> In my office set up, I have Wired as well as Wifi Connections
01:44 < kaushal> I am testing OpenVPN in a daemon mode
01:44 < kaushal> When i switch from Wired to Wifi, Openvpn does not reconnect automatically and vice versa
01:45 < kaushal> Please suggest/guide
01:49 < kaushal> is it due the design of UDP Protocol ?
01:49 < kaushal> I am using a UDP Connection
01:50 < kaushal> UDP is connectionless, stateless and unreliable ?
01:50 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
01:50 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
01:50 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
01:50 < krzee> kaushal, setup a keepalive
01:50 < kaushal> krzee: I did that already
01:51 < krzee> when the connection dies from the keepalive seeing its down, it will reconnect
01:51 < kaushal> keepalive 1 10
01:51 < krzee> takes however long your ping-restart is set to (determined by your keepalive)
01:51 < kaushal> is that a correct value ?
01:51 < krzee> seems rather low
01:51 < kaushal> ok
01:51 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
01:52 < krzee> did you read keepalive in the manual?
01:52 < krzee> !man
01:52 < kaushal> so set keepalive 10 60 ?
01:52 <@vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
01:53  * kaushal re-reading man openvpn
01:53 < kaushal> krzee: read it again
01:54 < kaushal> it says keepalive 10 60
01:54 < krzee> but it also explains what that expands to
01:55 < kaushal> ok
01:55 < krzee> do you can decide for yourself what is best
01:55 < kaushal> krzee: so ideally what would be a good value ?
01:55 < krzee> note, if the server has a keepalive, it is pushed to the client
01:55 < krzee> so it overrides whatever the client wanted
01:55 < krzee> i use 10 60
01:56 < kaushal> ok
01:56 < krzee> but i also didnt come in wondering why mine doesnt reconnect fast enough
01:56 < krzee> maybe try that, maybe lower it a little based on what you read in the man page, and see what works well for you
01:57 < kaushal> krzee: so on the remote openvpn servers its keepalive 10 120
01:58 < kaushal> and on one of the other server it is keepalive 10 600
01:58 < krzee> remote is clients or server
01:58 < krzee> only the server setting matters
01:58 < kaushal> remote is server
01:58 < krzee> then your changes dont matter if server has keepalive
01:59 < kaushal> yeah
01:59 < krzee> its pushed options override yours
01:59 < kaushal> :(
02:00 < kaushal> krzee: any other alternative ?
02:00 -!- W0rmF00d [~wormfood@183.39.103.36] has joined #openvpn
02:00 < kaushal> I sense there is nothing
02:00 < krzee> you sense well
02:00 < krzee> talk to the server admin
02:01 < kaushal> krzee: Thanks 
02:01 < kaushal> much appreciated
02:01 < krzee> np
02:01 < kaushal> Just wanted to get confirmed
02:01 < kaushal> before i speak to the server admin :-)
02:01 < krzee> IF he uses keepalive, it overrides anything you set for that
02:02 < kaushal> so 10 120 and 10 600 means ?
02:02 < krzee> huh?
02:02 < kaushal> krzee: apologies
02:02 < kaushal> i will read the man page
02:03 -!- WormFood [~wormfood@183.38.14.36] has quit [Ping timeout: 264 seconds]
02:05 -!- s093294 [~s093294@82.211.214.96] has joined #openvpn
02:06 < kaushal> keepalive is 10,60 which means: ping every 10s and restart the connection if there is no response within 60s
02:06 < kaushal> Am i understanding it correctly ?
02:07 < krzee> one sec ill pull it up with you
02:07 < kaushal> krzee: ok
02:08 < krzee> For example, --keepalive 10 60 expands as follows: 
02:08 < krzee>  if mode server:
02:08 < krzee>    ping 10
02:08 < krzee>    ping-restart 120
02:08 < krzee>    push "ping 10"
02:08 < krzee>    push "ping-restart 60"
02:08 < krzee>  else
02:08 -!- mode/#openvpn [+b *!~k@*openvpn/community/support/krzee] by vpnHelper
02:08 -!- krzee was kicked from #openvpn by vpnHelper [Repeated flooding! You've repeatedly flooded this channel. Please come back later.]
02:09 -!- W0rmF00d is now known as WormFood
02:10 -!- mode/#openvpn [-b *!~k@*openvpn/community/support/krzee] by vpnHelper
02:10 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
02:10 < kaushal> krzee: hi again
02:10 -!- mode/#openvpn [+o krzee] by vpnHelper
02:10 -!- mode/#openvpn [-o vpnHelper] by krzee
02:10 <@krzee> ok so
02:11 < fahmad> krzee: hey
02:11 <@krzee> you dont need to know about the keepalive, since you dont even control the server
02:11 <@krzee> fahmad, wassup
02:11 < fahmad> krzee: i want to know is there anyway that i can log only plugin output into the log file ?
02:11 < kaushal> krzee: yes
02:11 -!- s093294 [~s093294@82.211.214.96] has quit [Ping timeout: 240 seconds]
02:12 <@krzee> fahmad, why *only*?
02:12 <@krzee> meh guess im not pasting more
02:12 -!- mode/#openvpn [+o vpnHelper] by krzee
02:12 -!- mode/#openvpn [-o krzee] by krzee
02:13 < kaushal> krzee: Thanks a lot
02:13 < kaushal> I really appreciate it
02:13 -!- s093294 [~s093294@82.211.214.96] has joined #openvpn
02:13 < krzee> yw
02:14 < kaushal> Also if i get a chance to talk to server admin, what value is the ideal for keepalive and why do we go with it
02:14 < kaushal> will there be any sort of overheads ?
02:17 -!- s093294 [~s093294@82.211.214.96] has quit [Ping timeout: 240 seconds]
02:18 < fahmad> krzee: because when i use verb 11 i have 100 GB logs :D
02:19 -!- s093294 [~s093294@82.211.214.96] has joined #openvpn
02:19 < krzee> lol there isnt a verb 11
02:19 < krzee> its 0-10
02:19 < krzee> 3 for normal usage, 4 for more, 5 for debugging firewalls
02:20 < krzee> and i dunno *who* needs higher
02:21 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:25 -!- s093294 [~s093294@82.211.214.96] has quit [Ping timeout: 240 seconds]
02:32 -!- s093294 [~s093294@82.211.214.96] has joined #openvpn
02:38 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
02:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
02:38 -!- s093294 [~s093294@82.211.214.96] has quit [Ping timeout: 240 seconds]
02:40 -!- s093294 [~s093294@82.211.214.96] has joined #openvpn
02:45 -!- s093294 [~s093294@82.211.214.96] has quit [Ping timeout: 265 seconds]
02:46 -!- s093294 [~s093294@82.211.214.96] has joined #openvpn
02:50 -!- mode/#openvpn [+o krzee] by vpnHelper
02:50 -!- mode/#openvpn [+b *!*@~s093294@82.211.214.96] by krzee
02:51 -!- mode/#openvpn [-o krzee] by krzee
02:51 < krzee> erm
02:51 -!- mode/#openvpn [+o krzee] by vpnHelper
02:51 -!- mode/#openvpn [-b *!*@~s093294@82.211.214.96] by krzee
02:51 -!- mode/#openvpn [+b *!~s093294@82.211.214.96] by krzee
02:51 <@krzee> heh
02:51 -!- mode/#openvpn [-o krzee] by krzee
03:00 -!- dazo is now known as dazo_afk
03:04 -!- s093294 [~s093294@82.211.214.96] has quit [Ping timeout: 240 seconds]
03:05 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
03:05 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
03:05 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
03:06 -!- twister004 [~chatzilla@117.204.129.229] has joined #openvpn
03:06 < twister004> hi guys...
03:07 < twister004> i have an issue with my penvpn server setup on ubuntu... at a time, only one client is able to connect to the server... please advise how i can rectify this
03:08 -!- venom00ut [~venom00@unaffiliated/venom00] has joined #openvpn
03:10 < venom00ut> hello, I'm using a openvpn (under win32) with redirect-gateway option over a wifi network but when it changes the default gateway (switching periodically between the 2 available) the new gateway overrides the one set by OpenVPN and all my connections to the internet are stopped
03:10 < venom00ut> how can I fix this? do you think it's a bug?
03:13 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 260 seconds]
03:14 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
03:14 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
03:14 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
03:27 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Ping timeout: 264 seconds]
03:28 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined #openvpn
03:29 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
03:32 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 245 seconds]
03:34 < Bushmills> no, it is not a bug. it is because of your configuration
03:35 -!- celerystick009 [~rooms@wireless-128-62-44-182.public.utexas.edu] has joined #openvpn
03:35 < Bushmills> as you say. "the one set by OpenVPN"
03:35 -!- celerystick009 [~rooms@wireless-128-62-44-182.public.utexas.edu] has left #openvpn []
03:36 < venom00ut> Bushmills, I tought it as a bug because OpenVPN could monitor default gateways and keep them under control
03:36 < Bushmills> no, it doesn't monitor them
03:36 < venom00ut> Bushmills, anyway do you have any idea on how to fix this, the only thing coming to my mind is make a periodical check for gateway changes
03:36 < Bushmills> it can set a new default gateway, when configured to do so.
03:37 < venom00ut> but I don't like this solution at all
03:37 < Bushmills> remove the part of your configuration where it sets a new gateway
03:38 < venom00ut> Bushmills, it's not under my control, the network changes periodically gateway (don't know why)
03:39 < venom00ut> I don't know if it's possible to set just a static gateway and leave IP to DHCP
03:39 < Bushmills> i misread your problem. i understood that it was the gateway, as set by openvpn, was the one you didn't want to use
03:39 < venom00ut> (under win32 I mean)
03:39 < Bushmills> instead, it is the gateway which is set by windows dhcp client which you don't want to use
03:40 < venom00ut> Bushmills, yes, exactly, sorry if I expressed myself badly
03:40 < Bushmills> so don't touch the openvpn configuration. instead, touch your windows dhcp configuguration
03:41 < venom00ut> Bushmills, I should set a static gateway, but I don't if it's possible to set just a static gateway but an IP given by DHCP
03:41 < venom00ut> moreover they could change their gateway one day and broke my configuration
03:42 < Bushmills> dhcp clients usually allow to be configured to not request certain data from dhcp server
03:43 < venom00ut> I don't know if it's possible under windows, netsh doesn't seem helpful and the GUI even less
03:44 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
03:44 < Bushmills> i had to speak in general terms because i don't know the windows dhcp client. i'd consider it buggy if it wasn't configurable.
03:45 < Bushmills> or, broken, even
03:45 < Bushmills> ehm, mayby better is:
03:45 < Bushmills> !def1
03:46 <@vpnHelper> Bushmills: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
03:46 -!- master_of_master [~master_of@p57B576AB.dip.t-dialin.net] has quit [Ping timeout: 272 seconds]
03:46 < Bushmills> by adding these two routes, the default gateway doesn't matter anymore
03:47 -!- master_of_master [~master_of@p57B52B51.dip.t-dialin.net] has joined #openvpn
03:48 < venom00ut> mmmh, very, very, VERY, interesting
03:49 -!- twister004_ [~chatzilla@117.204.132.11] has joined #openvpn
03:49 < venom00ut> very smart solution, so I've to put redirect-gateway def1 and...?
03:49 < venom00ut> !man redirect-gateway
03:49 <@vpnHelper> venom00ut: Error: "man" is not a valid command.
03:49 -!- twister004 [~chatzilla@117.204.129.229] has quit [Ping timeout: 240 seconds]
03:49 -!- twister004_ is now known as twister004
03:56 -!- twister004 [~chatzilla@117.204.132.11] has quit [Ping timeout: 272 seconds]
04:11 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
04:11 -!- twister004 [~chatzilla@117.204.128.174] has joined #openvpn
04:22 -!- twister004 [~chatzilla@117.204.128.174] has quit [Ping timeout: 240 seconds]
04:30 -!- twister004 [~chatzilla@117.204.138.221] has joined #openvpn
04:36 -!- twister004_ [~chatzilla@117.204.137.21] has joined #openvpn
04:36 -!- twister004 [~chatzilla@117.204.138.221] has quit [Ping timeout: 240 seconds]
04:36 -!- twister004_ is now known as twister004
04:47 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
04:51 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
04:53 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
04:58 -!- luneff [~yury@84.51.195.188] has joined #openvpn
05:03 -!- CaMason [~camason@office.stasismedia.com] has joined #openvpn
05:12 -!- luneff [~yury@84.51.195.188] has quit [Ping timeout: 245 seconds]
05:13 -!- venom00 [~venom00@173.0.1.214] has joined #openvpn
05:13 -!- venom00 [~venom00@173.0.1.214] has quit [Changing host]
05:13 -!- venom00 [~venom00@unaffiliated/venom00] has joined #openvpn
05:15 -!- venom00ut [~venom00@unaffiliated/venom00] has quit [Ping timeout: 272 seconds]
05:18 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
05:18 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
05:18 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:25 -!- CaMason_ [~camason@office.stasismedia.com] has joined #openvpn
05:26 -!- CraigMason [~camason@office.stasismedia.com] has joined #openvpn
05:29 -!- CaMason_ [~camason@office.stasismedia.com] has quit [Ping timeout: 240 seconds]
05:29 -!- CaMason [~camason@office.stasismedia.com] has quit [Ping timeout: 265 seconds]
05:30 -!- twister004 [~chatzilla@117.204.137.21] has quit [Ping timeout: 240 seconds]
05:31 -!- phusion__ [psn@2607:f0d0:2001:8b::50:1337] has quit [Read error: Operation timed out]
05:31 -!- luneff [~yury@84.51.195.188] has joined #openvpn
05:50 < kaushal> hi again
05:51 < kaushal> just want to understand about setting keepalive 10 60 in server.conf, will it lead to additional overheads on the OpenVPN Server ?
05:51 < kaushal> Please guide
05:51 < kaushal> what would be the ideal values 
05:54 -!- venom00 [~venom00@unaffiliated/venom00] has quit [Ping timeout: 276 seconds]
05:55 < Bushmills> will a ping every 10 seconds bring your machine to its knees?
05:56 < kaushal> Bushmills: not really
05:56 < Bushmills> or, your network?
05:56 < kaushal> not at all
05:56 < Bushmills> that's the overhead you're talking about
05:57 < kaushal> Bushmills: so that values are ideal ?
05:57 < Bushmills> those which are most suited for the environment in which you intend to use them
05:57 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
05:57 < Bushmills> was there one single "ideal" set of values, they'd be hardly configurable
05:58 < kaushal> ah that makes sense
05:58 < kaushal> understood now
05:58 < kaushal> Bushmills: Thanks and much appreciated
06:02 -!- SmokeyD [~SmokeyD@93-125-157-31.dsl.alice.nl] has joined #openvpn
06:03 -!- meero [~meero@78.80.66.30] has quit [Quit: leaving]
06:05 < SmokeyD> hey everyone. What is the best way on my linux machine, which is an openvpn client, to make sure a hostname is being resolved to the openvpn ip of the openvpn server?
06:06 < SmokeyD> I don't want to permanently add it in /etc/hosts since the same openvpn client machine (laptop) can also be used fysically inside the network of the openvpn server, in which case there is a local dns server making sure the hostnames resolve correctly
06:16 < Bushmills> SmokeyD: have two names in /etc/hosts.  use one for the openvpn ip address, the other for its ethernet ip address
06:18 -!- twister004 [~chatzilla@117.204.131.198] has joined #openvpn
06:18 < Bushmills> can be done by name server o
06:18 < Bushmills> too
06:18 < Bushmills> alternatively, have a recursive+authoritative name server on openvpn server (or a dns forwarder which also resolves from hosts or config file), use it when you're connected with openvpn
06:23 -!- twister004_ [~chatzilla@117.204.133.56] has joined #openvpn
06:24 -!- twister004 [~chatzilla@117.204.131.198] has quit [Ping timeout: 276 seconds]
06:24 -!- twister004_ is now known as twister004
06:26 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 260 seconds]
06:27 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
06:46 < SmokeyD> Bushmills, the openvpn subnet is different from the subnet in the office network. So I would need to setup a separate nameserver for the openvpn network. But the openvpn server is already running a dns server for the local office network, so I can't have it run a second nameserver
06:47 < Bushmills> how do you contact that name server when openvpn is down?
06:49 < SmokeyD> Bushmills? I don't. I have one server at the office which is openvpn server, fileserver and dns server for the office network. I connect to it through the internet and openvpn when I am working at home.
06:50 < SmokeyD> I want my laptop when working at home to be able to access that server by using the same hostname as I am using when my laptop fysically connected to the office network
06:52 < SmokeyD> since the openvpn server is also the dns server for the local office network, I can't run a second nameserver on it dedicated to the openvpn subnet righ?
06:55 < Bushmills> if you can't switch ip address the hostname resolves to by choice of name server, you can re-link one or another version of /etc/hosts when openvpn connects or disconnects
07:13 -!- openbsdnoob [~openbsdno@88.79.221.61] has quit [Quit: byebye]
07:14 -!- twister004 [~chatzilla@117.204.133.56] has quit [Ping timeout: 276 seconds]
07:16 -!- openbsdnoob [~openbsdno@88.79.221.61] has joined #openvpn
07:16 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
07:23 < kraut> moin
07:24 < ksk> hello guys
07:25 < ksk> is there a way to set the mac of the tap device during install?
07:25 < ksk> or change it automated (no GUI) after install?
07:28 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
07:32 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
07:34 < ecrist> there's almost always a way to change it
07:34 -!- Coffe [~niszsse@82.99.0.202] has joined #openvpn
07:37 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
07:38 < Coffe> Hi, what should i look after ? when i changed ip on tyhe VPN server, and  now when i client connects , i cant ping the client , or they cant ping anything in the network
07:39 -!- kaushal [~kaushal@125.22.61.162] has quit [Quit: leaving]
07:39 < Bushmills> !firewall
07:39 <@vpnHelper> Bushmills: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
07:40 < Coffe> no firewall . it worked before
07:40 < ksk> ecrist: your answer is not that helpful :>
07:41 < ecrist> ksk: I want to say I'm sorry, but I'm really not.
07:42 < ecrist> ksk: try using google.  one such result which may help is http://www.irongeek.com/i.php?page=security/changemac
07:43 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Remote host closed the connection]
07:44 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
07:46 < ksk> thanks.
07:50 < ksk> my problem is making it work during/after the install of openvpn. sth like "set mac of adapter( where descr=blafoo ) would be needed..
07:51 < SmokeyD> Bushmills, I managed to get two dnsmasq dns servers running on the same machine, one on the openvpn tun0 interface, and one on eth0/lo. Now I need to tell the openvpn client machine (linux) to use the dns server running on the openvpn server as it's primary dns server
07:55 < ecrist> ksk, that's something you'll have to figure out.  NSIS and a batch file might be what you need.
07:59 < SmokeyD> ah, found it. Need resolvconf and up/down scripts to adjust the dns configuration on my linux client machine
08:02 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
08:06 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
08:07 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
08:10 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 240 seconds]
08:13 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
08:14 -!- SmokeyD [~SmokeyD@93-125-157-31.dsl.alice.nl] has quit [Ping timeout: 276 seconds]
08:14 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
08:23 < Coffe> how come ? my VPN server cant ping the ip that a client is connected with  ?
08:33 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
08:33 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 245 seconds]
08:38 -!- hwilde [~hwilde@SUREFIRE.REC.RI.CMU.EDU] has joined #openvpn
08:39 -!- kotique [~kotique@host-static-109-185-140-24.moldtelecom.md] has joined #openvpn
08:40 < kotique> hey, man page for 2.1.2 is missing crl option
08:40 < kotique> and btw, is crl read at startup or every time a client connects?
08:42 < kotique> ouch crl-verify is the option , hehe:)
08:44 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 250 seconds]
08:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
09:04 < hwilde> seen roentgen
09:08 < tuxx_> hwilde: roentgen rays are NOT visible
09:09 < tuxx_> they are high electro magnetic waves (the so called bremsstrahlung) when high energy electrons are shot at a (usually metal) target
09:09 < tuxx_> the reduction of kinetic engery results in a spectrum of radiation with several clearly defined peaks called the K-alpha/beta lines
09:09 < tuxx_> this is what we refer to as roentgen
09:10 < hwilde> wow.
09:10 < hwilde> somebody had their wikipedia this morning
09:10 < tuxx_> hah.. i study physics
09:10 < tuxx_> and i was bored
09:11 < tuxx_> roentgen actually comes from my home town.. there is a large exhibition at our university :D
09:11 < tuxx_> hwilde: theres a movie where roentgen is drinking some contrast liquid
09:11 < tuxx_> and filming himself
09:11 < tuxx_> he exposed himself to several minutes of x-ray radiation :D not knowing of its harmful effects
09:12 < tuxx_> and frankly it was a coincedential discovery i dont think he even had a degree in physics
09:12 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Ping timeout: 272 seconds]
09:13 < tuxx_> but perhaps roentgen will tell you more..
09:13 < tuxx_> good luck finding him.
09:13 -!- tuxx_ [~sometinel@81.95.4.163] has left #openvpn []
09:15 -!- ScriptFanix [~vincent@hanaman.riquer.fr] has joined #openvpn
09:15 -!- EmperorT1m [~EmperorTo@174-30-245-204.mpls.qwest.net] has joined #openvpn
09:19 -!- EmperorTom [~EmperorTo@174-30-245-204.mpls.qwest.net] has quit [Ping timeout: 276 seconds]
09:26 < daemon> hey all I have two networks that work independantly of each other
09:27 < daemon> MSC0 { Maidenhead/10.0.1.1, LIST_OF_CLIENTS 10.0.1.1/24}
09:27 < daemon> CORE { Core/10.0.2.1, LIST_OF_CLIENTS 10.0.2.1/24 }
09:27 < daemon> these networks run samba, and the head servers of both are wins servers
09:27 < daemon> and domain masters
09:28 < daemon> they are however seperate samba domains though MSC0 and DAEMONRAGE
09:28 < daemon> what would be the best way to link them
09:36 -!- zxvff_ is now known as zxvf
09:38 <@vpnHelper> RSS Update - forum: Server Administration :: Re: [SOLVED] VPN SSL portal? :: Reply by greeg <https://forums.openvpn.net/viewtopic.php?f=4&t=7192&p=8380#p8380>
09:51 -!- TuxBrother [d9780cc5@gateway/web/freenode/ip.217.120.12.197] has joined #openvpn
09:51 < TuxBrother> hello
09:51 < TuxBrother> anyone availeble for helping a newbie; that wants to setup a level 2 tunneling via webmin?
09:56  * ecrist looks at channel name
09:56  * ecrist looks at TuxBrother 
09:56  * ecrist looks back at channel name
09:57  * hwilde holds a mirror in front of ecrist 
09:57  * ecrist looks at TuxBrother and blinks.
09:57 < TuxBrother> okay
09:57 < TuxBrother> I want to assign the IP's from my router
09:57 < TuxBrother> so what settings I need?
09:58 < TuxBrother> the module assumes, I need to assign the IP's from the server
09:58 < TuxBrother> teamviewer is maybe hulpfull?
09:58 < ecrist> TuxBrother: we don't support webmin here, sorry.
09:58 < ecrist> I was trying to tell you such in a light-hearted manner, but the point was missed, apparently.
10:02 <@vpnHelper> RSS Update - forum: Server Administration :: How to preserve client’s IP when --duplicate-cn enabled :: Author ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7273&p=8381#p8381>
10:04 < TuxBrother> okay
10:04 < TuxBrother> I do it by hand now
10:04 < TuxBrother> has anyone a example of a ethernet briging config file?
10:05 < TuxBrother> asumming the IP's are assigned from the default gateway?
10:14 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: Bridged Mesh :: Author Mordenkainen <https://forums.openvpn.net/viewtopic.php?f=15&t=7274&p=8382#p8382>
10:15 -!- tehtrk [~tehtrk@66.196.19.210] has joined #openvpn
10:15 < TuxBrother> can someone look @ my config file?
10:15 < TuxBrother> my open vpn fails to start
10:17 < tehtrk> Where can I find a full list of openvpn options that can be pushed? In the documentation, it says "This is a partial list of options which can currently be pushed".
10:18 < tehtrk> I'm looking here: http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html so I don't know what documentation would be more detailed and give the full list
10:18 <@vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net)
10:19 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
10:19 < tehtrk> That's what I quoted
10:19 < tehtrk> unless I'm replying to a bot X-)
10:24 < tehtrk> ah
10:28 < TuxBrother> if I want to assign the IP from a default gateway
10:28 < TuxBrother> can I use a client config dir?
10:30 <@vpnHelper> RSS Update - forum: Tutorials :: Re: OpenVPN Install Guides :: Reply by adi.kwok <https://forums.openvpn.net/viewtopic.php?f=8&t=2&p=8383#p8383>
10:41 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
10:50 -!- Coffe [~niszsse@82.99.0.202] has quit [Quit: Leaving]
11:01 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined #openvpn
11:06 <@vpnHelper> RSS Update - forum: Server Administration :: Bridged Mesh :: Author Mordenkainen <https://forums.openvpn.net/viewtopic.php?f=4&t=7275&p=8384#p8384>
11:09 -!- luneff [~yury@84.51.195.188] has quit [Read error: Connection reset by peer]
11:09 -!- luneff [~yury@84.51.195.188] has joined #openvpn
11:13 -!- bitterman [~yury@84.51.195.188] has joined #openvpn
11:16 -!- luneff [~yury@84.51.195.188] has quit [Ping timeout: 245 seconds]
11:17 -!- DarKnesS_WolF [~sherif@unaffiliated/sherif] has joined #openvpn
11:24 < DarKnesS_WolF> hmm i was reading about tap and tun/ if i have a server and a clent and i want all he traffic from my client go to the server then from the server to the internet , what is more secure and best to use ? tun or tap ?
11:26 < krzee> DarKnesS_WolF, 
11:26 < krzee> !tunortap
11:26 <@vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you over
11:26 <@vpnHelper> krzee: the vpn, or (#4) lan gaming? use tap!
11:29 < DarKnesS_WolF> krzee: thx the tap did work for me, while tun was giving me errors that the packet is bad cuz it has the source of my real ppp0 conection, what do u think is misconfigured ?
11:30 < krzee> dunno, havnt slept
11:30 < krzee> which im gunna do now for about an hour
11:31 < DarKnesS_WolF> krzee: sweet geey dreams
11:31 < DarKnesS_WolF> geeky *
11:34 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 245 seconds]
11:38 -!- kerfe [~a@234.pool85-60-147.dynamic.orange.es] has joined #openvpn
11:38 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
11:38 < DarKnesS_WolF> MULTI: bad source address from client [XXX>XXX>XXX>XX<--where is that the IP i am really connected with private with 3G], packet dropped
11:40 -!- venom00ut [~venom00@unaffiliated/venom00] has joined #openvpn
11:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
11:45 -!- TuxBrother [d9780cc5@gateway/web/freenode/ip.217.120.12.197] has quit [Quit: Page closed]
11:45 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
11:47 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
11:47 -!- TuxBrother [d9780cc5@gateway/web/freenode/ip.217.120.12.197] has joined #openvpn
11:47 < TuxBrother> hello
11:48 < TuxBrother> can someone tell me how to fix this error?
11:49 < TuxBrother> Mon Nov 15 16:43:59 2010 name/X.X.X.X:1108 MULTI: no dynamic or static remote --ifconfig address is available for name/X.X.X.X:1108
11:52 < TuxBrother> the TAP ip of the client is 192.254.112.187
11:52 -!- venom00ut [~venom00@unaffiliated/venom00] has quit [Ping timeout: 265 seconds]
11:53 -!- W0rmF00d [~wormfood@183.38.15.215] has joined #openvpn
11:56 -!- WormFood [~wormfood@183.39.103.36] has quit [Ping timeout: 255 seconds]
12:10 -!- venom00ut [~venom00@net-93-71-20-37.cust.dsl.vodafone.it] has joined #openvpn
12:10 -!- venom00ut [~venom00@net-93-71-20-37.cust.dsl.vodafone.it] has quit [Changing host]
12:10 -!- venom00ut [~venom00@unaffiliated/venom00] has joined #openvpn
12:13 -!- venom00 [~venom00@unaffiliated/venom00] has joined #openvpn
12:15 -!- venom00ut [~venom00@unaffiliated/venom00] has quit [Ping timeout: 265 seconds]
12:26 < TuxBrother> anyone here?!?
12:26 < |Mike|> sometimes.
12:26 < TuxBrother> aah
12:26 < TuxBrother> can I ask it to you?
12:27 < |Mike|> you can ask it in this channel, yes.
12:27 < TuxBrother> mike: here we go again
12:27 < TuxBrother> Mon Nov 15 16:43:59 2010 name/X.X.X.X:1108 MULTI: no dynamic or static remote --ifconfig address is available for name/X.X.X.X:1108
12:27 < TuxBrother> this error is driving me nuts
12:27 < |Mike|> !configs
12:27 <@vpnHelper> |Mike|: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
12:32 < TuxBrother> http://pastebin.com/d0eLcVr9
12:32 < TuxBrother> there you go
12:38 < TuxBrother> |Mike|: anything wrong so far?
12:42 < |Mike|> no dynamic or static remote ^^
12:42 -!- CraigMason [~camason@office.stasismedia.com] has quit [Ping timeout: 265 seconds]
12:44 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
12:46 -!- DarKnesS_WolF [~sherif@unaffiliated/sherif] has left #openvpn []
12:47 < TuxBrother> how do you mean?
12:48 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
12:48 < |Mike|> !howto
12:48 <@vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:57 -!- ScriptFanix [~vincent@hanaman.riquer.fr] has quit [Ping timeout: 245 seconds]
12:59 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
13:01 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined #openvpn
13:01 -!- daemon [~daemon@95.154.246.222] has quit [Quit: ZNC - http://znc.sourceforge.net]
13:04 -!- daemon [~daemon@serial.daemonrage.net] has joined #openvpn
13:08 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 264 seconds]
13:10 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
13:13 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
13:16 -!- bitterman [~yury@84.51.195.188] has quit [Quit: Leaving]
13:18 -!- TuxBrother [d9780cc5@gateway/web/freenode/ip.217.120.12.197] has quit [Quit: Page closed]
13:18 -!- daemon [~daemon@serial.daemonrage.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
13:19 -!- daemon [foobar@serial.daemonrage.net] has joined #openvpn
13:35 <@vpnHelper> RSS Update - forum: Installation Help :: Trouble with mapped drives while connected to VPN in Win 7 :: Author danblee <https://forums.openvpn.net/viewtopic.php?f=5&t=7276&p=8385#p8385>
13:39 -!- daemon [foobar@serial.daemonrage.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
13:40 -!- venom00 [~venom00@unaffiliated/venom00] has quit [Ping timeout: 265 seconds]
13:41 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined #openvpn
13:41 < grendal_prime> hola me friendo's
13:41 < grendal_prime> i got a werid question fo you alls.
13:43 < grendal_prime> I got a strange situation where a box is trying to connect to a server and get a dhcp address .  It goes like so... discover, offer, request-ip *NAK.   NAK being the server not allowing the box to connect to the very ip address it offered the client.
13:44 < grendal_prime> is there anything obviouse i need to look for on that...(and yes we do not have a dup mac address in this case.)
13:46 -!- daemon [~daemon@serial.daemonrage.net] has joined #openvpn
13:46 <@vpnHelper> RSS Update - forum: Installation Help :: Error driving me nuts :: Author TuxBrother <https://forums.openvpn.net/viewtopic.php?f=5&t=7277&p=8386#p8386>
13:46 -!- venom00ut [~venom00@unaffiliated/venom00] has joined #openvpn
13:47 -!- daemon [~daemon@serial.daemonrage.net] has quit [Client Quit]
13:48 -!- daemon [foobar@serial.daemonrage.net] has joined #openvpn
13:48 -!- daemon [foobar@serial.daemonrage.net] has quit [Client Quit]
13:49 -!- daemon [foobar@serial.daemonrage.net] has joined #openvpn
13:58 -!- hwilde [~hwilde@SUREFIRE.REC.RI.CMU.EDU] has quit [Ping timeout: 255 seconds]
14:00 -!- s7r [~s7r@188.26.130.126] has joined #openvpn
14:01 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Ping timeout: 255 seconds]
14:03 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
14:03 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
14:03 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
14:04 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
14:04 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
14:04 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
14:14 -!- luneff [~yury@84.51.198.114] has joined #openvpn
14:19 -!- s7r [~s7r@188.26.130.126] has quit [Ping timeout: 240 seconds]
14:25 -!- s7r [~s7r@188.27.110.167] has joined #openvpn
14:26 -!- s7r [~s7r@188.27.110.167] has quit [Client Quit]
14:29 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:33 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has quit [Read error: Connection reset by peer]
14:33 -!- raidz [~Andrew@seance.openvpn.org] has joined #openvpn
14:33 -!- raidz [~Andrew@seance.openvpn.org] has quit [Changing host]
14:33 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has joined #openvpn
14:33 -!- mode/#openvpn [+o raidz] by ChanServ
14:40 < reiffert> MD5 mismatch for dl/openvpn-2.1.4.tar.gz: 96a11868082685802489254f03ff3bde 112b9ed56516e2aac302bec97732b0c0
14:40 < reiffert> did we change openvpn-2.1.4.tar.gz after we were releasing it?
14:40 < reiffert> I can remember this has happened before at least once... 
14:40 < reiffert> it sucks.
14:41  * ecrist pokes the right people.
14:42 -!- hwilde [~hwilde@SUREFIRE.REC.RI.CMU.EDU] has joined #openvpn
14:42 < hwilde> !seen roentgen
14:42 <@vpnHelper> hwilde: roentgen was last seen in #openvpn 3 days, 2 hours, 56 minutes, and 56 seconds ago: <roentgen> I guess this settles it: tun without c2c but with iptables forwarding is just too beatyfull
14:42 < hwilde> 3 days?  I talked to him last night
14:42 < hwilde> *or her, for all you pc bastards
14:43 < reiffert> ecrist: so we did, right?
14:43 -!- onionz [~joemommas@76.7.49.170] has quit [Ping timeout: 265 seconds]
14:43 < ecrist> reiffert: afaik, no
14:43 < ecrist> if we did, someone needs to be spanked.
14:43 < ecrist> hwilde: you did not talk to roentgen last night.
14:43 < hwilde> !howto
14:43 <@vpnHelper> hwilde: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:43 < hwilde> ecrist, I absolutely did, at 1am his time, about 5:30 my time
14:44 < reiffert> ecrist: and the md5sum is supposed to be 96a11868082685802489254f03ff3bde or 112b9ed56516e2aac302bec97732b0c0?
14:44 < ecrist> hwilde: not in this channel
14:45 < hwilde> are you logging our pms too?
14:46 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
14:46 < ecrist> reiffert: I'm showing the MD5 sum from current copy is 96a11868082685802489254f03ff3bde
14:46 < ecrist> and:
14:46 < ecrist> SHA256 (openvpn-2.1.4.tar.gz) = 67fe78e5def82d44d2ad4ef6fc6d87901195849d10b6b3cab81fa03257f52af5
14:46 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
14:46 < ecrist> hwilde: no
14:47 < ecrist> but, vpnHelper last saw him talk in this channel 3 days ago.
14:47 < reiffert> ecrist: oh, my fault. sorry.
14:47 < reiffert> --2010-11-15 21:46:55--  http://openvpn.net/release/openvpn-2.1.4.tar.gz
14:47 <@vpnHelper> Title: Error 404: File not Found (at openvpn.net)
14:47 < reiffert> Location: http://www.openvpn.net/index.php/index.php/404-page-not-found.html [following]
14:47 <@vpnHelper> Title: Error 404: File not Found (at www.openvpn.net)
14:48 < RealFlub> got problems with my routing..
14:48 < RealFlub> i dont understand why it doesnt work
14:51 < reiffert> ecrist: fixed it at on the distribution side.
14:54 < RealFlub> i cant ping my dns or whatever
14:58 -!- picachu [~kotique@bluemile.vps.deepunix.net] has joined #openvpn
15:00 -!- luneff [~yury@84.51.198.114] has quit [Quit: Leaving]
15:01 -!- kotique [~kotique@host-static-109-185-140-24.moldtelecom.md] has quit [Ping timeout: 276 seconds]
15:02 -!- hwilde [~hwilde@SUREFIRE.REC.RI.CMU.EDU] has quit [Quit: Leaving]
15:30 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has left #openvpn []
15:35 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined #openvpn
15:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
15:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
15:49 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
15:50 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
15:52 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 250 seconds]
15:54 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
15:59 -!- FastPutty [~fastputty@dsl-173-248-212-118.acanac.net] has joined #openvpn
16:00 < FastPutty> hello, i have create a bridge on openvpn, everything works fine. but i cannot ping any local clients or server except my gateway
16:00 < FastPutty> and the openvpn server
16:00 < FastPutty> local is 192.168.1.0/24 and my openvpn client is 192.168.1.220
16:00 < FastPutty> i can ping 192.168.1.1 = gateway and 192.168.1.2 = openvpn server
16:01 < FastPutty> but i cannot ping 192.168.1.5 (printer)
16:01 < hyper_ch> are you mixing the network?
16:01 < FastPutty> yes
16:01 < hyper_ch> why?
16:02 < FastPutty> hmmm i dont wanna create another mask for nothing ;/
16:02 < FastPutty> since it only used by me
16:02 < FastPutty> it will only use by me*
16:03 < FastPutty> ideaÉ
16:03 < FastPutty> not a good idea?
16:03 < hyper_ch> I tend to think it's better to keep seperate networks apart
16:05 < hyper_ch> but then, I'm not really good at networking
16:05 < hyper_ch> I'm happy to be able to connect to all clients in the vpn :)
16:06 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
16:06 < FastPutty> maybe someone heer could help me out with that? :S
16:08 < hyper_ch> what do you try to do?
16:09 < hyper_ch> !bridge
16:09 <@vpnHelper> hyper_ch: "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc, or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ, or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man)
16:11 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Quit: Ex-Chat]
16:11 <@vpnHelper> RSS Update - forum: Off Topic, Related :: Re: problem with server config. :: Reply by simon <https://forums.openvpn.net/viewtopic.php?f=1&t=7272&p=8388#p8388>
16:13 < FastPutty> hyper_ch: nothing just try to connect to my home and having an internal ip with all the rest of my clients/servers
16:14 < FastPutty> so my openvpn client is 192.168.1.220
16:15 < FastPutty> and my network lan is 192.168.1.0/24
16:17 <@vpnHelper> RSS Update - forum: Off Topic, Related :: Re: route command path :: Reply by simon <https://forums.openvpn.net/viewtopic.php?f=1&t=7269&p=8389#p8389>
16:36 -!- hwilde [~hwilde@pool-74-98-224-203.pitbpa.fios.verizon.net] has joined #openvpn
16:53 <@vpnHelper> RSS Update - forum: Configuration :: Multiple Tunnels on the same server :: Author gcc_computo <https://forums.openvpn.net/viewtopic.php?f=6&t=7278&p=8390#p8390>
16:57 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 240 seconds]
16:57 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:01 < hwilde> why can't I see openvpn server listening on port 1194 in netstat ?
17:02 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 265 seconds]
17:04 -!- picachu [~kotique@bluemile.vps.deepunix.net] has quit [Quit: жопа диридай диридиридай]
17:12 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
17:15 -!- p3rror [~mezgani@41.140.34.167] has quit [Ping timeout: 240 seconds]
17:22 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
17:23 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
17:24 -!- venom00ut [~venom00@unaffiliated/venom00] has quit [Ping timeout: 265 seconds]
17:29 -!- venom00ut [~venom00@net-93-71-20-37.cust.dsl.vodafone.it] has joined #openvpn
17:29 -!- venom00ut [~venom00@net-93-71-20-37.cust.dsl.vodafone.it] has quit [Changing host]
17:29 -!- venom00ut [~venom00@unaffiliated/venom00] has joined #openvpn
17:30 -!- p3rror [~mezgani@41.140.30.34] has joined #openvpn
17:33 -!- tehtrk [~tehtrk@66.196.19.210] has quit [Ping timeout: 245 seconds]
17:36 -!- krzee [~k@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
17:43 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 255 seconds]
17:45 -!- venom00ut [~venom00@unaffiliated/venom00] has quit [Ping timeout: 260 seconds]
17:48 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
18:05 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
18:13 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has joined #openvpn
18:17 < ecrist> hwilde: because it's not running?
18:23 < ecrist> Boats and Hos
18:27 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
18:29 -!- FastPutty [~fastputty@dsl-173-248-212-118.acanac.net] has quit []
18:32 < Bushmills> because you look at netstat  tcp while your server is using udp
18:39 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
18:58 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
18:58 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
18:58 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
19:00 -!- kerfe [~a@234.pool85-60-147.dynamic.orange.es] has quit [Quit: • IRcap • 8.6 •]
19:09 < krzie> because you touch yourself
19:12 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
19:14 -!- LumberCartel [~LumberCar@24.86.160.252] has joined #openvpn
19:15 < LumberCartel> Hello folks.  Is it possible to push a custom variable to the OpenVPN server from the client's configuration?  Thanks in advance.
19:26 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has joined #openvpn
19:31 < krzie> absolutely not
19:31 < krzie> and im pretty sure it never will be
19:31 < jpalmer> depending on the "variable"  it may be one that openvpn itself supports.  what is your goal?
19:32 < krzie> jpalmer, either way, the client cant push ANYTHING to the server
19:33 < LumberCartel> jpalmer:  Well, I have a set of machines that are all using the same certs, and I need a way to differentiate them because when they connect they don't always get the same IP addresses from OpenVPN's DHCP server.
19:33 < jpalmer> honestly, the best way to differentiate,  is by using unique keys.
19:33 < LumberCartel> Is there an OpenVPN tool that can provide a little bit more information about the computer connecting through the VPN?
19:34 < jpalmer> have each one use a unique common name,  and the openvpn server can extract that, and hand it off to any custom scripts you write.
19:34 < krzie> you could also use password auth
19:34 < krzie> then use the username as the common-name
19:35 < jpalmer> ahh,  that'd work too, if you don't mind interactive password auth.
19:35 < LumberCartel> Can the password be blank in that case?
19:35 < LumberCartel> Oh, so the passwords are only ever interactive?
19:40 < LumberCartel> You know, one thing I could do is use the COMPUTERNAME environment variable (on Windows clients) as a base filename for output to the server with the information I need (e.g., the IP address) with a script that is called when OpenVPN connects.
19:40 < LumberCartel> Now, I recall that it's possible to set up such scripts, but I've never done this before.
19:41 -!- newmember [~chatzilla@static-66-11-81-77.ptr.terago.net] has quit [Ping timeout: 276 seconds]
19:48  * LumberCartel is looking into the --client-connect option.
19:51 < LumberCartel> What would be great is to have a way of passing the computer name to the server somehow, or at least combining it with the cn.  =(
19:56 < LumberCartel> Does the node address (the MAC address) remain consistent when an OpenVPN client gets connected?
19:56 < LumberCartel> Or does this change with each session?
20:01 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Quit:  has left the bulding]
20:04 < LumberCartel> It appears that the physical address does not change, but I want to be sure that this is what's intended.
20:04 < LumberCartel> If it is, then I can use the node address to differentiate between machines.
20:19 -!- W0rmF00d is now known as WormFood
20:50 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined #openvpn
20:57 < krzie> LumberCartel, either use password auth in addition, or make different certs for each client
20:57 < krzie> the end!
20:57 < LumberCartel> Yeah, that's what it's looking like.
20:58 < LumberCartel> I'm going to be busy generating nearly 50 certs now, and updating that many machines.  Sigh.  I was hoping to avoid that.
20:58 < krzie> automate it
20:58 < LumberCartel> On Windows?  Yeah, right.
20:58 < krzie> openssl is openssl, takes the same args on windows as linux
20:58 < LumberCartel> Creating the certs isn't so difficult, rather it's the manual configuration of Windows that's a royal pain in the backside.
20:59 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Remote host closed the connection]
21:02 < krzie> manual config?
21:02 < LumberCartel> Windows is always a manual configuration.  Each computer is different, regardless of how they start out.  =(
21:03 < krzie> just package it in a zip with a bat file that moves *.crt to the right dir, and pass it out
21:03 < LumberCartel> Automation never works reliably on Windows.
21:03 < krzie> openvpn will be in 1 of 2 dirs, based on if its a 64bit install or not
21:03 < LumberCartel> Yup.
21:03 < LumberCartel> I know that.
21:03 < krzie> so it really is that easy
21:04 < LumberCartel> The only time I've seen automation actually work well is with Novell's Z.E.N.works, but that's not used here.
21:04 < LumberCartel> Yeah, it's easy, but there are problems with getting users to simply double-click on a file to make things work.
21:04 < LumberCartel> There are also logistical problems with getting staff to make their computers available -- they're always too busy.  It's a royal pain.
21:04 < LumberCartel> It'll happen, but it's not going to be fast and it will be tedious.
21:53 < krzie> do you control their machines via active directory?
21:53 < krzie> you could actually force it all to happen upon them logging in
21:54 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:09 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
22:12 -!- twister004 [~chatzilla@59.90.34.167] has joined #openvpn
22:20 < LumberCartel> No, we don't use Active Domains.  That thing is a bloody nightmare.
22:21 < LumberCartel> It fails at automation too.
22:28 -!- grendal_prime [~sgraham@c-67-187-145-117.hsd1.ca.comcast.net] has joined #openvpn
22:28 < grendal_prime> hey guys
22:32 < grendal_prime> anyone had problems with windows 7 clients and dhcp going apeshit?
22:34 -!- grendal_prime [~sgraham@c-67-187-145-117.hsd1.ca.comcast.net] has quit [Quit: Ex-Chat]
23:04 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:07 < LumberCartel> What are the symptoms you're noticing with DHCP in Windows 7?
23:07 < LumberCartel> Oh, he left.  =(
23:09 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
23:11 -!- p3rror [~mezgani@41.140.30.34] has quit [Ping timeout: 240 seconds]
23:13 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 265 seconds]
23:20 -!- atan [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
23:20 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
23:21 -!- krzie [~k@openvpn/community/support/krzee] has quit [Quit: Leaving]
23:22 -!- twister004 [~chatzilla@59.90.34.167] has quit [Ping timeout: 240 seconds]
23:22 -!- patelx [~patel@openvpn/corp/admin/patel] has quit [Ping timeout: 276 seconds]
23:23 -!- twister004 [~chatzilla@59.90.34.167] has joined #openvpn
23:25 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has quit [Ping timeout: 264 seconds]
23:26 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn
23:26 -!- patelx [~patel@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined #openvpn
23:30 -!- twister004_ [~chatzilla@117.204.136.244] has joined #openvpn
23:32 -!- twister004 [~chatzilla@59.90.34.167] has quit [Ping timeout: 272 seconds]
23:32 -!- twister004_ is now known as twister004
23:37 -!- Kevin` [~kevin@router.kwzs.be] has joined #openvpn
23:40 -!- twister004_ [~chatzilla@59.90.34.167] has joined #openvpn
23:42 -!- twister004 [~chatzilla@117.204.136.244] has quit [Ping timeout: 260 seconds]
23:42 -!- twister004_ is now known as twister004
23:43 -!- phusion__ [psn@2607:f0d0:2001:8b::50:1337] has joined #openvpn
23:45 -!- batrick [~batrick@batbytes.com] has quit [Ping timeout: 276 seconds]
23:46 -!- tessier [~treed@kernel-panic/copilotco] has quit [Ping timeout: 272 seconds]
23:46 -!- batrick [~batrick@batbytes.com] has joined #openvpn
23:46 -!- tessier [~treed@mail.copilotco.com] has joined #openvpn
23:46 -!- fbh [fbh@unaffiliated/fbh] has quit [Ping timeout: 272 seconds]
23:50 -!- fbh [fbh@lucifer.frands.net] has joined #openvpn
23:53 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
23:54 -!- humanMeat [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
23:54 < humanMeat> so i hear i can use this "redirect-gateway" option to basically pretend i'm behind a different gateway.
23:55 < humanMeat> how does this work?  I also hear something about dynamic IPS provided by your ISP breaking this functionality
23:57 -!- krzee [~k@openvpn/community/support/krzee] has quit [Client Quit]
23:57 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has quit [Read error: Connection reset by peer]
23:58 < LumberCartel> Hello humanMeat.
23:58 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn
23:59 < Kevin`> humanMeat: it's actual method of operation is pretty simple, it adds a route for the vpn server itself over your internet connection, then adds an overriding default route (two /1's I think, just because it's easier then removing the existing one) over the vpn interface
23:59 < LumberCartel> Some VPNs redirect the default gateway by default (such as Microsoft's various VPN products, some of which ignore all attempts to disable this behaviour).  It can definitely be useful for redirecting all traffic through your VPN, but you may want to turn on NAT or something on your server if you plan to do web browsing this way.
--- Day changed Tue Nov 16 2010
00:01 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
00:01 < dogarrhea1> sorry about that lumbercartel
00:01 < LumberCartel> Hello dogarrhea1.
00:01 < dogarrhea1> that was me asking about redirect-gateway
00:01 < LumberCartel> Oh, did you miss the last two comments from Kevin` and me?
00:01 < dogarrhea1> yesh
00:01 -!- humanMeat [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Ping timeout: 240 seconds]
00:01 < LumberCartel> Good.
00:01 < dogarrhea1> hrm? how is that good
00:02 < LumberCartel> Whoops, I misread that as "not miss."
00:02 < LumberCartel> [21:59:31] <Kevin`> humanMeat: it's actual method of operation is pretty simple, it adds a route for the vpn server itself over your internet connection, then adds an overriding default route (two /1's I think, just because it's easier then removing the existing one) over the vpn interface
00:02 < LumberCartel> 21:59:50] <LumberCartel> Some VPNs redirect the default gateway by default (such as Microsoft's various VPN products, some of which ignore all attempts to disable this behaviour).  It can definitely be useful for redirecting all traffic through your VPN, but you may want to turn on NAT or something on your server if you plan to do web browsing this way.
00:02  * LumberCartel shakes his fist at Windows 7's buggy cut-and-paste feature that misses the first character once in a blue moon.
00:03 < dogarrhea1> double clikc. trible click.
00:03 < dogarrhea1> triple
00:03 < dogarrhea1> the process of configuring this to work is simple or hard?
00:03 < LumberCartel> Depends on which software you're using.  I use the keyboard mostly with what I do anyway.
00:03 < dogarrhea1> uncomment the redirect-gateway line?
00:03 < LumberCartel> Is your VPN working properly?
00:03 < Kevin`> microsoft's vpn products do it because they have no way of specifying routes. how else would you access a network behind the vpn besides redirecting all traffic, says the person too deep in windows
00:04  * LumberCartel laughs.
00:04 < dogarrhea1> last you had me ping some ip and it didn't drop anything
00:04 < dogarrhea1> the ip local to the server
00:04 < dogarrhea1> that isn't on my client
00:05 < dogarrhea1> so i would say it's working in joining the two networks heh
00:05 < Kevin`> openvpn involves networking, pki, and configuration files that need to be modified. overall not one of the easier things to make work, but the guide is actually very good
00:05 < LumberCartel> Well, if you can ping 10.8.0.1 from your OpenVPN client with a 10.8.something.something address, and your network adapter is indicated as "plugged in," then your VPN is working.
00:05 < Kevin`> I mean, it's certainly easier than say, ipsec
00:06 < LumberCartel> Okay, then as far as setting up NAT is concerned that's more of a server-side thing.  There are multiple ways to do this, my preference is to use "pf" which is definitely available in the Unix (I'm using NetBSD) world.
00:07 < Kevin`> if you are on linux it's a single command for the built-in firewall (plus enabling routing at all), don't go trying to install pf to issue it ;)
00:07 < LumberCartel> Kevin`:  That's good advice -- using what's already there.
00:08 < dogarrhea1> hrm. man pf manual does not exist
00:08 < dogarrhea1> i have ufw or whatever it was
00:08 < dogarrhea1> if that does anything... i also saw some iptables stuff while trolling the itnernet
00:08 < LumberCartel> Well, you'll need to figure out what's on your platform.
00:09 < LumberCartel> Which OS are you using?
00:09 < Kevin`> LumberCartel: especially as "pf on linux" would lead him into a rather dangerous area :)
00:09 < dogarrhea1> ubuntu
00:09 < LumberCartel> Kevin`:  Oh yeah?  Does it not compile into the kernel very well?
00:09 < LumberCartel> Do you know which firewall is installed by default with Ubuntu?
00:10 < Kevin`> LumberCartel: it basically doesn't exist, aside from some porting attempts now and again
00:10 < LumberCartel> Usually NAT is a part of the firewall.
00:10 < Kevin`> netfilter/iptables would be available by default
00:10 < LumberCartel> Kevin`:  Ooooh, more than dangerous I'd say.  =)
00:10 < Kevin`> ubuntu also may have a GUI for the firewall
00:10 < Kevin`> but I haven't personally used that
00:10 < dogarrhea1> i'm sshing so no gui
00:10 < LumberCartel> IPTables supports NAT, doesn't it?
00:10 < Kevin`> yeah
00:11 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
00:11 < LumberCartel> dogarrhea1:  Since you don't seem to be familiar with NAT, you'd better ask some folks in #ubuntu for some help with setting it up.  If it's a remote box, setting up NAT can be problematic if you get something wrong and lose your ability to re-connect (rare, but not impossible).
00:12 < Kevin`> you can basically do everything i've ever seen done with iptables and iproute2 combined
00:12 < LumberCartel> NAT also seems counter-intuitive to users who are new to it, so pay very close attention to what's going on with packets and whatnot.
00:12 < dogarrhea1> heh http://ubuntuforums.org/showthread.php?t=713874  <------ instructions seem long and confusing
00:12 <@vpnHelper> Title: HOWTO: Internet sharing with Ubuntu (NAT Gateway) - Ubuntu Forums (at ubuntuforums.org)
00:12 < Kevin`> which also means it's probably about as easy for a newbie as pf without a manual
00:12 < krzee> !linnat
00:12 <@vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
00:13 < krzee> thats for
00:13 < krzee> !redirect
00:13 <@vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
00:13 < LumberCartel> dogarrhea1:  Take your time to understand that NAT stuff.
00:13 < LumberCartel> dogarrhea1:  If you get it right the first time, then you'll be way ahead of the game.
00:13 < krzee> the doc at #3 is good
00:14 < krzee> (netfilter)
00:15 < dogarrhea1> i guess u won't be hearing from me for a while.. while i try to understand this mystical "NAT". be back in 10 minutes. just kidding
00:16 < Kevin`> btw, good general document to have around: http://jengelh.medozas.de/images/nf-packet-flow.png
00:16 < LumberCartel> No problem.  I'm glad you're taking the time to get it right the first time.
00:16 < Kevin`> (as reference, don't look at that as tutorial material or you'll go batty)
00:17 < LumberCartel> Do ask questions on #ubuntu after you've done some reading if something isn't clear.  There are lots of helpful folks there who deal with this stuff regularly.
00:18 < LumberCartel> Kevin`:  Nice chart.
00:20 < dogarrhea1> hrm. from chapter 3 to 4 there is a huge discontinuity. chapter 3 says something about SNAT and post routing theory.  Chapter 4 begins: Sorry to those of you still shell-shocked from the 2.0 (ipfwadm) to 2.2 (ipchains) transition. There's good and bad news.
00:21 < krzee> this is #openvpn
00:21 < krzee> there are a few other channels that will be better for help with the linux firewall
00:22 < Kevin`> dogarrhea1: fortunately you've never (and probably never will) used ipfwadm or ipchains so neither matter. statement possibly out of context.
00:23 -!- LeRrA [~lerra@c-d09872d5.029-136-73746f3.cust.bredbandsbolaget.se] has quit [Ping timeout: 272 seconds]
00:23 < dogarrhea1> oh copyright 2000
00:23 < dogarrhea1> i wonder why it's recommended reading if it's um... expired.
00:23 < Kevin`> the chapter is titled for transistion from 2.0 and 2.2 kernels. i'm not lucky enough to have ever even touched those
00:23 < LumberCartel> dogarrhea1:  A copyright date has nothing to do with a document's expiry date (assuming it even has one).
00:24 < Kevin`> information from 2.4 will be pretty much current unless you need to do crazy fancy things
00:24 < Kevin`> and you don't.
00:24 < dogarrhea1> now i'm confused.. it's out of context
00:24 < dogarrhea1> but.. current
00:24 < Kevin`> (linux has been at 2.6.x for many years now)
00:26 < Kevin`> well, 2.6.x.y.z-w
00:26 -!- LeRrA [~lerra@c-d09872d5.029-136-73746f3.cust.bredbandsbolaget.se] has joined #openvpn
00:26 < Kevin`> erm, no .x
00:27 < Kevin`> erm, no .z *
00:27 < Kevin`> now i'm all confused, also none of this is important
00:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
00:33 < dogarrhea1> haha ok http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094831.shtml is more my speed. i'll worry about the nasty details of implementation/linux commands later
00:33 <@vpnHelper> Title: How NAT Works - Cisco Systems (at www.cisco.com)
00:39 < LumberCartel> dogarrhea1:  That looks like a pretty good overview.  Typically NAT is used in businesses to share an internet connection among many computers on the internal network (usually with private IPs somewhere in 10/8 and/or 192.168/16) and one or two [that may be load balanced or fail-over-ready] public IPs.
00:40 -!- kaushal [~kaushal@125.22.61.162] has joined #openvpn
00:40 < kaushal> hi
00:40 < LumberCartel> Hello kaushal.
00:40 < kaushal> LumberCartel: hi
00:41 < kaushal> I have two types of Internet Connection Wired and Wifi
00:41 < kaushal> I have noticed one peculiar thing
00:41 < LumberCartel> dogarrhea1:  Once you have NAT working, computers on your internal network (which include OpenVPN clients with the default gateway redirected to the server) will be able to browse the internet.
00:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
00:41 < Kevin`> dogarrhea1: do be careful about cisco-specific naming conventions in documents like that, but as an overview of the technology it's probably quite good
00:41 < kaushal> when i unplug and plug it back, the openvpn running as daemon mode works perfectly fine after automatically reconnecting
00:42 < Kevin`> dogarrhea1: also, while you should be aware of how it works, the firewall system basically does all the magic for you automatically
00:42 < LumberCartel> That's good, kaushal.  =)
00:42 < kaushal> so unplug and plug wired and wifi works fine
00:42 < LumberCartel> Seems reasonable.
00:42 < kaushal> the issue is when i switch from wired to wifi the connection breaks
00:43 < kaushal> so i need to restart the openvpn daemon by hand and it works fine further
00:43 < LumberCartel> Does it not try to re-connect again?
00:43 < kaushal> nope
00:43 < LumberCartel> OpenVPN, that is.
00:43 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Ping timeout: 240 seconds]
00:43 < kaushal> so both wifi and wired IPs are different for my laptop
00:44 < LumberCartel> What do you see in your log files when this happens?  And does Windows indicate that the wired connection is down at this time?
00:44 < LumberCartel> They should have different IPs.
00:44 < kaushal> LumberCartel: I am on Ubuntu Linux 10.04
00:44 < LumberCartel> ...so that's good.
00:44 < kaushal> LumberCartel: ok
00:44 < LumberCartel> Whoops, sorry.
00:44 < kaushal> I am using openvpn as a daemon mode on my Linux desktop
00:45 < LumberCartel> Okay, then does "ifconfig -a" show that your wired connection is down?
00:45 < kaushal> LumberCartel: good catch 
00:45 < kaushal> I need to check the logs
00:45 < kaushal> which i havent done
00:45 < LumberCartel> Also, are you using OpenVPN with UDP or TCP?
00:45 < kaushal> UDP
00:45 < kaushal> since its default behaviour is connection less ?
00:46 < kaushal> does that hurt
00:46 < LumberCartel> UDP has some problems with re-connecting in these types of scenarios.  I've seen it before, and switching to TCP mode has always resolved it for me.
00:46 < kaushal> ok
00:46 < LumberCartel> UDP is connectionless by design.  There's no default option to change that.
00:46 < kaushal> LumberCartel: ok
00:46 < kaushal> LumberCartel: if i set keepalive 10 60 ?
00:46 -!- septiq [~septiq@93.19.114.177] has joined #openvpn
00:46 < LumberCartel> You see, the problem with UDP is that it's difficult to detect a disconnection, but with TCP it's known immediately.
00:46 < kaushal> on the Openvpn server
00:46 < LumberCartel> ...or almost immediately.
00:47 < kaushal> will that help ?
00:47 < LumberCartel> You need to change to UDP mode on both client and server.  The "proto" option is key here.
00:47 < LumberCartel> But...
00:47 < LumberCartel> Are you the only OpenVPN client at this point?
00:47 < kaushal> nope
00:47 < kaushal> there are 100 users
00:47 < Kevin`> keep using udp if you can, tcp can have some interesting problems when used for an ip-level or lower vpn link
00:48 < LumberCartel> If not, then you'll need to change all clients, or run a separate instance of OpenVPN that listens on TCP (same port will be fine since UDP 1194 doesn't conflict with TCP 1194).
00:48 < kaushal> yes
00:48 < kaushal> what about keepalive 10 60 ?
00:48 < LumberCartel> It does help, but I find that it's not as effective.
00:49 < LumberCartel> And "10 60" is just one example of settings you can use.  You can customize these to suit your needs.
00:49 < septiq> Hello, is it possible to "deport" several eth0:X interfaces with public ips on host A to host B using a unique OpenVPN link ? 
00:49 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
00:50 < kaushal> LumberCartel: ok
00:50 < Kevin`> kaushal: btw, it's possible for tcp connections to survive unlugging and replugging too (by default this will work on linux, but windows will kill them intentionally. can be changed). eg, you can keep ssh or irc open after switching out your router for a new wireless one
00:50 < LumberCartel> septiq:  What do you mean by "deport?"
00:50 < septiq> so that incoming traffic on host A will be tunnelled to respective interfaces on host B
00:50 < LumberCartel> kaushal:  When you switch to TCP, you might as well just comment out that keepalive setting since it won't be needed.
00:51 < kaushal> LumberCartel: so i would try out the keepalive 10 60 option
00:51 < kaushal> and see if it works for me in my environment
00:51 < kaushal> using UDP 
00:51 < septiq> LumberCartel: i want to use several host A public ips on respective host B interfaces
00:51 < Kevin`> kaushal: what's your actual problem btw? I didn't see a problem, although I could easily imagine one from the lack of that statement
00:52 < LumberCartel> kaushal:  Yeah, if it resolves your problem then that would be great.
00:52 < kaushal> Kevin`: actually when i switch my Internet connection from wired to wifi the openvpn client running as a daemon mode does not reconnect
00:52 < Kevin`> septiq: you are thinking of the traffic flow the wrong way here
00:53 < kaushal> Kevin`: Do you need more information ?
00:53 < Kevin`> septiq: what you describe is quite possible, but it's not done in the way you describe ;)
00:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
00:53 < LumberCartel> septiq:  What do you mean by "use them?"  Is it just routing, NAT, or actually having those IPs duplicated on host B?
00:54 < septiq> Kevin`: what i want to do is to assign public IPs from host A on virtual machines on host B using a unique OpenVPN link
00:54 < septiq> LumberCartel: yes duplicated, layer 2
00:54 < Kevin`> septiq: btw, once a system is receiving traffic for an ip, the actual ip can be on ANY of it's interfaces and it will work, provided the assignment is correct by itself
00:55 < Kevin`> septiq: unless you have another reason to though, you can just stick the addresses on tunx
00:55 < LumberCartel> septiq:  You need to read up on the difference between TAP and TUN in OpenVPN.  This will be very helpful for what you want to do.
00:55 < kaushal> Kevin`: Any further suggestion ?
00:55 < Kevin`> I don't recommend using tap for this
00:56 < Kevin`> kaushal: try keepalive, hope it works nice
00:56 < kaushal> sure
00:56 < kaushal> so set keepalive 10 60 in OpenVPN Server ? 
00:56 < kaushal> since it overrides the client.conf 
00:56 < kaushal> right ?
00:56 -!- krzee [~k@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
00:57 < Kevin`> septiq: if the source computer needs it's addresses to be assigned to receive traffic, the proper way to do this is slightly complex: REMOVE the ips from the source computer, instead route them over the vpn interface, and enable proxy arp on the source computer so it still advertises them
00:57 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
00:57 < Kevin`> actually, that doesn't sound complex when you say it like that, does it :)
00:57  * LumberCartel smiles.
00:58 < Kevin`> kaushal: unsure on that, I usually have it in both
00:58 < kaushal> Kevin`: ok
00:58 < kaushal> Kevin`: please give me a moment
00:58 -!- kaushal [~kaushal@125.22.61.162] has quit [Quit: leaving]
00:59 < septiq> Kevin`: but what will happen on host B, i will get only one TAP interface and i will have to correctly route (L3) traffic to each virtual machine ...
00:59 < septiq> Kevin`: maybe using iptables ROUTE match
01:00 < Kevin`> septiq: you don't need an ethernet link at the vpn level.. avoid if possible
01:00 < septiq> Kevin`: i think i need to activate proxy-arp on both sides and combine bridges
01:01 < Kevin`> septiq: on the new machine you just have to route the ips TO the bridge/interface the guests are on
01:01 < septiq> ok for this part
01:01 < Kevin`> the new machine doesn't need proxy arp since it will always receieve the traffic
01:02 < Kevin`> the old machine knows to send it to the new machine
01:02 < septiq> Kevin`: but on the other side i will have to do something (L3) to untangle the spaghetti plate
01:03 < Kevin`> on the new side you just have to route the ips to the bridge the guests are on
01:04 < septiq> i would rather have the streams isolated (L2) on the full path
01:04 < Kevin`> traffic going BACK may need some interesting funness if your isp won't accept it as-is
01:04 < Kevin`> running layer 2 over the internet is generally a very bad idea
01:05 < Kevin`> and doing it on the full path will link your two isp's together
01:05 < Kevin`> they'll get mad at you
01:05 < Kevin`> if you want you can do it on one or the other host pretty non-destructively
01:06 < LumberCartel> ...especially when the DHCP server competitions begin.
01:06 < septiq> actually hostB "deported" IPS are isolated in containers which can only see the host A network
01:07 < septiq> they cannot access to their real network
01:07 < Kevin`> that will work fine, although it is not efficient to send broadcast traffic or the extra framing
01:08 < septiq> broadcast traffic and extra framing aren't negligible ?
01:09 < Kevin`> extra framing is a constant per-packet, not very much. broadcast traffic could be pretty annoying, but it depends on your network whether it really matters for you
01:10 < septiq> what do you call broadcast traffic ? arp ?
01:10 < septiq> i need arp to make it run
01:11 < LumberCartel> Broadcast traffic is what is sent to all IPs within a given network.
01:11 < Kevin`> anything that's broadcast. arp is included of course and is necessary for your case. on say a cable network, you will see basically just arp (although a shitton of it. the rest is filtered). on the average corporate network you will be flooded with windows identification traffic
01:11 < LumberCartel> It's part of the design of IP.
01:11 < LumberCartel> s/of IP/of the IP/
01:12 < septiq> LumberCartel: thank you for reminding this to me
01:12  * LumberCartel smiles.
01:12 < septiq> i do filter multicast/broadcast so it is not an issue to me
01:14 < septiq> in this case only broadcast traffic is arp, every boradcasted packet is filtered
01:14 < septiq> broadcast icmp is part of the 90's
01:15 < Kevin`> on my isp interface here (cable), I generally have more arp traffic than actual data :)
01:15  * LumberCartel laughs.
01:15 < Kevin`> of course, that's not saying as much as it could be
01:15 < LumberCartel> Your cable provider sucks.
01:15 < Kevin`> it's only maybe 100 packets per second max
01:16 < Kevin`> dwafed by actual traffic when there is real traggic
01:16 < Kevin`> traffic*
01:16 < septiq> i can even shape arp if that gets too crazy
01:17 < septiq> in this case i really want to transport L2 over udp, that is not the issue
01:18 < septiq> the issue is to untangle several streams if i have to mix them
01:18 < Kevin`> easiest, make several connections
01:18 < Kevin`> 802.1q would probably work fine though
01:19 < septiq> so i can vlan on the TAP interface ?
01:19 < Kevin`> I don't see why not. I have never had cause to do it though
01:20 < septiq> so the solution would be: ...
01:21 < septiq> host A: bridge eth0 with tap0, enable arp-proxy
01:21 < LumberCartel> Kevin`:  Heheh, with VLANs one could take the office phone on the road with them and be sitting on a beach somewhere with wireless internet and OpenVPN to the office on the other side of the glove making VOIP calls.
01:21 < septiq> host B: arp-proxy, read the OpenVPN documention concerning vlans :)
01:22 < LumberCartel> s/glove/globe/
01:22 < Kevin`> LumberCartel: i've done that, actually. although I didn't need to use vlans since it was my own network I was connecting to and I could do it however I wanted :)
01:23 < LumberCartel> Yup.
01:23 < LumberCartel> Neat!
01:23 < Kevin`> septiq: you don't need arp-proxy at all for this
01:23 < septiq> i have to arp-advertise IPs on host A ...
01:23 < Kevin`> arp-proxy is if you did it at layer 3 with an uncooperative provider network
01:24 < Kevin`> septiq: the guests will advertise directly over the vpn link
01:24 < Kevin`> which the host will send directly to it's ethernet interface
01:24 < septiq> right
01:24 < Kevin`> the host itself won't need to respond to arp
01:25 < Kevin`> if it did, it would cause a mac address conflict, btw
01:25 < Kevin`> (such that two systems have the same ip)
01:27 < septiq> ok thanks to pointing me at VLANs
01:30 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
01:39 <@vpnHelper> RSS Update - forum: Off Topic, Related :: Packaging of Open VPN :: Author krishanu17 <https://forums.openvpn.net/viewtopic.php?f=1&t=7279&p=8391#p8391>
01:39 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:40 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
01:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
01:47 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
01:50 -!- kaushal [~kaushal@125.22.61.162] has joined #openvpn
01:50 < kaushal> hi again
01:50 < kaushal> it worked like a charm
01:50 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
01:50 < LumberCartel> Excellent!
01:50 < kaushal> Thanks a Lot guys
01:50 < LumberCartel> Thanks for letting us know.
01:50 < LumberCartel> You're welcome.
01:50 < LumberCartel> Are you on UDP still?
01:50 < kaushal> LumberCartel: I am on UDP 
01:51 < kaushal> Also i have another issue
01:51 < LumberCartel> So the "keepalive" directive helpdd.
01:51 < LumberCartel> Okay, what is it?
01:51 < kaushal> yes
01:51 < kaushal> it helped
01:51 < kaushal> Let me explain
01:51 < kaushal> so the issue is when i am connected to a remote server via wired connection through openvpn
01:52 < kaushal> and then when i switch to wifi the openvpn reconnects automatically using keepalive
01:53 < LumberCartel> ...well, because keepalive helps it to notice that the UDP connection is down.
01:53 < kaushal> but the hiccup is if i am connected to a remote production server which was already connected in wired connection 
01:53 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
01:53 < kaushal> i need to do again ssh remoteserverIP :/
01:54 < LumberCartel> That's normal.
01:54 < LumberCartel> If your connection is severed, then your ssh session will die off.
01:54 < kaushal> LumberCartel: can the session be maintained
01:54 < kaushal> some sort of autossh
01:54 < LumberCartel> Are you familiar with GNU Screen?
01:54 < kaushal> yes
01:54 < kaushal> very much
01:55 < LumberCartel> Use that on the server side.
01:55 < kaushal> ok
01:55 < kaushal> I was interested on the client side
01:55 < LumberCartel> Then just "screen -x" after you login again.
01:55 < LumberCartel> On the client-side your SSH client may have some auto-reconnect options, but I'm not aware of these off-hand.
01:55 < krzee> kaushal, do you have the same IP when you change from wifi to wired / visa versa?
01:55 < krzee> because thats likely why the connection goes down
01:56 < krzee> and the answer is likely no, you dont have the same ip... so no you cant keep the connection alive when changing
01:56 < kaushal> krzee: nope
01:56 < krzee> but LumberCartel's idea was good, use screen to not lose your place
01:57 < kaushal> krzee: ok
01:57 < kaushal> krzee: what about autossh ?
01:57 < krzee> who knows... maybe if you ran dhcp server on a linux box you could set both MACs to use the same ip... ild think that would work
01:57 < LumberCartel> kaushal:  Check the options in your SSH client.  Hopefully there's something there for you.
01:58 < kaushal> krzee: ok
01:58 < krzee> ya i hadnt heard of autossh, either way its not an openvpn issue
01:58 < kaushal> krzee: very true
01:58 < krzee> the issue is you are changing your IP on the lan, which kills the connection
01:58 < krzee> oh and autossh wouldnt keep the vpn alive
01:58 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
01:59 < kaushal> krzee: understood
01:59 < kaushal> krzee: Thanks
01:59 < kaushal> LumberCartel: Thanks
01:59 < LumberCartel> You're welcome.
01:59 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
01:59 < krzee> np
01:59 < LumberCartel> kaushal...
02:00 < kaushal> LumberCartel: yeah sure
02:00 < kaushal> please go ahead
02:00 < LumberCartel> kaushal:  Think of the OpenVPN connection as a separate network cable.  Although it's a virtual network, this imagery can be helpful.
02:00 < kaushal> Do you have anything to say something
02:00 < LumberCartel> I just didn't want you to leave without seeing my last comment.  =)
02:01 < kaushal> yes
02:01 < kaushal> :D
02:09 < krzee> !client-connect
02:09 <@vpnHelper> krzee: "client-connect" is --client-connect <script>, runs script on client connection. This can be useful for generating firewall rules dynamicly, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamicly... to use it that way, you should write your dynamic ccd commands to the file named by $1.
02:10 < kaushal> krzee: are you referring to me ?
02:10 < krzee> nope
02:10 < kaushal> ok
02:11 < krzee> answering a forum post, the bot will announce it in a minute ;]
02:11 < kaushal> krzee: i did autossh remoteserverIP, it didnot worked, the terminal freezed :/
02:11 < kaushal> meh
02:11 < krzee> [03:58]  <krzee> the issue is you are changing your IP on the lan, which kills the connection
02:11 < krzee> [03:58]  <krzee> oh and autossh wouldnt keep the vpn alive
02:12 < krzee> autossh runs on top of the vpn, you kill the VPN by changing IPs
02:12 < krzee> so autossh has no chance
02:12 < kaushal> :/
02:12 <@vpnHelper> RSS Update - forum: Routing and Firewall Scripts :: Re: how to add a kernel's route on the openvpn server? :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=17&t=7219&p=8392#p8392>
02:13 < krzee> hrm, i wonder if you could arp poison yourself to steal back the old IP
02:13 < krzee> that would be tricky!
02:13 < Bushmills> no need for authssh with reconnecting openvpn
02:20 -!- kaushal [~kaushal@125.22.61.162] has quit [Ping timeout: 276 seconds]
02:22 -!- kaushal [~kaushal@125.22.61.162] has joined #openvpn
02:24 -!- kaushal [~kaushal@125.22.61.162] has quit [Client Quit]
02:24 <@vpnHelper> RSS Update - forum: Configuration :: Re: Authenticatig clients with certificates & username passw :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7220&p=8393#p8393>
02:33 < kraut> moin
02:36 < LumberCartel> Hello kraut.
02:36 < krzee> moin
02:36 < LumberCartel> krzee:  That would be tricky, but also hilarious!
02:36 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Routing trouble :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7217&p=8395#p8395> || Configuration :: Re: Do I have to have a client file for every pc? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7241&p=8394#p8394>
02:37 < krzee> yup, would only need to trick the router's arp table
02:37 < krzee> single sided, single packet arp-poison
02:37 < LumberCartel> It would become a Virtual Poison Network.
02:37 < krzee> but youd need something outside of openvpn to trigger it upon IP change
02:38 < LumberCartel> Couldn't this just be done with ipp.txt?
02:46 < krzee> its not his VPN ip
02:46 < krzee> plus, ipp.txt is a bad way to set static ips
02:46 < krzee> !ipp
02:46 <@vpnHelper> krzee: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
02:47 < krzee> it is his LAN ip that is changing, and that breaks his connection to his VPN (his router doesnt blindly broadcast the traffic, nor is it happy to let him continue someone else's conversation (how could the router know it is actually him?)
02:47 < krzee> )
02:49 -!- dazo_afk is now known as dazo
02:55 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Installing OpenVPN in Vmware :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7240&p=8397#p8397> || Configuration :: Re: Multiple Tunnels on the same server :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7278&p=8396#p8396> || Scripting and Customizations :: Re: Can't login more than two client and Smart Card login :: ... <https://forums.openvpn.net/viewtopic.ph
02:58 < LumberCartel> !iporder
02:58 <@vpnHelper> LumberCartel: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
02:58 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
02:59 < LumberCartel> !static
02:59 <@vpnHelper> LumberCartel: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.5 10.8.0.6 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder
02:59 < krzee> you may enjoy this as well:
02:59 < krzee> !factoids
02:59 <@vpnHelper> krzee: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
03:04 -!- atan [~atan@unaffiliated/atan] has quit [Ping timeout: 250 seconds]
03:07 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Generating the keys online :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7244&p=8400#p8400> || Off Topic, Related :: Re: Is OPEN VPN right for me? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=1&t=7263&p=8399#p8399>
03:12 -!- gorkhaan_ [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
03:14 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
03:14 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
03:14 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
03:23 < LumberCartel> Thanks krzee.  I need to go to sleep.  Take care.
03:24 -!- LumberCartel [~LumberCar@24.86.160.252] has quit [Quit: RFCs the easy way -- http://www.openrfc.org/]
03:24 <@vpnHelper> RSS Update - forum: Configuration :: Re: NAT client side :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7246&p=8401#p8401>
03:29 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
03:29 < krzee> whats up doc
03:31 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Bridging without tun or TAP adapter? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7249&p=8402#p8402> || Installation Help :: Re: Error driving me nuts :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=5&t=7277&p=8403#p8403>
03:34 < krzee> !c2c
03:34 <@vpnHelper> krzee: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind other
03:34 <@vpnHelper> krzee: clients
03:36 -!- luneff [~yury@84.51.198.114] has joined #openvpn
03:37 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Bridged Mesh :: Reply by somms <https://forums.openvpn.net/viewtopic.php?f=4&t=7275&p=8387#p8387> || Server Administration :: Re: Bridged Mesh :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7275&p=8404#p8404>
03:39 < krzee> !bcrelay
03:39 <@vpnHelper> krzee: Error: "bcrelay" is not a valid command.
03:39 < krzee> !factoids search bcrelay
03:39 <@vpnHelper> krzee: No keys matched that query.
03:39 < krzee> !factoids search --invalues bcrelay
03:39 <@vpnHelper> krzee: (factoids search [<channel>] [--values] [--{regexp} <value>] [<glob> ...]) -- Searches the keyspace for keys matching <glob>. If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
03:39 < krzee> !factoids search --values bcrelay
03:39 <@vpnHelper> krzee: "bcast" is pptp source tree has bcrelay in it, bcrelay can be used to relay broadcasts over a tun setup
03:40 < krzee> !winnat
03:40 <@vpnHelper> krzee: "winnat" is (#1) http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows, or (#2) http://www.nanodocumet.com/?p=14 for windows XP
03:43 < krzee> !--
03:43 <@vpnHelper> krzee: "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file.
03:43 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Bridged Mesh :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7275&p=8405#p8405> || Server Administration :: Re: NATTING addresses :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7252&p=8406#p8406>
03:43 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Read error: Operation timed out]
03:45 -!- septiq_ [~septiq@93.19.114.177] has joined #openvpn
03:46 -!- master_of_master [~master_of@p57B52B51.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
03:47 -!- septiq [~septiq@93.19.114.177] has quit [Ping timeout: 240 seconds]
03:47 -!- septiq_ is now known as septiq
03:47 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
03:48 -!- master_of_master [~master_of@p57B56DFC.dip.t-dialin.net] has joined #openvpn
03:49 <@vpnHelper> RSS Update - forum: Configuration :: Re: How to create server.conf file :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7250&p=8407#p8407>
03:53 -!- gorkhaan_ [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Quit: Távozom]
03:55 -!- luneff [~yury@84.51.198.114] has quit [Quit: Leaving]
03:55 <@vpnHelper> RSS Update - forum: Configuration :: Re: Something missing in configuration? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7251&p=8409#p8409>
03:56 < krzee> !win_rollup
03:56 <@vpnHelper> krzee: "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
03:59 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 260 seconds]
04:01 -!- th1 [~th@cpc1-cmbg15-2-0-cust361.5-4.cable.virginmedia.com] has quit [Changing host]
04:01 -!- th1 [~th@pdpc/supporter/professional/th1] has joined #openvpn
04:02 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
04:07 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Ping timeout: 272 seconds]
04:07 <@vpnHelper> RSS Update - forum: Server Administration :: Re: How to preserve client’s IP when --duplicate-cn enabled :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7273&p=8412#p8412> || Server Administration :: Re: Windows Server 2008 :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7254&p=8413#p8413>
04:07 -!- septiq_ [~septiq@93.19.114.177] has joined #openvpn
04:09 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has quit [Ping timeout: 272 seconds]
04:09 -!- boswarrior [~mrnice@78.142.173.114] has joined #openvpn
04:09 -!- boswarrior is now known as boswarrior2
04:11 -!- septiq [~septiq@93.19.114.177] has quit [Ping timeout: 255 seconds]
04:11 -!- septiq_ is now known as septiq
04:13 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Server Side Idle Time Out Configuration :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7258&p=8416#p8416>
04:20 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
04:20 <@vpnHelper> RSS Update - forum: Server Administration :: Re: openSUSE Firewall issue :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7259&p=8418#p8418>
04:26 <@vpnHelper> RSS Update - forum: Server Administration :: Re: OpenVPN server on windows + radius authentication. :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7261&p=8419#p8419>
04:31 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Open additional port :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7268&p=8422#p8422>
04:32 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn
04:35 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 272 seconds]
04:36 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
04:42 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Samba and OpenVPN servers on the same machine :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7270&p=8424#p8424>
04:54 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Routing trouble :: Reply by snorhyvel <https://forums.openvpn.net/viewtopic.php?f=4&t=7217&p=8426#p8426>
05:02 -!- kerfe [~a@212.81.205.13] has joined #openvpn
05:03 -!- kerfe is now known as grank
05:05 -!- grank [~a@212.81.205.13] has quit [Client Quit]
05:05 -!- kerfe [~a@212.81.205.13] has joined #openvpn
05:05 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Routing trouble :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7217&p=8427#p8427>
05:08 -!- sunta [~cw@hector.raytion.com] has joined #openvpn
05:09 < sunta> !goal
05:09 <@vpnHelper> sunta: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
05:12 -!- luneff [~yury@84.51.195.188] has joined #openvpn
05:18 < js_> is there any way to query openvpn for connected clients?
05:22 < reiffert> js_: yes.
05:27 < js_> reiffert: i enabled management, telneted and typed status, but i can only see traffic information
05:27 < js_> i use secret with float and there's one client connected (which works)
05:29 < krzee> js_, you may only get traffic info since you have a ptp tunnel
05:29 < krzee> there IS no clients
05:29 -!- CaMason [~camason@office.stasismedia.com] has joined #openvpn
05:30 < reiffert> krzee: you can alwazs parse the status.log
05:31 < krzee> but he said he uses --secret
05:31 < krzee> he does not HAVE clients
05:31 < krzee> just a peer
05:34 < js_> allrighty, thanks
05:36 < sunta> I am trying to bridge 2networks, the configuration for /etc/network/interfaces http://www.shorewall.net/OPENVPN.html#id36132361  "pre-up /usr/sbin/brctl addbr br1" correct for both sides? rest of the config is talking of br0
05:36 <@vpnHelper> Title: OpenVPN Tunnels and Bridges (at www.shorewall.net)
05:41 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
05:42 -!- twister004 [~chatzilla@59.90.34.167] has quit [Ping timeout: 255 seconds]
05:43 -!- atan2 [~atan@unaffiliated/atan] has quit [Quit: Leaving]
05:54 -!- petan [~kvirc@71.236.broadband11.iol.cz] has quit [Quit: Changing server...]
06:33 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 264 seconds]
06:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
06:44 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has joined #openvpn
06:45 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Read error: Connection reset by peer]
06:45 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
06:46 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Read error: Connection reset by peer]
06:46 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
06:47 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
06:47 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
06:48 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
06:48 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
06:49 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Read error: Connection reset by peer]
06:49 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
06:51 < sunta> damn AOL surfers
06:52 -!- sunta [~cw@hector.raytion.com] has left #openvpn ["Verlassend"]
06:53 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
06:53 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
06:53 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:56 < kisom> Anyone know if it is possible to unset the tun-persist directive once set? The server pushes it out and I want to disable it without restarting the openvpn client
06:59 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 272 seconds]
07:00 -!- no_maam [~no_maam@gate.cdc.informatik.tu-darmstadt.de] has joined #openvpn
07:03 < k4r4mb4> if line in the openvpn config file begins with # or ;  what does that mean?
07:03 < no_maam> its a comment
07:03 < no_maam> just text
07:03 < no_maam> not processed by openvpn
07:03 < no_maam> just to make the config more readable
07:03 < k4r4mb4> why two signs for comment ?
07:04 < k4r4mb4> # and ; ?
07:04 < no_maam> sometimes you use # for real text
07:04 < k4r4mb4> i see
07:04 < no_maam> and ; for settings, which are not in use yet
07:04 < no_maam> or vice versa
07:04 < k4r4mb4> ok. good to know :)
07:04 < k4r4mb4> if I enable route-nopull option what does that do?
07:05 < k4r4mb4> and redirect-gateway def1 bypass-dhcp
07:07 < no_maam> with route-nopull, the client will ignore messages from the server, how routes should be set
07:07 < no_maam> redirect-gateway means in general set a new default route
07:07 < no_maam> def1 is an alternative way of setting the default route, which usually works better, if you have problems getting your old default-route back when openvpn exists
07:08 < no_maam> or you have another process which tries to control the default route, for example a dhcp client
07:08 < no_maam> bypass-dhcp usually fixes problems related to dhcp, if you cannot hold you dhcp lease anymore after having started openvpn
07:08 < ecrist> !man
07:08 <@vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
07:10 < k4r4mb4> using winxp I get no default route , I have to set it up manually.The client connects after a while but with no new gateway set in route table.Is there a client side option I can use to avoid this? maybe redirect-gateway def1 option?
07:10 < kisom> k4r4mb4: where do you have windows installed on your computer? C:\windows or some other path?
07:11 < k4r4mb4> yeah c:\windows
07:11 < no_maam> k4r4mb4: you might try playing with the route-method or ip-win32 command
07:11 < no_maam> k4r4mb4: try route-method exe or something like this
07:11 < k4r4mb4> on the server or on the client side?
07:11 < kisom> client
07:11 < no_maam> k4r4mb4: client side
07:12 < k4r4mb4> ok
07:12 < k4r4mb4> !route
07:12 <@vpnHelper> k4r4mb4: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:12 < k4r4mb4> !route-method
07:12 <@vpnHelper> k4r4mb4: Error: "route-method" is not a valid command.
07:12 < k4r4mb4> !ip-win32
07:12 <@vpnHelper> k4r4mb4: Error: "ip-win32" is not a valid command.
07:18 < no_maam> I got a question, about best practice
07:19 < no_maam> I have an openvpn server
07:19 < no_maam> and I have a lot of users
07:19 < no_maam> some of them like to connect using tun, some of them using tap
07:19 < no_maam> some of them would like to route all traffic over the vpn
07:19 < no_maam> some of them only traffic towards the network the vpn server is in
07:23 < no_maam> so what would be the best configuration for that?
07:23 < no_maam> run two servers, one with tap, one with tun
07:23 -!- septiq [~septiq@93.19.114.177] has quit [Ping timeout: 260 seconds]
07:23 < no_maam> and have two configurations per server on the client, one with route redirection and one without?
07:25 -!- hwilde [~hwilde@pool-74-98-224-203.pitbpa.fios.verizon.net] has quit [Quit: Leaving]
07:42 -!- kerfe [~a@212.81.205.13] has quit [Quit: • IRcap • 8.6 •]
07:43 -!- mario_ [~mario@projekte.imos.net] has joined #openvpn
07:44 -!- mario_ is now known as spiekey
07:44 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Windows Server 2008 - incorect address in TAP connection :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7256&p=8429#p8429>
07:44 < spiekey> Hello!
07:45 < spiekey> i am using the openvpn client from here http://swupdate.openvpn.net/downloads/openvpn-client.msi, but i run into a dns problem
07:46 < ecrist> what's the problem?
07:46 < spiekey> if i push a dns server, it gets assigned to my tap interface, but my windows still uses the dns server from my wan interface
07:46 < ecrist> !dns
07:46 <@vpnHelper> ecrist: "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4
07:46 < spiekey> so ipconfig /all shows me two diffrent dns server on two diffrent interfaces. And the one i push wont get used.
07:46 < ecrist> !windns
07:46 <@vpnHelper> ecrist: Error: "windns" is not a valid command.
07:47 < ecrist> spiekey: I'm not sure on that one, I don't use windows
07:47 < spiekey> hmm ._(
08:04 -!- krzee [~k@openvpn/community/support/krzee] has quit [Remote host closed the connection]
08:07 <@dazo> spiekey: that's a regular topic on the openvpn-users mailing list ... look for reply from Jan Just Keijser (or JJK) ... he got some recipes to improve that on  windows
08:08  * dazo vaguely recall something about running 'net dnscache stop ; netdnscache start' from a command line ... but he is also no Windows user
08:09 -!- hwilde [~hwilde@SUREFIRE.REC.RI.CMU.EDU] has joined #openvpn
08:12 < spiekey> okay, thanks
08:12 < spiekey> i will have a look
08:12 < ecrist> wow, virtualbox on freebsd is teh sexy
08:14 -!- rawDawg [~rawdawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined #openvpn
08:19 -!- mrnice`_ [~mrnice@ip217-196-78-69.funknetz.at] has joined #openvpn
08:22 -!- mrnice`__ [~mrnice@78.142.173.114] has joined #openvpn
08:22 -!- boswarrior2 [~mrnice@78.142.173.114] has quit [Ping timeout: 255 seconds]
08:25 -!- mrnice`_ [~mrnice@ip217-196-78-69.funknetz.at] has quit [Ping timeout: 255 seconds]
08:27 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has joined #openvpn
08:28 -!- mrnice`_ [~mrnice@ip217-196-78-69.funknetz.at] has joined #openvpn
08:31 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
08:31 -!- mrnice`__ [~mrnice@78.142.173.114] has quit [Ping timeout: 255 seconds]
08:44 -!- mrnice`__ [~mrnice@78.142.173.114] has joined #openvpn
08:48 -!- mrnice`_ [~mrnice@ip217-196-78-69.funknetz.at] has quit [Ping timeout: 255 seconds]
08:48 -!- mrnice`__ [~mrnice@78.142.173.114] has quit [Client Quit]
08:48 -!- FastPutty [~fastputty@dsl-173-248-212-118.acanac.net] has joined #openvpn
08:49 < FastPutty> hello guys, someone help me out please. i build up a bridge with openvpn, my client got an internal ip succesfully but i cannot ping anything in the network except my vpn server and my internet gateway
08:49 < FastPutty> i cannot ping any local ips
08:50 < FastPutty> network: 192.168.1.0/24 and my client is 192.168.1.220
08:50 < FastPutty> my gateway is 192.168.1.1
08:50 < FastPutty> my vpn server is 192.168.1.2
08:50 < FastPutty> oops 192.168.1.201
08:51 < FastPutty> if someone can help me out, it will be amazing
08:54 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 245 seconds]
08:56 < FastPutty> is it possible to do a mixed network ÉÉ
08:56 < FastPutty> ???
08:57 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
09:10 < jpalmer> FastPutty: happen to know much about routing?
09:11 < hyper_ch> FastPutty: what do you try to do.. I'm not sure what you mean by setup up a bridge
09:15 < FastPutty> jpalmer: how can i route if both network are same ips
09:15 < FastPutty> hyper_ch: i mean i start openvpn in bridge mode
09:16 < hyper_ch> FastPutty: you try to bridge two different networks?
09:16 < FastPutty> it same network actually..
09:16 < FastPutty> bridge = same network..
09:16 < FastPutty> how can you bridge 2 seperate network -_-
09:16 < hyper_ch> I have no clue what you try to do
09:17 < FastPutty> my openvpn is giving ips to vpnclient 192.168.1.100-192.168.1.200
09:17 < FastPutty> my network is 192.168.1.0/24
09:17 < FastPutty> my local network...
09:17 < FastPutty> not the one create by openvpn
09:19 < jpalmer> FastPutty: how can i route if both network are same ips  <--  thats exactly the right question.  you can't.
09:20 < FastPutty> jpalmer: SO why asking me if i know about routing.. it has nothing to do with me
09:20 < FastPutty> jpalmer: i am asking if openvpn doesnt have anything that can merge 2 interface together
09:20 < jpalmer> FastPutty: lets start with some more basic information.  While you can DO a bridged VPN, 99.9% of the time, you shouldn't.  the other .1% of the time,  you still probably shouldn't.  But, what specific needs do you have, that make you want a routed VPN.
09:20 < jpalmer> FastPutty: it actually *does* have something to do with you.  you just don't realize it yet.
09:21 < jpalmer> err,  what specific needs do you have, that make you want a *bridged* vpn?
09:25 < FastPutty> i dont feel wanting create another network just for 1 user ...
09:26 < FastPutty> thats the main reason :
09:26 < hyper_ch> FastPutty: you still did not tell what you are trying to achieve
09:26 < FastPutty> also i want to benefit of all the DHCP from my dhcp server
09:27 < FastPutty> iwant to connect my client vpn to my lan using the same lan ip as my Local network area
09:27 < FastPutty> hyper_ch: iwant to connect my client vpn to my lan using the same lan ip as my Local network area
09:27 < FastPutty> hyper_ch: nothing more than that?...
09:28 < hyper_ch> no clue how to do that
09:29 < jpalmer> FastPutty: so far,  I haven't heard any compelling reason to use a bridged network. You're asking for more pain than you need.
09:29 < jpalmer> setup a routed VPN,  give the openvpn server a different network range in it's config file.  done.
09:31 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
09:31 < FastPutty> jpalmer: i am not expert in openvpn thats the reason i wonder if openvpn has a feature that allow me to do that?
09:31 < FastPutty> jpalmer: nothing in particulary except i want to have all discovery packet that only send trought local and not extern
09:32 < FastPutty> jpalmer: also i want to my main firewall to be able to tos and priorize packets from x ips
09:32 < FastPutty> if it been routed, i wont be able to see it
09:32 < FastPutty> jpalmer: which mean, i have to set up another tos and rules for the second router
09:33 < FastPutty> jpalmer: i believe that reason is good enough
09:33 < FastPutty> those reasons*
09:38 -!- delroth [~delroth@dhaos.delroth.net] has quit [Ping timeout: 245 seconds]
09:40 < FastPutty> someone else can help me out withthis?
09:41 <@vpnHelper> RSS Update - forum: Server Administration :: Re: OpenVPN, Squid and two networks. ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7138&p=8430#p8430>
09:44 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined #openvpn
09:44 < grendal_prime> ecrist, dude..im trying to post a question in the forums...i screwed something up and wound up with a POLL?  can i remove that?
09:46 < ecrist> yes, just edit the post and select 'remove poll' near the bottom.
09:47 < grendal_prime> i dont see where to edit the post...(I just registered i dont know if that means anything)
09:47 < ecrist> where is the post?
09:48 < grendal_prime> server administration
09:48 < grendal_prime> windows 7 and dhcp NAK after interface refresh
09:48 < grendal_prime> i fond the eide
09:49 < ecrist> I've removed the poll for you.
09:50 < grendal_prime> ok cool thanks...i didnt see where i could remove it though.
09:50 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
09:50 < grendal_prime> have you seen that problem bwfore with dhcp going crazy?
09:51 < fahmad> hello
09:53 < fahmad> krzee: http://pastie.org/private/xslkegdpsczlimun33a
09:53 < fahmad> can some one please tell me why this is not working 
09:53 < fahmad> i could not browse suddenly 
09:54 < fahmad> it was working fine with same configuration but not working any more ...
09:54 < fahmad> riadz there /
09:54 < fahmad> dazo ?
09:55 <@dazo> fahmad: sorry, I'm soaked into stuff right now ... maybe later
09:55 < fahmad> ok
09:56 < fahmad> np
09:56 < fahmad> :)
09:56 < fahmad> but someone else please help me with this ...
09:59 < grendal_prime> fahmad, man you got allot going on there.
09:59 < grendal_prime> hehehe
10:00 < fahmad> O_o
10:00 < fahmad> ?
10:03 <@vpnHelper> RSS Update - forum: Server Administration :: Re: OpenVPN Network issues :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7125&p=8431#p8431>
10:03 -!- tuxx_ [~sometinel@81.95.4.163] has joined #openvpn
10:03 < tuxx_> hey
10:03 < tuxx_> is there some way to make openvpn run persistantly?
10:03 < tuxx_> as in... reconnect 
10:04 < tuxx_> when it goes dwn
10:07 -!- fahmad [~linux@unaffiliated/fahmad] has quit [Ping timeout: 240 seconds]
10:08 -!- fahmad [~linux@vpn.server4sale.com] has joined #openvpn
10:09 <@dazo> tuxx_: that's usually the default .... unless you've configured your client differently
10:10 < tuxx_> oh i see
10:11 < hwilde> is there a way for the server to access multiple subnets on the client network?
10:11 < hwilde> or only vice versa what I said
10:15 -!- fahmad [~linux@vpn.server4sale.com] has quit [Ping timeout: 240 seconds]
10:16 -!- SOG [~SOG@222.125.194.143] has joined #openvpn
10:16 -!- fahmad [~linux@vpn.server4sale.com] has joined #openvpn
10:16 -!- fahmad [~linux@vpn.server4sale.com] has quit [Changing host]
10:16 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
10:22 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving]
10:23 < hwilde> anybody?  buehler?
10:25 -!- Xen^ [~linux@vpn.server4sale.com] has joined #openvpn
10:25 -!- fahmad [~linux@unaffiliated/fahmad] has quit [Ping timeout: 240 seconds]
10:28 < ecrist> !route
10:28 <@vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:28 < ecrist> see that, hwilde 
10:29 < hwilde> ecrist, I have two subnets on the client machine.   can I reach them from the server?
10:29 -!- fahmad [~linux@vpn.server4sale.com] has joined #openvpn
10:30 < hwilde> this seems to only do the opposite of what I want - allow clients to reach multiple subnets on the server
10:30 -!- Xen^ [~linux@vpn.server4sale.com] has quit [Ping timeout: 240 seconds]
10:31 < ecrist> !iroute
10:31 <@vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
10:31 < ecrist> hwilde: please read the documentation
10:33 < fahmad> ecrist: can you look into my config ?
10:33 < fahmad> http://pastie.org/private/xslkegdpsczlimun33a
10:34 < fahmad> it was working fine but it stopped working now
10:37 < ecrist> if it was working fine, and stopped, you changed something.
10:43 -!- Xen^ [~linux@vpn.server4sale.com] has joined #openvpn
10:43 < Xen^> did not changed anything 
10:43 < ecrist> Xen^: openvpn doesn't just "stop working"
10:45 -!- fahmad [~linux@vpn.server4sale.com] has quit [Ping timeout: 240 seconds]
10:45 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Samba and OpenVPN servers on the same machine :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7270&p=8424#p8424>
10:47 < Xen^> humm
10:47 < Xen^> checking 
10:47 < Xen^> brb
10:51 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Samba and OpenVPN servers on the same machine :: Reply by Gbillou <https://forums.openvpn.net/viewtopic.php?f=4&t=7270&p=8434#p8434> || Server Administration :: windows 7 and dhcp NAK after interface refresh :: Author sgraham <https://forums.openvpn.net/viewtopic.php?f=4&t=7280&p=8436#p8436> || Server Administration :: Re: How to preserve client’s IP when --duplicate-cn enabled :: Reply ... <ht
10:54 -!- CaMason [~camason@office.stasismedia.com] has left #openvpn ["Leaving"]
10:56 -!- luneff [~yury@84.51.195.188] has joined #openvpn
11:02 -!- fahmad [~linux@vpn.server4sale.com] has joined #openvpn
11:03 -!- dazo is now known as dazo_afk
11:03 -!- Xen^ [~linux@vpn.server4sale.com] has quit [Ping timeout: 240 seconds]
11:06 -!- spiekey [~mario@projekte.imos.net] has quit [Quit: Ex-Chat]
11:07 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
11:08 -!- Xen^ [~linux@vpn.server4sale.com] has joined #openvpn
11:09 -!- fahmad [~linux@vpn.server4sale.com] has quit [Ping timeout: 272 seconds]
11:19 -!- Xen^ [~linux@vpn.server4sale.com] has quit [Ping timeout: 272 seconds]
11:19 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving]
11:22 -!- fahmad [~linux@vpn.server4sale.com] has joined #openvpn
11:23 -!- patelx [~patel@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Changing host]
11:23 -!- patelx [~patel@openvpn/corp/admin/patel] has joined #openvpn
11:24 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 245 seconds]
11:26 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
11:28 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
11:33 -!- Xen^ [~linux@vpn.server4sale.com] has joined #openvpn
11:35 -!- fahmad [~linux@vpn.server4sale.com] has quit [Ping timeout: 272 seconds]
11:36 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
11:47 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
11:47 -!- Xen^ [~linux@vpn.server4sale.com] has quit [Ping timeout: 272 seconds]
11:47 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has quit [Read error: Connection reset by peer]
11:47 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has joined #openvpn
11:48 -!- Thibaud [~Thibaud@93.26.118.248] has joined #openvpn
11:51 < hwilde> ecrist, I have the vpn part working can you just tell me how cna the server access multiple subnets on the client side?
11:51 -!- pumkinhed [~pumkinhed@72.45.85.159] has joined #openvpn
11:51 < pumkinhed> hello #openvpn
11:51 < pumkinhed> easy-rsa is not easy, it seems like it really depends on what shell you are using, does it want me to use bash or what?
11:53 < pumkinhed> ah got it, source ./vars & ./build-ca
12:03 < Thibaud> you could also directly use openssl
12:03 < Thibaud> if you strictly follow the tutorial about easy-RSA you should have any problem
12:04 < Thibaud> shouldn't
12:04 < ecrist> !ssl-admin
12:04 <@vpnHelper> ecrist: "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn, or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
12:04 < ecrist> pumkinhed: ^^^
12:05 < pumkinhed> thanks ecrist, i think using openssl directly would be even less easy, lol
12:05 < pumkinhed> ooo
12:05 < pumkinhed> i will check that out
12:06 < pumkinhed> does openssl maintain a single db for the entire computer, or a different one for each easyrsa folder?
12:08 < ecrist> I don't know what you mean.
12:12 < Thibaud> May I ask a question about openvpn?
12:12 < Bushmills> of course not. 
12:12 < Thibaud> :D
12:12 < Bushmills> what makes you think you might?
12:13 < Thibaud> Alright. I have been using openvpn for quite a while now and it works great.
12:13 < Thibaud> I would like to go a bit deeper and remove my NAT.
12:14 < Thibaud> I have four IP address.
12:14 < Thibaud> (public IP addresses)
12:14 < Thibaud> and I would like to give public IP addresses to my clients
12:14 < Thibaud> and redirect all the traffic through it.
12:15 < Thibaud> I would like to do ifconfig depending on the client
12:15 < Thibaud> and remove the "server" instruction in the conf file.
12:16 < Thibaud> but it doesn't seem to work.
12:16 < Thibaud> the thing is my IPs are not part from the same subnet.
12:16 < Bushmills> linux server?
12:16 < Thibaud> yes
12:16 < Thibaud> debian
12:17 < Bushmills> i suppose using SNAT iptables rules to your clients is the easiest way, but not consistent with your requirement of not using NAT
12:18 < Thibaud> Yes. The idea is to have a public IP reachable to the Internet without any nat.
12:18 < Thibaud> otherwise I am not reachable.
12:18 < Bushmills> result of those would be that the openvpn sort of pretends to be the clients, towards world, but just sends incoming packets on to the openvpn addresses of the real clients
12:19 < Thibaud> yes that's the idea
12:20 < Bushmills> (oh, and also patches sender address, so that packets returned from clients go to server, which then replaces the original sender address into the reply packets as new destination)
12:20 < Bushmills> so just the same as NAT, just the other way around
12:21 < Thibaud> no. There is no need to switch or patch IPs. The server just forward the packet
12:21 < Thibaud> that's all
12:21 < Thibaud> without writing new IPs
12:21 < Thibaud> just like a regular router
12:22 < Thibaud> Do you see what I'm talking about?
12:23 < Bushmills> but it is not the client with the public ip address of server - it is the server
12:23 < Bushmills> that would mean that both server and client would listen to the same ip address
12:23 < Bushmills> server, because it needs to receive the packets first, and client, because server routes them to them
12:24 < Thibaud> My server recieve paquets from several IPs. I just want him to forward to me the ones that have one specific IP
12:25 < Thibaud> It doesn't listen it just forward for instance with an iptables command
12:25 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
12:25 -!- dagni [dagni@unaffiliated/dagni] has quit [Ping timeout: 250 seconds]
12:25 < Thibaud> I just add a line to forward paquets to a specific IP from eth0 to tun0
12:26 < Thibaud> and I have the paquet at the end.
12:26 < Bushmills> when client openvpn connects to openvpn server - from what ip address would client connect? the same one you want to listen it to from packets coming from the net?
12:26 < Thibaud> no, not the same.
12:27 < Thibaud> I have four public IPs routed to my server.
12:27 < Bushmills> and on client?
12:27 < Thibaud> on my client ? I have one
12:27 < Bushmills> sry. need to leave ...
12:27 < Thibaud> ok
12:27 < Thibaud> thanks anyway
12:29 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
12:29 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
12:29 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
12:36 < hwilde> anyone willing to help?   I have server & client connected fine.  I would like now for the server to be able to reach multiple subnets on the client network.  
12:40 -!- juostaus [454582d1@gateway/web/freenode/ip.69.69.130.209] has quit [Quit: Page closed]
12:43 < ecrist> hwilde: read the damn documentation. I've pointed you to everything you need.
12:46 < hwilde> anyone other than ecrist 
12:46 -!- mode/#openvpn [+o ecrist] by ChanServ
12:46 -!- mode/#openvpn [+b *!*@SUREFIRE.REC.RI.CMU.EDU] by ecrist
12:46 -!- mode/#openvpn [-o ecrist] by ecrist
12:50 -!- style [style@vauhtis.thegroup.fi] has joined #openvpn
12:50 < style> Hi
12:50 < style> I'm getting Tue Nov 16 20:48:12 2010 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /O=SUGO/CN=Certification_Authority_Certificate
12:50 < style> any ideas :|
12:50 < style> Tue Nov 16 20:48:12 2010 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
12:51 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 264 seconds]
12:51 < style> tried to google it... but just found problems, no solutions
13:02 < ecrist> style: can we see the rest of your logs, please?
13:03 < ecrist> !logs
13:03 <@vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
13:03 < style> ecrist: solved the problem.. and that message wasn't related to it in any way
13:04 < style> server had some ghost process which blocked real openvpn to bind port on server so the server side was flooging some shit to clients
13:04 < ecrist> ahhh
13:16 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
13:20 -!- Diffen2 [~diffen2@81-234-228-6-no32.tbcn.telia.com] has joined #openvpn
13:32 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Read error: Operation timed out]
13:41 -!- krzee [~k@ftp.secure-computing.net] has joined #openvpn
13:41 -!- krzee [~k@ftp.secure-computing.net] has quit [Changing host]
13:41 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
13:48 -!- kotique [~kotique@bluemile.vps.deepunix.net] has joined #openvpn
13:48 < kotique> + Certificate has key usage  00f0, expects 00a0
13:48 < kotique> ++ Certificate has key usage  00f0, expects 0088
13:49 < kotique> at the same time:        X509v3 Key Usage: critical
13:49 < kotique>                 Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
14:04 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Quit:  has left the bulding]
14:06 -!- tessier [~treed@mail.copilotco.com] has quit [Changing host]
14:06 -!- tessier [~treed@kernel-panic/copilotco] has joined #openvpn
14:11 -!- luneff [~yury@84.51.198.114] has joined #openvpn
14:21 -!- Thibaud [~Thibaud@93.26.118.248] has quit [Remote host closed the connection]
14:22 -!- Thibaud [~Thibaud@93.26.118.248] has joined #openvpn
14:30 -!- gogi [~gogi@hyde.gogi.tv] has joined #openvpn
14:31 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:31 < gogi> What will openvpn do with the client-to-client option? forward every packet to every host?
14:34 -!- antonyo14 [~tony@206.135.21.162] has joined #openvpn
14:36 -!- bitterman [~yury@84.51.198.114] has joined #openvpn
14:37 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
14:37 < antonyo14> hello all.. can anyone point me into the direction of a good howto on setting up username/password authentication instead of certs
14:39 -!- luneff [~yury@84.51.198.114] has quit [Ping timeout: 255 seconds]
14:41 < theDoc> antonyo14: PKI is a corner stone of openvpn, the certs are not going away.
14:42 < antonyo14> i still will be using certs, i just want to use username/passwords as well
14:43 < theDoc> Just follow the howto, you'll be fine.
14:43 < theDoc> !howto
14:43 <@vpnHelper> theDoc: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:49 -!- gogi [~gogi@hyde.gogi.tv] has quit [Quit: Lost terminal]
14:51 -!- rawDawg [~rawdawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: Connection reset by peer]
14:56 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
15:01 -!- mmalleis [~mmalleis@24-231-158-154.static.trcy.mi.charter.com] has joined #openvpn
15:04 < mmalleis> hello
15:06 -!- Thibaud [~Thibaud@93.26.118.248] has quit [Read error: Connection reset by peer]
15:06 -!- Thibaud_ [~Thibaud@93.26.118.248] has joined #openvpn
15:06 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
15:06 < mmalleis> I am getting an error when running the build-key script that says "you must define KEY_DIR"
15:06 < mmalleis> how do I define KEY_DIR ?
15:08 -!- antonyo14 [~tony@206.135.21.162] has quit [Quit: Leaving]
15:08 -!- bitterman [~yury@84.51.198.114] has quit [Quit: Leaving]
15:11 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Ping timeout: 240 seconds]
15:13 -!- Thibaud_ [~Thibaud@93.26.118.248] has quit [Quit: Thibaud_]
15:15 < mmalleis> any help would be appreciated
15:27 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has joined #openvpn
15:28 < pushpop> I'm not that educated in the OpenVPN/networking.  But I'm wondering if I will be able to do a site to site vpn with openvpn if the OpenVPN server is behind the firewall at both sites?
15:28 < Bushmills> mmalleis:  defined in file vars, of easy-rsa
15:32 -!- grendal_prime [~sgraham@71.154.139.60] has joined #openvpn
15:32 -!- grendal_prime [~sgraham@71.154.139.60] has quit [Read error: Connection reset by peer]
15:34 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 272 seconds]
15:36 < Bushmills> pushpop: firewall is not the problem, if firewalls are configured to allow openvpn clients to connect to server
15:38 < Bushmills> server not having an internet ip address, but being NATted, is a bigger problem than just a firewall
15:40 -!- Diffen2 [~diffen2@81-234-228-6-no32.tbcn.telia.com] has quit [Quit: This computer has gone to sleep]
15:42 < pushpop> Bushmills is it possible?
15:42 < Bushmills> (22:36:53) Bushmills: pushpop: firewall is not the problem, if firewalls are configured to allow openvpn clients to connect to server
15:42 < pushpop> ok so it is possible
15:42 < pushpop> now would I use openvpn as?
15:42 < pushpop> for a site to site?
15:42 < Bushmills> !route
15:42 <@vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:43 < kisom> pushpop: we dont know how the firrewalls are configured. impossible for us to know if it will work.
15:43 < Bushmills> !as
15:43 <@vpnHelper> Bushmills: "as" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
15:43 <@vpnHelper> Bushmills: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
15:43 < kisom> you will most likly have to allow some incomming traffic and/or perform a port forward
15:43 < pushpop> OK, I obviously lack some knowledge on the subject
15:44 < pushpop> openvpn will be behind verizon fios routers
15:44 < pushpop> so I can easily port forward
15:44 < kisom> i dont have verizon nor do i know how they configure their equipment
15:44 < pushpop> just not sure about the default gateway
15:44 < pushpop> the clients on the network will point to the verizon router not openvpn
15:44 < pushpop> so how will they route out through openvpn
15:45 < kisom> if any of the two ends can accept incomming connections on TCP or UDP your vpn will work.
15:45 < Bushmills> firewall has no way to analyse the traffic, passed through openvpn
15:45 < Bushmills> only, behinf 
15:45 < Bushmills> ..sry
15:46 < pushpop> i dont know what you mean by that
15:46 < Bushmills> behind openvpn server, when it has been decrypted and is possibly sent on, can firewall intervene again
15:46 < kisom> pushpop: i suggest you read the documentation and consider if you are willing to spend 8-20 hours on getting the VPN to work
15:46 < Bushmills> means, firewall can, between server and client, only block either all or none openvpn traffic
15:47 < kisom> if you are looking for an "out of the box" vpn that just works, try hamachi.
15:47 < pushpop> kisom, i dont mind spending some time out on it
15:47 < pushpop> guess I have some reading to do
15:47 < kisom> pushpop: Took me a good 8 hours first time I set it up, and I work daily with networking and programming.
15:47 < Bushmills> doing that is probably appreciated be the folks here
15:48 < pushpop> I apologize for the dumb questions
15:48 < pushpop> just wanted to understand if my configuration can work
15:48 < Bushmills> in advance?
15:48 < pushpop> before i invested the time
15:48 < kisom> Yes, it can.
15:49 < kisom> pushpop: I suggest you read http://openvpn.net/index.php/open-source/documentation/howto.html
15:49 <@vpnHelper> Title: HOWTO (at openvpn.net)
15:49 < pushpop> ok also do you know of a howto for my scenerio 
15:49 < pushpop> before i google it to death
15:50 < kisom> No, I dont. Hence you should read the documentation and set up openvpn as you'd like it
15:50 < pushpop> ok
15:50 < pushpop> thanks
15:55 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.12/20101026210630]]
16:01 < ecrist> sup, peeps?
16:01 -!- Irssi: #openvpn: Total of 106 nicks [3 ops, 0 halfops, 0 voices, 103 normal]
16:09 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
16:11 -!- master_of_master [~master_of@p57B56DFC.dip.t-dialin.net] has quit [Read error: Operation timed out]
16:14 -!- master_of_master [~master_of@p57B56DFC.dip.t-dialin.net] has joined #openvpn
16:16 -!- hwilde [~hwilde@SUREFIRE.REC.RI.CMU.EDU] has quit [Quit: Leaving]
16:18 -!- bandini [~bandini@host193-108-dynamic.41-79-r.retail.telecomitalia.it] has quit [Remote host closed the connection]
16:21 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Ping timeout: 255 seconds]
16:29 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has joined #openvpn
16:33 -!- kotique [~kotique@bluemile.vps.deepunix.net] has quit [Ping timeout: 240 seconds]
16:40 -!- th1 [~th@pdpc/supporter/professional/th1] has left #openvpn ["Leaving"]
16:42 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Remote host closed the connection]
16:43 -!- iugrina [~iugrina@brale.math.hr] has joined #openvpn
16:43 < iugrina> !welcome
16:43 <@vpnHelper> iugrina: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:46 -!- ^scott^_ is now known as ^scott^
16:59 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:00 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Remote host closed the connection]
17:00 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
17:02 -!- iugrina [~iugrina@brale.math.hr] has left #openvpn []
17:17 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
17:20 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
17:28 -!- Diffen2 [~diffen2@81-234-228-6-no32.tbcn.telia.com] has joined #openvpn
17:31 -!- |Mike| [mike@vps-2a01-4f8-101-1c1-b23f-f6e5.twenty-five.nl] has quit [Remote host closed the connection]
17:34 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
17:38 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
17:52 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
17:52 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
17:52 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
18:11 -!- SOG [~SOG@222.125.194.143] has quit [Quit: I will be back!]
18:12 -!- SOG [~SOG@222.125.194.143] has joined #openvpn
18:12 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Quit:  has left the bulding]
18:12 -!- SOG [~SOG@222.125.194.143] has quit [Client Quit]
18:13 -!- SOG [~SOG@n112120191241.netvigator.com] has joined #openvpn
18:39 -!- Diffen2 [~diffen2@81-234-228-6-no32.tbcn.telia.com] has quit [Quit: This computer has gone to sleep]
18:44 -!- LumberCartel [~LumberCar@24.86.160.252] has joined #openvpn
18:45 < LumberCartel> join apr
18:45 < LumberCartel> Sorry, Windows 7 drops the first character once in a while.  =(
18:50 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
18:51 < LumberCartel> Are there some known issues with using "dhcpd" as the DHCP server instead of the built-in one that comes with OpenVPN?  I'm wondering if perhaps OpenVPN has this because there may be some issues.  Thanks in advance.
18:59 -!- SOG [~SOG@n112120191241.netvigator.com] has quit [Quit: SOG]
19:06 < pushpop> in setting up openvpn on ubuntu I install openvpn but have no tap0 interface
19:07 < pushpop> why would that be
19:07 < LumberCartel> !ubuntu
19:07 <@vpnHelper> LumberCartel: "ubuntu" is dont use network manager!
19:07 < LumberCartel> Did you use the network manager?
19:08 < pushpop> vpnHelper are you talking to me?
19:08 <@vpnHelper> pushpop: Error: "are" is not a valid command.
19:08 < pushpop> oh
19:08 < pushpop> haha
19:08 < pushpop> bot
19:08 < LumberCartel> Yup.  =)
19:08 < pushpop> yea i need a tunnel interface
19:08 < pushpop> tun0
19:08 < pushpop> no idea how to get it
19:09 < pushpop> =P
19:10 < LumberCartel> Sorry, I don't use Linux at all.  On NetBSD we have the pkgsrc system that provides most of what's needed, such as current versions of OpenVPN, and the installation process takes care of this.
19:10 -!- patelx [~patel@openvpn/corp/admin/patel] has left #openvpn []
19:10 -!- patelx [~patel@openvpn/corp/admin/patel] has joined #openvpn
19:10 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
19:10 -!- mode/#openvpn [+o patelx] by ChanServ
19:11 < LumberCartel> pushpop:  But, there is no /etc/ifconfig.tun0 on my system -- OpenVPN creates this automatically somehow.
19:13 < pushpop> god
19:13 < pushpop> i suck with linux
19:13 < pushpop> how do I know if its running
19:13 < LumberCartel> Is OpenVPN actually running on your system?  pgrep openvpn
19:13 < LumberCartel> Or you can use this:  ps ax | grep openvpn
19:13 < LumberCartel> The first one will only provide the process Id.
19:13 < pushpop> 5829
19:13 < pushpop> 8529
19:14 < pushpop> openvpn is in red
19:14 < LumberCartel> Red?  You're using a GUI?  I'm not sure what the red colour corresponds to.
19:14 < pushpop> no
19:14 < pushpop> dont think so
19:14 < pushpop> i did the entire config via cli
19:14 < LumberCartel> That ID will change each time OpenVPN is started -- it is dynamically generated by the system.
19:15 < LumberCartel> The fact that it has a Process ID (or PID) means that it's running.
19:15 <@patelx> (^:
19:15 < pushpop> ahh
19:15 < pushpop> says autostarting VPN Server Fail
19:15 < pushpop> when I start it
19:15 -!- SOG [~SOG@183.12.199.215] has joined #openvpn
19:15 < pushpop> shit
19:15 < LumberCartel> An easy way to view the tail end of your logs is this:  tail -f /var/log/messages
19:15 < pushpop> how do I find out whats wrong
19:15 < LumberCartel> See if there is any problem with OpenVPN in there.
19:15 < LumberCartel> Press CTRL-C to exit that.
19:16 < LumberCartel> That log file will tell you pretty much everything.  At least that's what it's named on NetBSD -- I assume it's the same on most Unix/Linux systems.
19:16 < pushpop> tun0: Disabled Privacy Extension
19:18 < LumberCartel> I don't see that in my logs.
19:18 < LumberCartel> ...and this is all I could find with Google:  http://forum.ubuntuclub.com/forum?topic=4919.0
19:18 <@vpnHelper> Title: ubuntu 8.04 64 bit + chillispot ติด chillispot tun0: Disabled Privacy Extension (at forum.ubuntuclub.com)
19:19 < LumberCartel> Would you like to post your server.conf file into pastebin.ca?  I could take a look at it.  Change your hostname to "example.com" if you don't wish to share that.
19:19 < pushpop> sure sec
19:20 < LumberCartel> Also, when you type this command, do you see "tun0" or "tap0" in the list?  ifconfig -l
19:20 < LumberCartel> ...or tun# or tap# where # is a digit...
19:20 < pushpop> http://pastebin.ca/1994017
19:21 < pushpop> -l not recognised
19:21 < pushpop> regular ifconfig i dont see tun0
19:22 < LumberCartel> Okay, your server.conf specifies tap0 as the adapter, so you won't get a tun0 adapter in this case.
19:22 < LumberCartel> For me, I'm using:  dev tun
19:23 < pushpop> ok ill change that to just tun?
19:23 < LumberCartel> Also, you've got OpenVPN configured to listen on a private IP -- is that intentional?
19:23 < LumberCartel> Which version of OpenVPN are you using, by the way?
19:24 < pushpop> owait
19:24 < pushpop> its working now
19:24 < pushpop> i change that in the config
19:24 < LumberCartel> Oh, good!
19:24 < pushpop> and bam
19:25 < pushpop> thanks dood
19:25 < pushpop> now to configure my client
19:25 < LumberCartel> You're welcome.
19:25 < pushpop> that was the server
19:25 < pushpop> =X
19:25 < LumberCartel> Will your c
19:25 < LumberCartel> Whoops, sorry.
19:25 < LumberCartel> Do you have a specific reason for using UDP?
19:25 < pushpop> nope just following the how to
19:26 < LumberCartel> I find that UDP is problematic for quite a few clients.  If you use it, you'll want to make sure you are familiar with the "keepalive" directive, or just use TCP instead.
19:26 -!- SOG [~SOG@183.12.199.215] has quit [Quit: I will be back!]
19:26 < LumberCartel> My preference is TCP.  It just runs more smoothly for regular users I find.
19:26 < pushpop> awsome ill check it out
19:26 < pushpop> im doing a site to site
19:26 < pushpop> so i wouldnt want it to die
19:26 < LumberCartel> TCP will be more reliable.
19:27 < LumberCartel> If it dies, TCP recovers much more gracefully.
19:27 < LumberCartel> UDP takes more time to recover, if it ever does.
19:27 < LumberCartel> The keepalive directive helps with this, but it's not as flawless as using TCP.
19:30 < LumberCartel> Another good thing to look into using is tls-auth -- it's very easy to set up, and adds a little bit more security for you.
19:40 < pushpop> LumberCartel
19:40 < pushpop> i not sure about the certs and keys here
19:40 < pushpop> what will I need on the client to connect to the server
19:40 < pushpop> i crated a ca.cert on the server
19:40 < LumberCartel> You'll need to create keys for the clients.  You should make sure each client has its own certificate.
19:40 < pushpop> a remote_office.crt
19:40 < LumberCartel> Okay, so you've gotten the first step completed.
19:41 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
19:41 < pushpop> yea on the server i have a ca.cert, remote_office.crt
19:41 < pushpop> a server.cfg
19:41 < pushpop> server.crt
19:41 < pushpop> server.key
19:42 < pushpop> what do I copy to the client
19:42 < pushpop> =P
19:45 < korozion> oy
19:45 < korozion> who let you in here? ;)
19:45 < pushpop> lol
19:45 < pushpop> dont hate
19:46 < LumberCartel> pushpop:  Hang on, I'll have a list of files for you in a few seconds...
19:47 < pushpop> =)
19:47 < LumberCartel> pushpop:  This is what I copy:  ca.crt, dh2048.pem, ta.key, CLIENT.crt, CLIENT.key, and CLIENT.ovpn
19:48 < LumberCartel> You may not have dh2048.pem though unless you also followed the steps to use DH.
19:48 < LumberCartel> I have a habit of building the CLIENT.ovpn file on the server, then copying it to the client with the others.
19:48 < LumberCartel> Do NOT copy CLIENT.* because the client doesn't need one extra file that's there.
19:48 < LumberCartel> I hope this helps.
19:49 < LumberCartel> On the client-side, just dump these files in "C:/Program Files (x86)/OpenVPN/config/" (remove " (x86)" depending on the version of Windows you're using).
19:49 < LumberCartel> ...I'm assuming a Windows client there (it's common).
19:49 < pushpop> yea client is linux
19:49 < pushpop> and it a site to site
19:49 < pushpop> =P
19:50 < pushpop> mm
19:54 < pushpop> think i got it
19:54 < pushpop> thx
19:57 < LumberCartel> You're welcome.
19:57 < LumberCartel> Is the client working?
19:58 -!- mmalleis [~mmalleis@24-231-158-154.static.trcy.mi.charter.com] has quit [Ping timeout: 240 seconds]
20:15 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
20:16 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
20:16  * LumberCartel says "Ni Hao" to dogarrhea1.
20:17 < dogarrhea1> hi lumercartel
20:17 < dogarrhea1> my place of work wants to send me to singapore
20:19 < LumberCartel> I hear that Singapore is a busy place, and that they have a sense of justice that puts Texas in its place.
20:19 < dogarrhea1> hrm
20:19 < dogarrhea1> yea.. there's a chinese idiom.  your butt will blossom. 
20:20 < dogarrhea1> as in, it wil open up like a flower that is red.
20:22 < LumberCartel> Ouch.  Be good?
20:22 < LumberCartel> In Cantonese that's pronounced as "See Fut Hoi Fa" right?
20:23 < dogarrhea1> dun know.
20:23 < LumberCartel> My wife says it is -- she's from Guang Dong.
20:23 < LumberCartel> She was laughing when I read that to her.
20:31 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Quit: Leaving]
20:50 -!- raidzx [~Andrew@seance.openvpn.org] has joined #openvpn
20:53 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has quit [Ping timeout: 265 seconds]
21:07 -!- daemon [foobar@serial.daemonrage.net] has quit [Excess Flood]
21:08 -!- daemon [foobar@serial.daemonrage.net] has joined #openvpn
21:11 -!- daemon [foobar@serial.daemonrage.net] has quit [Excess Flood]
21:12 -!- daemon [foobar@serial.daemonrage.net] has joined #openvpn
21:23 -!- mode/#openvpn [+o ecrist] by ChanServ
21:23 -!- mode/#openvpn [-bb *!~s093294@82.211.214.96 *!*@SUREFIRE.REC.RI.CMU.EDU] by ecrist
21:23 -!- mode/#openvpn [-o ecrist] by ecrist
21:26  * ecrist works on updating channel guidlines
21:35 -!- RealFlub [~realflub@realflub.be] has quit [Ping timeout: 255 seconds]
21:46 < ecrist> !rules
21:46 <@vpnHelper> ecrist: "rules" is http://secure-computing.net/openvpn.php for the channel rules!
21:46 < ecrist> !forget rules
21:46 <@vpnHelper> ecrist: Joo got it.
21:46 < ecrist> !learn rules as http://secure-computing.net/openvpn/openvpn.php for channel guildelines.
21:46 <@vpnHelper> ecrist: Joo got it.
22:00 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
22:05 -!- FastPutty [~fastputty@dsl-173-248-212-118.acanac.net] has quit [Read error: Connection reset by peer]
22:07 < Bushmills> !tcp
22:07 <@vpnHelper> Bushmills: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
22:07 < Bushmills> LumberCartel, pushpop ^^^
22:08 < LumberCartel> Thanks Bushmills.  I've had a lot of problems though with UDP for non-technical end users who don't understand nor have the patience when the VPN doesn't re-connect.
22:09 < LumberCartel> Switching to TCP mode has always resolved this problem.
22:09 < LumberCartel> I prefer the idea of using UDP from a security stand-point as well.
22:11 < Bushmills> http://www.openvpn.net/papers/BLUG-talk/15.html
22:11 <@vpnHelper> Title: Slide 15 (at www.openvpn.net)
22:11 < LumberCartel> Another problem I've encountered at many sites is that there are administrators who block all UDP traffic except for DNS.
22:11 -!- twister004 [~chatzilla@59.90.34.167] has joined #openvpn
22:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
22:12 < LumberCartel> Bushmills:  These are excellent links you're providing, and they provide great justification for using UDP.
22:13 < LumberCartel> ...especially the points about the extra overhead.
22:14 < LumberCartel> I also had a co-location provider once many years ago that I had to stop using because they were dropping UDP traffic at peak times.  Their routers had UDP as a lower priority than TCP, which resulted in DNS traffic failures.  It was horrible, and I've heard that others practice this too, although it usually doesn't become a problem unless there's more than 50% saturation (which is quite high...
22:15 < LumberCartel> ...for ethernet traffic).
22:16 < Bushmills> "because they were dropping UDP traffic" -> "Sometimes you cannot avoid tunneling over tcp..."
22:16 < LumberCartel> I definitely agree with you that UDP is the better choice though just for the reduced overhead alone.
22:27 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
22:27 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
22:27 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
22:30 < LumberCartel> Bushmills:  Heheh, IPSec breaks interoperability with NAT according to this slide from a link you provided:  http://www.openvpn.net/papers/BLUG-talk/24.html
22:30 <@vpnHelper> Title: Slide 24 (at www.openvpn.net)
22:36 -!- superbofh [~xumpi@cl-229.lis-01.pt.sixxs.net] has quit [Quit: re-build KDE]
22:53 < krzee> and that slideshow was made by james, the main openvpn dev
22:55 < LumberCartel> I like it.  It's easy to follow.
23:13 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
23:46 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
23:55 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Ping timeout: 240 seconds]
--- Day changed Wed Nov 17 2010
00:01 -!- pumkinhed [~pumkinhed@72.45.85.159] has quit [Read error: Connection reset by peer]
00:01 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined #openvpn
00:02 -!- freaky[t] [alpha@freakyy.de] has quit [Ping timeout: 240 seconds]
00:06 -!- freaky[t] [alpha@freakyy.de] has joined #openvpn
00:10 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Read error: Operation timed out]
00:11 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
00:19 -!- pumkinhed [~pumkinhed@72.45.85.159] has joined #openvpn
00:23 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
00:29 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
00:47 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
00:54 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
01:14 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:20 -!- kotique [~kotique@bluemile.vps.deepunix.net] has joined #openvpn
01:33 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
01:46 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
01:46 -!- atan2 [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
01:47 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
01:50 -!- twister004 [~chatzilla@59.90.34.167] has quit [Read error: Connection reset by peer]
01:50 -!- twister004 [~chatzilla@59.90.34.167] has joined #openvpn
02:03 -!- fahmad [~linux@vpn.server4sale.com] has joined #openvpn
02:03 -!- fahmad [~linux@vpn.server4sale.com] has quit [Changing host]
02:03 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
02:08 -!- Diffen2 [~diffen2@81-234-228-6-no32.tbcn.telia.com] has joined #openvpn
02:16 -!- basso [~quassel@pc5053.stdby.hin.no] has quit [Remote host closed the connection]
02:16 -!- basso [~quassel@pc5053.stdby.hin.no] has joined #openvpn
02:35 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
02:36 -!- style [style@vauhtis.thegroup.fi] has left #openvpn []
02:36 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 255 seconds]
02:38 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has quit [Ping timeout: 240 seconds]
02:38 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has joined #openvpn
02:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 240 seconds]
02:40 -!- atan2 [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
02:40 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Bridged Mesh :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7275&p=8404#p8404>
02:40 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
02:42 -!- atan2 [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
02:42 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
02:48 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has quit [Read error: Connection reset by peer]
02:48 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has joined #openvpn
02:49 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
02:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
02:54 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 255 seconds]
02:55 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
02:55 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
02:55 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
02:58 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Bridged Mesh :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7275&p=8405#p8405>
02:59 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
02:59 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
02:59 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
03:02 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Ping timeout: 265 seconds]
03:07 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
03:08 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
03:11 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Bridged Mesh :: Reply by Mordenkainen <https://forums.openvpn.net/viewtopic.php?f=4&t=7275&p=8438#p8438>
03:16 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has quit [Ping timeout: 264 seconds]
03:17 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has joined #openvpn
03:29 <@vpnHelper> RSS Update - forum: Server Administration :: PASSTOS :: Author kanicus <https://forums.openvpn.net/viewtopic.php?f=4&t=7281&p=8442#p8442>
03:41 <@vpnHelper> RSS Update - forum: Configuration :: Re: How to create server.conf file :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7250&p=8407#p8407> || Configuration :: Re: Something missing in configuration? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7251&p=8409#p8409>
03:45 -!- master_of_master [~master_of@p57B56DFC.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
03:47 <@vpnHelper> RSS Update - forum: Configuration :: Re: Possible to set up OpenVPN server for Cisco VPN client? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7260&p=8417#p8417> || Configuration :: Re: openvpn client maintaining sessions :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7271&p=8423#p8423>
03:48 -!- master_of_master [~master_of@p57B57128.dip.t-dialin.net] has joined #openvpn
03:50 < kraut> moin
03:51 < LumberCartel> Good morning kraut.
03:53 <@vpnHelper> RSS Update - forum: Configuration :: Re: NAT client side :: Reply by christiannan <https://forums.openvpn.net/viewtopic.php?f=6&t=7246&p=8435#p8435>
03:54 < LumberCartel> .
03:57 < LumberCartel> Good night folks.
03:57 -!- LumberCartel [~LumberCar@24.86.160.252] has quit [Quit: RFCs the easy way -- http://www.openrfc.org/]
04:05 <@vpnHelper> RSS Update - forum: Configuration :: Re: how to get ifconfig-push from client-connect :: Reply by dazo <https://forums.openvpn.net/viewtopic.php?f=6&t=7234&p=8432#p8432> || Configuration :: Re: how to get ifconfig-push from client-connect :: Reply by burn <https://forums.openvpn.net/viewtopic.php?f=6&t=7234&p=8439#p8439>
04:11 <@vpnHelper> RSS Update - forum: Configuration :: Re: Multiple Tunnels on the same server :: Reply by gcc_computo <https://forums.openvpn.net/viewtopic.php?f=6&t=7278&p=8440#p8440> || Installation Help :: Re: previously functional VPN wont connect now :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=5&t=7266&p=8421#p8421>
04:17 <@vpnHelper> RSS Update - forum: Off Topic, Related :: Re: OpenVPN server log to be explained :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=1&t=7262&p=8420#p8420>
04:23 <@vpnHelper> RSS Update - forum: Off Topic, Related :: Re: Windows 7 dont get an IP pushed :: Reply by simon <https://forums.openvpn.net/viewtopic.php?f=1&t=7194&p=8425#p8425>
04:27 -!- noisebleed [~quassel@piggy.inescn.pt] has joined #openvpn
04:27 -!- noisebleed [~quassel@piggy.inescn.pt] has quit [Changing host]
04:27 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
04:29 <@vpnHelper> RSS Update - forum: Off Topic, Related :: Re: anyone having problems showing openvpn-GUI once connecte :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=1&t=7264&p=8428#p8428> || Off Topic, Related :: Re: Is OPEN VPN right for me? :: Reply by furface00 <https://forums.openvpn.net/viewtopic.php?f=1&t=7263&p=8433#p8433>
04:35 <@vpnHelper> RSS Update - forum: Off Topic, Related :: Re: Is OPEN VPN right for me? :: Reply by somms <https://forums.openvpn.net/viewtopic.php?f=1&t=7263&p=8441#p8441> || Off Topic, Related :: Re: Is OPEN VPN right for me? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=1&t=7263&p=8443#p8443>
04:38 -!- luneff [~yury@84.51.195.188] has joined #openvpn
04:41 <@vpnHelper> RSS Update - forum: Server Administration :: Re: How to preserve client’s IP when --duplicate-cn enabled :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7273&p=8444#p8444>
04:43 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
04:47 <@vpnHelper> RSS Update - forum: Server Administration :: Re: PASSTOS :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7281&p=8446#p8446> || Configuration :: Re: Multiple Tunnels on the same server :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7278&p=8445#p8445>
04:53 <@vpnHelper> RSS Update - forum: Off Topic, Related :: Re: Is OPEN VPN right for me? :: Reply by somms <https://forums.openvpn.net/viewtopic.php?f=1&t=7263&p=8441#p8441> || Off Topic, Related :: Re: Is OPEN VPN right for me? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=1&t=7263&p=8443#p8443>
04:58 < krzee> heh
04:58 < krzee> the bot is still dealing with posts from yesterday
05:03 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
05:03 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
05:03 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:11 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Read error: Operation timed out]
05:15 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
05:15 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
05:15 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
05:46 -!- twister004 [~chatzilla@59.90.34.167] has quit [Read error: Connection reset by peer]
05:55 -!- szr [~SR@unaffiliated/szr] has quit [Ping timeout: 245 seconds]
06:01 < no_maam> hi
06:01 < no_maam> I need some advice
06:01 < no_maam> I would like to have a multiple clients and one server, some of the clients are windows machines, so I need to use dev tap here
06:02 < no_maam> however, every client should sit in his owne subnet, so that all the clients are not sharing the same broadcast address
06:03 < no_maam> what is the best way to configure something like that
06:09 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 276 seconds]
06:17 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 276 seconds]
06:23 -!- amcsi [~amcsi@62.112.212.197] has joined #openvpn
06:24 < amcsi> how do I start openvpn from windows command line?
06:27 < amcsi> the client I mean
06:29 < hyper_ch> no_maam: run multiple openvpn servers on the server machine
06:30 < hyper_ch> well, that's probably the easiest way :) not sure if it's the best
06:34 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
06:34 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
06:34 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:35 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
06:37 -!- Clete2_ [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
06:37 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Ping timeout: 255 seconds]
06:38 < no_maam> hyper_ch: well, there are many clients
06:39 < hyper_ch> what's the problem with them sharing the same broadcast address?
06:49 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
06:51 -!- Coffe [~niszsse@82.99.0.202] has joined #openvpn
06:52 < Coffe> Hi, have 1 office connectiong to my network, and my network is connected to a other, clients onthe 1 network could beforre connect to 3 network, but it just stoped working , without i did do any changes. 
06:55 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
07:00 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
07:02 < hyper_ch>  !tell Coffe [configs]
07:02 < hyper_ch> !tell Coffe [configs]
07:10 < Coffe> configs -> http://pastebin.com/kzMCY7fq
07:17 -!- barduck [~barduck@bzq-79-178-196-33.red.bezeqint.net] has joined #openvpn
07:18 < Coffe> update . a server in office 3, can ping vpn server in office1
07:19 -!- barduck [~barduck@bzq-79-178-196-33.red.bezeqint.net] has quit [Remote host closed the connection]
07:19 < Coffe> but that vpn server can not ping that server.
07:21 -!- barduck [~barduck@bzq-79-178-196-33.red.bezeqint.net] has joined #openvpn
07:22 < barduck> hello, a quick question - can I use the built-in Mac OSX VPN client to connect to OpenVPN server or do I need special client for that ?
07:22 < ecrist> !mac
07:22 <@vpnHelper> ecrist: "mac" is Use Tunnelblick for the Mac. (http://code.google.com/p/tunnelblick/)
07:22 < ecrist> the built-in vpn client doesn't support openvpn
07:23 < barduck> ok, gotcha, thanks
07:23 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 245 seconds]
07:26 < Bushmills> Coffe: firewall. check out office 3 server firewal
07:27 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving]
07:33 < Coffe> Bushmills, okey, as it did work before. and office2 is having full access
07:33 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 272 seconds]
07:37 < Bushmills> you mean, it can't be firewall because it once worked? with that reasoning, it must work now because it once worked
07:37 < Bushmills> ergo problem solved :)
07:38 -!- pa [~pa@host140-17-dynamic.57-82-r.retail.telecomitalia.it] has joined #openvpn
07:38 -!- pa [~pa@host140-17-dynamic.57-82-r.retail.telecomitalia.it] has quit [Changing host]
07:38 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
07:39 < Coffe> Bushmills,  there is nothing beeing blocked in firewall , did chech the logs.
07:40 < Bushmills> is there NAT involved anyhow and anywhere?
07:40 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
07:40 < Bushmills> (i consider problems with NAT also "firewall issues")
07:41 < Coffe> yes,  i am guessing its something in office1 or office2 not working , as office2 computers have access to office3
07:41 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
07:42 -!- |Mike| [mike@vps-2a01-4f8-101-1c1-b23f-f6e5.twenty-five.nl] has joined #openvpn
07:42 < Bushmills> then examine whether this scenario is given:  office 3 server uses NAT before openvpn on the path to office 1.  office 1 can get through openvpn to office 3, but from there not to server of office 3, which is behind NAT 
07:50 <@vpnHelper> RSS Update - forum: Installation Help :: Re: Error driving me nuts :: Reply by TuxBrother <https://forums.openvpn.net/viewtopic.php?f=5&t=7277&p=8447#p8447>
07:51 < Coffe> Bushmills, no . they are not behind nat. you can access some services on office2 servers  from internet , but VPN is not using nat
07:52 < Bushmills> then it must be a hardware problem
07:56 < Coffe> i dont know. it where working and i where doing changes to DNS server, and now it dont work.
07:59 < Bushmills> you can exclude name server changes by not referring to the destination by name, but by ip address
07:59 < Coffe> yes its using ip from the beginning
07:59 < Coffe> i havent restarted the vpn or anything
08:00 < Coffe> i am thinking it might be a iroute thing on office2.vpn
08:01 -!- Diffen2 [~diffen2@81-234-228-6-no32.tbcn.telia.com] has quit [Quit: This computer has gone to sleep]
08:07 -!- eliasp [~quassel@HSI-KBW-109-193-152-083.hsi7.kabel-badenwuerttemberg.de] has joined #openvpn
08:10 < eliasp> is it possible to negate 'push' directives? i'm pushing globally DNS, WINS and DOMAIN to the clients, but for some, i'd like to push nothing... 
08:11 < eliasp> couldn't find a directive for ccd files which prevent pushing specific things....
08:11 < eliasp> nvm, i think i just found it... push-reset
08:19 -!- Clete2_ [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Remote host closed the connection]
08:21 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
08:28 -!- cairnz [mats@217-14-7-98-dhcp-osl.bbse.no] has joined #openvpn
08:29 < cairnz> i have a client that's given ip <a>, and through astaro remote ssl has defined access to local computer with ip <b>
08:29 < cairnz> is there a way for <b> to contact <a> ?
08:30 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
08:30 < cairnz> basically, externalcomp->1.2.3.4->astaro<-4.3.2.1 - 1.2.3.4 can access resources on 4.3.2.1, but i need it the other way, the dialin-client needs to be accessible
08:35 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Ping timeout: 255 seconds]
08:38 < ecrist> cairnz: what is astaro?
08:38 < cairnz> internet gateway thing, running linux-ish OS
08:38 < ecrist> !welcome
08:38 <@vpnHelper> ecrist: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:39 < cairnz> !route
08:39 <@vpnHelper> cairnz: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:40 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
08:41 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
08:41 < cairnz> ok ecrist, maybe you know an easy answer: in this scenario: http://www.secure-computing.net/wiki/index.php/Graph
08:41 <@vpnHelper> Title: Graph - Secure Computing Wiki (at www.secure-computing.net)
08:42 < cairnz> can target on 10.10.2.20 connect to openvpn client at 10.8.0.6, and if so, what do i need to do?
08:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
08:44 < ecrist> should be able to, yes
08:45 < cairnz> i can ping from vpn client to target behind openvpn server, but not the other way
08:47 < cairnz> in this case my openvpn server is also my default gateway, but i'm unsure on how to diagnose what could be wrong
08:47 < cairnz> !redirect
08:47 <@vpnHelper> cairnz: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
08:47 < cairnz> !def1
08:47 < cairnz> !nat
08:47 <@vpnHelper> cairnz: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
08:47 <@vpnHelper> cairnz: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
08:47 < cairnz> !linnat
08:47 <@vpnHelper> cairnz: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
08:51 -!- aliverius [~george@athedsl-392905.home.otenet.gr] has joined #openvpn
08:54 -!- aliverius_ [~george@athedsl-378758.home.otenet.gr] has quit [Ping timeout: 255 seconds]
08:56 <@vpnHelper> RSS Update - forum: Server Administration :: Re: PASSTOS :: Reply by kanicus <https://forums.openvpn.net/viewtopic.php?f=4&t=7281&p=8448#p8448>
08:56 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
09:05 -!- luneff [~yury@84.51.195.188] has joined #openvpn
09:15 -!- barduck [~barduck@bzq-79-178-196-33.red.bezeqint.net] has quit [Remote host closed the connection]
09:16 -!- barduck [~barduck@bzq-79-178-196-33.red.bezeqint.net] has joined #openvpn
09:19 < pushpop> anyone free to help me with my PKI keys i can't get them to work for the life of me
09:20 -!- Shawn__ [~Shawn@dhcp-0-11-9-9f-90-ef.cpe.quickclic.net] has joined #openvpn
09:20 < Shawn__> Are there any free openVPN services that are available
09:27 < Coffe> when i am trying to enable client confings, it fails
09:31 -!- Shawn__ [~Shawn@dhcp-0-11-9-9f-90-ef.cpe.quickclic.net] has quit [Remote host closed the connection]
09:31 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
09:32 -!- Shawn__ [~Shawn@dhcp-0-11-9-9f-90-ef.cpe.quickclic.net] has joined #openvpn
09:47 -!- kerfe [~a@234.pool85-60-147.dynamic.orange.es] has joined #openvpn
09:49 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
09:56 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving]
09:56 <@vpnHelper> RSS Update - forum: Configuration :: Passthrough Issue :: Author Werner <https://forums.openvpn.net/viewtopic.php?f=6&t=7282&p=8449#p8449>
10:09 -!- Shawn__ [~Shawn@dhcp-0-11-9-9f-90-ef.cpe.quickclic.net] has quit [Ping timeout: 264 seconds]
10:14 <@vpnHelper> RSS Update - forum: Configuration :: Re: Something missing in configuration? :: Reply by Iassan <https://forums.openvpn.net/viewtopic.php?f=6&t=7251&p=8450#p8450>
10:18 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
10:19 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
10:20 <@vpnHelper> RSS Update - forum: Configuration :: How to allow the client reach server entire subnet? :: Author shuji <https://forums.openvpn.net/viewtopic.php?f=6&t=7283&p=8451#p8451>
10:23 -!- amcsi [~amcsi@62.112.212.197] has quit [Quit: Leaving]
10:39 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
10:39 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
10:39 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
10:53 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined #openvpn
10:57 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Client Quit]
11:04 -!- Coffe [~niszsse@82.99.0.202] has quit [Quit: Leaving]
11:14 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined #openvpn
11:27 -!- patelx [~patel@openvpn/corp/admin/patel] has quit [Quit: ircN 8.00 for mIRC (20080809) - www.ircN.org]
11:49 -!- W0rmF00d [~wormfood@183.38.14.178] has joined #openvpn
11:50 <@vpnHelper> RSS Update - forum: Tutorials :: Re: OpenVPN Install Guides :: Reply by adi.kwok <https://forums.openvpn.net/viewtopic.php?f=8&t=2&p=8452#p8452>
11:51 -!- WormFood [~wormfood@183.38.15.215] has quit [Ping timeout: 250 seconds]
12:07 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
12:12 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro]
12:14 -!- daemon [foobar@serial.daemonrage.net] has quit [Ping timeout: 250 seconds]
12:17 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined #openvpn
12:20 -!- daemon [foobar@serial.daemonrage.net] has joined #openvpn
12:22 -!- FastPutty [~fastputty@dsl-173-248-212-118.acanac.net] has joined #openvpn
12:22 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
12:27 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
12:27 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
12:27 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
12:29 -!- le0 [~fin@unaffiliated/le0] has quit [Client Quit]
12:29 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
12:29 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
12:29 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
12:54 < FastPutty> hello, someone can help me out with this conf
12:54 < FastPutty> http://pastebin.com/RZQQbGQY
12:54 < FastPutty> i cannot start openvpn with this..
12:55 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Remote host closed the connection]
13:02 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
13:03 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
13:06 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
13:09 < FastPutty> i make it work but now i dont have a gateway...
13:10 < FastPutty> i receive ip: 192.168.2.6 and my subnet mask is 192.168.2.5
13:10 < FastPutty> wtf O_O
13:19 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
13:20 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
13:21 -!- arthur__ [~arthur@psw.ro] has joined #openvpn
13:22 -!- arthur__ [~arthur@psw.ro] has quit [Remote host closed the connection]
13:23 -!- roentgen [~arthur@psw.ro] has joined #openvpn
13:24 -!- roentgen [~arthur@psw.ro] has quit [Changing host]
13:24 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
13:27 <@vpnHelper> RSS Update - forum: Configuration :: OpenVPN bridged + client with lan behind :: Author ieracos <https://forums.openvpn.net/viewtopic.php?f=6&t=7284&p=8453#p8453>
13:50 -!- s7r [5927ae4a@gateway/web/freenode/ip.89.39.174.74] has joined #openvpn
14:01 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has quit []
14:20 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has joined #openvpn
14:20 -!- luneff [~yury@84.51.198.114] has joined #openvpn
14:29 -!- bitterman [~yury@84.51.198.114] has joined #openvpn
14:32 -!- luneff [~yury@84.51.198.114] has quit [Ping timeout: 265 seconds]
14:34 < pushpop> anyone present except korozion
14:36 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:37 < korozion> :)
14:38 < pushpop> haha
14:50 -!- Amacidia [~amacidia@70.74.161.36] has joined #openvpn
14:51 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
14:51 < Amacidia> Hey everyone. I'm planning to setup 2 windows workstations with openvpn. Both of these machines are behind a nat router. Is there anything specical I have to do in order for these 2 machines to stay connected? NAT won't cause any problems will it ?
14:52 < Amacidia> I remember before that I had a few problems with 1 client disconnecting if another connected.
14:52 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
14:55 < reiffert> Amacidia: portforward a port through one of the gateways.
14:56 < reiffert> one cert per client will help for the latter.
15:01 < pushpop> does the ca.crt generated on the server
15:01 < pushpop> need to be copied to the client?
15:04 < reiffert> pushpop: yes. as give in the howto.
15:04 < reiffert> given
15:04 < pushpop> ok thought so
15:04 < pushpop> just wanted to make sure i was understand it right
15:04 < reiffert> Filename Needed By Purpose Secret
15:04 < reiffert> ca.crt server + all clients Root CA certificate NO
15:06 < pushpop> i just did the entire process in the how to
15:06 < pushpop> and when I start openvpn it fials
15:06 < pushpop> and I get this
15:06 < pushpop> openvpn[12439]: Cannot load private key file /etc/openvpn/easy-rsa/keys/ca.                                        key: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
15:06 < pushpop> Nov 17 16:05:00 marc-virtual-machine openvpn[12439]: Error: private key password verification failed
15:06 < reiffert> pushpop: where did you get your config from?
15:07 < pushpop> server.conf?
15:07 < reiffert> jup
15:07 < pushpop> a how to on the net
15:07 < pushpop> http://www.smallnetbuilder.com/myincludes/new_page.php?howto_openvpn_config.htm
15:07 < reiffert> well then it's wrong.
15:07 <@vpnHelper> Title: SmallNetBuilder - New Page (at www.smallnetbuilder.com)
15:07 < pushpop> looks very close to that
15:07 < reiffert> ca.key has nothing to do in server.conf
15:08 < reiffert> check out the official howto and click "sample config"
15:08 < pushpop> ok
15:08 < pushpop> thx
15:09 < pushpop> last question
15:09 < pushpop> by default where does openvpn expect the keys/crts to be
15:09 < pushpop> or you must specify in the conf
15:12 -!- Squidy [~quassel@189.73.253.39] has joined #openvpn
15:12 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 255 seconds]
15:12 < reiffert> you can do both.
15:13 < pushpop> k
15:13 < reiffert> explicitly give a full path/to/every/file
15:13 < reiffert> or refer to them from the directory where the server.conf lives.
15:14 < reiffert> or name that directory by --cd /tmp
15:14 < reiffert> IIRC
15:14 -!- p3rror [~mezgani@41.140.47.30] has joined #openvpn
15:15 < pushpop> ok thank you
15:15 < reiffert> welcome
15:16 < pushpop> hehe
15:16 < pushpop> got a sec for a few more
15:16 < pushpop> ;client-config-dir ccd
15:17 < pushpop> i made my client cert
15:17 < pushpop> client1
15:17 < reiffert> afk
15:19 < pushpop> hehe
15:19 < pushpop> don't blame you
15:19 < pushpop> thx
15:19 < pushpop> =)
15:28 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
15:31 < pushpop> could someone may tell me where I went wrong here
15:31 < pushpop> http://pastebin.ca/1994953
15:31 < pushpop> syslog after i try to start the openvpn server
15:33 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
15:35 -!- Diffen2 [~diffen2@81-234-228-6-no32.tbcn.telia.com] has joined #openvpn
15:36 < reiffert> if it's still that ca.key stuff, then once again: ca.key does not belong to server.conf
15:36 < reiffert> back to watching tv eps
15:36 < pushpop> nm figured it out
15:36 < pushpop> what show
15:36 < pushpop> oursourced?
15:50 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has quit [Remote host closed the connection]
15:59 < Amacidia> reiffert: Can I ask you something, I understand that I am going to need to port forward at the client site in order for 2 desktops behind their router to stay connected, however I'm exactly sure what ports to forward. I know that the server listens on port 1194 but for the clients I'm not sure.
15:59 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has joined #openvpn
15:59 < Amacidia> I'm not*
16:00 -!- Squidy [~quassel@189.73.253.39] has quit [Remote host closed the connection]
16:02 -!- Squidy [~quassel@189.73.253.39] has joined #openvpn
16:10 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has quit [Remote host closed the connection]
16:20 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Remote host closed the connection]
16:22 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
16:22 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Client Quit]
16:23 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
16:23 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Remote host closed the connection]
16:24 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
16:35 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
16:39 -!- bitterman [~yury@84.51.198.114] has quit [Quit: Leaving]
16:41 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has joined #openvpn
16:42 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
16:43 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has quit [Remote host closed the connection]
16:45 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Read error: Connection reset by peer]
16:49 -!- s34n [~chatzilla@ip-208-76-93-125.mvdsl.com] has joined #openvpn
16:52 < s34n> I'm having trouble with ftp transfers across openvpn connections
16:52 < s34n> specifically, I can't transfer files successfully over the vpn
16:55 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has quit [Ping timeout: 245 seconds]
16:56 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
16:56 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
16:56 -!- s7r [5927ae4a@gateway/web/freenode/ip.89.39.174.74] has quit [Ping timeout: 265 seconds]
16:59 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:04 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
17:11 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has joined #openvpn
17:11 -!- kotique [~kotique@bluemile.vps.deepunix.net] has left #openvpn []
17:16 -!- barduck [~barduck@bzq-79-178-196-33.red.bezeqint.net] has quit [Quit: barduck]
17:16 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
17:20 -!- daemon [foobar@serial.daemonrage.net] has quit [Ping timeout: 265 seconds]
17:29 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
17:31 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Ping timeout: 255 seconds]
17:32 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
17:34 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Read error: Connection reset by peer]
17:38 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has joined #openvpn
17:39 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
17:40 < pushpop> anyone here familiar with setting up a site to site with openvpn?
17:41 < krzie> its cleanly spelt out in the manual under EXAMPLES
17:41 < krzie> !man
17:41 <@vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
17:43 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
17:43 -!- gogi [~gogi@hyde.gogi.tv] has joined #openvpn
17:43 < pushpop> that you sir
17:43 < pushpop> I was looking in the wrong place
17:43 < krzie> np
17:43 < gogi> what does the client-to-client do? are all packets sent to all clients?
17:43 < gogi> the option?
17:43 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Read error: Connection reset by peer]
17:45 < krzie> !c2c
17:45 <@vpnHelper> krzie: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind other
17:45 <@vpnHelper> krzie: clients
17:47 < gogi> how does openvpn know which ip address belongs to which client?
17:48 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has joined #openvpn
17:48 < krzie> it is what hands out IPs to clients
17:50 < gogi> and what if you do not hand out anything?
17:50 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
17:50 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Remote host closed the connection]
17:51 < krzie> what is it you are doing
17:52 < gogi> what happens if you simple connect multiple clients to a server
17:52 < gogi> and configure the clients manually
17:52 < gogi> and use the client-to-client option
17:52 < krzie> you asked how openvpn knows which ip belongs to which client
17:53 < krzie> if it did not know, how do you think ANY traffic would work...?
17:53 < krzie> what would happen is clearly explained above in !c2c
17:56 < gogi> i have openvpn instances where openvpn certainly does not know anything about addresses
17:56 < gogi> I do not use the client-to-client option though
17:57 < gogi> openvpn only works as a virtual cable
17:57 < gogi> oh wait
18:00 -!- gogi [~gogi@hyde.gogi.tv] has quit [Quit: Lost terminal]
18:01 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
18:06 < pushpop> krzie still there?
18:07 -!- Squidy [~quassel@189.73.253.39] has quit [Remote host closed the connection]
18:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
18:12 -!- kerfe [~a@234.pool85-60-147.dynamic.orange.es] has quit [Quit: • IRcap • 8.6 •]
18:18 -!- Squidy [~quassel@189.73.253.39] has joined #openvpn
18:19 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
18:27 -!- daemon [foobar@serial.daemonrage.net] has joined #openvpn
18:29 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Quit:  has left the bulding]
18:32 < krzie> pushpop, had you asked a more useful question ild be answering it now instead of saying "yes" and going back to working
18:33 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
18:42 -!- W0rmF00d is now known as WormFood
18:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
18:59 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
18:59 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has quit [Ping timeout: 265 seconds]
19:08 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has joined #openvpn
19:12 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
19:12 -!- Diffen2 [~diffen2@81-234-228-6-no32.tbcn.telia.com] has quit [Quit: This computer has gone to sleep]
19:20 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has quit [Remote host closed the connection]
19:33 -!- coppermine [~coppermin@modemcable042.177-176-173.mc.videotron.ca] has joined #openvpn
19:33 < coppermine> sometimes with my openvpn tunnel some network deamons still see my regular ip and some the end of tunnel ip
19:34 < coppermine> is this normal
19:34 < coppermine> like if i have named/exim/dante/socks/ etc all those deamons, i usually have to put both sets of ips in their .conf files to be sure
19:49 -!- coppermine [~coppermin@modemcable042.177-176-173.mc.videotron.ca] has left #openvpn []
19:52 < krzie> heh
19:59 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
20:02 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Ping timeout: 264 seconds]
20:03 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
20:26 <@vpnHelper> RSS Update - forum: Configuration :: Re: How to allow the client reach server entire subnet? :: Reply by shuji <https://forums.openvpn.net/viewtopic.php?f=6&t=7283&p=8454#p8454>
21:08 -!- Squidy [~quassel@189.73.253.39] has quit [Remote host closed the connection]
21:17 -!- SOG [~SOG@183.12.198.104] has joined #openvpn
21:35 -!- p3rror [~mezgani@41.140.47.30] has quit [Quit: Leaving]
21:50 -!- mick_laptop [~mick@clamwin/admin/mickhome] has joined #openvpn
21:50 < mick_laptop> hi everyone
21:52 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
21:53 -!- coppermine [~coppermin@modemcable042.177-176-173.mc.videotron.ca] has joined #openvpn
21:54 < coppermine> how come when my vpn tunnel is active i cant access ports from the main ip
21:54 < coppermine> if i stop openvpn i can
21:55 < krzee> you are using --redirect-gateway
21:55 < krzee> what OS is the client?
21:55 < coppermine> linux
21:55 < coppermine> do i need to forward the port from the other end of the tunnel
21:55 < coppermine> as it seems to see that ip
21:56 < coppermine> with iptables
21:56 < krzee> https://forums.openvpn.net/viewtopic.php?f=15&t=7163
21:56 <@vpnHelper> Title: OpenVPN Support Forum View topic - allow ssh via on non vpn address while vpn is open (at forums.openvpn.net)
21:56 < coppermine> ty sir
21:56 < krzee> yw
21:57 -!- coppermine [~coppermin@modemcable042.177-176-173.mc.videotron.ca] has quit [Client Quit]
22:03 <@vpnHelper> RSS Update - forum: Configuration :: Re: How to allow the client reach server entire subnet? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7283&p=8455#p8455>
22:06 -!- lupine_85 [~lupine_85@unaffiliated/lupine-85/x-7392152] has quit [Excess Flood]
22:07 -!- lupine_85 [~lupine_85@master.lupine.me.uk] has joined #openvpn
22:09 <@vpnHelper> RSS Update - forum: Configuration :: Re: Passthrough Issue :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7282&p=8456#p8456>
22:15 <@vpnHelper> RSS Update - forum: Server Administration :: Re: PASSTOS :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7281&p=8458#p8458> || Installation Help :: Re: Error driving me nuts :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=5&t=7277&p=8457#p8457>
22:32 -!- SOG [~SOG@183.12.198.104] has quit [Remote host closed the connection]
22:33 -!- SOG [~SOG@n112120191241.netvigator.com] has joined #openvpn
22:38 -!- SOG_ [~SOG@183.12.198.104] has joined #openvpn
22:41 -!- SOG [~SOG@n112120191241.netvigator.com] has quit [Ping timeout: 245 seconds]
22:41 -!- SOG_ is now known as SOG
23:01 <@vpnHelper> RSS Update - forum: Configuration :: Re: How to allow the client reach server entire subnet? :: Reply by shuji <https://forums.openvpn.net/viewtopic.php?f=6&t=7283&p=8459#p8459>
23:10 -!- dogarrhea [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
23:16 -!- humanMeat [alex@199.48.243.252] has joined #openvpn
23:19 -!- dogarrhea [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Ping timeout: 245 seconds]
23:20 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has joined #openvpn
23:22 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Client Quit]
23:22 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has joined #openvpn
23:26 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
23:28 -!- humanMeat [alex@199.48.243.252] has quit [Ping timeout: 240 seconds]
23:30 -!- humanMeat [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
23:32 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Ping timeout: 272 seconds]
23:38 < humanMeat> what is a gateway of 0.0.0.0? 
23:43 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:47 < humanMeat> well it appears open source docs are failing me again... http://openvpn.net/index.php/open-source/documentation/miscellaneous/88-1xhowto.html
23:47 <@vpnHelper> Title: 1xHOWTO (at openvpn.net)
23:48 < humanMeat> it's too old and inapplicable to my case
23:48 < krzee> whts the real question
23:48 < krzee> !goal
23:48 <@vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
23:51 < humanMeat> i am trying to access the internet through my remote ubuntu box with openvpn server installed on it from my windows client
23:51 < humanMeat> whatever i'm not playing this game 
--- Day changed Thu Nov 18 2010
00:01 <@vpnHelper> RSS Update - forum: Tutorials :: Unified configuration splitter :: Author zeroepoch <https://forums.openvpn.net/viewtopic.php?f=8&t=7285&p=8460#p8460>
00:02 -!- LumberCartel [~LumberCar@24.86.160.252] has joined #openvpn
00:04 < krzee> ahh
00:04 < krzee> !redirect
00:04 <@vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
00:04 < krzee> !linnat
00:04 <@vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
00:04 < krzee> !linipforward
00:04 <@vpnHelper> krzee: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
00:04 < krzee> !def1
00:04 <@vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
00:04 < krzee> that should do it ;]
00:05 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Quit:  has left the bulding]
00:07 -!- humanMeat [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Ping timeout: 272 seconds]
00:10 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
00:12 -!- Amacidia [~amacidia@70.74.161.36] has quit [Remote host closed the connection]
00:12 -!- Amacidia [~amacidia@70.74.161.36] has joined #openvpn
00:15 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has joined #openvpn
00:20 -!- Amacidia [~amacidia@70.74.161.36] has quit [Read error: Operation timed out]
00:28 -!- Amacidia [~amacidia@70.74.161.36] has joined #openvpn
00:34 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has quit [Ping timeout: 245 seconds]
01:06 -!- barduck [~barduck@bzq-79-178-196-33.red.bezeqint.net] has joined #openvpn
01:06 -!- barduck [~barduck@bzq-79-178-196-33.red.bezeqint.net] has quit [Client Quit]
01:06 -!- Druid_ [~mf@p5B1377DB.dip.t-dialin.net] has joined #openvpn
01:07 < Druid_> good morning
01:07 < Druid_> !welcome
01:07 <@vpnHelper> Druid_: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:10 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
01:26 -!- LumberCartel [~LumberCar@24.86.160.252] has quit [Ping timeout: 260 seconds]
01:27 -!- PhilKenSebben [~LumberCar@24.86.160.252] has joined #openvpn
01:27 -!- PhilKenSebben is now known as LumberCartel
01:51 -!- dazo_afk is now known as dazo
02:01 -!- Diffen2 [~diffen2@81-234-228-6-no32.tbcn.telia.com] has joined #openvpn
02:08 -!- kotique [~kotique@bluemile.vps.deepunix.net] has joined #openvpn
02:08 < kotique> So guys, how do I use MS cert store in order to use certificate off it in openpnv?
02:08 < kotique> is it something that's possible?
02:08 < kotique> I don't want to have certs lying around on filesystem
02:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
02:23 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:25 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 250 seconds]
02:26 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
02:33 < krzee> protect the certs with a passphrase
02:33 < krzee> ild trust openssl over ms
02:33 < krzee> well the certs are public, but protect the key
02:35 -!- Druid_ [~mf@p5B1377DB.dip.t-dialin.net] has quit [Ping timeout: 276 seconds]
02:40 -!- Druid_ [~mf@p5B137993.dip.t-dialin.net] has joined #openvpn
02:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 240 seconds]
02:40  * LumberCartel agrees with krzee.
02:50 <@vpnHelper> RSS Update - forum: Configuration :: Re: Passthrough Issue :: Reply by Werner <https://forums.openvpn.net/viewtopic.php?f=6&t=7282&p=8461#p8461>
02:50 -!- corretico [~corretico@201.201.44.82] has quit [Remote host closed the connection]
02:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
02:56  * Bushmills wonders why anyone would put trust into a program which has "MS" in its name
02:57 < kraut> moin
03:02 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
03:05 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
03:06 -!- jmkgreen [~chatzilla@wish-hq3.gotadsl.co.uk] has joined #openvpn
03:07 < jmkgreen> Is it possible to operate a load balancing/failover network without needing a different subnet per server?
03:11 -!- Diffen2 [~diffen2@81-234-228-6-no32.tbcn.telia.com] has quit [Quit: This computer has gone to sleep]
03:13 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
03:13 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
03:13 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
03:22 -!- SOG [~SOG@183.12.198.104] has quit [Read error: Connection reset by peer]
03:23 -!- SOG [~SOG@183.12.198.104] has joined #openvpn
03:23 < |Mike|> krzee: awake?
03:28 -!- Diffen2 [~diffen2@81-234-228-6-no32.tbcn.telia.com] has joined #openvpn
03:34 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
03:35 -!- kotique [~kotique@bluemile.vps.deepunix.net] has quit [Ping timeout: 240 seconds]
03:43 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
03:46 -!- master_of_master [~master_of@p57B57128.dip.t-dialin.net] has quit [Ping timeout: 250 seconds]
03:47 -!- master_of_master [~master_of@p57B57046.dip.t-dialin.net] has joined #openvpn
03:52 -!- kotique [~kotique@ip12.69-162-148.static.steadfast.net] has joined #openvpn
03:56 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
04:31 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has quit [Ping timeout: 265 seconds]
04:33 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined #openvpn
04:37 -!- Diffen2 [~diffen2@81-234-228-6-no32.tbcn.telia.com] has quit [Ping timeout: 240 seconds]
04:57 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:01 -!- Diffen2 [~diffen2@213-67-232-161-no32.tbcn.telia.com] has joined #openvpn
05:04 -!- kotique [~kotique@ip12.69-162-148.static.steadfast.net] has quit [Ping timeout: 240 seconds]
05:06 -!- brah [~asdofp@190.7.17.210] has joined #openvpn
05:07 -!- kotique [~kotique@host-static-109-185-140-24.moldtelecom.md] has joined #openvpn
05:13 < ksk> hello there
05:13 < ksk> !welcome
05:13 <@vpnHelper> ksk: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:14 < ksk> !howto
05:14 <@vpnHelper> ksk: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
05:14 < ksk> why doesnt it work in query to the bot? vpnHelper> "Error: "howto" is not a valid command."
05:17 < ksk> i once saw a nsis script for creating own installers. can you guide me thru?
05:19 -!- Diffen2 [~diffen2@213-67-232-161-no32.tbcn.telia.com] has quit [Ping timeout: 250 seconds]
05:21 -!- SOG [~SOG@183.12.198.104] has quit [Quit: SOG]
05:24 -!- Diffen2 [~diffen2@213-67-232-161-no32.tbcn.telia.com] has joined #openvpn
05:29 -!- LumberCartel [~LumberCar@24.86.160.252] has quit [Read error: Connection reset by peer]
05:29 -!- LumberCartel [~LumberCar@24.86.160.252] has joined #openvpn
05:41 <@dazo> !factoids
05:41 <@vpnHelper> dazo: "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
05:42 <@dazo> !win_rollup
05:42 <@vpnHelper> dazo: "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
05:42 <@dazo> ksk: ^^
05:43 <@dazo> (even though unattended windows installers might be a bit misguiding ... but it should give the basic ideas behind it)
05:44 < ksk> thanks
05:48 <@vpnHelper> RSS Update - forum: Server Administration :: Openvpn and shell script :: Author joeskop <https://forums.openvpn.net/viewtopic.php?f=4&t=7286&p=8462#p8462>
05:55 -!- atan [~atan@unaffiliated/atan] has quit [Ping timeout: 240 seconds]
05:59 -!- kotique [~kotique@host-static-109-185-140-24.moldtelecom.md] has quit [Ping timeout: 240 seconds]
06:00 -!- kotique [~kotique@ip12.69-162-148.static.steadfast.net] has joined #openvpn
06:06 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
06:20 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has joined #openvpn
06:24 <@vpnHelper> RSS Update - forum: Configuration :: Problems in Linux - Windows mixed environment. :: Author marto72 <https://forums.openvpn.net/viewtopic.php?f=6&t=7287&p=8463#p8463>
06:29 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: Operation timed out]
06:29 -!- k4r4mb4 [user@puffs.ganja.nl] has quit [Ping timeout: 245 seconds]
06:32 -!- LumberCartel [~LumberCar@24.86.160.252] has quit [Quit: RFCs the easy way -- http://www.openrfc.org/]
06:33 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
06:33 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
06:37 -!- atan3 [~atan@unaffiliated/atan] has joined #openvpn
06:38 -!- SURFkees [~kees@2001:610:508:109:21c:23ff:fe0a:282d] has joined #openvpn
06:38 -!- atan [~atan@unaffiliated/atan] has quit [Ping timeout: 240 seconds]
06:41 < SURFkees> Anyone know if OpenVPN is affected by the openssl CVE-2010-3864 bug?
06:42 <@vpnHelper> RSS Update - forum: Server Administration :: Network Issues in mixed Linux Windows Environment. :: Author marto72 <https://forums.openvpn.net/viewtopic.php?f=4&t=7288&p=8464#p8464> || Scripting and Customizations :: TAP-Win32 device and IPv6 addresses :: Author juhovh <https://forums.openvpn.net/viewtopic.php?f=15&t=7289&p=8465#p8465>
06:43 < |Mike|> openvpn uses openssl
06:43 < SURFkees> yup, but is openvpn multi-threaded and is it using the openssl internal caching mechanism?
06:44 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
06:44 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
06:45 < pushpop> anyone here kind enough to help me setup a site to site
06:46 < |Mike|> SURFkees: no, it's single-threaded 
06:47 < |Mike|> SURFkees: http://openvpn.net/archive/openvpn-users/2004-08/msg00186.html
06:47 <@vpnHelper> Title: Re: [Openvpn-users] 2.0 pthread support? (at openvpn.net)
06:48 < SURFkees> |Mike|: thanks :)
06:48 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Openvpn and shell script :: Reply by marto72 <https://forums.openvpn.net/viewtopic.php?f=4&t=7286&p=8466#p8466>
06:49 < |Mike|> maarten: stomme new kids morgen bij 3fm
06:49 < |Mike|> e-wrongchan
06:54 -!- SURFkees [~kees@2001:610:508:109:21c:23ff:fe0a:282d] has left #openvpn ["Leaving"]
07:06 -!- Squidy [~quassel@187.7.246.159] has joined #openvpn
07:13 < Druid_> i need a specialist :) what could be the cause that tcp connection works and udp not?
07:13 < Druid_> between windows client and freebsd ovpnserver
07:14 < |Mike|> Druid_: firewall?
07:15 < |Mike|> or one uses tcp and the other udp...
07:15 < |Mike|> configuration
07:15 < Druid_> both uses udp
07:15 < |Mike|> firewall accepts it?
07:15 < Druid_> Thu Nov 18 13:43:01 2010 us=725486 UDPv4 link local (bound): 213.131.228.201:1194
07:15 < |Mike|> does openvpn server listen on the udp port?
07:16 < Druid_> setup by this tut: http://www.pronix.de/pronix-935.html
07:16 <@vpnHelper> Title: OpenVPN Tutorial (at www.pronix.de)
07:16 < Druid_> no firewall on server side
07:16 < |Mike|> restarted the openvpn server after you editted the config?
07:16 < Druid_> sure
07:16 < |Mike|> and the client as well?
07:18 -!- atan3 [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
07:18 < Druid_> yep, the windows ovpn client
07:18 -!- atan3 [~atan@unaffiliated/atan] has joined #openvpn
07:19 < |Mike|> restarted windows?
07:19 < |Mike|> (i'm not into windows hehe)
07:19 < Druid_> i guess that's not necessary :)
07:19 < Druid_> it's specified in the client.ovpn
07:21 -!- Diffen2 [~diffen2@213-67-232-161-no32.tbcn.telia.com] has quit [Quit: This computer has gone to sleep]
07:21 < ecrist> !logs
07:21 <@vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
07:21 < |Mike|> my experience with windows is like: reboot it if it aint working :P
07:21 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Openvpn and shell script :: Reply by joeskop <https://forums.openvpn.net/viewtopic.php?f=4&t=7286&p=8467#p8467>
07:23 < Druid_> ah k
07:23 < Druid_> Thu Nov 18 14:13:38 2010 Cannot load private key file [[INLINE]]: error:0906D066:PEM routines:PEM_read_bio:bad end line
07:23 < Druid_> Thu Nov 18 14:13:38 2010 Error: private key password verification failed
07:23 -!- atan3 [~atan@unaffiliated/atan] has quit [Client Quit]
07:23 < ecrist> Druid_: that !logs line was directed at you
07:23 < Druid_> yes, thats from client log
07:24 < |Mike|> bad end line <-- i wonder how it ever worked with tcp then :-)
07:24 < Druid_> it didn't work, it showed a connect on serverside
07:25 < |Mike|> Hm, i thought you switched from tcp to udp
07:31 -!- k4r4mb4 [user@puffs.ganja.nl] has joined #openvpn
07:32 < pushpop> Hi All, I successfully created a tunnel (site2site) between two sites of mine.  The OpenVPN servers are behind a firewall.  I was wondering how I would get the clients on each network to communicate with each other?
07:33 < Druid_> hm oh okay
07:33 < Druid_> the cause was the pem file
07:34 < Druid_> ecrist: http://yourpaste.net/6214
07:35 < Druid_> thats the config file
07:35 < Druid_> i want to access the 192.168.0.0 255.255.0.0 network, anthing i'm missing?
07:39 < ecrist> gah, 
07:41 < ecrist> Druid_: it's usually better to remove comments when posting configs
07:41 < Druid_> sorry
07:51 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: TAP-Win32 device and IPv6 addresses :: Author juhovh <https://forums.openvpn.net/viewtopic.php?f=15&t=7289&p=8465#p8465>
08:05 < ksk> is it needed to set the PATH variable to use openvpn on windows?
08:05 < ksk> (in installer its optional)
08:06 -!- Diffen2 [~diffen2@213-67-232-161-no32.tbcn.telia.com] has joined #openvpn
08:16 -!- nettie [~nettie@stewie.freax.it] has joined #openvpn
08:16 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 255 seconds]
08:18 < nettie> HI guys, I setup an openvpn tunnel (and it works) but I keep seeing a warning message in the log saying I have a LAN+VPN address block clashing which I can't see .. The error message is: "WARNING: potential route subnet conflict between local LAN", it also indictates the ranges involved.
08:21 < ecrist> Druid_: I'd suggest not using that particular subnet, it's too common.
08:21 < ecrist> nettie: !logs
08:21 < ecrist> !logs
08:21 <@vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
08:22 < Druid_> okay
08:22 < nettie> thanx just a sec
08:22 < Druid_> gonna switch to 10.0
08:22 < Druid_> 192.168 for home
08:22 -!- Diffen2 [~diffen2@213-67-232-161-no32.tbcn.telia.com] has quit [Quit: This computer has gone to sleep]
08:22 < ecrist> Druid_: that's probably good.  tbh, though, I'd suggest something in the 172.12 1918 space
08:22 < ecrist> !1918
08:22 <@vpnHelper> ecrist: "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, adn 192.168.0.0/16, or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html
08:23 < ecrist> oops, 172.16/12
08:23 < Druid_> okay
08:23 < Druid_> trying to bridge setup now
08:24 < Druid_> need to bridge tun0 and the em0 (which has the local network) right?
08:26 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Openvpn and shell script :: Reply by joeskop <https://forums.openvpn.net/viewtopic.php?f=4&t=7286&p=8468#p8468>
08:31 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
08:38 < nettie> ecrist I think I found the issue, I'm going to produce the logs, just a clarification, in server.conf when I write: server 10.3.5.0 255.255.255.0 <- this is the network dedicate to tunnels?
08:39 < ecrist> yes
08:46 < ecrist> nettie: just fyi, I don't respond to unsolicited PMs
08:48 < nettie> didn't you ask me for a pastebin?
08:49 < ecrist> yeah, post the link here in the channel.
08:50 < nettie> ecrist: ok :) http://pastebin.com/9CESfBN9
08:50 < nettie> thanx
08:51 < ecrist> !learn logs as see !pb for our preferred pastebin
08:51 <@vpnHelper> ecrist: Joo got it.
08:51 < ecrist> that's not for you, nettie 
08:51  * ecrist reads log
08:52 < ecrist> nettie: the issue is that you're using the same IP space on the VPN and your local lan.
08:52 < ecrist> !configs
08:52 <@vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) use http://pastebin.com or http://pastebin.ca
08:52 < nettie> ecrist: this is what google says
08:53 < ecrist> !forget configs 3
08:53 <@vpnHelper> ecrist: Joo got it.
08:53 < nettie> but I can assure you I'm not doing that :)
08:53 < ecrist> !configs
08:53 < nettie> eheh
08:53 <@vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
08:53 < ecrist> !learn configs as see !pb for our preferred pastebin
08:53 <@vpnHelper> ecrist: Joo got it.
08:54 < nettie> ecrist the server address is on a public address block
08:54 < ecrist> I see that.
08:54 < ecrist> what's the IP of your client machine, the private IP?
08:54 < nettie> ecrist: the client is on a private block which is 192.168.2.0/24
08:54 < nettie> ecrist: the client wan is on 192.168.1.0/24
08:55 < nettie> ecrist: cliente machines are on 192.168.2.0/24
08:55 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: TAP-Win32 device and IPv6 addresses :: Author juhovh <https://forums.openvpn.net/viewtopic.php?f=15&t=7289&p=8465#p8465>
08:55 < nettie> clients
08:56 < ecrist> ah, it seems you're pushing a route you shouldn't be pushing.  configs would be nice
08:56 < ksk> i hope its okay if i ask again: why to add openvpn/bin to PATH in windows? is it needed/recommended/why?
08:56 < nettie> ok, to be clear the openwrt is acting as openvpn client, the was is on 192.168.1.0/24 the lan is on 192.168.2.0/24 and the physical clients shares openwrt lan with 192.168.2.0/24 addresses
08:57 < nettie> ecrist exactyl
08:57 < nettie> that's what I noticed as well
08:58 < nettie> seems I'm pushing the tunnel netowrk
08:58 < nettie> the network dedicated to tunnels
08:58 < nettie> this is the only thing I'm pushing push "redirect-gateway"
08:58 < ecrist> yep, and you shouldn't be.
08:58 < ecrist> configs, please.
08:59 < nettie> just a sec
08:59 < nettie> ecrist server side right?
08:59 < ecrist> both
09:02 < nettie> ecrist: http://pastebin.com/JuQZ4bHr
09:05 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
09:08 -!- krzee [~k@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
09:13 -!- jmkgreen [~chatzilla@wish-hq3.gotadsl.co.uk] has quit [Ping timeout: 240 seconds]
09:14 < Druid_> hm
09:14 < Druid_> my openvpn client hangs at "obtaining configuration
09:14 < nettie> ecrist: looks fine right? it's actually working but I keep gettign the waring mesage
09:14 < nettie> message
09:15 < Druid_> and tap0 doesn't get an ip-address assigned
09:15 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined #openvpn
09:16 < grendal_prime> hey guys
09:16 < grendal_prime> im going crazy with this dhcp nak problem
09:16 -!- jmkgreen [~chatzilla@wish-hq3.gotadsl.co.uk] has joined #openvpn
09:16 -!- jmkgreen [~chatzilla@wish-hq3.gotadsl.co.uk] has quit [Client Quit]
09:16 < grendal_prime> has anyone see dhcp go apshit crazy on win 7 boxes?
09:18 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Read error: Connection reset by peer]
09:18 < grendal_prime> it seems to be isolated to when the interface gets taken down and brought back up.
09:23 < Druid_> ecrist when bridging, do i actually need to bridge the tap0 with the interface with the localnet ip or with the inet ip?
09:23 <@vpnHelper> RSS Update - forum: Installation Help :: Re: Error driving me nuts :: Reply by TuxBrother <https://forums.openvpn.net/viewtopic.php?f=5&t=7277&p=8470#p8470>
09:26 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has quit []
09:29 <@vpnHelper> RSS Update - forum: Installation Help :: Re: Error driving me nuts :: Reply by TuxBrother <https://forums.openvpn.net/viewtopic.php?f=5&t=7277&p=8471#p8471>
09:41 <@vpnHelper> RSS Update - forum: Installation Help :: Re: Error driving me nuts :: Reply by TuxBrother <https://forums.openvpn.net/viewtopic.php?f=5&t=7277&p=8473#p8473>
09:42 -!- TuxBrother [d9780cc5@gateway/web/freenode/ip.217.120.12.197] has joined #openvpn
09:42 < TuxBrother> hello ppl
09:43 < TuxBrother> simple question
09:43 < TuxBrother> OpenVPN Server on Linux, Level 2 Ethernet Bridging
09:43 < TuxBrother> goal:
09:44 < TuxBrother> assing the clients a IP from the default gateway. Example: 192.168.1.0 is the server subnet, when a client connects, the router assigns an IP from the 192.168.1.0 subnet
09:45 < TuxBrother> and not the server to its own, for example, 192.168.2.0 subnet
09:52 <@vpnHelper> RSS Update - forum: Tutorials :: Re: OpenVPN Install Guides :: Reply by adi.kwok <https://forums.openvpn.net/viewtopic.php?f=8&t=2&p=8452#p8452>
09:52 < ecrist> Druid_: if you're trying to access systems across a given box, yes
09:53 < Druid_> ecrist i setup briding, got a home router here adressrange 192.168.178.x
09:53 < Druid_> now on the serverside one adapter has the internet ip
09:53 < Druid_> and one adapter an local (remote) ip
09:53 < Druid_> each net has it own switch
09:54 < Druid_> so em0 is connected to the switch for local network, em1 to the switch to the internet gateway
09:55 < Druid_> no luck yet
09:56 < Druid_> the windows tap device don't get an ip assigned
09:56 < ecrist> you just need to bridge em0 and tap0
09:56 < ecrist> not em1
09:56 < Druid_> jep, that's how i do it now 
09:56 < Druid_> freebsd
09:56 < Druid_> bridge0 doesn't get an ip assigned
09:57 < ecrist> make sure ip_forward sysctl = 1, too
09:57 < ecrist> make sure bridge0 is 'up' too
09:57 < Druid_> net.inet.ip.forwarding: 1
10:00 < Druid_> it is up
10:03 <@vpnHelper> RSS Update - forum: Tutorials :: Unified configuration splitter :: Author zeroepoch <https://forums.openvpn.net/viewtopic.php?f=8&t=7285&p=8460#p8460>
10:06 < Druid_> the problem is, that the tap0 adapter gets no ip address assigned
10:09 <@vpnHelper> RSS Update - forum: Installation Help :: Re: Is it a problem with openvpn or virtualbox ? :: Reply by dazo <https://forums.openvpn.net/viewtopic.php?f=5&t=7035&p=8475#p8475>
10:15 <@vpnHelper> RSS Update - forum: Configuration :: Re: How to allow the client reach server entire subnet? :: Reply by shuji <https://forums.openvpn.net/viewtopic.php?f=6&t=7283&p=8476#p8476>
10:17 < Druid_> okay now i managed that my windows box tap device gets an ip assigned
10:19 -!- jmkgreen [~chatzilla@wish-hq3.gotadsl.co.uk] has joined #openvpn
10:21 <@vpnHelper> RSS Update - forum: Server Administration :: SOLVED Re: Openvpn and shell script :: Reply by joeskop <https://forums.openvpn.net/viewtopic.php?f=4&t=7286&p=8478#p8478> || Configuration :: Re: Samba Performance problems :: Reply by dazo <https://forums.openvpn.net/viewtopic.php?f=6&t=7195&p=8477#p8477>
10:24 < jmkgreen> so we're looking at some form of load balancing solution, partly for redundancy's sake
10:25 < jmkgreen> looking at the docs, we can connect our clients to multiple servers, but it only suggests to maintain a single subnet per server
10:25 < jmkgreen> is there any way of a client connected to server a on 10.0.1.x talking with a client on server b on 10.0.1.x?
10:26 < EmperorT1m> the multiple servers don't check to see if an address is in use before assigning it, so you can end up with conflicts
10:26 < jmkgreen> sorry server b with 10.0.2.x
10:27 < EmperorT1m> if your subnet is 10.0.0.0/22, they will be able to talk directly.
10:27 < jmkgreen> presumably via the two servers?
10:27 < EmperorT1m> we split a /24 between two servers in bridged mode
10:27 -!- Diffen2 [~diffen2@213-67-232-161-no32.tbcn.telia.com] has joined #openvpn
10:29 < EmperorT1m> are you running openvpn bridged or routed?
10:30 < jmkgreen> bridged apparently
10:33 -!- Thibaud [~Thibaud@ks21241.kimsufi.com] has joined #openvpn
10:33 < Thibaud> Hi.
10:33 < EmperorT1m> you may want verify that, "apparently" doesn't install much confidence. assuming they are running bridged, and the servers are on the same broadcast domain, clients should be able to communicate with each other if they are assigned addresses from different parts of a common logical subnet.
10:33 < EmperorT1m> s/install/instill/
10:34 < jmkgreen> EmperorT1m: I say apparently as I just spoke to the person who set it up. He did not use the word "apparently"
10:35 < jmkgreen> EmperorT1m: so essentially the server the clients are connected to acts as a software switch routing messages between them.
10:37 < EmperorT1m> OpenVPN in bridged mode acts as a software switch between the client and the ethernet interface assigned to the software bridge (the bridging is technically handled by the underlying OS). To be clear, the two servers still need to be connected by a physical switch.
10:37 -!- Varazir [mircwars@c-94-255-129-218.cust.bredband2.com] has quit [Ping timeout: 276 seconds]
10:41 -!- EmperorT1m is now known as EmperorTom
10:41 < jmkgreen> EmperorT1m: We have a series of dedicated hosts in two datacentres with each host having only a standard public IP connected to a shared switch. Does this still meet the requirements?
10:42 < jmkgreen> I'm just wondering it the bridging between the servers is more by virue of the arp cache within the switch
10:42 < jmkgreen> virtue, even
10:45 < EmperorTom> My guess is probably not, unless the servers at each datacenter share a common broadcast domain; possible, but not common. Are the servers at each DC linked by VPN or some other mechanism?
10:46 < jmkgreen> nope
10:46 < jmkgreen> just two independant providers. we're actually migrating from one to the other.
10:47 < EmperorTom> so the idea is that clients connect to either server, and can access resources on either network?
10:48 < nettie> ecrist: another question.. if you have a minute.. I'm noticing latency spikes when from spoke2 I ping the a remote clientA. This does not happen when, from spoke2 I ping the spoke1. clientA---spoke1---hub---spoke2--clientB
10:48 < jmkgreen> we have two issues (well, I have). one is migrating from the single openvpn server in the "old" datacentre to the machine of the same hostname in the "new" datacentre, and I happen to be concerned that we only have one vpn server - if that goes down an awful lot of servers (vpn clients) will stop talking to each other
10:48 < jmkgreen> EmperorTom: I'm looking for redundancy and shared network traffic load, if at all possible. Add in simple configuration and I'd have a nice cake to eat! :-)
10:50 < jmkgreen> we effectively have a star network whereby every node and the server is physically provisioned the same way. The VPN allows secure traffic between the lot. Clearly if the server goes, that's all inter-node communication gone.
10:51 < jmkgreen> if - if - we could have redundancy at the server level allowing clients to pick a server from a list and be able to talk to all other connected clients that solves at least part of the problem. However, some nodes are provisioned by provider A, some by provider B.
10:54 < EmperorTom> the best solution in my mind would be to put a pair (or more?) of servers at the new data center, bridged and connected by a switch. this would be the scenario I described before. If you need those clients to be able to talk to the old DC in the interrim, set up the vpn server at the old DC to connect to the new DC as another VPN client. Push static routes to your other clients so that they can get to the hosts @ old DC
10:55 -!- Thibaud [~Thibaud@ks21241.kimsufi.com] has quit [Remote host closed the connection]
10:55 < jmkgreen> EmperorTom: when you say switch are you referring to a private one or the same shared switch that are connected to anyway>
10:56 -!- Thibaud [~Thibaud@ks21241.kimsufi.com] has joined #openvpn
10:57 < EmperorTom> assuming you have a switch the new DC, just use that. should be no need for an additional switch. My point was simply that the two vpn servers need to be on the same broadcast domain so that their clients can talk to each other.
11:00 -!- dazo is now known as dazo_afk
11:01 < jmkgreen> EmperorTom: I'm just trying to clear up in my head the notion of broadcast domain. been a while since i used such terminology. are you referring to x.y.z.255 where x.y.z is the physical interfaces connected to the switch on both servers? Ours are connected to the same switch, but using the IP addresses assigned to us by the hosting companies involved.
11:03 < jmkgreen> reading http://en.wikipedia.org/wiki/Broadcast_domain :)
11:03 <@vpnHelper> Title: Broadcast domain - Wikipedia, the free encyclopedia (at en.wikipedia.org)
11:06 < krzie> same broadcast domain, only needed if layer2 is needed
11:06 < EmperorTom> If they're connected to the same switch, then they in the same broadcast domain (barring vlans and other complex configuration).
11:07 -!- krzie is now known as krzee
11:07 < krzee> g'mornin tom
11:07 < EmperorTom> The IP addresses of the servers themselves are irrelevant in that situation, because the clients can still talk to each other
11:07 < EmperorTom> mornin'
11:12 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
11:13 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Ping timeout: 245 seconds]
11:15 -!- pushpop1 [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has joined #openvpn
11:19 -!- kotique [~kotique@ip12.69-162-148.static.steadfast.net] has quit [Quit: жопа диридай диридиридай]
11:25 < Druid_> gnaa
11:25 < Druid_> i think i just buy 2 vpn appliances
11:26 < ecrist> Druid_: if you figure out openvpn, you'll be better off
11:26 -!- grendal_prime [~sgraham@74.221.225.31] has joined #openvpn
11:26 < Druid_> ecrist, i managed the connection, ip will be assigned, routes done in windows
11:26 < Druid_> but still i can't ping the gateway
11:27 < ecrist> did you ever paste configs?
11:27 < Druid_> wait
11:27  * ecrist is working, so may have missed them.
11:28 < Druid_> http://pastebin.com/Jd6XwGzj
11:31 < Druid_> for the client
11:31 < Druid_> http://pastebin.com/FktEMm6i
11:31 < Druid_> for the server
11:32 < Druid_> the client connect does a simple ifconfig bridge0 addm $dev
11:32 < Druid_> and disconnect a ifconfig bridge0 deletem $dev
11:33 < ecrist> why?
11:33 < ecrist> you don't need to add each client connection to the bridge
11:34 < Druid_> a okay
11:34 < Druid_> so a static bridge will be good enough?
11:34 < ecrist> yep
11:34 < Druid_> output serverlog: http://pastebin.com/9s2Gnw35
11:34 < ecrist> I also use FreeBSD, pretty heavily, and my config involves a static tap0 interface in rc.conf along with a bridge interface
11:34 < ecrist> I do have an up script to up the interface tap0, though
11:37 < Druid_> cloned_interfaces="bridge0"
11:37 < Druid_> ifconfig_bridge0="addm em0 addm tap0 up"
11:37 < ecrist> cloned_interfaces="bridge0 tap0"
11:38 < ecrist> dev tap0 in your server.conf
11:38 < Druid_> thy tap0
11:38 < Druid_> hm okay
11:39 < Druid_> using freebsd 8.1
11:39 < Druid_> isn't tap0 created by kldload if_tap ?
11:39 < Druid_> http://pastebin.com/RXaQ1QcU
11:40 < ecrist> it can be, but you can use a static one
11:40 < Druid_> is the openvpn rc up
11:40 -!- jmkgreen [~chatzilla@wish-hq3.gotadsl.co.uk] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.12/20101026210630]]
11:44 < Druid_> ecrist: http://pastebin.com/muiLtUP4
11:45 < Druid_> thats the ifconfig now
11:45 < Druid_> with static bridge and tap0
11:45 -!- dazo_afk is now known as dazo
11:46 < ecrist> looks good, Druid_ 
11:46 < ecrist> my up.sh simply has the following two lines:
11:46 < ecrist> #!/bin/sh
11:46 < ecrist>  /sbin/ifconfig tap0 up
11:47 -!- Thibaud [~Thibaud@ks21241.kimsufi.com] has quit [Quit: Thibaud]
11:47 < Druid_> you call that with up or client-connect?
11:47 < ecrist> up
11:47 < ecrist> you don't need client-connect scripts, from what I can tell
11:47 < Druid_> k
11:48 < Druid_> if i say in rc.cof ifconfig_tap0="up" will be the same
11:49 < ecrist> no
11:50 < Druid_> not?
11:51 < Druid_> okay
11:51 -!- zxvf is now known as zxvff
11:52 < Druid_> trying again
11:56 < Druid_> ahhh
11:56 < Druid_> uhh
11:56 < Druid_> that did it
11:56 < Druid_> it seems
11:57 < ecrist> :)
11:59 < Druid_> but still i see a pro for an appliance :)
11:59 < Druid_> i don't want my kvm-over-ip floating on the internet
12:00 < ecrist> o.O  what do you mean?
12:00 < Druid_> my boxes have kvm-over-ip
12:00 < ecrist> so?
12:00 < Druid_> dedicated ip / lanport for kvm
12:00 -!- s7r [~pixel@89.39.174.74] has joined #openvpn
12:00 < ecrist> I understand, why do you mean 'floating on the internet'
12:00 < Druid_> if i put that into the local network
12:00 < ecrist> s/why/what/
12:00 < Druid_> and the box crashes :D
12:00 < Druid_> with openvpn, i could not access the kvm anymore :D
12:01 < ecrist> if you put that into the local network, they're not 'on the internet' but on the vpn
12:01 < Druid_> yep
12:01 < Druid_> but i sometimes make mistakes in ifconfig and stuff
12:01 < Druid_> :D
12:03 < Druid_> but that's my only concern
12:08 < nettie> ecrist, with a tcp based tunnel is normal having spikes duing icmp pings?
12:10 < ecrist> yep
12:10 < ecrist> !tcp
12:10 <@vpnHelper> ecrist: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
12:11 -!- s7r [~pixel@89.39.174.74] has quit [Ping timeout: 240 seconds]
12:12 < Druid_> hm
12:12 < Druid_> ecrist, the openvpn client for windows adds a weird route
12:12 < Druid_>      0.0.0.0        128.0.0.0         10.0.1.1        10.0.1.50     31
12:12 < Druid_> so every ip below 128.... will get to 10.0.1.1
12:12 < ecrist> !def1
12:12 <@vpnHelper> ecrist: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
12:13 < ecrist> that explains why. :)
12:13 < Druid_> the original gateway is still there
12:13 < ecrist> that's from your route-gateway def1
12:13 < ecrist> yep, it's supposed to be.
12:13 < ecrist> otherwise, you'd lose your VPN connection.
12:13 < ecrist> it's a viscious loop
12:14 < Druid_> in client.ovpn right?
12:14 < Druid_> no push should be server
12:15 < ecrist> yeah, in server
12:15 < ecrist> Druid_: don't worry about that route, it's valid.  ignore it
12:16 < Druid_> ecrist, doesn't let me ping ip's below 128 :)
12:16 < Druid_> 'PUSH_REPLY,route 10.0.0.0 255.255.0.0,redirect-gateway def1,route-gateway 10.0.1.1,ping 10,ping-restart 120,ifconfig 10.0.1.50 255.255.0.0' (status=1)
12:16 < ecrist> sure, are you using pf on the freebsd server to nat traffic from the vpn out to the internet?
12:16 < Druid_> nope
12:16 < ecrist> that's going to be a problem.
12:17 < Druid_> ip's above 128.x.x.x do work
12:17 < Druid_> :D
12:19 < nettie> yeah.. unfortunately all I can do it tunneling in tcp
12:20 < Druid_> ecrist: http://pastebin.com/ZE3ASFgX
12:23 < Druid_> ecrist so i can't change it?
12:23 -!- grendal_prime [~sgraham@74.221.225.31] has quit [Ping timeout: 240 seconds]
12:23 < ecrist> Druid_: are you trying to route all internet traffic across your VPN?
12:23 < Druid_> no
12:23 < Druid_> i don't want any internet traffic on my vpn :)
12:23 < ecrist> then remove the route-gateway def1 line
12:24 < Druid_> push "redirect-gateway def1"
12:24 < Druid_> this one?
12:27 < Druid_> hm
12:27 < Druid_> the client still adds 0.0.0.0 128.0.0.0
12:29 < ecrist> remove that, restart the VPN
12:29 < ecrist> server
12:29 < ecrist> then show me your configs again.
12:29 < ecrist> new paste
12:34 < Druid_> http://yourpaste.net/6217
12:34 < Druid_> server.conf
12:36 < Druid_> paste from server-log
12:36 < Druid_> http://yourpaste.net/6218/
12:38 < Druid_> and log from client
12:38 < Druid_> http://yourpaste.net/paste
12:38 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined #openvpn
12:47 -!- Peter_ [~Peter@belgique.perret.ca] has joined #openvpn
12:48 < grendal_prime> ok
12:49 < grendal_prime> anybody here?
12:49 < Peter_> I don't know if I can help you but I can try
12:49 < grendal_prime> we have a windows client that crashes when we add a new interface..the client drops the connection...and it doesnt come back up..whats up with that?
12:50 < Peter_> Oh… Windows… I don't use this OS, I'm sorry, I won't be able to help you on that.
12:50 < grendal_prime> is there something we can set (like a redial) on the client in the event that it goes down?  Im not familiar with the windows clients...the linux clients just work.
12:54 < ecrist> Druid_: looking
13:01 < Peter_> I also have a question if someone has the answer.
13:01 < Peter_> I'm using a tap interface and I would like to route a specific ip address that on not in the IP subnet (255.255.255.0) but actually is in LAN.
13:01 < Peter_> In other words, I would like to push that info in client configs "ip route add w.x.y.z dev tap0"
13:01 < Peter_> Any idea please ?
13:01 < ecrist> push "route <ip> <netmask> <gateway>"
13:01 < ecrist> in server config
13:02 < Peter_> I would like to specify the interface.
13:02 -!- [intra]lanman [~lanman@12.200.95.45] has joined #openvpn
13:02 -!- [intra]lanman [~lanman@12.200.95.45] has quit [Changing host]
13:02 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
13:02 < Peter_> This IP is not par of my IP subnet.
13:02 < grendal_prime> ya this blows
13:03 < Peter_> So it's redirected in the wrong interface
13:03 < ecrist> the gateway must be part of your subnet, the routed IP usually isn't (otherwise you don't need a route)
13:03 < Peter_> When I do it manually it works, but it's not so great.
13:03 < ecrist> omit gateway
13:03 < ecrist> push "route <ip> <netmask>"
13:04 < grendal_prime> we have  a situation where we want some connected boxes to connect to another server.  When we add the second tap device we loose connectivity and it never comes back up.
13:04 < ecrist> grendal_prime: --resolve-retry
13:04 -!- dazo is now known as dazo_afk
13:04 < grendal_prime> we have a snifff that shows the entire dhcp process and the server denying to assign an ip address that it just offered.
13:05 < Peter_> it's better without the submask (because it's in my LAN) but because it's not part of my subnet LAN it's redirected to the wrong interface. Maybe I'm not explaining the thing well.
13:05 -!- TuxBrother [d9780cc5@gateway/web/freenode/ip.217.120.12.197] has quit [Ping timeout: 265 seconds]
13:06 < ecrist> Peter_: create an --up script that adds the route manually
13:06 < ecrist> just needs to be a batch file, then.
13:07 < Peter_> ah really? So I add "up command" and make a script?
13:07 < Peter_> called command
13:07 < ecrist> yep
13:07 < Peter_> ok!
13:07 < ecrist> :)
13:08 < Peter_> The thing is with the route command it works with all OSs
13:08 < Peter_> I'm not sure it will be the same.
13:08 < ecrist> yeah, but it doesn't support device name
13:08 < ecrist> windows doesn't call them tap0 tap1 etc
13:08 < Peter_> ok. It's more OS X and Linux so it's not a problem.
13:08 < Peter_> $
13:08 < ecrist> and really, openvpn server has no way of knowing the name of the interface on the remote end.
13:09 < Peter_> so I just have to guess that it's tap0.
13:09 < ecrist> might be a valid wishlist item, though, to add a keyword, and the client can determine the interface name and append it to the route command.
13:09 < ecrist> !wishlist
13:09 <@vpnHelper> ecrist: "wishlist" is https://forums.openvpn.net/viewforum.php?f=10 for the openvpn wishlist
13:10 < Peter_> I'm going to make a post then.
13:10 < Peter_> Thank you ecrist :)
13:10 < ecrist> np
13:10 -!- Irssi: No bans in channel #openvpn
13:10 < Peter_> 've been struggling for hours on that problem ^^
13:12 < grendal_prime> ecrist, hey we set that for infinate
13:12 < grendal_prime> the resolv-retry.
13:12 < ecrist> grendal_prime: then it should just reconnect, when it's able to
13:13 < ecrist> if there are other issues, we can't really do anything abou tthat.
13:13 < grendal_prime> how long are we typically going to have to wait for it.?
13:13 < grendal_prime> it just seems odd that adding a tap interface would take down existing tap interfaces.
13:13 < grendal_prime> it sort of ...well makes things..bad..
13:13 < ecrist> grendal_prime: no idea, I'm not your admin.   sounds like something is seriously screwed up in your config
13:14 < grendal_prime> seems to be a client issue
13:14 < grendal_prime> we didnt have this probelem with the xp clients...well not like this
13:14 < grendal_prime> i poseted on the forum but no responces yet
13:16 < grendal_prime> the resolv-retry that goes into the client config right?
13:16 < ecrist> yeah
13:16 < ecrist> have you looked to the client logs, to find out why the connection is dropped?
13:17 < grendal_prime> think i should enable something on the server for that as well.
13:17 < grendal_prime> ok log says
13:17 < grendal_prime> sigterm[soft,tun-stop]received, process exiting
13:18 < grendal_prime> thats the last thing anyway
13:22 -!- Peter_ [~Peter@belgique.perret.ca] has quit [Quit: Peter_]
13:28 <@vpnHelper> RSS Update - forum: Installation Help :: Re: Is it a problem with openvpn or virtualbox ? :: Reply by dazo <https://forums.openvpn.net/viewtopic.php?f=5&t=7035&p=8475#p8475>
13:29 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
13:32 < grendal_prime> we tried running the app in compatability mode too...no dice.
13:40 <@vpnHelper> RSS Update - forum: Server Administration :: Re: How to preserve client’s IP when --duplicate-cn enabled :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7273&p=8480#p8480>
13:41 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has joined #openvpn
13:46 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 245 seconds]
13:55 < Druid_> ecrist, looked into the config
13:56 < ecrist> what?
13:57 < Druid_> the 0.0.0.0 128.0.0.0 subnet
13:57 < Druid_> thingie
13:57 < krzee> that is
13:57 < krzee> !def1
13:57 <@vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
13:58 < Druid_> i removed that line
13:59 < ecrist> Druid_: if that line is removed, then you shouldn't be getting that route anymore
14:00 < krzee> assuming you restarted the config that had that line in it
14:01 < Druid_> Thu Nov 18 20:58:40 2010 us=967000 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.0.1.1
14:01 < Druid_>  OK!
14:01 < Druid_> Thu Nov 18 20:58:41 2010 us=264000 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.0.1.1
14:01 < Druid_> in the client
14:01 < Druid_> RThu Nov 18 20:58:49 2010 us=475894 Boss/91.19.121.147:58563 PUSH: Received control message: 'PUSH_REQUEST'
14:01 < Druid_> Thu Nov 18 20:58:49 2010 us=476124 Boss/91.19.121.147:58563 SENT CONTROL [Boss]: 'PUSH_REPLY,route 10.0.0.0 255.255.0.0,route-gateway 10.0.1.1,ping 10,ping-restart 120,ifconfig 10.0.1.50 255.255.0.0' (status=1)
14:02 < Druid_> in the server log
14:02 < ecrist> no posting in the channel please
14:02 < ecrist> !logs
14:02 <@vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin
14:02 < Druid_> http://yourpaste.net/6217
14:02 < Druid_> http://yourpaste.net/6218/
14:11 < Druid_> and that are logfiles from server & client
14:11 < Druid_> http://yourpaste.net/6220/
14:13 -!- DUEDAHL [duedahl@92.246.30.239] has joined #openvpn
14:16 < ecrist> Druid_: are you using access server?
14:17 < Druid_> no
14:17 < Druid_> but it seems openvpn client does some caching or similar
14:17 < Druid_> after killing it
14:17 < Druid_> changing config files
14:17 < Druid_> etc
14:17 < Druid_> works now
14:17 < Druid_> i got a dir with the .pem files + client.ovpn
14:18 < ecrist> I think I told you a few hours ago you had to do that.
14:18 < Druid_> and when i click client.ovpn it doesn't reload
14:18 < Druid_> in the etc/profile dir then i see client_p4791.ovpn
14:18 < Druid_> etc.
14:20 < Druid_> but i guess that's just the beginning
14:26 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
14:28 -!- luneff [~yury@84.51.198.114] has joined #openvpn
14:29 -!- atan2 [~atan@unaffiliated/atan] has quit [Ping timeout: 240 seconds]
14:31 < pushpop1> anyhave time to take a look at an issue I have with routing.  I have a point to point setup i can ping all clients on 1 remote site but the other i can't ping the clients only the router and openvpn server i have a network diagram if your willing to help =P
14:45 -!- ElitestFX [~ElitestFX@unaffiliated/elitestfx] has quit [Ping timeout: 240 seconds]
14:54 -!- Varazir [mircwars@c-94-255-129-218.cust.bredband2.com] has joined #openvpn
14:54 -!- Varazir [mircwars@c-94-255-129-218.cust.bredband2.com] has quit [Client Quit]
14:57 -!- rawDawg [~rawdawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined #openvpn
14:58 -!- ElitestFX [~ElitestFX@unaffiliated/elitestfx] has joined #openvpn
14:59 -!- sparkymarkd [~mark@190.242.32.11] has joined #openvpn
15:01 -!- luneff [~yury@84.51.198.114] has quit [Ping timeout: 245 seconds]
15:04 < sparkymarkd> I need some help with a vpn that's working, but getting a lot of disconnections.  can someone help me please?  any hints?
15:11 < hyper_ch> !tell sparkymarkd [configs]
15:12 < s34n> I'm trying to complete an ftp file transfer over the vpn that works without the vpn
15:12 < s34n> but it fails across the vpn
15:13 < s34n> do I have to change some default to get ftp to work over an ovpn connection?
15:15 < sparkymarkd> configs:  http://pastebin.com/BbYHiBFp
15:22 < Bushmills> s34n: is your vpn server doing NAT while when connecting with ftp client to server from your public ip address, there's no NAT?
15:25 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
15:27 -!- gogi [~gogi@hyde.gogi.tv] has joined #openvpn
15:27 < gogi> How does openvpn decide which packets to send to which client in server mode?
15:31 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
15:32 < ecrist> what?
15:33 < ecrist> probably in the packet header...
15:33 -!- gogi [~gogi@hyde.gogi.tv] has quit [Disconnected by services]
15:33 -!- GoGi [~gogi@hyde.gogi.tv] has joined #openvpn
15:33 < GoGi> How does openvpn decide which packets to send to which client in server mode?
15:34 < ecrist> probably in the packet header...
15:34 < GoGi> sorry I don't know if my first question reached you
15:34 < ecrist> yeah, it did
15:34 < GoGi> so it inspects the packets?
15:34 < ecrist> it has to
15:35 < GoGi> in one-to-one mode it was possible to just connect two hosts and then configure the ip adresses manually
15:35 < GoGi> so this can't work here?
15:35 < ecrist> what do you mean?
15:35 < ecrist> I don't understand your line of questioning
15:37 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
15:37 < GoGi> openvpn must know what ip address every host has
15:39 < Bushmills> GoGi: each client has an own ip address
15:39 < Bushmills> and openvpn server assigns those to connecting clients
15:40 < Bushmills> (openvpn subnet addresses)
15:41 < s34n> Bushmills: the vpn server is snat-ing
15:42 < Bushmills> s34n: try passive ftp
15:43 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
15:52 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.12/20101026210630]]
15:56 < GoGi> what happens if I do not enable client-to-client and use tap mode
15:57 < s34n> Bushmills: passive doesn't work
15:57 < GoGi> does it make sense then to have a bridge device with only that tap interface connected?
16:02 < sparkymarkd> could someone help me please?  cleints disconnecting many times / day    http://pastebin.com/gMN0gXrC
16:02 < sparkymarkd> *clients
16:04 < Bushmills> what does "push "route 10.5.5.0 255.255.255.0"   do in client config?
16:07 < sparkymarkd> I guess it's unnecessary because the client has an IP in that subnet, but does it hurt?
16:09 < Bushmills> not just that, i'd even say that it's nonsense
16:09 -!- rawDawg [~rawdawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: Connection reset by peer]
16:11 < sparkymarkd> are you seeing anything else that could cause problems?
16:15 < Bushmills> only something which could possibly, but because you didn't say what serverIP resolves to, i can't speculate on that.
16:20 < sparkymarkd> why would you need the server IP?
16:22 < Bushmills> it may conflict with your routing
16:25 < sparkymarkd> server name is s1.bullrun.bz with IP  69.21.196.174
16:25 < Bushmills> actually, not likely. i didn't see the appended log first
16:27 < sparkymarkd> there's clients from a diff public IP that might have the same local subnet  I guess that could give problems
16:27 -!- DUEDAHL [duedahl@92.246.30.239] has quit []
16:30 < Bushmills> do you use different CNs for the clients?
16:31 < Bushmills> yes, you do. according log
16:33 < GoGi> when using client-to-client mode can I have openvpn write a copy of each packet also to the server's tap interface?
16:34 < GoGi> like a monitoring port of a switch?
16:38 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has joined #openvpn
16:51 -!- Diffen2 [~diffen2@213-67-232-161-no32.tbcn.telia.com] has quit [Quit: This computer has gone to sleep]
16:56 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:00 -!- Diffen2 [~diffen2@213-67-232-161-no32.tbcn.telia.com] has joined #openvpn
17:01 -!- krzie [~k@openvpn/community/support/krzee] has quit [Remote host closed the connection]
17:07 -!- agagag [~anton@eudaimonia.goto10.org] has joined #openvpn
17:09 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
17:10 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Quit: Ex-Chat]
17:11 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
17:25 -!- fipu__ [~fipu@swissvps.net] has quit [Ping timeout: 240 seconds]
17:28 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
17:39 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Ping timeout: 245 seconds]
17:40 -!- agagag [~anton@eudaimonia.goto10.org] has joined #openvpn
17:47 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:49 <@vpnHelper> RSS Update - forum: Installation Help :: Re: Is it a problem with openvpn or virtualbox ? :: Reply by dazo <https://forums.openvpn.net/viewtopic.php?f=5&t=7035&p=8475#p8475> || Tutorials :: Unified configuration splitter :: Author zeroepoch <https://forums.openvpn.net/viewtopic.php?f=8&t=7285&p=8460#p8460>
17:50 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Ping timeout: 245 seconds]
17:52 -!- agagag [~anton@eudaimonia.goto10.org] has joined #openvpn
17:55 <@vpnHelper> RSS Update - forum: Configuration :: Re: How to allow the client reach server entire subnet? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7283&p=8482#p8482>
17:57 < krzie> !mail
17:57 <@vpnHelper> krzie: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
17:59 -!- Diffen2 [~diffen2@213-67-232-161-no32.tbcn.telia.com] has quit [Quit: This computer has gone to sleep]
18:03 < reiffert> !fetch mail and !drop spam and !delete irrelevant and !answer importants
18:03 <@vpnHelper> reiffert: Error: 'mail' is not a valid url.
18:04 < reiffert> !fetch google.de
18:04 <@vpnHelper> reiffert: Error: 'google.de' is not a valid url.
18:04 < reiffert> !fetch http://google.de
18:04 <@vpnHelper> reiffert: Error: This command is disabled (supybot.plugins.Web.fetch.maximum is set to 0).
18:13 < krzie> hehe
18:13 <@vpnHelper> RSS Update - forum: Server Administration :: Re: SOLVED Re: Openvpn and shell script :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7286&p=8483#p8483>
18:15 < reiffert> !learn learn as learn or learn
18:15 <@vpnHelper> reiffert: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
18:15 < reiffert> :p
18:30 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
19:10 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
19:27 -!- superbofh [~xumpi@cl-229.lis-01.pt.sixxs.net] has joined #openvpn
19:52 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
19:52 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Read error: No route to host]
19:52 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
19:54 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
20:02 -!- humanMeat [alex@199.48.243.215] has joined #openvpn
20:02 < humanMeat> so i tried this redirect-gateway thing
20:02 < humanMeat> why does the documentation say it's "experimental"?
20:02 < humanMeat> does it not work?
20:04 -!- Squidy [~quassel@187.7.246.159] has quit [Read error: Connection reset by peer]
20:06 < humanMeat> hrm. some docs say use "push this, push that" but other docs ommit push from the syntax
20:14 -!- alex__ [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
20:14 < korozion> works for me
20:15 < korozion> push "route 172.18.0.0 255.255.0.0" is what I use
20:18 -!- humanMeat [alex@199.48.243.215] has quit [Ping timeout: 245 seconds]
20:20 < alex__> hrm
20:20 < alex__> what version are you on?
20:20 -!- GoGi [~gogi@hyde.gogi.tv] has quit [Quit: leaving]
20:25 <@vpnHelper> RSS Update - forum: Installation Help :: Re: Error driving me nuts :: Reply by TuxBrother <https://forums.openvpn.net/viewtopic.php?f=5&t=7277&p=8470#p8470>
20:26 < alex__> hrm
20:26 < alex__> i'm getting this error with openvpn again... sigurs soemthign about restart. Happens every 5 seconds
20:27 < alex__> i am getting no useful debugging output from the console at verbosity 5
20:27 < alex__> just "ok need to restart connection. 5 second wait"
20:31 < alex__> hrm this is getting ridiculous
20:31 < alex__> now i'm getting a key mismatch error?
20:31 < alex__> i just looked in my ca file and the key is the same
20:34 < alex__> how can openvpn just all of a sudden start giving me errors on my certificates?
20:35 < alex__> i haven't generated/regenerated since a week ago.. do they expire that quickly?
20:35 < alex__> i didn't chagne them
20:35 < alex__> i wonder if the openvpn community actually cares about their software lol
20:36 < korozion> you think that since you can't make it work, no one cares?
20:36 < korozion> wow
20:36 < alex__> i didn't say that.
20:36 < alex__> and a user should be able to install according to documentation
20:37 < alex__> and get it running. am I correct?
20:37 < korozion> most do
20:37 < alex__> define "most" do you have facts? a percentage?
20:37 < korozion> 99.7436%
20:37 < alex__> made up?
20:37 < korozion> absolutely
20:37 < alex__> anyways.
20:38 < alex__> i have this problem. My CA apparently doesn't match after i didn't edit any of the crt or key files
20:38 < alex__> how would this happen?
20:41 < alex__> running diff on the two files in question which supposedly are mismatched doesn't tell me anything
20:41 < alex__> i can only conclude openvpn is broken.
20:41 < alex__> either the windows client or the server
20:45 < alex__> why would openvpn say my ca stuff is not matching when it's actually a firewall issue?
20:46 < alex__> did someone forget to QA the output of openvpn client?
20:47 -!- alex__ [~alex@cpe-98-149-134-210.socal.res.rr.com] has left #openvpn ["Leaving"]
20:50 < korozion> what an idiot
20:51 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
20:54 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 240 seconds]
20:55 -!- pa [~pa@host140-17-dynamic.57-82-r.retail.telecomitalia.it] has joined #openvpn
20:55 -!- pa [~pa@host140-17-dynamic.57-82-r.retail.telecomitalia.it] has quit [Changing host]
20:55 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
21:19 -!- pushpop1 [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has quit [Ping timeout: 265 seconds]
21:49 -!- humanMeat [alex@199.48.243.208] has joined #openvpn
22:05 -!- The-Fly [~Bofh@c-67-162-150-125.hsd1.co.comcast.net] has joined #openvpn
22:05 <@vpnHelper> RSS Update - forum: Installation Help :: Re: Error driving me nuts :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=5&t=7277&p=8481#p8481>
22:05 < The-Fly> !welcome
22:05 <@vpnHelper> The-Fly: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
22:06 < The-Fly> !goal
22:06 <@vpnHelper> The-Fly: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
22:06 < The-Fly> !man
22:06 <@vpnHelper> The-Fly: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
22:07 < The-Fly> hi, would anyone be able to assist me with getting split tunnel functionality working on openvpn ?
22:12 <@vpnHelper> RSS Update - forum: Tutorials :: Unified configuration splitter :: Author zeroepoch <https://forums.openvpn.net/viewtopic.php?f=8&t=7285&p=8460#p8460> || Tutorials :: Re: OpenVPN Install Guides :: Reply by dazo <https://forums.openvpn.net/viewtopic.php?f=8&t=2&p=8474#p8474>
22:13 < humanMeat> has openvpn gui client actually been tested thoroughly on windows 7?
22:13 < humanMeat> i even get errors installing it and connecting to vyprvpn
22:14 < The-Fly> we use it extensively at work
22:14 < The-Fly> with win7
22:14 < The-Fly> both 32bit and 64bit
22:14 < The-Fly> but you MUST turn the UAC off
22:14 < The-Fly> otherwise it wont work
22:15 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
22:16 < humanMeat> the-fly, what kind of problems have you been getting
22:16 < The-Fly> well, at work, we've been using openvpn for a few years now, having it tunnel ALL client traffic
22:16 < The-Fly> and its been working fine
22:16 < The-Fly> but for various political reasons, we want to change that to do split tunnel now, so ONLY traffic for the work lan is tunneled
22:17 < The-Fly> and regular internet traffic from the client is NOT tunneled over the vpn
22:17 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: TAP-Win32 device and IPv6 addresses :: Author juhovh <https://forums.openvpn.net/viewtopic.php?f=15&t=7289&p=8465#p8465>
22:17 < The-Fly> i've been having a hell of a time getting it to work
22:17 < The-Fly> i am ssh'd into our vpn server as we speak
22:17 < The-Fly> so i can paste any info required
22:17 < humanMeat> what does UAC have to do with it heh
22:18 < The-Fly> UAC seems to screw with the client's ability to update the route tables
22:18 < The-Fly> we found it necessary to turn it off for openvpn client to work
22:18 < The-Fly> no loss IMHO :)
22:20 -!- EvilJStoker [jstoker@unaffiliated/jstoker] has joined #openvpn
22:21 < ecrist> humanMeat: what gui are you using?
22:22 < humanMeat> openvpnGUI v 1.0.3 or soemthing like that
22:22 < humanMeat> the funny thing is that this is what was on the community software page
22:22 < ecrist> you're using the wrong one, that wasn't touched since 2.0.9
22:23 < humanMeat> and it's copyright 2002-2005
22:23 < The-Fly> yep, wrong ver
22:23 < The-Fly> here's the one you want to use ...
22:23 < ecrist> there's a gui built in now
22:23 < The-Fly> link coming...
22:23 < ecrist> that's the one that's supported, and it is actively developed and tested.
22:23 < The-Fly> http://swupdate.openvpn.net/community/releases/openvpn-2.1.4-install.exe
22:23 < ecrist> the new gui is actually the old one, updated.
22:23 < ecrist> :)
22:23 < ecrist> !download
22:23 <@vpnHelper> ecrist: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
22:24 < ecrist> The-Fly: ^^^ that would have worked, as weel.
22:24 < ecrist> well*
22:24 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
22:33 -!- The-Fly [~Bofh@c-67-162-150-125.hsd1.co.comcast.net] has quit [Quit: There's a lamer born every minute, and they all got mail.]
22:58 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: TAP-Win32 device and IPv6 addresses :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=15&t=7289&p=8469#p8469>
22:58 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
23:04 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
23:36 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
23:38 -!- mick_laptop [~mick@clamwin/admin/mickhome] has left #openvpn []
23:39 -!- aliverius_ [~george@athedsl-376130.home.otenet.gr] has joined #openvpn
23:43 -!- aliverius [~george@athedsl-392905.home.otenet.gr] has quit [Ping timeout: 265 seconds]
23:58 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: TAP-Win32 device and IPv6 addresses :: Reply by cron2 <https://forums.openvpn.net/viewtopic.php?f=15&t=7289&p=8472#p8472>
--- Day changed Fri Nov 19 2010
00:30 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
00:50 -!- humanMeat [alex@199.48.243.208] has quit [Ping timeout: 240 seconds]
00:59 -!- sparkymarkd [~mark@190.242.32.11] has quit [Ping timeout: 265 seconds]
01:02 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
01:14 -!- kami [~user@unaffiliated/kami-] has joined #openvpn
01:14 < kami> Hello
01:14 < kami> !welcom
01:14 < hyper_ch> hi kami
01:14 <@vpnHelper> kami: Error: "welcom" is not a valid command.
01:14 < kami> !welcome
01:14 <@vpnHelper> kami: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:15 < kami> Hmm. I searched most of what is suggested by vpnHelper but didn't find an answer.
01:16 < hyper_ch> what do you search for?
01:16 < kami> It is probably a very dumb question: is it possible to use a tap device on the client side when the server is configured for tun?
01:16 < hyper_ch> I don't think so
01:16 < hyper_ch> but I don't really know for sure
01:17 < hyper_ch> !tunortap
01:17 <@vpnHelper> hyper_ch: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
01:17 <@vpnHelper> hyper_ch: over the vpn, or (#4) lan gaming? use tap!
01:19 < kami> My problem is that I have a connection as client to a company who use openvpn "wrapped" in an appliance with a GUI (Astaro firewall).
01:19 < hyper_ch> I'm only a very basic openvpn user and setup my own little vpn :)
01:20 < kami> Their admin cannot (and may not) modify the settings of the connection which is a tun config.
01:20 < kami> Now, I would like to send packets from the network behind the end point and thought that a bridged configuration might help.
01:21 < hyper_ch> is that really necessary?
01:21 < hyper_ch> if you have one client in your network that has the vpn established
01:21 < hyper_ch> wouldn't you just need to alter your local routing so that everything goes through that clien and the lcient uses then the vpn?
01:22 < kami> hyper_ch: no, I could also nat the traffic over the tun device.
01:22 < hyper_ch> as said, I don't know too many things about that stuff :) sorry
01:23 < kami> hyper_ch: no problem. Thank you.
01:38 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has joined #openvpn
01:40 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
01:45 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has quit [Ping timeout: 260 seconds]
02:01 -!- dazo_afk is now known as dazo
02:09 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
02:23 -!- brah [~asdofp@190.7.17.210] has quit [Remote host closed the connection]
02:31 -!- openbsdnoob [~openbsdno@88.79.221.61] has quit [Quit: byebye]
02:33 -!- Druid_ [~mf@p5B137993.dip.t-dialin.net] has quit [Ping timeout: 276 seconds]
02:39 -!- Druid_ [~mf@p5B136426.dip.t-dialin.net] has joined #openvpn
02:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 240 seconds]
02:41 -!- openbsdnoob [~openbsdno@88.79.221.61] has joined #openvpn
02:43 -!- Diffen2 [~diffen2@195-198-92-149.customer.telia.com] has joined #openvpn
02:51 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: TAP-Win32 device and IPv6 addresses :: Reply by juhovh <https://forums.openvpn.net/viewtopic.php?f=15&t=7289&p=8479#p8479>
02:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:00 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Read error: Connection reset by peer]
03:04 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
03:14 -!- fipu [~fipu@swissvps.net] has joined #openvpn
03:16 -!- fipu [~fipu@swissvps.net] has quit [Read error: Operation timed out]
03:16 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
03:17 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
03:18 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 255 seconds]
03:19 -!- humanMeat [alex@199.48.243.245] has joined #openvpn
03:23 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Ping timeout: 276 seconds]
03:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
03:28 -!- s7r [~s7r@89.39.174.74] has joined #openvpn
03:33 -!- noisebleed [~quassel@lula.inescn.pt] has joined #openvpn
03:33 -!- noisebleed [~quassel@lula.inescn.pt] has quit [Changing host]
03:33 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
03:34 -!- kami [~user@unaffiliated/kami-] has quit [Remote host closed the connection]
03:34 -!- kami [~user@unaffiliated/kami-] has joined #openvpn
03:40 -!- humanMeat [alex@199.48.243.245] has quit [Ping timeout: 265 seconds]
03:46 -!- master_of_master [~master_of@p57B57046.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
03:48 -!- master_of_master [~master_of@p57B56789.dip.t-dialin.net] has joined #openvpn
03:54 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
04:15 -!- kerfe [~a@30.pool85-60-141.dynamic.orange.es] has joined #openvpn
04:18 -!- s7r [~s7r@89.39.174.74] has left #openvpn []
04:22 -!- Diffen2 [~diffen2@195-198-92-149.customer.telia.com] has quit [Ping timeout: 240 seconds]
04:27 -!- Diffen2 [~diffen2@195-198-92-149.customer.telia.com] has joined #openvpn
04:40 -!- p3rror [~mezgani@41.140.42.116] has joined #openvpn
04:40 -!- Mkools [~mukul@117.196.213.210] has joined #openvpn
04:42 -!- Diffen2 [~diffen2@195-198-92-149.customer.telia.com] has quit [Ping timeout: 252 seconds]
04:43 -!- Diffen2 [~diffen2@195-198-92-149.customer.telia.com] has joined #openvpn
04:45 < Mkools> Hi I am using Ubuntu 9.10 server edition, configuring server.conf , I am using Quick start howto. Edited server.conf properly but still the start script doesn't setup openvpn. It is giving fail condition. Any help?
04:46 < hyper_ch> what start script?
04:46 < hyper_ch> and you really should update your server
04:46 < hyper_ch> 9.10 was no LTS
04:46 < hyper_ch> 10.04
04:46 < hyper_ch> and current non-LTS is 10.10
04:48 < Mkools> hyper_ch: ok, I will update but the script I am talking about is in /etc/init.d folder.
04:48 < hyper_ch> and what error do you get when you run it?
04:49 < Mkools> hyper_ch: Auto starting VPN server fail.
04:49 -!- Sky[XX] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
04:49 < hyper_ch> sudo /etc/init.d/openvpn restart
04:49 < hyper_ch> what output do you get?
04:50 < Mkools> * Stopping virtual private network daemon(s)...                                 *   No VPN is running.
04:50 < Mkools>  * Starting virtual private network daemon(s)...                                 *   Autostarting VPN 'server'                                           [fail] 
04:51 < hyper_ch> ps aux | grep openvpn ?
04:52 < ksk> take a look at the logfiles. daemon.log iirc
04:52 < hyper_ch> also that :)
04:52 < Mkools> I I sir.
04:53 < Mkools> mukul     3565  0.0  0.0   7344   860 pts/0    S+   16:22   0:00 grep --color=auto openvpn
04:54 < hyper_ch> so it's not running :) then you have to check logs and maybe even set a higher log level
04:54 < Mkools> ksk: Where to look for that log ?
04:55 < ksk> oh, cmon. on debian/ubuntu logfiles are in /var/log
04:55 < ksk>  /var/log/
04:55 -!- kami [~user@unaffiliated/kami-] has quit [Remote host closed the connection]
04:56 -!- kami [~user@unaffiliated/kami-] has joined #openvpn
04:56 < Mkools> hyper_ch: Yeah I know that, but I thought daemon.log was special one.
04:57 < ksk> no.
04:57 < ksk> its just a logfile seom daemons use. openvpn or ntpd for example
04:57 < ksk> s/seom/some/
05:00 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:00 < hyper_ch> in the server config you can set where to log to
05:00 < hyper_ch> and what loglevel
05:04 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Remote host closed the connection]
05:06 < kami> Mkools: on ubuntu, openvpn logs to /var/log/syslog with ovpn-<connection-name>, so if you grep for ovpn in /var/log/syslog, you will see everything which was output by openvpn
05:09 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has joined #openvpn
05:11 < Mkools> kami: hey thanks man
05:13 < Mkools> kami: how to know that connection name?
05:14 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
05:17 < Mkools> kami: cat /var/log/syslog | grep openvpn outputting nothing.
05:28 < Mkools> I am just getting ov 19 08:31:29 mukul-desktop rsyslogd: [origin software="rsyslogd" swVersion="4.2.0" x-pid="799" x-info="http://www.rsyslog.com"] rsyslogd was HUPed, type 'lightweight' in /var/log/syslog
05:28 -!- Sky[XX] is now known as Sky[X]
05:29 < Mkools> and some resolving problem in /var/log/daemon.log
05:30 < Mkools> any help.
05:31 < Bushmills> add  log /path/file  to config. look in there, after restarting openvpn server
05:40 -!- Mkools [~mukul@117.196.213.210] has quit [Ping timeout: 265 seconds]
05:45 < ksk> btw, this "cat foo | grep bar" is bad style they say :P
05:45 < |Mike|> it sure is
05:45 < ksk> use "grep "term" $file" instead
05:46 < |Mike|> or some people make it like this: cat bla | grep foo | wc -l (while you can do it with grep -c foo bla)
05:46 < |Mike|> (rtfm!)
05:49 -!- toortog [nesm6@notsecure.net] has joined #openvpn
05:49 < toortog> morning everyone
05:58 -!- Sky[X] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
06:01 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: How do I use extra server IP's with Access Server? :: Author ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7290&p=8484#p8484>
06:07 -!- luneff [~yury@84.51.195.188] has joined #openvpn
06:11 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
06:12 -!- kami [~user@unaffiliated/kami-] has quit [Remote host closed the connection]
06:13 -!- kami [~user@unaffiliated/kami-] has joined #openvpn
06:37 <@vpnHelper> RSS Update - forum: Server Administration :: swapping a vpn from one routing to another :: Author dexdyne <https://forums.openvpn.net/viewtopic.php?f=4&t=7291&p=8485#p8485>
06:57 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving]
06:59 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
07:08 -!- kami [~user@unaffiliated/kami-] has quit [Remote host closed the connection]
07:10 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has quit [Ping timeout: 240 seconds]
07:10 -!- kami [~user@unaffiliated/kami-] has joined #openvpn
07:12 -!- kami [~user@unaffiliated/kami-] has quit [Remote host closed the connection]
07:13 -!- kami [~user@unaffiliated/kami-] has joined #openvpn
07:18 -!- orentet [~orentet@80.178.3.219.adsl.012.net.il] has joined #openvpn
07:21 < orentet> hey guys, my machine has eth0 which connects to the internet (default gateway), eth1 which connects to the computer i'm working on, and tap0 which is the openvpn driver. i'm able to connect as client to my server (with tap0), but not able to "share" the connection to the machine on eth1. (internet connection is shared). i would be realy grateful if someone could help me.
07:22 < orentet> oh, i forgot the mention i set up a bridge between all interfaces
07:22 < orentet> in short, i just want to set my machine as a gateway for my openvpn connection
07:29 < orentet> i wondered maybe it has something to do with the bridge: i set it up like that: first bridge the two connections (eth0 and eth1), then connect to openvpn, then bridge tap0. maybe it has something to do with the order?
07:33 -!- [intra]lanman [~lanman@12.200.95.45] has joined #openvpn
07:33 -!- [intra]lanman [~lanman@12.200.95.45] has quit [Changing host]
07:33 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
07:44 < ecrist> !logs
07:44 <@vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin
07:44 < ecrist> !configs
07:44 <@vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
08:10 -!- straterra [~straterra@fuhell.com] has joined #openvpn
08:12 < straterra> I'm running OpenVPN (TCP) over a link that has sporadic data loss and high latency..is there some performance tuning I can do specific to this?
08:22 < ecrist> !tcp
08:22 <@vpnHelper> ecrist: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
08:22 -!- Squidy [~quassel@187.7.246.159] has joined #openvpn
08:26 -!- ujjain [~ujjAIN@unaffiliated/ujjain] has joined #openvpn
08:26 < ujjain> do I need to install openvpn client on Windows?
08:28 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has joined #openvpn
08:29 < ecrist> ujjain: if you want to use it.  nobody's going to force you to, though.
08:29 < straterra> ecrist: I can't avoid it
08:29 < ujjain> I wish to be able to access the 192.168 network of my servers.
08:29 < straterra> TCP performs tons better than UDP with the ammount of loss that is going on
08:30 < ecrist> make sure your MTU is setup properly is about the only thing I can think of
08:30 < ecrist> !mtu
08:30 <@vpnHelper> ecrist: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
08:30 < straterra> It is
08:31 < ecrist> !learn mtu as mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
08:31 <@vpnHelper> ecrist: Joo got it.
08:36 -!- orentet [~orentet@80.178.3.219.adsl.012.net.il] has quit [Ping timeout: 245 seconds]
08:45 -!- Diffen2 [~diffen2@195-198-92-149.customer.telia.com] has quit [Quit: This computer has gone to sleep]
08:56 -!- kami [~user@unaffiliated/kami-] has quit [Remote host closed the connection]
08:57 -!- kami [~user@unaffiliated/kami-] has joined #openvpn
08:57 <@vpnHelper> RSS Update - forum: Server Administration :: Routing Problems :: Author adamb <https://forums.openvpn.net/viewtopic.php?f=4&t=7292&p=8486#p8486>
09:05 -!- kami [~user@unaffiliated/kami-] has quit [Remote host closed the connection]
09:06 -!- kami [~user@unaffiliated/kami-] has joined #openvpn
09:07 < straterra> Hmm..is there a way to toss --tun-mtu in to the config file instead of as an argument when starting ovpn?
09:10 < ecrist> yep
09:10 < ecrist> just remove --
09:14 -!- Druid_ [~mf@p5B136426.dip.t-dialin.net] has quit [Read error: Connection reset by peer]
09:15 -!- Druid_ [~mf@p5B136426.dip.t-dialin.net] has joined #openvpn
09:18 -!- ElitestFX [~ElitestFX@unaffiliated/elitestfx] has quit [Quit: Leaving]
09:29 -!- kami [~user@unaffiliated/kami-] has quit [Remote host closed the connection]
09:29 -!- kami [~user@unaffiliated/kami-] has joined #openvpn
09:36 -!- Blues-Man [~bluesman@95.239.124.115] has joined #openvpn
09:41 -!- kami [~user@unaffiliated/kami-] has left #openvpn ["ERC Version 5.3 (IRC client for Emacs)"]
09:42 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
09:43 -!- geruser1 [~geronimo@ppp-94-69-21-160.home.otenet.gr] has joined #openvpn
09:44 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
09:44 < geruser1> hi there.. i have openvpn 2.1.4 and i have a push route <somenetwork> .. the problem is that when i connect remotely i can't see the lan computers but only the openvpn server...forwarding is enabled..firewall policy is accept?any ideas?
09:46 < geruser1> here is my server.conf http://pastebin.com/qDZNTLsK
09:47 < geruser1> !goal
09:47 <@vpnHelper> geruser1: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:54 < ecrist> geruser1: what do you mean by "can't see"
09:54 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
09:54 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
09:58 < ujjain> I would like to access the lan behind the server, does this require installing openvpn packages on my Windows computer?
10:01 < ecrist> ujjain: we have no way of knowing without configs and more information on what you're trying to do 
10:01 < ujjain> Sorry, I wish to access the 192.168.x NAT/LAN of my servers.
10:01 < ujjain> VMWare ESXi. VM´s.
10:02 < ecrist> I got that part
10:02 < ecrist> but we don't know where you have a windows machine, so how would we know whether you need to install openvpn?
10:02 < ecrist> !diagram
10:02 <@vpnHelper> ecrist: "diagram" is You can use a site such as http://gliffy.com to create a network diagram as well as programs such as Visio, Dia, or OmniGraffle
10:03 < geruser1> i can ping the vpn server...but not the lan computers...
10:04 < ecrist> geruser1: do you have a route to the lan computers?
10:04 < ecrist> do the lan computers have a route back to the vpn?
10:04 < geruser1> doesn't this happen automatically when tun dev is up?
10:05 < geruser1> I mean the vpn has the a lan address assigned to eth0 and the vpn address assigned to tun..
10:06 < ecrist> I don't follow what you're saying.
10:06 < geruser1> well beside the "push route <network>" do i have to add extra rules to the vpn server?
10:08 -!- Sky[xxx] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
10:09 < ecrist> not really
10:09 < ecrist> but your LAN needs to know how to route back to the VPN ip space, or you need to NAT vpn connections.
10:11 < geruser1> well gateway and vpn are different machines...in my gateway i have a route that says 10.8.1.0/24 goes to 192.168.20.98 and the latter is the vpn server..
10:19 -!- geruser1 [~geronimo@ppp-94-69-21-160.home.otenet.gr] has left #openvpn []
10:19 < EvilJStoker> Hi, Does anyone happen to know how I could have ipv6 tunneled across openvpn, so that the vpn-client can have an ipv6 ip address routed to it, which the space is 'owned' by the vpn-server?
10:24 < blackpenguin> EvilJStoker: I have done it using an external script that set the IP and route then. I've followed these instructions and it works fine: http://silmor.de/64
10:24 <@vpnHelper> Title: IPv6 via OpenVPN (at silmor.de)
10:24 -!- dazo is now known as dazo_afk
10:28 -!- markus_ [~markus@c83-250-33-131.bredband.comhem.se] has quit [Ping timeout: 264 seconds]
10:29 -!- dazo_afk is now known as dazo
10:31 < EvilJStoker> blackpenguin, Oh, I forgot to mention, i'm TUN, not TAP. Would that still work? I see "Usually OpenVPN uses IPv4 on those devices - IPv6 support is still experimental (as of mid 2009).", so i'm not exactly sure if this is possible. :(
10:32 < ecrist> EvilJStoker: iirc beta 2.2 has IPv6 support
10:32 < ecrist> !beta
10:32 <@vpnHelper> ecrist: Error: "beta" is not a valid command.
10:32 < ecrist> !download
10:32 <@vpnHelper> ecrist: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
10:34 < blackpenguin> EvilJStoker: AFAIK the linux tun device is capable to work with ipv6, too, haven't tried this though.
10:34 -!- dazo is now known as dazo_afk
10:34 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
10:37 < EvilJStoker> ecrist, Ahh. Okay, Thanks.
10:43 -!- markus [~markus@c83-250-33-131.bredband.comhem.se] has joined #openvpn
10:44 -!- luneff [~yury@84.51.195.188] has joined #openvpn
10:47 -!- Lalvard_ [~Lalvard@201.200.107.2] has joined #openvpn
10:47 < Lalvard_> hello
10:47 -!- Lalvard_ is now known as grojas
10:47 < grojas> anyone around?
10:48 < grojas> !welcome
10:48 <@vpnHelper> grojas: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:48 < ecrist> yeah, lots of people
10:48 < grojas> hi ecrist
10:49 < grojas> i'm having some trouble with my openvpn connection and i think is routing
10:49 < grojas> server=ubuntu
10:49 < grojas> client=macos
10:49 < grojas> my client can't ping my tun0 ip
10:49 -!- _zero__ [~zero@noc.toile-libre.net] has quit [Read error: Connection reset by peer]
10:50 < grojas> !route
10:50 <@vpnHelper> grojas: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:51 < grojas> any ideas?
10:51 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Ping timeout: 240 seconds]
10:52 -!- dazo_afk is now known as dazo
10:53 < grojas> can anyone help me for a sec?
10:54 -!- _zero_ [~zero@noc.toile-libre.net] has joined #openvpn
10:55 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has quit [Ping timeout: 240 seconds]
10:56 < grojas> ecrist are you there?
10:57 < Bushmills> grojas:   read  !welcome
10:57 < grojas> !goal
10:57 <@vpnHelper> grojas: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:58 < ecrist> configs would help, grojas 
10:58 < grojas> !configs
10:58 <@vpnHelper> grojas: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
11:00 < grojas> route-gateway 130.0.0.252
11:00 < grojas> remote 184.73.243.158 1194 tcp-client
11:00 < grojas> pull
11:00 < grojas> tls-client
11:00 < grojas> persist-key
11:00 < grojas> ca ca.crt
11:00 < grojas> redirect-gateway def1
11:00 -!- grojas was kicked from #openvpn by vpnHelper [Flooding detected. Please use http://openvpn.pastbin.ca for posting logs or configs.]
11:01 -!- grojas [~Lalvard@201.200.107.2] has joined #openvpn
11:01 < grojas> oops
11:01 < grojas> my mistake
11:01 < grojas> posting on forum
11:02 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Would you like to know more?]
11:02 < grojas> http://openvpn.pastbin.ca/ doesn't load
11:10 -!- grojas [~Lalvard@201.200.107.2] has quit [Read error: Connection reset by peer]
11:10 -!- Lalvard_ [~Lalvard@201.200.107.2] has joined #openvpn
11:13 -!- Sky[xxx] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
11:13 -!- Sky[xxx] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
11:17 -!- Lalvard_ [~Lalvard@201.200.107.2] has quit [Ping timeout: 255 seconds]
11:24 < ecrist> typo
11:24 < ecrist> !pb
11:24 <@vpnHelper> ecrist: "pb" is Use our pastebin to post configs and logs at http://openvpn.pastebin.ca rather than posting to the channel.
11:24 -!- Sky[xxx] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
11:25 -!- Sky[xxx] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
11:27 -!- Lalvard___ [~Lalvard@201.200.107.2] has joined #openvpn
11:32 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has joined #openvpn
11:34 -!- Sky[xxx] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
11:37 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has quit [Client Quit]
11:37 -!- Sky[xxx] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
11:39 -!- Lalvard___ [~Lalvard@201.200.107.2] has quit [Ping timeout: 255 seconds]
11:42 < ecrist> !config supybot.plugins.RSS.announce
11:42 <@vpnHelper> ecrist: Global: pastebin #openvpn; #openvpn: feed://ovpnforum.com/external.php?type=RSS2 forum openvpnforum
11:43 < ecrist> !config supybot.plugins.RSS.announce pastebin
11:43 <@vpnHelper> ecrist: Joo got it.
11:43 < ecrist> !config supybot.plugins.RSS.announce
11:43 <@vpnHelper> ecrist: Global: pastebin; #openvpn: feed://ovpnforum.com/external.php?type=RSS2 forum openvpnforum
11:43 < ecrist> !config supybot.plugins.RSS.announce --remove feed://ovpnforum.com/external.php?type=RSS2
11:43 <@vpnHelper> ecrist: Joo got it.
11:43 < ecrist> !config supybot.plugins.RSS.announce
11:43 <@vpnHelper> ecrist: Global: feed://ovpnforum.com/external.php?type=RSS2 --remove; #openvpn: feed://ovpnforum.com/external.php?type=RSS2 forum openvpnforum
11:43 < ecrist> !config supybot.plugins.RSS.announce #openvpn --remove feed://ovpnforum.com/external.php?type=RSS2
11:43 <@vpnHelper> ecrist: Joo got it.
11:43 < ecrist> !config supybot.plugins.RSS.announce
11:43 <@vpnHelper> ecrist: Global: feed://ovpnforum.com/external.php?type=RSS2 #openvpn --remove; #openvpn: feed://ovpnforum.com/external.php?type=RSS2 forum openvpnforum
11:43 < ecrist> gah
11:44  * ecrist hand-edits config
11:44 -!- W0rmF00d [~wormfood@183.38.15.107] has joined #openvpn
11:44 -!- Sky[X] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
11:44 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Quit: Ctrl-C at console.]
11:46 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has joined #openvpn
11:46 -!- Sky[X] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
11:47 -!- WormFood [~wormfood@183.38.14.178] has quit [Ping timeout: 240 seconds]
11:48 -!- Sky[xxx] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
11:48 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
11:48 -!- mode/#openvpn [+o vpnHelper] by ChanServ
11:49 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Client Quit]
11:49 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
11:49 -!- mode/#openvpn [+o vpnHelper] by ChanServ
11:50 -!- krzie [krzee@hemp.ircpimps.org] has joined #openvpn
11:50 -!- krzie [krzee@hemp.ircpimps.org] has quit [Changing host]
11:50 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
11:57 -!- caesay [~caesay@unvanquished/associate/sniperx] has joined #openvpn
11:57  * Blues-Man good blues bye | i remember you to listen once at day SRV and Otis Redding to feel better ;)
11:57 -!- Blues-Man [~bluesman@95.239.124.115] has quit [Remote host closed the connection]
12:07 -!- dazo is now known as dazo_afk
12:12 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has joined #openvpn
12:18 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
12:28 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving]
12:30 -!- ujjain [~ujjAIN@unaffiliated/ujjain] has quit [Read error: Connection reset by peer]
12:38 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Read error: Connection reset by peer]
12:39 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
12:58 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Remote host closed the connection]
13:03 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 250 seconds]
13:03 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
13:13 -!- kerfe [~a@30.pool85-60-141.dynamic.orange.es] has quit [Read error: Connection reset by peer]
13:14 -!- kerfe [~a@66.pool85-60-140.dynamic.orange.es] has joined #openvpn
13:15 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
13:17 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
13:17 -!- lupine_85 [~lupine_85@master.lupine.me.uk] has quit [Changing host]
13:17 -!- lupine_85 [~lupine_85@unaffiliated/lupine-85/x-7392152] has joined #openvpn
13:33 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Remote host closed the connection]
13:34 -!- abeehc [~bob@d207-6-195-163.bchsia.telus.net] has quit [Ping timeout: 255 seconds]
13:38 -!- krzie [krzee@hemp.ircpimps.org] has joined #openvpn
13:38 -!- krzie [krzee@hemp.ircpimps.org] has quit [Changing host]
13:38 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
13:41 -!- APTX [~APTX@phpBB/developer/APTX] has joined #openvpn
13:47 -!- Squidy_at_Home [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has joined #openvpn
13:47 -!- Squidy [~quassel@187.7.246.159] has quit [Ping timeout: 252 seconds]
13:50 <@vpnHelper> RSS Update - forum: Off Topic, Related :: Openvpn using with ptunnel :: Author beq.scream <https://forums.openvpn.net/viewtopic.php?f=1&t=7293&p=8487#p8487>
13:55 < krzie> !linnat
13:55 <@vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
13:55 <@vpnHelper> RSS Update - forum: Off Topic, Related :: Re: Openvpn using with ptunnel :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=1&t=7293&p=8488#p8488>
14:02 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: How do I use extra server IP's with Access Server? :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7290&p=8489#p8489>
14:07 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Routing Problems :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7292&p=8490#p8490> || Server Administration :: Re: swapping a vpn from one routing to another :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7291&p=8491#p8491>
14:14 <@vpnHelper> RSS Update - forum: Installation Help :: Re: Is it a problem with openvpn or virtualbox ? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=5&t=7035&p=8492#p8492>
14:25 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:54 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Read error: Connection reset by peer]
14:57 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
15:04 -!- Sky[xxx] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
15:11 -!- Sky[xxx] is now known as Sky[x]
15:16 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
15:20 -!- luneff [~yury@84.51.198.114] has joined #openvpn
15:20 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
15:25 -!- luneff [~yury@84.51.198.114] has quit [Ping timeout: 245 seconds]
15:26 <@vpnHelper> RSS Update - forum: Server Administration :: vpn config issue? :: Author generalk25 <https://forums.openvpn.net/viewtopic.php?f=4&t=7294&p=8493#p8493>
15:29 -!- s7r [~s7r@85.186.178.32] has joined #openvpn
15:29 < s7r> anybody here from the UK ?
15:29 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Quit: Farewell]
15:30 -!- szr [~SR@unaffiliated/szr] has quit [Ping timeout: 245 seconds]
15:30 -!- APTX [~APTX@phpBB/developer/APTX] has joined #openvpn
15:30 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Remote host closed the connection]
15:33 -!- Sky[xx] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
15:34 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
15:36 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
15:38 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
15:40 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
15:40 -!- Sky[xx] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
15:49 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
15:52 -!- Thibaud [~Thibaud@ver44-1-87-91-227-245.dsl.club-internet.fr] has joined #openvpn
15:53 < Thibaud> Hello. :)  Is there someone willing to help me?
15:54 < s7r> Thibaud: tell us your problem
15:55 < Thibaud> Thanks.
15:55 < Thibaud> I would like to use openVPN on multiple ports / protocols but with the same virtual interface.
15:55 < s7r> you mean connect to multiple openVPN servers?
15:56 < Thibaud> no. I have an openvpn server and I would like to configure it to enable mutli ports/protocols
15:56 < Thibaud> I just add a new .conf file
15:56 < Thibaud> but it creates me another tap interface.
15:57 < Thibaud> which is not what I would like.
15:57 < s7r> yes, well I am not sure you can program the server to listen to multiple ports, at the same time on the same tun/tap device
15:57 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
15:58 < s7r> why you need such option?
15:58 < Thibaud> to be able to connect on my openvpn with multiples protocoles/ports.
15:58 < s7r> I understand
15:59 < Thibaud> And since my ips in my openvpn are public, I would like to use the sames and route them no mater the type of connection
15:59 < s7r> I am sorry I never done this and don't know how to, don't even know if it is possible. maybe somebody else with better experience on the channel will help
15:59 < Thibaud> Well, nevermind. Thank you s7r :)
15:59 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
16:00 < s7r> for nothing, sorry
16:00 < s7r> is anybody here from UK?
16:00 < Thibaud> For trying to hep.
16:00 < s7r> yeah well trying doesn't help you that much does it :))
16:00 < s7r> actual helping sounds better
16:00 < Thibaud> :)
16:04 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
16:05 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
16:06 -!- Clete2_ [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
16:06 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Read error: Connection reset by peer]
16:08 -!- Clete2_ [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Remote host closed the connection]
16:09 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
16:14 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
16:21 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
16:23 -!- NextPhraze [~next@178-73-208-56.cust.vpntunnel.org] has joined #openvpn
16:24 -!- patelx [~patel@openvpn/corp/admin/patel] has joined #openvpn
16:24 -!- mode/#openvpn [+o patelx] by ChanServ
16:24 <@patelx> eric?
16:25 -!- szr [~SR@unaffiliated/szr] has quit [Ping timeout: 245 seconds]
16:26 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
16:33 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
16:34 < NextPhraze> What is modifying my resolv.conf every 5min or so? I manually added a dns server to get it working but it keeps reverting :<
16:35 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
16:39 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
16:41 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
16:42 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
16:43 < krzie> not openvpn
17:00 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Remote host closed the connection]
17:00 <@vpnHelper> RSS Update - forum: Server Administration :: Re: vpn config issue? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7294&p=8494#p8494>
17:00 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
17:01 -!- Thibaud [~Thibaud@ver44-1-87-91-227-245.dsl.club-internet.fr] has quit [Quit: Thibaud]
17:02 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
17:07 -!- szr [~SR@unaffiliated/szr] has quit [Ping timeout: 245 seconds]
17:24 -!- s7r [~s7r@85.186.178.32] has left #openvpn []
17:36 <@vpnHelper> RSS Update - forum: Wishlist :: fix your email address parser :: Author solinym <https://forums.openvpn.net/viewtopic.php?f=10&t=7295&p=8495#p8495> || Wishlist :: mailman mailing list instead of web forum? :: Author solinym <https://forums.openvpn.net/viewtopic.php?f=10&t=7296&p=8496#p8496>
17:39 -!- kerfe [~a@66.pool85-60-140.dynamic.orange.es] has quit [Quit: • IRcap • 8.6 •]
17:40 -!- luneff [~yury@84.51.198.114] has joined #openvpn
17:42 <@vpnHelper> RSS Update - forum: Wishlist :: config file entry to bind to specific interfaces :: Author solinym <https://forums.openvpn.net/viewtopic.php?f=10&t=7297&p=8497#p8497> || Wishlist :: specifying source port for connections? :: Author solinym <https://forums.openvpn.net/viewtopic.php?f=10&t=7298&p=8498#p8498>
17:54 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has quit [Ping timeout: 245 seconds]
17:54 <@vpnHelper> RSS Update - forum: Wishlist :: Re: mailman mailing list instead of web forum? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=10&t=7296&p=8499#p8499>
17:54 < |Mike|> krzie: 
17:57 < krzie> |Mike|, 
17:57 < |Mike|> I've spotted your nickname in some magazine
17:57 < krzie> as did i
17:57 < |Mike|> :-)
17:57 < krzie> heh
17:58 < |Mike|> we both know who the new 'punk' is :p
17:58 < |Mike|> quite cool that he named you
17:59 < krzie> we had a blast that weekend
17:59 <@vpnHelper> RSS Update - forum: Wishlist :: Re: specifying source port for connections? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=10&t=7298&p=8500#p8500>
17:59 < krzie> phear and loathing in .nl
18:01 < |Mike|> I can imagine, you remember that we spoke eachother? :P
18:01 < krzie> yup
18:02 < krzie> think i still have your # on a dead laptop hd
18:02 -!- bitterman [~yury@84.51.198.114] has joined #openvpn
18:02 < |Mike|> hehe, it's still in use :-)
18:05 -!- luneff [~yury@84.51.198.114] has quit [Ping timeout: 245 seconds]
18:08 < |Mike|> Nirvana - lithium on the radio... woah
18:08 < |Mike|> good old times
18:17 <@vpnHelper> RSS Update - forum: Wishlist :: Re: Port Hopping... :: Reply by daftpunk <https://forums.openvpn.net/viewtopic.php?f=10&t=7162&p=8501#p8501>
18:19 < caesay> So i just recently installed OpenVPN, running on a very minimal config, and no iptable changes at all.. Ive looked at documents and such, but im not very knowledgable in this area so ive not been able to solve my problem..
18:19 < caesay> What im trying to do, is route all traffic (http, ftp, etc..) from the clients, through the VPN tunnel, and then to the internet from the server.. What additional steps do i have to do in order to acomplish this?
18:19 < ecrist> patelx?
18:20 -!- bitterman [~yury@84.51.198.114] has quit [Quit: Leaving]
18:21 < |Mike|> caesay: read !howto :)
18:21 < |Mike|> and !def1
18:22 < ecrist> which magaize?
18:22 < caesay> !howto
18:22 <@vpnHelper> caesay: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
18:22 < caesay> |Mike|: i believe i did check there, 
18:22 < caesay> I was reading and it said something about --push "redirect-gateway def1" in the server config but that doesnt seem to work by itself, and im quite new to the whole linux scheme in general
18:22 < |Mike|> ecrist: maggi? :P
18:23 < caesay> !def1
18:23 <@vpnHelper> caesay: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
18:23 < ecrist> caesay: you're going to need to nat traffic from the vpn to the internet
18:23 < caesay> ecrist: "nat traffic" ?
18:23 < |Mike|> NAT
18:24 < caesay> I know what that is - not how to do it, i suppose ill focus my research into that then
18:24 < ecrist> !linnat
18:24 <@vpnHelper> ecrist: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
18:27 < caesay> will i need to push a DNS server aswell?
18:27 < ecrist> depends.
18:28 < ecrist> probably
18:28 < ecrist> !dns
18:28 <@vpnHelper> ecrist: "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4
18:33 <@vpnHelper> RSS Update - forum: Wishlist :: iptables solution? also possible DoS :: Author daftpunk <https://forums.openvpn.net/viewtopic.php?f=10&t=7299&p=8502#p8502>
18:39 <@vpnHelper> RSS Update - forum: Wishlist :: Re: iptables solution? also possible DoS :: Reply by ecrist <https://forums.openvpn.net/viewtopic.php?f=10&t=7299&p=8503#p8503>
18:39 < |Mike|> lol
18:44 < ecrist> lol?
18:44 < |Mike|> wrong channel ecrist :)
18:55 < |Mike|> :P
18:57 <@vpnHelper> RSS Update - forum: Configuration :: config file entry to bind to specific interfaces :: Author solinym <https://forums.openvpn.net/viewtopic.php?f=6&t=7297&p=8497#p8497> || Configuration :: Re: config file entry to bind to specific interfaces :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7297&p=8505#p8505>
18:57 < ecrist> ,.|..
19:03 <@vpnHelper> RSS Update - forum: Server Administration :: I can only ping one way. Client to server works. :: Author jcavil <https://forums.openvpn.net/viewtopic.php?f=4&t=7300&p=8506#p8506> || Configuration :: specifying source port for connections? :: Author solinym <https://forums.openvpn.net/viewtopic.php?f=6&t=7298&p=8498#p8498> || Configuration :: Re: specifying source port for connections? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f
19:05 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has joined #openvpn
19:15 <@vpnHelper> RSS Update - forum: Server Administration :: Re: I can only ping one way. Client to server works. :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7300&p=8508#p8508>
19:36 -!- Squidy_at_Home [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has quit [Read error: Connection reset by peer]
19:51 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
19:57 -!- Clete2 is now known as Clete2|away
20:01 -!- abeehc [~bob@d207-6-195-163.bchsia.telus.net] has joined #openvpn
20:09 <@vpnHelper> RSS Update - forum: Server Administration :: iptables solution? also possible DoS :: Author daftpunk <https://forums.openvpn.net/viewtopic.php?f=4&t=7299&p=8502#p8502> || Server Administration :: Re: iptables solution? also possible DoS :: Reply by ecrist <https://forums.openvpn.net/viewtopic.php?f=4&t=7299&p=8503#p8503> || Server Administration :: possible DoS :: Reply by daftpunk <https://forums.openvpn.net/viewtopic.php?f=4&t=7299&p=8507#p85
20:11 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
20:17 -!- humanMeat [alex@199.48.243.207] has joined #openvpn
20:21 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Ping timeout: 252 seconds]
20:26 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
20:26 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
20:28 -!- NextPhraze [~next@178-73-208-56.cust.vpntunnel.org] has quit [Read error: Operation timed out]
20:44 -!- Clete2|away [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Remote host closed the connection]
20:53 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
20:58 -!- Clete2 is now known as Clete2|Away
21:01 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
21:01 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
21:01 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
21:16 < humanMeat> uh
21:16 < humanMeat> the exe at http://swupdate.openvpn.net/community/releases/openvpn-2.1.4-install.exe
21:16 < humanMeat> is still installing openvpn gui 1.03
21:16 < humanMeat> even after i uninstall
21:16 < humanMeat> and reinstall, it's still reinstaling the 2002-2005 copyright 1.0.3 openvpn gui client
21:19 < humanMeat> wow it's even erroring on install now
21:19 < humanMeat> how can people say openvpn is good software..
21:19 < humanMeat> what am i supposed to do when even the isntaller breaks
21:20 < humanMeat> "error opening openvpn gui client 1.03 for writing abort skip retry"
21:21 -!- Clete2|Away [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Remote host closed the connection]
21:26 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
21:32 -!- alex__ [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
21:32 < alex__> so why is the old vpn client packaged with 2.14?
21:33 < alex__> this is not a little dumb, not kind of dumb, but very very very dumb.
21:33 < alex__> why would you package somethign that has not been updated since 2005 with your software
21:34 < krzie> huh?
21:34 < alex__> i ran the 2.14 installer.
21:34 < krzie> what 2.14
21:34 < alex__> for windows.  It installed openvpn gui client 1.0.3
21:34 < alex__> !download
21:34 <@vpnHelper> alex__: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
21:35 < alex__> 2.1.4
21:35 < krzie> if you insist on new windows stuff, the 2.2 beta has new windows stuff iirc
21:35 < alex__> so it's either use beta or use 1.0.3?
21:35 < alex__> somehow i think that's a losing proposition
21:35 < krzie> whats the problem with the windows gui?
21:35 < alex__> 1.0.3 which has not been updated since 2005?
21:35 -!- humanMeat [alex@199.48.243.207] has quit [Ping timeout: 245 seconds]
21:35 < krzie> rifght
21:36 < krzie> thats the gui
21:36 < alex__> it doesn't work.
21:36 < alex__> on windows 7
21:36 < alex__> 64 bit.
21:36 < krzie> sure it does
21:36 < krzie> has for many others
21:36 < alex__> uh huh.
21:36 < alex__> but you're saying that the only stable client is 1.0.3
21:36 < krzie> all it does is start a config
21:37 < krzie> openvpn it starts is what gets the updating
21:37 < alex__> is 1.0.3 the only "stable" client?
21:37 < krzie> the gui is a wrapper for starting and stopping configs... not much reason to update it
21:37 < alex__> for windows?
21:37 < krzie> no, your client is 2.1.4
21:37 < alex__> gui client.
21:37 < krzie> the lil gui that it gets started by is 1.0.3
21:37 < alex__> i'm talking about the gui client
21:38 < krzie> no, you are talking about the lil gui that starts the client
21:38 < krzie> your actual openvpn is 2.1.4
21:38 < alex__> i hear it's actually a client by looking at the name, "openvpn gui client"
21:38 < krzie> well you misunderstand
21:38 < krzie> i just told you how it really is
21:38 < alex__> but maybe it's named very poorly
21:38 < alex__> ok
21:38 < krzie> whatever
21:40 < alex__> anyways. it's still broken 
21:41 < krzie> so whats the problem
21:41 < alex__> it says "key values mismatch
21:41 < alex__> " looking at the key files on my server and client,
21:41 < alex__> they do not mismatch.
21:42 < krzie> !configs
21:42 <@vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
21:44 < alex__> !pb
21:44 <@vpnHelper> alex__: "pb" is Use our pastebin to post configs and logs at http://openvpn.pastebin.ca rather than posting to the channel.
21:46 < alex__> http://openvpn.pastebin.ca/1996844
21:46 < alex__>  <----- client config
21:46 < krzie> with comments removed, like the bot said
21:47 < alex__> yes i will run grep on windows
21:47 <@vpnHelper> RSS Update - pastebin: Anonymous <http://pastebin.ca/1996844>
21:48 < alex__> and by config file, u mean .ovpn
21:48 < alex__> right?
21:48 < krzie> right
21:48 -!- p3rror [~mezgani@41.140.42.116] has quit [Read error: Connection reset by peer]
21:48 < alex__> and server.conf
21:50 < alex__> http://openvpn.pastebin.ca/1996846
21:50 < alex__> comments removed
21:53 <@vpnHelper> RSS Update - pastebin: Something <http://pastebin.ca/1996846>
21:54 < krzie> and the server?
21:57 < alex__> k found the problem with ti
21:57 < alex__> but now i get connect to 173.255.215.123:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
21:58 < krzie> sounds like a firewall
21:58 < alex__> client or server. i have 2 rulees configured client side
21:59 < krzie> server, client would be firewall if after connection it doesnt work
21:59 <@vpnHelper> RSS Update - pastebin: Something <http://pastebin.ca/1996847>
22:01 < alex__> hrm. i see tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN 
22:04 < alex__> i added a ufw rule on 1194.
22:04 < alex__> still getting the same error
22:05 < krzie> !logs
22:05 <@vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin
22:07 < alex__> http://pastebin.ca/1996858 < ----- client
22:07 < alex__> u want daemon.log from server?
22:08 < krzie> dont need it, can see its firewall on server
22:08 < krzie> unless server config isnt listening on the same ip:port/proto as the client is connecting to
22:09 < krzie> i wouldnt know, since you didnt post your server config
22:12 < alex__> http://pastebin.ca/1996859 <---- server config
22:16 -!- humanMeat [alex@199.48.243.214] has joined #openvpn
22:18 < humanMeat> oops got disconnected
22:18 < humanMeat> this is alex__
22:18 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
22:19 < humanMeat> anything wrong with config
22:19 -!- alex__ [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Ping timeout: 265 seconds]
22:20 < krzie> nope, its firewall
22:20 < krzie> on server
22:21 < krzie> (assuming the server is running fine... feel free to pastebin its log if you want it seen)
22:21 < krzie> but i feel strongly that something is filtering packets
22:31 -!- UnterPerro [~UnterPerr@32.164.211.177] has joined #openvpn
22:48 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
23:13 < humanMeat> hrm
23:13 < humanMeat> even if i do ufw 1194
23:13 < humanMeat> it's still firewall?
23:29 -!- smerz [~smerz@smerz.demon.nl] has quit [Remote host closed the connection]
23:33 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
23:34 -!- humanMeat [alex@199.48.243.214] has quit [Quit: Leaving]
23:44 -!- smerz [~smerz@smerz.demon.nl] has quit [Remote host closed the connection]
23:59 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
--- Day changed Sat Nov 20 2010
01:10 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has joined #openvpn
01:17 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has quit [Ping timeout: 240 seconds]
01:43 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
02:10 -!- UnterPerro [~UnterPerr@32.164.211.177] has quit [Quit: UnterPerro]
02:23 -!- s7r [~s7r@89.39.174.74] has joined #openvpn
02:34 -!- Druid_ [~mf@p5B136426.dip.t-dialin.net] has quit [Ping timeout: 276 seconds]
02:38 -!- Druid_ [~mf@p5B1373F5.dip.t-dialin.net] has joined #openvpn
02:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
02:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:08 -!- tjz [~pc@67.220.220.132] has joined #openvpn
03:08 -!- tjz [~pc@67.220.220.132] has quit [Changing host]
03:08 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
03:08 -!- gallatin [~gallatin@dslb-094-220-123-255.pools.arcor-ip.net] has joined #openvpn
03:20 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
03:26 -!- aliverius [~george@athedsl-377917.home.otenet.gr] has joined #openvpn
03:28 -!- aliverius_ [~george@athedsl-376130.home.otenet.gr] has quit [Ping timeout: 240 seconds]
03:46 -!- master_of_master [~master_of@p57B56789.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
03:48 -!- master_of_master [~master_of@p57B570CA.dip.t-dialin.net] has joined #openvpn
04:39 -!- WWGD [~WWGD@208.79.14.130] has joined #openvpn
04:44 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
04:46 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has quit [Remote host closed the connection]
04:46 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has joined #openvpn
05:13 -!- gallatin [~gallatin@dslb-094-220-123-255.pools.arcor-ip.net] has quit [Quit: Client exiting]
05:13 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
05:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
05:59 <@vpnHelper> RSS Update - forum: Off Topic, Related :: Openvpn using with ptunnel :: Author beq.scream <https://forums.openvpn.net/viewtopic.php?f=1&t=7293&p=8487#p8487>
06:18 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: help :(]
06:35 <@vpnHelper> RSS Update - forum: Off Topic, Related :: Re: Openvpn using with ptunnel :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=1&t=7293&p=8488#p8488>
06:51 -!- lkthomas [~lkthomas@123.136.11.67] has joined #openvpn
06:52 < lkthomas> Hey guys
06:52 < lkthomas> How could I limit one concurrent login per user?
06:53 < reiffert> pardon?
06:53 < reiffert> !duplicate
06:53 <@vpnHelper> reiffert: "duplicate" is the option duplicate-cn is for allowing the same cert to login more than once. It should not be used in most situations, with main exceptions being if you also use !authpass or if just testing
06:54 < lkthomas> Is it possible to do it across server as well?
06:59 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: QoS or traffic shaping within VPN tunnel when using OpenVPN :: ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7301&p=8513#p8513>
06:59 < reiffert> doing it across server means?
07:01 < lkthomas> I have multiple openvpn servers and want to control one login per user name across them
07:05 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 240 seconds]
07:18 < Bushmills>         --client-connect script ...  "Note  that the return value of script is significant.  If script returns a non-zero error status, it will cause the client to  be disconnected."  - let client-connect-script check openvpn status file on other server
07:27 -!- Squidy [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has joined #openvpn
07:56 -!- p3rror [~mezgani@41.140.101.146] has joined #openvpn
07:58 < ecrist> morning, folks
08:06 < lkthomas> Ok, thanks guys
08:07 -!- lkthomas [~lkthomas@123.136.11.67] has quit []
08:10 -!- UnterPerro [~UnterPerr@32.164.211.177] has joined #openvpn
08:10 -!- UnterPerro [~UnterPerr@32.164.211.177] has quit [Client Quit]
08:17 < toortog> morning everyone
08:22 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
08:30 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
08:31 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
08:36 -!- ujjain [~ujjAIN@unaffiliated/ujjain] has joined #openvpn
08:36 < ujjain> What is an ike-group? :p
08:45 -!- Squidy [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has quit [Remote host closed the connection]
08:46 -!- ujjain [~ujjAIN@unaffiliated/ujjain] has left #openvpn []
08:53 -!- luneff [~yury@84.51.198.114] has joined #openvpn
08:53 <@vpnHelper> RSS Update - forum: Off Topic, Related :: Re: Openvpn using with ptunnel :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=1&t=7293&p=8488#p8488>
09:15 < ecrist> holy crap, this is cool
09:16 < ecrist> krzie: http://bepe80.com/vbmediawiki/#vbmediawiki
09:16 <@vpnHelper> Title: vbMediaWiki Manual (at bepe80.com)
09:26 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
09:30 <@vpnHelper> RSS Update - forum: Configuration :: Re: How to allow the client reach server entire subnet? :: Reply by shuji <https://forums.openvpn.net/viewtopic.php?f=6&t=7283&p=8516#p8516>
09:49 -!- p3rror [~mezgani@41.140.101.146] has quit [Ping timeout: 260 seconds]
09:50 -!- barduck [~barduck@bzq-79-178-196-33.red.bezeqint.net] has joined #openvpn
09:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
09:54 < barduck> Hello, a question: I want to use my linux server to tunnel all traffic from my macbook pro when using public networks. What would be a better solution (easy of setup, speed, security) - openvpn server and custom client on my macbook or installing L2TP/IPsec on the server and using the built in VPN client in OSX ?
09:54 -!- luneff [~yury@84.51.198.114] has quit [Quit: Leaving]
09:57 -!- gyyrog [~mmalleis@24-231-158-154.static.trcy.mi.charter.com] has joined #openvpn
09:57 < gyyrog> why I try to start openvpn, it can't open openvpn-status.log ipp.txt because they don't have proper permissions. It also can't find the dh file. I made one, it is in /etc/openvpn
09:58 < gyyrog> where should it be?
10:01 < toortog> where you tell it to be in server config
10:03 < ecrist> barduck: openvpn
10:03 < ecrist> !mac
10:03 <@vpnHelper> ecrist: "mac" is Use Tunnelblick for the Mac. (http://code.google.com/p/tunnelblick/)
10:04 < krzie> gyyrog, 
10:04 < krzie> !path
10:04 <@vpnHelper> krzie: "path" is always use full paths in your config file, it makes things easier
10:05 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
10:06 < ecrist> !forget path
10:06 <@vpnHelper> ecrist: Error: You don't have the factoids.forget capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
10:08 < ecrist> !forget path
10:08 <@vpnHelper> ecrist: Joo got it.
10:08 < ecrist> !learn path as It is a good idea to use full paths in your config.
10:08 <@vpnHelper> ecrist: Joo got it.
10:09 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
10:11 < fahmad> can someone tell me is there any openvpn management interface api written on php ?
10:12 < ecrist> what do you mean?
10:14 < fahmad> means 
10:14 < fahmad> like i can see there is one for openvpn::management for perl but i need to know is there api for php ...
10:14 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has quit [Ping timeout: 276 seconds]
10:15 < gyyrog> where should I put my key files?
10:15 < fahmad> so that i can write code into php which will pay less load on server ...
10:15 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn
10:16 < fahmad> http://search.cpan.org/~meyeaard/Net-OpenVPN-Manage-0.02/lib/Net/OpenVPN/Manage.pm
10:16 < fahmad> brb
10:16 <@vpnHelper> Title: :::: - search.cpan.org (at search.cpan.org)
10:21 -!- Fieldy [7f5dNa6ghb@gentoo/contributor/Fieldy] has joined #openvpn
10:22 < Fieldy> more of a netfilter/iptables question, but i'm thinking maybe someone in here thought of it while running openvpn;  if I'm running an openvpn server as the user openvpn, and a remote client pushes traffic through it, can i use the owner module in iptables to tag that traffic as user openvpn? (I have also asked in #Netfilter)
10:33 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
10:40 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
10:47 < ecrist> fahmad: no, I do not think so
10:48 < fahmad> ok
10:49 < ecrist> Fieldy: no idea.
10:50 -!- Fieldy [7f5dNa6ghb@gentoo/contributor/Fieldy] has quit [Remote host closed the connection]
10:51 -!- Fieldy [lIynpGIHPV@gentoo/contributor/Fieldy] has joined #openvpn
10:51 -!- Fieldy [lIynpGIHPV@gentoo/contributor/Fieldy] has quit [Remote host closed the connection]
10:52 -!- Fieldy [dHLeA9lJLO@gentoo/contributor/Fieldy] has joined #openvpn
10:55 < gyyrog> I am getting some sort of tsl error?
10:55 < gyyrog> http://pastebin.com/vum8wLgi
10:55 < gyyrog> TLS key negotiation failed to occur
11:15 -!- WWGD [~WWGD@208.79.14.130] has left #openvpn []
11:21 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Remote host closed the connection]
11:34 -!- MariaKeys [~MariaKeys@92.98.143.193] has joined #openvpn
11:36 < MariaKeys> how to check a site-to-site VPN between 2 machines?
11:36 < MariaKeys> both sides are up and initialized.
11:41 -!- barduck [~barduck@bzq-79-178-196-33.red.bezeqint.net] has quit [Quit: barduck]
11:48 < Fieldy> is there a way to specify the default route only for traffic coming from the clients, and through the VPN server out to the world? case: use a different gateway for exiting VPN traffic. i've spent a few hours fighting with iptables marking, route, ip route etc trying to get it done to no avail.
11:48 < Fieldy> a way to specify it in the server config, that is.
11:49 -!- fahmad [~linux@unaffiliated/fahmad] has quit [Ping timeout: 265 seconds]
11:50 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has joined #openvpn
11:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
11:51 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
11:55 -!- atan [~atan@unaffiliated/atan] has quit [Ping timeout: 245 seconds]
12:00 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 240 seconds]
12:03 < gyyrog> can anyone help? or even just point me in the right direction
12:03 -!- atan2 [~atan@unaffiliated/atan] has quit [Quit: null]
12:04 -!- dogarrhea1 [alex@199.48.243.208] has joined #openvpn
12:04 < dogarrhea1> so apparently it's not a firewall issue... but i'm still getting will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
12:04 < dogarrhea1> is there any place where i can read aboout this mysterious undocumented wsaetimedout
12:13 < dogarrhea1> anything about sigterm hard errors?
12:14 < dogarrhea1> are errors ever descriptive?
12:15 < dogarrhea1> does openvpn ever work?
12:15 < dogarrhea1> on windows 7 64 bit?
12:40 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has quit [Ping timeout: 240 seconds]
12:50 -!- Fieldy [dHLeA9lJLO@gentoo/contributor/Fieldy] has quit [Remote host closed the connection]
12:50 -!- Rienzilla [rien@sinas.rename-it.nl] has joined #openvpn
12:51 -!- Fieldy [~shya@gentoo/contributor/Fieldy] has joined #openvpn
12:51 < dogarrhea1> hi rienzilla
12:52 < Rienzilla> hi
12:53 < dogarrhea1> !paste
12:53 <@vpnHelper> dogarrhea1: "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
12:54 < dogarrhea1> rienzilla,  http://pastebin.ca/1997296   is my server.conf
12:55 < dogarrhea1> http://pastebin.ca/1997297    is my client
12:55 -!- fahmad [~linux@vpn.server4sale.com] has joined #openvpn
12:55 -!- fahmad [~linux@vpn.server4sale.com] has quit [Changing host]
12:55 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
12:55 < dogarrhea1> i've got these 2 unnamed adapters that i can't delete after installing opnevpn client
12:56 < dogarrhea1> i'm pretty sure one of them is for the openvpn client some tap 32 adapater
12:57 < Rienzilla> yes you're supposed to get a new adapter
12:57 < Rienzilla> but first things first. See query
13:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
13:04 -!- Fieldy [~shya@gentoo/contributor/Fieldy] has quit [Quit: Fieldy]
13:16 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
13:25 -!- caesay [~caesay@unvanquished/associate/sniperx] has quit [Remote host closed the connection]
13:48 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
13:50 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
13:50 <@vpnHelper> RSS Update - forum: Off Topic, Related :: Re: Openvpn using with ptunnel :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=1&t=7293&p=8488#p8488>
13:57 <@vpnHelper> RSS Update - forum: Off Topic, Related :: mailman mailing list instead of web forum? :: Author solinym <https://forums.openvpn.net/viewtopic.php?f=1&t=7296&p=8496#p8496> || Off Topic, Related :: Re: mailman mailing list instead of web forum? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=1&t=7296&p=8499#p8499>
14:03 <@vpnHelper> RSS Update - forum: Off Topic, Related :: Re: route command path :: Reply by gkakaron <https://forums.openvpn.net/viewtopic.php?f=1&t=7269&p=8512#p8512>
14:09 <@vpnHelper> RSS Update - forum: Wishlist :: Re: bind to multiple ports :: Reply by daftpunk <https://forums.openvpn.net/viewtopic.php?f=10&t=383&p=8504#p8504>
14:15 <@vpnHelper> RSS Update - forum: Wishlist :: Re: bind to multiple ports :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=10&t=383&p=8511#p8511>
14:15  * krzee kicks vpnHelper 
14:21 <@vpnHelper> RSS Update - forum: Configuration :: Re: How to allow the client reach server entire subnet? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7283&p=8517#p8517>
14:24 < ecrist> 09:15 < ecrist> holy crap, this is cool
14:24 < ecrist> 09:16 < ecrist> krzie: http://bepe80.com/vbmediawiki/#vbmediawiki
14:24 <@vpnHelper> Title: vbMediaWiki Manual (at bepe80.com)
14:27 < krzee> yup that does look cool
14:42 < |Mike|> :P
14:42 < |Mike|> i have to say that police dog training is kewl
14:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
15:06 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Read error: Operation timed out]
15:09 -!- Squidy [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has joined #openvpn
15:14 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
15:27 <@vpnHelper> RSS Update - forum: Wishlist :: Re: bind to multiple ports :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=10&t=383&p=8511#p8511>
15:44 < hyper_ch> |Mike|: you get training as police dog?
15:49 < |Mike|> hyper_ch: as leader, i sure do :)
15:49 < |Mike|> it's a two way learning session ;)
15:54 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
15:58 -!- gyyrog [~mmalleis@24-231-158-154.static.trcy.mi.charter.com] has quit [Ping timeout: 265 seconds]
16:00 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Read error: Connection reset by peer]
16:03 -!- caesay [~caesay@unvanquished/associate/sniperx] has joined #openvpn
16:06 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
16:10 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Remote host closed the connection]
16:25 -!- gyyrog [~mmalleis@75-129-104-146.dhcp.trcy.mi.charter.com] has joined #openvpn
16:26 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Quit: leaving]
16:29 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined #openvpn
16:32 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Client Quit]
16:32 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined #openvpn
16:33 -!- gyyrog [~mmalleis@75-129-104-146.dhcp.trcy.mi.charter.com] has quit [Ping timeout: 240 seconds]
16:34 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has quit [Quit: leaving]
16:50 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:52 -!- s7r [~s7r@89.39.174.74] has quit [Quit: Leaving.]
16:52 -!- s7r [~s7r@89.39.174.74] has joined #openvpn
16:57 <@vpnHelper> RSS Update - forum: Wishlist :: Re: Port Hopping... :: Reply by daftpunk <https://forums.openvpn.net/viewtopic.php?f=10&t=7162&p=8501#p8501>
17:03 -!- Druid_ [~mf@p5B1373F5.dip.t-dialin.net] has quit [Ping timeout: 276 seconds]
17:03 -!- Druid_ [~mf@p5B1373F5.dip.t-dialin.net] has joined #openvpn
17:12 < krzee> |Mike|, you are involved with police dogs?
17:13 < |Mike|> training of them, yes.
17:14 < krzee> i must admit to being a lil surprised
17:15 < |Mike|> i can imagine why :)
17:15 < |Mike|> krzee: we have one dutch shepherd here which needs some bite adjustment training
17:17 < |Mike|> and it gets the 'stellen' (attack and bite command) etc there
17:19 < krzee> PLUTZ
17:19 < |Mike|> PLUTZ?
17:19 < krzee> (lay down in german... german is a common language to train dogs in)
17:19 < |Mike|> Yeah
17:19 < |Mike|> few weeks ago she started to bark at people in the woods
17:20 < |Mike|> w/o leash
17:20 < |Mike|> butttttttttt, she was barking people into corners
17:20 < krzee> sure it was at people?  dogs in training often get distracted by critters
17:20 < ecrist>  
17:20 < |Mike|> Yes sir
17:20 < ecrist> |Mike|: something you say keeps screwing up my irssi
17:21 < |Mike|> ecrist: wtf?
17:21 -!- krzee is now known as |krzee|
17:21 < |Mike|> crist!
17:21 < ecrist> gah
17:21 < |Mike|> use pipes
17:21 < |krzee|> does this mess up your irssi ecrist ?
17:21 < ecrist> there it goes
17:22 < |Mike|> :D
17:24  * |Mike| still uses the default irssi theme
17:25 < |Mike|> |krzee|: we use "Plaats" here in NL
17:27 < ecrist> |Mike|: what were you doing that screwed up my client?
17:28 < |Mike|> ecrist: nothing.
17:28 < MariaKeys> how to do openVPN? site-to-site
17:28 < |Mike|> I didn't say anything colorfull,, did i? :P
17:28 < ecrist> nope
17:28 < |Mike|> MariaKeys: !howto please
17:29 < ecrist> is that mIRC?
17:29 < MariaKeys> Machine A has public IPs: 1.1.1.1 1.1.1.2 1.1.1.3
17:29 < MariaKeys> Machine B has public IP: 2.2.2.2
17:29 < MariaKeys> Mike: I am reading howtos since 4 days.
17:29 < |Mike|> ecrist: irssi baby!
17:29 < |Mike|> Irssi 0.8.15 (20100403) - http://irssi.org/
17:29 <@vpnHelper> Title: Irssi - The client of the future (at irssi.org)
17:30 < MariaKeys> openVPN  is established between A and B on tun1 10.9.9.1-2
17:30 < MariaKeys> ping is working from both sides. firewall is off.
17:30 < ecrist> how did you do the rainbow colors so fast?
17:31 < MariaKeys> how to make a connection to 1.1.1.2 go out from 2.2.2.2?
17:31 < |Mike|> ecrist: ascii.pl
17:31 < ecrist> ah
17:31 < |Mike|> like this? :)
17:31 < Bushmills> |Mike|:  "zit" is said to dutch dogs
17:31 < |Mike|> ./colsay like this? :)
17:31 < Bushmills> or "ga zitten"
17:31 < |Mike|> Sit / zit
17:31 < |Mike|> or 'af'
17:32 < |Mike|> altho 'af' is more an inhouse command
17:32 < |Mike|> (which means -> go into your bench / basket)
17:33 < Bushmills> never heard anyone say (dutch) "plaats" when he wants his dog to sit
17:33 < |Mike|> plaats is more a way to sit away from you
17:33 < |Mike|> erm
17:33 < Bushmills> german "platz" can also mean "burst"
17:34 < Bushmills> the imperative
17:34 < |Mike|> plaats is more a  command to say to a dog which needs to return! to his place where he started from
17:34 < |Mike|> like -> sit -> come here -> lace -> platz! (plaats)
17:34 < Bushmills> a well trained dog may explode when being told "platz"
17:35 < |Mike|> or 'go get him' :P
17:35 <@vpnHelper> RSS Update - forum: Wishlist :: Re: Port Hopping... :: Reply by ecrist <https://forums.openvpn.net/viewtopic.php?f=10&t=7162&p=8514#p8514>
17:35 < |Mike|> ours responds to hit
17:35 < |Mike|> *it
17:36 < Bushmills> "faß" in german, equ to dutch "pak"
17:36 < |Mike|> yeah, we use "stellen"
17:36 < Bushmills> where german faß also means "barrel, vat"
17:36 < |Mike|> altho ours is used to PAK
17:37 < |Mike|> frisbee => PAK
17:37 < |Mike|> (said hardly)
17:37 < Bushmills> suit -> pak
17:37 < |Mike|> yeah :P
17:37 < |Mike|> suit is needed
17:38 < |Mike|> altho PAK means -> get him
17:38 < Bushmills> so what do dutch suits and german barrels have in common :P
17:38 < |Mike|> pak is similar to fetch
17:38 < |Mike|> a barrel is filled with beer :P
17:38 < Bushmills> both involve grabbing :D
17:38 < |Mike|> true
17:41 < MariaKeys> As soon as I say something, people disappear like Red Sea split in half to make way for moses!
17:41 <@vpnHelper> RSS Update - forum: Forum & Website Support :: Re: fix your email address parser :: Reply by ecrist <https://forums.openvpn.net/viewtopic.php?f=30&t=7295&p=8515#p8515>
17:41 < Bushmills> see you later
17:41 < |Mike|> MariaKeys: got cold beers?
17:42 < MariaKeys> I need help with this VPN crap. If i could send beers to people, i would.
17:42 < Bushmills> a suit of beer :P
17:43 < |Mike|> @ amsterdam :P
17:43 < Bushmills> oh well. can't change that. if i could help people with vpn crap, i'd do as wel
17:43 < |Mike|> craptitude? :P
17:44 < MariaKeys> if you cant help with VPN crap, what are you doing here?
17:44 < Bushmills> i pul peoples' toes
17:44 < |Mike|> Drinking beer MariaKeys.
17:44 < Bushmills> pull
17:44 < |Mike|> define 'crap'
17:45 < MariaKeys> crap=anything I can solve
17:45 < MariaKeys> *I can't solve
17:45 < Bushmills> hm. i think i like "pul" better, reminds me more of "tap"
17:45 < |Mike|> !tell MariaKeys [logs]
17:45 < |Mike|> !tell MariaKeys [configs]
17:45 < Bushmills> !beer
17:45 <@vpnHelper> Bushmills: "beer" is its what's for dinner!
17:46 < MariaKeys> mike: openVPN established from both sides. It starts, initializes and ping works from both machines to the other.
17:46 < |Mike|> but
17:48 < MariaKeys> i dont know how to do the routings.
17:48 < Bushmills> why do extra routing if it works
17:49 < MariaKeys> just ping works. nothing else works.
17:49 < Bushmills> unrelated to routing
17:49 < Bushmills> !firewall
17:49 <@vpnHelper> Bushmills: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
17:49 < MariaKeys> firewall is off as i mentioned.
17:49 < Bushmills> or, bind services to all interfaces, including the vpn interace
17:49 < Bushmills> interface
17:50 < |Mike|> all interfaces? eeuw.
17:50 < |Mike|> how are you networps split up?
17:50 < Bushmills> was routing the problem, you couldn't ping the other end
17:50 < |Mike|> like management, secure and public?
17:53 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
17:54 < MariaKeys> netwho?
17:55 < |Mike|> ..
18:00 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
18:07 < reiffert> ..
18:07 < |Mike|> ./
18:07 < reiffert> \.
18:26 -!- Squidy [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has quit [Remote host closed the connection]
18:49 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 260 seconds]
19:11 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
19:19 < korozion> is there a client limit to the free version?
19:22 < Bushmills> not by policy
19:22 < korozion> nice
19:23 < Bushmills> but practical limits exist
19:23 < korozion> makes sense
19:38 -!- p3rror [~mezgani@41.140.26.232] has joined #openvpn
20:06 -!- via [~via@vtluug/member/via] has joined #openvpn
20:06 -!- via [~via@vtluug/member/via] has left #openvpn []
20:30 -!- |krzee| is now known as krzee
20:41 -!- s7r [~s7r@89.39.174.74] has quit [Read error: Connection reset by peer]
20:43 -!- W0rmF00d is now known as WormFood
21:16 <@vpnHelper> RSS Update - forum: Off Topic, Related :: Re: route command path :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=1&t=7269&p=8518#p8518>
21:59 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has joined #openvpn
22:00 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has quit [Ping timeout: 255 seconds]
22:14 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has joined #openvpn
22:33 -!- nb [~nb@fedora/nb] has quit [Read error: Operation timed out]
22:34 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
22:56 -!- dogarrhea1 [alex@199.48.243.208] has quit [Ping timeout: 276 seconds]
23:38 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:40 -!- WormFood [~wormfood@183.38.15.107] has quit [Ping timeout: 265 seconds]
23:45 -!- nb [~nb@fedora/nb] has joined #openvpn
23:51 -!- straterra [~straterra@fuhell.com] has left #openvpn []
23:53 -!- WormFood [~wormfood@183.39.101.108] has joined #openvpn
23:57 -!- UnterPerro [~UnterPerr@166.199.96.117] has joined #openvpn
23:59 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
--- Day changed Sun Nov 21 2010
00:02 -!- humanMeat [alex@199.48.243.225] has joined #openvpn
00:05 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Ping timeout: 265 seconds]
00:14 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Quit: leaving]
00:14 -!- jpalmer [~jpalmer@174.136.106.114] has joined #openvpn
00:14 -!- jpalmer [~jpalmer@174.136.106.114] has quit [Changing host]
00:14 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined #openvpn
00:33 -!- MariaKeys [~MariaKeys@92.98.143.193] has quit []
02:26 -!- UnterPerro [~UnterPerr@166.199.96.117] has quit [Quit: UnterPerro]
02:32 -!- Druid_ [~mf@p5B1373F5.dip.t-dialin.net] has quit [Ping timeout: 276 seconds]
02:35 -!- Druid_ [~mf@p5B1371B9.dip.t-dialin.net] has joined #openvpn
02:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
02:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:32 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
03:46 -!- master_of_master [~master_of@p57B570CA.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
03:48 -!- master_of_master [~master_of@p57B533CB.dip.t-dialin.net] has joined #openvpn
03:57 -!- humanMeat [alex@199.48.243.225] has quit [Ping timeout: 272 seconds]
04:21 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
04:24 <@vpnHelper> RSS Update - forum: Server Administration :: Routing Questions :: Author ExEric3 <https://forums.openvpn.net/viewtopic.php?f=4&t=7306&p=8519#p8519>
04:31 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
04:48 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has joined #openvpn
05:15 -!- cherva [~cherva@87.120.176.252] has joined #openvpn
05:16 < cherva> can someone help me in the status log I get the virtual addresses as the mac address of the tap device
05:17 < reiffert> !goal
05:17 <@vpnHelper> reiffert: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
05:18 < cherva> reiffert, I want to see the current virtual ip in the status log not the mac address of the users tap device
05:19 < krzie> see -management
05:19 < krzie> --management
05:19 < krzie> !man
05:19 <@vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
05:30 < cherva> krzie, thi is for managment of the vpn I just want to see the virtual ip of the user connected in my status log. My current status log looks like this: http://pastebin.com/pYrLqacq  as what I can understand from line 6 the first thing on line 7 should be the virtual ip in my case 10.8.0.X but instead of this I get the mac of the users tap dev
05:32 -!- Druid_ [~mf@p5B1371B9.dip.t-dialin.net] has quit [Read error: Connection reset by peer]
05:51 -!- cherva [~cherva@87.120.176.252] has quit [Remote host closed the connection]
05:54 <@vpnHelper> RSS Update - forum: Configuration :: Mac address instead of virtual addres in status log.. :: Author cherva <https://forums.openvpn.net/viewtopic.php?f=6&t=7307&p=8520#p8520>
06:00 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
06:00 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Remote host closed the connection]
06:04 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
06:07 -!- Squidy [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has joined #openvpn
06:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
06:13 -!- Squidy [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has quit [Ping timeout: 252 seconds]
06:20 < krzie> oh he must have been using tap
06:20 -!- Squidy [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has joined #openvpn
06:33 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
06:44 < tuxx_> hey guys...
06:44 < tuxx_> sometimes my openvpn tunnel "crashes"
06:44 < tuxx_> the tap0 interface is still up and everything
06:45 < tuxx_> but no hosts are reachale
06:45 < tuxx_> reachable
07:10 -!- ucekpolish [user@hq.ostc-pl.com] has joined #openvpn
07:16 -!- kaushal [~kaushal@triband-mum-120.61.12.33.mtnl.net.in] has joined #openvpn
07:16 < kaushal> Hi
07:17 < kaushal> I was discussing last week here about running openvpn in daemon mode
07:17 < kaushal> on the client machine
07:18 < kaushal> How do i handle the DNS Servers of the ISP when i swich from office to home network ?
07:18 < kaushal> I am using Ubuntu Linux 10.04
07:19 < Bushmills> and what cause the need to discuss that again?
07:20 < Bushmills> last weeks suggestions are still valid today, technology changes rapidly but not *that* rapidly
07:20 < hyper_ch> Bushmills: we're still stuck with last week's technology? :(
07:20 < hyper_ch> where is my transmat and my holodeck :(
07:21  * Bushmills is stuck with technology many years old
07:21 -!- s7r [~s7r@89.39.174.74] has joined #openvpn
07:21 < hyper_ch> why can't my brain interface directly with my computer
07:21 < Bushmills> consumer protection
07:21 < hyper_ch> pr0n overload?
07:22 < Bushmills> there could be a virus or backdoor on the computer
07:22 < hyper_ch> most people run windows... so they don't object to viruses and backdoors anyway
07:23 < Bushmills> glassy eyes, mumbling, repetitively: "i must write a bank order to transfer all my money to memorized account"
07:25 < kaushal> Bushmills: sorry was away
07:25 < kaushal> please suggest
07:25 < Bushmills> or "must ... by ... more ... microsoft"
07:25 < Bushmills> buy
07:55 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
08:07 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Quit: leaving]
08:08 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined #openvpn
08:09 -!- UnterPerro [~UnterPerr@166.199.96.117] has joined #openvpn
08:09 -!- Squidy_at_Home [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has joined #openvpn
08:09 -!- Squidy [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has quit [Ping timeout: 245 seconds]
08:18 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 240 seconds]
08:35 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
08:38 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
08:45 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
08:45 -!- Squidy_at_Home [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has quit [Remote host closed the connection]
08:46 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
08:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
08:49 -!- pushpop [~marc@pool-173-68-141-224.nycmny.fios.verizon.net] has quit [Ping timeout: 265 seconds]
09:00 -!- UnterPerro [~UnterPerr@166.199.96.117] has quit [Quit: UnterPerro lives to save another day]
09:10 -!- luneff [~yury@84.51.198.114] has joined #openvpn
09:19 -!- Chaze_ [~Chase@74.117.157.254] has joined #openvpn
09:20 < Chaze_> hi there. i'm having some trouble with clearing the logfile of openvpn. even though i emptied it (echo>), on the next write operation the whole log is back again
09:21 < Chaze_> it seems openvpn always keeps the handle to the file open
09:25 -!- kerfe [~a@66.pool85-60-140.dynamic.orange.es] has joined #openvpn
09:40 -!- Amacidia [~amacidia@70.74.161.36] has quit [Ping timeout: 276 seconds]
09:54 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
09:55 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
09:58 -!- p3rror [~mezgani@41.140.26.232] has quit [Ping timeout: 255 seconds]
10:01 -!- bitterman [~yury@84.51.198.114] has joined #openvpn
10:03 -!- Chaze_ [~Chase@74.117.157.254] has quit [Ping timeout: 240 seconds]
10:05 -!- luneff [~yury@84.51.198.114] has quit [Ping timeout: 276 seconds]
10:14 -!- p3rror [~mezgani@41.140.172.9] has joined #openvpn
10:17 -!- kaushal [~kaushal@triband-mum-120.61.12.33.mtnl.net.in] has left #openvpn []
10:22 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
10:29 -!- Amacidia [~amacidia@70.74.161.36] has joined #openvpn
10:32 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
10:39 -!- bba [~bba@93.1.40.113] has joined #openvpn
10:43 -!- datalock [~ircap@189.35.6.113] has joined #openvpn
10:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
11:02 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
11:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
11:07 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has quit [Quit: leaving]
11:23 -!- bitterman [~yury@84.51.198.114] has quit [Read error: Connection reset by peer]
11:23 -!- bitterman [~yury@84.51.198.114] has joined #openvpn
11:26 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
11:27 -!- terminatorthree [~terminato@ip-141-31-181-238.nat.selfnet.de] has joined #openvpn
11:27 < terminatorthree> hi
11:28 < terminatorthree> anybody here who can help me with openvpn?
11:29 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
11:32 < hyper_ch> !tell terminatorthree [welcome]
11:33 < terminatorthree> is it ok if i explain the situation?
11:33 < hyper_ch> well, we could also fetch our magic crystal balls and start divning :)
11:34 < terminatorthree> ok, would be even easier
11:34 < terminatorthree> ok
11:34 < terminatorthree> so what i want to do is connection networks using bridgiung
11:34 < hyper_ch> !bridge
11:34 <@vpnHelper> hyper_ch: "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc, or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ, or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man)
11:34 -!- Kurogane [~kuro@190.87.80.64] has joined #openvpn
11:34 < terminatorthree> i have 1 ubuntu vps and want to bridge my home network to it
11:34 < terminatorthree> yes i read all the docs
11:35 < terminatorthree> and got is set up but it works only partly
11:35 < terminatorthree> so vps is server with ip 192.168.7.1, client get 7.2 and bridges it to eth1
11:35 -!- darth_bitterman [~yury@84.51.198.114] has joined #openvpn
11:36 < terminatorthree> but client behind 7.2 cannot reach 7.1
11:36 < terminatorthree> which logs or configs do you need?
11:37 < terminatorthree> any idea?
11:37 < hyper_ch> I have no idea
11:37 < hyper_ch> but then I don't know much about openvpn
11:38 < terminatorthree> hmm ok anybody else of the 120 people here in the channel has an idea?
11:38 -!- bitterman [~yury@84.51.198.114] has quit [Ping timeout: 245 seconds]
11:44 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
11:50 -!- Squidy [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has joined #openvpn
11:55 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
12:00 -!- bitterman [~yury@84.51.198.114] has joined #openvpn
12:01 -!- terminatorthree_ [~terminato@ip-141-31-181-238.nat.selfnet.de] has joined #openvpn
12:01 < terminatorthree_> hi, anybody here who can help with openvpn?
12:02 -!- terminatorthree_ [~terminato@ip-141-31-181-238.nat.selfnet.de] has quit [Client Quit]
12:02 -!- terminatorthree [~terminato@ip-141-31-181-238.nat.selfnet.de] has quit [Quit: Verlassend]
12:03 -!- darth_bitterman [~yury@84.51.198.114] has quit [Ping timeout: 245 seconds]
12:38 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Read error: Operation timed out]
12:47 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
12:48 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
13:11 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
13:20 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
13:30 -!- humanMeat [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
13:31 -!- bitterman [~yury@84.51.198.114] has quit [Quit: Leaving]
13:35 -!- dogarrhea1 [alex@199.48.243.221] has joined #openvpn
13:37 -!- humanMeat [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Ping timeout: 255 seconds]
14:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
14:01 -!- bba [~bba@93.1.40.113] has quit [Remote host closed the connection]
14:02 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
14:02 -!- bba [~bba@93.1.40.113] has joined #openvpn
14:05 -!- DrJ is now known as Bacon
14:05 -!- Bacon is now known as DrJ
14:08 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Read error: Connection reset by peer]
14:08 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
14:20 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 240 seconds]
14:22 -!- hulagu [~hulagu@69.172.135.243] has joined #openvpn
14:22 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
14:23 -!- s7r [~s7r@89.39.174.74] has left #openvpn []
14:25 -!- datalock [~ircap@189.35.6.113] has quit []
14:30 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
14:51 -!- Squidy [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has quit [Ping timeout: 252 seconds]
14:51 -!- Squidy_at_Home [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has joined #openvpn
14:56 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
14:59 -!- Squidy [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has joined #openvpn
15:01 -!- Squidy_at_Home [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has quit [Ping timeout: 252 seconds]
15:08 -!- Kurogane [~kuro@190.87.80.64] has quit [Ping timeout: 245 seconds]
15:15 -!- Kurogane [~kuro@190.87.80.64] has joined #openvpn
15:38 <@vpnHelper> RSS Update - forum: Server Administration :: Measuring per user bandwidth :: Author stewsnooze <https://forums.openvpn.net/viewtopic.php?f=4&t=7308&p=8521#p8521>
15:39 -!- Squidy [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has quit [Remote host closed the connection]
15:39 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 240 seconds]
15:47 -!- s7r [~manevra@89.39.174.74] has joined #openvpn
15:50 -!- luneff [~yury@84.51.198.114] has joined #openvpn
15:51 -!- s7r [~manevra@89.39.174.74] has quit [Quit: bye]
15:59 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
16:13 -!- plundra [404@article.se] has quit [Remote host closed the connection]
16:28 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Read error: Connection reset by peer]
16:31 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
16:34 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
16:38 -!- davascript [~davascrip@cpe-74-69-146-66.stny.res.rr.com] has joined #openvpn
16:38 < davascript> Hello All
16:38 < davascript> anyone around?
16:39 < Rienzilla> yes!
16:39 -!- kerfe [~a@66.pool85-60-140.dynamic.orange.es] has quit [Ping timeout: 245 seconds]
16:40 < davascript> I would like to know if it is possible to force use of tun1 instead of tun0.  I presume so but its not jumping out at me in the conf file.  A little googling and did not find much useful.
16:44 < Rienzilla> dev-type tun 
16:44 < Rienzilla> dev tun1
16:45 < Rienzilla> (or dev-node tun1 if you are on windows)
17:00 -!- c|oneman [c_oneman@i209-195-69-75.cia.com] has joined #openvpn
17:01 < c|oneman> hello.
17:01 < Rienzilla> hello
17:01 < c|oneman> I have setup openvpn client and server. I seem to have been successful, as I'm able to communicate between then in their new, virtual IPs
17:02 < c|oneman> however, I was trying to as well make the clients use the internet connection of the server, but they are having trouble detecting it
17:03 < krzee> !redirect
17:03 <@vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:03 < Rienzilla> you need to make sure to route all traffic of the client through the tunnel (this can be accomplished with 'redirect-gateway def1')
17:03 < Rienzilla> and of course the server needs to route (and maybe NAT) the traffic
17:04 < c|oneman> push "redirect-gateway def1"  # This will force the clients to use the home network's internet connection
17:04 < c|oneman> thats what I have for the server
17:05 < krzee> sure, but you still need the other 2 things
17:05 < c|oneman> I've also setup a route in my NAT
17:05 < krzee> [15:03]  <vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:05 < c|oneman> !ipforward
17:05 <@vpnHelper> c|oneman: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
17:05 < c|oneman> !winipforward
17:05 <@vpnHelper> c|oneman: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
17:05 < krzee> the server is windows?
17:06 < c|oneman> yes
17:06 < krzee> !winnat
17:06 <@vpnHelper> krzee: "winnat" is (#1) http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows, or (#2) http://www.nanodocumet.com/?p=14 for windows XP
17:06 < c|oneman> so I have to configure ICS as well?
17:06 < c|oneman> o
17:06 < c|oneman> maybe not
17:06 < krzee> you said you setup nat on the server already...?
17:08 < c|oneman> no, what I did is, I added a route inside my router's config
17:08 < krzee> the route?
17:08 < krzee> you need to NAT the packets
17:08 < krzee> the vpn subnet is likely not internet routable (10.8.0.0/24 or something similar)
17:08 < c|oneman> right
17:09 < krzee> so you either tell the server, or the server's router to NAT those
17:09 < c|oneman> hrm. I followed the following instructions, most of which seem to be in line with what you're telling me
17:09 < c|oneman> http://www.itsatechworld.com/2006/01/29/how-to-configure-openvpn/
17:09 <@vpnHelper> Title: Its A Tech World | How to configure OpenVPN (at www.itsatechworld.com)
17:09 < krzee> omg no
17:09 < krzee> it tells you to use openvpn.se
17:09 < krzee> that is yrs old, install from this
17:09 < krzee> !download
17:09 <@vpnHelper> krzee: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
17:10 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
17:10 < c|oneman> I didnt follow all the instructions to the T, I inferred a little, and used the lastest
17:10 < c|oneman> http://swupdate.openvpn.net/community/releases/openvpn-2.2-beta3-install.exe
17:11 < c|oneman> thats the one I downloaded.
17:11 < c|oneman> so yeah, I followed old instructions, with new software. it worked out pretty well!
17:11 < krzee> are you sharing a LAN?
17:11 < krzee> because thats the only purpose to the route it told you to add on the router
17:11 -!- p3rror [~mezgani@41.140.172.9] has quit [Ping timeout: 260 seconds]
17:11 < krzee> (thats why learning is better than following some lamesauce howto)
17:12 -!- bitterman [~yury@84.51.198.114] has joined #openvpn
17:12 < c|oneman> could you explain what you mean by sharing a lan?
17:12 < krzee> umm
17:12 < krzee> !serverlan
17:12 <@vpnHelper> krzee: "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
17:12 < krzee> that
17:12 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
17:12 < krzee> having an entire lan be accessible over the vpn...
17:13 < c|oneman> so, like hamachi, right?
17:13 < krzee> no
17:13 < krzee> like openvpn with a lan accessible over the vpn
17:13 < krzee> how about this
17:13 < c|oneman> lol
17:13 < krzee> !goal
17:13 <@vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:14 < c|oneman> I want the clients to use the internet connection of the server.
17:14 < c|oneman> access to the lan isnt really important.
17:14 < krzee> then heres what you need
17:14 < krzee> i dont care what thehowto said
17:14 < krzee> !redirect
17:14 <@vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:14 < krzee> !winnat
17:14 <@vpnHelper> krzee: "winnat" is (#1) http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows, or (#2) http://www.nanodocumet.com/?p=14 for windows XP
17:14 < krzee> !winipforward
17:14 <@vpnHelper> krzee: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
17:15 < krzee> the end
17:15 -!- luneff [~yury@84.51.198.114] has quit [Ping timeout: 245 seconds]
17:15 < c|oneman> lol
17:15 -!- bitterman [~yury@84.51.198.114] has quit [Read error: Connection reset by peer]
17:15 -!- bitterman [~yury@84.51.198.114] has joined #openvpn
17:17 < c|oneman> thanks krzee
17:18 < c|oneman> your compassion for a script kiddie is most appreciated
17:18 < krzee> erm ok
17:18 < krzee> heh
17:19 -!- fink [~guest@99-206-179-66.pools.spcsdns.net] has joined #openvpn
17:20 < fink> what's a good way to check if the openvpn connection is up, with a shell script?
17:20 < reiffert> ping -c1 $remote and check the exit status.
17:20 < krzee> ping the remote node?
17:21 < krzee> yep
17:21 < reiffert> krzee: we should step away form ip here, but it's pretty easy for now.
17:21 < krzee> ping -c1 $remote && NODE_IS_UP="1"
17:22 < krzee> true, it could be improved, but thats a rough idea
17:24 < Bushmills> i'd possibly go for   ping -c1 $host ; status=$?
17:25 < fink> krzee & reiffert: are you talking to me?
17:26 < krzee> fink, yes
17:26 < krzee> as was Bushmills 
17:26 < fink> thanks guys
17:26 < fink> i was hoping to accomplish this without necessarily knowing what's on the remote end
17:27 < Bushmills> you don't need to know
17:27 -!- p3rror [~mezgani@41.140.97.133] has joined #openvpn
17:27 < Bushmills> as long as it replies to echo requests
17:28 < fink> does openvpn create a file in /var/tmp when it brings up an interface? or could i check ifconfig?
17:28 < fink> Bushmills: you mentioned $host, which i don't necessarily know
17:29 < Bushmills> you do know. it is passed to --up or --client-connect as variable
17:34 < fink> Bushmills: ok, thanks
17:34 < fink> Bushmills: but ping seems kind of fragile, with packet loss & latency
17:35 < krzee> sure you could also parse ifconfig
17:35 < Bushmills> if there's loss, there's a problem with the connection
17:35 < Bushmills> and that's exactly what you're testing
17:35 < krzee> jeff-16:~ jeff$ ifconfig tun0|grep inet|awk '{print $2}'
17:35 < krzee> 10.8.10.1
17:35 < fink> i'm often on a 3g connection, and my first five pings through the vpn often are dropped
17:36 < krzee> then ping -c6 ignoring output, then ping -c1
17:36 < Bushmills> ifconfig tun0 && echo up
17:36 < krzee> or come up with an idea of how you decide it is up
17:36 < krzee> if a ping doesnt do it for you, figure that out first... we cant use your connection and figure that out for you
17:37 < krzee> there is also tcping
17:37 -!- Squidy [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has joined #openvpn
17:37 < fink> krzee, Bushmills: thanks
17:37 < Bushmills> if you can't send a ping through vpn, you can as well assume that the connection is down
17:37 < fink> i see that my initial question was vague
17:38 < fink> Bushmills: well yes and no, the remote end may not accept icmp
17:38 < fink> basically, i want to know if the interface is up
17:38 < Bushmills> then the remote isn't rfc compliant
17:38 < reiffert> n8
17:40 < fink> thanks for your help guys; i think i'll parse ifconfig
17:40 < krzee> yup, ifconfig is what says if the interface is up
17:40 < krzee> remember it wont be portable beyond your specific ifconfig
17:40 < reiffert> that the interface is up doesnt mean that openvpn is connected to a remote host.
17:44 -!- Squidy [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has quit [Remote host closed the connection]
17:45 -!- Squidy [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has joined #openvpn
17:54 -!- corretico [~corretico@201.201.44.82] has quit [Remote host closed the connection]
17:56 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
18:01 -!- fink_ [~guest@184-210-67-146.pools.spcsdns.net] has joined #openvpn
18:03 -!- fink [~guest@99-206-179-66.pools.spcsdns.net] has quit [Ping timeout: 255 seconds]
18:04 -!- fink_ is now known as fink
18:18 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
18:25 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- *I* use it, so it must be good!]
18:29 -!- SerpentX [~SerpentX@KTNRON06-1176259399.sdsl.bell.ca] has joined #openvpn
18:29 < SerpentX> hi
18:29 < SerpentX> quick question
18:29 < SerpentX> so it looks like there is a script in /etc/init.d
18:29 < SerpentX> called openvpn
18:30 < SerpentX> it looks like this script has start..stop, etc
18:30 < SerpentX> but ibut it doesn't seem to be working
18:30 < SerpentX> where is the default .conf file suppose to be located?
18:30 < SerpentX> docs say /etc/openvpn/server.conf
18:30 < SerpentX> which is where i have it
18:31 < SerpentX> but it doesn't seem to be loading
18:31 < SerpentX> now the config does work
18:31 < SerpentX> if i type openvpn server.conf
18:31 < SerpentX> in the /etc/openvpn folder it works
18:32 < SerpentX> openvpn version 2.1.1
18:46 < c|oneman> !def1
18:46 <@vpnHelper> c|oneman: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
18:48 < c|oneman> krzee
18:48 < |Mike|> probably not here.
18:50 < c|oneman> im having issues with the 'win nat' part
18:50 < c|oneman> I think>
18:50 < c|oneman> !winnat
18:50 <@vpnHelper> c|oneman: "winnat" is (#1) http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows, or (#2) http://www.nanodocumet.com/?p=14 for windows XP
18:51 < c|oneman> i followed that, it went through no errors, but how do I know if its working
18:51 < c|oneman> #2
18:51 < SerpentX> SOLVED my idduq
18:52 < SerpentX> idduq means issue
18:52 -!- SerpentX [~SerpentX@KTNRON06-1176259399.sdsl.bell.ca] has quit [Quit: Leaving]
18:56 < c|oneman> has anyone ever done winnat
18:58 -!- fink [~guest@184-210-67-146.pools.spcsdns.net] has quit [Ping timeout: 272 seconds]
18:59 -!- corretico [~corretico@201.201.44.82] has quit [Remote host closed the connection]
19:00 < c|oneman> !nat
19:00 <@vpnHelper> c|oneman: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
19:09 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
19:09 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
19:10 -!- fink [~guest@184-196-19-101.pools.spcsdns.net] has joined #openvpn
19:24 -!- fink [~guest@184-196-19-101.pools.spcsdns.net] has quit [Ping timeout: 240 seconds]
19:25 -!- fink [~guest@70-14-155-40.pools.spcsdns.net] has joined #openvpn
19:26 < krzee> !windows
19:27 <@vpnHelper> krzee: "windows" is (#1) pcs are like air conditioners, they work fine unless you open windows, or (#2) http://secure-computing.net/files/windows.jpg, or (#3) also, http://secure-computing.net/files/windows_2.jpg
19:27 < krzee> c|oneman, sorry i cant help with windows specific stuff
19:27 < c|oneman> krzee: I fixed it
19:27 < c|oneman> suprisingly
19:29 < krzee> feel free to write about it on our wiki
19:30 < krzee> if you dont, it is unlikely to be done... since most of us use unix
19:30 < krzee> !wiki
19:30 <@vpnHelper> krzee: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
19:30 < krzee> of course you dont have to... but i think people would gain from it
19:32 < c|oneman> krzee: I'll leave out the details about how the whole point of this for me was to abuse Cellular Data
19:32 -!- bitterman [~yury@84.51.198.114] has quit [Read error: Connection reset by peer]
19:32 < ecrist> sounds like a solid use-case to me.
19:32 < c|oneman> 10$ unlimited 3G ftw
19:32 -!- bitterman [~yury@84.51.198.114] has joined #openvpn
19:37 < fink> c|oneman: where/how?
19:38 < c|oneman> some carriers have a "value" cellular data plan that works only via proxy
19:38 < c|oneman> for example, t-mobile t-zones
19:39 < c|oneman> if you can tcp/ip via the proxy
19:39 < c|oneman> you've got 100% cellular data
19:39 < c|oneman> I dont have t-mobile
19:39 < c|oneman> but
19:39 < c|oneman> its the same concept
19:40 < c|oneman> http://wiki.howardforums.com/index.php/T-Mobile_Data#SSH_Tunneling
19:40 < c|oneman> IN my case, I had to use another port, for another carrier, which is not a US-Carrier
19:40 < krzee> ya i see no reason to leave that out
19:40 < c|oneman> I wont reveal too much, b/c I promised
19:41 < krzee> that is a very common reason to setup your style setup
19:41 < c|oneman> lol
19:41 < krzee> its something i would do if i had an unlimited data plan
19:41 < c|oneman> but then they'll block the loophole
19:41 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Read error: Operation timed out]
19:41 < c|oneman> krzee: Except that this is supposed to be "on device browsing" only
19:42 < c|oneman> im using a rocketstick, AND im unlocking all the ports
19:42 < c|oneman> im gonna do it prepaid so they cant legally come after me
19:42 < c|oneman> or just pull funds from my CC
19:43 < c|oneman> I should fly under the radar if I stay under 2gb
19:44 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
19:45 < c|oneman> I started raging yesterday when I was told they cancelled the 20$ ipad plan. That would have to pay 40$/mo for 1gb
19:45 < fink> c|oneman: cool
19:45 < c|oneman> Anyway, thats my rant. I'm done. I'll add to the wiki later.
19:49 -!- MariaKeys [~MariaKeys@92.98.143.193] has joined #openvpn
19:50 < MariaKeys> any idea how to tie openvpn ends?
19:50 < krzee> in a knot?
19:50 < MariaKeys> for example: user connects to openvpn server 1 (tun0 10.10.10.0/24)
19:51 < MariaKeys> on server 1, there is an openvpn tunnel to server 2 (tun1 10.20.20.0/24)
19:52 < MariaKeys> how to make forward connection from tun0 to tun1 on the same machine?
19:55 < MariaKeys> is --bind command option and 'local' config entry the same?
20:17 < ecrist> ip_forward = 1 
20:17 < ecrist> push "route 10.20.20.0 255.255.255.0" on openvpn server 1 config
20:17 < ecrist> pretty simple.
20:17 < ecrist> !route
20:17 <@vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:17  * ecrist poofs
20:26 < MariaKeys> ecrist: gracias
20:27 < MariaKeys> will test it out now.
20:34 -!- FastPutty [~fastputty@dsl-173-248-212-118.acanac.net] has quit []
20:40 -!- darth_bitterman [~yury@84.51.198.114] has joined #openvpn
20:42 < MariaKeys> ecrist: sorry, didnt work out.
20:44 -!- bitterman [~yury@84.51.198.114] has quit [Ping timeout: 272 seconds]
20:45 -!- luneff [~yury@84.51.198.114] has joined #openvpn
20:45 -!- Squidy [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has quit [Ping timeout: 252 seconds]
20:47 -!- darth_bitterman [~yury@84.51.198.114] has quit [Ping timeout: 240 seconds]
20:54 -!- bitterman [~yury@84.51.198.114] has joined #openvpn
20:58 -!- luneff [~yury@84.51.198.114] has quit [Ping timeout: 276 seconds]
21:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
21:14 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
21:48 -!- MariaKeys [~MariaKeys@92.98.143.193] has quit []
22:11 -!- fink_ [~guest@174-150-207-148.pools.spcsdns.net] has joined #openvpn
22:13 -!- fink [~guest@70-14-155-40.pools.spcsdns.net] has quit [Ping timeout: 265 seconds]
22:13 -!- fink_ is now known as fink
22:18 -!- fink [~guest@174-150-207-148.pools.spcsdns.net] has quit [Quit: fink]
22:47 -!- fink [~guest@166.137.9.9] has joined #openvpn
22:48 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
22:53 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
23:07 -!- bitterman [~yury@84.51.198.114] has quit [Read error: Connection reset by peer]
23:08 -!- bitterman [~yury@84.51.198.114] has joined #openvpn
23:12 -!- fink [~guest@166.137.9.9] has quit [Quit: fink]
23:21 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
23:47 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
23:47 -!- Kurogane [~kuro@190.87.80.64] has quit [Remote host closed the connection]
23:50 -!- UnterPerro [~UnterPerr@32.165.37.231] has joined #openvpn
--- Day changed Mon Nov 22 2010
00:07 -!- darth_bitterman [~yury@84.51.198.114] has joined #openvpn
00:10 -!- bitterman [~yury@84.51.198.114] has quit [Ping timeout: 245 seconds]
00:14 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has quit [Quit: Leaving]
00:16 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined #openvpn
00:16 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 245 seconds]
00:28 -!- UnterPerro [~UnterPerr@32.165.37.231] has quit [Quit: UnterPerro lives to save another day]
00:58 -!- dogarrhea1 [alex@199.48.243.221] has quit [Ping timeout: 245 seconds]
01:06 -!- dazo_afk is now known as dazo
01:15 -!- s7r [~s7r@89.39.174.74] has joined #openvpn
01:33 -!- bba [~bba@93.1.40.113] has quit [Ping timeout: 276 seconds]
02:25 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
02:28 -!- c|oneman [c_oneman@i209-195-69-75.cia.com] has quit []
02:33 -!- Klem [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has joined #openvpn
02:33 < Klem> yo
02:33 < Klem> I've some trouble with openvp client/server
02:33 -!- venomen [~venomen@p579974DB.dip.t-dialin.net] has joined #openvpn
02:33 < venomen> Hy all
02:34 < Klem> Configuration sounds fine
02:34 < venomen> !welcome
02:34 <@vpnHelper> venomen: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
02:34 < Bushmills> Klem: then it's not an openvpn problem
02:34 < venomen> !sample
02:34 <@vpnHelper> venomen: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
02:34 < Klem> mmh
02:34 < Klem> I think it is
02:34 < Bushmills> config is fine? a bug, you mean?
02:34 < krzie> klem, not if the configuration is fine
02:35 < krzie> moinmoin bush
02:35 < Klem> my client is connected to the serveur, but the client can"t go on the net with the good public IP
02:35 < Bushmills> hi krzie
02:35 < Klem> haha
02:35 < Klem> true :p
02:35 < krzie> klem,
02:35 < krzie> !redirect
02:35 < Bushmills> Klem: what have you configured to that end?
02:35 <@vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
02:35 < Klem> ho
02:35 < Klem> redirect
02:35 < hyper_ch> !
02:35 < Bushmills> (you didn't assume the server would give you access to what is behind just by itself, did you?)
02:35 < hyper_ch> !ipforward
02:35 < Klem> ty !
02:35 <@vpnHelper> hyper_ch: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
02:35 < krzie> yw
02:35 < hyper_ch> !ip4_forward
02:35 <@vpnHelper> hyper_ch: Error: "ip4_forward" is not a valid command.
02:35 < venomen> Hey guys, does anyone of you have a good site-to-site howto (maybe windows compatible)?
02:36 < Klem> Bushmills, client is connected to the server
02:36 < Bushmills> not enough
02:36 < Klem> it's just a public IP problem
02:36 < krzie> venomen, the manual does under EXAMPLES
02:36 < krzie> !man
02:36 <@vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
02:36 < venomen> !examples
02:36 <@vpnHelper> venomen: Error: "examples" is not a valid command.
02:36 < Bushmills> as said, it's not an openvpn problem :D
02:36 < Klem> k
02:36 < krzie> waitwait
02:37 < Bushmills> !redirect
02:37 <@vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
02:37 < venomen> !howto
02:37 < krzie> venomen, site-to-site you mean lans?
02:37 <@vpnHelper> venomen: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:37 < krzie> or peer-to-peer
02:37 < venomen> Lemme explain
02:38 < krzie> !route
02:38 <@vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:38 <@vpnHelper> RSS Update - forum: Wishlist :: Root Permission Restart :: Author shmoopie <https://forums.openvpn.net/viewtopic.php?f=10&t=7309&p=8522#p8522>
02:40 < venomen> my colleague set up a pfsense FW device which I need now connected to our datacenter, but this device is only able to make a openvpn connection which I dont have a clue of ;) So I need to get a ovpn server up which only accepts one connection from this device but I cant find any howtos for this. I only find howtos with client access etc.
02:40 < venomen> I already set up the cert/rand/keys etc. with the howtos but Im stuck with the config
02:41 -!- Intel`` [~clarencec@94.200.7.26] has joined #openvpn
02:41 < venomen> (I set the server up on a windows machine) thats the next problem...
02:41 < krzie> ok point to point
02:41 < venomen> ah this what its called ;)
02:41 < krzie> if you look in the manual, there is a section called EXAMPLES
02:41 < krzie> !man
02:41 <@vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
02:41 < krzie> #2
02:42 < Intel``> guys need help. im using openvpn client via windows. what i wanted to do is to openvpn to allow one specific application only to connect to vpn. then other traffics, (browser, messenger, mikogo) will route to the original connection
02:42 < krzie> or this
02:42 < krzie> http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
02:42 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
02:42 < krzie> point to point uses static key
02:43 < Intel``> krzie: is that fore me?
02:43 < Bushmills> Intel``: as address to connect to, with that one app, use the openvpn subnet addess
02:43 < krzie> no, that is for venomen 
02:43 < Bushmills> for the others, use non-vpn addresses
02:43 < krzie> Intel``, 
02:43 < Intel``> Bushmills: example i wanted to only use x-lite sip client
02:43 -!- darth_bitterman [~yury@84.51.198.114] has quit [Quit: Leaving]
02:43 < Intel``> to connect to vpn.
02:43 <@vpnHelper> RSS Update - forum: Wishlist :: Re: Root Permission Restart :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=10&t=7309&p=8523#p8523>
02:43 < krzie> the server needs to listen on VPN ip
02:44 < krzie> then you connect to that
02:44 < Intel``> others will use the original way
02:44 < krzie> thats fine, it should also listen on inet interface
02:44 < krzie> the app could already be listening on vpn ip, check netstat -l
02:44 < Bushmills> Intel``: look in client configuration, where you specify the destination ip address
02:45 < venomen> I dont get this example
02:45 < venomen> anyone here to pay to put this up? :D
02:46 < krzie> sure
02:46 < venomen> or isnt there a configuration wizzard or a guy this this thingy?
02:46 < krzie> !donate
02:46 <@vpnHelper> krzie: "donate" is (#1) send monetary donations to openvpn@secure-computing.net via paypal. All money donated goes to staff toward development of the community wiki, forum, and this IRC channel., or (#2) Contributions to this address do *NOT* directly benefit OpenVPN Technologies, Inc., or (#3) http://www.secure-computing.net/wiki/index.php/OpenVPN/Donations for Contribution totals and benefactors
02:46 < krzie> heh
02:47 < krzie> assuming some sort of *nix
02:47 < Bushmills> (09:41:12) venomen: (I set the server up on a windows machine) thats the next problem...
02:47 < venomen> :)
02:48 < krzie> ahh missed that line
02:48 < krzie> heh
02:48 < krzie> wait its still just a ptp config
02:48 < venomen> on unix I may had the thing already up but I cant find any point-to-point howto (step by step, Im a dummy) for windows
02:48 < krzie> install openvpn, but the config/secret key in place, done
02:49 < Bushmills> there is a tap driver limitation with windows
02:49 < venomen> pitty its not done with that :)
02:49 < Bushmills> local and p-t-p addresses must be in the same /30 net
02:49 < krzie> venomen, you just put the config options into openvpn/config
02:50 < krzie> in any filename with .ovpn
02:50 < venomen> w8, Im missing some config steps in the manual I know:
02:50 < krzie> http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
02:50 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
02:50 < venomen> I have the keys and the cert already
02:50 < krzie> you said you want point to point
02:50 < venomen> yep
02:51 < krzie> you dont need certs
02:51 < venomen> oh okay
02:51 < venomen> damnit I spent many time with generating these ;D
02:51 < krzie> read the link i gave you 2x
02:51 < venomen> kk
02:51 < krzie> certs are for client/server
02:53 < venomen> this howto  I like better its shorter but:
02:53 < venomen> where to declare (for example) what IP the dialing in server gets?!
02:54 < krzie> there is no server
02:54 < krzie> each side gives itself an ip, and the other side one
02:54 < krzie> you'll notice their ifconfigs are the same but reversed
02:55 < krzie> much like youd do for a LAN crossover
02:55 < venomen> but I need the dialing in site to get a local IP on the endpoint
02:55 < krzie> why
02:55 < Bushmills> !wins
02:55 <@vpnHelper> Bushmills: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
02:55 < Bushmills> just anticipating ...
02:55 < krzie> could be ;]
02:56 < krzie> that or a route entry
02:56 < venomen> I just saw the route entry
02:56 < venomen> maybe thats what I mean
02:56 < krzie> what is your goal!?
02:56 < venomen> okay let me explain *g*
02:57 < krzie> services in the lan you would like to reach...? but which kind
02:58 < venomen> on the site 1 there are bureau clients (10.10.4.0) which need to communicate with the other servers in the datacenter (192.168.100.0) in the bureau there is a openvpn "client" which wants to connect with the datacenter, and I want to set up this server in the datacenter
02:58 < Bushmills> !route
02:58 -!- dazo is now known as dazo_afk
02:58 <@vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:58 < krzie> actually thats overkill
02:58 < venomen> so the server in the bureau needs to connect to another server in the datacenter via openvpn
02:59 < venomen> I dont have a choice...
02:59 < krzie> the dc needs this
02:59 < venomen> yerp
02:59 < krzie> route 10.10.4.0 255.255.255.0
02:59 < venomen> and the DC is in the datacenter... thats why I need this communication ;)
02:59 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 255 seconds]
02:59 < krzie> the other side needs something too
02:59 < krzie> !route_outside_ovpn
02:59 <@vpnHelper> krzie: "route_outside_ovpn" is "route_outside_openvpn" is (#1) http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) you do not need this if the vpn node IS the gateway for its lan
03:00 < venomen> dont explain that to me ;) the chief of this company doesnt want any server in his bureau anymore so the DC got kicked out in the datacenter...
03:00 < Bushmills> venomen: how come that you can connect to IRC server, without being in the same subnet?
03:01 -!- dazo_afk is now known as dazo
03:01 < venomen> got a router ;)
03:01 < Bushmills> why would one server, to talk to another, have to be in the same subnet?
03:02 < venomen> because it cant contact the one beeing in another subnet?
03:03 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Remote host closed the connection]
03:03 < Bushmills> the machine with openvpn client or server can act as a router
03:03 < venomen> the graph shows it but also the dialing in client got a IP...
03:03 < venomen> yeeees but how can I set it up on windows?
03:03 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
03:03 -!- datalay [~datalay@217.131.39.154] has joined #openvpn
03:04 < venomen> or does the openvpn server route itself by adding this one line in the cfg?
03:04 < datalay> cant start openvpn, can you look at errors please, http://pastebin.com/beXAVkse  thanks
03:04 < Bushmills> by ... delegating the job to a qualfied professional?
03:05 < krzie> venomen, there is no server, the route command in openvpn adds a route to your kernels routing table
03:05 < venomen> okay, thats what I wanted to know
03:05 < krzie> but those machines need a route back
03:05 < venomen> so no need to setup a RRAS server or anything
03:05 < krzie> [05:01]  <krzie> you saying you cant access that router?
03:05 < krzie> [05:02]  <krzie> the machines in the LAN need a route to the vpn subnet
03:05 < krzie> [05:02]  <krzie> you can add it to them all, or just 1 time in their gateway
03:06 < krzie> im not sure if that sent, i got d/c
03:06 < venomen> not sent but now ;)
03:06 < venomen> So I think I can try it now I made the wrong howto...
03:07 < krzie> you can access the router at the bureau?
03:08 < venomen> nah its under control of another employee :(
03:09 -!- ajohnstone [~andrew@host217-40-217-41.in-addr.btopenworld.com] has joined #openvpn
03:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
03:11 < ajohnstone> Trying to setup a vpn connection to a client. However getting,  "031 "client" #18: max number of retransmissions (2) reached  STATE_QUICK_I1.  No acceptable response to our first Quick Mode message:  perhaps peer likes no proposal" and "000 "durrants" #18: starting keying attempt 2 of an unlimited number, but releasing whack".
03:11 < ajohnstone> How can I identify what I might be doing wrong?
03:13 < datalay> # sudo openvpn --script-security 2 system /etc/openvpn/server.conf
03:13 < datalay> Options error: You must define TUN/TAP device (--dev)
03:13 < datalay> how?
03:14 < krzie> datalay, 
03:14 < krzie> !configs
03:14 <@vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
03:14 < krzie> venomen, you could NAT
03:14 < krzie> !winnat
03:14 <@vpnHelper> krzie: "winnat" is (#1) http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows, or (#2) http://www.nanodocumet.com/?p=14 for windows XP
03:15 < datalay> config file: http://pastebin.com/zZ5LzPVD
03:15 < venomen> nah
03:15 < datalay> it s server krzie 
03:16 < venomen> I cant setup a RRAS Server for security issues on this server 
03:16 < datalay> http://pastebin.com/KjHvXmM3  without comments
03:18 < datalay> ifconfig and others settings: http://pastebin.com/beXAVkse
03:20 < venomen> I think I have that mini config now but cant test it yet... the employee which should start a test is not at work yet hehe
03:21 -!- superbofh [~xumpi@cl-229.lis-01.pt.sixxs.net] has quit [Quit: Leaving]
03:23 < datalay> krzie, do you have any idea?
03:24 < datalay> im trying to configure a server behind the firewall, port 1723 opened and forwared to my server's local ip address
03:24 < krzie> datalay, do you already have a device named tap0?
03:24 < datalay> no dont have
03:24 < datalay> i have br0
03:24 < venomen> sorry one more question: What IPs to use in the line "ifconfig 10.8.0.1 10.8.0.2" should this be the external IPs of the Server/Client?
03:25 < krzie> br0 is tap and an ethernet device in a bridge... right?
03:25 < datalay> i run instructions here: https://help.ubuntu.com/community/OpenVPN
03:25 <@vpnHelper> Title: OpenVPN - Community Ubuntu Documentation (at help.ubuntu.com)
03:25 < krzie> venomen, use those exact ips
03:25 < datalay> that ip addresses are local
03:25 < krzie> correct
03:26 < krzie> the vpn uses a 1918 subnet
03:26 < venomen> local ips? 
03:26 < krzie> !vpn
03:26 <@vpnHelper> krzie: "vpn" is http://openvpn.net/index.php/open-source/faq/75-general/293-what-is-the-principle-behind-openvpn-tunnels.html for a basic rundown of what a vpn is
03:26 < venomen> so the local IP of the server and the "local IP" that the site gets from the server when it connects?
03:26 < datalay> yes krzie  br0 is tap and an ethernet device in a bridge
03:26 -!- cairnz [mats@217-14-7-98-dhcp-osl.bbse.no] has quit [Ping timeout: 240 seconds]
03:26 < krzie> datalay, and that tap is named tap0 ?
03:27 < datalay> it should be br0
03:27 < krzie> dev tap0 ## If you need multiple tap devices, add them here
03:27 < datalay> i dont need
03:27 < krzie> huh?
03:27 < datalay> i should add # before that
03:27 < datalay> :P
03:27 < datalay> trying
03:27 < krzie> no
03:27 < krzie> you do need dev
03:27 < datalay> dev br0
03:27 < krzie> but should prolly use dev tap
03:27 < datalay> ?
03:28 < krzie> no, not dev br0, br0 isnt a virtual device used by openvpn
03:28 < datalay> i have two devices br0 and eth0 ... they are bridged
03:28 < krzie> br0 is the bridge between that virtual device and another real interface
03:29 < datalay> and why is tap0 not working ?
03:29 < krzie> but by specifying dev tap0 instead of dev tap, you are telling it you already have the tap device made
03:29 < datalay> iam changing tap0 to tap
03:29 < datalay> and trying again
03:30 < datalay> not worked again
03:30 < datalay> root@aokan-ubuntu:/etc/openvpn# sudo openvpn --script-security 3 system /etc/openvpn/server.conf
03:30 < datalay> Options error: You must define TUN/TAP device (--dev)
03:30 < datalay> sudo openvpn --script-security 3 system --dev tap0  /etc/openvpn/server.conf it worked ;)
03:30 < venomen> krzie: on that ifconfig line you said I should enter the local IPs (The one of the server already has on its LAN device and I think the IP the "client" should get when it connects) right?
03:31 < venomen> or am I wrong here?
03:31 < krzie> venomen, i was clear
03:31 < krzie> use the exact ips from the guide
03:31 < krzie> 10.8.0.1
03:31 < krzie> and .2
03:32 < venomen> okay
03:32 < datalay> ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
03:33 < venomen> okay the server should be ready now
03:33 < venomen> I hope it listens on the correct NIC ;)
03:33 < krzie> datalay, not if you used the config you pastebin'ed
03:34 < datalay> iam using that config file krzie 
03:34 < venomen> ill try to connect with my notebook here to the server, when Im able to ping a 192.168.100.x address, all is fine ;)
03:35 < krzie> bbl
03:35 < venomen> kk
03:40 < venomen> lol, where is this client hidden? http://openvpn.net/index.php/openvpn-client/howto-openvpn-client/397-how-to-connect-to-a-vpn-server-with-the-openvpn-client.html
03:40 <@vpnHelper> Title: How to connect to a VPN Server with the OpenVPN Client (at openvpn.net)
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
03:41 < krzie> that is for access-server
03:41 < krzie> !AS
03:41 <@vpnHelper> krzie: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations options
03:41 <@vpnHelper> krzie: supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
03:41 < krzie> we dont support that here
03:42 < venomen> ôh man
03:43 < venomen> so i need to do a config file for the client too, right?
03:43 < Bushmills> not necessarily
03:43 < Bushmills> you can pass options on command line as well
03:44 < venomen> ah that would be fine
03:45 -!- le0 [~fin@87.112.250.227] has joined #openvpn
03:45 -!- le0 [~fin@87.112.250.227] has quit [Changing host]
03:45 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
03:46 < venomen> can you say me how I have to launch the openvpn.exe to pass that options by command line?
03:46 < krzie> !--
03:46 <@vpnHelper> krzie: "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file.
03:47 < venomen> or I may understood wrong, it does not ask for I think
03:47 < venomen> hm okay doenst help, need a config file
03:47 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Routing Questions :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7306&p=8524#p8524> || Server Administration :: Re: Measuring per user bandwidth :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7308&p=8525#p8525> || Configuration :: Re: Mac address instead of virtual addres in status log.. :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7307&p
03:47 -!- master_of_master [~master_of@p57B533CB.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
03:47 < krzie> heh
03:47 < krzie> every single line in your config file can be made to start with -- and go in CLI
03:47 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
03:47 < venomen> yah
03:48 < krzie> it is your option which you use
03:48 < venomen> but I even dont know what to parameters to pass
03:48 < krzie> exact same ones as your config
03:48 < venomen> I think I need the IP of the server and the key
03:48 < venomen> what else?
03:48 < Bushmills> ah, right. windows.  asking everytime.   "do you really want to log out" "yes, dammit".  "are your sure" "*swear".  "really?" "#!§&§$%""
03:48 -!- master_of_master [~master_of@p57B54791.dip.t-dialin.net] has joined #openvpn
03:48 < venomen> sure
03:49 < Bushmills> wellcome to the world of shiny guis
03:49 < venomen> why cant I launch a openvpn.exe where a gui pop ups askink me for the server ip and the key file and all is done...
03:49  * krzie pets his mbp
03:49 < krzie> MacBookPro6,1 CPU: Intel Core i7 M 620 2.67GHz @ 2.66GHz [/FPU/MMX/SSE/SSE2/SSE3/S.SSE3/SSE4.1/SSE4.2/x86_64/PAE/XD/EM64T/VMX/EST] L2: 512K FSB: 4800MHz Airport:  (802.11 a/b/g/n)  RAM: 2.3GB/8.0GB Vram: 26.86M/256.00M Disk: 363.86GB/465.44GB GPU: Intel HD Graphics [288 MB/Stock] 1920x1200 OS: Mac OS X 10.6.5 (10H574) Kernel: Darwin 10.5.0 Up: 6 days  3:46
03:49 < Bushmills> venomen: because most users are more intelligent than needing that
03:50 < krzie> venomen, you want access-server
03:50 < venomen> nooo :D
03:50 < krzie> their support is #4 at !AS
03:50 < krzie> yes, that what access-server is
03:50 < venomen> sure but I dont need that
03:50 < krzie> its what you said you want
03:50 < venomen> I only want to test the ptp server with my client and dont know how ;)
03:50 < Bushmills> wanting != needing
03:50 < krzie> then read
03:51 < venomen> you know, I cant access that firewall which should connect to the server but I want to test it b4 ;)
03:51 < venomen> why is that so complicated ;D
03:51 < Bushmills> shit happens
03:51 < krzie> thats great
03:51 < krzie> go test!
03:51 < krzie> if you cant yet, you need to read more
03:52 < krzie> but actually read, dont just type commands
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:52 < venomen> thats too complicated for me...
03:52 < venomen> ;)
03:52 < venomen> honestly...
03:52 < krzie> then go pay someone
03:52 < venomen> but who =)
03:53 < krzie> you wanna pay someone to test a vpn with their own 2 machines and give you the configs?
03:53 < Bushmills> windows?
03:53  * Bushmills hides
03:53 < venomen> no
03:53 < krzie> since you dont have access to the windows machine yet anyways...
03:54 < krzie> right now you say you want to test
03:54 < venomen> I want someone to pay to set up the whole connection between the two machines ;)
03:54 < krzie> but you dont have access to 1
03:54 < venomen> http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html explained me how to set up the server but what explains me how to connect to this server =)
03:54 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
03:54 < Bushmills> what do you call "connect"?
03:54 < krzie> there are 2 configs there!
03:55 < Bushmills> connect vpn, or talk to services?
03:55 < krzie> remote myremote.mydomain
03:55 < venomen> you are right
03:55 < venomen> damnit
03:55 < venomen> im too tired... sorry
03:55 < krzie> READ IT
03:55 < krzie> dont skim it looking for stuff to copy paste
03:55 < krzie> =]
03:56 < venomen> but that would be easier ;)
03:56 < Bushmills> leading to a whole bunch of vpn "admins" who don't know what they have configured
03:57 < Bushmills> vpns are security sensitive and critical services
03:57 < venomen> sure I dont want to know... I only want this connection, I have a lot of work to do ;)
03:57 < venomen> I dont care about security, the customer dont cares about and I dont get paid for that so...
03:58 < venomen> the firewall is maintained by someone else ;)
03:58 < Bushmills> there are solutions which work out of the box
03:58 < Bushmills> hamachi is one of those
03:58 < venomen> yeah but I dont have a choice...
03:58 < Bushmills> then better read
03:58 < venomen> the firewall in the bureau ONLY supports this openvpn
03:58 < venomen> nothing elser
03:58 < venomen> and
03:59 < venomen> when I want to connect with that one then, it wants to know many many more options than I know
03:59 < venomen> stage1 encrpytion, stage 2 etc...
03:59 < Bushmills> the admin can pass on configs, ready for use
03:59 < venomen> I never configured that types anywhere so how to find out... thats what I mean ;)
04:00 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
04:01 < kraut> moin
04:01 < krzie> moin
04:01 < venomen> hy
04:02 < venomen> krzie: are you german?
04:02 < hyper_ch> he's not
04:02 < venomen> pitty, that would have made it pretty easier to explain what I need to do ;)
04:06 < venomen> hm connection seems to be up now
04:08 < venomen> nah its not ;)
04:08 < venomen> that cant work with that you said me: in the ifconfig line are local ips... wtf should the server know on what IP to listen on and how should the client know where to connect?
04:09 < Bushmills> ifconfig lines from config are only relevant *after* client contacted server
04:09 < Bushmills> in client config, server ip address is given behind "remote"
04:10 < venomen> ah okay
04:10 < venomen> but in the manual is missing something that I may need to know
04:10 < Bushmills> and then only does client obtain an ip address for the new vpn interface
04:10 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 250 seconds]
04:10 < venomen> where to enter the servers IP that should be dialed?
04:11 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Quit: Left the building]
04:11 < Bushmills> openvpn has no concept of "dialing"
04:11 < venomen> I understand
04:11 < venomen> okay okay call it how you want =)
04:11 < venomen> but I need a IP to contact
04:11 < venomen> :D
04:11  * Bushmills calls it "steak grilling"
04:11 < venomen> :)
04:12 < venomen> so in the sample client config are 4 lines
04:12 < venomen> none of these declare the servers IP address, right?
04:12 < venomen> only when its already connected
04:12 < Bushmills> "declare" as in ...?
04:12 < venomen> but wheres the line "Server IP which I should try to contact"? =)
04:12 < Bushmills> didn't i just tell you?
04:13 < venomen> look
04:13 < venomen> the server is not standing next to my on my desk ;)
04:13 < Bushmills> neither does mine
04:13 < venomen> where is the external IP of the server written in this client config example?
04:14 < Bushmills> didn't i just tell you?
04:14 < venomen> nope?
04:14 < Bushmills> (11:09:51) Bushmills: in client config, server ip address is given behind "remote"
04:14 < Bushmills> yes, i did
04:14 < venomen> aaaaaaah
04:14 < venomen> lol
04:14 < venomen> okay now I got it ;)
04:14  * Bushmills cheers
04:15 < venomen> ;)
04:16 < venomen> ok, there seems to be a link now
04:16 < venomen> i think
04:16 < Bushmills> therefore you are
04:17 -!- noisebleed [~quassel@lula.inescn.pt] has joined #openvpn
04:17 -!- noisebleed [~quassel@lula.inescn.pt] has quit [Changing host]
04:17 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
04:17 < venomen> hmmm
04:18 < Bushmills> a descartes classic
04:18 < Bushmills> now that you have proven your existence, do so for the openvpn link
04:18 < hyper_ch> and if you don't think, then you are not?
04:19 < Bushmills> hint: "openvpn thinks..." won't work
04:19 < venomen> hm
04:19 < venomen> hmmmmm.... ;)
04:19 < venomen> there seems to be a link but I even cant tell... that openvpn is really missing some status messages...
04:20 < Bushmills> hyper_ch: could depend on whether you actually don't think, or just think that you don't
04:20 -!- le0 [~fin@87.112.250.227] has joined #openvpn
04:20 -!- le0 [~fin@87.112.250.227] has quit [Changing host]
04:20 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
04:20 < hyper_ch> well, a lot of peoples obviously don't think yet they still are
04:20 < Bushmills> venomen: no, it doesn't. there are logs, status files
04:21 < venomen> I have a DOS window which doensnt write anything even when I stop the VPN Service on the remote server :/
04:21 < venomen> shouldt there also be info when the connection breaks?
04:21 < Bushmills> openvpn for DOS?
04:22 < venomen> nah it looks like a command prompt, you know what I mean...
04:22 < Bushmills> maybe that's the openvpn CP/M port
04:22 < venomen> not one file on the log dir also
04:23 < venomen> man that sucks...
04:23 < Bushmills> blame the admin, who may have  neglected to instruct openvpn to write to log file
04:23 < Bushmills> you may blame him in your very own words :)
04:24 < venomen> so I would say: venomen you dumbass, you forgot to declare one more line for a log dir...
04:25 < Bushmills> while calling you "dumbass", you could also do so for the "status" line
04:25 < venomen> I did
04:25 < venomen> (now)
04:26 < venomen> doenst bring me forward ;D
04:26 < venomen> some statistic info in there
04:26 < venomen> rx tx bytes etc
04:26 < venomen> the server on the other side is down so why doesnt it say something that it could not contact it lol
04:27 < Bushmills> logs will tell
04:27 < venomen> ah wait
04:27 < venomen> I put the wrong command I think
04:27 < Bushmills> purpose of status is not to report on connect failures, but give status on connected clients
04:27 < Bushmills> none connected -> no status
04:28 -!- datalay [~datalay@217.131.39.154] has quit [Remote host closed the connection]
04:28 < Bushmills> not "here is presented to you information which shouldn't be here in this file at all"
04:28 < venomen> http://pastebin.com/cBvQ39YJ
04:28 < venomen> thats all it says...
04:29 < venomen> so its not connected BUT it doesnt either say "error, could not contact your stupid server" or something like that...
04:30 < venomen> at what state it is now?
04:30 < venomen> does it try something or is it already finished?
04:30 < Bushmills> trying to connect ..
04:31 < venomen> this already is there for over 30 minutes
04:31 < venomen> nothing changes
04:31 < Bushmills> once it connected, you will see more info, regarding the established connection, in there
04:31 < venomen> hm
04:31 < venomen> do I have to set a timeout to reconnect tooß
04:31 < venomen> ?
04:32 < Bushmills> you don't have to.  but you may have to read up about the options which you can use in the config
04:33 < venomen> you sure know how many there are... :)
04:33 < Bushmills> no, i don't
04:33 < Bushmills> i know that there are many, not not exactly how many
04:34 < Bushmills> to lazy to actually count them
04:34 < Bushmills> too
04:34 < venomen> :)
04:34 < Bushmills> but rejoice - programs with many config options  tend to be flexible, and thereby powerful programs.
04:36 < Bushmills> knowing those puts you ahead of the "why doesn't this just ask for the address of the remote server" rubble :D
04:36 < Bushmills> or the "where is the setup dialog" crowd
04:37 -!- renihs [~lemming@83-65-34-34.arsenal.xdsl-line.inode.at] has joined #openvpn
04:37 < venomen> hm
04:37 < venomen> powerful but extremly complicated...
04:37 < renihs> hmm i want to assign a specific ip-address to a specific user, according to docu its done with: client-config-dir ccd
04:37 < renihs> however, in that file, i dont understand the docu
04:38 < renihs> an example looks like: ifconfig-push 10.8.1.1 10.8.1.2
04:38 < renihs> whats the first/2nd adress here?
04:38 < Bushmills> "i want to set up a secure server, but i don't find the radio buttons for setting the security level"
04:38 < venomen> exactly
04:38 < venomen> why isnt there a wizard to put this thing up?
04:38 < venomen> would make this thing much easier
04:39 < Bushmills> because it makes admins feel like experts without having a decent grasp on implications of their settings
04:39 < renihs> is the first adress the client or the 2nd?
04:40 < venomen> how about: Mon Nov 22 11:38:53 2010 Initialization Sequence Completed
04:40 < venomen> ;)
04:40 < venomen> that looks good right?
04:40 < venomen> i can ping the servers ip (10.8.0.1)
04:41 < Bushmills> renihs: what part of the manual, explaining the purposes of those addresses, is the part you don't understand?
04:41 < renihs> Bushmills, the part which describes which adress is what
04:41 < renihs> the first is client? server endpoint?
04:41 < renihs> or vice versa?
04:41 < renihs> Each pair of ifconfig-push addresses represent the virtual client and server IP endpoints. They must be taken from successive /30 subnets in order to be compatible with Windows clients and the TAP-Win32 
04:41 < renihs> ...which pair is what
04:42 < venomen> forst is the server
04:42 < venomen> first
04:42 < renihs> k thx
04:42 < venomen> i know that from my config ;) you see, I learned ;)
04:43 < venomen> but the route on my config doenst work
04:43 < Bushmills> "local" or "netmask"?  or " Note that the parameters local and remote-netmask are from the perspective of  the  client,  not  the server."
04:43 < Bushmills> not quite sure how you read from the latter that those are "server addresses"
04:44 < venomen> look: My Site 1 has IP 10.8.0.2 and the Site 2 has 10.8.0.1 now everything is fine I can ping each other but the tunnel should be for another subnet like 192.168.100.0/24
04:45 < venomen> whats the config option to tell the "server" that it has to route its traffic to the other NICs network?
04:45 < Bushmills> there *is* a problem with the man page text though. it doesn't clearly say there that, instead of a netmask, a host address can be used, implying a 255.255.255.255 net mask
04:45 < renihs> Bushmills, that was directed at me?
04:45 < venomen> I thought route 192.168.100.0 255.255.255.0 is for that
04:46 < Bushmills> venomen: routers between your irc client and the irc server don't need to be in the same subnet as client or server, just to be able to pass on your traffic from one to the ohter
04:46 < Bushmills> other
04:47 < Bushmills> in the same way, openvpn subnet does not need to be the same subnet as server or client, only to pass traffic between them 
04:47 < Bushmills> you use route statements to tell your client and server where traffic from one to the other goes.
04:47  * Bushmills gone now
04:48 < venomen> so a route is missing on my client maybe
04:48 -!- luneff [~yury@84.51.195.188] has joined #openvpn
04:52 < venomen> hehe got it
04:52 < venomen> can ping the LANs NIC from the server now, but now the servers behind this host :/
05:02 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
05:20 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
05:23 -!- ajohnstone [~andrew@host217-40-217-41.in-addr.btopenworld.com] has left #openvpn ["Leaving."]
05:27 -!- koriel [~koriel@78-45-202.adsl.cyta.gr] has joined #openvpn
05:28 < koriel> hi there....i used to have a fedora workstation connected with a vpn server...with fedora I could connect to vpn and see all computers in the lan of my remote office...now I have ubuntu and I connect using the same configuration file and keys but I can only ping the remote vpn server....
05:30 < koriel> just to let you know there is no firewall in my ubuntu workstation.. 
05:42 < koriel> ok...i found that when connection is initiated the remote lan network (192.168.20.0/24) is routed throught 10.8.0.5 which does not exists...my tun0 on client is 10.8.0.6 and in the remote server is 10.8.0.1 ... so why is this rule created to route my remote lan through 10.8.0.6...?where can I change that?
05:54 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
05:54 -!- mode/#openvpn [+o dazo] by ChanServ
05:56 < koriel> here are the last lines of my connection initiation.. http://pastebin.com/f6KSRqSF
05:56 < koriel> I can't understand where the 10.8.0.5 comes from... 
05:57 < |Mike|> that's your gateway
05:58 < koriel> but there is no interface with that ip address...
05:58 <@vpnHelper> RSS Update - forum: Server Administration :: Re: swapping a vpn from one routing to another :: Reply by dexdyne <https://forums.openvpn.net/viewtopic.php?f=4&t=7291&p=8527#p8527>
05:59 < koriel> i can't ping 10.8.0.5
05:59 < |Mike|> !configs
05:59 <@vpnHelper> |Mike|: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
05:59 < koriel> my server.conf is here http://pastebin.com/Nsy8t6wS
06:00 < koriel> my client.conf http://pastebin.com/NyTcXy6R
06:04 < |Mike|> err, i miss some grep 
06:06 < koriel> ok...sorry...
06:06 < koriel> client config http://pastebin.com/4Aehy0NU
06:07 < koriel> server conf http://pastebin.com/3hNji9uA
06:08 < koriel> on server side i run ubuntu server and on client side I use ubuntu desktop
06:08 <@dazo> koriel: that's normal ... many people expects to be able to ping x.x.x.5 when they have x.x.x.6 as their tunnel IP ... but they can only ping x.x.x.1 on the remote side
06:09 < koriel> so why can't i access my server side lan computers..?
06:09 <@dazo> koriel: that's the default behaviour of topology /30 ... which is the default topology
06:09 <@dazo> koriel: that's an entirely different question
06:10 <@dazo> koriel: that's most often due to lack of routes being set up, missing ip_forward on the server and firewalling
06:10 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
06:10 < koriel> firewall on server and client is off (all policies set to accept
06:11 < koriel> ip_forward is on on server side
06:11 < koriel> but not on client side
06:11 <@dazo> good ... you only need that on the OpenVPN server
06:11 <@dazo> then you're missing the routes
06:11 <@dazo> !route
06:11 <@vpnHelper> dazo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
06:12 <@dazo> (it's a fairly advanced setup here, but it also covers the basic stuff ... make sure to read the complete stuff, you need that to understand what's going on)
06:12 < koriel> please note that I add a route rule to my gateway on server side...and all was working fine when I was using  a fedora workstation...
06:13 < koriel> I could access samba shares on remote lan as well.. 
06:13 < koriel> configurations didn't change...only my client's OS from fedora to ubuntu
06:13 <@dazo> oh dear ... why did you do that! :-P
06:14 < koriel> :P... 
06:14 < koriel> I wanted to see the new ubuntu distro... 
06:14 < theDoc> o/
06:15 <@dazo> you've heard about virtualization ;-) ... anyhow ... changing a distro is basically changing a lot ... but as it was working with Fedora, it has to do with the network config somehow
06:15 <@dazo> theDoc: speak up :)
06:16 < theDoc> dazo: Nothing really, just saying hi.
06:16 < theDoc> Trying to get an ipsec vpn working on my cisco box
06:16 < theDoc> I'm starting to require remote resources from home when I travel.
06:16 <@dazo> theDoc: :)  heh ... I thought so .... but you might be so polite that you wanted to raise your hand before speaking :-P
06:17 <@dazo> theDoc: good luck :)
06:17 < theDoc> lol, I wish
06:17 < theDoc> There's a fair bit of configurations to do and I'm not really keen at the moment.
06:17 < theDoc> I need to fix the dynamic dns thing first then the ipsec vpn.
06:17 <@dazo> hmm
06:18 <@dazo> koriel: try to use tcpdump on gateway and ubuntu ... to see if the traffic goes as expected ... that's a good starting point
06:25 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
06:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
06:32 -!- pushpop [~marc@pool-173-77-222-236.nycmny.fios.verizon.net] has joined #openvpn
06:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 245 seconds]
06:41 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
06:48 -!- twister004 [~chatzilla@59.90.34.167] has joined #openvpn
06:50 < venomen> Hey Guys, still trying myy P to P VPN and almost working fine, I cant get the route running (Site1 10.8.0.2 can connect Site2 10.8.0.1 but not the "real Network" 192.168.100.x) can anyone help me out a bit?
06:52 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
06:53 -!- boswarrior1 [~mrnice@78.142.173.114] has joined #openvpn
06:59 < venomen> I even can ping the host itself (192.168.100.253) but not the clients behind (192.168.100.1 for example)
06:59 < venomen> also a routing problem, right?
07:05 < Rienzilla> hmm
07:06 < Rienzilla> Is it possible to somehow start the openvpn gui as adminsitrator on boot every time?
07:06 < venomen> windows?
07:06 < venomen> put it on autostart =)
07:07 < Rienzilla> well, it needs to be started with elevated privileges
07:07 < Rienzilla> else it won't be able to make the necessary changes to the routingtasble
07:07 < Rienzilla> oh I see a way I think
07:08 <@dazo> Rienzilla: what about to consider to put the user into a local network admin group ... that group got the proper access levels for doing such stuff
07:08 < Rienzilla> ah that would work too
07:10 < Rienzilla> I can just put authenticated users into the network admin group and be done with it I guess
07:11 < venomen> you can start it with a -admin flag
07:19 < Rienzilla> thanks
07:19 -!- le0 [~fin@87.112.250.227] has joined #openvpn
07:19 -!- le0 [~fin@87.112.250.227] has quit [Changing host]
07:19 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
07:21 < venomen> np
07:26 -!- twister004_ [~chatzilla@59.90.34.167] has joined #openvpn
07:27 -!- twister004 [~chatzilla@59.90.34.167] has quit [Ping timeout: 245 seconds]
07:27 -!- twister004_ is now known as twister004
07:35 -!- datalay [~datalay@217.131.39.154] has joined #openvpn
07:35 < datalay> hi 
07:35 < datalay> i need openvpn client for ARM embedded linux
07:35 < datalay> is there any url about that you advise, 
07:36 < datalay> thanks
07:42 < Rienzilla> I run openvpn on MIPS
07:42 < Rienzilla> I don't know if it can be compiled on arm
07:43 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
07:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
07:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
07:54 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
07:58 -!- pushpop [~marc@pool-173-77-222-236.nycmny.fios.verizon.net] has quit [Ping timeout: 245 seconds]
07:58 -!- pushpop [~marc@pool-173-77-222-236.nycmny.fios.verizon.net] has joined #openvpn
08:00 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
08:00 < datalay>  /join #buildroot
08:04 < venomen> fail =)
08:04 <@vpnHelper> RSS Update - forum: Configuration :: Re: OpenVPN bridged + client with lan behind :: Reply by ieracos <https://forums.openvpn.net/viewtopic.php?f=6&t=7284&p=8528#p8528>
08:09 <@dazo> datalay: I'm running OpenVPN on my N900 ... which is ARM based, so it's doable ... you probably just need to figure out the cross compiling
08:12 < datalay> i found buildroot
08:12 < datalay> but i need to compile for existing system
08:20 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
08:27 -!- philG [~philg@artis3.probesys.com] has joined #openvpn
08:28 < philG> hi all
08:28 < philG> i'm new and of course i have a little problem trying to use openvpn client
08:28 < philG> when i start my client i have this error : AUTH: Received AUTH_FAILED control message
08:29 < philG> but my login and password because i can connect to the web interface without problem
08:30 < philG> do you think it can be an error with ip6 configuration of my computer ?
08:40 -!- Squidy [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has joined #openvpn
08:41 -!- EmperorTom [~EmperorTo@174-30-245-204.mpls.qwest.net] has quit [Ping timeout: 240 seconds]
08:47 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
08:50 < ecrist>  philG are you using access server?
08:50 < ecrist> openvpn doesn't have a web interface
08:50 < philG> no i'm on debian
08:50 < philG> i have use an web interface to take my conf file
08:51 < philG> the server interface
08:53 < ecrist> what server interface?
08:53 < ecrist> what web interface to make configs?
08:53 < ecrist> I know of only one
08:55 < philG> my "client" send me an url where i can find a conf, tha .exe file if i'm use windows 
08:55  * ecrist is confused
08:55 < renihs> ?
08:56 < renihs> sure you are talking about openvpn here? :)
08:56 < philG> http://www.openvpn.net/index.php/access-server/download-openvpn-as.html
08:56 <@vpnHelper> Title: Access Server Downloads (at www.openvpn.net)
08:56 < ecrist> dude, fuck
08:56 < ecrist> 08:50 < ecrist>  philG are you using access server?
08:56 < ecrist> 08:50 < philG> no i'm on debian
08:56 < philG> okok 
08:56 < ecrist> we don't support access server
08:56 < philG> soory
08:56 < philG> soory
08:56 < philG> sorry grr
08:57 < philG> well
08:57 < ecrist> access server support is available from openvpn technologies
08:57 < ecrist> !as
08:57 <@vpnHelper> ecrist: "as" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations options
08:57 <@vpnHelper> ecrist: supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
09:01 < philG> ok so if i want find some information i have to go the #4 link
09:04 < philG> thanks
09:06 -!- pushpop [~marc@pool-173-77-222-236.nycmny.fios.verizon.net] has quit [Ping timeout: 255 seconds]
09:06 -!- pushpop [~marc@pool-173-77-222-236.nycmny.fios.verizon.net] has joined #openvpn
09:09 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 260 seconds]
09:13 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
09:15 -!- pumkinhed [~pumkinhed@72.45.85.159] has quit [Quit: pumkinhed]
09:15 -!- Blues-Man [~bluesman@host194-194-dynamic.117-80-r.retail.telecomitalia.it] has joined #openvpn
09:16 -!- dazo is now known as dazo_afk
09:18 -!- pushpop [~marc@pool-173-77-222-236.nycmny.fios.verizon.net] has quit [Ping timeout: 240 seconds]
09:19 <@vpnHelper> RSS Update - forum: Configuration :: new server hardware :: Author gondolin <https://forums.openvpn.net/viewtopic.php?f=6&t=7310&p=8529#p8529>
09:23 -!- venomen [~venomen@p579974DB.dip.t-dialin.net] has quit []
09:23 -!- pushpop [~marc@pool-173-77-222-236.nycmny.fios.verizon.net] has joined #openvpn
09:31 <@vpnHelper> RSS Update - forum: Forum & Website Support :: No VPN access for client overnight :: Author m.ourmech <https://forums.openvpn.net/viewtopic.php?f=30&t=7311&p=8530#p8530>
09:35 -!- twister004 [~chatzilla@59.90.34.167] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.12/20101026210630]]
09:37 < pushpop> fds
09:38 -!- datalay [~datalay@217.131.39.154] has quit [Ping timeout: 255 seconds]
09:41 -!- pushpop [~marc@pool-173-77-222-236.nycmny.fios.verizon.net] has quit [Ping timeout: 276 seconds]
09:42 -!- pushpop [~marc@pool-173-77-222-236.nycmny.fios.verizon.net] has joined #openvpn
09:43 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
09:48 -!- kerfe [~a@66.pool85-60-140.dynamic.orange.es] has joined #openvpn
09:57 -!- EugenMayer [~EugenMaye@frbg-5f730d43.pool.mediaWays.net] has joined #openvpn
09:58 < EugenMayer> hello. What do i need to let the openvpn server push DNS options to my client? I see that windows clients can do this nativly, but on linux there is something like foreign_option_ needded?
10:10 < reiffert> !factoids search dns
10:10 <@vpnHelper> reiffert: 'pushdns', 'dns', and 'splitdns'
10:10 < reiffert> !pushdns
10:10 <@vpnHelper> reiffert: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
10:10 < reiffert> !factoids search dhcp
10:10 <@vpnHelper> reiffert: 'bridge-dhcp' and 'dhcp'
10:10 < reiffert> !dhcp
10:10 <@vpnHelper> reiffert: "dhcp" is redirect-gateway bypass-dhcp gets around the problem of DHCP packets to the local DHCP server being incorrectly routed into the tunnel. Available in 2.1
10:10 < reiffert> forget the latter
10:13 < EugenMayer> reiffert: well it was more about update-resolf-conf script
10:14 < EugenMayer> the push were done, but linux clients do not take DNS pushes natively. Working now though
10:14 < EugenMayer> is there a way to set the username and password in the config file?
10:19 -!- EugenMayer [~EugenMaye@frbg-5f730d43.pool.mediaWays.net] has quit [Ping timeout: 276 seconds]
10:21 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
10:21 < reiffert> hrmn.
10:22 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Client Quit]
10:27 -!- EugenMayer [~EugenMaye@frbg-5f730d43.pool.mediaWays.net] has joined #openvpn
10:30 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Read error: Connection reset by peer]
10:31 -!- hulagu [~hulagu@69.172.135.243] has quit [Quit: leaving]
10:32 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
10:34 < renihs> EugenMayer, should work on linux as well
10:34 < renihs> i push dns to my linux clients
10:46 -!- p3rror [~mezgani@41.140.97.133] has quit [Remote host closed the connection]
10:57 -!- philG [~philg@artis3.probesys.com] has left #openvpn []
10:58 -!- Squidy [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has quit [Ping timeout: 252 seconds]
11:01 -!- Squidy [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has joined #openvpn
11:07 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving]
11:15 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Read error: Operation timed out]
11:23 -!- Blues-Man [~bluesman@host194-194-dynamic.117-80-r.retail.telecomitalia.it] has quit [Quit: Sto andando via]
11:39 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
12:05 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
12:05 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Ping timeout: 245 seconds]
12:08 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
12:14 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined #openvpn
12:32 -!- luneff [~yury@84.51.195.188] has joined #openvpn
12:33 -!- EugenMayer [~EugenMaye@frbg-5f730d43.pool.mediaWays.net] has left #openvpn []
12:49 -!- P4C0 [~paco@unaffiliated/p4c0] has joined #openvpn
12:50 < P4C0> hello, do I have to restart the openvpn server when I modify client's certificates/keys?
12:59 < roentgen_> P4C0: modify how?
12:59 < P4C0> revoked and new ones created
12:59 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Routing Questions :: Reply by ExEric3 <https://forums.openvpn.net/viewtopic.php?f=4&t=7306&p=8531#p8531>
13:00 < roentgen_> P4C0: usually no
13:00 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving]
13:00 < roentgen_> if you revoke a connected client that you might use the management console to kick it 
13:01 < roentgen_> *may
13:01 < P4C0> roentgen_: thanks!
13:03 < roentgen_> P4C0: don't forget to update your crl file
13:03 < roentgen_> for revoked certs
13:06 < P4C0> i think this script is doing that
13:11 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
13:21 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
13:58 -!- luneff [~yury@84.51.198.114] has joined #openvpn
14:09 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 240 seconds]
14:17 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
14:27 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has joined #openvpn
14:28 -!- le0 [~fin@82.132.243.41] has joined #openvpn
14:28 -!- le0 [~fin@82.132.243.41] has quit [Changing host]
14:28 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
14:30 -!- sentmen [~sentmen@188.204.72.86] has joined #openvpn
14:30 < sentmen> Hi all
14:30 < sentmen> I have a problem
14:31 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Remote host closed the connection]
14:32 < hyper_ch> we all have problems
14:32 < sentmen> Lol
14:32 < hyper_ch> but don't look at it as problem but rather look at it as challenge
14:33 < sentmen> But i think it is simple:p
14:33 < sentmen> Do you have a problem?
14:33 < hyper_ch> I have many problems
14:33 < sentmen> Like?
14:33 < hyper_ch> how can I train my cats to use the toilette and flush it after they do their business
14:34 < sentmen> Lol
14:34 < hyper_ch> how to find the perfect job and woman
14:34 < ecrist> wrong channel.
14:34 < hyper_ch> has there been a universe before this one?
14:34 < sentmen> Lol
14:34 < sentmen> But i have a problem with openvpn±p
14:34 < hyper_ch> is this realy or are we in a matrix?
14:34 < sentmen> :p
14:34 < hyper_ch> sorry ecrist :)
14:34 < sentmen> I have a problem with openvpn
14:35 < sentmen> If i had not than i don
14:35 < sentmen> 't need to join this channel
14:35 < ecrist> sentmen: see /topic
14:36 < sentmen> !welcome
14:36 <@vpnHelper> sentmen: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:36 < sentmen> !goal
14:36 <@vpnHelper> sentmen: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:36 < sentmen> Ok
14:36 < sentmen> I read it
14:36 < sentmen> I have a problem to ping my server
14:37 < sentmen> I have a range from 10.8.0.0 to 10.8.0.24
14:37 < sentmen> If i ping from client to client it work
14:37 -!- Squidy [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has quit [Remote host closed the connection]
14:37 < hyper_ch> !tell sentmen [configs]
14:37 < sentmen> !tell
14:37 <@vpnHelper> sentmen: (tell <nick> <text>) -- Tells the <nick> whatever <text> is. Use nested commands to your benefit here.
14:38 < sentmen> ?
14:38 < hyper_ch> you should have a query by vpnHelper
14:38 < sentmen> ?
14:38 < sentmen> I don't understand you
14:38 < hyper_ch> query = private chat
14:39 < hyper_ch> !configs
14:39 <@vpnHelper> hyper_ch: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
14:39 < sentmen> Ok:)
14:39 < sentmen> I understand you
14:40 -!- cairnz [mats@217-14-7-98-dhcp-osl.bbse.no] has joined #openvpn
14:40 < hyper_ch> but your server's firewall could be configured to drop icmp requests
14:40 < sentmen> I can connect
14:41 < hyper_ch> so?
14:41 < sentmen> If i connect to the server it give me an ip
14:41 < hyper_ch> that's something different
14:41 < hyper_ch> !icmp
14:41 <@vpnHelper> hyper_ch: Error: "icmp" is not a valid command.
14:42 < sentmen> But i can't ping it
14:42 < hyper_ch> http://www.linuxquestions.org/questions/linux-networking-3/iptables-question-how-do-you-reject-icmp-596207/
14:42 <@vpnHelper> Title: IPTABLES question - how do you reject icmp? (at www.linuxquestions.org)
14:42 < hyper_ch> those two are not necessarily related
14:42 < sentmen> I want to ping but i can't
14:43 < sentmen> That is to reject ping:p
14:43 < hyper_ch> it is to help you understand
14:43 < hyper_ch> check your firewall
14:43 -!- Squidy [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has joined #openvpn
14:44 < sentmen> All firewalls shutted down:)
14:44 < sentmen> Didn't work:(
14:44 -!- Squidy [~quassel@189-31-24-14.cbace701.dsl.brasiltelecom.net.br] has quit [Client Quit]
14:45 < hyper_ch> how do you shut down the firewall?
14:45 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:45 < sentmen> The server has no firewall and my windows client has a standard microshit firewall
14:46 < sentmen> I shutted him down
14:46 <@vpnHelper> RSS Update - forum: Server Administration :: Re: I can only ping one way. Client to server works. :: Reply by jcavil <https://forums.openvpn.net/viewtopic.php?f=4&t=7300&p=8532#p8532>
14:46 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Ping timeout: 276 seconds]
14:46 < sentmen> No
14:46 < hyper_ch> how do you know that your server has no firewall?
14:46 -!- agagag [~anton@eudaimonia.goto10.org] has joined #openvpn
14:46 < sentmen> Because it is a ubuntu ec2 vps:)
14:47 < hyper_ch> it has a firewall
14:47 < sentmen> And how shut i him down?
14:47 < sentmen> Witch command?
14:47 < hyper_ch> you don't
14:47 < sentmen> Ok:)
14:47 < hyper_ch> ubuntu comes with iptables
14:47 < hyper_ch> iptables is a firewall
14:47 < hyper_ch> usually it has no rules, meaning it lets verything pass
14:47 < sentmen> Ok
14:47 < hyper_ch> but no clue what your vps is configured like
14:48 < hyper_ch> so you need to check iptables for rules
14:48 < hyper_ch> and I'm quite positive there are rules in place to drop icmps
14:48 < sentmen> Can i paste here?
14:48 < sentmen> Or need i an pastebin?
14:48 < hyper_ch> use pastebin
14:48 < sentmen> Where?
14:49 < sentmen> Link plz
14:49 < hyper_ch> ?
14:49 < hyper_ch> what link?
14:49 < sentmen> How i use pastebin?
14:49 < sentmen> Another server has a website with pastebin
14:49 < hyper_ch> www.pastebin.ca
14:49 < hyper_ch> paste your stuff there
14:50 < hyper_ch> you will be given a unique url
14:50 < hyper_ch> paste that url here
14:50 < sentmen> http://pastebin.ca/1999322
14:51 < hyper_ch> don't use the NAT table for that
14:51 < hyper_ch> just iptables -L
14:53 < hyper_ch> (as root)
14:53 -!- buntfalke_ is now known as buntfalke
14:53 < sentmen> http://pastebin.ca/1999325
14:54 < hyper_ch> hmmm.... then I don't know
14:54 < hyper_ch> could be your ISP filtering out the ICMPs
14:57 < sentmen> But i can connect and i get an ip:)
14:57 -!- skullone [skullone@galaxy.distant.net] has joined #openvpn
14:57 < sentmen> I run it on port 443
14:58 < hyper_ch> somewhere the ICMPs get filtered out
14:58 < hyper_ch> it's a different protocoll from UDP and TCP
14:58 < sentmen> I will try
14:58 < hyper_ch> so because you can't ping a box it doesn't mean that you can reach it with other means
14:59 -!- koriel [~koriel@78-45-202.adsl.cyta.gr] has left #openvpn []
14:59 < skullone> does restarting the openvpn service drop existing connections
15:01 < sentmen> No
15:01 < hyper_ch> keep-alive should keep it alive during restart
15:02 < sentmen> If i set it to udp it doesn't connect at all
15:02 -!- mirak [~mirak@81-64-223-104.rev.numericable.fr] has joined #openvpn
15:02 < mirak> hello
15:03 < sentmen> I can ping now:D
15:03 < sentmen> Thanks for the help:)
15:03 < sentmen> Bye
15:03 < sentmen> Hi mirak
15:04 < mirak> I have two ddwt routers. A is client of B. Computers from the A Lan can see computers of B Lan, but the opposite is not true. Is it about just defining a route from B to A ?
15:04 < mirak> dd-wrt
15:04 -!- sentmen [~sentmen@188.204.72.86] has quit []
15:04 < mirak> Because I was thinking also that I could make B a client of A also. To have something bidirectionnal, but that doesn't seems necessary
15:05 < skullone> hyper_ch: will sessions inside the VPN stay up even with keep-alive? i would think things would reset...
15:05 < hyper_ch> skullone: no, sessions should also stay up - I think
15:05 < krzee> mirak, 
15:06 < krzee> !route
15:06 <@vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:14 < mirak> krzee, thanks
15:14 < mirak> krzee, why does the client lan adress needs to be harcoded in the server ?
15:15 < mirak> krzee, ok I think it would be too dangerous
15:15 < mirak> krzee, the client could maybe break and create conflicts with the server
15:16 < mirak> if the server doesn't watch carrefully
15:16 < mirak> (the server adminstrator I mean)
15:19 < mirak> openvpn have a bridge mode. does this eliminates all this routing issues ?
15:25 -!- mirak [~mirak@81-64-223-104.rev.numericable.fr] has quit [Quit: Ex-Chat]
15:29 -!- mirak [~mirak@81-64-223-104.rev.numericable.fr] has joined #openvpn
15:29 -!- mirak [~mirak@81-64-223-104.rev.numericable.fr] has quit [Client Quit]
15:29 -!- mirak [~mirak@81-64-223-104.rev.numericable.fr] has joined #openvpn
15:37 < reiffert> mirak: no.
15:37 -!- adac [~nutella@85-127-41-126.dynamic.xdsl-line.inode.at] has joined #openvpn
15:38 < adac> would this be valid or better can somthing like this be done: http://pastie.org/1318503 
15:40 -!- darkwind [~bpayne@rrcs-70-61-50-54.central.biz.rr.com] has quit [Remote host closed the connection]
15:40 < reiffert> why not have a group of vpn users where you can have a user with and without a vpn certificate?
15:43 < reiffert> Maybe you want have different levels of access, based on the cert ..?
15:43 < mirak> any one uses dd-wrt by the way ?
15:44 < reiffert> #dd-wrt does?
15:44 -!- s7r [~s7r@89.39.174.74] has left #openvpn []
15:45 < adac> reiffert, oh I'm in the wrong channel (:
15:46 < adac> I wnated to ask this in openldap
15:46 < adac> :D
15:46 < reiffert> adac: :)
15:47 < adac> reiffert, its late i should go to bed 
15:47 < adac> ;)
15:47  * reiffert swaps byte 2 with with 4 and byte 3 with 4 of ADAC
15:48 < adac> :D
15:49 <@vpnHelper> RSS Update - forum: Server Administration :: how does openvpn see the configuration files? :: Author pinguim007 <https://forums.openvpn.net/viewtopic.php?f=4&t=7312&p=8533#p8533>
15:49 < reiffert> all in the name of liberty 
15:52 < adac> reiffert, I see you like anagrams  :)
15:53 < reiffert> adac: hrmn?
15:55 < cairnz> is it possible to have user-based routing ?
15:56 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
15:56 < reiffert> cairnz: mark locally generated packages based on the userid?yes.
15:57 < reiffert> cairnz: have different routing rules, based on the COMMONNAME? Yes.
15:57 < cairnz> let's say i have two users setup user1 and user2. user1 should have route 0.0.0.0 set up through vpn, user2 should not
15:57 < reiffert> cairnz: 
15:57 < reiffert> !ccd
15:58 <@vpnHelper> reiffert: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
15:58 < cairnz> ah danke
15:58 < adac> reiffert, http://dbpedia.org/snorql/?query=%09%09SELECT+%3Fo%0D%0A%09%09WHERE+{+%0D%0A%09%09%09++%3Chttp%3A%2F%2Fdbpedia.org%2Fresource%2FAnagram%3E++%3Chttp%3A%2F%2Fdbpedia.org%2Fontology%2Fabstract%3E+%3Fo+.%0D%0A++++++++++++++++++++++++++FILTER+%28LANG%28%3Fo%29+%3D+%27en%27%29+.%0D%0A%09%09%09++}
15:58 <@vpnHelper> Title: SPARQL Explorer (at dbpedia.org)
16:01 < reiffert> adac: ho girth!
16:01 <@vpnHelper> RSS Update - forum: Server Administration :: Re: I can only ping one way. Client to server works. :: Reply by jcavil <https://forums.openvpn.net/viewtopic.php?f=4&t=7300&p=8534#p8534>
16:02 < adac> :)
16:02 -!- tyrok_laptop [~tyrok_lap@adsl-99-19-46-107.dsl.klmzmi.sbcglobal.net] has joined #openvpn
16:02 < tyrok_laptop> !welcome
16:02 <@vpnHelper> tyrok_laptop: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:02 < tyrok_laptop> !goal
16:02 <@vpnHelper> tyrok_laptop: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:04 < reiffert> pretty annoying this goal stuff.
16:04 < tyrok_laptop> I have a Linux OpenVPN server with a Linux client and Windows client, and I would like the two clients to be able to talk to each other over an encrypted connection for SIP calls.  They connect fine and I can ping each client from each other.  (more)
16:04 < reiffert> (Calls Try) crystall ball > goals
16:05 < adac> reiffert, can you help me to set up ldap authentication? I'm just not sure how the configuration file has to look like
16:06 < tyrok_laptop> When I place a call from the Windows client to the Linux one, the SIP URI is perfect, but when I go the other way, the URI has a different IP address than it should have (a NAT address on a physical network that should be unrelated to the VPN).
16:06 < tyrok_laptop> Any ideas?
16:06 < reiffert> adac: I could guess that your ldap scheme exactly needs to fit to what the ldap plugins expects it to look a like.
16:06 < adac> reiffert, that is  good guess :)
16:07 < reiffert> adac: further on reading the docs may help or may lead you into the plugin source code with an additional google loop inbetween..
16:08 < adac> reiffert, well I guess i fail on the filters somehow
16:09 < reiffert> adac: ldap filters suck, sore fur
16:09 < reiffert> adac: no example given in the docs?
16:10 < reiffert> tyrok_laptop: are they talking to anything outside of your vpn, e.g. some sip gate stuff?
16:10 < adac> reiffert, yeah there are examples give...but looks like I'm to stupid for this ldap language
16:10 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 245 seconds]
16:10 -!- corretico_ [~corretico@201.201.44.82] has joined #openvpn
16:11 < tyrok_laptop> reiffert: Nothing outside.  Ideally, the VPN would be entirely insulated from anything else with clients able to talk to each other.
16:11 < reiffert> adac: looks like http://code.google.com/p/openvpn-auth-ldap/ belongs to landon fuller
16:11 <@vpnHelper> Title: openvpn-auth-ldap - Project Hosting on Google Code (at code.google.com)
16:11 < reiffert> adac: you can find him on #macports
16:12 < reiffert> great apple guy
16:12 < adac> oh an apple
16:12 < adac> :)
16:12 < adac> I try in #openldap first. BUt many thanks for the hint!
16:16 -!- kerfe1 [~a@66.pool85-60-140.dynamic.orange.es] has joined #openvpn
16:19 -!- kerfe [~a@66.pool85-60-140.dynamic.orange.es] has quit [Ping timeout: 240 seconds]
16:24 -!- mirak [~mirak@81-64-223-104.rev.numericable.fr] has quit [Quit: Ex-Chat]
16:27 -!- ElitestFX [~ElitestFX@unaffiliated/elitestfx] has joined #openvpn
16:31 < adac> reiffert, which nick does landon fuller have on macports?
16:32 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
16:32 < reiffert> landonf with optional _'s
16:33 < adac> reiffert, ok thx. I might ask him. openvpn schläft
16:34 < reiffert> na, openvpn's up and running!
16:34 < adac> openldap ;)
16:34 < adac> darn
16:34 < adac> hehehe
16:35 < reiffert> I was visiting Nordschleife with an openldap developer once, couple of years ago, If I only could remember his nick ...
16:36 < adac> reiffert, are you an openvpn developer?
16:37 < reiffert> na
16:37 < reiffert> dazo is
16:37 < adac> reiffert, i see!
16:37 < reiffert> "openvpn supporter" or "friend" hits the road I guess
16:38 < reiffert> hitting the road is not what I was about to say .. anyway :)
16:39 < adac> :D
16:39 < adac> hey support is even as important as development
16:41 -!- bimbo [~emerino@poseidon.etesa.com.mx] has joined #openvpn
16:44 < bimbo> hello, I currently have an openvpn server running inside my network, and I've got a router that redirects traffic going to udp port 1194 to this machine, however if I don't specify the "--float" option in the openvpn client, it'll refuse to connect to the server... why is this happening?
16:44 < bimbo> I mean, is this a layer 7 security restriction? 
16:46 < reiffert> bimbo: Guess that your router redirection is doing something really strange, e.g. NAT'ing the inbound connection.
16:47 < reiffert> sorry, what I meant is: replacing the client's IP address by its internal router address
16:48 < reiffert> you might get a clue in the server logfile, e.g. what is the client's ip address when the client connects as seen by the server (log)?
16:58 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 245 seconds]
16:59 < bimbo> reiffert: ok, let me see
17:00 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
17:04 -!- tyrok_laptop [~tyrok_lap@adsl-99-19-46-107.dsl.klmzmi.sbcglobal.net] has quit [Quit: Leaving.]
17:04 < skullone> does the openVPN access server UI have a section to apply firewall rules to clients?
17:05 < skullone> im not seeing it in the features or screenshots
17:11 < Bushmills> openvpn has nothing to do with firewall
17:11 -!- corretico_ [~corretico@201.201.44.82] has quit [Ping timeout: 240 seconds]
17:12 < Bushmills> ah.  access server.  no idea
17:13 < skullone> yah
17:13 < skullone> was wondering if it had a GUI for making access rules for clients, beyond just what IP's they can get to
17:16 < reiffert> access server got a gui?
17:18 < krzee> reiffert, ya web based
17:18 < krzee> but we dont support AS here
17:18 < krzee> !AS
17:18 <@vpnHelper> krzee: "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations options
17:18 <@vpnHelper> krzee: supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
17:18 < krzee> see #4 for support
17:19 -!- kantxx [44c3fb02@gateway/web/freenode/ip.68.195.251.2] has joined #openvpn
17:19 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:19 < kantxx> has anyone here done a peer to peer vpn with a large company?
17:21 < Bushmills> statistically speaking, yes. most likely.
17:21 < kantxx> heya Bushmills  :)
17:21 < kantxx> is there a simple way to have all sites talk without configging a vpn for every site on every sites router?
17:23 < kantxx> Bushmills: :)?
17:23 < Bushmills> question sounds similar to "can i access remote openvpn server without a client on the local machine"
17:24 < kantxx> well no
17:24 < reiffert> hm, maybe it sounds like ...
17:24 < kantxx> we have 8 sites and would put openvpn in all sites so they can talk to eachother
17:24 < kantxx> we would want a setup similar to a MPLS
17:24 < Bushmills> i suppose the answer could be similar too: ssh to a remote machine which is  a client or routes (some) traffic through a client
17:24 < kantxx> layer2
17:25 < kantxx> i think
17:25 < reiffert> can we have a kantxx translator please?
17:25 < kantxx> lolz?
17:26 < kantxx> whats so confusing?
17:26 -!- P4C0 [~paco@unaffiliated/p4c0] has quit [Quit: leaving]
17:26 < kantxx> say we have 3 sites. main site is A
17:26 < reiffert> everything after "has anyone"
17:26 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has quit [Ping timeout: 240 seconds]
17:26 < kantxx> A<->B     A<->C      B<->C
17:27 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has joined #openvpn
17:27 < kantxx> that kind of setup requires 2 vpn tunnels per site
17:27 < kantxx> is there an alternate method?
17:27 < reiffert> Yes, there is.
17:27 < kantxx> ah
17:27 < kantxx> what would that be?
17:28 < Bushmills> a<->b   a<->c      b<>a<>c
17:28 < kantxx> force all through A?
17:28 < Bushmills> not really "force"
17:28 < kantxx> hmm
17:28 < Bushmills> such a topology comes naturally with openvpn
17:28 < kantxx> oh?
17:29 < Bushmills> that's where the server is
17:29 < kantxx> i know w/ ipsec i would need 2 tunnels per site
17:30 < kantxx> so i would only need one per site?
17:30 < reiffert> look, a got  n-1
17:30 < kantxx> hmm
17:30 < Bushmills> one client per site, yes.  and one server, anywhere.  shortest hops or latency, highest bandwidth location probably best suited.
17:30 < kantxx> ah
17:31 < kantxx> so it wont force to tunnel through A if B<->C need to talk?
17:32 < reiffert> one concept is circular, the other concept is radial symmetric.
17:32 < kantxx> reiffert: sorry i dont follow
17:32 < reiffert> a-b-c-d-e-f-g-h-a
17:32 < reiffert> circular
17:32 < kantxx> okay
17:32 < reiffert> \ | /
17:33 < reiffert> - a -
17:33 < reiffert> | \
17:33 < reiffert> hrmn.
17:33 < reiffert> \ | /
17:33 < reiffert> - a -
17:33 < reiffert> / | \
17:33 < kantxx> ah
17:33 < reiffert> put b,c,d,e,f,g,h at every end of such a pipe
17:33 < kantxx> so circular = less bandwidth at the server site?
17:34 < reiffert> and call it radial symmetric or "a"-center-whatever word fits best in your language.
17:35 < reiffert> now have a best case szenario, a worst case szenario and a what-you-think-will-be-the-average-szenario
17:35 < bimbo> reiffert: ok, I've set openvpn log verboseness to 6, but I don't see anything useful in the server log... what should I be looking for?
17:35 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:35 < krzee> hub/spoke
17:35 < reiffert> in circular: what does it take when b talks to a neighbour, what will it take to have b talk to the neighbour far far away
17:35 < kantxx> hmm
17:36 < reiffert> are there any single point of failures?
17:36 < reiffert> is there redundnacy?
17:36 < kantxx> reiffert: me?
17:36 < reiffert> can we have intelligent routing protocols to improve things?
17:36 < reiffert> so what about star symmetric setup. a is as close to c as to d.
17:37 < reiffert> what happens when a fails suddenly?
17:37 < reiffert> and whats your average use?
17:37 < kantxx> reiffert: we have triple redundant wans
17:37 < reiffert> kantxx: no, I'm talking to Bushmills.
17:37 < kantxx> at all sites
17:37 < kantxx> err k
17:38 < Bushmills> go on, tell kantxx
17:38 < reiffert> kantxx: see above.
17:38 < kantxx> i see
17:38 < kantxx> i was just hoping to avoid setting up multiple PTP connections at each site.. 
17:38 -!- maicod [~mailadd@a240153.upc-a.chello.nl] has joined #openvpn
17:39 < kantxx> client/server mode wont let B<->C talk directly right?
17:40 < reiffert> openvpn does not distinguish between client or server when it comes to routing.
17:40 < maicod> hi I have succesfully setup openvpn server (windows pc) and client (another windows pc) but what config option in the server config file do I need to set for netbios routing ?
17:40 < reiffert> well at least for "how to forward packages from interface one to another one"
17:40 < maicod> I now have 10.8.0.1 and 10.8.0.6 talking with ping
17:40 < kantxx> reiffert: bit confused...
17:44 < adac> For to enable also DNS over openvpn, which option i have to activate? Or is this done by default?
17:45 < reiffert> adac: how would you do it without openvpn?
17:46 < adac> /etc/resolv.conf 
17:46 < bimbo> hello, I currently have an openvpn server running inside my network, and I've got a router that redirects traffic going to udp port 1194 to this machine, however if I don't specify the "--float" option in the openvpn client, it'll refuse to connect to the server... why is this happening? I've tried increasing verboseness of the openvpn server to see what's going on but I can't really see anything useful... (verb 6)
17:46 < reiffert> adac: there you are.
17:47 < adac> reiffert, so I have to set up on client side?
17:48 < reiffert> adac: right. you can push the value with the help of ...
17:48 < reiffert> !dhcp
17:48 <@vpnHelper> reiffert: "dhcp" is redirect-gateway bypass-dhcp gets around the problem of DHCP packets to the local DHCP server being incorrectly routed into the tunnel. Available in 2.1
17:48 < reiffert> !dns
17:48 <@vpnHelper> reiffert: "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4
17:48 < reiffert> !push-dns
17:48 <@vpnHelper> reiffert: Error: "push-dns" is not a valid command.
17:48 < reiffert> !pushdns
17:48 <@vpnHelper> reiffert: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
17:48 < reiffert> the latter.
17:49 < adac> oh i see!
17:50 < reiffert> but like you already said two lines above, you will have to set it by yourself manually with the help of whatever scripting language you like most
17:50 < adac> push "dhcp-option DNS 208.67.222.222"
17:50 < adac> push "dhcp-option DNS 208.67.220.220"
17:50 < adac> sems already be enabled
17:51 < maicod> adac: I'm messing with the same problem. Now the 10.8.0.0 network works but it should talk to my 192.168.3.0 network :)
17:51 < maicod> I configged PUSH now
17:51 < maicod> push "route 192.168.3.0 255.255.255.0" 
17:51 < maicod> hope it works
17:52 < adac> maicod, reiffert How can I see then afterwards if dns is really running via vpn?
17:53 < reiffert> adac: cat /etc/resolv.conf
17:54 < adac> reiffert, true :)
17:54 < adac> hehe
17:54 < reiffert> ah well, traceroute will prove.
17:55 < adac> http://pastie.org/1318782
17:55 < adac> reiffert, ^^
17:56 < adac> so it adds the nameservers, but this isn't proof that all, even dns is running over vpn
17:57 < adac> hmm where on traceroute do i see it?
17:58 < reiffert> well, think you've got a route to those DNS over your vpn?
17:59 < adac> reiffert, so you mean i just do a traceroute on ie. 208.67.220.220 an see where it goes?
17:59 -!- kantxx [44c3fb02@gateway/web/freenode/ip.68.195.251.2] has quit [Quit: Page closed]
18:00 < adac> 208.67.220.220 is my dns i push to the client
18:00 < reiffert> adac: sounds like the purpose of traceroute.
18:00 < adac> hehehe
18:00 < adac> true
18:00 < adac> yeah well it goes directly to 10.8.0.1
18:01 < adac> so it should work
18:01 < adac> :)
18:01 < reiffert> Adding some confusion: udp, icmp and tcp may travel over different paths and traceroute can handle icmp and udp :)
18:01 < adac> ouch!!!
18:01 < adac> reiffert, its late you shouldnt have mentioned yet now ;)
18:02 < reiffert> :)
18:02 < reiffert> your c lib most probably uses udp/53 for talking to your nameservers.
18:02 < adac> reiffert, hmm # TCP or UDP server?
18:02 < adac> ;proto tcp
18:02 < adac> proto udp
18:02 < maicod> can I add options like --ip-win32 method as a server config command ?
18:02 < maicod> -method
18:02 < adac> so udp is enabled
18:03 < reiffert> adac: proto udp sounds like an openvpn option to me
18:03 < reiffert> adac: tracerouting your nameserver is about to prove what paths the nameservice requests travel.
18:03 < adac> reiffert, correct this is from the server.conf file
18:05 < adac> reiffert, I guess i have right a million questions still left...but i guess i leave this for tomorrow and I can just hope that tomorrow you will be as talkative as today :)
18:05 < adac> Sleep well and thx a lot! Se you tomorrow
18:06 < reiffert> adac: Tomorrow will be Bushmills turn
18:06 < adac> maicod, sleep well you too ;)
18:06 < maicod> thanks
18:06 < adac> oh i see... well yet another victim .) 
18:07  * Bushmills is the grumby bastard
18:07 < Bushmills> grumpy, even
18:07 < adac> haha
18:07 < adac> darn...the  i wait for the day after tomorrow :P
18:07 < Bushmills> do you think man pages have decorative purposes only?
18:08 < maicod> reiffert: what is the best way to route netbios that normally goes over my 192.168.3.0 network also over the tunnel at 10.8.0.0 ?
18:08 < adac> Bushmills, No they are too less colorfull for decorative purposes
18:08 < adac> only
18:08 < maicod> im talking about a windows to windows setup
18:08 < adac> Bushmills, but yeah you are right I should read them 
18:08 < adac> ok its time
18:09 < adac> sleep well ya all
18:09 < adac> bye!
18:09 -!- adac [~nutella@85-127-41-126.dynamic.xdsl-line.inode.at] has quit [Quit: Verlassend]
18:09 < Bushmills> mission completed
18:09 < reiffert> maicod: you can have netbios over tcp for that purpose.
18:09 < maicod> I only added PUSH 192.168.3.0 so far
18:10 < maicod> in the server config
18:10 < maicod> you mean using wins ?
18:10 < reiffert> http://de.wikipedia.org/wiki/NetBIOS_over_TCP/IP
18:10 <@vpnHelper> Title: NetBIOS over TCP/IP – Wikipedia (at de.wikipedia.org)
18:10 < maicod> thanks I will read
18:11 < maicod> ha your german :)
18:11 < reiffert> for english: http://en.wikipedia.org/wiki/NetBIOS_over_TCP/IP
18:11 <@vpnHelper> Title: NetBIOS over TCP/IP - Wikipedia, the free encyclopedia (at en.wikipedia.org)
18:11 < maicod> no problem reiffert ich bin hollaendisch und kan auch Deutch lesen
18:11 < reiffert> Bushmills!!!!!
18:12 < Bushmills> mijn fiets terug
18:12 < reiffert> maicod: to shorten all of this:
18:12 < maicod> ok?
18:12 < reiffert> maicod: I think you want to use samba/cifs, just enter \\ip.address.of.remote.pc
18:12 < maicod> oh
18:12 < reiffert> maicod: using network neighbourhood:
18:13 < maicod> yeah I want that ;)
18:13 < reiffert> maicod: either setup wins (tihs fucks and will fail), or use a broadcast relay, like e.g.
18:13 -!- luneff [~yury@84.51.198.114] has quit [Quit: Leaving]
18:13 < reiffert> !factoids search relay
18:13 <@vpnHelper> reiffert: "broadcast-relay" is a software that comes with pptp. use it in tun mode when needing broadcasts, and WINS isnt enough.
18:13 < reiffert> (note, it also sucks)
18:14 < maicod> okay thanks i will think out my posibillities :)
18:14 < maicod> oh :)
18:14 < reiffert> cross subnet name resolution sucks on microsoft networks.
18:15 < reiffert> min fiets zerug! hahaha
18:15 < maicod> can't I make the tunnel use 192.168.3.x also ?
18:15 < maicod> hehe
18:15 < maicod> thats old
18:15 < maicod> we love germans now :)
18:15 < maicod> haha
18:16 < reiffert> sure you can use the same subnet, but broadcast packages wont make it to the other side.
18:16 < maicod> oh :(
18:16 < maicod> thats the whole idea of a VPN LOL
18:16 < maicod> oh sorry misread
18:16 < maicod> broadcast
18:17 < maicod> like netbios names
18:17 < maicod> :(
18:17 < reiffert> (m$ network name resolution uses broadcast packages)
18:17 < maicod> yeh
18:17 < reiffert> netbios is dead, please learn the proper name.
18:17 < maicod> I get that
18:17 < maicod> samba?
18:17 < reiffert> CiFS
18:17 < maicod> oh ok
18:17 < maicod> still using win xp :)
18:17 < reiffert> CIFS
18:18 < reiffert> netbios died with win 3.11
18:18 < maicod> hehe
18:19 < reiffert> "To that end, Windows XP-based, Client-Server networks - and later - do not require this insecure means of name resolving and addressing or navigating of network shares."
18:19 < maicod> ok
18:22 < reiffert> afk, n8
18:22 < maicod> gute nacht
18:22 < maicod> im out too
18:22 < maicod> seeya
18:22 < maicod> thanks for help
18:22 -!- maicod [~mailadd@a240153.upc-a.chello.nl] has left #openvpn []
18:37 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
18:41 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Client Quit]
18:46 -!- Fieldy [Cz21VIYhk9@gentoo/contributor/Fieldy] has joined #openvpn
18:48 < Fieldy> I've heard that using UDP for openvpn is preferred, and that TCP is an option. other than being restricted to just tcp, is there a reason where TCP would be more ideal than UDP? i'm connecting over a fairly unstable wireless link and am trying to get the most i can out of it.
18:54 -!- kerfe1 [~a@66.pool85-60-140.dynamic.orange.es] has quit [Quit: • IRcap • 8.6 •]
18:54 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 240 seconds]
18:55 < krzee> Fieldy, you mean udp would be more ideal than TCP
18:55 < krzee> !tcp
18:55 <@vpnHelper> krzee: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
18:55 < Fieldy> ah thanks, I will read up
18:58 < Fieldy> the first one makes a lot of sense. i'll check out the others too. i'm messing with TCP right now, i'll switch it back.
18:58 < Fieldy> the second one tops it off for me, udp leaves data reliability to the app. thank you krzee
19:02 < Fieldy> perhaps this explains why tcp traffic over ssh's -D (socks proxy to the server) and -R (set up a listening port on the server, route it to a port on the client) behaves so badly at times.
19:03 -!- Fieldy [Cz21VIYhk9@gentoo/contributor/Fieldy] has quit [Remote host closed the connection]
19:04 -!- Fieldy [dfCyVwNJz8@gentoo/contributor/Fieldy] has joined #openvpn
19:07 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
19:08 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
19:09 -!- Fieldy [dfCyVwNJz8@gentoo/contributor/Fieldy] has left #openvpn []
19:14 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
19:17 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 240 seconds]
19:34 -!- corretico [~corretico@201.201.44.82] has quit [Quit: Leaving]
19:34 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
19:34 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
19:34 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
19:34 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
19:58 < jpalmer> quick question.   I have an up-script, and a down-script.   is there a directive to get them to run again, if the openvpn client reconnects for any reason?
20:07 -!- bimbo [~emerino@poseidon.etesa.com.mx] has left #openvpn []
21:16 -!- p3rror [~mezgani@41.140.181.224] has joined #openvpn
21:38 <@vpnHelper> RSS Update - forum: Server Administration :: Re: I can only ping one way. Client to server works. :: Reply by secesh <https://forums.openvpn.net/viewtopic.php?f=4&t=7300&p=8535#p8535>
21:42 < krzee> jpalmer, if thats what you want, you likely dont want up / down
21:45 < jpalmer> krzee, ok,  what should I be looking at then?
22:03 -!- markus [~markus@c83-250-33-131.bredband.comhem.se] has quit [Ping timeout: 240 seconds]
22:05 -!- markus [~markus@c83-250-33-131.bredband.comhem.se] has joined #openvpn
22:23 -!- Some_Person [~Sam@unaffiliated/someperson/x-249303] has joined #openvpn
22:24 < Some_Person> Is there any simple way to test if an openvpn server is working at all (without dealing with login stuff or anything)?
22:26 < Some_Person> Or is there any simple way to test if traffic on a machine is actually going through the VPN?
22:33 < ecrist> jpalmer: client-connect and client-disconnect
22:52 -!- Some_Person [~Sam@unaffiliated/someperson/x-249303] has quit [Quit: Leaving]
23:06 -!- krzie [~k@ftp.secure-computing.net] has joined #openvpn
23:06 -!- krzie [~k@ftp.secure-computing.net] has quit [Changing host]
23:06 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
23:26 -!- fahmad [~linux@vpn.server4sale.com] has joined #openvpn
23:26 -!- fahmad [~linux@vpn.server4sale.com] has quit [Changing host]
23:26 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
23:32 -!- W0rmF00d [~wormfood@183.39.100.108] has joined #openvpn
23:35 -!- WormFood [~wormfood@183.39.101.108] has quit [Ping timeout: 245 seconds]
23:48 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
23:51 < jpalmer> ecrist: thanks.  will take a look.
23:58 < jpalmer> ecrist: these look like they'd be set on the server side,  for when a client connects (I currently use this to update DDNS entries for vpn clients)  you're saying it'll work on the client too?
--- Day changed Tue Nov 23 2010
00:02 < krzie> jpalmer, earlier you asked about --up scripts on reconnection
00:02 < krzie> you may want --client-connect instead
00:02 < krzie> --up and --down are for when the interface comes up or down iirc
00:02 < krzie> !script
00:02 <@vpnHelper> krzie: "script" is see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn
00:05 < jpalmer> krzie: can you confirm then "client-connect"  isn't just for the openvpn server?  it works on the client side too?
00:07 < krzie> Normally the up script is called after the TUN/TAP device is opened. In this context, the last command line parameter passed to the script will be init. If the --up-restart option is also used, the up script will be called for restarts as well. A restart is considered to be a partial reinitialization of OpenVPN where the TUN/TAP instance is preserved (the --persist-tun option will enable such preservation). A restart can be generated by a SIGUS
00:07 < krzie> R1 signal, a --ping-restart timeout, or a connection reset when the TCP protocol is enabled with the --proto option. If a restart occurs, and --up-restart has been specified, the up script will be called with restart as the last parameter.
00:07 < krzie> or that
00:09 < jpalmer> ping-restart sounds promising.  let me expain:
00:10 < jpalmer> I have a script that creates a few simple tunnels to another machine (think of it as port redirection)  but when the client loses connectivity for any reason and then reconnects..  the proxy processes are still running, but no longer work.  I need a way to kill them, and restart them when the client reconnects.
00:13 < jpalmer> (this script is run on the client side, not server0
00:15 -!- Mkools [~mukul@117.196.217.112] has joined #openvpn
00:31 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 264 seconds]
00:36 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
00:38 < krzie> if you want them killed, use ping-exit
00:38 < krzie> if you want them to reconnect, ping-restart (see --keepalive)
00:48 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
00:54 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
00:58 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
01:00 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
01:07 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
01:13 -!- rcngeoff_ [~rcngeoff@p4FDBE1A4.dip.t-dialin.net] has joined #openvpn
01:14 < rcngeoff_> !welcome
01:14 <@vpnHelper> rcngeoff_: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:15 < rcngeoff_> !goal
01:15 <@vpnHelper> rcngeoff_: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:15 < rcngeoff_> Hello, I have been trying to install the latest openvpn client on Win7 x64, but I am getting libeay32.dll not found errors, any pointers?
01:27 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
01:30 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Client Quit]
01:32 -!- W0rmF00d is now known as WormFood
01:42 < krzie> hyper_ch, here?
01:43 < hyper_ch> krzie: if you want to give me money, then I'm here... if you want me to give you mone, then I'm not :)
01:43 < reiffert> :)
01:43 < krzie> if theres $ going 1 way or the other, i'll prefer my direction, otherwise can i msg?
01:43 < krzie> haha
01:44 < hyper_ch> sure :) how may I be of service to you
01:44 -!- Mkools [~mukul@117.196.217.112] has quit [Ping timeout: 252 seconds]
01:52 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Read error: Connection reset by peer]
--- Log closed Tue Nov 23 02:18:51 2010
--- Log opened Tue Nov 23 02:36:14 2010
02:36 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined #openvpn
02:36 -!- Irssi: #openvpn: Total of 116 nicks [2 ops, 0 halfops, 0 voices, 114 normal]
02:36 -!- Irssi: Join to #openvpn was synced in 35 secs
02:37 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
02:39 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
02:39 -!- mode/#openvpn [+o vpnHelper] by ChanServ
02:43 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
--- Log closed Tue Nov 23 02:48:27 2010
--- Log opened Tue Nov 23 02:59:57 2010
02:59 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined #openvpn
02:59 -!- Irssi: #openvpn: Total of 118 nicks [3 ops, 0 halfops, 0 voices, 115 normal]
03:00 -!- Irssi: Join to #openvpn was synced in 37 secs
03:05 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
03:06 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: time to work]
03:09 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
03:09 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 272 seconds]
03:09 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Remote host closed the connection]
03:09 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
03:09 -!- mode/#openvpn [+o vpnHelper] by ChanServ
03:09 -!- ecrist [~ecrist@openvpn/community/support/ecrist] has quit [Ping timeout: 240 seconds]
--- Log closed Tue Nov 23 03:09:55 2010
--- Log opened Tue Nov 23 03:10:01 2010
03:10 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined #openvpn
03:10 -!- Irssi: #openvpn: Total of 118 nicks [3 ops, 0 halfops, 0 voices, 115 normal]
--- Log closed Tue Nov 23 03:12:59 2010
--- Log opened Tue Nov 23 03:15:03 2010
03:15 -!- ecrist_ [~ecrist@kenny.secure-computing.net] has joined #openvpn
03:15 -!- Irssi: #openvpn: Total of 118 nicks [2 ops, 0 halfops, 0 voices, 116 normal]
03:15 -!- ecrist [~ecrist@openvpn/community/support/ecrist] has quit [Ping timeout: 260 seconds]
03:15 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
03:15 -!- mode/#openvpn [+o vpnHelper] by ChanServ
03:15 -!- Irssi: Join to #openvpn was synced in 41 secs
03:28 -!- basso [~quassel@pc5053.stdby.hin.no] has quit [Read error: Connection reset by peer]
03:33 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 245 seconds]
03:33 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
03:46 < hyper_ch> krzie: online?
03:47 -!- master_of_master [~master_of@p57B54791.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
03:48 -!- master_of_master [~master_of@p57B56E36.dip.t-dialin.net] has joined #openvpn
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:53 -!- eliasp [~quassel@HSI-KBW-109-193-152-083.hsi7.kabel-badenwuerttemberg.de] has quit [Ping timeout: 240 seconds]
--- Log closed Tue Nov 23 03:55:15 2010
--- Log opened Tue Nov 23 04:18:23 2010
04:18 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined #openvpn
04:18 -!- Irssi: #openvpn: Total of 120 nicks [2 ops, 0 halfops, 0 voices, 118 normal]
04:18 -!- Irssi: Join to #openvpn was synced in 35 secs
04:20 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
04:20 -!- mode/#openvpn [+o vpnHelper] by ChanServ
--- Log closed Tue Nov 23 04:25:02 2010
--- Log opened Tue Nov 23 04:41:11 2010
04:41 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined #openvpn
04:41 -!- Irssi: #openvpn: Total of 121 nicks [3 ops, 0 halfops, 0 voices, 118 normal]
--- Log closed Tue Nov 23 04:45:08 2010
--- Log opened Tue Nov 23 04:59:57 2010
04:59 -!- ecrist [~ecrist@openvpn/community/support/ecrist] has joined #openvpn
04:59 -!- Irssi: #openvpn: Total of 122 nicks [3 ops, 0 halfops, 0 voices, 119 normal]
05:00 -!- Irssi: Join to #openvpn was synced in 38 secs
05:01 -!- boswarrior1 [~mrnice@78.142.173.114] has quit [Ping timeout: 240 seconds]
05:02 -!- boswarrior1 [~mrnice@78.142.173.114] has joined #openvpn
05:02 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
05:04 -!- ecrist_ [~ecrist@kenny.secure-computing.net] has joined #openvpn
05:08 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined #openvpn
05:09 < krzie> powerunits, the time is wrong on one of the machines
05:12 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has quit [Ping timeout: 245 seconds]
05:23 -!- sonicman [~admin@periwinkle.feralhosting.com] has joined #openvpn
05:24 < sonicman> greetings
05:24 < sonicman> I 'm having problems excluding an ip address on our Lan from using the openvpn tunnel
05:25 < sonicman> I tried this route ip/address  255.255.255.0 net_gateway
05:25 < krzie> use a firewall
05:26 < sonicman> in the client config but I get this error message in logs /sbin/route add -net 192.168.5.198 netmask 255.255.255.0 gw 69.40.x.x
05:26 < sonicman> ERROR: Linux route add command failed: external program exited with error status: 1
05:26 < sonicman> use a firewall
05:27 < sonicman> explain please
05:28 < sonicman> I have google this to my wits end
05:28 < sonicman> thanks for any help
05:30 < renihs> i would also suggest using a firewall, though i am not sure what you mean with "explain please"
05:33 < sonicman> we have one machine behind the firewall and behing the openvpn client/switch/router that we do not want to pass its connection through the tunnel we want it to use the default internet gateway
05:34 < sonicman> how would the firewall help
05:34 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 272 seconds]
05:36 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
05:39 < renihs> you use a firewall instruction on the openvpn server?
05:39 < powerunits> guys can we install openvpn server on windows server 2008
05:39 < powerunits> ??
05:39 < renihs> to prevent packets from that specific ip entering the tun device?
05:39 < krzie> powerunits, sure
05:39 < krzie> !download
05:39 <@vpnHelper> krzie: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
05:39 < renihs> would be my general suggestion :)
05:40 < renihs> at least thats how i do it
05:40 < krzie> sonicman, oh now i see what you mean
05:40 < renihs> though i usually tend to prevent vpn clients reaching certain machines
05:40 < krzie> sonicman, you have an entire lan routing over openvpn, and you want a single exception?
05:41 < krzie> their default route to the internet
05:42 < hyper_ch> krzie: still online?
05:43 < hyper_ch> krzie: http://ajaxload.info/ --> so you can create a different loading.gif :)
05:43 <@vpnHelper> Title: Ajaxload - Ajax loading gif generator (at ajaxload.info)
05:45 < krzie> hey thats cool!
05:47 < hyper_ch> I hope the scripts works :)
05:47 < sonicman> yes you are correct krzie
05:48 < hyper_ch> krzie is always correct except when he doesn't share the same opinion as I do :)
05:48 < sonicman> it worked once when I used this ip route add default via x.x.x.x  table 10
05:49 < sonicman> then I just added ip rule add from 192.168.15.172/32 table 10
05:49 < sonicman> worked like a dream
05:49 < krzie> then whats the problem?
05:50 < sonicman> then I had switch die and had to change software
05:50 < sonicman> the new client tomatovpn does not support tables
05:50 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
05:51 < krzie> sounds like an issue to talk to their support about
05:51 < krzie> since thats how i would have told you to do it
05:51 < sonicman> brb
05:51 < krzie> especially since your problem lies outside of openvpn
05:53 < sonicman> no this is a way to include it on the client config
05:53 < sonicman> there is a way
05:53 < krzie> nope
05:53 < krzie> oh wait, yes
05:53 < krzie> maybe at least
05:53 < krzie> err, no there is not
05:54 < krzie> because your routing table is based on destination, not source
05:54 < sonicman> http://translate.google.com/translate?js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&sl=fr&tl=en&u=http%3A%2F%2Fwww.vpnblog.net%2Fforum%2Fvpn-sous-windows%2Fcomment-exclure-des-adresses-ip-ou-un-logiciel-du-vpn%2F
05:54 <@vpnHelper> Title: Google Translate (at translate.google.com)
05:54 < sonicman> can you read this
05:54 < sonicman> google translate sorry
05:54 < krzie> thats for the TARGET ip
05:55 < krzie> that is doable
05:55 < krzie> to not hit a target over the vpn
05:55 < krzie> you are talking about someone on your lan not hitting ANY target over the vpn, that is different
05:55 < sonicman> oh
05:55 < sonicman> thats target ips
05:56 < sonicman> crap
05:56 <@vpnHelper> RSS Update - forum: Server Administration :: Data output :: Author dashpilot79 <https://forums.openvpn.net/viewtopic.php?f=4&t=7314&p=8537#p8537>
05:56 < krzie> you already noted the way to solve your problem
05:56 < krzie> go talk to tomato people, im sure they didnt strip that from the kernel
05:56 < krzie> and it is linux
05:57 < krzie> ok im not sure, but ild assume... since it IS a router and all
05:57 < sonicman> thanks for the help
05:57 < krzie> np
06:01 -!- sentmen [~sentmen@193.141.72.113] has joined #openvpn
06:01 < sentmen> Hi
06:02 < sentmen> !goal
06:02 <@vpnHelper> sentmen: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:02 < sentmen> I want to access the internet over my vpn
06:02 < sentmen> How can i do it?
06:05 < krzie> !redirect
06:05 <@vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
06:05 < sentmen> !def1
06:05 <@vpnHelper> sentmen: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
06:05 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
06:07 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Client Quit]
06:08 -!- sonicman_ [~admin@h125.118.40.69.dynamic.ip.windstream.net] has joined #openvpn
06:09 -!- sonicman [~admin@periwinkle.feralhosting.com] has quit [Read error: Connection reset by peer]
06:15 -!- sonicman_ is now known as sonicman
06:26 -!- sonicman_ [~admin@h18.9.89.75.dynamic.ip.windstream.net] has joined #openvpn
06:27 < sentmen> Can anyone help me to access internet over my vpn?
06:27 < sentmen> I'm a beginner
06:27 < krzie> what os is your server
06:27 < sentmen> Ubuntu
06:27 < krzie> !linnat
06:27 <@vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
06:27 < krzie> !linipforward
06:27 <@vpnHelper> krzie: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
06:27 -!- twister004 [~chatzilla@59.90.34.167] has quit [Read error: Connection reset by peer]
06:27 < krzie> in addition to using redirect-gateway def1    in your client config
06:28 -!- twister004 [~chatzilla@59.90.34.167] has joined #openvpn
06:28 -!- sonicman [~admin@h125.118.40.69.dynamic.ip.windstream.net] has quit [Ping timeout: 252 seconds]
06:28 -!- sonicman_ is now known as sonicman
06:29 < sentmen> If i use iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
06:29 < sentmen> It will give an error
06:30 < sentmen> Cannot use -A with -A
06:31 < sentmen> How to fix it?
06:32 < sentmen> krzie Do you how to fix it?
06:32 < krzie> cannot use -A with -A?
06:32 < sentmen> Yes
06:32 -!- sonicman [~admin@h18.9.89.75.dynamic.ip.windstream.net] has quit [Ping timeout: 255 seconds]
06:32 < sentmen> My server say it
06:33 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
06:33 -!- italoclone [c9568b78@gateway/web/freenode/ip.201.86.139.120] has joined #openvpn
06:33 < sentmen> Lol
06:33 < sentmen> I pasted it 2 times:p
06:34 < sentmen> Can you please say it in a simple term
06:35 < sentmen> *simple steps
06:35 < sentmen> Like step 1: ...
06:35 < sentmen> Wait
06:35 -!- s7r [~s7r@89.39.174.74] has joined #openvpn
06:35 < sentmen> Do i need to add anything in my config?
06:36 -!- rcngeoff__ [~rcngeoff@p508A2CC0.dip.t-dialin.net] has joined #openvpn
06:37 < sentmen> krzie?
06:38 < krzie> [08:27]  <krzie> in addition to using redirect-gateway def1    in your client config
06:38 < krzie> and no
06:38 -!- rcngeoff_ [~rcngeoff@p4FDBE1A4.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
06:38 < krzie> im doing other stuff, not looking to hold any hands
06:38 -!- sonicman [~admin@periwinkle.feralhosting.com] has joined #openvpn
06:40 < sentmen> Ok
06:40 < sentmen> Did that
06:40 < sentmen> Do i need edit another config?
06:41 < krzie> you just do 3 things
06:41 < krzie> the line i said in the config
06:41 < krzie> NAT
06:42 < krzie> and ip forwarding
06:42 < krzie> just like said in this:]
06:42 < krzie> !redirect
06:42 <@vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
06:42 < krzie> !linnat
06:42 <@vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
06:42 < krzie> !linipforward
06:42 <@vpnHelper> krzie: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
06:48 -!- sentmen [~sentmen@193.141.72.113] has quit []
06:48 -!- luneff [~yury@84.51.195.188] has joined #openvpn
06:58 < hyper_ch> krzie: have you the script running yet?
06:59 < krzie> no im modding my script a bit to run better with it
07:01 < hyper_ch> hehehe :)
07:01 < hyper_ch> shall I also have a look at it?
07:01 -!- EmperorTom [~EmperorTo@184-97-154-150.mpls.qwest.net] has joined #openvpn
07:02 < krzie>     4519 total
07:02 < krzie> hehehe
07:02 < krzie> ill take care of it ;]
07:02 < hyper_ch> 4519?
07:02 < krzie> wc -l
07:02 < hyper_ch> :)
07:06 -!- mrbrdo [~mrbrdo@89.212.77.221] has joined #openvpn
07:07 < mrbrdo> hey, i'm having a little trouble.. i'm setting up openvpn via webmin. at this point, i can connect to my openvpn server from a windows box, but it cannot ping or access computers inside my LAN
07:07 < krzie> !route
07:07 <@vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:08 < krzie> if it is only 1 LAN, which side is it behind?
07:08 < krzie> client or server
07:08 < mrbrdo> server
07:08 < krzie> !serverlan
07:08 <@vpnHelper> krzie: "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
07:08 < mrbrdo> !route_outside_openvpn
07:08 <@vpnHelper> mrbrdo: "route_outside_openvpn" is (#1) http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) you do not need this if the vpn node IS the gateway for its lan
07:09 < mrbrdo> it is the gateway
07:09 < krzie> score
07:09 < mrbrdo> and i push the route
07:09 < krzie> erm
07:09 < mrbrdo> also, do i need to assign different subnet to openvpn or not?
07:09 < mrbrdo> my internal lan is 10.10.10.0/24
07:09 < krzie> yes, like this
07:09 < krzie> !sample
07:09 <@vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
07:09 < mrbrdo> i tried to assign 10.8.0.0/24 to openvpn
07:10 < krzie> yup, thats a common subnet to use
07:10 < mrbrdo> then i do push "10.10.10.0 255.255.255.0" in additional config, is that ok?
07:10 < mrbrdo> 10.10.10.1 is the server/gateway
07:11 < krzie> yep
07:11 < krzie> the client is not also on 10.10.10.1, right?
07:11 < krzie> err i mean 10.10.10.x
07:11 < mrbrdo> the client is on 10.8.0.6
07:11 < mrbrdo> that's what it gets assigned
07:11 < krzie> and its LAN?
07:12 < mrbrdo> u mean gateway or what?
07:12 < krzie> clients LAN ip
07:12 < krzie> is not 10.10.10.x
07:12 < mrbrdo> not sure how to check it
07:12 < krzie> the ip on its local network
07:13 < mrbrdo> it's only connected to net directly and to openvpn
07:13 < mrbrdo> it's not on any lan
07:13 < krzie> ok
07:13 < mrbrdo> maybe it's a firewall problem?
07:13 < krzie> can the client ping 10.8.0.1?
07:13 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
07:13 < mrbrdo> no
07:14 < krzie> yes, check firewalls
07:14 < mrbrdo> times out
07:14 < krzie> also, post these
07:14 < krzie> !logs
07:14 <@vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin
07:14 < krzie> and these
07:14 < krzie> !configs
07:14 <@vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
07:14 < krzie> !pb
07:14 <@vpnHelper> krzie: "pb" is Use our pastebin to post configs and logs at http://openvpn.pastebin.ca rather than posting to the channel.
07:14 < mrbrdo> i have in INPUT accept eth0 (lan IF), tun0, UDP 1194, eth2 (ext if) ESTABLISHED,RELATED
07:14 < mrbrdo> also FORWARD accept tun0
07:15 < mrbrdo> and in POSTROUTING i have if source is 10.8.0.0/24 and output if is eth0
07:15 < krzie> ESTABLISHED,RELATED
07:15 < krzie> this is UDP...
07:15 < mrbrdo> well that's just for my internal NAT then :)
07:15 < krzie> dont try stateful filtering on your UDP, unexpected stuff may happen ;]
07:15 < mrbrdo> without that my NAT will not work on local lan (not openvpn related)
07:16 < krzie> ok
07:16 < krzie> im not much of a linux guy
07:16 < krzie> but post those logs and configs
07:16 < krzie> (i use bsd)
07:16 < mrbrdo> ok sec
07:16 < mrbrdo> i will pastie them
07:17 < mrbrdo> !pb
07:17 <@vpnHelper> mrbrdo: "pb" is Use our pastebin to post configs and logs at http://openvpn.pastebin.ca rather than posting to the channel.
07:17 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving]
--- Log closed Tue Nov 23 07:19:07 2010
--- Log opened Tue Nov 23 07:19:15 2010
07:19 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined #openvpn
07:19 -!- Irssi: #openvpn: Total of 125 nicks [3 ops, 0 halfops, 0 voices, 122 normal]
07:19 < mrbrdo> could this be the problem perhaps? Tue Nov 23 14:12:40 2010 mrbrdo/89.212.175.209:65004 Need IPv6 code in mroute_extract_addr_from_packet
07:19 < mrbrdo> i get that in server log a lot
07:19 -!- Irssi: Join to #openvpn was synced in 39 secs
07:19 < mrbrdo> openvpn log that is
07:22 < powerunits> guys openvpn server on windows 
07:22 < powerunits> i m trying to build-ca
07:22 < powerunits> but i m getting this error
07:22 < krzie> mrbrdo, 
07:22 < krzie> http://comments.gmane.org/gmane.network.openvpn.user/31166
07:22 <@vpnHelper> Title: OpenVPN users list (at comments.gmane.org)
07:22 < powerunits> error on line 117 of openssl.cnf -- 3624:error:0E065068:configuration file ----outines:STR_COPY:variable has no value:. --- \crypto\conf\conf_def.c:629:line 117
07:22 < krzie> but thats not the problem, post what i said
07:23 < krzie> powerunits, did you follow this:
07:23 < krzie> !pki
07:23 <@vpnHelper> krzie: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was
07:23 <@vpnHelper> krzie: signed specially as a server (see !servercert)
07:23 < krzie> note, the . in front of . ./vars is important
07:23 < powerunits> let me see
07:23 < powerunits> plz hold
07:24 < mrbrdo> krzie: config http://openvpn.pastebin.ca/1999893
07:24 <@vpnHelper> RSS Update - pastebin: Miscellany <http://pastebin.ca/1999893>
07:24 < mrbrdo> tell me if you need something else
07:24 < krzie> i told you
07:24 < krzie> !configs
07:24 < reiffert> powerunits: line 117 of openssl.cnf?
07:24 <@vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
07:24 < krzie> !logs
07:24 <@vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin
07:24 < krzie> those are 4 things to paste
07:25 < mrbrdo> in log there's nothing else relevant
07:25 < krzie> heh
07:25 < krzie> says you
07:25 < krzie> change it to verb 5 and paste
07:26 < krzie> server config is good
07:27 < mrbrdo> openvpn.log: http://openvpn.pastebin.ca/1999898
07:28 < mrbrdo> other logs: http://openvpn.pastebin.ca/1999899
07:28 < krzie> interesting
07:29 < krzie> client log?
07:29 < mrbrdo> sec
07:29 <@vpnHelper> RSS Update - pastebin: Something <http://pastebin.ca/1999899> || Anonymous <http://pastebin.ca/1999898>
07:29 < krzie> also, may wanna update
07:29 < krzie> we're on 2.1.4 now...
07:30 < mrbrdo> client is on windows, but when i do view log in openvpn gui it says it's empty
07:30 < krzie> !logfile
07:30 <@vpnHelper> krzie: "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info
07:30 < krzie> !winpath
07:30 <@vpnHelper> krzie: "winpath" is (#1) Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key", or (#2) also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.: C:/Program Files/OpenVPN/config/foo.key (but surrounded by quotes)
07:31 < mrbrdo> i installed from ubuntu repos on server so it would be too much trouble to update to current (in repo this is up to date, what i have)
07:31 < krzie> no, it would be easy
07:31 < krzie> !download
07:31 <@vpnHelper> krzie: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
07:31 < krzie> extract, make, make install, done
07:31 < krzie> far from hard
07:31 < mrbrdo> i know but i rather use packages when i can
07:32 < mrbrdo> the log folder is empty on windows, maybe a win7 permissions problem
07:32 < krzie> evidently this isnt one of those times
07:32 < krzie> since your repo doesnt seem to be up to date
07:32 < krzie> there is no default log dir
07:32 < krzie> you need to use log in the config, like my bot said
07:32 < mrbrdo> sec
07:34 -!- luneff [~yury@84.51.195.188] has joined #openvpn
07:36 < mrbrdo> krzie: i used the log option (with quotes and /) but still no log file... this is what i get when connecting though, if it helps: http://openvpn.pastebin.ca/1999905
07:40 <@vpnHelper> RSS Update - pastebin: Unnamed <http://pastebin.ca/1999905>
07:40 < mrbrdo> krzie: i ran it as Administrator now, and it magically works, heh?
07:40 < mrbrdo> on windows
07:41 < mrbrdo> i saw something about an ARP flush which i didn't see before, at the end just before it connected
07:41 < mrbrdo> internet doesn't work on that box now though
07:42 < mrbrdo> (nvm last sentance, cable went out a bit)
07:43 < mrbrdo> log file after running it as admin: http://openvpn.pastebin.ca/1999911
07:43 < mrbrdo> the successful ARP flush is new... wasn't in log before
07:46 < mrbrdo> any idea what happened
07:46 <@vpnHelper> RSS Update - pastebin: Anonymous <http://pastebin.ca/1999911>
07:46 < krzie> must be started as admin
07:46 < mrbrdo> worked as normal user before
07:46 < krzie> was prolly the old problem
07:46 < mrbrdo> i had a little different setup but it worked
07:47 < krzie> only if you figured out how to give it access to add routes and change interfaces
07:47 < krzie> like
07:47 < krzie> !win_noadmin
07:47 <@vpnHelper> krzie: "win_noadmin" is (#1) http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows, or (#2) and http://article.gmane.org/gmane.network.openvpn.user/24873 for vista
07:47 < mrbrdo> i used the same subnet for openvpn and actual lan back then
07:47 < mrbrdo> dunno how, but it worked fine
07:48 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has quit [Ping timeout: 255 seconds]
07:50 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined #openvpn
07:53 < mrbrdo> krzie: in any case, thanks for the help!
07:54 -!- mrbrdo [~mrbrdo@89.212.77.221] has quit [Quit: leaving]
08:03 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
08:04 -!- takamichi [Takamichi@pm301-97-169.keyworld.net] has quit [Ping timeout: 240 seconds]
08:05 < ecrist> morning, folks.
08:05 -!- takamichi [~pri@pm301-97-169.keyworld.net] has joined #openvpn
08:05 < ecrist> sorry about the bot being off line last night, ISP was doing work on the node in my area.
08:07 < kisom> ecrist: bad ISP :) shouldn't be any downtime due to planned maintenance
08:09 -!- joako [~joako@99-153-162-173.lightspeed.miamfl.sbcglobal.net] has joined #openvpn
08:09 -!- joako [~joako@99-153-162-173.lightspeed.miamfl.sbcglobal.net] has quit [Changing host]
08:09 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
08:10 -!- takamichi [~pri@pm301-97-169.keyworld.net] has quit [Ping timeout: 276 seconds]
08:11 -!- takamichi [~pri@194.126.175.219] has joined #openvpn
08:14 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
08:14 -!- _Sud0 [~Sud0@unaffiliated/-sud0/x-6662295] has joined #openvpn
08:14 < _Sud0> hello
08:15 < _Sud0> just asking a question if anyone can answer
08:16 < _Sud0> may i install OpenVpn community Server (the free version) on an ESXi machine ?
08:17 < korozion> I don't see why not
08:17 < _Sud0> thx korozion, about esxi i googled and found some talking about the OpenvpnAS
08:18 < _Sud0> want to know if with the free version OpenVpn comun server i can connecte about 20 clients
08:18 < korozion> I've been told there is no limit
08:18 < korozion> I mean, you'd eventually be limited by hardware
08:19 < _Sud0> i see, that's sure
08:19 < _Sud0> thx
08:19 < korozion> no problem
08:23 < ecrist> kisom: I forgive them, as my connection is more stable, generally, than some high-end data centers.
08:26 -!- takamichi [~pri@194.126.175.219] has quit [Ping timeout: 240 seconds]
08:26 -!- takamichi [~pri@pm301-97-169.keyworld.net] has joined #openvpn
08:26 < krzie> there are limits, but 20 is far from them
08:32 < powerunits> guys i m still having this issue...
08:32 < powerunits> :(
08:33 < powerunits> error on line 117 of openssl.cnf -- 3624:error:0E065068:configuration file ----outines:STR_COPY:variable has no value:. --- \crypto\conf\conf_def.c:629:line 117
08:33 -!- Mkools [~mukul@117.196.216.224] has joined #openvpn
08:33 < krzie> sounds like either you didnt edit vars, or you didnt source them right
08:33 < powerunits> i m trying it on windows 2008 server
08:33 < powerunits> i did
08:33 < krzie> you used the oipenvpn.net howto for making your keys?
08:34 < powerunits> http://www.runpcrun.com/howtoopenvpn
08:34 <@vpnHelper> Title: OpenVPN Windows HowTo | runPCrun - IT Support for London (at www.runpcrun.com)
08:34 < powerunits> i follow this 
08:35 < powerunits> ??
08:35 < powerunits> any help?
08:38 <@vpnHelper> RSS Update - forum: Installation Help :: Getting started on Hyper-V :: Author AliTodd <https://forums.openvpn.net/viewtopic.php?f=5&t=7315&p=8538#p8538>
08:38 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
08:39 < ecrist> sup d00ds?
08:55 -!- pif [~ldm@zenon.apartia.fr] has joined #openvpn
08:56 -!- pif [~ldm@zenon.apartia.fr] has left #openvpn []
09:08 -!- ElitestFX [~ElitestFX@unaffiliated/elitestfx] has quit [Ping timeout: 272 seconds]
09:20 -!- ecrist [~ecrist@openvpn/community/support/ecrist] has quit [Ping timeout: 245 seconds]
--- Log closed Tue Nov 23 09:20:05 2010
--- Log opened Tue Nov 23 09:20:12 2010
09:20 -!- ecrist_ [~ecrist@kenny.secure-computing.net] has joined #openvpn
09:20 -!- Irssi: #openvpn: Total of 126 nicks [3 ops, 0 halfops, 0 voices, 123 normal]
09:20 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: TAP-Win32 device and IPv6 addresses :: Reply by juhovh <https://forums.openvpn.net/viewtopic.php?f=15&t=7289&p=8539#p8539>
09:20 -!- ucekpolish1 [user@hq.ostc-pl.com] has joined #openvpn
09:20 -!- Irssi: Join to #openvpn was synced in 42 secs
09:21 -!- mukul_ [~mukul@117.196.216.224] has joined #openvpn
09:22 -!- ucekpolish1 [user@hq.ostc-pl.com] has quit [Client Quit]
09:22 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
09:24 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
09:24 -!- ecrist [~ecrist@openvpn/community/support/ecrist] has quit [Ping timeout: 245 seconds]
09:24 -!- ucekpolish [user@hq.ostc-pl.com] has quit [Ping timeout: 245 seconds]
09:24 -!- Mkools [~mukul@117.196.216.224] has quit [Ping timeout: 245 seconds]
09:24 -!- MattJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 245 seconds]
09:26 -!- boswarrior1 [~mrnice@78.142.173.114] has quit [Remote host closed the connection]
09:28 -!- You're now known as ecrist
09:29 -!- nb [~nb@fedora/nb] has quit [Read error: Operation timed out]
09:36 -!- EmperorT1m [~EmperorTo@184-97-174-215.mpls.qwest.net] has joined #openvpn
09:37 -!- ElitestFX [~ElitestFX@unaffiliated/elitestfx] has joined #openvpn
09:38 -!- EmperorTom [~EmperorTo@184-97-154-150.mpls.qwest.net] has quit [Ping timeout: 240 seconds]
09:38 -!- joako [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
09:39 -!- ElitestFX [~ElitestFX@unaffiliated/elitestfx] has quit [Client Quit]
09:41 -!- _Sud0 [~Sud0@unaffiliated/-sud0/x-6662295] has quit [Remote host closed the connection]
09:44 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
09:52 -!- eNaz [~eNaz@c-9edbe655.04-57-626f721.cust.bredbandsbolaget.se] has joined #openvpn
09:53 < eNaz> Does anyone know how to make OpenVPN (Linux) reconnect when the connection is lost? Google didnt give me any accurate information.
09:55 -!- joako [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
10:06 -!- mukul_ [~mukul@117.196.216.224] has quit [Ping timeout: 250 seconds]
10:06 -!- nb [~nb@fedora/nb] has joined #openvpn
10:11 -!- eNaz [~eNaz@c-9edbe655.04-57-626f721.cust.bredbandsbolaget.se] has quit []
10:11 < powerunits> guys i can now connect to my windows server through openvpn
10:11 < powerunits> but i can't get ping between them :S
10:12 < powerunits> even there is no firewall
10:12 < powerunits> plz help on this
10:14 < jpalmer> powerunits: what do the packet captures tell you?  where are you losing packets?  what diagnotics have you already performed?
10:15 < powerunits> when i try to ping
10:15 < powerunits> ping 10.8.0.1
10:15 < powerunits> request time out.. means no ping on both sides
10:16 < jpalmer> I know what it means.   what do the *packet captures* tell you?  where are the packets being lost?
10:18 -!- EmperorT1m [~EmperorTo@184-97-174-215.mpls.qwest.net] has quit [Ping timeout: 245 seconds]
10:20 < Bushmills> check routing make sure there is a route, for vpn subnet destinations, sent to vpn interface
10:22 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
10:22 -!- EmperorTom [~EmperorTo@184-97-159-175.mpls.qwest.net] has joined #openvpn
10:24 < powerunits> humm
10:26 < powerunits> do i need to Setup VPN routing
10:26 < powerunits> ?
10:26 < powerunits> is it important coz in linux when i configure openvpn server i never setup routing
10:26 < Bushmills> windows can be tricky
10:27 < Bushmills> !winroute
10:27 <@vpnHelper> Bushmills: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
10:28 -!- Mkools [~mukul@117.196.216.224] has joined #openvpn
10:28 < Bushmills> whether you need any, you may know already, by checking whether the required routes exist, as i suggested
10:29 < Bushmills> there's also the answer to your question "do i need to Setup VPN routing"
10:30 -!- nb [~nb@fedora/nb] has quit [Quit: ZNC - http://znc.sourceforge.net]
10:31 < powerunits> hum
10:31 < powerunits> thnks
10:35 -!- nb [~nb@fedora/nb] has joined #openvpn
10:47 < Mkools> Hi when I am starting openvpn I am getting error:  Options error: --server and --secret cannot be used together (you must use SSL//TLS keys)
10:48 < Mkools> I am trying quick start howto and using Ubuntu 9.10
10:48 < Mkools> server any help
10:48 < Bushmills> Mkools: your problem is that  --server and --secret cannot be used together
10:49 < Mkools> BushmillsL: I got the server but what is secret is it the key?
10:50 < Mkools> that I generated
10:50 < Mkools> or any thing wrong in server.conf
10:50 < Mkools> file?
10:50 < Bushmills> pre shared keys.
10:50 < Bushmills> used for peer-to-peer
10:50 < Bushmills> for server, you use openssl cert signed keys
10:51 < Bushmills> !howto
10:51 <@vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:51 < Bushmills> !pki
10:51 <@vpnHelper> Bushmills: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert
10:51 <@vpnHelper> Bushmills: was signed specially as a server (see !servercert)
10:56 < Mkools> Bushmills: Yeah thanks, I am already reading HOW TO. But I want to quick start the things to gain confidence and then I will go in deep the PKI infrastructure. That's what Quick start is about(if I read it correctly) isn't it? 
10:58 -!- p3rror [~mezgani@41.140.181.224] has quit [Ping timeout: 264 seconds]
10:58 < Mkools> any further help?
10:59 -!- italoclone [c9568b78@gateway/web/freenode/ip.201.86.139.120] has quit [Quit: Page closed]
11:00 < ecrist> Mkools: you cannot have --server and --secret is same config
11:00 < ecrist> if you want a peer-to-peer VPN, remove --server
11:04 < Mkools> ecrist: That is what exactly I need to edit in server.conf?
11:09 < ecrist> yep
11:09 < ecrist> we're not going to do this for you, but we'll point you in the right diretion.
11:09 < ecrist> direction*
11:10 < Mkools> ecrist: Thanks, but can give me any related topic of HOW TO about your direction.
11:11 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Ping timeout: 260 seconds]
11:13 -!- twister004 [~chatzilla@59.90.34.167] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.12/20101026210630]]
11:16 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined #openvpn
11:26 < Mkools> ecrist: Hey, please one  more sub direction(hint)
11:31 -!- Mkools [~mukul@117.196.216.224] has quit [Quit: Leaving]
11:32 < powerunits> i have done this for routing http://pastebin.com/Bjr5r3Hi
11:32 < powerunits> but still ping is not going through
11:37 < powerunits> :(
11:39 -!- Hamlin [~Hamlin@unaffiliated/hamlin] has quit [Ping timeout: 265 seconds]
11:47 -!- markus [~markus@c83-250-33-131.bredband.comhem.se] has quit [Ping timeout: 250 seconds]
11:48 -!- Hamlin [~Hamlin@unaffiliated/hamlin] has joined #openvpn
11:49 -!- markus [~markus@c83-250-33-131.bredband.comhem.se] has joined #openvpn
11:52 -!- hdeshev [~Hristo@92-247-239-141.spectrumnet.bg] has joined #openvpn
11:52 < hdeshev> Hello
11:54 < hdeshev> I set up a tap VPN over UDP that worked flawlessly. And suddenly it broke.
11:54 < hdeshev> Now to define "broke" :)
11:55 < hdeshev> Running on Windows here. Both tap interfaces are up, and the client gets his IP address properly configured on connect (using a client config and ifconfig-push to do that)
11:55 < hdeshev> Wireshark says UDP packets fly both ways
11:55 < hdeshev> but nothing seems to go over that interface. I can't ping any of the hosts anymore
11:55 < hdeshev> How do I troubleshoot what's wrong?
12:01 -!- markus [~markus@c83-250-33-131.bredband.comhem.se] has quit [Ping timeout: 272 seconds]
12:02 -!- markus_ [~markus@c83-250-33-131.bredband.comhem.se] has joined #openvpn
12:09 -!- me345 [~me345@adsl-75-15-246-50.dsl.bkfd14.sbcglobal.net] has joined #openvpn
12:17 < Bushmills> "Wireshark says UDP packets fly both ways"  - how did you find out, especially when "nothing seems to go over that interface"
12:20 < hdeshev> ugh, got hijacked for a second. sorry
12:20 < Bushmills> powerunits: have you done that by now:   (17:20:33) Bushmills: check routing make sure there is a route, for vpn subnet destinations, sent to vpn interface  ?
12:21 < hdeshev> So I'm sniffing with Wireshark on the base tcp interfaces
12:21 < hdeshev> and I see UDP packets on the port I've specified for OpenVPN
12:22 < Bushmills> how can that be correlated with your idea that nothing seems to go over that interface?
12:22 < hdeshev> Bushmills: that's what I don't understand
12:22 < hdeshev> it could be a Windows issue, but I've disabled the firewalls on both machines
12:23 < Bushmills> do you understand that others have a problem with that too? you see packets, and you conclude that they didn't get there?
12:23 < hdeshev> Bushmills: hmm, what?
12:23 < Bushmills> (18:55:37) hdeshev: but nothing seems to go over that interface.
12:23 < Bushmills> (19:21:20) hdeshev: and I see UDP packets 
12:23 < hdeshev> so, I see UDP packets in Wireshark
12:24 < hdeshev> but when I ping the remote machine, I get no responses
12:24 < Bushmills> and you see them while they didn't go through that interface?
12:24 < Bushmills> how did they get there?
12:24 < hdeshev> and that used to work like a day ago - I could ping the machine and access Windows shares
12:25 < hdeshev> I see something going over UDP. It could either be my pings (and they get dropped by the remote machine)
12:25 < hdeshev> or it could be some OpenVPN connection maintenance packets... keepalives or something
12:25 < hdeshev> I can't know that
12:26 < Bushmills> well, it could. but we can't tell you whether those are your pings or not
12:27 < hdeshev> I could imagine that. I just thought I wasn't the first sucker with a similar problem and an OpenVPN veteran could help me find out what's wrong
12:27 < Bushmills> oh yes, there are more people who can't ping the remote
12:28 < hdeshev> Bushmills: okay. Thanks for your help
12:28 -!- me345 [~me345@adsl-75-15-246-50.dsl.bkfd14.sbcglobal.net] has quit [Remote host closed the connection]
12:42 -!- dazo is now known as dazo_afk
12:48 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving]
13:15 < hyper_ch> hi krzie
13:15 < hyper_ch> hi Bushmills
13:20 < krzie> hihi
13:26 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Excess Flood]
13:30 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 260 seconds]
13:30 -!- ElitestFX [~ElitestFX@static-72-248-253-194.ma.onecommunications.net] has joined #openvpn
13:30 -!- ElitestFX [~ElitestFX@static-72-248-253-194.ma.onecommunications.net] has quit [Changing host]
13:30 -!- ElitestFX [~ElitestFX@unaffiliated/elitestfx] has joined #openvpn
13:31 -!- ElitestFX [~ElitestFX@unaffiliated/elitestfx] has quit [Read error: Connection reset by peer]
13:31 -!- hdeshev [~Hristo@92-247-239-141.spectrumnet.bg] has quit [Remote host closed the connection]
13:32 -!- ElitestFX [~ElitestFX@static-72-248-253-194.ma.onecommunications.net] has joined #openvpn
13:32 -!- ElitestFX [~ElitestFX@static-72-248-253-194.ma.onecommunications.net] has quit [Changing host]
13:32 -!- ElitestFX [~ElitestFX@unaffiliated/elitestfx] has joined #openvpn
13:46 -!- p3rror [~mezgani@41.140.97.121] has joined #openvpn
14:28 < powerunits> guys are these messges are normal on openvpn server
14:28 < powerunits> http://pastebin.com/kJAhc7pB
14:28 < powerunits> coz i m getting these msgs again and again..
14:28 < |Mike|> tried to google on them?
14:29 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:29 < |Mike|> http://brneurosci.org/linuxsetup71.html
14:29 <@vpnHelper> Title: Installing a Virtual Private Network with OpenVPN (at brneurosci.org)
14:29 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Read error: No route to host]
14:29 < |Mike|> end of the page.
14:30 < powerunits> MIke: u talking to me?
14:31 < |Mike|> y
14:32 -!- plaerzen [~cam@vip1.tundraeng.com] has joined #openvpn
14:32 -!- plaerzen [~cam@vip1.tundraeng.com] has left #openvpn ["Leaving"]
14:36 < powerunits> Mike : http://brneurosci.org/linuxsetup71.html i have done same steps
14:36 <@vpnHelper> Title: Installing a Virtual Private Network with OpenVPN (at brneurosci.org)
14:36 < powerunits> but still getting those msgs...
14:37 -!- adac [~nutella@85-127-41-126.dynamic.xdsl-line.inode.at] has joined #openvpn
14:38 < adac> hi. Is there an open source webinterface for openvpn?
14:44 < ecrist> no
14:44 < ecrist> webmin and some others try, but they all suck
14:44 < ecrist> as such, we don't support any in here.
14:49 -!- ElitestFX [~ElitestFX@unaffiliated/elitestfx] has quit [Quit: Leaving]
14:49 -!- ElitestFX [~ElitestFX@static-72-248-253-194.ma.onecommunications.net] has joined #openvpn
14:49 -!- ElitestFX [~ElitestFX@static-72-248-253-194.ma.onecommunications.net] has quit [Changing host]
14:49 -!- ElitestFX [~ElitestFX@unaffiliated/elitestfx] has joined #openvpn
14:50 -!- ElitestFX [~ElitestFX@unaffiliated/elitestfx] has quit [Read error: Connection reset by peer]
14:50 -!- ElitestFX [~ElitestFX@static-72-248-253-194.ma.onecommunications.net] has joined #openvpn
14:50 -!- ElitestFX [~ElitestFX@static-72-248-253-194.ma.onecommunications.net] has quit [Changing host]
14:50 -!- ElitestFX [~ElitestFX@unaffiliated/elitestfx] has joined #openvpn
14:51 -!- ElitestFX [~ElitestFX@unaffiliated/elitestfx] has quit [Client Quit]
14:52 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 272 seconds]
14:55 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
15:01 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
15:04 < powerunits> adac: untangle has web based openvpn server... 
15:08 -!- luneff [~yury@84.51.198.114] has joined #openvpn
15:10 -!- realrob [~crim@213.155.29.16] has joined #openvpn
15:10 -!- realrob is now known as Robuster
15:10 -!- Robuster [~crim@213.155.29.16] has quit [Changing host]
15:10 -!- Robuster [~crim@unaffiliated/robuster] has joined #openvpn
15:12 < Robuster> hi, have anyone here setup openvpn on FreeBSD?
15:12 -!- rcngeoff__ [~rcngeoff@p508A2CC0.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
15:12 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
15:14 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 272 seconds]
15:19 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
15:21 -!- powerunits [~aa@119.152.8.87] has quit []
15:22 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
15:23 < adac> powerunits, thx i wil have a look at that
15:25 < reiffert> dont trust anybody but Bushmills.
15:25 < adac> heheh
15:26 < adac> and what about you? your statemnt implies that you should be trusted too reiffert hehe
15:26 -!- toortog` [~nesm6@c-75-69-211-52.hsd1.nh.comcast.net] has joined #openvpn
15:26 < reiffert> you'd better rethink this.
15:27 -!- toortog` [~nesm6@c-75-69-211-52.hsd1.nh.comcast.net] has quit [Client Quit]
15:37 < adac> this is a nice overview: https://community.openvpn.net/openvpn/wiki/RelatedProjects
15:37 <@vpnHelper> Title: RelatedProjects – OpenVPN Community (at community.openvpn.net)
15:40 -!- lau [~lau@unaffiliated/lau] has joined #openvpn
15:41 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
15:42 -!- basso [~quassel@pc5053.stdby.hin.no] has joined #openvpn
15:43 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has quit [Ping timeout: 276 seconds]
15:45 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined #openvpn
15:46 < lau> hello I am trying to push the client IP via the client-config-dir directive in server.conf
15:47 < lau> server 10.8.8.0 255.255.255.0
15:47 < lau> dev tun
15:48 -!- dollabill [~mike@97.66.26.10] has quit []
15:48 < lau> route 10.8.8.0 255.255.255.0
15:49 < lau> in ccd/client
15:49 < lau> ifconfig-push 10.8.8.1 10.8.8.2
15:49 < lau> iroute 10.8.8.0 255.255.255.255
15:50 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Ping timeout: 272 seconds]
15:50 < lau> but I still get the MULTI: bad source address from client [10.8.8.1]
15:50 < lau> if I remove the ifconfig-push 10.8.8.1 10.8.8.2 everything is ok
15:51 < lau> any idea ?
15:59 -!- Robuster [~crim@unaffiliated/robuster] has quit [Quit: 0]
16:06 < lau> ifconfig-push 10.8.8.2 10.8.8.1 (swapping the IPs) seems to work
16:06 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
16:11 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
16:18 -!- s7r [~s7r@89.39.174.74] has left #openvpn []
16:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
16:43 -!- powerunits [~aa@119.152.8.87] has joined #openvpn
16:43 < powerunits> guys i have enable client-to-client option on openvpn server.. 
16:44 < powerunits> now i can access other system as well.
16:44 < powerunits> but when to access them using any port it does not work..
16:44 < powerunits> why is that
16:44 < powerunits> any idea??
16:45 -!- NephFL [434e9576@gateway/web/freenode/ip.67.78.149.118] has joined #openvpn
16:45 < NephFL> hello
16:46 < NephFL> I want to connect a linux server to adito, should I also install openvpn or use an adito endpoint
16:48 < hyper_ch> what's adito?
16:54 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
16:55 < krzee> powerunits, firewall
16:55 -!- mrbrdo [~mrbrdo@89.212.77.221] has joined #openvpn
16:55 < mrbrdo> i am wondering, is it possible to enable/disable routing all traffic through openvpn on the windows gui client?
16:55 < krzee> and btw all --client-to-client did was bypass your server's firewall for traffic going between clients
16:55 < mrbrdo> or is this enabled/disabled only on the server
16:56 < krzee> mrbrdo, depends how you set it up
16:56 < krzee> you dont HAVE TO push it from the server
16:56 < mrbrdo> is there a nice guide for it that explains it?
16:56 < krzee> you can instead just put the command in the client config
16:56 < krzee> !push
16:56 <@vpnHelper> krzee: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
16:57 < mrbrdo> ok i will try it
16:57 < krzee> say hey jose
16:57 < krzee> oops wrong window
16:57 < mrbrdo> lol
16:58 < mrbrdo> krzee: so basically the commands i want are redirect-gateway and dhcp-option DNS gateway_ip ? and the gateway must also have a DNS server like bind9?
16:58 < krzee> what you said has nothing to do with dns
16:58 < krzee> but that is an option... for you to decide
16:59 < mrbrdo> aha so it doesn't matter how i setup DNS
16:59 < mrbrdo> then i just add redirect-gateway to the client config?
17:00 < krzee> dns *COULD* matter
17:00 < mrbrdo> can you explain what you mean
17:00 < krzee> if your prior NS will not accept queries from your server
17:00 < krzee> then it would ignore your NS lookups
17:00 < mrbrdo> prior?
17:00 < krzee> you can bypass that without openvpn by using
17:00 < krzee> the NS you use
17:00 < krzee> as in, without overwriting it using openvpn
17:01 < krzee> !opendns
17:01 <@vpnHelper> krzee: Error: "opendns" is not a valid command.
17:01 < krzee> !dns
17:01 <@vpnHelper> krzee: "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4
17:01 < mrbrdo> yeah i am using google DNS
17:01 < krzee> then you dont need to do anything re: dns
17:01 < mrbrdo> aha
17:01 < mrbrdo> so just append redirect-gateway to the config file?
17:02 < mrbrdo> i have the POSTROUTING rule in iptables also
17:02 < krzee> remove it from server config, add it to client config
17:02 < mrbrdo> yeah but do i need to use the push command in client config too, or just say redirect-gateway?
17:03 < krzee> see, most these questions wont exist if you read each command you use in the manual
17:03 < krzee> !push
17:03 <@vpnHelper> krzee: "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
17:03 < mrbrdo> ah :)
17:03 < mrbrdo> ok thanks
17:04 < mrbrdo> i will try it out
17:04 < krzee> if that is what push does... do you think you would need it still?
17:11 -!- powerunits [~aa@119.152.8.87] has quit []
17:20 -!- adac [~nutella@85-127-41-126.dynamic.xdsl-line.inode.at] has quit [Quit: Verlassend]
17:22 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
17:22 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
17:22 < mrbrdo> krzee: tried it... something weird is going on. when i add redirect-gateway to the config, i can still ping other computers on LAN (which i can't ping without connecting to openvpn first), but it cannot resolve any IP (i guess DNS issue). i can ping 8.8.8.8 fine... any idea? the "real internet" interface has google DNS' set
17:23 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 272 seconds]
17:23 < mrbrdo> resolve any domain name i meant
17:23 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
17:24 -!- pushpop [~marc@pool-173-77-222-236.nycmny.fios.verizon.net] has quit []
17:28 < krzee> try resolving a hostname, lol
17:28 < krzee> simple network troubleshooting man
17:28 < krzee> not very openvpn specific
17:36 -!- papas_son [~chatzilla@68-116-31-34.static.yakm.wa.charter.com] has joined #openvpn
17:36 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 250 seconds]
17:38 -!- pushpop [~marc@pool-173-77-222-236.nycmny.fios.verizon.net] has joined #openvpn
17:40 < Bushmills> mrbrdo: did you set up the openvpn server to operate as gateway to internet, other than just adding "redirect-gateway" to the config?
17:41 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:42 < krzee> http://bfads.net/NewEgg
17:42 <@vpnHelper> Title: NewEgg Black Friday Ad - The Official Black Friday Website (at bfads.net)
17:42 < krzee> nice sale at newegg tomorrow
17:42 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
17:42 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
17:42 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
17:45 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Client Quit]
17:50 < papas_son> Our internal network was on the 192.168.1.0/24 network and I could use the VPN just fine. Then we changed to the 10.10.10.0/24 network and the VPN stopped working even though I have a correct route in the client. Interestingly, I can get into a particular server from the client if I add a route on the server back to the client network. Any ideas on how I borked this?
17:52 < ecrist> !welcome
17:52 <@vpnHelper> ecrist: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:52 < papas_son> !route
17:53 <@vpnHelper> papas_son: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:53 < krzee> papas_son, 
17:53 < krzee> !route_outside_ovpn
17:53 <@vpnHelper> krzee: "route_outside_ovpn" is "route_outside_openvpn" is (#1) http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) you do not need this if the vpn node IS the gateway for its lan
17:53 < krzee> thats prolly what you broke
17:54 < papas_son> krzee: thanks!
17:55 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
17:56 < ecrist> !external_routes
17:56 <@vpnHelper> ecrist: Error: "external_routes" is not a valid command.
17:56 < ecrist> !learn external_routes as see !route_outside_openvpn
17:56 <@vpnHelper> ecrist: Joo got it.
17:57 < krzee> you can also just learn it as [route_outside_ovpn]
17:58 < ecrist> I know, but it doesn't update if I change route_outside_ovpn
17:58 < krzee> this is tru
17:58 < ecrist> I've been thinking about going through, finding those entries, and manually editing the database to support multiple keys/factoid
17:59 < ecrist> if I knew python, or gave a crap about learning it, I'd fix the bot to do the right thing.
17:59 < krzee> shouldnt be so hard... would be a key + the factoid it points to, when receiving one of those as the response it would do another lookup for the factoid that it points to
18:00 < krzee> but ya, i dunno python either
18:00 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
18:02 < ecrist> well, it's easy to do in the database, if you've seen the schema
18:02 < krzee> ahh even better
18:03 < ecrist> but it involves manual work right now.
18:03 < ecrist> though, there aren't *that* many updates to factoids
18:03 < krzee> possibly scriptable
18:03 < krzee> then it gets crontabbed, and booya
18:03 < ecrist> oh, not even possibly, anything is scritable.
18:03 < ecrist> we'd just need a convention so the script worked.
18:04 < ecrist> like, !learn foo as bar
18:04 < ecrist> where bar was the key for the linked factoid
18:04 < ecrist> exactly.
18:04 < krzee> currently, the only ones linked start with this:
18:04 < krzee> "route_outside_ovpn" is "route_outside_openvpn" is (#1)
18:05 < ecrist> I'll look at it tomorrow and get it done.
18:05 < krzee> otherwise it will never have "something" is "whatever" is
18:05 < ecrist> it's "Ultimate Fuck Off Week" afterall.
18:05 < krzee> and "whatever" is the factoid to return
18:05 < ecrist> right.
18:05 < krzee> oh right, lucky!
18:05 < krzee> no thanksgiving here
18:06 < ecrist> doh
18:06 < krzee> hell columbus marked the beginning of slavery for these people
18:06 < krzee> lol
18:06 < ecrist> any holiday which mandates eating tasty dead animals = win
18:16 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
18:20 < mrbrdo> Bushmills: yes it's set up that way
18:20 < mrbrdo> Bushmills routing is fine, just the DNS is the problem
18:20 < mrbrdo> because i can ping external IPs
18:21 < Bushmills> so you can ping 8.8.8.8?
18:21 < mrbrdo> yes
18:21 < mrbrdo> it's weird, nslookup works but ping says can't resolve
18:21 < mrbrdo> lol
18:21 < mrbrdo> e.g. nslookup www.google.com is ok but ping says it can't resolve
18:22 < mrbrdo> and my internet interface is set to use 8.8.8.8 as DNS, it works fine e.g. if i don't use redirect-gateway
18:30 < mrbrdo> using dhcp-option DNS 8.8.8.8 fixed it
18:32 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
18:37 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
18:42 -!- corretico [~corretico@201.201.44.82] has quit [Remote host closed the connection]
18:46 -!- mrbrdo [~mrbrdo@89.212.77.221] has quit [Ping timeout: 240 seconds]
19:38 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
19:39 < dogarrhea1> so is it push "redirect-gateway def1" or just redirect-gateway def1 or redirect-gateway def1 local or push "redirect-gateway def1 local"
19:44 < krzee> all of the above, depending on your goal
19:44 <@vpnHelper> RSS Update - forum: Server Administration :: Re: how does openvpn see the configuration files? :: Reply by bmj1474 <https://forums.openvpn.net/viewtopic.php?f=4&t=7312&p=8540#p8540>
19:49 -!- lau [~lau@unaffiliated/lau] has quit [Ping timeout: 240 seconds]
19:50 < ecrist> hrm
19:58 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
20:18 -!- takamichi [~pri@pm301-97-169.keyworld.net] has quit [Remote host closed the connection]
20:25 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
20:31 < dogarrhea1> hurray. adding redirect-gateway stuff locks me out of my server
20:31 <@vpnHelper> RSS Update - forum: Server Administration :: Re: bridging help :: Reply by bmj1474 <https://forums.openvpn.net/viewtopic.php?f=4&t=7247&p=8541#p8541>
20:39 < dogarrhea1> so.  the redirect-gateway functionality isn't working correct?
20:39 < dogarrhea1> it's in "beta" ?
20:47 < dogarrhea1> anyone know what  P_CONTROL_HARD_RESET_CLIENT_V2 is?
20:48 < dogarrhea1> i've tried configuring and adding the iptable stuff using eht0 tun1 tun0 and the redirect-gateway stuff
20:48 < dogarrhea1> but all i get is  P_CONTROL_HARD_RESET_CLIENT_V2 
20:51 < krzee> it works correctly when the user uses it correctly
20:51 < krzee> it is not a beta feature
20:52 < dogarrhea1> well. the documents are telling me to do something. I'm doing it. it doesn't work. are the docs incorrect?
20:52 < dogarrhea1> i can connect to the server without the push "redirect-gateway def1" thing in the server conf
20:52 < dogarrhea1> and i'm not over a wireless local network
20:53 < dogarrhea1> and i have tried eth0 tun0 tun1 for the masquerade thing and the server ip is 10.8.0.0 in the server.conf
20:53 < dogarrhea1> and dropping these rules after trying them out and i still get that error.
20:53 < dogarrhea1> what causes it?
20:53 < krzee> ild dig into it, but you seem to appear with problems every couple days... dont feel like it anymore
20:53 < krzee> maybe later
20:54 < dogarrhea1> mm hmmm
20:56 < dogarrhea1> oh. it IS not working with windows
20:56 < dogarrhea1> http://openvpn.net/index.php/open-source/faq/79-client/279-are-there-any-issues-related-to-pushing-dhcp-options-to-windows-clients.html  
20:56 <@vpnHelper> Title: Are there any issues related to pushing DHCP options to Windows clients? (at openvpn.net)
20:58 < krzee> thats not a dhcp option
20:59 < dogarrhea1> so the push "dhcp-option DNS 10.8.0.1" doesn't mean anything?
20:59 < krzee> well it has nothing to do with what you were talking about above
21:00 < dogarrhea1> the docs say there is something to do with it shortly after in the caveats section
21:04 < dogarrhea1> hrm there is also a thread somewhere that says it's related to UDP
21:07 -!- humanMeat [alex@199.48.243.235] has joined #openvpn
21:09 < humanMeat> hrm. another thread says something about an error in libcrypto. whatever that means
21:11 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Ping timeout: 265 seconds]
21:11 < humanMeat> yet another thread says it has something to do with the client: https://forums.openvpn.net/viewtopic.php?f=6&t=7004&p=7572
21:11 <@vpnHelper> Title: OpenVPN Support Forum View topic - Window 7 TLS issue (at forums.openvpn.net)
21:13 < humanMeat> it's too bad the "about" menu option shows a copyright from 2002-2005
21:13 < humanMeat> otherwise i might be able to check the version i'm using.
21:42 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
21:51 -!- pushpop [~marc@pool-173-77-222-236.nycmny.fios.verizon.net] has quit []
21:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
21:58 -!- havoc [~havoc@neptune.chaillet.net] has quit [Ping timeout: 240 seconds]
22:03 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
22:09 -!- havoc [~havoc@neptune.chaillet.net] has quit [Read error: Operation timed out]
22:14 < humanMeat> so the openvpn client is bugged?
22:23 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
22:25 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
22:28 -!- humanMeat [alex@199.48.243.235] has quit [Quit: Leaving]
22:56 -!- rcngeoff [~rcngeoff@p508A2CC0.dip.t-dialin.net] has joined #openvpn
22:59 -!- dogarrhea1 [alex@199.48.243.235] has joined #openvpn
22:59 < dogarrhea1> anyone know why i get client errors when i try to do redirect-gateway
23:53 < dogarrhea1> oh
23:53 < dogarrhea1> so it IS openvpn that's screwing up
23:53 < dogarrhea1> the client is seg faulting
23:58 -!- grapsus [~grapsus@acces1155.res.insa-lyon.fr] has quit [Read error: Operation timed out]
--- Day changed Wed Nov 24 2010
00:14 < hyper_ch> krzie: http://www.crypto.com/papers/rsa2011-blaze.pdf
00:21 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Read error: Connection reset by peer]
00:34 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
00:35 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
00:44 -!- dogarrhea1 [alex@199.48.243.235] has quit [Ping timeout: 255 seconds]
01:08 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
01:13 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
01:15 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:31 -!- hetii [~Grzegorz@194.181.154.25] has joined #openvpn
01:31 < hetii> Hello :>
01:31 < hetii> Q: How to block on localc cpn config routes that are pushed by server ?
01:32 < hetii> *local vpn
01:33 < hetii> .. and set static this one that i really need ?
01:36 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
01:38 < reiffert> hetii: route-noexec
01:38 < reiffert> hetii: route-up
01:43 < hetii> hmm thx :) but 
01:45 < hetii> first i had route-noexec 
01:45 < hetii> then
01:45 < hetii> something like
01:45 < hetii> route-up "route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.15.30.31" 
01:46 < reiffert> from the manpage:
01:46 < reiffert>        --route-up cmd
01:46 < reiffert>               Execute shell command cmd after routes are added, subject to --route-delay.
01:46 < hetii> and indead noexec don`t allow set routes from server but route up don`t add my one
01:46 < hetii> ok so i try add path to executable script
01:46 < reiffert> route-up "C:\doit.bat" or route-up /foo/bar.sh
01:47 < reiffert> afk
01:47 < hetii> i based on this howto http://wiki.mikrotik.com/wiki/OpenVPN and there was without additional scripe
01:47 < hetii> script
01:47 <@vpnHelper> Title: OpenVPN - MikroTik Wiki (at wiki.mikrotik.com)
01:50 < hetii> ok with external script works. Thx for helpo
01:50 < hetii> *helpo
01:50 < hetii> hmm ..
01:50 < hetii> Help :>
01:52 < krzie> or you can override the routes that it pushes to you
01:59 < hetii>  i need set this vpn channel as long as i find solution for other vpn chanell (its a pptp) that i had trouble :( 
02:00 < hetii> i got there 
02:00 < hetii> MPPE required, but MS-CHAP[v2] auth not performed.
02:00 < hetii> sent [LCP TermReq id=0xa "MPPE required but not available"]
02:01 < hetii> but no clue, what can be wrong :(
02:01 < krzie> https://forums.openvpn.net/viewtopic.php?f=15&t=7161&start=0
02:01 <@vpnHelper> Title: OpenVPN Support Forum View topic - Split tunnel tweaks? (at forums.openvpn.net)
02:01 < hetii> maybe the reason is that i use this account also in other server.
02:01 < krzie> dunno, openvpn has nothing to do with pptp
02:01 < hetii> but i quess is a talk for other channel :>
02:02 < krzie> but for overriding routes sent to you by the server
02:02 < krzie> see above forum post
02:02 < hetii> ok
02:02 < krzie> you can specificly route around anything the server is sending, just cant directly override
02:02 < krzie> most specific route wins, make something more specific
02:02 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
02:18 < krzie> !learn route_override as https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet
02:18 <@vpnHelper> krzie: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
02:18 < krzie> !learn route_override as https://forums.openvpn.net/viewtopic.php?f=15&t=7161 for how to override --redirect-gateway for a certain subnet
02:18 <@vpnHelper> krzie: Joo got it.
02:21 < hyper_ch> hi krzie
02:21 < krzie> hey hyper_ch =]
02:21 < hyper_ch> did you see the pdf?
02:21 < krzie> neg
02:22 < hyper_ch> krzie: http://www.crypto.com/papers/rsa2011-blaze.pdf  --> it's a gooe ppt presentation
02:22 < hyper_ch> it's even cryptography related
02:23 < krzie> lol
02:23 < hyper_ch> I guess somebody didn't even review the ppt before putting it online
02:30 -!- dazo_afk is now known as dazo
02:30 < krzie> thats comedy
02:33 < hyper_ch> krzie: hows my php/ajax script doing
02:34 < krzie> plan on loading it tonight
02:35 < hyper_ch> :)
02:35 < hyper_ch> did you make the html pretty?
02:36 < krzie> not yet, gunna get it loaded then start adding buttons for all sorts of things to control
02:36 < krzie> it will turn into the command station for all the stuff i build for them
02:37 < hyper_ch> just don't add a big red button
02:37 < krzie> stats and info, controlling apps, etc
02:37 < krzie> haha
02:37 < hyper_ch> people like to press those even if you label them "emergency only"
02:37 < hyper_ch> for different things you might even like tabs?
02:37 < krzie> i could add it and hook it into the say command in a osx machine
02:38 < krzie> so when you press it my speakers say something to them ;]
02:38 < krzie> "Jeff told you not to press that!"
02:38 < hyper_ch> :)
02:39 < krzie> i played something out my speakers with say this morning from home
02:39 < krzie> had people tripping out
02:39 < krzie> my empty desk had a computer talking shit to them
02:40 < hyper_ch> krzie: do you have carnivoral, four-legged, furry meowing-machines at home?
02:40 < krzie> only the girlfriend
02:40 -!- lau [~lau@che33-5-82-232-104-115.fbx.proxad.net] has joined #openvpn
02:40 < hyper_ch> girlfriends are expensive to maintain :)
02:40 -!- lau is now known as Guest97922
02:41 < hyper_ch> the other day I was looking at some stuff on youtube and in one clip a cat just meowed all the time
02:41 < hyper_ch> two of my three furballs immediately came to check who that intruder is :)
02:41 < hyper_ch> they were looking for quite some time for an intruder until they lost interest
02:41 < krzie> the cat was giving out orders for feline domination
02:41 < krzie> you fell right into his trap
02:42 < hyper_ch> :)
02:42 < krzie> thats how they spread the message!
02:42 -!- boswarrior1 [~mrnice@78.142.173.114] has joined #openvpn
02:42 < hyper_ch> someone watches Futurama?
02:42 < krzie> havnt in a long time
02:42 < hyper_ch> oih ok :)
02:43 < krzie> i dont have cable, but i see it when im visiting usa (at friends houses)
02:44 < hyper_ch> krzie: japan's best known cat http://www.youtube.com/watch?v=xdhLQCYQ-nQ&feature=related
02:44 <@vpnHelper> Title: YouTube - 大きな箱とねこ。 (at www.youtube.com)
02:52 -!- hetii [~Grzegorz@194.181.154.25] has quit [Quit: Leaving]
02:55 -!- sonicman_ [~admin@h18.9.89.75.dynamic.ip.windstream.net] has joined #openvpn
02:57 -!- sonicman [~admin@periwinkle.feralhosting.com] has quit [Ping timeout: 245 seconds]
02:57 -!- sonicman_ is now known as sonicman
03:03 -!- sonicman [~admin@h18.9.89.75.dynamic.ip.windstream.net] has quit [Ping timeout: 240 seconds]
03:04 -!- sonicman [~admin@periwinkle.feralhosting.com] has joined #openvpn
03:10 -!- Guest97922 [~lau@che33-5-82-232-104-115.fbx.proxad.net] has quit [Read error: Operation timed out]
03:10 -!- sonicman_ [~admin@h18.9.89.75.dynamic.ip.windstream.net] has joined #openvpn
03:11 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 245 seconds]
03:12 -!- sonicman [~admin@periwinkle.feralhosting.com] has quit [Ping timeout: 245 seconds]
03:12 -!- sonicman_ is now known as sonicman
03:15 -!- luneff [~yury@84.51.198.114] has quit [Quit: Leaving]
03:22 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
03:25 -!- sonicman [~admin@h18.9.89.75.dynamic.ip.windstream.net] has quit [Ping timeout: 255 seconds]
03:31 -!- sonicman [~admin@periwinkle.feralhosting.com] has joined #openvpn
03:36 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
03:46 -!- master_of_master [~master_of@p57B56E36.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
03:48 -!- master_of_master [~master_of@p57B53930.dip.t-dialin.net] has joined #openvpn
03:49 -!- grapsus [~grapsus@acces1155.res.insa-lyon.fr] has joined #openvpn
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
04:03 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
04:26 -!- corretico [~corretico@201.201.44.82] has quit [Remote host closed the connection]
05:01 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:02 -!- GUIpsp [GUIpsp@a81-84-62-149.cpe.netcabo.pt] has joined #openvpn
05:03 -!- GUIpsp [GUIpsp@a81-84-62-149.cpe.netcabo.pt] has left #openvpn []
05:07 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
05:11 -!- toortog [nesm6@notsecure.net] has quit [Ping timeout: 255 seconds]
05:14 -!- toortog [~nesm6@c-75-69-152-214.hsd1.nh.comcast.net] has joined #openvpn
05:32 -!- _toortog [nesm6@notsecure.net] has joined #openvpn
05:43 -!- _toortog [nesm6@notsecure.net] has quit [Ping timeout: 255 seconds]
05:59 -!- Columbo0815 [~root@p54AD9E55.dip.t-dialin.net] has joined #openvpn
06:00 < Columbo0815> hi, i have a running openvpn-server and 2 ISP. the default gateway on the host (openvpn-server) is ISP1. i want to say openvpn-server "--use-different-ISP"
06:01 < Columbo0815> how can i solve this?
06:01 < Columbo0815> the default-gateway must be ISP1. openvpn must use ISP2
06:09 -!- zoobab [zoobab@vic.ffii.org] has quit [Ping timeout: 265 seconds]
06:19 -!- zoobab [zoobab@vic.ffii.org] has joined #openvpn
06:19 <@dazo> Columbo0815: use --listen ... that tells openvpn which IP address (interface) to listen to
06:21 < Columbo0815> ok. i can create a pseudointerface (the server only have 1 interface). but:
06:22 <@dazo> a pseudo interface sounds wrong
06:23 < Columbo0815> the client request from ISP2. the openvpnserver sees the external IP from the client and sends the answers through standardgateway (ISP1) -> doesnt work
06:23 < Columbo0815> i think it doesnt work with a real intreerface, too
06:23 <@dazo> aha!  --multihome is then one option to check out ... otherwise, you also need to look at firewall settings
06:24 < Columbo0815> multihome? ok.. i read the manpage
06:25 <@dazo> in Linux, f.ex. you can have a -t nat POSTROUTING rule which sends traffic from out from a specific IP address, using -j SNAT --to <ip address>
06:25 < Columbo0815> only  relevant for UDP servers and currently is only implemented on Linux.
06:25 < Columbo0815> i have freebsd :(
06:25 -!- zoobab [zoobab@vic.ffii.org] has quit [Read error: Operation timed out]
06:28 < Bushmills> Columbo0815: set a host route to vpn server, using isp2
06:28 < Columbo0815> ok.. i suppose the firewall (here pf) is the possibilitiy
06:29 < Columbo0815> Bushmills: i think this isnt possible.
06:29 < Columbo0815> only VPN should use IPS2. 
06:29 < Columbo0815> the other traffic shoutld use ISP1
06:31 -!- _toortog [nesm6@notsecure.net] has joined #openvpn
06:31 < Columbo0815> dazo: the clients have changing IP addresses. so i dont know the specific IP
06:31 < Bushmills> have an alternative ip address on vpn server machine. bind vpn server to that one.  set a host route to that ip address, using gateway of isp2
06:32 < Columbo0815> host route = standard gateway?
06:32 < Bushmills> pardon?
06:33 < Columbo0815> set a host route to that ip <-- host route = default router?
06:33 -!- zoobab [zoobab@vic.ffii.org] has joined #openvpn
06:33 < Bushmills> "that ip" = "alternative ip address on vpn server machine"
06:34 < Columbo0815> ok.. my english is too bad (sorry). example:
06:35 < Columbo0815> IP1 on server: 10.1.0.2 (default router on server: 10.1.0.1)
06:35 < Columbo0815> IP2 on server: 10.1.0.3 (ISP2 is 10.1.0.4)
06:35 < Columbo0815> 10.1.0.1 is ISP1
06:35 -!- rcngeoff_ [~rcngeoff@p508A3557.dip.t-dialin.net] has joined #openvpn
06:36 < Columbo0815> all clients that are connecting have changing IPs
06:37 < Columbo0815> i cant add a static route for the client-IPs
06:37 < Bushmills> hm - i understood that *client* has two providers, intention to use one for vpn exclusively.
06:37 -!- rcngeoff [~rcngeoff@p508A2CC0.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
06:38 < Columbo0815> no. *server* have two providers. one fast provider and one slow
06:38 < Columbo0815> VPN should use fast provider.
06:38 < Columbo0815> squid (http) should use slow provider
06:40 < cpm> yeah, but in the real world, like the on in which we live, folks want shiny shiny now now, meaning put the http proxy on the fast leg, and slow/fast are relative terms, what is the real bandwidth? 
06:41 < cpm> been running our vpn (and dns, incoming smtp) on our 3mbit leg, and everything else is on our 10mbit leg here. 
06:45 < Columbo0815> fast ist 2mbit up/down
06:45 < Columbo0815> slow is 3mbit down/512kbit up
06:45 < Columbo0815> fast is expensive (no flatrate), slow is flatrate
06:45 < kisom> 2 mbps is not that fast... :)
06:46 < Columbo0815> thank you very much... ;-P 
06:46 < Columbo0815> its the fastest i get here
06:46 < kisom> where do you live?
06:46 < Columbo0815> the speed says: in the rainforrest
06:46 < kisom> we get 100 mbps in most apartments over here, about $30 a month for flatrate
06:47 < kisom> ah, fair enough :)
06:47 < Columbo0815> ... WTF. 2mbit up/down: 200 $
06:47 < Columbo0815> 2 GB traffic included
06:47 < Columbo0815> welcome in the jungle
06:47 < kisom> hehe, got a server on 1 gbps at my buddys house tho :)
06:48 < Columbo0815> so.. back to my problem ;)
06:48 < kisom> right
06:48 < kisom> let me check the backlog
06:55 < ecrist> sup d00ds?
06:56 < ecrist> Columbo0815: freebsd can do what you want.
06:56 < |Mike|> doing some colorfull things here ecrist
06:56 -!- derik [~derik@unaffiliated/derik] has joined #openvpn
06:56 < ecrist> lol
06:56 < derik> how much ram use openvpn ?
06:56 < ecrist> depends on how many connections.
06:56 < |Mike|> derik: depends on your crypto and connections
06:56 < derik> 1 conections
06:57 < Rienzilla> not much :-)
06:58 < ecrist> derik: my server, with 6 active connections in bridged mode uses 6344K
06:58 < Columbo0815> ecrist: yes? how can i do this?
06:59 -!- angel-tsankov [~angel@212.73.151.246] has joined #openvpn
06:59 < ecrist> Columbo0815: within pf
06:59 < ecrist> let me get an example rule
07:00 < angel-tsankov> can I pass the openvpn client a private key password via file
07:00 < Columbo0815> ok. pf is good! ipfw doesnt support "fwd" with generic kernel
07:00 < ecrist> well, in pf you're going to want to use route-to I think.
07:01 < ecrist> what version of freebsd are you using?
07:01 < Columbo0815> 8.1
07:01 < ecrist> perfect
07:01 < Columbo0815> :-D
07:01 < ecrist> I have a better solution for you.
07:01 -!- angel-tsankov [~angel@212.73.151.246] has left #openvpn []
07:02 < ecrist> we have a script we use, internally, I can make available to you.  It's a perl script which uses multiple routing tables and switches default gateway based on which connection is active and functional.
07:02 < ecrist> that's what we do now
07:02 < ecrist> I don't remember the route-to we used to use, those are a bit more obtuse.
07:02 -!- angel-tsankov [~angel@212.73.151.246] has joined #openvpn
07:02 < angel-tsankov> what is a management channel
07:03 < ecrist> to use mfib, Columbo0815, you'll need to compile in the options to your kernel.
07:03 < ecrist> angel-tsankov: what do you mean?
07:04 < Columbo0815> if mfib isnt in GENERIC, i cant use it. :(
07:05 < Columbo0815> so maybe route-to is the solution
07:05 < angel-tsankov> ecrist: I have to enter a private key password in order to connecto to an OpenVPN server; however, I'd rather not enter this password manually every time I connect to the server
07:06 < Columbo0815> the manpage of pf (route-to) sounds good
07:08 < ecrist> then there you go.
07:08 < ecrist> mfib is not in generic
07:09 < ecrist> why can't you compile a new kernel?
07:11 < ecrist> angel-tsankov: then why did you put a password on the private key?
07:11 < ecrist> it's possible to create private keys without a password.
07:14 < angel-tsankov> ecrist: I do not understand you; in order to connect to an OpenVPN server I have to provide an auth username, an auth password, and a private key password; I can put the auth username and the auth password in a file, but do I have to enter the private key password manually every time?
07:22 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
07:27 < ecrist> yes
07:27 < ecrist> unless you have a key that does not use a password.
07:27 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
07:28 < Columbo0815> ecrist: this is a "longer" story, why i have to use GENERIC... :)
07:28 < Columbo0815> so.. i check route-to. :)
07:28 < ecrist> maybe "echo 'mypassphrase' | openvpn --config <config>"
07:28 < Columbo0815> many thanx to all of you!
07:28 < ecrist> route-to is the right thing, Columbo0815 
07:28 < Columbo0815> but pf isnt "my thing" ;)
07:29 < ecrist> start using it, you'll quickly become a fan.
07:31 < |Mike|> haha
07:31 < |Mike|> won't work on teh lunix 
07:32 -!- angel-tsankov [~angel@212.73.151.246] has left #openvpn []
07:44 -!- derik [~derik@unaffiliated/derik] has quit [Quit: Good bye]
07:58 < ecrist> krzee: the factoids db is keys inversely to what I was thinking yesterday
08:00 < ecrist> I'd have to re-code the bot to make it work right.
08:01 < ecrist> or, write a script like I described before.
08:04 -!- rcngeoff_ [~rcngeoff@p508A3557.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
08:06 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
08:11 -!- s7r [~s7r@89.39.174.74] has joined #openvpn
08:15 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 260 seconds]
08:16 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
08:38 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
08:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
08:55 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
08:57 -!- Lenhix [~lenhix@static-adsl201-232-118-160.epm.net.co] has joined #openvpn
09:01 < Lenhix> Hello. I think once I was configuring an OpenVPN server and read an article about why it is/could be bad to encapsulate TCP over TCP. I haven't been able to find it in Google and thought some guru here knew/bookmarked it
09:05 < ecrist> !tcp
09:05 <@vpnHelper> ecrist: "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
09:06 < ecrist> glad to help. :)
09:08 < ecrist> Lenhix: ^^^ that's for you
09:09 < Lenhix> thx ecrist :)
09:10 -!- Lenhix [~lenhix@static-adsl201-232-118-160.epm.net.co] has left #openvpn []
09:14 -!- rcngeoff_ [~rcngeoff@p508A3557.dip.t-dialin.net] has joined #openvpn
09:14 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has joined #openvpn
09:21 -!- Netsplit *.net <-> *.split quits: Gokee2, kraut, krzie, derekv, buntfalke, k4r4mb4
09:21 -!- NephFL [434e9576@gateway/web/freenode/ip.67.78.149.118] has quit [Ping timeout: 265 seconds]
09:24 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has quit [Read error: Connection reset by peer]
09:24 -!- Netsplit over, joins: krzie, buntfalke, kraut, Gokee2, derekv, k4r4mb4
09:29 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Read error: Connection reset by peer]
09:36 < Columbo0815> exit
09:36 -!- Columbo0815 [~root@p54AD9E55.dip.t-dialin.net] has quit [Quit: leaving]
09:45 -!- kerfe [~a@66.pool85-60-140.dynamic.orange.es] has joined #openvpn
09:47 -!- krzie [~k@openvpn/community/support/krzee] has quit [Remote host closed the connection]
09:49 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
09:51 -!- NephFL [434e9576@gateway/web/freenode/ip.67.78.149.118] has joined #openvpn
09:52 < NephFL> hello, I'm trying to figure out how to get a vpn between an adito server and a linux(non-gui) box, should i use openvpn or an adito endpoint?
09:57 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Read error: Operation timed out]
09:58 < NephFL> anyone here?
10:01 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:19 -!- sonicman [~admin@periwinkle.feralhosting.com] has quit [Ping timeout: 240 seconds]
10:19 < ecrist> yeah, people are here.
10:19 < ecrist> you just have to be more patient than 6 minutes. :)
10:19 < ecrist> I have no idea what adito is
10:22 < NephFL> adito is openvpn ALS
10:23 < ecrist> ALS?
10:24 < ecrist> no idea, we don't support that in this channel
10:24 < ecrist> I'd suggest using openvpn between the two boxes.  we can help with that.
10:25 < NephFL> I need a clientless frontend
10:25 < ecrist> I don't know what that means
10:26 < NephFL> adito/openvpnALS allows someone to go to a webpage and log in and click on an internal website and view it, it will also create an ssl tunnel for other applications
10:26 < NephFL> similar to logmein
10:26 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
10:27 < NephFL> i think some of that functionality is part of the pay versions of openvpn...but i need an opensource/free equivalent
10:27 < ecrist> ah, openvpn doesn't do that
10:27 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 255 seconds]
10:27 < NephFL> openvpnALS does
10:27 < ecrist> the pay version doesn't either, right now.
10:27 < ecrist> ok, this isn't #openvpnALS though
10:28 < ecrist> sounds to me as though they're abusing openvpn's popularity
10:28 < NephFL> just going to a place that might have tried that application
10:28 < ecrist> !als
10:28 <@vpnHelper> ecrist: Error: "als" is not a valid command.
10:28 < ecrist> !openvpnals
10:28 < NephFL> no, it was adito, then the project was taken over by openvpn
10:28 <@vpnHelper> ecrist: Error: "openvpnals" is not a valid command.
10:28 < ecrist> hrm
10:28 < ecrist> I'm pretty heavily involved.  I'd have thought I'd known about it
10:29 < NephFL> some sites say that openvpn has decided to abandon it because they can't monetize it
10:29 < NephFL> they want to instead have their own closed product
10:30 < ecrist> sounds like incorrect speculation
10:30 < NephFL> surprised everyone hasnt tried adito though, since it seems it would be a popular functionality to want
10:30 < ecrist> OpenVPN Technologies, Inc owns OpenVPN, and was founded by the folks that started openvpn
10:31 < ecrist> they currently support and work on the open source solution, as well as their closed-source product.
10:31 < ecrist> most of the development for openvpn is done by the community, though.
10:31 < ecrist> openvpnALS is not part of openvpn project
10:31 < ecrist> I assure you of this
10:32 < ecrist> looking at their page, they *really* look like they're trying to rake in traffic from openvpn users.
10:34 -!- grapsus [~grapsus@acces1155.res.insa-lyon.fr] has quit [Ping timeout: 252 seconds]
10:35 < NephFL> any idea why that functionality wouldnt be popular?
10:37 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
10:43 < NephFL> or know of another similar project?
10:43 -!- septiq [~septiq@93.19.114.177] has joined #openvpn
10:44 < ecrist> NephFL: no, I know of nothing similar.
10:47 <@dazo> ecrist: ALS is how mattock got involved into openvpn ... it was a little attempt to merge it into openvpn ... and then openvpn decided to close down als
10:48 <@dazo> (openvpn in this context is the OpenVPN Tech. company)
10:52 < NephFL> would have been a really cool product
10:54 < ecrist> ahh
11:01 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
11:02 -!- sonicman [~admin@h7.3.89.75.dynamic.ip.windstream.net] has joined #openvpn
11:02 -!- Mkools [~mukul@117.196.217.101] has joined #openvpn
11:06 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
11:07 -!- boswarrior1 [~mrnice@78.142.173.114] has quit [Quit: Ex-Chat]
11:17 -!- Freeaqingme| [~dolf@dsl-083-247-011-232.solcon.nl] has joined #openvpn
11:17 < Freeaqingme|> !welcome
11:17 <@vpnHelper> Freeaqingme|: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:18 < ecrist> Freeaqingme| wins a prize for reading /topic.
11:18 < Freeaqingme|> \o/ ty :D
11:18 < Freeaqingme|> Hi. I already log in with a public/private key, does anybody have a nice link on how to use those when setting up openvpn?
11:18 < ecrist> what do you mean?
11:19 < ecrist> are you talking about ssh pub/priv keys?
11:19 < Freeaqingme|> uhu
11:19 < ecrist> they're completely different
11:19 < Freeaqingme|> okay. that's what I wondered about
11:19 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 250 seconds]
11:20 < Freeaqingme|> ecrist, tnx
11:20 < ecrist> np
11:23 -!- grapsus [~grapsus@acces1155.res.insa-lyon.fr] has joined #openvpn
11:25 < Mkools> Freeaqingme|: Are you building openvpn
11:25 < Freeaqingme|> just installing it from ubuntu's repository. Why?
11:25 -!- dazo is now known as dazo_afk
11:27 < Mkools> Freeaqingme|: I am building one using quick start how to. 
11:27 < Mkools> So if our problem is same we can share our problems to reach to a solution.
11:28 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 252 seconds]
11:28 < Freeaqingme|> I'm not having a particular problem, I was merely wondering if I could use my ssh keys with openvpn as well
11:29 < Mkools> have configured the server?
11:32 < ecrist> Mkools: Freeaqingme|'s question was answered
11:35 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 265 seconds]
11:43 < Mkools> ecrist: Yesterday you said you should not use --server and --secret together means that server should be configured on one machine and key should be kept on another?
11:44 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
11:55 < ecrist> no
11:55 < ecrist> when you're using static keys, neither one is actually a server, they're both clients
11:55 < ecrist> they both need the same key, as well
11:59 -!- grapsus [~grapsus@acces1155.res.insa-lyon.fr] has quit [Quit: Quitte]
11:59 < Mkools> ecrist: If both are clients then who is serving there requests? Any further directions
11:59 < ecrist> serving what requests?
12:00 < Mkools> ecrist: Means there is a openvpn server who serves it's clients. Isn't it?
12:00 < ecrist> with static keys, you can only have two machines in the vpn
12:00 < ecrist> we told you that earlier this week.
12:01 < Mkools> ecrist : Yeah I have read this in manual.
12:02 < Mkools> so any more direction on solving my problem.
12:02 < ecrist> so, there are no 'requests' to serve in your situation.
12:02 < ecrist> I don't know what your current problem is
12:05 < Mkools> ecrist: My problem is that when I run the openvpn script it gives this log message in which it suggest option error and use of SSL/TLS keys. How sort it out?
12:05 < ecrist> post the error, please
12:06 < Mkools> ecrist: Options error: --server and --secret cannot be used together (you must use SSL/TLS keys)
12:06 < Mkools> Use --help for more information.
12:06 < ecrist> how much more clear can that be
12:06 < ecrist> are you going to use static keys, or SSL certificates?
12:06 < Mkools> static keys, first
12:07 < ecrist> then remove the --server option from your config
12:07 < ecrist> I told you that the other day
12:08 < Mkools> ecrist: I have scanned my server.conf file two times but I am not able to locate this option. Please any help if possible.
12:08 < ecrist> paste your config
12:09 < ecrist> !pb
12:09 <@vpnHelper> ecrist: "pb" is Use our pastebin to post configs and logs at http://openvpn.pastebin.ca rather than posting to the channel.
12:10 -!- Freeaqingme| [~dolf@dsl-083-247-011-232.solcon.nl] has quit [Quit: Leaving]
12:12 < Mkools> http://openvpn.pastebin.ca/2001159
12:12 < ecrist> line 98
12:13 < Mkools> ecrist: gotccha, then what is secret option in this file?
12:13 < ecrist> line 55
12:14 < Mkools> ecrist: thanks
12:16 <@vpnHelper> RSS Update - pastebin: server.conf <http://pastebin.ca/2001159>
12:21 < Mkools> ecrist: Another error: Options error: --ifconfig-pool/--ifconfig-pool-persist requires --mode server
12:21 < Mkools> Use --help for more information.
12:22 < Mkools> is it due to line 105
12:22 < ecrist> Mkools: read the documentation, please
12:22 < Mkools> ecrist: No prob. Thanks, for your patience. 
12:24 < Mkools> ecrist: Hey, my server started. How to check it works.
12:29 < Mkools> I know bridging connection is required for playing games. But if my server is working correctly can I play a game with my single friend 
12:30 -!- Mkools [~mukul@117.196.217.101] has quit [Quit: Leaving]
12:33 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
12:40 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
12:46 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
12:46 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 240 seconds]
12:48 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
12:55 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
12:58 -!- zoobab [zoobab@vic.ffii.org] has quit [Read error: Operation timed out]
12:59 -!- zoobab [zoobab@vic.ffii.org] has joined #openvpn
13:04 -!- zoobab [zoobab@vic.ffii.org] has quit [Ping timeout: 240 seconds]
13:04 -!- zoobab [zoobab@vic.ffii.org] has joined #openvpn
13:16 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
13:25 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 265 seconds]
13:41 -!- atan [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
13:41 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
13:44 -!- septiq [~septiq@93.19.114.177] has quit [Ping timeout: 252 seconds]
13:49 -!- luneff [~yury@84.51.198.114] has joined #openvpn
13:50 -!- p3rror [~mezgani@41.140.97.121] has quit [Ping timeout: 245 seconds]
14:06 -!- p3rror [~mezgani@41.248.187.216] has joined #openvpn
14:12 <@vpnHelper> RSS Update - forum: Server Administration :: Help setting up OpenVPN.... :: Author robmypro <https://forums.openvpn.net/viewtopic.php?f=4&t=7316&p=8542#p8542>
14:43 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
14:43 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
14:43 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
14:47 -!- luneff [~yury@84.51.198.114] has quit [Read error: Connection reset by peer]
14:48 -!- luneff [~yury@84.51.198.114] has joined #openvpn
14:52 -!- bitterman [~yury@84.51.198.114] has joined #openvpn
14:55 -!- luneff [~yury@84.51.198.114] has quit [Ping timeout: 240 seconds]
14:59 -!- rcngeoff_ [~rcngeoff@p508A3557.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
15:00 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
15:06 -!- bitterman [~yury@84.51.198.114] has quit [Read error: Connection reset by peer]
15:06 -!- bitterman [~yury@84.51.198.114] has joined #openvpn
15:08 -!- darth_bitterman [~yury@84.51.198.114] has joined #openvpn
15:10 -!- luneff [~yury@84.51.198.114] has joined #openvpn
15:10 -!- luneff [~yury@84.51.198.114] has quit [Read error: No route to host]
15:11 -!- luneff [~yury@84.51.198.114] has joined #openvpn
15:11 -!- bitterman [~yury@84.51.198.114] has quit [Ping timeout: 245 seconds]
15:12 -!- darth_bitterman [~yury@84.51.198.114] has quit [Ping timeout: 265 seconds]
15:30 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
15:36 -!- tuxx_ [~sometinel@81.95.4.163] has left #openvpn []
15:41 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
15:45 < hyper_ch> anyone here?
15:47 -!- Riiiis [~Kosmo@82.211.197.216] has joined #openvpn
15:48 < Riiiis> !welcome
15:48 <@vpnHelper> Riiiis: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:48 < Riiiis> !goal
15:48 <@vpnHelper> Riiiis: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:49 < krzee> hyper_ch, yes now
15:49 < Riiiis> !route
15:49 <@vpnHelper> Riiiis: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:49 < hyper_ch> weird, ubuntu.com and kubuntu.org aren't working for me
15:49 < Riiiis> works here
15:49 < hyper_ch> what ip does kubuntu.org resolve to?
15:49 < hyper_ch> PING kubuntu.org (91.189.94.156) 56(84) bytes of data.
15:50 < Riiiis> 64 bytes from vostok.canonical.com (91.189.94.156): icmp_req=1 ttl=48 time=23.1 ms
15:50 < krzee> works for me
15:50 < hyper_ch> not here :(
15:50 < krzee> ubuntu.com has address 91.189.94.156
15:51 < hyper_ch> kubuntu.org ist also hosted by canonical IIRC
15:51 < krzee> you may have a bad route, try tunneling
15:51 < Riiiis> if i want to connect from the interwebz to a server and be connected to the lan behind it, should i then read the ! route article ?
15:51 < krzee> !serverlan
15:51 <@vpnHelper> krzee: "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
15:52 < krzee>  but !route is good for understanding the commands
15:52 < Riiiis> okay, thanks !
15:52 < krzee> np
15:52 < hyper_ch> downloading the iso to my server
15:54 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
15:54 < Riiiis> hmmm could someone please check the link in ! route ?
15:54 < Riiiis> my firefox says that its a reported attack page... ??
15:55 -!- toortog [~nesm6@c-75-69-152-214.hsd1.nh.comcast.net] has quit [Quit: ircN 8.00 for mIRC (20100904) - www.ircN.org]
15:55 < krzee> whaaaa
15:55 < krzee> hey ecrist 
15:55 < Bushmills> yes, that way we gain access to user machines
15:55 < Riiiis> or rather, the links on it ..
15:55 < Riiiis> hehe .....
15:55 < krzee> and i cant login
15:56 -!- _toortog is now known as toortog
15:56 < krzee> ignore the page for now... something happened
15:56 < krzee> not sure what, gotta talk to ecrist 
15:57 < krzee> Riiiis, is your server the router for its LAN?
15:57 < Riiiis> ok
15:57 < Riiiis> no, its just on a priviledged port on the dedicated router
15:57 < krzee> ok
15:58 < krzee> so you need to do 3 things
15:58 < Riiiis> ok
15:58 < krzee> on the server, enable ip forwarding
15:58 < krzee> what is the LAN the server sits on?
15:58 < krzee> what subnet
15:58 < reiffert> my subnet.
15:58 < Riiiis> 192.200.200
15:58 < krzee> ok, so on the server config put this
15:58 < reiffert> nah, his subnet.
15:58 < krzee> errr what
15:59 < krzee> thats not a 1918 subnet
15:59 < krzee> !1918
15:59 <@vpnHelper> krzee: "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, adn 192.168.0.0/16, or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html
15:59 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Ping timeout: 276 seconds]
15:59 < krzee> you mean 192.168.200.x or 10.200.200.x?
15:59 -!- dogarrhea1 [alex@199.48.243.204] has joined #openvpn
15:59 < Riiiis> i meant 192.200.200.x but maybe we should change that ;-)
16:00 < Riiiis> * i should
16:00 < krzee> hah ya you should
16:00 < krzee> so lets say you make it 10.200.200.x
16:00 < Riiiis> yeah
16:00 < dogarrhea1> anyone knwo what a READ [0] from [undef]: DATA UNDEF len=-1 means?
16:00 < krzee> in the server config, add this.  push "route 10.200.200.0 255.255.255.0"
16:00 < reiffert> dogarrhea1: see man 2 read
16:01 < dogarrhea1> man 2 read?
16:01 < krzee> reiffert, no use, he doesnt read docs :-p
16:01 < krzee> Riiiis, what is your VPN subnet?
16:01 -!- luneff [~yury@84.51.198.114] has quit [Quit: Leaving]
16:01 < krzee> the option in server config after the word server
16:01 < reiffert> dogarrhea1: basically it means: a systemcall named 'read' was 'reading' "nothing" from an unknown filedescrptor, wie unknown length.
16:01 < Riiiis> krzee, i havent got one yet..
16:02 < reiffert> wie = with
16:02 < dogarrhea1> reiffert, how can i make openvpn client stop trying to do that on windows7
16:02 < Riiiis> krzee, if you can just give me the overall setup i need to do, then i can probably figure out the specifics my self 
16:02 < reiffert> dogarrhea1: listen to what krzee tells you.
16:02 < krzee> reiffert, nah i dont tell him anything anymore... gave up on him
16:02 < krzee> hes a waste of time
16:03 < krzee> Riiiis, ok, the other thing to do is to add a route to your VPN subnet on the router in the server lan, telling it that the subnet lies behind the LAN ip of the vpn server
16:05 -!- luneff [~yury@84.51.198.114] has joined #openvpn
16:05 < dogarrhea1> not my fault the docs tell me to do something and i get errors for following them to the letter..
16:06 < Riiiis> ok (i really should learn about networks and routes, i always get REALLY confused)
16:06 < krzee> they work for everyone else, but ya they must be wrong since you cant figure it out
16:07 < dogarrhea1> they don't work for everyone else.  That is a broad general statement. I know people who have tried opnevpn and the docs don't work for them. so your statement is wrong?
16:07 < Riiiis> krzee, you said three things ? :-)
16:08 < dogarrhea1> and from looking at all these google queries with unanswered threads, i'd say a lot of people have trouble with using openvpn.
16:09 < Bushmills> usually, people find that they skipped something, when the docs didn't work out for them.
16:09 -!- luneff [~yury@84.51.198.114] has quit [Client Quit]
16:10 < krzee> route on lan router, ipconfig enabled on the server, push route in openvpn config
16:10 < krzee> the only part that is openvpn is pushing the route
16:10 < dogarrhea1> bushmills.  I don't get how you can skip adding redirect-gateway and ip masquerading and pushing dhcp
16:10 < Bushmills> but there's also windows which is sometimes a bit ... peculiar
16:10 < krzee> !windows
16:10 <@vpnHelper> krzee: "windows" is (#1) pcs are like air conditioners, they work fine unless you open windows, or (#2) http://secure-computing.net/files/windows.jpg, or (#3) also, http://secure-computing.net/files/windows_2.jpg
16:10 < Bushmills> like with ...
16:10 < Bushmills> !winroute
16:10 <@vpnHelper> Bushmills: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
16:11 < Riiiis> krzee, ok, ill see if can figure it out :-)
16:11 < Riiiis> thanks
16:11 < krzee> np
16:13 < reiffert> dogarrhea1: I guess that your read -1 unkown 0 messages comes from debug level 300?
16:14 < reiffert> dogarrhea1: how about putting that level to 3, restart your openvpn stuff again, bring on !logs and !configs and then I'll have a look into this?
16:15 < dogarrhea1> ok.
16:15 < dogarrhea1> !paste
16:15 <@vpnHelper> dogarrhea1: "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
16:18 < dogarrhea1> http://pastebin.ca/2001429
16:18 < dogarrhea1>  log of the client
16:19 < dogarrhea1> http://pastebin.ca/2001431 .ovpn client file
16:20 < reiffert> #
16:20 < reiffert> Wed Nov 24 14:15:29 2010 TLS Error: TLS handshake failed
16:20 < dogarrhea1> hrm. push-redirect gateway locks me out of the server. brb lish
16:21 < Bushmills> seems that redirect-gateway has some effect, after all
16:22 < reiffert> how can it have an effect, when the TLS handshake fails?
16:22 -!- papas_son_ [~chatzilla@68-116-31-34.static.yakm.wa.charter.com] has joined #openvpn
16:22 < Bushmills> does it?
16:23 < dogarrhea1> it has a negative effect heh
16:23 < dogarrhea1> i can ping 10.xxx.xxx.xxx without the redirect gateway option
16:23  * Bushmills applauds
16:23 < reiffert> dogarrhea1: the logs you were pasting: I cant see a successful connection.
16:23 -!- papas_son [~chatzilla@68-116-31-34.static.yakm.wa.charter.com] has quit [Ping timeout: 245 seconds]
16:23 <@vpnHelper> RSS Update - forum: Configuration :: Push Route doesn't work, but route add does :: Author BillyBuerger <https://forums.openvpn.net/viewtopic.php?f=6&t=7317&p=8543#p8543>
16:24 -!- papas_son_ is now known as papas_son
16:24 < dogarrhea1> reiffert, it only succeeds when i take out the redirect-gateway thing
16:24 < reiffert> dogarrhea1: let's start over.
16:24 < reiffert> dogarrhea1: paste !logs and !configs from a working situation.
16:26 -!- luneff [~yury@84.51.198.114] has joined #openvpn
16:27 -!- dogmeat [~Bob@unaffiliated/dogmeat] has quit [Quit: Leaving]
16:27 < dogarrhea1> ok brb reconfiguring
16:28 < reiffert> krzee: hey, please help me!!! - Ok, gimme all you got.. - IT DOES NOT WORK!! - Ok, gimme all you got - ... sounds familiar?
16:28 < krzee> lol
16:29 < hyper_ch> how's the script coming?
16:30 < reiffert> ?
16:31 < hyper_ch> reiffert: my secret take-over-the-world php/ajax script I created for krzee
16:34 < reiffert> so hyper_ch and krzee share the world now .. damnit
16:35 < hyper_ch> you can have africa if you want :)
16:35 < hyper_ch> and the north pole
16:35 < reiffert> great, I can sell you energy in a couple of years then.
16:35 < dogarrhea1> http://pastebin.ca/2001446
16:35 < dogarrhea1>    this is the server configuration when it works.
16:36 < dogarrhea1> the .ovpn client file is the same as http://pastebin.ca/2001429
16:37 < reiffert> 23:14 < reiffert> dogarrhea1: how about putting that level to 3,
16:37 < dogarrhea1> http://pastebin.ca/2001449 is the log when it succeeds.
16:38 < reiffert> ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct.   [status=160 if_index=28]
16:38 < reiffert> show us the client config.
16:38 -!- bitterman [~yury@84.51.198.114] has joined #openvpn
16:39 < dogarrhea1> http://pastebin.ca/2001453
16:40 < reiffert> add this to client config:
16:40 < reiffert> script-security 2
16:40 < reiffert> restart all the shit, repaste log and client conf
16:40 < reiffert> all logs. both. server and client.
16:40 -!- luneff [~yury@84.51.198.114] has quit [Ping timeout: 245 seconds]
16:45 < dogarrhea1> http://pastebin.ca/2001460 client log
16:45 -!- darth_bitterman [~yury@84.51.198.114] has joined #openvpn
16:46 < dogarrhea1> http://pastebin.ca/2001463 client conf. added the script-security 2 thing right after the verb setting
16:46 < krzee> hyper_ch, ran into a snag with my script
16:47 < krzee> debugging it now
16:47 < hyper_ch> :)
16:47 < krzee> unrelated to your side, but holding it up
16:48 -!- bitterman [~yury@84.51.198.114] has quit [Ping timeout: 265 seconds]
16:48 < reiffert> what is it that I need to tell dogarrhea1 now?
16:49 < krzee> not sure, i ignored him
16:49 < dogarrhea1> working on server .log
16:49 < dogarrhea1> u want daemon?
16:51 < reiffert> dogarrhea1: do I?
16:51 < dogarrhea1> yes do you?
16:52 < reiffert> dogarrhea1: I asked you twice at least..
16:58 < dogarrhea1> http://pastebin.ca/2001481
16:58 < dogarrhea1>  daemon.log
17:00 < reiffert> looks good.
17:03 <@vpnHelper> RSS Update - forum: Server Administration :: Re: I can only ping one way. Client to server works. ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7300&p=8544#p8544>
17:09 -!- Riiiis [~Kosmo@82.211.197.216] has left #openvpn ["Leaving"]
17:10 < dogarrhea1> so what else do you need reiffert?
17:10  * Bushmills guesses he needs a coffee
17:15 <@vpnHelper> RSS Update - forum: Server Administration :: Re: I can only ping one way. Client to server works. ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7300&p=8545#p8545>
17:19 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
17:22 -!- darth_bitterman [~yury@84.51.198.114] has quit [Quit: Leaving]
17:23 -!- kerfe [~a@66.pool85-60-140.dynamic.orange.es] has quit [Quit: • IRcap • 8.6 •]
17:24 -!- tvm [~tvm@router-vinice.pilsfree.net] has joined #openvpn
17:24 < tvm> hi, is there anything to particular to change when i'm migrating a openvpn client from windows to linux?
17:25 < tvm> figured that i can use same config, only changed path to p12 key.
17:27 < tvm> i keep getting this, but i'm sure that i'm enterring correct passphrase.
17:27 < tvm> error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure: error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
17:38 < krzee> are you using 2.1.4?
17:40 < krzee> ^ @ tvm
17:40 < tvm> it's debian stable
17:40 < tvm> so 2.1rc11
17:40 < krzee> go update
17:41 < krzee> !download
17:41 <@vpnHelper> krzee: "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
17:41 < tvm> hrmh.
17:53 -!- atan [~atan@unaffiliated/atan] has quit [Quit: null]
17:55 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:58 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
18:02 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
18:12 -!- elva [~elva@pool-173-53-57-150.rcmdva.fios.verizon.net] has joined #openvpn
18:17 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
18:17 -!- tvm [~tvm@router-vinice.pilsfree.net] has quit [Quit: leaving]
18:23 -!- luneff [~yury@84.51.198.114] has joined #openvpn
18:27 <@vpnHelper> RSS Update - forum: Server Administration :: UDP Connection Works fine but TCP connection wont ping :: Author sonlas7y20 <https://forums.openvpn.net/viewtopic.php?f=4&t=7318&p=8546#p8546>
18:30 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 245 seconds]
18:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
18:45 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Routing Questions :: Reply by sonlas7y20 <https://forums.openvpn.net/viewtopic.php?f=4&t=7306&p=8547#p8547>
19:05 -!- elva [~elva@pool-173-53-57-150.rcmdva.fios.verizon.net] has left #openvpn []
19:36 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
19:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
19:56 -!- s7r [~s7r@89.39.174.74] has left #openvpn []
20:00 -!- rcngeoff [~rcngeoff@p508A3557.dip.t-dialin.net] has joined #openvpn
20:04 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
20:07 -!- rcngeoff [~rcngeoff@p508A3557.dip.t-dialin.net] has quit [Ping timeout: 255 seconds]
20:13 -!- oc80z [oc80z@blea.ch] has quit [Ping timeout: 240 seconds]
20:16 -!- oc80z [oc80z@blea.ch] has joined #openvpn
20:50 -!- aderouineau [oreo@AGrenoble-152-1-69-241.w83-201.abo.wanadoo.fr] has joined #openvpn
20:50 < aderouineau> hey everyone
20:51 < aderouineau> my local network uses the subnet 172.24.42.0/24, and i was wondering if there was a way for openvpn to use a subset of that network for IP's
20:52 < aderouineau> so that i don't have to push routes and thus  require administrative privileges on vista and +
20:52 < aderouineau> (as well as linux)
20:58 < krzee> you still require admin privs
20:58 < krzee> and there are still routes set
20:59 < krzee> in linux you can drop the privileges tho
21:37 < aderouineau> krzee: what do you mean?
21:50 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
22:04 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: UDPBroadcastForwarder :: Author jgoetze <https://forums.openvpn.net/viewtopic.php?f=15&t=7319&p=8548#p8548>
22:24 -!- luneff [~yury@84.51.198.114] has quit [Read error: Connection reset by peer]
22:33 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
22:37 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:43 -!- dogarrhea1 [alex@199.48.243.204] has quit [Quit: Leaving]
22:52 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
22:56 -!- rcngeoff [~rcngeoff@p508A3557.dip.t-dialin.net] has joined #openvpn
23:03 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
23:28 -!- W0rmF00d [~wormfood@183.39.104.154] has joined #openvpn
23:29 -!- aderouineau [oreo@AGrenoble-152-1-69-241.w83-201.abo.wanadoo.fr] has quit []
23:32 -!- WormFood [~wormfood@183.39.100.108] has quit [Ping timeout: 272 seconds]
23:40 -!- krzie [~k@ftp.secure-computing.net] has joined #openvpn
23:40 -!- krzie [~k@ftp.secure-computing.net] has quit [Changing host]
23:40 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
23:49 -!- dogarrhea1 [alex@199.48.243.204] has joined #openvpn
23:49 < dogarrhea1> hrm. never did get my last error with redirect-gateway resolved
23:50 < dogarrhea1> lol. searching redirect-gateway bug in google fills up two paginations worth of material
23:55 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
23:55 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
23:58 -!- humanMeat [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
--- Day changed Thu Nov 25 2010
00:02 -!- dogarrhea1 [alex@199.48.243.204] has quit [Ping timeout: 276 seconds]
00:06 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
00:16 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 240 seconds]
00:28 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Routing Questions :: Reply by ExEric3 <https://forums.openvpn.net/viewtopic.php?f=4&t=7306&p=8549#p8549>
00:29 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
00:44 < humanMeat> hrm. openvpn says i'm connected yet i cannot ping 10.8.0.2
00:46 < krzie> ping 10.8.0.6
00:46 < krzie> !/30
00:46 <@vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
01:06 -!- humanMeat [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Ping timeout: 255 seconds]
01:11 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has joined #openvpn
01:17 -!- Columbo0815 [~fre@p54AD9E55.dip.t-dialin.net] has joined #openvpn
01:20 < Columbo0815> ecrist: here iam again to say thank you! my problem is solved with pf! :-D 
01:31 -!- dazo_afk is now known as dazo
01:39 -!- dogarrhea1 [~alex@cpe-98-149-134-210.socal.res.rr.com] has quit [Ping timeout: 255 seconds]
01:58 -!- s7r [~s7r@89.39.174.74] has joined #openvpn
02:03 -!- oc80z [oc80z@blea.ch] has quit [Ping timeout: 240 seconds]
02:04 -!- oc80z [oc80z@blea.ch] has joined #openvpn
02:14 -!- Columbo0815 [~fre@p54AD9E55.dip.t-dialin.net] has quit [Quit: leaving]
02:16 -!- W0rmF00d is now known as WormFood
02:18 -!- Intel`` [~clarencec@94.200.7.26] has quit [Remote host closed the connection]
02:50 < kraut> moin
02:51 < krzie> moin
03:02 -!- septiq [~septiq@93.19.114.177] has joined #openvpn
03:24 -!- noisebleed [~quassel@kermit.inescn.pt] has joined #openvpn
03:24 -!- noisebleed [~quassel@kermit.inescn.pt] has quit [Changing host]
03:24 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
03:28 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
03:28 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
03:28 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
03:33 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
03:36 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
03:47 -!- master_of_master [~master_of@p57B53930.dip.t-dialin.net] has quit [Ping timeout: 276 seconds]
03:49 -!- master_of_master [~master_of@p57B54B62.dip.t-dialin.net] has joined #openvpn
03:50 < hyper_ch> hi krzie
03:50 < krzie> werd
03:51 < krzie> still redesigning... ran into some seriously ugly code
03:51 < krzie> got a ssd on the way, one for the box that runs this, one for my laptop
03:51 < krzie> s/a/some/
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:52 < krzie> but this redesign is good, speeding things up a bit
03:52 < krzie> and making it saner, lol
03:52 < hyper_ch> krzie: you're a bash guru, right?
03:53 < krzie> i use it a bit, got a '?'?
03:53 < hyper_ch> you know how to make user interactions in bash especially stopping the script and asking for a y/n input?
03:53 < krzie> sure, read
03:53 < krzie> see my confgen
03:53 < krzie> !confgen
03:54 <@vpnHelper> krzie: "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/
03:54 < krzie> http://www.secure-computing.net/svn/trunk/openvpn-confgen/confgen.sh
03:54 < hyper_ch> thx
03:54 < krzie> read LISTENIP
03:54 < krzie> : ${LISTENIP:=0.0.0.0}
03:54 < krzie> that is how you set a default
03:54 < krzie> if the var LISTENIP is empty, it will set to 0.0.0.0
03:55 < hyper_ch> thx
03:55 < krzie> see
03:55 < krzie> echo "Will the server share its LAN with the VPN?"
03:55 < krzie> right below that
03:55 < krzie> i use a while : to loop forever until i break
03:56 < krzie> so "(y/n)" will reappear until i get a y or n
03:57 < krzie> but i setup a default on that one, so if you typed nothing it would be no
03:57 < krzie> if you answered with apple, it would say (y/n)
03:58 < krzie> oh and when i said read i didnt mean docs, i meant the command is named read =]
03:58 < hyper_ch> cool :)
03:59 < krzie> you cant man read, cause it is bash builtin
03:59 < krzie> but you can read its doc with 'help read'
04:01 -!- razorx [~razorX@h-157-112.A155.priv.bahnhof.se] has joined #openvpn
04:02 < razorx> !welcome
04:02 <@vpnHelper> razorx: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:02 < razorx> !redirect
04:02 <@vpnHelper> razorx: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
04:03 < razorx> !howto
04:03 <@vpnHelper> razorx: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
04:03 < razorx> good morning
04:03 < krzie> g'mornin
04:07 < razorx> krzie, are you running openvpn in linux?
04:08 < krzie> i use freebsd, but ive helped enough people in linux that you can ask anyways
04:08 -!- ksk [~ksk@im.knubz.de] has quit [Quit: leaving]
04:09 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
04:10 < razorx> Ok here it goes, i recently bought a vpn account and it works well in win. When im connecting to the network from my ubuntu server it connects and all but i cant get it to communicate with the world :/
04:10 < krzie> ahh
04:10 -!- ksk [~ksk@im.knubz.de] has joined #openvpn
04:10 < krzie> do you have it connected for testing?
04:11 < razorx> no its offline right now
04:11 < septiq> Hi, is it possible to use variables in config files ?
04:11 < krzie> connect, try pinging 8.8.8.8
04:11 < razorx> but i belive its some form of iptables setting to reroute all traffic
04:11 < krzie> septiq, as in, shell variables?
04:11 < krzie> razorx, that is on the server
04:12 < krzie> razorx, im guessing it has to do with DNS
04:12 < razorx> ok
04:12 < krzie> get it online and test that =]
04:12 < krzie> windows automaticly accepts pushed dns, linux needs a script
04:12 < septiq> krzie: ideally yes, but file-defined variables would be a good start eg define values on top of the config file, then use them
04:12 < krzie> nope
04:12 < krzie> however
04:12 < razorx> krzie, ok thanks will try that
04:13 < krzie> instead of a config you could hve a script start openvpn, and use vars in it
04:13 < krzie> EVERY command in a config can be a --option
04:13 < krzie> !--
04:13 <@vpnHelper> krzie: "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file.
04:14 < septiq> krzie: right but in that case i won't be able to use openvpn init.d starting mecanism, but i could rewrite something like that ...
04:15 < krzie> right
04:15 < krzie> all depends how much you need vars i guess
04:17 < septiq> krzie: my main objective is to keep clean templates as i don't like the search/replace way, I have tried config file generation scripts, that works but seems too much work for this
04:17 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
04:18 < krzie> i love search replace way for templates
04:18 < septiq> krzie: in that case you would need at least to insert a comment on top describing all the values to replace
04:19 < krzie> sed -e 's/HOSTNAME/something.com/' -e 's/IP/1.2.3.4/' -e ...
04:19 < krzie> but you replace with $hostname instead of something.com
04:19 < krzie> and at top you have hostname="something.com"
04:20 < krzie> same deal, still search/replace
04:23 < septiq> another question: can the bridge script be called from openvpn ?
04:23 < krzie> see --up
04:23 < krzie> !script
04:23 <@vpnHelper> krzie: "script" is see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn
04:24 -!- s7r1 [~s7r@89.39.174.74] has joined #openvpn
04:24 -!- s7r [~s7r@89.39.174.74] has quit [Ping timeout: 276 seconds]
04:24 < krzie> heres an interesting one
04:24 < krzie> http://ubuntuforums.org/showthread.php?t=538788
04:24 <@vpnHelper> Title: Bridge Automation Script -- Setting up linux bridges. With Rateshaping - Ubuntu Forums (at ubuntuforums.org)
04:24 < krzie> never seen that before
04:24 < septiq> so which hooks are ok for bridge-start/stop
04:25 < krzie> oh wait ignore the above link
04:25 < krzie> lol
04:25 < krzie> you want --up for that
04:26 < krzie> there is a commonly used script, i think its in the howto
04:26 < krzie> (personally i dont bridge)
04:26 < krzie> you setting it up for lan gaming? theres not too many reasons to use a bridge
04:28 < septiq> actually, i want to use bridge to flow several remote ips to another host, ideally each ip to a distinct virtual host
04:29 < krzie> ahh
04:29 < septiq> s/host/container
04:29 < krzie> so for using real IPs like you're at the other site?
04:29 < krzie> you dont need to communicate with an actual LAN?
04:30 < septiq> exact, as i need arp to register these ips it requires tap
04:30 < septiq> i don't understand your last question
04:30 < krzie> is it host to host, or a lan behind openvpn?
04:31 < septiq> lan to lan ?
04:31 < krzie> does 1 side need to access another side's lan over layer2?
04:31 < krzie> or simply the client needs layer2 to the server...?
04:32 < septiq> very good question
04:32 < krzie> i dont know too much about bridges, but ecrist told me when there is no lan, you dont need a bridge, but rather just use tap in a normal routed setup
04:33 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 272 seconds]
04:33 < septiq> actually i'm first looking for (2) but maybe later i will need (1) maybe to avoid routing for sip
04:33 < krzie> but sip isnt layer2
04:33 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
04:33 < krzie> you can use a routed setup, with dev tap
04:33 < krzie> easier =]
04:34 < septiq> right
04:34 < krzie> you'll still have arp to the server
04:34 < septiq> so i'm looking for a tap routed setup ...
04:35 < krzie> basically:
04:35 < krzie> !sample
04:35 <@vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
04:35 < krzie> but switch dev tap to dev tun
04:35 < krzie> err
04:35 < krzie> s/to/from/ ;]
04:38 < septiq> so the "server 10.8.1.0 255.255.255.0" directive implies automatic ip distribution to remote tap devices
04:39 < krzie> right thats how you give the IP
04:39 < septiq> but how will tapX:10.8.1.Y let PR.IV.AT.EIP to flow arp to the remote gateway, maybee i need to activate proxy-arp on tapX ...
04:40 < krzie> your server needs to take an IP in the subnet you have to give out
04:40 < krzie> the first IP of the subnet
04:40 < krzie> last will be broadcast
04:40 < krzie> everything else will be handed out
04:40 < septiq> i'm talking about client side
04:41 < krzie> so like server 1.2.3.0 255.255.255.128 or whatever
04:41 < krzie> oh
04:41 < krzie> so you need to arp beyond the server after all!
04:41 < krzie> proxyarp is a way to do it
04:42 < krzie> or you can bridge ;]
04:42 < krzie> you mean the "remote gateway" is not the server, right?
04:42 < septiq> yes
04:43 < septiq> it's the ip router provinding connection to the server that will be also used to provide "deported" internet to client's virtal appliances
04:45 < septiq> i still don't know if a routing configuration permits to do so
04:45 < septiq> that's why i went to the bridge way
04:49 < krzie> it would with proxyarp
04:49 < krzie> but really its up to taste at that point
04:49 < septiq> i'd rather use the routed setup, but in that casee i don't know what would be the two tap interfaces ips
04:50 < krzie> my personal choice would be to use routed, but im pretty sure some others here would use bridge
04:50 < krzie> i just know routed better ;]
04:50 < septiq> so do i
04:50 < krzie> and prefer to limit my layer2 as much as possible
04:52 < septiq> but in the routed setup with proxy-arp, i think it requires network addresses coherence between the client's tap interface (with private ip) and the client's container ip (public ip)
04:52 < septiq> to me that is the issue
04:53 < krzie> cool
04:53 -!- sonicman [~admin@h7.3.89.75.dynamic.ip.windstream.net] has quit [Read error: Operation timed out]
04:53 < krzie> --up script for starting the script =]
04:54 -!- sonicman [~admin@periwinkle.feralhosting.com] has joined #openvpn
04:56 < septiq> server tap0[10.0.0.1](proxyarp) <---> client tap0[10.0.0.2](proxyarp) <---> container xxxY[PU.BL.IC.IP] won't work as the container and the client do not share the network address
04:58 < krzie> no worries, use bridge then
04:59 < krzie> bridge isnt needed unless you need layer2 to the lan, you do
05:01 < septiq> moreover i would like to use several containers with different public ips (all flowing in the same tunnel)
05:14 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
05:32 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
05:44 -!- twister004 [~chatzilla@59.90.34.167] has joined #openvpn
06:06 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 255 seconds]
06:07 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
06:09 -!- s7r1 [~s7r@89.39.174.74] has left #openvpn []
06:21 -!- zoobab [zoobab@vic.ffii.org] has quit [Read error: Operation timed out]
06:21 -!- zoobab [zoobab@vic.ffii.org] has joined #openvpn
--- Log closed Thu Nov 25 06:23:42 2010
--- Log opened Thu Nov 25 06:41:05 2010
06:41 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined #openvpn
06:41 -!- Irssi: #openvpn: Total of 116 nicks [3 ops, 0 halfops, 0 voices, 113 normal]
06:41 -!- Irssi: Join to #openvpn was synced in 36 secs
07:06 -!- s7r [~s7r@89.39.174.74] has joined #openvpn
07:25 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
07:25 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
07:25 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
07:28 -!- twister004__ [~chatzilla@59.90.34.167] has joined #openvpn
07:29 -!- twister004 [~chatzilla@59.90.34.167] has quit [Ping timeout: 252 seconds]
07:29 -!- twister004__ is now known as twister004
07:33 -!- hampusw [~hampusw@c-3a9ae055.1122-1-64736c10.cust.bredbandsbolaget.se] has joined #openvpn
07:34 -!- hampusw [~hampusw@c-3a9ae055.1122-1-64736c10.cust.bredbandsbolaget.se] has left #openvpn ["Leaving"]
07:43 -!- renihs [~lemming@83-65-34-34.arsenal.xdsl-line.inode.at] has quit [Quit: narf]
07:44 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Read error: Operation timed out]
07:46 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
07:58 -!- rcngeoff_ [~rcngeoff@p4FDBE72F.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
08:31 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has joined #openvpn
08:33 < unspin> is there a way to force a specific certificate to authenticate to a specific user?
08:33 < unspin> i'm currently using the auth-pam plugin
08:35 -!- s7r [~s7r@89.39.174.74] has quit [Quit: Leaving.]
08:36 < unspin> i thought about using the, 'auth-user-pass-verify' directive but id like to avoid writing a script to handle password authentication if possible
08:41 < Bushmills> "user" or "host"?
08:44 < unspin> user
08:45 < unspin> if i allocate a cert (cert1) to a user (user1), the way it works by default with auth-pam, user1 can use his authorization credentials with any other valid cert
08:45 < unspin> i want to enforce the association between user and cert
08:52 < unspin> the "client-connect script" directive seems like it may be an acceptable approach
08:54 < unspin> ah maybe not, it only has access to the CN
08:58 -!- krzie [~k@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
08:59 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
08:59 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
09:04 < reiffert> unspin: secure the cert of user1 with the password of user1.
09:04 < reiffert> unspin: which means hand him another cert when he changes his password.
09:05 < reiffert> ah well, thats not what you want .. mhm.
09:25 < unspin> leaning towards writing a plugin at this point
09:25 < unspin> something simple like enforce username to be the same as CN
09:36 -!- Mkools [~mukul@117.196.208.132] has joined #openvpn
09:36 -!- rcngeoff [~rcngeoff@p4FDBE72F.dip.t-dialin.net] has joined #openvpn
09:47 < Mkools> ecrist: Hi I want to connect a client which uses Windows 7 to my openvpn client on Ubuntu which software should I download. Is this one correct: http://www.openvpn.net/index.php/openvpn-client.html
09:47 <@vpnHelper> Title: Downloads (at www.openvpn.net)
10:06 -!- rcngeoff [~rcngeoff@p4FDBE72F.dip.t-dialin.net] has left #openvpn []
10:09 -!- Mkools [~mukul@117.196.208.132] has quit [Ping timeout: 260 seconds]
10:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
10:12 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
10:26 -!- Amacidia [~amacidia@70.74.161.36] has quit []
10:26 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Read error: Operation timed out]
10:28 <@dazo> unspin: have a look at eurephia ... http://www.eurephia.net/
10:28 <@vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
10:29 <@dazo> unspin: it don't support PAM or other auth methods, but I'm digging into that - to support other auth methods like LDAP and PAM as a starter at least
10:39 -!- Mkools [~mukul@117.196.208.132] has joined #openvpn
10:41 < Mkools> ecrist: Consider my situation: I have 4 inter faces 1. loopback 2. eth3 (facing Internet) 3. eth4 (configured my own dns server using bind 9) 4. tun0
10:42 -!- septiq_ [~septiq@93.19.114.177] has joined #openvpn
10:42 < Mkools> I have openvpn clients on address range 10..x.x.x facing tun0
10:43 < Mkools> What should I edit in windows client file in domain name?
10:44 < Mkools> so that my two openvpn clients should connect?
10:44 < Mkools> thanks in advance
10:45 -!- septiq [~septiq@93.19.114.177] has quit [Ping timeout: 265 seconds]
10:45 < Mkools> when I edit my resolv.conf file and interfaces files I lost connectivity to the internet. How should I edit files to get connection to Internet as well as windows openvpn client.
10:45 < Mkools> Both the clients are connected directly to Internet using modem
10:46 -!- septiq_ [~septiq@93.19.114.177] has quit [Ping timeout: 252 seconds]
10:58 < Bushmills> why do you lose connectivity?
11:17 -!- twister004 [~chatzilla@59.90.34.167] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.12/20101026210630]]
11:22 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
11:29 -!- Mkools [~mukul@117.196.208.132] has quit [Ping timeout: 265 seconds]
11:31 -!- dazo is now known as dazo_afk
11:53 -!- Alonea [~Alonea@rdhddmazokuvpn.student.rit.edu] has joined #openvpn
11:53 < Alonea> !goal
11:53 <@vpnHelper> Alonea: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:53 < Alonea> !welcome
11:53 <@vpnHelper> Alonea: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:53 < Alonea> !howto
11:53 <@vpnHelper> Alonea: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:53 < reiffert> Alonea 1 : 0 #OpenVPN
11:57 < Alonea> ok, I had a couple questions. A friend at work told me to use this, but I didn't understand everything he said. I want to make a file share so my family back home can connect to me. I am on a network where I can't access the router, but I can hook up my own switch if needed (currently just plugged into the wall) and I am trying a bridged connection since I need that for file shares yes?
11:59 < Alonea> I managed to get the bridge up in Windows 7, but I am trying to figure out if I need my own router and how to do the config file properly
12:01 -!- dazo_afk is now known as dazo
12:06 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
12:06 < Alonea> anyone around?
12:06 -!- blink_ [~blink@reality.is-after.me] has joined #openvpn
12:07 < blink_> !goal
12:07 <@vpnHelper> blink_: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:08 < blink_> !goal I would like to to have multiple clients connect to a single IP, and have traffic for all clients egress a single IP, to anywhere on the internet
12:08 <@vpnHelper> blink_: Error: "goal" is not a valid command.
12:08 < |Mike|> :P
12:08 < blink_> well, that.
12:08 < |Mike|> blink_: you might want to read this:
12:08 < |Mike|> !tell blink_ [howto]
12:09 < |Mike|> linux or windows?
12:09 < Alonea> oh my a person!
12:09 < blink_> debian stable server, osx and windows clients
12:09 < |Mike|> !tell blink_ [linnat]
12:10 < blink_> I've been tasked with giving them access to UK tv shows, have a server with 3 IPs available to me
12:10 < blink_> thanks, I'll check it out
12:10 < |Mike|> !def1
12:10 <@vpnHelper> |Mike|: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
12:10 < |Mike|> you might need this as well 
12:10 < Alonea> Mike, did you have any ideas for me?
12:11 < |Mike|> let me read up
12:11 < Alonea> ok thanks. I am a newb at this, so thus confusion
12:12 < |Mike|> you need to forward a port (1194 UDP) for this 
12:12 < |Mike|> you want to run openvpn-server on a computer at your house, correct?
12:13 < Alonea> yes, but the internet is provided to us so thus I don't really have control over it, but I can hook up a router to the wall and then forward the port on it?
12:15 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined #openvpn
12:15 < |Mike|> you're not using a router at the moment?
12:15 < |Mike|> or what's your situation
12:15 < Alonea> no, just plugged into the ethernet jack in the wall. 
12:16 < Alonea> but I do have a wired router in the other room I can grab if needed.
12:17 < |Mike|> so you're directly connected to the internet?
12:17 < Alonea> yes
12:19 < Alonea> and I took my TAP-Win32 Adapter and made a network bridge.
12:21 < Alonea> however I got confused in the config file for the ip part for "server-bridge" Do I put in 10.8.0.4 or what it says in ipconfig? or do I need to change it under the network bridge to 10.8.0.4?
12:22 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
12:22 < reiffert> Alonea 1 : 1 #OpenVPN
12:23 < Alonea> there is also this line I need to edit as well right? server 10.8.0.0 255.255.255.0? and reiffert, I don't know what that means
12:26 < reiffert> Alonea 1 : 3 #OpenVPN
12:29 < blink_> |Mike|: based on what I've read so far, my goal is now to set up a bridged VPN to a private network, then NAT that network out the UK IP; client side I will use 0.0.0.0/1 to avoid squashing the default gateway on the client
12:30 < blink_> derp, routed, not bridge.
12:34 < Alonea> ok, going to see if I can do this step: Then you must manually set the IP/netmask on the bridge interface, here we assume 10.8.0.4/255.255.255.0.
12:38 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has joined #openvpn
12:41 -!- Alonea [~Alonea@rdhddmazokuvpn.student.rit.edu] has quit [Ping timeout: 272 seconds]
12:43 -!- Alonea [~Alonea@res55554915.rh.rit.edu] has joined #openvpn
12:46 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
12:46 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
12:46 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
12:46 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
12:54 <@vpnHelper> RSS Update - forum: Configuration :: OpenVPN, WLan, Replay Window Backtrack , Connection Reset :: Author Aramis <https://forums.openvpn.net/viewtopic.php?f=6&t=7320&p=8550#p8550>
12:55 < Alonea> Ok, I can't seem to change the ip on it to something else without it failing to connect back. turned off the bridge for now
13:01 < unspin> dazo, Euphoria looks pretty interesting, but it wont compile under Freebsd
13:04 -!- Alonea1 [~Alonea@129.21.146.94] has joined #openvpn
13:04 <@dazo> unspin:  ahh ... keen on helping out fixing that?   I want it to run on *BSD as well .... I've just never had time to setup a BSD box
13:05 -!- Alonea [~Alonea@res55554915.rh.rit.edu] has quit [Ping timeout: 245 seconds]
13:05 <@dazo> (and I know someone managed during the beta phase of eurephia)
13:05 < unspin> sure, if i have any success getting it to compile
13:06 <@dazo> unspin:  what's the issues you see?
13:06 < unspin> there were a few small things (libdl being integrated into libc on freebsd) but i'm having problems with mempcpy now
13:06 <@dazo> memcpy?
13:07 < unspin> mempcpy, referenced in common/password.c
13:07 < Alonea1> @@...I have no idea if this is even correct. So I made a bridge, left its settings along, and left this line as: server-bridge 10.8.0.4 255.255.255.0 10.8.0.100 10.8.0.150, but the ip on the bridge is 129.21.146.94 accords to ipconfig
13:07 <@dazo> I'm just surprised ... as that's usually a very natural part of libc :)
13:08 < unspin> yeah
13:08 < unspin> i'm more of a linux guy myself :)
13:08 < Alonea1> or does the server-bridge thing need to reflect what the bridge says?
13:10 < unspin> seems to be a part of libssp on freebsd, not sure yet
13:10 < Alonea1> when I run the server it says Initialization Sequence Completed. and then which address am I supposed to ping???
13:11 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
13:37 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
13:38 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
13:42 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
13:54 -!- p3rror [~mezgani@41.248.187.216] has quit [Ping timeout: 265 seconds]
14:18 -!- p3rror [~mezgani@41.140.179.106] has joined #openvpn
14:23 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
14:30 -!- bitterman [~yury@84.51.198.114] has joined #openvpn
14:34 -!- luneff [~yury@84.51.198.114] has quit [Ping timeout: 264 seconds]
15:05 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 240 seconds]
15:06 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
15:22 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Read error: Operation timed out]
15:23 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 250 seconds]
15:25 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
15:29 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
15:31 -!- techqbert [~jim@c-68-32-38-158.hsd1.pa.comcast.net] has joined #openvpn
15:34 < techqbert> hey guys, i made my keys a long time ago. i recently made a key for my jailbroken iphone but alas openvpn complains "private key password verification failed." does that mean i password-protected the hand-shake or something?
15:35 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
15:47 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
15:49 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 265 seconds]
16:00 -!- Thibaud [~Thib@thib.ca] has joined #openvpn
16:01 < Thibaud> Hello there. :)
16:01 < Thibaud> I would be grateful if someone could help me.
16:02 < Thibaud> I have a small problem with my configuration.
16:02 < Thibaud> On one hand, I have a debian server which host the openvpn server and a macintosh client.
16:02 < Thibaud> I have a /31 subnet
16:02 < Thibaud> 255.255.255.254
16:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
16:03 < Thibaud> which is a bit special according to IETF specification (no broadcast or network ip)
16:04 < Thibaud> but when I want to ping the other side of my tunnel, it sends frames to the MAC address of the broadcast.
16:04 < Thibaud> if I manually set (with the ifconfig) my config it works great but not without.
16:05 < Thibaud> Do you have have any idea, how could I make it work?
16:07 -!- s7r [~s7r@89.39.174.74] has joined #openvpn
16:09 < Alonea1> Can someone tell me if I need a router for this to work or no? I am currently connected to the internet through the ethernet port in the wall. So there is no way for me to port foward anything and I assume my ip address will change periodically? Is this even possible with my setup? Trying to set up a connection so family can connect and get files from a share.
16:10 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
16:11 -!- Thibaud_ [~Thib@93.26.145.205] has joined #openvpn
16:11 < Bushmills> Alonea1: will family machines be openvpn clients?
16:12 < Alonea1> yes
16:13 < Alonea1> though getting them to install it and get it setup right on their end will be "fun", Bushmills
16:14 < Bushmills> possible, though having a static ip address on the machine which will be server would be helpful
16:14 < Alonea1> Bushmills: don't think I can do that. I am on a college network and its funky enough as it is.
16:15 -!- Thibaud [~Thib@thib.ca] has quit [Ping timeout: 264 seconds]
16:15 -!- Thibaud_ is now known as Thibaud
16:16 < Bushmills> server could be a different machine.  if it must be yours, and you have dynamic ip address, you need to set up a host name for your ip address, which gets updated when your ip address changes. let clients connect to machine with that hostname
16:17 < Bushmills> before you do make sure your connection accepts incoming udp, or allows tcp connections from remote.
16:18 < Alonea1> Bushmills: ok, how do I check that?
16:18 < Bushmills> netcat
16:18 < Alonea1> Bushmills: I did manage to at least get the bridge working earlier. Let me look at netcat
16:18 < Bushmills> why bridge?
16:19 < Alonea1> Bushmills: When I was reading the how to it suggested that I needed a bridge if I was going to do file sharing
16:19 < Bushmills> sounds odd
16:20 < Bushmills> !tunortap
16:20 <@vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
16:20 <@vpnHelper> Bushmills: over the vpn, or (#4) lan gaming? use tap!
16:21 < Bushmills> !howto
16:21 <@vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:21 < Alonea1> Bushmills: Yeah, I just want to share a folder that all of us can access is all. Nothing else. No internet sharing, gaming, etc. Family all either has XP or Windows 7. I have 7 as well.
16:22  * Bushmills googles these funny terms "XP" and "Windows 7"
16:22 < Alonea1> Bushmills: ^_^. I got slackware on my netbook at least.
16:23 < Alonea1> yeah from the how-to it says "you would like to allow browsing of Windows file shares across the VPN without setting up a Samba or WINS server."
16:23 < Bushmills> ah.  XP... "there must be food".  meeting requirement for eXtreme Programming
16:24 -!- Thibaud [~Thib@93.26.145.205] has quit [Quit: Thibaud]
16:24 < Alonea1> Bushmills: Oh extreme programming sessions...where everyone trys to reach Balmers Peak
16:25 < Alonea1> Bushmills: Well, I guess I could do a Samba or WINS server, but I really have no idea how to do either. I program software generally..my network experience is pretty limited to setting up the router.
16:27 -!- ruben23 [~RLACUMBA@121.97.111.142] has joined #openvpn
16:29 < Alonea1> Bushmills: ok, I got a windows version of netcat, now what?
16:30 < Bushmills> re XP vs Ballmer's peak:  actually no.   http://en.wikipedia.org/wiki/Extreme_Programming
16:30 <@vpnHelper> Title: Extreme Programming - Wikipedia, the free encyclopedia (at en.wikipedia.org)
16:32 < Alonea1> Bushmills: I was kidding, though many kids on campus do try to finish projects with Ballmer's peak...>.<
16:33 -!- aderouineau [oreo@AGrenoble-152-1-69-241.w83-201.abo.wanadoo.fr] has joined #openvpn
16:34 < Alonea1> !wins
16:34 <@vpnHelper> Alonea1: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
16:34 < aderouineau> Hey everbody. I set up OpenVPN to use a 172.31.41.0/25 for VPN connections, and added: push "route 172.24.42.0 255.255.255.0"
16:35 -!- bitterman [~yury@84.51.198.114] has quit [Read error: Connection reset by peer]
16:35 < aderouineau> How can I configure a client to use a static IP and get the route to the correct gateway IP (since I have to specify a /30 subnet and thus the server would not be .1 anymore)
16:35 -!- bitterman [~yury@84.51.198.114] has joined #openvpn
16:35 < aderouineau> Thanks.
16:35 < Bushmills> !ccd
16:35 <@vpnHelper> Bushmills: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
16:37 < Bushmills> for connecting,  --remote server.ip.address
16:37 < Bushmills> (plus port)
16:38 < Bushmills> client doesn't need to "get" the route. when route exists in routing table, conneting to remote ip will use that route
16:38 < Bushmills> usually by default route
16:39 < aderouineau> Bushmills: huh?
16:39 < aderouineau> it does need to get the route
16:39 < Alonea1> Bushmills: still have no idea how to use this netcat thing to check udp and tcp
16:40 < Bushmills> Alonea1: listener on one side, use it send send from the other side.
16:40 < aderouineau> it gets 172.31.41.0/25 through VPN, and needs to be able to access 172.24.42.0/24
16:40 < Bushmills> to send...#
16:40 < aderouineau> so I added push "route 172.24.42.0 255.255.255.0" in the command line
16:41 < Bushmills> try --push
16:41 < aderouineau> it works for normal clients that do not get assigned a static IP
16:41 < Bushmills> or push ... in (server) config file 
16:41 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
16:41 < aderouineau> Bushmills: read what I wrote; I did add "push"
16:41 < aderouineau> and it works for normal clients
16:41 < Bushmills> "so I added push "route 172.24.42.0 255.255.255.0" in the command line" is what i read
16:42 < aderouineau> but for my own use (my client config reads: ifconfig-push 172.31.41.202 172.31.41.201), it errors our during connection -> cannot get an ip
16:42 < Bushmills> is there a return route?
16:43 < Bushmills> from 172.24.42.x through vpn to clients?
16:43 < Alonea1> Bushmills: ??? so nc -l -p port# -t -e cmd.exe?
16:43 < Alonea1> but -t is telnet. not sure how to do udp
16:44 < Bushmills> -u
16:44 < Bushmills> i am pretty sure that the man page mentions that
16:44 < aderouineau> Bushmills: yes
16:44 < aderouineau> i also added --route on the server
16:44 < Alonea1> Bushmills: this is a hacked together version, not exactly like the unix one.
16:44 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:45 < aderouineau> --route 172.31.41.200 255.255.255.252
16:45 < Alonea1> what port would I use?
16:45 < Bushmills> aderouineau: server and client routes check out?
16:46 < aderouineau> Bushmills: my own client cannot finish connecting since it doesn't get an ip
16:46 < Bushmills> Alonea1: start with openvpn default port
16:46 < Alonea1> 1194?
16:46 < Bushmills> aderouineau:  how do you push the client ip address from ccd file?
16:47 -!- dazo is now known as dazo_afk
16:47 < aderouineau> Bushmills: ifconfig-push 172.31.41.202 172.31.41.201
16:48 < Alonea1> Bushmills: ok so nc -l -p 1194 -u -e cmd.exe says: can't grab 0.0.0.0:1194 with bind
16:48 < Bushmills> aderouineau: ccd file is named after Common Name?
16:49 < aderouineau> yes and the client does mention that IP
16:49 < aderouineau> but cannot successfully connect
16:49 -!- ping-pong [~qwerty@212-30-223-89.static.simnet.is] has quit [Ping timeout: 240 seconds]
16:50 < Bushmills> Alonea1: already running openvpn,  bound to udp/1194?
16:51 < Bushmills> aderouineau: 
16:51 < Bushmills> !logs
16:51 <@vpnHelper> Bushmills: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin
16:53 < Alonea1> !pb
16:53 <@vpnHelper> Alonea1: "pb" is Use our pastebin to post configs and logs at http://openvpn.pastebin.ca rather than posting to the channel.
16:54 -!- luneff [~yury@84.51.198.114] has joined #openvpn
16:54 -!- sonicman_ [~admin@h7.3.89.75.dynamic.ip.windstream.net] has joined #openvpn
16:56 -!- sonicman [~admin@periwinkle.feralhosting.com] has quit [Read error: Operation timed out]
16:56 -!- sonicman_ is now known as sonicman
16:56 < aderouineau> Bushmills: http://nopaste.info/d2e34d59a6.html
16:56 -!- bitterman [~yury@84.51.198.114] has quit [Ping timeout: 252 seconds]
17:00 < Bushmills> client can't connect to server because there is no route to server?
17:01 < Alonea1> Bushmills: Since I really have no idea here is my log when I start my server, my ipconfig /all list, and I can copy my server config file as well
17:01 <@vpnHelper> RSS Update - pastebin: Miscellany <http://pastebin.ca/2002395>
17:01 < Alonea1> Bushmills: http://openvpn.pastebin.ca/2002395
17:02 < aderouineau> Bushmills: for some reason it's trying to find the normal address of the gateway (the one used for the ip range)
17:03 < Bushmills> no idea what "normal address" means - client specifies remote address in its config file (or on command line)
17:03 < Alonea1> Bushmills: think I might have pasted a the ipconfig a couple times by accident there, but you get idea...
17:03 -!- ping-pong [~qwerty@v01.vedur.is] has joined #openvpn
17:03 < Bushmills> Alonea1: i didn't look at those - still waiting for reply to "already running openvpn,  bound to udp/1194?"
17:05 < aderouineau> Bushmills: my server is set to "route 172.31.41.0 255.255.255.128"
17:05 < aderouineau> so its "normal" IP is 172.31.41.1
17:05 < Alonea1> Bushmills: I don't understand. I have no idea what I am doing. I just tried to follow the how to. Where do I see what its bound to? Here is my server config: http://openvpn.pastebin.ca/2002400
17:07 <@vpnHelper> RSS Update - pastebin: Alonea's server config <http://pastebin.ca/2002400>
17:07 < Bushmills> Alonea1: you need somebody more windows savvy than me, esp. in respect to starting and stopping services
17:09 < Bushmills> or checking whether they run
17:09 < Alonea1> Bushmills: I just don't understand if I can even do this or not. I don't have a static ip or router and I don't get this line from the config: server-bridge 10.8.0.4 255.255.255.0 10.8.0.100 10.8.0.150 . Am I supposed to use the ip thats on my bridge or something made up like that?
17:10 < Bushmills> aderouineau: your pasted logs show no indication that client can reach server and connect to it at all. 
17:11 < Bushmills> Alonea1: (23:16:36) Bushmills: server could be a different machine.  if it must be yours, and you have dynamic ip address, you need to set up a host name for your ip address, which gets updated when your ip address changes. let clients connect to machine with that hostname
17:12 < aderouineau> Bushmills: http://pastebin.ca/2002406
17:12 < Alonea1> Bushmills: I don't have any other machine to use but this one and my laptop. I don't know how to set up a host name. I don't understand how to check if that udp/tcp thing will work or not.
17:12 < Bushmills> but your efforts will be wasted if you find out later that your internet connection doesn't allow incoming udp, or opening tcp connections 
17:13 < Bushmills> therefore you want to test that before, and use netcat. but not being able to bind to openvp default port may mean that something - openvpn - is bound already. i have no idea how to check that with windows.
17:15 < Alonea1> could I run netcat from my laptop with linux? there is no openvpn on it though.
17:16 < Alonea1> well, according to my server.ovpn the port is set to 1194 and then proto udp
17:16 < aderouineau> Bushmills: so?
17:19 < Bushmills> aderouineau: pass gateway as well, besides destination and netmask
17:20 < aderouineau> Bushmills: "pass"? what do you mean?
17:20 < Bushmills> specifiy
17:21 < aderouineau> server 172.31.41.0 255.255.255.0
17:21 < aderouineau> route 172.31.41.200 255.255.255.252
17:22 < aderouineau> push "route 172.24.42.0 255.255.255.0"
17:22 < aderouineau> that's the interesting part of server config
17:22 < Bushmills> route network/IP [netmask] [gateway]
17:22 < aderouineau> and for the client config file!
17:22 < aderouineau> s/!/:
17:22 < aderouineau> ifconfig-push 172.31.41.202 172.31.41.201
17:23 < Bushmills> if there's no route to gateway, you may need a host route to gateway
17:23 < aderouineau> Bushmills: how can I make it so that normal clients get the normal route, and my client gets route through 172.31.41.201 ?
17:25 < Bushmills> ypu can push alternative routes from ccd file of your client
17:25 < aderouineau> how will openvpn know not to push the default route ?
17:26 < Bushmills> don't put them in main config, but in ccd files of other clients
17:26 < aderouineau> Bushmills: no can do; dozens of clients can connect
17:27 < Alonea1> Bushmills: ok, I changed the port to 1234 in my server config and in my terminal I did nc -u localhost 1234 and it worked.
17:27 < Bushmills> alternatively, run an --route-up script on your client, which tores down the wrong route
17:27 < Bushmills> tears down
17:28 < Bushmills> Alonea1: good. proceed
17:29 < aderouineau> Bushmills: perhaps i'll tell you what i want to do exactly and you could give me some advice
17:29 < Alonea1> Bushmills: I tried port 1194 and it wouldn't bind.
17:29 < Alonea1> Bushmills: but 1234 works
17:29 < Bushmills> or use route-noexe on client, to prevent setting routes at all. add them on client
17:29 < aderouineau> I set up OpenVPN for a small structure (dozens of people) that uses RADIUS for authentication against Active Directory
17:30 < aderouineau> and i want to set up firewall rules for the default VPN clients so that they can't access everything on the local network
17:30 < aderouineau> but i also want to be able to connect and have full access
17:31 < Bushmills> i split clients into two groups, a /25 subnet each
17:31 < Bushmills> one subnet is less, the other more privileged
17:32 < Alonea1> Bushmills: ok. now. 1. How do I make a hostname? 2. What what I put in my server config then?
17:32 < aderouineau> one subnet would be dhcp (server subnet mask), and the other would use static ip's
17:32 < aderouineau> right?
17:33 < Bushmills> Alonea1: check out services like noip.com or dyndns.org.  no relationship to server config.
17:33 < Bushmills> aderouineau: right
17:34 < Alonea1> Bushmills: Ok, I know noip.com somewhat. Let me look at that.
17:34 < Bushmills> the more privileged group through ccd, allowing to refine options
17:34 < aderouineau> and since i want both normal clients (through dhcp) and my computer to be able to access 172.24.42.0/24 through the VPN gateway
17:34 < aderouineau> how am I supposed to configure ?
17:36 < Bushmills> aderouineau:  how is AD and Radius related to routing a subnet through vpn?
17:36 < Bushmills> seems to me like two different aspects of your setup
17:36 < aderouineau> in my case it isn't; just wanted to specify
17:37 < Bushmills> for routing subnet, you'd set up routes on clients, through vpn, and routes on server, for return traffic
17:37 < Bushmills> here's a document, which is more specific about the setup:
17:37 < Bushmills> !route
17:37 <@vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:39 < Bushmills> gotta go
17:39 < aderouineau> bye
17:40 < Alonea1> Bushmills: Ok, so the hostname would then go into the client config files right?
18:05 -!- ping-pong [~qwerty@v01.vedur.is] has quit [Ping timeout: 245 seconds]
18:11 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has quit [Read error: Connection reset by peer]
18:15 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
18:15 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
18:15 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
18:22 -!- ping-pong [~qwerty@212-30-223-89.static.simnet.is] has joined #openvpn
18:27 < Alonea1> yay!!! I just saw my dad connect to me on my screen. Now. How do I make a fileshare in windows 7?
18:36 -!- aderouineau [oreo@AGrenoble-152-1-69-241.w83-201.abo.wanadoo.fr] has quit [Read error: Connection reset by peer]
18:36 -!- aderouineau [oreo@AGrenoble-152-1-69-241.w83-201.abo.wanadoo.fr] has joined #openvpn
18:39 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
18:43 < Alonea1> anyone know how to set up a fileshare in windows once you got a vpn connection setup with bridge?
18:43 < aderouineau> Alonea1: that's beyond the scope of openvpn
18:44 -!- s7r [~s7r@89.39.174.74] has left #openvpn []
18:49 < Alonea1> aderouineau: er, I am just confused about this bridging thing. in the client config, does this line stay commented out? ;dev-node tap-bridge
18:50 < aderouineau> if you managed to communicate with your dad, why change the configuration?
18:51 < Alonea1> aderouineau: well, I thought the shared stuff was supposed to show up automatically with a bridged connection and I thought it might not be working because of that. 
18:51 < Alonea1> aderouineau: the how to says: OpenVPN clients should see server-side machines in their network neighborhood.
18:51 < aderouineau> Alonea1: that would probably be because ARP requests are not passed through
18:51 < aderouineau> that shouldn't matter too much if you don't need to rely on broadcasts
18:52 < aderouineau> can you ping your dad's computer?
18:52 < Alonea1> aderouineau: so why doesn't he see anything in his network neighborhood with my name on it?
18:52 < Alonea1> aderouineau: umm. let me see. I ping the ip of his that the log shows?
18:52 < aderouineau> yes
18:53 < Alonea1> aderouineau: yes, I am getting replies
18:54 < aderouineau> so just do in windows browser: \\YOUR_DAD_S_IP
18:55 < Alonea1> aderouineau: nothing seems to happen
18:56 < Alonea1> aderouineau: says windows can't access it
18:57 < aderouineau> hmm i guess you need to search on google for openvpn netbios
18:57 < aderouineau> ping works so the computers can communicate
18:57 < aderouineau> but netbios isn't passed through it seems
18:58 < Alonea1> aderouineau: not familar with netbios. also, I only asked about that tap thing because it says you set the protocol in the client to tap if the server is tap, so I was wondering if it needed the connection name as well on his machine
19:00 < Alonea1> aderouineau: ok so windows says that file and print sharing resource (his ip) is online but isn't responding to connection attempts
19:00 < aderouineau> sorry but i can't help on that
19:01 < Alonea1> aderouineau: its ok. I did find under the bridge that netbios was disabled. I enabled it. going to try again here.
19:09 -!- _zero_ [~zero@noc.toile-libre.net] has quit [Ping timeout: 240 seconds]
19:17 -!- ruben23 [~RLACUMBA@121.97.111.142] has quit [Read error: Connection reset by peer]
19:20 -!- _zero_ [~zero@noc.toile-libre.net] has joined #openvpn
19:21 < Alonea1> I am thinking windows 7 has some security settings somewhere preventing the share from happening...will figure it out tomorrow
19:21 < aderouineau> yes
19:21 < aderouineau> you need to change firewall settings
19:21 < aderouineau> try to disable it temporarily
19:30 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has quit [Remote host closed the connection]
19:54 < Alonea1> aderouineau: it is disabled. I think the share is messed up. windows 7 is horrid sometimes, but I like it overall
19:54 < aderouineau> me too =)
19:57 < Alonea1> aderouineau: I have a friend who might be able to help me with the shared thing. At least the vpn is working. step 1 completed
19:57 < aderouineau> ^^
19:58 < aderouineau> you have two things to check
19:59 < aderouineau> 1, which is the most important) firewall rules on both computers, and that both interfaces allow netbios protocol and windows client and server (for the computer sharing) services
19:59 < aderouineau> 2) check that broadcasts are transfered from one LAN to the other
20:08 -!- kaushal1 [~kaushal@triband-mum-120.61.17.124.mtnl.net.in] has joined #openvpn
20:08 < kaushal1> Hi
20:08 < aderouineau> kaushal1: hello
20:08 < kaushal1> aderouineau: Hi
20:09 < aderouineau> sup?
20:09 < kaushal1> I am using Linux Desktop and running Openvpn client running as daemon mode
20:09 < kaushal1> It works perfectly fine
20:10 < kaushal1> The issue is that my Internal DNS Server details are not populated to /etc/resolv.conf
20:10 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
20:10 < aderouineau> kaushal1: does the server push or does your client config add the entry?
20:10 < kaushal1> How do i overcome the issue ?
20:11 < kaushal1> I havent added anywhere in the server or on the client
20:11 < kaushal1> It works perfectly for windows Client
20:12 < daemon> kaushal1, use mans best friend; vodka and cigrettes; sit with both until the answer becomes clear.
20:12 < aderouineau> kaushal1: that's surprising...
20:12 < kaushal1> daemon: Please dont use sarcasm
20:12 < aderouineau> daemon: not a good name to choose if you want to avoid highlights XD
20:13 < daemon> Who says I was being sarcastic >:-)
20:13 < kaushal1> daemon: avoid trolling please
20:13 < daemon> aderouineau, Yeah I have had it since this place was openprojects to; call me a gluten for punishment
20:13 < aderouineau> kaushal1: your clients cannot know by default the existence of your internal dhcp server
20:13 < daemon> kaushal1, are you even aware what trolling is?
20:13 < aderouineau> either the server has to push its IP, or the client config has to do it
20:14 -!- Alonea1 [~Alonea@129.21.146.94] has left #openvpn []
20:16 < daemon> aderouineau, I am not a openvpn professional just a theoretical question, would it be possible to fake sending a dhcp lease out to the client with an incredibly low refresh interval so after the primary tunnel has been created the client automatically requests a new lease from his DHCP server
20:16 -!- kaushal [~kaushal@triband-mum-120.61.16.45.mtnl.net.in] has joined #openvpn
20:16 < kaushal> aderouineau: sorry got disconnected
20:17 < kaushal> please suggest further
20:17 < aderouineau> kaushal: did you get what i wrote ?
20:17 < daemon> kaushalhttp://pastie.org/1326864
20:17 < daemon> hmm kaushal http://pastie.org/1326864
20:17 < aderouineau> daemon: i'm not sure openvpn uses true DHCP
20:17 -!- kaushal1 [~kaushal@triband-mum-120.61.17.124.mtnl.net.in] has quit [Ping timeout: 250 seconds]
20:18 < daemon> aderouineau, but it can transport layer 2, for use with samba etc so in theory it would be possible
20:19 < aderouineau> daemon: don't think so; there's no lease in openvpn
20:19 < daemon> at least thats how I see it; it also took me 3 weeks to get my openvpn rig setup right ;)
20:19 < kaushal> aderouineau: sure
20:19 < aderouineau> daemon: if a client changes his IP in subnet topology, the connection becomes kaput
20:19 < kaushal> so if i add the DNS search and nameserver in client config it would pust it to /etc/resolv.conf ?
20:20 -!- luneff [~yury@84.51.198.114] has quit [Ping timeout: 250 seconds]
20:20 -!- faustisch [~ali@212.16.80.160] has joined #openvpn
20:20 < kaushal> push*
20:20 < aderouineau> kaushal: yes, but you might need to decrease openvpn security level on the client
20:20 < aderouineau> depending on if an external command is needed
20:20 < aderouineau> to push dns
20:20 < kaushal> ok
20:20 < faustisch> I want to route my Linux machine's traffice through a SSH tunnel, is it possible at all? Please kindly give me some hints.
20:21 < aderouineau> kaushal: why not have the server push those dhcp options? seems easier to me
20:21 < kaushal> ok
20:21 < aderouineau> faustisch: this is not the channel for that. you could use openvpn for what you want though
20:21 < kaushal> aderouineau: i do not have any control on the server
20:22 -!- luneff [~yury@84.51.198.114] has joined #openvpn
20:22 < kaushal> so you said decrease security level on client
20:22 < kaushal> what parameters i need to set
20:22 < aderouineau> kaushal: could you get the admin to push those options? or he has reasons for clients to not use the local dns server?
20:22 < faustisch> aderouineau, shall run an OpenVPN server locally, or I can accomplish that with OpenVPN client?
20:22 < kaushal> yes
20:22 < kaushal> aderouineau: he has reasons not to use the local dns server
20:23 < aderouineau> faustisch: you need to configure a server on the remote endpoint and a client on your computer
20:24 < faustisch> aderouineau, you did not get what I'm trying to do, never mind though
20:25 < aderouineau> faustisch: perhaps you can explain then
20:25 < kaushal> so add these line --> push "dhcp-option DNS your.dns.ip.here" push "dhcp-option DOMAIN yourdomain.com" in client config
20:25 < faustisch> aderouineau, oh thank you! I'm behind a backward-ass theocratic tyrany's censorship and I only have an ssh account on a shared hosting
20:25 < aderouineau> well that would be for the server; i don't know if they work on config
20:26 < aderouineau> you can always try kaushal
20:26 < faustisch> aderouineau, I can't run OpenVPN on the remote host, but I do have ssh access (ssh tunneling)
20:26 < aderouineau> faustisch: you cannot create a tun interface on the remote host?
20:26 < kaushal> aderouineau: is there a docs about openvpn for client config
20:26 < faustisch> aderouineau, no
20:26 -!- luneff [~yury@84.51.198.114] has quit [Read error: Connection reset by peer]
20:26 < faustisch> aderouineau, via ifconfig? no
20:27 < aderouineau> faustisch: well this channel is not really the right one for ssh tunnelling, but basically you just have to configure your ssh client for tunelling
20:27 < aderouineau> if you're using windows it's very easy with putty
20:27 < faustisch> aderouineau, I know, but I can't configure the ssh daemon on the remote host
20:27 -!- luneff [~yury@84.51.198.114] has joined #openvpn
20:27 < aderouineau> kaushal: http://www.subvs.co.uk/openvpn_resolvconf
20:27 <@vpnHelper> Title: openvpn and resolv.conf | SubVS.co.uk (at www.subvs.co.uk)
20:28 < faustisch> aderouineau, I'm looking for a way to route all my traffic through the ssh tunnel via openvpn
20:28 < aderouineau> faustisch: you shouldn't have to
20:29 < faustisch> aderouineau, the ssh man page and several Linux Journal and O'Reilly articles say I should configure a tun interface or the ssh on the remote machine
20:29 < aderouineau> faustisch: well i was talking about forwarding traffic for ports
20:29 < faustisch> aderouineau, btw thanks fo helping e out
20:30 < aderouineau> if you're in a bad regime, it's mainly web browsing that you're looking for
20:30 < aderouineau> just forward ports 80 (http) and 443 (https), and perhaps email
20:31 < faustisch> aderouineau, Ubuntu won't update, they have restricted access to many repositories for Iran-based IPs
20:31 -!- Mkools [~mukul@117.196.212.17] has joined #openvpn
20:31 < aderouineau> ubuntu uses http or ftp
20:31 < aderouineau> just forward them
20:31 < faustisch> faustisch, tsocks doesn't work with apt-get coz apt-get runs wget within it and it will run outside the tsocks wrap
20:31 < Mkools> Bushmills: Sorry I lost connection yesterday
20:31 < faustisch> aderouineau,  tsocks doesn't work with apt-get coz apt-get runs wget within it and it will run outside the tsocks wrap
20:32 < aderouineau> Mkools: he's not here
20:32 < aderouineau> faustisch: i didn't mention tsocks
20:32 < Mkools> Busmills: yesterday I asked you about loss of connectivity to internet
20:32 < aderouineau> i mentioned ssh tunnel
20:33 < aderouineau> faustisch: http://www.linuxhorizon.ro/ssh-tunnel.html
20:33 <@vpnHelper> Title: LiNUX Horizon - SSH Port Forwarding (SSH Tunneling) (at www.linuxhorizon.ro)
20:33 < faustisch> aderouineau, ok, when you run an ssh tunnel, ssh accepts transaction through a local SOCKS5 port, am I right?
20:33 -!- luneff [~yury@84.51.198.114] has quit [Read error: Connection reset by peer]
20:33 < aderouineau> faustisch: i don't think so
20:33 < faustisch> aderouineau, ssh -oTCPKeepAlive=no -oServerAliveInterval=8 -p5678 -C -D 7070 -l azadrahk 64.16.193.80
20:34 < faustisch> aderouineau, -D is for the local proxy port
20:34 -!- luneff [~yury@84.51.198.114] has joined #openvpn
20:34 < faustisch> aderouineau, ssh -p5678 -C -D 7070 -l azadrahk 64.16.193.80
20:34 < aderouineau> ah wait a minute
20:34 < faustisch> aderouineau, maybe I'm wrong
20:34 < faustisch> aderouineau, let me read your link
20:34 < aderouineau> nvm about tunelling; you'd have to do it for each host you access on the net
20:35 < aderouineau> you could set up privoxy (http proxy) on the ssh server
20:35 < aderouineau> can't you just use TOR though?
20:35 < Mkools> hey can any one help me out with my problem of domain name?
20:35 < Mkools> and interfaces
20:36 < faustisch> aderouineau, no, tsocks won't properly wrap apt-get
20:36 < faustisch> aderouineau, there's no other way for getting apt-get to communicate through a proxy
20:37 < aderouineau> then idk :/
20:37 < aderouineau> i'm pretty tired so i can't think very straight right now
20:37 < aderouineau> sorry
20:38 < faustisch> aderouineau, thanks so much for your dedicating precious time, bro :)
20:38 < aderouineau> well no
20:38 < aderouineau> i wasn't of any help
20:41 < Mkools>  Consider my situation: I have 4 inter faces 1. loopback 2. eth3 (facing Internet) 3. eth4 (configured my own dns server using bind 9) 4. tun0
20:41 < Mkools>  I have openvpn clients on address range 10.x.x.x facing tun0
20:41 < Mkools>  What should I edit in windows client file in domain name?
20:41 < Mkools>  so that my two openvpn clients should connect?
20:41 < Mkools>  thanks in advance
20:41 < Mkools>  when I edit my resolv.conf file and interfaces files I lost connectivity to the internet. How should I edit files to get connection to Internet as well as windows openvpn client.
20:41 < Mkools>  Both the clients are connected directly to Internet using modem
20:41 -!- Mkools was kicked from #openvpn by vpnHelper [Flooding detected. Please use http://openvpn.pastebin.ca for posting logs or configs.]
20:43 < kaushal> Hi
20:44 < kaushal> I could see it in http://article.gmane.org/gmane.network.openvpn.user/20057/match=foreign_option_n
20:44 -!- Mkools [~mukul@117.196.212.17] has joined #openvpn
20:44 <@vpnHelper> Title: Gmane -- Mail To News And Back Again (at article.gmane.org)
20:44 < kaushal> It does not mention about Linux OS specific
20:44 < aderouineau> kaushal: cool
20:44 < faustisch> aderouineau, what is the local port to which the web server responds?
20:45 < Mkools> kaushal: talking to me?
20:45 < kaushal> Mkools: nope
20:45 < kaushal> i was referring to aderouineau
20:46 < aderouineau> Mkools: domain name doesn't need to be set for that
20:46 < aderouineau> you need to add client-to-client in openvpn server config
20:46 < aderouineau> for clients to communicate with each other
20:47 < Mkools> aderouineau: But client.conf file wants some domain name. it's there in docs.
20:48 < aderouineau> weird
20:48 < kaushal> aderouineau: I will update you with my findings
20:49 < Mkools> what weird?
20:50 < Mkools> aderouineau: I know I want to use a bridge if I want to play games. Can I play games with this client-client connection
20:51 < aderouineau> bridge?
20:51 -!- kaushal [~kaushal@triband-mum-120.61.16.45.mtnl.net.in] has left #openvpn []
20:53 < Mkools> aderouineau: Forget that bridge, can I play LAN game with this setup?
20:53 -!- bitterman [~yury@84.51.198.114] has joined #openvpn
20:55 < Mkools> aderouineau: I am using this doc http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
20:56 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
20:56 -!- luneff [~yury@84.51.198.114] has quit [Ping timeout: 240 seconds]
20:58 < Mkools> aderouineau: Should I add client-to-client in server.conf
20:58 < aderouineau> Because the OpenVPN server mode handles multiple clients through a single tun or tap interface, it is effectively a router. The --client-to-client flag tells OpenVPN to internally route client-to-client traffic rather than pushing all client-originating traffic to the TUN/TAP interface. 
20:59 < aderouineau> but then i think you have to SNAT your VPN subnet to access other networks
20:59 < aderouineau> since routing is handled internally
20:59 < aderouineau> but i'm not sure
21:01 < Mkools> aderouineau: Hey, my case is very simple, I have no LAN behind my two machines. Both machines are directly connected to Internet through modem.
21:02 < aderouineau> oh ok
21:02 < aderouineau> Mkools: then just use TAP interface and bridge completely
21:03 < aderouineau> and don't use client/server configuration
21:03 < aderouineau> but peer to peer
21:04 < Mkools> aderouineau: Any doc on that? The doc that I mentioned above doesn't that do the same thing.
21:04 < aderouineau> i haven't played with that yet so i can't help you for config
21:04 < aderouineau> look at the official documentation
21:04 < aderouineau> try site to site openvpn on google too
21:06 < Mkools> aderouineao: How to implement the first statement suggested by you?
21:06 < Mkools> the TAP interface and the bridge thing.
21:09 < aderouineau> as i haven't fooled with it, i cannot help you; sorry.
21:28 < Mkools> Can any one help me out with this?
21:33 -!- _zero_ [~zero@noc.toile-libre.net] has quit [Ping timeout: 264 seconds]
21:45 -!- _zero_ [~zero@noc.toile-libre.net] has joined #openvpn
21:49 -!- kaushal_ [~kaushal@115.118.228.207] has joined #openvpn
21:49 < kaushal_> hi
21:49 < kaushal_> aderouineau: hi again
21:49 < kaushal_> i just checked the openvpn server configs
21:50 < kaushal_> I see push "dhcp-option DOMAIN ..." 
21:50 < kaushal_> dont know why its not populating in my /etc/resolv.conf
21:50 < kaushal_> I tried adding the same in the client configs
21:50 < kaushal_> it didnot worked
21:51 < Mkools> kaushal: I think it is always overwritten by some programmes.
21:51 < kaushal_> Mkools: yes
21:51 < kaushal_> i believe so
21:51 < kaushal_> so how do i address it
21:51 < kaushal_> # Generated by NetworkManager
21:52 < kaushal_> wierd 
21:52 < kaushal_> I am on Ubuntu Linux 10.04 Desktop
21:52 < Mkools> kaushal_: Indian? Hindi ? 
21:52 < kaushal_> ?
21:53 < Mkools> kaushal: I don't know how to handle it? Do you know hindi?
21:53 < kaushal_> yes
21:53 -!- aderouineau [oreo@AGrenoble-152-1-69-241.w83-201.abo.wanadoo.fr] has quit [Ping timeout: 240 seconds]
21:53 < Mkools> chal bade hindi mein bolta hoon, kaha se hai?
21:53 < kaushal_> why is that relevant
21:54 < kaushal_> Mkools: please stick to the /topic
21:54 < Mkools> kaushal_: relevant toh nahi hai, par accha lagta hai jab hindi mein bolta hoon toh. Nahi mujko nahi pata teri problem kaise solve karna?
21:55 < Mkools> Sorry, I don't know how to solve your problem?
21:56 < Mkools> kaushal_: I think you don't prefer Hindi
21:58 < Mkools> kaushal_: Can you help me out with my problem?
22:00 -!- Mkools [~mukul@117.196.212.17] has quit [Quit: Leaving]
22:08 -!- kaushal_ [~kaushal@115.118.228.207] has quit [Quit: leaving]
23:09 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
23:27 -!- skullone [skullone@galaxy.distant.net] has left #openvpn []
23:38 <@vpnHelper> RSS Update - forum: Off Topic, Related :: Buffy shows hope and courage :: Author nicyling <https://forums.openvpn.net/viewtopic.php?f=1&t=7321&p=8551#p8551> || Off Topic, Related :: I recommend you watch Curb Your Enthusiasm :: Author nicyling <https://forums.openvpn.net/viewtopic.php?f=1&t=7322&p=8552#p8552> || Off Topic, Related :: Sex and the City was certainly memorable. :: Author nicyling <https://forums.openvpn.net/viewtopic.php?f=1&t=732
23:44 <@vpnHelper> RSS Update - forum: Off Topic, Related :: Your Baby Can Read will help your child learn to read :: Author nicyling <https://forums.openvpn.net/viewtopic.php?f=1&t=7324&p=8554#p8554>
23:58 -!- razorx [~razorX@h-157-112.A155.priv.bahnhof.se] has quit [Ping timeout: 240 seconds]
23:59 -!- razorx [~razorX@h-157-112.A155.priv.bahnhof.se] has joined #openvpn
--- Day changed Fri Nov 26 2010
00:04 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 245 seconds]
00:24 -!- _zero_ [~zero@noc.toile-libre.net] has quit [Ping timeout: 265 seconds]
00:34 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
00:41 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
01:04 -!- _zero_ [~zero@noc.toile-libre.net] has joined #openvpn
01:10 -!- faustisch [~ali@212.16.80.160] has left #openvpn ["Ex-Chat"]
01:13 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
01:30 -!- mape2k [~jabber@jabber.pennewiss.de] has joined #openvpn
01:33 <@vpnHelper> RSS Update - forum: Installation Help :: site-to-site MTU issues??? :: Author zbadone <https://forums.openvpn.net/viewtopic.php?f=5&t=7325&p=8555#p8555>
01:36 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has joined #openvpn
01:38 -!- noogenesis [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn
01:38 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has quit [Read error: Connection reset by peer]
01:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
02:02 -!- techqbert [~jim@c-68-32-38-158.hsd1.pa.comcast.net] has quit [Quit: techqbert]
02:24 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
02:26 -!- k4r4mb4 [user@puffs.ganja.nl] has quit [Quit: quiting]
02:34 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
02:34 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
02:34 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
02:39 -!- p3rror [~mezgani@41.140.179.106] has quit [Ping timeout: 252 seconds]
02:40 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
02:44 -!- p3rror [~mezgani@41.140.179.106] has joined #openvpn
02:54 -!- aliverius [~george@athedsl-377917.home.otenet.gr] has quit [Quit: No Ping reply in 180 seconds.]
02:55 -!- aliverius [~george@athedsl-377917.home.otenet.gr] has joined #openvpn
03:00 -!- NephFL [434e9576@gateway/web/freenode/ip.67.78.149.118] has quit [Ping timeout: 265 seconds]
03:04 -!- dazo_afk is now known as dazo
03:25 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
03:26 -!- bitterman [~yury@84.51.198.114] has quit [Quit: Leaving]
03:33 -!- kish [~o2@unaffiliated/spice] has joined #openvpn
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 252 seconds]
03:46 <@dazo> krzee: ecrist:  Have you guys seen this one?  http://www.guizmovpn.com/
03:46 <@dazo> (at first glance, it looks pretty decent and clever)
03:46 -!- master_of_master [~master_of@p57B54B62.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
03:47 <@dazo> (at least from the user experience side of it)
03:48 -!- master_of_master [~master_of@p57B559A1.dip.t-dialin.net] has joined #openvpn
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:54 -!- DeafGoose [~Adium@5e014683.bb.sky.com] has joined #openvpn
03:55 < DeafGoose> Hello all, can I ask a openvpn-as question here?
03:58 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
04:00 -!- sedulous [~sed@2001:41d0:2:46c1::1] has joined #openvpn
04:00 < sedulous> can I use OpenVPN over a SOCKS4 proxy?
04:01 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
04:03 < sedulous> (or SOCKS5)
04:03 <@vpnHelper> RSS Update - forum: Server Administration :: --client-config-dir problems :: Author muffty <https://forums.openvpn.net/viewtopic.php?f=4&t=7326&p=8556#p8556>
04:04 <@dazo> sedulous: yes, SOCKS is supported ... look at the man page and search for SOCKS
04:04 <@dazo> !as
04:04 <@vpnHelper> dazo: "as" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations options
04:04 <@vpnHelper> dazo: supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
04:04 <@dazo> DeafGoose: ^^^
04:05 < DeafGoose> dazo, thanks, I have gone through the material, I got openvpn-as already installed and running, theres just one thing I cant seem to figure out how to do
04:05 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Ping timeout: 265 seconds]
04:06 < sedulous> DeafGoose: cool thanks
04:06 < DeafGoose> I can connect to all IPs on my server however if I do a ip-lookup, my ip always shows me to be connected on the primary ip of the server
04:06 < DeafGoose> I wanted to show the ip i connected to do you what i mean?
04:07 <@dazo> DeafGoose: well, AS is a commercial product with it's own support channels ... and due to some of the differences in the configs, we don't know too much about it here ... and OpenVPN Tech. have asked us to forward AS users to their support channels as well
04:07 < DeafGoose> alright
04:07 < DeafGoose> I will contact them :)
04:07 < DeafGoose> thanks again
04:07 <@dazo> no problem
04:09 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Read error: Connection reset by peer]
04:09 -!- mattock1 [~samuli@dyn55-11.yok.fi] has joined #openvpn
04:11 -!- luneff [~yury@84.51.198.114] has joined #openvpn
04:13 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 255 seconds]
04:17 -!- luneff [~yury@84.51.198.114] has quit [Read error: Connection reset by peer]
04:33 -!- DeafGoose [~Adium@5e014683.bb.sky.com] has left #openvpn []
04:48 -!- p3rror [~mezgani@41.140.179.106] has quit [Ping timeout: 272 seconds]
04:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
05:02 -!- kerfe [~a@66.pool85-60-140.dynamic.orange.es] has joined #openvpn
05:05 -!- mape2k [~jabber@jabber.pennewiss.de] has left #openvpn []
05:14 -!- lmns972 [~lmns972@cac94-8-82-245-26-103.fbx.proxad.net] has joined #openvpn
05:15 < lmns972> !goal
05:15 <@vpnHelper> lmns972: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
05:16 < lmns972> I would like to access the lan behind the server
05:16 < Bushmills> !route
05:16 <@vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
05:16 < Bushmills> !serverlan
05:16 <@vpnHelper> Bushmills: "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
05:20 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 265 seconds]
05:20 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
05:20 < lmns972> hello everybody 
05:20 < lmns972> I just set up a vpn it works for now but not like I want.
05:21 < lmns972> the vpn server is connected to a client B (ok) but the customer C who is on LAN B can not join the server
05:21 < lmns972> I checked the roads, are turned forward, I don't see come the problem.
05:21 < krzie> sorry but customer C is on lan C
05:22 < krzie> :-p
05:22 < lmns972> krzie: :(
05:23 < lmns972> the customer is me 
05:23 < lmns972> so if you have a idea :)
05:24 < krzie> sure
05:24 < krzie> !clientlan
05:24 <@vpnHelper> krzie: "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a
05:24 <@vpnHelper> krzie: better explanation
05:25 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
05:25 < lmns972> !ipforward
05:25 <@vpnHelper> lmns972: "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
05:25 < lmns972> !linipforward
05:25 <@vpnHelper> lmns972: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
05:26 < lmns972> !ccd
05:26 <@vpnHelper> lmns972: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
05:26 < lmns972> !route
05:27 <@vpnHelper> lmns972: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
05:27 < lmns972> !route_outside_openvpn
05:27 <@vpnHelper> lmns972: "route_outside_openvpn" is (#1) http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) you do not need this if the vpn node IS the gateway for its lan
05:28 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
05:29 < Bushmills> "can not join the server" - what would be needed for customer to have joined a server?
05:33 < lmns972> yes is important for the client join the server
05:34 < lmns972> in the logs openvpn i have a error "MULTI: bad source address from client"
05:34 < Bushmills> what is it what client can't do?  can't connect with openvpn to openvpn server? can't use any services on server through openvpn?
05:36  * Bushmills thinks if the problem is that "client can't join server", the solution would probably be "to fix it"
05:37 < lmns972> yet the client may make just ssh. after the server will also monitor the number of clients on the LAN B
05:38 < Bushmills> if that helps, sure.
05:41 < lmns972> to fix it can you explain (because i'm french ) and i the expression i don't know 
05:41 < lmns972> sorry
05:42 < Bushmills> yes. to fix, in this context = to edit relevant configuration files, with the goal to remove configuration problems
05:44 < Bushmills> on't be sorry that you're french, it is not your fault
05:44 < Bushmills> don't
05:44 < lmns972> :)
05:45 < lmns972> thank for your help i test the configuration provided in ! route 
05:53 -!- _zero_ [~zero@noc.toile-libre.net] has quit [Read error: Connection reset by peer]
05:54 < krzie> lol Bushmills nice
05:55 < Bushmills> ?
05:56 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
05:58 -!- razorx [~razorX@h-157-112.A155.priv.bahnhof.se] has quit [Ping timeout: 252 seconds]
05:58 -!- razorx [~razorX@h-157-112.A155.priv.bahnhof.se] has joined #openvpn
06:15 -!- _zero_ [~zero@noc.toile-libre.net] has joined #openvpn
06:26 -!- EdwardIII [edward@unaffiliated/edward123] has joined #openvpn
06:26 < EdwardIII> hey
06:28 < EdwardIII> i'm trying to setup one of my servers on another network so i can use it kind of like a proxy. i've setup a tun connection on both and i've enabled push "redirect-gateway", but when i connect up the client it can't see the internet
06:28 < EdwardIII> i'm going to try nat between the virtual interface and the real one - if that's not the right thing to do could someone point me in the right direction?
06:29 < Bushmills> have you configured openvpn server as gateway?
06:30 < Bushmills> (openvpn server = the machine where openvpn server runs, not the openvpn program)
06:32 < ecrist> dazo: no, not seen that one.
06:32 < EdwardIII> sorry Bushmills how do you mean as gateway? do you mean does the client have the server's IP in the 'gateway' field?
06:33 < Bushmills> EdwardIII: it is not enough to route traffic through server. the server must also route that traffic to it WAN interface, and masquerade it
06:33 < EdwardIII> Bushmills, cool - that's what i'm trying to do now
06:33 < Bushmills> !redirect
06:33 <@vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
06:36 < EdwardIII> !nat
06:36 <@vpnHelper> EdwardIII: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
06:37 < ecrist> !iphone
06:37 <@vpnHelper> ecrist: "iphone" is (#1) http://github.com/jfx2006/OpenVPN_iphone/downloads for precompiled iphone binaries, or (#2) http://modmyi.com/cydia/package.php?id=15784 for the gui portion, or (#3) http://www.zdnet.com/blog/hardware/ubuntu-lucid-lynx-1004-can-read-your-iphones-secrets/8424 <-- be aware of that before putting your keys on an iphone
06:37 < Bushmills> http://scarydevilmonastery.net/masq
06:38 < Bushmills> (linux)
06:38 < ecrist> !learn iphone as see http://www.guizmovpn.com/ for an iOS client for OpenVPN for iPhone and iPad.
06:38 <@vpnHelper> ecrist: Joo got it.
06:38 < ecrist> !learn !ipad as see !iphone
06:38 <@vpnHelper> ecrist: Joo got it.
06:52 -!- sonicman [~admin@h7.3.89.75.dynamic.ip.windstream.net] has quit [Ping timeout: 252 seconds]
06:53 < krzie> looks like a decent app
06:53 < krzie> too bad it costs $
06:53 < EdwardIII> hey now i'm cooking
06:53 < ecrist> *shrug*  if an application works, I'm not opposed to paying a reasonable fee.
06:53 < EdwardIII> thanks Bushmills 
06:54 -!- sonicman [~admin@periwinkle.feralhosting.com] has joined #openvpn
06:54 < krzie> same, but im also not opposed to setting up openvpn myself for free
06:55 < krzie> although i dont trust the security of the iphone enough to put my vpn keys on it
07:01 < krzie> ooo actually they got passphrased certs working
07:01 < krzie> hrm, i may need to give that a shot
07:08 -!- luneff [~yury@84.51.198.114] has joined #openvpn
07:24 -!- luneff [~yury@84.51.198.114] has quit [Read error: Connection reset by peer]
07:25 -!- luneff [~yury@84.51.198.114] has joined #openvpn
07:30 -!- luneff [~yury@84.51.198.114] has quit [Read error: No route to host]
07:30 -!- luneff [~yury@84.51.198.114] has joined #openvpn
07:51 -!- Netsplit *.net <-> *.split quits: ScriptFanix, krzie, Fiouz, kraut, jpalmer, zxvff, nb, Visual`, ccr_, gorkhaan,  (+6 more, use /NETSPLIT to show all of them)
07:52 -!- Netsplit over, joins: Diffen2, krzie, sedulous, roentgen_, Visual`, ScriptFanix, blink_, MJD, kraut, nb (+5 more)
07:56 -!- septiq [~septiq@93.19.114.177] has joined #openvpn
08:03 < ecrist> shit
08:03 < ecrist> seems people have finally decided my wiki is worth spamming
08:07 < |Mike|> hehe
08:08 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
08:21 < ecrist> seriously, I just rolled back around 300 edits
08:21 < ecrist> made it easier they were all done by 4 users
08:21 < hyper_ch> howdy ecrist
08:21 < hyper_ch> how krzie
08:21 < ecrist> I have to actually put a captcha back up
08:23 < krzie> is that a surprise?
08:26 < ecrist> krzie: I haven't had a captcha in ~2 years
08:26 < ecrist> this is the first spam I've gotten since then.
08:28 < krzie> its the first hit on a common issue with common software
08:29  * ecrist enjoyed being under the radar
08:31 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
08:36 < |Mike|> ecrist: thanks
08:38 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
08:40 < ecrist> |Mike|: np.  you want admin?
09:02 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:08 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
09:11 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
09:29 -!- luneff [~yury@84.51.198.114] has quit [Read error: Connection reset by peer]
09:30 -!- luneff [~yury@84.51.198.114] has joined #openvpn
09:41 -!- septiq [~septiq@93.19.114.177] has quit [Quit: septiq]
09:41 -!- luneff [~yury@84.51.198.114] has quit [Quit: Leaving]
09:43 -!- septiq [~septiq@93.19.114.177] has joined #openvpn
09:46 -!- s7r [~s7r@89.39.174.74] has joined #openvpn
09:48 -!- septiq [~septiq@93.19.114.177] has quit [Ping timeout: 265 seconds]
09:49 -!- septiq [~septiq@93.19.114.177] has joined #openvpn
10:08 -!- luneff [~yury@84.51.198.114] has joined #openvpn
10:46 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has quit [Ping timeout: 264 seconds]
10:47 -!- meepmeep_ [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn
10:47 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Quit: Yippee-kay-yay]
10:47 -!- sonicman [~admin@periwinkle.feralhosting.com] has quit [Ping timeout: 250 seconds]
10:51 -!- razorx [~razorX@h-157-112.A155.priv.bahnhof.se] has quit [Read error: Connection reset by peer]
10:51 -!- razorx [~razorX@h-157-112.A155.priv.bahnhof.se] has joined #openvpn
10:54 -!- unspin [~unspin@S0106001451226d9c.vc.shawcable.net] has joined #openvpn
10:55 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined #openvpn
11:10 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
11:27 <@vpnHelper> RSS Update - forum: Server Administration :: Msi program with default icon :: Author nebrera <https://forums.openvpn.net/viewtopic.php?f=4&t=7327&p=8557#p8557>
11:31 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
11:35 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
11:48 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
11:54 -!- rjd_ [~rjd@212.112.31.11] has joined #openvpn
11:56 -!- powerunits [powerunits@119.152.77.30] has joined #openvpn
11:57 < powerunits> hey guys i ve install openserver on windows i can connect openvpn client... but i m unable to get ping between both machines 
11:57 < powerunits> please help on this
11:57 < powerunits> .. thanks ..
11:58 < hyper_ch> krzie: may I ask you a super simple question?
11:59 -!- dazo is now known as dazo_afk
12:02 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined #openvpn
12:02 < powerunits> any help please?
12:04 < hyper_ch> !welcome
12:04 <@vpnHelper> hyper_ch: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:04 < hyper_ch> !ping
12:04 <@vpnHelper> pong
12:07 -!- unspin [~unspin@S0106001451226d9c.vc.shawcable.net] has quit [Ping timeout: 276 seconds]
12:09 -!- unspin [~unspin@S0106001451226d9c.vc.shawcable.net] has joined #openvpn
12:12 -!- luneff [~yury@84.51.198.114] has quit [Quit: Leaving]
12:20 < |Mike|> ecrist: Nah :)
12:20 -!- unspin [~unspin@S0106001451226d9c.vc.shawcable.net] has quit [Quit: Leaving]
12:28 -!- blink_ [~blink@reality.is-after.me] has quit [Quit: leaving]
12:31 -!- Antarez [kruse@tranquility.quidor.net] has joined #openvpn
12:32 < |Mike|> bleap
12:33 < |Mike|> Antarez: ping
12:34 < Antarez> hi
12:35 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
12:35 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined #openvpn
12:39 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Remote host closed the connection]
12:43 < hyper_ch> hhi |Mike|
12:43 < hyper_ch> hi Antarez
12:49 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
12:49 -!- kerfe [~a@66.pool85-60-140.dynamic.orange.es] has quit [Ping timeout: 252 seconds]
12:58 -!- nelgin [~nigelreed@static-71-252-202-194.dllstx.fios.verizon.net] has joined #openvpn
12:58 < nelgin> Hi all. I am setting up openvpn client on Win 7, server on Linux. I can see that the gateway is being pushed but is empty on the Windows 7 in ipconfig. Any clues or suggestions?
12:58 < korozion> bbl
12:58 -!- korozion [korozion@linuxgeneration.org] has left #openvpn []
13:01 < Bushmills> !winroute
13:01 <@vpnHelper> Bushmills: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
13:01 < Bushmills> nelgin: ^^^
13:01 < nelgin> Thanks. Let me try that. 1 and 2 are on the windows side too I assume.
13:02 < Bushmills> right
13:02 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined #openvpn
13:03 < rjd_> what are some sane values for keepalive, considering server is in a highend datacentre in france and clients are likely to be on dsl/cable in the states?
13:03 < Bushmills> 10 60 is frequently used
13:03 < nelgin> Do I need to restart the gui everytime I change a setting?
13:04 < rjd_> Bushmills: ok, thanks. what if clients are more likely to be on fibre within 20ms of the server?
13:04 < rjd_> Bushmills: 2 30?
13:04 < Bushmills> you may go for 9 60, most likely your network will be able to withstand that extra traffic :P
13:05 < rjd_> I figure
13:06 < Bushmills> or 2 10
13:06 < nelgin> I added 1,2 and was alrealy running as admin but still no gateway. Not sure about turning off remote access, I need that.
13:06 < rjd_> is there general figures on how much more cpu comp-lzo will take? What are the factors?
13:06 < nelgin> I see the route if I do "route" but in ipconfig the gateway is empty.
13:06 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Client Quit]
13:06 -!- kish is now known as kimjongil
13:07 < Bushmills> rjd: size gain on already compressed files: about zero
13:07 < Bushmills> other than that: depends
13:07 < rjd_> oh, and that can be determined for zip|rar|gzip|bzip etc?
13:07 < Bushmills> right. compressed files don't compress well
13:07 < rjd_> silly me, I get it
13:09 < rjd_> Will the daemon use all cores efficently or would it make sense to run a daemon per core?
13:09 < nelgin> I don't see a "routing and remote access" option in Win7.
13:14 < rjd_> I withdraw my question, google answered
13:14 < krzie> [15:09]  <rjd_> Will the daemon use all cores efficently or would it make sense to run a daemon per core?
13:14 < krzie> single threaded, daemon per core
13:15 < nelgin> Hey in the Windows client config, it's asking for the name of the Tap device, would this be something like "Local Connection 2" or am I missing something?
13:16 < rjd_> krzie: and what guarantees that they dont use the same core?
13:16 < krzie> how busy is the system?
13:17 < krzie> if its super busy they could end up on the same core ild think
13:17 < krzie> however, ive never seen it happen
13:19 < krzie> but to answer your question, that is your kernels job
13:19 < rjd_> today idle, but will have up to a hundred extremely active users
13:24 < krzie> you'll be fine
13:24 < krzie> hell up to 100 you can likely just run 1 daemon
13:25 < krzie> its somewhere around 200 that ive heard of people running into problems
13:27 < nelgin> in the Windows client config, it's asking for the name of the Tap device, would this be something like "Local Connection 2" or am I missing something?
13:29 < krzie> nelgin, you have 2 openvpn configs or something?
13:29 < krzie> dev tap   normally works fine
13:29 < krzie> its when you need multiple VPNs on windows that youd need to actually define it
13:30 < nelgin> One on the server (Linux) one on the client (Windows 7). In the client config it says Windows needs the TAP-Win32 adapter na,e.
13:30 < nelgin> ok, so I can leave dev-node commented out then?
13:33 < nelgin> THis is pissing me off. I've tried both windows 7 and Vista and it cannot set the damn gateway for the interface (I'm using a bridged config fwiw)
13:34 < nelgin> I can see the server push "route-gateway" and it's received by the client but not getting set. *sigh*
13:39 < nelgin> No other clues?
13:40 < nelgin> I'm using wireless, would that made a difference?
13:45 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined #openvpn
13:55 < nelgin> Maybe it's the bridge on the linux side which is broken.
14:00 -!- powerunits [powerunits@119.152.77.30] has quit [Ping timeout: 245 seconds]
14:03 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has joined #openvpn
14:15 -!- powerunits [powerunits@119.152.77.30] has joined #openvpn
14:35 <@vpnHelper> RSS Update - pastebin: Anonymous <http://pastebin.ca/2003197> || Unnamed <http://pastebin.ca/2003191>
14:47 <@vpnHelper> RSS Update - pastebin: Anonymous <http://pastebin.ca/2003207>
15:15 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
15:23 < nelgin> So, any idea why I can establish a connection but not ping the server? Is there a way to test the bridge is properly setup?
15:24 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
16:00 -!- papas_son [~chatzilla@68-116-31-34.static.yakm.wa.charter.com] has quit [Quit: ChatZilla 0.9.85 [SeaMonkey 2.0.10/20101028140239]]
16:13 -!- kimjongi1 [~o2@unaffiliated/spice] has joined #openvpn
16:14 -!- Alonea [~Alonea@res55554966.rh.rit.edu] has joined #openvpn
16:15 < Alonea> well, I got things somewhat working now, but I ran into a problem on dad's computer. We set up the service to start automatically, but when he tries to connect with the OpenVPN Gui, it can't because it says it needs admin privs to open the log file. Dad is on XP and logged in as admin. What gives?
16:16 -!- kimjongil [~o2@unaffiliated/spice] has quit [Ping timeout: 252 seconds]
16:19 < Bushmills> !winroute
16:19 <@vpnHelper> Bushmills: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
16:20 < Bushmills> try #4
16:20 < Bushmills> (right click, properties, etc) 
16:20 < Alonea> Bushmills: well, here is the thing, Vista/7 you can right click, run as admin, but XP doesn't have that really.
16:21 < Bushmills> specify in client config a different path/file to log file. one where you can write to.
16:21 -!- mattock1 [~samuli@dyn55-11.yok.fi] has quit [Read error: Operation timed out]
16:22 < Alonea> Bushmills: well, here is the thing, OpenVPN was working fine if we had the service turned off, but now that its on it can't do the log when before it could.
16:24 < Alonea> I think I will just tell him to turn the service back off and just run openvpn gui manually.
16:26 < Alonea> Bushmills: Well, with my brother got everything working. He could see my shares. Dad still can't, but I am blaming XP at this point. Not sure what else to try there.
16:30 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
16:48 < reiffert> Alonea 3 : 25 #OpenVPN
16:49 < reiffert> Alonea: http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin.html
16:49 <@vpnHelper> Title: HowTo Run OpenVPN as a non-admin user in Windows (at openvpn.se)
16:52 < Alonea> reiffert: what does the 3: 25 stuff mean???
17:00 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Remote host closed the connection]
17:02 -!- luneff [~yury@84.51.198.114] has joined #openvpn
17:28 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
17:31 -!- corretico [~corretico@201.201.44.82] has quit [Remote host closed the connection]
17:45 -!- Aakash [~AakashPat@unaffiliated/aakashpatel] has joined #openvpn
17:45 < Aakash> Hey
17:46 < Aakash> I have done the following steps to set up my vpn server:  http://pastebin.com/6hKybWga
17:46 < Aakash> but for some reason I still cannot ping any other IP's on the subnet behind the router except the server's
17:46 < Aakash> Any ideas on what else I am doing wrong?
17:48 < |Mike|> re
17:48 < |Mike|> hyper_ch: jo :)
17:50 < Aakash> !welcome
17:50 <@vpnHelper> Aakash: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:50 < Aakash> !route
17:50 <@vpnHelper> Aakash: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:56 < Bushmills> !route
17:56 <@vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:56 < Bushmills> Aakash: ^^^
17:56 < Bushmills> !serverroute
17:56 <@vpnHelper> Bushmills: Error: "serverroute" is not a valid command.
17:56 < Bushmills> ehm
17:56 < Bushmills> !serverlan
17:56 <@vpnHelper> Bushmills: "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
17:57 -!- Hamlin [~Hamlin@unaffiliated/hamlin] has quit [Ping timeout: 260 seconds]
18:00 -!- Hamlin [~Hamlin@unaffiliated/hamlin] has joined #openvpn
18:04 -!- Aakash_ [~AakashPat@32.167.255.24] has joined #openvpn
18:04 -!- Aakash_ [~AakashPat@32.167.255.24] has quit [Changing host]
18:04 -!- Aakash_ [~AakashPat@unaffiliated/aakashpatel] has joined #openvpn
18:04 -!- Aakash_ [~AakashPat@unaffiliated/aakashpatel] has quit [Client Quit]
18:05 -!- Aakash [~AakashPat@unaffiliated/aakashpatel] has quit [Ping timeout: 255 seconds]
18:11 < krzie> !serverlan
18:11 <@vpnHelper> krzie: "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
18:12 < |Mike|> ahoy krzie 
18:12 < krzie> [19:46]  <Aakash> but for some reason I still cannot ping any other IP's on the subnet behind the router except the server's
18:12 < krzie> that points to this:
18:12 < krzie> !route_outside_ovpn
18:12 <@vpnHelper> krzie: "route_outside_ovpn" is "route_outside_openvpn" is (#1) http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) you do not need this if the vpn node IS the gateway for its lan
18:12 < krzie> arrr matey
18:13 < |Mike|> krzie: you're into the linkedin groups "openvpn" and "openvpn community" right?
18:13 < krzie> nope, i dont use linkedin
18:13 < krzie> nore do i plan on signing up
18:13 < krzie> ;]
18:13 < |Mike|> BEEAAAAAAAAATCH !
18:13 < |Mike|> :P
18:13 < |Mike|> I understand your choise :)
18:18 -!- luneff [~yury@84.51.198.114] has quit [Quit: Leaving]
18:19 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
18:23 < |Mike|> krzie: t * c
18:40 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
18:40 -!- k3y [~key@c-76-22-43-138.hsd1.wa.comcast.net] has joined #openvpn
18:40 < k3y> !welcome
18:40 <@vpnHelper> k3y: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:40 < k3y> !howto
18:40 <@vpnHelper> k3y: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
18:41 < k3y> oh.
18:41 < ecrist> :)
18:41 < k3y> !goal
18:41 <@vpnHelper> k3y: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
18:43 -!- s7r [~s7r@89.39.174.74] has left #openvpn []
18:43 < k3y> hi ecrist
18:44 < k3y> !goal i would like to access the internet over my vpn
18:44 <@vpnHelper> k3y: Error: "goal" is not a valid command.
18:44 < k3y> lol
18:44 < k3y> hrm...
18:44 < k3y> i'm trying to figure out how to make the tunnel adapter for openvpn 
18:44 < krzie> you just speak your goal
18:44 < krzie> not with !goal in front ;]
18:45 < krzie> what OS are you using?
18:45 < k3y> ubuntu
18:45 < k3y> 10.10
18:45 < krzie> insmod tun
18:45 < k3y> does openvpn create it on its own when the vpn starts?
18:46 < krzie> if the tun module is loaded, and you use a dynamic device (dev tun, not dev tun0), then yes
18:47 < k3y> nope i'm bridging so i need to use tap0
18:47 < krzie> you just need tap, not necessarily tap0
18:47 < krzie> and why are you briding?
18:47 < krzie> bridging*
18:47 < k3y> i read you can play lan games over it...some diablo2 perhaps?
18:48 < k3y> i'm in way over my head here...new to ubuntu and openvpn bad combo
18:48 < |Mike|> sounds like you need a management team !
18:49 < k3y> i set up my server.conf file and tried to start the server but it fails
18:49 < krzie> you dont need ubuntu for ovpn
18:49 < krzie> it'll run fine on windows, if you happen to understand networking on windows
18:49 < k3y> and i thought maybe it is because i haven't precreated the tunnel adapter 
18:49 < krzie> if you are also new to networking, you are right that it is a bad combo
18:49 < |Mike|> !tell k3y [configs]
18:50 < k3y> hmm?
18:50 < k3y> yea not completely new to networking but linux networking is different...i'm used to a gui lol
18:50 -!- powerunits [powerunits@119.152.77.30] has quit []
18:51 < |Mike|> networking == networking imho.
18:51 < k3y> yah mike
18:51 < k3y> just gotta make this tunnel adapter and i think it will work
18:52 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
18:52 < |Mike|> i'm going to sleep, night.
18:52 < k3y> night mike
18:53 < k3y> oh
18:53 < k3y> haha i didn't see the message from vpnHelper sorry
18:57 < k3y> where should i paste my config at mike?
19:06 < Bushmills> k3y: nope
19:07 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
19:07 < Bushmills> interface will be created automatically, upon connection (client) or start (server) 
19:07 < k3y> ohh
19:07 < k3y> thank you bushmills
19:08 < Bushmills> if it doesn't come up, it should mean that connecting to server failed
19:08 <@vpnHelper> RSS Update - forum: Server Administration :: what is the server parameter :: Author pinguim007 <https://forums.openvpn.net/viewtopic.php?f=4&t=7328&p=8558#p8558>
19:08 < Bushmills> look at interfaces of server, there'll be a tun0
19:08 < k3y> doesn't bridge-utils have something to do with this equation?
19:09 < Bushmills> in that case it'd be a tap interface
19:09 < k3y> yea 
19:09 < k3y> i can't get it to create the tap interface
19:09 < k3y> lol
19:10 < Bushmills> tap / bridging is not something you'd want to ask me about.
19:10 < k3y> well the config file says i need to precreate the tap0 interface if i need to use it
19:10 < k3y> i think it has to do with bridge-utils 
19:10 < Bushmills> i was assuming tun
19:10 < k3y> oh sorry bushmills
19:13 < k3y> probably way simpler to just run a routed vpn but i don't like to make things easy...
19:19 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
19:25 < k3y> ohhh haha i think i got it
19:27 < k3y> OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
19:28 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
19:28 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
19:28 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
19:28 < Bushmills> that's just a warning. no relevance as long as you don't intend to execute own scripts upon connection, or such
19:28 < Bushmills> even "warning" is too string a word for it. call it "informational"
19:28 < Bushmills> strong
19:28 < k3y> After that it fails t o load a few cert files
19:28 < k3y> and then exits
19:29 < k3y> so i think i need to figure out why i didn't make those yet....hmm
19:29 < Bushmills> "fails to load a few cert files" <- there's your problem
19:29 < k3y> yea
19:30 < k3y> server.crt 
19:36  * ecrist considers actively developing vbulletin
19:36  * ecrist does happy dance, grabs more rum
19:36  * ecrist stops emoting
19:36  * k3y is just gonna idle here for a while.
19:40 -!- EmperorT1m [~EmperorTo@174-30-241-122.mpls.qwest.net] has joined #openvpn
19:40  * ecrist also considers writing a php front-end for openvpn
19:41 -!- EmperorTom [~EmperorTo@184-97-159-175.mpls.qwest.net] has quit [Ping timeout: 265 seconds]
19:43  * Bushmills brews himself a cup of tea with a serious quantity of rum in it.
19:44 <@vpnHelper> RSS Update - forum: Configuration :: Re: Multiple Tunnels on the same server :: Reply by gcc_computo <https://forums.openvpn.net/viewtopic.php?f=6&t=7278&p=8559#p8559>
20:13 -!- kaushal [~kaushal@triband-mum-120.61.11.232.mtnl.net.in] has joined #openvpn
20:13 < kaushal> Hi
20:16 < kaushal> Can someone please guide me about http://sourceforge.net/mailarchive/forum.php?thread_name=AANLkTimEkL%3DLurQ_gVLz58NzxWJqyDeA_TGXBU_mghiw%40mail.gmail.com&forum_name=openvpn-users
20:16 <@vpnHelper> Title: SourceForge.net: OpenVPN: openvpn-users (at sourceforge.net)
20:18 < ecrist> kaushal: we've discussed this before.
20:19 < ecrist> none of us are going to read your link
20:19 < ecrist> tell me what you want to know, and give the link as an additional reference.
20:19  * ecrist considers banning users who post a link within the first 5 posts after they join.
20:22 < kaushal> ecrist: apologies
20:23 -!- k3y [~key@c-76-22-43-138.hsd1.wa.comcast.net] has quit [Quit: Leaving]
20:26 -!- k3y [~key@c-76-22-43-138.hsd1.wa.comcast.net] has joined #openvpn
20:26 < k3y> woops
20:31  * ecrist poofs
20:32 < k3y> lol
20:32 < k3y> ifconfig $t 0.0.0.0 promisc up <-do i need something in place of the 0.0.0.0 ?
20:42 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
20:45 -!- k3y [~key@c-76-22-43-138.hsd1.wa.comcast.net] has quit [Quit: Leaving]
20:48 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
21:41 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Read error: Connection reset by peer]
21:42 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
22:37 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
22:51 -!- raddy_ [~raddy@117.192.237.68] has joined #openvpn
22:51 -!- raddy_ is now known as raddy
22:52 < raddy> Hello Everybody
22:52 < raddy> I am new to openvpn and vpn in general.
22:52 < raddy> trying to setup vpn server in centos.
22:53 < raddy> I have two ethernet cards.
22:53 < raddy> 1 is for internet access and other one is for vpn.
22:53 < raddy> should i use bridging technique when setting up openvpn?
23:23 -!- W0rmF00d [~wormfood@183.39.107.107] has joined #openvpn
23:26 -!- WormFood [~wormfood@183.39.104.154] has quit [Ping timeout: 240 seconds]
23:41 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has quit [Ping timeout: 265 seconds]
--- Day changed Sat Nov 27 2010
00:43 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
00:46 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:20 -!- kaushal [~kaushal@triband-mum-120.61.11.232.mtnl.net.in] has quit [Read error: Connection reset by peer]
01:31 < krzie> !linipforward
01:31 <@vpnHelper> krzie: "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
01:31 < krzie> !linnat
01:31 <@vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
01:31 < krzie> !def1
01:31 <@vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
01:31 < krzie> !sample
01:31 <@vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
01:32 < krzie> !pki
01:32 <@vpnHelper> krzie: "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was signed
01:32 <@vpnHelper> krzie: specially as a server (see !servercert)
01:42 -!- raddy [~raddy@117.192.237.68] has quit [Quit: ~ Trillian Astra - www.trillian.im ~]
01:48 -!- davascript [~davascrip@cpe-74-69-146-66.stny.res.rr.com] has quit [Ping timeout: 265 seconds]
02:01 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 272 seconds]
02:02 -!- shai [~Shai@l192-117-110-233.cable.actcom.net.il] has joined #openvpn
02:02 -!- shai [~Shai@l192-117-110-233.cable.actcom.net.il] has left #openvpn []
02:04 -!- k3y [~key@c-76-22-43-138.hsd1.wa.comcast.net] has joined #openvpn
02:04 < k3y> !welcome ?
02:04 <@vpnHelper> k3y: Error: "welcome" is not a valid command.
02:04 < k3y> lol
02:05 < k3y> i think i'm really close to up and running...got one error i don't understand
02:05 < k3y> well 2 errors
02:06 < k3y> one isn't openvpn though
02:06 < k3y> "script failed: external program fork failed" is this a really vague error?
02:08 < krzie> the ? after !welcome changed the bots response
02:08 -!- toortog [nesm6@notsecure.net] has quit [Ping timeout: 255 seconds]
02:08 < krzie> !logs
02:08 <@vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin
02:15 -!- k3y [~key@c-76-22-43-138.hsd1.wa.comcast.net] has quit [Ping timeout: 276 seconds]
02:19 -!- k3y [~key@c-76-22-43-138.hsd1.wa.comcast.net] has joined #openvpn
02:20 < k3y> lol
02:20 < k3y> yep it's a bridge problem...i'm going to bed...
02:20 < k3y> maybe i can ask for help tomorrow :)
02:20 < k3y> hehehe
02:33 -!- toortog [nesm6@notsecure.net] has joined #openvpn
02:34 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
02:41 -!- raddy_ [~raddy@117.192.237.68] has joined #openvpn
02:41 < raddy_> Hello Everybody
02:42 < raddy_> I am new to openvpn and bridging
02:43 < raddy_> i have two ethernet cards.
02:44 < raddy_> one for internet.
02:44 < raddy_> and another for vpn.
02:44 < raddy_> anybody listening?
02:54 < hyper_ch> !bridge
02:54 <@vpnHelper> hyper_ch: "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc, or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ, or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man)
02:54 < hyper_ch> raddy_: patience is a virtue
02:54 < raddy_> hyper_ch : okk.
02:55 < hyper_ch> !tell raddy_ [welcome]
02:56 < raddy_> hyper_ch : actually i just need our server to connect to our client system in secure way, one ethernet for the server to work in internet and other ethernet for it to connect to it's client in secure way, that requires bridging?
02:57 < hyper_ch> I don't really understand what you mean
03:00 < raddy_> hyper_ch : we have computer a, in it it has two ethernet cards, one ethernet is used to connect to public networks such as internet, the other one is meant to be connected with computer b via vpn, the computer a is server,  and computer b logs into computer a, now should i configure bridging or routing in computer a?
03:00 < hyper_ch> you don't need two cards for that
03:00 < rjd_> raddy_: if I understand you correctly, then no. if the clients connect to your openvpn over internet then the interface communicating with them would be either tap or tun, not a second eth
03:01 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
03:02 < raddy_> rjd_ : what if, the computer b too is in same lan?
03:02 < hyper_ch> raddy_: doesn't really matter
03:02 < hyper_ch> vpn creates virtual interface to which you connect
03:03 < raddy_> okk.,
03:03 < hyper_ch> but you could setup like two vpns.... one that only allows access to a nat network behind computer a or something
03:03 < hyper_ch> and one that would provide as vpn gateway to the internet
03:03 < raddy_> hyper_ch : so i have to create bridge for my internet facing ethernet to create a seperate private network, eh?
03:04 < hyper_ch> I don't quite understand what you mean by that
03:05 < raddy_> hyper_ch : ok, it appears i don't need bridging, routing is enough, ?
03:05 < hyper_ch> btw, I like graphics that show the server, lan, internet and the different clients and from where they connect and where they shall have access to
03:05 < hyper_ch> !def1
03:05 <@vpnHelper> hyper_ch: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
03:06 < hyper_ch> if you set that option all traffic will be routed through the vpn
03:16 -!- raddy_ is now known as raddy
03:19 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 240 seconds]
03:45 -!- fbh [fbh@lucifer.frands.net] has quit [Changing host]
03:45 -!- fbh [fbh@unaffiliated/fbh] has joined #openvpn
03:45 -!- kerfe [~a@230.pool85-60-130.dynamic.orange.es] has joined #openvpn
03:47 -!- master_of_master [~master_of@p57B559A1.dip.t-dialin.net] has quit [Ping timeout: 260 seconds]
03:48 -!- master_of_master [~master_of@p57B57B65.dip.t-dialin.net] has joined #openvpn
03:49 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
04:12 -!- kimjongi1 is now known as kish
04:21 -!- raddy [~raddy@117.192.237.68] has quit [Read error: Connection reset by peer]
04:21 -!- raddy [~raddy@117.192.237.68] has joined #openvpn
04:22 -!- raddy is now known as raddy_
04:38 -!- kraut [~kraut@blackhole.netzdeponie.de] has quit [Read error: Operation timed out]
04:47 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
04:58 -!- ucekpolish [user@hq.ostc-pl.com] has joined #openvpn
05:16 -!- raddy_ [~raddy@117.192.237.68] has quit [Read error: Connection reset by peer]
05:17 -!- raddy_ [~raddy@117.192.237.68] has joined #openvpn
05:26 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
05:28 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
05:28 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
05:28 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
05:33 -!- raddy_ [~raddy@117.192.237.68] has quit [Quit: ~ Trillian Astra - www.trillian.im ~]
05:37 -!- SmokeyD [~Dolf_Andr@93-125-157-31.dsl.alice.nl] has joined #openvpn
05:38 < SmokeyD> hey everyone. In order to connect to two different openvpn servers from my windows laptop, I need a second tap adapter right? How do I add that?
06:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 255 seconds]
06:12 -!- common [~common@p5DDA40AC.dip0.t-ipconnect.de] has joined #openvpn
06:20 < hyper_ch> howdy
06:28 -!- ruben23 [~RLACUMBA@121.97.111.142] has joined #openvpn
06:44 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has joined #openvpn
06:47 < ruben23> hi guys any idea on how to setup openvpn on an ubuntu-server platform..?
06:47 < hyper_ch> yes
06:48 < ruben23> hyper_ch: is it ok to ask for the link..if you dont mind
06:48 -!- s7r [~s7r@89.39.174.74] has joined #openvpn
06:48 < hyper_ch> http://www.simplylinux.ch/openvpn-einrichten
06:48 <@vpnHelper> Title: Linux für alle » OpenVPN einrichten (at www.simplylinux.ch)
06:54 < common> whom to refer to to get a patch upstream?
06:55 < ruben23> hyper_ch: seems i cant understand the languae- is ther any english text..
06:55 < hyper_ch> ruben23: there is not
06:55 < hyper_ch> !tell ruben23 [howt]
06:55 <@vpnHelper> hyper_ch: Error: "howt" is not a valid command.
06:55 < hyper_ch> !tell ruben23 [howto]
06:56 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
07:18 -!- SmokeyD [~Dolf_Andr@93-125-157-31.dsl.alice.nl] has quit [Read error: Connection reset by peer]
07:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
07:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
07:26 < ruben23> do we have how to or article for samba over openvpn..?
07:28 < Bushmills> !wins
07:28 <@vpnHelper> Bushmills: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
07:28 < Bushmills> other than that, there's nothing special about samba - it is just a network service
07:29 < Bushmills> and wins because of:
07:29 < Bushmills> !tunortap
07:29 <@vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
07:29 <@vpnHelper> Bushmills: over the vpn, or (#4) lan gaming? use tap!
07:29 < Bushmills> #2 
07:30 -!- smerz [~smerz@smerz.demon.nl] has quit [Remote host closed the connection]
07:32 -!- ruben231 [~RLACUMBA@121.97.111.142] has joined #openvpn
07:34 -!- ruben231 [~RLACUMBA@121.97.111.142] has left #openvpn []
07:35 -!- ruben23 [~RLACUMBA@121.97.111.142] has quit [Ping timeout: 260 seconds]
07:41 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
08:20 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
08:36 -!- razorx [~razorX@h-157-112.A155.priv.bahnhof.se] has quit [Read error: Connection reset by peer]
08:37 -!- razorx [~razorX@h-157-112.A155.priv.bahnhof.se] has joined #openvpn
08:54 -!- s7r [~s7r@89.39.174.74] has left #openvpn []
08:57 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 265 seconds]
09:21 -!- venom00ut [~venom00@unaffiliated/venom00] has joined #openvpn
09:22 < venom00ut> hello, if I connect to an openvpn server on 443 with TLS enabled, is it possible for an observer to distinguish openvpn traffic from standard HTTPS traffic?
09:22 < hyper_ch> I don't think so
09:27 < rjd_> unless it's a reverse proxy that terminates the ssl session, inspects and re-opens the ssl session
09:27 < rjd_> :)
09:28 < rjd_> !wins
09:28 <@vpnHelper> rjd_: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
09:29 < rjd_> You wins some, you loose some :-)
09:29 -!- luneff [~yury@84.51.198.114] has joined #openvpn
09:41 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
09:56 -!- noogenesis [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has quit [Ping timeout: 252 seconds]
09:58 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn
09:58 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Read error: Operation timed out]
10:09 < Bushmills> venom00ut: i guess you can do it that way:  install a stub listener, enable port sharing in openvpn. traffic to stub listener is HTTPS, difference of port traffic and stub traffic is openvpn
10:10 < venom00ut> Bushmills, I mean MITM observer
10:10 < common> I'd say yes
10:10 < common> given the session duration
10:12 < common> so there is no need to look at packets, netflow is enough
10:19 -!- luneff [~yury@84.51.198.114] has quit [Quit: Leaving]
10:38 -!- f1assistance [~Carl@cpe-024-211-247-099.nc.res.rr.com] has joined #openvpn
11:01 -!- luneff [~yury@84.51.198.114] has joined #openvpn
11:07 -!- Alonea [~Alonea@res55554966.rh.rit.edu] has quit [Read error: Connection reset by peer]
11:09 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
11:31 -!- whitefang [tyler@ionise.org] has joined #openvpn
11:32 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has quit [Ping timeout: 272 seconds]
11:33 < whitefang> hey, are OpenVPN-AS licenses needed to deplay OpenVPN to more than 2 users? from what I can tell OpenVPN-AS is the "ezmode" solution for deplaying OpenVPN and that if you can just through the hoops of configuring OpenVPN on your own then the OpenVPN-AS licenses are unneeded?
11:34 < hyper_ch> no, openvpn comunity can have lots of users
11:35 < ecrist> krzie: I've fixed the wiki
11:35 < ecrist> I did not add your changes.
11:35 < whitefang> in a commerical environment right? I'm trying to explain to my boss that OpenVPN can be deployed without paying for licenses if we don't need OpenVPN-AS to make it easier to setup and deploy.
11:36 < ecrist> whitefang: AS is not supported here, but you do need to purchase licenses for more than 2 users.
11:36 < hyper_ch> openvpn is distributed under an opensource licence IIRC
11:36 < whitefang> OK.
11:36 < krzie> yep, GPL
11:36 < whitefang> yeah its GPLed.
11:36 < ecrist> openvpn (not access server) is free
11:36 < hyper_ch> otherwise debian wouldn't have it packaged
11:36 < hyper_ch> what's the difference between AS and community?
11:36 < whitefang> OpenVPN-AS is just a service that puts it all together nicely with a web interface and stuff right?
11:36 < hyper_ch> ah :)
11:37 < ecrist> yeah
11:37 < hyper_ch> krzie: can you add a flattr button to openvpn community?
11:37 < ecrist> a what button?
11:38 < krzie> no idea, lol
11:38 < ecrist> recaptcha is broken in latest SVN mediawiki
11:38 < krzie> openvpn-AS also has professional support
11:40 < hyper_ch> ecrist: flattr :)
11:40 < hyper_ch> ecrist: you don't know flattr?
11:41 < ecrist> no
11:42 -!- ucekpolish1 [user@hq.ostc-pl.com] has joined #openvpn
11:44 < hyper_ch> it's an interesting micropayment system... as "customer" you define how much money you want to spend in a month... during that month, when you see something interesting you can press the flattr button on that site... at the end of the month, your monthly "spending" gets evenly divided up upon all those things you have flattred :)
11:44 < ecrist> ah
11:45 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has joined #openvpn
11:46 -!- ucekpolish [user@hq.ostc-pl.com] has quit [Ping timeout: 245 seconds]
11:46 -!- whitefang [tyler@ionise.org] has quit [Ping timeout: 245 seconds]
11:47 < hyper_ch> I like it :) but there's one thing that still need to improved IMHO
11:52 < hyper_ch> if you add a flattr button, let me know
12:20 -!- f1assistance [~Carl@cpe-024-211-247-099.nc.res.rr.com] has left #openvpn []
12:32 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
12:36 -!- razorx [~razorX@h-157-112.A155.priv.bahnhof.se] has quit [Read error: Connection reset by peer]
12:37 -!- razorx [~razorX@h-157-112.A155.priv.bahnhof.se] has joined #openvpn
12:38 -!- caesay_ [~caesay@173.236.15.70] has joined #openvpn
12:38 -!- common- [~common@p5DDA40AC.dip0.t-ipconnect.de] has joined #openvpn
12:38 -!- kerfe1 [~a@230.pool85-60-130.dynamic.orange.es] has joined #openvpn
12:39 -!- hyper__ch [~hyper_ch@ks357331.kimsufi.com] has joined #openvpn
12:39 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has quit [Ping timeout: 240 seconds]
12:39 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Write error: Broken pipe]
12:39 -!- rjd__ [~rjd@212.112.31.11] has joined #openvpn
12:39 -!- Edward123 [edward@unaffiliated/edward123] has joined #openvpn
12:39 -!- raidzxx [~Andrew@2002:adc0:e0ad::adc0:e0ad] has joined #openvpn
12:39 -!- tessier_ [~treed@mail.copilotco.com] has joined #openvpn
12:39 -!- krzy [~k@ftp.secure-computing.net] has joined #openvpn
12:39 -!- DrJ [Bacon@174.141.224.168] has quit [Ping timeout: 264 seconds]
12:39 -!- tessier [~treed@kernel-panic/copilotco] has quit [Ping timeout: 264 seconds]
12:39 -!- nijotz [~nick@72.14.181.106] has quit [Ping timeout: 264 seconds]
12:39 -!- sno [~sno@static.153.209.46.78.clients.your-server.de] has quit [Ping timeout: 264 seconds]
12:39 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has quit [Ping timeout: 264 seconds]
12:39 -!- common [~common@p5DDA40AC.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
12:39 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 264 seconds]
12:39 -!- aliverius [~george@athedsl-377917.home.otenet.gr] has quit [Ping timeout: 264 seconds]
12:39 -!- rjd_ [~rjd@212.112.31.11] has quit [Ping timeout: 264 seconds]
12:39 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 264 seconds]
12:39 -!- fbsec [~fb@38.108.126.157] has quit [Ping timeout: 264 seconds]
12:39 -!- Champi [Champi@damn.e-leet.be] has quit [Ping timeout: 264 seconds]
12:39 -!- ksk [~ksk@im.knubz.de] has quit [Ping timeout: 264 seconds]
12:39 -!- hyper__ch is now known as hyper_ch
12:39 -!- Netsplit *.net <-> *.split quits: ScriptFanix, kish, gorkhaan
12:39 -!- krzie [~k@openvpn/community/support/krzee] has quit [Ping timeout: 272 seconds]
12:39 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
12:39 -!- sno_ [~sno@static.153.209.46.78.clients.your-server.de] has joined #openvpn
12:39 -!- k3y [~key@c-76-22-43-138.hsd1.wa.comcast.net] has quit [Ping timeout: 240 seconds]
12:39 -!- reiffert [~thomas@mail.reifferscheid.org] has quit [Ping timeout: 240 seconds]
12:39 -!- no_maam [~no_maam@gate.cdc.informatik.tu-darmstadt.de] has quit [Ping timeout: 240 seconds]
12:39 -!- ksk [~ksk@im.knubz.de] has joined #openvpn
12:40 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
12:40 -!- Dougy [me@openvpn/community/user/dougy] has quit [Ping timeout: 245 seconds]
12:40 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
12:40 -!- luneff [~yury@84.51.198.114] has quit [Ping timeout: 245 seconds]
12:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
12:40 -!- septiq [~septiq@93.19.114.177] has quit [Ping timeout: 245 seconds]
12:40 -!- caesay [~caesay@unvanquished/associate/sniperx] has quit [Ping timeout: 245 seconds]
12:40 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
12:40 -!- szr [~SR@64.85.235.207] has joined #openvpn
12:40 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
12:40 -!- szr [~SR@64.85.235.207] has quit [Changing host]
12:40 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
12:40 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
12:40 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
12:40 -!- bitterman [~yury@84.51.198.114] has joined #openvpn
12:40 -!- Champi [Champi@damn.e-leet.be] has joined #openvpn
12:40 -!- venom00ut [~venom00@unaffiliated/venom00] has quit [Ping timeout: 240 seconds]
12:40 -!- raidzx [~Andrew@seance.openvpn.org] has quit [Ping timeout: 240 seconds]
12:40 -!- aliverius_ [~george@athedsl-377917.home.otenet.gr] has joined #openvpn
12:40 -!- EdwardIII [edward@unaffiliated/edward123] has quit [Ping timeout: 240 seconds]
12:40 -!- venom00ut [~venom00@unaffiliated/venom00] has joined #openvpn
12:40 -!- septiq_ [~septiq@93.19.114.177] has joined #openvpn
12:40 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 240 seconds]
12:40 -!- fbh [fbh@unaffiliated/fbh] has quit [Ping timeout: 240 seconds]
12:40 -!- Edward123 is now known as EdwardIII
12:40 -!- fbh__ [fbh@lucifer.frands.net] has joined #openvpn
12:40 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
12:40 -!- septiq_ is now known as septiq
12:40 -!- reiffert [~thomas@mail.reifferscheid.org] has joined #openvpn
12:40 -!- Dougy_ [me@tech.qsi.net] has joined #openvpn
12:40 -!- Netsplit over, joins: gorkhaan, kish, ScriptFanix
12:40 -!- kerfe [~a@230.pool85-60-130.dynamic.orange.es] has quit [Ping timeout: 245 seconds]
12:40 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined #openvpn
12:41 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has joined #openvpn
12:41 -!- no_maam [~no_maam@gate.cdc.informatik.tu-darmstadt.de] has joined #openvpn
12:41 -!- nijotz [~nick@72.14.181.106] has joined #openvpn
12:41 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
12:41 -!- common- is now known as common
12:42 -!- Typone [~nnnnnnnit@195.197.184.87] has joined #openvpn
12:42 -!- key [~key@c-76-22-43-138.hsd1.wa.comcast.net] has joined #openvpn
12:44 -!- tjz [~pc@67.220.220.132] has joined #openvpn
12:44 -!- tjz [~pc@67.220.220.132] has quit [Changing host]
12:44 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
12:44 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has quit [Remote host closed the connection]
12:44 -!- key is now known as Guest6149
12:44 -!- sno_ [~sno@static.153.209.46.78.clients.your-server.de] has quit [Ping timeout: 272 seconds]
12:44 -!- sno [~sno@static.153.209.46.78.clients.your-server.de] has joined #openvpn
12:44 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 255 seconds]
12:44 -!- Fiouz [~Fiouz@2a01:e0b:1:68:240:63ff:fee6:924b] has joined #openvpn
12:44 -!- fbsec [~fb@38.108.126.157] has joined #openvpn
12:44 -!- fbh__ [fbh@lucifer.frands.net] has left #openvpn []
12:45 -!- fbh__ [fbh@lucifer.frands.net] has joined #openvpn
12:45 -!- fbh__ is now known as fbh
12:45 -!- fbh [fbh@lucifer.frands.net] has quit [Changing host]
12:45 -!- fbh [fbh@unaffiliated/fbh] has joined #openvpn
12:45 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
12:47 -!- darkscrypt [~darkscryp@adsl-074-166-089-185.sip.asm.bellsouth.net] has joined #openvpn
12:47 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
12:48 -!- corretico_ [~corretico@201.201.44.82] has joined #openvpn
12:48 < darkscrypt> i am looking to build a vpn that meets the hipaa encryption requirements. does anybody know if openvpn is a solution that meets this
12:49 < ecrist> what requirement, specifically
12:49 < ecrist> hipaa only says you have to try to protect data, and have a written policy about it
12:50 < ecrist> it doesn't say you must use XYZ encryption with keys less than W bits
12:50 -!- ucekpolish1 [user@hq.ostc-pl.com] has quit [Ping timeout: 245 seconds]
12:50 -!- nettie [~nettie@stewie.freax.it] has quit [Ping timeout: 245 seconds]
12:50 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 245 seconds]
12:50 -!- szr [~SR@unaffiliated/szr] has quit [Ping timeout: 245 seconds]
12:50 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
12:50 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
12:50 -!- ucekpolish [user@hq.ostc-pl.com] has joined #openvpn
12:50 < hyper_ch> vpn does not protect data... it secures communication channels, right?
12:50 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
12:50 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
12:50 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
12:50 -!- nettie [~nettie@stewie.freax.it] has joined #openvpn
12:53 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
12:58 -!- raidzx [~Andrew@seance.openvpn.org] has joined #openvpn
12:59 -!- venom00ut [~venom00@unaffiliated/venom00] has quit [Ping timeout: 240 seconds]
12:59 -!- venom00ut [~venom00@unaffiliated/venom00] has joined #openvpn
13:00 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
13:02 -!- havoc__ [~havoc@neptune.chaillet.net] has joined #openvpn
13:03 -!- rjd_ [~rjd@212.112.31.11] has joined #openvpn
13:04 -!- havoc [~havoc@neptune.chaillet.net] has quit [Disconnected by services]
13:04 -!- havoc__ is now known as havoc
13:04 -!- Nappy_ [~nappy@123-247.97-97.tampabay.res.rr.com] has joined #openvpn
13:05 -!- raidzxx [~Andrew@2002:adc0:e0ad::adc0:e0ad] has quit [Read error: Connection reset by peer]
13:05 -!- krzy [~k@ftp.secure-computing.net] has quit [Write error: Connection reset by peer]
13:05 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 324 seconds]
13:05 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Ping timeout: 324 seconds]
13:05 -!- rjd__ [~rjd@212.112.31.11] has quit [Write error: Connection reset by peer]
13:07 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has quit [Ping timeout: 250 seconds]
13:19 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined #openvpn
13:22 < venom00ut> common, about the distinguishing vpn traffic from https, you talk about session duration, but nowadays there are long enough SSL session, like downloading a big FLV, or just keeped-alive connection to a website like facebook, making frequent requests
13:23 -!- sno [~sno@static.153.209.46.78.clients.your-server.de] has quit [Ping timeout: 264 seconds]
13:23 -!- sno [~sno@static.153.209.46.78.clients.your-server.de] has joined #openvpn
13:30 -!- darth_bitterman [~yury@84.51.198.114] has joined #openvpn
13:34 -!- APTX_ [~APTX@phpBB/developer/APTX] has joined #openvpn
13:35 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Ping timeout: 272 seconds]
13:35 -!- jpalmer_ [~jpalmer@irc.palmerit.net] has joined #openvpn
13:35 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 240 seconds]
13:36 -!- aliverius_ [~george@athedsl-377917.home.otenet.gr] has quit [Read error: Connection reset by peer]
13:36 -!- raidz [~Andrew@seance.openvpn.org] has joined #openvpn
13:36 -!- raidz [~Andrew@seance.openvpn.org] has quit [Changing host]
13:36 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has joined #openvpn
13:36 -!- mode/#openvpn [+o raidz] by ChanServ
13:36 -!- Klem__ [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has joined #openvpn
13:36 -!- corretico__ [~corretico@201.201.44.82] has joined #openvpn
13:36 -!- aliverius [~george@athedsl-377917.home.otenet.gr] has joined #openvpn
13:37 -!- corretico_ [~corretico@201.201.44.82] has quit [Ping timeout: 342 seconds]
13:37 -!- s34n [~chatzilla@ip-208-76-93-125.mvdsl.com] has quit [Ping timeout: 342 seconds]
13:37 -!- Klem [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has quit [Ping timeout: 342 seconds]
13:37 -!- s34n [~chatzilla@ip-208-76-93-125.mvdsl.com] has joined #openvpn
13:37 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has joined #openvpn
13:37 -!- bitterman [~yury@84.51.198.114] has quit [Ping timeout: 240 seconds]
13:39 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Ping timeout: 250 seconds]
13:39 -!- venom00ut [~venom00@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
13:39 -!- raidzx [~Andrew@seance.openvpn.org] has quit [Ping timeout: 245 seconds]
13:41 -!- agagag [~anton@eudaimonia.goto10.org] has joined #openvpn
13:47 -!- venom00ut [~venom00@unaffiliated/venom00] has joined #openvpn
13:50 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has quit [Ping timeout: 255 seconds]
13:53 < common> venom00ut: a vpn connection is likely to last longer and have less throughput than a download
13:54 < venom00ut> common, but it's similar to a keeped-alive session of a website visited for a long time
13:55 < common> keep alive sessions do not last forever anyway, ff closes them too after using them N times
13:58 -!- venom00ut [~venom00@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
14:00 -!- ksk_ [~ksk@im.knubz.de] has joined #openvpn
14:00 -!- venom00ut [~venom00@unaffiliated/venom00] has joined #openvpn
14:00 -!- ksk_ [~ksk@im.knubz.de] has quit [Client Quit]
14:04 -!- darth_bitterman [~yury@84.51.198.114] has quit [Quit: Leaving]
14:05 -!- luneff [~yury@84.51.198.114] has joined #openvpn
14:05 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
14:10 < krzee> [11:22]  <venom00ut> common, about the distinguishing vpn traffic from https, you talk about session duration, but nowadays there are long enough SSL session, like downloading a big FLV, or just keeped-alive connection to a website like facebook, making frequent requests
14:10 < krzee> correct, however, a clever person could tell them apart by looking at the encryption
14:10 < krzee> according to a theory of mine based on how port sharing works
14:19 < derekv> activesync stays open for a long time
14:19 < derekv> 15 minute keepalives I think
14:19 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: Leaving]
14:40 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Ping timeout: 252 seconds]
14:50 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
15:08 <@vpnHelper> RSS Update - forum: Configuration :: Suddenly OpenVPN clients cannot see network :: Author rentageek <https://forums.openvpn.net/viewtopic.php?f=6&t=7329&p=8560#p8560>
15:12 < derekv> Probably the best way to do client deployment is to have a package the user downloads and installs, providing configuration, key pair is generated on the client's machine and public key sent in some manner to the administrator, who signs it 
15:13 < derekv> I'm going to try to set something up like that, to be as automated as possible from the user's perspective.
15:14 < ecrist> NSIS is what we use to package openvpn now.
15:14 < derekv> Yea I just found a page about that.
15:14 < common> what is the currently recommended gui for windows?
15:15 < derekv> I think this is going to be a very educational little project.  
15:16 < ecrist> OpenVPN packages a windows client now
15:17 < krzee> common, since there is only one gui, i would go with that one
15:19 < derekv> Another thing I want to tackle is securing the private key on a laptop.  I can think of a few possibilities ... none perfect, ideally, you could force the security to happen without any aggravations to the user,
15:19 < common> actually I've had problems with the openvn-gui, as it is impossible to run openvpn as service and use certificates with passphrase
15:19 < derekv> but in any case I think you have to trust the user to do their part, and make it as easy as possible for them.
15:19 < ecrist> common: that's not a problem, it's a feature.
15:19 < common> so I tested the securepoint vpn gui, which is handy http://sourceforge.net/projects/securepoint
15:19 <@vpnHelper> Title: OpenVPN Client Windows | Download OpenVPN Client Windows software for free at SourceForge.net (at sourceforge.net)
15:19 < krzee> derekv, add a passphrase to the key, and/or add password auth to the vpn
15:19 < common> but just wanted to check if I missed something in the meantime
15:20 -!- hydester [4a672fe6@gateway/web/freenode/ip.74.103.47.230] has joined #openvpn
15:20 < krzee> common, you use the gui OR the service, you are talking about 2 different things
15:20 < derekv> krzee, what method would you use to add a password auth to the vpn? 
15:20 < derekv> would/do? 
15:20 < krzee> derekv, 
15:20 < krzee> !authpw
15:20 <@vpnHelper> krzee: Error: "authpw" is not a valid command.
15:20 < krzee> err
15:20 < krzee> !authpass
15:20 <@vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
15:21 < common> krzee: if you run openvpn on windows as a client, and the user is not admin, it can't set routes
15:21 < derekv> see there, everytime I come here I learn something :)
15:21 < hydester> hi.  i'm running an openvpn server and trying to VPN to it from an android phone.  all seems to work except that it is prompting me for a username/password even though i am using L2TP/IPSec PSK VPN.  my understanding is that the installed certs on the phone are all i need
15:22 < common> if you run it as system service, openvpn-gui can not ask fr the passphrase to the cert
15:22 < ecrist> !winnoadmin
15:22 <@vpnHelper> ecrist: Error: "winnoadmin" is not a valid command.
15:22 < ecrist> !admin
15:22 <@vpnHelper> ecrist: Error: "admin" is not a valid command.
15:22 < ecrist> !factoids search win
15:22 <@vpnHelper> ecrist: 'winroute', 'winpass', 'win_noadmin', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', 'win_ipfail', 'win2k8', 'sudowin', 'win_tcplimit', 'winnat', 'winscript', 'win_rollup', 'windows', 'winpath', 'winsudo', 'windows_mobile', and 'win_build'
15:22 < ecrist> !win_noadmin
15:22 <@vpnHelper> ecrist: "win_noadmin" is (#1) http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows, or (#2) and http://article.gmane.org/gmane.network.openvpn.user/24873 for vista
15:22 < hyper_ch> hydester: did you add a password to the cert?
15:22 < common> messing with user groups is not an option
15:23 < ecrist> hyper_ch: we support OpenVPN, not L2TP/IPSec
15:23 < ecrist> sorry, hydester 
15:23 < hyper_ch> sorry :)
15:23 < hydester> hyper_ch: yes.  i made a p12 to install it, and the phone asked for a password to open it.  so i made it with a password so it can be installed
15:25 < common> the securepoint gui uses the management interface to have the gui communicate with the system service, so there is no problem with uac at all
15:25 < hydester> hyper_ch: but a username is required at the prompt too, so even using that password alone wouldn't help
15:25 < hyper_ch> hydester: no clue
15:26 < ecrist> common: there is a new openvpn gui, I think it's packaged with 2.2-beta3
15:26 < ecrist> which does the same thing
15:26 < common> great
15:26 < ecrist> hydester: we do not support L2TP/IPSec here.
15:27 < common> ecrist: whom to talk to for patches?
15:27 < ecrist> patches for what?
15:27 < common> openvpn
15:27 < hydester> ecrist: where then?
15:27 < derekv> ecrist, in ssl-admin "owner" refers to the CN?
15:27 < ecrist> hydester: no idea, perhaps the support channel for your product?
15:27 < common> hydester: you'll have to root your phone to use openvpn
15:28 < ecrist> derekv: yes.
15:28 < common> I guess you are using cisco vpn atm
15:28 < hydester> just was following this: http://www.coffeepowered.net/2010/11/21/mobile-and-secure-setting-up-openvpn-with-dd-wrt-and-android/
15:29 < hydester> but then tried to use it on an ubuntu machine instead of dd-wrt
15:29 < common> # Select Add OpenVPN VPN
15:30 < derekv> Do you suggest setting the CN to be the username like the same as the user's login name for other things? I had previously set it up, with the CN for the client being the name of the device, since EG more than one domain user could login on the same laptop and have access to the vpn.
15:30 < derekv> I'm redoing it now so I'm hear to learn.
15:31 < derekv> I don't want to redo it again soon. :P
15:31 < ecrist> hydester: Android doesn't support openvpn by default
15:31 < ecrist> derekv: I would suggest so, yes
15:31 < ecrist> it allows for other things, later
15:31 < ecrist> such as auth-pass and using cn as username
15:31 < common> ecrist: I authored the patch which allows using the email address from a certificate as "common name" to authenticate, and wanted to check what needs to be done to get it merged
15:32 < ecrist> also, it retains your sanity. :)
15:32 < derekv> ecrist, OK, sounds good.  
15:32 < ecrist> common: for ssl-admin?
15:32 < common> openvpn
15:32 < hydester>  ok then, i guess it does require another rom.  :(    does openvpn support PPTP?
15:32 < common> wait, I'll pick the mail from the list
15:32 < ecrist> common: it needs to go to openvpn devel mailing list, or open a trac ticket
15:32 < ecrist> !trac
15:32 <@vpnHelper> ecrist: Error: "trac" is not a valid command.
15:33 < ecrist> http://community.openvpn.net
15:33 <@vpnHelper> Title: OpenVPN Community (at community.openvpn.net)
15:33 < ecrist> !learn trac as see http://community.openvpn.net for development information and bug tracker.
15:33 <@vpnHelper> ecrist: Joo got it.
15:33 < common> http://article.gmane.org/gmane.network.openvpn.devel/4185
15:33 <@vpnHelper> Title: Gmane -- Mail To News And Back Again (at article.gmane.org)
15:33 < ecrist> hydester: no, openvpn is it's own protocol
15:34 < ecrist> common: I'd suggest showing up in #openvpn-devel here on Thursday at 1800UTC, or bump your post on the ML
15:34 < common> 1800 utc is fine for me
15:34 < ecrist> we have a meeting every week.
15:34 < ecrist> also, you can just poke in there now and mention it
15:34 < ecrist> stick around, lots of idle today
15:35 < common> ah, two channels, dev & users
15:35 < ecrist> :)
15:36 < ecrist> ironically, most of the devs are in here, too, but the dev type stuff seems to go by without comment, usually
15:44 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Read error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number]
15:45 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
15:49  * ecrist debates whether to root his android phone and install openvpn
15:49 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has quit [Quit: *poof*]
15:49  * krzee votes yes
15:50 -!- kloeri [~kloeri@freenode/staff/exherbo.kloeri] has joined #openvpn
15:51 < ecrist> holy crap
15:51 < ecrist> unique visitors
15:51 < ecrist> Oct 20104676
15:52 < ecrist> that's Oct 2010 4676
15:52 < ecrist> Nov 2010 6274
15:52 < ecrist> it would seem, for some reason, there was a HUGE uptick in traffic on Nov 23
15:52 < ecrist> my average is about 250 visitors/day
15:52 < ecrist> 23rd had 1302
15:54 < krzee> likely had to do with the spammer im thinkin
15:54 < venom00ut> <krzee> according to a theory of mine based on how port sharing works
15:55 < ecrist> yeah, that's what I'm thinking.  looking at the logs now
15:55 < venom00ut> what do you mean? I'm talking about a MITM, I'm not interested in distinguish the traffic on one of the ends
15:55 < ecrist> on Nov 23, I had 1414 unique IPs hit the site.
15:55 < krzee> oh, nevermind then... i must have somehow misunderstood what i pasted above that
16:01 < ecrist> hrm, 76 edits were made from an IP in Minnesota on that day
16:01 < ecrist> sorry, 144
16:03 < ecrist> that spamming was done by a bot net.
16:03 < ecrist> irritating
16:05 < krzee> if its easy may as well remove those hits from the tally
16:05 < krzee> so it stays correct... then again if its not simple it really isnt important
16:06 < ecrist> not simple
16:08 < krzee> and not important =]
16:13 -!- kish_ [~o2@unaffiliated/spice] has joined #openvpn
16:14 -!- kish [~o2@unaffiliated/spice] has quit [Read error: Operation timed out]
16:20  * ecrist can't find root for mytouch 4g 
16:20 < ecrist> looks like there isn't one, yet
16:26 -!- jpalmer_ [~jpalmer@irc.palmerit.net] has quit [Quit: leaving]
16:27 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined #openvpn
16:27 -!- hydester [4a672fe6@gateway/web/freenode/ip.74.103.47.230] has quit [Ping timeout: 265 seconds]
16:36 < derekv> So, my network internally does most access control via active directory with user passwords, and thus the other things that can by implication sometimes work (eg kerberous authentication in some cases) I have Network Policy and Access Server installed as well, which provides radius.
16:36 < derekv> Whats the most likely canidate to tie auth-verify-user-password to?
16:37 < derekv> I'm hunting around for scripts..
16:42 < derekv> security/openvpn-auth-ldap look at that
16:42 < derekv> haha
16:49 < krzee> ldap/radius/pam
16:55 -!- luneff [~yury@84.51.198.114] has quit [Quit: Leaving]
17:02 -!- venom00ut [~venom00@unaffiliated/venom00] has quit [Ping timeout: 240 seconds]
17:05 -!- luneff [~yury@84.51.198.114] has joined #openvpn
17:10 -!- venom00ut [~venom00@unaffiliated/venom00] has joined #openvpn
17:40  * ecrist restarts phone, hopes openvpn works
17:44 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
17:59 <@vpnHelper> RSS Update - forum: Configuration :: need help setting up my OpenVPN config using a web proxy :: Author carlito.way <https://forums.openvpn.net/viewtopic.php?f=6&t=7330&p=8561#p8561>
18:03 < ecrist> alas, it does not
18:05 < derekv> :(
18:13 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has joined #openvpn
18:14 < mikey_w> I have a problem with windows and my openvpn server.  In linux my ip changes but in win7 it doesn't, when connected?
18:15 < mikey_w> I have an acevpn account and the ip changes in windows as expected.
18:15 < derekv> hmm whats a good way to test authenticating to the domain controller and/or radius from the command line/interactivly so I can make sure I have the settings needed?
18:21 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has joined #openvpn
18:26 -!- mikie-MID [~yaaic@pool-173-53-57-150.rcmdva.fios.verizon.net] has joined #openvpn
18:33 < derekv> maybe I can get ldapsearch to work
18:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
18:38 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
18:38 -!- kish_ [~o2@unaffiliated/spice] has quit [Read error: Connection reset by peer]
18:38 -!- kish [~o2@unaffiliated/spice] has joined #openvpn
18:42 -!- aliverius [~george@athedsl-377917.home.otenet.gr] has quit [Ping timeout: 245 seconds]
18:44 -!- kerfe1 [~a@230.pool85-60-130.dynamic.orange.es] has quit [Ping timeout: 255 seconds]
18:44 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
18:44 -!- aliverius [~george@athedsl-377917.home.otenet.gr] has joined #openvpn
18:53 < unspin> i'm trying to diagnose the, "bad source address from client [blah blah], packet dropped" error message in my openvpn logs; what does this mean exactly?
18:54 -!- DrJ [Bacon@174.141.224.168] has joined #openvpn
18:55 < Guest6149> anyone a bridging expert?
18:55 -!- Guest6149 is now known as k3y
18:59 -!- luneff [~yury@84.51.198.114] has quit [Quit: Leaving]
18:59 -!- dcode [~quassel@173-22-229-92.client.mchsi.com] has joined #openvpn
18:59 -!- dcode [~quassel@173-22-229-92.client.mchsi.com] has quit [Client Quit]
19:00 -!- dcode [~quassel@173-22-229-92.client.mchsi.com] has joined #openvpn
19:01 -!- dcode [~quassel@173-22-229-92.client.mchsi.com] has left #openvpn []
19:13 -!- APTX_ is now known as APTX
19:33 -!- mikie-MID [~yaaic@pool-173-53-57-150.rcmdva.fios.verizon.net] has quit [Ping timeout: 245 seconds]
19:37 -!- dcode [~quassel@173-22-229-92.client.mchsi.com] has joined #openvpn
19:40 -!- hkessler [~hkessler@c-76-126-63-39.hsd1.ca.comcast.net] has joined #openvpn
19:40 < hkessler> hi
19:41 < hkessler> will openvpn work to administer windows 7 box?
19:45 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has quit [Ping timeout: 245 seconds]
19:47 < mikey_w> My openvpn server works with a linux client but not with a win7 client?
19:48 < mikey_w> Help, please?
19:49 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has joined #openvpn
19:52 < derekv> I have had no success get anything to work to authenticate to my domain controller, at all, from my openvpn box
19:53 < hkessler> mikey_w, is openvpn server installed on the windows7 box?
19:57 < Bushmills> !winroute
19:57 <@vpnHelper> Bushmills: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
19:58 < Bushmills> mikey_w: ^^^
19:58 < mikey_w> No the server is on linux.
19:58 < mikey_w> I am going to try that now.
19:58 -!- unspin [~unspin@192.48.234.197] has joined #openvpn
20:03 < krzee> mikey_w, 
20:03 < krzee> !logs
20:03 <@vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin
20:04 < krzee> unspin, see this page:
20:04 < krzee> !route
20:04 <@vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:05 < krzee> derekv, 
20:05 < krzee> !AD
20:05 <@vpnHelper> krzee: Error: "AD" is not a valid command.
20:05 < krzee> !factoids search --values active
20:05 <@vpnHelper> krzee: No keys matched that query.
20:05 < krzee> !factoids search directory
20:05 <@vpnHelper> krzee: "activedirectory" is http://amigo4life.googlepages.com/openvpn for the guide of how to auth against AD
20:05 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has quit [Ping timeout: 245 seconds]
20:05 < krzee> there is it
20:08 < derekv> krzee, the openvpn server doesn't run on a windows box.  So, I'm not real sure how to execute the vbs from BSD =P
20:10 < krzee> setup PAM to auth with your AD, and auth against PAM
20:10 < derekv> but, I can't even get authentication to happen via ldapsearch 
20:11 < unspin> krzee, i've read that; but whats the prescribed approach when you have a vpn client connecting to your server from several (unknown) networks (road warrior clients)
20:11 < derekv> I was trying to auth via PAM via radius with absolutely no success, but I didn't try any other pam methods yet
20:11 < krzee> unspin, do they need to access a LAN? do you need to access theirs?
20:11 < krzee> unspin, that page explains what the error you asked about is
20:12 < unspin> got it
20:12 < unspin> but if a client is roaming around (the world) and they are connecting from different nets each time, do i simply ignore the error?
20:12 < krzee> derekv, here is a linux-centric link on making PAM auth against ADhttp://www.windowsnetworking.com/articles_tutorials/Authenticating-Linux-Active-Directory.html
20:12 <@vpnHelper> Title: Authenticating Linux against Active Directory (at www.windowsnetworking.com)
20:12 < krzee> derekv, here is a linux-centric link on making PAM auth against AD http://www.windowsnetworking.com/articles_tutorials/Authenticating-Linux-Active-Directory.html
20:12 < krzee> sorry, missed a space
20:13 < derekv> thanks krzee 
20:13 < krzee> yw
20:14 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has joined #openvpn
20:15 < mikey_w> vpnHelper, ok, didn't work but thanks.
20:15 <@vpnHelper> mikey_w: Error: "ok," is not a valid command.
20:16 < mikey_w> Bushmills, Didn not work.
20:16 < Bushmills> !blame windows
20:16 <@vpnHelper> Bushmills: Error: "blame" is not a valid command.
20:17 < mikey_w> Though the log had a nice collection of routing commands.
20:17 < mikey_w> I always blame windoze.
20:17 < mikey_w> Don't know why the acevpn servers work?
20:19 < mikey_w> Very magical.
20:20 < krzee> mikey_w, 
20:20 < krzee> !logs
20:20 <@vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin
20:20 < krzee> oh and
20:20 < krzee> !windows
20:20 <@vpnHelper> krzee: "windows" is (#1) pcs are like air conditioners, they work fine unless you open windows, or (#2) http://secure-computing.net/files/windows.jpg, or (#3) also, http://secure-computing.net/files/windows_2.jpg
20:22 -!- hkessler [~hkessler@c-76-126-63-39.hsd1.ca.comcast.net] has quit [Quit: Leaving]
20:22 < k3y> terminal is so harsh sometimes...
20:23 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 250 seconds]
20:23 < mikey_w> Ok when I figure out how to change the verbage to 5.
20:24 < mikey_w> I can't restart the server, others are using it, from linux.
20:25 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
20:29 < k3y> !help
20:29 <@vpnHelper> k3y: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
20:29 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has quit [Ping timeout: 245 seconds]
20:29 < k3y> !help logs
20:29 <@vpnHelper> k3y: Error: There is no command "logs".
20:30 < k3y> !welcome
20:30 <@vpnHelper> k3y: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:30 < k3y> !goal
20:30 <@vpnHelper> k3y: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
20:30 < k3y> oh snap
20:30 < k3y> don't use 192.168.1.0/24
20:31 < k3y> why?
20:31 < k3y> just so clients can connect? or will the server not start under those parameters 
20:34 -!- ping-pong [~qwerty@212-30-223-89.static.simnet.is] has quit [Ping timeout: 265 seconds]
20:38 < ecrist> ah, my issue is that I'm using the wrong tun.ko
20:38 < ecrist> unfortunately, there is no tun.ko for my phone yet
20:39 < ecrist> I wish google would just include openvpn support
20:39 -!- venom00ut [~venom00@unaffiliated/venom00] has quit [Ping timeout: 245 seconds]
20:42 < k3y> i'm lucky i haven't broken something yet haha
20:42 < k3y> new to ubuntu and openvpn
20:42 < k3y> but i almost got this thing running...
20:45 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
20:45 -!- ping-pong [~qwerty@v01.vedur.is] has joined #openvpn
20:46 < derekv> ok so it helps to have a /etc/krb5.conf and/or a /usr/local/etc/ldap.conf ... which of course seems obvious now that I've figured it out.
20:49 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has joined #openvpn
20:51 < mikey_w> krzee, I cloned the acevpn configuration file, added my certs, etc.  It still fails.
20:51 -!- unspin [~unspin@192.48.234.197] has quit [Ping timeout: 240 seconds]
20:52 < mikey_w> I am checking it doing a tracert, from linux the first ip is 10.8.0.8.  From windoze it's 192.168.0.xxx.
20:53 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has joined #openvpn
20:53 < mikey_w> Using trace because the test machine is on the same router as the server.
20:53 -!- k3y [~key@c-76-22-43-138.hsd1.wa.comcast.net] has quit [Ping timeout: 250 seconds]
20:55 < mikey_w> Added "route-method exe" to the config too. 
20:56 < mikey_w> Win7 sucks.
20:59 < mikey_w> What is the preferred pastebin?
21:06 -!- Hilsor [~Hilsor@201.124.76.60] has joined #openvpn
21:10 < Hilsor> Hello. I run Ubumtu 10.10 and Gnome, using OpenVPN with network-manager GUI. For my surprise, in order to have OpenVPN working i have to store my private key's password in the connection configuration, while  I expect to be prompted for the password each time i establish the connection. Am i missing something?
21:12 < oc80z> perhaps it was unlocked with pam.d , added to your key-ring 
21:14 < Hilsor> actually, the configuration dialogue has the "apply" button grayed, until i type something in the password field. I believe it's a hi-level thing, nothing to do with key-ŕing or pam yet... Although key-ring seems to be the right place to store the password, instead of network-manager config
21:15 -!- ping-pong [~qwerty@v01.vedur.is] has quit [Ping timeout: 240 seconds]
21:18 < Hilsor> ty anyway, i'll try to raise this question somewhere else...
21:25 -!- darkscrypt [~darkscryp@adsl-074-166-089-185.sip.asm.bellsouth.net] has quit [Remote host closed the connection]
21:30 -!- ping-pong [~qwerty@212-30-223-89.static.simnet.is] has joined #openvpn
21:53 -!- Hilsor [~Hilsor@201.124.76.60] has left #openvpn []
21:58 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
21:59 < krzee> mikey_w, just give me the client log if you like
21:59 < krzee> !pb
21:59 <@vpnHelper> krzee: "pb" is Use our pastebin to post configs and logs at http://openvpn.pastebin.ca rather than posting to the channel.
22:00 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
22:00 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has quit [Ping timeout: 245 seconds]
22:01 < derekv> Nice.  works via pam_unix , thats a step in the correct direction methinks
22:13 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has joined #openvpn
22:18 -!- k3y [~key@c-76-22-43-138.hsd1.wa.comcast.net] has joined #openvpn
22:24 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has quit [Ping timeout: 276 seconds]
22:34 < derekv> anyone got a working pam.d config for pam_krb5 on bsd? 
22:36 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
22:37 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
22:51 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
22:52 < derekv> ok well, thats bittersweet.  on the bright side , nothings wrong whith my pam_krb5 or configuration
22:52 < derekv> on the downside 
22:53 < derekv> I just spent about 2 hours on what is apperently something to do with pam not reloading the configuration
22:58 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 245 seconds]
22:58 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
23:06 < k3y> .
--- Day changed Sun Nov 28 2010
00:08 < k3y> anyone know if this command will help me with my bridging problems? sysctl -w net.ipv4.ip_forward=1
00:08 < k3y> there's no #bridging 
00:08 < k3y> :)
00:17 < derekv> its been a while since I had to do it
00:18 < k3y> it is in this tutorial i am using...i been across about 4 different ones trying settings from each lol
00:19 < k3y> finally got the openvpn to start but it mentioned no encryption something about [clear text] and UDPv4 link local (bound): [undef]
00:19 < k3y> Sat Nov 27 22:15:37 2010 UDPv4 link remote: [undef]
00:19 < k3y> doesn't look right to me
00:32 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
01:02 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 272 seconds]
01:17 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
01:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
01:32 < derekv> oh my god
01:33 < derekv> I got it to work
01:33 < krzie> k3y, there is no #bridging but there is #networking
01:33 < derekv> but that is 10 hours I will never have back
01:33 < krzie> derekv, so use another 15min and make a writeup on it!
01:33 < krzie> you will save thousands of people those 10 hours
01:33 < krzie> !wiki
01:33 <@vpnHelper> krzie: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
01:33 < krzie> ;]
01:33 < derekv> right, must take notes before I fall to sleep
01:34 < krzie> its a good setup, congrats on getting it working
01:34 < krzie> did you make an extra flag in the AD setup for vpn-user?
01:35 < derekv> nope, didn't get to the ldap flag yet
01:35 < derekv> got krb auth
01:35 <@vpnHelper> RSS Update - forum: Server Administration :: Re: draft HOWTO "Use a Windows CA with OpenVPN" :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7173&p=8562#p8562>
01:37 < derekv> but i'm also able to do command line queries against ldap so I should be close
01:37 < krzie> ahh
01:37 < krzie> but you got PAM authing against AD and openvpn against PAM
01:37 < derekv> once I reissue the certificates 
01:37 < derekv> right
01:37 < hyper_ch> good morning krzie
01:37 -!- EvilJStoker [jstoker@unaffiliated/jstoker] has quit [Quit: EvilJStoker is gone :(]
01:38 < krzie> still definitely worth a writeup!
01:38 < krzie> i wonder if PAM can check ldap
01:38 < krzie> good morning hyper_ch 
01:38 < krzie> actually, yes pam CAN check ldap
01:38 < krzie> thats how people like ecrist who run networks of fbsd machines do their stuff
01:39 < derekv> once the certificates are reissued I can use that verify cn name --username-as-common-name and that will be quite secure, since I won't be issueing certificates to those who I don't want access, the ldap groups would be a management convenience 
01:40 < krzie> !google pam ldap freebsd
01:40 <@vpnHelper> krzie: LDAP authentication under Linux/MacOS X/FreeBSD: <http://vuksan.com/linux/LDAP_authentication_under_Linux.html>; auth ldap pam - lists.freebsd.org Mailing Lists: <http://lists.freebsd.org/pipermail/freebsd-isp/2003-October/001185.html>; [Solved] pam ldap authentication - The FreeBSD Forums: <http://forums.freebsd.org/showthread.php?t=18437>
01:40 < krzie> theres tons
01:40 < derekv> i've always wanted to try forcing a windows domain controller to defer its authorization to a kerberous server running on unix, one day, if I am feeling masocistic enough... 
01:41 -!- EvilJStoker [jstoker@unaffiliated/jstoker] has joined #openvpn
01:41 < derekv> can never spell that word without looking it up
01:43 < derekv> yea, there are setups with authorizing to ldap directly, ldap via pam, radius via pam, and Kerberos via pam, probably many more permutations 
01:44 < derekv> i like the pam setup because it would allow me to do anything pam supports.  i can for example have a unix user for maintenance access, use opie, etc
01:48 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
01:54 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
01:56 < derekv> the silver lining here is that I understand PAM in BSD now 
01:57 < krzie> nice
01:57 < krzie> i use pam to auth with my dante sockd
01:58 < krzie> i use pam to auth with my dante sockd
01:59 < derekv> awesome... yes, AD/LDAP auth or at least LDAP enable logging through squid was on my list of goals, i should be able to skate right over that hopefully
02:11 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Read error: Operation timed out]
02:12 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
02:12 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
02:17 <@vpnHelper> RSS Update - forum: Server Administration :: Re: draft HOWTO "Use a Windows CA with OpenVPN" :: Reply by ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7173&p=8563#p8563>
03:08 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
03:41 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 272 seconds]
03:45 -!- master_of_master [~master_of@p57B57B65.dip.t-dialin.net] has quit [Read error: Operation timed out]
03:48 -!- master_of_master [~master_of@p57B52AAE.dip.t-dialin.net] has joined #openvpn
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:57 -!- lmns972_ [~lmns972@cac94-8-82-245-26-103.fbx.proxad.net] has joined #openvpn
03:57 -!- nelgin_ [~nigelreed@static-71-252-202-194.dllstx.fios.verizon.net] has joined #openvpn
03:57 -!- lmns972 [~lmns972@cac94-8-82-245-26-103.fbx.proxad.net] has quit [Ping timeout: 240 seconds]
03:58 -!- mike_ [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has joined #openvpn
03:58 -!- mike_ is now known as Guest92297
03:58 -!- EvilJStoker_ [jstoker@unaffiliated/jstoker] has joined #openvpn
03:58 -!- dcode_ [~quassel@173-22-229-92.client.mchsi.com] has joined #openvpn
03:59 -!- nebzz [~patel@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined #openvpn
03:59 -!- nelgin [~nigelreed@static-71-252-202-194.dllstx.fios.verizon.net] has quit [Ping timeout: 272 seconds]
03:59 -!- aliverius_ [~george@athedsl-377917.home.otenet.gr] has joined #openvpn
04:01 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has quit [Ping timeout: 240 seconds]
04:01 -!- septiq [~septiq@93.19.114.177] has quit [Ping timeout: 240 seconds]
04:01 -!- oc80z [oc80z@blea.ch] has quit [Ping timeout: 240 seconds]
04:01 -!- oc80z [oc80z@blea.ch] has joined #openvpn
04:01 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 272 seconds]
04:01 -!- aliverius [~george@athedsl-377917.home.otenet.gr] has quit [Ping timeout: 272 seconds]
04:01 -!- kish [~o2@unaffiliated/spice] has quit [Read error: Connection reset by peer]
04:01 -!- Hamlin [~Hamlin@unaffiliated/hamlin] has quit [Ping timeout: 272 seconds]
04:01 -!- EvilJStoker [jstoker@unaffiliated/jstoker] has quit [Ping timeout: 240 seconds]
04:01 -!- dcode [~quassel@173-22-229-92.client.mchsi.com] has quit [Ping timeout: 240 seconds]
04:01 -!- patelx [~patel@openvpn/corp/admin/patel] has quit [Ping timeout: 240 seconds]
04:02 -!- EvilJStoker_ is now known as EvilJStoker
04:02 -!- nb [~nb@fedora/nb] has quit [Read error: Connection reset by peer]
04:02 -!- sno_ [~sno@static.153.209.46.78.clients.your-server.de] has joined #openvpn
04:03 -!- master_o1_master [~master_of@p57B52AAE.dip.t-dialin.net] has joined #openvpn
04:03 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
04:03 -!- Hamlin [~Hamlin@unaffiliated/hamlin] has joined #openvpn
04:04 -!- kish [~o2@unaffiliated/spice] has joined #openvpn
04:06 -!- _DrJ [Bacon@174.141.224.168] has joined #openvpn
04:07 -!- nb [~nb@fedora/nb] has joined #openvpn
04:07 -!- Netsplit *.net <-> *.split quits: sno, master_of_master
04:07 -!- mike__ [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has joined #openvpn
04:08 -!- DrJ [Bacon@174.141.224.168] has quit [Ping timeout: 240 seconds]
04:08 -!- Guest92297 [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has quit [Ping timeout: 240 seconds]
04:08 -!- k3y [~key@c-76-22-43-138.hsd1.wa.comcast.net] has quit [Ping timeout: 240 seconds]
04:08 -!- k3y [~key@c-76-22-43-138.hsd1.wa.comcast.net] has joined #openvpn
04:17 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
04:19 -!- common [~common@p5DDA40AC.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds]
04:21 -!- common [~common@p5DDA46F0.dip0.t-ipconnect.de] has joined #openvpn
04:25 -!- mike__ is now known as mikey_w
04:39 -!- venom00ut [~venom00@unaffiliated/venom00] has joined #openvpn
04:58 -!- kerfe [~a@230.pool85-60-130.dynamic.orange.es] has joined #openvpn
05:23 -!- razorx [~razorX@h-157-112.A155.priv.bahnhof.se] has quit [Ping timeout: 276 seconds]
05:23 -!- razorx [~razorX@h-157-112.A155.priv.bahnhof.se] has joined #openvpn
05:44 -!- pihhan [~pihhan@pihhan.cipis.net] has joined #openvpn
05:46 < pihhan> hi
05:48 < pihhan> is it possible to configure tun device to route ipv6 and ipv4 in the same tunnel?
05:52 -!- luneff [~yury@84.51.198.114] has joined #openvpn
05:54 -!- luneff [~yury@84.51.198.114] has quit [Read error: Connection reset by peer]
05:55 -!- luneff [~yury@84.51.198.114] has joined #openvpn
05:55 < hyper_ch> !ipv6
05:55 <@vpnHelper> hyper_ch: "ipv6" is (#1) http://www.greenie.net/ipv6/openvpn.html for ipv6 payload patch (adds some nice ipv6 options), or (#2) see !snapshots for a release with ipv6 patches in it, report how it works to help it get included in a stable release
05:56 < hyper_ch> no clue :)
06:12 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has quit [Ping timeout: 245 seconds]
06:24 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
06:27 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has joined #openvpn
06:27 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Routing Questions :: Reply by ExEric3 <https://forums.openvpn.net/viewtopic.php?f=4&t=7306&p=8564#p8564>
06:33 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 245 seconds]
06:33 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
06:34 < pihhan> thanks for that link
06:34 -!- lmns972_ [~lmns972@cac94-8-82-245-26-103.fbx.proxad.net] has quit [Read error: Connection reset by peer]
06:37 < pihhan> but i have problem with setting ipv6 address on tun device
06:38 < pihhan> what modules or options enabled do i need in linux kernel for that?
06:43 -!- bitterman [~yury@84.51.198.114] has joined #openvpn
06:46 -!- krzie [~k@openvpn/community/support/krzee] has quit [Ping timeout: 245 seconds]
06:46 -!- luneff [~yury@84.51.198.114] has quit [Ping timeout: 245 seconds]
06:48 -!- dcode_ [~quassel@173-22-229-92.client.mchsi.com] has quit [Ping timeout: 245 seconds]
06:50 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has quit [Ping timeout: 245 seconds]
06:50 -!- bitterman [~yury@84.51.198.114] has quit [Ping timeout: 265 seconds]
06:51 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 240 seconds]
06:55 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 250 seconds]
06:55 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has joined #openvpn
06:55 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
06:58 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
07:08 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has quit [Ping timeout: 245 seconds]
07:21 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has joined #openvpn
07:27 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has quit [Ping timeout: 245 seconds]
07:32 -!- f1assistance [~Carl@cpe-024-211-247-099.nc.res.rr.com] has joined #openvpn
07:36 -!- k3y [~key@c-76-22-43-138.hsd1.wa.comcast.net] has quit [Read error: Operation timed out]
07:42 -!- ksk_ [~ksk@im.knubz.de] has joined #openvpn
07:42 -!- ksk_ [~ksk@im.knubz.de] has quit [Client Quit]
07:47 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has joined #openvpn
07:54 -!- k3y [~key@c-76-22-43-138.hsd1.wa.comcast.net] has joined #openvpn
07:56 -!- venom00ut [~venom00@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
07:57 -!- mrnice1 [bouncer@ip077244250141.rev.nessus.at] has joined #openvpn
07:57 -!- mrnice1 [bouncer@ip077244250141.rev.nessus.at] has quit [Excess Flood]
07:58 < mikey_w> I have my openvpnserver connection failing in both win7 and linux using openvpn from the command line
07:58 < mikey_w> If I connect in linux using the wifi manager it works.
07:59 < mikey_w> When it works ifconfig shows the tun device else the tun device shows zero packet activity.
08:00 < mikey_w> Anyone have and ideas?
08:00 < hyper_ch> !tell mikey_w [configs]
08:02 < Bushmills> seems client connects to server successfully. "zero packet" ... try to transfer something
08:02 < hyper_ch> hi Bushmills
08:02 < Bushmills> or check why in one case, traffic goes through openvpn, in the other it doesn't
08:03 < Bushmills> hi  hyper_ch
08:03 < hyper_ch> Bushmills: how are you today?
08:03 < Bushmills> undecided
08:03 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
08:04 < hyper_ch> :)
08:04 < Bushmills> not sure whether i should pour some hard booze into my tea or pull out the bike, at 0°
08:04 < Bushmills> those are mutually exclusive
08:04 < hyper_ch> booze
08:05 < Bushmills> road looks rather dry, though
08:06 < hyper_ch> booze is always a good option
08:06 -!- venom00ut [~venom00@net-93-70-12-6.cust.dsl.vodafone.it] has joined #openvpn
08:06 -!- venom00ut [~venom00@net-93-70-12-6.cust.dsl.vodafone.it] has quit [Changing host]
08:06 -!- venom00ut [~venom00@unaffiliated/venom00] has joined #openvpn
08:08 < Bushmills> actually, there is a way to have both
08:08 < Bushmills> booze after bike :)
08:08 -!- venom00ut [~venom00@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
08:08 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 255 seconds]
08:08 < hyper_ch> :)
08:09 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
08:16 -!- venom00ut [~venom00@net-93-70-12-6.cust.dsl.vodafone.it] has joined #openvpn
08:16 -!- venom00ut [~venom00@net-93-70-12-6.cust.dsl.vodafone.it] has quit [Changing host]
08:16 -!- venom00ut [~venom00@unaffiliated/venom00] has joined #openvpn
08:20 -!- Bushmill- [~Bushmills@scarydevilmonastery.net] has joined #openvpn
08:20 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has quit [Disconnected by services]
08:21 -!- Bushmill- is now known as Bushmills
08:21 -!- venom00 [~venom00@net-93-70-12-6.cust.dsl.vodafone.it] has joined #openvpn
08:21 -!- venom00 [~venom00@net-93-70-12-6.cust.dsl.vodafone.it] has quit [Changing host]
08:21 -!- venom00 [~venom00@unaffiliated/venom00] has joined #openvpn
08:21 -!- venom00ut [~venom00@unaffiliated/venom00] has quit [Ping timeout: 265 seconds]
08:23 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
08:23 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
08:23 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
08:24 < mikey_w> I cloned an acevpn ovpn file and changed the data to my server and it clerly doesn't set the default route?
08:24 < mikey_w> clearly
08:25 < Bushmills> try the openvpn sample configs instead
08:28 < mikey_w> Default route using wif manager -- default  10.8.0.5  0.0.0.0   UG   0  0  0 tun0
08:29 < mikey_w> Default rout using openvpn from the CL -- default         Wireless_Broadb 0.0.0.0         UG    0      0        0 eth1
08:29 < mikey_w> ok I will try them
08:40 < common> krzee: you mentioned the new openvpn gui - 2.2-beta3 ships the old, where to get the new?
08:42 -!- zorzar [~zorzar@p578EFD8C.dip.t-dialin.net] has joined #openvpn
08:54 -!- luneff [~yury@84.51.198.114] has joined #openvpn
08:58 < mikey_w> Bushmills, same result default is still eth1
09:00 -!- ucekpolish [user@hq.ostc-pl.com] has quit [Quit: Leaving.]
09:02 < mikey_w> Running openvpn as root doesn't work either.
09:08 -!- kerfe1 [~a@230.pool85-60-130.dynamic.orange.es] has joined #openvpn
09:08 <@vpnHelper> RSS Update - forum: Server Administration :: Problems when install OpenVPN on windows server 2003 VPS. ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7331&p=8565#p8565>
09:10 -!- kerfe [~a@230.pool85-60-130.dynamic.orange.es] has quit [Ping timeout: 245 seconds]
09:10 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 245 seconds]
09:27 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
09:27 -!- bitterman [~yury@84.51.198.114] has joined #openvpn
09:28 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
09:29 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has quit [Ping timeout: 245 seconds]
09:31 -!- luneff [~yury@84.51.198.114] has quit [Ping timeout: 245 seconds]
09:38 < ecrist> krzee: you forgot the best LDAP resource: http://www.secure-computing.net/wiki/index.php/OpenLDAP
09:38 < ecrist> :)
09:38 <@vpnHelper> Title: OpenLDAP - Secure Computing Wiki (at www.secure-computing.net)
09:39 < hyper_ch> isn't LDAP evil?
09:40 < ecrist> it's only evil to those that don't understand it
09:40  * hyper_ch doesn't understand it
09:40 < hyper_ch> ecrist, are you a windows guru?
09:41 < ecrist> hah, no
09:42 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has joined #openvpn
09:42 < ecrist> these days, I probably know less about windows than most peoples' mothers
09:42 < hyper_ch> damn, I don't know any windows gurus :(
09:44 < hyper_ch> I can't believe that you can't install win7 easily on a SD card
09:46 < ecrist> SSDs are pure hype
09:46 < ecrist> I don't know why anyone with any sense would buy one right now
09:46 < hyper_ch> not SSDs
09:46 < hyper_ch> SD card
09:46 < ecrist> my statement still stands
09:47 < ecrist> why would you want to install win7 on an SD card?
09:47 < hyper_ch> I like SD cards.. they are small and you can have a number of installs easily
09:47 -!- f1assistance [~Carl@cpe-024-211-247-099.nc.res.rr.com] has quit [Ping timeout: 260 seconds]
09:47 < hyper_ch> and just switch them if you need them
09:47 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has quit [Ping timeout: 240 seconds]
09:47 < hyper_ch> there's a few things I'd like to try and don't wanna resize my harddisk
09:48 < ecrist> SD cards are SLOW though.
09:48 < hyper_ch> SSDs can be nice as in fster... but when you fully encrypt the system I don't think you'll notice much anymore
09:48 < ecrist> you could do compact flash with an IDE interface
09:48 < ecrist> IDE or SATA
09:48 < ecrist> SSDs aren't any faster, though, that's the problem.
09:48 < hyper_ch> but the main advantage I see compared to harddisks is no movable / mechanical parts
09:48 < hyper_ch> I thought SSDs are faster than HDs
09:49 < hyper_ch> I know that SD cards are slow... but I don't aim at running a fast system from SD anyway
09:49 < hyper_ch> just like to have a copy available in case I need to test something
09:49 < ecrist> use compact flash with a SATA interface adapter
09:50 < hyper_ch> on a netbook?
09:50 < ecrist> you didn't say netbook anywhere.
09:50 < hyper_ch> Win7 can't even install itself onto a USB
09:50 -!- luneff [~yury@84.51.198.114] has joined #openvpn
09:51 < hyper_ch> I wonder, with all that money being poured into windows development, why can't you easily chose to install onto usb, sd or whatever other bootable devices there are?
09:51 < ecrist> no idea.  sounds like a #windows question
09:51 < hyper_ch> so, let's check how the two public votes went today:)
09:53 -!- bitterman [~yury@84.51.198.114] has quit [Ping timeout: 255 seconds]
09:54 < hyper_ch> one public initiative accepted, one dismissed.... the outcome could be worse :)
09:56 < hyper_ch> actually, the outcome is fine :)
09:56 -!- luneff [~yury@84.51.198.114] has quit [Read error: Connection reset by peer]
09:57 -!- luneff [~yury@84.51.198.114] has joined #openvpn
09:57 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has joined #openvpn
10:16 < derekv> so what are planned features for the gui ? I understand, window's _user_ certificate store, ability to run service and start stop service as use and still prompt for password (or does that already work in the developement version?) 
10:20 < derekv> I'm thinking about methods one might use to remotely update openvpn...
10:21 < derekv> e.g. change client config files automatically through the tunnel, or through an insecure channel.
10:21 < derekv> unsecured.
10:23 -!- ksk [~ksk@im.knubz.de] has quit [Remote host closed the connection]
10:25 < derekv> You could push out, or email even, a zip file and a signature, inclulde a script in the original distribution that checks the signature of the zip file, if its good ,exctracts in and runs an executable within 
10:25 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
10:27 < derekv> you could feasibly use the same client key pair openvpn uses, or use an independent public key trust system
10:28 -!- WinstonSmith [~true@e179008216.adsl.alicedsl.de] has joined #openvpn
10:30 < ecrist> !wishlist
10:30 <@vpnHelper> ecrist: "wishlist" is https://forums.openvpn.net/viewforum.php?f=10 for the openvpn wishlist
10:30 < ecrist> derekv: ^^^
10:31 < derekv> =]
10:35 < derekv> well, your configs from server post, it seems there are three things here : 
10:36 < derekv> but its similar, 
10:37 < derekv> Instead of me emailing  or having users download a custom rolled client, they could download the normally distrubuted one and enter in say a url, which would pull the customizations 
10:38 -!- boswarrior [~mrnice@84.115.26.221] has joined #openvpn
10:40 -!- WinstonSmith [~true@e179008216.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
10:40 < derekv> But the second part is, to change client configuration on the fly, I can see how this would work in theory, but it seems like a much more significant amount of work.
10:40 < ecrist> I'm thinking more in line with how voip phones are provisioned.  server has user name and config pairs, pushes that to client
10:40 < ecrist> on client, you enter port, host name, username, pulls your config automagically
10:41 < ecrist> I don't think it's as much work as you thin.
10:41 < ecrist> think
10:41 < derekv> How do you verify the client is authentic? 
10:44 -!- ksk [~ksk@im.knubz.de] has joined #openvpn
10:47 < ecrist> user/pass
10:47 < ecrist> just thinking out louad
10:47 < ecrist> loud
10:59 -!- Kevin` [~kevin@router.kwzs.be] has quit [Read error: Connection reset by peer]
10:59 -!- Kevin` [~kevin@router.kwzs.be] has joined #openvpn
10:59 < derekv> I think the dead simplest way for me to meet my needs is to have the user install gpg, generate a private key, upload the private key, call me with the thumbprint.
11:00 < derekv> I then can send them signed or signed/encrypted zips, which they can open and double-click "runme"
11:01 < derekv> There are probably mechanisims built into windows such as wmi that if I understood it better, might be just as good
11:01 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 260 seconds]
11:01 < derekv> but since I don't understand it, its security seems suspect
11:06 -!- luneff [~yury@84.51.198.114] has quit [Quit: Leaving]
11:08 -!- razorx [~razorX@h-157-112.A155.priv.bahnhof.se] has quit [Ping timeout: 265 seconds]
11:08 -!- razorx [~razorX@h-157-112.A155.priv.bahnhof.se] has joined #openvpn
11:23 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
11:25 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has quit [Ping timeout: 245 seconds]
11:29 -!- err0r [~err0r@err0r.enjoyvps.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
11:29 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has joined #openvpn
11:38 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has joined #openvpn
11:44 -!- Beber` [~Beber@2a01:e35:2422:da50:34::11] has joined #openvpn
11:44 < Beber`> Hi
11:44 < Beber`> is there a way to change the keysize when using openvpn --genkey ?
12:22 -!- luneff [~yury@84.51.198.114] has joined #openvpn
12:27 -!- s7r [~s7r@89.39.174.74] has joined #openvpn
12:45 -!- s7r [~s7r@89.39.174.74] has left #openvpn []
12:46 -!- Beber` [~Beber@2a01:e35:2422:da50:34::11] has quit [Read error: Operation timed out]
13:10 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
13:19 <@vpnHelper> RSS Update - forum: Off Topic, Related :: Re: OpenVPN for GPRS Bidirectional Communication? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=1&t=7313&p=8566#p8566>
13:38 -!- luneff [~yury@84.51.198.114] has quit [Read error: Connection reset by peer]
13:38 -!- luneff [~yury@84.51.198.114] has joined #openvpn
13:50 -!- luneff [~yury@84.51.198.114] has quit [Quit: Leaving]
14:00 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has quit [Ping timeout: 260 seconds]
14:20 -!- fbh [fbh@unaffiliated/fbh] has quit [Ping timeout: 240 seconds]
14:21 -!- aliverius_ [~george@athedsl-377917.home.otenet.gr] has quit [Read error: Connection reset by peer]
14:21 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has quit [Write error: Connection reset by peer]
14:21 -!- krzie [~k@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
14:21 -!- aliverius [~george@athedsl-377917.home.otenet.gr] has joined #openvpn
14:22 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
14:22 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
14:22 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
14:22 -!- fbh__ [fbh@lucifer.frands.net] has joined #openvpn
14:23 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
14:29 -!- adsad [~Napsi@ti0210a340-0957.bb.online.no] has joined #openvpn
14:29 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: Connection reset by peer]
14:41 -!- adsad is now known as Napsi
14:57 -!- fbh__ is now known as fbh
14:57 -!- fbh [fbh@lucifer.frands.net] has quit [Changing host]
14:57 -!- fbh [fbh@unaffiliated/fbh] has joined #openvpn
15:06 -!- s7r [~s7r@89.39.174.74] has joined #openvpn
15:14 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has left #openvpn []
15:15 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined #openvpn
15:38 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 276 seconds]
15:50 < s7r> how can I assign static IP for a client, each times he connects to have the same IP address for internet (.conf set to route all the trafic through the vpn)
15:51 < krzee> static IP for the vpn address?
15:52 < s7r> yes, I have a server with 3 IP addresses. on one from these it has to listen, so 2 remains. I have 1 single client and I want to give him the same IP every time he connects to the VPN
15:52 < krzee> !static
15:52 <@vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.5 10.8.0.6 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder
15:53 < krzee> !linnat
15:53 <@vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
15:53 < krzee> #2
15:53 -!- ambro718 [~ambro@BSN-77-101-149.dsl.siol.net] has joined #openvpn
15:55 < s7r> thanks
15:55 < s7r> !topology
15:55 <@vpnHelper> s7r: "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
15:55 < s7r> !tunortap
15:55 <@vpnHelper> s7r: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you over
15:55 <@vpnHelper> s7r: the vpn, or (#4) lan gaming? use tap!
16:12 -!- |ns|nR8 [~steve@60-242-209-243.static.tpgi.com.au] has joined #openvpn
16:12 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has joined #openvpn
16:13 -!- kish_ [~o2@unaffiliated/spice] has joined #openvpn
16:16 -!- kish [~o2@unaffiliated/spice] has quit [Ping timeout: 250 seconds]
16:18 -!- _DrJ is now known as DrJ
16:18 -!- DrJ is now known as Bacon
16:18 -!- Bacon is now known as DrJ
16:20 -!- |ns|nR8 [~steve@60-242-209-243.static.tpgi.com.au] has left #openvpn ["Leaving"]
16:30 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
16:32 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
16:56 -!- luneff [~yury@84.51.198.114] has joined #openvpn
17:02 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
17:10 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
17:14 -!- luneff [~yury@84.51.198.114] has quit [Ping timeout: 260 seconds]
17:27 -!- corretico__ [~corretico@201.201.44.82] has quit [Quit: Leaving]
17:27 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
17:31 -!- pihhan [~pihhan@pihhan.cipis.net] has quit [Quit: using sirc version 2.211+KSIRC/1.3.12]
17:36 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
17:40 -!- boswarrior [~mrnice@84.115.26.221] has quit [Quit: Ex-Chat]
17:42 -!- kerfe1 [~a@230.pool85-60-130.dynamic.orange.es] has quit [Quit: • IRcap • 8.6 •]
17:55 -!- GrafeX [GrafeX@pool-173-62-217-189.phlapa.fios.verizon.net] has joined #openvpn
17:56 < GrafeX> !welcome
17:56 <@vpnHelper> GrafeX: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:56 < GrafeX> !howto
17:56 <@vpnHelper> GrafeX: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:56 < GrafeX> ~.~
17:58 < GrafeX> i got a pretty simple question bout the vm appliance, just want to know if i should be concerned or not.. anyone round? :)
18:08 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has quit [Ping timeout: 276 seconds]
18:13 -!- ambro718 [~ambro@BSN-77-101-149.dsl.siol.net] has quit [Quit: Leaving.]
18:27 -!- fbsec [~fb@38.108.126.157] has quit [Remote host closed the connection]
18:33 < sedulous> i have a routing related question. let's say i'm connected to a random network and have only 2 routes, the one for the network i'm connected to, e.g. "10.0.0.0/24 dev wlan0" and one default route "via 10.0.0.1"... now i'm starting an OpenVPN connection and i want it to replace the default route with two things: A) $VPN_SERVER_IP via 10.0.0.1 and B) default via $VPN_INTERNAL_SERVER_IP 
18:34 < sedulous> i plan to write a script that does this but: is there some sort of hook in the openvpn configuration file that i can use to call it as soon as the network's up?
18:36 < sedulous> basically, all i want is: "execute a script whenever the OpenVPN connection has been (re-)established successfuly"
18:36 < reiffert> !def1
18:36 <@vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
18:36 < reiffert> !up
18:36 <@vpnHelper> reiffert: Error: "up" is not a valid command.
18:36 < reiffert> !factoids search script
18:36 <@vpnHelper> reiffert: '2.1-winpass-script', 'winscript', and 'script'
18:37 < reiffert> !script
18:37 <@vpnHelper> reiffert: "script" is see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn
18:37 < sedulous> ok cool
18:37 < sedulous> redirect-gateway looks neat, reiffert, thanks
18:39 -!- venom00 [~venom00@unaffiliated/venom00] has quit [Ping timeout: 272 seconds]
18:39 < sedulous> this is _just_ what i wanted :)
18:46 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
18:51 -!- s7r [~s7r@89.39.174.74] has left #openvpn []
18:52 < derekv> Is "use windows login permissions" already on the wishlist or is it already known how to do this? 
18:52 < derekv> s/permissions/credentials 
18:52 < krzee> auth against active directory?
18:53 < derekv> nope, I got that working remember? :) I mean, to work without prompting the user on the client side for the windows login and password if it is the same as the credentials they have already used to log into the local computer.
18:53 < krzee> doesnt exist
18:54 < krzee> !wishlist
18:54 <@vpnHelper> krzee: "wishlist" is https://forums.openvpn.net/viewforum.php?f=10 for the openvpn wishlist
18:54 < derekv> I was just looking at that.  Should I post it? 
18:55 < GrafeX> local windows auth.. prolly would need to know the local windows computer name too when you set it up.. no?
18:56 < GrafeX> oh wait missread :-P
18:56 < derekv> Assuming 1. openvpn is tied to auth to an active directory domain in some way, 2. the client is a computer on the domain and the current user is also a domain user, and the credentials are valid
18:57 < derekv> desired behavior (with correct settings / discretion of  admin) user is not bothered to enter password again.
18:58 < krzee> feel free to post the request, doesnt mean it will happen tho
18:58 < derekv> You can see this behaviour if you log into a windows domain client computer as a domain user while the computer is offline, plug the computer into the network, and then access a resource, eg off a file server, to which the user should be allowed access.
18:58 < krzee> basically it boils down to a programmer feeling like it
18:59 < derekv> In most cases, windows will not prompt the user for a password, it just works.  However, eg if you changed the password on the domain, the user is prompted to enter password again or given an error.
18:59 < derekv> Yea I understand.
18:59 < krzee> However, eg if you changed the password on the domain, the user is prompted to enter password again or given an error.
18:59 < krzee> that would be upon reconnect
19:00 < krzee> it wouldnt boot them out of the session
19:00 < krzee> for something like that you need to build your own db, and hook some scripts into the management interface
19:00 < derekv> Yea I don't have the exact rules for how that works in front of me.
19:01 < derekv> Well from openvpn, this is all happening during initial authentication so, I wouldn't expect it to boot the user off because their password had changed, after the session was created.  
19:03 < derekv> So, help me solidify my logic here: Assume absolutly no access to an internal network except via openvpn, and mobile clients (running windows for our example) are issuse certificates, no further authentication is done other than the typical, which is that the certificate is verified to have been issued as coming from the same CA as the server's.
19:04 < derekv> The weak point in this configuration is likely to be the private keys on the client laptops, or the client laptop operating systems themselves (eg could be rooted)
19:05 < krzee> if they are in fact rooted, using the same password for openvpn as the system would be a weak point
19:05 < derekv> Right... I was getting to that..
19:05 < sedulous> hmm, redirect-gateway works for startup/shutdown of the VPN but it doesn't replace my default route
19:06 < krzee> it doesnt replace your default route because you use the def1 flag
19:06 < krzee> !def1
19:06 <@vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
19:06 < sedulous> yes, i use def1
19:06 < krzee> with def1 it overrides your default route without wiping it out
19:06 < sedulous> it sets one route for the --remote IP, that works
19:06 < krzee> if you want it overwritten, do not use def1
19:07 < sedulous> well i want to keep a route to the old router
19:07 < sedulous> so that the VPN still works :)
19:07 < krzee> umm, redirect-gateway does that
19:07 < derekv> Under the above mentioned configuration, an attacker needs either 1. the private key, which they can get via filesystem access to the laptop, or 2. "root" or even just the user level access to the laptops OS.
19:07 < krzee> def1 has nothing whatsoever to do with that
19:08 < sedulous> krzee: yes, it does that, but it doesn't set a new default route 
19:08 < krzee> def1 allows you to still have a route to the internet when openvpn goes down
19:08 < krzee> umm, yes it does
19:08 < krzee> sedulous, what is your actual goal?
19:08 < krzee> derekv, if you passphrase protect the private key, simply accessing the file does nothing
19:09 < sedulous> my goal is just what the manpage describes for --redirect-gateway, and everything works as intended except that it lacks a default route (via --route-gateway)
19:09 < krzee> sedulous, 
19:09 < krzee> !logs
19:09 <@vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin
19:09 < krzee> just client side
19:09 < krzee> and netstat -rn from before and after connecting
19:10 < derekv> Right, passphrase on the private key ties the security to the quality of that passphrase (which under many enviroments would end up being low anyways), however in the face of the reality of keyloggers I think root access to client computer is an invarient 
19:12 < sedulous> krzee: http://pastebin.com/raw.php?i=vNbmDGme
19:13 < krzee> heh
19:13 < krzee> i didnt say to pastebin the part you felt was relevant
19:18 < derekv> Here's my point, adding kerberous authentication against AD to this configuration, when the user is already logged in as that same user into windows, adds only slightly to the security, though might add some management abilities if routed through PAM (eg time of day restrictions) 
19:18 < sedulous> figured it out, wrong route-gateway :) thanks tho, krzee 
19:20 < derekv> In the same way, authentication against ldap or radius only adds some management type security, policy based or soforth, the weak spot still seems to be the with the physical client computer itself, the client's OS, and the end user.
19:25 -!- mode/#openvpn [+o ecrist] by ChanServ
19:25 -!- krzee was kicked from #openvpn by ecrist [krzee]
19:26 -!- mode/#openvpn [-o ecrist] by ecrist
19:27 -!- katoen [b0a8b4eee4@xs8.xs4all.nl] has joined #openvpn
19:30 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
19:30 < derekv> =/
19:31 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has quit [Ping timeout: 245 seconds]
19:31 -!- ecrist was kicked from #openvpn by vpnHelper [krzee]
--- Log closed Sun Nov 28 19:31:28 2010
--- Log opened Sun Nov 28 19:31:50 2010
19:31 -!- ecrist [~ecrist@openvpn/community/support/ecrist] has joined #openvpn
19:31 -!- Irssi: #openvpn: Total of 108 nicks [3 ops, 0 halfops, 0 voices, 105 normal]
19:31 -!- Irssi: Join to #openvpn was synced in 0 secs
19:31 < krzee> muahaha
19:32 < ecrist> lol
19:33 -!- krzee was kicked from #openvpn by vpnHelper [bitch]
19:34 -!- ecrist was kicked from #openvpn by vpnHelper [wheeeee]
--- Log closed Sun Nov 28 19:34:22 2010
--- Log opened Sun Nov 28 19:36:42 2010
19:36 -!- ecrist [~ecrist@openvpn/community/support/ecrist] has joined #openvpn
19:36 -!- Irssi: #openvpn: Total of 108 nicks [3 ops, 0 halfops, 0 voices, 105 normal]
19:36 -!- Irssi: Join to #openvpn was synced in 0 secs
19:36 < krzee> its not like there is a magic pill that makes everything secure
19:36 < krzee> you just keep adding layers to the onion
19:37 < derekv> Firstly I'm concerned with not leaving any doors wide open.
19:37 < krzee> you are also using udp, with an hmac, right?
19:37 < krzee> !hmac
19:37 <@vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the tls static
19:38 <@vpnHelper> krzee: key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
19:39 < derekv> No but at minimum I was planning to add that to my configuration along with correctly implemented certificates and server authentication, the A.D. was almost a distraction, but it was also on my list of goals.
19:39 < ecrist> krzee: touche, mother f'er.  touche
19:40 < krzee> ;]
19:40 < krzee> i was surprised chanserv doesnt have a kick command
19:40  * ecrist didnt' bring chanserv into it...
19:40 < ecrist> :)
19:40 < krzee> your first kick was by you, after chanserv oped you
19:41 < krzee> but there seems to not be a chanserv kick command, so i had to hide behind the bot instead ;)
19:42 < ecrist> 19:41 <ecrist> akick #openvpn add krzee your a bitch
19:42 < ecrist> 19:41 -ChanServ(ChanServ@services.)- krzee already has flags +votsrifA on #openvpn
19:43 < ecrist> 19:42 <ecrist> why #openvpn krzee
19:43 < ecrist> 19:42 -ChanServ(ChanServ@services.)- krzee has flags +votsrifA in #openvpn because they are logged in as krzee.
19:43 < ecrist> 19:42 -ChanServ(ChanServ@services.)- krzee has flags +votsrifA in #openvpn because they match the mask *!*@openvpn/community/support/*.
19:44 < derekv> I had a user's computer on my network get backdoored, they logged into the banking website, a few hours later, someone created 20 something new employees across 16 or so checking accounts accross the country, and tried to run a 144k payroll
19:45 < ecrist> sounds like you need better control of your employee mgmt system
19:45 < derekv> and I can't like, protect users from themselves.
19:46 < derekv> perhaps the best security is better insurance.
19:46 < ecrist> s/insurance/employees/
19:46 -!- mikey_w [~mike@178.162.174.69] has joined #openvpn
19:46 < krzee> lol nice regex
19:46 < krzee> too tru
19:47 < ecrist> :)
19:48 < derekv> Not realistic.  
19:48 < ecrist> derekv: 100% protection from such isn't, either
19:49 < derekv> I'd love do deal with security without realistic concerns.  We could debate weather twofish is stronger than Rijndael... 
19:50 < derekv> sorry, I'm just getting tired.
19:50 < ecrist> or, whether perfect secrecy of vpn keys is realistic relative to other alternatives.
19:50 < ecrist> lame.  /me goes to bar.
19:51 < krzee> take it easy ecrist 
19:51 < derekv> heh, i went to the bar.
19:52  * ecrist takes it easy.  continues working on lady friend.
20:13 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
20:41 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
20:46 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
20:49 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Read error: Operation timed out]
21:01 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined #openvpn
21:08 -!- mikey_w [~mike@178.162.174.69] has quit [Ping timeout: 240 seconds]
21:16 < theDoc> Policies are there for a reason and so are BCPs.
21:25 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has joined #openvpn
21:27 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
21:52 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has quit [Ping timeout: 240 seconds]
22:05 -!- mikey_w [~mike@95.211.85.224] has joined #openvpn
22:25 -!- mikey_w [~mike@95.211.85.224] has quit [Ping timeout: 245 seconds]
22:41 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has joined #openvpn
22:45 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Ping timeout: 264 seconds]
23:02 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
23:07 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
23:09 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
23:16 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
23:16 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
23:16 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
23:19 -!- earwax [~wormfood@183.39.105.91] has joined #openvpn
23:22 -!- W0rmF00d [~wormfood@183.39.107.107] has quit [Ping timeout: 250 seconds]
23:38 -!- jpalmer is now known as jptemp
23:38 -!- jptemp is now known as jpalmer
23:41 -!- razorx [~razorX@h-157-112.A155.priv.bahnhof.se] has quit [Quit: —I-n-v-i-s-i-o-n— 3.2 (July '10)]
23:53 -!- venom00ut [~venom00@net-93-70-12-6.cust.dsl.vodafone.it] has joined #openvpn
23:53 -!- venom00ut [~venom00@net-93-70-12-6.cust.dsl.vodafone.it] has quit [Changing host]
23:53 -!- venom00ut [~venom00@unaffiliated/venom00] has joined #openvpn
23:55 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
--- Day changed Mon Nov 29 2010
00:16 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
00:16 -!- venom00ut [~venom00@unaffiliated/venom00] has quit [Ping timeout: 260 seconds]
00:28 -!- ondrejk [~ondrejk@194.228.50.29] has quit [Quit: leaving]
01:16 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
01:22 -!- k3y [~key@c-76-22-43-138.hsd1.wa.comcast.net] has quit [Quit: Leaving]
01:40 < sedulous> Hmm, is anyone able to connect to an OpenVPN server via a SSH SOCKS5 proxy? 
01:41 < sedulous> I've verified: 1) the OpenVPN client config works with direct connections, 2) the SOCKS5 proxy works for other applications... yet i'm getting this error: recv_socks_reply: TCP port read failed on recv(): Operation now in progress (errno=115) --- a quick google search suggests that others have the same problem with OpenVPN via SSH's SOCKS.
01:47 < sedulous> debian has a bug for that too
01:51  * sedulous compiles openvpn-2.2 beta manually to see if it's already fixed
02:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
02:19 -!- boswarrior1 [~mrnice@78.142.173.114] has joined #openvpn
02:27 -!- kish_ [~o2@unaffiliated/spice] has quit [Quit: leaving]
02:29 < krzie> sedulous, you using UDP or TCP for your vpn?
02:29 < krzie> and does your socks auth?
02:29 < krzie> ssh's socks doesnt do UDP
02:30 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
02:30 < krzie> ovpn doesnt do socks auth (althought !snapshots should have socks auth)
02:31 -!- dazo_afk is now known as dazo
02:52 < krzie> ahh socks auth is in beta2.2
02:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
02:57 < rjd_> how could I automate generation of new certificates where username/common name is arg1 and password would be arg2?
02:58 < krzie> !learn new_win_gui as http://sourceforge.net/projects/openvpn-gui/ is the upstream project for the new windows gui
02:58 <@vpnHelper> krzie: Joo got it.
02:59 < krzie> rjd_, by reading the hell out of the man pages for openssl and reading the easy-rsa scripts
02:59 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: Password OpenvpnGUI :: Author darco <https://forums.openvpn.net/viewtopic.php?f=15&t=7332&p=8567#p8567>
02:59 < krzie> !pwfile
02:59 <@vpnHelper> krzie: "pwfile" is (#1) OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h, or (#2) see --auth-user-pass in the manual (!man) for more info
03:11 < rjd_> but auth-user-pass is only a client config option, right?
03:12 < rjd_> iirc, the daemon complained when I added it in server config
03:12 -!- venom00ut [~venom00@173.0.1.137] has joined #openvpn
03:12 -!- venom00ut [~venom00@173.0.1.137] has quit [Changing host]
03:12 -!- venom00ut [~venom00@unaffiliated/venom00] has joined #openvpn
03:15 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
03:17 < krzie> no no the pwfile thing is for a forum post
03:20 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: Password OpenvpnGUI :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=15&t=7332&p=8568#p8568>
03:23 -!- Hamlin [~Hamlin@unaffiliated/hamlin] has quit [Ping timeout: 255 seconds]
03:30 <@vpnHelper> RSS Update - forum: Configuration :: Re: Multiple Tunnels on the same server :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7278&p=8569#p8569>
03:36 -!- Hamlin [~Hamlin@unaffiliated/hamlin] has joined #openvpn
03:37 < sedulous> krzie: oh, good to know. UDP and no authentication. 
03:37 < sedulous> so i'll just have to enable TCP on the server :)
03:37 < sedulous> (to be honest, UDP NAT has always been a mystery to me)
03:37 < sedulous> (unrelated)
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
03:42 < krzie> dante socks server supports UDP
03:42 < krzie> but then you need auth
03:42 < sedulous> it's okay, I can live with TCP
03:42 < sedulous> it's only temporary 
03:42 < krzie> (this is for a forum post)
03:42 < krzie> !winnat
03:42 <@vpnHelper> krzie: "winnat" is (#1) http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows, or (#2) http://www.nanodocumet.com/?p=14 for windows XP
03:45 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Routing Questions :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7306&p=8570#p8570>
03:48 -!- master_o1_master [~master_of@p57B52AAE.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
03:49 -!- master_of_master [~master_of@p57B54CDF.dip.t-dialin.net] has joined #openvpn
03:52 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
04:10 -!- noisebleed [~quassel@kermit.inescn.pt] has joined #openvpn
04:10 -!- noisebleed [~quassel@kermit.inescn.pt] has quit [Changing host]
04:10 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
04:16 -!- common- [~common@p5DDA4AD7.dip0.t-ipconnect.de] has joined #openvpn
04:17 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
04:18 -!- common [~common@p5DDA46F0.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
04:18 -!- common- is now known as common
04:25 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
04:45 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
04:47 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
04:47 -!- mrb__ [~mrb@178.171.133.151] has joined #openvpn
04:48 < mrb__> hey, i installed OpenVPN client on ubuntu 10.10 and i need the configuration files to set it up.. where do i get them ?!
04:53 < |Mike|> topic
04:53 < |Mike|> !tell mrb__ [welcome]
04:53 < |Mike|> !tell mrb__ [goal]
04:53 < |Mike|> anyway, i'm gone till 2pm
05:15 -!- zorzar_ [~zorzar@p4FFD11C3.dip.t-dialin.net] has joined #openvpn
05:18 -!- zorzar [~zorzar@p578EFD8C.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
05:20 -!- venom00ut [~venom00@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
05:21 -!- venom00ut [~venom00@unaffiliated/venom00] has joined #openvpn
05:30 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
05:30 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
05:30 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:38 <@vpnHelper> RSS Update - forum: Server Administration :: Client cant see together :: Author shpy <https://forums.openvpn.net/viewtopic.php?f=4&t=7333&p=8571#p8571>
05:48 -!- luneff [~yury@84.51.195.188] has joined #openvpn
05:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
06:21 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
06:22 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Quit: leaving]
06:22 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined #openvpn
06:23 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
06:30 < Bushmills> mrb__: most system come with interactive openvpn configuration frontends, called "editors"
06:31 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
06:34 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Ping timeout: 245 seconds]
06:35 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined #openvpn
06:40 <@dazo> Bushmills: "editors" aka ... vim, vi, emacs, gedit, notepad, edit or similar? ;-)
06:41 < Bushmills> yes, exactly one of these kind of configuration frontents
06:41 < Bushmills> frontends
06:42 -!- nixfloyd [~floyd@host-static-89-41-107-223.moldtelecom.md] has joined #openvpn
06:54 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
07:01 < hyper_ch> Bushmills: hi there :)
07:03 < Bushmills> hi hyper_ch
07:06 < hyper_ch> Bushmills: how are you doing?
07:06 < Bushmills> t'is snowing outside - that reduces the number of my options today
07:08 < Bushmills> ehm .. do you sometimes see postmen on scooters or motorbikes?
07:08 < hyper_ch> e-scooters
07:09 < hyper_ch> Bushmills: how about some entertainment - http://www.linux.fm/ :)
07:09 <@vpnHelper> Title: Linux Radio - Broadcasting the Linux kernel! (at www.linux.fm)
07:09 < Bushmills> when you do, could you look at their tyres, what brand and model those are?
07:09 < Bushmills> (that's for verification - supposedly they drive on IRC Urban Snow)
07:09 < hyper_ch> I can try to
07:09 < hyper_ch> usually they come after I go to work
07:12 -!- venom00ut [~venom00@unaffiliated/venom00] has quit [Ping timeout: 265 seconds]
07:13 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
07:17 < Bushmills> reading the kernel source is not the longest audio project, btw. compare against http://www.john-cage.halberstadt.de/new/index.php?seite=dasprojekt&l=e, alternative link http://www.travbuddy.com/blog/archives/126-ASLAP-Halberstadts-639-Year-Tourist-Draw.html
07:17 <@vpnHelper> Title: ASLSP - John-Cage-Orgelprojekt Halberstadt (at www.john-cage.halberstadt.de)
07:18 < Bushmills> performance will end in the year 2640
07:20 -!- nelgin_ [~nigelreed@static-71-252-202-194.dllstx.fios.verizon.net] has quit [Quit: [BX] Harry Potter uses BitchX. Shouldn't you?]
07:21 < Bushmills> on 5th of february 2011 will the performance move on to the next tone
07:23 < Bushmills> events of next sixty years are here: http://www.john-cage.halberstadt.de/new/index.php?seite=cdundtoene&l=d
07:23 <@vpnHelper> Title: ASLSP - John-Cage-Orgelprojekt Halberstadt (at www.john-cage.halberstadt.de)
07:32 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving]
07:34 < Bushmills> http://longplayer.org/listen/longplayer.m3u   this project is meant to run until year 3000
07:36 -!- nigelreed [~nigelreed@static-71-252-202-194.dllstx.fios.verizon.net] has joined #openvpn
07:37 < nigelreed> HI all. I'm having problems with openvpn setting the gateway. Running the server on Linux in bridged mode, the client is receiving the gateway push but is setting it to the currently configured gateway, hence no network to the vpn. Any suggestions?
07:42 < hyper_ch> !bridge
07:42 <@vpnHelper> hyper_ch: "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc, or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ, or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man)
07:44 < nigelreed> Yup, done the bridging docs and it's all setup as far as I can tell. I have my br0 device on the linux side. The client gets an ip addess when it connects. There's no firewall on the linux side and I'm using tcp and the connection is good.
07:44 < nigelreed> Let me check the faq.
07:45 < nigelreed> Not using access server, just the regular community openvpn
07:45 < nigelreed> !man
07:45 <@vpnHelper> nigelreed: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
07:46 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
07:49 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: Password OpenvpnGUI :: Reply by Damien74 <https://forums.openvpn.net/viewtopic.php?f=15&t=7332&p=8572#p8572>
07:49 < nigelreed> the server-bridge line should contain the same IP address as the netword card on the private lan, right?
07:49 < nigelreed> ie, if it's 192.168.1.1 then I'd use server-bridge 192.168.1.1 255.255.255.0 192.168.1.100 192.168.1.200 for example
07:53 < nigelreed>  PUSH: Received control message: 'PUSH_REPLY,route 192.168.169.0 255.255.255.0,redirect-gateway,route-gateway 192.168.168.1,ping 10,ping-restart 120,ifconfig 192.168.168.130 255.255.255.0'
07:54 < nigelreed> The client gets the push, and there's the gateway I'm using, 192.16.168.1 however it's not getting it.
07:55 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
07:57 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 260 seconds]
07:58 -!- nelgin [~nigelreed@static-71-252-202-194.dllstx.fios.verizon.net] has joined #openvpn
07:58 < nelgin> Back again
08:01 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
08:02 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 245 seconds]
08:04 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
08:15 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
08:15 -!- nigelreed [~nigelreed@static-71-252-202-194.dllstx.fios.verizon.net] has quit [Quit: BitchX: the fizzle goes straight to your brain!]
08:15 < nelgin> Any other suggestions on where to get help?
08:17 -!- [intra]lanman [~lanman@12.200.95.45] has joined #openvpn
08:17 -!- [intra]lanman [~lanman@12.200.95.45] has quit [Changing host]
08:17 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
08:21 < rjd_> just nu iaf haha
08:21 < rjd_> ops
08:47 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Remote host closed the connection]
08:55 < nelgin> This sucks I guess I'll find another solution.
09:01 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
09:15 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has quit [Ping timeout: 245 seconds]
09:15 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
09:19 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
09:20 <@dazo> nelgin: have anyone asked you why you want to do bridging?
09:23 < nelgin> dazo no, they have not.
09:23 < nelgin> I want to bridge because I need to broadcast on the network.
09:24 < nelgin> So I need to be on the same segment of network and allow broadcasting and other protocols.
09:24 <@dazo> nelgin: okay, then it's fine ... that's the right use case
09:25 <@dazo> (90% of users here does it because they think it is the quickest and simplest way to setup VPN)
09:25 < nelgin> Yup. I am getting a connection, because the server is giving an IP to the client, but that's as far as I can get.
09:25 <@dazo> users ... users coming here, I mean
09:25 < nelgin> Yeah, if I wanted quick and easy I'd go with routed.
09:25 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
09:25 <@dazo> now we're talking :)  .... okay, good to know you know what you talk about :)
09:25 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has joined #openvpn
09:26 < nelgin> I generally know what I am doing, but in this case, I have no idea why I cannot get any further.
09:26 < nelgin> My first question, the br0 interface is 192.168.168.1 - This is the IP I put into the bridge-server line, right?
09:26 <@dazo> nelgin: yes ... that is correct ... the bridge device need to have the IP address
09:26 < nelgin> err server-bridge
09:26 < nelgin> server-bridge 192.168.168.1 255.255.255.0 192.168.168.130 192.168.168.140
09:26 < nelgin> That's what I have.
09:27 <@dazo> nelgin: but you need brctl to bridge the tap device and the eth device as well
09:27 < nelgin> [root@wibble openvpn]# brctl show
09:27 < nelgin> bridge name     bridge id               STP enabled     interfaces
09:27 < nelgin> br0             8000.00064f6386f0       no              eth1
09:27 < nelgin>                                                         tap0
09:27 < ecrist> gah, the pasting
09:27 < ecrist> !pb
09:27 <@vpnHelper> ecrist: "pb" is Use our pastebin to post configs and logs at http://openvpn.pastebin.ca rather than posting to the channel.
09:28 <@dazo> nelgin: perfect .... but listen to ecrist :)
09:28 < nelgin> Chill dude, if there were other people needing help then I'd do pn.
09:28 < nelgin> err pb
09:28 < nelgin> but if you insist.
09:28 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
09:28 < ecrist> thanks. :)
09:28 <@dazo> nelgin: I'd probably recommend then to use tcpdump to see if you see the traffic from VPN flowing or not
09:30  * dazo brb 
09:30 < nelgin> I only need to look on port 1194 for vpn traffic, right?
09:31 < ecrist> yes, if that's the port your vpn is running on
09:31 < ecrist> if you want to see the encrypted traffic.
09:31 < nelgin> Yup, and there's nothing I need to do eith the external IP address right?
09:31 < ecrist> nelgin: silly question, but is br0 'up'?
09:32 < nelgin> Yes, it is.
09:35 <@vpnHelper> RSS Update - forum: Server Administration :: Fijitsu Celvin Q700 :: Author lardon03x <https://forums.openvpn.net/viewtopic.php?f=4&t=7334&p=8573#p8573>
09:39 < nelgin> http://openvpn.pastebin.ca/2005744
09:39 <@vpnHelper> RSS Update - pastebin: nelgin <http://pastebin.ca/2005744>
09:39 -!- luneff [~yury@84.51.195.188] has joined #openvpn
09:41 -!- Napsi [~Napsi@ti0210a340-0957.bb.online.no] has quit []
09:45 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
09:48 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 265 seconds]
09:54 -!- mrb__ [~mrb@178.171.133.151] has quit [Ping timeout: 245 seconds]
09:56 < nelgin> I'm not seeing any traffic on the eth1 or br0 interfaces 
09:57 < nelgin> only internal network connections, nothing from the vpn.
09:58 -!- mrb [~mrb@178.171.133.151] has joined #openvpn
10:01 -!- earwax is now known as WormFood
10:03 <@dazo> nelgin: that can almost sound like you have some firewall issues on the client side ...
10:04 <@dazo> have you tried tcpdump on the tap interface as well?
10:04 < nelgin> Hmm nope.
10:04 < nelgin> I can telnet to 71.252.xxx.xx from the PC to port 1194 on the linux box.
10:04 < nelgin> fwiw
10:05 < nelgin> nothing on tap0
10:05 <@dazo> and routing tables are sensible?
10:05 <@dazo> on the client side?
10:06 < nelgin> Yup.
10:06 < nelgin> I have a route to 192.168.168.0 using 192.168.168.1 as the gw
10:08 <@dazo> gw being the tap interface?
10:08 < nelgin> hmm
10:09 < nelgin> The local tap device should be 192.168.168.130 - is that what should be there?
10:09 <@dazo> that's a sensible value for me ... that makes the server's tap device 192.168.168.1
10:09 <@dazo> but when you telnet to the linux box ... you don't hit the tunnel .... when I meant firewall, I meant the firewalling on the tap device on the client
10:09 < nelgin> Correct, well, that's the ip on br0
10:09 <@dazo> yeah, of course
10:10 <@dazo> my mistake :)
10:10 < nelgin> If I ssh to 192.168.168.1 then I get nothing
10:10 <@dazo> so you see absolutely nothing on the tap0 device using tcpdump on the server or the client if try telnet or ping?
10:11 < nelgin> Let me see if I can figure out which device is the tap device on the windows box. windump doesn't help much.
10:11 -!- boswarrior1 [~mrnice@78.142.173.114] has quit [Quit: Ex-Chat]
10:12 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
10:14 < nelgin> Hmm, windump isn't seeing the tap device, it seems.
10:31 -!- nelgin [~nigelreed@static-71-252-202-194.dllstx.fios.verizon.net] has quit [Ping timeout: 260 seconds]
10:47 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined #openvpn
10:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
10:55 -!- krzie [~k@openvpn/community/support/krzee] has quit [Ping timeout: 260 seconds]
10:58 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
10:58 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has joined #openvpn
10:59 < mikey_w> When I connect to my openvpn server my defaut route is no set to tun0.  Any ideas?
11:01 -!- blink [~blink@reality.is-after.me] has joined #openvpn
11:02 < blink> hi, I've set up a VPN on a box that has 3 public IPs on a single physical interface, but I want to do NAT on the 10.8.0.0/24 network to a specific IP; it's an alias so iptables is giving me a warning
11:05 < blink> though not strictly a openvpn problem (it works wonderfully), I was hoping somebody might be able to prod me in the right direction. thanks.
11:07 < mikey_w> Connecting to an acevpn server sets the default route properly?
11:08 < ecrist> mikey_w: did you configure it to change your default route?
11:08 < ecrist> !def1
11:08 <@vpnHelper> ecrist: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
11:15 < mikey_w> openvpn --redirect-gateways def1 client1.ovpn Options error: Unrecognized option or missing parameter(s) in [CMD-LINE]:1: redirect-gateways (2.1.0)
11:15 < mikey_w> Use --help for more information.
11:16 < mikey_w> ecrist, get an error?
11:19 < ecrist> mikey_w: the arguement is --redirect-gateway  not --redirect-gateways
11:19 < mikey_w> Tried that too.
11:20 < ecrist> and what was the error
11:20 -!- nebzz [~patel@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Quit: ircN 8.00 for mIRC (20080809) - www.ircN.org]
11:22 < mikey_w> sudo openvpn --redirect-gateway def1 client1.ovpn Options error: unknown --redirect-gateway flag: client1.ovpn
11:23 < ecrist> did you read the error?
11:23 < ecrist> try
11:23 < ecrist> sudo openvpn --redirect-gateway def1 --config client1.ovpn
11:30 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has quit [Ping timeout: 240 seconds]
11:43 -!- nigelreed [~nigelreed@static-71-252-202-194.dllstx.fios.verizon.net] has joined #openvpn
11:43 -!- nigelreed is now known as nelgin
11:43 < nelgin> Back again. Sorry, I tried something on openvpn and screwed my remote connection up.
11:46 -!- nixfloyd [~floyd@host-static-89-41-107-223.moldtelecom.md] has quit [Read error: Connection reset by peer]
11:47 -!- nelgin [~nigelreed@static-71-252-202-194.dllstx.fios.verizon.net] has quit [Client Quit]
11:49 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has quit [Ping timeout: 265 seconds]
11:52 -!- pushpop [~marc@pool-173-77-222-236.nycmny.fios.verizon.net] has joined #openvpn
12:02 < reiffert> iivfriofrviomfr
12:28 -!- unspin [~unspin@S0106001451226d9c.vc.shawcable.net] has joined #openvpn
12:58 <@vpnHelper> RSS Update - forum: Server Administration :: Re: what is the server parameter :: Reply by george <https://forums.openvpn.net/viewtopic.php?f=4&t=7328&p=8574#p8574>
13:01 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
13:04 <@vpnHelper> RSS Update - forum: Server Administration :: local parameter is not working in client mode :: Author kerozcak <https://forums.openvpn.net/viewtopic.php?f=4&t=7335&p=8575#p8575>
13:05 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
13:07 -!- fbsec [~fb@38.108.126.158] has joined #openvpn
13:09 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
13:12 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
13:18 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has joined #openvpn
13:19 -!- cpm_ [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
13:19 -!- cpm_ [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
13:19 -!- cpm_ [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
13:25 -!- dellboy [~dellboy@109-92-87-78.dynamic.isp.telekom.rs] has joined #openvpn
13:25 < dellboy> Hello
13:25 < blink> I've configured a client and a server, and I want all traffic on the 10.8.0.0/24 network to egress an ip alias on an interface so I've run the following
13:26 < blink> iptables -A POSTROUTING -t nat -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 94.23.153.###
13:26 -!- nelgin [~nigelreed@static-71-252-202-194.dllstx.fios.verizon.net] has joined #openvpn
13:26 < blink> I've set def1 so that all traffic enters the VPN
13:26 < ecrist> congrats.
13:26 < ecrist> :)
13:27 < blink> but the client can only ping 10.8.0.1 and 94.23.153.###; everything else seems to die
13:27 < dellboy> Has anyone problems with Windows 7 Ultimate (64bit) and OpenVPN 2.1.4 version? I get 'Win32 TAP device driver failed
13:27 < blink> ecrist: I wish, I'm close but no cigar yet
13:27 -!- cpm_ [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm_]
13:28 < nelgin> blink, lucky you, I can't ping anything stiff :/
13:28 < dellboy> I can't even uninstall the network adapter as unknown device, the only way to revert is to use restore point
13:28 < ecrist> !configs
13:28 <@vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
13:28 < blink> is that directed at me?
13:29 < blink> !pb
13:29 <@vpnHelper> blink: "pb" is Use our pastebin to post configs and logs at http://openvpn.pastebin.ca rather than posting to the channel.
13:29 < nelgin> or me?
13:29 < dellboy> Sorry for interrupting the conversation :)
13:29 < ecrist> blink: you
13:29 < ecrist> dellboy: we've had no such reports of problems with OpenVPN 2.1.4
13:30 < dellboy> ecrist: it may have nothing to do with openVPN 2.1.4 version, I've tried several other version none of them worked
13:30 < blink> ecrist: I'm pretty sure this is more of a netfilter issue, my iptables-fu is weak
13:30 < ecrist> no idea, then.
13:31 < blink> kk
13:31 < dellboy> 2.1.3, 2.1 rc 15, rc 20
13:31 < ecrist> blink: that's my guess, too, but I'm not a linux guy.
13:31 < dellboy> ecrist: I have 2.1 rc 20 version working on my desktop machine, but I'm trying to install the version on laptop 
13:32 < dellboy> ecrist: dell inspiron n5010
13:32 < dellboy> and it constantly fails
13:32 < ecrist> dellboy: I have no clue.  I'm not a windows guy, and on the machines I've installed OpenVPN, it's not been an issue.
13:33 < dellboy> ecrist: do you have any suggestion where to reach help? I've tried everything, support tickets, mailing lists, google...
13:33 < ecrist> #windows?
13:33 < ecrist> otherwise, hang out here, someone is sure to know
13:34 < nelgin> dellboy, did you run the installer as administrator?
13:34 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
13:34 < dellboy> nelgin: yes
13:35 < nelgin> No idea then.
13:35 < dellboy> i turned off the UAC, windows defender, firewall, Avira... I even disabled driver signing
13:35 < nelgin> Turn off the laptop and install linux on it ;)
13:35 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving]
13:36 < dellboy> :) I wish I could feel the same way you are, but...
13:37 < dellboy> Is there anyone else with the simmilar problem?
13:39 < dellboy> I tried with live online support on openvpn.net, but they provide support only for the access server version
13:47 < dellboy> Anyone :) ...
13:50 -!- zroysch [~dongery@71.180.229.128] has joined #openvpn
13:50 < ecrist> dellboy: just wait a while.
13:55 -!- dazo is now known as dazo_afk
13:57 < Bushmills> dellboy: afaik, openvpn needs to run in 32 bit compatibility mode with XP under win7
13:57 < Bushmills> (that is, right click, properties, etc)
13:59 < dellboy> ok tnks
13:59 < Bushmills> also set it to "run as admin"
14:00 < Bushmills> and whie you're bus<y, heed:
14:00 < Bushmills> !winroute
14:00 <@vpnHelper> Bushmills: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
14:01 < dellboy> bushmills: is it important to run in compatibility mode with xp with some service pack? 1, 2, 3
14:01 < Bushmills> no idea
14:01 < dellboy> ok
14:06 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
14:11 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 260 seconds]
14:13 -!- unspin [~unspin@S0106001451226d9c.vc.shawcable.net] has quit [Ping timeout: 240 seconds]
14:15 < blink> is anybody here an iptables wiz?
14:17 < hyper_ch> blink: what do you need to konw?
14:18 < blink> I apparently need to SNAT; I've got a debian server with 3 IPs (2 of those are IP aliases, incompatible with NAT) and I want all traffic on 10.8.0.0/24 to egress one of those virtual IPs
14:18 < ecrist> !linnat
14:18 <@vpnHelper> ecrist: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
14:18 < blink> sorry, I keep saying virtual ip, I mean ip alias
14:18 < blink> I've read that, and used #2 to no effect
14:19 < hyper_ch> tried #lart ?
14:19 < blink> def1 is set as well, and the client can ping both 10.8.0.1 and the public IP I am to egress
14:19 < hyper_ch> or #iptables
14:19 < hyper_ch> not sure what the proper channel name is
14:19 < blink> I am in #netfilter as well
14:19 < hyper_ch> I think that's the one
14:20 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has quit [Read error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number]
14:20 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined #openvpn
14:26 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:41 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has quit [Ping timeout: 265 seconds]
14:46 -!- mrb [~mrb@178.171.133.151] has quit [Disconnected by services]
14:47 -!- mrb__ [~mrb@178.171.133.151] has joined #openvpn
14:52 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
14:54 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn
15:11 -!- dollabill [~mike@97.66.26.10] has quit []
15:13 -!- boswarrior [~mrnice@84.115.26.221] has joined #openvpn
15:13 -!- luneff [~yury@84.51.198.114] has joined #openvpn
15:14 -!- boswarrior is now known as boswarrior1
15:14 < blink> still doesn't work. bah.
15:14 -!- pihhan [~pihhan@pihhan.cipis.net] has joined #openvpn
15:18 -!- nelgin [~nigelreed@static-71-252-202-194.dllstx.fios.verizon.net] has quit [Quit: BitchX for president.]
15:23 -!- bitterman [~yury@84.51.198.114] has joined #openvpn
15:25 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
15:25 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
15:25 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
15:25 -!- luneff [~yury@84.51.198.114] has quit [Ping timeout: 265 seconds]
15:29 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
15:29 -!- zorzar_ is now known as zorzar__away
15:29 -!- zorzar__away [~zorzar@p4FFD11C3.dip.t-dialin.net] has quit [Quit: WeeChat 0.3.3]
15:32 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
15:52 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has joined #openvpn
15:52 -!- GrafeX [GrafeX@pool-173-62-217-189.phlapa.fios.verizon.net] has quit [Ping timeout: 255 seconds]
15:55 -!- zroysch [~dongery@71.180.229.128] has quit [Ping timeout: 245 seconds]
16:02 -!- bitterman [~yury@84.51.198.114] has quit [Quit: Leaving]
16:02 -!- Hamlin [~Hamlin@unaffiliated/hamlin] has quit [Remote host closed the connection]
16:03 -!- Hamlin [~Hamlin@unaffiliated/hamlin] has joined #openvpn
16:06 -!- s7r [~s7r@89.39.174.74] has joined #openvpn
16:21 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
16:25 -!- dellboy [~dellboy@109-92-87-78.dynamic.isp.telekom.rs] has quit [Ping timeout: 245 seconds]
16:36 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has quit [Ping timeout: 245 seconds]
16:38 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
16:41 -!- boswarrior1 [~mrnice@84.115.26.221] has quit [Quit: Ex-Chat]
16:48 -!- le0 [~fin@82.132.139.63] has joined #openvpn
16:48 -!- le0 [~fin@82.132.139.63] has quit [Changing host]
16:48 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
16:49 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has joined #openvpn
16:51 -!- dellboy [~dellboy@93-86-87-243.dynamic.isp.telekom.rs] has joined #openvpn
16:52 < dellboy> Is there anyone experiencing problem with OpenVPN and Avira? TAP device driver could not be installed...
16:53 < ecrist> nope
16:53 < ecrist> still
16:53 < ecrist> :)
16:54 < dellboy> can firewall or any kind of antivirus prevent installation TAP win-32 virt. network adapter?
16:54 < ecrist> in theory, yes
16:55 < dellboy> They are considered as a kind of malware or spyware...
16:55 < dellboy> i suppose
17:04 -!- mrb__ [~mrb@178.171.133.151] has quit [Remote host closed the connection]
17:07 < reiffert> missing rights?
17:11 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
17:28 -!- atan2 [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
17:29 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
17:30 -!- atan3 [~atan@unaffiliated/atan] has joined #openvpn
17:30 -!- atan3 [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
17:34 -!- atan2 [~atan@unaffiliated/atan] has quit [Ping timeout: 260 seconds]
17:37 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:38 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
17:46 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has left #openvpn ["Leaving"]
17:48 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 245 seconds]
17:48 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
17:58 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
18:03 -!- legodude [~legodude@adsl-76-226-142-167.dsl.sfldmi.sbcglobal.net] has joined #openvpn
18:04 < legodude> hi everyone, I'm trying to follow: https://forum.openwrt.org/viewtopic.php?pid=8495 for a very simple  openvpn bridging config
18:04 <@vpnHelper> Title: OpenWrt / OpenVPN Howto (at forum.openwrt.org)
18:04 < legodude> the connection seems to go alright
18:04 < legodude> but I can't coonect to the remote network
18:11 < legodude> got it
18:39 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
18:41 -!- tdc [tdc@hemp.ircpimps.org] has joined #openvpn
18:41 < tdc> yo
18:43 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Client Quit]
18:45 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
18:45 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
18:45 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
18:51 -!- pihhan [~pihhan@pihhan.cipis.net] has quit [Quit: using sirc version 2.211+KSIRC/1.3.12]
18:51 -!- s7r [~s7r@89.39.174.74] has left #openvpn []
18:56 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 260 seconds]
18:58 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
18:59 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Read error: Connection reset by peer]
19:00 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
19:01 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Read error: Connection reset by peer]
19:02 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
19:10 -!- tdc [tdc@hemp.ircpimps.org] has quit [Quit: leaving]
19:14 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 272 seconds]
19:17 < ecrist> oy
19:17 -!- corretico [~corretico@201.201.44.82] has quit [Quit: Leaving]
19:18 < krzee> oi oi oi
19:20 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 240 seconds]
19:20 < |Mike|> krzee: jo
19:20 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
19:21 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
19:30 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 264 seconds]
19:43 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
19:47 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 260 seconds]
19:49 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
19:52 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
20:04 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 255 seconds]
20:32 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
21:09 -!- intralanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
21:12 -!- cron2 [~gert@openvpn/community/developer/cron2] has quit [Ping timeout: 250 seconds]
21:14 -!- intralanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Ping timeout: 265 seconds]
21:15 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
21:20 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 245 seconds]
21:20 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
21:22 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Excess Flood]
21:24 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
21:27 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Remote host closed the connection]
21:29 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Excess Flood]
21:30 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
21:32 <@vpnHelper> RSS Update - forum: Server Administration :: Setting TCP or UDP from the client side? :: Author TheMG <https://forums.openvpn.net/viewtopic.php?f=4&t=7336&p=8576#p8576>
21:33 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
21:48 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
21:52 -!- cron2 [~gert@kirk.greenie.muc.de] has joined #openvpn
21:54 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 245 seconds]
21:54 -!- Klem__ [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has quit [Ping timeout: 272 seconds]
21:54 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
21:56 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Setting TCP or UDP from the client side? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7336&p=8577#p8577>
21:59 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 245 seconds]
22:03 -!- Klem__ [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has joined #openvpn
22:08 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: Password OpenvpnGUI :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=15&t=7332&p=8578#p8578>
22:16 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:37 -!- jwm [jwm@dev.dist.us] has joined #openvpn
22:37 < jwm> kind of a network question here
22:37 < jwm> I'm using a mac to openvpn to my server across the internet
22:37 < jwm> I set a private ip range of 10.0.0.x
22:37 < jwm> my home lan uses 192.168.1.x
22:38 < jwm> I'd like computers other than the mac to be able to access 10.0.0.x (vpn machines)
22:38 < jwm> can I setup a route on my linksys router to do this?
22:39 < jwm> I'm using tap btw
22:46 < jwm> I guess I have to do ipforwarding on the mac
22:46 < jwm> and add routes on each computer on my lan I want to access the different vpn lan
23:09 < rjd_> I the router has a route to the remote net, then you would not have to add the routes on the other computers
23:09 < rjd_> I think
23:12 -!- intralanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
23:13 -!- cron2 [~gert@kirk.greenie.muc.de] has quit [Ping timeout: 260 seconds]
23:21 -!- cron2 [~gert@kirk.greenie.muc.de] has joined #openvpn
23:53 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
23:56 < krzie> jwm, why are you using tap?
23:56 < krzie> and are you bridging?
23:56 < krzie> if it is a routed setup i can help you
23:56 < krzie> if it is a bridge, i cannot
--- Day changed Tue Nov 30 2010
00:02 <@vpnHelper> RSS Update - forum: Configuration :: Re: new server hardware :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7310&p=8579#p8579>
00:04 -!- kaushal [~kaushal@125.22.61.162] has joined #openvpn
00:04 < kaushal> hi
00:04 < kaushal> I have started openvpn client as daemon mode. I get these errors in daemon.log file http://pastebin.ubuntu.com/538205/ 
00:04 < kaushal> please suggest/guide
00:05 < krzie> your config is making use of the update-resolv-conf script to add DNS servers given by your server
00:05 < krzie> it is giving an error
00:05 < krzie> have you added the resolvconf package to your system? it is used by that script
00:05 < kaushal> krzie: yeah
00:08 <@vpnHelper> RSS Update - forum: Installation Help :: Re: site-to-site MTU issues??? :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=5&t=7325&p=8580#p8580>
00:09 -!- kaushal [~kaushal@125.22.61.162] has quit [Quit: leaving]
00:26 -!- intralanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Ping timeout: 255 seconds]
00:38 -!- atan2 [~atan@unaffiliated/atan] has quit [Read error: Operation timed out]
00:41 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
00:48 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Ping timeout: 245 seconds]
00:51 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:23 -!- sigi__ [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
01:24 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has quit [Quit: Leaving]
01:24 -!- sigi__ [~sigius@93-125-185-45.dsl.alice.nl] has quit [Client Quit]
01:24 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
01:24 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
01:29 -!- DarthGandalf [somebody@shellium/developer/darthgandalf] has quit [Ping timeout: 252 seconds]
01:30 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
01:37 -!- DarthGandalf [somebody@shellium/developer/darthgandalf] has joined #openvpn
02:02 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Read error: Operation timed out]
02:08 -!- kaushal [~kaushal@125.22.61.162] has joined #openvpn
02:08 < kaushal> krzie: hi again
02:11 < kaushal> please suggest me about http://pastebin.ubuntu.com/538218/
02:22 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:23 < krzie> ahh network manager
02:23 -!- dazo_afk is now known as dazo
02:23 < krzie> you arent using that to start openvpn, are you?
02:23 < krzie> if so, try starting it via commandline instead
02:23 < krzie> !ubuntu
02:23 <@vpnHelper> krzie: "ubuntu" is dont use network manager!
02:26 <@vpnHelper> RSS Update - forum: Configuration :: Bridge Ubuntu server under VMware :: Author makkon <https://forums.openvpn.net/viewtopic.php?f=6&t=7337&p=8581#p8581>
02:29 < katoen> is it possible to have a client function as a default gw for other clients?
02:31 < krzie> not sure
02:31 < krzie> why not just make that the server...
02:31 <@dazo> katoen: yeah, the tunnel itself is bi-directional.  What defines client and server is who is listening and who is connecting to the server ... but its probably just more tricky to configure
02:33 < krzie> route-gateway would be the static vpn ip of the client i guess
02:34 < krzie> then redirect-gateway may do it for you
02:34 < krzie> but ive never tried it
02:34 <@dazo> I think there's a keyword for doing that ... redirect-gateway won't work, as this needs to be done after the client has connected
02:35 <@dazo> actually, you need to do some scripting setting up routes via a --client-connect hook
02:35 <@dazo> until that point, there's no VPN tunnel to push anything to
02:36 <@dazo> (the keyword for --route would be vpn_gateway ... but that works only inside OpenVPN and not in scripts)
02:39 < krzie> but wouldnt route-gateway set the gateway for adding other routes?
02:39 < krzie> ohh right nevermind
02:39 <@dazo> I don't think that would work on the server side ;-)
02:39 < krzie> im not sure if hes concerned about the server's route, but rather the other clients
02:40 < krzie> if on routed tap maybe they could just route straight through
02:42 <@dazo> the clients in the server LAN need to route via VPN gateway (unless the default GW is also the OpenVPN server, then nothing changes) ... on the LAN of the ovpn client, they need to know the routes to push to the server side LAN
02:42 <@dazo> I don't think tun or tap mode matters much, it's just pure routing, isn't it?
02:45 < rjd_> I agree, tun will work just as well if he routes his local client on the vpn client machine
02:47 < krzie> i was just thinking that clients could add routes using other clients as their gateway if on tap
02:48 < krzie> but i have not tested this
02:48 < krzie> wouldnt you be able to arp the gateway ip still?
02:49 < krzie> or can you only arp the server when not on a bridge...?
02:49 < katoen> interesting! thanks for your answers
02:50 <@dazo> I've not thought about the arp stuff ... but you can only arp the local network ... you need a bridge to do cross-sites, afaik
02:50 < krzie> definitely if going to the lan of the server
02:50 < krzie> but if just going to a client, i dunno
02:52 <@dazo> I don't think openvpn cares much about arp in general, so using a routed setup in tun or tap, will not do much ... but when bridging, the arp traffic will go through the tunnel, due to the nature of the bridge (unless the bridge filters it out)
02:53  * dazo don't recall having seen any real arp related code in openvpn
02:53 < krzie> so i would assume arp would flow to another client (when using --client-to-client over a routed tap)
02:53 < krzie> if so, a client can have a route that uses another client as the gateway
02:54 <@dazo> I'm not sure you can even mix --client-to-client and tap .... I think client-to-client only works with tun ...
02:54  * dazo don't recall exactly though
02:55 < krzie>  
02:55 < krzie> Because the OpenVPN server mode handles multiple clients through a single tun or tap interface, it is effectively a router. The --client-to-client flag tells OpenVPN to internally route client-to-client traffic rather than pushing all client-originating traffic to the TUN/TAP interface.
02:55 <@dazo> yeah, but JJK had some notes about that in his book
02:56 < krzie> ahh
02:56 <@dazo> and I've not gotten --client-to-client to work properly with --dev tap either ... in fact, it broke things partly
02:56 < krzie> i remember reading something... guess i should check it out again
02:56 <@dazo> :)
02:56 < krzie> damn i still have a little to finish
02:57 < krzie> im so bad
02:57 <@dazo> I think this might be due to the lack of proper arp support inside openvpn 
02:57 < krzie> ibut why should openvpn care what the traffic is?
02:57 <@dazo> yeah, I'm bad as well ... after I heard what you do .... I'm simply ignoring the deadlines and take them asap
02:57 < krzie> omg theres still more chapters!?
02:58 < krzie> which are you on?
02:58 <@dazo> krzie: I'm on 12 now, my last one I thought ... until another chapter appeared again, so I need to check out that again
02:58 < krzie> haha
02:58 < krzie> shit, thats a lot
02:59 <@dazo> krzie: [arp] OpenVPN needs to properly tell the kernel about things ... so that it knows which TAP MAC addresses are where
02:59  * krzie needs a vacation
02:59 < krzie> ohhh
02:59  * dazo needs 48 hour days
02:59 < krzie> like a layer2 version of the internal routing table
03:00 <@dazo> yeah, that's my understanding of it ... but I'm no expert, I'm just resonating from what I know and learnt so far :)
03:00 <@dazo> (and by reading the source code)
03:00 < krzie> hrm, i would think arp would be broadcasted, and then ip communication would work
03:01 < krzie> but maybe not
03:01 < krzie> will have to play with that sometime
03:01 <@dazo> :)
03:01 < krzie> hey hey, a multi-headed hydra of vpnchains
03:02 < krzie> change the chain you go over by changing the cert you use to connect in
03:02 <@dazo> arp can be broadcasted if you have a arp daemon running to do so ... otherwise, it's only broadcasted on the local network, and if no response - the traffic goes via the proper gateway (defined in the routing table)
03:02 < krzie> ccd entries to decide the client you route out of
03:03 < krzie> ahh ok, well that should be enough to allow a client to use another client as the gateway for routes
03:03 <@dazo> yeah
03:03 < krzie> while the server keeps its normal connection to the inet
03:14 -!- dazo is now known as dazo_afk
03:16 -!- kaushal [~kaushal@125.22.61.162] has quit [Quit: leaving]
03:17 -!- dazo_afk is now known as dazo
03:29 -!- mape2k [~jabber@galatea.net.pennewiss.de] has joined #openvpn
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
03:44 -!- meepmeep_ [meepmeep@there-is-no.endoftheinternet.org] has quit [Quit: Yippee-kay-yay]
03:45 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn
03:47 -!- master_of_master [~master_of@p57B54CDF.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
03:49 <@vpnHelper> RSS Update - forum: Forum & Website Support :: Re: No VPN access for client overnight :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=30&t=7311&p=8582#p8582>
03:49 -!- master_of_master [~master_of@p57B5537A.dip.t-dialin.net] has joined #openvpn
03:50 < krzie> hey dazo what were those settings you mentioned in the meeting in regards to a ticket saying there was a hardcoded frame size or something of that nature
03:50 < krzie> it was blocking his speed and leading to cacheing network to disk
03:50 <@dazo> krzie: --sndbuf and --rcvbuf
03:50 < krzie> thanx
03:50 <@dazo> they are 64KB as default, max is 1.000.000
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:52 < krzie> thanx
03:55 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Data output :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7314&p=8583#p8583> || Installation Help :: Re: Getting started on Hyper-V :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=5&t=7315&p=8584#p8584>
03:56 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
03:58 < krzie> http://www.hanksoft.de/service/46-udpbroadcastforwarder
03:58 <@vpnHelper> Title: hanksoft | UDPBroadcastForwarder (at www.hanksoft.de)
04:01 <@vpnHelper> RSS Update - forum: Server Administration :: Re: --client-config-dir problems :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7326&p=8585#p8585>
04:05 < krzie> !/30
04:05 <@vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
04:13 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Client cant see together :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7333&p=8586#p8586> || Server Administration :: Re: Fijitsu Celvin Q700 :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7334&p=8587#p8587> || Server Administration :: Re: local parameter is not working in client mode :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7335&p=8
04:14 -!- cron2 [~gert@kirk.greenie.muc.de] has quit [Changing host]
04:14 -!- cron2 [~gert@openvpn/community/developer/cron2] has joined #openvpn
04:17 -!- common- [~common@p5DDA4977.dip0.t-ipconnect.de] has joined #openvpn
04:21 -!- common [~common@p5DDA4AD7.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds]
04:21 -!- common- is now known as common
04:38 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
04:38 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
04:40 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
04:42 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
04:45 -!- atan2 [~atan@unaffiliated/atan] has quit [Ping timeout: 255 seconds]
05:00 < krzie> i can pipe them right into a while statement... a technique i found from a script i wrote before... you had helped me with that part =]
05:00 < krzie> meh, wrong win
05:08 -!- d457k [~heiko@vpn.astaro.de] has quit [Remote host closed the connection]
05:09 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has quit [Ping timeout: 265 seconds]
05:10 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined #openvpn
05:20 -!- s7r [~s7r@212.78.230.226] has joined #openvpn
05:31 -!- _zero_ [~zero@noc.toile-libre.net] has quit [Ping timeout: 260 seconds]
05:31 -!- _zero_ [~zero@noc.toile-libre.net] has joined #openvpn
05:59 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
06:01 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:23 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
06:37 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has joined #openvpn
06:37 < Sushiyant> how i can fix this error TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
06:38 <@dazo> Sushiyant: "certificate verify failed" that's your real issue
06:39 < Sushiyant> dazo: No
06:39 <@dazo> Either your client certificate is signed by the wrong CA ... or the CA certificate on the client or server is not matching the CA certificate of the CA who signed the client or server certificate
06:40 <@dazo> Sushiyant: I'm telling you, you got trouble with your SSL certificate ... or else you wouldn't see that error
06:41 < krzie> yup
06:41 < |Mike|> morning
06:41 < krzie> !certverify
06:42 < Sushiyant> dazo: it my problem http://pastebin.ca/2006677
06:42 <@vpnHelper> krzie: "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
06:42 < theDoc> What dazo said.
06:46 <@dazo> error=certificate is not yet valid
06:46 <@dazo> Sushiyant: check the date fields of your certificates
06:46 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 260 seconds]
06:46 <@dazo> Sushiyant: and check that the clock is correct on your boxes
06:47 < Sushiyant> dazo: yes it true
06:47 <@dazo> Your log file says Sat Oct 30 16:10:36 .... I believe you're one month behind
06:47 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Read error: Operation timed out]
06:48 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
06:49 -!- boswarrior1 [~mrnice@78.142.173.114] has joined #openvpn
06:49 <@dazo> lol ... http://xkcd.org/827/ 
06:49 <@vpnHelper> Title: xkcd: Business Idea (at xkcd.org)
06:57 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has quit [Quit: Leaving]
07:01 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 245 seconds]
07:04 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has joined #openvpn
07:21 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
07:23 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
07:27 -!- joako [~joako@99-153-162-173.lightspeed.miamfl.sbcglobal.net] has joined #openvpn
07:27 -!- joako [~joako@99-153-162-173.lightspeed.miamfl.sbcglobal.net] has quit [Changing host]
07:27 -!- joako [~joako@opensuse/member/joak0] has joined #openvpn
07:32 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Read error: Connection reset by peer]
07:33 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
07:38 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has joined #openvpn
07:39 < Sushiyant> dazo:I fixed it but i now have problem with connent from my country to it 
07:40 <@dazo> Sushiyant: good! ... well, logs and configs are needed for people here to help then
07:40 <@dazo> !logs
07:40 <@vpnHelper> dazo: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin
07:40 <@dazo> !configs
07:40 <@vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
07:40 <@dazo> !pb
07:40 <@vpnHelper> dazo: "pb" is Use our pastebin to post configs and logs at http://openvpn.pastebin.ca rather than posting to the channel.
07:40 <@dazo> Sushiyant: ^^^  (read carefully all these references)
07:41  * dazo disappears for a while, but is confident more people here can help
07:46 < Sushiyant> dazo: server config : http://openvpn.pastebin.ca/2006711 & client conf: http://openvpn.pastebin.ca/2006712
07:46 <@vpnHelper> RSS Update - pastebin: Unnamed <http://pastebin.ca/2006712> || Someone <http://pastebin.ca/2006711>
07:48 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
08:15 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has quit [Ping timeout: 260 seconds]
08:15 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has joined #openvpn
08:20 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has quit [Ping timeout: 245 seconds]
08:21 -!- Sushiyant [~hamed@91.99.198.184] has joined #openvpn
08:21 -!- Sushiyant [~hamed@91.99.198.184] has quit [Changing host]
08:21 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has joined #openvpn
08:21 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
08:33 -!- rjd_ [~rjd@212.112.31.11] has quit [Ping timeout: 245 seconds]
08:36 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has quit [Ping timeout: 240 seconds]
08:36 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has joined #openvpn
08:38 -!- jimbauwens [~jim@d51538A12.access.telenet.be] has joined #openvpn
08:38 < jimbauwens> Thank you guys for having a irc channel :)
08:42 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
08:42 < jimbauwens> I have setup a vpn using openvpn, but I'm trying to access the web through it, and that does not work. What is the best way to do this, routing or bridging. 
08:46 <@vpnHelper> RSS Update - forum: Server Administration :: Re: local parameter is not working in client mode :: Reply by kerozcak <https://forums.openvpn.net/viewtopic.php?f=4&t=7335&p=8589#p8589>
08:46 < Bushmills> routing, with
08:46 < Bushmills> !redirect
08:46 <@vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
08:47 < Bushmills> alternatively, for web only, run a web proxy on vpn server, and tell web browser to use that proxy
08:47 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has quit [Ping timeout: 264 seconds]
08:47 -!- Sushiyant [~hamed@178.162.136.41] has joined #openvpn
08:47 -!- Sushiyant [~hamed@178.162.136.41] has quit [Changing host]
08:47 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has joined #openvpn
08:47 < jimbauwens> Ok, thanks
08:48 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has joined #openvpn
08:49 < jimbauwens> I have push "redirect-gateway def1" in my config, and IP forwarding is turned on, and tried to nat tun0 to eth1, but it doesn't work. I use iptables to do the nat
08:49 < ecrist> !linnat
08:49 <@vpnHelper> ecrist: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
08:50 < Bushmills> where is "my config"? server or client?
08:50 < jimbauwens> Eh, server, sorry :)
08:50 < Bushmills> what OS on client?
08:51 < jimbauwens> Linux (ubuntu)
08:51 < Bushmills> should be fine then. that's all you need.
08:51 < jimbauwens> ok, thanks i'll try using what vpnHelper gave
08:51 < Bushmills> provided your WAN interface is eth1
08:52 < jimbauwens> Yep, eth1 is wan
08:52 < Bushmills> http://scarydevilmonastery.net/masq
08:52 < jimbauwens> ok, ill try that :)
08:52 < jimbauwens> thanks
08:53 < jimbauwens> Mynet is the ip range on the vpn network, isn't it
08:53 < Bushmills> make sure your problem is not a name server problem
08:53 < jimbauwens> no, it's not a nameserver problem, tried going to google using the ip, but also that didn't work
08:56 < Sushiyant> are any body a slovetion to connect openvpn server from Iran 
08:57 -!- mape2k [~jabber@galatea.net.pennewiss.de] has quit [Quit: Leaving.]
09:03 < jimbauwens> The wan network is 81.83.xx.xx, and the vpn network is 10.8.xx.xx . Could this be a problem
09:03 < jimbauwens> ?
09:03 < ecrist> nope
09:03 < ecrist> unless you're not routing correctly
09:04 < jimbauwens> Shall I pastebin my config?
09:04 < jimbauwens> (server config)
09:04 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has quit [Ping timeout: 240 seconds]
09:05 < Bushmills> client route to pastebin (and server route too) would be more informative
09:06 < jimbauwens> On the client i connect using the network manager, just using the ip from the server
09:06 < blink> anybody familiar with SNAT'ing 10.8.0.0/24 to an ip alias?
09:07 < ecrist> !linnat
09:07 <@vpnHelper> ecrist: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
09:07 < blink> yeah, did that yesterday, #netfilter help wasn't much assistance
09:07 < blink> I am doing #2, yes.
09:07 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 240 seconds]
09:07 < blink> the packets get to the ip alias via ping and traceroute, beyond that, nothing.
09:08 < blink> so the tunnel works as intended
09:08 < jimbauwens> bushmill, I'm using  #1 of !linnat for the server
09:10 < jimbauwens> I have to go now.. 
09:10 -!- jimbauwens [~jim@d51538A12.access.telenet.be] has quit [Quit: bye]
09:15 -!- phusion__ [psn@2607:f0d0:2001:8b::50:1337] has quit [Read error: Operation timed out]
09:17 -!- Sushiyant [~hamed@91.99.198.184] has joined #openvpn
09:17 -!- Sushiyant [~hamed@91.99.198.184] has quit [Changing host]
09:17 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has joined #openvpn
09:19 -!- jimbauwens [~jim@d51538A12.access.telenet.be] has joined #openvpn
09:20 < jimbauwens> Bushmills, my openvpn-status.log shows : 10.8.0.6,jam,81.83.138.xx:48549,Tue Nov 30 16:12:44 2010
09:20 < jimbauwens> So, it connects good
09:21 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
09:21 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
09:22 < jimbauwens> pastebin of the log: http://pastebin.com/FJjbzfYt
09:22 < jimbauwens> I used iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERAD
09:23 < jimbauwens> eth1 is connected to the www
09:26 < jimbauwens> it works
09:26 < jimbauwens> IT WORKS, YEAHA
09:27 < jimbauwens> forgot to enable comp-lzo on my client...
09:27 < jimbauwens> Thanks everyone!
09:27 < jimbauwens> You all rock
09:30 < jimbauwens> Thanks Bushmills, ecrist,vpnHelper, and all others
09:33 < ecrist> np
09:33 < ecrist> !tell jimbauwens you're welcome
09:33 < ecrist> :)
09:36 -!- jimbauwens [~jim@d51538A12.access.telenet.be] has quit [Ping timeout: 265 seconds]
09:36 -!- boswarrior1 [~mrnice@78.142.173.114] has quit [Quit: Ex-Chat]
09:37 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has quit [Ping timeout: 255 seconds]
09:37 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has joined #openvpn
09:40 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
09:42 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has quit [Ping timeout: 265 seconds]
09:42 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has joined #openvpn
09:47 < ecrist> !shaper
09:47 <@vpnHelper> ecrist: Error: "shaper" is not a valid command.
09:50 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
09:55 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Data output :: Reply by dashpilot79 <https://forums.openvpn.net/viewtopic.php?f=4&t=7314&p=8590#p8590>
09:55 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has quit [Ping timeout: 240 seconds]
10:01 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has joined #openvpn
10:02 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Read error: Operation timed out]
10:05 -!- s34n [~chatzilla@ip-208-76-93-125.mvdsl.com] has quit [Remote host closed the connection]
10:10 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has quit [Ping timeout: 255 seconds]
10:10 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
10:11 -!- noisebleed [~quassel@piggy.inescn.pt] has joined #openvpn
10:11 -!- noisebleed [~quassel@piggy.inescn.pt] has quit [Changing host]
10:11 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
10:15 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
10:16 -!- [intra]lanman [~lanman@12.200.95.45] has joined #openvpn
10:16 -!- [intra]lanman [~lanman@12.200.95.45] has quit [Changing host]
10:16 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
10:28 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has joined #openvpn
10:36 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
10:38 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:43 -!- freaky[t] [alpha@freakyy.de] has joined #openvpn
10:55 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined #openvpn
11:10 -!- rasengan [~rasengan@unaffiliated/rasengan] has joined #openvpn
11:16 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has quit [Ping timeout: 240 seconds]
11:16 -!- dellboy [~dellboy@93-86-87-243.dynamic.isp.telekom.rs] has left #openvpn []
11:16 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has joined #openvpn
11:18 -!- dellboy [~dellboy@93-86-87-243.dynamic.isp.telekom.rs] has joined #openvpn
11:21 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has quit [Ping timeout: 264 seconds]
11:28 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has quit [Ping timeout: 255 seconds]
11:41 -!- unspin [~unspin@S0106001451226d9c.vc.shawcable.net] has joined #openvpn
11:54 -!- dellboy [~dellboy@93-86-87-243.dynamic.isp.telekom.rs] has quit [Ping timeout: 265 seconds]
11:56 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
11:58 -!- dellboy [~dellboy@109-93-245-57.dynamic.isp.telekom.rs] has joined #openvpn
12:02 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Quit: I am off]
12:03 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
12:17 -!- s34n [~chatzilla@ip-208-76-93-125.mvdsl.com] has joined #openvpn
12:24 -!- markus_ [~markus@c83-250-33-131.bredband.comhem.se] has quit [Ping timeout: 255 seconds]
12:24 <@vpnHelper> RSS Update - forum: Server Administration :: Client to other client behind subnet :: Author kid.xiyang <https://forums.openvpn.net/viewtopic.php?f=4&t=7338&p=8591#p8591>
12:25 -!- krzie [~k@openvpn/community/support/krzee] has quit [Remote host closed the connection]
12:28 -!- rasengan [~rasengan@unaffiliated/rasengan] has left #openvpn ["WeeChat 0.3.2"]
12:35 -!- p3rror [~mezgani@41.248.107.242] has joined #openvpn
12:54 -!- dazo is now known as dazo_afk
12:57 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
12:57 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
13:02 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Quit: No Ping reply in 90 seconds.]
13:02 -!- unspin [~unspin@S0106001451226d9c.vc.shawcable.net] has quit [Quit: Leaving]
13:04 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
13:30 -!- s7r [~s7r@212.78.230.226] has left #openvpn []
13:40 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
13:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
13:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
13:45 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 276 seconds]
13:46 -!- Essobi [~Essobi@74-128-53-127.dhcp.insightbb.com] has joined #openvpn
14:01 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has joined #openvpn
14:03 < Essobi> Howdy.
14:11 < Essobi> Has anyone looked at building OpenVPN with FIPS compliance?
14:18 < hyper_ch> whats fips compliance?
14:20 < Essobi> http://en.wikipedia.org/wiki/FIPS_140-2
14:20 <@vpnHelper> Title: FIPS 140-2 - Wikipedia, the free encyclopedia (at en.wikipedia.org)
14:20 < Essobi> Basically, it's a certified cryptographic module, that is available from openSSL.
14:21 < hyper_ch> krzee: some crypto stuff for you http://www.theregister.co.uk/2010/11/30/canon_verification_cracked/
14:21 <@vpnHelper> Title: Cryptographers crack system for verifying digital images • The Register (at www.theregister.co.uk)
14:24 < Essobi> I knew I recognized that name.. that's the company they tried to give 25 years to for DMCA for the Adobe password crack.
14:26 -!- phusion__ [psn@2607:f0d0:2001:8b::50:1337] has joined #openvpn
14:27 -!- dellboy [~dellboy@109-93-245-57.dynamic.isp.telekom.rs] has quit [Ping timeout: 260 seconds]
14:29 < hyper_ch> :)
14:30 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
14:31 -!- dellboy [~dellboy@109-93-134-119.dynamic.isp.telekom.rs] has joined #openvpn
14:31 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 255 seconds]
14:31 -!- dellboy [~dellboy@109-93-134-119.dynamic.isp.telekom.rs] has left #openvpn []
14:33 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:35 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Routing Questions :: Reply by ExEric3 <https://forums.openvpn.net/viewtopic.php?f=4&t=7306&p=8592#p8592>
14:36 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
14:40 -!- thear [~thear@74-92-245-225-Utah.hfc.comcastbusiness.net] has joined #openvpn
14:41 < thear> is there an openvpn client for iphone (without a jailbroken phone)?
14:41 < hyper_ch> people still buy iPhones?
14:41 < thear> :-)
14:41 < thear> I have an HTC Evo, but my coworkers have iPhones
14:42 < hyper_ch> poor you... you have zombies for coworkers :(
14:44 < thear> haha :-D
14:47 -!- mikey_w [~mike@178.162.174.69] has joined #openvpn
14:48 < mikey_w> Why is it best to use separate client keys with openvpn?
14:49 < ecrist> mikey_w: because you can revoke one and not have to issue keys to all your users
14:49 < ecrist> thear: no, there isn't
14:49 < Bushmills> and because you can give client-specific (key-specific) option per connecting client 
14:49 < ecrist> it's due to technology, there isn't proper support in iOS for OpenVPN without jail breaking the device
14:51 < mikey_w> Acevpn appears to use the same keys for everyone.
14:51 < ecrist> the must depend upon user/password authentication, as well
14:59 < thear> ecrist: thanks
15:02 < hyper_ch> ecrist: some crypto stuff for you http://www.theregister.co.uk/2010/11/30/canon_verification_cracked/
15:02 <@vpnHelper> Title: Cryptographers crack system for verifying digital images • The Register (at www.theregister.co.uk)
15:12 < mikey_w> Thanks.
15:13 -!- joako [~joako@opensuse/member/joak0] has quit [Read error: No route to host]
15:13 < mikey_w> Of course I can just remove the user.
15:22 < Essobi> ecrist: You know of any FIPS 140-2 work with OpenVPN?  I've google here and there but find everyone asking the same question I am..
15:28 < ecrist> nope
15:29 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
15:43 < krzee> its all about what openssl supports
15:44 < krzee> if your openssl supports your hardware, openvpn will transparently use it
15:44 < krzee> (cause openvpn just calls openssl)
15:51 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
16:09 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
16:24 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
16:33 -!- legodude [~legodude@adsl-76-226-142-167.dsl.sfldmi.sbcglobal.net] has quit [Remote host closed the connection]
16:36 -!- mikkel [~mikkel@84-238-113-66.u.parknet.dk] has quit [Quit: Leaving]
16:45 -!- star314 [~star314@starnet1.sinh.us] has joined #openvpn
16:47 -!- ascii` [~ascii@unaffiliated/ascii/x-736482] has joined #openvpn
16:48 < ascii`> hi, anybody with experience about giving public ip's to openvpn clients using tun?
16:49 < ascii`> eg: i've some spare ip addresses now configured ad aliases for eth0
16:50 < ascii`> just configured a simple static setup with the client ip = one "public" ip
16:50 < ascii`> now i'm missing the glue part, do i have to do a bridge, use an aro proxy, do snat/dnat?
16:50 < ascii`> any help is welcome :)
17:05 -!- patelx [~patel@openvpn/corp/admin/patel] has joined #openvpn
17:05 -!- mode/#openvpn [+o patelx] by ChanServ
17:05 <@vpnHelper> RSS Update - forum: Installation Help :: Re: site-to-site MTU issues??? :: Reply by zbadone <https://forums.openvpn.net/viewtopic.php?f=5&t=7325&p=8593#p8593>
17:16 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
17:21 -!- magicblaze0072 [~magicblaz@67.237.112.232] has joined #openvpn
17:21 < magicblaze0072> Can I setup a vpn on a windows machine behing nat and get it a ip using openvpn that is accessible to other such windows machines?
17:21 < magicblaze0072> I'm new to the concept of vpn and would like to know some more
17:22 < magicblaze0072> I am interested in forming a vpn of machines behind nat/firewalls that can talk to each other easily. 
17:27 < krzee> !route
17:27 <@vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
17:31 < Bushmills> magicblaze0072: let them connect to same server. check out client-to-client.  not required but shortens routing
17:32 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
17:33 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
17:34 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:43 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
17:54 <@vpnHelper> RSS Update - forum: Installation Help :: Re: site-to-site MTU issues??? :: Reply by zbadone <https://forums.openvpn.net/viewtopic.php?f=5&t=7325&p=8594#p8594>
18:04 -!- star314 [~star314@starnet1.sinh.us] has quit [Quit: Leaving]
18:56 -!- corretico [~corretico@201.201.44.82] has quit [Remote host closed the connection]
18:58 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
18:59 -!- corretico [~corretico@201.201.44.82] has quit [Read error: Connection reset by peer]
18:59 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
19:06 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
19:07 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has quit [Read error: Operation timed out]
19:21 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
19:25 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has joined #openvpn
19:42 <@vpnHelper> RSS Update - forum: Configuration :: Still confused on what to do :: Author bistritapcv <https://forums.openvpn.net/viewtopic.php?f=6&t=7339&p=8595#p8595>
19:51 < Dougy_> RAWR
19:52 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
19:54 -!- s34n [~chatzilla@ip-208-76-93-125.mvdsl.com] has quit [Remote host closed the connection]
19:55 -!- magicblaze007 [~piyush@67.237.112.232] has joined #openvpn
20:11 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Ping timeout: 260 seconds]
20:24 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined #openvpn
20:31 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
20:48 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Setting TCP or UDP from the client side? :: Reply by TheMG <https://forums.openvpn.net/viewtopic.php?f=4&t=7336&p=8596#p8596>
20:54 <@vpnHelper> RSS Update - forum: Server Administration :: Re: local parameter is not working in client mode :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=4&t=7335&p=8597#p8597>
21:29 -!- blee_laptop [~blee@211.71.118.70.cfl.res.rr.com] has joined #openvpn
21:29 < blee_laptop> I was hoping someone could help me, I am I just installed Fedora 14, and moved over my configs from my windows machine over, however I cannot get my VPN connection to connect
21:30 < blee_laptop> I have a tun connection which is working great, but tap is fighting me like nobodies business
21:30 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: Password OpenvpnGUI :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=15&t=7332&p=8578#p8578>
21:44 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
21:44 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
21:44 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
21:55 <@vpnHelper> RSS Update - forum: Forum & Website Support :: Re: No VPN access for client overnight :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=30&t=7311&p=8582#p8582>
21:57 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has joined #openvpn
22:12 -!- corretico [~corretico@201.201.44.82] has quit [Remote host closed the connection]
22:16 < unspin> does anyone know of a mini pci-e aes accelerator card?
22:26 < jwm> hehe
22:26 < jwm> maybe they have usb? :)
22:26 < jwm> or would that be fast enough
22:30 < unspin> yeah, too slow
22:31 < unspin> but i'm looking for something to install into an embedded system
22:31 < unspin> less appendages are better :)
22:34 < unspin> ah, here we go
22:34 < unspin> Soekris vpn1411
22:44 -!- mikey_w [~mike@178.162.174.69] has quit [Ping timeout: 260 seconds]
22:48 < jwm> I was wondering if you could use a video card
22:48 < jwm> but I don't think they have any good gpu video cards in mini pcie :)
22:53 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has joined #openvpn
23:04 < unspin> haha
23:04 < unspin> and i'd have to actually do work to use it :)
23:29 < jwm> I want to get into gpu coding 
23:29 < jwm> hehe
23:38 -!- krzie [~k@ftp.secure-computing.net] has joined #openvpn
23:38 -!- krzie [~k@ftp.secure-computing.net] has quit [Changing host]
23:38 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
23:44 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
23:47 <@vpnHelper> RSS Update - forum: Server Administration :: Re: local parameter is not working in client mode :: Reply by kerozcak <https://forums.openvpn.net/viewtopic.php?f=4&t=7335&p=8598#p8598>
23:52 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Read error: Operation timed out]
--- Day changed Wed Dec 01 2010
00:14 -!- nettie [~nettie@stewie.freax.it] has quit [Ping timeout: 245 seconds]
00:19 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
00:48 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has quit [Ping timeout: 240 seconds]
01:09 -!- _zoom_ [~user@196.29.186.102] has joined #openvpn
01:09 < _zoom_> hello, how to enable management interface over VPN?
01:11 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:15 < krzie> see --management in the manual
01:15 < krzie> !man
01:15 <@vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
01:18 < _zoom_> krzie, thanx
01:21 < jpalmer> krzie: the other day,  you were telling me about "client-connect"  but,  that only works in server mode.   is there anything similar for a client endpoint?    I need to run a script everytime the VPN reconnects for any reason (even though the tun interface didn't go down, the tunnel itself did)
02:00 -!- juhovh [~jvahaher@kekkonen.cs.hut.fi] has joined #openvpn
02:02 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has joined #openvpn
02:06 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 240 seconds]
02:10 -!- nettie [~nettie@stewie.freax.it] has joined #openvpn
02:11 -!- dazo_afk is now known as dazo
02:32 < reiffert> moin
02:35 -!- markus_ [~markus@c83-250-36-93.bredband.comhem.se] has joined #openvpn
02:47 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
02:55 -!- _zoom_ [~user@196.29.186.102] has quit [Quit: Leaving.]
02:59 -!- _zoom_ [~user@196.29.186.102] has joined #openvpn
03:02 -!- _zoom_ [~user@196.29.186.102] has quit [Client Quit]
03:28 -!- thear [~thear@74-92-245-225-Utah.hfc.comcastbusiness.net] has quit [Ping timeout: 265 seconds]
03:29 <@dazo> jpalmer: check --up
03:29 <@dazo> and also --route-up
03:33 -!- luneff [~yury@84.51.198.44] has joined #openvpn
03:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 272 seconds]
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
03:44 < krzie> !script
03:44 <@vpnHelper> krzie: "script" is see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn
03:45 < krzie> --route-up looks like the winner
03:46 -!- master_of_master [~master_of@p57B5537A.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
03:49 -!- master_of_master [~master_of@p57B54657.dip.t-dialin.net] has joined #openvpn
03:50 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:56 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
04:15 -!- renihs [~lemming@83-65-34-34.arsenal.xdsl-line.inode.at] has joined #openvpn
04:16 < renihs> hello, hmm if a cert is revoked, can a new cert be created with exactly the same name? or should it be incremented :)
04:17 -!- common- [~common@p5DDA4AE7.dip0.t-ipconnect.de] has joined #openvpn
04:18 < krzie> increment
04:20 -!- common [~common@p5DDA4977.dip0.t-ipconnect.de] has quit [Ping timeout: 255 seconds]
04:20 -!- common- is now known as common
04:27 -!- thear [~thear@74-92-245-225-Utah.hfc.comcastbusiness.net] has joined #openvpn
05:15 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:18 -!- LowKey [rhel@unaffiliated/lowkey] has joined #openvpn
05:39 -!- blee_laptop [~blee@211.71.118.70.cfl.res.rr.com] has quit [Remote host closed the connection]
05:58 < LowKey> !welcome
05:58 <@vpnHelper> LowKey: "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:58 < LowKey> !configs
05:58 <@vpnHelper> LowKey: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
06:05 -!- WinstonSmith [~true@e179013136.adsl.alicedsl.de] has joined #openvpn
06:05 -!- WinstonSmith [~true@e179013136.adsl.alicedsl.de] has quit [Read error: Connection reset by peer]
06:11 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
06:36 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
06:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
06:52 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
07:00 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has quit [Ping timeout: 272 seconds]
07:02 -!- oracle [~o2@unaffiliated/spice] has joined #openvpn
07:02 < oracle> i have this link with  some server
07:02 < oracle> simply put, it uses 1024 bit rsa keys when i connect to it
07:03 < oracle> now, is that rsa key actually used to transmit the session encryption key
07:03 < oracle> does its size/strength have any effect on generation of session keys
07:05 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has quit [Ping timeout: 245 seconds]
07:05 <@dazo> oracle: the 1024 RSA key is the the public/private key stuff which is used to generate a temporary session key.  The key itself is not transferred using this encryption key alone, but is rather calculated/generated through a Diffie-Hellman key exchange algorithm
07:07 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn
07:07 -!- meepmeep [meepmeep@212.24.104.229] has joined #openvpn
07:08 <@dazo> to explain it really simple ... client and server gathers some random data, signs some of the random data and sends it to the other side.  The other side validates the signature, extracts the public key from the signature, applies its own random data which has been transfered and the rest of the private random data and that generates the temporary session key which then is used to symmetrically encrypt the tunnel data ... defined by --cipher
07:10 <@dazo> this is _not_ 100% accurate, but very overly simplified ... it's a bit more trickery ... the key point is that the keys being exchanged over the wire before the encryption is established are just part of the temporary crypto key
07:18 < oracle> i thought it might be for authentication of the server. i dont have any keys as a user, only a password
07:22 <@dazo> oracle: if you don't have a client certificate, then it will use a similar algorithm, where the client will only use the server's public key to manage this key exchange
07:22 <@dazo> but certificates are also used to authenticate server and clients
07:23 <@dazo> (certificates are basically just a public key signed by a CA which both parties knows and trusts)
07:23 < oracle> so the entire system comes down to the weakest link, which in ideal cases would be the keysize
07:24 < oracle> the 1024 bit rsa key can be compromized and out of that a passive listener could determine all traffic session keys generated after that
07:24 <@dazo> keysize is always important ... but the RSA keysize is less important than the key size of the symmetric encryption of the tunnel itself 
07:24 < oracle> no wait, that's not how it works. diffie hellman assures of that i think
07:24 <@dazo> exactly, DH does prevent some of those attacks
07:25 < oracle> yes, the dh mumbojumbo does that
07:26 <@dazo> so the encryption set with --cipher is therefore much more crucial/important than --tls-cipher (which defines the cipher the key exchange will make use of)
07:27  * dazo finds it intriguing to help to an oracle :)
07:27 < oracle> heh ;)
07:27 -!- _zoom_ [~user@196.29.186.102] has joined #openvpn
07:27 < _zoom_> hi, is it possible to client to ignore push request from server?
07:30 <@dazo> _zoom_: remove --pull from the client config .... or read up what --client does in the man page and implement the same without --pull
07:31 < oracle> rather not mess with public keys so i just use static keys when i can
07:32 <@dazo> static keys do have weaker security all in all, though ... and no strict client/server authentication
07:33 <@dazo> setting up a CA using f.ex. xca or TinyCA2 isn't rocket science ... or ssl-admin and easy-rsa2 for console usage
07:33 <@dazo> !ssl-admin
07:33 <@vpnHelper> dazo: "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn, or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
07:37 -!- meepmeep [meepmeep@212.24.104.229] has quit [Ping timeout: 240 seconds]
07:38 < oracle> shouldnt be too hard to do it the openssl way either
07:39 < LowKey> hello, i got some problem with openvpn : http://pastebin.com/DnRZjMSk , my firewall is OFF.
07:39 <@dazo> oracle: well, depends on your openssl knowledge level ... it's not too easy, especially for newbies ... but for advanced and experienced users who knows what they're doing, the openssl is far from impossible
07:40 <@dazo> LowKey: may I first suggest you to upgrade to 2.1.x ... it's available via the Fedora EPEL5 repository ... 2.0.9 is not supported any longer, and was released in 2006, iirc
07:41 <@dazo> (not that this necessarily is the cause of your issue)
07:42 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has joined #openvpn
07:42 <@dazo> LowKey: and please pastbin logfiles with --verb 4
07:43 <@dazo> especially from the client side
07:43 <@dazo> further pastebin route -n on client and server as well
07:46 -!- meepmeep [meepmeep@there-is-no.endoftheinternet.org] has quit [Ping timeout: 245 seconds]
07:50 < LowKey> ok 
07:50 < LowKey> let me upgrade first
07:51 < magicblaze0072> If I've a lot of machines (> 500) behind different NATs/firewalls, is there a way to use openvpn to get them on a local lan ip system (10.x.x.x) so that they can run services for this network and others can access it?
07:53 < magicblaze0072> anyone uses hamachi here?
08:01 <@dazo> ecrist: krzie: may I suggest that !epel5 would say "Please use the EPEL repository when installing OpenVPN on RHEL/CentOS: http://fedoraproject.org/wiki/EPEL/FAQ#How_can_I_install_the_packages_from_the_EPEL_software_repository.3F" ... and that !rhel and !centos would point at !epel5
08:01 <@vpnHelper> Title: EPEL/FAQ - FedoraProject (at fedoraproject.org)
08:02 -!- magicblaze007 [~piyush@67.237.112.232] has quit [Quit: Leaving.]
08:04 < ecrist> !learn epel5 as Please use the EPEL repository when installing OpenVPN on RHEL/CentOS: http://fedoraproject.org/wiki/EPEL/FAQ#How_can_I_install_the_packages_from_the_EPEL_software_repository.3F
08:04 <@vpnHelper> ecrist: Joo got it.
08:04 < ecrist> !learn rhel as see !epel5
08:04 <@vpnHelper> ecrist: Joo got it.
08:04 < ecrist> !learn centos as see !epel5
08:04 <@vpnHelper> ecrist: Joo got it.
08:04 < ecrist> dazo: done
08:05 <@dazo> exthx!
08:05 <@dazo> gee 
08:06 <@dazo> ecrist: thx!
08:06 < ecrist> np
08:13 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
08:15 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Quit: ecrist]
08:19 < _zoom_> dazo: regarding to disable push-request,  when i used tls-client --ifconfig is required when --dev tun is used.
08:20 <@dazo> _zoom_: yeah, that is configured via --push  ... so without a client --pull, you need to do --ifconfig yourself on the client side
08:21 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has joined #openvpn
08:22 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
08:22 -!- mode/#openvpn [+o vpnHelper] by ChanServ
08:23 -!- meepmeep [meepmeep@212.24.104.229] has joined #openvpn
08:25 < LowKey> dazo: still got same issues after upgrade : here : http://pastebin.com/U8fDhUtq
08:26 -!- rjd_ [~rjd@212.112.31.11] has joined #openvpn
08:27 <@dazo> LowKey: can you pastebin route -n of client and server?
08:27 <@dazo> LowKey: and try to ping 10.8.0.1
08:27 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has quit [Ping timeout: 245 seconds]
08:28 -!- luneff [~yury@84.51.198.44] has quit [Read error: Connection reset by peer]
08:31 <@dazo> LowKey: I'm wondering if this statement gives you troubles ...  "route 10.8.0.0 255.255.255.0"
08:31 <@dazo> and also  'push "route 10.8.0.1 255.255.255.255"'
08:33 < LowKey> dazo: http://pastebin.com/bDT7Euky
08:35 < magicblaze0072> anyone uses hamachi here?
08:38 <@dazo> LowKey: make sure you have enabled IP forwarding .... sysctl net.ipv4.ip_forward ... you can set that value to 1 in /etc/sysctl.conf to make it persistent on boot
08:39 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Quit: Ctrl-C at console.]
08:39 <@dazo> but ... that doesn't explain why the client fails when accessing something else outside the tunnel ... hmm
08:39 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
08:39 -!- mode/#openvpn [+o vpnHelper] by ChanServ
08:41 -!- boswarrior1 [~mrnice@78.142.173.114] has joined #openvpn
08:42 < LowKey> dazo: sorry, this route -n client and server side : http://pastebin.com/ReP66Z7M
08:42 < LowKey> dazo: need to disable  "route 10.8.0.0 255.255.255.0" ?
08:45 < LowKey> oh forgot to ip forwarding
08:46 < magicblaze0072> anyone knows where i can get some help on hamachi/logmein?
08:46 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has joined #openvpn
08:48 <@dazo> !forget centos
08:48 <@vpnHelper> Joo got it.
08:48 <@dazo> !learn centos See !epel
08:48 <@vpnHelper> (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
08:49 <@dazo> !learn centos as See !epel
08:49 <@vpnHelper> Joo got it.
08:49 <@dazo> !centos
08:49 <@vpnHelper> "centos" is See !epel
08:49 <@dazo> !forget centos
08:49 <@vpnHelper> Joo got it.
08:49 <@dazo> !learn centos as See !epel5
08:49 <@vpnHelper> Joo got it.
08:49 <@dazo> !epel5
08:49 <@vpnHelper> "epel5" is Please use the EPEL repository when installing OpenVPN on RHEL/CentOS: http://fedoraproject.org/wiki/EPEL/FAQ#How_can_I_install_the_packages_from_the_EPEL_software_repository.3F
08:50 < ecrist> !whoami
08:50 <@vpnHelper> ecrist
08:50 < ecrist> try that, dazo
08:50 < ecrist> please
08:50 <@dazo> !whoami
08:50 <@vpnHelper> developers
08:51 < ecrist> w00t
08:51 < ecrist> works as advertised
08:51 <@dazo> heh :)
08:51 < magicblaze0072> when you use openvpn on windows, can you get a ip range on which i can connect a bunch of machines behind nat/firewalls? 
08:52 < ecrist> !supybot
08:52 < ecrist> !learn supybot as http://supybook.fealdia.org/devel/#_adding_a_new_user
08:52 <@vpnHelper> Joo got it.
08:56 -!- basso [~quassel@pc5053.stdby.hin.no] has quit [Remote host closed the connection]
08:57 -!- basso [~quassel@pc5053.stdby.hin.no] has joined #openvpn
08:57 < LowKey> dazo: still not work, after enable ip forwarding
08:57 < LowKey> hmm
08:57 -!- basso [~quassel@pc5053.stdby.hin.no] has quit [Remote host closed the connection]
08:58 -!- basso [~quassel@pc5053.stdby.hin.no] has joined #openvpn
08:58 -!- basso [~quassel@pc5053.stdby.hin.no] has quit [Client Quit]
09:00 -!- Sushiyant [~hamed@unaffiliated/sushiyant] has quit [Quit: Leaving]
09:03 < LowKey> dazo: any idea with my problem ?
09:04 <@dazo> LowKey: Just to be sure I understand .... you loose general network access outside the tunnel, when you start and connect the VPN?
09:06 -!- magicblaze0072 [~magicblaz@67.237.112.232] has quit [Quit: Leaving.]
09:09 < LowKey> hmmm, confuse , i already follow up the step on the tutorial , 
09:17 < Bushmills> "...my firewall is OFF.." - then there is missing NAT
09:18 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:19 <@dazo> Bushmills: If I've understood it correctly ... LowKey doesn't use --redirect-gw ... and on the client, he looses access to the rest of the world when the VPN started
09:19 <@dazo> LowKey: please confirm
09:20 < Bushmills> ah
09:20 <@dazo> If so ... could it be vmware related?
09:20 < Bushmills> so why should firewall be related then?
09:21 < LowKey> i'm OFF the firewall , need to up the firewall ?
09:22 < Bushmills> why do you push  push "route 192.168.0.0 255.255.255.0"  route?
09:22 < LowKey> because i just follow the sample conf :D, sorry , but i'm already put # on it
09:23 < Bushmills> sample config is meant to customize it for your own purposes
09:23 < Bushmills> "because it is in config" is not a good reason. a better reason would be "because i intend to ..."
09:24 < ascii`> hi, anybody with experience about giving public ip's to openvpn clients using tun?
09:24 < ascii`> eg: i've some spare ip addresses now configured ad aliases for eth0
09:24 < ascii`> just configured a simple static setup with the client ip = one "public" ip
09:24 < ascii`> now i'm missing the glue part, do i have to do a bridge, use an aro proxy, do snat/dnat?
09:26 < Bushmills> who has the extra ip addresses. openvpn server?
09:27 < ascii`> Bushmills, yes
09:27 < Bushmills> what OS?
09:27 < ascii`> if i bind an interface to it, let's say eth0:10 it work but it doesn't tunnel the data to tun0
09:28 < ascii`> Bushmills, debian stable
09:28 < Bushmills> you can DNAT or SNAT packets coming in from WAN --to-destination openvpn clients  
09:28 < rjd_> ascii`: those should not be bound to an eth alias.. are they all on the same subnet?
09:30 < ascii`> rjd_, if i don't bind the interface the data doesn't reach the other side of the vpn. another note is that the openvpn server is a vps
09:30 < ascii`> so i don't know how arp is managed there
09:30 < ascii`> i can remember that if i arpping an internal openvpn ip on an ethernet segment the host will reply
09:31 < ascii`> so i was guessing that the only interface that needed the public ip was the p-t-p tun0
09:31 < ascii`> and everything would have worked out of the box
09:31 < ascii`> but this seems not to be the case
09:32 < ascii`> rjd_, what's your setup?
09:32 < Bushmills> can't you  up ip addr add  ...  your extra addresses?
09:33 < ascii`> i could, it's almost the same than creating an alias i think
09:33 < ascii`> and the routing wouldn't work as expected as the ip is local to the server
09:34 < ascii`> in another setup (physical server) i have no alias or interface withe the ip except the tun
09:34 < Bushmills> not quote. no aliases ethernet devices with ip addr add - dev is for all the same eth device 
09:34 < Bushmills> quite
09:34 < ascii`> i can try
09:36 < ascii`> Bushmills, same result, i can ping the ip but the vpn server reply instead of the client
09:36 < Bushmills> iptables -t nat -A PREROUTING  -d $CLIENTPUB -j DNAT --to-destination $CLIENTVPN  # something like that could be the iptables rules 
09:37 < ascii`> Bushmills, yes if it's not going to work i'll use dnat but that's not the ideal condition as as rjd_ said this should work without nat
09:37 < ascii`> i'm trying to debug the issue but i'm short on ideas :)
09:39 -!- nelgin [~nigelreed@static-71-252-202-194.dllstx.fios.verizon.net] has joined #openvpn
09:40 < nelgin> Still trying to get openvpn working. Background -  Linux running VPN server - no firewall, public IP on eth0 and private 192.168.168.x IP address bound to br0, using tap. Client is Windows 7 running openvpngui. The client connects to the server and obtains and IP address but I cannot ping the host. Looking for more clues and suggestions.
09:46 < ecrist> !configs
09:46 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
09:46 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Quit: Távozom]
09:46 < nelgin> I think I might have found the problem.
09:46 < ecrist> w00t
09:47 < ecrist> I love problems that solve themselves.
09:47 < nelgin> It hasn't solved itself.
09:47 < ascii`> Bushmills, rjd_ okay it's definitely an arp thing, well i'm posting for collective knowledge :) when i arpspoof my ip on my mac against the gateway the data correctly flow inside the tun without any special configuration
09:48 < ascii`> when i stop and the firewall/gateway cache flush the data stop reaching my interface
09:48 < ascii`> i have no idea of what virtualization product they use but i think it's xen
09:57 <@vpnHelper> RSS Update - forum: Server Administration :: timeouts after loging in on OpenVPN :: Author jolan <https://forums.openvpn.net/viewtopic.php?f=4&t=7340&p=8600#p8600>
10:11 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
10:11 < _zoom_> does the management password travel clearly in plain thru connections?
10:12 <@dazo> _zoom_: yes
10:14 -!- boswarrior1 [~mrnice@78.142.173.114] has quit [Quit: Ex-Chat]
10:14 -!- dazo is now known as dazo_afk
10:20 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
10:21 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has quit [Ping timeout: 250 seconds]
10:30 < jpalmer> dazo_afk: --up is for when the tun0 interface comes up initially. regardless of if there is a VPN connection itself or not.  I need something more like client-connect (but, on the client side)  that executes a script every time the VPN tunnel is established.
10:31 -!- oracle [~o2@unaffiliated/spice] has quit [Ping timeout: 240 seconds]
10:32 < jpalmer> dazo_afk: a little background.  I have a script that runs (currently using "up")  but if the VPN drops/reconnects for any reason,  the "up" script doesn't run again. (it only runs,  when the tun interface is created.. which is only when the openvpn client starts.  once.
10:33 < ascii`> jpalmer, try ipchange
10:34 < jpalmer> ascii`: the IP's are static via ccd.  I haven't tried it, but from what I've read,  it won't help
10:34 -!- oracle [~o2@unaffiliated/spice] has joined #openvpn
10:35 < ascii`> jpalmer, it's executed at every initialization
10:35 < ascii`> eg: connection established
10:35 < jpalmer> hrm, I'll look at it again.
10:35 < ascii`> "Executed after connection authentication, or remote IP address change."
10:36 -!- _zoom_ [~user@196.29.186.102] has left #openvpn []
10:38 < jpalmer> yeah, I'll have to test that out.  thanks a ton.
10:38 -!- pushpop [~marc@pool-173-77-222-236.nycmny.fios.verizon.net] has quit [Ping timeout: 260 seconds]
10:38 < ascii`> jpalmer, glad to be useful :)
10:43 -!- pushpop [~marc@pool-173-77-222-236.nycmny.fios.verizon.net] has joined #openvpn
10:47 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined #openvpn
11:00 -!- dazo_afk is now known as dazo
11:00 <@dazo> jpalmer: then --route-up is probably your winner
11:01 <@dazo> that's a script which is run when routes are added
11:01 <@dazo> --ipchange is server side, iirc ... but I probably remember wrong
11:03 -!- s7r [~s7r@212.78.230.244] has joined #openvpn
11:21 -!- ruben23 [~RLACUMBA@121.97.111.142] has joined #openvpn
11:33 -!- mikey_w [~mike@va-76-6-219-207.dhcp.embarqhsd.net] has joined #openvpn
11:34 -!- pushpop [~marc@pool-173-77-222-236.nycmny.fios.verizon.net] has quit [Ping timeout: 240 seconds]
11:37 < mikey_w> Hello, my server's  just suddenly stopped working.  It was working earlier and now fails to resolve an URL
11:38 <@dazo> mikey_w: what did you change?
11:38 <@dazo> no software suddenly stops working by itself ... 95% of the times it happens ... it's because of a so called "harmless change" ... speaking purely out of experience :)
11:39 < mikey_w> Nothing.  I attached earlier and it was working and now fails.
11:39 <@dazo> something has changed, I'm absolutely sure  
11:41 < mikey_w> Very frustrating.
11:41 < mikey_w> Raw ip works just no NAT.
11:43 < Dougy_> wat
11:46 -!- luneff [~yury@84.51.198.44] has joined #openvpn
11:46 -!- mikey_w [~mike@va-76-6-219-207.dhcp.embarqhsd.net] has quit [Ping timeout: 260 seconds]
11:47 -!- pushpop [~marc@pool-173-77-222-236.nycmny.fios.verizon.net] has joined #openvpn
11:47 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has joined #openvpn
11:48 < Bushmills> obviously, a name server problem
11:49  * Bushmills guesses the subject runs resolvconf, network-manager or similar, and/or a dhcp request has messed up his resolver config. 
11:49 <@vpnHelper> RSS Update - forum: Server Administration :: Block DHCP from bridged VPN sites :: Author caciavar <https://forums.openvpn.net/viewtopic.php?f=4&t=7341&p=8601#p8601>
11:50 < Bushmills> long live automagic configuraration facilities
11:51  * Bushmills also guesses that the subject is running ubuntu
11:56 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
11:56 < pyther> Hello
11:57 < pyther> If I decide to use lzo compression on a link, how much cpu power will I need?
11:58 -!- mikey_w [~mike@95.211.85.224] has joined #openvpn
11:58 < pyther> I'm trying to decide of a P4 machine will have enough power to handle up to 5 connections simutanously with compression/decompression
11:58 < Bushmills> pyther: not a lot. client side, using a netbook, a hardly notice it.
11:59 < Bushmills> may depend on network transfer rate, of course
12:00 < Bushmills> sending (compressing) side will have more work with it, though 
12:02 <@dazo> pyther: people run 20 folds that amount of clients with encryption and compression on even weaker hardware without issues ... you're good to go
12:03 < pyther> ahh cool
12:03 < pyther> thanks
12:11 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has quit [Quit: leaving]
12:12 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
12:32 -!- p3rror [~mezgani@41.248.107.242] has quit [Read error: Connection reset by peer]
12:32 <@vpnHelper> RSS Update - pastebin: Mine <http://pastebin.ca/2007905>
12:32 < jpalmer> pyther: I have a P4 machine handling 180 simultaneous clients.
12:33 < jpalmer> pyther: the real question is:  how much DATA is each client going to be passing.   a VPN client that is mostly idle and not sending traffic,  is MUCH less computational overhead than one that sends gig of data.
12:33 < nelgin> Hrm
12:34 < nelgin> Does Linux make use of two tap adatptors when running openvpn as a server?
12:34 <@dazo> nelgin: nope
12:34 < nelgin> #
12:34 < nelgin> Dec  1 12:14:24 wibble openvpn[7011]: TUN/TAP device tap1 opened
12:34 < nelgin> #
12:34 < nelgin> Dec  1 12:14:26 wibble avahi-daemon[19482]: Registering new address record for fe80::40d5:2fff:feb2:e423 on tap0.*.
12:34 < nelgin> Dec  1 12:14:39 wibble kernel: br0: port 2(tap0) entering forwarding state
12:35 < nelgin> Could that be my problem?
12:35 <@dazo> that means it already exists a process using a tap device ... or that an old device was not torn down properly
12:35 <@dazo> yeah, that could be 
12:35 < nelgin> Let me see if I can remove it.
12:36 <@dazo> openvpn --rmtun
12:37 < nelgin> While openvpn is running?
12:37 <@dazo> nope, after it is stopped
12:38 <@dazo> openvpn --rmtun --dev tap0 ... probably
12:38 < nelgin> OK, I stopped it and did openvpn --rmtun --dev tap1 but when I started openvpn it was back
12:38 <@dazo> you need to remove the old tap device ... the new one shouldn't be relevant
12:38 <@dazo> if you want to use that old one explicitly ... you need to use --dev tap0  in your config
12:39  * dazo heads for dinner
12:39 < nelgin> Oh ok. It should be. I pastebin'd my configs
12:39 -!- mikey_w [~mike@95.211.85.224] has quit [Ping timeout: 245 seconds]
12:39 < nelgin> http://openvpn.pastebin.ca/2007905
12:39 < nelgin> [root@wibble openvpn]# service openvpn start
12:39 < nelgin> Starting openvpn: Wed Dec  1 12:39:48 2010 TUN/TAP device tap0 opened
12:39 < nelgin> Wed Dec  1 12:39:48 2010 Persist state set to: ON
12:43 -!- le0 [~fin@82.132.248.211] has joined #openvpn
12:43 -!- le0 [~fin@82.132.248.211] has quit [Changing host]
12:43 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
12:44 < nelgin> Well shite, that was it!
12:44 < nelgin> SOLVED!
12:47 < nelgin> So, how can I permanently get rid of tap1?
12:50 -!- straterra [~straterra@fuhell.com] has joined #openvpn
12:51 < straterra> Is there a way to make TLS auth optional for a specific client in OpenVPN?
12:51 -!- p3rror [~mezgani@41.248.104.33] has joined #openvpn
12:55 -!- bitterman [~yury@84.51.198.44] has joined #openvpn
12:55 < nelgin> Sweetness! 
12:56 -!- mikey_w [~mike@va-76-6-219-207.dhcp.embarqhsd.net] has joined #openvpn
12:57 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
12:57 -!- luneff [~yury@84.51.198.44] has quit [Ping timeout: 245 seconds]
12:58 < nelgin> Well, that was a waste of time :(
13:02  * ecrist thinks nelgin is bipolar
13:02 < nelgin> I was hopeful that I could use the vpn to use directv2pc but seems not. I get everything except the content. Probably too bandwidth intensive.
13:03 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has quit [Read error: Connection reset by peer]
13:03 < nelgin> Everything on my pc connecting the local network disconnected and my remote ssh sessions lagged lol
13:04 -!- raidz [~Andrew@seance.openvpn.org] has joined #openvpn
13:04 -!- raidz [~Andrew@seance.openvpn.org] has quit [Changing host]
13:04 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has joined #openvpn
13:04 -!- mode/#openvpn [+o raidz] by ChanServ
13:05 < nelgin> I suppose I can now use my openvpn tunnel instead of using putty to create an ssh tunnel for my web browser and other apps I shouldn't use at work lol.
13:05 -!- straterra [~straterra@fuhell.com] has left #openvpn []
13:06 -!- nelgin [~nigelreed@static-71-252-202-194.dllstx.fios.verizon.net] has quit [Quit: My damn controlling terminal disappeared!]
13:06 -!- nelgin [~nigelreed@static-71-252-202-194.dllstx.fios.verizon.net] has joined #openvpn
13:06 < nelgin> Then there are times it disconnects my shell too lol.
13:11 -!- katoen is now known as Cmdr_W_T_Riker
13:12 -!- bitterman [~yury@84.51.198.44] has quit [Ping timeout: 255 seconds]
13:14 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: making packets :: Author Felix <https://forums.openvpn.net/viewtopic.php?f=15&t=7342&p=8602#p8602>
13:30 < Essobi> I hate to ask this, but ... Is there any decent UIs for configuring a server config?
13:30 < Essobi> <--- OpenVPN newb
13:33 < nelgin> Essobi, it's pretty easy, even I was able to follow the instructions.
13:33 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
13:34 < Essobi> nelgin: Ehh, I was trying to quick generate a config to start mangling it for FIPS compliance..
13:35 < nelgin> I pastebin'd mine recently that actually works.
13:35 < nelgin> http://openvpn.pastebin.ca/2007905
13:36 < nelgin> This is for a bridged connection rather than routed, you'd just need to change server-bridge to server I think.
13:38 < Bushmills> Essobi: check whether this helps:
13:38 < Bushmills> !confgen
13:38 <@vpnHelper> "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/
13:40 < Bushmills> nelgin: "use openvpn tunnel to create ssh tunnel for web browser" ... no need to tunnel through tunnel through tunnel - you can route  web traffic through openvpn directly. 
13:40 < Bushmills> easiest for web is probably, run a web proxy on openvpn server machine, tell web browser to use that proxy
13:42 <@dazo> !factiods
13:42 <@dazo> !factoids
13:42 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
13:42 <@dazo> !confgen
13:42 <@vpnHelper> "confgen" is (#1) http://www.doeshosting.com/code/openvpn-confgen.tgz for the bash config generator, or (#2) you can use svn co http://www.secure-computing.net/svn/trunk/openvpn-confgen/
13:43 <@dazo> Essobi: ^^^ it's not a gui, but more tui ;-)
13:44 < Bushmills> usually, i suggest the use of interactive openvpn configuration frontend programs, aka "editors"
13:57 -!- mikey_w [~mike@va-76-6-219-207.dhcp.embarqhsd.net] has quit [Ping timeout: 265 seconds]
14:09 -!- mikey_w [~mike@va-76-6-219-207.dhcp.embarqhsd.net] has joined #openvpn
14:17 -!- abeehc [~bob@d207-6-195-163.bchsia.telus.net] has quit [Ping timeout: 265 seconds]
14:19 -!- abeehc [~bob@d207-6-195-163.bchsia.telus.net] has joined #openvpn
14:26 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
14:27 -!- abeehc [~bob@d207-6-195-163.bchsia.telus.net] has quit [Ping timeout: 250 seconds]
14:29 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has quit [Ping timeout: 272 seconds]
14:29 -!- abeehc [~bob@d207-6-195-163.bchsia.telus.net] has joined #openvpn
14:37 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:57 -!- pyther [~pyther@unaffiliated/pyther] has quit [Ping timeout: 260 seconds]
15:05 < nelgin> The best interactive configuration program I have found for openvpn is vi :)
15:07 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
15:07 < pyther> Hello
15:07 < pyther> I'm trying to figure out how the opevpn gui works?
15:07 < pyther> Does it read the config and try to automatically connect?
15:08 < nelgin> When you tell it to connect it'll connect.
15:08 < pyther> nelgin: how do you tell it to connect?
15:08 < ecrist> right click on it, click connect
15:08 < pyther> Ahh I don't have that, would that be the result of no config?
15:09 < nelgin> I feel like I'm an expert now it's working. It was actually very easy to get going, just that tap1 device fooled me.
15:09 < nelgin> Did you copy a sample config from the samples directory into the config directory and configure it?
15:10 < Essobi> Bushmills: thanks!
15:11 < pyther> nelgin: no, but I just did and now see all of the opitions
15:11 < pyther> nelgin: I haven't actually setup a openvpn server yet, just exploring it for now
15:11 < nelgin> Oh.
15:11 < hyper_ch> hi krzie
15:11 < nelgin> You'll need to generate your certificates too.
15:11 < pyther> I'm trying to decide if I should purchase the access-server
15:11 < nelgin> The openvpn walkthroughs are very good.
15:12 < hyper_ch> pyther: how many users to manage?
15:12 < pyther> nelgin: yah it doesn't look to hard, looks like it'd be a good learning experience
15:12 < Bushmills> !howto
15:12 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:12 < Bushmills> see quick start
15:12 < pyther> hyper_ch: maybe 10
15:12 < nelgin> !howto
15:12 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:12 < nelgin> can I do that too? :)
15:12 < nelgin> Guess not lol
15:12 < hyper_ch> pyther: for 10 users I don't think you need AS
15:13 < pyther> hyper_ch: well my debate is that it has a nice gui web interface, I'm more than comfortable with working with the cli, but my boss is not
15:14 < hyper_ch> but why would you boss use a web interface anyway= will he manage access and stuff? if so, he should learn the cli :)
15:15 < Bushmills> pyther: tell boss he better leaves setting up server to somebody who knows what he's doing, and doesn't need a web interface
15:15 < hyper_ch> Bushmills: well said :)
15:15 < pyther> hyper_ch: yah he would, I really should be the boss and he should be my employee :P
15:15 < Bushmills> he can admin a client, if he likes
15:15 < pyther> I'm a college student and I might take his position when I graduate
15:15 < pyther> Bushmills: haha :)
15:16 < hyper_ch> pyther: just make hime some inteface with siny buttons and tell him that's to administer the vpn
15:16 < hyper_ch> pyther: and then when he tells you ti's not working you can just say he's doing it wrong :)
15:16 < pyther> does the community version have the ability to generate an msi that would contain the need certs?
15:16 < pyther> hyper_ch: haha, I like it
15:19 <@vpnHelper> RSS Update - forum: Configuration :: Cannot browse internet push "redirect-gateway def1" WINDOWS :: ... <https://forums.openvpn.net/viewtopic.php?f=6&t=7343&p=8603#p8603>
15:19 < Bushmills> pyther: i use a script, to generate and sign keys, and pack config, key and certs into one archive file.  unpacking that one is all needed for a running client.
15:19 < Bushmills> not quite an MSI, but close enough
15:19 < pyther> Bushmills: Bushmills so you install the vpn package and the extract the archive file?
15:20 < Bushmills> right
15:20 < pyther> not, so bad, I can live with that
15:20 < pyther> Is there a way to start the vpn connection before login?
15:21 < pyther> I know my boss will ask me if we can get users to authenticate into AD from home
15:21 -!- pushpop [~marc@pool-173-77-222-236.nycmny.fios.verizon.net] has quit [Ping timeout: 240 seconds]
15:21 < Bushmills> that's about what the script is doing:  http://scarydevilmonastery.net/snap/1291238444656093960d.png
15:24 < pyther> nice, simple too
15:24 -!- mikey_w [~mike@va-76-6-219-207.dhcp.embarqhsd.net] has quit [Ping timeout: 272 seconds]
15:27 -!- pushpop [~marc@pool-173-77-222-236.nycmny.fios.verizon.net] has joined #openvpn
15:28 -!- EmperorT1m [~EmperorTo@174-30-241-122.mpls.qwest.net] has quit [Ping timeout: 265 seconds]
15:33 -!- Sky[xx] [~SkyB0x@212.235.177.25] has joined #openvpn
15:34 -!- Netsplit *.net <-> *.split quits: Kevin`
15:35 -!- unspin [~unspin@74-115-199-34.eng.wind.ca] has joined #openvpn
15:36 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
15:36 -!- stormeye [~storm@c-93-182-144-100.cust.relakks.com] has joined #openvpn
15:36 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
15:37 -!- Netsplit over, joins: Kevin`
15:38 -!- ascii` [~ascii@unaffiliated/ascii/x-736482] has quit [Quit: Leaving]
15:38 -!- Sky[xx] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
15:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 245 seconds]
15:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
15:41 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
15:43 -!- dazo is now known as dazo_afk
15:50 < nelgin> pyther, I assume you're going to use windows rather than unix
15:51 < nelgin> DO you want it to start the server or the client at startup?
15:56 -!- HerrRiz [~admin@adsl-69-105-232-51.dsl.pltn13.pacbell.net] has joined #openvpn
15:56 -!- mode/#openvpn [+v HerrRiz] by patelx
15:56 <+HerrRiz> Is OpenVPN a good substitute for Hamachi?
16:02 < Rienzilla> it will work as such
16:04 -!- HerrRiz [~admin@adsl-69-105-232-51.dsl.pltn13.pacbell.net] has quit []
16:07 -!- unspin [~unspin@74-115-199-34.eng.wind.ca] has quit [Ping timeout: 264 seconds]
16:20 < krzee> depends on his goal really
16:20 < krzee> hamachi supports client to client without going through server, openvpn does not
16:34 < Cmdr_W_T_Riker> hmm, openvpn does not support client to client?
16:36 < Cmdr_W_T_Riker> krzee: i think this site talks about setting up a site-to-site VPN: http://openvpn.net/index.php/open-source/documentation/miscellaneous/88-1xhowto.html
16:36 <@vpnHelper> Title: 1xHOWTO (at openvpn.net)
16:44 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
16:44 < Bushmills> Cmdr_W_T_Riker: it does, but by sending traffic through server.
16:44 < Bushmills> not directly from one to another client.
16:50 < krzee> actually in that writeup there IS no server
16:50 < krzee> only 2 peers
16:50 < krzee> so it is 100% unrelated to what i said above
16:50 < krzee> This HOWTO is mainly relevant for setting up single-client or static site-to-site VPNs and is oriented more towards OpenVPN 1.x than 2.0. To take advantage of the OpenVPN 2.0 client/server capability, see the OpenVPN 2.0 HOWTO.
16:53 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
16:54 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has quit [Read error: Operation timed out]
16:55 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn
17:27 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
17:38 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
17:41 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
17:51 -!- s7r [~s7r@212.78.230.244] has quit [Ping timeout: 276 seconds]
17:53 -!- s7r [~s7r@89.39.174.74] has joined #openvpn
17:54 -!- s7r is now known as Guest53061
17:57 < Dougy_> sup jeff
17:57 < Essobi> howdy
17:58 -!- Guest53061 [~s7r@89.39.174.74] has quit [Ping timeout: 250 seconds]
18:00 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:49 -!- noogenesis [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn
18:50 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has quit [Ping timeout: 265 seconds]
18:52 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
18:54 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Read error: Connection reset by peer]
19:11 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
19:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 245 seconds]
19:50 < krzee> sup doug
19:50 < krzee> sup Essobi 
19:58 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
20:04 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has joined #openvpn
20:04 < mikey_w> Hello.
20:08 < krzee> sup mike
20:12 < ecrist> hey krzee
20:12 < krzee> sup ecrist 
20:12 < krzee> hows the kid?
20:12 < ecrist> good!
20:13 < ecrist> I tweaked the bot today
20:13 < mikey_w> I think I figured out my NAT problem.
20:13  * krzee taps vpnHelper on the shoulder
20:13 < ecrist> it no longer will say your nick when you run a command.
20:13 < krzee> !tell #openvpn /me falls apart
20:13 <@vpnHelper> Error: Dude, just give the command.  No need for the tell.
20:13 < krzee> !howto
20:13 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
20:14 < krzee> hey thats cool!
20:14 < ecrist> it doesn't respond to invalid commands at all
20:14 < ecrist> also, I've set up two pseudo users that are entirely based on host mask
20:14 < ecrist> openvpn/community/support/* and openvpn/community/developers/* have access to add/edit/delete factoids
20:14 < krzee> since you've dug unto the code, maybe it would be possible to do something like !howto > ecrist
20:15 < krzee> to have him direct it to you
20:15 < krzee> (in the channel, we already have !tell for msg)
20:15 < ecrist> !tell krzee [howto]
20:15 < krzee> !tell vpnHelper [howto]
20:15 <@vpnHelper> Error: You just told me, why should I tell myself?
20:16 < krzee> heheh
20:16 < ecrist> oh, hrm, that would involve me learning python
20:16 < krzee> oh nm then, its no biggie
20:16 < ecrist> but I'm sure it can be done, just a modification of the !tell command
20:16 < krzee> just figured you were already in the code
20:16 < ecrist> nope, not yet
20:16 < ecrist> everything I did was just base config
20:16 < krzee> ohh the name prefix was a config setting?
20:16 < ecrist> yep
20:16 < krzee> i havnt looked in those configs for a long time
20:17 < Dougy_> yoooooooooooooooooooooo
20:17 < Dougy_> whats POPN
20:17 < ecrist> yeah, I've upgraded the bot and added extensions. :)
20:17 < Dougy_> hmm... i think imma buy a cab in Dallas. I'll offer brocolo to those in here
20:17 < Dougy_> cheap cabinets ftw
20:17 < ecrist> I already have ecristcolo, sorry
20:18 < Dougy_> win
20:18 < Dougy_> :D
20:18 < Dougy_> whats your setup like these days
20:24 < ecrist> not much different
20:25 < ecrist> comcast business class in my basement.
20:37 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has quit [Read error: No route to host]
20:44 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
20:47 < ecrist> krzee: the tell thing is in a plugin.  I should be able to figure that out, and either add another command !wtf krzee [howto]
20:47 < ecrist> :)
20:47 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has joined #openvpn
20:51 < ecrist> !supybot
20:51 <@vpnHelper> "supybot" is http://supybook.fealdia.org/devel/#_adding_a_new_user
20:51 < ecrist> !die
20:52 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Quit: ecrist]
20:55 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has joined #openvpn
20:58 -!- pyther [~pyther@unaffiliated/pyther] has quit [Ping timeout: 245 seconds]
21:02 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
21:02 -!- mode/#openvpn [+o vpnHelper] by ChanServ
21:05 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Client Quit]
21:05 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
21:05 -!- mode/#openvpn [+o vpnHelper] by ChanServ
21:06 < ecrist> not quite as simple as I thought, krzee, but I'll get it figured out.
21:07 -!- magicblaze007 [~magicblaz@67.237.112.232] has joined #openvpn
21:07 < magicblaze007> anyone here?
21:08 < ecrist> some
21:08 < ecrist> best time is actually about 10 hours from now
21:08 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has quit [Ping timeout: 265 seconds]
21:11 < magicblaze007> hi ecrist
21:11 < magicblaze007> I'm looking to understand some basics about vpn and if i cud use it in my application
21:12 < magicblaze007> I would like to setup an overlay/vpn network (for machines behind nat as well), and get IPs for these machines so that they are accessible from each other 
21:12 < magicblaze007> is it something that can be done using vpn or any other software that I could look at?
21:12 < magicblaze007> I did look at logmein hamachi, but for some reason it seems that they do not allow access unless an ip joins a network...?
21:15 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
21:17 < magicblaze007> any ideas?
21:31 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has joined #openvpn
21:44 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has quit [Ping timeout: 240 seconds]
21:54 -!- Klem__ [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has quit [Ping timeout: 265 seconds]
21:56 -!- ruben23 [~RLACUMBA@121.97.111.142] has quit [Read error: Connection reset by peer]
21:59 <@vpnHelper> RSS Update - forum: Configuration :: IP Routing Problem :: Author stevodevo <https://forums.openvpn.net/viewtopic.php?f=6&t=7344&p=8605#p8605>
22:03 -!- Klem__ [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has joined #openvpn
22:15 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has joined #openvpn
22:21 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 265 seconds]
22:31 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
22:39 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
22:41 < magicblaze007> anyone here?
22:51 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
23:19 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
23:22 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
--- Day changed Thu Dec 02 2010
00:33 -!- stormeye [~storm@c-93-182-144-100.cust.relakks.com] has quit [Quit: - nbs-irc 2.39 - www.nbs-irc.net -]
00:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
00:45 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
00:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
00:53 <@vpnHelper> RSS Update - forum: Configuration :: Re: IP Routing Problem :: Reply by stevodevo <https://forums.openvpn.net/viewtopic.php?f=6&t=7344&p=8606#p8606>
00:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
01:02 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:19 -!- mape2k [~jabber@galatea.net.pennewiss.de] has joined #openvpn
01:41 -!- atan [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
01:42 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
01:44 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 240 seconds]
01:46 -!- corretico [~corretico@201.201.44.82] has quit [Quit: Leaving]
01:46 -!- noisebleed [~quassel@lula.inescn.pt] has joined #openvpn
01:46 -!- noisebleed [~quassel@lula.inescn.pt] has quit [Changing host]
01:46 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
01:48 -!- toortog [nesm6@notsecure.net] has quit [Ping timeout: 255 seconds]
02:14 -!- openbsdnoob [~openbsdno@88.79.221.61] has quit [Quit: byebye]
02:14 -!- openbsdnoob [~openbsdno@88.79.221.61] has joined #openvpn
02:24 -!- VirusTB_ [~VirusTB@thetouch.xs4all.nl] has joined #openvpn
02:37 -!- VirusTB_ [~VirusTB@thetouch.xs4all.nl] has quit [Quit:  is sleeping]
02:42 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
02:43 -!- dazo_afk is now known as dazo
03:13 -!- VirusTB_ [~VirusTB@ip-145-93-236-213.fontys.nl] has joined #openvpn
03:25 -!- VirusTB_ is now known as Timmy
03:26 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: Operation timed out]
03:29 -!- atan [~atan@unaffiliated/atan] has quit [Ping timeout: 245 seconds]
03:31 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
03:41 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
03:47 -!- master_of_master [~master_of@p57B54657.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
03:48 -!- master_of_master [~master_of@p57B538B6.dip.t-dialin.net] has joined #openvpn
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:52 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
03:59 -!- Timmy [~VirusTB@ip-145-93-236-213.fontys.nl] has quit [Ping timeout: 245 seconds]
04:00 -!- VirusTB_ [~VirusTB@ip-145-93-213-127.fontys.nl] has joined #openvpn
04:02 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
04:10 -!- oracle is now known as KlausBarbie
04:18 -!- common- [~common@p5DDA498F.dip0.t-ipconnect.de] has joined #openvpn
04:18 <@vpnHelper> RSS Update - forum: Configuration :: Re: new server hardware :: Reply by gondolin <https://forums.openvpn.net/viewtopic.php?f=6&t=7310&p=8607#p8607>
04:19 -!- common [~common@p5DDA4AE7.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
04:19 -!- common- is now known as common
04:32 -!- toortog [nesm6@notsecure.net] has joined #openvpn
04:38 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
04:38 -!- VirusTB_ [~VirusTB@ip-145-93-213-127.fontys.nl] has quit [Quit:  is sleeping]
04:47 -!- VirusTB_ [~VirusTB@ip-145-93-213-127.fontys.nl] has joined #openvpn
04:57 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
05:02 -!- KlausBarbie is now known as oracle
05:04 -!- macsppadic [~sonupunno@88.211.55.77] has joined #openvpn
05:05 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
05:08 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
05:20 -!- ptman [ptman@pusta.ptman.name] has joined #openvpn
05:47 < Cmdr_W_T_Riker> when i'm trying to log in via ssh at a openvz host, ssh stalls at "debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP"
05:47 -!- VirusTB_ [~VirusTB@ip-145-93-213-127.fontys.nl] has quit [Quit:  is sleeping]
05:47 < Cmdr_W_T_Riker> when i lower the MTU of the tun device on my machine to 700, logging in goes fine
05:48 < krzie> !mtu
05:48 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config, or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
05:48 < Cmdr_W_T_Riker> i'm wondering why the default of 1500 is giving me problems, and what is the best way to solve this problem permanently
05:48 < Cmdr_W_T_Riker> oh, nice, thanks :-)
05:54 -!- kerfe [~a@230.pool85-60-130.dynamic.orange.es] has joined #openvpn
05:59 < rjd_> Cmdr_W_T_Riker: it could travel over a link with lower mtu, and in that case one effect could be that the session hangs/freezes
06:13 -!- assassinsppadic [~sonupunno@88.211.55.77] has joined #openvpn
06:15 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
06:22 -!- WinstonSmith [~true@e179003105.adsl.alicedsl.de] has joined #openvpn
06:23 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
06:27 < ptman> the topic is spot on, my problem really was the firewall
06:28 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 260 seconds]
06:28 <@vpnHelper> RSS Update - forum: Installation Help :: Can't reinstall OpenVP-AS :: Author papapod <https://forums.openvpn.net/viewtopic.php?f=5&t=7345&p=8608#p8608>
07:04 < magicblaze007> I would like to setup an overlay/vpn network (for machines behind nat as well), and get IPs for these machines so that they are accessible from each other...I'm essentially looking to use udp hole punching code that works...
07:04 < magicblaze007> Anyone has any suggestions for me?
07:05 < magicblaze007> Anyone using logmein habachi here? Does openvpn allow for udp hole punching easily?
07:17 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
07:18 -!- Munksgaard [~Munksgaar@mail.powersense.dk] has joined #openvpn
07:18 < Munksgaard> !welcome
07:18 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:18 < Munksgaard> !goal
07:18 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:19 < magicblaze007> Munksgaard: I'm just interested in making an overlay network on the internet 
07:19 < magicblaze007> is that something easy to do?
07:20 < Munksgaard> magicblaze007, erh, no idea :-D
07:20 < Munksgaard> I would like to assign ip adresses to my connecting clients based on their MAC addresses. I realise it's not possible to do directly via openvpns config files, but i was wondering if it was somehow possible via a client-connect script?
07:20 < magicblaze007> Munksgaard: if one installs openvpn on two windows machine, do they get an ip automatically so that they can talkt o each other?
07:21 -!- mikey_w [~mike@pool-173-53-57-150.rcmdva.fios.verizon.net] has quit [Ping timeout: 245 seconds]
07:22 < Munksgaard> magicblaze007, i don't know how the windows clients work, but i'd guess you need an openvpn server set up for them to be able to talk to each other
07:23 < magicblaze007> is it easy to setup the clients?
07:24 < magicblaze007> can i automate that installation? Is there a ceiling on the number of clients? Can I assign them any ip range? 
07:25 < Munksgaard> wow, chill dude, check out the manual on http://openvpn.net/index.php/open-source/documentation/manuals/
07:25 <@vpnHelper> Title: Manuals (at openvpn.net)
07:26 < magicblaze007> Munksgaard: I'm just trying to ascertain whether i should get into openvpn or not, hence my questions.
07:26 < magicblaze007> thanks for all the help.
07:27 < Munksgaard> no problem
07:27 < nelgin> Can't openvpn work using the servers dhcp server, if so then that can assign ips based on mac address.
07:28 < magicblaze007> Munksgaard: I dont mind maintaining a complicated configuration on the server...I just want to make sure that my clients will have an easy time installing and using openvpn...no configuration needed.
07:29 < magicblaze007> how does openvpn get around the problem of machines with nat? is it udp hole punching? is it more than one method that is tried?
07:30 < Munksgaard> magicblaze007, i think openvpn on windows supports some kind of autoconfiguration if you just give it an ip and username/password. I haven't really used in on windows though, and either way i dont think i'm really the one you should be asking :-)
07:30 < Bushmills> magicblaze007: you can give each client a unique key, and assign fixed ip addresses based on those.
07:32 < magicblaze007> Bushmills: I'm trying to prepare an application that would benefit from using a vpn. Can I install and configure openvpn configuration at the client side so that it is automatic. My user doesnt have to do anything. I install and configure the openvpn client automatically using a script and it works? 
07:32 < Bushmills> re NAT:  client outgoing packets are NATted and reach server. server replies, and on the way back to client, they are de-NATted 
07:33 < Bushmills> "not anything" is impossible. he needs to turn on the computer, grant somebody access to installation (or download/execute an installation script)
07:33 < magicblaze007> Not anything means, he/she clicks "next" when installing my app.
07:33 < Bushmills> but as you say " I install and configure" ... sure, when you do, users don't have to.
07:34 < magicblaze007> Bushmills: Right now i'm using logmein habachi...and the problem is the 16 upper limit ... It installs and works without problems thou.
07:34 < magicblaze007> I wish they had allowed their 5.x.x.x range to be accessible without joining a network. 
07:35 < Bushmills> maybe you haven't wished loud enough for them to hear
07:36 < Bushmills> though i wonder how one can access a 5.x.x.x subnet without network
07:36 < magicblaze007> Bushmills: when a habachi machine registers, it gets a 5.x.x.x address
07:36 < magicblaze007> If two machines have such an address, they should be able to talk to each other...
07:36 < magicblaze007> They dont seem to allow that...unless both are part of the same network name
07:39 < magicblaze007> Bushmills: For configuring a client, is a key and ip sufficient? Then it can talk to other ips on the same keyring of some sort?
07:41 < Bushmills> for configuring one client of many (i.e. client/server configs), you want one config file and three authentication related files (key,certs) per client. 2 of the latter 3 are unique for each client
07:42 < Bushmills> the ip to assign to connecting client is determined by server when client connects
07:42 < Bushmills> but only after it has authenticated
07:43 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
07:43 < Bushmills> clients would commonly be assigned ip addresses of the same subnet, and openvpn server acts as a router between them
07:44 < magicblaze007> Bushmills: do i have to punch any holes in my firewalls/routers?
07:45 < Bushmills> if firewalls allow openvpn client to talk to server on the chosen port and protocol, you're fine.
07:45 < Bushmills> i.e. single port, single protocol
07:45 < Bushmills> single destination
07:46 < magicblaze007> Bushmills: I dont know how habachi does it, but i didnt have to fiddle with any ports on my machines behind nats
07:47 < Bushmills> server firewall must of course permit those incoming packets. it also helps if server has a static WAN ip address
07:47 < Bushmills> wrong.  if firewall doesn't permit *any* outgoing, you'd have to fiddle with it too
07:47 -!- nelgin [~nigelreed@static-71-252-202-194.dllstx.fios.verizon.net] has quit [Ping timeout: 272 seconds]
07:48 < Bushmills> i.e. must allow packets to leave machine and reach another.
07:48 < Bushmills> same requirement does openvpn have
07:48 < magicblaze007> Bushmills: I'm not worried about server firewalls
07:48 < Bushmills> deny all outgoing traffic, and a machine won't be able to talk to another. 
07:48 < magicblaze007> Because that i can configure/maintain. I'm only worried about clients. My clients are dumb. Telling them to login into the router admin page is useless.
07:49 < magicblaze007> I can assume that http ports are open, since they can browse. I'm not sure what else i can assume about my clients.
07:50 < Bushmills> well, it is easy. if outgoing traffic is blocked, or traffic to a specific destination port, there will be no communication.
07:50 < Bushmills> this is not openvpn specific.
07:51 < magicblaze007> Bushmills: I can assume that logmein habachi works on these machines without any problems. 
07:51 < magicblaze007> I've tested it. The only problem with them is the 16 upper limit on the free version. 
07:51 < magicblaze007> + I dont like closed source.. If I can help it.
07:52 < Bushmills> you can assume, if you like, that hamachi works even on a machine with outgoing traffic blocked, but i tell you that it won't be able to talk to another machine then.
07:52 < magicblaze007> absolutely agreed
07:53 < Bushmills> now  s/hamachi/openvpn/, and the same is still true
07:53 < magicblaze007> What I meant was that habachi seems to have no problems with my client machines. They didnt need any configuration to get habachi 5.xxx ips.
07:53 -!- EmperorTom [~EmperorTo@174-30-245-217.mpls.qwest.net] has joined #openvpn
07:53 < magicblaze007> Bushmills: if that is true, that would be cool. 
07:53 < magicblaze007> It seems to me that habachi is esentially maintaining the openvpn server and configuring the client correctly...
07:53 < magicblaze007> That is what I need
07:54 < Bushmills> hardest is probably to learn setting up the CA .. that is, the ssl related authentication stuff.
07:55 < Bushmills> openvpn config itself is just a mere detail after that
07:55 < magicblaze007> Bushmills: have you used habachi ever? Is there a place to get help on that? Seems like their technical people are only available to talk to at a cost...
07:55 < Bushmills> mostly.
07:56 < Bushmills> why would i want to run hamachi when there is openvpn?
07:56 < magicblaze007> have people deployed openvpn for particular application? (which needed networking without nats?)
07:56 < renihs> usually people tend to use it because of old protocoll support, like ipx :)
07:56 < Bushmills> detail "particular application"
07:57 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
07:57 < Bushmills> or the answer will have to be "yes, people have deplyed openvpn for particular application"
07:58 < Bushmills> i also have machines without NAT and with static WAN ip addresses talk to each other through openvpn
07:59 -!- ptman [ptman@pusta.ptman.name] has left #openvpn []
07:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
08:04 < magicblaze007> Bushmills: how many clients can one openvpn server support?
08:04 < Bushmills> depends on traffic, server power, network bandwidth, activity pattern
08:05 -!- luneff [~yury@84.51.195.188] has joined #openvpn
08:05 < magicblaze007> When two machines connect to each other on the vpn, does the traffic go thru the server?
08:05 < renihs> thats an odd question
08:05 < ecrist> magicblaze007: we've seen a practical limit of about 200
08:06 < renihs> magicblaze007, but yes
08:06 < magicblaze007> thanks.
08:06 < ecrist> magicblaze007: yes, all traffic with openvpn goes through the server
08:06 < Bushmills> for a ballpark number, i'd say that 100 clients per server gets it to the point where spreading traffic over several servers may make sense. others would put the number lower, some probably higher.
08:06 < magicblaze007> hmm...I was looking for a solution which is decentralized. The server only helps the clients get connected behind firewalls...then the clients are on their own...
08:06 < magicblaze007> That way the server can scale pretty well..
08:06 < ecrist> try Hamachi
08:07 < magicblaze007> i did
08:07 < ecrist> openvpn isn't your thing
08:07 < magicblaze007> and the only problem i face with hamachi is that once i get two ips, i cant ping each other without putting them in the same network, wierd
08:07 < magicblaze007> ecrist: have you used hamachi?
08:09 < ecrist> nope
08:10 < magicblaze007> why is all traffic routed thru the server on openvpn? 
08:10 < ecrist> because that's how it works.
08:10 < renihs> thats the idea behind it :)
08:10 < ecrist> openvpn creates an ssl tunnel between the clients and server
08:11 < renihs> 1 tunnel, 2 endpoints :)
08:11 < ecrist> not between each individual client.
08:11 < magicblaze007> ah ok
08:12 < magicblaze007> is there code to create tunnels between two endpoints using a third party session initializer somewhere?
08:12 < renihs> if its linux you are talking about, maybe racoon is something for you
08:12 < magicblaze007> i need cross platform
08:14 < ecrist> magicblaze007: afaik, Hamachi does what you need, not sure what/why it didn't work for you.
08:14 < ecrist> you *could* just create end points to each individual system and create a mesh that way
08:16 < Bushmills> though that's more likely to result in a mash, rather than a mesh
08:16 < ecrist> lol
08:17 < magicblaze007> ecrist: The problem is this: Lets say I've machines A and B. I install hamachi on both. They both are assigned 5.xxx addresses. Now I run a webserver on A and try to access it from B. Wont work. 
08:17 < ecrist> dont' know Hamachi, but it sounds like a firewall issue
08:17 < magicblaze007> Unless I put both A and B in a "hamachi network"- they seem not to communicate...unless i was doing something wrong perhaps.
08:17 < ecrist> I'd bet on that.
08:18 < renihs> mammals tend to mess up things
08:18 < magicblaze007> true.  :)
08:20 < magicblaze007> perhaps i could use remote desktop ports and see if that works
08:20 < magicblaze007> instead of running a webserver behind the firewall
08:36 < krzee> [19:06]  <ecrist> not quite as simple as I thought, krzee, but I'll get it figured out.
08:36 < krzee> ecrist, i would think that the code is already there, almost the same code that makes it able to reply to me by handle when we had factoids doing that
08:37 < krzee> just changed to reply to the name after > instead of the person who triggered the command
08:37 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
08:45 -!- mape2k [~jabber@galatea.net.pennewiss.de] has left #openvpn []
08:46 < ecrist> it's simply a matter of mimicing the !tell command, but sending a privmsg to the channel, mentioning the nick, rather than a privmsg to the nick
08:46 < ecrist> as I said, I'll get it, it wasn't as cut-and-dry and I though last night.
08:46 < ecrist> tonight I'll get some Jack and Coke and hammer it out.
08:46 < ecrist> :)
08:47 < theDoc> o/
08:51 -!- EmperorTom [~EmperorTo@174-30-245-217.mpls.qwest.net] has quit [Quit: leaving]
08:52 -!- EmperorTom [~EmperorTo@174-30-245-217.mpls.qwest.net] has joined #openvpn
09:08 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
09:11 -!- thear [~thear@74-92-245-225-Utah.hfc.comcastbusiness.net] has quit [Quit: Leaving]
09:28 < js_> how can i connect two users from the same ip to my openvpn when using static key? right now, when one connects the other one gets disconnected
09:29 < ecrist> you cannot
09:29 < ecrist> static key is only good for 1-to-1 connection
09:30 < js_> oh, i see
09:31 < Bushmills> let one user use the machine of the other as gateway
09:31 <@vpnHelper> RSS Update - forum: Server Administration :: Multiple site connection problem :: Author athensy <https://forums.openvpn.net/viewtopic.php?f=4&t=7346&p=8609#p8609>
09:31 <@dazo> ecrist: you can't use static keys for multi-peer connections?  I think you can
09:32 -!- abeehc [~bob@d207-6-195-163.bchsia.telus.net] has quit [Ping timeout: 264 seconds]
09:32 -!- abeehc [~bob@d207-6-195-163.bchsia.telus.net] has joined #openvpn
09:32 <@dazo> ecrist: it's all about --mode .... if mode is p2p or server
09:33 <@dazo> (from security perspective, it's not advisable though)
09:33 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 240 seconds]
09:34 < ecrist> dazo: I don't think you can.  I'm bound to be wrong eventually
09:35 < ecrist> I think you cannot use --staic and --server in the same config
09:35 <@dazo> ecrist: not --server .... --mode server
09:35 <@dazo> --server is a "macro" 
09:35 <@dazo> --server == --mode server + --tls-server (which conflicts with --static)
09:35 < ecrist> js_: give that a try
09:36 <@dazo> plus a lot of more things
09:36  * ecrist turns in his badge and gun
09:37  * dazo wonders if that's good or bad ....
09:37 < js_> just two clients here, so i made two configs instaed :)
09:37 < js_> instead*
09:39 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
09:43 -!- sno_ is now known as sno
09:47 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
09:48 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving]
09:48 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Read error: Operation timed out]
09:58 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 265 seconds]
10:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
10:10 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
10:15 -!- Munksgaard [~Munksgaar@mail.powersense.dk] has quit [Quit: Leaving]
10:17 -!- assassinsppadic is now known as Directorsppadic
10:29 -!- oracle_ [~o2@unaffiliated/spice] has joined #openvpn
10:32 -!- oracle [~o2@unaffiliated/spice] has quit [Ping timeout: 255 seconds]
10:38 -!- Directorsppadic [~sonupunno@88.211.55.77] has left #openvpn []
10:44 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
10:51 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
10:54 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
11:01 -!- extor [~extor@c-76-16-36-19.hsd1.il.comcast.net] has joined #openvpn
11:20 -!- EdwardIII [edward@unaffiliated/edward123] has left #openvpn ["Leaving"]
11:24 -!- oracle_ is now known as oracle
11:47 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has quit [Ping timeout: 276 seconds]
12:12 -!- unspin [~unspin@S0106001451226d9c.vc.shawcable.net] has joined #openvpn
12:16 <@vpnHelper> RSS Update - pastebin: Someone <http://pastebin.ca/2008769>
12:17 -!- luneff [~yury@84.51.195.188] has joined #openvpn
12:17 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 255 seconds]
12:17 -!- unspin [~unspin@S0106001451226d9c.vc.shawcable.net] has quit [Quit: Leaving]
12:17 -!- unspin [~unspin@S0106001451226d9c.vc.shawcable.net] has joined #openvpn
12:18 -!- luneff [~yury@84.51.195.188] has quit [Read error: Connection reset by peer]
12:21 -!- krzie [~k@openvpn/community/support/krzee] has quit [Ping timeout: 272 seconds]
12:27 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
12:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
12:30 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Remote host closed the connection]
12:30 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
12:34 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
12:34 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
12:37 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
12:38 -!- p3rror [~mezgani@41.248.104.33] has quit [Ping timeout: 276 seconds]
12:40 -!- steelnwool1 [~Adium@blk-30-130-240.eastlink.ca] has joined #openvpn
12:40 < steelnwool1> Is tehre a way to make the gui client remember the password?
12:41 < ecrist> !savepassword
12:41 < ecrist> !factoids search password
12:41 <@vpnHelper> "password-only" is http://openvpn.net/archive/openvpn-users/2004-10/msg00418.html
12:41 < ecrist> !factoids search pass
12:41 <@vpnHelper> 'winpass', '2.1-winpass-script', 'authpass', and 'password-only'
12:41 < ecrist> !winpass
12:41 <@vpnHelper> "winpass" is openvpnGUI for windows has a change password feature that will change the passphrase on your .key files
12:41 < ecrist> steelnwool1: you need a compiled version with --enable-password-save or somesuch
12:41 < steelnwool1> okay. I'll just tell her to remember her fucking password.
12:41 < steelnwool1> tks :)
12:42 < ecrist> lol
12:42 < ecrist> np
12:43 -!- steelnwool1 [~Adium@blk-30-130-240.eastlink.ca] has left #openvpn []
12:49 < krzee> ecrist, !pwfile
12:49 < krzee> and password only is in !authpass
12:52 -!- p3rror [~mezgani@41.140.25.6] has joined #openvpn
12:54 < ecrist> ah
13:00 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
13:23 -!- luneff [~yury@84.51.205.82] has joined #openvpn
13:23 -!- unspin [~unspin@S0106001451226d9c.vc.shawcable.net] has quit [Ping timeout: 255 seconds]
13:24 -!- powerunits [~aa@119.152.229.190] has joined #openvpn
13:28 < powerunits> guys i installed openvpn on windows ... i can connect the client but i can't ping windows openvpn IP address
13:28 < powerunits> do u know wht could be the reason..
13:28 < powerunits> even windows firewall is off
13:29 < Cmdr_W_T_Riker> powerunits: can you clarify whichever is the server and client?
13:29 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 260 seconds]
13:30 < powerunits> Cmdr_W_T_Riker: wht do u mean by ?
13:30 < powerunits> please can express ?
13:31 < Cmdr_W_T_Riker> powerunits: are you running openvpn as a server on your windows box?
13:31 < powerunits> i m running openvpn server in windows server.
13:31 < powerunits> and i have configure openvpv client on win XP
13:32 < Cmdr_W_T_Riker> okay, you said you're connected. have you studied the log files?
13:32 < Cmdr_W_T_Riker> does your client get an IP from the openvpn server?
13:32 < powerunits> logs said i m connected with openvpn server and it shows me my IP address
13:32 < powerunits> yes
13:33 < Cmdr_W_T_Riker> can the server ping the client?
13:33 < powerunits> nop
13:34 < Cmdr_W_T_Riker> powerunits: ipconfig on xp shows it got an IP, yes?
13:35 < powerunits> yes
13:35 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
13:35 < Cmdr_W_T_Riker> strange
13:36 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 255 seconds]
13:37 < powerunits> any help?
13:38 < Bushmills> be more detailed about what you do when you say "can't ping windows openvpn IP address"
13:38 < Cmdr_W_T_Riker> powerunits: have you tried rdp or opening a share instead of ping?
13:42 < powerunits> nothing is working
13:42 < powerunits> i have tried RDP and shre files as well
13:43 < Cmdr_W_T_Riker> powerunits: if i were you i would have another close look at the openvpn log files
13:43 < powerunits> let me show u logs please give 1  min
13:43 < powerunits> thanks
13:51 < powerunits> http://pastebin.com/JkZfB8i3
13:53 < powerunits> i can ping windows server local IP address 
13:54 < powerunits> but i can't ping VPN server IP address
13:54 < powerunits> http://www.runpcrun.com/howtoopenvpn
13:54 <@vpnHelper> Title: OpenVPN Windows HowTo | runPCrun - IT Support for London (at www.runpcrun.com)
13:54 < powerunits> i have follow this example to install openvpn server in windoes
13:56 < Bushmills> did you read "route addition failed using CreateIpForwardEntry: One or more arguments are not correct.   [if_index=21]"  in your log file?
13:56 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
13:57 < powerunits> let me see
13:57 < Bushmills> and  "Thu Dec 02 11:48:32 2010 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:2: topology (2.0.9)"
13:57 < ecrist> we don't support 2.0.9 any longer
13:57 < powerunits> humm 
13:58 < Bushmills> maybe you could have looked at the logs yourself before pasting them
13:58 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has joined #openvpn
13:58 < powerunits> yup i shoudl... i m fool i just saw last few line
13:58 < powerunits> that its in connected
13:58 < powerunits> sorry
13:59 < powerunits> which ver should i try?
13:59 -!- oracle [~o2@unaffiliated/spice] has quit [Ping timeout: 272 seconds]
13:59 < powerunits> http://swupdate.openvpn.net/community/releases/openvpn-2.1.3-install-win2k.exe
13:59 < powerunits> shall i try this one?
14:01 -!- oracle [~o2@unaffiliated/spice] has joined #openvpn
14:10 -!- nijotz [~nick@72.14.181.106] has quit [Quit: nijotz]
14:19 < powerunits> guys please have a look on my server logs
14:19 < powerunits> http://pastebin.com/K2Y0QaKq
14:20 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:20 < powerunits> i don't see any errors in it
14:20 < powerunits> but still just to make sure
14:20 < powerunits> please can u checkl
14:21 < powerunits> i have used openvpn-2.1.3 server but still i m getting 
14:21 < powerunits> Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:2: topology (2.0.9)
14:21 < powerunits> msg on client
14:21 < powerunits> how can i solve it please guide. thanks
14:25 < powerunits> ? plz
14:26 < powerunits> got it work
14:26 < powerunits> thanks
14:26 < powerunits> i changed clint ver as well
14:34 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 260 seconds]
14:34 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
14:34 -!- smerz [~smerz@smerz.demon.nl] has quit [Ping timeout: 245 seconds]
14:38 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
14:46 < krzee> powerunits, upgrade your openvpn =]
14:47 < krzee> ahh nm you did
14:48 < ecrist> powerunits: if you are running 2.1+, you won't get that message.
14:49 < ecrist> you need to run 2.1+ EVERYWHERE to use --topology
14:49 -!- blink [~blink@reality.is-after.me] has left #openvpn []
14:54 -!- pyther [~pyther@unaffiliated/pyther] has quit [Quit: Lost terminal]
14:57 < powerunits> krzee= every thing seems to be working 
14:57 < powerunits> fine
14:58 < powerunits> on windows vpn client i can get ping ..
14:58 < powerunits> on linux machine i can get ping ... 
14:58 < powerunits> but when i connect clinet from linux i get this message on server logs
14:58 < powerunits> http://pastebin.com/uF6XGCDM
14:59 -!- \ottizen [kottizen@unaffiliated/icanhasfreenode] has joined #openvpn
14:59 < \ottizen> Hi, I just installed OpenVPN om my Debian VPS. When I enter the web administration panel and click "Start the server", I get the following error: 
15:00 < \ottizen> http://simplest-image-hosting.net/jpg-0-plasma-desktopjs1777
15:00 <@vpnHelper> Title: Image plasma-desktopjs1777.jpg - Simplest Image Hosting (at simplest-image-hosting.net)
15:00 -!- mikkel [~mikkel@80.71.132.15] has joined #openvpn
15:02 < powerunits> ecrist, krzee: these message are comming again and again on server machine
15:02 < powerunits> logs
15:20 -!- nettie [~nettie@stewie.freax.it] has quit [Ping timeout: 250 seconds]
15:24 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
15:26 <@dazo> powerunits: have you upgraded to 2.1?
15:31 <@dazo> \ottizen: you seem to have restrictions added by your VPS provider ... those error is not openvpn related at all
15:31 < \ottizen> I see. Thank you!
15:31 < powerunits> @dazo: sorry for late reply 
15:31 < powerunits> yes i did upgrade server and client to 2.1
15:32 -!- nijotz [~nick@72.14.181.106] has joined #openvpn
15:32 <@dazo> okay, then that warning you see is most probably harmless ... it might be you have some packets getting duplicated or coming in the wrong order, and that will trigger those warnings
15:33 <@dazo> powerunits: so ... I'd probably recommend you to read up on --no-replay and --replay-window in the man page ... they should explain pretty nicely what's happening and why you see these messages
15:34 -!- nijotz [~nick@72.14.181.106] has quit [Client Quit]
15:34 -!- nijotz [~nick@72.14.181.106] has joined #openvpn
15:35 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
15:35 < powerunits> humm
15:35 < powerunits> let me see
15:36 -!- nijotz [~nick@72.14.181.106] has quit [Client Quit]
15:37 -!- nijotz [~nick@72.14.181.106] has joined #openvpn
15:45 < powerunits> @dazo: what do u mean by to read up on --no-replay and --replay-window in the man page ??
15:45 < powerunits> i didn't get it
15:45 <@dazo> !man
15:45 <@vpnHelper> "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
15:49 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has quit [Ping timeout: 265 seconds]
15:51 -!- s7r [~s7r@178.86.6.44] has joined #openvpn
15:52 < Bushmills> "read on" related to "reading", "to read":  http://scarydevilmonastery.net/wordnet.cgi?read  and    http://scarydevilmonastery.net/dict.cgi?read
15:52 <@vpnHelper> Title: wordnet lookup (at scarydevilmonastery.net)
15:54 < Bushmills> http://scarydevilmonastery.net/wordnet.cgi?read
15:54 <@vpnHelper> Title: wordnet lookup, specifically for powerunits (at scarydevilmonastery.net)
15:54 < Bushmills> :D
15:55 <@dazo> lol
15:56 -!- Sky[xx] [~SkyB0x@212.235.177.25] has joined #openvpn
15:56 -!- dazo is now known as dazo_afk
15:56 < powerunits> @dazo: i could not find any hint to stop these messages :(
15:59 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
16:02 -!- powerunits [~aa@119.152.229.190] has quit []
16:06 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Read error: Connection reset by peer]
16:11 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
16:16 -!- Sky[xx] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
16:17 -!- WinstonSmith [~true@e179003105.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
16:20 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Read error: Operation timed out]
16:20 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
16:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
16:29 -!- buntfalke_ [~nobody@openvpn-p0-ipv6-1014.triple-a.uni-kl.de] has joined #openvpn
16:29 -!- buntfalke_ [~nobody@openvpn-p0-ipv6-1014.triple-a.uni-kl.de] has quit [Changing host]
16:29 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
16:36 -!- s7r [~s7r@178.86.6.44] has quit [Quit: Leaving.]
16:38 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
16:39 -!- \ottizen [kottizen@unaffiliated/icanhasfreenode] has left #openvpn []
16:40 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has joined #openvpn
16:46 -!- DarthGandalf [somebody@shellium/developer/darthgandalf] has quit [Read error: Connection reset by peer]
16:53 -!- pushpop [~marc@pool-173-77-222-236.nycmny.fios.verizon.net] has quit [Ping timeout: 240 seconds]
16:56 -!- mikkel [~mikkel@80.71.132.15] has quit [Quit: Leaving]
16:58 -!- pushpop [~marc@pool-173-77-222-236.nycmny.fios.verizon.net] has joined #openvpn
17:02 <@vpnHelper> RSS Update - pastebin: Miscellany <http://pastebin.ca/1999893>
17:02 -!- s7r [~s7r@178.86.6.44] has joined #openvpn
17:05 < reiffert> 00:02 <@vpnHelper> RSS Update - pastebin: Miscellany <http://pastebin.ca/1999893>
17:05 < reiffert> thats not a valid id. whats going on here?
17:06 < tessier_> Question for everyone: I had 158 packets rejected on my firewall from a VPN user trying to do what looks like a udp port 4321 scan of the VPN network. Only 158 destination IPs though, not the whole /24.
17:06 < tessier_> Nov 29 15:25:10 officefw kernel: Shorewall:FORWARD:REJECT:IN=tun0 OUT=tun0 SRC=192.168.10.38 DST=192.168.10.5 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=23323 PROTO=UDP SPT=4407 DPT=4321 LEN=20
17:06 < tessier_> The user says he was on a different machine on his home network, not the VPN connected machine, doing some stuff with ARP in a script.
17:07 < tessier_> Unclear exactly what he was doing with arp. How could that possibly result in UDP packets to 4321 being sent out over the VPN network?
17:08 < reiffert> tessier_: short answer: you cant tell.
17:08 < tessier_> ah
17:08 < reiffert> Protocol / Name: rwhois
17:08 < tessier_> He just figured it out. Zend Development Studio broadcasts license info on that port.
17:08 < tessier_> Thanks anyway! :)
17:09 < reiffert> ah well, whatever it is he found while using google just to keep your mouth shut :)
17:10 -!- luneff [~yury@84.51.205.82] has quit [Ping timeout: 240 seconds]
17:16 -!- nettie [~nettie@stewie.freax.it] has joined #openvpn
17:21 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:23 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has quit [Read error: Connection reset by peer]
17:31 -!- s7r [~s7r@178.86.6.44] has left #openvpn []
17:40 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
17:48 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
17:48 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
17:48 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
17:48 -!- coppermine [~coppermin@2a02:750:5::590] has joined #openvpn
17:48 < coppermine> if i need to access my home network from remote and use local subnet ips i.e 192.168.x.x, I setup an openvpn server at home and connect to it remotely and push the local subnet?
17:49 < reiffert> !route
17:49 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:50 < coppermine> if i have an openvpn connection setup allready with my home  network, can i connect to that one? and push the subnet? instgead of creating a new one
17:52 -!- coppermine [~coppermin@2a02:750:5::590] has quit [Client Quit]
18:03 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
18:07 -!- coppermine [~coppermin@2a02:750:5::590] has joined #openvpn
18:07 < coppermine> my tunnel is established allready i run
18:07 < coppermine> route add -net 192.168.168.0 255.255.255.0 tun0
18:07 < coppermine> but it gives me the usage help
18:08 < coppermine> missing gateway
18:15 < krzie> coppermine, 
18:15 < coppermine> yes
18:15 < krzie> are you asking if you can connect a clientlan?
18:15 < coppermine> no
18:16 < coppermine> my existing connection openvpn
18:16 < coppermine> im on the server now
18:16 < coppermine> im adding
18:16 < coppermine> route del -net 192.168.168.0/24 gateway 10.8.0.2 dev tun0
18:16 < coppermine> but it wont take the getway
18:16 < coppermine> ip
18:16 < coppermine> SIOCDELRT: No such process
18:16 < krzie> route del...
18:16 < coppermine> if i dont tell it a gateway it takes the wrong one
18:16 < |Mike|> windows?
18:16 < coppermine> gentoo
18:16 < krzie> you want add
18:16 < coppermine> oh right
18:16 < coppermine> i didnt chanfge that lol
18:17 < |Mike|> cupcake alert.
18:17 < coppermine> :)
18:17 < coppermine>  ping 192.168.168.1
18:17 < coppermine> PING 192.168.168.1 (192.168.168.1) 56(84) bytes of data.
18:17 < coppermine> no ping :(
18:17 < coppermine> but it took the command
18:17 < coppermine> route
18:17 < coppermine> 192.168.168.0   10.8.0.2        255.255.255.0   UG    0      0        0 tun0
18:17 < |Mike|> krzie: https://www.wickedleaks.nl/2010/12/honden-in-de-sneeuw/
18:17 < krzie> why dont you let openvpn make the route
18:17 <@vpnHelper> Title: Honden in de sneeuw | Mike Huijerjans his blog (at www.wickedleaks.nl)
18:18 < coppermine> krzie: i tried, freezes the connection
18:18 < |Mike|> coppermine: even if you push them?
18:18 < coppermine> yes
18:18 < coppermine> push and route
18:18 < coppermine> in .conf
18:18 < coppermine> and restart both ends
18:19 < coppermine> wait
18:19 < coppermine> i cant ping 10.8.0.2
18:19 < coppermine> thats weird
18:19 < coppermine> isnt that my gateway
18:19 < krzie> umm
18:20 < coppermine> its a virtual ip
18:20 < krzie> whose lan do you want to reach?
18:20 < coppermine> hmm
18:20 < coppermine> mine
18:20 < krzie> the one behind client or server
18:20 < coppermine> client
18:20 < coppermine> from server
18:20 < krzie> [20:15]  <krzie> are you asking if you can connect a clientlan?
18:20 < krzie> [20:15]  <coppermine> no
18:20 -!- tessier_ [~treed@mail.copilotco.com] has quit [Changing host]
18:20 -!- tessier_ [~treed@kernel-panic/copilotco] has joined #openvpn
18:20 < krzie> the correct answer was yes
18:20 < krzie> :-p
18:20 < coppermine> :)
18:20 < krzie> !clientlan
18:20 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a
18:20 <@vpnHelper> better explanation
18:20 < coppermine> ip_forwards maybe not on client
18:21 < krzie> check each of those
18:21 < coppermine> echo "1" > /proc/sys/net/ipv4/ip_forward
18:21 < coppermine> have that on server
18:21 < coppermine> let me check lcient
18:21 < krzie> did you make a ccd file with iroute?
18:21 < krzie> on the server
18:21 < coppermine> client has 1 too in ipforward
18:21 < krzie> and enabled client-config-dir on the server to make the above work...
18:21 < coppermine> so thats not it
18:21 < coppermine> no i dont use that
18:22 < krzie> well then it wont work :-p
18:22 < krzie> see this
18:22 < krzie> !route
18:22 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:22 < krzie> in that i explain what those options are, and how to use them'
18:22 < coppermine> cool
18:22 < coppermine> thanks
18:22 < krzie> np
18:22 -!- coppermine [~coppermin@2a02:750:5::590] has quit [Quit: Lost terminal]
18:23 -!- coppermine [~coppermin@2a02:750:5::590] has joined #openvpn
18:23 < coppermine> is it because im using ush "redirect-gateway def1"
18:24 < coppermine> on server
18:24 < coppermine> not compatible?
18:24 < coppermine> so it uses the default gateway all the time
18:24 < coppermine> regardless of what i tell it in route
18:25 < coppermine> and i didnt have client-to-client in there
18:25 < coppermine> is that required
18:25 < coppermine> according to docs yes
18:25 < coppermine> also
18:25 < coppermine> i dont have "iroute"
18:26 < coppermine> just "route" or "ip route"
18:26 < coppermine> wheres iroute
18:30 < krzie> hehe
18:30 < krzie> !iroute
18:30 -!- kerfe [~a@230.pool85-60-130.dynamic.orange.es] has quit [Ping timeout: 245 seconds]
18:30 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
18:30 < coppermine> ok i got further
18:30 < coppermine> i put it on server.conf
18:30 < coppermine> doesnt free
18:30 < coppermine> and adds it in route
18:30 < krzie> dude
18:30 < coppermine> still cant ping yet
18:31 < krzie> stop testing, it wont work until you figured out iroute
18:31 < krzie> !ccd
18:31 <@vpnHelper> "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
18:31 < krzie> if you actually READ my doc it should be clear what to do
18:31 < coppermine> i just hate ccd
18:31 < krzie> too bad
18:32 < krzie> its not optional for this
18:32 < coppermine> allright
18:32 -!- coppermine [~coppermin@2a02:750:5::590] has quit [Quit: leaving]
18:41 -!- coppermine [~coppermin@2a02:750:5::590] has joined #openvpn
18:41 < coppermine> ok i understand ccd now but it doesnt owkr
18:41 < coppermine> i created /etc/openvpn/ccd dir
18:41 < coppermine> i created CN-file in ccd
18:42 < coppermine> with iproute command
18:42 < coppermine> restarted
18:42 < coppermine> and cant ping
18:42 < coppermine> i got the CN from openvpn.log on client
18:42 < coppermine> in CN field
18:43 < coppermine> Thu Dec  2 19:40:47 2010 us=691774 WARNING: potential route subnet conflict between local LAN [192.168.168.0/255.255.255.0] and remote VPN [192.168.168.1/255.255.255.255]
18:43 < coppermine> hmmm
18:43 < |Mike|> lol
18:43 < |Mike|> conflicts are neat.
18:44 < coppermine> 192.168.168.0   *               255.255.255.0   U     0      0        0 eth0
18:44 < coppermine> 192.168.168.1   10.8.0.9        255.255.255.255 UGH   0      0        0 tun0
18:44 < coppermine> first is my normal router
18:44 < coppermine> second is the vpn entry
18:44 < coppermine> both on client
18:44 < coppermine> its confused
18:45 < coppermine> but i need both
18:45 < coppermine> it needs to get to the router
18:46 < coppermine> i dont think this is the problem though
18:46 < coppermine> its only a warning
18:47 < coppermine> gonna traceroute
18:48 < coppermine> doesnt go anywhere
18:48 < krzie> dude
18:48 < coppermine> i read the doc
18:48 < krzie> for some reason i dont think you really did
18:48 < coppermine> i did every step
18:48 < krzie> !configs
18:48 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
18:59 < krzie> ok, or not
19:05 -!- coppermi1e [~coppermin@2a02:750:5::590] has joined #openvpn
19:05 < coppermi1e> im not doing anything wrong, the thing is the docs say put the commands in server.conf but in my case i want to PUSH the client ip to the server
19:05 < coppermi1e> it should be the other way around
19:06 < krzie> !configs
19:06 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
19:06 < coppermi1e> no, i dont want an answer
19:06 < coppermi1e> i want to understand
19:06 < krzie> dunno what you dont understand til i see your configs
19:06 < krzie> lol
19:06 < coppermi1e> allright hang on
19:07 < coppermi1e> can i hide some ips?
19:07 < coppermi1e> servers
19:09 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 245 seconds]
19:11 < coppermi1e> http://pastebin.com/y7iNncRk
19:11 -!- coppermine [~coppermin@2a02:750:5::590] has quit [Quit: Lost terminal]
19:11 -!- coppermi1e is now known as coppermine
19:12 -!- Deathvalley122 [~Death@unaffiliated/deathvalley122] has joined #openvpn
19:13 -!- coppermi1e [~coppermin@2a02:750:5::590] has joined #openvpn
19:13 < coppermi1e> krzie: see, its pushing 192.168.168.1 back on the client
19:13 < coppermi1e> i dont need that
19:13 < coppermi1e> i want it pushed on the server
19:13 < krzie> because your iroute isnt being read
19:13 < krzie> on line 60 you say where the file is
19:13 < coppermi1e> why not?
19:14 < coppermi1e> i have ccd/cn
19:14 < coppermi1e> client-config-dir /etc/openvpn/ccd/
19:14 < coppermi1e> thats right isnt it
19:14 < krzie> does nobody/nobody have access to read the files?
19:14 < coppermi1e> path to ccd dir
19:14 < coppermi1e> dont think so i
19:14 < coppermi1e> its root:root
19:14 < krzie> but you drop permissions
19:14 < krzie> make sure nobody can READ it
19:14 < coppermi1e> ok
19:14 < krzie> doesnt need to write
19:15 < coppermi1e> its fine allready
19:15 < coppermi1e> has o+r
19:15 < coppermi1e> the file
19:15 < krzie> and the file inside?
19:15 < coppermi1e> yes
19:15 < coppermi1e> the ccd and the file inside ccd
19:16 < coppermi1e> thing is, not sure what my real CN is, there's 2 CN lines in openvpn.log
19:16 < coppermi1e> so i created 2 files
19:16 < coppermi1e> to make sure
19:16 < krzie> heh
19:16 < coppermi1e> with same info
19:16 < krzie> post logs
19:16 < coppermi1e> ok
19:16 < krzie> can hide IPS, but nothing else
19:16 < krzie> verb 4
19:17 < coppermi1e> WRThu Dec  2 20:12:19 2010 us=631585 TLS: Initial packet from [AF_INET]184.106.129.151:11194, sid=bf5f6a99 11b54e96
19:17 < coppermi1e> WWWWRRRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRThu Dec  2 20:12:19 2010 us=809337 VERIFY OK: depth=1, /C=CA/ST=Quebec/L=Montreal/O=rdp/CN=rdp_CA/emailAddress=cizzi@mail13.dyndns.org
19:17 < coppermi1e> let me paste second
19:17 < coppermi1e> first CN
19:17 < coppermi1e> its not there anymore
19:17 < coppermi1e> jus that one
19:17 < coppermi1e> so my CN name i put rdp_CA as a filename
19:18 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
19:18 < |Mike|> heh
19:18 < coppermi1e> so i ahve /etc/openvpn/ccd/rdp_CA
19:18 < coppermi1e> with iproute command insinde that
19:19 < coppermi1e> like I said before, i think its cause im not pushing the right direction
19:19 < coppermi1e> but i cant put the info in client.conf
19:19 < coppermi1e> wont start
19:21 < coppermi1e> so i followed the docs
19:21 < coppermi1e> dont know what else to do
19:22 < coppermi1e> see this is weird
19:22 < coppermi1e> on client i have this in route
19:22 < coppermi1e> 192.168.168.1   10.8.0.9        255.255.255.255 UGH   0      0        0 tun0
19:22 < coppermi1e> so it comes on client, and cleint sends it back in the tunnel
19:22 < coppermi1e> doesnt make sense
19:23 < coppermi1e> becauyse im using default gw redirect
19:23 < coppermi1e> so anything is redirectyed back t o the server
19:23 < Bushmills> why do your local subnet and the vpn subnet overlap?
19:23 < coppermi1e> loop
19:23 < coppermi1e> because im trying to use my existing vpn tunnel to push the client subnet to the server
19:24 < Bushmills> nm, they don't. looked like it when i glimpsed at what you pasted earlier on
19:24 < coppermi1e> i'll just set up a new vpn connection
19:24 < coppermi1e> on a different machine
19:24 < coppermi1e> but it will always go to the router
19:25 < coppermi1e> which will redriect traffic to server
19:28 -!- coppermi1e [~coppermin@2a02:750:5::590] has quit [Quit: leaving]
19:28 < krzie> coppermine, does 192.168.168.1 have a route back to the vpn...?
19:29 -!- coppermine [~coppermin@2a02:750:5::590] has quit [Quit: Lost terminal]
20:04 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
20:09 <@vpnHelper> RSS Update - forum: Wishlist :: Re: Statistics Offloading :: Reply by shopno11 <https://forums.openvpn.net/viewtopic.php?f=10&t=2413&p=8610#p8610>
20:17 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 245 seconds]
20:26 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
20:45 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
20:46 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
20:54 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
21:03 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Read error: Connection timed out]
21:04 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
21:07 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
21:13 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has joined #openvpn
21:42 -!- daemon [foobar@serial.daemonrage.net] has quit [Ping timeout: 276 seconds]
21:47 -!- daemon [~daemon@serial.daemonrage.net] has joined #openvpn
21:47 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
21:47 < pyther> Hello
21:47 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined #openvpn
21:47 < pyther> Does will the openvpn gui client prompt for a username + password?
21:53 -!- Klem__ [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has quit [Ping timeout: 265 seconds]
22:05 < ecrist> it will, if required
22:07 -!- Klem__ [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has joined #openvpn
22:10 < pyther> ecrist: cool thanks
22:10 < ecrist> np
22:33 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: Connections bypassing OpenVPN? :: Author VPNner <https://forums.openvpn.net/viewtopic.php?f=15&t=7347&p=8611#p8611>
22:38 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:39 -!- pyther [~pyther@unaffiliated/pyther] has quit [Ping timeout: 272 seconds]
23:06 -!- noogenesis [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has quit [Ping timeout: 260 seconds]
23:08 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
23:10 -!- W0rmF00d [~wormfood@183.39.107.104] has joined #openvpn
23:11 -!- WormFood [~wormfood@183.39.105.91] has quit [Disconnected by services]
23:11 -!- W0rmF00d is now known as WormFood
23:13 -!- tjz [~pc@bb116-14-149-10.singnet.com.sg] has joined #openvpn
23:13 -!- tjz [~pc@bb116-14-149-10.singnet.com.sg] has quit [Changing host]
23:13 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
23:19 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Ping timeout: 265 seconds]
23:47 -!- mattock1 [~samuli@dyn55-11.yok.fi] has joined #openvpn
23:47 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
--- Day changed Fri Dec 03 2010
00:00 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Excess Flood]
00:00 -!- LowKey [rhel@unaffiliated/lowkey] has joined #openvpn
00:19 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
00:33 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
00:33 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
00:33 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
00:34 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Excess Flood]
00:34 -!- LowKey [rhel@unaffiliated/lowkey] has joined #openvpn
00:43 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
00:56 -!- krzie [~k@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
01:12 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
01:23  * Essobi glares at UnterPerro.
01:23 < UnterPerro> oh snap
01:23 < Essobi> Hehehe
01:37 -!- mape2k [~jabber@galatea.net.pennewiss.de] has joined #openvpn
01:44 -!- mape2k_2 [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined #openvpn
01:48 -!- mape2k_2 [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Client Quit]
03:09 -!- dazo_afk is now known as dazo
03:16 -!- kerfe [~a@230.pool85-60-130.dynamic.orange.es] has joined #openvpn
03:18 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
03:19 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
03:43 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: YAY! \o/]
03:47 -!- master_of_master [~master_of@p57B538B6.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
03:48 -!- noisebleed [~quassel@kermit.inescn.pt] has joined #openvpn
03:48 -!- noisebleed [~quassel@kermit.inescn.pt] has quit [Changing host]
03:48 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
03:49 -!- master_of_master [~master_of@p57B54AB9.dip.t-dialin.net] has joined #openvpn
03:59 -!- macsppadic [~sonupunno@88.211.55.77] has joined #openvpn
04:06 -!- johest [~johest@opensuse/member/johest] has joined #openvpn
04:07 < johest> hi there, is there anyway to get the status of the openvpn server via commandline
04:19 < macsppadic> morning johest 
04:19 < hyper_ch> define status
04:19 -!- common- [~common@p5DDA481F.dip0.t-ipconnect.de] has joined #openvpn
04:19 < macsppadic> i believe if ur running management then status command will do the trick 
04:19 < macsppadic> as hyper_ch mentions 
04:19 -!- common [~common@p5DDA498F.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
04:19 -!- common- is now known as common
04:19 < hyper_ch> ps aux | grep openvpn
04:20 < johest> okay, i see, i will look further in that direction , thy so far
04:20 < macsppadic> johest: http://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html
04:21 <@vpnHelper> Title: Management Interface (at openvpn.net)
04:22 < johest> coo, thats it thx macsppadic 
04:22 < macsppadic> np johest 
04:23 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
04:56 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
04:56 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
04:56 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:43 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Remote host closed the connection]
05:50 -!- pyther [~pyther@adsl-99-37-208-222.dsl.bcvloh.sbcglobal.net] has joined #openvpn
05:50 -!- pyther [~pyther@adsl-99-37-208-222.dsl.bcvloh.sbcglobal.net] has quit [Changing host]
05:50 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
05:58 -!- atan [~atan@unaffiliated/atan] has quit [Quit: null]
06:19 -!- grapsus [~grapsus@acces1219.res.insa-lyon.fr] has joined #openvpn
07:03 -!- luneff [~yury@84.51.205.82] has joined #openvpn
07:09 -!- raidzx [~Andrew@2002:adc0:e0ad::adc0:e0ad] has joined #openvpn
07:09 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has quit [Read error: Connection reset by peer]
07:09 -!- magicblaze007 [~magicblaz@67.237.112.232] has quit [Read error: Connection reset by peer]
07:10 -!- magicblaze007 [~magicblaz@67.237.112.232] has joined #openvpn
07:43 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn
07:57 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
08:03 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
08:17 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
08:36 -!- mape2k [~jabber@galatea.net.pennewiss.de] has left #openvpn []
08:42 -!- WinstonSmith [~true@e179005146.adsl.alicedsl.de] has joined #openvpn
08:48 <@vpnHelper> RSS Update - pastebin: Anonymous <http://pastebin.ca/2009607>
08:50 -!- bitterman [~yury@84.51.205.82] has joined #openvpn
08:51 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
08:53 -!- luneff [~yury@84.51.205.82] has quit [Ping timeout: 245 seconds]
08:54 <@vpnHelper> RSS Update - pastebin: OS X keychain patch <http://pastebin.ca/2009618>
08:56 -!- adawda [~awda@p4FDC3FD0.dip.t-dialin.net] has joined #openvpn
08:56 < adawda> !welcome
08:56 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:56 < adawda> !logs
08:56 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin
08:57 < adawda> !configs
08:57 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
08:57 < adawda> !goal
08:57 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:59 <@vpnHelper> RSS Update - pastebin: Stuff <http://pastebin.ca/2009622>
09:01 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has quit [Read error: Connection reset by peer]
09:01 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn
09:01 -!- mode/#openvpn [+o ecrist] by ChanServ
09:02 -!- mode/#openvpn [-o ecrist] by ecrist
09:05 < adawda> Alright, so I'm on ubuntu 10.10 and paying for VPN service @ vpntunnel.se (so I don't have access to any server configs or logs). I'm using it to encrypt my traffic and to bypass all NAT-related port-forwarding stuff by getting my own IP. Problem is described here, also added some logs. http://ubuntuforums.org/showthread.php?p=10191293#post10191293 Just updated to 2.2-beta3, but the error remains the same.
09:05 <@vpnHelper> Title: [ubuntu] OpenVPN issues - Ubuntu Forums (at ubuntuforums.org)
09:06 < adawda> it works fine in windows though
09:06 < adawda> no problems there at all
09:08 -!- darth_bitterman [~yury@84.51.205.82] has joined #openvpn
09:11 -!- bitterman [~yury@84.51.205.82] has quit [Ping timeout: 240 seconds]
09:11 -!- luneff [~yury@84.51.205.82] has joined #openvpn
09:12 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:15 -!- darth_bitterman [~yury@84.51.205.82] has quit [Ping timeout: 276 seconds]
09:20 < oracle> there is a reason other than simplicity in why i prefer static keys
09:21 < oracle> it has to do with how network traffic is obscured from easy identification
09:21 < oracle> which is very cool
09:24 < ecrist> adawda: are you using Network Manager?
09:28 -!- luneff [~yury@84.51.205.82] has quit [Quit: Leaving]
09:30 <@dazo> oracle: static keys only have the simplicity as an advantage compared against PKI (key/certs) ... PKI is much more robust, flexible and scalable
09:33 < adawda> ecrist yeah network-manager definitely has some extra flaws in it.. so doing it manually right now.
09:33 < ecrist> :)
09:33 < ecrist> !ubuntu
09:33 <@vpnHelper> "ubuntu" is dont use network manager!
09:34 < adawda> ^^ ... it's easier that way though! :P ... no need for entering passwords, all my VPN connections in one spot... etc.
09:34 < ecrist> yeah, but it's broken as hell
09:34 < adawda> it worked just fine with my old vpn provider ;)
09:35 < adawda> whatever
09:35 < adawda> rjd_ hooked me up with a VPN, going to give that a good spin now, see what errors my computer decides to come up with :P
09:36 < adawda> later!
09:36 -!- adawda [~awda@p4FDC3FD0.dip.t-dialin.net] has quit [Quit: Suck on my dick while I fuck that ass, HEY!]
09:37 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
09:37 < rjd_> welcome :)
09:39 -!- grapsus [~grapsus@acces1219.res.insa-lyon.fr] has quit [Remote host closed the connection]
09:42 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
09:57 -!- johest [~johest@opensuse/member/johest] has quit [Quit: Verlassend]
09:58 -!- adawda [~awda@p4FDC3FD0.dip.t-dialin.net] has joined #openvpn
10:06 -!- adawda [~awda@p4FDC3FD0.dip.t-dialin.net] has quit [Quit: Suck on my dick while I fuck that ass, HEY!]
10:08 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
10:11 < oracle> is there an easy setup for a lan on openvpn
10:11 < oracle> if i want, say, 5000 clients on one vpn server having all other 5000 machines accessible from any machine
10:12 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 240 seconds]
10:18 <@dazo> oracle: I'd never put that amount of clients against one openvpn instance simultaneously ... 
10:19 <@dazo> OpenVPN isn't multi-threaded, so it will only run on one CPU core, no matter how powerful your box is
10:19 -!- adawda [~awda@zeus235.dentoo.info] has joined #openvpn
10:19 <@dazo> oracle: rather consider to spread it out on say 10 OpenVPN processes, many processes can run on the same physical box, just by pinning them to separate CPU cores
10:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
10:20 <@dazo> oracle: and then use multiple --remote statements in the client configs and --random-remote
10:21 <@dazo> I would not run more OpenVPN instances on a server than what you have CPU cores, though ... that won't scale as well
10:29 < oracle> dazo, so what will one have to configure to make a vpn lan work
10:30 <@dazo> oracle: routing
10:30 <@dazo> !route
10:30 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:30 < oracle> okay so routing in iptables
10:30 < oracle> i can do that
10:30 <@dazo> and firewall 
10:30 <@dazo> iptables is only filtering and NAT stuff .... nothing to do with routing
10:31 < oracle> i have this one problem though, when the vpn link is established i have to manually run 'route add default gw ip'
10:31 < oracle> there wouldnt be a openvpn switch which could do that?
10:31 < oracle> unless push can, but i've tried that
10:31 <@dazo> oracle: --push "route add default gw ip"
10:31 < oracle> i'll try it again ;) thanks
10:34 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
10:37 -!- macsppadic [~sonupunno@88.211.55.77] has left #openvpn []
10:42 < oracle> that didn't work now or ever. i guess i'll just do it manually
10:42 < oracle>  L:1545 D:1450 EF:45 EB:135 ET:0 EL:0 AF:3/1 ]
10:43 < oracle> oops
10:46 -!- adawda [~awda@zeus235.dentoo.info] has quit [Quit: Suck on my dick while I fuck that ass, HEY!]
10:46 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined #openvpn
10:49 -!- goose [goose@staff.chatspike.net] has joined #openvpn
10:50 < goose> I'm following the Linode guide to setup a VPN on my Linode (guide at http://library.linode.com/networking/openvpn/debian-5-lenny#installing_openvpn ) but I can't get past the ./build-ca, it just keeps on telling me to edit the vars file, which I did
10:50 <@vpnHelper> Title: Deploy VPN Services with OpenVPN - Secure Communications with OpenVPN on Debian 5 (Lenny) - Linode Library (at library.linode.com)
10:55 <@dazo> goose: you have probably not sourced the vars file before calling the ./build-ca script
10:55 <@dazo> goose: try:    . ./vars
10:55 <@dazo> or:  source ./vars
10:55 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has joined #openvpn
10:56 < goose> dazo: I did, it just told me: NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
10:56 < goose> but I assumed that's what it was supposed to do
10:56 < goose> I assumed it wasn't supposed to ask for any user input till build-ca, but I ./vars and ./clean-all
10:57 < KaiForce> do current versions of openvpn gui still require "run as administrator" to be used?
10:57 < KaiForce> with win7  / vista?
10:57 <@dazo> yeah, that's good ... only do that clean-all when you want to start from scratch ... I don't think it modifies vars file
10:58 < goose> well, I'm stuck then at build-ca. I've done: ./vars && ./clean-all && ./build-ca
10:58 < goose> here, pastebin
10:58 <@dazo> KaiForce: yes, it still will need that ... however d12fk is working on a newer GUI .... http://openvpn-gui.sourceforge.net/ 
10:58 <@dazo> goose: not ./vars .... I said:   . ./vars
10:58 < goose> ..oops
10:58 <@dazo> notice the extra dot and the space
10:58 < goose> heh
10:59 < goose> guess who feels like a dolt
10:59 <@dazo> heh
10:59 < KaiForce> dazo ok thank you for the info.
10:59 < goose> thanks dazo, I failed to notice the directory change
10:59 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 272 seconds]
10:59 <@dazo> goose: the single dot means in shell-ish that you source the file, kind of like include the contents into your environment and you don't execute it
11:00 < KaiForce> dazo:  I did not know that.  I only ran into that . ./vars construction with OpenVPN on Leaf Bering and never really "got" it
11:01 < KaiForce> so thanks for that also :)
11:01 <@dazo> when you execute a script, it will forget all variables the script sets when you get the command prompt back ... when you source it, it will stay available for you after the file is "included"
11:01 <@dazo> KaiForce: sure, no prob :)
11:03 <@dazo> KaiForce: btw ... the new openvpn GUI should use the management interface, that's kind of the biggest change there ... and I'm sure d12fk will be happy for some feedback if you decide to give it a whirl
11:03 < KaiForce> dazo:  I will.  I'll use it personally.  I'm setting up a client laptop today and was just trying to find out what I need to tell this guy on how to run it.
11:04 <@dazo> :)
11:11 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
11:19 -!- p3rror [~mezgani@41.140.25.6] has quit [Ping timeout: 245 seconds]
11:25 < goose> I uh..
11:26 < goose> god I hate to ask this question and sound like a kiddiot, but.. I've got my VPN setup, now how do I connect to it? (Debian Squeeze)
11:27 < ecrist> heh
11:27 < ecrist> first, how do you know you have your vpn set up?
11:28 < |Mike|> :-P
11:28 < goose> because I followed the guide, and got no errors? :p
11:28 < ecrist> 'the guide'
11:28 < ecrist> what is that?
11:28 < goose> http://library.linode.com/networking/openvpn/debian-5-lenny#installing_openvpn
11:28 <@vpnHelper> Title: Deploy VPN Services with OpenVPN - Secure Communications with OpenVPN on Debian 5 (Lenny) - Linode Library (at library.linode.com)
11:29 < ecrist> !man
11:29 <@vpnHelper> "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
11:29 < ecrist> !howto
11:29 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:29 -!- nesta [~solo@billymays.info] has joined #openvpn
11:30 < goose> "network-manager-openvpn-gnome" sounds like a good package to install
11:31 -!- nesta [~solo@billymays.info] has quit [Quit: leaving]
11:32 -!- goose [goose@staff.chatspike.net] has quit [Quit: God doesn't send firemen to hell; if he did, he knows we'd just put it out!]
11:33 -!- nesta [~solo@stoned.coffeeaddict.net] has joined #openvpn
11:41 -!- err0r [~err0r@89.36.166.222] has joined #openvpn
11:43 < |Mike|> ecrist: why do people write stuff in Italian? :P
11:44 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has quit [Ping timeout: 264 seconds]
11:45 -!- Some_Person [~sam@unaffiliated/someperson/x-249303] has joined #openvpn
11:46 < Some_Person> Can 2 machines use the same client certs to log into an OpenVPN server?
11:47 < Bushmills> !duplicate-cn
11:47 < Bushmills> hm.  look up --duplicate-cn in man page
11:48 < Some_Person> So is that a yes or a no?
11:48 < Bushmills> they can
11:48 < Some_Person> Do I just start the connection as usual or do I have to do something special?
11:48 -!- extor [~extor@c-76-16-36-19.hsd1.il.comcast.net] has quit [Read error: Connection reset by peer]
11:48 < Some_Person> I'm at school and want to run openvpn on my netbook and phone. My server is at home
11:49 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has joined #openvpn
11:49 < Bushmills> don't they teach you to read at school?
11:49 < Some_Person> ???
11:49 -!- goose [~goose@samson.honk-honk.org] has joined #openvpn
11:49 < goose> You guys rock, I've happily got my VPN setup and working
11:49 < goose> One last question, though
11:50 < nesta> meaning to life?
11:50 < goose> close
11:50 < Bushmills> "(18:48:04) Some_Person: So is that a yes or a no?"   that would have been answered by reading the man page section i told you 
11:50 < goose> I have all my traffic going through my VPN, but I want to exempt Pandora from it, or bad things will happen to my server's bandwidth allotment :S How can I do this?
11:50 < nesta> oh well, because thats the only question I can answer
11:50 < goose> I'll take it, then
11:50 < goose> What's the meaning to life?
11:51 < nesta> you already used up your one question allowance
11:51 < nesta> :/
11:51 < goose> but it wasn't answered!
11:51 < goose> answer one of the two, at least! :p
11:52 < goose> (I have a Pandora desktop application, I'm not using the website, by the way)
11:52 < Some_Person> Bushmills: From what I can tell, the option must be in the server config. Is this correct?
11:52 < Bushmills> that is correct.
11:53 < Some_Person> Bushmills: But I'm at school now and the server is at home, so how am I supposed to edit the config?
11:53 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
11:53 < Bushmills> you could wait until school is over. or, you could login using ssh. or call somebody and ask him to do that for you.
11:53 -!- hyper_ch is now known as hyper_away
11:54 < Bushmills> but in fact, you know better about the possiblities you have than i do
11:54 < Some_Person> Bushmills: The only one at home is my mom, who isn't a computer user at all
11:54 < Bushmills> then teach her.
11:54 < Some_Person> Bushmills: And I don't have an SSH server running (the server runs Windows XP)
11:55 < Some_Person> Please don't start that discussion
11:55 < Bushmills> i can't solve impossibilities for you
11:55 < Bushmills> i there is now way to edit the config - then don't do it.
11:55 < Bushmills> no way
11:57 < Some_Person> I just remembered I have a VNC server on there!
11:58 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has joined #openvpn
12:00 -!- hyper_away is now known as hyper_ch
12:04 < goose> I've used netstat to kind of find out what port(s) Pandora is using, how do I exempt those from my VPN?
12:05 -!- Some_Person [~sam@unaffiliated/someperson/x-249303] has quit [Ping timeout: 276 seconds]
12:13 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
12:14 -!- dazo is now known as dazo_afk
12:17 <@vpnHelper> RSS Update - forum: Server Administration :: Bug: mute does not always work :: Author Psilo <https://forums.openvpn.net/viewtopic.php?f=4&t=7348&p=8612#p8612> || Server Administration :: Re: Multiple site connection problem :: Reply by Psilo <https://forums.openvpn.net/viewtopic.php?f=4&t=7346&p=8613#p8613>
12:20 < Bushmills> goose: use the facilities your operating system offers you
12:21 < goose> err.. huh?
12:21 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
12:21 < Bushmills> that's not something you'd set up in the vpn config
12:21 < Bushmills> instead, it is something you configure your OS accordingly
12:23 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Block DHCP from bridged VPN sites :: Reply by Psilo <https://forums.openvpn.net/viewtopic.php?f=4&t=7341&p=8614#p8614> || Server Administration :: Re: timeouts after loging in on OpenVPN :: Reply by Psilo <https://forums.openvpn.net/viewtopic.php?f=4&t=7340&p=8615#p8615>
12:23 < goose> I haven't been able to find an option for such a setting in my OS
12:23 < Bushmills> hint: if it wasn't vpn, and von interface,  but ethernet NIC and wire, the necessary steps would be rather the same
12:23 < goose> but rather, how about this:
12:23 < goose> I have OpenVPN setup to forward all traffic, can I tell it to forward all traffic minus 2 IP ranges?
12:23 < Bushmills> add host routes for those
12:24 < goose> how do I go about doing that?
12:24 < Bushmills> depends on your operating system
12:24 -!- WinstonSmith [~true@e179005146.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
12:24 < Bushmills> "2 ip ranges" - that's not host routes, but subnet routes. i was in error there.
12:25 < goose> I'm more referring to the push "redirect-gateway def1 bypass-dhcp" in server.conf
12:25 < goose> I don't suppose push "redirect-gateway def1 bypass-dhcp -xx.xx.xx.*" is a valid format?
12:26 < Bushmills> that must be a different problem you are talking about now
12:27 < Bushmills> if you're not happy with adding routes to those subnets, drop the redirect-gateway, and add host route to vpn server, and routes for the subnets which you want to be routed through vpn 
12:27 < goose> Simply put: I want ALL my internet to go through my VPN *except* for 2 IP address ranges, which I want to go directly through my modem to those respective ranges, NOT through my VPN
12:28 < Bushmills> simply answered (again): add routes to those 2 subnets
12:29 < goose> alright. how do I do that? :p
12:29 < Bushmills> (19:24:12) Bushmills: depends on your operating system
12:37 -!- goose [~goose@samson.honk-honk.org] has quit [Ping timeout: 245 seconds]
12:40 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
12:46 -!- eagles0513875 [~kvirc@unaffiliated/eagles0513875] has joined #openvpn
12:51 -!- krzee [~k@ftp.secure-computing.net] has joined #openvpn
12:51 -!- krzee [~k@ftp.secure-computing.net] has quit [Changing host]
12:51 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
13:13 -!- kerfe1 [~a@71.pool85-60-149.dynamic.orange.es] has joined #openvpn
13:15 < rjd_> are there any alternative methods of delegating ips to the client, but the 'server' directive of the openvpn server?
13:16 -!- tingelt [~tingelt@dslb-094-221-111-208.pools.arcor-ip.net] has joined #openvpn
13:16 -!- kerfe [~a@230.pool85-60-130.dynamic.orange.es] has quit [Ping timeout: 245 seconds]
13:16 < tingelt> Hey, I have a question. I would like to connect to a VPN to another VPN is that possible?
13:17 < tingelt> *I would like to connect to a VPN through another VPN is that possible?
13:18 < ecrist> yes
13:19 < tingelt> great! Can you give me a hind, where I can find howto's and/or informations about that?
13:27 <@vpnHelper> RSS Update - forum: Server Administration :: Alternative methods to delegate IP to clients? :: Author dtremolo <https://forums.openvpn.net/viewtopic.php?f=4&t=7349&p=8616#p8616>
13:31 < hyper_ch> ecrist: is there a simple way for traffic management/bandwidth control of an individual vpn client?
13:31 < ecrist> !shaper
13:32 < ecrist> --shaper in the man page, hyper_ch 
13:32 < hyper_ch> thx
13:33 <@vpnHelper> RSS Update - forum: Server Administration :: Alternative methods to delegate IP to clients? :: Author dtremolo <https://forums.openvpn.net/viewtopic.php?f=4&t=7350&p=8617#p8617>
13:37 < eagles0513875> hey hyper_ch 
13:39 < hyper_ch> hi eagles0513875
13:40  * eagles0513875 remembers hyper_ch from ubuntu
13:40 < hyper_ch> that happens
13:40 -!- fipu [~fipu@84.200.8.103] has joined #openvpn
13:47 -!- raidzx is now known as raidz
13:47 -!- raidz [~Andrew@2002:adc0:e0ad::adc0:e0ad] has quit [Changing host]
13:47 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has joined #openvpn
13:49 -!- fipu [~fipu@84.200.8.103] has left #openvpn []
13:50 -!- luneff [~yury@84.51.205.82] has joined #openvpn
13:57 -!- oracle_ [~o2@unaffiliated/spice] has joined #openvpn
13:59 -!- oracle [~o2@unaffiliated/spice] has quit [Ping timeout: 240 seconds]
14:01 -!- luneff [~yury@84.51.205.82] has quit [Ping timeout: 245 seconds]
14:12 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
14:14 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
14:14 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
14:22 -!- kerfe1 is now known as kerfe
14:26 -!- adawda [~awda@p4FDC3FD0.dip.t-dialin.net] has joined #openvpn
14:28 -!- s7r [~s7r@79.142.65.14] has joined #openvpn
14:33 -!- adawda [~awda@p4FDC3FD0.dip.t-dialin.net] has quit [Ping timeout: 255 seconds]
14:35 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:38 -!- adawda [~adawda@p4FDC3FD0.dip.t-dialin.net] has joined #openvpn
14:42 -!- adawda [~adawda@p4FDC3FD0.dip.t-dialin.net] has quit [Client Quit]
14:42 -!- adawda [~adawda@zeus235.dentoo.info] has joined #openvpn
14:42 < tingelt> ecrist, sorry for bothering you again. You told me that I can connect to a VPN through another VPN. I googled 30mins and haven't found any useful stuff on the internet. Do you have a Idea where I can find the information I'm am looking for, or can you explain it to me?
14:44 < KaiForce> tingelt:  what would be different about connecting to a network behind a VPN to what you are trying to do?  basically, if you can route to it, you can get to it.  The fact that the second network is also a VPN shouldn't matter, assuming firewall rules allow what you are trying to do
14:45 < ecrist> !route
14:45 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:45 < ecrist> see #1 in there.
14:45 < ecrist> vpn to vpn is no different than another network.
14:46 -!- batrick [~batrick@batbytes.com] has quit [Quit: leaving]
14:46 < tingelt> Many thanks. 
14:47 < KaiForce> i have multiple instances of (Roadwarrior) => NET1 => VPN => NET2 and I just needed to make sure my Roadwarrior could route to NET2 through the VPN
14:47 < tingelt> I'm sorry for my dumbness...
14:47 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 260 seconds]
14:49 <@vpnHelper> RSS Update - pastebin: Something <http://pastebin.ca/1999899>
14:53 -!- adawda [~adawda@zeus235.dentoo.info] has quit [Ping timeout: 255 seconds]
14:53 -!- adawda [~adawda@zeus235.dentoo.info] has joined #openvpn
14:56 < tingelt> I think that would not work. Like I want. PC1 needs to connect (and pusch all traffic) to the publicVPN to get access to the localLAN and Internet. I don't trust that network, so I would like to push all traffic through another VPN to a secure end. Does this work with the routing? I don't see the solution... 
14:57 -!- p3rror [~mezgani@41.140.178.96] has joined #openvpn
14:59 -!- adawda_ [~adawda@zeus235.dentoo.info] has joined #openvpn
15:00 < tingelt> My approach is to "push" all traffic to VPNSecure and push all VPNSecure traffic to VPNunsecure.
15:01 -!- adawda [~adawda@zeus235.dentoo.info] has quit [Ping timeout: 265 seconds]
15:01 < tingelt> Can this work?
15:02 < ecrist> sure
15:08 < tingelt> That's great! And all configuration is done on the client side?
15:15 -!- teraquendya [810f6dfe@gateway/web/freenode/ip.129.15.109.254] has joined #openvpn
15:15 < teraquendya> !welcome
15:15 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:15 < teraquendya> !goal
15:15 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:16 -!- EmperorT1m [~EmperorTo@174-30-255-245.mpls.qwest.net] has joined #openvpn
15:16 < teraquendya> Hey, I am interested in setting up a vpn, but I was wondering how it works out with QoS/
15:17 -!- adawda [~adawda@zeus235.dentoo.info] has joined #openvpn
15:17 < teraquendya> I have a network shared by ~20 people, and I want to guarantee each one of them equal amounts of bandwidth. This would include anyone accessing the network via vpn.
15:17 < teraquendya> Does anyone have experience with this?
15:17 -!- adawda [~adawda@zeus235.dentoo.info] has quit [Client Quit]
15:18 -!- adawda_ [~adawda@zeus235.dentoo.info] has quit [Ping timeout: 260 seconds]
15:18 -!- EmperorTom [~EmperorTo@174-30-245-217.mpls.qwest.net] has quit [Ping timeout: 260 seconds]
15:23 -!- adawda [~adawda@zeus235.dentoo.info] has joined #openvpn
15:37 -!- adawda_ [~adawda@zeus235.dentoo.info] has joined #openvpn
15:40 -!- adawda [~adawda@zeus235.dentoo.info] has quit [Ping timeout: 260 seconds]
15:41 -!- adawda_ [~adawda@zeus235.dentoo.info] has quit [Ping timeout: 255 seconds]
15:42 -!- adawda [~awda@zeus235.dentoo.info] has joined #openvpn
15:43 -!- batrick [~batrick@batbytes.com] has joined #openvpn
16:09 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.12/20101026210630]]
16:09 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
16:09 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
16:09 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
16:17 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
16:17 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
16:25 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
16:26 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has quit [Ping timeout: 255 seconds]
16:30 -!- ^scott^ [~scott@stthom.org] has quit [Ping timeout: 252 seconds]
16:40 -!- mant1s [~mant1s@cpe-76-179-25-35.maine.res.rr.com] has joined #openvpn
16:40 -!- mant1s [~mant1s@cpe-76-179-25-35.maine.res.rr.com] has quit [Changing host]
16:40 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
16:41 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has joined #openvpn
17:01 -!- teraquendya [810f6dfe@gateway/web/freenode/ip.129.15.109.254] has quit [Ping timeout: 265 seconds]
17:09 -!- mattock1 [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
17:14 -!- adawda [~awda@zeus235.dentoo.info] has quit [Quit: Suck on my dick while I fuck that ass, HEY!]
17:46 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
17:49 -!- s7r [~s7r@79.142.65.14] has left #openvpn []
18:01 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:03 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
18:12 <@vpnHelper> RSS Update - forum: Server Administration :: Stuck at a step during configuring openvpn :: Author ilovegrolsc <https://forums.openvpn.net/viewtopic.php?f=4&t=7351&p=8618#p8618>
18:15 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
18:15 -!- tingelt [~tingelt@dslb-094-221-111-208.pools.arcor-ip.net] has quit [Remote host closed the connection]
18:17 -!- p3rror [~mezgani@41.140.178.96] has quit [Ping timeout: 245 seconds]
18:20 -!- daniell [daniell@82-168-191-228.ip.telfort.nl] has joined #openvpn
18:20 < daniell> hello all
18:24 < daniell> anybody here?
18:24 < daniell> all idle?
18:25 < daniell> 118 idlers, gotta be a record
18:30 -!- p3rror [~mezgani@41.140.47.231] has joined #openvpn
18:31 -!- ^scott^ [~scott@stthom.org] has joined #openvpn
18:34 < daniell> any1 here
18:47 < reiffert> no.
18:48 -!- Essobi [~Essobi@74-128-53-127.dhcp.insightbb.com] has quit [Ping timeout: 276 seconds]
18:49 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Ping timeout: 260 seconds]
18:50 -!- agagag [~anton@eudaimonia.goto10.org] has joined #openvpn
19:16 -!- smerz [~smerz@smerz.demon.nl] has quit [Remote host closed the connection]
19:38 -!- zxvff [shahid@dev.hockingits.com] has quit [Quit: HOLY FUCKING KIKE AR EOYU SHITTING ME IM GOING TO LOSE LIKE 70 IRSSI TABS BECAUSE RAVNOS IS A FAGGOT]
19:48 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Multiple site connection problem :: Reply by athensy <https://forums.openvpn.net/viewtopic.php?f=4&t=7346&p=8619#p8619>
19:51 < daniell> pls help https://forums.openvpn.net/viewtopic.php?f=4&t=7351
19:51 <@vpnHelper> Title: OpenVPN Support Forum View topic - Stuck at a step during configuring openvpn (at forums.openvpn.net)
19:54 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has quit [Ping timeout: 264 seconds]
20:17 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Stuck at a step during configuring openvpn :: Reply by ilovegrolsc <https://forums.openvpn.net/viewtopic.php?f=4&t=7351&p=8620#p8620>
20:29 -!- kerfe [~a@71.pool85-60-149.dynamic.orange.es] has quit [Quit: • IRcap • 8.6 •]
20:32 -!- pyther [~pyther@unaffiliated/pyther] has left #openvpn []
20:35 <@vpnHelper> RSS Update - forum: Wishlist :: cryptoapicert and ca :: Author patrickovpn <https://forums.openvpn.net/viewtopic.php?f=10&t=7352&p=8621#p8621>
20:47 < mant1s> how can i use dnsmasq to do name-resolution for a 'route all traffic through vpn' setup?
20:47 < mant1s> :)
21:19 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
21:19 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
21:25 < Bushmills> mant1s: by forwarding dns requests to a publicly accessable recursive name server
21:26 < mant1s> Bushmills thank you. I actually had just forgot to setup kernal forwarding! 
21:26  * mant1s is derp
21:43 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 250 seconds]
22:29 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: OpenVPN 2.1 requires '--script-security 2' or higher... ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7353&p=8622#p8622>
22:35 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: WARNING: potential route subnet conflict :: Author DasFox <https://forums.openvpn.net/viewtopic.php?f=15&t=7354&p=8623#p8623>
22:41 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Stuck at a step during configuring openvpn :: Reply by ilovegrolsc <https://forums.openvpn.net/viewtopic.php?f=4&t=7351&p=8624#p8624>
22:42 < daniell> please help my openvpn service fails to start i made a post in forum
22:42 < daniell> https://forums.openvpn.net/viewtopic.php?f=4&t=7351&p=8624#p8624
22:42 <@vpnHelper> Title: OpenVPN Support Forum View topic - Stuck at a step during configuring openvpn (at forums.openvpn.net)
22:51 -!- p3rror [~mezgani@41.140.47.231] has quit [Quit: Leaving]
23:05 -!- Xgates [~Xgates@unaffiliated/xgates] has joined #openvpn
23:05 < Xgates> hey guys and gals
23:05 < Xgates> when connecting to a VPN service I'm using I get this;
23:05 < Xgates> WARNING: potential route subnet conflict between local LAN [10.8.0.0/255.255.255.0] and remote VPN [10.8.0.1/255.255.255.255]
23:06 < Xgates> Here's a post I made if anyone can help...
23:06 < Xgates> http://www.vpnsteel.com/forum/viewtopic.php?f=7&t=289
23:06 <@vpnHelper> Title: VPN Steel Forum View topic - WARNING: potential route subnet conflict between (at www.vpnsteel.com)
23:06 < Xgates> huh?
23:07 < Xgates> vpnHelper: are you a bot?
23:09 < Bushmills> Xgates: your LAN is subnet 10.8.0.0/24?
23:11 < Xgates> Bushmills: my ifconfig; http://pastebin.com/kZ3ja2QD
23:11 < Xgates> no I don't use 10.. I'm using a little router/firewall those are using 192...
23:11 < Xgates> don't know where any of this 10.x local lan crap is coming from...
23:13 < Bushmills> check client logs. it probably show what action caused this. i suppose it is a route setting statement.
23:16 < Xgates> I don't see anything in the logs
23:16 < Xgates> does openvpn log to any particular logs?
23:16 < Bushmills> to the file you specified
23:17 < Xgates> sorry you lost me what file?
23:18 < Bushmills> read man page about --log
23:19 < Xgates> not sure what that's going to help since there is nothing in any logs
23:21 < Xgates> First I'm trying to figure why is OpenVPN complaining about a local lan of 10x when I don't have a local lan running this IP
23:21 < Xgates> where would it be getting this information from?
23:23 < Xgates> Oh if you're talking about the forum post and you read it and the rc.local
23:23 < Xgates> I add that after I saw the warning message thinking that was going to help and it didn't
23:23 < Xgates> I added...
23:24 < Xgates> /sbin/route add -net 10.8.0.1 dev eth0 was not there when the warning happened, it's a fix I'm trying to make work that isn't
23:25 < Xgates> When a VPN provider gives you a .crt, .key and .opvn files where the heck is that connection going to determine something like this especially when it doesn't exist
23:34 < daniell> hi guys
23:35 < daniell> nice to see not every1 is idle
23:45 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
23:48 -!- Xgates [~Xgates@unaffiliated/xgates] has left #openvpn ["Ping Timeout ( 0.0 Seconds )"]
23:53 -!- aliverius [~george@athedsl-377917.home.otenet.gr] has quit [Quit: No Ping reply in 180 seconds.]
23:53 -!- aliverius [~george@athedsl-377917.home.otenet.gr] has joined #openvpn
23:57 <@vpnHelper> RSS Update - forum: Off Topic, Related :: JonDo vs OpenVPN - They Claim To Be More Secure :: Author DasFox <https://forums.openvpn.net/viewtopic.php?f=1&t=7355&p=8625#p8625>
23:58 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
--- Day changed Sat Dec 04 2010
00:03 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Stuck at a step during configuring openvpn :: Reply by ilovegrolsc <https://forums.openvpn.net/viewtopic.php?f=4&t=7351&p=8626#p8626>
00:30 < daniell> j
00:30 < daniell> .............
00:30 -!- daniell [daniell@82-168-191-228.ip.telfort.nl] has quit []
00:30 -!- daniell [daniell@82-168-191-228.ip.telfort.nl] has joined #openvpn
00:32 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
00:44 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
01:13 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
01:16 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Stuck at a step during configuring openvpn :: Reply by ilovegrolsc <https://forums.openvpn.net/viewtopic.php?f=4&t=7351&p=8628#p8628>
01:23 < daniell> please helppppppppppppppppp
01:23 < daniell> https://forums.openvpn.net/viewtopic.php?f=4&t=7351&p=8628#p8628
01:23 <@vpnHelper> Title: OpenVPN Support Forum View topic - Stuck at a step during configuring openvpn (at forums.openvpn.net)
01:31 -!- eagles0513875 [~kvirc@unaffiliated/eagles0513875] has quit [Quit: KVIrc 4.1.1 Equilibrium http://www.kvirc.net/]
01:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
01:36 < mant1s> daniell you need to make sure your kernel is forwarding enabled
01:37 < mant1s> try --  echo 1 > /proc/sys/net/ipv4/ip_forward 
01:37 < mant1s> on your server 
01:39 < mant1s> also, if you're trying to route ALL client traffic through your vpn you need to enable the push DNS dhcp option noted in the documentation
01:42 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
02:09 < hyper_ch> good morning
02:09 < hyper_ch> !ptp
02:10 < hyper_ch> !nat
02:10 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
02:34 -!- daniell [daniell@82-168-191-228.ip.telfort.nl] has quit []
02:35 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Now with extra fish!]
02:35 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has joined #openvpn
02:48 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
02:58 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
02:59 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
03:03 -!- tingelt [~tingelt@dslb-094-221-111-208.pools.arcor-ip.net] has joined #openvpn
03:34 -!- oracle_ [~o2@unaffiliated/spice] has quit [Read error: Operation timed out]
03:37 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
03:37 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
03:38 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has left #openvpn []
03:38 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Read error: Connection reset by peer]
03:38 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
03:39 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined #openvpn
03:41 -!- tingelt [~tingelt@dslb-094-221-111-208.pools.arcor-ip.net] has quit [Remote host closed the connection]
03:42 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Quit: ZNC - http://znc.sourceforge.net]
03:42 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined #openvpn
03:46 -!- tingelt [~tingelt@dslb-094-221-111-208.pools.arcor-ip.net] has joined #openvpn
03:46 -!- master_of_master [~master_of@p57B54AB9.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
03:48 -!- master_of_master [~master_of@p57B55DE9.dip.t-dialin.net] has joined #openvpn
03:53 < reiffert> moin
04:07 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has quit [Remote host closed the connection]
04:11 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined #openvpn
04:11 < hyper_ch> huhu reiffert
04:14 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
04:22 -!- common [~common@p5DDA481F.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
04:24 -!- common [~common@p5DDA43CD.dip0.t-ipconnect.de] has joined #openvpn
04:38 -!- eliasp [~quassel@HSI-KBW-109-193-152-083.hsi7.kabel-badenwuerttemberg.de] has quit [Ping timeout: 265 seconds]
04:42 < reiffert> hyper_ch: kimsufi.com seems to be way more expensive than hetzner.de
04:43 < hyper_ch> reiffert: depends.... my kimsufi box just servers as vpn server for the rest
04:43 < reiffert> at least for hosting and root servers
04:43 < hyper_ch> you can get a ded box for € 15.-
04:43 < hyper_ch> but why do you bring this up?
04:44 < reiffert> I was just curious and clicked around in the internet.
04:44 < hyper_ch> http://www.kimsufi.com/ks/
04:44 -!- eliasp [~quassel@HSI-KBW-109-193-152-083.hsi7.kabel-badenwuerttemberg.de] has joined #openvpn
04:44 <@vpnHelper> Title: Kimsufi - votre gamme de serveurs dédiés à partir de 14.99 Euros/mois ! (at www.kimsufi.com)
04:44 < hyper_ch> not a very powerfull box
04:45 < hyper_ch> but it allows me to run the vpn server on it and everything else from behind the vpn
04:45 < reiffert> damn, 1.2Ghz Celeron. Woot.
04:45 < hyper_ch> plenty for a vpn server :)
04:46 < reiffert> "Go" is the french way of keeping it different?
04:46 < hyper_ch> ?
04:46 < reiffert> That particular "o" stands for?
04:46 < hyper_ch> go?
04:46 < reiffert> 250 Go
04:46 < reiffert> (supposed to be 250 GB)
04:47 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Read error: Operation timed out]
04:48 < hyper_ch> dunno
04:48 < hyper_ch> the o stands for byte
04:48 < reiffert> and "byte" translates to french like .....?
04:49 < reiffert> 8 bit = 1 'o whathere?'
04:50 < hyper_ch> dammit, is one of my keys broken
04:52 < reiffert> octet is the word.
04:53 < hyper_ch> so simple it can be
04:53 < hyper_ch> kde is not respecting one of my keys :($
04:54 -!- eliasp [~quassel@HSI-KBW-109-193-152-083.hsi7.kabel-badenwuerttemberg.de] has quit [Ping timeout: 245 seconds]
04:55 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Read error: Connection reset by peer]
04:55 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
04:56 < reiffert> hyper_ch: smallest dedicated at hetzner.de is at 7,90 EUR/month
04:56 -!- eliasp [~quassel@HSI-KBW-109-193-152-083.hsi7.kabel-badenwuerttemberg.de] has joined #openvpn
04:56 < reiffert> well it's a vserver.
04:58 < hyper_ch> then it's not a dedicated server
05:01 -!- cairnz [mats@217-14-7-98-dhcp-osl.bbse.no] has quit [Quit: moo]
05:07 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Quit: I am off]
05:08 < hyper_ch> reiffert: well, I like to fully encrypt my servers also :)
05:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
05:36 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined #openvpn
05:40 -!- pihhan [~pihhan@pihhan.cipis.net] has joined #openvpn
05:49 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
05:51 -!- pihhan [~pihhan@pihhan.cipis.net] has quit [Quit: using sirc version 2.211+KSIRC/1.3.12]
05:55 -!- pihhan [~pihhan@pihhan.cipis.net] has joined #openvpn
06:22 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Read error: Operation timed out]
06:27 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 272 seconds]
06:31 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
07:07 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
07:16 -!- krzee [~k@openvpn/community/support/krzee] has quit [Remote host closed the connection]
07:21 <@vpnHelper> RSS Update - forum: Installation Help :: unable to connect to vpn network :: Author silverlight <https://forums.openvpn.net/viewtopic.php?f=5&t=7357&p=8629#p8629>
07:27 -!- tingelt_ [~tingelt@178.6.248.113] has joined #openvpn
07:29 -!- tingelt [~tingelt@dslb-094-221-111-208.pools.arcor-ip.net] has quit [Ping timeout: 276 seconds]
07:32 -!- tingelt [~tingelt@178.6.248.245] has joined #openvpn
07:34 -!- tingelt_ [~tingelt@178.6.248.113] has quit [Ping timeout: 276 seconds]
07:34 -!- tingelt_ [~tingelt@178.1.151.179] has joined #openvpn
07:36 -!- eliasp [~quassel@HSI-KBW-109-193-152-083.hsi7.kabel-badenwuerttemberg.de] has left #openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
07:37 -!- tingelt [~tingelt@178.6.248.245] has quit [Ping timeout: 276 seconds]
07:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
08:07 -!- tingelt [~tingelt@dslb-088-077-166-110.pools.arcor-ip.net] has joined #openvpn
08:10 -!- tingelt_ [~tingelt@178.1.151.179] has quit [Ping timeout: 276 seconds]
08:10 -!- tingelt_ [~tingelt@dslb-084-061-111-027.pools.arcor-ip.net] has joined #openvpn
08:12 -!- tingelt [~tingelt@dslb-088-077-166-110.pools.arcor-ip.net] has quit [Ping timeout: 276 seconds]
08:13 -!- tingelt_ [~tingelt@dslb-084-061-111-027.pools.arcor-ip.net] has quit [Read error: Connection reset by peer]
08:13 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
08:15 -!- tingelt [~tingelt@178.1.231.129] has joined #openvpn
08:16 -!- OtherJakeSays [~quassel@c-98-202-184-139.hsd1.ut.comcast.net] has joined #openvpn
08:16 -!- OtherJakeSays is now known as JakeSays
08:18 -!- pushpop [~marc@pool-173-77-222-236.nycmny.fios.verizon.net] has quit []
08:20 -!- tingelt [~tingelt@178.1.231.129] has quit [Ping timeout: 276 seconds]
08:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
09:31 -!- JakeSays [~quassel@c-98-202-184-139.hsd1.ut.comcast.net] has quit [Read error: Connection reset by peer]
09:32 -!- JakeSays [~quassel@c-98-202-184-139.hsd1.ut.comcast.net] has joined #openvpn
09:40 -!- Deathvalley122 [~Death@unaffiliated/deathvalley122] has quit [Read error: Connection reset by peer]
09:41 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
09:58 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
09:59 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
09:59 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
09:59 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
10:00 -!- sigi [~sigius@93-125-185-45.dsl.alice.nl] has quit [Remote host closed the connection]
10:02 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
10:52 -!- me345 [~me345@adsl-75-15-181-17.dsl.bkfd14.sbcglobal.net] has joined #openvpn
10:56 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 255 seconds]
11:04 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
11:16 -!- daniell [daniell@82-168-191-228.ip.telfort.nl] has joined #openvpn
11:24 -!- trkemist [~trkemist@unaffiliated/trkemist] has joined #openvpn
11:24 < trkemist> !welcome
11:24 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:24 < trkemist> !goal
11:24 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:25 < trkemist> !goal vpn to server and out same interface to internet
11:29 < trkemist> anyone online today can help me see if a potential setup is possible? I'd like to basically openvpn into my server to use its internet connection for all of my internet traffic. I've been able to do this with some limited success using squid but obviously not all traffic can go through squid. Any thoughts?
11:29 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
11:31 -!- mant1s [mant1s@unaffiliated/mant1s] has joined #openvpn
11:31 < Bushmills> possible
11:31 < Bushmills> !redirect
11:31 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
11:32 < trkemist> Bushmills - I'll try it again see what happens
11:32 < Bushmills> take care of resolving, client must be able to access a recursive name server. 
11:32 < Bushmills> provider name server are usuallynot accessible from outside their own net
11:32 < trkemist> Bushmills - Yeah I was thinking of running Bind in my openvpn server to ensure simple resolution
11:33 < Bushmills> bind is overkilll
11:39 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
11:44 < mant1s> dnsmasq for forwarding only
11:45 < Bushmills> maradns is small footprint, fast, available for windows and unixoids, an can be recursive, forward, and authoritative 
11:46 < trkemist> well 
11:46 < Bushmills> and, easy to configure
11:47 < daniell> hi
11:47 < trkemist> i'm very into security so I am very cautious about what I load on my system. It has taken me a while to make sure the openvpn code is good enough to run
11:47 < daniell> i just did that push redirect gateway thing on my server.conf
11:47 < Bushmills> oh, maradns is also secure
11:47 < daniell> however, now i can't visit any websites
11:47 < daniell> i think my linode doesn't know what to do with the traffic
11:48 < Bushmills> daniell: redirect-gateway is not enough, you also need to ip forwards, and set up NAT on server
11:48 < daniell> i disabled iptables firewall
11:48 < Bushmills> !redirect
11:48 < daniell> oh
11:48 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
11:48 < daniell> !ipforward
11:48 <@vpnHelper> "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
11:49 < daniell> i did this: net.ipv4.ip_forward = 1
11:49 < trkemist> does openvpn support Eliptic Curve based encryption?
11:49 < daniell> in /etc/sysctl.conf
11:49 < trkemist> like ECDHA algorithms?
11:49 < daniell> however this command didn't work: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
11:49 < daniell> it said not recognised
11:50 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has joined #openvpn
11:50 < daniell> could it be i need to change eth0 to something else?
11:50 < daniell> !nat
11:50 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
11:51 < Bushmills> trkemist: openvpn --show-ciphers
11:58 < daniell> i have teh vpn working but nothing is encrypted in the tunnel
11:59 < Bushmills> what makes you think that?
12:00 < daniell> one moment
12:00 -!- mant1s [mant1s@unaffiliated/mant1s] has quit [Ping timeout: 272 seconds]
12:00 < daniell> -bash-3.2# openvpn --dev tun0
12:00 < daniell> Sat Dec 4 08:10:25 2010 OpenVPN 2.1.1 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Jan 26 2010
12:00 < daniell> Sat Dec 4 08:10:25 2010 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
12:00 < daniell> Sat Dec 4 08:10:25 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
12:00 < daniell> Sat Dec 4 08:10:25 2010 ******* WARNING *******: all encryption and authentication features disabled -- all data will be tunnelled as cleartext
12:00 < daniell> Sat Dec 4 08:10:25 2010 TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use
12:00 < daniell> Sat Dec 4 08:10:25 2010 Exiting
12:00 -!- daniell was kicked from #openvpn by vpnHelper [Flooding detected. Please use http://openvpn.pastebin.ca for posting logs or configs.]
12:00 -!- daniell [daniell@82-168-191-228.ip.telfort.nl] has joined #openvpn
12:01 < daniell> back
12:01 < daniell> i started a thread yesterday about my difficulties
12:01 < daniell> https://forums.openvpn.net/viewtopic.php?f=4&t=7351
12:01 <@vpnHelper> Title: OpenVPN Support Forum View topic - Stuck at a step during configuring openvpn (at forums.openvpn.net)
12:01 < Bushmills> Socket bind failed on local address [undef]:1194: Address already in use..  stop the already running openvpn before you start another instance with the same config
12:02 < daniell> what do you mean i only have one openvpn running
12:02 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 255 seconds]
12:03 -!- jwhisnant [~jwhisnant@twdp-174-109-179-252.nc.res.rr.com] has joined #openvpn
12:04 < Bushmills> something is listening to port 1194 on localhost already - most likely openvpn
12:04 < daniell> ok
12:04 < Bushmills> if not, stop whatever it listens to it, or run openvpn on a different port
12:04 < daniell> good advice i'll try it ty
12:05 < daniell> then the encryption should work?
12:05 < Bushmills> you'll see. at least, then openvpn will run. which it doesn't now (except the presumably not running first instance)
12:06 -!- jwhisnant_ [~jwhisnant@74.115.6.60] has joined #openvpn
12:07 < Bushmills> could also be that you neglected to give an interface address to bind to
12:07 < daniell> in server.conf?
12:08 < daniell> im confused about my linux vps
12:08 < daniell> its running centos5 with xen virtualisation
12:08 -!- jwhisnant [~jwhisnant@twdp-174-109-179-252.nc.res.rr.com] has quit [Ping timeout: 245 seconds]
12:08 < Bushmills> probably. there where openvpn doesn't start
12:08 < Bushmills> !xen
12:09 < daniell> also new to linux, not sure how to find out the name of my ethernet device
12:09 < daniell> or interface address etc
12:09 < Bushmills> ifconfig
12:10 < daniell> thx
12:10 < daniell> says command not found
12:11 < daniell> i'm using putty to connect to centos
12:11 < Bushmills> you're root?
12:12 < daniell> yep
12:12 < Bushmills> blame hoster
12:12 < daniell> its weird... i just did 'service openvpn stop'
12:12 < daniell> ok
12:12 < daniell> then that openvpn --dev tun0
12:12 < daniell> still same warning
12:12 -!- Cain [~Geek@unaffiliated/cain] has joined #openvpn
12:12 < Bushmills> or become root with   su -   instead of just su
12:13 < daniell> about  address already in unse
12:14 < Bushmills> specifying --dev tun0 won't change anything about that problem
12:14 < Bushmills> you want to specify the interface to bind openvpn to, not the interface the tunneled traffic uses
12:14 < daniell> ok
12:14 < daniell> so first step is find out what interface to use
12:15 < Bushmills> read in man page about --local
12:15 < daniell> k
12:16 < daniell> ok i just typed ifconfig
12:17 -!- Cain [~Geek@unaffiliated/cain] has quit [Quit: Sayaunara ^_^]
12:17 < Bushmills> no. you just typed "ok i just typed ifconfig"
12:18 < daniell> :)
12:18 < daniell> i posted the result in my thread pls look last post
12:18 < daniell> https://forums.openvpn.net/viewtopic.php?f=4&t=7351&p=8630#p8630
12:18 <@vpnHelper> Title: OpenVPN Support Forum View topic - Stuck at a step during configuring openvpn (at forums.openvpn.net)
12:18 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 272 seconds]
12:19 < Bushmills> openvpn seems to run.
12:19 < Bushmills> check logs, for the used encryption
12:19 < daniell> i just stopped the service and yet it is still running...
12:20 < daniell> weird
12:20 < daniell> i can even connect via openvpn windows gui after typing 'service openvpn stop'
12:21 < Bushmills> that's not plausible
12:21 < Bushmills> when openvpn is stopped, the tun0 interface, which you can see in ifconfig output, will have disappeared 
12:22 < daniell> yea but it is happening, i can even ping 10.8.0.1 after stopping the service
12:22 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Stuck at a step during configuring openvpn :: Reply by ilovegrolsc <https://forums.openvpn.net/viewtopic.php?f=4&t=7351&p=8630#p8630>
12:22 < daniell> i can still connect with openvpn win gui
12:22 < Bushmills> then it wasn't stopped.
12:22 < daniell> but i did type 'service openvpn stop'
12:22 < daniell> and it said OK
12:23 < Bushmills> ps aux|grep openvpn    
12:23 < Bushmills> shows you processes with name openvpn
12:24 < Bushmills> netstat -lunp   shows services listening to udp
12:24 < daniell> i posted results in thread
12:24 < Bushmills> i gave you those commands for you to see
12:25 < daniell> yes
12:25 < daniell> but it seems like there are 2 instances of openvpn running
12:25  * Bushmills thinks that's what /me suggested right from the begin
12:26 < daniell> yes you are right
12:26 < Bushmills> anyway, gotta run now
12:27 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Stuck at a step during configuring openvpn :: Reply by ilovegrolsc <https://forums.openvpn.net/viewtopic.php?f=4&t=7351&p=8631#p8631>
12:31 -!- trkemist [~trkemist@unaffiliated/trkemist] has quit [Quit: Computer has gone to sleep]
12:44 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
12:47 -!- jwhisnant_ [~jwhisnant@74.115.6.60] has quit [Ping timeout: 240 seconds]
12:49 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
12:49 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
12:49 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
13:19 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
13:20 -!- pihhan [~pihhan@pihhan.cipis.net] has quit [Quit: using sirc version 2.211+KSIRC/1.3.12]
13:44 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
13:48 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
13:59 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
14:01 -!- luneff [~yury@84.51.205.82] has joined #openvpn
14:07 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
14:07 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
14:07 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
14:08 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
14:24 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
14:33 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 255 seconds]
14:42 -!- dazo_afk is now known as dazo
14:44 -!- mant1s [~mant1s@cpe-76-179-25-35.maine.res.rr.com] has joined #openvpn
14:44 -!- mant1s [~mant1s@cpe-76-179-25-35.maine.res.rr.com] has quit [Changing host]
14:44 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
14:58 -!- infid [~infid@99-101-15-134.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
14:58 < infid> if you telnet to a vpn port, what command can you type to see if it's responsive or what version it is?
15:03 < hyper_ch> why would you want to telnet to a vpn port?
15:06 < infid> test
15:17 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has quit [Ping timeout: 265 seconds]
15:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 255 seconds]
15:37 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Remote host closed the connection]
15:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
15:42 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Quit: Quitte]
15:43 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
15:45 < infid> our admin gave me VPN PPTP credententials but i can't connect with ubuntu's VPN in the network manager. yet i can telnet to the pptp port fine. syslog just says " NetworkManager: <info>  VPN plugin failed: 1. Could  not process the request because no VPN connection was active."
15:47 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
15:51 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has joined #openvpn
15:53 < infid> keeps telling me MS-CHAP authentication failed
15:59 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
16:04 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
16:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
16:19 -!- luneff [~yury@84.51.205.82] has quit [Quit: Leaving]
16:33 < ecrist> infid: openvpn is not PPTP
16:36 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
16:48 -!- s7r [~s7r@94.100.17.21] has joined #openvpn
16:49 < Dougy_> rawr
16:49 < Dougy_> ecrist: i suggest topic have 'OpenVPN is not pptp or ipsec' added
16:50 < ecrist> nah, I think the topic is long enough.
16:51 -!- ecrist changed the topic of #openvpn to: OpenVPN 2.1.4 Most Current || 2.2-beta5 Released 03-Dec-2010 || Your problem is your firewall, really. || Type !welcome and !goal before asking your questions. || Web Forum: http://forums.openvpn.net || Developers: #openvpn-devel
17:02 < infid> :(
17:08 <@vpnHelper> RSS Update - forum: Off Topic, Related :: Re: mailman mailing list instead of web forum? :: Reply by ecrist <https://forums.openvpn.net/viewtopic.php?f=1&t=7296&p=8632#p8632>
17:12 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
17:24 -!- me345 [~me345@adsl-75-15-181-17.dsl.bkfd14.sbcglobal.net] has quit [Remote host closed the connection]
17:26 -!- trkemist [~trkemist@unaffiliated/trkemist] has joined #openvpn
17:29 < Bushmills> !blame pptp for not being openvpn compatible
17:29 -!- trkemist [~trkemist@unaffiliated/trkemist] has quit [Client Quit]
17:32 < derekv> huh?
17:37 < Bushmills> instead of vice versa
17:47 < derekv> oh, just wonder'd why we where talking about it.
17:48 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
17:49 < Bushmills> just a comment, somebody unhappy about not being able to use openvpn on pptp account
17:50 < ecrist> derekv: scroll up about, oh 10 lines.
17:50 < ecrist> :)
17:53 -!- dazo is now known as dazo_afk
17:53 < derekv> can't be bothered.
17:53 < derekv> :p
18:06 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has quit [Ping timeout: 260 seconds]
18:12 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
18:40 -!- daniell [daniell@82-168-191-228.ip.telfort.nl] has left #openvpn []
18:40 -!- dannielle [daniell@82-168-191-228.ip.telfort.nl] has joined #openvpn
19:02 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Setting TCP or UDP from the client side? :: Reply by TheMG <https://forums.openvpn.net/viewtopic.php?f=4&t=7336&p=8633#p8633>
19:07 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
19:18 -!- Xgates [~Xgates@unaffiliated/xgates] has joined #openvpn
19:19 < Xgates> hey guys
19:19 < Xgates> anyone ever use Comodo's free Trust Connect VPN service?
19:19 < dannielle> hey x
19:19 < dannielle> welcome to idle ville
19:19 < Xgates> For the life of me in Linux, I can connect but then I can't go anywhere online with it
19:21 < dannielle> u new at linux?
19:21 < Xgates> so if any Linux users might be into checking out a free service I'd appreciate it if you can get it to run
19:21 < Xgates> http://forums.comodo.com/comodo-trustconnect-ctc/you-wanted-trustconnect-and-wanted-it-for-freewell-t45831.0.html
19:21 < Xgates> No I'm not new to Linux
19:21 < Xgates> 10 years
19:22 < dannielle> ah
19:22 < dannielle> i have about 10 hours under the belt
19:22 < Xgates> Slackware user of 10....
19:23 < Xgates> well you'd probably have bigger problems then me hehe
19:23 < dannielle> ;)
19:23 < Xgates> this stupid Comodo has to be doing something different because I can connect to two other VPNs without problems 
19:23 < Xgates> hmm
19:24 < dannielle> im using putty
19:24 < dannielle> to connect fron win 7 to centos5
19:28 < Xgates> Someone needs to update that OpenVPN website there are no links to download the Linux tar if you click the Linux Download link and then in  http://www.openvpn.net/release/   2.1.4 isn't listed  
19:28 <@vpnHelper> Title: Index of /release (at www.openvpn.net)
19:28  * Xgates bangs head
19:28 < Xgates> errrrrrr
19:28 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
19:28 < Xgates> sorry I don't use putty
19:28 < Xgates> did in Windows ages back....
19:30 < dannielle> oh
19:30 < dannielle> putty not good?
19:30 < dannielle> its the only one i know
19:32 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
19:49 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
19:53 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
20:15 -!- Xgates [~Xgates@unaffiliated/xgates] has quit [Ping timeout: 255 seconds]
20:17 -!- Xgates [~Xgates@unaffiliated/xgates] has joined #openvpn
20:18 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 264 seconds]
20:25 -!- Xgates [~Xgates@unaffiliated/xgates] has quit [Quit: Ping Timeout ( 0.0 Seconds )]
20:25 -!- Martin` [martin@shell.ipv6.octocore.net] has quit [Read error: Operation timed out]
20:31 -!- infid [~infid@99-101-15-134.lightspeed.sndgca.sbcglobal.net] has quit [Ping timeout: 240 seconds]
20:33 -!- infid [~infid@69.198.100.228] has joined #openvpn
20:34 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
20:44 -!- infid [~infid@69.198.100.228] has quit [Ping timeout: 265 seconds]
20:46 -!- infid [~infid@rrcs-173-198-12-38.west.biz.rr.com] has joined #openvpn
20:48 < dannielle> service openvpn start
20:48 < dannielle> FAILED
20:48 < dannielle> any1 help?
20:52 -!- infid [~infid@rrcs-173-198-12-38.west.biz.rr.com] has quit [Ping timeout: 265 seconds]
20:52 -!- infid [~infid@99-101-15-134.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
20:54 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
20:56 -!- Martin` [martin@shell.ipv6.octocore.net] has joined #openvpn
21:04 -!- infid [~infid@99-101-15-134.lightspeed.sndgca.sbcglobal.net] has quit [Remote host closed the connection]
21:06 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
21:07 -!- s7r [~s7r@94.100.17.21] has left #openvpn []
21:07 < Bushmills> sure. fix it.
21:09 < dannielle> nice advice
21:09 < Bushmills> best i can do, given the wealth of information you offer
21:10 < dannielle> i have given a wealth of info in my thread, 6 posts worth
21:10 < dannielle> although not a single reply.. figures
21:11 < Bushmills> http://scarydevilmonastery.net/snap/1291518652616063408d.png
21:12 < Bushmills> you didn't expect me to google for your problem, or read an unknown number  of pages back?
21:13 < dannielle> course not
21:13 < dannielle> i like fixing things myself, rarely ask for help
21:14 < dannielle> might have to go to a linux forum or something
21:14 < dannielle> openvpn is preety ... closed
21:14 < dannielle> 110 idlers lol
21:14 < Bushmills> oh, i must have misunderstood. "any1 help" sounded  like you were asking for helo
21:14 < Bushmills> p
21:14 < dannielle> i didnt realise iding was a sport
21:14 < Bushmills> nothing to do here, i guess. I'm off again.
21:15 < dannielle> bye bye
21:15 < dannielle> put another gold star on your resume for help
21:16 -!- dannielle [daniell@82-168-191-228.ip.telfort.nl] has quit []
21:32 < krzee> hah
21:32 < krzee> i guess he didnt get what he paid for
21:33 < krzee> o_O
21:34 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
21:47 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
21:54 -!- Klem__ [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has quit [Ping timeout: 272 seconds]
21:59 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 276 seconds]
22:02 < Bushmills> "(04:10:38) dannielle: although not a single reply.. figures"  ... not surprising
22:06 -!- Klem__ [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has joined #openvpn
22:42 -!- dannielle [dannielle@82-168-191-228.ip.telfort.nl] has joined #openvpn
22:42 -!- dannielle [dannielle@82-168-191-228.ip.telfort.nl] has quit [Client Quit]
22:42 -!- dannielle [dannielle@82-168-191-228.ip.telfort.nl] has joined #openvpn
22:43 -!- dannielle is now known as theBusinessMan
22:43 < krzee> theBusinessMan, your problem was linux specific, not openvpn, try running openvpn via CLI to see if you have an openvpn problem or not
22:46 < krzee> theBusinessMan, 
22:46 < krzee> !goal
22:46 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
22:46 < theBusinessMan> hi
22:46 < theBusinessMan> ok i'll set goal
22:47 < krzee> set?
22:47 < krzee> just clearly state it
22:47 < theBusinessMan> just type the goal?
22:47 < krzee> you were trying to get help with something earlier, what was your goal
22:48 < theBusinessMan> i am moving to mainland China i would like to continue open access to internet. I have rented a vps in honkkong and i want to have a vpn connection to that vps so that i can use the vps's internet connection
22:48 < krzee> !redirect
22:48 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
22:48 < theBusinessMan> yep i'm aware of redirect
22:48 < krzee> so your server has NAT and ip forwarding enabled...?
22:48 < krzee> !linnat
22:48 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
22:49 < theBusinessMan> at the moment i have the vpn working with default server.conf but the tunnel is not encrpyted 
22:49 < krzee> not encrypted!?
22:49 < krzee> you used --cipher none ?
22:49 < theBusinessMan> no
22:49 < theBusinessMan> see 3rd last post in my thread
22:49 < theBusinessMan> http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
22:49 < theBusinessMan> i did openvpn --dev tun0
22:49 < krzee> thats not a thread
22:49 < theBusinessMan> it says 'warning all encryption and authentication features disabled all data will be sent as cleartext'
22:50 < theBusinessMan> oh sorry 
22:50 < theBusinessMan> https://forums.openvpn.net/viewtopic.php?f=4&t=7351
22:50 <@vpnHelper> Title: OpenVPN Support Forum View topic - Stuck at a step during configuring openvpn (at forums.openvpn.net)
22:50 < theBusinessMan> lol
22:50 < krzee> third post?
22:50 < theBusinessMan> third from bottom
22:50 < krzee> the linux-specific error that has nothing to do with openvpn?
22:51 < krzee> oh no
22:51 < theBusinessMan> well im wondering why my tunnel isn't encrypted
22:51 < krzee> see my configs
22:51 < krzee> !sample
22:51 < theBusinessMan> according to openvpn --dev tun0 
22:51 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
22:52 < theBusinessMan> i just used the sample client.conf in usr/share/doc/openvpn-2.1.1/sample-config-files/
22:52 < krzee> you need certs
22:52 < krzee> !pki
22:52 < theBusinessMan> and of course changed the ip address to the servers, and changed the key names to be correct
22:52 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was signed
22:52 <@vpnHelper> specially as a server (see !servercert)
22:52 < theBusinessMan> i've done all that
22:52 < krzee> !configs
22:52 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
22:52 < theBusinessMan> all the necessary crts and key is in on my local computer for client
22:53 < theBusinessMan> all the necessary server key and crts are in /etc/openvpn
22:53 < krzee> dir doesnt matter
22:53 < krzee> the config just needs to point to them
22:53 < theBusinessMan> server.conf?
22:53 < krzee> all configs
22:53 < theBusinessMan> ok
22:54 < theBusinessMan> well i think default .conf i used for both will point to /etc/openvpn
22:54 < theBusinessMan> so i just put the necessary key and crts in there
22:54 < theBusinessMan> as per most tutorial's 
22:54 < krzee> pastebin them
22:54 < theBusinessMan> ok one moment
22:54 < theBusinessMan> thx for your help btw
22:54 < krzee> stop reading tutorials fund by google
22:54 < krzee> they all suck
22:54 < krzee> you want this
22:54 < krzee> !howto
22:54 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
22:54 < theBusinessMan> i've read the entire howto that u just posted
22:55 < krzee> cool
22:55 < theBusinessMan> one sec gonna past bin those
22:57 < theBusinessMan> this is the client.conf i'm currently running and it has the vpn running at least i can ping 10.8.0.1
22:57 < theBusinessMan> http://pastebin.com/QwfkpnYh
22:57 < krzee> read this again
22:57 < krzee> !configs
22:57 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
22:58 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Read error: No route to host]
22:59 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
23:00 < theBusinessMan> ok one moment
23:01 < theBusinessMan> http://pastebin.com/mNkZA3Zw
23:01 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Client Quit]
23:02 < theBusinessMan> that was server.conf actually
23:03 < theBusinessMan> this is client.conf
23:03 < theBusinessMan> http://pastebin.com/68q7X10y
23:05 < theBusinessMan> so afaik at the moment the tunnel is working but not encrypted... and 2) i have some issue with this: Sat Dec 4 08:10:25 2010 TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use
23:06 < theBusinessMan> i think i should get the encryption working before i worry about pushing all my internet traffic over the vpn
23:06 -!- W0rmF00d [~wormfood@183.39.103.83] has joined #openvpn
23:08 -!- abeehc [~bob@d207-6-195-163.bchsia.telus.net] has quit [Remote host closed the connection]
23:08 -!- WormFood [~wormfood@183.39.107.104] has quit [Ping timeout: 240 seconds]
23:17 -!- infid [~infid@99-101-15-134.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
23:18 < krzee> !path
23:18 <@vpnHelper> "path" is It is a good idea to use full paths in your config.
23:19 < theBusinessMan> weird, now my /etc/init.d/openvpn start       returns FAILED
23:19 < theBusinessMan> i didn't change anything
23:19 < theBusinessMan> but not can't start the service
23:19 < krzee> i dont care about that way, use openvpn <configfile>
23:19 < krzee> if it is not already running
23:20 < krzee> once you get openvpn working, figure out the linux specific startup method for your distro
23:20 < theBusinessMan> ok
23:20 < theBusinessMan> just clueless why it wnot start anymore i changed nothing
23:20 < krzee> ps auxw|grep openvpn
23:21 < theBusinessMan> -bash-3.2# ps aux|grep openvpn
23:21 < theBusinessMan> root      2827  0.0  0.4  40744  2360 ?        S    06:15   0:00 openvpn --dev tun0
23:21 < theBusinessMan> root      2946  0.0  0.1   6136   608 pts/1    S+   06:21   0:00 grep openvpn
23:21 < krzee> kill -9 2827
23:21 < krzee> openvpn /path/to/config
23:22 < theBusinessMan> killed it
23:22 < krzee> i cant help with the centos stuff, but im sure theres channels for that, we only care bout openvpn here ;]
23:22 < theBusinessMan> yep
23:22 < krzee> i use fbsd / osx
23:23 < theBusinessMan> but the fact that i got cleartext going over the tunnel must be centos problem
23:23 < theBusinessMan> u saw my client and server.conf and they are fine
23:23 < krzee> try by using openvpn and see what happens
23:23 < krzee> and use full paths in your configs
23:23 < krzee> openvpn has no default
23:23 < theBusinessMan> well now im able to start openvpn again thanks to killing that process, ty
23:24 < theBusinessMan> ah one sec i know where that is
23:24 < theBusinessMan> you mean the openvpn file? in my centos its at /etc/init.d/openvpn
23:25 < theBusinessMan> i can vi into that
23:25 < krzee> dude
23:25 < krzee> thats your os specific stuff
23:26 < krzee> i dont care about it
23:26 < krzee> openvpn is a binary
23:26 < krzee> you have a config
23:26 < krzee> in that config you changed all filenames to full paths
23:26 < theBusinessMan> your telling me to explicitly type full paths to the crt and key files
23:26 < krzee> now you run it by typing openvpn /path/to/config
23:26 < krzee> yes
23:26 < krzee> i am, for the third time
23:26 < krzee> !path
23:26 <@vpnHelper> "path" is It is a good idea to use full paths in your config.
23:45 < theBusinessMan> that offical HOWTO document doesn't mention a single time about any openvpn config file
23:47 < theBusinessMan> maybe i could find the config file if i knew what name it has
23:47 < theBusinessMan> but can't find any reference on the internet to any config file
23:47 < theBusinessMan> only server and client.conf
23:49 < krzee> lol
23:50 < krzee> you pastebin'ed them
23:50 < krzee> im starting to wonder if you're trolling or serious
23:52 < theBusinessMan> what
23:52 < theBusinessMan> u were talking about client.conf and server.conf?
23:52 < theBusinessMan> i thought u were saying there is some central configuration file for openvpn
23:52 < theBusinessMan> i was on a goose chase and yes im serious
23:53 < theBusinessMan> i know exactly where those conf files are and how to edit them
23:53 < theBusinessMan> anyway adding full paths now , fingers crossed
23:59 < theBusinessMan> well... did full paths and still get warningggggg all data sent in cleartext
23:59 < theBusinessMan> while i was editing those files i added cipher AES-256-CBC for good measure
--- Day changed Sun Dec 05 2010
00:01 < theBusinessMan> and im certainly not trolling, i really appreciate your help
00:01 < theBusinessMan> no1 else would help lol
00:03 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Stuck at a step during configuring openvpn :: Reply by ilovegrolsc <https://forums.openvpn.net/viewtopic.php?f=4&t=7351&p=8634#p8634>
00:04 < theBusinessMan> just posted logs from last connection... i dunno maybe encryption is working? i mean it now mentions aes 256 which i just added to the confs
00:05 < krzee> how did you start it?
00:05 < krzee> that doesnt say anything about cleartext
00:06 < krzee> that is encrypted
00:06 < theBusinessMan> i use openvpn windows gui tool
00:06 < krzee> ok well it worked
00:07 < theBusinessMan> i dont even know what openvpn --dev tun0   means but it always says warning
00:07 < krzee> hah
00:07 < krzee> you need to tell it to use your config
00:08 < theBusinessMan> ahhhhhhhhhhhhh
00:08 < krzee> !--
00:08 <@vpnHelper> "--" is OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix must be removed when an option is placed in a configuration file.
00:08 < krzee> when someone says --dev tun they mean the line dev tun appears in the config
00:09 < krzee> and instead of tun0 you just use tun to make it dynamic
00:09 < krzee> with tun0 you would need to make a static interface before
00:10 < theBusinessMan> ok
00:10 < theBusinessMan> perhaps its working fine then
00:11 < theBusinessMan> google realy is a fail when it comes to all this
00:13 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
00:16 < theBusinessMan> !linnat
00:16 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
00:17 -!- infid [~infid@99-101-15-134.lightspeed.sndgca.sbcglobal.net] has quit [Ping timeout: 255 seconds]
00:19 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
00:19 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has quit [Ping timeout: 265 seconds]
00:20 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn
00:34 < theBusinessMan> !ipforward
00:34 <@vpnHelper> "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
00:34 < theBusinessMan> !linipforward
00:34 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
00:34 < theBusinessMan> ahhh
00:34 < theBusinessMan> i c
01:02 < theBusinessMan> .
01:07 -!- freaky[t] [alpha@freakyy.de] has quit [Remote host closed the connection]
01:13 -!- freaky[t] [alpha@freakyy.de] has joined #openvpn
01:24 < theBusinessMan> any helping hand still out there? i added push "redirect-gateway def1" to server.conf,  net.ipv4.ip_forward = 1 to sysctl.conf then restarted the vps
01:24 < theBusinessMan> then i can't visit any websites on my computer so need set up NAT
01:24 < theBusinessMan> so...
01:25 < theBusinessMan> -bash-3.2# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
01:25 < theBusinessMan> iptables: Unknown error 18446744073709551615
01:25 < theBusinessMan> as you can see i get unkown error
01:29 < theBusinessMan> so at the moment im stuck with all my net traffic being sent over the vpn, but not a single packet being returned
01:46 <@vpnHelper> RSS Update - forum: Configuration :: open vpn firewall :: Author mehdi2010 <https://forums.openvpn.net/viewtopic.php?f=6&t=7359&p=8635#p8635>
01:48 < krzee> then you're down to linux specific stuff
01:49 < krzee> your iptables NAT, and your startup thing
01:49 < krzee> your opevpn stuff is done =]]
02:01 < theBusinessMan> ok
02:01 < theBusinessMan> thx for the help
02:01 < theBusinessMan> i'll find a linux place
02:02 < theBusinessMan> be back if run into openvpn specific issue
02:02 -!- theBusinessMan [dannielle@82-168-191-228.ip.telfort.nl] has quit []
02:22 < roentgen_> !winipforward
02:22 <@vpnHelper> "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
02:31 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
02:46 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
03:47 -!- master_of_master [~master_of@p57B55DE9.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
03:49 -!- master_of_master [~master_of@p57B57D1A.dip.t-dialin.net] has joined #openvpn
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
04:09 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
04:10 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
04:20 -!- common- [~common@p5DDA4A70.dip0.t-ipconnect.de] has joined #openvpn
04:23 -!- common [~common@p5DDA43CD.dip0.t-ipconnect.de] has quit [Ping timeout: 255 seconds]
04:23 -!- common- is now known as common
04:30 -!- dazo_afk is now known as dazo
04:36 -!- W0rmF00d is now known as WormFood
04:41 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has quit [Ping timeout: 265 seconds]
04:44 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn
04:58 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
05:10 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
05:10 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
05:10 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
05:45 -!- beric [~ErI@bzq-79-181-28-254.red.bezeqint.net] has joined #openvpn
05:57 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
06:02 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
06:28 -!- kerfe [~a@114.pool85-60-138.dynamic.orange.es] has joined #openvpn
06:47 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
06:47 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
06:47 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
07:14 -!- beric [~ErI@bzq-79-181-28-254.red.bezeqint.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.12/20101027124735]]
07:24 -!- krzee [~k@openvpn/community/support/krzee] has quit [Remote host closed the connection]
07:27 -!- dazo is now known as dazo_afk
07:33 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 240 seconds]
07:41 -!- atan [~atan@unaffiliated/atan] has quit [Quit: null]
07:47 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 245 seconds]
07:50 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
08:12 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Quit: Leaving]
08:19 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
08:20 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Quit: Távozom]
08:26 -!- s7r [~s7r@93.174.95.145] has joined #openvpn
08:35 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
08:40 -!- luneff [~yury@84.51.205.82] has joined #openvpn
09:03 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
09:10 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has quit [Ping timeout: 240 seconds]
09:36 -!- luneff [~yury@84.51.205.82] has quit [Read error: No route to host]
09:36 -!- luneff [~yury@84.51.205.82] has joined #openvpn
09:52 -!- bitterman [~yury@84.51.205.82] has joined #openvpn
09:55 -!- luneff [~yury@84.51.205.82] has quit [Ping timeout: 245 seconds]
09:59 -!- bitterman [~yury@84.51.205.82] has quit [Ping timeout: 245 seconds]
10:22 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn
10:22 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
10:26 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has quit [Ping timeout: 240 seconds]
10:31 -!- adawda [~awda@p5B03F923.dip.t-dialin.net] has joined #openvpn
10:33 -!- s7r1 [~s7r@93.174.95.189] has joined #openvpn
10:34 -!- s7r is now known as Guest53826
10:35 -!- s7r1 [~s7r@93.174.95.189] has left #openvpn []
10:35 -!- Guest53826 [~s7r@93.174.95.145] has quit [Ping timeout: 250 seconds]
10:37 -!- adawda [~awda@p5B03F923.dip.t-dialin.net] has quit [Ping timeout: 245 seconds]
10:49 -!- adawda [~awda@zeus235.dentoo.info] has joined #openvpn
10:57 -!- adawda [~awda@zeus235.dentoo.info] has quit [Ping timeout: 272 seconds]
11:15 -!- reiffert_ [~thomas@mail.reifferscheid.org] has joined #openvpn
11:15 -!- Dougy [me@tech.qsi.net] has joined #openvpn
11:16 -!- agagag_ [~anton@eudaimonia.goto10.org] has joined #openvpn
11:16 -!- ksk_ [~ksk@im.knubz.de] has joined #openvpn
11:16 -!- Netsplit *.net <-> *.split quits: buntfalke
11:16 -!- Netsplit *.net <-> *.split quits: agagag, ksk, reiffert, Dougy_, rjd_
11:16 -!- rjd__ [~rjd@212.112.31.11] has joined #openvpn
11:16 -!- Netsplit over, joins: buntfalke
11:20 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
11:28 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Read error: Connection reset by peer]
11:29 -!- infid [~infid@99-101-15-134.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
11:29 < infid> how come when i disconnect from my vpn (i'm using ubuntu's NetworkManager), when i type 'route' it shows:  <ip of VPN Server>  home            255.255.255.255 UGH   0      0        0 eth0
11:29 < infid> i can tell i'm not still connected in the sense that the internal IPs of the vpn no longer work, but why does the VPN's ip show up in the routing table at all if i disconnected?
11:29 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
11:35 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Read error: Connection reset by peer]
11:35 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
11:37 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
11:44 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
12:03 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
12:13 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
12:19 -!- krzee [~k@ftp.secure-computing.net] has joined #openvpn
12:19 -!- krzee [~k@ftp.secure-computing.net] has quit [Changing host]
12:19 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
12:25 -!- infid [~infid@99-101-15-134.lightspeed.sndgca.sbcglobal.net] has quit [Read error: Operation timed out]
12:25 -!- infid [~infid@99-101-15-134.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
12:26 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 250 seconds]
12:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
12:39 -!- Rolybrau [~Rolybrau@228-25.3-85.cust.bluewin.ch] has joined #openvpn
12:39 -!- Rolybrau [~Rolybrau@228-25.3-85.cust.bluewin.ch] has quit [Changing host]
12:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
12:55 -!- ftp [~solo@billymays.info] has joined #openvpn
12:58 -!- ftp [~solo@billymays.info] has quit [Client Quit]
12:58 -!- nesta [~solo@stoned.coffeeaddict.net] has quit [Quit: leaving]
12:59 -!- nesta [~solo@billymays.info] has joined #openvpn
13:12 -!- nesta [~solo@billymays.info] has quit [Quit: leaving]
13:13 -!- ftp [~solo@billymays.info] has joined #openvpn
13:13 -!- ftp is now known as nesta
13:15 -!- nesta [~solo@billymays.info] has quit [Client Quit]
13:47 -!- adawda [~awda@zeus235.dentoo.info] has joined #openvpn
13:54 -!- mrpog [80eb1c18@gateway/web/freenode/ip.128.235.28.24] has joined #openvpn
13:54 < mrpog> hi anyone setup openvpn on a pfsense 2.0 firewall
13:54 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 259 seconds]
14:22 < mrpog> hi anyone here
14:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
14:35 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
14:38 -!- Speedy2 [~JohnnyJac@76.88.67.189] has joined #openvpn
14:38 < Speedy2> Hey all.  I just compiled OpenVPN 2.1.4 on Linux
14:39 < Speedy2> The install.sh script seems to return a weird error
14:39 < Speedy2>  ./install-sh
14:39 < Speedy2> ./install-sh: no input file specified.
14:39 < Speedy2> make install invokes install-sh and returns the same error.
14:39 < Speedy2> Any ideas?
14:40 -!- adawda [~awda@zeus235.dentoo.info] has quit [Ping timeout: 264 seconds]
14:41 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
14:41 <@vpnHelper> RSS Update - forum: Configuration :: OPENVPN Client and NAT'ing :: Author wvwavere <https://forums.openvpn.net/viewtopic.php?f=6&t=7360&p=8636#p8636>
14:45 -!- nunya [~thisguy@c-98-217-98-164.hsd1.ma.comcast.net] has joined #openvpn
14:45 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
14:47 -!- nunya [~thisguy@c-98-217-98-164.hsd1.ma.comcast.net] has quit [Client Quit]
14:48 -!- nunya [~thisguy@c-98-217-98-164.hsd1.ma.comcast.net] has joined #openvpn
14:48 < nunya> Hi everyone
14:49 -!- mrpog [80eb1c18@gateway/web/freenode/ip.128.235.28.24] has quit [Ping timeout: 265 seconds]
14:50 < nunya> anybody here?
14:53 -!- adawda [~awda@p5B03F923.dip.t-dialin.net] has joined #openvpn
14:56 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
14:58 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
14:58 <@vpnHelper> RSS Update - forum: Configuration :: Re: OPENVPN Client and NAT'ing :: Reply by wvwavere <https://forums.openvpn.net/viewtopic.php?f=6&t=7360&p=8637#p8637>
14:58 -!- nunya [~thisguy@c-98-217-98-164.hsd1.ma.comcast.net] has left #openvpn ["Leaving"]
14:59 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
15:03 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
15:05 -!- luneff [~yury@84.51.198.222] has joined #openvpn
15:10 -!- nunya [~thisguy@c-98-217-98-164.hsd1.ma.comcast.net] has joined #openvpn
15:12 -!- adawda [~awda@p5B03F923.dip.t-dialin.net] has quit [Ping timeout: 260 seconds]
15:21 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has joined #openvpn
15:28 -!- infid [~infid@99-101-15-134.lightspeed.sndgca.sbcglobal.net] has quit [Read error: Operation timed out]
15:32 -!- infid [~infid@rrcs-173-198-12-38.west.biz.rr.com] has joined #openvpn
15:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
15:53 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- In tests, 0x09 out of 0x0A l33t h4x0rz prefer it :)]
15:58 -!- JakeSays [~quassel@c-98-202-184-139.hsd1.ut.comcast.net] has quit [Remote host closed the connection]
16:00 -!- JakeSays [~quassel@c-98-202-184-139.hsd1.ut.comcast.net] has joined #openvpn
16:00 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
16:00 -!- nunya [~thisguy@c-98-217-98-164.hsd1.ma.comcast.net] has quit [Ping timeout: 255 seconds]
16:06 -!- s7r [~s7r@static.24.231.63.178.clients.your-server.de] has joined #openvpn
16:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
16:07 < s7r> !ipv6
16:07 <@vpnHelper> "ipv6" is (#1) http://www.greenie.net/ipv6/openvpn.html for ipv6 payload patch (adds some nice ipv6 options), or (#2) see !snapshots for a release with ipv6 patches in it, report how it works to help it get included in a stable release
16:13 -!- nunya [~thisguy@c-98-217-98-164.hsd1.ma.comcast.net] has joined #openvpn
16:25 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
16:31 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 240 seconds]
16:39 -!- nunya [~thisguy@c-98-217-98-164.hsd1.ma.comcast.net] has quit [Ping timeout: 260 seconds]
16:41 -!- infid [~infid@rrcs-173-198-12-38.west.biz.rr.com] has left #openvpn []
16:53 -!- infid [~infid@rrcs-173-198-12-38.west.biz.rr.com] has joined #openvpn
16:54 < infid> why on the vpn, in order to ssh to anything internally, i have to ping it first?
16:58 -!- szr [~SR@unaffiliated/szr] has quit [Read error: Connection reset by peer]
17:03 -!- szr [~SR@unaffiliated/szr] has joined #openvpn
17:08 -!- luneff [~yury@84.51.198.222] has quit [Read error: No route to host]
17:10 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
17:40 -!- s7r [~s7r@static.24.231.63.178.clients.your-server.de] has left #openvpn []
17:48 -!- nunya [~thisguy@c-98-217-98-164.hsd1.ma.comcast.net] has joined #openvpn
17:52 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Ping timeout: 250 seconds]
18:02 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
18:22 -!- nunya [~thisguy@c-98-217-98-164.hsd1.ma.comcast.net] has quit [Ping timeout: 265 seconds]
18:23 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:24 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
18:44 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
18:44 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
19:11 < krzie> infid, i have never heard of that
19:11 < krzie> maybe weird firewall
19:12 -!- magicblaze007 [~magicblaz@67.237.112.232] has left #openvpn []
19:21 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
19:39 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Ping timeout: 276 seconds]
19:42 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
19:43 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Excess Flood]
19:43 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
19:56 -!- nunya [~thisguy@c-98-217-98-164.hsd1.ma.comcast.net] has joined #openvpn
20:10 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Read error: Connection reset by peer]
20:13 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
20:20 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
20:22 -!- szr [~SR@unaffiliated/szr] has quit [Ping timeout: 245 seconds]
20:32 -!- kerfe [~a@114.pool85-60-138.dynamic.orange.es] has quit [Quit: • IRcap • 8.6 •]
21:20 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 245 seconds]
21:20 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
22:03 -!- dann [dann@82-168-191-228.ip.telfort.nl] has joined #openvpn
22:03 < dann> !linat
22:07 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
22:15 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 255 seconds]
22:15 < dann> !linnat
22:15 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
23:01 -!- abeehc [~bob@d207-6-195-163.bchsia.telus.net] has joined #openvpn
23:02 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
23:09 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
23:37 < infid> does being connected to a VPN slow down your whole local internet much?
23:37 < infid> i know the vpn itself can be slow
23:37 <@vpnHelper> RSS Update - forum: Forum & Website Support :: Help?? :: Author iamgeniusrnt <https://forums.openvpn.net/viewtopic.php?f=30&t=7361&p=8638#p8638>
23:57 -!- WormFood [~wormfood@183.39.103.83] has quit [Ping timeout: 265 seconds]
--- Day changed Mon Dec 06 2010
00:19 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
00:23 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Ping timeout: 264 seconds]
01:11 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 265 seconds]
01:27 -!- dann [dann@82-168-191-228.ip.telfort.nl] has quit [Read error: Connection reset by peer]
01:27 -!- dann [dann@82-168-191-228.ip.telfort.nl] has joined #openvpn
01:33 -!- dann [dann@82-168-191-228.ip.telfort.nl] has quit []
01:46 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:01 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has quit [Ping timeout: 265 seconds]
02:03 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
02:04 -!- dazo_afk is now known as dazo
02:05 -!- infid [~infid@rrcs-173-198-12-38.west.biz.rr.com] has quit [Ping timeout: 240 seconds]
02:07 -!- infid [~infid@99-101-15-134.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
02:11 -!- sigius [~sigius@93.125.185.45] has joined #openvpn
02:19 -!- mape2k [~jabber@galatea.net.pennewiss.de] has joined #openvpn
02:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
02:40 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has joined #openvpn
02:44 -!- s7r [~s7r@89.39.174.74] has joined #openvpn
02:49 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has quit [Ping timeout: 240 seconds]
02:52 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
03:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
03:12 -!- raidzx [~Andrew@seance.openvpn.org] has joined #openvpn
03:16 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has quit [Ping timeout: 272 seconds]
03:36 < rjd__> the /30 ip pool thingie, will first client be .6, second .10, third .14 etc etc?
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
03:45 -!- WinstonSmith [~true@f052102007.adsl.alicedsl.de] has joined #openvpn
03:47 -!- master_of_master [~master_of@p57B57D1A.dip.t-dialin.net] has quit [Ping timeout: 260 seconds]
03:49 -!- WinstonSmith [~true@f052102007.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
03:49 -!- master_of_master [~master_of@p57B55069.dip.t-dialin.net] has joined #openvpn
03:50 -!- Speedy2 [~JohnnyJac@76.88.67.189] has left #openvpn ["Konversation terminated!"]
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
04:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
04:00 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
04:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
04:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
04:14 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
04:18 -!- le0 [~fin@unaffiliated/le0] has quit [Client Quit]
04:20 -!- common- [~common@p5DDA493F.dip0.t-ipconnect.de] has joined #openvpn
04:24 -!- common [~common@p5DDA4A70.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
04:24 -!- common- is now known as common
04:28 -!- Urania [~CO_EXMUD@81.85.205.78] has joined #openvpn
04:28 -Urania:#openvpn- hacking software download http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
04:28 < Urania> download this http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
04:28 -!- Urania [~CO_EXMUD@81.85.205.78] has left #openvpn []
04:30 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
04:34 < |Mike|> *sigh*
04:45 <@vpnHelper> RSS Update - forum: Configuration :: Access policies on Windows host :: Author Cyrus XIII <https://forums.openvpn.net/viewtopic.php?f=6&t=7362&p=8639#p8639>
04:59 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
04:59 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
04:59 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:02 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Remote host closed the connection]
05:05 -!- Urania [~CO_EXMUD@81.85.205.78] has joined #openvpn
05:05 -Urania:#openvpn- look http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
05:05 < Urania> hacking software download http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
05:05 -!- Urania [~CO_EXMUD@81.85.205.78] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
05:10 < |Mike|> for fuck sake
05:10 < |Mike|> dazo: awake?
05:10 < |Mike|> patelx: awake?
05:10 < |Mike|> ecrist: ?
05:10 < |Mike|> krzee: ?
05:10 <@dazo> daemon: I am
05:10 <@dazo> gah
05:11 < |Mike|> dazo: could you ban Urania?
05:11 <@dazo> |Mike|: I'm on it
05:14 -!- mode/#openvpn [+p] by dazo
05:15 -!- mode/#openvpn [-p] by dazo
05:16 -!- mode/#openvpn [+b *!Urania@*] by dazo
05:16 -!- mode/#openvpn [+b *!*@81.85.205.78] by dazo
05:22 < |Mike|> eeh
05:22 < |Mike|>  /unban 1
05:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
05:42 -!- macsppadic [~sonupunno@88.211.55.77] has joined #openvpn
05:54 -!- le0 [~fin@82.132.248.212] has joined #openvpn
05:54 -!- le0 [~fin@82.132.248.212] has quit [Changing host]
05:54 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
06:04 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 240 seconds]
06:06 -!- mode/#openvpn [+b Urania!*@*] by dazo
06:06 -!- mode/#openvpn [-b *!Urania@*] by dazo
06:20 < ecrist> |Mike|: what's up?
06:21 < ecrist> nm, you always seem to be around when we have problems. :)
06:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
06:24 < hyper_ch> hi ecrist :)
06:29 < rjd__> I have two clients, client1 and client2 on one computer each. I would very much like the "next free ip" to be assigned to the connecting client. But no matter how I do, the client2 always get a higher ip than client1. I do not use ifconfig-pool-persist. What can I do to solve it?
06:30 < rjd__> as for now, client1 always become .6 and client2 become .10
06:31 < hyper_ch> why is it important what ip a client gets?
06:31 -!- mape2k [~jabber@galatea.net.pennewiss.de] has left #openvpn []
06:31 < ecrist> !/30
06:31 <@vpnHelper> "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
06:31 < ecrist> rjd__: ^^^
06:31 < rjd__> no ecrist, that is not my issue. I just dont want the clients to re-use same ip over and over again
06:31 < rjd__> hyper_ch: they feel more anonymous
06:31 < ecrist> rjd__: your issue is /30
06:32 < hyper_ch> rjd__: ah
06:32 < ecrist> I assure you
06:32 < rjd__> no ecrist, its not
06:32 < rjd__> ecrist: you totally misunderstood my question
06:32  * hyper_ch sides with ecrist
06:32 < rjd__> I know why /30 happens, and thats fine
06:32 < ecrist> that's why one client gets .6 and another get .30
06:32 < ecrist> .10*
06:32 < rjd__> I know, seriously
06:32  * hyper_ch doesn't have a cloue about it but ecrist knows a fair deal
06:32 < rjd__> I just dont want the clients to get the SAME ip over and over
06:32 < ecrist> rjd__: they're going to
06:32 < rjd__> They are not
06:33 < ecrist> sure they are.  if you have nobody connected, the first client to connect is going to get the first /30
06:33 < rjd__> I connected client1, then client2; they got .6 and .10. I then disconnected both and reconnected client2, who got .10 again
06:33 < ecrist> the second will get the next /30
06:33 < ecrist> do you have ipp enabled?
06:33 < rjd__> no
06:33 < ecrist> how long is that client disconnected?
06:33 < rjd__> matter of seconds :)
06:33 < ecrist> that's likely the problem.
06:33 < rjd__> let me retry
06:34 < |Mike|> ecrist: yeah
06:34 < ecrist> as hyper_ch said, not sure why that matters.
06:35 < hyper_ch> ecrist: he wants to have random vpn ips assigned because he thinks it makes his clients for more anonymous
06:35 < rjd__> No I dont
06:35 < rjd__> but my clients think it does
06:35 < hyper_ch> that's what I meant to say
06:35 < hyper_ch> rjd__: you are willing to provide security through obscurity because your clients feel safer
06:35 < rjd__> hyper_ch: I am
06:35 < hyper_ch> I would rather tell them why it doesn't make them any safer
06:35 < hyper_ch> much less headache
06:37 < rjd__> ecrist: disconnected about 4 minutes ago. Now I reconnected client2 who got .10.
06:38 < rjd__> the log file of openvpn server says:  MULTI: Learn: 10.100.0.10 -> client2/x.y.z.x
06:39 < ecrist> rjd__: there must be something that remembers IPs for a short duration.  not sure what that would be.
06:39 < rjd__> or as long as the daemon is alive? :/
06:39 < rjd__> or for as long as*
06:39 < ecrist> no, that's not the case
06:39 < rjd__> okey
06:39 <@dazo> rjd__: it doesn't make much sense ... but it's possible to do what you want, with randomised IP addresses using a script via --client-connect on the server side, iirc ... that script can write "push ifconfig" stuff with the assigned IP address.  The filename is given as a parameter to this script. iirc
06:41 -!- adawda [~awda@p5B03F061.dip.t-dialin.net] has joined #openvpn
06:41 < rjd__> dazo: so expected behaviour is to learn clients and ips, and does not forget until daemon is restarted?
06:41 <@dazo> rjd__: then that's what you need to code into your own script
06:41 < ecrist> rjd__: without ipp, openvpn doesn't remember for the entire time it's running.
06:42 <@dazo> but it will always assign the lowest available IP addresses first to new clients
06:43 < rjd__> dazo: I just want the clients to get the ips in order of connection, so if client2 connects first any given day he would be given .6 (even though he got .10 today)
06:43 < ecrist> between days, that *should* happen.
06:44 < rjd__> great ecrist, I'll monitor it closely and hopefully it does
06:44 < rjd__> between days would be fine
06:44 <@dazo> rjd__: then don't use ifconfig-pool-persist at all ... and that *will* happen ... That's what I see on my logs on my setups every day
06:44 < ecrist> but, that's only if client1 isn't already connected
06:44 < rjd__> dazo: I am not using it at all.
06:46 <@dazo> rjd__: then try to connect three clients to your server ... disconnect the first and the last one ... and then connect the "last one" and notice which IP it gets
06:47 <@dazo> rjd__: also make sure you don't use any --client-config-dir stuff which might interfere with the IP address assignments
06:47 < rjd__> Im not using ccd. Will try with a third client as you said
06:49 <@vpnHelper> RSS Update - forum: Installation Help :: OpenVPN on Droid :: Author iamgeniusrnt <https://forums.openvpn.net/viewtopic.php?f=5&t=7363&p=8640#p8640>
06:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
06:54 -!- corretico [~corretico@201.201.44.82] has quit [Read error: Operation timed out]
06:55 -!- adawda [~awda@p5B03F061.dip.t-dialin.net] has quit [Quit: Suck on my dick while I fuck that ass, HEY!]
06:59 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
07:03 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 260 seconds]
07:20 -!- pyther24 [~pyther@unaffiliated/pyther] has joined #openvpn
07:20 < pyther24> Hello
07:21 < pyther24> I want to create a vpn box but I'm trying to figure out if I should give it an address on my main network (10.25.11.254), or on my vpn network (10.25.80.0) or a /30 address between the server and the router, any suggestions?
07:29 -!- s7r [~s7r@89.39.174.74] has left #openvpn []
07:32 -!- nunya [~thisguy@c-98-217-98-164.hsd1.ma.comcast.net] has quit [Remote host closed the connection]
07:34 -!- noisebleed [~quassel@kermit.inescn.pt] has joined #openvpn
07:34 -!- noisebleed [~quassel@kermit.inescn.pt] has quit [Changing host]
07:34 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
07:38 <@dazo> pyther24: use tun mode with a separate network segment for your vpn network ... and then use routing to access other networks across the vpn
07:39 < rjd__> with tun interface, and no client-to-client configured, plus iptables -A INPUT -i tun0 -d my_vpn_net_here -j REJECT, clients can still talk to each others. Why is this, and how can it be solved?
07:40 < pyther24> dazo: with tun mode though, I still need an ip address on the ethernet adapter, right?
07:41 <@dazo> rjd__: you need to check your FORWARD rule ... INPUT/OUTPUT is only relevant to your router .... FORWARD takes what is being sent to other networks/clients
07:41 < pyther24> dazo: I'm goung to use a seperate network for vpn traffic, just trying to figure out what address to give the vpn box
07:41 <@dazo> pyther24: your local network needs an IP address ... but you can even use IP-less tun adapters
07:42 < pyther24> dazo: err... I wasn't clear... my vpn box will be hooked up to  router (layer 3 switch)
07:42 <@dazo> pyther24: in that case, give your vpn a 10.8.0.0/24 address or something else rfc1918 compliant
07:42 < rjd__> oh, right
07:43 < pyther24> So I'm trying to figure out do I have a /30 between the vpn box and the network, do I put the vpn box on the main network, or an the vpn network
07:44 <@dazo> pyther24: aha .. I'd say that extra layer is not needed ... however, having your VPN in a central position as a GW on your network will make it easier to get routing between LAN and VPN to work properly
07:44 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Read error: Connection reset by peer]
07:45 -!- macsppadic [~sonupunno@88.211.55.77] has joined #openvpn
07:45 <@dazo> pyther24: but even if you have your vpn as a separate box in the network, that should also work fine ... you just need to setup your routing tables on your default gw to also know about the VPN network and route traffic to the VPN via your OpenVPN box
07:46 < pyther24> dazo: yah, I got that, just trying to figure out "best" practice
07:47 <@dazo> but it all ends up with what kind of security you want ... of course having a complete separate network (a kind of DMZ) for your VPN server and route traffic from there into your internal network is increased security ... but more work to setup
07:47 < pyther24> yah
07:47 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
07:47 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
07:48 < pyther24> does openvpn create routes automatically for routes that it advertises? or do I need to run iproute on the vpn box?
07:48 <@dazo> pyther24: you configure which routes OpenVPN should know about ... and then you push these routes to clients if you want as well
07:49 <@dazo> pyther24: and these routes being pushed can be separate for each openvpn client, differentiated by the CN in the certificate
07:50 < pyther24> dazo: so if openvpn knows about the routers, the linux machine knows about the routes too?
07:50 < pyther24> errr... routes
07:51 <@dazo> pyther24: yes, openvpn will run the route command upon startup (for server) and on successful connection for clients
07:51 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
07:51 < pyther24> ahh ok, cool
07:51 <@dazo> (meaning setting up the routes)
07:51 <@dazo> !route
07:51 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:51 < pyther24> Now I just need to get my boss to get another static ip from the ISP :)
07:52 <@dazo> pyther24: ^^ look at that !route doc ... that might give some better ideas
07:52 -!- mape2k [~jabber@galatea.net.pennewiss.de] has joined #openvpn
07:52 < pyther24> alright, thanks, my boss is worried about security, but currenty the vpn the isp provides only uses user/pass authentication :X
07:54 <@dazo> pyther24: heh ... well, openvpn without anything extra only supports certificates as the strongest authentication method ... but you have plenty of username/password authentication modules which can be used with or without certificates
07:55 <@dazo> pyther24: and of course, you also have the --tls-auth feature ... which is especially neat if you're using UDP mode (which is recommended anyway) - as that will hide the open UDP on your openvpn server for clients not using the proper --tls-auth key
07:55 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Read error: Operation timed out]
07:56 < pyther24> dazo: thats what I've read, I'm thining about using keys authentication and username/pass authentication, I will hand out flash drives with the key/client on it, and then use password authentication to login
07:56 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
07:56 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
07:56 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
07:56 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
07:57 < pyther24> That should make it fairly user for our users, and then if something happens to the flash drive I can deactive the key
07:57 <@dazo> pyther24: you can check out one of my own project then as well .... http://www.eurephia.net/
07:57 <@vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
07:58 <@dazo> pyther24: currently only TAP mode is supported, but I'm working on TUN support nowadays (almost completed)
08:01 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
08:01 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
08:01 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
08:01 < pyther24> dazo: how is that different than the dual authentication in openvpn?
08:02 <@dazo> pyther24: with dual auth in openvpn, I presume you mean with f.ex. auth-pam or auth-ldap, you will not have an enforced relation between certificates and user names
08:03 <@dazo> pyther24: so eurephia will make sure there is a match between the user account and the certificate ... and based on this combination, you can dynamically update an iptables based firewall granting a restricted access to the internal networks
08:03 < pyther24> ahh so I can connect with one certificate and login as 3 different users
08:03 <@dazo> pyther24: yes, that is possible without having a match between username and passwords
08:04 <@dazo> and of course, eurephia will blacklist too many attempts ... the default openvpn setup will not do that, unless configured so via auth-pam ... not sure how that is with LDAP auth
08:05 < rjd__> a user gets "Message too long", tried lowering MTU etc etc. We're now at 'tun-mtu 1500, tun-mtu-extra 32, mssfix 1200, fragment 1200'. What are the next step to test?
08:05 <@dazo> rjd__: have you tried to run a client with --mtu-test?
08:05 < pyther24> dazo: hmm I like that, but I don't think tap support will work well for us, we have way to much broadcast traffic :-/
08:05 < rjd__> dazo: --cd path --config config.file --mtu-test?
08:06 < rjd__> or just without any other arguments?
08:06 < pyther24> plus only want specific routes on the clients, which I don't think is possible with tap mode
08:06 <@dazo> pyther24: I understand ... well, I have a guy already helping me out with tun support (doing a lot of testing) ... I expect to have it in applied to the source tree within a week or so
08:06 < pyther24> oh really cool
08:06 < pyther24> I'm gonna start implementing this server in a week or two
08:06 <@dazo> rjd__: append --mtu-test
08:07 <@dazo> (it will make the startup of the tunnel much slower ... so don't do it for "production usage" :))
08:07 < pyther24> dazo: how much is much slower?
08:07 < pyther24> oh that wasn't fro me :P
08:07 < rjd__> pyther24: he meant slower when mtu testing
08:07 <@dazo> pyther24: --mtu-test will make the startup much slower :)
08:07 < rjd__> :p
08:08 < pyther24> dazo: I thought you meant eurephia would case startup to be much slower
08:08 < rjd__> dazo: so, having hundreds of different clients, on various connections and in different countries - how do you satisfy them all with mtu, fragments etc?
08:08 <@dazo> pyther24: oh, no not at all :)  well, maybe a second or two ... depending on how hard password hashing you insist on :)
08:09 <@dazo> rjd__: dunno, tbh
08:09 < pyther24> dazo: is it fairly easy to configure?
08:09 <@dazo> pyther24: I think so ;-) .... I hope it is ... I've written a command line utility to do much of the work ... and there's a pretty extensive documentation, including man pages now
08:11 <@dazo> pyther24: basically, you run the eurephia_init tool, which will guide you through the initial setup - creating admin account and setting up defaults ... then you use eurephiadm to register certificates and user accounts and map them ... and then you add a --plugin statement to the OpenVPN config
08:12 < pyther24> cool, doesn't look to hard, are planning on releasing release of eurephia is the next week or so with tun support, or just a git commit?
08:12 <@dazo> but unless you're going for OpenVPN 2.2, you'll need a patched OpenVPN 2.1 unfortunately ... but OpenVPN 2.2 beta5 is out, next 2.2 release will be RC with hopefully a stable openvpn release in January
08:13 <@dazo> pyther24: I'm not having a eurephia release planned yet ... but I'm running the latest git stuff in production on a site of my own (with 5-7 VPN users depending on it)
08:14 <@dazo> pyther24: I want to have PostgreSQL and/or MySQL support in addition for a 1.1 release ... but it might be I change my mind if more people want tun support so badly :)
08:15 < pyther24> dazo: cool, now I just have to decide what distro to use
08:15 <@dazo> heh :)  well, in Debian you have eurephia packages and a patched OpenVPN 2.1 version available already
08:15 < pyther24> I'm thinking about either debian or CentOS
08:15 < pyther24> dazo: well I'd have to recompile eurephia anyways :P
08:15 <@dazo> good point!
08:16 <@dazo> pyther24: well, I'm a CentOS/RHEL/Fedora kind of guy
08:17 <@dazo> pyther24: but building on CentOS (I do use eurephia on one CentOS and one Gentoo box) is a little bit work, as you need a pretty fresh CMake available ... but it is doable
08:17 < pyther24> dazo: yah me too... but CentOS 5.4 is a bit dated
08:17 <@dazo> pyther24: CentOS5.5 is out, though
08:17 <@dazo> pyther24: it's been out for a while already ... That's what I'm using everywhere with CentOS
08:18 < pyther24> dazo: but isn't that still a bit dated?
08:18 <@dazo> pyther24: yes and no ... the base versions are a bit dated ... but the kernel (2.6.18) have backported a lot of stuff, even from the later 2.6.3x kernels
08:19 <@dazo> pyther24: don't listen to what Oracle says about the RHEL kernel :-P
08:19 < pyther24> dazo: haha :P
08:19 < pyther24> does cmake need to be compiled on CentOS or is there an update package some place
08:19 <@dazo> pyther24: and the same for a lot of the other packages .... it's a lot of backports from newer versions, to enable needed features and with bug/security fixes
08:20 <@dazo> pyther24: I don't recall now ... It might be in EPEL5
08:20 <@dazo> CMake 2.6.1 and newer is needed
08:22 < pyther24> dazo: it is, cool
08:22 < pyther24> well I got some work cut out for me :)
08:22 <@dazo> pyther24: cool!  please feel free to drop by #eurephia whenever you wonder about something
08:23 < pyther24> alright, I'm sure you'll see me in the coming weeks
08:23 <@dazo> pyther24: looking fwd to that :)
08:23 < pyther24> I work at a school district, so this is gonna be a "winter break" project
08:24 < pyther24> the vpn the isp provides has virus scanning, cookie filtering and all sorts of crap
08:25 <@dazo> you have pretty much to play with then :)
08:28 < pyther24> dazo: the client will prompt the user for their username / password when they connect, right?
08:28 <@dazo> pyther24: that's correct
08:29 <@dazo> pyther24: look up --auth-user-pass in the man page, you need that in addition in the client configs
08:32 -!- huzpol [~huzur@business-188-111-123-132.static.arcor-ip.net] has joined #openvpn
08:34 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 272 seconds]
08:34 -!- Essobi [~Essobi@74-128-53-127.dhcp.insightbb.com] has joined #openvpn
08:34 -!- Essobi [~Essobi@74-128-53-127.dhcp.insightbb.com] has quit [Client Quit]
08:35 < rjd__> openvpn server OpenVPN 2.1_rc11, client is 2.1.4 stable, --mtu-test generates:  read UDPv4 [EMSGSIZE Path-MTU=1492]: Message too long (code=90) \n NOTE: failed to empirically measure MTU (requires OpenVPN 1.5 or higher at other end of connection).
08:37 < rjd__> dazo: this tells you something? :-)
08:38 <@dazo> rjd__: just that you need to update clients and servers .... and I'd  recommend to read up in the man page for --mtu-test as well
08:40 < rjd__> the man page didnt say much, is there a problem with the rc11 or what do you mean?
08:40 <@dazo> rjd__: rc11 is way old ... the final 2.1 version has been out for about a year now ... and considering there were 22 rc candidates, your rc11 is .... old
08:41 < rjd__> it's debian lenny ;-)
08:41  * dazo is not surprised :)
08:41 < rjd__> it's always like this
08:44 -!- roentgen [~arthur@2001:4d18:3:1:ffff:ffff:ffff:1] has joined #openvpn
08:44 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Read error: Connection reset by peer]
08:44 -!- roentgen [~arthur@2001:4d18:3:1:ffff:ffff:ffff:1] has quit [Changing host]
08:44 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
08:45 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Quit: ZNC - http://znc.sourceforge.net]
08:46 < ecrist> rjd__: debian lenny or not, we don't support anything older than 2.1.x now
08:47 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined #openvpn
08:50 -!- ksk_ [~ksk@im.knubz.de] has left #openvpn []
08:50 -!- macsppadic [~sonupunno@88.211.55.77] has left #openvpn []
08:50 -!- Essobi [~Essobi@74-128-53-127.dhcp.insightbb.com] has joined #openvpn
08:51 -!- _LowKey [rhel@69.197.60.117] has joined #openvpn
08:55 < rjd__> should I remove both fragment and mssfix prior to running mtu test?
08:57 < Essobi> Morning all.
08:59 <@dazo> Essobi: morning!
08:59 < Essobi> yurp
09:04 < ecrist> !mtu
09:04 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 265 seconds]
09:04 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config, or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
09:04 < ecrist> rjd__: ^^^
09:16 -!- JakeSays [~quassel@c-98-202-184-139.hsd1.ut.comcast.net] has quit [Remote host closed the connection]
09:18 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
09:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
09:21 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
09:22 -!- JakeSays [~quassel@c-98-202-184-139.hsd1.ut.comcast.net] has joined #openvpn
09:23 -!- _LowKey [rhel@69.197.60.117] has quit [Quit: changing servers]
09:23 -!- _LowKey [rhel@69.197.60.117] has joined #openvpn
09:24 -!- _LowKey [rhel@69.197.60.117] has quit [Client Quit]
09:24 -!- _LowKey [rhel@69.197.60.117] has joined #openvpn
09:25 -!- _LowKey is now known as LowKey
09:25 -!- LowKey [rhel@69.197.60.117] has quit [Changing host]
09:25 -!- LowKey [rhel@unaffiliated/lowkey] has joined #openvpn
09:26 -!- dazo is now known as dazo_afk
09:28 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Client Quit]
09:28 -!- LowKey [rhel@unaffiliated/lowkey] has joined #openvpn
09:35 -!- funyun [~eddie@ns213451.ovh.net] has joined #openvpn
09:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
09:43 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
09:44 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
09:55 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 255 seconds]
10:07 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
10:09 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 276 seconds]
10:09 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
10:23 -!- krzee [~k@ftp.secure-computing.net] has joined #openvpn
10:23 -!- krzee [~k@ftp.secure-computing.net] has quit [Changing host]
10:23 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
10:25 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
10:27 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
10:32 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Remote host closed the connection]
10:35 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
10:39 -!- le0 [~fin@87.112.250.227] has joined #openvpn
10:39 -!- le0 [~fin@87.112.250.227] has quit [Changing host]
10:39 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
10:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 272 seconds]
10:42 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
10:43 -!- pyther24 [~pyther@unaffiliated/pyther] has quit [Quit: leaving]
10:45 -!- mrrothh [~mrroth@ool-44c07f7c.dyn.optonline.net] has joined #openvpn
10:45 < mrrothh> hi
10:45 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 260 seconds]
10:45 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Remote host closed the connection]
10:45 < mrrothh> how do I configure open vpn in pfsense 2.0
10:45 < krzee> thats a pfsense question
10:46 < krzee> if you get to the commandline or figure out how to upload the config file, it can become a openvpn question
10:46 -!- noisebleed [~quassel@piggy.inescn.pt] has joined #openvpn
10:46 -!- noisebleed [~quassel@piggy.inescn.pt] has quit [Changing host]
10:46 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
10:52 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
10:52 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
10:53 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
11:00 -!- UnterPerro [~UnterPerr@131.94.186.10] has joined #openvpn
11:03 -!- huzpol1 [~huzur@p508735E7.dip.t-dialin.net] has joined #openvpn
11:05 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:06 -!- huzpol [~huzur@business-188-111-123-132.static.arcor-ip.net] has quit [Ping timeout: 272 seconds]
11:16 -!- phusion__ [psn@2607:f0d0:2001:8b::50:1337] has quit [Read error: Operation timed out]
11:17 -!- mrroth [~mrroth@ool-44c07f7c.dyn.optonline.net] has joined #openvpn
11:18 -!- phusion__ [psn@2607:f0d0:2001:8b::50:1337] has joined #openvpn
11:18 -!- mrrothh [~mrroth@ool-44c07f7c.dyn.optonline.net] has quit [Ping timeout: 240 seconds]
11:18 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 260 seconds]
11:19 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
11:21 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Read error: Operation timed out]
11:26 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
11:31 -!- mrroth [~mrroth@ool-44c07f7c.dyn.optonline.net] has quit [Ping timeout: 240 seconds]
11:32 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
11:33 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 260 seconds]
11:36 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
11:49 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 260 seconds]
11:55 -!- mape2k [~jabber@galatea.net.pennewiss.de] has left #openvpn []
12:03 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
12:04 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
12:09 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 260 seconds]
12:09 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
12:14 -!- dazo_afk is now known as dazo
12:18 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 264 seconds]
12:24 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 272 seconds]
12:29 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
12:29 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
12:31 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
12:37 -!- UnterPerro [~UnterPerr@131.94.186.10] has quit [Quit: UnterPerro lives to save another day]
12:38 -!- jobicreatingweb [~jobicreat@adsl-34.109.242.48.tellas.gr] has joined #openvpn
12:38 < jobicreatingweb> hello
12:39 < jobicreatingweb> i have ubuntu 10.04 and i installed Ubuntu Version of OpenVPN Access Server. is this right???
12:39 < jobicreatingweb> or i should install openvpn-2.1.4.tar.gz????
12:39 < jobicreatingweb> pls help
12:41 < hyper_ch> you need the access server?
12:41 < jobicreatingweb> i installed the first and gave me an ip to log in with my root
12:41 < jobicreatingweb> i need to fix a vpn to my comp
12:41 < jobicreatingweb> so i can log in to it from outside
12:41 < hyper_ch> you need the access server?
12:42 < jobicreatingweb> i am  a newb
12:42 < jobicreatingweb> i dont know do i need it
12:42 < jobicreatingweb> ?
12:42 < hyper_ch> and where did you get the access server from=
12:42 < jobicreatingweb> for what i want to do?
12:42 < hyper_ch> IIRC that's payware
12:42 < jobicreatingweb> from openvpn site
12:42 -!- luneff [~yury@84.51.211.242] has joined #openvpn
12:42 < jobicreatingweb> so its not freeware
12:42 < hyper_ch> default ubuntu repos have openvpn included
12:42 < jobicreatingweb> ok understood
12:43 < hyper_ch> that's all you need
12:43 < jobicreatingweb> and how i set that ?
12:43 < jobicreatingweb> from my connections
12:43 < hyper_ch> sudo apt-get install openvpn
12:43 < jobicreatingweb> i already installed that
12:43 < hyper_ch> then setup the server config on the machine that should act as server
12:43 < jobicreatingweb> its my comp
12:43 < hyper_ch> then generate the certs on the server
12:43 < hyper_ch> and finally sudo apt-get openvpn  on the client
12:43 < hyper_ch> and setup the client config
12:44 < jobicreatingweb> how i generate the certs?/
12:45 < jobicreatingweb> how i uninstall the access server?
12:46 < hyper_ch> jobicreatingweb: no clue how you installed the access server
12:46 < hyper_ch> jobicreatingweb: here's my server config:   http://pastebin.ca/2012190
12:47 < hyper_ch> jobicreatingweb: that's how you create the keys:  http://openvpn.net/index.php/open-source/documentation/howto.html#pki
12:47 <@vpnHelper> Title: HOWTO (at openvpn.net)
12:47 < jobicreatingweb> i just whent to the site
12:47 < jobicreatingweb> of openvpn
12:47 < jobicreatingweb> choose ubuntu
12:47 < jobicreatingweb> and there is a file to download
12:48 < jobicreatingweb> i download it installed it and it asked me to configure it
12:48 < jobicreatingweb> in the terminal
12:48 < jobicreatingweb> i put some things that it asked me and ....
12:48 < jobicreatingweb> i found how to uninstall :)
12:49 < hyper_ch> jobicreatingweb: that's one client config  http://pastebin.ca/2012191
12:50 < hyper_ch> jobicreatingweb: and that's the ccd file for the doubie client http://pastebin.ca/2012192
12:52 < jobicreatingweb> brb
12:52 < jobicreatingweb> must restart
12:52 -!- jobicreatingweb [~jobicreat@adsl-34.109.242.48.tellas.gr] has left #openvpn []
12:54 -!- jobicreatingweb [~jobicreat@adsl-34.109.242.48.tellas.gr] has joined #openvpn
12:55 < jobicreatingweb> back
12:55 < jobicreatingweb> i installed the openvpn from the repos
12:55 < hyper_ch> good
12:56 < jobicreatingweb> now what to do
12:56 < jobicreatingweb> i go to my connections
12:56 < hyper_ch> jobicreatingweb: here's my server config:   http://pastebin.ca/2012190
12:56 < jobicreatingweb> and i configure vpn?
12:56 < hyper_ch> jobicreatingweb: that's how you create the keys:  http://openvpn.net/index.php/open-source/documentation/howto.html#pki
12:56 <@vpnHelper> Title: HOWTO (at openvpn.net)
12:56 < hyper_ch> jobicreatingweb: that's one client config  http://pastebin.ca/2012191
12:56 < hyper_ch> jobicreatingweb: and that's the ccd file for the doubie client http://pastebin.ca/2012192
12:57 < jobicreatingweb> ok i will read the how to
12:57 < jobicreatingweb> got it
12:58 < hyper_ch> !howto
12:58 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:02 -!- luneff [~yury@84.51.211.242] has quit [Read error: Connection reset by peer]
13:02 -!- luneff [~yury@84.51.211.242] has joined #openvpn
13:08 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Read error: Operation timed out]
13:13 < jobicreatingweb> very difficult how to
13:13 < jobicreatingweb> linux with win togethere and info and... more
13:13 < jobicreatingweb> its confusing
13:14 < jobicreatingweb> Numbering private subnets it says to the how to
13:14 < jobicreatingweb> and what ????? what should i do?
13:14 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 240 seconds]
13:25 < ecrist> jobicreatingweb: setting up a VpN is going to require some document reading, that's just how it is.
13:26 < jobicreatingweb> i dont have problem reading
13:27 < jobicreatingweb> i see this not usefull
13:27 < jobicreatingweb> at all
13:27 < jobicreatingweb> very confusing
13:27 < ecrist> lots of people use it. lots and lots of people.
13:27 -!- s7r [~s7r@223.27.168.81] has joined #openvpn
13:28 -!- unspin [~unspin@S0106001451226d9c.vc.shawcable.net] has joined #openvpn
13:29 < jobicreatingweb> and lots and lots of people see this confusing as i do
13:29 < jobicreatingweb> but i will still try with this... what ever it is
13:29 < ecrist> *shrug*
13:30 < ecrist> if you can identify specific things that would help, we're willing to make changes.
13:30 < jobicreatingweb> when i will need help i will ask
13:30 < jobicreatingweb> thank you
13:32 <@dazo> jobicreatingweb: you may also try the very easy mini-howto's ... try to get them to work first, then when you understand how things work, you can advance to the more advanced ones .... like this one: http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
13:32 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
13:36 < jobicreatingweb> so as i understand until now
13:37 < jobicreatingweb> i first fix the master certificate authority
13:37 < jobicreatingweb> this is the  first thing i see doing in the how to
13:37 < jobicreatingweb> am i right?
13:37 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
13:38 < ecrist> well, the static-key howto bypasses that and helps you get a basic vpn running first.
13:38 < ecrist> once you can do that, then you can figure out how to setup a CA and distribute certificates.
13:38 < krzee> depends on the goal really
13:38 < jobicreatingweb> the goal is 
13:38 < krzee> if you only have 2 endpoints and dont need forward security, can stick with statickey
13:39 < jobicreatingweb> to fix my pc as vpn so i can connect with from everywhre in my country
13:40 < krzee> so like
13:40 < krzee> !goal
13:40 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:40 < krzee> the second one?
13:40 < krzee> " I would like to access the internet over my vpn" ?
13:41 < jobicreatingweb> access internet over vpn and connect between any computer i would like to my comp
13:43 < jobicreatingweb> so i use routed vpn and i start with creating conf server client files????
13:44 < jobicreatingweb> now i need you help to continue
13:44 < jobicreatingweb> i would like to access my vpn over the internet
13:50 < jobicreatingweb> cant find server.conf no /.../.../.../packages or .././/..
13:50 < ecrist> you need to create the server.conf
13:50 < jobicreatingweb> /.../.../openvpn-2.0
13:50 < jobicreatingweb> a ok
13:58 < jobicreatingweb> i dont have /packages i only have /openvpn
13:58 < ecrist> I have no idea what you're looking for
13:59 < jobicreatingweb> Creating configuration files for server and clients
13:59 < jobicreatingweb> Getting the sample config files
13:59 < jobicreatingweb> It's best to use the OpenVPN sample configuration files as a starting point for your own configuration. These files can also be found in
13:59 < jobicreatingweb>     * the sample-config-files directory of the OpenVPN source distribution
13:59 < jobicreatingweb>     * the sample-config-files directory in /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn-2.0 if you installed from an RPM package
13:59 < jobicreatingweb>     * Start Menu -> All Programs -> OpenVPN -> OpenVPN Sample Configuration Files on Windows
13:59 < jobicreatingweb> Note that on Linux, BSD, or unix-like OSes, the sample configuration files are named server.conf and client.conf. On Windows they are named server.ovpn and client.ovpn.
13:59 < jobicreatingweb> Editing the server configuration file
13:59 < jobicreatingweb> The sample server configuration file is an ideal starting point for an OpenVPN server configuration. It will create a VPN using a virtual TUN network interface (for routing), will listen for client connections on UDP port 1194 (OpenVPN's official port number), and distribute virtual addresses to connecting clients from the 10.8.0.0/24 subnet.
13:59 < jobicreatingweb> Before you use the sample configuration file, you should first edit the ca, cert, key, and dh parameters to point to the files you generated in the PKI section above.
14:00 < ecrist> please don't paste like that into the channel
14:00 < jobicreatingweb> sorry my mistake
14:00 < jobicreatingweb> at the end it says about edit ca,cert ,key so i must pre fix them create them??
14:01 < ecrist> those are for SSL certs
14:01 < ecrist> I believe dazo suggested you try the static-key howto
14:01 < ecrist> !static
14:01 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.5 10.8.0.6 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder
14:01 < ecrist> hrm
14:01 < ecrist> !static-key
14:01 <@vpnHelper> "static-key" is when you use --secret, you are using a static key. this is only valid for point-to-point setups. Static keys are less secure in that they never change. If someone captures your traffic, and then gains your static key a year from now, they can decrypt the captured traffic. Setups that use certs re-key every hour by default
14:01 < ecrist> here: http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
14:01 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
14:02 < jobicreatingweb> thanks 
14:02 < jobicreatingweb> let me read more
14:03 < jobicreatingweb> where i put my ip settings to my internet connection that i already have?
14:04 < ecrist> read the howto
14:10 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
14:12 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Client Quit]
14:12 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
14:12 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
14:12 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
14:16 -!- huzpol1 [~huzur@p508735E7.dip.t-dialin.net] has quit [Quit: Leaving.]
14:23 -!- unspin [~unspin@S0106001451226d9c.vc.shawcable.net] has quit [Ping timeout: 265 seconds]
14:27 -!- s7r [~s7r@223.27.168.81] has left #openvpn []
14:30 -!- phusion__ [psn@2607:f0d0:2001:8b::50:1337] has quit []
14:41 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
15:00 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has joined #openvpn
15:00 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has quit [Client Quit]
15:02 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has joined #openvpn
15:07 < jobicreatingweb> it says to me to open up this port to my firewall
15:07 < jobicreatingweb> 1194
15:07 < jobicreatingweb> its udp?
15:08 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
15:08 < jobicreatingweb> and what ip i will put? example ext port 1194 inter port 1194 udp 192.168.1.?
15:08 < jobicreatingweb> pls help 
15:08 < jobicreatingweb> i am at the end to configure it
15:10 -!- jobicreatingweb [~jobicreat@adsl-34.109.242.48.tellas.gr] has quit [Quit: www.jobi.com.gr]
15:11 -!- commander-ape [~commander@dtmd-4d0bebc4.pool.mediaWays.net] has joined #openvpn
15:11 < Bushmills> sounds like a ubuntu user
15:13 -!- jobicreatingweb [~jobicreat@adsl-34.109.242.48.tellas.gr] has joined #openvpn
15:13 <@dazo> Bushmills: high expectations?
15:13 < commander-ape> hello - i installed openvpn on my server and i am trying to use it - i can connect properly, can ping my server but i am not able to ping any client on the server network - this is a windows 2003 server - i guess this is a routing problem? 10.1.x.x to 192.168.X.X ? what would be the easiest solution? 
15:15 < commander-ape> my w2k3 sbs is not able to do network bridges, is there an easy way? maybe just create a route?
15:15 < Bushmills> dazo: no, it's just the ... style ...  seems to match a certain pattern which i am inclined to attribute to similar reasons 
15:15  * dazo got no further comments :)
15:19 -!- dazo is now known as dazo_afk
15:20 -!- commander-ape [~commander@dtmd-4d0bebc4.pool.mediaWays.net] has quit [Read error: Connection reset by peer]
15:21 -!- commander-ape [~commander@dtmd-4d0bebc4.pool.mediaWays.net] has joined #openvpn
15:26 -!- huzpol [~huzur@business-188-111-123-132.static.arcor-ip.net] has joined #openvpn
15:26 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 260 seconds]
15:31 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 240 seconds]
15:33 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Ping timeout: 260 seconds]
15:35 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
15:37 < huzpol> hi guys i have a problem with my vpn...i use the gui for windows and i get this error:http://pastebin.com/F2g5dJQL
15:39 < huzpol> i cant connect how can i fix it?
15:40 < jobicreatingweb> can t copy the ta.key file
15:40 < jobicreatingweb> permision denied
15:40 < jobicreatingweb> it says
15:43 < jobicreatingweb> ?
15:43 < jobicreatingweb> ?
15:43 < Bushmills> if you don't have enough permissions, you may have to ask somebody who has, to do that foryou  
15:43 < jobicreatingweb> i am the admin the root
15:43 < jobicreatingweb> how this is posible
15:44 < jobicreatingweb> its on my pc
15:44 < Bushmills> you're the admin - you find out :D
15:45 < Bushmills> what OS are you running?
15:46 < huzpol> Bushmills: du you have idee for my problem?
15:46 < huzpol> :-)
15:47 < Bushmills> huzpol: no idea. check whether openvpn isn't already running. make also sure you run it as admin
15:48 < huzpol> Bushmills: dou you think this is a client problem?
15:48 < Bushmills> most likely
15:49 < huzpol> hmmm
15:49 < huzpol> i kill the progress and start it as admin same result :-(
15:53 -!- jobicreatingweb [~jobicreat@adsl-34.109.242.48.tellas.gr] has left #openvpn []
15:56 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
16:02 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Ping timeout: 276 seconds]
16:05 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Read error: Operation timed out]
16:05 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
16:09 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
16:10 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
16:16 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Read error: Connection reset by peer]
16:16 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
16:22 -!- epaphus [~epaphus@201.199.62.74] has joined #openvpn
16:23 < epaphus> Hello. So iam going to be placing a mini server behind a NAT and no IP forwarding from the NATs public IP back to the mini server... If I want to SSH from the outside is my only option to do so is for the mini server to establish a vpn connection to me as a openvpn server and then I SSH in it via the tun private IP? 
16:23 < epaphus> any other alternatives?
16:25 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Quit: Távozom]
16:25 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
16:27 < krzie> thats the way to do it
16:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
16:31 < Bushmills> in general, most any tunnel from mini server to outside machine which allows to to access the remote end of the tunnel is possible. openvpn is one of the solutions to handle that this way
16:32 < Bushmills> thus, the "only option" is relative. but the approach is right.
16:33 < krzie> right
16:38 < Bushmills> had to clarify that, because experience teaches: if there's only one option - better choose the alternative :)
16:43 < epaphus> ok. I dont need a bridged VPN to SSH into a "neighbors" tun IP.. right?
16:43 < Bushmills> that's right
16:43 < Bushmills> ehm
16:43 < Bushmills> stop... "neighbours tun ..." 
16:44 < Bushmills> first you need to connect to a server - there it is determined what your interface will be
16:44 < epaphus> right. I get an IP of 10.0.1.6, my mini server has the IP 10.0.1.5 .. so I just SSH to that IP.. right?
16:48 < epaphus> under this scenario i jsut want to confirm my packets will flow to that IP without the need of the bridge as mentioned :)
16:49 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
16:50 < Bushmills> mtr or traceroute is a way to check+verify
16:56 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 250 seconds]
17:02 -!- luneff [~yury@84.51.211.242] has quit [Read error: Connection reset by peer]
17:03 -!- Champi [Champi@damn.e-leet.be] has quit [Quit: Quit]
17:03 -!- luneff [~yury@84.51.211.242] has joined #openvpn
17:04 < mant1s> so I suppose I can't generate another client key after i've applied the dh-params huh?
17:04 < mant1s> w/o having to redo everything
17:06 -!- Champi [Champi@damn.e-leet.be] has joined #openvpn
17:09 < Bushmills> observations were made which may indicate an "echo" remainder from before what is commonly known as the "big bang" - in case to be verified, the concept of "everything" may change towards you having to do even more. 
17:11 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn
17:12 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has joined #openvpn
17:18 < krzie> mant1s, please rephrase the question in english
17:18 -!- epaphus [~epaphus@201.199.62.74] has quit [Remote host closed the connection]
17:18 -!- robert83a2 [~robert83a@gandalf.topolauniverzal.com] has joined #openvpn
17:20 -!- huzpol [~huzur@business-188-111-123-132.static.arcor-ip.net] has quit [Quit: Leaving.]
17:22 < robert83a2> hello, i've setup a openvpn server on centos , my config : http://pastebin.com/qwWiqwRR , and the client is OpenVPN Gui latest beta, config file http://pastebin.com/PwzYQD2a , the client connects to the server the route is recieved... but I cannot ping 192.168.1.250 ... on the OpenVPN server (which is the firewall as well) I've modified quagga to also work with 192.168.200.0/24 subnet... any errors in my config ?
17:22 < mant1s> Krzie, all set over here. I was just having some trouble adding a cert for a client
17:22 -!- robert83a2 [~robert83a@gandalf.topolauniverzal.com] has quit [Read error: Connection reset by peer]
17:22 < mant1s> thanks!
17:24 -!- robert83a2 [~robert83a@gandalf.topolauniverzal.com] has joined #openvpn
17:24 < krzie> ok
17:24 < krzie> =]
17:25 < robert83a2> it's the firewall...just stopped it... and pinged... but I wonder what?
17:25 < robert83a2> I allowed tun and tap as well...
17:25 < robert83a2> and traffic to 192.168.200.x
17:25 < robert83a2> will play
17:30 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:31 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
17:36 -!- robert83a2 [~robert83a@gandalf.topolauniverzal.com] has quit [Ping timeout: 240 seconds]
17:38 -!- luneff [~yury@84.51.211.242] has quit [Quit: Leaving]
17:40 -!- robert83a2 [~robert83a@gandalf.topolauniverzal.com] has joined #openvpn
17:40 -!- JPeterson [~JPeterson@s213-103-209-64.cust.tele2.se] has joined #openvpn
17:41 -!- mrrothh [~mrroth@64.20.46.210] has joined #openvpn
17:42 < reiffert_> http://www.youtube.com/watch?v=bldDyRxvFik
17:42 <@vpnHelper> Title: YouTube - Matias Concha Beinbruch! Brutales Ekel-Foul ! 2.Liga Union Berlin- Vfl Bochum (at www.youtube.com)
17:44 < robert83a2> how do I fix this ? allow this incoming source address/port by removing --remote or adding --float
17:44 < robert83a2> this is what I'm getting on the client? i've decieded to put the openvpn server on the main router instead of the firewall
17:46 < reiffert_> think the doctor will have to fix this.
17:46 < robert83a2> oh got it , added float
17:46 < robert83a2> it works nOW :)
17:46 < robert83a2> sorry a bit excited
17:46 < reiffert_> send pics of your boobs.
17:47 -!- robert83a2 [~robert83a@gandalf.topolauniverzal.com] has quit []
17:49 -!- nubix [~opera@188.108.23.170] has joined #openvpn
17:51 -!- mrrothh [~mrroth@64.20.46.210] has quit [Ping timeout: 260 seconds]
17:53 -!- nubix [~opera@188.108.23.170] has left #openvpn []
17:56 -!- err0r [~err0r@89.36.166.222] has quit [Ping timeout: 245 seconds]
17:57 -!- JPeterson [~JPeterson@s213-103-209-64.cust.tele2.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Like it?  Visit #hydrairc on EFNet]
17:58 -!- err0r [~err0r@89.36.166.222] has joined #openvpn
18:02 -!- commander-ape [~commander@dtmd-4d0bebc4.pool.mediaWays.net] has quit [Quit: commander-ape]
18:24 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
18:30 -!- d3v0 [~invisible@unaffiliated/d3v0] has joined #openvpn
18:31 < d3v0> has anybody tried setting up a vpn in ubuntu for sony ericsson x10i ?
18:31 < d3v0> it only accepts PPTP, L2TP and L2TP/IPSec PSK
18:32 < d3v0> any help would be much appreciated 
18:34 < Bushmills> ask ericsson to install an openvpn server on it.
18:34 < d3v0> do i need a server version of ubuntu?
18:35 < Bushmills> you need openvpn on the phone before openvpn on ubuntu will be any use to you
18:35 < d3v0> ah i c
18:35 < d3v0> thanks
18:36 -!- d3v0 [~invisible@unaffiliated/d3v0] has left #openvpn ["Leaving"]
18:39 -!- ilovegrolsc [dann@82-168-191-228.ip.telfort.nl] has joined #openvpn
18:39 < ilovegrolsc> hi
18:41 < ilovegrolsc> !linnat
18:41 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
18:41 < ilovegrolsc> need help please
18:42 < Bushmills> lawyer? medical attention?
18:42 < Bushmills> "spare a dime?"
18:43 < ilovegrolsc> no smartass
18:43 < Bushmills> try praying
18:44 < ilovegrolsc> there's a mental health channel maybe u should idle in there
18:44 < ilovegrolsc> instead of being a jackass when ppl ask for help in a help channel
18:44 < ilovegrolsc> 24 hour a day
18:45 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
18:46 < Bushmills> now, considering your request for help - what reply would you have expected? maybe "surre, just fix the problem on line 3 in your config file"?
18:46 < Bushmills> or "try turning on your computer first"?
18:47 < Bushmills> go an learn how to ask properly for help first.
18:47 < Bushmills> i should just have left you hanging there indefinitely.
18:56 < ilovegrolsc> hahahahah
18:56 < ilovegrolsc> i got it working bitches
18:56 < ilovegrolsc> hahahahahahhaa
18:56 < ilovegrolsc> HAHAHHAHAHAA
18:56 < ilovegrolsc> HAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
18:57 -!- ilovegrolsc [dann@82-168-191-228.ip.telfort.nl] has left #openvpn []
19:02 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 255 seconds]
19:31 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
19:32 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
19:46 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 265 seconds]
19:49 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
20:18 -!- ralnaemi [~ralnaemi@unaffiliated/ralnaemi] has joined #openvpn
20:19 < ralnaemi> Client A <--> OpenVPN Server <--> Client B. If client A were to access something on client B, would the connection be encrypted? Assuming there's no tunneling.
20:22 < theDoc> If there isn't a tunnel, how exactly are they connecting?
20:41 -!- nac909 [~daniell@vps1098.directvps.nl] has joined #openvpn
20:41 < nac909> hola
20:42 -!- nac909 [~daniell@vps1098.directvps.nl] has left #openvpn []
20:42 -!- nac909 [~daniell@vps1098.directvps.nl] has joined #openvpn
20:42 < nac909> whats up in here
20:49 < theDoc> beep boop!
20:54 < nac909> huh
20:55 < nac909> what is beep boop
20:55 < nac909> beep boop!
20:55 -!- twister004 [~chatzilla@59.90.34.167] has joined #openvpn
21:16 -!- openvpn2009 [patel@openvpn/corp/admin/patel] has joined #openvpn
21:16 -!- mode/#openvpn [+o openvpn2009] by ChanServ
21:34 -!- mrrothh [~mrroth@ool-44c07f7c.dyn.optonline.net] has joined #openvpn
21:49 < ralnaemi> theDoc: Sorry. I meant routing.
21:55 < theDoc> Yes, it would be as long as the traf goes into the tunnel
22:02 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has quit [Read error: Operation timed out]
22:04 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined #openvpn
22:17 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:23 < mrrothh> anyone willing to help me with pfsense and openvpn
22:24 < krzie> if you ssh in and use it as a freebsd machine, yes
22:24 < krzie> if you need the pfsense gui, i cant
22:25 < krzie> cause at that point you are asking for help with pfsense, not openvpn... and i dont use pfsense
22:26 < mrrothh> oh
22:26 < mrrothh> oh
22:26 < krzie> if you cant get to cli, try #pfsense, they should be able to help with their openvpn interface
22:27 < mrrothh> k
22:30 -!- twister004 [~chatzilla@59.90.34.167] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.12/20101026210630]]
22:37 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
23:20 -!- sparkymarkd [~mark@200.32.232.149] has joined #openvpn
23:21 -!- mrrothh [~mrroth@ool-44c07f7c.dyn.optonline.net] has quit [Ping timeout: 250 seconds]
23:30 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
23:49 < nac909> what's the highest RSA key length that openvpn supports? 
23:54 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 265 seconds]
23:55 -!- nac909 [~daniell@vps1098.directvps.nl] has quit []
23:55 -!- nac909 [~daniell@vps1098.directvps.nl] has joined #openvpn
--- Day changed Tue Dec 07 2010
00:28 -!- cholo [~cholo@108.117.49.178] has joined #openvpn
00:30 -!- kwame [~kwame@201.166.104.61.cable.dyn.cableonline.com.mx] has joined #openvpn
00:34 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
00:49 -!- sparkymarkd [~mark@200.32.232.149] has quit [Ping timeout: 245 seconds]
00:55 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
00:57 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has quit [Ping timeout: 255 seconds]
00:57 -!- cholo [~cholo@108.117.49.178] has quit [Ping timeout: 265 seconds]
00:58 -!- cholo [~cholo@184-200-110-80.pools.spcsdns.net] has joined #openvpn
01:07 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has joined #openvpn
01:07 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
01:15 -!- LowKey [rhel@unaffiliated/lowkey] has joined #openvpn
01:26 -!- raidzx is now known as raidz
01:26 -!- raidz [~Andrew@seance.openvpn.org] has quit [Changing host]
01:26 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has joined #openvpn
01:30 -!- cholo [~cholo@184-200-110-80.pools.spcsdns.net] has quit [Read error: Connection reset by peer]
01:31 -!- cholo [~cholo@184-200-110-80.pools.spcsdns.net] has joined #openvpn
01:34 <@vpnHelper> RSS Update - forum: Server Administration :: does auth-pam support to terminate a connected session ? :: Author ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7364&p=8641#p8641>
01:54 -!- cholo [~cholo@184-200-110-80.pools.spcsdns.net] has quit [Ping timeout: 265 seconds]
02:04 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
02:12 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has quit [Ping timeout: 255 seconds]
02:29 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 255 seconds]
02:29 -!- Speedy2 [~JohnnyJac@cpe-76-88-67-189.san.res.rr.com] has joined #openvpn
02:30 < Speedy2> Hey all.  I have a quick question about DNS with OpenVPN, anyone around?
02:31 -!- albech [~thomasalb@gatekeeper.cnx.awareidc.com] has joined #openvpn
02:34 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 260 seconds]
02:34 -!- WinstonSmith [~true@e179001061.adsl.alicedsl.de] has joined #openvpn
02:35 -!- WinstonSmith [~true@e179001061.adsl.alicedsl.de] has quit [Client Quit]
02:42 < rjd__> Speedy2: shoot
02:44 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
02:45 < Speedy2> rjd__: Well, the issue is I wanted "normal" DNS requests to go through my normal DNS resolvers and only VPN-specific stuff to the VPN.  But I just modified my hosts file to deal with it.
02:45 -!- dazo_afk is now known as dazo
02:47 < rjd__> ok, don't push dns and dont redirect gateway and it should work as expected :)
02:47 < rjd__> or push the normal dns 
02:48 < Speedy2> rjd__: Well on the VPN, I have servers like web.vpnserver and I wanted that to get resolved to the IP used on the other end of the VPN tunnel and then go across the VPN.  The hosts file seemd to work.
02:57 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
03:16 -!- krzee [~k@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
03:16 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
03:19 -!- krzee [~k@ftp.secure-computing.net] has joined #openvpn
03:19 -!- krzee [~k@ftp.secure-computing.net] has quit [Changing host]
03:19 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
03:25 < reiffert_> :)
03:25 -!- reiffert_ is now known as reiffert
03:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
03:46 -!- master_of_master [~master_of@p57B55069.dip.t-dialin.net] has quit [Read error: Operation timed out]
03:46 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
03:50 -!- master_of_master [~master_of@p57B52B48.dip.t-dialin.net] has joined #openvpn
03:51 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:55 -!- venk [~user@d110-33-204-135.mas801.nsw.optusnet.com.au] has joined #openvpn
04:00 -!- albech [~thomasalb@gatekeeper.cnx.awareidc.com] has quit [Ping timeout: 245 seconds]
04:21 -!- common- [~common@p5DDA4840.dip0.t-ipconnect.de] has joined #openvpn
04:25 -!- common [~common@p5DDA493F.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
04:25 -!- common- is now known as common
04:47 -!- nac909 [~daniell@vps1098.directvps.nl] has quit [Read error: Connection reset by peer]
04:48 -!- nac909 [~daniell@vps1098.directvps.nl] has joined #openvpn
04:48 -!- nac909 [~daniell@vps1098.directvps.nl] has quit [Client Quit]
04:50 -!- macsppadic [~sonupunno@88.211.55.77] has joined #openvpn
04:56 -!- kwame [~kwame@201.166.104.61.cable.dyn.cableonline.com.mx] has quit [Ping timeout: 265 seconds]
05:01 -!- venk [~user@d110-33-204-135.mas801.nsw.optusnet.com.au] has quit [Ping timeout: 240 seconds]
05:07 -!- albech [~thomas@124.157.202.78] has joined #openvpn
05:08 < albech> how can i prevent openvpn from changing my default route on the client. I only wish to route traffic originated to the openvpn servers network through the tunnel.
05:19 -!- mrrothh [~mrroth@ool-44c07f7c.dyn.optonline.net] has joined #openvpn
05:24 -!- mrrothh [~mrroth@ool-44c07f7c.dyn.optonline.net] has quit [Ping timeout: 260 seconds]
05:28 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
05:31 < rjd__> albech: dont push redirect-gateway in server config
05:32 < reiffert> rjd__: and how to care if you cant change the server config?
05:33 < rjd__> Dont know
05:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
05:40 -!- huzpol [~huzur@business-188-111-123-132.static.arcor-ip.net] has joined #openvpn
05:45 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Remote host closed the connection]
05:45 -!- noisebleed [~quassel@kermit.inescn.pt] has joined #openvpn
05:45 -!- noisebleed [~quassel@kermit.inescn.pt] has quit [Changing host]
05:45 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
05:46 < albech> rjd__, i dont. http://pastebin.com/DhYYW824
05:48 -!- bauruine [~stefan@cust.static.46-14-255-113.swisscomdata.ch] has joined #openvpn
05:49 < bauruine> !welcome
05:49 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
05:49 < bauruine> !redirect
05:49 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
05:50 < rjd__> albech: is it possible you pass --redirect-gateway as an argument to the openvpn server?
05:50 < rjd__> perhaps in a "defaults" file, or init script
05:50 < albech> rjd__, doubt it, but will have a look
05:51 < bauruine> hi, is it possible to ignore default routes in the client conf? 
05:51 -!- miltio [~marco@ip-45-99.sn3.eutelia.it] has joined #openvpn
05:51 < miltio> hi
05:52 < miltio> if I want to delete a user, do I need to revoke certificate?
05:52 < miltio> what if I manually delete crt, csr, key?
05:53 < bauruine> found it route-nopull :> 
05:53 < albech> rjd__, does not look like its being passed to the server at start: nobody   28133     1  0 08:04 ?        00:00:00 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --config server.conf --cd /etc/openvpn
05:56 -!- nac909 [~daniell@vps1098.directvps.nl] has joined #openvpn
05:56 <@vpnHelper> RSS Update - forum: Installation Help :: Re: TAP Driver Install Problem in 2.1.2 - KNOWN ISSUE :: Reply by ash <https://forums.openvpn.net/viewtopic.php?f=5&t=7035&p=8642#p8642>
05:58 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
06:03 -!- nac909 [~daniell@vps1098.directvps.nl] has quit [Read error: Connection reset by peer]
06:03 -!- nac909 [~daniell@vps1098.directvps.nl] has joined #openvpn
06:08 < bauruine> another question i have to authentificate with username / pass is it possible to store this information in the config file? it doesn't ever prompt for the username if i start openvpn with the init script. :-/ 
06:16 < hyper_ch> won't by-passing username / password requirement nullify the whole reason as to why it's being demanded to do so?
06:16 -!- nac909 [~daniell@vps1098.directvps.nl] has quit [Ping timeout: 272 seconds]
06:29 -!- adawda [~awda@178-73-209-198.cust.vpntunnel.org] has joined #openvpn
06:36 -!- imushroom [~chatzilla@drms-590c5412.pool.mediaWays.net] has joined #openvpn
06:36 < imushroom> hey
06:36 < imushroom> jemand deutsches da, der sich einwenig mit der matrei auskennt
06:36 < imushroom> überhaupt jemand anwesen aus dem deutschsprachigen raum
06:37 < imushroom> anyone here???
06:37 < adawda> FRAGEZEICHENPOWAH!
06:37 < macsppadic> miltio: the revoking of certificate shud do the trick 
06:37 < imushroom> ^^
06:37 < imushroom> ich brauch hilfe, verdammt :(
06:37 < adawda> ah, deutsch. jo.
06:37 < adawda> kenn ich mich aus? eher nich.
06:37 < adawda> schilder mal das problem
06:38 < adawda> -> qry
06:50 <@dazo> adawda: imushroom: there are some German speaking people here ... but doing it in English will include an even broader audience which might help out ... just saying, nothing else...
06:51 -!- TuxFighter [~TuxFighte@p5DF7B2D5.dip.t-dialin.net] has joined #openvpn
06:52 < TuxFighter> Hi guys I got a script security note while starting openvpn but anythings seems to run
06:52 < TuxFighter> what matter of that
06:52 < TuxFighter> what should I do
06:52 < TuxFighter> Server Linux and Client Windows XP-7
06:53 < adawda> ignore it
06:53 < imushroom> okay i will try in english.... i like to install a vpn server... but the connect clients should only have acces to one local port on one local ip adress... 
06:53 < TuxFighter> german or english
06:53 < TuxFighter> both will work for me
06:53 < TuxFighter> ah its not realted to me sry :-)
06:53 <@dazo> imushroom: that's a firewall question ... so you need to firewall your tunnel device on the server
06:54 < TuxFighter> is there really no security risk ignoring this ?
06:54 < TuxFighter> even not in case of case
06:54 < imushroom> the clients request of download or homepages should work with tghe local internet connectuons of the clients
06:54 < adawda> TuxFighter hah, dunno ^^
06:54 <@dazo> TuxFighter: check out the openvpn-users mailing list ... and probably the forum ... I believe this has been discussed there countless times
06:54 <@dazo> !forum
06:54 <@vpnHelper> Server Administration :: does auth-pam support to terminate a connected session ? :: Author ... || Installation Help :: Re: TAP Driver Install Problem in 2.1.2 - KNOWN ISSUE :: Reply by ash
06:54 <@dazo> !forums
06:55 <@dazo> gah
06:55 < adawda> TuxFighter nobody's ever advised me to get rid of that message... so i'm assuming it's safe
06:55 <@dazo> https://forums.openvpn.net/
06:55 <@vpnHelper> Title: OpenVPN Support Forum Index page (at forums.openvpn.net)
06:55 < TuxFighter> m ok :-)
06:55 < imushroom> ?
06:55 < TuxFighter> futhermore I want to switch to better algo as bluefish what would recommend
06:56 < TuxFighter> Rindjal ?
06:56 < TuxFighter> or anything else
06:56 <@dazo> imushroom: your question is a bit vague for me ... can you reformulate please?
06:56 < adawda> what imushroom is trying to say: only connections to a specific IP & port should be sent over the VPN ...
06:56 < TuxFighter> I would prefer Serpent
06:56 < imushroom> right.....
06:56 < TuxFighter> but there should not be a high performance impact
06:56 < TuxFighter> because we are using samba
06:56 < TuxFighter> over inet
06:56 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:57 <@dazo> TuxFighter: AES256 is what people usually use instead of blowfish .... even though blowfish is not bad, in fact on weaker hardware it may perform better
06:57 < TuxFighter> ok so I should us rindjal
06:58 <@dazo> TuxFighter: rindjal doesn't ring any bells right now ... but if your OpenSSL implementations supports it, then OpenVPN will tackle that fine
06:58 < adawda> dazo Rijndeal = AES
06:58 <@dazo> gah ... such a long name for something with a short abbrev!
06:58 < adawda> :>
06:59 < TuxFighter> yea
06:59 < TuxFighter> its was the winner
06:59 <@dazo> :)
06:59 < TuxFighter> but I personally like sperpent
06:59 < TuxFighter> its only slower
06:59 < TuxFighter> but more secure
06:59 < TuxFighter> but I think its not implemente right ?
07:00 < imushroom> ??
07:00 < TuxFighter> what algo are available in OpenVPM?
07:00 < TuxFighter> *OpenVPN
07:00 <@dazo> TuxFighter: openvpn --show-ciphers .... and openvpn --show-tls  (for PKI key exchange phase with certs)
07:01 < TuxFighter> ih k :-)
07:01 <@dazo> TuxFighter: OpenVPN 100% depends on what OpenSSL supports
07:01 < TuxFighter> ty
07:02 < TuxFighter> oh thats great maybe there should be a way for implementing serpent
07:03 < TuxFighter> is it correct that performance impact of using high algo is more on cpu side instead of network load ?
07:04 < TuxFighter> When its mentioned blowfish is for older machines; does that mean for older cpu or for small networks ?
07:04 <@dazo> TuxFighter: the most CPU intensive part is the key-exchange part when using TLS/PKI ... when the key exchange is performed, symmetric encryption is used, which is not so CPU intensive at all
07:05 < imushroom> can someone help meeee
07:05 < TuxFighter> k
07:05 <@dazo> imushroom: [resending] your question is a bit vague for me ... can you reformulate please?
07:06 < imushroom> only connections to a specific IP & port should be sent over the VPN ...
07:06 < TuxFighter> thanks for your help guys :-)
07:06 <@dazo> imushroom: and then plenty patience is the second ingredient when asking for help on IRC
07:06 < imushroom> not all reqeusts
07:06 <@dazo> imushroom: and I told you ... you need to firewall the specific IP and port on your OpenVPN server
07:06 <@dazo> TuxFighter: you're welcome
07:07 < imushroom> and thats all?
07:07 <@dazo> yes
07:07 < imushroom> omg
07:07 < imushroom> :P
07:08 < imushroom> and how can i make tjhis ?
07:08 <@dazo> imushroom: which OS do you run on your server?
07:08 < imushroom> ubuntu
07:10 <@dazo> imushroom: http://lmgtfy.com/?q=ubuntu+firewall+config
07:10 <@vpnHelper> Title: Let me google that for you (at lmgtfy.com)
07:10 < imushroom> :P
07:14 -!- smerz [~smerz@smerz.demon.nl] has quit [Ping timeout: 264 seconds]
07:15 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
07:16 -!- aliverius [~george@athedsl-377917.home.otenet.gr] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
07:18 -!- p3rror [~mezgani@41.140.152.72] has joined #openvpn
07:19 -!- aliverius [~george@athedsl-377399.home.otenet.gr] has joined #openvpn
07:41 -!- imushroom [~chatzilla@drms-590c5412.pool.mediaWays.net] has quit [Ping timeout: 245 seconds]
07:44 < bauruine> hyper_ch, sorry for the late answer. i've found the option (rtfm ftw -.-) the file is only readable by root. i think it's secure enough for my requirements. 
07:44 < hyper_ch> bauruine: there's no excuse for such a late answer :)
07:45 < hyper_ch> :)
07:48 -!- sparkymarkd [~mark@200.32.232.149] has joined #openvpn
07:50 -!- mape2k [~jabber@galatea.net.pennewiss.de] has joined #openvpn
07:56 -!- adawda [~awda@178-73-209-198.cust.vpntunnel.org] has quit [Ping timeout: 240 seconds]
07:57 -!- kwame [~kwame@201.166.104.61.cable.dyn.cableonline.com.mx] has joined #openvpn
08:01 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
08:03 -!- OtherJakeSays [~quassel@c-98-202-184-139.hsd1.ut.comcast.net] has joined #openvpn
08:05 -!- JakeSays [~quassel@c-98-202-184-139.hsd1.ut.comcast.net] has quit [Ping timeout: 245 seconds]
08:07 -!- krzee [~k@openvpn/community/support/krzee] has quit [Remote host closed the connection]
08:14 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
08:15 -!- bauruine [~stefan@cust.static.46-14-255-113.swisscomdata.ch] has quit [Quit: Leaving]
08:24 -!- sparkymarkd [~mark@200.32.232.149] has quit [Ping timeout: 255 seconds]
08:30 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
08:30 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Read error: Connection reset by peer]
08:30 -!- OtherJakeSays is now known as JakeSays
08:30 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
08:37 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Read error: Operation timed out]
08:45 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
08:47 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 260 seconds]
08:50 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Read error: Connection reset by peer]
08:51 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
08:59 -!- miltio [~marco@ip-45-99.sn3.eutelia.it] has quit [Quit: Leaving]
09:00 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
09:02 -!- adawda [~awda@91-121-219-67.dc1.fusa.be] has joined #openvpn
09:05 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Ping timeout: 264 seconds]
09:09 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
09:11 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
09:11 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: Password OpenvpnGUI :: Reply by Damien74 <https://forums.openvpn.net/viewtopic.php?f=15&t=7332&p=8643#p8643>
09:11 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 272 seconds]
09:24 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
09:25 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined #openvpn
09:31 -!- aliverius [~george@athedsl-377399.home.otenet.gr] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
09:36 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: Password OpenvpnGUI :: Reply by darco <https://forums.openvpn.net/viewtopic.php?f=15&t=7332&p=8644#p8644>
09:37 -!- sjk [sjk@unaffiliated/sjk] has joined #openvpn
09:38 < sjk> !welcome
09:38 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:38 < sjk> !goal
09:38 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
09:39 < sjk> !howto
09:39 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:40 < ecrist> krzie: ping
09:43 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has quit [Ping timeout: 255 seconds]
09:44 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined #openvpn
09:48 -!- albech [~thomas@124.157.202.78] has quit [Quit: Ex-Chat]
09:51 -!- mape2k [~jabber@galatea.net.pennewiss.de] has left #openvpn []
09:54 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 272 seconds]
09:57 -!- kwame is now known as kwame_home
09:59 < |Mike|> .
10:00 -!- aliverius [~george@athedsl-377399.home.otenet.gr] has joined #openvpn
10:00 -!- aliverius [~george@athedsl-377399.home.otenet.gr] has quit [Client Quit]
10:11 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 260 seconds]
10:15 < Essobi> How's IPV6 on openvpn in beta3/4?
10:15 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
10:15 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
10:15 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
10:26 -!- s7r [~s7r@static.3.231.63.178.clients.your-server.de] has joined #openvpn
10:27 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
10:30 -!- sigius [~sigius@93.125.185.45] has quit [Remote host closed the connection]
10:31 -!- aliverius [~george@athedsl-377399.home.otenet.gr] has joined #openvpn
10:32 -!- aliverius [~george@athedsl-377399.home.otenet.gr] has quit [Remote host closed the connection]
10:33 -!- aliverius [~george@athedsl-377399.home.otenet.gr] has joined #openvpn
10:33 -!- aliverius [~george@athedsl-377399.home.otenet.gr] has quit [Remote host closed the connection]
10:37 -!- aliverius [~george@athedsl-377399.home.otenet.gr] has joined #openvpn
10:38 -!- aliverius [~george@athedsl-377399.home.otenet.gr] has quit [Remote host closed the connection]
10:44 -!- aliverius [~george@athedsl-377399.home.otenet.gr] has joined #openvpn
10:55 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds]
11:00 -!- macsppadic [~sonupunno@88.211.55.77] has left #openvpn []
11:03 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 250 seconds]
11:09 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
11:18 <@vpnHelper> RSS Update - forum: Server Administration :: Where's the database from generated keys ? :: Author sierramike <https://forums.openvpn.net/viewtopic.php?f=4&t=7365&p=8645#p8645>
11:18 -!- aliverius [~george@athedsl-377399.home.otenet.gr] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
11:20 -!- s7r [~s7r@static.3.231.63.178.clients.your-server.de] has quit [Ping timeout: 240 seconds]
11:20 -!- aliverius [~george@athedsl-377399.home.otenet.gr] has joined #openvpn
11:21 <@dazo> Essobi: IPv6 will come in OpenVPN 2.3 ... so the openvpn-testing allmerged is the place where to get that code now ... If all goes as we plan, we're talking about 2.3 beta around March 2011
11:27 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:53 -!- krzee [~k@ftp.secure-computing.net] has joined #openvpn
11:53 -!- krzee [~k@ftp.secure-computing.net] has quit [Changing host]
11:53 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
12:00 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
12:03 -!- luneff [~yury@84.51.195.188] has joined #openvpn
12:09 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has joined #openvpn
12:16 < Essobi> dazo: roger that
12:22 -!- cpm [~Chip@guest-ap.xo.avitecture.net] has joined #openvpn
12:22 -!- cpm [~Chip@guest-ap.xo.avitecture.net] has quit [Changing host]
12:22 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
12:33 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 255 seconds]
12:34 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined #openvpn
12:37 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has quit [Ping timeout: 276 seconds]
12:38 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Ping timeout: 240 seconds]
12:39 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined #openvpn
12:40 -!- ftp [~solo@billymays.info] has joined #openvpn
12:40 -!- ftp is now known as nesta
12:41 -!- nesta [~solo@billymays.info] has quit [Client Quit]
12:43 -!- ftp [~laguan@billymays.info] has joined #openvpn
12:43 -!- ftp is now known as nesta
12:43 -!- nesta [~laguan@billymays.info] has quit [Client Quit]
12:43 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has joined #openvpn
12:48 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has quit [Ping timeout: 240 seconds]
12:50 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving]
12:54 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Quit: ZNC - http://znc.sourceforge.net]
12:55 -!- dazo is now known as dazo_afk
12:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
12:57 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined #openvpn
13:20 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has joined #openvpn
13:25 -!- luneff [~yury@84.51.211.242] has joined #openvpn
13:35 -!- Speedy2 [~JohnnyJac@cpe-76-88-67-189.san.res.rr.com] has left #openvpn ["Konversation terminated!"]
13:53 -!- s7r [~s7r@static.57.231.63.178.clients.your-server.de] has joined #openvpn
13:53 < s7r> when I connect to openvpn, what MAC address does the vpn server see? The one from tap virtual adapter or the one from physical network card?
13:53 < rjd__> s7r: I would assume tap? :)
13:54 < s7r> rjd__: you know for sure or you assume? :D because I assume tap too, but i am not sure
13:54 < rjd__> I assume :-)
13:56 < s7r> !mac
13:56 <@vpnHelper> "mac" is Use Tunnelblick for the Mac. (http://code.google.com/p/tunnelblick/)
13:57 < rjd__> !hwaddr
13:57 < rjd__> :\
14:02 -!- sam555 [~chatzilla@udp124488uds.hawaiiantel.net] has joined #openvpn
14:02 < sam555> hello all!
14:03 < Essobi> howdy
14:03 < sam555> I'm running openvpn on a windows xp machine and the IP address changed for the router I'm remoting into.  I've edited the *.opvn file with the new ip address, but the short cut keeps tunneling to the old IP address.  Any ideas?
14:08 -!- ralnaemi [~ralnaemi@unaffiliated/ralnaemi] has left #openvpn []
14:23 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds]
14:24 -!- sparkymarkd [~mark@200.32.232.149] has joined #openvpn
14:24 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 265 seconds]
14:42 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Remote host closed the connection]
14:54 -!- epaphus [~epaphus@201.199.62.74] has joined #openvpn
14:59 < epaphus> Hello. So I have this config http://pastebin.com/YpRLqsJt  as a client that hosts a webserver. I (as another client) can access the webserver in question only when the other client has redirect-gateway enabled. Otherwise Iam not even able to ping him. 
14:59 < epaphus> What should i set in the client that hosts the webserver so I keep the redirect gateway off, but i can access it through the tun private ip?
15:01 < hyper_ch> I don't understand what works and what doesn't
15:03 < epaphus> The config in the pastebin works in  the sense that it is given a private IP (10.8.0.6) but me as another client of the vpn (10.8.0.10) cannot ping him. If I uncomment the redirect-gateway on the client then I can ping him. 
15:03 < epaphus> I want to still be able to ping him without having him have redirect gateway activated
15:04 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 240 seconds]
15:04 -!- unspin [~unspin@S0106001451226d9c.vc.shawcable.net] has joined #openvpn
15:06 < epaphus> is it a bit more clear now what my problem is? :)
15:07 -!- Irssi: #openvpn: Total of 118 nicks [4 ops, 0 halfops, 0 voices, 114 normal]
15:09 < epaphus> Bushmills ? :)
15:10 -!- cj [~cjac@adsl-207-32-174-101.rockisland.net] has joined #openvpn
15:10 < cj> is there a wireshark dissector for openvpn yet?
15:10 < cj> google says there wasn't in 2007
15:12 < cj> I'm trying to figure out why I get this error:
15:12 < cj> TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
15:12 < cj> the certs all look good to me
15:13 < cj> I'd like to bump up the verbosity and figure out what is failing
15:13 < cj> but the gnome vpn manager thing doesn't seem to allow folks to do that...
15:13 < cj> maybe I should use the command line instead
15:15 < epaphus> LOL i figured it out!!! hyper_ch i had to enable client-client in the server. 
15:15 < hyper_ch> good
15:15 < epaphus> the odd thing is that with redirect gateway it does work
15:17 < krzie> if you had to enable client-to-client then it was a firewall issue
15:18 < krzie> !c2c
15:18 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind other
15:18 <@vpnHelper> clients
15:22 < epaphus> well one thing is for sure, i dont have a firewall in the server active.
15:23 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 260 seconds]
15:23 -!- epaphus [~epaphus@201.199.62.74] has quit [Read error: Connection reset by peer]
15:24 -!- epaphus [~epaphus@201.199.62.74] has joined #openvpn
15:24 < epaphus> sorry
15:26 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
15:39 -!- epaphus [~epaphus@201.199.62.74] has quit [Quit: Leaving]
15:43 -!- unspin [~unspin@S0106001451226d9c.vc.shawcable.net] has quit [Ping timeout: 245 seconds]
15:44 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.12/20101026210630]]
15:54 -!- kwame_home is now known as kwame
16:17 <@vpnHelper> RSS Update - forum: Configuration :: VPN Noob needs help with configuration :: Author Sky <https://forums.openvpn.net/viewtopic.php?f=6&t=7366&p=8646#p8646>
16:22 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
16:27 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
16:29 <@vpnHelper> RSS Update - forum: Configuration :: Re: VPN Noob needs help with configuration :: Reply by Sky <https://forums.openvpn.net/viewtopic.php?f=6&t=7366&p=8647#p8647>
16:44 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
16:45 < krzie> !pki
16:45 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was signed
16:45 <@vpnHelper> specially as a server (see !servercert)
16:46 < krzie> !bridge
16:46 <@vpnHelper> "bridge" is (#1) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html for the doc, or (#2) http://openvpn.net/index.php/documentation/faq.html#bridge1 for info from the FAQ, or (#3) also see !tunortap and !layer2 and read --server-bridge in the manual (!man)
16:47 -!- s7r [~s7r@static.57.231.63.178.clients.your-server.de] has left #openvpn []
16:48 -!- zongo [~zongo@86-41-76-29-dynamic.b-ras2.chf.cork.eircom.net] has joined #openvpn
16:48 -!- zongo [~zongo@86-41-76-29-dynamic.b-ras2.chf.cork.eircom.net] has quit [Remote host closed the connection]
16:49 -!- zongo [~zongo@86-41-76-29-dynamic.b-ras2.chf.cork.eircom.net] has joined #openvpn
16:51 < zongo> Greeting Guys, I have a stupid question which has been kicking my ass for a while now. I have installed OpenVPN and it works perfectly. I ran some test on one client with different network configuration which left the OpenVPN client Windows 7 full of config/certificate. How do I delete those on the client and start fresh 
16:52 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
16:52 <@vpnHelper> RSS Update - forum: Configuration :: Re: VPN Noob needs help with configuration :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7366&p=8648#p8648>
16:53 < zongo> because one issue I am facing now is that the client windows 7 is only connecting to port 443 
16:59 < krzie> umm
16:59 < krzie> delete the files and replace them with the right ones...?
17:01 < zongo> krzie, thanks for your reply but what file on the client ? the client windows 7 connects perfectly on port 443 but if I change port on the server does not want to connect at all
17:02 < zongo> the error mentions a xml on the client
17:02 < zongo> *xml file
17:03 < zongo> I am assuming i would need to get access to that file but even after reading how tos, could not find where the client stacks its configuration file 
17:03 < zongo> + windows 7 does not help as I am not very well acquainted with that platforme :)
17:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
17:15 -!- r420r [isaacbsd@unaffiliated/r420r] has joined #openvpn
17:16 < r420r> hi guys, i am reading about openvpn, i wondering how is it of security , it accepting mitm attacks ?
17:17 -!- zongo [~zongo@86-41-76-29-dynamic.b-ras2.chf.cork.eircom.net] has quit [Quit: Ex-Chat]
17:20 -!- jdstroy [jdstroy@unaffiliated/jdstroy] has joined #openvpn
17:20 -!- jdstroy [jdstroy@unaffiliated/jdstroy] has left #openvpn []
17:20 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
17:21 < adawda> r420r: i'd assume it's safe if you use a proper cipher
17:21 <@vpnHelper> RSS Update - forum: Configuration :: Re: VPN Noob needs help with configuration :: Reply by Sky <https://forums.openvpn.net/viewtopic.php?f=6&t=7366&p=8649#p8649>
17:22 < r420r> adawda: i using ssh tunnel without password, i using only keys, is that possible in vpn too ?
17:22 < adawda> yes
17:23 < adawda> i don't know what the server side settings are, though
17:23 < r420r> hmm
17:23 < adawda> but the VPN tunnel i'm using now is configured that way
17:23 < adawda> maybe ask rjd__ 
17:24 < adawda> or an op or somethin ^^
17:24 < r420r> passphrase ?
17:25 < adawda> huh?
17:26 < r420r> ok i am searching on google =)
17:26 -!- r420r [isaacbsd@unaffiliated/r420r] has left #openvpn []
17:28 -!- mwcarroll [~mwcarroll@develogix.com] has joined #openvpn
17:28 < mwcarroll> !welcome
17:28 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:29 < adawda> !redirect
17:29 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:31 < mwcarroll> !goal
17:31 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
17:43 < mwcarroll> I just configured my router to be a VPN server and I'm having issues connecting to it
17:43 < mwcarroll> the response is:
17:43 < mwcarroll> TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
17:44 < mwcarroll> TLS Error: TLS handshake failed
17:49 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
17:56 < |Mike|> . . .
17:57 < |Mike|> firewall?
17:58 -!- dann [dann@82-168-191-228.ip.telfort.nl] has joined #openvpn
17:59 < mwcarroll> http://logi.pastebin.com/cgYvEnyU
17:59 < mwcarroll> |Mike|: ^
18:00 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:00 < mwcarroll> that's on my router, running dd-wrt
18:01 < |Mike|> !firewall
18:01 <@vpnHelper> "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
18:01 < |Mike|> !linnat
18:01 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
18:01 < |Mike|> there ya go
18:02 < dann> hi mike
18:02 < |Mike|> hello dann 
18:02 < dann> your doing push redirect gateway in server.conf?
18:03 < |Mike|> mede nederlander :-)
18:03 < dann> british in rotterdam
18:03 < |Mike|> depends on why you're using the push redirect gateway
18:03 < mwcarroll> I have no idea what I'm doing... I just want to be able to VPN into my home network so that I can do things securely
18:04 < mwcarroll> I followed this: http://www.dd-wrt.com/wiki/index.php/VPN_(the_easy_way)_v24%2B
18:04 <@vpnHelper> Title: VPN (the easy way - DD-WRT Wiki (at www.dd-wrt.com)
18:04 < mwcarroll> installed tuntaposx and tunnelblick on my macbook pro
18:04 < mwcarroll> and can't get it to work properly
18:07 < mwcarroll> this is my configuration on my router
18:07 < mwcarroll> http://logi.pastebin.com/G1dSHEPL
18:07 < dann> try following this tut to the letter
18:07 < dann> it works
18:07 < dann> http://library.linode.com/networking/openvpn/centos-5
18:07 <@vpnHelper> Title: Deploy VPN Services with OpenVPN - Secure Communications with OpenVPN on CentOS 5 - Linode Library (at library.linode.com)
18:11 < mwcarroll> I can't follow it exactly
18:11 < mwcarroll> due to how my router installs openvpn
18:13 < |Mike|> mwcarroll: you might want to join #dd-wrt for it
18:13 < mwcarroll> k
18:13 < |Mike|> i'm totally unfamilair with dd/open-wrt's
18:17 -!- sam555 [~chatzilla@udp124488uds.hawaiiantel.net] has quit [Ping timeout: 240 seconds]
18:20 -!- bitterman [~yury@84.51.211.242] has joined #openvpn
18:21 < dann> mike
18:21 < dann> i got a q
18:21 < dann> would using larger RSA key length slow down connection?
18:21 < |Mike|> 1024 is recommended
18:21 < |Mike|> larger keys will slow down your speed yeah
18:22 < dann> slow down just the tls handshake or actually slow down the connection all the time
18:22 < |Mike|> if both sides have enough cpu power it won't, but the tls handshake will be a lot slower
18:23 -!- luneff [~yury@84.51.211.242] has quit [Ping timeout: 255 seconds]
18:30 <@vpnHelper> RSS Update - forum: Configuration :: Re: VPN Noob needs help with configuration :: Reply by Sky <https://forums.openvpn.net/viewtopic.php?f=6&t=7366&p=8650#p8650>
18:35 < mwcarroll> I figured out the problem....
18:35 -!- bitterman [~yury@84.51.211.242] has quit [Ping timeout: 240 seconds]
18:35 < mwcarroll> openvpn starts, but doesn't stay on
18:35 < mwcarroll> http://logi.pastebin.com/Aw2bVdnq
18:39 < |Mike|> verbose on 4 or 5?
18:42 < |Mike|> mwcarroll: haha
18:42 < |Mike|> openvpn --mktun --dev tap0
18:43 < |Mike|> mktun and use device tap0 ? ;)
18:44 < mwcarroll> that's what the guide said to do
18:45 < dann> achh
18:45 < dann> i think my slow internet is problem of my vps provider not openvpn
18:45 < dann> thats what u get for 10 euro per month ;)
18:49 < krzie> |Mike|, thats not true
18:50 < |Mike|> dann: Hetzner?
18:50 < |Mike|> krzie: it aint? :x
18:50 < krzie> larger keys only slow down the keying process
18:51 < krzie> 1x / hour
18:51 < krzie> your cipher isnt changed by the keysize of your certs
18:51 < |Mike|> true that.
18:51 < krzie> and your certs are not your cipher ;]
18:52 < krzie> [16:42]  <|Mike|> openvpn --mktun --dev tap0
18:52 < krzie> [16:43]  <|Mike|> mktun and use device tap0 ? ;)
18:52 < |Mike|> krzie: you remind me to finish reading my crypto book
18:52 < krzie> thats how you make a static device
18:52 < krzie> as opposed to using a dynamic device
18:52 < krzie> the difference in your config would be     dev tun  (dynamic device)    or dev tun0  (static device)
18:53 < krzie> if you used dev tun0 and had not made a static device, it would fail
18:54 < krzie> what i consider a standard setup gains nothing by using static devices, but there are times it is needed
18:58 < mwcarroll> wait... so what should I put
18:58 < mwcarroll> krzee: ^
18:59 < krzie> all that command does is make a device
18:59 < krzie> you need to actually make a vpn config
19:00 < krzie> so lets start with this
19:00 < krzie> !goal
19:00 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
19:02 < mwcarroll> I want a secure connection between my network and wherever I am
19:02 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
19:02 < krzie> and your network is a client or the server...?
19:03 < mwcarroll> the server
19:03 < krzie> ok...
19:03 < mwcarroll> the server is my router
19:03 < krzie> !pki
19:03 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was signed
19:03 <@vpnHelper> specially as a server (see !servercert)
19:03 < krzie> that is for making your certificates
19:03 < krzie> !sample
19:03 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
19:03 < krzie> that is some basic configs you can start with
19:03 < mwcarroll> I've done the !pki
19:03 < krzie> !serverlan
19:03 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
19:04 < krzie> hrm
19:04 < mwcarroll> I've done the routing
19:04 < krzie> its a router so you can skip 2 of 3 steps
19:04 < mwcarroll> of which?
19:04 < krzie> well ip forwarding is already enabled
19:05 < krzie> and you dont need a route on the router, since the router is already the vpn node
19:05 < krzie> what is the subnet of the server's lan?
19:06 < krzie> so if you already have your PKI, basically you can just take my sample configs edit paths to point to your certs, and add a single push route to the server config, which i will give you after you answer the above question
19:07 < mwcarroll> 192.168.2.0/24
19:08 < mwcarroll> I think I set that up correctly
19:08 < mwcarroll> I want all VPN connections to be 192.168.2.*(*(*))
19:10 <@vpnHelper> RSS Update - forum: Forum & Website Support :: IP address issue :: Author msmoore <https://forums.openvpn.net/viewtopic.php?f=30&t=7367&p=8651#p8651>
19:10 < mwcarroll> krzee: http://logi.pastebin.com/G1dSHEPL that's the config for openvpn on my router
19:11 < mwcarroll> it creates the dh, ca, cert, and key files in the /tmp/ folder based on what you enter in the GUI
19:12 < krzie> [17:08]  <mwcarroll> I want all VPN connections to be 192.168.2.*(*(*))
19:12 < krzie> wtf is that supposed to mean?
19:13 < mwcarroll> I want my VPN clients to receive IPs of 192.168.2.*
19:13 < krzie> there ya go
19:13 < jpalmer> I think mwcarroll is using that as his "regex" to indicate 1, 2, or 3 digitsin the last octet.
19:13 < krzie> so the lan subnet is 192.168.1.X ?
19:14 < krzie> ahh you're right jpalmer 
19:15 < krzie> mwcarroll, that config should work, however, you should seriously change the subnet your LAN currently uses
19:15 -!- patelx [~patel@openvpn/corp/admin/patel] has quit [Ping timeout: 240 seconds]
19:15 < krzie> since you will break shit if you connect from a location where you are on the same subnet
19:15 < krzie> and that is the most common LAN subnet on earth
19:16 < mwcarroll> k
19:17 < mwcarroll> I'll do that after I get this crap working
19:17 < mwcarroll> lol
19:17 < dann> oh dear
19:17 < dann> did you just call openvpn crap?
19:17 < dann> tisk tisk
19:18 < mwcarroll> no
19:18 < mwcarroll> well... I guess technically yes
19:18 < mwcarroll> lol
19:18 < krzie> hah
19:18 < mwcarroll> root@dvl:~# openvpn --mktun --dev tap0 
19:18 < mwcarroll> Tue Dec  7 20:16:07 2010 TUN/TAP device tap0 opened
19:18 < mwcarroll> Tue Dec  7 20:16:07 2010 Persist state set to: ON
19:18 < |Mike|> dann: cleaning time! :-P
19:18 < mwcarroll> it works just fine... but it doesn't continue to run
19:19 < mwcarroll> root@dvl:~# ps | grep openvpn
19:19 < krzie> LOL
19:19 < mwcarroll> (nothing)
19:19 < krzie> i already told you
19:19 < krzie> THAT DOES NOT START OPENVPN
19:19 < mwcarroll> oh
19:19 < mwcarroll> what's that do?
19:19 < dann> shows u running process
19:19 < krzie> [16:59]  <krzie> all that command does is make a device
19:19 < dann> the openvpn daemon
19:20 < mwcarroll> ah
19:20 < mwcarroll> how do you start openvpn?
19:20 < dann> service openvpn start
19:20 < dann> or
19:20 < krzie> openvpn /path/to/config
19:20 -!- patelx [~patel@openvpn/corp/admin/patel] has joined #openvpn
19:20 -!- mode/#openvpn [+o patelx] by ChanServ
19:20 < dann> .
19:20 < krzie> dann, no, thats how some distro's of linux choose to setup wrappers to start openvpn
19:20 < dann> well it works for me... isnt he using linux?
19:21 < krzie> hes using a linux based router, i doubt they include the service command
19:21 < krzie> as i said, some distros
19:22 < dann> ach
19:22 < dann> when will openvpn be a turnkey solution
19:22 < mwcarroll> ok
19:23 < mwcarroll> now it's running
19:23 < mwcarroll> client still cannot connect
19:23 < mwcarroll> never...
19:24 < mwcarroll> using the same CA cert
19:24 < mwcarroll> the client cert generated using the CA cert
19:25 < mwcarroll> the client key generated using the CA cert
19:26 < krzie> !logfile
19:26 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info
19:26 < mwcarroll> http://logi.pastebin.com/2SqJxBcV
19:27 < krzie> lol
19:27 < krzie> remove tls-client and pull, replace them with client
19:27 < krzie> why did you set route-gateway?
19:29 < dann> oh deary me
19:29 < mwcarroll> I didn't
19:29 < dann> that config file is a mess
19:29 < dann> deaary deary me
19:29 < mwcarroll> that's what's generated by Viscosity
19:29 < krzie> lol
19:29  * krzie goes away
19:30 < mwcarroll> http://cl.ly/1t1X1J0S3R1b1d0d1k0F
19:30 <@vpnHelper> Title: Screen shot 2010-12-07 at 20.29.58.png (at cl.ly)
19:30 < mwcarroll> http://cl.ly/0p2W072s0T2l392f2s1a
19:30 <@vpnHelper> Title: Screen shot 2010-12-07 at 20.30.30.png (at cl.ly)
19:31 < mwcarroll> options for Authentication Type are: SSL/TLS Client, SSL/TLS Client (PKCS11), SSL/TLS Client (PKCS12), and Static Key
19:33  * dann meh
19:34 < dann> good luck mwcarrol
19:34 < dann> krzie is preety mutch the only person in here who ever helps
19:34 < dann> rest are always idle
19:34 < dann> except Bushmills who just talks smack and doesnt help
19:35 < mwcarroll> krzie: come back!!
19:36 < dann> i politely asked Bushmills for help and he just says 'pray'
19:39 < mwcarroll> lol
19:39 < dann> i dont understand irc
19:39 < dann> why ppl enjoy idling
19:40 < dann> whats the point
19:41 -!- R-66Y [~nobody@elegua.za.net] has joined #openvpn
19:43 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
19:45 < R-66Y> just one client keeps getting "TLS keys are out of sync" errors. What should I do to debug this? (it's a TCP connection, and google hasn't helped at all yet)
19:45 < mwcarroll> got it working!
19:45 < mwcarroll> ish
19:45 < mwcarroll> TCP/UDP: Incoming packet rejected from 192.168.1.1:1194[2], expected peer address: ***:1194 (allow this incoming source address/port by removing --remote or adding --float)
19:45 < mwcarroll> I'll have to test it tomorrow at school
19:46 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
19:50 < mwcarroll> nvm changing remote to 192.168.1.1 makes it work
19:55 -!- Martin` is now known as Martin
19:55 -!- Martin is now known as Guest69400
19:57 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Read error: No route to host]
20:14 < R-66Y> anybody wanna help me out here? I can provide more info, just don't know what I need to provide.
20:16 < krzie> R-66Y, sure, provide logs with verb 4 from both sides
20:18 <@vpnHelper> RSS Update - forum: Configuration :: Re: VPN Noob needs help with configuration :: Reply by Sky <https://forums.openvpn.net/viewtopic.php?f=6&t=7366&p=8652#p8652>
20:23 -!- TuxFighter [~TuxFighte@p5DF7B2D5.dip.t-dialin.net] has quit [Ping timeout: 276 seconds]
20:26 -!- Nappy_ [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Quit: Leaving]
20:26 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
20:26 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
20:26 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
20:26 -!- Nappy [~nappy@97.97.247.123] has joined #openvpn
20:27 -!- TuxFighter [~TuxFighte@p5DF7FD39.dip.t-dialin.net] has joined #openvpn
20:29 < R-66Y> http://slexy.org/view/s2bNkcGcMx , krzie you too :P
20:29 <@vpnHelper> Title: Paste // Slexy 2.0 (at slexy.org)
20:29 < R-66Y> that's his log
20:29 < R-66Y> mine just repeats the TLS out of sync error every 10 seconds
20:30 -!- WinstonSmith [~true@e177090035.adsl.alicedsl.de] has joined #openvpn
20:30 -!- Aakash [~AakashPat@unaffiliated/aakashpatel] has joined #openvpn
20:30 < ecrist> R-66Y: /topic is a good place to start. :)
20:30 < ecrist> that goes for *any* channel
20:31 < R-66Y> it's not my firewall, I've used google, I hate stupid mailing lists and forums that never get answered. I fail to see your point.
20:31 < ecrist> client log looks OK.  server log and configs please.
20:31 < ecrist> type /topic and read the whole thing.
20:31 < R-66Y> I did.
20:31 < ecrist> yet, you didn't execute !goal or !welcome
20:31 < ecrist> you may have seen, but didn't read
20:32 < R-66Y> I did read, but I used my brain to think, and it came to the conclusion that canned messages won't resolve special issues. sure, it would have told me to give you my server and client confs, but I was working on that anyway.
20:33 < R-66Y> look I don't wanna cause a bunch of argument over silly stuff, so can we move on please?
20:33 < R-66Y> lemme get that server conf.
20:34 < krzie> ok i have seen 1 log
20:34 < krzie> however, i have not seen both
20:34 < krzie> we'll also need both configs now that i see something out of place in his log
20:34 < Bushmills> http://scarydevilmonastery.net/snap/1291775606472127183d.png <- that's how dann  asks kindly for help
20:35 < R-66Y> what was out of place, krzie?
20:35 < krzie> Wed Dec  8 12:48:10 2010 us=262761 WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 10.8.0.0 255.255.255.0'
20:36 < krzie> points to a weird config
20:36 < krzie> LOL Bushmills 
20:36 < krzie> good one
20:36 < Bushmills> dann as perceptional problems, is my impression
20:36 < R-66Y> http://slexy.org/view/s21pFXLPte server conf, and he just went offline. damn.
20:36 <@vpnHelper> Title: Paste // Slexy 2.0 (at slexy.org)
20:36 < Bushmills> has
20:36 < krzie> R-66Y, you each made your own configs??
20:37 < krzie> since they must match, normally the person who runs the server sends configs to his clients
20:37 < R-66Y> he may have played with it recently, so I was going to ask for his current.
20:37 < R-66Y> correct, I made it, but he still owns his box.
20:37 < krzie> gotchya
20:38 < krzie> md5 each ta.key, make sure his config has 1 after referencing ta.key
20:38 < krzie> make sure the md5's match on the file
20:38 < R-66Y> already did. ('cept sha1). they match.
20:38 < krzie> werd
20:38 < krzie> sha1 is technically better anyways, but either would be sufficient for this
20:39 < R-66Y> mmhmmm. also, all that's in his ccd is an address "deligation" if you will: ifconfig-push 10.8.0.25 255.255.255.0
20:39 < R-66Y> errr .2, not .25.
20:39 < R-66Y> sorry.
20:40 < krzie> erm
20:41 < krzie> because it is dev tap that may work
20:41 < krzie> actually ya i think it will
20:41 < R-66Y> well I mention this because the ccd-exclusive option is used in the server config, it's set to 10.8.0.2 in it, and his client is apparently trying to use 10.8.0.0.
20:41 < krzie> without his config i cant tell you why
20:41 < R-66Y> alright.
20:42 < krzie> he seems to be using ifconfig in it tho
20:42 < R-66Y> he went offline while I was looking through the logs and configs. sorry dude.
20:42 < krzie> which he shouldnt be
20:42 < R-66Y> what do you recommend?
20:42 < krzie> also be sure both sides have their clocks correctly set
20:42 < krzie> i recommend coming back with his config
20:42 < krzie> ;]
20:43 < R-66Y> didn't think about the clock issue. good call!
20:46 < krzie> even if that does fix the 1 issue, theres at least 1 more
20:46 < R-66Y> which is?
20:47 < R-66Y> I think I know, but I want your perspective.
20:47 < krzie> he prolly has an ifconfig in his config
20:47 < krzie> like one would use when making standard PTP static-key configs
20:48 < krzie> but thats only a guess
20:48 < R-66Y> right. I'll let you know when I can.
20:48 < R-66Y> thanks a lot for all the help :)
20:49 < krzie> yw
20:52 -!- Aakash [~AakashPat@unaffiliated/aakashpatel] has quit [Quit: Aakash]
21:01 -!- sparkymarkd [~mark@200.32.232.149] has quit [Read error: Connection reset by peer]
21:01 -!- sparkymarkd [~mark@187.153.138.127] has joined #openvpn
21:03 < dann> can i just chroot /etc/openvpn
21:03 < dann> or need to chose another dir?
21:03 < dann> Bushmills?
21:03 < dann> you have an Answer for me?
21:04 < Bushmills> sure.   http://scarydevilmonastery.net/snap/1291775606472127183d.png  answer all questions you have ever asked me.
21:04 < dann> i saw
21:04 < dann> lol im funny
21:04 < Bushmills> apart from that, your just a whining and lieing
21:05 < dann> must have been angry at the time
21:05 < dann> soryr
21:05 < dann> sorry
21:06 < Bushmills> you may call that funny, i call that insulting
21:06 < dann> i was frustrated 
21:06 < Bushmills> though your idea is "kindly asking"
21:07 < Bushmills> can you point me out your question?
21:07 < dann> my most recent Q is 'i want to chroot the openvpn daemon, can i just do chroot /etc/openvpn or should i chose another new dir like /etc/jail'
21:08 < Bushmills> as i never help, yoiu are better off asking somebody else
21:08 < dann> well what is it they say
21:08 < dann> a cycle 
21:08 < dann> i'm being nice
21:08 < dann> be helpfull and i'll continue to be nice
21:08 < dann> no need to go in a circle
21:09 -!- sparkymarkd [~mark@187.153.138.127] has quit [Ping timeout: 240 seconds]
21:09 < Bushmills> your idea just half an hour ago. still frustrated then?
21:09 < dann> now im chillaxed
21:09 < dann> have a beer
21:10 -!- sparkymarkd [~mark@187.157.145.215] has joined #openvpn
21:10 < Bushmills> i can't deal with people who need beer before they can be talked to
21:10 < dann> lool
21:10 < dann> i respect you as an authority of knowledge on openvpn
21:10 < dann> otherwise why else am i here
21:10 < dann> i know u know everything
21:10 < Bushmills> my esteem of you is to my regret a bit less
21:11 < jpalmer> dann:  did they get tired of you in #centos?
21:11 < dann> i have read the offical HOWTO thats why i called the dir jail... just wanna know if i can use chroot /etc/openvpn or if i should make a new dir
21:11 < dann> yes
21:11 < jpalmer> figured.
21:13 < dann> i helped some1 in centos 
21:13 < dann> even though im a noob
21:13  * dann is a kind spirit
21:14 < dann> well Bushmills
21:14 < dann> what is it they say
21:15 < dann> takes a man to accept an apology
21:18 < Bushmills> perceptional problem showing again?   http://scarydevilmonastery.net/snap/1291778167903819752d.png     are you pretending to have apoligized for anything? 
21:19 < dann> i said i apologise like 4 times
21:19 < dann> you've got to be levelling 
21:19 < dann> funny
21:20 < Bushmills> strange - i have exactly two hits on "apolog" which are these: http://scarydevilmonastery.net/snap/1291778382216948012d.png
21:20 < dann> lol
21:21 < dann> i apologise x 10^999999999999999999999
21:21 < dann> that should overload your database
21:24 < dann> find / -nam i apologise
21:24 < dann> -name
21:24 < dann> too many results
21:28 < dann> sorry
21:28 < dann> :)
21:30 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
21:30 <@vpnHelper> RSS Update - forum: Server Administration :: System time at bootup not correct, Key authentication fails :: Author ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7368&p=8653#p8653>
21:30 -!- dann is now known as ilovegrolsc
21:43 -!- sparkymarkd [~mark@187.157.145.215] has quit [Ping timeout: 276 seconds]
21:45 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
21:57 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has quit [Quit: Leaving]
21:57 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
21:58 -!- krphop [~krphop@watch.out.the.feds.are.rightbehind.us] has joined #openvpn
22:32 -!- sparkymarkd [~mark@187.157.145.215] has joined #openvpn
22:44 -!- mrrothh [~mrroth@ool-44c07f7c.dyn.optonline.net] has joined #openvpn
22:46 -!- markus_ [~markus@c83-250-36-93.bredband.comhem.se] has quit [Read error: Operation timed out]
22:54 -!- markus [~markus@c83-250-36-93.bredband.comhem.se] has joined #openvpn
22:59 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has joined #openvpn
23:05 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 250 seconds]
23:13 <@vpnHelper> RSS Update - forum: Configuration :: Re: VPN Noob needs help with configuration :: Reply by Sky <https://forums.openvpn.net/viewtopic.php?f=6&t=7366&p=8654#p8654>
23:33 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:37 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: VPN before 2routers :: Author pinguim007 <https://forums.openvpn.net/viewtopic.php?f=15&t=7369&p=8655#p8655>
23:47 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
23:48 -!- WinstonSmith [~true@e177090035.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
23:56 -!- mrrothh [~mrroth@ool-44c07f7c.dyn.optonline.net] has quit [Ping timeout: 255 seconds]
--- Day changed Wed Dec 08 2010
00:08 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
00:18 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
00:20 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 240 seconds]
00:34 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
00:35 -!- travalas [~travalas@202.84.40.65] has joined #openvpn
00:39 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
00:51 < travalas> hello, I'm seeing an odd problem.  I've got openvpn set up on a NATed vm running gentoo.  The external ip is forwarded to the vm0.  I can connect to the openvpn, however I can't seem to reach any ip addresses not on the box.   Here is trying paste bin on the outgoing interface showing an unsuccessful ping from an openvpn client and a successful one from the box itself.   http://pastebin.com/ydgscJgz
00:52 < travalas> !welcome
00:52 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
00:52 < travalas> !goal
00:52 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
00:53 < travalas> !route
00:53 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
00:53 < travalas> !redirect
00:53 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
00:59 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has quit [Ping timeout: 265 seconds]
01:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
01:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
01:55 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
01:59 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
02:06 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has joined #openvpn
02:08 -!- travalas [~travalas@202.84.40.65] has quit [Quit: travalas]
02:15 -!- buntfalke_ is now known as buntfalke
02:16 -!- dazo_afk is now known as dazo
02:19 -!- travalas [~travalas@202.84.40.65] has joined #openvpn
02:20 -!- adawda [~awda@91-121-219-67.dc1.fusa.be] has quit [Ping timeout: 240 seconds]
02:21 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
02:32 -!- WormFood [~wormfood@183.38.12.231] has joined #openvpn
02:42 -!- mape2k [~jabber@galatea.net.pennewiss.de] has joined #openvpn
02:47 -!- vindex_ [~vindex@71.6.167.164] has joined #openvpn
02:47 < vindex_> hello
02:47 < hyper_ch> hin vindex_
02:47 -!- vindex_ is now known as vindex
02:47 -!- vindex [~vindex@71.6.167.164] has quit [Changing host]
02:47 -!- vindex [~vindex@unaffiliated/moldenauer] has joined #openvpn
02:48 < vindex> heya, im having trouble setting up two concurrent vpn connections on windows 7
02:48 < vindex> i already installed a secondary tuntap device
02:48 < hyper_ch> windows7? no clue
02:48 < vindex> on linux it's fine i think though i havent tested it yet, but when i try to connect to the second one it says cannot bind address already in use
02:51 < vindex> hyper_ch: ok, i fixed the first part apparently
02:51 < vindex>  VERIFY ERROR: depth=0, error=unsupported certificate purpose
02:51 < vindex> thats the error i get now
02:51 < vindex> TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
02:56 <@vpnHelper> RSS Update - forum: Installation Help :: Starting Server Fails :: Author GeoDirk <https://forums.openvpn.net/viewtopic.php?f=5&t=7370&p=8656#p8656>
03:02 <@vpnHelper> RSS Update - forum: Server Administration :: Openvpn on a xen vm :: Author ncharles <https://forums.openvpn.net/viewtopic.php?f=4&t=7371&p=8657#p8657>
03:05 < vindex> the openvpn versions are the same
03:08 <@vpnHelper> RSS Update - forum: Installation Help :: Re: Starting Server Fails :: Reply by GeoDirk <https://forums.openvpn.net/viewtopic.php?f=5&t=7370&p=8658#p8658>
03:08 -!- p3rror [~mezgani@41.140.152.72] has quit [Ping timeout: 240 seconds]
03:23 -!- p3rror [~mezgani@41.140.24.235] has joined #openvpn
03:26 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: VPN before 2 routers :: Author pinguim007 <https://forums.openvpn.net/viewtopic.php?f=15&t=7369&p=8655#p8655>
03:34 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
03:35 <@dazo> vindex: I'm guessing you try to use a server certificate as a client connection, or vice-versa ... or that the certificate is lacking the "what is this certificate supposed to be used for" flag ... 
03:36 <@dazo> a quick workaround is to remove --ns-cert-type from your configs ... that will at least tell you if that's the issue or not
03:36 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
03:43 -!- noisebleed [~quassel@kermit.inescn.pt] has joined #openvpn
03:43 -!- noisebleed [~quassel@kermit.inescn.pt] has quit [Changing host]
03:43 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
03:48 -!- master_of_master [~master_of@p57B52B48.dip.t-dialin.net] has quit [Ping timeout: 255 seconds]
03:49 -!- master_of_master [~master_of@p57B52D5E.dip.t-dialin.net] has joined #openvpn
03:51 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:59 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
04:00 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
04:22 -!- common- [~common@p5DDA4976.dip0.t-ipconnect.de] has joined #openvpn
04:23 -!- TuxFighter [~TuxFighte@p5DF7FD39.dip.t-dialin.net] has quit []
04:25 -!- common [~common@p5DDA4840.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
04:25 -!- common- is now known as common
04:27 < vindex> dazo: fixed it, indeed i had created the wrong kind of cert following outdated doco
04:27 < vindex> pkitool did it for me
04:28 <@dazo> vindex: which docs did you follow?  If there's something wrong in the official OpenVPN tools, then we need to fix that
04:32 -!- luneff [~yury@84.51.199.24] has joined #openvpn
04:39 -!- Klem__ is now known as Klem
04:42 < vindex> dazo: no worries it was the gentoo wiki
04:42 < vindex> i dont know if the openvpn docs refer to the old scripts or just pkitool
04:42 < vindex> they are probably up to date
04:43 <@dazo> vindex: I hope so :)   .... you have ./build-key-server for creating server stuff and ./build-key-{pass,pkcs12} for client stuff
04:43 <@dazo> (in easy-rsa-2.0)
04:44 < vindex> yeah it's much more handy these days hehe
04:45 < vindex> now im fizzling with the issue of having a tracking tool+wiki for the internal company vpn... thats going to be a more convoluted task than setting up the vpn itself
04:45 <@dazo> vindex: but please, make some remarks in the Gentoo wiki that it's outdated ... so that not more people fall into that trap
04:45 < vindex> amazing that there is no official support for git in trac yet... and we need acls :|
04:45 < vindex> yeah, i think that the wiki is generally outdated though
04:59 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
05:07 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:11 -!- sparkymarkd [~mark@187.157.145.215] has quit [Remote host closed the connection]
05:41 -!- skrusty [~skrusty@83.166.176.39] has joined #openvpn
05:42 <@vpnHelper> RSS Update - forum: Configuration :: Advice / Help with openVPN :: Author damoon <https://forums.openvpn.net/viewtopic.php?f=6&t=7372&p=8659#p8659>
05:43 < skrusty> hi, is it possible to use openVPN server to connect to a site-2-site vpn, and VLAN tag the resulting VPN network?  want to connect a virtual machine to a remote VPN... thanks in advance.
05:50 < hyper_ch> skrusty: not quite sure what you mean
05:50 -!- kerfe [~a@114.pool85-60-138.dynamic.orange.es] has joined #openvpn
06:00 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: openvpn exceptions ?!! :: Author anteelsayed <https://forums.openvpn.net/viewtopic.php?f=15&t=7373&p=8660#p8660>
06:07 -!- dazo is now known as dazo_afk
06:08 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Read error: Connection reset by peer]
06:08 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
06:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
06:17 < Bushmills> "connect to a site-2-site vpn" - to a vpn which has already been established?
06:17 -!- adawda [~awda@p5B03F0AA.dip.t-dialin.net] has joined #openvpn
06:20 -!- adawda [~awda@p5B03F0AA.dip.t-dialin.net] has quit [Client Quit]
06:26 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 240 seconds]
06:29 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
06:35 < skrusty> Bushmills, I have a client who has a vpn router at their location, we host a VM for them, and they want to have their VM(s) on as part of their VPN... looking for options on how to do it
06:36 < Bushmills> that vpn router is openvpn?
06:36 < skrusty> wondered if openPN can connect to an existing VPN server as a site, and then tag the VPN traffic witha  aavlan, which i can then attach to a VM
06:36 < Bushmills> i.e runs openvpn?
06:36 < skrusty> no, their onsite vpn is zyxel
06:36 < skrusty> which support IPSec
06:36 < ilovegrolsc> hi Bushmills 
06:36 < ilovegrolsc> and every1
06:37 < skrusty> lo :)
06:37 < skrusty> sorry if my question wasn't well phrased, new to VPNs really
06:37 < skrusty> so quick learning curve 
06:37 < ilovegrolsc> its tricky at first skrusty but it is the best
06:38 < Bushmills> openvpn can connect to openvpn only.  but routing a subnet through an openvpn tunnel, estrablished on a different machine, could work.
06:38 < skrusty> hmmm, ok...
06:40 < Bushmills> actually, some routers can run openvpn, but zyxel is not one of those, i think
06:44 < ilovegrolsc> hmm
06:44 < ilovegrolsc> i don't think my traffic is encrypted
06:44 < ilovegrolsc> did a wireshark on it
06:44 < ilovegrolsc> can read every HTTP GEt request
06:45 < reiffert> Listening to what interface?
06:45 < ilovegrolsc> tap win 32
06:45 < jpalmer> if yu are doing wireshark on one of the endpoints,  you are probably seeing it after the decryption.
06:45 < reiffert> ilovegrolsc: the tap device got the uncrypted stuff.
06:45 < ilovegrolsc> oh
06:45 < reiffert> ilovegrolsc: your ethernet interface got the encrypted stuff.
06:46 < ilovegrolsc> ah thx
06:46 < ilovegrolsc> will try the other interface
06:46 < jpalmer> (or, you aren't sending your http requests over the VPN)
06:47 < reiffert> jpalmer: as he was inspecting the vpn interface ..
06:48 < ilovegrolsc> well when i monitor the other interface and visit a few websites... i see no http get info or anything.. just lots of udp connections
06:48 < ilovegrolsc> and no DNS queries either
06:48 < ilovegrolsc> so i think its working :)
06:49 < rjd__> it's possible to run a script on server upon client connect, where the clients ip can be passed as an argument or something like that?
06:51 < Bushmills> rjd__: you can run script on server upon connect - but passing the ip addresses is better done using one of the existing mechanisms. those support dynamic and static addresses, what else would you want for your connect script? 
06:52 < rjd__> Bushmills: basically run p0f on the tun device, grep the client ip and his signature, and if match or does not match certain pattern, perform an action
06:53 < Bushmills> client ip address is available in --client-connect script, no need to grep.  deciding on action to perform can be done in script.
06:54 -!- vindex [~vindex@unaffiliated/moldenauer] has quit [Quit: "Third world children are plentiful. Fossil fuels are scarce. We need to burn something."]
06:55 < rjd__> is --client-connect an argument to openvpn server?
06:55 < Bushmills> yes
06:55 < Bushmills> $ifconfig_remote  should be the client vpn ip address
06:57 < Bushmills> you might be able to use --client-connect from a ccd file, specific for client. then you'd not need to do any testing of ip address at all
07:15 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
07:19 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 276 seconds]
07:22 -!- bitterman [~yury@84.51.199.24] has joined #openvpn
07:23 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
07:23 -!- APTX [~APTX@phpBB/developer/APTX] has joined #openvpn
07:26 -!- luneff [~yury@84.51.199.24] has quit [Ping timeout: 272 seconds]
07:39 -!- huzpol [~huzur@business-188-111-123-132.static.arcor-ip.net] has left #openvpn []
07:42 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
07:42 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
07:42 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
07:45 -!- albech [~thomas@119.42.79.120] has joined #openvpn
07:47 < albech> i keep getting a new default gw after i establish my connection.. I do not have push "redirect-gateway" defined.. any suggestions?
07:47 <@vpnHelper> RSS Update - forum: Configuration :: when I establish a tun, does it takes all use of the port? :: Author pinguim007 <https://forums.openvpn.net/viewtopic.php?f=6&t=7374&p=8661#p8661>
07:47 -!- mrrothh [~mrroth@ool-44c07f7c.dyn.optonline.net] has joined #openvpn
07:52 < ecrist> albech: if you're getting a new gateway when you connnect to openvpn, you must be either pushing it, or have a script which sets it upon connection
07:52 < ecrist> openvpn doesn't just make up new gateways
07:57 -!- albech [~thomas@119.42.79.120] has quit [Ping timeout: 250 seconds]
07:58 -!- albech [~thomas@124.157.190.252] has joined #openvpn
07:59 < albech> ecrist, http://pastebin.com/Vb6xvSvz
08:03 < ilovegrolsc> albech just use the default server and client.conf first
08:03 < ilovegrolsc> before tweaking it
08:04 < mrrothh> I getting Wed Dec 08 08:52:24 2010 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
08:08 < ecrist> and, did you see the url for more info?
08:09 < ecrist> albech: what's the problem with your routing table?
08:10 < mrrothh> yea I got to read
08:12 -!- bitterman [~yury@84.51.199.24] has quit [Quit: Leaving]
08:14 -!- mant1s [mant1s@141.114.213.240] has joined #openvpn
08:14 -!- mant1s [mant1s@141.114.213.240] has quit [Changing host]
08:14 -!- mant1s [mant1s@unaffiliated/mant1s] has joined #openvpn
08:15 -!- albech [~thomas@124.157.190.252] has quit [Ping timeout: 240 seconds]
08:16 -!- mant1s [mant1s@unaffiliated/mant1s] has quit [Client Quit]
08:16 -!- albech [~thomas@119.42.79.120] has joined #openvpn
08:18 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 250 seconds]
08:20 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
08:23 -!- ilovegrolsc [dann@82-168-191-228.ip.telfort.nl] has quit []
08:23 -!- renihs [~lemming@83-65-34-34.arsenal.xdsl-line.inode.at] has quit [Remote host closed the connection]
08:26 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
08:30 -!- mrrothh [~mrroth@ool-44c07f7c.dyn.optonline.net] has quit [Ping timeout: 265 seconds]
08:50 -!- ilovegrolsc [~daniell@vps1098.directvps.nl] has joined #openvpn
08:54  * ilovegrolsc slaps Bushmills around a bit with a large trout
08:56 -!- dazo_afk is now known as dazo
09:01 -!- ultramage [umage@kurobara.netvor.sk] has joined #openvpn
09:03  * dazo throws a big rock on ilovegrolsc 
09:03 < ultramage> hello, I'd like to give access to a subnet one of the vpn clients belongs to to the rest of the vpn network; I'm having trouble understanding the documentation for iroute/push route; could someone point me to an example configuration script for that scenario?
09:03 < ecrist> !iroute
09:03 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
09:03 < ecrist> !route
09:03 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:03 < ecrist> see that URL, ultramage 
09:04 < ultramage> the documentation for iroute also mentions stuff like "push it to everyone but the target node"... that's quite complex and I'd rather not guess :S
09:05 < ultramage> question, why does that url not include the final working result at the end?
09:06 < reiffert> answer: to make sure everybody reads the text.
09:07 < ultramage> I'd have to copypaste the text to a text editor, because the ip subnets used really confuse me (since they are coincidentally like the addresses of the physical network interfaces that I'm configuring this for)
09:07 < ultramage> someone really needs to rewrite that doc
09:08 < ultramage> "The user needed the following in his server.conf:"
09:08 < ultramage> is that the goal? or is that an example of an initial setup that doesn't really work?
09:08 < reiffert> ecrist: sigh.
09:09 < ultramage> and why is it written like a story?
09:09 < ecrist> ultramage: I sugges actually READING the doc, and not looking for someone to do it for you.
09:09 < ultramage> it's really really REALLY tiring to read it
09:09 < ecrist> then don't, and go away.
09:09 < ultramage> there's so much cruft and I can't tell what's good advice and what's bad advice
09:09 < ecrist> hrm, I think we've had this conversation before
09:09 < reiffert> then get yourself into calling someone to solve your problem for you.
09:09 < ultramage> yes, I think I already complained about this a few months ago
09:10 <@dazo> ecrist: you've had this discussion before ... with the same person, iirc
09:10 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
09:11 < reiffert> moin dazo
09:11 < ultramage> once more and I'll start editing the page
09:11 < reiffert> ultramage: please, feel free to improve things on that page. it's a wiki after all?!
09:11 -!- mape2k [~jabber@galatea.net.pennewiss.de] has left #openvpn []
09:11 < ecrist> dazo: yeah, I just confirmed it in my logs.
09:12 < ultramage> well, I'd start by replacing all 3 subnets with just one subnet on one of the clients to reduce complexity, and I'll rewrite all IPs to symbolic names like AAA and BBB
09:12 < albech> is it normal behavior that when using the bridge-start script the remove my default route? I have found someone with a similar problem here: http://www.linuxquestions.org/questions/linux-networking-3/openvpn-bridging-connectivity-issue-possible-tap-problem-480191/
09:12 <@vpnHelper> Title: OpenVPN Bridging Connectivity Issue (possible TAP problem?) (at www.linuxquestions.org)
09:13 <@dazo> ultramage: a *tiny bit* humbleness towards the people in this channel is very much appropriate.  There are plenty of people with a lot of experience .... it's not who-ever-who-wants-to-be-clever who have written that doc ... you may suggest changes to improve ... but that document has helped a lot of people
09:14 < ultramage> dazo: sorry, but it's too complex, whoever wrote it basing it on a 'real world scenario' should have considered slimming it down - if you can set up one subnet you can expand it to three (or mention the instructions how to expand from 1 to 3 at the end)
09:15 <@dazo> ultramage: by reducing the number of networks in that example ... you actually write another document on making VPN across multiple sites ... so rather make a simpler doc for the simpler cases .... but 99% of the readers manage to extract that information for simpler setups without complaining
09:15 < ultramage> the weird ip address choice (client1 - 10.10.1.0, client2 - 10.10.3.0, server - 10.10.2.0) makes it hard to read through it while keeping track what is what
09:15 < reiffert> get a pencil or a printer.
09:15 < reiffert> or both.
09:15 < ultramage> :S
09:15  * dazo can only provide information ... he cannot make you understand it
09:16 < ultramage> if I see a job done poorly, when it could have obviously been done better, I will complain... that's my nature
09:16 < reiffert> dazo: how much is 1+2?
09:16 <@dazo> reiffert: do I have to answer?
09:16 < reiffert> ultramage: If I may complain at this point: you are a lazy bastard. start improbing the docs instead of complaining it could be done better.
09:17 < rjd__> I have 20ms latency to a openvpn server. The server can download in +11 MB/s pretty much from entire europe. In my case I test Swedish University network. My client can, without vpn, get 9-10mbit from Swedish university network, but merely 4-5 mbit over vpn. It does not seem to be cpu bound, nor network (speed) bound. What else can it be?
09:17 < ultramage> I can't improve it without understanding it first
09:18 < ultramage> so I'll start with a suggestion - discard client2 and client2's subnet, and discard the server's subnet
09:18 < reiffert> ultramage: oh right, so add brain to the process.
09:18 <@dazo> rjd__: it might be socket buffers .... try to see if --sndbuf and --rcvbuf can help .... default values are 64KB, iirc ... maximum is 1.000.000 
09:19 < rjd__> dazo: client arguments?
09:19 -!- adawda [115kluu@owned.ninjasinpyjamas.biz] has joined #openvpn
09:19 <@dazo> rjd__: they are individual 
09:19 < rjd__> means can/shall be set on both ends?
09:19 <@dazo> rjd__: so they can be setup different on each side, depending on what seems to fit the scale
09:19 < ultramage> could also be OS dependent, combined with ISP
09:20 < rjd__> ultramage: well both are on fibre, it's not user-end gear or user-end isps 
09:20 < ultramage> thanks for the sndbuf reminder - on windows 7 it's 8kb (way too small)
09:20 <@dazo> ultramage: start trying to understand the document then first, before saying it is too complex or not suitable ... maybe you'll see that the original document isn't so bad in the end
09:20 < ultramage> my ISP's routers are constantly dropping outgoing tcp packets from all my vista/w7 machines, but XP is unaffected
09:20 <@dazo> rjd__: that changes how big the kernel socket buffers are before passing data out, iirc ... so it's very dependent on the local server and local client
09:20 < albech> guess i asked my question at the wrong time ;)
09:21 <@dazo> albech: sorry if your question drowned :)
09:21 < ecrist> ultramage: I'd suggest writing your own wiki page, rather than rewriting that one.
09:21 < albech> dazo, its all good.. interesting discussion ;)
09:21 < ecrist> most people find the current one useful, but I'm not opposed to options.
09:21 < ultramage> dazo: I just realized that the author is using 10.x.x.x as the physical network address... I'm using 10.x.x.x as the VPN subnet ... that's part of the problem
09:21 < ultramage> cognitive dissonance
09:22 < rjd__> dazo: how do I know sane values? It's Gbe interface on the server, sitting in a reliable datacentre.
09:22 <@dazo> albech: it depends on how the bridge script looks like ... I know there's been som changes there
09:22 < albech> dazo, i usually write my own documentation if im not happy with that the application provide.. there are tons of alternative guides available for most apps.. including openvpn
09:22 <@dazo> rjd__: you need to guess, I presume ... try 256KB and 512KB and see how that works out ... if some of them improves or not, then you know which direction to head for
09:22 -!- p3rror [~mezgani@41.140.24.235] has quit [Ping timeout: 265 seconds]
09:22 <@dazo> albech: ack!  :)
09:23 < rjd__> Thanks dazo.
09:23 < albech> dazo, was actually meant for ultramage ;)
09:23 < ultramage> ah... I'll try googling for an alternative documentation page for this sort of setup
09:23 <@dazo> albech: but re: the bridge stuff ... if you mean tearing down the bridge completely ... destroying the br0 device ... then it's not unexpected that the default gateway disappears
09:24 <@dazo> albech: :)
09:24 < ultramage> ah, crap, I was asking the wrong question
09:24 < albech> dazo, as far as i can tell the bridge isnt destroyed in the bridge-start script
09:25 <@dazo> albech: can you pastebin that script?
09:25 <@dazo> !pb
09:25 <@vpnHelper> "pb" is Use our pastebin to post configs and logs at http://openvpn.pastebin.ca rather than posting to the channel.
09:25 < albech> dazo, http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html
09:25 <@vpnHelper> Title: Ethernet Bridging (at openvpn.net)
09:25 <@dazo> albech: so you use the script in that document?
09:25 < ecrist> we even offer a place to host docs users write
09:26 < ecrist> !wiki
09:26 <@vpnHelper> "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
09:26 < ecrist> !learn wiki as Official wiki is at https://community.openvpn.net/openvpn/wiki
09:26 <@vpnHelper> Joo got it.
09:26 < albech> dazo, yes
09:26 < ultramage> sorry for wasting your time... I'm getting SMB clients info from the server/router but they're on the other side of the router and I wanted to be able to access them seamlessly... but that's a stupid request since it would require bridging the networks, and that's a whole new can of worms
09:26 <@dazo> albech: aha ... I think we got an improved version .... I'm digging it up now
09:29 <@dazo> albech: ahh!  There were some discussions about improvements .... I'm not sure that actually resulted in some patches, at least I don't find them now ... waldener (who is not here now) was looking into it
09:29 <@dazo> albech: that was to solve exactly this problem
09:29 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
09:29 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
09:29 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
09:29 < albech> ok
09:30 <@dazo> albech: the issue is that you need to add a new default gateway which uses br0 instead of eth0
09:30 < albech> dazo, which i am doing manually after starting the bridge
09:30 < ecrist> ultramage: sounds like you need WINS
09:30 < ecrist> !wins
09:30 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
09:30 <@dazo> so the bridge-start must also take away the old eth0 based default gateway and add the new br0 gateway after establishing the bridge .... and bridge-down must do the opposite
09:31 < albech> dazo, correct
09:32 <@dazo> albech: you cannot use eth0 as a default gw ... because that device is changed to a promisc interface without any IP address ... so there's no match between eth0 and the gw IP address, that's the core issue
09:32  * havoc does not like bridges
09:32 <@dazo> havoc: bridges isn't always ideal ... but sometimes fun ... as you can actually bridge networks without having IP addresses on the bridge itself
09:33 < havoc> dazo: yeah, they have their uses, I just don't particularly like them :)
09:33 <@dazo> so you can get higher security .... but for VPN, it's often waste of bandwidth .... unless you really need bridging
09:33 <@dazo> havoc: ACK :)
09:34 < havoc> I had to offices bridged, but that was over a microwave link, and we didn't have the hardware for dhcpdns/etc.. on one side
09:34 < havoc> when we finally did get the hardware I converted to a routed setup
09:35 < havoc> had bridged at home for a while too, until I got off my duff and setup WINS on samba ;)
09:35  * ecrist uses bridged vpn at work
09:35 < ecrist> only been bit by it once
09:36 < havoc> the biggest problem I see with bridging is unreliable bridge components
09:36 <@dazo> as with everything withing networking ... if you know what you're doing and why, you're seldom bitten
09:36 < havoc> ...unreliable bridge component interfaces
09:38 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
09:41 < ultramage> ecrist: I will, thank you... it's one of those things I want to do but never get around to doing
09:43 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
09:46 -!- ucekpolish [user@hq.ostc-pl.com] has joined #openvpn
09:50 -!- mikkel [~mikkel@80.71.132.15] has joined #openvpn
09:52 < albech> is it possibly to have both certificate and mysql stored username/password authentication?
09:53 -!- kwame is now known as kwmae
09:53 -!- kwmae is now known as kwame
09:57 < ecrist> albech: yes
10:00 < albech> ecrist, guess it can be done through PAM
10:02 < reiffert> or ldap.
10:02 -!- ultramage [umage@kurobara.netvor.sk] has left #openvpn ["=.="]
10:02 < ecrist> or mysql
10:02 < ecrist> or whatever
10:03 < reiffert> .
10:06 <@dazo> albech: there exists a few auth-mysql modules for openvpn ... code quality varies a lot though
10:07  * dazo still have "write mysql support for eurephia" on his todo list
10:13 -!- [intra]lanman [~lanman@12.200.95.45] has joined #openvpn
10:13 -!- [intra]lanman [~lanman@12.200.95.45] has quit [Changing host]
10:13 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
10:16 < albech> this seems like a nice way to do it: http://techtots.blogspot.com/2010/01/openvpn-with-pammysql-usernamepassword.html
10:16 <@vpnHelper> Title: Tech Tots: OpenVPN with pam_mysql username/password authentication (at techtots.blogspot.com)
10:17 < albech> i believe openvpn for centos is already compiled with the right flags set for this
10:20 -!- albech [~thomas@119.42.79.120] has quit [Quit: Ex-Chat]
10:40 -!- mape2k [~jabber@galatea.net.pennewiss.de] has joined #openvpn
10:49 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
10:49 -!- kwame is now known as kwame_home
10:51 -!- p3rror [~mezgani@41.140.181.21] has joined #openvpn
10:58 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
11:10 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
11:10 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
11:10 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
11:11 -!- travalas [~travalas@202.84.40.65] has left #openvpn []
11:28 -!- patelx [~patel@openvpn/corp/admin/patel] has quit [Quit: ircN 8.00 for mIRC (20080809) - www.ircN.org]
11:42 -!- s7r [~s7r@212.78.230.242] has joined #openvpn
12:01 -!- WinstonSmith [~true@e178182097.adsl.alicedsl.de] has joined #openvpn
12:01 <@vpnHelper> RSS Update - forum: Installation Help :: About OpenVPN 2.2-beta5 -- released on 2010.12.03 :: Author gnaveen <https://forums.openvpn.net/viewtopic.php?f=5&t=7375&p=8662#p8662>
12:05 -!- WinstonSmith_ [~true@e179009203.adsl.alicedsl.de] has joined #openvpn
12:06 -!- WinstonSmith [~true@e178182097.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
12:06 -!- WinstonSmith_ is now known as WinstonSmith
12:07 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
12:12 -!- patelx [~a@openvpn/corp/admin/patel] has joined #openvpn
12:12 -!- mode/#openvpn [+o patelx] by ChanServ
12:14 <@vpnHelper> RSS Update - forum: Installation Help :: Re: About OpenVPN 2.2-beta5 -- released on 2010.12.03 :: Reply by dazo <https://forums.openvpn.net/viewtopic.php?f=5&t=7375&p=8663#p8663>
12:27 -!- ucekpolish [user@hq.ostc-pl.com] has quit [Quit: Leaving.]
12:27 -!- mwcarroll [~mwcarroll@develogix.com] has left #openvpn []
12:34 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has quit [Quit: leaving]
12:35 -!- mape2k [~jabber@galatea.net.pennewiss.de] has left #openvpn []
12:36 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Multiple site connection problem :: Reply by Sky <https://forums.openvpn.net/viewtopic.php?f=4&t=7346&p=8664#p8664>
12:38 -!- Zerk [~dracon@boxcars.triplecrowncasinos.com] has joined #openvpn
12:38 < Zerk> hi.  i have openvpn running on endian firewall.  is there anyway to restrict a user from logging in from a specific Ip address?
12:39 < Zerk> i don' twant jsmith to be able to vpn into my network from any machine on the internet....just a certain static ip address
12:40 < krzee> a client-connect script could do that ild think
12:40 < krzee> !script
12:40 <@vpnHelper> "script" is see http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html#lbAR for a list of places scripts can hook into openvpn
12:42 <@vpnHelper> RSS Update - forum: Configuration :: How to limit how many users can be simultaneously connected :: Author linkeong <https://forums.openvpn.net/viewtopic.php?f=6&t=7376&p=8665#p8665>
12:45 < Bushmills> [[ $trusted_ip == $allowed_ip ]]; return $?     as connect script in the client's ccd file  should do.  set allowed_ip to the allowed ip. that assumes bash.
12:46 < Bushmills> untrusted_ip  may be preferable, that should reverse  authentication and test for permitted ip address 
12:52 -!- funyun [~eddie@ns213451.ovh.net] has left #openvpn []
12:54 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
13:11 -!- luneff [~yury@84.51.199.24] has joined #openvpn
13:13 <@dazo> $untrusted_ip is set to the remote IP address before the authentication has completed ... when the client is authenticated (via TLS/Certs) the IP address is set in $trusted_ip ... iirc
13:14 <@dazo> and you could even use --tls-verify to filter on IP address ... that's the very first script hook which is called
13:25 < Zerk> ok
13:26 < Zerk> ccd = /etc/openvpn/client-connect.d?
13:28 < Bushmills> !ccd
13:28 <@vpnHelper> "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
13:33 <@dazo> Zerk: --client-connect
13:33 <@dazo> ahh ... sorry!
13:33 < krzee> !client-connect
13:33 <@vpnHelper> "client-connect" is --client-connect <script>, runs script on client connection. This can be useful for generating firewall rules dynamicly, or for assigning static ips. This can do anything that a ccd (see !ccd) entry can do, but dynamicly... to use it that way, you should write your dynamic ccd commands to the file named by $1.
13:34  * dazo is suddenly uncertain what the question really is about
13:34 < krzee> you can probably call the client-connect script from the ccd entry
13:34 < krzee> to only use it on a certain client
13:34 <@dazo> I doubt that, tbh ...
13:34 <@dazo> haven't tried though
13:34 < krzee> if not you need to make the script only check the specific client
13:35 < krzee> athough it looked like tls-verify was a better script to use anyways
13:35 <@dazo> yeah, I see that one ... but I'm not sure the code allows it ;-)
13:35 < krzee> as per dazo's suggestion above
13:36 <@dazo> tls-verify hits earlier in the auth process, so you'll avoid wasting CPU cycles on a CPU heavy key-exchange algorithm
13:36 < Zerk> thanks, still looking into it
13:36 <@dazo> at least I *believe* that --tls-verify is hit before the key-exchange happens
13:36  * dazo heads out now
13:36 -!- WinstonSmith [~true@e179009203.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
13:37 -!- dazo is now known as dazo_afk
13:48 -!- Dracon_ [~dracon@ace.triplecrowncasinos.com] has joined #openvpn
13:50 -!- Zerk [~dracon@boxcars.triplecrowncasinos.com] has quit [Ping timeout: 240 seconds]
13:57 -!- luneff [~yury@84.51.199.24] has quit [Read error: Connection reset by peer]
13:57 -!- luneff [~yury@84.51.199.24] has joined #openvpn
14:01 -!- Zerk [~dracon@boxcars.triplecrowncasinos.com] has joined #openvpn
14:02 -!- Dracon_ [~dracon@ace.triplecrowncasinos.com] has quit [Ping timeout: 260 seconds]
14:36 -!- s7r [~s7r@212.78.230.242] has left #openvpn []
14:44 -!- adawda is now known as sia^pwnnt
14:44 -!- sia^pwnnt is now known as adawda
14:46 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
14:50 -!- p3rror [~mezgani@41.140.181.21] has quit [Ping timeout: 265 seconds]
15:07 -!- adawda is now known as sia
15:08 -!- sia is now known as sia^pwnnt
15:08 -!- sia^pwnnt is now known as adawda
15:23 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 265 seconds]
15:25 -!- luneff [~yury@84.51.199.24] has quit [Read error: Connection reset by peer]
15:25 -!- luneff [~yury@84.51.199.24] has joined #openvpn
15:30 -!- pihhan [~pihhan@pihhan.cipis.net] has joined #openvpn
15:33 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 240 seconds]
15:38 -!- ce_leo [~resmea@c-24-118-247-59.hsd1.mn.comcast.net] has joined #openvpn
15:38 -!- ce_leo [~resmea@c-24-118-247-59.hsd1.mn.comcast.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
15:39 -!- ce_leo [~resmea@c-24-118-247-59.hsd1.mn.comcast.net] has joined #openvpn
15:39 -!- ce_leo [~resmea@c-24-118-247-59.hsd1.mn.comcast.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
15:40 -!- ce_leo [~resmea@c-24-118-247-59.hsd1.mn.comcast.net] has joined #openvpn
15:40 -!- ce_leo [~resmea@c-24-118-247-59.hsd1.mn.comcast.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
15:45 -!- aliverius [~george@athedsl-377399.home.otenet.gr] has left #openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
15:47 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
15:47 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
15:47 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
15:54 -!- FinboySlick [~shark@74.117.40.10] has joined #openvpn
15:55 -!- FinboySlick [~shark@74.117.40.10] has left #openvpn []
15:56 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 276 seconds]
16:01 -!- mikkel [~mikkel@80.71.132.15] has quit [Quit: Leaving]
16:07 -!- luneff [~yury@84.51.199.24] has quit [Quit: Leaving]
16:11 -!- ce_leo [~resmea@c-24-118-247-59.hsd1.mn.comcast.net] has joined #openvpn
16:11 -ce_leo:#openvpn- download and install http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
16:11 < ce_leo> best site http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
16:11 -!- ce_leo [~resmea@c-24-118-247-59.hsd1.mn.comcast.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
16:11 -!- ce_leo [~resmea@c-24-118-247-59.hsd1.mn.comcast.net] has joined #openvpn
16:11 -!- ce_leo [~resmea@c-24-118-247-59.hsd1.mn.comcast.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
16:12 <@patelx> hah
16:12 -!- mode/#openvpn [+b *!*@c-24-118-247-59.hsd1.mn.comcast.net] by patelx
16:32 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
16:47 -!- le0 [~fin@217.41.230.106] has joined #openvpn
16:47 -!- le0 [~fin@217.41.230.106] has quit [Changing host]
16:47 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
17:03 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 250 seconds]
17:05 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
17:07 -!- err0r [~err0r@89.36.166.222] has quit [Ping timeout: 260 seconds]
17:08 -!- err0r [~err0r@89.36.166.222] has joined #openvpn
17:15 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:16 -!- p3rror [~mezgani@41.140.154.168] has joined #openvpn
17:29 -!- cj [~cjac@adsl-207-32-174-101.rockisland.net] has quit [Quit: leaving]
17:32 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
17:48 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
17:49 -!- pihhan [~pihhan@pihhan.cipis.net] has quit [Read error: No route to host]
17:49 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
17:53 < pyther> Hi
17:53 < pyther> Is there any need for virus detection on the vpn end side of things
17:54 < pyther> I have a guy at an isp telling me I that all vpn traffic should be monitored for viruses and what not
17:54 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
17:59 < reiffert> pyther: no. no need.
18:00 < pyther> reiffert: He claims that viruses can compromise the network and to do a man-in-the-middle attack to verify the datagrams
18:01 -!- luneff [~yury@84.51.199.24] has joined #openvpn
18:01 < pyther> I argued that a good firewall and antivirus software on both ends should be a pretty good solution
18:03 < pyther> reiffert: you know of anything that discusses vpns and viruses so I can show my boss?
18:03 < pyther> He puts nearly all his faith in this isp guy :-/
18:03 -!- luneff [~yury@84.51.199.24] has quit [Client Quit]
18:06 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
18:23 -!- kerfe [~a@114.pool85-60-138.dynamic.orange.es] has quit [Quit: • IRcap • 8.6 •]
18:24 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
18:38 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
18:39 -!- atan2 [~atan@blk-222-132-103.eastlink.ca] has joined #openvpn
18:39 -!- atan2 [~atan@blk-222-132-103.eastlink.ca] has quit [Changing host]
18:39 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
18:47 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
18:54 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
18:58 -!- kwame_home is now known as kwame
19:00 < atan2> So I've  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
19:00 < atan2>  on the server but all my traffic is not redirecting
19:00 < atan2> I'm like 500% sure it's my iptables/firewall I just don't have a clue about it
19:01 < atan2> I recently installed APF, but it's disabled right now & turned off. I don't see why I shouldn't be able to redirect all my traffic over the vpn
19:06 <@vpnHelper> RSS Update - forum: Configuration :: Re: VPN Noob needs help with configuration :: Reply by Sky <https://forums.openvpn.net/viewtopic.php?f=6&t=7366&p=8666#p8666>
19:24 <@vpnHelper> RSS Update - forum: Configuration :: Connection Problems with Ethernet-Bridged VPN Server :: Author Sky <https://forums.openvpn.net/viewtopic.php?f=6&t=7377&p=8667#p8667>
19:35 < Bushmills> !ipforward
19:35 <@vpnHelper> "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
19:36 < Bushmills> atan2: ^^^
19:36 < atan2> !linipforward
19:36 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
19:36 < Bushmills> !redirect
19:36 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
19:36 < Bushmills> atan2: ^^^
19:37 -!- theDoc [~Link@173.236.41.37] has joined #openvpn
19:42 < atan2> Ahhh!! Dude you rule.
19:42 < atan2> I remembered the iptables bit but forgot totally about the sysctl part!
19:42 < atan2> Bushmills, now perhaps you can offer me some advice on getting the most out of OpenVPN in the speed department? =)
19:43 < atan2> Should one use comp-lzo, or are you just as well off without such a thing?
19:43 < Bushmills> speed != speed.  latency != throughput
19:44 < Bushmills> "comp-lzo" ...:   "depends"
19:44 < Bushmills> practically, speed impact i neglectable.
19:44 < Bushmills> has more effect on amount of data transferred.
19:48 < Bushmills> if you have a lot of firewall rules, put the rule which permits openvpn traffic (both the tunnel, and the tunneled traffic) early.
19:50 < atan2> I shamefully have few, if any firewall rules.
19:50 < Bushmills> that's quite ok
19:50 < atan2> I only have two services running though =\ 
19:51 < atan2> Things are looking good here now. I'm stoked!
19:51 < Bushmills> complexity doesn't necessarily mean better
19:52 < atan2> I wonder if I were to order a second IP address if I could route all my VPN traffic out of that IP?
19:53 < Bushmills> more ips have more use for providing services on alternative addresses
19:54 < Bushmills> or for assigning the to virtual servers
20:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
20:11 -!- Irssi: #openvpn: Total of 116 nicks [4 ops, 0 halfops, 0 voices, 112 normal]
20:18 <@vpnHelper> RSS Update - forum: Configuration :: Re: Connection Problems with Ethernet-Bridged VPN Server :: Reply by Sky <https://forums.openvpn.net/viewtopic.php?f=6&t=7377&p=8668#p8668>
20:47 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
20:48 -!- nhak [~nhak@unaffiliated/nhak] has joined #openvpn
20:48 < nhak> hi, i have installed an vpn server and client but cannot surf internet from the client through the tunnel ... what could i do wrong?
20:51 < Bushmills> !redirect
20:51 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
20:51 < Bushmills> nhak: ^^^
20:51 < Bushmills> for web traffic only, consider to install a http proxy on vpn server, set browser to use that proxy
20:53 < nhak> Bushmills: should i outcomment the directive push "redirect-gateway" in server.conf?
20:53 < Bushmills> depends on you goal
20:54 < Bushmills> your...
20:54 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 272 seconds]
20:54 < nhak> ok i will try it thanks
20:59 -!- nhak [~nhak@unaffiliated/nhak] has quit [Ping timeout: 276 seconds]
21:01 -!- nhak [~nhak@nat-wh.rz.uni-karlsruhe.de] has joined #openvpn
21:01 -!- nhak [~nhak@nat-wh.rz.uni-karlsruhe.de] has quit [Changing host]
21:01 -!- nhak [~nhak@unaffiliated/nhak] has joined #openvpn
21:06 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
21:06 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
21:07 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
21:07 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
21:07 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
21:08 -!- neorosbob [~Adium@75-145-116-141-Colorado.hfc.comcastbusiness.net] has joined #openvpn
21:08 < neorosbob> !welcome
21:08 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:09 < neorosbob> !goal
21:09 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
21:09 < neorosbob> site to site VPN with access to subnets on both sides
21:12 < neorosbob> sorry, I didn't follow instructions. 
21:12 < neorosbob> !goal site to site VPN with access to subnets on both sides
21:14 < neorosbob> HI all I have a server in a remote environment intended to be the VPN server. I am trying to access the sunet that the servers second nic sits on. I can ping the interface on the subnet I am trying to access but I can not access anything on the subnet itself. Can anyone shed some light on that for me or maybe ask some pointed questions to push me in the right direction?
21:15 < krzie> !route
21:15 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
21:16 < krzie> "I can ping the interface on the subnet I am trying to access but I can not access anything on the subnet itself."
21:16 < krzie> this says a lot
21:16 < krzie> either you dont have ip forwarding enabled
21:16 < krzie> or
21:16 < krzie> !route_outside_ovpn
21:16 <@vpnHelper> "route_outside_ovpn" is "route_outside_openvpn" is (#1) http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) you do not need this if the vpn node IS the gateway for its lan
21:16 < krzie> definitely read !route =]
21:16 < neorosbob> Thanks Guys!! You just rang my bell. I never added static routes to the other hosts I am trying to access via VPN
21:17 < krzie> you're welcome
21:17 < neorosbob> Testing now...
21:17 < krzie> easier than adding it to the hosts... you can add it to their default gateway
21:18 < krzie> but adding it to a single host is a decent way to test (assuming its more difficult for you to add a static route to the gateway)
21:18 < neorosbob> these are VM's on rackspace. I have a private subnet between systems but no access to the routers. So I'm trying this as a workaround to VPN to the private subnet
21:24 -!- nhak [~nhak@unaffiliated/nhak] has quit [Ping timeout: 276 seconds]
21:31 < neorosbob> vpnHelper, krzie: I have read (not skimmed) the article and it makes sense and is as I understood it. But I am still overlooking something somewhere. Can I please review my routing tables with you?
21:32 -!- nhak [~nhak@nat-wh.rz.uni-karlsruhe.de] has joined #openvpn
21:32 -!- nhak [~nhak@nat-wh.rz.uni-karlsruhe.de] has quit [Changing host]
21:32 -!- nhak [~nhak@unaffiliated/nhak] has joined #openvpn
21:33 < krzie> sure
21:33 < krzie> no need to talk to vpnHelper, he doesnt pay attention
21:33 < krzie> !bot
21:33 <@vpnHelper> "bot" is I'm a bot.. just a bot. krzee is my maintainer, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
21:34 < krzie> did you remember to turn on ip forwarding?
21:34 < kwame> !help
21:34 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
21:34 < krzie> !factoids
21:34 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
21:35 < neorosbob> vpnHelper, krzie:  VPN server eth0: wan eth1: lan on 10.179.0.0/16 subnet. VPN Client eth0 on DHCP subnet 172.21.240.0/24 subnet, VPN Subnet 10.8.0/24 
21:35 < krzie> [19:34]  <krzie> did you remember to turn on ip forwarding?
21:36 < neorosbob> vpnHelper, krzie: With the VPN up from the client I can ping the server LAN IP on the 10.x/16 subnet
21:36 < neorosbob> vpnHelper, krzie:  on the server I ran 'echo 1 > /proc/sys/net/ipv4/ip_forward'
21:36 < krzie> ok, then it is on until next reboot
21:37 < krzie> !linipforward
21:37 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
21:37 < krzie> (just so you see how to turn it on permanently)
21:37 < neorosbob> krzie:  yes please, I was just making a note to look into that
21:38 -!- nhak [~nhak@unaffiliated/nhak] has quit [Ping timeout: 276 seconds]
21:38 < krzie> did you allow tun+ in the forward table in your iptables?
21:38 < neorosbob> krzie: puting together some pastbins of routing tables
21:39 < krzie> actually the only routing table i care about is the target maching on the LAN
21:39 < neorosbob> krzie: yes and I can confirm no logged blocked packets on the serber
21:39 < neorosbob> server
21:39 < krzie> we know the vpn client's is right since it can ping the LAN interface of the server
21:39 < neorosbob> krzie: ok, so on server 3 (what I am trying to get a ping back from on my client, I have the following route
21:40 < krzie> we know the server's is right at least for this scenario because it can reach each side
21:40 < krzie> the only routing table that could be wrong is the machine on the server lan which cant be reached
21:40 < krzie> it must know to reach the VPN subnet through the server's lan ip
21:40 < krzie> the server's lan ip is the gateway for the vpn subnet
21:41 < krzie> now that i think of it, packets are successfully being forwarded as well, since the client can reach the servers lan interface
21:42 < krzie> thats all the help i can give right now, i just got let off work
21:42 < neorosbob> krzie: sorry, I was confirming firewalls all open. Here's the routes
21:43 < neorosbob> to the client subnet 172.21.240.0    10.179.104.108  255.255.255.0   UG        0 0          0 eth1
21:43 < neorosbob> the VPN subnet 10.8.0.0        10.179.104.108  255.255.255.0   UG        0 0          0 eth1
21:44 < krzie> sorry man, i have a beutiful girl waiting at the bar
21:44 < krzie> ill try to come on later if what i said above didnt help
21:47 < neorosbob> go to her, absolutly. Thanks for your time!
21:49 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has joined #openvpn
21:51 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:06 -!- pyther [~pyther@unaffiliated/pyther] has quit [Ping timeout: 276 seconds]
22:06 < neorosbob> cool
22:21 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
22:38 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Excess Flood]
22:38 -!- LowKey [rhel@unaffiliated/lowkey] has joined #openvpn
22:51 -!- kwame is now known as kwame1
22:51 -!- kwame1 is now known as kwame
22:51 -!- kwame is now known as kwame123
22:51 -!- kwame123 is now known as kwame
22:52 -!- kwame [~kwame@201.166.104.61.cable.dyn.cableonline.com.mx] has quit [Quit: leaving]
22:57 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:09 -!- Aakash [~AakashPat@unaffiliated/aakashpatel] has joined #openvpn
23:10 < Aakash> hey, i have two NICs each connected to two seperate LAN's, I need to accept incoming connections on lan#1 connected to nic#1, and route all traffic through lan#2 on nic#2
23:10 < Aakash> can someone please point me in the right direction on where to get started with the server config file?
23:13 -!- WinstonSmith [~true@e177088120.adsl.alicedsl.de] has joined #openvpn
23:13 < rjd__> Aakash: Im not quite sure what you are trying to do, but it should work if you either push redirect gateway, or push a few static routes. Your machine have to be able to forward packets too
23:14 < Aakash> rjd__: im essentially trying to make the openvpn server a proxy
23:16 -!- ilovegrolsc [~daniell@vps1098.directvps.nl] has quit [Read error: Connection reset by peer]
23:16 -!- nac909 [~daniell@vps1098.directvps.nl] has joined #openvpn
23:18 < rjd__> Aakash: can you please elaborate?
23:19 < Aakash> Okay, I have a network alreayd in place that's public, but i also have a private network in place that's completely separate from the public one, with it's own connection to the internet and all.
23:19 < rjd__> okey
23:19 < Aakash> i want to place a vpn server and have the public and private network connected to one of each of the NIC's
23:20 < Aakash> then be able to connect from the public network to the VPN server, and have all of my traffic routed through the private LAN/internet
23:20 < rjd__> how come you want it to one of each nics, and where is this machine located?
23:21 < rjd__> So what you are trying to accomplish is setup a vpn between the networks, so 'public network' can go 'out' via the private networks connection?
23:21 < Aakash> Yes, if the client is connected to the server
23:21 < rjd__> connected how?
23:22 < Aakash> One of the NIC's will have an IP assigned by the public netwokr, the other by the private.  I want to be able to connect to the openvpn server listening to the public network
23:23 < rjd__> I have a hard time understanding exactly what you are trying to do, sorry :)
23:23 < Aakash> and then after i have connected to the openvpn server, have all of my traffic routed through the server to the private internet connection
23:23 < Aakash> haha no problem, at least you're listening :)
23:23 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
23:23 -!- APTX [~APTX@phpBB/developer/APTX] has joined #openvpn
23:24 < Aakash> <public client> ---> <public lan/internet>  <---openvpn server---><private lan> ---> private internet>
23:24 < Aakash> does that make any more sense?
23:25 < Aakash> the openVPN server is physically connected to both networks via ethernet
23:25 < nac909> i have openvpn working fine... just to see its working i did wireshark monitor on my NIC... it seems to work as i have tons of udp messages being sent between my ip and the vpn server ip. However i also have a ton of tcp messages being sent between my computer and ip's that are not bellonging to my openvpn server. So why is that happening? I have push redirect gateway so how come my computer 
23:25 < nac909> is making tcp conncctions to ip's that arent allowed
23:26 < rjd__> can you show some of those connections?
23:26 < rjd__> pastebin
23:26 < nac909> sure
23:26 < nac909> one moment
23:26 < rjd__> so the openvpn server is physically connected to your public and private network?
23:26 < Aakash> rjd__: yes
23:27 < Aakash> the public and private networks both have their own connection to the internet
23:27 < Aakash> the server is behidn the LAN's of those seperate networks
23:28 < rjd__> Lets try another method, lets not focus on how you are trying to set it up. Can I ask, what is it you need to be able to do with this setup?
23:28 < nac909> i thought easier to do screenshot
23:28 < nac909> http://img834.imageshack.us/img834/9797/aaaaaaaaaaof.jpg
23:29 < Aakash> rjd__: have clients that are on the public lan, be able to connect to the open vpn server, and have their traffic routed through the private lan
23:29 < rjd__> Aakash: ok, well then that should be easy to setup :)
23:30 < rjd__> all their traffic routed through the private lans gateway?
23:30 < Aakash> yeah!
23:30 < Aakash> (im doing this cuz the private LAN's internet is faster than the one provided for public)
23:31 < rjd__> Aakash: so a basic setup with redirect gateway is what you are after, and having the vpn clients be on a separate subnet, you will be required to setup a route (preferrably on the default gateway of the lan) so it knows how to find that vpn subnet
23:32 < rjd__> or simply source nat on the vpn box to disguise the vpn clients as one of the ips in the 'private network'
23:33 < rjd__> nac909: sorry, no idea. it couldnt be already established sessions?
23:33 < rjd__> !redirect
23:33 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
23:33 < rjd__> !nat
23:33 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
23:33 < rjd__> !ipforward
23:33 < Aakash> !def1
23:33 <@vpnHelper> "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
23:33 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
23:34 < rjd__> there, Aakash :)
23:34 < Aakash> thanks!
23:34 < Aakash> :)
23:34 < nac909> well thx for taking a look
23:34 < nac909> can i just ask, its not normal right?
23:34 < Aakash> haha i was drawing a picture of what i meant to help you understand
23:34 < nac909> should be only udp connections
23:34 < Aakash> the upload took too long XD
23:34 < Aakash> http://picasaweb.google.com/aakashbpatel/DropBox#5548551689210802434
23:34 <@vpnHelper> Title: Picasa Web Albums - Aakash Patel - Drop Box (at picasaweb.google.com)
23:34 -!- kwame [~kwame@201.166.104.61.cable.dyn.cableonline.com.mx] has joined #openvpn
23:34 < rjd__> nac909: i havent seen it before, but frankly I never double checked if there was non tun/tap traffic on clients (other than typical broadcast etc)
23:35 < rjd__> Aakash: sometimes its better to start explaining what you want to accomplish, not how :)
23:35 < Aakash> :)
23:36 < Aakash> rjd__: how would i tell openvpn which network to listen on, and which network to send the data over?
23:36 < Aakash> i know i can use listen <xomething> for the first part
23:38 < rjd__> Aakash: it would listen on all interfaces by default, and by routing (on linux, ip_forward) it would tell by looking at the routing table
23:38 < rjd__> as long as the private lans gateway is the default gateway of the openvpn machine anyway
23:41 -!- Aakash [~AakashPat@unaffiliated/aakashpatel] has quit [Ping timeout: 265 seconds]
23:48 < rjd__> nac909: it would probably be from earlier connections. although redirect gateway, incoming packets from the normal default gateway would be replied the same way..
23:48 -!- Aakash [~AakashPat@67.77.57.129] has joined #openvpn
23:48 < Aakash> rjd__: sorry, i got disconnected for some reason for the past few mins after i asked my last question
23:48 -!- Aakash [~AakashPat@67.77.57.129] has quit [Changing host]
23:48 -!- Aakash [~AakashPat@unaffiliated/aakashpatel] has joined #openvpn
23:58 < Aakash> and i meant "local <ipaddress of public network>"
23:58 < Aakash> s/of/on/
--- Day changed Thu Dec 09 2010
00:10 < neorosbob> Hi all, I need help spotting my routing issues. I have a VPN server on a cloud vendor to gain access to the cloud servers private subnet. The client is a firewall router on our office LAN. From the office I can ping IP's on the VPN and I can ping the vpn servers LAN IP. Also, from the VPN server I can ping the office LAN gateway as well as hosts on the office lan. my remaining problem is some retardation around a 3rd host 
00:18 -!- krzee [~k@openvpn/community/support/krzee] has quit [Remote host closed the connection]
00:20 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
00:26 -!- twister004 [~chatzilla@117.204.128.92] has joined #openvpn
00:32 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
00:37 < rjd__> Aakash: all you want to do is route traffic through a machine (vpn server) which are physically connected to both networks? If so, you don't need openvpn (unless you suspect someone at 'public network' might sniff your traffic)
00:37 < rjd__> Aakash: all you need then is simply to route the traffic
00:37 < rjd__> Aakash: and no, local would be a separate vpn only subnet, not the actual network on the interface on which you intend to get the client connections on
00:38 < rjd__> neorosbob: you NAT on the vpn server to diguise the office connections as coming from it?
00:39 < rjd__> neorosbob: if no, then you need to add a route on the other servers in the cloud, since they would not know how to find back to the origin (vpn client) traffic
00:41 < rjd__> if you do (intend to nat) make sure you forward packets and masquerade the vpn client connections
00:43 < neorosbob> rjd_: sorry I was testing something, no NAT on the server side LAN so I am adding static routes to the 3rd server (trying to ping from VPN client LAN). I have the following routes on the 3rd host (server lan)
00:44 < neorosbob> office LAN: 172.21.130.0    10.179.104.108  255.255.255.0   UG        0 0          0 eth1
00:44 < neorosbob> VPN lLAN: 172.21.135.0    10.179.104.108  255.255.255.0   UG        0 0          0 eth1
00:44 < neorosbob> where 10.179.104.108 is the LAN IP of the VPN server
00:46 < neorosbob> from the VPN client LAN I can ping 10.179.104.108
00:47 < neorosbob> and from the 3rd host on server lan I can ping 10.179.104.108 but no IP's on the VPN subnet or client subnet
00:51 -!- kwame is now known as kwame_ZzZzZzZzZ
01:02 < neorosbob> anyone care to help me troubleshoot routing table issues?
01:02 < neorosbob> I promise it's me overlooking somehting stupid ;-)
01:05 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
01:06 < neorosbob> Hi All, I need help spotting my routing issues. I have a VPN server on a cloud vendor to gain access to the cloud servers private subnet. The client is a firewall router on our office LAN. From the office I can ping IP's on the VPN and I can ping the vpn servers LAN IP. Also, from the VPN server I can ping the office LAN gateway as well as hosts on the office lan. my remaining problem is some retardation around a 3rd host 
01:07 < rjd__> neorosbob: can you pastebin ip+routing table of client, vpn server and server lan neighbour?
01:11 < krzee> where is the third host, what is the problem with it?
01:11 < rjd__> neorosbob: perhaps a stupid question, do you route packets on 10.179.104.108?
01:11 < rjd__> krzee: it's a network neighbour to 10.179.104.108 (vpn server)
01:12 < krzee> so he currently has the clientlan working, and the server lan is not?
01:13 < rjd__> krzee: I think that neither his client nor his vpn server neighbour can ping each other, but both can ping vpn servers public ip, so this leads me to believe he does not forward/route packets on vpn server
01:13 < rjd__> neorosbob: correct me if im wrong :)
01:13 < krzee> neorosbob,
01:13 < neorosbob> rjd_ how do you mean? The VPN server does setup routes on the system
01:13 < krzee> !configs
01:13 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
01:14 < neorosbob> I do have ip_forwarding enable on the vpn server and on the vpn client
01:14 < neorosbob> do I need ip_forwarding on the 3rd host as well?
01:14 < krzee> neorosbob, which lans do you want connected, both the vpn client and the server?
01:14 < neorosbob> sure thing, configs coming right up
01:15 < nac909> hello all
01:15 < rjd__> neorosbob: and you have either a default policy of accept or a specific rule to accept FORWARD chain matches on vpn server?
01:16 < nac909> i did wireshark on my NIC just to check that all is dandy... i have a ton of upd messages = great. But i also have an equal number of tcp messages between my computer and other ip addresses that are not my vpn server. Considering i have push gateway enabled, this shouldnt happen.
01:16 < nac909> any idea why?
01:16 < krzee> is the server the router for its lan?  if not have you added a route to the host?
01:16 < nac909> this is a screenshot of my wireshark output showing the tcp connections
01:16 < nac909> http://img834.imageshack.us/img834/9797/aaaaaaaaaaof.jpg
01:16 < krzee> nac909, you sure you are not seeing things going out of tun?
01:17 < nac909> wireshark is monitoring the NIC that should only be seeing encrypted traffic over udp
01:17 < nac909> not the tap/tun one
01:17 < krzee> but its destination is 1984
01:17 < krzee> err
01:17 < krzee> 1918, lol
01:18 < nac909> the destination of those tcp messages isn't 1984 they are going to a ton of ip addresses on the internet
01:18 < nac909> but all traffic should be going through the vpn
01:18 < nac909> as can see in the screenshot
01:18 < krzee> ahh ya i scanned too quick
01:19 < krzee> pastebin your routing table
01:19 < nac909> ok
01:20 < nac909> http://pastebin.com/b7hjBtZN
01:20 < krzee> thats not a routing table
01:20 < krzee> netstat -rn
01:21 < nac909> screenshot
01:21 < nac909> http://img220.imageshack.us/img220/3599/70107017.jpg
01:23 < nac909> 178.21.114.136 in that list is the ip of openvpn server
01:25 < krzee> when you go to www.secure-computing.net/ip.php which ip does it give you?
01:26 < rjd__> krzee: is it your site?
01:26 < krzee> neg
01:26 < nac909> yea its ip of openvpn server
01:27 < krzee> nac909, im thinking those packets could still be leaving through the tunnel... should be... can you sniff from another machine in the middle (or via layer2?)
01:28 < nac909> i just have my computer, my internet router... about 100 miles or 'internet' then my openvpn server on a vps
01:29 < neorosbob> ALL: here are my configs, routing tables and rough notes. Please let me know what else I can provide http://pastebin.com/catiuJez
01:29 < krzee> is there some reason you believe your traffic to not be tunneled?
01:29 < nac909> yes
01:29 < krzee> you can try to hit some of my boxes and i can tell you your ip
01:29 < rjd__> krzee: I might be wrong, but what if it's responses from earlier connections. Those would go out the same way they come in, not via tunnel that is. Right?
01:29 < nac909> i have like a million udp messages in wireshark... all either from my local computer to the openvpn server, or vice versa
01:29 < nac909> ok
01:29 < krzee> rjd__, wrong
01:30 < krzee> new packets would follow the new route
01:30 < nac909> but tcp messages shouldn't be going direct from my computer to other destinations as is shown in wireshark... it should all be udp
01:30 < krzee> there is no caching
01:30 -!- Aakash [~AakashPat@unaffiliated/aakashpatel] has quit [Quit: Aakash]
01:30 < krzee> with something like a socks proxy it would work that way
01:30 < rjd__> krzee: yes, new packets. But (incoming non SYN) packets from old connections would be responsed the same way they come in?
01:30 < nac909> gimmie an address of one of your boxes i'll visit
01:30 < krzee> nope
01:31 < krzee> responses would follow the route given to them in the kernel
01:32 < krzee> open a connection to something then delete your default route, see what happens
01:32 < krzee> or override it with something more specific that does not work
01:32 < neorosbob> vpnHelper, krzee: I have posted my configs http://pastebin.com/catiuJez
01:33 < nac909> its such a huge number of tcp messages, almost one per udp message
01:33 < nac909> what can i connect to
01:35 < krzee> you notice what you said...?
01:36 < krzee> almost 1 per tcp message
01:36 < krzee> lol
01:36 < krzee> you're noticing something ;]
01:36 < nac909> well i just looked visually it looks like 1:1
01:36 < krzee> you're seeing the same traffic 2x
01:36 < krzee> once when you make it, again when you see it go out of the tunnel
01:37 < nac909> so someone in the middle monitorring me would only see the udp not the tcp?
01:37 < nac909> cuz the tcp ones give destination ip's 
01:37 < krzee> right
01:37 < nac909> like websites etc
01:37 < nac909> ahh ok
01:37 < krzee> a vpn is like a secure cable of udp between endpoints
01:37 < nac909> so its normal thing? its the wireless NIC i was monitoring
01:38 < nac909> i guess not many people bothered to wireshark themeslves before
01:38 < krzee> i dont use windows
01:38 < krzee> i know what to expect from tcpdump... but not wireshark
01:38 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 265 seconds]
01:39 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
01:40 < krzee> ok rjd__ 
01:40 < nac909> ty, dont tell police i tried log into your server
01:40 < nac909> ;)
01:40 < krzee> is the client the router for its lan?
01:40 < krzee> heh
01:42 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
01:49 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
01:50 < krzee> if the client is not the router for its lan, you will need to add a route to the server lan on the router, which lists the server lan ip as the gateway
01:52 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:55 < rjd__> krzee: a quick test shows that related and established sessions continue over the old default route, after connecting to a vpn (and getting a new default route)
01:55 < krzee> ahh, i stand corrected then, not what i expected
01:57 < rjd__> or atleast established, but I would assume related too
01:57 < krzee> i still believe he was seeing his own traffic tho
01:57 < krzee> encrypted i mean
01:59 < rjd__> why would he have his lan address as source then?
02:00 < rjd__> Im not saying you're incorrect, I just didn't fully understand why one would see tcp packets where src and dest host can be his lan ip
02:00 < krzee> you run windows?  what does wireshark show you?
02:01 < rjd__> me? Im not the one experiencing it :)
02:01 < krzee> =]
02:01 < krzee> anyways, lets get yours working
02:02 < rjd__> Mine is working
02:02 < rjd__> Thanks anyway
02:02 < krzee> oh i thought you had a machine on the server lan that couldnt connect with the client lan
02:02 < rjd__> No, that would be neorosbob 
02:02 < rjd__> neorosbob: still here?
02:03 < krzee> my mistake, im also working on something in another window
02:03 < neorosbob> rjd_ : yes sir!
02:03 < krzee> and pretty wasted =]
02:04 < krzee> neorosbob, 
02:04 < krzee> [03:50]  <krzee> if the client is not the router for its lan, you will need to add a route to the server lan on the router, which lists the server lan ip as the gateway
02:04 < krzee> i sent that @ him before by accident
02:04 < neorosbob> krzee: correct. Did you by chance review my configs and routes on pastebin? http://pastebin.com/catiuJez
02:04 < krzee> add the route on the client lan's router i mean
02:05 < krzee> for the server lan, like you did for the vpn
02:05 < krzee> or
02:05 < krzee> on computer 3
02:06 < neorosbob> krzee:, that's what I'm not understanding. I do have that route in there, as refelected here http://pastebin.com/catiuJez, but I must still be overlooking something. I still can't ping from client LAN to server LAN 3rd server
02:06 < krzee> give a route to 10.179.0.0 255.255.0.0
02:06 -!- dazo_afk is now known as dazo
02:06 < krzee> the gateway should be the lan ip of its local vpn node
02:06 < neorosbob> krzee: 10.179.204.208 right?
02:06 < krzee> oh wait
02:07 < krzee> what subnet is client lan
02:07 < neorosbob> 172.21.130.0/24
02:08 < krzee> what lan ip is the server
02:08 < neorosbob> 10.179.0.0/16
02:09 < krzee> ip not subnet
02:09 -!- WinstonSmith [~true@e177088120.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
02:10 < neorosbob> oh, sorry, 10.179.104.108
02:10 < krzee> ip forwarding is enabled on the server?
02:11 < neorosbob> root@gateway:/etc/openvpn# cat  /proc/sys/net/ipv4/ip_forward
02:11 < neorosbob> 1
02:11 < rjd__> neorosbob: iptables rules for FORWARD chain is?
02:12 < neorosbob> disabled for eth1 (Server LAN Subnet) on both server and 3rd host
02:12 < krzee> ahh
02:13 < rjd__> you need to forward it using iptables
02:13 < krzee> rjd__, you called it
02:13 < rjd__> :)
02:13 < rjd__> I think I pointed this out an hour ago :)
02:14 -!- shai__ [~shai__@212.117.158.222] has joined #openvpn
02:14 < krzee> i was just looking for the timestamp
02:14 < krzee> lol
02:14 < neorosbob> how do you mean? I have the firewall set to pass all packets on the LAN subnet. No blocking. And it logs all blocked packets to /var/log/syslog and there are no blocked packets recorded on either the server or the host. I can ping freely between server and 3rd host and VPN Client lan and server
02:14 < krzee> yup, hour
02:14 < neorosbob> I'm sorry I'm not catching it. 
02:15 < krzee> neorosbob, can you ping the vpn ip of the server from the 3rd machine?
02:15 < neorosbob> LAN IP right?
02:15 < rjd__> neorosbob: so the vpn client is the default gateway of your remote location, and you're trying to ping from clients on the LAN behind that gateway?
02:15 < krzee> no, vpn ip
02:16 < rjd__> neorosbob: in order for clients behind the vpn client machine to be able to communicate with stuff behind the vpn server, you need iroutes in the ccd I think. Do you have that?
02:16 < shai__> Hi :) Can I have my main office and remote office both have site-to-site vpn and then have each openvpn server on each site allow clients to connect to it as well? In other words, have openvpn act in two different setups?
02:17 < krzee> rjd__, that is for lan behind client
02:17 < krzee> !iroute
02:17 <@vpnHelper> "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
02:17 < neorosbob> rjd_: correct, I can ping from the client LAN to the server LAN IP at 10.179.104.108 and I can ping from the server LAN to the 3rd host lan at 10.179.98.73
02:17 < rjd__> krzee: that's what I understood he is trying to do ;)
02:17 < krzee> 3rd host is behind server
02:17 < rjd__> I know krzee 
02:17 -!- WinstonSmith [~true@e177088120.adsl.alicedsl.de] has joined #openvpn
02:17 < neorosbob> and I can ping from the 3rd host LAN back to the server LAN IP 10.179.98.73 -> 10.179.104.108
02:18 < krzee> cool you got it
02:18 < rjd__> neorosbob: ccd client file contains what? can I see iptables rules for filter table on vpn server too?
02:18 < neorosbob> krzee: correct, 3rd host is behind server
02:18 < neorosbob> rjd_: sure, one sec
02:19 < rjd__> if it's not a forward rule, it's a missing iroute in ccd file I suspect..
02:19 < neorosbob> root@gateway:/etc/openvpn# cat /etc/openvpn/client-configs/clientcertcommonname.com 
02:19 < neorosbob> iroute 172.21.130.0 255.255.255.0
02:19 < rjd__> and 172.21.130.0 was what again? :>
02:19 < rjd__> client lan
02:19 < rjd__> ok
02:20 < rjd__> so that is correct
02:20 < neorosbob> root@gateway:/etc/openvpn# csf -l
02:20 < neorosbob> Chain INPUT (policy DROP 0 packets, 0 bytes)
02:20 < neorosbob> num   pkts bytes target     prot opt in     out     source               destination         
02:20 < neorosbob> 1       74  6216 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
02:20 < neorosbob> 2       23  5849 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
02:20 < neorosbob> 3     9615 2220K LOCALINPUT  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0   
02:20 < neorosbob> sorry, should have pastbin'd that
02:20 < krzee> can server3 ping the VPN ip of the vpn server?
02:20 < rjd__> krzee: I think yes
02:20 < krzee> he mentioned the lan ip only
02:21 < rjd__> neorosbob: thats INPUT chain, paste FORWARD chain at pastebin
02:21 < neorosbob> krzee: you mean the VPN subnet 172.21.135.0? so the VPN server IP is 172.21.135.1, which, from the 3rd host I can not ping
02:21 < rjd__> oh
02:21 < krzee> so forwarding is not working
02:21 < rjd__> FORWARD rule! :)
02:21 < krzee> you found it
02:21 < neorosbob> AH! Chain FORWARD (policy DROP 50 packets, 3944 bytes)
02:21 < neorosbob> num   pkts bytes target     prot opt in     out     source               destination         
02:22 < neorosbob> nada
02:22 < rjd__> default policy drop
02:22 -!- ucekpolish [user@hq.ostc-pl.com] has joined #openvpn
02:22 < rjd__> so iptables -A FORWARD -i tun+ -o eth1 -j ACCEPT
02:22 -!- WinstonSmith [~true@e177088120.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
02:22 < rjd__> and -i eth1 -o tun+ -j ACCEPT
02:22 < rjd__> or simply allow any if you dare ;)
02:22 < neorosbob> sweet, one sec. Let me go get caffein an test. give me 2 min
02:23 < krzee> [03:13]  <rjd__> krzee: I think that neither his client nor his vpn server neighbour can ping each other, but both can ping vpn servers public ip, so this leads me to believe he does not forward/route packets on vpn server
02:23 < krzee> sorry i slowed that one down
02:23 < rjd__> :o
02:23 < krzee> didnt understand the reasoning, but you had the right cause!
02:24 < rjd__> Perhaps a lucky shot ;)
02:27 < neorosbob> rjd_: so I have on the server now
02:27 < neorosbob> sorry, one sec. Let me double check my ish here
02:28 < shai__> Hi :) Can I have my main office and remote office both have site-to-site vpn and then have each openvpn server on each site allow clients to connect to it as well? In other words, have openvpn act in two different setups?
02:28 < shai__> Thing is .. I'm assuming the remote site is just another client .. right?
02:29 < shai__> And also, I am going to use plugin /usr/lib/openvpn/openvpn-auth-pam.so to have each client authenticate using a user/password
02:29 < neorosbob> rjd_: Ok so on server, iptables
02:29 < neorosbob> Chain FORWARD (policy DROP)
02:29 < neorosbob> target     prot opt source               destination         
02:29 < neorosbob> ACCEPT     all  --  anywhere             anywhere 
02:29 < neorosbob> this is after running 'iptables -A FORWARD -i tun+ -o eth1 -j ACCEPT'
02:29 < shai__> And for the only client I don't want .. is the remote site ...
02:29 < shai__> It should not need to authenticate as the other clients do ...
02:30 < neorosbob> I still can not ping from 3rd host to client LAN IP
02:31 -!- nhak [~nhak@nat-wh.rz.uni-karlsruhe.de] has joined #openvpn
02:31 -!- nhak [~nhak@nat-wh.rz.uni-karlsruhe.de] has quit [Changing host]
02:31 -!- nhak [~nhak@unaffiliated/nhak] has joined #openvpn
02:33 < neorosbob> rjd_, krzee you still there?
02:35 < krzee> can you ping the vpn ip from it now?
02:35 < krzee> of the server
02:35 < neorosbob> from the 3rd host?
02:36 < krzee> shai__, you can do either
02:36 < krzee> but yes, you can run multiple vpn instances
02:36 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
02:37 < krzee> neorosbob, you will know you fixed the forwarding issue on the server when machine3 can ping the vpn ip of the server
02:37 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn
02:37 < rjd__> neorosbob: so you say adding the rule had no affect on the iptables rules?
02:38 < rjd__> neorosbob: iptables-save > somefile instead, and pastebin that
02:38 < neorosbob> no, in fact I just tested by shutting down the firewall altogether on the server and I still can not ping from 3rd host to client lan
02:38 < krzee> neorosbob, stop testing that!!!
02:39 < neorosbob> krzee: can you point me somewhere else?
02:39 < krzee> from machine3, ping the vpn ip of the server
02:39 < neorosbob> does not ping
02:39 < neorosbob> I said that already
02:39 < krzee> then there is no reason to test the client lan
02:40 < krzee> you still need help with your firewall
02:40 < neorosbob> that's what I though as well
02:40 < neorosbob> but unfortunaetly I can not see past the problem to get the packets to flow
02:40 < krzee> [04:38]  <rjd__> neorosbob: iptables-save > somefile instead, and pastebin that
02:40 -!- nhak [~nhak@unaffiliated/nhak] has quit [Ping timeout: 276 seconds]
02:40 < neorosbob> as I said, I shutdown the firewall on the vpn server and it made no difference
02:40 < krzee> and until you can ping the vpn ip of the server, dont bother testing anything else
02:41 < neorosbob> http://pastebin.com/jPLTBpwP
02:42 < neorosbob> sorry, one sec, here a new one with the forward rule
02:43 < neorosbob> krzee: http://pastebin.com/LpeHzBFe
02:44 < neorosbob> still can not ping 172.21.135.1 from 3rd host
02:44 < krzee> you wanna send that @ rjd__ =]
02:45 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
02:46 < neorosbob> I added the forward rule to server IPTABLES per rjd_ 'iptables -A FORWARD -i tun+ -o eth1 -j ACCEPT'
02:46 < neorosbob> for grins I also tried 'iptables -A FORWARD -i eth1 -o tun+ -j ACCEPT'
02:46 < neorosbob> no effect
02:46 < neorosbob> no can pingy
02:47 < neorosbob> krzee: per my pastebin is line 46. what you expect to see for iptables -> -A FORWARD -i tun+ -o eth1 -j ACCEPT
02:48 < rjd__> neorosbob: edit FORWARD DROP to FORWARD ACCEPT to the ipt save, and reload it using iptables-restore < thefile
02:48 < rjd__> then pastebin, then try :)
02:49 < rjd__> neorosbob: stupid question, but you do use tun and not tap? :)
02:49 < neorosbob> yes tun on both sides
02:50 < rjd__> you are using some iptables script/program to generate the rules for you?
02:50 < rjd__> is it possible that it monitor changes in the ruleset that is not in it's config, and upon changes reloads it config?
02:52 < neorosbob> rjd: yes I am using config server firewall but for the time being I am running the iptables commands directly to effect the chains. Restarting csf flushes the rules back to a default set.
02:53 < rjd__> neorosbob: edit FORWARD DROP to FORWARD ACCEPT to the ipt save, and reload it using iptables-restore < thefile
02:54 < neorosbob> the one thing I don't understand is that if I shut down the firewall on the server altogether it has zero (none) effect. Which makes me wonder why forward rules on the firewall would effect it if when I remove the firewall from the equation I still can't ping. I still  thing it's routing tables myself
02:54 < neorosbob> rjd_: one sec. coming right up
02:55 < neorosbob> rjd_ done, here's what I did
02:56 < neorosbob> top of the file I have ':FORWARD ACCEPT [0:0]'
02:56 < neorosbob> I also have
02:56 < neorosbob> -A FORWARD -i tun+ -o eth1 -j ACCEPT 
02:56 < neorosbob> -A FORWARD -i tun+ -j ACCEPT 
02:56 < neorosbob> -A FORWARD -o tun0 -j ACCEPT 
02:56 < neorosbob> down a ways
02:57 < neorosbob> and this is on VPN server just to be clear
02:57 -!- ucekpolish [user@hq.ostc-pl.com] has quit [Quit: Leaving.]
02:58 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
03:00 -!- singe [~singe@luxurybus.sensepost.com] has joined #openvpn
03:01 < singe> Hello. We've got a client insisting that there are risks to using UDP for OpenVPN. About to phone them, but wanted to be informed. Is there any additional benefit of using TCP? I don't see why there would be.
03:02 < krzee> actually, the opposite
03:02 < krzee> !tcp
03:02 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
03:02 -!- neorosbob [~Adium@75-145-116-141-Colorado.hfc.comcastbusiness.net] has quit [Ping timeout: 245 seconds]
03:02 < singe> krzee: ta muchly
03:02 < krzee> link in #1 can be found in the manual under --proto
03:02 < krzee> in case you want to use that to show it to him
03:04 < singe> krzee: perfect. thanks again
03:04 < krzee> np
03:11 -!- neorosbob [~Adium@c-75-71-24-202.hsd1.co.comcast.net] has joined #openvpn
03:11 < neorosbob> rjd: you still there?
03:12 < rjd__> yes
03:12 < rjd__> status?
03:12 < neorosbob> sorry I had to relocate
03:12 < neorosbob> I did as you said and still can't ping. I also tried shutting the firewall down on the server and still can't ping from 3rd host to client lan
03:16 < neorosbob> rjd: anything else you can think that I can test?
03:16 -!- mape2k [~jabber@galatea.net.pennewiss.de] has joined #openvpn
03:20 < rjd__> neorosbob: after you changed the forward rule (by re-reading the iptables save), did you confirm it was applied (with iptables -L -n -v for example)?
03:21 < singe> bye bye
03:21 -!- singe [~singe@luxurybus.sensepost.com] has left #openvpn []
03:22 < krzee> "and still can't ping from 3rd host to client lan"
03:22 < krzee> [04:40]  <krzee> and until you can ping the vpn ip of the server, dont bother testing anything else
03:22 < neorosbob> rjd_: I show :FORWARD ACCEPT [0:0]
03:22 < neorosbob> and
03:22 < neorosbob> -A FORWARD -i tun+ -o eth1 -j ACCEPT 
03:22 < neorosbob> -A FORWARD -i tun+ -j ACCEPT 
03:22 < neorosbob> -A FORWARD -o tun0 -j ACCEPT 
03:24 < neorosbob> krzee: yes I understand. I am only trying to ping the VPN LAN IP
03:24 < neorosbob> and it doesn't work
03:24 < neorosbob> do you have any further suggestions?
03:25 < rjd__> neorosbob: iptables -L -v -n, do you see hits on the FORWARD rules?
03:26 < neorosbob> I am quite clear on the fact that I must be overlooking something. I need help identifying what that is. I understand routing enough to know that if I can't ping the VPN gateway it won't go to the client LAN. I am not debating that. I am simply trying to understand how to get packets from the 3rd host the the VPN subnet
03:26 < neorosbob> rjd_: I see the folling for forward rules from your command ' iptables -L -v -n'
03:26 < neorosbob> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
03:26 < neorosbob>  pkts bytes target     prot opt in     out     source               destination         
03:26 < neorosbob>     0     0 ACCEPT     all  --  tun+   eth1    0.0.0.0/0            0.0.0.0/0           
03:26 < neorosbob>     0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
03:26 < neorosbob>     0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0  
03:27 < rjd__> ok, no matching hits
03:27 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: Different networks, DNS-Server does not work :: Author Kampfzivi <https://forums.openvpn.net/viewtopic.php?f=15&t=7378&p=8669#p8669>
03:27 < neorosbob> rjd_: I'm afraid we're gettiing out of my expertise. Do you see what I need to adjust?
03:28 < neorosbob> rjd_: also, I still don't understand why I can shutdown the VPN server firewall with no effect
03:28 < neorosbob> rjd_: With no firewall running doesn't ip forwarding happen un-impeded? 
03:34 < rjd__> not as you have default drop policies
03:34 < rjd__> ok lets try this instead
03:35 < rjd__> you want to ping from a client behind vpn client to a server next to the vpn server, so tcpdump on vpn server to see the matching packet
03:36 < rjd__> tcpdump -i <yourtundevice> host <ip_of_actual_client_behind_vpn-client_that_pings>
03:38 < neorosbob> rjd_: ok, one sec
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 265 seconds]
03:42 -!- skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 276 seconds]
03:44 < neorosbob> rjd_: tcpdump shows this
03:44 < neorosbob> 09:43:40.927537 IP 172.21.130.10 > 10.179.98.73: ICMP echo request, id 62484, seq 1, length 64
03:44 < neorosbob> when I ping from client LAN host 172.21.130.10 to server lan host 10.179.98.73
03:44 < neorosbob> I get no response on ping
03:45 < neorosbob> odly when I ping the vpn server LAN IP I get nothing from tcpdump but I get pings back
03:47 -!- ilovegrolsc [ilovegrols@82-168-191-228.ip.telfort.nl] has joined #openvpn
03:47 -!- nac909 [~daniell@vps1098.directvps.nl] has quit [Read error: Connection reset by peer]
03:47 -!- master_of_master [~master_of@p57B52D5E.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
03:48 < rjd__> neorosbob: now tcpdump on the lan interface of the vpn server and repeat the icmp ping
03:49 < neorosbob> rjd_: sorry that's what I ran it on first was the LAN interface of the VPN server
03:49 < neorosbob> I also just test on the LAN interface of the 3rd host on the VPN server LAN
03:49 -!- master_of_master [~master_of@p57B55B51.dip.t-dialin.net] has joined #openvpn
03:49 < neorosbob> no packets reported on the 3rd host, only on the VPN server LAN
03:49 < rjd__> ok, then thats why you didnt see the pings to the vpn servers vpn ip, because it never traverses the physical ethernet card but responds internally
03:50 < rjd__> on 10.179.98.73, tcpdump the interface to see the incoming icmp request from 172.21.130.10
03:50 < neorosbob> I did, nothing shows
03:51 < neorosbob> oh, wait. I let it run a sec this time and I saw some arps
03:51 < neorosbob> 09:52:57.246096 ARP, Request who-has 10.179.98.73 tell 10.179.104.108, length 46
03:51 < neorosbob> 09:52:57.246125 ARP, Reply 10.179.98.73 is-at 40:40:74:65:d5:b9 (oui Unknown), length 28
03:51 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:52 < rjd__> to summarize, on the lan itnerface of vpn server, you can see the icmp echo-request from the client (behind the vpn client), but not on the interface of the '3rd server'
03:53 < shai__> Hello :) When trying to run './pkitool --server server' ; I keep getting 'The commonName field needed to be supplied and was missing' ; why would this be?
03:54 < ilovegrolsc> because the commonName field needs to be supplied and is missing
03:54 < shai__> I would have expected output similar to 'Certificate is to be certified until' and 'Write out database with 1 new entries' instead
03:54 < shai__> ilovegrolsc: really?
03:54 -!- skrusty [~skrusty@83.166.176.39] has joined #openvpn
03:54 < ilovegrolsc> yes
03:54 < shai__> How do you figure?
03:54 < ilovegrolsc> u didnt give a common name
03:54 < ilovegrolsc> when u make certificate
03:54 < ilovegrolsc> u must
03:54 < shai__> isn't the latter 'server' the common name?
03:54 < ilovegrolsc> its the only field that u must fill in
03:55 < ilovegrolsc> what platform is openvpn installed on
03:55 < shai__> Where exactly? The pkitool doesn't request me for any input.
03:55 < shai__> I have it on both Ubuntu Lucid 10.04 and Debian (which the latter is the problematic one)
03:55 < shai__> On Ubuntu it went just fine...
03:56 < shai__> On debian it gives me that output
03:56 < ilovegrolsc> are you using easy-rsa scripts to make the crt and keys?
03:56 < shai__> Debian lenny
03:56 < rjd__> neorosbob: if you do the other way, ping server vpn ip from 3rd server, meanwhile tcpdumping on the ethernet interface of vpn server. what do you see?
03:56 < shai__> ilovegrolsc: yes.
03:56 < ilovegrolsc> then you obv didn't fill in the common name when it asked u for one
03:56 < ilovegrolsc> when u make the server crt and key 
03:56 < shai__> ; /etc/openvpn/easy-rsa/pkitool
03:56 < neorosbob> rjd_: yes, what I see when I ping from client LAN IP 172.21.130.10 to Server LAN IP 10.179.98.73 (3rd host) I see on the server tcpdump:
03:56 < neorosbob> 09:54:49.033319 IP 172.21.130.10 > 10.179.98.73: ICMP echo request, id 3349, seq 1, length 64
03:56 < neorosbob> and I see on the 3rd host tcpdump (on host 10.179.98.73:
03:56 < neorosbob> 09:56:35.597609 ARP, Request who-has 10.179.98.73 tell 10.179.104.108, length 46
03:56 < neorosbob> 09:56:35.597645 ARP, Reply 10.179.98.73 is-at 40:40:74:65:d5:b9 (oui Unknown), length 28
03:56 < ilovegrolsc> u need to type server when it asks for a common name
03:57 < ilovegrolsc> u didnt give a common name
03:57 < shai__> hmm....
03:57 < ilovegrolsc> start over
03:57 < neorosbob> rjd_: one sec
03:57 < shai__> I thought I did, with ./build-ca 
03:57 < ilovegrolsc> delete whatever key crt files u made
03:57 < ilovegrolsc> ok
03:57 < ilovegrolsc> u put a common name for that one
03:57 < shai__> Indeed.
03:57 < ilovegrolsc> also again u need for when u make the server one
03:57 < ilovegrolsc> each must be unique
03:57 < shai__> I'll try again ...
03:57 < ilovegrolsc> i call the ./build-ca one something like 'myblahblah'
03:58 < ilovegrolsc> doesnt matter
03:58 < ilovegrolsc> and call the server one 'server'
03:58 < neorosbob> rjd_: when I ping from 3rd host (server lan ip 10.179.98.73) to a host on client lan IP (172.21.130.10) tcpdum on the server shows:
03:58 < neorosbob> 10.179.98.73
03:58 < neorosbob> sorry
03:58 < neorosbob> 09:57:43.679493 ARP, Request who-has 10.179.104.108 tell 10.179.98.73, length 46
03:58 < neorosbob> 09:57:43.679514 ARP, Reply 10.179.104.108 is-at 40:40:c6:ca:d3:08 (oui Unknown), length 28
03:58 < shai__> I just ran the ./build-ca script again, and type 'server' in the commonName field ... and then ran the ./pkitool again ... and with --server server ; and yet it failed again with the same error.
03:59 < ilovegrolsc> no no no no no
03:59 < ilovegrolsc> don't type server as common name when ur making the CA
03:59 < ilovegrolsc> call it anything BUT server
03:59 < ilovegrolsc> any word in the english language but server
03:59 < ilovegrolsc> when u make the build-server server thing
03:59 < rjd__> neorosbob: 3rd host to ip of vpn servers tun device..
03:59 < ilovegrolsc> call it server
03:59  * shai__ runs ./clean-all
04:00 < ilovegrolsc> for your clients, also give a common name
04:00 < ilovegrolsc> use any word in english language except for server or whatever word u chose for the CA's common name
04:00 < shai__> Ok
04:00 < shai__> I gave it the hostname of the server... where it won't be used anywhere else. Is that ok?
04:00 -!- theDoc [~Link@173.236.41.37] has quit [Quit: teehee!]
04:01 < ilovegrolsc> just give it something totally unique
04:01 < ilovegrolsc> like 'ilovecoke'
04:01 < shai__> Done.
04:01 < shai__> I wrote 'readallaboutit'
04:01 < ilovegrolsc> ok now build the server key and crt
04:01 < ilovegrolsc> good
04:01 < neorosbob> rjd_: do you want me to tcpdump on the server while pinging from 3rd host to VPN gateway 172.21.135.1?
04:01 < shai__> And then I ran ./pkitool --server server
04:01 < ilovegrolsc> good
04:01 < shai__> And it still fails.
04:01 < ilovegrolsc> type
04:01 < ilovegrolsc> one second
04:01  * shai__ waiting...
04:02 < shai__> btw: thanks for you time :)
04:02 < ilovegrolsc> are you in the easy-rsa directory
04:02 < shai__> yes
04:02 < ilovegrolsc> for me it is easy-rsa/2.0
04:02 < ilovegrolsc> did you edit the vars file
04:02 < shai__> yes
04:02 < ilovegrolsc> good
04:02 < ilovegrolsc> ok try
04:02 < ilovegrolsc> ./build-key-server server
04:03 < ilovegrolsc> first type . ./vars
04:03 < ilovegrolsc> then ./build-key-server server
04:03 < shai__> Worked.
04:03 < ilovegrolsc> ok
04:03 < ilovegrolsc> for clients
04:03 < shai__> Why did this work and not the pkitool?
04:03 < ilovegrolsc> type ./build-key client1        and ./build-key client2   etc depending how many u like
04:03 < shai__> Is there a chance that there is info in some sort of database that needs to be completely cleaned out?
04:04 < ilovegrolsc> you just have to do it like this... 
04:04 < ilovegrolsc> always first type . ./vars
04:04 < ilovegrolsc> then ./clean-all
04:04 < ilovegrolsc> then ./build-ca
04:04 < shai__> Always does ...
04:04 < ilovegrolsc> then ./build-key-server server
04:04 < shai__> I always source the vars file
04:04 < ilovegrolsc> thats in the offical how-to
04:04 < ilovegrolsc> http://openvpn.net/index.php/open-source/documentation/howto.html
04:04 <@vpnHelper> Title: HOWTO (at openvpn.net)
04:04 < rjd__> neorosbob: correct, because that does not work either?
04:04 < ilovegrolsc> serce that how to for 'Generate the master Certificate Authority'
04:05 < ilovegrolsc> it goes through all the steps with correct commands
04:05 < ilovegrolsc> search*
04:05 < neorosbob> rjd: yes when I tcpdump on the server and ping from 3rd host to the VPN subnet I only see ARPS on the server tecpdump
04:05 < neorosbob> 10:03:14.647451 ARP, Request who-has 10.179.104.108 tell 10.179.98.73, length 46
04:05 < neorosbob> 10:03:14.647467 ARP, Reply 10.179.104.108 is-at 40:40:c6:ca:d3:08 (oui Unknown), length 28
04:05 < shai__> ilovegrolsc: thanks so much for your assist :)
04:06 < ilovegrolsc> your welcome
04:06 < ilovegrolsc> read the how to... lots of good info in there about not just setting up your vpn but also how to secure it
04:07 < shai__> Will do :)
04:07 < shai__> Already on it ...
04:08 < neorosbob> rjd: do I need to revisit the routes on my server? I also have an openvpn access server on another VM on the same subnet as the server. It works like a charm. I'm just wondering what obvious thing is staring me in the face that I can't see
04:08 -!- atan2 [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
04:09 < rjd__> neorosbob: beats me. it's extremely hard to find the reason without having access
04:09 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
04:10 < neorosbob> rjd_: I understand. Thanks so much for your time tonight. 
04:12 < rjd__> neorosbob: check in here and let me know if you fix it
04:12 < rjd__> id like to know the reason
04:12 < neorosbob> will do
04:12 < neorosbob> I will spend some time tomorrow comparing firewall and routing tables between the openvpn acces server and the server in questions
04:13 < neorosbob> thanks again for your time. I greatly appreciate it
04:13 < neorosbob> the access server works so hopefully there's a clue there
04:18 -!- neorosbob [~Adium@c-75-71-24-202.hsd1.co.comcast.net] has quit [Quit: Leaving.]
04:22 -!- noisebleed [~quassel@lula.inescn.pt] has joined #openvpn
04:22 -!- noisebleed [~quassel@lula.inescn.pt] has quit [Changing host]
04:22 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
04:22 -!- common- [~common@p5DDA480F.dip0.t-ipconnect.de] has joined #openvpn
04:26 -!- common [~common@p5DDA4976.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
04:26 -!- common- is now known as common
04:28 -!- le0 [~fin@host86-189-18-254.range86-189.btcentralplus.com] has joined #openvpn
04:28 -!- le0 [~fin@host86-189-18-254.range86-189.btcentralplus.com] has quit [Changing host]
04:28 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
04:36 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
04:37 -!- venom00ut [~venom00@unaffiliated/venom00] has joined #openvpn
04:37 < venom00ut> hello, I'm trying to use openvpn with a socks proxy but I receive the following error:
04:37 < venom00ut> recv_socks_reply: Socks proxy returned bad reply
04:37 < venom00ut> what does this mean?
04:38 < reiffert> you mean other than "socks proxy returned a bad reply"?
04:40 < venom00ut> I want to know if someone else had the same experience, and maybe can help
04:40 < venom00ut> the socks proxy works fine with other applications
04:43 < ilovegrolsc> ummm
04:43 < ilovegrolsc> i did ./revoke-full client2   but the user who is client 2 is still able to connect to the vpn, even after i restart the vpn
04:45 -!- albech [~thomas@124.157.238.185] has joined #openvpn
04:46 < reiffert> !factoids search revocke
04:46 <@vpnHelper> No keys matched that query.
04:46 < reiffert> !factoids search revocke
04:46 <@vpnHelper> No keys matched that query.
04:46 < reiffert> !factoids search revoke
04:46 <@vpnHelper> No keys matched that query.
04:46 < reiffert> !factoids --values search revoke
04:46 < reiffert> !factoids search --values revoke
04:46 <@vpnHelper> "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that
04:46 <@vpnHelper> will create the CRL file for you. ssl-admin will also build a crl for you
04:47 < albech> in the server.conf file when working with bridges.. i am a little confused about the first option of the server-bridge value. Is that the ip number of the openvpn server or the gateway that should be defined there?
04:48 < albech> so according to the example (server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100) would 10.8.0.4 be the gateway or the openvpn ip?
04:48 < ilovegrolsc> yep i looked at crl.pem 
04:48 < ilovegrolsc> somehow he's still connecting...
04:48 < reiffert> ilovegrolsc: you have to tell openvpn that there is a crl.
04:49 < ilovegrolsc> it made the crl when i typed ./revoke-full client2
04:49 < ilovegrolsc> it put it in the key_dir specified in vars file
04:49 < reiffert> ilovegrolsc: you have to tell openvpn that there is a crl.
04:49 < ilovegrolsc> how to do that
04:49 < reiffert> rtfm.
04:49 < ilovegrolsc> crl-verify crl.pem ?
04:49 < reiffert> albech: "the gateway"
04:49 < reiffert> albech: from the manpage:
04:49 < ilovegrolsc> ah ok ok
04:50 < ilovegrolsc> i got it now 
04:50 < reiffert>        --server-bridge gateway netmask pool-start-IP pool-end-IP
04:50 < ilovegrolsc> no need to swear
04:50 < albech> reiffert, ty
04:51 < reiffert> albech: you might wanna read to what --server-bridge expands to.
04:51 < ilovegrolsc> the only problem is
04:51 < ilovegrolsc> when i type
04:51 < ilovegrolsc> crl-verify it says commandn ot found
04:51 < ilovegrolsc> not*
04:52 < ilovegrolsc> oh it goes in server.conf
04:52 < ilovegrolsc> ok
04:52 < ilovegrolsc> got it
04:52 < ilovegrolsc> nothing to see here move along
04:52 <@dazo> ilovegrolsc: it's not --crl-verify ... it's --crl <path to your .crl file>
04:52 <@dazo> and yeah, it's on the server side alone
04:52 < reiffert> dazo: the manpage tells otherwise.
04:53 < ilovegrolsc> if i put the crl.pem in etc/openvpn
04:53 < ilovegrolsc> can i just add crl-verify crl.pem to server.conf
04:53 < ilovegrolsc> without using full path
04:53 <@dazo> reiffert: you're right ... I mixed it
04:54  * dazo got confused by the "crl-verify it says commandn ot found" ... and the script hook called '--tls-verify'
04:55 <@dazo> ilovegrolsc: yes, you can ... but then you need to start the OpenVPN daemon where the relative path will match where the crl file is available anyway
04:55 < ilovegrolsc> ach not i can't connect
04:55 < ilovegrolsc> and i didnt revoke myself
04:56 <@dazo> check your log files ... and it will tell you why .... maybe wrong permissions on the crl file?
04:56 < ilovegrolsc> ok
04:56 < reiffert> guess the openvpn server is not running.
04:58 < albech> i keep having an issue where the default route is set through the tap interface upon connection to the openvpn server, which will route all traffic through the vpn. I only want to route the traffic through the vpn which is destined for the remote location.
04:59 < ilovegrolsc> when i type vim openvpn-status.log i keep getting told there is a swap file
04:59 < ilovegrolsc> how to delete swap?
05:00 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has quit [Ping timeout: 264 seconds]
05:00 < ilovegrolsc> fixed it
05:00 < ilovegrolsc> i had chroot in server.conf
05:01 < ilovegrolsc> commented it out and i can connect
05:01 < ilovegrolsc> i think if u use chroot jail or whatever, u gotta put the crl.pem in jail
05:01 < ilovegrolsc> else can't connect
05:01 < ilovegrolsc> its one of those dependencies
05:02 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn
05:03 < ilovegrolsc> as the how to says: f you are using the chroot directive, make sure to put a copy of the CRL file in the chroot directory, since unlike most other files which OpenVPN reads, the CRL file will be read after the chroot call is executed, not before.
05:04 < ilovegrolsc> the how to really has it all covered
05:04 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
05:11 < albech> looking at my log file it looks like my server is pushing the default route, but i am not telling it to do so. http://pastebin.com/dZt273hr
05:23 < ilovegrolsc> albech where is your openvpn.log file
05:23 < ilovegrolsc> what path
05:24 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
05:24 < albech> its in the /etc/openvpn for now until i move it to /var/log
05:24 -!- adawda is now known as sia^pwnnt
05:24 -!- sia^pwnnt is now known as adawda
05:25 < ilovegrolsc> hmm
05:26 < ilovegrolsc> it gets re-written every like 1 minute right?
05:28 -!- twister004 [~chatzilla@117.204.128.92] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.12/20101026210630]]
05:39 -!- ilovegrolsc [ilovegrols@82-168-191-228.ip.telfort.nl] has left #openvpn []
05:45 -!- venom00ut [~venom00@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
05:46 -!- adawda is now known as sia^pwnnt
05:47 -!- atan2 [~atan@unaffiliated/atan] has quit [Ping timeout: 240 seconds]
05:49 -!- sia^pwnnt is now known as adawda
05:53 -!- venom00ut [~venom00@net-93-70-12-6.cust.dsl.vodafone.it] has joined #openvpn
05:53 -!- venom00ut [~venom00@net-93-70-12-6.cust.dsl.vodafone.it] has quit [Changing host]
05:53 -!- venom00ut [~venom00@unaffiliated/venom00] has joined #openvpn
05:59 -!- adawda is now known as sia^pwnnt
06:01 -!- sia^pwnnt is now known as adawda
06:02 -!- adawda is now known as sia^pwnnt
06:04 -!- sia^pwnnt is now known as adawda
06:05 -!- adawda is now known as sia^pwnnt
06:10 -!- sia^pwnnt is now known as adawda
06:19 -!- adawda is now known as sia^pwnnt
06:20 < zamba> how much overhead is it in an idle vpn connection?
06:20 < zamba> just the icmp packets to keep the connection open?
06:20 -!- sia^pwnnt is now known as adawda
06:23 < rjd__> zamba: I would assume 
06:23 < zamba> ok
06:25 -!- shai__ [~shai__@212.117.158.222] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.12/20101027124711]]
06:27 -!- adawda is now known as sia^pwnnt
06:27 -!- sia^pwnnt is now known as adawda
06:37 -!- luneff [~yury@84.51.199.24] has joined #openvpn
06:42 <@dazo> zamba: yeah, basically that's it ... I haven't measured it .... but it's not much, that's for sure
06:43 -!- adawda is now known as sia^pwnnt
06:43 < zamba> ok, thanks :)
06:43 -!- sia^pwnnt is now known as adawda
06:49 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
06:49 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
06:49 < zamba> no problem running openvpn over a 3g connection, no?
06:51 < hyper_ch> zamba: works fine
06:52 < rjd__> Quite a bit higher Alive values for a 3G, so it does not attempt to recoonect only because of 20-30 seconds without connectivity?
06:52 -!- luneff [~yury@84.51.199.24] has quit [Read error: Connection reset by peer]
06:52 < rjd__> or rather the opposite, ping frequently to keep the connection up`?
06:53 -!- luneff [~yury@84.51.199.24] has joined #openvpn
06:53 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
06:53 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
06:53 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
06:53 < hyper_ch> rjd__: I didn't have to alter anything and it worked fine for me :)
06:53 < hyper_ch> but it might be provider specific for 3g
06:54 < rjd__> I know from when I had 3G and went by train, the connection came and went all the time. ssh sessions etc managed to survive, so I guess one would not like the vpn to try to reconnect even if no packets come through for a short period or so
06:54 < zamba> hyper_ch: what hardware did you use?
06:54 < zamba> hyper_ch: usb modem?
06:55 < hyper_ch> huawei e220 IIRC
07:01 < rjd__> the howto documentation is fantastic!
07:01 -!- ilovegrolsc [~daniell@vps1098.directvps.nl] has joined #openvpn
07:03 -!- ucekpolish [user@94.42.141.162] has joined #openvpn
07:10 -!- mace [~mace@debian/developer/mace] has joined #openvpn
07:11 < mace> i'm having some odd problems with warnings about "Replay-window backtrack occurred" and a load of "Authenticate/Decrypt packet error: bad packet ID (may be a replay)" which follow it
07:12 < mace> i've read the man page and googled etc etc but haven't really found a convincing answer as to whats going on
07:12 < rjd__> mace: any mtu/fragment/mssfix on either side?
07:12 < zamba> hyper_ch: sweet
07:12 < zamba> hyper_ch: connected to a linux router?
07:12 < mace> i see these messages on multiple machines, over various different connections, generally when there's a lot of traffic being pushed
07:13 < mace> rjd__: how'd you mean?
07:13 -!- luneff [~yury@84.51.199.24] has quit [Read error: Connection reset by peer]
07:13 < rjd__> !mtu
07:13 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config, or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
07:13 < rjd__> !fragment
07:13 <@vpnHelper> "fragment" is http://openvpn.net/archive/openvpn-users/2005-01/msg00411.html if getting FRAG_IN error
07:13 < rjd__> !mssfix
07:13 < rjd__> !mss
07:13 < rjd__> :-)
07:13 < mace> ta
07:14  * mace rtfms
07:14 -!- luneff [~yury@84.51.199.24] has joined #openvpn
07:16 < rjd__> mace: I think I saw those errors a few days ago, but I have made so many alterations I cant recall what I concluded 
07:19 < mace> rjd__: i've been seeing them for months, only now have they annoyed me enough to get me to investigate/fix :)
07:20 < rjd__> :)
07:25 < mace> ok well neither fragment nor mssfix appear in either client or server config files
07:25 < mace> and mtu tests suggest that this is working fine too
07:26 < mace> one thing i did notice whilst running tcpdump
07:26 < mace> and transferring a reasonably chunky file via ssh over the vpn
07:26 < mace> the sender is putting out 1445 byte packets
07:27 < mace> i've tested mtu up to 1470 so that much is ok
07:27 < mace> however, the receiver is sending back 93 byte long packets most of the time
07:27 < mace> presumably encapsulated ACKs
07:28 < mace> however when the errors start appearing in the receivers logs, the receiver instead starts sending 101 byte packets
07:28 < mace> then the errors stop again, and its back to 93 byte
07:29 < rjd__> I don't know much enough about the protocols nor openvpn to help you :)
07:29 < rjd__> openvpn udp mode right?
07:29 < mace> aye
07:34 -!- s7r [~s7r@195.242.152.12] has joined #openvpn
07:34 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has joined #openvpn
07:37 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
07:37 -!- venom00ut [~venom00@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
07:42 < hyper_ch> zamba: what do you mean by connected to a linux router?
07:43 < zamba> hyper_ch: how did you connect the huawei?
07:43 < hyper_ch> put it in my netbook
07:43 < zamba> you see.. i'm looking into combining a huawei with openwrt and openvpn
07:43 < hyper_ch> and use the kde network manager
07:43 < hyper_ch> and I also set it up to a debian stable box and dialed out there
07:48 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
07:48 -!- nardul [~kse@212.37.141.188] has joined #openvpn
07:49 < nardul> Hello. Is there any way to not push a route to a specific client?
07:49 < nardul> The network the server pushes already exists on the client. So i'm gonna do something with iptables mangling.
07:50 < nardul> I just need to find a way for the client to ignore the route.
07:50 <@dazo> nardul: --client-config-dir is the closest you can get .... using --push-reset in a specific config for that user and push all the needed stuff from that file
07:50 <@dazo> !ccd'
07:50 <@dazo> !ccd
07:50 <@vpnHelper> "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
07:51 -!- WormFood [~wormfood@183.38.12.231] has quit [Ping timeout: 240 seconds]
07:52 -!- krzee [~k@openvpn/community/support/krzee] has quit [Remote host closed the connection]
07:52 < nardul> dazo: Create, didn't know the --push-reset existed. Checking it out.
07:52 -!- WormFood [~wormfood@183.38.12.231] has joined #openvpn
07:53 < nardul> dazo: Just what i was looking for. Thank you.
07:53 <@dazo> nardul: you're welcome!  happy to help :)
07:58 < albech>  looking at my log file it looks like my server is pushing the default route, but i am not telling it to do so. http://pastebin.com/dZt273hr
08:00 <@dazo> albech: have you checked you client config for redirect gateway stuff? ... and please, re: the config
08:00 <@dazo> !configs
08:00 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
08:00 <@dazo> please notice the grep part ...
08:01 -!- nhak [~nhak@vpn-cl-192-236.scc.kit.edu] has joined #openvpn
08:01 -!- nhak [~nhak@vpn-cl-192-236.scc.kit.edu] has quit [Changing host]
08:01 -!- nhak [~nhak@unaffiliated/nhak] has joined #openvpn
08:04 < albech> dazo, sorry the previous pastebin was rather long: http://pastebin.com/ir9KAW2W
08:05 <@dazo> albech: have a look at the man page for --server-bridge .... you'll find your answer there for sure ;-)
08:05 < albech> dazo,  and I have checked that openvpn is not started with some additional push gateway flags
08:09 < albech> dazo, you sound rather cryptic here.. am i missing something obvious? just looked at the man pags ;)
08:10 <@dazo>  If --server-bridge is  used  without  any  parameters,  it ......  The optional nogw flag (advanced) indicates that  gateway  information  should  not  be pushed to the client ....
08:11 <@dazo> (that's straight out of the second paragraph of the --server-bridge description)
08:13 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
08:14 < albech> dazo, sorry is that option available in OpenVPN 2.0.9 which CentOS ships with
08:14 <@dazo> albech: to give you a further clue ... you probably cannot use --server-bridge directly ... you you'll need to do the first example a little bit lower down, and just skip the --push statement
08:15 <@dazo> albech: please don't use 2.0.9 
08:15 <@dazo> !epel5
08:15 <@vpnHelper> "epel5" is Please use the EPEL repository when installing OpenVPN on RHEL/CentOS: http://fedoraproject.org/wiki/EPEL/FAQ#How_can_I_install_the_packages_from_the_EPEL_software_repository.3F
08:15 <@dazo> that will give you 2.1.x something
08:17 -!- nhak [~nhak@unaffiliated/nhak] has left #openvpn []
08:20 -!- luneff [~yury@84.51.199.24] has quit [Quit: Leaving]
08:21 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has quit [Ping timeout: 240 seconds]
08:21 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
08:22 -!- takamichi [~pri@194.126.175.219] has joined #openvpn
08:27 < rjd__> !mtu
08:27 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config, or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
08:29  * mace looks
08:29 < rjd__> oh, I just didnt remembered if it was --mtu-test or not ;)
08:29 < rjd__> answering a question regarding openvpn at serverfault
08:30 < albech> dazo, now the nogw option showed up in the man pages.. makes a lot more sense now :)
08:30 <@dazo> \o/
08:30 < albech> dazo, sorry for the confusion
08:30 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Quit: I am off]
08:30 <@dazo> no worries :)  we just take for granted people here run the latest stable versions ;-)
08:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
08:31 < albech> yeah i guess thats the curse of CentOS :(
08:33 < rjd__> albech: it's also a very good thing, considering the opposite :)
08:33 < rjd__> ie have no one verify stability :)
08:34 < albech> rjd__, true
08:38 -!- nardul [~kse@212.37.141.188] has quit [Quit: leaving]
08:42 -!- Meliorator [m@dunnington.eu] has quit [Excess Flood]
08:42 < albech> im not really sure i like the nogw option, the fact that i could specify an ip-range for vpn clients was nice and it does not seem possible when using the nogw or am i wrong?
08:43 -!- Meliorator [m@dunnington.eu] has joined #openvpn
08:43 -!- Meliorator [m@dunnington.eu] has quit [Max SendQ exceeded]
08:44 -!- Meliorator [m@dunnington.eu] has joined #openvpn
08:46 -!- Meliorator [m@dunnington.eu] has quit [Excess Flood]
08:47 -!- Meliorator [m@dunnington.eu] has joined #openvpn
08:47 -!- Meliorator [m@dunnington.eu] has quit [Max SendQ exceeded]
08:48 -!- Meliorator [m@dunnington.eu] has joined #openvpn
08:52 < ecrist> that's a good sign.
08:53 < ecrist> albech: depends on your layout
09:01 -!- Zerk [~dracon@boxcars.triplecrowncasinos.com] has quit []
09:02 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
09:24 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 240 seconds]
09:39 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has quit [Read error: Operation timed out]
09:40 -!- albech [~thomas@124.157.238.185] has quit [Ping timeout: 260 seconds]
09:43 -!- albech [~thomas@119.42.79.161] has joined #openvpn
09:46 -!- neorosbob [~Adium@166.205.12.143] has joined #openvpn
09:47 -!- Sky[xx] [~SkyB0x@212.235.177.25] has joined #openvpn
09:48 -!- neorosbob [~Adium@166.205.12.143] has quit [Client Quit]
09:50 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
09:52 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
09:53 -!- Sky[xx] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
09:54 -!- kwame_ZzZzZzZzZ is now known as kwame
09:55 < albech> ecrist, im not sure i understand what you mean
09:55 < ecrist> different options for openvpn are only good for specific setups
09:56 < ecrist> nogw may not be useful to you, but there are others that find it useful
09:56 < albech> all i really want to do is allow traffic destined to one network to be bridged and everything else go through the default route on the client side
09:56 < ecrist> then you don't need to push a gateway
09:57 < albech> ecrist, which im trying *not* to do :)
09:57 < ecrist> openvpn, if you use server-bridge doesn't push a gateway
09:57 <@dazo> albech: server-bridge <gw> <netmask> <pool-start> <pool-end> is basically a macro, which expands to --mode server, --tls-server, --ifconfig-pool <pool-start> <pool-end> <netmask>, --push "route-gateway <gw>"
09:58 <@dazo> while server-bridge nogw just expands to --mode-server and --tls-server
09:59 <@dazo> ecrist: --server-bridge initiate a --push, in some cases
09:59 < albech> dazo, i see.. let me try something then
09:59 <@dazo> albech: try doing the same as the macro expansion, without the --push ;-)
10:00 < albech> dazo, what i was about to do ;)
10:00 < albech> that reply made so much more sense than the man page... thanks dazo
10:01 -!- s7r [~s7r@195.242.152.12] has left #openvpn []
10:01 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 260 seconds]
10:02 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
10:04 < |Mike|> adawda: client broken?
10:10 < albech> can we agree that this should not set any default route on the client? http://pastebin.com/Jurwsmvz
10:11 <@dazo> albech: if you restart your server with this config, yes, then I'm inclined to claim so :)
10:13 < albech> dazo, it still sets the default route to the through the tunnel for some reason
10:14 < ecrist> !configs
10:14 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
10:14 <@dazo> albech: okay ... think through things now ... you are bridging you your internal network with the tap0 interface ... your client sends out an DHCPDISCOVERY request ... will it get an answer?
10:15 <@dazo> from a DHCP server on the network which is *not* the OpenVPN server?
10:15 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
10:18 < albech> dazo, so you are asking if the client will get an ip from a dhcp server on the server network that is not the openvpn server? is that correct?
10:18 <@dazo> albech: correct ... as you are doing bridging, your tap0 based network is initially the same network as your internal net
10:19 < albech> dazo, in that case it the answer is yes.. it may be getting a reply from the dhcp server on the openvpn server network
10:19 <@dazo> albech: doing some tcpdump on the tap0 interface might reveal that
10:20 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 240 seconds]
10:21 < albech> dazo, i see your point that this 'new default route' is a response from the dhcp server on the server side network.
10:21 < mace> is there a windows 7 64 bit client/tap driver thats known to work?
10:32 < albech> dazo, hmm my problem just became a lot more complicated :) guess i need to split up the two networks or use a route setup instead of a bridge setup
10:33 <@dazo> albech: you can also use ebtables to filter DHCP requests, if you really want it properly bridged
10:41 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
10:48 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
10:50 -!- kwame is now known as kwame_home
11:01 -!- dazo is now known as dazo_afk
11:05 -!- APTX [~APTX@phpBB/developer/APTX] has joined #openvpn
11:12 -!- takamichi [~pri@194.126.175.219] has quit [Ping timeout: 245 seconds]
11:12 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has joined #openvpn
11:17 -!- neorosbob [~Adium@74-92-220-242-Colorado.hfc.comcastbusiness.net] has joined #openvpn
11:22 -!- neorosbob [~Adium@74-92-220-242-Colorado.hfc.comcastbusiness.net] has quit [Ping timeout: 245 seconds]
11:23 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
11:26 -!- ilovegrolsc [~daniell@vps1098.directvps.nl] has left #openvpn []
11:34 -!- neorosbob [~Adium@74-92-220-244-Colorado.hfc.comcastbusiness.net] has joined #openvpn
11:43 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
11:47 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds]
11:52 -!- mant1s [mant1s@unaffiliated/mant1s] has joined #openvpn
11:53 < albech> dazo_afk, thanks for suggesting ebtables.. will research that some.
11:53 -!- albech [~thomas@119.42.79.161] has quit [Quit: Ex-Chat]
11:53 -!- Aakash [~AakashPat@67.77.57.129] has joined #openvpn
11:53 -!- Aakash [~AakashPat@67.77.57.129] has quit [Changing host]
11:53 -!- Aakash [~AakashPat@unaffiliated/aakashpatel] has joined #openvpn
11:55 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
11:56 < atan2> My server looks like this: http://pastie.org/1362615 my client: http://pastie.org/1362621 but when I connect I can not browse websites. sysctl.conf has forwarding enabled, and I've run iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
11:56 < atan2> I swear this worked for me once before. Not sure where I went wrong.
11:57 < atan2> It connects up and gets an IP address, but websites can not  be browsed.
11:57 < Bushmills> !ipforward
11:57 <@vpnHelper> "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
11:58 < atan2> !linipforward
11:58 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
11:58 < atan2> I have done this =)
11:58 < Bushmills> do a traceroute on client
11:58 < Bushmills> or mtr
11:59 < atan2> Okay. One sec while I connect up. IRC might drop not usre. One sec.
11:59 < atan2> Nice. Unable to resolve target system name google.co.uk.
12:00 -!- dazo_afk is now known as dazo
12:00 < Bushmills> put a public name server into resolv.conf.  for example, 8.8.8.8
12:04 < atan2> is 8.8.8.8 a valid server?
12:04 < Bushmills> yes
12:05 < rjd__> atan2: iptables -A FORWARD rule that accepts the traffic too?
12:06 <@dazo> $ host 8.8.8.8
12:06 <@dazo> 8.8.8.8.in-addr.arpa domain name pointer google-public-dns-a.google.com.
12:06  * dazo wonders how much google paid for that IP address :)
12:07 < atan2> Okay so I added the new DNS to resolv.conf, server resolved fine but not connected clients
12:07 -!- atan3 [~atan@unaffiliated/atan] has joined #openvpn
12:07 < atan2> err
12:07 -!- atan2 [~atan@unaffiliated/atan] has quit [Quit: null]
12:07 -!- atan3 [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
12:08 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
12:08 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
12:08 < atan2> sorry about that. Someone was saying accept all traffic?
12:08 < Bushmills> FORWARD policy ACCEPT will do
12:08 < Bushmills> (which is the default)
12:09 <@dazo> unless you have a DROP/REJECT at the bottom which triggers instead
12:10 < Bushmills> in that case,
12:10 < Bushmills> !firewall
12:10 <@vpnHelper> "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
12:10 < atan2> Okay still can't resolve
12:10 < atan2> Do I need to push some rule about using DNS?
12:11 < Bushmills> won't help if manually editing doesn't help
12:11 < atan2> Well I edited the resolv.conf
12:11 < Bushmills> traceroute an ip address, rather than a hostname
12:11 < atan2> ok =)
12:11 < Bushmills> for example, 8.8.8.8
12:11 < atan2> Err, nope. That does not fly. =)
12:12 < atan2> Can not tracert an ip =|
12:12 < Bushmills> i don't know that error message
12:12 < Bushmills> tracert?  windows?
12:12 < atan2> Sorry, yes. The client is on Windows 7.
12:12 < Bushmills> !winroute
12:12 <@vpnHelper> "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
12:13 < atan2> I do swear this once worked before. The problem was something with forwrding on the server.
12:14 < Bushmills> !redirect
12:14 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:14 -!- skrusty [~skrusty@83.166.176.39] has quit [Read error: Operation timed out]
12:14 < rjd__> atan2: did you exec openvpn as administrator, so that a route was set?
12:14 < Bushmills> !firewall
12:14 <@vpnHelper> "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
12:14 -!- skrusty [~skrusty@83.166.176.39] has joined #openvpn
12:14 < rjd__> oh, !winroute suggested that :>
12:14 < atan2> My user is running as administrator. openvpn opened on startup. 
12:15 < atan2> But let me close it + run as admin
12:16 < Bushmills> your client config doesn't use any of those suggestions, like route-method.  those are not for decorative purposes only,
12:17 < atan2> I have it run as administrator and it can now tracert 8.8.8.8. Hmm. Interesting. 
12:18 -!- mant1s [mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds]
12:18 < atan2> I have redirect-gateway def1 on the server as "push". I need it in my local config as well?
12:19 < Bushmills> no
12:19 < atan2> We are cooking with gas now. Hmm
12:20 < atan2> I added redirect-gateway def1 to my Windows config and it now redirects traffic
12:20 < atan2> Well, err, it did. whatismyip.com showed me my VPN server IP in my browser.
12:20 < atan2> Now we are back to not working at all. =\ frig
12:21 < Bushmills> "whatismyip.com showed me my VPN server IP" - which is what you'd expect with redirect-gateway 
12:22 < atan2> Yup! But I refreshed 5 or 6 times, and now nothing loads
12:22 < atan2> It only worked for a few seconds before shutting down
12:23 -!- mant1s [mant1s@unaffiliated/mant1s] has joined #openvpn
12:23 < Bushmills> server shut down? not due to openvpn
12:23 < Bushmills> check power supply
12:25 < atan2> Err. Okay it's showing whatismyip.com with the VPN server IP. Perfect. But now if I count to 30
12:25 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
12:25 < neorosbob> Hi all, I'm having either firewall or routing table issues and I can't spot the problem. I have a VPN server that I can connect to. The VPN server can send pings to the client LAN and the client lan can send ping to the vpn servers LAN IP. My problem is I can't get packets to go from my VPN client LAN to the Server LAN. I have ip_forward enabled on the server, as well as ACCEPT in my forward policy in IPTABLES. I also have 
12:25 < atan2> Yup. Now we're back to my local/public IP. No server IP. Hmm.
12:26 < atan2> Let me switch out from my cellular connection to a local one. Sec.
12:26 < krzie> neorosbob, can you ping the VPN ip of the server from machine3 yet?
12:26 < atan2> Oh wait. Crap. if I do that I can't shell to the server.
12:26 < krzie> if not, nothing else matters
12:26 -!- mape2k [~jabber@galatea.net.pennewiss.de] has left #openvpn []
12:26 < Bushmills> !route
12:26 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:27 < Bushmills> neorosbob: ^^^
12:27 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:27 < krzie> Bushmills, he's read it
12:27 < neorosbob> I should also mention a tcpdump on the server and host on server lan show the server ARPS for the host I am pinging and I see the ARP response in the tcpdump of the host I am trying to ping. But ICMP echos ever make it to the host I am pinging. I do see the echos on the server though
12:27 < krzie> Bushmills, its some weird firewall rulesets
12:27 < krzie> neorosbob, answer my question
12:27 -!- Aakash [~AakashPat@unaffiliated/aakashpatel] has quit [Quit: Aakash]
12:27 < neorosbob> Bushmills, yes I have read that, understand it and that is what I have based my configurations off of.
12:28 < neorosbob> krzie: shoot, what's your question?
12:28 < Bushmills> neorosbob: check where communication get stuck
12:28 < krzie> [10:26]  <krzie> neorosbob, can you ping the VPN ip of the server from machine3 yet?
12:28 < Bushmills> tshark / tcpdump are useful aids
12:28 < neorosbob> krzie: no I still can't and I am still searching for someone who can shed some light on that for me
12:29 < neorosbob> tcpdump is how I know the server ARPS for the hosts IP and it's how I know the host responds to the ARP
12:29 -!- atan3 [~atan@unaffiliated/atan] has joined #openvpn
12:29 < Bushmills> thus, follow the back route
12:30 < neorosbob> Bushmills: sorry I don't follow. Probably if I was better with routing and firewalls I would but I require more explination
12:30 < atan3> Okay well something is working here.
12:30 < Bushmills> you say that host responds. see what route those replies take
12:31 < krzie> neorosbob, then PLEASE do what i said last night
12:31 < atan3> I'm on a network which only allows 80+443tcp connects to 6667 so it must be through the VPN
12:31 < atan3> But domains are not resolving
12:31 < krzie> that is, STOP TALKING ABOUT THE CLIENT LAN
12:31 < krzie> in fact STOP TALKING ABOUT ANYTHING EXCEPT THAT EXACT PROBLEM!
12:31 < krzie> lol
12:31 < Bushmills> somewhere on the way back, they're not going to the next hop.  pinpoint that machine.
12:31 < neorosbob> krzie: I'm on board
12:31 < neorosbob> from the server, here's what the ARPS show
12:31 < neorosbob> 18:18:21.293170 ARP, Request who-has 10.179.98.73 tell 10.179.104.108, length 28
12:31 < neorosbob> 18:18:21.293800 ARP, Reply 10.179.98.73 is-at 40:40:74:65:d5:b9 (oui Unknown), length 46
12:31 < krzie> Bushmills, we found his problem last night
12:31 < krzie> his server is not ip forwarding
12:31 < krzie> its something in his firewall
12:31 < Bushmills> "found" as in "solved"?
12:31 < krzie> (iptables)
12:32 < neorosbob> krzie: the firewall is shutdown
12:32 < Bushmills> or "found" as in "located but not fixed yet"?
12:32 < krzie> neorosbob, thats part of the problem then
12:32 < krzie> Bushmills, the second one
12:32 < neorosbob> and
12:32 < neorosbob> root@gateway:~# cat /proc/sys/net/ipv4/ip_forward 
12:32 < neorosbob> 1
12:32 < krzie> his server lan machine cant ping the vpn IP of his server
12:33 < krzie> yet ip forwarding is on
12:33 < neorosbob> krzie: correctomundop
12:33 < krzie> which points to a firewall issue
12:33 < krzie> his firewall is some lamesauce auto-generated craziness
12:33 -!- atan2 [~atan@unaffiliated/atan] has quit [Ping timeout: 255 seconds]
12:33 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
12:33 < neorosbob> krzie: as I said, if I understood firewalls better I may be having the same AHA moment you did several hours ago. As it stands I still require more explination. 
12:33 < krzie> neorosbob, Bushmills may be able to help you with that
12:34 < krzie> neorosbob, i dont use linux so im not the one for that
12:34 < neorosbob> Firewall UP, forwards set to accept, can't ping. Firewall down can't ping
12:34 < neorosbob> can't
12:34 < neorosbob> ping
12:34 < krzie> and sorry bout last night... i was pretty wasted ;]
12:34 < neorosbob> HA!
12:34 < Bushmills> only in general terms, like "replace firewall rules against hand crafted ones"
12:34 < neorosbob> me too
12:34 < krzie> neorosbob, but its surely your firewall
12:34 < krzie> neorosbob, remove EVERYTHING and set everything to accept
12:34 < krzie> !linfw
12:34 <@vpnHelper> "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
12:34 < Bushmills> or "ask on the support channel of that particular firewall rules generator"
12:34 < neorosbob> krzie, I tend to agree. Wish I knew how to fix
12:35 < neorosbob> it's IPTABLES
12:35 < neorosbob> current ruleset is
12:35 < neorosbob> root@gateway:~# iptables -L FORWARD
12:35 < neorosbob> Chain FORWARD (policy ACCEPT)
12:35 < neorosbob> target     prot opt source               destination         
12:35 < neorosbob> ACCEPT     all  --  anywhere             anywhere            
12:35 < neorosbob> ACCEPT     all  --  anywhere             anywhere            
12:35 < neorosbob> ACCEPT     all  --  anywhere             anywhere 
12:35 -!- neorosbob was kicked from #openvpn by vpnHelper [Flooding detected. Please use http://openvpn.pastebin.ca for posting logs or configs.]
12:35 < krzie> haha nice
12:35  * krzie pets vpnHelper 
12:35 < Bushmills> problem sorting out itself
12:36 -!- atan3 [~atan@unaffiliated/atan] has quit [Ping timeout: 240 seconds]
12:36 -!- neorosbob [~Adium@74-92-220-244-Colorado.hfc.comcastbusiness.net] has joined #openvpn
12:36 < neorosbob> woops
12:36 < Bushmills> spammer
12:36 < neorosbob> let me pastebin that
12:36 < neorosbob> sorry guys
12:36 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
12:37 < neorosbob> here's my current FORWARD rules for IPTABLES on the server
12:37 < neorosbob> http://openvpn.pastebin.ca/2014966
12:37 < krzie> show ALL rules
12:37 < krzie> its not 100% garunteed to be the forward chain
12:37 < Bushmills> iptables -nvL
12:37 < Bushmills> iptables -t nat -nvL
12:37 -!- atan3 [~atan@unaffiliated/atan] has joined #openvpn
12:38 < neorosbob> k, one sec
12:38 < atan3> Okay. wtf. Since I'm connected here the VPN is connected and routing traffic over it. However my web requests are not going over the vpn.
12:38 <@vpnHelper> RSS Update - pastebin: iptables <http://pastebin.ca/2014966>
12:38 < krzie> atan3
12:38 < krzie> !goal
12:38 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:39 < Bushmills> atan3: look for the reason why they aren't.  like, check whether web browser use a web proxy
12:39 -!- mant1s [mant1s@unaffiliated/mant1s] has quit [Ping timeout: 255 seconds]
12:39 -!- atan2 [~atan@unaffiliated/atan] has quit [Ping timeout: 260 seconds]
12:39 < neorosbob> Busmills: http://openvpn.pastebin.ca/2014972
12:40 < atan3> My web browser can't resolve crap now =| I didn't touch anything I swear, lol
12:40 < Bushmills> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)  <-  nothing being forwarded between interfaces
12:40 < neorosbob> krzie: when I ping from the host to the servers VPN IP I do see an ARP on the server but I never see ICMP packets. 
12:40 < krzie> atan3, can you ping 4.2.2.1?
12:40 < atan3> ye
12:40 < atan3> s/ye/yes/
12:40 < krzie> can you resolve google.com?
12:40 < atan3> No.
12:40 < krzie> are you in linux?
12:41 < atan3> Client is Windows. Server is Debian.
12:41 < krzie> !pushdns
12:41 <@vpnHelper> "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
12:41 < krzie> !opendns
12:41 < krzie> !dns
12:41 < Bushmills> i gave up on atan3, he consistently ignores suggestions to to what !winroute suggests, or show a traceroute
12:41 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4
12:41 < krzie> its not !winroute, its dns
12:41 < atan3> Bushmills, sorry man I skipped over it =\ thing closed and I didn't see it
12:41 < krzie> you have 2 choices of how to fix it atan3 
12:41 < Bushmills> no. when using 8.8.8.8, the problem seems to prevail
12:42 < krzie> you can manually change the DNS on the client machine
12:42 < Bushmills> he did
12:42 < Bushmills> no change
12:42 < krzie> Bushmills, he can ping the ip, not resolve hostnames
12:42 < krzie> maybe his server's provider only allows DNS out via their NS then
12:42 < krzie> but the fact he can ping ip and not resolve proves it is DNS
12:43 < Bushmills> (19:10:22) atan2: Okay still can't resolve
12:43 < Bushmills> (19:10:31) atan2: Do I need to push some rule about using DNS?
12:43 < Bushmills> (19:11:05) Bushmills: won't help if manually editing doesn't help
12:43 < krzie> atan3, on the server machine type this:   host google.com 8.8.8.8
12:43 < neorosbob> bushmills: this forward policy does no effect outcome either http://openvpn.pastebin.ca/2014974
12:43 <@vpnHelper> RSS Update - pastebin: iptables <http://pastebin.ca/2014974> || iptables <http://pastebin.ca/2014972>
12:43 < atan3> command not found, krzie 
12:44 < krzie> you said it was debian
12:44 < Bushmills> server is. client is win7
12:44 < krzie> i said to do it on the server
12:44 < krzie> not the client
12:45 < atan3> host google.com 8.8.8.8 shows their dns results
12:45 < atan3> I just installed 'host' =\
12:45 < Bushmills> neorosbob: on that machine, replies seem to disappear? make sure there are routes to the needed destinations
12:45 < atan3> trying that push dns thing, one sec while I reconnect up
12:45 < krzie> you need to restart the server before the push will happen
12:46 < krzie> Bushmills, if it was !winroute, he would still be able to resolve, he would not be able to communicate over the vpn
12:46 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
12:46 < krzie> he wouldnt have routes bypassing his default gateway
12:46 < Bushmills> depends whether default gateway lets him out
12:46 < atan2> push DNS worked. =D
12:46 < atan2> We're up and running with working DNS now baby! Yeah!
12:47 < atan2> Thank you krzie and Bushmills =)
12:47 < krzie> you're welcome
12:48 < krzie> Bushmills, that comes down to windows being lamesauce
12:48  * Bushmills grumbles some incoherent words
12:48 < atan2> Might I ask if now that we are using this push dns, does resolve.conf have _anything_ do to with my vpn resolving stuff?
12:48 < krzie> what you were saying made sense, but windows sucks
12:48 < krzie> lol
12:48 < krzie> atan2, no
12:48 < krzie> only the local machine itself
12:48 < neorosbob> Bushmills: on the host I am trying to ping I have added static routes that point to the VPN servers LAN IP as the gateway for the VPN subnet and vpn client subnet. But as krzie and I have gone over, the routing tables seem to be ok because I can see the host ARP for the gateway (server LAN IP) if I try to ping from the host to the VPN IP of the server. That being said I must re-state how much I suck at iptables. Any insight
12:49 < krzie> the clients will get DNS over the vpn, but from the NS it contacts over the vpn
12:49 < krzie> whoa whoa
12:49 < krzie> the ARP has nothing to do with routing tables
12:49 < krzie> different layers
12:49 -!- atan3 [~atan@unaffiliated/atan] has quit [Ping timeout: 240 seconds]
12:49 < neorosbob> well it's looking for the right gateway IP which comes from the static route I added
12:50 < neorosbob> so the ARP has something to do with it. It indicates the host I am trying to ping is attempting to return packets to the correct gateway (VPN servers LAN IP)
12:50 < atan2> Okay. I best take off and reboot things a bit to make sure all my configs are correct =) I'm going to leave IRC to save annoying people with peer messages :P :D
12:50 < atan2> Thanks again!! =D
12:50 < Bushmills> i mean, on the host you now pasted iptables output - which is, as i understand, a router between hosts - do proper routes exist there too?
12:50 < atan2> Rock on. Ciao.
12:51 -!- atan2 [~atan@unaffiliated/atan] has quit [Client Quit]
12:52 < Bushmills> well, i assume they do. krzee mentioned something to the end of routes having been verified
12:52 < neorosbob> Bushmills: The VPN server is on a VM vendors cloud with several servers that share a private 10.8.0.0/16 subnet. I am using the VPN server to gain access to that private subnet. The client is the default gateway for our office.
12:53 < neorosbob> Bushmills: I am happy to provide all of my routing tables on the server, the host I am trying to ping on the server LAN and the client
12:54 < Bushmills> where is the vpn server?
12:54 < neorosbob> rackspace
12:54 < Bushmills> you can't tcpdump on that one?
12:55 < Essobi> libpcap FTW!
12:55 < neorosbob> yes I can, all of the tcpdumps I have provided came from 1 of 2 rackspace systems 1.) the VPN server, or 2.) the host I am trying to ping from the VPN client LAN
12:55 < neorosbob> that's how I know the VM's are ARPing for each other when I test
12:55 < neorosbob> tcpdump is a beautiful thing
12:56 < Bushmills> on vpn server, you see packets from vpn go to your server, and replies from server reaching vpn server?
12:56 < neorosbob> so, care to look at my routing tables?
12:56 < neorosbob> Bushmills, yes in fact from my office, on my laptop (host on client LAN) I can ping the VPN servers LAN IP.
12:56 < Bushmills> no, not unless the machine which causes the problem has been pinpointed
12:56 < neorosbob> Also, from the VPN server I can ping to the client LAN ANY IP
12:57 < neorosbob> lastly
12:57 < Bushmills> that's not what i meant to ask
12:57 < neorosbob> I can ping from the VPN server to the VM on the server LAN and the VM on the server LAN can ping back to the VPN servers LAN IP but can not ping the VPN servers VPN IP
12:58 < Bushmills> i mean, pinging your server from your office, thereby packets traversing vpn, and then being routed to your server - do they arrive at server? are they replied to? do replies go back to vpn server?
12:58 < neorosbob> but when I ping from the VM to the VPN servers VPN IP I see ARPS on the VPN server from the VM looking for the gateway IP I defined on the VM's routing tables
12:59 < Bushmills> tell me once you know.
12:59 < neorosbob> Bushmills, yes I can ping across the VPN to the VPN servers LAN IP and I get them back
12:59 < Bushmills> good. problem solved.
12:59 < neorosbob> How so?
12:59 < Bushmills> pinging your server from your office, thereby packets traversing vpn, and then being routed to your server - do they arrive at server? are they replied to? do replies go back to vpn server?
12:59 < neorosbob> I still can't get to any host on the servers LAN via VPN
13:00 < Bushmills> ->  yes I can ping across the VPN
13:00 < neorosbob> problem not solved. I can not access hosts on the server LAN via VPN
13:01 < Bushmills> pinging your server from your office, thereby packets traversing vpn, and then being routed to your server - do they arrive at server? are they replied to? do replies go back to vpn server? ... tell me once you know.
13:01 < neorosbob> we just went full circle back to the beginning
13:01 < neorosbob> as Krzie said
13:01 < Bushmills> no, you just don't tell me what i want to know
13:01 < Bushmills> no full circle. from my POV, not moved yet
13:02 < neorosbob> Busmills, what do you need to know? Help me help you help me ;-).
13:02 < Bushmills> pinging your server from your office, thereby packets traversing vpn, and then being routed to your server - do they arrive at server? are they replied to? do replies go back to vpn server?
13:03 < neorosbob> yes, yes, yes
13:03 < neorosbob> in order
13:03 < Bushmills> does openvpn server have a route back to vpn clients?
13:03 < neorosbob> yes
13:04 < Bushmills> pastebin openvpn server firewall rules and routes
13:04 < neorosbob> everything from the client lan to the server is working
13:04 < neorosbob> the problem lies in getting packets from the VPN lan to the server lan
13:05 < Bushmills> pinging your server from your office, thereby packets traversing vpn, and then being routed to your server - do they arrive at server? -> "yes"   .... "problem lies in getting packets from the VPN lan to the server lan"  - isn't that a contradiction?
13:05 < neorosbob> ok, let me take a step back and recap
13:06 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
13:06 < neorosbob> VPN server has an interface on 10.179.0.0/16
13:07 < Bushmills> just do this:  spot the machine where packets don't take the intended route. i.e. where they arrive, but don't seem to leave.
13:07 < neorosbob> that's the VPN server
13:07 < Bushmills> and note what direction the problem shows.  route to server, or route back.
13:07 < neorosbob> ping from client to vpn Server LAN IP OK/PASS
13:07 < neorosbob> ping from VPN Server to CLient LAN OK/PASS
13:08 < neorosbob> ping from client LAN to host on server LAN FAIL
13:08 < neorosbob> ping from host on server LAN to vpn subnet FAIL
13:08 < neorosbob> the VPN server is where packets DIe
13:09 < neorosbob> tcpdump shows the ARPs of the machines looking for the right gateways but the ICMP packets never go 
13:09 < neorosbob> so, to recap
13:09 < neorosbob> VPN servers LAN 10.179.0.0/16
13:09 < neorosbob> VPN Subnet 172.21.135.0/24
13:09 < neorosbob> Client LAN subnet 172.21.130.0/24
13:10 < rjd__> wb neorosbob :)
13:10 < neorosbob> Host I am trying to get to on Servers LAN is 10.179.98.73
13:11 < neorosbob> VPN servers LAN IP is 10.179.104.108
13:11 < neorosbob> I can ping 10.179.104.108 to 172.21.130.212 (my laptop)
13:11 < neorosbob> I can ping my laptop to 10.179.104.108
13:11 < neorosbob> I can NOT ping from my laptop to 10.179.98.73
13:12 < neorosbob> i can NOT ping from 10.179.98.73 to 172.21.135.1
13:12 < neorosbob> I can ping from 10.179.98.73 to 10.179.104.108
13:12 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined #openvpn
13:12 < grendal_prime> hey guys this is going to sound stupid..but ok im stupid...
13:14 < grendal_prime> got working opvnp connection up .. we will call that network O on debian router box.  vpn network is say 192.168.106.0  internal network (call it I ) is 192.168.107.0 
13:14 < neorosbob> Bushmills: does that help connect the dots?
13:14 < grendal_prime> normally i would set a static route on each of the machines on the internal network.
13:14 < Bushmills> have you found the problem spot?
13:14 < Bushmills> (20:07:13) Bushmills: just do this:  spot the machine where packets don't take the intended route. i.e. where they arrive, but don't seem to leave.
13:14 < neorosbob> No, that's what I'm looking to you guys for
13:15 < neorosbob> well, then yes
13:15 < Bushmills> why - you know how to use tcpdump, don't you?
13:15 < neorosbob> the problem machine is the VPN server. That is the die point for packets
13:15 < rjd__> Bushmills: he did that, and that's vpn server, where he could se the incoming icmp echo-request from a vpn client out to a machine neighbour to his vpn server, with no response
13:15 < Bushmills> do packets leave towards lan there?
13:15 < Bushmills> do reply packets arrive there?
13:15 < neorosbob> Busmills: yes, the problem spot (machine) is the VPN server
13:15 < Bushmills>  do reply packets arrive there?
13:16 < neorosbob> Busmills: Before I answer that can we take a step back and define what kind of test I am running
13:16 < neorosbob> what am I pinging and from where and I will tell you the results
13:16 < grendal_prime> but i want everything on the 107 network to be able to see the 106 network..what would my route look like?  i was assming  it would be route route add 192.168.106.0 255.255.255.0  -g 192.168.107.254
13:17 < neorosbob> Busmills: rjd_ helped me for a long time on this last night.  Please see his response
13:17 < neorosbob> Again, I can't stress enough that I know there's something utterly simple that I am overlooking. I just can't spot it. 
13:18 < neorosbob> Probably because I'm still learning over hear. Grasshopper is looking to you for guidance 
13:21 < Bushmills> " could se the incoming icmp echo-request from a vpn client out to a machine neighbour to his vpn server, with no response" - assuming they've been sent on towards server, and there's no reply - the openvpn is NOT the problem.
13:21 < Bushmills> or, not the only problem
13:21 < Bushmills> after all, what should openvpn machine sent on if there's nothing coming back?
13:22 < Bushmills> so please proceed and spot the machine very packets are seemingly getting lost
13:22 < Bushmills> where
13:23 < neorosbob> Bushmills, the only thing I can guess is either the firewall is not forwarding packets, or ip_forwarding is not functioning properly. I can get ICMP to the servers LAN interface, just not past it.
13:23 < Bushmills> why not use tcpdump, rather than guessing=
13:23 < neorosbob> packets seem to get lost on the VPN server
13:23 -!- edmund [~hello@12.17.176.50] has joined #openvpn
13:24 < Bushmills> you can only find the problem once you found the spot where it manifests
13:24 < neorosbob> that's how I know packets are getting lost on the server, I see (in TCPDUMP) ICMP packets coming from the VPN. I see on the other host (IN TCPDUMP) that no ICMP packets get there
13:24 < Bushmills> "seem to get lost" means, they replies arrive on openvpn server, but aren't sent on?
13:24 < neorosbob> all I see on the other host is the VPN server ARPing for the host I am trying to ping
13:25 < Bushmills> so you can see the replies at the openvpn server?
13:25 < neorosbob> and I see, in tcpdump, the host I am trying to ping responds to the ARP
13:25 < Bushmills> so you can see the replies at the openvpn server?
13:25 < neorosbob> I see, in tcpdump on the server, that the ARP response is received by the server
13:25 < edmund> Hey All, I'm guessing this has been discussed here before, but I was just wondering.... What is the best available OpenVPN interface for iOS4 (iPhone) since Apple probably wont open up the SSL API guts to anyone besides Juniper and Cisco? Thank you!
13:25 < Bushmills> so you can see the replies at the openvpn server?
13:25 < neorosbob> I see in tcpdump on the host I am trying to ping, NO ICMP packets
13:25 < Bushmills> so you can see the replies at the openvpn server?
13:25 < neorosbob> no, I do not see replies at the server
13:26 < Bushmills> then openvpn server is NOT the problem
13:26 < neorosbob> and I do not see echos at the host I am trying to ping
13:26 < Bushmills> (assuming requests reach the server)
13:26 < neorosbob> I see the echo hit the server and I never see echos hit the host I am trying to ping
13:26 < Bushmills> you may have been looking in the wrong place all the time 
13:27 < neorosbob> so, that being said, and echo reply never gets issued since the host I am trying to poing never receives the ICMP echo pcaket
13:28 -!- atan [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
13:29 < neorosbob> if I ping the other direction, from the host on the server lan to the VPN IP of the server I never see ICMP's hit the LAN interface of the server
13:30 < Bushmills> well, spot the problem hop
13:30 < neorosbob> BUT, I do see an ARP come from the host looking for the LAN IP of the VPN server
13:30 < neorosbob> but, still no ICMP packets reach the LAN interface of the server
13:30 < neorosbob> and thusly never make it to the VPN subnet either
13:30 < neorosbob> it still seems to me like the server is the problem hop
13:30 <@dazo> !iphone
13:30 <@vpnHelper> "iphone" is (#1) http://github.com/jfx2006/OpenVPN_iphone/downloads for precompiled iphone binaries, or (#2) http://modmyi.com/cydia/package.php?id=15784 for the gui portion, or (#3) http://www.zdnet.com/blog/hardware/ubuntu-lucid-lynx-1004-can-read-your-iphones-secrets/8424 <-- be aware of that before putting your keys on an iphone, or (#4) see http://www.guizmovpn.com/ for an iOS client for OpenVPN for
13:31 <@vpnHelper> iPhone and iPad.
13:31 <@dazo> edmund:  ^^^
13:31 < Bushmills> " still no ICMP packets reach the LAN interface of the server" -> "still seems to me like the server is the problem hop"  : inconclusive
13:33 < neorosbob> Bushmills, I can ping from the LAN IP of the server to the host on the same lan. They can ping back and forth (see and talk to each other)
13:34 < Bushmills> neorosbob: i can ping my router from my local machine
13:35 < neorosbob> Bushmills: me too
13:35 < Bushmills> hope that helps
13:36 < neorosbob> Sorry, I'm still obviously overlooking something.
13:41 < neorosbob> Bushmills: any other ideas on where I should look?
13:42 < Bushmills> yes. spot the problem hop
13:42 < neorosbob> server
13:42 < neorosbob> spotted
13:42 < neorosbob> what next?
13:43 < neorosbob> Unless you have some insight as to why it isn't the server all evidence (tcpdump) points to the server. The server has been spotted as the problem'
13:43 < neorosbob> Firewall, routing tables or something else. 
13:43 < neorosbob> I'm just looking for wisdom and insight
13:43 < Bushmills> thus, request arrive at server?
13:44 < neorosbob> yes ICMP request arrive at the server if they originate from the VPN subnet or client LAN
13:44 < Bushmills> but server doesn't reply?
13:45 < neorosbob> but not going from a host on the server LAN to an IP on the VPN subnet or Client subnet. They never reach the server
13:45 < Bushmills> sorry, there are too many "ifs" for the simple case of "ping from your office machine"
13:45 < neorosbob> VPN server replies replies if pinged from VPN. So from my office I can ping the VPN servers VPN IP at 172.21.135.1 and I get replies
13:46 < Bushmills> you ping server from office machine, and icmp echo requests arrive at server?
13:46 < neorosbob> yes
13:47 < neorosbob> both server IP's reply, it's LAN IP (10.179.104.108) and it's VPN IP (172.21.135.1) I can ping from my office laptop (172.21.130.212) and get replies
13:47 <@vpnHelper> RSS Update - pastebin: iptables <http://pastebin.ca/2014974> || iptables <http://pastebin.ca/2014972> || Stuff <http://pastebin.ca/2009622> || OS X keychain patch <http://pastebin.ca/2009618> || Anonymous <http://pastebin.ca/2009607> || Someone <http://pastebin.ca/2008769> || Mine <http://pastebin.ca/2007905> || Unnamed <http://pastebin.ca/2006712> || Someone <http://pastebin.ca/2006711> || nelgin <http://pastebin.ca/2005744> || 
13:48 -!- edmund [~hello@12.17.176.50] has quit [Quit: edmund]
13:48 <@dazo> wtf!?!?
13:49 <@dazo> ecrist:  do we have rss feed on pastebin.ca?
13:49 < neorosbob> Server can ping hosts on it's LAN (like the one I'm trying to ping). So server LAN IP 10.179.104.108 can ping and get replies from 10.179.98.73. And 10.179.98.73 can ping and get replies from 10.179.104.108
13:50 -!- MarocSlave [~Co_Permen@187.6.200.78] has joined #openvpn
13:50 -!- MarocSlave [~Co_Permen@187.6.200.78] has left #openvpn []
13:50 < neorosbob> if I try to ping from host 10.179.98.73 to 172.21.135.1 (Server VPN IP) ICMP packets never arrive on 10.179.104.108 (proven in tcpdump)
13:51 < Bushmills> those echo replies from server, do they arrive at openvpn server?
13:53 < neorosbob> If I ping from 10.179.98.73 to 10.179.104.108 I see ICMP packets arrive on VPN server. If I ping 10.179.98.73 to 172.21.135.1 I do not see ICMP packets arrive on VPN server. 
13:53 < neorosbob> But I do see 10.179.98.73 arping for 10.179.104.108. I assume this is because on the .73 host I have defined static routes that point to 10.179.104.108 as the gateway to both 172.21.135.0/24 and 172.21.130.0/24 subnets.
13:53 < Bushmills> thus, server replies, but they don't arrive at openvpn server?
13:54 < neorosbob> no, sorry, we got mixed up
13:54 < neorosbob> I keep jumping to my next example before you are done with questions.
13:54 < Bushmills> oh well. just follow that suggested route. ping from office, and look where those packets get lost
13:54 < neorosbob> they stop at the VPN server
13:55 < Bushmills> do the *get* there?
13:55 < Bushmills> they
13:55 < neorosbob> ICMP packets never go to their final endpoint when pinging that way
13:56 < neorosbob> they get to the VPN servers LAN interface 10.179.104.108 but they never make it to the server they are intended for (10.179.98.73)
13:56 < Bushmills> they are replies - the come from server, and are not supposed to go there
13:56 < Bushmills> no idea how "never make it to the server" fits in here
13:56 < neorosbob> sorry, replies never happen, I'm talking about the initial ICMP echo request packet
13:56 < ecrist> dazo: yes
13:56 < neorosbob> the ICMP echo response never happens 
13:57 < ecrist> only for openvpn.pastebin.ca though
13:57 < Bushmills> sorry. i find that too confusing. they do - they don't - they do.
13:57 < neorosbob> because the request never gets to it's endpoint
13:57 < Bushmills> ah. they don't, now
13:57 < neorosbob> correct, they do not
13:57 < neorosbob> ICMP echo request dies at the server so a response never happens
13:57 < Bushmills> then look for the problem hop
13:57 < Bushmills> if they don't get to server, server is not likely the problem
13:58  * Bushmills gone now
13:58 < neorosbob> wow, we're back to this. Anyone else care to chime in with what I can start to look at? Seems I'm caught in a loop here.
14:00 < ecrist> firewall?
14:00 < krzie> its still the firewall on the server
14:01 < krzie> something is blocking ip forwarding on the server
14:01 < krzie> period.
14:01 < neorosbob> that's what I'm thinking. I just need help looking in the right places. I don't know what I'm looking for at this point. 
14:01 < ecrist> a firewall
14:01 < krzie> nor do i
14:01 < krzie> but its something in the iptables
14:01 < krzie> im no linux guru
14:01 < ecrist> specifically, a rule in the firewall blocking the traffic
14:02 < neorosbob> no worries krzie. You and rjd_ helped me a ton last night to narrow it down to firewall. I should have avoided the bushmills loop altogether. I agree, it is firewall 
14:06 < Essobi> It's ALWAYS the firewall!
14:06  * Essobi shakes his fist at the firewalls.
14:07 < krzie> Bushmills knows his stuff
14:08 < krzie> i go to him for help on other stuff quite a bit
14:08 < krzie> (for the record)
14:08 < ecrist> there's a reason the firewall is specifically mentioned in /topic
14:10 < krzie> yep, seems like we find our way to the firewall being the issue a healthy percentage of the time
14:10 < krzie> rjd__ had actually said it was the firewall right away... then i troubleshot it for like an hour before coming to the conclusion that he was right all along
14:12  * ecrist smacks krzie around with a large trout
14:13 < krzie> heh
14:16 < Essobi> so I havn't hung out here much..
14:17 < Essobi> Or seen traces of a firewall in action mangling someones OpenVPN..
14:17 < Essobi> What do most of them do, exactly? :)
14:17 < ecrist> prevent people from connecting
14:17 < ecrist> or blocking traffic once you're on the vpn
14:18 < krzie> sometimes they can connect, but then tun is blocked so everything dies after connection
14:18 < krzie> or often times the firewall blocks lan communications (ip forwarding) or !redirect type setup (nat)
14:19 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:23 < neorosbob> krzie, Bushmills was very helpful indeed. I think I have monopolized enough of his time, per his being finished with me. And he was doing what I needed in the end. That is to ask questions and put me through the motions of trouble shooting.  I took it that I must have annoyed him in that he began repeating himself didactically and then was done with me.
14:24 < krzie> ya, i get burnt out taking people in circles as well
14:24 < neorosbob> Krzie the one question I still have is where can I look next. You and jrd_ reviewed my iptables last night and could not spot anything either
14:25 < neorosbob> I know I've been eating up a lot of everyones time. Please know I appreciate it. I think my frustration has blinded me to the solution and I'm just hoping for maybe some good questions to get me there
14:29 < krzie> i did not review them
14:29 < krzie> nor will i be, i dont troubleshoot linux firewalls
14:29 < krzie> maybe #iptables or something
14:29 < neorosbob> sorry, you're right, rjd_ did.
14:29 < ecrist> historically, this channel hasn't been the most linux friendly
14:35 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has quit [Quit: leaving]
14:37 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined #openvpn
14:42 < Essobi> Ah.. It's LINUX firewalls that're broken. Heh.
14:42 < Essobi> Okay.. That makes a lot more sense now.
14:43 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 240 seconds]
14:43 < neorosbob> yup, iptables. In fact I have gone so far as to remove the firewall script and use the example firewall config at http://svn.openvpn.net/projects/openvpn/trunk/openvpn/sample-config-files/firewall.sh and it has had no effect on the issue. Trying to come up with a different way of looking at this
14:44 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 272 seconds]
14:46 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has joined #openvpn
14:53 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has quit [Quit: leaving]
14:55 -!- infid [~infid@99-101-15-134.lightspeed.sndgca.sbcglobal.net] has quit [Ping timeout: 260 seconds]
14:55 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has quit [Remote host closed the connection]
14:57 -!- infid [~infid@99-101-15-134.lightspeed.sndgca.sbcglobal.net] has joined #openvpn
15:02 <@vpnHelper> RSS Update - pastebin: iptables <http://pastebin.ca/2014974> || iptables <http://pastebin.ca/2014972> || Stuff <http://pastebin.ca/2009622> || OS X keychain patch <http://pastebin.ca/2009618> || Anonymous <http://pastebin.ca/2009607> || Someone <http://pastebin.ca/2008769> || Mine <http://pastebin.ca/2007905> || Unnamed <http://pastebin.ca/2006712> || Someone <http://pastebin.ca/2006711> || nelgin <http://pastebin.ca/2005744> || 
15:14 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
15:26 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
15:28 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined #openvpn
15:28 -!- p3rror [~mezgani@41.140.154.168] has quit [Ping timeout: 255 seconds]
15:42 -!- Aakash [~AakashPat@unaffiliated/aakashpatel] has joined #openvpn
15:42 -!- nhak [~nhak@unaffiliated/nhak] has joined #openvpn
15:44 -!- p3rror [~mezgani@41.140.180.174] has joined #openvpn
15:44 < nhak> i cannot surf through the tunnel although i can ping to the vpn server from my computer
15:45 < nhak> there are no problem to start the server and the client
15:45 < nhak> but i cannot surf with the client
15:45 < nhak> where can i do wrong there?
16:02 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
16:07 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 265 seconds]
16:07 -!- nhak [~nhak@unaffiliated/nhak] has quit [Read error: Connection reset by peer]
16:10 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
16:14 -!- nhak [~nhak@nat-wh.rz.uni-karlsruhe.de] has joined #openvpn
16:14 -!- nhak [~nhak@nat-wh.rz.uni-karlsruhe.de] has quit [Changing host]
16:14 -!- nhak [~nhak@unaffiliated/nhak] has joined #openvpn
16:22 -!- nhak [~nhak@unaffiliated/nhak] has quit [Read error: Connection reset by peer]
16:26 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.12/20101026210630]]
16:26 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 260 seconds]
16:29 -!- nhak [~nhak@unaffiliated/nhak] has joined #openvpn
16:43 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
16:44 -!- nhak [~nhak@unaffiliated/nhak] has quit [Ping timeout: 276 seconds]
16:44 -!- Aakash [~AakashPat@unaffiliated/aakashpatel] has quit [Quit: Aakash]
16:46 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Quit: No Ping reply in 90 seconds.]
16:51 -!- boswarrior [~mrnice@84.115.26.221] has joined #openvpn
16:58 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
17:01 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has joined #openvpn
17:04 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
17:05 < Bushmills> !redirect
17:05 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:06 < Bushmills> ehm... gone
17:10 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:15 -!- neorosbob [~Adium@74-92-220-244-Colorado.hfc.comcastbusiness.net] has quit [Ping timeout: 245 seconds]
17:18 -!- cpf_ [~cpf@94-224-232-223.access.telenet.be] has joined #openvpn
17:19 < cpf_> !welcome
17:19 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:19 < cpf_> !route
17:19 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:23 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.12/20101026210630]]
17:57 -!- boswarrior [~mrnice@84.115.26.221] has quit [Quit: Ex-Chat]
17:58 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has quit [Quit: Ex-Chat]
18:03 <@vpnHelper> RSS Update - forum: Configuration :: Re: VPN Noob needs help with configuration :: Reply by Sky <https://forums.openvpn.net/viewtopic.php?f=6&t=7366&p=8666#p8666> || Configuration :: Connection Problems with Ethernet-Bridged VPN Server :: Author Sky <https://forums.openvpn.net/viewtopic.php?f=6&t=7377&p=8667#p8667> || Configuration :: Re: Connection Problems with Ethernet-Bridged VPN Server :: Reply by Sky <https://forums.openvpn.net/viewtopic.
18:28 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
18:30 -!- dazo is now known as dazo_afk
18:37 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 276 seconds]
18:42 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 250 seconds]
18:43 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
18:48 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 265 seconds]
18:58 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
18:58 < venom00ut> hello guys
18:59 < venom00ut> I've a problem, I want to connect to a remote vpn through a local proxy which connects to another remote proxy
18:59 < venom00ut> using redirect-gateway openvpn sets 127.0.0.1 (the local proxy address) to route to the old gateway
19:00 < venom00ut> but the local proxy then tries to talk with the remote proxy on an IP which has no specific rules in the routing table
19:00 < venom00ut> so goes throught the vpn, creating a sort of loop
19:01 < venom00ut> how can I solve this? (the IP the local proxy connects to vary)
19:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
19:07 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
19:27 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
19:35 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
19:41 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
19:43 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
19:44 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Ping timeout: 265 seconds]
19:45 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined #openvpn
19:51 -!- epaphus [~epaphus@201.199.62.74] has joined #openvpn
19:51 < epaphus> Hello, is it normal that i get this every hour? Fri Dec 10 05:53:51 2010 TLS: tls_process: killed expiring key .... where is that set at?
19:53 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
20:12 < ecrist> !man
20:12 <@vpnHelper> "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
20:23 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has joined #openvpn
20:45 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has joined #openvpn
20:45 <@vpnHelper> RSS Update - forum: Announcements :: phpBB-SEO installed :: Author ecrist <https://forums.openvpn.net/viewtopic.php?f=20&t=7382&p=8671#p8671>
20:45 < KipMacy> so my openvpn client is linux.  what's a good way to use the DNS server provided by my openvpn host?
20:51 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 255 seconds]
20:57 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Quit:  has left the bulding]
21:02 -!- epaphus [~epaphus@201.199.62.74] has quit [Ping timeout: 240 seconds]
21:02 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has joined #openvpn
21:14 -!- epaphus [~epaphus@ec2-50-16-226-177.compute-1.amazonaws.com] has joined #openvpn
21:17 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Quit:  has left the bulding]
21:18 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has joined #openvpn
21:18 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Client Quit]
21:22 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has joined #openvpn
21:26 <@vpnHelper> RSS Update - forum: Server Administration :: backslash problem :: Author pinguim007 <https://forums.openvpn.net/viewtopic.php?f=4&t=7383&p=8672#p8672>
21:29 < ecrist> KipMacy: have a script on the client that adds it to resolv.conf
21:30 < ecrist> or whatever linux uses now to assign that
21:35 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Quit:  has left the bulding]
21:35 -!- epaphus [~epaphus@ec2-50-16-226-177.compute-1.amazonaws.com] has quit [Quit: Leaving]
21:36 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has quit [Quit: leaving]
21:55 -!- pyther [~pyther@unaffiliated/pyther] has quit [Ping timeout: 264 seconds]
21:59 -!- epaphus [~epaphus@ec2-50-16-226-177.compute-1.amazonaws.com] has joined #openvpn
21:59 < epaphus> Hey guys, what parameter controls the amount of time that openvpn as a client knows that the server has been disconnected? ... 
22:00 < epaphus> i dont think its --ping because thats just for firewalls to not loose their state...
22:00 < epaphus> as far as i understand
22:08 -!- albech [~thomas@124.157.245.88] has joined #openvpn
22:10 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:11 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds]
22:21 -!- blahzey [~stevo@hosted2.lnk.telstra.net] has joined #openvpn
22:30 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has quit [Read error: Operation timed out]
22:51 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has joined #openvpn
23:13 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
23:24 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
23:32 <@vpnHelper> RSS Update - forum: Server Administration :: Someone PLEASE HELP!!! OPENVPN SOFT RESETTING FAILED HANDSHA :: Author ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7384&p=8673#p8673>
23:34 < ecrist> epaphus: no, it's for more than that
23:34 < ecrist> that's the option you want.
23:39 < epaphus> ok.. hmm ill dig in
23:52 -!- epaphus [~epaphus@ec2-50-16-226-177.compute-1.amazonaws.com] has quit [Quit: Leaving]
23:52 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has joined #openvpn
23:55 -!- Netsplit *.net <-> *.split quits: corretico, ^scott^, nijotz, Kevin`, batrick
23:58 -!- cpf_ [~cpf@94-224-232-223.access.telenet.be] has quit [Ping timeout: 240 seconds]
23:58 -!- Guest69400 is now known as Martin
23:59 -!- Martin is now known as Guest34695
23:59 -!- Netsplit over, joins: corretico, ^scott^, nijotz, Kevin`
--- Day changed Fri Dec 10 2010
00:00 -!- Netsplit over, joins: batrick
00:14 <@vpnHelper> RSS Update - forum: Server Administration :: backslash problem VPN fail windows xp :: Author pinguim007 <https://forums.openvpn.net/viewtopic.php?f=4&t=7383&p=8672#p8672>
00:15 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
00:17 -!- blahzey [~stevo@hosted2.lnk.telstra.net] has quit []
00:26 <@vpnHelper> RSS Update - forum: Server Administration :: backslash problem VPN fail windows xp client :: Author pinguim007 <https://forums.openvpn.net/viewtopic.php?f=4&t=7383&p=8672#p8672>
00:29 -!- albech [~thomas@124.157.245.88] has quit [Quit: Ex-Chat]
00:52 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:04 -!- cpf_ [~cpf@91.183.51.181] has joined #openvpn
01:09 -!- dazo_afk is now known as dazo
01:21 -!- dazo is now known as dazo_afk
01:23 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:27 -!- dazo_afk is now known as dazo
01:37 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has quit [Disconnected by services]
01:38 -!- _sht [sht@2607:f0d0:2001:8b::50:1337] has joined #openvpn
01:38 -!- sirdon [~sirdon@adsl-76-228-34-213.dsl.hrlntx.sbcglobal.net] has joined #openvpn
01:45 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has quit [Ping timeout: 260 seconds]
01:45 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
01:54 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 240 seconds]
02:00 -!- sirdon [~sirdon@adsl-76-228-34-213.dsl.hrlntx.sbcglobal.net] has quit [Quit: Leaving]
02:13 -!- boswarrior1 [~mrnice@78.142.173.114] has joined #openvpn
02:18 -!- nhak [~nhak@nat-wh.rz.uni-karlsruhe.de] has joined #openvpn
02:18 -!- nhak [~nhak@nat-wh.rz.uni-karlsruhe.de] has quit [Changing host]
02:19 -!- nhak [~nhak@unaffiliated/nhak] has joined #openvpn
02:22 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 260 seconds]
02:27 -!- W0rmF00d [~wormfood@183.39.101.114] has joined #openvpn
02:30 -!- WormFood [~wormfood@183.38.12.231] has quit [Ping timeout: 250 seconds]
02:33 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
02:36 -!- VillageIdiot [VillageIdi@82-168-191-228.ip.telfort.nl] has joined #openvpn
03:21 -!- mape2k [~jabber@galatea.net.pennewiss.de] has joined #openvpn
03:32 -!- nhak [~nhak@unaffiliated/nhak] has quit [Ping timeout: 276 seconds]
03:33 -!- VillageIdiot [VillageIdi@82-168-191-228.ip.telfort.nl] has quit []
03:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
03:43 -!- noisebleed [~quassel@piggy.inescn.pt] has joined #openvpn
03:43 -!- noisebleed [~quassel@piggy.inescn.pt] has quit [Changing host]
03:43 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
03:48 -!- master_of_master [~master_of@p57B55B51.dip.t-dialin.net] has quit [Ping timeout: 272 seconds]
03:50 -!- master_of_master [~master_of@p57B56881.dip.t-dialin.net] has joined #openvpn
03:51 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:55 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
03:58 -!- kerfe [~a@114.pool85-60-138.dynamic.orange.es] has joined #openvpn
04:17 -!- nhak [~nhak@vpn-cl-192-168.scc.kit.edu] has joined #openvpn
04:17 -!- nhak [~nhak@vpn-cl-192-168.scc.kit.edu] has quit [Changing host]
04:17 -!- nhak [~nhak@unaffiliated/nhak] has joined #openvpn
04:23 -!- common- [~common@p5DDA4979.dip0.t-ipconnect.de] has joined #openvpn
04:26 -!- twister004 [~chatzilla@59.90.34.167] has joined #openvpn
04:27 -!- common [~common@p5DDA480F.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
04:27 -!- common- is now known as common
04:34 -!- nhak [~nhak@unaffiliated/nhak] has quit [Read error: Connection reset by peer]
04:35 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
04:44 -!- dazo is now known as dazo_afk
04:52 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 260 seconds]
04:55 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
05:03 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Read error: Operation timed out]
05:04 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
05:10 -!- dazo_afk is now known as dazo
05:14 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:15 -!- OtherJakeSays [~quassel@c-98-202-184-139.hsd1.ut.comcast.net] has joined #openvpn
05:15 -!- JakeSays [~quassel@c-98-202-184-139.hsd1.ut.comcast.net] has quit [Ping timeout: 245 seconds]
05:43 -!- twister004 [~chatzilla@59.90.34.167] has quit [Ping timeout: 240 seconds]
06:02 -!- pyther [~pyther@adsl-99-37-208-222.dsl.bcvloh.sbcglobal.net] has joined #openvpn
06:02 -!- pyther [~pyther@adsl-99-37-208-222.dsl.bcvloh.sbcglobal.net] has quit [Changing host]
06:02 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
06:05 -!- mikkel [~mikkel@80.71.132.15] has joined #openvpn
06:08 -!- dazo is now known as dazo_afk
06:16 -!- dazo_afk is now known as dazo
06:44 -!- f1assistance [~Carl@cpe-024-211-247-099.nc.res.rr.com] has joined #openvpn
06:57 -!- W0rmF00d is now known as WormFood
06:58 -!- VillageIdiot [VillageIdi@82-168-191-228.ip.telfort.nl] has joined #openvpn
06:58 < VillageIdiot> hola
06:58 < ecrist> hola
06:58  * VillageIdiot slaps Bushmills around a bit with a large trout
06:59 < VillageIdiot> Bushmilllssss
07:06 -!- f1assistance [~Carl@cpe-024-211-247-099.nc.res.rr.com] has left #openvpn []
07:12 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
07:18 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: Backup route :: Author bistritapcv <https://forums.openvpn.net/viewtopic.php?f=15&t=7385&p=8674#p8674>
07:19 -!- reber [~reber@212-198-99-56.rev.numericable.fr] has joined #openvpn
07:19 < reber> hi
07:19 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
07:20 < reber> i have setup an openvpn tunnel, annd the tunnel is created, but i can't ping anything when it's done. Any ideas to try ?
07:21 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
07:25 < rjd__> reber: can you ping the vpn servers vpn ip?
07:26 -!- reber [~reber@212-198-99-56.rev.numericable.fr] has quit [Ping timeout: 250 seconds]
07:45 -!- reber [~reber@212-198-99-56.rev.numericable.fr] has joined #openvpn
07:51 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
08:01 -!- cpf_ [~cpf@91.183.51.181] has quit [Ping timeout: 255 seconds]
08:07 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has joined #openvpn
08:10 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 255 seconds]
08:14 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
08:16 < hyper_ch> krzie: howdy
08:17 -!- adawda is now known as sia^pwnnt
08:29 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
08:29 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
08:29 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
09:00 -!- skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 276 seconds]
09:02 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
09:06 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
09:13 -!- skrusty [~skrusty@83.166.176.39] has joined #openvpn
09:15 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
09:16 -!- ucekpolish [user@94.42.141.162] has quit [Remote host closed the connection]
09:19 -!- tsunamie [~chatzilla@5acea1c5.bb.sky.com] has joined #openvpn
09:19 < tsunamie> save me
09:19 < tsunamie> I am a simple person trying to connect to a simple vpn on a draytek router
09:19 < tsunamie> using open vpn client from a redhat box
09:20 < ecrist> does the draytek router use openvpn?
09:20 < tsunamie> how do I configure this thing to connect to the simple vpn server (on a drayteck router
09:20  * ecrist has no idea what a drayteck router is
09:21 < tsunamie> http://www.draytek.co.uk/products/vigor2930.html
09:21 <@vpnHelper> Title: DrayTek Vigor2930 Firewall Router (at www.draytek.co.uk)
09:22 < ecrist> so, you want me to read the documentation for you?
09:22 < tsunamie> no
09:22 < ecrist> that router doesn't support openvpn
09:23 < tsunamie> was just showing your the router I am using
09:23 < tsunamie> I see
09:23 < ecrist> from the SSL VPN tab:
09:23 < tsunamie> so you need to have openvpn client only works on open vpn servers?
09:23 < tsunamie> I don't need a key
09:23 < ecrist> read the docs for that router, it says you just use a web browser
09:24 < ecrist> openvpn only works with openvpn
09:25 < tsunamie> I see
09:25 < ecrist> http://www.draytek.co.uk/support/kb_vigor_ssl.html
09:25 <@vpnHelper> Title: Vigor Router FAQ - Vigor SSL VPN (at www.draytek.co.uk)
09:25 < tsunamie> I read that
09:25 < tsunamie> I ahve setup a traditiona;l vpn server on that router
09:25 < tsunamie> I can connect to it using windows
09:25 < tsunamie> nvm
09:25 < tsunamie> thought opnvpn was a generic vpn client
09:26 < tsunamie> going to use PPTP Client
09:26 < tsunamie> thanks
09:26 -!- tsunamie [~chatzilla@5acea1c5.bb.sky.com] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.12/20101026210630]]
09:27 < VillageIdiot>  is openvpn slower than ipsec?
09:27 < hyper_ch> aren't those total different things?
09:32 -!- VillageIdiot [VillageIdi@82-168-191-228.ip.telfort.nl] has quit []
09:32 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
09:42 -!- mape2k [~jabber@galatea.net.pennewiss.de] has left #openvpn []
09:52 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
09:54 -!- mant1s [mant1s@unaffiliated/mant1s] has joined #openvpn
10:11 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
10:14 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
10:14 -!- boswarrior1 [~mrnice@78.142.173.114] has quit [Quit: Ex-Chat]
10:17 -!- powerunits [~aa@119.152.77.63] has joined #openvpn
10:18 < powerunits> hi guys do you offer support paid support?
10:18 < powerunits> i need some customization
10:18 < powerunits> openvpn and .whmcs.??
10:19 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
10:20 < ecrist> powerunits: there may be a user in here who does, but in general, we don't offer paid support
10:21 < ecrist> openvpn does have a commercial product, however, which is commercially supported.
10:21 < ecrist> !as
10:21 <@vpnHelper> "as" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations options
10:21 <@vpnHelper> supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
10:28 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
10:36 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
10:44 -!- OtherJakeSays is now known as JakeSays
10:53 -!- blistov [~bens@s199-126-201-153.ab.hsia.telus.net] has joined #openvpn
10:55 < venom00ut> hello, I receive the error message "TLS key negotiation failed to occur within 60 seconds"
10:55 < venom00ut> my connection is VERY slow, can I increase the timeout somehow?
10:55 < blistov> eth0 - WAN, eth1 bridged to br0, tap0 bridged to br0, br0 LAN 10.0.0.1/8.  vpn client connects to the WAN, which forwards to br0, and connects successfully, but I can not communicate between the client and the server/LAN.  Anyone know why?
10:55 < blistov> http://pastebin.ca/2015680
10:56 < blistov> Been fighting with this for 6 hours.
10:58 -!- kwame_home [~kwame@201.166.104.61.cable.dyn.cableonline.com.mx] has quit [Quit: leaving]
11:02 < ecrist> venom00ut: see connect-timeout
11:03 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
11:08 -!- patelx [~a@openvpn/corp/admin/patel] has quit [Ping timeout: 260 seconds]
11:09 < venom00ut> ecrist, how to use it? man page just says it exists
11:09 < ecrist> try just adding connect-timeout 120
11:09 < ecrist> to your client config
11:09 -!- dazo is now known as dazo_afk
11:11 < venom00ut> ecrist, "now I receive TCP port read timeout expired: operation now in progress"
11:12 < ecrist> wow, no idea what that means.
11:12 < ecrist> !man
11:12 <@vpnHelper> "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
11:12 < ecrist> read that, see if there's info to help you
11:12 < venom00ut> I'm thorugh a socks proxy
11:12 < venom00ut> ecrist, I've been on that page for two hours :P
11:12 < ecrist> gimme a sec
11:13 < ecrist> ah, --connect-timeout is only good for TCP
11:13 < venom00ut> I'm using tcp :(
11:14 < venom00ut> I read somewhere that's a sort of bug because it should just be a warning, not a fatal error
11:14 < venom00ut> I'm through a socks proxy, btw
11:14 < ecrist> sounds like this is above my pay grade
11:16 -!- patelx [~a@openvpn/corp/admin/patel] has joined #openvpn
11:16 -!- mode/#openvpn [+o patelx] by ChanServ
11:16 < ecrist> hi patelx 
11:16 -!- krzee [~k@ftp.secure-computing.net] has joined #openvpn
11:16 -!- krzee [~k@ftp.secure-computing.net] has quit [Changing host]
11:16 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
11:16 < ecrist> krzee: ping
11:17 < venom00ut> ecrist, np, thank you anyway ;)
11:17 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
11:17 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Read error: Operation timed out]
11:22 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
11:28 -!- pyther24 [~pyther@unaffiliated/pyther] has joined #openvpn
11:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
11:31 < krzee> pong
11:48 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
12:09 -!- mant1s [mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds]
12:48 < Essobi> krzee: beer?
12:48 < |Mike|> cold beer*
12:51 < reber> Dec 10 19:48:28 dns-1 ovpn-server[19625]: remi/212.200.98.56:39459 MULTI: bad source address from client [192.168.1.10], packet dropped
12:51 < reber> what could be the problem ?
12:53 < ecrist> !google 'openvpn MULTI: bad source address from client'
12:53 <@vpnHelper> Openvpn – MULTI: bad source address from client – solution | Into ...: <http://www.void.gr/kargig/blog/2008/05/17/openvpn-multi-bad-source-address-from-client-solution/>; openvpn ipaddress problem: "MULTI: bad source address from client": <http://www.linuxquestions.org/questions/linux-networking-3/openvpn-ipaddress-problem-multi-bad-source-address-from-client-673001/>; OpenVPN FAQ:
12:53 <@vpnHelper> <http://www.ossg.ru/docs/OpenVPN/faq.html>
13:00 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 264 seconds]
13:02 < krzee> mmm beer
13:02 < krzee> reber, 
13:02 < krzee> !route
13:02 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:02 < krzee> i talk about that error, and why you get it in the above doc
13:06 -!- fifer [~fifer@67.208.108.228] has joined #openvpn
13:06 < fifer> tgif!
13:07 < fifer> I'm sure this is simple, but I just generated a new client key in my windows install of OpenVPN where I have generated all my keys.
13:08 < fifer> This is for a pfSense OpenVPN setup. I have one client working fine connecting to that server but the new client is getting an error when using the new key with the existing ca.crt:  VERIFY ERROR: ..... error=self signed cirt . . .
13:09 < fifer> The only thing I did to prep for generating the new key is to run the vars.bat
13:09 < ecrist> !configs
13:09 < ecrist> !logs
13:09 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
13:09 < fifer> Is there anything else I'm forgetting to properly generate new client keys?
13:09 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin
13:09 < ecrist> more important, the logs
13:09 < fifer> sure, thanks
13:17 < fifer> http://pastebin.ca/2015771
13:17 < fifer> Client windows xp, server pfSense FW
13:18 < fifer> my config is a working one, the client config is just a copy of the working one with the client cirts changed.
13:18 < ecrist> update your vpn client first
13:18 < ecrist> 2.0-beta16 is not acceptable. :)
13:20 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.12/20101026210630]]
13:21 < krzee> 2.0-beta!?
13:21 < krzee> lol
13:21 < krzee> still run windows 3.1?
13:22 < |Mike|> 3.11!
13:23 < fifer> updated, no change
13:24 -!- ucekpolish [user@hq.ostc-pl.com] has joined #openvpn
13:24 < ecrist> configs, then, fifer
13:24 < fifer> Is there anything you have to do when generating new client keys on windows other than running vars.bat?
13:36 < reber> krzee, ecrist okay thanks, reading.
13:40 < ecrist> no
13:40 < ecrist> fifer: !configs, please
13:47 < blistov> I've got my vpn server setup on tap0 which is connected to br0.  eth1 (lan) as also bridged to br0.  VPN clients can connect and ping br0 at 10.0.0.1, but can not ping LAN clients.. Anyone know why?
13:53 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has quit [Read error: Connection reset by peer]
13:55 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn
14:01 -!- dollabill [~mike@97.66.26.10] has quit [Ping timeout: 265 seconds]
14:02 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
14:05 < fifer> ecrist: Thanks for the help. It turned out the easy-rsa install I was working in was the old one we used during testing. Everything is fine now, testing setup gone!!
14:05 < fifer> Also upgraded to ovpn 2.2
14:07 < ecrist> good!
14:17 -!- clyons [~clyons@089-101-181232.ntlworld.ie] has joined #openvpn
14:17 -!- clyons [~clyons@089-101-181232.ntlworld.ie] has quit [Changing host]
14:17 -!- clyons [~clyons@unaffiliated/clyons] has joined #openvpn
14:19 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:22 -!- boswarrior [~mrnice@84.115.26.221] has joined #openvpn
14:24 -!- clyons [~clyons@unaffiliated/clyons] has quit [Quit: Leaving]
14:25 -!- clyons [~clyons@unaffiliated/clyons] has joined #openvpn
14:28 -!- skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 255 seconds]
14:29 -!- reber [~reber@212-198-99-56.rev.numericable.fr] has quit [Ping timeout: 245 seconds]
14:30 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
14:30 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Client Quit]
14:33 -!- skrusty [~skrusty@83.166.176.39] has joined #openvpn
14:38 -!- skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 255 seconds]
14:39 -!- skrusty [~skrusty@83.166.176.39] has joined #openvpn
14:43 -!- reber [~reber@ns1.sylogix.net] has joined #openvpn
14:48 < reber> krzee, ecrist thanks :) It worked :)
14:49 < ecrist> nm
14:49 < reber> *but* i wonder something
14:50 < reber> if i leave this local network and want to have a client that connects from everywhere ... ? How to do that ecrist krzee  ?
14:50 < krzee> huh?
14:50 < reber> i mean for example if i connect for a wifi hotspot that would gave me another ip network
14:50 -!- skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 255 seconds]
14:51 < reber> for instance
14:51 < reber> with another adress class
14:51 < krzee> but you wont need to share that lan
14:51 -!- skrusty [~skrusty@83.166.176.39] has joined #openvpn
14:52 < reber> right now i can connect with 192.168.1.0/24 because i have these settings on my server.conf. But what about other ip adresses ?
14:52 < reber> mmm
14:52 < reber> route 192.168.1.0 255.255.255.0   <---- is what i put on my server.conf
14:52 < reber> what about other networks ?
14:53 < krzee> when you are out connecting from random networks you dont need to share the lan behind you
14:54 < krzee> the route command (and matching iroute) only have to do with sharing the lan
14:54 < krzee> the vpn client itself would work without them
14:57 < reber> mmm ok. i understand
14:57 < powerunits> guys i need some to help me in intgration of openvpn with whmcs??
14:58 < powerunits> please let me know if any one can give me paid support...
14:58 < powerunits> and configration
14:58 < powerunits> thanks
14:59 < krzee> whats whmcd
14:59 < krzee> whmcs...
14:59 < krzee> oh ok i see it
14:59 < krzee> doesnt look like something ild be of use for
15:00 < powerunits> i have a clint who need this
15:01 < powerunits> on urgent bases
15:01 < powerunits> krzee: have u ever used whmcs?
15:02 < krzee> nope
15:02 < powerunits> rite
15:04 < krzee> im not sure if this would help any, but you could email openvpn technologies to see if they had any interest in doing the job
15:04 < krzee> what level of integration are you looking for anyways?  just auth?
15:05 < powerunits> let me tell you..
15:06 < powerunits> It should automatically; create, read, update and delete new users from the WHMCS control panel. Also a option to give the user a dedicated IP or a shared one. When it does create a new user he does of course need to receive a notification with the login information - would also like to be able to monitor connections - traffic - b/w. will i be able to use multiple vpn servers? - and will you be able to make the module pick servers that are less full etc ?
15:07 < krzee> im definitely not interested
15:07 < krzee> you'd wanna use eupheria
15:07 < krzee> !eupheria
15:07 < krzee> !factoids
15:07 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
15:08 < krzee> !eurephia
15:08 <@vpnHelper> "eurephia" is http://www.eurephia.net/
15:08 < krzee> as well as --management with some custom code to interface to it (see --management in the manual)
15:09 < krzee> monitor bandwidth would normally be a job for the firewall, but you complicate that if you use dynamic ips
15:09 < krzee> multiple servers yes, picking which to use based on load, no
15:10 < ecrist> I'll do it, for $100,000 US
15:10 < krzee> well actually i guess that is 'possible' but not likely to happen
15:10 < ecrist> 50% up-front
15:10 < ecrist> non-refundable
15:10 < ecrist> ;)
15:10 < krzee> you *could* make your own NS software that keeps track of their load, and replys to the query with the least loaded ip
15:11 < ecrist> TXT records
15:11 < krzee> ahh sure, and a custom patch to openvpn
15:12 -!- skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 255 seconds]
15:13 < ecrist> or an instance of relayd + pf in front of the 'real' openvpn servers
15:13 < ecrist> that can handle load-balancing
15:14 < krzee> oh sure, i assumed remote locations
15:14 < ecrist> if that, could almost be done, with just changing the order in the client config of the servers.
15:15 < krzee> ahh, a wrapper script
15:15 < ecrist> client1 has hostlist server1, server2, etc.  client2 has host list server2, server3, server1
15:15 < krzee> sure, much better than my custom ns idea
15:15 < krzee> oh you meant that
15:15 < ecrist> a wrapper script would be easy, too
15:15 < krzee> even better, a wrapper script to start openvpn for the clients... queries to see who to use, changes --remote accourdingly
15:15 < ecrist> sort of a launcher
15:16 < krzee> yep
15:17  * krzee hopes you get the 100k contract
15:17 < ecrist> me too
15:17 -!- skrusty [~skrusty@83.166.176.39] has joined #openvpn
15:27 -!- skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 255 seconds]
15:36 -!- boswarrior [~mrnice@84.115.26.221] has quit [Remote host closed the connection]
15:44 -!- skrusty [~skrusty@83.166.176.39] has joined #openvpn
15:47 -!- p3rror [~mezgani@41.140.180.174] has quit [Ping timeout: 245 seconds]
15:49 -!- pyther24 [~pyther@unaffiliated/pyther] has quit [Quit: leaving]
15:50 -!- clyons [~clyons@unaffiliated/clyons] has quit [Quit: Leaving]
16:19 -!- powerunits [~aa@119.152.77.63] has quit []
16:31 -!- infid [~infid@99-101-15-134.lightspeed.sndgca.sbcglobal.net] has left #openvpn []
17:14 -!- s7r [~s7r@178.73.198.40] has joined #openvpn
17:14 -!- kerfe [~a@114.pool85-60-138.dynamic.orange.es] has quit [Quit: • IRcap • 8.6 •]
17:18 < krzee> ecrist, he signed the papers!
17:18  * krzee happy
17:30 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
17:31 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
17:41 -!- reber [~reber@ns1.sylogix.net] has quit [Ping timeout: 240 seconds]
17:52 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
18:10 -!- fifer [~fifer@67.208.108.228] has left #openvpn []
18:10 -!- TOnDiieuE [~KlausFuch@173-13-150-137-sfba.hfc.comcastbusiness.net] has joined #openvpn
18:10 -!- TOnDiieuE [~KlausFuch@173-13-150-137-sfba.hfc.comcastbusiness.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
18:40 < ecrist> now to figure out how to pay for this thing
18:44 < reiffert> gimme all your money, I will care about the rest.
18:44 < ecrist> lol
18:49 < reiffert> :)
18:50 < ecrist> in all seriousness, I have no idea how to send these folks the money
18:51 < reiffert> who is "these"?
18:51 < krzee> they've gotta accept cc dont they?
18:51 < ecrist> Zone.eu
18:52 < ecrist> krzee: I can not see anywhere.  all I have is an invoice with a Swedbank acount number and a SWIFT code.
18:52  * ecrist has never used SWIFT
18:52 < krzee> oh wow
18:52 < krzee> they might want bank transfer, lol
18:52 < krzee> for such a small amount, that makes NO sense
18:53 < ecrist> I can send IBAN, too
18:53  * ecrist looks that up
18:53 < reiffert> ecrist: they've got a https://ahk.eesti.ee/ link at the very bottom.
18:53 <@vpnHelper> Title: Ausa hinnastamise kokkulepe (at ahk.eesti.ee)
18:54 < ecrist> wtf is that?
18:54 < krzee> all that page tells me is that theres some languages i SERIOUSLY dont understand
18:54 < reiffert> ecrist: what is it that you want to register, I can check at my registry service.
18:54 < krzee> krz.ee
18:54  * reiffert checking
18:55 < krzee> needs estonian signature, already got a guy to sign the papers =]
18:55 < reiffert> I can register krz.ee
18:56 < reiffert> you can hand me the money by paypal or similar?
18:56 < krzee> hrm, i think that would require him signing new papers
18:56 < ecrist> it would
18:56 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
18:56 < reiffert> My registrant doesnt say anything about papers.
18:57 < krzee> to reg .ee you must live in estonia
18:58 < reiffert> estonia is close to my place...
18:58 < reiffert> just 2000km.
18:58 < reiffert> allright, I just tried to register.
18:59 < reiffert> It says: owner-c is .de which is a fail.
18:59 < reiffert> If you friend hands me his owner-c number, I might try again.
18:59 < reiffert> If your
19:01 < reiffert> s, might,'ll,
19:02 < reiffert> http://maps.google.de/maps?f=d&source=s_d&saddr=mainz&daddr=estonia&hl=de&geocode=FXPd-gIdoiZ-ACl5E98zLpG9RzGgG9sQ1dQiBA%3BFcgXfgMdZ619ASn9S6CCnJSSRjHDJbRPup_qQA&mra=ls&sll=51.151786,10.415039&sspn=13.357423,28.78418&ie=UTF8&ll=54.316523,16.655273&spn=12.429057,28.78418&z=5
19:02 <@vpnHelper> Title: Mainz nach Estland - Google Maps (at maps.google.de)
19:05 -!- sekyourbox [44092124@gateway/web/freenode/ip.68.9.33.36] has joined #openvpn
19:06 < sekyourbox> hello, Is there support for gaming controllers over VPN?  I want to connect to my gaming pc through a laptop i have in my living room which is hooked up to a projector ?  Is this possible?
19:07 < sekyourbox> :D
19:09 < reiffert> guys
19:09 < reiffert> ;\
19:09 < reiffert> ?
19:11 < sekyourbox> i will be using VPN over the LAN
19:11 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
19:13 < sekyourbox> !welcome
19:13 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:13 -!- mikkel [~mikkel@80.71.132.15] has quit [Quit: Leaving]
19:13 < sekyourbox> I'd like to know before I but a gaming controller
19:13 < sekyourbox> buy*
19:16 < Bushmills> what you can use over the network, you can use over openvpn
19:17 < sekyourbox> yes, I guess it wouldn't be a VPN issue
19:17 < sekyourbox> nevermind
19:17 < Bushmills> when buying a network cable, you wouldn't ask whether it has gaming controller support
19:17 < sekyourbox> I know i'm stupid
19:18 < sekyourbox> I have a bushmills shirt
19:18 < sekyourbox> I wonder what happened to that shirt
19:18 < Bushmills> you drank it
19:19 < Bushmills> why vpn for the LAN?
19:19 < sekyourbox> you took it from me and i want it back
19:20 < sekyourbox> I guess there is no point to VPN over the lan anyway. I'll just throw them on the same subnet
19:21 < sekyourbox> pardon
19:21 -!- sekyourbox [44092124@gateway/web/freenode/ip.68.9.33.36] has left #openvpn []
19:23  * Bushmills runs out of hi-spirit tea enhancer
19:32 < krzee> that ranks high in the odd question contest
19:33 -!- s7r [~s7r@178.73.198.40] has left #openvpn []
19:33 < Bushmills> ah. there's some spare booze on my keychain
19:36  * Bushmills better consumes it before the key gets lost
19:37 -!- p3rror [~mezgani@41.140.31.40] has joined #openvpn
19:48 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has joined #openvpn
19:52 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has joined #openvpn
19:58 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Connection reset by peer]
20:00 -!- APTX [~APTX@phpBB/developer/APTX] has joined #openvpn
20:02 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
20:05 -!- APTX [~APTX@phpBB/developer/APTX] has joined #openvpn
20:08 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Remote host closed the connection]
20:10 -!- APTX [~APTX@phpBB/developer/APTX] has joined #openvpn
20:15 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
20:33 -!- pyther [~pyther@unaffiliated/pyther] has quit [Quit: Lost terminal]
20:36 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
20:41 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
20:42 -!- agagag [~anton@eudaimonia.goto10.org] has joined #openvpn
20:43 -!- skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 255 seconds]
20:43 -!- agagag_ [~anton@eudaimonia.goto10.org] has quit [Ping timeout: 255 seconds]
21:03 -!- corretico [~corretico@201.201.44.82] has quit [Remote host closed the connection]
21:05 -!- Agin [~Agin@greenzone.copyleft.no] has quit [Ping timeout: 276 seconds]
21:21 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds]
21:24 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
21:24 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has quit [Read error: Operation timed out]
21:32 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
21:50 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has joined #openvpn
22:04 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has quit [Ping timeout: 264 seconds]
22:33 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Read error: Connection reset by peer]
22:33 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
22:34 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Client Quit]
22:42 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
22:44 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 245 seconds]
22:54 -!- albech [~thomas@124.157.238.171] has joined #openvpn
22:57 < albech> i am an issue with my vpn connection where the clients do get connected and an ip number is given out, but the clients cannot connect through the tunnel nor can they ping the vpn server.
22:58 < albech> no machines on the remote network are visible to the clients
22:59 < albech> i have checked connectivity on the openvpn server and it can connect fine to other machines on the network and the internet
22:59 < albech> i am using a bridged setup btw
22:59 < albech> want me to paste some config files?
23:03 -!- albech [~thomas@124.157.238.171] has quit [Quit: Ex-Chat]
23:12 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined #openvpn
23:18 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 245 seconds]
23:31 -!- Jouva [Jouva@fluffy.moufette.com] has joined #openvpn
23:33 < Jouva> Argh. I've been pulling my hair out trying to get a VPN connection through a Windows XP based server to contact other machines on the same network as the windows server. Tried routing with tun, no go. Doing bridged connection is even worse: Client won't connect, and server doesn't seem to latch on to the tap device.
23:34 < Jouva> Yes I know there's like a million documents and FAQs and posts about this. But I have no clue what I'm missing
23:46 -!- Jouva [Jouva@fluffy.moufette.com] has quit []
23:48 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has quit [Ping timeout: 240 seconds]
23:49 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has joined #openvpn
23:59 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has quit [Ping timeout: 240 seconds]
--- Day changed Sat Dec 11 2010
00:00 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has joined #openvpn
00:01 -!- VillageIdiot [~daniell@vps1098.directvps.nl] has joined #openvpn
00:06 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has quit [Ping timeout: 265 seconds]
00:10 -!- Aakash [~AakashPat@unaffiliated/aakashpatel] has joined #openvpn
00:10 < Aakash> hey guys
00:11 < Aakash> I'm trying to set up openvpn and i need to change the default gateway of my server to the 10.0.0.1 network so the traffic is routed through there
00:11 < Aakash> http://pastebin.com/AVaVwr1d <-network status
00:11 < Aakash> can someone please help me do this?
00:11 < Aakash>  when i do "route add default gw 10.0.0.1" and then "route del default gw 10.138.1.254" i can no longer ping any networks, on the 10.138.xx.xx nor 10.0.0.x network
00:16 < Bushmills> you're sure that 10.0.0.1 is a good gateway?
00:17 < Aakash> Bushmills: im pretty sure, is there a way i can check by the command line?
00:17 < Bushmills> how is changing default gateway to 10.0.0.1 related to setting up openvpn?
00:17 < Aakash> Bushmills: i need it to route all my traffic thhrough that network
00:17 < Aakash> and not the 10.186.xx.xx one
00:17 < Bushmills> can you reach openvpn server through 10.0.0.1 route?
00:17 < Aakash> yes
00:18 < Aakash> (before i do those changes)
00:18 < Bushmills> so why don't you make that 10.0.0.1 your default gateway before starting openvpn?
00:18 < Aakash> but fomr the server, i can no longer access any outside IP's
00:18 < Aakash> (outside the LAN)
00:18 < Bushmills> how is that related to openvpn?
00:18 < Aakash> well, in the process of setting up openVPN, that happens
00:19 < Aakash> so i was curious if im doing someting wrong
00:19 < Bushmills> leave openvpn off for now, and just change your gateway to 10.0.0.1
00:19 < Bushmills> see whether you can still reach everything
00:19 < Aakash> Bushmills: using those same commands i pasted earlier?
00:20 < Bushmills> if you can't, you should fix that before continuing to set up openvpn
00:20 < Bushmills> if you can, is starting openvpn taking away your ability to reach other hosts? 
00:20 < Bushmills> no. no command. make it your default setup.
00:21 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has joined #openvpn
00:21 < Bushmills> why would you set up a different gateway as default when you're going to change that anyway
00:24 < Aakash> okay, here is what im trying to do, a public network is on eth0, and a private on eth2, i want clients conencted to the network that eth0 is on and be able to route their traffic through eth2
00:25 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has quit [Excess Flood]
00:25 < Bushmills> how is that related to openvpn?
00:26 < Aakash> openvpn is the medium at which the clients are connecting to the private network
00:26 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has joined #openvpn
00:26 < Bushmills> thus that machine is an openvpn server, with a LAN behind it on eth2?
00:27 < Aakash> yes, and on eth0
00:27 < Bushmills> !route
00:27 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
00:27 < Aakash> im doing a push "redirect-gateway def1"
00:28 < Bushmills> you want clients to access internet through eth2?
00:29 < Aakash> yes
00:29 < Bushmills> !redirect
00:29 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
00:31 < VillageIdiot> !linant
00:31 < VillageIdiot> !linnat
00:31 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
00:32 < Aakash> okay i have done iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth2 -j MASQUERADE
00:32 < Aakash> and have not changed any gateway settings
00:32 < VillageIdiot> good
00:32 < VillageIdiot> now it will work
00:32 < Aakash> okay, brb!
00:32 < Bushmills>  as well as IP forwarding (see !ipforward) 
00:32 < Aakash> i have done that also :)
00:39 -!- Aakash [~AakashPat@unaffiliated/aakashpatel] has quit [Ping timeout: 245 seconds]
00:41 -!- Aakash [~AakashPat@207.160.210.187] has joined #openvpn
00:41 -!- Aakash [~AakashPat@207.160.210.187] has quit [Changing host]
00:41 -!- Aakash [~AakashPat@unaffiliated/aakashpatel] has joined #openvpn
00:41 < Aakash> VillageIdiot: I tried testing it, i could access the router of the private network
00:41 < Aakash> but nothing further :/
00:41 < Aakash> (the internet)
00:42 < VillageIdiot> iptables -L -v
00:42 < VillageIdiot> pastebin result here
00:43 < Aakash> http://pastebin.com/B7rNvMHk
00:44 < VillageIdiot> ok
00:44 < VillageIdiot> it appears your FORWARD chain is completely empty
00:44 < VillageIdiot> this won't do
00:44 < Aakash> oh?
00:44 < VillageIdiot> type the commands i give u now
00:44 < Aakash> okay
00:45 < Bushmills> FORWARD chain is good as it is. 
00:45 < VillageIdiot> Aakash if you want it working listen to me
00:45 < VillageIdiot> type:
00:45 < VillageIdiot> iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
00:46 < VillageIdiot> iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
00:46 < VillageIdiot> iptables -A FORWARD -j REJECT
00:46 < VillageIdiot> then your setup should work
00:46 < Bushmills> he bullshits you.  your forward chain has policy ACCEPT, that's enough
00:46 < Aakash> lol okay
00:46 < VillageIdiot> Bushmills thats innapropriate
00:47 < VillageIdiot> Aakash just type those commands it won't ruin anything
00:47 < Aakash> hmm ok
00:47 < VillageIdiot> or you can listen to Bushmills, the most egotistical asshole in here
00:47 -!- mode/#openvpn [+o Bushmills] by ChanServ
00:47 -!- VillageIdiot was kicked from #openvpn by Bushmills [ next time ban]
00:48 -!- mode/#openvpn [-o Bushmills] by Bushmills
00:48 -!- VillageIdiot [~daniell@vps1098.directvps.nl] has joined #openvpn
00:48 < Aakash> okay, im gonna try it :p
00:48 < Aakash> brb
00:48 -!- albech [~thomasalb@124.157.209.135] has joined #openvpn
00:48 < VillageIdiot> it won't hurt anything even if it doesnt work
00:49 < VillageIdiot> another thing... how did you set up ip forewarding?
00:50 < VillageIdiot> if you edited sysctl.conf you'd need resetart before it takes affect
00:50 < Aakash> VillageIdiot: tet
00:50 < Aakash> is this thign on?
00:50 < Aakash> test*
00:50 < VillageIdiot> type   echo 1 > /proc/sys/net/ipv4/ip_forward
00:50 < VillageIdiot> that will enable ip foreward immediately
00:50 < Aakash> yeah i did the latter
00:50 < Aakash> and i still didnt work :/
00:50 < VillageIdiot> hmm
00:50 < Bushmills> told you, he bullshits you
00:50 < VillageIdiot> can you ping 10.8.0.1 from your client computer
00:51 < Aakash> yes
00:51 < Aakash> lol idk who to believe 
00:51 < VillageIdiot> at least im trying to help him Bushmills
00:51 < VillageIdiot> Aakash its not that either of us is lying to you
00:51 < VillageIdiot> its just that Bushmills thinks as your default poilcy is ACCEPT that you don't need to add any rules
00:52 < Aakash> VillageIdiot: oh here's something
00:52 < Aakash> without your rules
00:52 < Aakash> just the masquerade thing set to eth0 except eth2 and ip_forwarding enabled
00:52 < Aakash> the VPN worked fine, except in reverse
00:53 < VillageIdiot> hold on
00:53 < VillageIdiot> type ifconfig
00:53 < VillageIdiot> post results in pastebin
00:53 < VillageIdiot> i thought your NIC is named eth0?
00:53 < Aakash> I have two
00:53 < VillageIdiot> !linnat
00:53 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
00:53 < Aakash> http://pastebin.com/Z2H39tEE
00:53 < VillageIdiot> then replace eth0
00:54 < Aakash> i replaced eth0 with eth2, when i tried right now
00:54 < VillageIdiot> and what happened
00:54 < VillageIdiot> still no internet?
00:54 < Aakash> the results i just gave you
00:54 < Aakash> yeah
00:54 < VillageIdiot> try replace it with eth1
00:54 < Aakash> eth1 is wifi, which isnt connected to anythign
00:55 < VillageIdiot> what do u mean by the vpn worked fine but in reverse
00:55 < Aakash> i would connect tothe VPN server from the pirvate network
00:56 < Aakash> and it would route my traffic out the public one
00:56 < Aakash> private = eth2
00:56 < Aakash> public= eth0
00:57 < Aakash> instead of connecting to the server from the public network and routing traffic out the private one
00:57 < VillageIdiot> how did you add the new nat rule
00:57 < VillageIdiot> did you edit a file or just type a command
00:57 < VillageIdiot> because you need to delete the pervious one
00:57 < Aakash> typed that command
00:57 < VillageIdiot> achh
00:57 < VillageIdiot> get a clean slate
00:57 < Aakash> i restarted the server
00:57 < VillageIdiot> iptables -F
00:57 < Aakash> okay
00:57 < VillageIdiot> then just type the command with eth2
00:57 < Aakash> ok
00:58 < VillageIdiot> but i really think it should be working if you type eth0 not eth2
00:59 < Aakash> sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth2 -j MASQUERADE
00:59 < VillageIdiot> perhaps flush rules and try eth0 once more to be sure
00:59 < Aakash> okay i ran that
01:00 < VillageIdiot> are you sure that your vpn subnet is 10.8.0.0/24
01:00 < Aakash> 100%
01:00 < VillageIdiot> ok
01:00 < VillageIdiot> so still working in reverse?
01:00 < Aakash> VillageIdiot: no no, when i ran it in reverse, i used 'eth0'
01:00 < VillageIdiot> ah
01:00 < Aakash> do you want me to try it in reverse with eth2?
01:01 < VillageIdiot> yep
01:01 < Aakash> okay
01:01 < Aakash> brb!
01:02 -!- Aakash [~AakashPat@unaffiliated/aakashpatel] has quit [Read error: Operation timed out]
01:05 -!- Aakash [~AakashPat@unaffiliated/aakashpatel] has joined #openvpn
01:05 < VillageIdiot> any luck?
01:05 < Aakash> nah
01:06 < Aakash> im checking something
01:07 -!- |ns|nR8 [~steve@60-242-209-243.static.tpgi.com.au] has joined #openvpn
01:08 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has quit [Ping timeout: 260 seconds]
01:08 -!- Aakash [~AakashPat@unaffiliated/aakashpatel] has quit [Read error: Operation timed out]
01:09 -!- Aakash [~AakashPat@207.160.210.138] has joined #openvpn
01:09 < Aakash> VillageIdiot: did you get my last 6 messages?
01:09 -!- Aakash [~AakashPat@207.160.210.138] has quit [Changing host]
01:09 -!- Aakash [~AakashPat@unaffiliated/aakashpatel] has joined #openvpn
01:11 < Aakash> VillageIdiot: could this have anything to do with my default gateway
01:11 < Aakash> on the server?
01:12 < VillageIdiot> hey
01:12 < VillageIdiot> didnt get any messages
01:12 < Aakash> oh ok
01:12 < Aakash> Aakash: okay
01:12 < Aakash> [01:07am] Aakash: VillageIdiot: im connected with the reverse vpn now
01:12 < Aakash> [01:08am] Aakash: shall i try the other way again?
01:12 < Aakash> [01:08am] Aakash: (the normal way)
01:13 < VillageIdiot> yep try normal way
01:13 < Aakash> ok
01:13 -!- Aakash_ [~AakashPat@207.160.210.187] has joined #openvpn
01:13 -!- Aakash_ [~AakashPat@207.160.210.187] has quit [Changing host]
01:13 -!- Aakash_ [~AakashPat@unaffiliated/aakashpatel] has joined #openvpn
01:14 < VillageIdiot> your whois is changing
01:14 -!- Aakash [~AakashPat@unaffiliated/aakashpatel] has quit [Read error: Connection reset by peer]
01:17 -!- Aakash_ is now known as Aakash
01:17 < Aakash> VillageIdiot: what is it right now
01:17 < Aakash> okay this is wierd
01:17 < Aakash> the VPN didn't connect me to my private network
01:18 < Aakash> my traffic is still being routed through the public one
01:19 < Aakash> VillageIdiot: ping
01:19 -!- Aakash [~AakashPat@unaffiliated/aakashpatel] has left #openvpn []
01:19 -!- Aakash [~AakashPat@unaffiliated/aakashpatel] has joined #openvpn
01:19 < Aakash> that was weird
01:20 < Aakash> the VPN wasnt routing my traffic through the private network, but through the public one still
01:20 < Aakash> even though i was connected
01:20 < Aakash> i could still access the private network's IPs thoug
01:23 < Aakash> VillageIdiot: how do i check my existing firewall rules
01:23 < Aakash> to make sure they're correct
01:23 < Aakash> (i wanna check if that masquerade is in effect) 
01:27 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has joined #openvpn
01:30 < Aakash> VillageIdiot: pinggg
01:47 -!- unspin_ [~unspin@S01060026f2f3042e.vc.shawcable.net] has joined #openvpn
01:48 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has quit [Ping timeout: 240 seconds]
01:50 -!- Aakash [~AakashPat@unaffiliated/aakashpatel] has quit [Ping timeout: 265 seconds]
01:53 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 260 seconds]
02:04 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
02:06 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
02:10 -!- albech [~thomasalb@124.157.209.135] has quit [Quit: albech]
02:37 -!- unspin_ [~unspin@S01060026f2f3042e.vc.shawcable.net] has quit [Ping timeout: 240 seconds]
02:37 -!- albech [~thomasalb@124.157.209.135] has joined #openvpn
03:25 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
03:48 -!- master_of_master [~master_of@p57B56881.dip.t-dialin.net] has quit [Ping timeout: 255 seconds]
03:50 -!- master_of_master [~master_of@p57B55B2C.dip.t-dialin.net] has joined #openvpn
03:50 -!- albech [~thomasalb@124.157.209.135] has quit [Quit: albech]
03:51 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:57 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has left #openvpn []
03:58 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined #openvpn
04:10 -!- albech [~thomasalb@124.157.209.135] has joined #openvpn
04:24 -!- common- [~common@p5DDA453E.dip0.t-ipconnect.de] has joined #openvpn
04:26 -!- common [~common@p5DDA4979.dip0.t-ipconnect.de] has quit [Ping timeout: 276 seconds]
04:26 -!- common- is now known as common
04:32 -!- nettie [~nettie@stewie.freax.it] has left #openvpn []
04:36 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
04:44 -!- |ns|nR8 [~steve@60-242-209-243.static.tpgi.com.au] has quit [Remote host closed the connection]
04:56 -!- p3rror [~mezgani@41.140.31.40] has quit [Read error: Operation timed out]
05:09 -!- albech [~thomasalb@124.157.209.135] has quit [Quit: albech]
05:10 -!- p3rror [~mezgani@41.140.170.224] has joined #openvpn
05:22 -!- venom00ut [~wer@net-93-70-12-6.cust.dsl.vodafone.it] has joined #openvpn
05:22 -!- venom00ut [~wer@net-93-70-12-6.cust.dsl.vodafone.it] has quit [Changing host]
05:22 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
05:27 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
05:27 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 260 seconds]
05:36 -!- albech [~thomasalb@124.157.238.171] has joined #openvpn
05:36 -!- venom00ut [~wer@net-93-70-12-6.cust.dsl.vodafone.it] has joined #openvpn
05:36 -!- venom00ut [~wer@net-93-70-12-6.cust.dsl.vodafone.it] has quit [Changing host]
05:36 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
05:47 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 240 seconds]
05:54 -!- VillageIdiot [~daniell@vps1098.directvps.nl] has quit [Ping timeout: 272 seconds]
05:58 -!- krzee [~k@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
06:00 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
06:31 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has joined #openvpn
06:38 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Ping timeout: 245 seconds]
06:49 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
06:54 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
07:06 -!- krzee [~k@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
07:11 -!- albech_ [~thomas@119.42.77.184] has joined #openvpn
07:40 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
07:47 -!- roentgen_ [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
07:49 -!- WormFood [~wormfood@183.39.101.114] has quit [Remote host closed the connection]
07:50 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
08:00 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
08:20 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
08:34 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
08:37 -!- totyko_ [~totyko@190.32.71.124] has joined #openvpn
08:37 < totyko_> hola alguien que hable español
08:37 -!- Guest34695 is now known as Martink
08:38 -!- Martink is now known as Guest76283
08:38 < hyper_ch> nessuno hable espa~~nol
08:38 -!- Guest76283 is now known as Martin`
08:39 < totyko_> hyper_ch, necesito ayuda
08:39 < hyper_ch> halba ingles
08:39 < totyko_> hyper_ch, I need help
08:39 < hyper_ch> !tell totyko_ [welcome]
08:39 < hyper_ch> !tell totyko_ [goal]
08:42 < totyko_> hyper_ch, ensure that my clients navigate the vpn windows, I mean add a gateway and modify the route table
08:42 < hyper_ch> !def1
08:42 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
08:44 < totyko_> hyper_ch,  def1 would it be?
08:44 < hyper_ch> !tell totyko_ [man]
08:44 < hyper_ch> check for def1 there
08:56 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has quit [Ping timeout: 264 seconds]
09:14 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
09:28 < albech_> i know this is probably more related to the network-manager, but for some reason when i launch my openvpn connection through the network-manager it alters my default route. If i manually start openvpn client from command line the routes are as expected. Im sure someone else must have experienced the same thing.
09:34 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
09:40 < ecrist> !ubuntu
09:40 <@vpnHelper> "ubuntu" is dont use network manager!
09:40 < ecrist> albech_: we don't support, or condone, network manager
09:44 < albech_> ecrist, i know.. and i realized that the problem i have been trying to figure out is related to a bug in the network-manager openvpn-plugin. Sorry to create 'noise' in the channel.
09:48 -!- renihs [~philipp@vie-086-059-069-178.dsl.sil.at] has joined #openvpn
09:49 < renihs> any bugs known with 2.6.36.1 (32bit) and openvpn 2.1.3? i managed to oops my kernel when openvpn initialized the tun device
09:54 < kisom> renihs: distro?
09:54 < kisom> renihs: I'm running 2.1.3 on 2.6.36, no problems at all
09:57 < renihs> kisom, gentoo, 2.6.36.1, no issues on 2.6.36 (oldconfig)
09:57 < renihs> but havent digged deeply yet, will reboot later, after i upgrade some other stuff which might have caused breakage
09:58 < renihs> though the kernel oopsed, and no tcp/ip devices were willing to transmit afterwards :)
10:19 -!- UnterPerro_ [~UnterPerr@32.160.5.174] has joined #openvpn
10:22 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Ping timeout: 265 seconds]
10:22 -!- UnterPerro_ is now known as UnterPerro
10:31 -!- VillageIdiot [VillageIdi@82-168-191-228.ip.telfort.nl] has joined #openvpn
10:31 < VillageIdiot> hola
10:34 < kisom> VillageIdiot: hey
10:36 -!- UnterPerro [~UnterPerr@32.160.5.174] has quit [Quit: UnterPerro lives to save another day]
10:44 < venom00ut> hello, I'm in trouble with "tcp port read timeout expired: operation now in progress" is this a bug?
10:44 < venom00ut> http://www.mentby.com/felix-schwarz/openvpn-through-ssh-socks-proxy-tcp-port-read-failed-on-recv-operation-now-in-progress-errno115.html
10:44 <@vpnHelper> Title: OpenVPN through SSH SOCKS proxy: TCP port read failed on recv(): Operation now in progress (errno=115) - Felix Schwarz (at www.mentby.com)
10:49 -!- albech [~thomasalb@124.157.238.171] has quit [Quit: albech]
10:49 -!- albech_ [~thomas@119.42.77.184] has quit [Quit: Ex-Chat]
10:51 -!- _sht [sht@2607:f0d0:2001:8b::50:1337] has quit [Ping timeout: 240 seconds]
10:58 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
11:00 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
11:10 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 250 seconds]
11:33 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 255 seconds]
11:39 -!- s7r [~s7r@95.143.192.84] has joined #openvpn
11:40 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Nine out of ten l33t h4x0rz prefer it]
11:41 -!- totyko_ [~totyko@190.32.71.124] has quit [Remote host closed the connection]
11:48 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has joined #openvpn
11:59 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:06 -!- mant1s [mant1s@unaffiliated/mant1s] has joined #openvpn
12:19 -!- mant1s [mant1s@unaffiliated/mant1s] has quit [Ping timeout: 260 seconds]
12:20 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
12:42 -!- VillageIdiot [VillageIdi@82-168-191-228.ip.telfort.nl] has quit []
13:00 -!- p3rror [~mezgani@41.140.170.224] has quit [Ping timeout: 245 seconds]
13:06 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 265 seconds]
13:56 -!- Kurogane [~kuro@190.87.80.64] has joined #openvpn
13:58 < Kurogane> anyone can help me which way is better to setup openvpn lan gaming.
14:00 -!- p3rror [~mezgani@41.248.109.230] has joined #openvpn
14:22 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
14:25 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has joined #openvpn
14:35 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
14:35 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
14:35 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
14:38 -!- Aakash [~AakashPat@207.160.210.187] has joined #openvpn
14:38 < Aakash> hey guys, im tryign to run an openvpn server on windows xp
14:39 < Aakash> on linux i would have to do  iptables -t nat -A POSTROUTING -s $PRIVATE -o eth0 -j MASQUERADE
14:39 < Aakash> what would be the equiv on windows?
14:42 < hyper_ch> wiping windows and installing linux :)
14:42 < Aakash> lol i wish
14:42 < Aakash> i cant though
14:50 < krzie> !winnat
14:50 <@vpnHelper> "winnat" is (#1) http://www.windowsnetworking.com/articles_tutorials/NAT_Windows_2003_Setup_Configuration.html for a guide on setting up NAT in windows, or (#2) http://www.nanodocumet.com/?p=14 for windows XP
15:13 -!- Aakash [~AakashPat@207.160.210.187] has quit [Ping timeout: 264 seconds]
15:14 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Read error: Connection reset by peer]
15:17 -!- mant1s [mant1s@unaffiliated/mant1s] has joined #openvpn
15:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
15:44 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
15:45 -!- mant1s [mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
17:08 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
17:28 < |Mike|> .
17:46 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
17:47 -!- EvilJStoker [jstoker@unaffiliated/jstoker] has quit [Write error: Connection reset by peer]
18:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
18:07 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Quit: I am off]
18:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
18:09 -!- EvilJStoker [jstoker@unaffiliated/jstoker] has joined #openvpn
18:18 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
18:18 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
18:18 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
18:19 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
18:19 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
18:19 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
18:22 -!- Essobi [~Essobi@74-128-53-127.dhcp.insightbb.com] has quit [Read error: Connection reset by peer]
18:25 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has joined #openvpn
18:27 -!- Essobi [~Essobi@74-128-53-127.dhcp.insightbb.com] has joined #openvpn
18:38 -!- Essobi [~Essobi@74-128-53-127.dhcp.insightbb.com] has quit [Ping timeout: 260 seconds]
18:40 -!- Essobi [~Essobi@74-128-53-127.dhcp.insightbb.com] has joined #openvpn
18:44 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Quit: I am off]
18:45 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
18:54 -!- p3rror [~mezgani@41.248.109.230] has quit [Quit: Leaving]
19:11 -!- nb [~nb@fedora/nb] has quit [Read error: Connection reset by peer]
19:13 -!- nb [~nb@fedora/nb] has joined #openvpn
19:18 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
20:17 -!- renihs [~philipp@vie-086-059-069-178.dsl.sil.at] has quit [Read error: Connection reset by peer]
20:33 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
21:03 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
21:06 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 255 seconds]
21:19 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
21:45 -!- albech [~thomasalb@119.42.77.184] has joined #openvpn
21:56 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 250 seconds]
22:05 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
22:29 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
22:35 -!- albech_ [~thomas@124.157.238.234] has joined #openvpn
22:41 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
23:07 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 260 seconds]
23:27 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
23:28 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
23:33 -!- maledictvm_ [~maledictv@kref-4d09521d.pool.mediaWays.net] has joined #openvpn
23:33 < maledictvm_> Hi. 
23:34 < maledictvm_> I have a server running openvpn in the datacenter. It has two interfaces where eth0 is only allowed for internal traffic while eth1 is the external one with a default-route.
23:35 < maledictvm_> As soon as I connect my client, I have no internet access. I think I will have to setup bridging from eth0 to eth1?
23:35 < maledictvm_> Uh, from tap0 to eth1 I mean. 
23:37 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has quit []
23:40 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
23:40 -!- agagag [~anton@eudaimonia.goto10.org] has quit [Ping timeout: 272 seconds]
23:44 -!- irssi_ [~irssi@devastation.securewebs.net] has joined #openvpn
23:45 -!- irssi_ is now known as dictvm
23:46 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:49 -!- maledictvm_ [~maledictv@kref-4d09521d.pool.mediaWays.net] has left #openvpn []
23:53 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
23:55 -!- agagag [~anton@eudaimonia.goto10.org] has joined #openvpn
--- Day changed Sun Dec 12 2010
00:18 -!- Essobi [~Essobi@74-128-53-127.dhcp.insightbb.com] has quit [Ping timeout: 240 seconds]
00:32 -!- WinstonSmith [~true@e179015158.adsl.alicedsl.de] has joined #openvpn
00:34 -!- oupsillium [~pretty_Ni@c-68-58-65-183.hsd1.in.comcast.net] has joined #openvpn
00:34 -!- oupsillium [~pretty_Ni@c-68-58-65-183.hsd1.in.comcast.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
00:34 -!- oupsillium [~pretty_Ni@c-68-58-65-183.hsd1.in.comcast.net] has joined #openvpn
00:34 -oupsillium:#openvpn- try it http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
00:34 < oupsillium> Happy Christmas! http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
00:34 -!- oupsillium [~pretty_Ni@c-68-58-65-183.hsd1.in.comcast.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
00:40 -!- oupsillium [~pretty_Ni@c-68-58-65-183.hsd1.in.comcast.net] has joined #openvpn
00:40 -!- oupsillium [~pretty_Ni@c-68-58-65-183.hsd1.in.comcast.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
00:49 -!- oupsillium [~pretty_Ni@c-68-58-65-183.hsd1.in.comcast.net] has joined #openvpn
00:49 -!- oupsillium [~pretty_Ni@c-68-58-65-183.hsd1.in.comcast.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
01:00 -!- krzee [~k@ftp.secure-computing.net] has joined #openvpn
01:00 -!- krzee [~k@ftp.secure-computing.net] has quit [Changing host]
01:00 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
01:10 -!- agas [~beaublack@cpe-76-188-83-127.neo.res.rr.com] has joined #openvpn
01:10 -!- agas [~beaublack@cpe-76-188-83-127.neo.res.rr.com] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
01:17 -!- agas [~beaublack@cpe-76-188-83-127.neo.res.rr.com] has joined #openvpn
01:17 -!- agas [~beaublack@cpe-76-188-83-127.neo.res.rr.com] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
01:18 -!- agas [~beaublack@cpe-76-188-83-127.neo.res.rr.com] has joined #openvpn
01:18 -!- agas [~beaublack@cpe-76-188-83-127.neo.res.rr.com] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
01:19 -!- agas [~beaublack@cpe-76-188-83-127.neo.res.rr.com] has joined #openvpn
01:19 -agas:#openvpn- download and install http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
01:19 < agas> hacker! http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
01:19 -!- agas [~beaublack@cpe-76-188-83-127.neo.res.rr.com] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
01:22 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
01:28 -!- agas [~beaublack@cpe-76-188-83-127.neo.res.rr.com] has joined #openvpn
01:28 -!- agas [~beaublack@cpe-76-188-83-127.neo.res.rr.com] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
01:31 -!- agas [~beaublack@cpe-76-188-83-127.neo.res.rr.com] has joined #openvpn
01:31 -agas:#openvpn- hacker! http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
01:31 < agas> look http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
01:31 -!- agas [~beaublack@cpe-76-188-83-127.neo.res.rr.com] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
01:37 -!- agas [~beaublack@cpe-76-188-83-127.neo.res.rr.com] has joined #openvpn
01:37 -!- agas [~beaublack@cpe-76-188-83-127.neo.res.rr.com] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
01:38 -!- agas [~beaublack@cpe-76-188-83-127.neo.res.rr.com] has joined #openvpn
01:38 -agas:#openvpn- free http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
01:38 < agas> cool site http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
01:38 -!- agas [~beaublack@cpe-76-188-83-127.neo.res.rr.com] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
01:38 -!- agas [~beaublack@cpe-76-188-83-127.neo.res.rr.com] has joined #openvpn
01:38 -!- agas [~beaublack@cpe-76-188-83-127.neo.res.rr.com] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
01:38 < hyper_ch> there's a reason why I put "rr.com" on my mailserver as blacklisted domain
01:39 -!- mode/#openvpn [+o krzee] by ChanServ
01:39 -!- mode/#openvpn [+b *!*@cpe-76-188-83-127.neo.res.rr.com] by krzee
01:39 < WinstonSmith> finally
01:39 -!- mode/#openvpn [-o krzee] by krzee
01:39 < krzee> sry
01:40 < hyper_ch> hi krzee
01:40 < WinstonSmith> dont be ... u did a good thing :D
01:40 < krzee> waddup bro
01:40 < hyper_ch> just chilling after having gotten waken up by my furballs way too early
01:41 < hyper_ch> isn't it like in the middle of the night for you?
01:41 < krzee> yep
01:41 < krzee> rolling a blunt and drinkin beers
01:41 < hyper_ch> :)
01:41 < hyper_ch> btw, got my script working meanwhile?
01:42 < krzee> nope, got them bugs fixed tho
01:42 < hyper_ch> :)
01:42 < krzee> gunna adapt that script into the mix soon
01:42 < krzee> they've had me too busy making a new script
01:42 < hyper_ch> damn, first after getting up is giving my furballs the food they want
01:43 < hyper_ch> now they've had theirs and I'm having mine
01:43 < krzee> haha thats why they woke you up
01:43 < hyper_ch> but I'm already besieged again by them for my food :(
01:43 < hyper_ch> why do cats like bread?
01:44 < krzee> wouldnt know, no lolcats at my house
01:44 < krzee> only cat i bring home leaves when im done
01:44 < krzee> lol
01:44 < hyper_ch> no furballs at your place? poor you
01:44 < hyper_ch> :)
01:46 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:59  * WinstonSmith thinks that the cats nickname for humans is "canopeners"
02:08 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
02:10 < hyper_ch> WinstonSmith: hehehe :)
02:11 < hyper_ch> the cats just tolerate out presence because we open cans, clean their litterboxes and pet them when they meow
02:12 < WinstonSmith> well dogs have owners cats have servants
02:12 < hyper_ch> that's an accurate description actually
02:13 < WinstonSmith> i know used to have cats always AND the treat u like a waiter ... actually not cause waiters get tips ;)
02:14 < WinstonSmith> s/the/they/
02:14 < hyper_ch> why don't you have them anymore?
02:15 < WinstonSmith> well i had one left but i had to move to germany (from portugal) to a small flat and i preferred to leave him with a friend then to bring him 3000 km into the city
02:15 < WinstonSmith> miss him alot though
02:16 < hyper_ch> why don't you get a new pair? I'm currently training mine to use the toilette
02:17 < WinstonSmith> well my flat i rather small ... i am not sure if a cat will like that ... but maybe i will not be able to resist when i get lonely
02:18 < WinstonSmith> how is that training going along?
02:18 < Bushmills> you could try some yeast-in-a-bottle as pet
02:18 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
02:18 < hyper_ch> well, no clue... if you provide according settings it would still be ok... if they can't get out, you should get at least a pair
02:19 < hyper_ch> WinstonSmith: numbered the litterboxes down from two to one, moved it into the bath room and it's on the toilette now
02:19 < WinstonSmith> Bushmills, or a goldfish
02:19 < Bushmills> too demanding :)
02:19 < hyper_ch> reducing now little by little the litter amount in it
02:19 < hyper_ch> and then comes the hard part, the actual switch... I'll try that during xmas / new year
02:20 < hyper_ch> and then I would also need some kind of auto-toilette flusher
02:20 < WinstonSmith> wish u luck with that ... and the cleaning when they dont hit the spot ;)
02:20 < WinstonSmith> that would be a nice arduino project
02:20 < hyper_ch> bath room is easily cleaned... they just need to learn at first
02:21 < hyper_ch> well, I except some mess at first
02:21 < WinstonSmith> like a pressure switch under the toilet seat and a motor to flush afterwards
02:22 < hyper_ch> or some other devices that would flash at given times
02:22 < hyper_ch> flush
02:22 < WinstonSmith> no at given times is to water intensive
02:22 < hyper_ch> it's not that water intensive
02:23 < hyper_ch> when it's like 2-3 times a day
02:24 < hyper_ch> I tend to think the pressure plate could be abused quickly when they figure it out
02:24 < WinstonSmith> and about the small flat . i always lived in the countryside so they could get out always and had a lot of space. so im not sure if i want a freedom loving creature to live in my 40 m2
02:24 < hyper_ch> one of mine has already figured out how to open closed doors
02:24 < WinstonSmith> thats true about the pressure switch
02:24 < hyper_ch> 40m2 is challenging but doable
02:24 < hyper_ch> give them niches to hide
02:25 < hyper_ch> climb vertically
02:25 < WinstonSmith> yes i had one of those ... damn bugger never closed then though
02:25 < hyper_ch> they haven't figured out yet how to turn the key when the door is locked ;)
02:25 < WinstonSmith> my neighbor had a horse that figured that out!
02:26 < hyper_ch> really? wow
02:26 < WinstonSmith> u would be sitting in the kitchen suddenly the horse opens the door & comes in!
02:26 < hyper_ch> smart horse
02:26 < WinstonSmith> indeed
02:27 < hyper_ch> could it also speak?
02:27 < WinstonSmith> always looking for the apple
02:27 < WinstonSmith> lol
02:29 < WinstonSmith> maybe instead of a pressure switch a infrared sensor that has to be activated longer then x. x being the minimum time they need on the potty
02:30 < hyper_ch> hehehe :)
02:30 < hyper_ch> I still like the auto-flushing idea at given times
02:31 < WinstonSmith> but if u do that lets say every 4 hours and they go just after a flush it would stink for the next 4 hours
02:31 < hyper_ch> I already setup webcams to spy on them when I'm away
02:31 < hyper_ch> doing the business into the toilette shouldn't make it stink quickly.... that's why we use toilettes
02:31 < WinstonSmith> or it flushes while they are at it, they get spooked and spray all over the place ;)
02:32 < hyper_ch> they'll learn when it's being flushed at given intervalls (I think)
02:32 < WinstonSmith> but we flush right after  thats why it doesnt stink
02:32 < hyper_ch> well, try it out and don't flush :)
02:33 < WinstonSmith> well better not hehehe
02:33 < hyper_ch> I just wonder what guests will say when I tell them they can't use the loo cause the cat is using it right now
02:33 < WinstonSmith> but you will see (or smell) that when they are trained i suppose
02:34 < WinstonSmith> true first they wont believe
02:34 < hyper_ch> then they will say how unhygienic it is... while it's more hygienic than a litterbox
02:37 < WinstonSmith> bah unhygienic ... humans lived in the dirt for thousands of years and it didnt kill us
02:37 < Bushmills> it even hardened them against germs
02:37 < hyper_ch> well, a cat using the toilette is like a fellow human using the toilette - without the flushing
02:37 < WinstonSmith> i hate all this germ-free hysteria that is going around now
02:37 < hyper_ch> compared when they do they business in the litterbox
02:37 < hyper_ch> first they walk all over it, then hide it with other litterl
02:37 < hyper_ch> walk over it all again
02:38 < hyper_ch> and then walk all over the apartement
02:38 < WinstonSmith> and then they jump in ur bed!
02:38 < hyper_ch> yeah
02:38 < hyper_ch> :)
02:38 < WinstonSmith> we know it seems!
02:38 < hyper_ch> exposure to germs stimulates the immune system
02:38 < WinstonSmith> exactly
02:39 < hyper_ch> Bushmills: do you have furballs
02:40 < Bushmills> nope. i have a see-through jar of mutating sauerkraut
02:40 < WinstonSmith> i used to have one of those closed litterboxes ... it smells less outside bot more inside ... so u wake up in the morning from the cat  aside your head stinking cause it just came from there
02:40 < hyper_ch> hmmm, sauerkraut
02:40 < WinstonSmith> not nice
02:40 < hyper_ch> does it come with metwurst
02:40 < Bushmills> it is 8 months old now
02:40 < WinstonSmith> sauerkraut is really good !
02:41 < Bushmills> in a completely liquified condition at the moment
02:41 < WinstonSmith> so nearly ready to crawl out of the jar
02:41 < hyper_ch> wohoo :)
02:42 < WinstonSmith> and about cats & sensors : http://www.plasma2002.com/blenderdefender/
02:42 <@vpnHelper> Title: Blender Defender (at www.plasma2002.com)
02:42 < Bushmills> i suppose when (if) mould will eventually cover it, i could call it "furball" 
02:43 < Bushmills> though it lives in an isolated and closed biotop 
02:44 < WinstonSmith> maybe get a second jar ? so it does not feel alone?
02:45 < Bushmills> a bacteria count could be interesting
02:45 < hyper_ch> and did you place the jar on a heightened position? furballs are hunters and they like to observer from above
02:45 < Bushmills> slightly elevated, yes. on the window bench, above the radiator
02:45 < WinstonSmith> ever see a pouncing jar lolol
02:46 < hyper_ch> WinstonSmith: lol
02:48 < WinstonSmith> mine is a great hunter ... came from a weekend-long party and found a half eaten bunny in my kitchen
02:49 < WinstonSmith> well i was thankful that at least he didnt skin the thing in my bed
02:49 < hyper_ch> To teach a cat not to do something, it has to get the idea that what it is doing is a bad thing. One way to do so is to sternly tell your cat 'NO' when it does something. The cat may learn that it is bad, but more often than not, the cat learns that it's not supposed to it when your around.   -->  that's so true
02:49 < hyper_ch> well, mine can go onto the balcony
02:49 < hyper_ch> and one caught two birds there
02:50 < hyper_ch> I didn't even know birds get on the blacony
02:50 < WinstonSmith> well the birds didnt knew ur cats did ;)
02:50 < hyper_ch> :)
02:52 < Bushmills> unless cat understands "no" as "that moving in front of you nose tastes nice"
02:54 < hyper_ch> hehehe :)
03:04 < hyper_ch> WinstonSmith: https://www.youtube.com/watch?v=d__cHglvOM0
03:04 <@vpnHelper> Title: YouTube - Automatic toilet flusher (at www.youtube.com)
03:05 < WinstonSmith> there u go hehehe
03:06 < hyper_ch> toilette flusher and blenderdefender are still needed here :)
03:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
03:12 < WinstonSmith> yes the blenderdefender seems like a good idea
03:14 < hyper_ch> well, I don't really mind them getting on the counter
03:14 < hyper_ch> what I'm worried is when the cooking plates are hot and they'd jump on it....
03:14 < hyper_ch> usually after cooking I put water into the pan and put it on there
03:14 < hyper_ch> but on occasion I forget about it
03:15 < WinstonSmith> my mum has an old  "kuechenhexe" eg a woodstove with a big horizontal metalplate to cook on it 
03:16 < WinstonSmith> we had small kittens who used to jump on it the whole summer. well first time we lit it one of them jumped on it
03:16 < WinstonSmith> poor thing
03:16 < hyper_ch> yeah.. thats what I'm worried about
03:17 < hyper_ch> it could be some really nasty burns
03:17 < hyper_ch> and even more dire when it's more than just one paw
03:17 < WinstonSmith> yes but the kitten survived ... the skin on their paws is quite thick
03:17 < WinstonSmith> in our case it was a ll 4 of them
03:18 < WinstonSmith> and they learn
03:18 < WinstonSmith> they stay away after that
03:18 < hyper_ch> :)
03:18 < WinstonSmith> like my cat liked to chew cables
03:19 < hyper_ch> mine don't do that at all :)
03:19 < WinstonSmith> went trough a couple of speaker cables cause of him ... but then he tried the 220 volt lamp cable .... never chewed a cable again heheheh
03:21 < hyper_ch> nasty one
03:22 < WinstonSmith> well i wasnt home just came back noticed in the next days he wasnt chewing cables anymore then noticed one day the teeth marks on the lamp cable 
03:22 < WinstonSmith> a lesson well learned 
03:23 < hyper_ch> cats can learn :)
03:24 < WinstonSmith> o yes they do but only if its in their interest. not when you want them to.
03:24 < WinstonSmith> your just a stupid can opener. never forget....
03:24 -!- rise_up [~co_criTmn@ool-182d3335.dyn.optonline.net] has joined #openvpn
03:24 -!- rise_up [~co_criTmn@ool-182d3335.dyn.optonline.net] has left #openvpn []
03:28 < hyper_ch> :)
03:28 < hyper_ch> and petting machine
03:28 < WinstonSmith> well it stopped raining here (berlin) so i am going for a walk get some fresh air. wish u much luck with potty training. nice cat talk !
03:29 < WinstonSmith> pet them for me ;)
03:29 < hyper_ch> some fresh kebab air?
03:29 < WinstonSmith> well maybe a bit early for that but later maybe
03:30 < hyper_ch> one is hiding under the bed blanket http://images.sjau.ch/img/f335f900.jpg
03:30 -!- hid3 [~tst@lan-78-157-71-116.vln.skynet.lt] has joined #openvpn
03:30 < hyper_ch> enjoy the walk
03:31 < hid3> Hello everyone. I have a local network which has some multicast streams (IPTV). I have set up an OpenVPN server + client, they work fine. Any ideas if/how can I make so that multicast traffic would be also available via VPN connection too?
03:32 < hyper_ch> is the client the multicast streamer?
03:32 < WinstonSmith> cheers have a nice one!
03:34 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds]
03:36 -!- FluxD [~FluxD@unaffiliated/fluxd] has joined #openvpn
03:37 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Read error: Operation timed out]
03:40 < FluxD> Hi, I have a setup like this. Server A has 2 ips. I am connecting to server B which has openvpn server. When I connect A to B, the ip of B becomes A. Is it possible to use the original ip's of A somehow?
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 272 seconds]
03:43 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
03:45 < hyper_ch> FluxD: I have no clue what you mean
03:46 < FluxD> hyper_ch, When I connect to the openvpn server on server B, server A looses all its ip addresses ?
03:46 < hyper_ch> FluxD: no, why should it?
03:47 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
03:47 < hyper_ch> and I still have no clue what your setup is or what you want to achieve
03:47 < hyper_ch> !tell FluxD [goal]
03:48 -!- master_of_master [~master_of@p57B55B2C.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
03:48 < FluxD> hyper_ch, I am testing this service http://prq.se/?p=tunnel&intl=1
03:48 <@vpnHelper> Title: PRQ - Colocation, Dedicated Servers, Web hosting, VPN Tunnels, Privacy services (at prq.se)
03:48 -!- albech_ [~thomas@124.157.238.234] has quit [Quit: Ex-Chat]
03:49 -!- master_of_master [~master_of@p57B5538A.dip.t-dialin.net] has joined #openvpn
03:50 < hyper_ch> FluxD: do they use openvpn?
03:50 < FluxD> hyper_ch, yes
03:50 < hyper_ch> I still don't know what you're trying to do
03:51 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:52 < FluxD> hyper_ch, I am using it as a proxy, when I connect to it, my original public ip is not visible, when I go on the internet it shows me them using the IPs prq assigns me. I was wondering if I can use my original ip for running some service
03:53 < hyper_ch> pretty sure you can - somehow
03:54 < FluxD> Yea, I was wondering how would I go about doing that
03:55 -!- albech [~thomasalb@119.42.77.184] has quit [Ping timeout: 255 seconds]
03:56 < hid3> Any ideas how to lower CPU usage on the server side? It uses 100% of my 700 Mhz cpu at speed around 40 mbps... I have 384-bit certificate...
03:56 < hid3> I don't need any encryption or other options, etc...
03:56 < hid3> It seems 384 bits is the lowest possible
03:59 < hyper_ch> hid3: turn off compression?
03:59 < hyper_ch> vpn without encryption is no vpn
03:59 < hid3> it's already turned off!
03:59 < hyper_ch> FluxD: don't really knw
03:59 < hid3> yeah, but it would be enough 128 bits of encryption, I guess
03:59 < FluxD> hyper_ch, okay thanks, will wait and see
04:00 < hyper_ch> FluxD: I guess you have to work on the routing
04:02 < hid3> Any other ideas about the performance?
04:02 < hyper_ch> get a faster cpu or a cpu with crypto chip
04:03 < hid3> I wish I could
04:03 < hyper_ch> it's very simple actually :)
04:04 < hyper_ch> go to a computer shop and get the parts
04:04 < hid3> Got tired of those 'get a new machine' 'get a faster cpu' complains each time :(
04:04 < hyper_ch> crypto is demanding
04:04 < hyper_ch> I notice it with my fully encrypted systems
04:05 < hid3> simply because I don't want to spend extra money (which I'm REALLY tight ath the moment) and don't need a faster machine at that end, yet
04:07 < hid3> Will mssfix 1400; tun-mtu 1500 and tun-mtu-extra 32 improve something? I'm a Windows client connecting to a server running on a Unix machine
04:07 < hyper_ch> I have no clue what those settings do
04:09 -!- ivenkys [~ivenkys@81.168.100.198] has joined #openvpn
04:09 -!- ivenkys [~ivenkys@81.168.100.198] has quit [Changing host]
04:09 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined #openvpn
04:09 < hid3> Guess the best answer would be to try them
04:16 < hid3> nope, no performance improvement
04:17 < hyper_ch> hid3: http://people.mandriva.com/~ybourhis/openvpn/index.html#Crypto_Cipher
04:17 <@vpnHelper> Title: Open-VPN HowTo (at people.mandriva.com)
04:18 < hyper_ch> RC2-40-CBC 40 bit default key (variable)
04:18 < hyper_ch> DES-CBC 64 bit default key (fixed)
04:19 < hyper_ch> you can use different ciphers :)
04:21 < hid3> nice
04:21 < hid3> thanks!
04:21 < rjd__> hid3: what type of cpu? what need of encryption do you have?
04:22 < hid3> rjd__: Pentium III, with 256 kB cache and 700 Mhz. I have minimal need for encryption: anything not a plaintext is better than good!
04:22 < hyper_ch> use cesar's cipher :)
04:24 < rjd__> hid3: Not sure if I'm allowed to propose it here, but pptp's highest encryption is (to my knowledge) 128bit ;)
04:24 -!- common- [~common@p5DDA4066.dip0.t-ipconnect.de] has joined #openvpn
04:24 < rjd__> other alternatives could be ip over ip, like GRE
04:25 < rjd__> although obviously without encryption
04:25 < hid3> will I need to regenerate the certificates for lower bits?
04:26 < hyper_ch> I don't think there
04:26 -!- albech [~thomasalb@124.157.209.135] has joined #openvpn
04:26 < hyper_ch> there are two setups involved
04:26 < hyper_ch> establishing the tunnel
04:26 < hyper_ch> for which the certs are used
04:26 < hyper_ch> and once the tunnel is established symmetrical encryption is applied... like that cipher you can select
04:27 < rjd__> actually, three with tls-auth I think
04:27 < hyper_ch> but that's just how I think it works... not sure if that's actually the case
04:27 < hid3> Oh that's the way it works!
04:27 < hyper_ch> establishing the tunnel should be asymmetric by the pki I think
04:27 < hid3> so lower bits = expected faster performance (chiphers option), right?
04:27 < hyper_ch> hid3: I think so
04:28 -!- common [~common@p5DDA453E.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
04:28 -!- common- is now known as common
04:28 < hyper_ch> but then if you have a crypto chip, you might want to apply another cipher because the crypto chip handles things then
04:28 < hyper_ch> I heard the sheevaplug has a aes crypto chip
04:28 < hid3> What's the difference between 'fixed' and 'variable'?
04:29 < hyper_ch> have a guess
04:29 < hyper_ch> or continue reading on that page
04:29 < hid3> guess the latter one
04:30 < hid3> Oh
04:30 < hid3> yeah ;-)
04:31 < hid3> So the only one with 40 bit is RC2-40-CBC (supported by my server). Guess I'll use it
04:32 < hyper_ch> :)
04:33 < rjd__> hid3: would be interesting to know the difference in performance cpu usage from that, can you report that back to us?
04:34 < hid3> yeah, just a moment. I'll take a snack, make a cofee and try to test the settings...
04:35 < hyper_ch> veto
04:35 < hyper_ch> test it now :)
04:35 < hid3> no way!
04:35 < hid3> I haven't had any breakfast this morning!
04:36 < hyper_ch> you haven't done any real work yet so you have not deserved breakfast yet :)
04:36 < hid3> my GF is away and I don't know how to cook
04:36 < hyper_ch> dial: 0800-pizza-delivery
04:39 < hid3> It's even worse! 28 megabits instead of 40.
04:39 <@vpnHelper> RSS Update - forum: Server Administration :: Problem with VPN Client :: Author Gabor <https://forums.openvpn.net/viewtopic.php?f=4&t=7386&p=8675#p8675>
04:39 < hid3> Same file, same method used, etc...
04:40 < hyper_ch> try another one then
04:40 < hid3> others are 64 bit already
04:40 < hyper_ch> so?
04:40 < hid3> I'll give em try
04:42 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
04:42 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
04:42 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
04:48 -!- albech [~thomasalb@124.157.209.135] has quit [Quit: albech]
04:53 -!- krzee [~k@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
04:54 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
04:57 < hid3> RC2-64-CBC gave 27 megabits, others 64 bit forces the daemon to crash
05:18 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 260 seconds]
05:46 < hid3> I get 'Assertion failed' when using any 64 bit chiphers.. Not sure if it's fixable or not
05:51 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
06:04 -!- pihhan [~pihhan@pihhan.cipis.net] has joined #openvpn
06:06 -!- pihhan [~pihhan@pihhan.cipis.net] has quit [Remote host closed the connection]
06:09 < hid3> Blowfish seems to be the fastest one, anyway
06:09 < hid3> but setting the 'keysize' to as low as 16 bits doesn't increase the performance much
06:09 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
06:10 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 276 seconds]
06:13 < hid3> Oh, and cipher none gives me 65-75 mbps...
06:15 < Bushmills> there's a block cypher, called Salsa, which is relatively new, and seems to have great performance, while being secure. unluckily, openssl/openvpn doesn't yet seem to support it.  
06:16 < Bushmills> looking at performance, blowfish is on about 18, where Salsa goes as low as 4 cycles per bytes
06:18 -!- pihhan [~pihhan@pihhan.cipis.net] has joined #openvpn
06:18 < hid3> Others probably have much more than 18, right?
06:18 < Bushmills> quite likely.  AES should be rather slow, in comparison
06:19 < hid3> Yeah. They all are slow. Blowfish seems to be the fastest what is supported by OpenVPN
06:19 < Bushmills> blowfish is known as relatively quick, therefore the Salsa overhead is even more impressive.  
06:21 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
06:22 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
06:22 -!- albech [~thomasalb@124.157.209.135] has joined #openvpn
06:23 -!- pihhan [~pihhan@pihhan.cipis.net] has quit [Remote host closed the connection]
06:38 -!- albech [~thomasalb@124.157.209.135] has quit [Quit: albech]
06:39 -!- pihhan [~pihhan@pihhan.cipis.net] has joined #openvpn
06:39 -!- pihhan [~pihhan@pihhan.cipis.net] has quit [Remote host closed the connection]
06:49 -!- kaka_26_butuh_wa [~Guest7561@cpe-76-179-247-94.maine.res.rr.com] has joined #openvpn
06:49 -!- kaka_26_butuh_wa [~Guest7561@cpe-76-179-247-94.maine.res.rr.com] has left #openvpn []
06:52 -!- WinstonSmith [~true@e179015158.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
06:56 -!- kaka_26_butuh_wa [~Guest7561@cpe-76-179-247-94.maine.res.rr.com] has joined #openvpn
06:56 -!- kaka_26_butuh_wa [~Guest7561@cpe-76-179-247-94.maine.res.rr.com] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
06:57 -!- kaka_26_butuh_wa [~Guest7561@cpe-76-179-247-94.maine.res.rr.com] has joined #openvpn
06:57 -!- kaka_26_butuh_wa [~Guest7561@cpe-76-179-247-94.maine.res.rr.com] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
06:58 -!- pihhan [~pihhan@pihhan.cipis.net] has joined #openvpn
06:59 -!- pihhan [~pihhan@pihhan.cipis.net] has quit [Remote host closed the connection]
06:59 -!- kaka_26_butuh_wa [~Guest7561@cpe-76-179-247-94.maine.res.rr.com] has joined #openvpn
06:59 -!- kaka_26_butuh_wa [~Guest7561@cpe-76-179-247-94.maine.res.rr.com] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
07:03 -!- albech [~thomasalb@119.42.77.184] has joined #openvpn
07:05 -!- kaka_26_butuh_wa [~Guest7561@cpe-76-179-247-94.maine.res.rr.com] has joined #openvpn
07:05 -kaka_26_butuh_wa:#openvpn- dude u want this http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
07:05 < kaka_26_butuh_wa> try it http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
07:05 -!- kaka_26_butuh_wa [~Guest7561@cpe-76-179-247-94.maine.res.rr.com] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
07:07 < hyper_ch> openvpn2009: patelx: can you ban that kaka one?
07:08 -!- zheng [~zheng@180.171.161.102] has joined #openvpn
--- Log closed Sun Dec 12 07:09:24 2010
--- Log opened Sun Dec 12 08:47:27 2010
08:47 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined #openvpn
08:47 -!- Irssi: #openvpn: Total of 116 nicks [3 ops, 0 halfops, 0 voices, 113 normal]
08:48 -!- Irssi: Join to #openvpn was synced in 42 secs
08:48 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
08:59 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Read error: Connection reset by peer]
--- Log closed Sun Dec 12 09:05:09 2010
--- Log opened Sun Dec 12 09:22:37 2010
09:22 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined #openvpn
09:22 -!- Irssi: #openvpn: Total of 116 nicks [3 ops, 0 halfops, 0 voices, 113 normal]
09:23 -!- Irssi: Join to #openvpn was synced in 42 secs
09:24 -!- albech_ [~thomas@124.157.238.234] has joined #openvpn
09:27 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 260 seconds]
09:28 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
09:31 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
--- Log closed Sun Dec 12 09:37:38 2010
--- Log opened Sun Dec 12 09:43:44 2010
09:43 -!- ecrist [~ecrist@openvpn/community/support/ecrist] has joined #openvpn
09:43 -!- Irssi: #openvpn: Total of 116 nicks [3 ops, 0 halfops, 0 voices, 113 normal]
09:44 -!- Irssi: Join to #openvpn was synced in 46 secs
09:44 < dictvm> Helpful. ;-)
09:50 < aderouineau> dictvm: ?
09:50 < dictvm> I have setup OpenVPN on a Linux box. My problem is, that I am on a dedicated server with two interfaces: An internal one, which is restricted to private addresses only and an external one which has internet access. 
09:50 < dictvm> Do I have to bridge my client's internal IP address or can I use iptables for this?
09:50 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
09:50 < aderouineau> you need to clarify your situation first
09:50 < dictvm> Sure. 
09:50 -!- ecrist [~ecrist@openvpn/community/support/ecrist] has quit [Ping timeout: 276 seconds]
--- Log closed Sun Dec 12 09:50:10 2010
--- Log opened Sun Dec 12 09:50:22 2010
09:50 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined #openvpn
09:50 -!- Irssi: #openvpn: Total of 117 nicks [3 ops, 0 halfops, 0 voices, 114 normal]
09:50 < dictvm> I only need one client and I've setup my client to get the ip-address 192.168.11.6 on the openvpn-system. 
09:50 < aderouineau> what's your goal with this client?
--- Log closed Sun Dec 12 09:53:46 2010
--- Log opened Sun Dec 12 09:55:23 2010
09:55 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined #openvpn
09:55 -!- Irssi: #openvpn: Total of 117 nicks [3 ops, 0 halfops, 0 voices, 114 normal]
09:55 -!- Irssi: Join to #openvpn was synced in 38 secs
09:57 < dictvm> What I think to be my problem: My tun-dev on my openvpn-box has no defaultroute.
09:57 < aderouineau> dictvm: you set it with this option
09:57 -!- sia^pwnnt is now known as sia
09:57 < dictvm> Ah. 
09:57 < dictvm> Great. 
09:58 < dictvm> And this should be my external interface?
09:58 < aderouineau> it tells the client to set up a new default route towards the vpn server
09:59 < dictvm> That doesn't seem work. I've been using this conf: http://pastebin.com/bWjDxsW9
10:00 < dictvm> Oh no. 
10:00 < dictvm> Please don't.
10:00 < dictvm> :)
10:00 < dictvm> I have to name an IP, huh? :)
10:00 < aderouineau> name an ip?
--- Log closed Sun Dec 12 10:04:11 2010
--- Log opened Sun Dec 12 10:10:04 2010
10:10 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined #openvpn
10:10 -!- Irssi: #openvpn: Total of 117 nicks [3 ops, 0 halfops, 0 voices, 114 normal]
10:10 < hid3> ecrist: we know your real host!
10:10 -!- Irssi: Join to #openvpn was synced in 43 secs
10:10 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Excess Flood]
10:11 -!- LowKey [rhel@unaffiliated/lowkey] has joined #openvpn
10:16 -!- albech_ [~thomas@124.157.238.234] has quit [Quit: Ex-Chat]
10:16 -!- albech [~thomasalb@119.42.77.184] has quit [Quit: albech]
10:16 -!- ucekpolish [user@hq.ostc-pl.com] has quit [Remote host closed the connection]
--- Log closed Sun Dec 12 10:23:10 2010
--- Log opened Sun Dec 12 10:23:15 2010
10:23 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined #openvpn
10:23 -!- Irssi: #openvpn: Total of 114 nicks [3 ops, 0 halfops, 0 voices, 111 normal]
10:23 -!- ucekpolish [user@hq.ostc-pl.com] has joined #openvpn
10:23 -!- Irssi: Join to #openvpn was synced in 42 secs
10:25 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has joined #openvpn
10:25 -alonso_morning:#openvpn- elite botnet http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
10:25 < alonso_morning> dude u want this http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
10:25 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has left #openvpn []
10:26 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has joined #openvpn
10:26 -alonso_morning:#openvpn- dude u want this http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
10:26 < alonso_morning> l33t http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
10:26 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has left #openvpn []
10:26 < |Mike|> uch
10:26 < |Mike|> lets complain in #freenode
10:27 < hid3> let's buy a botnet instead!
10:28 < |Mike|> or hire the one from that anongroup :P
10:31 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has joined #openvpn
10:31 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
10:35 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
10:41 -!- Netsplit *.net <-> *.split quits: agagag, ivenkys, ^scott^, nijotz, Kevin`
10:43 -!- Netsplit over, joins: ivenkys, agagag, ^scott^, nijotz, Kevin`
10:47 -!- Netsplit *.net <-> *.split quits: agagag, ivenkys, ^scott^, nijotz, Kevin`
10:47 -!- Netsplit over, joins: ivenkys, agagag, ^scott^, nijotz, Kevin`
10:50 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has joined #openvpn
10:50 -alonso_morning:#openvpn- cool site http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
10:50 < alonso_morning> try it http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
10:50 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
10:51 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has quit [Ping timeout: 240 seconds]
10:51 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has joined #openvpn
10:51 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
10:52 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined #openvpn
10:59 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has joined #openvpn
10:59 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
11:03 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has joined #openvpn
11:03 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
11:03 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has joined #openvpn
11:03 -alonso_morning:#openvpn- best site http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
11:03 < alonso_morning> download and install http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
11:03 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
11:06 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has joined #openvpn
11:06 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
11:09 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has joined #openvpn
11:09 -alonso_morning:#openvpn- download and install http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
11:09 < alonso_morning> bots http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
11:09 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
11:10 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has joined #openvpn
11:10 -alonso_morning:#openvpn- try it http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
11:10 < alonso_morning> best script ever http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
11:10 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
11:11 < havoc> can we ban that asshole already?
11:12 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
11:14 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has joined #openvpn
11:14 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
11:15 -!- hid3 [~tst@lan-78-157-71-116.vln.skynet.lt] has quit [Ping timeout: 272 seconds]
11:15 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has joined #openvpn
11:15 -alonso_morning:#openvpn- /!\ http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
11:15 < alonso_morning> this is not spam http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
11:15 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
11:17 -!- hid3 [~tst@lan-78-157-71-116.vln.skynet.lt] has joined #openvpn
11:18 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has joined #openvpn
11:18 -!- alonso_morning [~Cow_kece@24-119-83-207.cpe.cableone.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
--- Log closed Sun Dec 12 11:32:39 2010
--- Log opened Sun Dec 12 11:38:31 2010
11:38 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined #openvpn
11:38 -!- Irssi: #openvpn: Total of 115 nicks [3 ops, 0 halfops, 0 voices, 112 normal]
11:38 !kornbluth.freenode.net [freenode-info] channel trolls and no channel staff around to help? please check with freenode support: http://freenode.net/faq.shtml#gettinghelp
11:39 -!- Irssi: Join to #openvpn was synced in 42 secs
11:45 -!- hid3 [~tst@lan-78-157-71-116.vln.skynet.lt] has quit [Ping timeout: 264 seconds]
11:57 -!- hid3 [~tst@lan-78-157-71-116.vln.skynet.lt] has joined #openvpn
11:58 < ecrist> hid3: it's not hard to figure out. :)
11:58 -!- mode/#openvpn [+o ecrist] by ChanServ
11:59 -!- mode/#openvpn [+b *!*@24-119-83-207.cpe.cableone.net] by ecrist
12:00 -!- mode/#openvpn [-b *!*@81.85.205.78] by ecrist
12:00 -!- mode/#openvpn [-b Urania!*@*] by ecrist
12:00 -!- mode/#openvpn [-b *!*@c-24-118-247-59.hsd1.mn.comcast.net] by ecrist
12:00 -!- mode/#openvpn [-o ecrist] by ecrist
12:01 < ecrist> we need a couple more ops, I think
12:02 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Quit: I am off]
12:04 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
12:05 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 272 seconds]
12:18 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
12:20 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
12:42 -!- Nappy [~nappy@97.97.247.123] has quit [Quit: Leaving]
12:45 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined #openvpn
12:53 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
12:53 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
12:53 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
13:01 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has joined #openvpn
13:01 < KipMacy> some nice person should write a guide on getting openvpn to work with selinux
13:05 < hyper_ch> KipMacy: become that nice person
13:09 < ecrist> indeed
13:09 < ecrist> !wiki
13:09 < ecrist> wtf, vpnhelper, get back here
13:09 < KipMacy> its off leaking somewhere
13:10 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
13:10 -!- mode/#openvpn [+o vpnHelper] by ChanServ
13:10 < ecrist> !wiki
13:10 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN, or (#2) Official wiki is at https://community.openvpn.net/openvpn/wiki
13:24 < reiffert> !openvpn
13:24 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
13:24 < reiffert> !wiki
13:25 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN, or (#2) Official wiki is at https://community.openvpn.net/openvpn/wiki
13:25 < reiffert> !openvpn wtf?
13:25 < reiffert> !Idontknowwhatthisis
13:25 < reiffert> Looks like some kind of software improvement.
13:27 < havoc> ecrist: thank you :)
13:43 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Remote host closed the connection]
13:45 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
14:04 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
14:12 < ecrist> reiffert: what do you mean?
14:14 < reiffert> ecrist: I remember that vpnHelper was responding like "I dont know what "!openvpn" means" or similar. Now it doesnt do that anymore.
14:15 < ecrist> yeah, I disabled that.
14:16 < ecrist> also, it doesn't say your nick anymore when you issue a command
14:17 < reiffert> Great job!
14:21 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
14:24 -!- karmst [~kevin@s1.acclaimpc.com] has joined #openvpn
14:24 < karmst> Hello
14:24 < karmst> I'm having problems with my VPN
14:25 < karmst> Is there a way to make openvpn a site to site permenant connection?
14:27 < ecrist> !static
14:27 <@vpnHelper> "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example in net30 (default): ifconfig-push 10.8.0.5 10.8.0.6 example in subnet (see !topology) or tap (see !tunortap): ifconfig-push 10.8.0.5 255.255.255.0, or (#3) also see !ccd and !iporder
14:27 < ecrist> !static-key
14:27 <@vpnHelper> "static-key" is when you use --secret, you are using a static key. this is only valid for point-to-point setups. Static keys are less secure in that they never change. If someone captures your traffic, and then gains your static key a year from now, they can decrypt the captured traffic. Setups that use certs re-key every hour by default
14:39 < pyther> Can openvpn run over port 443?
14:45 < reiffert> pyther: udp or tcp?
14:46 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Remote host closed the connection]
14:46 < pyther> reiffert: doesn't matter, I would assume it would probably have to be tcp
14:47 < pyther> doubt many firewalls allow udp 443 traffic :P
14:49 < reiffert> well .. --port 443 then.
14:53 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
15:29 -!- dev001 [~dev001@unaffiliated/pgngw] has joined #openvpn
15:29 < dev001> !welcome
15:29 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:32 < dev001> Hi.  I've a local lan behind a gateway and a remote (VPS) server I want to connect via openvpn.  the remote box runns a DNS slave to a master that sits on the local lan behind a gateway. 
15:32 < dev001>  in such a config, which should be server, and which should be client?  i know I *can* do either, but tbh am not clear on the benefit of one over the other -- if there's any at all.
15:33 -!- dictvm [~irssi@devastation.securewebs.net] has quit [Quit: leaving]
15:34 < reiffert> It depends on your level of insanity.
15:34 -!- dictvm [~irssi@devastation.securewebs.net] has joined #openvpn
15:34 -!- sia is now known as adawda
15:38 < dev001> reiffert: heh.  pls expound ...
15:40 < reiffert> If there are two road warriors then keeping the server on one of the road warriors laptops is possible, but totally insane.
15:41 < dev001> reiffert: i have no road warriors ... just two static nets
15:42 < reiffert> Do whatever is more comfortable for you then. e.g. maintenance stuff, 24/7 hosts etc.
15:42 -!- StanC [~Stanislav@219-88-66-88.adsl.xtra.co.nz] has joined #openvpn
15:43 < StanC> !welcome
15:43 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:43 < StanC> !goal
15:43 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:47 < dev001> reiffert: ah.  so no particularly compelling reason either way.  fair enuf.  thx!
15:49 < reiffert> dev001: regarding all that what you have told us .. I dont know of any advantage over the other.
15:52 < StanC> ummm, new to OpenVPN. Got a few questions. Basically I'm trying to setup a VPN Server in the office and allow upto 10 concurrent client connections. Is this free, or do I need to buy "licenses" for the client connections?
15:53 < dev001> reiffert: thx agn!  cheeers.
15:53 -!- dev001 [~dev001@unaffiliated/pgngw] has left #openvpn []
15:53 < dictvm> OpenVPN is free software.
15:55 -!- jobicreatingweb [~jobicreat@adsl-132.91.140.93.tellas.gr] has joined #openvpn
15:55 < krzie> openvpn AS needs licenses, community version is free
15:55 < krzie> !AS
15:55 <@vpnHelper> "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations options
15:55 <@vpnHelper> supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
15:55 < jobicreatingweb> hello
15:55 < StanC> cool, thanks
15:57 < jobicreatingweb> i installed the client.conf to the client computer but when i openvpn restart it says autostarting vpn 'client' [fail]
15:57 < jobicreatingweb> can anybody help?
15:59 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has quit [Quit:  Want to be different? Try HydraIRC -> http://www.hydrairc.com <-]
16:02 < StanC> quick question about the HowTo Guide
16:03 < StanC> when editing the Editing the server configuration file, it says I should "first edit the ca, cert, key, and dh parameters to point to the files you generated". where do I edit the parameters to point at the generated files?
16:04 < StanC> I assume in the server configuration file... but which part?
16:06 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
16:07 < StanC> !howto
16:07 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:10 -!- p3rror [~mezgani@41.140.31.29] has quit [Quit: Leaving]
16:10 < jobicreatingweb> i installed the client.conf to the client computer but when i openvpn restart it says autostarting vpn 'client' [fail]
16:14 < krzie> jobicreatingweb, try running it via openvpn binary instead of your OS's built in way
16:14 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 276 seconds]
16:14 < krzie> check if it is running, if it is kill it, then type openvpn /path/to/config
16:14 < krzie> StanC, YOU EDIT THE VARS FILE
16:14 < krzie> oops, capslocl
16:17 < StanC> and how do I do that?
16:17 < StanC> Vars.bat file?
16:18 < krzie> right
16:18 < krzie> !pki
16:18 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was signed
16:18 <@vpnHelper> specially as a server (see !servercert)
16:18 < krzie> Now edit the vars file (called vars.bat on Windows) and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank.
16:18 < krzie> as copied from the howto
16:21 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
16:31 < StanC> thanks krzie, still having trouble though... 
16:31 < StanC> umm, basically I created the certificate and key files for the server and 3 clients (just like in the howto)
16:32 < StanC> then generated the diffie hellman parameters
16:32 < StanC> (again just like in the howto)
16:32 < StanC> then the next step is to create the configuration files for the server/clients
16:33 < StanC> using the sample server configuration file, what do I need to modify?
16:33 < reiffert> StanC: from the howto:
16:34 < StanC> in the HowTo section "Editing the server configuration file" it says "Before you use the sample configuration file, you should first edit the ca, cert, key, and dh parameters to point to the files you generated in the PKI section above."
16:34 < reiffert> Editing the server configuration file
16:34 < reiffert> right.
16:34 < StanC> how do I edit the ca, cert, key and dh parameters to point at the files generated in the PKI section?
16:34 < reiffert> StanC: open a text editor, open the client and server config file and have a look inside them.
16:35 < StanC> with you so far =)
16:36 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
16:37 -!- kevin__ [~kevin@s1.acclaimpc.com] has joined #openvpn
16:38 -!- Acrono [~kuro@67.23.250.154] has joined #openvpn
16:40 -!- fbsec_ [~fb@38.108.126.158] has joined #openvpn
16:40 < StanC> umm, what specifically am I meant to be looking at?
16:40 < StanC> under "# Diffie hellman parameters."
16:40 < reiffert> the content of the client and the server config file
16:41 < StanC> am I meant to replace the "dh dh1024.pem" with "path/dh1024.pem"?
16:41 < reiffert> yes.
16:42 -!- kevin__ [~kevin@s1.acclaimpc.com] has quit [Client Quit]
16:42 < reiffert> StanC: I guess it's the first time for you and editing configuration files?
16:42 -!- fbsec [~fb@38.108.126.158] has quit [Ping timeout: 240 seconds]
16:42 -!- Kurogane [~kuro@190.87.80.64] has quit [Ping timeout: 240 seconds]
16:42 -!- karmst [~kevin@s1.acclaimpc.com] has quit [Ping timeout: 240 seconds]
16:42 -!- oc80z [oc80z@blea.ch] has quit [Ping timeout: 240 seconds]
16:42 -!- oc80z [oc80z@blea.ch] has joined #openvpn
16:42 < StanC> yes it is
16:43 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 240 seconds]
16:44 < reiffert> StanC: I guess that the client and server OS is windows?
16:44 < StanC> yes, Windows XP
16:44 < reiffert> # Remember on            #
16:44 < reiffert> # Windows to quote pathnames and use            #
16:44 < reiffert> # double backslashes, e.g.:                     #
16:44 < reiffert> # "C:\\Program Files\\OpenVPN\\config\\foo.key" #
16:46 < krzie> aka
16:47 < krzie> !winpath
16:47 <@vpnHelper> "winpath" is (#1) Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key", or (#2) also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.: C:/Program Files/OpenVPN/config/foo.key (but surrounded by quotes)
16:47 < ecrist> gah the pasting
16:48 < reiffert> StanC: from here on ecrist is helping you.
16:48 < ecrist> nope. i'm playing halo
16:52 < StanC> hmm, adding the path didn't work. But putting the all the files in the same directory (ie. config folder) worked
17:01 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
17:05 < jobicreatingweb> my linksys modem router support ddns. do i have to install an update client?
17:05 < reiffert> jobicreatingweb: this is #openvpn.
17:05 < jobicreatingweb> i know
17:06 < reiffert> jobicreatingweb: and your question is?
17:06 < jobicreatingweb> to the vpn manager to the gateway 
17:07 < reiffert> "to the vpn manager to the gateway" no question here
17:08 < jobicreatingweb> ok let me refraze it
17:08 < jobicreatingweb> if i put the conf files like they are to server side and client side will the connection play?
17:09 < reiffert> jobicreatingweb: depends on how the conf files look like.
17:09 < jobicreatingweb> its like it is from default
17:09 < jobicreatingweb> can i paste bin you 
17:09 < reiffert> jobicreatingweb: the answer is quite simple, guess it!
17:10 < jobicreatingweb> i cant quess cause many things work from default
17:10 < jobicreatingweb> and i dont know that about openvpn
17:10 < jobicreatingweb> and i am a new in this thing and i am trying to set it up 
17:10 < reiffert> jobicreatingweb: good point, let me explain it:
17:11 < jobicreatingweb> with my ubuntu machines
17:11 < reiffert> !howto
17:11 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:11 < jobicreatingweb> oooo come on again with that
17:12 < jobicreatingweb> pff
17:12 < jobicreatingweb> its very confusing
17:12 < reiffert> ok, let me paste you the relevant lines:
17:12 -!- aderouineau [oreo@AGrenoble-152-1-8-182.w82-122.abo.wanadoo.fr] has quit [Ping timeout: 255 seconds]
17:12 < reiffert> Creating configuration files for server and clients
17:12 < reiffert> Getting the sample config files
17:12 < reiffert> It's best to use the OpenVPN sample configuration files as a starting point for your own configuration.
17:12 < jobicreatingweb> i found this more easy https://help.ubuntu.com/10.04/serverguide/C/openvpn.html
17:12 <@vpnHelper> Title: OpenVPN (at help.ubuntu.com)
17:12 < reiffert> The sample server configuration file is an ideal starting point for an OpenVPN server configuration.
17:13 < reiffert> jobicreatingweb: more easy but not openvpn related? Hell go and annoy people from ubuntu then!
17:13 < reiffert> +please
17:14 < |Mike|> reiffert: i would ignore him :p
17:14 < StanC> !winpath
17:14 <@vpnHelper> "winpath" is (#1) Remember on Windows to quote pathnames and use double backslashes, e.g.: "C:\\Program Files\\OpenVPN\\config\\foo.key", or (#2) also, you can use forward slashes to avoid needing double backslashes, but you still need quotes, e.g.: C:/Program Files/OpenVPN/config/foo.key (but surrounded by quotes)
17:16 < reiffert> StanC: there is more intaction with the bot, e.g.
17:16 < reiffert> !factoids search windows
17:16 <@vpnHelper> 'windows' and 'windows_mobile'
17:16 < reiffert> !factoids search --values windows
17:16 <@vpnHelper> 'winroute', 'winpass', 'tap', 'win_noadmin', 'winipforward', 'pwfile', 'interface', 'tunortap', 'vista', 'win_tcplimit', 'winnat', 'winscript', 'win_rollup', 'download', 'windows', 'winpath', 'winnat', 'windows_mobile', 'windows', 'windows', 'win_build', and 'new_win_gui'
17:17 < StanC> cool, thanks alot.... got it working, now I get a "Connection reset by peer" on the client side.... I'll investigate that a bit before asking for help
17:18 < jobicreatingweb> i could say not openvpn help but this is microsoft chan! the help should be provided in any OS and not to have this racist profile |Mike|
17:18 < |Mike|> jobicreatingweb: ignored!
17:18 < jobicreatingweb> mike sta arxidia mou file
17:19 < jobicreatingweb> mporeis na pas na gamitheis palio minara
17:19 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
17:19 < reiffert> |Mike|: he talks french now saying that his mother offers you a blow job.
17:19 < |Mike|> it's a greek ;)
17:19 < reiffert> pretty well on french anyway :)
17:19 < |Mike|> :P
17:21 < reiffert> jobicreatingweb: have a look at StanC, he is obviously a beginner just like you and stanc was definitly *reading* the fucking howto and there he is: a successful player.
17:22 < |Mike|> s/fucking/fine/g
17:22 < reiffert> jobicreatingweb: btw, those openvpn-windows guys are a small and special minority.
17:22 < reiffert> jobicreatingweb: there is so much more functionality for !windows.
17:22 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
17:23 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
17:24 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 240 seconds]
17:24 < reiffert> StanC: have a look at the logs. "verb 3" should give you all the clues you will need.
17:26 < reiffert> StanC: wordpad will show you the logfiles with a proper line breakage
17:27 < reiffert> dazo_afk: can we have \r\n for the logfiles for compatibility reasons?
17:30 < jobicreatingweb> i am doing to but with the attitude read the How to all the time answer its all time classic and lack of knowledge as i understand. And what you said about my mother. It obviously shows that you haven't got down from the trees yet and stop the masturbating cause at the end you will go blind.  
17:31 < |Mike|> ecrist: wakeywakey
17:31 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Remote host closed the connection]
17:31 < reiffert> Please stop writing that much, my braille terminal is limited to 80 chars per row.
17:33 -!- jobicreatingweb [~jobicreat@adsl-132.91.140.93.tellas.gr] has left #openvpn []
17:48 -!- mode/#openvpn [+oo raidz cron2] by ChanServ
17:54 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
18:07 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
18:25 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Read error: Connection reset by peer]
18:26 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
18:43 -!- StanC [~Stanislav@219-88-66-88.adsl.xtra.co.nz] has quit []
18:47 -!- StanC [~Stanislav@219-88-66-88.adsl.xtra.co.nz] has joined #openvpn
18:52 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Remote host closed the connection]
18:56 -!- StanC [~Stanislav@219-88-66-88.adsl.xtra.co.nz] has quit [Ping timeout: 260 seconds]
19:02 -!- StanC [~Stanislav@219-88-66-88.adsl.xtra.co.nz] has joined #openvpn
19:14 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
19:15 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
19:21 -!- gdb` [~user@166.205.136.187] has joined #openvpn
19:23 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
19:24 -!- albech [~thomasalb@124.157.238.243] has joined #openvpn
19:25 < gdb`> I'm using openvpn on Ubuntu 10.04 via a tun device.  Recently I've been observing a failure mode where connections will just hang (to be resumed upon restarting openvpn/a timeout triggering a ping-reset).  Other people (all running OSX) continue to have connectivity while mine is hanging.  tcpdump shows that I continue to send packets to tun0, but there are no responses.  I don't see anything glaringly obvious in either the client or
19:25 < gdb`> server logs, but I also don't know exactly what to look for.  Does this sound familiar to anyone?  Any suggestions for debugging output to gather?  Any advice would be appreciated.
19:34 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
19:34 -!- gdb` [~user@166.205.136.187] has quit [Read error: Connection reset by peer]
19:37 < StanC> hi again, small problem with the VPN
19:37 < StanC> I have a simple server/client setup
19:37 < StanC> I can ping from both ends (ie. server can ping client, and client can ping server)
19:37 < StanC> but I can't browse the server shared folders from the client
19:38 < StanC> but can browse client shared folders from the server
19:39 < StanC> can anyone help debug this? (maybe happened to other people and there is a known solution)
19:40 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 240 seconds]
19:53 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
20:07 -!- albech [~thomasalb@124.157.238.243] has quit [Quit: albech]
20:16 -!- toortog` [~nesm6@121.97.98.88] has joined #openvpn
20:16 -!- toortog` [~nesm6@121.97.98.88] has quit [Client Quit]
20:37 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
20:40 -!- albech [~thomasalb@gatekeeper.cnx.awareidc.com] has joined #openvpn
21:09 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
21:22 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
21:33 -!- StanC [~Stanislav@219-88-66-88.adsl.xtra.co.nz] has quit []
21:37 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
21:48 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
21:52 -!- Klem [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has quit [Ping timeout: 276 seconds]
21:57 -!- Klem [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has joined #openvpn
22:01 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
22:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
22:14 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:22 -!- gdb` [~user@166.205.138.23] has joined #openvpn
22:24 < gdb`> (Sorry, I posted earlier about having openvpn randomly stop transmitting packets on me, but my internets died before seeing a response.  Not sure about the social conventions here - should I repost the query?)
22:26 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 245 seconds]
22:33 -!- adxp [~user@166.205.138.23] has joined #openvpn
22:36 -!- gdb` [~user@166.205.138.23] has quit [Read error: No route to host]
22:40 <@vpnHelper> RSS Update - forum: Configuration :: Problems with RoadWarrior Setup on Windows Server 2008 :: Author reuben <https://forums.openvpn.net/viewtopic.php?f=6&t=7391&p=8681#p8681>
22:52 -!- gdb`` [~user@dr-wily.ipv6.mit.edu] has joined #openvpn
23:01 -!- adxp [~user@166.205.138.23] has quit [Read error: Connection reset by peer]
23:02 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:30 -!- tessier_ [~treed@kernel-panic/copilotco] has quit [Remote host closed the connection]
23:34 -!- Acrono [~kuro@67.23.250.154] has quit [Remote host closed the connection]
--- Day changed Mon Dec 13 2010
00:02 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
00:06 -!- WinstonSmith [~true@dslb-088-073-064-109.pools.arcor-ip.net] has joined #openvpn
00:12 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds]
00:15 < krzee> gdb``, does your firewall keep state?  do you have a keepalive?
00:23 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
00:24 < gdb``> Yeah, my firewall is stateful, although I'm not seeing rejected packets in the logs
00:25 < krzee> try setting it to not keep state on that connection
00:25 < gdb``> Also this occurs while I am actively using the connection
00:25 < krzee> right but i bet a difference besides os is how your firewalls work
00:25  * krzee looks at the topic
00:25 < gdb``> Hmm.
00:26 < gdb``> To be clear, you mean the server firewall, not a client firewall (which I don't believe anyone is running), right?
00:26 < krzee> [21:25]  <gdb`> I'm using openvpn on Ubuntu 10.04 via a tun device.  Recently I've been observing a failure mode where connections will just hang (to be resumed upon restarting openvpn/a timeout triggering a ping-reset).  Other people (all running OSX) continue to have connectivity while mine is hanging.  tcpdump shows that I continue to send packets to tun0, but there are no responses.  I don't see anything glaringly obvious in either the clie
00:26 < krzee> nt or
00:27 < krzee> i mean the ubuntu box
00:27 < gdb``> Gotcha.  Not running a firewall locally, unfortunately.
00:27 < krzee> hrm
00:27 < krzee> you using verb5 in your logs?
00:28 < krzee> verb 5
00:28 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Excess Flood]
00:28 < gdb``> Yep, among other levels.
00:28 < gdb``> For verb 5, I see the client continuing to do Rs and Ws
00:28 -!- LowKey [rhel@unaffiliated/lowkey] has joined #openvpn
00:28 < krzee> how long does it take to stall on you?
00:29 < gdb``> It really varies; haven't found a pattern yet.  Anywhere from a minute to hours.
00:29 < gdb``> I wonder if I should try restarting the openvpn server?  I haven't made any config changes for a while, but it suddenly has gotten bad today.
00:30 < krzee> this is only today its happening?
00:30 < gdb``> No, it's been happening intermittently for a few days at least.
00:30 < gdb``> It's possible it happened before without my noticing.
00:31 < krzee> was the client fine before that?
00:31 < gdb``> (Since the ping-restart fixes the problem automatically)
00:31 < gdb``> Yeah, I don't recall noticing such an issue prior to, say, a week ago.
00:31 < gdb``> Maybe even shorter than that.
00:31 < krzee> is it possible that the client's internet actually has an issue right now?  have you tested that this is isolated to the exact machine?
00:32 < gdb``> I can still ping non-vpn'd IPs during that time
00:32 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 260 seconds]
00:32 < gdb``> Also other people using the same wireless are still connected to the VPN
00:32 < krzee> ok thats what i wanted to hear
00:32 < krzee> other people in the lan are not losing connection to the vpn
00:32 < gdb``> Correct
00:33 < krzee> !configs
00:33 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
00:33 < gdb``> !pn
00:33 < krzee> !pb
00:33 < gdb``> Err, thanks:)
00:33 <@vpnHelper> "pb" is Use our pastebin to post configs and logs at http://openvpn.pastebin.ca rather than posting to the channel.
00:38 < gdb``> Ok, here we go: http://openvpn.pastebin.ca/2017997
00:40 < gdb``> One difference between the two clients, thinking about it, is that I use a custom script to deal with dhcp dns, while the OSX people use the native client to do so
00:41 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
00:42 <@vpnHelper> RSS Update - pastebin: openvpn occasionally freezing <http://pastebin.ca/2017997>
00:53 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
00:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
01:10 <@vpnHelper> RSS Update - forum: Server Administration :: Internet Connection Sharing with openvpn :: Author lrhorer <https://forums.openvpn.net/viewtopic.php?f=4&t=7392&p=8682#p8682>
01:20 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
01:20 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Ping timeout: 240 seconds]
01:21 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
01:21 -!- mode/#openvpn [+o vpnHelper] by ChanServ
01:23 < kisom> seriously
01:23 < kisom> IE caches ajax requests....
01:24 < kisom> its a pain to be a web developer these days!
01:26 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:44 -!- Bushmills1 [~Bushmills@scarydevilmonastery.net] has joined #openvpn
01:44 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has quit [Disconnected by services]
01:44 -!- Bushmills1 is now known as Bushmills
01:58 < gdb``> Another difference between me and other clients is that I use the VPN way more than anyone else.  Could there be some residual state that gets left behind on the vpn server, perhaps per-connection or per-tcp connection or something like that?
02:00 < hyper_ch> hi krzee
02:03 -!- SLAiNTRAX [~SLAiNTRAX@clubcarisma.info] has joined #openvpn
02:04 < SLAiNTRAX> Hello. I've been trying to revoke a certificate, but I can still connect using it. I get the "unable to write 'random state'", but I haven't managed to solve it. I'm using Windows Server 2008 R2
02:14 < R-66Y> who was helping me the other day with my TLS keys out of sync problem?
02:15 < R-66Y> ecrist: do you remember?
02:15 < R-66Y> (not that I think it's your duty to)
02:18 < R-66Y> krzee: hey! I got my problem fixed! turns out he added some options to the config file, one of them being an ifconfig line, another route line, and tls-client instead of just "client" caused the key sync problem :)
02:18 -!- Diffen2 [~diffen2@user8.85-195-0.netatonce.net] has joined #openvpn
--- Log closed Mon Dec 13 02:27:19 2010
--- Log opened Mon Dec 13 02:33:06 2010
02:33 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined #openvpn
02:33 -!- Irssi: #openvpn: Total of 115 nicks [5 ops, 0 halfops, 0 voices, 110 normal]
02:33 -!- Irssi: Join to #openvpn was synced in 57 secs
02:42 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
02:42 < SLAiNTRAX> No suggestions?
02:49 < SLAiNTRAX> http://paste2.org/p/1139542
02:51 -!- dazo_afk is now known as dazo
02:54 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 272 seconds]
02:55 -!- VirusTB [~VirusTB@145.93.236.170] has joined #openvpn
02:56 -!- WinstonSmith [~true@dslb-088-073-064-109.pools.arcor-ip.net] has quit [Ping timeout: 240 seconds]
02:57 < rjd__> SLAiNTRAX: hi, what steps did you take when you revoked it?
02:57 < rjd__> !revoke
02:57 < SLAiNTRAX> I follwed the documentation step by step
02:57 < SLAiNTRAX> !revoke
02:59 < rjd__> ok, so you moved the crl.pem into the main openvpn directory?
02:59 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
02:59 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
02:59 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
02:59 < SLAiNTRAX> it should be in C:\Program Files (x86)\OpenVPN right?
02:59 < rjd__> on the server
02:59 < SLAiNTRAX> yup.
03:00 -!- Diffen2 [~diffen2@user8.85-195-0.netatonce.net] has quit [Quit: This computer has gone to sleep]
03:00 < SLAiNTRAX> sigh... it didn't have read access. Gonna see if this helps.
03:05 -!- SLANTRAX [~SLAiNTRAX@clubcarisma.info] has joined #openvpn
03:05 -!- SLAiNTRAX [~SLAiNTRAX@clubcarisma.info] has quit [Ping timeout: 265 seconds]
03:06 < SLANTRAX> Sometimes I hate windows permissions. It didn't innerhit the read/write access of the folder. It works now. Thanks.
03:07 <@dazo> Sometimes I don't hate Windows ... it happens seldom .... :-P
03:07 < SLANTRAX> heh
03:07 < rjd__> SLANTRAX: :)
03:12 -!- VirusTB [~VirusTB@145.93.236.170] has quit [Ping timeout: 272 seconds]
03:12 < R-66Y> krzee: yup. thanks for the help :)
03:13 -!- WinstonSmith [~true@e177094108.adsl.alicedsl.de] has joined #openvpn
03:13 -!- SLANTRAX [~SLAiNTRAX@clubcarisma.info] has quit []
03:15 < reiffert> 00:27 < reiffert> dazo_afk: can we have \r\n for the logfiles for compatibility reasons?
03:17 <@dazo> reiffert: that's a good though :)
03:18 < reiffert> ah well, can we have it on windows... compile time decision should be enough
03:18 <@dazo> reiffert: yeah, that's what I was thinking
03:18 < reiffert> #ifdef WINDOWS
03:18 < reiffert> allright
03:19 <@dazo> reiffert: do you happen know if OSX still uses \r as newline?  I know earlier MacOS pre-OSX) used that
03:19 < reiffert> it's hard looking at logfile with their text editor when everything is just in a single line.
03:19 <@dazo> :)
03:19 <@dazo> reiffert: open it in wordpad ;-)
03:19 < reiffert> dazo: I know this, you know this too. Stupids dont.
03:20 <@dazo> yeah, I know :)
03:20 < reiffert> OS X terminal or open with texteditor?
03:21 <@dazo> reiffert: It didn't cross my mind that it could be different on one single platform ...
03:21 < reiffert> thomas-reifferscheids-macbook:~ thomas$ echo -n '
03:21 < reiffert> ' | hexdump -C
03:21 < reiffert> 00000000  0a                                                |.|
03:21 <@dazo> that's \n
03:22 < reiffert> yep.
03:22 <@dazo> okay, let's only fix it on Windows
03:25 < reiffert> opening logfiles with the OS X standard texteditor works fine btw ;)
03:35 <@dazo> reiffert: http://openvpn.pastebin.ca/2018091 ... something like this?
03:35 <@dazo> (I don't know if you have possibility to test it)
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
03:48 -!- master_of_master [~master_of@p57B5538A.dip.t-dialin.net] has quit [Ping timeout: 250 seconds]
03:50 -!- master_of_master [~master_of@p57B55EB4.dip.t-dialin.net] has joined #openvpn
03:50 -!- WinstonSmith [~true@e177094108.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:57 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: fuck yea!]
03:58 < krzee> gdb``, sry dont see a problem
03:59 -!- albech [~thomasalb@gatekeeper.cnx.awareidc.com] has quit [Quit: albech]
03:59 < krzee> did you try restarting the server daemon?
03:59 -!- MissAnthrope [~Edras@66.195.230.128] has joined #openvpn
03:59 -!- MissAnthrope [~Edras@66.195.230.128] has left #openvpn []
04:04 -!- VirusTB [~VirusTB@145.93.236.170] has joined #openvpn
04:14 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
04:24 < reiffert> dazo: think there is missing a "," in line 58.
04:24 <@dazo> reiffert: nope, that's fine ... it's string concatenation .... C accepts printf("string1" "string2")
04:24 -!- common- [~common@p5DDA4948.dip0.t-ipconnect.de] has joined #openvpn
04:25 < gdb``> I did just now. Observed the issue once
04:25 < gdb``> (just now being within the past three hours or so)
04:25 <@dazo> reiffert: NEWLINE is a macro, expanding to a string which is "\n" or "\r\n"
04:25 < reiffert> dazo: ah, I ever thought string concatenation got be done with .'s
04:27 <@dazo> dynamic strings, as in char *, must use %s ... and then the variable as an argument .... but static strings in the code (including expanded macros) can be concatenated like this
04:27 < reiffert> dazo: ah, 1.c:5: error: expected identifier before string constant
04:27 < reiffert> there you go, my fault.
04:27 <@dazo> no worries :)
04:27 -!- common [~common@p5DDA4066.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
04:27 -!- common- is now known as common
04:28 <@dazo> reiffert: in fact, I could simplify those others as well ... to drop one %s as and move the inline newline cases ... but I didn't see that one until now :)
04:29 < reiffert> preprocessoroptimazation?
04:29 <@dazo> heh ... well basically, yes.
04:30 < reiffert> keep it simple, the proprocessor will know it better.
04:30 <@dazo> I don't think the pre-processor catches these cases, though ... maybe the C compiler will
04:31 < reiffert> well then have a look after the proprocessor finishes.
04:31 < reiffert> -E that is?
04:45 <@dazo> reiffert: ahh .. well, actually it cannot be done differently, due to flags in the OpenVPN code is dynamic.  It would only work if flags was a static value being determined by cpp
05:08 < reiffert> dazo: well it actually can if you assign the flags to some constant prior to fprintf
05:09 < reiffert> a string constant eg :)
05:15 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
05:22 -!- VirusTB [~VirusTB@145.93.236.170] has quit [Ping timeout: 245 seconds]
05:45 -!- EmperorTom [~EmperorTo@174-30-253-105.mpls.qwest.net] has joined #openvpn
05:47 -!- EmperorT1m [~EmperorTo@174-30-255-245.mpls.qwest.net] has quit [Ping timeout: 245 seconds]
06:01 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
06:13 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
06:30 -!- venom00ut [~wer@173.0.13.126] has joined #openvpn
06:30 -!- venom00ut [~wer@173.0.13.126] has quit [Changing host]
06:30 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
06:31 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
06:31 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
06:31 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:34 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 276 seconds]
06:59 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
07:00 -!- VirusTB [~VirusTB@145.93.213.243] has joined #openvpn
07:12 -!- janjust [~janjust@ardeche.nikhef.nl] has joined #openvpn
07:28 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
07:31 -!- dollabill [~mike@97.66.26.10] has joined #openvpn
07:32 -!- Diffen2 [~diffen2@user8.85-195-0.netatonce.net] has joined #openvpn
07:39 -!- dollabill [~mike@97.66.26.10] has quit [Read error: No route to host]
07:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
07:49 -!- EmperorT1m [~EmperorTo@184-97-153-105.mpls.qwest.net] has joined #openvpn
07:52 -!- EmperorTom [~EmperorTo@174-30-253-105.mpls.qwest.net] has quit [Ping timeout: 276 seconds]
07:59 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 265 seconds]
08:05 -!- pyther24 [~pyther@unaffiliated/pyther] has joined #openvpn
08:14 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 245 seconds]
08:16 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
08:25 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
08:28 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Client Quit]
08:31 -!- janjust [~janjust@ardeche.nikhef.nl] has quit [Quit: Leaving]
08:49 -!- ruyo [~psantos@a83-132-152-91.cpe.netcabo.pt] has joined #openvpn
08:51 < ruyo> Hello. Could the reason for easy-rsa to create "-----BEGIN PRIVATE KEY-----" instead of "-----BEGIN RSA PRIVATE KEY-----" be my openssl version or something like that?
08:54 < ruyo> This is to create a server.key, by the way.
08:54 <@dazo> ruyo: that sounds more like the key has been created the wrong way
08:55 <@dazo> but I don't recall which command which generates the header without RSA now
08:55 < ruyo> I followed the same guide to create the keys and now I can't have the RSA key. http://forum.pfsense.org/index.php/topic,7840.0.html
08:56 < ruyo> Does the easy-rsa from the source code package rely on any external applications?
08:57 < ruyo> I'm on Arch Linux, not on Windows.
08:58 < ruyo> The strangest thing is:
08:58 < ruyo> "Generating a 1024 bit RSA private key ... writing new private key to 'server.key'"
09:04 -!- Diffen2 [~diffen2@user8.85-195-0.netatonce.net] has quit [Quit: This computer has gone to sleep]
09:04 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
09:09 -!- ruyo [~psantos@a83-132-152-91.cpe.netcabo.pt] has quit [Quit: Leaving]
09:11 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Remote host closed the connection]
09:11 -!- noisebleed [~quassel@kermit.inescn.pt] has joined #openvpn
09:11 -!- noisebleed [~quassel@kermit.inescn.pt] has quit [Changing host]
09:11 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
09:13 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Remote host closed the connection]
09:13 -!- noisebleed [~quassel@piggy.inescn.pt] has joined #openvpn
09:13 -!- noisebleed [~quassel@piggy.inescn.pt] has quit [Changing host]
09:13 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
09:15 -!- ruyo [~psantos@a83-132-152-91.cpe.netcabo.pt] has joined #openvpn
09:21 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:21 < blistov> Ok, there's gotta be something I'm not understanding with regards to creating a bridged VPN (or there's a bug, as I've done this a hundred or so times in the past).
09:23 < blistov> The vpn server is listening on eth1 (LAN) at 10.0.0.1.   The connection comes in through eth0 (WAN) and is prerouted to the LAN 10.0.0.1.  The VPN server creates tap0 which is bound to br0.  Tap0 is set 0.0.0.0 promisc up and eth1 is then bridged to br0 as well.
09:23 < blistov> VPN is established, but clients can only hit 10.0.0.1, nothing else behind the LAN.
09:23 -!- EmperorT1m [~EmperorTo@184-97-153-105.mpls.qwest.net] has quit [Quit: dynamic IPs suck more than your mom.]
09:24 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
09:24 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
09:24 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
09:24 < blistov> However, ARP traffic from remote, is making its way to the LAN, but LAN ARP is not traversing the tunnel.
09:24 < blistov> Anyone point me in the right direction?
09:24 < blistov> Without saying "TUN" ?
09:25 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 264 seconds]
09:26 < pyther24> Hi
09:27 < pyther24> When running ./build-key-server server for the common name should I put in server (like the howto guide states) or should I enter the fully qualified domain name?
09:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
09:30 <@dazo> pyther24: you may do what you prefer ... you can validate the CN value in the client config with --tls-remote server-CN anyway
09:31 <@dazo> but FQDN is usually the most common and recommended way
09:31 -!- VirusTB [~VirusTB@145.93.213.243] has quit [Quit:  is sleeping]
09:31 < pyther24> dazo: and then how about a challenge password?
09:32 <@dazo> that's not used at all
09:32 <@dazo> not afaik, at least
09:32 < pyther24> dazo: the FQDN should probably be the outside FQDN, right?
09:32 <@dazo> pyther24: that's right
09:35 < blistov> Gah!  Why are my ARP's coming in from vpn clients, hitting the LAN, LAN clients respond with an ARP reply, but the reply is never heard by the LAN-VPN bridge br0
09:35 < blistov> Firewall is inclusive and flushed.
09:37 <@dazo> blistov: are you using bridging?
09:38 <@dazo> blistov: I read the last sentence now :-P
09:38 < blistov> :)
09:38 < blistov> dazo, yea, its making me fucking crazy.
09:38 < blistov> I've done this hundreds of times in the past.  All I can think is that there's a bug.
09:38 <@dazo> blistov: this is really expected with bridging .... that's the concept of ARP on a network ... it will travel through a bridged network
09:38 <@dazo> if they are on separate network segments, it will just stay inside that network segment
09:39 < blistov> LAN is 10.0.0.0/8.  VPN clients are being given 10.0.4.1-20
09:39 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has joined #openvpn
09:39 < blistov> ARP leaves VPN client, traverses tun0 which is bridged to br0.  eth1 is also bridged to br0.
09:39 <@dazo> blistov: why are you bridging then?
09:40 < gladiatr> !welcome
09:40 < blistov> dazo, I need vpn clients to be on the same network as the LAN.
09:40 < blistov> Am I just having a brain fart here?
09:41 < gladiatr> blistov, just got here.  What sort of issue are you having?  I've got a bridge set up on a couple local nets for access to management functions.
09:41 <@dazo> blistov: you're having an enormous LAN you're bridging here ... and by having VPN clients in this little scope ... I wonder why you really need the VPN clients to be on the same lan
09:41 <@dazo> !logs
09:41 <@dazo> !log
09:41 <@dazo> !factoid
09:41 <@dazo> !factoids
09:42 <@dazo> ecrist: where is vpnHelper?
09:42 < blistov> The clients need to be accessible to LAN broadcast.
09:42 < blistov> Thats the biggest thing.
09:42 < pyther24> The client name, for client certs, don't have to be related to the hostname of the client, do they?
09:42 < blistov> SMB/Code Co-op.
09:42 < gladiatr> pyther24, they do not
09:42 < blistov> And a few other applications.
09:43 <@dazo> blistov: and a WINS server won't be easier?
09:43 < blistov> dazo, nope.  Code co-op needs broadcast as well.
09:43 < pyther24> gladiatr: any good naming scheme for them? I'm thinking something like jsmith-home
09:44 < blistov> Besides which, we occasionally need to connect to vpn clients by hostname.
09:44 <@dazo> blistov: okay ... well, then consider not to give out VPN addresses via OpenVPN but let the LAN DHCP server take care of that
09:44 < gladiatr> pyther24, My client certs are for specific individuals, so I do the "First Last <email@domain.com>"
09:44 < blistov> dazo, I've been trying to do that from the start.
09:44 < blistov> dazo, how do I configure vpnserver to do that?
09:44 < gladiatr> pyther24, but you can use anything that makes sense in your environment
09:45 < pyther24> gladiatr: do you pass ./build-key "First Last <email@domain.com>" ?
09:45  * ecrist kicks it again
09:45 <@dazo> blistov: lookup --server-bridge in the config ... read also how the --server-bridge macro expands towards the end ... and don't use pool-start/pool-end information
09:45 < gladiatr> pyther24, you're using the easy-rsa scripts?
09:46 < pyther24> gladiatr: yes
09:46 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
09:46 -!- mode/#openvpn [+o vpnHelper] by ChanServ
09:46 <@dazo> blistov: then you need to start a DHCP client on the Linux/OSX OVPN clients .... Windows OVPN clients should use DHCP by default
09:47 < gladiatr> pyther24, I run it as follows: "./pkitool --pass "John Smith <jsmith@somewhere.com>"
09:47 <@dazo> blistov: another thing ... the server TAP device don't need any IP address at all in this setup
09:47 < gladiatr> pyther24, that takes care of everything
09:48 < pyther24> gladiatr: does the openvpn client prompt for a password for the cert?
09:48 < gladiatr> pyther24, yes
09:49 < blistov> dazo, when I let dhcp server handle the clients ip, clients can no longer ping 10.0.0.1 (LAN interface)
09:49 < gladiatr> pyther24, technically it prompts for the passphrase for the *key*, but tis a hair that doesn't need to be split
09:49 < ecrist> be back in a while
--- Log closed Mon Dec 13 09:49:36 2010
--- Log opened Mon Dec 13 10:30:24 2010
10:30 -!- ecrist [~ecrist@kenny.secure-computing.net] has joined #openvpn
10:30 -!- Irssi: #openvpn: Total of 117 nicks [6 ops, 0 halfops, 0 voices, 111 normal]
10:30 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has joined #openvpn
10:30 -!- Irssi: Join to #openvpn was synced in 37 secs
10:31 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Client Quit]
10:32 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 260 seconds]
10:38 < ruyo> Is it possible easy-rsa scripts are not yet compatible with openssl 1.0.0x?
10:40 < ruyo> Because on Linux with openssl 1.0.0c I get "-----BEGIN PRIVATE KEY-----" and on Windows "-----BEGIN RSA PRIVATE KEY-----", making exacly the same steps.
10:45 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
10:47 < gladiatr> ruyo, dunno.  I haven't looked at the changelog for 1.x.  I wouldn't imagine they made dramatic changes to the interface, but I just can't say for certain.
10:48 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has joined #openvpn
10:50 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
10:50 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
10:51 <@dazo> ruyo: easy-rsa uses the openssl binary to do all its stuff, so if openssl have changed things, that will break things with openssl compatibility alone ... easy-rsa only exectures openssl commands, and catches the result of these operations
10:52 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
10:53 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds]
10:53 < gladiatr> ruyo, I'm curious so I'm compiling openssl 100c now
10:56 < ruyo> The fact is that the first time I generated keys I didn't have 1.0.0 and worked fine.
10:57 < ruyo> I know some changes were made that affected some applications, for instance Nautilus' SFTP.
10:58 < gladiatr> Hrm... I BLAME JULIAN ASSANGE!
10:58 < gladiatr> heh
11:04 < gladiatr> hrm... so is this with an existing CA or are you starting from scratch?
11:05 < ruyo> Always starting from scratch.
11:06 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 264 seconds]
11:07 < gladiatr> Ok.  Well, I'm seeing the same thing: 100c is not actually designating the key as an RSA key
11:08 < ruyo> Good to know I'm not getting senile. Yet. =)
11:08 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
11:08 < gladiatr> indeed!  It's always good to know that our sanity is relatively normal vs. the status quo
11:09 < ruyo> Hehe,
11:09 < ruyo> It says "Generating a 1024 bit RSA private key ... writing new private key to 'server.key'" though.
11:12 -!- ecrist_ [~ecrist@216.17.68.153] has joined #openvpn
11:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
11:13 -!- ecrist_ [~ecrist@216.17.68.153] has quit [Client Quit]
11:18 -!- mikkel [~mikkel@80.71.132.15] has joined #openvpn
11:21 < gladiatr> yup.  It acts normally.  Have you tried using the generated keys with anything?
11:24 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
11:27 < gladiatr> Hrm... an explanation is found here: http://tinyurl.com/27ud58q
11:27 <@vpnHelper> Title: Preamble Change with PKCS12 -> PEM - mailing.openssl.users | Google Groups (at tinyurl.com)
11:28 < gladiatr> So, if your applications are unable to cope with what is apparently the standard, you will want to not move to the 1.x branch of openssl for the time being
11:29 -!- dev001 [~dev001@unaffiliated/pgngw] has joined #openvpn
11:29 < pyther24> Ok I have setup a vpn and I got a connection going. I'm using tun, but I can't seem to talk to my 10.25.8.0 network (from the vpn client). However the server can talk to the 10.25.8.0 by means of a default route
11:29 < dev001> in my server's '/etc/openvpn/ccd/client.mydomain.com', i have "iroute 10.10.10.1 255.255.255.0; ifconfig-push 10.10.10.100 10.10.10.1".
11:29 < dev001>  but @ client->server connect, the client's assigned "10.10.10.10", and @server log reports: "client.mydomain.com/1.2.3.4:52105 SENT CONTROL [client.mydomain.com]: 'PUSH_REPLY,route  10.10.10.1 255.255.255.0,route 10.10.10.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.10.10.10 10.10.10.9'". 
11:30 < dev001>  i need a static IP assignment (10.10.10.100) @ client -- what have I missed/fubar'd?
11:31 < gladiatr> pyther24, are you pushing a route to the 10.25.8/24 network to your client?
11:32 < pyther24> gladiatr: yes, 10.25.8.0       10.25.252.5     255.255.252.0   UG    0      0        0 tun0
11:32 < pyther24> iptables and selinux are disabled for testing
11:33 < pyther24> gladiatr: I don't need an explict route on the vpn server, do I?
11:34 < gladiatr> Is the VPN server also acting as a router on your network?
11:34 < pyther24> gladiatr: no
11:34 < gladiatr> on your destination/server-side network, that is
11:35 < gladiatr> Ok.  Can you ping the server-side end-point from your client?
11:35 < pyther24> gladiatr: what address would that be? the other p-t-p address or the .1 address?
11:36 < pyther24> I can ping 10.25.252.1, but not 10.25.252.5, my client has 10.25.252.6
11:36 < gladiatr> net.ipv4.conf.all.forwarding is set to 1?
11:37 < gladiatr> or: echo 1 > /proc/sys/net/ipv4/ip_forward
11:39 < pyther24> gladiatr: bingo, so having ip_forward set to zero prevents the kernel networking stack from doing any routing, right?
11:39 < gladiatr> specifically, routing between interfaces
11:41 < gladiatr> brb
11:47 -!- mattock1 [~samuli@dyn55-11.yok.fi] has joined #openvpn
11:47 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Quit: Leaving.]
11:59 -!- dev001 [~dev001@unaffiliated/pgngw] has left #openvpn []
12:04 -!- jobicreatingweb [~jobicreat@adsl-132.91.140.93.tellas.gr] has joined #openvpn
12:05 < ucekpolish> hello guys
12:05 < ucekpolish> I have a short question
12:05 < ucekpolish> how can I put NAT exemption through the VPN tunnel
12:08 < jobicreatingweb> i have installed and configured the openvpn server-client 
12:09 < jobicreatingweb> from both of the sides when i restart openvpn it says
12:09 < jobicreatingweb> [OK]
12:10 < jobicreatingweb> but when from the client side i try to connect ( i have at the gateway my extr IP )its says failed to connect
12:10 < rjd__> ucekpolish: what exactly do you want to accomplish?
12:10 < jobicreatingweb> can you give me any hint
12:11 < rjd__> jobicreatingweb: increase verbosity on the client, and possibly on the server, and show us
12:12 < jobicreatingweb> i have installed and put the conf files and certs like the how to says
12:13 < jobicreatingweb> i have opened port 1194
12:14 < jobicreatingweb> i have put the parameters in the certs and conf files server -client
12:15 < jobicreatingweb> how i see what ip openvpn has took?
12:15 < jobicreatingweb> from server side?
12:15 < jobicreatingweb> my modem is in dhcp
12:18 < rjd__> ucekpolish: not sure if I know what you are trying to do, but in iptables you can use exclamation mark to say anything NOT blabla that bla bla and bla bla -j MASQUERADe, for example
12:21 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
12:24 < jobicreatingweb> i have left my ip that my modem router gives me in dhcp at my network card
12:24 < jobicreatingweb> ahould i put this ip somewhere in the conf files?
12:25 < jobicreatingweb> openvpn [server config file]  how to do this from terminal?
12:27 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 265 seconds]
12:31 -!- dazo is now known as dazo_afk
12:32 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
12:38 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
12:43 -!- jobicreatingweb [~jobicreat@adsl-132.91.140.93.tellas.gr] has left #openvpn []
13:04 -!- ruyo [~psantos@a83-132-152-91.cpe.netcabo.pt] has quit [Remote host closed the connection]
13:08 < krzee> !dns
13:08 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4
13:11 -!- FluxD [~FluxD@unaffiliated/fluxd] has quit [Quit: Leaving]
13:16 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
13:24 < roentgen> krzee: no love for opendns?
13:25  * jpalmer has the opposite of "love" for opendns.
13:26 < jpalmer> they never return an NXDOMAIN for one thing.  which is important in several environments.  (especially,  for things like mailservers and whatnot)
13:27 -!- s7r [~s7r@178.73.198.24] has joined #openvpn
13:28 < roentgen> true, although mailservers should not rely on public dns
13:29 < roentgen> and 4.2.2.x performs really bad in my region
13:32 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 265 seconds]
13:36 -!- Puck` [puck@akos.me] has joined #openvpn
13:36 < Puck`> hi everyone
13:38 < Puck`> I'd have a slight problem installing openvpn on ubuntu and I'd like to ask for some assitance if possible. I'm following this guide: https://help.ubuntu.com/10.04/serverguide/C/openvpn.html while copying the certs I'm getting "cp: cannot stat `dh1024.pem': No such file or directory"
13:38 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has quit [Read error: Operation timed out]
13:38 <@vpnHelper> Title: OpenVPN (at help.ubuntu.com)
13:38 < Puck`> what should I do, or if I'm missing this, is it okay?
13:39 < krzee> !dh
13:39 <@vpnHelper> "dh" is build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN
13:39 < krzee> what you should really do is not blindly follow lamesauce walkthroughs
13:39 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has joined #openvpn
13:39 < Puck`> that's one good thought, but I thought it would be okay, since it's official documentation :\
13:40 < Puck`> krzee: could you point me to a valid howto please?
13:40 < krzee> official??
13:40 < krzee> !howto
13:40 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:40 < Puck`> thank you
13:40 < krzee> THAT is the official howto
13:40 < krzee> not some walkthrough on the ubuntu site
13:41 < Puck`> well I believed that it was an OS specific, but okay, my bad, i'm sorry, i'm new to this. Thank you very much for the help krzee 
13:41 < krzee> no problem
13:42 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has joined #openvpn
13:45 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
13:52 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 265 seconds]
13:53 < gdb``> Oh looking back through the verb 5 logs, looks like there is a somewhat interesting pattern: ...WRwrWRwrWRwrWRwrWRwrWRwrWRwrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWr....  I guess that reflects the server ceasing to respond?
14:12 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:17 -!- trumee [~parul@cpc3-cmbg14-0-0-cust113.5-4.cable.virginmedia.com] has joined #openvpn
14:19 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
14:19 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
14:19 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
14:24 -!- pyther24 [~pyther@unaffiliated/pyther] has quit [Quit: leaving]
14:27 -!- EmperorTom [~EmperorTo@174-30-242-211.mpls.qwest.net] has joined #openvpn
14:41 < trumee> guys my router is called xx.dyndns.org which port forwards sip ports to my asterisk server sitting at 172.16.1.120. My sip client registers to the server xx.dyndns.org in the absence of vpn. However, once i turn the openvpn on, it fails to register to xx.dyndns.org, instead i have to change the server to 172.16.1.120.
14:42 < trumee> is there any way xx.dyndns.org may be made to resolve to 172.16.1.120 once the vpn has been has been established?
14:42 < trumee> The openvpn server runs on the router itself (ie xx.dyndns.org)
14:43 < Bushmills> check your routing
14:43 < ucekpolish> rjd__: I have a problem with NAT. My software received packet from ie. 192.168.0.1 but over tun 10.0.0.1. the software want to respond to address 10.0.0.1 but it is 192.168.0.1. here is a problem
14:44 < ucekpolish> should I do it over iptables?
14:44 < Bushmills> i suppose "made to resolve to 172.16.1.120" doesn't mean what it says - otherwise just add a line to the hosts file
14:46 < Bushmills> 172.16.0.0/12 is an rfc1918 address and dyndns shouldn't have to do anything with that
14:47 < roentgen> gdb``: not at all. I guess it means traffic passing on
14:48 < trumee> Bushmills: i have this in the server openvpn.conf,  push "route 172.16.1.0 255.255.255.0" , push "redirect-gateway def1 bypass-dhcp" and push "dhcp-option DNS 172.16.1.1"
14:49 < Bushmills> trumee: i drink my coffee without sugar, and just a bit of milk.
14:50 < trumee> Bushmills: you mean in the client i should add an entry to the /etc/hosts, xx.dyndns.org 172.16.1.120?
14:50 < Bushmills> no, i mean you should check whether your routing is right, as that can explain "fails to register when openvpn is up"
14:51 < trumee> Bushmills: on the client side i should do a route -n?
14:51 < Bushmills> that sound sort of good
14:55 < trumee> Bushmills, This is the route table after openvpn has been established, http://pastebin.com/2R1cySyj
14:55 < Bushmills> ucekpolish: why does your software want to reply to 10.0.0.1 when it received a request from 192.168.0.1?
14:56 < Bushmills> trumee: now make sure that all destinations are accounted for properly
14:58 < trumee> Bushmills: my sip client would tries to connect to xx.dyndns.org which will resolve to my wan ip i guess and will fail after that
14:59 < Bushmills> once you spotted a wrong, or a missing route, fix it.   alternatively, take steps to allow server to respond to packets coming in from a different ip address, or going to a different interface.
14:59 < trumee> Bushmills: my understanding (might be wrong) is that router recieves a sip request from the client but doesnt forward it to the asterisk server.
14:59 < ucekpolish> sorry I explened wrong. it is going 192.168.0.1 -> 10.0.0.1 -> 192.168.3.1 and the 192.168.3.1 see it as 10.0.0.1. It is a problem with the network address translation
15:00 < ucekpolish> that's way I would like to do vpn without NAT. is it possible?
15:00 < Bushmills> right, then you don't want NAT
15:00 -!- mant1s [mant1s@unaffiliated/mant1s] has joined #openvpn
15:01 < ucekpolish> how can I do that?
15:01 < Bushmills> NAT is not configured in openvpn. it is in the networking setup of your machine
15:01 < ucekpolish> oh...
15:01 < Bushmills> essentially, you reverse the steps you took when configuring NAT
15:02 < trumee> Bushmills, no idea what route might be missing.
15:03 < Bushmills> neither do i. but you have the advantage of knowing what connections you intend to let go over what interface.
15:04 < trumee> Bushmills: :), no worries. thanks for your comments.
15:09 -!- raven737 [5b41ec40@gateway/web/freenode/ip.91.65.236.64] has joined #openvpn
15:10 < raven737> Hi... i just set up open vpn. I can connect via a client but when i browse the internet the client still uses its local connection and not the vpn tunnel.... how can i make sure it connects via the vpn tunnel?
15:12 < raven737> ohhh me just saw "Routing all client traffic (including web-traffic) through the VPN" in the hwoto... 
15:14 < raven737> now i remember... it didn't work becuase iwasn't using bridge mode.. need to setup brige mode
15:16 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has quit [Ping timeout: 240 seconds]
15:20 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Remote host closed the connection]
15:20 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
15:20 < Bushmills> nope
15:21 < Bushmills> no need for bridge to have internet over vpn
15:21 < Bushmills> !redirect
15:21 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
15:21 < raven737> arg i enabled push redirect-gateway and dhcp-option and now the server is not openning a port.. what am i doing wrong? :(
15:22 < Bushmills> "what am i doing wrong?" you failed to read the log for the reason of "server is not openning a port"
15:22 < raven737> Bushmills: yes.. but that whole ip forwarding/nat did not work for me somehow.. bridge is simple .. if it works :/
15:22 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has joined #openvpn
15:22 < Bushmills> !tunortap
15:22 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
15:22 <@vpnHelper> over the vpn, or (#4) lan gaming? use tap!
15:24 < raven737> Bushmills: ohhh thanks.. i just learned there was a log ^_^;
15:35 -!- mant1s [mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds]
15:37 -!- atan [~atan@unaffiliated/atan] has quit [Ping timeout: 245 seconds]
15:38 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
15:50 < raven737> aw man... so i removed ifconfig-pool-persist on server, changed client to tap, removed ifconfig on client... now it is not using the ca i specify in the client config... instead it is getting a really old one that i 
15:50 < raven737> deleted from somehwre
15:51 < raven737> could it be that the cert is set up for the tap connection?
15:56 < pyther> Hi
15:56 < pyther> Does anyone have a good guide on iptables?
15:57 < hyper_ch> http://lartc.org/
15:57 <@vpnHelper> Title: Linux advanced Routing & Traffic Control HOWTO (at lartc.org)
16:01 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: Amazon Cloud and OpenVPN :: Author masalinas <https://forums.openvpn.net/viewtopic.php?f=15&t=7396&p=8686#p8686>
16:03 -!- mattock [~samuli@dyn55-11.yok.fi] has joined #openvpn
16:03 -!- mattock1 [~samuli@dyn55-11.yok.fi] has quit [Read error: Connection reset by peer]
16:11 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
16:23 -!- raven737 [5b41ec40@gateway/web/freenode/ip.91.65.236.64] has quit [Ping timeout: 265 seconds]
16:25 -!- raven737 [5b41ec40@gateway/web/freenode/ip.91.65.236.64] has joined #openvpn
16:27 < raven737> meh... so i set up bridge mode, i switched to tap, disabled ifconfig-pool, used push redirect-gateway... client connects and gateway/dns/subnet all looks good.. i can access other servers on local server lan... but when i browse the net it still not using server connection... why :(
16:28 < raven737> what is the "def1" refering to in "redirect-gateway def1"
16:29 < raven737> do i need the "bypass-dhcp"? i want the client to get an ip via server dhcp...
16:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Quit: I am off]
16:29 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Organize your IRC]
16:30 < trumee> raven737: dont you need to forward traffic on the server.
16:30 < trumee> raven737: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
16:30 < trumee> raven737: echo 1 > /proc/sys/net/ipv4/ip_forward
16:30 < trumee> on the server.
16:31 < raven737> ... it.s windows :( (hides)
16:33 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
16:33 < raven737> trumee: server and clients are windows based... i bridged the tap and main ethernet using this right-click-bridge thing
16:33 < ecrist> blah
16:34 < trumee> raven737: no idea about windows. i am still learning openvpn on linux and have no windows machines.
16:35 < raven737> trumee: well thanks for trying to help! :)
16:35 < raven737> i just saw the client said something about "unable to redirect gateway" should use route-gateway?
16:41 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Problem with VPN Client :: Reply by Gabor <https://forums.openvpn.net/viewtopic.php?f=4&t=7386&p=8687#p8687>
16:46 -!- adawda is now known as sia^pwnnt
16:46 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
16:54 -!- trumee is now known as trumee_away
16:59 < pyther> If I wanted to route only for VPN connections I would only want to accept only NEW (state) connections for tap0, correct?
17:11 < Bushmills> udp is stateless. connection-less.
17:11 < raven737> i only get "NOTE: unable to redirect default gateway — VPN gateway parameter (–route-gateway or –ifconfig) is missing" ... tried to enable route-gateway via push from server and directly on client... with and without subnet mask.. nothing helsp :(((
17:16 < Bushmills> " VPN gateway parameter is missing" - maybe your problem is that the parameter to –route-gateway is missing?
17:16 < Bushmills> at least, that's what that message suggests
17:17 < raven737> no i added it in all possible variants (server push, client, no gateway address, gateway only, gatway + subnet... nothing
17:18 < Bushmills> "unable to redirect default gateway" ... is there a route through which the specified gateway can be reached?
17:21 < raven737> Bushmills: well i can ping the gw... gw is also dns and that also works
17:23 < Bushmills> you wanted to use internet over openvpn?
17:23 < raven737> yes.. only that
17:23 < raven737> well i don't mind if more works.. but inet is what i need :(
17:23 < Bushmills> where does the need come from to explicitely set up routes and specify gateway? for your goal, that's not needed
17:24 < Bushmills> ah, i remember. you were the one saying that you prefer tap, because everything is easy-peasy with that, and it just works, rather than using tun
17:24 < raven737> without redirect gateway inet goes over the local inet connection and not trough vpn over server inet
17:25 < raven737> lol are you making fun of me :/
17:25 < Bushmills> right.  redirect-gateway. but you're trying to use route-gateway
17:25 < Bushmills> you don't need route-gateway for and with redirect-gateway
17:26 < raven737> Bushmills: no i have redirect gateway... it doesn't work with note above and says it also needs route gateway (or ifconfig on tun) .. so i also added that.. still does not work
17:26 < Bushmills> yes, a bit. pulling you toes there. i'm notorious for that.
17:26 < raven737> :)
17:26 < Bushmills> redirect-gateway won't give you a note about route-gateway
17:27 < Bushmills> !redirect
17:27 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:27 < Bushmills> is your client windows?
17:27 < raven737> Bushmills: yes
17:27 < Bushmills> !winroute
17:27 <@vpnHelper> "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
17:28 < raven737> ok will try those one by one...
17:29 -!- mikkel [~mikkel@80.71.132.15] has quit [Quit: Leaving]
17:55 -!- sia^pwnnt is now known as sia
17:55 -!- sia is now known as adawda
18:02 < raven737> no thos eoptions did not work..... Sooo i took the sample config for both server and client and only changed as little as possible... and now it works >_<
18:10 -!- atan [~atan@unaffiliated/atan] has quit [Ping timeout: 245 seconds]
18:12  * ecrist needs to enable the new RSS feed generator
18:15 -!- s7r [~s7r@178.73.198.24] has left #openvpn []
18:20 -!- nijotz_ [~nick@72.14.181.106] has joined #openvpn
18:20 -!- nijotz_ is now known as nijotz
18:21 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Quit: reboot]
18:23 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined #openvpn
18:40 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
18:41 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 264 seconds]
18:52 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:58 < pyther> Anyone using eupheria? I cant seem to get my firewall rules to work right
18:58 < pyther> Here they are: http://paste.pocoo.org/show/304564/
18:59 < pyther> my vpn_users rule is being hit, but I'm guessing packets aren't coming back
19:02 < pyther> I just confirmed it doing a wireshark
19:02 < pyther> what do I need to do in my forward policy to allow packets to come back to my hosts?
19:11 -!- jay_mart [~jay.mart@75-151-249-165-Pennsylvania.hfc.comcastbusiness.net] has joined #openvpn
19:11 < jay_mart> !Welcome
19:11 <@vpnHelper> "Welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
19:12 < jay_mart> !goal I am looking into setting up an openvpn server on a vps server but my main goal is to be able to vpn to the vps server that will then forward all routing to my home network
19:23 -!- jay_mart [~jay.mart@75-151-249-165-Pennsylvania.hfc.comcastbusiness.net] has quit [Read error: Connection reset by peer]
19:24 -!- jay_mart [~jay.mart@75-151-248-53-Pennsylvania.hfc.comcastbusiness.net] has joined #openvpn
19:25 < pyther> Can anyone share their firewall rules with me?
19:26 -!- smerz [~smerz@smerz.demon.nl] has quit [Remote host closed the connection]
19:34 < Bushmills> forward policy ACCEPT, no rules, is enough
19:35 -!- jay_mart [~jay.mart@75-151-248-53-Pennsylvania.hfc.comcastbusiness.net] has quit [Read error: Connection reset by peer]
19:35 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
19:35 < Bushmills> you need a nat rules, though. like that one:  http://scarydevilmonastery.net/masq
19:35 < ecrist> !linnat
19:35 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
19:35 -!- jay_mart [~jay.mart@75-151-249-165-Pennsylvania.hfc.comcastbusiness.net] has joined #openvpn
19:36 < Bushmills> (you were trying to use internet over vpn, by redirect-gateway, right?)
19:38 -!- jay_mart [~jay.mart@75-151-249-165-Pennsylvania.hfc.comcastbusiness.net] has quit [Read error: Connection reset by peer]
19:38 -!- jay_mart [~jay.mart@75-151-249-57-Pennsylvania.hfc.comcastbusiness.net] has joined #openvpn
19:39 < jay_mart> Bushmills, is ur question directed at me or pyther?
19:39 < Bushmills> to pyther
19:40 < krzie> jay_mart, 
19:40 < krzie> your main goal is to just access your home LAN over the VPN, right?
19:40 < Bushmills> you i didn't react to.  i didn't quite know what "forwarding my routing means"!
19:40 < krzie> right, thats the part i dont get as well
19:40 < Bushmills> i know forwarding packets, routing packets. 
19:41 < Bushmills> and i know of doing routing
19:41 < Bushmills> i guess you want to download your routing table over vpn
19:42 -!- SOG [~SOG@113.90.224.244] has joined #openvpn
19:42 < jay_mart> my apartment complete uses several routers that I can not setup forwarding thru so ddyns will not work for me to access my home network
19:42 < Bushmills> dyndns is not a forwarding service. it is a host name resolving service. 
19:43 < jay_mart> i want to setup a vpn from my home network (pc or dd-wrt router) to a cloud server or vps server
19:43 < Bushmills> sounds like, server on one end, client on the other end.
19:45 < jay_mart> i want it so that when im not at home i can vpn to the server and be able to access my home network resources
19:45  * Bushmills braces himself for the question "will that forward my routing?"
19:46 < Bushmills> you can have multiple clients. also from different locations
19:47 < Bushmills> you can also talk between clients, if set up accordingly
19:47 < jay_mart> rounting was ALL network traffic the client was sending
--- Log opened Mon Dec 13 19:49:54 2010
19:49 -!- ecrist [~ecrist@216.17.68.153] has joined #openvpn
19:49 -!- Irssi: #openvpn: Total of 116 nicks [6 ops, 0 halfops, 0 voices, 110 normal]
19:50 -!- Irssi: Join to #openvpn was synced in 37 secs
19:51 < jay_mart> will my home network traffic (internet, ftp, etc) go thru the vpn and be able to access the internet?
19:52 < Bushmills> if you set it up that way, and if cloud (where vpn server is) allows outbound traffic, yes.
19:52 < ecrist> hopefully this will prove a more reliable irc host
19:53 < Bushmills> ecrist: in need of a bouncer?
19:53 < ecrist> no, my home connection gets bouncy in really cold weather, so I moved my irssi stuff to a work machine
20:01 < jay_mart> i am pretty new to setting up vpns, i am also just now getting used to irc
20:07 < pyther> I want to push some routes to specific clients (not all clients) can I put a push "route 10.25.8.0 255.255.252.0" in a ccd file?
20:07 < Bushmills> yes, you can
20:09 -!- raven737 [5b41ec40@gateway/web/freenode/ip.91.65.236.64] has quit [Quit: Page closed]
20:13 < pyther> Is there anything special I need to do?
20:13 < pyther> I created /etc/openvpn/ccd/mgyurgyik
20:14 < pyther> grr wrong folder
20:14 < pyther> I'm having a terrible night
20:30 -!- jay_mart_me [~jay.mart@75-151-249-165-Pennsylvania.hfc.comcastbusiness.net] has joined #openvpn
20:30 -!- jay_mart [~jay.mart@75-151-249-57-Pennsylvania.hfc.comcastbusiness.net] has quit [Read error: Connection reset by peer]
20:31 < pyther> Is it possible to run openvpn from a flash drive?
20:31 < reiffert> yes.
20:31 < pyther> reiffert: what is the trick to get the gui to find my configs?
20:32 < reiffert> gui?
20:33 < pyther> yes, openvpn-gui-1.0.3
20:33 < pyther> I should mention this is for a windows machine
20:33 < reiffert> openvpn runs perfectly without gui.
20:33 < pyther> reiffert: but my end users don't!
20:34 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
20:34 < reiffert> your end users dont run perfectly without gui?
20:34 < pyther> nope, if there is no gui they will bitch
20:35 < reiffert> cicso vpn?
20:35 < Bushmills> wrong kind of end users :) 
20:35 < reiffert> or better: windows vpn.
20:35 < pyther> can openvpn be used with windows vpn client?
20:35 < reiffert> pyther: hand them a .bat file. you can click it
20:35 < reiffert> no.
20:35 < pyther> reiffert: I can't do that
20:36 < reiffert> *YES, YOU CAN*
20:36 < pyther> sure I can but it aint gonna help me switch over from the crappy vpn client my isp currently provides
20:37 < ecrist> ping krzee
20:38 < krzie> pong
20:39 < theDoc> reiffert: What's the recommended setup for getting openvpn on a usb stick?
20:39 < reiffert> theDoc: take a screw driver. open the pen. bring it on and close the stick.
20:40 < krzie> ecrist, =]
20:40 < theDoc> D:
20:41 < theDoc> reiffert: Not that way, D:
20:41 < reiffert> e.g. copy all the required files onto the filesystem and you are done.
20:41 < krzie> but the gui needs reg entries and stuff
20:41 < krzie> so you really wont be using the gui like that
20:41 < reiffert> krzie: really?
20:42 < reiffert> does the gui registry entries? are you sure?
20:42 < krzie> yup, info on the reg entries is on the win install notes
20:42 < krzie> you can change the default config dir in there and stuff
20:42 < reiffert> so can I put them in a bat file, like "all the things that are required"?
20:43 < krzie> maybe, im not sure what else is needed
20:43 < krzie> thats just 1 thing i know for sure
20:43 < reiffert> guess!
20:43 < reiffert> its windows ninetyyy fiivvveeee
20:43 < reiffert> it's sucking up my driiiiive
20:43 < krzie> well i would say:
20:44 < reiffert> kernel drivers and administrator priveledges. can I pack them into the bat file?
20:44 < reiffert> like all the required stuff? hell yes, there you got!
20:44 < krzie> the user could install openvpn to their system, then run your .reg file to import your settings, then the gui would know to look in the usb stick for the configs and whatnot
20:44 < reiffert> it
20:44 -!- jay_mart_me [~jay.mart@75-151-249-165-Pennsylvania.hfc.comcastbusiness.net] has quit [Read error: Connection reset by peer]
20:44 < reiffert> put the fucking installer onto the drive.
20:44 < krzie> but regardless, they will need openvpn on the system
20:44 -!- jay_mart_me [~jay.mart@75-151-249-57-Pennsylvania.hfc.comcastbusiness.net] has joined #openvpn
20:44 < reiffert> copy paste the fucking configs
20:44 < reiffert> done
20:45 < ecrist> krzie: can you run /sysinfo for me?
20:45 < ecrist> or whatever the command is?
20:45 < ecrist> I'm making a BSD version for irssi
20:45 < ecrist> :)
20:45 < krzie> MacPro3,1 CPU: Intel Core2 Quad Q9400 2.66GHz @ 2.4GHz [/FPU/MMX/SSE/SSE2/SSE3/S.SSE3/SSE4.1/x86_64/PAE/XD/EM64T/VMX/EST/QuadCore] L2: 6144K FSB: 1064MHz Airport:    RAM: 4.9GB/8.0GB Vram: 121.38M/256.00M Disk: 426.98GB/931.39GB GPU: Unknown nVidia card [512 MB/Stock] 1280x1024@60Hz and 1280x1024@60Hz OS: Mac OS X 10.6.5 (10H574) Kernel: Darwin 10.5.0 Up: 27 days 21:08
20:45 < krzie> (/macinfo)
20:45 < ecrist> danke
20:45 < krzie> np
20:45 < reiffert> moin moin ecrist!
20:46 < ecrist> howdy
20:47 < reiffert> ecrist is taking a german course ...
20:47 < reiffert> for hunting german drivers when patrolling the highway ..!
20:50 -!- dhani_cakep [~Guest6595@195.117.61.5] has joined #openvpn
20:50 -dhani_cakep:#openvpn- Happy Christmas! http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
20:50 < dhani_cakep> dude u want this http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
20:50 -!- dhani_cakep [~Guest6595@195.117.61.5] has left #openvpn []
20:50 -!- mode/#openvpn [+o ecrist] by ChanServ
20:50 -!- mode/#openvpn [+b *!*@195.117.61.5] by ecrist
20:50 < krzie> can you word ban ihaxor on vpnHelper?
20:51 <@ecrist> hrm
20:51 <@ecrist> prolly
20:51  * ecrist doesn't want to read docs right now, though
20:51 <@ecrist> feel free. :)
20:51 <@ecrist> so, so far I have 
20:51 <@ecrist> System Info: RAM: 24GB
20:51 <@ecrist> woot
20:59 < pyther> Doesn't look like I can connect to the vpn using the same cert
20:59 < reiffert> iaxhor
20:59 < pyther> err... I connect to hosts using the same cert/username/password combo and got the same ip address on both hosts
21:00 < krzie> pyther, why would you use the same cert?
21:00 < pyther> just to test the windows piece :P
21:02 -!- s7r [~s7r@178.73.198.24] has joined #openvpn
21:05 -!- adawda is now known as sia^pwnnt
21:11 < krzie> gotchya
21:12 < krzie> in that case, you cant use static ips, or ipp.txt, and youd need to enable duplicate cert logins
21:14 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
21:15 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
21:21 -!- jay_mart_me [~jay.mart@75-151-249-57-Pennsylvania.hfc.comcastbusiness.net] has quit [Quit: Leaving]
21:28 -!- jay_mart [4b97f835@gateway/web/freenode/ip.75.151.248.53] has joined #openvpn
21:29 -!- s7r [~s7r@178.73.198.24] has left #openvpn []
21:29 <@ecrist> this sysinfo plugin is not going to be done tonight
21:29 <@ecrist> will get it done tomorrow
21:31 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Quit: Ctrl-C at console.]
21:31 < pyther> Does anyone hae a good dns helper script for linux?
21:32 -!- jay_mart [4b97f835@gateway/web/freenode/ip.75.151.248.53] has quit [Client Quit]
21:33 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
21:33 -!- mode/#openvpn [+o vpnHelper] by ChanServ
21:36 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Client Quit]
21:37 -!- jay_mart [~Jason@75-151-249-165-Pennsylvania.hfc.comcastbusiness.net] has joined #openvpn
21:37 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
21:37 -!- mode/#openvpn [+o vpnHelper] by ChanServ
21:39 -!- jay_mart [~Jason@75-151-249-165-Pennsylvania.hfc.comcastbusiness.net] has quit [Client Quit]
21:43 <@ecrist> I cannot seem to get the BadWords plugin loaded.
21:45 -!- Some_Person [~GoodPerso@99-99-216-248.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
21:45 < Some_Person> I'm having a problem with OpenVPN Server on Windows XP: The service, which has worked before a recent malware infection, is refusing to start
21:47 < pyther> Some_Person: you problem is pretty obvious
21:47 < pyther> you had a malware infection
21:47 < Some_Person> Everything else on this machine appears to be working fine, but the OpenVPN service won't start because "The dependency service or group failed to start"
21:47 < pyther> who the hell knows what it messed up
21:47 < Some_Person> It was the TDSS rootkit
21:48 < Some_Person> As far as I can tell, it appears to be gone now
21:53 -!- Klem [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has quit [Ping timeout: 265 seconds]
21:53 < Some_Person> I was able to trace the problem
21:53 < Some_Person> The OpenVPN Service service depends on the TAP-Win32 Adapter V9 service which failed to start because of the following error:
21:53 < Some_Person> The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
21:54 < Some_Person> The service doesn't seem to exist. Is hthere any way to reinstall it without reinstalling OpenVPN itself?
21:55 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Quit: Ctrl-C at console.]
21:56 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
21:56 -!- mode/#openvpn [+o vpnHelper] by ChanServ
21:57 -!- SOG [~SOG@113.90.224.244] has left #openvpn []
21:57 -!- SOG [~SOG@113.90.224.244] has joined #openvpn
21:59 < Some_Person> If I reinstall OpenVPN on Windows, will I have to regenerate my certs?
22:00 <@ecrist> ihaxor
22:00 <@ecrist> !badwords list
22:00 <@vpnHelper> ihaxor
22:02 -!- Klem [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has joined #openvpn
22:03 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Read error: Connection reset by peer]
22:09 -!- Some_Person [~GoodPerso@99-99-216-248.lightspeed.hstntx.sbcglobal.net] has quit []
22:21 -!- Some_Person [~GoodPerso@99-99-216-248.lightspeed.hstntx.sbcglobal.net] has joined #openvpn
22:21 < Some_Person> I got the server running again, but clients that connect to it are unable to access anything
22:22 < Some_Person> I had this issue before, and I think it had to do with NAT or something like that, but I don't remember what I did before to get things working
22:28 < Some_Person> nevermind got it
22:28 -!- Some_Person [~GoodPerso@99-99-216-248.lightspeed.hstntx.sbcglobal.net] has quit []
22:38 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Disconnected by services]
22:38 -!- d457k [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined #openvpn
22:39 -!- pyther [~pyther@unaffiliated/pyther] has quit [Ping timeout: 264 seconds]
22:39 -!- dazol [~dazo@nat/redhat/x-zhxamqseajxtodja] has joined #openvpn
22:39 -!- _Meliorator [m@dunnington.eu] has joined #openvpn
22:40 -!- krzee [~k@openvpn/community/support/krzee] has quit [Remote host closed the connection]
22:40 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
22:40 -!- mode/#openvpn [+o vpnHelper] by ChanServ
22:40 -!- Gokee2_ [~gokee2@204-195-14-78.wavecable.com] has joined #openvpn
22:41 -!- krzee [~k@ftp.secure-computing.net] has joined #openvpn
22:41 -!- krzee [~k@ftp.secure-computing.net] has quit [Changing host]
22:41 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
22:52 -!- Netsplit *.net <-> *.split quits: sedulous, APTX, err0r, @raidz, Typone, common, ScriptFanix, _zero_, krzee, toortog,  (+94 more, use /NETSPLIT to show all of them)
22:55 -!- Netsplit over, joins: batrick, oc80z, gladiatr, corretico, theDoc
22:55 -!- DarthGandalf [~Vetinari@delta.cluenet.org] has joined #openvpn
22:55 -!- Netsplit over, joins: kisom, LeRrA, Typone
22:55 -!- Martin [martin@shell.ipv6.octocore.net] has joined #openvpn
22:55 -!- Netsplit over, joins: d457k, @patelx, common, krphop, nb, ivenkys, Kevin`, ^scott^, agagag, takamichi (+12 more)
22:55 -!- Martin is now known as 14WAAFT4F
22:56 -!- Netsplit over, joins: @openvpn2009, chantra_afk, Rolybrau, jfkw, master_of_master, APTX, sjk, _zero_, fbh, @vpnHelper (+50 more)
22:56 -!- sia^pwnnt_ [115kluu@owned.ninjasinpyjamas.biz] has joined #openvpn
22:56 -!- Netsplit over, joins: krzee, grishnav, ScriptFanix, LowKey, ucekpolish, Champi
22:56 -!- lupine_85 [~lupine_85@master.lupine.me.uk] has joined #openvpn
22:56 -!- DarthGandalf [~Vetinari@delta.cluenet.org] has quit [Changing host]
22:56 -!- DarthGandalf [~Vetinari@shellium/developer/darthgandalf] has joined #openvpn
22:57 -!- Netsplit *.net <-> *.split quits: sht, Dougy, KipMacy, Bushmills, blistov, JakeSays, UnterPerro, trumee_away, Visual`, Puck`,  (+41 more, use /NETSPLIT to show all of them)
22:57 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has joined #openvpn
22:58 -!- Netsplit over, joins: @vpnHelper, EvilJStoker, @raidz, @cron2, jpalmer, Gokee2_, Klem, SOG, UnterPerro, nijotz (+41 more)
22:58 -!- Gokee2_ [~gokee2@204-195-14-78.wavecable.com] has quit [Write error: Broken pipe]
23:01 -!- err0r [~err0r@89.36.166.222] has quit [Ping timeout: 333 seconds]
23:01 -!- openbsdnoob [~openbsdno@88.79.221.61] has quit [Ping timeout: 333 seconds]
23:01 -!- meepmeep [meepmeep@212.24.104.229] has quit [Ping timeout: 333 seconds]
23:01 -!- openbsdnoob [~openbsdno@88.79.221.61] has joined #openvpn
23:02 -!- err0r [~err0r@89.36.166.222] has joined #openvpn
23:02 -!- meepmeep [meepmeep@212.24.104.229] has joined #openvpn
23:14 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
23:17 -!- mant1s [~mant1s@cpe-76-179-25-35.maine.res.rr.com] has joined #openvpn
23:17 -!- mant1s [~mant1s@cpe-76-179-25-35.maine.res.rr.com] has quit [Changing host]
23:17 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
23:23 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:42 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 264 seconds]
23:55 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
23:57 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has quit [Read error: Connection reset by peer]
23:57 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has joined #openvpn
--- Day changed Tue Dec 14 2010
00:10 -!- Netsplit *.net <-> *.split quits: agagag, ^scott^, Kevin`
00:10 -!- Netsplit over, joins: agagag, Kevin`
00:11 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 265 seconds]
00:11 -!- _Meliorator [m@dunnington.eu] has quit [Quit: changing servers]
00:12 -!- Meliorator [m@dunnington.eu] has joined #openvpn
00:16 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 245 seconds]
00:18 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
00:18 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
00:18 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
00:19 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 250 seconds]
00:24 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
00:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
00:43 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
01:12 -!- hanasaki [BLACKLIST@cpe-76-92-220-37.kc.res.rr.com] has joined #openvpn
01:13 < hanasaki> is openvpn in ubuntu the client,server,both?
01:14 < hyper_ch> hanasaki: both
01:14 < hanasaki> so does it have the 2 user license limit like the download from the openvpn.net?
01:15 < hyper_ch> you use community version or AS?
01:15 < hyper_ch> the community version has no user licence limit
01:16 < hanasaki> neither... just investigating now
01:16 < hyper_ch> and that's the openvpn package provided by the Ubuntu repos
01:16 < hanasaki> what's missing in community vs AS?  AS = ?
01:16 < hyper_ch> AS has a nice gui to manage it I think
01:18 < hanasaki> 50 bucks min .. hmmm
01:18 < hanasaki> the other one is ummm openswan? or is that the dead project?
01:19 -!- trumee_away is now known as trumee
01:20 -!- trumee [~parul@cpc3-cmbg14-0-0-cust113.5-4.cable.virginmedia.com] has left #openvpn ["Leaving"]
01:32 -!- SOG [~SOG@113.90.224.244] has quit [Remote host closed the connection]
01:32 -!- SOG [~SOG@113.88.216.224] has joined #openvpn
01:33 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:34 -!- SOG [~SOG@113.88.216.224] has quit [Client Quit]
01:37 -!- Gokee2 [~gokee2@204-195-14-78.wavecable.com] has quit [Read error: Operation timed out]
01:40 < hyper_ch> ???
01:40 < hyper_ch> why do you even need a gui?
01:43 < hanasaki> so what is  openswan vs openvpn?
01:44 < hanasaki> hyper_ch: well whatever I have must support windows and have a gui setup.. its not me using it .. :(  the client software that is
01:44 < hyper_ch> what is openswan?
01:44 < hyper_ch> never used openvpn on windows
02:03 -!- gdb`` [~user@dr-wily.ipv6.mit.edu] has quit [Remote host closed the connection]
02:03 -!- gdb`` [~user@dr-wily.ipv6.mit.edu] has joined #openvpn
02:10 -!- ^scott^ [~scott@stthom.org] has joined #openvpn
02:17 <@vpnHelper> RSS Update - forum: Installation Help :: error read UDPv4: Connection reset by peer (WSAECONNRESET) ( :: Author IanD <https://forums.openvpn.net/viewtopic.php?f=5&t=7397&p=8688#p8688>
02:28 -!- SmokeyD [~dolf@f12099.upc-f.chello.nl] has joined #openvpn
02:30 < SmokeyD> hey everyone, does the revoke-full script also keep the entries of previously revoked certificates to the crl.pem file? 
02:46 -!- dazol is now known as dazo
02:46 -!- dazo [~dazo@nat/redhat/x-zhxamqseajxtodja] has quit [Changing host]
02:46 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
02:46 -!- dictvm [~irssi@devastation.securewebs.net] has quit [Ping timeout: 272 seconds]
02:47 -!- irssi [~irssi@devastation.securewebs.net] has joined #openvpn
02:55 -!- patelx [~a@openvpn/corp/admin/patel] has quit [Ping timeout: 272 seconds]
02:56 -!- ccr_ [~cransom@crosstalk.atomz.com] has quit [Ping timeout: 272 seconds]
02:56 -!- common [~common@p5DDA4948.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
02:57 -!- common [~common@p5DDA4948.dip0.t-ipconnect.de] has joined #openvpn
02:59 -!- patelx [~a@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined #openvpn
03:24 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
03:25 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Disconnected by services]
03:26 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
03:27 -!- mode/#openvpn [+o vpnHelper] by ChanServ
03:36 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
03:38 -!- lupine_85 [~lupine_85@master.lupine.me.uk] has quit [Changing host]
03:38 -!- lupine_85 [~lupine_85@unaffiliated/lupine-85/x-7392152] has joined #openvpn
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
03:48 -!- master_of_master [~master_of@p57B55EB4.dip.t-dialin.net] has quit [Ping timeout: 250 seconds]
03:49 -!- master_of_master [~master_of@p57B57128.dip.t-dialin.net] has joined #openvpn
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
04:23 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Disconnected by services]
04:25 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
04:25 -!- mode/#openvpn [+o vpnHelper] by ChanServ
04:25 -!- common- [~common@p5DDA48AA.dip0.t-ipconnect.de] has joined #openvpn
04:28 -!- common [~common@p5DDA4948.dip0.t-ipconnect.de] has quit [Ping timeout: 272 seconds]
04:28 -!- common- is now known as common
04:46 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
04:51 -!- ccr_ [~cransom@crosstalk.atomz.com] has joined #openvpn
04:53 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
05:00 -!- irssi is now known as dictvm
05:04 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
05:10 -!- barfster [~barf@193.69.144.163] has joined #openvpn
05:10 < barfster> I have an OpenVPN setup
05:11 < barfster> With keys on several clients
05:11 < barfster> Can I connect from one VPN client to another?
05:11 < barfster> Which IP address would I use?
05:12 < chantra_afk> barfster: you need to have client-to-client defined in your conf
05:12 < Rienzilla> you need to enable the client-to-client option on the server
05:12 < chantra_afk> the ip to use is the ip assign to the client
05:13 < barfster> client-to-client where? on the server?
05:13 < chantra_afk> yeah, server conf
05:16 < barfster> client to client is enabled
05:16 -!- batrick [~batrick@nmap/developer/batrick] has quit [Ping timeout: 240 seconds]
05:16 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn
05:17 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has quit [Ping timeout: 240 seconds]
05:17 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has joined #openvpn
05:17 < barfster> What more? ccd folder?
05:17 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Ping timeout: 265 seconds]
05:18 < chantra_afk> barfster: then, you should be able to ping from one openvpn client to the other
05:18 < chantra_afk> if not, enabling logs might help
05:19 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined #openvpn
05:24 < Bushmills> actually, you don't really need client-to-client. but if you don't enable it, network configuration of openvpn server must allow inter-client traffic. 
05:25 < Bushmills> you'd use client-to-client if you don't mind, for example, that the firewall on openvpn server is not able to police traffic between clients
05:27 < Rienzilla> Bushmills: will it work if you disable client-to-client and let the networking code in the kernel handle the routing of packets?
05:27 < Rienzilla> I seem to recall that that won't do even if you have the correct routing configured
05:27 < Bushmills> yes. client-to-client is merely for taking a shortcut around OS networking/routing.
05:28 < Rienzilla> oh ok
05:28 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
05:28 < Bushmills> for testing, it is probably preferable, as you can also cut potential problem areas 
05:28  * Rienzilla thinks it is clearer to not take any shortcuts anywhere :)
05:28 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
05:28 < Bushmills> shortcuts can get you to your goal quicker
05:28 < Bushmills> more quickly
05:29 < Rienzilla> that is true, but they will give you headaches further along the road
05:30 < Bushmills> could be. wondering why firewall won't see that traffic may cause on of those
05:30 < Bushmills> of
05:30 < Bushmills> one of ...
05:34 < Rienzilla> yeah
05:34 < Rienzilla> stuff like that
05:40 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
05:40 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
05:40 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:42 -!- Kevin` [~kevin@router.kwzs.be] has quit [Read error: Connection reset by peer]
05:43 < barfster> It does not work, where should I check the logs?
05:45 < barfster> cat /var/log/openvpn/ipp.txt
05:46 < barfster> gives me 1 IP address pr key
05:46 < barfster> but none of those IP addresses are pingable
05:46 -!- Kevin` [~kevin@router.kwzs.be] has joined #openvpn
05:47 < barfster> What is considered best practice when it comes to log rotation and openvpn?
05:51 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Ping timeout: 260 seconds]
06:09 -!- barfster [~barf@193.69.144.163] has quit [Quit: Get MacIrssi - http://www.sysctl.co.uk/projects/macirssi/]
06:12 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
06:19 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined #openvpn
06:24 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Ping timeout: 260 seconds]
06:27 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
06:29 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined #openvpn
06:29 -!- pyther24 [~pyther@unaffiliated/pyther] has joined #openvpn
06:38 -!- WinstonSmith [~true@e179001228.adsl.alicedsl.de] has joined #openvpn
06:51 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
06:55 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
06:56 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 276 seconds]
07:17 -!- mikkel [~mikkel@80.71.132.15] has joined #openvpn
07:19 -!- Klem__ [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has joined #openvpn
07:22 -!- Klem [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has quit [Ping timeout: 264 seconds]
07:27 <@vpnHelper> RSS Update - forum: Server Administration :: Certificate fields :: Author veljkopopovi <https://forums.openvpn.net/viewtopic.php?f=4&t=7398&p=8689#p8689>
07:39 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Excess Flood]
07:39 -!- LowKey [rhel@unaffiliated/lowkey] has joined #openvpn
07:43 -!- hanasaki [BLACKLIST@cpe-76-92-220-37.kc.res.rr.com] has quit [Remote host closed the connection]
07:43 -!- hanasaki [BLACKLIST@76.92.220.37] has joined #openvpn
07:48 -!- hanasaki [BLACKLIST@76.92.220.37] has quit [Remote host closed the connection]
07:48 -!- hanasaki [BLACKLIST@76.92.220.37] has joined #openvpn
07:50 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Excess Flood]
07:50 -!- LowKey [rhel@unaffiliated/lowkey] has joined #openvpn
07:50 -!- WinstonSmith [~true@e179001228.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
08:01 -!- mode/#openvpn [-bb *!*@24-119-83-207.cpe.cableone.net *!*@cpe-76-188-83-127.neo.res.rr.com] by ecrist
08:22 -!- EmperorTom [~EmperorTo@174-30-242-211.mpls.qwest.net] has quit [Quit: leaving]
08:23 -!- EmperorTom [~EmperorTo@216.17.68.153] has joined #openvpn
08:28 -!- mant1s [~mant1s@cpe-76-179-25-35.maine.res.rr.com] has joined #openvpn
08:28 -!- mant1s [~mant1s@cpe-76-179-25-35.maine.res.rr.com] has quit [Changing host]
08:28 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
08:35 -!- janjust [~janjust@ardeche.nikhef.nl] has joined #openvpn
08:37 < janjust> !help
08:37 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
08:37 < janjust> !goal
08:37 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:37 < janjust> !welcome
08:37 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:38 < janjust> !wiki
08:38 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN, or (#2) Official wiki is at https://community.openvpn.net/openvpn/wiki
08:41 < janjust> hi all ; is it very quiet here or am I simply not seeing what others are typing?
08:43 < dazo> heh
08:43 < dazo> janjust: it's just amazingly quiet at the moment 
08:44 < janjust> ah , which means openvpn is an amazingly well working piece of software :)
08:44 < dazo> but I see you're getting acquainted with vpnHelper :)
08:44 < janjust> just curious what's out there ... but I still prefer mailing lists to irc channels or forums
08:44 < dazo> janjust: yeah ... and it seems the troublemakers (as in those not being able to get openvpn working) usually turn up a bit later :)
08:45 < dazo> a lot of issues are solved here actually ... but the knowledge level is somewhat more variable here on irc compared to the ML
08:46 < janjust> which is fine; I must say I stopped looking on the forums as well - if I can't get an update on postings via email then I simply forget to look 
08:46 < dazo> yeah, I'm not so active in the forum as well ... for me it's too unstructured .... but the right people here knows when to point me at things to look at :)
08:47 < dazo> janjust: while you're here .... what kind of Alladin key stuff would you recommend for both Linux and Windows environments?  You seem to have some good knowledge here :)
08:48 < dazo> and have you ever tested yubikey?  http://www.yubico.com/yubikey
08:48 <@vpnHelper> Title: Yubikey - Yubico (at www.yubico.com)
08:49 < dazo> it's different technologies ... but I'm considering to implement one of them in a mixed environment (well, mostly Windows clients, but I need to admin it from Linux)
08:50  * dazo need to prepare for a meeting
08:51 < janjust> nope I have never tested yubikey 
08:51 < janjust> I do have a Feitian ePass smartcard with reader 
08:51 < janjust> the problem with the aladdin etokens is that they're fairly hard to buy these days, IIRC
08:52 < janjust> plus, you can no longer download the aladdin driver software from the web - you need a reseller for that
08:52 < janjust> the aladdin driver software for windows is much nicer than the opensc package
08:52 < janjust> the linux client is a bit nicer too than opensc but you need less 'point&drool' for those users
08:53 < dazo> yeah, I don't care much about GUI stuff :)
08:53 < janjust> the opensc software is fairly fluid, in the sense that things change rapidly.
08:56 < janjust> the yubikey thing looks interesting but it's not a smartcard/hardware token (which are required for some of the things I do)
08:57 -!- venom00ut [~wer@173.0.2.110] has joined #openvpn
08:57 -!- venom00ut [~wer@173.0.2.110] has quit [Changing host]
08:57 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
09:00 < dazo> yeah, I know yubikey is not a "smart card" :)
09:00 < dazo> it's kinda closer to an RSA token
09:00 < janjust> I also see that yubikey is already deployed by the fedora project
09:03 < dazo> yeah, which is kind of interesting
09:04 < dazo> open source client and server stuff as well
09:04 < dazo> not too clean code at first glance, IMO ... but not bad
09:04 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 250 seconds]
09:04 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
09:06 < dazo> I would just like a better two-phase authentication ... and yubikey seems to be able to be more accessible and affordable
09:06 < janjust> open source client? as far as I can tell no client software is needed?
09:07 < dazo> client as in the plug-in/module for using the yubikey auth server 
09:07 < dazo> so it would be easily integratable with OpenVPN
09:08 < janjust> ah right... 
09:08 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
09:08 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
09:08 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
09:08 < dazo> on the "client client" side, the yubikey acts like a USB keyboard, if I've understood it right
09:08 < janjust> if they have a pam interface it will/should most definitely work with OpenVPN
09:09 < dazo> yeah, at least code I can rip out for my own eurephia module :)
09:10 -!- venom00ut [~wer@173.0.9.87] has joined #openvpn
09:10 -!- venom00ut [~wer@173.0.9.87] has quit [Changing host]
09:10 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
09:11 -!- EmperorT1m [~EmperorTo@174-30-242-211.mpls.qwest.net] has joined #openvpn
09:12 -!- EmperorT1m [~EmperorTo@174-30-242-211.mpls.qwest.net] has quit [Client Quit]
09:12 < janjust> if all you're looking for is more than username+password authentication then this looks *much* nicer than a smartcard/token
09:13 < janjust> but getting a user to "tap" his x509 certificate using the yubikey is a bit more of a hassle :)
09:16 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has quit [Ping timeout: 260 seconds]
09:16 -!- takamichi [~pri@194.126.175.219] has joined #openvpn
09:17 < dazo> janjust: yeah, I'm using cert + username/password auth today ... so just considering to improve the username/password stuff
09:18 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 276 seconds]
09:23 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 240 seconds]
09:53 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
09:54 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 260 seconds]
10:01 -!- EmperorT1m [~EmperorTo@174-30-242-211.mpls.qwest.net] has joined #openvpn
10:01 -!- EmperorT1m [~EmperorTo@174-30-242-211.mpls.qwest.net] has quit [Client Quit]
10:09 <@ecrist> krzee: 
10:09 <@ecrist> OS: FreeBSD 8.1-PRERELEASE CPU: Intel(R) Xeon(R) CPU E5520 @ 2.27GHz (2261.01-MHz K8-class CPU) RAM: 24GB UP: 145 days 12:32 USERS: 6 LOAD: 0.05 0.02 0.00 (77 processes:  1 running, 76 sleeping)
10:09 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 265 seconds]
10:10 < |Mike|> zomg.
10:11 < |Mike|> ecrist: 
10:11 < |Mike|> [mike@phantom ~]$ uname -srm ; uptime
10:11 < |Mike|> FreeBSD 6.3-RELEASE i386 4:51PM  up 559 days, 10:20, 1 user, load averages: 0.02, 0.01, 0.00
10:11 < |Mike|> (256mb ram!)
10:11 <@ecrist> |Mike|: I can win the uptime war, or could.
10:11 < |Mike|> :P
10:11 < pyther24> janjust: dazo said you might be able to help me setup xca
10:11 <@ecrist> we had one box that had ~1100 uptime days
10:11 < dazo> |Mike|: it's not the lengt^Wsize^Wamount that matters, but how you use it ;-)
10:12 < |Mike|> dazo: the box is doing nothing actually
10:12 -!- krzee [~k@openvpn/community/support/krzee] has quit [Remote host closed the connection]
10:12 <@ecrist> it would have had 1800 when we shut it down, but our datacenter actually lost power.
10:12 < dazo> obviously, that message overloaded krzee :)
10:13 < dazo> janjust: I think you know which kind of parameters to set correctly in xca ... I haven't figured all of them out yet, so I have a partial working setup only
10:13 < dazo> (--ns-cert-type is one which is failing)
10:15 < pyther24> I take it I have to import the CA key?
10:15 < dazo> yeah, that's a good start ... and the CA cert
10:15 < pyther24> so the ca key goes into private keys and the ca cert into certifcates?
10:16 < dazo> afaik, yes ... and then there are some options (right click) to set this as trusted, iirc
10:17 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Quit: Yes, Virginia...]
10:17 < pyther24> Do I need to import the dh1024.pem key?
10:18 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
10:18 -!- batrick_ [~batrick@nmap/developer/batrick] has joined #openvpn
10:18 < janjust> (back again)
10:18 < pyther24> So I want to trust my certificates?
10:18 < janjust> xca? let me read back for a bit
10:18 -!- irssi [~irssi@devastation.securewebs.net] has joined #openvpn
10:19 -!- agagag_ [~anton@eudaimonia.goto10.org] has joined #openvpn
10:19 < janjust> pyther24 you will want to trust your CA certificate only
10:19 < janjust> the others don't matter
10:20 < pyther24> ok so I've imported the CA cert, the server cert, and the client cert, along with their keys
10:20 < pyther24> is there anything else I need to import?
10:20 < janjust> nope
10:20 < janjust> xca is nice for generating new certs, not for importing old ones... 
10:20 < pyther24> Now lets say I want to make a new cert/key for a client what do I need to do?
10:20 < dazo> but when creating a new cert ... then there are quite some things to think about :)
10:21 < janjust> go to f
10:21 < janjust> pyther, go to File->Opendatabase, open the database in which your CA is stored
10:21 < pyther24> ok
10:21 < janjust> pyther: then click on the tab Certificates, select your CA cert and right click it
10:21 < pyther24> do I need the Diffie Hellman pem?
10:22 < janjust> pyther: choose 'New certificate'
10:22 < pyther24> k
10:22 < janjust> nope, the DH1024.pem file dose nothing useful in xca
10:22 < janjust> it's for the openvpn server noly
10:22 < janjust> only
10:22 < pyther24> ahh ok
10:22 < janjust> after clicking 'New certificate' click on 'generate key' first in the new window
10:23 -!- Netsplit *.net <-> *.split quits: dictvm, agagag, gladiatr, batrick
10:23 < pyther24> under subject?
10:23 < janjust> yep
10:24 < pyther24> is the name the CN
10:24 < pyther24> ?
10:24 < janjust> yep
10:25 < pyther24> RSA and 1024bit is all good?
10:25 < janjust> (I need to leave in about 3 minutes)
10:25 < janjust> yes RSA is good, 1024 bit is good (for a client cert)
10:25 < pyther24> ok key is created
10:25 < janjust> for server certs I would use 2048 or 4096
10:25 < janjust> now click on the 'extensions' tab
10:25 < pyther24> ok
10:25 < janjust> choose 'End entity' for Type
10:26 < pyther24> k
10:26 < janjust> mark 'subject key identifier' and 'authority key identifier' as enabled
10:26 < janjust> next the 'key usage' tab
10:26 < pyther24> k
10:26 < janjust> select 'Digital signing' in key usage; select 'TLS Web client authentication' in extended key usage
10:27 < janjust> (or TLS web server for a server cert)
10:27 < janjust> NOW press the OK button to generate the certificate
10:27 < pyther24> I don't see "Digital Signing" should it be digital signature?
10:27 < janjust> ah yes
10:28 < janjust> I don't have the screens in front of me, just a printout of my book ;-)
10:28 < pyther24> Don't I also want to use my CA cert for signing
10:28 < janjust> if you choose 'new certificate' from your CA then this is automatically set up correctly
10:28 < janjust> I've got to go now - feel free to ping me tomorrow
10:28 < janjust> bye
10:28 -!- janjust [~janjust@ardeche.nikhef.nl] has quit [Quit: Leaving]
10:29 < pyther24> meh
10:29 < pyther24> so close to being done
10:29 < dazo> pyther24: :)  I think you're right ... choose you're CA if not selected right
10:29 < dazo> that makes sense, afair
10:29 < pyther24> and fill in the CA fields?
10:29 < dazo> nope ... it should be a drop-down box
10:30 < dazo> where you can select your CA directly
10:30 < pyther24> err... I mean I should fill in the countryname state, etc...
10:30 < dazo> ahh
10:30 < dazo> yeah, you can fill out that
10:31 < pyther24> and then hit create?
10:31 < dazo> yeah, I guess so :)
10:32 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has joined #openvpn
10:32 < pyther24> I guess I'll give it a try after lunch
10:33 < pyther24> bbl
10:33 < dazo> :)
10:34 < dazo> pyther24: you'll also catch janjust (aka JJK) on the openvpn mailing lists too ... so if he doesn't pop in tomorrow, send an e-mail to the list :)
10:39 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 240 seconds]
10:45 -!- takamichi [~pri@194.126.175.219] has quit [Read error: Connection reset by peer]
10:46 -!- takamichi [~pri@194.126.175.219] has joined #openvpn
10:46 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:47 -!- malibu29 [~Leo_Lee@c-69-141-28-48.hsd1.pa.comcast.net] has joined #openvpn
10:47 -!- malibu29 [~Leo_Lee@c-69-141-28-48.hsd1.pa.comcast.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
10:47 -!- SmokeyD [~dolf@f12099.upc-f.chello.nl] has left #openvpn []
10:51 -!- malibu29 [~Leo_Lee@c-69-141-28-48.hsd1.pa.comcast.net] has joined #openvpn
10:51 -malibu29:#openvpn- hacker! http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
10:51 < malibu29> /!\ http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
10:51 -!- malibu29 [~Leo_Lee@c-69-141-28-48.hsd1.pa.comcast.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
10:54 -!- Wendat_28 [~nazi]\_]@c-68-45-35-171.hsd1.nj.comcast.net] has joined #openvpn
10:54 -!- Wendat_28 [~nazi]\_]@c-68-45-35-171.hsd1.nj.comcast.net] has left #openvpn []
10:55 -!- fbsec_ [~fb@38.108.126.158] has quit [Ping timeout: 272 seconds]
10:59 -!- malibu29 [~Leo_Lee@c-69-141-28-48.hsd1.pa.comcast.net] has joined #openvpn
10:59 -!- malibu29 [~Leo_Lee@c-69-141-28-48.hsd1.pa.comcast.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
11:09 -!- huzpol [~huzurp@p5485EEF0.dip.t-dialin.net] has joined #openvpn
11:09 < huzpol> hi guys
11:09 -!- malibu29 [~Leo_Lee@c-69-141-28-48.hsd1.pa.comcast.net] has joined #openvpn
11:09 -malibu29:#openvpn- this is not spam http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
11:09 < malibu29> Happy holydays! http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
11:09 -!- malibu29 [~Leo_Lee@c-69-141-28-48.hsd1.pa.comcast.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
11:10 < havoc> oh boy
11:10 < dazo> ecrist: can you take care of malibu here?  this has become more and more frequent
11:10 < dazo> not sure if there's a more clever ban to use
11:12 < huzpol> guys i get allways this errot when i try to connect my ovpn server :http://pastebin.com/hKyKTdGu
11:12 < huzpol> i installed the gui under W7
11:12 -!- Wendat_28 [~nazi]\_]@c-68-45-35-171.hsd1.nj.comcast.net] has joined #openvpn
11:12 -!- Wendat_28 [~nazi]\_]@c-68-45-35-171.hsd1.nj.comcast.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
11:18 -!- Wendat_28 [~nazi]\_]@c-68-45-35-171.hsd1.nj.comcast.net] has joined #openvpn
11:18 -!- Wendat_28 [~nazi]\_]@c-68-45-35-171.hsd1.nj.comcast.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
11:19 -!- mode/#openvpn [+b *!*@c-69-141-28-48.hsd1.pa.comcast.net] by ecrist
11:20  * ecrist wonders where dazo's @ is
11:20 -!- mode/#openvpn [+o dazo] by ecrist
11:21 <@dazo> dazo: I don't know where that access disappeared ... but I tried once to block this spammer ... but I'm not sure if there's a better matching which can be done
11:21 <@ecrist> nah, they're coming from all over.
11:21 <@ecrist> we need to give vpnHelper some automation to block that ihaxor phrase
11:21 -!- Wendat_28 [~nazi]\_]@c-68-45-35-171.hsd1.nj.comcast.net] has joined #openvpn
11:21 -!- Wendat_28 [~nazi]\_]@c-68-45-35-171.hsd1.nj.comcast.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
11:21 -!- Irssi: #openvpn: Total of 111 nicks [6 ops, 0 halfops, 0 voices, 105 normal]
11:22 <@ecrist> where the hell is vpnHelper?
11:23 <@ecrist> gah
11:23 < huzpol> your guys have no idee abaut my problem?
11:23 < huzpol> o
11:25 < huzpol> iptables ist disabled
11:26 <@dazo> huzpol: you got issues with W7 ... I'm not a Windows user, so I don't know much to help you further :(
11:26 <@dazo> #
11:26 <@dazo> #
11:26 <@dazo> Tue Dec 14 18:05:29 2010 CreateFile failed on TAP device: \\.\Global\{15BEA090-2FAD-411C-8288-4FF1D7D7FAD9}.tap
11:26 <@dazo> #
11:26 <@dazo> Tue Dec 14 18:05:29 2010 All TAP-Win32 adapters on this system are currently in use.
11:26 <@dazo> huzpol: those two lines are your core issue
11:27 < huzpol> yes
11:27 < huzpol> so you mean is a server site problem?
11:28 <@dazo> huzpol: I understand your log file is from the client, right?
11:28 <@dazo> if so, then your problem is on the client
11:29 <@dazo> if your log file is from the server, then you have a problem on the server
11:29 < huzpol> yes is from client
11:29 <@dazo> okay, then it is a client problem
11:29 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Quit: Ctrl-C at console.]
11:29 < huzpol> hmmm
11:29 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
11:29 -!- mode/#openvpn [+o vpnHelper] by ChanServ
11:29 <@dazo> huzpol: your server seems to respond properly, as far as I can see
11:29 < huzpol> and you dont know what it can be becouse of W7
11:30 <@dazo> huzpol: I am not a Windows user ... last time I used Windows was 5 years ago on WindowsXP ... I barely remember the tweaks I needed to do back then :)
11:30 < huzpol> i disabled he firewall on server dan client
11:30 <@dazo> this is not a firewall issue
11:30 < huzpol> you do the right thing windows is realy bad
11:30 <@dazo> you have issues with creating the virtual network in W7
11:31 < huzpol> ok
11:31 <@dazo> virtual network *interface, I mean
11:33 <@ecrist> dazo: I'm setting up a script in my irc client to kick/ban on that word
11:33 <@dazo> ecrist: cool, thx!
11:34 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
11:34 < huzpol> ecrist: dou you mean my words ? sorry
11:35 -!- Wendat_28 [~nazi]\_]@c-68-45-35-171.hsd1.nj.comcast.net] has joined #openvpn
11:35 -!- Wendat_28 [~nazi]\_]@c-68-45-35-171.hsd1.nj.comcast.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
11:36 <@dazo> huzpol: nope, not you ... we got some spammers bothering us a little bit
11:38 < huzpol> aa ok
11:38 < huzpol> sorry
11:38 <@dazo> no worries :)
11:40 < huzpol> dazo:  i dont know why bat it works now :-)
11:40 < huzpol> i am in^^
11:40 <@dazo> cool!
11:41 < huzpol> bat how cann  i access the networ sources now? \\nerworkname?
11:44 <@ecrist> someone say ihaxor
11:45 <@dazo> ihaxor
11:45 <@ecrist> dammit
11:45 <@dazo> :)
11:48 <@ecrist> ihaxor
11:48 <@ecrist> ihaxor
11:48 <@ecrist> ihaxor
11:48 <@ecrist> ihaxor
11:52 -!- Wendat_28 [~nazi]\_]@c-68-45-35-171.hsd1.nj.comcast.net] has joined #openvpn
11:52 -!- Wendat_28 [~nazi]\_]@c-68-45-35-171.hsd1.nj.comcast.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
11:53 -!- Wendat_28 [~nazi]\_]@c-68-45-35-171.hsd1.nj.comcast.net] has joined #openvpn
11:53 -Wendat_28:#openvpn- Happy holydays! http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
11:53 < Wendat_28> cool site http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
11:53 -!- Wendat_28 [~nazi]\_]@c-68-45-35-171.hsd1.nj.comcast.net] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
11:53 -!- mode/#openvpn [+b *!*@c-68-45-35-171.hsd1.nj.comcast.net] by ecrist
12:03 -!- huzpol1 [~huzurp@p50872C91.dip.t-dialin.net] has joined #openvpn
12:03 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
12:05 -!- huzpol [~huzurp@p5485EEF0.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
12:06 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
12:10 -!- dazo is now known as dazo_afk
12:19 -!- krzee [~k@ftp.secure-computing.net] has joined #openvpn
12:19 -!- krzee [~k@ftp.secure-computing.net] has quit [Changing host]
12:19 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
12:25 -!- ecrist_ [~ecrist@kenny.secure-computing.net] has joined #openvpn
12:25 < ecrist_> Happy holydays! http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
12:25 -!- mode/#openvpn [+b *!*@kenny.secure-computing.net] by ecrist
12:25 -!- ecrist_ was kicked from #openvpn by ecrist [User banned for saying the wrong thing.  Be warned!]
12:26 <@ecrist> sweet, it works
12:26 -!- mode/#openvpn [-b *!*@kenny.secure-computing.net] by ecrist
12:26 < jpalmer> wait, what?
12:32 -!- krzee [~k@openvpn/community/support/krzee] has quit [Remote host closed the connection]
12:37 -!- RichiH [~richih@freenode/staff/richih] has joined #openvpn
12:38 < RichiH> how reliable, resilent & performant are the multi-daemon openvpn setups?
12:38 < RichiH> i.e. http://www.linuxjournal.com/article/9915 and similar
12:38 <@vpnHelper> Title: Building a Multisourced Infrastructure Using OpenVPN | Linux Journal (at www.linuxjournal.com)
12:41 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has quit [Quit: leaving]
12:43  * ecrist looks
12:44 <@ecrist> oh, that, it's been stable for me in similar situations.
12:45 <@ecrist> the performance is purely dependant on the hardware you're running on coupled with you available link throughput
12:45 <@ecrist> we used a similar setup for a datacenter migration and things went smoothly.
12:45 <@ecrist> for a while, our website backend DB server was in another DC from the rest of the website, customers never knew
12:46 < hyper_ch> hi ecrist
12:47 < RichiH> ecrist: ok, i will need to poke it, then
12:47 < RichiH> thanks
12:47 <@ecrist> np
12:52 <@ecrist> RichiH: any idea what's going on with al the channel spam we've been getting to download some MIRC package?
12:55 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has joined #openvpn
12:55 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has quit [Changing host]
12:55 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
13:02 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined #openvpn
13:35 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has quit [Ping timeout: 265 seconds]
13:44 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined #openvpn
13:47 -!- takamichi [~pri@194.126.175.219] has quit [Ping timeout: 250 seconds]
13:48 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has quit [Client Quit]
13:48 -!- takamichi [~pri@pm302-97-254.keyworld.net] has joined #openvpn
13:55 -!- batrick_ is now known as batrick
13:55 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined #openvpn
13:56 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has quit [Quit: leaving]
14:01 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Problem with routes in Windows 7 :: Reply by baza <https://forums.openvpn.net/viewtopic.php?f=4&t=7200&p=8690#p8690>
14:06 -!- blistov [~bens@s199-126-201-153.ab.hsia.telus.net] has quit [Remote host closed the connection]
14:18 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 250 seconds]
14:19 -!- disaster37 [~disaster@ns3.webcenter.fr] has joined #openvpn
14:19 < disaster37> hi all
14:31 -!- s7r [~s7r@178.73.198.39] has joined #openvpn
14:35 -!- krzee [krzee@hemp.ircpimps.org] has joined #openvpn
14:35 -!- krzee [krzee@hemp.ircpimps.org] has quit [Changing host]
14:35 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
14:36 <@ecrist> sup krzee 
14:36 < krzee> wassup pimpin
14:36 < hyper_ch> hi krzee
14:37 < disaster37> You know if with XP, openVPN must use a special option ?
14:37 < disaster37> because on my XP computer, the performance is bad (speed)
14:38 < disaster37> with VPN 100ko/s
14:38 < disaster37> without VPN 900k/s
14:38 < disaster37> and there no problem with the server speed
14:38 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:38 < krzee> hey hyper!
14:40 < hyper_ch> krzee: you don't tab complete :(
14:40 < krzee> not that time ;]
14:40 < krzee> didnt get much sleep, spent the night scripting
14:41 < hyper_ch> what did you script?
14:41 < hyper_ch> something that can easily take over the world?
14:43 < krzee> if not the world, at least my office ;]
14:43 < krzee> disaster37, you are using tcp?
14:43 < krzee> disaster37, have you checked for MTU problems?
14:58 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Remote host closed the connection]
15:04 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
15:05 < disaster37> Yes I use tcp
15:05 < disaster37> MTU problem ?
15:05 < disaster37> It's possible to setting MTU size ?
15:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
15:07 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
15:10 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
15:15 < krzee> !tcp
15:15 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
15:25 -!- pyther24 [~pyther@unaffiliated/pyther] has quit [Quit: leaving]
15:37 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
15:55 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
15:58 <@vpnHelper> RSS Update - forum: Configuration :: VPN server won't start :: Author marcerickson <https://forums.openvpn.net/viewtopic.php?f=6&t=7399&p=8691#p8691>
16:00 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
16:04 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
16:05 -!- takamichi [~pri@pm302-97-254.keyworld.net] has quit []
16:07 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
16:25 -!- disaster37 [~disaster@ns3.webcenter.fr] has quit [Ping timeout: 265 seconds]
16:35 -!- Cmdr_W_T_Riker is now known as Katoen
16:36 -!- huzpol [~mandala@xdsl-78-35-131-61.netcologne.de] has joined #openvpn
16:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
16:37 < huzpol> hi guys i my vpn connection works now but how cann i acccess my network sources?
16:37 < huzpol> in windows \\networkadress?
16:39 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
16:40 <@ecrist> lol
16:40 <@ecrist> http://www.youtube.com/watch?v=ymIAAts6U-4
16:40 <@vpnHelper> Title: YouTube - Broadcast Yourself. (at www.youtube.com)
16:40 <@ecrist> fwiw, irssi-xmpp is pretty sweet
16:41 <@ecrist> couple shortcomings, but sweet
16:41 <@ecrist> I can facebook chat in irssi
16:41 -!- irssi is now known as dictvm
16:41 < dictvm> lol
16:46 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
16:46 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
16:46 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
16:50 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Client Quit]
16:50 < huzpol> ecrist: du you have any idee?
16:51 < huzpol> vpn ceonnection works fine ...i can connect to the server bat cant access to the network sources
16:53 <@ecrist> !route
16:53 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
16:57 < huzpol> ecrist: can you look in this pastebin pls : http://pastebin.com/6K7fNMPA ithink the rote is alrady ther
16:58 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 260 seconds]
16:59 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
17:13 -!- le0 [~fin@87.127.62.234] has joined #openvpn
17:13 -!- le0 [~fin@87.127.62.234] has quit [Changing host]
17:13 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
17:15 -!- huzpol [~mandala@xdsl-78-35-131-61.netcologne.de] has quit [Read error: Connection reset by peer]
17:19 -!- s7r [~s7r@178.73.198.39] has quit [Ping timeout: 240 seconds]
17:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
17:31 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
17:38 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Quit: hacking the interwebz]
17:45 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined #openvpn
17:46 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has joined #openvpn
17:46 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has quit [Changing host]
17:46 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
17:49 < mant1s> hey all. I'm having trouble with some iptables rules. I'd like to allow my subnet which is located inside a class C to talk to the servers located outside of it but still within that class c range
17:49 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Client Quit]
17:49 < mant1s> ...yeah picture time.. sorry 1 second
17:50 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
17:50 -!- grishnav [~grishnav@209.160.52.134] has joined #openvpn
17:54 -!- grishnav [~grishnav@209.160.52.134] has quit [Client Quit]
17:54 -!- le0 [~fin@87.127.62.234] has joined #openvpn
17:54 -!- le0 [~fin@87.127.62.234] has quit [Changing host]
17:54 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
17:56 -!- grishnav [~grishnav@209.160.52.134] has joined #openvpn
17:56 -!- grishnav [~grishnav@209.160.52.134] has quit [Client Quit]
17:56 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has joined #openvpn
17:57 < Bushmills> "talk to the servers located outside of it (a class C)  but still within that class c range."   
17:57 < Bushmills> makes a lot of sense
17:59 < Bushmills> i suppose the troubles you have is either, ACCEPTING traffic while REJECTing it, or adding the proper rule while not adding it.
18:01 < mant1s> http://tinypic.com/r/migdus/7
18:01 <@vpnHelper> Title: Image - TinyPic - Free Image Hosting, Photo Sharing & Video Hosting (at tinypic.com)
18:01 < mant1s> bushmills I made art
18:02 -!- grishnav [~grishnav@e2180-8777.securedservers.com] has quit [Quit: hacking the internet again]
18:03 -!- grishnav [~grishnav@209.160.52.134] has joined #openvpn
18:06 <@vpnHelper> RSS Update - forum: Configuration :: OpenVPN connection speed :: Author mariannoem <https://forums.openvpn.net/viewtopic.php?f=6&t=7400&p=8692#p8692>
18:09 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
18:11 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
18:12 -!- lupine_85 [~lupine_85@unaffiliated/lupine-85/x-7392152] has quit [Ping timeout: 276 seconds]
18:13 -!- _skrusty [~skrusty@83.166.176.39] has quit [Read error: Operation timed out]
18:14 -!- mikkel [~mikkel@80.71.132.15] has quit [Quit: Leaving]
18:22 -!- jasonmchristos [~jasonmchr@unaffiliated/jasonmchristos] has joined #openvpn
18:22 < jasonmchristos> hello
18:22 < jasonmchristos> My name is Jason
18:23 < jasonmchristos> Does openvpm come as a fedora package?
18:25 -!- lupine_85 [~lupine_85@master.lupine.me.uk] has joined #openvpn
18:26 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Ping timeout: 260 seconds]
18:27 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
18:28 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined #openvpn
18:28 < jasonmchristos> I want to install openVPN on a server im thinking of switching to cent 
18:32 < krzee> jasonmchristos, ild expect they have a package for that distro
18:32 < krzee> in reality thats more of a question for your distro's help channel tho
18:32 < krzee> openvpn will compile on it without issue, that i know
18:46 < |Mike|> centos has openvn server in their repos imho
18:46 < |Mike|> *openVPN
18:47 < |Mike|> damn, saturday i have my first agility match with one of our 'lease' dogs
18:48 < |Mike|> matches which need to be done before the dog can have a walk at the Word champoinships when it has enough points :D
18:48 < pyther> Does anyone understand how traffic flows from a TUN device?
18:49 < |Mike|> probably over some ethernet cables
18:49 < |Mike|> !tunortap
18:49 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you over
18:49 <@vpnHelper> the vpn, or (#4) lan gaming? use tap!
18:50 < |Mike|> and look at some OSI layers :-)
18:50 < pyther> -A FORWARD -s 10.25.252.0/255.255.255.0 -i tun0 -m state --state NEW -j vpn_users 
18:50 < pyther> I'm trying to understand how that works
18:50 < |Mike|> tried man iptables?
18:50 <@ecrist> hola, suckers!
18:50 < |Mike|> hi mom!
18:50 < pyther> |Mike|: I get the basis, but what traffic is flowwing into the tun0 device?
18:51 < pyther> the p-2-p link traffic
18:51 < |Mike|> no clue, depends on your configuration.
18:51 <@ecrist> |Mike|: I got a script running in my client to kick/ban anyone who sends that link to the channel
18:51 <@ecrist> it's somewhat pointless as they usually don't come back, though
18:51 < |Mike|> ecrist: badword.pl? 
18:51 <@ecrist> yeah
18:52 < pyther> |Mike|: just a basic openvpn setup
18:52 <@ecrist> I'm not particularly fond of +o though, for myself.
18:52 < |Mike|> it's to slow and doesn't ban on notices in the channel ;)
18:52 <@ecrist> it banned the last two
18:52 <@ecrist> indeed.  I could modify it speed it up a bit, I suppose
18:52 < |Mike|> nope
18:53 <@ecrist> really the only thing we can do to 100% stop it is set +m on the channel and +v to users
18:53 < |Mike|> see query
18:53 < |Mike|> +r is the solution
18:53 < |Mike|> but that's nazi modus imho
18:54 < |Mike|> everyone what isn't registered to chanserv won't be able to join #OpenVPN 
18:54 <@ecrist> yeah, we used to do that.
18:54 <@ecrist> as I recall you and/or reifert opposed that
18:54 <@ecrist> and you two suckers pull some weight around here. ;)
18:54 < pyther> |Mike|: are you able to help me?
18:55 < |Mike|> !tell pyther [configs]
18:59 < pyther> |Mike|: http://paste.pocoo.org/show/304994/
18:59 <@ecrist> sorry about that mike
18:59 < pyther> |Mike|: http://paste.pocoo.org/show/304995/ <== Firewall Config
19:00 < pyther> Runnig CentOS with openvpn 2.2beta5
19:00  * ecrist just flooded |Mike| with an errant /exec -o
19:02 < pyther> I'm trying to figure out what is considered input traffic and output traffic on tun0
19:02 < |Mike|> you're trying to monitor it?
19:02 < |Mike|> (per client?)
19:02 < pyther> |Mike|: no I simply want to understand the flow of traffic
19:03 < |Mike|> !google iptables counting
19:03 < pyther> specifically in regards to the FORWARD iptables chain
19:03 <@vpnHelper> iptables count port 80: <http://linux.derkeiler.com/Mailing-Lists/Fedora/2008-07/msg03294.html>; Bandwidth monitoring with iptables (Linux.com) [LWN.net]: <http://lwn.net/Articles/165646/>; Ariel Cobb » Iptables Traffic Counting: <http://arielcobb.gblog.cl/010663>
19:03 < |Mike|> there ya go :-)
19:03 < pyther> I don't want to monitor it!
19:03 < |Mike|> you need to to understand it :-)
19:04 <@ecrist> pyther: all traffic in on the interface in input, all traffic out is output
19:04 < pyther> -A FORWARD -s 10.25.252.0/255.255.255.0 -i tun0 -j vpn_users ... lets take this rule for an example
19:04 < pyther> it is matching traffic coming in on tun0 with a source address of 10.25.252.0
19:04  * ecrist wonders if |Mike| autoignored him.
19:05 < pyther> what is considered in traffic? Traffic from the client and traffic from the private network?
19:05 -!- theDoc [~Link@119.75.42.2] has joined #openvpn
19:05 -!- theDoc_ [~Link@173.236.41.36] has joined #openvpn
19:05 -!- theDoc_ [~Link@173.236.41.36] has quit [Changing host]
19:05 -!- theDoc_ [~Link@unaffiliated/thedoc] has joined #openvpn
19:05 -!- theDoc [~Link@119.75.42.2] has quit [Disconnected by services]
19:06 < |Mike|> -i stands for interface tun0, so yes.
19:06 < |Mike|> ecrist: done yet?
19:08 <@ecrist> yeah, sorry
19:08 <@ecrist> errant /exec -o
19:08 < pyther> |Mike|: so traffic from my vpn client -> server (on private lan) would match along with server (on private lan) -> vpn client would match
19:08  * ecrist is sheepish
19:10 < |Mike|> yep
19:12 < |Mike|> a bit? 
19:12 <@ecrist> apologies, |Mike| 
19:12 < pyther> lets say I ping a server on the private lan from my vpn client... 1. vpn client -> vpn box (tun in) 2. vpn box -> server (tun out) server->vpn box (tun in) vpn box -> server (tun out), yes?
19:13 < |Mike|> 356 lines further... :P
19:13 < pyther> but I have the basic concept yes?
19:16 < |Mike|> that's possible yeah.
19:17 < pyther> ok
19:18 <@ecrist> heh, I ran that math though bc, appended -o to exec by mistake
19:18 < pyther> -A FORWARD -i eth0 -j ACCEPT that rule should route packets coming through eth0, yes?
19:18 < |Mike|> next time only use - instead - -o :)
19:18 <@ecrist> yeah, lol
19:19 < |Mike|> pyther: no idea, i'm not a walking iptables guru.
19:20 < |Mike|> please read the manpage.
19:20 < pyther> |Mike|: with all do respect man pages only help so much
19:20 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
19:21 < |Mike|> it's A) I have to search for it and I learn a bit more about IPtables or B) You search for it and YOU learn some more about IPtables
19:21 < |Mike|> double profit for you imho.
19:23 < pyther> |Mike|: what I asked is the way I understand it, simply looking for confirmation :)
19:25 < |Mike|> I can't confirm it.
19:29 < derekv> I just got an interesting email regarding the IPSEC stack in openbsd
19:30 < |Mike|> derekv: don't
19:30 < |Mike|> http://www.osnews.com/story/24136/_quot_FBI_Added_Secret_Backdoors_to_OpenBSD_IPSEC_quot_
19:30 <@vpnHelper> Title: "FBI Added Secret Backdoors to OpenBSD IPSEC" (at www.osnews.com)
19:31 < |Mike|> derekv: you're refering to this article?
19:32 < derekv> Yea.  Well, the actual email via list that the article refers to.
19:32 < derekv> |Mike|, what shouldn't I? 
19:33 < derekv> other than get too offtopic?
19:51 <@ecrist> |Mike|: what if we banned all the entries in the idents.txt?
19:59 < havoc> heh, just saw that elsewhere
19:59 < havoc> can't wait to see how that asplodes
20:08 <@ecrist> nah, off-topic is ok so long as on-topic convo isn't going on
20:23 < havoc> I saw that [or similar] link posted on several channels across multiple networks within the same 20min or so
20:24 < havoc> this being the most common: http://permalink.gmane.org/gmane.os.openbsd.tech/22557
20:24 <@vpnHelper> Title: Allegations regarding OpenBSD IPSEC (at permalink.gmane.org)
21:08 < abeehc> "Merry Christmas..." hehe
21:14 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
21:19 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: How to create my own TAP driver installer (Windows) :: Author ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7401&p=8693#p8693>
21:22 -!- rich_ [~rich@216.38.140.199] has joined #openvpn
21:23 < rich_> Can one connect to an openvpn server using netcat -u servername port?
21:24 < rich_> It seems like that should work (we are using udp), but it doesn't.
21:24 < rich_> I'm missing something simple, I'm sure.
21:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
21:27 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
21:32 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
21:33 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
21:33 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
21:33 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
21:38 < rich_> !welcome
21:38 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
21:38 < rich_> !wiki
21:38 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN, or (#2) Official wiki is at https://community.openvpn.net/openvpn/wiki
21:40 < rich_> !route
21:40 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
21:46 < rich_> !/30
21:46 <@vpnHelper> "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
21:46 < rich_> !iporder
21:46 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
21:51 -!- pyther [~pyther@unaffiliated/pyther] has quit [Ping timeout: 265 seconds]
21:59 < Bushmills> rich_: no, you can't.  openvpn doesn't show a banner, or such. and as udp is connection-less, there's no "connected" state or such, to trigger such a reply.
22:00 < Bushmills> best option is probably to enable logging on both client and server side, then start client - assuming server is already running -, and look at log files to find out what is happening.
22:01 < Bushmills> or, stop openvpn server, and put a netcat listener serverside, echoing udp input to screen.
22:02 < rich_> interesting.  thanks Bushmills.
22:03 < rich_> so netstat won't even see an connection, or display anything, I guess.
22:03 < rich_> since any individual packet does not represent a persistent thingy.
22:04 < rich_> (but that's technical talk)
22:04 < rich_> ;)
22:13 < krzee> technical talk re openvpn is def on-topic for here =]
22:23 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Ping timeout: 250 seconds]
22:26 -!- SOG [~SOG@113.90.225.172] has joined #openvpn
22:30 -!- APTX [~APTX@phpBB/developer/APTX] has joined #openvpn
23:06 < theDoc_> Any freeradius experts?:)
23:23 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:33 -!- krzie [~k@ftp.secure-computing.net] has joined #openvpn
23:33 -!- krzie [~k@ftp.secure-computing.net] has quit [Changing host]
23:33 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
23:36 -!- mape2k [~jabber@galatea.net.pennewiss.de] has joined #openvpn
23:41 <@vpnHelper> RSS Update - forum: My VPN :: Windows xp worked and the 7 don't. :: Author pinguim007 <https://forums.openvpn.net/viewtopic.php?f=13&t=7402&p=8694#p8694>
23:45 < simplechat> hey guys
23:45 < simplechat> what happened to openvpn.net?
23:45 < jasonmchristos> Can someone experienced with openVPN review a howto for me?
23:46 < jasonmchristos> I am about to try and setup openVPN http://www.susegeek.com/security/install-configure-openvpn-ssl-vpn-in-suse-opensuse-linux/
23:56 < theDoc_> krzie: You there?
--- Day changed Wed Dec 15 2010
00:16 <@ecrist> sup bitches?
00:16 <@ecrist> simplechat: what's wrong with it?
00:17 <@ecrist> jasonmchristos: sure, but is there something the other docs didn't cover you're trying to
00:17 <@ecrist> ?
00:20 <@ecrist> sigh
00:20 -!- jasonmchristos was kicked from #openvpn by ecrist [we're not here to provide you traffic]
00:21 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
00:23 < simplechat> ecrist, you're no longer standard foss
00:23 < simplechat> its gone all...... icky and corperate
00:23 <@ecrist> what?
00:23 < simplechat> ecrist, i thought somebody stole your domain for a minute tehre
00:23 <@ecrist> me?
00:23 < simplechat> openvpn.net?
00:23 < simplechat> not you, openvpn
00:24 < simplechat> seriously
00:24 <@ecrist> oh, they haven't been for a *long* time
00:24 < simplechat> wtf?
00:24 < simplechat> they were ok when i was building my last openvpn
00:24 < simplechat> *openvpn box
00:24 <@ecrist> they're still OK
00:24 < simplechat> isn't openvpn run by the openbsd guys?
00:24 <@ecrist> no
00:24 < simplechat> like openssh?
00:24 < simplechat> :(
00:24 <@ecrist> where the fuck did you get that idea
00:24 < simplechat> ecrist, tis how openssh runs
00:25 < simplechat> and openvpn is pretty sweetly security focused
00:25 <@ecrist> but, why does that mean they have to be free, and why does that mean they can't have a commercial component?
00:26 < simplechat> ecrist, commercial components are all well and good, but what they are trying to sell isn't something most people want
00:26 <@ecrist> I think you're wrong.
00:26 <@ecrist> I'd say most people in HERE don't want that, but we're a small percent.
00:26 < simplechat> from what i can see you guys do hosted vpns?
00:26 < simplechat> yeah
00:26 <@ecrist> I'm not with openvpn
00:27 <@ecrist> I am simply a self-appointed community representative.
00:27 < simplechat> kk
00:28 < simplechat> ecrist, well as a loyal user for many years now: If, when somebody goes to your website, they think that you've been domain hijacked..... it doesn't bode well
00:28 < simplechat> hmmmmm.
00:28 <@ecrist> it's not me
00:28 < krzie> you keep saying "your"
00:28 < krzie> its "their" website
00:29 <@ecrist> we are individuals
00:29 < simplechat> krzee, sure
00:29 <@ecrist> we simply own this channel
00:29 < simplechat> ecrist, i'm not ;)
00:29 < simplechat> yeah
00:30 < simplechat> ecrist, is there any backup of the old website?
00:30 <@ecrist> dude, what do you want?
00:30 < simplechat> ecrist, the old tutorials, how do deal with easy-rsa, build up openvpn confs/etc.
00:31 < krzie> !howto
00:31 <@ecrist> it's all there
00:31 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
00:31 < simplechat> as opposed to http://openvpn.net/index.php/access-server/docs/quick-start-guide.html
00:31 <@vpnHelper> Title: Quick Start Guide (at openvpn.net)
00:31 < krzie> see, you're looking at access-server stuff
00:31 < krzie> not community stuff
00:31 < simplechat> you have a giant thing saying "Software packages"
00:31 <@ecrist> click on the community link at the top-right of the page
00:31 < simplechat> openvpn should be a software packages
00:31 < simplechat> why isn't it there?
00:31 < krzie> stop saying "you"
00:32 < krzie> WE DONT RUN THAT SITE!
00:32 < krzie> lol
00:32 -!- simplechat was kicked from #openvpn by ecrist [gah!]
00:32 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
00:32 < simplechat> krzee, ..
00:33 <@ecrist> simplechat: click the community link in the upper right of the page
00:33 < krzie> yes...?
00:33 <@ecrist> all the old docs are there
00:33 < simplechat> kk
00:36 < simplechat> ecrist, is there any way to slap the webmaster in the face with a fish?
00:36 < simplechat> preferably a trout?
00:36 < krzie> heh
00:36 < simplechat> ...
00:36 <@ecrist> suggest a fix, describe you specific issues and I can work with it
00:36 < simplechat> kk
00:37 <@ecrist> currently, I have a great report with the openvpn folks, but it's a two-way street.
00:37 < krzie> a good place for that would be:
00:37 <@ecrist> I'll get no where with ' < simplechat> preferably a trout?
00:37 < krzie> !wishlist
00:37 <@vpnHelper> "wishlist" is https://forums.openvpn.net/viewforum.php?f=10 for the openvpn wishlist
00:38 < simplechat> hmmmm
00:38 <@ecrist> most here know, first hand, I'm the first in line to slap the openvpn folks around for not listening to the community
00:38 < krzie> but he uses goldfish
00:38 <@ecrist> give me a chance with constructive criticism, something specific, and I'll get it fixed.
00:38 <@ecrist> lol
00:38 < simplechat> kk
00:39 < simplechat> ecrist, well not having the openvpn product itself on the software packages page seems surprisingly surprising.
00:39 < simplechat> and as somebody trying to use it came as a complete shock
00:39 <@ecrist>  ugh
00:39 < simplechat> ecrist, so what, just shove that up on the wishlist?
00:39 < simplechat> put your namesake product in the product page?
00:39 <@ecrist> ye
00:39 < simplechat> yeah
00:39 <@ecrist> what's wrong with that
00:39 < simplechat> ecrist, so the commercial product is what, a nice web gui on top of openvpn?
00:40 < simplechat> and hosting?
00:40 < krzie> !AS
00:40 <@vpnHelper> "AS" is "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations options
00:40 <@vpnHelper> supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://openvpn.net/index.php/access-server/download-openvpn-as.html to download, or (#4) go to http://openvpn.net/index.php/access-server/support-center.html for support
00:40 <@ecrist> do you know who controls the forum, simplechat ?
00:40 < simplechat> not really
00:40 < simplechat> ecrist, i just use it/deploy it
00:40 < krzie> we both do, corp and community
00:40 < simplechat> kk
00:40 < simplechat> krzie, cool
00:41 <@ecrist> simplechat: I am the root user for the system that hosts the forum.  I have root on the community server.  I CAN get changes made.  but give me something to work with.
00:41 <@ecrist> "bitch, shit be broke!"  doesn't work
00:42 < simplechat> ecrist, ok, i do get where you are coming from
00:43 < simplechat> ecrist, in my defence my first reaction was a rather large "WTF!?!?!?"
00:43 < krzie> so was mine ;]
00:43 <@ecrist> so was mine
00:43 < simplechat> hmmm. :(
00:43 <@ecrist> BUT, we're working on it
00:43 < simplechat> so when did they start doing this?
00:44 <@ecrist> you still haven't defined 'what'
00:44 < simplechat> go from the foss project we all know and love to.... whatever it is they happen to be now
00:44 < krzie> but its still foss
00:44 < simplechat> last time i was building an openvpn box it was the old site
00:44 < krzie> they just happen to ALSO have a pay version
00:45 <@ecrist> I cannot stop progress.  we have achieved _so_ much in the last 10 months....
00:45 < krzie> in fact since that site was released many new features have been added to the foss version
00:45 < simplechat> hmmmm. 
00:45 <@ecrist> krzie, myself, dazo, and others have been key is such progress.
00:45 < krzie> best devel period for the foss version in years
00:45 < krzie> and cron!
00:46 <@ecrist> in < 1 year we're moving from 2.0.9 as current to 2.2 being released in < 2 months!
00:46 <@ecrist> considering how long 2.0 was around!  Gah!
00:46 < simplechat> hmmmm.
00:46 < simplechat> are you guys being paid reasonably now?
00:46 < krzie> us!?
00:46 <@ecrist> fuch you
00:46 < simplechat> or what was the major changes?
00:46 < krzie> we're community
00:46 < simplechat> or whoever it is who is devving?
00:46 < simplechat> like what happened?
00:47 < simplechat> like what were the actual changes that lead to this being the best dev period
00:47 <@ecrist> read the fucking change logs.  
00:47 < krzie> corp and community started working together :-p
00:47 < krzie> and no we dont get paid, as we've tried to explain we dont work for openvpn technologies
00:47 < simplechat> ecrist, that will tell me what was changed, but not how the environment itself changed
00:47 < krzie> hence it isnt "our" website, etc
00:47 -!- mode/#openvpn [+b *!*@unaffiliated/simplechat] by ecrist
00:47 -!- simplechat was kicked from #openvpn by ecrist [simplechat]
00:47 <@ecrist> fuck him
00:47 < krzie> i remember his nick from long ago
00:47 <@ecrist> ditto
00:48 <@ecrist> he's a passive-aggressive troll
00:53  * ecrist does not plan on unbanning simplechat based on DCC, and leaves it up to other +o
00:53  * krzie whistles
00:55 <@ecrist> hehe "/set badword_words ihaxor simplechat"
00:55  * ecrist mixes another
01:00 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Ping timeout: 260 seconds]
01:00 -!- dazo_afk is now known as dazo
01:02 <@ecrist> 01:01 <simplechat> which was insanely useful as a foss form, until they started going all corperate
01:02 <@ecrist> 01:01 <simplechat> and after a few years they basically squeezed everybody out
01:02 <@ecrist> 01:01 <ecrist> it's still available in the same form!
01:02 <@ecrist> 01:01 <ecrist> click the fucking link!!!!1!!!1!
01:04 -!- regius [~regius@c-43c6e455.034-67-6c6b701.cust.bredbandsbolaget.se] has joined #openvpn
01:06 < regius> Hi! I have configured a bridged openvpn config and it work's great besides that the server it self can not contact the internet.  I can connect to it by openvpn/ssh but i can't run ping google.com
01:06 < regius> Is this a route problem?
01:07 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 265 seconds]
01:08 < regius> brb
01:08 -!- regius [~regius@c-43c6e455.034-67-6c6b701.cust.bredbandsbolaget.se] has quit [Client Quit]
01:08 -!- regius [~regius@c-43c6e455.034-67-6c6b701.cust.bredbandsbolaget.se] has joined #openvpn
01:09 < regius> !goal
01:09 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:10 < regius> !welcome
01:10 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:11 < regius> !route
01:11 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
01:12 < krzie> but thats not for bridging
01:12 < krzie> which is why im silent, i dont do/know bridge setups
01:12  * ecrist looks
01:12 < regius> aa okey thanks
01:13  * ecrist hates +o
01:13  * krzie helps
01:13 -!- mode/#openvpn [-o ecrist] by ChanServ
01:13 < krzie> heheh
01:14 < regius> can't it still be a route problem. It's only a local problem, the server don't connect to the gateway
01:14  * ecrist can't have is script ban those script kiddies of late flooding the channel without +o, though.
01:14 < ecrist> regius: I don't fully understand your issue.
01:14 < krzie> ahh
01:14 -!- mode/#openvpn [+o ecrist] by ChanServ
01:14 <@ecrist> specifically, what does not work, what does work.
01:14 <@ecrist> lol
01:15 <@ecrist> krzie: only reason I'm +o right now. ;)
01:15 <@ecrist> you know me.
01:15 < krzie> i didnt even notice it was you who kb/ed on banned word, for some reason i thought it was the bot
01:16 <@ecrist> can't find a plugin for the bot that can do banwords
01:16 <@vpnHelper> RSS Update - forum: Server Administration :: Linux client stall at Initialization Sequence Completed :: Author RyanP <https://forums.openvpn.net/viewtopic.php?f=4&t=7403&p=8695#p8695>
01:16 <@ecrist> :\
01:16 < regius> openvpn work fine (bridge setup). But the server don't connect to internet properly, for example ssh server, ping google.com don't work
01:17 <@ecrist> if it was my own bot, would be a 5 second perl mod. ;)
01:17 <@ecrist> regius: sounds like a NAT issue
01:17 <@ecrist> !nat
01:17 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
01:18 < krzie> nat?
01:18 < regius> It is not client traffic I want to route
01:18 < krzie> my main curiosity is how can the clients make a connection to the server if the server cannot reach the internet
01:19  * ecrist was getting there...
01:19 < krzie> regius, have you tried to ping an IP (instead of hostname)?
01:21 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
01:21 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
01:21 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
01:22 < regius> wierd, no everything works fine
01:22 < krzie> thats because ecrist knows magic
01:22 < krzie> he fixed it
01:22 < regius> i guess I be back if I can repruduce the problem
01:23 < regius> hehe :-)
01:23 <@ecrist> LOL
01:23 < regius> Tnx ecrist and krzie 
01:23 <@ecrist> no!
01:23 <@ecrist> np! rather
01:23 < krzie> np, literally ;]
01:26 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined #openvpn
02:00 -!- venom00ut [~wer@173.0.2.204] has joined #openvpn
02:00 -!- venom00ut [~wer@173.0.2.204] has quit [Changing host]
02:00 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
02:06 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
02:18 -!- mape2k [~jabber@galatea.net.pennewiss.de] has left #openvpn []
02:18 -!- mape2k [~jabber@galatea.net.pennewiss.de] has joined #openvpn
02:23 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 265 seconds]
02:24 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
02:29 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 260 seconds]
02:53 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 260 seconds]
03:05 -!- WinstonSmith [~true@g230122177.adsl.alicedsl.de] has joined #openvpn
03:08 -!- krzie [~k@openvpn/community/support/krzee] has quit [Ping timeout: 260 seconds]
03:09 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has quit [Read error: Connection reset by peer]
03:09 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn
03:10 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
03:14 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has joined #openvpn
03:29 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 265 seconds]
03:40 < RichiH> ecrist: it's just that, spam
03:40 < RichiH> if they are not klined within seconds, poke us in #freenode
03:49 -!- master_of_master [~master_of@p57B57128.dip.t-dialin.net] has quit [Ping timeout: 260 seconds]
03:50 -!- master_of_master [~master_of@p57B5642C.dip.t-dialin.net] has joined #openvpn
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
04:01 -!- theDoc_ [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
04:01 -!- twister004 [~chatzilla@59.90.34.167] has joined #openvpn
04:10 -!- dennisger [c05701c8@gateway/web/freenode/ip.192.87.1.200] has joined #openvpn
04:10 < dennisger> hi all - is it possible to bind the openvpn server to one ip? I have multiple on my server
04:12 < dennisger> !welcome
04:12 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:12 < dennisger> !goal
04:12 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
04:14 < dennisger> !configs
04:14 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
04:18 -!- Jones1 [~Adium@kulnet-nat-2.kulnet.kuleuven.be] has joined #openvpn
04:19 -!- Jones1 [~Adium@kulnet-nat-2.kulnet.kuleuven.be] has left #openvpn []
04:20 -!- dazo is now known as dazo_afk
04:26 -!- common- [~common@p5DDA49E6.dip0.t-ipconnect.de] has joined #openvpn
04:29 -!- common [~common@p5DDA48AA.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
04:29 -!- common- is now known as common
04:34 -!- SOG [~SOG@113.90.225.172] has quit [Quit: SOG]
04:35 -!- venom00ut [~wer@net-93-70-12-6.cust.dsl.vodafone.it] has joined #openvpn
04:35 -!- venom00ut [~wer@net-93-70-12-6.cust.dsl.vodafone.it] has quit [Changing host]
04:35 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
04:36 < venom00ut> hello, but if I'm on an open wireless network just allowing dns can I contact my openvpn server if it's configured to 53 udp?
04:39 < rjd__> yes
04:39 < venom00ut> cool
04:40 < mape2k> only if you can reach external dns-servers
04:41 < mape2k> if there's only a local caching dns you're allowed to talk it won't work
04:44 -!- star314 [~star314@starnet1.sinh.us] has joined #openvpn
05:07 < hyper_ch> ecrist: online?
05:14 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
05:17 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
05:17 -!- venom00 [~wer@net-93-70-12-6.cust.dsl.vodafone.it] has joined #openvpn
05:17 -!- venom00 [~wer@net-93-70-12-6.cust.dsl.vodafone.it] has quit [Changing host]
05:17 -!- venom00 [~wer@unaffiliated/venom00] has joined #openvpn
05:23 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
05:23 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
05:23 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:25 -!- twister004 [~chatzilla@59.90.34.167] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]]
05:31 -!- venom00 [~wer@unaffiliated/venom00] has quit [Ping timeout: 260 seconds]
05:34 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
05:41 <@vpnHelper> RSS Update - forum: Server Administration :: what is the right way...? :: Author vpnuser <https://forums.openvpn.net/viewtopic.php?f=4&t=7404&p=8696#p8696>
05:41 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 264 seconds]
05:43 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
05:46 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 240 seconds]
05:48 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
05:48 -!- venom00ut [~wer@net-93-70-12-6.cust.dsl.vodafone.it] has joined #openvpn
05:48 -!- venom00ut [~wer@net-93-70-12-6.cust.dsl.vodafone.it] has quit [Changing host]
05:48 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
05:52 -!- sjk [sjk@unaffiliated/sjk] has left #openvpn []
05:59 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
06:05 -!- dazo_afk is now known as dazo
06:05 < dennisger> hi all - is it possible to bind the openvpn server to one ip? I have multiple on my server
06:09 < chantra_afk> dennisger: yep, use "local" in your server coinf
06:10 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 260 seconds]
06:11 < dennisger> chantra_afk: thanks!!
06:11 < chantra_afk> np
06:13 -!- sia^pwnnt_ [115kluu@owned.ninjasinpyjamas.biz] has quit [Remote host closed the connection]
06:18 -!- sia^pwnnt [115kluu@owned.ninjasinpyjamas.biz] has joined #openvpn
06:18 -!- star314 [~star314@starnet1.sinh.us] has quit [Quit: Leaving]
06:19 -!- mape2k [~jabber@galatea.net.pennewiss.de] has left #openvpn []
06:26 -!- Directorsppadic [~sonupunno@88.211.55.77] has joined #openvpn
06:26 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has joined #openvpn
06:30 -!- lupine_85 [~lupine_85@master.lupine.me.uk] has quit [Changing host]
06:30 -!- lupine_85 [~lupine_85@unaffiliated/lupine-85/x-7392152] has joined #openvpn
06:30 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 265 seconds]
06:40 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
06:40 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
06:40 -!- Directorsppadic is now known as DENZEL_XO
06:41 < bauruine> hi, just a small question is it possible to access the public ip of the openvpn server after connection to it with redirecting all traffic through the vpn?  
06:42 < krzie> yes, if it wasnt you wouldnt have a vpn connection
06:42 < krzie> when you redirect-gateway, it adds a route direct to the vpn server over your old default route
06:43 < bauruine> krzie, ok in this case it's my routing setup which broke it :-( 
06:43 < krzie> not sure what you mean, but sounds like you found your problem
06:45 < |Mike|> ecrist: too long list
06:48 -!- DENZEL_XO is now known as macsppadic
06:48 < hyper_ch> krzie: http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
06:48 <@vpnHelper> Title: 'Allegations regarding OpenBSD IPSEC' - MARC (at marc.info)
06:48 < krzie> yep
06:51 < hyper_ch> openvpn does not relay on the obsd ipsec stack, right?
06:51 < macsppadic> yikes
06:51 < krzie> lol, no not at all
06:51 < Rienzilla> shiver
06:51 < hyper_ch> krzie: did you read the above?
06:52 < krzie> ya yesterday when it got dropped on every irc channel on every irc network at the same time
06:52 < Rienzilla> this kind of news is quite a blow to the opensource community
06:52 < krzie> and in msg ;]
06:52 < macsppadic> hehe
06:52 < krzie> this would need to happen in openssl to effect openvpn
06:53 < hyper_ch> Rienzilla: why a blow? every crypto fanatic will now screen the code
06:53 < hyper_ch> while in proprietary code you can't even go check but you have to relay on the producers word that there is nothing in there
06:53 < hyper_ch> (and I'm pretty sure Redmond does build in backdoors for the nsa, cia, .....)
06:54 < krzie> nsakey
06:54 < macsppadic> hyper_ch: good point 
06:54 < krzie> !google nsakey
06:54 <@vpnHelper> _NSAKEY - Wikipedia, the free encyclopedia: <http://en.wikipedia.org/wiki/NSAKEY>; NSA key to Windows an open question - CNN: <http://articles.cnn.com/1999-09-03/tech/9909_03_windows.nsa.02_1_national-security-agency-cryptography-windows-nt4?_s=PM:TECH>; Microsoft Stonewalls NSA_key Questions: <http://cryptome.org/nsakey-ms-dc.htm>
06:54 < bauruine> krzie, you are right. ping to the vpnserver works.  the problem is the openvpn server runs also a webserver on a different ip and after the vpn connection it doesn't work anymore :-/ 
06:54 < Rienzilla> I'm not saying proprietary code is better. But saying that open source is better because we can fix the vulnerabilirties after they have been exploited for ten years is not a very strong argument at best
06:55 < krzie> bauruine, you have 2 options there, better option is to also run the webserver on the internal VPN ip
06:55 < hyper_ch> having an exploit and using an exploit are different things
06:55 < Rienzilla> What I meant was that one of the key advantages of open source is that you can inspect what your program does before you decide to use it. But apparently, nobody does :-)
06:55 < hyper_ch> I tend to think all code has exploits.... but are those konwn and do they get exploited? and how much after discovery is it closed?
06:56 < krzie> Rienzilla, in closed source we likely still would not know
06:56 < macsppadic> krzie: hit the nail on the head there 
06:56 < Rienzilla> krzie: agreed, I'm not saying closed source is better, I'm just saying that the advantage of open source is less than I expected
06:56 < macsppadic> Rienzilla: i remind u of windows vista
06:57 < bauruine> krzie, but in this case i have to push a dns server with my zones and the 10/8 ip.
06:57 < krzie> im actually rather surprised that theo was so fast to admit this... since they continually audit their own code they missed whatever may be there for 10 yrs
06:57 < krzie> surprised and impressed
06:58 < Bushmills> if web server is bound to same ip address as openvpn server, redirecting traffic through vpn doesn't change anything they way the web server is accessed - there's still a host route to web server
06:59 < Bushmills> ...bound the the same interface ...
06:59 < krzie> bauruine, http://forums.openvpn.net/topic7161.html
06:59 <@vpnHelper> Title: OpenVPN Support Forum Split tunnel tweaks? : Scripting and Customizations (at forums.openvpn.net)
06:59 < Bushmills> unless you *want* to access it through openvpn, nothing should be needed
07:00 < krzie> Bushmills, his server has a second ip, and that is the ip the webserver is on
07:00 < Rienzilla> krzie: lol, if I see how incredibly blatant the debian openssl exploit was which got through all the way, I'm not surprised a skilled developer can create subtle backdoors unseen
07:00 < Bushmills> that changes matters
07:00 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
07:01 < krzie> Bushmills, but i just gave him the relevant forum post
07:02 < bauruine> krzie, thanks that sounds like the right thing testing it now.
07:02 < krzie> Rienzilla, ya sometimes it could just be a missing character
07:03 < Rienzilla> yep
07:08 < bauruine> krzie, Bushmills, thanks for the help it's working now (push "route secondip netmask net_gateway"). 
07:08 < krzie> yw
07:08 < krzie> netmask is 255.255.255.255 i assume
07:23 <@ecrist> morning, folks
07:23 < macsppadic> hello ecrist 
07:25 < krzie> moinmoin
07:31 -!- bauruine [~stefan@79-110.4-85.cust.bluewin.ch] has quit [Read error: Operation timed out]
07:33 <@ecrist> krzie: my bank doesn't do those int'l transfers
07:34 < krzie> gotchya
07:34 < krzie> ill see whats up with reiffert's way
07:40 <@ecrist> ok
07:42 -!- bauruine [~stefan@178-73-209-85.cust.vpntunnel.org] has joined #openvpn
07:46 -!- Puck` [puck@akos.me] has left #openvpn ["Have fun."]
07:46 -!- hanasaki [BLACKLIST@76.92.220.37] has quit [Remote host closed the connection]
07:47 < krzie> sry this seems to be turning into so much effort
07:47 -!- hanasaki [BLACKLIST@cpe-76-92-220-37.kc.res.rr.com] has joined #openvpn
07:48 -!- bauruine [~stefan@178-73-209-85.cust.vpntunnel.org] has quit [Read error: Connection reset by peer]
08:08 -!- BoomSie [~gideon@84-245-27-118.dsl.cambrium.nl] has joined #openvpn
08:10 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has joined #openvpn
08:10 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has quit [Changing host]
08:10 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
08:15 -!- venom00ut [~wer@net-93-70-12-6.cust.dsl.vodafone.it] has joined #openvpn
08:15 -!- venom00ut [~wer@net-93-70-12-6.cust.dsl.vodafone.it] has quit [Changing host]
08:15 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
08:20 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
08:20 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
08:20 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
08:20 -!- simplechat [~simplecha@unaffiliated/simplechat] has left #openvpn []
08:23 -!- nobody [~root@113.29.243.245] has joined #openvpn
08:24 < nobody> Hey guys, if i have an openvpn network on the 172.16/16 and i want to route it to/from a 10./8 is there any nice way to do this?
08:25 < nobody> at the moment i have a tap device on the server end, so should i just be able to build a bridge with that and the interface and will it just be able to route properly? or will i need to do something strange on openvpns end to get it to work as a gateway?
08:26 < macsppadic> nobody: the tap interface should sort out the bridge as long as options are right 
08:27 < nobody> macsppadic: what options should i be using?
08:27 < macsppadic> u r trying to route from 172.16 to 10.0/8 rite 
08:27 < nobody> yeah
08:27 -!- nobody [~root@113.29.243.245] has quit [Remote host closed the connection]
08:31 -!- pyther24 [~pyther@unaffiliated/pyther] has joined #openvpn
08:32  * dazo wonders why people still think they need to bridge when all they need is the route command
08:32 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
08:36 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has joined #openvpn
08:36 -!- [intra]lanman [~lanman@c-68-40-206-235.hsd1.mi.comcast.net] has quit [Changing host]
08:36 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
08:39 -!- pyther [~pyther@adsl-99-37-208-222.dsl.bcvloh.sbcglobal.net] has joined #openvpn
08:39 -!- pyther [~pyther@adsl-99-37-208-222.dsl.bcvloh.sbcglobal.net] has quit [Changing host]
08:39 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
08:43 -!- dennisger [c05701c8@gateway/web/freenode/ip.192.87.1.200] has quit [Quit: Page closed]
08:48  * ecrist bridges because it's convenient.
08:48 <@ecrist> and I'm a rebel.
08:53 <@vpnHelper> RSS Update - forum: My VPN :: Re: Windows xp worked and the 7 don't. :: Reply by george <https://forums.openvpn.net/viewtopic.php?f=13&t=7402&p=8697#p8697>
08:54 < |Mike|> i wonder how he copied the keys over :-p
08:55 < theDoc> Ok, just saying, if any of you guys suffer from gastrointestinal gas problems, what works for you?
08:56 < |Mike|> farting!
08:56 < krzie> just stab yourself, poke a lil hole for it to leave
08:58 -!- takamichi [~pri@pm302-97-254.keyworld.net] has joined #openvpn
08:59 < krzie> dazo, yay, nice to have backup on that one, ive been the sole tun V tap nazi around here for too long
09:01 <@dazo> krzie: I don't mind tap so much though, you can still route with tap as well (yeah, I know, the overhead costs) ... but bridging, ugh ... it's not that often needed
09:01 < krzie> good point
09:03 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
09:03 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
09:03 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
09:08  * macsppadic agrees with ecrist on the bridging convenience
09:09  * dazo finds routing much more easier and convenient and more controllable - especially for beginners
09:10 < gladiatr> bridging is nice when you have a dynamic routing environment
09:15 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 240 seconds]
09:15 -!- nameless` [~nameless`@lav35-1-82-236-136-20.fbx.proxad.net] has joined #openvpn
09:15 < nameless`> hi there
09:16 < nameless`> i've got a weird problem which i doesn't explain so far, it's actually the reason of my problem here
09:16 < nameless`> i can connect to my openvpn server with tcp but not with udp
09:16 < nameless`> the thing is that both port are open
09:16 < nameless`> the weird thing is that locally (i mean in my local network) i can connect with udp as well
09:17 < nameless`> (the iptables make no restriction on the ip source)
09:17 < nameless`> my server is nated behind a "box" but i setted up a DMZ
09:17 <@dazo> gladiatr: fair enough, but in that scenario you also know very well what you are doing ... and you won't trample into the all the gotchas bridging can bring
09:17 < gladiatr> dazo, indeed! 
09:18 <@dazo> nameless`: check with tcpdump on your eth device that your UDP connections are forwarded ... it might be your router blocking it
09:18 < gladiatr> dazo, I completely agree with your statement about point-to-point being the easiest and most often useful scenario, though :)
09:18 <@dazo> :)
09:22 -!- bauruine [~stefan@178-73-209-85.cust.vpntunnel.org] has joined #openvpn
09:27 < krzee> ptp doesnt come with forward security tho
09:27 < krzee> i prefer udp routed tun in client/server mode
09:28 < nameless`> dazo: tcpdump shows packet before that iptables process them right ?
09:28 <@dazo> nameless`: yupp
09:28 < nameless`> dazo: then you're true
09:28 < nameless`> dazo: my box blocked the traffic
09:28 < nameless`> and i don't know why
09:28 < nameless`> damn box
09:28 <@dazo> nameless`: what kind of box is it?
09:29 < nameless`> dazo: it's a device provided by my ISP
09:30 <@dazo> ugh
09:30 < nameless`> dazo: yep 
09:30 < nameless`> dazo: it's a modem/switch/router/firewall
09:30 < nameless`> by default everything is nated behind that box
09:30 < nameless`> but i setted up a DMZ for my home-server
09:30 < nameless`> but it obviously didn't work as well as expected :)
09:31 <@dazo> mm ... well, then you'll need to be a PITA towards your ISP :)
09:31 < gladiatr> go get 'em, nameless
09:31 <@dazo> heh
09:31 < nameless`> hu, sorry but what 'PITA' means ?
09:31 < gladiatr> pain in the ass
09:32 < nameless`> huhu
09:41 -!- venom00ut [~wer@net-93-70-12-6.cust.dsl.vodafone.it] has joined #openvpn
09:41 -!- venom00ut [~wer@net-93-70-12-6.cust.dsl.vodafone.it] has quit [Changing host]
09:41 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
09:42 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
09:42 < theDoc> gladiatr: I'm probably missing your point but why bridging for dynamic routing?
09:43 -!- bauruine [~stefan@178-73-209-85.cust.vpntunnel.org] has quit [Read error: Operation timed out]
09:44 < krzee> i dont know the issue trying to be solved, but if you have a subnet that is not used by the router, a route needs to be added to it
09:44 < krzee> such as !route_outside_openvpn
09:44 < krzee> again, i dont know if that applies in this situation
09:44 <@ecrist> should I enable command parsing when it's not at the beginning of the line, krzee?
09:45 < krzee> neg
09:45 < krzee> i did that so he could decide whether or not it may apply, and use the command if he cared to see it
09:46 <@ecrist> ok
09:46 -!- mode/#openvpn [-o ecrist] by ecrist
09:46 -!- mode/#openvpn [+o krzee] by ChanServ
09:47 -!- mode/#openvpn [-b *!*@unaffiliated/simplechat] by krzee
09:47 -!- mode/#openvpn [-o krzee] by krzee
09:56 -!- imagez [~imagez@ks354672.kimsufi.com] has joined #openvpn
10:01 < gladiatr> theDoc, I'm not going to say its impossible, but I've not discovered a way to get a proper multicast over a point-to-point link.  Protocols such as OSPF have the ability to pass routing data over point-to-point links, but I was not able to determine the problem with such a configuration--I ended up bypassing the whole business by using  a bridged/tap config
10:03 < theDoc> gladiatr: I'm working on deploying quagga over a cluster of openvpn servers.
10:03 < theDoc> I'm going to investigate that more when I'm a little more settled down with things.
10:04 < gladiatr> theDoc, cool.  Yeah, OSPF has the functionality to support frame relay and the like.  I just wasn't ever able to get a tun connection to act like what quagga recognizes as a proper p2p link
10:05 < ecrist> heh, the gracious savior
10:05  * gladiatr slides the bong away from ecrist
10:06 < ecrist> o.O
10:06 < theDoc> gladiatr: I wonder why that's the case. What kind of errors were you seeing?
10:06 < theDoc> Sounds like it should work like a charm on paper.
10:07 < gladiatr> theDoc, Indeed. The environment I was using this in is 3 years in the past, but from what I remember, it was a matter of just not seeing the update packets arriving at the destination side of the link.
10:08 < gladiatr> theDoc, unicast: check.  broadcast: check.  multicast: awol
10:08 < theDoc> gladiatr: Strange strange problem.
10:08 -!- macsppadic [~sonupunno@88.211.55.77] has left #openvpn []
10:09 < theDoc> gladiatr: Which would also mean, your ospf routing tables are empty, does it even establish an adjacency?
10:09 -!- mikkel [~mikkel@80.71.132.15] has joined #openvpn
10:10 < gladiatr> theDoc, No.  It wouldn't even do that.
10:10 < gladiatr> theDoc, The non-tunneled networks were converging quite nicely, but connecting them via a p2p openvpn connection did nothing
10:12 < gladiatr> theDoc, now, once I got bridges set up, things were perfect.  tun: like looking at pictures in a magazine  tap: like actually being there
10:12 < gladiatr> heh
10:12 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
10:13 < theDoc> Hm.
10:13 < theDoc> gladiatr: Did debug ospf show you anything relevant?
10:15 < gladiatr> Nope.  It would show that the tun interface was successfully added to the area, but its inability to pass traffic over the link precluded it being able to give me any meaningful data
10:15 < krzee> gladiatr, ecrist doesnt use the bong... that would be me!
10:15 < ecrist> I use the bottle
10:15 < ecrist> :)
10:16 < gladiatr> LMAO
10:16 < ecrist> krzee: did simplechat ask you to unban him, or are you being a nice guy today?
10:16 < theDoc> gladiatr: Strange but thanks for that info, I'm going to test it out. o/
10:16 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
10:17 < krzee> i told him yesterday that ild unban him today
10:17 < krzee> he asked what our policies are re bans, i replied that ild unban him today
10:17 < krzee> if he acts up i wont re-unban
10:18 < ecrist> !policy
10:18 <@vpnHelper> "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario
10:18 < ecrist> doh
10:18 < ecrist> !factoids search rules
10:18 <@vpnHelper> "rules" is http://secure-computing.net/openvpn/openvpn.php for channel guildelines.
10:18 < krzee> heheheh
10:18 < gladiatr> that's sort of relevant.  client-specific rules and access policies as they pertain to channel trolls
10:19 < ecrist> !learn policy as see !rules for #openvpn channel policy
10:19 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
10:19 -!- buntfalke_ [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
10:19 < ecrist> sigh
10:19 < |Mike|> yep
10:20 < ecrist> !learn policy as see !rules for #openvpn channel policy
10:20 <@vpnHelper> Joo got it.
10:22 < gladiatr> irc bots: not as cute or cuddly as kittens but several times more useful
10:24 < ecrist> we use the hell out of vpnHelper
10:24 < ecrist> !factoids
10:24 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
10:24 -!- imagez [~imagez@ks354672.kimsufi.com] has quit [Quit: imagez]
10:25 -!- BoomSie [~gideon@84-245-27-118.dsl.cambrium.nl] has quit [Quit: Ex-Chat]
10:25 < gladiatr> verah nice
10:45 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Read error: Connection reset by peer]
10:45 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
10:45 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
10:45 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
10:56 < krzee> " several times more useful"
10:57 < krzee> hrm, ((0 * several))
10:59 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 276 seconds]
11:01 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
11:05 < gladiatr> haha
11:13 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
11:15 -!- p3rror [~mezgani@41.140.176.72] has joined #openvpn
11:26 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
11:27 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has joined #openvpn
11:28 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
11:32 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
11:40 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
11:52 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 260 seconds]
11:59 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
12:03 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has joined #openvpn
12:04 -!- huzpol [~huzurp@p5087236C.dip.t-dialin.net] has joined #openvpn
12:05 -!- huzpol1 [~huzurp@p50872C91.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
12:12 -!- disaster37 [~disaster@ns3.webcenter.fr] has joined #openvpn
12:17 < gladiatr> !goal
12:17 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:17 < gladiatr> !Vista
12:17 <@vpnHelper> "Vista" is 13:51 < Nirkus> ecrist: i figured it out. i was able to create a link to windows explorer and activate 'run as administrator' within the 'advanced' context menu. using an windows explorer started by that link i was able to write files to c:\program files (x86)\OpenVPN\config\
12:17 < gladiatr> !Vista
12:17 <@vpnHelper> "Vista" is 13:51 < Nirkus> ecrist: i figured it out. i was able to create a link to windows explorer and activate 'run as administrator' within the 'advanced' context menu. using an windows explorer started by that link i was able to write files to c:\program files (x86)\OpenVPN\config\
12:18 < gladiatr> !DNS
12:18 <@vpnHelper> "DNS" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4
12:34 < gladiatr> Most of the posts regarding MS Vista pertain to routes not being installed due to admin privs, etc.  I have only 1 problematic vista laptop (known, good config running on other vista systems, xp and win7).  It connects.  the vpn gui goes green.  The logs show nothing but hippyesque happiness, but the system will only use the DNS server acquired from the wireless devices dhcp convo with the local AP.  The (vpn) DNS IP is configured on t
12:34 < gladiatr> he tap device and is pingable.   
12:34 < gladiatr> I'm missing something...
12:35 < ecrist> I'd suggest asking in #windows.  if the DNS address is getting assigned to the interface, then you need to find a way to tell windows to use it.
12:36 -!- dazo is now known as dazo_afk
12:36 < gladiatr> there's a #windows channel... of course there is :P.  thx
12:36 < ecrist> np
12:48  * Bushmills thinks running vpn with windows machines is compromising the vpn
12:49 < gladiatr> Bushmills, lol
12:50 -!- Jmainguy [466cf917@gateway/web/freenode/ip.70.108.249.23] has joined #openvpn
12:51 < Jmainguy> hey, a client recently asked if he should renew his SonicWall license
12:51 < Jmainguy> as i understand SonicWall is just a vpn software
12:51 < Jmainguy> Can I install openvpn on his windows machine so he can share files with dallas and maryland 
12:51 < Bushmills> is it openvpn compatible?
12:51 < Jmainguy> I dont know much about it
12:51 < Jmainguy> they want 1k to upgrade it
12:52 < Jmainguy> so im looking for an alternative
12:52 < Bushmills> then assume that it isn't
12:52 < Jmainguy> this is my first foray into security
12:52 < Jmainguy> as im an idiot and run programs as root on my vps's
12:52 < Jmainguy> but he basically wants a WAN with his remote offices
12:53 < Bushmills> then running a vpn may lead to endangering your clients
12:53 < Jmainguy> or may lead to saving them money
12:53 < Jmainguy> so thats what im gonna do
12:53 < Jmainguy> anyways
12:53 < Jmainguy> Do I need a paid license to set up openvpn with his remote offices
12:54 < Jmainguy> and does it install on windows or only linux
12:54 < Bushmills> no. openvpn is free software
12:54 < Bushmills> it can be used on windows too
12:55 < Jmainguy> great thank you Bushmills
12:55 < Bushmills> but windows is a bit quirky, and my need a bit extra setup effort
12:55 < Jmainguy> I see
12:55 < Bushmills> may
12:55 < Bushmills> things like these, for example:
12:55 < Jmainguy> Would it be worthwile installing a cheap linux box at the main office
12:55 < Bushmills> !winroute
12:55 < Jmainguy> and having the vpn go through that?
12:55 <@vpnHelper> "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
12:56 < Bushmills> depends on your needs.  if nobody will use it, it's not going to be worthwhile
12:58 < Jmainguy> yeah
12:58 < Jmainguy> basically the client got the sonicwall thing a year ago to encrypt his emails
12:58 < Jmainguy> he has no idea if it is even doing that
12:59 < Jmainguy> and wants to know if he should get it for another year
12:59 < Bushmills> unless you gain the skills to set it up and use it, thereby being able to deploy it without much start up time
12:59 < Jmainguy> alot of research ahead of me
13:00 < Jmainguy> I love learning new things, and I really want to get better at security
13:00 < Bushmills> well, i'd say that most people here would say "use openvpn", but that's to be expected on a product specific channel
13:00 < Jmainguy> yeah
13:00 < Jmainguy> thats what im basically gonna tell him
13:00 < Jmainguy> I just have to learn how to install the OpenVpn before i tell him that
13:01  * Bushmills nods
13:02 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
13:05 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has quit [Quit: Leaving]
13:05 < Bushmills> maybe with factoid is helpful:
13:05 < Bushmills> !pptp
13:05 <@vpnHelper> "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to read
13:05 <@vpnHelper> about why to not use pptp
13:06 < Bushmills> this ...
13:06 < Bushmills> pptp is the vpn software and protocol which comes with windows
13:06 < Bushmills> chances are that the vpn software you mentioned is compatible with this
13:08 < Jmainguy> lol Microsoft recomending you not use a product they made
13:08 < Jmainguy> nice
13:14 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
13:14 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
13:14 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
13:15 -!- necktie [~eddie@ns213451.ovh.net] has joined #openvpn
13:15 < necktie> !welcome
13:15 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:16 < Jmainguy> !howto
13:16 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:18 < necktie> !howto
13:18 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:19 -!- tjz [~pc@unaffiliated/tjz] has quit [Quit: bbl.]
13:21 < necktie> can openvpn be used to connect through my dedicated server from my home computer? sorry, i'm a complete noob..
13:23 < krzee> yes
13:23 < krzee> !redirect
13:23 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:26 < Bushmills> necktie: connect where to?
13:27 < necktie> krzee: would it be possible for you to help me set this up? or is it very difficult? i'm reading the how to page but this is like i different language to me :'(
13:28 < krzee> its basically:
13:28 < krzee> !sample
13:28 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
13:28 < krzee> !redirect
13:28 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:29 < Bushmills> and possibly, take care of
13:29 < Bushmills> !dns
13:29 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4
13:29 -!- Manny [~Christian@p549655A0.dip.t-dialin.net] has joined #openvpn
13:29 < Manny> hi
13:30 < Manny> any experience with multiple parallel VPN connections that are used only by some applications? Most websites seem to suggest to use tsocks in conjunction with OpenVPN.
13:30 < Manny> it seems that my main problems are:
13:30 < Manny> a) how to run multiple openvpn clients -- covered under http://www.fosiul.com/index.php/2010/04/linuxhow-to-create-multiple-openvpn-instances/
13:30 < Manny> b) how to connect properly to them
13:30 < Bushmills> connect to clients?
13:30 < Manny> c) how to prevent leaks
13:31 < necktie> krzee, Bushmills: yes. i think redirect is what i'm looking for
13:32 < Bushmills> Manny: rather than allowing specific apps on client only, consider to proxy their access through vpn
13:32 < Manny> Bushmills, I don't run any VPN server, but want to connect to other ones (over the internet). However, I most of my applications should not use any VPN. Only a few applications rather than the entire system should be protected.
13:33 < Bushmills> for example, if you want to run http traffic over vpn, rather than trying to route, or socksify http traffic, put a http proxy on a vpn accessable location, and configure web clients to use that proxy
13:33 < krzee> !socks
13:34 < krzee> !sockd
13:34 <@vpnHelper> "sockd" is if you want !routebyapp you can use this dante config www.ircpimps.org/sockd.conf but BE SURE TO ONLY RUN THIS ON THE INTERNAL VPN IP! otherwise you will be an open proxy. that config has no security because its expected to run inside openvpn
13:34 < krzee> !routebyapp
13:34 <@vpnHelper> "routebyapp" is if you want to send only certain apps over the VPN you need to run a socks server on the internal VPN subnet (see !sockd) then get an app like proxifier (google it) to selectively route traffic over the socks proxy based on port/app/subnet or any combination.
13:35 -!- Apachez [~apachez@unaffiliated/apachez] has joined #openvpn
13:36 < Manny> krzee, thanks. Some websites also suggest to use custom routing tables that redirect packages for certain users to a certain tunX iface created by OpenVPN. I could also run the respective applications as special users vpnuser1...vpnuserM created for connecting to the M OpenVPN instances
13:37 < Manny> do you think the latter is a good idea?
13:37 < necktie> krzee: so i start off by making a file called openvpn.configs on my dedicated server?
13:38 < secretary_linux> greetings - quick question: I'm creating a bridged vpn.. should I apply my iptables rules to the br0 bridge interface I'm creating for the vpn or to the eth0 interface I'm bridging to the bridge interface (with promisc etc)
13:41 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
13:41 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Read error: Connection reset by peer]
13:45 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 240 seconds]
13:46 -!- brah [~asdofp@190.7.17.210] has joined #openvpn
13:51 < disaster37> re
13:51 < disaster37> I have try to set tcp to udp
13:51 < disaster37> it's better
13:52 < disaster37> but there are still a speed problem
13:52 < disaster37> now with vpn 400ko/s
13:52 < disaster37> without 900k/s
13:52 < disaster37> with xp sp3
13:52 < disaster37> with seven it's good
13:55 -!- necktie is now known as neckti3
13:56 -!- neckti3 is now known as neckti3e
13:56 -!- neckti3e [~eddie@ns213451.ovh.net] has left #openvpn []
13:59 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:17 -!- Manny [~Christian@p549655A0.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
14:27 -!- Champi [Champi@damn.e-leet.be] has quit [Read error: Operation timed out]
14:28 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn
14:28 -!- gdb``` [~user@2001:4830:2446:b5:214:4fff:fe4a:f0] has joined #openvpn
14:29 -!- gdb`` [~user@dr-wily.ipv6.mit.edu] has quit [Remote host closed the connection]
14:30 -!- Champi [Champi@damn.e-leet.be] has joined #openvpn
14:43 -!- luneff [~yury@84.51.197.80] has joined #openvpn
14:45 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 240 seconds]
14:56 -!- bitterman [~yury@84.51.197.80] has joined #openvpn
14:57 -!- Jmainguy [466cf917@gateway/web/freenode/ip.70.108.249.23] has quit [Quit: Page closed]
14:58 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
14:59 -!- bitterman [~yury@84.51.197.80] has quit [Read error: Connection reset by peer]
14:59 -!- luneff [~yury@84.51.197.80] has quit [Ping timeout: 264 seconds]
14:59 -!- bitterman [~yury@84.51.197.80] has joined #openvpn
15:01 -!- bitterman [~yury@84.51.197.80] has quit [Client Quit]
15:10 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
15:10 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
15:10 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
15:15 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Read error: Connection reset by peer]
15:16 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
15:32 < reiffert> how many fbi nsa side channel attacks are there in openvpn?
15:32 < reiffert> http://marc.info/?l=openbsd-tech&m=129236621626462&w=2
15:32 <@vpnHelper> Title: 'Allegations regarding OpenBSD IPSEC' - MARC (at marc.info)
15:34 -!- star314 [~star314@starnet1.sinh.us] has joined #openvpn
15:38 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has quit [Read error: Connection reset by peer]
15:38 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has joined #openvpn
15:39 < krzee> reiffert, only 5
15:48 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has joined #openvpn
15:51 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]]
15:58 -!- star314 [~star314@starnet1.sinh.us] has quit [Quit: Leaving]
15:58 -!- star314 [~star314@starnet1.sinh.us] has joined #openvpn
16:04 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has left #openvpn []
16:10 -!- p3rror [~mezgani@41.140.176.72] has quit [Ping timeout: 272 seconds]
16:13 -!- R-66Y [~nobody@elegua.za.net] has quit [Quit: Leaving.]
16:22 -!- Bebop2Steady [~Bebop2Ste@124-168-55-212.dyn.iinet.net.au] has joined #openvpn
16:24 < Bebop2Steady> !welcome
16:24 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:24 < Bebop2Steady> !redirect
16:24 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
16:24 < Bebop2Steady> !def1
16:24 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
16:25 < Bebop2Steady> !ipforward
16:25 <@vpnHelper> "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
16:26 < Bebop2Steady> !linipforward
16:26 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
16:27 < Bebop2Steady> !nat
16:27 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
16:27 < Bebop2Steady> !linnat
16:27 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
16:28 -!- p3rror [~mezgani@41.140.176.15] has joined #openvpn
16:29 -!- disaster37 [~disaster@ns3.webcenter.fr] has quit [Ping timeout: 265 seconds]
16:41 -!- Manny [~Christian@p549655A0.dip.t-dialin.net] has joined #openvpn
16:42 -!- Manny [~Christian@p549655A0.dip.t-dialin.net] has quit [Client Quit]
16:48 -!- takamichi [~pri@pm302-97-254.keyworld.net] has quit [Ping timeout: 264 seconds]
16:48 -!- takamichi [~pri@194.126.175.219] has joined #openvpn
17:05 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
17:06 -!- mikkel [~mikkel@80.71.132.15] has quit [Quit: Leaving]
17:13 -!- adawda [~awdawdadq@91-121-219-67.dc1.fusa.be] has joined #openvpn
17:15 -!- Bebop2Steady [~Bebop2Ste@124-168-55-212.dyn.iinet.net.au] has quit [Quit: KVIrc 4.0.2 Insomnia http://www.kvirc.net/]
17:26 -!- WinstonSmith [~true@g230122177.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
17:32 -!- s7r [~s7r@79.142.65.62] has joined #openvpn
17:32 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
17:39 -!- star314 [~star314@starnet1.sinh.us] has quit [Quit: Leaving]
17:47 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
18:04 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has joined #openvpn
18:10 -!- takamichi [~pri@194.126.175.219] has quit [Ping timeout: 240 seconds]
18:10 -!- takamichi [~pri@pm302-97-254.keyworld.net] has joined #openvpn
18:17 <@vpnHelper> RSS Update - forum: Server Administration :: process openvpn.exe problem :: Author mrmassis <https://forums.openvpn.net/viewtopic.php?f=4&t=7405&p=8698#p8698> || My VPN :: Re: Windows xp worked and the 7 don't. :: Reply by pinguim007 <https://forums.openvpn.net/viewtopic.php?f=13&t=7402&p=8699#p8699>
18:36 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
18:53 -!- devilspgd [me@devilspgd.net] has joined #openvpn
18:53 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
18:53 < devilspgd> I'm trying to connect to a OpenVPN server that pushes "redirect-gateway def1", can I override that from the client side if I don't want it taking over my default gateway?
18:55 < Bushmills> check out  --route-nopull  option
18:55 < devilspgd> Thanks... RTFMing now
18:59 < Bushmills> you could also delete the two 0.0.0.0/31 and 128.0.0.0/31 routes
18:59 < Bushmills> ehm
18:59 < Bushmills>  /1, both, that is
18:59 < devilspgd> Yeah that was my first approach
19:00 < devilspgd> Didn't seem like a very clean approach
19:02 < Bushmills> can be cleaner than rejecting all routes, and having to add some of them manually
19:02 < Bushmills> (or in the connect script)
19:14 -!- s7r [~s7r@79.142.65.62] has left #openvpn []
19:21 -!- nb [~nb@fedora/nb] has quit [Read error: Connection reset by peer]
19:22 -!- nb [~nb@fedora/nb] has joined #openvpn
19:23 <@vpnHelper> RSS Update - forum: My VPN :: Re: Windows xp worked and the 7 don't. :: Reply by pinguim007 <https://forums.openvpn.net/viewtopic.php?f=13&t=7402&p=8700#p8700>
19:25 -!- nb [~nb@fedora/nb] has quit [Read error: Operation timed out]
19:34 -!- nb [~nb@fedora/nb] has joined #openvpn
19:41 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has joined #openvpn
19:56 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
20:04 -!- newmember [~chatzilla@S010600036d1139bb.cg.shawcable.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]]
20:20 -!- huzpol [~huzurp@p5087236C.dip.t-dialin.net] has quit [Read error: Connection reset by peer]
20:54 -!- hanasaki [BLACKLIST@cpe-76-92-220-37.kc.res.rr.com] has quit [Quit: Leaving.]
21:22 -!- batrick [~batrick@nmap/developer/batrick] has quit [Read error: Operation timed out]
21:22 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn
21:35 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Read error: Connection reset by peer]
21:35 -!- atan2 [~atan@unaffiliated/atan] has quit [Ping timeout: 240 seconds]
21:42 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
21:52 -!- Klem__ [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has quit [Ping timeout: 250 seconds]
22:01 -!- Klem__ [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has joined #openvpn
22:16 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:17 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
22:26 -!- pyther24 [~pyther@unaffiliated/pyther] has quit [Quit: leaving]
22:39 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 265 seconds]
22:50 -!- pyther [~pyther@unaffiliated/pyther] has quit [Read error: Operation timed out]
22:51 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:28 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has quit [Quit: leaving]
23:48 -!- caesay_ is now known as caesay
23:48 -!- caesay [~caesay@173.236.15.70] has quit [Changing host]
23:48 -!- caesay [~caesay@unvanquished/associate/sniperx] has joined #openvpn
23:57 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has quit [Read error: Connection reset by peer]
23:59 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn
--- Day changed Thu Dec 16 2010
01:00 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:06 -!- mape2k [~jabber@galatea.net.pennewiss.de] has joined #openvpn
01:09 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
01:14 -!- dazo_afk is now known as dazo
01:21 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Read error: Operation timed out]
01:37 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
01:41 -!- NoOova [~pasha@unaffiliated/nooova] has joined #openvpn
01:41 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
01:41 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Excess Flood]
01:41 < NoOova> Hi all! My VPN connection is shutting down after lond doing nothing
01:41 -!- LowKey [rhel@unaffiliated/lowkey] has joined #openvpn
01:41 < NoOova> how i can support connection?
01:41 < NoOova> loke autoping in 1 min
01:41 < NoOova> like
01:59 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
02:08 <@dazo> NoOova: look at --keepalive in the man page
02:08 < NoOova> thanks =)
02:15 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:16 -!- dennisger [c05701c8@gateway/web/freenode/ip.192.87.1.200] has joined #openvpn
02:16 < dennisger> llo - i got this error: Thu Dec 16 09:15:30 2010 192.87.1.200:43842 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-pam.so
02:17 < dennisger> what does it mean?
02:22 -!- venom00ut [~wer@173.0.5.204] has joined #openvpn
02:22 -!- venom00ut [~wer@173.0.5.204] has quit [Changing host]
02:22 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
02:31 < dennisger> never mind - looks like an debian error
02:36 < dennisger> Okay, another question... I just want to have an VPN but now it also does http for example trough the tunnel but i dont want that
02:37 < dennisger> whats the configuration setting for it? :)
02:40 < hyper_ch> dennisger: do you want just to be able to connect to the vpn or do you want to route outgoing (internet) traffic through it?
02:46 < mape2k> dennisger... user and/or password seems to be wrong... or something went wrong with auth
02:50 -!- dazo is now known as dazo_afk
03:11 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
03:18 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
03:19 -!- NoOova [~pasha@unaffiliated/nooova] has quit [Ping timeout: 255 seconds]
03:26 -!- macsppadic [~sonupunno@88.211.55.77] has joined #openvpn
03:35 -!- star314 [~star314@xchg.fiss-oeaw.at] has joined #openvpn
03:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 240 seconds]
03:48 -!- master_of_master [~master_of@p57B5642C.dip.t-dialin.net] has quit [Ping timeout: 276 seconds]
03:50 -!- master_of_master [~master_of@p57B57A61.dip.t-dialin.net] has joined #openvpn
03:51 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:54 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
04:26 -!- common- [~common@p5DDA49F3.dip0.t-ipconnect.de] has joined #openvpn
04:29 -!- common [~common@p5DDA49E6.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
04:29 -!- common- is now known as common
04:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
04:40 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has quit [Ping timeout: 260 seconds]
04:41 -!- mannaz [~mannaz@78.142.150.242] has joined #openvpn
04:41 < mannaz> !welcome
04:41 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:47 -!- dazo_afk is now known as dazo
04:53 < dennisger> hyper_ch: i just awnt to connect to the vpn, internet traffic shouldt be routed trough it
04:53 < dennisger> mape2k: its fixed already, libpam-mysql seems to be broken in debian repo's. thanks!
04:54 -!- atan [~atan@unaffiliated/atan] has quit [Quit: null]
04:55 < hyper_ch> dennisger: then don't redirect def1
04:55 < hyper_ch> then you will have access to the vpn but by default no traffic is routed through the vpn
05:09 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
05:09 -!- ksk [~ksk@im.knubz.de] has joined #openvpn
05:13 -!- gorkhaan [~gorkhaan@87.229.108.75] has joined #openvpn
05:16 < mannaz> hi #openvpn - i need some help with a fresh install. My client (windows) does not connect. This is the server output: http://pastebin.com/GvYX08q4
05:17 < mannaz> this repeats forever - as long as the client is trying to connect
05:17 < mannaz> any sugestions?
05:18 < mannaz> log in corret order: http://pastebin.com/z08F5zGQ
05:18 < mannaz> *correct
05:31 -!- macsppadic [~sonupunno@88.211.55.77] has quit [Quit: macsppadic]
05:35 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
05:35 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
05:35 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:44 -!- mannaz1 [~mannaz@194.24.158.3] has joined #openvpn
05:45 -!- mannaz1 [~mannaz@194.24.158.3] has quit [Client Quit]
05:45 -!- mannaz [~mannaz@78.142.150.242] has quit [Ping timeout: 265 seconds]
05:55 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has quit [Read error: Connection reset by peer]
05:56 < dennisger> hyper_ch: thanks!
05:56 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn
06:00  * dazo thinks some people should learn to ready before crying out for help ...
06:00 <@dazo> WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1492)
06:00 <@dazo> gee ... is this really so unclear?
06:01 < dennisger> hyper_ch: i've commented it on the client side out but its still internetting trough the tunnel..
06:02 < hyper_ch> dennisger: the client has nothing to say about it
06:02 < hyper_ch> routes are given out by the server
06:02 < hyper_ch> if you need different settings, use a ccd for each client
06:02 < hyper_ch> !ccd
06:02 <@vpnHelper> "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
06:02 -!- mannaz [~mannaz@78.142.150.242] has joined #openvpn
06:02 < dennisger> aaah okay, thank you!
06:03 < dennisger> push "redirect-gateway" is the problem then i guess
06:10 -!- pa [~pa@unaffiliated/pa] has quit [Ping timeout: 255 seconds]
06:21 -!- binou [~cow_suka_@41.226.250.21] has joined #openvpn
06:21 -!- binou [~cow_suka_@41.226.250.21] has left #openvpn []
06:26 -!- binou [~cow_suka_@41.226.250.21] has joined #openvpn
06:26 -binou:#openvpn- join the club http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
06:26 < binou> elite botnet http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870
06:26 -!- binou [~cow_suka_@41.226.250.21] has left #openvpn ["http://ihaxor.hpage.com/get_file.php?id=911760&vnr=411870"]
06:31 -!- bauruine [~stefan@cust.static.46-14-255-113.swisscomdata.ch] has joined #openvpn
06:31 < |Mike|> ecrist: you're too slow
06:31 < |Mike|> erm, you need to be chaop :P
06:31 < |Mike|> *chanop
06:33 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
06:33 < dennisger> thats stage
06:33 < dennisger> i can ping the server from my client but i cant ping the client from my server
06:33 < mannaz> hi, can someone help me with my connecting problem? This is the server output: http://pastebin.com/wuS6LbEb
06:34 < mannaz> client just shows http://pastebin.com/dk1yVW5F in an endless loop
06:36 < mannaz> ok, found the problem
06:36 < mannaz> tls-remote was not as in the server cert
06:39 -!- mode/#openvpn [+o ecrist] by ChanServ
06:39 < mannaz> has anyone of you experiences with openvpn + android?
06:39 <@ecrist> mannaz: I couldn't get it to work. :)
06:39 <@ecrist> 06:26 -!- #openvpn You're not channel operator
06:39 <@ecrist> 06:26 -!- #openvpn You're not channel operator
06:40 < bauruine> mannaz, i have no root on my android phone :-( 
06:42 < bauruine> is there a good openvpn dokumentation? is it possilble to tel openvpn client to use a specific routing table for pushed routes? 
06:42 < mannaz> ecrist: damn
06:42 < mannaz> because 2.2 has some vpn settings
06:43 -!- chantra_afk [~chantra@unaffiliated/chantra] has quit [Quit: Reconnecting]
06:43 -!- chantra_afk [~chantra@unaffiliated/chantra] has joined #openvpn
06:50 <@dazo> mannaz: you have a WARNING in your log file you need to solve as well
06:50 <@dazo> another WARNING, that is
06:52 <@dazo> bauruine: what do you mean with specific "routing table"?
06:52 <@dazo> mannaz: I doubt Android itself support OpenVPN out of the box ... but the infrastructure (tun driver) should be in place, but you most probably need to root your phone
06:53  * dazo suspects built in Andriod VPN support to be l2tp and/or pptp based
06:56 < bauruine> dazo, i mean linux iproute2 routing tables. 
06:57 <@dazo> bauruine: openvpn supports iproute2 if compiled with that support, but I doubt it supports more advanced features than what the traditional route tools does
06:58 -!- dennisger [c05701c8@gateway/web/freenode/ip.192.87.1.200] has quit [Quit: Page closed]
06:58 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
06:59 < mannaz> dazo: damn - so i have to look for a l2tp vpn server
06:59 < mannaz> any suggestions?
06:59 <@dazo> this is #openvpn
06:59 <@dazo> So I suggest, root your phone and get openvpn installed
07:00 < bauruine> dazo, at the moment i have route-nopull in the config and add all the routes with a script ( eg.  ip route add default via $ROUTER1 dev $DEV1 table vpnprovider1)
07:01 <@dazo> bauruine: check if route-up can be more useful for you ... I think that can be used to intercept pushed routes ... but I'm not completely convinced it works like that
07:09 < bauruine> dazo, thanks looking at it atm.
07:15 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 240 seconds]
07:28 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
07:30 < bauruine> dazo, is there a documentation about route-up? i've made a script which echoes the $1 $2 etc. but those are empty :-/ 
07:30 <@dazo> bauruine: not more than which is in man pages, afaik
07:44 -!- mannaz [~mannaz@78.142.150.242] has left #openvpn []
07:48 -!- takamichi [~pri@pm302-97-254.keyworld.net] has quit [Ping timeout: 276 seconds]
07:49 -!- takamichi [~pri@194.126.175.219] has joined #openvpn
07:49 -!- pa [~pa@unaffiliated/pa] has quit [Max SendQ exceeded]
08:00 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 265 seconds]
08:02 -!- krzie [~k@openvpn/community/support/krzee] has quit [Remote host closed the connection]
08:06 -!- star314 [~star314@xchg.fiss-oeaw.at] has quit [Quit: Leaving]
08:10 -!- raw_ [~raw@chipotle118.server4you.de] has joined #openvpn
08:11 < raw_> maybe iam just missing a basic understanding of openvpn, but: why does my openvpn-client state that it cant bind to port 1194? its a client, so why bind ports?
08:11 < raw_> i have a openvpn server currently running, so the port is blocked
08:16 <@dazo> raw_: it might be that the client config binds a management interface to localhost:1194
08:16 <@dazo> depends on your config
08:16 < raw_> http://pastebin.com/VA4DdWYF
08:17 < raw_> there is my config so far
08:17 < raw_> the box iam working on is running a local openvpn server and is connected to a other openvpn
08:17 < raw_> and now i want to add a 2nd openvpn-connection :)
08:18 < raw_> just to route to one ip
08:18 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
08:19 < raw_> i've just updated the pastebin with my error output
08:21 -!- mape2k [~jabber@galatea.net.pennewiss.de] has left #openvpn []
08:21 < bauruine> raw_, maybe you need the nobind option 
08:22  * bauruine just guessing ^^
08:22 < raw_> worth a try
08:25 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
08:26  * bauruine cries 
08:28 < raw_> uh its working :)
08:31 < bauruine> isn't it possible to use for in a route-up script? http://paste.pocoo.org/show/v6tsZzQNppSDkpOMav05/  but it doesn't output anything to args if i run it in the terminal it works :-/ 
08:41 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
08:42 < raw_> bauruine, indeed, nobind was what i was missing
08:42 < raw_> thank you
08:42 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
08:49 -!- adawda [~awdawdadq@91-121-219-67.dc1.fusa.be] has quit [Ping timeout: 240 seconds]
08:50 -!- nubix [~opera@dslb-092-076-182-104.pools.arcor-ip.net] has joined #openvpn
08:52 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
09:13 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
09:14 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Read error: Connection reset by peer]
09:15 -!- adawda [~awdawdadq@91-121-219-67.dc1.fusa.be] has joined #openvpn
09:17 -!- boswarrior1 [~mrnice@78.142.173.114] has joined #openvpn
09:21 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
09:23 -!- nubix [~opera@dslb-092-076-182-104.pools.arcor-ip.net] has quit [Ping timeout: 240 seconds]
09:30 -!- atan2 [~atan@unaffiliated/atan] has quit [Read error: Connection reset by peer]
09:55 -!- dborgmann [~dborgmann@p4FCB58C0.dip.t-dialin.net] has joined #openvpn
09:55 < dborgmann> hello there!
09:55 < dborgmann> i am using openvpn without encryption and it will blast my ALIX 500MHz-CPU to its limits anyway while trying to transfer via 802.11g-WLAN. is there another option to reduce cpu-load apart from not using encryption?
09:56 < hyper_ch> using a different encryption method
09:56 < hyper_ch> there are various ciphers available
09:57 < krzee> hyper_ch, theres no way that cipher none uses more than any cipher
09:58 < hyper_ch> krzee: ?
09:58 < krzee> dborgmann, are you using udp?  if not that could reduce load
09:58 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
09:58 < krzee> since tcp does some buffering
09:58 < krzee> hyper_ch, he said he is currently using NO encryption, you said he could reduce load by changing ciphers
09:59 < hyper_ch> krzee: I think you missunderstand... he asks to lower the cpu load and what options there are - except from using no encrpytion
09:59 < krzee> he currently uses no encryption and still has high load, he wants additional ways to lower load
10:00 < hyper_ch> dborgmann: oh... right... sorry
10:00  * hyper_ch gives a big cookie to krzee
10:00 < krzee> =]
10:00  * dazo snaps that cookie
10:01  * hyper_ch says thta it's actually a poisonous cookie because krzee dared to correct him
10:01  * krzee logs in again and gets a new cookie!
10:01 < hyper_ch> damn, I need to finish a plead and I just don't get anywhere
10:02  * krzee finished some crazy math for the office, now has a team of monkeys trying to break it
10:02 < krzee> but they wont be able to ;]
10:02 < krzee> step 2, code it
10:02 < hyper_ch> given enough monkeys, given enough time and typewriters, they will be able to break it
10:02 < krzee> step 3, ???
10:03 < krzee> step 4, take over the world
10:03 < hyper_ch> why does nobody includ a take-over-teh-world button in their applications
10:04 < bauruine> hyper_ch, i am sure emacs has one :>
10:05 -!- takamichi [~pri@194.126.175.219] has quit [Ping timeout: 240 seconds]
10:05 -!- Klem__ is now known as Klem
10:05 < hyper_ch> emacs has the butterfly-button... but never heard that it has a take-over-the-word one
10:05 -!- takamichi [~pri@pm302-97-254.keyworld.net] has joined #openvpn
10:10 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
10:15 -!- bauruine [~stefan@cust.static.46-14-255-113.swisscomdata.ch] has quit [Read error: Operation timed out]
10:22 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Wibbly Wobbly IRC]
10:22 < dborgmann> sorry, was awk. i will read your answers... just a moment
10:22 < dborgmann> afk i mean ;-)
10:23 < hyper_ch> awk is also fine
10:23 < dborgmann> awk, hehe
10:23 < dborgmann> awk is powerful
10:24 < dborgmann> ok, so i read your posts
10:24 < dborgmann> i am using udp within openvpn, and no encryption at all
10:24 < hyper_ch> why use then openvpn when you don't use any encryption?
10:24 < dborgmann> anyway i have 100% load on a 500MHz x86 machine while putting 16mbit through it
10:24 < dborgmann> i want to create a bridge
10:24 < dborgmann> and this can easily be done with openvpn
10:24 < hyper_ch> what for?
10:25 < dborgmann> bridging wireless and rj45
10:25 < hyper_ch> well, as long as you are happy :)
10:25 < dborgmann> this seemed to be the easiest way to do it
10:25 < dborgmann> and it works quite fine
10:25 < dborgmann> except the cpu load
10:26 < dborgmann> with com-lzo i can reach up to 32mbit, which already is quite high, but i guess, this one will be lower if i transfer uncompressible data
10:26 < dborgmann> wihtout comp-lzo i am down to 16mbit with 100% load
10:27 < hyper_ch> shouldn't lzo make it slower?
10:28 < dborgmann> it should, but i guess it speeds it up, since the data is so good compressibel ( i am using iperf for tests), that the gain is higher than the loss by cpu-power
10:28 < dborgmann> so effectively it might work slower than 16mbit with lzo, but since the data can be compressed very well, the effective thoughput is higher
10:28 < dborgmann> at least that's what i suppose
10:29 < krzee> [08:25]  <dborgmann> bridging wireless and rj45
10:29 < krzee> you TOTALLY do not need to do that
10:29 < krzee> they are already the same layer2
10:29 < dborgmann> what else then?
10:30 < krzee> if they arent, it is because of an error in your topology, fix that and you dont need openvpn
10:30 < krzee> i assume the error is double-natting
10:30 < krzee> just reserve an ip block of the subnet for the wireless, you dont need to double-nat
10:31 < krzee> sure there are valid reasons for seperating the layer2's
10:31 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has joined #openvpn
10:31 < dborgmann> simply bridging won't work
10:31 < krzee> however, when you then go and bridge them together, you get rid of that separation, and should just do it right in the first place
10:31 < krzee> you dont need to bridge at all!
10:32 < krzee> you just let your wireless router give out IPs in the same subnet
10:32 < dborgmann> because of different header infos during wireless usage
10:32 < krzee> i guess the wireless router would be in bridge mode
10:32 < krzee> the wireless router should take care of that header stuff
10:32 < dborgmann> if you do WDS via wireless, then you need 4(four) MACs inside the transmission packets - in the IP header. this cannot be done using no WDS.
10:33 < dborgmann> and WDS can't do no WPA. that's why i built it the way i did.
10:33 < dborgmann> WPA via wireless and an openvpn tunnel though the wireless connection
10:33 < dborgmann> anyway, that doesn't matter that much. i just would like to know, how to get rid of high cpu usage ;-)
10:33 -!- gorkhaan [~gorkhaan@87.229.108.75] has quit [Ping timeout: 276 seconds]
10:34 < krzee> by getting a real computer? :-p
10:34 < dborgmann> that was my first thought as well
10:34 < dborgmann> :-)
10:34 < dborgmann> but can't do so...
10:34 < dborgmann> i am limited to the small boards :-(
10:34 < krzee> but seriously, there is no reason to bridge 2 sites that are already local using openvpn
10:34 < krzee> in fact you may be getting 100% cpu from some sort of arp loop
10:35 < krzee> im no bridging expert, but i could see something like that happening
10:35 < dborgmann> arp loop within the openvpn tunnel?
10:35 < dborgmann> so tcpdump on the tap device might help?
10:37 < krzee> it would eliminate (or prove right) that idea
10:38 < dborgmann> ok, i don't know, which ARP-ing could be done insinde the tunnel, but i will have a look at that one. thanks a lot!
10:41 < krzee> np, pls feel free to share the results of your testing
10:42 < common> dborgmann: you could use a ocf patched kernel and use the hardware aes engine in the geode cpu using a patched openssl which can make use of the cryptodev provided by your ocf patched kernel
10:43 < common> I got an geode based machine myself, but for me thats to much patching (...)
10:44 < common> linux lacks a kernel to userspace crypto api by default
10:44 < krzee> however he has no need for encryption at all
10:44 < common> hrmkay
10:44 < krzee> he is bridging 2 subnets in his lan
10:44 < krzee> which to me is silly to use openvpn for
10:44 < common> yep
10:44 < common> brctrl
10:45 < krzee> he says that wont work for wireless + wired, i disagree even tho i dont know much about bridging
10:45 < krzee> all i do know is that if you are using openvpn in your own lan just to bridge, you're for sure doing it wrong
10:46 < krzee> openvpn bridging is for lans seperated by internet, not 2 lans local to eachother
10:49 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
10:50 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
10:51 < dborgmann> openvpn open the option to transparently bridge the packets on the ethernet though the wlan
10:51 < dborgmann> that's what it's worth for
10:51 < dborgmann> never mind, i will check the tcpdump on the tap devs :-)
10:52 < dborgmann> thanks anyway
10:52 < krzee> np
10:52 < krzee> look into better ways to accomplish your bridge as well, you really shouldnt need openvpn for this
10:55 < hyper_ch> dborgmann: http://ubuntuforums.org/showpost.php?p=749543&postcount=5
10:55 <@vpnHelper> Title: Ubuntu Forums - View Single Post - How to make a network bridge in linux? (at ubuntuforums.org)
10:56 < hyper_ch> http://www.linux.com/community/blogs/howto-make-a-virtual-bridged-network.html
10:56 <@vpnHelper> Title: Howto make a virtual bridged network | Linux.com (at www.linux.com)
10:56 < hyper_ch> http://www.linux.org/docs/ldp/howto/BRIDGE-STP-HOWTO/set-up-the-bridge.html
10:56 <@vpnHelper> Title: Linux Online - Set Up The Bridge (at www.linux.org)
10:56 < hyper_ch> plenty of resources :)
11:00 < dborgmann> thanks
11:00 < dborgmann> i will definitely check all of it :-)
11:01 < hyper_ch> not sure what you can use
11:01 < dborgmann> i fear none of them due to no usage of wlan in these articles, but anyway. i will digg deeper into it
11:02 < krzee> ild expect the wifi router to eat the wifi pieces of the packets
11:03 < krzee> have you tried it?
11:07 -!- luneff [~yury@84.51.196.217] has joined #openvpn
11:09 -!- boswarrior1 [~mrnice@78.142.173.114] has quit [Quit: Ex-Chat]
11:09 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 240 seconds]
11:09 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
11:24 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
11:32 -!- bitterman [~yury@84.51.196.217] has joined #openvpn
11:33 -!- bitterman [~yury@84.51.196.217] has quit [Read error: Connection reset by peer]
11:36 -!- luneff [~yury@84.51.196.217] has quit [Ping timeout: 276 seconds]
11:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
11:36 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
11:43 < dborgmann> ok cu :-)
11:43 -!- dborgmann [~dborgmann@p4FCB58C0.dip.t-dialin.net] has quit [Quit: Ex-Chat]
11:43 -!- Kevin` [~kevin@router.kwzs.be] has quit [Ping timeout: 255 seconds]
12:08 -!- mikkel [~mikkel@80.71.132.15] has joined #openvpn
12:15 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
12:22 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
12:22 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
12:22 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
12:36 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has joined #openvpn
12:37 -!- disaster37 [~disaster@ns3.webcenter.fr] has joined #openvpn
12:43 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Read error: Connection reset by peer]
12:43 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn
12:43 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
12:44 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 240 seconds]
12:47 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Read error: Connection reset by peer]
12:49 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
12:49 -!- waterfoul [~1889764@151.159.109.188] has joined #openvpn
12:49 < waterfoul> !welcome
12:49 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
12:50 < waterfoul> !goal
12:50 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
12:50 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
12:53 < waterfoul> I would like to be able to access my server as if it were local. My internal subnet is 172.16.245.* and i want to be able to access my server as its internal ip as i have some programs set up to use that ip. I have set up the vpn and made a successful connection from my external windows 7 machine but i can't ping the server from the win 7 machine nor vice versa
12:55 < waterfoul> i'm 90% sure the connections are using the correct interface because when i try to ping from the server when 'm not connected i get unreachable and when i'm connected they get dropped
12:56 < waterfoul> the main services I want working over the vpn are smb and mysql
12:57 < secretary_linux> waterfoul: is iptables blocking the traffic?
12:58 < secretary_linux> waterfoul: that is, assuming you're running linux
12:58 < waterfoul> the server is linux, yes, and it works on the local subnet
12:59 < waterfoul> i'm 90% sure iptalbes is in full permissive mode
12:59 < krzee> did you do:
12:59 < krzee> !route
12:59 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:59 < krzee> or rather
12:59 < krzee> !serverlan
12:59 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
12:59 < krzee> if you want to access the LAN ip of the server, you must treat it like you are sharing the server lan
13:00 < krzee> if you dont want access to the actual lan behind the server, you can ignore !route_outside_openvpn
13:00 < krzee> but you still need ip forwarding and a push route
13:01 < waterfoul> ok thanks
13:03 -!- adawda [~awdawdadq@91-121-219-67.dc1.fusa.be] has quit [Quit: Verlassend]
13:03 < waterfoul> !ipforward
13:04 <@vpnHelper> "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
13:04 < waterfoul> !#openvpn
13:04 < waterfoul> grr
13:04 < waterfoul> !linipforward
13:04 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
13:05 -!- dazo is now known as dazo_afk
13:09 -!- adawda [~awdawdadq@91-121-219-67.dc1.fusa.be] has joined #openvpn
13:11 <@vpnHelper> RSS Update - forum: Wishlist :: Re: my wish :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=10&t=7394&p=8701#p8701>
13:29 -!- waterfoul [~1889764@151.159.109.188] has quit [Quit: Leaving.]
13:33 -!- waterfoul [~1889764@151.159.109.188] has joined #openvpn
13:35 -!- waterfoul [~1889764@151.159.109.188] has quit [Client Quit]
13:35 -!- waterfoul [~1889764@151.159.109.188] has joined #openvpn
13:36 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has joined #openvpn
13:38 < KaiForce> running OpenVPN servers on old Leaf Bering routers.  They do not have a "revoke-full" script, but they do have a revoke-crt.  Only problem is, the revoke-crt does not terminate VPN access for that cert/key.  How can I invalidate a cert?
13:39 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 240 seconds]
13:40 -!- waterfoul [~1889764@151.159.109.188] has quit [Ping timeout: 272 seconds]
13:41 < krzee> KaiForce, but using revoke-full
13:41 < krzee> there is no reason your CA should be on the server
13:41 < krzee> in fact ideally it should not
13:41 < krzee> and revoking a cert is the CA's job
13:41 < krzee> then you move the CRL to the server
13:42 < KaiForce> is revoke-full a script?  it isn't available on these old boxes
13:42 < krzee> its part of easy-rsa
13:42 < KaiForce> ok
13:42 < krzee> easy-rsa is a suite of scripts that come with openvpn, which should be used on the CA box only
13:43 < krzee> the CA, not to be confused with the server
13:43 < krzee> the CA is where you make certs
13:43 < krzee> yes it is possible to use 1 machine for both, but not ideal for security
13:43 < krzee> personally, my CA has no network access
13:45 < KaiForce> inherited config - i have several routers all acting as their own CA
13:45 < KaiForce> for small businesses
13:46 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has joined #openvpn
13:47 < KaiForce> understand it is not ideal, but even before I can fix it I need to figure out how to revoke a cert absent the revoke-full program.
14:02 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:09 <@vpnHelper> RSS Update - forum: Wishlist :: Re: cryptoapicert and ca :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=10&t=7352&p=8702#p8702>
14:15 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has quit [Read error: Operation timed out]
14:15 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn
14:22 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 264 seconds]
14:28 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Read error: Operation timed out]
14:28 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined #openvpn
14:32 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]]
14:43 -!- secretary_linux1 [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has joined #openvpn
14:45 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: Running a down script prior to route del :: Author grlindsay <https://forums.openvpn.net/viewtopic.php?f=15&t=7406&p=8703#p8703>
14:47 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has quit [Ping timeout: 240 seconds]
14:49 -!- secretary_linux1 is now known as secretary_linux
14:52 -!- openvpn2009 [patel@openvpn/corp/admin/patel] has quit [Read error: Connection reset by peer]
14:52 -!- openvpn2009 [patel@75-54-230-125.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
14:55 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
15:09 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has quit [Quit: Leaving]
15:12 -!- p3rror [~mezgani@41.140.176.15] has quit [Ping timeout: 260 seconds]
15:20 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
15:21 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
15:23 -!- rich_ [~rich@216.38.140.199] has quit [Read error: Connection reset by peer]
15:23 -!- rich_ [~rich@216.38.140.199] has joined #openvpn
15:35 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
15:39 -!- disaster37 [~disaster@ns3.webcenter.fr] has quit [Ping timeout: 240 seconds]
15:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
15:47 -!- star314 [~star314@starnet1.sinh.us] has joined #openvpn
15:50 -!- Netsplit *.net <-> *.split quits: JakeSays, Dougy, sht, MJD, devilspgd, Bushmills, ^scott^, Rolybrau, KipMacy, jpalmer,  (+44 more, use /NETSPLIT to show all of them)
15:51 -!- Netsplit over, joins: common
15:51 -!- Netsplit over, joins: err0r
15:52 -!- Netsplit over, joins: reiffert
15:52 -!- rot13 [~var@vps-1005590-1468.united-hoster.de] has joined #openvpn
15:52 -!- Netsplit over, joins: sno, Rienzilla
15:57 -!- err0r [~err0r@89.36.166.222] has quit [Quit: ZNC - http://znc.sourceforge.net]
15:58 -!- zamba [marius@flage.org] has joined #openvpn
15:58 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
15:58 -!- rich_ [~rich@216.38.140.199] has joined #openvpn
15:58 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has joined #openvpn
15:58 -!- adawda [~awdawdadq@91-121-219-67.dc1.fusa.be] has joined #openvpn
15:58 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
15:58 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
15:58 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
15:58 -!- nb [~nb@fedora/nb] has joined #openvpn
15:58 -!- devilspgd [me@devilspgd.net] has joined #openvpn
15:58 -!- gdb``` [~user@2001:4830:2446:b5:214:4fff:fe4a:f0] has joined #openvpn
15:58 -!- Apachez [~apachez@unaffiliated/apachez] has joined #openvpn
15:58 -!- nameless` [~nameless`@lav35-1-82-236-136-20.fbx.proxad.net] has joined #openvpn
15:58 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
15:58 -!- grishnav [~grishnav@209.160.52.134] has joined #openvpn
15:58 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
15:58 -!- agagag_ [~anton@eudaimonia.goto10.org] has joined #openvpn
15:58 -!- EmperorTom [~EmperorTo@216.17.68.153] has joined #openvpn
15:58 -!- ^scott^ [~scott@stthom.org] has joined #openvpn
15:58 -!- meepmeep [meepmeep@212.24.104.229] has joined #openvpn
15:58 -!- jpalmer [~jpalmer@about/windows/regular/jpalmer] has joined #openvpn
15:58 -!- nijotz [~nick@72.14.181.106] has joined #openvpn
15:58 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has joined #openvpn
15:58 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
15:58 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
15:58 -!- EvilJStoker [jstoker@unaffiliated/jstoker] has joined #openvpn
15:58 -!- JakeSays [~quassel@c-98-202-184-139.hsd1.ut.comcast.net] has joined #openvpn
15:58 -!- mace [~mace@debian/developer/mace] has joined #openvpn
15:58 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has joined #openvpn
15:58 -!- abeehc [~bob@d207-6-195-163.bchsia.telus.net] has joined #openvpn
15:58 -!- Dougy [me@tech.qsi.net] has joined #openvpn
15:58 -!- toortog [nesm6@notsecure.net] has joined #openvpn
15:58 -!- juhovh [~jvahaher@kekkonen.cs.hut.fi] has joined #openvpn
15:58 -!- cron2 [~gert@openvpn/community/developer/cron2] has joined #openvpn
15:58 -!- DrJ [Bacon@174.141.224.168] has joined #openvpn
15:58 -!- ping-pong [~qwerty@212-30-223-89.static.simnet.is] has joined #openvpn
15:58 -!- havoc [~havoc@neptune.chaillet.net] has joined #openvpn
15:58 -!- no_maam [~no_maam@gate.cdc.informatik.tu-darmstadt.de] has joined #openvpn
15:58 -!- caesay [~caesay@unvanquished/associate/sniperx] has joined #openvpn
15:58 -!- Antarez [kruse@tranquility.quidor.net] has joined #openvpn
15:58 -!- zoobab [zoobab@vic.ffii.org] has joined #openvpn
15:58 -!- naquad [~naquad@174.142.224.219] has joined #openvpn
15:58 -!- ServerMode/#openvpn [+ooo vpnHelper raidz cron2] by gibson.freenode.net
15:58 -!- Jarpse [~jarpse@cluon.soleus.nu] has joined #openvpn
15:58 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has quit [Read error: Operation timed out]
15:58 -!- freaky[t] [alpha@freakyy.de] has joined #openvpn
16:00 -!- nameless` is now known as nameless
16:00 -!- nameless is now known as nameless`
16:00 -!- master_of_master [~master_of@p57B57A61.dip.t-dialin.net] has joined #openvpn
16:02 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has joined #openvpn
16:02 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Disconnected by services]
16:03 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
16:04 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
16:04 -!- mode/#openvpn [+o vpnHelper] by ChanServ
16:05 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
16:05 -!- daemon_ [~daemon@serial.daemonrage.net] has joined #openvpn
16:05 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined #openvpn
16:27 -!- nameless` is now known as u1cjPxdVbIfuI
16:27 -!- mikkel [~mikkel@80.71.132.15] has quit [Quit: Leaving]
16:27 -!- u1cjPxdVbIfuI is now known as nameless`
16:29 -!- waterfoul [~1889764@151.159.109.188] has joined #openvpn
16:30 -!- waterfoul [~1889764@151.159.109.188] has left #openvpn []
16:37 < secretary_linux> what's the best way (on ubuntu or similar) to automate the bridge-start and bridge-stop scripts as part of the openvpn service in upstart? is it enough to put them as pre-up and pre-down in /etc/network/interfaces ?
16:38 < secretary_linux> my issue is just that the openvpn service will start on boot, but it depends on the bridge-start script having run first
16:40 < Bushmills> so run it first
16:41 < secretary_linux> Bushmills: :) I know this is mostly an ubuntu thing, as they are transitioning away from sysvinit toward upstart, but the transition seems like a mess right now and the documentation is even worse. so I was just asking here in case anyone had done this specifically with openvpn
16:42 < Bushmills> sysv-rc, file-rc or whatever mechanism your OS uses to execute boot or runlevel change actions
16:42 -!- waterfoul [~1889764@151.159.109.188] has joined #openvpn
16:42 < Bushmills> why use bridge at all?
16:43 < waterfoul> !goal
16:43 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:43 < waterfoul> !welcome
16:43 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:43 < waterfoul> !route
16:43 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:44 < secretary_linux> Bushmills: I already have a working bridge set up, I just have to manually start the bridge and service on boot. specifically again this was about upstart, though as I said ubuntu is using sysvinit and upstart in a really messy hybrid. so if anyone has specific experience with openvpn in an ubuntu/debian environment similar to ubuntu 10.10's upstart/sysvinit, then maybe they could help. thanks!
16:45 < secretary_linux> Bushmills: however I would be interested and open to arguments against using a bridged setup. main reason I was doing it was to simplify windows domain logons, but we may not do those over vpn anyway.
16:45 < Bushmills> !tunortap
16:45 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you
16:45 <@vpnHelper> over the vpn, or (#4) lan gaming? use tap!
16:45 < Bushmills> !wins
16:45 <@vpnHelper> "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
16:46 < secretary_linux> I think you just convinced me - I didn't realize ARP poisoning would work over VPN.
16:46 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
16:46 < Bushmills> not "over VPN" - but "through bridge"
16:47 < secretary_linux> fair enough
16:48 < Bushmills> !route
16:48 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:48 < Bushmills> !serverlan
16:48 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
16:48 < Bushmills> !clientlan
16:48 <@vpnHelper> "clientlan" is (#1) for a lan behind a client, the client must have ip forwarding enabled (!ipforward), the server needs a route to the lan, the server needs to push a route for the lan to clients, the server needs a ccd (!ccd) file for the client with an iroute (!iroute) entry in it, and the router of the lan the client is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a
16:48 <@vpnHelper> better explanation
16:50 < secretary_linux> Bushmills: does this also negate the need to run a start script or is there a necessary script for routing analogous to bridge-start/bridge-stop?
16:51 < Bushmills> no need. tun module should be loaded, usually it gets autoloaded on demand
16:51 < secretary_linux> great!
16:52 < Bushmills> if ip forwarding is needed, it can be permanently configured in sysctl.conf
16:52 < secretary_linux> already got it
16:52 < waterfoul> !redirect
16:52 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:05 -!- patelx [~a@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Changing host]
17:05 -!- patelx [~a@openvpn/corp/admin/patel] has joined #openvpn
17:24 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has left #openvpn []
17:29 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
17:32 -!- ubuntu [~ubuntu@adsl-99-183-168-255.dsl.stlsmo.sbcglobal.net] has joined #openvpn
17:39 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
17:43 < ubuntu> will somone please help me,  I am trying to browse the web through my openvpn, im guessing i need to use push "route x.x.x.x x.x.x.x" , the server is behind a standard netgear nat router so the gateway is 192.168.1.1
17:52 -!- s7r [~s7r@89.39.174.74] has joined #openvpn
17:53 -!- ubuntu [~ubuntu@adsl-99-183-168-255.dsl.stlsmo.sbcglobal.net] has quit [Ping timeout: 265 seconds]
18:17 -!- pyther [~pyther@unaffiliated/pyther] has quit [Quit: Lost terminal]
18:23 -!- dogmeat [~Bob@unaffiliated/dogmeat] has joined #openvpn
18:24 < dogmeat> im trying to ping A, which from my openvpn server, can ping A, but not from the openvpn client ping A doesnt work. there is a route from the vpn client to direct the network traffic to the server, but i cant see any of the ping requests from the vpn server. any ideas?
18:25 < dogmeat> ... or from tcpdump for that matter. its odd that i cannot see the network traffic from that
18:26 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
18:26 < Bushmills> A can ping A from your openvpn server?
18:31 < Bushmills> client ping A doesnt work.... cant see any of the ping requests from the vpn server.  .. can you ping anything at all, besides A able ping A
18:33 < Bushmills> and how does "A" relate to "vpn client" and "my openvpn server"?
18:36 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Ping timeout: 255 seconds]
18:48 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
18:54 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
18:57 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
19:04 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
19:15 -!- s7r [~s7r@89.39.174.74] has left #openvpn []
19:33 -!- star314 [~star314@starnet1.sinh.us] has quit [Quit: Leaving]
19:37 -!- takamichi [~pri@pm302-97-254.keyworld.net] has quit [Ping timeout: 276 seconds]
19:38 -!- takamichi [~pri@194.126.175.219] has joined #openvpn
19:39 -!- daemon_ is now known as daemon
19:58 -!- waterfoul [~1889764@151.159.109.188] has quit [Quit: Leaving.]
20:03 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
20:08 -!- takamichi [~pri@194.126.175.219] has quit [Ping timeout: 255 seconds]
20:08 -!- takamichi [~pri@pm302-97-254.keyworld.net] has joined #openvpn
20:59 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has quit [Disconnected by services]
21:00 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has joined #openvpn
21:00 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has quit [Disconnected by services]
21:00 -!- _sht [sht@2607:f0d0:2001:8b::50:1337] has joined #openvpn
21:03 -!- waterfoul [~1889764@151.159.109.188] has joined #openvpn
21:05 -!- waterfoul [~1889764@151.159.109.188] has left #openvpn []
21:17 -!- mappum [43aa151d@gateway/web/freenode/ip.67.170.21.29] has joined #openvpn
21:18 < mappum> Will I be able to use custom topologies with OpenVPN?
21:22 < mappum> Is OpenVPN just the library for the point-to-point communication, or the whole VPN system?
21:27 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
21:52 -!- Klem [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has quit [Ping timeout: 265 seconds]
22:01 -!- mappum [43aa151d@gateway/web/freenode/ip.67.170.21.29] has quit [Quit: Page closed]
22:01 -!- Klem [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has joined #openvpn
23:01 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
--- Day changed Fri Dec 17 2010
00:07 -!- openvpn2009 [patel@75-54-230-125.lightspeed.sntcca.sbcglobal.net] has quit [Quit: ircN 8.00 for mIRC (20080809) - www.ircN.org]
00:20 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
00:20 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
00:50 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
00:52 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
01:11 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
01:35 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
01:48 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
02:08 -!- openvpn2009 [nebula@openvpn/corp/admin/patel] has joined #openvpn
02:08 -!- mode/#openvpn [+o openvpn2009] by ChanServ
02:08 -!- openvpn2009 [nebula@openvpn/corp/admin/patel] has left #openvpn []
02:17 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
02:31 -!- dazo_afk is now known as dazo
02:33 -!- xro [~xro@160.98.239.133] has joined #openvpn
02:34 < xro> hi... i try to connect a window 7 65bits laptop to my openvpn server.... It works with ubuntu... It there something special with windows? when i try to connect i get process started and immediately exited: []
02:42 < Bushmills> !winroute
02:42 <@vpnHelper> "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
02:42 < Bushmills> but that shouldn't lead to immediately exiting
02:42 < Bushmills> lack of admin privs may do
02:42 < Bushmills> check client logs
02:57 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
03:11 < xro> Bushmills, i checked the log, unrecognized option or missing parameters in stdin44: ca.crt (2.1.1o0AS).... It cannot load the cert? should i put the cert in a specific location?
03:12 < Bushmills> ca.crt is not an option. it is a parameter to an option.  "unrecognized option or missing parameters" suggests one or the other is missing.
03:13 < xro> Bushmills, so to set my ca.crt in the config file.... what should i do? now i only have --> ca.crt
03:14 <@dazo> ca ca.crt
03:14 < Bushmills> what is ca.crt - your log file?
03:15 < xro> it's my server certificate.... so, --> ca ca.crt for the server cert... and for the client cert end the client key?
03:15 < Bushmills> if it is - how does openvpn know if you don't tell it?
03:16 < xro> like linux does :)
03:17 < Bushmills> linux version will barf at you the same way when trying to give a file name as option without arguments
03:19 < xro> i will check it
03:19 -!- noisebleed [~quassel@piggy.inescn.pt] has joined #openvpn
03:19 -!- noisebleed [~quassel@piggy.inescn.pt] has quit [Changing host]
03:19 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
03:26 -!- janjust [~janjust@s5596c956.adsl.wanadoo.nl] has joined #openvpn
03:30 < RichiH> xro: ca.crt would usually be the CA's certificate
03:31 < RichiH> i.e. the certificate (chain) which signed your server's and client's certs
03:31 < RichiH> with self-signed certs, the CA's certificate and the server's may be the same, though (which would be a truly weird setup, though)
03:32 <@dazo> RichiH: if you read up on the -devel ML ... --ca is not for the certificate chain ... it's a certificate bundle, so it will match which ever certificate in --ca
03:32 < RichiH> dazo: so i don't need the full path in there? interesting, thanks :)
03:33 <@dazo> RichiH: It all is in this thread ... http://thread.gmane.org/gmane.network.openvpn.devel/4266/focus=4277
03:33 <@vpnHelper> Title: Gmane Loom (at thread.gmane.org)
03:37 < RichiH> dazo: thanks
03:37 <@dazo> you're welcome
03:37 < RichiH> obvious in hindsight, i guess
03:39 < janjust> as a side note: this thread will be condensed as a wiki entry on https://community.openvpn.net/openvpn/wiki
03:39 <@vpnHelper> Title: OpenVPN Community (at community.openvpn.net)
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 265 seconds]
03:42 <@dazo> janjust: that's wonderful!  thank yoU!
03:45 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
03:45 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
03:45 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
03:46 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 240 seconds]
03:46 -!- davneg [~lunix@otherreality.net] has joined #openvpn
03:47 -!- master_of_master [~master_of@p57B57A61.dip.t-dialin.net] has quit [Read error: Operation timed out]
03:48 < davneg> Hi, i have a client of mine that wants a web gui to manage openvpn... i have advised that there is no active project that maintains a web gui admin interface for openvpn unless they use something like IPcop or something... is there any web gui software for openvpn that i should be aware of? thanks!
03:49 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
03:50 <@dazo> davneg: check out https://community.openvpn.net/openvpn/wiki/RelatedProjects
03:50 <@vpnHelper> Title: RelatedProjects – OpenVPN Community (at community.openvpn.net)
03:50 -!- master_of_master [~master_of@p57B56A28.dip.t-dialin.net] has joined #openvpn
03:51 < davneg> yeah i was there, but every web gui project is dead :)
03:51 <@dazo> davneg: well, feel free to resurrect one which is interesting for you :)
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:52 <@dazo> that list is also not complete ... there might be other projects we don't know about as well
03:54 -!- xro [~xro@160.98.239.133] has quit [Quit: Quitte]
03:54 <@dazo> davneg: what is the core feature you need in the webUI?
03:56 < davneg> i am not pretty sure at the moment, it is just a requirement from the customer but i will make that question
03:56 < davneg> anyway i found this wicked remote openvpn manager called bytemine manager
03:56 < davneg> looks pretty sweet
03:59 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
04:01 -!- janjust [~janjust@s5596c956.adsl.wanadoo.nl] has left #openvpn ["Leaving"]
04:01 -!- janjust [~janjust@s5596c956.adsl.wanadoo.nl] has joined #openvpn
04:04 -!- JakeSays [~quassel@c-98-202-184-139.hsd1.ut.comcast.net] has quit [Read error: No route to host]
04:06 -!- JakeSays [~quassel@c-98-202-184-139.hsd1.ut.comcast.net] has joined #openvpn
04:07 -!- janjust [~janjust@s5596c956.adsl.wanadoo.nl] has left #openvpn ["Leaving"]
04:20 -!- JakeSays [~quassel@c-98-202-184-139.hsd1.ut.comcast.net] has quit [Read error: Connection reset by peer]
04:21 -!- JakeSays [~quassel@c-98-202-184-139.hsd1.ut.comcast.net] has joined #openvpn
04:25 -!- macsppadic [~sonupunno@88.211.55.77] has joined #openvpn
04:25 < macsppadic> morning all
04:27 -!- common- [~common@p5DDA4608.dip0.t-ipconnect.de] has joined #openvpn
04:31 -!- common [~common@p5DDA49F3.dip0.t-ipconnect.de] has quit [Ping timeout: 276 seconds]
04:31 -!- common- is now known as common
04:51 -!- janjust [~janjust@s5596c956.adsl.wanadoo.nl] has joined #openvpn
05:06 -!- janjust [~janjust@s5596c956.adsl.wanadoo.nl] has quit [Quit: Leaving]
05:17 -!- OtherJakeSays [~quassel@c-98-202-184-139.hsd1.ut.comcast.net] has joined #openvpn
05:20 -!- JakeSays [~quassel@c-98-202-184-139.hsd1.ut.comcast.net] has quit [Ping timeout: 265 seconds]
05:22 -!- mikkel [~mikkel@80.71.132.15] has joined #openvpn
05:23 -!- archangelpetro [~archangel@cpc4-oxfd19-2-0-cust84.4-3.cable.virginmedia.com] has joined #openvpn
05:24 < archangelpetro> i got a question, if you start /etc/init.d/openvpn  and then you get prompted for a password. Once you're VPN'd in to the network, is it possible to change this password?
05:25 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
05:33 < archangelpetro> #nobody here?
05:35 < rjd__> archangelpetro: I dont understand your question
05:36 < rjd__> do you want to enter a password or not?
05:41 < archangelpetro> ah, i found it
05:41 < archangelpetro> it was this.
05:42 < archangelpetro> openssl rsa -in bleh.key -out bleh.key -des3
05:58 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
05:59 -!- WinstonSmith [~true@g225029041.adsl.alicedsl.de] has joined #openvpn
06:31 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
06:36 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
06:42 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:43 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has joined #openvpn
06:43 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Read error: Operation timed out]
07:53 -!- mikkel [~mikkel@80.71.132.15] has quit [Quit: Leaving]
08:15 -!- pyco [~pyco@pdpc/supporter/active/pyco] has joined #openvpn
08:21 <@vpnHelper> RSS Update - forum: Configuration :: Need help with my openVPN Configuration :: Author ytekght <https://forums.openvpn.net/viewtopic.php?f=6&t=7407&p=8704#p8704>
08:25 < pyco>  !welcome
08:25 < pyco> !goal
08:25 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
08:26 < pyco> !welcome
08:26 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
08:26 < pyco> !route
08:26 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:28 -!- janjust [~janjust@s5596c956.adsl.wanadoo.nl] has joined #openvpn
08:31 < pyco> Hi, i would like to route a bigger netmask as /24 but it is dosn't work (/19) the result is on route -n Genmask 255.255.255.255
08:32 < janjust> hi pyco, plz rephrase: what exactly do you wish to route? and what are you getting instead?
08:36 < pyco> janjust: i wish to route in client-config "ip.ip.ip.0 255.255.224.0" and i get a /32 mask, also 255.255.255.255
08:37 < janjust> is "ip.ip.ip.0" the IP address of the client? of the server? you will always get a /32 route back to the server. you can add a /19 on top of it but you cannot get rid of the /32 to the server
08:39 < pyco> ip.ip.ip.0 is a route of the tun device on client
08:39 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
08:40 < janjust> so on the client you wish tou add a route to the tun device of the client itself using a /19 netmask? most OSes don't like that (and it has little to do with openvpn)
08:42 < janjust> oh I am starting to get what you mean... 
08:42 -!- Irssi: #openvpn: Total of 121 nicks [5 ops, 0 halfops, 0 voices, 116 normal]
08:42 <@ecrist> ping RichiH 
08:42 < janjust> the /24 route is based on the "server" directive on the server, not on the client
08:42 < RichiH> pong
08:42 < RichiH> ecrist: 
08:43 <@ecrist> RichiH: can you set cloak openvpn/community/support/janjust for janjust, please?
08:43 < janjust> to overrule this server behaviour stop using the "server" directive but expand it into
08:43 < pyco> janjust: hm, the route describes the complete network that is to route, for example OS=linux http://nopaste.info/36c9e0b10e_nl.html
08:43 < janjust> replace "server" by
08:43 < janjust> mode server
08:43 < janjust> tls-server
08:44 < RichiH> janjust: i assume you are OK with that?
08:44 < janjust> hehe I asked him myself, RichiH 
08:44 -!- janjust [~janjust@s5596c956.adsl.wanadoo.nl] has quit [Changing host]
08:44 -!- janjust [~janjust@openvpn/community/support/janjust] has joined #openvpn
08:45 < RichiH> ecrist: i gave up on you remembering this, but the form "janjust openvpn/community/support/janjust" is preferred ;p
08:45 < RichiH> for single cloaks it's not that bad, though
08:45 <@ecrist> doh
08:45  * ecrist retarded
08:45 < pyco> janjust: server parameter is not exist :/
08:45 < RichiH> it's ok as long as i get to make fun of you for it ;)
08:46 <@ecrist> after the work you put in to get us reg'd, I'll take a beating. ;)
08:46 < janjust> pyco: continue with "ifconfig ip.ip.ip.1 255.255.224.0", the "ifconfig-pool ip.ip.ip.X ip.ip.ip.Y" and finally "push route ip.ip.ip.0 255.255.224.0"
08:46 < janjust> hehe ecrist 
08:46 < RichiH> yah, eternally grateful and all that
08:48 < pyco> janjust: that sounds like a workaround
08:49 < janjust> it's not: the "server" statement expands to these statements internally; if you wish for the default VPN route to be larger than your ifconfig-pool size then you have to resort to a solution like this
08:51 <@ecrist> RichiH: mattock openvpn/corp/admin/mattock
08:52 -!- mattock [~samuli@dyn55-11.yok.fi] has quit [Changing host]
08:52 -!- mattock [~samuli@openvpn/corp/admin/mattock] has joined #openvpn
08:52 < pyco> janjust: hm.. actually i push the route in route-up cmd
08:52 <@ecrist> thanks, RichiH 
08:53 < janjust> pyco: won't work , as the route is added when the interface is brought up
08:53 < janjust> unless you want to interfere with how the interface is brought up (now THAT's a workaround)
08:54 -!- romel [~romel@unaffiliated/romel] has joined #openvpn
08:55 < pyco> janjust: hm? it's work, it's a workaround but simple
08:55 < RichiH> np
08:55 < romel> hi guys. is it possible in any way to see which local ip addresses are currently in use? I mean... there is a lot of client configs... how to choose free ips?
08:56 < janjust> pyco: if it works for you it's fine but then I don't see what your problem is ;-)
08:57 < janjust> romel: local IP addresses? from your VPN IP range or are you using bridging?
08:57 < pyco> janjust: the problem is up, down, route-up and pre-down, buggy for that ;)
08:58 < janjust> pyco: then I'd replace the "server" statement by whatever is listed on the openvpn man page and expand the route 
08:58 < romel> janjust: local IP addresses
08:59 < janjust> romel: how is a local IP address assigned to the (VPN) client? what's your config ?
08:59 < romel> 'ifconfig a.b.c.d e.f.g.h'
09:00 < pyco> janjust: it is only on client! it has nothing to do with the server
09:00 < romel> there's config per user with this option in each
09:00 < janjust> romel: why not let the server take care of this using "server X.Y.Z.0 255.255.255.0"  ?
09:00 < pyco> janjust: I think we do not understand us
09:01 < romel> janjust: how to choose server ip?
09:01 < janjust> romel: when using "server X.Y.Z.0 255.255.255.0" the server is assigned the VPN IP X.Y.Z.1 (as is explained in the manual/HOWTO)
09:03 < romel> so it's not necessary that this ip is unique?
09:03 < janjust> pyco: I agree :) but the *SERVER* pushes out the /24 route to the client. so either change the behaviour of the server or overrule the server routes using route-up/route-noexec whatever
09:03 < romel> oh
09:03 < romel> sorry
09:03 < romel> thanks a lot
09:03 < janjust> romel: depends on what you choose for X.Y.Z
09:03 -!- dazo is now known as dazo_afk
09:05 < romel> Options error: --server and --secret cannot be used together (you must use SSL/TLS keys)
09:06 < janjust> romel: how do you wish to connect many clients using --secret? --secret is only for setting up point-to-point connections
09:07 < romel> ok. how to let the server take care of assigning ips in point-to-point mode?
09:07 < janjust> romel: you cannot, that's not what the point-to-point mode is for (and which IP would you choose anyway?)
09:08 < janjust> it's best to choose an unused IP range for a VPN connection (e.g. 10.13.15.1 and 10.13.15.2) - otherwise you'll get routing errors on either end
09:13 < pyco> janjust: hm ok, i try it ;) 
09:13 -!- gorkhaan [~gorkhaan@193.225.186.237] has joined #openvpn
09:17 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
09:18 -!- janjust [~janjust@openvpn/community/support/janjust] has quit [Quit: Leaving]
09:24 <@vpnHelper> RSS Update - forum: Server Administration :: Re: what is the right way...? :: Reply by vpnuser <https://forums.openvpn.net/viewtopic.php?f=4&t=7404&p=8705#p8705>
09:30 <@vpnHelper> RSS Update - forum: My VPN :: Re: Windows xp worked and the 7 don't. :: Reply by george <https://forums.openvpn.net/viewtopic.php?f=13&t=7402&p=8706#p8706>
09:37 < pyco> janjust: but, the needed routes of the clients are different..
09:38 < pyco> *for
09:46 -!- Jones1 [~Adium@kulnet-nat-2.kulnet.kuleuven.be] has joined #openvpn
09:47 -!- Jones1 [~Adium@kulnet-nat-2.kulnet.kuleuven.be] has quit [Client Quit]
09:47 -!- Jones1 [~Adium@kulnet-nat-2.kulnet.kuleuven.be] has joined #openvpn
09:49 -!- Jones1_ [863afd39@gateway/web/freenode/ip.134.58.253.57] has joined #openvpn
09:49 < Jones1_> !welcome
09:49 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
09:50 < Jones1_> !howto
09:50 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:50 < Jones1_> !route
09:50 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:52 -!- macsppadic [~sonupunno@88.211.55.77] has left #openvpn []
09:54 -!- [intra]lanman [~lanman@12.200.95.45] has joined #openvpn
09:54 -!- [intra]lanman [~lanman@12.200.95.45] has quit [Changing host]
09:54 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
09:54 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has joined #openvpn
09:56 < Jones1> !redirect
09:56 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
09:56 < Jones1> !def1
09:56 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
10:00 -!- venom00ut [~wer@net-93-70-12-6.cust.dsl.vodafone.it] has joined #openvpn
10:00 -!- venom00ut [~wer@net-93-70-12-6.cust.dsl.vodafone.it] has quit [Changing host]
10:00 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
10:00 < Jones1> anyone using openvpn on a Nokia N900?
10:01 < gladiatr> Yup
10:02 < Jones1> cool… i'm having some trouble here...
10:03 < gladiatr> Give me a few minutes here... someone touched something that they had no business touching...
10:03 < Jones1> no pb
10:07 -!- mirco [~mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds]
10:17 -!- dazo_afk is now known as dazo
10:19 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined #openvpn
10:20 -!- star314 [~star314@starnet1.sinh.us] has joined #openvpn
10:21 < gladiatr> ok.  Crisis averted(ish)
10:25 -!- WinstonSmith [~true@g225029041.adsl.alicedsl.de] has quit [Read error: Connection reset by peer]
10:26 -!- WinstonSmith [~true@g225029041.adsl.alicedsl.de] has joined #openvpn
10:29 < Jones1> Did he/she get punished? 
10:40 -!- Netsplit *.net <-> *.split quits: sedulous, _skrusty, APTX, DarthGandalf, @raidz, archangelpetro, Typone, common, krzee, ScriptFanix,  (+101 more, use /NETSPLIT to show all of them)
10:40 -!- gorkhaan [~gorkhaan@193.225.186.237] has quit [Ping timeout: 265 seconds]
10:42 -!- mode/#openvpn [+o mattock] by ChanServ
10:42 -!- Netsplit over, joins: common, @vpnHelper, @cron2, @raidz, EvilJStoker, krzee, patelx, kisom, d457k, WinstonSmith (+101 more)
10:50 -!- mort_gib [~mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit [Quit: Leaving]
10:53 -!- disaster37 [~disaster@ns3.webcenter.fr] has joined #openvpn
10:54 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has joined #openvpn
10:54 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has quit [Quit: Leaving]
11:03 -!- OtherJakeSays is now known as JakeSays
11:05 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:08 -!- krzie [~k@ftp.secure-computing.net] has joined #openvpn
11:08 -!- krzie [~k@ftp.secure-computing.net] has quit [Changing host]
11:08 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
11:10 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Ping timeout: 240 seconds]
11:21 -!- Jones1_ [863afd39@gateway/web/freenode/ip.134.58.253.57] has quit [Ping timeout: 265 seconds]
11:21 -!- luneff [~yury@84.51.213.16] has joined #openvpn
11:21 -!- Jones1 [~Adium@kulnet-nat-2.kulnet.kuleuven.be] has quit [Ping timeout: 260 seconds]
11:22 -!- WinstonSmith [~true@g225029041.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
11:25 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has quit [Quit: Leaving]
11:27 -!- Jones1 [~Adium@kulnet-nat-2.kulnet.kuleuven.be] has joined #openvpn
11:29 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 240 seconds]
11:30 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 255 seconds]
11:35 -!- WinstonSmith [~true@f052098003.adsl.alicedsl.de] has joined #openvpn
11:38 -!- Natanaiel [~zahra@unaffiliated/natanaiel] has joined #openvpn
11:38 < Natanaiel> doesn openvpn support smart card/usb token on linux?
11:39 <@ecrist> iirc, there was a recent patch to add support
11:41 -!- bitterman [~yury@84.51.213.16] has joined #openvpn
11:41 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
11:41  * hyper_ch gives ecris a big, pine tree shaped xmas cookie
11:42 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
11:43 -!- bitterman [~yury@84.51.213.16] has quit [Read error: Connection reset by peer]
11:45 -!- luneff [~yury@84.51.213.16] has quit [Ping timeout: 264 seconds]
11:48 <@dazo> Natanaiel: yes ... if it's supported by the opensc stuff, or similar frameworks ... Aladdin key stuff is also supposed to work in Linux ... but I have no experience and don't know how well
11:56 -!- Essobi [~Essobi@74-128-72-212.dhcp.insightbb.com] has joined #openvpn
12:02 -!- romel [~romel@unaffiliated/romel] has quit [Quit: Lost terminal]
12:10 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 255 seconds]
12:22 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
12:22 -!- ChUbB [~IceChat7@cpc2-aztw12-0-0-cust229.aztw.cable.virginmedia.com] has joined #openvpn
12:32 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
12:56 -!- luneff [~yury@84.51.213.16] has joined #openvpn
13:02 -!- fahmad [~linux@vpn.server4sale.com] has joined #openvpn
13:02 < fahmad> hello
13:07 -!- fahmad [~linux@vpn.server4sale.com] has left #openvpn []
13:08 -!- luneff [~yury@84.51.213.16] has quit [Quit: Leaving]
13:13 < patelx> where is krzee
13:15 -!- dazo is now known as dazo_afk
13:18 -!- Natanaiel [~zahra@unaffiliated/natanaiel] has quit [Quit: Leaving.]
13:23 -!- mirco [~mirco@p4FF2384F.dip.t-dialin.net] has joined #openvpn
13:29 -!- mirco [~mirco@p4FF2384F.dip.t-dialin.net] has quit [Quit: mirco]
13:30 -!- WinstonSmith [~true@f052098003.adsl.alicedsl.de] has quit [Ping timeout: 265 seconds]
13:42 -!- Jones1 [~Adium@kulnet-nat-2.kulnet.kuleuven.be] has quit [Quit: Leaving.]
13:46 -!- WinstonSmith [~true@e178182017.adsl.alicedsl.de] has joined #openvpn
14:02 -!- disaster37 [~disaster@ns3.webcenter.fr] has quit [Ping timeout: 260 seconds]
14:04 <@ecrist> did he no-show on your date last night, patelx ?
14:04 <@ecrist> ;P
14:06 -!- John [52269ae1@gateway/web/freenode/ip.82.38.154.225] has joined #openvpn
14:06 < John> !welcome
14:07 <@ecrist> dammit vpnhelper
14:07 <@ecrist> oh, that's right, I lost power
14:07 < John> !goal
14:07 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has joined #openvpn
14:08 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
14:08 -!- mode/#openvpn [+o vpnHelper] by ChanServ
14:08 <@ecrist> try again, John 
14:08 < John> !welcome
14:08 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:08 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has joined #openvpn
14:09 < John> thanks, havn't used IRC in a decade! thought I was doing something wrong
14:09 <@ecrist> nope, vpnHelper sits on a machine at my house, I had a power hiccup this afternoon
14:09 < John> !inet
14:10 < John> ah
14:10 <@ecrist> !factoids
14:10 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
14:11 < John> I was looking to get a little advice on my first OpenVPN setup
14:11 < John> I'd be very greatful if someone could inform me the best method for my demands, and I'll see if I can work out the rest myself!
14:12 <@ecrist> !goal
14:12 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:12 < John> ah, I didn't understand, thanks
14:14 < John> !goal I have multiple VPS which I want to connect with OpenVPN. One in UK (server), the rest USA (clients). When I ping from USA -> USA the trip should take <1ms, instead it takes over 200ms as it travels via UK. How do I setup OpenVPN so not all traffic goes through server, just the configuration?.
14:15 <@ecrist> John: openvpn doesn't support a distributed setup like that
14:15 < John> I am a complete newbie not just to OpenVPN but to servers too. I'm trying to work out what road to take.
14:16 <@ecrist> what i'd suggest is a bridged setup with multiple point to point tunnels
14:16 <@ecrist> or a routed setup
14:17 < John> Are these implemented with openVPN, or is it just not at all suitable for this?
14:17 < John> thanks for the advice
14:18 <@ecrist> they can all be implemented in OpenVPN
14:19 < John> at the moment I used "dev tap" which I shought was bridged
14:19 < John> *thought
14:19 <@ecrist> it is
14:19 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Quit: Ctrl-C at console.]
14:20 < John> how would I then ad the point to point tunnels?
14:20 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
14:20 -!- mode/#openvpn [+o vpnHelper] by ChanServ
14:20 < John> can that be done in the server config?
14:20 <@ecrist> no, see !howto for a static config example
14:21 < John> !howto
14:21 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:22 -!- takamichi [~pri@pm302-97-254.keyworld.net] has quit [Ping timeout: 260 seconds]
14:23 -!- s7r [~s7r@89.39.174.74] has joined #openvpn
14:24 < John> is their a difference between my current setup and ethernet bridging? Ethernet bridging looks a lot more complicated and *scary*... is this what I'll have to do?
14:24 <@ecrist> what is your current setup?
14:25 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has joined #openvpn
14:26 < John> just a basic config with "dev tap" on server and all clients, and "client-to-client" on server config
14:26 < John> I've not done anything with the ethernet adapters
14:26 -!- |Mike| [mike@vps-2a01-4f8-101-1c1-b23f-f6e5.twenty-five.nl] has quit [Remote host closed the connection]
14:27 <@ecrist> my suggestion is to read the how to, !man, and try to set it up yourself.  as you come across specific questions, ask here.
14:27 <@ecrist> generally, we're a helpful bunch
14:27 <@ecrist> :)
14:28 < John> I appreciate it. I was just trying to work out if I had to delve in even deeper, or if it was going to be impossible and I was just wasting my time
14:30 -!- |Mike| [mike@vps-2a01-4f8-101-1c1-b23f-f6e5.twenty-five.nl] has joined #openvpn
14:30 <@ecrist> nope, what you want isn't too difficult
14:31 < |Mike|> re!
14:32 < John> haha, as a total newbie who'se been trying to wrap my head around VPN all day I'd disagree! I'll get back to work, thanks for the advice... I'll probably be back, lol
14:32 -!- aditsu [~aditsu@n1164982109.netvigator.com] has joined #openvpn
14:33 < John> bye
14:33 -!- John [52269ae1@gateway/web/freenode/ip.82.38.154.225] has left #openvpn []
14:34 -!- |Mike| [mike@vps-2a01-4f8-101-1c1-b23f-f6e5.twenty-five.nl] has quit [Client Quit]
14:35 -!- |Mike| [mike@vps-2a01-4f8-101-1c1-b23f-f6e5.twenty-five.nl] has joined #openvpn
14:35 -!- adawda [~awdawdadq@91-121-219-67.dc1.fusa.be] has quit [Ping timeout: 240 seconds]
14:37 < aditsu> hi, I'm having some problems with a vpn connection, it keeps looping this stuff in the log: http://dpaste.com/287824/
14:37 < aditsu> I'm only using tcp because it kept freezing with udp but worked smoothly with tcp
14:38 < aditsu> just now it can't connect, what can I do about it?
14:38 < aditsu> (it worked well for a long time before)
14:39 -!- jobicreatingweb [~jobicreat@91.140.100.38] has joined #openvpn
14:39 < jobicreatingweb> ../vars
14:40 < jobicreatingweb> bash: ../vars: No such file or directory
14:40 < jobicreatingweb> but the file is there
14:40 < aditsu> jobicreatingweb: ls -l ../vars
14:41 < jobicreatingweb> ls: cannot access ../vars: No such file or directory
14:42 < jobicreatingweb> aditsu: 
14:43 < jobicreatingweb> :) if you can help 
14:43 -!- WinstonSmith [~true@e178182017.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
14:43 < aditsu> jobicreatingweb: that means it's not there
14:44 < aditsu> jobicreatingweb: .. is parent dir in case you didn't know
14:49 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 265 seconds]
14:51 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
14:51 < aditsu> jobicreatingweb: just wondering... isn't there a space between the two dots?
14:53 -!- michal` [~michal@rsbac/developer/michal] has joined #openvpn
14:53 < michal`> hey
14:54 < |Mike|> oi!
14:54 < michal`> got a question - i have a dumb network admin on my client's side, left running windows with rdp in the office, and want to get there
14:54 < michal`> but
14:54 < michal`> some addresses are filtered, some are not... but
14:55 < michal`> i have a linux machine in the same l2 network :)
14:55 < michal`> and i can get to it... via another openvpn and so on, but at least i can
14:55 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
14:55 < michal`> the rdp expects me to connect from 192.168.60.0/24
14:56 < michal`> how should i do that? l2 tunneling on that linux?
14:57 < michal`> (i'd rather do the connection with l3, can't setup bridge, because i will lose connectivity ;)
14:57 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
14:57 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
14:58 < aditsu> michal`: does the windoze machine have an ip in that subnet? and the linux machine doesn't?
14:59 -!- star314 [~star314@starnet1.sinh.us] has quit [Quit: Leaving]
14:59 < michal`> aditsu: win has ip in 90.0 and linux box too
15:00 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
15:00 < aditsu> so win is in 90.0 but expects connections from 60.0?
15:00 -!- ChUbB [~IceChat7@cpc2-aztw12-0-0-cust229.aztw.cable.virginmedia.com] has quit [Ping timeout: 240 seconds]
15:00 < michal`> ups, sorry, should be 90.0 in both cases
15:00 < michal`> too much work for today ;)
15:00 < aditsu> that means you can connect from the linux machine
15:01 < michal`> yes
15:01 < michal`> pinged it, nmaped
15:01 < aditsu> so what do you want to do?
15:01 < michal`> connect to that win with rdp from my own network
15:02 < aditsu> you can use an ssh tunnel
15:02 < michal`> from my own network i can connect to that linux host, but not to that win
15:02 < aditsu> on the linux machine
15:02 < michal`> hm, tell me more, i know ssh has tuneliing, but haven't been using it yet
15:02 -!- WinstonSmith [~true@e178181059.adsl.alicedsl.de] has joined #openvpn
15:03 < aditsu> ssh linux -L 3389:win:3389 ; also see man ssh
15:03 < michal`> thx, reading now...
15:04 < aditsu> btw, that command will listen to port 3389 on the local machine, and forward to the win machine
15:05 -!- jobicreatingweb [~jobicreat@91.140.100.38] has left #openvpn []
15:05 < aditsu> now.. can anybody help with my problem?
15:05 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 272 seconds]
15:07 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has quit [Ping timeout: 260 seconds]
15:07 -!- VirusTB [~VirusTB@thetouch.xs4all.nl] has quit [Quit:  has left the bulding]
15:07 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has joined #openvpn
15:15 -!- disaster37 [~disaster@ns3.webcenter.fr] has joined #openvpn
15:22 <@vpnHelper> RSS Update - forum: Configuration :: OpenVPN to Mikrotik 4.15 router :: Author jantypas <https://forums.openvpn.net/viewtopic.php?f=6&t=7408&p=8707#p8707>
15:26 < Bushmills> aditsu: are you pushing to client a route to server public address through vpn interface?
15:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
15:30 -!- disaster37 [~disaster@ns3.webcenter.fr] has quit []
15:33 < aditsu> Bushmills: no, and if I did, it would probably show in the log
15:50 < aditsu> bbl, feel free to suggest stuff in the meantime
15:51 -!- corretico [~corretico@201.201.44.82] has quit [Remote host closed the connection]
15:54 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
15:56 -!- pyther [~pyther@unaffiliated/pyther] has quit [Quit: leaving]
15:56 -!- bauruine [~stefan@178-73-211-157.cust.vpntunnel.org] has joined #openvpn
16:06 -!- krzie [~k@openvpn/community/support/krzee] has quit [Ping timeout: 260 seconds]
16:26 -!- Essobi [~Essobi@74-128-72-212.dhcp.insightbb.com] has quit [Quit: leaving]
16:41 < aditsu> back
16:41 -!- pyco [~pyco@pdpc/supporter/active/pyco] has left #openvpn []
17:03 -!- mattock [~samuli@openvpn/corp/admin/mattock] has quit [Ping timeout: 265 seconds]
17:19 -!- WinstonSmith [~true@e178181059.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
17:46 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
17:48 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 265 seconds]
18:08 <@vpnHelper> RSS Update - forum: Server Administration :: Migrate from openvpn Gui v1.03 to openvpn2.x :: Author armindom <https://forums.openvpn.net/viewtopic.php?f=4&t=7409&p=8708#p8708>
18:30 -!- _sht [sht@2607:f0d0:2001:8b::50:1337] has quit [Read error: Operation timed out]
18:33 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has joined #openvpn
18:35 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
18:42 < aditsu> hi, I'm having some problems with a vpn connection, it keeps looping this stuff in the log: http://dpaste.com/287824/
18:43 < aditsu> and can't connect
18:45 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
18:57 -!- devilspgd [me@devilspgd.net] has left #openvpn []
19:13 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
19:27 < Bushmills> did you pick a vpn subnet which overlaps with an ete
19:27 < Bushmills> ethernet subnet?
19:33 < aditsu> no, it worked perfectly for a long time; anyway, it seems that the bandwidth is choked on the server side, that could cause this problem
19:56 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
20:00 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
20:15 < aditsu> oh great, my boss was downloading a movie over a slow connection :(
20:15 < aditsu> vpn and everything else is back now
20:36 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 265 seconds]
20:37 -!- corretico [~corretico@201.201.44.82] has quit [Remote host closed the connection]
20:39 -!- aditsu [~aditsu@n1164982109.netvigator.com] has left #openvpn []
21:02 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Read error: Operation timed out]
21:06 -!- APTX [~APTX@phpBB/developer/APTX] has joined #openvpn
21:11 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has quit [Read error: Connection reset by peer]
21:14 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined #openvpn
21:14 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
21:17 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
21:23 -!- s7r [~s7r@89.39.174.74] has quit [Quit: Leaving.]
21:25 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
21:39 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
21:40 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
21:48 -!- jantypas [~jantypas@74-93-0-52-SFBA.hfc.comcastbusiness.net] has joined #openvpn
21:52 -!- Klem [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has quit [Ping timeout: 260 seconds]
21:55 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
21:57 -!- Klem [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has joined #openvpn
22:00 -!- sangnom [~sangnom@cpe-76-184-79-182.tx.res.rr.com] has joined #openvpn
22:01 -!- jantypas [~jantypas@74-93-0-52-SFBA.hfc.comcastbusiness.net] has quit [Quit: Colloquy for iPad - http://colloquy.mobi]
22:01 < sangnom> !goal
22:01 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
22:10 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
22:10 < sangnom> does anyone know where I could find an explanation of the routes added by redirect-gateway? specifically the route add 0.0.0.0 MASK 128.0.0.0 10.8.0.1 command? I have a basic understanding of what a netmask is but now sure what a netmask of 128.0.0.0 is doing
22:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
--- Day changed Sat Dec 18 2010
00:17 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
00:29 -!- hpa [hpa@terminus.zytor.com] has joined #openvpn
00:29 < hpa> !welcome
00:29 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
00:29 < hpa> @goal
00:29 < hpa> !goal
00:29 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
00:29 < hpa> !redirect
00:29 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
00:30 < hpa> !def1
00:30 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
00:31 < hpa> !nat
00:31 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
00:31 < hpa> !linnat
00:31 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
00:52 -!- twister004 [~chatzilla@59.90.34.167] has joined #openvpn
00:55 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
01:20 -!- SL55 [~jam@190.21.183.69] has joined #openvpn
01:21 < SL55> !welcome
01:21 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:22 < SL55> !goal
01:22 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:22 < SL55> !howto
01:22 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
01:24 < SL55> !redirect
01:24 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
01:24 < SL55> !def1
01:24 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
01:30 < SL55> !logs
01:30 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin
01:31 < SL55> !iporder
01:31 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
01:33 < SL55> !topology
01:33 <@vpnHelper> "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
01:34 < SL55> !sample
01:34 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
01:36 < SL55> !interface
01:36 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
01:37 < SL55> !redirect
01:37 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
01:52 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 272 seconds]
01:53 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:59 < SL55> Hi everybody; I would like to access the internet over my vpn. It works running the client under windows, but it doesn't in linux. Anybody can give me a hint? I'm using a server-side dhcp server with a bridge. The linux client doesn't get an internal IP on the tap0 adapter
01:59 < SL55> Client configuration: http://pastebin.com/DvneKFgH --> works with the windows client.
02:00 < Bushmills> SL55: try pinging an ip address, rather than a host name
02:00 < Bushmills> if pinging an ip address is possible, check your name server setup
02:03 < SL55> "no route to host.."
02:04 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
02:05 < reiffert> Bushmills: his linux doesnt send a dhcp request.
02:07 < Bushmills> "no route to host.." means no route to host
02:07 < Bushmills> i guess you guessed that already
02:08 < reiffert> Bushmills: my crystall ball is broken these days.
02:08 < SL55> hahaha
02:08 < SL55> yup
02:08 < reiffert> The chinese crystall ball warranty association told me that repairs will last until 2011 at least.
02:09 < Bushmills> no sheep or lamb intestines at hand?
02:09 < SL55> http://pastebin.com/DWyGWKxj --> It works, but under windows.
02:09 < reiffert> ion: http://pastebin.com/DvneKFgH --> works with the windows client.
02:10 < reiffert> SL55: tell linux to start a dhcp request, once connected.
02:11 < SL55> with a script throught openvpn you mean?
02:11 < reiffert> SL55: open you mouth and spell the magic words: Hey openvpn you suck. Do it like I say. Start a dhcp request once connected!
02:12 < reiffert> Does it work?
02:12 < SL55> No, It doesn't react to cursing..
02:13 < reiffert> well then maybe add some little magic. "echo dhcp dhclient openvpn linux | google"
02:13 < reiffert> !factoids search dhcp
02:13 <@vpnHelper> 'bridge-dhcp' and 'dhcp'
02:14 < SL55> If I do it that way, I would'nt be able to control the thing with networkmanager, beacuse networkmanager doesn't run scripts (i think)
02:14 < reiffert> !dhcp
02:14 <@vpnHelper> "dhcp" is redirect-gateway bypass-dhcp gets around the problem of DHCP packets to the local DHCP server being incorrectly routed into the tunnel. Available in 2.1
02:14 < reiffert> !nm
02:14 < reiffert> !factoids search network manager
02:14 <@vpnHelper> No keys matched that query.
02:14 < reiffert> !factoids search networkmanager
02:14 <@vpnHelper> No keys matched that query.
02:14 < reiffert> !factoids search network-manager
02:14 <@vpnHelper> No keys matched that query.
02:14 < reiffert> !factoids search --values manager
02:14 <@vpnHelper> 'ubuntu', 'netman', and 'win2k8'
02:14 < reiffert> !ubunut
02:14 < reiffert> !ubuntu
02:14 <@vpnHelper> "ubuntu" is dont use network manager!
02:14 < reiffert> !bridge-dhcp
02:14 <@vpnHelper> "bridge-dhcp" is http://openvpn.net/faq.html#bridge-addressing for making clients grab dhcp ip over the bridge but not over-riding dhcp ip from local dhcp server
02:15 < reiffert> !factoids search tap
02:15 <@vpnHelper> 'tap', 'mactuntap', 'wintaphide', 'tunortap', and 'obsdtap'
02:15 < reiffert> !factoids search linux
02:15 <@vpnHelper> No keys matched that query.
02:15 < reiffert> !factoids search --values linux
02:15 <@vpnHelper> 'gentoo', 'router', 'netman', 'samba', 'easy-rsa-unix', and 'bridge-fw'
02:15 < reiffert> !bridge-fw
02:15 <@vpnHelper> "bridge-fw" is in bridging mode you could still have a firewall handle who'sdoing what. On linux it's ebtables and reiffert says it's working great.
02:18 < reiffert> it's something similar to ...
02:18 < reiffert> up "dhclient -e tap0"
02:19 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has quit [Remote host closed the connection]
02:20 < reiffert> have a look here. It sounds working: http://hans.fugal.net/blog/2009/01/06/putting-openvpn-in-its-place/
02:20 <@vpnHelper> Title: Putting OpenVPN in its place « The Fugue (at hans.fugal.net)
02:21 < SL55> thank.. taking a look at it
02:28 < SL55> !bridge-dhcp
02:28 <@vpnHelper> "bridge-dhcp" is http://openvpn.net/faq.html#bridge-addressing for making clients grab dhcp ip over the bridge but not over-riding dhcp ip from local dhcp server
02:36 < SL55> http://pastebin.com/SK03n3vU --> Linux connection log
03:01 -!- SL55 [~jam@190.21.183.69] has quit [Ping timeout: 272 seconds]
03:10 -!- WinstonSmith [~true@g225031154.adsl.alicedsl.de] has joined #openvpn
03:14 < hyper_ch> hi reiffert
03:20 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
03:34 -!- grendal_prime [~sgraham@c-67-187-145-117.hsd1.ca.comcast.net] has joined #openvpn
03:35 < grendal_prime> ok so along time ago i created this openvpn server.  Now im having to set up a gui to manage it..because they are moving me on to another project.  so i dont want to recreate my ca and whatnot so im trying to piece together everthing i need and movie it around
03:36 < grendal_prime> to work with this gui.  the gui creates a config that needs a ca.pem.  I dont have one of those?
03:36 < Bushmills> you "have to" set up a gui because "they" are moving the server?  interesting reason for needing a gui
03:37 < grendal_prime> no no dude IM being moved to a new project.
03:37 < Bushmills> moving you. that's, like, moving the server relative to you :)
03:37 < grendal_prime> something much nicer.
03:37  * Bushmills uses ssh as gui
03:38 < grendal_prime> well also they want to adopt it for something else as well..but they do not...look here is the deal..they like it..they just dont like the fact that im the only one that can manage it.  
03:38 < Bushmills> i someone needs a gui to manage the server, he better shouldn't manage it :)
03:38 < grendal_prime> me to..but i got 5 other people that understand the gui for this...im not trying to say its the greatest of situations.  is there a way to generate a ca.pem with the existing ca?
03:39 < grendal_prime> they all windows monkeys..but hey..what do you know there vpn blows...and sucks...at the same time.
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 240 seconds]
03:42 < Bushmills> the web interface you're looking for seems to be more openssl- than openvpn specific 
03:43 < Bushmills> cert creation, key signing is not exactly something openvpn does. though openvpn uses the outcome.
03:44 < Bushmills> openvpn stops about where you specific the cert and key names in its configuration. so would probably do an openvpn frontend
03:46 < grendal_prime> ya i used the easy rsa package to create these...and your right this gui does not seem the least bit concerened with where that is located.
03:46 < Bushmills> http://sourceforge.net/projects/casystems/  is what google came up with first. no idea how useable or useful that is
03:46 <@vpnHelper> Title: CAsystems - OpenSSL PHP-Webfrontend | Download CAsystems - OpenSSL PHP-Webfrontend software for free at SourceForge.net (at sourceforge.net)
03:46 -!- master_of_master [~master_of@p57B56A28.dip.t-dialin.net] has quit [Read error: Operation timed out]
03:47 < grendal_prime> thanks vpnHelper we tried that and it did not do what we were hoping for.
03:47 < grendal_prime> im going to bed ill beat it up more tomorro.
03:47 < grendal_prime> thanks guys...girls?  bots.
03:48 -!- grendal_prime [~sgraham@c-67-187-145-117.hsd1.ca.comcast.net] has quit [Quit: Ex-Chat]
03:50 -!- master_of_master [~master_of@p57B56F68.dip.t-dialin.net] has joined #openvpn
03:50 -!- sangnom [~sangnom@cpe-76-184-79-182.tx.res.rr.com] has quit [Quit: Leaving]
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:52 -!- KipMacy [~kmacy@unaffiliated/kipmacy] has quit [Quit: leaving]
04:03 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
04:13 -!- gorkhaan [~gorkhaan@2001:738:7901:729:21a:92ff:fe61:4aa7] has quit [Quit: Távozom]
04:30 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has joined #openvpn
04:30 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has quit [Remote host closed the connection]
04:31 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has joined #openvpn
04:31 -!- common [~common@p5DDA4608.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds]
04:33 -!- common [~common@p5DDA4B90.dip0.t-ipconnect.de] has joined #openvpn
04:45 -!- twister004 [~chatzilla@59.90.34.167] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]]
05:26 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
05:28 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
05:35 -!- Jones1 [~Adium@d54C3B3CE.access.telenet.be] has joined #openvpn
05:36 -!- venom00ut [~wer@net-93-70-12-6.cust.dsl.vodafone.it] has joined #openvpn
05:36 -!- venom00ut [~wer@net-93-70-12-6.cust.dsl.vodafone.it] has quit [Changing host]
05:36 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
05:42 -!- Jones1 [~Adium@d54C3B3CE.access.telenet.be] has left #openvpn []
06:16 -!- mattock [~samuli@openvpn/corp/admin/mattock] has joined #openvpn
06:16 -!- mode/#openvpn [+o mattock] by ChanServ
06:42 -!- mattock [~samuli@openvpn/corp/admin/mattock] has quit [Ping timeout: 260 seconds]
07:02 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
07:10 -!- mikkel [~mikkel@80.71.132.15] has joined #openvpn
07:10 -!- venom00ut [~wer@net-93-70-12-6.cust.dsl.vodafone.it] has joined #openvpn
07:10 -!- venom00ut [~wer@net-93-70-12-6.cust.dsl.vodafone.it] has quit [Changing host]
07:10 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
07:22 -!- master_of_master [~master_of@p57B56F68.dip.t-dialin.net] has quit [Quit: Lost terminal]
07:28 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
07:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
07:45 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
07:52 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
08:06 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
08:24 -!- John____ [52269ae1@gateway/web/freenode/ip.82.38.154.225] has joined #openvpn
08:24 < John____> hi
08:25 < John____> !goal Get clients to communicate directly instead of through the serve.
08:39 -!- WinstonSmith [~true@g225031154.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
08:41 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 240 seconds]
08:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
08:41 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
08:46 -!- WinstonSmith [~true@g225031154.adsl.alicedsl.de] has joined #openvpn
08:50 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
08:52 -!- ilovegrolsc [~daniell@82-168-191-228.ip.telfort.nl] has joined #openvpn
08:52 < ilovegrolsc> halo
08:54 < John____> hey
08:57 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Quit: I am off]
08:57 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
08:58 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Client Quit]
08:59 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
09:00 < ilovegrolsc> any1 got questions?
09:02 < John____> I'm struggling a little if you could help
09:02 < John____> I'm very new to openvpn. Set it up for first time
09:02 < John____> I have 2 clients in the USA, and the server in Europe
09:03 < John____> When the USA servers ping eachother through public IP its <1ms, but when I ping through VPN its >200ms.
09:03 < John____> I'm just wondering how I can get the clients to communicate directly
09:03 < John____> *USA clients
09:07 < hyper_ch> John____: all traffic goes through the vpn server
09:07 < hyper_ch> so make one of the servers in the US as vpn server
09:08 < John____> Is there no possible way around this? I'm just thinking for future expansion and more servers in Europe that it's going to be a massive load for everything to go through one server
09:09 < hyper_ch> John____: there was some proposition but current it's not possible (at least not with openvpn, no clue about other vpn software)
09:10 < John____> ah, I see. Well thank you for your help
09:13 < ilovegrolsc> yea its not possible to have an openvpn tunnel between 2 computers directly
09:13 < ilovegrolsc> you need a server in the middle
09:13 < ilovegrolsc> unfortunately
09:13 < John____> Never mind, back to square 1, lol!
09:14 < ilovegrolsc> the latency isn't so bad
09:14 < John____> appreciate the advice. Anybody know anything about CloudVPN and tinc and whether either is suitable for my purpose?
09:14 < ilovegrolsc> your going from usa to europe and back so no way around 200ms
09:14 < John____> Iwhat do you mean?
09:14 < ilovegrolsc> your client is in usa
09:15 < ilovegrolsc> your openvpn server is in europe
09:15 < ilovegrolsc> when u use vpn tunnel your data goes from usa to europe then back to usa
09:15 < John____> the USA clients are in same data centre in USA. When they ping Europe public IP or over VPN it's 113ms
09:15 -!- archangelpetro [~archangel@cpc4-oxfd19-2-0-cust84.4-3.cable.virginmedia.com] has quit [Ping timeout: 250 seconds]
09:15 < ilovegrolsc> why you have server in europe
09:15 < John____> then they ping eachother its <1ms public IP or 226ms VPN
09:15 < ilovegrolsc> if you just want a vpn tunnel in usa get a server in the usa
09:16 < ilovegrolsc> then you'll have very low latency
09:16 < John____> the site and mysql database is in based in the UK
09:16 < ilovegrolsc> ok
09:16 < John____> the USA clients were very cheap/not as reliable and are used to backup
09:16 < ilovegrolsc> well you won't find any1 talking about any other software other than openvpn in here
09:17 < John____> that's fair enough. Thanks again for the help
09:17 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
09:17 < John____> I do like OpenVPN, great software
09:17 -!- archangelpetro [~archangel@cpc4-oxfd19-2-0-cust84.4-3.cable.virginmedia.com] has joined #openvpn
09:17 < John____> I'll definitely be using it in the future when my circumstances are different
09:21 < John____> Peace!
09:21 -!- John____ [52269ae1@gateway/web/freenode/ip.82.38.154.225] has quit []
09:34 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
09:40 < ilovegrolsc> i'm on a new server, ./build-dh is taking forever, already over 1 hour and still not finished
09:40 < ilovegrolsc> is that normal?
09:40 < ilovegrolsc> the server is quite high spec
09:44 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
09:44 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:48 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has quit [Ping timeout: 240 seconds]
09:49 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
09:50  * ilovegrolsc watches tumbleweeds drift by
09:51  * ilovegrolsc thinks Bushmills is silently observing the silence
10:09 -!- smerz [~smerz@smerz.demon.nl] has quit [Ping timeout: 240 seconds]
10:20 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has quit [Ping timeout: 260 seconds]
10:21 -!- takamichi [~pri@194.126.175.219] has joined #openvpn
10:22 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
10:24 < ilovegrolsc> !linnat
10:24 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
10:29 -!- orangey [~orangey@CPE0018e7c840f5-CM0022103a6e13.cpe.net.cable.rogers.com] has joined #openvpn
10:30 -!- nac909 [~daniell@82-168-191-228.ip.telfort.nl] has joined #openvpn
10:31 -!- ilovegrolsc [~daniell@82-168-191-228.ip.telfort.nl] has quit [Ping timeout: 260 seconds]
10:33 -!- nac909 [~daniell@82-168-191-228.ip.telfort.nl] has left #openvpn []
10:34 -!- babySpoon [~daniell@82-168-191-228.ip.telfort.nl] has joined #openvpn
10:34 < babySpoon> hey
10:35 < babySpoon> just installed openvpn on new server, can connect fine, then i added push 'redirect-gateway' to server.conf and now i can't visit any websites
10:35 < babySpoon> oh wait
10:35 < babySpoon> i forgot ip forwarding
10:35 < babySpoon> one sec
10:37 -!- ilovegrolsc [~daniell@vps6794.xlshosting.net] has joined #openvpn
10:37 -!- ilovegrolsc is now known as whateverDever
10:37 -!- whateverDever [~daniell@vps6794.xlshosting.net] has left #openvpn []
10:39 -!- babySpoon [~daniell@82-168-191-228.ip.telfort.nl] has quit [Ping timeout: 265 seconds]
10:49 -!- mikkel [~mikkel@80.71.132.15] has quit [Quit: Leaving]
10:50 -!- star314 [~star314@starnet1.sinh.us] has joined #openvpn
11:05 -!- takamichi [~pri@194.126.175.219] has quit [Ping timeout: 240 seconds]
11:06 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has joined #openvpn
11:07 -!- mOo [moo@lighttpd/moo] has joined #openvpn
11:08 < mOo> is there any guide on how to make 1 ovpn server for multiple windows clients?
11:08 < mOo> !goal
11:08 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:21 < mOo> never mind
11:21 -!- mOo [moo@lighttpd/moo] has left #openvpn []
11:23 -!- ping-pong [~qwerty@212-30-223-89.static.simnet.is] has quit [Ping timeout: 265 seconds]
11:38 -!- mOo [moo@lighttpd/moo] has joined #openvpn
11:38 < mOo> !howto
11:38 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:38 < reiffert> explaining your question.
11:38 < reiffert> be sure to also read about windows specialities
11:38 < reiffert> !factoids search win
11:38 <@vpnHelper> 'winroute', 'winpass', 'win_noadmin', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', 'win_ipfail', 'win2k8', 'sudowin', 'win_tcplimit', 'winnat', 'winscript', 'win_rollup', 'windows', 'winpath', 'winsudo', 'windows_mobile', 'win_build', and 'new_win_gui'
11:39 < reiffert> and of course:
11:39 < reiffert> !topology
11:39 <@vpnHelper> "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
11:39 < reiffert> !subnet
11:39 <@vpnHelper> "subnet" is http://www.subnet-calculator.com/ or http://en.wikipedia.org/wiki/Subnetwork
11:39 < reiffert> grr.
11:39 < reiffert> see "subnet" in the howto and manpage.
11:41 < mOo> thx
11:42 < reiffert> welcome
11:42 < reiffert> !windows
11:42 <@vpnHelper> "windows" is (#1) pcs are like air conditioners, they work fine unless you open windows, or (#2) http://secure-computing.net/files/windows.jpg, or (#3) also, http://secure-computing.net/files/windows_2.jpg
11:42 < mOo> is the "topology subnet" option on byte default in 2.1 or 2.2? (which is the "later")
11:43 < mOo> googling... :)
11:43 < reiffert> reading ... manpage
11:43 < reiffert> !man
11:43 <@vpnHelper> "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
11:44 -!- whateverDever [~daniell@vps6794.xlshosting.net] has joined #openvpn
11:44 < reiffert> dazo_afk: add some "this is the default" to the manpage...
11:45 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
11:48 < whateverDever> is port 22 better for openvpn than 1194
11:48 < whateverDever> i read somewhere 22 is bestest
11:51 -!- me345 [~me345@adsl-75-15-227-60.dsl.bkfd14.sbcglobal.net] has joined #openvpn
11:51 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has joined #openvpn
11:53 < reiffert> whateverDever: tcp/443, udp/53 are my favourite
11:56 -!- ping-pong [~qwerty@212-30-223-89.static.simnet.is] has joined #openvpn
11:56 < whateverDever> any particular reason?
11:59 -!- s7r [~s7r@89.39.174.74] has joined #openvpn
12:01 -!- goopen [~goopen@c-150872d5.25-92-64736c10.cust.bredbandsbolaget.se] has joined #openvpn
12:05 -!- goopen [~goopen@c-150872d5.25-92-64736c10.cust.bredbandsbolaget.se] has left #openvpn []
12:08 -!- orangey [~orangey@CPE0018e7c840f5-CM0022103a6e13.cpe.net.cable.rogers.com] has left #openvpn []
12:30 -!- brah [~asdofp@190.7.17.210] has quit [Remote host closed the connection]
12:32 -!- mOo [moo@lighttpd/moo] has quit [Ping timeout: 255 seconds]
12:32 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
12:34 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
12:35 -!- d457k [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has quit [Ping timeout: 260 seconds]
12:36 -!- d457k [~heiko@vpn.astaro.de] has joined #openvpn
12:44 -!- whateverDever [~daniell@vps6794.xlshosting.net] has quit [Ping timeout: 272 seconds]
12:50 -!- whateverDever [~daniell@82-168-191-228.ip.telfort.nl] has joined #openvpn
12:54 -!- whateverDever [~daniell@82-168-191-228.ip.telfort.nl] has quit [Ping timeout: 240 seconds]
12:55 -!- whateverDever [~daniell@vps6794.xlshosting.net] has joined #openvpn
12:55 < whateverDever> ...
12:55 < whateverDever> source port tekpls
12:56 < whateverDever> and unimobilectrl
12:56 < whateverDever> should only say openvpn
12:58 < whateverDever> nevermind
12:58 < whateverDever> i see you all need some sleep
12:58 < whateverDever> night
12:58 -!- whateverDever [~daniell@vps6794.xlshosting.net] has left #openvpn []
12:58 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
13:14 -!- star314 [~star314@starnet1.sinh.us] has quit [Quit: Leaving]
13:15 -!- rkantos [robin@hp1.jaketus.net] has joined #openvpn
13:25 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has quit [Ping timeout: 250 seconds]
13:26 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 255 seconds]
13:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
13:30 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has joined #openvpn
13:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
13:42 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
13:48 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Quit: I am off]
13:50 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has quit [Ping timeout: 265 seconds]
13:53 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has joined #openvpn
14:02 -!- Jumbo [~Jumbo@75.81-167-136.customer.lyse.net] has joined #openvpn
14:02 < Jumbo> !welcome
14:02 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:03 < Jumbo> hello somebody knwos why openvpn cleint work under XP but not windows 7?`
14:03 < Jumbo> When will this be fixed?
14:04 < Jumbo> !howto for beginners
14:05 -!- Jumbo [~Jumbo@75.81-167-136.customer.lyse.net] has left #openvpn []
14:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
14:24 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
14:41 -!- jobicreatingweb [~jobicreat@adsl-166.109.242.191.tellas.gr] has joined #openvpn
14:41 < jobicreatingweb> hello
14:42 -!- whateverDever [~daniell@vps6794.xlshosting.net] has joined #openvpn
14:43 < whateverDever> i see the default hash in openvpn is the venerable SHA1 which is cracked
14:43 < whateverDever> nice
14:43 -!- whateverDever [~daniell@vps6794.xlshosting.net] has left #openvpn []
14:52 < jobicreatingweb> i am at the folder /easy-rsa and i am doing to my terminal ../vars but it says bash: ../vars: No such file or directory
14:52 < jobicreatingweb> but the file is there i see it in the directory
14:57 -!- JozoSalt [~daniell@82-168-191-228.ip.telfort.nl] has joined #openvpn
14:57 < JozoSalt> hello
14:57 < JozoSalt> Have a Q i couldnt find an answer to in HowTo
15:02 -!- whateverDever [~daniell@vps6794.xlshosting.net] has joined #openvpn
15:06 -!- JozoSalt [~daniell@82-168-191-228.ip.telfort.nl] has quit [Ping timeout: 240 seconds]
15:14 -!- JozoSalt [~daniell@vps6794.xlshosting.net] has joined #openvpn
15:14 -!- JozoSalt [~daniell@vps6794.xlshosting.net] has quit [Client Quit]
15:14 -!- whateverDever [~daniell@vps6794.xlshosting.net] has quit [Ping timeout: 260 seconds]
15:14 -!- JozoSalt [~daniell@vps6794.xlshosting.net] has joined #openvpn
15:14 -!- JozoSalt [~daniell@vps6794.xlshosting.net] has left #openvpn []
15:16 -!- slickrick [~INTERWORX@CPE0010f30c0794-CM00159a648146.cpe.net.cable.rogers.com] has joined #openvpn
15:16 < slickrick> !welcome
15:16 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:16 < slickrick> !goal
15:16 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:17 -!- jobicreatingweb [~jobicreat@adsl-166.109.242.191.tellas.gr] has quit [Ping timeout: 250 seconds]
15:18 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
15:18 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
15:25 -!- Essobi [~Essobi@74-128-72-212.dhcp.insightbb.com] has joined #openvpn
15:31 -!- me345 [~me345@adsl-75-15-227-60.dsl.bkfd14.sbcglobal.net] has quit [Read error: Connection reset by peer]
15:31 -!- me345 [~me345@adsl-75-15-227-60.dsl.bkfd14.sbcglobal.net] has joined #openvpn
15:36 -!- raw_ [~raw@chipotle118.server4you.de] has quit [Ping timeout: 265 seconds]
15:48 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
15:51 -!- Jumbo [~Jumbo@75.81-167-136.customer.lyse.net] has joined #openvpn
15:51 < Jumbo>  !welcome
15:51 < Jumbo> !goal
15:51 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:52 < Jumbo> !goal want to know why win7 64 dosent work properly with def1 and openvpn client
15:56 -!- Jumbo [~Jumbo@75.81-167-136.customer.lyse.net] has quit []
15:58 -!- WinstonSmith [~true@g225031154.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
16:04 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 255 seconds]
16:16 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
16:31 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 260 seconds]
16:38 -!- raw_ [~raw@chipotle118.server4you.de] has joined #openvpn
16:46 -!- openbsdnoob [~openbsdno@88.79.221.61] has quit [Quit: byebye]
16:47 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
16:49 -!- openbsdnoob [~openbsdno@88.79.221.61] has joined #openvpn
16:58 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Ping timeout: 240 seconds]
17:02 -!- archangelpetro [~archangel@cpc4-oxfd19-2-0-cust84.4-3.cable.virginmedia.com] has quit [Ping timeout: 265 seconds]
17:09 -!- archangelpetro [~archangel@cpc4-oxfd19-2-0-cust84.4-3.cable.virginmedia.com] has joined #openvpn
17:15 -!- LowKey [fafa@unaffiliated/lowkey] has joined #openvpn
17:26 -!- qermit [~qermit@unaffiliated/pantofel] has joined #openvpn
17:27 < qermit> hi, i have problem with openvpn and windows7. When i connect to remote server default route for ipv6 disapears.
17:27 < qermit> I use Router Advertisement (radvd)
17:34 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
17:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
18:01 -!- s7r [~s7r@89.39.174.74] has left #openvpn []
18:06 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has quit [Ping timeout: 260 seconds]
18:30 -!- me345 [~me345@adsl-75-15-227-60.dsl.bkfd14.sbcglobal.net] has quit [Remote host closed the connection]
18:31 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
18:41 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 276 seconds]
18:49 -!- openvpn2009 [patel@openvpn/corp/admin/patel] has joined #openvpn
18:49 -!- mode/#openvpn [+o openvpn2009] by ChanServ
18:56 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
19:15 <@vpnHelper> RSS Update - forum: Server Administration :: DNS problem. Many hours wasted, need help. :: Author Bebop <https://forums.openvpn.net/viewtopic.php?f=4&t=7410&p=8709#p8709>
19:23 -!- lorph [~lorph@unaffiliated/hgj] has joined #openvpn
19:26 < lorph> hi I'm having trouble with this simple shared key configuration http://codepad.org/WmKBktpw
19:26 <@vpnHelper> Title: Plain Text code - 70 lines - codepad (at codepad.org)
19:27 < lorph> it worked to begin with so I added another line and it stopped working
19:27 < lorph> so I removed it and now it keeps complaining about HMAC authentication failed
19:39 -!- mOo [moo@lighttpd/moo] has joined #openvpn
19:46 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
19:52 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
19:55 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has joined #openvpn
20:03 <@vpnHelper> RSS Update - forum: Installation Help :: Openvpn on a public gateway. :: Author CarlC <https://forums.openvpn.net/viewtopic.php?f=5&t=7411&p=8710#p8710>
20:09 < krzee> whoawhoa
20:09 < krzee> lorph, never paste the context of your private key
20:09 < krzee> that is your ONLY security in a point-to-point setup
20:09 < krzee> guard that thing with your life, and now that you posted it, go make another
20:28 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- s0 d4Mn l33t |t'z 5c4rY!]
20:43 < lorph> krzee: I am only testing
20:43 < lorph> it doesn't work anyway so it doesn't matter
20:49 < krzee> just making sure you are aware that you should never use those keys again
20:50 < krzee> get md5 (or sha1) hashes for the secret file on each side, make sure they match
21:17 -!- LowKey [fafa@unaffiliated/lowkey] has quit [Read error: Connection reset by peer]
21:22 -!- corretico_ [~corretico@201.201.44.82] has joined #openvpn
21:26 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 240 seconds]
21:30 -!- LowKey [rhel@unaffiliated/lowkey] has joined #openvpn
21:46 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 276 seconds]
21:52 -!- Klem [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has quit [Ping timeout: 250 seconds]
21:55 < pyther> is ipsec more secure than public/private key authentication like openvpn uses?
21:56 -!- Klem [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has joined #openvpn
22:05 -!- Bebop2Steady [~chatzilla@myprojectz.com] has joined #openvpn
22:05 < Bebop2Steady> !goal
22:05 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
22:06 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
22:07 < Bebop2Steady> !welcome
22:07 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
22:08 < Bebop2Steady> Iiporder
22:08 < Bebop2Steady> !iporder
22:08 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
22:09 < Bebop2Steady> Goal: solve openvpn dns problem. I got 2 near identical servers, yet fail to get dns routed on 2nd server. Details @ https://forums.openvpn.net/topic7410.html    any fresh set of eyes/ideas most welcome and appreciated.
22:09 <@vpnHelper> Title: OpenVPN Support Forum DNS problem. Many hours wasted, need help. : Server Administration (at forums.openvpn.net)
22:12 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
22:14 < pyther> Bebop2Steady: maybe bind is rejecting connections from tun0?
22:15 < pyther> plus I dunno much about venet0, but I find it hard to believe it can have the same address as lo
22:15 < pyther> but then again I've never played with venet0
22:16 < Bebop2Steady> Oh yes.. good point..I havn't set the ACL on bind yet (since i had dnsmasq before)..
22:16 < Bebop2Steady> venet is a real pain.. venet:0 cant be added in iptables because of the :  <-- symbol
22:26 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
22:27 < Bebop2Steady> Thx for your help so far pyther. I updated ACL and will go test it now *disconnects*
22:29 -!- Bebop2Steady_ [~chatzilla@212.117.191.16] has joined #openvpn
22:31 < Bebop2Steady_> Solved by pyther!  If ya happen to live in sydney, or ever visit than I owe you a beer
22:31 -!- Bebop2Steady [~chatzilla@myprojectz.com] has quit [Ping timeout: 240 seconds]
22:32 -!- Bebop2Steady_ is now known as Bebop2Steady
22:36 < pyther> Bebop2Steady: did it work?
22:37 < Bebop2Steady> YES! thank you. Owe you bigtime.
22:38 < pyther> Bebop2Steady: no problem, I spent two hours figting with iptables because I was using tap0 instead of tun0
22:38 < pyther> hehe
22:41 < Bebop2Steady> Sounds like you had a fight with iptables and won :]  I owe the dear iptables an appology somewhat since I was starting to blame it for my dns problem.
22:42 < pyther> hehe
22:42 <@vpnHelper> RSS Update - forum: Server Administration :: Re: DNS problem. Many hours wasted, need help. :: Reply by Bebop <https://forums.openvpn.net/viewtopic.php?f=4&t=7410&p=8711#p8711>
22:42 < pyther> I spent a good 15-20 minutes playing with an iptable rule only to realize I didn't have a local route to the server I was trying to reach :P
22:49 < Bebop2Steady> thanks for your flawless advice dear pyther. I shall be going to mess around with the server some more.
22:55 -!- Bebop2Steady [~chatzilla@212.117.191.16] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.12/20101026210630]]
23:03 -!- lorph [~lorph@unaffiliated/hgj] has left #openvpn []
23:18 -!- pyther [~pyther@unaffiliated/pyther] has quit [Read error: Operation timed out]
23:41 < mOo> hi, i'm able to make custom ovpn installer for windows. but i want different keys for each client. any idea?
23:41 -!- Essobi [~Essobi@74-128-72-212.dhcp.insightbb.com] has quit [Ping timeout: 276 seconds]
23:42 < mOo> prompt for password and use it to download keys from http?
23:42 < mOo> select keys to copy in 1 of installer steps?
23:57 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
--- Day changed Sun Dec 19 2010
00:40 -!- mOo [moo@lighttpd/moo] has quit [Quit: hAvE yOu mOOEd tOdAY]
00:52 -!- slickrick [~INTERWORX@CPE0010f30c0794-CM00159a648146.cpe.net.cable.rogers.com] has quit [Quit: Ex-Chat]
00:52 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has joined #openvpn
00:52 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has quit [Changing host]
00:52 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
01:00 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:03 -!- Essobi [~Essobi@74-128-72-212.dhcp.insightbb.com] has joined #openvpn
01:28 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 276 seconds]
02:42 -!- morbidwar [~morbidwar@78.96.23.179] has joined #openvpn
02:59 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has quit [Read error: Operation timed out]
03:01 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has joined #openvpn
03:24 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
03:38 -!- regius [~regius@c-43c6e455.034-67-6c6b701.cust.bredbandsbolaget.se] has quit [Remote host closed the connection]
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 240 seconds]
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
04:23 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
04:28 -!- common- [~common@p5DDA45ED.dip0.t-ipconnect.de] has joined #openvpn
04:31 -!- common [~common@p5DDA4B90.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds]
04:31 -!- common- is now known as common
04:34 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
04:41 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
04:42 -!- WinstonSmith [~true@e179010246.adsl.alicedsl.de] has joined #openvpn
04:53 < morbidwar> hello
04:53 < morbidwar> i have a little problem with my openvpn server
04:54 < morbidwar> i configured the server, but the client (opensuse with networkmanager) get's timed out when i try to connect to the server, on the server i can telnet localhost port and works, can somebody tell me where to look?
05:01 < atan> morbidwar, look at the firewall
05:02 < morbidwar> atan: i disabled the firewall
05:02 < atan> morbidwar, both firewalls
05:03 < atan> Outside of that I am not sure.
05:03 < morbidwar> both sides
05:03 < morbidwar> both firewalls are disabled
05:03 < atan> Is the server waiting for connections on the public address? what does your server.conf look like?
05:08 < morbidwar> here is my config http://pastebin.com/iy1fVNN4
05:11 -!- mikkel [~mikkel@80.71.132.15] has joined #openvpn
05:15 < qermit> hi, i have problem with openvpn and windows7. When i connect to remote server default route for ipv6 disapears.
05:15 < qermit> I use Router Advertisement (radvd)
05:25 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: Operation timed out]
05:27 < morbidwar> atan: did you see something wrong there?
05:28 < atan> what about your client config? =)
05:28 < atan> server 10.199.250.0 255.255.255.0 ?
05:33 < morbidwar> yes i want to use this network for my vpn
05:41 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
05:44 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
05:45 -!- morbidwar [~morbidwar@78.96.23.179] has quit [Ping timeout: 240 seconds]
06:13 -!- pa [~pa@host242-12-dynamic.1-87-r.retail.telecomitalia.it] has joined #openvpn
06:13 -!- pa [~pa@host242-12-dynamic.1-87-r.retail.telecomitalia.it] has quit [Changing host]
06:13 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
06:18 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has quit [Ping timeout: 250 seconds]
06:19 -!- takamichi [~pri@194.126.175.219] has joined #openvpn
06:49 -!- morbidwar [~morbidwar@78.96.23.179] has joined #openvpn
06:51 < morbidwar> hello, i just finished to configure my vpn server but i have an issue, when i ping/browse domain.tld the dns query respond successfully but i have 100% packets lost
06:52 < morbidwar> could somebody give me a hint where to look?
06:53 < Bushmills> how are "configuring vpn server" and "pinging domain.tld" related?
06:53 < morbidwar> :D it's my first time that i configure a vpn
06:54 < morbidwar> maybe i'm wrighting wrong my configuration
06:54 < Bushmills> usually people describe their problems in terms of "my server made a boo-boo"
06:55 < morbidwar> usually, but i don't
06:55 < Bushmills> though i may have missed any problem description, relating to pinging domain.tld, which you may have written earlier on
06:56 -!- zamba [marius@flage.org] has quit [Ping timeout: 264 seconds]
06:56 < morbidwar> the connection with the vpn server works ok, but i cannot recive any packets when i'm trying to browse the web
06:57 < Bushmills> what have you set up to the end of allowing you to browse the web (over openvpn, i assume)
06:57 < morbidwar> and when i ping the domain.tld i got the respond "pinging domain.tld (a.b.c.d) with XX(xx)of data and after that nothing... silence on the console
07:00 < morbidwar> i push dns 8.8.8.8 and 8.8.4.4, and redirect-gateway is disabled
07:01 < morbidwar> would you like to see the config files?
07:08 < Bushmills> no. i prefer to get an idea what you have setup first
07:08 < Bushmills> "redirect-gateway is disabled" .. how is pinging that domain related to openvpn?
07:09 < morbidwar> Bushmills: sorry i was not tipying clearly
07:10 < morbidwar> so this is the scenario: i got one server with public ip that runs openvpn(server mode) and i got my home computer that connects to the vpn
07:10 < morbidwar> on both sides the firewall is disabled 
07:11 < morbidwar> on my home computer when is not connected to the vpn i can browse without no problem, but when i'm connected to the vpn i got no answers from webpages/pings
07:12 < Bushmills> does server push redirect-gateway?
07:12 < morbidwar> no
07:13 < Bushmills> pastebin client routing table with and without client connected to server
07:13 < morbidwar> ok
07:15 < morbidwar> http://pastebin.com/nX7jvsjm
07:16 < Bushmills> 0.0.0.0         10.8.33.5       0.0.0.0         UG    0      0        0 tun0   ... something *is* doing redirect-gateway, unless default route isn't changed in an --up script, or manually
07:24 < morbidwar> maybe it's a networkmanager problem
07:26 < Bushmills> at least it is one of the programs which have the potential of doing behind your back something different than intended through network setup
07:27 < Bushmills> disabling network manager when doing network-related configuration is probably a good idea
07:28 < Bushmills> (actually, i'd say that disabling it completely, i.e. removing it, may be an even better idea)
07:29 < morbidwar> :)) Bushmills now i will try to configure the vpn without NetworkManager... be right back
07:54 -!- takamichi [~pri@194.126.175.219] has quit [Ping timeout: 250 seconds]
07:54 -!- takamichi [~pri@66.96.216.38] has joined #openvpn
08:07 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
08:23 -!- takamichi [~pri@66.96.216.38] has quit [Ping timeout: 250 seconds]
08:24 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has joined #openvpn
08:31 -!- Netsplit *.net <-> *.split quits: fbh
08:31 -!- 14WAAFT4F is now known as Martin
08:31 -!- Martin is now known as Guest90874
08:39 -!- pyther [~pyther@adsl-99-155-90-130.dsl.bcvloh.sbcglobal.net] has joined #openvpn
08:39 -!- pyther [~pyther@adsl-99-155-90-130.dsl.bcvloh.sbcglobal.net] has quit [Changing host]
08:39 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
08:43 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Quit: leaving]
08:44 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
08:50 -!- fbh [fbh@lucifer.frands.net] has joined #openvpn
08:50 -!- fbh [fbh@lucifer.frands.net] has quit [Changing host]
08:50 -!- fbh [fbh@unaffiliated/fbh] has joined #openvpn
08:53 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has joined #openvpn
08:53 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has quit [Changing host]
08:53 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
08:56 -!- RichiH [~richih@freenode/staff/richih] has left #openvpn []
09:07 -!- albech [~thomas@124.157.209.118] has joined #openvpn
09:16 -!- michal` [~michal@rsbac/developer/michal] has quit [Ping timeout: 240 seconds]
09:21 -!- michal` [~michal@www.rsbac.org] has joined #openvpn
09:21 -!- michal` [~michal@www.rsbac.org] has quit [Changing host]
09:21 -!- michal` [~michal@rsbac/developer/michal] has joined #openvpn
09:34 -!- albech [~thomas@124.157.209.118] has quit [Quit: Ex-Chat]
09:37 -!- WinstonSmith [~true@e179010246.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
09:46 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
09:52 -!- WinstonSmith [~true@g225028053.adsl.alicedsl.de] has joined #openvpn
09:53 -!- Bondv6 [db@2a02:20c8:1140:102:1::2] has joined #openvpn
09:58 -!- roentgen [~arthur@2001:4d18:3:1:ffff:ffff:ffff:1] has joined #openvpn
09:58 -!- roentgen [~arthur@2001:4d18:3:1:ffff:ffff:ffff:1] has quit [Changing host]
09:58 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
10:06 -!- mOo [moo@lighttpd/moo] has joined #openvpn
10:10 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
10:12 -!- reiffert [~thomas@mail.reifferscheid.org] has quit [Ping timeout: 276 seconds]
10:13 -!- reiffert [~thomas@mail.reifferscheid.org] has joined #openvpn
10:18 -!- venom00ut [~wer@net-93-71-34-173.cust.dsl.vodafone.it] has joined #openvpn
10:18 -!- venom00ut [~wer@net-93-71-34-173.cust.dsl.vodafone.it] has quit [Changing host]
10:18 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
10:36 < Bondv6> Hi, I'm using OpenVPN for IPv6, and was wondering if there is any support for client addressing with v6?
10:42 <@ecrist> no, not currently.
10:43 <@ecrist> there may be something in the devel tree, but I don't recall the details.
10:43 <@ecrist> !git
10:44 <@ecrist> !learn git as OpenVPN testing: git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn-testing.git
10:44 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
10:44 <@ecrist> gah
10:44 <@ecrist> !learn git as OpenVPN testing: git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn-testing.git
10:44 <@vpnHelper> Joo got it.
10:44 <@ecrist> !learn git as Browse Git: http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git;a=summary
10:44 <@vpnHelper> Joo got it.
10:44 <@ecrist> !git
10:44 <@vpnHelper> "git" is (#1) OpenVPN testing: git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn-testing.git, or (#2) Browse Git: http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git;a=summary
10:45 -!- morbidwar [~morbidwar@78.96.23.179] has quit [Remote host closed the connection]
11:02 -!- Bondv6 [db@2a02:20c8:1140:102:1::2] has quit [Read error: Operation timed out]
11:06 -!- Bondv6 [db@2a02:20c8:1140:102:1::2] has joined #openvpn
11:09 < pyther> For anyone interested, I wrote a small blog post about setting up dns conditional forwarding on a local linux box. This will allow for dns queries to be resolved both locally and remotely. http://pyther.net/blog/index.php/2010/12/dns-conditional-forwarding-dnsmasq/
11:09 <@vpnHelper> Title: Pythers Interworld » DNS Conditional Forwarding dnsmasq (at pyther.net)
11:12 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:32 < Bushmills> may make sense to install a recursive name server instead of a forwarding resolver.
11:38 < pyther> how would the recursive dns work? google doesn't give much info
11:44 < Rienzilla> it looks hostnames it cannot find in its cache or local database at the dns root servers
11:44 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
11:44 < pyther> Rienzilla: ahh, like how dnsmasq on openwrt operates
11:45 < Rienzilla> that I don't know
11:46 < pyther> I want a forwarder since work dns is actually a "K-12 education/school" server
11:46 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
11:46 < pyther> so I don't want anything accedientaly going to that dns server
11:51 -!- mOo [moo@lighttpd/moo] has quit [Quit: hAvE yOu mOOEd tOdAY]
11:52 -!- justinbeiber [~daniell@vps6794.xlshosting.net] has joined #openvpn
11:56 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Read error: Operation timed out]
11:57 < atan> pyther, lol.
11:59 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
12:00 < pyther> atan: last thing I need is for a dns request for thepiratebay.org to go through eduaction owned name servers
12:01 < atan> Because kids these days don't torrent... you sketchy bugger.
12:01 < atan> If I saw things like EducationDirect.whatever at school I'd know something was up.
12:01 < pyther> hehe
12:02 < atan> The usual is facebook, youtube, and farmville/Xville....
12:02 < pyther> well it is more adult entertainment that would get me into trouble
12:05 < atan> And the truth starts to come out...
12:05 < atan> So you're the teacher? what? vp?
12:18 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
12:19 < justinbeiber> kids don't torrent?
12:19 < justinbeiber> every1 torrents
12:20 < justinbeiber> what are u talking about
12:23 <@ecrist> pyther: you can set your own DNS servers as static on most machines, regardless of the local network connetion.
12:23 <@ecrist> !dns
12:23 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4
12:24 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 255 seconds]
12:25 < atan> justinbeiber, what, the... 
12:26 < justinbeiber> what
12:26 < justinbeiber> lol @ u thinking no1 torrents anymore
12:26 < justinbeiber> software, movies, books
12:26 < justinbeiber> all torrented 
12:26 < justinbeiber> tv shows
12:27 < justinbeiber> so kids these days actually buy windows 7? and buy movies?
12:27 < justinbeiber> no stealing?
12:27 < justinbeiber> lmao
12:27 < Rienzilla> hmm, probably stupid question. One of my openvpn clients quits after the connection is terminated and/or authentication fails during connect. Others just keep retrying indefinitely. What config option is that?
12:27 < justinbeiber> i guess that's why the latest harry potter movie has 10k seeders on the pirate bay
12:27 < justinbeiber> seeders
12:27 < justinbeiber> leachers is 80k
12:28 < justinbeiber> cuz no1 torrents anymore....
12:29 < justinbeiber> Rienzilla during tls handshake?
12:29 < justinbeiber> or you can't start a vpn
12:29 < atan> persist-tun ?
12:29 < atan> & maybe persist-key
12:29 < Rienzilla> well, the reason that the tls handshake failed is clear (ccd-exclusive and no entry for the client), but I wondered why the client doesnt keep trying
12:29 < Rienzilla> I have persist-key, and persust tun
12:30 < Rienzilla> persist-tun*
12:30 < Rienzilla> (and resolv-retry infinite)
12:30 < atan> keepalive 3 10 ?
12:30 < justinbeiber> what client are you using
12:30 < Rienzilla> keepalive is pushed from the server side
12:30 < justinbeiber> windows gui? linux client?
12:30 < Rienzilla> linux openvpn client
12:30 < Rienzilla> I'll paste my confs, sec
12:30 < justinbeiber> yea pastebin them
12:30 < atan> Rienzilla, is the one who won't reconnect an old install of OpenVPN client?
12:31 < justinbeiber> atan just wait for the config files
12:31 < Rienzilla> it's debian's default, so probably not very new
12:31 < justinbeiber> Rienzilla obviously download and install the newest version
12:31 < justinbeiber> b4 you come to official help channels
12:31 < atan> justinbeiber, I can't believe I'm typing your name into a chat room... errrrrr, but okay. Let's.
12:31 < atan> Pfft.
12:32 < justinbeiber> i'm not the justin beiber
12:32 < atan> No no, it's not that I'm happy to be typing it. No no no. You have it all wrong.
12:32 < Rienzilla> server: http://pastebin.com/FV0w3eRu client: client: http://pastebin.com/zJ2V2uma 
12:33 < Rienzilla> and i'd rather have my distribution take care of version updates, unless there is a very compelling reason not to for a specific package. Otherwise it's a maintenance nightmare. 
12:33 < justinbeiber> Rienzilla do you care about security
12:33 < Rienzilla> absolutely, that's one of the reasons
12:34 < justinbeiber> cuz you are using RSA 1024 which even us government says should not be used post 2010
12:34 < justinbeiber> and your using SHA1 160 bit which is cracked for the hash
12:34 -!- justinbeiber [~daniell@vps6794.xlshosting.net] has quit [Read error: Connection reset by peer]
12:34 -!- justinbeiber [~daniell@vps6794.xlshosting.net] has joined #openvpn
12:34 < atan> I see someone didn't have the beiber fever.
12:34 < atan> Err, he's back.
12:34 < justinbeiber> yea
12:34 < justinbeiber> just telling him the facts
12:35 < justinbeiber> he's using insecure SHA1 which is cracked
12:35 < atan> justinbeiber, have you seen the Shaved Beiber firefox extension?
12:35 -!- robuster [~crim@213-142-138-241.reverse.adeox.com] has joined #openvpn
12:35 < justinbeiber> my recommendation RienZilla is add auth SHA512  to your server and client conf
12:35 < justinbeiber> then generate a 2056bit RSA key
12:35 < justinbeiber> then your golden
12:36 < Rienzilla> which fixes my reconnection problem how?
12:36 < justinbeiber> it fixes your lack of security which you don't realise is a problme
12:36 < justinbeiber> using a cracked SHA1 hash is a fail
12:36 < justinbeiber> its cracked and useless
12:36 < justinbeiber> for your other issue i dont know the solution
12:38 < justinbeiber> you said you have persist tun but its not in your server conf
12:38 < justinbeiber> so you do not have persist tun enabled
12:39 < Rienzilla> I don't think the server closes its tun/tap device when one of its clients drops; the device is opened on startup
12:39 < justinbeiber> Sir, you do not have persit tun in your server.conf
12:39 < justinbeiber> add it and try again
12:41 < pyther> ecrist: I'm aware of that it it could be the simpler method, but I like making things complex :)
12:41 < robuster> hello, i installed openvpn on CentOS 5.5, and i got problems using push redirect-gateway, the connection just times out, i did enable packet forwarding by "echo 1 > /proc/sys/net/ipv4/ip_forward" and iptables
12:42 < robuster> and the log (on level 6) appears to say no relevant info
12:42 < justinbeiber> robuster did you setup nat
12:42 < justinbeiber> !linnat
12:42 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
12:43 < robuster> yes i did
12:43 < robuster> iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
12:43 < robuster> this is what i did
12:43 < justinbeiber> ok
12:43 < Rienzilla> I have never used persist-* on the server side of openvpn tunnels and have never had this issue before. I'm not 'adding and trying again' random options to my configuration. Never mind.
12:43 < justinbeiber> you say connection times out, you mean you can't establish a vpn tunnel or you can't for example visit any websites?
12:43 < robuster> i can connect to the vpn perfectly, but i can't tunnel
12:43 < robuster> can't ping google or anything
12:44 < justinbeiber> Reinzilla your welcome, if you don't wish to take free advice then feel free to purchase a closed source vpn technology and pay for commerical support
12:44 < justinbeiber> robuster your iptables what is the default policy for input, forward
12:44 < justinbeiber> is it accept
12:45 -!- krzie [~k@ftp.secure-computing.net] has joined #openvpn
12:45 -!- krzie [~k@ftp.secure-computing.net] has quit [Changing host]
12:45 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
12:45 < robuster> bah i didnt think of that, i bet its my apf firewall doing it
12:45 < robuster> sorry for bothering
12:46 < justinbeiber> best to set default to accept until you know what rules to add to make it work
12:47 < atan> justinbeiber, are you from Schiedam?
12:47 < justinbeiber> what
12:48 < justinbeiber> schiedam?
12:48 < Rienzilla> justinbeiber: I hope you don't mind that I would like to understand _why_ a certain configuration change will help, before entering and running it on my machine. If you're so concerned about security you should certainly appreciate that.
12:48 < atan> Yes, in NL
12:48 < justinbeiber> no
12:48 < qermit> hi, i have problem with openvpn and windows7. When i connect to remote server default route for ipv6 disapears.
12:48 < qermit> I use Router Advertisement (radvd)
12:48 < justinbeiber> i'm in uk
12:48 < justinbeiber> scotland
12:49 < justinbeiber> have a openvpn in holland obv
12:49 < krzie> Rienzilla, commonly people use test-beds for that sort of thing... disable firewalls to prove ovpn setup works, then start adding the layers til you break it
12:49 < Rienzilla> Besides, I've been around in the channel long enough to establish i'm not an idiot, and specifically also not on the topic of openvpn. If you're not willing to give more 'advice' than just shouting config options through the channel and berating people for asking them what they would accomplish with them, then please stay silent, at least to me. 
12:49 < krzie> then they learn why as opposed to being told why
12:50 < krzie> assuming he was talking to you re: firewall
12:50 < justinbeiber> listen to krzie
12:50 < justinbeiber> he's most knowledgable in here
12:50 < Rienzilla> krzie: Yes. And I have exactly this setup in a lot of location, which do not have this issue.
12:50 < krzie> i wouldnt go that far
12:50 < Rienzilla> +s
12:51 < justinbeiber> atan why u so interest where i am
12:51 < justinbeiber> i think every1 in here is connecting via some remote server
12:51 -!- mant1s [~mant1s@76.179.1.48] has joined #openvpn
12:51 -!- mant1s [~mant1s@76.179.1.48] has quit [Changing host]
12:51 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
12:51 < krzie> Rienzilla, did you try disabling the firewall for testing?  (im still not 100% he was talking to you re: firewall)
12:51 < Rienzilla> i have no firewall issue 
12:51 < krzie> ok, my bad ;]
12:51 < qermit> krzie: mabe you know how to fix my problem?
12:51 < justinbeiber> krzie no that was ssomeone else
12:51 < Rienzilla> the vpn setup works, the client just doesn't reconect when the connection drops or when authentication fails
12:52 < justinbeiber> i told him to make default policy to ACCEPT for all chains
12:52 < krzie> Rienzilla, post both configs without comments?
12:52 < justinbeiber> he did the ip forwarding and nat ok so thats the only reason it might not work
12:52 < Rienzilla> 19:32 < Rienzilla> server: http://pastebin.com/FV0w3eRu client: client: http://pastebin.com/zJ2V2uma
12:52 <@ecrist> hey, krzie
12:52 < krzie> qermit, its possible, whats the issue?
12:52 < krzie> moinmoin ecrist 
12:52 -!- mode/#openvpn [-o ecrist] by ecrist
12:53 < qermit> krzie: default route for ipv6 disepears when i connect to server (i use windows7)
12:53 < krzie> qermit, nope, i wont be of use on that one
12:53 < qermit> i use ipv4 client/server
12:53 < krzie> qermit, you're using tap?
12:54 < qermit> i use tun
12:54 < krzie> Rienzilla, i see routed tap, you are doing something with outside routing protocols like ospf or something?
12:54 < krzie> qermit, i have no idea
12:55 < qermit> ok
12:55 < Rienzilla> stp
12:55 < krzie> qermit, you using beta2?
12:55 < krzie> err beta5
12:55 < qermit> no
12:55 < krzie> 2.1.4?
12:55 < qermit> i think it's last stable
12:55 < krzie> pls check
12:55 < krzie> both sides
12:56 < qermit> OpenVPN 2.1.3 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Aug 20 2010
12:56 < krzie> other side too
12:56 < qermit> hmm mabe i upgrade its 
12:57 < krzie> Rienzilla, gotchya
12:57 < ecrist> while it may not directly apply, we require people to use the latest, either beta, git source package (up to a week old) or latest release
12:57 < justinbeiber> how regular are updates to openvpn
12:57 < ecrist> extremely
12:57 < krzie> heh
12:57 < krzie> now, very
12:57 < justinbeiber> think i installed mine around a month ago
12:58 < ecrist> if you're running release, you're probably fine
12:58 < qermit> server - OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
12:58 < justinbeiber> preety nice that its a very active project
12:58 < ecrist> qermit: you're almost two years out of date
12:58 < justinbeiber> would be nice if they add multicore cpu support
12:58 < ecrist> justinbeiber: that's a goal, but extremely difficult to deal with.
12:59 < ecrist> in all likelyhood, it probably won't happen until > 3.0
12:59 < qermit> ecrist: not me, Debian stable is two hears out of date
12:59 < justinbeiber> can't imagine how fast it'd be with an i7 using all cores
12:59 < ecrist> no, debian stable has 2.1.1, iirc
12:59 < ecrist> regardless, we don't support 2.1_rc* anymore
12:59 < pyther> Is snort woth it to put onto a vpn box?
12:59 < justinbeiber> ecrist: as long as it happens eventually
12:59 < Rienzilla> Debian has 2.1_rc11, I'm quite certain
13:00 < qermit> my other server - OpenVPN 2.1.3 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Oct 21 2010
13:00 < krzie> justinbeiber, wont do multi-core til openvpn v3
13:00 < justinbeiber> which is months, years away?
13:00  * ecrist already said that
13:00 < ecrist> justinbeiber: probably over a year away
13:00 < krzie> no time soon
13:00 < ecrist> we're just starting to talk about the restructure of the code
13:01 < justinbeiber> by then we'll all be running 16 core i9's
13:01 < justinbeiber> 8 virtual 8 real
13:01 < ecrist> I think we're planning a 2.4 before a 3 beta is even ready
13:01 < justinbeiber> openvpn on that could probably saturate a T1 line
13:01 < krzie> haha
13:01 < ecrist> openvpn can easily saturate a T1 now
13:01 < krzie> you can already EASILY saturate a t1
13:01 < krzie> t1 is dog slow man
13:01 < krzie> 1.5mbit
13:02 < justinbeiber> perhaps i was thinking T3
13:02 < ecrist> as a matter of fact, on a Pentium 3 I can nearly saturate 10Mbit
13:02 < justinbeiber> which one is 1gibabit
13:02 < Rienzilla> I think you can fill t3 too
13:02 < krzie> ya decent HW should fill up a t3 (45mbit)
13:02 < Rienzilla> my mipses do 10mbit easily
13:02 < Rienzilla> and those are low end cpu's :)
13:02 < justinbeiber> T5 then
13:03 < krzie> but either way, it will be nice to do threading
13:03 < krzie> umm, t5?
13:03 < justinbeiber> yea T5
13:04 < krzie> sorry dude, copper doesnt have a t5
13:04 -!- Bondv6 [db@2a02:20c8:1140:102:1::2] has quit [Read error: Operation timed out]
13:04 < krzie> maybe you mean oc3
13:04 < justinbeiber> http://www.ehow.com/about_6645303_difference-between-t1-t5-line_.html
13:04 <@vpnHelper> Title: What Is the Difference Between a T1 and a T5 Line? | eHow.com (at www.ehow.com)
13:05 < krzie> "T5 lines when fully developed will most likely be available to large companies, mainly due to the high costs that are sure to be associated when purchasing them."
13:05 < krzie> did you read what you linked me to?
13:05 < justinbeiber> yea i didn't say it exists now
13:05 < krzie> lol
13:06 < justinbeiber> by the time openvpn is multi-threaded then it will exist
13:06 < krzie> it wont need to, there is already faster
13:06 < Rienzilla> you can practice to saturate 1GE now
13:06 < Rienzilla> that is faster dan t5
13:06 < krzie> ds* only matters for analog shit now-a-days
13:06 < justinbeiber> dunno how to practice, my server has one xeon core and it always idles even when i'm downloading at 10Mbits/s
13:07 < justinbeiber> so im happy with it
13:08 < justinbeiber> the only area that openvpn can't improve upon is latency
13:08 < justinbeiber> compared to lower level ipsec
13:08 < justinbeiber> but its not really noticable
13:08 < krzie> Rienzilla, im looking at your configs
13:08 < krzie> By default, --resolv-retry infinite is enabled. You can disable by setting n=0.
13:08 < krzie> so that can be removed if you want
13:09 < krzie> try adding a keep-alive to the server
13:09 < krzie> oh wait im blind
13:09 < krzie> its there
13:09 < Rienzilla> the server has a keepalive
13:09 < Rienzilla> yeah
13:10 < justinbeiber> by Rien's own addmission he is running an out of date and hence unsupported client
13:10 < Rienzilla> the weird thing is, I'm using exactly this config on literally dozens of openvpn connections, and they all try to reconnect on a connection failure
13:10 < pyther> I take it an IDS would possibly be able to prevent a client side virus from infecting machines?
13:10 < krzie> oh Rienzilla what versions are each side
13:10 < Rienzilla> Thank you for that constructive remark, justinbeiber 
13:10 < Rienzilla> it's debian stable, so, 2.1_rc11 indeed
13:10 < justinbeiber> tell us the client v
13:10 < krzie> pyther, forget there is a VPN installed, think of it as a network cable, so with that in mind you should be able to answer re: IPS / IDS
13:11 < krzie> Rienzilla, upgrade
13:11 < justinbeiber> he refuses to krzie i suggested it
13:11 < justinbeiber> he says its a maintanence hassel
13:11 < Rienzilla> it is
13:11 < justinbeiber> so he'd rather hassel the support chat
13:11 < justinbeiber> about out-of-date and unsuported software
13:11 < krzie> it is what?
13:11 < krzie> it is 2 years old?
13:11 < krzie> heh
13:11 < krzie> go update
13:12 < Rienzilla> upgrading all deployments to a newer version, not included in the distribution, is a hassle
13:12 < pyther> krzie: ok, genearlly speaking and IDS should be able to protect and possibly prevent a virus attack on other network devices, yes?
13:12 < krzie> debian DOES have newer than 2.1 rc
13:12 < justinbeiber> Rienzilla going to the gym is a hassel but its good for your health
13:12 < Rienzilla> no it does not :-)
13:12 < Rienzilla> at least not in stable
13:12 < krzie> [14:58]  <qermit> server - OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
13:12 < krzie> [14:58]  <ecrist> qermit: you're almost two years out of date
13:12 < Rienzilla> it might have a newer backport
13:12 < krzie> [14:59]  <ecrist> no, debian stable has 2.1.1, iirc
13:12 < krzie> [14:59]  <ecrist> regardless, we don't support 2.1_rc* anymore
13:13 < krzie> put it this way, if your packages are that out of date, you are better off not opening ANY ports to the internet at all
13:13 < qermit> my other server has  OpenVPN 2.1.3 i486-pc-linux-gnu [
13:13 < krzie> since you most likely have quite a few exploitable services
13:13 < justinbeiber> he isn't concenred about security it seems
13:13 < justinbeiber> even using SHA1 for hash
13:13 < Rienzilla> krzie: that's not true. Debian-secutiry fixes security issues in the packages
13:14 < qermit> it behaves in the same way
13:14 < qermit> i upgraded also client ot latest stable version 2.1.3
13:14 < qermit> krzie: ^^
13:14 < krzie> Rienzilla, regardless, we dont support the code you are running
13:14 < Rienzilla> it just has a policy to freeze versions as much as possible in order to prevent new features from doing unexpected things.
13:14 < Rienzilla> that's fine
13:15 < justinbeiber> i think this one is solved
13:15 -!- mrroth [~mrroth@ool-44c07f7c.dyn.optonline.net] has joined #openvpn
13:15 < mrroth> X2 zone, why do I need to create a different zone *ip subnet* for x2 port that connects to the ssl vpn x0 port, are vpn user on a different ip subnet from lan user? is that the norm " 
13:16 < krzie> qermit, thats interesting, there *is* new ipv6 code, i have no idea if that has anything to do with your issue (i dont use ipv6 or windows)... maybe you could make a forum post and ill forward it to someone who knows more about that
13:16 < krzie> !forum
13:16 <@vpnHelper> Server Administration :: DNS problem. Many hours wasted, need help. :: Author Bebop || Server Administration :: Re: DNS problem. Many hours wasted, need help. :: Reply by Bebop || Installation Help :: Openvpn on a public gateway. :: Author CarlC
13:16 < krzie> hah
13:16 < krzie> http://forums.openvpn.net
13:16 <@vpnHelper> Title: OpenVPN Support Forum OpenVPN Support Forum (at forums.openvpn.net)
13:16 < qermit> krzie: i did a test. i forced this virtual interface state to connected media
13:20 -!- Bondv6 [db@2a02:20c8:1140:102:1::2] has joined #openvpn
13:20 < ecrist> !current
13:21 < krzie> !testing
13:21 < Bushmills> pyther: "last thing I need is for a dns request for thepiratebay.org to go through eduaction owned name servers" - that would be a reason to *not* forward requests to your school, but run a recursive name server yourself. 
13:21 <@vpnHelper> "testing" is "snapshots" is (#1) weekly dev snapshots are available from ftp://ftp.secure-computing.net/pub/openvpn, or (#2) by helping test these features, and reporting back on either of the mailing lists, you can help these features become part of the stable branch
13:21 < justinbeiber> i have a Q for u krzie
13:21 < justinbeiber> can i use dh group 18 with openvpn
13:21 < krzie> wanted that ecrist?
13:21 < qermit> it breaks default route 
13:21 < ecrist> no
13:22 < krzie> justinbeiber, openssl handles all encryption, if both sides have openssl which supports it, i would imagine thats fine
13:22 < Bushmills> pyther: difference is, dnsmasq, like other forwarders, will simply forward requests to another server, which resolves then and returns the reply.  a recursive name server wil resolve the requests by itself, only asking authoritative name servers.
13:22 < justinbeiber> ok
13:22 < justinbeiber> and it only slows down the tls handshake once an hour, not any other time?
13:22 < ecrist> !learn current as Our policy is to only support current versions of software.  If your Linux distribution's repository doesn't have the latest, you'll need to compile from source.  See /topic for the latest versions of OpenVPN software (usually at the beginning).  Anything earlier than these, and you'll be REQUIRED to upgrade before we offer assistance.
13:22 <@vpnHelper> Joo got it.
13:23 < krzie> justinbeiber, but it will not help any really
13:23 < krzie> well, wait i may be wrong
13:23 < krzie> i know a tls static key that big wouldnt help, lemme check re: dh
13:23 < justinbeiber> ok
13:24 < justinbeiber> i'm talking about RSA 8192
13:25 < krzie> no you arent, you are talking about 8192 dh
13:25 < mrroth> oh
13:25 < justinbeiber> yea i thought they are preety much the same
13:26 < krzie> RSA = the keys / certs, dh = the random seed
13:26 < justinbeiber> ahh
13:26 < justinbeiber> the default RSA is 2056 i think
13:26 < justinbeiber> then i'm talking about changing that to 8192
13:27 < krzie> you mean 1024 i think
13:27 < justinbeiber> cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
13:27 < justinbeiber> it says 4096 RSA
13:27 < qermit> whoi is developing TAP Adapter for Windows?
13:28 < ecrist> why do you need 8192 bits for your RSA keys?
13:28 < justinbeiber> same reason why if i built a moat to protect my home i'd make it a mile deep
13:28 < justinbeiber> maximum security
13:28 < krzie> keysizes that big have not been tested extensively, and its therefor possible that you introduce something thats breaks down the strength
13:29 < krzie> i do use 4096 personally tho
13:29 < justinbeiber> i just figure it barely even slows down the tls handshake so why not
13:29 < justinbeiber> of course the one time generation takes forever
13:30 < krzie> and i was thinking of the static key
13:31 < krzie> i believe all of your dh file will be used
13:31 < krzie> http://openvpn.net/index.php/open-source/faq/77-server/327-changed-hex-bytes-in-the-static-key-the-key-still-connects-to-a-remote-peer-using-the-original-key.html
13:31 <@vpnHelper> Title: Changed hex bytes in the static key, the key still connects to a remote peer using the original key. (at openvpn.net)
13:31 < ecrist> I moat 1 mile deep around your home is foolish.  Imagine a small landslide near the bottom, and and imagine the affect near the top.  In essence, your house would end up ~5,128 feet below the water line. ;)
13:32 < ecrist> s/^I/A/
13:32 < krzie> ecrist, if i build a moat around my home will you give me fricken sharks with friken "lasers" on their fricken heads?
13:33 < krzie> maybe for xmas!
13:36 -!- atan [~atan@unaffiliated/atan] has quit [Quit: null]
13:36 < ecrist> of course, krzie !
13:36 < justinbeiber> i dont get the argument that becuase its not tested it might introduce weakness
13:36 < justinbeiber> openvpn supports all that openssl can throw at it
13:36 < justinbeiber> so the manual says
13:36 < krzie> right
13:37 < ecrist> do what you want, we're just offering advice
13:37 < krzie> its openvpn with those keysizes that havnt been tested so much
13:37 < krzie> errr
13:37 < krzie> openssl
13:37 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: Connection reset by peer]
13:37 < ecrist> w00t, Tank is a watch instantly on netflix now.
13:38  * ecrist grabs a beer, goes to TV
13:38 < justinbeiber> you pay for netflix
13:38 < krzie> ecrist, that tv would be better used for football man
13:39 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
13:41 < krzie> but ya, time for me to get a lil scripting done before i gotta goto work
13:41 < krzie> bbl
13:51 < justinbeiber> later
13:52 < justinbeiber> btw are you one of the openvpn devs?
13:52 < justinbeiber> just seems like you might be
13:54 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
13:55 < mrroth> hey wha thappens when a road wwarrior has the same subnet as the remote vpn tunnel what if he is setup on a different zone but both remote and local network interface are on the same subnet
13:55 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
13:56 < justinbeiber> bad things
13:56 < mrroth> oh
13:56 < mrroth> even if the VPN interface is on a different subnet from the local network and remote
13:56 < mrroth>  a network 10.10.10.0/24 and a road warrior connects, it has 2 interface normally: the VPN(-tunnel) and its local, normal interface right
14:06 -!- michal` [~michal@rsbac/developer/michal] has quit [Ping timeout: 260 seconds]
14:10 -!- michal` [~michal@www.rsbac.org] has joined #openvpn
14:10 -!- michal` [~michal@www.rsbac.org] has quit [Changing host]
14:10 -!- michal` [~michal@rsbac/developer/michal] has joined #openvpn
14:12 -!- JozoSalt [~daniell@vps6794.xlshosting.net] has joined #openvpn
14:12 -!- justinbeiber [~daniell@vps6794.xlshosting.net] has quit [Read error: Connection reset by peer]
14:12 < Rienzilla> hmm. Can you tell openvpn to bind to a specific interface/ip, but still use a dynamically allocated portnumber?
14:16 < Bushmills> binding to specific interface makes most sense for listener (server) - using dynamic port for initiator (client)
14:17 < Rienzilla> well, it also makes sense for a client with multiply connections to the web
14:17 < JozoSalt> what do you mean dynamically allocated portnumber
14:17 < Bushmills> that's what job of routing, routes table, would be
14:18 < Rienzilla> well, if you tell openvpn to bind to a specific IP, it seems to insist to bind on 1194
14:18 < Bushmills> what would a packet do when client is bound to an interface a packet is not destined to according routing?
14:19 < Rienzilla> uhm, does not compute, what do you mean?
14:19 < Rienzilla> and yes, I intend to configure my routing tables to route everything originating from IP1 to one gateway, and everything originating from ip2 to the oter
14:19 < Bushmills> assuming client was bound to interface - and client now tries to send a network packet which, according routing table, had to be sent through another interface
14:20 < Rienzilla> it won't
14:20 < Bushmills> now if your routing determines what interface a packet goes to - what is the purpose of binding client to an interface?
14:21 -!- lampliter [~esj@c-76-19-126-1.hsd1.ma.comcast.net] has joined #openvpn
14:21 < Rienzilla> beacuse my routing makes that decision based on the packet's source address
14:21 -!- WinstonSmith [~true@g225028053.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
14:21 < Rienzilla> and if I bind to 0.0.0.0, I can't be sure which one it chooses
14:22 < lampliter> this is where I have to admit being not so bright. I have forgotten passwords for half of my certificates. I know I should've written them down but I didn't
14:22 < Rienzilla> (s/which one it chooses/what source address my openvpn-generated packets will have/)
14:23 < lampliter> do any of the passer crackers like John the Ripper or Cain and able work with open VPN certificates?
14:26 < Rienzilla> Bushmills: are you aware of any other way to make sure what application uses what interface as a source?
14:27 < lampliter> I'll assume the silence means no.  Now I get to see if I can remember firewall passwords. Given the memory deficits caused by anesthesia, I'm not betting on it
14:28 < Rienzilla> (silence usually means "i don't know")
14:29 < lampliter> Sorry, speech recognition error
14:29 < Rienzilla> hehe
14:30 < lampliter> hhad a stent put in back in June and my memory is really bad over the summer and I'm mostly recovered but there are black patches
14:30 < lampliter> like trying to remember the domain names for the firewalls
14:31 < lampliter> fortunately the deep skills  are still accessible otherwise I would be really hosed
14:31 < Bushmills> Rienzilla: the very concept of binding a client to an interface, only that routing (by source!) knows what interface to send a packet from client to sounds so alien that i wonder whether you haven't mixed up the concepts of server and client.  what OS are you using?
14:31 < lampliter> you can bind the client to an interface in the case where you have a multi-homed client
14:32 < Rienzilla> linux. Let me explain the setup, I have certainly not mixed up the client and server
14:32 < Rienzilla> lampliter: exactly
14:32 < lampliter> for example, a desktop machine with WiFi and ethernet
14:32 < lampliter> I suspect you try to bind to WiFi?
14:32 < Bushmills> why bind a client to 0.0.0.0 at all, to confuse source based routing, if routing alone could determine what interface to send packets to? 
14:32 < Bushmills> hide interface from client. let routing do the job instead.
14:32 < Rienzilla> Bushmills: if I do not specifically bind to an interface, I will bind to 0.0.0.0
14:33 < Bushmills> which commonly means, any interface
14:33 < Rienzilla> indeed
14:33 < lampliter>  and that works for most clients
14:33 < lampliter> let's say you had a situation like I did recently
14:33 < lampliter> one interface went to my WiFi router which was my normal gateway to the Internet
14:33 < Rienzilla> and on a multihomed client, this means that I have no way of knowing what source address openvpn is going to use for its vpn packet
14:34 < lampliter> the second was to the "lan" end of my voice over IP terminal adapter which was connected to the Internet via the wan interface
14:34 < lampliter> same number of hops but how do you choose?
14:35 < lampliter> Turns out, choices made for you by DHCP. Last packet interface to get an address wins
14:35 < Rienzilla> yep
14:35 < lampliter> unfortunately, whoever comes in last changes
14:35 < lampliter> it also changes every time you get a lease renewal
14:35 < lampliter> so binding to a specific interface makes a tremendous amount of sense
14:35 < Bushmills> Rienzilla: why binding client to 0.0.0.0, rather than not specifying what interfaces to bind client to? 
14:36 < lampliter> I believe there are some client-side options for binding to an interface
14:36 < Rienzilla> Bushmills: I want to bind to an interface, however, openvpn refuses to dybnamically allocate a port when I specify an ip to bind to
14:36 -!- WinstonSmith [~true@dslb-088-074-019-023.pools.arcor-ip.net] has joined #openvpn
14:37 < Rienzilla> it's either bind to specific IP and port, or bind to 0.0.0.0 with a dynamic port
14:37 < Bushmills> using the nobind option for dynamic ports, i assume
14:37 < Rienzilla> well, nobind+local don't work together
14:37 < lampliter> Why do you want to bind to a specific port?
14:37 < Rienzilla> I don't :)
14:37 < Rienzilla> but I have to if I want to bind to a specific IP
14:37 < lampliter> Oh, then why don't you?
14:37 < Rienzilla> because the port may be in use at some time in the future when I want to start my vpn
14:38 < lampliter> Right. Right now, take the path of least resistance
14:38 < Rienzilla> yeah, specify local + port
14:38 < Rienzilla> it will work
14:38 < Rienzilla> but it's not very nice
14:38 < lampliter> let open VPN control the port
14:38 < lampliter> I understand. But your goal is probably to get a job done not mess around with open VPN
14:39 < JozoSalt> can you remname the server port to something other than 'openvpn'... if some1 is sniffing my traffic i'd rather not have a road sign telling them what vpn software i use
14:40 < Rienzilla> lampliter: specifying ip and port is a working workaround. I just wondered whether there was a way to use specific IP bind and random port. Apparently not
14:40 < Bushmills> JozoSalt: the server port is a number, not a name. pick a different port
14:41 < Bushmills> you may have a file on your system which associates port numbers and names. that's a thing local to your machine. changing name there has no effect on the machine of a possible sniffer.
14:50 < Bondv6> heya Rienzilla
14:53 < Rienzilla> yeah Bondv6 
14:53 < Rienzilla> hi
14:53 < Rienzilla> eoffset )
15:06 -!- WinstonSmith [~true@dslb-088-074-019-023.pools.arcor-ip.net] has quit [Ping timeout: 255 seconds]
15:08 -!- lampliter [~esj@c-76-19-126-1.hsd1.ma.comcast.net] has left #openvpn []
15:10 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
15:11 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
15:11 <@vpnHelper> RSS Update - forum: Server Administration :: Server can't reach client's network :: Author thepontifex <https://forums.openvpn.net/viewtopic.php?f=4&t=7412&p=8712#p8712>
15:15 -!- Netsplit *.net <-> *.split quits: Dougy, sht, ^scott^, dogmeat, Visual`, jpalmer, @cron2, no_maam, @openvpn2009, grishnav,  (+35 more, use /NETSPLIT to show all of them)
15:18 -!- Netsplit over, joins: abeehc
15:19 -!- Netsplit over, joins: Antarez
15:20 -!- Netsplit over, joins: Essobi, @openvpn2009, EvilJStoker, @raidz, @cron2, robuster, reiffert, Visual`, takamichi, tjz (+33 more)
15:20 -!- mode/#openvpn [+o patelx] by ChanServ
15:26 -!- WinstonSmith [~true@e179002251.adsl.alicedsl.de] has joined #openvpn
15:45 < JozoSalt>  What strikes me is that most of these predict that 4096 bits
15:45 < JozoSalt> > > > assymmetric (RSA) will be safe for the next 50 years (or thereabouts).
15:45 < JozoSalt> > > > However, the NIST recommends 7680 (for decades?) and even 15360 bits
15:45 < JozoSalt> > > > for RSA (for centuries?).
15:49 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
15:50 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
15:52 < JozoSalt> thx Bushmills
15:52 < JozoSalt> sorry that was accident post
15:53 < JozoSalt> is it possible to chain link openvpn servers? my computer --- server 1 --- server 2 --- internet
15:53 < JozoSalt> using push redirect-gateway so i'm using server 2's internet
15:55 < Bushmills> haven't tried but i don't see a reason why it shouldn't be possible.  server 1 would either run two instance, one client and one server, or, alternatively, server2 would be client to server1, same as your computer.
15:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
15:56 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds]
15:57 < JozoSalt> so i guess there's no tut's out there online i can follow
15:58 < Bushmills> not that i'm aware off. in second case, you'd not use redirect-gateway, but set default gateway on your computer to server2 
15:58 < Bushmills> of
15:59 < JozoSalt> 2nd option seems simpler
16:00 < Bushmills> nod
16:00 < JozoSalt> so its my computer (client 1) --- server ---- (client 2) --- internet
16:00 < Bushmills> right
16:00 < JozoSalt> i guess the server has to decrypt from client 1 then encrypt again before sending on to cilent 2
16:00 < Bushmills> right
16:00 < JozoSalt> k thx
16:04 -!- bauruine [~stefan@178-73-211-157.cust.vpntunnel.org] has quit [Ping timeout: 272 seconds]
16:07 -!- fuho [~fuho@88.103.4.252] has joined #openvpn
16:09 < fuho> Hi everyone, I got a question concerning iptables. trying to get OpenVPN working but client still can't connect, I realised I still didn't run this command: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT -to venet0 but when I do, it returns Bad argument 'venet0', anyone have a clue what am I doing wrong? I tried using IP too.
16:10 < JozoSalt> but thinking about it Bushmills, what we just talked about must be done all the time
16:10 < JozoSalt> its the only way to connect two computers via openvpn
16:11 < JozoSalt> always gotta have a sever in the middle 
16:11 < Bushmills> --to and argument should be address, not an interface
16:12 < fuho> bushmills: I tried it with IP too.
16:12 < Bushmills> JozoSalt: right. otherwise other clients could decrypt your traffic.
16:12 < Rienzilla> --to instead of -to?
16:12 < Bushmills> fuho:  --to, not -to
16:13 < fuho> Bushmills: Wow, jsut did that and no errors, thanks! What is the rule? If the "switcher" is more than one charI have to use -- instead of -?
16:13 < Rienzilla> most arguments to iptables have a long and a short form
16:13 < JozoSalt> but say i want to connect two windows computers together, is it necessary to have a totally seperate server in the middle running on a seperate machine, or can i just install a server and client on one of the windows computer..
16:14 < Bushmills> rule is "as written in documentation"
16:14 < Rienzilla> the long is prepended with --, the short with - (see the manpage)
16:14 < fuho> Bushmills: Ok, but I read the whole man iptables ans still failed :)
16:15 < Bushmills> JozoSalt: either point to point,  or one is server, the other client
16:15 < JozoSalt> so can't have server and client on one physical computer..
16:16 < Bushmills> you can.
16:16 < JozoSalt> oh
16:16 < Bushmills> but why would you want that, when you can avoid that
16:16 < fuho> Bushmills: I am still getting this from client though: Sun Dec 19 23:15:14 2010 VERIFY OK: depth=1, /C=CZ/L=Prague/O=xxx/CN=Oxxxx_CA/emailAddress=xxxxx
16:16 < fuho> Sun Dec 19 23:15:14 2010 VERIFY OK: depth=0, /C=CZ/L=Prague/O=xxxx/CN=server/emailAddress=xxx
16:16 < JozoSalt> umm
16:16 < JozoSalt> afaik you said server is needed in the middle else any client can connect
16:17 < Bushmills> fuho: are you to be congratulated, or to be pitied because of that?
16:17 < JozoSalt> so one of the computers needs a server and client
16:17 < JozoSalt> ahh ok lolz
16:17 < JozoSalt> i get it
16:17 < JozoSalt> one comp can be server the other client and its works fine
16:17 < fuho> bushmills: I guess shouted at.
16:17 < JozoSalt> <--- slow 
16:26 < fuho> I found "VERIFY ERROR: depth=0, error=unable to get local issuer certificate: xxxx" in the OpnVPN log, does it mean that it cant find certificate of the user trying to log in, or server?
16:26 < ecrist> !logs
16:26 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin
16:29 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
16:30 < fuho> !pb
16:30 <@vpnHelper> "pb" is Use our pastebin to post configs and logs at http://openvpn.pastebin.ca rather than posting to the channel.
16:37 < fuho> Okay I got the server log ( http://openvpn.pastebin.ca/2023938 ) and client log ( http://openvpn.pastebin.ca/2023939 ) Can anyone have a look at it and point me in the right direction please?
16:37 <@vpnHelper> RSS Update - pastebin: fuho_client_log <http://pastebin.ca/2023939> || fuho_server_log <http://pastebin.ca/2023938> || fuho_client_log <http://pastebin.ca/2023937>
16:37 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has joined #openvpn
16:37 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has quit [Changing host]
16:37 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
16:38 < ecrist> wtf is going on with butters, krzie?
16:41 -!- JozoSalt [~daniell@vps6794.xlshosting.net] has quit []
16:41 -!- justinbeiber [~daniell@vps6794.xlshosting.net] has joined #openvpn
16:42 -!- justinbeiber [~daniell@vps6794.xlshosting.net] has left #openvpn []
16:43 < fuho> It looks like OpnVPN is looking for client certificate but can't find it, eventhough the certificate .cer and .key are in easy-rsa/keys/
16:44 < ecrist> how does openvpn know to look there?
16:48 < fuho> ecrist: Well I thought it does, does it not? Where can I tell it where to look for client certificates?
16:48 < ecrist> in the config
16:48 -!- bauruine [~stefan@178-73-209-40.cust.vpntunnel.org] has joined #openvpn
16:48 < ecrist> openvpn only knows what is in the config file
16:50 < fuho> ecrist: I set the server certificate and kes and ca.cert in congig, haven't found anything about the folder for client, certificates yet.
16:51 < ecrist> openvpn in server mode doesn't need the client certificates
16:51 < ecrist> it makes sure they were signed by the proper ca
16:51 < ecrist> that is all
16:51 < fuho> ecrist: But why does it ca ca.crt
16:51 < fuho> cert server.crt
16:51 < fuho> key server.key
16:51 < fuho> oops
16:52 < fuho> ecrist: Why does it say Sun Dec 19 23:26:58 2010 us=711454 88.103.4.252:17596 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
16:52 < ecrist> !configs
16:52 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
16:52 < ecrist> !logs
16:52 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin
16:53 < fuho> ecrist I alreade pastebinned logs
16:53  * ecrist doesn't see the link
16:53 < fuho> <@vpnHelper> RSS Update - pastebin: fuho_client_log <http://pastebin.ca/2023939> || fuho_server_log <http://pastebin.ca/2023938> || fuho_client_log <http://pastebin.ca/2023937>
16:54  * ecrist sees it now
16:55 < ecrist> your server is out of date, upgrade it
16:55 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
16:56 -!- robuster [~crim@213-142-138-241.reverse.adeox.com] has quit [Remote host closed the connection]
16:56 < ecrist> your client is also out of date
16:57 < fuho> ecrist: aptitude upgrade dowsnt see any updates
16:58 < ecrist> I don't use aptitude
16:58 < ecrist> !current
16:58 <@vpnHelper> "current" is Our policy is to only support current versions of software. If your Linux distribution's repository doesn't have the latest, you'll need to compile from source. See /topic for the latest versions of OpenVPN software (usually at the beginning). Anything earlier than these, and you'll be REQUIRED to upgrade before we offer assistance.
16:59 < fuho> ecrist: Here is the server.config stripped from comments http://openvpn.pastebin.ca/2023958
16:59 <@vpnHelper> RSS Update - pastebin: fuho_server_config <http://pastebin.ca/2023958>
16:59 -!- Essobi [~Essobi@74-128-72-212.dhcp.insightbb.com] has quit [Ping timeout: 240 seconds]
17:00 < ecrist> !learn current as The current version of OpenVPN can be downloaded from http://openvpn.net/index.php/open-source/downloads.html for RELEASE and BETA versions, and a tarball snapshot of the development tree can be had from ftp://ftp.secure-computing.net/pub/openvpn/
17:00 <@vpnHelper> Joo got it.
17:00 < ecrist> fuho: that post expired or was removed
17:00 < ecrist> nm, I got it now
17:01 < ecrist> on the server, are the ca.crt, server.crt and server.key in the same directory as the server config file?
17:02 < fuho> yes
17:04 < fuho> Well there is one ca.cert in /easy-rsa/keys/ca.cert and its differetn to the on in the directory where config is
17:04  * Rienzilla declares victory
17:04 < ecrist> fuho: that's going to pose a problem if your client certificates are signed by the one in the easy-rsa directory
17:04  * ecrist congratulates Rienzilla 
17:05 < Rienzilla> thank you :)
17:06 < ecrist> fuho: looking at your server log, it seems to be erring due to not finding a valid CA for the certificate presented
17:06 -!- Essobi [~Essobi@74-128-53-127.dhcp.insightbb.com] has joined #openvpn
17:07 < fuho> ecrist: I will move the one from subdirectory to the main dir then
17:08  * ecrist rejoices in the charity
17:12 < fuho> ecrist: But in /easy-rsa/keys/ there is no server.key, so it must be using the right one
17:17 < ecrist> where is your openvpn config file?
17:17 < fuho> ecrist: etc/openvpn/server.conf
17:18 < ecrist> ok, ca.crt, server.crt and server.key need to bein etc/openvpn/ then, or you need to use full paths in your config file
17:18 < fuho> thats where they are
17:19 -!- mikkel [~mikkel@80.71.132.15] has quit [Quit: Leaving]
17:20 < ecrist> you just said your ca.crt is in /easy-rsa/keys
17:21 < fuho> in /easy-rsa/keys/ is another one, a different one
17:21 <@vpnHelper> RSS Update - pastebin: fuho_client_config <http://pastebin.ca/2023974>
17:22 < fuho> and in that folder is only server.crt and ca.crt, no server.key
17:22 < ecrist> which one is use to sign server.crt and your client certificates?
17:22 < ecrist> s/use/used/
17:24 < fuho> I don't really know, but I think the one in main dir, because that ca.cert is the one I copied to client and after that it at leasast printed out those two OK lines
17:25 < ecrist> !verify
17:25 < ecrist> !factoids search verify
17:25 <@vpnHelper> 'tls-verify' and 'certverify'
17:25 < ecrist> !certverify
17:25 <@vpnHelper> "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
17:25 < ecrist> do that
17:28 < fuho> ecrist: I am trying
17:29 < fuho> error 20 at 0 depth lookup:unable to get local issuer certificate
17:30 < ecrist> do you replace <ca.crt> with the full path to the ca.crt and <client.crt> with the full path to server.crt?
17:34 < fuho> yes
17:35 < fuho> ecrist: What about deleting all certifficates ad creating them again? Couldn't that make things easier and less messy?
17:35 < ecrist> try the other ca.crt with one of the client or server certs
17:35 < ecrist> yes, it could
17:35 < fuho> like this: source vars
17:35 < fuho> ./clean-all
17:35 < fuho> ./pkitool --initca
17:35 < fuho> ./pkitool --server server
17:36 < fuho> ./pkitool client_name
17:40 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
17:44 < fuho> ecrist: Okay, I dont know why but now the daemon wont start but doesnt even generate log
17:53 < fuho> ecrist: Okay it didnt want to start probably because there was a client.conf file in the folder too, got rid of the client.conf, copid to main directory newly generated ca.crt, server.crt adnd server.key
17:53 < ChocoCooks> fuho yea multiple client.confs not good
17:53 < fuho> restarted daemon without problem
17:53 < ChocoCooks> what os you running the server on?
17:53 < fuho> Ubuntu 10.04 LTS Server
17:54 < ChocoCooks> ok
17:54 < ChocoCooks> mind if i see your server.conf? pastebin
17:54 < ChocoCooks> just check if its all kosher
17:54 < fuho> Then I copied newly generated ca.cert and client.crt and client.key files to client computer and tried to connect, which still doesnt work but shows different errors now
17:55 < ChocoCooks> what os on client computer
17:55 < fuho> chococooks: no problem I already pasted them, lemme just find the link http://openvpn.pastebin.ca/2023958
17:58 < fuho> ChocoCooks: Win 7
17:58 < ChocoCooks> ok
17:58 < ChocoCooks> when you made the client key and crt
17:58 < ChocoCooks> what name did you give it
17:58 < ChocoCooks> ./build client1 ?
17:59 < ChocoCooks> when u typed the command to build the cert and keys
17:59 < fuho> The client crt and key are in ./easy-rsa/keys/ and they are called amdfu2.crt and key
17:59 < ChocoCooks> ok well i see your problem
18:00 < fuho> Then i typed ./pkitool amdfu2
18:01 < ChocoCooks> pastebin your client.conf
18:01 < fuho> http://openvpn.pastebin.ca/2023974
18:01 < fuho> Its not grepped sorry, cant really do that on W7
18:02 < ChocoCooks> my setup is similar to yours
18:02 < ChocoCooks> got openvpn server on centos, client on win7
18:02 < ChocoCooks> works fine
18:03 < fuho> I must have messed up something in config
18:03 < ChocoCooks> good place to start with config is to use the sample that is given
18:04 < fuho> Here is the GREPed version of client.config http://openvpn.pastebin.ca/2024002
18:04 < fuho> I did use the sample
18:04 -!- p3rror [~mezgani@41.140.101.242] has joined #openvpn
18:04 < fuho> All I changed is 2 lines
18:04 < ChocoCooks> from
18:04 < ChocoCooks> ?
18:04 < ChocoCooks> usr/share/doc/openvpn-2.1.1/sample-config-files/
18:05 < ChocoCooks> ok so you can't even connect via opevpn to the server
18:05 < ChocoCooks> can you pastebin your log
18:05 < ChocoCooks> i assume your using the windows gui client
18:06 < ChocoCooks> i see nothing wrong in your server or conf files
18:07 < fuho> And now I get Cannot connect because your certificateè is not yet valid
18:07 < fuho> wtf?
18:07 < ChocoCooks> if i were you
18:07 < ChocoCooks> i'd go into easy-rsa
18:07 < ChocoCooks> ./clean-all
18:07 < ChocoCooks> start again
18:07 < fuho> I will paste new log so you can see whats happening
18:07 < ChocoCooks> this time
18:08 < fuho> I jsut did that 20 minutes ago, really
18:08 < ChocoCooks> when you build the server key and crt
18:08 < fuho> This what I have here is a step forward already, holdon I will get the logs ready just a sec.
18:08 < ChocoCooks> what common name did you chose
18:08 <@vpnHelper> RSS Update - pastebin: fuho_client_config <http://pastebin.ca/2024002>
18:08 < fuho> server
18:08 < ChocoCooks> ok
18:09 < ChocoCooks> that post not work
18:10 < ChocoCooks> make sure you have ca.crt, ca.key, dh1024.pem, server.crt and server.key   all in /etc/openvpn
18:10 -!- sia^pwnnt is now known as sia
18:10 < ChocoCooks> make sure you have ca.crt, client crt and client key and client.opvn in /programfiles/openvpn/config
18:10 < fuho> Server log : http://openvpn.pastebin.ca/2024010
18:11 < ChocoCooks> are those files in the correct places?
18:11 < fuho> Yes they are
18:11 < ChocoCooks> you did ./build-dh ?
18:11 < fuho> root@vps:/etc/openvpn# ls
18:11 < fuho> backup                ipp.txt               server.crt
18:11 < fuho> ca.crt                openvpn.log           server.key
18:11 < fuho> client.conf.DONOTUSE  openvpn-status.log    ta.key
18:11 < fuho> dh1024.pem            server.conf           update-resolv-conf
18:11 < fuho> down.sh.DONOTUSE      server.conf.DONOTUSE  up.sh.DONOTUSE
18:11 < fuho> easy-rsa              server.conf.original
18:11 < fuho> root@vps:/etc/openvpn#
18:11 -!- fuho was kicked from #openvpn by vpnHelper [Flooding detected. Please use http://openvpn.pastebin.ca for posting logs or configs.]
18:11 < ChocoCooks> ok
18:11 -!- fuho [~fuho@88.103.4.252] has joined #openvpn
18:11 < ChocoCooks> your using ta.key also
18:12 < ChocoCooks> well i see the problem
18:12 < ChocoCooks> at least i see a problem
18:12 < fuho> chococooks: I did not do ./build-dh whats it for?
18:12 < ChocoCooks> your server.conf needs to have tls-auth ta.key 0
18:13 < ChocoCooks> and your client.conf needs to have tls-auth ta.key 1
18:13 < ChocoCooks> if your going to use that secret ta.key 
18:13 < ChocoCooks> i assume you must have run --genkey --secret ta.key
18:14 <@vpnHelper> RSS Update - pastebin: fuho_server_log <http://pastebin.ca/2024010>
18:14 < ChocoCooks> right? thats how u got that ta.key file
18:14 < ChocoCooks> but you didn't add the neccesary lines to your config files to use that
18:14 < ChocoCooks> so either delete ta.key or fix your config files
18:14 < fuho> really I cant remmeber if I ran that :(
18:14 < ChocoCooks> for now just delete ta.key
18:14 < ChocoCooks> you can always add it after you got it working
18:14 < fuho> But I am aediting the config file. So i uncommented the line with tls-auth
18:15 < ChocoCooks> delete it from server and client computers
18:15 < ChocoCooks> lets keep it simple 
18:15 < ChocoCooks> get it running first then you can tweak it for max security
18:15 < ChocoCooks> you dont even know where that ta.key came from
18:15 < fuho> Ok, so I will comment it out again and then delete ty.key
18:15 < ChocoCooks> yep
18:16 < ChocoCooks> delete ta.key from both server and client computers
18:16 < fuho> Well I renaed it to *.DONOTUSE, should be enogh
18:17 < fuho> And it never was on client computer
18:17 < ChocoCooks> what dir is your server.conf file in
18:17 < ChocoCooks> ok well lol.. if you want to use that security feature it needs to be on client computer too
18:17 < fuho> In etc/openvpn/
18:17 < ChocoCooks> ok
18:17 < ChocoCooks> restart openvpn daemon and try to connect again
18:19 < fuho> Ok. It say Unable to connect because your certificate is not yet valid. Check that your system time is correct.
18:19 < ChocoCooks> i'm suprised you don't know what ./build-dh is
18:20 < ChocoCooks> and yet you have the file it creates
18:20 < fuho> I am very new to this whole thing.
18:20 < fuho> Maybe it was copied with the sample config?
18:20 < ChocoCooks> ok please delete all your keys and crts i will tell you exactly what to type to do it properly
18:20 < fuho> okay
18:21 < fuho> I will delete all crt and key files and csr files
18:21 < ChocoCooks> delete from etc/openvpn and in easy-rsa run ./clean-all
18:21 < ChocoCooks> what dir are your keys made in
18:21 < fuho> from main opensll directory and /easy-rsa/keys
18:22 < ChocoCooks> what i do is make a new dir called keys in /etc/openvpn/
18:22 < fuho> They are made in /etc/openvpn/easy-rsa/keys
18:22 < ChocoCooks> ok thats fine doesn't matter where
18:22 < ChocoCooks> just ./clean-all
18:22 < ChocoCooks> you'll have to type . ./vars first
18:22 < ChocoCooks> after you've done clean all
18:23 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
18:23 < fuho> so holdon a sec, I will delete all keys first right, jsut in case
18:23 < ChocoCooks> yep
18:24 < fuho> even csr files, i dont know what they are
18:24 < ChocoCooks> yes
18:24 < ChocoCooks> and the dh1028.pem one
18:24 < ChocoCooks> everything except your server.conf 
18:24 < fuho> that one too? ok
18:24 < fuho> really?
18:24 < ChocoCooks> yes
18:24 < ChocoCooks> you'll make them all again shortly in proper way
18:24 < fuho> but there is buil-key file
18:25 < fuho> build-key-pass file and other
18:25 < ChocoCooks> what dir are you in now
18:25 < ChocoCooks> your in easy-rsa?
18:25 < ChocoCooks> i'm talking about in /etc/openvpn
18:25 < fuho> thats where I am
18:25 < ChocoCooks> delte everything except server.conf
18:25 < ChocoCooks> in /etc/openvpn
18:25 < fuho> root@vps:/etc/openvpn# ls
18:25 < fuho> backup                ipp.txt               server.crt
18:25 < fuho> ca.crt                openvpn.log           server.key
18:25 < fuho> client.conf.DONOTUSE  openvpn-status.log    ta.key.DONOTUSE
18:25 < fuho> dh1024.pem            server.conf           update-resolv-conf
18:25 < fuho> down.sh.DONOTUSE      server.conf.DONOTUSE  up.sh.DONOTUSE
18:25 < fuho> easy-rsa              server.conf.original
18:25 -!- mode/#openvpn [+b *!~fuho@*88.103.4.252] by vpnHelper
18:25 -!- fuho was kicked from #openvpn by vpnHelper [Repeated flooding! You've repeatedly flooded this channel. Please come back later.]
18:26 < ChocoCooks> delete all that junk
18:26 < ChocoCooks> even your .donotuse they are just confusing
18:26 < ChocoCooks> only thing you'll have in /etc/openvpn is your server.conf and the easy-rsa dir
18:26  * krzee pets vpnHelper 
18:27 -!- anonymous [~anonymous@88.103.4.252] has joined #openvpn
18:27 < krzee> really?
18:27 < krzee> ban evasion now?
18:27 < krzee> trying to make it permanent?
18:27 < ChocoCooks> anonymous?
18:28 < anonymous> i didnt really do anything i jsut posted ls from terminal
18:28 < krzee> [16:11]  * vpnHelper has kicked fuho from #openvpn (Flooding detected. Please use http://openvpn.pastebin.ca for posting logs or configs.)
18:28 < krzee> [16:25]  * vpnHelper has kicked fuho from #openvpn (Repeated flooding! You've repeatedly flooded this channel. Please come back later.)
18:28 < anonymous> and it kicked me i am in middle of being helped with opnvpn
18:28 < krzee> it warned you, then it banned you
18:28  * reiffert dislikes bots kicking people.
18:29 < krzee> reiffert, really? i loved it
18:29 < anonymous> look at what i posted, it was jsut from terminal but it hits enter after every line so it looks like i posted 5 times quickly after each post
18:29 < reiffert> krzee: really. yes. I do dislike automatismn doing things.
18:29 < krzee> anonymous, i dont care what it was, it belonged in pastebin
18:29 -!- krzee [krzee@openvpn/community/support/krzee] has left #openvpn []
18:29 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
18:29 < reiffert> 01:25 < fuho> ca.crt                openvpn.log           server.key
18:29 < reiffert> 01:25 < fuho> client.conf.DONOTUSE  openvpn-status.log    ta.key.DONOTUSE
18:29 < reiffert> 01:25 < fuho> dh1024.pem            server.conf           update-resolv-conf
18:29 < reiffert> 01:25 < fuho> down.sh.DONOTUSE      server.conf.DONOTUSE  up.sh.DONOTUSE
18:29 < reiffert> 01:25 < fuho> easy-rsa              server.conf.original
18:29 < reiffert> 01:25 -!- mode/#openvpn [+b *!~fuho@*88.103.4.252] by vpnHelper
18:29 < reiffert> 01:25 -!- fuho was kicked from #openvpn by vpnHelper [Repeated flooding! You've repeatedly flooded this channel. Please come back later.]
18:29 < reiffert> eg it does not kick me.
18:30 < krzee> reiffert, because we specifically gave you privileges 
18:31 -!- mode/#openvpn [-b *!~fuho@*88.103.4.252] by vpnHelper
18:31 < ChocoCooks> reiffert is special because?
18:32  * ChocoCooks wants to be special
18:35 < reiffert> krzee: ohoo, let me paste the manpage
18:35 <@vpnHelper> RSS Update - pastebin: Unnamed <http://pastebin.ca/2024026>
18:35 < reiffert>  /exec -o man openvpn
18:36 < krzee> reiffert has been here helping people for a long time
18:36 < reiffert> !reiffert
18:37 < reiffert> !learn foo as bar
18:37 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
18:37 < reiffert> !whoami
18:37 <@vpnHelper> I don't recognize you.
18:37 < reiffert> it's me!
18:40 -!- WinstonSmith [~true@e179002251.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
18:41 < krzee> anyways
18:41 < krzee> the ban is removed, continue getting help, but learn to use pastebin
18:41 < krzee> !pb
18:41 <@vpnHelper> "pb" is Use our pastebin to post configs and logs at http://openvpn.pastebin.ca rather than posting to the channel.
18:49 -!- Netsplit *.net <-> *.split quits: ping-pong
18:54 -!- Netsplit over, joins: ping-pong
18:58 -!- Bondv6 [db@2a02:20c8:1140:102:1::2] has quit [Quit: Ex-Chat]
18:58 <@vpnHelper> RSS Update - pastebin: Unnamed <http://pastebin.ca/2024037>
19:16 <@vpnHelper> RSS Update - pastebin: Something <http://pastebin.ca/2024048>
19:17 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 265 seconds]
19:36 -!- p3rror [~mezgani@41.140.101.242] has quit [Ping timeout: 240 seconds]
19:49 -!- p3rror [~mezgani@41.140.43.137] has joined #openvpn
19:56 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has quit [Disconnected by services]
19:57 -!- _sht [sht@2607:f0d0:2001:8b::50:1337] has joined #openvpn
20:05 <@vpnHelper> RSS Update - pastebin: fuho_server_log <http://pastebin.ca/2024077>
20:23 -!- Essobi [~Essobi@74-128-53-127.dhcp.insightbb.com] has quit [Ping timeout: 264 seconds]
20:35 <@vpnHelper> RSS Update - pastebin: OS X keychain patch <http://pastebin.ca/2009618>
20:36 -!- batrick [~batrick@nmap/developer/batrick] has quit [Quit: leaving]
20:41 <@vpnHelper> RSS Update - pastebin: Anonymous <http://pastebin.ca/2009607>
20:44 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn
20:55 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
20:55 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
20:55 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
21:06 < ChocoCooks> !linnat
21:06 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
21:12 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Excess Flood]
21:14 -!- LowKey [rhel@unaffiliated/lowkey] has joined #openvpn
21:16 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 260 seconds]
21:16 <@vpnHelper> RSS Update - pastebin: fuho_server_log <http://pastebin.ca/2024104>
21:17 -!- batrick [~batrick@nmap/developer/batrick] has quit [Quit: leaving]
21:19 -!- fuho [~anonymous@64.120.239.172] has joined #openvpn
21:20 < ChocoCooks> ?
21:21 -!- anonymous [~anonymous@88.103.4.252] has quit [Ping timeout: 240 seconds]
21:21 -!- fuho [~anonymous@64.120.239.172] has quit [Client Quit]
21:21 -!- fuho [~anonymous@64.120.239.172] has joined #openvpn
21:29 -!- anonymous [~anonymous@64.120.239.172] has joined #openvpn
21:29 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
21:30 -!- p3rror [~mezgani@41.140.43.137] has quit [Quit: Leaving]
21:33 -!- fuho [~anonymous@64.120.239.172] has quit [Ping timeout: 264 seconds]
21:33 -!- anonymous is now known as fuho
21:40 -!- anonymous [~anonymous@88.103.4.252] has joined #openvpn
21:42 -!- anon_anon_anon [~anonymous@64.120.239.172] has joined #openvpn
21:44 -!- fuho [~anonymous@64.120.239.172] has quit [Ping timeout: 276 seconds]
21:44 -!- anon_anon_anon is now known as fuho
21:45 -!- anonymous [~anonymous@88.103.4.252] has quit [Ping timeout: 240 seconds]
21:52 -!- Klem [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has quit [Ping timeout: 276 seconds]
21:54 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Read error: Connection reset by peer]
21:54 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
21:56 -!- fuho [~anonymous@64.120.239.172] has quit [Ping timeout: 272 seconds]
21:56 -!- Klem [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has joined #openvpn
21:59 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Client Quit]
22:00 -!- asdfsd [~fuho@88.103.4.252] has joined #openvpn
22:00 < asdfsd> test
22:03 -!- pyther [~pyther@unaffiliated/pyther] has quit [Ping timeout: 272 seconds]
22:13 -!- fuho [~fuho@64.120.239.172] has joined #openvpn
22:15 -!- asdfsd [~fuho@88.103.4.252] has quit [Ping timeout: 240 seconds]
22:15 -!- fuho is now known as asdfsd
22:31 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:35 -!- fuho [~fuho@88.103.4.252] has joined #openvpn
22:36 -!- fuho [~fuho@88.103.4.252] has quit [Client Quit]
22:38 -!- asdfsd [~fuho@64.120.239.172] has quit [Ping timeout: 250 seconds]
22:43 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 265 seconds]
23:15 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: client subnet servers cannot connect to vpn server network :: ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7413&p=8713#p8713>
23:40 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
--- Day changed Mon Dec 20 2010
00:02 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
00:02 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
00:02 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
00:14 < krzie> !route_outside_openvpn
00:14 <@vpnHelper> "route_outside_openvpn" is (#1) http://www.secure-computing.net/wiki/index.php/Graph for a cool graph explaining the route you need to add to your gateway, explained better in section: ROUTES TO ADD OUTSIDE OPENVPN in !route, or (#2) you do not need this if the vpn node IS the gateway for its lan
00:20 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
00:21 < ecrist> lol @ irc drama
00:21 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: Re: client subnet servers cannot connect to vpn server netwo :: ... <https://forums.openvpn.net/viewtopic.php?f=15&t=7413&p=8714#p8714>
00:22  * ecrist stopped trying to please everyone, someone will usually not like what we're doing
00:33 < krzie> heh
00:40 <@vpnHelper> RSS Update - pastebin: Anonymous <http://pastebin.ca/2009607>
01:00 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 250 seconds]
01:11 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
01:29 -!- zenmower [clarke187@gateway/shell/devio.us/x-lvnkdrkclfqsuvpw] has joined #openvpn
01:29 < zenmower> hello
01:29 < zenmower> wait i see it in the topic
01:29 < zenmower> lol
01:29 < zenmower> !welcome
01:30 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
01:30 < zenmower> it really is the firewall
01:30 < zenmower> !goal
01:30 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:31 < zenmower> i want openvpn to continue to work with iptables
01:33 < zenmower> !wiki
01:33 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN, or (#2) Official wiki is at https://community.openvpn.net/openvpn/wiki
01:40 < krzie> how does it currently break?
01:42 < zenmower> this is actually more of an iptables issue / question
01:42 < zenmower> it works until i load my config
01:43 < zenmower> i have a rule allowing udp for all on port 1194
01:46 < zenmower> wait i think i know whats wrong
01:50 < krzie> ahh
01:50 < krzie> !man
01:50 <@vpnHelper> "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
01:50 < krzie> see firewall section
01:50 < krzie> theres specifics on iptables
01:53 < zenmower> k
01:53 < zenmower> thanks
01:53 < zenmower> dealing with iptables makes me really appreciate pfw
01:53 < krzie> np
01:54 < zenmower> i think i am on to it
01:54 < krzie> pf or pfw?
01:54 < zenmower> pf
01:54 < krzie> ahh, i agree
01:55 < zenmower> iptables is really unintuitive 
01:55 < zenmower> so i am trying to use this fwbuilder gui
01:55 < krzie> eww
01:56 < zenmower> yeah i haven't had time to read this iptables book
01:56 < zenmower> =\
01:58 < zenmower> all in all openvpn was wicked easy to setup ... you guys have great documentation 
01:58 -!- venom00ut [~wer@net-93-71-34-173.cust.dsl.vodafone.it] has joined #openvpn
01:58 -!- venom00ut [~wer@net-93-71-34-173.cust.dsl.vodafone.it] has quit [Changing host]
01:58 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
02:13 -!- mrroth [~mrroth@ool-44c07f7c.dyn.optonline.net] has quit [Ping timeout: 260 seconds]
02:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
02:26 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
02:34 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:36 < zenmower> got it
02:36 < zenmower> stupid mistake
02:36 < zenmower> forgot to add the tun0 interface
02:42 < Bushmills> it is the firewall
02:51 < krzie> heh
02:55 < zenmower> oh i knew it was
02:55 < zenmower> it was working fine before
02:55 < zenmower> thanks guys... 
02:55 < zenmower> =)
02:56 < krzie> np, you did the lifting =]
02:57 < zenmower> yeah the beta man helped
02:57 < zenmower> now i just gotta nmap the server and make sure everything is working
03:01 < zenmower> later... thanks again
03:02 -!- zenmower [clarke187@gateway/shell/devio.us/x-lvnkdrkclfqsuvpw] has left #openvpn ["Leaving"]
03:02 -!- dazo_afk is now known as dazo
03:14 -!- noisebleed [~quassel@lula.inescn.pt] has joined #openvpn
03:14 -!- noisebleed [~quassel@lula.inescn.pt] has quit [Changing host]
03:14 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
03:15 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
03:23 -!- venom00ut [~wer@net-93-71-34-173.cust.dsl.vodafone.it] has joined #openvpn
03:23 -!- venom00ut [~wer@net-93-71-34-173.cust.dsl.vodafone.it] has quit [Changing host]
03:23 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
03:37 -!- mattock [~samuli@openvpn/corp/admin/mattock] has joined #openvpn
03:37 -!- mode/#openvpn [+o mattock] by ChanServ
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Operation timed out]
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
04:11 -!- sia is now known as sia^pwnnt
04:15 -!- atan [~atan@unaffiliated/atan] has quit [Quit: null]
04:29 -!- common- [~common@p5DDA4ADF.dip0.t-ipconnect.de] has joined #openvpn
04:32 -!- common [~common@p5DDA45ED.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
04:32 -!- common- is now known as common
04:41 <@vpnHelper> RSS Update - forum: Installation Help :: Can connect to server but don't have internet afterwards :: Author hypertyper <https://forums.openvpn.net/viewtopic.php?f=5&t=7414&p=8715#p8715>
05:04 -!- sia^pwnnt is now known as sia
05:07 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
05:10 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
05:14 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has quit [Ping timeout: 265 seconds]
05:14 -!- takamichi [~pri@194.126.175.219] has joined #openvpn
05:14 -!- bauruine [~stefan@178-73-209-40.cust.vpntunnel.org] has quit [Ping timeout: 260 seconds]
05:16 -!- bauruine [~stefan@178-73-209-40.cust.vpntunnel.org] has joined #openvpn
05:17 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
05:17 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
05:17 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:20 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
05:21 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
05:21 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
05:27 -!- smerz [~smerz@smerz.demon.nl] has quit [Remote host closed the connection]
05:28 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
05:40 -!- krzie [~k@openvpn/community/support/krzee] has quit [Remote host closed the connection]
05:41 -!- takamichi [~pri@194.126.175.219] has quit [Ping timeout: 240 seconds]
05:42 -!- krzie [~k@ftp.secure-computing.net] has joined #openvpn
05:42 -!- krzie [~k@ftp.secure-computing.net] has quit [Changing host]
05:42 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
05:42 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has joined #openvpn
05:56 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
06:08 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
06:30 -!- cherva [~cherva@78.128.100.50] has joined #openvpn
06:30 < cherva> How can I see the assigned VPN ip for a client in the status file ?
06:38 -!- janjust [~janjust@ardeche.nikhef.nl] has joined #openvpn
06:38 -!- janjust [~janjust@ardeche.nikhef.nl] has quit [Changing host]
06:38 -!- janjust [~janjust@openvpn/community/support/janjust] has joined #openvpn
06:44 -!- knick_ [~knick@ipd50a9e19.speed.planet.nl] has joined #openvpn
06:44 < knick_> !welcome
06:44 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
06:45 < knick_> !goal
06:45 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:45 < knick_> hm
06:46 < knick_> I'm setting up a VPN for people to remotely connect to it, at this moment i'm testing at LAN. On the server it shows the port is open, and I can Ping the servers host through the other machine I'm testing with. However if I try to connect to it it says: TLS Error: TLS key negotiation failed to occur within 60 seconds
06:47 < knick_> I followed a tutorial - also it asks me for login information, which I don't remember to have created (user/pass). And at this point I have no clue whatsoever of what could be wrong/missing/misconfigured.
06:47 < janjust> goeiemiddag knick_ ; normally a TLS key negotation failure indicates that a firewall/router is blocking traffic
06:48 < janjust> which tutorial did you follow? if you follow the HOWTO on the openvpn.net site you should not end up with a username/password setup
06:48 < knick_> Might the fact that the Client I'm testing with - is in a VM - be a problem?
06:48 < knick_> I've used this: http://www.scribd.com/doc/41831166/Install-Openvpn-on-CentOS-5
06:48 <@vpnHelper> Title: Install Openvpn on CentOS 5 (at www.scribd.com)
06:50 < janjust> I test openvpn regularly from within a VM so it does not have to be the problem
06:50 < janjust> try switching to TCP mode (proto tcp) and see if that helps - just for debugging purposes
06:51 < knick_> sec
06:51 < knick_> If I use server.conf in /etc/openvpn/server.conf .. That should automatically be used, yes? Or should i specify that file on startup
06:51 < janjust> depends on which centos package you're using
06:53 < knick_> used yum
06:53 < knick_> yum install openvpn
06:53 < knick_> Mon Dec 20 13:53:04 2010 TCP: connect to 192.168.2.3:1194 failed, will try again in 5 seconds: No Route to Host (WSAEHOSTUNREACH)
06:53 < janjust> if you grab the one from the rpmforge/epel/dag wieers site then yes, it should automatically pick up the all .conf files from /etc/openvpn at system startup
06:53 < knick_> I've used epel
06:53 < knick_> No route to host ... hmm
06:53 < janjust> the .2.3 address is the server?
06:53 < knick_> yes
06:53 < knick_> for now :)
06:54 < knick_> however port is open: tcp        0      0 0.0.0.0:1194                0.0.0.0:*                   LISTEN      4507/openvpn        
06:54 < janjust> yeah OK ; so the VM client cannot reach tcp port 1194 on the server 
06:54 < knick_> And I can connect to it's ssh
06:54 < knick_> from the vm.. on port 22, so that's kinda bothering me,  heh
06:55 < janjust> try disabling selinux (or set it to permissive mode)
06:55 < janjust> could be that your centos box is not allowing port 1194 without an explicit selinux policy
06:55 < knick_> Wait, just to clarify - 2.3 is the server (centos) - and the client is a windows XP sp3 machine
06:55 -!- pyther24 [~pyther@unaffiliated/pyther] has joined #openvpn
06:56 < knick_> Ah, janjust ;; here's some output from tshark:
06:56 < knick_>   7.492965  192.168.2.4 -> 192.168.2.3  TCP dmidi > openvpn [SYN] Seq=0 Win=64240 Len=0 MSS=1460
06:56 < knick_>   7.492998  192.168.2.3 -> 192.168.2.4  ICMP Destination unreachable (Host administratively prohibited)
06:56 < knick_> I can ping it, though 
06:56  * knick_ scratches head
06:57 -!- zenmower [clarke187@gateway/shell/devio.us/x-lvnkdrkclfqsuvpw] has joined #openvpn
06:57 < knick_> ah, i see something in iptables
06:57 -!- zenmower [clarke187@gateway/shell/devio.us/x-lvnkdrkclfqsuvpw] has left #openvpn []
06:58 < knick_> HA - that worked kinda, janjust -- Only thing is that it says my cert is not yet valid  and I should see if my system time is correct
06:59 < janjust> you can check the dates on your certificates using 'openssl x509 -subject -dates -noout -in <CERT>'
07:00 < janjust> but the date inside a VM is notoriously unreliable 
07:00 < knick_> notBefore=Dec 20 13:31:48 2010 GMT
07:00 < knick_> notAfter=Dec 17 13:31:48 2020 GMT
07:00 < knick_> That should be fine?
07:01 < janjust> well, it's not yet 13:31 GMT :)
07:01 < knick_> ah, GMT
07:01 < janjust> right now it's 13.01 GMT which is 14.01 Dutch time
07:01 < knick_> So - i corrected system time using ntpdate
07:02 < knick_> Can I edit them?
07:02 < knick_> Or do I have to create a new one
07:02 -!- cherva [~cherva@78.128.100.50] has quit [Read error: Connection reset by peer]
07:02 < janjust> you'd have to create a new one or wait for half an hour
07:05 < knick_> K - that fixed now got some other issue
07:05 < knick_> !pastebin
07:05 <@vpnHelper> fuho_server_log || fuho_server_log || Something || Unnamed || Unnamed || fuho_server_log || fuho_client_config || fuho_client_config || fuho_server_config || fuho_client_log || iptables || iptables || Stuff || OS X keychain patch || Anonymous
07:05 < knick_> janjust, http://pastebin.com/4jMm4Ugb
07:07 < janjust> the Heroth_CA cert should be listed as the 'ca ...' cert; you should have another certificate as the server cert ('cert ...' directive)
07:08 < knick_> i have server.crt and ca.crt
07:09 < janjust> try running 'openssl verify -CAfile ca.crt server.crt' 
07:09 < janjust> this should return 'OK'
07:10 < knick_> error 20 at 0 depth lookup:unable to get local issuer certificate
07:10 < knick_> sec
07:10 < janjust> that means the certificate(s) were not generated properly
07:10 < knick_> ,let me remake certs
07:10 < janjust> run 'build-ca' first, then run 'build-key-server server'
07:11 < janjust> (the tutorial is blank for me from page 4 on...)
07:11 < knick_> now it returns OK
07:12 < janjust> now try starting the server again
07:12 < knick_> same thing
07:12 < knick_> i need to make new client certs i think
07:13 < janjust> if you've regenerated the ca.crt and server.crt then you also need to generate a new client cert
07:14 < knick_> hmm
07:14 < knick_> Do you recommend signing the certificates?
07:15 < janjust> you mean the challenge thingie? No
07:15 < knick_> Sign the certificate? [y/n]:
07:15 < knick_> CERTIFICATE WILL NOT BE CERTIFIED
07:16 < janjust> Ah that : yes you MUST sign the cert (with your ca.crt file) otherwise the certificate will never be valid
07:17 < knick_> k, server and client crt now return OK
07:18 < janjust> so what happens when you start the server and client?
07:19 < knick_> server fine, client says VERIFY OK
07:19 < knick_> and then gets connection reset
07:19 < janjust> if you start the server with '--verb 5' you should see some incoming traffic when the client tries to connect
07:19 < knick_> http://pastebin.com/CqpnwFuX
07:21 < janjust> is the server running and listening on tcp port 1194 (netstat --tcp -an | grep :1194) ?
07:21 < knick_> oh woah
07:21 < knick_> sec
07:22 < knick_> janjust, http://pastebin.com/bz3P4u7R
07:23 < janjust> post your client config - the line "192.168.2.4:1288 TLS Error: Auth Username/Password was not provided by peer" points at a config error
07:24 < knick_> janjust, http://pastebin.com/F8NktP17
07:24 < knick_> But that means the sevrer is requesting an user/password authentication?
07:25 < janjust> oh wait - your previoust pastebin was from the server log - yes the server seems to be asking for user/password auth
07:25 < janjust> are any plugins loaded in the server config?
07:26 < knick_> ah wait - i included openvpn-auth-pam.so according to the tutorial - let me take that out
07:26 < janjust> hehe that would do it ;-)
07:26 < janjust> you can use user/password authentication as an extra security measure but it does require all some configuration on the client side
07:27 < knick_> HA
07:27 < knick_> It works!
07:27 < janjust> excellent!
07:28 < knick_> Zo, nu mag ik gaan documenteren, heh.
07:28 < knick_> Thanks a lot! :))
07:28 < janjust> no problem - just buy my book when it comes out :-P
07:28 < janjust> https://www.packtpub.com/openvpn-2-cookbook/book
07:28 <@vpnHelper> Title: OpenVPN 2 Cookbook: RAW Book & eBook | Packt Publishing Technical & IT Book Store (at www.packtpub.com)
07:29 < knick_> cool
07:29 < knick_> bookmarked
07:37 -!- Netsplit *.net <-> *.split quits: ping-pong
07:40 -!- mrroth [~mrroth@ool-185982aa.static.optonline.net] has joined #openvpn
07:42 -!- mrroth [~mrroth@ool-185982aa.static.optonline.net] has quit [Client Quit]
07:44 -!- Netsplit over, joins: ping-pong
07:52 -!- nameless` [~nameless`@lav35-1-82-236-136-20.fbx.proxad.net] has left #openvpn []
08:25 -!- janjust [~janjust@openvpn/community/support/janjust] has quit [Quit: Leaving]
08:28 -!- Jones1 [~Adium@kulnet-nat-2.kulnet.kuleuven.be] has joined #openvpn
08:54 -!- Jones1 [~Adium@kulnet-nat-2.kulnet.kuleuven.be] has left #openvpn []
09:26 -!- [intra]lanman [~lanman@12.200.95.45] has joined #openvpn
09:26 -!- [intra]lanman [~lanman@12.200.95.45] has quit [Changing host]
09:26 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
09:35 -!- mattock [~samuli@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds]
09:36 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:41 -!- bauruine [~stefan@178-73-209-40.cust.vpntunnel.org] has quit [Read error: Operation timed out]
09:57 -!- knick_ [~knick@ipd50a9e19.speed.planet.nl] has quit [Quit: Leaving]
10:20 <@vpnHelper> RSS Update - forum: Configuration :: HELP :: Author kgeklinsky <https://forums.openvpn.net/viewtopic.php?f=6&t=7415&p=8716#p8716>
10:24 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
10:50 -!- michal` [~michal@rsbac/developer/michal] has quit [Ping timeout: 240 seconds]
10:56 -!- michal` [~michal@www.rsbac.org] has joined #openvpn
10:56 -!- michal` [~michal@www.rsbac.org] has quit [Changing host]
10:56 -!- michal` [~michal@rsbac/developer/michal] has joined #openvpn
11:12 -!- brah [~brah@host134.186-109-248.telecom.net.ar] has joined #openvpn
11:23 < ecrist> krzee: 11:22 < wayita> danielsh: I am a bot. I am written in Python, and serve factoids in #svn on freenode. My home is http://repos.borg.ch/svn/wayita/trunk/
11:23 <@vpnHelper> Title: svn - Revision 394: /wayita/trunk (at repos.borg.ch)
11:24 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
11:24 -!- travalas [~travalas@202.84.40.65] has joined #openvpn
11:33 < ecrist> krzee: 11:13 <@danielsh> !a ecrist source
11:33 < ecrist> 11:13 < wayita> ecrist: ayita's source code is at http://hix.nu/svn-public/alexis/trunk/. Ask me about 'wayita source'.
11:33 <@vpnHelper> Title: alexis - Revision 368: /trunk (at hix.nu)
11:40 -!- WinstonSmith [~true@e179006069.adsl.alicedsl.de] has joined #openvpn
11:42 -!- scatterp [~scatterp@87.127.188.177] has joined #openvpn
11:42 < scatterp> !welcome
11:42 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:42 < scatterp> !goal
11:42 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:48 < scatterp> I want to connect to openvpn server that "may be" runing on my brothers ddwrt router from windows 7 i clicked start in the router config there... in windows 7 i downloaded openvpn it gave an error about unsigned drivers i installed again in compatability mode moved the example config in and set the ip to my external ip i get an error: Options error: Unrecognized option or missing parameter(s) in client.ovpn:42: 87.127.188.177 (2.0.9)
11:48 < scatterp> Use --help for more information.
11:52 < travalas> i've got openvpn set up on a NATed xen vm running gentoo. The external ip is forwarded to the vm0. I can connect to the and ping the vm interfaces, however I can't seem to reach any ip addresses not on the vm.
11:53 < Bushmills> what have you configured to allow reaching other addresses than vpn subnet addresses?
11:57 < travalas> i've got a iptables masquerade statement and ip forwarding turned on
11:59 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
12:00 < brah> scatterp: What's on that line?
12:00 < brah> Line 42 of the client.openvpn file.
12:01 < scatterp> sorry for the slow reply brah was reading some report from someone with the same issue in spanish 
12:01 < scatterp> line 42 is:87.127.188.177 1194
12:03 < scatterp> !interface
12:03 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
12:04 -!- WinstonSmith [~true@e179006069.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
12:04 < scatterp> brah would you like me to post the config ?
12:05 < scatterp> http://pastebin.com/g608UKi9 incase you need it 
12:07 -!- krzie [~k@openvpn/community/support/krzee] has quit [Remote host closed the connection]
12:10 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
12:12 -!- imagez [~imagez@static.238.229.4.46.clients.your-server.de] has joined #openvpn
12:16 -!- WinstonSmith [~true@e178178092.adsl.alicedsl.de] has joined #openvpn
12:18 < Bushmills> travalas: what about routing on client?
12:20 < travalas> Bushmills: well i can ping the remote interface, that should mean I have a good route right?
12:21 < Bushmills> no, that means that you have a route to remote interface. that doesn't mean that those non-vm addresses which you want - and can't - reach are routed through openvpn as well.
12:22 -!- scatterp [~scatterp@87.127.188.177] has quit [Ping timeout: 255 seconds]
12:24 -!- scatterp [~scatterp@87.127.188.177] has joined #openvpn
12:24 < scatterp> found the issue needed the word "remote" so im working through the process again
12:25 < travalas> my default on the client is default via 10.9.8.5 dev tun0
12:25 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
12:26 < travalas> i can get to 192.168.1.240 which is the ip address of the vm
12:27 < travalas> i can see outgoing pings on that interface
12:30 < travalas> thanks for the help... I need to get some sleep so I'll have to pick this up another time
12:34 -!- X-Raimo [~asmpub@ppp95-165-241-32.pppoe.spdop.ru] has joined #openvpn
12:34 -!- X-Raimo [~asmpub@ppp95-165-241-32.pppoe.spdop.ru] has left #openvpn []
12:35 -!- dazo is now known as dazo_afk
12:46 -!- scatterp [~scatterp@87.127.188.177] has quit []
12:57 -!- brah [~brah@host134.186-109-248.telecom.net.ar] has quit []
12:59 -!- Essobi [~kstone@pixout.appriss.com] has joined #openvpn
13:02 -!- Essobi [~kstone@pixout.appriss.com] has quit [Client Quit]
13:04 -!- scatterp [~scatterp@87.127.188.177] has joined #openvpn
13:06 < scatterp> i can not get the TAP-Win32 virtual ethernet adapter to install on windows 7 it said it was unsigned ive tried rebooting and using f8 to select no driver signing but no luck also used deseo http://www.ngohq.com/home.php?page=dseo
13:06 <@vpnHelper> Title: Driver Signature Enforcement Overrider 1.3b (at www.ngohq.com)
13:09 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
13:10 -!- bauruine [~stefan@188-126-68-111.cust.vpntunnel.org] has joined #openvpn
13:14 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
13:15 -!- lupine_85 [~lupine_85@unaffiliated/lupine-85/x-7392152] has quit [Quit: ZNC - http://znc.sourceforge.net]
13:16 -!- lupine_85 [~lupine_85@master.lupine.me.uk] has joined #openvpn
13:16 -!- lupine_85 [~lupine_85@master.lupine.me.uk] has quit [Changing host]
13:16 -!- lupine_85 [~lupine_85@unaffiliated/lupine-85/x-7392152] has joined #openvpn
13:17 -!- lupine_85 [~lupine_85@unaffiliated/lupine-85/x-7392152] has quit [Max SendQ exceeded]
13:19 -!- mace [~mace@debian/developer/mace] has quit [Ping timeout: 245 seconds]
13:19 -!- corretico_ [~corretico@201.201.44.82] has quit [Ping timeout: 240 seconds]
13:20 -!- mace [~mace@debian/developer/mace] has joined #openvpn
13:22 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
13:25 -!- lupine_85 [~lupine_85@master.lupine.me.uk] has joined #openvpn
13:32 -!- corretico_ [~corretico@201.201.44.82] has joined #openvpn
13:32 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
13:32 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
13:32 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
13:36 -!- brah [~brah@host134.186-109-248.telecom.net.ar] has joined #openvpn
13:44 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
13:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
13:55 -!- p3rror [~mezgani@41.140.33.245] has joined #openvpn
13:55 <@vpnHelper> RSS Update - forum: Server Administration :: Routing & Load Balancing :: Author Driver <https://forums.openvpn.net/viewtopic.php?f=4&t=7416&p=8717#p8717>
14:05 -!- Essobi [~Essobi@74-128-53-127.dhcp.insightbb.com] has joined #openvpn
14:06 -!- jobicreatingweb [~jobicreat@adsl-159.109.242.53.tellas.gr] has joined #openvpn
14:06 < jobicreatingweb> hi
14:07 < jobicreatingweb> /etc/openvpn/easy-rsa$ ./vars
14:07 < jobicreatingweb> bash: ./vars: Permission denied
14:07 < brah> chmod +x vars
14:07 < jobicreatingweb> why this?
14:07 < jobicreatingweb> ok thanks
14:08 < jobicreatingweb> chmod: changing permissions of `vars': Operation not permitted
14:09 < brah> Uh, are you running an user with enough priviledges?
14:09 < brah> If you're running Ubuntu, do `sudo chmod +x vars`
14:09 < krzie> also
14:09 < krzie> you dont do ./vars
14:09 < krzie> you do . ./vars
14:09 < brah> rather
14:09 < krzie> the leading . is very important
14:09 < brah> ./source vars
14:09 < brah> Wasn't it?
14:09 < krzie> you also dont do ./source
14:09 -!- Essobi_ [~kstone@pixout.appriss.com] has joined #openvpn
14:10 < krzie> source ./vars
14:10 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 240 seconds]
14:10 -!- abeehc is now known as abeehc_
14:10 < krzie> since vars is the file in your dir, not source
14:10 < jobicreatingweb> so i copy the vars into another folder named vars and after i change that
14:10 < krzie> source is a builtin, which is = to .
14:10 < krzie> just follow the directions EXACTLY
14:10 < krzie> !pki
14:10 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was signed
14:10 <@vpnHelper> specially as a server (see !servercert)
14:11 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
14:15 -!- abeehc_ is now known as abeehc
14:20 < jobicreatingweb> i copied the easy-rsa to etc
14:21 < jobicreatingweb> i ./vars that file or the one that is in the /usr/share/doc..... ??
14:24 < jobicreatingweb> can someone help
14:28 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Read error: Connection reset by peer]
14:29 < jobicreatingweb> no one
14:30 < jobicreatingweb> ?
14:33 < Bushmills> i think, seeing the poor response already to earlier questions from you, that some folks have put you on /ignore after your "got down from the trees yet and stop the masturbating cause at the end you will go blind." reaction recently
14:34 < scatterp> here on step 4 http://www.dd-wrt.com/wiki/index.php/OpenVPN#Server_mode_with_Static_Key it says to reboot is there any way to avoid that reboot if i disconnect from my isp they downgrade me 
14:34 <@vpnHelper> Title: OpenVPN - DD-WRT Wiki (at www.dd-wrt.com)
14:36 -!- jobicreatingweb [~jobicreat@adsl-159.109.242.53.tellas.gr] has left #openvpn []
14:36 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit []
15:01 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 265 seconds]
15:17 -!- imagez [~imagez@static.238.229.4.46.clients.your-server.de] has quit [Quit: imagez]
15:18 -!- sia is now known as sia^pwnnt
15:18 < jpalmer> krzie: ping?
15:18 -!- pihhan [~pihhan@pihhan.cipis.net] has joined #openvpn
15:33 < krzee> pong, kinda
15:33 < krzee> make sure you prefix with krzee, im busy in other windows
15:43 -!- benedikt [~benedikt@earth.sudo.is] has joined #openvpn
15:43 < benedikt> Why do i not want openvpn to use TCP rather then UDP?
15:43 < krzee> !tcp
15:43 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
15:46 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
15:47 < benedikt> krzee: seems like i can't avoid it. i think this isp is blocking udp ports (probably all except 80 and some others). I haven't found a working udp port yet though, should test a few others at least
15:49 < benedikt> im also open to ideas about commonly used udp ports not likely to be filtered
15:58 < krzee> SIP/DNS
15:59 < krzee> just look through your services file and guess based on apps that look common if you wanna
15:59 < krzee> you can grep it for UDP
16:05 -!- Essobi_ [~kstone@pixout.appriss.com] has quit [Remote host closed the connection]
16:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
16:22 -!- sedulous [~sed@2001:41d0:2:46c1::1] has quit [Quit: We're all going to die.]
16:34 -!- p3rror [~mezgani@41.140.33.245] has quit [Quit: Leaving]
16:38 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has joined #openvpn
16:38 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has quit [Changing host]
16:38 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
16:41 -!- pihhan [~pihhan@pihhan.cipis.net] has quit [Quit: using sirc version 2.211+KSIRC/1.3.12]
16:42 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 240 seconds]
17:11 -!- WinstonSmith [~true@e178178092.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
17:20 <@vpnHelper> RSS Update - forum: Configuration :: [CLOSED] Re: Need help with my openVPN Configuration :: Reply by ytekght <https://forums.openvpn.net/viewtopic.php?f=6&t=7407&p=8718#p8718>
17:21 < reiffert> benedikt: udp/53?
17:24 -!- WinstonSmith [~true@e177088083.adsl.alicedsl.de] has joined #openvpn
17:26 <@vpnHelper> RSS Update - forum: Installation Help :: Re: Can connect to server but don't have internet afterwards :: Reply by ... <https://forums.openvpn.net/viewtopic.php?f=5&t=7414&p=8719#p8719>
17:42 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
17:47 -!- krzie [~k@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
17:58 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
18:02 -!- le0 [~fin@unaffiliated/le0] has quit [Client Quit]
18:14 <@vpnHelper> RSS Update - forum: Installation Help :: Re: Can connect to server but don't have internet afterwards :: Reply by ... <https://forums.openvpn.net/viewtopic.php?f=5&t=7414&p=8720#p8720>
18:43 -!- s7r [~s7r@95.154.230.49] has joined #openvpn
18:44 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 276 seconds]
18:45 < scatterp>  /tmp/myvpn --dev tap0 --secret /tmp/static.key --comp-lzo --port 1194 --proto udp --verb 3 --daemon
18:45 < scatterp> how can i make that so it binds to only a specific interface or ip ?
18:46 < reiffert> -lport
18:46 < scatterp> i mean instead of listening on 0.0.0.0
18:46 < reiffert> --local ip
18:46 < reiffert> --lport portnum
18:46 < reiffert> see man openvpn
18:46 < scatterp> thanks 
18:47 < scatterp> so  /tmp/myvpn --dev tap0 --secret /tmp/static.key --comp-lzo --lport 123 --local ip 82.123.123.123 --proto udp --verb 3 --daemon
18:47 < scatterp> for example 
18:52 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:56 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
18:56 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
19:22 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
19:59 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 260 seconds]
20:12 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
20:16 -!- WinstonSmith [~true@e177088083.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
20:18 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
20:26 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
20:28 -!- s7r [~s7r@95.154.230.49] has left #openvpn []
20:38 <@vpnHelper> RSS Update - forum: Wishlist :: Re: cryptoapicert and ca :: Reply by patrickovpn <https://forums.openvpn.net/viewtopic.php?f=10&t=7352&p=8721#p8721>
20:46 -!- s2r [~ginlj@190.2.0.105] has joined #openvpn
20:46 < s2r> !welcome
20:46 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:47 < s2r> !howto
20:47 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
20:51 -!- s2r [~ginlj@190.2.0.105] has quit [Ping timeout: 240 seconds]
20:54 -!- s2r [~ginlj@190.2.0.105] has joined #openvpn
20:55 < s2r> !goal
20:55 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
20:56 < s2r> I would like to generate a certificate for the openvpn server, windows 2008. I followed the steps in the readme but the file created by build-key-server.bat has zero filesize.
20:58 < s2r> Also the .crt file generated by build-key.bat have filesize zero.
21:03 -!- s2r [~ginlj@190.2.0.105] has quit [Ping timeout: 260 seconds]
21:04 -!- s2r [~ginlj@190.2.0.105] has joined #openvpn
21:07 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 240 seconds]
21:09 -!- s2r [~ginlj@190.2.0.105] has quit [Ping timeout: 260 seconds]
21:13 -!- s2r [~ginlj@190.2.0.105] has joined #openvpn
21:15 -!- travalas [~travalas@202.84.40.65] has quit [Quit: travalas]
21:20 -!- s2r [~ginlj@190.2.0.105] has quit [Ping timeout: 240 seconds]
21:24 -!- s2r [~ginlj@190.2.0.105] has joined #openvpn
21:24 -!- s2r [~ginlj@190.2.0.105] has quit [Client Quit]
21:27 -!- travalas [~travalas@202.84.40.65] has joined #openvpn
21:51 -!- Klem [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has quit [Ping timeout: 265 seconds]
21:54 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
21:57 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
21:58 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
22:00 -!- pyther [~pyther@unaffiliated/pyther] has quit [Ping timeout: 264 seconds]
22:03 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 260 seconds]
22:03 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
22:06 -!- Klem [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has joined #openvpn
22:13 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
22:24 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
22:37 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:39 -!- Masshuu [~Masshuu@unaffiliated/masshuu] has joined #openvpn
22:40 < Masshuu> Cannot load CA certificate file /etc/openvpn/ca.crt path (null) (SSL_CTX_load_verify_locations) (OpenSSL)
22:43 < Masshuu> i have tripple checked the file exsists. Am i using the wrong file or somthing?
22:47 < ecrist>  ping krzee
22:49 < Masshuu> rebuild the CA cert and stuff and it looks like its working now
23:00 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Excess Flood]
23:00 < ecrist> good to haar, masshuu
23:00 -!- LowKey [rhel@unaffiliated/lowkey] has joined #openvpn
23:09 -!- travalas_ [~travalas@202.84.40.65] has joined #openvpn
23:09 -!- travalas [~travalas@202.84.40.65] has quit [Read error: Connection reset by peer]
23:09 -!- travalas_ is now known as travalas
23:11 < Masshuu> also was having another issue. Of course it was my firewall
23:12 < Masshuu> yall just know
23:12 < Masshuu> are you guys like 
23:12 < Masshuu> reading my mind
23:14 < scatterp> i think everyones sleeping :/
23:14 < scatterp> did you get it working /
23:15 < scatterp> i cant make mine work so i doubt i can be much help 
23:20 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:26 -!- brah [~brah@host134.186-109-248.telecom.net.ar] has quit [Ping timeout: 260 seconds]
23:27 -!- travalas [~travalas@202.84.40.65] has quit [Read error: Connection reset by peer]
23:27 -!- travalas_ [~travalas@202.84.40.65] has joined #openvpn
23:36 -!- corretico_ [~corretico@201.201.44.82] has quit [Ping timeout: 260 seconds]
23:48 -!- corretico_ [~corretico@201.201.44.82] has joined #openvpn
23:48 -!- travalas_ [~travalas@202.84.40.65] has quit [Quit: travalas_]
--- Day changed Tue Dec 21 2010
00:10 -!- no_maam [~no_maam@gate.cdc.informatik.tu-darmstadt.de] has quit [Read error: Connection reset by peer]
00:10 -!- no_maam [~no_maam@gate.cdc.informatik.tu-darmstadt.de] has joined #openvpn
00:35 -!- krzie [~k@ftp.secure-computing.net] has joined #openvpn
00:35 -!- krzie [~k@ftp.secure-computing.net] has quit [Changing host]
00:35 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
00:37 <@vpnHelper> RSS Update - forum: Configuration :: Re: Need help with my openVPN Configuration :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=6&t=7407&p=8722#p8722>
00:55 <@vpnHelper> RSS Update - forum: Configuration :: Static Key Setup & Routing :: Author jmancuso <https://forums.openvpn.net/viewtopic.php?f=6&t=7417&p=8723#p8723> || Off Topic, Related :: Re: JonDo vs OpenVPN - They Claim To Be More Secure :: Reply by krzee <https://forums.openvpn.net/viewtopic.php?f=1&t=7355&p=8724#p8724>
01:31 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
01:56 <@vpnHelper> RSS Update - forum: Configuration :: Need Help with Config :: Author cabbiebro <https://forums.openvpn.net/viewtopic.php?f=6&t=7418&p=8725#p8725>
02:00 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
02:08 -!- Klem [~Klem@82.245.6.195.static.adsl.abo.nordnet.fr] has quit [Remote host closed the connection]
02:26 <@vpnHelper> RSS Update - forum: Configuration :: tls-auth question :: Author perazim <https://forums.openvpn.net/viewtopic.php?f=6&t=7419&p=8726#p8726>
02:28 -!- lupine_85 [~lupine_85@master.lupine.me.uk] has quit [Changing host]
02:28 -!- lupine_85 [~lupine_85@unaffiliated/lupine-85/x-7392152] has joined #openvpn
02:41 -!- ondrejk [ondrej@plox.tor.hu] has joined #openvpn
02:41 < ondrejk> hi, im running openvpn client under nobody user and when i receive "ping restart" from server, my opevnpn crashes because user nobody doesnt have rights for executing /sbin/route del ... how can i bypass that?
02:42 < krzie> persist options
02:42 < ondrejk> i have persist-tun on client ..
02:44 < krzie> hrm all i use is persist-tun / persist-key and i dont get that problem
02:44 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
02:45 < krzie> in fact mine doesnt try to remove the routes
02:45 < krzie> !configs
02:45 -!- dazo_afk is now known as dazo
02:45 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
02:48 < ondrejk> this is server config - http://pastebin.com/V9xEP1Br
02:50 < ondrejk> client config - http://pastebin.com/srpUFLre
02:51 < ondrejk> and when server wants client to restart, client will hang on deleting routes
02:53 < ondrejk> i just found one solution - redefining route command via iproute cmd to sudo /sbin/route ..... but i would like to know if there is better way
03:04 < krzie> also, what version are you using on each side?
03:07 < krzie> do you use selinux?
03:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
03:16 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
03:16 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
03:16 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
03:22 -!- corretico_ [~corretico@201.201.44.82] has quit [Read error: Connection reset by peer]
03:22 < ondrejk> krzie: i dont use selinux
03:23 < ondrejk> krzie: 2.1~rc11-1 on both sides
03:23 < ondrejk> debian lenny
03:23 -!- kyrix [~ashley@mar92-2-82-66-59-1.fbx.proxad.net] has joined #openvpn
03:38 -!- WinstonSmith [~true@g225026067.adsl.alicedsl.de] has joined #openvpn
03:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 240 seconds]
03:43 < krzie> maybe its a bug of some sort, thats a rather old version that has known bugs
03:43 < krzie> thats why it ended up just being an RC ;]
03:43 < krzie> !download
03:44 <@vpnHelper> "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
03:48 < ondrejk> thank you for tip, i will check debian backports
03:48 < ondrejk> is there anything like openvpn bugzilla?
03:48 < ondrejk> so i could search for this issue
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:53 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
03:54 -!- Evet [~Evet@unaffiliated/evet] has joined #openvpn
03:56 -!- d457k [~heiko@vpn.astaro.de] has quit [Remote host closed the connection]
03:57 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 276 seconds]
03:59 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
03:59 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined #openvpn
04:28 -!- juhovh_ [~jvahaher@kekkonen.cs.hut.fi] has joined #openvpn
04:31 -!- common [~common@p5DDA4ADF.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
04:32 -!- Netsplit *.net <-> *.split quits: juhovh
04:34 -!- common [~common@p5DDA4864.dip0.t-ipconnect.de] has joined #openvpn
04:48 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
04:48 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
04:48 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
04:57 -!- lupine_85 [~lupine_85@unaffiliated/lupine-85/x-7392152] has quit [Quit: ZNC - http://znc.sourceforge.net]
05:01 -!- lupine_85 [~lupine_85@unaffiliated/lupine-85/x-7392152] has joined #openvpn
05:02 -!- janjust [~janjust@ardeche.nikhef.nl] has joined #openvpn
05:02 -!- janjust [~janjust@ardeche.nikhef.nl] has quit [Changing host]
05:02 -!- janjust [~janjust@openvpn/community/support/janjust] has joined #openvpn
05:04 -!- janjust [~janjust@openvpn/community/support/janjust] has quit [Client Quit]
05:04 -!- janjust [~janjust@ardeche.nikhef.nl] has joined #openvpn
05:04 -!- janjust [~janjust@ardeche.nikhef.nl] has quit [Changing host]
05:04 -!- janjust [~janjust@openvpn/community/support/janjust] has joined #openvpn
05:18 -!- raomin [~romain@86.66.22.240] has joined #openvpn
05:23 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
05:23 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
05:23 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:30 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
05:38 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
05:38 -!- pa [~pa@host242-12-dynamic.1-87-r.retail.telecomitalia.it] has joined #openvpn
05:38 -!- pa [~pa@host242-12-dynamic.1-87-r.retail.telecomitalia.it] has quit [Changing host]
05:38 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
05:41 -!- pa [~pa@unaffiliated/pa] has quit [Client Quit]
05:42 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
05:42 -!- pa [~pa@unaffiliated/pa] has quit [Client Quit]
05:42 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
05:43 -!- pa [~pa@unaffiliated/pa] has quit [Read error: Connection reset by peer]
05:43 -!- pa [~pa@host242-12-dynamic.1-87-r.retail.telecomitalia.it] has joined #openvpn
05:43 -!- pa [~pa@host242-12-dynamic.1-87-r.retail.telecomitalia.it] has quit [Changing host]
05:43 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
05:46 -!- pa [~pa@unaffiliated/pa] has quit [Client Quit]
05:46 -!- pa [~pa@host242-12-dynamic.1-87-r.retail.telecomitalia.it] has joined #openvpn
05:46 -!- pa [~pa@host242-12-dynamic.1-87-r.retail.telecomitalia.it] has quit [Changing host]
05:46 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
05:59 -!- qermit [~qermit@unaffiliated/pantofel] has quit [Ping timeout: 245 seconds]
05:59 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
06:04 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: Operation timed out]
06:19 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
06:22 -!- qermit [~qermit@unaffiliated/pantofel] has joined #openvpn
06:31 -!- sia^pwnnt is now known as sia
06:34 <@dazo> ondrejk: http://community.openvpn.net/ ... you'll find a bugtracker here
06:34 <@vpnHelper> Title: OpenVPN Community (at community.openvpn.net)
06:38 -!- morbidwar [~ovidiu@81.196.150.82] has joined #openvpn
06:50 -!- noisebleed [~quassel@lula.inescn.pt] has joined #openvpn
06:50 -!- noisebleed [~quassel@lula.inescn.pt] has quit [Changing host]
06:50 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
07:05 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Quit: changing servers]
07:05 -!- LowKey [rhel@unaffiliated/lowkey] has joined #openvpn
07:05 -!- twister004 [~chatzilla@59.90.34.167] has joined #openvpn
07:08 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
07:15 < morbidwar> hello, i have a question
07:17 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Ping timeout: 240 seconds]
07:17 < janjust> hi morbidwar , shoot
07:17 < morbidwar> i have 2 openvpn servers running on the same machine, each have an /24 network, i'm dooing "push "network A /24" on server B and "push "network B /24 on server A
07:18 < morbidwar> i configured 2 pc to connect to the vpn
07:18 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 240 seconds]
07:18 < morbidwar> the problem is from pc A i don't see* pc B
07:19 < janjust> from pc A can you see the VPN server B?
07:19 < janjust> I mean, can you reach the VPN IP address of server B
07:20 < morbidwar> no
07:21 < janjust> OK, let's fix that first before attempting to "see" pc B
07:21 < morbidwar> on the routing table shows me that both networks are routed thru the VPN
07:21 < morbidwar> ok
07:21 < morbidwar> "see" = ping reply
07:21 < morbidwar> both firewalls disabled
07:21 < janjust> yup ; is routing (ip forwarding) enabled on the server machine?
07:22 < janjust> by 2 openvpn servers , are we talking about 2 virtual machines or 2 instances of openvpn ?
07:22 -!- ChocoCooks [~daniell@82-168-191-228.ip.telfort.nl] has joined #openvpn
07:22 -!- ChocoCooks [~daniell@82-168-191-228.ip.telfort.nl] has quit [Client Quit]
07:23 < Evet> anyone knows decent vpn hosting?
07:24 < morbidwar> no i didn't enable routing on the machine
07:24 < morbidwar> 2 instances of vpn
07:24 < janjust> morbidwar: try "echo 1 > /proc/sys/net/ipv4/ip_forward" 
07:24 < janjust> evet: nope, only one I know of is strongvpn.com
07:25 < morbidwar> janjust: thank you very much for your time, i enabled the ip forward and now everything is running good
07:26 < janjust> morbidwar, remember to make this change permanent
07:26 < janjust> change the ip_forward entry in /etc/sysctl.conf
07:26 < morbidwar> it's permanently enabled
07:26 < janjust> excellent, enjoy :)
07:27 < morbidwar> :D thank you
07:46 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Routing & Load Balancing :: Reply by Driver <https://forums.openvpn.net/viewtopic.php?f=4&t=7416&p=8727#p8727>
07:49 -!- mode/#openvpn [+o janjust] by ChanServ
07:50 -!- krzie [~k@openvpn/community/support/krzee] has quit [Remote host closed the connection]
08:01 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has joined #openvpn
08:02 -!- TACPILOT [~tacpilot@c-76-31-248-181.hsd1.tx.comcast.net] has joined #openvpn
08:06 -!- janjust [~janjust@openvpn/community/support/janjust] has quit [Quit: Leaving]
08:08 < TACPILOT> hello .. just trying to understand the relationship between ip's .. (client tun0 has  addr:10.x.x.6     p-t-p:10.x.x.4)   (server     ipp.txt has 10.x.x4)   explantions ??
08:08 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has joined #openvpn
08:09 < TACPILOT> p-t-p:10.x.x.5
08:09 < ecrist> !/30
08:09 <@vpnHelper> "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
08:09 < ecrist> TACPILOT: 
08:10 < TACPILOT> I'll give it a read  
08:10 < TACPILOT> TY
08:10 -!- albech_ [~thomas@119.42.78.122] has joined #openvpn
08:23 <@vpnHelper> RSS Update - forum: Server Administration :: connect from server to client :: Author selcmania <https://forums.openvpn.net/viewtopic.php?f=4&t=7420&p=8728#p8728> || Configuration :: Re: Need help with my openVPN Configuration :: Reply by ytekght <https://forums.openvpn.net/viewtopic.php?f=6&t=7407&p=8729#p8729>
08:28 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
08:29 -!- twister004_ [~chatzilla@117.207.244.132] has joined #openvpn
08:32 < TACPILOT> I am scripting some automation. Is there an openvpn command a client can use that will return its current address ?  or do I need to grep/regex the ifconfig ??
08:32 < ecrist> ifconfig, I think
08:33 < TACPILOT> IC
08:33 -!- twister004 [~chatzilla@59.90.34.167] has quit [Ping timeout: 245 seconds]
08:33 -!- twister004_ is now known as twister004
08:35 < Bushmills> current openvpn address?
08:35 < gladiatr> !topology
08:35 <@vpnHelper> "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
08:40 < TACPILOT> the default config is no issue no worries of running out of addresses. my scripting will simply be registering clients to the server and storing the clients name/ip combo in a DB for future reference
08:41 < TACPILOT> was just looking for the simplest solution to extract the clients specific ip 
08:42 < gladiatr> TACPILOT, are you not using client certs?
08:42 < TACPILOT> though most clients will be linux, I still want to leave the win option open
08:42 < TACPILOT> I am using certs
08:42 < gladiatr> that information is available on the server side
08:42 < gladiatr> or did I miss an important part of what you're inquiring about?
08:43 -!- morbidwar [~ovidiu@81.196.150.82] has quit [Remote host closed the connection]
08:45 < TACPILOT> just trying to find my way arround to the easiest most efficient way getting the client ip at point of registration so i can store it with machine name in a database so when an admin needs to access a specific client he'll know what address to use
08:47 < gladiatr> Hrm... well, the cn of the cert is matched with the IP address of the client in ipp.txt (persistent) and whatever file you have the "status" config directive pointing to
08:49 < gladiatr> You can also leverage the client-connect script hook to capture the connection/user info to... do things with.  I use it to set custom firewall access depending on custom values in the client cert.  It could also be used to make database calls.
08:49 < TACPILOT> sounds like a plan TY all for your help ..  Have Great Day   :D
08:50 < gladiatr> :)  
08:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
08:51 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
08:55 < Bushmills> TACPILOT: why don't you take currently connected clients from openvpn status file?
08:59 < ecrist> he wants to do it from client side, Bushmills 
09:00 < Bushmills> client ip address (openvpn subnet address) is available as environment variable when executing a --up script
09:00 < Bushmills> though there's not much databasing needed for a single connection
09:01 <@vpnHelper> RSS Update - forum: Configuration :: Re: Need Help with Config :: Reply by cabbiebro <https://forums.openvpn.net/viewtopic.php?f=6&t=7418&p=8730#p8730>
09:01 < Bushmills> "getting the client ip at point of registration" sounds like wanting to do that on server.   --client-connect script,   for example
09:03 < Bushmills> though for "when an admin needs to access a specific client he'll know what address to use" would suggest to assign static addresses to clients, and have them resolved by a name server
09:06 < gladiatr> Indeed, but you really don't even need to go that far if you maintain an ipp file.
09:08 -!- [intra]lanman [~lanman@12.200.95.45] has joined #openvpn
09:08 -!- [intra]lanman [~lanman@12.200.95.45] has quit [Changing host]
09:08 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
09:23 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
09:25 -!- twister004_ [~chatzilla@59.90.34.167] has joined #openvpn
09:25 <@vpnHelper> RSS Update - forum: Server Administration :: Re: connect from server to client :: Reply by george <https://forums.openvpn.net/viewtopic.php?f=4&t=7420&p=8731#p8731>
09:26 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 255 seconds]
09:26 -!- twister004 [~chatzilla@117.207.244.132] has quit [Ping timeout: 250 seconds]
09:26 -!- twister004_ is now known as twister004
09:30 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Ping timeout: 260 seconds]
09:30 <@vpnHelper> RSS Update - forum: Server Administration :: Re: connect from server to client :: Reply by selcmania <https://forums.openvpn.net/viewtopic.php?f=4&t=7420&p=8732#p8732>
09:35 -!- albech_ [~thomas@119.42.78.122] has quit [Read error: Connection reset by peer]
09:36 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:47 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
10:00 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Routing & Load Balancing :: Reply by Driver <https://forums.openvpn.net/viewtopic.php?f=4&t=7416&p=8733#p8733>
10:02 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Quit: No Ping reply in 180 seconds.]
10:02 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
10:09 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has quit [Read error: Connection reset by peer]
10:11 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has joined #openvpn
10:27 -!- mikkel [~mikkel@80.71.132.15] has joined #openvpn
10:30 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Excess Flood]
10:30 -!- LowKey [rhel@unaffiliated/lowkey] has joined #openvpn
10:48 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has quit [Quit: Leaving.]
10:55 -!- twister004 [~chatzilla@59.90.34.167] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]]
10:57 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
10:58 -!- krzie [~k@ftp.secure-computing.net] has joined #openvpn
10:58 -!- krzie [~k@ftp.secure-computing.net] has quit [Changing host]
10:58 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
11:04 -!- Chris____ [goose@samson.honk-honk.org] has joined #openvpn
11:05 < Chris____> I'm having a time and a half trying to get windows to use my OpenVPN connection with the GUI application
11:05 < Chris____> I've installed the OpenVPN GUI client, configured it, and it connects successfully, but it doesn't bind to the VPN IP
11:05 < krzie> !redirect
11:05 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
11:05 < Chris____> those are enabled; when I use openVPN in linux it works just fine
11:06 < Chris____> I'm just having issues getting the GUI windows client to work, if anyone has any ideas why I can't get it to flow my traffic through my VPN
11:06 < rjd__> !winroute
11:06 <@vpnHelper> "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access, or (#4) make sure you are running openvpn as admin
11:06 < rjd__> !32
11:06 < rjd__> !30
11:06 < krzie> !/30
11:06 < krzie> ?
11:06 <@vpnHelper> "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
11:07 < krzie> it could be winroute...
11:07 < krzie> have you been looking at your logs?
11:07 < Chris____> perhaps.. so just add the line "route-method exe" to my configuration file?
11:09 < krzie> dunno really, post the logfile
11:09 < krzie> !logs
11:09 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin
11:09 < krzie> prolly dont need server
11:10 < Chris____> mind if I censor the server's identifying info?
11:12 < Chris____> krzie: http://pastie.org/1395504
11:13 < krzie> whoa
11:13 < krzie> update
11:14 < krzie> !download
11:14 <@vpnHelper> "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
11:14 < krzie> your version is years old
11:14 < krzie> oct, 2006
11:14 < Chris____> lol
11:14 < Chris____> that's what I get for using aptitude
11:14 -!- Chris____ is now known as Chris___
11:14 < krzie> aptitude isnt for windows...
11:15 < Chris___> no, my VPN server is Debian
11:15 < Chris___> Lenny
11:15 < krzie> and your client is 2.0.9
11:15 < Chris___> my PC runs two OS's, Debian Squeeze and Win7. Squeeze connects just fine, it's Win7 that's being difficult.
11:15 < Chris___> Oh, my windows client?
11:15 < krzie> your windows client is the log you pasted, and its running 2.0.9, and thats the problem
11:16 < Chris___> http://openvpn.se/download.html
11:16 <@vpnHelper> Title: OpenVPN GUI for Windows (at openvpn.se)
11:16 < krzie> NO
11:16 < krzie> !download
11:16 <@vpnHelper> "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
11:16 < Chris___> is there a newer versio available?
11:16 < Chris___> ooh
11:16 < Chris___> face, meet palm
11:16 < krzie> ;]
11:16 < Chris___> is the beta fine and good to use?
11:17 < Chris___> or should I use stable?
11:17 < krzie> so far so good
11:17 < Chris___> shiny
11:17 <@dazo> Chris___: I'm running beta5 on a couple of (Linux) boxes 
11:17 <@dazo> the more testers, the better .... and the 2.2-RC is coming this Christmas
11:17 <@dazo> I consider beta5 stable
11:17 < krzie> and if it does have any problems, we wont know about them until people like you run it and report on how it runs for ya ;]
11:17 < Chris___> I love Linux <3
11:18 < Chris___> but I can't play StarCraft 2 in it :p
11:18 <@dazo> heh
11:18 < krzie> g'mornin dazo
11:18  * dazo thinks people should stop playing games on Windows and force game developers to discover Linux :-P
11:18 <@dazo> krzie: morning :)
11:18 <@dazo> well ... evening, here :-P
11:19  * Chris___ refreshs whatismyip.com
11:19 < krzie> only game i play is more or less for all major OS except windows
11:19 < Chris___> err, oh yeah
11:19 < gladiatr> krzie, nethack, huh?
11:19 < Chris___> I need to manually assign DNS servers, the ones in my config are broken
11:19 < krzie> [root@backup ~/gametracker]# wc -l gametracker.sh 
11:19 < krzie>      461 gametracker.sh
11:19 < krzie> nope, bash scripting, lol
11:19 < gladiatr> rawr
11:20 < Chris___> can I do that in client.conf ?
11:20 < gladiatr> seksheeee
11:20 < krzie> !pushdns
11:20 <@vpnHelper> "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
11:20 < Chris___> I love you guys
11:20 < krzie> !push
11:20 <@vpnHelper> "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
11:20 < Chris___> can I do multiple dhcp-option DNS a.b.c.d lines?
11:20 < krzie> yes
11:20 < gladiatr> to quote G. Carlin (RIP), exactly what form will this Love take?
11:21 < krzie> however, if the client has <config option> and server pushes something conflicting, client will use what came from server
11:21 <@dazo> By testing openvpn beta/RC and report bugs, I hope :-P
11:21 < Chris___> huh..fail
11:21 <@dazo> (re: form of love)
11:21  * gladiatr chuckles
11:21 < krzie> G carlin was the man
11:21 < gladiatr> indeed
11:22 < gladiatr> !changelog
11:22 <@vpnHelper> "changelog" is http://www.openvpn.net/changelog.html to see the openvpn changelog
11:23  * dazo wonders if that's the old changelog
11:23 <@dazo> okay, it's the 2.1 changelog
11:24 <@dazo> !learn changelog as For OpenVPN 2.2 changelog , see http://www.openvpn.net/index.php/open-source/documentation/change-log/425-changelog-for-openvpn-22.html
11:24 <@vpnHelper> Joo got it.
11:24 <@dazo> !changelog
11:24 <@vpnHelper> "changelog" is (#1) http://www.openvpn.net/changelog.html to see the openvpn changelog, or (#2) For OpenVPN 2.2 changelog , see http://www.openvpn.net/index.php/open-source/documentation/change-log/425-changelog-for-openvpn-22.html
11:24 -!- Evet [~Evet@unaffiliated/evet] has quit [Quit: Leaving]
11:26 -!- kyrix [~ashley@mar92-2-82-66-59-1.fbx.proxad.net] has quit [Ping timeout: 260 seconds]
11:27 < Chris___> still being uncooperative :/ http://pastie.org/1395543
11:27 < Chris___> same issue though, I can't get it to push traffic through the VPN
11:27 -!- dazo is now known as dazo_afk
11:29 < krzie> Tue Dec 21 12:25:37 2010 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
11:29 < krzie> Tue Dec 21 12:25:37 2010 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
11:29 < krzie> !configs
11:29 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
11:29 < krzie> you may continue blocking server ip, it is unimportant in this problem
11:29 < Chris___> server config? or client?
11:29 < krzie> both
11:29 < Chris___> moment
11:31 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
11:34 < Chris___> http://pastie.org/1395571
11:35 < Chris___> err, just noticed the device isn't assigning itself a default gateway. iirc, that's kinda important, isn't it?
11:40 -!- pyther [~pyther@unaffiliated/pyther] has quit [Read error: Operation timed out]
11:40 -!- pyther [~pyther@adsl-99-155-90-130.dsl.bcvloh.sbcglobal.net] has joined #openvpn
11:40 -!- pyther [~pyther@adsl-99-155-90-130.dsl.bcvloh.sbcglobal.net] has quit [Changing host]
11:40 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
11:45  * Chris___ pokes krzie, don't know if you saw the pastie or not
11:45 < krzie> was debugging something
11:45 < krzie> and found the issue :)
11:46 < krzie> (my issue)
11:46 < krzie> ok
11:46 < krzie> server has comp-lzo, client does not
11:46 < krzie> add it to client
11:47 < Chris___> done, still stick in a rut though
11:47 < krzie> new client log
11:47 < krzie> use verb 4 tho pls
11:48 < Chris___> alright, moment.
11:49 < Chris___> krzie: http://pastie.org/1395601
11:50 < krzie> ok that stuff looks fine
11:51 < krzie> try going to http://secure-computing.net/ip.php  does it show server or client IP
11:51 <@vpnHelper> Title: SCN: SCN (at secure-computing.net)
11:52 < krzie> if that doesnt load, try http://173.8.118.210/ip.php
11:52 <@vpnHelper> Title: SCN: SCN (at 173.8.118.210)
11:52 < Chris___> my client IP
11:52 < krzie> gimme client routing table before connecting and after connecting
11:53 < krzie> i think in windows this can be done with route print, if not, netstat -rn
11:53 < Chris___> http://goose.honk-honk.org/files/openvpn.png
11:53 < Chris___> if it means anything at all?
11:53 < krzie> nope, doesnt
11:54 < Chris___> E is for Effort :p
11:54 < Chris___> let me see about that routing table
11:54 < krzie> ;]
11:54 < krzie> i like the ascii tho
11:56 < Chris___> krzie: http://pastie.org/1395616
11:57 < krzie> are you using ipv6?
11:58 < Chris___> Used to be, but I think comcast revoked the beat v6 addresses
11:58 < krzie> gotchya
11:58 < Chris___> yeah, I no longer have my v6 address
11:58 < Chris___> s/beat/beta/
11:58 < krzie> well i dont see why its not working for ya, your routes go over the vpn
11:58 < Chris___> long shot, but I'll disable v6
11:58 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has joined #openvpn
11:58 < secretary_linux> !welcome
11:58 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:58 < secretary_linux> !route
11:59 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:59 < krzie> it would make more sense for the page to not load than for it to say you are connecting from client's IP
12:00 < krzie> Chris___, can you ping 10.8.0.1?
12:00 < secretary_linux> !/30
12:00 <@vpnHelper> "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
12:01 < secretary_linux> !mitm
12:01 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
12:01 < Chris___> krzie: negative
12:01 < krzie> secretary_linux, you may find this interesting as well
12:01 < krzie> !factoids
12:01 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
12:01 < krzie> Chris___, are you logged into the server?
12:01 -!- thelongmile [~thelongmi@cpc1-ely04-0-0-cust70.5-1.cable.virginmedia.com] has joined #openvpn
12:01 < secretary_linux> krzie: thanks!
12:01 -!- thelongmile [~thelongmi@cpc1-ely04-0-0-cust70.5-1.cable.virginmedia.com] has left #openvpn []
12:01 < Chris___> krzie: through the openvpn windows client? yes
12:01 < krzie> secretary_linux, np =]
12:01 < krzie> Chris___, ahhhh, try disabling your windows firewall and re-test
12:01 < Chris___> it should be disabled
12:01  * Chris___ double checks
12:02 < krzie> just for now, you can configure it later
12:02 < krzie> also check any security software
12:02 < Chris___> OH I HATE YOU WINDOWS
12:02 < krzie> !windows
12:02 <@vpnHelper> "windows" is (#1) pcs are like air conditioners, they work fine unless you open windows, or (#2) http://secure-computing.net/files/windows.jpg, or (#3) also, http://secure-computing.net/files/windows_2.jpg
12:02 < krzie> ;]
12:02 < Chris___> well, that didn't fix it either
12:03 < krzie> reconnect to vpn after and see if you can ping 10.8.0.1
12:03 < krzie> thats first step
12:03 < Chris___> windows firewall was disabled in the first place, I found a sub-option that had it set to "Only guard connection: vpn0", and disabled it, but no luck
12:03 < Chris___> still 404's
12:03 < krzie> forget web, try pinging 10.8.0.1 first
12:03 < krzie> until that works, everything else is pointless
12:03 < Chris___> yeah, sorry, that's what I meant
12:04 < Chris___> the 10.8.0.1 ping cannot find destination
12:04 < krzie> comment route-method exe
12:04 < krzie> i dont think you need that in win7
12:04 < krzie> reconnect, rinse/ repeat
12:05 < Chris___> still nothing
12:05 < Chris___> I can ping 10.8.0.6, *my* assigned IP
12:05 < krzie> you still have something filtering
12:05 < krzie> some security software or something
12:05 < Chris___> I would blame my router, except that it works fine in linux
12:06 < krzie> besides, it isnt the router
12:06 < krzie> if the connection *starts* it isnt the router or an in between firewall
12:06 < krzie> since to those devices the entire connection is just a tunnel
12:06 < krzie> however, something on the win machine is filtering
12:07 < krzie> to THAT, the connection is very different, it uses the tun device (named windows tap in windows, but it still does tun)
12:07 < Chris___> http://pastie.org/1395646
12:07 < Chris___> if that means anything
12:07 < Chris___> I'm unsure why it won't assign a default gateway
12:08 < krzie> but it did
12:08 < krzie> oh you mean there
12:08 < Chris___> on line 11 it didn't
12:08 < krzie> its a point-to-point link
12:08 < Chris___> ah
12:08 < krzie> thats part of the !/30 lameness
12:08 < krzie> it was a work-around for windows before they came up with topology subnet
12:08 < krzie> !/30
12:08 <@vpnHelper> "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
12:09 < krzie> !topology
12:09 <@vpnHelper> "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
12:09 < krzie> but thats not your problem here
12:09 < krzie> you have some software filtering
12:09  * krzie looks at part 3 of the topic ;]
12:09 < Rienzilla> :)
12:09 < Chris___> lol
12:09 < Rienzilla> it always is! :)
12:09 < Chris___> that confuses me because I have windows firewall disabled, and _no_ other firewall/antivirus/etc bloatware installed
12:09 < krzie> super extra common
12:10 < krzie> i dont run windows so i cant help on that part so much
12:10 < Chris___> I don't run it often either
12:10 < krzie> but at this point im rather confident its not windows
12:10 < Rienzilla> whats the issue?
12:10 < Chris___> Rienzilla: cannot get my computer to connect to my openVPN
12:10 < krzie> Chris___, repost a new client log please, and client routing table after connecting
12:10 < Chris___> alright, moment
12:11 < krzie> Rienzilla, it connects, but he cant ping the vpn server's vpn ip
12:11 < krzie> Rienzilla, and his linux client on same machine (dual boot or something) can
12:11 < krzie> (or other machine, same lan... something like that)
12:12 < Rienzilla> does a ping end up in the tunnel? (i.e. do vpn packets emitted from the machine?)
12:12 < Rienzilla> s/do/are
12:12 < krzie> good question...
12:12 < krzie> Chris___, change both sides to verb 5, then repost logs... send a ping from client to server before saving the logs for posting
12:12 < Rienzilla> (it might be an overlapping ip range used for tunnel and lan)
12:12 < Chris___> http://pastie.org/1395657
12:12 < Chris___> d'oh
12:12 < krzie> thats for helping to diagnose firewall issues
12:13 < Chris___> ok, just give me a minute to grab a snack first :p
12:13 < krzie> oh ok
12:13 < krzie> you need route-method exe after all
12:13 < krzie> uncomment that as well
12:14 < Rienzilla> the route to the vpn is not being added it seems?
12:14 < krzie> it was before
12:15 < krzie> i had him comment route-method exe cause i thought only XP needed it (was wrong)
12:15 < Rienzilla> ok
12:15 < Chris___> uncomment, rinse, repeat?
12:15 < krzie> yepyep
12:15 < Rienzilla> btw
12:15 < krzie> but use verb5 etc
12:15 < Rienzilla> is this win 7 or vista?
12:15 < Chris___> win7
12:16 < Rienzilla> are you running openvpn as admin?
12:16 < Rienzilla> otherwise it will refuse to alter network settings
12:16 < Chris___> yes
12:16 < Rienzilla> ok
12:16 < krzie> it was all adding right before i had him remove that line
12:16 < Rienzilla> ok
12:18 < Chris___> ok, on verbosity 5:
12:18 < Chris___> http://pastie.org/1395667
12:18 < krzie> we needed the ping before you saved the log
12:18 < krzie> it would show RWRWRW
12:20 < Rienzilla> a packet dump on the receiving vpn host may work as well
12:20 < Rienzilla> (althoguh that may run into firewall nonsense :))
12:20 < krzie> tru
12:21 < krzie> openvpn logfile while pinging will likely show WWWWWW
12:21 < krzie> with no R
12:21 < krzie> is that what you are seeing Chris___...?
12:21 < Rienzilla> well then the pings are sent into the tunnel
12:21 < Chris___> let me check
12:21 < Rienzilla> ...and the issue is not on this host 
12:22 < krzie> Rienzilla, other clients work
12:22 < krzie> its only his windows box that has an issue
12:22 < krzie> then again i didnt test that, took his word on it
12:22 < Rienzilla> wehave to :)
12:22 < Chris___> heh
12:23 < Chris___> I'm about to just give on on VPN in windows
12:23 < Chris___> you guys are really helpful, but I've spend an hour at least so far on this
12:23 < krzie> s/on on VPN/up on/
12:23  * Rienzilla has the feeling this is going to turn out tot be a very simple doh!-type mistake :D
12:23 < Chris___> so, I'm looking for a log file with ping results
12:23 < krzie> only an hour?
12:23 < gladiatr> lol
12:23 < Chris___> on the server? or the client?
12:23 < krzie> on the client, which is verb 5
12:24 < krzie> when you ping the server from the client
12:24 < Chris___> alright
12:24 < krzie> you SHOULD be seeing RWRWRW
12:24 < Chris___> moment
12:24 < krzie> you are likely seeing WWWWW
12:24 < rjd__> that means read write read write?
12:24 < gladiatr> (it is pitch black.  you might be eaten by a grue...)
12:25 < krzie> rjd__, yep
12:25 < krzie> lol gladiatr is that from a mudd?
12:25 < Chris___> krzie: I'm not seeing any R's or W's in the client log
12:25 < Chris___> (during/after ping 10.8.0.1)
12:25 < Rienzilla> then either verb is not 5, or were not sending packets into the tunnel
12:26 < krzie> Chris___, how about during pinging 10.8.0.6 from server?
12:26 < Chris___> I'll restart the client just to be safe
12:26 < gladiatr> krzie, Zork!  The original single player MUD :)
12:26 < Chris___> krzie: fails to ping
12:26 < krzie> hey Chris___ you arent using the same keys on this client as are currently in use by another client
12:26 < krzie> right>
12:26 < krzie> s/>/?/
12:26 < Chris___> currently? no
12:26 < gladiatr> http://en.wikipedia.org/wiki/Grue_%28monster%29
12:26 < Chris___> it's the same keys for this machine
12:27 <@vpnHelper> Title: Grue (monster) - Wikipedia, the free encyclopedia (at en.wikipedia.org)
12:27 < krzie> ok good
12:27 < Chris___> but it's either being used in linux or windows
12:27 < Chris___> not both at the same time
12:27 < krzie> gladiatr, lol right on
12:27 < krzie> Chris___, im sticking to my story, i believe something on the windows machine is filtering packets
12:27 < Chris___> probably
12:28 < Chris___> since the same machine booted in linux works fine
12:28 < Chris___> well, to hell with it, I'll reboot in linux since the only time I'm in windows anyways is to play starcraft 2 or use Nero
12:28 < Rienzilla> bah
12:28 < Chris___> thanks for your help guys, you were a lot more helpful than a lot of other help channels
12:28 < Rienzilla> i wanna know the issue
12:28 < Rienzilla> :)
12:28 < gladiatr> out of curiosity, is this basically the same config as in Linux except for s/tun/tap and the appropriate forward slash -> backslash nonsense?
12:29 < krzie> gladiatr, you use tun in windows too
12:29 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has joined #openvpn
12:29 < krzie> the tap device does tun, tap is just the windows name for the interface
12:29 < gladiatr> did i get that backwards?
12:29 < grendal_prime> hey guys...girls..
12:29 < Rienzilla> s/dev/dev-node .aybe :)
12:29 < Rienzilla> hello
12:29 < gladiatr> hiya grendal
12:30 < krzie> dev-node is needed when renaming, but thats true in both OS
12:31 < Rienzilla> is that so? Iirc it;s dev and dev-type in linux and dev-node and dev-type in windows
12:31 < grendal_prime> someone asked me the other day if this vpn could be used in the same fashion as ssl.  Like without having to distribute keys to the users.  So that so long as someone knows the ip and port then can connect and the key is simply dished out to the client at the time of request. (like for anonbrowsing or something like that)?
12:31 < grendal_prime> seems like i remember reading of a method of doing that. But wasnt sure.
12:32 < gladiatr> grendal_prime, I don't use it that way, but I'm pretty sure there are docs on the community site for setting up openvpn to use user/password authentication w/out a client certificate.
12:32 < jpalmer> quick question.    when an openvpn client gets disconnected for any reason (loss of network connectivity or whatever)   does the route get deleted?  I've tried a ton of things to execute a script everytime a client reconnects,  but aven't found anything useful yet (the script needs to run on the client,  so client-connect isn't an option)
12:32 -!- mattock [~samuli@openvpn/corp/admin/mattock] has joined #openvpn
12:32 -!- mode/#openvpn [+o mattock] by ChanServ
12:32 < krzie> grendal_prime, you could use password auth instead of certs, or you could just not require a cert at all
12:33 -!- goose [~goose@samson.honk-honk.org] has joined #openvpn
12:33 < krzie> jpalmer, you want up-restart
12:33 < krzie> runs the up script upon restarts
12:33 < goose> yep, it works just fine in linux still
12:33 < krzie> the up script can tell if its running on restart or initial start
12:33 < grendal_prime> krzie you ever tie that into a database on the backside?
12:33 < krzie> grendal_prime, nope
12:33 < grendal_prime> for the username and pass that is
12:33 < goose> although I would like to bind it to a different IP address for rDNS reasons
12:33 < krzie> however,
12:34 < krzie> !dazo
12:34 <@vpnHelper> "dazo" is "eurephia" is http://www.eurephia.net/
12:34 < krzie> that does
12:34 < krzie> ^ @grendal
12:34 < krzie> I WANNA SPEAK TO SAMSON!
12:34 < krzie> goose, 
12:35 < krzie> !linnat
12:35 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
12:35 < krzie> see #2
12:36 < krzie> grendal_prime, i woulda typed !eurephia above, but i can never remember how to spell that thing
12:36 < grendal_prime> na you got it right enough
12:36 < grendal_prime> looks good thanks man
12:36 < krzie> np
12:38 < goose> krzie: the iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to command, it that used on my client, or the server?
12:38 < jpalmer> krzie: up-restart from the description sounds like it'd be called in the case of something like sending openvpn a HUP.   it'd also be called in the case of a disconnect/reconnect even if client itself wasn't restarted?  (I'm thinking short network hiccups)
12:39 < krzie> goose, server, that is who does the NAT in redirection setups
12:39 < goose> makes sense
12:39 < krzie> jpalmer, if you look in the manual it says ping-restart would trigger it
12:40 < jpalmer> I saw that earlier,  it dodn't seem right,  but I'll doublecheck.
12:40 < goose> krzie: that won't mess with the rest of my eth0 traffic, and only reroute the VPN tunnel?
12:40 < jpalmer> krzie: did you ever get that check?
12:40 < krzie> jpalmer, btw did you ever talk to your company re: me?
12:40 < krzie> whoa, jinx!
12:40 < jpalmer> gmta
12:40 < jpalmer> and by your question, I'm guessing that is a no.
12:40 < krzie> correct, afaik
12:40 < krzie> unless ecrist forgot to tell me ;]
12:41 < jpalmer> I'll check with ecrist before ruffling any feathers here.
12:41 < ecrist> what did I do?
12:42 < |Mike|> everything. :p
12:42 < ecrist> shit
12:42 < gladiatr> except that
12:42 < ecrist> was a check headed my way?
12:44 < krzie> paypal i think was all i gave them
12:44 < krzie> the one from !donate
12:45 -!- brah [~brah@host134.186-109-248.telecom.net.ar] has joined #openvpn
12:49 < jpalmer> krzie: here is what I have happening.  right now I have an up-script.  but,  occasionally the client gets disconnected (for as little as a couple seconds) then reconnects on its own (no manual intervention)  when it does,  it fouls up the up-script.   I'm looking for a way to restart that script, upon a reconnect for *any* reason.  ip-change doesn't work, as they all get static IP's
12:50 < jpalmer> ecrist: I'll get with our accounting dept and see why the donation wasn't made.
12:50 < krzie> it reconnects because of --keepalive im guessing, the log would say its done by ping-restart
12:50 < ecrist> ah, ok.
12:50 < ecrist> I didn't know one was coming.
12:50 < krzie> up-restart can be told to operate different if its a restart than init
12:51 < krzie> ecrist, you did long ago, but its been forever
12:51 < krzie> jpalmer, speaking of which, how did the setup go?
12:51 < ecrist> oh, ok
12:51  * ecrist checks, to be sure
12:53  * krzie picks up Bushmills and carries him around the channel
12:53 < krzie> im proud of my latest shell script
12:54 < ecrist> nope, nothing in paypal.
12:54 < krzie> his company wanted to W-9 me for $150, lol
12:55 < krzie> im like... i dont live in usa, i dont pay taxes to any country, and i dont give my docs
12:55 < krzie> lol
12:56 < krzie> i dont believe in paying taxes to usa especially ;]
12:56 < krzie> the federal reserve doesnt deserve my $
12:57 < krzie> (thats where an amount roughly = to the federal income tax take-in goes)
13:01 < jpalmer> krzie: the setup is still lab-only, but seems to be working well.
13:01 < jpalmer> would the "ping restart" message be in the server log, or client log?  I'm not seeing it?
13:02 < krzie> client log would say
13:02 < krzie> Tue Dec 21 12:54:30 2010 [server] Inactivity timeout (--ping-restart), restarting
13:02 < krzie> Tue Dec 21 12:54:32 2010 TCP/UDP: Closing socket
13:02 < krzie> Tue Dec 21 12:54:32 2010 SIGUSR1[soft,ping-restart] received, process restarting
13:02 < krzie> Tue Dec 21 12:54:32 2010 Restart pause, 2 second(s)
13:02 < krzie> (my server is named "server"
13:02 < krzie> )
13:02 < jpalmer> krzie: thanks.  let me doublecheck.
13:03 < krzie> np
13:03 < jpalmer> no such log.
13:03 < krzie> then im interested in knowing why your vpn restarts
13:03 < jpalmer> I honestly think this is only happening occasionally,  during network hiccups.  it only happens once every few weeks.
13:03 < krzie> you sending it a signal?
13:05 < jpalmer> no signals.  I think it's due to a routing issue or something occasionally.   or,  maybe the hospitals are flushing firewall states or something occasionally..  causing connections to drop for a few seconds.
13:05 < krzie> but the restart should still come from keepalive, which is ping-restart
13:09 < ecrist> for $150 they wanted to w9?  that's not required in the US until $600
13:10 < ecrist> not required at all internationally.
13:10 < ecrist> I could have sent them an invoice...
13:10 < ecrist> no big deal
13:11 < krzie> i thought it was 500 in usa
13:11 < krzie> its been awhile tho
13:11 < krzie> hard to believe i been gone over 3.5 yrs
13:11 < krzie> (until you hear my spanish, lol)
13:15 < jpalmer> sorry for slow responses.  in a meeting.
13:17 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
13:22 <@vpnHelper> RSS Update - forum: Forum & Website Support :: avahi-autoipd breaks openvpn client routes :: Author xtronics <https://forums.openvpn.net/viewtopic.php?f=30&t=7421&p=8734#p8734>
13:25 < jpalmer> ok,  no ping restart at all listed in logs for client or server
13:32 -!- goose [~goose@samson.honk-honk.org] has quit [Quit: God doesn't send firemen to hell; if he did, he knows we'd just put it out!]
13:45 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
13:46 <@vpnHelper> RSS Update - forum: Scripting and Customizations :: New user question :: Author martienne <https://forums.openvpn.net/viewtopic.php?f=15&t=7422&p=8735#p8735>
13:55 < jpalmer> sorry,  back now.
14:01 < ecrist> krzie: btw: http://www.secure-computing.net/wiki/index.php/FreeBSD/LiveCD
14:01 <@vpnHelper> Title: FreeBSD/LiveCD - Secure Computing Wiki (at www.secure-computing.net)
14:01 < ecrist> ;)
14:03 < gladiatr> oooo
14:04 -!- macrofix [~chatzilla@183.83.253.50] has joined #openvpn
14:04 < macrofix> !welcome
14:04 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:05 < ecrist> would be really easy to add openvpn for a client or server to that, fwiw
14:05 < macrofix> !goal
14:05 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:08 < gladiatr> ecrist, was just thinkin' that...
14:10  * gladiatr <3's him some FreeBSD
14:10 -!- FSprofi [~chatzilla@77.119.217.43.wireless.dyn.drei.com] has joined #openvpn
14:11 < FSprofi> !welcome
14:11 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
14:11 < FSprofi> !goal
14:11 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:12 < ecrist> give that a shot, gladiatr.  I just tweaked that writeup as I built an updated live cd for $job
14:13 < gladiatr> I will.  I'll start the build before I pass out tonight.
14:13 < FSprofi> i have a openvpn server with no port restrictions. a client pc is behind a http proxy, but some ports are available, can udp work for this, or do i need to switch to tcp?
14:16 < ecrist> heh
14:25 < krzie> http proxy, give it a lil thought ;]
14:26 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
14:26 < krzie> do you think the http proxy would be made for passing tcp or udp traffic?
14:26 < krzie> and with that, bbiaf
14:26 -!- krzie [~k@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
14:29 -!- svirfneblin [~user@i.dont.get.mad.i.get.stabby.net] has joined #openvpn
14:33  * ecrist is considering a FreeBSD openvpn livecd
14:33 < ecrist> both a client mode and server mode, likely to be configured on menu choice at boot
14:33 < ecrist> maybe a bridged-mode VPN with static keys, which you enter, manually upon startup
14:34 < ecrist> could be a fun project.
14:35 < gladiatr> indeed.  fun and useful
14:36 -!- macrofix [~chatzilla@183.83.253.50] has quit [Ping timeout: 265 seconds]
14:36 < ecrist> maybe configure it to setup IPv6 link local, or some other ethernet-level IPv6 network.
14:36 < gladiatr> never know when you might want to get a pangeic Duke Nuke'em party going.  "Burn this. Boot this. Let's raaaawwk!"
14:37 < ecrist> lol
14:37 < ecrist> it could be a pretty epic live cd, if done right
14:37 < ecrist> I think I'll start that project next week.
14:37  * ecrist goes on vacation starting thurs till Jan 3
14:38 < gladiatr> so we should hear something from you after you get back from frolicking in the tropics?
14:38 -!- batrick [~batrick@batbytes.com] has joined #openvpn
14:38 -!- batrick [~batrick@batbytes.com] has quit [Changing host]
14:38 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn
14:39 < ecrist> a rudimentary version could be done in < 6 hours, I think
14:40 -!- batrick [~batrick@nmap/developer/batrick] has quit [Client Quit]
14:41 < gladiatr> I miss play time.  Chrononazis should all be drowned
14:41 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:46 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 260 seconds]
14:47 -!- batrick [~batrick@batbytes.com] has joined #openvpn
14:47 -!- batrick [~batrick@batbytes.com] has quit [Changing host]
14:47 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn
14:49 < krzee> tropics!?
14:49 < ecrist> no
14:49 < krzee> you coming my way ecrist?
14:49 < ecrist> staying in MN
14:49 < krzee> oh =/
14:49 < ecrist> heh, if I was heading your way, I'd for sure let you know before hand.
14:49 < ecrist> my uncle-in-law lives where you do
14:50 < krzee> ya man, air mattress is yours
14:50 < ecrist> so long as by 'air mattress' you mean that cute 5'4" brunette. ;)
14:51 < krzee> glad you didnt say blond or redhead
14:51 < krzee> they dont exist here
14:52 < gladiatr> krzee, live in a town populated with goth chicks, huh?
14:52 < krzee> heh, not quite
14:54 < krzee> vivo en otro pais donde me llaman "rubio" porque mi piel es blanco, pero mi cabello es cafe
14:57 < gladiatr> not even any bottle blondes, huh?
14:57 < gladiatr> heh
14:58 -!- Masshuu [~Masshuu@unaffiliated/masshuu] has left #openvpn []
14:59 -!- brah [~brah@host134.186-109-248.telecom.net.ar] has quit []
15:00 < krzee> ok theres some of those, but i totally dont count them
15:06 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
15:17 <@vpnHelper> RSS Update - forum: Configuration :: undestanding rsa management :: Author capitansig <https://forums.openvpn.net/viewtopic.php?f=6&t=7423&p=8736#p8736>
15:17 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 276 seconds]
15:19 -!- mattock [~samuli@openvpn/corp/admin/mattock] has quit [Ping timeout: 265 seconds]
15:20 < FSprofi> is openvpning through a http proxy good?
15:20 < FSprofi> meaning of speed
15:27 < krzee> well
15:27 < krzee> theres multiple reasons it might not be
15:27 < krzee> but there is no guaranteed answer to your question
15:31 < FSprofi> kay
15:32 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
15:33 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
15:34 -!- pyther24 [~pyther@unaffiliated/pyther] has quit [Quit: leaving]
15:42 -!- venom00ut [~wer@net-93-71-34-173.cust.dsl.vodafone.it] has joined #openvpn
15:42 -!- venom00ut [~wer@net-93-71-34-173.cust.dsl.vodafone.it] has quit [Changing host]
15:42 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
15:44 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 240 seconds]
15:45 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
15:49 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 265 seconds]
15:55 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 265 seconds]
15:56 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has left #openvpn []
15:58 < grendal_prime> grrrrr...
15:58 < grendal_prime> i got this dir..some customer keeps filling it up, what is the best way to systimatically movie files  I mean i can make a cron job but im going to wind up with a ton  of them running
16:00 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has joined #openvpn
16:00 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has quit [Changing host]
16:00 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
16:03 -!- anonymous [~anonymous@88.103.4.252] has joined #openvpn
16:04 -!- anonymous [~anonymous@88.103.4.252] has left #openvpn []
16:27 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 265 seconds]
16:28 < svirfneblin> what's wrong with a cronjob?
16:29 -!- WinstonSmith [~true@g225026067.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
16:35 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
16:38 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
16:41 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
16:42 -!- WinstonSmith [~true@g231242176.adsl.alicedsl.de] has joined #openvpn
16:43 -!- s7r [~s7r@213.229.116.239] has joined #openvpn
16:46 -!- WinstonSmith_ [~true@g231242176.adsl.alicedsl.de] has joined #openvpn
16:46 -!- WinstonSmith_ [~true@g231242176.adsl.alicedsl.de] has quit [Remote host closed the connection]
16:46 -!- WinstonSmith_ [~true@g231242176.adsl.alicedsl.de] has joined #openvpn
16:47 -!- WinstonSmith_ [~true@g231242176.adsl.alicedsl.de] has quit [Client Quit]
16:47 -!- WinstonSmith_ [~true@g231242176.adsl.alicedsl.de] has joined #openvpn
16:47 -!- WinstonSmith [~true@g231242176.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
16:48 -!- WinstonSmith_ is now known as WinstonSmith
16:48 -!- WinstonSmith [~true@g231242176.adsl.alicedsl.de] has quit [Client Quit]
16:49 -!- WinstonSmith [~true@g231242176.adsl.alicedsl.de] has joined #openvpn
16:54 < ecrist> grendal_prime: this isn't #cron
16:54 < ecrist> ;)
16:55 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
17:00 < grendal_prime> ya sorry
17:00 < grendal_prime> wrong channel
17:00 < grendal_prime> have a good one mate
17:00 -!- grendal_prime [~sgraham@riverbank.fpdomain.com] has left #openvpn ["Ex-Chat"]
17:09 < FSprofi> another question: i got a openvpn server with 100 mbit, a client with 16 mbit. 16mbit even with tcp?
17:10 < krzee> FSprofi, can you put that into question form please?
17:10 < FSprofi> kay
17:11 < FSprofi> do you know which speed with tcp is possible?
17:11 < krzee> depends on your link
17:11 < krzee> and not just the fact that its 16mbit
17:11 < krzee> for example, packet loss will strongly fuckup a tcp over tcp link
17:12 < krzee> theres an option somewhere which you will want, that will stop TCP from queueing
17:12 < krzee> !man
17:12 <@vpnHelper> "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
17:12 < krzee> its somewhere in there
17:16 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 240 seconds]
17:30 -!- fixxxermet [~lopan@vps.fixertec.net] has joined #openvpn
17:31 < fixxxermet> !welcome
17:31 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:34 < fixxxermet> !route 
17:34 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:35 -!- gorkhaan [~gorkhaan@adsl-101-61.globonet.hu] has joined #openvpn
17:35 < gorkhaan> hi! Is there an official openvpn-over-ipv6 support? I found some patches btw.
17:36 < fixxxermet> Hey everyone.  I have a VPN working between two networks, but am getting errors in the logs and want to address them.  Logs, config and interfaces @ http://pastebin.com/Si5n1a98
17:36 < fixxxermet> Using PKI
17:39 < fixxxermet> !sample
17:39 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
17:43 -!- mikkel [~mikkel@80.71.132.15] has quit [Quit: Leaving]
17:45 < gorkhaan> I've found this:  https://launchpad.net/~berni/+archive/ipv6/+packages it's not too old, however I would prefer the newest 2.1.4. I go to sleep now, cu
17:45 <@vpnHelper> Title: Packages in “IPv6 Packages” : IPv6 Packages : Bernhard Schmidt (at launchpad.net)
17:52 -!- gorkhaan [~gorkhaan@adsl-101-61.globonet.hu] has quit [Remote host closed the connection]
17:53 < krzee> if gorkhaan comes back, someone type !ipv6 for him
17:54 < |Mike|> you can send him a message via nickserv.
17:54 < |Mike|> krzee: ^^
17:55 < krzee> meh, busy at work
17:57 < |Mike|> it's 01:00
17:58 < krzee> do i live in .nl?
18:00 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:00 < |Mike|> krzee: sometimes.
18:13 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
18:25 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
18:32 -!- s7r1 [~s7r@89.39.174.74] has joined #openvpn
18:32 -!- s7r1 [~s7r@89.39.174.74] has left #openvpn []
18:33 -!- s7r [~s7r@213.229.116.239] has quit [Ping timeout: 265 seconds]
18:38 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
18:39 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 245 seconds]
18:57 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
19:16 -!- benedikt [~benedikt@earth.sudo.is] has left #openvpn []
19:17 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 265 seconds]
19:22 -!- FSprofi [~chatzilla@77.119.217.43.wireless.dyn.drei.com] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]]
19:25 -!- svirfneblin [~user@i.dont.get.mad.i.get.stabby.net] has quit [Quit: leaving]
19:48 -!- scatterp [~scatterp@87.127.188.177] has quit [Ping timeout: 255 seconds]
19:55 -!- scatterp [~scatterp@87.127.188.177] has joined #openvpn
20:11 -!- scatterp [~scatterp@87.127.188.177] has quit [Ping timeout: 272 seconds]
20:13 -!- scatterp [~scatterp@87.127.188.177] has joined #openvpn
20:25 -!- atan2 [~atan@unaffiliated/atan] has quit [Quit: null]
20:33 -!- WinstonSmith [~true@g231242176.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
20:45 -!- WinstonSmith [~true@g231243171.adsl.alicedsl.de] has joined #openvpn
20:51 < ecrist> moin moin
21:18 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
21:50 <@vpnHelper> RSS Update - forum: Configuration :: Re: Static Key Setup & Routing :: Reply by jmancuso <https://forums.openvpn.net/viewtopic.php?f=6&t=7417&p=8737#p8737>
21:55 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
22:11 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has joined #openvpn
22:12 -!- ntucker_ [~ntucker@c-71-227-154-92.hsd1.wa.comcast.net] has joined #openvpn
22:12 < ntucker_> !welcome
22:12 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
22:13 < ntucker_> !howto
22:13 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
22:13 < ntucker_> !goal
22:13 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
22:13 < ntucker_> !route
22:13 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
22:16 < ntucker_> hello there.  i have a question about bridging with openvpn
22:17 < ntucker_> my goal is: i have a private network (10.x.x.x) with one linux host attached to the internet, and I want to connect to this private network with openvpn clients out on the internet
22:18 < ntucker_> i have successfully done this with routing and ip forwarding, but I would also like to try it with bridging
22:19 < ntucker_> i'm unclear on whether bridging means i need my private network's hosts to have routes specifically for the address space that the clients get put in
22:33 <@vpnHelper> RSS Update - forum: Server Administration :: Client and Server on same machine? :: Author jerryk1234 <https://forums.openvpn.net/viewtopic.php?f=4&t=7424&p=8738#p8738>
22:39 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:46 -!- pyther [~pyther@unaffiliated/pyther] has quit [Ping timeout: 264 seconds]
23:05 -!- WinstonSmith [~true@g231243171.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
23:09 -!- TACPILOT [~tacpilot@c-76-31-248-181.hsd1.tx.comcast.net] has quit [Quit: Leaving.]
23:10 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
23:13 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
23:17 -!- abeehc [~bob@d207-6-195-163.bchsia.telus.net] has quit [Read error: Operation timed out]
23:19 -!- abeehc [~bob@d207-6-195-163.bchsia.telus.net] has joined #openvpn
23:30 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:48 -!- diphthong [~diphthong@69.172.135.243] has joined #openvpn
--- Day changed Wed Dec 22 2010
00:11 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Ping timeout: 240 seconds]
00:18 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
00:20 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
00:54 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Ping timeout: 240 seconds]
00:54 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
01:03 <@vpnHelper> RSS Update - forum: Configuration :: Re: Unable to access servers on vpn network. :: Reply by amitk <https://forums.openvpn.net/viewtopic.php?f=6&t=7044&p=8739#p8739> || Configuration :: Unable to access internal servers on openvpn server :: Author amitk <https://forums.openvpn.net/viewtopic.php?f=6&t=7425&p=8740#p8740>
01:11 -!- barfster [~barf@138.124.131.122] has joined #openvpn
01:13 < barfster> The latest update for Mac is very annoying when connection drops, Steve Job’s beach ball shows up...
01:13 < barfster> or is this a new feature?
01:14 < krzie> i think you got the wrong channel
01:14 < barfster> 2190.2248
01:14 < barfster> A
01:14 < barfster> Tunnelblick
01:14 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
01:15 < barfster> No, such channel.
01:15 < barfster> Hmm, where to report?
01:15 < krzie> you didnt mention tunnelblick before i said that
01:15 < krzie> you just mentioned an apple update
01:15 < krzie> but personally i dunno anything bout tunnelblick
01:17 < barfster> The latest update of Tunnelblick( 2190.2248 ) for Mac is very annoying when connection drops, Steve Job’s beach ball shows up...
01:27 -!- barfster [~barf@138.124.131.122] has quit [Quit: Get MacIrssi - http://www.sysctl.co.uk/projects/macirssi/]
01:27 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 265 seconds]
01:31 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
02:06 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has quit [Ping timeout: 264 seconds]
02:30 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Excess Flood]
02:30 -!- LowKey [rhel@unaffiliated/lowkey] has joined #openvpn
02:33 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
02:40 -!- scatterp [~scatterp@87.127.188.177] has quit [Ping timeout: 255 seconds]
02:41 -!- Jones1 [~Adium@d54C3B3CE.access.telenet.be] has joined #openvpn
02:46 -!- scatterp [~scatterp@87.127.188.177] has joined #openvpn
02:46 -!- mattock [~samuli@openvpn/corp/admin/mattock] has joined #openvpn
02:46 -!- mode/#openvpn [+o mattock] by ChanServ
03:16 -!- mattock [~samuli@openvpn/corp/admin/mattock] has quit [Ping timeout: 265 seconds]
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 240 seconds]
03:46 -!- macsppadic [~sonupunno@88.211.55.77] has joined #openvpn
03:51 -!- Jones1 [~Adium@d54C3B3CE.access.telenet.be] has left #openvpn []
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:58 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has quit [Ping timeout: 276 seconds]
03:58 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has joined #openvpn
04:02 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
04:02 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Operation timed out]
04:14 -!- macsppadic is now known as COBsppadic
04:16 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
04:16 < fahmad> hello
04:16 < fahmad> can some one give me some best solution to monintor openvpn server using client ...
04:28 < Bushmills> define "monitor"
04:28 -!- _skrusty [~skrusty@83.166.176.39] has quit [Read error: Operation timed out]
04:29 < fahmad> Bushmills: like i need something like which can try to connect to openvpn and if its working then it will do nothing else it will start openvpn
04:30 < Bushmills> ah.  look at   monit
04:30 -!- common- [~common@p5DDA4901.dip0.t-ipconnect.de] has joined #openvpn
04:30 < Bushmills> or, run openvpn with respawn  from /etc/inittab
04:31 < Bushmills> but, that does "using client..." mean in that context?
04:32 < fahmad> Bushmills: but it will not work :(
04:33 < fahmad> i created perl script using Net::OpenVPN::Manage 
04:33 < COBsppadic> fahmad: are u after something that just monitors and restarts openvpn when it goes down on the server?
04:33 -!- common [~common@p5DDA4864.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds]
04:33 -!- common- is now known as common
04:33 < Bushmills> sure it works. i use monit myself
04:33 < fahmad> COBsppadic: yes but it must make sure
04:33 -!- twister004 [~chatzilla@mail2.polariswireless.com] has joined #openvpn
04:33 < COBsppadic> ditto on the monit as Bushmills said 
04:34 < COBsppadic> all monit needs is a process which generates a pid file which openvpn does n am quite sure it will do the trick 
04:36 < fahmad> COBsppadic: you know when my openvpn is not working it will still show pid
04:36 < fahmad> when i do pidof openvpn it will show me ...
04:36 < fahmad> thats the issue
04:37 < Bushmills> monit will check whether pid in pid file and process match
04:37 < Bushmills> thus, no issue
04:38 < fahmad> ok
04:38 < Bushmills> pid file checking is just optional, but increases reliability
04:38 < fahmad> i will check it ...
04:38 < COBsppadic> Bushmills: took the words out of my mouth there 
04:39 < fahmad> COBsppadic: what if i do not want to use inittab ?
04:40 -!- RichiH [~richih@freenode/staff/richih] has joined #openvpn
04:40 < Bushmills> http://scarydevilmonastery.net/snap/1293014366779521760d.png   this is what i use with monit for openvpn monitoring
04:41 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
04:41 < COBsppadic> fahmad:  the start program option shud just point to the program binary that will run it 
04:42 < RichiH> is there a quick way to parse out all re-keying sequences from the logs so i am left with _new_ connections, only?
04:42 < fahmad> looking ...
04:42 < COBsppadic> fahmad:  Bushmills link is pretty much what u need 
04:42 < fahmad> ok
04:42 < fahmad> i will try this with one server 
04:42 < fahmad> and let you guys know
04:42 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
04:43 < Bushmills> RichiH: most likely. but consider, if your interest is new connections only, to run a --client-connect script which simply sends you an instant message (jabber/xmpp for example) 
04:44 < Bushmills> means, you get notifications immediately, and those are also buffered in case you're offline until you connect again
04:45 < RichiH> found it, i just need to look for Peer Connection Initiated
04:45 < RichiH> Bushmills: i need to look at it after the fact, so i needed something that's in there by default
04:48 -!- rjd__ [~rjd@212.112.31.11] has quit [Quit: leaving]
04:51 -!- twister004_ [~chatzilla@117.204.141.37] has joined #openvpn
04:52 -!- twister004 [~chatzilla@mail2.polariswireless.com] has quit [Ping timeout: 245 seconds]
04:52 -!- twister004_ is now known as twister004
05:06 <@vpnHelper> RSS Update - forum: My VPN :: Re: Windows xp worked and the 7 don't. :: Reply by pinguim007 <https://forums.openvpn.net/viewtopic.php?f=13&t=7402&p=8741#p8741>
05:19 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
05:20 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has joined #openvpn
05:23 -!- RichiH [~richih@freenode/staff/richih] has left #openvpn []
05:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
05:32 -!- unspin [~unspin@S010600031d02196a.vc.shawcable.net] has quit [Ping timeout: 255 seconds]
05:40 -!- kraut [~kraut@blackhole.netzdeponie.de] has joined #openvpn
05:40 < kraut> howdy
05:40 < kraut> any ideas why i get this "read UDPv4 [EHOSTUNREACH]: No route to host (code=113)" when i change server<->client from tcp to udp?
05:40 < kraut> there isn't any firewall blocking
05:40 < reiffert> kraut: prove!
05:41 < reiffert> kraut: Bet that you cant prove as you dont know anything about the providers firewalls.
05:41 < reiffert> kraut: else you should be able to run:
05:41 < reiffert> nc -u -l -p  12345 on one side and
05:41 < reiffert> echo "foo" | nc -u one_side 12345
05:41 < reiffert> on the other
05:43 < reiffert> echo "foo" | nc -u reifferscheid.org 12345
05:43 < reiffert> root@reifferscheid:/home/thomas# nc -u -l -p 12345
05:43 < reiffert> foo
05:43 < kraut> reiffert: mom
05:43 < kraut> but provider isn't blocking
05:44 < reiffert> kraut: so enter this:
05:44 < reiffert>  echo "foo" | nc -u reifferscheid.org 12345
05:44 < kraut> <- on the phone
05:44 < reiffert> my nc server is listening.
05:44 < reiffert> copy paste it
05:44 < kraut> i'm coming from two sides
05:45 < kraut> ok, can't test client-side, it's a fritzbox without nc
05:45 < kraut> brb, sry
05:45 -!- unspin [~unspin@S010600900b1a7c77.vc.shawcable.net] has joined #openvpn
05:45 < reiffert> there is netcat on the fb
05:45 < reiffert> foo
05:45 < reiffert> the foo reached me.
05:46 -!- noisebleed [~quassel@lula.inescn.pt] has joined #openvpn
05:46 -!- noisebleed [~quassel@lula.inescn.pt] has quit [Changing host]
05:46 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
05:46 < kraut> so, fscking phone
05:46 < kraut> reiffert: i can see the udp packets reaching the server from the client via tcpdump f.e.
05:47 < reiffert> kraut: great. is openvpn listening on that udp port?
05:47 < kraut> yep
05:47 < kraut> wait :D
05:47 < reiffert> :)
05:47 < kraut> you are to fast for me
05:47 < kraut> see: http://pastebin.com/PCuD7gxE
05:47 < kraut> seems to be fine but then 113
05:48 < reiffert> kraut: btw, moin moin
05:48 < kraut> ahhh
05:48 < kraut> #
05:48 < kraut> Dec 22 12:43:13 exodus ovpn-server_udp[9149]: 91.97.13.219:2071 TLS: Initial packet from [AF_INET]91.97.13.219:2071, sid=e36db8fe f0cd7ba
05:48 < kraut> maybe the client-side is blocking on 2071?!
05:48 < kraut> ah, client port, so no
05:48 < kraut> reiffert: moin moin und xoxo :D
05:49 < reiffert> ping 91.97.13.219 works?
05:49 < kraut> yep
05:49 < reiffert> send some udp stuff to your fbox
05:49 < reiffert> watch it arrive with tcpdump
05:49 < kraut> or is there any bi-directional so that the client fw needs to be opened?
05:50 < kraut> it will be blocked i bet
05:50 < kraut> there is a fw running on the fritzbox
05:50 < reiffert> ther you are.
05:50 < kraut> <kraut> or is there any bi-directional so that the client fw needs to be opened?
05:51 < kraut> i don't understand actually the difference between udp and tcp in the openvpn context
05:51 < kraut> because with tcp everything is fine
05:51 < kraut> also muss ich bei udp auch auf der client-seite einen port öffnen? unterhalten die sich bi-direktional?
05:52 < reiffert> kraut: you wacky fbox fails on keeping the udp client port open
05:52 < kraut> aha!
05:53 < reiffert> kraut: as it should when your dbox is the client. however, opening a port should lead into endless luck.
05:53 < reiffert> 12:40 < kraut> there isn't any firewall blocking
05:53 < reiffert> :p
05:53 < kraut> yes, sorry. i meant the server-side
05:53 < kraut> lemmy debug something, brb
05:53 < reiffert> 12:53:37.635009 IP 178.63.49.86.59001 > 91.97.13.219.2071: UDP, length 14
05:53 < reiffert> 12:53:37.663778 IP 91.97.13.219 > 178.63.49.86: ICMP host 91.97.13.219 unreachable - admin prohibited filter, length 36
05:53 < reiffert> there you go.
05:54 < kraut> is there any switch don't do run openvpn in background?
05:54 < kraut> erm
05:54 < kraut> wtf?
05:54 < reiffert> well better ask those fbox folks..
05:54 < kraut> how did you tested that?
05:54 < kraut> this dsld sucks hell
05:54 < reiffert> start with rebooting that bad bad bunny, maybe the firewall will be working ok then.
05:55 < reiffert> I was on my server, sending you:
05:55 < reiffert> thomas@reifferscheid:~$ echo "kraut is doof" | nc -u 91.97.13.219 2071
05:55 < reiffert> and running tcpdump on your fbox^W^W my server
05:55 < kraut> i'm not "doof" *patsch*
05:55 < reiffert> 12:55:38.464110 IP 91.97.13.219 > 178.63.49.86: ICMP host 91.97.13.219 unreachable - admin prohibited filter, length 36
05:55 < reiffert> echo "kraut is doof^Wnot so doof" | nc -u 91.97.13.219 2071
05:56 < reiffert> 12:55:52.334800 IP 91.97.13.219 > 178.63.49.86: ICMP host 91.97.13.219 unreachable - admin prohibited filter, length 36
05:56 < reiffert> kraut: I remember tsomething from the fbox docs...
05:57 < kraut> hrhr
05:57 < kraut> yes, i have a look on that
05:57 < reiffert> kraut: ah nah, it's relevant only if the fbox is vpn server.
05:57 < kraut> since that i switch another client from tcp to udp
05:57 < kraut> that's just a linux box
05:58 < kraut> that should work better
05:58 < reiffert> start with a reboot, and add tcpdump and netcat to fbox.
05:58 < reiffert> if you like you can have my binaries without th eneed of compilation
05:59 -!- pyther [~pyther@adsl-99-155-90-130.dsl.bcvloh.sbcglobal.net] has joined #openvpn
05:59 -!- pyther [~pyther@adsl-99-155-90-130.dsl.bcvloh.sbcglobal.net] has quit [Changing host]
05:59 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
05:59 < kraut> no need, got that from another box allready
05:59 < kraut> but thanks anyway
06:00 < kraut> Dec 22 12:59:34 exodus ovpn-server_udp[9149]: 194.126.239.66:60068 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
06:00 < kraut> Dec 22 12:59:34 exodus ovpn-server_udp[9149]: 194.126.239.66:60068 TLS Error: TLS handshake failed
06:00 < reiffert> my fbox is an openvpn client as well
06:00 < kraut> strange
06:00 < reiffert> it works fine here
06:00 < reiffert> 12:59:59.048948 IP 178.63.49.86.1194 > 192.168.179.1.1254: UDP, length 93
06:00 < reiffert> 12:59:59.050390 IP 192.168.179.1.1254 > 178.63.49.86.1194: UDP, length 205
06:00 < reiffert> tcpdumping the dsl interface
06:00 < reiffert> kraut: run tcpdump on your openvpn server like this:
06:01 < reiffert> tcpdump -n -i eth0 -proto udp --port 1194 -s 1500 -w -
06:01 < reiffert> stop.
06:01 < reiffert> tcpdump -n -i eth0 -proto udp --port 1194 -s 1500 -w out.pcap
06:01 -!- WinstonSmith [~true@e179008112.adsl.alicedsl.de] has joined #openvpn
06:01 < reiffert> then stop it with ctrl-c and put out.pcap online.
06:01 < reiffert> inbetween try some connects, 2-3
06:02 < reiffert> oh, wrong tcpdump syntax .. sorry, it should be
06:02 < reiffert> tcpdump -n -i eth0 -s1500 -w out.pcap proto udp and port 1194 
06:03 < reiffert> wrong again
06:03 < reiffert> tcpdump -n -i eth0 -s1500 -w out.pcap proto UDP and port 1194 
06:05 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Ping timeout: 260 seconds]
06:05 < kraut> you need the pcap file?
06:05 < reiffert> yea
06:06 < reiffert> thomas@reifferscheid.org or /dcc
06:06 -!- vpnHelper [~vpn@butters.secure-computing.net] has joined #openvpn
06:06 -!- vpnHelper [~vpn@butters.secure-computing.net] has quit [Changing host]
06:06 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
06:06 -!- mode/#openvpn [+o vpnHelper] by ChanServ
06:06 < kraut> i noticed you an url
06:06 < kraut> is that fine?
06:06 < kraut> hmm, maybe my config is worst
06:07 < kraut> more or less i took my tcp config, copied that also to an udp-one and started both
06:07 < reiffert> kraut: ah, missed that.
06:07 < kraut> i thought this wouldn't be a big issue, but i also get this problems when i start the udp instance alone
06:07 < reiffert> kraut: problem is: no icmp message inside, something similar to: admin prohibitied
06:07 < kraut> from the server?
06:07 < reiffert> becaue my filter was bad.
06:07 < reiffert> lets redo it like this:
06:07 < kraut> what is -s1500?
06:07 < kraut> fragment size?
06:08 < reiffert> tcpdump -n -i eth0 -s1500 -w host 91.97.13.219 and not port ssh
06:08 < reiffert> -s 1500 is snaplen
06:08 < reiffert> how many bytes it will dump of every packet
06:08 < kraut> 91.97.13.219 <- that's fhe fb-client
06:08 < kraut> is that fine?
06:08 < reiffert> yeah
06:09 < kraut> maybe it's more easier to debug the linux-client
06:09 < reiffert> lets try this tcpdump first.
06:09 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
06:10 < kraut> i bet that dump wouldn't be fine
06:10 < kraut> there should also be an filter on 1194
06:10 < kraut> or not?
06:10 < reiffert> no, just:
06:10 < reiffert> tcpdump -n -i eth0 -s1500 -w host 91.97.13.219 and not port ssh
06:11 < reiffert> argh damnit
06:11 < reiffert> tcpdump -n -i eth0 -s1500 -w out2.pcap host 91.97.13.219 and not port ssh
06:11 < kraut> allready fixed that^^
06:11 < kraut> wait
06:11 < reiffert> .oO tcpdump "send everything relevant to reiffer" :)
06:11 < kraut> you got a notice
06:12 < reiffert> 13:11:10.278810 IP 91.97.13.219 > 95.33.239.26: ICMP host 91.97.13.219 unreachable - admin prohibited filter, length 36
06:12 < reiffert> get it with: tcpdump -r out2.pcap | less
06:13 < reiffert> tcpdump -n -r out2.pcap -s1500 -X |less 
06:13 < kraut> ah, tcpdump could also read pcap
06:14 < kraut> i searched allready my wireshark but it's some kind of borken
06:14 < kraut> wait
06:19 -!- takamichi [Takamichi@pm302-97-254.keyworld.net] has quit [Ping timeout: 250 seconds]
06:21 < kraut> tada.wav
06:23 < |Mike|> oooo!
06:23 -!- JakeSays [~quassel@c-98-202-184-139.hsd1.ut.comcast.net] has quit [Read error: Connection reset by peer]
06:25 < kraut> reiffert: i got it! :)
06:25 < kraut> my server is multihomed with two different WAN ips, that was the problem
06:27 -!- juhovh_ is now known as juhovh
06:27 -!- juhovh [~jvahaher@kekkonen.cs.hut.fi] has quit [Changing host]
06:27 -!- juhovh [~jvahaher@xmms2/developer/juhovh] has joined #openvpn
06:28 -!- tjz_ [~pc@bb116-14-147-103.singnet.com.sg] has joined #openvpn
06:29 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 245 seconds]
06:30 -!- luneff [~yury@84.51.195.188] has joined #openvpn
06:32 < kraut> ah, fine. everything works like a charme
06:32 < kraut> thanks reiffert 
06:32 < kraut> should i use lzo if i need low latencies?
06:32 < kraut> or better without?
06:41 -!- WinstonSmith [~true@e179008112.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
06:49 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
06:49 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
06:49 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:57 -!- WinstonSmith [~true@g231243171.adsl.alicedsl.de] has joined #openvpn
07:15 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving]
07:25 -!- pa [~pa@unaffiliated/pa] has quit [Quit: Sto andando via]
08:31 -!- bauruine [~stefan@188-126-68-111.cust.vpntunnel.org] has quit [Read error: Operation timed out]
08:35 <@vpnHelper> RSS Update - forum: Server Administration :: How to stop ping-restart every 2 min? :: Author elpasha009 <https://forums.openvpn.net/viewtopic.php?f=4&t=7426&p=8742#p8742>
08:35 -!- luneff [~yury@84.51.195.188] has joined #openvpn
08:42 -!- krzie [~k@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
09:02 -!- chris_____ [5d61f643@gateway/web/freenode/ip.93.97.246.67] has joined #openvpn
09:03 < chris_____> hi
09:04 < chris_____> I am use to setting up openvpn server on centos but not ubuntu, bridging is new to me
09:04 < chris_____> should my eth0 have an ip address for eth0 and br0 or just br0?
09:04 < ecrist> usually br0
09:05 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving]
09:06 < chris_____> ta, so if my br0 address is 10.10.1.1 how do I give clients a 10.90.0.0 address using server-bridge?
09:07 < ecrist> are you using the entire class a?
09:07 -!- brah [~asdofp@190.7.16.216] has joined #openvpn
09:12 -!- scrapheap [~matthias@p54A09075.dip0.t-ipconnect.de] has joined #openvpn
09:13 < scrapheap> Hello everybody
09:13 < COBsppadic> Hello scrapheap 
09:19 < chris_____> <ecrist>: yes
09:20 -!- [intra]lanman [~lanman@12.200.95.45] has joined #openvpn
09:20 -!- [intra]lanman [~lanman@12.200.95.45] has quit [Changing host]
09:20 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
09:20 -!- sia is now known as sia^pwnnt
09:21 -!- sia^pwnnt is now known as sia
09:21 < chris_____> so I guess I'm asking how do I translate 'server 10.90.0.0 255.255.0.0' to server-bridge '....' with a local address of 10.10.1.1?
09:25 -!- twister004 [~chatzilla@117.204.141.37] has quit [Read error: No route to host]
09:27 -!- twister004 [~chatzilla@117.204.134.90] has joined #openvpn
09:27 < gladiatr> chris__, you're bridging your ovpn connection to an internal ethernet segment?
09:30 < ecrist> chris_____: you just gave a class b subnet, not a class a subnet.
09:30 < ecrist> which is it?
09:32 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
09:33 < chris_____> a/b, don't know to be honest...what I do know is firewall is pointing to 10.10.1.1 and want to keep that as local address and if poss give clients 10.90.0.0
09:33 < ecrist> !google class based subnetting
09:33 -!- mikkel [~mikkel@80.71.132.15] has joined #openvpn
09:33 <@vpnHelper> The TCP/IP Guide - IP Subnetting Summary Tables For Class A, Class ...: <http://www.tcpipguide.com/free/t_IPSubnettingSummaryTablesForClassAClassBandClassCN.htm>; Subnetwork - Wikipedia, the free encyclopedia: <http://en.wikipedia.org/wiki/Subnetwork>; Subnets and Subnet Masks: <http://technet.microsoft.com/en-us/library/cc958832.aspx>
09:35 < chris_____> I'm not asking for a subnet lesson because even if I looked into it that won't answer my question
09:35 < scrapheap> Hello everybody, does anybody know about Problems with OVPN 2.1.3. I can't get my mails with outlook 2010 from the exchangeserver.
09:35 < krzee> a good understanding of networking is important to setting up vpns the right way
09:35 < krzee> if you dont want to learn networking, you're probably attempting something that you shouldnty
09:36 < krzee> scrapheap, can you ping the exchangeserver?
09:37 < ecrist> chris_____: in order for what you want to do to work, you're going to either need to re-subnet your network, choose different IPs, or setup routing between the distinct subnets
09:37 < ecrist> it's not as simple as --server bridge 10.10.1.1. 255.255.0.0 10.90.0.0 10.90.0.255
09:37 < ecrist> since you're unwilling to learn, I'm unwilling to help.
09:37 < ecrist> ;)
09:38 < krzee> hehe
09:38 < COBsppadic> hehehe
09:38  * krzee gives ecrist a spare cluehammer
09:38 < chris_____> <ecrist> cheers, starting to see that now...I only ever used server command and pushed other stuff out...will need to think about how may ips that can give me
09:38 < krzee> (for xmas)
09:38 < krzee> scrapheap, pls respond in the channel instead of private message
09:39 < scrapheap> @krzee OK, Im sorry I thought it would be much easier to communicate.
09:40 < gladiatr> !infinity
09:40 < scrapheap> I can ping the exchangeserver, I get shares but Outlook 2010 will not connect to the Exchangeserver
09:40 < krzee> sounds like a firewall issue
09:40 < krzee> prolly doesnt know about the vpn subnet
09:41 < gladiatr> scrapheap, when you ping the server, are you using an IP or a host name?
09:41 < krzee> gladiatr, good question
09:41 < COBsppadic> ahh yes gladiatr good question 
09:41 -!- chris_____ [5d61f643@gateway/web/freenode/ip.93.97.246.67] has quit [Quit: Page closed]
09:41 < scrapheap> I used the host name
09:41 < scrapheap> but i can trie using the IP
09:42 < krzee> nah thats fine
09:42 < gladiatr> Replace the host name in your outlook config with the IP of the exchange server
09:42 < gladiatr> just temporarily
09:42 < scrapheap> OK, I try one moment pls.
09:42 < gladiatr> krzee, remember the problem with that vista system I asked about a few days ago?  Turns out it is a borked dll associated with the DNS Client service.
09:43 < COBsppadic> borked dll sheesh
09:43 < krzee> ouch
09:43 < gladiatr> the really fscked up thing about it is that the service doesn't throw any events--but it sure as hell screws up dns lookups when connected to a virtual network device :\
09:43 < krzee> that can NOT have been fun to find
09:43 < gladiatr> no.  No it wasn't.  Not fun at all.
09:43 < COBsppadic> whoa that s just pure unadulterated pain
09:43 < krzee> did you try the hax in here?  they were for XP but maybe apply
09:43 < krzee> !pushdns
09:43 <@vpnHelper> "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
09:44 < krzee> in #3
09:44 < gladiatr> yup.  That's actually what led me to the solution of just disabling the service until I can get that machine reinstalled.
09:45 < gladiatr> Thing had a kind of programmatic walking-pneumonia... would work sporadically and then revert to its previous disfunction.
09:46 < krzee> ya windows has EDD
09:46 < krzee> err ED
09:46 < krzee> whatever it is on those cialis commercials
09:46 < gladiatr> HAHAHAHAHA!
09:46 < COBsppadic> hahahaha
09:47 < gladiatr> (because you'll know when the time is right...)
09:47 < COBsppadic> rofl
09:49 < gladiatr> but anyway, part of the pain in troubleshooting this problem is that some software (mozilla in particular) caches dns data by default.  Some windows software uses some kind of libbind library for resolving and others have hooks into some sort of winsock compatibility layer.  I couldn't get consistent results across varying pieces of software.
09:50 < gladiatr> so that's why I suggested him removing host names and replacing them with IPs for the moment.  Even if it throws TLS errors when he tries to get his mail, at least it will indicate whether or not he's connecting to the server
09:50 < COBsppadic> so scrapheap any luck>
09:51 < scrapheap> 2010 is awful its really hard to find the right option everything is different than before.
09:52 < gladiatr> I loathe outlook.
09:52 -!- bauruine [~stefan@188-126-68-111.cust.vpntunnel.org] has joined #openvpn
09:52 < scrapheap> anything is wrong, after I changed the Name into the IP and now Outlook is really slow, I have to find what I have done wrong.
09:53 < gladiatr> Are you getting any sort of indication that it is connecting to the exchange server, though?
09:53 < gladiatr> Chances are, *not* using the host name is going to cause some issues with the TLS negotiation on exchange, so that *might* be what's causing the slowness.  
09:54 < gladiatr> Using the IP address isn't a solution to your problem.  It's just a troubleshooting step.
09:55 < scrapheap> No, there is no connection, but I just saw, everytime I change the IP Outlook replace it with the Name. - So I think it could resolve the IP. (But thats only my interpretation.)
09:57 < gladiatr> No problem.  Ok.  So that answers that question.  So, in closing, I would like to offer up my oh-so-very-knowledgeable opinion: krzee is right.  It sounds like a firewall issue.
09:58 < gladiatr> Unless you have admin access on the exchange server and can install a packet sniffer, I'd suggest downloading a port scanner and seeing if the MAPI port on the exchange server is visible from the VPN subnet.
09:58 < scrapheap> OK, but which Firewall thats the great question.
09:58 < scrapheap> Before I had problems I used a Windows XP Machine with Outlook 2003 it worked.
09:58 < scrapheap> Could there be Firewallproblems with Windows 7?
09:59 < scrapheap> I will try to find a Portscanner to do a Portscan.
10:00 < gladiatr> Are you using the stock win7 firewall or have you installed Something Else?
10:01 < scrapheap> Its from stock, but I put the Machine into the ActiveDirectory. But there were no other changes.
10:02 < gladiatr> hrm... Contact your IT goons about any sort of group policies they might be pushing that might be modifying your firewall
10:04 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has quit [Ping timeout: 272 seconds]
10:05 < scrapheap> Now I scanned Port 25 and 135 but which Port uses MAPI?
10:06 < gladiatr> checking...
10:06 < gladiatr> ohsweetjesus.  It's an RPC service...
10:06 < gladiatr> sec
10:07 < scrapheap> RPC service? - That's Port 135, right?
10:07 < gladiatr> heh.  no.
10:08 < gladiatr> I'm spinning up a win7 vm here... I need to check sometihng
10:08 < gladiatr> s/tih/thi
10:08 -!- fahadsadah [fahad@unaffiliated/fahadsadah] has joined #openvpn
10:08 < COBsppadic> 135 i thought gladiatr 
10:09 < COBsppadic> http://technet.microsoft.com/en-us/library/bb331973.aspx
10:09 <@vpnHelper> Title: Exchange Network Port Reference: Exchange 2010 SP1 Help (at technet.microsoft.com)
10:09 < gladiatr> is that the win rpc service?
10:10 < COBsppadic> rpc god 
10:11 < gladiatr> I was just tryin' to see if there was some microsoft equivalent to rpcinfo 
10:13 < ecrist> !google MAPI port
10:13 <@vpnHelper> Exchange Server static port mappings: <http://support.microsoft.com/kb/270836>; MAPI and RPC over HTTP: <http://technet.microsoft.com/en-us/library/aa996632(EXCHG.65).aspx>; Re: Port of MAPI: <http://www.tech-archive.net/Archive/Exchange/microsoft.public.exchange.connectivity/2005-07/msg00126.html>
10:14 -!- JakeSays [~quassel@c-98-202-184-139.hsd1.ut.comcast.net] has joined #openvpn
10:17 < COBsppadic> http://social.technet.microsoft.com/wiki/contents/articles/configuring-static-rpc-ports-on-an-exchange-2010-client-access-server.aspx
10:17 <@vpnHelper> Title: Configuring Static RPC Ports on an Exchange 2010 Client Access Server - TechNet Articles - Home - TechNet Wiki (at social.technet.microsoft.com)
10:17 < gladiatr> egads.  Yeah.  I'm sorry scrap, but it really does look like you're going to need to get with your network people about this.  I found an article that discusses using the rpcping.exe utility that comes with powershell 2 (http://support.microsoft.com/kb/831051), but I have a feeling that you'll save yourself some time by fobbing this off on your tech guys.
10:17 <@vpnHelper> Title: How to use the RPC Ping uti (at support.microsoft.com)
10:19 < scrapheap> That's bad I'm the "network people" I'm the "Administrator" I'm still the Nanny for all the people around me, so I have to find a way.
10:19 < COBsppadic> oh dear 
10:19 < COBsppadic> :-)
10:19 < scrapheap> But I think all the last links where not too bad, I just have to find time to read and understand all these things.
10:20 < gladiatr> ahh... gotcha.
10:20 < COBsppadic> gladiatr: success?
10:20 < gladiatr> lol
10:21 < COBsppadic> :-)
10:23 -!- archangelpetro [~archangel@cpc4-oxfd19-2-0-cust84.4-3.cable.virginmedia.com] has quit [Ping timeout: 240 seconds]
10:23 < scrapheap> I'm sorry, I'm not sure if I had understand it the right way.
10:23 < scrapheap> But all the articles are talking about Exchange 2010. I use Exchange 2007, if the server is connected from Outlook 2003 it works but if it is connected from Outlook 2010 it didn't work. So there must be differences betwenn 2003 and 2010.
10:24 < gladiatr> Thing #47 that I would do if I had access to a time machine: Infiltrate the Sun team that was tasked with developing what became RPC and present every case that's occured since then of why RPC is an Extremely Bad Idea
10:24  * COBsppadic would join on that saving humanity mission to the past 
10:24 < gladiatr> :D woot!
10:25 < krzee> 508
10:25 -!- brah [~asdofp@190.7.16.216] has quit [Quit: Ex-Chat]
10:25 < krzee> meh wrong win
10:25 < COBsppadic> heehe
10:26 < gladiatr> scrapheap, ...  . ..... ... ....... .. .. .... ........ ... ..................... ... .. you have no crossed the line requirement of windows knowledge that I know nothing about... MS product release details :|
10:26 < gladiatr> s/no/now
10:26 < gladiatr> wow.  Completely boogered that sentence, but I hope you get my meaning
10:27 < gladiatr> Do you still have access to the 2003 install?
10:27 < scrapheap> No I haven't
10:28 < gladiatr> I wish you The Best of Luck.  I can't imagine its a network issue if you're able to do a domain login across the VPN.  If you haven't done anything with the domain group policy and are using the stock win7 firewall, I can't imagine that's getting in the way.
10:29 <@vpnHelper> RSS Update - forum: Server Administration :: Re: connect from server to client :: Reply by george <https://forums.openvpn.net/viewtopic.php?f=4&t=7420&p=8743#p8743>
10:30 -!- archangelpetro [~archangel@cpc4-oxfd19-2-0-cust84.4-3.cable.virginmedia.com] has joined #openvpn
10:33 < scrapheap> Ok, thanks to all for your help.
10:33 < gladiatr> good luck, my friend
10:33 < scrapheap> I just installed Wireshark so I will do a little sniffing tomorrow.
10:33 < COBsppadic> all the best scrapheap  
10:34 < scrapheap> Also I will try to install a different machine to try if this could help.
10:35 <@vpnHelper> RSS Update - forum: My VPN :: Re: Windows xp worked and the 7 don't. :: Reply by george <https://forums.openvpn.net/viewtopic.php?f=13&t=7402&p=8744#p8744>
10:35 -!- luneff [~yury@84.51.195.188] has joined #openvpn
10:36 -!- scrapheap [~matthias@p54A09075.dip0.t-ipconnect.de] has left #openvpn []
10:39 -!- luneff [~yury@84.51.195.188] has quit [Read error: Connection reset by peer]
10:40 -!- luneff [~yury@84.51.195.188] has joined #openvpn
10:47 -!- michal` [~michal@rsbac/developer/michal] has left #openvpn [">/dev/yachill"]
10:50 -!- ivenkys [~ivenkys@unaffiliated/ivenkys] has left #openvpn []
11:01 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
11:09 -!- twister004 [~chatzilla@117.204.134.90] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]]
11:11 -!- COBsppadic [~sonupunno@88.211.55.77] has quit [Quit: COBsppadic]
11:46 -!- Sky[xx] [~SkyB0x@212.235.177.25] has joined #openvpn
11:48 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
12:07 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 272 seconds]
12:17 <@vpnHelper> RSS Update - forum: Server Administration :: Re: connect from server to client :: Reply by gladiatr72 <https://forums.openvpn.net/viewtopic.php?f=4&t=7420&p=8745#p8745>
12:23 <@vpnHelper> RSS Update - forum: Server Administration :: Re: How to stop ping-restart every 2 min? :: Reply by gladiatr72 <https://forums.openvpn.net/viewtopic.php?f=4&t=7426&p=8746#p8746>
12:24 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
12:35 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Client and Server on same machine? :: Reply by gladiatr72 <https://forums.openvpn.net/viewtopic.php?f=4&t=7424&p=8747#p8747>
12:54 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Routing & Load Balancing :: Reply by gladiatr72 <https://forums.openvpn.net/viewtopic.php?f=4&t=7416&p=8749#p8749> || Off Topic, Related :: Cisco IPSEC VPN Client on Linux causing Kernel Panic :: Author hank42 <https://forums.openvpn.net/viewtopic.php?f=1&t=7427&p=8748#p8748>
13:08 -!- bauruine [~stefan@188-126-68-111.cust.vpntunnel.org] has quit [Read error: Operation timed out]
13:09 -!- bauruine [~stefan@94.75.216.21] has joined #openvpn
13:12 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Server can't reach client's network :: Reply by gladiatr72 <https://forums.openvpn.net/viewtopic.php?f=4&t=7412&p=8750#p8750>
13:18 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving]
13:30 <@vpnHelper> RSS Update - forum: Server Administration :: Re: process openvpn.exe problem :: Reply by gladiatr72 <https://forums.openvpn.net/viewtopic.php?f=4&t=7405&p=8751#p8751>
13:34  * ecrist should install/configure the new RSS mod
13:38 < gladiatr> less wordy?
13:43 < ecrist> no, new URLs
13:48 -!- Essobi_ [~Essobi@74-128-53-127.dhcp.insightbb.com] has joined #openvpn
13:48 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Certificate fields :: Reply by gladiatr72 <https://forums.openvpn.net/viewtopic.php?f=4&t=7398&p=8752#p8752>
13:48 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
13:50 -!- archangelpetro [~archangel@cpc4-oxfd19-2-0-cust84.4-3.cable.virginmedia.com] has left #openvpn []
13:51 -!- Essobi_ [~Essobi@74-128-53-127.dhcp.insightbb.com] has quit [Remote host closed the connection]
13:51 -!- Essobi [~Essobi@74-128-53-127.dhcp.insightbb.com] has quit [Remote host closed the connection]
13:52 -!- Essobi [~Essobi@74-128-53-127.dhcp.insightbb.com] has joined #openvpn
13:54 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Outside access issue when using OpenVPN :: Reply by gladiatr72 <https://forums.openvpn.net/viewtopic.php?f=4&t=7388&p=8753#p8753>
13:59 < Essobi> Merry Xmas!
13:59 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Windows7 64 bit and Openvpn :: Reply by gladiatr72 <https://forums.openvpn.net/viewtopic.php?f=4&t=7387&p=8754#p8754>
14:00 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
14:01 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
14:01 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 240 seconds]
14:05 -!- rot13 [~var@vps-1005590-1468.united-hoster.de] has quit [Changing host]
14:05 -!- rot13 [~var@unaffiliated/rot13] has joined #openvpn
14:06 -!- master_of_master [~master_of@p57B56055.dip.t-dialin.net] has joined #openvpn
14:16 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Openvpn on a xen vm :: Reply by gladiatr72 <https://forums.openvpn.net/viewtopic.php?f=4&t=7371&p=8755#p8755>
14:21 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:22 <@vpnHelper> RSS Update - forum: Server Administration :: Re: System time at bootup not correct, Key authentication fa :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7368&p=8756#p8756> || Server Administration :: Re: IP address issue :: Reply by gladiatr72 <https://forums.openvpn.net/viewtopic.php?f=4&t=7367&p=8757#p8757>
14:28 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Where's the database from generated keys ? :: Reply by gladiatr72 <https://forums.openvpn.net/viewtopic.php?f=4&t=7365&p=8758#p8758>
14:34 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Outside access issue when using OpenVPN :: Reply by freeman656 <https://forums.openvpn.net/viewtopic.php?f=4&t=7388&p=8759#p8759> || Server Administration :: Re: does auth-pam support to terminate a connected session :: Reply ... <https://forums.openvpn.net/viewtopic.php?f=4&t=7364&p=8760#p8760>
14:35 -!- luneff [~yury@84.51.199.6] has joined #openvpn
14:40 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Stuck at a step during configuring openvpn :: Reply by gladiatr72 <https://forums.openvpn.net/viewtopic.php?f=4&t=7351&p=8761#p8761>
14:45 -!- secretary-linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has joined #openvpn
14:45 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Alternative methods to delegate IP to clients? :: Reply by gladiatr72 <https://forums.openvpn.net/viewtopic.php?f=4&t=7350&p=8762#p8762>
14:53 < ecrist> holy active forums batman
15:05 -!- unspin [~unspin@S010600900b1a7c77.vc.shawcable.net] has quit [Read error: Operation timed out]
15:06 -!- luneff [~yury@84.51.199.6] has quit [Ping timeout: 245 seconds]
15:10 < krzee> thats good stuff right there, work has had me coding up a storm, not enough time to respond to much
15:10 < krzee> Essobi, merry xmas to you too!
15:11 < Essobi> hehe
15:12 < krzee> i was given tomorrow off work to sit at home and finish coding a program, they hope to have it by the weekend
15:12 < krzee> im confident i can finish it tomorrow... but i dont have enough weed =[
15:13 < krzee> how am i supposed to whip up scripts without weed!?
15:14 < Essobi> lol
15:15 < Essobi> Adderall > weed for coding effort
15:15 < krzee> while im sure thats true, i must stay away from meth-like stuff
15:26 < Essobi> Okay..
15:26 < Essobi> Speed > Weed for coding. ;)
15:26 < Essobi> Caffiene is perfectly legal.
15:30 < Essobi> krzee: honestly it's more like caffeine then meth.  you don't get the bugs. ;)
15:34 -!- WinstonSmith [~true@g231243171.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
15:40 -!- WinstonSmith [~true@g231243171.adsl.alicedsl.de] has joined #openvpn
15:53 < gladiatr> :D
15:53 < gladiatr> krzee, indeed.  coding sober is ... well... wrong
15:54 < gladiatr> righto.  happy holidays and such.  i'm off...
15:54 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has quit [Quit: Leaving]
15:55 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
15:55 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
15:55 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
16:02 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has joined #openvpn
16:17 -!- KaiForce [~chatzilla@adsl-70-228-100-166.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]]
16:47 -!- mikkel [~mikkel@80.71.132.15] has quit [Quit: Leaving]
16:50 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
17:00 -!- istherenonewnick [~lord3nd3r@c-68-59-84-122.hsd1.fl.comcast.net] has joined #openvpn
17:01 < istherenonewnick> hey guys
17:01 -!- istherenonewnick is now known as End3r|lappy
17:01 < End3r|lappy> having an issue with openvpn
17:01 < End3r|lappy> I have it all up and running
17:01 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Quit: Leaving]
17:01 < End3r|lappy> but when I turn it on via my windows 7 laptop it connects but i cant resolve any websites
17:02 < End3r|lappy> tried manually editing the dns servers but to no avail
17:02 < End3r|lappy> any suggestions?
17:03 < End3r|lappy> http://www.specialvps.com/install-openvpn-debianubuntu-vps-instantly/
17:03 <@vpnHelper> Title: How to install OpenVPN on a Debian/Ubuntu VPS instantly | Special VPS (at www.specialvps.com)
17:03 < End3r|lappy> used that script to install it. which worked
17:03 < End3r|lappy> I can show any confs needed
17:04 < End3r|lappy> !welcome
17:04 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
17:04 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 255 seconds]
17:06 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
17:06 < End3r|lappy> !configs
17:06 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
17:06 < End3r|lappy> !pb
17:06 <@vpnHelper> "pb" is Use our pastebin to post configs and logs at http://openvpn.pastebin.ca rather than posting to the channel.
17:08 < End3r|lappy> http://openvpn.pastebin.ca/2026668
17:08 < End3r|lappy> i posted the configs on there
17:10 < End3r|lappy> updated http://openvpn.pastebin.ca/2026670
17:10 <@vpnHelper> RSS Update - pastebin: end3r <http://pastebin.ca/2026670> || end3r <http://pastebin.ca/2026668>
17:25 -!- End3r|lappy [~lord3nd3r@c-68-59-84-122.hsd1.fl.comcast.net] has quit [Quit: Ømega script v0.9.7 :: http://omega.neeq.net/ :: "Chuck Norris visits an active volcano every morning to get some of "the best damn espresso on Earth"."]
17:35 -!- me345 [~me345@adsl-71-131-133-80.dsl.sntc01.pacbell.net] has joined #openvpn
17:47 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 276 seconds]
17:48 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
18:06 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:17 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Where's the database from generated keys ? :: Reply by sierramike <https://forums.openvpn.net/viewtopic.php?f=4&t=7365&p=8764#p8764>
18:23 <@vpnHelper> RSS Update - forum: Server Administration :: Re: Routing & Load Balancing :: Reply by gladiatr72 <https://forums.openvpn.net/viewtopic.php?f=4&t=7416&p=8749#p8749>
18:40 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
18:43 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
19:41 <@vpnHelper> RSS Update - forum: Server Administration :: TAP-Win32 Adapter is Limited to 10 Mbps :: Author longknife <https://forums.openvpn.net/viewtopic.php?f=4&t=7429&p=8767#p8767>
19:46 -!- Essobi [~Essobi@74-128-53-127.dhcp.insightbb.com] has quit [Read error: No route to host]
19:55  * ecrist puts gladiatr72 in global mod group
20:04 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 250 seconds]
20:10 < ecrist> new RSS feeds and sitemap links installed
20:13 < ecrist> !die
20:13 < ecrist> !quit
20:13 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Quit: ecrist]
20:13 < ecrist> muahahah
20:15 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
20:15 -!- mode/#openvpn [+o vpnHelper] by ChanServ
20:15 < ecrist> !forum
20:15 <@vpnHelper> Routing & Load Balancing || Certificate fields || TAP-Win32 Adapter is Limited to 10 Mbps || 3g works router adsl don´t || Where's the database from generated keys ? || Windows xp worked and the 7 don't. || Alternative methods to delegate IP to clients? || Stuck at a step during configuring openvpn || does auth-pam support to terminate a connected session ? || Outside access issue when
20:15 <@vpnHelper> using OpenVPN || IP address issue || System time at bootup not correct, Key authentication fails || Openvpn on a xen vm || Windows7 64 bit and Openvpn || process openvpn.exe problem || Server can't reach client's network || Cisco IPSEC VPN Client on Linux causing Kernel Panic || Client and Server on same machine? || How to stop ping-restart every 2 min? || connect from server to
20:15 <@vpnHelper> client || Unable to access internal servers on openvpn server || Unable to access servers on vpn network. || Static Key Setup & Routing || undestanding rsa management || New user question || avahi-autoipd breaks openvpn client routes || Need Help with Config || Need help with my openVPN Configuration || tls-auth question || JonDo vs OpenVPN - They Claim To Be More Secure || (4 more messages)
20:15 < ecrist> we'll see how this new feed works, if it works any better with the bot
20:17 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
20:19 -!- me345 [~me345@adsl-71-131-133-80.dsl.sntc01.pacbell.net] has quit [Remote host closed the connection]
20:28 -!- WinstonSmith_ [~true@g231229215.adsl.alicedsl.de] has joined #openvpn
20:29 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 276 seconds]
20:30 -!- WinstonSmith_ [~true@g231229215.adsl.alicedsl.de] has quit [Client Quit]
20:32 -!- WinstonSmith [~true@g231243171.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
20:38 -!- rich_ [~rich@216.38.140.199] has left #openvpn []
20:48 -!- secretary-linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has quit [Quit: leaving]
20:58 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has joined #openvpn
21:40 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 265 seconds]
21:47 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
21:54 -!- Essobi [~Essobi@74-128-53-127.dhcp.insightbb.com] has joined #openvpn
21:57 < secretary_linux> !mitm
21:57 <@vpnHelper> "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
22:45 -!- pyther [~pyther@unaffiliated/pyther] has quit [Ping timeout: 260 seconds]
23:19 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
--- Day changed Thu Dec 23 2010
00:15 <@vpnHelper> RSS Update - forum: 2 basic checking questions to see if I am on the right track <http://forums.openvpn.net/topic7149.html#p8770>
01:05 -!- TACPILOT [~tacpilot@c-76-31-248-181.hsd1.tx.comcast.net] has joined #openvpn
01:05 < TACPILOT> hello 
01:06 < TACPILOT> what is expected network overhead per client to be connect to the network without any additional data transfer?
01:09 < TACPILOT> if you have clients with persistent connections to the server how much bandwidth do they use simply idle in 24 hours just staying connected ?
01:38 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
01:40 <@vpnHelper> RSS Update - forum: Static Key Setup & Routing <http://forums.openvpn.net/topic7417.html#p8771>
01:52 < krzee> TACPILOT, good question, i dunno
01:53 < krzee> havnt heard of anyone measuring... mayube you will be #1
02:01 < TACPILOT> I figure for large client pool of persistent connections, the bandwidth overhead on the server could end up being substantial even if they were simply idle.
02:03 < TACPILOT> If this turned out to be an issue, is there a setting to allow throttling the persistent handshaking ??
02:14 < krzee> sure
02:14 < krzee> theres definitely a setting for how often reneg is done
02:14 < krzee> although i suspect this traffic is negligable
02:14 < krzee> the term to search manual for is renger
02:14 < krzee> reneg
02:35 < TACPILOT> cool TY  :D
02:40 < krzee> yw
03:03 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
03:19 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 245 seconds]
03:21 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
03:30 -!- noisebleed [~quassel@kermit.inescn.pt] has joined #openvpn
03:30 -!- noisebleed [~quassel@kermit.inescn.pt] has quit [Changing host]
03:30 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
03:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 245 seconds]
03:49 -!- Directorsppadic [~sonupunno@88.211.55.77] has joined #openvpn
03:49 -!- master_of_master [~master_of@p57B56055.dip.t-dialin.net] has quit [Ping timeout: 264 seconds]
03:50 -!- master_of_master [~master_of@p57B57366.dip.t-dialin.net] has joined #openvpn
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:55 -!- venom00ut [~wer@net-93-71-36-86.cust.dsl.vodafone.it] has joined #openvpn
03:55 -!- venom00ut [~wer@net-93-71-36-86.cust.dsl.vodafone.it] has quit [Changing host]
03:55 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
04:01 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
04:03 -!- freaky[t] [alpha@freakyy.de] has quit [Read error: Operation timed out]
04:03 -!- freaky[t]_ [alpha@freakyy.de] has joined #openvpn
04:06 -!- reiffert [~thomas@mail.reifferscheid.org] has quit [Ping timeout: 240 seconds]
04:06 -!- reiffert [~thomas@mail.reifferscheid.org] has joined #openvpn
04:08 -!- Directorsppadic is now known as macsppadic
04:22 -!- markus [~markus@c83-250-36-93.bredband.comhem.se] has quit [Ping timeout: 272 seconds]
04:29 <@vpnHelper> RSS Update - forum: OpenVPN connection speed <http://forums.openvpn.net/topic7400.html#p8772>
04:30 -!- TACPILOT [~tacpilot@c-76-31-248-181.hsd1.tx.comcast.net] has left #openvpn []
04:30 -!- common- [~common@p5DDA4718.dip0.t-ipconnect.de] has joined #openvpn
04:32 -!- common [~common@p5DDA4901.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
04:32 -!- common- is now known as common
04:33 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
04:39 -!- Sky[xx] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
04:45 -!- evenflow [~david@bzq-79-178-184-68.red.bezeqint.net] has joined #openvpn
04:45 < evenflow> hey hey, im using openvpn-gui 1.0.3 and i have no connect button at the tray icon 
04:46 < evenflow> i understand it uses openvpn as a service, should i start the service manually from the windoes services or am i missing something here?
04:47 < evenflow> when i right-click the icon in the tray all i get is proxy settings and about
04:48 < sno> evenflow: it sounds like your client configuration isn't complete or in the correct place?
04:48 < evenflow> will misconfiguration cause a missing button in the gui?
04:49 < sno> with a misconfiguration you would expect the "name" of the profile to appear but perhaps not work, sounds like openvpn doesn't know about the config at all
04:53 < evenflow> ok ill reconfigure and see
04:57 < evenflow> sno thanks
04:57 < evenflow> working noqw
04:57 < sno> great
04:57 < sno> now fancy helping me with a routing issue ? :)
04:57 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
04:57 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
04:57 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
04:57 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
05:03 -!- renihs [~lemming@83-65-34-34.arsenal.xdsl-line.inode.at] has joined #openvpn
05:06 -!- bauruine [~stefan@94.75.216.21] has quit [Ping timeout: 272 seconds]
05:09 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: leaving]
05:19 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
05:19 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Excess Flood]
05:19 -!- Sky[x] [~SkyB0x@212.235.177.25] has joined #openvpn
05:53 <@vpnHelper> RSS Update - forum: TAP-Win32 Adapter is Limited to 10 Mbps <http://forums.openvpn.net/topic7429.html#p8773>
05:57 -!- pyther [~pyther@adsl-99-155-90-130.dsl.bcvloh.sbcglobal.net] has joined #openvpn
05:57 -!- pyther [~pyther@adsl-99-155-90-130.dsl.bcvloh.sbcglobal.net] has quit [Changing host]
05:57 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
05:57 -!- markus [~markus@c83-250-36-93.bredband.comhem.se] has joined #openvpn
05:59 <@vpnHelper> RSS Update - forum: Unable to access internal servers on openvpn server <http://forums.openvpn.net/topic7425.html#p8774>
06:16 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
06:16 <@vpnHelper> RSS Update - forum: OpenVPN connection speed <http://forums.openvpn.net/topic7400.html#p8775>
06:18 -!- markus [~markus@c83-250-36-93.bredband.comhem.se] has quit [Ping timeout: 265 seconds]
06:23 <@vpnHelper> RSS Update - forum: Static Key Setup & Routing <http://forums.openvpn.net/topic7417.html#p8776>
06:29 <@vpnHelper> RSS Update - forum: 3g works router adsl don´t <http://forums.openvpn.net/topic7428.html#p8777>
06:35 <@vpnHelper> RSS Update - forum: undestanding rsa management <http://forums.openvpn.net/topic7423.html#p8778>
06:36 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
06:39 -!- evenflow [~david@bzq-79-178-184-68.red.bezeqint.net] has left #openvpn []
06:53 <@vpnHelper> RSS Update - forum: tls-auth question <http://forums.openvpn.net/topic7419.html#p8779>
06:59 <@vpnHelper> RSS Update - forum: How to limit how many users can be simultaneously connected <http://forums.openvpn.net/topic7376.html#p8781> || OpenVPN to Mikrotik 4.15 router <http://forums.openvpn.net/topic7408.html#p8780>
07:00 -!- Chris___ [goose@samson.honk-honk.org] has left #openvpn ["God doesn't send firemen to hell; if he did, he knows we'd just put it out!"]
07:03 -!- markus [~markus@c83-250-36-93.bredband.comhem.se] has joined #openvpn
07:06 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
07:19 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 250 seconds]
07:23 <@vpnHelper> RSS Update - forum: VPN server won't start <http://forums.openvpn.net/topic7399.html#p8783> || Problems with RoadWarrior Setup on Windows Server 2008 <http://forums.openvpn.net/topic7391.html#p8782>
07:25 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
07:31 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
07:35 <@vpnHelper> RSS Update - forum: when I establish a tun, does it takes all use of the port? <http://forums.openvpn.net/topic7374.html#p8784>
07:49 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
07:58 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
08:00 -!- Kosmo_ [59966112@gateway/web/freenode/ip.89.150.97.18] has joined #openvpn
08:01 < Kosmo_> hey, im trying to follow a guide on: http://en.gentoo-wiki.com/wiki/Road_Warriors_with_OpenVPN
08:01 <@vpnHelper> Title: Road Warriors with OpenVPN - Gentoo Linux Wiki (at en.gentoo-wiki.com)
08:01 < Kosmo_> but i dont understand the /etc/conf.d/net part of the guide
08:02 < Kosmo_> where i need to add a route from br0 ? to eth0 i suspect
08:07 < renihs> Kosmo_, hmm odd why do you need a bridge?
08:07 < ecrist> Kosmo_: it's difficult for us to support every single howto out there
08:08 < ecrist> we suggest the official howto
08:08 < ecrist> !howto
08:08 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:08 < Kosmo_> ok
08:08 < renihs> Kosmo_, unless you have specific reasons to use a bridge
08:08 < renihs> there is no need for it
08:08 < Kosmo_> ill look at that then, i suspect i have only done stuff i need to do anyways
08:08 < renihs> oddly enough, dunno why the gentoo doc describes it that way
08:08 < renihs> will talk with the maintainer
08:09 < Kosmo_> i want the external box to be "on" the internal network via vpn
08:09 < renihs> i usually do that with simple NAT
08:09 < renihs> unlesss you have reasons not to want that
08:10 < Kosmo_> i dont know anything about it :-) just want a secure way of connecting to my internal lan from the world...
08:10 < Kosmo_> and have access to everything on the inside
08:11 < renihs> well, basicly you only need to enable ip_forwarding and add 1 iptables line to make that work
08:12 < Kosmo_> ok, and no vpn ?
08:12 < renihs> well with vpn :)
08:12 < Kosmo_> do you have a guide for that setup ?
08:12 < renihs> but you NAT the packages leaving your tun0 device
08:12 < renihs> if you want to keep it simple, drawback, without more sophisticated rules, all roadwarriors, will appear to come from the internal ip of your openvpn server
08:18 < Kosmo_> that fine
08:18 < Kosmo_> thats
08:18 < renihs> the openvpn server is already set-up and you can connect to it?
08:19 < Kosmo_> not the openvpn-server, but the box with openvpn on it
08:19 < Kosmo_> it was the next step in the guide
08:21 < Kosmo_> i've made some keys for the vpn
08:22 < Kosmo_> but the guide also say something like "then move the keys to the server" ... i know this isnt your guide, but thats not very useable
08:23 < renihs> well, as suggested, try the official openvpn howto 
08:23 < renihs> its pretty good and the steps remain basicly the same
08:23 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
08:24 < Kosmo_> renihs: ok will do that
08:25 < renihs> once the server is up and you can connect, if you want to use NAT, you only need like 2 lines (+ iptables installed)
08:25 < renihs> if you want to it with nat, bridge or route can also be ok, though in my cases i usually prefer a nat
08:26 < Kosmo_> so you would suggest me to use routed vpn ?
08:26 < Kosmo_> not bridged
08:27 < Kosmo_> im reading your guide, and it seems like i need to choose between those two
08:30 < renihs> well, ya, unless you only want to talk to the openvpn server
08:30 < renihs> you need routing, bridging or nat
08:30 < renihs> btw, neither one is "my" guide :)
08:31 -!- Sky[x] [~SkyB0x@212.235.177.25] has quit [Ping timeout: 276 seconds]
08:34 < reiffert> Kosmo_: choose routing for the beginning and then switch to whatever you think you need.
08:36 < Bushmills> many users never switch to bridging at all. a few do, for reasons of convenience
08:36 < Bushmills> only a very small number seems to actually need it.
08:38 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
08:38 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
08:38 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
08:46 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
08:53 < Kosmo_> ok i've setup and started the openvpn server now
08:53 < Kosmo_> im now trying to connect to it from a WinXP box
08:54 < Kosmo_> shouldn't i copy some keys to that box for security ? im trying to use the built-in vpn functionality of XP ( can use something else if better / easier )
08:57 < reiffert> !notovpn 
08:57 <@vpnHelper> "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
08:57 < reiffert> sorry.
08:57 < reiffert> !factoids search pptp
08:57 <@vpnHelper> "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to read
08:57 <@vpnHelper> about why to not use pptp
08:58 <@vpnHelper> RSS Update - forum: TAP-Win32 Adapter is Limited to 10 Mbps <http://forums.openvpn.net/topic7429.html#p8785>
08:58 < reiffert> !factoids search --values pptp
08:58 <@vpnHelper> 'broadcast-relay', 'notcompat', 'bcast', and 'pptp'
08:58 < reiffert> Kosmo_: see here:
08:58 < reiffert> !notcompat
08:58 <@vpnHelper> "notcompat" is (#1) ipsec and pptp are NOT compatibile with openvpn... openvpn is uses SSL, pptp and ipsec both use proprietary protocols, and therefor CAN NOT be compatible, or (#2) openvpn only connects to openvpn
08:58 < Kosmo_> so is there a openvpn windows client ?
08:59 < Kosmo_> ahh sorry, only saw the last message
08:59 < reiffert> of course there is. see openvpn homepage
09:04 < renihs> ipsec uses proprietary protocols?
09:04 < renihs> can use
09:20 -!- krzee [~k@openvpn/community/support/krzee] has quit [Remote host closed the connection]
09:21 < Kosmo_> renihs: ok now i got the connection from client to server
09:22 < Kosmo_> how can i then add the nat functionality ?
09:22 < Kosmo_> i have a little experience with iptables, so it shouldn't be that hard for me :-)
09:23 < renihs> well depends on your firewall rules you have so far, basicly, for the subnet defined for your vpn-clients you first allow traffic from tun0
09:23 < renihs> like
09:23 < Kosmo_> right now i have none
09:23 < renihs> iptables -t filter -A FORWARD -i tun0 -s <your-range> -j ACCEPT
09:23 < renihs> next the nat rule
09:23 < Kosmo_> but i will have to have some at some point
09:23 < renihs> iptables -t nat -A POSTROUTING -s <your-range> -o <your-internal-network-device> -j MASQUERADE 
09:23 < renihs> or SNAT 
09:24 < renihs> echo 1 > /proc/sys/ipv4/ip_forward 
09:24 < renihs> that should be it
09:24 < Kosmo_> those three lines ? Thanks :-)
09:24 < renihs> should do the trick :)
09:39 < Kosmo_> renihs: is there a quick way to allow every packet to go anywhere ? something like iptables -reset
09:39 < Kosmo_> or to disable iptables
09:39 < renihs> well, flushing all rules should allow it
09:40 < macsppadic> iptables --flush 
09:40 < renihs> unless the policy is DROP
09:40 < renihs> iptables -F 
09:40 < Kosmo_> ok
09:40 < Kosmo_> thanks
09:40 < renihs> iptables -X (deletes all custom chains)
09:42 < Bushmills> !linnat
09:42 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
09:43 < Bushmills> for NAT on server to make sense, you probalby want to route some non-vpn net traffic. for all traffic, check out:
09:43 < Bushmills> !redirect
09:43 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
09:43 -!- WinstonSmith [~true@g231229215.adsl.alicedsl.de] has joined #openvpn
09:49 < Kosmo_> i have no overview over this.. hehe...
09:50 < Kosmo_> those three iptables lines are not enough to route traffic from my client to my servers nic ?
09:50 < Bushmills> iptables doesn't do anything for routing on client
09:50 < Kosmo_> no i just saw that
09:50 < Kosmo_> but the server part first
09:51 < Bushmills> those lines merely set up server to masquerade packets coming from client, trying to use server as gateway
09:51 < Kosmo_> ok, trying you say?
09:51 < Bushmills> but if clients decides not to send any packets, server is fine with that, and actually doesn't care
09:52 < Kosmo_> yeah the clients need to have some routing also, is that just a default gateway ?
09:52 < Bushmills> !redirect
09:52 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
09:53 < Kosmo_> !def1
09:53 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
09:53 < Bushmills> just default gateway will most likely not do, because client still need to reach server over a non-openvpn route
09:53 < Bushmills> that's what --redirect-gateway takes care of doing for you 
09:54 < Kosmo_> ok so i start the server with --redirect-gateway ?
09:54 < Kosmo_> or the client ?
09:54 < Bushmills> no. use that on client, or push it from server to client 
09:54 < Kosmo_> ok, ill rather push it
09:54 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 272 seconds]
09:57 < Kosmo_> Bushmills: so how do i actually add the pushing to the config file ?
09:59 < renihs> Kosmo_, push "route 192.168.0.1 255.255.255.0"
09:59 < renihs> would be an example line
09:59 < renihs> in openvpn.conf
09:59 < Bushmills> you open the config file with an editor, enter it by pushing keys on your keyboard, and save the file
10:00 < renihs> replace ip/mask to your actual gateway
10:00 < renihs> ah never mind
10:00 < renihs> that was just a net push
10:00 < renihs> to push a route to your internal lan
10:00 < renihs> push" route 192.168.0.0 255.255.255.0"
10:00 < renihs> if thats your internal lan behind your vpn
10:01 < Bushmills> seems he just wanted to push redirect-gateway def1
10:01 < Kosmo_> Bushmills: ahhhh i know how to edit files :-D
10:02 < Kosmo_> so i just write push redirect-gateway def1 
10:02 < Kosmo_> ?
10:02 < Bushmills> hm .. you asked "how to add ... to the config file"
10:02 < Bushmills> you didn't ask "what to add..."
10:02 < renihs> ph
10:02 < renihs> oh
10:03 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
10:04 < Kosmo_> Bushmills: yeah all right, my bad
10:04 < Bushmills> for the "what" you better ask renihs, he is the man page bot here :D
10:05 < Kosmo_> hehe
10:05 < renihs> na i am fighting my cluster nodes atm
10:05 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
10:05 < renihs> 200 of them decided to pxe boot the wrong way :(
10:05 < Kosmo_> that quite alot
10:05 < renihs> i noticed it quickly enough :)
10:05 < Bushmills> renihs, botsnack
10:05 < Kosmo_> ill just try the line i wrote here then
10:05 < renihs> thats only 1/6 :)
10:06 < renihs> else the power draw goes to high if all are power up at same time
10:06 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
10:06 < renihs> a simple typo in a for loop can be .....arf
10:07 < Bushmills> that he's a bot you can see from him claiming to be very busy while continueing to chat
10:07 < renihs> lol :)
10:08 < renihs> its already fixed, was just a typo
10:08 < renihs> pebkac
10:08 < renihs> now for the delicate task to figure out what i was thinking when writing these scripts
10:08 < renihs> i cant even read that crap
10:10 -!- Kosmo_ [59966112@gateway/web/freenode/ip.89.150.97.18] has quit [Ping timeout: 265 seconds]
10:19 -!- Kosmo [59966112@gateway/web/freenode/ip.89.150.97.18] has joined #openvpn
10:20 < renihs> also its getting too late...why did i write :q!
10:20 < macsppadic> hehehe 
10:22 < Kosmo> aww, forgot to save?
10:23 < renihs> indeed :(
10:23 < Kosmo> renihs: the iptables lines you wrote a little time ago, is <your-range> my network like 172.20.40.0 ?
10:23 < renihs> after messing with some serious brainfck ....
10:23 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
10:23 < renihs> Kosmo, y, but with a netmask
10:23 < renihs> erm no
10:23 -!- macsppadic [~sonupunno@88.211.55.77] has left #openvpn []
10:24 < renihs> those are the ip-addresses your vpn clients get assigned on their tun/tap
10:24 < renihs> i assume without further context
10:24 < renihs> paste the entire line :)
10:25 < renihs>  -s <your-range>  = vpn client ips
10:25 < Kosmo> iptables -t filter -A FORWARD -i tun0 -s <your-range> -j ACCEPT iptables -t nat -A POSTROUTING -s <your-range> -o eth0 -j MASQUERADE
10:25 < Kosmo> those two
10:25 < renihs> those are the ip-addresses you assign your vpn clients 
10:25 < renihs> not your local network :)
10:26 < Kosmo> but the network of that ? or specific adresses ?
10:26 < renihs> you can do either, but i would suggest the entire netmask 
10:26 < Kosmo> ok
10:26 < renihs> like 172.16.0.0/16
10:26 < renihs> or whatever
10:26 < renihs> unless you want to nat only 1 ip
10:26 < renihs> and have only 1 vpn client :)
10:27 < Kosmo> so that per default 10.8.0.0 ?
10:29 < renihs> dunno what default is, didnt even know there is a default :)
10:29 < renihs> but possible
10:29 < renihs> but with netmask :)
10:29 < Kosmo> yep
10:36 <@vpnHelper> RSS Update - forum: Access policies on Windows host <http://forums.openvpn.net/topic7362.html#p8786>
10:41 -!- Kosmo [59966112@gateway/web/freenode/ip.89.150.97.18] has quit [Ping timeout: 265 seconds]
10:42 <@vpnHelper> RSS Update - forum: Advice / Help with openVPN <http://forums.openvpn.net/topic7372.html#p8788> || OPENVPN Client and NAT'ing <http://forums.openvpn.net/topic7360.html#p8787>
10:48 <@vpnHelper> RSS Update - forum: open vpn firewall <http://forums.openvpn.net/topic7359.html#p8789>
10:50 -!- brah [~brah@host92.200-82-54.telecom.net.ar] has joined #openvpn
10:51 -!- brah is now known as Guest11775
10:51 -!- Guest11775 is now known as brah
10:54 -!- WinstonSmith [~true@g231229215.adsl.alicedsl.de] has quit [Ping timeout: 245 seconds]
11:05 < brah> Is it possible to put a password on a particular certificate?
11:08 < renihs> you can provide a challenge password on cert creation
11:09 < renihs> afterwards its not possible afaik
11:11 -!- morbidwar [~morbidwar@78.96.23.179] has joined #openvpn
11:14 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Quit: This computer has gone to sleep]
11:31 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn
11:45 -!- Kosmo [59966112@gateway/web/freenode/ip.89.150.97.18] has joined #openvpn
11:47 < Kosmo> read UDPv4: Connection reset by peer <WSAECONNRESET> <code=10054>
11:47 < Kosmo> what to do about that, its when i added the iptables rules
12:01 -!- Sky[xx] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
12:02 -!- Kosmo [59966112@gateway/web/freenode/ip.89.150.97.18] has quit [Ping timeout: 265 seconds]
12:03 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has quit [Quit: enough of this 192.168.1.0/24 crap]
12:06 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
12:07 -!- Sky[xx] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
12:19 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
12:26 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
12:26 < morbidwar> hello, one question
12:28 < morbidwar> i have a network and one network ip class and one public ip class, and a vpn server on the network (not on the router), to be able to route the public ip class thru the vpn i need to do "push route ip netmask"? and do i need to setup a route on the router?
12:30 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
12:31 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
12:47 -!- [intra]lanman [~lanman@12.200.95.45] has joined #openvpn
12:47 -!- [intra]lanman [~lanman@12.200.95.45] has quit [Changing host]
12:47 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
13:07 -!- samael [~earendil@host171-58-dynamic.16-79-r.retail.telecomitalia.it] has joined #openvpn
13:07 < samael> hello
13:07 < samael> !welcome
13:07 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:10 < samael> uhm.. vpnHelper does not work in private queries?
13:10 < samael> !route
13:10 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:19 < samael> existing scenario: openvpn 2.0.9 server, couple dozens 2.0.9/2.1 clients in a routed VPN, no client-to-client communication. works like a charm since years. now I've to add two clients and I'd want them (and *only* them) to be able to reach the entire network directly, without bouncing on the server. of course all the other clients must stay isolated as they have been since now.
13:19 < samael> tried playing with the routing features but I'm a bit confused. any advice?
13:20 < ecrist> !current
13:20 <@vpnHelper> "current" is (#1) Our policy is to only support current versions of software. If your Linux distribution's repository doesn't have the latest, you'll need to compile from source. See /topic for the latest versions of OpenVPN software (usually at the beginning). Anything earlier than these, and you'll be REQUIRED to upgrade before we offer assistance., or (#2) The current version of OpenVPN can be
13:20 <@vpnHelper> downloaded from http://openvpn.net/index.php/open-source/downloads.html for RELEASE and BETA versions, and a tarball snapshot of the development tree can be had from ftp://ftp.secure-computing.net/pub/openvpn/
13:21 < ecrist> not sure what you mean by 'without bouncing on the server'
13:23 < samael> an upgrade is planned, but it's not a two minutes task
13:24 < ecrist> we can help with configuration, but we cannot help if you have bugs.
13:24 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Quit: ☃]
13:25 -!- venom00ut [~wer@net-93-71-36-86.cust.dsl.vodafone.it] has joined #openvpn
13:26 -!- venom00ut [~wer@net-93-71-36-86.cust.dsl.vodafone.it] has quit [Remote host closed the connection]
13:26 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 265 seconds]
13:26 < samael> ecrist: e.g. if I want to connect to any other client via ssh from one of the "two", now I have to slogin on the server and then slogin again
13:26 < samael> I understand, of course
13:27 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
13:27 -!- fixxxermet [~lopan@vps.fixertec.net] has left #openvpn []
13:27 < ecrist> not sure, but you may be able to enable client-to-client for just those two 'special' clients in a CCD entry
13:27 < ecrist> never tried that, though.
13:29 < samael> ok, I'll give a try. if I won't manage, I think I'll play a bit with some iptables
13:29 < samael> thank you :)
13:30 < ecrist> np
13:31 -!- pyther24 [~pyther@unaffiliated/pyther] has joined #openvpn
13:33 -!- brah [~brah@host92.200-82-54.telecom.net.ar] has quit [Ping timeout: 276 seconds]
13:42 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has joined #openvpn
13:43 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
13:43 -!- renihs [~lemming@83-65-34-34.arsenal.xdsl-line.inode.at] has quit [Remote host closed the connection]
13:47 <@vpnHelper> RSS Update - forum: Site-to-Site VPN <http://forums.openvpn.net/topic7430.html>
13:59 <@vpnHelper> RSS Update - forum: max-clients <http://forums.openvpn.net/topic7431.html>
14:11 -!- morbidwar [~morbidwar@78.96.23.179] has quit [Read error: Operation timed out]
14:15 -!- krzee [~k@ftp.secure-computing.net] has joined #openvpn
14:15 -!- krzee [~k@ftp.secure-computing.net] has quit [Changing host]
14:15 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
14:15 -!- krzee [~k@openvpn/community/support/krzee] has quit [Remote host closed the connection]
14:17 -!- krzee [~k@ftp.secure-computing.net] has joined #openvpn
14:17 -!- krzee [~k@ftp.secure-computing.net] has quit [Changing host]
14:17 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
14:24 -!- jobicreatingweb [~jobicreat@91.140.40.0] has joined #openvpn
14:27 < jobicreatingweb> how to start my openvpn client from terminal
14:31 -!- renihs [~philipp@83-65-34-34.arsenal.xdsl-line.inode.at] has joined #openvpn
14:33 < ecrist> openvpn --config <file>
14:33 < jobicreatingweb> thanks found it
14:34 < ecrist> or openvpn --all --your --options --on --the --command --line
14:34 < ecrist> :)
14:34 < jobicreatingweb> it says --script-security 2 or higher to call user-defined......
14:35 < jobicreatingweb> error cannot load certificate file
14:35 < ecrist> !logs
14:35 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin
14:35 < ecrist> !conigs
14:35 < ecrist> !configs
14:35 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
14:36 < jobicreatingweb> where are the log files kept?
14:36 < ecrist> depends on your configs
14:36 < jobicreatingweb> the configs i know 
14:36 < jobicreatingweb> a ok 
14:36 < jobicreatingweb> let me see
14:37 < krzee> !logfile
14:37 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info
14:41 -!- pyther24 [~pyther@unaffiliated/pyther] has quit [Quit: leaving]
14:50 < jobicreatingweb> read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
14:51 < jobicreatingweb> why this?
14:53 < krzee> im not sure how to be more clear than "your connection was refused"
14:53 < krzee> basic networking issue, either wrong ip/port/proto or bad firewall
14:58 <@vpnHelper> RSS Update - forum: Suddenly OpenVPN clients cannot see network <http://forums.openvpn.net/topic7329.html#p8792>
15:10 <@vpnHelper> RSS Update - forum: OpenVPN, WLan, Replay Window Backtrack , Connection Reset <http://forums.openvpn.net/topic7320.html#p8794> || Site-to-Site VPN <http://forums.openvpn.net/topic7430.html#p8793>
15:12 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
15:15 < jobicreatingweb> how to exit openvpn
15:16 < jobicreatingweb> from the terminal
15:21 <@vpnHelper> RSS Update - forum: need help setting up my OpenVPN config using a web proxy <http://forums.openvpn.net/topic7330.html#p8795>
15:37 -!- jobicreatingweb [~jobicreat@91.140.40.0] has left #openvpn []
15:43 -!- jobinet [~jobinet@91.140.40.0] has joined #openvpn
15:43 < jobinet> i established aq connection
15:44 < jobinet> and now what i do ?
15:44 < jobinet> how i see my computer ? with remote desktop?
15:45 < Bushmills> aren't those the exact same questions you asked a week ago?
15:45 < jobinet> who me?
15:45 < Bushmills> no, you
15:46 < jobinet> no cause its the first time i made a connection
15:46 < Bushmills> hm. congrats then.
15:46 < jobinet> thanks 
15:46 < jobinet> can you guide me or tell me from now what to do?
15:47 < Bushmills> you'd do about the same as if your openvpn connection was a network cable between two computers
15:48 < jobinet> xmm ok
15:48 < Bushmills> soif your question was "i connected my computers with a network cable - how can i use the network" is similarily tedious to answer,
15:48 < jobinet> ok
15:49 < Bushmills> but - once openvpn connected - it's not an openvpn issue anymore :D
15:50 < jobinet> :)
15:52 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has joined #openvpn
15:53 -!- jobinet [~jobinet@91.140.40.0] has left #openvpn []
16:06 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds]
16:17 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
16:50 -!- freaky[t]_ [alpha@freakyy.de] has quit [Remote host closed the connection]
16:58 -!- freaky[t]_ [alpha@freakyy.de] has joined #openvpn
17:01 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has quit [Read error: Operation timed out]
17:04 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 250 seconds]
17:06 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
17:11 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn
17:12 < dschuett> if openvpn is pushing out 10.8.0.0 but my local network is 192.168.0.0 what do i need to do to make them reachable to eachother within the openvpn server.conf and iptables?
17:12 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
17:13 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
17:19 < krzee> its not just there
17:19 < krzee> unless the openvpn node in the lan of 192.168.0.0 happens to also be the router for that lan
17:20 < krzee> read this:
17:20 < krzee> !route
17:20 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:21 < dschuett> krzee: the openvpn server is also my gateway/router of my home network
17:21 < dschuett> i run iptables on it for routing
17:22 < reiffert> routing?
17:22 < dschuett> krzee: clients connect without a problem, but can't ping server from client and server can't ping clients
17:22 < dschuett> yes, iptables...
17:23 < reiffert> dschuett: the question was not "iptables?", but "routing?"
17:23 < dschuett> what about it?
17:24 < reiffert> dschuett: there is an routing extension for netfilter. are you talking about it when you say "routing with iptables"?
17:24 < dschuett> well iptables technically does routing for the most part...
17:25 < reiffert> no, it does not.
17:25 < dschuett> it routes traffic using rules... thats how i look at it
17:25 < reiffert> not correct.
17:26 < dschuett> well either way...this isn't working :P
17:26 < reiffert> the routing table is what is routing packets.
17:26 < reiffert> iptables can replace destination and source addresses, commonly known as masquerading or network address translation (NAT).
17:27 < dschuett> ok, you're right litterally speaking
17:27 < reiffert> so either use routing, or NAT, but try not to mix that up.
17:27 < dschuett> ok, thanks
17:29 < reiffert> so when planning to use "routing", read !route
17:29 < reiffert> !factoids search nat
17:29 <@vpnHelper> 'nat', 'linnat', 'fbsdnat', 'pfnat', 'freebsdnat', 'bsdnat', 'donate', and 'winnat'
17:29 < reiffert> else have a look at these.
17:30 < reiffert> keep in mind, that NAT will work in a "one way" way.
17:33 < reiffert>  when thinking about "routing", keep in mind that you will need two routes: one for the way to the target and one back
17:33 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 240 seconds]
17:34 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
17:37 < krzee> he doesnt need NAT
17:37 < krzee> he needs to read !route
17:37 < krzee> lol
17:38 < krzee> and dschuett, listen to reif re what he said about iptables
17:38 < reiffert> at least he doesnt use NAT software for routing purposes anymore.
17:38 < krzee> it is a filter, not a routing table
17:38 < krzee> heheh
17:38 < reiffert> And I cant tell what it is he really needs.
17:38 < krzee> ahh so its the server LAN
17:38 < krzee> !serverlan
17:38 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
17:39 < krzee> so all he needs is
17:39 < reiffert> sex? Money?
17:39 < krzee> in server config:   push "route 192.168.0.0 255.255.255.0"
17:39 < reiffert> both?
17:39 < krzee> and !linipforward
17:39 < krzee> done
17:40 < reiffert> krzee: keeping him from reading !route, eh?
17:40 < krzee> well i do take donations in the form of currency and female full frontal nudity
17:41 < krzee> meh, i give up on thinking people will read docs sometimes, sad sad stuff
17:41 < krzee> it makes me wanna kill penguins
17:41 < reiffert> http://www.smarthairypussy.com/
17:41 <@vpnHelper> Title: Natural Hairy Pussy - Free Hairy Pussy Porn (at www.smarthairypussy.com)
17:42 < krzee> eww
17:42 < krzee> guesshermuff.blogspot.com
17:43 < reiffert> hehe
17:48 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn
17:49 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has left #openvpn []
17:49 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:00 <@vpnHelper> RSS Update - forum: Static Key Setup & Routing <http://forums.openvpn.net/topic7417.html#p8796>
18:03 -!- freaky[t]_ [alpha@freakyy.de] has quit [Remote host closed the connection]
18:08 -!- freaky[t]_ [alpha@freakyy.de] has joined #openvpn
18:12 <@vpnHelper> RSS Update - forum: Static Key Setup & Routing <http://forums.openvpn.net/topic7417.html#p8797>
18:21 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 265 seconds]
18:33 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
18:35 -!- MereX [~MereX@195.218.5.142] has joined #openvpn
18:35 < MereX> Hi there, I have a problem, successfully connected to my VPN the traffic doesn´t go through the tunnel created, any ideas?
18:35 < MereX> !welcome
18:35 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:35 < MereX> !goal
18:36 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
18:36 < MereX> !goal getting a secure connection for the congress
18:37 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
18:37 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
18:38 < krzee> for the congress!?
18:38  * krzee baffles
18:40 < ecrist> for Luxembourg?
18:41 < MereX> ecrist for Luxembourg... yup.. the congress "27c3" you should know this one ;)
18:41 < krzee> ohhhh
18:41 < krzee> ok
18:41 < krzee> so you meant to say
18:41 < krzee> I would like to access the internet over my vpn
18:41 < krzee> to which i respond:
18:41 < krzee> !redirect
18:41 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:42 < MereX> krzee hold on: was there done that, I guess. 
18:43 < krzee> huh?
18:43 < MereX> push "redirect-gateway"
18:43 < krzee> sure... did you enable NAT on the server for the vpn subnet...?
18:43 < krzee> did you enable ip forwarding on it as well...?
18:43 < krzee> theres config to be done outside of openvpn
18:44 < krzee> openvpn just acts as a virtual network cable of sorts... doesnt do the NAT or any other adjustments in your kernel
18:44 < MereX> echo 1 > /proc/sys/net/ipv4/ip_forward     i guess so, no?
18:44 < krzee> !linipforward
18:44 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
18:45 < krzee> !linnat
18:45 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
18:45 < MereX> krzee, thank you, let me try this out!
18:47 < MereX> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE   --- by using this I do not have to change to tun0, is this right? Aswell ass I am using a VPS i need to choose venet0 ?
18:48 < MereX> eth0 has to be changed to what?
18:48 < MereX> guess tun0 actually, but I am not sure at all
18:52 < krzee> no
18:52 < krzee> the device traffic goes out of
18:52 < krzee> aka -o in iptables ;]
18:52 < MereX> yeah sorry, i´m a noob here ;)
18:52 < MereX> first time using openvpn
18:54 < krzee> pls talk in the channel
18:54 < MereX> don´t want to spam the channel, is this ok?
18:54 < krzee> !pb
18:54 <@vpnHelper> "pb" is Use our pastebin to post configs and logs at http://openvpn.pastebin.ca rather than posting to the channel.
18:54 < MereX> http://openvpn.pastebin.ca/2027761
18:55 < krzee> pastebin > spamming channel > spamming privmsg
18:55 < MereX> guess this error is because of the vps - i´m aswell owner of the host, so I have to do this on the host?
18:55 < krzee> you need to compile NAT into your kernel
18:55 < krzee> your VPS provider may or may not need to do something for you
18:55 < krzee> tbh i dont use vps
18:56 < krzee> but ive heard of some needing to have their provider enable something
18:56 < krzee> !factoids help search 
18:56 < MereX> I´m the provider of the vps aswell... but do not want to use the rootbox as vpn
18:56 < krzee> !factoids search --invalues provider
18:56 <@vpnHelper> (factoids search [<channel>] [--values] [--{regexp} <value>] [<glob> ...]) -- Searches the keyspace for keys matching <glob>. If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
18:57 < krzee> !factoids search --values provider
18:57 <@vpnHelper> No keys matched that query.
18:57 < krzee> !factoids search --values vps
18:57 <@vpnHelper> No keys matched that query.
18:57 <@vpnHelper> RSS Update - pastebin: Anonymous <http://pastebin.ca/2027761>
18:57 < krzee> oh ok i see
18:57 < krzee> what software do you use?
18:57 < MereX> software for what? ;)
18:57 < MereX> for vps? OpenVZ
18:57 < krzee> vps
18:58 < krzee> ahh ok
18:58 < MereX> ...? :/
18:58 < MereX> oh man i´m feeling bad
18:59 < krzee> ohh
18:59 < krzee> http://forum.openvz.org/index.php?t=msg&goto=8117
18:59 <@vpnHelper> Title: OpenVZ Forum: Support » *SOLVED* OpenVPN in VPS : Masquerade (at forum.openvz.org)
18:59 < krzee> hit #2 here
18:59 < krzee> !google openvz openvpn
18:59 <@vpnHelper> VPN via the TUN/TAP device - OpenVZ Wiki: <http://wiki.openvz.org/VPN_via_the_TUN/TAP_device>; OpenVZ Forum: Support » OpenVPN inside OpenVZ container - Socket ...: <http://forum.openvz.org/index.php?t=msg&goto=35270&>; Setting up Openvpn on OpenVZ - Web Hosting Talk: <http://www.webhostingtalk.com/showthread.php?t=919314>
18:59 < krzee> ;)
19:01 < MereX> hold on, got to read this now
19:03 < MereX> okay, well actually, i already set this up
19:04 < MereX> http://openvpn.pastebin.ca/2027766
19:04 < krzee> whats that got to do with sanything?
19:05 < MereX> well actually, that tun0 is already up and running. That´s what the link says. ( already worked with that link when i´m remembering right. )
19:05 < krzee> umm
19:05 < krzee> that link is about NAT
19:05 < krzee> not tun0
19:05 < krzee> what link are you tlking about
19:05 < krzee> oh, go to the link i pasted
19:06 < krzee> vpnhelper got different results from google than i did
19:06 < MereX> ^^ yeah, just saw this myself
19:06 < MereX> give me a sec
19:08 < MereX> FATAL: Could not load /lib/modules/2.6.26-2-openvz-686/modules.dep: No such file or directory
19:08 <@vpnHelper> RSS Update - pastebin: Anonymous <http://pastebin.ca/2027766>
19:08 < MereX> still the same..
19:08 < krzee> !learn openvzlinnat as since openvz cant do NAT inside containers, use iptables -t nat -A PREROUTING -i tun0 -j DNAT --to-destination <container.ip>
19:08 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
19:09 < krzee> !learn openvzlinnat as since openvz cant do NAT inside containers, use iptables -t nat -A PREROUTING -i tun0 -j DNAT --to-destination <container.ip>
19:09 <@vpnHelper> Joo got it.
19:10 < MereX> what now?!
19:10 < MereX> am I really that stupid?! -.-
19:12 < MereX> iptables v1.4.2: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
19:12 < MereX>    okay getting stuck here now...
19:13 < MereX> by removing module-init-tools the FATAL already disappeared ..
19:15 < krzee> dude
19:15 < krzee> !openvzlinnat
19:15 <@vpnHelper> "openvzlinnat" is since openvz cant do NAT inside containers, use iptables -t nat -A PREROUTING -i tun0 -j DNAT --to-destination <container.ip>
19:16 < krzee> YOU CANT DO NAT IN OPENVZ!
19:16 < krzee> hehe
19:16 < MereX> yeah okay, got ya... but tried that aswell, give a sec
19:17 < MereX> http://openvpn.pastebin.ca/2027769
19:17 < MereX> ..
19:18 <@vpnHelper> RSS Update - pastebin: Someone <http://pastebin.ca/2027769>
19:20 < MereX> you see my problem?
19:24 -!- OtherJakeSays [~quassel@c-98-202-184-139.hsd1.ut.comcast.net] has joined #openvpn
19:27 -!- cron2_ [~gert@kirk.greenie.muc.de] has joined #openvpn
19:27 < MereX> krzee, I know this sucks... but I would really appreciate input
19:32 -!- Netsplit *.net <-> *.split quits: Essobi, @cron2, blackpenguin, JakeSays, ping-pong, Rolybrau, pa, tjz_, _skrusty, le0
19:32 < krzee> expired too soon
19:33 < krzee> im also working on a script while i check back here
19:33 < MereX> hmm..
19:33 -!- Netsplit over, joins: Essobi
19:33 < krzee> happy festivus Essobi 
19:34 -!- OtherJakeSays is now known as JakeSays
19:34 -!- Solar_chil [Solar_chil@46.100.63.163] has joined #openvpn
19:34 -!- Solar_chil [Solar_chil@46.100.63.163] has quit [Client Quit]
19:39 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
19:39 -!- ping-pong [~qwerty@212-30-223-89.static.simnet.is] has joined #openvpn
19:39 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
19:40 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
19:40 -!- pa [~pa@unaffiliated/pa] has joined #openvpn
19:40 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
19:42 < krzee> MereX, your pastebin expired before i saw it...
19:42 < MereX> hold on
19:42 < MereX> got something which could help out
19:42 -!- samael [~earendil@host171-58-dynamic.16-79-r.retail.telecomitalia.it] has quit [Ping timeout: 272 seconds]
19:42 < krzee> also list your iptables
19:44 < MereX> hey dude, sorry for that one, but i never worked with iptables, i really need more details on how to
19:45 < krzee> man iptables
19:46 < krzee> netfilter.org has some good docs too
19:46 < krzee> and theres always #iptables
19:46 < krzee> im a freebsd user
19:46 < MereX> awesome dude, awesome... ;-) how to inform on iptable shouldn´t be the problem. but actually I am starting freaking out because of my timeframe
19:47 < krzee> but really, your vpn works, you have the right directive for openvpn to add the routing right
19:47 < krzee> ip forwarding is enabled
19:47 < krzee> the remaining thing you need is to NAT the vpn subnet out of your venet0:0's ip
19:48 < krzee> normal NAT rule wont work because you use openvz
19:48 < krzee> but others have found a way around that, which i linked you to
19:48 < krzee> your remaining issues are iptables stuff
19:51 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 260 seconds]
19:52 < MereX> you look pretty sure about that... so i´ll have a look
20:07 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
20:08 -!- Rundll [~thomas@ppp105-140.static.internode.on.net] has quit [Remote host closed the connection]
20:12 -!- pyther [~pyther@unaffiliated/pyther] has quit [Read error: Operation timed out]
20:32 < MereX> krzee, Fri Dec 24 03:21:26 2010 WARNING: potential route subnet conflict between local LAN [10.8.0.0/255.255.255.0] and remote VPN [10.8.0.1/255.255.255.255]   u mean this, what?
20:32 < ecrist> lol
20:38 < MereX> ecrist, u might laugh about this, i´m pretty pissed because I don´t find the solution because of the "NAT" this won´t worked, tried this now often enough
20:39 < ecrist> I was loling about your IP address conflict
20:41 < MereX> okay, so how to solve this?
20:41 < MereX> if you laugh you might have a solution, i guess
20:41 < ecrist> you can't have the same IP range on the VPN and your local lan, that's going to cause problems.
20:42 < ecrist> you need to change one of them.
20:42 < ecrist> !1918
20:42 <@vpnHelper> "1918" is (#1) RFC1918 makes three unique netblocks available for private use: 10.0.0.0/8, 172.16.0.0/12, adn 192.168.0.0/16, or (#2) see also: http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html
20:42 < ecrist> choose something in there.
20:45 < MereX> i don´t even have something about the 10.8.0.0 in my client.conf o.O
20:47 < ecrist> your LOCAL lan, not in your client.conf
20:47 < ecrist> what IP address does your client machine have, before it's even on the VPN?
20:48 < MereX> 192.168.0.17
20:48 < ecrist> !logs
20:48 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin
20:48 < ecrist> !configs
20:48 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
20:49 < MereX> ecrist, come on dude, don´t be complicated... My LOCAL lan is on 192.168 the server is on 10.8 there shouldn´t be any problem..
20:50 < ecrist> dude, I"m trying to help.  let me see your configs, and your server/client logs
20:50 < MereX> where are the logs stored? /var/log/?
20:50 < MereX> *pb
20:50 < ecrist> !loglocation
20:50 < MereX> !pb
20:50 <@vpnHelper> "pb" is Use our pastebin to post configs and logs at http://openvpn.pastebin.ca rather than posting to the channel.
20:50 < ecrist> !factoids search log
20:50 <@vpnHelper> 'topology', 'changelog', 'logs', 'log', 'logfile', and 'irclogs'
20:50 < ecrist> !logfile
20:50 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info
20:52 < MereX> http://openvpn.pastebin.ca/2027817
20:52 <@vpnHelper> RSS Update - pastebin: Mine <http://pastebin.ca/2027817>
20:52 < MereX> there u have configs
20:53 < MereX> can´t contribute u any logs, don´t find anything in the syslog which looks like openvpn
20:54 < MereX> ecrist, got it?
20:54 < ecrist> sweet, but I do need the logs to help you
20:55 < MereX> dude, i´ll paste u my syslog there, but there´s none
20:55 < MereX> none of openvpn
20:55 < ecrist> then generate some logs
20:56 < ecrist> add 'log /var/log/openvpn.log' and 'verb 5' to both server and client config, start the server, try to connect with the client
20:56 < ecrist> tell me what's broken.
20:56 < ecrist> also, in the future, post your configs without the comments, please.
20:57 < MereX> http://openvpn.pastebin.ca/2027820
20:57 < MereX> there u go
20:57 < ecrist> anyone helping you isn't going to need to see the comments :)
20:57 < ecrist> oh, so you did have logs
20:57 < MereX> yeah, syslog.0 didn´t checked it, sorry
20:57 <@vpnHelper> RSS Update - pastebin: Mine <http://pastebin.ca/2027820>
20:58 < ecrist> that looks like part of the client log, can I see the whole thing?  also, the server log, please
20:58 < MereX> this was server log ;)
20:59 < ecrist> looks like you have a firewall issue
20:59 < ecrist> line 23 of the log you just posted in the smoking gun.
21:01 < MereX> but this couldn´t be... because port 1195 ( openvpn ) YEAH 5 net 4 , is free..
21:02 < MereX> well i guess it is free, an i see no firewall... so it should be the datacenter, but those guys there should be every port available
21:03 < ecrist> ok, 'Connection refused (code=111)' means there is something filtering/blocking traffic.
21:03 < MereX> http://readthefuckingmanual.net/error/383/
21:03 <@vpnHelper> Title: readthefuckingmanual.net - solutions to error messages (at readthefuckingmanual.net)
21:03 < ecrist> in this case, UDPv4 
21:04 < MereX> so this should be solved, if i would change my configs to tcp
21:04 < MereX> no more udp
21:04 < ecrist> no
21:05 < MereX> woah come on :(
21:05 < MereX> this really starts sucking..
21:05 < ecrist> can you post both logs, please?  if not, I'm going to walk away, get a drink, and leave you to your own devices.
21:05 < ecrist> I'm only asking for the very things we ask of everyone who comes here for help.
21:06 < MereX> hold on
21:06 < ecrist> ~90% of them have firewall issues, it's why we have it in the channel topic
21:06 < MereX> http://openvpn.pastebin.ca/2027824
21:06 < MereX> but the point actually is that the cert is there and ready to use!
21:07 < ecrist> can you set verb to 5, also, in your configs, as I asked already?
21:08 <@vpnHelper> RSS Update - pastebin: Something <http://pastebin.ca/2027824>
21:09 < MereX> http://openvpn.pastebin.ca/2027826
21:09 < MereX> serversite with verb 5
21:10 < MereX> http://openvpn.pastebin.ca/2027827
21:10 < MereX> clientsite with verb 5
21:12 < ecrist> that's not the full log
21:13 < ecrist> in either case
21:14 -!- Kurogane [~kuro@190.87.80.64] has joined #openvpn
21:14 <@vpnHelper> RSS Update - pastebin: Miscellany <http://pastebin.ca/2027827> || Someone <http://pastebin.ca/2027826>
21:15 < MereX> cubiclecode:~# cat /var/log/syslog | grep "openvpn"
21:15 < ecrist> MereX: this is roughly what I'm looking for: http://openvpn.pastebin.ca/2027830
21:15 < MereX> for the server it is
21:16 < ecrist> that's a complete log, that's what I want from you, server and client.
21:16 < MereX> hey, cubiclecode:~# cat /var/log/syslog | grep "openvpn"
21:16 < MereX>  with this on serversite u got everything, no?
21:16 < ecrist> you've got about 40 seconds before I bail on this sinking ship and swim for shore.
21:17 < MereX> dude
21:17 < MereX> I DONT KNOW WHAT YOU WANT
21:17 < ecrist> !logs
21:17 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin
21:17 < ecrist> !logfile
21:17 < MereX> I GIVE YOU whatever you wnat
21:17 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info
21:17 < ecrist> did you see what I posted?
21:17 < ecrist> what you gave me was 11 lines
21:17 < ecrist> I posted 127
21:17 < MereX> yes i do but the hell look at the command i used
21:17 < MereX> cubiclecode:~# cat /var/log/syslog | grep "openvpn"
21:18 < MereX> in my syslog there are lots of other things that have nothing todo with openvpn
21:18 < MereX> what the hack
21:18 < MereX> how should I do this?
21:18 < ecrist> and I told you, in your configs, change verb to 5 and add 'log /var/log/openvpn.log' and cat from there.
21:18 < ecrist> read what vpnHelper is saying, it's telling you EXACTLY what to do
21:20 < MereX> http://openvpn.pastebin.ca/index.php
21:21 < MereX> client
21:21 <@vpnHelper> RSS Update - pastebin: Mine <http://pastebin.ca/2027832> || Untitled <http://pastebin.ca/2027830>
21:21 < MereX> http://openvpn.pastebin.ca/2027834
21:21 < MereX> server
21:21 < ecrist> wrong link for client
21:22 < ecrist> I figured it out, though
21:24 < ecrist> ok, on your client, you're failing the private key password authentication
21:24 < ecrist> line 267 of your client log
21:25 < ecrist> you need to upgrade your server to 2.1.4 or later
21:25 < ecrist> we no longer support 2.1 RCs
21:25 < ecrist> regardless, your server looks to be doing what it should
21:26 < MereX> so updating the server means aswell updating the client
21:26 <@vpnHelper> RSS Update - pastebin: Anonymous <http://pastebin.ca/2027834>
21:27 < ecrist> at least your client isn't a release candidate
21:27 < MereX> okay, what is now the easiest way updating openvpn?
21:27 < ecrist> but, yes, both should really be updated to 2.1.4 or a beta or dev snapshot
21:27 < MereX> as i installed openvpn over the repos
21:27 < ecrist> I'd suggest 2.1.4, though.
21:27 < ecrist> !download
21:27 <@vpnHelper> "download" is (#1) http://www.openvpn.net/download to download OpenVPN, or (#2) OpenVPN's Windows installer now includes OpenVPN GUI. Don't bother with http://openvpn.se anymore
21:27 < ecrist> I'd worry more aobut the server
21:28 < MereX> yeah, tell me, how to, pls
21:28 < ecrist> but, to be honest, let's get your config fixed, first
21:28 < ecrist> do you know your SSL certificate private key password?
21:28 < MereX> of course I do
21:29 < MereX> ( as I installed openvpn over the repos I guess there´ll be much trouble updating?! )
21:29 < ecrist> can you use it, and re-submit the client log, please?
21:30 < ecrist> MereX: the update is pretty minor, really
21:30 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
21:30 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
21:30 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
21:30 < MereX> <ecrist> can you use it, and re-submit the client log, please?  - I do not understand, sorry for that I really feel myself as a stupid one here - never had this feeling before, but first time using openvpn..
21:31 < ecrist> not trying to make you feel stupid. :)
21:32 < MereX> ;) thank you.. so what you meant, how to proceed by concret?
21:32 < ecrist> connect your client to the server.  when you submitted the last full log, it didn't connect becuase you used the wrong SSL private key password.
21:32 < MereX> yup, right.
21:32 < MereX> i was actually entering a wrong one, because there was no more output, just to try
21:32 < ecrist> use the right password, and connect, then submit the log
21:33 < MereX> okay give me a sec
21:34 < MereX> client or serversite?
21:35 < ecrist> brb
21:36 < MereX> now there isn´t any more serversitelog only clientsite!
21:37 < MereX> http://openvpn.pastebin.ca/2027836    clientsite!
21:37 <@vpnHelper> RSS Update - pastebin: Something <http://pastebin.ca/2027836>
21:39 < krzee> vpnhelper's links are broken
21:40 < MereX> hmm, but my link works, huh?
21:40 < krzee> yep
21:41 < MereX> kk
21:41 < krzee> could use an upgrade to 2.1.4, other than that it looks good
21:41 < krzee> and thats not a big deal either
21:41 < MereX> i hope that man... really... i´m sitting behind this problem since more than 14 hours from now.. 
21:42 < MereX> here it is no 4.40 AM no sleep so far and in 3 hours i have to get up again..
21:42 < MereX> this´ll be hardcore
21:42 < MereX> but is it normal that there is no log on serversite?
21:43 < MereX> only clientsite after connect, even if verbose is set on 5?
21:47 < MereX> krzee, eventhough about the upgrade, is there no problem even if I installed openvpn over the repos?
21:51 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
21:52 -!- krzee [~k@openvpn/community/support/krzee] has quit [Remote host closed the connection]
21:52 -!- MereX2 [~MereX@195.218.5.142] has joined #openvpn
21:52 < MereX2> hmm
21:52 < MereX2> sorry...
21:53 -!- MereX [~MereX@195.218.5.142] has quit [Read error: Connection reset by peer]
21:53 -!- MereX2 is now known as Merex
21:53 < Merex> ecrist, still not back?
21:54 < ecrist> back
21:54 < Merex> oooh yes :D
21:54 < Merex> what was my last message you received?
21:54 < Merex> got the log?
21:55 < ecrist> I got them all, Merex 
21:55 < ecrist> I never really disconnect from here, had to add a code to my alarm panel
21:55 < Merex> yeah, i know that... but I did...
21:55 < Merex> I connected to the vpn, but couldn´t resolve any site. so i thought i´d had to be offline here aswell
21:56 < ecrist> ok, so it appears your client can connect just fine, so now you just want your client to route all it's traffice for the internet through the server, right?
21:56 < Merex> yes sir!
21:56 < Merex> so that there won´t be any sniffing attacks on the congress
21:56 < Merex> as a tunnel 
21:57 < ecrist> ok, so now you need to add the following line to your server config
21:57 < ecrist> push "redirect-gateway def1"
21:57 < ecrist> and do one of the following on the server
21:57 < ecrist> !linnat
21:57 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
21:57 < Merex> do i have to delte the line push "redirect-gateway" or may i only add def1 there ?
21:58 < ecrist> Debian, I assume, based on the repo version.
21:58 < ecrist> you can add def1 in there.
21:58 < Merex> Debian yup, but be patient! I am on a VPS so NAT doesn´t work as !openvzlinnat should tell you ;)
22:00 < ecrist> gah, that sucks
22:00 < Merex> http://openvpn.pastebin.ca/2027845
22:00 < Merex> so we´re back on the beginning -.-
22:01 < ecrist> ah, but you have def1 in the push, now, which you need
22:01 < Merex> yup, but check the pastebin
22:01 < ecrist> !openvzlinnat
22:01 <@vpnHelper> "openvzlinnat" is since openvz cant do NAT inside containers, use iptables -t nat -A PREROUTING -i tun0 -j DNAT --to-destination <container.ip>
22:01 < Merex> what i actually did ( see pastebin )
22:01 < ecrist> that was for me.
22:02 < Merex> kk
22:02 < Merex> so what now?
22:02 < ecrist> google the insmod thing, something you're missing from your kernel, I think
22:02 < ecrist> brb
22:02 -!- smerz [~smerz@smerz.demon.nl] has quit [Remote host closed the connection]
22:02 -!- WinstonSmith [~true@g231218012.adsl.alicedsl.de] has joined #openvpn
22:03 -!- sia is now known as sia^pwnnt
22:04 < Merex> ecrist, wtf ... my /usr/src is empty o.O
22:05 < Merex> well actually on the VPS...
22:05 < Merex> so do I have to do this on the HOST?
22:07 <@vpnHelper> RSS Update - pastebin: Mine <http://pastebin.ca/2027845>
22:23 < Merex> ecrist - tell me when will you be back online? I´ve got to sleep, i´m really really tired
22:24 < Merex> just write me this, i´ll stay connected. See you tomorrow!
22:24 -!- Merex is now known as MereX_sleeps
22:56 -!- Kurogane [~kuro@190.87.80.64] has quit [Remote host closed the connection]
22:58  * ecrist is back
22:59 < ecrist> MereX_sleeps: the nat stuff only needs to happen on the server.  man insmod and find out what you need to do for devices/kernel modules
23:03 -!- ondrejk [ondrej@plox.tor.hu] has quit [Ping timeout: 276 seconds]
23:17 < krzie> nat is unavailable in a openvz box
23:17 < krzie> he can NOT load the module
23:17 < krzie> the workaround was here
23:18 < krzie> http://forum.openvz.org/index.php?t=msg&goto=8117
23:18 <@vpnHelper> Title: OpenVZ Forum: Support » *SOLVED* OpenVPN in VPS : Masquerade (at forum.openvz.org)
23:30 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:42 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
--- Day changed Fri Dec 24 2010
00:04 < ecrist> !learn linnat as on openvz try 'iptables -t nat -A PREROUTING -i tun0 -j DNAT --to-destination container.ip'
00:04 <@vpnHelper> Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
00:04 < ecrist> !learn linnat as on openvz try 'iptables -t nat -A PREROUTING -i tun0 -j DNAT --to-destination container.ip'
00:04 <@vpnHelper> Joo got it.
00:21 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
00:34 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
00:48 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
01:04 -!- WinstonSmith [~true@g231218012.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
01:24 -!- ntucker_ [~ntucker@c-71-227-154-92.hsd1.wa.comcast.net] has quit [Read error: Connection reset by peer]
01:24 -!- ntucker__ [~ntucker@c-71-227-154-92.hsd1.wa.comcast.net] has joined #openvpn
01:27 -!- morbidwar [~morbidwar@78.96.23.179] has joined #openvpn
02:04 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
02:05 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Client Quit]
02:18 -!- ntucker__ [~ntucker@c-71-227-154-92.hsd1.wa.comcast.net] has quit [Read error: Connection reset by peer]
02:18 -!- ntucker__ [~ntucker@c-71-227-154-92.hsd1.wa.comcast.net] has joined #openvpn
02:50 -!- MereX_sleeps [~MereX@195.218.5.142] has quit [Ping timeout: 240 seconds]
02:50 -!- MereX_sleeps [~MereX@195.218.5.142] has joined #openvpn
03:00 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
03:38 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Operation timed out]
03:49 -!- master_of_master [~master_of@p57B57366.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
03:51 -!- master_of_master [~master_of@p57B57E53.dip.t-dialin.net] has joined #openvpn
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:59 -!- markus [~markus@c83-250-36-93.bredband.comhem.se] has quit [Ping timeout: 276 seconds]
04:08 < reiffert> !linnat
04:08 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info, or (#4) on openvz try 'iptables -t nat -A PREROUTING -i
04:08 <@vpnHelper> tun0 -j DNAT --to-destination container.ip'
04:09 < reiffert> wow, thats weired.
04:31 -!- common- [~common@p5DDA4984.dip0.t-ipconnect.de] has joined #openvpn
04:34 -!- common [~common@p5DDA4718.dip0.t-ipconnect.de] has quit [Ping timeout: 250 seconds]
04:34 -!- common- is now known as common
05:03 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
05:06 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has joined #openvpn
05:06 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has quit [Changing host]
05:06 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
05:07 -!- MereX_sleeps is now known as MereX
05:07 -!- Eirel [d980a5da@gateway/web/freenode/ip.217.128.165.218] has joined #openvpn
05:08 < Eirel> hi guys I've got a problem with opnvpn client/server communication on UDP protocole: packet doesn't go throught the tun. Can somebody help me?
05:11 < Bushmills> can client ping server through vpn tunnel?
05:18 < Eirel> yep. And tcp packet goes well (a bit less since I put some try in my server.conf, but at the beginning it works x) )
05:20 < Bushmills> then it shouldn't be an openvpn problem.
05:20 < Bushmills> !firewall
05:20 <@vpnHelper> "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
05:20 < Eirel> allright I'll gonna give it a look
05:21 < Eirel> thanks anyway
05:22 < Eirel> hum...iptables -L shows that my server firewall accpet all kind of connection, so I suppose this come from my windows client...
05:22 -!- MereX [~MereX@195.218.5.142] has quit [Ping timeout: 272 seconds]
05:24 < Bushmills> alternatively, packet is sent to wrong address. for example, to server public address instead of openvpn subnet address
05:26 -!- sia^pwnnt is now known as sia
05:26 < Eirel> well actually, i use iperf to test bandwith and communication between client and server. So, on client side, I have to specified to which server adress I wanna send my packet, and it shouldn't have this kind of problem, except if opnvpn doesn't make the tun correctly...
05:26 < Eirel> is there a way to test where packet are going?
05:28 < Bushmills> mtr
05:30 < Eirel> ?? sorry, don't know about it...
05:30 <@vpnHelper> RSS Update - forum: Is it possible to update sqlite to add users <http://forums.openvpn.net/topic7432.html>
05:31 < Bushmills> i know - you'd not have asked if you did
05:31 < Eirel> ^^'
05:38 < Eirel> so, what's mtr plz?
05:41 < Bushmills> http://scarydevilmonastery.net/snap/1293190862163336382d.png 
05:45 -!- MereX [~MereX@195.218.5.142] has joined #openvpn
05:45 < MereX> ecrist, are you still on?
05:49 <@vpnHelper> RSS Update - forum: OpenVPN connection speed <http://forums.openvpn.net/topic7400.html#p8799>
06:03 -!- pyther [~pyther@adsl-99-155-90-130.dsl.bcvloh.sbcglobal.net] has joined #openvpn
06:03 -!- pyther [~pyther@adsl-99-155-90-130.dsl.bcvloh.sbcglobal.net] has quit [Changing host]
06:03 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
06:05 -!- MereX [~MereX@195.218.5.142] has quit [Read error: Connection reset by peer]
06:21 -!- morbidwar [~morbidwar@78.96.23.179] has quit [Ping timeout: 240 seconds]
06:30 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 264 seconds]
06:38 -!- sia is now known as sia^pwnnt
06:48 -!- unspin [~unspin@S010600900b1a7c77.vc.shawcable.net] has joined #openvpn
06:50 < Eirel> @bushmills: so, I should only launch mtr on ubuntu server, and let it test the network, is that so?
07:00 -!- Eirel [d980a5da@gateway/web/freenode/ip.217.128.165.218] has quit [Ping timeout: 265 seconds]
07:10 -!- sia^pwnnt is now known as sia
07:16 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 276 seconds]
07:18 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
07:25 -!- scatterp [~scatterp@87.127.188.177] has quit [Ping timeout: 276 seconds]
07:31 -!- scatterp [~scatterp@87.127.188.177] has joined #openvpn
07:35 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Ping timeout: 265 seconds]
07:40 -!- sia [115kluu@owned.ninjasinpyjamas.biz] has quit [Ping timeout: 250 seconds]
07:45 -!- markus__ [~markus@c83-250-36-93.bredband.comhem.se] has joined #openvpn
08:07 <@vpnHelper> RSS Update - forum: OpenVPN client for the iPhone and iPad <http://forums.openvpn.net/topic4568.html#p8800>
08:23 -!- sia [115kluu@owned.ninjasinpyjamas.biz] has joined #openvpn
08:50 -!- Eirel [d980a5da@gateway/web/freenode/ip.217.128.165.218] has joined #openvpn
08:51 < Eirel> hi guys can sbdy help me with a problem of UDP non reception upon a tcp tun using openvpn (serv linux, client windows)
08:52 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
08:53 < reiffert> Eirel: sure, go ahead.
08:55 < Eirel> actually, I developpe a soft which communicate with a server on tcp and udp protocole. For some reasons (upnp unavalable) I must create a vpn communication between serv and client. The ping from each to each other is ok, tcp seems to go well, but none of udp packet reach the server...
09:04 -!- JPeterson [HydraIRC@213.103.209.64] has joined #openvpn
09:05 < reiffert> Eirel: start tcpdump or wireshark to help you diagnose the cause.
09:05 < reiffert> My wild guess is one or more firewalls.
09:06 < Bushmills> (12:20:11) Bushmills: then it shouldn't be an openvpn problem.
09:06 < Bushmills> (12:20:24) Bushmills: !firewall
09:06 < Bushmills> !firewall
09:06 <@vpnHelper> "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
09:06 < Eirel> yep that's mine too...I know that the server firewall accept all comunication entry, so I suppose that it should be on client side.
09:07 < Bushmills> or, udp service on server not bound to vpn interface 
09:07 < Bushmills> though that's hardly "packets don't reach server"
09:09 < reiffert> happy helloween, see you soon
09:09 < Bushmills> i'll it the road in about 15...30 min
09:09 < reiffert> same here
09:09 < Bushmills> hit
09:09 < reiffert> snow snow snow on my hill
09:10 < Bushmills> don't dig out the wrong car
09:10 < reiffert> at 12:00 it turned into ice at around 230m over zero
09:10 < Bushmills> going to be slippery business now
09:10 < reiffert> so you should be safe once left saulheim
09:11 < reiffert> however, &
09:11 < Bushmills> some adrenaline is good
09:13 < Bushmills> computer shut down now. will take it along for the ride. so i have some movies to watch when hospitalized :)
09:20 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 260 seconds]
09:46 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
09:55 -!- Eirel [d980a5da@gateway/web/freenode/ip.217.128.165.218] has quit [Quit: Page closed]
10:04 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has quit [Ping timeout: 272 seconds]
10:15 -!- pihhan [~pihhan@pihhan.cipis.net] has joined #openvpn
10:41 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
10:46 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
10:50 -!- JPeterson [HydraIRC@213.103.209.64] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- The professional IRC Client :D]
11:17 -!- sia is now known as sia^pwnnt
11:19 -!- Dougy [me@tech.qsi.net] has quit [Changing host]
11:19 -!- Dougy [me@openvpn/community/user/dougy] has joined #openvpn
11:21 -!- dschuett [~dschuett@ip-66-241-173-54.cmts-dhcp.way.huntel.net] has joined #openvpn
11:21 < dschuett>  I am setting up my first vpn connection - i want to be able to connect to my home network from anywhere. My clients get an IP address and connect fine, but client can't ping server and server can't ping client?
11:25 < hyper_ch> !tell dschuett [welcome]
11:27 < dschuett> can anyone help me?
11:30 < Bushmills> if in doubt, disable ...
11:30 < Bushmills> !firewall
11:30 <@vpnHelper> "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
11:33 -!- pihhan [~pihhan@pihhan.cipis.net] has quit [Quit: using sirc version 2.211+KSIRC/1.3.12]
11:35 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn
11:39 -!- corretico [~corretico@201.201.44.82] has quit [Read error: Operation timed out]
11:40 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
11:44 -!- hetii [~MrHetii@078088207047.walbrzych.vectranet.pl] has joined #openvpn
11:44 < hetii> Hello :>
11:44 < hetii> Merry christmass;>
11:45 < hetii> Q: is is possible to define in openvpn somehow that some user had access to some network/host throught tunel and other not.
11:45 < hetii> ?
11:45 -!- venom00ut [~wer@unaffiliated/venom00] has joined #openvpn
11:54 < dschuett> I am setting up my first vpn connection - i want to be able to connect to my home network from anywhere. My clients get an IP address and connect fine, but client can't ping server and server can't ping client?
11:58 < Bushmills> hetii: that's more something you'd want to set up in firewall, or put users into different subnets, which are routed differently then
11:59 < Bushmills> a way to decide who gets which ip adress is through
11:59 < Bushmills> !ccd
11:59 <@vpnHelper> "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
11:59 < hetii> hmm s
12:00 < hetii> ok i try explain what i had now and what i need
12:02 < hetii> now i had vpn that allow have access to all  subnets (i push some routes and dns settings) but now i also need for some other client access to few ip inside this network
12:03 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
12:03 < hetii> the question is can i set all of that using one vpn instance ?  
12:04  * Bushmills replies with the same he said before
12:05 < hetii> The other question is if i don`t push routes by server config but someone will manually set them on local pc then he will had also access to my network
12:05 < Bushmills> which is why i didn't suggest that
12:07 < dschuett> my server.conf says server 10.8.0.0 255.255.255.0 but when my client connects it says my subnet mask is 255.255.255.252 ???
12:09 -!- atan [~atan@unaffiliated/atan] has quit [Quit: null]
12:14 -!- venom00ut [~wer@unaffiliated/venom00] has quit [Read error: Connection reset by peer]
12:17 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
12:24 -!- dschuett [~dschuett@ip-66-241-173-54.cmts-dhcp.way.huntel.net] has left #openvpn []
12:29 -!- hetii [~MrHetii@078088207047.walbrzych.vectranet.pl] has quit [Ping timeout: 240 seconds]
12:29 -!- corretico [~corretico@201.201.44.82] has quit [Remote host closed the connection]
12:36 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
12:42 -!- hetii [~MrHetii@078088207047.walbrzych.vectranet.pl] has joined #openvpn
12:42 < hetii> re
12:42 < hetii> i lost my connection 
12:44 -!- MrHetii [~MrHetii@078088207047.walbrzych.vectranet.pl] has joined #openvpn
12:45 < MrHetii> ehh
12:47 -!- hetii [~MrHetii@078088207047.walbrzych.vectranet.pl] has quit [Ping timeout: 260 seconds]
12:49 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
12:49 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
12:49 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
12:49 -!- hetii [~MrHetii@078088207047.walbrzych.vectranet.pl] has joined #openvpn
12:50 -!- hetii is now known as Hetii
12:50 < Hetii> hmm
12:51 -!- MrHetii [~MrHetii@078088207047.walbrzych.vectranet.pl] has quit [Ping timeout: 250 seconds]
13:02 -!- Hetii [~MrHetii@078088207047.walbrzych.vectranet.pl] has quit [Ping timeout: 265 seconds]
13:03 -!- s7r [~s7r@212.78.230.250] has joined #openvpn
13:05 -!- hanasaki [~hanasaki@76.92.220.37] has joined #openvpn
13:05 < hanasaki> how do you replace a user that was w/ot a pass with one that has a pass?
13:13 -!- krzie [~k@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
13:30 -!- s7r1 [~s7r@89.39.174.74] has joined #openvpn
13:31 -!- s7r1 [~s7r@89.39.174.74] has left #openvpn []
13:33 -!- s7r [~s7r@212.78.230.250] has quit [Ping timeout: 264 seconds]
14:10 -!- hanasaki [~hanasaki@76.92.220.37] has quit [Remote host closed the connection]
14:11 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds]
14:20 -!- hanasaki [~hanasaki@76.92.220.37] has joined #openvpn
14:48 -!- hetii [~MrHetii@078088207047.walbrzych.vectranet.pl] has joined #openvpn
14:48 < hetii> re
14:48 < hetii> Q: i need help. how to set openvpn that will not allow trafic that is not set on CCD file.
14:59 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 272 seconds]
15:07 < hetii> so how to secure it  :>
15:11 -!- hanasaki [~hanasaki@76.92.220.37] has left #openvpn []
15:11 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
15:13 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has joined #openvpn
15:13 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has quit [Changing host]
15:13 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
15:17  * derekv watches the proxy cache log at work at realizes someone doesn't know that if they listen to xm radio online while connected to whe work proxy its stupid
15:17 < derekv> I need to change the wpad
15:23 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has quit [Ping timeout: 265 seconds]
15:32 < Bushmills> (18:58:40) Bushmills: hetii: that's more something you'd want to set up in firewall, or put users into different subnets, which are routed differently then
15:42 -!- pihhan [~pihhan@pihhan.cipis.net] has joined #openvpn
15:48 < hetii> But...
15:49 < hetii> even when i put it into firewall there are still way how to get access to host that someone should had no access.
15:49 < Bushmills> then make better firewall rules
15:50 < hetii> imagine that i set some rule based on client ip then someone can mad alias and use some ip used by other client that had more privigeless than this one.
15:51 < hetii> only openvpn know on with client is connected and should be able to set some proper restriction
15:51 < Bushmills> no. server associates his openvpn ip address with his network ip address. when client changes openvpn ip address, packets won't be returned to him
15:51 < Bushmills> if you give static address to clients, you can be sure that clients will use that address
15:52 < Bushmills> openvpn is not a firewall. openvpn provides an encrypted tunnel. for policing access to services or resources, you'd use a firewall.
15:52 < hetii> for eg by ifconfig-push 10.0.0.2 255.255.255.0 putted inside ccd customer file ?
15:53 < Bushmills> such as, yes
15:55 < hetii> and you are sure that even if client will do something like alias for his vpn tun interface or change ip tunel will break instead give him a way to go deeper ?
15:55 < Bushmills> he can alias it if he likes - but the server doesn't care. it even doesn't know about it.
15:57 < hetii> ok so then i try to do it on this way and check few ideas ho to break it :) 
15:59 < Bushmills> i have the /24 openvpn subnet split into two /25 nets, with different base set of privileges
15:59 < hetii> but one things more wondering me. Let say that i had a lots defaults rules for eg. abour routes on my main config file and then on the client file inside ccd i want to exclude some of the default rules 
15:59 < hetii> is it possible ?
15:59 < hetii> or instead i need to copy all of them to each of my file into personal ccd file ?
16:00 < Bushmills> what can removed  by openvon options, you can remove in ccd files. 
16:00 < Bushmills> where there is no option to remove features after adding, you can't 
16:01 < hetii> in my case it will be push directive
16:03 -!- unspin [~unspin@S010600900b1a7c77.vc.shawcable.net] has quit [Ping timeout: 250 seconds]
16:06 < Bushmills> http://scarydevilmonastery.net/snap/1293228355509156214d.png
16:06 < Bushmills> that section comes from - oh wonder - the man page
16:09 < hetii> sarcasm :>
16:11 < Bushmills> you may also want to read about --learn-address
16:32 -!- pihhan [~pihhan@pihhan.cipis.net] has quit [Quit: using sirc version 2.211+KSIRC/1.3.12]
16:32 < hetii> thx ;) will check it:>
16:43 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
16:52 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 260 seconds]
17:00 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Read error: Connection reset by peer]
17:04 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has quit [Ping timeout: 272 seconds]
17:06 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
17:11 <@vpnHelper> RSS Update - forum: Static Key Setup & Routing <http://forums.openvpn.net/topic7417.html#p8801>
17:15 < hetii> hmm
17:16 < hetii> almast all isse i  resolve but wondering why i cannot get answer when i push to my client ip that don`t belong to my internal LAN 
17:17 < hetii> theoreticly this trafic shoulg  then via default gateway 
17:29 <@vpnHelper> RSS Update - forum: Static Key Setup & Routing <http://forums.openvpn.net/topic7417.html#p8802>
17:38 < ecrist> wtf, my home systems aren't pingable from my parent's house
17:38 < ecrist> lamesauce
17:41 < krzee> mehhhh?
17:41 < krzee> can you ping butters?
17:41 < krzee> ill make you a vpn in if you can
17:42 < krzee> ...i can ping it
17:50 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn
17:51 -!- gorkhaan [~gorkhaan@adsl-101-17.globonet.hu] has joined #openvpn
17:52 < gorkhaan> Hi. I'm testing network throughtput with iperf and openvpn. It seems like it the maximum speed is 20MByte/sec ?  My network has 1GBit.
17:52 < gorkhaan> im using tunnel.
17:52 < gorkhaan> I played with MTU, nothing interesting happened.
17:53 < gorkhaan> VPN connection is UDP, 
17:53 < gorkhaan> udp6 to be clear
17:54 < gorkhaan> turned LZO on and off, nothing interesting either.
17:56 < krzee> what OS's?
17:57 < krzee> there are definitely deficiencies in the tun devices of some OS... but 20MB/s over gigabit sounds pretty slow
17:57 < krzee> when playing with mtu, did you read this:
17:57 < krzee> !mtu
17:57 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config, or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
17:57 < krzee> #2
17:58 < gorkhaan> ubuntu  either of them
17:58 < gorkhaan> let's see.
18:01 < gorkhaan> when everything is default:  Empirical MTU test completed [Tried,Actual] local->remote=[1541,1541] remote->local=[1541,1541]
18:01 < gorkhaan> but TCP over UDP tunnel stops at maximum 20MegaByte/sec
18:04 < krzee> can you see anything getting high on your box during that? cpu? interupts? anything
18:05 < reiffert> re
18:06 < krzee> happy festivus reiffert!
18:06 < gorkhaan> yeah CPU having a "hard" time, model name	: AMD Athlon(tm) 64 X2 Dual Core Processor 6000+  1 core is nearly 80% used during the test.
18:07 < krzee> ahh
18:07 < krzee> looks like you found one of the shortcomings of openvpn
18:07 < reiffert> every one's compelling about a white christmas. Today we do *have* white christmas as 10cm brand new and fresh snow fell.
18:07 < krzee> single threaded, cant use more than 1 cpu
18:07 < reiffert> but because of those compelling it took me 2 hours to get a 110km ride done ...
18:07 < krzee> hahaha
18:08 < krzee> its somewhat warm here, thinking bout going to the beach on tuesday
18:09 < reiffert> On the frozen snow you can drive about 80km/h without any problems .. but when you come up with another car you have to slow down to 30 .. 40km/h
18:09 < reiffert> damn.
18:09 < krzee> i would need to go 20km/h, never driven on snow/ice before
18:09 < reiffert> well some time later I ran up to a snowplough driving 60km/h .. but driving behind that snowplough "frozen snow" converted into "frozen", so even worse
18:09 < krzee> and would rather arive alive
18:09  * qermit loves driving snowed roads
18:10 < reiffert> And I couldnt overtake that snowplough as it drove right in the middle of the road and it was ignoring my singals .. :(
18:11 < reiffert> If I only could have told him, that driving behind it is even worse than before .. sigh sigh sigh
18:12 < gorkhaan> one test: http://dl.dropbox.com/u/531976/ovpnv6.png  :)
18:12 < reiffert> On the last 3km it goes uphill for me, from about 170m absolute altitude to 430m aa... one car was trying to get uphill with walking speed.
18:13 < reiffert> of course the wheels will overrun(?) and it failed right in front of me :)
18:13 < krzee> gorkhaan, 2  97%  is core 2 of the cpu?
18:13 -!- ChocoCooks [~daniell@82-168-191-228.ip.telfort.nl] has joined #openvpn
18:14 < reiffert> My ride ended with not succeeding in getting my car into the garage driving forth .. backwards was the deal...
18:14 < reiffert> so thats all for white christmas here. I wish you a happy one of course!
18:14 < krzee> gorkhaan, if so, the only way you will get faster is with a cpu with faster cores (it could even be single core if nothing else loads the system
18:14 < gorkhaan> hm I see.
18:14 < ChocoCooks> mery xmas all
18:15 < krzee> reiffert, why could you not get it in forward?
18:15 < reiffert> krzee: driving on snow and ice is big big fun :)
18:15 < reiffert> krzee: the wheels overran when I tried to get up that last 10m hill..
18:15 < krzee> ohh i see, wow
18:15 < krzee> merry xmas ChocoCooks =]
18:16 < reiffert> tried again with some "start-up"(?) but failed again
18:16 < krzee> "momentum"
18:16 < reiffert> oh right, momentum sounds pretty sane
18:17 < reiffert> point is, you have to turn the car for 90 degrees right when this last 10m hill starts...
18:17 < gorkhaan> krzee, thanks now I've got another idea, running multiple instances of OpenVPN on a different ports should "do the trick". :) Thanks for the answers,  Merry Xmas 4 everyone
18:18 < reiffert> so you cant do it while driving fast, the hill starts, wheel overrun, car stops after some right/left sliding on the front axis
18:19 < krzee> gorkhaan, correct, thats another way to get more throughput for multiple clients... doesnt help that SINGLE burst tho
18:21 < krzee> ive seen this problem in relation to have too many clients connected, you're the first ive seen where throughput was what triggered it... but same solution (btw in openvpn3 which will not be around for awhile, it should be less of an issue)
18:21 < reiffert> lemmy got 65 today btw
18:22 < reiffert> krzee: that's representative for "now" http://www.hunsrueck-wetter.de/
18:22 < gorkhaan> krzee, yeah, thats fine for now. :) I've got multiple clients, --remote-random will help. ( if it's really random )
18:22 <@vpnHelper> Title: Hunsrck Wetter / Flughafen Hahn Wetter/ Hunsrck Webcam (at www.hunsrueck-wetter.de)
18:22 < reiffert> although that image is 3.5hours old
18:22 < reiffert> let's get another one
18:23 < krzee> i must admit... thats pretty beautiful
18:24 < reiffert> http://www.eswe-versorgung.de/fileadmin/be_user/img/webcam/bild1_gross.jpg
18:25 < reiffert> http://www.rhein-mosel-dreieck.de/webcam/webcam/current.jpg
18:32 < ChocoCooks> if u need faster vpn use ipsec
18:32 < ChocoCooks> but afaik openvpn is plenty fast enough on one core even
18:32 -!- WinstonSmith [~true@e177092065.adsl.alicedsl.de] has joined #openvpn
18:33 < krzee> well hes getting 100% cpu on the 1 core from 20MB/s (over gigabit)
18:33 < krzee> but he said that by adding a second process (to use the other core) it will solve his needs
18:37 < reiffert> might be intresting to debug where exactly all that cpu time gets wasted.
18:39 < ChocoCooks> you mean 20MB or 20Mb
18:40 < ChocoCooks> 20MB/s is preety damn fast, what is he using openvpn on, a local ethernet?
18:40 < reiffert> krzee: you were mentioning ovpn3, are there any plans like e.g. multi port binding?
18:42 < krzee> yep
18:42 < krzee> on multiple protos
18:42 < reiffert> any roadmap online?
18:42 < krzee> kinda, lemme find
18:42 -!- guille_ [~user@69.Red-83-54-97.dynamicIP.rima-tde.net] has joined #openvpn
18:42 < guille_> hi there
18:42 < krzee> https://community.openvpn.net/openvpn/wiki/RoadMap
18:42 <@vpnHelper> Title: RoadMap – OpenVPN Community (at community.openvpn.net)
18:43 < guille_> I've a push "redirect-gateway" directive but the client is taking as default gateway a different IP than the server one, how can this be?
18:44 < krzee> !redirect
18:44 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:49 < guille_> the thing is an ifconfig reveals the point-to-point connection is established from 10.8.0.6 (my ip), to 10.8.0.5 (doesn't exist, the server's ip is 10.8.0.1)
18:52 < guille_> I've just read that it's normal since there're two addresses for both networks
18:56 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 272 seconds]
18:57 < guille_> Should I be able to ping 10.8.0.5?
18:58 -!- Visual` [~visualsta@ip-80-236-243-4.dsl.scarlet.be] has joined #openvpn
18:58 -!- Visual` [~visualsta@ip-80-236-243-4.dsl.scarlet.be] has quit [Changing host]
18:58 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
19:01 < krzee> no
19:01 < krzee> !/30
19:01 <@vpnHelper> "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
19:01 < krzee> .2 and .6 are virtual IPs internal to how topology net30 (default) works
19:02 < krzee> you'll notice your server has 10.8.0.1 and its ptp is setup for 10.8.0.2, just like the .5 of your client
19:06 -!- sia^pwnnt is now known as sia
19:06 < ChocoCooks> is routed or bridged connection better?
19:06 < ChocoCooks> never tried bridged 
19:07 < krzee> depends on your goal, normally routed
19:07 < guille_> krzee: thanks. i'll review the docs in more detail
19:08 -!- WinstonSmith [~true@e177092065.adsl.alicedsl.de] has quit [Ping timeout: 265 seconds]
19:11 < ChocoCooks> hmm
19:11 < ChocoCooks> well i dont want dns requests to go outside of the tunnel
19:11 < ChocoCooks> which i notice happens with routed
19:11 < ChocoCooks> i can see dns in wireshark
19:15 < krzee> !pushdns
19:15 <@vpnHelper> "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
19:17 < krzee> does your nameserver happen to be the same as a) your local router or b) your server?
19:21 -!- WinstonSmith [~true@g231218012.adsl.alicedsl.de] has joined #openvpn
19:25 -!- tjz [~pc@67.220.220.132] has joined #openvpn
19:25 -!- tjz [~pc@67.220.220.132] has quit [Changing host]
19:25 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
19:27 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Quit: leaving]
19:27 -!- hetii [~MrHetii@078088207047.walbrzych.vectranet.pl] has quit [Ping timeout: 240 seconds]
19:27 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
19:32 -!- gorkhaan [~gorkhaan@adsl-101-17.globonet.hu] has quit [Quit: Távozom]
19:39 -!- WinstonSmith [~true@g231218012.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
19:41 < ChocoCooks> krzee
19:41 < ChocoCooks> back
19:41 -!- guille_ [~user@69.Red-83-54-97.dynamicIP.rima-tde.net] has quit [Ping timeout: 240 seconds]
19:41 < ChocoCooks> i'm not sure, i rent a VPS i think the server has the nameserver on it
19:42 < krzee> cat /etc/resolv.conf
19:42 < krzee> gunna go get drinks, bbl
19:43 < reiffert> I like really like the apple libc extension on resolving hostnames: you can have one nameserver per domain, if you like.
20:00 < krzee> maybe you have an idea for this reiffert 
20:00 < krzee> [21:56]  <krzee> i think select would be best for this, but not sure how it would look... i have 2 arrays, hometeam[$idgame] and visitorteam[$idgame], i would like to give a list of all hometeam vs visitorteam, and set another variable to be the $idgame they selected
20:00 < krzee> [21:57]  <krzee> i think select would be nice because it would give them index 1 through X to choose, but i have no idea how i would know the $idgame that = the hometeam v visitorteam they selected
20:01 < reiffert> perl?
20:01 < krzee> bash
20:02 < krzee> bash4 to be specific
20:02 < reiffert> hometeam = (foo bar)
20:02 < reiffert> visitorteam = (foz baz)
20:03 < reiffert> show me an example of what should be printed out
20:04 < krzee> rather idgame=69 ; hometeam[$idgame]= (foo bar) ; visitorteam[$idgame]=(foz baz)
20:04 < reiffert> ok, understood.
20:04 < krzee> 1)  foo bar VS foz baz
20:05 < krzee> if the user selects 1, i want specialgame=69
20:05 < reiffert> have an additional array which maps 1 to 69.
20:05 < krzee> not that i know of, bash select invents the 1
20:06 < krzee> i THINK $1 is 1 $2 is 2
20:06 < reiffert> ah.
20:06 < reiffert> PS3="Choose: "
20:06 < reiffert> select i in a b c quit do  [ $i = "quit" ]  && exit 0 echo "You chose $i"
20:06 < reiffert> done
20:08 < reiffert> 1 is save in $REPLY
20:08 < reiffert> quoting the manpage:
20:08 < reiffert>  The  line  read  is saved  in  the  variable REPLY.
20:10 < krzee> hrm, so for each idgame i could make a new array which is hometeam vs visitorteam (aka "foo bar VS foz baz")
20:10 < krzee> that will help for displaying
20:10 < krzee> but im still not sure how ill find the idgame for the entry they select
20:11 < reiffert> thomas-reifferscheids-macbook:~ thomas$ select i in a b c quit;  do   [ $i = "quit" ]  && exit 0;  echo "You chose $i in line $REPLY"; done
20:11 < reiffert> 1) a
20:11 < reiffert> 2) b
20:11 < reiffert> 3) c
20:11 < reiffert> 4) quit
20:11 < reiffert> Choose: 1
20:11 < reiffert> You chose a in line 1
20:11 < reiffert> Choose: 
20:11 < reiffert> idgames=$REPLY
20:12 < krzee> sure, but if a is the contents of a array var, how do i find the INDEX of that array var
20:12 < krzee> not the value, the index itself is what i need
20:12 < krzee> the value of the index number, as opposed to the contents of the array[index]
20:12 < reiffert> index is $REPLY
20:13 < krzee> that is the select's index
20:13 < reiffert> so?
20:13 < krzee> i need the array index
20:13 < krzee> like 69 in my above example, not 1
20:14 < reiffert> select i in ${#array}; do echo index=$REPLY; done
20:16 < krzee> idgame=69 ; game[$idgame]="foo bar VS foo baz"    ,   i want them to see foo bar VS foo baz, type 1 to select it, and then specialgame will = 69, thats what you're saying?
20:19 < reiffert> array=( foo bar ); select i in ${array[@]}; do let index=REPLY-1; echo $index; done
20:19 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
20:19 < reiffert> krzee: I'm not sure about your select statement. please be more verbose about *what* the user actually sees.
20:21 < krzee> 1) foo bar VS foz baz
20:21 < reiffert> how and why does it get there?
20:22 < reiffert> and what about 2)
20:22 < krzee> 2) would be some other game[$idgame]
20:23 < krzee> maybe that idgame=70, maybe it is some other number
20:23 < tjz> Merry xmas jeff~ :D
20:23 < tjz> merry xmas, refiffert~~
20:23 < tjz> :D
20:23 < krzee> merry xmas tjz
20:24 < reiffert> krzee: ok. in the algorithm that chooses for idgame in 69 131; put it in the array for the select call; done
20:24 < reiffert> do something like this:
20:24 < reiffert> for idgame in 69 131; do
20:24 < reiffert>   put game[$idgame] into the array for the select call;
20:25 < reiffert>   idbridge[$i] = $idgame;
20:25 < reiffert>   let i=i+1;
20:25 < reiffert> done
20:25 < reiffert> dont forget to initialize i with i=0
20:25 < krzee> ohhh i see
20:25 < reiffert> user chooses 1)
20:25 < krzee> THEN i can use $REPLY
20:25 < reiffert> idbridge[1]=69
20:25 < krzee> damn good idea man!
20:28 < krzee> yay now i can go get food / drinks
20:28 < reiffert> :)
20:28 < krzee> saving the buffer, i know that will work just gotta play with it
20:28 < reiffert> sure it will.
20:28 < reiffert> better rethink that select stuff and switch to dialog
20:31 < krzee> but i dunno how many items there will be, case / ifs would be too ugly
20:32 < krzee> oh dialog is a command
20:34 < reiffert> powerful one
20:54 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
20:59 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
21:01 < ChocoCooks> krzee u there
21:26 < ChocoCooks> have dns question
21:26 -!- sia is now known as sia^pwnnt
21:27 < ChocoCooks> my server is telling me it is using 194.60.207.52 as nameserver
21:27 < ChocoCooks> that's a local ip right?
21:27 < ChocoCooks> therefore my server is hosting the nameserver?
21:33 -!- pyther [~pyther@unaffiliated/pyther] has quit [Read error: Operation timed out]
21:48 -!- JozoSalt [~daniell@vps6794.xlshosting.net] has joined #openvpn
21:50 -!- ChocoCooks [~daniell@82-168-191-228.ip.telfort.nl] has quit [Ping timeout: 240 seconds]
21:52 -!- JozoSalt is now known as ChocoCooks2
22:03 -!- ChocoCooks [~daniell@82-168-191-228.ip.telfort.nl] has joined #openvpn
22:06 -!- ChocoCooks2 [~daniell@vps6794.xlshosting.net] has quit [Ping timeout: 272 seconds]
22:17 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 260 seconds]
22:26 -!- ChocoCooks [~daniell@82-168-191-228.ip.telfort.nl] has quit [Read error: Connection reset by peer]
22:26 -!- ChocoCooks [~daniell@82-168-191-228.ip.telfort.nl] has joined #openvpn
22:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
22:34 -!- ChocoCooks [~daniell@82-168-191-228.ip.telfort.nl] has quit []
22:34 -!- ChocoCooks [~daniell@82-168-191-228.ip.telfort.nl] has joined #openvpn
22:39 -!- felix_da_catz [~felix_da_@50.15.94.128] has joined #openvpn
22:50 -!- ChocoCooks [~daniell@82-168-191-228.ip.telfort.nl] has quit [Ping timeout: 240 seconds]
22:50 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
22:53 < felix_da_catz> hey you here?
22:53 < ChocoCooks> yep
22:53 < felix_da_catz> Ok cool.
22:53 < felix_da_catz> So removing the DNS servers didn't help?
22:54 < ChocoCooks> seems its not possible to get dns requests to go through vpn tunnel
22:54 < ChocoCooks> not in routed mode anyway
22:54 < felix_da_catz> ahh
22:54 < felix_da_catz> Have to do bridge mode or whatever?
22:54 < ChocoCooks> bridged mode might do it, but for some reason every1 says routed is best
22:55 < felix_da_catz> Well bridge is weird.  
22:56 < felix_da_catz> So what is using CentOS?  The OpenVPN box?
22:56 < ChocoCooks> yep
22:56 < felix_da_catz> ok, what about your connection at the house?  You have the Windows 7 box.  Is there anything in between the Windows 7 box and your device that connects you to the internet?
22:57 < ChocoCooks> a nat
22:57 < felix_da_catz> You have a wireless router right? 
22:57 < ChocoCooks> one of those all in one wireless routers/nats
22:57 < felix_da_catz> ok
22:58 < ChocoCooks> bridged mode looks to be very complicated to set up
22:58 < felix_da_catz> I have never set it up with a VPN before.
22:59 < felix_da_catz> It is technically pretty easy to do.  Or at least used to be in Windows XP
23:01 < felix_da_catz> What about this link here?  https://forum.perfect-privacy.com/showthread.php?t=702
23:01 < ChocoCooks> am reading bout it
23:03 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit []
23:10 -!- scatterp [~scatterp@87.127.188.177] has quit [Ping timeout: 260 seconds]
23:14 -!- KindOne [~lol@unaffiliated/kindone] has joined #openvpn
23:16 -!- scatterp [~scatterp@87.127.188.177] has joined #openvpn
23:18 -!- nb [~nb@fedora/nb] has quit [Quit: ZNC - http://znc.sourceforge.net]
23:19 -!- nb [~nb@fedora/nb] has joined #openvpn
23:52 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
--- Day changed Sat Dec 25 2010
00:07 < Dougy> meh
00:25 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
00:28 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 264 seconds]
00:41 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
01:45 < krzee> lol
01:45 < krzee> he does not need bridged mode
01:45 < krzee> just because he doesnt have it right he made up the theory that routed cant do it
01:48 -!- JPeterson [HydraIRC@213.103.209.64] has joined #openvpn
01:49 < JPeterson> can I debug the routing?
01:49 < JPeterson> i have four openvpn clients and all of them can ping eachother, except 10.8.0.10 can't ping 10.8.0.14
01:50 < JPeterson> but 10.8.0.14 can ping 10.8.0.10
01:50 < JPeterson> i restarted all clients and the server
01:53 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
01:54 < JPeterson> ok, now it worked, when i restarted the server again
03:22 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
03:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 240 seconds]
03:41 < Dougy> ahh i love being an EMT
03:41 < Dougy> pole 1 nissan pathfinder 0
03:49 -!- master_of_master [~master_of@p57B57E53.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
03:51 -!- master_of_master [~master_of@p57B57F9C.dip.t-dialin.net] has joined #openvpn
03:51 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
04:31 -!- common- [~common@p5DDA4326.dip0.t-ipconnect.de] has joined #openvpn
04:34 -!- common [~common@p5DDA4984.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
04:34 -!- common- is now known as common
04:40 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
04:48 -!- cpm [~Chip@c-75-75-170-11.hsd1.pa.comcast.net] has joined #openvpn
04:48 -!- cpm [~Chip@c-75-75-170-11.hsd1.pa.comcast.net] has quit [Changing host]
04:48 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
04:50 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Client Quit]
06:56 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
07:12 -!- Floort [~floort@dhcp-077-250-046-156.chello.nl] has joined #openvpn
07:12 < Floort> !welcome
07:12 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:13 < Floort> !goal
07:13 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:13 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 255 seconds]
07:32 -!- ChocoCooks [~daniell@82-168-191-228.ip.telfort.nl] has joined #openvpn
07:32 < ChocoCooks> how make sure dns requests go through the vpn?
07:41 < krzee> heh
07:41 < krzee> !pushdns
07:41 <@vpnHelper> "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
07:42 < krzee> use a dns server whose route is set to go over the vpn
07:42 < krzee> since you mentioned you redirect your gateway before, try 8.8.8.8
07:42 < krzee> !dns
07:42 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4
07:44 < ChocoCooks> hi
07:44 < ChocoCooks> i'm reading the how to document, it says you can push an internet dns server at 10.66.0.4
07:44 < ChocoCooks> but i don't have any internal dns server on the server
07:45 < ChocoCooks> 8.8.8.8 is google
07:45 < ChocoCooks> that would work? i'd have thought if my computer contacts google directly then that is outside of the vpn tunnel
07:47 < ChocoCooks> ah
07:48 < ChocoCooks> your saying if i push 8.8.8.8 then my dns goes through the vpn then to google
07:48 < ChocoCooks> ok fine thx will try
07:50 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has quit [Read error: Operation timed out]
07:51 < krzee> you dont even necessarily have to push it
07:51 < krzee> you can just change your client to use that
07:51 < krzee> client is unix from our last conversation... right?
07:53 < ChocoCooks> client is win 7
07:53 < ChocoCooks> server is centos
07:53 < krzee> oh so you were telling me your server's dns server, lol
07:53 < ChocoCooks> i have a nat router between my computer and the internet
07:53 < krzee> ya try the pushdns
07:54 < ChocoCooks> i just prefer having it pushed than changing the client
07:54 < ChocoCooks> seems more convenient
07:54 < krzee> it will be, for windows
07:54 < ChocoCooks> so then it'll be impossible for my win 7 to use my isp's dns?
07:54 < krzee> in unix it would be lazier to just change the client, since you need to setup a script to handle the pushdns in unix client
07:54 < krzee> do it, test it, decide for yourself
07:55 < ChocoCooks> yea i read about that
07:55 < krzee> i dont use windows
07:55 < krzee> but i do garuntee that its not some shortcoming of tun like you assumed earlier
07:55 < ChocoCooks> ah
07:55 < ChocoCooks> thought i might have to do bridged
07:55 < krzee> absolutely not
07:55 < krzee> !tunortap
07:55 <@vpnHelper> "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you over
07:55 <@vpnHelper> the vpn, or (#4) lan gaming? use tap!
07:56 < ChocoCooks> great, because bridged seems hard as hell to setup in comparison
07:56 < krzee> i agree
07:57 < ChocoCooks> k will try it and do a wireshark on the wireless adapter
08:01 -!- krzie [~k@ftp.secure-computing.net] has joined #openvpn
08:01 -!- krzie [~k@ftp.secure-computing.net] has quit [Changing host]
08:01 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
08:01 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 272 seconds]
08:07 <@vpnHelper> RSS Update - forum: Advice / Help with openVPN <http://forums.openvpn.net/topic7372.html#p8803>
08:41 < ecrist> merry xmas, bitches
08:46 -!- pyther [~pyther@adsl-99-155-90-130.dsl.bcvloh.sbcglobal.net] has joined #openvpn
08:46 -!- pyther [~pyther@adsl-99-155-90-130.dsl.bcvloh.sbcglobal.net] has quit [Changing host]
08:46 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
08:48 -!- ChocoCooks2 [~daniell@vps6794.xlshosting.net] has joined #openvpn
08:50 -!- ChocoCooks [~daniell@82-168-191-228.ip.telfort.nl] has quit [Ping timeout: 260 seconds]
08:54 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
08:57 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
08:57 -!- ChocoCooks2 [~daniell@vps6794.xlshosting.net] has quit [Read error: Connection reset by peer]
09:00 < ChocoCooks> well
09:00 < ChocoCooks> i tried pushing 8.8.8.8
09:00 < ChocoCooks> then opendns
09:00 < ChocoCooks> both times i still can see info about my isp's dns when i do dns resolver test
09:00 < ChocoCooks> also can see a few dns queries in wireshark but not as many as before
09:11 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
10:01 < ecrist> !dns
10:01 <@vpnHelper> "dns" is (#1) Level3 open recursive DNS server at 4.2.2.[1-6], or (#2) Google open recursive DNS server at 8.8.8.8 / 8.8.4.4
10:01 < ecrist> !pushdns
10:01 <@vpnHelper> "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
10:06 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Read error: Connection reset by peer]
10:16 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Ping timeout: 272 seconds]
10:35 <@vpnHelper> RSS Update - forum: Problem when connecting Samba <http://forums.openvpn.net/topic7433.html>
10:41 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
10:48 -!- ChocoCooks [~daniell@82-168-191-228.ip.telfort.nl] has joined #openvpn
10:49 < ChocoCooks> i'm screwed
10:49 < ChocoCooks> Sat Dec 25 16:54:07 2010 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
10:49 < ChocoCooks> can't connect anymore 
10:51 -!- DrJ is now known as Bacon
10:51 -!- Bacon is now known as DrJ
10:51 -!- DrJ is now known as Bacon
10:51 -!- Bacon is now known as DrJ
10:59 < ChocoCooks> Sat Dec 25 17:58:26 2010 Message hash algorithm 'SHA512' not found (OpenSSL)
11:04 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
11:16 -!- ChocoCooks2 [~daniell@vps6794.xlshosting.net] has joined #openvpn
11:16 -!- ChocoCooks2 [~daniell@vps6794.xlshosting.net] has quit [Client Quit]
11:16 -!- ChocoCooks2 [~daniell@vps6794.xlshosting.net] has joined #openvpn
11:18 -!- ChocoCooks [~daniell@82-168-191-228.ip.telfort.nl] has quit [Ping timeout: 265 seconds]
11:27 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
11:27 -!- ChocoCooks2 [~daniell@vps6794.xlshosting.net] has quit [Read error: Connection reset by peer]
11:27 -!- luneff [~yury@84.51.202.205] has joined #openvpn
11:34 -!- luneff [~yury@84.51.202.205] has quit [Quit: Leaving]
11:37 -!- atan [~atan@unaffiliated/atan] has quit [Quit: null]
12:27 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
12:27 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
13:22 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined #openvpn
13:50 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined #openvpn
14:01 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
14:06 < Bushmills> ChocoCooks: windows or non-windows client?
14:06 < ChocoCooks> windows 7
14:07 < ChocoCooks> the push dhcp dns option in server isn't working 
14:07 < ChocoCooks> because my router overides it
14:07 < ChocoCooks> even i set my computer to use no dns, it'll still pick up dns settings from router which has a dhcp server running on it courtery of my isp
14:08 < krzie> then change the dns server in your router, lol
14:08 < Bushmills> dhcp clients can be configured to not request certain data. like, don't request name servers. no idea how that would be done with windows.
14:09 < ChocoCooks> i'd rather not mess with the router
14:09 < ChocoCooks> because i'm a road warrior
14:09 < ChocoCooks> i wont always have access to the router
14:09 < ChocoCooks> in a wireless hotspot for example
14:09 < krzie> then dont *shrug*
14:10 < Bushmills> so you prefer a non-resolving setup over one which does resolve, because a road warrior prefer to not fix the router settings?
14:10 < ChocoCooks> not quite
14:10 < ChocoCooks> im considering just setting the dns i want in my wireless adapter tcp4 settings
14:10 < ChocoCooks> then the dns goes through the vpn
14:11 < Bushmills> router isn't vpn client?
14:11 < ChocoCooks> the router is just between me and the internet
14:11 < ChocoCooks> so no
14:11 < ChocoCooks> it's a nat 
14:11 < ChocoCooks> i even disabeld the dhcp server on the router as a test, and my computer still was fetching my isp's dns
14:12 < Bushmills> router would usually tell clients to use its dns forwarder
14:13 < ChocoCooks> would just adding the dns i want to the adapter settings work in all situations?
14:13 < ChocoCooks> like wireless hotspot etc
14:13 < ChocoCooks> not sure if it can overide all routers 
14:13 < Bushmills> there are probably as many different ways to set up resolvers as there are ways to use the vpn
14:14 < Bushmills> i suppose best is when use and method to resolve host names match
14:15 < ChocoCooks> when i do ipconfig /all i can see the tun adapter has the correct dns from the server
14:15 < ChocoCooks> shame i can't overide the router, its an elegent way to do it with the push
14:16 < Bushmills> (21:08:39) Bushmills: dhcp clients can be configured to not request certain data.
14:16 < ChocoCooks> to not request data from the router?
14:16 < Bushmills> no need to override, if client doesn't request it in first place
14:17 < ChocoCooks> that would be nice
14:17 < Bushmills> yes. like, telling dhcp client "don't request name servers from dhcp server"
14:17 < ChocoCooks> no idea how to do that in win 7
14:17 < Bushmills> neither do I
14:17 < ChocoCooks> guess i can google it
14:18 < Bushmills> probably somebody more windows savvy than me can tell you
14:18 < ChocoCooks> if it is indeed possible then i'm sure i'll get it done
14:19 < ChocoCooks> would be nice if i could just tell my computer not to use the default gateway but
14:19 < Bushmills> i go with those who say "a computer without windows is like a dog without a brick around the neck"
14:19 < ChocoCooks> then i'd have no way to connect to server
14:20 < ChocoCooks> lol
14:34 < ChocoCooks> Bush
14:35 < ChocoCooks> i see a setting for the adapter under advanced
14:35 < ChocoCooks> DHCP ENABLED
14:35 < ChocoCooks> might be worth trying to disable it?
14:35 < Bushmills> i's think you only want to disable requesting name servers, not dhcp entirely
14:36 < Bushmills> unless you can statically configure your network interface and routes and name servers etc
14:36 -!- krzie [~k@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
14:40 < Bushmills> though i'd think easiest would be to have a section for your MAC in the dhcp server config which provides it with a slightly different configuration than the other machines.
14:41 < Bushmills> i.e. one with a different name server.
14:41 < ChocoCooks> there ought to be a way to do it without touching the router
14:41 < ChocoCooks> because often i wont have access to the router
14:41 < Bushmills> when i'm mobile, i have a recursive name server on the client.
14:42 < Bushmills> such as i do right now
14:42 < ChocoCooks> whats a recursive nameserver
14:42 < Bushmills> when it's connected to the router, it uses the router provided name server (a forwarder, which passes on queries to a name server on the openvpn server - router is vpn client too)
14:43 < Bushmills> decision of which config to use is done by checking usb ids for a plugged in cell modem.
14:44 < ChocoCooks> complex
14:44 < Bushmills> nope
14:44 < Bushmills> one case is simple dhcp request
14:44 < Bushmills> other case is simple swapping the resolv.conf file, and starting the local recursive name server
14:46  * Bushmills can't think of a much simpler solution
14:46 < Bushmills> in neither case do i use provider supplied name servers
14:47 < ChocoCooks> your client is linux is a bit different
14:47 < Bushmills> the recursive name server which i run when mobile exists even in a windows version
14:48 < Bushmills> but how to script during startup to use the one or the other i wouldn't know how to do with windows
14:48 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined #openvpn
14:51 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds]
14:54 < Bushmills> though, always running a recursive name server on your client may eliminate all your problems, by being able to set static name server in your windows config, running on the machine itself. 
14:54 < ChocoCooks> ok
14:55 < Bushmills> maradns is what i use for that purpose
14:55 < Bushmills> small memory footprint, fast, secure. easy to configure.
15:07 < ChocoCooks> asked in windows channel
15:07 < ChocoCooks> just idiots in there :(
15:08 < ChocoCooks> actually im preety mad
15:08 < ChocoCooks> just went to check my ip... and low and behold
15:08 < ChocoCooks> its my computers
15:09 < ChocoCooks> so openvpn just shut down without telling me
15:09 < ChocoCooks> the client didnt say a thing
15:10 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Read error: Connection reset by peer]
15:10 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
15:11 < ChocoCooks> hope its not a common thing for the tunnel to collapse without warning
15:11 < ChocoCooks> looking at the log doesn't even say it shut down
15:25 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Ping timeout: 260 seconds]
15:27 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Read error: Connection reset by peer]
15:27 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
15:32 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
15:41 -!- mmarker [~crichton@ool-4354a976.dyn.optonline.net] has joined #openvpn
15:42 < mmarker> !welcome
15:42 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
15:42 < mmarker> !route
15:42 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:42 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Read error: Connection reset by peer]
15:43 < mmarker> !/30
15:43 <@vpnHelper> "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
15:43 < mmarker> !topology
15:43 <@vpnHelper> "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
15:43 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
15:44 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Read error: Connection reset by peer]
15:45 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
15:45 < mmarker> !redirect
15:45 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
15:46 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Read error: Connection reset by peer]
15:46 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
16:09 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
16:11 -!- luneff [~yury@84.51.202.205] has joined #openvpn
16:18 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Read error: Connection reset by peer]
16:21 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
16:30 -!- mmarker [~crichton@ool-4354a976.dyn.optonline.net] has quit [Quit: Leaving]
16:56 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Read error: Connection reset by peer]
16:56 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
16:59 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Read error: Connection reset by peer]
16:59 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
16:59 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
16:59 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Write error: Broken pipe]
17:02 -!- luneff [~yury@84.51.202.205] has quit [Read error: Connection reset by peer]
17:09 -!- p3rror [~mezgani@41.140.153.58] has joined #openvpn
18:05 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
--- Log closed Sat Dec 25 18:33:46 2010
--- Log opened Sat Dec 25 18:33:54 2010
18:33 -!- ecrist_ [~ecrist@216.17.68.153] has joined #openvpn
18:33 -!- Irssi: #openvpn: Total of 123 nicks [5 ops, 0 halfops, 0 voices, 118 normal]
18:34 -!- Irssi: Join to #openvpn was synced in 47 secs
18:35 <@vpnHelper> RSS Update - forum: Full cone NAT on OpenVPN? <http://forums.openvpn.net/topic7434.html>
18:39 -!- Netsplit *.net <-> *.split quits: kloeri, rot13, blackpenguin, Nappy, Hamlin, jwm, ecrist, chantra_afk, cron2_, sia^pwnnt,  (+2 more, use /NETSPLIT to show all of them)
18:40 -!- Netsplit over, joins: Hamlin
18:40 -!- kloeri_ is now known as kloeri
18:48 -!- ChocoCooks2 [~daniell@82-168-191-228.ip.telfort.nl] has joined #openvpn
18:48 -!- ChocoCooks2 [~daniell@82-168-191-228.ip.telfort.nl] has quit [Client Quit]
18:52 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Ping timeout: 276 seconds]
19:13 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
19:14 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
19:15 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
19:33 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 264 seconds]
19:39 -!- Floort [~floort@dhcp-077-250-046-156.chello.nl] has quit [Ping timeout: 240 seconds]
19:45 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
19:52 -!- tjz_ [~pc@67.220.220.132] has joined #openvpn
19:53 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 276 seconds]
20:11 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
20:25 -!- xenome [~xen@ip68-10-126-184.hr.hr.cox.net] has joined #openvpn
20:29 <@vpnHelper> RSS Update - forum: Static Key Setup & Routing <http://forums.openvpn.net/topic7417.html#p8806>
20:35 -!- xenome [~xen@ip68-10-126-184.hr.hr.cox.net] has quit [Ping timeout: 276 seconds]
20:39 < Essobi> Merry Christmas.
20:39 -!- xenome [~xen@ip68-10-126-184.hr.hr.cox.net] has joined #openvpn
20:43 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
20:43 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
20:43 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
20:58 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
20:58 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
20:58 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
21:00 -!- xenome [~xen@ip68-10-126-184.hr.hr.cox.net] has quit [Ping timeout: 255 seconds]
21:08 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds]
22:15 -!- pyther [~pyther@unaffiliated/pyther] has quit [Ping timeout: 272 seconds]
22:23 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
22:23 -!- Netsplit *.net <-> *.split quits: freaky[t]_
22:32 -!- Netsplit over, joins: freaky[t]_
22:48 <@vpnHelper> RSS Update - forum: VPN server won't start <http://forums.openvpn.net/topic7399.html#p8807>
22:54 <@vpnHelper> RSS Update - forum: VPN server won't start <http://forums.openvpn.net/topic7399.html#p8808>
22:57 -!- jwm_ is now known as jwm
22:58 -!- Guest90874 is now known as martink
22:58 -!- martink is now known as Martin`
23:17 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:27 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
23:27 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
23:27 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
23:34 -!- KindOne [~lol@unaffiliated/kindone] has quit [Ping timeout: 265 seconds]
23:37 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
23:40 -!- KindOne [~lol@h196.201.40.162.dynamic.ip.windstream.net] has joined #openvpn
23:40 -!- KindOne [~lol@h196.201.40.162.dynamic.ip.windstream.net] has quit [Changing host]
23:40 -!- KindOne [~lol@unaffiliated/kindone] has joined #openvpn
--- Day changed Sun Dec 26 2010
00:02 -!- KindOne [~lol@unaffiliated/kindone] has quit [Ping timeout: 250 seconds]
00:07 -!- KindOne [~lol@unaffiliated/kindone] has joined #openvpn
00:33 -!- tjz_ [~pc@67.220.220.132] has quit [Quit: bbl.]
00:38 -!- tjz [~pc@67.220.220.132] has joined #openvpn
00:38 -!- tjz [~pc@67.220.220.132] has quit [Changing host]
00:38 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
01:04 -!- felix_da_catz [~felix_da_@50.15.94.128] has quit [Ping timeout: 264 seconds]
01:07 -!- felix_da_catz [~felix_da_@50.15.94.128] has joined #openvpn
01:54 -!- jhelwig [~jhelwig@li229-87.members.linode.com] has joined #openvpn
02:23 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
02:31 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
02:48 -!- grapsus [~grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Quit: Quitte]
03:16 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
03:39 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 240 seconds]
03:48 -!- master_of_master [~master_of@p57B57F9C.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
03:50 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has joined #openvpn
03:50 -!- master_of_master [~master_of@p57B53EB0.dip.t-dialin.net] has joined #openvpn
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
04:00 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
04:05 <@vpnHelper> RSS Update - forum: Client pings server but server cant ping Client. <http://forums.openvpn.net/topic7435.html>
04:15 -!- Diffen2 [~diffen2@78-82-119-199.tn.glocalnet.net] has quit [Quit: This computer has gone to sleep]
04:32 -!- common- [~common@p5DDA49AB.dip0.t-ipconnect.de] has joined #openvpn
04:36 -!- common [~common@p5DDA4326.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
04:36 -!- common- is now known as common
04:52 -!- APTX [~APTX@phpBB/developer/APTX] has quit [Quit: No Ping reply in 180 seconds.]
04:53 -!- APTX [~APTX@phpBB/developer/APTX] has joined #openvpn
05:20 -!- unspin [~unspin@S01060018f8ecf681.vs.shawcable.net] has joined #openvpn
05:35 -!- Kosmo [59966112@gateway/web/freenode/ip.89.150.97.18] has joined #openvpn
05:37 < Kosmo> Hey, i've been setting up a vpn tunnel, that actually works, but i need some iptables "magic" to nat the packets to the LAN where the vpn-server is located.
05:39 < Kosmo> My current iptables rules: http://paste.pocoo.org/show/309853/
05:39 < Kosmo> Any ideas :-)
05:43 < Bushmills> #iptables
05:44 < Kosmo> yeah ok..
05:50 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 255 seconds]
06:03 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
06:11 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
06:32 -!- pihhan [~pihhan@pihhan.cipis.net] has joined #openvpn
06:50 < reiffert>  moin
06:50 < reiffert> Kosmo: 
06:50 < reiffert> !factoids search iptables
06:50 <@vpnHelper> 'iptables' and 'ldap_iptables'
06:50 < reiffert> !iptables
06:50 <@vpnHelper> "iptables" is (#1) o test if iptables is your problem, disable all rules or put the defaults to accept: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT;, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-
06:50 <@vpnHelper> computing.net/wiki/index.php/OpenVPN/Firewall
06:50 < reiffert> !factoids search nat
06:50 <@vpnHelper> 'nat', 'linnat', 'fbsdnat', 'pfnat', 'freebsdnat', 'bsdnat', 'donate', 'winnat', and 'openvzlinnat'
06:50 < reiffert> !linnat
06:50 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info, or (#4) on openvz try 'iptables -t nat -A PREROUTING -i
06:50 <@vpnHelper> tun0 -j DNAT --to-destination container.ip'
06:51 < reiffert> see #1 for the latter.
06:52 < reiffert> ecrist_: can you please put some more information into !linnat #4, it is pretty confusing to get -j MASQUERADE, -j SNAT and then without a reason !linnat is telling something about -j DNAT which is the opposite of -j SNAT...
06:52 < reiffert> ecrist_: with all my knowledge I can imagine what -j DNAT is needed in openvz, but I doubt that others can do so as well.
06:53 < reiffert> s,(is needed),\$1 for,
06:53 < reiffert> ecrist_: thanks.
06:56 < Kosmo> maybe im just stupid, but i didnt understand anything of all that vpnhelper stuff ....
07:12 < reiffert> Kosmo: allright. what is your
07:12 < reiffert> !goal
07:12 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:27 < Kosmo> reiffert: i am using: "push redirect-gateway def1" on the server, would that be correct? because i get a default gateway on the clients that is 10.8.0.5 (the server is .1) ...
07:27 < Kosmo> !ipforward
07:27 <@vpnHelper> "ipforward" is please choose between !linipforward !winipforward !osxipforward and !fbsdipforward
07:28 < Kosmo> !linipforward
07:28 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
07:30 -!- luneff [~yury@84.51.192.1] has joined #openvpn
07:41 -!- luneff [~yury@84.51.192.1] has quit [Read error: Connection reset by peer]
07:41 -!- luneff [~yury@84.51.192.1] has joined #openvpn
07:44 -!- pyther [~pyther@unaffiliated/pyther] has joined #openvpn
07:44 < reiffert> Kosmo: I cant tell you if it correct, because I dont know anything of your goal
07:45 -!- luneff [~yury@84.51.192.1] has quit [Client Quit]
07:45 < Kosmo> reiffert: ok my goal is that the clients (somewhere in the world) can connect to the openvpn server and get complete access to the lan it sits on
07:45 < reiffert> Kosmo: allright.
07:45 < Kosmo> and to the web through this lan
07:46 < reiffert> !route
07:46 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:46 < Kosmo> ok
07:46 < Kosmo> thanks
07:46 < reiffert> it's something similar to push "route ip.of.your.lan netmask"
07:47 < reiffert> so the openvpn clients add a route with target "lan behind openvpn server" to its local routing table
07:47 < Kosmo> ok but i shouldn't do as the link suggests, because i really dont want the clients lans to have any acess
07:47 < Kosmo> access
07:47 < reiffert> but keep in mind, this is just a route forwards.
07:48 < reiffert> the computers in your lan will need a route to the openvpn clients in order to be able to answer on "ping" and such
07:48 < Kosmo> i want the client to "be on the lan" via vpn
07:48 < reiffert> see all about this in !route
07:48 < Kosmo> ok
07:48 < reiffert> "to be on the lan" is not what you said 4 minutes ago when I asked you about your goal.
07:49 < reiffert> let me re-ask:
07:49 < reiffert> will your clients need layer 3 oder layer 2 access to your lan?
07:49 < reiffert> s,oder,or,
07:49 < Kosmo> ich verstand
07:49 < reiffert> :)
07:49 < Kosmo> but ill have to look at wikipedia for the diff ;-)
07:50 < reiffert> http://en.wikipedia.org/wiki/OSI_model#Layer_2:_Data_Link_Layer
07:50 <@vpnHelper> Title: OSI model - Wikipedia, the free encyclopedia (at en.wikipedia.org)
07:50 < reiffert> http://en.wikipedia.org/wiki/OSI_model#Layer_3:_Network_Layer
07:50 <@vpnHelper> Title: OSI model - Wikipedia, the free encyclopedia (at en.wikipedia.org)
07:51 < Kosmo> i can ask a requestion then.. is it complicated to be on the lan (get ip from the lans dhcp and all) via openvpn?
07:52 < reiffert> layer 3 is "ip access" without broadcasts, layer 2 is "with broadcasts" and basically the clients reside in the same subnet.
07:52 < reiffert> Kosmo: define "complicated" :)
07:52 < Kosmo> hehe i cant
07:52 < reiffert> well then it's "you cant"
07:52 < Kosmo> that solution would be nice
07:52 < reiffert> I'd do it like this: start with routing, layer 3.
07:53 < reiffert> when it works, check if all clients will be satisfied.
07:53 < reiffert> When they dont, switch to bridged setup (layer 2)
07:54 < reiffert> e.g. browsing in the network neighbourhood requires layer 2.
07:54 < Kosmo> ok
07:54 < reiffert> but accessing a server by typing \\ip.of.server doesnt require it.
07:57 < Kosmo> Im curious about something, why isnt there like 10 howtos for different scenarias nicely put on a webpage for openvpn ?
07:57 < Kosmo> or is there and i havent found them ?
07:57 < Kosmo> i mean complete howtos including iptables rules and such
07:58 < Kosmo> i know way too little about networking and tcp/ip to put together the parts i can get from the tutorials linked to in here..
08:05 -!- luneff [~yury@84.51.192.1] has joined #openvpn
08:05 -!- luneff [~yury@84.51.192.1] has quit [Read error: Connection reset by peer]
08:07 < reiffert> Kosmo: there is one howtos for two diffent scenarios.
08:07 < reiffert> !howto
08:07 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:07 < reiffert> feel free to improve it.
08:08 < Kosmo> hehe.. i just saw the "Routing all client traffic (including web-traffic) through the VPN" entry...
08:08 < Kosmo> will read that :-)
08:10 -!- Floort [~floort@dhcp-077-250-046-156.chello.nl] has joined #openvpn
08:12 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
08:13 < fahmad> hello, can someone tell me how much users openvpn server on 64bit OS with 4 GB ram can handle easily ?
08:27 -!- Floort [~floort@dhcp-077-250-046-156.chello.nl] has left #openvpn []
08:30 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
08:30 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
08:30 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
08:35 -!- theDoc [~Link@unaffiliated/thedoc] has joined #openvpn
08:45 -!- Kosmo [59966112@gateway/web/freenode/ip.89.150.97.18] has quit [Quit: Page closed]
08:53 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
08:59 -!- p3rror [~mezgani@41.140.153.58] has quit [Read error: Operation timed out]
09:07 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
09:10 -!- pyther [~pyther@unaffiliated/pyther] has quit [Quit: leaving]
09:15 -!- p3rror [~mezgani@41.140.155.192] has joined #openvpn
09:23 -!- theDoc [~Link@unaffiliated/thedoc] has quit [Quit: Lost terminal]
09:34 -!- p3rror [~mezgani@41.140.155.192] has quit [Ping timeout: 240 seconds]
09:37 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Ping timeout: 276 seconds]
09:45 -!- s7r [~s7r@178.73.198.16] has joined #openvpn
09:47 -!- p3rror [~mezgani@41.140.159.43] has joined #openvpn
09:51 -!- hetii [~MrHetii@078088207047.walbrzych.vectranet.pl] has joined #openvpn
09:51 < hetii> Hello:>
09:51 < hetii> Q: i got this: Sun Dec 26 16:49:18 2010 WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address.  You are using something (255.255.255.255) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
09:52 < hetii> when i try to push static ip. And the question is what  kind of ip address i should use fot p-t-p topology?
09:52 < hetii> for my few clients.
09:53 < hetii> its always something like interface ip + interface ip+1 ? for eg. ip 192.168.40.40 then second parameters will be 192.168.40.41 ?
09:54 < hetii> what happen if i will set this same second parameter for few clients ?
10:17 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
10:39 -!- sia^pwnnt [115kluu@owned.ninjasinpyjamas.biz] has joined #openvpn
10:39 -!- Nappy [~nappy@123-247.97-97.tampabay.res.rr.com] has joined #openvpn
10:40 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
10:46 -!- ntucker__ [~ntucker@c-71-227-154-92.hsd1.wa.comcast.net] has quit [Ping timeout: 265 seconds]
10:57 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 250 seconds]
11:03 < hetii> Q: why my vpn server don`t start when i use
11:03 < hetii> server 192.168.20.0 255.255.255.0
11:03 < hetii> ifconfig-pool 192.168.20.10 192.168.20.20
11:04 < hetii> i need to set default ip range for clients that had not own ip defined in ccd
11:04 < krzee> see --server in the manual
11:04 < krzee> it comes with its own ifconfig-pool
11:06 < hetii> so what? use ifconfig-pool instead server directive?
11:09 < krzee> you could always just live with what server does... what are you trying to work around...?
11:09 < hetii> i suposse if i use just ifconfig-pool instead of server then i need set also some additional directive like route.
11:10 < hetii> i need had two range of ip that will be assing to clients
11:10 < hetii> each range will had different iptables sets.
11:12 < hetii> and one of the range i will assign for user by define it in ccd files.
11:12 < krzee> !policy
11:12 < krzee> grr the bot is down
11:12 < krzee> 1min
11:13 < hetii> ok
11:13 < hetii> :>
11:14 -!- p3rror [~mezgani@41.140.159.43] has quit [Ping timeout: 240 seconds]
11:16 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
11:16 -!- mode/#openvpn [+o vpnHelper] by ChanServ
11:16 < krzee> !policy
11:16 <@vpnHelper> "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario, or (#3) see !rules for #openvpn channel policy
11:16 < krzee> !forget policy #3
11:16 <@vpnHelper> Error: You don't have the factoids.forget capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
11:17 < krzee> !forget policy #3
11:17 <@vpnHelper> Error: There is no such factoid.
11:17 < krzee> !forget policy 3
11:17 <@vpnHelper> Joo got it.
11:17 < krzee> there
11:17 < krzee> see #1 for !policy
11:19 < krzee> you give ccd to all special, and let --server assign the rest
11:19 < krzee> make sure you do not use tap or topology subnet, as those allow users to change their own ip via ifconfig
11:19 < krzee> another way could be:
11:19 < krzee> !dazo
11:19 <@vpnHelper> "dazo" is "eurephia" is http://www.eurephia.net/
11:20 < hetii> i use tun
11:20 < krzee> as i said... dont use topology subnet either
11:20 < hetii> but
11:21 < hetii> i don`t use topology directive at all so dont know with one is default
11:21 < krzee> good
11:21 < krzee> you want net30, and that is the default
11:22 < hetii> ok told me something my clients had something like inet addr:192.168.20.14  P-t-P:192.168.20.13  Mask:255.255.255.255
11:23 < krzee> !/30
11:23 <@vpnHelper> "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
11:23 < hetii> is it means that i canno use this ip P-t-P:192.168.20.13 for other client ?
11:26 < hetii> ok this is twisted
11:29 < hetii> is it means that i cannot use on ccd files for two user this ip range 192.168.20.20 and for his ptp 21 and for second user 192.168.20.23 and 24 for his ptp ?
11:32 <@vpnHelper> RSS Update - forum: Problem when connecting Samba <http://forums.openvpn.net/topic7433.html#p8814>
11:34 < hetii> BTW I had one big trouble that i don`t know how to resolve. I can use push to push routes for client that exist on my lan, and this works. but how can (if its possible) to pass ip that don`t belong to my lan but to one that exist on WAN for eg i try use one of google ip.
11:35 < hetii> so if client will go to google then should be routed by my vpn tunell and go out throught my default gateway on vpn server.
11:47 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
11:47 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
11:47 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
11:50 <@vpnHelper> RSS Update - forum: Client pings server but server cant ping Client. <http://forums.openvpn.net/topic7435.html#p8815>
11:53 < krzee> you need
11:53 < krzee> !redirect
11:53 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
11:54 < krzee> except, do not use redirect-gateway
11:54 < krzee> you do need the nat and ipforwarding on your server
11:54 < krzee> then you can push the route and it works
11:54 < krzee> the vpn subnet is not a routable subnet... it must be NAT'ed
12:02 <@vpnHelper> RSS Update - forum: VPN server won't start <http://forums.openvpn.net/topic7399.html#p8816>
12:06 -!- p3rror [~mezgani@41.248.109.110] has joined #openvpn
12:09 -!- KindOne [~lol@unaffiliated/kindone] has quit [Ping timeout: 255 seconds]
12:10 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Read error: Connection reset by peer]
12:11 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
12:11 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
12:11 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
12:15 -!- KindOne [~lol@h64.40.30.71.dynamic.ip.windstream.net] has joined #openvpn
12:15 -!- KindOne [~lol@h64.40.30.71.dynamic.ip.windstream.net] has quit [Changing host]
12:15 -!- KindOne [~lol@unaffiliated/kindone] has joined #openvpn
12:23 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
12:24 < fahmad> hello, can someone tell me how much users openvpn server on 64bit OS with 4 GB ram can handle easily ?
12:24 -!- smerz [~smerz@smerz.demon.nl] has quit [Remote host closed the connection]
12:26 -!- JPeterson [HydraIRC@213.103.209.64] has quit [Quit:  HydraIRC -> http://www.hydrairc.com <- Nine out of ten l33t h4x0rz prefer it]
12:28 -!- Irssi: #openvpn: Total of 115 nicks [4 ops, 0 halfops, 0 voices, 111 normal]
12:28 < ecrist_> reiffert: what are you getting on about?
12:28 -!- You're now known as ecrist
12:29 < hetii> something is not clear for me
12:29 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:29 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has quit [Quit: Ctrl-C at console.]
12:29 < hetii> i use file for ifconfig-pool-persist directive
12:30 < hetii> inside i had entry for ip: 192.168.20.8, 192.168.20.12, 192.168.20.16
12:30 < hetii> and this is ips set by server
12:30 < fahmad> ecrist: hey
12:31 < hetii> and this not fit to this entry that are describe on the site about /30
12:31 < hetii> so
12:31 < hetii>     * 192.168.1.4/30
12:31 < hetii>     * 192.168.1.4 -- Network address
12:31 < hetii>     * 192.168.1.5 -- Virtual IP address in the OpenVPN Server
12:31 < hetii>     * 192.168.1.6 -- Assigned to the client
12:31 < hetii>     * 192.168.1.7 -- Broadcast address.
12:31 < ecrist> reiffert: you know you have bot access, right
12:31 < ecrist> hetii: no pasting in the channel, please
12:32 < hetii> ok
12:32 < ecrist> !pb
12:32 -!- vpnHelper [~vpn@openvpn/bot/vpnHelper] has joined #openvpn
12:32 -!- mode/#openvpn [+o vpnHelper] by ChanServ
12:32 < ecrist> !pb
12:32 <@vpnHelper> "pb" is Use our pastebin to post configs and logs at http://openvpn.pastebin.ca rather than posting to the channel.
12:33 < fahmad> !help 
12:33 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
12:33 < fahmad> !memory
12:34 < fahmad> Bushmills: arround ?
12:35 < ecrist> hetii: what is the question?
12:35 < ecrist> !/30
12:35 <@vpnHelper> "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
12:36 < hetii> as i understand on my ipp file i had ips that was assigned to the client so if the informattion from site are correct the ips should be  192.168.1.6, 192.168.1.10,  192.168.1.14 not 8,12,16
12:38 < fahmad> !memory
12:39 < hetii> The question is why my server use ip that not fit with the ip from site about "/30" subnet
12:42 < hetii> It looks like ipp file store ip that are network address instead assigned to the client.
12:43 -!- fahmad [~linux@unaffiliated/fahmad] has quit [Read error: Connection reset by peer]
12:44 -!- fahmad [~linux@vpn.server4sale.com] has joined #openvpn
12:44 -!- fahmad [~linux@vpn.server4sale.com] has quit [Changing host]
12:44 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
12:45 < ecrist> that would be my guess, hetii
12:45 < ecrist> I don't know why it would make sense to store the client IP, the network address makes more sense to me.
12:46 < fahmad> ecrist: can you please tell me how much users openvpn server on 64bit OS with 4 GB ram can handle easily ?
12:47 < ecrist> lots
12:47 < ecrist> more than you likely have
12:47 < fahmad> lots = 45 ...
12:47 < fahmad> problem is its using too much memory and CPU
12:48 < fahmad> openvpn	running	2d 1h 18m 	15.3%	0.7% [32172 kB]
12:49 < fahmad> 15.3% = CPU and 0.7% Memory [ 32172  kB] I do not know how openvpn counts memory ...
12:53 < fahmad> any idea ?
13:28 -!- luneff [~yury@84.51.192.1] has joined #openvpn
13:37 -!- bitterman [~yury@84.51.192.1] has joined #openvpn
13:39 -!- cron2 [~gert@kirk.greenie.muc.de] has quit [Changing host]
13:39 -!- cron2 [~gert@openvpn/community/developer/cron2] has joined #openvpn
13:40 -!- luneff [~yury@84.51.192.1] has quit [Ping timeout: 255 seconds]
13:42 -!- bitterman [~yury@84.51.192.1] has quit [Quit: Leaving]
14:08 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
14:27 <@vpnHelper> RSS Update - forum: Client pings server but server cant ping Client. <http://forums.openvpn.net/topic7435.html#p8817>
14:31 < ecrist> fahmad: 32M of memory isn't bad
14:31 < ecrist> and 15.3% of a single CPU core is about right, I'd guess
14:34 -!- jfkw_ [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
14:37 -!- jfkw_ [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Client Quit]
14:38 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
14:38 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Remote host closed the connection]
14:40 -!- krzie [krzee@openvpn/community/support/krzee] has joined #openvpn
14:44 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
14:45 -!- dogmeat [~Bob@unaffiliated/dogmeat] has quit [Remote host closed the connection]
14:50 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Read error: Connection reset by peer]
14:50 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
14:52 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Client Quit]
14:54 -!- KindOne [~lol@unaffiliated/kindone] has quit [Quit: client restart]
15:05 -!- sia^pwnnt is now known as sia
15:12 -!- unspin [~unspin@S01060018f8ecf681.vs.shawcable.net] has quit [Read error: Operation timed out]
15:28 -!- sia is now known as sia^pwnnt
15:28 -!- sia^pwnnt is now known as sia
15:29 -!- unspin [~unspin@S01060018f8ecf681.vs.shawcable.net] has joined #openvpn
15:36 -!- farciarz84 [~farciarz@unaffiliated/farciarz84] has joined #openvpn
15:43 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 240 seconds]
15:43 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
15:43 < ChocoCooks> halo
15:44 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
15:49 < hetii> Q: how can i manuall add client certificate to CRL  and if i do that is it able then generate new one with the same CN ?
15:55 < hetii> ok for the second question i know response :>
15:56 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
16:04 -!- unspin [~unspin@S01060018f8ecf681.vs.shawcable.net] has quit [Ping timeout: 276 seconds]
16:07 < ecrist> !revoke
16:07 < ecrist> !crl
16:07 <@vpnHelper> "crl" is (#1) --crl-verify <crl> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that will
16:07 <@vpnHelper> create the CRL file for you. ssl-admin will also build a crl for you
16:09 < hetii> ok i have and this client cannot establish connection
16:09 < hetii> but is it normal that he don`t get any message that use revoked script ?
16:10 < ecrist> what do you mean?
16:10 < hetii> cause i got just  VERIFY OK ... and after  Connection reset, restarting [0]
16:11 < hetii> i`m just supprised that client try connect again when his certificate is revoked
16:11 < ecrist> are you including the CRL in the server config?
16:11 < hetii> yes
16:11 < ecrist> !congis
16:11 < ecrist> !configs
16:11 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
16:11 < ecrist> !logs
16:11 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin
16:12 < hetii> hmm
16:13 < hetii> !paste
16:13 <@vpnHelper> "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
16:16 < ecrist> !pb
16:16 <@vpnHelper> "pb" is Use our pastebin to post configs and logs at http://openvpn.pastebin.ca rather than posting to the channel.
16:17 < hetii> http://openvpn.pastebin.ca/2030107
16:18 < ecrist> hetii: does /etc/ssl/openvpn/crl.pem list the just-revoked certificate as revoked?
16:18 <@vpnHelper> RSS Update - pastebin: Stuff <http://pastebin.ca/2030107>
16:19 < Bushmills> "logs" in this season are bulky pieces of firewood, essential to stay warm. 
16:20 < ecrist> Bushmills: s/logs/buxom blondes/ for a much happier winter experience. ;)
16:20 < hetii> should i do it by openssl ca -revoke newcerts/0B.pem && openssl ca -gencrl -out crl.pem
16:20 < Bushmills> one can also sit at the fire
16:21 < hetii> inside i have just one cert. with this header: -----BEGIN X509 CRL-----
16:22 < ecrist> I use the following:
16:22 < ecrist> openssl ca -revoke $working_dir/active/$cn.crt -config $key_config -batch
16:22 < ecrist> followed by 
16:22 < ecrist> penssl ca -gencrl -out $crl -config $key_config
16:22 < ecrist> s/^/o/
16:23 < ecrist> you need to do the revoke followed by the gencrl to generate a new CRL
16:23 < ecrist> once that's done, run 'openssl crl -noout -text -in /path/to/crl.pem' and looks for the serial number of your just-revoked certificate
16:24 < ecrist> !ssl-admin
16:24 <@vpnHelper> "ssl-admin" is (#1) if you use freebsd, it is in ports, or (#2) svn co https://www.secure-computing.net/svn/trunk/ssl-admin to grab it from svn, or (#3) A perl script for managing SSL certificates (being a CA). Makes a good replacement for easy-rsa
16:24 < ecrist> otherwise, that'll do it all for you.
16:24 < ecrist> (I pulled those commands out of that program)
16:24 < hetii> hmm ok i need read  more manuals and will check
16:25 < hetii> but in fact my client cannot use this certificate. so it looks  like its revoked. 
16:25 < hetii> my question is is it proper revoked because client try connect again and again. 
16:26 < hetii> i don`t know if its proper behavior or not :>
16:34 < hetii> Revoked Certificates: Serial Number: 0B 
16:35 < krzie> depending on settings yes
16:35 < krzie> client just knows it cant connect, so if it should reconnect upon failure, it will
16:35 < krzie> that wouldnt be such a bad feature request tho
16:36 < krzie> (for an optional flag to kill the client if denied due to revocation)
16:36 < krzie> throw that on the wishlist if you like
16:36 < krzie> !wishlist
16:36 <@vpnHelper> "wishlist" is https://forums.openvpn.net/viewforum.php?f=10 for the openvpn wishlist
16:44 < hetii> hmm 
16:45 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 260 seconds]
16:46 < hetii> interesting things is that the user of client can  take out his pass phrase using his password instead of CA
16:46 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
16:48 -!- WinstonSmith [~true@g230123139.adsl.alicedsl.de] has joined #openvpn
17:30 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
17:30 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
17:30 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
17:41 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
17:52 -!- s7r [~s7r@178.73.198.16] has left #openvpn []
17:52 < ChocoCooks> krizie is it normal for the connection to suddenly drop without warning
17:52 < ChocoCooks> sometimes i'll randomly check my ip and its back to my computers
17:52 < ChocoCooks> but the client gave no indication
17:52 < ChocoCooks> even shows the tls handshakes happening 
17:59 < hetii> thx for helping me today :) see you soon :>
17:59 -!- hetii [~MrHetii@078088207047.walbrzych.vectranet.pl] has quit [Quit: Wychodzi]
18:04 -!- pihhan [~pihhan@pihhan.cipis.net] has quit [Quit: using sirc version 2.211+KSIRC/1.3.12]
18:08 -!- sia is now known as sia^pwnnt
18:36 -!- renihs [~philipp@83-65-34-34.arsenal.xdsl-line.inode.at] has quit [Quit: Leaving]
18:38 -!- p3rror [~mezgani@41.248.109.110] has quit [Read error: Connection reset by peer]
18:50 -!- farciarz84 [~farciarz@unaffiliated/farciarz84] has quit [Quit: Lost terminal]
19:12 < krzie> ChocoCooks, you can remove def1 to make the connection not work unless the vpn is up
19:28 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Ping timeout: 240 seconds]
19:32 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
19:33 < ChocoCooks> krzie
19:33 < ChocoCooks> thats exactly what i want to do
19:33 < ChocoCooks> you mean if the vpn closes/fails then i wont able access any internet?
19:34 < ChocoCooks> my server.conf says push "redirect-gateway"
19:35 < ChocoCooks> there's no def1 to remove
19:43 < krzie> then something is going wrong... without def1 your gateway should be overwritten, you should not have a route to the internet if the vpn goes down
19:43 < krzie> unless your dhcp is renewing it or something
19:48 < ChocoCooks> hmm never heard that before
19:49 < ChocoCooks> it works fine just sometimes my internet stops flowing through the vpn
19:49 < ChocoCooks> i'll try adding def1 see what happens
19:50 < ChocoCooks> i have a router between my computer and the internet which is annoying
19:50 < ChocoCooks> isp gave it to me
19:51 < ChocoCooks> its a nat, hub, firewall, dhcp server all rolled into one
19:54 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
20:01 -!- ChocoCooks2 [~daniell@82-168-191-228.ip.telfort.nl] has joined #openvpn
20:01 < ChocoCooks2> back
20:01 < ChocoCooks2> yea so im wondering if the bypass-dhcp bit is neccessary
20:02 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Ping timeout: 240 seconds]
20:03 -!- ChocoCooks2 [~daniell@82-168-191-228.ip.telfort.nl] has quit [Client Quit]
20:04 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
20:08 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Read error: Connection reset by peer]
20:09 -!- ChocoCooks [~daniell@82-168-191-228.ip.telfort.nl] has joined #openvpn
20:09 -!- ChocoCooks [~daniell@82-168-191-228.ip.telfort.nl] has quit [Client Quit]
20:09 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
20:09 < ChocoCooks> golly
20:13 -!- WinstonSmith_ [~true@g231240127.adsl.alicedsl.de] has joined #openvpn
20:16 -!- WinstonSmith [~true@g230123139.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
20:18 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
20:23 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Ping timeout: 255 seconds]
20:25 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
20:25 < ChocoCooks> well i finally just disabled the dhcp server on the router
20:25 < ChocoCooks> then set my wireless adapter to have no dns settings
20:26 < ChocoCooks> works fine
20:26 < ChocoCooks> now i only have internet when vpn is connected as otherwise my comp doesnt know what dns to use
20:29 -!- LordDoskias [~nib9@unaffiliated/lorddoskias] has joined #openvpn
20:29 < LordDoskias> hello people 
20:29 < ChocoCooks> but krize i added that def1 thing, now my wireshark has a gazillion tcp packets going between my local computer and 77.87.179.69
20:29 < ChocoCooks> have no idea why
20:30 < ChocoCooks> always between me and that ip
20:30 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has joined #openvpn
20:30 < ChocoCooks> before without the def1 i just had upd packets
20:30 < ChocoCooks> hey lord
20:30 < LordDoskias> i get the error "TLS Error: Unroutable control packet received from xx.xx.x.x:1194 (si=3 op=P_CONTROL_V1)"
20:31 < LordDoskias> now most probably you will tell me to check the time of the client and the server but the thing is i can connect to the vpn at random times and then if something happens and the connection drops 
20:31 < LordDoskias> i'm locked out of the vpn for some time and then i can connect again
20:31 < ChocoCooks> better be willing to wait a long time for answer lord, the room genius krzie is out buying alcohol
20:32 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
20:32 < LordDoskias> well, will wait then i'm gonna go off to bed 
20:34 < LordDoskias> what is your problem 
20:34 < ChocoCooks> my personality mainly
20:35 < LordDoskias> your technical problem :D
20:35 < ChocoCooks> well
20:35 < ChocoCooks> i added def1 to the push "redirect-gateway" in server.conf
20:36 < ChocoCooks> now my wireshark shows a ton of tcp messages all between my computer and a foreign ip address
20:36 < ChocoCooks> no idea why its weird
20:36 < LordDoskias> what is it that you are trying to achieve
20:36 < LordDoskias> to have the vpn as your default route ?
20:36 < ChocoCooks> yep
20:37 < LordDoskias> and now you are afraid that actually some 3rd party is getting the traffic?
20:37 < ChocoCooks> just dont want any packet to leave my computer unless its gonna go to the openvpn server
20:37 < ChocoCooks> yea
20:37 < LordDoskias> i see 
20:37 < LordDoskias> okay, so from wireshark 
20:37 < ChocoCooks> cuz i have a billion tcp messages between me and 77.87.179.69
20:37 < ChocoCooks> i dont even know who that ip is
20:37 < LordDoskias> well, check the ports 
20:37 < LordDoskias> i mean the port on your machine that this ip is sending its traffic
20:37 < ChocoCooks> lol
20:37 < ChocoCooks> thats a uk ip
20:38 < ChocoCooks> i'm in netherlands
20:38 < ChocoCooks> so that shouldnt be happening
20:38 < ChocoCooks> before i had push "redirect-gateway"
20:38 < ChocoCooks> then i added def1 to it as per the how to and advice i got in here
20:38 < ChocoCooks> now this uk ip
20:38 < LordDoskias> okay 
20:38 < LordDoskias> are ou using windows as a client 
20:38 < ChocoCooks> yep
20:38 < LordDoskias> right
20:38 < LordDoskias> so 
20:38 < LordDoskias> go to cmd prompt
20:38 < LordDoskias> and type route print
20:39 < ChocoCooks> done
20:39 < LordDoskias> can you paste it 
20:39 < LordDoskias> on privatepaste or something similar
20:39 < ChocoCooks> copy pasting the cmd prompt is difficult would u look at a screenshot?
20:39 < LordDoskias> okay 
20:39 < ChocoCooks> k thx one sec
20:39 < LordDoskias> you can just do a right click on cmd prompt 
20:39 < LordDoskias> click mark 
20:39 < LordDoskias> mark everything and press enter and then you just paste
20:40 < ChocoCooks> i'll try
20:40 < LordDoskias> but a screenshot is ok too 
20:41 < ChocoCooks> ok this screenshot also shows my wireshark
20:42 < ChocoCooks> you'll see the udp packets between me and openvpn server which is normal
20:42 < ChocoCooks> and in between the tcp packets between me and uk
20:42 < ChocoCooks> http://img829.imageshack.us/img829/2135/asdfc.png
20:43 < LordDoskias> hmz 
20:43 < LordDoskias> i think not all of your traffic is going trhough the tunnel
20:43 < ChocoCooks> and literally only change i made was
20:43 < LordDoskias> 192.168.1.254 is your home router?
20:43 < ChocoCooks> push "redirect-gateway"
20:43 < ChocoCooks> to
20:43 < ChocoCooks> push "redirect-gateway def1"
20:43 < ChocoCooks> yes it is 
20:43 < LordDoskias> okay 
20:43 < LordDoskias> then 
20:43 < LordDoskias> run a traceroute to this ip 
20:44 < LordDoskias> and see if it going through the vpn which is 10.8.0.5
20:44 < ChocoCooks> good idea
20:44 < LordDoskias> os thourgh your normal home router
20:44 < ChocoCooks> so i just type traceroute xxx.xxx.xxx.xxx
20:44 < LordDoskias> i think it is through your router
20:44 < LordDoskias> tracert in windows
20:44 < ChocoCooks> k
20:45 < LordDoskias> also 
20:45 < LordDoskias> run a netstat -nto
20:45 < LordDoskias> and then see which process owns a connection to the ip you are suspicious of 
20:45 < LordDoskias> you might have some p2p software
20:45 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
20:45 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
20:45 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
20:45 < ChocoCooks> looks weird
20:46 < ChocoCooks> screenshot coming
20:46 < LordDoskias> becuase as you can see you have 2 default routes
20:46 < LordDoskias> and the one is persistent with metrics 1 
20:46 < LordDoskias> which means it is always going to be 
20:46 < LordDoskias> prefered
20:46 < LordDoskias> also 
20:46 < LordDoskias> have you manually put the persitent route?
20:46 < ChocoCooks> i'm preety confused when it comes to routes
20:47 < ChocoCooks> that route print looks to me like i have around 13 routes
20:47 < ChocoCooks> ipv4 route table
20:47 < LordDoskias> yes, most of them are fine 
20:47 < LordDoskias> just some default by windows 
20:47 < LordDoskias> what you can do is 
20:47 < LordDoskias> route -f
20:47 < LordDoskias> which will flush your routing table and you will loose connectivity 
20:48 < LordDoskias> then just ipconfig /release *wireless adapter* and ipconfig /renew *wireless adapter*
20:48 < ChocoCooks> do you think it might be a virus or something
20:48 < LordDoskias> well 
20:48 < LordDoskias> could be 
20:48 < ChocoCooks> http://img571.imageshack.us/img571/2794/hhhhhhhhhhhhhhhhhhhhhhhb.png
20:48 < LordDoskias> that's why you need to see which program on your pc actually owns this socket
20:49 < ChocoCooks> ok
20:49 < LordDoskias> okay so your traffic to this ip is going through the vpn 
20:49 < ChocoCooks> i dont think so
20:49 < LordDoskias> hmz, wait 
20:49 < LordDoskias> which interface are you sniffing 
20:49 < LordDoskias>  is it the openvpn tap interface
20:49 < ChocoCooks> wireless 
20:49 < LordDoskias> or your actual wireless
20:50 < ChocoCooks> my vpn server is 178.18.87.16
20:50 < ChocoCooks> that first ip in the route trace is missed the 6
20:50 < LordDoskias> well, the first ip is the ip of the vpn, right?
20:50 < LordDoskias> the server end 
20:50 < ChocoCooks> almost
20:50 < ChocoCooks> missing 
20:50 < ChocoCooks> 6
20:50 < ChocoCooks> should be .16 on end
20:51 < LordDoskias> not necessarily 
20:51 < LordDoskias> openvpn can be funny when it comes to numbering 
20:51 < LordDoskias> i mean my pc has an address of .6 and then i see the vpn as .5 
20:51 < LordDoskias> but actually the traffic goes through .1 (which is again the openvpn ip)
20:51 < LordDoskias> anyway
20:51 < LordDoskias> as i was saying
20:51 < ChocoCooks> i did that netstat thing
20:51 < ChocoCooks> i found 
20:51 < ChocoCooks> 7684 owns that
20:52 < LordDoskias> now open task manager
20:52 < LordDoskias> then view => select cloumns 
20:52 < LordDoskias> and choose process identifier
20:52 < LordDoskias> or you can use a nifty little tool called cports
20:53 < ChocoCooks> ok
20:53 < ChocoCooks> that process belongs to pokerstars.net
20:53 < ChocoCooks> i happen to be playing poker now 
20:53 < LordDoskias> well then 
20:53 < LordDoskias> you have your answer
20:53 < LordDoskias> it is not a virus 
20:53 < LordDoskias> but then again this traffic might not be going through the vpn 
20:53 < LordDoskias> becaus eyou have a default route with lower metrics
20:54 < ChocoCooks> can i fix the route thing so only route i have is vpn one
20:54 < LordDoskias> well yes and now 
20:54 < LordDoskias> becuase you need one route which will direct traffic to the actual openvpn 
20:54 < LordDoskias> so that you can establish the conneciton, right?
20:54 < ChocoCooks> yep
20:54 < LordDoskias> and then you can have a route from openvpn which will most probably get all of the traffic 
20:54 < LordDoskias> if i were you i would flush my routing table 
20:55 < LordDoskias> then renew my network adapter
20:55 < ChocoCooks> i'd like my internet to completely not work unless im connected to the vpn
20:55 < ChocoCooks> at the moment i have push dns so i can only visit websites if connected to vpn
20:55 < ChocoCooks> but programs might get around that obv
20:55 < LordDoskias> where is the vpn server 
20:55 < LordDoskias> i mean is it in the same subnet as your pc 
20:55 < LordDoskias> or is it in some remote location god-knows-where
20:55 < ChocoCooks> its about 100 miles away
20:55 < LordDoskias> well then the answer is no 
20:56 < LordDoskias> you need to have connectivity to this location 
20:56 < LordDoskias> and then you can have your vpn 
20:56 < LordDoskias> it's logical, right
20:56 < LordDoskias> ?
20:56 < ChocoCooks> yep :)
20:56 < LordDoskias> the idea of a vpn is to have a secure network over an unsecure one
20:56 < LordDoskias> doesn't matter if it is openvpn, pptp, ipsec or whatever
20:56 < ChocoCooks> i'm not sure what a proper vpn route should look like
20:57 < LordDoskias> well you needn't care about that 
20:57 < LordDoskias> the push redirect-gateway will sufice
20:57 < LordDoskias> if you have no routes with lower metrics, right 
20:57 < LordDoskias> so, flush your routing table 
20:57 < ChocoCooks> ahhhh
20:57 < LordDoskias> renew the adapter 
20:57 < LordDoskias> also i don't know why you added def1 to the push 
20:58 < LordDoskias> i mean just a normal push won't help or what?
20:58 < ChocoCooks> when i had push without def1 my wireshark only showed udp packets
20:58 < ChocoCooks> never tcp
20:58 < ChocoCooks> nor dns
20:58 < ChocoCooks> i was happy
20:58 < krzie> !def1
20:58 <@vpnHelper> "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand, or (#3) push "redirect-gateway def1"
20:58 < ChocoCooks> then i was told it shouldn't work without def1
20:58 < ChocoCooks> so i tried adding it
20:58 < krzie> thats what def1 does
20:59 < ChocoCooks> ah so i dont need it
20:59 < krzie> once you understand what it does, you can make the decision of whether to use it or not
20:59 < krzie> the only difference is if you will have a route to the internet when the vpn goes down
20:59 < krzie> (without def1 you wipe the orig default gateway, with it you do not)
21:00 < LordDoskias> krzie: yeah but a route with a netmask of 128.0.0.0 won't cover all adresses, right?
21:00 < ChocoCooks> so your saying
21:00 < LordDoskias> even if you have the vpn some "lower" addresses might traverse the original route
21:00 < krzie> it will cover half, and the OTHER route with that same netmask covers the other half
21:00 < ChocoCooks> im confused, which should i use so that my computer has no internet connectivity if the vpn goes down
21:00 < ChocoCooks> i.e my computer has no routes
21:01 < krzie> ChocoCooks, dont use def1
21:01 < krzie> thats exactly what happens if you dont use def1
21:01 < ChocoCooks> ok 
21:01 < ChocoCooks> im going to remove def 1, restart the server and flush my route table
21:01 < LordDoskias> krzie:  but  you need at least one route to the vpn 
21:02 < LordDoskias> or am i mistaken?
21:03 < ecrist> sup bitches?
21:03 < LordDoskias> so i have this problem with the unroutable packet thingy 
21:03 < LordDoskias> but the problem is not the time 
21:03 < LordDoskias> what else can it be 
21:03 < ChocoCooks> thx for help Lord i'll be back after this test 
21:04 < ChocoCooks> :)
21:04 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit []
21:04 < LordDoskias> received unroutable control packet
21:04 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has joined #openvpn
21:10 < LordDoskias> anyone ;\
21:10 < ecrist> !logs
21:10 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin
21:13 < LordDoskias> hmz, i'm locked out of the server ;\
21:13 < LordDoskias> but i will paste the client logs
21:13 < ecrist> odds are I cannot help without both.
21:19 < LordDoskias> you gotta be kidding me 
21:19 < LordDoskias> it is working now 
21:19 < LordDoskias> o_O
21:19 < LordDoskias> ops, wrong vpn connection
21:20 < LordDoskias> my connection uses username/password authentication 
21:20 < LordDoskias> withverb 5 
21:21 < LordDoskias> it doesn't present me with a prompt to auth is that normal?
21:23 < LordDoskias> right, so if i have verb 5 and log openvpn.log
21:23 < LordDoskias> how can i authenticate with a username/password since i don't get a prompt because everything is redirected to a file
21:23 < LordDoskias> are there directives that i can put in the conf file to be used as a username/password
21:24 -!- ChocoCooks3 [~ChocoCook@82-168-191-228.ip.telfort.nl] has joined #openvpn
21:24 < ChocoCooks3> hey im back
21:24 < ChocoCooks3> in trouble
21:24 < ChocoCooks3> i did route -f   
21:25 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
21:25 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
21:25 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
21:25 < ChocoCooks3> then i restarted the wireles adapter
21:25 < ChocoCooks3> but i have no internet now, cant connect to vpn server either
21:25 < ChocoCooks3> and cant fix the route table lol, im using a different laptop now
21:25 < LordDoskias> try disable/enable the wireless card
21:25 < LordDoskias> it just can't get the route to your router
21:26 < ChocoCooks3> i did that and i can visit the router only
21:26 < LordDoskias> show the state of the routing table
21:26 < ChocoCooks3> ok
21:28 < ChocoCooks3> so after route -f it was empty obv, after disable/enable wireless it looks like this:
21:28 < ChocoCooks3> http://img109.imageshack.us/img109/3219/82886238.png
21:29 < LordDoskias> !pb
21:29 <@vpnHelper> "pb" is Use our pastebin to post configs and logs at http://openvpn.pastebin.ca rather than posting to the channel.
21:29 < ChocoCooks3> pastebin? im on a different computer
21:29 < ChocoCooks3> best i can do is screenshot and use usb to transfer to this computer
21:29 < LordDoskias> ecrist: http://openvpn.pastebin.ca/2030253
21:29 < LordDoskias> ChocoCooks3: this is for me
21:30 < ChocoCooks3> oh sorry
21:30 < ChocoCooks3> lol
21:30 < ChocoCooks3> ;)
21:30 < LordDoskias> okay 
21:30 < LordDoskias> if you type 
21:30 < ChocoCooks3> i restarted the router, my computer, nothing works
21:31 < LordDoskias> route add 0.0.0.0 mask 0.0.0.0 192.168.1.254
21:31 < LordDoskias> you should hav einternet 
21:31 < LordDoskias> try it 
21:31 < ChocoCooks3> ok
21:31 < ChocoCooks3> genius it worked
21:32 < ChocoCooks3> so what did we learn from this? we were trying to make it so only route was the one to vpn
21:32 < LordDoskias> connect your vpn 
21:32 < ChocoCooks3> k
21:32 < ChocoCooks3> done
21:32 < LordDoskias> route print again 
21:33 < ChocoCooks3> k will have screenshot in 1 min
21:34 <@vpnHelper> RSS Update - pastebin: Anonymous <http://pastebin.ca/2030253>
21:35 < ChocoCooks3> http://img694.imageshack.us/img694/6841/82655403.png
21:36 < LordDoskias> do you have internet now?
21:36 < ChocoCooks3> yep
21:37 < LordDoskias> well 
21:37 < LordDoskias> now you have the desired set up 
21:37 < ChocoCooks3> but i also have internte if i disconect the vpn
21:37 < LordDoskias> the default route is that of the vpn 
21:37 < ChocoCooks3> just not via the vpn
21:38 < ChocoCooks3> i guess its not possible to have no internet at all unless im connected to vpn
21:38 < LordDoskias> you sure
21:38 < ChocoCooks3> 100%
21:38 < LordDoskias> disconnect the vpn and show route print
21:38 < ChocoCooks3> ok
21:40 < ChocoCooks3> http://img211.imageshack.us/img211/306/74861562.png
21:40 < ChocoCooks3> definetely still have internet 
21:41 < ChocoCooks3> i dont have dns because that is pushed over the vpn, but i can visit websites by typing in their ip
21:42 < LordDoskias> well 
21:43 < LordDoskias> the thing is when you disconnect you get a default route to 1.254
21:43 < LordDoskias> i don't know why this is happening 
21:43 < LordDoskias> anyway bbl 
21:43 < ChocoCooks3> k thx
21:45 < ChocoCooks3> afik without that default route i cant connect to the vpn server so it gotta be there always
21:45 < ChocoCooks3> i'll just leave it as is, most things dont work without dns so that'll let me know preety quick if the vpn drops
21:47 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
21:47 -!- ChocoCooks3 [~ChocoCook@82-168-191-228.ip.telfort.nl] has quit []
21:55 < LordDoskias> you can connect without the default route
21:55 < LordDoskias> you need a route just to the vpn server 
21:57 < ChocoCooks> well
21:57 < ChocoCooks> that's proving to be ellusive lol
21:58 < ChocoCooks> because i need to connect to my router to get to the vpn server
21:58 < ChocoCooks> and if i can connect to the router it seems i have internet no matter what 
21:59 < ChocoCooks> maybe there is some firewall that can be used for this
22:06 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has quit [Read error: Operation timed out]
22:10 < LordDoskias> nope
22:10 < LordDoskias> you have to understand how routing works
22:10 < LordDoskias> 0.0.0.0 means match all routes
22:10 < LordDoskias> so when you have a packet destined to a place for which you don't have a route
22:10 < LordDoskias> it is going to be forwarded to the address pointed to by this default route
22:10 < LordDoskias> right
22:11 < LordDoskias> but then, if you have a specific route it won't use the default one but the specific
22:11 < LordDoskias> to what you need is 1 specific route to your vpn server
22:11 < LordDoskias> so that packets destined for it can actually reach it 
22:11 < LordDoskias> and then you need a default route with your vpn server internal ip 
22:12 < LordDoskias> so you send a packet to place-a inside the vpn
22:13 < LordDoskias> and windows says "ok, i've got a packet to this destination but how do i reach it - well i have to send the packet to the vpn server internal ip, but how do i reach this, ah - i have a specific route to the external ip of the vpn server"
22:13 < LordDoskias> so "i will send the encrypted packet to the public ip of the vpn server"
22:13 < LordDoskias> that's how roughly routing works 
22:13 < LordDoskias> http://www.networktutorials.info/routing.html
22:13 <@vpnHelper> Title: Network Routing Overview - Routing Table (at www.networktutorials.info)
22:13 < LordDoskias> read that if you are interested
22:16 < ChocoCooks> hi was away, will read all you typed now 
22:16 < LordDoskias> what is the weather condition in .nl was going to go there for new year 
22:16 < ChocoCooks> absolutely freezing
22:16 < ChocoCooks> snow everywhere
22:17 < ChocoCooks> but most of europe is like that, not sure where you are from
22:17 < LordDoskias> in the uk currently 
22:17 < ChocoCooks> i'd think we have the same weather preety much
22:17 < LordDoskias> tell me about it i don't have water becuase the pipes are frozen 
22:17 < LordDoskias> o_O
22:17 < ChocoCooks> i might spend new year in Shanghai, warmer there too
22:18 < ChocoCooks> thats why im learning all this vpn stuff, gonna be moving to inside the great firewall soon
22:18 < LordDoskias> there was a simple way to actually jump over it 
22:18 < LordDoskias> can't remember it though 
22:18 < ChocoCooks> there was tor, but they blocked all the exit nodes
22:18 < LordDoskias> not that 
22:19 < LordDoskias> what the firewall was doing was something silly 
22:19 < ChocoCooks> oh
22:19 < ChocoCooks> well you can imagine its still nice to have all the traffic encrypted
22:19 < LordDoskias> i think it was sending rst packets to clients
22:19 < LordDoskias> so fi you patch your tcp stack to ignore it it will be working but don't quote me on that 
22:19 < LordDoskias> ...
22:20 < ChocoCooks> preety lame how youtube isn't allowed
22:21 < LordDoskias> i'm just watching a movie about google from nat ge
22:21 -!- funyun [~eddie@ns213451.ovh.net] has joined #openvpn
22:21 < LordDoskias> and they say all this stuff about censorship in china 
22:21 < ChocoCooks> google is recommending every1 in china to use vpn's
22:22 < LordDoskias> are they
22:22 < ChocoCooks> yep
22:22 < ChocoCooks> even if there was some trick to bypass teh firewall, or even just using a proxy like squid... they'd still be logging all your dns requests etc and they'd know your bypassing it and what your visiting
22:22 < ChocoCooks> that makes me uneasy
22:23 < ChocoCooks> so for me it'll be a openvpn server in taiwan
22:23 < LordDoskias> but then again they will be able to identify you are using a vpn 
22:23 < funyun> hi. noob here.. i used pptpd to setup a vpn on my dedicated server so i can browse sites like youtube that are blocked by my ISP. but the speed is too slow. can i use openvpn to setup a ssl vpn? and would it be faster? than pptp?
22:23 < ChocoCooks> sure but that isn't illegal, lots of businessmen use them etc
22:23 < LordDoskias> funyun: try disabling encryption for the pptp if you are using it 
22:24 < LordDoskias> but chances are it won't be faster 
22:24 < LordDoskias> are you using windows?
22:24 < funyun> LordDoskias: i've actually tried it on mac, windows and linux
22:24 < funyun> LordDoskias: the vpn is on linux tho
22:25 < LordDoskias> well on windows i think that the tap driver is limited to 10mbps connection
22:25 < LordDoskias> + ssl related computation are heavier than mppe (what pptp is using)
22:26 < funyun> LordDoskias: so ssl would probably be slower?
22:26 < LordDoskias> well... can't say definitely 
22:26 < LordDoskias> there is LZO compression
22:27 < LordDoskias> maybe you will just have to test and see 
22:27 < LordDoskias> http://forums.contribs.org/index.php?topic=44103.0
22:27 <@vpnHelper> Title: Fastest VPN: OpenVPN vs PPTP (at forums.contribs.org)
22:27 < LordDoskias> check this
22:27 < ChocoCooks> i think openvpn is far superior to pptp
22:27 < LordDoskias> ChocoCooks:  in terms of security and flexibility - yes
22:27 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 264 seconds]
22:27 < LordDoskias> but in terms of speed i can't be sure 
22:27 < ChocoCooks> ipsec is obv winner in speed but
22:27 < ChocoCooks> fails in all other aspects
22:28 < ChocoCooks> and i rekon actually openvpn is just as fast as ipsec, just a tiny bit more latency... unless your pushing a huge ammount of data 
22:28 < LordDoskias> hmz 
22:29 < LordDoskias> not sure about ipsec as well 
22:29 < funyun> LordDoskias: would you be able to help me setup openvpn for what i need?
22:29 < LordDoskias> funyun:  if you just read the howto section on the website you should be able to do it
22:29 < LordDoskias> !howto
22:29 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
22:29 < ChocoCooks> that how to is very helpful
22:30 < funyun> LordDoskias: do i read the entire thing? or is there a specific section? i think someone once told me what i need is called redirect?
22:31 < LordDoskias> well, i believe ChocoCooks can help you 
22:31 < LordDoskias> since he was doing the same thing 1 hour ago 
22:31 < LordDoskias> i'm tired currently 
22:31 < ChocoCooks> i only know how to set up openvpn on linux server
22:31 < ChocoCooks> i helped some1 before do that including myself lol
22:31 < funyun> ChocoCooks: my server is linux :)
22:31 < ChocoCooks> centos?
22:31 < funyun> debian
22:31 < ChocoCooks> fine
22:31 < ChocoCooks> and client windows?
22:31 < funyun> client is mac
22:32 < ChocoCooks> ok
22:32 < funyun> ChocoCooks: thanks so much :)
22:32 < ChocoCooks> well it'd take like an hour to setup the server since i'd have to explain each step
22:32 < LordDoskias> lol
22:32 < LordDoskias> openvpn can be setup in like 15 minutes with minimal settings 
22:32 < funyun> yes. i just need minimal
22:33 < ChocoCooks> Lord i can do it in 5 minutes
22:33 < ChocoCooks> but the point is i'd be explaining
22:33 < ChocoCooks> so he learns
22:33 < LordDoskias> yep
22:33 < LordDoskias> goodie, saw 7 ^_^
22:34 < ChocoCooks> funyun did you download/install openvpn yet on your debian server
22:34 < funyun> ChocoCooks: yes
22:35 < ChocoCooks> did you generate the crts and keys etc
22:35 < funyun> ChocoCooks: no. i've only installed
22:35 < ChocoCooks> ok
22:35 < ChocoCooks> lets take this to private message else its pratically spamming the room
22:35 < funyun> alright
23:25 < ChocoCooks> Lord i guess your away but would you have any idea what routes i should add for that purpose
23:25 < ChocoCooks> don't think google will help me with this lol
23:47 -!- LordDoskias [~nib9@unaffiliated/lorddoskias] has quit [Quit: Lost terminal]
23:57 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-mksnccwaanlxkkbj] has joined #openvpn
23:57 < HoboSteaux> !help
23:57 <@vpnHelper> (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
--- Day changed Mon Dec 27 2010
00:06 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
00:21 < HoboSteaux> help
00:21 < HoboSteaux> ugh
00:21 < HoboSteaux> whats the commands for vpnHelper
00:22 -!- WinstonSmith_ [~true@g231240127.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
00:23 <@vpnHelper> RSS Update - forum: Full cone NAT on OpenVPN? <http://forums.openvpn.net/topic7434.html#p8819> || [Solved] Problem when connecting Samba <http://forums.openvpn.net/topic7433.html#p8818>
00:29 < reiffert> HoboSteaux: it's !welcome
00:30 < HoboSteaux> ty
00:30 < HoboSteaux> !welcom
00:30 < HoboSteaux> !welcome
00:30 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
00:30 < HoboSteaux> !route
00:30 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
00:30 < HoboSteaux> exactly what i needed
00:31 < reiffert> :)
00:44 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
01:15 -!- fahmad [~linux@unaffiliated/fahmad] has joined #openvpn
01:26 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has quit [Ping timeout: 246 seconds]
01:26 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has joined #openvpn
01:36 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit []
01:38 -!- diphthong [~diphthong@69.172.135.243] has quit [Quit: leaving]
01:45 < funyun> noob here. chococooks was helping me. my vpn was working until he told me to type "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE". now it does not work. anyone know how i can fix this?
01:50 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn
01:53 <@vpnHelper> RSS Update - forum: need access openvpn server my server by dns or icmp tunnel <http://forums.openvpn.net/topic7440.html>
02:06 -!- krzee [~k@openvpn/community/support/krzee] has quit [Quit: This computer has gone to sleep]
02:09 -!- curriegrad2004 [~curriegra@cg4l3001.smb.curriegrad2004.ca] has joined #openvpn
02:11 <@vpnHelper> RSS Update - forum: VPN server won't start <http://forums.openvpn.net/topic7399.html#p8821>
02:11 < Bushmills> funyun: 1. determine why it doesn't work anymore.  2. undo what you did to put your system in that state
02:13 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
02:20 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has joined #openvpn
02:57 -!- mape2k [~jabber@galatea.net.pennewiss.de] has joined #openvpn
03:11 -!- rubin110 [~rubin110@70-36-142-176.dsl.dynamic.sonic.net] has joined #openvpn
03:12 < rubin110> Hi there. How do I setup openvpn to allow multiple clients to connect with different client keys?
03:15 < rubin110> Oh, so I don't need to call for the client keys on the serer?
03:15 < rubin110> server
03:26 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 240 seconds]
03:48 -!- master_of_master [~master_of@p57B53EB0.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
03:50 -!- master_of_master [~master_of@p57B5748B.dip.t-dialin.net] has joined #openvpn
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:52 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
03:55 -!- atan [~atan@unaffiliated/atan] has quit [Ping timeout: 272 seconds]
03:57 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
03:59 -!- atan2 [~atan@unaffiliated/atan] has quit [Ping timeout: 240 seconds]
04:07 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has quit [Read error: Operation timed out]
04:08 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has joined #openvpn
04:09 -!- hetii [~MrHetii@078088207047.walbrzych.vectranet.pl] has joined #openvpn
04:09 < hetii> Hello :>
04:10 < hetii> I had this issue: http://pastebin.ca/2030400
04:10 < hetii> my protocol is tcp :( and i had this trouble on windows client machine. under my linux box tunel works fine :<
04:16 -!- d457k [~heiko@vpn.astaro.de] has joined #openvpn
04:17 -!- d12fk [~heiko@2a01:198:4d7:1128:21f:c6ff:fe44:aec8] has quit [Ping timeout: 260 seconds]
04:19 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
04:31 < hetii> there are some proxy server that can produce this issue
04:31 < hetii> is it some way to handle this trafic
04:33 -!- common- [~common@p5DDA475E.dip0.t-ipconnect.de] has joined #openvpn
04:36 -!- common [~common@p5DDA49AB.dip0.t-ipconnect.de] has quit [Ping timeout: 264 seconds]
04:36 -!- common- is now known as common
04:39 < hetii> i also  do  a port DNAT on my firewall to 1194 cause others ports are block this client.
04:39 < hetii> So why it works under linux but not under windows client ?
04:56 -!- tlalt [~pawel@92.23.148.205] has joined #openvpn
05:05 -!- kaushal [~kaushal@182.72.135.38] has joined #openvpn
05:05 < kaushal> hi
05:08 < kaushal> I have two openvpn site configs. I have configured openvpn in daemon mode and it needs to be restarted automatically. I am always faced with the below sitution.
05:08 < kaushal> and then i need to restart it manually.
05:08 < kaushal> Dec 27 16:24:26 kaushal-laptop ovpn-sjc2[1287]: script failed: external program exited with error status: 1
05:08 < kaushal> Dec 27 16:24:26 kaushal-laptop ovpn-sjc2[1287]: Exiting
05:08 < kaushal> please suggest
05:09 -!- noisebleed [~quassel@piggy.inescn.pt] has joined #openvpn
05:09 -!- noisebleed [~quassel@piggy.inescn.pt] has quit [Changing host]
05:09 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
05:13 -!- atan [~atan@unaffiliated/atan] has quit [Ping timeout: 265 seconds]
05:27 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
05:44 -!- unspin [~unspin@S010600900b1a7c77.vc.shawcable.net] has joined #openvpn
05:48 <@vpnHelper> RSS Update - forum: TAP driver on Windows x64 <http://forums.openvpn.net/topic7441.html>
05:48 -!- unspin [~unspin@S010600900b1a7c77.vc.shawcable.net] has quit [Client Quit]
05:56 -!- mape2k [~jabber@galatea.net.pennewiss.de] has left #openvpn []
06:02 -!- brah [~brah@host29.190-31-62.telecom.net.ar] has joined #openvpn
06:02 -!- brah is now known as Guest81324
06:03 -!- hetii [~MrHetii@078088207047.walbrzych.vectranet.pl] has quit [Ping timeout: 276 seconds]
06:03 -!- Guest81324 is now known as brah
06:05 < kaushal> checking in again for the query ?
06:12 -!- Diffen2 [~diffen2@c-2472e555.042-17-73746f11.cust.bredbandsbolaget.se] has quit [Ping timeout: 240 seconds]
06:14 < tlalt> You can't do specialized forms of this attack like SYN flooding either. in TOR
06:14 < tlalt> is not good because my Linux PyLOIC is capable of SYN 
06:15 < tlalt> sorry just forget about it
06:16 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
06:51 -!- luneff [~yury@84.51.195.188] has joined #openvpn
07:20 -!- kaushal [~kaushal@182.72.135.38] has quit [Quit: leaving]
07:21 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
07:22 -!- Netsplit *.net <-> *.split quits: scatterp, Jarpse
07:27 -!- Netsplit over, joins: scatterp, Jarpse
07:32 -!- albech_ [~thomas@124.157.238.254] has joined #openvpn
07:45 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Read error: Operation timed out]
07:45 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
07:48 -!- dschuett1 [~dschuett@216.229.21.250] has joined #openvpn
08:08 -!- brah [~brah@host29.190-31-62.telecom.net.ar] has quit [Ping timeout: 240 seconds]
08:10 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving]
08:14 -!- brah [~brah@host18.190-31-20.telecom.net.ar] has joined #openvpn
08:18 < dschuett1> I am trying my first attempt at setting up openvpn. - I want to be able to vpn to my home network. - I have a linux box at home in front of my network running as my gateway with iptables and openvpn is set up on the same box. - I can't get my clients to connect with at IP from openvpn, but they can't ping anything on my home network??
08:24 -!- Pinger [182eb176@gateway/web/freenode/ip.24.46.177.118] has joined #openvpn
08:24 -!- brah [~brah@host18.190-31-20.telecom.net.ar] has quit [Ping timeout: 260 seconds]
08:26 < dschuett1> anyone here willing to help me figure out why my openvpn clients can't ping the vpn server or anything behind it?
08:29 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has quit [Quit: ZNC - http://znc.sourceforge.net]
08:30 -!- brah [~brah@host18.190-31-20.telecom.net.ar] has joined #openvpn
08:30 -!- derekv [~derekv@c-68-62-78-203.hsd1.mi.comcast.net] has joined #openvpn
08:31 -!- brah is now known as Guest96845
08:32 < Pinger> Question: I have OpenVPN set up on my gateway. Using the gateway's shell, I can access the other side of the lan  (192.168.0.1/24). However, if I'm on another computer (not the gw), I can not access 192.168.0.1/24
08:32 < Pinger> Any ideas.
08:33 < dschuett1> I am trying my first attempt at setting up openvpn. - I want to be able to vpn to my home network. - I have a linux box at home in front of my network running as my gateway with iptables and openvpn is set up on the same box. - I can get my clients to connect with at IP from openvpn, but they can't ping anything on my home network??
08:34 -!- fahmad [~linux@unaffiliated/fahmad] has quit []
08:47 -!- Guest96845 [~brah@host18.190-31-20.telecom.net.ar] has quit [Ping timeout: 260 seconds]
08:48 < Pinger> Again, I have a linux box as my gateway. It's the client on an openvpn network, and I'd like all my LAN traffic that is for 192.168.0.0/24 to go through the VPN and be returned to the LAN computer. so far, on the gateway itself I can ping all the 192.168.0.0/24 addresses, but on my LAN I can not.
08:48 < Pinger> Ideas?
08:50 -!- Guest96845 [~brah@host18.190-31-20.telecom.net.ar] has joined #openvpn
08:51 -!- Guest96845 is now known as brah
08:55 -!- brah [~brah@host18.190-31-20.telecom.net.ar] has quit [Client Quit]
09:06 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has joined #openvpn
09:07 -!- tlalt [~pawel@92.23.148.205] has quit [Read error: Connection reset by peer]
09:19 <@vpnHelper> RSS Update - forum: VPN server won't start <http://forums.openvpn.net/topic7399.html#p8823>
09:30 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Remote host closed the connection]
09:31 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
09:41 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 272 seconds]
09:43 < dschuett1> I am trying my first attempt at setting up openvpn. - I want to be able to vpn to my home network. - I have a linux box at home in front of my network running as my gateway with iptables and openvpn is set up on the same box. - I can get my clients to connect with at IP from openvpn, but they can't ping anything on my home network??
09:47 -!- albech_ [~thomas@124.157.238.254] has quit [Quit: Ex-Chat]
09:53 < gladiatr> dschuett1, are you using a point-to-point/tun connection?
09:54 -!- renihs [~lemming@83-65-34-34.arsenal.xdsl-line.inode.at] has joined #openvpn
09:55 -!- rubin110 [~rubin110@70-36-142-176.dsl.dynamic.sonic.net] has left #openvpn []
10:01 -!- Pinger [182eb176@gateway/web/freenode/ip.24.46.177.118] has quit [Quit: Page closed]
10:01 <@vpnHelper> RSS Update - forum: VPN server won't start <http://forums.openvpn.net/topic7399.html#p8824>
10:02 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has quit [Read error: Operation timed out]
10:02 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
10:02 -!- takamichi [~pri@85.232.213.54] has joined #openvpn
10:06 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn
10:06 -!- dschuett1 [~dschuett@216.229.21.250] has quit [Ping timeout: 240 seconds]
10:08 -!- dschuett [~dschuett@216.229.21.250] has joined #openvpn
10:09 < gladiatr> dschuett1, are you using a point-to-point/tun connection?
10:11 -!- s7r [~s7r@178.73.198.8] has joined #openvpn
10:20 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
10:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
10:32 -!- p3rror [~mezgani@41.140.39.157] has joined #openvpn
10:42 -!- th3mis [~them1s@node-nx6.ipv4.congress.ccc.de] has joined #openvpn
10:42 <@vpnHelper> RSS Update - forum: Full cone NAT on OpenVPN? <http://forums.openvpn.net/topic7434.html#p8825>
10:43 < th3mis> hi there
10:43 < gladiatr> hello
10:44 < th3mis> i'd need some support with my OpenVPN connection. Some kind of stuck here and don't know why atm, would somebody be so kind?
10:45 -!- MereX [~MereX@node-nwq.ipv4.congress.ccc.de] has joined #openvpn
10:45 < gladiatr> Do tell...
10:50 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
10:51 -!- th3mis [~them1s@node-nx6.ipv4.congress.ccc.de] has quit [Ping timeout: 276 seconds]
10:54 < gladiatr> waiting... :)
10:55 -!- MereX [~MereX@node-nwq.ipv4.congress.ccc.de] has quit [Ping timeout: 255 seconds]
10:55 <@vpnHelper> RSS Update - forum: [Solved] Problem when connecting Samba <http://forums.openvpn.net/topic7433.html#p8826>
11:03 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
11:05 -!- MereX [~MereX@node-obh.ipv4.congress.ccc.de] has joined #openvpn
11:06 < MereX> hi guys, I set up my openvpn now on my dedicated, stopped trying with the vps because didn´t get a damn! Same problem here, connecting is no problem, nat is configured to masquerate + ip_forward in on 1... i can connect to the vpn but there are no results coming back, any ideas`
11:06 <@vpnHelper> RSS Update - forum: max-clients <http://forums.openvpn.net/topic7431.html#p8827>
11:07 < MereX> ecrist, krzee, last time you both helped me alot any ideas now?
11:10 -!- Hamlin [~Hamlin@unaffiliated/hamlin] has quit [Disconnected by services]
11:10 -!- Hamlin_ [~Hamlin@unaffiliated/hamlin] has joined #openvpn
11:10 < MereX> !welcome
11:11 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
11:11 < MereX> !configs
11:11 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
11:11 < MereX> !logs
11:11 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin
11:11 < MereX> !route
11:11 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:12 < MereX> !redirect
11:12 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
11:12 <@vpnHelper> RSS Update - forum: Is it possible to update sqlite to add users <http://forums.openvpn.net/topic7432.html#p8828>
11:13 < MereX> !nat
11:13 <@vpnHelper> "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat !winnat and !fbsdnat for specific howto
11:13 < MereX> !linnat
11:13 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info, or (#4) on openvz try 'iptables -t nat -A PREROUTING -i tun0
11:13 <@vpnHelper> -j DNAT --to-destination container.ip'
11:19 -!- MereX [~MereX@node-obh.ipv4.congress.ccc.de] has quit [Quit: Leaving]
11:31 <@vpnHelper> RSS Update - forum: [Solved ]VPN server won't start <http://forums.openvpn.net/topic7399.html#p8824>
11:37 <@vpnHelper> RSS Update - forum: TAP driver on Windows x64 <http://forums.openvpn.net/topic7441.html#p8829>
11:43 <@vpnHelper> RSS Update - forum: error read UDPv4: Connection reset by peer (WSAECONNRESET) ( <http://forums.openvpn.net/topic7397.html#p8830> || [SOLVED] Can connect to server but not internet <http://forums.openvpn.net/topic7414.html#p8720>
11:52 -!- WinstonSmith [~true@e179020248.adsl.alicedsl.de] has joined #openvpn
11:55 <@vpnHelper> RSS Update - forum: Openvpn on a public gateway. <http://forums.openvpn.net/topic7411.html#p8831>
12:01 <@vpnHelper> RSS Update - forum: Client pings server but server cant ping Client. <http://forums.openvpn.net/topic7435.html#p8832>
12:05 -!- WinstonSmith [~true@e179020248.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
12:07 <@vpnHelper> RSS Update - forum: [MOVED] Client pings server but server cant ping Client. <http://forums.openvpn.net/topic7435.html#p8832> || [SOLVED] Advice / Help with openVPN <http://forums.openvpn.net/topic7372.html#p8803>
12:08 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Remote host closed the connection]
12:10 -!- noisebleed [~quassel@lula.inescn.pt] has joined #openvpn
12:10 -!- noisebleed [~quassel@lula.inescn.pt] has quit [Changing host]
12:10 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
12:11 < gladiatr> you get punched in the woofer and you get a noisebleed :D
12:11 -!- s7r [~s7r@178.73.198.8] has left #openvpn []
12:12 -!- mmarker [~anon@ool-4354a976.dyn.optonline.net] has joined #openvpn
12:14 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
12:18 -!- Netsplit *.net <-> *.split quits: ChocoCooks, scatterp, Jarpse
12:21 -!- WinstonSmith [~true@g231240127.adsl.alicedsl.de] has joined #openvpn
12:22 -!- Netsplit over, joins: ChocoCooks
12:31 <@vpnHelper> RSS Update - forum: OpenVPN connection speed <http://forums.openvpn.net/topic7400.html#p8834> || Static Key Setup & Routing <http://forums.openvpn.net/topic7417.html#p8833> || [SPLIT] Unable to access servers on vpn network. <http://forums.openvpn.net/topic7442.html>
12:37 <@vpnHelper> RSS Update - forum: Need Help with Config <http://forums.openvpn.net/topic7418.html#p8836> || [SPLIT] Unable to access servers on vpn network. <http://forums.openvpn.net/topic7442.html#p8835>
12:43 <@vpnHelper> RSS Update - forum: HELP <http://forums.openvpn.net/topic7415.html#p8837> || [SOLVED] Need help with my openVPN Configuration <http://forums.openvpn.net/topic7407.html#p8729>
12:45 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
12:46 -!- scatterp [~scatterp@87.127.188.177] has joined #openvpn
12:51 -!- Jarpse [~jarpse@cluon.soleus.nu] has joined #openvpn
12:53 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has quit [Quit: to the toad abode, Blode...]
13:12 -!- mmarker [~anon@ool-4354a976.dyn.optonline.net] has quit [Quit: mmarker]
13:28 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 240 seconds]
13:29 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
13:32 -!- WinstonSmith [~true@g231240127.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
13:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
13:40 -!- Hamlin_ is now known as Hamlin
13:44 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
13:45 -!- WinstonSmith [~true@g230120063.adsl.alicedsl.de] has joined #openvpn
13:48 -!- LordDoskias [~nib9@unaffiliated/lorddoskias] has joined #openvpn
13:49 < LordDoskias> !tap
13:49 <@vpnHelper> "tap" is "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where
13:49 <@vpnHelper> the protocol uses MAC addresses instead of IP addresses.
13:56 < ecrist> hola peoples
13:58 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
14:18 -!- curriegrad2004 [~curriegra@cg4l3001.smb.curriegrad2004.ca] has quit [Read error: Connection reset by peer]
14:23 < krzee> !forget linnat 4
14:23 <@vpnHelper> Joo got it.
14:23 < krzee> !learn linnat openvz see !openvzlinnat
14:23 <@vpnHelper> (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
14:23 < krzee> !learn linnat as openvz see !openvzlinnat
14:23 <@vpnHelper> Joo got it.
14:27 -!- luneff [~yury@84.51.195.188] has joined #openvpn
14:29 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:34 -!- luneff [~yury@84.51.195.188] has quit [Ping timeout: 240 seconds]
14:39 -!- WinstonSmith [~true@g230120063.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
14:42 < dschuett> is packet loss normal with openvpn?
14:42 < dschuett> for example...if i ping my client from inside my LAN i get around a 5%-20% packet loss ?
14:52 -!- WinstonSmith [~true@e177093150.adsl.alicedsl.de] has joined #openvpn
14:53 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
14:55 < LordDoskias> dschuett: what's the underlying environment
14:57 < dschuett> LordDoskias: I just have a single server and a few pc's behind my linux box (running iptables and openvpn) and i'm pining a client from my server inside my LAN
14:57 < LordDoskias> i mean 
14:57 < LordDoskias> what's the underlying link that openvpn is running atop 
14:58 < LordDoskias> i don't think it's normal to have packet loss unless the underlying network media is fucked up 
14:58 < LordDoskias> eg, overloaded switch, faulty cables
14:58 < LordDoskias> some sort of traffic shaping 
15:00 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Ping timeout: 276 seconds]
15:02 -!- funyun [~eddie@ns213451.ovh.net] has quit [Remote host closed the connection]
15:05 < dschuett> LordDoskias: my openvpn box is my first point of contact on my home network. eth0 is hooked to my cable modem, and eth1 is my internal network... is that what you're looking for?
15:05 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
15:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
15:06 < dschuett> eth1 connects directly to a linksys switch which then is connected to my internal network...
15:06 < dschuett> LordDoskias ^^
15:19 < krzie> also, are you using tcp as your transport protocol?
15:20 < krzie> if so, dont
15:21 < krzie> as for the question...
15:21 < krzie> [12:42]  <dschuett> is packet loss normal with openvpn?
15:21 < krzie> no
15:22 < dschuett> krzie: when i ping my remote clients from a server behind my openvpn/gateway i get packet loss
15:22 < krzie> [13:19]  <krzie> also, are you using tcp as your transport protocol?
15:25 < dschuett> krzie: no, udp
15:25 < krzie> good
15:25 < krzie> test your mtu
15:25 < krzie> !mtu
15:25 <@vpnHelper> "mtu" is (#1) see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config, or (#2) mtu debugging guide: http://www.secure-computing.net/wiki/index.php/OpenVPN/Troubleshooting
15:25 < dschuett> ok, cool. thanks for the info!
15:32 < krzie> np
15:32 < LordDoskias> grrr
15:32 < LordDoskias> why does my vpn die at random intervals :(
15:32 < LordDoskias> and then i can't connect
15:36 < krzie> very likely unrelated to openvpn... more likely something outside of it
15:39 -!- dschuett [~dschuett@216.229.21.250] has left #openvpn []
15:39 -!- reggie [~reggie@luhy.skylan.sk] has joined #openvpn
15:40 < reggie> !goal
15:40 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
15:41 < reggie> hellou friends
15:41 < reggie> i have problem with creating tap/tun interface in vserver linux debian machine
15:42 < reggie> Dec 27 21:34:52 vpn ovpn-tcp-server[28097]: Initialization Sequence Completed
15:42 < reggie> Dec 27 21:34:52 vpn ovpn-tcp-server[28097]: EVENT: epoll_ctl EPOLL_CTL_MOD failed: Operation not permitted (errno=1)
15:42 < reggie> Dec 27 21:34:52 vpn ovpn-tcp-server[28097]: Exiting
15:42 < reggie> can somebody help me?
15:43 < reggie> and also I've got in log this:
15:43 < reggie> Dec 27 21:29:28 vpn ovpn-tcp-server[27688]: Note: Attempting fallback to kernel 2.2 TUN/TAP interface
15:43 < reggie> Dec 27 21:29:28 vpn ovpn-tcp-server[27688]: Cannot open TUN/TAP dev /dev/tap1: No such file or directory (errno=2)
15:44 < reggie> i tried create in root tap0 and tap1 interface in root linux machine with vserver kernel
15:44 < reggie> inside vserver i cant access to tap1, tap0 - it must run automatically
15:44 < reggie> not?
15:45 < LordDoskias> krzie: highly doubtful 
15:45 < LordDoskias> after a couple of restarts due to idle ping 
15:45 < LordDoskias> i suddenly get a unroutable control packet received 
15:45 < LordDoskias> and the whoe thing dies, and then after some period i can connect again
15:46 < LordDoskias> reggie: do you have an openvz container?
15:47 < reggie> LordDoskias: i'm using linux-vserver 
15:47 < LordDoskias> esentially your openvpn is inside a virtual machine?
15:47 < reggie> yes
15:47 < LordDoskias> right
15:48 < LordDoskias> http://wiki.openvz.org/VPN_via_the_TUN/TAP_device
15:48 <@vpnHelper> Title: VPN via the TUN/TAP device - OpenVZ Wiki (at wiki.openvz.org)
15:48 < LordDoskias> check this, i know it is for openvz but might contain some related info
15:48 < LordDoskias> probably you need the equivalent of the venet/veth interfaces
15:51 -!- me345 [~me345@adsl-75-15-182-128.dsl.bkfd14.sbcglobal.net] has joined #openvpn
15:55 -!- Cruality [~Cruality@62.66.195-77.rev.gaoland.net] has joined #openvpn
15:56 < Cruality> Hello
15:56 < Cruality> Someone can help me to configure OpenVPN on my server?
15:58 < ChocoCooks> what kind of server
15:58 < ChocoCooks> linux, windows?
16:01 < Cruality> ChocoCooks, Debian on a Kimsufi (ovh)
16:03 < ChocoCooks> debian isn't really my forte'
16:04 < Cruality> wish distrib you can help me?
16:04 < ChocoCooks> centos
16:04 < reggie> LordDoskias: i'm trying this http://linux-vserver.org/Frequently_Asked_Questions#Can_I_run_an_OpenVPN_Server_in_a_guest.3F
16:04 <@vpnHelper> Title: Frequently Asked Questions - Linux-VServer (at linux-vserver.org)
16:06 < reggie> i have still errors
16:06 < reggie> openvpn --mktun --dev tun16
16:06 < reggie> Mon Dec 27 22:06:16 2010 Note: Cannot ioctl TUNSETIFF tun16: Inappropriate ioctl for device (errno=25)
16:06 < reggie> Mon Dec 27 22:06:16 2010 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
16:06 < reggie> Mon Dec 27 22:06:16 2010 Cannot open TUN/TAP dev /dev/tun16: No such file or directory (errno=2)
16:06 < reggie> Mon Dec 27 22:06:16 2010 Exiting
16:06 < reggie> :(
16:06 < reggie> i tried create also tap0 and still have errors
16:10 < ChocoCooks> reggie ur probably dont have tun/tap support
16:12 < reggie> but when i create sometiing like this: echo "tap0" > /etc/vserver/my_vpn_server/interfaces/1/dev
16:13 < reggie> i have this tap interface inside vserver guest machine
16:13 < reggie> and openvpn udp config assign automatically ip address to this interface
16:13 < reggie> but i have 2 server configs
16:13 < reggie> everything works  with udp
16:14 < reggie> but with tcp i having errors
16:18 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 240 seconds]
16:18 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
16:18 <@vpnHelper> RSS Update - pastebin: end3r <http://pastebin.ca/2026670>
16:19 -!- p3rror [~mezgani@41.140.39.157] has quit [Ping timeout: 240 seconds]
16:21 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Read error: Connection reset by peer]
16:23 < krzie> assuming you do have tuntap loaded in the kernel, you likely dont have tun nodes above 9
16:24 < krzie> which you can see by ls /dev/tun*
16:24 < krzie> as for tcp...
16:24 < krzie> !tcp
16:24 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
16:25 < krzie> LordDoskias, your reasoning for your problem being inside openvpn does not convince me... i still think something outside openvpn is the cause
16:26 < LordDoskias> krzie:  i can present you with a log now
16:28 < krzie> i dont have much time to look things over, but you should post them anyways since others may see it as well
16:28 < LordDoskias> dhttp://openvpn.pastebin.ca/2030886
16:28 < Cruality> This is a good tutorial? https://help.ubuntu.com/10.04/serverguide/C/openvpn.html
16:28 <@vpnHelper> Title: OpenVPN (at help.ubuntu.com)
16:29 < krzie> Cruality, this is:
16:29 < krzie> !howto
16:29 <@vpnHelper> RSS Update - pastebin: lorddoskias <http://pastebin.ca/2030886>
16:29 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:30 < Cruality> I don't understand the openvpn's how to
16:30 -!- shnook [~shnoon@unaffiliated/shnook] has joined #openvpn
16:30 < shnook> hi
16:30 < shnook> in my server conf i have "management localhost 7505"
16:30 < shnook> when i try to start the service, it says no perm to bind
16:31 < LordDoskias> you should start it as an administrator
16:31 < LordDoskias> right click run as admin or something 
16:31 < LordDoskias> that's for windows
16:31 -!- scatterp [~scatterp@87.127.188.177] has left #openvpn []
16:32 < shnook> i am doing it in console
16:32 < shnook> service openvpn start
16:33 < krzie> are you root in this console...
16:33 < shnook> yea
16:33 < krzie> Cruality, what is your goal?
16:33 < shnook> i tried adding it to /etc/services also
16:33 < krzie> shnook, are you using selinux...?
16:33 < shnook> no. centOS
16:33 < krzie> selinux is not an OS
16:33 < shnook> i dont think so. how do i check
16:34 < krzie> dunno, i dont use linux
16:34 < shnook> oh also
16:34 < shnook> ifconfig-pool-persist isnt working
16:34 < Cruality> Krzie, i want to install OpenVPN on my server. I want to connect my PC through this VPN.
16:48 < ChocoCooks> Cruality google is your friend too
16:48 < ChocoCooks> search for 'how install openvpn debian'
16:48 < Cruality> i did
16:49 < Cruality> i try 4 times. never succed
16:49 < ChocoCooks> thats funny
16:49 < krzie> here ya go
16:49 < ChocoCooks> cuz yesterday i searched for that and found 
16:49 < krzie> !sample
16:49 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
16:49 < krzie> !redirect
16:49 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
16:50 < Cruality> ChocoCooks, i've found a lot of tutorials. But when i try to install, that don't work
16:50 < shnook> guys
16:50 < shnook> any idea
16:51 < shnook> how ot make  ifconfig-pool-persist work?
16:52 < Cruality> In this guide, https://help.ubuntu.com/10.04/serverguide/C/openvpn.html i don't understand when he said Replace all IP addresses and domain names above with those of your network
16:52 <@vpnHelper> Title: OpenVPN (at help.ubuntu.com)
16:54 < krzie> shnook, 
16:54 < krzie> !ipp
16:54 < shnook> hi
16:54 <@vpnHelper> "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
16:54 < shnook> ok
16:54 < shnook> but that file is empty nevertheless
16:54 < krzie> odds are its not what you want anyways
16:55 < shnook> but still, i want it to work. i'll do static later
16:55 < shnook> maybe it's very picky about file flags?
16:55 < krzie> you most likely DO NOT want it to work
16:55 < krzie> what makes you think you do?
16:55 < shnook> i've read the descr
16:55 < shnook> looks good to me for now
16:55 < shnook> i am testing it out etc
16:56 < krzie> and if you happen to be dropping permissions,  it would need to be writeable by the new user/group
16:56 < shnook> i am not
16:56 < krzie> what is your goal of using that option...?
16:59 < shnook> to see how it works
16:59 < shnook> i want to see the file
17:01 < krzie> it would look like this:
17:01 < krzie> mary,192.168.5.4
17:01 < krzie> www.gayleard.com,192.168.5.8
17:02 < krzie> CN,IP   (with IP being the non-existent ip that the server uses to reach the client (assuming net30, aka default topology))
17:04 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has quit [Ping timeout: 260 seconds]
17:05 < shnook> dude
17:05 < shnook> how to make it work?
17:13 < shnook> ?
17:23 < krzie> figure out why your system wont let you write to the file, then fix it... you also may need to use a full path in your config if you dont already
17:25 < shnook> works
17:25 < shnook> ok
17:25 < shnook> now, how to get the management console working?
17:25 < shnook> [17:30] <shnook> in my server conf i have "management localhost 7505"
17:25 < shnook> [17:30] <shnook> when i try to start the service, it says no perm to bind
17:25 < krzie> is something already bound to 127.0.0.1:7505?
17:26 < shnook> dont think so
17:26 < shnook> how to check?
17:26 < krzie> if not, figure out why your OS wont let root bind to that
17:26 < krzie> netstat -l and an understanding of the output
17:26 < shnook> nop nothing
17:27 < shnook> i am on centOS
17:42 < reiffert> moin
17:42 < Bushmills> hi reiffert
17:44 < shnook> ?
17:47 < LordDoskias> http://openvpn.pastebin.ca/2030886 - can someone check this url and see if they can provide hints as to why i can't connect to the vpn
17:48 < reiffert> OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
17:49 < LordDoskias> reiffert: this is for me?
17:49 < LordDoskias> yeah ok
17:49 < LordDoskias> but the thing is after some hours this connection will work 
17:49 < reiffert> ERROR: --dev tun also requires --ifconfig
17:49 -!- Cruality [~Cruality@62.66.195-77.rev.gaoland.net] has quit [Quit: Leaving...]
17:50 -!- Cruality [~Cruality@62.66.195-77.rev.gaoland.net] has joined #openvpn
17:50 < LordDoskias> in short - it most probably has something to do with the server's conf, correct?
17:50 < LordDoskias> i have to add correct ifconfig option?
17:50 < LordDoskias> so that it can push correct settings to my adapter 
17:51 -!- Cruality [~Cruality@62.66.195-77.rev.gaoland.net] has quit [Read error: No route to host]
17:51 < reiffert> in short: probably
17:53 < reiffert> !man
17:53 <@vpnHelper> "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
17:53 < reiffert> see what --server expands to.
17:53 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn
17:54 < reiffert> and what it expands for --client
17:54 -!- Cruality [~Cruality@pyrus.feralhosting.com] has joined #openvpn
17:55 < LordDoskias> what worries me is that this problem is not persistent 
17:55 < LordDoskias> because as i said after some time everything will be working
17:56 < LordDoskias> right, so i night to play with the push "route-gateway" option
17:57 < LordDoskias> as far as i can remember i have a route gateway directive and ifconfig-pool 
17:57 < LordDoskias> but i will see
17:59 < LordDoskias> !speed
18:00 < LordDoskias> what are the maximum speeds that ppl in this channel have managaed to get with openvpn 
18:00 < LordDoskias> ?
18:00 < krzie> someone was getting 20MB/s over gigabit before spiking his cpu core to 100%
18:00 < krzie> he found his solution was to run 2 server instances to get both cores working
18:01 < krzie> it didnt give more single client throughput, but it did help him get more max throughput with multiple clients (because each core could handle roughly 20MB/s)
18:01 < krzie> thats MB, megabytes
18:02 -!- |ns|nR8 [~steve@60-242-209-243.static.tpgi.com.au] has joined #openvpn
18:02 -!- |ns|nR8 [~steve@60-242-209-243.static.tpgi.com.au] has left #openvpn []
18:03 < LordDoskias> i guess you can do more if you use shorter key etc
18:03 < LordDoskias> or some less cpu-intensive ciphers
18:05 < ChocoCooks> i dont think there is a max speed
18:05 < ChocoCooks> just depends on cpu
18:05 < krzie> yes and no
18:05 < ChocoCooks> it'll be multicore with version 3 i suspect
18:06 < krzie> yes, that is true
18:06 < ChocoCooks> 1000Mbit line could probably be saturated already
18:06 < krzie> not so likely
18:06 < krzie> i believe that guy was using cipher none for testing
18:06 < krzie> aka no encryption
18:07 < ChocoCooks> after compression...
18:07 < ChocoCooks> i thought i heard someone saying that maxed out a 1Gbit line 
18:08 < ChocoCooks> got like 120MB/s
18:08 < ChocoCooks> one core
18:08 < ChocoCooks> any of the developers ever pop in here?
18:08 < LordDoskias> w00t, californication ep 2 ^_^
18:12 < ChocoCooks> never heard of that show
18:13 < krzie> ChocoCooks, someone may have, im just saying what 1 person reported the other day
18:13 < krzie> and yes devs do pop in
18:15 < ChocoCooks> i thought u might be one
18:15 < ChocoCooks> u know alot
18:15 < reiffert> :)
18:15 < reiffert> krzie: did the shell trickery work the other day?
18:16 < krzie> not yet, i ran into more issues with my script, realized that for now i can set a couple vars manually in the script and worry about the UI once things are working as they should
18:17 < krzie> the UI is for other users, but they shouldnt be using it anyways until i solve the remaining issues
18:19 < reiffert> the ui stuff isnt that hard .. using dialog.
18:19 -!- shnook [~shnoon@unaffiliated/shnook] has quit [Ping timeout: 240 seconds]
18:20 < krzie> yup, definitely first on my list of things to play with when ui time comes
18:21 < reiffert> you will need some redirection stuff like
18:21 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
18:21 < reiffert> exec 6>&1
18:21 < reiffert> answer=$(dialog --foo --bar >6)
18:21 < reiffert> erm, 1>&6
18:26 -!- shnook [~shnoon@cpe-68-174-148-185.nyc.res.rr.com] has joined #openvpn
18:27 < ChocoCooks> does the openvpn client ever need to 'ping' the server?
18:28 < reiffert> see what --ping and suchalikes do.
18:28 < reiffert> --ping-restart may be interesting.
18:29 < reiffert> ah well, --keepalive may be of interest too
18:29 < ChocoCooks> just asking because i might get a server with a company
18:30 < ChocoCooks> that puts a firewall infront of your server that wont let u ping the server
18:30 < ChocoCooks> just wondering if that would affect openvpn
18:30 < reiffert> ping will use the tunnel.
18:32 < ChocoCooks> and tunnel goes through their firewall
18:32 -!- shn00k [~shnoon@cpe-68-174-148-185.nyc.res.rr.com] has joined #openvpn
18:34 -!- reggie [~reggie@luhy.skylan.sk] has quit [Ping timeout: 255 seconds]
18:35 -!- shnook [~shnoon@cpe-68-174-148-185.nyc.res.rr.com] has quit [Ping timeout: 240 seconds]
18:38 < LordDoskias> !man
18:38 <@vpnHelper> "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:41 <@vpnHelper> RSS Update - forum: windows client and ubuntu virtual machine server on same box <http://forums.openvpn.net/topic7443.html>
18:43 < krzie> !factoids
18:43 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
18:48 < reiffert> !help factoids
18:48 <@vpnHelper> Error: There is no command "factoids".
18:48 < reiffert> !factoids help
18:49 < krzie> !factoids --help
18:49 < krzie> !factoids search --help
18:49 <@vpnHelper> (factoids search [<channel>] [--values] [--{regexp} <value>] [<glob> ...]) -- Searches the keyspace for keys matching <glob>. If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
18:49 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has left #openvpn []
18:50 < krzie> !list factoids
18:50 <@vpnHelper> change, forget, info, learn, lock, random, search, unlock, and whatis
18:53 -!- shn00k is now known as shnook
18:53 -!- shnook [~shnoon@cpe-68-174-148-185.nyc.res.rr.com] has quit [Changing host]
18:53 -!- shnook [~shnoon@unaffiliated/shnook] has joined #openvpn
18:54 -!- shnook is now known as shn00k
18:54 -!- shn00k is now known as shnook_
18:54 -!- shnook_ is now known as shnook
18:54 < shnook> sorry
18:55 < LordDoskias> the moon, is NOT a "heavenly body" but rather, an artificial construct, A gigantic spacecraft  ( probably a hollowed out planetoid) which is home to the extraterrestrial group which has been manipulating humanity for aeons.
18:56 < LordDoskias> ppl are crazy ...
19:04 < reiffert> ?
19:06 < shnook> can someone help me get management interface up? it cant bind due to perms even though i am running as root
19:06 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
19:07 < krzie> reiffert, you know much more about linux than me, maybe he has selinux running ^ ?
19:07 < |Mike|> lol?
19:08 < |Mike|> shnook: what error do you get?
19:18 < shnook> Mike
19:18 < shnook> could not bind to 7505
19:18 < shnook> permission denied
19:18 < |Mike|> it's already in use?
19:18 < |Mike|> (use netstat or nmap or whatever)
19:19 < shnook> its not in use
19:19 < shnook> [root@30AK10 openvpn]# netstat -a|grep 7505
19:19 < shnook> [root@30AK10 openvpn]#
19:22 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Ping timeout: 265 seconds]
19:22 -!- ss0 [~shotgun@cpe-72-190-122-22.tx.res.rr.com] has joined #openvpn
19:26 < shnook> any suggestions?
19:27 -!- ChocoCooks [~daniell@82-168-191-228.ip.telfort.nl] has joined #openvpn
19:30 < |Mike|> shnook: try 7504 or something
19:31 < shnook> k
19:31 < |Mike|> ChocoCooks: ohai dutchy
19:33 < shnook> Dec 27 15:33:49 30AK10 openvpn[4512]:   auth_user_pass_file = '[UNDEF]'
19:33 < shnook> Dec 27 15:33:49 30AK10 openvpn[4512]: OpenVPN 2.1.4 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Dec  2 2010
19:33 < shnook> Dec 27 15:33:49 30AK10 openvpn[4512]: MANAGEMENT: Socket bind failed on local address 127.0.0.1:7504: Permission denied
19:33 < shnook> Dec 27 15:33:49 30AK10 openvpn[4512]: Exiting
19:34 < shnook> wtf?
19:34 < |Mike|> a port below 1024 works?
19:34 < shnook> i havent tried
19:34 < shnook> arent they all taken
19:34 < |Mike|> by whom
19:36 < shnook> Dec 27 15:36:08 30AK10 openvpn[4574]: OpenVPN 2.1.4 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Dec  2 2010
19:36 < shnook> Dec 27 15:36:08 30AK10 openvpn[4574]: MANAGEMENT: Socket bind failed on local address 127.0.0.1:1000: Permission denied
19:36 < shnook> Dec 27 15:36:08 30AK10 openvpn[4574]: Exiting
19:36 < |Mike|> I would blame redhat.
19:36 < shnook> but other shit works
19:36 < shnook> weird
19:36 < |Mike|> 'shit'?
19:36 < shnook> like other services can bind
19:36 < |Mike|> port 1194 works?
19:36 < shnook> yes
19:37 < shnook> i got it up and running nicely
19:37 < shnook> hmm let me try 1194
19:37 < shnook> that worked
19:38 < shnook> laim
19:38 < |Mike|> laim?
19:38 < shnook> lame
19:38 < |Mike|> sno: jo
19:39 < |Mike|> shnook: strange.
19:39 < |Mike|> firewall?
19:40 < shnook> its open for local stuff
19:40 < shnook> how do i list clients
19:40 < shnook> when i am telnetted in
19:40 < |Mike|> telnet into what?
19:40 < shnook> management interface
19:42 < |Mike|> openvpn doesn't have that imho.
19:42 < shnook> i read somewhere that it does so i was trying to set it up
19:50 < shnook> hah
19:50 < shnook> it uses the log
19:50 < shnook> thats so lame
19:50 < |Mike|> your OS is beeing lame towards you imho.
19:50 < shnook> wachu mean
19:50 < shnook> with the port stuff?
19:50 < |Mike|> Yes sir.
19:51 < shnook> i was thinking it's lame that the management thingie does not list all connected clients. what's up with that?
19:51 < krzie> [17:40]  <shnook> management interface
19:51 < krzie> [17:42]  <|Mike|> openvpn doesn't have that imho.
19:51 < shnook> yea
19:51 < |Mike|> don't ask me. Ask their developers.
19:51 < shnook> what's up with that? that's lamage
19:51 < krzie> |Mike|, you meant that openvpn doesnt have management interface?
19:51 < krzie> because, yes, it does
19:51 < shnook> it has
19:51 < krzie> see --management
19:51 < shnook> but it doesnt list shit
19:51 < |Mike|> it does? 
19:51 < krzie> !management
19:51 <@vpnHelper> "management" is (#1) see http://openvpn.net/management for doc on management interface, or (#2) read http://svn.openvpn.net/projects/openvpn/obsolete/BETA21-preauto/openvpn/management/management-notes.txt if you are a programmer making a GUI that will interact with OpenVPN
19:52 < |Mike|> 2.1 beta?
19:52 < krzie> thats when it came to existence
19:52 < krzie> it was not meant for users to use tho
19:53 < krzie> it was meant for programs to use, to get info and give it to users in a friendlier way
19:53 < shnook> heh
19:53 < shnook> why does everything have to be so cheesy
19:53 < |Mike|> I'm more a commandline guru than a GUI click/delete figure :-O
19:53 < shnook> hey guys
19:53 < shnook> maybe you know this:    i have openVPN server running on a host. On same host, i also have 2 virtual machines in VBOX
19:54 < |Mike|> so
19:54 < shnook> and i have a windows7 client with which i am connecting to the vpn
19:54 < shnook> i wanna be able to see those VBOX machines
19:54 < shnook> without installing openVPN client on each
19:54 < shnook> is it possible?
19:54  * |Mike| utters something with openvpn and bridges
19:55 < shnook> heh
19:56 < krzie> !route
19:56 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
19:56 < krzie> i wont be helping with that setup tho
19:56 < shnook> why not?
19:56 < krzie> cause i dont run VBOX
19:57 < shnook> so
19:57 < shnook> what do you run?
19:57 < krzie> nor do i care about learning about anything specific you'll need to learn
19:57 < |Mike|> kvm!
19:57 < krzie> i run freebsd/osx
19:57 < krzie> specific to it*
20:02 < shnook> hehhh
20:14 < shnook> ohh krzie
20:14 < shnook> you wrote it
20:14 < shnook> nice
20:18 < krzie> ;]
20:21 -!- dschuett1 [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn
20:22 < dschuett1> should i see my openvpn clients in the arp table on the box running openvpn server?
20:22 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
20:22 < krzie> are you using tun or tap...?
20:23 < krzie> if tun, no... if tap, maybe (i dont know, but could see that it could be a yes)
20:26 < dschuett1> tun
20:27 -!- dschuett1 [~dschuett@ip68-99-4-225.om.om.cox.net] has left #openvpn []
20:27 < shnook> heh
20:37 -!- Cruality [~Cruality@pyrus.feralhosting.com] has quit [Ping timeout: 240 seconds]
20:43 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
20:44 -!- harry_ [~harry@123.sub-174-252-47.myvzw.com] has joined #openvpn
20:44 < harry_> !welcome
20:44 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
20:45 < harry_> !goal
20:45 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
20:45 -!- WinstonSmith_ [~true@g231218251.adsl.alicedsl.de] has joined #openvpn
20:45 < harry_> !logs
20:45 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin
20:46 < harry_> !pb
20:46 <@vpnHelper> "pb" is Use our pastebin to post configs and logs at http://openvpn.pastebin.ca rather than posting to the channel.
20:47 < harry_> sorry, I suppose i could reduce clutter and do this in /pm
20:47 -!- ChocoCooks [~daniell@82-168-191-228.ip.telfort.nl] has quit [Ping timeout: 276 seconds]
20:48 < harry_> or not :(
20:48 -!- me345 [~me345@adsl-75-15-182-128.dsl.bkfd14.sbcglobal.net] has quit [Read error: Connection reset by peer]
20:48 -!- WinstonSmith [~true@e177093150.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
20:51 < krzie> !factoids
20:51 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
20:53 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
20:57 -!- harry_ [~harry@123.sub-174-252-47.myvzw.com] has quit [Ping timeout: 240 seconds]
21:02 -!- WinstonSmith_ is now known as WinstonSmith
21:11 <@vpnHelper> RSS Update - pastebin: harry_ <http://pastebin.ca/2031074>
21:11 -!- harry_ [~harry@123.sub-174-252-47.myvzw.com] has joined #openvpn
21:12 < harry_> greetings
21:12 < harry_> requesting assistance: http://openvpn.pastebin.ca/2031074
21:13 < harry_> sorry. http://openvpn.pastebin.ca/2031076
21:14 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
21:17 <@vpnHelper> RSS Update - pastebin: harry_ <http://pastebin.ca/2031076>
21:18 < harry_> That is an invalid ID, or the post has expired.
21:19 < harry_> might want to tweak the url generator on that script
21:39 < harry_> !sample
21:39 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
21:39 -!- kaushal [~kaushal@182.72.135.38] has joined #openvpn
21:39 < kaushal> hi
21:40 < harry_> greetings
21:40 < kaushal> harry_: hi
21:40 < harry_> how's things?
21:40 < kaushal> Please guide me about my issue posted on openvpn users mailing list ?
21:40 < harry_> <----- noob
21:44 < harry_> sorry to disappoint you
21:47 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Excess Flood]
21:47 < kaushal> My post is here --> http://sourceforge.net/mailarchive/message.php?msg_id=26812706
21:47 <@vpnHelper> Title: SourceForge.net: OpenVPN: (at sourceforge.net)
21:47 -!- LowKey [rhel@unaffiliated/lowkey] has joined #openvpn
21:48 -!- LordDoskias [~nib9@unaffiliated/lorddoskias] has quit [Quit: Lost terminal]
21:53 < harry_> well you post has been replied to, requesting more info. I too would need that info
21:54 < harry_> and even then I am not sure I could help
22:05 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
22:06 < kaushal> ok
22:21 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
22:41 -!- Cruality [~Cruality@pyrus.feralhosting.com] has joined #openvpn
22:45 -!- kaushal [~kaushal@182.72.135.38] has quit [Ping timeout: 255 seconds]
22:48 -!- harry_ [~harry@123.sub-174-252-47.myvzw.com] has quit [Ping timeout: 240 seconds]
23:00 -!- kaushal [~kaushal@182.72.135.38] has joined #openvpn
23:01 -!- harry_ [~harry@166.sub-174-252-35.myvzw.com] has joined #openvpn
23:14 -!- kaushal [~kaushal@182.72.135.38] has quit [Quit: leaving]
23:46 -!- kaushal [~kaushal@182.72.135.38] has joined #openvpn
23:46 < kaushal> hi
23:47 < kaushal> can someone please guide me about my issue ?
23:47 < krzee> depends what it is
23:47 < kaushal> krzee: ah sure
23:48 < kaushal> krzee: please give me a moment
23:49 < kaushal> krzee: http://sourceforge.net/mailarchive/forum.php?thread_name=4D18B6AC.90309%40open-t.co.uk&forum_name=openvpn-users
23:49 <@vpnHelper> Title: SourceForge.net: OpenVPN: openvpn-users (at sourceforge.net)
23:50 < krzee> i dont see the info he asked for
23:51 < kaushal> sure
23:51 < kaushal> krzee: do you need client configs ?
23:52 < krzee> whichever one that error is from
23:52 < kaushal> I see it in daemon.log 
23:52 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:52 < krzee> !logfile
23:52 <@vpnHelper> "logfile" is (#1) openvpn will log to syslog if started in daemon mode. You can manually specify a logfile with: log /path/to/logfile, or (#2) verb 3 is good for everyday usage, verb 5 for debugging, or (#3) see --daemon --log and --verb in the manual (!man) for more info
23:53 < krzee> whichever machine the mail post log is from
23:53 < kaushal> ok
23:54 < kaushal> krzee: is it log /var/log/sjc2.log in client.conf ?
23:54 < kaushal> I mean add that line ...
23:55 < krzee> sure, if that is the logfile you want
23:55 < krzee> and use verb 4
23:55 < kaushal> ok
23:55 < kaushal> ok
23:59 < kaushal> http://pastebin.ubuntu.com/548150/
--- Day changed Tue Dec 28 2010
00:07 -!- kaushal [~kaushal@182.72.135.38] has quit [Quit: leaving]
00:08 < krzee> while thats not his configs, it seems to be a problem in his up script, which is used to catch pushdns stuff
00:09 -!- BasketCase [~kmk@asylum.sanitarium.net] has joined #openvpn
00:16 <@vpnHelper> RSS Update - forum: VPN coder wanted <http://forums.openvpn.net/topic7444.html>
00:18 -!- harry_ [~harry@166.sub-174-252-35.myvzw.com] has quit [Read error: Connection reset by peer]
00:19 -!- harry_ [~harry@166.sub-174-252-35.myvzw.com] has joined #openvpn
00:30 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 272 seconds]
00:37 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
00:40 -!- WinstonSmith [~true@g231218251.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
00:42 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
00:45 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
00:51 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Read error: Connection reset by peer]
00:51 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
00:51 -!- harry_ [~harry@166.sub-174-252-35.myvzw.com] has quit [Remote host closed the connection]
00:52 -!- harry_ [~harry@166.sub-174-252-35.myvzw.com] has joined #openvpn
01:08 -!- atan [~atan@unaffiliated/atan] has quit [Quit: null]
01:15 -!- harry_ [~harry@166.sub-174-252-35.myvzw.com] has quit [Ping timeout: 240 seconds]
01:21 -!- harry_ [~harry@166.sub-174-252-35.myvzw.com] has joined #openvpn
02:10 -!- harry_ [~harry@166.sub-174-252-35.myvzw.com] has quit [Ping timeout: 240 seconds]
02:20 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro]
02:23 -!- harry_ [~harry@19.sub-174-252-49.myvzw.com] has joined #openvpn
02:25 -!- reggie [~reggie@luhy.skylan.sk] has joined #openvpn
02:44 -!- Bushmills [~Bushmills@scarydevilmonastery.net] has joined #openvpn
02:51 -!- harry_ [~harry@19.sub-174-252-49.myvzw.com] has quit [Ping timeout: 255 seconds]
03:03 -!- mape2k [~jabber@galatea.net.pennewiss.de] has joined #openvpn
03:13 -!- krzee [~k@openvpn/community/support/krzee] has quit [Ping timeout: 260 seconds]
03:13 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has quit [Excess Flood]
03:14 -!- hyper_ch [~hyper_ch@ks357331.kimsufi.com] has joined #openvpn
03:20 <@vpnHelper> RSS Update - forum: [Solved] Problem when connecting Samba <http://forums.openvpn.net/topic7433.html#p8840>
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 240 seconds]
03:49 -!- master_of_master [~master_of@p57B5748B.dip.t-dialin.net] has quit [Ping timeout: 260 seconds]
03:50 -!- master_of_master [~master_of@p57B57E6B.dip.t-dialin.net] has joined #openvpn
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
04:10 -!- Visual` [~visualsta@unaffiliated/visualstation] has quit [Ping timeout: 260 seconds]
04:12 -!- Visual` [~visualsta@unaffiliated/visualstation] has joined #openvpn
04:21 < reiffert> http://www.youtube.com/watch?v=RzToNo7A-94
04:21 <@vpnHelper> Title: YouTube - Terry Tate Office Linebacker (at www.youtube.com)
04:29 -!- Ove_ [~Ove@2001:470:dd66:1::3] has joined #openvpn
04:29 < Ove_> !welcome
04:29 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:36 -!- rot13_ is now known as rot13
04:36 -!- rot13 [~var@vps-1005590-1468.united-hoster.de] has quit [Changing host]
04:36 -!- rot13 [~var@unaffiliated/rot13] has joined #openvpn
04:37 -!- common [~common@p5DDA475E.dip0.t-ipconnect.de] has quit [Ping timeout: 265 seconds]
04:38 -!- common [~common@p5DDA480A.dip0.t-ipconnect.de] has joined #openvpn
04:41 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
05:00 < Ove_> !route
05:00 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
05:01 < Ove_> !redirect
05:01 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
05:02 < Ove_> !/30
05:02 <@vpnHelper> "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
05:02 < Ove_> !topology
05:02 <@vpnHelper> "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
05:26 -!- luneff [~yury@84.51.195.188] has joined #openvpn
05:28 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 240 seconds]
05:34 < Ove_> http://openvpn.net/index.php/open-source/faq/79-client/255-qconnection-initiated-with-xxxxq-but-i-cannot-ping-the-server-through-the-vpn.html
05:34 < Ove_> I have that problem with my openbsd nat/gateway acting as a client.
05:35 < Ove_> Cant ping the ip I recieve from the tunnel provider from any other box but the gw box itself.
05:36 < Ove_> Having: pass in quick on tun0 inet proto {tcp,udp,icmp} from any to any flags S/SA keep state
05:36 < Ove_> and: pass out quick on tun0 inet proto {tcp,udp,icmp} from any to any flags S/SA keep state
05:37 < Ove_> Still doesnt seem to help.
05:37 < Ove_> (I am getting public ips over the tunnel if that matters)
05:40 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
05:45 -!- Pierre_ [~Cruality@62.66.195-77.rev.gaoland.net] has joined #openvpn
05:48 -!- Cruality [~Cruality@pyrus.feralhosting.com] has quit [Ping timeout: 240 seconds]
06:01 -!- LordDoskias [~nib9@unaffiliated/lorddoskias] has joined #openvpn
06:01 < LordDoskias> for the --route-gateway directive i should use the private ip of the vpn server as seen from the client side?
06:02 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
06:10 -!- harry_ [~harry@102.sub-174-252-50.myvzw.com] has joined #openvpn
06:10 < Pierre_> Someone can help me to configure OpenVPN on my Ubuntu dedicated server?
06:12 < harry_> http://openvpn.pastebin.ca/2031076
06:12 < hyper_ch> !tell Pierre_ [welcome]
06:13 < Pierre_> hyper_ch, i've try with the Howto, but in didn't succed
06:14 < Pierre_> then i'm looking for someone to install me OpenVPN =)
06:14 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving]
06:14 < hyper_ch> sudo apt-get install openvpn
06:15 < Pierre_> and for generate some keys?
06:16 < hyper_ch> check the easy-rsa part in the howto
06:16 < Pierre_> !howto
06:16 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:17 < LordDoskias> grrrr, i locked myself out of the vpn server ;\\\\\\\\
06:17 < hyper_ch> LordDoskias: congrats :)
06:17 < hyper_ch> now, do you auto-start the vpn server at bootup?
06:17 < hyper_ch> that question is irrelevant anyway
06:18 < LordDoskias> the thing i'm completely locked out of the machine because of some iptables rules ...
06:18 < Pierre_> hyper_ch i have to config smthing?
06:18 < LordDoskias> will have to chase the admin ....
06:18 < hyper_ch> LordDoskias: :(
06:18 < hyper_ch> Pierre_: yes, you have to config the server and client conf and generate the keys
06:18 < LordDoskias> hyper_ch:  basically i had this problem earlier - http://openvpn.pastebin.ca/2030886
06:18 < LordDoskias> and it occurs at random intervals 
06:18 -!- harry_ [~harry@102.sub-174-252-50.myvzw.com] has quit [Remote host closed the connection]
06:19 < Pierre_> I don't know how to config :x
06:19 < LordDoskias> i mean sometimes if the vpn drops the conneciton due to inactivity i get this error 
06:19 < LordDoskias> today i decided to try and fix it and add the directive on the server side route-gateway 10.10.11.1
06:19 < LordDoskias> this being the vpn ip of the server
06:19 -!- harry_ [~harry@102.sub-174-252-50.myvzw.com] has joined #openvpn
06:20 < LordDoskias> but i think the traffic has been black holed or something 
06:20 < hyper_ch> Pierre_: my notes for it (in german) http://www.simplylinux.ch/openvpn-einrichten
06:20 <@vpnHelper> Title: Linux für alle » OpenVPN einrichten (at www.simplylinux.ch)
06:21 < Pierre_> I'm french :(
06:22 < Bushmills> LordDoskias: suggestion next time you change rules:  set policy to ACCEPT, add ssh rule early, set policy to DROP or DENY only at end of proper loading of rules
06:22 < hyper_ch> Pierre_: so?
06:22 < Pierre_> this is a good guide ? https://help.ubuntu.com/10.10/serverguide/C/openvpn.html
06:22 <@vpnHelper> Title: OpenVPN (at help.ubuntu.com)
06:22 < Pierre_> I don't understand german :p
06:22 < LordDoskias> Bushmills:  the thing is i'm not administering the hw box 
06:22 < LordDoskias> just the vps 
06:22 < harry_> Pierre_:  google translate
06:22 < Bushmills> though you may have figured that out by now yourself already :)
06:22 < LordDoskias> and the admin is paranoid becuase of some recent hack attempts ..
06:22 < LordDoskias> i would at least add an exception to my ip 
06:23 < LordDoskias> so i won't need the vpn to connect to ssh in the first place
06:23 < Bushmills> Pierre_: are we supposed to read that guide, for telling you whether it is any good?
06:23 < LordDoskias> i think i black holed the traffic or completely fucked up the routing table of the server
06:23 < LordDoskias> ;\
06:23 < Bushmills> !howto
06:24 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:25 < LordDoskias> i can't find a sensible explanation of the route related directives
06:26 < Bushmills> man route
06:26 < LordDoskias> for the vpn itself
06:26 < LordDoskias> not the route command :) 
06:26 < Bushmills> man openvpn
06:26 < LordDoskias> i read it 
06:27 < LordDoskias> --route-gateway gw Specify a default gateway gw for use with --route. 
06:27 < LordDoskias> i understand this as the "the ip of the gw of the pushed routes will be that of the route-gateway directive"
06:27 < Bushmills> --route   ... [gateway]   (optional)
06:27 < LordDoskias> correct?
06:27 < LordDoskias> http://openvpn.pastebin.ca/2030886
06:27 < Bushmills> --route-gateway gw Specify a default gateway gw for use with --route. 
06:27 < LordDoskias> look what it was giving me yesterday 
06:28 < LordDoskias> that i don't have gw set up 
06:28 < LordDoskias> today i set it up and it is not working o_O 
06:28 < harry_> http://openvpn.pastebin.ca/2031076
06:28 < Bushmills> does your setup require passing any other gateway at all?
06:28 < LordDoskias> no
06:28 < LordDoskias> just that of the vpn server 
06:29 < Bushmills> so why would you use  --route-gateway ?
06:29 < LordDoskias> because that's what is said in the log file
06:29 < LordDoskias> when i couldn't connect yesterday 
06:30 < Bushmills> have you tried without --route-gateway?  and possibly simplified your --route parameters?
06:31 < LordDoskias> well without route-gateway it was working 
06:31 < LordDoskias> but then again if the vpn drops the connection
06:32 < LordDoskias> there is some time period during which i can't connect 
06:32 < LordDoskias> and the log file i showed is during that time, but then again after some time somethign happens and i can connect to the vpn again 
06:33 < Bushmills> so you thought "that problem can surely be solved if i add  --.route-gateway to my config" 
06:33 < LordDoskias> drop the surely 
06:33 < LordDoskias> but yeah 
06:33 < LordDoskias> :) 
06:33 < Bushmills> but it didn't help ...
06:33 < LordDoskias> yeah 
06:34 < LordDoskias> now i'm thinking about the ifconfig directive
06:34 < LordDoskias> i don't have such on my client, but it takes an ip address from the vpn server 
06:34 < LordDoskias> so it's not that as well i guess
06:35 < Bushmills> when connection dropped, as long as it hasn't been reestablished, the openvpn added routes do nothing - as they have been removed from your client routing table
06:35 < LordDoskias> hmz
06:35 < Bushmills> those routes are relevant once a client is connected 
06:35 < LordDoskias> you are right 
06:36 < LordDoskias> actually connection drop is not the right term 
06:36 < LordDoskias> becuase it is more of a conneciton hang 
06:36 < Bushmills> but your problem seems to revolve around client *not* being connected
06:37 < LordDoskias> right now i cannot connect to the vpn 
06:37 < Bushmills> because of firewall, you said?
06:37 < LordDoskias> i just killed the connection from the client side and now i can't conenct
06:37 < LordDoskias> no
06:37 < LordDoskias> ssh being unreachable is due to firewall 
06:37 < LordDoskias> i'm gonna paste a fresh log 
06:38 < LordDoskias> http://openvpn.pastebin.ca/2031377
06:38 < LordDoskias> check this
06:39 < LordDoskias> Tue Dec 28 12:37:55 2010 us=839000 TLS Error: Unroutable control packet received from 87.120.131.41:1194 (si=3 op=P_CONTROL_V1)
06:39 <@vpnHelper> RSS Update - pastebin: lorddoskias <http://pastebin.ca/2031377>
06:39 -!- luneff [~yury@84.51.195.188] has joined #openvpn
06:39 < LordDoskias> Tue Dec 28 12:37:59 2010 us=380000 ERROR: --dev tun also requires --ifconfig
06:39 < LordDoskias> and then some OpenVPN Route messages
06:40 < Bushmills> what parameters do you specify with --route?
06:40 < LordDoskias> just a route and netmask
06:40 < LordDoskias> when it works 
06:40 < LordDoskias> it uses the ip of the vpn server as the gateway 
06:40 < LordDoskias> and everything works fine
06:41 < LordDoskias> but then again i have those times as now that i cannot connect to the vpn o_O and after some hours i will be able to conenct
06:41 < LordDoskias> as if some timer expires and i don't know 
06:43 -!- harry_ [~harry@102.sub-174-252-50.myvzw.com] has quit [Ping timeout: 250 seconds]
06:43 < LordDoskias> that's why i think the whole situation is pretty strange
06:44 < Bushmills> you read that you can specify a gateway on the --route line?  if you don't, a default is taken if specified with --route-gateway or --ifconfig, as alternative to specifying it with --route.   so why not specify gateway on --route instead, rather than adding --route-gateway or --ifconfig?  
06:44 < Bushmills> you're using peer to peer, not server-client?
06:45 < LordDoskias> erm, what do you mean using peer to peer 
06:45 < LordDoskias> i don't have the client-to-client directive enabled
06:46 < Bushmills> is your setup capable to run with multiple concurrent clients?
06:46 < LordDoskias> i'm not sure i have never used it that way - not my objective 
06:46 < LordDoskias> i just want to use the vpn as a sort of a proxy 
06:46 < Ove_> Anyone else having troubles getting openvpn running properly on OpenBSD? FreeBSD works fine for me though.
06:47 < LordDoskias> so i'll say that i'm using client-server 
06:47 < Bushmills> does your server config have something like "mode server" in it?
06:47 < Bushmills> and/or   server subnet netmask 
06:48 < LordDoskias> my set up looks more or less like that http://openvpn.pastebin.ca/2031382
06:49 < LordDoskias> yes, i have the server iprange mask directive
06:49 < LordDoskias> so the server pushes settings to the client
06:49 < Bushmills> there is a syntax error
06:50 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
06:50 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
06:50 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:50 <@vpnHelper> RSS Update - pastebin: lorddoskias <http://pastebin.ca/2031382>
06:50 < LordDoskias> where?
06:50 < Bushmills> on the line with route
06:51 < LordDoskias> it is push "route bla bla 255.255.255.255"
06:51 < LordDoskias> on the server 
06:51 < Bushmills> that's wrong too
06:52 < LordDoskias> why ?
06:52 < LordDoskias> it was working for most of the time ?
06:52 < Bushmills> it "bla bla" or "xxx.xxx.xxx.xxx" needs to be a subnet address
06:52 < Ove_> So no one has any experience running openvpn as client on an openbsd box?
06:52 < LordDoskias> nope
06:52 < LordDoskias> the destination comes first and then the subnet mask
06:53 < Bushmills> but "xxx.xxx.xxx.xxx" is not a legal address
06:53 < Bushmills> neither is "bla bla"
06:53 < LordDoskias> yes i know 
06:53 < Bushmills> there is your problem
06:53 < LordDoskias> no, jesus 
06:53 < LordDoskias> ;( 
06:53 < LordDoskias> i was giving examples 
06:53 < LordDoskias> on the real server i have like 15 lines with push "route some-ip-destination 255.255.255.0"
06:53 < Bushmills> oh, sorry. then use the example config
06:53 < LordDoskias> where some-ip-destination is the destination of the routes
06:54 < Bushmills> those are examples too
06:54 < LordDoskias> i would give you the real config if only i could ssh into the server :( 
06:54 < Bushmills> why? you have the network address just one line above, 10.10.10.0
06:54 < LordDoskias> i don't want the vpn to be my default route 
06:54 < LordDoskias> i just want specific routes to go through it 
06:55 < Bushmills> that's not for the default. that's for client to know how to route packets to openvpn interface to the other end
06:55 < Pierre_> !howyo
06:55 -!- harry_ [~harry@102.sub-174-252-50.myvzw.com] has joined #openvpn
06:55 < Pierre_> !howto
06:55 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:55 < LordDoskias> what is it that you are trying to state?
06:55 < Bushmills> if there's no route, it won't know how to reach other end, and probably requires an alternative route, needing a gateway 
06:56 < Bushmills> and that's your problem
06:56 < LordDoskias> so you think i need to add more routes pointing to the vpn, etc?
06:56 < LordDoskias> but there area couple of routes added autmatically (without them being written anywhere in the conf files) 
06:57 < Bushmills> no. i think you need to replace your "bla bla" or "xxx.xxx.xxx.xxx" against the openvpn subnet address
06:57 < LordDoskias> for example 10.10.11.x is reachable via 10.10.11.6 (this is my local tap interface's ip ) 
06:57 < Bushmills> even if those are "examples" they are still not valid destinations
06:58 < LordDoskias> which ones?
06:58 < Bushmills> route 10.10.10.0 255.255.255.0
06:58 < Bushmills> ehm... 10.10.11.0 is your, not 10.10.10.0
06:58 < LordDoskias> yeah 
06:58 < Bushmills> eh?   server 10.10.10.0 255.255.255.0
06:58 < Bushmills> from your config
06:59 < LordDoskias> i wrote an article for setting up openvpn some years ago and i know i based my current setup on it 
06:59 < LordDoskias> and since i can't get the actual config i'm using the config from my article 
06:59 < Bushmills> well, maybe 10.10.11.0 is "example" too now, but i don't know then what it refers to
06:59 < LordDoskias> the point is that 10.10.11.0 is the subnet of my vpn 
06:59 < LordDoskias> so it is valid 
06:59 < LordDoskias> my vpn server has ip 10.10.11.1 and then my client has 10.10.11.6 (on the tap interface) 
07:00 < Bushmills> then this line   server 10.10.10.0 255.255.255.0  is wron
07:00 < LordDoskias> and then i have a copule of routes which are routed through 10.10.11.1 
07:00 < Bushmills> wrong
07:00 < LordDoskias> but it has been working for months 
07:00 < LordDoskias> apart from those problem periods i told you about
07:00 < LordDoskias> why is it wrong?
07:01 < Bushmills> "my vpn server has ip 10.10.11.1"
07:01 < LordDoskias> it get's it automatically 
07:01 < Bushmills> while config says "server 10.10.10.0 255.255.255.0"
07:01 < LordDoskias> i don't set ips manually anywhere 
07:01 < LordDoskias> the actual config is server 10.10.11.0 
07:02 -!- m4rvin [~m4rvin@unaffiliated/m4rvin] has joined #openvpn
07:02 < Bushmills> sorry, i find your "example" config then too confusing, if your real config differs from it in relevant places
07:02 < LordDoskias> okay wait 
07:02 < LordDoskias> gonna rewrite it as far as i can remember it 
07:02 < Bushmills> use one of the openvpn example configs then
07:04 < LordDoskias> http://openvpn.pastebin.ca/2031387
07:04 < LordDoskias> that's it with the appropriate ips and the appropriate push directives
07:04 < LordDoskias> i just don't remember all destination routes
07:04 < LordDoskias> the point is 
07:05 < LordDoskias> i find it confusing why the vpn works, then when i kill the connection it doesn't work for a period of time
07:05 < LordDoskias> as if something hangs somewhere 
07:05 < LordDoskias> ...
07:05 < Bushmills> drop all those pushed routes for now.  put a single   route vpnnet 255.255.255.0  in instead.
07:05 < Bushmills> once you can connect, add those pushed routes as needed
07:06 < LordDoskias> the routes regarding the vpn are added automatically 
07:06 <@vpnHelper> RSS Update - pastebin: lorddoskias <http://pastebin.ca/2031387>
07:06 < m4rvin> hi, I've setup the simple tun example. the server is on an external box with masquerading. the connections are NATed, and i see on tun0 (10.8.0.1) on the server side the answers from the public IPs to my client ip (10.8.0.2). but on tun0 on the client i don't see the answers. any hints for debugging? :)
07:06 < LordDoskias> there is no need to set them explicilty 
07:06 < Bushmills> ok. then don't. that was my suggestion to solve your problem.
07:07 < LordDoskias> if this was the problem the vpn would have not worked ever, right?
07:08 < Bushmills> from what i understand, you modified the configuration
07:12 < LordDoskias> when the vpn is accessible magically after some hours i will post the verb 5 log form the server 
07:12 < LordDoskias> and the conf file
07:12 < m4rvin> short tcpdump snippet: http://nopaste.info/4c33785ffc.html
07:12 < LordDoskias> but i'm skeptic about the whole issue
07:13 < LordDoskias> m4rvin: why dont you post some conf files, etc
07:13 -!- harry_1 [~harry@6.sub-174-252-53.myvzw.com] has joined #openvpn
07:14 < m4rvin> LordDoskias: http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html, + lzo enabled :)
07:14 <@vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
07:15 -!- harry_ [~harry@102.sub-174-252-50.myvzw.com] has quit [Ping timeout: 250 seconds]
07:15 < m4rvin> OpenVPN 2.1.1 (Fedora 14 on both sides)
07:22 -!- harry_1 [~harry@6.sub-174-252-53.myvzw.com] has quit [Ping timeout: 276 seconds]
07:24 -!- harry_ [~harry@239.sub-174-252-41.myvzw.com] has joined #openvpn
07:27 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Remote host closed the connection]
07:28 < LordDoskias> Bushmills:  you still here?
07:28 < Bushmills> partially
07:29 < LordDoskias> got a full ssh wihtout the vpn now 
07:29 < m4rvin> LordDoskias: what informations do you need?
07:29 -!- noisebleed [~quassel@kermit.inescn.pt] has joined #openvpn
07:29 -!- noisebleed [~quassel@kermit.inescn.pt] has quit [Changing host]
07:29 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
07:30 < LordDoskias> Bushmills: http://openvpn.pastebin.ca/2031400
07:30 < LordDoskias> here is the actual config file 
07:30 < Pierre_> On the server conf files, i'have to change what?
07:30 < LordDoskias> m4rvin: well the actual config file without a ton of useless comments would be fine
07:31 < LordDoskias> both for a client and for the server 
07:31 < LordDoskias> Bushmills:  but now everything is working :( 
07:31 < LordDoskias> anyway, next time things go south i will have the necessary facilities to debug it or at least give more meaningful info 
07:32 < LordDoskias> sorry if i was being annoying...
07:34 < Pierre_> Je me laisse pas invincu, je retente openVPN :D
07:34 <@vpnHelper> RSS Update - pastebin: lorddoskias <http://pastebin.ca/2031400>
07:34 -!- dschuett [~dschuett@216.229.21.250] has joined #openvpn
07:34 < Bushmills> make sure that you have a route 10.10.11.0 ...... tun0 
07:34 < Bushmills> om server, that is
07:35 < m4rvin> LordDoskias: http://openvpn.pastebin.ca/2031403 -- client is controlled with network manager
07:36 < LordDoskias> right
07:36 < Bushmills> yes, you should have   --server should set it
07:37 < LordDoskias>  10.10.11.1  255.255.255.255       10.10.11.5       10.10.11.6
07:37 < LordDoskias>  10.10.11.4  255.255.255.252         On-link        10.10.11.6
07:37 < LordDoskias>  10.10.11.6  255.255.255.255         On-link        10.10.11.6
07:37 < LordDoskias>  10.10.11.7  255.255.255.255         On-link        10.10.11.6
07:37 < LordDoskias> those are set up automatically
07:37 < LordDoskias> on the server, wait
07:37 < Bushmills> should be set by --server macro unless topology is subnet which it isn't in your case
07:38 < LordDoskias> 10.10.11.2      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
07:38 < LordDoskias> 10.10.11.0      10.10.11.2      255.255.255.248 UG    0      0        0 tun0
07:38 < LordDoskias> yes, it is 
07:38 < LordDoskias> the problem apparently is not in the routes, something else is happening
07:38 < dschuett> LordDoskias: may I ask what problem you are having? - I just set my first openvpn up yesterday
07:39 < dschuett> All is working well now!
07:39 < LordDoskias> dschuett: sometimes when the connection is either dropped or disconnected i can't connect to the vpn for an abritrary amount of time 
07:39 <@vpnHelper> RSS Update - pastebin: Miscellany <http://pastebin.ca/2031403>
07:39 < LordDoskias> and after some hours it works without any external influence
07:39 < Bushmills> that netmask 255.255.255.248 is odd with your 10.10.11.0 route
07:40 < LordDoskias> Bushmills:  i don't want a whole range of ip address
07:40 < Bushmills> suggests that if your client is not < 10.10.11.8, return packets won't reach it.
07:40 < dschuett> LordDoskias: get anything weird in your client log?
07:40 < LordDoskias> my client is 11.6
07:41 < Bushmills> and when you reconnect?
07:41 < Bushmills> thinking of your problem of not being able to talk to server then
07:41 < LordDoskias> dschuett: http://openvpn.pastebin.ca/2031377 that (when ther eis a problem)
07:41 < LordDoskias> currently everything is workign
07:42 < LordDoskias> Bushmills:  you might be right 
07:42 < LordDoskias> holy fuck 
07:42 < LordDoskias> if the connection hangs
07:42 < LordDoskias> and the server don't disconnect the client each time i try to connect again i might be getting a wrong ip o_O
07:43 < Pierre_> I've a problem. I've conf my openvpn server. When i'm connecting "client1", i've the same ip as usualy, and not the server's ip! Why?
07:43 < LordDoskias> but then again, the server 10.10.11.0 255.255.255.248 will draw ip adresses from that subnet 
07:43 < Bushmills> ip may be "don't care about" - but your server route 10.10.11.0 netmask may be too narrow
07:43 < LordDoskias> so that won't relaly be the problem 
07:43 < Bushmills> set up client for static address
07:43 < Bushmills> !ccd
07:43 < LordDoskias> Bushmills:  it's the server's job to give me the appropriate address
07:43 <@vpnHelper> "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir <dir> to enable it, then put the config options for the client in <dir>/common-name
07:44 < LordDoskias> Bushmills: since i don't use certs i don't think i have a cn 
07:44 < Bushmills> ccd *is* server 
07:44  * hyper_ch likes ccds
07:45 < dschuett> LordDoskias: that is a HUGE log file for one connection attempt. - However, i do see a lot of Errors. What OS is your server and client?
07:45 < LordDoskias> i don't know what the common name is (if any) i'm using plain password auth 
07:45 < Bushmills> /C=BG/ST=Rousse/L=Rousse/O=LordDoskias/OU=Nikisof/CN=87.120.131.41
07:46 < LordDoskias> that's the server cert
07:46 < Bushmills> UDPv4 link remote: 87.120.131.41:1194 ...
07:47 < Bushmills> UDPv4 link local (bound): [undef]:1194
07:47 < LordDoskias> 87.120.131.41 is the server 
07:47 < LordDoskias> dschuett: i've set the verbose level to 5 
07:47 < LordDoskias> most of the stuff are just for information 
07:48 < LordDoskias> yeah, there is a directive username-as-common-name
07:49 < Bushmills> anyway, when client attempts to reconnect before server has detected disconnect, and your pool is too small, there'd be no alternative ip address available.
07:50 < LordDoskias> well as mask of 248 gives me 4 usable adresses 
07:50 < LordDoskias> 1 is for the server 
07:51 < LordDoskias> which leaves 3 addresses and given that i have only 1 client this is more than enough
07:54 < dschuett> LordDoskias: what are you trying to do with openvpn, are you you just wanting to connect to your openvpn server whenever you want from any client?
07:54 < dschuett> or is it going to be a permanent connection between two networks?
07:56 < LordDoskias> just to connect 
07:56 < LordDoskias> but currently the problem doesn't persist so i can't debug it 
07:57 < LordDoskias> but next time i'll be able to 
07:57 < LordDoskias> hopefully...
07:57 < dschuett> LordDoskias: what are you running openvpn server on? and what is your client?
07:58 -!- harry_ [~harry@239.sub-174-252-41.myvzw.com] has quit [Ping timeout: 240 seconds]
07:58 -!- luneff [~yury@84.51.195.188] has quit [Read error: Connection reset by peer]
07:58 <@vpnHelper> RSS Update - forum: [MOVED] windows client and ubuntu virtual machine server <http://forums.openvpn.net/topic7443.html#p8841>
07:59 < LordDoskias> serv debian, client win
07:59 < m4rvin> gnarf. pebkac as usual. key direction for the static was set only on one side. LordDoskias thx anyway. :)
07:59 -!- luneff [~yury@84.51.195.188] has joined #openvpn
08:00 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
08:00 -!- cron2 [~gert@openvpn/community/developer/cron2] has quit [Ping timeout: 255 seconds]
08:01 < dschuett> LordDoskias: what version of windows?
08:02 < LordDoskias> 7 64 bit 
08:02 < LordDoskias> i don't think you will be able to help me, though
08:02 -!- harry_ [~harry@239.sub-174-252-41.myvzw.com] has joined #openvpn
08:03 < dschuett> ok, I had a problem until adding these two lines the the bottom of my client.ovpn:
08:03 < dschuett> route-method exe
08:03 < dschuett> route-delay 2
08:03 < dschuett> however, I was able to connect, I just couldn't ping anything
08:03 < harry_> http://openvpn.pastebin.ca/2031076
08:04 <@vpnHelper> RSS Update - forum: TLS Blocked by provider, need to modify source code... <http://forums.openvpn.net/topic7439.html#p8842>
08:04 < LordDoskias> dschuett: it's not that
08:04 < LordDoskias> the thing is my vpn is working 
08:04 < LordDoskias> but under certain conditions it stops 
08:04 < LordDoskias> and then it starts working again o_O 
08:04 < m4rvin> LordDoskias: whats the time span between start-stop?
08:05 < dschuett> LordDoskias: ok, well here is the guide i used. IT worked the VERY first time (it is based on ubuntu 10.04, which is based on debian) http://library.linode.com/networking/openvpn/ubuntu-10.04-lucid
08:05 <@vpnHelper> Title: Deploy VPN Services with OpenVPN - Secure Communications with OpenVPN on Ubuntu 10.04 (Lucid) - Linode Library (at library.linode.com)
08:06 < LordDoskias> m4rvin: in order to work probably a couple of hours 
08:07 < m4rvin> LordDoskias: do you have open (eg time_wait) tcp sessions on the server side after that happens?
08:07 <@vpnHelper> RSS Update - pastebin: Someone <http://pastebin.ca/2027826>
08:08 < LordDoskias> m4rvin:  haven't checked, but that's a good pointer 
08:08 < LordDoskias> next time this happens will look at it 
08:08 < LordDoskias> netstat -ntlp
08:08 < LordDoskias> oops
08:08 < m4rvin> LordDoskias: lsof -nLi
08:09 < LordDoskias> actually i'm using udp 
08:09 <@vpnHelper> RSS Update - forum: Migrate from openvpn Gui v1.03 to openvpn2.x <http://forums.openvpn.net/topic7409.html#p8845> || TLS Blocked by provider, need to modify source code... <http://forums.openvpn.net/topic7439.html#p8844> || New user question <http://forums.openvpn.net/topic7422.html#p8843>
08:09 < m4rvin> LordDoskias: ok, never mind then ;)
08:13 -!- m4rvin [~m4rvin@unaffiliated/m4rvin] has quit [Quit: .]
08:13 -!- cron2 [~gert@kirk.greenie.muc.de] has joined #openvpn
08:15 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has joined #openvpn
08:15 <@vpnHelper> RSS Update - forum: Linux client stall at Initialization Sequence Completed <http://forums.openvpn.net/topic7403.html#p8846> || [SOLVED] Outside access issue when using OpenVPN <http://forums.openvpn.net/topic7388.html#p8759>
08:16 < Bushmills> LordDoskias: only that your topology is probably /30, which gives you space for server (4 addresses) and 1 client (4 addresses)
08:20 < harry_> any chance of someone looking at my pastebin and feeding me a couple of clues?
08:21 < gladiatr> sure, harry_
08:21 <@vpnHelper> RSS Update - forum: need access openvpn server my server by dns or icmp tunnel <http://forums.openvpn.net/topic7440.html#p8847>
08:23 < LordDoskias> 248 is /29 
08:23 < LordDoskias> which gives for 6 usable addresses 
08:23 < LordDoskias> 1 for server => 5 for clients
08:24 < Bushmills> didn't you say that your (one and only) client has ip address ending in 5 or 6 already?
08:25 < Bushmills> !net30
08:25 <@vpnHelper> "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
08:26 -!- EvilGuru [~freddie@warzone2100/developer/EvilGuru] has joined #openvpn
08:28 < EvilGuru> I've been playing around with OpenVPN between my laptop and my home network. Following the guide on the Shorewall site I've got a simple set-up working
08:29 < EvilGuru> In that I can VPN and the server can ping the client and vice-versa, however, things on my lan can not ping my vpn client and the client can not ping them. I have a push "route ...", what firewall settings should I be looking over to diagnose this?
08:29 < Bushmills> !route
08:29 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:29 -!- Phenox_ [~Bernd@88.215.198.24] has joined #openvpn
08:29 -!- Phenox_ [~Bernd@88.215.198.24] has quit [Quit: Leaving]
08:30 < gladiatr> (skimming causes herpes in laboratory animals...)
08:30 < krzie> lol
08:33 < LordDoskias> okay 
08:33 < LordDoskias> my vpn 
08:33 < LordDoskias> broke
08:35 < LordDoskias> [ECONNREFUSED]: Connection refused (code=111)
08:35 < LordDoskias> i get a lot of those 
08:35 < harry_> no takers?
08:35 < gladiatr> sure, harry_
08:35 < gladiatr> post away
08:36 < EvilGuru> My set-up seems somewhat simplier (only a single client, and only the server-side lan needs routing)
08:37 < Bushmills> !serverlan
08:37 <@vpnHelper> "serverlan" is (#1) for a lan behind a server, the server must have ip forwarding enabled (!ipforward), the server needs to push a route for its lan to clients, and the router of the lan the server is on needs a route added to it (!route_outside_openvpn), or (#2) see !route for a better explanation
08:38 < LordDoskias> Bushmills: i think it has something to do with client keep alive 
08:39 < Bushmills> ECONNREFUSED? doubtful
08:39 < EvilGuru> I am reasonably sure it is pushing a route outside, as systems on the lan (192.168.0.xx) can ping 192.168.1.2 (what I've assigned the server in OpenVPN) just not 192.168.1.1 (client in OpenVPN)
08:40 < Bushmills> EvilGuru: congratulations. now that everything is routed right, you have a working configuration
08:49 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
08:49 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
08:49 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
08:51 < Pierre_> I've a problem. I've install OpenVPN on my dedicated server. When i connect the client1, i've no internet connection. Have you an idea why?
08:51 <@vpnHelper> RSS Update - pastebin: Something <http://pastebin.ca/2027824>
08:53 < gladiatr> Pierre_, your connection comes back after you tell the openvpn client to disconnect?
08:53 < Pierre_> yes
08:54 < gladiatr> There's only one answer.  Jesus hates you.
08:54 < gladiatr> j/k
08:54 < gladiatr> Give us a client log on pastebin.ca and let's have a look
08:54 < gladiatr> also throw up your client.conf
08:54 < gladiatr> and the output of netstat -rn
08:55 < EvilGuru> Hmm, okay, the client's routing table once connected to the VPN does not show a 192.168.0.0 entry; but the server has a push "route 192.168.0.0 255.255.255.0" line in its configuration file
08:55 < EvilGuru> Is there a way to see if OpenVPN is trying to change/add an entry to the routing table?
08:55 < gladiatr> EvilGuru, yup.  Add a 'verb 4' to your client configuration
08:56 < EvilGuru> I have verb 5 in both, the server says it is going to push, but there is no mention in the client
08:56 < Pierre_> http://pastebin.ca/2031472  gladiatr
08:57 < gladiatr> Pierre_, thx
08:57 < gladiatr> EvilGuru, What does it show after the ifconfig line in your client log?
08:58 < gladiatr> Pierre_, pastebin the output of 'netstat -rn
08:59 < Pierre_> from my dedicated serveur?
08:59 < gladiatr> Pierre_, from your client after it is connected
08:59 < Pierre_> Ok
09:00 < Pierre_> http://pastebin.ca/2031476
09:00 < Pierre_> (on a mac)
09:01 < gladiatr> k
09:01 < Pierre_> Something wrong?
09:02 < gladiatr> give me a minute here...
09:04 < Pierre_> Ok. Take your time :)
09:07 -!- harry_ [~harry@239.sub-174-252-41.myvzw.com] has quit [Ping timeout: 240 seconds]
09:08 < gladiatr> harry must have me on his ignore list...
09:08 < Pierre_> :s
09:09 < Pierre_> then, you find the mistake?
09:09 < gladiatr> a few more minutes... I've got a work thing going here...
09:09 < Pierre_> alright :)
09:11 < gladiatr> Pierre_, out of curiosity, is there an active firewall on your mac?
09:12 < Pierre_> in don't know
09:12 < Pierre_> i
09:17 -!- LordDoskias [~nib9@unaffiliated/lorddoskias] has quit [Quit: Lost terminal]
09:17 -!- BasketCase [~kmk@asylum.sanitarium.net] has left #openvpn ["Client exiting"]
09:27 -!- renihs [~lemming@83-65-34-34.arsenal.xdsl-line.inode.at] has quit [Quit: narf]
09:34 < gladiatr> back in a bit
09:34 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has quit [Quit: Leaving]
09:46 -!- harry_ [~harry@74.sub-174-252-47.myvzw.com] has joined #openvpn
09:58 <@vpnHelper> RSS Update - forum: LAN to LAN issues <http://forums.openvpn.net/topic7446.html>
10:02 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
10:03 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
10:04 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has quit [Ping timeout: 272 seconds]
10:14 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Excess Flood]
10:14 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
10:14 -!- LowKey [rhel@unaffiliated/lowkey] has joined #openvpn
10:17 -!- gladiatr [~gladiatr@madeline.boneyard.lawrence.ks.us] has joined #openvpn
10:21 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Quit: http://quassel-irc.org - Converse confortavelmente. Em qualquer lugar.]
10:22 -!- harry_ [~harry@74.sub-174-252-47.myvzw.com] has quit [Ping timeout: 276 seconds]
10:24 -!- noisebleed [~quassel@piggy.inescn.pt] has joined #openvpn
10:24 -!- noisebleed [~quassel@piggy.inescn.pt] has quit [Changing host]
10:24 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
10:25 -!- s7r [~s7r@72.20.18.215] has joined #openvpn
10:28 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Remote host closed the connection]
10:30 -!- noisebleed [~quassel@piggy.inescn.pt] has joined #openvpn
10:30 -!- noisebleed [~quassel@piggy.inescn.pt] has quit [Changing host]
10:30 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
10:30 -!- mape2k [~jabber@galatea.net.pennewiss.de] has left #openvpn []
10:31 -!- s7r [~s7r@72.20.18.215] has left #openvpn []
10:32 -!- cpf_ [~cpf@94-226-0-20.access.telenet.be] has joined #openvpn
10:36 < cpf_> Hi all, I've got an openvpn key that I know works (since I use it on my laptop), but doesn't work on another computer: http://paste.org/pastebin/view/26749
10:36 < cpf_> Only difference I can think about is that both my computer and the server are debian, and the other client is OpenSuse
10:45 -!- harry_ [~harry@56.sub-174-252-35.myvzw.com] has joined #openvpn
10:46 < gladiatr> you probably need to install the certificate authority cert(s) for the CA that generated the client certificate
10:49 < krzie> you said openvpn key
10:49 < krzie> do you mean for access-server, the pay version of openvpn that comes with a 10 license key?
10:49 < krzie> if so, type !AS and see #4
10:50 < krzie> happy holidays cpf_ 
10:50 < cpf_> krzie, I don't think I mean that, I use self-generated certificates and such (thanks btw!)
10:50 < gladiatr> evil...
10:50 < cpf_> You too :)
10:50 < cpf_> gladiatr, As for the certificate authority's certs -> It's in the client.conf (pasting...)
10:51 <@vpnHelper> RSS Update - forum: Routing & Load Balancing <http://forums.openvpn.net/topic7416.html#p8849>
10:51 < cpf_> http://paste.org/pastebin/view/26751
10:52 < gladiatr> Right.  So, the ca.crt key is in place?
10:57 < Bushmills> Pierre_: have you configured your machine on which openvpn server runs for masquerading?
10:58 < Pierre_> i don't know :D
10:58 < Bushmills> then either do that, or remove the redirect-gateway line from your configs 
10:58 < gladiatr> Bushmills, the script he found set up nat rules for the vpn network, but evidently, whoever put the script together was using some sort of vm environment... had -o venet0 rather than -o eth0 :P
11:01 < Bushmills> he has a 0.0.0.0/1 and 128.0.0.0/1 routes, which are commonly added by redirect-gateway def1.   
11:02 < Bushmills> if those are added by other means, it would have to be addressed there. 
11:02 < Bushmills> or the server needs masquerading to internet
11:07 < cpf_> gladiatr, Yeah, ca.crt is in place, and readable by the software (currently actually a bit too lax)
11:13 < gladiatr> hrm.  That's... kind of annoying.  My CA is multi-tiered so I don't run into that particular error. :\
11:13 < gladiatr> and it works on your other client, huh?
11:14 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Read error: Connection reset by peer]
11:17 -!- max [max@denial.ru] has joined #openvpn
11:29 -!- WinstonSmith [~true@e179015080.adsl.alicedsl.de] has joined #openvpn
11:35 -!- Pierre_ [~Cruality@62.66.195-77.rev.gaoland.net] has quit [Ping timeout: 240 seconds]
11:36 -!- Cruality [~Cruality@ks33992.kimsufi.com] has joined #openvpn
11:39 < krzie> cpf_, 
11:39 < krzie> !certverify
11:39 <@vpnHelper> "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile <ca.crt> <client.crt>` for client.crt and server.crt
11:39 < krzie> and be sure to run md5 or sha1 checksums on the ca.crt on both sides
11:51 -!- max [max@denial.ru] has left #openvpn ["Leaving"]
11:55 < cpf_> krzie, I'll do in a sec, thanks already
11:57 -!- diphthong [~diphthong@69.172.135.243] has joined #openvpn
11:57 -!- wolfric [~wolfric@pdpc/supporter/student/wolfric] has joined #openvpn
11:59 -!- Cruality [~Cruality@ks33992.kimsufi.com] has quit [Ping timeout: 276 seconds]
12:00 -!- Cruality [~Cruality@62.66.195-77.rev.gaoland.net] has joined #openvpn
12:06 < krzie> np
12:07 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
12:10 < cpf_> Ok, got to go eat now, but the weirdness: Server (openssl v0.9.8g 19 oct 2007) doing verify: failed, client pc A (working) (openssl v0.9.8o 01 Jun 2010) verify: OK, client pc B (openssl v1.0.0 29 Mar 2010) verify: Failed
12:10 < cpf_> All files' md5sum checks out.
12:11 < cpf_> Anyhow, brb, going to eat.
12:12 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Read error: Connection reset by peer]
12:18 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
12:18 <@vpnHelper> RSS Update - forum: Routing & Load Balancing <http://forums.openvpn.net/topic7416.html#p8850>
12:19 -!- EvilGuru [~freddie@warzone2100/developer/EvilGuru] has left #openvpn []
12:20 < cpf_> So, I'm back, is there a reason why cert verify failes even on the server (While still perfectly able to connect with PC A)
12:21 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving]
12:34 < harry_> could I get some help with this: http://openvpn.pastebin.ca/2031076
12:34 -!- Cruality [~Cruality@62.66.195-77.rev.gaoland.net] has quit [Read error: No route to host]
12:35 -!- Cruality [~Cruality@62.66.195-77.rev.gaoland.net] has joined #openvpn
12:36 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Read error: Connection reset by peer]
12:36 -!- ChocoCooks2 [~daniell@vps6794.xlshosting.net] has joined #openvpn
12:38 -!- ChocoCooks2 [~daniell@vps6794.xlshosting.net] has quit [Read error: Connection reset by peer]
12:39 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
12:56 -!- ChocoCooks2 [~daniell@vps6794.xlshosting.net] has joined #openvpn
12:56 -!- ChocoCooks2 [~daniell@vps6794.xlshosting.net] has quit [Client Quit]
12:56 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Read error: Connection reset by peer]
12:57 -!- Cruality [~Cruality@62.66.195-77.rev.gaoland.net] has quit [Remote host closed the connection]
12:57 -!- Cruality [~Cruality@62.66.195-77.rev.gaoland.net] has joined #openvpn
12:58 -!- Cruality [~Cruality@62.66.195-77.rev.gaoland.net] has quit [Remote host closed the connection]
13:00 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
13:03 -!- WinstonSmith [~true@e179015080.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
13:21 -!- luneff [~yury@84.51.192.1] has joined #openvpn
13:44 -!- dschuett [~dschuett@216.229.21.250] has left #openvpn []
13:49 -!- luneff [~yury@84.51.192.1] has quit [Read error: Connection reset by peer]
13:49 -!- luneff [~yury@84.51.192.1] has joined #openvpn
13:51 -!- luneff [~yury@84.51.192.1] has quit [Read error: Connection reset by peer]
13:56 < harry_> !welcome
13:56 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
13:57 < harry_> !goal
13:57 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
13:58 < harry_> !logs
13:58 <@vpnHelper> "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 5, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard., or (#3) see !pb for our preferred pastebin
13:58 < harry_> !interface
13:58 <@vpnHelper> "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
14:01 < harry_> !forum
14:01 <@vpnHelper> Routing & Load Balancing || LAN to LAN issues || need access openvpn server my server by dns or icmp tunnel || Linux client stall at Initialization Sequence Completed || Migrate from openvpn Gui v1.03 to openvpn2.x || TLS Blocked by provider, need to modify source code... || New user question || [MOVED] windows client and ubuntu virtual machine server || [Solved] Problem when connecting
14:01 <@vpnHelper> Samba || VPN coder wanted || HELP || Need Help with Config || [SPLIT] Unable to access servers on vpn network. || OpenVPN connection speed || Static Key Setup & Routing || [MOVED] Client pings server but server cant ping Client. || Openvpn on a public gateway. || error read UDPv4: Connection reset by peer (WSAECONNRESET) ( || TAP driver on Windows x64 || Is it possible to update
14:01 <@vpnHelper> sqlite to add users || max-clients || Full cone NAT on OpenVPN? || [Solved ]VPN server won't start || TLS Blocked by provider, need to modify source code... || logout - dead link || submitting bug reports || [SOLVED] Advice / Help with openVPN || OpenVPN client for the iPhone and iPad || need help setting up my OpenVPN config using a web proxy || OpenVPN, WLan, Replay Window Backtrack (4 more messages)
14:01 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
14:02 < |Mike|> wtf?
14:02 < |Mike|> ecrist: fix ^
14:04 < ecrist> !learn forum as Our official forum can be found at http://forums.openvpn.net
14:04 <@vpnHelper> Joo got it.
14:04 < ecrist> !forum
14:04 <@vpnHelper> Routing & Load Balancing || LAN to LAN issues || need access openvpn server my server by dns or icmp tunnel || Linux client stall at Initialization Sequence Completed || Migrate from openvpn Gui v1.03 to openvpn2.x || TLS Blocked by provider, need to modify source code... || New user question || [MOVED] windows client and ubuntu virtual machine server || [Solved] Problem when connecting
14:04 <@vpnHelper> Samba || VPN coder wanted || HELP || Need Help with Config || [SPLIT] Unable to access servers on vpn network. || OpenVPN connection speed || Static Key Setup & Routing || [MOVED] Client pings server but server cant ping Client. || Openvpn on a public gateway. || error read UDPv4: Connection reset by peer (WSAECONNRESET) ( || TAP driver on Windows x64 || Is it possible to update
14:04 <@vpnHelper> sqlite to add users || max-clients || Full cone NAT on OpenVPN? || [Solved ]VPN server won't start || TLS Blocked by provider, need to modify source code... || logout - dead link || submitting bug reports || [SOLVED] Advice / Help with openVPN || OpenVPN client for the iPhone and iPad || need help setting up my OpenVPN config using a web proxy || OpenVPN, WLan, Replay Window Backtrack (4 more messages)
14:04 < ecrist> fun
14:04 < ecrist> looks like I need to set an ordering to commands.
14:05 < ecrist> remind me later, Mike
14:05 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn
14:05 -!- harry_ [~harry@56.sub-174-252-35.myvzw.com] has quit [Ping timeout: 240 seconds]
14:05 < |Mike|> ok.
14:11 <@vpnHelper> RSS Update - forum: Linux client stall at Initialization Sequence Completed <http://forums.openvpn.net/topic7403.html#p8851>
14:17 <@vpnHelper> RSS Update - forum: [SOLVED] Routing & Load Balancing <http://forums.openvpn.net/topic7416.html#p8850>
14:17 -!- ss0 [~shotgun@cpe-72-190-122-22.tx.res.rr.com] has left #openvpn []
14:37 -!- nijotz [~nick@72.14.181.106] has quit [Quit: ram upgrade]
14:38 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:41 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
14:47 -!- nijotz_ [~nick@72.14.181.106] has joined #openvpn
14:48 -!- nijotz_ is now known as nijotz
14:51 -!- nijotz [~nick@72.14.181.106] has quit [Client Quit]
14:52 -!- nijotz_ [~nick@72.14.181.106] has joined #openvpn
14:54 -!- nijotz_ is now known as nijotz
14:59 <@vpnHelper> RSS Update - forum: [MOVED] windows client and ubuntu virtual machine server <http://forums.openvpn.net/topic7443.html#p8852>
15:23 -!- nijotz [~nick@72.14.181.106] has quit [Quit: migrating to west coast!! :)]
15:34 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
15:58 -!- lupine_85 [~lupine_85@unaffiliated/lupine-85/x-7392152] has quit [Ping timeout: 276 seconds]
15:59 <@vpnHelper> RSS Update - forum: TAP driver on Windows x64 <http://forums.openvpn.net/topic7441.html#p8854> || Can I clone my strongVPN open connection to 2nd ethernet? <http://forums.openvpn.net/topic7447.html>
16:06 -!- nijotz [~nick@li230-4.members.linode.com] has joined #openvpn
16:16 -!- cron2 [~gert@kirk.greenie.muc.de] has quit [Changing host]
16:16 -!- cron2 [~gert@openvpn/community/developer/cron2] has joined #openvpn
16:23 <@vpnHelper> RSS Update - forum: [MOVED] windows client and ubuntu virtual machine server <http://forums.openvpn.net/topic7443.html#p8855>
16:24 -!- me345 [~me345@75.15.182.128] has joined #openvpn
16:30 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 240 seconds]
16:30 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
16:30 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
16:30 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
16:37 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
16:39 -!- Champi [Champi@damn.e-leet.be] has quit [Quit: Quit]
16:39 -!- Champi [Champi@rootshell.fr] has joined #openvpn
16:44 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
16:46 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn
16:52 < dschuett> i have my opevpn server installed on my gateway of my network...behind my gateway is my 192.168.0.0/24 network. openvpn server is serving 10.8.0.0 network. Everything works FINE, but i'm just wondering HOW i am able to ping my LAN behind the openvpn server if i have NO push route options enabled?
16:53 -!- me345 [~me345@75.15.182.128] has quit [Read error: Connection reset by peer]
16:57 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
17:00 < krzie> you dont ever need to push anything
17:01 < krzie> the client can just put the command that would be pushed in its config
17:01 < krzie> !push
17:01 <@vpnHelper> "push" is usage: push <command> , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
17:01 -!- harry_ [~harry@56.sub-174-252-35.myvzw.com] has joined #openvpn
17:01 < krzie> note, you also need ip forwarding enabled in the kernel of the server machine
17:01 < krzie> so if it is linux:
17:01 < krzie> !linipforward
17:01 <@vpnHelper> "linipforward" is (#1) echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution, or (#2) chmod +x /etc/rc.d/rc.ip_forward for perm solution in slackware
17:03 < dschuett> krzie: no push in client.conf either
17:04 < krzie> you cant push in client.conf
17:04 < krzie> you would just put route 192.168.0.0 255.255.255.0 in client config
17:04 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has quit [Ping timeout: 272 seconds]
17:04 < dschuett> krzie: could either or these two lines be doing it in my client? route-method exe OR route-delay 2
17:04 < dschuett> krzie, that isn't in there either
17:11 < krzie> umm what!?
17:11 <@vpnHelper> RSS Update - forum: Installing TAP driver on Windows x64 fails [solved] <http://forums.openvpn.net/topic7441.html#p8856>
17:11 < krzie> those have nothing to do with your question
17:12 < krzie> you are talking about sharing a lan behind your server, not having an issue with a windows client adding routes
18:25 -!- MusicMan500 [~MusicMan5@98.125.151.108] has joined #openvpn
18:25 < MusicMan500> !welcome
18:25 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
18:26 < MusicMan500> !goal
18:26 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
18:27 < MusicMan500> I'm trying to get openvpn to open on win 7-64, it installs and the openvpn logo is in the tray, but double clicking it doesn't open anything and right clicking all that's there is proxy settings, about, and exit... I've tried tons of versions, done all the 64 bit suggestions of messing with vista compatibility and administrative rights, never seen it do anything else... any ideas?
18:27 < krzie> did you setup the configs / certs and all?
18:27 < MusicMan500> no... but shouldn't the gui still load?
18:28 < krzie> nope, its just a frontend for loading configs
18:28 < krzie> it doesnt do any config or anything
18:29 < MusicMan500> oh cool, it works now with my keys file in config, thanks!
18:30 < krzie> np
18:30 -!- MusicMan500 [~MusicMan5@98.125.151.108] has quit [Client Quit]
18:35 -!- WinstonSmith [~true@dslb-088-073-117-171.pools.arcor-ip.net] has joined #openvpn
18:45 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has quit [Ping timeout: 264 seconds]
18:45 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has joined #openvpn
18:50 < reiffert> krzie: maybe dschuett is just mising the "pull" which may come from "client".
18:55 < dschuett> reiffert: i got everything working besides one thing that i don't really like...
18:56 < dschuett> reiffert: http://pastebin.com/MMFZALjx
18:57 < dschuett> line 2 $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT   i don't really like having it THAT wide open... i want to change it to $IPT -A FORWARD -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT  but then internet breaks on my clients
19:01 -!- reggie [~reggie@luhy.skylan.sk] has quit [Ping timeout: 250 seconds]
19:06 < krzie> reiffert, he said he is not trying to push
19:06 < krzie> unless i misunderstood him
19:14 -!- dschuett1 [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn
19:15 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has quit [Ping timeout: 255 seconds]
19:24 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 250 seconds]
19:27 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
19:27 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
19:27 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Client Quit]
19:31 -!- p3rror [~mezgani@41.140.28.75] has joined #openvpn
19:56 -!- p3rror [~mezgani@41.140.28.75] has quit [Ping timeout: 240 seconds]
19:57 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
20:00 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
20:09 -!- p3rror [~mezgani@41.140.40.163] has joined #openvpn
20:23 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
20:27 -!- shn00k [~shnoon@cpe-68-174-148-185.nyc.res.rr.com] has joined #openvpn
20:29 -!- shnook [~shnoon@unaffiliated/shnook] has quit [Ping timeout: 240 seconds]
20:34 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
21:17 -!- WinstonSmith [~true@dslb-088-073-117-171.pools.arcor-ip.net] has quit [Ping timeout: 265 seconds]
21:24 <@vpnHelper> RSS Update - forum: IP address issue <http://forums.openvpn.net/topic7367.html#p8857>
21:30 -!- WinstonSmith [~true@g231217188.adsl.alicedsl.de] has joined #openvpn
21:30 <@vpnHelper> RSS Update - pastebin: Mine <http://pastebin.ca/2027820>
21:31 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has joined #openvpn
21:31 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has quit [Changing host]
21:31 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
21:44 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 240 seconds]
21:48 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
21:53 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
21:55 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
22:00 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
22:05 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
22:39 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
22:39 -!- dschuett1 [~dschuett@ip68-99-4-225.om.om.cox.net] has left #openvpn []
22:40 -!- wolfric [~wolfric@pdpc/supporter/student/wolfric] has left #openvpn []
22:44 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
23:33 -!- naquad [~naquad@174.142.224.219] has left #openvpn ["Ухожу я от вас"]
23:41 -!- Iron_Chef [~alloy@tropyx.com] has joined #openvpn
23:42 < Iron_Chef> hi, i can't get linux boxes to autostart, ubuntu and centos, i have /etc/openvpn/client.ovpn in place, but after boot it does not
23:42 < Iron_Chef> also set /etc/default/blahblah in ubuntu and that made no diff
23:42 < Iron_Chef> is there something that isn't documented here? i want to use package provided scripts if possible
23:50 < shn00k> iron
23:50 < shn00k> chkconfig openvpn on
23:50 < shn00k> on centOS
23:52 -!- cpf_ [~cpf@94-226-0-20.access.telenet.be] has quit [Ping timeout: 240 seconds]
23:52 < Iron_Chef> shn00k: it is
23:53 < Iron_Chef> still not connecting on reboot tho
23:53 < Iron_Chef> rcconf on ubuntu also set
23:53 < shn00k> did you check
23:53 < shn00k> /var/log/messages ?
23:53 < Iron_Chef> /etc/init.d/openvpn also doesn't start any connections on either
23:53 < shn00k> oh
23:53 < shn00k> when you do
23:53 < shn00k> service openvpn start
23:53 < shn00k> what does it say
23:53 < Iron_Chef> chkconfig --list openvpn
23:53 < Iron_Chef> openvpn        	0:off	1:off	2:off	3:on	4:on	5:on	6:off
23:54 < Iron_Chef> service openvpn start
23:54 < Iron_Chef> Starting openvpn:                                          [  OK  ]
23:54 < shn00k> what about
23:54 < shn00k> tail /var/log/messages
23:54 < Iron_Chef> no mention of openvpn there
23:54 < Iron_Chef> i've been tail -f it
23:55 < shn00k> weird man
23:55 < shn00k> what about the log file that you specified in conf?
23:55 < shn00k> ps aux|grep openvpn
23:55 < Iron_Chef> yeah i know - openvpn /etc/openvpn/client.ovpn starts it ok
23:56 < Iron_Chef> yep nothing on ps
23:56 < Iron_Chef> client.ovpn is set to all read, and /etc/openvpn is all x
23:57 < Iron_Chef> shn00k: that might be it, do i need to create /etc/openvpn.conf?
23:57 < shn00k> no
23:57 < Iron_Chef> hm
23:57 < shn00k> oh
23:57 < shn00k> i know
23:57 < shn00k> extension should be .conf
23:57 < shn00k> ovpn is for windows
23:57 < Iron_Chef> ah lol
23:58 < ecrist> the extension doesn't matter.
23:58 < Iron_Chef> hah that did it
23:58 < Iron_Chef> renamed it to client.conf
23:58 < shn00k> it matters cause it looks for all .conf files
23:58 < ecrist> .ovpn or .conf are acceptable in either case, though the windows GUI requires .ovpn to auto-recognize the config
23:58 < shn00k> by default
23:58 < Iron_Chef> awesome, thanks for that - was driving me nuts!
23:59 < Iron_Chef> yep worked on ubuntu too woohoo!
--- Day changed Wed Dec 29 2010
00:00 < Iron_Chef> seems linux needed them to be called conf
00:01 < ecrist> if you execute 'openvpn --config <file>' you can use whatever file name you want.
00:08 < shn00k> he wanted autostart
00:08 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Ping timeout: 240 seconds]
00:08 < ecrist> sounds like the startup script needs some tweaking
00:17 <@vpnHelper> RSS Update - forum: JonDo vs OpenVPN - They Claim To Be More Secure <http://forums.openvpn.net/topic7355.html#p8859> || OpenVPN 2.1 requires '--script-security 2' or higher... <http://forums.openvpn.net/topic7353.html#p8858>
00:29 <@vpnHelper> RSS Update - forum: OpenVPN 2.1 requires '--script-security 2' or higher... <http://forums.openvpn.net/topic7353.html#p8860>
00:33 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Excess Flood]
00:34 -!- LowKey [rhel@unaffiliated/lowkey] has joined #openvpn
00:44 -!- WinstonSmith [~true@g231217188.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
00:45 -!- WinstonSmith [~true@g231217188.adsl.alicedsl.de] has joined #openvpn
00:46 < reiffert> moin
00:50 -!- atan [~atan@unaffiliated/atan] has quit [Quit: null]
00:51 -!- cpf_ [~cpf@91.183.51.181] has joined #openvpn
01:02 -!- nijotz [~nick@li230-4.members.linode.com] has quit [Quit: nijotz]
01:12 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 260 seconds]
01:15 -!- WinstonSmith [~true@g231217188.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
01:15 -!- harry_ [~harry@56.sub-174-252-35.myvzw.com] has quit [Ping timeout: 250 seconds]
01:29 -!- WinstonSmith [~true@dslb-088-073-091-247.pools.arcor-ip.net] has joined #openvpn
01:29 -!- harry_ [~harry@23.sub-174-252-49.myvzw.com] has joined #openvpn
01:41 <@vpnHelper> RSS Update - forum: OpenVPN 2.1 requires '--script-security 2' or higher... <http://forums.openvpn.net/topic7353.html#p8861>
01:42 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
01:58 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has joined #openvpn
01:58 -!- simplechat [~simplecha@123-243-79-139.static.tpgi.com.au] has quit [Changing host]
01:58 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
02:02 -!- WinstonSmith [~true@dslb-088-073-091-247.pools.arcor-ip.net] has quit [Quit: Ex-Chat]
02:44 -!- [1]shnook [~shnoon@cpe-68-174-148-185.nyc.res.rr.com] has joined #openvpn
02:45 -!- shn00k [~shnoon@cpe-68-174-148-185.nyc.res.rr.com] has quit [Read error: Connection reset by peer]
02:47 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 255 seconds]
02:47 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has quit [Ping timeout: 255 seconds]
02:53 -!- Iron_Chef [~alloy@tropyx.com] has left #openvpn []
02:58 -!- mape2k [~jabber@galatea.net.pennewiss.de] has joined #openvpn
03:00 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
03:00 -!- sigius [~sigius@93-125-185-45.dsl.alice.nl] has joined #openvpn
03:01 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
03:11 -!- mape2k_2 [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has joined #openvpn
03:13 -!- mape2k_2 [~mape2k@2001:6f8:997:1000:221:86ff:fe98:93a2] has quit [Client Quit]
03:40 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 240 seconds]
03:49 -!- master_of_master [~master_of@p57B57E6B.dip.t-dialin.net] has quit [Ping timeout: 260 seconds]
03:51 -!- master_of_master [~master_of@p57B5640E.dip.t-dialin.net] has joined #openvpn
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
03:58 -!- harry_ [~harry@23.sub-174-252-49.myvzw.com] has quit [Ping timeout: 272 seconds]
04:00 -!- mape2k [~jabber@galatea.net.pennewiss.de] has left #openvpn []
04:00 -!- mape2k [~jabber@galatea.net.pennewiss.de] has joined #openvpn
04:04 -!- reggie [~reggie@luhy.skylan.sk] has joined #openvpn
04:06 -!- nextgens [~florent@freenet/developer/nextgens] has joined #openvpn
04:06 < nextgens> hi
04:06 < nextgens> !welcome
04:06 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:07 < nextgens> !iporder
04:07 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
04:07 < nextgens> !topology
04:07 <@vpnHelper> "topology" is (#1) is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions., or (#2) this results in clients getting addresses .2 .3 .4 .5 etc
04:08 < nextgens> !goal
04:08 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
04:08 < nextgens> !goal I would like to access the internet over my vpn
04:08 -!- ksk [~ksk@im.knubz.de] has quit [Quit: leaving]
04:08 -!- ksk [ksk@im.knubz.de] has joined #openvpn
04:10 < nextgens> is it possible to use certificates server side only (to do server authentication) and to use username/passwords to do client side authentication/authorization ?
04:11 < nextgens> I have an authentication backend (ldap/radius) and don't want to manage my own pki (with client certificates)
04:11 < nextgens> can I configure openvpn this way?
04:11 < Bushmills> internet over vpn:
04:12 < Bushmills> !redirect
04:12 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
04:12 < reiffert> nextgens: yes. There's an pam plugin. pam can be configured to auth against ldap.
04:12 < nextgens> great
04:13 < nextgens> is that kind of setup documented somewhere?
04:14 < Bushmills> !radius
04:14 < Bushmills> hm
04:19 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
04:20 < nextgens> okay, googleing it helped me to find what I was looking for
04:21 < nextgens> !client-cert-not-required
04:21 < nextgens> !man client-cert-not-required
04:21 -!- harry_ [~harry@220.sub-174-252-54.myvzw.com] has joined #openvpn
04:25 -!- reggie [~reggie@luhy.skylan.sk] has quit [Quit: Lost terminal]
04:35 -!- common [~common@p5DDA480A.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
04:39 -!- common [~common@p5DDA48CD.dip0.t-ipconnect.de] has joined #openvpn
04:57 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Ping timeout: 264 seconds]
05:11 < Ove_> I am having troubles with udp and openvpn on openbsd, any idea on how to resolve this problem?
05:22 < gladiatr> Ove_, my experiences with openbsd and udp is quite positive.  :)  What's the nature of your problem?
05:23 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
05:24 < Ove_> I am running openvpn on my openbsd gateway as client, but openvpn doesnt seem to respond to the packets sent from the tunnel server.
05:25 < Ove_> If I run it on a FreeBSD host behind that gateway/nat it works flawlessly.
05:25 < Ove_> Suspecting it might be my firewall rules, but I am passing out and in from the tunnelserver.
05:26 < Ove_> But really, I don't know where I am failing, been trying every rule I can think off, as well as alot of examples found on the Internetz, just to make sure. Still doesnt work.-
05:27 < gladiatr> hrm
05:28 < gladiatr> What are you seeing when you run tcpdump on your tun device?
05:29 < Ove_> I can see ssh connections for example, when I try from an host on the outside.
05:29 < Ove_> But I do not see a response.
05:29 < gladiatr> and just to be clear, you are connecting your openvpn gateway as a client to a remote network?
05:29 < Ove_> Yes
05:29 < gladiatr> k
05:30 < gladiatr> when you say 'on the outside', you mean from the other end of the tunnel, yes?
05:30 < gladiatr> also, is the tunnel device on your openbsd system tun0?
05:30 < Ove_> No, from a host on another isp.
05:30 < Ove_> I get public ips over the tunnel.
05:31 < gladiatr> @_o
05:31 < gladiatr> heh
05:31 < gladiatr> interesting
05:31 < gladiatr> sorry.  So the device on the openbsd system is tun0?
05:31 < Ove_> I bought a package from PRQ, which gives me 4 public ip adresses.
05:31 < Ove_> Yes, and dev-type is set to tap.
05:31 < gladiatr> ohhh
05:32 < gladiatr> and you said that this worked with using FreeBSD as a client?  You're configuring things for a bridge then?
05:32 < Ove_> Yes, it worked from a FreeBSD box, behind that exact same gateway.
05:32 < gladiatr> behind the gateway, though
05:32 < Ove_> It assigns a public ip to the tun0-interface and I can ssh into it.
05:33 < Ove_> Sorry tap0-interface on FreeBSD. :P
05:34 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn
05:34 < gladiatr> Not to put you off, but would you mind posting a message on http://forums.openvpn.net ?  I would need to spin up an openbsd vm to have a look at what's going on, and I would like to try to help
05:34 <@vpnHelper> Title: OpenVPN Support Forum OpenVPN Support Forum (at forums.openvpn.net)
05:39 < Ove_> I don't seem to be able to connect to that url.
05:39 < Ove_> Odd
05:40 < gladiatr> indeed
05:42 < gladiatr> that system is hosted down in Dallas, TX... very well connected (internet-wise) city.  Very strange.
05:42 < Ove_> I was able to reach it yesterday, searched the forums, without luck.
05:42 < gladiatr> Well, I'm taking my dogs out for their morning walk in a few minutes and then I'm heading to work.  If you want to hang around or come back later, I'll be on.
05:43 < gladiatr> Yeah.  Most openvpn installations seem to be using linux or windows
05:43 -!- nextgens [~florent@freenet/developer/nextgens] has left #openvpn []
05:44 < gladiatr> My BSD of choice is FreeBSD.  OpenBSD can be quirky/unique with its network stack, but it should still work 
05:45 < Ove_> Just removed all the rules, listening on pflog0 with tcpdump, no packets gets blocked or anything.
05:45 <@vpnHelper> RSS Update - forum: Need Help with Config <http://forums.openvpn.net/topic7418.html#p8862>
05:45 < gladiatr> Have you tried flushing your pf rules alltogether just for testing?
05:46 < Ove_> Flushing the states?
05:46 < gladiatr> the rules
05:47 < Ove_> All of them you mean?
05:47 < gladiatr> Yes.
05:47 < gladiatr> disabling pf all together
05:47 -!- linze [~linze@546B9DC8.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
05:48 < Ove_> Then I will not be able to reach the Internet from behind the firewall. :P
05:48 < Ove_> Ah well
05:48 < Ove_> I'll pfctl -d 
05:48 < Ove_> And drop my connections. :P
05:49 < gladiatr> Heh.  Yeah, but just for the time it takes to test your gateways vpn connection :)
05:51 < Ove_> Didnt seem to work
05:51 -!- Ove_ [~Ove@2001:470:dd66:1::3] has quit [Read error: Connection reset by peer]
05:57 -!- Ove_ [~Ove@what.thefuck.se] has joined #openvpn
05:57 < gladiatr> what's the word?
05:57 < Ove_> It didn't work
05:58 < gladiatr> Ok.  What version of OpenBSD are you running?
05:58 < Ove_> 4.6
05:58 < Ove_> Shouldn't matter what version I'm running though. :I
05:59 < gladiatr> righto.  I'll get the 4.6 iso downloading on one of my work machines and get a vm setup when I get in.  I'll be back online in about 3 hours or so
05:59 < Ove_> Cool
05:59 < Ove_> gladiatr: I'm appreciating the help, been busting my balls trying to get this to work.
05:59 < gladiatr> No problem.  :)  ttys
06:00 -!- gladiatr [~gladiatr@madeline.boneyard.lawrence.ks.us] has quit [Quit: [BX] We are BitchX of Borg. You will be assimilated. Using mIRC is futile.]
06:07 < harry_> could I get some help with this: http://openvpn.pastebin.ca/2031076
06:08 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
06:08 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
06:08 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
06:09 < Ove_> Does the openvpn-binary have a switch for showing what flags and switches it was compiled with?
06:10 -!- luneff [~yury@84.51.195.188] has joined #openvpn
06:13 -!- luneff [~yury@84.51.195.188] has quit [Read error: Connection reset by peer]
06:13 -!- luneff [~yury@84.51.195.188] has joined #openvpn
06:14 -!- cpm [~Chip@web-gw.xo.avitecture.net] has joined #openvpn
06:14 -!- cpm [~Chip@web-gw.xo.avitecture.net] has quit [Changing host]
06:14 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:20 <@vpnHelper> RSS Update - forum: Ineternet speed after the openvpn connection <http://forums.openvpn.net/topic7448.html>
06:21 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has quit [Ping timeout: 260 seconds]
06:32 < Ove_> The beta doesnt seem to work on OpenBSD 4.6. :I
06:32 -!- linze [~linze@546B9DC8.cm-12-4c.dynamic.ziggo.nl] has quit [Quit: tot kijk]
06:32 < Ove_> 2.2 wouldnt compile due missing symbols or something (I googled).
06:38 <@vpnHelper> RSS Update - pastebin: Mine <http://pastebin.ca/2027817>
06:48 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
06:50 -!- dschuett [~dschuett@216.229.21.250] has joined #openvpn
06:56 -!- s7r [~s7r@66.90.75.76] has joined #openvpn
07:01 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
07:03 -!- mape2k [~jabber@galatea.net.pennewiss.de] has left #openvpn []
07:16 -!- mape2k [~jabber@galatea.net.pennewiss.de] has joined #openvpn
07:25 -!- [1]shnook [~shnoon@cpe-68-174-148-185.nyc.res.rr.com] has quit [Read error: Connection reset by peer]
07:26 -!- shn00k [~shnoon@cpe-68-174-148-185.nyc.res.rr.com] has joined #openvpn
07:26 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Ping timeout: 264 seconds]
07:30 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
07:34 -!- renihs [~lemming@83-65-34-34.arsenal.xdsl-line.inode.at] has joined #openvpn
07:35 -!- hid3 [~tst@lan-78-157-71-116.vln.skynet.lt] has joined #openvpn
07:35 < hid3> Hello everyone. I'm thinking about a simple, slim and easy VPN solution. I'd like to make a USB flash which contains openvpn plus a certificate. So a user just inserts his stick, lauches openvpn and he's connected. Any ideas if that's possible? 
07:36 < hid3> I mean, pre-installed openvpn, or somthing like that...
07:36 < renihs> it requires tun/tap drivers
07:37 < hid3> So it must be installed each time on a different workstation then :(
07:37 < renihs> or the required drivers are on your target already
07:37 < renihs> for most linux it will work
07:37 < renihs> windows, dont think so
07:37 < hid3> well, linux - yeah
07:37 < hid3> not windows
07:37 < renihs> depends on the kernel of the target
07:38 < renihs> but should be doable on 90%
07:38 < renihs> assuming you have root access :)
07:38 < hid3> well..
07:38 < renihs> though even that is not really needed, depending on situation
07:38 < hid3> those end users 100% will be using this on windows
07:39 < renihs> well in that case, dunno, personally i doubt it but maybe i am wrong
07:39 < renihs> havent used openvpn alot on win yet
07:41 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
07:53 -!- mOo [moo@lighttpd/moo] has joined #openvpn
08:04 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
08:10 -!- noisebleed_ [~quassel@piggy.inescn.pt] has joined #openvpn
08:11 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Remote host closed the connection]
08:12 -!- s7r [~s7r@66.90.75.76] has quit [Ping timeout: 255 seconds]
08:14 -!- s7r [~s7r@66.90.75.104] has joined #openvpn
08:14 <@vpnHelper> RSS Update - forum: Openvpn desktop client works - Openvpn Connect doesn´t <http://forums.openvpn.net/topic7449.html>
08:14 -!- s7r is now known as Guest20039
08:17 < hid3> Any ideas about multicast routing via openvpn?
08:18 < hid3> Is that at least possible?
08:22 -!- p3rror [~mezgani@41.140.40.163] has quit [Ping timeout: 240 seconds]
08:23 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
08:26 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
08:26 -!- noisebleed_ [~quassel@piggy.inescn.pt] has quit [Remote host closed the connection]
08:28 < renihs> hid3, should work
08:29 < hid3> renihs: out of the box?
08:29 < hid3> I'm connected to my home LAN (via openvpn)
08:29 < hid3> and I can't get the multicast stream
08:29 < hid3> do I need any additional settings or ...?
08:29 < renihs> not out of the box, but i wouldnt know why it shouldnt work
08:29 < renihs> google is your friend :)
08:30 < renihs> never tried or done, this is my educated guess :)
08:36 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
08:36 -!- p3rror [~mezgani@41.140.40.243] has joined #openvpn
08:39 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Remote host closed the connection]
08:40 -!- cpf_ [~cpf@91.183.51.181] has quit [Ping timeout: 265 seconds]
08:41 -!- noisebleed [~quassel@kermit.inescn.pt] has joined #openvpn
08:41 -!- noisebleed [~quassel@kermit.inescn.pt] has quit [Changing host]
08:41 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
08:42 -!- Guest20039 [~s7r@66.90.75.104] has quit [Ping timeout: 250 seconds]
08:44 -!- Ove_ [~Ove@what.thefuck.se] has quit [Ping timeout: 272 seconds]
08:52 -!- cpf_ [~cpf@91.183.51.181] has joined #openvpn
08:54 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has quit [Read error: Operation timed out]
08:57 <@vpnHelper> RSS Update - forum: OpenVPN 2.1 requires '--script-security 2' or higher... <http://forums.openvpn.net/topic7353.html#p8865>
09:00 -!- Ove_ [~Ove@ua-85-227-16-134.cust.bredbandsbolaget.se] has joined #openvpn
09:01 -!- _sht [sht@2607:f0d0:2001:8b::50:1337] has quit [Ping timeout: 240 seconds]
09:02 -!- cpf_ [~cpf@91.183.51.181] has quit [Ping timeout: 260 seconds]
09:03 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 246 seconds]
09:03 -!- krzie [krzee@openvpn/community/support/krzee] has quit [Ping timeout: 260 seconds]
09:05 -!- noisebleed [~quassel@lula.inescn.pt] has joined #openvpn
09:05 -!- noisebleed [~quassel@lula.inescn.pt] has quit [Changing host]
09:05 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
09:10 -!- bauruine [~stefan@gprs49.swisscom-mobile.ch] has joined #openvpn
09:27 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 260 seconds]
09:29 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has joined #openvpn
09:34 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
09:34 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
09:34 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
09:36 -!- p3rror [~mezgani@41.140.40.243] has quit [Ping timeout: 240 seconds]
09:38 -!- bauruine [~stefan@gprs49.swisscom-mobile.ch] has quit [Ping timeout: 260 seconds]
09:40 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
09:40 < gladiatr> Ove_, you abuot?
09:40 < gladiatr> s/uo/ou
09:40 < Ove_> gladiatr: Yeah
09:40 < gladiatr> cool.  are you bridging or routing?
09:41 < Ove_> I'm kind of a newbie on this.
09:41 < Ove_> gladiatr: Can we speak in a /query ?
09:41 < gladiatr> sure
09:54 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
10:01 -!- kai_office [~kai@asa-2.fbp.ore.fiber.net] has joined #openvpn
10:01 < kai_office> !welcome
10:01 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:02 < kai_office> !/30
10:02 <@vpnHelper> "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology, or (#3) so by default, first client is .6, then .10 .14 .18 etc etc
10:02 -!- blackpenguin [~bp@unaffiliated/blackpenguin] has joined #openvpn
10:02 < kai_office> !goal
10:02 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:03 -!- p3rror [~mezgani@41.140.43.182] has joined #openvpn
10:05 -!- harry_ [~harry@220.sub-174-252-54.myvzw.com] has quit [Ping timeout: 240 seconds]
10:07 < kai_office> I would like determine if it it is possible to merge 3 or more private subnets to be into a single subnet. We already have 3 individually bridged openVPN networks, we simply want all 3 networks to be a single large LAN. Then I would like to understand how that will impact the client OpenVPN connections, like from my Laptop on the road.
10:08 < kai_office> I've come across the term 'point-to-multipoint', but documentation and how-to's are scarce.
10:08 < kai_office> !configs
10:08 <@vpnHelper> "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries, or (#3) see !pb for our preferred pastebin
10:10 < kai_office> One of the server configs: http://pastebin.com/bpJaecxL  and one of the client configs: http://pastebin.com/qpTU3xBS
10:11 < kai_office> !pb
10:11 <@vpnHelper> "pb" is Use our pastebin to post configs and logs at http://openvpn.pastebin.ca rather than posting to the channel.
10:12 < kai_office> Server is CentOS 5.5, openvpn-2.1.1-2.el5
10:13 < gladiatr> kai_office, so you want to have 3 networks appear to be on a contiguous lan?
10:13 < kai_office> gladiatr: Yes. OpenVPN is already running on all 3 routers
10:14 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
10:15 < kai_office> what I can find out point-to-multipoint makes it sound like its possible
10:15 < kai_office> err "find out about..."
10:16 < gladiatr> hm... well, the linux bridge module does support stp.  The way I'd do this is to set up a bridge between each network--otherwise your broadcasts are going to have to pass through the one server network which will congest things badly
10:16 < gladiatr> how is the upstream bandwidth at your various sites?
10:17 < gladiatr> also, is there any particular reason you're using tcp rather than udp for your vpn link?
10:17 < kai_office> 1) "setup a bridge" as in an OpenVPN bridge? Is that any different than making each of the 3 servers clients for the other 2?
10:18 < kai_office> 2) Upstream's above 100Kbs on each site
10:19 < kai_office> 3) Some little bug in the back of my brain that says "tcp is more stable" is all. I really don't have an educated reason.
10:19 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Excess Flood]
10:19 -!- LowKey [rhel@unaffiliated/lowkey] has joined #openvpn
10:19 -!- harry_ [~harry@220.sub-174-252-54.myvzw.com] has joined #openvpn
10:19 < gladiatr> I would run a server instance at each site (A, B and C) and then cross link them (A->B, A->C, B->A, B->C)
10:20 < gladiatr> In response to 2: your performance is going to royally suck
10:21 < gladiatr> 3: use udp.  It performs better.  The tcp ability exists for very specific situations where udp packets tend to get lost
10:21 < kai_office> gladiatr: right, each of the sites are already running a bridged OpenVPN server, so if I add a client connection, and then put the same ip blocks and broadcast networks, that's what you're saying, right?
10:22 < kai_office> Ya, I'm aware our uplinks aren't the fastest :)
10:23 < gladiatr> thinkin...
10:24 < kai_office> Also, if you would chew on how that would impact a 4th system "D", that is client-only. What would be the best thing for him? Would we want to put 3 client configs on D, D->A, D->B, D->C? 
10:25 -!- mape2k [~jabber@galatea.net.pennewiss.de] has left #openvpn []
10:26 < gladiatr> The thing that you'll want to do at each site is to have a bridge device that ties your tap adapters together.  This will unify your broadcast domain (your lan) and also allow the stp capabilities of the bridge module to prevent broadcast storms
10:26 < gladiatr> Does that make sense?
10:26 < kai_office> gladiatr: yes :)
10:26 < kai_office> that's what we were hoping to be able to do
10:28 < gladiatr> Ok.  I don't have a specific cookbook type recipe for you on that, but you're going to need to skip any sort of network configuration by way of the openvpn config.  I think your best route is going to be setting things up with an up script
10:28 -!- mOo [moo@lighttpd/moo] has quit [Quit: hAvE yOu mOOEd tOdAY]
10:29 < gladiatr> Basically, you'll have the tap device that's associated with each connection--after it comes up, you'll do a brctl add massivelan tapN
10:30 < gladiatr> You're probably going to want to statically configure IP information--dhcp requests might not be reliable on that kind of setup
10:30 < kai_office> gladiatr: ya, they're already bridged
10:31 < gladiatr> ok.  So just reuse that bridge for each additional vpn link
10:31 < kai_office> Our Private facing interfaces are all running DHCP for the private lan on the bridged interface
10:32 < kai_office> gladiatr: great, so point-to-multipoint is not something we have to do extra configuration for. :)
10:32 < gladiatr> right, but having multiple dhcp servers on a single lan segment will cause huge problems
10:32 < gladiatr> I don't think so
10:32 < kai_office> gladiatr: ya, but I don't think OpenVPN is passing DHCP through the bridged interface.
10:32 < gladiatr> It will once you unify your broadcast domain, though.
10:33 < kai_office> When I connect a client to each of my servers, I get DHCP from OpenVPN not from dhcpd
10:33 < gladiatr> Correct, but for each physical network, there will be only one client: the gateway
10:33 < kai_office> hmm
10:33 < gladiatr> Are you in absolute need of a unification at layer 2?
10:34 < kai_office> right, so on point-to-multipoint our DHCP servers running on each gateway will see DHCP broadcasts from across the OpenVPN?
10:34 < gladiatr> in a bridged configuration, yes
10:34 < kai_office> gladiatr: Layer 2 is desirable, yes :) It's the main motivation to move from 3 separate networks to a single unified one.
10:34 -!- p3rror [~mezgani@41.140.43.182] has quit [Ping timeout: 240 seconds]
10:35 < kai_office> ok, well, I think I can deal with DHCP
10:35 < gladiatr> Gotcha.
10:35 < gladiatr> Good luck with your endeavor!
10:35 < kai_office> thanks for the help :)
10:36 < gladiatr> you bet
10:36 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn
10:38 -!- Malard [~ident@xbmc/staff/malard] has joined #openvpn
10:38 < Malard> !welcome
10:38 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:39 -!- Ove_ [~Ove@ua-85-227-16-134.cust.bredbandsbolaget.se] has quit [Ping timeout: 255 seconds]
10:39 < Malard> !goal
10:39 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
10:39 -!- Ove_ [~Ove@ua-85-227-16-134.cust.bredbandsbolaget.se] has joined #openvpn
10:41 < Malard> Hi, i'm trying to create a layer 3 tun between 2 locations, location A is on 10.20.0.0/23 location B is on 10.20.24.0/21, i've got a 'working' vpn connection between the 2 sites using openvpn, over 10.8.0.0/24 whereby both sides can ping each other over the 10.8.0.0/24 range, however I cannot get traffic to route through the tunnel
10:42 < Malard> i.e. traffic from 10.20.0.0/23 cannot reach 10.20.24.0/21 or vice versa. I cannot ping the interfaces of either vpn server that are on those ranges, only the 10.8.0.0/24 interfaces
10:43 -!- Ove_ [~Ove@ua-85-227-16-134.cust.bredbandsbolaget.se] has quit [Ping timeout: 240 seconds]
10:44 -!- le0 [~fin@unaffiliated/le0] has quit [Quit: Leaving]
10:48 -!- p3rror [~mezgani@41.140.24.206] has joined #openvpn
10:48 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
10:51 < kai_office> Malard: You need to add a route to each side's routing table, effectively teaching A that "10.20.0.0/23 is reachable through tun0"
10:51 < kai_office> err I meant "teaching B that"
10:52 < kai_office> At least I hope it's that simple :)
10:52 < Malard> yeah i've done that
10:53 < Malard> on side A, for example the vpnserver has the ip 10.20.1.151, and on side B it has 10.20.26.101, but from side A i cant ping side B on that ip, or vice versa
10:53 <@vpnHelper> RSS Update - forum: [SOLVED] Need Help with Config <http://forums.openvpn.net/topic7418.html#p8862>
10:53 < Malard> the static routes have been added automatically by openvpn
10:53 < Malard> on those 2 machines
10:54 < renihs> i would suggest sniffing on the tun interfaces
10:55 < Malard> any guides for doing that?
10:56 < renihs> what os is that?
10:56 < Malard> running both ends on ubutnu 10.10
10:56 < renihs> tcpdump -ni tun0  should give you already some hints
10:56 < renihs> on both sides
10:56 < renihs> maybe
10:57 < Malard> thanks, thats a really useful command
10:57 < Malard> should be good from here to debug it
11:00 < Malard> hmm, from side b, i see IP 10.8.0.1 > 10.20.1.151: ICMP echo request, id 3366, seq 1, length 64 but i see nothing on side a
11:00 < Malard> however, on side a, if i ping side b, i see both sides of the tun with the echo request
11:01 < kai_office> Malard: Are you masquerading on your tun devices?
11:02 < kai_office> sudo iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE
11:02 < Malard> nothing comes back from running that command on either end
11:03 < kai_office> sorry, I pasted tap0 to you, you're running tunnels, right? Try tun0
11:03 < Malard> still nothing
11:03 < kai_office> And iptables would silently add the rule. check with iptables -t nat -L
11:04 < renihs> not sure if he wants to masquerade, but if you see the requests from one side but nothing from the other then 
11:05 < renihs> sounds like one side is mising a route
11:05 < renihs> or maybe ip_forwarding is disabled
11:05 < Malard> okay, i seem to be able to ping through one side
11:05 < Malard> give me a few, it might be a layer 8 issue
11:06 < renihs> it usually is :)
11:06 < renihs> but i gotta hit the road
11:06 < Malard> ty
11:06 < Malard> for the help
11:06 < renihs> also check if ip_forward = 1 (cat /proc/sys/net/ip_forward)
11:07 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has joined #openvpn
11:10 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has quit [Quit: Leaving]
11:12 < Malard> thats not right for ubuntu, but found that its not switched on
11:12 < Malard> so thats probably whats wrong
11:17 < Malard> bingo, fault was ip_forwarding was not turned on, did'nt realise it wasnt a default setting
11:17 < Malard> thanks everyone for the help
11:21 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 272 seconds]
11:21 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 272 seconds]
11:25 -!- Ove_ [~Ove@ua-85-227-16-134.cust.bredbandsbolaget.se] has joined #openvpn
11:26 < kai_office> Malard: haha, I always get stuck on one of those two things. Masquerading and ip_fowarding. Glad you got it :)
11:29 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
11:31 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
11:32 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
11:34 -!- Ove_ [~Ove@ua-85-227-16-134.cust.bredbandsbolaget.se] has quit [Ping timeout: 255 seconds]
11:44 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
11:48 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has joined #openvpn
11:48 < gladiatr> !whee
11:48 < gladiatr> hrmph
11:49 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
11:49 -!- nijotz [~nick@li230-4.members.linode.com] has joined #openvpn
11:51 -!- Ove_ [andreas@88.80.29.100] has joined #openvpn
11:59 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
12:01 < gladiatr> ecrist, what's the link to the database of Things vpnHelper Knows?
12:05 <@vpnHelper> RSS Update - forum: [SOLVED] OpenVPN connection speed <http://forums.openvpn.net/topic7400.html#p8834>
12:12 -!- harry_ [~harry@220.sub-174-252-54.myvzw.com] has quit [Ping timeout: 264 seconds]
12:12 < ecrist> !factoids
12:12 <@vpnHelper> "factoids" is A semi-regularly updated dump of factoids database is available at http://www.secure-computing.net/factoids.php
12:13 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
12:14 < gladiatr> thankee
12:34 -!- luneff [~yury@84.51.195.188] has quit [Quit: Leaving]
12:36 -!- felix_da_catz [~felix_da_@50.15.94.128] has quit [Ping timeout: 255 seconds]
12:42 -!- gladiatr [~sdspence@160.15.124.24.cm.sunflower.com] has quit [Quit: Leaving]
12:49 -!- felix_da_catz [~felix_da_@50.15.94.128] has joined #openvpn
12:53 -!- ChocoCooks2 [~daniell@vps6794.xlshosting.net] has joined #openvpn
12:53 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Read error: Connection reset by peer]
13:03 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Quit: No Ping reply in 90 seconds.]
13:06 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
13:19 -!- ChocoCooks2 [~daniell@vps6794.xlshosting.net] has quit [Ping timeout: 265 seconds]
13:23 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
13:25 -!- WinstonSmith [~true@g231218170.adsl.alicedsl.de] has joined #openvpn
13:30 -!- atan [~atan@unaffiliated/atan] has quit [Quit: null]
13:30 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
13:32 -!- alhadi [~thunderst@unaffiliated/alhadi] has joined #openvpn
13:32 < alhadi> Hello
13:33 < alhadi> having a problem with openvpn, I'am connected to the VPN but there is no internet connection .
13:33 < alhadi> how can i solve this problem?
13:34 < |Mike|> start with reading the topic alhadi 
13:34 < alhadi> sorry new to here
13:34 < alhadi> accept my apology
13:37 < alhadi> actually , i am using a VPS and iptables is installed
13:38 < alhadi> whenever i try this iptables -t nat -A POSTROUTING -j SNAT --to-source YOURVPSIP
13:38 < alhadi> it gives me error
13:39 < alhadi> iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do
13:39 < alhadi>  you need to insmod?)
13:39 < alhadi> Perhaps iptables or your kernel needs to be upgraded.
13:40 < hyper_ch> ipforward enabled on the server?
13:41 < hyper_ch> oh... and something wrong with iptables
13:42 < alhadi> yes enabled
13:43 < alhadi> echo 1 > /proc/sys/net/ipv4/ip_forward
13:44 < alhadi> when i do that , it dose not show anything
13:45 < |Mike|> it shouldn't show anything :p
13:45 < |Mike|> do you actually know what echo 1 > bla/file did?
13:46 < alhadi> to be honest sir i dont know.
13:46 < alhadi> just got a tutorial on my VPS hosting
13:46 < alhadi> followed exactly the same but i failed
13:54 <@vpnHelper> RSS Update - forum: Openvpn desktop client works - Openvpn Connect doesn´t <http://forums.openvpn.net/topic7449.html#p8866>
13:54 -!- p3rror [~mezgani@41.140.24.206] has quit [Ping timeout: 240 seconds]
13:59 -!- DrJ [Bacon@174.141.224.168] has left #openvpn []
14:06 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
14:12 <@vpnHelper> RSS Update - forum: Can I clone my strongVPN open connection to 2nd ethernet? <http://forums.openvpn.net/topic7447.html#p8867>
14:13 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 276 seconds]
14:21 -!- datalay [~datalay@217.131.39.154] has joined #openvpn
14:22 < datalay> i have 1 ethernet device. i can connect to my openvpn server. but i want to connect internet over my vpn server's IP address
14:22 < datalay> how can i do that?
14:24 <@vpnHelper> RSS Update - forum: OPENVPN Help <http://forums.openvpn.net/topic7450.html>
14:25 < Bushmills> !redirect
14:25 <@vpnHelper> "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:25 < Bushmills> datalay: ^^^
14:28 < ChocoCooks> datalay linux server?
14:28 < ChocoCooks> !linnat
14:28 <@vpnHelper> "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to <IP ADDRESS>, or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info, or (#4) openvz see !openvzlinnat
14:31 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Read error: Connection reset by peer]
14:33 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has joined #openvpn
14:34 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
14:36 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
14:49 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Remote host closed the connection]
14:50 -!- Malard|Home [ident@xbmc/staff/malard] has joined #openvpn
14:54 -!- Malard [~ident@xbmc/staff/malard] has quit [Ping timeout: 240 seconds]
15:06 -!- krzee [krzee@openvpn/community/support/krzee] has joined #openvpn
15:11 -!- maxJadi [~maxJadi@mehdi.kjm.sgsnet.se] has joined #openvpn
15:14 -!- felix_da_catz [~felix_da_@50.15.94.128] has quit [Ping timeout: 276 seconds]
15:14 -!- maxJadi [~maxJadi@mehdi.kjm.sgsnet.se] has quit [Client Quit]
15:14 -!- maxJadi [~maxJadi@mehdi.kjm.sgsnet.se] has joined #openvpn
15:19 -!- ScriptFanix [vincent@hanaman.riquer.fr] has joined #openvpn
15:24 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has joined #openvpn
15:24 -!- le0 [~fin@cpc8-bele7-2-0-cust12.2-1.cable.virginmedia.com] has quit [Changing host]
15:24 -!- le0 [~fin@unaffiliated/le0] has joined #openvpn
15:25 -!- Malard [~ident@hebe.travelrepublic.co.uk] has joined #openvpn
15:25 -!- Malard [~ident@hebe.travelrepublic.co.uk] has quit [Changing host]
15:25 -!- Malard [~ident@xbmc/staff/malard] has joined #openvpn
15:26 < dschuett> i have openvpn running on my home gateway, i have installed dnsmasq and added files to /etc/hosts on the gateway running openvpn... why can't my openvpn clients ping any of the machines i list in /etc/hosts by their DNS?
15:29 -!- Malard|Home [ident@xbmc/staff/malard] has quit [Ping timeout: 246 seconds]
15:31 -!- dschuett [~dschuett@216.229.21.250] has left #openvpn []
15:32 < krzee> i often find it interesting that just because someone is running openvpn they ask all network/os/firewall related questions here
15:41 -!- maxJadi [~maxJadi@mehdi.kjm.sgsnet.se] has quit [Quit: Leaving]
15:48 -!- WinstonSmith [~true@g231218170.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
15:55 -!- alhadi [~thunderst@unaffiliated/alhadi] has quit [Quit: alhadi]
16:00 <@vpnHelper> RSS Update - forum: [n00b] No traffic on tun0 over LAN <http://forums.openvpn.net/topic7451.html>
16:02 < Bushmills> krzee: at least they do ask something, unlike the jokers who only demand help, without giving any clue what their problem might be
16:05 -!- Gilos [~Gilos@vares-gw.sprint.com] has joined #openvpn
16:06 < Gilos> !welcome
16:06 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
16:06 < Gilos> !goal
16:06 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
16:06 < Gilos> !wiki
16:06 <@vpnHelper> "wiki" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN, or (#2) Official wiki is at https://community.openvpn.net/openvpn/wiki
16:08 -!- WinstonSmith [~true@g231218170.adsl.alicedsl.de] has joined #openvpn
16:09 < Gilos> !forum
16:09 <@vpnHelper> [n00b] No traffic on tun0 over LAN || OPENVPN Help || Can I clone my strongVPN open connection to 2nd ethernet? || Openvpn desktop client works - Openvpn Connect doesn´t || OpenVPN 2.1 requires '--script-security 2' or higher... || Ineternet speed after the openvpn connection || [SOLVED] Need Help with Config || JonDo vs OpenVPN - They Claim To Be More Secure || IP address issue ||
16:09 <@vpnHelper> Installing TAP driver on Windows x64 fails [solved] || [MOVED] windows client and ubuntu virtual machine server || Linux client stall at Initialization Sequence Completed || [SOLVED] Routing & Load Balancing || LAN to LAN issues || need access openvpn server my server by dns or icmp tunnel || Migrate from openvpn Gui v1.03 to openvpn2.x || TLS Blocked by provider, need to modify source
16:09 <@vpnHelper> code... || New user question || [Solved] Problem when connecting Samba || VPN coder wanted || HELP || [SPLIT] Unable to access servers on vpn network. || [SOLVED] OpenVPN connection speed || Static Key Setup & Routing || [MOVED] Client pings server but server cant ping Client. || Openvpn on a public gateway. || error read UDPv4: Connection reset by peer (WSAECONNRESET) ( || Is it (4 more messages)
16:13 < ChocoCooks> the worst was a guy i spent 2 hours helping (sucessfully) to setup openvpn on his debian box
16:14 < ChocoCooks> soon as its working gone, no ty
16:14 < ChocoCooks> i think in future i refer people to the how to
16:17 < Gilos> I'm running openvpn 2.09 on a clustered windows server connecting to Many Solaris clients.  Everything works fine except for when I try to roll the windows cluster from side to side.  I have the exact same configuration on both sides and would like the same IP on both sides.  The problem that I'm having is that the cluster is naming the virtual adapter the same and windows doesn't like that and renames the non-active adapter and then that cause it to f
16:17 < Gilos> ail when it rolls from side to side.
16:18 < Gilos> and I promise to say thank you if you can help :)
16:29 < ChocoCooks> i think that is a question for a windows channel
16:29 < ChocoCooks> or networking
16:30 < krzee> openvpn 2.09!?
16:30 <@vpnHelper> RSS Update - pastebin: Someone <http://pastebin.ca/2027769>
16:30 < krzee> update that
16:43 < Gilos> ChocoCooks, even though it's the vtun adapter?
16:44 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
16:56 -!- s7r [~s7r@66.90.75.71] has joined #openvpn
17:00 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn
17:00 < dschuett> i have openvpn running on my home gateway, i have installed dnsmasq and added files to /etc/hosts on the gateway... why can't my openvpn clients ping any of the machines i list in /etc/hosts by their DNS?
17:00 < dschuett> is that not how it is supposed to work?
17:10 < Bushmills> what part of your question is the part related to openvpn?
17:11 < dschuett> just thought i would see if anyone is using dnsmasq to push dns through openvpn
17:11 < ChocoCooks> why use dnsmasq
17:11 < dschuett> chococooks: what do you suggest?
17:11 < ChocoCooks> whats your goal
17:12 < dschuett> ChocoCooks: i just want to be able to ping/access servers behind my openvpnserver/gateway by using their dns names
17:13 < Bushmills> how does your problem relate to openvpn?
17:13 < ChocoCooks> try networking channel
17:13 < dschuett> ChocoCooks: ok thanks!
17:31 < krzee> if you can ping them by ip, anything related to openvpn is done
17:36 < dschuett> krzee: what would this option state in my server.conf: push "dhcp-option DNS 10.8.0.1"
17:38 -!- WinstonSmith [~true@g231218170.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
17:39 -!- corretico [~corretico@201.201.44.82] has quit [Remote host closed the connection]
17:39 -!- star314 [~star314@starnet1.sinh.us] has joined #openvpn
17:41 < krzee> that by itself would make windows clients set their NS to 10.8.0.1
17:41 -!- fdarling [~forest@h96-60-30-11.prrymi.dsl.dynamic.tds.net] has joined #openvpn
17:41 < krzee> unix clients would need an additional script for their --up, and then they would do the same
17:41 < krzee> !pushdns
17:41 <@vpnHelper> "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit, or (#4) in unix you'll use the update-resolv-conf script
17:41 < krzee> as seen in #4
17:42 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
17:47 -!- fdarling [~forest@h96-60-30-11.prrymi.dsl.dynamic.tds.net] has quit [Ping timeout: 272 seconds]
17:48 -!- Gilos [~Gilos@vares-gw.sprint.com] has quit [Quit: Leaving]
18:17 <@vpnHelper> RSS Update - forum: Ubuntu 10.4 configuration <http://forums.openvpn.net/topic7452.html>
18:29 -!- p3rror [~mezgani@41.140.35.126] has joined #openvpn
18:31 -!- star314 [~star314@starnet1.sinh.us] has quit [Quit: Leaving]
18:42 -!- s7r [~s7r@66.90.75.71] has left #openvpn []
18:49 -!- le0 [~fin@unaffiliated/le0] has quit [Ping timeout: 240 seconds]
18:57 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has quit [Read error: Connection reset by peer]
18:58 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn
19:11 -!- WinstonSmith [~true@g231218170.adsl.alicedsl.de] has joined #openvpn
19:18 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has quit [Read error: Connection reset by peer]
19:18 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn
19:32 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Ping timeout: 276 seconds]
19:36 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
19:39 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has quit [Read error: Connection reset by peer]
19:40 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn
19:45 -!- nb [~nb@fedora/nb] has quit [Quit: ZNC - http://znc.sourceforge.net]
19:45 -!- nb [~nb@fedora/nb] has joined #openvpn
19:45 -!- wolfric [~wolfric@pdpc/supporter/student/wolfric] has joined #openvpn
19:46 < wolfric> how do i verify if a vpn connection is connected?
19:46 < wolfric> i set up a conf file and did openvpn conf_file
19:51 -!- nb_ [~nb@fedora/nb] has joined #openvpn
19:55 < ChocoCooks> ping 10.8.0.1
19:55 < ChocoCooks> if ping works you are connected
20:01 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
20:01 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
20:01 -!- n0sq_ [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
20:07 -!- wolfric [~wolfric@pdpc/supporter/student/wolfric] has quit [Ping timeout: 265 seconds]
20:08 -!- agagag_ [~anton@eudaimonia.goto10.org] has quit [Ping timeout: 240 seconds]
20:08 -!- agagag [~anton@eudaimonia.goto10.org] has joined #openvpn
20:08 -!- p3rror [~mezgani@41.140.35.126] has quit [Ping timeout: 272 seconds]
20:09 -!- wolfric [~wolfric@pdpc/supporter/student/wolfric] has joined #openvpn
20:10 -!- openvpn2009 [patel@openvpn/corp/admin/patel] has quit [Ping timeout: 255 seconds]
20:10 -!- wolfric [~wolfric@pdpc/supporter/student/wolfric] has quit [Read error: Connection reset by peer]
20:10 <@vpnHelper> RSS Update - forum: Ubuntu 10.4 configuration <http://forums.openvpn.net/topic7452.html#p8871>
20:14 -!- openvpn2009 [patel@75-54-230-125.lightspeed.sntcca.sbcglobal.net] has joined #openvpn
20:20 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has quit [Read error: Connection reset by peer]
20:20 -!- dschuett1 [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn
20:22 -!- dschuett1 [~dschuett@ip68-99-4-225.om.om.cox.net] has quit [Read error: Connection reset by peer]
20:22 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn
20:22 <@vpnHelper> RSS Update - forum: Linux client stall at Initialization Sequence Completed <http://forums.openvpn.net/topic7403.html#p8872>
20:26 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has quit [Read error: Connection reset by peer]
20:27 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn
20:29 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has quit [Read error: Connection reset by peer]
20:29 -!- wolfric [~wolfric@pdpc/supporter/student/wolfric] has joined #openvpn
20:30 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has joined #openvpn
20:31 < wolfric> sorry. just in reference to my question before hand. I'm connected to a vpn that assigns a public ip so testing connectivity to any ip on the network won't verify. 
20:31 < wolfric> is there a more official way to display current vpn connections 
20:35 -!- nb_ [~nb@fedora/nb] has quit [Read error: Connection reset by peer]
20:42 -!- dschuett [~dschuett@ip68-99-4-225.om.om.cox.net] has left #openvpn []
20:47 -!- nb_ [~nb@fedora/nb] has joined #openvpn
20:54 < krzee> by looking at your routing table?  by sniffing your network?
20:55 < krzee> or from what your setup sounds like it is... by hitting http://secure-computing.net/ip.php
20:55 <@vpnHelper> Title: SCN: SCN (at secure-computing.net)
20:57 < wolfric> ok by the looks of it (running a netstat) it doesn't seem to have connected however if i just do openvpn conffile it doesn't show me anything
21:05 <@vpnHelper> RSS Update - forum: How to sign my own TAP driver? <http://forums.openvpn.net/topic7453.html>
21:09 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
21:16 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 272 seconds]
21:21 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has quit [Ping timeout: 276 seconds]
21:23 -!- Clete2 [~Clete2@70.15.66.134.res-cmts.man2.ptd.net] has joined #openvpn
21:24 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
21:26 < ChocoCooks> wolfric u still here
21:37 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 265 seconds]
21:48 < wolfric> i am indeed
21:48 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
21:48 < wolfric> ChocoCooks: 
21:50 -!- unspin [~unspin@S010600900b1a7c77.vc.shawcable.net] has joined #openvpn
21:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 255 seconds]
21:56 -!- [1]shnook [~shnoon@cpe-68-174-148-185.nyc.res.rr.com] has joined #openvpn
21:58 -!- shn00k [~shnoon@cpe-68-174-148-185.nyc.res.rr.com] has quit [Ping timeout: 240 seconds]
21:59 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
21:59 -!- shn00k [~shnoon@cpe-68-174-148-185.nyc.res.rr.com] has joined #openvpn
22:01 -!- [1]shnook [~shnoon@cpe-68-174-148-185.nyc.res.rr.com] has quit [Ping timeout: 240 seconds]
22:05 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:06 -!- [1]shnook [~shnoon@cpe-68-174-148-185.nyc.res.rr.com] has joined #openvpn
22:10 -!- shn00k [~shnoon@cpe-68-174-148-185.nyc.res.rr.com] has quit [Ping timeout: 276 seconds]
22:15 -!- [1]shnook [~shnoon@cpe-68-174-148-185.nyc.res.rr.com] has quit [Read error: Connection reset by peer]
22:16 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
22:21 -!- ChocoCooks [~daniell@vps6794.xlshosting.net] has quit [Ping timeout: 240 seconds]
22:26 -!- ChocoCooks [~daniell@82-168-191-228.ip.telfort.nl] has joined #openvpn
22:26 -!- ChocoCooks [~daniell@82-168-191-228.ip.telfort.nl] has quit [Client Quit]
22:30 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
22:35 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 250 seconds]
22:47 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
23:00 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 240 seconds]
23:07 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
23:09 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
23:12 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
23:23 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 240 seconds]
23:36 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
23:57 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
--- Day changed Thu Dec 30 2010
00:04 -!- atan [~atan@unaffiliated/atan] has quit [Quit: null]
00:17 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 260 seconds]
00:50 -!- cpf_ [~cpf@91.183.51.181] has joined #openvpn
00:58 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 260 seconds]
01:11 -!- tessier [~treed@mail.copilotco.com] has joined #openvpn
01:20 -!- unspin [~unspin@S010600900b1a7c77.vc.shawcable.net] has quit [Ping timeout: 240 seconds]
01:28 -!- roentgen [~arthur@2001:4d18:3:1:ffff:ffff:ffff:1] has joined #openvpn
01:28 -!- roentgen [~arthur@2001:4d18:3:1:ffff:ffff:ffff:1] has quit [Changing host]
01:28 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
01:42 <@vpnHelper> RSS Update - pastebin: Miscellany <http://pastebin.ca/2031403> || lorddoskias <http://pastebin.ca/2031400> || harry_ <http://pastebin.ca/2031076> || harry_ <http://pastebin.ca/2031074> || Mine <http://pastebin.ca/2027845> || Something <http://pastebin.ca/2027836> || Anonymous <http://pastebin.ca/2027834> || Mine <http://pastebin.ca/2027832> || Untitled <http://pastebin.ca/2027830> || Miscellany <http://pastebin.ca/2027827> || So
01:47 -!- datalay [~datalay@217.131.39.154] has quit [Ping timeout: 260 seconds]
02:07 -!- farciarz84 [~farseer@unaffiliated/farciarz84] has joined #openvpn
02:08 < farciarz84> hi, what is the minimal comfortable ping response to work through vpn with editing file over ssh?
02:10 < tessier> farciarz84: I would guess a hundred milliseconds or so
02:11 < tessier> Anyone know why the DOS box stays open on one of my user's openvpn installs?
02:11 < tessier> It seems to disappear in all of the previous installs.
02:11 < tessier> But this one stays open. I think if he kills it the connection will drop.
02:18 -!- hid3 [~tst@lan-78-157-71-116.vln.skynet.lt] has quit [Ping timeout: 255 seconds]
02:50 -!- WinstonSmith [~true@g231218170.adsl.alicedsl.de] has quit [Read error: Connection reset by peer]
02:51 -!- WinstonSmith [~true@e177095236.adsl.alicedsl.de] has joined #openvpn
03:03 -!- n0de_ [~n0de@ks354672.kimsufi.com] has joined #openvpn
03:03 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
03:08 -!- mape2k [~jabber@galatea.net.pennewiss.de] has joined #openvpn
03:13 -!- cpf_ [~cpf@91.183.51.181] has quit [Ping timeout: 250 seconds]
03:13 -!- cpf_ [~cpf@91.183.51.181] has joined #openvpn
03:18 -!- ScriptFanix [vincent@hanaman.riquer.fr] has quit [Read error: Operation timed out]
03:19 -!- ScriptFanix [~vincent@hanaman.riquer.fr] has joined #openvpn
03:21 -!- lupine_85 [~lupine_85@unaffiliated/lupine-85/x-7392152] has joined #openvpn
03:25 -!- krzie [~k@openvpn/community/support/krzee] has joined #openvpn
03:37 -!- dazo [~dazo@openvpn/community/developer/dazo] has joined #openvpn
03:37 -!- mode/#openvpn [+o dazo] by ChanServ
03:39 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Operation timed out]
03:48 -!- master_of_master [~master_of@p57B5640E.dip.t-dialin.net] has quit [Ping timeout: 240 seconds]
03:51 -!- master_of_master [~master_of@p57B561E9.dip.t-dialin.net] has joined #openvpn
03:52 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
04:05 -!- noisebleed [~quassel@kermit.inescn.pt] has joined #openvpn
04:05 -!- noisebleed [~quassel@kermit.inescn.pt] has quit [Changing host]
04:05 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
04:11 < Bushmills> farciarz84: about the same as editing through ssh alone, without vpn
04:13 <@vpnHelper> RSS Update - forum: Unable to access internal servers on openvpn server <http://forums.openvpn.net/topic7425.html#p8874>
04:13 -!- hid3 [~tst@lan-78-157-71-116.vln.skynet.lt] has joined #openvpn
04:19 -!- maxJadi [~maxJadi@mehdi.kjm.sgsnet.se] has joined #openvpn
04:22 < kraut> moin
04:26 < krzie> moin
04:32 -!- Malard|Home [~ident@xbmc/staff/malard] has joined #openvpn
04:34 < renihs> moin?
04:34 < renihs> its 11:30
04:34 < Ove_> Does moin mean morning?
04:36 -!- Malard [~ident@xbmc/staff/malard] has quit [Ping timeout: 240 seconds]
04:37 -!- common [~common@p5DDA48CD.dip0.t-ipconnect.de] has quit [Ping timeout: 240 seconds]
04:38 < renihs> thats my translation for it the past 10 years
04:39 < renihs> dont tell me its wrong
04:39 < renihs> :)
04:39 -!- onikk [~onik@ap85.adsl.tnnet.fi] has joined #openvpn
04:39 < onikk> !welcome
04:39 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:39 < krzie> its a greating
04:39 -!- common [~common@p5DDA49AA.dip0.t-ipconnect.de] has joined #openvpn
04:39 < krzie> however, its a german expression, so it actually is kinda morning over there
04:40 < mape2k> renihs: moin is a german short-form for "Guten Morgen" (Good Morning)
04:41 < mape2k> it's mainly used in north germany
04:42 < onikk> hi, i have a "tiny" problem with my key files... a user's crt file was genetared empty, and i can't recreate it properly, how can i remove the entire user and readd?
04:42 < onikk> *generated
04:43 < krzie> there are no users, only those with signed certs and those without
04:44 < onikk> ok, so what does it mean if i get a TXT_DB error number 2 when trying to recreate the certs?
04:45 < krzie> ahh easy-rsa needs you to remove it from the index.txt file
04:46 < krzie> thats how it keeps track of issued certs internally so you can later revoke them
04:48 < onikk> ahh, that fixed it, thanks krzie :)
04:48 < krzie> np
04:48 -!- onikk [~onik@ap85.adsl.tnnet.fi] has left #openvpn []
04:53 <@vpnHelper> RSS Update - forum: Linux client stall at Initialization Sequence Completed <http://forums.openvpn.net/topic7403.html#p8875>
04:56 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
05:08 -!- takamichi [~pri@85.232.213.54] has quit [Ping timeout: 240 seconds]
05:09 -!- takamichi [~pri@194.126.175.219] has joined #openvpn
05:21 -!- maxJadi [~maxJadi@mehdi.kjm.sgsnet.se] has quit [Quit: Leaving]
05:21 -!- maxJadi [~maxJadi@mehdi.kjm.sgsnet.se] has joined #openvpn
05:22 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
05:26 -!- ScriptFanix [~vincent@hanaman.riquer.fr] has quit [Quit: WeeChat 0.3.2]
05:26 -!- ScriptFanix [~vincent@hanaman.riquer.fr] has joined #openvpn
05:33 -!- alhadi [~thunderst@92.96.212.59] has joined #openvpn
05:53 -!- takamichi [~pri@194.126.175.219] has quit [Ping timeout: 272 seconds]
05:53 -!- takamichi [~pri@85.232.213.54] has joined #openvpn
05:56 -!- x-demon [xdemon@lex.io] has joined #openvpn
06:17 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-mksnccwaanlxkkbj] has quit [Ping timeout: 240 seconds]
06:19 -!- mape2k [~jabber@galatea.net.pennewiss.de] has left #openvpn []
06:19 -!- mape2k [~jabber@galatea.net.pennewiss.de] has joined #openvpn
06:23 -!- cpf_ [~cpf@91.183.51.181] has quit [Ping timeout: 240 seconds]
06:24 -!- maxJadi [~maxJadi@mehdi.kjm.sgsnet.se] has quit [Quit: Leaving]
06:27 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-cpzjnlkimbbqpvaz] has joined #openvpn
06:30 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
06:52 -!- dschuett [~dschuett@216.229.21.250] has joined #openvpn
06:56 -!- mape2k [~jabber@galatea.net.pennewiss.de] has left #openvpn []
06:56 -!- mape2k [~jabber@galatea.net.pennewiss.de] has joined #openvpn
07:06 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-cpzjnlkimbbqpvaz] has quit [Ping timeout: 240 seconds]
07:07 -!- n0de_ [~n0de@ks354672.kimsufi.com] has quit [Quit: n0de_]
07:14 -!- HoboSteaux [HoboSteaux@nat/wsulug/x-ltqmlliavogkigsn] has joined #openvpn
07:15 -!- mape2k [~jabber@galatea.net.pennewiss.de] has left #openvpn []
08:14 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
08:17 < takamichi> What is the most common reason for infrequent disconnects - openvpn gui shows yellow icon after being connected for 24-72 hours ?
08:20 < takamichi> I know that dhcp request can disconnect the client and obviously network failures will do so as well, but what else?
08:23 < alhadi> hello , is it possible for openvpn to be setup as automatic username and password , like without entering anything and just right click connect?
08:26 < Bushmills> !keys
08:26 <@vpnHelper> "keys" is http://openvpn.net/howto#pki
08:28 -!- Lenhix [~lenhix@19014233237.ip10.static.mediacommerce.com.co] has joined #openvpn
08:30 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Ping timeout: 255 seconds]
08:31 < Lenhix> Hellol. I just installed openvpn on Fedora but /etc/openvpn is empty. Where can I find sample server and client config files?
08:34 < dschuett> Lenhix: this is for ubuntu but it should be no different on fedora: got be up and woking on the first try: http://library.linode.com/networking/openvpn/ubuntu-10.04-lucid
08:34 <@vpnHelper> Title: Deploy VPN Services with OpenVPN - Secure Communications with OpenVPN on Ubuntu 10.04 (Lucid) - Linode Library (at library.linode.com)
08:34 < Lenhix> thx dschuett
08:35 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 260 seconds]
08:37 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
08:37 < dschuett> Lenhix: no problem... i just set up my very first openvpn server so i'm right there with ya
08:39 -!- farciarz84 [~farseer@unaffiliated/farciarz84] has quit [Quit: Lost terminal]
08:41 < alhadi> hmm
08:41 < alhadi> Bushmills for me?
08:41 < Bushmills> alhadi: yes
08:42 -!- Katoen_ [ab62731c85@xs8.xs4all.nl] has quit [Quit: leaving]
08:48 <@vpnHelper> RSS Update - forum: Ubuntu 10.4 configuration <http://forums.openvpn.net/topic7452.html#p8876>
08:50 < alhadi> Bushmills still dont understand where i have to enable automatic username password setup
08:50 < alhadi> if you can only Hint would make me think easy
08:50 < Bushmills> you'd use keys instead of user/pass login
08:51 < alhadi> like ca.crt, server.csr ?
08:52 < Bushmills> for one single client, a symmetric key would do.
08:52 < Bushmills> for multiple clients, you'd probably want to set up the whole PKI
08:53 < common> today dev meeting?
08:55 -!- gladiatr [~gladiatr@madeline.boneyard.lawrence.ks.us] has joined #openvpn
08:55 <@dazo> common:  Yeah, I think so ... even though, I'm not convinced ... haven't seen mattock in a while here, so it also depends on him
08:58 < gladiatr> hey all
08:58 -!- cpf_ [~cpf@94-226-0-20.access.telenet.be] has joined #openvpn
09:04 <@vpnHelper> RSS Update - forum: tun or tap? <http://forums.openvpn.net/topic7454.html>
09:04 < alhadi> Bushmills  according to my understanding do i put this thing in client.ovpn ca ca.crtcert server.crtkey server.key ?
09:13 < Bushmills> !howto
09:13 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:13 < alhadi> Bushmills i have done automatic login now but i have error
09:13 < Bushmills> there's quickstart section
09:13 < alhadi> says connection reset
09:13 < alhadi> i already did automatic login
09:13 < Bushmills> quickstart shows symmetric key setup
09:13 < alhadi> it was establishing connection but gave me error
09:16 <@vpnHelper> RSS Update - forum: tun or tap? <http://forums.openvpn.net/topic7454.html#p8878>
09:16 -!- KaiForce [~chatzilla@adsl-70-228-82-202.dsl.akrnoh.ameritech.net] has joined #openvpn
09:19 < gladiatr> "You cannot make another post so soon after your last." :P -> phpBB
09:22 <@vpnHelper> RSS Update - forum: Unable to access internal servers on openvpn server <http://forums.openvpn.net/topic7425.html#p8880> || Ubuntu 10.4 configuration <http://forums.openvpn.net/topic7452.html#p8879>
09:24 -!- WinstonSmith [~true@e177095236.adsl.alicedsl.de] has quit [Quit: Ex-Chat]
09:26 -!- Lenhix [~lenhix@19014233237.ip10.static.mediacommerce.com.co] has quit [Ping timeout: 255 seconds]
09:26 -!- takamichi [~pri@85.232.213.54] has quit [Ping timeout: 240 seconds]
09:27 -!- takamichi [~pri@194.126.175.219] has joined #openvpn
09:40 <@vpnHelper> RSS Update - forum: Help?? <http://forums.openvpn.net/topic7361.html#p8881>
09:40 -!- x-demon is now known as lex
09:53 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Read error: Operation timed out]
10:06 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
10:08 -!- ucekpolish [user@hq.ostc-pl.com] has quit [Remote host closed the connection]
10:08 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
10:08 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
10:10 -!- tacidsky [~tacidsky@vps.tacidsky.com] has joined #openvpn
10:10 < tacidsky> !welcome
10:10 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
10:11 < tacidsky> !iporder
10:11 <@vpnHelper> "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
10:11 < tacidsky> !howto
10:11 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:14 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
10:15 -!- ucekpolish [user@hq.ostc-pl.com] has joined #openvpn
10:26 -!- corretico [~corretico@201.201.44.82] has quit [Quit: Leaving]
10:27 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has joined #openvpn
10:34 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Quit: http://quassel-irc.org - Chat comfortably. Anywhere.]
10:35 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
10:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Client Quit]
10:37 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
10:39 -!- optiz0r [~optiz0r@miranda.sihnon.net] has joined #openvpn
10:39 <@vpnHelper> RSS Update - forum: Ineternet speed after the openvpn connection <http://forums.openvpn.net/topic7448.html#p8882>
10:41 < optiz0r> Where a server has two IP addresses on the same interface, is it possible to select which one is used for an outgoing (client) openvpn connection (udp)? I've tried setting `local foo` and removing the `nobind`, but the openvpn server sees the connection coming from the host's primary IP.
10:41 < optiz0r> Also tried SNATting the outgoing packets, but that didn't seem to do the trick either
10:41 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has joined #openvpn
10:42 < gladiatr> optiz0r, It depends on the OS.
10:42 < optiz0r> gladiatr: in this case, linux
10:43 < optiz0r> running 2.1.3 on the client side
10:43 < gladiatr> optiz0r, start here: 
10:43 < gladiatr> http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2
10:43 <@vpnHelper> Title: iproute2 | The Linux Foundation (at www.linuxfoundation.org)
10:44 < gladiatr> It'll take some noodling, but it is possible.
10:44 < optiz0r> aye, iproute2 is on the box
10:44 < optiz0r> high-level, what are you thinking?
10:45 < gladiatr> lartc.org also has some good information on the topic (of iproute2)
10:45 -!- lex is now known as x-demon
10:58 < krzee> lol i just went to change you to a forum mod and see i got beat to the punch
10:58 < krzee> you really a dog trainer gladiatr?
11:02 < |Mike|> ping
11:05 -!- smerz [~smerz@smerz.demon.nl] has joined #openvpn
11:08 -!- hid3 [~tst@lan-78-157-71-116.vln.skynet.lt] has quit []
11:08 -!- hid3 [~tst@lan-78-157-71-116.vln.skynet.lt] has joined #openvpn
11:08 -!- hid3 [~tst@lan-78-157-71-116.vln.skynet.lt] has quit [Client Quit]
11:09 -!- Ove_ [andreas@88.80.29.100] has quit [Ping timeout: 260 seconds]
11:09 -!- Ove_ [andreas@gw.thefuck.se] has joined #openvpn
11:11 <@dazo> optiz0r:  see if --multihome helps you as well
11:19 -!- simplechat [~simplecha@unaffiliated/simplechat] has quit [Remote host closed the connection]
11:19 < gladiatr> kzree, yup
11:20 < krzee> gladiatr, SAR?
11:21 < krzee> |Mike|, can use !ping
11:21 < krzee> !ping
11:21 <@vpnHelper> pong
11:21 -!- Ove_ [andreas@gw.thefuck.se] has quit [Quit: leaving]
11:23 < gladiatr> krzee, not yet.  I'm looking to get into that and tracking.  I've got a retriever at the moment.  He's not a bloodhound but he's got great aptitude for finding buried treasure.
11:23 < gladiatr> Met the most amazing bloodhound at a shelter in KC a few months ago... made me wish I had a bigger house
11:26 <@vpnHelper> RSS Update - forum: Unable to access internal servers on openvpn server <http://forums.openvpn.net/topic7425.html#p8883>
11:28 -!- Ove_ [~Ove@what.thefuck.se] has joined #openvpn
11:29 < krzee> retrievers make fantastic area search dogs... bloodhounds would be more for trailing
11:29 < krzee> in SAR you may find that area search dogs are more commonly useful
11:29 -!- Ove_ [~Ove@what.thefuck.se] has quit [Client Quit]
11:30 < krzee> the main thing to look for in a SAR dog is that it can hold its attention span on a single object (some favorite toy or something of that sort)
11:30 < krzee> if it can do that, it'll make a good search dog
11:30 < gladiatr> Are you a handler as well?
11:31 < krzee> nope, but my mom was well respected in the world search team
11:31 < krzee> so osmosis kicked in i guess
11:31 < gladiatr> nothing wrong with that.  My mother just complained a lot.  heh
11:32 < krzee> when i actually have a yard my dog will be an english bulldog, lol
11:32 < krzee> you DEFINITELY cant do SAR with one of those guys
11:32 < gladiatr> I love those dogs.  They don't have to be good at anything to be awesome
11:33 < gladiatr> This old guy that lived a block from me when I was a kid had one... used to put it in the side cart on his Harley and drive around town.
11:33 < gladiatr> Mr. Hecker & Mac
11:34 < krzee> ya man they're great
11:35 < gladiatr> Yeah.  Living in the midwest, you get a lot of people that bring home working breeds.  My plan over the next few years is to work with sar, tracking and herding trainers to at least help people get started on the right path of not driving their dog insane. :)
11:35 < gladiatr> My wife is a nurse... she can't stand being around the bronchiosyphalic(sp?) breeds... their breathing issues make her want to Help Them 
11:35 < krzee> aussie shepherds are natural herders
11:36 < gladiatr> Amazingly so
11:36 < krzee> you couldnt train it out of them if you wanted to
11:36 < gladiatr> Get them sheep or they shall herd squirrels and cats!
11:36 < krzee> lol yes
11:37 < krzee> they'll herd the kids if they have nothing else, lol
11:37 < gladiatr> indeed!
11:38 < gladiatr> and the stare... between border collies and aussies... lasers for eyes
11:38 < krzee> totally
11:39 < gladiatr> I was taking care of a client's BC a few months back.  She had to states of being: right next to me and 4 blocks away
11:43 < krzee> and when she was 4 blocks away she was prolly doing something she thought you'd be proud of
11:44 < gladiatr> You can say that again.  I think she tree'd an entire family of squirrels. :)
11:45 < dschuett> hmmm... openvpn dogs
11:45 < dschuett> haha
11:45 < gladiatr> lol
11:45 < krzee> so what do you train them for?  general behavior or things like herding?
11:45 < dschuett> good covo going on in here
11:46 < krzee> lol, the off-topic stops when people have more questions
11:46 < dschuett> no questions here! :)
11:46 < krzee> til then, anything (within common-sense) goes
11:46 < gladiatr> indeed!
11:46 < dschuett> well, i have 2 boxers that are more personable than most people...
11:47 -!- cpf_ [~cpf@94-226-0-20.access.telenet.be] has quit [Ping timeout: 272 seconds]
11:47  * cpm read that as perishable. was in the 'huh?' mode.
11:49 < gladiatr> dschuett, I feel that way about my retriever.  When I was chased out of an Einstein Bros. bagle shop during a sudden ice storm a few years back, my parting shot was, "He's clean, well behaved and parasite free which is more than can be said for some of your patrons' children"
11:51 < dschuett> gladiatr: very well put!
11:51 < gladiatr> needless to say, the assistant manager was not amused.  I, on the other hand, was very amused.
11:52 < dschuett> I used to have a lab - who was also an AMAZING dog
11:52 < dschuett> if most people were half as smart as dogs, this world might be ok :P
11:52 < krzee> lol
11:53 < gladiatr> agreed
11:59 -!- cpf_ [~cpf@94-226-0-20.access.telenet.be] has joined #openvpn
12:06 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
12:10 < krzee> [10:08]  <pressureman> ./configure --without-carrier-pigeon
12:10 < krzee> lol
12:12 < gladiatr> awesome
12:13 < gladiatr> for those that haven't had the pleasure: http://tools.ietf.org/html/rfc1149
12:13 <@vpnHelper> Title: RFC 1149 - Standard for the transmission of IP datagrams on avian carriers (at tools.ietf.org)
12:13 < krzee> aye, love that
12:13 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has quit [Ping timeout: 260 seconds]
12:14 < gladiatr> The fun part is that a group of MIT geeks implemented it back in the early/mid 90's 
12:14 < gladiatr> If only youtube would have been around then...
12:14 < krzee> and recorded RTT
12:14 < krzee> lol
12:14 < gladiatr> hrm...
12:19 -!- wolfric [~wolfric@pdpc/supporter/student/wolfric] has quit [Read error: Operation timed out]
12:22 -!- wolfric [~wolfric@84-203-39-186.mysmart.ie] has joined #openvpn
12:22 -!- wolfric [~wolfric@84-203-39-186.mysmart.ie] has quit [Changing host]
12:22 -!- wolfric [~wolfric@pdpc/supporter/student/wolfric] has joined #openvpn
12:22 -!- cpf_ [~cpf@94-226-0-20.access.telenet.be] has quit [Ping timeout: 255 seconds]
12:22 -!- bauruine [~stefan@cable-dynamic-87-245-124-161.shinternet.ch] has joined #openvpn
12:41 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
13:01 <@vpnHelper> RSS Update - forum: Ubuntu 10.4 configuration <http://forums.openvpn.net/topic7452.html#p8884>
13:14 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 240 seconds]
13:35 -!- s7r [~s7r@66.90.75.99] has joined #openvpn
13:39 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has quit [Read error: Operation timed out]
13:41 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has joined #openvpn
14:11 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Quit: cpm]
14:16 -!- dschuett [~dschuett@216.229.21.250] has left #openvpn []
14:19 -!- patelx [~a@openvpn/corp/admin/patel] has quit [Quit: ircN 8.00 for mIRC (20100904) - www.ircN.org]
14:22 -!- nb_ [~nb@fedora/nb] has quit [Read error: Operation timed out]
14:22 -!- ccr_ [~cransom@crosstalk.atomz.com] has quit [Ping timeout: 260 seconds]
14:23 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
14:24 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
14:26 < alhadi> hi guys
14:28 < Essobi> Morning
14:29 < krzee> mornin Essobi!
14:29 < krzee> and hello alhadi 
14:30 < alhadi> have some problem with openvpn
14:30 < alhadi> since 2 days trying to find out how to setup the username and password automatic
14:31 < alhadi> created auth-username-pass file.txt, made a file but when i right click and connect it says sorry No Auth as file.txt
14:32 < hyper_ch> krzee: http://www.defectivebydesign.org/node/2164
14:32 <@vpnHelper> Title: The most important work for freedom that this culture has seen in generations | DefectiveByDesign.org (at www.defectivebydesign.org)
14:33 -!- MJD [~quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined #openvpn
14:36 -!- nb_ [~nb@fedora/nb] has joined #openvpn
14:39 -!- alhadi [~thunderst@92.96.212.59] has quit [Quit: alhadi]
14:50 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Quit: No Ping reply in 90 seconds.]
14:50 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
14:58 -!- Lenhix [~lenhix@200.119.13.10] has joined #openvpn
14:59 < Lenhix> Hello. How complex is to set up a LAN-to-LAN VPN using two openvpn servers?
15:01 < Bushmills> !route
15:01 <@vpnHelper> "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:01 < reiffert> Lenhix: depends on your skills
15:02 < Bushmills> reiffert: moinmoin
15:02 < Lenhix> reiffert: I'm pretty good with Linux, know enough iptables and.. I also can read
15:03 < reiffert> Lenhix: basic routing skills?
15:03 < Lenhix> enough, I guess... I work at a networking company
15:03 < Bushmills> reiffert: want your torch back?
15:04 < reiffert> Bushmills: sure 
15:04 < Bushmills> i'll be in mainz fromon tomorrow
15:04 < reiffert> Lenhix: great. so first decide if you want routing or bridging
15:04 -!- takamichi [~pri@194.126.175.219] has quit [Ping timeout: 246 seconds]
15:04 < reiffert> Lenhix: start reading the official howto. it's at
15:04 < reiffert> !howto
15:04 <@vpnHelper> "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:04 < reiffert> then go on with !route
15:04 < Lenhix> ok, thx
15:05 -!- takamichi [~pri@85.232.213.54] has joined #openvpn
15:07 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
15:09 <@vpnHelper> RSS Update - forum: OpenVPN Won't Start <http://forums.openvpn.net/topic7455.html>
15:21 <@vpnHelper> RSS Update - forum: OpenVPN Won't Start <http://forums.openvpn.net/topic7455.html#p8886>
15:33 <@vpnHelper> RSS Update - forum: OpenVPN Won't Start <http://forums.openvpn.net/topic7455.html#p8887>
15:35 < gladiatr> Hrm.  That's the second time someone has told me they couldn't get to the openvpn.net site...
15:45 < gladiatr> Here we go.  Basically random and nothing to do with openvpn, but can anyone explain why a tomcat system (or is it java's thing?) that it seems to require the public key of a remote TLS-enabled service installed in its local keystore to successfully negotiate a tls connection?
16:20 < ecrist> gladiatr: java sucks.  that is all.
16:31 -!- krzee [krzee@openvpn/community/support/krzee] has quit [Quit: Leaving]
16:32 -!- Lenhix [~lenhix@200.119.13.10] has quit [Quit: Mindwall!!]
16:36 < gladiatr> ecrist, yay and verily
16:36 -!- KaiForce [~chatzilla@adsl-70-228-82-202.dsl.akrnoh.ameritech.net] has quit [Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014]]
16:51 <@vpnHelper> RSS Update - forum: Tapinstall.exe failed to install. Help!!! OpenVPN-AS 1.3.4 <http://forums.openvpn.net/topic7456.html>
17:02 -!- WinstonSmith [~true@e177095236.adsl.alicedsl.de] has joined #openvpn
17:06 -!- krzie [~k@openvpn/community/support/krzee] has quit [Ping timeout: 272 seconds]
17:15 -!- Malard [~ident@xbmc/staff/malard] has joined #openvpn
17:15 <@vpnHelper> RSS Update - forum: OpenVPN Won't Start <http://forums.openvpn.net/topic7455.html#p8889>
17:15 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has quit [Ping timeout: 240 seconds]
17:16 < Malard> hi, is there a guide somewhere that I can use to setup openvpn so that standard windows clients can authenticate (with openvpn using radius authentication to verify users)
17:16 < Malard> i.e. i dont want to use certificates for these windows users
17:37 -!- raidzx [~Andrew@seance.openvpn.org] has joined #openvpn
17:39 -!- raidz [~Andrew@openvpn/corp/admin/andrew] has quit [Ping timeout: 240 seconds]
17:40 < gladiatr> I'm gonna say no.  I think what you'll find are documents regarding radius and others involving using username/password authentication.  There's also a plugin for dealing with PAM if you're running a linux or BSD on the server
17:41 < Malard> its a linux server, what is PAM?
17:42 < gladiatr> http://www.kernel.org/pub/linux/libs/pam/
17:42 <@vpnHelper> Title: A Linux-PAM page (at www.kernel.org)
17:43 < Malard> really all i want is the ability to move away from using RRAS for vpn, i.e. having a windows machine handling the vpn connections
17:45 -!- raidzxx [~Andrew@seance.openvpn.org] has joined #openvpn
17:48 -!- raidzx [~Andrew@seance.openvpn.org] has quit [Ping timeout: 260 seconds]
17:49 < gladiatr> I understand, but I'm pretty sure the only method for user/pass authentication that openvpn directly supports is a text file that list the users and their passwords.  If you want to tie this into a different kind of authentication system, you're going to need a plugin of some sort.  The two options that I know of are a radius plugin (not from experience, just from seeing it mentioned on the mailing list) and a pam plugin.
17:50 < Malard> i found a radiusplugin and got that installed
17:50  * qermit uses pam plugin
17:50 < Malard> but i am a bit hazy as the guide i was following was still saying to create certificates
17:50 < Malard> http://www.roessner-network-solutions.com/beliebte-seiten-und-artikel/openvpn-radius-mysqlldap-howto/#openvpn
17:50 <@vpnHelper> Title: OpenVPN RADIUS MySQL/LDAP Howto | Rößner-Network-Solutions (at www.roessner-network-solutions.com)
17:55 < gladiatr> Even with having a user/pass system in place, its a Good Idea to use a certificate on the client-side, so you're going to see that on many howtos and walk-throughs
17:56 < Malard> just need to backtrack, with openvpn does it support connections from just the standard vpn support in windows?
17:56 < Malard> or do i need an openvpn specific client?
18:03 <@dazo> Malard:  you need a specific openvpn client
18:03 < Malard> ah damn, okay then so much for that idea. its a bit tricky right now for me to get all the remote workers to shift to a new way of doing things
18:04 < Malard> by hope was to get away from using windows as the vpn server
18:05 <@dazo> not sure what the default vpn server on Windows is ... but if it is still pptp ... I'd force my users over to whatever else, at least to keep my back clean
18:05 < gladiatr> righto.  I'm off. happy new year all :)  be safe and frolicksome
18:05 -!- gladiatr [~gladiatr@madeline.boneyard.lawrence.ks.us] has quit [Quit: Killed (einride (requested by panasync))]
18:06 < Malard> yeah i'm just taking over all of this stuff from a collection of different people who have contributed to the mess over the years.
18:07 <@dazo> even more a better reason why to clean up and kick out unsafe technologies ...
18:07 < Malard> so i am just trying to attack low hanging fruit at the moment, i got openvpn setup to act as a layer 3 tunnel and was hoping to get it to handle remote workers also, but thats a bit of a political mess to move them from their existing setup
18:08 < Malard> forgive my ignorance, but why is pptp bad?
18:09 -!- krzee [~k@ftp.secure-computing.net] has joined #openvpn
18:09 -!- krzee [~k@ftp.secure-computing.net] has quit [Changing host]
18:09 -!- krzee [~k@openvpn/community/support/krzee] has joined #openvpn
18:10 <@dazo> Malard:  try to google "Why is pptp bad?" and you might find this one http://www.zdnet.com/blog/ou/pptp-vpn-authentication-protocol-proven-very-susceptible-to-attack/21
18:10 <@vpnHelper> Title: PPTP VPN authentication protocol proven very susceptible to attack | ZDNet (at www.zdnet.com)
18:11 <@dazo> http://www.mail-archive.com/security-basics@securityfocus.com/msg01288.html
18:11 <@vpnHelper> Title: RE: Microsoft PPTP bad for security? (at www.mail-archive.com)
18:11 < krzee> !pptp
18:11 <@vpnHelper> "pptp" is PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to read about
18:11 <@vpnHelper> why to not use pptp
18:11 <@dazo> krzee:  ahh ... cool .... didn't know about that one :)
18:12 < krzee> i like that link a lot
18:12 < Malard> okay thanks, i'm asking so i have ammo when proposing it upwards
18:13 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 240 seconds]
18:13 < Malard> in terms of deployment, we have a few laptops which circulate between employees when they are out and about, it would be good that ontop of having a certificate there was still a password layer
18:13 < Malard> incase they decide to leave it on a train or whatever.
18:14 <@dazo> Malard:  that's doable ... use a "laptop related certificate" on them which won't change ... and then you can do user/pass auth on top of that
18:14 <@dazo> then you can just revoke the certificate if the laptop is lost/stolen/broken/whatever silly people do with laptops
18:15 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
18:15 < Malard> so i assume i would generate a certificate per laptop
18:15 <@dazo> yeah
18:15 <@dazo> I'd go that path in this case
18:15 < Malard> it makes sense, the difficulty is that many of the remote workers are international
18:16 < Malard> getting hands on access to the machine will be tricky
18:16 <@dazo> Malard:  are you bound to RADIUS authentication?
18:16 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds]
18:16 < Malard> no, but i have a radius server setup that is proxying to the ldap server on the windows domain
18:17 < Malard> i dont mind going direct to the ldap server, but i've tried to funnel all connections via radius
18:17 <@dazo> Malard:  well, you can make it easier for them if you make a customised installer ... that's pretty easy with NSIS, which would install all what's needed
18:17 <@dazo> fair enough ... makes sense, then the RADIUS plug-in is probably your best target
18:18 < Malard> it makes things simple if i say to any of the other staff who need to setup authentication to use the radius cluster rather than having random things plugging away at the domain controllers for authentication
18:18 <@dazo> yupp
18:19 < Malard> i know i am being lazy asking instead of googling, but the windows client, can i idiot proof it
18:19 < Malard> i mean i dont want a headache dealing with support calls with people not able to log on
18:19 < |Mike|> depends on your skills :-p
18:19 -!- tjz [~pc@bb121-7-108-120.singnet.com.sg] has joined #openvpn
18:19 -!- tjz [~pc@bb121-7-108-120.singnet.com.sg] has quit [Changing host]
18:19 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
18:20 < Malard> ideally i dont want to invest too much time in the problem
18:20 <@dazo> Malard:  I've tried to make the windows installation more idiot safe ...
18:20 <@dazo> the normal usage .... I dunno
18:20 < Malard> as it stands _things work_ and the vpn users are segmented from the rest of the network anyway. but if i move them over to openvpn clients, i just want it to be as simple as a popup box asking for their user and pass
18:21 < Malard> i havent downloaded the windows client so i am sort of asking a bit blindly
18:21 <@dazo> you'll have a little icon on your taskbar ... click on it to connect, and it pops up the needed username/password login box
18:21 <@dazo> I got some Windows users which figured out that pretty easily
18:22 <@dazo> Malard:  to make your own NSIS installer on top of the stock OpenVPN installer ... have a look at this one: http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2
18:22 <@vpnHelper> Title: OpenVPN/HowTo for Windows 2 - Secure Computing Wiki (at www.secure-computing.net)
18:24 < Malard> i assume i need to create a NSIS installer to setup the certificate in the first place?
18:24 -!- theotek [~theotek@modemcable165.193-83-70.mc.videotron.ca] has joined #openvpn
18:24 <@dazo> Malard:  nope ... you'll just wrap up the config file and the needed extra files into a zip file ... the installer will ask for that zip file and unpack it on the proper place
18:25 < Malard> btw, i dont know if its just me, but openvpn.net seems down
18:26 <@dazo> I
18:26 <@dazo> I've heard rumours it's been unstable today
18:26 <@dazo> works for me now, though
18:29 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 276 seconds]
18:29 < Malard> thanks for the info
18:29 < Malard> will plug away at this tommorrow :)
18:29 <@dazo> :)
18:32 < krzee> !win_rollup
18:32 <@vpnHelper> "win_rollup" is please see http://www.secure-computing.net/wiki/index.php/OpenVPN/HowTo_for_Windows_2 for dazo's writeup on making unattended windows installers for openvpn
18:32  * dazo need to refresh his factoids memory :)
18:33 -!- tjz [~pc@bb121-7-108-120.singnet.com.sg] has joined #openvpn
18:33 -!- tjz [~pc@bb121-7-108-120.singnet.com.sg] has quit [Changing host]
18:33 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
18:33 < krzee> since i cant spell your plugin suite, we also have:
18:33 < krzee> !dazo
18:33 <@vpnHelper> "dazo" is "eurephia" is http://www.eurephia.net/
18:33 < krzee> lol
18:33 -!- [intra]lanman [~lanman@freeswitch/developer/intralanman] has quit [Quit: This computer has gone to sleep]
18:33 <@dazo> lol
18:37 <@dazo> man ... I'm pretty impressed by the Varnish cache/proxy ... been playing with that a couple of days now ... my "simple setup" is getting quite advanced, and I'm still scratching the surface it seems ... and it really seems to work well
18:37 < krzee> im unimpressed with the ease of connecting unix to mssql via unixODBC/freetds, but happy its behind me
18:38 <@dazo> :)
18:38 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote host closed the connection]
18:42 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 255 seconds]
18:45 -!- s7r [~s7r@66.90.75.99] has left #openvpn []
18:48 < |Mike|> s7r, word
18:56 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Quit: No Ping reply in 90 seconds.]
18:58 -!- WinstonSmith_ [~true@g230120202.adsl.alicedsl.de] has joined #openvpn
19:01 -!- WinstonSmith [~true@e177095236.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
19:02 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
19:05 -!- theotek [~theotek@modemcable165.193-83-70.mc.videotron.ca] has quit [Quit: Leaving]
19:07 -!- WinstonSmith_ is now known as WinstonSmith
19:09 -!- johnnynobody [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
19:09 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Read error: Connection reset by peer]
19:19 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has joined #openvpn
19:19 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has quit [Changing host]
19:19 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
19:32 -!- dazo [~dazo@openvpn/community/developer/dazo] has quit [Quit: Leaving]
19:47 -!- jfkw [~jtk@24-216-252-176.dhcp.mdfd.or.charter.com] has quit [Quit: leaving]
19:48 -!- WinstonSmith [~true@g230120202.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
19:55 -!- WinstonSmith [~true@g230120202.adsl.alicedsl.de] has joined #openvpn
20:00 -!- WinstonSmith [~true@g230120202.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
20:01 -!- freaky[t]_ [alpha@freakyy.de] has quit [Read error: Operation timed out]
20:01 -!- freaky[t]_ [alpha@freakyy.de] has joined #openvpn
20:03 -!- WinstonSmith [~true@g230120202.adsl.alicedsl.de] has joined #openvpn
20:03 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Ping timeout: 255 seconds]
20:32 -!- smerz [~smerz@smerz.demon.nl] has quit [Quit: Ex-Chat]
20:33 -!- grishnav [~grishnav@209.160.52.134] has quit [Ping timeout: 255 seconds]
20:40 -!- grishnav [~grishnav@209.160.52.134] has joined #openvpn
20:45 -!- WinstonSmith [~true@g230120202.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
20:59 -!- WinstonSmith [~true@g231242232.adsl.alicedsl.de] has joined #openvpn
21:46 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has joined #openvpn
22:05 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
22:27 -!- albech [~thomas@124.157.238.254] has joined #openvpn
22:30 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Quit: Leaving]
23:08 -!- albech [~thomas@124.157.238.254] has quit [Quit: Ex-Chat]
23:50 -!- atan [~atan@unaffiliated/atan] has joined #openvpn
23:55 -!- alhadi [~thunderst@92.96.212.59] has joined #openvpn
--- Day changed Fri Dec 31 2010
00:27 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 240 seconds]
00:40 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
00:49 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Ping timeout: 260 seconds]
01:02 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Quit: changing servers]
01:02 -!- LowKey [rhel@unaffiliated/lowkey] has joined #openvpn
01:06 -!- roentgen [~arthur@openvpn/community/support/roentgen] has joined #openvpn
01:12 -!- WinstonSmith [~true@g231242232.adsl.alicedsl.de] has quit [Ping timeout: 240 seconds]
01:21 -!- roentgen [~arthur@openvpn/community/support/roentgen] has quit [Remote host closed the connection]
01:24 -!- WinstonSmith [~true@dslb-088-073-117-160.pools.arcor-ip.net] has joined #openvpn
02:35 -!- p3rror [~mezgani@41.140.101.202] has joined #openvpn
02:44 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
03:00 -!- p3rror [~mezgani@41.140.101.202] has quit [Ping timeout: 276 seconds]
03:03 -!- p3rror [~mezgani@41.140.101.130] has joined #openvpn
03:25 -!- WinstonSmith [~true@dslb-088-073-117-160.pools.arcor-ip.net] has quit [Ping timeout: 240 seconds]
03:38 -!- WinstonSmith [~true@dslb-088-073-117-160.pools.arcor-ip.net] has joined #openvpn
03:40 -!- johnnynobody [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has quit [Ping timeout: 240 seconds]
03:41 -!- Hamlin [~Hamlin@unaffiliated/hamlin] has quit [Remote host closed the connection]
03:43 -!- WinstonSmith [~true@dslb-088-073-117-160.pools.arcor-ip.net] has quit [Ping timeout: 240 seconds]
03:49 -!- master_of_master [~master_of@p57B561E9.dip.t-dialin.net] has quit [Ping timeout: 265 seconds]
03:51 -!- master_of_master [~master_of@p57B56EC1.dip.t-dialin.net] has joined #openvpn
03:53 -!- n0sq [~quassel@mo-65-41-216-18.sta.embarqhsd.net] has joined #openvpn
04:21 -!- WinstonSmith [~true@dslb-088-073-064-132.pools.arcor-ip.net] has joined #openvpn
04:30 -!- WinstonSmith [~true@dslb-088-073-064-132.pools.arcor-ip.net] has quit [Quit: Ex-Chat]
04:35 -!- common- [~common@p5DDA49B5.dip0.t-ipconnect.de] has joined #openvpn
04:36 -!- common [~common@p5DDA49AA.dip0.t-ipconnect.de] has quit [Read error: Operation timed out]
04:36 -!- common- is now known as common
04:49 -!- noisebleed [~quassel@kermit.inescn.pt] has joined #openvpn
04:49 -!- noisebleed [~quassel@kermit.inescn.pt] has quit [Changing host]
04:49 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has joined #openvpn
04:56 <@vpnHelper> RSS Update - forum: How do I do a complete cleanup after openvpn installation <http://forums.openvpn.net/topic7457.html>
05:09 -!- unspin [~unspin@S01060026f2f3042e.vc.shawcable.net] has quit [Ping timeout: 250 seconds]
05:23 -!- rkantos [robin@hp1.jaketus.net] has quit [Ping timeout: 250 seconds]
05:24 -!- rkantos [robin@hp1.jaketus.net] has joined #openvpn
05:31 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
05:37 -!- theotek [~theotek@modemcable165.193-83-70.mc.videotron.ca] has joined #openvpn
05:43 -!- rkantos [robin@hp1.jaketus.net] has quit [Ping timeout: 264 seconds]
05:43 < theotek> hello guys 
05:43 -!- rkantos [robin@hp1.jaketus.net] has joined #openvpn
05:43 < theotek> many some of you may have a clue about my problem:
05:44 < theotek> I start openvpn using: /usr/local/sbin/openvpn --daemon /usr/local/etc/openvpn/openvpn.conf 
05:44 < theotek> I get an error msg asking for a --dev cmdline parameter
05:45 < theotek> I type exactly the same command and add "--dev tap0" (also tried "--dev tap")
05:45 < theotek> server launches but clients yell about unroutable packets recieved
05:46 < theotek> but .. I can start the server by removing the --daemon and --dev cmdline parameter flawlessly and everythig works fin 
05:46 < theotek> wth that means ? 
05:48 -!- unspin [~unspin@S010600900b1a7c77.vc.shawcable.net] has joined #openvpn
05:50 -!- rkantos [robin@hp1.jaketus.net] has quit [Ping timeout: 240 seconds]
05:52 -!- rkantos [robin@hp1.jaketus.net] has joined #openvpn
05:56 -!- theotek [~theotek@modemcable165.193-83-70.mc.videotron.ca] has left #openvpn ["Leaving"]
05:59 -!- theotek [~theotek@modemcable165.193-83-70.mc.videotron.ca] has joined #openvpn
06:02 -!- cpm [~Chip@dns1.daviswv.net] has joined #openvpn
06:02 -!- cpm [~Chip@dns1.daviswv.net] has quit [Changing host]
06:02 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
06:30 -!- alhadi [~thunderst@92.96.212.59] has quit [Ping timeout: 276 seconds]
06:31 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
06:32 -!- mattock [~samuli@openvpn/corp/admin/mattock] has joined #openvpn
06:32 -!- mode/#openvpn [+o mattock] by ChanServ
06:36 -!- alhadi [~thunderst@92.96.235.36] has joined #openvpn
06:41 -!- kdefreak [kottizen@unaffiliated/icanhasfreenode] has joined #openvpn
06:41 < kdefreak> hi, what does this mean?
06:41 < kdefreak> http://simplest-image-hosting.net/jpg-0-plasma-desktopwl1746
06:41 <@vpnHelper> Title: Image plasma-desktopwl1746.jpg - Simplest Image Hosting (at simplest-image-hosting.net)
06:42 < kdefreak> got it when I tried to start my server
06:43 -!- kerfe [~a@121.pool85-60-146.dynamic.orange.es] has joined #openvpn
06:43 < atan> Uh. Start your server in what? Tomato, DD-WRT or something? O_O
06:44 < kdefreak> I installed it on my debian machine using the .deb file from the site
06:44 < atan> To me it looks like your tables are messed
06:44 < kdefreak> and then I logged in on ip:943/admin
06:44 < atan> perhaps apt-get install iptables
06:44 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
06:44 < kdefreak> haven't touched them
06:44 < kdefreak> did that, no changes
06:44 < kdefreak> shall I restart the daemon maybe?
06:44 < atan> Or the server so iptables take effect?
06:45 < kdefreak> I pressed the button here: http://simplest-image-hosting.net/jpg-0-plasma-desktopay1746
06:45 <@vpnHelper> Title: Image plasma-desktopay1746.jpg - Simplest Image Hosting (at simplest-image-hosting.net)
06:45 < kdefreak> ok, sure
06:51 < kdefreak> atan: Rebooted the machine, still the same error.
06:51 < kdefreak> There is a program named "iptables-restore" in /sbin/.
06:52 < atan> I'm quite confused how you even have 943/admin going on there honestly =\
06:52 < atan> O
06:52 < atan> Err, I've never seen an OpenVPN gui just the CLI.
06:53 < kdefreak> It's a web administration thing.
06:53 < kdefreak> Would you like to teamview my screen?
06:53 < atan> I'd likely be no help honestly =\ sorry
06:53 < kdefreak> ah ok
06:53 < kdefreak> thanks anyway :)
06:54 < kdefreak> "Your problem is your firewall, really."
06:54 < kdefreak> they are awesome
06:54 < atan> It's always fun to see error messages and how they are resolved though so I'm watching it ^_^
06:54 < atan> Well, err, there is like 99/100 people in here asking why it "doesn't work" when they didn't enable forwarding or whatnot
06:54 < kdefreak> forwarding?
06:55 < atan> Well a lot of people want to use a VPN like a proxy to hide their computer IP. To watch hulu outisde the US and so on.
06:55 < atan> By default it doesn't exactly do that.
06:55 < kdefreak> you mean port forwarding?
06:55 < atan> But I swear everyone thinks it does.
06:55 < atan> Nah, like ip forwarding. So it redirects all your traffic over the new tun.
06:55 < theotek> I've a good one for you: I start openvpn using /usr/local/sbin/openvpn /usr/local/etc/openvpn/openvpn.conf .. everything works fine from both sides of the VPN
06:56 < theotek> I add the --daemon cmdline parameter .. openvpn aks me to provide a --dev 
06:56 < kdefreak> that conf file is empty
06:57 < kdefreak> oh.
06:57 < kdefreak> there's an openvpn in the package manager
06:57 < theotek> then I add the --dev tun (or even --dev tun0) and client rejects the connection packets
06:57 < kdefreak> gonna try that one
06:57 < theotek> any clue how to fix this ? 
07:15 < Bushmills> theotek: by setting up the configuration and authentication infrastructure such that the rejection problem disappears
07:18 < theotek> client says: TLS Error: unroutable control packet received from server_ip:port (si=3 op=P_ACK_V1)
07:19 < theotek> that only happen if I ask the server to daemonize (implying that I must provide the "--dev tun0" that is already defined in the configuration file)
07:19 < Bushmills> put --dev tun into config file, or specifiy all option on command line, or use --config before config file name
07:20 < theotek> <-- lame
07:20 < theotek>  --config fixed it lol
07:21 < theotek> I guess I should go get a little bit of sleep :D
07:22 < theotek> tyvm 
07:22 < Bushmills> now where is the promised "good one"?
07:22 < theotek> wasn't that one funny enough ? :P
07:22 < Bushmills> no, that was a no-brainer
07:23 < Bushmills> my li'l sister could have told you if i had one
07:24 < theotek> boohoo ... go beg your mom to have one 
07:28 -!- takamichi [~pri@85.232.213.54] has quit [Ping timeout: 255 seconds]
07:28 < theotek> ty for pointing the --config .. I did overlook that parameter .. happy new year guys 
07:28 -!- takamichi [~pri@194.126.175.219] has joined #openvpn
07:28 -!- theotek [~theotek@modemcable165.193-83-70.mc.videotron.ca] has quit [Quit: Leaving]
07:30 -!- farciarz84 [~farciarz@unaffiliated/farciarz84] has joined #openvpn
07:31 < farciarz84> hi, I got username.openvpn, password and .crt to openvpn server. Can I change my password?
07:35 < farciarz84> !welcome
07:35 <@vpnHelper> "welcome" is Start with !goal || we may need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !sample !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
07:36 < farciarz84> !goal
07:36 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
07:38 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Ping timeout: 276 seconds]
07:49 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
07:53 -!- mant1s [~mant1s@jcon.ums.maine.edu] has joined #openvpn
07:53 -!- mant1s [~mant1s@jcon.ums.maine.edu] has quit [Changing host]
07:53 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
08:05 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined #openvpn
08:16 <@vpnHelper> RSS Update - forum: Tapinstall.exe failed to install. Help!!! OpenVPN-AS 1.3.4 <http://forums.openvpn.net/topic7456.html#p8891>
08:34 -!- alhadi [~thunderst@92.96.235.36] has quit [Ping timeout: 272 seconds]
08:34 <@vpnHelper> RSS Update - forum: Tapinstall.exe failed to install. Help!!! OpenVPN 1.3.4 <http://forums.openvpn.net/topic7458.html>
08:41 -!- alhadi [~thunderst@92.96.223.187] has joined #openvpn
08:56 -!- takamichi [~pri@194.126.175.219] has quit [Ping timeout: 250 seconds]
08:56 -!- takamichi [~pri@85.232.213.54] has joined #openvpn
09:03 -!- belZe [irc@cl-457.dus-01.de.sixxs.net] has joined #openvpn
09:03 < belZe> Hallo reiffert ;-)
09:11 < reiffert> :)
09:11 < reiffert> Say hello to belZe formerly know as snowtrash
09:11 < belZe> wrooong
09:11 < belZe> hehe
09:11 < belZe> <- Bjoern
09:20 -!- noisebleed [~quassel@gentoo/contributor/noisebleed] has quit [Ping timeout: 240 seconds]
09:39 -!- alhadi [~thunderst@92.96.223.187] has quit [Ping timeout: 240 seconds]
09:43 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
09:43 -!- LowKey [rhel@unaffiliated/lowkey] has quit [Excess Flood]
09:43 -!- LowKey [rhel@unaffiliated/lowkey] has joined #openvpn
09:43 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Client Quit]
09:44 < reiffert> Hey there Bjoern :)
09:47 -!- alhadi [~thunderst@ner-as45159.alshamil.net.ae] has joined #openvpn
09:48 -!- atan2 [~atan@unaffiliated/atan] has joined #openvpn
09:59 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Read error: Connection reset by peer]
10:00 -!- cpm [~Chip@pdpc/supporter/active/cpm] has joined #openvpn
10:09 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 264 seconds]
10:22 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has joined #openvpn
10:22 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has quit [Changing host]
10:22 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
10:28 -!- p3rror [~mezgani@41.140.101.130] has quit [Ping timeout: 265 seconds]
10:40 -!- p3rror [~mezgani@41.140.183.252] has joined #openvpn
11:03 -!- tjz_ [~pc@bb116-14-171-63.singnet.com.sg] has joined #openvpn
11:04 -!- tjz [~pc@unaffiliated/tjz] has quit [Ping timeout: 265 seconds]
11:22 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
11:25 -!- hacim [~micah@debian/developer/micah] has joined #openvpn
11:27 -!- trkemist [~trkemist@unaffiliated/trkemist] has joined #openvpn
11:27 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
11:30 -!- linze [~linze@546B9DC8.cm-12-4c.dynamic.ziggo.nl] has joined #openvpn
11:31 < trkemist> !goal hairpin
11:32 < trkemist> !goal
11:32 <@vpnHelper> "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:34 < trkemist> !goal I would like route all my internet traffic for roadwarriors through a central server
11:36 < hacim> i've been running openvpn in a number of scenarios very successfully, thanks to the openvpn developers for the great software!
11:37 < hacim> for some reason, at my new home, things are weird... everything works fine, but then suddenly I get really high packetloss
11:37 < hacim> turning off the VPN, all the packetloss goes away
11:37 < hacim> i thought maybe my ISP was shaping port 22, so I tried on other ports, same problem
12:01 -!- kdefreak [kottizen@unaffiliated/icanhasfreenode] has left #openvpn []
12:29 -!- trkemist [~trkemist@unaffiliated/trkemist] has quit [Quit: pwn3d]
12:44 -!- Hamlin [~Hamlin@unaffiliated/hamlin] has joined #openvpn
12:56 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
12:57 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Read error: Connection reset by peer]
13:00 -!- linze [~linze@546B9DC8.cm-12-4c.dynamic.ziggo.nl] has quit [Quit: tot kijk]
13:03 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
13:16 -!- cpm [~Chip@pdpc/supporter/active/cpm] has quit [Remote host closed the connection]
13:17 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
13:19 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 250 seconds]
13:36 -!- Sky[x] [~SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
13:44 -!- p3rror [~mezgani@41.140.183.252] has quit [Ping timeout: 240 seconds]
13:52 -!- Hamlin [~Hamlin@unaffiliated/hamlin] has quit [Ping timeout: 276 seconds]
13:52 -!- Hamlin [~Hamlin@unaffiliated/hamlin] has joined #openvpn
13:58 -!- p3rror [~mezgani@41.140.103.30] has joined #openvpn
14:08 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has joined #openvpn
14:08 -!- mant1s [~mant1s@cpe-76-179-1-48.maine.res.rr.com] has quit [Changing host]
14:08 -!- mant1s [~mant1s@unaffiliated/mant1s] has joined #openvpn
14:11 -!- unspin [~unspin@S010600900b1a7c77.vc.shawcable.net] has quit [Ping timeout: 255 seconds]
14:38 -!- ropetin [~ropetin@pdpc/supporter/student/ropetin] has joined #openvpn
14:43 -!- ropetin [~ropetin@pdpc/supporter/student/ropetin] has quit [Client Quit]
14:51 -!- p3rror [~mezgani@41.140.103.30] has quit [Ping timeout: 240 seconds]
15:01 -!- JPeterson [HydraIRC@s213-103-209-64.cust.tele2.se] has joined #openvpn
15:18 -!- mant1s [~mant1s@unaffiliated/mant1s] has quit [Ping timeout: 240 seconds]
15:38 -!- _skrusty [~skrusty@83.166.176.39] has quit [Ping timeout: 240 seconds]
15:52 -!- _skrusty [~skrusty@83.166.176.39] has joined #openvpn
16:14 -!- seekwill [~wfong@pdpc/supporter/professional/will] has joined #openvpn
16:29 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 240 seconds]
16:30 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
16:31 < seekwill> Hi. Conceptual question here... I'm setting up some remote monitoring services (nagios and cacti, etc) on some of my servers and client servers. Some of the servers are remote VPS's on different providers. I'd like to keep each vpn connection from the monitoring server separate, Is it good enough that I have my VPN server on ie 10.0.1.1 and each client 10.0.1.x, or should I have the server 10.0.x.1 and each client 10.0.x.2 ?
16:50 -!- p3rror [~mezgani@41.140.172.124] has joined #openvpn
17:12 -!- seekwill [~wfong@pdpc/supporter/professional/will] has quit [Quit: Leaving]
17:21 -!- sht [sht@2607:f0d0:2001:8b::50:1337] has joined #openvpn
17:22 -!- seekwill [~wfong@pdpc/supporter/professional/will] has joined #openvpn
17:26 -!- nb_ [~nb@fedora/nb] has quit [Remote host closed the connection]
17:28 -!- nb_ [~nb@fedora/nb] has joined #openvpn
17:29 < krzee> seekwill, look over your question
17:29 < krzee> Is it good enough that I have my VPN server on ie 10.0.1.1 and each client 10.0.1.x, or should I have the server 10.0.x.1 and each client 10.0.x.2 ?
17:29 < krzee> theres a typo in there right?
17:30 < krzee> ohh no theres not, i get it now
17:30 < seekwill> :)
17:31 < krzee> you just wanna have clients not be able to communicate with eachother over the vpn, right?
17:31 < seekwill> yeah
17:31 < seekwill> I think the "routed" option is what I want, vs "bridge"
17:31 < krzee> do not use tap, do not use topology subnet, do not use client-to-client
17:31 < seekwill> Most of the tutorials were talking about bridged
17:31 < krzee> a normal routed setup will work
17:31 < krzee> !c2c
17:31 <@vpnHelper> "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind other
17:31 <@vpnHelper> clients
17:32 < seekwill> This is my first time setting this up, and networking is generally pretty new to me :)
17:32 < krzee> if you dont use that option, unless you configure the servers firewall to allow it, clients cant communicate with eachother
17:32 < krzee> thats tough
17:32 < krzee> in general openvpn does 1 small thing, the rest is just networking
17:33 < seekwill> hehe
17:33 < krzee> but your goal seems simple enough
17:33 < krzee> !sample
17:33 <@vpnHelper> "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man), or (#3) these configs are for a basic multi-user vpn, which you can then build upon to add lans or internet redirecting
17:33 < seekwill> Cool, I'll read up on those. Thanks!
17:33 < krzee> remove client-to-client from that, make your own files, and adjusts the paths... that should be about it
17:33 < krzee> !pki
17:33 <@vpnHelper> "pki" is (#1) http://openvpn.net/index.php/open-source/documentation/howto.html#pki for how to make your PKI stuff (ca, and certs), or (#2) Heres a basic rundown of how it works... The server, client, and ca certs are all signed by the same ca.key. The server and client use the ca.crt to check that eachother were signed by the right ca.key. Optionally, the client also checks that the server cert was signed
17:33 <@vpnHelper> specially as a server (see !servercert)
17:34 < seekwill> So IP address wise, it doesn't really matter? I can have it 10.0.1.x ?
17:34 < krzee> yes. you can
17:34 < krzee> as long as:
17:34 < krzee> [19:31]  <krzee> do not use tap, do not use topology subnet, do not use client-to-client
17:34 < seekwill> Is there a preferred way to do all this? For example, if someone else were to look at my set up, they'd understand, not be confused, etc?
17:35 < krzee> basically the sample configs i just gave you
17:35 < seekwill> Alright, I'll check those out. Thanks!
17:35 < krzee> np
17:36 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
17:37 < reiffert> happy new year
17:38 < seekwill> Happy new year! :D
17:44 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
17:56 < krzee> happy new year!
17:56 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has joined #openvpn
18:10 -!- UnterPerro [~UnterPerr@c-75-74-122-61.hsd1.fl.comcast.net] has quit [Quit: UnterPerro lives to save another day]
18:13 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has quit [Remote host closed the connection]
18:19 < Bushmills> new beer?
18:19 < Bushmills> !beer
18:19 <@vpnHelper> "beer" is its what's for dinner!
18:20 < |Mike|> cold beer :D
18:21 < hacim> would could cause high packet loss on a vpn connection?
18:21 < |Mike|> say what?
18:21 < ecrist> a shitty internet connection
18:21 < hacim> well, thats what I thought at first
18:22 < hacim> but as soon as I disable openvpn, its gone
18:22 < ecrist> hacim: are you using TCP or UDP?
18:22 < hacim> i thought that my ISP was maybe shaping, so I tried on another port, same problem
18:22 < ecrist> also, the openvpn server may be the one with the shitty internet connection.
18:22 < hacim> udp, but I've tried tcp too
18:22 < ecrist> !tcp
18:22 <@vpnHelper> "tcp" is (#1) Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. http://sites.inka.de/~bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea., or (#2) http://www.openvpn.net/papers/BLUG-talk/14.html for a presentation by James Yonan (OpenVPN lead developer)
18:22 < ecrist> udp is good, I'm thinking the server end is having issues.
18:22 < ecrist> or you have split routing getting in the way
18:23 < hacim> ecrist: its not, because this doesn't happen from the office... its just my new home internet connection
18:23 < hacim> it didn't happen at my previous location (different provider)
18:23 < Bushmills> hacim: packet loss over vpn only, or on other routes too?
18:23 < hacim> Bushmills: just on the vpn
18:23 < hacim> as soon as I kill the vpn, 0% packet loss to the vpn server
18:23 < ecrist> it's possible your ISP is shaping UDP traffic as it thinks it's bittorrent
18:23 < hacim> i've tried playing with MTU, I've tried TCP
18:24 < hacim> i've tired port 80, port 443
18:24 < hacim> s/tired/tried
18:24 < Bushmills> 0% loss over vpn which isn't online anymore?
18:24 < |Mike|> abuse of sed.
18:24 < hacim> i was using ed
18:24 < hacim> Bushmills: no, 0% loss on the connection between here and the vpn server
18:25 < |Mike|> ed is yet another editor ;)
18:25 < Bushmills> but you said that packet loss occurs only over vpn, not over other routes
18:25 < hacim> 80-95% loss to everywhere when the vpn is up, tear it down, 0%
18:26 < Bushmills> so other - non-vpn - route to server was 0% loss before as well, even with openvpn online?
18:26 < hacim> i haven't tried other routes, as all the traffic was going over the vpn
18:26 < Bushmills> but you do/did have a host route to openvpn server, i assume?
18:27 < hacim> i have two computers
18:27 < hacim> I can have one with openvpn running, getting 80% loss, and the other without it running getting 0%
18:27 < Bushmills> does that answer the host route question?
18:27 < hacim> my college, who is in a different city has no issue at all to the same server
18:28 < hacim> i guess I'm not totally understanding the question
18:28 -!- Rolybrau [~Rolybrau@unaffiliated/rolybrau] has joined #openvpn
18:28 < Bushmills> connect client to server again, then look at client route table. make sure there is a route to server which is not over vpn
18:30 < hacim> yes, there is a route to the server via my local router that is not over the vpn
18:31 < Bushmills> that eliminates this potential problem
18:31 < Bushmills> assuming your openvpn client can use that route, according its own routing table
18:31 < hacim> ie. 204.13.24.2 via 192.168.0.1 dev eth0
18:32 < hacim> it can
18:32 -!- mattock [~samuli@openvpn/corp/admin/mattock] has quit [Ping timeout: 240 seconds]
18:32 < Bushmills> is your local route the openvpn client?
18:32 < hacim> the packet loss doesn't happen immediately
18:32 < Bushmills> router
18:32 < hacim> no
18:32 < hacim> the openvpn client is running on my laptop
18:32 < Bushmills> does your *openvpn client* have a non-openvpn route to server? 
18:32 -!- ecrist changed the topic of #openvpn to: Happy New Year!!!! || OpenVPN 2.1.4 Most Current || 2.2-beta5 Released 03-Dec-2010 || Your problem is your firewall, really. || Type !welcome and !goal before asking your questions. || Web Forum: http://forums.openvpn.net || Developers: #openvpn-devel
18:33 < hacim> isn't this it? 204.13.24.2 via 192.168.0.1 dev eth0
18:33 < hacim> 204.13.24.2 being my server
18:33 < hacim> 192.168.0.1 being my router
18:33 < hacim> default via 192.168.0.1 dev eth0
18:33 < Bushmills> is that a route from your router, or from your openvpn client?
18:34 < hacim> my router isn't involved in openvpn at all
18:35 < hacim> but are you asking if that route came from my router, or my openvpn client?
18:35 < Bushmills> you brought up your router, by saying that your local router has a route to openvpn server 
18:35 < Bushmills> i wasn't interested in your local router at all
18:36 < hacim> i meant that i have a route on my laptop via my local router that is not over the vpn
18:36 < hacim> which is: 204.13.24.2 via 192.168.0.1 dev eth0
18:37 < Bushmills> 204.13.224.2 is your openvpn server?
18:37 < hacim> yes
18:37 < Bushmills> looks ok.
18:38 < hacim> yeah, the route table is no different for my collegue, who does not have the issue
18:39 < Bushmills> check on server what is lost: requests (not) getting there, or replies (not) being sent back 
18:39 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has quit [Ping timeout: 250 seconds]
18:41 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has joined #openvpn
19:06 < hacim> ok
19:09 -!- buntfalke [~nobody@unaffiliated/buntfalke] has joined #openvpn
19:30 -!- p3rror [~mezgani@41.140.172.124] has quit [Ping timeout: 250 seconds]
20:16 -!- farciarz84 [~farciarz@unaffiliated/farciarz84] has quit [Quit: Lost terminal]
20:40 -!- buntfalke [~nobody@unaffiliated/buntfalke] has quit [Remote host closed the connection]
20:41 -!- kerfe [~a@121.pool85-60-146.dynamic.orange.es] has quit [Quit: • IRcap • 8.6 •]
21:02 -!- simplechat [~simplecha@unaffiliated/simplechat] has joined #openvpn
21:05 -!- corretico [~corretico@201.201.44.82] has quit [Ping timeout: 276 seconds]
21:07 -!- boswarrior [~mrnice@84.115.26.221] has joined #openvpn
21:08 -!- corretico [~corretico@201.201.44.82] has joined #openvpn
21:10 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has quit [Ping timeout: 255 seconds]
21:14 -!- corretico [~corretico@201.201.44.82] has quit [Remote host closed the connection]
21:17 -!- secretary_linux [~bplunkert@static-70-107-242-118.ny325.east.verizon.net] has joined #openvpn
22:10 -!- tjz_ [~pc@bb116-14-171-63.singnet.com.sg] has quit [Quit: bbl.]
22:10 -!- tjz [~pc@67.220.220.132] has joined #openvpn
22:10 -!- tjz [~pc@67.220.220.132] has quit [Changing host]
22:10 -!- tjz [~pc@unaffiliated/tjz] has joined #openvpn
22:10 < tjz> Happy new year, everyone~ :)
22:31 <@vpnHelper> RSS Update - forum: Connecting two LANs <http://forums.openvpn.net/topic7459.html>
23:07 -!- albech [~thomas@119.42.78.92] has joined #openvpn
23:14 -!- tacidsky [~tacidsky@vps.tacidsky.com] has left #openvpn ["happy newyear"]
23:39 -!- batrick [~batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.3.2]
23:39 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn
23:39 -!- batrick [~batrick@nmap/developer/batrick] has quit [Client Quit]
23:39 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn
23:40 -!- batrick [~batrick@nmap/developer/batrick] has quit [Client Quit]
23:40 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn
23:51 -!- batrick [~batrick@nmap/developer/batrick] has quit [Quit: WeeChat 0.3.2]
23:53 -!- batrick [~batrick@nmap/developer/batrick] has joined #openvpn
--- Day changed Sat Jan 01 2011